npm - @authms/core - Versions diffs - 0.1.0 - Mend

@authms/core 0.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (29) hide show

package/dist/index.d.mts +398 -0
package/dist/index.d.ts +398 -0
package/dist/index.js +1337 -0
package/dist/index.mjs +1294 -0
package/package.json +48 -0
package/src/__tests__/api-client.test.ts +314 -0
package/src/__tests__/auth-client.test.ts +412 -0
package/src/__tests__/discovery.test.ts +129 -0
package/src/__tests__/password-transmission.test.ts +131 -0
package/src/__tests__/sync.test.ts +85 -0
package/src/__tests__/token-manager.test.ts +104 -0
package/src/api-client.ts +203 -0
package/src/auth-client.ts +368 -0
package/src/authms.ts +244 -0
package/src/binding.ts +126 -0
package/src/crypto/index.ts +6 -0
package/src/crypto/password-transmission.ts +198 -0
package/src/crypto/pow-solver.ts +41 -0
package/src/discovery.ts +77 -0
package/src/errors.ts +44 -0
package/src/index.ts +39 -0
package/src/platform/browser.ts +23 -0
package/src/platform/index.ts +3 -0
package/src/platform/memory.ts +19 -0
package/src/platform/types.ts +21 -0
package/src/plugin.ts +8 -0
package/src/sync.ts +51 -0
package/src/token-manager.ts +140 -0
package/src/types.ts +113 -0

package/dist/index.js ADDED Viewed

@@ -0,0 +1,1337 @@
+"use strict";
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+// src/index.ts
+var index_exports = {};
+__export(index_exports, {
+  ApiClient: () => ApiClient,
+  AuthClient: () => AuthClient,
+  AuthMS: () => AuthMS,
+  AuthmsApiError: () => AuthmsApiError,
+  AuthmsAuthError: () => AuthmsAuthError,
+  AuthmsConfigError: () => AuthmsConfigError,
+  AuthmsError: () => AuthmsError,
+  AuthmsNetworkError: () => AuthmsNetworkError,
+  Discovery: () => Discovery,
+  ERROR_CODES: () => ERROR_CODES,
+  TabSync: () => TabSync,
+  TokenManager: () => TokenManager,
+  browserPlatform: () => browserPlatform,
+  createPlatformBinding: () => createPlatformBinding,
+  memoryPlatform: () => memoryPlatform,
+  processPasswordForTransmission: () => processPasswordForTransmission,
+  solveProofOfWork: () => solveProofOfWork
+});
+module.exports = __toCommonJS(index_exports);
+// src/token-manager.ts
+var STORAGE_PREFIX = "authms_";
+var TokenManager = class {
+  constructor(storage, prefix) {
+    this.changeListeners = /* @__PURE__ */ new Set();
+    this.storage = storage;
+    this.prefix = prefix ?? STORAGE_PREFIX;
+    this.store = this.initialStore();
+  }
+  initialStore() {
+    return {
+      accessToken: null,
+      refreshToken: null,
+      user: null,
+      tenantId: null,
+      expiresAt: null
+    };
+  }
+  storageKey(key) {
+    return `${this.prefix}${key}`;
+  }
+  async load() {
+    try {
+      const raw = await this.storage.getItem(this.storageKey("tokens"));
+      if (raw) {
+        const parsed = JSON.parse(raw);
+        this.store = { ...this.initialStore(), ...parsed };
+      }
+    } catch {
+      this.store = this.initialStore();
+    }
+  }
+  async persist() {
+    try {
+      await this.storage.setItem(this.storageKey("tokens"), JSON.stringify(this.store));
+    } catch {
+    }
+  }
+  getAccessToken() {
+    if (this.store.accessToken && this.isTokenExpired(this.store.accessToken)) {
+      return null;
+    }
+    return this.store.accessToken;
+  }
+  getRefreshToken() {
+    return this.store.refreshToken;
+  }
+  getUser() {
+    return this.store.user;
+  }
+  getTenantId() {
+    return this.store.tenantId;
+  }
+  getExpiresAt() {
+    return this.store.expiresAt;
+  }
+  isAuthenticated() {
+    return !!this.store.accessToken && !this.isTokenExpired(this.store.accessToken);
+  }
+  setTokens(accessToken, refreshToken, expiresIn) {
+    this.store.accessToken = accessToken;
+    this.store.refreshToken = refreshToken;
+    this.store.expiresAt = Date.now() + expiresIn * 1e3;
+    this.notifyListeners(accessToken);
+  }
+  setUser(user) {
+    this.store.user = user;
+  }
+  setTenantId(tenantId) {
+    this.store.tenantId = tenantId;
+  }
+  clear() {
+    this.store = this.initialStore();
+    this.notifyListeners(null);
+  }
+  onTokenChange(listener) {
+    this.changeListeners.add(listener);
+    return () => this.changeListeners.delete(listener);
+  }
+  notifyListeners(token) {
+    this.changeListeners.forEach((fn) => {
+      try {
+        fn(token);
+      } catch {
+      }
+    });
+  }
+  decodeToken(token) {
+    try {
+      const base64Url = token.split(".")[1];
+      const base64 = base64Url.replace(/-/g, "+").replace(/_/g, "/");
+      const json = decodeURIComponent(
+        atob(base64).split("").map((c) => "%" + ("00" + c.charCodeAt(0).toString(16)).slice(-2)).join("")
+      );
+      return JSON.parse(json);
+    } catch {
+      return null;
+    }
+  }
+  isTokenExpired(token) {
+    const claims = this.decodeToken(token);
+    if (!claims?.exp) return true;
+    return Date.now() >= claims.exp * 1e3;
+  }
+  getTokenRemainingTime(token) {
+    const claims = this.decodeToken(token);
+    if (!claims?.exp) return 0;
+    return Math.max(0, claims.exp * 1e3 - Date.now());
+  }
+};
+// src/errors.ts
+var AuthmsError = class extends Error {
+  constructor(code, message, status, detail) {
+    super(message);
+    this.name = "AuthmsError";
+    this.code = code;
+    this.status = status;
+    this.detail = detail;
+  }
+};
+var AuthmsAuthError = class extends AuthmsError {
+  constructor(code, message, status) {
+    super(code, message, status);
+    this.name = "AuthmsAuthError";
+  }
+};
+var AuthmsNetworkError = class extends AuthmsError {
+  constructor(message) {
+    super("NETWORK_ERROR", message, 0);
+    this.name = "AuthmsNetworkError";
+  }
+};
+var AuthmsApiError = class extends AuthmsError {
+  constructor(code, message, status, violations) {
+    super(code, message, status);
+    this.name = "AuthmsApiError";
+    this.violations = violations;
+  }
+};
+var AuthmsConfigError = class extends AuthmsError {
+  constructor(message) {
+    super("CONFIG_ERROR", message, 500);
+    this.name = "AuthmsConfigError";
+  }
+};
+// src/api-client.ts
+function snakeToCamel(str) {
+  return str.replace(/_([a-z])/g, (_, c) => c.toUpperCase());
+}
+function camelToSnake(str) {
+  return str.replace(/[A-Z]/g, (c) => "_" + c.toLowerCase());
+}
+function transformKeys(obj, transform) {
+  if (obj === null || typeof obj !== "object") return obj;
+  if (Array.isArray(obj)) return obj.map((v) => transformKeys(v, transform));
+  const result = {};
+  for (const [k, v] of Object.entries(obj)) {
+    result[transform(k)] = transformKeys(v, transform);
+  }
+  return result;
+}
+function unwrapResponse(data) {
+  if ("data" in data && data.data !== void 0) {
+    return data.data;
+  }
+  if ("items" in data) {
+    return { items: data.items, total: data.total, pagination: data.pagination };
+  }
+  return data;
+}
+var ApiClient = class {
+  constructor(config) {
+    this.refreshPromise = null;
+    this.redirectingToLogin = false;
+    this.baseUrl = config.baseUrl.replace(/\/$/, "");
+    this.tokenManager = config.tokenManager;
+    this.http = config.http;
+    this.refreshTokenFn = config.refreshTokenFn;
+    this.onForceLogout = config.onForceLogout;
+  }
+  async get(path, params) {
+    const url = this.buildUrl(path, params);
+    return this.request(url, { method: "GET" });
+  }
+  async post(path, data) {
+    const url = `${this.baseUrl}${path}`;
+    return this.request(url, {
+      method: "POST",
+      headers: { "Content-Type": "application/json" },
+      body: data ? JSON.stringify(transformKeys(data, camelToSnake)) : void 0
+    });
+  }
+  async put(path, data) {
+    const url = `${this.baseUrl}${path}`;
+    return this.request(url, {
+      method: "PUT",
+      headers: { "Content-Type": "application/json" },
+      body: data ? JSON.stringify(transformKeys(data, camelToSnake)) : void 0
+    });
+  }
+  async delete(path, params) {
+    const url = this.buildUrl(path, params);
+    return this.request(url, { method: "DELETE" });
+  }
+  buildUrl(path, params) {
+    let url = `${this.baseUrl}${path}`;
+    if (params && Object.keys(params).length > 0) {
+      const query = new URLSearchParams();
+      for (const [k, v] of Object.entries(params)) {
+        if (v !== void 0 && v !== null) {
+          query.append(camelToSnake(k), String(v));
+        }
+      }
+      url += "?" + query.toString();
+    }
+    return url;
+  }
+  async request(url, init) {
+    const headers = {
+      ...init.headers || {}
+    };
+    const token = this.tokenManager.getAccessToken();
+    if (token) {
+      headers["Authorization"] = `Bearer ${token}`;
+    }
+    const tenantId = this.tokenManager.getTenantId();
+    if (tenantId) {
+      headers["X-Tenant-ID"] = tenantId;
+    }
+    const requestInit = {
+      ...init,
+      headers
+    };
+    let response;
+    try {
+      response = await this.http.request(url, requestInit);
+    } catch (err) {
+      throw new AuthmsNetworkError(err instanceof Error ? err.message : "Network request failed");
+    }
+    if (response.status === 401 && !url.includes("/api/v1/auth/login") && !url.includes("/api/v1/auth/refresh")) {
+      return this.handle401(url, requestInit);
+    }
+    return this.handleResponse(response);
+  }
+  async handle401(url, requestInit) {
+    if (!this.refreshPromise) {
+      this.refreshPromise = (async () => {
+        try {
+          await this.refreshTokenFn();
+        } catch {
+          this.tokenManager.clear();
+          if (!this.redirectingToLogin) {
+            this.redirectingToLogin = true;
+            this.onForceLogout?.();
+            throw new AuthmsAuthError("SESSION_EXPIRED", "Session expired, please login again", 401);
+          }
+          throw new AuthmsAuthError("REFRESH_FAILED", "Token refresh failed", 401);
+        } finally {
+          this.refreshPromise = null;
+        }
+      })();
+    }
+    await this.refreshPromise;
+    const newToken = this.tokenManager.getAccessToken();
+    if (newToken) {
+      const headers = { ...requestInit.headers };
+      headers["Authorization"] = `Bearer ${newToken}`;
+      const response = await this.http.request(url, { ...requestInit, headers });
+      return this.handleResponse(response);
+    }
+    throw new AuthmsAuthError("NOT_AUTHENTICATED", "Not authenticated", 401);
+  }
+  async handleResponse(response) {
+    if (!response.ok) {
+      await this.handleErrorResponse(response);
+    }
+    if (response.status === 204 || response.headers.get("content-length") === "0") {
+      return void 0;
+    }
+    const json = await response.json();
+    if (json && typeof json === "object" && "code" in json) {
+      const code = String(json.code);
+      if (json.code !== 0) {
+        throw new AuthmsApiError(
+          code,
+          json.message || "API error",
+          response.status
+        );
+      }
+      return transformKeys(unwrapResponse(json), snakeToCamel);
+    }
+    return json;
+  }
+  async handleErrorResponse(response) {
+    try {
+      const json = await response.json();
+      const code = String(json.code ?? response.status);
+      const message = json.message || `HTTP ${response.status}`;
+      throw new AuthmsApiError(code, message, response.status);
+    } catch (e) {
+      if (e instanceof AuthmsError) throw e;
+      throw new AuthmsNetworkError(`HTTP ${response.status}: ${response.statusText}`);
+    }
+  }
+};
+// src/crypto/password-transmission.ts
+var ENCODER = new TextEncoder();
+function base64ToBytes(base64) {
+  const binary = atob(base64);
+  return Uint8Array.from(binary, (c) => c.charCodeAt(0));
+}
+function bytesToHex(bytes) {
+  return Array.from(bytes).map((b) => b.toString(16).padStart(2, "0")).join("");
+}
+async function processPasswordForTransmission(rawPassword, policy, keyExchangeFn) {
+  const mode = policy.mode || "plain";
+  const result = {
+    password: rawPassword,
+    passwordTransmission: mode
+  };
+  switch (mode) {
+    case "hash": {
+      const input = rawPassword + "|" + policy.tenantId;
+      try {
+        const hashBuffer = await crypto.subtle.digest("SHA-256", ENCODER.encode(input));
+        result.password = bytesToHex(new Uint8Array(hashBuffer));
+      } catch {
+        result.password = sha256HexPureJS(input);
+      }
+      result.passwordTransmission = "hash";
+      break;
+    }
+    case "symmetric": {
+      if (!keyExchangeFn) {
+        throw new Error("keyExchangeFn is required for symmetric mode");
+      }
+      const keResult = await keyExchangeFn();
+      const serverPubBytes = base64ToBytes(keResult.serverPubKey);
+      const clientKeyPair = await crypto.subtle.generateKey(
+        { name: "ECDH", namedCurve: "P-256" },
+        false,
+        ["deriveBits"]
+      );
+      const serverPubKey = await crypto.subtle.importKey(
+        "raw",
+        serverPubBytes,
+        { name: "ECDH", namedCurve: "P-256" },
+        false,
+        []
+      );
+      const sharedBits = await crypto.subtle.deriveBits(
+        { name: "ECDH", public: serverPubKey },
+        clientKeyPair.privateKey,
+        256
+      );
+      const aesKey = await crypto.subtle.importKey(
+        "raw",
+        sharedBits,
+        "AES-GCM",
+        false,
+        ["encrypt"]
+      );
+      const iv = crypto.getRandomValues(new Uint8Array(12));
+      const encoded = ENCODER.encode(rawPassword);
+      const ciphertext = await crypto.subtle.encrypt(
+        { name: "AES-GCM", iv },
+        aesKey,
+        encoded
+      );
+      const clientPubRaw = await crypto.subtle.exportKey("raw", clientKeyPair.publicKey);
+      const clientPubBytes = new Uint8Array(clientPubRaw);
+      const combined = new Uint8Array(12 + ciphertext.byteLength + clientPubBytes.byteLength);
+      combined.set(iv, 0);
+      combined.set(new Uint8Array(ciphertext), 12);
+      combined.set(clientPubBytes, 12 + ciphertext.byteLength);
+      result.password = btoa(String.fromCharCode(...Array.from(combined)));
+      result.keyExchangeId = keResult.keyExchangeId;
+      result.clientPubKey = btoa(String.fromCharCode(...Array.from(new Uint8Array(clientPubRaw))));
+      result.passwordTransmission = "symmetric";
+      break;
+    }
+    case "asymmetric": {
+      const publicKeyPem = policy.publicKey;
+      if (!publicKeyPem || publicKeyPem.length < 100) {
+        throw new Error("public_key is required for asymmetric mode");
+      }
+      const pemContents = publicKeyPem.replace("-----BEGIN PUBLIC KEY-----", "").replace("-----END PUBLIC KEY-----", "").replace(/\s/g, "");
+      const derBytes = Uint8Array.from(atob(pemContents), (c) => c.charCodeAt(0));
+      const publicKey = await crypto.subtle.importKey(
+        "spki",
+        derBytes,
+        { name: "RSA-OAEP", hash: "SHA-256" },
+        false,
+        ["encrypt"]
+      );
+      const encoded = ENCODER.encode(rawPassword);
+      const ciphertext = await crypto.subtle.encrypt(
+        { name: "RSA-OAEP" },
+        publicKey,
+        encoded
+      );
+      result.password = btoa(String.fromCharCode(...Array.from(new Uint8Array(ciphertext))));
+      result.passwordTransmission = "asymmetric";
+      break;
+    }
+    default:
+      result.passwordTransmission = "plain";
+      break;
+  }
+  return result;
+}
+function ror(x, n) {
+  return x >>> n | x << 32 - n;
+}
+function sha256HexPureJS(input) {
+  const msg = new TextEncoder().encode(input);
+  const msgBits = msg.length * 8;
+  const buf = new Uint8Array(msg.length + 9 + 63 >>> 6 << 6);
+  buf.set(msg);
+  buf[msg.length] = 128;
+  const view = new DataView(buf.buffer);
+  view.setUint32(buf.length - 4, msgBits);
+  const K = new Uint32Array([
+    1116352408,
+    1899447441,
+    3049323471,
+    3921009573,
+    961987163,
+    1508970993,
+    2453635748,
+    2870763221,
+    3624381080,
+    310598401,
+    607225278,
+    1426881987,
+    1925078388,
+    2162078206,
+    2614888103,
+    3248222580,
+    3835390401,
+    4022224774,
+    264347078,
+    604807628,
+    770255983,
+    1249150122,
+    1555081692,
+    1996064986,
+    2554220882,
+    2821834349,
+    2952996808,
+    3210313671,
+    3336571891,
+    3584528711,
+    113926993,
+    338241895,
+    666307205,
+    773529912,
+    1294757372,
+    1396182291,
+    1695183700,
+    1986661051,
+    2177026350,
+    2456956037,
+    2730485921,
+    2820302411,
+    3259730800,
+    3345764771,
+    3516065817,
+    3600352804,
+    4094571909,
+    275423344,
+    430227734,
+    506948616,
+    659060556,
+    883997877,
+    958139571,
+    1322822218,
+    1537002063,
+    1747873779,
+    1955562222,
+    2024104815,
+    2227730452,
+    2361852424,
+    2428436474,
+    2756734187,
+    3204031479,
+    3329325298
+  ]);
+  const H = new Uint32Array([1779033703, 3144134277, 1013904242, 2773480762, 1359893119, 2600822924, 528734635, 1541459225]);
+  const W = new Uint32Array(64);
+  for (let off = 0; off < buf.length; off += 64) {
+    for (let i = 0; i < 16; i++) W[i] = view.getUint32(off + i * 4);
+    for (let i = 16; i < 64; i++) {
+      const s0 = ror(W[i - 15], 7) ^ ror(W[i - 15], 18) ^ W[i - 15] >>> 3;
+      const s1 = ror(W[i - 2], 17) ^ ror(W[i - 2], 19) ^ W[i - 2] >>> 10;
+      W[i] = W[i - 16] + s0 + W[i - 7] + s1 | 0;
+    }
+    let [a, b, c, d, e, f2, g, h] = H;
+    for (let i = 0; i < 64; i++) {
+      const S1 = ror(e, 6) ^ ror(e, 11) ^ ror(e, 25);
+      const ch = e & f2 ^ ~e & g;
+      const t1 = h + S1 + ch + K[i] + W[i] | 0;
+      const S0 = ror(a, 2) ^ ror(a, 13) ^ ror(a, 22);
+      const maj = a & b ^ a & c ^ b & c;
+      const t2 = S0 + maj | 0;
+      h = g;
+      g = f2;
+      f2 = e;
+      e = d + t1 | 0;
+      d = c;
+      c = b;
+      b = a;
+      a = t1 + t2 | 0;
+    }
+    H[0] = H[0] + a | 0;
+    H[1] = H[1] + b | 0;
+    H[2] = H[2] + c | 0;
+    H[3] = H[3] + d | 0;
+    H[4] = H[4] + e | 0;
+    H[5] = H[5] + f2 | 0;
+    H[6] = H[6] + g | 0;
+    H[7] = H[7] + h | 0;
+  }
+  const digest = new Uint8Array(32);
+  const dv = new DataView(digest.buffer);
+  for (let i = 0; i < 8; i++) dv.setUint32(i * 4, H[i]);
+  return Array.from(digest).map((b) => b.toString(16).padStart(2, "0")).join("");
+}
+// src/crypto/pow-solver.ts
+var SOLVER_TIMEOUT_MS = 5e3;
+async function solveProofOfWork(challenge, difficulty = 4, timeoutMs = SOLVER_TIMEOUT_MS) {
+  const startTime = Date.now();
+  const encoder = new TextEncoder();
+  let nonce = 0;
+  const prefix = "0".repeat(difficulty);
+  while (true) {
+    if (Date.now() - startTime > timeoutMs) {
+      throw new Error("PoW solver timeout");
+    }
+    const data = encoder.encode(challenge + nonce);
+    try {
+      const hash = await crypto.subtle.digest("SHA-256", data);
+      const hex = Array.from(new Uint8Array(hash)).map((b) => b.toString(16).padStart(2, "0")).join("");
+      if (hex.startsWith(prefix)) {
+        return "pow_" + nonce.toString(36);
+      }
+    } catch {
+    }
+    nonce++;
+    if (nonce % 1e3 === 0) {
+      await new Promise((r) => setTimeout(r, 0));
+    }
+  }
+}
+// src/auth-client.ts
+var MAX_CAPTCHA_RETRIES = 3;
+var CACHE_TTL_MS = 5 * 60 * 1e3;
+var AuthClient = class {
+  constructor(config) {
+    this.configCache = /* @__PURE__ */ new Map();
+    this.tokenManager = config.tokenManager;
+    this.http = config.http;
+    this.baseUrl = config.baseUrl;
+    this.keyExchangeFn = config.keyExchangeFn;
+  }
+  async fetchAuthConfig(tenantId) {
+    const key = tenantId || "__default__";
+    const cached = this.configCache.get(key);
+    if (cached && Date.now() - cached.at < CACHE_TTL_MS) {
+      return cached.data;
+    }
+    const path = tenantId ? `/identity/api/v1/public/auth-config/${tenantId}` : "/identity/api/v1/public/auth-config";
+    const response = await this.http.request(`${this.baseUrl}${path}`);
+    const json = await response.json();
+    const data = json.data ?? json;
+    const pp = data.password_policy ?? {};
+    const config = {
+      tenantId: data.tenant_id || "",
+      tenantName: data.tenant_name || "",
+      displayName: data.display_name || "",
+      membershipApproval: data.membership_approval || "open",
+      loginMethods: data.login_methods || [],
+      oauthProviders: data.oauth_providers || [],
+      passwordPolicy: {
+        mode: pp.password_transmission || data.password_transmission || "plain",
+        minLength: pp.min_length || 8,
+        maxLength: pp.max_length || 128,
+        requireUpper: pp.require_upper || false,
+        requireLower: pp.require_lower || false,
+        requireDigit: pp.require_digit || false,
+        requireSpecial: pp.require_special || false,
+        tenantId: data.tenant_id || "",
+        publicKey: data.transmission_public_key || ""
+      },
+      captchaEnabled: data.captcha_enabled || false,
+      captchaProvider: data.captcha_provider || "pow",
+      silentChallengeEnabled: data.silent_challenge_enabled || false,
+      transmissionPublicKey: data.transmission_public_key || "",
+      oauthClientId: data.oauth_client_id || "",
+      passkeyEnabled: data.passkey_enabled || false,
+      magicLinkEnabled: data.magic_link_enabled || false,
+      branding: data.branding ?? null
+    };
+    this.configCache.set(key, { data: config, at: Date.now() });
+    return config;
+  }
+  clearConfigCache() {
+    this.configCache.clear();
+  }
+  async login(credentials) {
+    const authConfig = await this.fetchAuthConfig(credentials.tenantId);
+    let captchaRetries = 0;
+    while (true) {
+      const body = await this.buildLoginBody(credentials, authConfig);
+      if (!body["captcha_token"] && authConfig.silentChallengeEnabled && authConfig.captchaProvider === "pow") {
+        try {
+          const token = await this.solveCaptchaChallenge();
+          body["captcha_token"] = token;
+          body["captcha_provider"] = "pow";
+        } catch {
+        }
+      }
+      const response = await this.http.request(`${this.baseUrl}/identity/api/v1/auth/login`, {
+        method: "POST",
+        headers: { "Content-Type": "application/json" },
+        body: JSON.stringify(body)
+      });
+      if (response.status === 401) {
+        const errJson = await response.json().catch(() => ({}));
+        const code = String(errJson.code ?? "");
+        if (code.includes("captcha") && captchaRetries < MAX_CAPTCHA_RETRIES) {
+          captchaRetries++;
+          continue;
+        }
+        throw new AuthmsAuthError(code, errJson.message || `Login failed`, 401);
+      }
+      if (!response.ok) {
+        const errJson = await response.json().catch(() => ({}));
+        throw new AuthmsAuthError(
+          String(errJson.code ?? response.status),
+          errJson.message || `Login failed`,
+          response.status
+        );
+      }
+      const json = await response.json();
+      return this.handleAuthResponse(json);
+    }
+  }
+  async register(data) {
+    const authConfig = await this.fetchAuthConfig(data.tenantId);
+    const processed = await processPasswordForTransmission(
+      data.password,
+      {
+        mode: authConfig.passwordPolicy.mode,
+        tenantId: authConfig.tenantId || data.tenantId || "",
+        requireUpper: false,
+        minLength: 0,
+        publicKey: authConfig.transmissionPublicKey || ""
+      },
+      this.keyExchangeFn
+    );
+    const body = {
+      ...data,
+      password: processed.password,
+      password_transmission: processed.passwordTransmission
+    };
+    if (processed.keyExchangeId) body.key_exchange_id = processed.keyExchangeId;
+    if (processed.clientPubKey) body.client_pub_key = processed.clientPubKey;
+    const response = await this.http.request(`${this.baseUrl}/identity/api/v1/auth/register`, {
+      method: "POST",
+      headers: { "Content-Type": "application/json" },
+      body: JSON.stringify(body)
+    });
+    if (!response.ok) {
+      const errJson = await response.json().catch(() => ({}));
+      throw new AuthmsAuthError(
+        String(errJson.code ?? response.status),
+        errJson.message || `Registration failed`,
+        response.status
+      );
+    }
+    const json = await response.json();
+    const payload = json.data ?? json;
+    if (payload.access_token) {
+      const result = this.handleAuthResponse(json);
+      return result;
+    }
+    return { user: payload, accessToken: "", refreshToken: "", expiresIn: 0, tokenType: "" };
+  }
+  async changePassword(currentPassword, newPassword) {
+    const authConfig = await this.fetchAuthConfig();
+    const processed = await processPasswordForTransmission(
+      newPassword,
+      {
+        mode: authConfig.passwordPolicy.mode,
+        tenantId: authConfig.tenantId,
+        requireUpper: false,
+        minLength: 0,
+        publicKey: authConfig.transmissionPublicKey || ""
+      },
+      this.keyExchangeFn
+    );
+    const body = {
+      current_password: currentPassword,
+      password: processed.password,
+      password_transmission: processed.passwordTransmission
+    };
+    if (processed.keyExchangeId) body.key_exchange_id = processed.keyExchangeId;
+    if (processed.clientPubKey) body.client_pub_key = processed.clientPubKey;
+    const response = await this.http.request(`${this.baseUrl}/identity/api/v1/auth/me/password`, {
+      method: "PUT",
+      headers: { "Content-Type": "application/json" },
+      body: JSON.stringify(body)
+    });
+    if (!response.ok) {
+      const errJson = await response.json().catch(() => ({}));
+      throw new AuthmsAuthError(
+        String(errJson.code ?? response.status),
+        errJson.message || `Password change failed`,
+        response.status
+      );
+    }
+  }
+  async loginWithOAuth(options) {
+    const redirectUri = options.redirectUri || (typeof window !== "undefined" ? window.location.origin + "/oauth/callback" : "");
+    const params = new URLSearchParams({ provider: options.provider, redirect_uri: redirectUri });
+    if (typeof window !== "undefined") {
+      window.location.href = `${this.baseUrl}/oauth/api/v1/oauth/${options.provider}/authorize?${params.toString()}`;
+    } else {
+      throw new AuthmsAuthError("NOT_BROWSER", "OAuth login requires a browser environment", 400);
+    }
+  }
+  async handleOAuthCallback(url) {
+    const urlObj = new URL(url);
+    const code = urlObj.searchParams.get("code");
+    const state = urlObj.searchParams.get("state");
+    if (!code) throw new AuthmsAuthError("OAUTH_FAILED", "No authorization code in callback URL", 400);
+    const response = await this.http.request(`${this.baseUrl}/oauth/api/v1/oauth/token`, {
+      method: "POST",
+      headers: { "Content-Type": "application/x-www-form-urlencoded" },
+      body: new URLSearchParams({
+        grant_type: "authorization_code",
+        code,
+        state: state ?? "",
+        redirect_uri: typeof window !== "undefined" ? window.location.origin + "/oauth/callback" : ""
+      }).toString()
+    });
+    if (!response.ok) throw new AuthmsNetworkError(`OAuth token exchange failed (${response.status})`);
+    const json = await response.json();
+    return this.handleAuthResponse(json);
+  }
+  async refreshToken() {
+    const refreshToken = this.tokenManager.getRefreshToken();
+    if (!refreshToken) throw new AuthmsAuthError("NO_REFRESH_TOKEN", "No refresh token available", 401);
+    const response = await this.http.request(`${this.baseUrl}/identity/api/v1/auth/refresh`, {
+      method: "POST",
+      headers: { "Content-Type": "application/json" },
+      body: JSON.stringify({ refresh_token: refreshToken })
+    });
+    if (!response.ok) {
+      const errJson = await response.json().catch(() => ({}));
+      const code = String(errJson.code ?? "");
+      if (code.startsWith("400002")) {
+        this.tokenManager.clear();
+        this.tokenManager.persist();
+        throw new AuthmsAuthError("TOKEN_REUSE", "Refresh token reused \u2014 all sessions revoked", 401);
+      }
+      this.tokenManager.clear();
+      this.tokenManager.persist();
+      throw new AuthmsAuthError("REFRESH_FAILED", "Token refresh failed", 401);
+    }
+    const json = await response.json();
+    const data = json.data ?? json;
+    this.tokenManager.setTokens(
+      data.access_token,
+      data.refresh_token || refreshToken,
+      data.expires_in || 900
+    );
+    if (data.user) this.tokenManager.setUser(data.user);
+    this.tokenManager.persist();
+  }
+  async logout() {
+    const accessToken = this.tokenManager.getAccessToken();
+    const refreshToken = this.tokenManager.getRefreshToken();
+    this.tokenManager.clear();
+    this.tokenManager.persist();
+    if (accessToken) {
+      this.http.request(`${this.baseUrl}/identity/api/v1/auth/logout`, {
+        method: "POST",
+        headers: { "Content-Type": "application/json", "Authorization": `Bearer ${accessToken}` },
+        body: JSON.stringify({ refresh_token: refreshToken })
+      }).catch(() => {
+      });
+    }
+    if (typeof window !== "undefined") window.localStorage.removeItem("authms_auth_tokens");
+  }
+  async getProfile() {
+    const response = await this.http.request(`${this.baseUrl}/identity/api/v1/auth/me`, {
+      method: "GET",
+      headers: { "Authorization": `Bearer ${this.tokenManager.getAccessToken()}` }
+    });
+    if (response.status === 401) return null;
+    if (!response.ok) return null;
+    const json = await response.json();
+    const data = json.data ?? json;
+    this.tokenManager.setUser(data);
+    return data;
+  }
+  async buildLoginBody(credentials, authConfig) {
+    const processed = await processPasswordForTransmission(
+      credentials.password,
+      {
+        mode: authConfig.passwordPolicy.mode,
+        tenantId: authConfig.tenantId || credentials.tenantId || "",
+        requireUpper: false,
+        minLength: 0,
+        publicKey: authConfig.transmissionPublicKey || ""
+      },
+      this.keyExchangeFn
+    );
+    const body = {
+      identity: credentials.email || credentials.phone || credentials.username || "",
+      password: processed.password,
+      password_transmission: processed.passwordTransmission
+    };
+    if (credentials.tenantId) body["tenant_id"] = credentials.tenantId;
+    if (processed.keyExchangeId) body["key_exchange_id"] = processed.keyExchangeId;
+    if (processed.clientPubKey) body["client_pub_key"] = processed.clientPubKey;
+    if (credentials.captchaToken) body["captcha_token"] = credentials.captchaToken;
+    if (credentials.captchaProvider) body["captcha_provider"] = credentials.captchaProvider;
+    if (credentials.captchaChallengeId) body["captcha_challenge_id"] = credentials.captchaChallengeId;
+    return body;
+  }
+  async solveCaptchaChallenge() {
+    const challengeResp = await this.http.request(
+      `${this.baseUrl}/identity/api/v1/auth/captcha/challenge?provider=pow&difficulty=4`
+    );
+    const cJson = await challengeResp.json();
+    const cData = cJson.data ?? cJson;
+    const cd = cData.data ?? cData ?? cData;
+    const powChallenge = String(cd.challenge ?? cd["challenge"] ?? "");
+    const difficulty = Number(cd.difficulty ?? cd["difficulty"] ?? 4);
+    return solveProofOfWork(powChallenge, difficulty);
+  }
+  handleAuthResponse(json) {
+    const data = json.data ?? json;
+    const result = {
+      accessToken: data.access_token,
+      refreshToken: data.refresh_token,
+      expiresIn: data.expires_in || 900,
+      tokenType: data.token_type || "Bearer",
+      user: data.user || { id: data.user_id || "" }
+    };
+    this.tokenManager.setTokens(result.accessToken, result.refreshToken, result.expiresIn);
+    this.tokenManager.setUser(result.user);
+    this.tokenManager.persist();
+    return result;
+  }
+};
+// src/discovery.ts
+var Discovery = class {
+  /**
+   * @param http HTTP adapter
+   * @param discoveryBaseUrl discovery 请求使用的基础 URL（proxy 模式用 apiUrl，否则留空用 issuer）
+   */
+  constructor(http, discoveryBaseUrl) {
+    this.metadata = null;
+    this.http = http;
+    this.discoveryBaseUrl = (discoveryBaseUrl || "").replace(/\/bff\/?$/, "").replace(/\/$/, "");
+  }
+  async discover(issuer) {
+    if (this.metadata) return this.metadata;
+    const base = this.discoveryBaseUrl || issuer.replace(/\/$/, "");
+    const url = `${base}/.well-known/openid-configuration`;
+    const response = await this.http.request(url);
+    if (!response.ok) {
+      throw new Error(`OIDC Discovery failed: HTTP ${response.status}`);
+    }
+    const json = await response.json();
+    const metadata = json.data ?? json;
+    if (!metadata.issuer || !metadata.authorization_endpoint || !metadata.token_endpoint) {
+      throw new Error("OIDC Discovery response missing required fields (issuer, authorization_endpoint, token_endpoint)");
+    }
+    this.metadata = metadata;
+    return metadata;
+  }
+  getAuthorizationEndpoint() {
+    return this.metadata?.authorization_endpoint ?? null;
+  }
+  getTokenEndpoint() {
+    return this.metadata?.token_endpoint ?? null;
+  }
+  getEndSessionEndpoint() {
+    return this.metadata?.end_session_endpoint ?? null;
+  }
+  getJWKSUri() {
+    return this.metadata?.jwks_uri ?? null;
+  }
+  getMetadata() {
+    return this.metadata;
+  }
+};
+// src/sync.ts
+var TabSync = class {
+  constructor(onLogout, onTokenChange) {
+    this.channel = null;
+    this.onLogout = onLogout;
+    this.onTokenChange = onTokenChange;
+  }
+  listen() {
+    if (typeof BroadcastChannel === "undefined") return;
+    try {
+      this.channel = new BroadcastChannel("authms:sync");
+      this.channel.onmessage = (event) => {
+        const { type } = event.data;
+        switch (type) {
+          case "LOGOUT":
+            this.onLogout();
+            break;
+          case "TOKEN_REFRESHED":
+          case "LOGIN":
+            this.onTokenChange();
+            break;
+        }
+      };
+    } catch {
+    }
+  }
+  broadcast(type) {
+    if (!this.channel) return;
+    try {
+      this.channel.postMessage({ type, timestamp: Date.now() });
+    } catch {
+    }
+  }
+  close() {
+    if (this.channel) {
+      this.channel.close();
+      this.channel = null;
+    }
+  }
+};
+// src/authms.ts
+var AuthMS = class {
+  constructor(config) {
+    this.tabSync = null;
+    this.eventHandlers = /* @__PURE__ */ new Map();
+    this._ready = false;
+    this._userCache = null;
+    this._authConfig = null;
+    if (!config.appId) throw new AuthmsError("CONFIG_ERROR", "appId is required", 500);
+    if (!config.issuer) throw new AuthmsError("CONFIG_ERROR", "issuer is required", 500);
+    this.config = config;
+    const apiUrl = config.apiUrl ?? config.issuer;
+    this.tokenManager = new TokenManager(config.platform.storage, config.storagePrefix);
+    this.discovery = new Discovery(config.platform.http, config.apiUrl);
+    this.authClient = new AuthClient({
+      tokenManager: this.tokenManager,
+      http: config.platform.http,
+      baseUrl: apiUrl
+    });
+    this.api = new ApiClient({
+      baseUrl: apiUrl,
+      tokenManager: this.tokenManager,
+      http: config.platform.http,
+      refreshTokenFn: () => this.authClient.refreshToken(),
+      onForceLogout: () => {
+        this.emit("LOGGED_OUT");
+        this.tabSync?.broadcast("LOGOUT");
+      }
+    });
+    if (config.syncTabs !== false) {
+      this.tabSync = new TabSync(
+        () => {
+          this.tokenManager.clear();
+          this._userCache = null;
+          this.emit("LOGGED_OUT");
+        },
+        async () => {
+          await this.tokenManager.load();
+          this._userCache = this.tokenManager.getUser();
+          this.emit("TOKEN_CHANGED");
+          this.emit("USER_CHANGED");
+        }
+      );
+      this.tabSync.listen();
+    }
+  }
+  async initialize() {
+    await this.tokenManager.load();
+    try {
+      await this.discovery.discover(this.config.issuer);
+    } catch {
+    }
+    const accessToken = this.tokenManager.getAccessToken();
+    if (accessToken) {
+      this._userCache = this.tokenManager.getUser();
+      if (!this._userCache) {
+        try {
+          this._userCache = await this.authClient.getProfile();
+          if (this._userCache) {
+            this.tokenManager.setUser(this._userCache);
+            this.tokenManager.persist();
+          }
+        } catch {
+          if (!this.tokenManager.isTokenExpired(accessToken)) {
+            const claims = this.tokenManager.decodeToken(accessToken);
+            this._userCache = claims ?? {};
+          }
+        }
+      }
+      this.tokenManager.onTokenChange((token) => {
+        if (!token) {
+          this._userCache = null;
+          this.emit("LOGGED_OUT");
+        }
+        this.emit("TOKEN_CHANGED", { token });
+        this.emit("USER_CHANGED");
+      });
+    }
+    this._ready = true;
+    this.emit("READY");
+    if (this._userCache) {
+      this.emit("USER_CHANGED");
+    }
+  }
+  isReady() {
+    return this._ready;
+  }
+  get user() {
+    return this._userCache ?? this.tokenManager.getUser();
+  }
+  get authConfig() {
+    return this._authConfig;
+  }
+  async fetchAuthConfig(tenantId) {
+    const config = await this.authClient.fetchAuthConfig(tenantId);
+    this._authConfig = config;
+    return config;
+  }
+  async getAccessToken() {
+    const token = this.tokenManager.getAccessToken();
+    if (token) return token;
+    try {
+      await this.authClient.refreshToken();
+      return this.tokenManager.getAccessToken();
+    } catch {
+      return null;
+    }
+  }
+  getRefreshToken() {
+    return this.tokenManager.getRefreshToken();
+  }
+  isAuthenticated() {
+    return this.tokenManager.isAuthenticated();
+  }
+  async login(credentials) {
+    const result = await this.authClient.login(credentials);
+    this._userCache = result.user;
+    this.emit("USER_CHANGED");
+    this.emit("TOKEN_CHANGED");
+    this.tabSync?.broadcast("LOGIN");
+    return result;
+  }
+  async loginWithOAuth(options) {
+    await this.authClient.loginWithOAuth(options);
+  }
+  async handleOAuthCallback(url) {
+    const result = await this.authClient.handleOAuthCallback(url);
+    this._userCache = result.user;
+    this.emit("USER_CHANGED");
+    this.tabSync?.broadcast("LOGIN");
+    return result;
+  }
+  async register(data) {
+    const result = await this.authClient.register(data);
+    if (result.accessToken) {
+      this._userCache = result.user;
+      this.emit("USER_CHANGED");
+      this.tabSync?.broadcast("LOGIN");
+    }
+    return result;
+  }
+  async logout() {
+    await this.authClient.logout();
+    this._userCache = null;
+    this.emit("LOGGED_OUT");
+    this.emit("USER_CHANGED");
+    this.tabSync?.broadcast("LOGOUT");
+  }
+  async getProfile() {
+    return this.authClient.getProfile();
+  }
+  setTenantId(tenantId) {
+    this.tokenManager.setTenantId(tenantId);
+    this.tokenManager.persist();
+    this._authConfig = null;
+    try {
+      this.authClient.clearConfigCache();
+    } catch {
+    }
+  }
+  getTenantId() {
+    return this.tokenManager.getTenantId();
+  }
+  use(plugin) {
+    plugin.install(this);
+  }
+  on(event, handler) {
+    if (!this.eventHandlers.has(event)) {
+      this.eventHandlers.set(event, /* @__PURE__ */ new Set());
+    }
+    this.eventHandlers.get(event).add(handler);
+    return () => this.eventHandlers.get(event)?.delete(handler);
+  }
+  emit(event, ...args) {
+    const handlers = this.eventHandlers.get(event);
+    if (handlers) {
+      handlers.forEach((fn) => {
+        try {
+          fn(...args);
+        } catch {
+        }
+      });
+    }
+  }
+  dispose() {
+    this.tabSync?.close();
+    this.eventHandlers.clear();
+  }
+};
+// src/platform/browser.ts
+var browserPlatform = {
+  storage: {
+    getItem(key) {
+      try {
+        return localStorage.getItem(key);
+      } catch {
+        return null;
+      }
+    },
+    setItem(key, value) {
+      try {
+        localStorage.setItem(key, value);
+      } catch {
+      }
+    },
+    removeItem(key) {
+      try {
+        localStorage.removeItem(key);
+      } catch {
+      }
+    },
+    keys() {
+      try {
+        return Object.keys(localStorage);
+      } catch {
+        return [];
+      }
+    }
+  },
+  http: {
+    request(input, init) {
+      return fetch(input, init);
+    }
+  }
+};
+// src/binding.ts
+function createPlatformBinding(config) {
+  const coreConfig = {
+    appId: config.appId,
+    issuer: config.issuer,
+    apiUrl: config.apiUrl,
+    platform: config.platform || browserPlatform,
+    storagePrefix: config.storagePrefix,
+    syncTabs: config.syncTabs
+  };
+  const authms = new AuthMS(coreConfig);
+  let user = null;
+  let authConfig = null;
+  let ready = false;
+  const changeHandlers = /* @__PURE__ */ new Set();
+  const emitChange = () => {
+    changeHandlers.forEach((fn) => {
+      try {
+        fn();
+      } catch {
+      }
+    });
+  };
+  authms.initialize().then(async () => {
+    user = authms.user;
+    try {
+      authConfig = await authms.fetchAuthConfig();
+    } catch {
+    }
+    ready = true;
+    emitChange();
+  }).catch(() => {
+    ready = true;
+    emitChange();
+  });
+  authms.on("USER_CHANGED", () => {
+    user = authms.user;
+    emitChange();
+  });
+  return {
+    authms,
+    getUser: () => user,
+    getAuthConfig: () => authConfig,
+    isReady: () => ready,
+    isAuthenticated: () => authms.isAuthenticated(),
+    onChange: (handler) => {
+      changeHandlers.add(handler);
+      return () => changeHandlers.delete(handler);
+    },
+    login: (c) => authms.login(c),
+    loginWithOAuth: (o) => authms.loginWithOAuth(o),
+    register: (d) => authms.register(d),
+    logout: () => authms.logout(),
+    getAccessToken: () => authms.getAccessToken(),
+    setTenantId: (id) => authms.setTenantId(id),
+    getTenantId: () => authms.getTenantId(),
+    dispose: () => {
+      changeHandlers.clear();
+      authms.dispose();
+    }
+  };
+}
+// src/platform/memory.ts
+function memoryPlatform() {
+  const store = /* @__PURE__ */ new Map();
+  return {
+    storage: {
+      getItem(key) {
+        return store.get(key) ?? null;
+      },
+      setItem(key, value) {
+        store.set(key, value);
+      },
+      removeItem(key) {
+        store.delete(key);
+      },
+      keys() {
+        return Array.from(store.keys());
+      }
+    },
+    http: {
+      request(_input, _init) {
+        throw new Error("HttpAdapter.request not implemented in memory platform");
+      }
+    }
+  };
+}
+// src/types.ts
+var ERROR_CODES = {
+  CAPTCHA_REQUIRED: "CAPTCHA_REQUIRED",
+  INVALID_CAPTCHA: "INVALID_CAPTCHA",
+  TOKEN_REUSE: "TOKEN_REUSE",
+  SESSION_EXPIRED: "SESSION_EXPIRED",
+  REFRESH_FAILED: "REFRESH_FAILED",
+  NOT_AUTHENTICATED: "NOT_AUTHENTICATED"
+};
+// Annotate the CommonJS export names for ESM import in node:
+0 && (module.exports = {
+  ApiClient,
+  AuthClient,
+  AuthMS,
+  AuthmsApiError,
+  AuthmsAuthError,
+  AuthmsConfigError,
+  AuthmsError,
+  AuthmsNetworkError,
+  Discovery,
+  ERROR_CODES,
+  TabSync,
+  TokenManager,
+  browserPlatform,
+  createPlatformBinding,
+  memoryPlatform,
+  processPasswordForTransmission,
+  solveProofOfWork
+});