npm - @civic/auth - Versions diffs - 0.0.1-beta.18 → 0.0.1-beta.19 - Mend

@civic/auth 0.0.1-beta.18 → 0.0.1-beta.19

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (68) hide show

package/dist/AuthProvider-Bj_Prt1x.d.ts +21 -0
package/dist/AuthProvider-DUAoX4G9.d.mts +21 -0
package/dist/{index-DTimUlkB.d.ts → UserProvider-CMLaYOUD.d.ts} +1 -2
package/dist/{index-DvjkKpkk.d.mts → UserProvider-Cbm8MZkJ.d.mts} +1 -2
package/dist/chunk-5UQQYXCX.js +1 -0
package/dist/chunk-5UQQYXCX.js.map +1 -0
package/dist/chunk-BFESCRFK.mjs +118 -0
package/dist/chunk-BFESCRFK.mjs.map +1 -0
package/dist/{chunk-G3P5TIO2.mjs → chunk-CBQ3HKRV.mjs} +123 -232
package/dist/chunk-CBQ3HKRV.mjs.map +1 -0
package/dist/chunk-CRTRMMJ7.js.map +1 -1
package/dist/{chunk-SEKF2WZX.js → chunk-CZ3AVCKD.js} +16 -71
package/dist/chunk-CZ3AVCKD.js.map +1 -0
package/dist/chunk-DJFTZS4P.js +118 -0
package/dist/chunk-DJFTZS4P.js.map +1 -0
package/dist/chunk-HTTTZ2BP.mjs +223 -0
package/dist/chunk-HTTTZ2BP.mjs.map +1 -0
package/dist/{chunk-RF23Q4V6.js → chunk-O2SODTR3.js} +114 -223
package/dist/chunk-O2SODTR3.js.map +1 -0
package/dist/chunk-O6DPCPRH.js +223 -0
package/dist/chunk-O6DPCPRH.js.map +1 -0
package/dist/chunk-PMJAV4JJ.mjs +1 -0
package/dist/chunk-PMJAV4JJ.mjs.map +1 -0
package/dist/chunk-UADVRCHY.mjs +710 -0
package/dist/chunk-UADVRCHY.mjs.map +1 -0
package/dist/chunk-VJVRFKDH.js +710 -0
package/dist/chunk-VJVRFKDH.js.map +1 -0
package/dist/{chunk-5XL2ST72.mjs → chunk-X3FQBE22.mjs} +15 -70
package/dist/chunk-X3FQBE22.mjs.map +1 -0
package/dist/index.d.mts +2 -2
package/dist/index.d.ts +2 -2
package/dist/index.js +2 -1
package/dist/index.js.map +1 -1
package/dist/index.mjs +1 -0
package/dist/nextjs/client.css +335 -0
package/dist/nextjs/client.css.map +1 -0
package/dist/nextjs/client.d.mts +12 -0
package/dist/nextjs/client.d.ts +12 -0
package/dist/nextjs/client.js +179 -0
package/dist/nextjs/client.js.map +1 -0
package/dist/nextjs/client.mjs +179 -0
package/dist/nextjs/client.mjs.map +1 -0
package/dist/nextjs.d.mts +35 -7
package/dist/nextjs.d.ts +35 -7
package/dist/nextjs.js +129 -42
package/dist/nextjs.js.map +1 -1
package/dist/nextjs.mjs +116 -29
package/dist/nextjs.mjs.map +1 -1
package/dist/react.d.mts +7 -31
package/dist/react.d.ts +7 -31
package/dist/react.js +15 -835
package/dist/react.js.map +1 -1
package/dist/react.mjs +47 -867
package/dist/react.mjs.map +1 -1
package/dist/server.d.mts +3 -24
package/dist/server.d.ts +3 -24
package/dist/server.js +4 -2
package/dist/server.js.map +1 -1
package/dist/server.mjs +4 -2
package/dist/storage-B2eAQNdv.d.ts +25 -0
package/dist/storage-BJPUpxhm.d.mts +25 -0
package/dist/{types-b4c1koXj.d.mts → types-Bqm9OCZN.d.mts} +5 -2
package/dist/{types-b4c1koXj.d.ts → types-Bqm9OCZN.d.ts} +5 -2
package/package.json +24 -15
package/dist/chunk-5XL2ST72.mjs.map +0 -1
package/dist/chunk-G3P5TIO2.mjs.map +0 -1
package/dist/chunk-RF23Q4V6.js.map +0 -1
package/dist/chunk-SEKF2WZX.js.map +0 -1

package/dist/AuthProvider-Bj_Prt1x.d.ts ADDED Viewed

@@ -0,0 +1,21 @@
+import { ReactNode } from 'react';
+import { C as Config, S as SessionData } from './types-HdCjGldB.js';
+interface PKCEConsumer {
+    getCodeChallenge(): Promise<string>;
+}
+type AuthProviderProps = {
+    children: ReactNode;
+    clientId: string;
+    redirectUrl?: string;
+    nonce?: string;
+    config?: Config;
+    onSignIn?: (error?: Error) => void;
+    onSignOut?: () => Promise<void>;
+    pkceConsumer?: PKCEConsumer;
+    modalIframe?: boolean;
+    sessionData?: SessionData;
+};
+export type { AuthProviderProps as A };

package/dist/AuthProvider-DUAoX4G9.d.mts ADDED Viewed

@@ -0,0 +1,21 @@
+import { ReactNode } from 'react';
+import { C as Config, S as SessionData } from './types-HdCjGldB.mjs';
+interface PKCEConsumer {
+    getCodeChallenge(): Promise<string>;
+}
+type AuthProviderProps = {
+    children: ReactNode;
+    clientId: string;
+    redirectUrl?: string;
+    nonce?: string;
+    config?: Config;
+    onSignIn?: (error?: Error) => void;
+    onSignOut?: () => Promise<void>;
+    pkceConsumer?: PKCEConsumer;
+    modalIframe?: boolean;
+    sessionData?: SessionData;
+};
+export type { AuthProviderProps as A };

package/dist/{index-DTimUlkB.d.ts → UserProvider-CMLaYOUD.d.ts} RENAMED Viewed

@@ -1,6 +1,5 @@
-import { D as DisplayMode, U as User } from './types-HdCjGldB.js';
-import './types-b4c1koXj.js';
 import { JWT } from 'oslo/jwt';
+import { D as DisplayMode, U as User } from './types-HdCjGldB.js';
 type AuthContextType = {
     signIn: (displayMode?: DisplayMode) => Promise<void>;

package/dist/{index-DvjkKpkk.d.mts → UserProvider-Cbm8MZkJ.d.mts} RENAMED Viewed

@@ -1,6 +1,5 @@
-import { D as DisplayMode, U as User } from './types-HdCjGldB.mjs';
-import './types-b4c1koXj.mjs';
 import { JWT } from 'oslo/jwt';
+import { D as DisplayMode, U as User } from './types-HdCjGldB.mjs';
 type AuthContextType = {
     signIn: (displayMode?: DisplayMode) => Promise<void>;

package/dist/chunk-5UQQYXCX.js ADDED Viewed

	@@ -0,0 +1 @@
1	+ "use strict";//# sourceMappingURL=chunk-5UQQYXCX.js.map

package/dist/chunk-5UQQYXCX.js.map ADDED Viewed

	@@ -0,0 +1 @@
1	+ {"version":3,"sources":["/Users/kevincolgan/code/civic-auth/packages/civic-auth-client/dist/chunk-5UQQYXCX.js"],"names":[],"mappings":"AAAA","file":"/Users/kevincolgan/code/civic-auth/packages/civic-auth-client/dist/chunk-5UQQYXCX.js"}

package/dist/chunk-BFESCRFK.mjs ADDED Viewed

@@ -0,0 +1,118 @@
+import {
+  CookieStorage
+} from "./chunk-HTTTZ2BP.mjs";
+import {
+  GenericUserSession,
+  clearTokens
+} from "./chunk-CBQ3HKRV.mjs";
+import {
+  __async,
+  __spreadProps,
+  __spreadValues
+} from "./chunk-RGHW4PYM.mjs";
+// src/nextjs/cookies.ts
+import { cookies } from "next/headers.js";
+var createTokenCookies = (response, sessionData, config) => {
+  var _a, _b;
+  const maxAge = (_a = sessionData.expiresIn) != null ? _a : 3600;
+  const cookieOptions = __spreadProps(__spreadValues({}, (_b = config.cookies) == null ? void 0 : _b.tokens), {
+    maxAge
+  });
+  if (sessionData.accessToken) {
+    response.cookies.set("access_token", sessionData.accessToken, __spreadProps(__spreadValues({}, cookieOptions), {
+      httpOnly: true
+    }));
+  }
+  if (sessionData.idToken) {
+    response.cookies.set("id_token", sessionData.idToken, __spreadProps(__spreadValues({}, cookieOptions), {
+      httpOnly: true
+    }));
+  }
+  if (sessionData.refreshToken) {
+    response.cookies.set("refresh_token", sessionData.refreshToken, __spreadProps(__spreadValues({}, cookieOptions), {
+      httpOnly: true
+    }));
+  }
+};
+var createUserInfoCookie = (response, user, sessionData, config) => {
+  var _a, _b, _c;
+  if (!user) {
+    response.cookies.set("user", "", __spreadProps(__spreadValues({}, (_a = config.cookies) == null ? void 0 : _a.user), {
+      maxAge: 0
+    }));
+    return;
+  }
+  const maxAge = (_b = sessionData.expiresIn) != null ? _b : 3600;
+  const frontendUser = __spreadValues({}, user);
+  response.cookies.set("user", JSON.stringify(frontendUser), __spreadProps(__spreadValues({}, (_c = config.cookies) == null ? void 0 : _c.user), {
+    maxAge
+  }));
+};
+var clearAuthCookies = (config) => __async(void 0, null, function* () {
+  var _a;
+  const cookieStorage = new NextjsCookieStorage((_a = config.cookies) == null ? void 0 : _a.tokens);
+  clearTokens(cookieStorage);
+  const clientStorage = new NextjsClientStorage();
+  const userSession = new GenericUserSession(clientStorage);
+  userSession.set(null);
+});
+var NextjsCookieStorage = class extends CookieStorage {
+  constructor(config = {}) {
+    super({
+      secure: true,
+      httpOnly: true
+    });
+    this.config = config;
+  }
+  get(key) {
+    var _a;
+    return ((_a = cookies().get(key)) == null ? void 0 : _a.value) || null;
+  }
+  set(key, value) {
+    var _a;
+    const cookieSettings = ((_a = this.config) == null ? void 0 : _a[key]) || __spreadValues({}, this.settings);
+    console.log(
+      "NextjsCookieStorage.set",
+      JSON.stringify(
+        { key, value, config: this.config, cookieSettings },
+        null,
+        2
+      )
+    );
+    cookies().set(key, value, cookieSettings);
+  }
+};
+var NextjsClientStorage = class extends CookieStorage {
+  constructor(config = {}) {
+    super(__spreadProps(__spreadValues({}, config), {
+      secure: false,
+      httpOnly: false
+    }));
+  }
+  get(key) {
+    var _a;
+    return ((_a = cookies().get(key)) == null ? void 0 : _a.value) || null;
+  }
+  set(key, value) {
+    cookies().set(key, value, this.settings);
+  }
+};
+// src/nextjs/utils.ts
+var resolveCallbackUrl = (config, alternativeUrl) => {
+  var _a;
+  const baseUrl = (_a = config.appUrl) != null ? _a : alternativeUrl;
+  const callbackUrl = new URL(config == null ? void 0 : config.callbackUrl, baseUrl).toString();
+  return callbackUrl.toString();
+};
+export {
+  createTokenCookies,
+  createUserInfoCookie,
+  clearAuthCookies,
+  NextjsCookieStorage,
+  NextjsClientStorage,
+  resolveCallbackUrl
+};
+//# sourceMappingURL=chunk-BFESCRFK.mjs.map

package/dist/chunk-BFESCRFK.mjs.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"sources":["../src/nextjs/cookies.ts","../src/nextjs/utils.ts"],"sourcesContent":["import { SessionData, UnknownObject, User } from \"@/types\";\nimport { NextResponse } from \"next/server\";\nimport { AuthConfig, CookiesConfigObject } from \"@/nextjs/config\";\nimport { CookieStorage, CookieStorageSettings } from \"@/server\";\nimport { cookies } from \"next/headers.js\";\nimport { GenericUserSession } from \"@/shared/UserSession\";\nimport { clearTokens } from \"@/shared/util\";\nimport { CodeVerifier, OAuthTokens, TokensCookieConfig } from \"@/shared/types\";\n\n/**\n * Creates HTTP-only cookies for authentication tokens\n */\nconst createTokenCookies = (\n response: NextResponse,\n sessionData: SessionData,\n config: AuthConfig,\n) => {\n const maxAge = sessionData.expiresIn ?? 3600;\n const cookieOptions = {\n ...config.cookies?.tokens,\n maxAge,\n };\n\n if (sessionData.accessToken) {\n response.cookies.set(\"access_token\", sessionData.accessToken, {\n ...cookieOptions,\n httpOnly: true,\n });\n }\n\n if (sessionData.idToken) {\n response.cookies.set(\"id_token\", sessionData.idToken, {\n ...cookieOptions,\n httpOnly: true,\n });\n }\n\n if (sessionData.refreshToken) {\n response.cookies.set(\"refresh_token\", sessionData.refreshToken, {\n ...cookieOptions,\n httpOnly: true,\n });\n }\n};\n\n/**\n * Creates a client-readable cookie with user info\n */\nconst createUserInfoCookie = (\n response: NextResponse,\n user: User<UnknownObject> | null,\n sessionData: SessionData,\n config: AuthConfig,\n) => {\n if (!user) {\n response.cookies.set(\"user\", \"\", {\n ...config.cookies?.user,\n maxAge: 0,\n });\n return;\n }\n const maxAge = sessionData.expiresIn ?? 3600;\n\n // TODO select fields to include in the user cookie\n const frontendUser = {\n ...user,\n };\n\n // TODO make call to get user info from the\n // auth server /userinfo endpoint when it's available\n // then add to the default claims above\n\n response.cookies.set(\"user\", JSON.stringify(frontendUser), {\n ...config.cookies?.user,\n maxAge,\n });\n};\n\n/**\n * Clears all authentication cookies\n */\nconst clearAuthCookies = async (config: AuthConfig) => {\n // clear session, and tokens\n const cookieStorage = new NextjsCookieStorage(config.cookies?.tokens);\n clearTokens(cookieStorage);\n\n // clear user\n const clientStorage = new NextjsClientStorage();\n const userSession = new GenericUserSession(clientStorage);\n userSession.set(null);\n};\n\ntype KeySetter = OAuthTokens | CodeVerifier;\nclass NextjsCookieStorage extends CookieStorage {\n constructor(readonly config: Partial<TokensCookieConfig> = {}) {\n super({\n secure: true,\n httpOnly: true,\n });\n }\n\n get(key: string): string | null {\n return cookies().get(key)?.value || null;\n }\n\n set(key: KeySetter, value: string): void {\n const cookieSettings = this.config?.[key as KeySetter] || {\n ...this.settings,\n };\n console.log(\n \"NextjsCookieStorage.set\",\n JSON.stringify(\n { key, value, config: this.config, cookieSettings },\n null,\n 2,\n ),\n );\n cookies().set(key, value, cookieSettings);\n }\n}\n\nclass NextjsClientStorage extends CookieStorage {\n constructor(config: Partial<CookieStorageSettings> = {}) {\n super({\n ...config,\n secure: false,\n httpOnly: false,\n });\n }\n\n get(key: string): string | null {\n return cookies().get(key)?.value || null;\n }\n\n set(key: string, value: string): void {\n cookies().set(key, value, this.settings);\n }\n}\n\nexport {\n createTokenCookies,\n createUserInfoCookie,\n clearAuthCookies,\n NextjsCookieStorage,\n NextjsClientStorage,\n};\n","import { AuthConfigWithDefaults } from \"@/nextjs/config\";\n\nexport const resolveCallbackUrl = (\n config: AuthConfigWithDefaults,\n alternativeUrl?: string,\n): string => {\n const baseUrl = config.appUrl ?? alternativeUrl;\n const callbackUrl = new URL(config?.callbackUrl, baseUrl).toString();\n return callbackUrl.toString();\n};\n"],"mappings":";;;;;;;;;;;;;;AAIA,SAAS,eAAe;AAQxB,IAAM,qBAAqB,CACzB,UACA,aACA,WACG;AAhBL;AAiBE,QAAM,UAAS,iBAAY,cAAZ,YAAyB;AACxC,QAAM,gBAAgB,kCACjB,YAAO,YAAP,mBAAgB,SADC;AAAA,IAEpB;AAAA,EACF;AAEA,MAAI,YAAY,aAAa;AAC3B,aAAS,QAAQ,IAAI,gBAAgB,YAAY,aAAa,iCACzD,gBADyD;AAAA,MAE5D,UAAU;AAAA,IACZ,EAAC;AAAA,EACH;AAEA,MAAI,YAAY,SAAS;AACvB,aAAS,QAAQ,IAAI,YAAY,YAAY,SAAS,iCACjD,gBADiD;AAAA,MAEpD,UAAU;AAAA,IACZ,EAAC;AAAA,EACH;AAEA,MAAI,YAAY,cAAc;AAC5B,aAAS,QAAQ,IAAI,iBAAiB,YAAY,cAAc,iCAC3D,gBAD2D;AAAA,MAE9D,UAAU;AAAA,IACZ,EAAC;AAAA,EACH;AACF;AAKA,IAAM,uBAAuB,CAC3B,UACA,MACA,aACA,WACG;AArDL;AAsDE,MAAI,CAAC,MAAM;AACT,aAAS,QAAQ,IAAI,QAAQ,IAAI,kCAC5B,YAAO,YAAP,mBAAgB,OADY;AAAA,MAE/B,QAAQ;AAAA,IACV,EAAC;AACD;AAAA,EACF;AACA,QAAM,UAAS,iBAAY,cAAZ,YAAyB;AAGxC,QAAM,eAAe,mBAChB;AAOL,WAAS,QAAQ,IAAI,QAAQ,KAAK,UAAU,YAAY,GAAG,kCACtD,YAAO,YAAP,mBAAgB,OADsC;AAAA,IAEzD;AAAA,EACF,EAAC;AACH;AAKA,IAAM,mBAAmB,CAAO,WAAuB;AAjFvD;AAmFE,QAAM,gBAAgB,IAAI,qBAAoB,YAAO,YAAP,mBAAgB,MAAM;AACpE,cAAY,aAAa;AAGzB,QAAM,gBAAgB,IAAI,oBAAoB;AAC9C,QAAM,cAAc,IAAI,mBAAmB,aAAa;AACxD,cAAY,IAAI,IAAI;AACtB;AAGA,IAAM,sBAAN,cAAkC,cAAc;AAAA,EAC9C,YAAqB,SAAsC,CAAC,GAAG;AAC7D,UAAM;AAAA,MACJ,QAAQ;AAAA,MACR,UAAU;AAAA,IACZ,CAAC;AAJkB;AAAA,EAKrB;AAAA,EAEA,IAAI,KAA4B;AArGlC;AAsGI,aAAO,aAAQ,EAAE,IAAI,GAAG,MAAjB,mBAAoB,UAAS;AAAA,EACtC;AAAA,EAEA,IAAI,KAAgB,OAAqB;AAzG3C;AA0GI,UAAM,mBAAiB,UAAK,WAAL,mBAAc,SAAqB,mBACrD,KAAK;AAEV,YAAQ;AAAA,MACN;AAAA,MACA,KAAK;AAAA,QACH,EAAE,KAAK,OAAO,QAAQ,KAAK,QAAQ,eAAe;AAAA,QAClD;AAAA,QACA;AAAA,MACF;AAAA,IACF;AACA,YAAQ,EAAE,IAAI,KAAK,OAAO,cAAc;AAAA,EAC1C;AACF;AAEA,IAAM,sBAAN,cAAkC,cAAc;AAAA,EAC9C,YAAY,SAAyC,CAAC,GAAG;AACvD,UAAM,iCACD,SADC;AAAA,MAEJ,QAAQ;AAAA,MACR,UAAU;AAAA,IACZ,EAAC;AAAA,EACH;AAAA,EAEA,IAAI,KAA4B;AAlIlC;AAmII,aAAO,aAAQ,EAAE,IAAI,GAAG,MAAjB,mBAAoB,UAAS;AAAA,EACtC;AAAA,EAEA,IAAI,KAAa,OAAqB;AACpC,YAAQ,EAAE,IAAI,KAAK,OAAO,KAAK,QAAQ;AAAA,EACzC;AACF;;;ACvIO,IAAM,qBAAqB,CAChC,QACA,mBACW;AALb;AAME,QAAM,WAAU,YAAO,WAAP,YAAiB;AACjC,QAAM,cAAc,IAAI,IAAI,iCAAQ,aAAa,OAAO,EAAE,SAAS;AACnE,SAAO,YAAY,SAAS;AAC9B;","names":[]}

package/dist/{chunk-G3P5TIO2.mjs → chunk-CBQ3HKRV.mjs} RENAMED Viewed

@@ -4,36 +4,6 @@ import {
   __spreadValues
 } from "./chunk-RGHW4PYM.mjs";
-// src/shared/storage.ts
-var DEFAULT_COOKIE_DURATION = 60 * 15;
-var CookieStorage = class {
-  constructor(settings = {}) {
-    var _a, _b, _c, _d, _e;
-    this.settings = {
-      httpOnly: (_a = settings.httpOnly) != null ? _a : true,
-      secure: (_b = settings.secure) != null ? _b : true,
-      // the callback request comes the auth server
-      // 'lax' ensures the code_verifier cookie is sent with the request
-      sameSite: (_c = settings.sameSite) != null ? _c : "lax",
-      expires: (_d = settings.expires) != null ? _d : new Date(Date.now() + 1e3 * DEFAULT_COOKIE_DURATION),
-      path: (_e = settings.path) != null ? _e : "/"
-    };
-  }
-};
-// src/constants.ts
-var DEFAULT_SCOPES = [
-  "openid",
-  "profile",
-  "email",
-  "forwardedTokens",
-  "offline_access"
-];
-var IFRAME_ID = "civic-auth-iframe";
-var AUTH_SERVER = "https://auth-dev.civic.com/oauth";
-var DEFAULT_OAUTH_GET_PARAMS = ["code", "state", "iss"];
-var TOKEN_EXCHANGE_TRIGGER_TEXT = "sameDomainCodeExchangeRequired";
 // src/shared/types.ts
 var OAuthTokens = /* @__PURE__ */ ((OAuthTokens2) => {
   OAuthTokens2["ID_TOKEN"] = "id_token";
@@ -65,11 +35,11 @@ var getOauthEndpoints = (oauthServer) => __async(void 0, null, function* () {
     userinfo: openIdConfig.userinfo_endpoint
   };
 });
-var generateState = (displayMode) => {
-  const jsonString = JSON.stringify({
+var generateState = (displayMode, serverTokenExchange) => {
+  const jsonString = JSON.stringify(__spreadValues({
     uuid: uuid(),
     displayMode
-  });
+  }, serverTokenExchange ? { serverTokenExchange } : {}));
   return btoa(jsonString);
 };
 var displayModeFromState = (state, sessionDisplayMode) => {
@@ -81,6 +51,15 @@ var displayModeFromState = (state, sessionDisplayMode) => {
     return sessionDisplayMode;
   }
 };
+var serverTokenExchangeFromState = (state) => {
+  try {
+    const jsonString = atob(state);
+    return JSON.parse(jsonString).serverTokenExchange;
+  } catch (e) {
+    console.error("Failed to parse serverTokenExchange from state:", state);
+    return void 0;
+  }
+};
 // src/shared/util.ts
 import * as jose from "jose";
@@ -212,6 +191,9 @@ function clearTokens(storage) {
   Object.values(OAuthTokens).forEach((cookie) => {
     storage.set(cookie, "");
   });
+  Object.values("code_verifier" /* COOKIE_NAME */).forEach((cookie) => {
+    storage.set(cookie, "");
+  });
 }
 function clearUser(storage) {
   const userSession = new GenericUserSession(storage);
@@ -254,8 +236,30 @@ function validateOauth2Tokens(tokens, endpoints, oauth2Client, issuer) {
   });
 }
-// src/services/PKCE.ts
-import { generateCodeVerifier } from "oslo/oauth2";
+// src/shared/session.ts
+import { parseJWT } from "oslo/jwt";
+function getUser(storage) {
+  return __async(this, null, function* () {
+    var _a, _b;
+    const tokens = retrieveTokens(storage);
+    if (!tokens) return null;
+    return (_b = (_a = parseJWT(tokens.id_token)) == null ? void 0 : _a.payload) != null ? _b : null;
+  });
+}
+// src/constants.ts
+var DEFAULT_SCOPES = [
+  "openid",
+  "profile",
+  "email",
+  "forwardedTokens",
+  "offline_access"
+];
+var IFRAME_ID = "civic-auth-iframe";
+var AUTH_SERVER = "https://auth-dev.civic.com/oauth";
+var DEFAULT_OAUTH_GET_PARAMS = ["code", "state", "iss"];
+var TOKEN_EXCHANGE_TRIGGER_TEXT = "sameDomainCodeExchangeRequired";
+var TOKEN_EXCHANGE_SUCCESS_TEXT = "serverSideTokenExchangeSuccess";
 // src/browser/storage.ts
 var LocalStorageAdapter = class {
@@ -268,6 +272,7 @@ var LocalStorageAdapter = class {
 };
 // src/services/PKCE.ts
+import { generateCodeVerifier } from "oslo/oauth2";
 var ConfidentialClientPKCEConsumer = class {
   constructor(pkceChallengeEndpoint) {
     this.pkceChallengeEndpoint = pkceChallengeEndpoint;
@@ -289,14 +294,14 @@ var GenericPublicClientPKCEProducer = class {
   getCodeChallenge() {
     return __async(this, null, function* () {
       const verifier = generateCodeVerifier();
-      this.storage.set("code_verifier", verifier);
+      this.storage.set("code_verifier" /* COOKIE_NAME */, verifier);
       return deriveCodeChallenge(verifier);
     });
   }
   // if there is already a verifier, return it,
   getCodeVerifier() {
     return __async(this, null, function* () {
-      return this.storage.get("code_verifier");
+      return this.storage.get("code_verifier" /* COOKIE_NAME */);
     });
   }
 };
@@ -309,6 +314,14 @@ var BrowserPublicClientPKCEProducer = class extends GenericPublicClientPKCEProdu
 // src/services/AuthenticationService.ts
 import { OAuth2Client as OAuth2Client2 } from "oslo/oauth2";
+// src/services/types.ts
+var PopupError = class _PopupError extends Error {
+  constructor(message) {
+    super(message);
+    Object.setPrototypeOf(this, _PopupError.prototype);
+  }
+};
 // src/lib/windowUtil.ts
 var isWindowInIframe = (window2) => {
   var _a;
@@ -328,19 +341,57 @@ var removeParamsWithoutReload = (paramsToRemove) => {
   paramsToRemove.forEach((param) => {
     url.searchParams.delete(param);
   });
-  window.history.replaceState({}, "", url);
+  try {
+    window.history.replaceState({}, "", url);
+  } catch (error) {
+    console.warn("window.history.replaceState failed", error);
+  }
+};
+// src/lib/postMessage.ts
+var validateLoginAppPostMessage = (event, clientId) => {
+  const caseEvent = event;
+  console.log("caseEvent", caseEvent);
+  if (!caseEvent.clientId || !caseEvent.data.url || !caseEvent.source || !caseEvent.type || caseEvent.clientId !== clientId || caseEvent.source !== "civicloginApp") {
+    return false;
+  }
+  return true;
 };
 // src/services/AuthenticationService.ts
 var BrowserAuthenticationInitiator = class {
   constructor(config) {
+    this.postMessageHandler = null;
     this.config = config;
+    console.log("BrowserAuthenticationInitiator constructor", this.config);
+  }
+  handleLoginAppPopupFailed(redirectUrl) {
+    return __async(this, null, function* () {
+      console.warn(
+        "Login app popup failed open a popup, using redirect mode instead...",
+        redirectUrl
+      );
+      window.location.href = redirectUrl;
+    });
   }
   // Use the config (Client ID, scopes OAuth Server, Endpoints, PKCEConsumer) to generate a new login url
   // and then use the display mode to decide how to send the user there
   signIn(iframeRef) {
     return __async(this, null, function* () {
       const url = yield generateOauthLoginUrl(this.config);
+      this.postMessageHandler = (event) => {
+        const thisURL = new URL(window.location.href);
+        if (event.origin.endsWith("civic.com") || thisURL.hostname === "localhost") {
+          if (!validateLoginAppPostMessage(event.data, this.config.clientId)) {
+            console.log("Received invalid message from login app", event.data);
+            return;
+          }
+          const loginMessage = event.data;
+          console.log("Received message from login app", event.data);
+          this.handleLoginAppPopupFailed(loginMessage.data.url);
+        }
+      };
+      window.addEventListener("message", this.postMessageHandler);
       if (this.config.displayMode === "iframe") {
         if (!iframeRef)
           throw new Error("iframeRef is required for displayMode 'iframe'");
@@ -350,7 +401,18 @@ var BrowserAuthenticationInitiator = class {
         window.location.href = url.toString();
       }
       if (this.config.displayMode === "new_tab") {
-        window.open(url.toString(), "_blank");
+        try {
+          const popupWindow = window.open(url.toString(), "_blank");
+          console.log("signIn", popupWindow);
+          if (!popupWindow) {
+            throw new PopupError("Failed to open popup window");
+          }
+        } catch (error) {
+          console.error("popupWindow", error);
+          throw new PopupError(
+            "window.open has thrown: Failed to open popup window"
+          );
+        }
       }
       return url;
     });
@@ -364,10 +426,18 @@ var BrowserAuthenticationInitiator = class {
       return url;
     });
   }
+  cleanup() {
+    if (this.postMessageHandler) {
+      window.removeEventListener("message", this.postMessageHandler);
+    }
+  }
 };
 var GenericAuthenticationInitiator = class {
   constructor(config) {
     this.config = config;
+    console.log("GenericAuthenticationInitiator constructor", {
+      config
+    });
   }
   // Use the config (Client ID, scopes OAuth Server, Endpoints, PKCEConsumer) to generate a new login url
   // and simply return the url
@@ -385,6 +455,9 @@ var GenericAuthenticationInitiator = class {
 var BrowserAuthenticationService = class _BrowserAuthenticationService extends BrowserAuthenticationInitiator {
   // TODO WIP - perhaps we want to keep resolver and initiator separate here
   constructor(config, pkceProducer = new BrowserPublicClientPKCEProducer()) {
+    console.log("BrowserAuthenticationService constructor", {
+      config
+    });
     super(__spreadProps(__spreadValues({}, config), {
       state: generateState(config.displayMode),
       // Store and retrieve the PKCE challenge in local storage
@@ -437,9 +510,8 @@ var BrowserAuthenticationService = class _BrowserAuthenticationService extends B
       );
       if (parsedDisplayMode === "new_tab") {
         window.close();
-      } else if (parsedDisplayMode === "redirect") {
-        removeParamsWithoutReload(DEFAULT_OAUTH_GET_PARAMS);
       }
+      removeParamsWithoutReload(DEFAULT_OAUTH_GET_PARAMS);
       return tokens;
     });
   }
@@ -496,213 +568,32 @@ var BrowserAuthenticationService = class _BrowserAuthenticationService extends B
   }
 };
-// src/server/ServerAuthenticationResolver.ts
-import { OAuth2Client as OAuth2Client3 } from "oslo/oauth2";
-var ServerAuthenticationResolver = class _ServerAuthenticationResolver {
-  constructor(authConfig, storage, endpointOverrides) {
-    this.authConfig = authConfig;
-    this.storage = storage;
-    this.endpointOverrides = endpointOverrides;
-    this.pkceProducer = new GenericPublicClientPKCEProducer(storage);
-  }
-  validateExistingSession() {
-    throw new Error("Method not implemented.");
-  }
-  init() {
-    return __async(this, null, function* () {
-      this.endpoints = yield getEndpointsWithOverrides(
-        this.authConfig.oauthServer,
-        this.endpointOverrides
-      );
-      this.oauth2client = new OAuth2Client3(
-        this.authConfig.clientId,
-        this.endpoints.auth,
-        this.endpoints.token,
-        {
-          redirectURI: this.authConfig.redirectUrl
-        }
-      );
-      return this;
-    });
-  }
-  tokenExchange(code, state) {
-    return __async(this, null, function* () {
-      if (!this.oauth2client) yield this.init();
-      const codeVerifier = yield this.pkceProducer.getCodeVerifier();
-      if (!codeVerifier) throw new Error("Code verifier not found in storage");
-      const tokens = yield exchangeTokens(
-        code,
-        state,
-        this.pkceProducer,
-        this.oauth2client,
-        // clean up types here to avoid the ! operator
-        this.authConfig.oauthServer,
-        this.endpoints
-        // clean up types here to avoid the ! operator
-      );
-      storeTokens(this.storage, tokens);
-      return tokens;
-    });
-  }
-  getSessionData() {
-    return __async(this, null, function* () {
-      const storageData = retrieveTokens(this.storage);
-      if (!storageData) return null;
-      return {
-        authenticated: !!storageData.id_token,
-        idToken: storageData.id_token,
-        accessToken: storageData.access_token,
-        refreshToken: storageData.refresh_token
-      };
-    });
-  }
-  static build(authConfig, storage, endpointOverrides) {
-    return __async(this, null, function* () {
-      const resolver = new _ServerAuthenticationResolver(
-        authConfig,
-        storage,
-        endpointOverrides
-      );
-      yield resolver.init();
-      return resolver;
-    });
-  }
-};
-// src/server/login.ts
-function resolveOAuthAccessCode(code, state, storage, config) {
-  return __async(this, null, function* () {
-    var _a;
-    const authSessionService = yield ServerAuthenticationResolver.build(
-      __spreadProps(__spreadValues({}, config), {
-        oauthServer: (_a = config.oauthServer) != null ? _a : AUTH_SERVER
-      }),
-      storage,
-      config.endpointOverrides
-    );
-    return authSessionService.tokenExchange(code, state);
-  });
-}
-function isLoggedIn(storage) {
-  return !!storage.get("id_token");
-}
-function buildLoginUrl(config, storage) {
-  return __async(this, null, function* () {
-    var _a, _b, _c;
-    const state = (_a = config.state) != null ? _a : Math.random().toString(36).substring(2);
-    const scopes = (_b = config.scopes) != null ? _b : DEFAULT_SCOPES;
-    const pkceProducer = new GenericPublicClientPKCEProducer(storage);
-    const authInitiator = new GenericAuthenticationInitiator(__spreadProps(__spreadValues({}, config), {
-      state,
-      scopes,
-      oauthServer: (_c = config.oauthServer) != null ? _c : AUTH_SERVER,
-      // When retrieving the PKCE challenge on the server-side, we produce it and store it in the session
-      pkceConsumer: pkceProducer
-    }));
-    return authInitiator.signIn();
-  });
-}
-// src/shared/session.ts
-import { parseJWT } from "oslo/jwt";
-function getUser(storage) {
-  return __async(this, null, function* () {
-    var _a, _b;
-    const tokens = retrieveTokens(storage);
-    if (!tokens) return null;
-    return (_b = (_a = parseJWT(tokens.id_token)) == null ? void 0 : _a.payload) != null ? _b : null;
-  });
-}
-// src/shared/GenericAuthenticationRefresher.ts
-import { OAuth2Client as OAuth2Client4 } from "oslo/oauth2";
-var GenericAuthenticationRefresher = class _GenericAuthenticationRefresher {
-  constructor(authConfig, storage, endpointOverrides) {
-    this.authConfig = authConfig;
-    this.storage = storage;
-    this.endpointOverrides = endpointOverrides;
-  }
-  init() {
-    return __async(this, null, function* () {
-      this.endpoints = yield getEndpointsWithOverrides(
-        this.authConfig.oauthServer,
-        this.endpointOverrides
-      );
-      this.oauth2client = new OAuth2Client4(
-        this.authConfig.clientId,
-        this.endpoints.auth,
-        this.endpoints.token,
-        {
-          redirectURI: this.authConfig.redirectUrl
-        }
-      );
-      return this;
-    });
-  }
-  static build(authConfig, storage, endpointOverrides) {
-    return __async(this, null, function* () {
-      const refresher = new _GenericAuthenticationRefresher(
-        authConfig,
-        storage,
-        endpointOverrides
-      );
-      yield refresher.init();
-      return refresher;
-    });
-  }
-  refreshTokens() {
-    return __async(this, null, function* () {
-      if (!this.oauth2client) yield this.init();
-      const tokens = retrieveTokens(this.storage);
-      if (!(tokens == null ? void 0 : tokens.refresh_token)) throw new Error("No refresh token available");
-      const oauth2Client = this.oauth2client;
-      const refreshedTokens = yield oauth2Client.refreshAccessToken(
-        tokens.refresh_token
-      );
-      storeTokens(this.storage, refreshedTokens);
-      return tokens;
-    });
-  }
-};
-// src/server/refresh.ts
-function refreshTokens(storage, config) {
-  return __async(this, null, function* () {
-    var _a;
-    const refresher = yield GenericAuthenticationRefresher.build(
-      __spreadProps(__spreadValues({}, config), {
-        oauthServer: (_a = config.oauthServer) != null ? _a : AUTH_SERVER
-      }),
-      storage,
-      config.endpointOverrides
-    );
-    return refresher.refreshTokens();
-  });
-}
 export {
   convertForwardedTokenFormat,
   GenericUserSession,
   DEFAULT_SCOPES,
   IFRAME_ID,
+  AUTH_SERVER,
   TOKEN_EXCHANGE_TRIGGER_TEXT,
+  TOKEN_EXCHANGE_SUCCESS_TEXT,
   isWindowInIframe,
   generateState,
+  serverTokenExchangeFromState,
   cn,
   withoutUndefined,
+  getEndpointsWithOverrides,
+  exchangeTokens,
+  storeTokens,
   clearTokens,
   retrieveTokens,
   LocalStorageAdapter,
   ConfidentialClientPKCEConsumer,
   GenericPublicClientPKCEProducer,
   BrowserPublicClientPKCEProducer,
+  PopupError,
   BrowserAuthenticationInitiator,
+  GenericAuthenticationInitiator,
   BrowserAuthenticationService,
-  getUser,
-  CookieStorage,
-  resolveOAuthAccessCode,
-  isLoggedIn,
-  buildLoginUrl,
-  refreshTokens
+  getUser
 };
-//# sourceMappingURL=chunk-G3P5TIO2.mjs.map
+//# sourceMappingURL=chunk-CBQ3HKRV.mjs.map