@authrim/sveltekit 0.1.0

package/dist/components/SignInButton.svelte

@@ -0,0 +1,93 @@
+<!--
+  SignInButton Component
+
+  A thin wrapper that delegates all behavior to props/events.
+  Responsibilities: Call auth API and dispatch events.
+-->
+<script lang="ts">
+  import { createEventDispatcher } from 'svelte';
+  import { getAuthContext } from '../utils/context.js';
+  import type { SocialProvider, Session, User, AuthLoadingState } from '../types.js';
+  import type { AuthError } from '../stores/auth.js';
+
+  /** Authentication method */
+  export let method: 'passkey' | 'social' = 'passkey';
+
+  /** Social provider (required when method is 'social') */
+  export let provider: SocialProvider | undefined = undefined;
+
+  /** Disabled state */
+  export let disabled: boolean = false;
+
+  /** Custom class */
+  let className: string = '';
+  export { className as class };
+
+  const auth = getAuthContext();
+  const dispatch = createEventDispatcher<{
+    success: { session: Session; user: User };
+    error: AuthError;
+    loading: AuthLoadingState;
+  }>();
+
+  let loading = false;
+
+  async function handleClick() {
+    if (disabled || loading) return;
+
+    loading = true;
+    dispatch('loading', 'authenticating');
+
+    try {
+      let result;
+
+      if (method === 'passkey') {
+        result = await auth.passkey.login();
+      } else if (method === 'social' && provider) {
+        result = await auth.social.loginWithPopup(provider);
+      } else {
+        throw new Error('Invalid method or missing provider');
+      }
+
+      if (result.data) {
+        dispatch('success', {
+          session: result.data.session,
+          user: result.data.user,
+        });
+      } else if (result.error) {
+        dispatch('error', {
+          code: result.error.code,
+          message: result.error.message,
+        });
+      }
+    } catch (error) {
+      dispatch('error', {
+        code: 'UNKNOWN_ERROR',
+        message: error instanceof Error ? error.message : 'Unknown error',
+      });
+    } finally {
+      loading = false;
+      dispatch('loading', 'idle');
+    }
+  }
+</script>
+
+<button
+  type="button"
+  on:click={handleClick}
+  disabled={disabled || loading}
+  class={className}
+  {...$$restProps}
+>
+  <slot>
+    {#if loading}
+      Signing in...
+    {:else if method === 'passkey'}
+      Sign in with Passkey
+    {:else if method === 'social' && provider}
+      Sign in with {provider.charAt(0).toUpperCase() + provider.slice(1)}
+    {:else}
+      Sign In
+    {/if}
+  </slot>
+</button>

package/dist/components/SignInButton.svelte.d.ts

@@ -0,0 +1,43 @@
+import type { SocialProvider, Session, User, AuthLoadingState } from '../types.js';
+import type { AuthError } from '../stores/auth.js';
+interface $$__sveltets_2_IsomorphicComponent<Props extends Record<string, any> = any, Events extends Record<string, any> = any, Slots extends Record<string, any> = any, Exports = {}, Bindings = string> {
+    new (options: import('svelte').ComponentConstructorOptions<Props>): import('svelte').SvelteComponent<Props, Events, Slots> & {
+        $$bindings?: Bindings;
+    } & Exports;
+    (internal: unknown, props: Props & {
+        $$events?: Events;
+        $$slots?: Slots;
+    }): Exports & {
+        $set?: any;
+        $on?: any;
+    };
+    z_$$bindings?: Bindings;
+}
+type $$__sveltets_2_PropsWithChildren<Props, Slots> = Props & (Slots extends {
+    default: any;
+} ? Props extends Record<string, never> ? any : {
+    children?: any;
+} : {});
+declare const SignInButton: $$__sveltets_2_IsomorphicComponent<$$__sveltets_2_PropsWithChildren<{
+    [x: string]: any;
+    method?: "passkey" | "social" | undefined;
+    provider?: SocialProvider | undefined;
+    disabled?: boolean | undefined;
+    class?: string | undefined;
+}, {
+    default: {};
+}>, {
+    success: CustomEvent<{
+        session: Session;
+        user: User;
+    }>;
+    error: CustomEvent<AuthError>;
+    loading: CustomEvent<AuthLoadingState>;
+} & {
+    [evt: string]: CustomEvent<any>;
+}, {
+    default: {};
+}, {}, string>;
+type SignInButton = InstanceType<typeof SignInButton>;
+export default SignInButton;
+//# sourceMappingURL=SignInButton.svelte.d.ts.map

package/dist/components/SignInButton.svelte.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"SignInButton.svelte.d.ts","sourceRoot":"","sources":["../../src/lib/components/SignInButton.svelte.ts"],"names":[],"mappings":"AAKA,OAAO,KAAK,EAAE,cAAc,EAAE,OAAO,EAAE,IAAI,EAAE,gBAAgB,EAAE,MAAM,aAAa,CAAC;AACnF,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,mBAAmB,CAAC;AAwFnD,UAAU,kCAAkC,CAAC,KAAK,SAAS,MAAM,CAAC,MAAM,EAAE,GAAG,CAAC,GAAG,GAAG,EAAE,MAAM,SAAS,MAAM,CAAC,MAAM,EAAE,GAAG,CAAC,GAAG,GAAG,EAAE,KAAK,SAAS,MAAM,CAAC,MAAM,EAAE,GAAG,CAAC,GAAG,GAAG,EAAE,OAAO,GAAG,EAAE,EAAE,QAAQ,GAAG,MAAM;IACpM,KAAK,OAAO,EAAE,OAAO,QAAQ,EAAE,2BAA2B,CAAC,KAAK,CAAC,GAAG,OAAO,QAAQ,EAAE,eAAe,CAAC,KAAK,EAAE,MAAM,EAAE,KAAK,CAAC,GAAG;QAAE,UAAU,CAAC,EAAE,QAAQ,CAAA;KAAE,GAAG,OAAO,CAAC;IACjK,CAAC,QAAQ,EAAE,OAAO,EAAE,KAAK,EAAE,KAAK,GAAG;QAAC,QAAQ,CAAC,EAAE,MAAM,CAAC;QAAC,OAAO,CAAC,EAAE,KAAK,CAAA;KAAC,GAAG,OAAO,GAAG;QAAE,IAAI,CAAC,EAAE,GAAG,CAAC;QAAC,GAAG,CAAC,EAAE,GAAG,CAAA;KAAE,CAAC;IAC9G,YAAY,CAAC,EAAE,QAAQ,CAAC;CAC3B;AACD,KAAK,gCAAgC,CAAC,KAAK,EAAE,KAAK,IAAI,KAAK,GACvD,CAAC,KAAK,SAAS;IAAE,OAAO,EAAE,GAAG,CAAA;CAAE,GACzB,KAAK,SAAS,MAAM,CAAC,MAAM,EAAE,KAAK,CAAC,GACnC,GAAG,GACH;IAAE,QAAQ,CAAC,EAAE,GAAG,CAAA;CAAE,GAClB,EAAE,CAAC,CAAC;AAId,QAAA,MAAM,YAAY;;aAtBmB,SAAS,GAAG,QAAQ;;eAEzB,OAAO;YACZ,MAAM;;;;;iBACT,OAAO;cAAQ,IAAI;;;;;;;;cAkBmF,CAAC;AAC7G,KAAK,YAAY,GAAG,YAAY,CAAC,OAAO,YAAY,CAAC,CAAC;AACxD,eAAe,YAAY,CAAC"}

package/dist/components/SignOutButton.svelte

@@ -0,0 +1,72 @@
+<!--
+  SignOutButton Component
+
+  A thin wrapper that delegates all behavior to props/events.
+-->
+<script lang="ts">
+  import { createEventDispatcher } from 'svelte';
+  import { getAuthContext } from '../utils/context.js';
+  import type { AuthLoadingState } from '../types.js';
+  import type { AuthError } from '../stores/auth.js';
+
+  /** Redirect URI after sign out */
+  export let redirectUri: string | undefined = undefined;
+
+  /** Revoke tokens on sign out */
+  export let revokeTokens: boolean = false;
+
+  /** Disabled state */
+  export let disabled: boolean = false;
+
+  /** Custom class */
+  let className: string = '';
+  export { className as class };
+
+  const auth = getAuthContext();
+  const dispatch = createEventDispatcher<{
+    success: void;
+    error: AuthError;
+    loading: AuthLoadingState;
+  }>();
+
+  let loading = false;
+
+  async function handleClick() {
+    if (disabled || loading) return;
+
+    loading = true;
+    dispatch('loading', 'signing_out');
+
+    try {
+      await auth.signOut({
+        redirectUri,
+        revokeTokens,
+      });
+      dispatch('success');
+    } catch (error) {
+      dispatch('error', {
+        code: 'SIGN_OUT_ERROR',
+        message: error instanceof Error ? error.message : 'Sign out failed',
+      });
+    } finally {
+      loading = false;
+      dispatch('loading', 'idle');
+    }
+  }
+</script>
+
+<button
+  type="button"
+  on:click={handleClick}
+  disabled={disabled || loading}
+  class={className}
+  {...$$restProps}
+>
+  <slot>
+    {#if loading}
+      Signing out...
+    {:else}
+      Sign Out
+    {/if}
+  </slot>
+</button>

package/dist/components/SignOutButton.svelte.d.ts

@@ -0,0 +1,40 @@
+import type { AuthLoadingState } from '../types.js';
+import type { AuthError } from '../stores/auth.js';
+interface $$__sveltets_2_IsomorphicComponent<Props extends Record<string, any> = any, Events extends Record<string, any> = any, Slots extends Record<string, any> = any, Exports = {}, Bindings = string> {
+    new (options: import('svelte').ComponentConstructorOptions<Props>): import('svelte').SvelteComponent<Props, Events, Slots> & {
+        $$bindings?: Bindings;
+    } & Exports;
+    (internal: unknown, props: Props & {
+        $$events?: Events;
+        $$slots?: Slots;
+    }): Exports & {
+        $set?: any;
+        $on?: any;
+    };
+    z_$$bindings?: Bindings;
+}
+type $$__sveltets_2_PropsWithChildren<Props, Slots> = Props & (Slots extends {
+    default: any;
+} ? Props extends Record<string, never> ? any : {
+    children?: any;
+} : {});
+declare const SignOutButton: $$__sveltets_2_IsomorphicComponent<$$__sveltets_2_PropsWithChildren<{
+    [x: string]: any;
+    redirectUri?: string | undefined | undefined;
+    revokeTokens?: boolean | undefined;
+    disabled?: boolean | undefined;
+    class?: string | undefined;
+}, {
+    default: {};
+}>, {
+    success: CustomEvent<void>;
+    error: CustomEvent<AuthError>;
+    loading: CustomEvent<AuthLoadingState>;
+} & {
+    [evt: string]: CustomEvent<any>;
+}, {
+    default: {};
+}, {}, string>;
+type SignOutButton = InstanceType<typeof SignOutButton>;
+export default SignOutButton;
+//# sourceMappingURL=SignOutButton.svelte.d.ts.map

package/dist/components/SignOutButton.svelte.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"SignOutButton.svelte.d.ts","sourceRoot":"","sources":["../../src/lib/components/SignOutButton.svelte.ts"],"names":[],"mappings":"AAKA,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,aAAa,CAAC;AACpD,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,mBAAmB,CAAC;AAuEnD,UAAU,kCAAkC,CAAC,KAAK,SAAS,MAAM,CAAC,MAAM,EAAE,GAAG,CAAC,GAAG,GAAG,EAAE,MAAM,SAAS,MAAM,CAAC,MAAM,EAAE,GAAG,CAAC,GAAG,GAAG,EAAE,KAAK,SAAS,MAAM,CAAC,MAAM,EAAE,GAAG,CAAC,GAAG,GAAG,EAAE,OAAO,GAAG,EAAE,EAAE,QAAQ,GAAG,MAAM;IACpM,KAAK,OAAO,EAAE,OAAO,QAAQ,EAAE,2BAA2B,CAAC,KAAK,CAAC,GAAG,OAAO,QAAQ,EAAE,eAAe,CAAC,KAAK,EAAE,MAAM,EAAE,KAAK,CAAC,GAAG;QAAE,UAAU,CAAC,EAAE,QAAQ,CAAA;KAAE,GAAG,OAAO,CAAC;IACjK,CAAC,QAAQ,EAAE,OAAO,EAAE,KAAK,EAAE,KAAK,GAAG;QAAC,QAAQ,CAAC,EAAE,MAAM,CAAC;QAAC,OAAO,CAAC,EAAE,KAAK,CAAA;KAAC,GAAG,OAAO,GAAG;QAAE,IAAI,CAAC,EAAE,GAAG,CAAC;QAAC,GAAG,CAAC,EAAE,GAAG,CAAA;KAAE,CAAC;IAC9G,YAAY,CAAC,EAAE,QAAQ,CAAC;CAC3B;AACD,KAAK,gCAAgC,CAAC,KAAK,EAAE,KAAK,IAAI,KAAK,GACvD,CAAC,KAAK,SAAS;IAAE,OAAO,EAAE,GAAG,CAAA;CAAE,GACzB,KAAK,SAAS,MAAM,CAAC,MAAM,EAAE,KAAK,CAAC,GACnC,GAAG,GACH;IAAE,QAAQ,CAAC,EAAE,GAAG,CAAA;CAAE,GAClB,EAAE,CAAC,CAAC;AAId,QAAA,MAAM,aAAa;;kBAtB6B,MAAM,GAAG,SAAS;mBACnB,OAAO;eACtB,OAAO;YACZ,MAAM;;;;;;;;;;;cAmB8F,CAAC;AAC9G,KAAK,aAAa,GAAG,YAAY,CAAC,OAAO,aAAa,CAAC,CAAC;AAC1D,eAAe,aAAa,CAAC"}

package/dist/components/UserProfile.svelte

@@ -0,0 +1,71 @@
+<!--
+  UserProfile Component
+
+  Displays user information from the auth stores.
+-->
+<script lang="ts">
+  import { getAuthContext } from '../utils/context.js';
+
+  /** Show avatar */
+  export let showAvatar: boolean = true;
+
+  /** Show email */
+  export let showEmail: boolean = true;
+
+  /** Custom class */
+  let className: string = '';
+  export { className as class };
+
+  const auth = getAuthContext();
+  const { user, isAuthenticated } = auth.stores;
+</script>
+
+{#if $isAuthenticated && $user}
+  <div class={className} {...$$restProps}>
+    <slot name="avatar" user={$user}>
+      {#if showAvatar && $user.picture}
+        <img src={$user.picture} alt={$user.name || 'User avatar'} class="authrim-avatar" />
+      {/if}
+    </slot>
+
+    <slot name="info" user={$user}>
+      <div class="authrim-user-info">
+        {#if $user.name}
+          <span class="authrim-user-name">{$user.name}</span>
+        {/if}
+        {#if showEmail && $user.email}
+          <span class="authrim-user-email">{$user.email}</span>
+        {/if}
+      </div>
+    </slot>
+
+    <slot user={$user} />
+  </div>
+{:else}
+  <slot name="unauthenticated">
+    <!-- Empty by default -->
+  </slot>
+{/if}
+
+<style>
+  .authrim-avatar {
+    width: 40px;
+    height: 40px;
+    border-radius: 50%;
+    object-fit: cover;
+  }
+
+  .authrim-user-info {
+    display: flex;
+    flex-direction: column;
+  }
+
+  .authrim-user-name {
+    font-weight: 500;
+  }
+
+  .authrim-user-email {
+    font-size: 0.875em;
+    opacity: 0.7;
+  }
+</style>

package/dist/components/UserProfile.svelte.d.ts

@@ -0,0 +1,51 @@
+interface $$__sveltets_2_IsomorphicComponent<Props extends Record<string, any> = any, Events extends Record<string, any> = any, Slots extends Record<string, any> = any, Exports = {}, Bindings = string> {
+    new (options: import('svelte').ComponentConstructorOptions<Props>): import('svelte').SvelteComponent<Props, Events, Slots> & {
+        $$bindings?: Bindings;
+    } & Exports;
+    (internal: unknown, props: Props & {
+        $$events?: Events;
+        $$slots?: Slots;
+    }): Exports & {
+        $set?: any;
+        $on?: any;
+    };
+    z_$$bindings?: Bindings;
+}
+type $$__sveltets_2_PropsWithChildren<Props, Slots> = Props & (Slots extends {
+    default: any;
+} ? Props extends Record<string, never> ? any : {
+    children?: any;
+} : {});
+declare const UserProfile: $$__sveltets_2_IsomorphicComponent<$$__sveltets_2_PropsWithChildren<{
+    [x: string]: any;
+    showAvatar?: boolean | undefined;
+    showEmail?: boolean | undefined;
+    class?: string | undefined;
+}, {
+    avatar: {
+        user: import("@authrim/core").User | null;
+    };
+    info: {
+        user: import("@authrim/core").User | null;
+    };
+    default: {
+        user: import("@authrim/core").User | null;
+    };
+    unauthenticated: {};
+}>, {
+    [evt: string]: CustomEvent<any>;
+}, {
+    avatar: {
+        user: import("@authrim/core").User | null;
+    };
+    info: {
+        user: import("@authrim/core").User | null;
+    };
+    default: {
+        user: import("@authrim/core").User | null;
+    };
+    unauthenticated: {};
+}, {}, string>;
+type UserProfile = InstanceType<typeof UserProfile>;
+export default UserProfile;
+//# sourceMappingURL=UserProfile.svelte.d.ts.map

package/dist/components/UserProfile.svelte.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"UserProfile.svelte.d.ts","sourceRoot":"","sources":["../../src/lib/components/UserProfile.svelte.ts"],"names":[],"mappings":"AAyDA,UAAU,kCAAkC,CAAC,KAAK,SAAS,MAAM,CAAC,MAAM,EAAE,GAAG,CAAC,GAAG,GAAG,EAAE,MAAM,SAAS,MAAM,CAAC,MAAM,EAAE,GAAG,CAAC,GAAG,GAAG,EAAE,KAAK,SAAS,MAAM,CAAC,MAAM,EAAE,GAAG,CAAC,GAAG,GAAG,EAAE,OAAO,GAAG,EAAE,EAAE,QAAQ,GAAG,MAAM;IACpM,KAAK,OAAO,EAAE,OAAO,QAAQ,EAAE,2BAA2B,CAAC,KAAK,CAAC,GAAG,OAAO,QAAQ,EAAE,eAAe,CAAC,KAAK,EAAE,MAAM,EAAE,KAAK,CAAC,GAAG;QAAE,UAAU,CAAC,EAAE,QAAQ,CAAA;KAAE,GAAG,OAAO,CAAC;IACjK,CAAC,QAAQ,EAAE,OAAO,EAAE,KAAK,EAAE,KAAK,GAAG;QAAC,QAAQ,CAAC,EAAE,MAAM,CAAC;QAAC,OAAO,CAAC,EAAE,KAAK,CAAA;KAAC,GAAG,OAAO,GAAG;QAAE,IAAI,CAAC,EAAE,GAAG,CAAC;QAAC,GAAG,CAAC,EAAE,GAAG,CAAA;KAAE,CAAC;IAC9G,YAAY,CAAC,EAAE,QAAQ,CAAC;CAC3B;AACD,KAAK,gCAAgC,CAAC,KAAK,EAAE,KAAK,IAAI,KAAK,GACvD,CAAC,KAAK,SAAS;IAAE,OAAO,EAAE,GAAG,CAAA;CAAE,GACzB,KAAK,SAAS,MAAM,CAAC,MAAM,EAAE,KAAK,CAAC,GACnC,GAAG,GACH;IAAE,QAAQ,CAAC,EAAE,GAAG,CAAA;CAAE,GAClB,EAAE,CAAC,CAAC;AAId,QAAA,MAAM,WAAW;;iBAjBc,OAAO;gBACT,OAAO;YACT,MAAM;;;;;;;;;;;;;;;;;;;;;;;;;cAe4F,CAAC;AAC5G,KAAK,WAAW,GAAG,YAAY,CAAC,OAAO,WAAW,CAAC,CAAC;AACtD,eAAe,WAAW,CAAC"}

package/dist/components/index.d.ts

@@ -0,0 +1,6 @@
+export { default as AuthProvider } from './AuthProvider.svelte';
+export { default as SignInButton } from './SignInButton.svelte';
+export { default as SignOutButton } from './SignOutButton.svelte';
+export { default as UserProfile } from './UserProfile.svelte';
+export { default as ProtectedRoute } from './ProtectedRoute.svelte';
+//# sourceMappingURL=index.d.ts.map

package/dist/components/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/lib/components/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,OAAO,IAAI,YAAY,EAAE,MAAM,uBAAuB,CAAC;AAChE,OAAO,EAAE,OAAO,IAAI,YAAY,EAAE,MAAM,uBAAuB,CAAC;AAChE,OAAO,EAAE,OAAO,IAAI,aAAa,EAAE,MAAM,wBAAwB,CAAC;AAClE,OAAO,EAAE,OAAO,IAAI,WAAW,EAAE,MAAM,sBAAsB,CAAC;AAC9D,OAAO,EAAE,OAAO,IAAI,cAAc,EAAE,MAAM,yBAAyB,CAAC"}

package/dist/components/index.js

@@ -0,0 +1,5 @@
+export { default as AuthProvider } from './AuthProvider.svelte';
+export { default as SignInButton } from './SignInButton.svelte';
+export { default as SignOutButton } from './SignOutButton.svelte';
+export { default as UserProfile } from './UserProfile.svelte';
+export { default as ProtectedRoute } from './ProtectedRoute.svelte';

package/dist/direct-auth/ciba.d.ts

@@ -0,0 +1,47 @@
+/**
+ * CIBA (Client Initiated Backchannel Authentication) API Implementation
+ *
+ * Provides methods for fetching pending CIBA requests and approving/rejecting them.
+ * This is a thin API wrapper — no business logic, just HTTP calls.
+ */
+import type { HttpClient } from "@authrim/core";
+export interface CIBAPendingRequest {
+    auth_req_id: string;
+    client_id: string;
+    client_name: string;
+    client_logo_uri: string | null;
+    scope: string;
+    binding_message?: string;
+    user_code?: string;
+    created_at: number;
+    expires_at: number;
+}
+export interface CIBAPendingResponse {
+    requests: CIBAPendingRequest[];
+}
+export interface CIBAActionResult {
+    success: boolean;
+    message?: string;
+}
+export interface CIBAApiConfig {
+    issuer: string;
+    http: HttpClient;
+}
+export declare class CIBAApiImpl {
+    private readonly issuer;
+    private readonly http;
+    constructor(config: CIBAApiConfig);
+    /**
+     * Fetch pending CIBA authentication requests
+     */
+    getData(loginHint: string): Promise<CIBAPendingRequest[]>;
+    /**
+     * Approve a CIBA authentication request
+     */
+    approve(authReqId: string, userId: string, sub: string): Promise<CIBAActionResult>;
+    /**
+     * Reject a CIBA authentication request
+     */
+    reject(authReqId: string, reason?: string): Promise<CIBAActionResult>;
+}
+//# sourceMappingURL=ciba.d.ts.map

package/dist/direct-auth/ciba.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"ciba.d.ts","sourceRoot":"","sources":["../../src/lib/direct-auth/ciba.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,KAAK,EAAE,UAAU,EAAe,MAAM,eAAe,CAAC;AAW7D,MAAM,WAAW,kBAAkB;IACjC,WAAW,EAAE,MAAM,CAAC;IACpB,SAAS,EAAE,MAAM,CAAC;IAClB,WAAW,EAAE,MAAM,CAAC;IACpB,eAAe,EAAE,MAAM,GAAG,IAAI,CAAC;IAC/B,KAAK,EAAE,MAAM,CAAC;IACd,eAAe,CAAC,EAAE,MAAM,CAAC;IACzB,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,UAAU,EAAE,MAAM,CAAC;IACnB,UAAU,EAAE,MAAM,CAAC;CACpB;AAED,MAAM,WAAW,mBAAmB;IAClC,QAAQ,EAAE,kBAAkB,EAAE,CAAC;CAChC;AAED,MAAM,WAAW,gBAAgB;IAC/B,OAAO,EAAE,OAAO,CAAC;IACjB,OAAO,CAAC,EAAE,MAAM,CAAC;CAClB;AAMD,MAAM,WAAW,aAAa;IAC5B,MAAM,EAAE,MAAM,CAAC;IACf,IAAI,EAAE,UAAU,CAAC;CAClB;AAMD,qBAAa,WAAW;IACtB,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAS;IAChC,OAAO,CAAC,QAAQ,CAAC,IAAI,CAAa;gBAEtB,MAAM,EAAE,aAAa;IAKjC;;OAEG;IACG,OAAO,CAAC,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,kBAAkB,EAAE,CAAC;IAkB/D;;OAEG;IACG,OAAO,CACX,SAAS,EAAE,MAAM,EACjB,MAAM,EAAE,MAAM,EACd,GAAG,EAAE,MAAM,GACV,OAAO,CAAC,gBAAgB,CAAC;IAuB5B;;OAEG;IACG,MAAM,CACV,SAAS,EAAE,MAAM,EACjB,MAAM,SAAkB,GACvB,OAAO,CAAC,gBAAgB,CAAC;CAqB7B"}

package/dist/direct-auth/ciba.js

@@ -0,0 +1,77 @@
+/**
+ * CIBA (Client Initiated Backchannel Authentication) API Implementation
+ *
+ * Provides methods for fetching pending CIBA requests and approving/rejecting them.
+ * This is a thin API wrapper — no business logic, just HTTP calls.
+ */
+// =============================================================================
+// Implementation
+// =============================================================================
+export class CIBAApiImpl {
+    issuer;
+    http;
+    constructor(config) {
+        this.issuer = config.issuer;
+        this.http = config.http;
+    }
+    /**
+     * Fetch pending CIBA authentication requests
+     */
+    async getData(loginHint) {
+        const url = `${this.issuer}/api/ciba/pending?login_hint=${encodeURIComponent(loginHint)}`;
+        const response = await this.http.fetch(url, {
+            method: "GET",
+            headers: { Accept: "application/json" },
+            credentials: "include",
+        });
+        if (!response.ok || !response.data) {
+            const errorMsg = response.data
+                ?.error_description || "Failed to load pending requests";
+            throw new Error(errorMsg);
+        }
+        return response.data.requests || [];
+    }
+    /**
+     * Approve a CIBA authentication request
+     */
+    async approve(authReqId, userId, sub) {
+        const url = `${this.issuer}/api/ciba/approve`;
+        const response = await this.http.fetch(url, {
+            method: "POST",
+            headers: { "Content-Type": "application/json" },
+            credentials: "include",
+            body: JSON.stringify({
+                auth_req_id: authReqId,
+                user_id: userId,
+                sub,
+            }),
+        });
+        if (!response.ok) {
+            const errorMsg = response.data
+                ?.error_description || "Failed to approve request";
+            throw new Error(errorMsg);
+        }
+        return response.data;
+    }
+    /**
+     * Reject a CIBA authentication request
+     */
+    async reject(authReqId, reason = "User rejected") {
+        const url = `${this.issuer}/api/ciba/deny`;
+        const response = await this.http.fetch(url, {
+            method: "POST",
+            headers: { "Content-Type": "application/json" },
+            credentials: "include",
+            body: JSON.stringify({
+                auth_req_id: authReqId,
+                reason,
+            }),
+        });
+        if (!response.ok) {
+            const errorMsg = response.data
+                ?.error_description || "Failed to deny request";
+            throw new Error(errorMsg);
+        }
+        return response.data;
+    }
+}

package/dist/direct-auth/consent.d.ts

@@ -0,0 +1,85 @@
+/**
+ * Consent API Implementation
+ *
+ * Provides methods for fetching consent screen data and submitting consent decisions.
+ * This is a thin API wrapper — no business logic, just HTTP calls.
+ */
+import type { HttpClient } from "@authrim/core";
+export interface ConsentScopeInfo {
+    name: string;
+    title: string;
+    description: string;
+    required: boolean;
+}
+export interface ConsentClientInfo {
+    client_id: string;
+    client_name: string;
+    logo_uri?: string;
+    client_uri?: string;
+    policy_uri?: string;
+    tos_uri?: string;
+    is_trusted?: boolean;
+}
+export interface ConsentUserInfo {
+    id: string;
+    email: string;
+    name?: string;
+    picture?: string;
+}
+export interface ConsentOrgInfo {
+    id: string;
+    name: string;
+    type: string;
+    is_primary: boolean;
+    plan?: string;
+}
+export interface ConsentActingAsInfo {
+    id: string;
+    name?: string;
+    email: string;
+    relationship_type: string;
+    permission_level: string;
+}
+export interface ConsentFeatureFlags {
+    org_selector_enabled: boolean;
+    acting_as_enabled: boolean;
+    show_roles: boolean;
+}
+export interface ConsentScreenData {
+    challenge_id: string;
+    client: ConsentClientInfo;
+    scopes: ConsentScopeInfo[];
+    user: ConsentUserInfo;
+    organizations: ConsentOrgInfo[];
+    primary_org: ConsentOrgInfo | null;
+    roles: string[];
+    acting_as: ConsentActingAsInfo | null;
+    target_org_id: string | null;
+    features: ConsentFeatureFlags;
+}
+export interface ConsentSubmitOptions {
+    approve: boolean;
+    selectedOrgId?: string | null;
+    actingAsUserId?: string;
+}
+export interface ConsentSubmitResult {
+    redirect_url: string;
+}
+export interface ConsentApiConfig {
+    issuer: string;
+    http: HttpClient;
+}
+export declare class ConsentApiImpl {
+    private readonly issuer;
+    private readonly http;
+    constructor(config: ConsentApiConfig);
+    /**
+     * Fetch consent screen data
+     */
+    getData(challengeId: string): Promise<ConsentScreenData>;
+    /**
+     * Submit consent decision (approve or deny)
+     */
+    submit(challengeId: string, options: ConsentSubmitOptions): Promise<ConsentSubmitResult>;
+}
+//# sourceMappingURL=consent.d.ts.map

package/dist/direct-auth/consent.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"consent.d.ts","sourceRoot":"","sources":["../../src/lib/direct-auth/consent.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,KAAK,EAAE,UAAU,EAAe,MAAM,eAAe,CAAC;AAW7D,MAAM,WAAW,gBAAgB;IAC/B,IAAI,EAAE,MAAM,CAAC;IACb,KAAK,EAAE,MAAM,CAAC;IACd,WAAW,EAAE,MAAM,CAAC;IACpB,QAAQ,EAAE,OAAO,CAAC;CACnB;AAED,MAAM,WAAW,iBAAiB;IAChC,SAAS,EAAE,MAAM,CAAC;IAClB,WAAW,EAAE,MAAM,CAAC;IACpB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,UAAU,CAAC,EAAE,OAAO,CAAC;CACtB;AAED,MAAM,WAAW,eAAe;IAC9B,EAAE,EAAE,MAAM,CAAC;IACX,KAAK,EAAE,MAAM,CAAC;IACd,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,OAAO,CAAC,EAAE,MAAM,CAAC;CAClB;AAED,MAAM,WAAW,cAAc;IAC7B,EAAE,EAAE,MAAM,CAAC;IACX,IAAI,EAAE,MAAM,CAAC;IACb,IAAI,EAAE,MAAM,CAAC;IACb,UAAU,EAAE,OAAO,CAAC;IACpB,IAAI,CAAC,EAAE,MAAM,CAAC;CACf;AAED,MAAM,WAAW,mBAAmB;IAClC,EAAE,EAAE,MAAM,CAAC;IACX,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,KAAK,EAAE,MAAM,CAAC;IACd,iBAAiB,EAAE,MAAM,CAAC;IAC1B,gBAAgB,EAAE,MAAM,CAAC;CAC1B;AAED,MAAM,WAAW,mBAAmB;IAClC,oBAAoB,EAAE,OAAO,CAAC;IAC9B,iBAAiB,EAAE,OAAO,CAAC;IAC3B,UAAU,EAAE,OAAO,CAAC;CACrB;AAED,MAAM,WAAW,iBAAiB;IAChC,YAAY,EAAE,MAAM,CAAC;IACrB,MAAM,EAAE,iBAAiB,CAAC;IAC1B,MAAM,EAAE,gBAAgB,EAAE,CAAC;IAC3B,IAAI,EAAE,eAAe,CAAC;IACtB,aAAa,EAAE,cAAc,EAAE,CAAC;IAChC,WAAW,EAAE,cAAc,GAAG,IAAI,CAAC;IACnC,KAAK,EAAE,MAAM,EAAE,CAAC;IAChB,SAAS,EAAE,mBAAmB,GAAG,IAAI,CAAC;IACtC,aAAa,EAAE,MAAM,GAAG,IAAI,CAAC;IAC7B,QAAQ,EAAE,mBAAmB,CAAC;CAC/B;AAED,MAAM,WAAW,oBAAoB;IACnC,OAAO,EAAE,OAAO,CAAC;IACjB,aAAa,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IAC9B,cAAc,CAAC,EAAE,MAAM,CAAC;CACzB;AAED,MAAM,WAAW,mBAAmB;IAClC,YAAY,EAAE,MAAM,CAAC;CACtB;AAMD,MAAM,WAAW,gBAAgB;IAC/B,MAAM,EAAE,MAAM,CAAC;IACf,IAAI,EAAE,UAAU,CAAC;CAClB;AAMD,qBAAa,cAAc;IACzB,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAS;IAChC,OAAO,CAAC,QAAQ,CAAC,IAAI,CAAa;gBAEtB,MAAM,EAAE,gBAAgB;IAKpC;;OAEG;IACG,OAAO,CAAC,WAAW,EAAE,MAAM,GAAG,OAAO,CAAC,iBAAiB,CAAC;IAkB9D;;OAEG;IACG,MAAM,CACV,WAAW,EAAE,MAAM,EACnB,OAAO,EAAE,oBAAoB,GAC5B,OAAO,CAAC,mBAAmB,CAAC;CAuBhC"}