@cedros/login-react 0.0.11 → 0.0.13

package/dist/crypto/webauthnPrf.d.ts

@@ -1,108 +0,0 @@
-import { PrfSalt } from './types';
-/** Result of registering a new passkey with PRF */
-export interface PasskeyRegistrationResult {
-    /** Base64-encoded credential ID */
-    credentialId: string;
-    /** Base64-encoded PRF salt */
-    prfSalt: string;
-    /** PRF output (32 bytes) for key derivation */
-    prfOutput: Uint8Array;
-}
-/** Result of authenticating with an existing passkey */
-export interface PasskeyAuthResult {
-    /** PRF output (32 bytes) for key derivation */
-    prfOutput: Uint8Array;
-}
-/**
- * Check if WebAuthn is available in this browser
- */
-export declare function isWebAuthnAvailable(): boolean;
-/**
- * Check if the PRF extension is supported
- *
- * Note: This only checks for API support, not actual authenticator support.
- * The actual PRF availability depends on the user's authenticator.
- */
-export declare function isPrfSupported(): Promise<boolean>;
-/** Options for passkey operations */
-export interface PasskeyOptions {
-    /** SEC-004: Allowed domains for RP ID validation */
-    allowedDomains?: string[];
-}
-/**
- * Register a new passkey with PRF extension for wallet encryption
- *
- * @param userId - User ID bytes (from authenticated user)
- * @param userName - Display name for the passkey
- * @param displayName - User's display name
- * @param prfSalt - Optional PRF salt (generated if not provided)
- * @param options - Optional configuration including allowed domains
- * @returns Registration result with credential ID and PRF output
- * @throws Error if registration fails or PRF is not supported
- */
-export declare function registerPasskeyWithPrf(userId: Uint8Array, userName: string, displayName: string, prfSalt?: PrfSalt, options?: PasskeyOptions): Promise<PasskeyRegistrationResult>;
-/**
- * Authenticate with an existing passkey and get PRF output
- *
- * @param credentialId - Base64-encoded credential ID
- * @param prfSalt - Base64-encoded PRF salt
- * @param options - Optional configuration including allowed domains
- * @returns Authentication result with PRF output
- * @throws Error if authentication fails
- */
-export declare function authenticateWithPrf(credentialId: string, prfSalt: string, options?: PasskeyOptions): Promise<PasskeyAuthResult>;
-/**
- * Get encryption key from passkey via PRF extension
- *
- * This combines authentication and key derivation in a single operation.
- *
- * ## SEC-03: Key Lifecycle Management
- *
- * **IMPORTANT**: The returned encryption key is sensitive cryptographic material.
- * Callers are responsible for:
- *
- * 1. Using the key only for its intended purpose (Share B decryption)
- * 2. Wiping the key from memory after use by calling `key.fill(0)`
- * 3. Not storing the key in persistent storage (localStorage, IndexedDB, etc.)
- * 4. Not logging or transmitting the key
- *
- * The PRF output used to derive this key is automatically wiped in the finally
- * block, but the derived key must be managed by the caller.
- *
- * @example
- * ```typescript
- * const key = await getEncryptionKeyFromPasskey(credentialId, prfSalt);
- * try {
- *   const plaintext = await decryptShareB(ciphertext, key);
- *   // ... use plaintext
- * } finally {
- *   key.fill(0); // Wipe key after use
- * }
- * ```
- *
- * @param credentialId - Base64-encoded credential ID
- * @param prfSalt - Base64-encoded PRF salt
- * @param options - Optional configuration including allowed domains
- * @returns 32-byte encryption key derived from PRF output. **Caller must wipe after use.**
- */
-export declare function getEncryptionKeyFromPasskey(credentialId: string, prfSalt: string, options?: PasskeyOptions): Promise<Uint8Array>;
-/**
- * Check if a credential ID is valid for this user
- *
- * @param credentialId - Base64-encoded credential ID to check
- * @param options - Optional configuration including allowed domains
- * @returns true if credential exists and can be used
- */
-export declare function isCredentialAvailable(credentialId: string, options?: PasskeyOptions): Promise<boolean>;
-/**
- * Authenticate with any discoverable passkey and get PRF output
- *
- * This allows authentication without specifying a credential ID, letting
- * the browser present all available passkeys for this domain.
- *
- * @param prfSalt - Base64-encoded PRF salt
- * @param options - Optional configuration including allowed domains
- * @returns Authentication result with PRF output
- * @throws Error if authentication fails
- */
-export declare function authenticateWithDiscoverablePrf(prfSalt: string, options?: PasskeyOptions): Promise<PasskeyAuthResult>;

package/dist/hooks/useAdminDeposits.d.ts

@@ -1,10 +0,0 @@
-import { UseAdminDepositsReturn } from '../types/deposit';
-export type { UseAdminDepositsReturn } from '../types/deposit';
-/**
- * Hook for admin Privacy Cash deposit operations
- *
- * Requires system admin privileges. All methods will fail with 403 if not admin.
- *
- * Safe to call outside CedrosLoginProvider - returns no-op functions that throw.
- */
-export declare function useAdminDeposits(): UseAdminDepositsReturn;

package/dist/hooks/useAdminUsers.d.ts

@@ -1,28 +0,0 @@
-import { UseAdminUsersReturn } from '../types';
-/**
- * Hook for admin user management operations
- *
- * Provides methods to list all users, get individual users,
- * and manage system admin status. Requires system admin privileges.
- *
- * @example
- * ```tsx
- * function UserManagement() {
- *   const { users, total, isLoading, listUsers, setSystemAdmin } = useAdminUsers();
- *
- *   useEffect(() => {
- *     listUsers({ limit: 20 });
- *   }, [listUsers]);
- *
- *   return (
- *     <AdminUserList
- *       users={users}
- *       total={total}
- *       isLoading={isLoading}
- *       onToggleAdmin={(userId, isAdmin) => setSystemAdmin(userId, isAdmin)}
- *     />
- *   );
- * }
- * ```
- */
-export declare function useAdminUsers(): UseAdminUsersReturn;

package/dist/hooks/useAppleAuth.d.ts

@@ -1,52 +0,0 @@
-import { AuthResponse, AuthError } from '../types';
-export interface UseAppleAuthReturn {
-    signIn: () => Promise<AuthResponse>;
-    isLoading: boolean;
-    isInitialized: boolean;
-    error: AuthError | null;
-    clearError: () => void;
-}
-/**
- * Hook for Apple Sign In authentication.
- *
- * @example
- * ```tsx
- * function AppleButton() {
- *   const { signIn, isLoading, isInitialized, error } = useAppleAuth();
- *
- *   return (
- *     <button onClick={signIn} disabled={!isInitialized || isLoading}>
- *       {isLoading ? 'Signing in...' : 'Sign in with Apple'}
- *     </button>
- *   );
- * }
- * ```
- */
-export declare function useAppleAuth(): UseAppleAuthReturn;
-declare global {
-    interface Window {
-        AppleID?: {
-            auth?: {
-                init: (config: {
-                    clientId: string;
-                    scope: string;
-                    redirectURI: string;
-                    usePopup?: boolean;
-                }) => void;
-                signIn: () => Promise<{
-                    authorization?: {
-                        id_token?: string;
-                        code?: string;
-                    };
-                    user?: {
-                        email?: string;
-                        name?: {
-                            firstName?: string;
-                            lastName?: string;
-                        };
-                    };
-                }>;
-            };
-        };
-    }
-}

package/dist/hooks/useAuth.d.ts

@@ -1,34 +0,0 @@
-import { AuthUser, AuthState, AuthError } from '../types';
-export interface UseAuthReturn {
-    user: AuthUser | null;
-    authState: AuthState;
-    error: AuthError | null;
-    isAuthenticated: boolean;
-    isLoading: boolean;
-    logout: () => Promise<void>;
-    refreshUser: () => Promise<void>;
-    openLoginModal: () => void;
-    closeLoginModal: () => void;
-}
-/**
- * Main authentication hook providing user state and actions.
- *
- * @example
- * ```tsx
- * function MyComponent() {
- *   const { user, isAuthenticated, logout, openLoginModal } = useAuth();
- *
- *   if (!isAuthenticated) {
- *     return <button onClick={openLoginModal}>Login</button>;
- *   }
- *
- *   return (
- *     <div>
- *       <p>Welcome, {user?.name}</p>
- *       <button onClick={logout}>Logout</button>
- *     </div>
- *   );
- * }
- * ```
- */
-export declare function useAuth(): UseAuthReturn;

package/dist/hooks/useAuthSession.d.ts

@@ -1,19 +0,0 @@
-import { AuthUser, AuthState, TokenPair, SessionConfig, AuthCallbacks } from '../types';
-export interface UseAuthSessionOptions {
-    serverUrl: string;
-    session?: SessionConfig;
-    callbacks?: AuthCallbacks;
-    requestTimeoutMs?: number;
-}
-export interface UseAuthSessionReturn {
-    user: AuthUser | null;
-    authState: AuthState;
-    handleLoginSuccess: (user: AuthUser, tokens?: TokenPair) => void;
-    logout: () => Promise<void>;
-    refreshUser: () => Promise<void>;
-    getAccessToken: () => string | null;
-}
-/**
- * Hook that manages authentication session state, token refresh, and tab sync.
- */
-export declare function useAuthSession({ serverUrl, session, callbacks, requestTimeoutMs, }: UseAuthSessionOptions): UseAuthSessionReturn;

package/dist/hooks/useAuthorize.d.ts

@@ -1,62 +0,0 @@
-import { AuthorizeRequest, AuthError } from '../types';
-export interface AuthorizationCheck {
-    allowed: boolean;
-    reason?: string;
-    isLoading: boolean;
-    error: AuthError | null;
-}
-export interface UseAuthorizeReturn {
-    /**
-     * Check if an action is authorized server-side.
-     * Use this for dynamic authorization checks.
-     */
-    authorize: (request: AuthorizeRequest) => Promise<boolean>;
-    /**
-     * Authorization state for the last check
-     */
-    lastCheck: AuthorizationCheck;
-    /**
-     * Clear the last authorization check
-     */
-    clearCheck: () => void;
-    /**
-     * Check authorization and return detailed result
-     */
-    checkAuthorization: (request: AuthorizeRequest) => Promise<AuthorizationCheck>;
-}
-/**
- * Hook for server-side authorization checks.
- *
- * This hook allows you to check if a specific action is authorized
- * by making a request to the server's /authorize endpoint.
- *
- * For simple permission checks based on the user's role, use `useOrgs().hasPermission()` instead.
- *
- * @example
- * ```tsx
- * function DeleteButton({ resourceId }: { resourceId: string }) {
- *   const { authorize, lastCheck } = useAuthorize();
- *   const { activeOrg } = useOrgs();
- *
- *   const handleDelete = async () => {
- *     const allowed = await authorize({
- *       orgId: activeOrg?.id!,
- *       action: 'delete',
- *       resource: 'document',
- *       resourceId,
- *     });
- *
- *     if (allowed) {
- *       // Proceed with delete
- *     }
- *   };
- *
- *   return (
- *     <button onClick={handleDelete} disabled={lastCheck.isLoading}>
- *       Delete
- *     </button>
- *   );
- * }
- * ```
- */
-export declare function useAuthorize(): UseAuthorizeReturn;

package/dist/hooks/useCredits.d.ts

@@ -1,11 +0,0 @@
-import { UseCreditsReturn } from '../types/deposit';
-export type { UseCreditsReturn } from '../types/deposit';
-/**
- * Hook for credit balance and transaction history
- *
- * Credits represent the user's balance from Privacy Cash deposits.
- * The balance can be used for services within the application.
- *
- * Safe to call outside CedrosLoginProvider - returns no-op functions that throw.
- */
-export declare function useCredits(): UseCreditsReturn;

package/dist/hooks/useDashboardPermissions.d.ts

@@ -1,45 +0,0 @@
-import { DashboardSection, DashboardPermissions, AuthError } from '../types';
-export interface UseDashboardPermissionsReturn {
-    /** Current dashboard permissions config */
-    permissions: DashboardPermissions;
-    /** Whether the current user can access a specific section */
-    canAccess: (section: DashboardSection) => boolean;
-    /** Update permissions (owner only) */
-    updatePermissions: (permissions: DashboardPermissions) => Promise<void>;
-    /** Loading state */
-    isLoading: boolean;
-    /** Updating state */
-    isUpdating: boolean;
-    /** Error state */
-    error: AuthError | null;
-    /** Refresh permissions from server */
-    fetchPermissions: () => Promise<void>;
-}
-/**
- * Hook for managing dashboard permissions per role.
- *
- * Allows org owners to configure which dashboard sections each role can access.
- * - Owner always has full access (not configurable)
- * - Admin and Member roles are configurable
- *
- * @example
- * ```tsx
- * function AdminDashboard() {
- *   const { canAccess, permissions, updatePermissions } = useDashboardPermissions();
- *
- *   // Check if current user can access a section
- *   if (!canAccess('deposits')) {
- *     return <div>You don't have access to deposits</div>;
- *   }
- *
- *   // Update permissions (owner only)
- *   const toggleMemberDeposits = () => {
- *     updatePermissions({
- *       ...permissions,
- *       member: { ...permissions.member, deposits: !permissions.member.deposits },
- *     });
- *   };
- * }
- * ```
- */
-export declare function useDashboardPermissions(): UseDashboardPermissionsReturn;

package/dist/hooks/useDeposit.d.ts

@@ -1,16 +0,0 @@
-import { UseDepositReturn } from '../types/deposit';
-export type { UseDepositReturn } from '../types/deposit';
-/**
- * Hook for Privacy Cash deposit operations
- *
- * Deposits go to the user's Privacy Cash account (user's pubkey is owner).
- * Credits are issued immediately, withdrawal to company wallet happens later.
- *
- * Requirements:
- * - User must have SSS wallet enrolled
- * - Wallet must be unlocked (call POST /wallet/unlock first)
- * - Wallet must be in "no recovery" mode
- *
- * Safe to call outside CedrosLoginProvider - returns no-op functions that throw.
- */
-export declare function useDeposit(): UseDepositReturn;

package/dist/hooks/useEmailAuth.d.ts

@@ -1,60 +0,0 @@
-import { AuthResponse, AuthError } from '../types';
-/** Result when MFA verification is required */
-export interface MfaRequiredResult {
-    mfaRequired: true;
-    mfaToken: string;
-    email: string;
-    userId: string;
-}
-/** Result of successful login (no TOTP required or after TOTP verification) */
-export interface LoginSuccessResult {
-    mfaRequired: false;
-    response: AuthResponse;
-}
-/** Union type for login result */
-export type LoginResult = MfaRequiredResult | LoginSuccessResult;
-export interface UseEmailAuthReturn {
-    /** Login - may return mfaRequired if 2FA is enabled */
-    login: (email: string, password: string) => Promise<LoginResult>;
-    register: (email: string, password: string, name?: string) => Promise<AuthResponse>;
-    isLoading: boolean;
-    error: AuthError | null;
-    clearError: () => void;
-    /**
-     * Number of remaining login attempts before rate limiting.
-     *
-     * M-10: Snapshot Behavior
-     * This value is a point-in-time snapshot computed at render time.
-     * It may be briefly stale during rapid requests or concurrent renders.
-     * For UI display only - actual rate limiting is enforced inside login/register.
-     */
-    remainingAttempts: number;
-    /**
-     * Time in ms until rate limit resets (0 if not rate limited).
-     *
-     * M-10: Snapshot Behavior
-     * This value is a point-in-time snapshot computed at render time.
-     * It may be briefly stale - use for UI display, not for logic decisions.
-     */
-    timeUntilReset: number;
-}
-/**
- * Hook for email/password authentication.
- *
- * @example
- * ```tsx
- * function LoginForm() {
- *   const { login, isLoading, error } = useEmailAuth();
- *
- *   const handleSubmit = async (e) => {
- *     e.preventDefault();
- *     try {
- *       await login(email, password);
- *     } catch (err) {
- *       // Handle error
- *     }
- *   };
- * }
- * ```
- */
-export declare function useEmailAuth(): UseEmailAuthReturn;

package/dist/hooks/useGoogleAuth.d.ts

@@ -1,67 +0,0 @@
-import { AuthResponse, AuthError } from '../types';
-/** @internal */
-export declare const _internalGoogleScriptLoader: {
-    loading: boolean;
-    loaded: boolean;
-    error: Error | null;
-    callbacks: Array<{
-        resolve: () => void;
-        reject: (err: Error) => void;
-    }>;
-    load(): Promise<void>;
-    /**
-     * Reset singleton state for test isolation (F-08)
-     * @internal - Only use in test setup/teardown
-     */
-    _reset(): void;
-};
-export interface UseGoogleAuthReturn {
-    signIn: () => Promise<AuthResponse>;
-    isLoading: boolean;
-    isInitialized: boolean;
-    error: AuthError | null;
-    clearError: () => void;
-}
-/**
- * Hook for Google OAuth authentication.
- *
- * @example
- * ```tsx
- * function GoogleButton() {
- *   const { signIn, isLoading, isInitialized, error } = useGoogleAuth();
- *
- *   return (
- *     <button onClick={signIn} disabled={!isInitialized || isLoading}>
- *       {isLoading ? 'Signing in...' : 'Sign in with Google'}
- *     </button>
- *   );
- * }
- * ```
- */
-export declare function useGoogleAuth(): UseGoogleAuthReturn;
-declare global {
-    interface Window {
-        google?: {
-            accounts?: {
-                id?: {
-                    initialize: (config: {
-                        client_id: string;
-                        callback: (response: {
-                            credential: string;
-                        }) => void;
-                        auto_select?: boolean;
-                        cancel_on_tap_outside?: boolean;
-                    }) => void;
-                    prompt: (callback: (notification: {
-                        isNotDisplayed: () => boolean;
-                        isSkippedMoment: () => boolean;
-                        isDismissedMoment: () => boolean;
-                        getMomentType: () => string;
-                    }) => void) => void;
-                    renderButton: (element: HTMLElement, config: object) => void;
-                    disableAutoSelect: () => void;
-                };
-            };
-        };
-    }
-}

package/dist/hooks/useInstantLink.d.ts

@@ -1,42 +0,0 @@
-import { AuthError, AuthResponse, MfaRequiredResponse } from '../types';
-export interface UseInstantLinkReturn {
-    /** Send an instant link email to the given address */
-    sendInstantLink: (email: string) => Promise<void>;
-    /** Verify an instant link token and sign in */
-    verifyInstantLink: (token: string) => Promise<AuthResponse | MfaRequiredResponse>;
-    /** Whether a request is in progress */
-    isLoading: boolean;
-    /** Whether the instant link was sent successfully */
-    isSuccess: boolean;
-    /** Error from the last request */
-    error: AuthError | null;
-    /** Clear the error state */
-    clearError: () => void;
-    /** Reset to initial state */
-    reset: () => void;
-    /** Number of remaining attempts before rate limiting */
-    remainingAttempts: number;
-}
-/**
- * Hook for instant link (passwordless) authentication.
- *
- * Sends an instant link email that allows the user to sign in
- * without entering their password.
- *
- * @example
- * ```tsx
- * function InstantLinkForm() {
- *   const { sendInstantLink, isLoading, isSuccess, error } = useInstantLink();
- *
- *   const handleSubmit = async (e) => {
- *     e.preventDefault();
- *     await sendInstantLink(email);
- *   };
- *
- *   if (isSuccess) {
- *     return <p>Check your email for the sign-in link</p>;
- *   }
- * }
- * ```
- */
-export declare function useInstantLink(): UseInstantLinkReturn;

package/dist/hooks/useInvites.d.ts

@@ -1,57 +0,0 @@
-import { Invite, OrgRole, AuthError, AcceptInviteResponse } from '../types';
-export interface UseInvitesReturn {
-    /** List of pending invites */
-    invites: Invite[];
-    /** Total pending invites available on the server */
-    total: number;
-    /** Loading state */
-    isLoading: boolean;
-    /** Error state */
-    error: AuthError | null;
-    /** Fetch/refresh invites list */
-    fetchInvites: (options?: {
-        limit?: number;
-        offset?: number;
-    }) => Promise<void>;
-    /** Create a new invite */
-    createInvite: (email: string, role?: Exclude<OrgRole, 'owner'>) => Promise<void>;
-    /** Cancel a pending invite */
-    cancelInvite: (inviteId: string) => Promise<void>;
-    /** Resend an invite email */
-    resendInvite: (inviteId: string) => Promise<void>;
-    /** Accept an invite (public) */
-    acceptInvite: (token: string) => Promise<AcceptInviteResponse>;
-}
-/**
- * Hook for managing organization invites.
- *
- * @param orgId - The organization ID to manage invites for
- *
- * @example
- * ```tsx
- * function InviteManager() {
- *   const { activeOrg } = useOrgs();
- *   const { invites, createInvite, cancelInvite, resendInvite } = useInvites(activeOrg?.id);
- *
- *   const handleInvite = async (email: string) => {
- *     await createInvite(email, 'member');
- *   };
- *
- *   return (
- *     <div>
- *       <InviteForm onSubmit={handleInvite} />
- *       <ul>
- *         {invites.map(invite => (
- *           <li key={invite.id}>
- *             {invite.email} ({invite.role})
- *             <button onClick={() => resendInvite(invite.id)}>Resend</button>
- *             <button onClick={() => cancelInvite(invite.id)}>Cancel</button>
- *           </li>
- *         ))}
- *       </ul>
- *     </div>
- *   );
- * }
- * ```
- */
-export declare function useInvites(orgId: string | undefined): UseInvitesReturn;

package/dist/hooks/useMembers.d.ts

@@ -1,52 +0,0 @@
-import { Member, OrgRole, AuthError } from '../types';
-export interface UseMembersReturn {
-    /** List of members */
-    members: Member[];
-    /** Total members available on the server */
-    total: number;
-    /** Loading state */
-    isLoading: boolean;
-    /** Error state */
-    error: AuthError | null;
-    /** Fetch/refresh members list */
-    fetchMembers: (options?: {
-        limit?: number;
-        offset?: number;
-    }) => Promise<void>;
-    /** Update a member's role */
-    updateMemberRole: (userId: string, role: OrgRole) => Promise<void>;
-    /** Remove a member */
-    removeMember: (userId: string) => Promise<void>;
-}
-/**
- * Hook for managing organization members.
- *
- * @param orgId - The organization ID to manage members for
- *
- * @example
- * ```tsx
- * function MembersList() {
- *   const { activeOrg } = useOrgs();
- *   const { members, isLoading, updateMemberRole, removeMember } = useMembers(activeOrg?.id);
- *
- *   if (!activeOrg) return null;
- *
- *   return (
- *     <ul>
- *       {members.map(member => (
- *         <li key={member.id}>
- *           {member.user.name} - {member.role}
- *           <button onClick={() => updateMemberRole(member.userId, 'admin')}>
- *             Make Admin
- *           </button>
- *           <button onClick={() => removeMember(member.userId)}>
- *             Remove
- *           </button>
- *         </li>
- *       ))}
- *     </ul>
- *   );
- * }
- * ```
- */
-export declare function useMembers(orgId: string | undefined): UseMembersReturn;