npm - @authrim/sveltekit - Versions diffs - 0.1.3 → 0.1.5 - Mend

@authrim/sveltekit 0.1.3 → 0.1.5

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (20) hide show

package/dist/client.d.ts.map +1 -1
package/dist/client.js +31 -1
package/dist/oauth/index.d.ts +41 -0
package/dist/oauth/index.d.ts.map +1 -0
package/dist/oauth/index.js +196 -0
package/dist/server/handoff.d.ts +77 -0
package/dist/server/handoff.d.ts.map +1 -0
package/dist/server/handoff.js +133 -0
package/dist/server/index.d.ts +1 -0
package/dist/server/index.d.ts.map +1 -1
package/dist/server/index.js +1 -0
package/dist/types.d.ts +67 -0
package/dist/types.d.ts.map +1 -1
package/dist/utils/client-config.d.ts +32 -0
package/dist/utils/client-config.d.ts.map +1 -0
package/dist/utils/client-config.js +42 -0
package/dist/utils/index.d.ts +1 -0
package/dist/utils/index.d.ts.map +1 -1
package/dist/utils/index.js +1 -0
package/package.json +4 -2

package/dist/client.d.ts.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"client.d.ts","sourceRoot":"","sources":["../src/lib/client.ts"],"names":[],"mappings":"AAAA;;GAEG;~~AAYH~~,OAAO,KAAK,EACV,aAAa,EACb,aAAa,~~EAgBd~~,MAAM,YAAY,CAAC;~~AAmEpB~~;;;;;;;;;;;;;;;;;;GAkBG;AACH,wBAAsB,aAAa,CACjC,MAAM,EAAE,aAAa,GACpB,OAAO,CAAC,aAAa,CAAC,~~CAsbxB~~"}
1	+ {"version":3,"file":"client.d.ts","sourceRoot":"","sources":["../src/lib/client.ts"],"names":[],"mappings":"AAAA;;GAEG;AAaH,OAAO,KAAK,EACV,aAAa,EACb,aAAa,EAiBd,MAAM,YAAY,CAAC;AAqEpB;;;;;;;;;;;;;;;;;;GAkBG;AACH,wBAAsB,aAAa,CACjC,MAAM,EAAE,aAAa,GACpB,OAAO,CAAC,aAAa,CAAC,CAwdxB"}

package/dist/client.js CHANGED Viewed

@@ -1,7 +1,8 @@
 /**
  * Authrim Svelte SDK Main Entry Point
  */
-import { authResultToResponse, wrapWithAuthResponse, success, } from "./utils/response.js";
+import { createAuthrimClient } from "@authrim/core";
+import { authResultToResponse, wrapWithAuthResponse, success, fetchClientConfig, } from "./utils/index.js";
 import { PasskeyAuthImpl } from "./direct-auth/passkey.js";
 import { EmailCodeAuthImpl } from "./direct-auth/email-code.js";
 import { SocialAuthImpl } from "./direct-auth/social.js";
@@ -10,6 +11,7 @@ import { ConsentApiImpl } from "./direct-auth/consent.js";
 import { DeviceFlowApiImpl } from "./direct-auth/device-flow.js";
 import { CIBAApiImpl } from "./direct-auth/ciba.js";
 import { LoginChallengeApiImpl } from "./direct-auth/login-challenge.js";
+import { createOAuthNamespace } from "./oauth/index.js";
 import { BrowserHttpClient } from "./providers/http.js";
 import { BrowserCryptoProvider } from "./providers/crypto.js";
 import { createBrowserStorage, } from "./providers/storage.js";
@@ -73,6 +75,33 @@ export async function createAuthrim(config) {
     const emitter = new AuthEventEmitter();
     // Initialize stores
     const internalStores = createAuthStores();
+    // ==========================================================================
+    // OAuth (Optional)
+    // ==========================================================================
+    let oauth;
+    if (config.enableOAuth) {
+        // Fetch public client configuration from server
+        const clientConfig = await fetchClientConfig(config.issuer, config.clientId);
+        if (clientConfig) {
+            console.debug('[Authrim] Client configuration loaded:', {
+                client_id: clientConfig.client_id,
+                client_name: clientConfig.client_name,
+                login_ui_url: clientConfig.login_ui_url,
+            });
+        }
+        // Create core client for OAuth flows
+        const coreClient = await createAuthrimClient({
+            issuer: config.issuer,
+            clientId: config.clientId,
+            http,
+            crypto,
+            storage,
+        });
+        // Create OAuth namespace
+        oauth = createOAuthNamespace(coreClient, {
+            silentLoginRedirectUri: config.silentLoginRedirectUri,
+        });
+    }
     // Create session manager
     const sessionManager = new SessionAuthImpl({
         issuer: config.issuer,
@@ -391,6 +420,7 @@ export async function createAuthrim(config) {
         emailCode,
         social,
         session,
+        oauth,
         consent,
         deviceFlow,
         ciba,

package/dist/oauth/index.d.ts ADDED Viewed

@@ -0,0 +1,41 @@
+/**
+ * OAuth Namespace for SvelteKit
+ *
+ * Provides OAuth 2.0 / OpenID Connect authentication flows
+ */
+import type { AuthrimClient as CoreClient } from "@authrim/core";
+import type { TrySilentLoginOptions, SilentLoginResult } from "../types.js";
+/**
+ * Create OAuth namespace
+ */
+export declare function createOAuthNamespace(coreClient: CoreClient, config: {
+    silentLoginRedirectUri?: string;
+}): {
+    /**
+     * Try silent SSO via top-level navigation (prompt=none)
+     *
+     * Safari ITP / Chrome Third-Party Cookie Phaseout compatible.
+     * This function redirects to IdP and does not return.
+     *
+     * @param options - Silent login options
+     * @throws Error if returnTo URL is not same origin
+     */
+    trySilentLogin(options?: TrySilentLoginOptions): Promise<never>;
+    /**
+     * Handle silent login callback
+     *
+     * Call this in your callback page. Handles both silent login
+     * results and regular OAuth callbacks.
+     *
+     * @returns Silent login result
+     */
+    handleSilentCallback(): Promise<SilentLoginResult>;
+    /**
+     * Handle regular OAuth callback (for authorization code flow)
+     *
+     * @param callbackUrl - Full callback URL with code and state
+     * @returns Tokens from token exchange
+     */
+    handleCallback(callbackUrl?: string): Promise<import("@authrim/core").TokenSet>;
+};
+//# sourceMappingURL=index.d.ts.map

package/dist/oauth/index.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/lib/oauth/index.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,KAAK,EAAE,aAAa,IAAI,UAAU,EAAE,MAAM,eAAe,CAAC;AAEjE,OAAO,KAAK,EAAE,qBAAqB,EAAE,iBAAiB,EAAE,MAAM,aAAa,CAAC;AAc5E;;GAEG;AACH,wBAAgB,oBAAoB,CAClC,UAAU,EAAE,UAAU,EACtB,MAAM,EAAE;IACN,sBAAsB,CAAC,EAAE,MAAM,CAAC;CACjC;IAGC;;;;;;;;OAQG;6BAC4B,qBAAqB,GAAG,OAAO,CAAC,KAAK,CAAC;IA2CrE;;;;;;;OAOG;4BAC2B,OAAO,CAAC,iBAAiB,CAAC;IA0HxD;;;;;OAKG;iCACgC,MAAM;EAK5C"}

package/dist/oauth/index.js ADDED Viewed

@@ -0,0 +1,196 @@
+/**
+ * OAuth Namespace for SvelteKit
+ *
+ * Provides OAuth 2.0 / OpenID Connect authentication flows
+ */
+import { stringToBase64url, base64urlToString } from "@authrim/core";
+/**
+ * Create OAuth namespace
+ */
+export function createOAuthNamespace(coreClient, config) {
+    return {
+        /**
+         * Try silent SSO via top-level navigation (prompt=none)
+         *
+         * Safari ITP / Chrome Third-Party Cookie Phaseout compatible.
+         * This function redirects to IdP and does not return.
+         *
+         * @param options - Silent login options
+         * @throws Error if returnTo URL is not same origin
+         */
+        async trySilentLogin(options) {
+            // Browser-only feature
+            if (typeof window === "undefined") {
+                throw new Error("trySilentLogin is only available in browser");
+            }
+            const onLoginRequired = options?.onLoginRequired ?? "return";
+            const returnTo = options?.returnTo ?? window.location.href;
+            // Security: Open redirect prevention
+            if (!isSafeReturnTo(returnTo)) {
+                throw new Error("returnTo must be same origin");
+            }
+            // Encode state data (short keys to reduce URL length)
+            const stateData = {
+                t: "sl", // silent_login
+                lr: onLoginRequired === "login" ? "l" : "r",
+                rt: returnTo,
+            };
+            const state = stringToBase64url(JSON.stringify(stateData));
+            // Build authorization URL with prompt=none
+            const result = await coreClient.buildAuthorizationUrl({
+                redirectUri: config.silentLoginRedirectUri ??
+                    `${window.location.origin}/callback.html`,
+                scope: options?.scope,
+                prompt: "none",
+                exposeState: false, // We manage state ourselves
+            });
+            // Append our custom state to the URL
+            const url = new URL(result.url);
+            url.searchParams.set("state", state);
+            // Redirect (this function never returns)
+            window.location.href = url.toString();
+            // TypeScript: This line is never reached
+            throw new Error("unreachable");
+        },
+        /**
+         * Handle silent login callback
+         *
+         * Call this in your callback page. Handles both silent login
+         * results and regular OAuth callbacks.
+         *
+         * @returns Silent login result
+         */
+        async handleSilentCallback() {
+            // Browser-only feature
+            if (typeof window === "undefined") {
+                return { status: "error", error: "not_browser" };
+            }
+            const params = new URLSearchParams(window.location.search);
+            const error = params.get("error");
+            const stateParam = params.get("state");
+            // Try to decode state
+            let stateData = null;
+            if (stateParam) {
+                try {
+                    const decoded = base64urlToString(stateParam);
+                    const parsed = JSON.parse(decoded);
+                    // Type guard: check if this is a silent login state
+                    if (parsed.t === "sl" &&
+                        typeof parsed.lr === "string" &&
+                        typeof parsed.rt === "string") {
+                        stateData = {
+                            t: "sl",
+                            lr: parsed.lr,
+                            rt: parsed.rt,
+                        };
+                    }
+                }
+                catch {
+                    // Decode failed, not a silent login state
+                }
+            }
+            // Not a silent login callback
+            if (!stateData) {
+                // Return error to indicate this is not a silent login callback
+                return { status: "error", error: "not_silent_login" };
+            }
+            const returnTo = stateData.rt;
+            const onLoginRequired = stateData.lr === "l" ? "login" : "return";
+            // Security: Open redirect prevention
+            if (!isSafeReturnTo(returnTo)) {
+                return { status: "error", error: "invalid_return_to" };
+            }
+            // Handle login_required error (IdP has no session)
+            if (error === "login_required") {
+                if (onLoginRequired === "login") {
+                    // Redirect to login screen (without prompt=none)
+                    const loginResult = await coreClient.buildAuthorizationUrl({
+                        redirectUri: config.silentLoginRedirectUri ??
+                            `${window.location.origin}/callback.html`,
+                        exposeState: false,
+                    });
+                    // Encode return URL in state for after login
+                    const loginStateData = { rt: returnTo };
+                    const loginUrl = new URL(loginResult.url);
+                    loginUrl.searchParams.set("state", stringToBase64url(JSON.stringify(loginStateData)));
+                    window.location.href = loginUrl.toString();
+                    return { status: "login_required" };
+                }
+                else {
+                    // Return to original page with error
+                    const returnUrl = new URL(returnTo);
+                    returnUrl.searchParams.set("sso_error", "login_required");
+                    window.location.href = returnUrl.toString();
+                    return { status: "login_required" };
+                }
+            }
+            // Handle other errors
+            if (error) {
+                const errorDescription = params.get("error_description");
+                const returnUrl = new URL(returnTo);
+                returnUrl.searchParams.set("sso_error", error);
+                if (errorDescription) {
+                    returnUrl.searchParams.set("sso_error_description", errorDescription);
+                }
+                window.location.href = returnUrl.toString();
+                return {
+                    status: "error",
+                    error,
+                    errorDescription: errorDescription ?? undefined,
+                };
+            }
+            // Success: Exchange code for tokens
+            const code = params.get("code");
+            if (code) {
+                try {
+                    await coreClient.handleCallback(window.location.href);
+                    // Clear sso_attempted flag on success
+                    if (typeof sessionStorage !== "undefined") {
+                        sessionStorage.removeItem("sso_attempted");
+                    }
+                    window.location.href = returnTo;
+                    return { status: "success" };
+                }
+                catch (e) {
+                    const errorMessage = e instanceof Error ? e.message : "Token exchange failed";
+                    const returnUrl = new URL(returnTo);
+                    returnUrl.searchParams.set("sso_error", "token_error");
+                    returnUrl.searchParams.set("sso_error_description", errorMessage);
+                    window.location.href = returnUrl.toString();
+                    return {
+                        status: "error",
+                        error: "token_error",
+                        errorDescription: errorMessage,
+                    };
+                }
+            }
+            return { status: "error", error: "unknown_error" };
+        },
+        /**
+         * Handle regular OAuth callback (for authorization code flow)
+         *
+         * @param callbackUrl - Full callback URL with code and state
+         * @returns Tokens from token exchange
+         */
+        async handleCallback(callbackUrl) {
+            const url = callbackUrl ?? (typeof window !== "undefined" ? window.location.href : "");
+            return await coreClient.handleCallback(url);
+        },
+    };
+}
+/**
+ * Check if returnTo URL is safe (same origin)
+ * Prevents open redirect attacks
+ */
+function isSafeReturnTo(url) {
+    if (typeof window === "undefined") {
+        return false;
+    }
+    try {
+        const u = new URL(url, window.location.origin);
+        return u.origin === window.location.origin;
+    }
+    catch {
+        return false;
+    }
+}

package/dist/server/handoff.d.ts ADDED Viewed

@@ -0,0 +1,77 @@
+/**
+ * Smart Handoff SSO Handler for SvelteKit
+ *
+ * Handles handoff token verification and session management for cross-domain SSO
+ * in SvelteKit server-side code.
+ */
+import type { Handle, RequestEvent } from '@sveltejs/kit';
+import type { Session, User } from '@authrim/core';
+import { type ServerSessionManagerOptions } from './session.js';
+/**
+ * Handoff verification options
+ */
+export interface HandoffVerifyOptions {
+    /**
+     * Authrim IdP URL (required if not using createAuthHandle)
+     */
+    issuer?: string;
+    /**
+     * OAuth client ID (required if not using createAuthHandle)
+     */
+    clientId?: string;
+    /**
+     * Handoff verify endpoint
+     * @default '/auth/external/handoff/verify'
+     */
+    verifyEndpoint?: string;
+    /**
+     * Error redirect path
+     * @default '/login'
+     */
+    errorRedirect?: string;
+    /**
+     * Session manager options
+     */
+    sessionOptions?: ServerSessionManagerOptions;
+}
+/**
+ * Verify handoff token from callback URL
+ *
+ * Usage in +page.server.ts:
+ * ```typescript
+ * export const load = async (event) => {
+ *   const result = await verifyHandoffToken(event);
+ *   if (!result.success) {
+ *     throw redirect(302, '/login');
+ *   }
+ *   return { session: result.session, user: result.user };
+ * };
+ * ```
+ */
+export declare function verifyHandoffToken(event: RequestEvent, options?: HandoffVerifyOptions): Promise<{
+    success: true;
+    session: Session;
+    user: User;
+} | {
+    success: false;
+    error: string;
+}>;
+/**
+ * Create handoff handler for SvelteKit hooks
+ *
+ * Usage in hooks.server.ts:
+ * ```typescript
+ * import { sequence } from '@sveltejs/kit/hooks';
+ * import { createAuthHandle, createHandoffHandler } from '@authrim/sveltekit/server';
+ *
+ * export const handle = sequence(
+ *   createAuthHandle({
+ *     issuer: env.AUTHRIM_ISSUER,
+ *     clientId: env.AUTHRIM_CLIENT_ID,
+ *   }),
+ *   createHandoffHandler()
+ * );
+ * ```
+ */
+export declare function createHandoffHandler(options?: HandoffVerifyOptions): Handle;
+//# sourceMappingURL=handoff.d.ts.map

package/dist/server/handoff.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"handoff.d.ts","sourceRoot":"","sources":["../../src/lib/server/handoff.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,KAAK,EAAE,MAAM,EAAE,YAAY,EAAE,MAAM,eAAe,CAAC;AAE1D,OAAO,KAAK,EAAE,OAAO,EAAE,IAAI,EAAE,MAAM,eAAe,CAAC;AACnD,OAAO,EAGL,KAAK,2BAA2B,EACjC,MAAM,cAAc,CAAC;AAEtB;;GAEG;AACH,MAAM,WAAW,oBAAoB;IACnC;;OAEG;IACH,MAAM,CAAC,EAAE,MAAM,CAAC;IAEhB;;OAEG;IACH,QAAQ,CAAC,EAAE,MAAM,CAAC;IAElB;;;OAGG;IACH,cAAc,CAAC,EAAE,MAAM,CAAC;IAExB;;;OAGG;IACH,aAAa,CAAC,EAAE,MAAM,CAAC;IAEvB;;OAEG;IACH,cAAc,CAAC,EAAE,2BAA2B,CAAC;CAC9C;AAmDD;;;;;;;;;;;;;GAaG;AACH,wBAAsB,kBAAkB,CACtC,KAAK,EAAE,YAAY,EACnB,OAAO,CAAC,EAAE,oBAAoB,GAC7B,OAAO,CACN;IAAE,OAAO,EAAE,IAAI,CAAC;IAAC,OAAO,EAAE,OAAO,CAAC;IAAC,IAAI,EAAE,IAAI,CAAA;CAAE,GAC/C;IAAE,OAAO,EAAE,KAAK,CAAC;IAAC,KAAK,EAAE,MAAM,CAAA;CAAE,CACpC,CA+DA;AAED;;;;;;;;;;;;;;;;GAgBG;AACH,wBAAgB,oBAAoB,CAAC,OAAO,CAAC,EAAE,oBAAoB,GAAG,MAAM,CAwB3E"}

package/dist/server/handoff.js ADDED Viewed

@@ -0,0 +1,133 @@
+/**
+ * Smart Handoff SSO Handler for SvelteKit
+ *
+ * Handles handoff token verification and session management for cross-domain SSO
+ * in SvelteKit server-side code.
+ */
+import { redirect } from '@sveltejs/kit';
+import { createServerSessionManager, } from './session.js';
+/**
+ * Get auth config from options or event.locals
+ */
+function getAuthConfig(event, options) {
+    // Try to get from options first
+    if (options?.issuer && options?.clientId) {
+        return { issuer: options.issuer, clientId: options.clientId };
+    }
+    // Fallback to event.locals (set by createAuthHandle)
+    const issuer = event.locals.authrim_issuer;
+    const clientId = event.locals.authrim_client_id;
+    if (!issuer || !clientId) {
+        throw new Error('Authrim config not found. Please provide issuer and clientId in options, or use createAuthHandle.');
+    }
+    return { issuer, clientId };
+}
+/**
+ * Verify handoff token from callback URL
+ *
+ * Usage in +page.server.ts:
+ * ```typescript
+ * export const load = async (event) => {
+ *   const result = await verifyHandoffToken(event);
+ *   if (!result.success) {
+ *     throw redirect(302, '/login');
+ *   }
+ *   return { session: result.session, user: result.user };
+ * };
+ * ```
+ */
+export async function verifyHandoffToken(event, options) {
+    const { url } = event;
+    const handoffToken = url.searchParams.get('handoff_token');
+    const state = url.searchParams.get('state');
+    if (!handoffToken || !state) {
+        return { success: false, error: 'Missing handoff token or state' };
+    }
+    try {
+        const { issuer, clientId } = getAuthConfig(event, options);
+        const verifyEndpoint = options?.verifyEndpoint || '/auth/external/handoff/verify';
+        const response = await fetch(`${issuer}${verifyEndpoint}`, {
+            method: 'POST',
+            headers: { 'Content-Type': 'application/json' },
+            body: JSON.stringify({
+                handoff_token: handoffToken,
+                state: state,
+                client_id: clientId,
+            }),
+        });
+        if (!response.ok) {
+            const error = await response.json().catch(() => ({}));
+            return {
+                success: false,
+                error: error.error_description || 'Handoff verification failed',
+            };
+        }
+        const data = await response.json();
+        // Save session to cookie
+        const sessionManager = createServerSessionManager(options?.sessionOptions);
+        const authContext = {
+            session: {
+                id: data.session.id,
+                userId: data.session.userId,
+                createdAt: data.session.createdAt,
+                expiresAt: data.session.expiresAt,
+            },
+            user: {
+                id: data.user.id,
+                email: data.user.email ?? undefined,
+                name: data.user.name ?? undefined,
+                emailVerified: data.user.emailVerified,
+            },
+        };
+        sessionManager.set(event, authContext);
+        return {
+            success: true,
+            session: authContext.session,
+            user: authContext.user,
+        };
+    }
+    catch (error) {
+        return {
+            success: false,
+            error: error instanceof Error ? error.message : 'Unknown error',
+        };
+    }
+}
+/**
+ * Create handoff handler for SvelteKit hooks
+ *
+ * Usage in hooks.server.ts:
+ * ```typescript
+ * import { sequence } from '@sveltejs/kit/hooks';
+ * import { createAuthHandle, createHandoffHandler } from '@authrim/sveltekit/server';
+ *
+ * export const handle = sequence(
+ *   createAuthHandle({
+ *     issuer: env.AUTHRIM_ISSUER,
+ *     clientId: env.AUTHRIM_CLIENT_ID,
+ *   }),
+ *   createHandoffHandler()
+ * );
+ * ```
+ */
+export function createHandoffHandler(options) {
+    return async ({ event, resolve }) => {
+        // Check if this is a handoff callback
+        const { url } = event;
+        if (url.searchParams.has('handoff_token')) {
+            const result = await verifyHandoffToken(event, options);
+            if (!result.success) {
+                const errorRedirect = options?.errorRedirect || '/login';
+                // Use 303 See Other (POST → GET redirect, safer than 302)
+                throw redirect(303, errorRedirect);
+            }
+            // Remove handoff token from URL
+            const cleanUrl = new URL(url);
+            cleanUrl.searchParams.delete('handoff_token');
+            cleanUrl.searchParams.delete('state');
+            // Use 303 See Other (認証後のリダイレクトに適切)
+            throw redirect(303, cleanUrl.toString());
+        }
+        return resolve(event);
+    };
+}

package/dist/server/index.d.ts CHANGED Viewed

@@ -1,4 +1,5 @@
 export { createServerSessionManager, type ServerSessionManager, type ServerSessionManagerOptions, type ServerAuthContext, } from './session.js';
 export { createAuthHandle, getServerSessionManager, getAuthFromEvent, type AuthHandleOptions, } from './handle.js';
 export { requireAuth, createAuthLoad, isAuthenticated, getUser, getSession, type AuthLoadOptions, } from './load.js';
+export { verifyHandoffToken, createHandoffHandler, type HandoffVerifyOptions, } from './handoff.js';
 //# sourceMappingURL=index.d.ts.map

package/dist/server/index.d.ts.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/lib/server/index.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,0BAA0B,EAC1B,KAAK,oBAAoB,EACzB,KAAK,2BAA2B,EAChC,KAAK,iBAAiB,GACvB,MAAM,cAAc,CAAC;AAEtB,OAAO,EACL,gBAAgB,EAChB,uBAAuB,EACvB,gBAAgB,EAChB,KAAK,iBAAiB,GACvB,MAAM,aAAa,CAAC;AAErB,OAAO,EACL,WAAW,EACX,cAAc,EACd,eAAe,EACf,OAAO,EACP,UAAU,EACV,KAAK,eAAe,GACrB,MAAM,WAAW,CAAC"}
1	+ {"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/lib/server/index.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,0BAA0B,EAC1B,KAAK,oBAAoB,EACzB,KAAK,2BAA2B,EAChC,KAAK,iBAAiB,GACvB,MAAM,cAAc,CAAC;AAEtB,OAAO,EACL,gBAAgB,EAChB,uBAAuB,EACvB,gBAAgB,EAChB,KAAK,iBAAiB,GACvB,MAAM,aAAa,CAAC;AAErB,OAAO,EACL,WAAW,EACX,cAAc,EACd,eAAe,EACf,OAAO,EACP,UAAU,EACV,KAAK,eAAe,GACrB,MAAM,WAAW,CAAC;AAEnB,OAAO,EACL,kBAAkB,EAClB,oBAAoB,EACpB,KAAK,oBAAoB,GAC1B,MAAM,cAAc,CAAC"}

package/dist/server/index.js CHANGED Viewed

@@ -1,3 +1,4 @@
 export { createServerSessionManager, } from './session.js';
 export { createAuthHandle, getServerSessionManager, getAuthFromEvent, } from './handle.js';
 export { requireAuth, createAuthLoad, isAuthenticated, getUser, getSession, } from './load.js';
+export { verifyHandoffToken, createHandoffHandler, } from './handoff.js';

package/dist/types.d.ts CHANGED Viewed

@@ -13,6 +13,16 @@ export interface AuthrimConfig {
     issuer: string;
     clientId: string;
     storage?: StorageOptions;
+    /**
+     * Enable OAuth 2.0 / OpenID Connect flows
+     * Default: false
+     */
+    enableOAuth?: boolean;
+    /**
+     * Silent login redirect URI (for OAuth callback)
+     * Default: {origin}/callback.html
+     */
+    silentLoginRedirectUri?: string;
 }
 export interface AuthError {
     code: string;
@@ -108,6 +118,61 @@ export interface CIBANamespace {
 export interface LoginChallengeNamespace {
     getData(challengeId: string): Promise<import("./direct-auth/login-challenge.js").LoginChallengeData>;
 }
+/**
+ * Try silent login options
+ */
+export interface TrySilentLoginOptions {
+    /**
+     * What to do if IdP has no session (login_required)
+     * - 'return': Return to returnTo URL with sso_error=login_required
+     * - 'login': Redirect to login screen, then return after login
+     * Default: 'return'
+     */
+    onLoginRequired?: "return" | "login";
+    /**
+     * URL to return after silent login completes
+     * Default: current page URL
+     * Security: Must be same origin
+     */
+    returnTo?: string;
+    /**
+     * OAuth scopes to request
+     * Default: SDK default scopes
+     */
+    scope?: string;
+}
+/**
+ * Silent login result
+ */
+export type SilentLoginResult = {
+    status: "success";
+} | {
+    status: "login_required";
+} | {
+    status: "error";
+    error: string;
+    errorDescription?: string;
+};
+export interface OAuthNamespace {
+    /**
+     * Try silent SSO via top-level navigation (prompt=none)
+     *
+     * Safari ITP / Chrome Third-Party Cookie Phaseout compatible.
+     * This function redirects to IdP and does not return.
+     */
+    trySilentLogin(options?: TrySilentLoginOptions): Promise<never>;
+    /**
+     * Handle silent login callback
+     *
+     * Call this in your callback page. Handles both silent login
+     * results and regular OAuth callbacks.
+     */
+    handleSilentCallback(): Promise<SilentLoginResult>;
+    /**
+     * Handle regular OAuth callback (for authorization code flow)
+     */
+    handleCallback(callbackUrl?: string): Promise<import("@authrim/core").TokenSet>;
+}
 export interface SignInShortcuts {
     passkey(options?: PasskeyLoginOptions): Promise<AuthResponse<AuthSessionData>>;
     social(provider: SocialProvider, options?: SocialLoginOptions): Promise<AuthResponse<AuthSessionData>>;
@@ -127,6 +192,8 @@ export interface AuthrimClient {
     emailCode: EmailCodeNamespace;
     social: SocialNamespace;
     session: SessionNamespace;
+    /** OAuth 2.0 / OpenID Connect API (optional, enabled via config.enableOAuth) */
+    oauth?: OAuthNamespace;
     /** Consent flow API */
     consent: ConsentNamespace;
     /** Device flow API (RFC 8628) */

package/dist/types.d.ts.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../src/lib/types.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,OAAO,KAAK,EAAE,QAAQ,EAAE,MAAM,cAAc,CAAC;AAC7C,OAAO,KAAK,EACV,OAAO,EACP,IAAI,EACJ,cAAc,EACd,mBAAmB,EACnB,oBAAoB,EACpB,sBAAsB,EACtB,iBAAiB,EACjB,oBAAoB,EACpB,mBAAmB,EACnB,sBAAsB,EACtB,kBAAkB,EAClB,uBAAuB,EACvB,UAAU,EACX,MAAM,eAAe,CAAC;AACvB,OAAO,KAAK,EACV,gBAAgB,EAChB,SAAS,IAAI,cAAc,EAC5B,MAAM,kBAAkB,CAAC;AAM1B,MAAM,MAAM,WAAW,GAAG,QAAQ,GAAG,gBAAgB,GAAG,cAAc,CAAC;AAEvE,MAAM,WAAW,cAAc;IAC7B,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,OAAO,CAAC,EAAE,WAAW,CAAC;CACvB;AAED,MAAM,WAAW,aAAa;IAC5B,MAAM,EAAE,MAAM,CAAC;IACf,QAAQ,EAAE,MAAM,CAAC;IACjB,OAAO,CAAC,EAAE,cAAc,CAAC;~~CAC1B~~;AAMD,MAAM,WAAW,SAAS;IACxB,IAAI,EAAE,MAAM,CAAC;IACb,KAAK,EAAE,MAAM,CAAC;IACd,OAAO,EAAE,MAAM,CAAC;IAChB,SAAS,EAAE,OAAO,CAAC;IACnB,QAAQ,EAAE,MAAM,GAAG,MAAM,GAAG,OAAO,GAAG,UAAU,CAAC;IACjD,KAAK,CAAC,EAAE,OAAO,CAAC;CACjB;AAED,MAAM,MAAM,YAAY,CAAC,CAAC,IACtB;IAAE,IAAI,EAAE,CAAC,CAAC;IAAC,KAAK,EAAE,IAAI,CAAA;CAAE,GACxB;IAAE,IAAI,EAAE,IAAI,CAAC;IAAC,KAAK,EAAE,SAAS,CAAA;CAAE,CAAC;AAErC,MAAM,WAAW,eAAe;IAC9B,OAAO,EAAE,OAAO,CAAC;IACjB,IAAI,EAAE,IAAI,CAAC;IACX,UAAU,CAAC,EAAE,UAAU,CAAC;IACxB,2EAA2E;IAC3E,UAAU,CAAC,EAAE,MAAM,CAAC;CACrB;AAMD,MAAM,MAAM,aAAa,GACrB,iBAAiB,GACjB,iBAAiB,GACjB,YAAY,GACZ,aAAa,GACb,YAAY,GACZ,iBAAiB,CAAC;AAEtB,MAAM,WAAW,iBAAiB;IAChC,iBAAiB,EAAE;QAAE,OAAO,EAAE,OAAO,GAAG,IAAI,CAAC;QAAC,IAAI,EAAE,IAAI,GAAG,IAAI,CAAA;KAAE,CAAC;IAClE,iBAAiB,EAAE;QAAE,MAAM,EAAE,SAAS,GAAG,SAAS,GAAG,QAAQ,CAAA;KAAE,CAAC;IAChE,YAAY,EAAE;QACZ,OAAO,EAAE,OAAO,CAAC;QACjB,IAAI,EAAE,IAAI,CAAC;QACX,MAAM,EAAE,SAAS,GAAG,WAAW,GAAG,QAAQ,CAAC;KAC5C,CAAC;IACF,aAAa,EAAE;QAAE,WAAW,CAAC,EAAE,MAAM,CAAA;KAAE,CAAC;IACxC,YAAY,EAAE;QAAE,KAAK,EAAE,SAAS,CAAA;KAAE,CAAC;IACnC,iBAAiB,EAAE;QAAE,OAAO,EAAE,OAAO,CAAA;KAAE,CAAC;CACzC;AAED,MAAM,MAAM,gBAAgB,CAAC,CAAC,SAAS,aAAa,IAAI,CACtD,OAAO,EAAE,iBAAiB,CAAC,CAAC,CAAC,KAC1B,IAAI,CAAC;AAMV,MAAM,WAAW,gBAAgB;IAC/B,KAAK,CAAC,OAAO,CAAC,EAAE,mBAAmB,GAAG,OAAO,CAAC,YAAY,CAAC,eAAe,CAAC,CAAC,CAAC;IAC7E,MAAM,CAAC,OAAO,EAAE,oBAAoB,GAAG,OAAO,CAAC,YAAY,CAAC,eAAe,CAAC,CAAC,CAAC;IAC9E,QAAQ,CACN,OAAO,CAAC,EAAE,sBAAsB,GAC/B,OAAO,CAAC,YAAY,CAAC,iBAAiB,CAAC,CAAC,CAAC;IAC5C,WAAW,IAAI,OAAO,CAAC;IACvB,wBAAwB,IAAI,OAAO,CAAC,OAAO,CAAC,CAAC;IAC7C,mBAAmB,IAAI,IAAI,CAAC;CAC7B;AAED,MAAM,WAAW,kBAAkB;IACjC,IAAI,CACF,KAAK,EAAE,MAAM,EACb,OAAO,CAAC,EAAE,oBAAoB,GAC7B,OAAO,CAAC,YAAY,CAAC,mBAAmB,CAAC,CAAC,CAAC;IAC9C,MAAM,CACJ,KAAK,EAAE,MAAM,EACb,IAAI,EAAE,MAAM,EACZ,OAAO,CAAC,EAAE,sBAAsB,GAC/B,OAAO,CAAC,YAAY,CAAC,eAAe,CAAC,CAAC,CAAC;IAC1C,sBAAsB,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC;IAC/C,gBAAgB,CAAC,KAAK,EAAE,MAAM,GAAG,MAAM,CAAC;IACxC,wBAAwB,CAAC,KAAK,EAAE,MAAM,GAAG,IAAI,CAAC;CAC/C;AAED,MAAM,WAAW,eAAe;IAC9B,cAAc,CACZ,QAAQ,EAAE,cAAc,EACxB,OAAO,CAAC,EAAE,kBAAkB,GAC3B,OAAO,CAAC,YAAY,CAAC,eAAe,CAAC,CAAC,CAAC;IAC1C,iBAAiB,CACf,QAAQ,EAAE,cAAc,EACxB,OAAO,CAAC,EAAE,kBAAkB,GAC3B,OAAO,CAAC,IAAI,CAAC,CAAC;IACjB,cAAc,IAAI,OAAO,CAAC,YAAY,CAAC,eAAe,CAAC,CAAC,CAAC;IACzD,iBAAiB,IAAI,OAAO,CAAC;IAC7B,qBAAqB,IAAI,cAAc,EAAE,CAAC;CAC3C;AAED,MAAM,WAAW,gBAAgB;IAC/B,GAAG,IAAI,OAAO,CAAC,YAAY,CAAC,eAAe,GAAG,IAAI,CAAC,CAAC,CAAC;IACrD,QAAQ,IAAI,OAAO,CAAC,OAAO,CAAC,CAAC;IAC7B,OAAO,IAAI,OAAO,CAAC,IAAI,GAAG,IAAI,CAAC,CAAC;IAChC,OAAO,IAAI,OAAO,CAAC,OAAO,GAAG,IAAI,CAAC,CAAC;IACnC,eAAe,IAAI,OAAO,CAAC,OAAO,CAAC,CAAC;IACpC,UAAU,IAAI,IAAI,CAAC;CACpB;AAED,MAAM,WAAW,cAAe,SAAQ,uBAAuB;CAAG;AAMlE,MAAM,WAAW,gBAAgB;IAC/B,OAAO,CACL,WAAW,EAAE,MAAM,GAClB,OAAO,CAAC,OAAO,0BAA0B,EAAE,iBAAiB,CAAC,CAAC;IACjE,MAAM,CACJ,WAAW,EAAE,MAAM,EACnB,OAAO,EAAE,OAAO,0BAA0B,EAAE,oBAAoB,GAC/D,OAAO,CAAC,OAAO,0BAA0B,EAAE,mBAAmB,CAAC,CAAC;CACpE;AAED,MAAM,WAAW,mBAAmB;IAClC,MAAM,CACJ,QAAQ,EAAE,MAAM,EAChB,OAAO,CAAC,EAAE,OAAO,GAChB,OAAO,CAAC,OAAO,8BAA8B,EAAE,sBAAsB,CAAC,CAAC;CAC3E;AAED,MAAM,WAAW,aAAa;IAC5B,OAAO,CACL,SAAS,EAAE,MAAM,GAChB,OAAO,CAAC,OAAO,uBAAuB,EAAE,kBAAkB,EAAE,CAAC,CAAC;IACjE,OAAO,CACL,SAAS,EAAE,MAAM,EACjB,MAAM,EAAE,MAAM,EACd,GAAG,EAAE,MAAM,GACV,OAAO,CAAC,OAAO,uBAAuB,EAAE,gBAAgB,CAAC,CAAC;IAC7D,MAAM,CACJ,SAAS,EAAE,MAAM,EACjB,MAAM,CAAC,EAAE,MAAM,GACd,OAAO,CAAC,OAAO,uBAAuB,EAAE,gBAAgB,CAAC,CAAC;CAC9D;AAED,MAAM,WAAW,uBAAuB;IACtC,OAAO,CACL,WAAW,EAAE,MAAM,GAClB,OAAO,CAAC,OAAO,kCAAkC,EAAE,kBAAkB,CAAC,CAAC;CAC3E;AAMD,MAAM,WAAW,eAAe;IAC9B,OAAO,CACL,OAAO,CAAC,EAAE,mBAAmB,GAC5B,OAAO,CAAC,YAAY,CAAC,eAAe,CAAC,CAAC,CAAC;IAC1C,MAAM,CACJ,QAAQ,EAAE,cAAc,EACxB,OAAO,CAAC,EAAE,kBAAkB,GAC3B,OAAO,CAAC,YAAY,CAAC,eAAe,CAAC,CAAC,CAAC;CAC3C;AAED,MAAM,WAAW,eAAe;IAC9B,OAAO,CACL,OAAO,EAAE,oBAAoB,GAC5B,OAAO,CAAC,YAAY,CAAC,eAAe,CAAC,CAAC,CAAC;CAC3C;AAMD,MAAM,WAAW,UAAU;IACzB,OAAO,EAAE,QAAQ,CAAC,OAAO,GAAG,IAAI,CAAC,CAAC;IAClC,IAAI,EAAE,QAAQ,CAAC,IAAI,GAAG,IAAI,CAAC,CAAC;IAC5B,eAAe,EAAE,QAAQ,CAAC,OAAO,CAAC,CAAC;IACnC,YAAY,EAAE,QAAQ,CAAC,gBAAgB,CAAC,CAAC;IACzC,KAAK,EAAE,QAAQ,CAAC,cAAc,GAAG,IAAI,CAAC,CAAC;CACxC;AAMD,MAAM,WAAW,aAAa;IAC5B,OAAO,EAAE,gBAAgB,CAAC;IAC1B,SAAS,EAAE,kBAAkB,CAAC;IAC9B,MAAM,EAAE,eAAe,CAAC;IACxB,OAAO,EAAE,gBAAgB,CAAC;IAE1B,uBAAuB;IACvB,OAAO,EAAE,gBAAgB,CAAC;IAC1B,iCAAiC;IACjC,UAAU,EAAE,mBAAmB,CAAC;IAChC,6DAA6D;IAC7D,IAAI,EAAE,aAAa,CAAC;IACpB,0BAA0B;IAC1B,cAAc,EAAE,uBAAuB,CAAC;IAExC,MAAM,EAAE,eAAe,CAAC;IACxB,MAAM,EAAE,eAAe,CAAC;IAExB,OAAO,CAAC,OAAO,CAAC,EAAE,cAAc,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IAEjD,EAAE,CAAC,CAAC,SAAS,aAAa,EACxB,KAAK,EAAE,CAAC,EACR,OAAO,EAAE,gBAAgB,CAAC,CAAC,CAAC,GAC3B,MAAM,IAAI,CAAC;IAEd,uCAAuC;IACvC,MAAM,EAAE,UAAU,CAAC;IAEnB;;;;;;OAMG;IACH,YAAY,CAAC,OAAO,EAAE,OAAO,GAAG,IAAI,EAAE,IAAI,EAAE,IAAI,GAAG,IAAI,GAAG,IAAI,CAAC;IAE/D;;;;;;;OAOG;IACH,OAAO,IAAI,IAAI,CAAC;CACjB;AAMD,YAAY,EACV,OAAO,EACP,IAAI,EACJ,cAAc,EACd,mBAAmB,EACnB,oBAAoB,EACpB,sBAAsB,EACtB,iBAAiB,EACjB,oBAAoB,EACpB,mBAAmB,EACnB,sBAAsB,EACtB,kBAAkB,EAClB,uBAAuB,EACvB,UAAU,GACX,MAAM,eAAe,CAAC;AAEvB,YAAY,EAAE,gBAAgB,EAAE,MAAM,kBAAkB,CAAC"}
1	+ {"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../src/lib/types.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,OAAO,KAAK,EAAE,QAAQ,EAAE,MAAM,cAAc,CAAC;AAC7C,OAAO,KAAK,EACV,OAAO,EACP,IAAI,EACJ,cAAc,EACd,mBAAmB,EACnB,oBAAoB,EACpB,sBAAsB,EACtB,iBAAiB,EACjB,oBAAoB,EACpB,mBAAmB,EACnB,sBAAsB,EACtB,kBAAkB,EAClB,uBAAuB,EACvB,UAAU,EACX,MAAM,eAAe,CAAC;AACvB,OAAO,KAAK,EACV,gBAAgB,EAChB,SAAS,IAAI,cAAc,EAC5B,MAAM,kBAAkB,CAAC;AAM1B,MAAM,MAAM,WAAW,GAAG,QAAQ,GAAG,gBAAgB,GAAG,cAAc,CAAC;AAEvE,MAAM,WAAW,cAAc;IAC7B,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,OAAO,CAAC,EAAE,WAAW,CAAC;CACvB;AAED,MAAM,WAAW,aAAa;IAC5B,MAAM,EAAE,MAAM,CAAC;IACf,QAAQ,EAAE,MAAM,CAAC;IACjB,OAAO,CAAC,EAAE,cAAc,CAAC;IACzB;;;OAGG;IACH,WAAW,CAAC,EAAE,OAAO,CAAC;IACtB;;;OAGG;IACH,sBAAsB,CAAC,EAAE,MAAM,CAAC;CACjC;AAMD,MAAM,WAAW,SAAS;IACxB,IAAI,EAAE,MAAM,CAAC;IACb,KAAK,EAAE,MAAM,CAAC;IACd,OAAO,EAAE,MAAM,CAAC;IAChB,SAAS,EAAE,OAAO,CAAC;IACnB,QAAQ,EAAE,MAAM,GAAG,MAAM,GAAG,OAAO,GAAG,UAAU,CAAC;IACjD,KAAK,CAAC,EAAE,OAAO,CAAC;CACjB;AAED,MAAM,MAAM,YAAY,CAAC,CAAC,IACtB;IAAE,IAAI,EAAE,CAAC,CAAC;IAAC,KAAK,EAAE,IAAI,CAAA;CAAE,GACxB;IAAE,IAAI,EAAE,IAAI,CAAC;IAAC,KAAK,EAAE,SAAS,CAAA;CAAE,CAAC;AAErC,MAAM,WAAW,eAAe;IAC9B,OAAO,EAAE,OAAO,CAAC;IACjB,IAAI,EAAE,IAAI,CAAC;IACX,UAAU,CAAC,EAAE,UAAU,CAAC;IACxB,2EAA2E;IAC3E,UAAU,CAAC,EAAE,MAAM,CAAC;CACrB;AAMD,MAAM,MAAM,aAAa,GACrB,iBAAiB,GACjB,iBAAiB,GACjB,YAAY,GACZ,aAAa,GACb,YAAY,GACZ,iBAAiB,CAAC;AAEtB,MAAM,WAAW,iBAAiB;IAChC,iBAAiB,EAAE;QAAE,OAAO,EAAE,OAAO,GAAG,IAAI,CAAC;QAAC,IAAI,EAAE,IAAI,GAAG,IAAI,CAAA;KAAE,CAAC;IAClE,iBAAiB,EAAE;QAAE,MAAM,EAAE,SAAS,GAAG,SAAS,GAAG,QAAQ,CAAA;KAAE,CAAC;IAChE,YAAY,EAAE;QACZ,OAAO,EAAE,OAAO,CAAC;QACjB,IAAI,EAAE,IAAI,CAAC;QACX,MAAM,EAAE,SAAS,GAAG,WAAW,GAAG,QAAQ,CAAC;KAC5C,CAAC;IACF,aAAa,EAAE;QAAE,WAAW,CAAC,EAAE,MAAM,CAAA;KAAE,CAAC;IACxC,YAAY,EAAE;QAAE,KAAK,EAAE,SAAS,CAAA;KAAE,CAAC;IACnC,iBAAiB,EAAE;QAAE,OAAO,EAAE,OAAO,CAAA;KAAE,CAAC;CACzC;AAED,MAAM,MAAM,gBAAgB,CAAC,CAAC,SAAS,aAAa,IAAI,CACtD,OAAO,EAAE,iBAAiB,CAAC,CAAC,CAAC,KAC1B,IAAI,CAAC;AAMV,MAAM,WAAW,gBAAgB;IAC/B,KAAK,CAAC,OAAO,CAAC,EAAE,mBAAmB,GAAG,OAAO,CAAC,YAAY,CAAC,eAAe,CAAC,CAAC,CAAC;IAC7E,MAAM,CAAC,OAAO,EAAE,oBAAoB,GAAG,OAAO,CAAC,YAAY,CAAC,eAAe,CAAC,CAAC,CAAC;IAC9E,QAAQ,CACN,OAAO,CAAC,EAAE,sBAAsB,GAC/B,OAAO,CAAC,YAAY,CAAC,iBAAiB,CAAC,CAAC,CAAC;IAC5C,WAAW,IAAI,OAAO,CAAC;IACvB,wBAAwB,IAAI,OAAO,CAAC,OAAO,CAAC,CAAC;IAC7C,mBAAmB,IAAI,IAAI,CAAC;CAC7B;AAED,MAAM,WAAW,kBAAkB;IACjC,IAAI,CACF,KAAK,EAAE,MAAM,EACb,OAAO,CAAC,EAAE,oBAAoB,GAC7B,OAAO,CAAC,YAAY,CAAC,mBAAmB,CAAC,CAAC,CAAC;IAC9C,MAAM,CACJ,KAAK,EAAE,MAAM,EACb,IAAI,EAAE,MAAM,EACZ,OAAO,CAAC,EAAE,sBAAsB,GAC/B,OAAO,CAAC,YAAY,CAAC,eAAe,CAAC,CAAC,CAAC;IAC1C,sBAAsB,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC;IAC/C,gBAAgB,CAAC,KAAK,EAAE,MAAM,GAAG,MAAM,CAAC;IACxC,wBAAwB,CAAC,KAAK,EAAE,MAAM,GAAG,IAAI,CAAC;CAC/C;AAED,MAAM,WAAW,eAAe;IAC9B,cAAc,CACZ,QAAQ,EAAE,cAAc,EACxB,OAAO,CAAC,EAAE,kBAAkB,GAC3B,OAAO,CAAC,YAAY,CAAC,eAAe,CAAC,CAAC,CAAC;IAC1C,iBAAiB,CACf,QAAQ,EAAE,cAAc,EACxB,OAAO,CAAC,EAAE,kBAAkB,GAC3B,OAAO,CAAC,IAAI,CAAC,CAAC;IACjB,cAAc,IAAI,OAAO,CAAC,YAAY,CAAC,eAAe,CAAC,CAAC,CAAC;IACzD,iBAAiB,IAAI,OAAO,CAAC;IAC7B,qBAAqB,IAAI,cAAc,EAAE,CAAC;CAC3C;AAED,MAAM,WAAW,gBAAgB;IAC/B,GAAG,IAAI,OAAO,CAAC,YAAY,CAAC,eAAe,GAAG,IAAI,CAAC,CAAC,CAAC;IACrD,QAAQ,IAAI,OAAO,CAAC,OAAO,CAAC,CAAC;IAC7B,OAAO,IAAI,OAAO,CAAC,IAAI,GAAG,IAAI,CAAC,CAAC;IAChC,OAAO,IAAI,OAAO,CAAC,OAAO,GAAG,IAAI,CAAC,CAAC;IACnC,eAAe,IAAI,OAAO,CAAC,OAAO,CAAC,CAAC;IACpC,UAAU,IAAI,IAAI,CAAC;CACpB;AAED,MAAM,WAAW,cAAe,SAAQ,uBAAuB;CAAG;AAMlE,MAAM,WAAW,gBAAgB;IAC/B,OAAO,CACL,WAAW,EAAE,MAAM,GAClB,OAAO,CAAC,OAAO,0BAA0B,EAAE,iBAAiB,CAAC,CAAC;IACjE,MAAM,CACJ,WAAW,EAAE,MAAM,EACnB,OAAO,EAAE,OAAO,0BAA0B,EAAE,oBAAoB,GAC/D,OAAO,CAAC,OAAO,0BAA0B,EAAE,mBAAmB,CAAC,CAAC;CACpE;AAED,MAAM,WAAW,mBAAmB;IAClC,MAAM,CACJ,QAAQ,EAAE,MAAM,EAChB,OAAO,CAAC,EAAE,OAAO,GAChB,OAAO,CAAC,OAAO,8BAA8B,EAAE,sBAAsB,CAAC,CAAC;CAC3E;AAED,MAAM,WAAW,aAAa;IAC5B,OAAO,CACL,SAAS,EAAE,MAAM,GAChB,OAAO,CAAC,OAAO,uBAAuB,EAAE,kBAAkB,EAAE,CAAC,CAAC;IACjE,OAAO,CACL,SAAS,EAAE,MAAM,EACjB,MAAM,EAAE,MAAM,EACd,GAAG,EAAE,MAAM,GACV,OAAO,CAAC,OAAO,uBAAuB,EAAE,gBAAgB,CAAC,CAAC;IAC7D,MAAM,CACJ,SAAS,EAAE,MAAM,EACjB,MAAM,CAAC,EAAE,MAAM,GACd,OAAO,CAAC,OAAO,uBAAuB,EAAE,gBAAgB,CAAC,CAAC;CAC9D;AAED,MAAM,WAAW,uBAAuB;IACtC,OAAO,CACL,WAAW,EAAE,MAAM,GAClB,OAAO,CAAC,OAAO,kCAAkC,EAAE,kBAAkB,CAAC,CAAC;CAC3E;AAMD;;GAEG;AACH,MAAM,WAAW,qBAAqB;IACpC;;;;;OAKG;IACH,eAAe,CAAC,EAAE,QAAQ,GAAG,OAAO,CAAC;IACrC;;;;OAIG;IACH,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB;;;OAGG;IACH,KAAK,CAAC,EAAE,MAAM,CAAC;CAChB;AAED;;GAEG;AACH,MAAM,MAAM,iBAAiB,GACzB;IAAE,MAAM,EAAE,SAAS,CAAA;CAAE,GACrB;IAAE,MAAM,EAAE,gBAAgB,CAAA;CAAE,GAC5B;IAAE,MAAM,EAAE,OAAO,CAAC;IAAC,KAAK,EAAE,MAAM,CAAC;IAAC,gBAAgB,CAAC,EAAE,MAAM,CAAA;CAAE,CAAC;AAElE,MAAM,WAAW,cAAc;IAC7B;;;;;OAKG;IACH,cAAc,CAAC,OAAO,CAAC,EAAE,qBAAqB,GAAG,OAAO,CAAC,KAAK,CAAC,CAAC;IAEhE;;;;;OAKG;IACH,oBAAoB,IAAI,OAAO,CAAC,iBAAiB,CAAC,CAAC;IAEnD;;OAEG;IACH,cAAc,CAAC,WAAW,CAAC,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,eAAe,EAAE,QAAQ,CAAC,CAAC;CACjF;AAMD,MAAM,WAAW,eAAe;IAC9B,OAAO,CACL,OAAO,CAAC,EAAE,mBAAmB,GAC5B,OAAO,CAAC,YAAY,CAAC,eAAe,CAAC,CAAC,CAAC;IAC1C,MAAM,CACJ,QAAQ,EAAE,cAAc,EACxB,OAAO,CAAC,EAAE,kBAAkB,GAC3B,OAAO,CAAC,YAAY,CAAC,eAAe,CAAC,CAAC,CAAC;CAC3C;AAED,MAAM,WAAW,eAAe;IAC9B,OAAO,CACL,OAAO,EAAE,oBAAoB,GAC5B,OAAO,CAAC,YAAY,CAAC,eAAe,CAAC,CAAC,CAAC;CAC3C;AAMD,MAAM,WAAW,UAAU;IACzB,OAAO,EAAE,QAAQ,CAAC,OAAO,GAAG,IAAI,CAAC,CAAC;IAClC,IAAI,EAAE,QAAQ,CAAC,IAAI,GAAG,IAAI,CAAC,CAAC;IAC5B,eAAe,EAAE,QAAQ,CAAC,OAAO,CAAC,CAAC;IACnC,YAAY,EAAE,QAAQ,CAAC,gBAAgB,CAAC,CAAC;IACzC,KAAK,EAAE,QAAQ,CAAC,cAAc,GAAG,IAAI,CAAC,CAAC;CACxC;AAMD,MAAM,WAAW,aAAa;IAC5B,OAAO,EAAE,gBAAgB,CAAC;IAC1B,SAAS,EAAE,kBAAkB,CAAC;IAC9B,MAAM,EAAE,eAAe,CAAC;IACxB,OAAO,EAAE,gBAAgB,CAAC;IAE1B,gFAAgF;IAChF,KAAK,CAAC,EAAE,cAAc,CAAC;IAEvB,uBAAuB;IACvB,OAAO,EAAE,gBAAgB,CAAC;IAC1B,iCAAiC;IACjC,UAAU,EAAE,mBAAmB,CAAC;IAChC,6DAA6D;IAC7D,IAAI,EAAE,aAAa,CAAC;IACpB,0BAA0B;IAC1B,cAAc,EAAE,uBAAuB,CAAC;IAExC,MAAM,EAAE,eAAe,CAAC;IACxB,MAAM,EAAE,eAAe,CAAC;IAExB,OAAO,CAAC,OAAO,CAAC,EAAE,cAAc,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IAEjD,EAAE,CAAC,CAAC,SAAS,aAAa,EACxB,KAAK,EAAE,CAAC,EACR,OAAO,EAAE,gBAAgB,CAAC,CAAC,CAAC,GAC3B,MAAM,IAAI,CAAC;IAEd,uCAAuC;IACvC,MAAM,EAAE,UAAU,CAAC;IAEnB;;;;;;OAMG;IACH,YAAY,CAAC,OAAO,EAAE,OAAO,GAAG,IAAI,EAAE,IAAI,EAAE,IAAI,GAAG,IAAI,GAAG,IAAI,CAAC;IAE/D;;;;;;;OAOG;IACH,OAAO,IAAI,IAAI,CAAC;CACjB;AAMD,YAAY,EACV,OAAO,EACP,IAAI,EACJ,cAAc,EACd,mBAAmB,EACnB,oBAAoB,EACpB,sBAAsB,EACtB,iBAAiB,EACjB,oBAAoB,EACpB,mBAAmB,EACnB,sBAAsB,EACtB,kBAAkB,EAClB,uBAAuB,EACvB,UAAU,GACX,MAAM,eAAe,CAAC;AAEvB,YAAY,EAAE,gBAAgB,EAAE,MAAM,kBAAkB,CAAC"}

package/dist/utils/client-config.d.ts ADDED Viewed

@@ -0,0 +1,32 @@
+/**
+ * Client Configuration Fetcher
+ *
+ * Fetches public client configuration from the server's Public Config API.
+ */
+/**
+ * Public client configuration from server
+ */
+export interface PublicClientConfig {
+    client_id: string;
+    client_name?: string;
+    logo_uri?: string;
+    client_uri?: string;
+    policy_uri?: string;
+    tos_uri?: string;
+    login_ui_url?: string;
+    initiate_login_uri?: string;
+}
+/**
+ * Fetch public client configuration from server
+ *
+ * This fetches configuration from the Public Config API endpoint:
+ * GET /oauth/clients/:client_id/config
+ *
+ * This endpoint is public (no authentication required) and cached for 5 minutes.
+ *
+ * @param issuer - Authrim issuer URL
+ * @param clientId - OAuth client ID
+ * @returns Public client configuration or null if fetch fails
+ */
+export declare function fetchClientConfig(issuer: string, clientId: string): Promise<PublicClientConfig | null>;
+//# sourceMappingURL=client-config.d.ts.map

package/dist/utils/client-config.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"client-config.d.ts","sourceRoot":"","sources":["../../src/lib/utils/client-config.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH;;GAEG;AACH,MAAM,WAAW,kBAAkB;IACjC,SAAS,EAAE,MAAM,CAAC;IAClB,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,kBAAkB,CAAC,EAAE,MAAM,CAAC;CAC7B;AAED;;;;;;;;;;;GAWG;AACH,wBAAsB,iBAAiB,CACrC,MAAM,EAAE,MAAM,EACd,QAAQ,EAAE,MAAM,GACf,OAAO,CAAC,kBAAkB,GAAG,IAAI,CAAC,CA0BpC"}

package/dist/utils/client-config.js ADDED Viewed

@@ -0,0 +1,42 @@
+/**
+ * Client Configuration Fetcher
+ *
+ * Fetches public client configuration from the server's Public Config API.
+ */
+/**
+ * Fetch public client configuration from server
+ *
+ * This fetches configuration from the Public Config API endpoint:
+ * GET /oauth/clients/:client_id/config
+ *
+ * This endpoint is public (no authentication required) and cached for 5 minutes.
+ *
+ * @param issuer - Authrim issuer URL
+ * @param clientId - OAuth client ID
+ * @returns Public client configuration or null if fetch fails
+ */
+export async function fetchClientConfig(issuer, clientId) {
+    try {
+        // Normalize issuer URL (remove trailing slash)
+        const baseUrl = issuer.replace(/\/$/, '');
+        const url = `${baseUrl}/oauth/clients/${encodeURIComponent(clientId)}/config`;
+        const response = await fetch(url, {
+            method: 'GET',
+            headers: {
+                'Accept': 'application/json',
+            },
+            // Use cache to avoid unnecessary requests
+            cache: 'default',
+        });
+        if (!response.ok) {
+            console.warn(`Failed to fetch client config: ${response.status} ${response.statusText}`);
+            return null;
+        }
+        const config = await response.json();
+        return config;
+    }
+    catch (error) {
+        console.warn('Failed to fetch client config:', error);
+        return null;
+    }
+}

package/dist/utils/index.d.ts CHANGED Viewed

@@ -1,5 +1,6 @@
 export { sanitizeForLogging, sanitizeJsonForLogging, maskValue, } from './sensitive-data.js';
 export { getAuthrimCode, mapSeverity, ERROR_CODE_MAP } from './error-mapping.js';
+export { fetchClientConfig, type PublicClientConfig } from './client-config.js';
 export { convertToPublicKeyCredentialRequestOptions, convertToPublicKeyCredentialCreationOptions, assertionResponseToJSON, attestationResponseToJSON, } from './webauthn-converters.js';
 export { success, failure, failureFromParams, toAuthError, authResultToResponse, wrapWithAuthResponse, } from './response.js';
 export { AUTH_CONTEXT_KEY, setAuthContext, getAuthContext, hasAuthContext } from './context.js';

package/dist/utils/index.d.ts.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/lib/utils/index.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,kBAAkB,EAClB,sBAAsB,EACtB,SAAS,GACV,MAAM,qBAAqB,CAAC;AAC7B,OAAO,EAAE,cAAc,EAAE,WAAW,EAAE,cAAc,EAAE,MAAM,oBAAoB,CAAC;AACjF,OAAO,EACL,0CAA0C,EAC1C,2CAA2C,EAC3C,uBAAuB,EACvB,yBAAyB,GAC1B,MAAM,0BAA0B,CAAC;AAClC,OAAO,EACL,OAAO,EACP,OAAO,EACP,iBAAiB,EACjB,WAAW,EACX,oBAAoB,EACpB,oBAAoB,GACrB,MAAM,eAAe,CAAC;AACvB,OAAO,EAAE,gBAAgB,EAAE,cAAc,EAAE,cAAc,EAAE,cAAc,EAAE,MAAM,cAAc,CAAC;AAChG,OAAO,EACL,SAAS,EACT,QAAQ,EACR,SAAS,EACT,QAAQ,EACR,SAAS,EACT,WAAW,EACX,eAAe,EACf,iBAAiB,GAClB,MAAM,UAAU,CAAC"}
1	+ {"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/lib/utils/index.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,kBAAkB,EAClB,sBAAsB,EACtB,SAAS,GACV,MAAM,qBAAqB,CAAC;AAC7B,OAAO,EAAE,cAAc,EAAE,WAAW,EAAE,cAAc,EAAE,MAAM,oBAAoB,CAAC;AACjF,OAAO,EAAE,iBAAiB,EAAE,KAAK,kBAAkB,EAAE,MAAM,oBAAoB,CAAC;AAChF,OAAO,EACL,0CAA0C,EAC1C,2CAA2C,EAC3C,uBAAuB,EACvB,yBAAyB,GAC1B,MAAM,0BAA0B,CAAC;AAClC,OAAO,EACL,OAAO,EACP,OAAO,EACP,iBAAiB,EACjB,WAAW,EACX,oBAAoB,EACpB,oBAAoB,GACrB,MAAM,eAAe,CAAC;AACvB,OAAO,EAAE,gBAAgB,EAAE,cAAc,EAAE,cAAc,EAAE,cAAc,EAAE,MAAM,cAAc,CAAC;AAChG,OAAO,EACL,SAAS,EACT,QAAQ,EACR,SAAS,EACT,QAAQ,EACR,SAAS,EACT,WAAW,EACX,eAAe,EACf,iBAAiB,GAClB,MAAM,UAAU,CAAC"}

package/dist/utils/index.js CHANGED Viewed

@@ -1,5 +1,6 @@
 export { sanitizeForLogging, sanitizeJsonForLogging, maskValue, } from './sensitive-data.js';
 export { getAuthrimCode, mapSeverity, ERROR_CODE_MAP } from './error-mapping.js';
+export { fetchClientConfig } from './client-config.js';
 export { convertToPublicKeyCredentialRequestOptions, convertToPublicKeyCredentialCreationOptions, assertionResponseToJSON, attestationResponseToJSON, } from './webauthn-converters.js';
 export { success, failure, failureFromParams, toAuthError, authResultToResponse, wrapWithAuthResponse, } from './response.js';
 export { AUTH_CONTEXT_KEY, setAuthContext, getAuthContext, hasAuthContext } from './context.js';

package/package.json CHANGED Viewed

@@ -1,7 +1,7 @@
 {
   "name": "@authrim/sveltekit",
   "packageManager": "pnpm@9.15.0",
-  "version": "0.1.3",
+  "version": "0.1.5",
   "description": "SvelteKit SDK for Authrim authentication",
   "type": "module",
   "svelte": "./dist/index.js",
@@ -71,7 +71,9 @@
     "passkey",
     "webauthn",
     "social-login",
-    "session-management"
+    "session-management",
+    "sso",
+    "silent-auth"
   ],
   "author": "Authrim <info@authrim.com>",
   "license": "Apache-2.0",