@djangocfg/api 2.1.455 → 2.1.456

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (87) hide show
  1. package/dist/auth.cjs +2654 -2920
  2. package/dist/auth.cjs.map +1 -1
  3. package/dist/auth.d.cts +18 -82
  4. package/dist/auth.d.ts +18 -82
  5. package/dist/auth.mjs +385 -2861
  6. package/dist/auth.mjs.map +1 -1
  7. package/dist/chunk-2G67QRNU.mjs +2096 -0
  8. package/dist/chunk-2G67QRNU.mjs.map +1 -0
  9. package/dist/chunk-32SRQGAC.mjs +2109 -0
  10. package/dist/chunk-32SRQGAC.mjs.map +1 -0
  11. package/dist/chunk-4BPRCONN.mjs +2098 -0
  12. package/dist/chunk-4BPRCONN.mjs.map +1 -0
  13. package/dist/chunk-5UZ2Z323.mjs +2021 -0
  14. package/dist/chunk-5UZ2Z323.mjs.map +1 -0
  15. package/dist/chunk-7KFTJXNM.mjs +2097 -0
  16. package/dist/chunk-7KFTJXNM.mjs.map +1 -0
  17. package/dist/chunk-BK4K5CVT.mjs +2019 -0
  18. package/dist/chunk-BK4K5CVT.mjs.map +1 -0
  19. package/dist/chunk-JLPJZ6WB.mjs +2020 -0
  20. package/dist/chunk-JLPJZ6WB.mjs.map +1 -0
  21. package/dist/chunk-TVU6PYJH.mjs +2032 -0
  22. package/dist/chunk-TVU6PYJH.mjs.map +1 -0
  23. package/dist/clients.cjs +2210 -1847
  24. package/dist/clients.cjs.map +1 -1
  25. package/dist/clients.d.cts +23 -0
  26. package/dist/clients.d.ts +23 -0
  27. package/dist/clients.mjs +14 -1845
  28. package/dist/clients.mjs.map +1 -1
  29. package/dist/hooks.cjs +1776 -962
  30. package/dist/hooks.cjs.map +1 -1
  31. package/dist/hooks.mjs +4 -1375
  32. package/dist/hooks.mjs.map +1 -1
  33. package/dist/index.cjs +2245 -1877
  34. package/dist/index.cjs.map +1 -1
  35. package/dist/index.d.cts +81 -4
  36. package/dist/index.d.ts +81 -4
  37. package/dist/index.mjs +20 -1860
  38. package/dist/index.mjs.map +1 -1
  39. package/dist/sdk.gen-2SQOPTWJ.mjs +26 -0
  40. package/dist/sdk.gen-2SQOPTWJ.mjs.map +1 -0
  41. package/dist/sdk.gen-HSGK4C5S.mjs +26 -0
  42. package/dist/sdk.gen-HSGK4C5S.mjs.map +1 -0
  43. package/dist/sdk.gen-NUK2VGHO.mjs +25 -0
  44. package/dist/sdk.gen-NUK2VGHO.mjs.map +1 -0
  45. package/dist/sdk.gen-O4KAQUZB.mjs +26 -0
  46. package/dist/sdk.gen-O4KAQUZB.mjs.map +1 -0
  47. package/dist/sdk.gen-PPAVSBNT.mjs +26 -0
  48. package/dist/sdk.gen-PPAVSBNT.mjs.map +1 -0
  49. package/dist/sdk.gen-XLHLOCJ2.mjs +25 -0
  50. package/dist/sdk.gen-XLHLOCJ2.mjs.map +1 -0
  51. package/dist/sdk.gen-ZOE6NQAL.mjs +26 -0
  52. package/dist/sdk.gen-ZOE6NQAL.mjs.map +1 -0
  53. package/dist/sdk.gen-ZT7LGJVO.mjs +26 -0
  54. package/dist/sdk.gen-ZT7LGJVO.mjs.map +1 -0
  55. package/package.json +2 -2
  56. package/src/_api/generated/_cfg_accounts/hooks/index.ts +1 -0
  57. package/src/_api/generated/_cfg_accounts/hooks/useCfgAccountsTokenBlacklistCreate.ts +28 -0
  58. package/src/_api/generated/_cfg_accounts/openapi.json +99 -0
  59. package/src/_api/generated/_cfg_accounts/schemas/TokenBlacklistRequest.ts +11 -0
  60. package/src/_api/generated/_cfg_accounts/schemas/index.ts +1 -0
  61. package/src/_api/generated/_cfg_centrifugo/openapi.json +9 -0
  62. package/src/_api/generated/_cfg_totp/openapi.json +33 -0
  63. package/src/_api/generated/helpers/auth.ts +276 -31
  64. package/src/_api/generated/openapi.json +129 -0
  65. package/src/_api/generated/sdk.gen.ts +94 -16
  66. package/src/_api/generated/types.gen.ts +18 -0
  67. package/src/auth/__tests__/guard.test.ts +0 -31
  68. package/src/auth/constants.ts +6 -0
  69. package/src/auth/context/AccountsContext.tsx +14 -24
  70. package/src/auth/context/AuthContext.tsx +226 -609
  71. package/src/auth/hooks/index.ts +3 -4
  72. package/src/auth/hooks/useGithubAuth.ts +3 -3
  73. package/src/auth/hooks/useSession.ts +22 -0
  74. package/src/auth/hooks/useTwoFactor.ts +4 -4
  75. package/src/auth/middlewares/index.ts +5 -6
  76. package/src/auth/utils/guard.ts +0 -22
  77. package/src/auth/utils/index.ts +0 -2
  78. package/src/_api/generated/_cfg_accounts/events.ts +0 -198
  79. package/src/_api/generated/_cfg_centrifugo/events.ts +0 -198
  80. package/src/_api/generated/_cfg_totp/events.ts +0 -198
  81. package/src/auth/__tests__/jwt.test.ts +0 -119
  82. package/src/auth/__tests__/sessionBootstrap.test.ts +0 -111
  83. package/src/auth/__tests__/useTokenRefresh.dom.test.tsx +0 -167
  84. package/src/auth/hooks/useAuthGuard.ts +0 -35
  85. package/src/auth/hooks/useTokenRefresh.ts +0 -131
  86. package/src/auth/refreshHandler.ts +0 -79
  87. package/src/auth/utils/jwt.ts +0 -66
package/dist/auth.d.cts CHANGED
@@ -15,6 +15,18 @@ declare const AUTH_CONSTANTS: {
15
15
  /** Backup code max length. */
16
16
  readonly BACKUP_CODE_MAX_LENGTH: 12;
17
17
  };
18
+ /** Default route for the sign-in page. Override per app via AuthConfig.routes. */
19
+ declare const DEFAULT_AUTH_PATH = "/auth";
20
+ /** Default post-login destination. Override per app via AuthConfig.routes. */
21
+ declare const DEFAULT_CALLBACK_PATH = "/dashboard";
22
+
23
+ type SessionStatus = 'authenticated' | 'anonymous';
24
+ type SessionSnapshot = {
25
+ /** 'authenticated' = a live access token OR a live refresh token exists. */
26
+ status: SessionStatus;
27
+ /** ms-epoch expiry of the current access token (null: no token / no exp). */
28
+ accessExpiresAt: number | null;
29
+ };
18
30
 
19
31
  /**
20
32
  * Nested serializer for Centrifugo WebSocket connection token.
@@ -146,10 +158,6 @@ type PatchedCfgUserUpdateRequest = {
146
158
  */
147
159
  timezone?: string;
148
160
  };
149
- type TokenRefresh = {
150
- readonly access: string;
151
- refresh: string;
152
- };
153
161
  /**
154
162
  * Serializer for user details.
155
163
  */
@@ -488,15 +496,14 @@ declare const AuthContext: React$1.Context<AuthContextType>;
488
496
  * AuthProvider — wraps AccountsProvider + AuthProviderInternal.
489
497
  *
490
498
  * Memoised: re-renders only when `config` reference or `children` change.
491
- * Internal auth state is isolated inside AuthProviderInternal.
492
499
  */
493
500
  declare function AuthProviderRaw({ children, config, enabled }: AuthProviderProps): react_jsx_runtime.JSX.Element;
494
501
  declare const AuthProvider: React$1.MemoExoticComponent<typeof AuthProviderRaw>;
495
502
  /**
496
- * Hook to access auth context
503
+ * Hook to access auth context.
497
504
  *
498
- * SSR-safe: Returns default unauthenticated state when called outside AuthProvider
499
- * (e.g., during static page generation or server-side rendering)
505
+ * SSR-safe: returns default unauthenticated state when called outside
506
+ * AuthProvider (e.g. during static page generation).
500
507
  */
501
508
  declare const useAuth: () => AuthContextType;
502
509
 
@@ -523,7 +530,6 @@ interface AccountsContextValue {
523
530
  }) => Promise<User | undefined>;
524
531
  requestOTP: (data: OtpRequestRequest) => Promise<OtpRequestResponse>;
525
532
  verifyOTP: (data: OtpVerifyRequest) => Promise<OtpVerifyResponse>;
526
- refreshToken: (refresh: string) => Promise<TokenRefresh>;
527
533
  logout: () => void;
528
534
  }
529
535
  interface AccountsProviderProps {
@@ -532,6 +538,8 @@ interface AccountsProviderProps {
532
538
  declare function AccountsProvider({ children }: AccountsProviderProps): react_jsx_runtime.JSX.Element;
533
539
  declare function useAccountsContext(): AccountsContextValue;
534
540
 
541
+ declare function useSession(): SessionSnapshot;
542
+
535
543
  /**
536
544
  * Universal Router Hook with BasePath Support
537
545
  *
@@ -851,18 +859,6 @@ declare const useAuthRedirectManager: (options?: AuthRedirectOptions) => {
851
859
  useAndClearRedirect: () => string;
852
860
  };
853
861
 
854
- interface UseAuthGuardOptions {
855
- redirectTo?: string;
856
- requireAuth?: boolean;
857
- /** Whether to save current URL for redirect after auth (default: true) */
858
- saveRedirectUrl?: boolean;
859
- }
860
- declare const useAuthGuard: (options?: UseAuthGuardOptions) => {
861
- isAuthenticated: boolean;
862
- isLoading: boolean;
863
- isRedirecting: boolean;
864
- };
865
-
866
862
  /**
867
863
  * Simple sessionStorage hook with better error handling
868
864
  * @param key - Storage key
@@ -943,24 +939,6 @@ declare function getCacheMetadata(): {
943
939
  expiresIn?: number;
944
940
  } | null;
945
941
 
946
- interface UseTokenRefreshOptions {
947
- /** Enable automatic token refresh (default: true) */
948
- enabled?: boolean;
949
- /** Callback when token is refreshed */
950
- onRefresh?: (newToken: string) => void;
951
- /** Callback when refresh fails */
952
- onRefreshError?: (error: Error) => void;
953
- }
954
- /**
955
- * Hook for proactive automatic token refresh.
956
- * (JWT expiry helpers live in ../utils/jwt so they can be unit-tested and
957
- * reused by the auth-bootstrap validation path.)
958
- */
959
- declare function useTokenRefresh(options?: UseTokenRefreshOptions): {
960
- refreshToken: () => Promise<boolean>;
961
- checkAndRefresh: () => Promise<void>;
962
- };
963
-
964
942
  interface DeleteAccountResult {
965
943
  success: boolean;
966
944
  message: string;
@@ -1044,48 +1022,6 @@ declare function resolveGuardIsLoading(s: GuardInput): boolean;
1044
1022
  declare function shouldRedirectToAuth(s: GuardInput): boolean;
1045
1023
  /** The effective authenticated flag the guard exposes to consumers. */
1046
1024
  declare function resolveGuardIsAuthenticated(s: Pick<GuardInput, 'requireAuth' | 'isAuthenticated'>): boolean;
1047
- /**
1048
- * Delay (ms from `now`) until `isAuthenticated` should next be re-evaluated,
1049
- * given the access/refresh expiry timestamps (ms epoch, or null if absent).
1050
- *
1051
- * `isAuthenticated` is derived from token `exp`, so it can change with no event
1052
- * to trigger a recompute — a tab left open silently crosses an expiry boundary.
1053
- * We schedule a wake-up at the SOONEST future expiry (the next moment the answer
1054
- * could flip), plus a 1s cushion so we re-check strictly after the inclusive
1055
- * boundary. Returns null when nothing live remains to expire (no timer needed).
1056
- * Callers should clamp the result to the platform setTimeout ceiling.
1057
- */
1058
- declare function nextAuthEvaluationDelay(accessExp: number | null, refreshExp: number | null, now: number): number | null;
1059
-
1060
- /**
1061
- * JWT inspection helpers (browser-safe, dependency-free).
1062
- *
1063
- * These decode ONLY the `exp` claim to reason about token freshness on the
1064
- * client. They do NOT verify the signature — that is the server's job. The
1065
- * point is purely to avoid firing doomed requests with a token we can already
1066
- * see is malformed or expired, and to let auth bootstrap collapse a dead
1067
- * session to the login form instead of hanging on a preloader.
1068
- *
1069
- * A JWT that cannot be decoded is treated as EXPIRED/invalid (fail-closed):
1070
- * better to re-authenticate than to loop on 401s with garbage in storage.
1071
- */
1072
- /**
1073
- * Extract the `exp` claim (epoch ms), or null if the token is undecodable or
1074
- * has no numeric `exp`.
1075
- */
1076
- declare function getTokenExpiry(token: string | null | undefined): number | null;
1077
- /**
1078
- * True when the token is missing, malformed, or already past its `exp`.
1079
- * `skewMs` treats a token expiring within the skew window as already expired
1080
- * (default 0). Fail-closed: an undecodable token is considered expired.
1081
- */
1082
- declare function isTokenExpired(token: string | null | undefined, skewMs?: number, now?: number): boolean;
1083
- /**
1084
- * True when a valid token exists but expires within `thresholdMs` (used by the
1085
- * proactive refresher). A missing/undecodable token returns false here — that
1086
- * case is handled by the "expired" path, not the "expiring soon" path.
1087
- */
1088
- declare function isTokenExpiringSoon(token: string | null | undefined, thresholdMs: number, now?: number): boolean;
1089
1025
 
1090
1026
  /**
1091
1027
  * Path normalization for auth routing.
@@ -1156,4 +1092,4 @@ declare const Analytics: {
1156
1092
  setUser(userId: string): void;
1157
1093
  };
1158
1094
 
1159
- export { AUTH_CONSTANTS, type AccountsContextValue, AccountsProvider, Analytics, AnalyticsCategory, type AnalyticsCategoryType, AnalyticsEvent, type AnalyticsEventType, type AuthConfig, AuthContext, type AuthContextType, type AuthFormAutoSubmit, type AuthFormReturn, type AuthFormState, type AuthFormStateHandlers, type AuthFormSubmitHandlers, type AuthFormValidation, AuthProvider, type AuthProviderProps, type AuthStep, type DeleteAccountResult, type GuardInput, type OTPRequestResult, type PatchedCfgUserUpdateRequest, PatchedCfgUserUpdateRequestSchema, type ProfileCacheOptions, type TwoFactorDevice, type TwoFactorSetupData, type UseAuthFormOptions, type UseAuthFormStateReturn, type UseAutoAuthOptions, type UseDeleteAccountReturn, type UseGithubAuthOptions, type UseGithubAuthReturn, type UseTwoFactorOptions, type UseTwoFactorReturn, type UseTwoFactorSetupOptions, type UseTwoFactorSetupReturn, type UseTwoFactorStatusReturn, type UserProfile, type WebmailLink, authLogger, clearProfileCache, decodeBase64, encodeBase64, formatAuthError, getCacheMetadata, getCachedProfile, getTokenExpiry, hasValidCache, isAllowedAuthPath, isTokenExpired, isTokenExpiringSoon, logger, nextAuthEvaluationDelay, normalizePath, resolveGuardIsAuthenticated, resolveGuardIsLoading, setCachedProfile, shouldRedirectToAuth, useAccountsContext, useAuth, useAuthForm, useAuthFormState, useAuthGuard, useAuthRedirectManager, useAuthValidation, useAutoAuth, useBase64, useCfgRouter, useDeleteAccount, useGithubAuth, useLocalStorage, useQueryParams, useSessionStorage, useTokenRefresh, useTwoFactor, useTwoFactorSetup, useTwoFactorStatus, validateEmail, validateIdentifier };
1095
+ export { AUTH_CONSTANTS, type AccountsContextValue, AccountsProvider, Analytics, AnalyticsCategory, type AnalyticsCategoryType, AnalyticsEvent, type AnalyticsEventType, type AuthConfig, AuthContext, type AuthContextType, type AuthFormAutoSubmit, type AuthFormReturn, type AuthFormState, type AuthFormStateHandlers, type AuthFormSubmitHandlers, type AuthFormValidation, AuthProvider, type AuthProviderProps, type AuthStep, DEFAULT_AUTH_PATH, DEFAULT_CALLBACK_PATH, type DeleteAccountResult, type GuardInput, type OTPRequestResult, type PatchedCfgUserUpdateRequest, PatchedCfgUserUpdateRequestSchema, type ProfileCacheOptions, type SessionSnapshot, type SessionStatus, type TwoFactorDevice, type TwoFactorSetupData, type UseAuthFormOptions, type UseAuthFormStateReturn, type UseAutoAuthOptions, type UseDeleteAccountReturn, type UseGithubAuthOptions, type UseGithubAuthReturn, type UseTwoFactorOptions, type UseTwoFactorReturn, type UseTwoFactorSetupOptions, type UseTwoFactorSetupReturn, type UseTwoFactorStatusReturn, type UserProfile, type WebmailLink, authLogger, clearProfileCache, decodeBase64, encodeBase64, formatAuthError, getCacheMetadata, getCachedProfile, hasValidCache, isAllowedAuthPath, logger, normalizePath, resolveGuardIsAuthenticated, resolveGuardIsLoading, setCachedProfile, shouldRedirectToAuth, useAccountsContext, useAuth, useAuthForm, useAuthFormState, useAuthRedirectManager, useAuthValidation, useAutoAuth, useBase64, useCfgRouter, useDeleteAccount, useGithubAuth, useLocalStorage, useQueryParams, useSession, useSessionStorage, useTwoFactor, useTwoFactorSetup, useTwoFactorStatus, validateEmail, validateIdentifier };
package/dist/auth.d.ts CHANGED
@@ -15,6 +15,18 @@ declare const AUTH_CONSTANTS: {
15
15
  /** Backup code max length. */
16
16
  readonly BACKUP_CODE_MAX_LENGTH: 12;
17
17
  };
18
+ /** Default route for the sign-in page. Override per app via AuthConfig.routes. */
19
+ declare const DEFAULT_AUTH_PATH = "/auth";
20
+ /** Default post-login destination. Override per app via AuthConfig.routes. */
21
+ declare const DEFAULT_CALLBACK_PATH = "/dashboard";
22
+
23
+ type SessionStatus = 'authenticated' | 'anonymous';
24
+ type SessionSnapshot = {
25
+ /** 'authenticated' = a live access token OR a live refresh token exists. */
26
+ status: SessionStatus;
27
+ /** ms-epoch expiry of the current access token (null: no token / no exp). */
28
+ accessExpiresAt: number | null;
29
+ };
18
30
 
19
31
  /**
20
32
  * Nested serializer for Centrifugo WebSocket connection token.
@@ -146,10 +158,6 @@ type PatchedCfgUserUpdateRequest = {
146
158
  */
147
159
  timezone?: string;
148
160
  };
149
- type TokenRefresh = {
150
- readonly access: string;
151
- refresh: string;
152
- };
153
161
  /**
154
162
  * Serializer for user details.
155
163
  */
@@ -488,15 +496,14 @@ declare const AuthContext: React$1.Context<AuthContextType>;
488
496
  * AuthProvider — wraps AccountsProvider + AuthProviderInternal.
489
497
  *
490
498
  * Memoised: re-renders only when `config` reference or `children` change.
491
- * Internal auth state is isolated inside AuthProviderInternal.
492
499
  */
493
500
  declare function AuthProviderRaw({ children, config, enabled }: AuthProviderProps): react_jsx_runtime.JSX.Element;
494
501
  declare const AuthProvider: React$1.MemoExoticComponent<typeof AuthProviderRaw>;
495
502
  /**
496
- * Hook to access auth context
503
+ * Hook to access auth context.
497
504
  *
498
- * SSR-safe: Returns default unauthenticated state when called outside AuthProvider
499
- * (e.g., during static page generation or server-side rendering)
505
+ * SSR-safe: returns default unauthenticated state when called outside
506
+ * AuthProvider (e.g. during static page generation).
500
507
  */
501
508
  declare const useAuth: () => AuthContextType;
502
509
 
@@ -523,7 +530,6 @@ interface AccountsContextValue {
523
530
  }) => Promise<User | undefined>;
524
531
  requestOTP: (data: OtpRequestRequest) => Promise<OtpRequestResponse>;
525
532
  verifyOTP: (data: OtpVerifyRequest) => Promise<OtpVerifyResponse>;
526
- refreshToken: (refresh: string) => Promise<TokenRefresh>;
527
533
  logout: () => void;
528
534
  }
529
535
  interface AccountsProviderProps {
@@ -532,6 +538,8 @@ interface AccountsProviderProps {
532
538
  declare function AccountsProvider({ children }: AccountsProviderProps): react_jsx_runtime.JSX.Element;
533
539
  declare function useAccountsContext(): AccountsContextValue;
534
540
 
541
+ declare function useSession(): SessionSnapshot;
542
+
535
543
  /**
536
544
  * Universal Router Hook with BasePath Support
537
545
  *
@@ -851,18 +859,6 @@ declare const useAuthRedirectManager: (options?: AuthRedirectOptions) => {
851
859
  useAndClearRedirect: () => string;
852
860
  };
853
861
 
854
- interface UseAuthGuardOptions {
855
- redirectTo?: string;
856
- requireAuth?: boolean;
857
- /** Whether to save current URL for redirect after auth (default: true) */
858
- saveRedirectUrl?: boolean;
859
- }
860
- declare const useAuthGuard: (options?: UseAuthGuardOptions) => {
861
- isAuthenticated: boolean;
862
- isLoading: boolean;
863
- isRedirecting: boolean;
864
- };
865
-
866
862
  /**
867
863
  * Simple sessionStorage hook with better error handling
868
864
  * @param key - Storage key
@@ -943,24 +939,6 @@ declare function getCacheMetadata(): {
943
939
  expiresIn?: number;
944
940
  } | null;
945
941
 
946
- interface UseTokenRefreshOptions {
947
- /** Enable automatic token refresh (default: true) */
948
- enabled?: boolean;
949
- /** Callback when token is refreshed */
950
- onRefresh?: (newToken: string) => void;
951
- /** Callback when refresh fails */
952
- onRefreshError?: (error: Error) => void;
953
- }
954
- /**
955
- * Hook for proactive automatic token refresh.
956
- * (JWT expiry helpers live in ../utils/jwt so they can be unit-tested and
957
- * reused by the auth-bootstrap validation path.)
958
- */
959
- declare function useTokenRefresh(options?: UseTokenRefreshOptions): {
960
- refreshToken: () => Promise<boolean>;
961
- checkAndRefresh: () => Promise<void>;
962
- };
963
-
964
942
  interface DeleteAccountResult {
965
943
  success: boolean;
966
944
  message: string;
@@ -1044,48 +1022,6 @@ declare function resolveGuardIsLoading(s: GuardInput): boolean;
1044
1022
  declare function shouldRedirectToAuth(s: GuardInput): boolean;
1045
1023
  /** The effective authenticated flag the guard exposes to consumers. */
1046
1024
  declare function resolveGuardIsAuthenticated(s: Pick<GuardInput, 'requireAuth' | 'isAuthenticated'>): boolean;
1047
- /**
1048
- * Delay (ms from `now`) until `isAuthenticated` should next be re-evaluated,
1049
- * given the access/refresh expiry timestamps (ms epoch, or null if absent).
1050
- *
1051
- * `isAuthenticated` is derived from token `exp`, so it can change with no event
1052
- * to trigger a recompute — a tab left open silently crosses an expiry boundary.
1053
- * We schedule a wake-up at the SOONEST future expiry (the next moment the answer
1054
- * could flip), plus a 1s cushion so we re-check strictly after the inclusive
1055
- * boundary. Returns null when nothing live remains to expire (no timer needed).
1056
- * Callers should clamp the result to the platform setTimeout ceiling.
1057
- */
1058
- declare function nextAuthEvaluationDelay(accessExp: number | null, refreshExp: number | null, now: number): number | null;
1059
-
1060
- /**
1061
- * JWT inspection helpers (browser-safe, dependency-free).
1062
- *
1063
- * These decode ONLY the `exp` claim to reason about token freshness on the
1064
- * client. They do NOT verify the signature — that is the server's job. The
1065
- * point is purely to avoid firing doomed requests with a token we can already
1066
- * see is malformed or expired, and to let auth bootstrap collapse a dead
1067
- * session to the login form instead of hanging on a preloader.
1068
- *
1069
- * A JWT that cannot be decoded is treated as EXPIRED/invalid (fail-closed):
1070
- * better to re-authenticate than to loop on 401s with garbage in storage.
1071
- */
1072
- /**
1073
- * Extract the `exp` claim (epoch ms), or null if the token is undecodable or
1074
- * has no numeric `exp`.
1075
- */
1076
- declare function getTokenExpiry(token: string | null | undefined): number | null;
1077
- /**
1078
- * True when the token is missing, malformed, or already past its `exp`.
1079
- * `skewMs` treats a token expiring within the skew window as already expired
1080
- * (default 0). Fail-closed: an undecodable token is considered expired.
1081
- */
1082
- declare function isTokenExpired(token: string | null | undefined, skewMs?: number, now?: number): boolean;
1083
- /**
1084
- * True when a valid token exists but expires within `thresholdMs` (used by the
1085
- * proactive refresher). A missing/undecodable token returns false here — that
1086
- * case is handled by the "expired" path, not the "expiring soon" path.
1087
- */
1088
- declare function isTokenExpiringSoon(token: string | null | undefined, thresholdMs: number, now?: number): boolean;
1089
1025
 
1090
1026
  /**
1091
1027
  * Path normalization for auth routing.
@@ -1156,4 +1092,4 @@ declare const Analytics: {
1156
1092
  setUser(userId: string): void;
1157
1093
  };
1158
1094
 
1159
- export { AUTH_CONSTANTS, type AccountsContextValue, AccountsProvider, Analytics, AnalyticsCategory, type AnalyticsCategoryType, AnalyticsEvent, type AnalyticsEventType, type AuthConfig, AuthContext, type AuthContextType, type AuthFormAutoSubmit, type AuthFormReturn, type AuthFormState, type AuthFormStateHandlers, type AuthFormSubmitHandlers, type AuthFormValidation, AuthProvider, type AuthProviderProps, type AuthStep, type DeleteAccountResult, type GuardInput, type OTPRequestResult, type PatchedCfgUserUpdateRequest, PatchedCfgUserUpdateRequestSchema, type ProfileCacheOptions, type TwoFactorDevice, type TwoFactorSetupData, type UseAuthFormOptions, type UseAuthFormStateReturn, type UseAutoAuthOptions, type UseDeleteAccountReturn, type UseGithubAuthOptions, type UseGithubAuthReturn, type UseTwoFactorOptions, type UseTwoFactorReturn, type UseTwoFactorSetupOptions, type UseTwoFactorSetupReturn, type UseTwoFactorStatusReturn, type UserProfile, type WebmailLink, authLogger, clearProfileCache, decodeBase64, encodeBase64, formatAuthError, getCacheMetadata, getCachedProfile, getTokenExpiry, hasValidCache, isAllowedAuthPath, isTokenExpired, isTokenExpiringSoon, logger, nextAuthEvaluationDelay, normalizePath, resolveGuardIsAuthenticated, resolveGuardIsLoading, setCachedProfile, shouldRedirectToAuth, useAccountsContext, useAuth, useAuthForm, useAuthFormState, useAuthGuard, useAuthRedirectManager, useAuthValidation, useAutoAuth, useBase64, useCfgRouter, useDeleteAccount, useGithubAuth, useLocalStorage, useQueryParams, useSessionStorage, useTokenRefresh, useTwoFactor, useTwoFactorSetup, useTwoFactorStatus, validateEmail, validateIdentifier };
1095
+ export { AUTH_CONSTANTS, type AccountsContextValue, AccountsProvider, Analytics, AnalyticsCategory, type AnalyticsCategoryType, AnalyticsEvent, type AnalyticsEventType, type AuthConfig, AuthContext, type AuthContextType, type AuthFormAutoSubmit, type AuthFormReturn, type AuthFormState, type AuthFormStateHandlers, type AuthFormSubmitHandlers, type AuthFormValidation, AuthProvider, type AuthProviderProps, type AuthStep, DEFAULT_AUTH_PATH, DEFAULT_CALLBACK_PATH, type DeleteAccountResult, type GuardInput, type OTPRequestResult, type PatchedCfgUserUpdateRequest, PatchedCfgUserUpdateRequestSchema, type ProfileCacheOptions, type SessionSnapshot, type SessionStatus, type TwoFactorDevice, type TwoFactorSetupData, type UseAuthFormOptions, type UseAuthFormStateReturn, type UseAutoAuthOptions, type UseDeleteAccountReturn, type UseGithubAuthOptions, type UseGithubAuthReturn, type UseTwoFactorOptions, type UseTwoFactorReturn, type UseTwoFactorSetupOptions, type UseTwoFactorSetupReturn, type UseTwoFactorStatusReturn, type UserProfile, type WebmailLink, authLogger, clearProfileCache, decodeBase64, encodeBase64, formatAuthError, getCacheMetadata, getCachedProfile, hasValidCache, isAllowedAuthPath, logger, normalizePath, resolveGuardIsAuthenticated, resolveGuardIsLoading, setCachedProfile, shouldRedirectToAuth, useAccountsContext, useAuth, useAuthForm, useAuthFormState, useAuthRedirectManager, useAuthValidation, useAutoAuth, useBase64, useCfgRouter, useDeleteAccount, useGithubAuth, useLocalStorage, useQueryParams, useSession, useSessionStorage, useTwoFactor, useTwoFactorSetup, useTwoFactorStatus, validateEmail, validateIdentifier };