npm - @civic/auth - Versions diffs - 0.11.8-beta.2 → 0.11.9-beta.0 - Mend

@civic/auth 0.11.8-beta.2 → 0.11.9-beta.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (24) hide show

package/dist/nextjs/hooks/useInitialAuthConfig.d.ts.map +1 -1
package/dist/nextjs/hooks/useInitialAuthConfig.js +4 -2
package/dist/nextjs/hooks/useInitialAuthConfig.js.map +1 -1
package/dist/nextjs/routeHandler.d.ts.map +1 -1
package/dist/nextjs/routeHandler.js +32 -0
package/dist/nextjs/routeHandler.js.map +1 -1
package/dist/react-router-7/routeHandler.d.ts +9 -0
package/dist/react-router-7/routeHandler.d.ts.map +1 -1
package/dist/react-router-7/routeHandler.js +37 -0
package/dist/react-router-7/routeHandler.js.map +1 -1
package/dist/server/config.d.ts +2 -0
package/dist/server/config.d.ts.map +1 -1
package/dist/server/config.js.map +1 -1
package/dist/shared/lib/util.d.ts.map +1 -1
package/dist/shared/lib/util.js +1 -0
package/dist/shared/lib/util.js.map +1 -1
package/dist/shared/version.d.ts +1 -1
package/dist/shared/version.js +1 -1
package/dist/shared/version.js.map +1 -1
package/dist/vanillajs/auth/CivicAuth.d.ts +31 -1
package/dist/vanillajs/auth/CivicAuth.d.ts.map +1 -1
package/dist/vanillajs/auth/CivicAuth.js +141 -88
package/dist/vanillajs/auth/CivicAuth.js.map +1 -1
package/package.json +1 -1

package/dist/shared/lib/util.js.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"util.js","sourceRoot":"","sources":["../../../src/shared/lib/util.ts"],"names":[],"mappings":"AAQA,OAAO,EACL,0BAA0B,EAC1B,mBAAmB,EACnB,eAAe,GAChB,MAAM,YAAY,CAAC;AACpB,OAAO,EAAE,YAAY,EAAE,MAAM,kCAAkC,CAAC;AAChE,OAAO,EAAE,gBAAgB,EAAE,iBAAiB,EAAE,MAAM,gBAAgB,CAAC;AACrE,OAAO,EAAE,gBAAgB,EAAE,MAAM,YAAY,CAAC;AAE9C,OAAO,EAAE,kBAAkB,EAAE,MAAM,6BAA6B,CAAC;AACjE,OAAO,EAAE,SAAS,EAAE,MAAM,MAAM,CAAC;AAEjC,OAAO,EACL,wBAAwB,EACxB,YAAY,EACZ,sBAAsB,EACtB,mBAAmB,GACpB,MAAM,gBAAgB,CAAC;AACxB,OAAO,EAAE,OAAO,EAAE,MAAM,iBAAiB,CAAC;AAE1C,OAAO,EAAE,MAAM,EAAsB,MAAM,oBAAoB,CAAC;AAEhE,MAAM,MAAM,GAAG,OAAO,CAAC,QAAQ,CAAC,UAAU,CAAC;AAC3C;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,mBAAmB,CACvC,YAAoB,EACpB,SAA2B,MAAM;IAEjC,IAAI,MAAM,KAAK,OAAO,EAAE,CAAC;QACvB,OAAO,CAAC,IAAI,CAAC,4CAA4C,CAAC,CAAC;QAC3D,OAAO,YAAY,CAAC;IACtB,CAAC;IAED,MAAM,OAAO,GAAG,IAAI,WAAW,EAAE,CAAC;IAClC,MAAM,IAAI,GAAG,OAAO,CAAC,MAAM,CAAC,YAAY,CAAC,CAAC;IAC1C,MAAM,MAAM,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,SAAS,EAAE,IAAI,CAAC,CAAC;IAC3D,OAAO,IAAI,CAAC,MAAM,CAAC,YAAY,CAAC,GAAG,IAAI,UAAU,CAAC,MAAM,CAAC,CAAC,CAAC;SACxD,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC;SACnB,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC;SACnB,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC;AACxB,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,yBAAyB,CAC7C,WAAmB,EACnB,oBAAwC,EAAE;IAE1C,MAAM,SAAS,GAAG,MAAM,iBAAiB,CAAC,WAAW,CAAC,CAAC;IACvD,OAAO;QACL,GAAG,SAAS;QACZ,GAAG,iBAAiB;KACrB,CAAC;AACJ,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,qBAAqB,CAAC,MAU3C;IACC,MAAM,SAAS,GAAG,MAAM,yBAAyB,CAC/C,MAAM,CAAC,WAAW,EAClB,MAAM,CAAC,iBAAiB,CACzB,CAAC;IACF,MAAM,YAAY,GAAG,iBAAiB,CACpC,MAAM,CAAC,QAAQ,EACf,MAAM,CAAC,WAAW,EAClB,SAAS,CACV,CAAC;IAEF,MAAM,QAAQ,GAAG,MAAM,YAAY,CAAC,sBAAsB,CAAC;QACzD,KAAK,EAAE,MAAM,CAAC,KAAK;QACnB,MAAM,EAAE,MAAM,CAAC,MAAM;KACtB,CAAC,CAAC;IAEH,yDAAyD;IACzD,IAAI,MAAM,CAAC,YAAY,EAAE,CAAC;QACxB,MAAM,SAAS,GAAG,MAAM,MAAM,CAAC,YAAY,CAAC,gBAAgB,EAAE,CAAC;QAC/D,yGAAyG;QACzG,yEAAyE;QACzE,QAAQ,CAAC,YAAY,CAAC,MAAM,CAAC,gBAAgB,EAAE,SAAS,CAAC,CAAC;QAC1D,QAAQ,CAAC,YAAY,CAAC,MAAM,CAAC,uBAAuB,EAAE,MAAM,CAAC,CAAC;IAChE,CAAC;IAED,IAAI,MAAM,CAAC,KAAK,EAAE,CAAC;QACjB,uDAAuD;QACvD,QAAQ,CAAC,YAAY,CAAC,MAAM,CAAC,OAAO,EAAE,MAAM,CAAC,KAAK,CAAC,CAAC;IACtD,CAAC;IACD,uDAAuD;IACvD,QAAQ,CAAC,YAAY,CAAC,MAAM,CAAC,QAAQ,EAAE,SAAS,CAAC,CAAC;IAElD,OAAO,QAAQ,CAAC;AAClB,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,sBAAsB,CAAC,MAO5C;IACC,MAAM,SAAS,GAAG,MAAM,yBAAyB,CAC/C,MAAM,CAAC,WAAW,EAClB,MAAM,CAAC,iBAAiB,CACzB,CAAC;IACF,MAAM,aAAa,GAAG,IAAI,GAAG,CAAC,SAAS,CAAC,UAAU,CAAC,CAAC;IACpD,aAAa,CAAC,YAAY,CAAC,MAAM,CAAC,WAAW,EAAE,MAAM,CAAC,QAAQ,CAAC,CAAC;IAChE,aAAa,CAAC,YAAY,CAAC,MAAM,CAAC,eAAe,EAAE,MAAM,CAAC,OAAO,CAAC,CAAC;IACnE,aAAa,CAAC,YAAY,CAAC,MAAM,CAAC,OAAO,EAAE,MAAM,CAAC,KAAK,CAAC,CAAC;IACzD,aAAa,CAAC,YAAY,CAAC,MAAM,CAC/B,0BAA0B,EAC1B,MAAM,CAAC,WAAW,CACnB,CAAC;IACF,OAAO,aAAa,CAAC;AACvB,CAAC;AAED,MAAM,UAAU,iBAAiB,CAC/B,QAAgB,EAChB,WAAmB,EACnB,SAAoB;IAEpB,OAAO,IAAI,YAAY,CAAC,QAAQ,EAAE,SAAS,CAAC,IAAI,EAAE,SAAS,CAAC,KAAK,EAAE;QACjE,WAAW,EAAE,WAAW;KACzB,CAAC,CAAC;AACL,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,cAAc,CAClC,IAAY,EACZ,KAAa,EACb,YAAiC,EACjC,YAA0B,EAC1B,UAA4B;IAE5B,kCAAkC;IAClC,MAAM,YAAY,GAAG,YAAY;QAC/B,CAAC,CAAC,MAAM,YAAY,CAAC,eAAe,EAAE;QACtC,CAAC,CAAC,IAAI,CAAC;IAET,wDAAwD;IACxD,IAAI,CAAC,YAAY,IAAI,CAAC,UAAU,CAAC,YAAY,EAAE,CAAC;QAC9C,MAAM,IAAI,KAAK,CACb,6DAA6D,CAC9D,CAAC;IACJ,CAAC;IAED,8CAA8C;IAC9C,MAAM,iBAAiB,GAA2B,EAAE,CAAC;IAErD,IAAI,YAAY,EAAE,CAAC;QACjB,iBAAiB,CAAC,YAAY,GAAG,YAAY,CAAC;IAChD,CAAC;IAED,IAAI,UAAU,CAAC,YAAY,EAAE,CAAC;QAC5B,iBAAiB,CAAC,WAAW,GAAG,UAAU,CAAC,YAAY,CAAC;QACxD,iBAAiB,CAAC,gBAAgB,GAAG,cAAc,CAAC,CAAC,gCAAgC;IACvF,CAAC;IAED,MAAM,MAAM,GAAG,CAAC,MAAM,YAAY,CAAC,yBAAyB,CAC1D,IAAI,EACJ,iBAAiB,CAClB,CAA0B,CAAC;IAE5B,2BAA2B;IAC3B,IAAI,CAAC;QACH,MAAM,oBAAoB,CAAC,MAAM,EAAE,UAAU,CAAC,CAAC;IACjD,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,OAAO,CAAC,KAAK,CAAC,qBAAqB,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,CAAC,CAAC;QACxD,MAAM,IAAI,KAAK,CACb,kCAAmC,KAAe,CAAC,OAAO,EAAE,CAC7D,CAAC;IACJ,CAAC;IACD,OAAO,MAAM,CAAC;AAChB,CAAC;AACD;;;;;;;;GAQG;AACH,MAAM,CAAC,MAAM,gBAAgB,GAAG,CAC9B,MAA6B,EACyB,EAAE;IACxD,MAAM,WAAW,GAAG,EAAE,GAAG,EAAE,CAAC,CAAC,iBAAiB;IAE9C,IAAI,aAAa,GAAG,WAAW,CAAC;IAChC,IAAI,iBAAiB,GAAG,WAAW,CAAC;IAEpC,iEAAiE;IACjE,IAAI,MAAM,CAAC,QAAQ,EAAE,CAAC;QACpB,iEAAiE;QACjE,MAAM,aAAa,GAAG,SAAS,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC;QACjD,IAAI,aAAa,EAAE,GAAG,EAAE,CAAC;YACvB,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC;YAC1C,aAAa,GAAG,aAAa,CAAC,GAAG,GAAG,GAAG,CAAC;QAC1C,CAAC;IACH,CAAC;IAED,IAAI,MAAM,CAAC,YAAY,EAAE,CAAC;QACxB,mDAAmD;QACnD,MAAM,iBAAiB,GAAG,SAAS,CAAC,MAAM,CAAC,YAAY,CAAC,CAAC;QACzD,iBAAiB;YACf,MAAM,CAAC,iBAAiB,EAAE,cAAc,CAAC,IAAI,WAAW,CAAC;QAE3D,mDAAmD;QACnD,IAAI,iBAAiB,EAAE,GAAG,EAAE,CAAC;YAC3B,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC;YAC1C,iBAAiB,GAAG,iBAAiB,CAAC,GAAG,GAAG,GAAG,CAAC;QAClD,CAAC;IACH,CAAC;IAED,OAAO;QACL,iBAAiB;QACjB,aAAa;KACd,CAAC;AACJ,CAAC,CAAC;AAEF,MAAM,CAAC,KAAK,UAAU,uBAAuB,CAC3C,OAAoC,EACpC,MAA6B;IAE7B,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC;IAC1C,MAAM,EAAE,aAAa,EAAE,GAAG,gBAAgB,CAAC,MAAM,CAAC,CAAC;IACnD,oGAAoG;IACpG,MAAM,OAAO,CAAC,GAAG,CACf,eAAe,CAAC,uBAAuB,EACvC,CAAC,aAAa,GAAG,GAAG,CAAC,CAAC,QAAQ,EAAE,CACjC,CAAC;AACJ,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,WAAW,CAC/B,OAAoB,EACpB,MAA6B;IAE7B,0DAA0D;IAC1D,MAAM,OAAO,CAAC,GAAG,CAAC,eAAe,CAAC,QAAQ,EAAE,MAAM,CAAC,QAAQ,CAAC,CAAC;IAE7D,4DAA4D;IAC5D,IAAI,MAAM,CAAC,YAAY,EAAE,CAAC;QACxB,MAAM,OAAO,CAAC,GAAG,CAAC,eAAe,CAAC,YAAY,EAAE,MAAM,CAAC,YAAY,CAAC,CAAC;IACvE,CAAC;IAED,mCAAmC;IACnC,IAAI,MAAM,CAAC,aAAa,EAAE,CAAC;QACzB,MAAM,OAAO,CAAC,GAAG,CAAC,eAAe,CAAC,aAAa,EAAE,MAAM,CAAC,aAAa,CAAC,CAAC;IACzE,CAAC;IAED,4DAA4D;IAC5D,mDAAmD;IACnD,MAAM,uBAAuB,CAAC,OAAO,EAAE,MAAM,CAAC,CAAC;AACjD,CAAC;AAED;;;;GAIG;AACH,MAAM,CAAC,KAAK,UAAU,iBAAiB,CACrC,OAAoC,EACpC,MAA6B;IAE7B,8EAA8E;IAC9E,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC;IAC1C,MAAM,EAAE,aAAa,EAAE,iBAAiB,EAAE,GAAG,gBAAgB,CAAC,MAAM,CAAC,CAAC;IAEtE,oGAAoG;IACpG,MAAM,oBAAoB,GAAG,GAAG,GAAG,aAAa,CAAC;IACjD,MAAM,aAAa,GAAG,OAAwB,CAAC;IAE/C,iCAAiC;IACjC,MAAM,wBAAwB,GAAG;QAC/B,MAAM,EAAE,iBAAiB;KAC1B,CAAC;IAEF,MAAM,yBAAyB,GAAG;QAChC,MAAM,EAAE,sBAAsB;KAC/B,CAAC;IAEF,2DAA2D;IAC3D,MAAM,aAAa,CAAC,GAAG,CAAC,eAAe,CAAC,QAAQ,EAAE,MAAM,CAAC,QAAQ,EAAE;QACjE,MAAM,EAAE,aAAa;KACtB,CAAC,CAAC;IAEH,mDAAmD;IACnD,IAAI,MAAM,CAAC,YAAY,EAAE,CAAC;QACxB,MAAM,aAAa,CAAC,GAAG,CACrB,eAAe,CAAC,YAAY,EAC5B,MAAM,CAAC,YAAY,EACnB,wBAAwB,CACzB,CAAC;IACJ,CAAC;IAED,mDAAmD;IACnD,IAAI,MAAM,CAAC,aAAa,EAAE,CAAC;QACzB,MAAM,aAAa,CAAC,GAAG,CACrB,eAAe,CAAC,aAAa,EAC7B,MAAM,CAAC,aAAa,EACpB,yBAAyB,CAC1B,CAAC;IACJ,CAAC;IAED,4EAA4E;IAC5E,MAAM,OAAO,CAAC,GAAG,CACf,eAAe,CAAC,uBAAuB,EACvC,oBAAoB,CAAC,QAAQ,EAAE,EAC/B;QACE,iHAAiH;QACjH,MAAM,EAAE,aAAa;KACtB,CACF,CAAC;IACF,MAAM,CAAC,KAAK,CAAC,mBAAmB,EAAE;QAChC,oBAAoB;QACpB,kBAAkB,EAAE,sBAAsB;QAC1C,aAAa;QACb,cAAc,EAAE,CAAC,CAAC,MAAM,CAAC,YAAY;KACtC,CAAC,CAAC;AACL,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,WAAW,CAAC,OAAoC;IACpE,kEAAkE;IAClE,MAAM,kBAAkB,GAAG;QACzB,GAAG,MAAM,CAAC,MAAM,CAAC,eAAe,CAAC;QACjC,mBAAmB;QACnB,wBAAwB;QACxB,YAAY;KACb,CAAC,GAAG,CAAC,KAAK,EAAE,GAAG,EAAE,EAAE;QAClB,MAAM,OAAO,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;IAC5B,CAAC,CAAC,CAAC;IACH,MAAM,OAAO,CAAC,GAAG,CAAC,CAAC,GAAG,kBAAkB,CAAC,CAAC,CAAC;AAC7C,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,sBAAsB,CAAC,OAAoB;IAC/D,MAAM,OAAO,CAAC,MAAM,CAAC,mBAAmB,CAAC,CAAC;IAC1C,MAAM,OAAO,CAAC,MAAM,CAAC,0BAA0B,CAAC,CAAC;AACnD,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,SAAS,CAAC,OAAoB;IAClD,MAAM,WAAW,GAAG,IAAI,kBAAkB,CAAC,OAAO,CAAC,CAAC;IACpD,MAAM,WAAW,CAAC,KAAK,EAAE,CAAC;AAC5B,CAAC;AAED;;;;;;;GAOG;AACH,SAAS,yBAAyB,CAAC,KAAoB;IACrD,IAAI,CAAC,KAAK;QAAE,OAAO,KAAK,CAAC;IAEzB,uEAAuE;IACvE,+FAA+F;IAC/F,IAAI,KAAK,IAAI,CAAC,KAAK,CAAC,QAAQ,CAAC,GAAG,CAAC,IAAI,KAAK,CAAC,MAAM,GAAG,GAAG,EAAE,CAAC;QACxD,IAAI,CAAC;YACH,4CAA4C;YAC5C,MAAM,OAAO,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC;YAExC,wEAAwE;YACxE,IACE,OAAO;gBACP,OAAO,OAAO,KAAK,QAAQ;gBAC3B,OAAO,CAAC,KAAK;gBACb,OAAO,OAAO,CAAC,KAAK,KAAK,QAAQ;gBACjC,OAAO,CAAC,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,MAAM,KAAK,CAAC,EACrC,CAAC;gBACD,OAAO,OAAO,CAAC,KAAK,CAAC;YACvB,CAAC;QACH,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,OAAO,CAAC,KAAK,CAAC,wCAAwC,EAAE,KAAK,CAAC,CAAC;QACjE,CAAC;IACH,CAAC;IAED,OAAO,KAAK,CAAC;AACf,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,cAAc,CAClC,OAAoB;IAEpB,MAAM,OAAO,GAAG,MAAM,OAAO,CAAC,GAAG,CAAC,eAAe,CAAC,QAAQ,CAAC,CAAC;IAC5D,MAAM,WAAW,GAAG,MAAM,OAAO,CAAC,GAAG,CAAC,eAAe,CAAC,YAAY,CAAC,CAAC;IACpE,MAAM,YAAY,GAAG,MAAM,OAAO,CAAC,GAAG,CAAC,eAAe,CAAC,aAAa,CAAC,CAAC;IACtE,MAAM,oBAAoB,GAAG,MAAM,OAAO,CAAC,GAAG,CAC5C,eAAe,CAAC,uBAAuB,CACxC,CAAC;IAEF,OAAO;QACL,QAAQ,EAAE,yBAAyB,CAAC,OAAO,CAAC,IAAI,SAAS;QACzD,YAAY,EAAE,yBAAyB,CAAC,WAAW,CAAC,IAAI,SAAS;QACjE,aAAa,EAAE,yBAAyB,CAAC,YAAY,CAAC,IAAI,SAAS;QACnE,uBAAuB,EACrB,oBAAoB,KAAK,IAAI;YAC3B,CAAC,CAAC,QAAQ,CAAC,oBAAoB,EAAE,EAAE,CAAC;YACpC,CAAC,CAAC,SAAS,EAAE,2BAA2B;KAC7C,CAAC;AACJ,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,mCAAmC,CACvD,OAAoB;IAEpB,MAAM,YAAY,GAAG,MAAM,OAAO,CAAC,GAAG,CACpC,eAAe,CAAC,uBAAuB,CACxC,CAAC;IACF,IAAI,CAAC,YAAY,EAAE,CAAC;QAClB,OAAO,IAAI,CAAC;IACd,CAAC;IACD,MAAM,SAAS,GAAG,MAAM,CAAC,YAAY,CAAC,CAAC;IACvC,OAAO,KAAK,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,SAAS,CAAC;AAC7C,CAAC;AAMD,MAAM,CAAC,KAAK,UAAU,oBAAoB,CACxC,MAA6B,EAC7B,MAAwB;IAExB,MAAM,UAAU,GAAG,gBAAgB,CACjC,CAAC,MAAM,CAAC,WAAW,IAAI,MAAM,CAAC,kBAAkB,CAAC;QAC/C,+BAA+B,CAClC,CAAC;IAEF,2EAA2E;IAC3E,MAAM,oBAAoB,GAAkB;QAC1C,MAAM,EAAE,UAAU;KACnB,CAAC;IAEF,4BAA4B;IAC5B,IAAI,MAAM,CAAC,QAAQ,EAAE,CAAC;QACpB,6EAA6E;QAC7E,oBAAoB,CAAC,GAAG,GAAG,MAAM,CAAC,QAAQ,CAAC;IAC7C,CAAC;IAED,MAAM,CAAC,KAAK,CAAC,kCAAkC,EAAE;QAC/C,oBAAoB;QACpB,MAAM;KACP,CAAC,CAAC;IAEH,+DAA+D;IAC/D,MAAM,cAAc,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,QAAQ,EAAE,oBAAoB,CAAC,CAAC;IAE3E,+EAA+E;IAC/E,IAAI,kBAAkB,CAAC;IACvB,IAAI,MAAM,CAAC,YAAY,EAAE,CAAC;QACxB,MAAM,wBAAwB,GAAkB;YAC9C,MAAM,EAAE,UAAU;YAClB,4EAA4E;YAC5E,GAAG,EAAE,OAAO;YACZ,QAAQ,EAAE,MAAM,CAAC,QAAQ;SAC1B,CAAC;QAEF,MAAM,CAAC,KAAK,CAAC,sCAAsC,EAAE;YACnD,wBAAwB;SACzB,CAAC,CAAC;QAEH,mEAAmE;QACnE,kBAAkB,GAAG,MAAM,MAAM,CAC/B,MAAM,CAAC,YAAY,EACnB,wBAAwB,CACzB,CAAC;IACJ,CAAC;IAED,OAAO,gBAAgB,CAAC;QACtB,QAAQ,EAAE,cAAc;QACxB,YAAY,EAAE,kBAAkB;QAChC,GAAG,CAAC,MAAM,EAAE,aAAa,CAAC,CAAC,CAAC,EAAE,aAAa,EAAE,MAAM,CAAC,aAAa,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;KAC1E,CAAC,CAAC;AACL,CAAC;AAED;;;;GAIG;AACH,MAAM,UAAU,mBAAmB,CACjC,gBAAmC;IAEnC,OAAO;QACL,OAAO,EAAE,gBAAgB,EAAE,OAAO,IAAI,eAAe;QACrD,MAAM,EAAE,gBAAgB,EAAE,MAAM,IAAI,cAAc;QAClD,IAAI,EAAE,gBAAgB,EAAE,IAAI,IAAI,YAAY;KAC7C,CAAC;AACJ,CAAC;AAED;;;;;;GAMG;AACH,MAAM,UAAU,kBAAkB,CAChC,OAAe,EACf,QAA4B;IAE5B,4BAA4B;IAC5B,IAAI,CAAC,QAAQ,EAAE,CAAC;QACd,MAAM,IAAI,KAAK,CAAC,uBAAuB,CAAC,CAAC;IAC3C,CAAC;IAED,0CAA0C;IAC1C,IAAI,QAAQ,CAAC,UAAU,CAAC,SAAS,CAAC,IAAI,QAAQ,CAAC,UAAU,CAAC,UAAU,CAAC,EAAE,CAAC;QACtE,OAAO,QAAQ,CAAC;IAClB,CAAC;IAED,8CAA8C;IAC9C,OAAO,GAAG,OAAO,GAAG,QAAQ,EAAE,CAAC;AACjC,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,sBAAsB,CAAC,OAAiB;IACtD,IAAI,CAAC,OAAO,EAAE,CAAC;QACb,qCAAqC;QACrC,OAAO,OAAO,CAAC,GAAG,CAAC,QAAQ,KAAK,YAAY,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,OAAO,CAAC;IACpE,CAAC;IAED,iEAAiE;IACjE,MAAM,cAAc,GAAG,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,mBAAmB,CAAC,CAAC;IAChE,IAAI,cAAc,EAAE,CAAC;QACnB,OAAO,cAAc,KAAK,OAAO,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,OAAO,CAAC;IACzD,CAAC;IAED,MAAM,iBAAiB,GAAG,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,sBAAsB,CAAC,CAAC;IACtE,IAAI,iBAAiB,EAAE,CAAC;QACtB,OAAO,iBAAiB,KAAK,OAAO,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,OAAO,CAAC;IAC5D,CAAC;IAED,iDAAiD;IACjD,MAAM,SAAS,GAAG,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,WAAW,CAAC,CAAC;IACnD,IAAI,SAAS,EAAE,CAAC;QACd,MAAM,UAAU,GAAG,SAAS,CAAC,KAAK,CAAC,mBAAmB,CAAC,CAAC;QACxD,IAAI,UAAU,EAAE,CAAC;YACf,OAAO,UAAU,CAAC,CAAC,CAAC,KAAK,OAAO,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,OAAO,CAAC;QACxD,CAAC;IACH,CAAC;IAED,sCAAsC;IACtC,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;IACjC,OAAO,GAAG,CAAC,QAAQ,CAAC;AACtB,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,eAAe,CAAC,OAAiB;IAC/C,IAAI,CAAC,OAAO;QAAE,OAAO,KAAK,CAAC;IAE3B,MAAM,SAAS,GAAG,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,YAAY,CAAC,IAAI,EAAE,CAAC;IAC1D,OAAO,SAAS,CAAC,QAAQ,CAAC,QAAQ,CAAC,IAAI,CAAC,SAAS,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC;AACvE,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,cAAc,CAAC,OAAiB;IAC9C,IAAI,CAAC,OAAO;QAAE,OAAO,KAAK,CAAC;IAE3B,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;IACjC,OAAO,GAAG,CAAC,QAAQ,KAAK,WAAW,IAAI,GAAG,CAAC,QAAQ,KAAK,WAAW,CAAC;AACtE,CAAC;AAED;;;;;;;;;;;GAWG;AACH,MAAM,UAAU,sBAAsB,CAAC,OAAiB;IAItD,MAAM,QAAQ,GAAG,eAAe,CAAC,OAAO,CAAC,CAAC;IAC1C,MAAM,WAAW,GAAG,cAAc,CAAC,OAAO,CAAC,CAAC;IAC5C,MAAM,QAAQ,GAAG,sBAAsB,CAAC,OAAO,CAAC,CAAC;IACjD,MAAM,OAAO,GAAG,QAAQ,KAAK,QAAQ,CAAC;IAEtC,IAAI,QAAQ,IAAI,WAAW,EAAE,CAAC;QAC5B,4DAA4D;QAC5D,OAAO;YACL,MAAM,EAAE,KAAK;YACb,QAAQ,EAAE,KAAK;SAChB,CAAC;IACJ,CAAC;SAAM,IAAI,OAAO,EAAE,CAAC;QACnB,+DAA+D;QAC/D,OAAO;YACL,MAAM,EAAE,IAAI;YACZ,QAAQ,EAAE,MAAM;SACjB,CAAC;IACJ,CAAC;SAAM,CAAC;QACN,yEAAyE;QACzE,iDAAiD;QACjD,iFAAiF;QACjF,uDAAuD;QACvD,OAAO;YACL,MAAM,EAAE,IAAI;YACZ,QAAQ,EAAE,MAAM;SACjB,CAAC;IACJ,CAAC;AACH,CAAC","sourcesContent":["// Utility functions shared by auth server and client integrations\n// Typically these functions should be used inside AuthenticationInitiator and AuthenticationResolver implementations\nimport type {\n AuthStorage,\n Endpoints,\n OIDCTokenResponseBody,\n ParsedTokens,\n} from \"@/types.js\";\nimport {\n AUTH_SERVER_LEGACY_SESSION,\n AUTH_SERVER_SESSION,\n OAuthTokenTypes,\n} from \"./types.js\";\nimport { OAuth2Client } from \"../../lib/oauth2/OAuth2Client.js\";\nimport { addSlashIfNeeded, getOauthEndpoints } from \"@/lib/oauth.js\";\nimport { withoutUndefined } from \"@/utils.js\";\nimport type { PKCEConsumer, PKCEProducer } from \"@/services/types.js\";\nimport { GenericUserSession } from \"@/shared/lib/UserSession.js\";\nimport { decodeJwt } from \"jose\";\nimport type { CookieStorage } from \"./storage.js\";\nimport {\n AUTOREFRESH_TIMEOUT_NAME,\n LOGOUT_STATE,\n MAX_COOKIE_AGE_SECONDS,\n REFRESH_IN_PROGRESS,\n} from \"@/constants.js\";\nimport { loggers } from \"@/lib/logger.js\";\nimport type { AuthConfig, BackendEndpoints } from \"@/server/config.js\";\nimport { verify, type VerifyOptions } from \"@civic/auth-verify\";\n\nconst logger = loggers.services.validation;\n/*\n Given a PKCE code verifier, derive the code challenge using SHA\n /\nexport async function deriveCodeChallenge(\n codeVerifier: string,\n method: \"Plain\" \| \"S256\" = \"S256\",\n): Promise<string> {\n if (method === \"Plain\") {\n console.warn(\"Using insecure plain code challenge method\");\n return codeVerifier;\n }\n\n const encoder = new TextEncoder();\n const data = encoder.encode(codeVerifier);\n const digest = await crypto.subtle.digest(\"SHA-256\", data);\n return btoa(String.fromCharCode(...new Uint8Array(digest)))\n .replace(/\\+/g, \"-\")\n .replace(/\\//g, \"_\")\n .replace(/=+$/, \"\");\n}\n\nexport async function getEndpointsWithOverrides(\n oauthServer: string,\n endpointOverrides: Partial<Endpoints> = {},\n): Promise<Endpoints> {\n const endpoints = await getOauthEndpoints(oauthServer);\n return {\n ...endpoints,\n ...endpointOverrides,\n };\n}\n\nexport async function generateOauthLoginUrl(config: {\n clientId: string;\n scopes: string[];\n state: string;\n redirectUrl: string;\n oauthServer: string;\n nonce?: string;\n endpointOverrides?: Partial<Endpoints>;\n // Optional PKCE challenge - not needed for confidential clients using client secrets\n pkceConsumer?: PKCEConsumer;\n}): Promise<URL> {\n const endpoints = await getEndpointsWithOverrides(\n config.oauthServer,\n config.endpointOverrides,\n );\n const oauth2Client = buildOauth2Client(\n config.clientId,\n config.redirectUrl,\n endpoints,\n );\n\n const oAuthUrl = await oauth2Client.createAuthorizationURL({\n state: config.state,\n scopes: config.scopes,\n });\n\n // Only add PKCE parameters if a pkceConsumer is provided\n if (config.pkceConsumer) {\n const challenge = await config.pkceConsumer.getCodeChallenge();\n // The OAuth2 client supports PKCE, but does not allow passing in a code challenge from some other source\n // It only allows passing in a code verifier which it then hashes itself.\n oAuthUrl.searchParams.append(\"code_challenge\", challenge);\n oAuthUrl.searchParams.append(\"code_challenge_method\", \"S256\");\n }\n\n if (config.nonce) {\n // nonce isn't supported by oslo, so we add it manually\n oAuthUrl.searchParams.append(\"nonce\", config.nonce);\n }\n // Required by the auth server for offline_access scope\n oAuthUrl.searchParams.append(\"prompt\", \"consent\");\n\n return oAuthUrl;\n}\n\nexport async function generateOauthLogoutUrl(config: {\n clientId: string;\n redirectUrl: string;\n idToken: string;\n state: string;\n oauthServer: string;\n endpointOverrides?: Partial<Endpoints>;\n}): Promise<URL> {\n const endpoints = await getEndpointsWithOverrides(\n config.oauthServer,\n config.endpointOverrides,\n );\n const endSessionUrl = new URL(endpoints.endsession);\n endSessionUrl.searchParams.append(\"client_id\", config.clientId);\n endSessionUrl.searchParams.append(\"id_token_hint\", config.idToken);\n endSessionUrl.searchParams.append(\"state\", config.state);\n endSessionUrl.searchParams.append(\n \"post_logout_redirect_uri\",\n config.redirectUrl,\n );\n return endSessionUrl;\n}\n\nexport function buildOauth2Client(\n clientId: string,\n redirectUri: string,\n endpoints: Endpoints,\n): OAuth2Client {\n return new OAuth2Client(clientId, endpoints.auth, endpoints.token, {\n redirectURI: redirectUri,\n });\n}\n\nexport async function exchangeTokens(\n code: string,\n state: string,\n pkceProducer: PKCEProducer \| null,\n oauth2Client: OAuth2Client,\n authConfig: ValidationConfig,\n) {\n // Get code verifier if using PKCE\n const codeVerifier = pkceProducer\n ? await pkceProducer.getCodeVerifier()\n : null;\n\n // Ensure at least one authentication method is provided\n if (!codeVerifier && !authConfig.clientSecret) {\n throw new Error(\n \"Either PKCE code verifier or client secret must be provided\",\n );\n }\n\n // Build options for validateAuthorizationCode\n const validationOptions: Record<string, string> = {};\n\n if (codeVerifier) {\n validationOptions.codeVerifier = codeVerifier;\n }\n\n if (authConfig.clientSecret) {\n validationOptions.credentials = authConfig.clientSecret;\n validationOptions.authenticateWith = \"request_body\"; // Use client_secret_post method\n }\n\n const tokens = (await oauth2Client.validateAuthorizationCode(\n code,\n validationOptions,\n )) as OIDCTokenResponseBody;\n\n // Validate relevant tokens\n try {\n await validateOauth2Tokens(tokens, authConfig);\n } catch (error) {\n console.error(\"tokenExchange error\", { error, tokens });\n throw new Error(\n `OIDC tokens validation failed: ${(error as Error).message}`,\n );\n }\n return tokens;\n}\n/\n Calculates the maxAge values for access and refresh token cookies\n * based on the TTL values in the access token\n \n maxAge needs to be in seconds from now until expiration\n \n @param tokens OIDC tokens response containing the access token\n * @returns Object with accessTokenMaxAge and refreshTokenMaxAge in seconds\n /\nexport const getCookiesMaxAge = (\n tokens: OIDCTokenResponseBody,\n): { idTokenMaxAge: number; accessTokenMaxAge: number } => {\n const DEFAULT_TTL = 60 60; // 1 hour default\n\n let idTokenMaxAge = DEFAULT_TTL;\n let accessTokenMaxAge = DEFAULT_TTL;\n\n // The ID token takes priority, as it represents the OIDC session\n if (tokens.id_token) {\n // If no access token exists, try to get expiration from ID token\n const parsedIdToken = decodeJwt(tokens.id_token);\n if (parsedIdToken?.exp) {\n const now = Math.floor(Date.now() / 1000);\n idTokenMaxAge = parsedIdToken.exp - now;\n }\n }\n\n if (tokens.access_token) {\n // Get access token TTL from the token if it exists\n const parsedAccessToken = decodeJwt(tokens.access_token);\n accessTokenMaxAge =\n Number(parsedAccessToken?.accessTokenTTL) \|\| DEFAULT_TTL;\n\n // If access token has exp claim, use that directly\n if (parsedAccessToken?.exp) {\n const now = Math.floor(Date.now() / 1000);\n accessTokenMaxAge = parsedAccessToken.exp - now;\n }\n }\n\n return {\n accessTokenMaxAge,\n idTokenMaxAge,\n };\n};\n\nexport async function setOidcSessionExpiresAt(\n storage: AuthStorage \| CookieStorage,\n tokens: OIDCTokenResponseBody,\n) {\n const now = Math.floor(Date.now() / 1000);\n const { idTokenMaxAge } = getCookiesMaxAge(tokens);\n // The OIDC session expiry is linked to the ID token expiry, since this is primarily an OIDC client.\n await storage.set(\n OAuthTokenTypes.OIDC_SESSION_EXPIRES_AT,\n (idTokenMaxAge + now).toString(),\n );\n}\n\nexport async function storeTokens(\n storage: AuthStorage,\n tokens: OIDCTokenResponseBody,\n) {\n // ID token is the primary token and must always be stored\n await storage.set(OAuthTokenTypes.ID_TOKEN, tokens.id_token);\n\n // Only store access token if it exists (no longer required)\n if (tokens.access_token) {\n await storage.set(OAuthTokenTypes.ACCESS_TOKEN, tokens.access_token);\n }\n\n // Store refresh token if it exists\n if (tokens.refresh_token) {\n await storage.set(OAuthTokenTypes.REFRESH_TOKEN, tokens.refresh_token);\n }\n\n // Still set access token expiration even if no access token\n // (will get expiration from ID token in this case)\n await setOidcSessionExpiresAt(storage, tokens);\n}\n\n/*\n Stores tokens in server-side cookies with appropriate expiration times\n * Uses TTL values from the tokens to set cookie maxAge values\n * Refresh token is set with 400 day expiry\n /\nexport async function storeServerTokens(\n storage: AuthStorage \| CookieStorage,\n tokens: OIDCTokenResponseBody,\n) {\n // Get maxAge values based on token TTLs (refresh token TTL will be undefined)\n const now = Math.floor(Date.now() / 1000);\n const { idTokenMaxAge, accessTokenMaxAge } = getCookiesMaxAge(tokens);\n\n // The OIDC session expiry is linked to the ID token expiry, since this is primarily an OIDC client.\n const oidcSessionExpiresAt = now + idTokenMaxAge;\n const cookieStorage = storage as CookieStorage;\n\n // Apply maxAge to cookie options\n const accessTokenCookieOptions = {\n maxAge: accessTokenMaxAge,\n };\n\n const refreshTokenCookieOptions = {\n maxAge: MAX_COOKIE_AGE_SECONDS,\n };\n\n // ID token is always stored (primary authentication token)\n await cookieStorage.set(OAuthTokenTypes.ID_TOKEN, tokens.id_token, {\n maxAge: idTokenMaxAge,\n });\n\n // Access token is optional - only set if it exists\n if (tokens.access_token) {\n await cookieStorage.set(\n OAuthTokenTypes.ACCESS_TOKEN,\n tokens.access_token,\n accessTokenCookieOptions,\n );\n }\n\n // Set refresh token if present with 400 day expiry\n if (tokens.refresh_token) {\n await cookieStorage.set(\n OAuthTokenTypes.REFRESH_TOKEN,\n tokens.refresh_token,\n refreshTokenCookieOptions,\n );\n }\n\n // Still store the access token expiration timestamp even if no access token\n await storage.set(\n OAuthTokenTypes.OIDC_SESSION_EXPIRES_AT,\n oidcSessionExpiresAt.toString(),\n {\n // This is primarily an OIDC client, so we use the ID token max age for the session timeout / refresh scheduling.\n maxAge: idTokenMaxAge,\n },\n );\n logger.debug(\"storeServerTokens\", {\n oidcSessionExpiresAt,\n refreshTokenMaxAge: MAX_COOKIE_AGE_SECONDS,\n idTokenMaxAge,\n hasAccessToken: !!tokens.access_token,\n });\n}\n\nexport async function clearTokens(storage: AuthStorage \| CookieStorage) {\n // clear all local storage keys related to OAuth and CivicAuth SDK\n const clearOAuthPromises = [\n ...Object.values(OAuthTokenTypes),\n REFRESH_IN_PROGRESS,\n AUTOREFRESH_TIMEOUT_NAME,\n LOGOUT_STATE,\n ].map(async (key) => {\n await storage.delete(key);\n });\n await Promise.all([...clearOAuthPromises]);\n}\n\nexport async function clearAuthServerSession(storage: AuthStorage) {\n await storage.delete(AUTH_SERVER_SESSION);\n await storage.delete(AUTH_SERVER_LEGACY_SESSION);\n}\n\nexport async function clearUser(storage: AuthStorage) {\n const userSession = new GenericUserSession(storage);\n await userSession.clear();\n}\n\n/\n Smart token unwrapping for Safari's base64-encoding bug\n * Only unwraps tokens that are:\n * 1. Base64-encoded (Safari bug) - very long strings without dots\n * 2. Contain a JSON object with a 'value' property that's a valid JWT\n \n Does NOT unwrap React Router's normal {value: \"token\"} objects\n /\nfunction unwrapSafariTokenIfNeeded(token: string \| null): string \| null {\n if (!token) return token;\n\n // Safari-specific detection: base64-encoded JSON that's extremely long\n // Normal wrapped objects from React Router are much shorter and have different characteristics\n if (token && !token.includes(\".\") && token.length > 800) {\n try {\n // Try to decode as base64 and parse as JSON\n const decoded = JSON.parse(atob(token));\n\n // Verify this is Safari's bug: wrapped value must be a valid 3-part JWT\n if (\n decoded &&\n typeof decoded === \"object\" &&\n decoded.value &&\n typeof decoded.value === \"string\" &&\n decoded.value.split(\".\").length === 3\n ) {\n return decoded.value;\n }\n } catch (error) {\n console.error(\"HERE UTIL - SAFARI TOKEN UNWRAP FAILED\", error);\n }\n }\n\n return token;\n}\n\nexport async function retrieveTokens(\n storage: AuthStorage,\n): Promise<Partial<OIDCTokenResponseBody> \| null> {\n const idToken = await storage.get(OAuthTokenTypes.ID_TOKEN);\n const accessToken = await storage.get(OAuthTokenTypes.ACCESS_TOKEN);\n const refreshToken = await storage.get(OAuthTokenTypes.REFRESH_TOKEN);\n const oidcSessionExpiresAt = await storage.get(\n OAuthTokenTypes.OIDC_SESSION_EXPIRES_AT,\n );\n\n return {\n id_token: unwrapSafariTokenIfNeeded(idToken) ?? undefined,\n access_token: unwrapSafariTokenIfNeeded(accessToken) ?? undefined,\n refresh_token: unwrapSafariTokenIfNeeded(refreshToken) ?? undefined,\n oidc_session_expires_at:\n oidcSessionExpiresAt !== null\n ? parseInt(oidcSessionExpiresAt, 10)\n : undefined, // Convert string to number\n };\n}\n\nexport async function retrieveOidcSessionExpiredAtSeconds(\n storage: AuthStorage,\n): Promise<number \| null> {\n const valueSeconds = await storage.get(\n OAuthTokenTypes.OIDC_SESSION_EXPIRES_AT,\n );\n if (!valueSeconds) {\n return null;\n }\n const expiresAt = Number(valueSeconds);\n return isNaN(expiresAt) ? null : expiresAt;\n}\n\nexport type ValidationConfig = Pick<\n AuthConfig,\n \"clientId\" \| \"oauthServer\" \| \"oauthServerBaseUrl\" \| \"clientSecret\"\n>;\nexport async function validateOauth2Tokens(\n tokens: OIDCTokenResponseBody,\n config: ValidationConfig,\n): Promise<ParsedTokens> {\n const baseIssuer = addSlashIfNeeded(\n (config.oauthServer \|\| config.oauthServerBaseUrl) ??\n \"https://auth.civic.com/oauth/\",\n );\n\n // Validate the ID token - this is now the primary token for authentication\n const idTokenVerifyOptions: VerifyOptions = {\n issuer: baseIssuer,\n };\n\n // Set audience for ID token\n if (config.clientId) {\n // ID tokens should have the client ID as audience for proper OIDC compliance\n idTokenVerifyOptions.aud = config.clientId;\n }\n\n logger.debug(`Verifying id_token with options:`, {\n idTokenVerifyOptions,\n config,\n });\n\n // Use the @civic/auth-verify package for ID token verification\n const idTokenPayload = await verify(tokens.id_token, idTokenVerifyOptions);\n\n // Only validate the access token if it exists, but if present it must be valid\n let accessTokenPayload;\n if (tokens.access_token) {\n const accessTokenVerifyOptions: VerifyOptions = {\n issuer: baseIssuer,\n // Access tokens have \"civic\" as audience based on auth server configuration\n aud: \"civic\",\n clientId: config.clientId,\n };\n\n logger.debug(`Verifying access_token with options:`, {\n accessTokenVerifyOptions,\n });\n\n // Use the @civic/auth-verify package for access token verification\n accessTokenPayload = await verify(\n tokens.access_token,\n accessTokenVerifyOptions,\n );\n }\n\n return withoutUndefined({\n id_token: idTokenPayload,\n access_token: accessTokenPayload,\n ...(tokens?.refresh_token ? { refresh_token: tokens.refresh_token } : {}),\n });\n}\n\n/\n Get backend endpoints with default values merged with custom configuration\n * @param backendEndpoints - Optional custom backend endpoints configuration\n * @returns Backend endpoints with defaults applied\n /\nexport function getBackendEndpoints(\n backendEndpoints?: BackendEndpoints,\n): BackendEndpoints {\n return {\n refresh: backendEndpoints?.refresh ?? \"/auth/refresh\",\n logout: backendEndpoints?.logout ?? \"/auth/logout\",\n user: backendEndpoints?.user ?? \"/auth/user\",\n };\n}\n\n/\n Resolves an endpoint URL by checking if it's already a full URL\n * or if it needs to be combined with a base URL\n * @param baseUrl - The base URL (e.g., \"https://api.example.com\")\n * @param endpoint - The endpoint that might be relative (e.g., \"/auth/logout\") or absolute (e.g., \"https://other-server.com/logout\")\n * @returns The resolved URL\n /\nexport function resolveEndpointUrl(\n baseUrl: string,\n endpoint: string \| undefined,\n): string {\n // Handle undefined endpoint\n if (!endpoint) {\n throw new Error(\"Endpoint is undefined\");\n }\n\n // Check if endpoint is already a full URL\n if (endpoint.startsWith(\"http://\") \|\| endpoint.startsWith(\"https://\")) {\n return endpoint;\n }\n\n // Concatenate base URL with relative endpoint\n return `${baseUrl}${endpoint}`;\n}\n\n/\n Determines the protocol from request headers or environment\n * Checks common proxy headers before falling back to URL or environment\n /\nexport function getProtocolFromRequest(request?: Request): string {\n if (!request) {\n // Fallback when no request available\n return process.env.NODE_ENV === \"production\" ? \"https:\" : \"http:\";\n }\n\n // Check common proxy headers that indicate the original protocol\n const forwardedProto = request.headers.get(\"x-forwarded-proto\");\n if (forwardedProto) {\n return forwardedProto === \"https\" ? \"https:\" : \"http:\";\n }\n\n const forwardedProtocol = request.headers.get(\"x-forwarded-protocol\");\n if (forwardedProtocol) {\n return forwardedProtocol === \"https\" ? \"https:\" : \"http:\";\n }\n\n // Parse the standard Forwarded header (RFC 7239)\n const forwarded = request.headers.get(\"forwarded\");\n if (forwarded) {\n const protoMatch = forwarded.match(/proto=([^;,\\s]+)/i);\n if (protoMatch) {\n return protoMatch[1] === \"https\" ? \"https:\" : \"http:\";\n }\n }\n\n // Extract from the request URL itself\n const url = new URL(request.url);\n return url.protocol;\n}\n\n/\n Detect Safari browser from user agent\n /\nexport function isSafariBrowser(request?: Request): boolean {\n if (!request) return false;\n\n const userAgent = request.headers.get(\"user-agent\") \|\| \"\";\n return userAgent.includes(\"Safari\") && !userAgent.includes(\"Chrome\");\n}\n\n/\n Detect if running on localhost\n /\nexport function isLocalhostUrl(request?: Request): boolean {\n if (!request) return false;\n\n const url = new URL(request.url);\n return url.hostname === \"localhost\" \|\| url.hostname === \"127.0.0.1\";\n}\n\n/\n Get cookie configuration based on environment and browser\n * Handles special cases for Safari on localhost and HTTPS detection\n \n @param request - Optional request object for environment detection\n * @returns Cookie configuration with secure and sameSite settings\n \n Configuration rules:\n * - Safari on localhost: Uses lax sameSite to avoid cross-origin issues\n * - HTTPS: Uses secure cookies with none sameSite for cross-origin iframe support\n * - HTTP localhost (non-Safari): Uses secure cookies for Chrome's localhost exception\n */\nexport function getCookieConfiguration(request?: Request): {\n secure: boolean;\n sameSite: \"lax\" \| \"none\";\n} {\n const isSafari = isSafariBrowser(request);\n const isLocalhost = isLocalhostUrl(request);\n const protocol = getProtocolFromRequest(request);\n const isHttps = protocol === \"https:\";\n\n if (isSafari && isLocalhost) {\n // Safari on localhost: use lax to avoid cross-origin issues\n return {\n secure: false,\n sameSite: \"lax\",\n };\n } else if (isHttps) {\n // HTTPS (production): use none for cross-origin iframe support\n return {\n secure: true,\n sameSite: \"none\",\n };\n } else {\n // HTTP localhost (non-Safari): use secure: true for iframe compatibility\n // Chrome allows secure cookies on localhost HTTP\n // This allows secure: true cookies to work on localhost for iframe compatibility\n // Reference: Chrome's third-party cookie documentation\n return {\n secure: true,\n sameSite: \"none\",\n };\n }\n}\n"]}
1	+ {"version":3,"file":"util.js","sourceRoot":"","sources":["../../../src/shared/lib/util.ts"],"names":[],"mappings":"AAQA,OAAO,EACL,0BAA0B,EAC1B,mBAAmB,EACnB,eAAe,GAChB,MAAM,YAAY,CAAC;AACpB,OAAO,EAAE,YAAY,EAAE,MAAM,kCAAkC,CAAC;AAChE,OAAO,EAAE,gBAAgB,EAAE,iBAAiB,EAAE,MAAM,gBAAgB,CAAC;AACrE,OAAO,EAAE,gBAAgB,EAAE,MAAM,YAAY,CAAC;AAE9C,OAAO,EAAE,kBAAkB,EAAE,MAAM,6BAA6B,CAAC;AACjE,OAAO,EAAE,SAAS,EAAE,MAAM,MAAM,CAAC;AAEjC,OAAO,EACL,wBAAwB,EACxB,YAAY,EACZ,sBAAsB,EACtB,mBAAmB,GACpB,MAAM,gBAAgB,CAAC;AACxB,OAAO,EAAE,OAAO,EAAE,MAAM,iBAAiB,CAAC;AAE1C,OAAO,EAAE,MAAM,EAAsB,MAAM,oBAAoB,CAAC;AAEhE,MAAM,MAAM,GAAG,OAAO,CAAC,QAAQ,CAAC,UAAU,CAAC;AAC3C;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,mBAAmB,CACvC,YAAoB,EACpB,SAA2B,MAAM;IAEjC,IAAI,MAAM,KAAK,OAAO,EAAE,CAAC;QACvB,OAAO,CAAC,IAAI,CAAC,4CAA4C,CAAC,CAAC;QAC3D,OAAO,YAAY,CAAC;IACtB,CAAC;IAED,MAAM,OAAO,GAAG,IAAI,WAAW,EAAE,CAAC;IAClC,MAAM,IAAI,GAAG,OAAO,CAAC,MAAM,CAAC,YAAY,CAAC,CAAC;IAC1C,MAAM,MAAM,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,SAAS,EAAE,IAAI,CAAC,CAAC;IAC3D,OAAO,IAAI,CAAC,MAAM,CAAC,YAAY,CAAC,GAAG,IAAI,UAAU,CAAC,MAAM,CAAC,CAAC,CAAC;SACxD,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC;SACnB,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC;SACnB,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC;AACxB,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,yBAAyB,CAC7C,WAAmB,EACnB,oBAAwC,EAAE;IAE1C,MAAM,SAAS,GAAG,MAAM,iBAAiB,CAAC,WAAW,CAAC,CAAC;IACvD,OAAO;QACL,GAAG,SAAS;QACZ,GAAG,iBAAiB;KACrB,CAAC;AACJ,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,qBAAqB,CAAC,MAU3C;IACC,MAAM,SAAS,GAAG,MAAM,yBAAyB,CAC/C,MAAM,CAAC,WAAW,EAClB,MAAM,CAAC,iBAAiB,CACzB,CAAC;IACF,MAAM,YAAY,GAAG,iBAAiB,CACpC,MAAM,CAAC,QAAQ,EACf,MAAM,CAAC,WAAW,EAClB,SAAS,CACV,CAAC;IAEF,MAAM,QAAQ,GAAG,MAAM,YAAY,CAAC,sBAAsB,CAAC;QACzD,KAAK,EAAE,MAAM,CAAC,KAAK;QACnB,MAAM,EAAE,MAAM,CAAC,MAAM;KACtB,CAAC,CAAC;IAEH,yDAAyD;IACzD,IAAI,MAAM,CAAC,YAAY,EAAE,CAAC;QACxB,MAAM,SAAS,GAAG,MAAM,MAAM,CAAC,YAAY,CAAC,gBAAgB,EAAE,CAAC;QAC/D,yGAAyG;QACzG,yEAAyE;QACzE,QAAQ,CAAC,YAAY,CAAC,MAAM,CAAC,gBAAgB,EAAE,SAAS,CAAC,CAAC;QAC1D,QAAQ,CAAC,YAAY,CAAC,MAAM,CAAC,uBAAuB,EAAE,MAAM,CAAC,CAAC;IAChE,CAAC;IAED,IAAI,MAAM,CAAC,KAAK,EAAE,CAAC;QACjB,uDAAuD;QACvD,QAAQ,CAAC,YAAY,CAAC,MAAM,CAAC,OAAO,EAAE,MAAM,CAAC,KAAK,CAAC,CAAC;IACtD,CAAC;IACD,uDAAuD;IACvD,QAAQ,CAAC,YAAY,CAAC,MAAM,CAAC,QAAQ,EAAE,SAAS,CAAC,CAAC;IAElD,OAAO,QAAQ,CAAC;AAClB,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,sBAAsB,CAAC,MAO5C;IACC,MAAM,SAAS,GAAG,MAAM,yBAAyB,CAC/C,MAAM,CAAC,WAAW,EAClB,MAAM,CAAC,iBAAiB,CACzB,CAAC;IACF,MAAM,aAAa,GAAG,IAAI,GAAG,CAAC,SAAS,CAAC,UAAU,CAAC,CAAC;IACpD,aAAa,CAAC,YAAY,CAAC,MAAM,CAAC,WAAW,EAAE,MAAM,CAAC,QAAQ,CAAC,CAAC;IAChE,aAAa,CAAC,YAAY,CAAC,MAAM,CAAC,eAAe,EAAE,MAAM,CAAC,OAAO,CAAC,CAAC;IACnE,aAAa,CAAC,YAAY,CAAC,MAAM,CAAC,OAAO,EAAE,MAAM,CAAC,KAAK,CAAC,CAAC;IACzD,aAAa,CAAC,YAAY,CAAC,MAAM,CAC/B,0BAA0B,EAC1B,MAAM,CAAC,WAAW,CACnB,CAAC;IACF,OAAO,aAAa,CAAC;AACvB,CAAC;AAED,MAAM,UAAU,iBAAiB,CAC/B,QAAgB,EAChB,WAAmB,EACnB,SAAoB;IAEpB,OAAO,IAAI,YAAY,CAAC,QAAQ,EAAE,SAAS,CAAC,IAAI,EAAE,SAAS,CAAC,KAAK,EAAE;QACjE,WAAW,EAAE,WAAW;KACzB,CAAC,CAAC;AACL,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,cAAc,CAClC,IAAY,EACZ,KAAa,EACb,YAAiC,EACjC,YAA0B,EAC1B,UAA4B;IAE5B,kCAAkC;IAClC,MAAM,YAAY,GAAG,YAAY;QAC/B,CAAC,CAAC,MAAM,YAAY,CAAC,eAAe,EAAE;QACtC,CAAC,CAAC,IAAI,CAAC;IAET,wDAAwD;IACxD,IAAI,CAAC,YAAY,IAAI,CAAC,UAAU,CAAC,YAAY,EAAE,CAAC;QAC9C,MAAM,IAAI,KAAK,CACb,6DAA6D,CAC9D,CAAC;IACJ,CAAC;IAED,8CAA8C;IAC9C,MAAM,iBAAiB,GAA2B,EAAE,CAAC;IAErD,IAAI,YAAY,EAAE,CAAC;QACjB,iBAAiB,CAAC,YAAY,GAAG,YAAY,CAAC;IAChD,CAAC;IAED,IAAI,UAAU,CAAC,YAAY,EAAE,CAAC;QAC5B,iBAAiB,CAAC,WAAW,GAAG,UAAU,CAAC,YAAY,CAAC;QACxD,iBAAiB,CAAC,gBAAgB,GAAG,cAAc,CAAC,CAAC,gCAAgC;IACvF,CAAC;IAED,MAAM,MAAM,GAAG,CAAC,MAAM,YAAY,CAAC,yBAAyB,CAC1D,IAAI,EACJ,iBAAiB,CAClB,CAA0B,CAAC;IAE5B,2BAA2B;IAC3B,IAAI,CAAC;QACH,MAAM,oBAAoB,CAAC,MAAM,EAAE,UAAU,CAAC,CAAC;IACjD,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,OAAO,CAAC,KAAK,CAAC,qBAAqB,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,CAAC,CAAC;QACxD,MAAM,IAAI,KAAK,CACb,kCAAmC,KAAe,CAAC,OAAO,EAAE,CAC7D,CAAC;IACJ,CAAC;IACD,OAAO,MAAM,CAAC;AAChB,CAAC;AACD;;;;;;;;GAQG;AACH,MAAM,CAAC,MAAM,gBAAgB,GAAG,CAC9B,MAA6B,EACyB,EAAE;IACxD,MAAM,WAAW,GAAG,EAAE,GAAG,EAAE,CAAC,CAAC,iBAAiB;IAE9C,IAAI,aAAa,GAAG,WAAW,CAAC;IAChC,IAAI,iBAAiB,GAAG,WAAW,CAAC;IAEpC,iEAAiE;IACjE,IAAI,MAAM,CAAC,QAAQ,EAAE,CAAC;QACpB,iEAAiE;QACjE,MAAM,aAAa,GAAG,SAAS,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC;QACjD,IAAI,aAAa,EAAE,GAAG,EAAE,CAAC;YACvB,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC;YAC1C,aAAa,GAAG,aAAa,CAAC,GAAG,GAAG,GAAG,CAAC;QAC1C,CAAC;IACH,CAAC;IAED,IAAI,MAAM,CAAC,YAAY,EAAE,CAAC;QACxB,mDAAmD;QACnD,MAAM,iBAAiB,GAAG,SAAS,CAAC,MAAM,CAAC,YAAY,CAAC,CAAC;QACzD,iBAAiB;YACf,MAAM,CAAC,iBAAiB,EAAE,cAAc,CAAC,IAAI,WAAW,CAAC;QAE3D,mDAAmD;QACnD,IAAI,iBAAiB,EAAE,GAAG,EAAE,CAAC;YAC3B,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC;YAC1C,iBAAiB,GAAG,iBAAiB,CAAC,GAAG,GAAG,GAAG,CAAC;QAClD,CAAC;IACH,CAAC;IAED,OAAO;QACL,iBAAiB;QACjB,aAAa;KACd,CAAC;AACJ,CAAC,CAAC;AAEF,MAAM,CAAC,KAAK,UAAU,uBAAuB,CAC3C,OAAoC,EACpC,MAA6B;IAE7B,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC;IAC1C,MAAM,EAAE,aAAa,EAAE,GAAG,gBAAgB,CAAC,MAAM,CAAC,CAAC;IACnD,oGAAoG;IACpG,MAAM,OAAO,CAAC,GAAG,CACf,eAAe,CAAC,uBAAuB,EACvC,CAAC,aAAa,GAAG,GAAG,CAAC,CAAC,QAAQ,EAAE,CACjC,CAAC;AACJ,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,WAAW,CAC/B,OAAoB,EACpB,MAA6B;IAE7B,0DAA0D;IAC1D,MAAM,OAAO,CAAC,GAAG,CAAC,eAAe,CAAC,QAAQ,EAAE,MAAM,CAAC,QAAQ,CAAC,CAAC;IAE7D,4DAA4D;IAC5D,IAAI,MAAM,CAAC,YAAY,EAAE,CAAC;QACxB,MAAM,OAAO,CAAC,GAAG,CAAC,eAAe,CAAC,YAAY,EAAE,MAAM,CAAC,YAAY,CAAC,CAAC;IACvE,CAAC;IAED,mCAAmC;IACnC,IAAI,MAAM,CAAC,aAAa,EAAE,CAAC;QACzB,MAAM,OAAO,CAAC,GAAG,CAAC,eAAe,CAAC,aAAa,EAAE,MAAM,CAAC,aAAa,CAAC,CAAC;IACzE,CAAC;IAED,4DAA4D;IAC5D,mDAAmD;IACnD,MAAM,uBAAuB,CAAC,OAAO,EAAE,MAAM,CAAC,CAAC;AACjD,CAAC;AAED;;;;GAIG;AACH,MAAM,CAAC,KAAK,UAAU,iBAAiB,CACrC,OAAoC,EACpC,MAA6B;IAE7B,8EAA8E;IAC9E,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC;IAC1C,MAAM,EAAE,aAAa,EAAE,iBAAiB,EAAE,GAAG,gBAAgB,CAAC,MAAM,CAAC,CAAC;IAEtE,oGAAoG;IACpG,MAAM,oBAAoB,GAAG,GAAG,GAAG,aAAa,CAAC;IACjD,MAAM,aAAa,GAAG,OAAwB,CAAC;IAE/C,iCAAiC;IACjC,MAAM,wBAAwB,GAAG;QAC/B,MAAM,EAAE,iBAAiB;KAC1B,CAAC;IAEF,MAAM,yBAAyB,GAAG;QAChC,MAAM,EAAE,sBAAsB;KAC/B,CAAC;IAEF,2DAA2D;IAC3D,MAAM,aAAa,CAAC,GAAG,CAAC,eAAe,CAAC,QAAQ,EAAE,MAAM,CAAC,QAAQ,EAAE;QACjE,MAAM,EAAE,aAAa;KACtB,CAAC,CAAC;IAEH,mDAAmD;IACnD,IAAI,MAAM,CAAC,YAAY,EAAE,CAAC;QACxB,MAAM,aAAa,CAAC,GAAG,CACrB,eAAe,CAAC,YAAY,EAC5B,MAAM,CAAC,YAAY,EACnB,wBAAwB,CACzB,CAAC;IACJ,CAAC;IAED,mDAAmD;IACnD,IAAI,MAAM,CAAC,aAAa,EAAE,CAAC;QACzB,MAAM,aAAa,CAAC,GAAG,CACrB,eAAe,CAAC,aAAa,EAC7B,MAAM,CAAC,aAAa,EACpB,yBAAyB,CAC1B,CAAC;IACJ,CAAC;IAED,4EAA4E;IAC5E,MAAM,OAAO,CAAC,GAAG,CACf,eAAe,CAAC,uBAAuB,EACvC,oBAAoB,CAAC,QAAQ,EAAE,EAC/B;QACE,iHAAiH;QACjH,MAAM,EAAE,aAAa;KACtB,CACF,CAAC;IACF,MAAM,CAAC,KAAK,CAAC,mBAAmB,EAAE;QAChC,oBAAoB;QACpB,kBAAkB,EAAE,sBAAsB;QAC1C,aAAa;QACb,cAAc,EAAE,CAAC,CAAC,MAAM,CAAC,YAAY;KACtC,CAAC,CAAC;AACL,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,WAAW,CAAC,OAAoC;IACpE,kEAAkE;IAClE,MAAM,kBAAkB,GAAG;QACzB,GAAG,MAAM,CAAC,MAAM,CAAC,eAAe,CAAC;QACjC,mBAAmB;QACnB,wBAAwB;QACxB,YAAY;KACb,CAAC,GAAG,CAAC,KAAK,EAAE,GAAG,EAAE,EAAE;QAClB,MAAM,OAAO,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;IAC5B,CAAC,CAAC,CAAC;IACH,MAAM,OAAO,CAAC,GAAG,CAAC,CAAC,GAAG,kBAAkB,CAAC,CAAC,CAAC;AAC7C,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,sBAAsB,CAAC,OAAoB;IAC/D,MAAM,OAAO,CAAC,MAAM,CAAC,mBAAmB,CAAC,CAAC;IAC1C,MAAM,OAAO,CAAC,MAAM,CAAC,0BAA0B,CAAC,CAAC;AACnD,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,SAAS,CAAC,OAAoB;IAClD,MAAM,WAAW,GAAG,IAAI,kBAAkB,CAAC,OAAO,CAAC,CAAC;IACpD,MAAM,WAAW,CAAC,KAAK,EAAE,CAAC;AAC5B,CAAC;AAED;;;;;;;GAOG;AACH,SAAS,yBAAyB,CAAC,KAAoB;IACrD,IAAI,CAAC,KAAK;QAAE,OAAO,KAAK,CAAC;IAEzB,uEAAuE;IACvE,+FAA+F;IAC/F,IAAI,KAAK,IAAI,CAAC,KAAK,CAAC,QAAQ,CAAC,GAAG,CAAC,IAAI,KAAK,CAAC,MAAM,GAAG,GAAG,EAAE,CAAC;QACxD,IAAI,CAAC;YACH,4CAA4C;YAC5C,MAAM,OAAO,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC;YAExC,wEAAwE;YACxE,IACE,OAAO;gBACP,OAAO,OAAO,KAAK,QAAQ;gBAC3B,OAAO,CAAC,KAAK;gBACb,OAAO,OAAO,CAAC,KAAK,KAAK,QAAQ;gBACjC,OAAO,CAAC,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,MAAM,KAAK,CAAC,EACrC,CAAC;gBACD,OAAO,OAAO,CAAC,KAAK,CAAC;YACvB,CAAC;QACH,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,OAAO,CAAC,KAAK,CAAC,wCAAwC,EAAE,KAAK,CAAC,CAAC;QACjE,CAAC;IACH,CAAC;IAED,OAAO,KAAK,CAAC;AACf,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,cAAc,CAClC,OAAoB;IAEpB,MAAM,OAAO,GAAG,MAAM,OAAO,CAAC,GAAG,CAAC,eAAe,CAAC,QAAQ,CAAC,CAAC;IAC5D,MAAM,WAAW,GAAG,MAAM,OAAO,CAAC,GAAG,CAAC,eAAe,CAAC,YAAY,CAAC,CAAC;IACpE,MAAM,YAAY,GAAG,MAAM,OAAO,CAAC,GAAG,CAAC,eAAe,CAAC,aAAa,CAAC,CAAC;IACtE,MAAM,oBAAoB,GAAG,MAAM,OAAO,CAAC,GAAG,CAC5C,eAAe,CAAC,uBAAuB,CACxC,CAAC;IAEF,OAAO;QACL,QAAQ,EAAE,yBAAyB,CAAC,OAAO,CAAC,IAAI,SAAS;QACzD,YAAY,EAAE,yBAAyB,CAAC,WAAW,CAAC,IAAI,SAAS;QACjE,aAAa,EAAE,yBAAyB,CAAC,YAAY,CAAC,IAAI,SAAS;QACnE,uBAAuB,EACrB,oBAAoB,KAAK,IAAI;YAC3B,CAAC,CAAC,QAAQ,CAAC,oBAAoB,EAAE,EAAE,CAAC;YACpC,CAAC,CAAC,SAAS,EAAE,2BAA2B;KAC7C,CAAC;AACJ,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,mCAAmC,CACvD,OAAoB;IAEpB,MAAM,YAAY,GAAG,MAAM,OAAO,CAAC,GAAG,CACpC,eAAe,CAAC,uBAAuB,CACxC,CAAC;IACF,IAAI,CAAC,YAAY,EAAE,CAAC;QAClB,OAAO,IAAI,CAAC;IACd,CAAC;IACD,MAAM,SAAS,GAAG,MAAM,CAAC,YAAY,CAAC,CAAC;IACvC,OAAO,KAAK,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,SAAS,CAAC;AAC7C,CAAC;AAMD,MAAM,CAAC,KAAK,UAAU,oBAAoB,CACxC,MAA6B,EAC7B,MAAwB;IAExB,MAAM,UAAU,GAAG,gBAAgB,CACjC,CAAC,MAAM,CAAC,WAAW,IAAI,MAAM,CAAC,kBAAkB,CAAC;QAC/C,+BAA+B,CAClC,CAAC;IAEF,2EAA2E;IAC3E,MAAM,oBAAoB,GAAkB;QAC1C,MAAM,EAAE,UAAU;KACnB,CAAC;IAEF,4BAA4B;IAC5B,IAAI,MAAM,CAAC,QAAQ,EAAE,CAAC;QACpB,6EAA6E;QAC7E,oBAAoB,CAAC,GAAG,GAAG,MAAM,CAAC,QAAQ,CAAC;IAC7C,CAAC;IAED,MAAM,CAAC,KAAK,CAAC,kCAAkC,EAAE;QAC/C,oBAAoB;QACpB,MAAM;KACP,CAAC,CAAC;IAEH,+DAA+D;IAC/D,MAAM,cAAc,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,QAAQ,EAAE,oBAAoB,CAAC,CAAC;IAE3E,+EAA+E;IAC/E,IAAI,kBAAkB,CAAC;IACvB,IAAI,MAAM,CAAC,YAAY,EAAE,CAAC;QACxB,MAAM,wBAAwB,GAAkB;YAC9C,MAAM,EAAE,UAAU;YAClB,4EAA4E;YAC5E,GAAG,EAAE,OAAO;YACZ,QAAQ,EAAE,MAAM,CAAC,QAAQ;SAC1B,CAAC;QAEF,MAAM,CAAC,KAAK,CAAC,sCAAsC,EAAE;YACnD,wBAAwB;SACzB,CAAC,CAAC;QAEH,mEAAmE;QACnE,kBAAkB,GAAG,MAAM,MAAM,CAC/B,MAAM,CAAC,YAAY,EACnB,wBAAwB,CACzB,CAAC;IACJ,CAAC;IAED,OAAO,gBAAgB,CAAC;QACtB,QAAQ,EAAE,cAAc;QACxB,YAAY,EAAE,kBAAkB;QAChC,GAAG,CAAC,MAAM,EAAE,aAAa,CAAC,CAAC,CAAC,EAAE,aAAa,EAAE,MAAM,CAAC,aAAa,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;KAC1E,CAAC,CAAC;AACL,CAAC;AAED;;;;GAIG;AACH,MAAM,UAAU,mBAAmB,CACjC,gBAAmC;IAEnC,OAAO;QACL,OAAO,EAAE,gBAAgB,EAAE,OAAO,IAAI,eAAe;QACrD,MAAM,EAAE,gBAAgB,EAAE,MAAM,IAAI,cAAc;QAClD,IAAI,EAAE,gBAAgB,EAAE,IAAI,IAAI,YAAY;QAC5C,YAAY,EAAE,gBAAgB,EAAE,YAAY,IAAI,oBAAoB;KACrE,CAAC;AACJ,CAAC;AAED;;;;;;GAMG;AACH,MAAM,UAAU,kBAAkB,CAChC,OAAe,EACf,QAA4B;IAE5B,4BAA4B;IAC5B,IAAI,CAAC,QAAQ,EAAE,CAAC;QACd,MAAM,IAAI,KAAK,CAAC,uBAAuB,CAAC,CAAC;IAC3C,CAAC;IAED,0CAA0C;IAC1C,IAAI,QAAQ,CAAC,UAAU,CAAC,SAAS,CAAC,IAAI,QAAQ,CAAC,UAAU,CAAC,UAAU,CAAC,EAAE,CAAC;QACtE,OAAO,QAAQ,CAAC;IAClB,CAAC;IAED,8CAA8C;IAC9C,OAAO,GAAG,OAAO,GAAG,QAAQ,EAAE,CAAC;AACjC,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,sBAAsB,CAAC,OAAiB;IACtD,IAAI,CAAC,OAAO,EAAE,CAAC;QACb,qCAAqC;QACrC,OAAO,OAAO,CAAC,GAAG,CAAC,QAAQ,KAAK,YAAY,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,OAAO,CAAC;IACpE,CAAC;IAED,iEAAiE;IACjE,MAAM,cAAc,GAAG,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,mBAAmB,CAAC,CAAC;IAChE,IAAI,cAAc,EAAE,CAAC;QACnB,OAAO,cAAc,KAAK,OAAO,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,OAAO,CAAC;IACzD,CAAC;IAED,MAAM,iBAAiB,GAAG,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,sBAAsB,CAAC,CAAC;IACtE,IAAI,iBAAiB,EAAE,CAAC;QACtB,OAAO,iBAAiB,KAAK,OAAO,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,OAAO,CAAC;IAC5D,CAAC;IAED,iDAAiD;IACjD,MAAM,SAAS,GAAG,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,WAAW,CAAC,CAAC;IACnD,IAAI,SAAS,EAAE,CAAC;QACd,MAAM,UAAU,GAAG,SAAS,CAAC,KAAK,CAAC,mBAAmB,CAAC,CAAC;QACxD,IAAI,UAAU,EAAE,CAAC;YACf,OAAO,UAAU,CAAC,CAAC,CAAC,KAAK,OAAO,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,OAAO,CAAC;QACxD,CAAC;IACH,CAAC;IAED,sCAAsC;IACtC,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;IACjC,OAAO,GAAG,CAAC,QAAQ,CAAC;AACtB,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,eAAe,CAAC,OAAiB;IAC/C,IAAI,CAAC,OAAO;QAAE,OAAO,KAAK,CAAC;IAE3B,MAAM,SAAS,GAAG,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,YAAY,CAAC,IAAI,EAAE,CAAC;IAC1D,OAAO,SAAS,CAAC,QAAQ,CAAC,QAAQ,CAAC,IAAI,CAAC,SAAS,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC;AACvE,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,cAAc,CAAC,OAAiB;IAC9C,IAAI,CAAC,OAAO;QAAE,OAAO,KAAK,CAAC;IAE3B,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;IACjC,OAAO,GAAG,CAAC,QAAQ,KAAK,WAAW,IAAI,GAAG,CAAC,QAAQ,KAAK,WAAW,CAAC;AACtE,CAAC;AAED;;;;;;;;;;;GAWG;AACH,MAAM,UAAU,sBAAsB,CAAC,OAAiB;IAItD,MAAM,QAAQ,GAAG,eAAe,CAAC,OAAO,CAAC,CAAC;IAC1C,MAAM,WAAW,GAAG,cAAc,CAAC,OAAO,CAAC,CAAC;IAC5C,MAAM,QAAQ,GAAG,sBAAsB,CAAC,OAAO,CAAC,CAAC;IACjD,MAAM,OAAO,GAAG,QAAQ,KAAK,QAAQ,CAAC;IAEtC,IAAI,QAAQ,IAAI,WAAW,EAAE,CAAC;QAC5B,4DAA4D;QAC5D,OAAO;YACL,MAAM,EAAE,KAAK;YACb,QAAQ,EAAE,KAAK;SAChB,CAAC;IACJ,CAAC;SAAM,IAAI,OAAO,EAAE,CAAC;QACnB,+DAA+D;QAC/D,OAAO;YACL,MAAM,EAAE,IAAI;YACZ,QAAQ,EAAE,MAAM;SACjB,CAAC;IACJ,CAAC;SAAM,CAAC;QACN,yEAAyE;QACzE,iDAAiD;QACjD,iFAAiF;QACjF,uDAAuD;QACvD,OAAO;YACL,MAAM,EAAE,IAAI;YACZ,QAAQ,EAAE,MAAM;SACjB,CAAC;IACJ,CAAC;AACH,CAAC","sourcesContent":["// Utility functions shared by auth server and client integrations\n// Typically these functions should be used inside AuthenticationInitiator and AuthenticationResolver implementations\nimport type {\n AuthStorage,\n Endpoints,\n OIDCTokenResponseBody,\n ParsedTokens,\n} from \"@/types.js\";\nimport {\n AUTH_SERVER_LEGACY_SESSION,\n AUTH_SERVER_SESSION,\n OAuthTokenTypes,\n} from \"./types.js\";\nimport { OAuth2Client } from \"../../lib/oauth2/OAuth2Client.js\";\nimport { addSlashIfNeeded, getOauthEndpoints } from \"@/lib/oauth.js\";\nimport { withoutUndefined } from \"@/utils.js\";\nimport type { PKCEConsumer, PKCEProducer } from \"@/services/types.js\";\nimport { GenericUserSession } from \"@/shared/lib/UserSession.js\";\nimport { decodeJwt } from \"jose\";\nimport type { CookieStorage } from \"./storage.js\";\nimport {\n AUTOREFRESH_TIMEOUT_NAME,\n LOGOUT_STATE,\n MAX_COOKIE_AGE_SECONDS,\n REFRESH_IN_PROGRESS,\n} from \"@/constants.js\";\nimport { loggers } from \"@/lib/logger.js\";\nimport type { AuthConfig, BackendEndpoints } from \"@/server/config.js\";\nimport { verify, type VerifyOptions } from \"@civic/auth-verify\";\n\nconst logger = loggers.services.validation;\n/*\n Given a PKCE code verifier, derive the code challenge using SHA\n /\nexport async function deriveCodeChallenge(\n codeVerifier: string,\n method: \"Plain\" \| \"S256\" = \"S256\",\n): Promise<string> {\n if (method === \"Plain\") {\n console.warn(\"Using insecure plain code challenge method\");\n return codeVerifier;\n }\n\n const encoder = new TextEncoder();\n const data = encoder.encode(codeVerifier);\n const digest = await crypto.subtle.digest(\"SHA-256\", data);\n return btoa(String.fromCharCode(...new Uint8Array(digest)))\n .replace(/\\+/g, \"-\")\n .replace(/\\//g, \"_\")\n .replace(/=+$/, \"\");\n}\n\nexport async function getEndpointsWithOverrides(\n oauthServer: string,\n endpointOverrides: Partial<Endpoints> = {},\n): Promise<Endpoints> {\n const endpoints = await getOauthEndpoints(oauthServer);\n return {\n ...endpoints,\n ...endpointOverrides,\n };\n}\n\nexport async function generateOauthLoginUrl(config: {\n clientId: string;\n scopes: string[];\n state: string;\n redirectUrl: string;\n oauthServer: string;\n nonce?: string;\n endpointOverrides?: Partial<Endpoints>;\n // Optional PKCE challenge - not needed for confidential clients using client secrets\n pkceConsumer?: PKCEConsumer;\n}): Promise<URL> {\n const endpoints = await getEndpointsWithOverrides(\n config.oauthServer,\n config.endpointOverrides,\n );\n const oauth2Client = buildOauth2Client(\n config.clientId,\n config.redirectUrl,\n endpoints,\n );\n\n const oAuthUrl = await oauth2Client.createAuthorizationURL({\n state: config.state,\n scopes: config.scopes,\n });\n\n // Only add PKCE parameters if a pkceConsumer is provided\n if (config.pkceConsumer) {\n const challenge = await config.pkceConsumer.getCodeChallenge();\n // The OAuth2 client supports PKCE, but does not allow passing in a code challenge from some other source\n // It only allows passing in a code verifier which it then hashes itself.\n oAuthUrl.searchParams.append(\"code_challenge\", challenge);\n oAuthUrl.searchParams.append(\"code_challenge_method\", \"S256\");\n }\n\n if (config.nonce) {\n // nonce isn't supported by oslo, so we add it manually\n oAuthUrl.searchParams.append(\"nonce\", config.nonce);\n }\n // Required by the auth server for offline_access scope\n oAuthUrl.searchParams.append(\"prompt\", \"consent\");\n\n return oAuthUrl;\n}\n\nexport async function generateOauthLogoutUrl(config: {\n clientId: string;\n redirectUrl: string;\n idToken: string;\n state: string;\n oauthServer: string;\n endpointOverrides?: Partial<Endpoints>;\n}): Promise<URL> {\n const endpoints = await getEndpointsWithOverrides(\n config.oauthServer,\n config.endpointOverrides,\n );\n const endSessionUrl = new URL(endpoints.endsession);\n endSessionUrl.searchParams.append(\"client_id\", config.clientId);\n endSessionUrl.searchParams.append(\"id_token_hint\", config.idToken);\n endSessionUrl.searchParams.append(\"state\", config.state);\n endSessionUrl.searchParams.append(\n \"post_logout_redirect_uri\",\n config.redirectUrl,\n );\n return endSessionUrl;\n}\n\nexport function buildOauth2Client(\n clientId: string,\n redirectUri: string,\n endpoints: Endpoints,\n): OAuth2Client {\n return new OAuth2Client(clientId, endpoints.auth, endpoints.token, {\n redirectURI: redirectUri,\n });\n}\n\nexport async function exchangeTokens(\n code: string,\n state: string,\n pkceProducer: PKCEProducer \| null,\n oauth2Client: OAuth2Client,\n authConfig: ValidationConfig,\n) {\n // Get code verifier if using PKCE\n const codeVerifier = pkceProducer\n ? await pkceProducer.getCodeVerifier()\n : null;\n\n // Ensure at least one authentication method is provided\n if (!codeVerifier && !authConfig.clientSecret) {\n throw new Error(\n \"Either PKCE code verifier or client secret must be provided\",\n );\n }\n\n // Build options for validateAuthorizationCode\n const validationOptions: Record<string, string> = {};\n\n if (codeVerifier) {\n validationOptions.codeVerifier = codeVerifier;\n }\n\n if (authConfig.clientSecret) {\n validationOptions.credentials = authConfig.clientSecret;\n validationOptions.authenticateWith = \"request_body\"; // Use client_secret_post method\n }\n\n const tokens = (await oauth2Client.validateAuthorizationCode(\n code,\n validationOptions,\n )) as OIDCTokenResponseBody;\n\n // Validate relevant tokens\n try {\n await validateOauth2Tokens(tokens, authConfig);\n } catch (error) {\n console.error(\"tokenExchange error\", { error, tokens });\n throw new Error(\n `OIDC tokens validation failed: ${(error as Error).message}`,\n );\n }\n return tokens;\n}\n/\n Calculates the maxAge values for access and refresh token cookies\n * based on the TTL values in the access token\n \n maxAge needs to be in seconds from now until expiration\n \n @param tokens OIDC tokens response containing the access token\n * @returns Object with accessTokenMaxAge and refreshTokenMaxAge in seconds\n /\nexport const getCookiesMaxAge = (\n tokens: OIDCTokenResponseBody,\n): { idTokenMaxAge: number; accessTokenMaxAge: number } => {\n const DEFAULT_TTL = 60 60; // 1 hour default\n\n let idTokenMaxAge = DEFAULT_TTL;\n let accessTokenMaxAge = DEFAULT_TTL;\n\n // The ID token takes priority, as it represents the OIDC session\n if (tokens.id_token) {\n // If no access token exists, try to get expiration from ID token\n const parsedIdToken = decodeJwt(tokens.id_token);\n if (parsedIdToken?.exp) {\n const now = Math.floor(Date.now() / 1000);\n idTokenMaxAge = parsedIdToken.exp - now;\n }\n }\n\n if (tokens.access_token) {\n // Get access token TTL from the token if it exists\n const parsedAccessToken = decodeJwt(tokens.access_token);\n accessTokenMaxAge =\n Number(parsedAccessToken?.accessTokenTTL) \|\| DEFAULT_TTL;\n\n // If access token has exp claim, use that directly\n if (parsedAccessToken?.exp) {\n const now = Math.floor(Date.now() / 1000);\n accessTokenMaxAge = parsedAccessToken.exp - now;\n }\n }\n\n return {\n accessTokenMaxAge,\n idTokenMaxAge,\n };\n};\n\nexport async function setOidcSessionExpiresAt(\n storage: AuthStorage \| CookieStorage,\n tokens: OIDCTokenResponseBody,\n) {\n const now = Math.floor(Date.now() / 1000);\n const { idTokenMaxAge } = getCookiesMaxAge(tokens);\n // The OIDC session expiry is linked to the ID token expiry, since this is primarily an OIDC client.\n await storage.set(\n OAuthTokenTypes.OIDC_SESSION_EXPIRES_AT,\n (idTokenMaxAge + now).toString(),\n );\n}\n\nexport async function storeTokens(\n storage: AuthStorage,\n tokens: OIDCTokenResponseBody,\n) {\n // ID token is the primary token and must always be stored\n await storage.set(OAuthTokenTypes.ID_TOKEN, tokens.id_token);\n\n // Only store access token if it exists (no longer required)\n if (tokens.access_token) {\n await storage.set(OAuthTokenTypes.ACCESS_TOKEN, tokens.access_token);\n }\n\n // Store refresh token if it exists\n if (tokens.refresh_token) {\n await storage.set(OAuthTokenTypes.REFRESH_TOKEN, tokens.refresh_token);\n }\n\n // Still set access token expiration even if no access token\n // (will get expiration from ID token in this case)\n await setOidcSessionExpiresAt(storage, tokens);\n}\n\n/*\n Stores tokens in server-side cookies with appropriate expiration times\n * Uses TTL values from the tokens to set cookie maxAge values\n * Refresh token is set with 400 day expiry\n /\nexport async function storeServerTokens(\n storage: AuthStorage \| CookieStorage,\n tokens: OIDCTokenResponseBody,\n) {\n // Get maxAge values based on token TTLs (refresh token TTL will be undefined)\n const now = Math.floor(Date.now() / 1000);\n const { idTokenMaxAge, accessTokenMaxAge } = getCookiesMaxAge(tokens);\n\n // The OIDC session expiry is linked to the ID token expiry, since this is primarily an OIDC client.\n const oidcSessionExpiresAt = now + idTokenMaxAge;\n const cookieStorage = storage as CookieStorage;\n\n // Apply maxAge to cookie options\n const accessTokenCookieOptions = {\n maxAge: accessTokenMaxAge,\n };\n\n const refreshTokenCookieOptions = {\n maxAge: MAX_COOKIE_AGE_SECONDS,\n };\n\n // ID token is always stored (primary authentication token)\n await cookieStorage.set(OAuthTokenTypes.ID_TOKEN, tokens.id_token, {\n maxAge: idTokenMaxAge,\n });\n\n // Access token is optional - only set if it exists\n if (tokens.access_token) {\n await cookieStorage.set(\n OAuthTokenTypes.ACCESS_TOKEN,\n tokens.access_token,\n accessTokenCookieOptions,\n );\n }\n\n // Set refresh token if present with 400 day expiry\n if (tokens.refresh_token) {\n await cookieStorage.set(\n OAuthTokenTypes.REFRESH_TOKEN,\n tokens.refresh_token,\n refreshTokenCookieOptions,\n );\n }\n\n // Still store the access token expiration timestamp even if no access token\n await storage.set(\n OAuthTokenTypes.OIDC_SESSION_EXPIRES_AT,\n oidcSessionExpiresAt.toString(),\n {\n // This is primarily an OIDC client, so we use the ID token max age for the session timeout / refresh scheduling.\n maxAge: idTokenMaxAge,\n },\n );\n logger.debug(\"storeServerTokens\", {\n oidcSessionExpiresAt,\n refreshTokenMaxAge: MAX_COOKIE_AGE_SECONDS,\n idTokenMaxAge,\n hasAccessToken: !!tokens.access_token,\n });\n}\n\nexport async function clearTokens(storage: AuthStorage \| CookieStorage) {\n // clear all local storage keys related to OAuth and CivicAuth SDK\n const clearOAuthPromises = [\n ...Object.values(OAuthTokenTypes),\n REFRESH_IN_PROGRESS,\n AUTOREFRESH_TIMEOUT_NAME,\n LOGOUT_STATE,\n ].map(async (key) => {\n await storage.delete(key);\n });\n await Promise.all([...clearOAuthPromises]);\n}\n\nexport async function clearAuthServerSession(storage: AuthStorage) {\n await storage.delete(AUTH_SERVER_SESSION);\n await storage.delete(AUTH_SERVER_LEGACY_SESSION);\n}\n\nexport async function clearUser(storage: AuthStorage) {\n const userSession = new GenericUserSession(storage);\n await userSession.clear();\n}\n\n/\n Smart token unwrapping for Safari's base64-encoding bug\n * Only unwraps tokens that are:\n * 1. Base64-encoded (Safari bug) - very long strings without dots\n * 2. Contain a JSON object with a 'value' property that's a valid JWT\n \n Does NOT unwrap React Router's normal {value: \"token\"} objects\n /\nfunction unwrapSafariTokenIfNeeded(token: string \| null): string \| null {\n if (!token) return token;\n\n // Safari-specific detection: base64-encoded JSON that's extremely long\n // Normal wrapped objects from React Router are much shorter and have different characteristics\n if (token && !token.includes(\".\") && token.length > 800) {\n try {\n // Try to decode as base64 and parse as JSON\n const decoded = JSON.parse(atob(token));\n\n // Verify this is Safari's bug: wrapped value must be a valid 3-part JWT\n if (\n decoded &&\n typeof decoded === \"object\" &&\n decoded.value &&\n typeof decoded.value === \"string\" &&\n decoded.value.split(\".\").length === 3\n ) {\n return decoded.value;\n }\n } catch (error) {\n console.error(\"HERE UTIL - SAFARI TOKEN UNWRAP FAILED\", error);\n }\n }\n\n return token;\n}\n\nexport async function retrieveTokens(\n storage: AuthStorage,\n): Promise<Partial<OIDCTokenResponseBody> \| null> {\n const idToken = await storage.get(OAuthTokenTypes.ID_TOKEN);\n const accessToken = await storage.get(OAuthTokenTypes.ACCESS_TOKEN);\n const refreshToken = await storage.get(OAuthTokenTypes.REFRESH_TOKEN);\n const oidcSessionExpiresAt = await storage.get(\n OAuthTokenTypes.OIDC_SESSION_EXPIRES_AT,\n );\n\n return {\n id_token: unwrapSafariTokenIfNeeded(idToken) ?? undefined,\n access_token: unwrapSafariTokenIfNeeded(accessToken) ?? undefined,\n refresh_token: unwrapSafariTokenIfNeeded(refreshToken) ?? undefined,\n oidc_session_expires_at:\n oidcSessionExpiresAt !== null\n ? parseInt(oidcSessionExpiresAt, 10)\n : undefined, // Convert string to number\n };\n}\n\nexport async function retrieveOidcSessionExpiredAtSeconds(\n storage: AuthStorage,\n): Promise<number \| null> {\n const valueSeconds = await storage.get(\n OAuthTokenTypes.OIDC_SESSION_EXPIRES_AT,\n );\n if (!valueSeconds) {\n return null;\n }\n const expiresAt = Number(valueSeconds);\n return isNaN(expiresAt) ? null : expiresAt;\n}\n\nexport type ValidationConfig = Pick<\n AuthConfig,\n \"clientId\" \| \"oauthServer\" \| \"oauthServerBaseUrl\" \| \"clientSecret\"\n>;\nexport async function validateOauth2Tokens(\n tokens: OIDCTokenResponseBody,\n config: ValidationConfig,\n): Promise<ParsedTokens> {\n const baseIssuer = addSlashIfNeeded(\n (config.oauthServer \|\| config.oauthServerBaseUrl) ??\n \"https://auth.civic.com/oauth/\",\n );\n\n // Validate the ID token - this is now the primary token for authentication\n const idTokenVerifyOptions: VerifyOptions = {\n issuer: baseIssuer,\n };\n\n // Set audience for ID token\n if (config.clientId) {\n // ID tokens should have the client ID as audience for proper OIDC compliance\n idTokenVerifyOptions.aud = config.clientId;\n }\n\n logger.debug(`Verifying id_token with options:`, {\n idTokenVerifyOptions,\n config,\n });\n\n // Use the @civic/auth-verify package for ID token verification\n const idTokenPayload = await verify(tokens.id_token, idTokenVerifyOptions);\n\n // Only validate the access token if it exists, but if present it must be valid\n let accessTokenPayload;\n if (tokens.access_token) {\n const accessTokenVerifyOptions: VerifyOptions = {\n issuer: baseIssuer,\n // Access tokens have \"civic\" as audience based on auth server configuration\n aud: \"civic\",\n clientId: config.clientId,\n };\n\n logger.debug(`Verifying access_token with options:`, {\n accessTokenVerifyOptions,\n });\n\n // Use the @civic/auth-verify package for access token verification\n accessTokenPayload = await verify(\n tokens.access_token,\n accessTokenVerifyOptions,\n );\n }\n\n return withoutUndefined({\n id_token: idTokenPayload,\n access_token: accessTokenPayload,\n ...(tokens?.refresh_token ? { refresh_token: tokens.refresh_token } : {}),\n });\n}\n\n/\n Get backend endpoints with default values merged with custom configuration\n * @param backendEndpoints - Optional custom backend endpoints configuration\n * @returns Backend endpoints with defaults applied\n /\nexport function getBackendEndpoints(\n backendEndpoints?: BackendEndpoints,\n): BackendEndpoints {\n return {\n refresh: backendEndpoints?.refresh ?? \"/auth/refresh\",\n logout: backendEndpoints?.logout ?? \"/auth/logout\",\n user: backendEndpoints?.user ?? \"/auth/user\",\n clearSession: backendEndpoints?.clearSession ?? \"/auth/clearsession\",\n };\n}\n\n/\n Resolves an endpoint URL by checking if it's already a full URL\n * or if it needs to be combined with a base URL\n * @param baseUrl - The base URL (e.g., \"https://api.example.com\")\n * @param endpoint - The endpoint that might be relative (e.g., \"/auth/logout\") or absolute (e.g., \"https://other-server.com/logout\")\n * @returns The resolved URL\n /\nexport function resolveEndpointUrl(\n baseUrl: string,\n endpoint: string \| undefined,\n): string {\n // Handle undefined endpoint\n if (!endpoint) {\n throw new Error(\"Endpoint is undefined\");\n }\n\n // Check if endpoint is already a full URL\n if (endpoint.startsWith(\"http://\") \|\| endpoint.startsWith(\"https://\")) {\n return endpoint;\n }\n\n // Concatenate base URL with relative endpoint\n return `${baseUrl}${endpoint}`;\n}\n\n/\n Determines the protocol from request headers or environment\n * Checks common proxy headers before falling back to URL or environment\n /\nexport function getProtocolFromRequest(request?: Request): string {\n if (!request) {\n // Fallback when no request available\n return process.env.NODE_ENV === \"production\" ? \"https:\" : \"http:\";\n }\n\n // Check common proxy headers that indicate the original protocol\n const forwardedProto = request.headers.get(\"x-forwarded-proto\");\n if (forwardedProto) {\n return forwardedProto === \"https\" ? \"https:\" : \"http:\";\n }\n\n const forwardedProtocol = request.headers.get(\"x-forwarded-protocol\");\n if (forwardedProtocol) {\n return forwardedProtocol === \"https\" ? \"https:\" : \"http:\";\n }\n\n // Parse the standard Forwarded header (RFC 7239)\n const forwarded = request.headers.get(\"forwarded\");\n if (forwarded) {\n const protoMatch = forwarded.match(/proto=([^;,\\s]+)/i);\n if (protoMatch) {\n return protoMatch[1] === \"https\" ? \"https:\" : \"http:\";\n }\n }\n\n // Extract from the request URL itself\n const url = new URL(request.url);\n return url.protocol;\n}\n\n/\n Detect Safari browser from user agent\n /\nexport function isSafariBrowser(request?: Request): boolean {\n if (!request) return false;\n\n const userAgent = request.headers.get(\"user-agent\") \|\| \"\";\n return userAgent.includes(\"Safari\") && !userAgent.includes(\"Chrome\");\n}\n\n/\n Detect if running on localhost\n /\nexport function isLocalhostUrl(request?: Request): boolean {\n if (!request) return false;\n\n const url = new URL(request.url);\n return url.hostname === \"localhost\" \|\| url.hostname === \"127.0.0.1\";\n}\n\n/\n Get cookie configuration based on environment and browser\n * Handles special cases for Safari on localhost and HTTPS detection\n \n @param request - Optional request object for environment detection\n * @returns Cookie configuration with secure and sameSite settings\n \n Configuration rules:\n * - Safari on localhost: Uses lax sameSite to avoid cross-origin issues\n * - HTTPS: Uses secure cookies with none sameSite for cross-origin iframe support\n * - HTTP localhost (non-Safari): Uses secure cookies for Chrome's localhost exception\n */\nexport function getCookieConfiguration(request?: Request): {\n secure: boolean;\n sameSite: \"lax\" \| \"none\";\n} {\n const isSafari = isSafariBrowser(request);\n const isLocalhost = isLocalhostUrl(request);\n const protocol = getProtocolFromRequest(request);\n const isHttps = protocol === \"https:\";\n\n if (isSafari && isLocalhost) {\n // Safari on localhost: use lax to avoid cross-origin issues\n return {\n secure: false,\n sameSite: \"lax\",\n };\n } else if (isHttps) {\n // HTTPS (production): use none for cross-origin iframe support\n return {\n secure: true,\n sameSite: \"none\",\n };\n } else {\n // HTTP localhost (non-Safari): use secure: true for iframe compatibility\n // Chrome allows secure cookies on localhost HTTP\n // This allows secure: true cookies to work on localhost for iframe compatibility\n // Reference: Chrome's third-party cookie documentation\n return {\n secure: true,\n sameSite: \"none\",\n };\n }\n}\n"]}

package/dist/shared/version.d.ts CHANGED Viewed

@@ -1,2 +1,2 @@
-export declare const VERSION = "@civic/auth:0.11.8-beta.2";
+export declare const VERSION = "@civic/auth:0.11.9-beta.0";
 //# sourceMappingURL=version.d.ts.map

package/dist/shared/version.js CHANGED Viewed

@@ -1,3 +1,3 @@
 // This is an auto-generated file. Do not edit.
-export const VERSION = "@civic/auth:0.11.8-beta.2";
+export const VERSION = "@civic/auth:0.11.9-beta.0";
 //# sourceMappingURL=version.js.map

package/dist/shared/version.js.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"version.js","sourceRoot":"","sources":["../../src/shared/version.ts"],"names":[],"mappings":"AAAA,+CAA+C;AAE/C,MAAM,CAAC,MAAM,OAAO,GAAG,2BAA2B,CAAC","sourcesContent":["// This is an auto-generated file. Do not edit.\n\nexport const VERSION = \"@civic/auth:0.11.8-beta.2\";\n"]}
1	+ {"version":3,"file":"version.js","sourceRoot":"","sources":["../../src/shared/version.ts"],"names":[],"mappings":"AAAA,+CAA+C;AAE/C,MAAM,CAAC,MAAM,OAAO,GAAG,2BAA2B,CAAC","sourcesContent":["// This is an auto-generated file. Do not edit.\n\nexport const VERSION = \"@civic/auth:0.11.9-beta.0\";\n"]}

package/dist/vanillajs/auth/CivicAuth.d.ts CHANGED Viewed

@@ -282,9 +282,39 @@ export declare class CivicAuth {
      */
     destroy(): Promise<void>;
     /**
-     * Handle logout
+     * Handle logout - delegates to the appropriate flow based on configuration.
+     *
+     * Two distinct logout flows exist:
+     * 1. `clientTriggeredLogout` (SPA Mode) - When no loginUrl is configured
+     *    - Browser has direct access to tokens from storage
+     *    - Can directly generate OAuth logout URL
+     *    - No server-side call needed (except to OAuth provider)
+     *
+     * 2. `backendTriggeredLogout` (Server Integration Mode) - When loginUrl is configured
+     *    - Tokens are stored in HttpOnly cookies (not accessible to JavaScript)
+     *    - Uses PARALLEL calls to clearsession and logout endpoints
+     *    - Both requests have cookies attached at send time
+     *    - clearsession returns quickly, clearing browser cookies
+     *    - logout iframe handles OAuth provider logout (slower, but had cookies when initiated)
      */
     logout(): Promise<void>;
+    /**
+     * Logout for SPA mode where browser has direct access to tokens.
+     * Uses redirect-based OAuth logout since we can read the id_token directly.
+     */
+    private clientTriggeredLogout;
+    /**
+     * Logout for server integration mode where tokens are in HttpOnly cookies.
+     *
+     * Uses PARALLEL calls to clearsession and logout endpoints:
+     * - Both requests are sent simultaneously while cookies are still present
+     * - clearsession returns quickly and clears HttpOnly cookies via response
+     * - logout iframe takes longer but had cookies when request was made
+     *
+     * This ensures cookies are cleared fast (preventing race conditions if user refreshes)
+     * while still performing OAuth provider logout.
+     */
+    private backendTriggeredLogout;
     /**
      * Load logout URL in a hidden iframe to avoid full page reload
      * @param logoutUrl The URL to load in the iframe

package/dist/vanillajs/auth/CivicAuth.d.ts.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"CivicAuth.d.ts","sourceRoot":"","sources":["../../../src/vanillajs/auth/CivicAuth.ts"],"names":[],"mappings":"AAGA,OAAO,KAAK,EAAE,UAAU,EAAE,OAAO,EAAE,MAAM,mBAAmB,CAAC;~~AA2B7D~~,OAAO,KAAK,EACV,qBAAqB,EAEtB,MAAM,sBAAsB,CAAC;AAoB9B;;;;GAIG;AACH,qBAAa,SAAS;IACpB,OAAO,CAAC,MAAM,CAA2B;IACzC,OAAO,CAAC,OAAO,CAAc;IAC7B,OAAO,CAAC,SAAS,CAAC,CAAY;IAC9B,OAAO,CAAC,MAAM,CAAkC;IAChD,OAAO,CAAC,cAAc,CAAiB;IACvC,OAAO,CAAC,MAAM,CAAuB;IACrC,OAAO,CAAC,kBAAkB,CAKT;IAGjB,OAAO,CAAC,WAAW,CAAC,CAAsB;IAC1C,OAAO,CAAC,kBAAkB,CAAC,CAA8B;IACzD,OAAO,CAAC,iBAAiB,CAAC,CAA2B;IACrD,OAAO,CAAC,wBAAwB,CAAC,CAAS;IAC1C,OAAO,CAAC,yBAAyB,CAAC,CAAS;IAC3C,OAAO,CAAC,cAAc,CAAkB;IACxC,OAAO,CAAC,gBAAgB,CAAkB;IAG1C,OAAO,CAAC,QAAQ,CAAC,CAAS;IAG1B,OAAO,CAAC,cAAc,CAAC,CAAiB;IACxC,OAAO,CAAC,YAAY,CAAC,CAAe;IACpC,OAAO,CAAC,iBAAiB,CAAC,CAAoB;IAE9C;;;OAGG;IACH,OAAO;IAyCP;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;OAiCG;WACiB,MAAM,CACxB,MAAM,EAAE,qBAAqB,GAC5B,OAAO,CAAC,SAAS,CAAC;IAMrB;;OAEG;YACW,IAAI;IA4JlB;;OAEG;IACH,OAAO,CAAC,kBAAkB;IA8B1B;;;OAGG;IACH,OAAO,CAAC,kBAAkB;IAoC1B;;OAEG;YACW,YAAY;IAwE1B;;;;;OAKG;YACW,qBAAqB;IA0EnC;;;OAGG;IACH,yBAAyB,IAAI,OAAO;IAOpC;;;OAGG;IACH,iBAAiB,CAAC,OAAO,EAAE,OAAO,GAAG,IAAI;IAuBzC;;;OAGG;IACH,iBAAiB,IAAI,OAAO;IAQ5B;;;OAGG;IACH,OAAO,CAAC,4BAA4B;IAYpC;;;OAGG;IACH,OAAO,CAAC,iCAAiC;IAgCzC;;OAEG;IACH,OAAO,CAAC,iCAAiC;IA8BzC;;OAEG;IACH,OAAO,CAAC,mCAAmC;IAoB3C;;;OAGG;YACW,2BAA2B;IAoDzC;;;;OAIG;IACG,mBAAmB,IAAI,OAAO,CAAC,UAAU,CAAC;IAuEhD;;;;;;;;;;;;;;;OAeG;IACG,cAAc,IAAI,OAAO,CAAC,IAAI,CAAC;YA8EvB,8BAA8B;IA+B5C;;OAEG;YACW,iCAAiC;IAqD/C;;OAEG;YACW,4BAA4B;IA6C1C;;OAEG;IACH,OAAO,CAAC,0BAA0B;IAuClC;;OAEG;IACH,OAAO,CAAC,iBAAiB;IA0BzB;;OAEG;IACH,OAAO,CAAC,eAAe;IA0BvB;;OAEG;IACH,OAAO,CAAC,kBAAkB;IA0C1B;;OAEG;IACH,OAAO,CAAC,uBAAuB;IA6C/B;;OAEG;IACH,OAAO,CAAC,wBAAwB;IAehC;;OAEG;IACH,OAAO,CAAC,mBAAmB;IA+B3B;;OAEG;YACW,cAAc;IA0E5B;;OAEG;IACI,OAAO,IAAI,IAAI;IA6BtB;;OAEG;IACH,OAAO,CAAC,uBAAuB;IAyB/B;;OAEG;IACU,iBAAiB,IAAI,OAAO,CAAC,OAAO,GAAG,IAAI,CAAC;IAIzD;;;OAGG;IACU,4BAA4B;IAKzC;;OAEG;IACU,eAAe,IAAI,OAAO,CAAC,OAAO,CAAC;IAIhD;;OAEG;IACU,cAAc;IAI3B;;OAEG;IACU,YAAY,IAAI,OAAO,CAAC,IAAI,CAAC;IAI1C;;OAEG;IACU,aAAa,IAAI,OAAO,CAAC,IAAI,CAAC;IAI3C;;OAEG;IACI,sBAAsB;;;;;IAI7B;;;;;;;;;;;;;;;;;;;OAmBG;IACI,WAAW,CAAC,QAAQ,EAAE,MAAM,GAAG,IAAI;IAa1C;;OAEG;IACI,aAAa,IAAI,IAAI;IAW5B;;;OAGG;IACI,WAAW,IAAI,MAAM,GAAG,SAAS;IAIxC;;;OAGG;IACI,oBAAoB,CAAC,IAAI,EAAE,OAAO,GAAG,UAAU,GAAG,IAAI;IAK7D;;;OAGG;IACI,oBAAoB,IAAI,OAAO,GAAG,UAAU,GAAG,SAAS;IAI/D;;;;OAIG;IACI,cAAc,IAAI,IAAI;IAkC7B;;OAEG;IACU,OAAO,IAAI,OAAO,CAAC,IAAI,CAAC;IAMrC~~;;OAEG~~;IACU,MAAM,IAAI,OAAO,CAAC,IAAI,CAAC;~~IAkIpC~~;;;OAGG;IACH,OAAO,CAAC,kBAAkB;IAwD1B;;;OAGG;YACW,wBAAwB;CAsEvC;AAGD,YAAY,EAAE,qBAAqB,EAAE,MAAM,sBAAsB,CAAC;AAClE,OAAO,EAAE,kBAAkB,EAAE,MAAM,sBAAsB,CAAC"}
1	+ {"version":3,"file":"CivicAuth.d.ts","sourceRoot":"","sources":["../../../src/vanillajs/auth/CivicAuth.ts"],"names":[],"mappings":"AAGA,OAAO,KAAK,EAAE,UAAU,EAAE,OAAO,EAAE,MAAM,mBAAmB,CAAC;AA4B7D,OAAO,KAAK,EACV,qBAAqB,EAEtB,MAAM,sBAAsB,CAAC;AAoB9B;;;;GAIG;AACH,qBAAa,SAAS;IACpB,OAAO,CAAC,MAAM,CAA2B;IACzC,OAAO,CAAC,OAAO,CAAc;IAC7B,OAAO,CAAC,SAAS,CAAC,CAAY;IAC9B,OAAO,CAAC,MAAM,CAAkC;IAChD,OAAO,CAAC,cAAc,CAAiB;IACvC,OAAO,CAAC,MAAM,CAAuB;IACrC,OAAO,CAAC,kBAAkB,CAKT;IAGjB,OAAO,CAAC,WAAW,CAAC,CAAsB;IAC1C,OAAO,CAAC,kBAAkB,CAAC,CAA8B;IACzD,OAAO,CAAC,iBAAiB,CAAC,CAA2B;IACrD,OAAO,CAAC,wBAAwB,CAAC,CAAS;IAC1C,OAAO,CAAC,yBAAyB,CAAC,CAAS;IAC3C,OAAO,CAAC,cAAc,CAAkB;IACxC,OAAO,CAAC,gBAAgB,CAAkB;IAG1C,OAAO,CAAC,QAAQ,CAAC,CAAS;IAG1B,OAAO,CAAC,cAAc,CAAC,CAAiB;IACxC,OAAO,CAAC,YAAY,CAAC,CAAe;IACpC,OAAO,CAAC,iBAAiB,CAAC,CAAoB;IAE9C;;;OAGG;IACH,OAAO;IAyCP;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;OAiCG;WACiB,MAAM,CACxB,MAAM,EAAE,qBAAqB,GAC5B,OAAO,CAAC,SAAS,CAAC;IAMrB;;OAEG;YACW,IAAI;IA4JlB;;OAEG;IACH,OAAO,CAAC,kBAAkB;IA8B1B;;;OAGG;IACH,OAAO,CAAC,kBAAkB;IAoC1B;;OAEG;YACW,YAAY;IAwE1B;;;;;OAKG;YACW,qBAAqB;IA0EnC;;;OAGG;IACH,yBAAyB,IAAI,OAAO;IAOpC;;;OAGG;IACH,iBAAiB,CAAC,OAAO,EAAE,OAAO,GAAG,IAAI;IAuBzC;;;OAGG;IACH,iBAAiB,IAAI,OAAO;IAQ5B;;;OAGG;IACH,OAAO,CAAC,4BAA4B;IAYpC;;;OAGG;IACH,OAAO,CAAC,iCAAiC;IAgCzC;;OAEG;IACH,OAAO,CAAC,iCAAiC;IA8BzC;;OAEG;IACH,OAAO,CAAC,mCAAmC;IAoB3C;;;OAGG;YACW,2BAA2B;IAoDzC;;;;OAIG;IACG,mBAAmB,IAAI,OAAO,CAAC,UAAU,CAAC;IAuEhD;;;;;;;;;;;;;;;OAeG;IACG,cAAc,IAAI,OAAO,CAAC,IAAI,CAAC;YA8EvB,8BAA8B;IA+B5C;;OAEG;YACW,iCAAiC;IAqD/C;;OAEG;YACW,4BAA4B;IA6C1C;;OAEG;IACH,OAAO,CAAC,0BAA0B;IAuClC;;OAEG;IACH,OAAO,CAAC,iBAAiB;IA0BzB;;OAEG;IACH,OAAO,CAAC,eAAe;IA0BvB;;OAEG;IACH,OAAO,CAAC,kBAAkB;IA0C1B;;OAEG;IACH,OAAO,CAAC,uBAAuB;IA6C/B;;OAEG;IACH,OAAO,CAAC,wBAAwB;IAehC;;OAEG;IACH,OAAO,CAAC,mBAAmB;IA+B3B;;OAEG;YACW,cAAc;IA0E5B;;OAEG;IACI,OAAO,IAAI,IAAI;IA6BtB;;OAEG;IACH,OAAO,CAAC,uBAAuB;IAyB/B;;OAEG;IACU,iBAAiB,IAAI,OAAO,CAAC,OAAO,GAAG,IAAI,CAAC;IAIzD;;;OAGG;IACU,4BAA4B;IAKzC;;OAEG;IACU,eAAe,IAAI,OAAO,CAAC,OAAO,CAAC;IAIhD;;OAEG;IACU,cAAc;IAI3B;;OAEG;IACU,YAAY,IAAI,OAAO,CAAC,IAAI,CAAC;IAI1C;;OAEG;IACU,aAAa,IAAI,OAAO,CAAC,IAAI,CAAC;IAI3C;;OAEG;IACI,sBAAsB;;;;;IAI7B;;;;;;;;;;;;;;;;;;;OAmBG;IACI,WAAW,CAAC,QAAQ,EAAE,MAAM,GAAG,IAAI;IAa1C;;OAEG;IACI,aAAa,IAAI,IAAI;IAW5B;;;OAGG;IACI,WAAW,IAAI,MAAM,GAAG,SAAS;IAIxC;;;OAGG;IACI,oBAAoB,CAAC,IAAI,EAAE,OAAO,GAAG,UAAU,GAAG,IAAI;IAK7D;;;OAGG;IACI,oBAAoB,IAAI,OAAO,GAAG,UAAU,GAAG,SAAS;IAI/D;;;;OAIG;IACI,cAAc,IAAI,IAAI;IAkC7B;;OAEG;IACU,OAAO,IAAI,OAAO,CAAC,IAAI,CAAC;IAMrC;;;;;;;;;;;;;;;OAeG;IACU,MAAM,IAAI,OAAO,CAAC,IAAI,CAAC;IAwBpC;;;OAGG;YACW,qBAAqB;IAgEnC;;;;;;;;;;OAUG;YACW,sBAAsB;IAyEpC;;;OAGG;IACH,OAAO,CAAC,kBAAkB;IAwD1B;;;OAGG;YACW,wBAAwB;CAsEvC;AAGD,YAAY,EAAE,qBAAqB,EAAE,MAAM,sBAAsB,CAAC;AAClE,OAAO,EAAE,kBAAkB,EAAE,MAAM,sBAAsB,CAAC"}

package/dist/vanillajs/auth/CivicAuth.js CHANGED Viewed

@@ -8,7 +8,7 @@ import { AuthenticationEvents } from "./AuthenticationEvents.js";
 import { PopupError } from "../../services/types.js";
 import { getVersion } from "../../shared/index.js";
 import { handleOAuthRedirectPage } from "./handlers/OAuthCallbackHandler.js";
-import { generateOauthLogoutUrl, clearTokens, retrieveTokens, getBackendEndpoints, resolveEndpointUrl, } from "../../shared/lib/util.js";
+import { generateOauthLogoutUrl, clearTokens, clearUser, retrieveTokens, getBackendEndpoints, resolveEndpointUrl, } from "../../shared/lib/util.js";
 import { LOGOUT_STATE } from "../../constants.js";
 import { getOauthEndpoints } from "../../lib/oauth.js";
 import { collectAndSendSDKAnalytics } from "../../lib/analytics.js";
@@ -1273,99 +1273,33 @@ export class CivicAuth {
         this.logger.info("CivicAuth destroyed");
     }
     /**
-     * Handle logout
+     * Handle logout - delegates to the appropriate flow based on configuration.
+     *
+     * Two distinct logout flows exist:
+     * 1. `clientTriggeredLogout` (SPA Mode) - When no loginUrl is configured
+     *    - Browser has direct access to tokens from storage
+     *    - Can directly generate OAuth logout URL
+     *    - No server-side call needed (except to OAuth provider)
+     *
+     * 2. `backendTriggeredLogout` (Server Integration Mode) - When loginUrl is configured
+     *    - Tokens are stored in HttpOnly cookies (not accessible to JavaScript)
+     *    - Uses PARALLEL calls to clearsession and logout endpoints
+     *    - Both requests have cookies attached at send time
+     *    - clearsession returns quickly, clearing browser cookies
+     *    - logout iframe handles OAuth provider logout (slower, but had cookies when initiated)
      */
     async logout() {
+        this.logger.info("🔄 Starting logout process");
+        this.events.emit(AuthEvent.SIGN_OUT_STARTED, {
+            detail: "Logout process started",
+        });
         try {
-            this.logger.info("🔄 Starting logout process");
-            this.events.emit(AuthEvent.SIGN_OUT_STARTED, {
-                detail: "Logout process started",
-            });
-            // If a loginUrl is configured, redirect to the backend's logout endpoint.
-            // The backend will then handle redirecting to the OIDC provider.
             if (this.loginUrl) {
-                this.logger.info("🚪 Redirecting to backend for logout in backend-integrated flow");
-                const backendUrl = new URL(this.loginUrl).origin;
-                const endpoints = getBackendEndpoints(this.config.backendEndpoints);
-                const backendLogoutUrl = resolveEndpointUrl(backendUrl, endpoints.logout);
-                this.events.emit(AuthEvent.SIGN_OUT_COMPLETE, {
-                    detail: "Local session cleared, redirecting to backend for logout.",
-                });
-                // Generate state for backend integration to enable iframe mode detection
-                const state = generateState({
-                    displayMode: this.config.displayMode || "iframe",
-                    framework: this.config.framework || "vanillajs",
-                    sdkVersion: getVersion(),
-                });
-                // Perform top-level redirect to the backend logout endpoint
-                // Include logoutRedirectUrl and state as query parameters
-                const logoutUrl = new URL(backendLogoutUrl);
-                if (this.config.logoutRedirectUrl) {
-                    logoutUrl.searchParams.set("logoutRedirectUrl", this.config.logoutRedirectUrl);
-                }
-                // Include state for iframe mode detection on server
-                logoutUrl.searchParams.set("state", state);
-                this.logger.info("🌐 Loading backend logout endpoint in iframe", {
-                    url: logoutUrl.toString(),
-                    path: logoutUrl.pathname,
-                    logoutRedirectUrl: this.config.logoutRedirectUrl,
-                    displayMode: this.config.displayMode,
-                });
-                // Use iframe for SPA logout to avoid full page reload
-                this.loadLogoutInIframe(logoutUrl);
-                await this.sessionManager.clearSession();
-                return;
-            }
-            // --- Existing SPA redirect-based logout flow ---
-            this.logger.info("🚪 Using redirect-based logout for SPA flow");
-            const tokens = await retrieveTokens(this.storage);
-            if (!tokens?.id_token) {
-                this.logger.warn("⚠️ No ID token found, clearing local session only");
-                await clearTokens(this.storage);
-                await this.sessionManager.clearSession();
-                this.events.emit(AuthEvent.SIGN_OUT_COMPLETE, {
-                    detail: "Local session cleared",
-                });
-                return;
-            }
-            if (!this.endpoints) {
-                throw new Error("OAuth endpoints not initialized");
+                await this.backendTriggeredLogout();
             }
-            // Generate a state for logout (for OAuth provider tracking only)
-            const state = generateState({
-                displayMode: this.config.displayMode || "iframe",
-                framework: this.config.framework || "vanillajs",
-                sdkVersion: getVersion(),
-            });
-            this.logger.info("🔄 Generated logout state for OAuth provider", {
-                generatedState: state,
-                displayMode: this.config.displayMode,
-            });
-            // Note: No need to store logout_state in localStorage since iframe flows
-            // don't receive redirect callbacks that need state coordination
-            // Ensure clientId is available for OAuth logout
-            if (!this.config.clientId) {
-                throw new Error("ClientId is required for OAuth logout flow");
+            else {
+                await this.clientTriggeredLogout();
             }
-            // Generate logout URL
-            const logoutUrl = await generateOauthLogoutUrl({
-                clientId: this.config.clientId,
-                redirectUrl: this.config.logoutRedirectUrl,
-                idToken: tokens.id_token,
-                state: state,
-                oauthServer: this.config.oauthServerBaseUrl,
-            });
-            this.logger.info("🔗 Generated logout URL", {
-                logoutUrl: logoutUrl.toString(),
-            });
-            // Clear local tokens and session completely (no need to preserve logout_state)
-            await this.sessionManager.clearSession(false);
-            // Emit logout complete event before iframe request
-            this.events.emit(AuthEvent.SIGN_OUT_COMPLETE, {
-                detail: "Logout successful",
-            });
-            // Use hidden iframe instead of redirect to avoid full page reload in SPA mode
-            this.loadLogoutInIframe(logoutUrl);
         }
         catch (error) {
             this.logger.error("❌ Logout failed", { error });
@@ -1375,6 +1309,125 @@ export class CivicAuth {
             throw new CivicAuthError("Logout failed", CivicAuthErrorCode.LOGOUT_FAILED);
         }
     }
+    /**
+     * Logout for SPA mode where browser has direct access to tokens.
+     * Uses redirect-based OAuth logout since we can read the id_token directly.
+     */
+    async clientTriggeredLogout() {
+        this.logger.info("🚪 Using client-triggered logout (SPA mode)");
+        const tokens = await retrieveTokens(this.storage);
+        if (!tokens?.id_token) {
+            this.logger.warn("⚠️ No ID token found, clearing local session only");
+            await clearTokens(this.storage);
+            await this.sessionManager.clearSession();
+            this.events.emit(AuthEvent.SIGN_OUT_COMPLETE, {
+                detail: "Local session cleared",
+            });
+            return;
+        }
+        // Clear session but preserve tokens for logout request
+        await this.sessionManager.clearSession(true);
+        if (!this.endpoints) {
+            throw new Error("OAuth endpoints not initialized");
+        }
+        // Generate state for logout (for OAuth provider tracking only)
+        const state = generateState({
+            displayMode: this.config.displayMode || "iframe",
+            framework: this.config.framework || "vanillajs",
+            sdkVersion: getVersion(),
+        });
+        this.logger.info("🔄 Generated logout state for OAuth provider", {
+            generatedState: state,
+            displayMode: this.config.displayMode,
+        });
+        // Ensure clientId is available for OAuth logout
+        if (!this.config.clientId) {
+            throw new Error("ClientId is required for OAuth logout flow");
+        }
+        // Generate OAuth logout URL
+        const logoutUrl = await generateOauthLogoutUrl({
+            clientId: this.config.clientId,
+            redirectUrl: this.config.logoutRedirectUrl,
+            idToken: tokens.id_token,
+            state: state,
+            oauthServer: this.config.oauthServerBaseUrl,
+        });
+        this.logger.info("🔗 Generated logout URL", {
+            logoutUrl: logoutUrl.toString(),
+        });
+        // Clear local tokens and session completely
+        await this.sessionManager.clearSession(false);
+        // Emit logout complete event before iframe request
+        this.events.emit(AuthEvent.SIGN_OUT_COMPLETE, {
+            detail: "Logout successful",
+        });
+        // Use hidden iframe instead of redirect to avoid full page reload in SPA mode
+        this.loadLogoutInIframe(logoutUrl);
+    }
+    /**
+     * Logout for server integration mode where tokens are in HttpOnly cookies.
+     *
+     * Uses PARALLEL calls to clearsession and logout endpoints:
+     * - Both requests are sent simultaneously while cookies are still present
+     * - clearsession returns quickly and clears HttpOnly cookies via response
+     * - logout iframe takes longer but had cookies when request was made
+     *
+     * This ensures cookies are cleared fast (preventing race conditions if user refreshes)
+     * while still performing OAuth provider logout.
+     */
+    async backendTriggeredLogout() {
+        this.logger.info("🚪 Using backend-triggered logout (server integration mode)");
+        const backendUrl = new URL(this.loginUrl).origin;
+        const endpoints = getBackendEndpoints(this.config.backendEndpoints);
+        // Generate state for iframe mode detection
+        const state = generateState({
+            displayMode: this.config.displayMode || "iframe",
+            framework: this.config.framework || "vanillajs",
+            sdkVersion: getVersion(),
+        });
+        // Build URLs for both parallel calls
+        const clearSessionUrl = new URL(resolveEndpointUrl(backendUrl, endpoints.clearSession));
+        const logoutUrl = new URL(resolveEndpointUrl(backendUrl, endpoints.logout));
+        logoutUrl.searchParams.set("state", state);
+        this.logger.info("🔄 Starting parallel logout: clearsession + logout iframe", {
+            clearSessionUrl: clearSessionUrl.toString(),
+            logoutUrl: logoutUrl.toString(),
+        });
+        // Start logout iframe (non-blocking, will load in parallel with clearsession)
+        // Both requests are initiated while cookies are still present in the browser
+        this.loadLogoutInIframe(logoutUrl);
+        // Start clearsession fetch (fast, clears HttpOnly cookies via response)
+        try {
+            const response = await fetch(clearSessionUrl.toString(), {
+                method: "POST",
+                credentials: "include",
+            });
+            if (!response.ok) {
+                this.logger.warn("⚠️ Clearsession returned non-OK status", {
+                    status: response.status,
+                });
+            }
+            else {
+                this.logger.info("✅ Server cookies cleared successfully");
+            }
+        }
+        catch (error) {
+            // Don't block logout if clearsession fails
+            this.logger.warn("⚠️ Clearsession failed, proceeding with local cleanup", {
+                error,
+            });
+        }
+        // Clear browser-accessible storage (non-HttpOnly cookies, localStorage)
+        this.logger.info("🧹 Clearing browser storage");
+        await clearTokens(this.storage);
+        await clearUser(this.storage);
+        await this.sessionManager.clearSession();
+        // User is now effectively logged out
+        this.events.emit(AuthEvent.SIGN_OUT_COMPLETE, {
+            detail: "Session cleared",
+        });
+        // Note: Logout iframe continues loading in background for OAuth provider cleanup
+    }
     /**
      * Load logout URL in a hidden iframe to avoid full page reload
      * @param logoutUrl The URL to load in the iframe