@bigso/auth-sdk 0.4.6 → 0.5.0

package/dist/chunk-5ECHA2VH.js

@@ -0,0 +1,32 @@
+// src/utils/jws.ts
+import { jwtVerify, createRemoteJWKSet } from "jose";
+async function verifySignedPayload(token, jwksUrl, expectedAudience) {
+  const JWKS = createRemoteJWKSet(new URL(jwksUrl));
+  const { payload } = await jwtVerify(token, JWKS, {
+    audience: expectedAudience
+  });
+  return payload;
+}
+async function verifyAccessToken(accessToken, jwksUrl) {
+  const JWKS = createRemoteJWKSet(new URL(jwksUrl));
+  const { payload } = await jwtVerify(accessToken, JWKS);
+  if (!payload.sub || !payload.jti) {
+    throw new Error("Invalid token structure: missing sub or jti");
+  }
+  return {
+    sub: payload.sub,
+    jti: payload.jti,
+    iss: payload.iss,
+    aud: payload.aud || "",
+    exp: payload.exp,
+    iat: payload.iat,
+    tenants: payload.tenants || [],
+    systemRole: payload.systemRole || "user",
+    deviceFingerprint: payload.deviceFingerprint
+  };
+}
+
+export {
+  verifySignedPayload,
+  verifyAccessToken
+};

package/dist/express/index.cjs

@@ -29,56 +29,32 @@ module.exports = __toCommonJS(express_exports);
 
 // src/express/middlewares/ssoAuth.ts
 function ssoAuthMiddleware(options) {
-  const cookieName = options.cookieName || "sso_session";
-  const isProduction = options.isProduction ?? process.env.NODE_ENV === "production";
   return async (req, res, next) => {
     try {
-      let sessionToken = req.cookies?.[cookieName];
-      let session = null;
-      if (sessionToken) {
-        session = await options.ssoClient.validateSessionToken(sessionToken);
-      }
-      if (!session) {
-        const refreshToken = req.cookies?.[`${cookieName}_refresh`];
-        if (refreshToken) {
-          const newSessionData = await options.ssoClient.refreshAppSession(refreshToken);
-          if (newSessionData) {
-            const sessionMaxAge = new Date(newSessionData.expiresAt).getTime() - Date.now();
-            const refreshMaxAge = newSessionData.refreshExpiresAt ? new Date(newSessionData.refreshExpiresAt).getTime() - Date.now() : 7 * 24 * 60 * 60 * 1e3;
-            const sessionCookieOptions = {
-              httpOnly: true,
-              secure: isProduction,
-              sameSite: "lax",
-              path: "/",
-              maxAge: sessionMaxAge > 0 ? sessionMaxAge : 0,
-              ...isProduction && options.cookieDomain ? { domain: options.cookieDomain } : {}
-            };
-            const refreshCookieOptions = {
-              ...sessionCookieOptions,
-              maxAge: refreshMaxAge > 0 ? refreshMaxAge : 0
-            };
-            res.cookie(cookieName, newSessionData.sessionToken, sessionCookieOptions);
-            res.cookie(`${cookieName}_refresh`, newSessionData.refreshToken, refreshCookieOptions);
-            session = await options.ssoClient.validateSessionToken(newSessionData.sessionToken);
-          }
-        }
-        if (!session) {
-          res.clearCookie(cookieName);
-          res.clearCookie(`${cookieName}_refresh`);
-          res.status(401).json({ error: "Session expired or invalid" });
-          return;
-        }
+      const authHeader = req.headers.authorization;
+      if (!authHeader || !authHeader.startsWith("Bearer ")) {
+        res.status(401).json({ error: "Missing access token" });
+        return;
       }
-      if (options.onSessionValidated) {
-        await options.onSessionValidated(session, req);
+      const accessToken = authHeader.substring(7);
+      const payload = await options.ssoClient.validateAccessToken(accessToken);
+      if (!payload) {
+        res.status(401).json({ error: "Invalid or expired access token" });
+        return;
       }
-      req.user = session.user;
-      req.tenant = session.tenant;
-      req.ssoSession = session;
+      const primaryTenant = payload.tenants?.[0];
+      req.user = {
+        userId: payload.sub,
+        email: "",
+        firstName: "",
+        lastName: ""
+      };
+      req.tenant = primaryTenant || void 0;
+      req.tokenPayload = payload;
       next();
     } catch (error) {
-      console.error("\u274C [BigsoAuthSDK] Authentication Middleware Error:", error instanceof Error ? error.message : error);
-      res.status(500).json({ error: "Internal authentication error" });
+      console.error("[BigsoAuthSDK] Authentication Middleware Error:", error instanceof Error ? error.message : error);
+      res.status(401).json({ error: "Authentication failed" });
     }
   };
 }
@@ -122,59 +98,26 @@ function ssoSyncGuardMiddleware(options) {
 var import_express = require("express");
 function createSsoAuthRouter(options) {
   const router = (0, import_express.Router)();
-  const cookieName = options.cookieName || "sso_session";
-  const isProduction = options.isProduction ?? process.env.NODE_ENV === "production";
-  const getCookieOptions = (customOptions = {}) => {
-    const base = {
-      httpOnly: true,
-      secure: isProduction,
-      sameSite: "lax",
-      path: "/",
-      ...customOptions
-    };
-    if (isProduction && options.cookieDomain) {
-      base.domain = options.cookieDomain;
-    }
-    return base;
-  };
   router.post("/exchange", async (req, res) => {
     try {
-      const { code } = req.body;
-      if (!code) {
-        res.status(400).json({ error: "Authorization code is required" });
-        return;
-      }
-      const ssoResponse = await options.ssoClient.exchangeCodeForToken(code);
-      if (!ssoResponse.success) {
-        res.status(401).json({ error: "Invalid authorization code" });
+      const { code, codeVerifier } = req.body;
+      if (!code || !codeVerifier) {
+        res.status(400).json({ error: "code and codeVerifier are required" });
         return;
       }
-      const sessionMaxAge = new Date(ssoResponse.expiresAt).getTime() - Date.now();
-      const refreshMaxAge = ssoResponse.refreshExpiresAt ? new Date(ssoResponse.refreshExpiresAt).getTime() - Date.now() : 7 * 24 * 60 * 60 * 1e3;
-      const sessionCookieOptions = getCookieOptions({
-        maxAge: sessionMaxAge > 0 ? sessionMaxAge : 0
-      });
-      const refreshCookieOptions = getCookieOptions({
-        maxAge: refreshMaxAge > 0 ? refreshMaxAge : 0
-      });
-      res.cookie(cookieName, ssoResponse.sessionToken, sessionCookieOptions);
-      if (ssoResponse.refreshToken) {
-        res.cookie(`${cookieName}_refresh`, ssoResponse.refreshToken, refreshCookieOptions);
-      }
+      const ssoResponse = await options.ssoClient.exchangeCode(code, codeVerifier);
       if (options.onLoginSuccess) {
         await options.onLoginSuccess(ssoResponse);
       }
       res.json({
         success: true,
+        tokens: ssoResponse.tokens,
         user: ssoResponse.user,
-        tenant: ssoResponse.tenant,
-        expiresAt: ssoResponse.expiresAt
+        tenant: ssoResponse.tenant
       });
     } catch (error) {
-      console.error("\u274C [BigsoAuthSDK] Error exchanging code:", error.message);
-      res.status(500).json({
-        error: error.message || "Failed to exchange authorization code"
-      });
+      console.error("[BigsoAuthSDK] Error exchanging code:", error.message);
+      res.status(401).json({ error: error.message || "Failed to exchange authorization code" });
     }
   });
   router.post("/exchange-v2", async (req, res) => {
@@ -189,40 +132,27 @@ function createSsoAuthRouter(options) {
         res.status(400).json({ error: "No authorization code found in payload" });
         return;
       }
-      const ssoResponse = await options.ssoClient.exchangeCodeForToken(verified.code);
-      if (!ssoResponse.success) {
-        res.status(401).json({ error: "Invalid authorization code" });
+      const codeVerifier = verified.code_verifier;
+      if (!codeVerifier) {
+        res.status(400).json({ error: "code_verifier is required for PKCE exchange" });
         return;
       }
-      const sessionMaxAge = new Date(ssoResponse.expiresAt).getTime() - Date.now();
-      const refreshMaxAge = ssoResponse.refreshExpiresAt ? new Date(ssoResponse.refreshExpiresAt).getTime() - Date.now() : 7 * 24 * 60 * 60 * 1e3;
-      const sessionCookieOptions = getCookieOptions({
-        maxAge: sessionMaxAge > 0 ? sessionMaxAge : 0
-      });
-      const refreshCookieOptions = getCookieOptions({
-        maxAge: refreshMaxAge > 0 ? refreshMaxAge : 0
-      });
-      res.cookie(cookieName, ssoResponse.sessionToken, sessionCookieOptions);
-      if (ssoResponse.refreshToken) {
-        res.cookie(`${cookieName}_refresh`, ssoResponse.refreshToken, refreshCookieOptions);
-      }
+      const ssoResponse = await options.ssoClient.exchangeCode(verified.code, codeVerifier);
       if (options.onLoginSuccess) {
         await options.onLoginSuccess(ssoResponse);
       }
       res.json({
         success: true,
+        tokens: ssoResponse.tokens,
         user: ssoResponse.user,
-        tenant: ssoResponse.tenant,
-        expiresAt: ssoResponse.expiresAt
+        tenant: ssoResponse.tenant
       });
     } catch (error) {
-      console.error("\u274C [BigsoAuthSDK] Error exchanging v2 payload:", error.message);
-      res.status(401).json({
-        error: error.message || "Failed to verify signed payload"
-      });
+      console.error("[BigsoAuthSDK] Error exchanging v2 payload:", error.message);
+      res.status(401).json({ error: error.message || "Failed to verify signed payload" });
     }
   });
-  router.get("/session", ssoAuthMiddleware(options), (req, res) => {
+  router.get("/session", ssoAuthMiddleware({ ssoClient: options.ssoClient }), (req, res) => {
     res.set("Cache-Control", "no-store, no-cache, must-revalidate, private");
     res.set("Pragma", "no-cache");
     res.set("Expires", "0");
@@ -230,25 +160,34 @@ function createSsoAuthRouter(options) {
       success: true,
       user: req.user,
       tenant: req.tenant,
-      expiresAt: req.ssoSession?.expiresAt
+      tokenPayload: req.tokenPayload
     });
   });
-  router.post("/logout", async (req, res) => {
-    const sessionToken = req.cookies?.[cookieName];
-    if (sessionToken) {
-      try {
-        await options.ssoClient.revokeSession(sessionToken);
-      } catch (error) {
-        console.warn("\u26A0\uFE0F [BigsoAuthSDK] Failed to revoke session in SSO Backend. Clearing local anyway.", error.message);
-      }
+  router.post("/refresh", async (req, res) => {
+    try {
+      const ssoResponse = await options.ssoClient.refreshTokens();
+      res.json({
+        success: true,
+        tokens: ssoResponse.tokens
+      });
+    } catch (error) {
+      console.error("[BigsoAuthSDK] Error refreshing tokens:", error.message);
+      res.status(401).json({ error: error.message || "Failed to refresh tokens" });
     }
-    const cookieOptions = getCookieOptions({ maxAge: 0 });
-    res.clearCookie(cookieName, cookieOptions);
-    res.clearCookie(`${cookieName}_refresh`, cookieOptions);
-    if (options.onLogout && sessionToken) {
-      await options.onLogout(sessionToken);
+  });
+  router.post("/logout", ssoAuthMiddleware({ ssoClient: options.ssoClient }), async (req, res) => {
+    try {
+      const accessToken = req.headers.authorization?.substring(7) || "";
+      const { revokeAll = false } = req.body || {};
+      await options.ssoClient.logout(accessToken, revokeAll);
+      if (options.onLogout) {
+        await options.onLogout(accessToken);
+      }
+      res.json({ success: true, message: "Logged out" });
+    } catch (error) {
+      console.warn("[BigsoAuthSDK] Failed to logout in SSO Backend.", error.message);
+      res.json({ success: true, message: "Logged out (backend revocation failed)" });
     }
-    res.json({ success: true, message: "Logged out" });
   });
   return router;
 }

package/dist/express/index.d.cts

@@ -1,20 +1,26 @@
 import { Request, Response, NextFunction, Router } from 'express';
 import { BigsoSsoClient } from '../node/index.cjs';
-import { S as SsoSessionData } from '../types-CoXgtTry.cjs';
+import { S as SsoTokenPayload, V as V2ExchangeResponse } from '../types-BQzACpj3.cjs';
 
 interface SsoAuthMiddlewareOptions {
     ssoClient: BigsoSsoClient;
-    cookieName?: string;
-    cookieDomain?: string;
-    isProduction?: boolean;
-    onSessionValidated?: (session: SsoSessionData, req: Request) => Promise<void> | void;
 }
 declare global {
     namespace Express {
         interface Request {
-            user?: SsoSessionData['user'];
-            tenant?: SsoSessionData['tenant'];
-            ssoSession?: SsoSessionData;
+            user?: {
+                userId: string;
+                email: string;
+                firstName: string;
+                lastName: string;
+            };
+            tenant?: {
+                tenantId: string;
+                name: string;
+                slug: string;
+                role: string;
+            };
+            tokenPayload?: SsoTokenPayload;
         }
     }
 }
@@ -29,11 +35,8 @@ declare function ssoSyncGuardMiddleware(options: SsoSyncGuardOptions): (req: Req
 interface CreateSsoAuthRouterOptions {
     ssoClient: BigsoSsoClient;
     frontendUrl: string;
-    cookieName?: string;
-    cookieDomain?: string;
-    isProduction?: boolean;
-    onLoginSuccess?: (session: SsoSessionData) => void | Promise<void>;
-    onLogout?: (sessionToken: string) => void | Promise<void>;
+    onLoginSuccess?: (session: V2ExchangeResponse) => void | Promise<void>;
+    onLogout?: (accessToken: string) => void | Promise<void>;
 }
 declare function createSsoAuthRouter(options: CreateSsoAuthRouterOptions): Router;
 

package/dist/express/index.d.ts

@@ -1,20 +1,26 @@
 import { Request, Response, NextFunction, Router } from 'express';
 import { BigsoSsoClient } from '../node/index.js';
-import { S as SsoSessionData } from '../types-CoXgtTry.js';
+import { S as SsoTokenPayload, V as V2ExchangeResponse } from '../types-BQzACpj3.js';
 
 interface SsoAuthMiddlewareOptions {
     ssoClient: BigsoSsoClient;
-    cookieName?: string;
-    cookieDomain?: string;
-    isProduction?: boolean;
-    onSessionValidated?: (session: SsoSessionData, req: Request) => Promise<void> | void;
 }
 declare global {
     namespace Express {
         interface Request {
-            user?: SsoSessionData['user'];
-            tenant?: SsoSessionData['tenant'];
-            ssoSession?: SsoSessionData;
+            user?: {
+                userId: string;
+                email: string;
+                firstName: string;
+                lastName: string;
+            };
+            tenant?: {
+                tenantId: string;
+                name: string;
+                slug: string;
+                role: string;
+            };
+            tokenPayload?: SsoTokenPayload;
         }
     }
 }
@@ -29,11 +35,8 @@ declare function ssoSyncGuardMiddleware(options: SsoSyncGuardOptions): (req: Req
 interface CreateSsoAuthRouterOptions {
     ssoClient: BigsoSsoClient;
     frontendUrl: string;
-    cookieName?: string;
-    cookieDomain?: string;
-    isProduction?: boolean;
-    onLoginSuccess?: (session: SsoSessionData) => void | Promise<void>;
-    onLogout?: (sessionToken: string) => void | Promise<void>;
+    onLoginSuccess?: (session: V2ExchangeResponse) => void | Promise<void>;
+    onLogout?: (accessToken: string) => void | Promise<void>;
 }
 declare function createSsoAuthRouter(options: CreateSsoAuthRouterOptions): Router;
 

package/dist/express/index.js

@@ -1,55 +1,31 @@
 // src/express/middlewares/ssoAuth.ts
 function ssoAuthMiddleware(options) {
-  const cookieName = options.cookieName || "sso_session";
-  const isProduction = options.isProduction ?? process.env.NODE_ENV === "production";
   return async (req, res, next) => {
     try {
-      let sessionToken = req.cookies?.[cookieName];
-      let session = null;
-      if (sessionToken) {
-        session = await options.ssoClient.validateSessionToken(sessionToken);
-      }
-      if (!session) {
-        const refreshToken = req.cookies?.[`${cookieName}_refresh`];
-        if (refreshToken) {
-          const newSessionData = await options.ssoClient.refreshAppSession(refreshToken);
-          if (newSessionData) {
-            const sessionMaxAge = new Date(newSessionData.expiresAt).getTime() - Date.now();
-            const refreshMaxAge = newSessionData.refreshExpiresAt ? new Date(newSessionData.refreshExpiresAt).getTime() - Date.now() : 7 * 24 * 60 * 60 * 1e3;
-            const sessionCookieOptions = {
-              httpOnly: true,
-              secure: isProduction,
-              sameSite: "lax",
-              path: "/",
-              maxAge: sessionMaxAge > 0 ? sessionMaxAge : 0,
-              ...isProduction && options.cookieDomain ? { domain: options.cookieDomain } : {}
-            };
-            const refreshCookieOptions = {
-              ...sessionCookieOptions,
-              maxAge: refreshMaxAge > 0 ? refreshMaxAge : 0
-            };
-            res.cookie(cookieName, newSessionData.sessionToken, sessionCookieOptions);
-            res.cookie(`${cookieName}_refresh`, newSessionData.refreshToken, refreshCookieOptions);
-            session = await options.ssoClient.validateSessionToken(newSessionData.sessionToken);
-          }
-        }
-        if (!session) {
-          res.clearCookie(cookieName);
-          res.clearCookie(`${cookieName}_refresh`);
-          res.status(401).json({ error: "Session expired or invalid" });
-          return;
-        }
+      const authHeader = req.headers.authorization;
+      if (!authHeader || !authHeader.startsWith("Bearer ")) {
+        res.status(401).json({ error: "Missing access token" });
+        return;
       }
-      if (options.onSessionValidated) {
-        await options.onSessionValidated(session, req);
+      const accessToken = authHeader.substring(7);
+      const payload = await options.ssoClient.validateAccessToken(accessToken);
+      if (!payload) {
+        res.status(401).json({ error: "Invalid or expired access token" });
+        return;
       }
-      req.user = session.user;
-      req.tenant = session.tenant;
-      req.ssoSession = session;
+      const primaryTenant = payload.tenants?.[0];
+      req.user = {
+        userId: payload.sub,
+        email: "",
+        firstName: "",
+        lastName: ""
+      };
+      req.tenant = primaryTenant || void 0;
+      req.tokenPayload = payload;
       next();
     } catch (error) {
-      console.error("\u274C [BigsoAuthSDK] Authentication Middleware Error:", error instanceof Error ? error.message : error);
-      res.status(500).json({ error: "Internal authentication error" });
+      console.error("[BigsoAuthSDK] Authentication Middleware Error:", error instanceof Error ? error.message : error);
+      res.status(401).json({ error: "Authentication failed" });
     }
   };
 }
@@ -93,59 +69,26 @@ function ssoSyncGuardMiddleware(options) {
 import { Router } from "express";
 function createSsoAuthRouter(options) {
   const router = Router();
-  const cookieName = options.cookieName || "sso_session";
-  const isProduction = options.isProduction ?? process.env.NODE_ENV === "production";
-  const getCookieOptions = (customOptions = {}) => {
-    const base = {
-      httpOnly: true,
-      secure: isProduction,
-      sameSite: "lax",
-      path: "/",
-      ...customOptions
-    };
-    if (isProduction && options.cookieDomain) {
-      base.domain = options.cookieDomain;
-    }
-    return base;
-  };
   router.post("/exchange", async (req, res) => {
     try {
-      const { code } = req.body;
-      if (!code) {
-        res.status(400).json({ error: "Authorization code is required" });
-        return;
-      }
-      const ssoResponse = await options.ssoClient.exchangeCodeForToken(code);
-      if (!ssoResponse.success) {
-        res.status(401).json({ error: "Invalid authorization code" });
+      const { code, codeVerifier } = req.body;
+      if (!code || !codeVerifier) {
+        res.status(400).json({ error: "code and codeVerifier are required" });
         return;
       }
-      const sessionMaxAge = new Date(ssoResponse.expiresAt).getTime() - Date.now();
-      const refreshMaxAge = ssoResponse.refreshExpiresAt ? new Date(ssoResponse.refreshExpiresAt).getTime() - Date.now() : 7 * 24 * 60 * 60 * 1e3;
-      const sessionCookieOptions = getCookieOptions({
-        maxAge: sessionMaxAge > 0 ? sessionMaxAge : 0
-      });
-      const refreshCookieOptions = getCookieOptions({
-        maxAge: refreshMaxAge > 0 ? refreshMaxAge : 0
-      });
-      res.cookie(cookieName, ssoResponse.sessionToken, sessionCookieOptions);
-      if (ssoResponse.refreshToken) {
-        res.cookie(`${cookieName}_refresh`, ssoResponse.refreshToken, refreshCookieOptions);
-      }
+      const ssoResponse = await options.ssoClient.exchangeCode(code, codeVerifier);
       if (options.onLoginSuccess) {
         await options.onLoginSuccess(ssoResponse);
       }
       res.json({
         success: true,
+        tokens: ssoResponse.tokens,
         user: ssoResponse.user,
-        tenant: ssoResponse.tenant,
-        expiresAt: ssoResponse.expiresAt
+        tenant: ssoResponse.tenant
       });
     } catch (error) {
-      console.error("\u274C [BigsoAuthSDK] Error exchanging code:", error.message);
-      res.status(500).json({
-        error: error.message || "Failed to exchange authorization code"
-      });
+      console.error("[BigsoAuthSDK] Error exchanging code:", error.message);
+      res.status(401).json({ error: error.message || "Failed to exchange authorization code" });
     }
   });
   router.post("/exchange-v2", async (req, res) => {
@@ -160,40 +103,27 @@ function createSsoAuthRouter(options) {
         res.status(400).json({ error: "No authorization code found in payload" });
         return;
       }
-      const ssoResponse = await options.ssoClient.exchangeCodeForToken(verified.code);
-      if (!ssoResponse.success) {
-        res.status(401).json({ error: "Invalid authorization code" });
+      const codeVerifier = verified.code_verifier;
+      if (!codeVerifier) {
+        res.status(400).json({ error: "code_verifier is required for PKCE exchange" });
         return;
       }
-      const sessionMaxAge = new Date(ssoResponse.expiresAt).getTime() - Date.now();
-      const refreshMaxAge = ssoResponse.refreshExpiresAt ? new Date(ssoResponse.refreshExpiresAt).getTime() - Date.now() : 7 * 24 * 60 * 60 * 1e3;
-      const sessionCookieOptions = getCookieOptions({
-        maxAge: sessionMaxAge > 0 ? sessionMaxAge : 0
-      });
-      const refreshCookieOptions = getCookieOptions({
-        maxAge: refreshMaxAge > 0 ? refreshMaxAge : 0
-      });
-      res.cookie(cookieName, ssoResponse.sessionToken, sessionCookieOptions);
-      if (ssoResponse.refreshToken) {
-        res.cookie(`${cookieName}_refresh`, ssoResponse.refreshToken, refreshCookieOptions);
-      }
+      const ssoResponse = await options.ssoClient.exchangeCode(verified.code, codeVerifier);
       if (options.onLoginSuccess) {
         await options.onLoginSuccess(ssoResponse);
       }
       res.json({
         success: true,
+        tokens: ssoResponse.tokens,
         user: ssoResponse.user,
-        tenant: ssoResponse.tenant,
-        expiresAt: ssoResponse.expiresAt
+        tenant: ssoResponse.tenant
       });
     } catch (error) {
-      console.error("\u274C [BigsoAuthSDK] Error exchanging v2 payload:", error.message);
-      res.status(401).json({
-        error: error.message || "Failed to verify signed payload"
-      });
+      console.error("[BigsoAuthSDK] Error exchanging v2 payload:", error.message);
+      res.status(401).json({ error: error.message || "Failed to verify signed payload" });
     }
   });
-  router.get("/session", ssoAuthMiddleware(options), (req, res) => {
+  router.get("/session", ssoAuthMiddleware({ ssoClient: options.ssoClient }), (req, res) => {
     res.set("Cache-Control", "no-store, no-cache, must-revalidate, private");
     res.set("Pragma", "no-cache");
     res.set("Expires", "0");
@@ -201,25 +131,34 @@ function createSsoAuthRouter(options) {
       success: true,
       user: req.user,
       tenant: req.tenant,
-      expiresAt: req.ssoSession?.expiresAt
+      tokenPayload: req.tokenPayload
     });
   });
-  router.post("/logout", async (req, res) => {
-    const sessionToken = req.cookies?.[cookieName];
-    if (sessionToken) {
-      try {
-        await options.ssoClient.revokeSession(sessionToken);
-      } catch (error) {
-        console.warn("\u26A0\uFE0F [BigsoAuthSDK] Failed to revoke session in SSO Backend. Clearing local anyway.", error.message);
-      }
+  router.post("/refresh", async (req, res) => {
+    try {
+      const ssoResponse = await options.ssoClient.refreshTokens();
+      res.json({
+        success: true,
+        tokens: ssoResponse.tokens
+      });
+    } catch (error) {
+      console.error("[BigsoAuthSDK] Error refreshing tokens:", error.message);
+      res.status(401).json({ error: error.message || "Failed to refresh tokens" });
     }
-    const cookieOptions = getCookieOptions({ maxAge: 0 });
-    res.clearCookie(cookieName, cookieOptions);
-    res.clearCookie(`${cookieName}_refresh`, cookieOptions);
-    if (options.onLogout && sessionToken) {
-      await options.onLogout(sessionToken);
+  });
+  router.post("/logout", ssoAuthMiddleware({ ssoClient: options.ssoClient }), async (req, res) => {
+    try {
+      const accessToken = req.headers.authorization?.substring(7) || "";
+      const { revokeAll = false } = req.body || {};
+      await options.ssoClient.logout(accessToken, revokeAll);
+      if (options.onLogout) {
+        await options.onLogout(accessToken);
+      }
+      res.json({ success: true, message: "Logged out" });
+    } catch (error) {
+      console.warn("[BigsoAuthSDK] Failed to logout in SSO Backend.", error.message);
+      res.json({ success: true, message: "Logged out (backend revocation failed)" });
     }
-    res.json({ success: true, message: "Logged out" });
   });
   return router;
 }