npm - @authrim/core - Versions diffs - 0.1.2 → 0.1.3 - Mend

@authrim/core 0.1.2 → 0.1.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (7) hide show

package/dist/index.d.cts CHANGED Viewed

@@ -51,6 +51,14 @@ interface HttpClient {
      */
     fetch<T = unknown>(url: string, options?: HttpOptions): Promise<HttpResponse<T>>;
 }
+/**
+ * HTTP error response body (OAuth 2.0 / OIDC standard)
+ */
+interface OAuthErrorResponse {
+    error: string;
+    error_description?: string;
+    error_uri?: string;
+}
 /**
  * Crypto Provider Interface
@@ -614,7 +622,7 @@ interface AuthrimErrorMeta {
 /**
  * Error codes used by the SDK
  */
-type AuthrimErrorCode = 'invalid_request' | 'unauthorized_client' | 'access_denied' | 'unsupported_response_type' | 'invalid_scope' | 'server_error' | 'temporarily_unavailable' | 'invalid_grant' | 'invalid_token' | 'invalid_state' | 'expired_state' | 'invalid_nonce' | 'nonce_mismatch' | 'session_expired' | 'session_check_failed' | 'network_error' | 'timeout_error' | 'discovery_error' | 'discovery_mismatch' | 'configuration_error' | 'storage_error' | 'flow_engine_error' | 'no_tokens' | 'token_expired' | 'token_error' | 'refresh_error' | 'token_exchange_error' | 'oauth_error' | 'missing_code' | 'missing_state' | 'not_initialized' | 'no_discovery' | 'no_userinfo_endpoint' | 'userinfo_error' | 'introspection_error' | 'revocation_error' | 'no_introspection_endpoint' | 'no_revocation_endpoint' | 'login_required' | 'interaction_required' | 'consent_required' | 'account_selection_required' | 'dom_not_ready' | 'state_mismatch' | 'popup_blocked' | 'popup_closed' | 'invalid_response';
+type AuthrimErrorCode = 'invalid_request' | 'unauthorized_client' | 'access_denied' | 'unsupported_response_type' | 'invalid_scope' | 'server_error' | 'temporarily_unavailable' | 'invalid_grant' | 'invalid_token' | 'invalid_state' | 'expired_state' | 'invalid_nonce' | 'nonce_mismatch' | 'session_expired' | 'session_check_failed' | 'network_error' | 'timeout_error' | 'discovery_error' | 'discovery_mismatch' | 'configuration_error' | 'storage_error' | 'flow_engine_error' | 'no_tokens' | 'token_expired' | 'token_error' | 'refresh_error' | 'token_exchange_error' | 'oauth_error' | 'missing_code' | 'missing_state' | 'not_initialized' | 'no_discovery' | 'no_userinfo_endpoint' | 'userinfo_error' | 'introspection_error' | 'revocation_error' | 'no_introspection_endpoint' | 'no_revocation_endpoint' | 'login_required' | 'interaction_required' | 'consent_required' | 'account_selection_required' | 'dom_not_ready' | 'state_mismatch' | 'popup_blocked' | 'popup_closed' | 'invalid_response' | 'passkey_not_found' | 'passkey_verification_failed' | 'passkey_not_supported' | 'passkey_cancelled' | 'passkey_invalid_credential' | 'email_code_invalid' | 'email_code_expired' | 'email_code_too_many_attempts' | 'challenge_expired' | 'challenge_invalid' | 'auth_code_invalid' | 'auth_code_expired' | 'pkce_mismatch' | 'origin_not_allowed' | 'mfa_required' | 'email_verification_required' | 'consent_required_direct' | 'rate_limited' | 'event_handler_error';
 /**
  * Options for creating an AuthrimError
  */
@@ -685,7 +693,8 @@ interface TokenErrorEvent {
  */
 interface TokenExchangedEvent {
     tokens: TokenSet;
-    issuedTokenType: string;
+    /** Issued token type URI (RFC 8693 standard or custom URI) */
+    issuedTokenType: TokenTypeUri | string;
 }
 /**
  * Session started event data
@@ -808,6 +817,8 @@ declare class StateManager {
     private readonly clientIdHash;
     /** Default TTL: 10 minutes */
     private static readonly DEFAULT_TTL_SECONDS;
+    /** Entropy bytes for state/nonce generation (256 bits = 32 bytes) */
+    private static readonly ENTROPY_BYTES;
     constructor(crypto: CryptoProvider, storage: AuthrimStorage, issuerHash: string, clientIdHash: string);
     /**
      * Generate and store auth state
@@ -980,7 +991,9 @@ declare class AuthorizationCodeFlow {
      *
      * @param callbackUrl - Callback URL or query string
      * @returns Parsed code and state
-     * @throws AuthrimError if code or state is missing, or if error is present
+     * @throws AuthrimError with code 'oauth_error' if OAuth error response is present
+     * @throws AuthrimError with code 'missing_code' if authorization code is not found
+     * @throws AuthrimError with code 'missing_state' if state parameter is not found
      */
     parseCallback(callbackUrl: string): {
         code: string;
@@ -992,7 +1005,9 @@ declare class AuthorizationCodeFlow {
      * @param discovery - OIDC discovery document
      * @param options - Exchange options
      * @returns Token set
-     * @throws AuthrimError if exchange fails or nonce validation fails
+     * @throws AuthrimError with code 'network_error' if token request fails
+     * @throws AuthrimError with code 'token_error' if token exchange fails
+     * @throws AuthrimError with code 'nonce_mismatch' if ID token nonce validation fails
      */
     exchangeCode(discovery: OIDCDiscoveryDocument, options: ExchangeCodeOptions): Promise<TokenSet>;
 }
@@ -1811,7 +1826,7 @@ declare class TokenManager {
      * Perform refresh with single retry for network errors
      *
      * @param refreshToken - Refresh token to use
-     * @param attemptedRetry - Whether retry has been attempted (stack-local)
+     * @param attemptedRetry - Internal flag to prevent infinite recursion (do not pass externally)
      * @returns New token set
      */
     private doRefreshWithRetry;
@@ -1975,6 +1990,7 @@ declare function base64urlEncode(data: Uint8Array): string;
  *
  * @param str - Base64URL encoded string
  * @returns Decoded bytes
+ * @throws Error if the input contains invalid characters
  */
 declare function base64urlDecode(str: string): Uint8Array;
 /**
@@ -2087,4 +2103,576 @@ declare function getIdTokenNonce(idToken: string): string | undefined;
  */
 declare function calculateDsHash(deviceSecret: string, crypto: CryptoProvider): Promise<string>;
-export { type AddressClaim, type AuthCallbackEvent, type AuthRedirectingEvent, type AuthState, AuthorizationCodeFlow, type AuthorizationContext, type AuthorizationUrlResult, AuthrimClient, type AuthrimClientConfig, AuthrimError, type AuthrimErrorCode, type AuthrimErrorMeta, type AuthrimErrorOptions, type AuthrimErrorSeverity, type AuthrimErrorUserAction, type AuthrimEventHandler, type AuthrimEventName, type AuthrimEvents, type AuthrimStorage, type BuildAuthorizationUrlOptions, type CodeChallengeMethod, type CryptoProvider, type DecodedJwt, DiscoveryClient, type EndpointOverrides, type ErrorEvent, EventEmitter, type ExchangeCodeOptions, type GenerateAuthStateOptions, type HashOptions, type HttpClient, type HttpOptions, type HttpResponse, type IntrospectTokenOptions, type IntrospectionResponse, type IntrospectionTokenTypeHint, type JwtHeader, LogoutHandler, type LogoutHandlerOptions, type LogoutOptions, type LogoutResult, type OIDCDiscoveryDocument, PKCEHelper, type PKCEPair, type ResolvedConfig, type RevokeTokenOptions, STORAGE_KEYS, type SessionCheckResult, type SessionEndedEvent, SessionManager, type SessionManagerOptions, type SessionStartedEvent, SilentAuthHandler, type SilentAuthOptions, type SilentAuthResult, type SilentAuthUrlResult, type StandardClaims, StateManager, TOKEN_TYPE_URIS, TokenApiClient, type TokenApiClientOptions, type TokenErrorEvent, type TokenExchangeRequest, type TokenExchangeResponse, type TokenExchangeResult, type TokenExchangedEvent, type TokenExpiredEvent, TokenIntrospector, type TokenIntrospectorOptions, TokenManager, type TokenManagerOptions, type TokenRefreshedEvent, type TokenResponse, TokenRevoker, type TokenRevokerOptions, type TokenSet, type TokenTypeHint, type TokenTypeUri, type UserInfo, base64urlDecode, base64urlEncode, base64urlToString, calculateDsHash, createAuthrimClient, decodeIdToken, decodeJwt, getErrorMeta, getIdTokenNonce, isJwtExpired, normalizeIssuer, resolveConfig, stringToBase64url };
+/**
+ * Timing-Safe Comparison Utilities
+ *
+ * Provides constant-time string comparison to prevent timing attacks.
+ * Used for comparing security-sensitive values like nonces and states.
+ */
+/**
+ * Compare two strings in constant time
+ *
+ * This function always takes the same amount of time regardless of
+ * where the strings differ, preventing timing attacks.
+ *
+ * @param a - First string
+ * @param b - Second string
+ * @returns true if strings are equal, false otherwise
+ */
+declare function timingSafeEqual(a: string, b: string): boolean;
+/**
+ * Direct Authentication API Types
+ *
+ * Simple and intuitive BetterAuth-style API type definitions
+ * for calling Authrim API directly from custom login pages.
+ */
+/**
+ * Authenticator transport type
+ */
+type AuthenticatorTransportType = 'usb' | 'nfc' | 'ble' | 'internal' | 'hybrid';
+/**
+ * User verification requirement
+ */
+type UserVerificationRequirementType = 'required' | 'preferred' | 'discouraged';
+/**
+ * Authenticator attachment
+ */
+type AuthenticatorAttachmentType = 'platform' | 'cross-platform';
+/**
+ * Resident key requirement
+ */
+type ResidentKeyRequirementType = 'required' | 'preferred' | 'discouraged';
+/**
+ * Attestation conveyance preference
+ */
+type AttestationConveyancePreferenceType = 'none' | 'indirect' | 'direct' | 'enterprise';
+/**
+ * Public key credential type
+ */
+type PublicKeyCredentialType = 'public-key';
+/**
+ * COSE algorithm identifier
+ */
+type COSEAlgorithmIdentifier = -7 | -257 | -8 | -35 | -36 | -37 | -38 | -39 | number;
+/**
+ * Public key credential parameters
+ */
+interface PublicKeyCredentialParametersType {
+    type: PublicKeyCredentialType;
+    alg: COSEAlgorithmIdentifier;
+}
+/**
+ * Relying party entity
+ */
+interface PublicKeyCredentialRpEntityType {
+    id?: string;
+    name: string;
+}
+/**
+ * Authenticator selection criteria
+ */
+interface AuthenticatorSelectionCriteriaType {
+    authenticatorAttachment?: AuthenticatorAttachmentType;
+    residentKey?: ResidentKeyRequirementType;
+    requireResidentKey?: boolean;
+    userVerification?: UserVerificationRequirementType;
+}
+/**
+ * Authentication extensions client inputs
+ */
+interface AuthenticationExtensionsClientInputsType {
+    credProps?: boolean;
+    appid?: string;
+    [key: string]: unknown;
+}
+/**
+ * Social login provider
+ */
+type SocialProvider = 'google' | 'github' | 'apple' | 'microsoft' | 'facebook';
+/**
+ * MFA method
+ */
+type MfaMethod = 'totp' | 'sms' | 'email' | 'passkey';
+/**
+ * User information
+ */
+interface User {
+    /** User ID */
+    id: string;
+    /** Email address */
+    email?: string;
+    /** Whether email is verified */
+    emailVerified?: boolean;
+    /** Display name */
+    name?: string;
+    /** Profile picture URL */
+    picture?: string;
+    /** Username */
+    username?: string;
+    /** Additional claims */
+    [key: string]: unknown;
+}
+/**
+ * Session information
+ */
+interface Session {
+    /** Session ID */
+    id: string;
+    /** User ID */
+    userId: string;
+    /** Session creation time (ISO 8601) */
+    createdAt: string;
+    /** Session expiration time (ISO 8601) */
+    expiresAt: string;
+    /** Last activity time (ISO 8601) */
+    lastActiveAt?: string;
+    /** User agent that created the session */
+    userAgent?: string;
+    /** IP address (for display purposes only, not for security) */
+    ipAddress?: string;
+}
+/**
+ * Next action required after authentication
+ */
+type NextAction = {
+    type: 'mfa_required';
+    methods: MfaMethod[];
+} | {
+    type: 'consent_required';
+    scopes: string[];
+} | {
+    type: 'email_verification_required';
+};
+/**
+ * Authentication result (tokens are not returned directly for security)
+ */
+interface AuthResult {
+    /** Authentication success flag */
+    success: boolean;
+    /** Session information (on success) */
+    session?: Session;
+    /** User information (on success) */
+    user?: User;
+    /** Error information (on failure) */
+    error?: DirectAuthError;
+    /** Additional action required */
+    nextAction?: NextAction;
+}
+/**
+ * Direct Auth error structure (OAuth 2.0 extension)
+ */
+interface DirectAuthError {
+    /** OAuth 2.0 error code */
+    error: string;
+    /** Human-readable error description */
+    error_description?: string;
+    /** URI with more information about the error */
+    error_uri?: string;
+    /** Authrim error code (AR000001 format) */
+    code: string;
+    /** Error metadata */
+    meta: {
+        /** Whether the error can be retried */
+        retryable: boolean;
+        /** Whether the error is transient */
+        transient?: boolean;
+        /** Suggested user action */
+        user_action?: 'login' | 'reauth' | 'retry' | 'contact_admin';
+        /** Error severity */
+        severity: 'info' | 'warn' | 'error' | 'critical';
+        /** Retry after (seconds) */
+        retry_after?: number;
+    };
+}
+/**
+ * Passkey login options
+ */
+interface PasskeyLoginOptions {
+    /** Use conditional UI (autofill) */
+    conditional?: boolean;
+    /** Mediation preference */
+    mediation?: 'conditional' | 'optional' | 'required' | 'silent';
+    /** Abort signal for cancellation */
+    signal?: AbortSignal;
+}
+/**
+ * Passkey sign-up options
+ */
+interface PasskeySignUpOptions {
+    /** User email */
+    email: string;
+    /** User display name */
+    displayName?: string;
+    /** Preferred authenticator type */
+    authenticatorType?: 'platform' | 'cross-platform' | 'any';
+    /** Resident key requirement */
+    residentKey?: 'required' | 'preferred' | 'discouraged';
+    /** User verification requirement */
+    userVerification?: 'required' | 'preferred' | 'discouraged';
+    /** Abort signal for cancellation */
+    signal?: AbortSignal;
+}
+/**
+ * Passkey register options (for adding to existing account)
+ */
+interface PasskeyRegisterOptions {
+    /** Passkey display name */
+    displayName?: string;
+    /** Preferred authenticator type */
+    authenticatorType?: 'platform' | 'cross-platform' | 'any';
+    /** Resident key requirement */
+    residentKey?: 'required' | 'preferred' | 'discouraged';
+    /** User verification requirement */
+    userVerification?: 'required' | 'preferred' | 'discouraged';
+    /** Abort signal for cancellation */
+    signal?: AbortSignal;
+}
+/**
+ * Passkey credential (returned after registration)
+ */
+interface PasskeyCredential {
+    /** Credential ID (base64url) */
+    credentialId: string;
+    /** Public key (COSE format, base64url) */
+    publicKey: string;
+    /** Authenticator type */
+    authenticatorType: 'platform' | 'cross-platform';
+    /** Transports (usb, nfc, ble, internal, etc.) */
+    transports?: AuthenticatorTransportType[];
+    /** When the credential was created */
+    createdAt: string;
+    /** User-friendly name */
+    displayName?: string;
+}
+/**
+ * Email code send options
+ */
+interface EmailCodeSendOptions {
+    /** Email locale for the message */
+    locale?: string;
+    /** Code length (default: 6) */
+    codeLength?: 6 | 8;
+}
+/**
+ * Email code send result
+ */
+interface EmailCodeSendResult {
+    /** Attempt ID for verification */
+    attemptId: string;
+    /** Code expiration time (seconds) */
+    expiresIn: number;
+    /** Masked email for display */
+    maskedEmail: string;
+    /** Whether this is a new user */
+    isNewUser?: boolean;
+}
+/**
+ * Email code verify options
+ */
+interface EmailCodeVerifyOptions {
+    /** Create account if user doesn't exist */
+    createAccountIfNotExists?: boolean;
+}
+/**
+ * Social login options
+ */
+interface SocialLoginOptions {
+    /** Redirect URI after authentication */
+    redirectUri?: string;
+    /** Additional OAuth scopes */
+    scopes?: string[];
+    /** Custom state parameter */
+    state?: string;
+    /** Login hint (e.g., email address) */
+    loginHint?: string;
+    /** Popup window features */
+    popupFeatures?: {
+        width?: number;
+        height?: number;
+    };
+}
+/**
+ * Logout options
+ */
+interface DirectAuthLogoutOptions {
+    /** Revoke refresh tokens */
+    revokeTokens?: boolean;
+    /** Post-logout redirect URI */
+    redirectUri?: string;
+}
+/**
+ * Passkey login start request
+ */
+interface PasskeyLoginStartRequest {
+    client_id: string;
+    code_challenge: string;
+    code_challenge_method: 'S256';
+}
+/**
+ * Passkey login start response
+ */
+interface PasskeyLoginStartResponse {
+    /** Challenge ID (5 min TTL) */
+    challenge_id: string;
+    /** WebAuthn options */
+    options: PublicKeyCredentialRequestOptionsJSON;
+}
+/**
+ * Passkey login finish request
+ */
+interface PasskeyLoginFinishRequest {
+    challenge_id: string;
+    credential: AuthenticatorAssertionResponseJSON;
+    code_verifier: string;
+}
+/**
+ * Passkey login finish response
+ */
+interface PasskeyLoginFinishResponse {
+    /** Authorization code (60s TTL, single-use) */
+    auth_code: string;
+}
+/**
+ * Passkey signup start request
+ */
+interface PasskeySignupStartRequest {
+    client_id: string;
+    email: string;
+    display_name?: string;
+    code_challenge: string;
+    code_challenge_method: 'S256';
+    authenticator_type?: 'platform' | 'cross-platform' | 'any';
+    resident_key?: 'required' | 'preferred' | 'discouraged';
+    user_verification?: 'required' | 'preferred' | 'discouraged';
+}
+/**
+ * Passkey signup start response
+ */
+interface PasskeySignupStartResponse {
+    /** Challenge ID (5 min TTL) */
+    challenge_id: string;
+    /** WebAuthn creation options */
+    options: PublicKeyCredentialCreationOptionsJSON;
+}
+/**
+ * Passkey signup finish request
+ */
+interface PasskeySignupFinishRequest {
+    challenge_id: string;
+    credential: AuthenticatorAttestationResponseJSON;
+    code_verifier: string;
+}
+/**
+ * Passkey signup finish response
+ */
+interface PasskeySignupFinishResponse {
+    /** Authorization code (60s TTL, single-use) */
+    auth_code: string;
+    /** Whether the user was newly created */
+    is_new_user: boolean;
+}
+/**
+ * Email code send request
+ */
+interface EmailCodeSendRequest {
+    client_id: string;
+    email: string;
+    code_challenge: string;
+    code_challenge_method: 'S256';
+    locale?: string;
+}
+/**
+ * Email code send response
+ */
+interface EmailCodeSendResponse {
+    /** Attempt ID (5 min TTL) */
+    attempt_id: string;
+    /** Code expiration (seconds) */
+    expires_in: number;
+    /** Masked email */
+    masked_email: string;
+}
+/**
+ * Email code verify request
+ */
+interface EmailCodeVerifyRequest {
+    attempt_id: string;
+    code: string;
+    code_verifier: string;
+}
+/**
+ * Email code verify response
+ */
+interface EmailCodeVerifyResponse {
+    /** Authorization code (60s TTL, single-use) */
+    auth_code: string;
+    /** Whether the user was newly created */
+    is_new_user: boolean;
+}
+/**
+ * Token exchange request (Direct Auth)
+ */
+interface DirectAuthTokenRequest {
+    grant_type: 'authorization_code';
+    code: string;
+    client_id: string;
+    code_verifier: string;
+    /** Whether to request refresh token (for SPA opt-in) */
+    request_refresh_token?: boolean;
+}
+/**
+ * Token exchange response (OAuth 2.0 extension)
+ *
+ * Unified structure for Web/Mobile, differentiated by flags.
+ */
+interface DirectAuthTokenResponse {
+    /** Token type (always 'Bearer') */
+    token_type: 'Bearer';
+    /** Access token */
+    access_token: string;
+    /** Token expiration (seconds) */
+    expires_in: number;
+    /** Refresh token (Mobile, or SPA with opt-in) */
+    refresh_token?: string;
+    /** ID token */
+    id_token?: string;
+    /** Granted scopes */
+    scope?: string;
+    /** Whether session is established via Cookie (Web) */
+    session_established: boolean;
+    /** Session information */
+    session?: Session;
+    /** User information */
+    user?: User;
+}
+/**
+ * PublicKeyCredentialRequestOptions as JSON
+ */
+interface PublicKeyCredentialRequestOptionsJSON {
+    challenge: string;
+    timeout?: number;
+    rpId?: string;
+    allowCredentials?: PublicKeyCredentialDescriptorJSON[];
+    userVerification?: UserVerificationRequirementType;
+    extensions?: AuthenticationExtensionsClientInputsType;
+}
+/**
+ * PublicKeyCredentialCreationOptions as JSON
+ */
+interface PublicKeyCredentialCreationOptionsJSON {
+    rp: PublicKeyCredentialRpEntityType;
+    user: PublicKeyCredentialUserEntityJSON;
+    challenge: string;
+    pubKeyCredParams: PublicKeyCredentialParametersType[];
+    timeout?: number;
+    excludeCredentials?: PublicKeyCredentialDescriptorJSON[];
+    authenticatorSelection?: AuthenticatorSelectionCriteriaType;
+    attestation?: AttestationConveyancePreferenceType;
+    extensions?: AuthenticationExtensionsClientInputsType;
+}
+/**
+ * PublicKeyCredentialDescriptor as JSON
+ */
+interface PublicKeyCredentialDescriptorJSON {
+    type: PublicKeyCredentialType;
+    id: string;
+    transports?: AuthenticatorTransportType[];
+}
+/**
+ * PublicKeyCredentialUserEntity as JSON
+ */
+interface PublicKeyCredentialUserEntityJSON {
+    id: string;
+    name: string;
+    displayName: string;
+}
+/**
+ * AuthenticatorAssertionResponse as JSON
+ */
+interface AuthenticatorAssertionResponseJSON {
+    clientDataJSON: string;
+    authenticatorData: string;
+    signature: string;
+    userHandle?: string;
+}
+/**
+ * AuthenticatorAttestationResponse as JSON
+ */
+interface AuthenticatorAttestationResponseJSON {
+    clientDataJSON: string;
+    attestationObject: string;
+    transports?: AuthenticatorTransportType[];
+}
+/**
+ * Direct Auth client configuration
+ */
+interface DirectAuthClientConfig {
+    /** Authrim IdP URL */
+    issuer: string;
+    /** OAuth client ID */
+    clientId: string;
+    /** Default redirect URI */
+    redirectUri?: string;
+}
+/**
+ * Passkey authentication interface
+ */
+interface PasskeyAuth {
+    /** Login with Passkey */
+    login(options?: PasskeyLoginOptions): Promise<AuthResult>;
+    /** Sign up with Passkey (create account + register Passkey) */
+    signUp(options: PasskeySignUpOptions): Promise<AuthResult>;
+    /** Register a Passkey to existing account (requires authentication) */
+    register(options?: PasskeyRegisterOptions): Promise<PasskeyCredential>;
+    /** Check if WebAuthn is supported */
+    isSupported(): boolean;
+    /** Check if conditional UI (autofill) is available */
+    isConditionalUIAvailable(): Promise<boolean>;
+}
+/**
+ * Email code authentication interface
+ */
+interface EmailCodeAuth {
+    /** Send verification code to email */
+    send(email: string, options?: EmailCodeSendOptions): Promise<EmailCodeSendResult>;
+    /** Verify code and authenticate */
+    verify(email: string, code: string, options?: EmailCodeVerifyOptions): Promise<AuthResult>;
+}
+/**
+ * Social login interface
+ */
+interface SocialAuth {
+    /** Login with social provider (popup) */
+    loginWithPopup(provider: SocialProvider, options?: SocialLoginOptions): Promise<AuthResult>;
+    /** Login with social provider (redirect) */
+    loginWithRedirect(provider: SocialProvider, options?: SocialLoginOptions): Promise<void>;
+    /** Handle callback from social provider (redirect) */
+    handleCallback(): Promise<AuthResult>;
+}
+/**
+ * Session management interface
+ */
+interface SessionAuth {
+    /** Get current session */
+    get(): Promise<Session | null>;
+    /** Validate session */
+    validate(): Promise<boolean>;
+    /** Logout */
+    logout(options?: DirectAuthLogoutOptions): Promise<void>;
+}
+/**
+ * Direct Auth client interface (BetterAuth style)
+ */
+interface DirectAuthClient {
+    /** Passkey authentication */
+    passkey: PasskeyAuth;
+    /** Email code authentication */
+    emailCode: EmailCodeAuth;
+    /** Social login */
+    social: SocialAuth;
+    /** Session management */
+    session: SessionAuth;
+}
+export { type AddressClaim, type AttestationConveyancePreferenceType, type AuthCallbackEvent, type AuthRedirectingEvent, type AuthResult, type AuthState, type AuthenticationExtensionsClientInputsType, type AuthenticatorAssertionResponseJSON, type AuthenticatorAttachmentType, type AuthenticatorAttestationResponseJSON, type AuthenticatorSelectionCriteriaType, type AuthenticatorTransportType, AuthorizationCodeFlow, type AuthorizationContext, type AuthorizationUrlResult, AuthrimClient, type AuthrimClientConfig, AuthrimError, type AuthrimErrorCode, type AuthrimErrorMeta, type AuthrimErrorOptions, type AuthrimErrorSeverity, type AuthrimErrorUserAction, type AuthrimEventHandler, type AuthrimEventName, type AuthrimEvents, type AuthrimStorage, type BuildAuthorizationUrlOptions, type COSEAlgorithmIdentifier, type CodeChallengeMethod, type CryptoProvider, type DecodedJwt, type DirectAuthClient, type DirectAuthClientConfig, type DirectAuthError, type DirectAuthLogoutOptions, type DirectAuthTokenRequest, type DirectAuthTokenResponse, DiscoveryClient, type EmailCodeAuth, type EmailCodeSendOptions, type EmailCodeSendRequest, type EmailCodeSendResponse, type EmailCodeSendResult, type EmailCodeVerifyOptions, type EmailCodeVerifyRequest, type EmailCodeVerifyResponse, type EndpointOverrides, type ErrorEvent, EventEmitter, type ExchangeCodeOptions, type GenerateAuthStateOptions, type HashOptions, type HttpClient, type HttpOptions, type HttpResponse, type IntrospectTokenOptions, type IntrospectionResponse, type IntrospectionTokenTypeHint, type JwtHeader, LogoutHandler, type LogoutHandlerOptions, type LogoutOptions, type LogoutResult, type MfaMethod, type NextAction, type OAuthErrorResponse, type OIDCDiscoveryDocument, PKCEHelper, type PKCEPair, type PasskeyAuth, type PasskeyCredential, type PasskeyLoginFinishRequest, type PasskeyLoginFinishResponse, type PasskeyLoginOptions, type PasskeyLoginStartRequest, type PasskeyLoginStartResponse, type PasskeyRegisterOptions, type PasskeySignUpOptions, type PasskeySignupFinishRequest, type PasskeySignupFinishResponse, type PasskeySignupStartRequest, type PasskeySignupStartResponse, type PublicKeyCredentialCreationOptionsJSON, type PublicKeyCredentialDescriptorJSON, type PublicKeyCredentialParametersType, type PublicKeyCredentialRequestOptionsJSON, type PublicKeyCredentialRpEntityType, type PublicKeyCredentialType, type PublicKeyCredentialUserEntityJSON, type ResidentKeyRequirementType, type ResolvedConfig, type RevokeTokenOptions, STORAGE_KEYS, type Session, type SessionAuth, type SessionCheckResult, type SessionEndedEvent, SessionManager, type SessionManagerOptions, type SessionStartedEvent, SilentAuthHandler, type SilentAuthOptions, type SilentAuthResult, type SilentAuthUrlResult, type SocialAuth, type SocialLoginOptions, type SocialProvider, type StandardClaims, StateManager, TOKEN_TYPE_URIS, TokenApiClient, type TokenApiClientOptions, type TokenErrorEvent, type TokenExchangeRequest, type TokenExchangeResponse, type TokenExchangeResult, type TokenExchangedEvent, type TokenExpiredEvent, TokenIntrospector, type TokenIntrospectorOptions, TokenManager, type TokenManagerOptions, type TokenRefreshedEvent, type TokenResponse, TokenRevoker, type TokenRevokerOptions, type TokenSet, type TokenTypeHint, type TokenTypeUri, type User, type UserInfo, type UserVerificationRequirementType, base64urlDecode, base64urlEncode, base64urlToString, calculateDsHash, createAuthrimClient, decodeIdToken, decodeJwt, getErrorMeta, getIdTokenNonce, isJwtExpired, normalizeIssuer, resolveConfig, stringToBase64url, timingSafeEqual };