@bigso/auth-sdk 0.4.5 → 0.4.7

package/dist/{index.cjs → browser/index.cjs}

@@ -17,12 +17,12 @@ var __copyProps = (to, from, except, desc) => {
 };
 var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
 
-// src/index.ts
-var index_exports = {};
-__export(index_exports, {
+// src/browser/index.ts
+var browser_exports = {};
+__export(browser_exports, {
   BigsoAuth: () => BigsoAuth
 });
-module.exports = __toCommonJS(index_exports);
+module.exports = __toCommonJS(browser_exports);
 
 // src/utils/crypto.ts
 async function sha256Base64Url(input) {
@@ -71,7 +71,7 @@ async function verifySignedPayload(token, jwksUrl, expectedAudience) {
   return payload;
 }
 
-// src/core/auth.ts
+// src/browser/auth.ts
 var BigsoAuth = class extends EventEmitter {
   constructor(options) {
     super();

package/dist/{index.d.cts → browser/index.d.cts}

@@ -1,3 +1,5 @@
+import { B as BigsoAuthOptions } from '../types-CoXgtTry.cjs';
+
 declare class EventEmitter {
     private events;
     on(event: string, handler: Function): void;
@@ -5,25 +7,6 @@ declare class EventEmitter {
     emit(event: string, data?: any): void;
 }
 
-interface BigsoAuthOptions {
-    /** Client ID registrado en el SSO */
-    clientId: string;
-    /** Origen del SSO (ej: https://sso.bigso.co) */
-    ssoOrigin: string;
-    /** URL del JWKS para verificar firmas (ej: https://sso.bigso.co/.well-known/jwks.json) */
-    jwksUrl: string;
-    /** Timeout en milisegundos (por defecto 5000) */
-    timeout?: number;
-    /** Activar logs de depuración */
-    debug?: boolean;
-    /** URI de redirección registrada (opcional, si se requiere validación exacta) */
-    redirectUri?: string;
-    /** Sugerencia de tenant (opcional) */
-    tenantHint?: string;
-    /** Tema visual del iframe ('light' | 'dark', por defecto 'light') */
-    theme?: 'light' | 'dark';
-}
-
 declare class BigsoAuth extends EventEmitter {
     private options;
     private iframe?;
@@ -63,4 +46,4 @@ declare class BigsoAuth extends EventEmitter {
     private debug;
 }
 
-export { BigsoAuth, type BigsoAuthOptions };
+export { BigsoAuth, BigsoAuthOptions };

package/dist/{index.d.ts → browser/index.d.ts}

@@ -1,3 +1,5 @@
+import { B as BigsoAuthOptions } from '../types-CoXgtTry.js';
+
 declare class EventEmitter {
     private events;
     on(event: string, handler: Function): void;
@@ -5,25 +7,6 @@ declare class EventEmitter {
     emit(event: string, data?: any): void;
 }
 
-interface BigsoAuthOptions {
-    /** Client ID registrado en el SSO */
-    clientId: string;
-    /** Origen del SSO (ej: https://sso.bigso.co) */
-    ssoOrigin: string;
-    /** URL del JWKS para verificar firmas (ej: https://sso.bigso.co/.well-known/jwks.json) */
-    jwksUrl: string;
-    /** Timeout en milisegundos (por defecto 5000) */
-    timeout?: number;
-    /** Activar logs de depuración */
-    debug?: boolean;
-    /** URI de redirección registrada (opcional, si se requiere validación exacta) */
-    redirectUri?: string;
-    /** Sugerencia de tenant (opcional) */
-    tenantHint?: string;
-    /** Tema visual del iframe ('light' | 'dark', por defecto 'light') */
-    theme?: 'light' | 'dark';
-}
-
 declare class BigsoAuth extends EventEmitter {
     private options;
     private iframe?;
@@ -63,4 +46,4 @@ declare class BigsoAuth extends EventEmitter {
     private debug;
 }
 
-export { BigsoAuth, type BigsoAuthOptions };
+export { BigsoAuth, BigsoAuthOptions };

package/dist/{index.js → browser/index.js}

@@ -1,3 +1,7 @@
+import {
+  verifySignedPayload
+} from "../chunk-LDDK6SJD.js";
+
 // src/utils/crypto.ts
 async function sha256Base64Url(input) {
   const encoder = new TextEncoder();
@@ -35,17 +39,7 @@ var EventEmitter = class {
   }
 };
 
-// src/utils/jws.ts
-import { jwtVerify, createRemoteJWKSet } from "jose";
-async function verifySignedPayload(token, jwksUrl, expectedAudience) {
-  const JWKS = createRemoteJWKSet(new URL(jwksUrl));
-  const { payload } = await jwtVerify(token, JWKS, {
-    audience: expectedAudience
-  });
-  return payload;
-}
-
-// src/core/auth.ts
+// src/browser/auth.ts
 var BigsoAuth = class extends EventEmitter {
   constructor(options) {
     super();

package/dist/chunk-LDDK6SJD.js

@@ -0,0 +1,13 @@
+// src/utils/jws.ts
+import { jwtVerify, createRemoteJWKSet } from "jose";
+async function verifySignedPayload(token, jwksUrl, expectedAudience) {
+  const JWKS = createRemoteJWKSet(new URL(jwksUrl));
+  const { payload } = await jwtVerify(token, JWKS, {
+    audience: expectedAudience
+  });
+  return payload;
+}
+
+export {
+  verifySignedPayload
+};

package/dist/express/index.cjs

@@ -0,0 +1,287 @@
+"use strict";
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+
+// src/express/index.ts
+var express_exports = {};
+__export(express_exports, {
+  createSsoAuthRouter: () => createSsoAuthRouter,
+  createSsoSyncRouter: () => createSsoSyncRouter,
+  ssoAuthMiddleware: () => ssoAuthMiddleware,
+  ssoSyncGuardMiddleware: () => ssoSyncGuardMiddleware
+});
+module.exports = __toCommonJS(express_exports);
+
+// src/express/middlewares/ssoAuth.ts
+function ssoAuthMiddleware(options) {
+  const cookieName = options.cookieName || "sso_session";
+  const isProduction = options.isProduction ?? process.env.NODE_ENV === "production";
+  return async (req, res, next) => {
+    try {
+      let sessionToken = req.cookies?.[cookieName];
+      let session = null;
+      if (sessionToken) {
+        session = await options.ssoClient.validateSessionToken(sessionToken);
+      }
+      if (!session) {
+        const refreshToken = req.cookies?.[`${cookieName}_refresh`];
+        if (refreshToken) {
+          const newSessionData = await options.ssoClient.refreshAppSession(refreshToken);
+          if (newSessionData) {
+            const sessionMaxAge = new Date(newSessionData.expiresAt).getTime() - Date.now();
+            const refreshMaxAge = newSessionData.refreshExpiresAt ? new Date(newSessionData.refreshExpiresAt).getTime() - Date.now() : 7 * 24 * 60 * 60 * 1e3;
+            const sessionCookieOptions = {
+              httpOnly: true,
+              secure: isProduction,
+              sameSite: "lax",
+              path: "/",
+              maxAge: sessionMaxAge > 0 ? sessionMaxAge : 0,
+              ...isProduction && options.cookieDomain ? { domain: options.cookieDomain } : {}
+            };
+            const refreshCookieOptions = {
+              ...sessionCookieOptions,
+              maxAge: refreshMaxAge > 0 ? refreshMaxAge : 0
+            };
+            res.cookie(cookieName, newSessionData.sessionToken, sessionCookieOptions);
+            res.cookie(`${cookieName}_refresh`, newSessionData.refreshToken, refreshCookieOptions);
+            session = await options.ssoClient.validateSessionToken(newSessionData.sessionToken);
+          }
+        }
+        if (!session) {
+          res.clearCookie(cookieName);
+          res.clearCookie(`${cookieName}_refresh`);
+          res.status(401).json({ error: "Session expired or invalid" });
+          return;
+        }
+      }
+      if (options.onSessionValidated) {
+        await options.onSessionValidated(session, req);
+      }
+      req.user = session.user;
+      req.tenant = session.tenant;
+      req.ssoSession = session;
+      next();
+    } catch (error) {
+      console.error("\u274C [BigsoAuthSDK] Authentication Middleware Error:", error instanceof Error ? error.message : error);
+      res.status(500).json({ error: "Internal authentication error" });
+    }
+  };
+}
+
+// src/express/middlewares/ssoSyncGuard.ts
+var import_dns = require("dns");
+function ssoSyncGuardMiddleware(options) {
+  const isProduction = options.isProduction ?? process.env.NODE_ENV === "production";
+  return async (req, res, next) => {
+    try {
+      const isSecure = req.secure || req.headers["x-forwarded-proto"] === "https";
+      if (!isSecure && isProduction) {
+        console.warn("\u26A0\uFE0F  [BigsoAuthSDK] Blocked non-HTTPS sync request");
+        res.status(403).json({ error: "HTTPS required" });
+        return;
+      }
+      const clientIp = req.ip || req.socket.remoteAddress || "";
+      const isLoopback = clientIp === "::1" || clientIp === "127.0.0.1" || clientIp === "::ffff:127.0.0.1";
+      if (!isProduction && isLoopback) {
+        return next();
+      }
+      const ssoUrl = new URL(options.ssoBackendUrl);
+      const ssoHostname = ssoUrl.hostname;
+      const ssoIps = await import_dns.promises.resolve4(ssoHostname).catch(() => []);
+      const cleanClientIp = clientIp.replace(/^.*:/, "");
+      const isPrivateIp = cleanClientIp.startsWith("10.") || cleanClientIp.startsWith("192.168.") || cleanClientIp.startsWith("172.") && parseInt(cleanClientIp.split(".")[1], 10) >= 16 && parseInt(cleanClientIp.split(".")[1], 10) <= 31;
+      if (!ssoIps.includes(cleanClientIp) && !isPrivateIp) {
+        console.warn(`\u26D4\uFE0F [BigsoAuthSDK] Blocked sync request from unauthorized IP: ${clientIp}`);
+        res.status(403).json({ error: "Unauthorized origin" });
+        return;
+      }
+      next();
+    } catch (error) {
+      console.error("\u274C [BigsoAuthSDK] Sync Guard Validation Error:", error instanceof Error ? error.message : error);
+      res.status(500).json({ error: "Security validation failed" });
+    }
+  };
+}
+
+// src/express/routes/createSsoAuthRouter.ts
+var import_express = require("express");
+function createSsoAuthRouter(options) {
+  const router = (0, import_express.Router)();
+  const cookieName = options.cookieName || "sso_session";
+  const isProduction = options.isProduction ?? process.env.NODE_ENV === "production";
+  const getCookieOptions = (customOptions = {}) => {
+    const base = {
+      httpOnly: true,
+      secure: isProduction,
+      sameSite: "lax",
+      path: "/",
+      ...customOptions
+    };
+    if (isProduction && options.cookieDomain) {
+      base.domain = options.cookieDomain;
+    }
+    return base;
+  };
+  router.post("/exchange", async (req, res) => {
+    try {
+      const { code } = req.body;
+      if (!code) {
+        res.status(400).json({ error: "Authorization code is required" });
+        return;
+      }
+      const ssoResponse = await options.ssoClient.exchangeCodeForToken(code);
+      if (!ssoResponse.success) {
+        res.status(401).json({ error: "Invalid authorization code" });
+        return;
+      }
+      const sessionMaxAge = new Date(ssoResponse.expiresAt).getTime() - Date.now();
+      const refreshMaxAge = ssoResponse.refreshExpiresAt ? new Date(ssoResponse.refreshExpiresAt).getTime() - Date.now() : 7 * 24 * 60 * 60 * 1e3;
+      const sessionCookieOptions = getCookieOptions({
+        maxAge: sessionMaxAge > 0 ? sessionMaxAge : 0
+      });
+      const refreshCookieOptions = getCookieOptions({
+        maxAge: refreshMaxAge > 0 ? refreshMaxAge : 0
+      });
+      res.cookie(cookieName, ssoResponse.sessionToken, sessionCookieOptions);
+      if (ssoResponse.refreshToken) {
+        res.cookie(`${cookieName}_refresh`, ssoResponse.refreshToken, refreshCookieOptions);
+      }
+      if (options.onLoginSuccess) {
+        await options.onLoginSuccess(ssoResponse);
+      }
+      res.json({
+        success: true,
+        user: ssoResponse.user,
+        tenant: ssoResponse.tenant,
+        expiresAt: ssoResponse.expiresAt
+      });
+    } catch (error) {
+      console.error("\u274C [BigsoAuthSDK] Error exchanging code:", error.message);
+      res.status(500).json({
+        error: error.message || "Failed to exchange authorization code"
+      });
+    }
+  });
+  router.post("/exchange-v2", async (req, res) => {
+    try {
+      const { payload } = req.body;
+      if (!payload) {
+        res.status(400).json({ error: "Signed payload is required" });
+        return;
+      }
+      const verified = await options.ssoClient.verifySignedPayload(payload, options.frontendUrl);
+      if (!verified.code) {
+        res.status(400).json({ error: "No authorization code found in payload" });
+        return;
+      }
+      const ssoResponse = await options.ssoClient.exchangeCodeForToken(verified.code);
+      if (!ssoResponse.success) {
+        res.status(401).json({ error: "Invalid authorization code" });
+        return;
+      }
+      const sessionMaxAge = new Date(ssoResponse.expiresAt).getTime() - Date.now();
+      const refreshMaxAge = ssoResponse.refreshExpiresAt ? new Date(ssoResponse.refreshExpiresAt).getTime() - Date.now() : 7 * 24 * 60 * 60 * 1e3;
+      const sessionCookieOptions = getCookieOptions({
+        maxAge: sessionMaxAge > 0 ? sessionMaxAge : 0
+      });
+      const refreshCookieOptions = getCookieOptions({
+        maxAge: refreshMaxAge > 0 ? refreshMaxAge : 0
+      });
+      res.cookie(cookieName, ssoResponse.sessionToken, sessionCookieOptions);
+      if (ssoResponse.refreshToken) {
+        res.cookie(`${cookieName}_refresh`, ssoResponse.refreshToken, refreshCookieOptions);
+      }
+      if (options.onLoginSuccess) {
+        await options.onLoginSuccess(ssoResponse);
+      }
+      res.json({
+        success: true,
+        user: ssoResponse.user,
+        tenant: ssoResponse.tenant,
+        expiresAt: ssoResponse.expiresAt
+      });
+    } catch (error) {
+      console.error("\u274C [BigsoAuthSDK] Error exchanging v2 payload:", error.message);
+      res.status(401).json({
+        error: error.message || "Failed to verify signed payload"
+      });
+    }
+  });
+  router.get("/session", ssoAuthMiddleware(options), (req, res) => {
+    res.set("Cache-Control", "no-store, no-cache, must-revalidate, private");
+    res.set("Pragma", "no-cache");
+    res.set("Expires", "0");
+    res.json({
+      success: true,
+      user: req.user,
+      tenant: req.tenant,
+      expiresAt: req.ssoSession?.expiresAt
+    });
+  });
+  router.post("/logout", async (req, res) => {
+    const sessionToken = req.cookies?.[cookieName];
+    if (sessionToken) {
+      try {
+        await options.ssoClient.revokeSession(sessionToken);
+      } catch (error) {
+        console.warn("\u26A0\uFE0F [BigsoAuthSDK] Failed to revoke session in SSO Backend. Clearing local anyway.", error.message);
+      }
+    }
+    const cookieOptions = getCookieOptions({ maxAge: 0 });
+    res.clearCookie(cookieName, cookieOptions);
+    res.clearCookie(`${cookieName}_refresh`, cookieOptions);
+    if (options.onLogout && sessionToken) {
+      await options.onLogout(sessionToken);
+    }
+    res.json({ success: true, message: "Logged out" });
+  });
+  return router;
+}
+
+// src/express/routes/createSsoSyncRouter.ts
+var import_express2 = require("express");
+function createSsoSyncRouter(options) {
+  const router = (0, import_express2.Router)();
+  router.get("/resources", ssoSyncGuardMiddleware({
+    ssoBackendUrl: options.ssoBackendUrl,
+    isProduction: options.isProduction
+  }), (req, res) => {
+    try {
+      res.json({
+        success: true,
+        resources: options.resources,
+        meta: {
+          appId: options.appId,
+          count: options.resources.length,
+          timestamp: (/* @__PURE__ */ new Date()).toISOString()
+        }
+      });
+    } catch (error) {
+      console.error("\u274C [BigsoAuthSDK] Error in sync endpoint:", error.message);
+      res.status(500).json({ error: error.message });
+    }
+  });
+  return router;
+}
+// Annotate the CommonJS export names for ESM import in node:
+0 && (module.exports = {
+  createSsoAuthRouter,
+  createSsoSyncRouter,
+  ssoAuthMiddleware,
+  ssoSyncGuardMiddleware
+});

package/dist/express/index.d.cts

@@ -0,0 +1,48 @@
+import { Request, Response, NextFunction, Router } from 'express';
+import { BigsoSsoClient } from '../node/index.cjs';
+import { S as SsoSessionData } from '../types-CoXgtTry.cjs';
+
+interface SsoAuthMiddlewareOptions {
+    ssoClient: BigsoSsoClient;
+    cookieName?: string;
+    cookieDomain?: string;
+    isProduction?: boolean;
+    onSessionValidated?: (session: SsoSessionData, req: Request) => Promise<void> | void;
+}
+declare global {
+    namespace Express {
+        interface Request {
+            user?: SsoSessionData['user'];
+            tenant?: SsoSessionData['tenant'];
+            ssoSession?: SsoSessionData;
+        }
+    }
+}
+declare function ssoAuthMiddleware(options: SsoAuthMiddlewareOptions): (req: Request, res: Response, next: NextFunction) => Promise<void>;
+
+interface SsoSyncGuardOptions {
+    ssoBackendUrl: string;
+    isProduction?: boolean;
+}
+declare function ssoSyncGuardMiddleware(options: SsoSyncGuardOptions): (req: Request, res: Response, next: NextFunction) => Promise<void>;
+
+interface CreateSsoAuthRouterOptions {
+    ssoClient: BigsoSsoClient;
+    frontendUrl: string;
+    cookieName?: string;
+    cookieDomain?: string;
+    isProduction?: boolean;
+    onLoginSuccess?: (session: SsoSessionData) => void | Promise<void>;
+    onLogout?: (sessionToken: string) => void | Promise<void>;
+}
+declare function createSsoAuthRouter(options: CreateSsoAuthRouterOptions): Router;
+
+interface SsoSyncRouterOptions {
+    resources: any[];
+    appId: string;
+    ssoBackendUrl: string;
+    isProduction?: boolean;
+}
+declare function createSsoSyncRouter(options: SsoSyncRouterOptions): Router;
+
+export { type CreateSsoAuthRouterOptions, type SsoAuthMiddlewareOptions, type SsoSyncGuardOptions, type SsoSyncRouterOptions, createSsoAuthRouter, createSsoSyncRouter, ssoAuthMiddleware, ssoSyncGuardMiddleware };

package/dist/express/index.d.ts

@@ -0,0 +1,48 @@
+import { Request, Response, NextFunction, Router } from 'express';
+import { BigsoSsoClient } from '../node/index.js';
+import { S as SsoSessionData } from '../types-CoXgtTry.js';
+
+interface SsoAuthMiddlewareOptions {
+    ssoClient: BigsoSsoClient;
+    cookieName?: string;
+    cookieDomain?: string;
+    isProduction?: boolean;
+    onSessionValidated?: (session: SsoSessionData, req: Request) => Promise<void> | void;
+}
+declare global {
+    namespace Express {
+        interface Request {
+            user?: SsoSessionData['user'];
+            tenant?: SsoSessionData['tenant'];
+            ssoSession?: SsoSessionData;
+        }
+    }
+}
+declare function ssoAuthMiddleware(options: SsoAuthMiddlewareOptions): (req: Request, res: Response, next: NextFunction) => Promise<void>;
+
+interface SsoSyncGuardOptions {
+    ssoBackendUrl: string;
+    isProduction?: boolean;
+}
+declare function ssoSyncGuardMiddleware(options: SsoSyncGuardOptions): (req: Request, res: Response, next: NextFunction) => Promise<void>;
+
+interface CreateSsoAuthRouterOptions {
+    ssoClient: BigsoSsoClient;
+    frontendUrl: string;
+    cookieName?: string;
+    cookieDomain?: string;
+    isProduction?: boolean;
+    onLoginSuccess?: (session: SsoSessionData) => void | Promise<void>;
+    onLogout?: (sessionToken: string) => void | Promise<void>;
+}
+declare function createSsoAuthRouter(options: CreateSsoAuthRouterOptions): Router;
+
+interface SsoSyncRouterOptions {
+    resources: any[];
+    appId: string;
+    ssoBackendUrl: string;
+    isProduction?: boolean;
+}
+declare function createSsoSyncRouter(options: SsoSyncRouterOptions): Router;
+
+export { type CreateSsoAuthRouterOptions, type SsoAuthMiddlewareOptions, type SsoSyncGuardOptions, type SsoSyncRouterOptions, createSsoAuthRouter, createSsoSyncRouter, ssoAuthMiddleware, ssoSyncGuardMiddleware };

package/dist/express/index.js

@@ -0,0 +1,257 @@
+// src/express/middlewares/ssoAuth.ts
+function ssoAuthMiddleware(options) {
+  const cookieName = options.cookieName || "sso_session";
+  const isProduction = options.isProduction ?? process.env.NODE_ENV === "production";
+  return async (req, res, next) => {
+    try {
+      let sessionToken = req.cookies?.[cookieName];
+      let session = null;
+      if (sessionToken) {
+        session = await options.ssoClient.validateSessionToken(sessionToken);
+      }
+      if (!session) {
+        const refreshToken = req.cookies?.[`${cookieName}_refresh`];
+        if (refreshToken) {
+          const newSessionData = await options.ssoClient.refreshAppSession(refreshToken);
+          if (newSessionData) {
+            const sessionMaxAge = new Date(newSessionData.expiresAt).getTime() - Date.now();
+            const refreshMaxAge = newSessionData.refreshExpiresAt ? new Date(newSessionData.refreshExpiresAt).getTime() - Date.now() : 7 * 24 * 60 * 60 * 1e3;
+            const sessionCookieOptions = {
+              httpOnly: true,
+              secure: isProduction,
+              sameSite: "lax",
+              path: "/",
+              maxAge: sessionMaxAge > 0 ? sessionMaxAge : 0,
+              ...isProduction && options.cookieDomain ? { domain: options.cookieDomain } : {}
+            };
+            const refreshCookieOptions = {
+              ...sessionCookieOptions,
+              maxAge: refreshMaxAge > 0 ? refreshMaxAge : 0
+            };
+            res.cookie(cookieName, newSessionData.sessionToken, sessionCookieOptions);
+            res.cookie(`${cookieName}_refresh`, newSessionData.refreshToken, refreshCookieOptions);
+            session = await options.ssoClient.validateSessionToken(newSessionData.sessionToken);
+          }
+        }
+        if (!session) {
+          res.clearCookie(cookieName);
+          res.clearCookie(`${cookieName}_refresh`);
+          res.status(401).json({ error: "Session expired or invalid" });
+          return;
+        }
+      }
+      if (options.onSessionValidated) {
+        await options.onSessionValidated(session, req);
+      }
+      req.user = session.user;
+      req.tenant = session.tenant;
+      req.ssoSession = session;
+      next();
+    } catch (error) {
+      console.error("\u274C [BigsoAuthSDK] Authentication Middleware Error:", error instanceof Error ? error.message : error);
+      res.status(500).json({ error: "Internal authentication error" });
+    }
+  };
+}
+
+// src/express/middlewares/ssoSyncGuard.ts
+import { promises as dns } from "dns";
+function ssoSyncGuardMiddleware(options) {
+  const isProduction = options.isProduction ?? process.env.NODE_ENV === "production";
+  return async (req, res, next) => {
+    try {
+      const isSecure = req.secure || req.headers["x-forwarded-proto"] === "https";
+      if (!isSecure && isProduction) {
+        console.warn("\u26A0\uFE0F  [BigsoAuthSDK] Blocked non-HTTPS sync request");
+        res.status(403).json({ error: "HTTPS required" });
+        return;
+      }
+      const clientIp = req.ip || req.socket.remoteAddress || "";
+      const isLoopback = clientIp === "::1" || clientIp === "127.0.0.1" || clientIp === "::ffff:127.0.0.1";
+      if (!isProduction && isLoopback) {
+        return next();
+      }
+      const ssoUrl = new URL(options.ssoBackendUrl);
+      const ssoHostname = ssoUrl.hostname;
+      const ssoIps = await dns.resolve4(ssoHostname).catch(() => []);
+      const cleanClientIp = clientIp.replace(/^.*:/, "");
+      const isPrivateIp = cleanClientIp.startsWith("10.") || cleanClientIp.startsWith("192.168.") || cleanClientIp.startsWith("172.") && parseInt(cleanClientIp.split(".")[1], 10) >= 16 && parseInt(cleanClientIp.split(".")[1], 10) <= 31;
+      if (!ssoIps.includes(cleanClientIp) && !isPrivateIp) {
+        console.warn(`\u26D4\uFE0F [BigsoAuthSDK] Blocked sync request from unauthorized IP: ${clientIp}`);
+        res.status(403).json({ error: "Unauthorized origin" });
+        return;
+      }
+      next();
+    } catch (error) {
+      console.error("\u274C [BigsoAuthSDK] Sync Guard Validation Error:", error instanceof Error ? error.message : error);
+      res.status(500).json({ error: "Security validation failed" });
+    }
+  };
+}
+
+// src/express/routes/createSsoAuthRouter.ts
+import { Router } from "express";
+function createSsoAuthRouter(options) {
+  const router = Router();
+  const cookieName = options.cookieName || "sso_session";
+  const isProduction = options.isProduction ?? process.env.NODE_ENV === "production";
+  const getCookieOptions = (customOptions = {}) => {
+    const base = {
+      httpOnly: true,
+      secure: isProduction,
+      sameSite: "lax",
+      path: "/",
+      ...customOptions
+    };
+    if (isProduction && options.cookieDomain) {
+      base.domain = options.cookieDomain;
+    }
+    return base;
+  };
+  router.post("/exchange", async (req, res) => {
+    try {
+      const { code } = req.body;
+      if (!code) {
+        res.status(400).json({ error: "Authorization code is required" });
+        return;
+      }
+      const ssoResponse = await options.ssoClient.exchangeCodeForToken(code);
+      if (!ssoResponse.success) {
+        res.status(401).json({ error: "Invalid authorization code" });
+        return;
+      }
+      const sessionMaxAge = new Date(ssoResponse.expiresAt).getTime() - Date.now();
+      const refreshMaxAge = ssoResponse.refreshExpiresAt ? new Date(ssoResponse.refreshExpiresAt).getTime() - Date.now() : 7 * 24 * 60 * 60 * 1e3;
+      const sessionCookieOptions = getCookieOptions({
+        maxAge: sessionMaxAge > 0 ? sessionMaxAge : 0
+      });
+      const refreshCookieOptions = getCookieOptions({
+        maxAge: refreshMaxAge > 0 ? refreshMaxAge : 0
+      });
+      res.cookie(cookieName, ssoResponse.sessionToken, sessionCookieOptions);
+      if (ssoResponse.refreshToken) {
+        res.cookie(`${cookieName}_refresh`, ssoResponse.refreshToken, refreshCookieOptions);
+      }
+      if (options.onLoginSuccess) {
+        await options.onLoginSuccess(ssoResponse);
+      }
+      res.json({
+        success: true,
+        user: ssoResponse.user,
+        tenant: ssoResponse.tenant,
+        expiresAt: ssoResponse.expiresAt
+      });
+    } catch (error) {
+      console.error("\u274C [BigsoAuthSDK] Error exchanging code:", error.message);
+      res.status(500).json({
+        error: error.message || "Failed to exchange authorization code"
+      });
+    }
+  });
+  router.post("/exchange-v2", async (req, res) => {
+    try {
+      const { payload } = req.body;
+      if (!payload) {
+        res.status(400).json({ error: "Signed payload is required" });
+        return;
+      }
+      const verified = await options.ssoClient.verifySignedPayload(payload, options.frontendUrl);
+      if (!verified.code) {
+        res.status(400).json({ error: "No authorization code found in payload" });
+        return;
+      }
+      const ssoResponse = await options.ssoClient.exchangeCodeForToken(verified.code);
+      if (!ssoResponse.success) {
+        res.status(401).json({ error: "Invalid authorization code" });
+        return;
+      }
+      const sessionMaxAge = new Date(ssoResponse.expiresAt).getTime() - Date.now();
+      const refreshMaxAge = ssoResponse.refreshExpiresAt ? new Date(ssoResponse.refreshExpiresAt).getTime() - Date.now() : 7 * 24 * 60 * 60 * 1e3;
+      const sessionCookieOptions = getCookieOptions({
+        maxAge: sessionMaxAge > 0 ? sessionMaxAge : 0
+      });
+      const refreshCookieOptions = getCookieOptions({
+        maxAge: refreshMaxAge > 0 ? refreshMaxAge : 0
+      });
+      res.cookie(cookieName, ssoResponse.sessionToken, sessionCookieOptions);
+      if (ssoResponse.refreshToken) {
+        res.cookie(`${cookieName}_refresh`, ssoResponse.refreshToken, refreshCookieOptions);
+      }
+      if (options.onLoginSuccess) {
+        await options.onLoginSuccess(ssoResponse);
+      }
+      res.json({
+        success: true,
+        user: ssoResponse.user,
+        tenant: ssoResponse.tenant,
+        expiresAt: ssoResponse.expiresAt
+      });
+    } catch (error) {
+      console.error("\u274C [BigsoAuthSDK] Error exchanging v2 payload:", error.message);
+      res.status(401).json({
+        error: error.message || "Failed to verify signed payload"
+      });
+    }
+  });
+  router.get("/session", ssoAuthMiddleware(options), (req, res) => {
+    res.set("Cache-Control", "no-store, no-cache, must-revalidate, private");
+    res.set("Pragma", "no-cache");
+    res.set("Expires", "0");
+    res.json({
+      success: true,
+      user: req.user,
+      tenant: req.tenant,
+      expiresAt: req.ssoSession?.expiresAt
+    });
+  });
+  router.post("/logout", async (req, res) => {
+    const sessionToken = req.cookies?.[cookieName];
+    if (sessionToken) {
+      try {
+        await options.ssoClient.revokeSession(sessionToken);
+      } catch (error) {
+        console.warn("\u26A0\uFE0F [BigsoAuthSDK] Failed to revoke session in SSO Backend. Clearing local anyway.", error.message);
+      }
+    }
+    const cookieOptions = getCookieOptions({ maxAge: 0 });
+    res.clearCookie(cookieName, cookieOptions);
+    res.clearCookie(`${cookieName}_refresh`, cookieOptions);
+    if (options.onLogout && sessionToken) {
+      await options.onLogout(sessionToken);
+    }
+    res.json({ success: true, message: "Logged out" });
+  });
+  return router;
+}
+
+// src/express/routes/createSsoSyncRouter.ts
+import { Router as Router2 } from "express";
+function createSsoSyncRouter(options) {
+  const router = Router2();
+  router.get("/resources", ssoSyncGuardMiddleware({
+    ssoBackendUrl: options.ssoBackendUrl,
+    isProduction: options.isProduction
+  }), (req, res) => {
+    try {
+      res.json({
+        success: true,
+        resources: options.resources,
+        meta: {
+          appId: options.appId,
+          count: options.resources.length,
+          timestamp: (/* @__PURE__ */ new Date()).toISOString()
+        }
+      });
+    } catch (error) {
+      console.error("\u274C [BigsoAuthSDK] Error in sync endpoint:", error.message);
+      res.status(500).json({ error: error.message });
+    }
+  });
+  return router;
+}
+export {
+  createSsoAuthRouter,
+  createSsoSyncRouter,
+  ssoAuthMiddleware,
+  ssoSyncGuardMiddleware
+};

package/dist/node/index.cjs

@@ -0,0 +1,170 @@
+"use strict";
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+
+// src/node/index.ts
+var node_exports = {};
+__export(node_exports, {
+  BigsoSsoClient: () => BigsoSsoClient
+});
+module.exports = __toCommonJS(node_exports);
+
+// src/utils/jws.ts
+var import_jose = require("jose");
+async function verifySignedPayload(token, jwksUrl, expectedAudience) {
+  const JWKS = (0, import_jose.createRemoteJWKSet)(new URL(jwksUrl));
+  const { payload } = await (0, import_jose.jwtVerify)(token, JWKS, {
+    audience: expectedAudience
+  });
+  return payload;
+}
+
+// src/node/SsoClient.ts
+var BigsoSsoClient = class {
+  constructor(options) {
+    this.ssoBackendUrl = options.ssoBackendUrl;
+    this.appId = options.appId;
+    this.ssoJwksUrl = options.ssoJwksUrl;
+  }
+  /**
+   * Verify a signed payload (JWS) against the SSO's JWKS
+   * @param token - The compact JWS token
+   * @param expectedAudience - The expected audience (app origin)
+   * @returns The verified payload
+   */
+  async verifySignedPayload(token, expectedAudience) {
+    if (!this.ssoJwksUrl) {
+      throw new Error("ssoJwksUrl is required for verifySignedPayload");
+    }
+    return await verifySignedPayload(token, this.ssoJwksUrl, expectedAudience);
+  }
+  /**
+   * Validate session token with SSO Backend
+   * @param sessionToken - JWT token from cookie
+   * @returns Session data or null if invalid
+   */
+  async validateSessionToken(sessionToken) {
+    try {
+      const response = await fetch(`${this.ssoBackendUrl}/api/v1/auth/verify-session`, {
+        method: "POST",
+        headers: {
+          "Content-Type": "application/json"
+        },
+        body: JSON.stringify({
+          sessionToken,
+          appId: this.appId
+        })
+        // Node 18+ allows abort signals to enforce timeout, but we will rely on native fetch timeout if available or no timeout for simplicity.
+        // In production, we might want to implement an AbortController wrapper.
+      });
+      if (!response.ok) {
+        return null;
+      }
+      const data = await response.json();
+      if (data.valid) {
+        return {
+          user: data.user,
+          tenant: data.tenant,
+          appId: data.appId,
+          expiresAt: data.expiresAt
+        };
+      }
+      return null;
+    } catch (error) {
+      console.error("\u274C [BigsoSsoClient] Error validating session:", error instanceof Error ? error.message : error);
+      return null;
+    }
+  }
+  /**
+   * Exchange authorization code for session token from SSO
+   * @param code - The auth code
+   * @returns The SSO exchange response
+   */
+  async exchangeCodeForToken(code) {
+    const response = await fetch(`${this.ssoBackendUrl}/api/v1/auth/token`, {
+      method: "POST",
+      headers: {
+        "Content-Type": "application/json"
+      },
+      body: JSON.stringify({
+        authCode: code,
+        appId: this.appId
+      })
+    });
+    if (!response.ok) {
+      const errData = await response.json().catch(() => ({}));
+      throw new Error(errData.message || "Failed to exchange token");
+    }
+    return await response.json();
+  }
+  /**
+   * Revoke session in SSO backend
+   * @param sessionToken - The active session token
+   */
+  async revokeSession(sessionToken) {
+    const response = await fetch(`${this.ssoBackendUrl}/api/v1/session/revoke`, {
+      method: "POST",
+      headers: {
+        "Content-Type": "application/json",
+        "Authorization": `Bearer ${sessionToken}`
+      }
+    });
+    if (!response.ok) {
+      throw new Error("Failed to revoke session");
+    }
+  }
+  /**
+   * Refreshes the application session using a refresh token
+   * @param refreshToken - The stored refresh token
+   * @returns The new session tokens or null if failed
+   */
+  async refreshAppSession(refreshToken) {
+    try {
+      const response = await fetch(`${this.ssoBackendUrl}/api/v1/auth/app-refresh`, {
+        method: "POST",
+        headers: {
+          "Content-Type": "application/json"
+        },
+        body: JSON.stringify({
+          refreshToken,
+          appId: this.appId
+        })
+      });
+      if (!response.ok) {
+        return null;
+      }
+      const data = await response.json();
+      if (data.success) {
+        return {
+          sessionToken: data.sessionToken,
+          refreshToken: data.refreshToken,
+          expiresAt: data.expiresAt,
+          refreshExpiresAt: data.refreshExpiresAt
+        };
+      }
+      return null;
+    } catch (error) {
+      console.error("\u274C [BigsoSsoClient] Error refreshing app session:", error instanceof Error ? error.message : error);
+      return null;
+    }
+  }
+};
+// Annotate the CommonJS export names for ESM import in node:
+0 && (module.exports = {
+  BigsoSsoClient
+});

package/dist/node/index.d.cts

@@ -0,0 +1,45 @@
+import { S as SsoSessionData, a as SsoExchangeResponse, b as SsoRefreshData } from '../types-CoXgtTry.cjs';
+
+interface SsoClientOptions {
+    ssoBackendUrl: string;
+    ssoJwksUrl?: string;
+    appId: string;
+}
+declare class BigsoSsoClient {
+    private ssoBackendUrl;
+    private appId;
+    private ssoJwksUrl?;
+    constructor(options: SsoClientOptions);
+    /**
+     * Verify a signed payload (JWS) against the SSO's JWKS
+     * @param token - The compact JWS token
+     * @param expectedAudience - The expected audience (app origin)
+     * @returns The verified payload
+     */
+    verifySignedPayload(token: string, expectedAudience: string): Promise<any>;
+    /**
+     * Validate session token with SSO Backend
+     * @param sessionToken - JWT token from cookie
+     * @returns Session data or null if invalid
+     */
+    validateSessionToken(sessionToken: string): Promise<SsoSessionData | null>;
+    /**
+     * Exchange authorization code for session token from SSO
+     * @param code - The auth code
+     * @returns The SSO exchange response
+     */
+    exchangeCodeForToken(code: string): Promise<SsoExchangeResponse>;
+    /**
+     * Revoke session in SSO backend
+     * @param sessionToken - The active session token
+     */
+    revokeSession(sessionToken: string): Promise<void>;
+    /**
+     * Refreshes the application session using a refresh token
+     * @param refreshToken - The stored refresh token
+     * @returns The new session tokens or null if failed
+     */
+    refreshAppSession(refreshToken: string): Promise<SsoRefreshData | null>;
+}
+
+export { BigsoSsoClient, type SsoClientOptions };

package/dist/node/index.d.ts

@@ -0,0 +1,45 @@
+import { S as SsoSessionData, a as SsoExchangeResponse, b as SsoRefreshData } from '../types-CoXgtTry.js';
+
+interface SsoClientOptions {
+    ssoBackendUrl: string;
+    ssoJwksUrl?: string;
+    appId: string;
+}
+declare class BigsoSsoClient {
+    private ssoBackendUrl;
+    private appId;
+    private ssoJwksUrl?;
+    constructor(options: SsoClientOptions);
+    /**
+     * Verify a signed payload (JWS) against the SSO's JWKS
+     * @param token - The compact JWS token
+     * @param expectedAudience - The expected audience (app origin)
+     * @returns The verified payload
+     */
+    verifySignedPayload(token: string, expectedAudience: string): Promise<any>;
+    /**
+     * Validate session token with SSO Backend
+     * @param sessionToken - JWT token from cookie
+     * @returns Session data or null if invalid
+     */
+    validateSessionToken(sessionToken: string): Promise<SsoSessionData | null>;
+    /**
+     * Exchange authorization code for session token from SSO
+     * @param code - The auth code
+     * @returns The SSO exchange response
+     */
+    exchangeCodeForToken(code: string): Promise<SsoExchangeResponse>;
+    /**
+     * Revoke session in SSO backend
+     * @param sessionToken - The active session token
+     */
+    revokeSession(sessionToken: string): Promise<void>;
+    /**
+     * Refreshes the application session using a refresh token
+     * @param refreshToken - The stored refresh token
+     * @returns The new session tokens or null if failed
+     */
+    refreshAppSession(refreshToken: string): Promise<SsoRefreshData | null>;
+}
+
+export { BigsoSsoClient, type SsoClientOptions };

package/dist/node/index.js

@@ -0,0 +1,137 @@
+import {
+  verifySignedPayload
+} from "../chunk-LDDK6SJD.js";
+
+// src/node/SsoClient.ts
+var BigsoSsoClient = class {
+  constructor(options) {
+    this.ssoBackendUrl = options.ssoBackendUrl;
+    this.appId = options.appId;
+    this.ssoJwksUrl = options.ssoJwksUrl;
+  }
+  /**
+   * Verify a signed payload (JWS) against the SSO's JWKS
+   * @param token - The compact JWS token
+   * @param expectedAudience - The expected audience (app origin)
+   * @returns The verified payload
+   */
+  async verifySignedPayload(token, expectedAudience) {
+    if (!this.ssoJwksUrl) {
+      throw new Error("ssoJwksUrl is required for verifySignedPayload");
+    }
+    return await verifySignedPayload(token, this.ssoJwksUrl, expectedAudience);
+  }
+  /**
+   * Validate session token with SSO Backend
+   * @param sessionToken - JWT token from cookie
+   * @returns Session data or null if invalid
+   */
+  async validateSessionToken(sessionToken) {
+    try {
+      const response = await fetch(`${this.ssoBackendUrl}/api/v1/auth/verify-session`, {
+        method: "POST",
+        headers: {
+          "Content-Type": "application/json"
+        },
+        body: JSON.stringify({
+          sessionToken,
+          appId: this.appId
+        })
+        // Node 18+ allows abort signals to enforce timeout, but we will rely on native fetch timeout if available or no timeout for simplicity.
+        // In production, we might want to implement an AbortController wrapper.
+      });
+      if (!response.ok) {
+        return null;
+      }
+      const data = await response.json();
+      if (data.valid) {
+        return {
+          user: data.user,
+          tenant: data.tenant,
+          appId: data.appId,
+          expiresAt: data.expiresAt
+        };
+      }
+      return null;
+    } catch (error) {
+      console.error("\u274C [BigsoSsoClient] Error validating session:", error instanceof Error ? error.message : error);
+      return null;
+    }
+  }
+  /**
+   * Exchange authorization code for session token from SSO
+   * @param code - The auth code
+   * @returns The SSO exchange response
+   */
+  async exchangeCodeForToken(code) {
+    const response = await fetch(`${this.ssoBackendUrl}/api/v1/auth/token`, {
+      method: "POST",
+      headers: {
+        "Content-Type": "application/json"
+      },
+      body: JSON.stringify({
+        authCode: code,
+        appId: this.appId
+      })
+    });
+    if (!response.ok) {
+      const errData = await response.json().catch(() => ({}));
+      throw new Error(errData.message || "Failed to exchange token");
+    }
+    return await response.json();
+  }
+  /**
+   * Revoke session in SSO backend
+   * @param sessionToken - The active session token
+   */
+  async revokeSession(sessionToken) {
+    const response = await fetch(`${this.ssoBackendUrl}/api/v1/session/revoke`, {
+      method: "POST",
+      headers: {
+        "Content-Type": "application/json",
+        "Authorization": `Bearer ${sessionToken}`
+      }
+    });
+    if (!response.ok) {
+      throw new Error("Failed to revoke session");
+    }
+  }
+  /**
+   * Refreshes the application session using a refresh token
+   * @param refreshToken - The stored refresh token
+   * @returns The new session tokens or null if failed
+   */
+  async refreshAppSession(refreshToken) {
+    try {
+      const response = await fetch(`${this.ssoBackendUrl}/api/v1/auth/app-refresh`, {
+        method: "POST",
+        headers: {
+          "Content-Type": "application/json"
+        },
+        body: JSON.stringify({
+          refreshToken,
+          appId: this.appId
+        })
+      });
+      if (!response.ok) {
+        return null;
+      }
+      const data = await response.json();
+      if (data.success) {
+        return {
+          sessionToken: data.sessionToken,
+          refreshToken: data.refreshToken,
+          expiresAt: data.expiresAt,
+          refreshExpiresAt: data.refreshExpiresAt
+        };
+      }
+      return null;
+    } catch (error) {
+      console.error("\u274C [BigsoSsoClient] Error refreshing app session:", error instanceof Error ? error.message : error);
+      return null;
+    }
+  }
+};
+export {
+  BigsoSsoClient
+};

package/dist/types-CoXgtTry.d.cts

@@ -0,0 +1,51 @@
+interface BigsoAuthOptions {
+    /** Client ID registrado en el SSO */
+    clientId: string;
+    /** Origen del SSO (ej: https://sso.bigso.co) */
+    ssoOrigin: string;
+    /** URL del JWKS para verificar firmas (ej: https://sso.bigso.co/.well-known/jwks.json) */
+    jwksUrl: string;
+    /** Timeout en milisegundos (por defecto 5000) */
+    timeout?: number;
+    /** Activar logs de depuración */
+    debug?: boolean;
+    /** URI de redirección registrada (opcional, si se requiere validación exacta) */
+    redirectUri?: string;
+    /** Sugerencia de tenant (opcional) */
+    tenantHint?: string;
+    /** Tema visual del iframe ('light' | 'dark', por defecto 'light') */
+    theme?: 'light' | 'dark';
+}
+interface SsoUser {
+    userId: string;
+    email: string;
+    firstName: string;
+    lastName: string;
+}
+interface SsoTenant {
+    tenantId: string;
+    name: string;
+    slug: string;
+    role: string;
+    permissions: string[];
+}
+interface SsoSessionData {
+    user: SsoUser;
+    tenant: SsoTenant;
+    appId: string;
+    expiresAt: string;
+}
+interface SsoRefreshData {
+    sessionToken: string;
+    refreshToken: string;
+    expiresAt: string;
+    refreshExpiresAt: string;
+}
+interface SsoExchangeResponse extends SsoSessionData {
+    success: boolean;
+    sessionToken: string;
+    refreshToken?: string;
+    refreshExpiresAt?: string;
+}
+
+export type { BigsoAuthOptions as B, SsoSessionData as S, SsoExchangeResponse as a, SsoRefreshData as b };

package/dist/types-CoXgtTry.d.ts

@@ -0,0 +1,51 @@
+interface BigsoAuthOptions {
+    /** Client ID registrado en el SSO */
+    clientId: string;
+    /** Origen del SSO (ej: https://sso.bigso.co) */
+    ssoOrigin: string;
+    /** URL del JWKS para verificar firmas (ej: https://sso.bigso.co/.well-known/jwks.json) */
+    jwksUrl: string;
+    /** Timeout en milisegundos (por defecto 5000) */
+    timeout?: number;
+    /** Activar logs de depuración */
+    debug?: boolean;
+    /** URI de redirección registrada (opcional, si se requiere validación exacta) */
+    redirectUri?: string;
+    /** Sugerencia de tenant (opcional) */
+    tenantHint?: string;
+    /** Tema visual del iframe ('light' | 'dark', por defecto 'light') */
+    theme?: 'light' | 'dark';
+}
+interface SsoUser {
+    userId: string;
+    email: string;
+    firstName: string;
+    lastName: string;
+}
+interface SsoTenant {
+    tenantId: string;
+    name: string;
+    slug: string;
+    role: string;
+    permissions: string[];
+}
+interface SsoSessionData {
+    user: SsoUser;
+    tenant: SsoTenant;
+    appId: string;
+    expiresAt: string;
+}
+interface SsoRefreshData {
+    sessionToken: string;
+    refreshToken: string;
+    expiresAt: string;
+    refreshExpiresAt: string;
+}
+interface SsoExchangeResponse extends SsoSessionData {
+    success: boolean;
+    sessionToken: string;
+    refreshToken?: string;
+    refreshExpiresAt?: string;
+}
+
+export type { BigsoAuthOptions as B, SsoSessionData as S, SsoExchangeResponse as a, SsoRefreshData as b };

package/package.json

@@ -1,20 +1,43 @@
 {
     "name": "@bigso/auth-sdk",
-    "version": "0.4.5",
+    "version": "0.4.7",
     "description": "SDK de autenticación para SSO v2.3 con iframe seguro",
     "publishConfig": {
         "registry": "https://registry.npmjs.org/",
         "access": "public"
     },
     "type": "module",
-    "main": "dist/index.js",
-    "types": "dist/index.d.ts",
+    "exports": {
+        ".": {
+            "types": "./dist/browser/index.d.ts",
+            "import": "./dist/browser/index.js",
+            "require": "./dist/browser/index.cjs"
+        },
+        "./browser": {
+            "types": "./dist/browser/index.d.ts",
+            "import": "./dist/browser/index.js",
+            "require": "./dist/browser/index.cjs"
+        },
+        "./node": {
+            "types": "./dist/node/index.d.ts",
+            "import": "./dist/node/index.js",
+            "require": "./dist/node/index.cjs"
+        },
+        "./express": {
+            "types": "./dist/express/index.d.ts",
+            "import": "./dist/express/index.js",
+            "require": "./dist/express/index.cjs"
+        }
+    },
+    "main": "dist/browser/index.cjs",
+    "module": "dist/browser/index.js",
+    "types": "dist/browser/index.d.ts",
     "files": [
         "dist"
     ],
     "scripts": {
-        "build": "tsup src/index.ts --format esm,cjs --dts",
-        "dev": "tsup src/index.ts --watch",
+        "build": "tsup src/browser/index.ts src/node/index.ts src/express/index.ts --format esm,cjs --dts --out-dir dist",
+        "dev": "tsup src/browser/index.ts src/node/index.ts src/express/index.ts --watch --out-dir dist",
         "lint": "eslint .",
         "test": "vitest",
         "release": "git tag v$npm_package_version && git push origin v$npm_package_version"
@@ -22,10 +45,15 @@
     "dependencies": {
         "jose": "^5.0.0"
     },
+    "peerDependencies": {
+        "express": "^4.0.0 || ^5.0.0"
+    },
     "devDependencies": {
+        "@types/express": "^4.17.21",
+        "eslint": "^9.0.0",
+        "express": "^5.2.1",
         "tsup": "^8.0.0",
         "typescript": "^5.0.0",
-        "eslint": "^9.0.0",
         "vitest": "^1.0.0"
     },
     "keywords": [