@civic/auth 0.0.1-beta.28 → 0.0.1-beta.3

package/dist/chunk-VXIWRZWU.js

@@ -0,0 +1,238 @@
+"use strict";Object.defineProperty(exports, "__esModule", {value: true}); function _interopRequireWildcard(obj) { if (obj && obj.__esModule) { return obj; } else { var newObj = {}; if (obj != null) { for (var key in obj) { if (Object.prototype.hasOwnProperty.call(obj, key)) { newObj[key] = obj[key]; } } } newObj.default = obj; return newObj; } }
+
+
+var _chunkCRTRMMJ7js = require('./chunk-CRTRMMJ7.js');
+
+// src/utils.ts
+var _clsx = require('clsx');
+var _tailwindmerge = require('tailwind-merge');
+var isPopupBlocked = () => {
+  const popup = window.open("", "", "width=1,height=1");
+  if (!popup) {
+    return true;
+  }
+  try {
+    if (typeof popup.closed === "undefined") {
+      throw new Error("Popup is blocked");
+    }
+  } catch (e) {
+    return true;
+  }
+  popup.close();
+  return false;
+};
+var cn = (...inputs) => {
+  return _tailwindmerge.twMerge.call(void 0, _clsx.clsx.call(void 0, inputs));
+};
+var withoutUndefined = (obj) => {
+  const result = {};
+  for (const key in obj) {
+    if (obj[key] !== void 0) {
+      result[key] = obj[key];
+    }
+  }
+  return result;
+};
+
+// src/shared/types.ts
+var NextjsServerCookies = /* @__PURE__ */ ((NextjsServerCookies2) => {
+  NextjsServerCookies2["ID_TOKEN"] = "id_token";
+  NextjsServerCookies2["ACCESS_TOKEN"] = "access_token";
+  NextjsServerCookies2["REFRESH_TOKEN"] = "refresh_token";
+  return NextjsServerCookies2;
+})(NextjsServerCookies || {});
+
+// src/shared/util.ts
+var _oauth2 = require('oslo/oauth2');
+
+// src/lib/oauth.ts
+var _uuid = require('uuid');
+var getIssuerVariations = (issuer) => {
+  const issuerWithoutSlash = issuer.endsWith("/") ? issuer.slice(0, issuer.length - 1) : issuer;
+  const issuerWithSlash = `${issuerWithoutSlash}/`;
+  return [issuerWithoutSlash, issuerWithSlash];
+};
+var addSlashIfNeeded = (url) => url.endsWith("/") ? url : `${url}/`;
+var getOauthEndpoints = (oauthServer) => _chunkCRTRMMJ7js.__async.call(void 0, void 0, null, function* () {
+  const openIdConfigResponse = yield fetch(
+    `${addSlashIfNeeded(oauthServer)}.well-known/openid-configuration`
+  );
+  const openIdConfig = yield openIdConfigResponse.json();
+  return {
+    jwks: openIdConfig.jwks_uri,
+    auth: openIdConfig.authorization_endpoint,
+    token: openIdConfig.token_endpoint,
+    userinfo: openIdConfig.userinfo_endpoint
+  };
+});
+var generateState = (displayMode) => {
+  const jsonString = JSON.stringify({
+    uuid: _uuid.v4.call(void 0, ),
+    displayMode
+  });
+  return btoa(jsonString);
+};
+var displayModeFromState = (state, sessionDisplayMode) => {
+  try {
+    const jsonString = btoa(state);
+    return JSON.parse(jsonString).displayMode;
+  } catch (e) {
+    console.error("Failed to parse displayMode from state:", state);
+    return sessionDisplayMode;
+  }
+};
+
+// src/shared/util.ts
+var _jose = require('jose'); var jose = _interopRequireWildcard(_jose);
+function deriveCodeChallenge(codeVerifier, method = "S256") {
+  return _chunkCRTRMMJ7js.__async.call(void 0, this, null, function* () {
+    if (method === "Plain") {
+      console.warn("Using insecure plain code challenge method");
+      return codeVerifier;
+    }
+    const encoder = new TextEncoder();
+    const data = encoder.encode(codeVerifier);
+    const digest = yield crypto.subtle.digest("SHA-256", data);
+    return btoa(String.fromCharCode(...new Uint8Array(digest))).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
+  });
+}
+function getEndpointsWithOverrides(_0) {
+  return _chunkCRTRMMJ7js.__async.call(void 0, this, arguments, function* (oauthServer, endpointOverrides = {}) {
+    const endpoints = yield getOauthEndpoints(oauthServer);
+    return _chunkCRTRMMJ7js.__spreadValues.call(void 0, _chunkCRTRMMJ7js.__spreadValues.call(void 0, {}, endpoints), endpointOverrides);
+  });
+}
+function generateOauthLoginUrl(config) {
+  return _chunkCRTRMMJ7js.__async.call(void 0, this, null, function* () {
+    const endpoints = yield getEndpointsWithOverrides(
+      config.oauthServer,
+      config.endpointOverrides
+    );
+    const oauth2Client = buildOauth2Client(
+      config.clientId,
+      config.redirectUrl,
+      endpoints
+    );
+    const challenge = yield config.pkceConsumer.getCodeChallenge();
+    const oAuthUrl = yield oauth2Client.createAuthorizationURL({
+      state: config.state,
+      scopes: config.scopes
+    });
+    oAuthUrl.searchParams.append("code_challenge", challenge);
+    oAuthUrl.searchParams.append("code_challenge_method", "S256");
+    return oAuthUrl;
+  });
+}
+function generateOauthLogoutUrl(config) {
+  return _chunkCRTRMMJ7js.__async.call(void 0, this, null, function* () {
+    console.log(config);
+    return new URL("http://localhost");
+  });
+}
+function buildOauth2Client(clientId, redirectUri, endpoints) {
+  return new (0, _oauth2.OAuth2Client)(
+    clientId,
+    endpoints.auth,
+    endpoints.token,
+    // this
+    { redirectURI: redirectUri }
+  );
+}
+function exchangeTokens(code, state, pkceProducer, oauth2Client, oauthServer, endpoints) {
+  return _chunkCRTRMMJ7js.__async.call(void 0, this, null, function* () {
+    const codeVerifier = yield pkceProducer.getCodeVerifier();
+    if (!codeVerifier) throw new Error("Code verifier not found in state");
+    const tokens = yield oauth2Client.validateAuthorizationCode(code, {
+      codeVerifier
+    });
+    try {
+      yield validateOauth2Tokens(tokens, endpoints, oauth2Client, oauthServer);
+    } catch (error) {
+      console.error("tokenExchange error", { error, tokens });
+      throw new Error(
+        `OIDC tokens validation failed: ${error.message}`
+      );
+    }
+    return tokens;
+  });
+}
+function storeTokens(storage, tokens) {
+  storage.set("id_token" /* ID_TOKEN */, tokens.id_token);
+  storage.set("access_token" /* ACCESS_TOKEN */, tokens.access_token);
+  if (tokens.refresh_token)
+    storage.set("refresh_token" /* REFRESH_TOKEN */, tokens.refresh_token);
+}
+function clearTokens(storage) {
+  Object.values(NextjsServerCookies).forEach((cookie) => {
+    storage.set(cookie, "");
+  });
+}
+function retrieveTokens(storage) {
+  const idToken = storage.get("id_token" /* ID_TOKEN */);
+  const accessToken = storage.get("access_token" /* ACCESS_TOKEN */);
+  const refreshToken = storage.get("refresh_token" /* REFRESH_TOKEN */);
+  if (!idToken || !accessToken) return null;
+  return {
+    id_token: idToken,
+    access_token: accessToken,
+    refresh_token: refreshToken != null ? refreshToken : void 0
+  };
+}
+function validateOauth2Tokens(tokens, endpoints, oauth2Client, oauthServer) {
+  return _chunkCRTRMMJ7js.__async.call(void 0, this, null, function* () {
+    const JWKS = jose.createRemoteJWKSet(new URL(endpoints.jwks));
+    const idTokenResponse = yield jose.jwtVerify(
+      tokens.id_token,
+      JWKS,
+      {
+        issuer: getIssuerVariations(oauthServer),
+        audience: oauth2Client.clientId
+      }
+    );
+    const accessTokenResponse = yield jose.jwtVerify(
+      tokens.access_token,
+      JWKS,
+      {
+        issuer: getIssuerVariations(oauthServer)
+      }
+    );
+    return withoutUndefined({
+      id_token: idTokenResponse.payload,
+      access_token: accessTokenResponse.payload,
+      refresh_token: tokens.refresh_token
+    });
+  });
+}
+
+// src/constants.ts
+var DEFAULT_SCOPES = [
+  "openid",
+  "profile",
+  "email",
+  "forwardedTokens",
+  "offline_access"
+];
+var IFRAME_ID = "civic-auth-iframe";
+var AUTH_SERVER = "https://auth-dev.civic.com/oauth";
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+exports.getOauthEndpoints = getOauthEndpoints; exports.generateState = generateState; exports.displayModeFromState = displayModeFromState; exports.isPopupBlocked = isPopupBlocked; exports.cn = cn; exports.deriveCodeChallenge = deriveCodeChallenge; exports.getEndpointsWithOverrides = getEndpointsWithOverrides; exports.generateOauthLoginUrl = generateOauthLoginUrl; exports.generateOauthLogoutUrl = generateOauthLogoutUrl; exports.buildOauth2Client = buildOauth2Client; exports.exchangeTokens = exchangeTokens; exports.storeTokens = storeTokens; exports.clearTokens = clearTokens; exports.retrieveTokens = retrieveTokens; exports.validateOauth2Tokens = validateOauth2Tokens; exports.DEFAULT_SCOPES = DEFAULT_SCOPES; exports.IFRAME_ID = IFRAME_ID; exports.AUTH_SERVER = AUTH_SERVER;
+//# sourceMappingURL=chunk-VXIWRZWU.js.map

package/dist/chunk-VXIWRZWU.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["/Users/lucas/dev/civic/civic-auth/packages/civic-auth-client/dist/chunk-VXIWRZWU.js","../src/utils.ts","../src/shared/types.ts","../src/shared/util.ts","../src/lib/oauth.ts","../src/constants.ts"],"names":["NextjsServerCookies"],"mappings":"AAAA;AACE;AACA;AACF,sDAA4B;AAC5B;AACA;ACLA,4BAAsC;AACtC,+CAAwB;AAUxB,IAAM,eAAA,EAAiB,CAAA,EAAA,GAAe;AAEpC,EAAA,MAAM,MAAA,EAAQ,MAAA,CAAO,IAAA,CAAK,EAAA,EAAI,EAAA,EAAI,kBAAkB,CAAA;AAGpD,EAAA,GAAA,CAAI,CAAC,KAAA,EAAO;AACV,IAAA,OAAO,IAAA;AAAA,EACT;AAEA,EAAA,IAAI;AAEF,IAAA,GAAA,CAAI,OAAO,KAAA,CAAM,OAAA,IAAW,WAAA,EAAa;AACvC,MAAA,MAAM,IAAI,KAAA,CAAM,kBAAkB,CAAA;AAAA,IACpC;AAAA,EACF,EAAA,MAAA,CAAQ,CAAA,EAAA;AAEN,IAAA,OAAO,IAAA;AAAA,EACT;AAGA,EAAA,KAAA,CAAM,KAAA,CAAM,CAAA;AACZ,EAAA,OAAO,KAAA;AACT,CAAA;AAEA,IAAM,GAAA,EAAK,CAAA,GAAI,MAAA,EAAA,GAAyB;AACtC,EAAA,OAAO,oCAAA,wBAAQ,MAAW,CAAC,CAAA;AAC7B,CAAA;AAUO,IAAM,iBAAA,EAAmB,CAC9B,GAAA,EAAA,GACwB;AACxB,EAAA,MAAM,OAAA,EAAS,CAAC,CAAA;AAEhB,EAAA,IAAA,CAAA,MAAW,IAAA,GAAO,GAAA,EAAK;AACrB,IAAA,GAAA,CAAI,GAAA,CAAI,GAAG,EAAA,IAAM,KAAA,CAAA,EAAW;AAI1B,MAAC,MAAA,CAAe,GAAG,EAAA,EAAI,GAAA,CAAI,GAAG,CAAA;AAAA,IAChC;AAAA,EACF;AAEA,EAAA,OAAO,MAAA;AACT,CAAA;AD3BA;AACA;AEpCO,IAAK,oBAAA,kBAAL,CAAA,CAAKA,oBAAAA,EAAAA,GAAL;AACL,EAAAA,oBAAAA,CAAA,UAAA,EAAA,EAAW,UAAA;AACX,EAAAA,oBAAAA,CAAA,cAAA,EAAA,EAAe,cAAA;AACf,EAAAA,oBAAAA,CAAA,eAAA,EAAA,EAAgB,eAAA;AAHN,EAAA,OAAAA,oBAAAA;AAAA,CAAA,CAAA,CAAA,oBAAA,GAAA,CAAA,CAAA,CAAA;AF2CZ;AACA;AGlCA,qCAA6B;AHoC7B;AACA;AI9CA,4BAA2B;AAE3B,IAAM,oBAAA,EAAsB,CAAC,MAAA,EAAA,GAA6B;AACxD,EAAA,MAAM,mBAAA,EAAqB,MAAA,CAAO,QAAA,CAAS,GAAG,EAAA,EAC1C,MAAA,CAAO,KAAA,CAAM,CAAA,EAAG,MAAA,CAAO,OAAA,EAAS,CAAC,EAAA,EACjC,MAAA;AAEJ,EAAA,MAAM,gBAAA,EAAkB,CAAA,EAAA;AAEhB,EAAA;AACV;AAE0B;AAGO;AACzB,EAAA;AACgB,IAAA;AACtB,EAAA;AAEG,EAAA;AACI,EAAA;AACc,IAAA;AACA,IAAA;AACC,IAAA;AACG,IAAA;AACzB,EAAA;AACF;AAOuB;AACG,EAAA;AACX,IAAA;AACX,IAAA;AACD,EAAA;AAEqB,EAAA;AACxB;AAQ6B;AAIvB,EAAA;AACiB,IAAA;AAED,IAAA;AACR,EAAA;AACI,IAAA;AACP,IAAA;AACT,EAAA;AACF;AJqB2B;AACA;AGxEL;AAQA;AAGH,EAAA;AACF,IAAA;AACA,MAAA;AACN,MAAA;AACT,IAAA;AAEoB,IAAA;AACC,IAAA;AACA,IAAA;AACF,IAAA;AAIrB,EAAA;AAAA;AAEsB;AAGpB,EAAA;AACkB,IAAA;AACX,IAAA;AAIT,EAAA;AAAA;AAEsB;AASL,EAAA;AACG,IAAA;AACT,MAAA;AACA,MAAA;AACT,IAAA;AACqB,IAAA;AACZ,MAAA;AACA,MAAA;AACP,MAAA;AACF,IAAA;AACkB,IAAA;AACK,IAAA;AACP,MAAA;AACC,MAAA;AAChB,IAAA;AAGqB,IAAA;AACA,IAAA;AACf,IAAA;AACT,EAAA;AAAA;AAEsB;AAOL,EAAA;AAEG,IAAA;AACH,IAAA;AACjB,EAAA;AAAA;AAGE;AAIW,EAAA;AACT,IAAA;AACU,IAAA;AACA,IAAA;AAAA;AAEK,IAAA;AACjB,EAAA;AACF;AAGE;AAMA,EAAA;AACqB,IAAA;AACF,IAAA;AAGX,IAAA;AACJ,MAAA;AACD,IAAA;AAGC,IAAA;AACI,MAAA;AACQ,IAAA;AACA,MAAA;AACJ,MAAA;AACR,QAAA;AACF,MAAA;AACF,IAAA;AAEO,IAAA;AACT,EAAA;AAAA;AAGE;AAIQ,EAAA;AACA,EAAA;AACG,EAAA;AACD,IAAA;AACZ;AAE4B;AACZ,EAAA;AACU,IAAA;AACvB,EAAA;AACH;AAGE;AAEwB,EAAA;AACJ,EAAA;AACC,EAAA;AAEJ,EAAA;AAEV,EAAA;AACK,IAAA;AACI,IAAA;AACC,IAAA;AACjB,EAAA;AACF;AAEsB;AAKG,EAAA;AACL,IAAA;AAGZ,IAAA;AACG,MAAA;AACP,MAAA;AACA,MAAA;AACU,QAAA;AACE,QAAA;AACZ,MAAA;AACF,IAAA;AAGM,IAAA;AACG,MAAA;AACP,MAAA;AACA,MAAA;AACU,QAAA;AACV,MAAA;AACF,IAAA;AAEO,IAAA;AACK,MAAA;AACI,MAAA;AACC,MAAA;AAChB,IAAA;AACH,EAAA;AAAA;AHI2B;AACA;AK9MJ;AACrB,EAAA;AACA,EAAA;AACA,EAAA;AACA,EAAA;AACA,EAAA;AACF;AACkB;AAEE;AL+MO;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA","file":"/Users/lucas/dev/civic/civic-auth/packages/civic-auth-client/dist/chunk-VXIWRZWU.js","sourcesContent":[null,"import { clsx, type ClassValue } from \"clsx\";\nimport { twMerge } from \"tailwind-merge\";\n\n/**\n * Checks if a popup window is blocked by the browser.\n *\n * This function attempts to open a small popup window and then checks if it was successfully created.\n * If the popup is blocked by the browser, the function returns `true`. Otherwise, it returns `false`.\n *\n * @returns {boolean} - `true` if the popup is blocked, `false` otherwise.\n */\nconst isPopupBlocked = (): boolean => {\n  // First we try to open a small popup window. It either returns a window object or null.\n  const popup = window.open(\"\", \"\", \"width=1,height=1\");\n\n  // If window.open() returns null, popup is definitely blocked\n  if (!popup) {\n    return true;\n  }\n\n  try {\n    // Try to access a property of the popup to check if it's usable\n    if (typeof popup.closed === \"undefined\") {\n      throw new Error(\"Popup is blocked\");\n    }\n  } catch {\n    // Accessing the popup's properties throws an error if the popup is blocked\n    return true;\n  }\n\n  // Close the popup immediately if it was opened\n  popup.close();\n  return false;\n};\n\nconst cn = (...inputs: ClassValue[]) => {\n  return twMerge(clsx(inputs));\n};\n\n// This type narrows T as far as it can by:\n// - removing all keys where the value is `undefined`\n// - making keys that are not undefined required\n// So, for example: given { a: string | undefined, b: string | undefined },\n// if you pass in { a: \"foo\" }, it returns an object of type: { a: string }\ntype WithoutUndefined<T> = {\n  [K in keyof T as undefined extends T[K] ? never : K]: T[K];\n};\nexport const withoutUndefined = <T extends { [K in keyof T]: unknown }>(\n  obj: T,\n): WithoutUndefined<T> => {\n  const result = {} as WithoutUndefined<T>;\n\n  for (const key in obj) {\n    if (obj[key] !== undefined) {\n      // TypeScript needs assurance that key is a valid key in WithoutUndefined<T>\n      // We use type assertion here\n      // eslint-disable-next-line @typescript-eslint/no-explicit-any\n      (result as any)[key] = obj[key];\n    }\n  }\n\n  return result;\n};\n\nexport { cn, isPopupBlocked };\n","export enum NextjsServerCookies {\n  ID_TOKEN = \"id_token\",\n  ACCESS_TOKEN = \"access_token\",\n  REFRESH_TOKEN = \"refresh_token\",\n}\n\nexport enum NextjsClientCookies {\n  USER = \"user\",\n}\n","// Utility functions shared by auth server and client integrations\n// Typically these functions should be used inside AuthenticationInitiator and AuthenticationResolver implementations\n\nimport {\n  Endpoints,\n  JWTPayload,\n  OIDCTokenResponseBody,\n  ParsedTokens,\n} from \"@/types.js\";\nimport { NextjsServerCookies } from \"./types\";\nimport { OAuth2Client } from \"oslo/oauth2\";\nimport { getIssuerVariations, getOauthEndpoints } from \"@/lib/oauth.js\";\nimport * as jose from \"jose\";\nimport { withoutUndefined } from \"@/utils.js\";\nimport { AuthStorage } from \"@/shared/storage.js\";\nimport { PKCEConsumer, PKCEProducer } from \"@/services/types.js\";\n\n/**\n * Given a PKCE code verifier, derive the code challenge using SHA\n */\nexport async function deriveCodeChallenge(\n  codeVerifier: string,\n  method: \"Plain\" | \"S256\" = \"S256\",\n): Promise<string> {\n  if (method === \"Plain\") {\n    console.warn(\"Using insecure plain code challenge method\");\n    return codeVerifier;\n  }\n\n  const encoder = new TextEncoder();\n  const data = encoder.encode(codeVerifier);\n  const digest = await crypto.subtle.digest(\"SHA-256\", data);\n  return btoa(String.fromCharCode(...new Uint8Array(digest)))\n    .replace(/\\+/g, \"-\")\n    .replace(/\\//g, \"_\")\n    .replace(/=+$/, \"\");\n}\n\nexport async function getEndpointsWithOverrides(\n  oauthServer: string,\n  endpointOverrides: Partial<Endpoints> = {},\n) {\n  const endpoints = await getOauthEndpoints(oauthServer);\n  return {\n    ...endpoints,\n    ...endpointOverrides,\n  };\n}\n\nexport async function generateOauthLoginUrl(config: {\n  clientId: string;\n  scopes: string[];\n  state: string;\n  redirectUrl: string;\n  oauthServer: string;\n  endpointOverrides?: Partial<Endpoints>;\n  // used to get the PKCE challenge\n  pkceConsumer: PKCEConsumer;\n}): Promise<URL> {\n  const endpoints = await getEndpointsWithOverrides(\n    config.oauthServer,\n    config.endpointOverrides,\n  );\n  const oauth2Client = buildOauth2Client(\n    config.clientId,\n    config.redirectUrl,\n    endpoints,\n  );\n  const challenge = await config.pkceConsumer.getCodeChallenge();\n  const oAuthUrl = await oauth2Client.createAuthorizationURL({\n    state: config.state,\n    scopes: config.scopes,\n  });\n  // The OAuth2 client supports PKCE, but does not allow passing in a code challenge from some other source\n  // It only allows passing in a code verifier which it then hashes itself.\n  oAuthUrl.searchParams.append(\"code_challenge\", challenge);\n  oAuthUrl.searchParams.append(\"code_challenge_method\", \"S256\");\n  return oAuthUrl;\n}\n\nexport async function generateOauthLogoutUrl(config: {\n  clientId: string;\n  scopes: string[];\n  oauthServer: string;\n  endpointOverrides?: Partial<Endpoints>;\n  // used to get the PKCE challenge\n  pkceConsumer: PKCEConsumer;\n}): Promise<URL> {\n  // TODO\n  console.log(config);\n  return new URL(\"http://localhost\");\n}\n\nexport function buildOauth2Client(\n  clientId: string,\n  redirectUri: string,\n  endpoints: Endpoints,\n): OAuth2Client {\n  return new OAuth2Client(\n    clientId,\n    endpoints.auth,\n    endpoints.token,\n    // this\n    { redirectURI: redirectUri },\n  );\n}\n\nexport async function exchangeTokens(\n  code: string,\n  state: string,\n  pkceProducer: PKCEProducer,\n  oauth2Client: OAuth2Client,\n  oauthServer: string,\n  endpoints: Endpoints,\n) {\n  const codeVerifier = await pkceProducer.getCodeVerifier();\n  if (!codeVerifier) throw new Error(\"Code verifier not found in state\");\n\n  const tokens =\n    await oauth2Client.validateAuthorizationCode<OIDCTokenResponseBody>(code, {\n      codeVerifier,\n    });\n\n  // Validate relevant tokens\n  try {\n    await validateOauth2Tokens(tokens, endpoints, oauth2Client, oauthServer);\n  } catch (error) {\n    console.error(\"tokenExchange error\", { error, tokens });\n    throw new Error(\n      `OIDC tokens validation failed: ${(error as Error).message}`,\n    );\n  }\n\n  return tokens;\n}\n\nexport function storeTokens(\n  storage: AuthStorage,\n  tokens: OIDCTokenResponseBody,\n) {\n  // store tokens in storage ( TODO we should probably store them against the state to allow multiple logins )\n  storage.set(NextjsServerCookies.ID_TOKEN, tokens.id_token);\n  storage.set(NextjsServerCookies.ACCESS_TOKEN, tokens.access_token);\n  if (tokens.refresh_token)\n    storage.set(NextjsServerCookies.REFRESH_TOKEN, tokens.refresh_token);\n}\n\nexport function clearTokens(storage: AuthStorage) {\n  Object.values(NextjsServerCookies).forEach((cookie) => {\n    storage.set(cookie, \"\");\n  });\n}\n\nexport function retrieveTokens(\n  storage: AuthStorage,\n): OIDCTokenResponseBody | null {\n  const idToken = storage.get(NextjsServerCookies.ID_TOKEN);\n  const accessToken = storage.get(NextjsServerCookies.ACCESS_TOKEN);\n  const refreshToken = storage.get(NextjsServerCookies.REFRESH_TOKEN);\n\n  if (!idToken || !accessToken) return null;\n\n  return {\n    id_token: idToken,\n    access_token: accessToken,\n    refresh_token: refreshToken ?? undefined,\n  };\n}\n\nexport async function validateOauth2Tokens(\n  tokens: OIDCTokenResponseBody,\n  endpoints: Endpoints,\n  oauth2Client: OAuth2Client,\n  oauthServer: string,\n): Promise<ParsedTokens> {\n  const JWKS = jose.createRemoteJWKSet(new URL(endpoints.jwks));\n\n  // validate the ID token\n  const idTokenResponse = await jose.jwtVerify<JWTPayload>(\n    tokens.id_token,\n    JWKS,\n    {\n      issuer: getIssuerVariations(oauthServer),\n      audience: oauth2Client.clientId,\n    },\n  );\n\n  // validate the access token\n  const accessTokenResponse = await jose.jwtVerify<JWTPayload>(\n    tokens.access_token,\n    JWKS,\n    {\n      issuer: getIssuerVariations(oauthServer),\n    },\n  );\n\n  return withoutUndefined({\n    id_token: idTokenResponse.payload,\n    access_token: accessTokenResponse.payload,\n    refresh_token: tokens.refresh_token,\n  });\n}\n","import { DisplayMode, Endpoints, OpenIdConfiguration } from \"@/types\";\nimport { v4 as uuid } from \"uuid\";\n\nconst getIssuerVariations = (issuer: string): string[] => {\n  const issuerWithoutSlash = issuer.endsWith(\"/\")\n    ? issuer.slice(0, issuer.length - 1)\n    : issuer;\n\n  const issuerWithSlash = `${issuerWithoutSlash}/`;\n\n  return [issuerWithoutSlash, issuerWithSlash];\n};\n\nconst addSlashIfNeeded = (url: string): string =>\n  url.endsWith(\"/\") ? url : `${url}/`;\n\nconst getOauthEndpoints = async (oauthServer: string): Promise<Endpoints> => {\n  const openIdConfigResponse = await fetch(\n    `${addSlashIfNeeded(oauthServer)}.well-known/openid-configuration`,\n  );\n  const openIdConfig =\n    (await openIdConfigResponse.json()) as OpenIdConfiguration;\n  return {\n    jwks: openIdConfig.jwks_uri,\n    auth: openIdConfig.authorization_endpoint,\n    token: openIdConfig.token_endpoint,\n    userinfo: openIdConfig.userinfo_endpoint,\n  };\n};\n\n/**\n * creates a state string for the OAuth2 flow, encoding the display mode too for future use\n * @param {DisplayMode} displayMode\n * @returns {string}\n */\nconst generateState = (displayMode: DisplayMode): string => {\n  const jsonString = JSON.stringify({\n    uuid: uuid(),\n    displayMode,\n  });\n\n  return btoa(jsonString);\n};\n\n/**\n * parses the state string from the OAuth2 flow, decoding the display mode too\n * @param state\n * @param sessionDisplayMode\n * @returns { uuid: string, displayMode: DisplayMode }\n */\nconst displayModeFromState = (\n  state: string,\n  sessionDisplayMode: DisplayMode | undefined,\n): DisplayMode | undefined => {\n  try {\n    const jsonString = btoa(state);\n\n    return JSON.parse(jsonString).displayMode;\n  } catch (e) {\n    console.error(\"Failed to parse displayMode from state:\", state);\n    return sessionDisplayMode;\n  }\n};\n\nexport {\n  getIssuerVariations,\n  getOauthEndpoints,\n  displayModeFromState,\n  generateState,\n};\n","const DEFAULT_SCOPES = [\n  \"openid\",\n  \"profile\",\n  \"email\",\n  \"forwardedTokens\",\n  \"offline_access\",\n];\nconst IFRAME_ID = \"civic-auth-iframe\";\n\nconst AUTH_SERVER = \"https://auth-dev.civic.com/oauth\";\n\nexport { DEFAULT_SCOPES, IFRAME_ID, AUTH_SERVER };\n"]}

package/dist/chunk-WPISYQG3.js

@@ -0,0 +1,154 @@
+"use strict";Object.defineProperty(exports, "__esModule", {value: true}); function _interopRequireDefault(obj) { return obj && obj.__esModule ? obj : { default: obj }; }
+
+
+var _chunkCRTRMMJ7js = require('./chunk-CRTRMMJ7.js');
+
+// src/lib/logger.ts
+var _debug = require('debug'); var _debug2 = _interopRequireDefault(_debug);
+var PACKAGE_NAME = "@civic/auth";
+var DebugLogger = class {
+  constructor(namespace) {
+    this.debugLogger = _debug2.default.call(void 0, `${PACKAGE_NAME}:${namespace}:debug`);
+    this.infoLogger = _debug2.default.call(void 0, `${PACKAGE_NAME}:${namespace}:info`);
+    this.warnLogger = _debug2.default.call(void 0, `${PACKAGE_NAME}:${namespace}:warn`);
+    this.errorLogger = _debug2.default.call(void 0, `${PACKAGE_NAME}:${namespace}:error`);
+    this.debugLogger.color = "4";
+    this.infoLogger.color = "2";
+    this.warnLogger.color = "3";
+    this.errorLogger.color = "1";
+  }
+  debug(message, ...args) {
+    this.debugLogger(message, ...args);
+  }
+  info(message, ...args) {
+    this.infoLogger(message, ...args);
+  }
+  warn(message, ...args) {
+    this.warnLogger(message, ...args);
+  }
+  error(message, ...args) {
+    this.errorLogger(message, ...args);
+  }
+};
+var createLogger = (namespace) => new DebugLogger(namespace);
+var loggers = {
+  // Next.js specific loggers
+  nextjs: {
+    routes: createLogger("api:routes"),
+    middleware: createLogger("api:middleware"),
+    handlers: {
+      auth: createLogger("api:handlers:auth")
+    }
+  },
+  // React specific loggers
+  react: {
+    components: createLogger("react:components"),
+    hooks: createLogger("react:hooks"),
+    context: createLogger("react:context")
+  },
+  // Shared utilities loggers
+  services: {
+    validation: createLogger("utils:validation"),
+    network: createLogger("utils:network")
+  }
+};
+
+// src/nextjs/config.ts
+var logger = loggers.nextjs.handlers.auth;
+var defaultAuthConfig = {
+  oauthServer: "https://auth-dev.civic.com/oauth",
+  callbackUrl: "/api/auth/callback",
+  challengeUrl: "/api/auth/challenge",
+  logoutUrl: "/api/auth/logout",
+  loginUrl: "/",
+  include: ["/*"],
+  exclude: [],
+  cookies: {
+    tokens: {
+      sameSite: "strict",
+      path: "/",
+      maxAge: 60 * 60
+      // 1 hour
+    },
+    user: {
+      sameSite: "strict",
+      path: "/",
+      maxAge: 60 * 60
+      // 1 hour
+    }
+  }
+};
+var withoutUndefined = (obj) => {
+  const result = {};
+  for (const key in obj) {
+    if (obj[key] !== void 0) {
+      result[key] = obj[key];
+    }
+  }
+  return result;
+};
+var resolveAuthConfig = (config = {}) => {
+  var _a, _b, _c, _d;
+  const configFromEnv = withoutUndefined({
+    clientId: process.env._civic_auth_client_id,
+    oauthServer: process.env._civic_oauth_server,
+    callbackUrl: process.env._civic_auth_callback_url,
+    challengeUrl: process.env._civic_auth_challenge_url,
+    loginUrl: process.env._civic_auth_login_url,
+    appUrl: process.env._civic_auth_app_url,
+    logoutUrl: process.env._civic_auth_logout_url,
+    include: (_a = process.env._civic_auth_includes) == null ? void 0 : _a.split(","),
+    exclude: (_b = process.env._civic_auth_excludes) == null ? void 0 : _b.split(","),
+    cookies: process.env._civic_auth_cookie_config ? JSON.parse(process.env._civic_auth_cookie_config) : void 0
+  });
+  const mergedConfig = _chunkCRTRMMJ7js.__spreadProps.call(void 0, _chunkCRTRMMJ7js.__spreadValues.call(void 0, _chunkCRTRMMJ7js.__spreadValues.call(void 0, _chunkCRTRMMJ7js.__spreadValues.call(void 0, {}, defaultAuthConfig), configFromEnv), config), {
+    // Override with directly passed config
+    cookies: {
+      tokens: _chunkCRTRMMJ7js.__spreadValues.call(void 0, _chunkCRTRMMJ7js.__spreadValues.call(void 0, {}, defaultAuthConfig.cookies.tokens), ((_c = config.cookies) == null ? void 0 : _c.tokens) || {}),
+      user: _chunkCRTRMMJ7js.__spreadValues.call(void 0, _chunkCRTRMMJ7js.__spreadValues.call(void 0, {}, defaultAuthConfig.cookies.user), ((_d = config.cookies) == null ? void 0 : _d.user) || {})
+    }
+  });
+  logger.debug("Config from environment:", configFromEnv);
+  logger.debug("Resolved config:", mergedConfig);
+  if (mergedConfig.clientId === void 0) {
+    throw new Error("Civic Auth client ID is required");
+  }
+  return mergedConfig;
+};
+var createCivicAuthPlugin = (clientId, authConfig = {}) => {
+  return (nextConfig) => {
+    const resolvedConfig = resolveAuthConfig(_chunkCRTRMMJ7js.__spreadProps.call(void 0, _chunkCRTRMMJ7js.__spreadValues.call(void 0, {}, authConfig), { clientId }));
+    return _chunkCRTRMMJ7js.__spreadProps.call(void 0, _chunkCRTRMMJ7js.__spreadValues.call(void 0, {}, nextConfig), {
+      env: _chunkCRTRMMJ7js.__spreadProps.call(void 0, _chunkCRTRMMJ7js.__spreadValues.call(void 0, {}, nextConfig == null ? void 0 : nextConfig.env), {
+        // Internal environment variables - do not set these manually
+        _civic_auth_client_id: clientId,
+        _civic_oauth_server: resolvedConfig.oauthServer,
+        _civic_auth_callback_url: resolvedConfig.callbackUrl,
+        _civic_auth_challenge_url: resolvedConfig.challengeUrl,
+        _civic_auth_login_url: resolvedConfig.loginUrl,
+        _civic_auth_logout_url: resolvedConfig.logoutUrl,
+        _civic_auth_app_url: resolvedConfig.appUrl,
+        _civic_auth_includes: resolvedConfig.include.join(","),
+        _civic_auth_excludes: resolvedConfig.exclude.join(","),
+        _civic_auth_cookie_config: JSON.stringify(resolvedConfig.cookies)
+      })
+    });
+  };
+};
+
+// src/nextjs/utils.ts
+var resolveCallbackUrl = (config, alternativeUrl) => {
+  var _a;
+  const baseUrl = (_a = config.appUrl) != null ? _a : alternativeUrl;
+  const callbackUrl = new URL(config == null ? void 0 : config.callbackUrl, baseUrl).toString();
+  return callbackUrl.toString();
+};
+
+
+
+
+
+
+
+exports.loggers = loggers; exports.defaultAuthConfig = defaultAuthConfig; exports.resolveAuthConfig = resolveAuthConfig; exports.createCivicAuthPlugin = createCivicAuthPlugin; exports.resolveCallbackUrl = resolveCallbackUrl;
+//# sourceMappingURL=chunk-WPISYQG3.js.map

package/dist/chunk-WPISYQG3.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["/Users/lucas/dev/civic/civic-auth/packages/civic-auth-client/dist/chunk-WPISYQG3.js","../src/lib/logger.ts","../src/nextjs/config.ts","../src/nextjs/utils.ts"],"names":[],"mappings":"AAAA;AACE;AACA;AACF,sDAA4B;AAC5B;AACA;ACLA,4EAAkB;AAElB,IAAM,aAAA,EAAe,aAAA;AASrB,IAAM,YAAA,EAAN,MAAoC;AAAA,EAMlC,WAAA,CAAY,SAAA,EAAmB;AAE7B,IAAA,IAAA,CAAK,YAAA,EAAc,6BAAA,CAAM,EAAA;AACD,IAAA;AACA,IAAA;AACC,IAAA;AAEA,IAAA;AACD,IAAA;AACA,IAAA;AACC,IAAA;AAC3B,EAAA;AAEiD,EAAA;AACrB,IAAA;AAC5B,EAAA;AAEgD,EAAA;AACrB,IAAA;AAC3B,EAAA;AAEgD,EAAA;AACrB,IAAA;AAC3B,EAAA;AAEiD,EAAA;AACrB,IAAA;AAC5B,EAAA;AACF;AAE6B;AAIN;AAAA;AAEb,EAAA;AACe,IAAA;AACI,IAAA;AACf,IAAA;AACW,MAAA;AACrB,IAAA;AACF,EAAA;AAAA;AAEO,EAAA;AACoB,IAAA;AACL,IAAA;AACE,IAAA;AACxB,EAAA;AAAA;AAEU,EAAA;AACiB,IAAA;AACH,IAAA;AACxB,EAAA;AACF;ADjB8B;AACA;AElDA;AAiC6C;AAC5D,EAAA;AACA,EAAA;AACC,EAAA;AACH,EAAA;AACD,EAAA;AACI,EAAA;AACJ,EAAA;AACD,EAAA;AACC,IAAA;AACI,MAAA;AACJ,MAAA;AACO,MAAA;AAAA;AACf,IAAA;AACM,IAAA;AACM,MAAA;AACJ,MAAA;AACO,MAAA;AAAA;AACf,IAAA;AACF,EAAA;AACF;AAGE;AAE4B,EAAA;AACL,EAAA;AACO,IAAA;AACL,MAAA;AACvB,IAAA;AACF,EAAA;AACO,EAAA;AACT;AAoBE;AA1FF,EAAA;AA6FwB,EAAA;AACE,IAAA;AACG,IAAA;AACA,IAAA;AACC,IAAA;AACJ,IAAA;AACF,IAAA;AACG,IAAA;AACN,IAAA;AACA,IAAA;AACI,IAAA;AAGtB,EAAA;AAEoB,EAAA;AAAA;AAIV,IAAA;AACC,MAAA;AAIF,MAAA;AAIR,IAAA;AACF,EAAA;AAEa,EAAA;AACA,EAAA;AACI,EAAA;AACC,IAAA;AAClB,EAAA;AACO,EAAA;AACT;AA0BE;AAGoC,EAAA;AACX,IAAA;AAChB,IAAA;AAEA,MAAA;AAAA;AAGH,QAAA;AACqB,QAAA;AACrB,QAAA;AACA,QAAA;AACA,QAAA;AACA,QAAA;AACqB,QAAA;AACC,QAAA;AACA,QAAA;AACtB,QAAA;AACF,MAAA;AACF,IAAA;AACF,EAAA;AACF;AF1C8B;AACA;AGvI5B;AAHF,EAAA;AAMkB,EAAA;AACY,EAAA;AACA,EAAA;AAC9B;AHwI8B;AACA;AACA;AACA;AACA;AACA;AACA;AACA","file":"/Users/lucas/dev/civic/civic-auth/packages/civic-auth-client/dist/chunk-WPISYQG3.js","sourcesContent":[null,"import debug from \"debug\";\n\nconst PACKAGE_NAME = \"@civic/auth\";\n\nexport interface Logger {\n  debug(message: string, ...args: unknown[]): void;\n  info(message: string, ...args: unknown[]): void;\n  warn(message: string, ...args: unknown[]): void;\n  error(message: string, ...args: unknown[]): void;\n}\n\nclass DebugLogger implements Logger {\n  private debugLogger: debug.Debugger;\n  private infoLogger: debug.Debugger;\n  private warnLogger: debug.Debugger;\n  private errorLogger: debug.Debugger;\n\n  constructor(namespace: string) {\n    // Format: @org/package:library:component:level\n    this.debugLogger = debug(`${PACKAGE_NAME}:${namespace}:debug`);\n    this.infoLogger = debug(`${PACKAGE_NAME}:${namespace}:info`);\n    this.warnLogger = debug(`${PACKAGE_NAME}:${namespace}:warn`);\n    this.errorLogger = debug(`${PACKAGE_NAME}:${namespace}:error`);\n\n    this.debugLogger.color = \"4\";\n    this.infoLogger.color = \"2\";\n    this.warnLogger.color = \"3\";\n    this.errorLogger.color = \"1\";\n  }\n\n  debug(message: string, ...args: unknown[]): void {\n    this.debugLogger(message, ...args);\n  }\n\n  info(message: string, ...args: unknown[]): void {\n    this.infoLogger(message, ...args);\n  }\n\n  warn(message: string, ...args: unknown[]): void {\n    this.warnLogger(message, ...args);\n  }\n\n  error(message: string, ...args: unknown[]): void {\n    this.errorLogger(message, ...args);\n  }\n}\n\nexport const createLogger = (namespace: string): Logger =>\n  new DebugLogger(namespace);\n\n// Pre-configured loggers for different parts of your package\nexport const loggers = {\n  // Next.js specific loggers\n  nextjs: {\n    routes: createLogger(\"api:routes\"),\n    middleware: createLogger(\"api:middleware\"),\n    handlers: {\n      auth: createLogger(\"api:handlers:auth\"),\n    },\n  },\n  // React specific loggers\n  react: {\n    components: createLogger(\"react:components\"),\n    hooks: createLogger(\"react:hooks\"),\n    context: createLogger(\"react:context\"),\n  },\n  // Shared utilities loggers\n  services: {\n    validation: createLogger(\"utils:validation\"),\n    network: createLogger(\"utils:network\"),\n  },\n} as const;\n","/* eslint-disable turbo/no-undeclared-env-vars */\n\"use server\";\nimport { NextConfig } from \"next\";\nimport { loggers } from \"@/lib/logger\";\n\nconst logger = loggers.nextjs.handlers.auth;\n\nexport interface CookieConfig {\n  secure?: boolean;\n  sameSite?: \"strict\" | \"lax\" | \"none\";\n  domain?: string;\n  path?: string;\n  maxAge?: number;\n}\n\nexport type AuthConfigWithDefaults = {\n  clientId: string;\n  oauthServer: string;\n  callbackUrl: string;\n  loginUrl: string;\n  logoutUrl: string;\n  appUrl?: string;\n  challengeUrl: string;\n  include: string[];\n  exclude: string[];\n  cookies: {\n    tokens: CookieConfig;\n    user: CookieConfig;\n  };\n};\n\nexport type AuthConfig = Partial<AuthConfigWithDefaults>;\n\nexport type DefinedAuthConfig = AuthConfigWithDefaults;\n\n/**\n * Default configuration values that will be used if not overridden\n */\nexport const defaultAuthConfig: Omit<AuthConfigWithDefaults, \"clientId\"> = {\n  oauthServer: \"https://auth-dev.civic.com/oauth\",\n  callbackUrl: \"/api/auth/callback\",\n  challengeUrl: \"/api/auth/challenge\",\n  logoutUrl: \"/api/auth/logout\",\n  loginUrl: \"/\",\n  include: [\"/*\"],\n  exclude: [],\n  cookies: {\n    tokens: {\n      sameSite: \"strict\",\n      path: \"/\",\n      maxAge: 60 * 60, // 1 hour\n    },\n    user: {\n      sameSite: \"strict\",\n      path: \"/\",\n      maxAge: 60 * 60, // 1 hour\n    },\n  },\n};\n\nconst withoutUndefined = <T extends { [k: string]: unknown }>(\n  obj: T,\n): Partial<T> => {\n  const result: Partial<T> = {};\n  for (const key in obj) {\n    if (obj[key] !== undefined) {\n      result[key] = obj[key];\n    }\n  }\n  return result;\n};\n\n/**\n * Resolves the authentication configuration by combining:\n * 1. Default values\n * 2. Environment variables (set internally by the plugin)\n * 3. Explicitly passed configuration\n *\n * Note: Developers should not set _civic_auth_* environment variables directly.\n * Instead, pass configuration to the createCivicAuthPlugin in next.config.js:\n *\n * @example\n * ```js\n * // next.config.js\n * export default createCivicAuthPlugin({\n *   callbackUrl: '/custom/callback',\n * })\n * ```\n */\nexport const resolveAuthConfig = (\n  config: AuthConfig = {},\n): AuthConfigWithDefaults & { clientId: string } => {\n  // Read configuration that was set by the plugin via environment variables\n  const configFromEnv = withoutUndefined({\n    clientId: process.env._civic_auth_client_id,\n    oauthServer: process.env._civic_oauth_server,\n    callbackUrl: process.env._civic_auth_callback_url,\n    challengeUrl: process.env._civic_auth_challenge_url,\n    loginUrl: process.env._civic_auth_login_url,\n    appUrl: process.env._civic_auth_app_url,\n    logoutUrl: process.env._civic_auth_logout_url,\n    include: process.env._civic_auth_includes?.split(\",\"),\n    exclude: process.env._civic_auth_excludes?.split(\",\"),\n    cookies: process.env._civic_auth_cookie_config\n      ? JSON.parse(process.env._civic_auth_cookie_config)\n      : undefined,\n  });\n\n  const mergedConfig = {\n    ...defaultAuthConfig,\n    ...configFromEnv, // Apply plugin-set config\n    ...config, // Override with directly passed config\n    cookies: {\n      tokens: {\n        ...defaultAuthConfig.cookies.tokens,\n        ...(config.cookies?.tokens || {}),\n      },\n      user: {\n        ...defaultAuthConfig.cookies.user,\n        ...(config.cookies?.user || {}),\n      },\n    },\n  };\n\n  logger.debug(\"Config from environment:\", configFromEnv);\n  logger.debug(\"Resolved config:\", mergedConfig);\n  if (mergedConfig.clientId === undefined) {\n    throw new Error(\"Civic Auth client ID is required\");\n  }\n  return mergedConfig as AuthConfigWithDefaults & { clientId: string };\n};\n\n/**\n * Creates a Next.js plugin that handles auth configuration.\n *\n * This is the main configuration point for the auth system.\n * Do not set _civic_auth_* environment variables directly - instead,\n * pass your configuration here:\n *\n * @example\n * ```js\n * // next.config.js\n * export tefault createCivicAuthPlugin({\n *   clientId: 'my-client-id',\n *   callbackUrl: '/custom/callback',\n *   loginUrl: '/custom/login',\n *   logoutUrl: '/custom/logout',\n *   include: ['/protected/*'],\n *   exclude: ['/public/*']\n * })\n * ```\n *\n * The plugin sets internal environment variables that are used by\n * the auth system. These variables should not be set manually.\n */\nexport const createCivicAuthPlugin = (\n  clientId: string,\n  authConfig: AuthConfig = {},\n) => {\n  return (nextConfig?: NextConfig) => {\n    const resolvedConfig = resolveAuthConfig({ ...authConfig, clientId });\n    return {\n      ...nextConfig,\n      env: {\n        ...nextConfig?.env,\n        // Internal environment variables - do not set these manually\n        _civic_auth_client_id: clientId,\n        _civic_oauth_server: resolvedConfig.oauthServer,\n        _civic_auth_callback_url: resolvedConfig.callbackUrl,\n        _civic_auth_challenge_url: resolvedConfig.challengeUrl,\n        _civic_auth_login_url: resolvedConfig.loginUrl,\n        _civic_auth_logout_url: resolvedConfig.logoutUrl,\n        _civic_auth_app_url: resolvedConfig.appUrl,\n        _civic_auth_includes: resolvedConfig.include.join(\",\"),\n        _civic_auth_excludes: resolvedConfig.exclude.join(\",\"),\n        _civic_auth_cookie_config: JSON.stringify(resolvedConfig.cookies),\n      },\n    };\n  };\n};\n","import { AuthConfigWithDefaults } from \"@/nextjs/config\";\n\nexport const resolveCallbackUrl = (\n  config: AuthConfigWithDefaults,\n  alternativeUrl?: string,\n): string => {\n  const baseUrl = config.appUrl ?? alternativeUrl;\n  const callbackUrl = new URL(config?.callbackUrl, baseUrl).toString();\n  return callbackUrl.toString();\n};\n"]}

package/dist/index-DoDoIY_K.d.mts

@@ -0,0 +1,79 @@
+import { TokenResponseBody } from 'oslo/oauth2';
+import { JWT } from 'oslo/jwt';
+
+type UnknownObject = Record<string, unknown>;
+type EmptyObject = Record<string, never>;
+type DisplayMode = "iframe" | "redirect" | "new_tab" | "custom_tab";
+interface AuthSessionService {
+    loadAuthorizationUrl(authorizationURL: string, displayMode: DisplayMode): void;
+    getAuthorizationUrl(scopes: string[], overrideDisplayMode: DisplayMode, nonce?: string): Promise<string>;
+    signIn(displayMode: DisplayMode, scopes: string[], nonce?: string): Promise<void>;
+    tokenExchange(responseUrl: string): Promise<SessionData>;
+    getSessionData(): SessionData;
+    updateSessionData(data: SessionData): void;
+    getUserInfoService(): Promise<UserInfoService>;
+}
+interface UserInfoService {
+    getUserInfo<T extends UnknownObject>(accessToken: string, idToken: string | null): Promise<User<T> | null>;
+}
+type Endpoints = {
+    jwks: string;
+    auth: string;
+    token: string;
+    userinfo: string;
+    challenge?: string;
+};
+type Config = {
+    oauthServer: string;
+    endpoints?: Endpoints;
+};
+type SessionData = {
+    authenticated: boolean;
+    state?: string;
+    accessToken?: string;
+    refreshToken?: string;
+    idToken?: string;
+    timestamp?: number;
+    expiresIn?: number;
+    codeVerifier?: string;
+    displayMode?: DisplayMode;
+    openerUrl?: string;
+};
+type OIDCTokenResponseBody = TokenResponseBody & {
+    id_token: string;
+};
+type ParsedTokens = {
+    id_token: JWTPayload;
+    access_token: JWTPayload;
+    refresh_token?: string;
+};
+type ForwardedTokens = Record<string, {
+    idToken?: string;
+    accessToken?: string;
+    refreshToken?: string;
+}>;
+type JWTPayload = JWT["payload"] & {
+    iss: string;
+    aud: string;
+    sub: string;
+    iat: number;
+    exp: number;
+};
+type Tokens = {
+    idToken: string;
+    accessToken: string;
+    refreshToken: string;
+    forwardedTokens: ForwardedTokens;
+};
+type BaseUser = {
+    id: string;
+    email?: string;
+    name?: string;
+    given_name?: string;
+    family_name?: string;
+    picture?: string;
+    updated_at?: Date;
+};
+type User<T extends UnknownObject = EmptyObject> = BaseUser & Tokens & T;
+
+export type { AuthSessionService as A, Config as C, DisplayMode as D, Endpoints as E, ForwardedTokens as F, OIDCTokenResponseBody as O, ParsedTokens as P, SessionData as S, Tokens as T, User as U, UnknownObject as a, UserInfoService as b };

package/dist/index-DoDoIY_K.d.ts

@@ -0,0 +1,79 @@
+import { TokenResponseBody } from 'oslo/oauth2';
+import { JWT } from 'oslo/jwt';
+
+type UnknownObject = Record<string, unknown>;
+type EmptyObject = Record<string, never>;
+type DisplayMode = "iframe" | "redirect" | "new_tab" | "custom_tab";
+interface AuthSessionService {
+    loadAuthorizationUrl(authorizationURL: string, displayMode: DisplayMode): void;
+    getAuthorizationUrl(scopes: string[], overrideDisplayMode: DisplayMode, nonce?: string): Promise<string>;
+    signIn(displayMode: DisplayMode, scopes: string[], nonce?: string): Promise<void>;
+    tokenExchange(responseUrl: string): Promise<SessionData>;
+    getSessionData(): SessionData;
+    updateSessionData(data: SessionData): void;
+    getUserInfoService(): Promise<UserInfoService>;
+}
+interface UserInfoService {
+    getUserInfo<T extends UnknownObject>(accessToken: string, idToken: string | null): Promise<User<T> | null>;
+}
+type Endpoints = {
+    jwks: string;
+    auth: string;
+    token: string;
+    userinfo: string;
+    challenge?: string;
+};
+type Config = {
+    oauthServer: string;
+    endpoints?: Endpoints;
+};
+type SessionData = {
+    authenticated: boolean;
+    state?: string;
+    accessToken?: string;
+    refreshToken?: string;
+    idToken?: string;
+    timestamp?: number;
+    expiresIn?: number;
+    codeVerifier?: string;
+    displayMode?: DisplayMode;
+    openerUrl?: string;
+};
+type OIDCTokenResponseBody = TokenResponseBody & {
+    id_token: string;
+};
+type ParsedTokens = {
+    id_token: JWTPayload;
+    access_token: JWTPayload;
+    refresh_token?: string;
+};
+type ForwardedTokens = Record<string, {
+    idToken?: string;
+    accessToken?: string;
+    refreshToken?: string;
+}>;
+type JWTPayload = JWT["payload"] & {
+    iss: string;
+    aud: string;
+    sub: string;
+    iat: number;
+    exp: number;
+};
+type Tokens = {
+    idToken: string;
+    accessToken: string;
+    refreshToken: string;
+    forwardedTokens: ForwardedTokens;
+};
+type BaseUser = {
+    id: string;
+    email?: string;
+    name?: string;
+    given_name?: string;
+    family_name?: string;
+    picture?: string;
+    updated_at?: Date;
+};
+type User<T extends UnknownObject = EmptyObject> = BaseUser & Tokens & T;
+
+export type { AuthSessionService as A, Config as C, DisplayMode as D, Endpoints as E, ForwardedTokens as F, OIDCTokenResponseBody as O, ParsedTokens as P, SessionData as S, Tokens as T, User as U, UnknownObject as a, UserInfoService as b };