@authon/js 0.2.1 → 0.3.0

package/dist/index.js

@@ -1,3 +1,13 @@
+// src/types.ts
+var AuthonMfaRequiredError = class extends Error {
+  mfaToken;
+  constructor(mfaToken) {
+    super("MFA verification required");
+    this.name = "AuthonMfaRequiredError";
+    this.mfaToken = mfaToken;
+  }
+};
+
 // src/modal.ts
 import { DEFAULT_BRANDING } from "@authon/shared";
 
@@ -470,6 +480,9 @@ var SessionManager = class {
       this.scheduleRefresh(tokens.expiresIn);
     }
   }
+  updateUser(user) {
+    this.user = user;
+  }
   clearSession() {
     this.accessToken = null;
     this.refreshToken = null;
@@ -531,6 +544,404 @@ var SessionManager = class {
   }
 };
 
+// src/qrcode.ts
+var EXP = [];
+var LOG = new Array(256).fill(0);
+(() => {
+  let v = 1;
+  for (let i = 0; i < 255; i++) {
+    EXP[i] = v;
+    LOG[v] = i;
+    v <<= 1;
+    if (v & 256) v ^= 285;
+  }
+  for (let i = 255; i < 512; i++) EXP[i] = EXP[i - 255];
+})();
+var gfMul = (a, b) => a && b ? EXP[LOG[a] + LOG[b]] : 0;
+function rsEncode(data, ecLen) {
+  let g = [1];
+  for (let i = 0; i < ecLen; i++) {
+    const ng = new Array(g.length + 1).fill(0);
+    for (let j = 0; j < g.length; j++) {
+      ng[j] ^= gfMul(g[j], EXP[i]);
+      ng[j + 1] ^= g[j];
+    }
+    g = ng;
+  }
+  const rem = new Array(ecLen).fill(0);
+  for (const d of data) {
+    const fb = d ^ rem[0];
+    for (let j = 0; j < ecLen - 1; j++) {
+      rem[j] = rem[j + 1] ^ gfMul(g[ecLen - 1 - j], fb);
+    }
+    rem[ecLen - 1] = gfMul(g[0], fb);
+  }
+  return rem;
+}
+var VER = [
+  { total: 0, ec: 0, g1: 0, g1d: 0, g2: 0, g2d: 0, align: [] },
+  // dummy
+  { total: 26, ec: 7, g1: 1, g1d: 19, g2: 0, g2d: 0, align: [] },
+  { total: 44, ec: 10, g1: 1, g1d: 34, g2: 0, g2d: 0, align: [6, 18] },
+  { total: 70, ec: 15, g1: 1, g1d: 55, g2: 0, g2d: 0, align: [6, 22] },
+  { total: 100, ec: 20, g1: 1, g1d: 80, g2: 0, g2d: 0, align: [6, 26] },
+  { total: 134, ec: 26, g1: 1, g1d: 108, g2: 0, g2d: 0, align: [6, 30] },
+  { total: 172, ec: 18, g1: 2, g1d: 68, g2: 0, g2d: 0, align: [6, 34] },
+  { total: 196, ec: 20, g1: 2, g1d: 78, g2: 0, g2d: 0, align: [6, 22, 38] },
+  { total: 242, ec: 24, g1: 2, g1d: 97, g2: 0, g2d: 0, align: [6, 24, 42] },
+  { total: 292, ec: 30, g1: 2, g1d: 116, g2: 0, g2d: 0, align: [6, 26, 46] },
+  { total: 346, ec: 18, g1: 2, g1d: 68, g2: 2, g2d: 69, align: [6, 28, 50] },
+  { total: 404, ec: 20, g1: 4, g1d: 81, g2: 0, g2d: 0, align: [6, 30, 54] },
+  { total: 466, ec: 24, g1: 2, g1d: 92, g2: 2, g2d: 93, align: [6, 32, 58] },
+  { total: 532, ec: 26, g1: 4, g1d: 107, g2: 0, g2d: 0, align: [6, 34, 62] }
+];
+function dataCapacity(ver) {
+  const v = VER[ver];
+  return v.g1 * v.g1d + v.g2 * v.g2d;
+}
+function pickVersion(byteLen) {
+  for (let v = 1; v < VER.length; v++) {
+    const headerBits = 4 + (v <= 9 ? 8 : 16);
+    const available = dataCapacity(v) * 8 - headerBits;
+    if (byteLen * 8 <= available) return v;
+  }
+  throw new Error(`Data too long for QR code (${byteLen} bytes)`);
+}
+function encodeData(bytes, ver) {
+  const cap = dataCapacity(ver);
+  const countBits = ver <= 9 ? 8 : 16;
+  const bits = [];
+  const push = (val, len) => {
+    for (let i = len - 1; i >= 0; i--) bits.push(val >> i & 1);
+  };
+  push(4, 4);
+  push(bytes.length, countBits);
+  for (const b of bytes) push(b, 8);
+  push(0, Math.min(4, cap * 8 - bits.length));
+  while (bits.length % 8) bits.push(0);
+  const padBytes = [236, 17];
+  let pi = 0;
+  while (bits.length < cap * 8) {
+    push(padBytes[pi], 8);
+    pi ^= 1;
+  }
+  const cw = [];
+  for (let i = 0; i < bits.length; i += 8) {
+    let byte = 0;
+    for (let j = 0; j < 8; j++) byte = byte << 1 | bits[i + j];
+    cw.push(byte);
+  }
+  return cw;
+}
+function computeCodewords(ver, dataCW) {
+  const v = VER[ver];
+  const blocks = [];
+  const ecBlocks = [];
+  let offset = 0;
+  for (let i = 0; i < v.g1; i++) {
+    const block = dataCW.slice(offset, offset + v.g1d);
+    blocks.push(block);
+    ecBlocks.push(rsEncode(block, v.ec));
+    offset += v.g1d;
+  }
+  for (let i = 0; i < v.g2; i++) {
+    const block = dataCW.slice(offset, offset + v.g2d);
+    blocks.push(block);
+    ecBlocks.push(rsEncode(block, v.ec));
+    offset += v.g2d;
+  }
+  const result = [];
+  const maxDataLen = Math.max(v.g1d, v.g2d || 0);
+  for (let i = 0; i < maxDataLen; i++) {
+    for (const block of blocks) {
+      if (i < block.length) result.push(block[i]);
+    }
+  }
+  for (let i = 0; i < v.ec; i++) {
+    for (const block of ecBlocks) result.push(block[i]);
+  }
+  return result;
+}
+var UNSET = -1;
+var DARK = 1;
+var LIGHT = 0;
+function createMatrix(size) {
+  return Array.from({ length: size }, () => new Array(size).fill(UNSET));
+}
+function setModule(m, r, c, dark) {
+  if (r >= 0 && r < m.length && c >= 0 && c < m.length) m[r][c] = dark ? DARK : LIGHT;
+}
+function placeFinderPattern(m, row, col) {
+  for (let r = -1; r <= 7; r++) {
+    for (let c = -1; c <= 7; c++) {
+      const dark = r >= 0 && r <= 6 && c >= 0 && c <= 6 && (r === 0 || r === 6 || c === 0 || c === 6 || r >= 2 && r <= 4 && c >= 2 && c <= 4);
+      setModule(m, row + r, col + c, dark);
+    }
+  }
+}
+function placeAlignmentPattern(m, row, col) {
+  for (let r = -2; r <= 2; r++) {
+    for (let c = -2; c <= 2; c++) {
+      const dark = Math.abs(r) === 2 || Math.abs(c) === 2 || r === 0 && c === 0;
+      m[row + r][col + c] = dark ? DARK : LIGHT;
+    }
+  }
+}
+function isReserved(m, r, c) {
+  return m[r][c] !== UNSET;
+}
+function buildMatrix(ver, codewords) {
+  const size = ver * 4 + 17;
+  const m = createMatrix(size);
+  placeFinderPattern(m, 0, 0);
+  placeFinderPattern(m, 0, size - 7);
+  placeFinderPattern(m, size - 7, 0);
+  for (let i = 8; i < size - 8; i++) {
+    m[6][i] = i % 2 === 0 ? DARK : LIGHT;
+    m[i][6] = i % 2 === 0 ? DARK : LIGHT;
+  }
+  const ap = VER[ver].align;
+  if (ap.length > 0) {
+    for (const r of ap) {
+      for (const c of ap) {
+        if (r <= 8 && c <= 8) continue;
+        if (r <= 8 && c >= size - 8) continue;
+        if (r >= size - 8 && c <= 8) continue;
+        placeAlignmentPattern(m, r, c);
+      }
+    }
+  }
+  m[4 * ver + 9][8] = DARK;
+  for (let i = 0; i < 9; i++) {
+    if (m[8][i] === UNSET) m[8][i] = LIGHT;
+    if (m[i][8] === UNSET) m[i][8] = LIGHT;
+  }
+  for (let i = 0; i < 8; i++) {
+    if (m[8][size - 1 - i] === UNSET) m[8][size - 1 - i] = LIGHT;
+    if (m[size - 1 - i][8] === UNSET) m[size - 1 - i][8] = LIGHT;
+  }
+  if (ver >= 7) {
+    for (let i = 0; i < 6; i++) {
+      for (let j = 0; j < 3; j++) {
+        m[i][size - 11 + j] = LIGHT;
+        m[size - 11 + j][i] = LIGHT;
+      }
+    }
+  }
+  let bitIdx = 0;
+  const totalBits = codewords.length * 8;
+  let upward = true;
+  for (let right = size - 1; right >= 0; right -= 2) {
+    if (right === 6) right = 5;
+    for (let i = 0; i < size; i++) {
+      const row = upward ? size - 1 - i : i;
+      for (const dc of [0, -1]) {
+        const col = right + dc;
+        if (col < 0 || col >= size) continue;
+        if (isReserved(m, row, col)) continue;
+        if (bitIdx < totalBits) {
+          const byteIdx = bitIdx >> 3;
+          const bitPos = 7 - (bitIdx & 7);
+          m[row][col] = codewords[byteIdx] >> bitPos & 1;
+          bitIdx++;
+        } else {
+          m[row][col] = LIGHT;
+        }
+      }
+    }
+    upward = !upward;
+  }
+  return m;
+}
+var MASKS = [
+  (r, c) => (r + c) % 2 === 0,
+  (r) => r % 2 === 0,
+  (_, c) => c % 3 === 0,
+  (r, c) => (r + c) % 3 === 0,
+  (r, c) => (Math.floor(r / 2) + Math.floor(c / 3)) % 2 === 0,
+  (r, c) => r * c % 2 + r * c % 3 === 0,
+  (r, c) => (r * c % 2 + r * c % 3) % 2 === 0,
+  (r, c) => ((r + c) % 2 + r * c % 3) % 2 === 0
+];
+function applyMask(m, maskIdx, template) {
+  const size = m.length;
+  const result = m.map((row) => [...row]);
+  const fn = MASKS[maskIdx];
+  for (let r = 0; r < size; r++) {
+    for (let c = 0; c < size; c++) {
+      if (template[r][c] !== UNSET) continue;
+      if (fn(r, c)) result[r][c] ^= 1;
+    }
+  }
+  return result;
+}
+function penalty(m) {
+  const size = m.length;
+  let score = 0;
+  for (let r = 0; r < size; r++) {
+    let count = 1;
+    for (let c = 1; c < size; c++) {
+      if (m[r][c] === m[r][c - 1]) {
+        count++;
+      } else {
+        if (count >= 5) score += count - 2;
+        count = 1;
+      }
+    }
+    if (count >= 5) score += count - 2;
+  }
+  for (let c = 0; c < size; c++) {
+    let count = 1;
+    for (let r = 1; r < size; r++) {
+      if (m[r][c] === m[r - 1][c]) {
+        count++;
+      } else {
+        if (count >= 5) score += count - 2;
+        count = 1;
+      }
+    }
+    if (count >= 5) score += count - 2;
+  }
+  for (let r = 0; r < size - 1; r++) {
+    for (let c = 0; c < size - 1; c++) {
+      const v = m[r][c];
+      if (v === m[r][c + 1] && v === m[r + 1][c] && v === m[r + 1][c + 1]) score += 3;
+    }
+  }
+  const pat1 = [1, 0, 1, 1, 1, 0, 1, 0, 0, 0, 0];
+  const pat2 = [0, 0, 0, 0, 1, 0, 1, 1, 1, 0, 1];
+  for (let r = 0; r < size; r++) {
+    for (let c = 0; c <= size - 11; c++) {
+      let match1 = true, match2 = true;
+      for (let k = 0; k < 11; k++) {
+        if (m[r][c + k] !== pat1[k]) match1 = false;
+        if (m[r][c + k] !== pat2[k]) match2 = false;
+      }
+      if (match1 || match2) score += 40;
+    }
+  }
+  for (let c = 0; c < size; c++) {
+    for (let r = 0; r <= size - 11; r++) {
+      let match1 = true, match2 = true;
+      for (let k = 0; k < 11; k++) {
+        if (m[r + k][c] !== pat1[k]) match1 = false;
+        if (m[r + k][c] !== pat2[k]) match2 = false;
+      }
+      if (match1 || match2) score += 40;
+    }
+  }
+  let dark = 0;
+  for (let r = 0; r < size; r++) for (let c = 0; c < size; c++) if (m[r][c]) dark++;
+  const pct = dark * 100 / (size * size);
+  const prev5 = Math.floor(pct / 5) * 5;
+  const next5 = prev5 + 5;
+  score += Math.min(Math.abs(prev5 - 50) / 5, Math.abs(next5 - 50) / 5) * 10;
+  return score;
+}
+function bchEncode(data, gen, dataBits) {
+  let d = data << 15 - dataBits;
+  const genLen = Math.floor(Math.log2(gen)) + 1;
+  const totalBits = dataBits + (genLen - 1);
+  d = data << totalBits - dataBits;
+  for (let i = dataBits - 1; i >= 0; i--) {
+    if (d & 1 << i + genLen - 1) d ^= gen << i;
+  }
+  return data << genLen - 1 | d;
+}
+function placeFormatInfo(m, maskIdx) {
+  const size = m.length;
+  const data = 1 << 3 | maskIdx;
+  let format = bchEncode(data, 1335, 5);
+  format ^= 21522;
+  const bits = [];
+  for (let i = 14; i >= 0; i--) bits.push(format >> i & 1);
+  const hPos = [0, 1, 2, 3, 4, 5, 7, 8, size - 8, size - 7, size - 6, size - 5, size - 4, size - 3, size - 2];
+  for (let i = 0; i < 15; i++) m[8][hPos[i]] = bits[i];
+  const vPos = [size - 1, size - 2, size - 3, size - 4, size - 5, size - 6, size - 7, size - 8, 7, 5, 4, 3, 2, 1, 0];
+  for (let i = 0; i < 15; i++) m[vPos[i]][8] = bits[i];
+}
+function placeVersionInfo(m, ver) {
+  if (ver < 7) return;
+  const size = m.length;
+  let info = bchEncode(ver, 7973, 6);
+  for (let i = 0; i < 18; i++) {
+    const bit = info >> i & 1;
+    const r = Math.floor(i / 3);
+    const c = size - 11 + i % 3;
+    m[r][c] = bit;
+    m[c][r] = bit;
+  }
+}
+function generateQrSvg(text, moduleSize = 4) {
+  const bytes = Array.from(new TextEncoder().encode(text));
+  const ver = pickVersion(bytes.length);
+  const dataCW = encodeData(bytes, ver);
+  const allCW = computeCodewords(ver, dataCW);
+  const size = ver * 4 + 17;
+  const template = createMatrix(size);
+  placeFinderPattern(template, 0, 0);
+  placeFinderPattern(template, 0, size - 7);
+  placeFinderPattern(template, size - 7, 0);
+  for (let i = 8; i < size - 8; i++) {
+    template[6][i] = LIGHT;
+    template[i][6] = LIGHT;
+  }
+  const ap = VER[ver].align;
+  for (const r of ap) {
+    for (const c of ap) {
+      if (r <= 8 && c <= 8) continue;
+      if (r <= 8 && c >= size - 8) continue;
+      if (r >= size - 8 && c <= 8) continue;
+      for (let dr = -2; dr <= 2; dr++) for (let dc = -2; dc <= 2; dc++) template[r + dr][c + dc] = LIGHT;
+    }
+  }
+  template[4 * ver + 9][8] = LIGHT;
+  for (let i = 0; i < 9; i++) {
+    if (template[8][i] === UNSET) template[8][i] = LIGHT;
+    if (template[i][8] === UNSET) template[i][8] = LIGHT;
+  }
+  for (let i = 0; i < 8; i++) {
+    if (template[8][size - 1 - i] === UNSET) template[8][size - 1 - i] = LIGHT;
+    if (template[size - 1 - i][8] === UNSET) template[size - 1 - i][8] = LIGHT;
+  }
+  if (ver >= 7) {
+    for (let i = 0; i < 6; i++) for (let j = 0; j < 3; j++) {
+      template[i][size - 11 + j] = LIGHT;
+      template[size - 11 + j][i] = LIGHT;
+    }
+  }
+  const base = buildMatrix(ver, allCW);
+  let bestMask = 0;
+  let bestScore = Infinity;
+  for (let mask = 0; mask < 8; mask++) {
+    const masked = applyMask(base, mask, template);
+    placeFormatInfo(masked, mask);
+    placeVersionInfo(masked, ver);
+    const s = penalty(masked);
+    if (s < bestScore) {
+      bestScore = s;
+      bestMask = mask;
+    }
+  }
+  const final = applyMask(base, bestMask, template);
+  placeFormatInfo(final, bestMask);
+  placeVersionInfo(final, ver);
+  const quiet = 4;
+  const total = size + quiet * 2;
+  const px = total * moduleSize;
+  let svg = `<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 ${total} ${total}" width="${px}" height="${px}" shape-rendering="crispEdges">`;
+  svg += `<rect width="${total}" height="${total}" fill="#fff"/>`;
+  for (let r = 0; r < size; r++) {
+    for (let c = 0; c < size; c++) {
+      if (final[r][c] === DARK) {
+        svg += `<rect x="${c + quiet}" y="${r + quiet}" width="1" height="1" fill="#000"/>`;
+      }
+    }
+  }
+  svg += "</svg>";
+  return svg;
+}
+
 // src/authon.ts
 var Authon = class {
   publishableKey;
@@ -573,10 +984,17 @@ var Authon = class {
     await this.startOAuthFlow(provider, options);
   }
   async signInWithEmail(email, password) {
-    const tokens = await this.apiPost("/v1/auth/signin", { email, password });
-    this.session.setSession(tokens);
-    this.emit("signedIn", tokens.user);
-    return tokens.user;
+    const res = await this.apiPost(
+      "/v1/auth/signin",
+      { email, password }
+    );
+    if (res.mfaRequired && res.mfaToken) {
+      this.emit("mfaRequired", res.mfaToken);
+      throw new AuthonMfaRequiredError(res.mfaToken);
+    }
+    this.session.setSession(res);
+    this.emit("signedIn", res.user);
+    return res.user;
   }
   async signUpWithEmail(email, password, meta) {
     const tokens = await this.apiPost("/v1/auth/signup", {
@@ -604,6 +1022,258 @@ var Authon = class {
     set.add(listener);
     return () => set.delete(listener);
   }
+  // ── MFA ──
+  async setupMfa() {
+    const token = this.session.getToken();
+    if (!token) throw new Error("Must be signed in to setup MFA");
+    const res = await this.apiPostAuth("/v1/auth/mfa/totp/setup", void 0, token);
+    return { ...res, qrCodeSvg: generateQrSvg(res.qrCodeUri) };
+  }
+  async verifyMfaSetup(code) {
+    const token = this.session.getToken();
+    if (!token) throw new Error("Must be signed in to verify MFA setup");
+    await this.apiPostAuth("/v1/auth/mfa/totp/verify-setup", { code }, token);
+  }
+  async verifyMfa(mfaToken, code) {
+    const res = await this.apiPost("/v1/auth/mfa/verify", { mfaToken, code });
+    this.session.setSession(res);
+    this.emit("signedIn", res.user);
+    return res.user;
+  }
+  async disableMfa(code) {
+    const token = this.session.getToken();
+    if (!token) throw new Error("Must be signed in to disable MFA");
+    await this.apiPostAuth("/v1/auth/mfa/disable", { code }, token);
+  }
+  async getMfaStatus() {
+    const token = this.session.getToken();
+    if (!token) throw new Error("Must be signed in to get MFA status");
+    const res = await fetch(`${this.config.apiUrl}/v1/auth/mfa/status`, {
+      headers: {
+        "x-api-key": this.publishableKey,
+        Authorization: `Bearer ${token}`
+      },
+      credentials: "include"
+    });
+    if (!res.ok) throw new Error(await this.parseApiError(res, "/v1/auth/mfa/status"));
+    return res.json();
+  }
+  async regenerateBackupCodes(code) {
+    const token = this.session.getToken();
+    if (!token) throw new Error("Must be signed in to regenerate backup codes");
+    const res = await this.apiPostAuth(
+      "/v1/auth/mfa/backup-codes/regenerate",
+      { code },
+      token
+    );
+    return res.backupCodes;
+  }
+  // ── Passwordless ──
+  async sendMagicLink(email) {
+    await this.apiPost("/v1/auth/passwordless/magic-link", { email });
+  }
+  async sendEmailOtp(email) {
+    await this.apiPost("/v1/auth/passwordless/email-otp", { email });
+  }
+  async verifyPasswordless(options) {
+    const res = await this.apiPost("/v1/auth/passwordless/verify", options);
+    this.session.setSession(res);
+    this.emit("signedIn", res.user);
+    return res.user;
+  }
+  // ── Passkeys ──
+  async registerPasskey(name) {
+    const token = this.session.getToken();
+    if (!token) throw new Error("Must be signed in to register a passkey");
+    const options = await this.apiPostAuth(
+      "/v1/auth/passkeys/register/options",
+      name ? { name } : void 0,
+      token
+    );
+    const credential = await navigator.credentials.create({
+      publicKey: this.deserializeCreationOptions(options.options)
+    });
+    const attestation = credential.response;
+    const result = await this.apiPostAuth(
+      "/v1/auth/passkeys/register/verify",
+      {
+        id: credential.id,
+        rawId: this.bufferToBase64url(credential.rawId),
+        type: credential.type,
+        response: {
+          attestationObject: this.bufferToBase64url(attestation.attestationObject),
+          clientDataJSON: this.bufferToBase64url(attestation.clientDataJSON)
+        }
+      },
+      token
+    );
+    this.emit("passkeyRegistered", result);
+    return result;
+  }
+  async authenticateWithPasskey(email) {
+    const options = await this.apiPost(
+      "/v1/auth/passkeys/authenticate/options",
+      email ? { email } : void 0
+    );
+    const credential = await navigator.credentials.get({
+      publicKey: this.deserializeRequestOptions(options.options)
+    });
+    const assertion = credential.response;
+    const res = await this.apiPost("/v1/auth/passkeys/authenticate/verify", {
+      id: credential.id,
+      rawId: this.bufferToBase64url(credential.rawId),
+      type: credential.type,
+      response: {
+        authenticatorData: this.bufferToBase64url(assertion.authenticatorData),
+        clientDataJSON: this.bufferToBase64url(assertion.clientDataJSON),
+        signature: this.bufferToBase64url(assertion.signature),
+        userHandle: assertion.userHandle ? this.bufferToBase64url(assertion.userHandle) : void 0
+      }
+    });
+    this.session.setSession(res);
+    this.emit("signedIn", res.user);
+    return res.user;
+  }
+  async listPasskeys() {
+    const token = this.session.getToken();
+    if (!token) throw new Error("Must be signed in to list passkeys");
+    return this.apiGetAuth("/v1/auth/passkeys", token);
+  }
+  async renamePasskey(passkeyId, name) {
+    const token = this.session.getToken();
+    if (!token) throw new Error("Must be signed in to rename a passkey");
+    return this.apiPatchAuth(`/v1/auth/passkeys/${passkeyId}`, { name }, token);
+  }
+  async revokePasskey(passkeyId) {
+    const token = this.session.getToken();
+    if (!token) throw new Error("Must be signed in to revoke a passkey");
+    await this.apiDeleteAuth(`/v1/auth/passkeys/${passkeyId}`, token);
+  }
+  // ── Web3 ──
+  async web3GetNonce(address, chain, walletType, chainId) {
+    return this.apiPost("/v1/auth/web3/nonce", {
+      address,
+      chain,
+      walletType,
+      ...chainId != null ? { chainId } : {}
+    });
+  }
+  async web3Verify(message, signature, address, chain, walletType) {
+    const res = await this.apiPost("/v1/auth/web3/verify", {
+      message,
+      signature,
+      address,
+      chain,
+      walletType
+    });
+    this.session.setSession(res);
+    this.emit("signedIn", res.user);
+    return res.user;
+  }
+  async listWallets() {
+    const token = this.session.getToken();
+    if (!token) throw new Error("Must be signed in to list wallets");
+    return this.apiGetAuth("/v1/auth/web3/wallets", token);
+  }
+  async linkWallet(params) {
+    const token = this.session.getToken();
+    if (!token) throw new Error("Must be signed in to link a wallet");
+    const wallet = await this.apiPostAuth("/v1/auth/web3/wallets/link", params, token);
+    this.emit("web3Connected", wallet);
+    return wallet;
+  }
+  async unlinkWallet(walletId) {
+    const token = this.session.getToken();
+    if (!token) throw new Error("Must be signed in to unlink a wallet");
+    await this.apiDeleteAuth(`/v1/auth/web3/wallets/${walletId}`, token);
+  }
+  // ── User Profile ──
+  async updateProfile(data) {
+    const token = this.session.getToken();
+    if (!token) throw new Error("Must be signed in to update profile");
+    const user = await this.apiPatchAuth("/v1/auth/me", data, token);
+    this.session.updateUser(user);
+    return user;
+  }
+  // ── Session Management ──
+  async listSessions() {
+    const token = this.session.getToken();
+    if (!token) throw new Error("Must be signed in to list sessions");
+    return this.apiGetAuth("/v1/auth/me/sessions", token);
+  }
+  async revokeSession(sessionId) {
+    const token = this.session.getToken();
+    if (!token) throw new Error("Must be signed in to revoke a session");
+    await this.apiDeleteAuth(`/v1/auth/me/sessions/${sessionId}`, token);
+  }
+  // ── Organizations ──
+  organizations = {
+    list: async () => {
+      const token = this.session.getToken();
+      if (!token) throw new Error("Must be signed in to list organizations");
+      return this.apiGetAuth("/v1/auth/organizations", token);
+    },
+    create: async (params) => {
+      const token = this.session.getToken();
+      if (!token) throw new Error("Must be signed in to create an organization");
+      return this.apiPostAuth("/v1/auth/organizations", params, token);
+    },
+    get: async (orgId) => {
+      const token = this.session.getToken();
+      if (!token) throw new Error("Must be signed in to get organization");
+      return this.apiGetAuth(`/v1/auth/organizations/${orgId}`, token);
+    },
+    update: async (orgId, params) => {
+      const token = this.session.getToken();
+      if (!token) throw new Error("Must be signed in to update organization");
+      return this.apiPatchAuth(`/v1/auth/organizations/${orgId}`, params, token);
+    },
+    delete: async (orgId) => {
+      const token = this.session.getToken();
+      if (!token) throw new Error("Must be signed in to delete organization");
+      await this.apiDeleteAuth(`/v1/auth/organizations/${orgId}`, token);
+    },
+    getMembers: async (orgId) => {
+      const token = this.session.getToken();
+      if (!token) throw new Error("Must be signed in to get organization members");
+      return this.apiGetAuth(`/v1/auth/organizations/${orgId}/members`, token);
+    },
+    invite: async (orgId, params) => {
+      const token = this.session.getToken();
+      if (!token) throw new Error("Must be signed in to invite a member");
+      return this.apiPostAuth(`/v1/auth/organizations/${orgId}/invitations`, params, token);
+    },
+    getInvitations: async (orgId) => {
+      const token = this.session.getToken();
+      if (!token) throw new Error("Must be signed in to get invitations");
+      return this.apiGetAuth(`/v1/auth/organizations/${orgId}/invitations`, token);
+    },
+    acceptInvitation: async (token) => {
+      const authToken = this.session.getToken();
+      if (!authToken) throw new Error("Must be signed in to accept an invitation");
+      return this.apiPostAuth(`/v1/auth/organizations/invitations/${token}/accept`, void 0, authToken);
+    },
+    rejectInvitation: async (token) => {
+      const authToken = this.session.getToken();
+      if (!authToken) throw new Error("Must be signed in to reject an invitation");
+      await this.apiPostAuth(`/v1/auth/organizations/invitations/${token}/reject`, void 0, authToken);
+    },
+    removeMember: async (orgId, memberId) => {
+      const token = this.session.getToken();
+      if (!token) throw new Error("Must be signed in to remove a member");
+      await this.apiDeleteAuth(`/v1/auth/organizations/${orgId}/members/${memberId}`, token);
+    },
+    updateMemberRole: async (orgId, memberId, role) => {
+      const token = this.session.getToken();
+      if (!token) throw new Error("Must be signed in to update member role");
+      return this.apiPatchAuth(`/v1/auth/organizations/${orgId}/members/${memberId}`, { role }, token);
+    },
+    leave: async (orgId) => {
+      const token = this.session.getToken();
+      if (!token) throw new Error("Must be signed in to leave organization");
+      await this.apiPostAuth(`/v1/auth/organizations/${orgId}/leave`, void 0, token);
+    }
+  };
   destroy() {
     this.modal?.close();
     this.session.destroy();
@@ -894,6 +1564,106 @@ var Authon = class {
     if (!res.ok) throw new Error(await this.parseApiError(res, path));
     return res.json();
   }
+  async apiPostAuth(path, body, token) {
+    const res = await fetch(`${this.config.apiUrl}${path}`, {
+      method: "POST",
+      headers: {
+        "Content-Type": "application/json",
+        "x-api-key": this.publishableKey,
+        Authorization: `Bearer ${token}`
+      },
+      credentials: "include",
+      body: body ? JSON.stringify(body) : void 0
+    });
+    if (!res.ok) throw new Error(await this.parseApiError(res, path));
+    return res.json();
+  }
+  async apiGetAuth(path, token) {
+    const res = await fetch(`${this.config.apiUrl}${path}`, {
+      headers: {
+        "x-api-key": this.publishableKey,
+        Authorization: `Bearer ${token}`
+      },
+      credentials: "include"
+    });
+    if (!res.ok) throw new Error(await this.parseApiError(res, path));
+    return res.json();
+  }
+  async apiPatchAuth(path, body, token) {
+    const res = await fetch(`${this.config.apiUrl}${path}`, {
+      method: "PATCH",
+      headers: {
+        "Content-Type": "application/json",
+        "x-api-key": this.publishableKey,
+        Authorization: `Bearer ${token}`
+      },
+      credentials: "include",
+      body: body ? JSON.stringify(body) : void 0
+    });
+    if (!res.ok) throw new Error(await this.parseApiError(res, path));
+    return res.json();
+  }
+  async apiDeleteAuth(path, token) {
+    const res = await fetch(`${this.config.apiUrl}${path}`, {
+      method: "DELETE",
+      headers: {
+        "x-api-key": this.publishableKey,
+        Authorization: `Bearer ${token}`
+      },
+      credentials: "include"
+    });
+    if (!res.ok) throw new Error(await this.parseApiError(res, path));
+  }
+  // ── WebAuthn helpers ──
+  bufferToBase64url(buffer) {
+    const bytes = new Uint8Array(buffer);
+    let binary = "";
+    for (let i = 0; i < bytes.length; i++) {
+      binary += String.fromCharCode(bytes[i]);
+    }
+    return btoa(binary).replace(/\+/g, "-").replace(/\//g, "_").replace(/=/g, "");
+  }
+  base64urlToBuffer(base64url) {
+    const base64 = base64url.replace(/-/g, "+").replace(/_/g, "/");
+    const padded = base64 + "=".repeat((4 - base64.length % 4) % 4);
+    const binary = atob(padded);
+    const bytes = new Uint8Array(binary.length);
+    for (let i = 0; i < binary.length; i++) {
+      bytes[i] = binary.charCodeAt(i);
+    }
+    return bytes.buffer;
+  }
+  deserializeCreationOptions(options) {
+    const opts = { ...options };
+    if (typeof opts.challenge === "string") {
+      opts.challenge = this.base64urlToBuffer(opts.challenge);
+    }
+    if (opts.user && typeof opts.user.id === "string") {
+      opts.user.id = this.base64urlToBuffer(
+        opts.user.id
+      );
+    }
+    if (Array.isArray(opts.excludeCredentials)) {
+      opts.excludeCredentials = opts.excludeCredentials.map((c) => ({
+        ...c,
+        id: typeof c.id === "string" ? this.base64urlToBuffer(c.id) : c.id
+      }));
+    }
+    return opts;
+  }
+  deserializeRequestOptions(options) {
+    const opts = { ...options };
+    if (typeof opts.challenge === "string") {
+      opts.challenge = this.base64urlToBuffer(opts.challenge);
+    }
+    if (Array.isArray(opts.allowCredentials)) {
+      opts.allowCredentials = opts.allowCredentials.map((c) => ({
+        ...c,
+        id: typeof c.id === "string" ? this.base64urlToBuffer(c.id) : c.id
+      }));
+    }
+    return opts;
+  }
   async parseApiError(res, path) {
     try {
       const body = await res.json();
@@ -910,6 +1680,8 @@ var Authon = class {
 };
 export {
   Authon,
+  AuthonMfaRequiredError,
+  generateQrSvg,
   getProviderButtonConfig
 };
 //# sourceMappingURL=index.js.map