@authaz/next 0.0.1

package/CHANGELOG.md

@@ -0,0 +1,64 @@
+# Changelog
+
+Todas as mudanças notáveis deste projeto serão documentadas neste arquivo.
+
+## [1.1.0] - 2024-01-XX
+
+### ✨ Adicionado
+- **Nova API de Configuração**: Introduzida configuração baseada em objeto para melhor organização
+- **Validação de Configuração**: Validação automática de campos obrigatórios
+- **Status Específicos**: Cada fluxo agora tem status específicos para diferentes cenários
+- **Arquivo de Configuração**: Novo módulo `config.ts` para centralizar configurações
+
+### 🔧 Melhorado
+- **Nomenclatura Padronizada**: 
+  - `SignupConfigureMfa` → `signupConfigureMfa`
+  - `SignupVerifyMfa` → `signupVerifyMfa`
+  - `acessTokenMfa` → `accessTokenMfa`
+- **Estrutura de Respostas**: Status específicos para cada tipo de operação com cenários detalhados
+- **Tipos de Usuário**: Unificação dos tipos de usuário com interface base `User`
+- **URLs Dinâmicas**: Remoção de URLs hardcoded, agora configuráveis
+
+### 🏗️ Refatorado
+- **Construtor da ApiService**: Suporte para objeto de configuração + compatibilidade legacy
+- **Tipos de Token**: Melhor organização e reutilização de tipos de token
+- **Tipos de Erro**: Padronização de tipos de erro comuns
+
+### 📚 Documentação
+- **README Atualizado**: Exemplos de configuração moderna e legacy
+- **Tipos Documentados**: Melhor documentação dos tipos disponíveis
+- **Exemplos de Uso**: Adicionados exemplos com nova API de configuração
+
+### ⚡ Compatibilidade
+- **Backward Compatible**: Mantida compatibilidade com API legacy
+- **Migração Suave**: Possibilidade de migrar gradualmente para nova API
+
+## Exemplo de Migração
+
+### Antes (Legacy)
+```typescript
+const client = new ApiService(
+  'https://api.authaz.com',
+  'client-id',
+  'client-secret',
+  'auth-pool-id',
+  'org-id',
+  'redirect-uri'
+)
+```
+
+### Depois (Moderno)
+```typescript
+const client = new ApiService({
+  baseUrl: 'https://api.authaz.com',
+  clientId: 'client-id',
+  clientSecret: 'client-secret',
+  authPoolId: 'auth-pool-id',
+  organizationId: 'org-id',
+  redirectUri: 'redirect-uri'
+})
+```
+
+## Breaking Changes
+
+Nenhuma breaking change nesta versão. Todas as mudanças mantêm compatibilidade com versões anteriores.

package/CLAUDE.md

@@ -0,0 +1,118 @@
+# CLAUDE.md
+
+This file provides guidance to Claude Code (claude.ai/code) when working with code in this repository.
+
+## Project Overview
+
+This is the **Authaz SDK for JavaScript/TypeScript**, providing authentication and user management for the Authaz platform. The SDK supports Universal Login flow with OAuth2/OIDC, PKCE, and secure session management.
+
+## Development Commands
+
+### Building
+```bash
+npm run build              # Build using tsdown (outputs to dist/)
+npm run prepare           # Build script (runs on npm install)
+```
+
+### Testing
+```bash
+npm test                  # Run Jest tests
+npm run test:watch       # Run tests in watch mode
+npm run test:coverage    # Run tests with coverage report (80% threshold)
+```
+
+### Linting
+```bash
+npm run lint             # Check code with ESLint
+npm run lint:fix         # Fix linting issues automatically
+```
+
+### Releasing
+```bash
+npm run release          # Build and create patch release
+npm run release:patch    # Bump patch version and push with tags
+npm run release:minor    # Bump minor version and push with tags
+npm run release:major    # Bump major version and push with tags
+```
+
+## Architecture Overview
+
+### Core Service Structure
+
+The SDK follows a **layered service architecture**:
+
+1. **ApiService** (`src/api.ts`) - Main entry point that orchestrates child services
+   - Initializes configuration via `createConfig()`
+   - Delegates to specialized services: `UserApiService`, `UniversalLoginApiService`
+   - Provides high-level methods: `getMe()`, `getUniversalLoginUrl()`, `getUniversalLoginAccessToken()`
+
+2. **BaseApiService** (`src/shared/base-api.ts`) - Abstract base class for all API services
+   - Manages authentication tokens (API token, CSRF token, Session token)
+   - Initializes on construction: fetches CSRF token → gets API token (client credentials grant)
+   - Updates Axios instances with tokens via `updateAxiosTokens()`
+   - Provides two Axios instances: `apiAxiosInstance` (for API calls) and `universalLoginAxiosInstance` (for OAuth flow)
+
+3. **Specialized Services** (extend BaseApiService)
+   - `UserApiService` (`src/general/user/api.ts`) - User profile operations
+   - `UniversalLoginApiService` (`src/flows/universal-login/api.ts`) - OAuth2/OIDC Universal Login flow
+
+### HTTP Client Layer
+
+**AuthazAxiosInstance** (`src/shared/axios-instance.ts`) - Wraps Axios with automatic token injection
+- Request interceptor adds: `X-Client-Authorization`, `X-CSRF-Token`, `X-Session-Token` headers
+- Tokens are updated via `updateTokens()` method
+- All HTTP methods (get, post, put, delete, patch) return typed responses
+
+### Configuration System
+
+**Config** (`src/config.ts`) - Environment-aware configuration
+- Detects production vs development via `NODE_ENV`
+- Production defaults: `api.authaz.com`, `authaz.com`
+- Development defaults: `localhost:5138`
+- Validates required fields: `clientId`, `clientSecret`, `organizationId`, `redirectUri`, `tenantId`
+
+### Type System
+
+The SDK uses a **dual-type approach**:
+
+1. **Raw HTTP Types** (`src/http-types.ts`) - Direct server responses (e.g., `RawApiTokenResponse`, `RawUserProfileResponse`)
+2. **Processed Types** (`src/types.ts` + flow-specific types) - SDK-transformed responses with status codes
+
+Exported via namespace: `import type * as HttpTypes from "@authaz/sdk"`
+
+### Universal Login Flow
+
+OAuth2/OIDC with PKCE implementation (`src/flows/universal-login/api.ts`):
+1. `redirectToLogin()` - Generates PKCE challenge, state parameter, and authorization URL
+2. `getUniversalLoginAccessToken()` - Exchanges authorization code for access/refresh tokens
+3. Uses Web Crypto API for SHA-256 hashing and secure random generation
+
+## Key Implementation Details
+
+### Token Management
+- All services extend `BaseApiService` which handles 3-token system: API token (client credentials), CSRF token, Session token
+- Tokens are automatically injected into requests via Axios interceptors
+- Base service constructor chains: get CSRF → get API token → update Axios instances
+
+### Build Configuration
+- Uses `tsdown` for bundling (not tsc)
+- Output: ESM format only, with TypeScript declarations
+- External dependencies: Next.js, React, routing libraries (not bundled)
+- Tree-shaking enabled for optimal bundle size
+
+### Testing Setup
+- Jest with ts-jest preset
+- 80% coverage threshold required (branches, functions, lines, statements)
+- Test files: `**/__tests__/**/*.ts` or `**/*.{spec,test}.ts`
+
+### Peer Dependencies
+- Next.js >=13.0.0
+- nookies >=2.5.2 (for cookie management in Next.js)
+
+## Important Notes
+
+- The SDK is designed for Next.js applications (see peer dependencies)
+- Environment detection relies on `process.env.NODE_ENV`
+- All API calls use `withCredentials: true` for cookie handling
+- PKCE implementation uses `S256` method (SHA-256)
+- Session management utilities are exported but implementation is in `src/utils/session.ts`

package/README.md

@@ -0,0 +1,209 @@
+# @authaz/next
+
+Next.js integration for Authaz authentication. Provides server-side session management with cookie-based authentication for Next.js applications.
+
+## Installation
+
+```bash
+npm install @authaz/next @authaz/sdk
+# or
+pnpm add @authaz/next @authaz/sdk
+# or
+yarn add @authaz/next @authaz/sdk
+```
+
+### Peer Dependencies
+
+```bash
+npm install next@">=15" react@">=17" @authaz/sdk@workspace:*
+```
+
+## Features
+
+- **Server-Side Session Management** - Secure cookie-based authentication
+- **Next.js 15+ Support** - Built for the latest Next.js features
+- **Type-Safe** - Full TypeScript support
+- **Cookie Integration** - Uses Next.js cookies API for secure token storage
+- **Debug Mode** - Optional debug logging for development
+- **Zero Configuration** - Works with sensible defaults
+
+## Quick Start
+
+### 1. Configure Authaz SDK
+
+```typescript
+// lib/authaz.ts
+import { authazNext } from "@authaz/next";
+
+export const authaz = authazNext(
+    {
+        clientId: process.env.AUTHAZ_CLIENT_ID!,
+        clientSecret: process.env.AUTHAZ_CLIENT_SECRET!,
+        tenantId: process.env.AUTHAZ_TENANT_ID!,
+        organizationId: process.env.AUTHAZ_ORG_ID!,
+        redirectUri: process.env.AUTHAZ_REDIRECT_URI!,
+    },
+    {
+        debug: process.env.NODE_ENV === "development",
+        cookies: {
+            accessToken: "accessToken", // optional
+        },
+    }
+);
+```
+
+### 2. Use in Server Components
+
+```tsx
+// app/dashboard/page.tsx
+import { authaz } from "@/lib/authaz";
+import { redirect } from "next/navigation";
+
+export default async function DashboardPage() {
+    const user = await authaz.getUserSession();
+
+    if (!user) {
+        redirect("/login");
+    }
+
+    return (
+        <div>
+            <h1>Welcome, {user.name}</h1>
+            <p>Email: {user.email}</p>
+        </div>
+    );
+}
+```
+
+### 3. Use in API Routes
+
+```typescript
+// app/api/user/route.ts
+import { authaz } from "@/lib/authaz";
+import { NextResponse } from "next/server";
+
+export async function GET() {
+    const user = await authaz.getUserSession();
+
+    if (!user) {
+        return NextResponse.json({ error: "Unauthorized" }, { status: 401 });
+    }
+
+    return NextResponse.json({ user });
+}
+```
+
+## API Reference
+
+### `authazNext(config, options?)`
+
+Creates an Authaz instance configured for Next.js.
+
+```typescript
+// SDK Configuration (required)
+config: {
+    clientId: string;
+    clientSecret: string;
+    tenantId: string;
+    organizationId: string;
+    redirectUri?: string;
+    authPoolId?: string;
+}
+
+// SDK Options (optional)
+options?: {
+    debug?: boolean;
+    cookies?: {
+        accessToken?: string; // Default: "accessToken"
+    }
+}
+```
+
+Returns:
+
+```typescript
+{
+    getUserSession: () => Promise<UserProfile | null>
+}
+```
+
+### `getUserSession()`
+
+Retrieves the authenticated user's session from cookies.
+
+Returns `UserProfile | null`:
+
+```typescript
+interface UserProfile {
+    id: string;
+    email: string;
+    name: string;
+    role?: string;
+    createdAt?: string;
+    updatedAt?: string;
+}
+```
+
+## Environment Variables
+
+Create a `.env.local` file:
+
+```env
+AUTHAZ_CLIENT_ID=your_client_id
+AUTHAZ_CLIENT_SECRET=your_client_secret
+AUTHAZ_TENANT_ID=your_tenant_id
+AUTHAZ_ORG_ID=your_organization_id
+AUTHAZ_REDIRECT_URI=http://localhost:3000/callback
+```
+
+## Middleware Protection
+
+Protect multiple routes with Next.js middleware:
+
+```typescript
+// middleware.ts
+import { NextResponse } from "next/server";
+import type { NextRequest } from "next/server";
+import { authaz } from "@/lib/authaz";
+
+export async function middleware(request: NextRequest) {
+    const user = await authaz.getUserSession();
+
+    if (request.nextUrl.pathname.startsWith("/dashboard") && !user) {
+        return NextResponse.redirect(new URL("/login", request.url));
+    }
+
+    return NextResponse.next();
+}
+
+export const config = {
+    matcher: ["/dashboard/:path*"],
+};
+```
+
+## Security Best Practices
+
+1. **Use HTTP-Only Cookies** - Always set `httpOnly: true`
+2. **Enable Secure Flag in Production** - Set `secure: true` when `NODE_ENV === "production"`
+3. **Set SameSite** - Use `sameSite: "lax"` or `"strict"`
+4. **Never Expose Client Secret** - Only use this package in server-side code
+5. **Implement Token Refresh** - Refresh tokens before expiration
+
+## TypeScript Support
+
+Full TypeScript support with type inference:
+
+```typescript
+import type { UserProfile } from "@authaz/sdk";
+
+const user: UserProfile | null = await authaz.getUserSession();
+```
+
+## License
+
+MIT
+
+## Support
+
+- GitHub: https://github.com/Authaz/authaz-sdk-js
+- Documentation: https://www.authaz.io/docs

package/dist/index.d.ts

@@ -0,0 +1,17 @@
+import * as _authaz_sdk0 from "@authaz/sdk";
+import { UserProfile, authaz } from "@authaz/sdk";
+
+//#region src/index.d.ts
+type SdkConfig = {
+  debug?: boolean;
+  cookies?: {
+    accessToken?: string;
+  };
+};
+type AuthazArgs = Parameters<typeof authaz>[0];
+declare const authazNext: (config: AuthazArgs, args?: SdkConfig) => {
+  getUserSession: () => Promise<UserProfile | null>;
+  sdk: _authaz_sdk0.ApiService;
+};
+//#endregion
+export { authazNext };

package/dist/index.js

@@ -0,0 +1,30 @@
+import { authaz, validateToken } from "@authaz/sdk";
+import { cookies } from "next/headers";
+
+//#region src/index.tsx
+const authazNext = (config, args) => {
+	const sdk = authaz(config);
+	const isDebug = args?.debug || false;
+	const getUserSession = (args$1) => {
+		const accessTokenCookie = args$1?.cookies?.accessToken || "accessToken";
+		return async () => {
+			try {
+				const accessToken = (await cookies()).get(accessTokenCookie)?.value;
+				if (!accessToken || !validateToken(accessToken)) return null;
+				const response = await sdk.getMe(accessToken);
+				if (response.status !== "success") return null;
+				return response.user;
+			} catch (error) {
+				if (isDebug) console.error("[authaz-sdk] Error on get user session", error);
+				return null;
+			}
+		};
+	};
+	return {
+		getUserSession: getUserSession(args),
+		sdk
+	};
+};
+
+//#endregion
+export { authazNext };

package/docs/ENVIRONMENT-CONFIG.md

@@ -0,0 +1,171 @@
+# Environment Configuration - Authaz SDK
+
+The SDK now automatically detects the environment (development or production) and applies the appropriate configurations.
+
+## 🔧 How It Works
+
+The `DEFAULT_CONFIG` now reads from environment variables first, with fallback based on `NODE_ENV`:
+
+### 📋 Environment Variables (Priority)
+- `AUTHAZ_API_URL` - API URL
+- `AUTHAZ_DOMAIN` - Authaz Domain
+- `AUTHAZ_UNIVERSAL_LOGIN_URL` - Universal Login URL
+
+### 🏠 Development (Fallback)
+- **When**: `NODE_ENV !== 'production'` and environment variables are not defined
+- **URLs**:
+  - `baseUrl`: `http://localhost:5138/api`
+  - `universalLoginUrl`: `http://localhost:5138`
+  - `authazDomain`: `http://localhost:5138`
+
+### 🚀 Production (Fallback)
+- **When**: `NODE_ENV === 'production'` and environment variables are not defined
+- **URLs**:
+  - `baseUrl`: `https://api.authaz.com`
+  - `universalLoginUrl`: `https://authaz.com`
+  - `authazDomain`: `https://authaz.com`
+
+## 💻 Practical Usage
+
+### Automatic Configuration (Recommended)
+```typescript
+import { ApiService } from 'authaz-sdk-js'
+
+// URLs are automatically detected based on environment
+const authazClient = new ApiService({
+  clientId: 'your-client-id',
+  clientSecret: 'your-client-secret',
+  authPoolId: 'your-auth-pool-id',
+  organizationId: 'your-organization-id',
+  redirectUri: 'your-redirect-uri'
+  // baseUrl, authazDomain and universalLoginUrl are set automatically
+})
+```
+
+### Manual Override (Optional)
+```typescript
+// You can still override URLs if needed
+const authazClient = new ApiService({
+  clientId: 'your-client-id',
+  clientSecret: 'your-client-secret',
+  authPoolId: 'your-auth-pool-id',
+  organizationId: 'your-organization-id',
+  redirectUri: 'your-redirect-uri',
+  baseUrl: 'https://api-custom.authaz.com', // Manual override
+  authazDomain: 'https://custom.authaz.com'
+})
+```
+
+## 🌍 Environment Detection
+
+### Node.js (Backend)
+```javascript
+// Development
+process.env.NODE_ENV = 'development' // or undefined
+
+// Production
+process.env.NODE_ENV = 'production'
+```
+
+### Browser (Frontend)
+```javascript
+// Development
+window.location.hostname = 'localhost' // or '127.0.0.1'
+
+// Production
+window.location.hostname = 'myapp.com' // any domain that is not localhost
+```
+
+## 🔍 Debug
+
+To verify which environment was detected, you can check in the console:
+
+```typescript
+import { DEFAULT_CONFIG } from 'authaz-sdk-js'
+
+console.log('Detected configuration:', DEFAULT_CONFIG)
+// Development: { baseUrl: 'http://localhost:5138/api', ... }
+// Production: { baseUrl: 'https://api.authaz.com', ... }
+```
+
+## 📝 Complete Example
+
+```typescript
+// authaz.config.ts
+import { ApiService } from 'authaz-sdk-js'
+
+export const createAuthazClient = () => {
+  return new ApiService({
+    clientId: process.env.NEXT_PUBLIC_CLIENT_ID!,
+    clientSecret: process.env.CLIENT_SECRET!,
+    authPoolId: process.env.NEXT_PUBLIC_AUTH_POOL_ID!,
+    organizationId: process.env.NEXT_PUBLIC_ORGANIZATION_ID!,
+    redirectUri: process.env.NEXT_PUBLIC_REDIRECT_URI!
+    // URLs are automatically set based on environment
+  })
+}
+
+// In development: will use localhost:5138
+// In production: will use api.authaz.com
+```
+
+## ⚙️ Environment Variables
+
+### Development (.env.local)
+```env
+NODE_ENV=development
+
+# Authaz URLs (optional - uses localhost if not defined)
+AUTHAZ_API_URL=http://localhost:5138/api
+AUTHAZ_DOMAIN=http://localhost:5138
+AUTHAZ_UNIVERSAL_LOGIN_URL=http://localhost:5138
+
+# Credentials
+NEXT_PUBLIC_CLIENT_ID=dev-client-id
+CLIENT_SECRET=dev-client-secret
+NEXT_PUBLIC_AUTH_POOL_ID=dev-auth-pool
+NEXT_PUBLIC_ORGANIZATION_ID=dev-org-id
+NEXT_PUBLIC_REDIRECT_URI=http://localhost:3000/auth/callback
+```
+
+### Production (.env.production)
+```env
+NODE_ENV=production
+
+# Authaz URLs (optional - uses api.authaz.com if not defined)
+AUTHAZ_API_URL=https://api.authaz.com
+AUTHAZ_DOMAIN=https://authaz.com
+AUTHAZ_UNIVERSAL_LOGIN_URL=https://authaz.com
+
+# Credentials
+NEXT_PUBLIC_CLIENT_ID=prod-client-id
+CLIENT_SECRET=prod-client-secret
+NEXT_PUBLIC_AUTH_POOL_ID=prod-auth-pool
+NEXT_PUBLIC_ORGANIZATION_ID=prod-org-id
+NEXT_PUBLIC_REDIRECT_URI=https://myapp.com/auth/callback
+```
+
+### Staging/Custom (.env.staging)
+```env
+NODE_ENV=staging
+
+# Custom URLs
+AUTHAZ_API_URL=https://api-staging.authaz.com
+AUTHAZ_DOMAIN=https://staging.authaz.com
+AUTHAZ_UNIVERSAL_LOGIN_URL=https://staging.authaz.com
+
+# Credentials
+NEXT_PUBLIC_CLIENT_ID=staging-client-id
+CLIENT_SECRET=staging-client-secret
+NEXT_PUBLIC_AUTH_POOL_ID=staging-auth-pool
+NEXT_PUBLIC_ORGANIZATION_ID=staging-org-id
+NEXT_PUBLIC_REDIRECT_URI=https://staging.myapp.com/auth/callback
+```
+
+## ✅ Advantages
+
+1. **Automatic**: No need to manually configure URLs
+2. **Safe**: Prevents using development URLs in production
+3. **Simple**: Just configure credentials, URLs are automatic
+4. **Flexible**: Still allows manual override when needed
+5. **Compatible**: Works in both Node.js and Browser

package/docs/README-AXIOS-INSTANCE.md

@@ -0,0 +1,276 @@
+# Authaz SDK - Axios Instance
+
+## Overview
+
+The SDK now uses a custom Axios instance that automatically adds the necessary authentication tokens (`ApiToken` and `CsrfToken`) to the headers of all requests.
+
+## Architecture
+
+### AuthazAxiosInstance
+
+The `AuthazAxiosInstance` class manages an Axios instance with configured interceptors:
+
+```typescript
+import { AuthazAxiosInstance } from './shared/axios-instance';
+
+// Create an instance with base URL
+const axiosInstance = new AuthazAxiosInstance('https://api.authaz.com');
+
+// Update tokens
+axiosInstance.updateTokens(apiToken, csrfToken);
+
+// Make requests that automatically include tokens
+const data = await axiosInstance.get('/users');
+const response = await axiosInstance.post('/auth/login', { email, password });
+```
+
+### Automatic Interceptors
+
+The Axios instance includes interceptors that:
+
+1. **Request Interceptor**: Automatically adds headers:
+   - `X-Client-Authorization: Bearer {apiToken}`
+   - `X-CSRF-Token: {csrfToken}`
+
+2. **Response Interceptor**: Handles errors consistently
+
+### Integration with BaseApiService
+
+The `BaseApiService` class now includes an instance of `AuthazAxiosInstance`:
+
+```typescript
+export abstract class BaseApiService {
+  protected axiosInstance: AuthazAxiosInstance;
+
+  constructor(...) {
+    this.axiosInstance = new AuthazAxiosInstance(baseUrl);
+    // ...
+  }
+
+  // Method to update tokens in the axios instance
+  protected updateAxiosTokens(): void {
+    this.axiosInstance.updateTokens(this.ApiToken, this.CsrfToken);
+  }
+}
+```
+
+## Benefits
+
+1. **Automation**: No longer necessary to manually add authentication headers
+2. **Consistency**: All services inherit the same authentication configuration
+3. **Maintainability**: Changes to authentication logic are centralized
+4. **Type Safety**: Full TypeScript support with generic types
+
+## Usage in Services
+
+### Before (with fetch)
+
+```typescript
+const response = await fetch(`${this.baseUrl}/auth/login`, {
+  method: 'POST',
+  headers: {
+    'Content-Type': 'application/json',
+    'X-Client-Authorization': `Bearer ${apiToken}`,
+    'X-CSRF-Token': csrfToken,
+  },
+  body: JSON.stringify({ email, password }),
+});
+```
+
+### After (with axios instance)
+
+```typescript
+const data = await this.axiosInstance.post<LoginResponse>(
+  '/auth/login',
+  { email, password }
+);
+```
+
+## Available Methods
+
+The Axios instance offers convenient methods:
+
+- `get<T>(url, config?)`: GET requests
+- `post<T>(url, data?, config?)`: POST requests
+- `put<T>(url, data?, config?)`: PUT requests
+- `delete<T>(url, config?)`: DELETE requests
+- `patch<T>(url, data?, config?)`: PATCH requests
+
+## Token Updates
+
+Tokens are automatically updated when:
+
+1. CSRF token is obtained via `getCsrfToken()`
+2. API token is obtained via `getApiToken()`
+3. Both are updated in the axios instance via `updateAxiosTokens()`
+
+## Error Handling
+
+The Axios instance includes consistent error handling:
+
+```typescript
+try {
+  const data = await this.axiosInstance.post('/auth/login', credentials);
+  return { status: 'success', data };
+} catch (error) {
+  const axiosError = error as { response?: { status: number; data?: unknown } };
+
+  if (axiosError.response?.status === 401) {
+    return { status: 'error', message: 'Unauthorized' };
+  }
+
+  return { status: 'error', message: 'Internal error' };
+}
+```
+
+## Migration
+
+To migrate existing services:
+
+1. Remove manual `fetch` calls
+2. Replace with calls to `this.axiosInstance`
+3. Remove manual addition of authentication headers
+4. Update error handling to use Axios structure
+
+## Complete Example
+
+```typescript
+export class MyApiService extends BaseApiService {
+  public async getUserData(userId: string): Promise<UserData> {
+    try {
+      // Ensure tokens are up to date
+      await this.getApiToken();
+
+      // Make request - headers are added automatically
+      const data = await this.axiosInstance.get<UserData>(`/users/${userId}`);
+
+      return data;
+    } catch (error: unknown) {
+      const axiosError = error as { response?: { status: number } };
+
+      if (axiosError.response?.status === 404) {
+        throw new Error('User not found');
+      }
+
+      throw new Error('Error fetching user data');
+    }
+  }
+}
+```
+
+# AuthazAxiosInstance - Per-Request Cookies
+
+This document explains how to use request-specific cookies in `AuthazAxiosInstance`.
+
+## Configuration
+
+The `AuthazAxiosInstance` now supports request-specific cookies through the `cookies` property in the configuration.
+
+## Interface
+
+```typescript
+interface AuthazRequestConfig extends AxiosRequestConfig {
+  cookies?: Record<string, string>;
+}
+```
+
+## Usage Examples
+
+### 1. GET Request with cookies
+
+```typescript
+const axiosInstance = new AuthazAxiosInstance('https://api.example.com');
+
+// GET request with specific cookies
+const response = await axiosInstance.get('/users', {
+  cookies: {
+    'sessionId': 'abc123',
+    'userId': 'user456'
+  }
+});
+```
+
+### 2. POST Request with cookies
+
+```typescript
+// POST request with cookies
+const response = await axiosInstance.post('/login', {
+  email: 'user@example.com',
+  password: 'password123'
+}, {
+  cookies: {
+    'sessionId': 'new-session-123',
+    'theme': 'dark'
+  }
+});
+```
+
+### 3. PUT Request with cookies
+
+```typescript
+// PUT request with cookies
+const response = await axiosInstance.put('/users/123', {
+  name: 'John Doe',
+  email: 'john@example.com'
+}, {
+  cookies: {
+    'sessionId': 'abc123',
+    'lastUpdate': Date.now().toString()
+  }
+});
+```
+
+### 4. DELETE Request with cookies
+
+```typescript
+// DELETE request with cookies
+const response = await axiosInstance.delete('/users/123', {
+  cookies: {
+    'sessionId': 'abc123',
+    'action': 'delete'
+  }
+});
+```
+
+### 5. PATCH Request with cookies
+
+```typescript
+// PATCH request with cookies
+const response = await axiosInstance.patch('/users/123', {
+  name: 'Jane Doe'
+}, {
+  cookies: {
+    'sessionId': 'abc123',
+    'updateType': 'name'
+  }
+});
+```
+
+## Advantages
+
+1. **Flexibility**: Each request can have its own cookies
+2. **Isolation**: Cookies from one request don't affect others
+3. **Control**: Allows granular control over cookies per operation
+4. **Security**: Prevents cookie leakage between different contexts
+
+## Global Tokens
+
+API and CSRF tokens continue to be configured globally:
+
+```typescript
+// Configure global tokens
+axiosInstance.updateTokens('api-token-123', 'csrf-token-456');
+
+// Or individually
+axiosInstance.updateApiToken('api-token-123');
+axiosInstance.updateCsrfToken('csrf-token-456');
+```
+
+## Interceptor
+
+The interceptor automatically:
+1. Adds API token if configured
+2. Adds CSRF token if configured
+3. Adds request-specific cookies if configured
+
+All headers are added automatically in each request.

package/docs/REFACTORING.md

@@ -0,0 +1,163 @@
+# Authaz SDK Refactoring
+
+## 📁 New Structure
+
+The refactoring organized the SDK by **functional flows**, separating responsibilities and improving maintainability:
+
+```
+src/
+├── flows/                    # Specific functionality flows
+│   ├── auth/                # Authentication and MFA
+│   │   ├── api.ts          # Methods: login, loginVerifyMfa
+│   │   └── types.ts        # LoginResponse, MfaVerifyResponse
+│   ├── password-reset/      # Password recovery
+│   │   ├── api.ts          # Methods: requestPasswordReset, verifyPasswordResetCode, etc.
+│   │   └── types.ts        # PasswordResetRequestResponse, etc.
+│   ├── signup/             # User registration
+│   │   ├── api.ts          # Methods: requestSignup, confirmSignup, etc.
+│   │   └── types.ts        # SignupRequestResponse, etc.
+│   └── user/               # User data
+│       ├── api.ts          # Methods: getMe
+│       └── types.ts        # UserResponse, UserProfile
+├── shared/                  # Shared logic and types
+│   ├── base-api.ts         # Base class with common authentication
+│   └── types.ts            # Base types (tokens, session, etc.)
+├── utils/                   # Utilities
+│   ├── auth.ts             # Validation functions and helpers
+│   └── session.ts          # Session management
+├── api.ts                   # Main aggregator class
+├── types.ts                 # Re-exports of all types
+├── http-types.ts           # Raw HTTP types (maintained)
+└── index.ts                # Main exports
+```
+
+## 🔄 Compatibility
+
+The refactoring **maintains full compatibility** with existing code:
+
+```typescript
+// Will continue to work exactly the same
+import { ApiService } from 'authaz-sdk-js'
+
+const client = new ApiService(clientId, clientSecret, authPoolId, organizationId)
+
+// All methods work the same
+const loginResult = await client.login(email, password)
+const userResult = await client.getMe(token)
+```
+
+## 🎯 Refactoring Benefits
+
+### 1. **Separation of Concerns**
+- Each flow has its own class and types
+- More organized and easier to maintain code
+- Less chance of conflicts between functionalities
+
+### 2. **Code Reusability**
+- `BaseApiService` class eliminates duplication
+- Centralized authentication logic
+- Shared configuration across all services
+
+### 3. **Better Developer Experience**
+- More specific types per flow
+- More precise IntelliSense
+- Easier debugging and maintenance
+
+### 4. **Flexibility**
+- Ability to use individual services
+- Easier unit testing
+- Allows future extensions
+
+## 🚀 Advanced Usage (Optional)
+
+For specific cases, you can use individual services:
+
+```typescript
+import {
+  AuthApiService,
+  PasswordResetApiService,
+  SignupApiService,
+  UserApiService
+} from 'authaz-sdk-js'
+
+// Use only the authentication service
+const authService = new AuthApiService(baseUrl, clientId, clientSecret, authPoolId, organizationId)
+const loginResult = await authService.login(email, password)
+
+// Or only password recovery
+const passwordService = new PasswordResetApiService(baseUrl, clientId, clientSecret, authPoolId, organizationId)
+const resetResult = await passwordService.requestPasswordReset(email)
+```
+
+## 📝 Usage Examples
+
+### Complete Authentication
+```typescript
+import { ApiService } from 'authaz-sdk-js'
+
+const client = new ApiService(/* configs */)
+
+// Normal login
+const loginResult = await client.login('user@example.com', 'password')
+
+if (loginResult.status === 'mfa_required') {
+  // Verify MFA
+  const mfaResult = await client.loginVerifyMfa(
+    'user@example.com',
+    '123456',
+    loginResult.challengeToken.value
+  )
+
+  if (mfaResult.status === 'success') {
+    // User authenticated
+    console.log('Access token:', mfaResult.accessToken.value)
+  }
+}
+```
+
+### Password Recovery
+```typescript
+// Request reset
+const requestResult = await client.requestPasswordReset('user@example.com')
+
+// Verify email code
+const verifyResult = await client.verifyPasswordResetCode('user@example.com', '123456')
+
+if (verifyResult.status === 'challenge') {
+  // Needs MFA
+  const mfaResult = await client.forgotPasswordVerifyMfa(
+    'user@example.com',
+    '654321',
+    verifyResult.challengeToken.value
+  )
+}
+
+// Confirm new password
+const confirmResult = await client.confirmPasswordReset(
+  token,
+  'user@example.com',
+  'newPassword123'
+)
+```
+
+## 🔧 Migration (If Needed)
+
+If you were importing specific internal files, update:
+
+```typescript
+// ❌ Before (if you were doing this)
+import { validateToken } from 'authaz-sdk-js/src/auth'
+import { getSession } from 'authaz-sdk-js/src/session'
+
+// ✅ Now
+import { validateToken } from 'authaz-sdk-js'
+import { getSession } from 'authaz-sdk-js'
+```
+
+## 📊 Impact
+
+- **Code removed**: ~400 duplicated lines
+- **Organized files**: 6 → 14 well-structured files
+- **Maintainability**: ↗️ Much better
+- **Performance**: Same (no impact)
+- **Compatibility**: ✅ 100% maintained

package/docs/STATUS-CODES.md

@@ -0,0 +1,141 @@
+# Status Codes - Authaz SDK
+
+This document describes all specific statuses for each operation flow in the Authaz SDK.
+
+## 🔐 Authentication (Auth)
+
+### LoginResponse
+- `success` - Login successful
+- `error` - Generic login error
+- `mfa_required` - MFA is required to complete login
+- `too_many_attempts` - Too many login attempts
+
+### MfaVerifyResponse
+- `success` - MFA verified successfully
+- `error` - Generic MFA verification error
+- `invalid_code` - Invalid MFA code
+- `expired` - MFA token expired
+
+## 📝 Signup
+
+### SignupRequestResponse
+- `success` - Signup request sent successfully
+- `error` - Generic request error
+- `user_already_exists` - User already exists in the system
+- `invalid_email` - Invalid email
+- `password_not_strong_enough` - Password doesn't meet criteria
+
+### SignupConfirmResponse
+- `success` - Signup confirmed successfully
+- `requires_mfa` - MFA is required to complete signup
+- `error` - Generic confirmation error
+- `invalid_code` - Invalid confirmation code
+- `expired` - Confirmation code expired
+- `user_exists` - User already exists
+
+### SignupConfigureMfaResponse
+- `success` - MFA configured successfully
+- `error` - Generic configuration error
+- `unauthorized` - Invalid access token
+- `mfa_already_configured` - MFA already configured
+
+### SignupVerifyMfaResponse
+- `success` - MFA verified successfully during signup
+- `error` - Generic verification error
+- `invalid_code` - Invalid MFA code
+- `expired` - MFA token expired
+- `unauthorized` - Invalid access token
+- `user_exists` - User already exists
+
+## 🔑 Password Reset
+
+### PasswordResetRequestResponse
+- `success` - Reset request sent successfully
+- `error` - Generic request error
+- `user_not_found` - User not found
+- `too_many_requests` - Too many reset requests
+- `email_not_verified` - Email not verified
+
+### PasswordResetVerifyEmailTokenResponse
+- `success` - Code verified successfully
+- `error` - Generic verification error
+- `invalid_code` - Invalid code
+- `challenge` - MFA challenge required
+- `expired` - Code expired
+- `code_already_used` - Code already used
+
+### PasswordResetVerifyMfaResponse
+- `success` - MFA verified successfully during reset
+- `error` - Generic MFA verification error
+- `invalid_code` - Invalid MFA code
+- `expired` - MFA token expired
+- `challenge_token_expired` - Challenge token expired
+- `too_many_attempts` - Too many verification attempts
+
+### PasswordResetConfirmResponse
+- `success` - Password reset successfully
+- `password_not_strong_enough` - New password doesn't meet criteria
+- `error` - Generic confirmation error
+- `token_expired` - Reset token expired
+- `token_invalid` - Reset token invalid
+- `password_recently_used` - Password was recently used
+
+## 👤 User
+
+### UserResponse
+- `success` - User data retrieved successfully
+- `error` - Generic data retrieval error
+- `unauthorized` - Invalid access token
+- `token_expired` - Access token expired
+- `user_not_found` - User not found
+
+## 🔒 Password Policy
+
+### PasswordPolicyResponse
+- `success` - Policy retrieved successfully
+- `error` - Generic policy retrieval error
+- `policy_not_found` - Policy not found
+- `unauthorized` - Unauthorized access
+
+## 🔄 Refresh Token
+
+### RefreshTokenResponse
+- `success` - Token refreshed successfully
+- `error` - Generic refresh error
+- `invalid_refresh_token` - Invalid refresh token
+- `refresh_token_expired` - Refresh token expired
+- `unauthorized` - Unauthorized access
+
+## 💡 Using Status Codes
+
+Each status allows specific handling in the frontend:
+
+```typescript
+const loginResult = await authazClient.login(email, password)
+
+switch (loginResult.status) {
+  case 'success':
+    // Redirect to dashboard
+    break
+  case 'mfa_required':
+    // Show MFA screen
+    showMfaScreen(loginResult.challengeToken)
+    break
+  case 'too_many_attempts':
+    // Show temporary block message
+    showBlockedMessage()
+    break
+  case 'error':
+    // Show generic error
+    showError(loginResult.message)
+    break
+}
+```
+
+## 🔍 Advantages of Specific Status Codes
+
+1. **Precise Handling**: Each scenario can be handled specifically
+2. **Improved UX**: More precise messages and actions for users
+3. **Easier Debugging**: Quick identification of specific issues
+4. **Flexibility**: Adding new statuses without breaking compatibility
+5. **Strong Typing**: TypeScript ensures all cases are handled

package/jest.config.js

@@ -0,0 +1,25 @@
+module.exports = {
+  preset: 'ts-jest',
+  testEnvironment: 'node',
+  roots: ['<rootDir>/src'],
+  testMatch: ['**/__tests__/**/*.ts', '**/?(*.)+(spec|test).ts'],
+  transform: {
+    '^.+\\.ts$': 'ts-jest',
+  },
+  moduleFileExtensions: ['ts', 'js', 'json', 'node'],
+  collectCoverageFrom: [
+    'src/**/*.ts',
+    '!src/**/*.d.ts',
+    '!src/**/__tests__/**',
+  ],
+  coverageDirectory: 'coverage',
+  coverageReporters: ['text', 'lcov'],
+  coverageThreshold: {
+    global: {
+      branches: 80,
+      functions: 80,
+      lines: 80,
+      statements: 80,
+    },
+  },
+} 

package/package.json

@@ -0,0 +1,52 @@
+{
+    "author": "@authaz",
+    "name": "@authaz/next",
+    "version": "0.0.1",
+    "type": "module",
+    "description": "NextJS authaz SDK",
+    "license": "MIT",
+    "main": "dist/index.js",
+    "module": "dist/index.js",
+    "types": "dist/index.d.ts",
+    "exports": {
+        "./*": "./dist/*",
+        "./src/*": "./src/*",
+        ".": {
+            "import": "./dist/index.js",
+            "require": "./dist/index.js",
+            "types": "./dist/index.d.ts",
+            "development": "./src/index.ts"
+        }
+    },
+    "repository": {
+        "type": "git",
+        "url": "git+https://github.com/Authaz/authaz-sdk-js.git"
+    },
+    "scripts": {
+        "build": "tsdown",
+        "prepare": "npm run build",
+        "release:patch": "pnpm version patch && git push origin main --follow-tags",
+        "release:minor": "pnpm version minor && git push origin main --follow-tags",
+        "release:major": "pnpm version major && git push origin main --follow-tags",
+        "release": "pnpm build && pnpm run release:patch"
+    },
+    "keywords": [
+        "auth",
+        "authentication",
+        "authaz",
+        "sdk",
+        "react",
+        "nextjs",
+        "next"
+    ],
+    "peerDependencies": {
+        "react": ">=17",
+        "next": ">=15",
+        "@authaz/sdk": "workspace:*"
+    },
+    "devDependencies": {
+        "@types/node": "24.10.0",
+        "tsdown": "0.15.12",
+        "typescript": "5.9.3"
+    }
+}

package/src/index.tsx

@@ -0,0 +1,34 @@
+import { authaz, UserProfile, validateToken } from "@authaz/sdk";
+import { cookies } from "next/headers";
+
+type SdkConfig = { debug?: boolean; cookies?: { accessToken?: string } };
+
+type AuthazArgs = Parameters<typeof authaz>[0];
+
+export const authazNext = (config: AuthazArgs, args?: SdkConfig) => {
+    const sdk = authaz(config);
+    const isDebug = args?.debug || false;
+
+    const getUserSession = (args?: SdkConfig) => {
+        const accessTokenCookie = args?.cookies?.accessToken || "accessToken";
+        return async (): Promise<UserProfile | null> => {
+            try {
+                const cookieStore = await cookies();
+                const accessToken = cookieStore.get(accessTokenCookie)?.value;
+                if (!accessToken || !validateToken(accessToken)) {
+                    return null;
+                }
+                const response = await sdk.getMe(accessToken);
+                if (response.status !== "success") {
+                    return null;
+                }
+                return response.user;
+            } catch (error) {
+                if (isDebug) console.error("[authaz-sdk] Error on get user session", error);
+                return null;
+            }
+        };
+    };
+
+    return { getUserSession: getUserSession(args), sdk };
+};

package/tsconfig.json

@@ -0,0 +1,12 @@
+{
+    "extends": "../../tsconfig.root.json",
+    "include": ["src/**/*"],
+    "exclude": ["node_modules", "dist", "**/*.test.ts"],
+    "compilerOptions": {
+        "outDir": "./dist",
+        "baseUrl": ".",
+        "paths": {
+            "*": ["src/*"]
+        }
+    }
+}

package/tsdown.config.ts

@@ -0,0 +1,21 @@
+import { defineConfig } from "tsdown";
+
+export default defineConfig({
+    entry: ["./src/index.tsx"],
+    clean: true,
+    format: ["esm"],
+    dts: true,
+    outDir: "dist",
+    treeshake: true,
+    tsconfig: "tsconfig.json",
+    external: [
+        "next",
+        "react",
+        "nookies",
+        "react-dom",
+        "@remix-run/react",
+        "react-router-dom",
+        "react-router",
+        "@tanstack/react-router",
+    ],
+});