@crossauth/frontend 0.0.2

package/dist/oauth/autorefresher.d.ts

@@ -0,0 +1,44 @@
+import { CrossauthError } from '@crossauth/common';
+import { OAuthTokenProvider } from './tokenprovider.ts';
+
+/**
+ * Used by {@link OAuthClient} and {@link OAuthBsffClient} to automatically
+ * refresh access and ID tokens
+ */
+export declare class OAuthAutoRefresher {
+    private autoRefreshUrl;
+    protected csrfHeader: string;
+    protected headers: {
+        [key: string]: string;
+    };
+    private autoRefreshActive;
+    protected mode: "no-cors" | "cors" | "same-origin";
+    protected credentials: "include" | "omit" | "same-origin";
+    protected tokenProvider: OAuthTokenProvider;
+    /**
+     * Constructor
+     *
+     * @param options
+     *   - `autoRefreshUrl` the URL to call to perform the refresh  Default is `/autorefresh`
+     *   - `csrfHeader` the header to put CSRF tokens into
+     *        (default `X-CROSSAUTH-CSRF`))
+     *   - `mode` overrides the default `mode` in fetch calls
+     *   - `credentials` - overrides the default `credentials` for fetch calls
+     *   - `headers` - adds headers to fetfh calls
+     *   - `tokenProvider` - class for fetching tokens and adding them to requests
+     */
+    constructor(options: {
+        autoRefreshUrl: string;
+        csrfHeader?: string;
+        credentials?: "include" | "omit" | "same-origin";
+        mode?: "no-cors" | "cors" | "same-origin";
+        headers?: {
+            [key: string]: any;
+        };
+        tokenProvider: OAuthTokenProvider;
+    });
+    startAutoRefresh(tokensToFetch?: ("access" | "id")[], errorFn?: (msg: string, e?: CrossauthError) => void): Promise<void>;
+    stopAutoRefresh(): void;
+    private scheduleAutoRefresh;
+    private autoRefresh;
+}

package/dist/oauth/bffclient.d.ts

@@ -0,0 +1,208 @@
+import { CrossauthError } from '@crossauth/common';
+
+/**
+ * A browser-side OAuth client designed with work with the
+ * backend-for-frontend (BFF) mode of the backend OAuth client.
+ *
+ * See {@link @crossauth/fastify!FastifyOAuthClient}.
+ */
+export declare class OAuthBffClient {
+    private bffPrefix;
+    private csrfHeader;
+    private enableCsrfProtection;
+    private headers;
+    private mode;
+    private credentials;
+    private autoRefresher;
+    private deviceCodePoller;
+    private getCsrfTokenUrl;
+    private autoRefreshUrl;
+    private tokensUrl;
+    /**
+     * Constructor
+     *
+     * @param options
+     *   - `bffPrefix` the base url for BFF calls to the OAuth client
+     *        (eg `bff`, which is the default)
+     *   - `csrfHeader` the header to put CSRF tokens into
+     *        (default `X-CROSSAUTH-CSRF`))
+     *   - `getCsrfTokenUrl` URL to use to fetch CSRF tokens.  Default is
+     *        `/api/getcsrftoken`
+     *   - `autoRefreshUrl` URL to use to refresh tokens.  Default is
+     *        `/api/refreshtokens`
+     *   - `tokensUrl` URL to use to fetch token payloads.  Default is
+     *        `/tokens`
+     *   - `deviceCodePollUrl` URL for polling for device code authorization.
+     *      Default is `/devicecodepoll`
+     *   - `mode` overrides the default `mode` in fetch calls
+     *   - `credentials` - overrides the default `credentials` for fetch calls
+     *   - `headers` - adds headers to fetfh calls
+     */
+    constructor(options?: {
+        bffPrefix?: string;
+        csrfHeader?: string;
+        credentials?: "include" | "omit" | "same-origin";
+        mode?: "no-cors" | "cors" | "same-origin";
+        headers?: {
+            [key: string]: any;
+        };
+        enableCsrfProtection?: boolean;
+        getCsrfTokenUrl?: string;
+        autoRefreshUrl?: string;
+        tokensUrl?: string;
+        deviceCodePollUrl?: string;
+    });
+    /**
+     * Gets a CSRF token from the server
+     * @returns the CSRF token that can be included in
+     *          the `X-CROSSAUTH-CSRF` header
+     */
+    getCsrfToken(): Promise<string | undefined>;
+    /**
+     * Fetches the ID token from the client.
+     *
+     * This only returns something if the ID token was returned to the BFF
+     * client in a previous OAuth call.  Otherwise it returns an empty JSON.
+     *
+     * @param crfToken the CSRF token.  If emtpy, one will be fetched before
+     *        making the request
+     * @returns the ID token payload or an empty object if there isn't one
+     */
+    getIdToken(csrfToken?: string): Promise<{
+        [key: string]: any;
+    } | null>;
+    /**
+     * Returns whether or not there is an ID token stored in the BFF server
+     * for this client.
+     *
+     * @param crfToken the CSRF token.  If emtpy, one will be fetched before
+     *        making the request
+     * @returns true or false
+     */
+    haveIdToken(csrfToken?: string): Promise<boolean>;
+    /**
+     * Fetches the access token from the client.
+     *
+     * This only returns something if the access token was returned to the BFF
+     * client in a previous OAuth call.  Otherwise it returns an empty JSON.
+     *
+     * @param crfToken the CSRF token.  If emtpy, one will be fetched before
+     *        making the request
+     * @param headers any additional headers to add (will be added to
+     *         the ones given with {@link OAuthBffClient.addHeader} )
+     * @returns the access token payload or an empty object if there isn't one
+     */
+    getAccessToken(csrfToken?: string): Promise<{
+        [key: string]: any;
+    } | null>;
+    /**
+     * Returns whether or not there is an access token stored in the BFF server
+     * for this client.
+     *
+     * @param crfToken the CSRF token.  If emtpy, one will be fetched before
+     *        making the request
+     * @returns true or false
+     */
+    haveAccessToken(csrfToken?: string): Promise<boolean>;
+    /**
+     * Fetches the refresh token from the client.
+     *
+     * This only returns something if the refresh token was returned to the BFF
+     * client in a previous OAuth call.  Otherwise it returns an empty JSON.
+     *
+     * @param crfToken the CSRF token.  If emtpy, one will be fetched before
+     *        making the request
+     * @returns the refresh token payload or an empty object if there isn't one
+     */
+    getRefreshToken(csrfToken?: string): Promise<{
+        [key: string]: any;
+    } | null>;
+    /**
+     * Returns whether or not there is a refresh token stored in the BFF server
+     * for this client.
+     *
+     * @param crfToken the CSRF token.  If emtpy, one will be fetched before
+     *        making the request
+     * @returns true or false
+     */
+    haveRefreshToken(csrfToken?: string): Promise<boolean>;
+    /**
+     * Calls an API endpoint via the BFF server
+     * @param method the HTTP method
+     * @param endpoint the endpoint to call, relative to `bffPrefix`
+     * @param body : the body to pass to the call
+     * @param csrfToken : the CSRF token
+     * @returns the HTTP status code and the body or null
+     */
+    api(method: "GET" | "POST" | "PUT" | "PATCH" | "OPTIONS" | "HEAD" | "DELETE", endpoint: string, body?: {
+        [key: string]: any;
+    }, csrfToken?: string): Promise<{
+        status: number;
+        body: {
+            [key: string]: any;
+        } | null;
+    }>;
+    /**
+     * Return all tokens that the client has been enabled to return.
+     *
+     * @param csrfToken the CSRF token if one is needed
+     * @returns an object with the following (whichever are enabled at the client)
+     *   - `id_token`
+     *   - `access_token`
+     *   - `refresh_token`
+     *   - `have_id_token`
+     *   - `have_access_token`
+     *   - `have_refresh_token`
+     */
+    getTokens(csrfToken?: string): Promise<{
+        [key: string]: any;
+    } | null>;
+    /**
+     * Turns auto refresh of tokens on
+     * @param tokensToFetch which tokens to fetch
+     * @param errorFn what to call in case of error
+     */
+    startAutoRefresh(tokensToFetch?: ("access" | "id")[], errorFn?: (msg: string, e?: CrossauthError) => void): Promise<void>;
+    /**
+     * Turns auto refresh of tokens off
+     */
+    stopAutoRefresh(): void;
+    /**
+     * Turns polling for a device code
+     * @param tokensToFetch which tokens to fetch
+     * @param errorFn what to call in case of error
+     */
+    startDeviceCodePolling(deviceCode: string, pollResultFn: (status: ("complete" | "completeAndRedirect" | "authorization_pending" | "expired_token" | "error"), error?: string, location?: string) => void, interval?: number): Promise<void>;
+    /**
+     * Turns off polling for a device code
+     */
+    stopDeviceCodePolling(): void;
+    /**
+     * Fetches the expiry times for each token.
+     * @param crfToken the CSRF token.  If emtpy
+     * , one will be fetched before
+     *        making the request
+     * @returns for each token, either the expiry, `null` if it does not
+     *          expire, or `undefined` if the token does not exist
+     */
+    getTokenExpiries(tokensToFetch: ("access" | "id" | "refresh")[], csrfToken?: string): Promise<{
+        id: number | null | undefined;
+        access: number | null | undefined;
+        refresh: number | null | undefined;
+    }>;
+    /**
+     * Makes a fetch, adding in the requested token
+     * @param url the URL to fetch
+     * @param params parameters to add to the fetch
+     * @param token which token to add
+     * @returns parsed JSON response
+     */
+    jsonFetchWithToken(url: string, params: {
+        [key: string]: any;
+    }, _token: "access" | "refresh"): Promise<Response>;
+    receiveTokens(_tokens: {
+        access_token?: string | null;
+        id_token?: string | null;
+        refresh_token?: string | null;
+    }): Promise<void>;
+}

package/dist/oauth/client.d.ts

@@ -0,0 +1,271 @@
+import { OAuthClientBase, CrossauthError, OAuthTokenResponse, OAuthDeviceAuthorizationResponse } from '@crossauth/common';
+import { OAuthTokenConsumer } from './tokenconsumer';
+
+/**
+ * This is the type for a function that is called when an OAuth endpoint
+ * returns the `error` field.
+ */
+export type ErrorFn = (client: OAuthClient, error: string, errorDescription?: string) => Promise<any>;
+/**
+ * If this URL was called with an OAuth authorize response, the `token`
+ * endpoint will be called and, if successful, passed to this function.
+ */
+export type ReceiveTokenFn = (client: OAuthClient, response: OAuthTokenResponse) => Promise<any>;
+export type TokenResponseType = "memory" | "localStorage" | "sessionStorage";
+export declare class OAuthClient extends OAuthClientBase {
+    #private;
+    private resServerBaseUrl;
+    private resServerHeaders;
+    private resServerMode;
+    private resServerCredentials;
+    private accessTokenResponseType?;
+    private refreshTokenResponseType?;
+    private idTokenResponseType?;
+    private accessTokenName;
+    private refreshTokenName;
+    private idTokenName;
+    get idTokenPayload(): {
+        [key: string]: any;
+    } | undefined;
+    private autoRefresher;
+    private deviceCodePoller;
+    private deviceAuthorizationUrl;
+    /**
+     * Constructor
+     *
+     * @param options
+     *   - `authServerBaseUrl` the base url the authorization server.
+     *      For example, the authorize endpoint would be
+     *      `authServerBaseUrl + "authorize"`.
+     *       Required: no default
+     *   - `resServerBaseUrl` the base url the resource server.
+     *      For example, Relative URLs to the resource server are relative
+     *      to this.  If you always give absolute URLs, this is optional.
+     *      If you don't give it and you do make relative URLs, it will be
+     *      relative to the page you are on.  Default: empty string.
+     *   - `redirect_uri` a URL on the site serving this app which the
+     *      authorization server will redirect to with an authorization
+     *      code.  See description in class documentation.
+     *      This is not required if you are not using OAuth flows
+     *      which require a redirect URI (eg the password flow).
+     *   - `accessTokenResponseType` where to store access tokens.  See
+     *     class documentation.  Default `return`.
+     *   - `refreshTokenResponseType` where to store refresh tokens.  See
+     *     class documentation.  Default `return`.
+     *   - `idTokenResponseType` where to store id tokens.  See
+     *     class documentation.  Default `return`.
+     *   - `accessTokenName` name for access token in local or session
+     *     storage, depending on `accessTokenResponseType`
+     *   - `refreshTokenName` name for refresh token in local or session
+     *     storage, depending on `refreshTokenResponseType`
+     *   - `idTokenName` name for id token in local or session
+     *     storage, depending on `idTokenResponseType`
+     *   - `mresServerMode` overrides the default `mode` in fetch calls
+     *   - `resServerCredentials` - overrides the default `credentials` for fetch calls
+     *   - `resServerHeaders` - adds headers to fetfh calls
+     *   - `autoRefresh` - if set and tokens are present in local or session storage,
+     *      automatically turn on auto refresh
+     *   - `deviceAuthorization` URL, relative to the authorization server base,
+     *      for starting the device code flow.  Default `device_authorization`
+     *      Default is `/devicecodepoll`
+     *  For other options see {@link @crossauth/common/OAuthClientBase}.
+     */
+    constructor(options: {
+        authServerBaseUrl: string;
+        stateLength?: number;
+        verifierLength?: number;
+        client_id: string;
+        client_secret?: string;
+        redirect_uri?: string;
+        codeChallengeMethod?: "plain" | "S256";
+        tokenConsumer: OAuthTokenConsumer;
+        resServerBaseUrl?: string;
+        accessTokenResponseType?: TokenResponseType;
+        refreshTokenResponseType?: TokenResponseType;
+        idTokenResponseType?: TokenResponseType;
+        accessTokenName?: string;
+        refreshTokenName?: string;
+        idTokenName?: string;
+        resServerCredentials?: "include" | "omit" | "same-origin";
+        resServerMode?: "no-cors" | "cors" | "same-origin";
+        resServerHeaders?: {
+            [key: string]: any;
+        };
+        autoRefresh?: ("access" | "id")[];
+        deviceAuthorizationUrl?: string;
+    });
+    /**
+     * Processes the query parameters for a Redirect URI request if they
+     * exist in the URL.
+     *
+     * Call this on page load to see if it was called as redirect URI.
+     *
+     * If this URL doesn't match the redirect URI passed in the constructor,
+     * or this URL was not called with OAuth Redirect URI query parameters,
+     * undefined is returned.
+     *
+     * If this URL contains the error query parameter, `errorFn` is called.
+     * It is also called if the state does not match.
+     *
+     * If an authorization code was in the query parameters, the token
+     * endpoint is called.  Depending on whether that returned an error,
+     * either `receiveTokenFn` or `errorFn` will be called.
+     *
+     * @param receiveTokenFn if defined, called if a token is returned.
+     *
+     * @param errorFn if defined, called if any OAuth endpoint returned `error`,
+     *        or if the `state` was not correct.
+     *
+     * @returns the result of `receiveTokenFn`, `errorFn` or `undefined`.  If
+     *          `receiveTokenFn`/`errorFn` is not defined, rather than calling
+     *          it, this function just returns the OAuth response.
+     *
+     */
+    handleRedirectUri(): Promise<any | undefined>;
+    /**
+     * Turns auto refresh of tokens on
+     * @param tokensToFetch which tokens to fetch
+     * @param errorFn what to call in case of error
+     */
+    startAutoRefresh(tokensToFetch?: ("access" | "id")[], errorFn?: (msg: string, e?: CrossauthError) => void): Promise<void>;
+    /**
+     * Turns auto refresh of tokens off
+     */
+    stopAutoRefresh(): void;
+    /**
+     * Turns polling for a device code
+     * @param tokensToFetch which tokens to fetch
+     * @param errorFn what to call in case of error
+     */
+    startDeviceCodePolling(deviceCode: string, pollResultFn: (status: ("complete" | "completeAndRedirect" | "authorization_pending" | "expired_token" | "error"), error?: string, location?: string) => void, interval?: number): Promise<void>;
+    /**
+     * Turns off polling for a device code
+     */
+    stopDeviceCodePolling(): void;
+    /**
+     * Return the ID token payload
+     *
+     * This does the same thign as {@link idTokenPayload}.  We have it here
+     * as well for consistency with {@link OAuthBffClient}.
+     *
+     * @returns the payload as an object
+     */
+    getIdToken(): {
+        [key: string]: any;
+    } | undefined;
+    /**
+     * Produce a random Base64-url-encoded string, whose length before
+     * base64-url-encoding is the given length,
+     * @param length the length of the random array before base64-url-encoding.
+     * @returns the random value as a Base64-url-encoded srting
+     */
+    protected randomValue(length: number): string;
+    /**
+     * SHA256 and Base64-url-encodes the given test
+     * @param plaintext the text to encode
+     * @returns the SHA256 hash, Base64-url-encode
+     */
+    protected sha256(plaintext: string): Promise<string>;
+    /**
+     * Calls an API endpoint on the resource server
+     * @param method the HTTP method
+     * @param endpoint the endpoint to call, relative to `resServerBaseUrl`
+     * @param body : the body to pass to the call
+     * @returns the HTTP status code and the body or null
+     */
+    api(method: "GET" | "POST" | "PUT" | "PATCH" | "OPTIONS" | "HEAD" | "DELETE", endpoint: string, body?: {
+        [key: string]: any;
+    }): Promise<{
+        status: number;
+        body: {
+            [key: string]: any;
+        } | null;
+    }>;
+    /**
+     * Fetches the expiry times for each token.
+     * @param crfToken the CSRF token.  If emtpy
+     * , one will be fetched before
+     *        making the request
+     * @returns for each token, either the expiry, `null` if it does not
+     *          expire, or `undefined` if the token does not exist
+     */
+    getTokenExpiries(_tokensToFetch: ("access" | "id" | "refresh")[], _csrfToken?: string): Promise<{
+        id: number | null | undefined;
+        access: number | null | undefined;
+        refresh: number | null | undefined;
+    }>;
+    /**
+     * Makes a fetch, adding in the requested token.
+     *
+     * Also adds client ID and secret if they are defined.
+     *
+     * @param url the URL to fetch
+     * @param params parameters to add to the fetch
+     * @param token which token to add
+     * @returns parsed JSON response
+     */
+    jsonFetchWithToken(url: string, params: {
+        [key: string]: any;
+    }, token: "access" | "refresh"): Promise<Response>;
+    /**
+     * Does nothing as CSRF tokens are not needed for this class
+     * @returns `undefined`
+     */
+    getCsrfToken(): Promise<undefined>;
+    receiveTokens(tokens: {
+        access_token?: string | null;
+        id_token?: string | null;
+        refresh_token?: string | null;
+    }): Promise<void>;
+    /**
+     * See {@link @crossuath/common!OAuthClientBase}.  Calls the base function
+     * then saves the tokens, as per the requested method
+     * @param scope
+     */
+    clientCredentialsFlow(scope?: string): Promise<OAuthTokenResponse>;
+    /**
+     * See {@link @crossuath/common!OAuthClientBase}.  Calls the base function
+     * then saves the tokens, as per the requested method
+     * @param scope
+     */
+    passwordFlow(username: string, password: string, scope?: string): Promise<OAuthTokenResponse>;
+    /**
+     * See {@link @crossuath/common!OAuthClientBase}.  Calls the base function
+     * then saves the tokens, as per the requested method
+     * @param scope
+     */
+    deviceCodeFlow(scope?: string): Promise<OAuthDeviceAuthorizationResponse>;
+    /**
+     * See {@link @crossuath/common!OAuthClientBase}.  Calls the base function
+     * then saves the tokens, as per the requested method
+     * @param scope
+     */
+    mfaOtpComplete(mfaToken: string, otp: string): Promise<{
+        access_token?: string;
+        refresh_token?: string;
+        id_token?: string;
+        expires_in?: number;
+        scope?: string;
+        token_type?: string;
+        error?: string;
+        error_description?: string;
+    }>;
+    /**
+     * See {@link @crossuath/common!OAuthClientBase}.  Calls the base function
+     * then saves the tokens, as per the requested method
+     * @param scope
+     */
+    mfaOobComplete(mfaToken: string, oobCode: string, bindingCode: string): Promise<OAuthTokenResponse>;
+    /**
+     * See {@link @crossuath/common!OAuthClientBase}.  Calls the base function
+     * then saves the tokens, as per the requested method
+     * @param scope
+     */
+    refreshTokenFlow(refreshToken?: string): Promise<OAuthTokenResponse>;
+    /**
+     * Executes the authorization code flow
+     * @param scope the scope to request
+     * @param pkce whether or not to use PKCE.
+     */
+    authorizationCodeFlow(scope?: string, pkce?: boolean): Promise<void>;
+}

package/dist/oauth/devicecodepoller.d.ts

@@ -0,0 +1,38 @@
+import { OAuthClientBase } from '@crossauth/common';
+
+/**
+ * Used by {@link OAuthClient} and {@link OAuthBsffClient} to poll for
+ * authorization in the device code flow
+ */
+export declare class OAuthDeviceCodePoller {
+    private deviceCodePollUrl;
+    protected headers: {
+        [key: string]: string;
+    };
+    private pollingActive;
+    protected mode: "no-cors" | "cors" | "same-origin";
+    protected credentials: "include" | "omit" | "same-origin";
+    protected respectRedirect: boolean;
+    protected oauthClient?: OAuthClientBase;
+    /**
+     * Constructor
+     *
+     * @param options
+     *   - `deviceCodePollUrl` the URL to call to poll for authorization.  Default `/devicecodepoll`
+     *   - `mode` overrides the default `mode` in fetch calls
+     *   - `credentials` - overrides the default `credentials` for fetch calls
+     *   - `headers` - adds headers to fetfh calls
+     */
+    constructor(options: {
+        deviceCodePollUrl?: string | null;
+        credentials?: "include" | "omit" | "same-origin";
+        mode?: "no-cors" | "cors" | "same-origin";
+        headers?: {
+            [key: string]: any;
+        };
+        oauthClient?: OAuthClientBase;
+    });
+    startPolling(deviceCode: string, pollResultFn: (status: ("complete" | "completeAndRedirect" | "authorization_pending" | "expired_token" | "error"), error?: string, location?: string) => void, interval?: number): Promise<void>;
+    stopPolling(): void;
+    private poll;
+}

package/dist/oauth/tokenconsumer.d.ts

@@ -0,0 +1,10 @@
+import { OAuthTokenConsumerBase } from '@crossauth/common';
+
+export declare class OAuthTokenConsumer extends OAuthTokenConsumerBase {
+    /**
+     * SHA256 and Base64-url-encodes the given test
+     * @param plaintext the text to encode
+     * @returns the SHA256 hash, Base64-url-encode
+     */
+    hash(plaintext: string): Promise<string>;
+}

package/dist/oauth/tokenprovider.d.ts

@@ -0,0 +1,39 @@
+/**
+ * USed by {@link OAuthAutoRefresher} to get tokens from the client
+ */
+export declare abstract class OAuthTokenProvider {
+    /**
+     * Gets a CSRF token from the server
+     * @returns the CSRF token that can be included in
+     *          the `X-CROSSAUTH-CSRF` header
+     */
+    getCsrfToken(): Promise<string | undefined>;
+    /**
+     * Fetches the expiry times for each token.
+     * @param crfToken the CSRF token.  If emtpy
+     * , one will be fetched before
+     *        making the request
+     * @returns for each token, either the expiry, `null` if it does not
+     *          expire, or `undefined` if the token does not exist
+     */
+    abstract getTokenExpiries(tokensToFetch: ("access" | "id" | "refresh")[], csrfToken?: string): Promise<{
+        id: number | null | undefined;
+        access: number | null | undefined;
+        refresh: number | null | undefined;
+    }>;
+    /**
+     * Makes a fetch, adding in the requested token
+     * @param url the URL to fetch
+     * @param params parameters to add to the fetch
+     * @param token which token to add.  Ignored as this client doesn't add tokens
+     * @returns parsed JSON response
+     */
+    abstract jsonFetchWithToken(url: string, params: {
+        [key: string]: any;
+    }, token: "access" | "refresh"): Promise<Response>;
+    abstract receiveTokens(tokens: {
+        access_token?: string | null;
+        id_token?: string | null;
+        refresh_token?: string | null;
+    }): Promise<void>;
+}

package/package.json

@@ -0,0 +1,34 @@
+{
+  "name": "@crossauth/frontend",
+  "private": false,
+  "version": "0.0.2",
+  "type": "module",
+  "main": "./dist/index.cjs",
+  "module": "./dist/index.js",
+  "typings": "./dist/index.d.ts",
+  "types": "./dist/index.d.ts",
+  "files": [
+    "dist/*"
+  ],
+  "devDependencies": {
+    "@types/node": "^20.10.8",
+    "@types/supertest": "^6.0.2",
+    "typedoc": "^0.25.4",
+    "typescript": "^5.3.3",
+    "vite": "^5.0.8",
+    "vite-plugin-dts": "^3.6.4",
+    "vitest": "^1.1.0"
+  },
+  "dependencies": {
+    "@esbuild-plugins/node-modules-polyfill": "^0.2.2",
+    "@crossauth/common": "^0.0.2"
+  },
+  "scripts": {
+    "dev": "vite",
+    "build": "vite build --emptyOutDir=false",
+    "preview": "vite preview",
+    "test": "echo 'No tests defined'",
+    "testonce": "echo 'No tests defined'",
+    "doc": "typedoc"
+  }
+}