@djangocfg/api 2.1.427 → 2.1.429

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (41) hide show
  1. package/README.md +56 -0
  2. package/dist/auth-server.cjs +248 -32
  3. package/dist/auth-server.cjs.map +1 -1
  4. package/dist/auth-server.mjs +248 -32
  5. package/dist/auth-server.mjs.map +1 -1
  6. package/dist/auth.cjs +271 -29
  7. package/dist/auth.cjs.map +1 -1
  8. package/dist/auth.mjs +271 -29
  9. package/dist/auth.mjs.map +1 -1
  10. package/dist/clients.cjs +222 -25
  11. package/dist/clients.cjs.map +1 -1
  12. package/dist/clients.d.cts +35 -28
  13. package/dist/clients.d.ts +35 -28
  14. package/dist/clients.mjs +222 -25
  15. package/dist/clients.mjs.map +1 -1
  16. package/dist/hooks.cjs +117 -4
  17. package/dist/hooks.cjs.map +1 -1
  18. package/dist/hooks.mjs +117 -4
  19. package/dist/hooks.mjs.map +1 -1
  20. package/dist/index.cjs +277 -26
  21. package/dist/index.cjs.map +1 -1
  22. package/dist/index.d.cts +98 -29
  23. package/dist/index.d.ts +98 -29
  24. package/dist/index.mjs +277 -26
  25. package/dist/index.mjs.map +1 -1
  26. package/package.json +2 -2
  27. package/src/_api/generated/client/index.ts +1 -0
  28. package/src/_api/generated/client/utils.gen.ts +2 -2
  29. package/src/_api/generated/client.gen.ts +2 -2
  30. package/src/_api/generated/core/auth.gen.ts +7 -0
  31. package/src/_api/generated/core/params.gen.ts +10 -8
  32. package/src/_api/generated/core/pathSerializer.gen.ts +6 -6
  33. package/src/_api/generated/core/queryKeySerializer.gen.ts +1 -1
  34. package/src/_api/generated/core/utils.gen.ts +4 -4
  35. package/src/_api/generated/helpers/auth.ts +127 -1
  36. package/src/_api/generated/sdk.gen.ts +149 -53
  37. package/src/auth/context/AuthContext.tsx +8 -0
  38. package/src/auth/utils/env.ts +18 -0
  39. package/src/auth/utils/logger.ts +11 -4
  40. package/src/index.ts +12 -0
  41. package/src/log-control.ts +81 -0
package/README.md CHANGED
@@ -78,6 +78,62 @@ import {
78
78
  } from '@djangocfg/api/auth';
79
79
  ```
80
80
 
81
+ ## Token storage & DPoP
82
+
83
+ The token lives in the shared `auth` store (localStorage by default, switchable
84
+ to cookie):
85
+
86
+ ```typescript
87
+ import { auth } from '@djangocfg/api';
88
+
89
+ auth.getToken(); // current access token
90
+ auth.setStorageMode('cookie'); // SSR-readable cookie instead of localStorage
91
+ ```
92
+
93
+ ### DPoP (RFC 9449) — sender-constrained tokens
94
+
95
+ When enabled, the generated client holds a **non-extractable** P-256 key
96
+ (IndexedDB) and attaches a fresh `DPoP` proof to every request, so a stolen
97
+ token can't be replayed. No BFF/proxy required.
98
+
99
+ ```typescript
100
+ import { dpopEnabled } from '@djangocfg/api';
101
+ // true when NEXT_PUBLIC_DPOP_ENABLED==='true'
102
+ // (set it via createBaseNextConfig({ dpop: true }) in @djangocfg/nextjs)
103
+ ```
104
+
105
+ Backend pairing: `JWTConfig(dpop_enabled=True)`. Full guide:
106
+ `@djangocfg/nextjs/@docs/DPOP.md`. The token is still readable via
107
+ `auth.getToken()` — DPoP protects by *binding* to the key, not by hiding the token.
108
+
109
+ ## Logging — role-aware verbosity
110
+
111
+ All `@djangocfg/*` consola loggers read one global runtime level so the console
112
+ is clean for end users and verbose for admins/devs — like big SaaS apps.
113
+
114
+ ```typescript
115
+ import { applyRoleLogPolicy, setLogLevel } from '@djangocfg/api';
116
+
117
+ // Usually automatic: AuthProvider calls this on login/logout.
118
+ // admin (is_staff/is_superuser) or dev → debug; prod regular user → errors only.
119
+ applyRoleLogPolicy({ isAdmin: user?.is_staff || user?.is_superuser });
120
+
121
+ // Manual override (0 silent · 1 error · 2 warn · 3 info · 4 debug · 5 trace):
122
+ setLogLevel(0);
123
+ ```
124
+
125
+ Errors still flow to `@djangocfg/monitor` regardless of console level, so prod
126
+ incidents stay diagnosable.
127
+
128
+ ## Env flags
129
+
130
+ `@djangocfg/api` is the lowest shared package, so env flags live here (single
131
+ source of truth):
132
+
133
+ ```typescript
134
+ import { isDev, isProd, isBrowser, isStaticBuild, dpopEnabled } from '@djangocfg/api';
135
+ ```
136
+
81
137
  ## Type Namespaces
82
138
 
83
139
  ```typescript
@@ -342,6 +342,99 @@ async function tryRefresh() {
342
342
  return _refreshInflight;
343
343
  }
344
344
  __name(tryRefresh, "tryRefresh");
345
+ function dpopEnabled() {
346
+ try {
347
+ return typeof process !== "undefined" && process.env?.NEXT_PUBLIC_DPOP_ENABLED === "true";
348
+ } catch {
349
+ return false;
350
+ }
351
+ }
352
+ __name(dpopEnabled, "dpopEnabled");
353
+ var _DPOP_DB = "cfg-auth";
354
+ var _DPOP_STORE = "keys";
355
+ var _DPOP_KEY_ID = "dpop-ec-p256";
356
+ function _idbOpen() {
357
+ return new Promise((resolve, reject) => {
358
+ const req = indexedDB.open(_DPOP_DB, 1);
359
+ req.onupgradeneeded = () => req.result.createObjectStore(_DPOP_STORE);
360
+ req.onsuccess = () => resolve(req.result);
361
+ req.onerror = () => reject(req.error);
362
+ });
363
+ }
364
+ __name(_idbOpen, "_idbOpen");
365
+ function _idbGet(key) {
366
+ return _idbOpen().then((db) => new Promise((resolve, reject) => {
367
+ const tx = db.transaction(_DPOP_STORE, "readonly");
368
+ const req = tx.objectStore(_DPOP_STORE).get(key);
369
+ req.onsuccess = () => resolve(req.result);
370
+ req.onerror = () => reject(req.error);
371
+ }));
372
+ }
373
+ __name(_idbGet, "_idbGet");
374
+ function _idbPut(key, value) {
375
+ return _idbOpen().then((db) => new Promise((resolve, reject) => {
376
+ const tx = db.transaction(_DPOP_STORE, "readwrite");
377
+ tx.objectStore(_DPOP_STORE).put(value, key);
378
+ tx.oncomplete = () => resolve();
379
+ tx.onerror = () => reject(tx.error);
380
+ }));
381
+ }
382
+ __name(_idbPut, "_idbPut");
383
+ var _dpopKeyPromise = null;
384
+ function _getDpopKeyPair() {
385
+ if (_dpopKeyPromise) return _dpopKeyPromise;
386
+ _dpopKeyPromise = (async () => {
387
+ const existing = await _idbGet(_DPOP_KEY_ID).catch(() => void 0);
388
+ if (existing) return existing;
389
+ const pair = await crypto.subtle.generateKey(
390
+ { name: "ECDSA", namedCurve: "P-256" },
391
+ false,
392
+ // extractable:false — JS can sign but never export the private key
393
+ ["sign"]
394
+ );
395
+ await _idbPut(_DPOP_KEY_ID, pair).catch(() => {
396
+ });
397
+ return pair;
398
+ })();
399
+ return _dpopKeyPromise;
400
+ }
401
+ __name(_getDpopKeyPair, "_getDpopKeyPair");
402
+ function _b64urlFromBytes(bytes) {
403
+ const arr = bytes instanceof Uint8Array ? bytes : new Uint8Array(bytes);
404
+ let s = "";
405
+ for (let i = 0; i < arr.length; i++) s += String.fromCharCode(arr[i]);
406
+ return btoa(s).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
407
+ }
408
+ __name(_b64urlFromBytes, "_b64urlFromBytes");
409
+ function _b64urlFromString(str) {
410
+ return _b64urlFromBytes(new TextEncoder().encode(str));
411
+ }
412
+ __name(_b64urlFromString, "_b64urlFromString");
413
+ async function _publicJwk(pub) {
414
+ const jwk = await crypto.subtle.exportKey("jwk", pub);
415
+ return { kty: "EC", crv: "P-256", x: jwk.x, y: jwk.y };
416
+ }
417
+ __name(_publicJwk, "_publicJwk");
418
+ async function _makeDpopProof(method, url) {
419
+ try {
420
+ const pair = await _getDpopKeyPair();
421
+ const jwk = await _publicJwk(pair.publicKey);
422
+ const header = { typ: "dpop+jwt", alg: "ES256", jwk };
423
+ const htu = url.split("#")[0].split("?")[0];
424
+ const jti = crypto.randomUUID && crypto.randomUUID() || _b64urlFromBytes(crypto.getRandomValues(new Uint8Array(16)));
425
+ const payload = { htm: method.toUpperCase(), htu, iat: Math.floor(Date.now() / 1e3), jti };
426
+ const signingInput = `${_b64urlFromString(JSON.stringify(header))}.${_b64urlFromString(JSON.stringify(payload))}`;
427
+ const sig = await crypto.subtle.sign(
428
+ { name: "ECDSA", hash: "SHA-256" },
429
+ pair.privateKey,
430
+ new TextEncoder().encode(signingInput)
431
+ );
432
+ return `${signingInput}.${_b64urlFromBytes(sig)}`;
433
+ } catch {
434
+ return null;
435
+ }
436
+ }
437
+ __name(_makeDpopProof, "_makeDpopProof");
345
438
  function installAuthOnClient(client2) {
346
439
  if (_client) return;
347
440
  _client = client2;
@@ -349,7 +442,7 @@ function installAuthOnClient(client2) {
349
442
  baseUrl: auth.getBaseUrl(),
350
443
  credentials: _withCredentials ? "include" : "same-origin"
351
444
  });
352
- client2.interceptors.request.use((request) => {
445
+ client2.interceptors.request.use(async (request) => {
353
446
  const token = auth.getToken();
354
447
  if (token) request.headers.set("Authorization", `Bearer ${token}`);
355
448
  const locale = auth.getLocale();
@@ -362,6 +455,10 @@ function installAuthOnClient(client2) {
362
455
  } catch {
363
456
  }
364
457
  request.headers.set("X-Client-Time", (/* @__PURE__ */ new Date()).toISOString());
458
+ if (dpopEnabled() && typeof window !== "undefined") {
459
+ const proof = await _makeDpopProof(request.method, request.url);
460
+ if (proof) request.headers.set("DPoP", proof);
461
+ }
365
462
  return request;
366
463
  });
367
464
  client2.interceptors.error.use((err, res, req) => {
@@ -395,6 +492,10 @@ function installAuthOnClient(client2) {
395
492
  const retry = request.clone();
396
493
  retry.headers.set("Authorization", `Bearer ${newToken}`);
397
494
  retry.headers.set(RETRY_MARKER, "1");
495
+ if (dpopEnabled() && typeof window !== "undefined") {
496
+ const proof = await _makeDpopProof(retry.method, retry.url);
497
+ if (proof) retry.headers.set("DPoP", proof);
498
+ }
398
499
  try {
399
500
  const retried = await fetch(retry);
400
501
  if (retried.status === 401 && _onUnauthorized) {
@@ -1344,7 +1445,11 @@ var CfgAccountsApiKey = class {
1344
1445
  static cfgAccountsApiKeyRetrieve(options) {
1345
1446
  return (options?.client ?? client).get({
1346
1447
  security: [
1347
- { scheme: "bearer", type: "http" },
1448
+ {
1449
+ key: "jwtAuth",
1450
+ scheme: "bearer",
1451
+ type: "http"
1452
+ },
1348
1453
  {
1349
1454
  in: "cookie",
1350
1455
  name: "sessionid",
@@ -1364,7 +1469,11 @@ var CfgAccountsApiKey = class {
1364
1469
  static cfgAccountsApiKeyRegenerateCreate(options) {
1365
1470
  return (options.client ?? client).post({
1366
1471
  security: [
1367
- { scheme: "bearer", type: "http" },
1472
+ {
1473
+ key: "jwtAuth",
1474
+ scheme: "bearer",
1475
+ type: "http"
1476
+ },
1368
1477
  {
1369
1478
  in: "cookie",
1370
1479
  name: "sessionid",
@@ -1388,7 +1497,11 @@ var CfgAccountsApiKey = class {
1388
1497
  static cfgAccountsApiKeyTestCreate(options) {
1389
1498
  return (options.client ?? client).post({
1390
1499
  security: [
1391
- { scheme: "bearer", type: "http" },
1500
+ {
1501
+ key: "jwtAuth",
1502
+ scheme: "bearer",
1503
+ type: "http"
1504
+ },
1392
1505
  {
1393
1506
  in: "cookie",
1394
1507
  name: "sessionid",
@@ -1416,7 +1529,11 @@ var CfgAccountsOauth = class {
1416
1529
  */
1417
1530
  static cfgAccountsOauthConnectionsList(options) {
1418
1531
  return (options?.client ?? client).get({
1419
- security: [{ name: "X-API-Key", type: "apiKey" }, { scheme: "bearer", type: "http" }],
1532
+ security: [{ name: "X-API-Key", type: "apiKey" }, {
1533
+ key: "jwtAuthWithLastLogin",
1534
+ scheme: "bearer",
1535
+ type: "http"
1536
+ }],
1420
1537
  url: "/cfg/accounts/oauth/connections/",
1421
1538
  ...options
1422
1539
  });
@@ -1428,7 +1545,11 @@ var CfgAccountsOauth = class {
1428
1545
  */
1429
1546
  static cfgAccountsOauthDisconnectCreate(options) {
1430
1547
  return (options.client ?? client).post({
1431
- security: [{ name: "X-API-Key", type: "apiKey" }, { scheme: "bearer", type: "http" }],
1548
+ security: [{ name: "X-API-Key", type: "apiKey" }, {
1549
+ key: "jwtAuthWithLastLogin",
1550
+ scheme: "bearer",
1551
+ type: "http"
1552
+ }],
1432
1553
  url: "/cfg/accounts/oauth/disconnect/",
1433
1554
  ...options,
1434
1555
  headers: {
@@ -1485,7 +1606,11 @@ var CfgAccounts = class {
1485
1606
  */
1486
1607
  static cfgAccountsOtpRequestCreate(options) {
1487
1608
  return (options.client ?? client).post({
1488
- security: [{ name: "X-API-Key", type: "apiKey" }, { scheme: "bearer", type: "http" }],
1609
+ security: [{ name: "X-API-Key", type: "apiKey" }, {
1610
+ key: "jwtAuthWithLastLogin",
1611
+ scheme: "bearer",
1612
+ type: "http"
1613
+ }],
1489
1614
  url: "/cfg/accounts/otp/request/",
1490
1615
  ...options,
1491
1616
  headers: {
@@ -1506,7 +1631,11 @@ var CfgAccounts = class {
1506
1631
  */
1507
1632
  static cfgAccountsOtpVerifyCreate(options) {
1508
1633
  return (options.client ?? client).post({
1509
- security: [{ name: "X-API-Key", type: "apiKey" }, { scheme: "bearer", type: "http" }],
1634
+ security: [{ name: "X-API-Key", type: "apiKey" }, {
1635
+ key: "jwtAuthWithLastLogin",
1636
+ scheme: "bearer",
1637
+ type: "http"
1638
+ }],
1510
1639
  url: "/cfg/accounts/otp/verify/",
1511
1640
  ...options,
1512
1641
  headers: {
@@ -1527,7 +1656,11 @@ var CfgAccountsProfile = class {
1527
1656
  */
1528
1657
  static cfgAccountsProfileRetrieve(options) {
1529
1658
  return (options?.client ?? client).get({
1530
- security: [{ scheme: "bearer", type: "http" }, {
1659
+ security: [{
1660
+ key: "jwtAuth",
1661
+ scheme: "bearer",
1662
+ type: "http"
1663
+ }, {
1531
1664
  in: "cookie",
1532
1665
  name: "sessionid",
1533
1666
  type: "apiKey"
@@ -1544,7 +1677,11 @@ var CfgAccountsProfile = class {
1544
1677
  static cfgAccountsProfileAvatarCreate(options) {
1545
1678
  return (options?.client ?? client).post({
1546
1679
  ...formDataBodySerializer,
1547
- security: [{ name: "X-API-Key", type: "apiKey" }, { scheme: "bearer", type: "http" }],
1680
+ security: [{ name: "X-API-Key", type: "apiKey" }, {
1681
+ key: "jwtAuthWithLastLogin",
1682
+ scheme: "bearer",
1683
+ type: "http"
1684
+ }],
1548
1685
  url: "/cfg/accounts/profile/avatar/",
1549
1686
  ...options,
1550
1687
  headers: {
@@ -1570,7 +1707,11 @@ var CfgAccountsProfile = class {
1570
1707
  */
1571
1708
  static cfgAccountsProfileDeleteCreate(options) {
1572
1709
  return (options?.client ?? client).post({
1573
- security: [{ scheme: "bearer", type: "http" }, {
1710
+ security: [{
1711
+ key: "jwtAuth",
1712
+ scheme: "bearer",
1713
+ type: "http"
1714
+ }, {
1574
1715
  in: "cookie",
1575
1716
  name: "sessionid",
1576
1717
  type: "apiKey"
@@ -1586,7 +1727,11 @@ var CfgAccountsProfile = class {
1586
1727
  */
1587
1728
  static cfgAccountsProfilePartialPartialUpdate(options) {
1588
1729
  return (options?.client ?? client).patch({
1589
- security: [{ scheme: "bearer", type: "http" }, {
1730
+ security: [{
1731
+ key: "jwtAuth",
1732
+ scheme: "bearer",
1733
+ type: "http"
1734
+ }, {
1590
1735
  in: "cookie",
1591
1736
  name: "sessionid",
1592
1737
  type: "apiKey"
@@ -1606,7 +1751,11 @@ var CfgAccountsProfile = class {
1606
1751
  */
1607
1752
  static cfgAccountsProfilePartialUpdate(options) {
1608
1753
  return (options?.client ?? client).put({
1609
- security: [{ scheme: "bearer", type: "http" }, {
1754
+ security: [{
1755
+ key: "jwtAuth",
1756
+ scheme: "bearer",
1757
+ type: "http"
1758
+ }, {
1610
1759
  in: "cookie",
1611
1760
  name: "sessionid",
1612
1761
  type: "apiKey"
@@ -1626,7 +1775,11 @@ var CfgAccountsProfile = class {
1626
1775
  */
1627
1776
  static cfgAccountsProfileUpdatePartialUpdate(options) {
1628
1777
  return (options?.client ?? client).patch({
1629
- security: [{ scheme: "bearer", type: "http" }, {
1778
+ security: [{
1779
+ key: "jwtAuth",
1780
+ scheme: "bearer",
1781
+ type: "http"
1782
+ }, {
1630
1783
  in: "cookie",
1631
1784
  name: "sessionid",
1632
1785
  type: "apiKey"
@@ -1646,7 +1799,11 @@ var CfgAccountsProfile = class {
1646
1799
  */
1647
1800
  static cfgAccountsProfileUpdateUpdate(options) {
1648
1801
  return (options?.client ?? client).put({
1649
- security: [{ scheme: "bearer", type: "http" }, {
1802
+ security: [{
1803
+ key: "jwtAuth",
1804
+ scheme: "bearer",
1805
+ type: "http"
1806
+ }, {
1650
1807
  in: "cookie",
1651
1808
  name: "sessionid",
1652
1809
  type: "apiKey"
@@ -1689,7 +1846,11 @@ var CfgCentrifugo = class {
1689
1846
  */
1690
1847
  static cfgCentrifugoAuthTokenRetrieve(options) {
1691
1848
  return (options?.client ?? client).get({
1692
- security: [{ name: "X-API-Key", type: "apiKey" }, { scheme: "bearer", type: "http" }],
1849
+ security: [{ name: "X-API-Key", type: "apiKey" }, {
1850
+ key: "jwtAuthWithLastLogin",
1851
+ scheme: "bearer",
1852
+ type: "http"
1853
+ }],
1693
1854
  url: "/cfg/centrifugo/auth/token/",
1694
1855
  ...options
1695
1856
  });
@@ -1704,7 +1865,11 @@ var CfgTotpBackupCodes = class {
1704
1865
  */
1705
1866
  static cfgTotpBackupCodesRetrieve(options) {
1706
1867
  return (options?.client ?? client).get({
1707
- security: [{ name: "X-API-Key", type: "apiKey" }, { scheme: "bearer", type: "http" }],
1868
+ security: [{ name: "X-API-Key", type: "apiKey" }, {
1869
+ key: "jwtAuthWithLastLogin",
1870
+ scheme: "bearer",
1871
+ type: "http"
1872
+ }],
1708
1873
  url: "/cfg/totp/backup-codes/",
1709
1874
  ...options
1710
1875
  });
@@ -1717,7 +1882,11 @@ var CfgTotpBackupCodes = class {
1717
1882
  */
1718
1883
  static cfgTotpBackupCodesRegenerateCreate(options) {
1719
1884
  return (options.client ?? client).post({
1720
- security: [{ name: "X-API-Key", type: "apiKey" }, { scheme: "bearer", type: "http" }],
1885
+ security: [{ name: "X-API-Key", type: "apiKey" }, {
1886
+ key: "jwtAuthWithLastLogin",
1887
+ scheme: "bearer",
1888
+ type: "http"
1889
+ }],
1721
1890
  url: "/cfg/totp/backup-codes/regenerate/",
1722
1891
  ...options,
1723
1892
  headers: {
@@ -1736,7 +1905,11 @@ var CfgTotp = class {
1736
1905
  */
1737
1906
  static cfgTotpDevicesRetrieve(options) {
1738
1907
  return (options?.client ?? client).get({
1739
- security: [{ name: "X-API-Key", type: "apiKey" }, { scheme: "bearer", type: "http" }],
1908
+ security: [{ name: "X-API-Key", type: "apiKey" }, {
1909
+ key: "jwtAuthWithLastLogin",
1910
+ scheme: "bearer",
1911
+ type: "http"
1912
+ }],
1740
1913
  url: "/cfg/totp/devices/",
1741
1914
  ...options
1742
1915
  });
@@ -1748,7 +1921,11 @@ var CfgTotp = class {
1748
1921
  */
1749
1922
  static cfgTotpDevicesDestroy(options) {
1750
1923
  return (options.client ?? client).delete({
1751
- security: [{ name: "X-API-Key", type: "apiKey" }, { scheme: "bearer", type: "http" }],
1924
+ security: [{ name: "X-API-Key", type: "apiKey" }, {
1925
+ key: "jwtAuthWithLastLogin",
1926
+ scheme: "bearer",
1927
+ type: "http"
1928
+ }],
1752
1929
  url: "/cfg/totp/devices/{id}/",
1753
1930
  ...options
1754
1931
  });
@@ -1760,7 +1937,11 @@ var CfgTotp = class {
1760
1937
  */
1761
1938
  static cfgTotpDisableCreate(options) {
1762
1939
  return (options.client ?? client).post({
1763
- security: [{ name: "X-API-Key", type: "apiKey" }, { scheme: "bearer", type: "http" }],
1940
+ security: [{ name: "X-API-Key", type: "apiKey" }, {
1941
+ key: "jwtAuthWithLastLogin",
1942
+ scheme: "bearer",
1943
+ type: "http"
1944
+ }],
1764
1945
  url: "/cfg/totp/disable/",
1765
1946
  ...options,
1766
1947
  headers: {
@@ -1781,7 +1962,11 @@ var CfgTotpSetup = class {
1781
1962
  */
1782
1963
  static cfgTotpSetupCreate(options) {
1783
1964
  return (options?.client ?? client).post({
1784
- security: [{ name: "X-API-Key", type: "apiKey" }, { scheme: "bearer", type: "http" }],
1965
+ security: [{ name: "X-API-Key", type: "apiKey" }, {
1966
+ key: "jwtAuthWithLastLogin",
1967
+ scheme: "bearer",
1968
+ type: "http"
1969
+ }],
1785
1970
  url: "/cfg/totp/setup/",
1786
1971
  ...options,
1787
1972
  headers: {
@@ -1797,7 +1982,11 @@ var CfgTotpSetup = class {
1797
1982
  */
1798
1983
  static cfgTotpSetupConfirmCreate(options) {
1799
1984
  return (options.client ?? client).post({
1800
- security: [{ name: "X-API-Key", type: "apiKey" }, { scheme: "bearer", type: "http" }],
1985
+ security: [{ name: "X-API-Key", type: "apiKey" }, {
1986
+ key: "jwtAuthWithLastLogin",
1987
+ scheme: "bearer",
1988
+ type: "http"
1989
+ }],
1801
1990
  url: "/cfg/totp/setup/confirm/",
1802
1991
  ...options,
1803
1992
  headers: {
@@ -1818,7 +2007,11 @@ var CfgTotpVerify = class {
1818
2007
  */
1819
2008
  static cfgTotpVerifyCreate(options) {
1820
2009
  return (options.client ?? client).post({
1821
- security: [{ name: "X-API-Key", type: "apiKey" }, { scheme: "bearer", type: "http" }],
2010
+ security: [{ name: "X-API-Key", type: "apiKey" }, {
2011
+ key: "jwtAuthWithLastLogin",
2012
+ scheme: "bearer",
2013
+ type: "http"
2014
+ }],
1822
2015
  url: "/cfg/totp/verify/",
1823
2016
  ...options,
1824
2017
  headers: {
@@ -1834,7 +2027,11 @@ var CfgTotpVerify = class {
1834
2027
  */
1835
2028
  static cfgTotpVerifyBackupCreate(options) {
1836
2029
  return (options.client ?? client).post({
1837
- security: [{ name: "X-API-Key", type: "apiKey" }, { scheme: "bearer", type: "http" }],
2030
+ security: [{ name: "X-API-Key", type: "apiKey" }, {
2031
+ key: "jwtAuthWithLastLogin",
2032
+ scheme: "bearer",
2033
+ type: "http"
2034
+ }],
1838
2035
  url: "/cfg/totp/verify/backup/",
1839
2036
  ...options,
1840
2037
  headers: {
@@ -2049,19 +2246,38 @@ var CfgAccountsApi = new API();
2049
2246
  var CfgCentrifugoApi = new API2();
2050
2247
  var CfgTotpApi = new API3();
2051
2248
 
2052
- // src/auth/utils/logger.ts
2053
- var import_consola2 = require("consola");
2054
-
2055
2249
  // src/auth/utils/env.ts
2056
2250
  var isDev = process.env.NODE_ENV === "development";
2251
+ var isStaticBuild = process.env.NEXT_PUBLIC_STATIC_BUILD === "true";
2252
+ var dpopEnabled2 = process.env.NEXT_PUBLIC_DPOP_ENABLED === "true";
2253
+
2254
+ // src/log-control.ts
2255
+ var verboseByDefault = isDev || isStaticBuild;
2256
+ var DEFAULT_LEVEL = verboseByDefault ? 4 : 1;
2257
+ var _level = DEFAULT_LEVEL;
2258
+ var _subscribers = /* @__PURE__ */ new Set();
2259
+ function getLogLevel() {
2260
+ return _level;
2261
+ }
2262
+ __name(getLogLevel, "getLogLevel");
2263
+ function onLogLevelChange(fn) {
2264
+ _subscribers.add(fn);
2265
+ try {
2266
+ fn(_level);
2267
+ } catch {
2268
+ }
2269
+ return () => _subscribers.delete(fn);
2270
+ }
2271
+ __name(onLogLevelChange, "onLogLevelChange");
2057
2272
 
2058
2273
  // src/auth/utils/logger.ts
2059
- var isStaticBuild = process.env.NEXT_PUBLIC_STATIC_BUILD === "true";
2060
- var showLogs = isDev || isStaticBuild;
2274
+ var import_consola2 = require("consola");
2061
2275
  var logger = (0, import_consola2.createConsola)({
2062
- level: showLogs ? 4 : 1
2063
- // dev: debug, production: errors only
2276
+ level: getLogLevel()
2064
2277
  }).withTag("api");
2278
+ onLogLevelChange((level) => {
2279
+ logger.level = level;
2280
+ });
2065
2281
  var authLogger = logger.withTag("auth");
2066
2282
 
2067
2283
  // src/auth/middlewares/tokenRefresh.ts