@civic/auth 0.0.1-beta.0 → 0.0.1-beta.10

package/dist/react.mjs

@@ -1,65 +1,43 @@
-'use client'
-var __defProp = Object.defineProperty;
-var __defProps = Object.defineProperties;
-var __getOwnPropDescs = Object.getOwnPropertyDescriptors;
-var __getOwnPropSymbols = Object.getOwnPropertySymbols;
-var __hasOwnProp = Object.prototype.hasOwnProperty;
-var __propIsEnum = Object.prototype.propertyIsEnumerable;
-var __defNormalProp = (obj, key, value) => key in obj ? __defProp(obj, key, { enumerable: true, configurable: true, writable: true, value }) : obj[key] = value;
-var __spreadValues = (a, b) => {
-  for (var prop in b || (b = {}))
-    if (__hasOwnProp.call(b, prop))
-      __defNormalProp(a, prop, b[prop]);
-  if (__getOwnPropSymbols)
-    for (var prop of __getOwnPropSymbols(b)) {
-      if (__propIsEnum.call(b, prop))
-        __defNormalProp(a, prop, b[prop]);
-    }
-  return a;
-};
-var __spreadProps = (a, b) => __defProps(a, __getOwnPropDescs(b));
-var __objRest = (source, exclude) => {
-  var target = {};
-  for (var prop in source)
-    if (__hasOwnProp.call(source, prop) && exclude.indexOf(prop) < 0)
-      target[prop] = source[prop];
-  if (source != null && __getOwnPropSymbols)
-    for (var prop of __getOwnPropSymbols(source)) {
-      if (exclude.indexOf(prop) < 0 && __propIsEnum.call(source, prop))
-        target[prop] = source[prop];
-    }
-  return target;
-};
-var __async = (__this, __arguments, generator) => {
-  return new Promise((resolve, reject) => {
-    var fulfilled = (value) => {
-      try {
-        step(generator.next(value));
-      } catch (e) {
-        reject(e);
-      }
-    };
-    var rejected = (value) => {
-      try {
-        step(generator.throw(value));
-      } catch (e) {
-        reject(e);
-      }
-    };
-    var step = (x) => x.done ? resolve(x.value) : Promise.resolve(x.value).then(fulfilled, rejected);
-    step((generator = generator.apply(__this, __arguments)).next());
-  });
-};
+import {
+  resolveAuthConfig,
+  resolveCallbackUrl
+} from "./chunk-EAANLFR5.mjs";
+import {
+  BrowserAuthenticationInitiator,
+  BrowserAuthenticationService,
+  BrowserPublicClientPKCEProducer,
+  ConfidentialClientPKCEConsumer,
+  DEFAULT_SCOPES,
+  GenericUserSession,
+  IFRAME_ID,
+  LocalStorageAdapter,
+  cn,
+  generateState,
+  getUser,
+  isWindowInIframe
+} from "./chunk-PMDIR5XE.mjs";
+import {
+  __async,
+  __objRest,
+  __spreadProps,
+  __spreadValues
+} from "./chunk-RGHW4PYM.mjs";
 
 // src/react/hooks/useUser.tsx
-import { useContext as useContext3 } from "react";
+import { useContext as useContext5 } from "react";
 
 // src/react/providers/UserProvider.tsx
-import { createContext } from "react";
+import { createContext as createContext4 } from "react";
 import { useQuery } from "@tanstack/react-query";
 
 // src/react/hooks/useAuth.tsx
 import { useContext } from "react";
+
+// src/shared/AuthContext.tsx
+import { createContext } from "react";
+var AuthContext = createContext(null);
+
+// src/react/hooks/useAuth.tsx
 var useAuth = () => {
   const context = useContext(AuthContext);
   if (!context) {
@@ -69,96 +47,88 @@ var useAuth = () => {
 };
 
 // src/react/hooks/useToken.tsx
+import { useContext as useContext3 } from "react";
+
+// src/react/providers/TokenProvider.tsx
+import { createContext as createContext3, useMemo } from "react";
+import { useMutation, useQueryClient } from "@tanstack/react-query";
+
+// src/react/hooks/useSession.tsx
 import { useContext as useContext2 } from "react";
-var useToken = () => {
-  const context = useContext2(TokenContext);
+
+// src/react/providers/SessionProvider.tsx
+import {
+  createContext as createContext2
+} from "react";
+import { jsx } from "react/jsx-runtime";
+var defaultSession = {
+  authenticated: false,
+  idToken: void 0,
+  accessToken: void 0,
+  displayMode: "iframe",
+  iframeRef: null,
+  setAuthResponseUrl: () => {
+  }
+};
+var SessionContext = createContext2(defaultSession);
+var SessionProvider = ({
+  children,
+  session,
+  iframeRef,
+  setAuthResponseUrl
+}) => /* @__PURE__ */ jsx(
+  SessionContext.Provider,
+  {
+    value: __spreadProps(__spreadValues({}, session || defaultSession), { iframeRef, setAuthResponseUrl }),
+    children
+  }
+);
+
+// src/react/hooks/useSession.tsx
+var useSession = () => {
+  const context = useContext2(SessionContext);
   if (!context) {
-    throw new Error("useToken must be used within a TokenProvider");
+    throw new Error("useSession must be used within an SessionProvider");
   }
   return context;
 };
 
-// src/react/providers/UserProvider.tsx
+// src/react/providers/TokenProvider.tsx
 import { parseJWT } from "oslo/jwt";
-import { jsx } from "react/jsx-runtime";
-var UserContext = createContext(null);
-var UserProvider = ({
-  children
-}) => {
-  const { isLoading: authLoading, error: authError } = useAuth();
-  const session = useSession();
-  const { forwardedTokens, idToken, accessToken, refreshToken } = useToken();
-  const { isAuthenticated, signIn, signOut } = useAuth();
-  const fetchUser = () => __async(void 0, null, function* () {
-    if (!(session == null ? void 0 : session.idToken)) {
-      return null;
-    }
-    const parsedJWT = parseJWT(session.idToken);
-    if (!parsedJWT) {
-      return null;
-    }
-    const user2 = parsedJWT.payload;
-    return __spreadProps(__spreadValues({}, user2), {
-      forwardedTokens,
-      idToken,
-      accessToken,
-      refreshToken
-    });
-  });
-  const {
-    data: user,
-    isLoading: userLoading,
-    error: userError,
-    refetch
-  } = useQuery({
-    queryKey: ["user", session == null ? void 0 : session.accessToken],
-    queryFn: fetchUser,
-    enabled: !!(session == null ? void 0 : session.accessToken)
-    // Only run the query if we have an access token
-  });
-  const isLoading = authLoading || userLoading;
-  const error = authError || userError;
-  return /* @__PURE__ */ jsx(
-    UserContext.Provider,
+
+// src/lib/jwt.ts
+var convertForwardedTokenFormat = (inputTokens) => Object.fromEntries(
+  Object.entries(inputTokens).map(([source, tokens]) => [
+    source,
     {
-      value: {
-        user,
-        isLoading,
-        error,
-        refetch,
-        isAuthenticated,
-        signIn,
-        signOut
-      },
-      children
+      idToken: tokens == null ? void 0 : tokens.id_token,
+      accessToken: tokens == null ? void 0 : tokens.access_token,
+      refreshToken: tokens == null ? void 0 : tokens.refresh_token
     }
-  );
-};
+  ])
+);
 
 // src/react/providers/TokenProvider.tsx
-import { createContext as createContext2, useMemo } from "react";
-import { useMutation, useQueryClient } from "@tanstack/react-query";
-import { parseJWT as parseJWT2 } from "oslo/jwt";
 import { jsx as jsx2 } from "react/jsx-runtime";
-var TokenContext = createContext2(void 0);
+var TokenContext = createContext3(void 0);
 var TokenProvider = ({ children }) => {
   const { isLoading, error: authError } = useAuth();
   const session = useSession();
-  const queryClient2 = useQueryClient();
+  const queryClient3 = useQueryClient();
   const refreshTokenMutation = useMutation({
     mutationFn: () => __async(void 0, null, function* () {
       throw new Error("Method not implemented.");
     }),
     onSuccess: () => {
-      queryClient2.invalidateQueries({ queryKey: ["session"] });
+      queryClient3.invalidateQueries({ queryKey: ["session"] });
     }
   });
   const decodeTokens = useMemo(() => {
     if (!(session == null ? void 0 : session.idToken)) return null;
-    const parsedJWT = parseJWT2(session.idToken);
+    const parsedJWT = parseJWT(session.idToken);
     if (!parsedJWT) return null;
     const { forwardedTokens } = parsedJWT.payload;
-    return forwardedTokens;
+    return forwardedTokens ? convertForwardedTokenFormat(forwardedTokens) : null;
   }, [session == null ? void 0 : session.idToken]);
   const value = useMemo(
     () => ({
@@ -182,378 +152,93 @@ var TokenProvider = ({ children }) => {
   return /* @__PURE__ */ jsx2(TokenContext.Provider, { value, children });
 };
 
-// src/react/providers/AuthProvider.tsx
-import {
-  createContext as createContext5,
-  useState as useState3,
-  useEffect as useEffect3,
-  useMemo as useMemo2,
-  useCallback as useCallback2
-} from "react";
-import { useQuery as useQuery2, useMutation as useMutation2, useQueryClient as useQueryClient2 } from "@tanstack/react-query";
-
-// src/services/UserInfoService.ts
-var UserInfoServiceImpl = class {
-  constructor(endpoints) {
-    this.endpoints = endpoints;
-  }
-  getUserInfo(accessToken) {
-    return __async(this, null, function* () {
-      return {
-        id: "user123",
-        name: "John Doe",
-        email: "john@example.com",
-        picture: "https://example.com/john.jpg",
-        given_name: "John",
-        family_name: "Doe",
-        created_at: /* @__PURE__ */ new Date(),
-        updated_at: /* @__PURE__ */ new Date(),
-        country: "US",
-        accessToken
-      };
-    });
+// src/react/hooks/useToken.tsx
+var useToken = () => {
+  const context = useContext3(TokenContext);
+  if (!context) {
+    throw new Error("useToken must be used within a TokenProvider");
   }
+  return context;
 };
 
-// src/services/SessionService.ts
-import { OAuth2Client, generateCodeVerifier } from "oslo/oauth2";
-import * as jose from "jose";
-
-// src/lib/oauth.ts
-import { v4 as uuid } from "uuid";
-var getIssuerVariations = (issuer) => {
-  const issuerWithoutSlash = issuer.endsWith("/") ? issuer.slice(0, issuer.length - 1) : issuer;
-  const issuerWithSlash = `${issuerWithoutSlash}/`;
-  return [issuerWithoutSlash, issuerWithSlash];
-};
-var addSlashIfNeeded = (url) => url.endsWith("/") ? url : `${url}/`;
-var getOauthEndpoints = (oauthServer) => __async(void 0, null, function* () {
-  const openIdConfigResponse = yield fetch(
-    `${addSlashIfNeeded(oauthServer)}.well-known/openid-configuration`
-  );
-  const openIdConfig = yield openIdConfigResponse.json();
-  return {
-    jwks: openIdConfig.jwks_uri,
-    auth: openIdConfig.authorization_endpoint,
-    token: openIdConfig.token_endpoint,
-    userinfo: openIdConfig.userinfo_endpoint
-  };
-});
-var generateState = (displayMode) => {
-  const jsonString = JSON.stringify({
-    uuid: uuid(),
-    displayMode
+// src/react/providers/UserProvider.tsx
+import { jsx as jsx3 } from "react/jsx-runtime";
+var UserContext = createContext4(null);
+var UserProvider = ({
+  children,
+  storage
+}) => {
+  const { isLoading: authLoading, error: authError } = useAuth();
+  const session = useSession();
+  const { accessToken } = useToken();
+  const { signIn, signOut } = useAuth();
+  const fetchUser = () => __async(void 0, null, function* () {
+    if (!accessToken) {
+      return null;
+    }
+    const userSession = new GenericUserSession(storage);
+    return userSession.get();
   });
-  return Buffer.from(jsonString).toString("base64");
-};
-var displayModeFromState = (state, sessionDisplayMode) => {
-  try {
-    const jsonString = Buffer.from(state, "base64").toString();
-    return JSON.parse(jsonString).displayMode;
-  } catch (_e) {
-    return sessionDisplayMode;
-  }
-};
-
-// src/utils.ts
-import { clsx } from "clsx";
-import { twMerge } from "tailwind-merge";
-var isPopupBlocked = () => {
-  const popup = window.open("", "", "width=1,height=1");
-  if (!popup) {
-    return true;
-  }
-  try {
-    if (typeof popup.closed === "undefined") {
-      throw new Error("Popup is blocked");
+  const {
+    data: user,
+    isLoading: userLoading,
+    error: userError
+  } = useQuery({
+    queryKey: ["user", session == null ? void 0 : session.idToken],
+    queryFn: fetchUser,
+    enabled: !!(session == null ? void 0 : session.idToken)
+    // Only run the query if we have an access token
+  });
+  const isLoading = authLoading || userLoading;
+  const error = authError || userError;
+  return /* @__PURE__ */ jsx3(
+    UserContext.Provider,
+    {
+      value: {
+        user: user != null ? user : null,
+        isLoading,
+        error,
+        signIn,
+        signOut
+      },
+      children
     }
-  } catch (e) {
-    return true;
-  }
-  popup.close();
-  return false;
-};
-var cn = (...inputs) => {
-  return twMerge(clsx(inputs));
+  );
 };
 
-// src/services/SessionService.ts
-var AuthSessionServiceImpl = class {
-  constructor(clientId, redirectUrl, oauthServer, inputEndpoints) {
-    this.clientId = clientId;
-    this.redirectUrl = redirectUrl;
-    this.oauthServer = oauthServer;
-    this.codeVerifier = void 0;
-    this.state = void 0;
-    this.codeVerifier = generateCodeVerifier();
-    this._endpoints = inputEndpoints;
-  }
-  getUserInfoService() {
-    return __async(this, null, function* () {
-      if (this._userInfoService) {
-        return this._userInfoService;
-      }
-      const endpoints = yield this.getEndpoints();
-      this._userInfoService = new UserInfoServiceImpl(endpoints);
-      return this._userInfoService;
-    });
-  }
-  getEndpoints() {
-    return __async(this, null, function* () {
-      if (this._endpoints) {
-        return this._endpoints;
-      }
-      this._endpoints = yield getOauthEndpoints(this.oauthServer);
-      return this._endpoints;
-    });
-  }
-  getOauth2Client() {
-    return __async(this, null, function* () {
-      if (this._oauth2Client) {
-        return this._oauth2Client;
-      }
-      const endpoints = yield this.getEndpoints();
-      this._oauth2Client = new OAuth2Client(
-        this.clientId,
-        endpoints.auth,
-        endpoints.token,
-        // this
-        { redirectURI: this.redirectUrl }
-      );
-      return this._oauth2Client;
-    });
-  }
-  getSessionData() {
-    return JSON.parse(
-      localStorage.getItem(`civic-auth:${this.clientId}`) || "{}"
-    );
-  }
-  updateSessionData(data) {
-    localStorage.setItem(
-      `civic-auth:${this.clientId}`,
-      JSON.stringify(__spreadValues({}, data))
-    );
-  }
-  getAuthorizationUrl(scopes, displayMode, nonce) {
-    return __async(this, null, function* () {
-      const state = generateState(displayMode);
-      this.state = state;
-      const existingSessionData = this.getSessionData();
-      this.updateSessionData(__spreadProps(__spreadValues({}, existingSessionData), {
-        codeVerifier: this.codeVerifier,
-        displayMode
-      }));
-      const oauth2Client = yield this.getOauth2Client();
-      const oAuthUrl = yield oauth2Client.createAuthorizationURL({
-        state,
-        codeVerifier: this.codeVerifier,
-        codeChallengeMethod: "S256",
-        scopes
-      });
-      if (nonce) {
-        oAuthUrl.searchParams.append("nonce", nonce);
-      }
-      return oAuthUrl.toString();
-    });
-  }
-  // TODO fix the Window reference
-  loadAuthorizationUrl(authorizationURL, displayMode) {
-    switch (displayMode) {
-      case "iframe":
-        break;
-      case "redirect":
-        window.location.href = authorizationURL;
-        break;
-      case "new_tab":
-        window.open(authorizationURL, "_blank");
-        break;
-      case "custom_tab":
-        break;
-    }
-  }
-  init() {
-    return __async(this, null, function* () {
-      this.updateSessionData({ authenticated: false });
-    });
-  }
-  determineDisplayMode(displayMode) {
-    if (isPopupBlocked() && displayMode === "iframe") {
-      displayMode = "redirect";
-    }
-    return displayMode;
-  }
-  signIn(displayMode, scopes, nonce) {
-    return __async(this, null, function* () {
-      const authorizationURL = yield this.getAuthorizationUrl(
-        scopes,
-        displayMode,
-        nonce
-      );
-      this.loadAuthorizationUrl(authorizationURL, displayMode);
-    });
-  }
-  tokenExchange(responseUrl) {
-    return __async(this, null, function* () {
-      let session = this.getSessionData();
-      if (!session.authenticated) {
-        const url = new URL(responseUrl);
-        const authorizationCode = url.searchParams.get("code");
-        const returnedState = url.searchParams.get("state");
-        if (!authorizationCode || !returnedState) {
-          throw new Error("Invalid authorization response");
-        }
-        const codeVerifier = this.getSessionData().codeVerifier;
-        const oauth2Client = yield this.getOauth2Client();
-        const tokens = yield oauth2Client.validateAuthorizationCode(
-          authorizationCode,
-          {
-            codeVerifier
-          }
-        );
-        try {
-          yield this.validateTokens(tokens);
-        } catch (error) {
-          console.error("tokenExchange tokens", { error, tokens });
-          throw new Error(
-            `OIDC tokens validation failed: ${error.message}`
-          );
-        }
-        const parsedDisplayMode = displayModeFromState(
-          returnedState,
-          session.displayMode
-        );
-        session = __spreadProps(__spreadValues({}, session), {
-          displayMode: parsedDisplayMode,
-          idToken: tokens.id_token,
-          authenticated: true,
-          state: returnedState,
-          accessToken: tokens.access_token,
-          refreshToken: tokens.refresh_token,
-          expiresIn: tokens.expires_in
-        });
-        this.updateSessionData(session);
-      }
-      if (session.displayMode === "new_tab") {
-        window.close();
-      } else if (session.displayMode === "redirect") {
-      }
-      return session;
-    });
-  }
-  refreshToken() {
-    return __async(this, null, function* () {
-      const sessionData = this.getSessionData();
-      if (!sessionData.refreshToken) {
-        throw new Error("No refresh token available");
-      }
-      const oauth2Client = yield this.getOauth2Client();
-      const tokens = yield oauth2Client.refreshAccessToken(
-        sessionData.refreshToken
-      );
-      const session = __spreadProps(__spreadValues({}, sessionData), {
-        idToken: tokens.id_token,
-        authenticated: true,
-        accessToken: tokens.access_token,
-        refreshToken: tokens.refresh_token,
-        expiresIn: tokens.expires_in
-      });
-      this.updateSessionData(session);
-      return session;
-    });
-  }
-  getUserInfo() {
-    return __async(this, null, function* () {
-      const sessionData = this.getSessionData();
-      if (!sessionData.accessToken) {
-        throw new Error("No access token available");
-      }
-      const userInfoService = yield this.getUserInfoService();
-      return userInfoService.getUserInfo(sessionData.accessToken);
-    });
-  }
-  /**
-   * Uses the jose library to validate a JWT token using the OAuth JWKS endpoint
-   * @param {string} token
-   * @returns {Promise<jose.JWTPayload>}
-   * @throws {Error} if the token is invalid
-   */
-  validateTokens(tokens) {
-    return __async(this, null, function* () {
-      const endpoints = yield this.getEndpoints();
-      const JWKS = jose.createRemoteJWKSet(new URL(endpoints.jwks));
-      const returnPayload = {};
-      console.log("issuer", getIssuerVariations(this.oauthServer));
-      const idTokenResponse = yield jose.jwtVerify(tokens.id_token, JWKS, {
-        issuer: getIssuerVariations(this.oauthServer),
-        audience: this.clientId
-      });
-      returnPayload.idToken = idTokenResponse.payload;
-      const accessTokenResponse = yield jose.jwtVerify(
-        tokens.access_token,
-        JWKS,
-        {
-          issuer: getIssuerVariations(this.oauthServer)
-        }
-      );
-      returnPayload.accessToken = accessTokenResponse.payload;
-      if (tokens.refresh_token) {
-        const refreshResponse = yield jose.jwtVerify(tokens.refresh_token, JWKS, {
-          issuer: getIssuerVariations(this.oauthServer)
-        });
-        returnPayload.refreshToken = refreshResponse.payload;
-      }
-      return returnPayload;
-    });
-  }
-  validateExistingSession() {
-    return __async(this, null, function* () {
-      const sessionData = this.getSessionData();
-      try {
-        if (!sessionData.idToken || !sessionData.accessToken) {
-          const unAuthenticatedSession = __spreadProps(__spreadValues({}, sessionData), { authenticated: false });
-          this.updateSessionData(unAuthenticatedSession);
-          return unAuthenticatedSession;
-        }
-        yield this.validateTokens({
-          id_token: sessionData.idToken,
-          access_token: sessionData.accessToken,
-          refresh_token: sessionData.refreshToken
-        });
-        sessionData.authenticated = true;
-        return sessionData;
-      } catch (error) {
-        console.warn("Failed to validate existing tokens", error);
-        const unAuthenticatedSession = __spreadProps(__spreadValues({}, sessionData), { authenticated: false });
-        this.updateSessionData(unAuthenticatedSession);
-        return unAuthenticatedSession;
-      }
-    });
-  }
-};
+// src/shared/AuthProvider.tsx
+import {
+  useCallback as useCallback2,
+  useEffect as useEffect2,
+  useMemo as useMemo2,
+  useRef as useRef2,
+  useState as useState2
+} from "react";
+import { useMutation as useMutation2, useQuery as useQuery2, useQueryClient as useQueryClient2 } from "@tanstack/react-query";
 
-// src/react/components/CivicAuthIframe.tsx
+// src/react/components/CivicAuthIframeContainer.tsx
 import { useCallback, useEffect, useRef, useState } from "react";
 
 // src/react/components/LoadingIcon.tsx
-import { jsx as jsx3, jsxs } from "react/jsx-runtime";
+import { jsx as jsx4, jsxs } from "react/jsx-runtime";
 var LoadingIcon = () => /* @__PURE__ */ jsxs("div", { role: "status", children: [
   /* @__PURE__ */ jsxs(
     "svg",
     {
       "aria-hidden": "true",
-      className: "inline h-8 w-8 animate-spin fill-neutral-600 text-neutral-200 dark:fill-neutral-300 dark:text-neutral-600",
+      className: "cac-inline cac-h-8 cac-w-8 cac-animate-spin cac-fill-neutral-600 cac-text-neutral-200 dark:cac-fill-neutral-300 dark:cac-text-neutral-600",
       viewBox: "0 0 100 101",
       fill: "none",
       xmlns: "http://www.w3.org/2000/svg",
       children: [
-        /* @__PURE__ */ jsx3(
+        /* @__PURE__ */ jsx4(
           "path",
           {
             d: "M100 50.5908C100 78.2051 77.6142 100.591 50 100.591C22.3858 100.591 0 78.2051 0 50.5908C0 22.9766 22.3858 0.59082 50 0.59082C77.6142 0.59082 100 22.9766 100 50.5908ZM9.08144 50.5908C9.08144 73.1895 27.4013 91.5094 50 91.5094C72.5987 91.5094 90.9186 73.1895 90.9186 50.5908C90.9186 27.9921 72.5987 9.67226 50 9.67226C27.4013 9.67226 9.08144 27.9921 9.08144 50.5908Z",
             fill: "currentColor"
           }
         ),
-        /* @__PURE__ */ jsx3(
+        /* @__PURE__ */ jsx4(
           "path",
           {
             d: "M93.9676 39.0409C96.393 38.4038 97.8624 35.9116 97.0079 33.5539C95.2932 28.8227 92.871 24.3692 89.8167 20.348C85.8452 15.1192 80.8826 10.7238 75.2124 7.41289C69.5422 4.10194 63.2754 1.94025 56.7698 1.05124C51.7666 0.367541 46.6976 0.446843 41.7345 1.27873C39.2613 1.69328 37.813 4.19778 38.4501 6.62326C39.0873 9.04874 41.5694 10.4717 44.0505 10.1071C47.8511 9.54855 51.7191 9.52689 55.5402 10.0491C60.8642 10.7766 65.9928 12.5457 70.6331 15.2552C75.2735 17.9648 79.3347 21.5619 82.5849 25.841C84.9175 28.9121 86.7997 32.2913 88.1811 35.8758C89.083 38.2158 91.5421 39.6781 93.9676 39.0409Z",
@@ -563,11 +248,11 @@ var LoadingIcon = () => /* @__PURE__ */ jsxs("div", { role: "status", children:
       ]
     }
   ),
-  /* @__PURE__ */ jsx3("span", { className: "sr-only", children: "Loading..." })
+  /* @__PURE__ */ jsx4("span", { className: "cac-sr-only", children: "Loading..." })
 ] });
 
-// src/react/components/CivicAuthIframe.tsx
-import { jsx as jsx4, jsxs as jsxs2 } from "react/jsx-runtime";
+// src/react/components/CloseIcon.tsx
+import { jsx as jsx5, jsxs as jsxs2 } from "react/jsx-runtime";
 var CloseIcon = () => /* @__PURE__ */ jsxs2(
   "svg",
   {
@@ -582,26 +267,90 @@ var CloseIcon = () => /* @__PURE__ */ jsxs2(
     strokeLinejoin: "round",
     className: "lucide lucide-x",
     children: [
-      /* @__PURE__ */ jsx4("path", { d: "M18 6 6 18" }),
-      /* @__PURE__ */ jsx4("path", { d: "m6 6 12 12" })
+      /* @__PURE__ */ jsx5("path", { d: "M18 6 6 18" }),
+      /* @__PURE__ */ jsx5("path", { d: "m6 6 12 12" })
     ]
   }
 );
-var IFRAME_ID = "civic-auth-iframe";
-var CivicAuthIframe = ({
-  authUrl,
-  redirectUri,
-  setAuthResponseUrl,
+
+// src/react/components/CivicAuthIframe.tsx
+import { forwardRef } from "react";
+import { jsx as jsx6 } from "react/jsx-runtime";
+var CivicAuthIframe = forwardRef(
+  ({ onLoad }, ref) => {
+    return /* @__PURE__ */ jsx6(
+      "iframe",
+      {
+        id: IFRAME_ID,
+        ref,
+        className: "cac-h-96 cac-w-80 cac-border-none",
+        onLoad
+      }
+    );
+  }
+);
+CivicAuthIframe.displayName = "CivicAuthIframe";
+
+// src/react/components/CivicAuthIframeContainer.tsx
+import { Fragment, jsx as jsx7, jsxs as jsxs3 } from "react/jsx-runtime";
+function NoChrome({
+  children
+}) {
+  return /* @__PURE__ */ jsx7(Fragment, { children });
+}
+function IframeChrome({
+  children,
   onClose
+}) {
+  return /* @__PURE__ */ jsx7(
+    "div",
+    {
+      className: "cac-absolute cac-left-0 cac-top-0 cac-z-50 cac-flex cac-h-screen cac-w-screen cac-items-center cac-justify-center cac-bg-neutral-950 cac-bg-opacity-50",
+      onClick: onClose,
+      children: /* @__PURE__ */ jsxs3(
+        "div",
+        {
+          className: "cac-relative cac-rounded-3xl cac-bg-white cac-p-6 cac-shadow-lg",
+          onClick: (e) => e.stopPropagation(),
+          children: [
+            /* @__PURE__ */ jsx7(
+              "button",
+              {
+                className: "cac-absolute cac-right-4 cac-top-4 cac-flex cac-cursor-pointer cac-items-center cac-justify-center cac-border-none cac-bg-transparent cac-p-1 cac-text-neutral-400",
+                onClick: onClose,
+                children: /* @__PURE__ */ jsx7(CloseIcon, {})
+              }
+            ),
+            children
+          ]
+        }
+      )
+    }
+  );
+}
+var CivicAuthIframeContainer = ({
+  onClose,
+  closeOnRedirect = true
 }) => {
-  const iframeRef = useRef(null);
+  var _a;
   const [isLoading, setIsLoading] = useState(true);
+  const { isLoading: isAuthLoading } = useAuth();
+  const config = useConfig();
+  const { serverTokenExchange } = config;
+  const { setAuthResponseUrl, iframeRef } = useSession();
   const processIframeUrl = useCallback(() => {
-    if (iframeRef.current && iframeRef.current.contentWindow) {
+    if (iframeRef && iframeRef.current && iframeRef.current.contentWindow) {
       try {
         const iframeUrl = iframeRef.current.contentWindow.location.href;
-        if (iframeUrl.startsWith(redirectUri)) {
-          setAuthResponseUrl(iframeUrl);
+        if (iframeUrl.startsWith(config.redirectUrl)) {
+          if (serverTokenExchange) {
+            const params = new URL(iframeUrl).searchParams;
+            params.set("tokenExchange", "true");
+            fetch(`${config.redirectUrl}?${params.toString()}`);
+          } else {
+            setAuthResponseUrl(iframeUrl);
+          }
+          if (closeOnRedirect) onClose == null ? void 0 : onClose();
           return true;
         }
       } catch (e) {
@@ -609,14 +358,24 @@ var CivicAuthIframe = ({
       }
     }
     return false;
-  }, [redirectUri, setAuthResponseUrl]);
+  }, [
+    closeOnRedirect,
+    config.redirectUrl,
+    iframeRef,
+    onClose,
+    serverTokenExchange,
+    setAuthResponseUrl
+  ]);
   const intervalId = useRef();
-  useEffect(() => {
-    const handleEscape = (event) => {
+  const handleEscape = useCallback(
+    (event) => {
       if (event.key === "Escape") {
-        onClose();
+        onClose == null ? void 0 : onClose();
       }
-    };
+    },
+    [onClose]
+  );
+  useEffect(() => {
     window.addEventListener("keydown", handleEscape);
     return () => window.removeEventListener("keydown", handleEscape);
   });
@@ -627,214 +386,51 @@ var CivicAuthIframe = ({
       clearInterval(intervalId.current);
     }
   };
-  return /* @__PURE__ */ jsx4(
-    "div",
-    {
-      className: "absolute left-0 top-0 z-[9999] flex h-screen w-screen items-center justify-center bg-neutral-950 bg-opacity-50",
-      onClick: onClose,
-      children: /* @__PURE__ */ jsxs2(
-        "div",
-        {
-          className: "relative rounded-3xl bg-white p-6 shadow-lg",
-          onClick: (e) => e.stopPropagation(),
-          children: [
-            /* @__PURE__ */ jsx4(
-              "button",
-              {
-                className: "absolute right-4 top-4 flex cursor-pointer items-center justify-center border-none bg-transparent p-1 text-neutral-400",
-                onClick: onClose,
-                children: /* @__PURE__ */ jsx4(CloseIcon, {})
-              }
-            ),
-            isLoading && /* @__PURE__ */ jsx4("div", { className: "absolute inset-0 flex items-center justify-center rounded-3xl bg-neutral-100", children: /* @__PURE__ */ jsx4(LoadingIcon, {}) }),
-            /* @__PURE__ */ jsx4(
-              "iframe",
-              {
-                id: IFRAME_ID,
-                ref: iframeRef,
-                src: authUrl,
-                className: "h-48 w-80 border-none",
-                onLoad: handleIframeLoad
-              }
-            )
-          ]
-        }
-      )
-    }
-  );
+  const showLoadingIcon = isLoading || isAuthLoading || !((_a = iframeRef == null ? void 0 : iframeRef.current) == null ? void 0 : _a.getAttribute("src"));
+  const WrapperComponent = config.modalIframe ? IframeChrome : NoChrome;
+  return /* @__PURE__ */ jsxs3(WrapperComponent, { onClose, children: [
+    showLoadingIcon && /* @__PURE__ */ jsx7("div", { className: "cac-absolute cac-inset-0 cac-flex cac-items-center cac-justify-center cac-rounded-3xl cac-bg-neutral-100", children: /* @__PURE__ */ jsx7(LoadingIcon, {}) }),
+    /* @__PURE__ */ jsx7(CivicAuthIframe, { ref: iframeRef, onLoad: handleIframeLoad })
+  ] });
 };
 
-// src/react/components/UserButton.tsx
-import { useEffect as useEffect2, useState as useState2 } from "react";
-import { jsx as jsx5, jsxs as jsxs3 } from "react/jsx-runtime";
-var ChevronDown = () => /* @__PURE__ */ jsx5(
-  "svg",
-  {
-    xmlns: "http://www.w3.org/2000/svg",
-    width: "24",
-    height: "24",
-    viewBox: "0 0 24 24",
-    fill: "none",
-    stroke: "currentColor",
-    strokeWidth: "2",
-    strokeLinecap: "round",
-    strokeLinejoin: "round",
-    className: "lucide lucide-chevron-down",
-    children: /* @__PURE__ */ jsx5("path", { d: "m6 9 6 6 6-6" })
-  }
-);
-var ChevronUp = () => /* @__PURE__ */ jsx5(
-  "svg",
-  {
-    xmlns: "http://www.w3.org/2000/svg",
-    width: "24",
-    height: "24",
-    viewBox: "0 0 24 24",
-    fill: "none",
-    stroke: "currentColor",
-    strokeWidth: "2",
-    strokeLinecap: "round",
-    strokeLinejoin: "round",
-    className: "lucide lucide-chevron-up",
-    children: /* @__PURE__ */ jsx5("path", { d: "m18 15-6-6-6 6" })
-  }
-);
-var UserButton = ({
-  displayMode,
-  className
-}) => {
-  const [isOpen, setIsOpen] = useState2(false);
-  const { signIn, isAuthenticated, signOut } = useAuth();
-  const { user } = useUser();
-  useEffect2(() => {
-    const handleEscape = (event) => {
-      if (event.key === "Escape") {
-        setIsOpen(false);
-      }
-    };
-    if (isOpen) {
-      window.addEventListener("keydown", handleEscape);
-    }
-    return () => {
-      window.removeEventListener("keydown", handleEscape);
-    };
-  }, [isOpen]);
-  useEffect2(() => {
-    const handleClick = (event) => {
-      const target = event.target;
-      if (!target.closest("#civic-dropdown-container")) {
-        setIsOpen(false);
-      }
-    };
-    if (isOpen) {
-      window.addEventListener("click", handleClick);
-    }
-    return () => {
-      window.removeEventListener("click", handleClick);
-    };
-  }, [isOpen]);
-  useEffect2(() => {
-    if (!isAuthenticated) {
-      setIsOpen(false);
-    }
-  }, [isAuthenticated]);
-  if (isAuthenticated) {
-    return /* @__PURE__ */ jsxs3("div", { className: "relative", id: "civic-dropdown-container", children: [
-      /* @__PURE__ */ jsxs3(
-        "button",
-        {
-          className: cn(
-            "flex w-full items-center justify-between gap-2 rounded-full border border-neutral-500 px-3 py-2 text-neutral-500 transition-colors hover:bg-neutral-200 hover:bg-opacity-50",
-            className
-          ),
-          onClick: () => setIsOpen((isOpen2) => !isOpen2),
-          children: [
-            (user == null ? void 0 : user.picture) ? /* @__PURE__ */ jsx5("span", { className: "relative flex h-10 w-10 shrink-0 gap-2 overflow-hidden rounded-full", children: /* @__PURE__ */ jsx5(
-              "img",
-              {
-                className: "h-full w-full object-cover",
-                src: user.picture,
-                alt: (user == null ? void 0 : user.name) || (user == null ? void 0 : user.email)
-              }
-            ) }) : /* @__PURE__ */ jsx5("div", {}),
-            /* @__PURE__ */ jsx5("span", { children: (user == null ? void 0 : user.name) || (user == null ? void 0 : user.email) }),
-            isOpen ? /* @__PURE__ */ jsx5(ChevronUp, {}) : /* @__PURE__ */ jsx5(ChevronDown, {})
-          ]
-        }
-      ),
-      /* @__PURE__ */ jsx5(
-        "div",
-        {
-          className: isOpen ? "absolute right-0 mt-2 w-full rounded-lg bg-white py-2 text-neutral-500 shadow-xl" : "hidden",
-          children: /* @__PURE__ */ jsx5("ul", { children: /* @__PURE__ */ jsx5("li", { children: /* @__PURE__ */ jsx5(
-            "button",
-            {
-              className: "block w-full px-4 py-2 transition-colors hover:bg-neutral-200 hover:bg-opacity-50",
-              onClick: () => signOut(),
-              children: "Logout"
-            }
-          ) }) })
-        }
-      )
-    ] });
-  }
-  return /* @__PURE__ */ jsx5(
-    "button",
-    {
-      className: cn(
-        "rounded-full border border-neutral-500 px-3 py-2 transition-colors hover:bg-neutral-200 hover:bg-opacity-50",
-        className
-      ),
-      onClick: () => signIn(displayMode),
-      children: "Sign in"
-    }
-  );
-};
-
-// src/react/providers/ParamsProvider.tsx
-import { createContext as createContext3 } from "react";
-import { jsx as jsx6 } from "react/jsx-runtime";
-var ParamsContext = createContext3(null);
-var ParamsProvider = ({
-  children,
-  clientId,
-  redirectUrl,
-  config,
-  nonce
-}) => {
-  const value = {
-    clientId,
-    redirectUrl,
-    config,
-    nonce
-  };
-  return /* @__PURE__ */ jsx6(ParamsContext.Provider, { value, children });
-};
-
-// src/react/providers/SessionProvider.tsx
-import { createContext as createContext4 } from "react";
-import { jsx as jsx7 } from "react/jsx-runtime";
-var defaultSession = {
-  authenticated: false,
-  idToken: void 0,
-  accessToken: void 0,
-  displayMode: "iframe"
-};
-var SessionContext = createContext4(defaultSession);
-var SessionProvider = ({ children, session }) => /* @__PURE__ */ jsx7(SessionContext.Provider, { value: session || defaultSession, children });
-
-// src/constants.ts
-var DEFAULT_SCOPES = ["openid", "profile", "email", "forwardedTokens"];
-
 // src/config.ts
 var authConfig = {
   // TODO change this to the production URL once we're out of beta
   oauthServer: "https://auth-dev.civic.com/oauth/"
 };
 
-// src/react/providers/AuthProvider.tsx
-import { jsx as jsx8, jsxs as jsxs4 } from "react/jsx-runtime";
-var AuthContext = createContext5(null);
+// src/react/providers/ConfigProvider.tsx
+import { createContext as createContext5 } from "react";
+import { jsx as jsx8 } from "react/jsx-runtime";
+var defaultConfig = {
+  config: authConfig,
+  redirectUrl: "",
+  modalIframe: true,
+  serverTokenExchange: false
+};
+var ConfigContext = createContext5(defaultConfig);
+var ConfigProvider = ({
+  children,
+  config,
+  redirectUrl,
+  modalIframe,
+  serverTokenExchange
+}) => /* @__PURE__ */ jsx8(
+  ConfigContext.Provider,
+  {
+    value: {
+      config,
+      redirectUrl,
+      modalIframe: !!modalIframe,
+      serverTokenExchange
+    },
+    children
+  }
+);
+
+// src/shared/AuthProvider.tsx
+import { jsx as jsx9, jsxs as jsxs4 } from "react/jsx-runtime";
 var globalThisObject;
 if (typeof window !== "undefined") {
   globalThisObject = window;
@@ -844,35 +440,36 @@ if (typeof window !== "undefined") {
   globalThisObject = Function("return this")();
 }
 globalThisObject.globalThis = globalThisObject;
+function BlockDisplay({ children }) {
+  return /* @__PURE__ */ jsx9("div", { className: "cac-absolute cac-left-0 cac-top-0 cac-z-50 cac-flex cac-h-screen cac-w-screen cac-items-center cac-justify-center cac-bg-white", children: /* @__PURE__ */ jsx9("div", { className: "cac-absolute cac-inset-0 cac-flex cac-items-center cac-justify-center cac-bg-white", children }) });
+}
 var AuthProvider = ({
   children,
   clientId,
   redirectUrl: inputRedirectUrl,
   config = authConfig,
-  nonce,
   onSignIn,
-  onSignOut
+  onSignOut,
+  pkceConsumer,
+  nonce,
+  modalIframe = true
 }) => {
-  const [iframeUrl, setIframeUrl] = useState3(null);
-  const [currentUrl, setCurrentUrl] = useState3(null);
-  const [isInIframe, setIsInIframe] = useState3(false);
-  const [authResponseUrl, setAuthResponseUrl] = useState3(null);
-  const [tokenExchangeInProgress, setTokenExchangeInProgress] = useState3(false);
-  const [tokenExchangeError, setTokenExchangeError] = useState3();
-  const queryClient2 = useQueryClient2();
-  useEffect3(() => {
-    var _a, _b;
+  const [iframeUrl, setIframeUrl] = useState2(null);
+  const [currentUrl, setCurrentUrl] = useState2(null);
+  const [isInIframe, setIsInIframe] = useState2(false);
+  const [authResponseUrl, setAuthResponseUrl] = useState2(null);
+  const [tokenExchangeError, setTokenExchangeError] = useState2();
+  const [displayMode, setDisplayMode] = useState2("iframe");
+  const [browserAuthenticationInitiator, setBrowserAuthenticationInitiator] = useState2();
+  const [showIFrame, setShowIFrame] = useState2(false);
+  const [isRedirecting, setIsRedirecting] = useState2(false);
+  const queryClient3 = useQueryClient2();
+  const iframeRef = useRef2(null);
+  const serverTokenExchange = pkceConsumer instanceof ConfidentialClientPKCEConsumer;
+  useEffect2(() => {
     if (typeof globalThis.window !== "undefined") {
       setCurrentUrl(globalThis.window.location.href);
-      let isInIframeVal = false;
-      try {
-        if (((_b = (_a = globalThis.window) == null ? void 0 : _a.frameElement) == null ? void 0 : _b.id) === "civic-auth-iframe") {
-          isInIframeVal = true;
-        }
-      } catch (_e) {
-        isInIframeVal = false;
-      }
-      console.log("isInIframeVal", isInIframeVal);
+      const isInIframeVal = isWindowInIframe(globalThis.window);
       setIsInIframe(isInIframeVal);
     }
   }, []);
@@ -880,42 +477,56 @@ var AuthProvider = ({
     () => (inputRedirectUrl || currentUrl || "").split("?")[0],
     [currentUrl, inputRedirectUrl]
   );
-  const authService = useMemo2(
-    () => currentUrl ? new AuthSessionServiceImpl(
+  const [authService, setAuthService] = useState2();
+  useEffect2(() => {
+    if (!currentUrl) return;
+    BrowserAuthenticationService.build({
       clientId,
       redirectUrl,
-      config == null ? void 0 : config.oauthServer,
-      config == null ? void 0 : config.endpoints
-    ) : null,
-    [currentUrl, clientId, redirectUrl, config]
-  );
+      oauthServer: config.oauthServer,
+      scopes: DEFAULT_SCOPES,
+      displayMode
+    }).then(setAuthService);
+  }, [currentUrl, clientId, redirectUrl, config, displayMode]);
   const {
     data: session,
     isLoading,
     error
   } = useQuery2({
-    queryKey: ["session"],
+    queryKey: [
+      "session",
+      authResponseUrl,
+      iframeUrl,
+      currentUrl,
+      isInIframe,
+      authService
+    ],
     queryFn: () => __async(void 0, null, function* () {
-      const url = new URL(globalThis.window.location.href || "");
-      console.log("AuthProvider useQuery", { isInIframe, url, authService });
       if (!authService) {
         return { authenticated: false };
       }
-      const existingSessionData = yield authService.validateExistingSession();
-      if (existingSessionData.authenticated) {
-        return existingSessionData;
-      }
+      const url = new URL(
+        authResponseUrl ? authResponseUrl : globalThis.window.location.href || ""
+      );
       const code = url.searchParams.get("code");
-      if (code && !isInIframe) {
+      const state = url.searchParams.get("state");
+      if (!serverTokenExchange && code && state && !isInIframe) {
         try {
-          console.log("AuthProvider useQuery code", { isInIframe, code });
-          setTokenExchangeInProgress(true);
-          const newSession = yield authService.tokenExchange(
-            globalThis.window.location.href
-          );
-          setTokenExchangeInProgress(false);
+          console.log("AuthProvider useQuery code", {
+            isInIframe,
+            code,
+            state
+          });
+          yield authService.tokenExchange(code, state);
+          const clientStorage = new LocalStorageAdapter();
+          const user = yield getUser(clientStorage);
+          if (!user) {
+            throw new Error("Failed to get user info");
+          }
+          const userSession = new GenericUserSession(clientStorage);
+          userSession.set(user);
           onSignIn == null ? void 0 : onSignIn();
-          return newSession;
+          return authService.getSessionData();
         } catch (error2) {
           setTokenExchangeError(error2);
           onSignIn == null ? void 0 : onSignIn(
@@ -924,173 +535,460 @@ var AuthProvider = ({
           return { authenticated: false };
         }
       }
+      const existingSessionData = yield authService.validateExistingSession();
+      if (existingSessionData.authenticated) {
+        return existingSessionData;
+      }
       return existingSessionData;
-    }),
-    enabled: !!authService && !!currentUrl && !isInIframe
+    })
   });
   const signOutMutation = useMutation2({
     mutationFn: () => __async(void 0, null, function* () {
-      authService == null ? void 0 : authService.updateSessionData({});
+      const authInitiator = getAuthInitiator();
+      authInitiator == null ? void 0 : authInitiator.signOut();
+      setIframeUrl(null);
+      setShowIFrame(false);
       setAuthResponseUrl(null);
       onSignOut == null ? void 0 : onSignOut();
     }),
     onSuccess: () => {
-      queryClient2.setQueryData(["session"], null);
+      queryClient3.setQueryData(
+        [
+          "session",
+          authResponseUrl,
+          iframeUrl,
+          currentUrl,
+          isInIframe,
+          authService
+        ],
+        null
+      );
     }
   });
+  const getAuthInitiator = useCallback2(
+    (overrideDisplayMode) => {
+      const useDisplayMode = overrideDisplayMode || displayMode;
+      if (!pkceConsumer) {
+        return null;
+      }
+      return browserAuthenticationInitiator || new BrowserAuthenticationInitiator({
+        pkceConsumer,
+        // generate and retrieve the challenge client-side
+        clientId,
+        redirectUrl,
+        state: generateState(useDisplayMode),
+        scopes: DEFAULT_SCOPES,
+        displayMode: useDisplayMode,
+        oauthServer: config.oauthServer,
+        // the endpoints to use for the login (if not obtained from the auth server
+        endpointOverrides: config.endpoints,
+        nonce
+      });
+    },
+    [
+      displayMode,
+      browserAuthenticationInitiator,
+      clientId,
+      redirectUrl,
+      config.oauthServer,
+      config.endpoints,
+      pkceConsumer,
+      nonce
+    ]
+  );
   const signIn = useCallback2(
     (overrideDisplayMode = "iframe") => __async(void 0, null, function* () {
-      if (!authService) return;
-      const url = yield authService.getAuthorizationUrl(
-        // This is the default scope. We will eventually pull this from the partner dashboard
-        DEFAULT_SCOPES,
-        overrideDisplayMode,
-        nonce
-      );
+      setDisplayMode(overrideDisplayMode);
+      const authInitiator = getAuthInitiator(overrideDisplayMode);
+      setBrowserAuthenticationInitiator(authInitiator);
       if (overrideDisplayMode === "iframe") {
-        setIframeUrl(url);
-        return;
+        setShowIFrame(true);
+      } else if (overrideDisplayMode === "redirect") {
+        setIsRedirecting(true);
       }
-      authService.loadAuthorizationUrl(url, overrideDisplayMode);
+      authInitiator == null ? void 0 : authInitiator.signIn(iframeRef.current);
     }),
-    [authService, nonce]
+    [getAuthInitiator]
   );
   const isAuthenticated = useMemo2(
     () => session ? session.authenticated : false,
     [session]
   );
-  useEffect3(() => {
-    if (!authService || !authResponseUrl) return;
-    const url = new URL(authResponseUrl);
-    const code = url.searchParams.get("code");
-    console.log("AuthProvider useEffect code", {
-      isAuthenticated,
-      code,
-      tokenExchangeInProgress,
-      isInIframe
-    });
-    if (code && !isAuthenticated && !tokenExchangeInProgress && !isInIframe) {
-      try {
-        setTokenExchangeInProgress(true);
-        authService.tokenExchange(authResponseUrl).then((newSession) => {
-          queryClient2.setQueryData(["session"], newSession);
-          setIframeUrl(null);
-          onSignIn == null ? void 0 : onSignIn();
-        }).catch((error2) => {
-          setTokenExchangeError(error2);
-        }).finally(() => {
-          setTokenExchangeInProgress(false);
-        });
-      } catch (error2) {
-        setTokenExchangeInProgress(false);
-        onSignIn == null ? void 0 : onSignIn(
-          error2 instanceof Error ? error2 : new Error("Failed to sign in")
-        );
+  const {
+    data: autoSignIn,
+    isLoading: autoSignInLoading,
+    error: autoSignInError
+  } = useQuery2({
+    queryKey: ["autoSignIn", modalIframe, redirectUrl, isAuthenticated],
+    queryFn: () => __async(void 0, null, function* () {
+      if (!modalIframe && redirectUrl && !isAuthenticated && iframeRef.current) {
+        signIn("iframe");
       }
-    }
-  }, [
-    authService,
-    onSignIn,
-    queryClient2,
-    isAuthenticated,
-    authResponseUrl,
-    tokenExchangeInProgress,
-    isInIframe
-  ]);
+      return true;
+    }),
+    refetchOnWindowFocus: false
+  });
   const value = useMemo2(
     () => ({
       isLoading,
       error,
-      signOut: signOutMutation.mutate,
+      signOut: () => __async(void 0, null, function* () {
+        yield signOutMutation.mutateAsync();
+      }),
       isAuthenticated,
       signIn
     }),
-    [isLoading, error, signOutMutation.mutate, isAuthenticated, signIn]
+    [isLoading, error, signOutMutation, isAuthenticated, signIn]
   );
-  return /* @__PURE__ */ jsx8(
-    AuthContext.Provider,
+  return /* @__PURE__ */ jsx9(AuthContext.Provider, { value, children: /* @__PURE__ */ jsx9(
+    ConfigProvider,
     {
-      value: __spreadProps(__spreadValues({}, value), {
-        signOut: () => __async(void 0, null, function* () {
-          yield signOutMutation.mutateAsync();
-        })
-      }),
-      children: /* @__PURE__ */ jsx8(
-        ParamsProvider,
+      config,
+      redirectUrl,
+      modalIframe,
+      serverTokenExchange,
+      children: /* @__PURE__ */ jsx9(
+        SessionProvider,
         {
-          clientId,
-          redirectUrl,
-          config,
-          nonce,
-          children: /* @__PURE__ */ jsx8(SessionProvider, { session, children: /* @__PURE__ */ jsx8(TokenProvider, { children: /* @__PURE__ */ jsxs4(UserProvider, { children: [
-            !isInIframe && iframeUrl && !(session == null ? void 0 : session.authenticated) && /* @__PURE__ */ jsx8(
-              CivicAuthIframe,
+          session,
+          setAuthResponseUrl,
+          iframeRef,
+          children: /* @__PURE__ */ jsx9(TokenProvider, { children: /* @__PURE__ */ jsxs4(UserProvider, { storage: new LocalStorageAdapter(), children: [
+            modalIframe && !isInIframe && !(session == null ? void 0 : session.authenticated) && /* @__PURE__ */ jsx9(
+              "div",
               {
-                authUrl: iframeUrl,
-                redirectUri: redirectUrl,
-                setAuthResponseUrl,
-                onClose: () => setIframeUrl(null)
+                style: showIFrame ? { display: "block" } : { display: "none" },
+                children: /* @__PURE__ */ jsx9(
+                  CivicAuthIframeContainer,
+                  {
+                    onClose: () => setShowIFrame(false)
+                  }
+                )
               }
             ),
-            (tokenExchangeInProgress || tokenExchangeError || isLoading || isInIframe) && /* @__PURE__ */ jsxs4("div", { className: "absolute left-0 top-0 z-[9999] flex h-screen w-screen items-center justify-center bg-white", children: [
-              " ",
-              /* @__PURE__ */ jsx8("div", { className: "absolute inset-0 flex items-center justify-center bg-white", children: tokenExchangeError ? /* @__PURE__ */ jsxs4("div", { children: [
-                "Error: ",
-                tokenExchangeError.message
-              ] }) : /* @__PURE__ */ jsx8(LoadingIcon, {}) })
-            ] }),
+            modalIframe && (isInIframe || isRedirecting || isLoading) && /* @__PURE__ */ jsx9(BlockDisplay, { children: /* @__PURE__ */ jsx9(LoadingIcon, {}) }),
+            (tokenExchangeError || error) && /* @__PURE__ */ jsx9(BlockDisplay, { children: /* @__PURE__ */ jsxs4("div", { children: [
+              "Error: ",
+              (tokenExchangeError || error).message
+            ] }) }),
             children
-          ] }) }) })
+          ] }) })
         }
       )
     }
-  );
+  ) });
 };
 
-// src/react/providers/CivicProvider.tsx
+// src/shared/CivicAuthProvider.tsx
 import { QueryClient, QueryClientProvider } from "@tanstack/react-query";
-import { jsx as jsx9 } from "react/jsx-runtime";
+import "@civic/auth/styles.css";
+import { jsx as jsx10 } from "react/jsx-runtime";
 var queryClient = new QueryClient();
-var CivicProvider = (_a) => {
+var CivicAuthProvider = (_a) => {
   var _b = _a, { children } = _b, props = __objRest(_b, ["children"]);
-  return /* @__PURE__ */ jsx9(QueryClientProvider, { client: queryClient, children: /* @__PURE__ */ jsx9(AuthProvider, __spreadProps(__spreadValues({}, props), { children })) });
+  return /* @__PURE__ */ jsx10(QueryClientProvider, { client: queryClient, children: /* @__PURE__ */ jsx10(
+    AuthProvider,
+    __spreadProps(__spreadValues({}, props), {
+      pkceConsumer: new BrowserPublicClientPKCEProducer(),
+      children
+    })
+  ) });
+};
+
+// src/react/providers/NextAuthProvider.tsx
+import { createContext as createContext6, useContext as useContext4, useEffect as useEffect4, useState as useState3 } from "react";
+
+// src/react/hooks/useUserCookie.ts
+import { useEffect as useEffect3, useRef as useRef3 } from "react";
+import { useRouter } from "next/navigation.js";
+import { useQuery as useQuery3 } from "@tanstack/react-query";
+
+// src/lib/cookies.ts
+var getCookieValue = (key, window2) => {
+  const cookie = window2.document.cookie;
+  if (!cookie) return null;
+  const cookies = cookie.split(";");
+  for (const c of cookies) {
+    const [name, value] = c.trim().split("=");
+    if (value && name === key) {
+      try {
+        return JSON.parse(decodeURIComponent(value));
+      } catch (e) {
+        console.log("Error parsing cookie value", e);
+        return value;
+      }
+    }
+  }
+  return null;
+};
+
+// src/react/hooks/useUserCookie.ts
+var getUserFromCookie = () => {
+  const userCookie = getCookieValue("user", globalThis.window);
+  return userCookie;
+};
+var useUserCookie = () => {
+  const hasRunRef = useRef3(false);
+  const router = useRouter();
+  const { data: user } = useQuery3({
+    queryKey: ["user"],
+    queryFn: () => getUserFromCookie(),
+    refetchInterval: 2e3,
+    refetchIntervalInBackground: true,
+    enabled: !hasRunRef.current,
+    refetchOnWindowFocus: true
+  });
+  useEffect3(() => {
+    if (user) {
+      if (!hasRunRef.current) {
+        hasRunRef.current = true;
+        router.refresh();
+      }
+    } else {
+      hasRunRef.current = false;
+    }
+  }, [user, router]);
+  return user;
+};
+
+// src/react/providers/NextAuthProvider.tsx
+import { QueryClient as QueryClient2, QueryClientProvider as QueryClientProvider2 } from "@tanstack/react-query";
+import "@civic/auth/styles.css";
+import { jsx as jsx11 } from "react/jsx-runtime";
+var queryClient2 = new QueryClient2();
+var defaultUserContext = { user: null };
+var UserContext2 = createContext6(defaultUserContext);
+var CivicNextAuthProvider = (_a) => {
+  var _b = _a, {
+    children
+  } = _b, props = __objRest(_b, [
+    "children"
+  ]);
+  const user = useUserCookie();
+  const [redirectUrl, setRedirectUrl] = useState3("");
+  const { clientId, oauthServer, callbackUrl, challengeUrl } = resolveAuthConfig();
+  useEffect4(() => {
+    if (typeof globalThis.window !== "undefined") {
+      const currentUrl = globalThis.window.location.href;
+      setRedirectUrl(resolveCallbackUrl(resolveAuthConfig(), currentUrl));
+    }
+  }, [callbackUrl]);
+  return /* @__PURE__ */ jsx11(QueryClientProvider2, { client: queryClient2, children: /* @__PURE__ */ jsx11(
+    AuthProvider,
+    __spreadProps(__spreadValues({}, props), {
+      redirectUrl,
+      config: { oauthServer },
+      clientId,
+      pkceConsumer: new ConfidentialClientPKCEConsumer(challengeUrl),
+      children: /* @__PURE__ */ jsx11(UserContext2.Provider, { value: user, children })
+    })
+  ) });
 };
+var useNextUser = () => useContext4(UserContext2);
 
 // src/react/hooks/useUser.tsx
 var useUser = () => {
-  const context = useContext3(UserContext);
+  const context = useContext5(UserContext);
   if (!context) {
     throw new Error("useUser must be used within a UserProvider");
   }
   return context;
 };
 
-// src/react/hooks/useParams.tsx
-import { useContext as useContext4 } from "react";
-var useParams = () => {
-  const context = useContext4(ParamsContext);
+// src/react/hooks/useConfig.tsx
+import { useContext as useContext6 } from "react";
+var useConfig = () => {
+  const context = useContext6(ConfigContext);
   if (!context) {
-    throw new Error("useParams must be used within an ParamsProvider");
+    throw new Error("useConfig must be used within an ConfigProvider");
   }
   return context;
 };
 
-// src/react/hooks/useSession.tsx
-import { useContext as useContext5 } from "react";
-var useSession = () => {
-  const context = useContext5(SessionContext);
-  if (!context) {
-    throw new Error("useSession must be used within an SessionProvider");
+// src/react/components/UserButton.tsx
+import { useCallback as useCallback3, useEffect as useEffect5, useState as useState4 } from "react";
+import { jsx as jsx12, jsxs as jsxs5 } from "react/jsx-runtime";
+var ChevronDown = () => /* @__PURE__ */ jsx12(
+  "svg",
+  {
+    xmlns: "http://www.w3.org/2000/svg",
+    width: "24",
+    height: "24",
+    viewBox: "0 0 24 24",
+    fill: "none",
+    stroke: "currentColor",
+    strokeWidth: "2",
+    strokeLinecap: "round",
+    strokeLinejoin: "round",
+    className: "lucide lucide-chevron-down",
+    children: /* @__PURE__ */ jsx12("path", { d: "m6 9 6 6 6-6" })
   }
-  return context;
+);
+var ChevronUp = () => /* @__PURE__ */ jsx12(
+  "svg",
+  {
+    xmlns: "http://www.w3.org/2000/svg",
+    width: "24",
+    height: "24",
+    viewBox: "0 0 24 24",
+    fill: "none",
+    stroke: "currentColor",
+    strokeWidth: "2",
+    strokeLinecap: "round",
+    strokeLinejoin: "round",
+    className: "lucide lucide-chevron-up",
+    children: /* @__PURE__ */ jsx12("path", { d: "m18 15-6-6-6 6" })
+  }
+);
+var UserButton = ({
+  displayMode,
+  className
+}) => {
+  const [isOpen, setIsOpen] = useState4(false);
+  const { signIn, isAuthenticated, signOut } = useAuth();
+  const { user } = useUser();
+  const handleClickOutside = useCallback3((event) => {
+    const target = event.target;
+    if (!target.closest("#civic-dropdown-container")) {
+      setIsOpen(false);
+    }
+  }, []);
+  const handleSignOut = useCallback3(() => __async(void 0, null, function* () {
+    yield signOut();
+    setIsOpen(false);
+  }), [signOut]);
+  const handleSignIn = useCallback3(() => __async(void 0, null, function* () {
+    yield signIn(displayMode);
+    setIsOpen(false);
+  }), [signIn, displayMode]);
+  const handleEscape = useCallback3((event) => {
+    if (event.key === "Escape") {
+      setIsOpen(false);
+    }
+  }, []);
+  useEffect5(() => {
+    if (isOpen) {
+      window.addEventListener("click", handleClickOutside);
+      window.addEventListener("keydown", handleEscape);
+    }
+    return () => {
+      window.removeEventListener("click", handleClickOutside);
+      window.removeEventListener("keydown", handleEscape);
+    };
+  }, [handleClickOutside, handleEscape, isOpen]);
+  if (isAuthenticated) {
+    return /* @__PURE__ */ jsxs5("div", { className: "cac-relative", id: "civic-dropdown-container", children: [
+      /* @__PURE__ */ jsxs5(
+        "button",
+        {
+          className: cn(
+            "cac-flex cac-w-full cac-items-center cac-justify-between cac-gap-2 cac-rounded-full cac-border cac-border-neutral-500 cac-px-3 cac-py-2 cac-text-neutral-500 cac-transition-colors hover:cac-bg-neutral-200 hover:cac-bg-opacity-50",
+            className
+          ),
+          onClick: () => setIsOpen((isOpen2) => !isOpen2),
+          children: [
+            (user == null ? void 0 : user.picture) ? /* @__PURE__ */ jsx12("span", { className: "cac-relative cac-flex cac-h-10 cac-w-10 cac-shrink-0 cac-gap-2 cac-overflow-hidden cac-rounded-full", children: /* @__PURE__ */ jsx12(
+              "img",
+              {
+                className: "cac-h-full cac-w-full cac-object-cover",
+                src: user.picture,
+                alt: (user == null ? void 0 : user.name) || (user == null ? void 0 : user.email)
+              }
+            ) }) : /* @__PURE__ */ jsx12("div", {}),
+            /* @__PURE__ */ jsx12("span", { children: (user == null ? void 0 : user.name) || (user == null ? void 0 : user.email) }),
+            isOpen ? /* @__PURE__ */ jsx12(ChevronUp, {}) : /* @__PURE__ */ jsx12(ChevronDown, {})
+          ]
+        }
+      ),
+      /* @__PURE__ */ jsx12(
+        "div",
+        {
+          className: isOpen ? "cac-absolute cac-right-0 cac-mt-2 cac-w-full cac-rounded-lg cac-bg-white cac-py-2 cac-text-neutral-500 cac-shadow-xl" : "cac-hidden",
+          children: /* @__PURE__ */ jsx12("ul", { children: /* @__PURE__ */ jsx12("li", { children: /* @__PURE__ */ jsx12(
+            "button",
+            {
+              className: "cac-block cac-w-full cac-px-4 cac-py-2 cac-transition-colors hover:cac-bg-neutral-200 hover:cac-bg-opacity-50",
+              onClick: handleSignOut,
+              children: "Logout"
+            }
+          ) }) })
+        }
+      )
+    ] });
+  }
+  return /* @__PURE__ */ jsx12(
+    "button",
+    {
+      "data-testid": "sign-in-button",
+      className: cn(
+        "cac-rounded-full cac-border cac-border-neutral-500 cac-px-3 cac-py-2 cac-transition-colors hover:cac-bg-neutral-200 hover:cac-bg-opacity-50",
+        className
+      ),
+      onClick: handleSignIn,
+      children: "Sign in"
+    }
+  );
+};
+
+// src/react/components/SignInButton.tsx
+import { jsx as jsx13 } from "react/jsx-runtime";
+var SignInButton = ({
+  displayMode,
+  className
+}) => {
+  const { signIn } = useAuth();
+  return /* @__PURE__ */ jsx13(
+    "button",
+    {
+      "data-testid": "sign-in-button",
+      className: cn(
+        "cac-rounded-full cac-border cac-border-neutral-500 cac-px-3 cac-py-2 cac-transition-colors hover:cac-bg-neutral-200 hover:cac-bg-opacity-50",
+        className
+      ),
+      onClick: () => signIn(displayMode),
+      children: "Sign In"
+    }
+  );
+};
+
+// src/react/components/SignOutButton.tsx
+import { jsx as jsx14 } from "react/jsx-runtime";
+var SignOutButton = ({ className }) => {
+  const { signOut } = useAuth();
+  return /* @__PURE__ */ jsx14(
+    "button",
+    {
+      className: cn(
+        "cac-rounded-full cac-border cac-border-neutral-500 cac-px-3 cac-py-2 cac-transition-colors hover:cac-bg-neutral-200 hover:cac-bg-opacity-50",
+        className
+      ),
+      onClick: () => signOut(),
+      children: "Sign Out"
+    }
+  );
+};
+
+// src/react/components/NextLogOut.tsx
+import { jsx as jsx15 } from "react/jsx-runtime";
+var NextLogOut = ({ children }) => {
+  const config = resolveAuthConfig();
+  const logoutUrl = `${config.logoutUrl}`;
+  return /* @__PURE__ */ jsx15("a", { href: logoutUrl, children });
 };
 export {
-  CivicProvider,
+  CivicAuthIframeContainer,
+  CivicAuthProvider,
+  CivicNextAuthProvider,
+  NextLogOut,
+  SignInButton,
+  SignOutButton,
   UserButton,
   useAuth,
-  useParams,
+  useConfig,
+  useNextUser,
   useSession,
   useToken,
-  useUser
+  useUser,
+  useUserCookie
 };
 //# sourceMappingURL=react.mjs.map