@djangocfg/api 2.1.455 → 2.1.456
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/auth.cjs +2654 -2920
- package/dist/auth.cjs.map +1 -1
- package/dist/auth.d.cts +18 -82
- package/dist/auth.d.ts +18 -82
- package/dist/auth.mjs +385 -2861
- package/dist/auth.mjs.map +1 -1
- package/dist/chunk-2G67QRNU.mjs +2096 -0
- package/dist/chunk-2G67QRNU.mjs.map +1 -0
- package/dist/chunk-32SRQGAC.mjs +2109 -0
- package/dist/chunk-32SRQGAC.mjs.map +1 -0
- package/dist/chunk-4BPRCONN.mjs +2098 -0
- package/dist/chunk-4BPRCONN.mjs.map +1 -0
- package/dist/chunk-5UZ2Z323.mjs +2021 -0
- package/dist/chunk-5UZ2Z323.mjs.map +1 -0
- package/dist/chunk-7KFTJXNM.mjs +2097 -0
- package/dist/chunk-7KFTJXNM.mjs.map +1 -0
- package/dist/chunk-BK4K5CVT.mjs +2019 -0
- package/dist/chunk-BK4K5CVT.mjs.map +1 -0
- package/dist/chunk-JLPJZ6WB.mjs +2020 -0
- package/dist/chunk-JLPJZ6WB.mjs.map +1 -0
- package/dist/chunk-TVU6PYJH.mjs +2032 -0
- package/dist/chunk-TVU6PYJH.mjs.map +1 -0
- package/dist/clients.cjs +2210 -1847
- package/dist/clients.cjs.map +1 -1
- package/dist/clients.d.cts +23 -0
- package/dist/clients.d.ts +23 -0
- package/dist/clients.mjs +14 -1845
- package/dist/clients.mjs.map +1 -1
- package/dist/hooks.cjs +1776 -962
- package/dist/hooks.cjs.map +1 -1
- package/dist/hooks.mjs +4 -1375
- package/dist/hooks.mjs.map +1 -1
- package/dist/index.cjs +2245 -1877
- package/dist/index.cjs.map +1 -1
- package/dist/index.d.cts +81 -4
- package/dist/index.d.ts +81 -4
- package/dist/index.mjs +20 -1860
- package/dist/index.mjs.map +1 -1
- package/dist/sdk.gen-2SQOPTWJ.mjs +26 -0
- package/dist/sdk.gen-2SQOPTWJ.mjs.map +1 -0
- package/dist/sdk.gen-HSGK4C5S.mjs +26 -0
- package/dist/sdk.gen-HSGK4C5S.mjs.map +1 -0
- package/dist/sdk.gen-NUK2VGHO.mjs +25 -0
- package/dist/sdk.gen-NUK2VGHO.mjs.map +1 -0
- package/dist/sdk.gen-O4KAQUZB.mjs +26 -0
- package/dist/sdk.gen-O4KAQUZB.mjs.map +1 -0
- package/dist/sdk.gen-PPAVSBNT.mjs +26 -0
- package/dist/sdk.gen-PPAVSBNT.mjs.map +1 -0
- package/dist/sdk.gen-XLHLOCJ2.mjs +25 -0
- package/dist/sdk.gen-XLHLOCJ2.mjs.map +1 -0
- package/dist/sdk.gen-ZOE6NQAL.mjs +26 -0
- package/dist/sdk.gen-ZOE6NQAL.mjs.map +1 -0
- package/dist/sdk.gen-ZT7LGJVO.mjs +26 -0
- package/dist/sdk.gen-ZT7LGJVO.mjs.map +1 -0
- package/package.json +2 -2
- package/src/_api/generated/_cfg_accounts/hooks/index.ts +1 -0
- package/src/_api/generated/_cfg_accounts/hooks/useCfgAccountsTokenBlacklistCreate.ts +28 -0
- package/src/_api/generated/_cfg_accounts/openapi.json +99 -0
- package/src/_api/generated/_cfg_accounts/schemas/TokenBlacklistRequest.ts +11 -0
- package/src/_api/generated/_cfg_accounts/schemas/index.ts +1 -0
- package/src/_api/generated/_cfg_centrifugo/openapi.json +9 -0
- package/src/_api/generated/_cfg_totp/openapi.json +33 -0
- package/src/_api/generated/helpers/auth.ts +276 -31
- package/src/_api/generated/openapi.json +129 -0
- package/src/_api/generated/sdk.gen.ts +94 -16
- package/src/_api/generated/types.gen.ts +18 -0
- package/src/auth/__tests__/guard.test.ts +0 -31
- package/src/auth/constants.ts +6 -0
- package/src/auth/context/AccountsContext.tsx +14 -24
- package/src/auth/context/AuthContext.tsx +226 -609
- package/src/auth/hooks/index.ts +3 -4
- package/src/auth/hooks/useGithubAuth.ts +3 -3
- package/src/auth/hooks/useSession.ts +22 -0
- package/src/auth/hooks/useTwoFactor.ts +4 -4
- package/src/auth/middlewares/index.ts +5 -6
- package/src/auth/utils/guard.ts +0 -22
- package/src/auth/utils/index.ts +0 -2
- package/src/_api/generated/_cfg_accounts/events.ts +0 -198
- package/src/_api/generated/_cfg_centrifugo/events.ts +0 -198
- package/src/_api/generated/_cfg_totp/events.ts +0 -198
- package/src/auth/__tests__/jwt.test.ts +0 -119
- package/src/auth/__tests__/sessionBootstrap.test.ts +0 -111
- package/src/auth/__tests__/useTokenRefresh.dom.test.tsx +0 -167
- package/src/auth/hooks/useAuthGuard.ts +0 -35
- package/src/auth/hooks/useTokenRefresh.ts +0 -131
- package/src/auth/refreshHandler.ts +0 -79
- package/src/auth/utils/jwt.ts +0 -66
package/dist/auth.d.cts
CHANGED
|
@@ -15,6 +15,18 @@ declare const AUTH_CONSTANTS: {
|
|
|
15
15
|
/** Backup code max length. */
|
|
16
16
|
readonly BACKUP_CODE_MAX_LENGTH: 12;
|
|
17
17
|
};
|
|
18
|
+
/** Default route for the sign-in page. Override per app via AuthConfig.routes. */
|
|
19
|
+
declare const DEFAULT_AUTH_PATH = "/auth";
|
|
20
|
+
/** Default post-login destination. Override per app via AuthConfig.routes. */
|
|
21
|
+
declare const DEFAULT_CALLBACK_PATH = "/dashboard";
|
|
22
|
+
|
|
23
|
+
type SessionStatus = 'authenticated' | 'anonymous';
|
|
24
|
+
type SessionSnapshot = {
|
|
25
|
+
/** 'authenticated' = a live access token OR a live refresh token exists. */
|
|
26
|
+
status: SessionStatus;
|
|
27
|
+
/** ms-epoch expiry of the current access token (null: no token / no exp). */
|
|
28
|
+
accessExpiresAt: number | null;
|
|
29
|
+
};
|
|
18
30
|
|
|
19
31
|
/**
|
|
20
32
|
* Nested serializer for Centrifugo WebSocket connection token.
|
|
@@ -146,10 +158,6 @@ type PatchedCfgUserUpdateRequest = {
|
|
|
146
158
|
*/
|
|
147
159
|
timezone?: string;
|
|
148
160
|
};
|
|
149
|
-
type TokenRefresh = {
|
|
150
|
-
readonly access: string;
|
|
151
|
-
refresh: string;
|
|
152
|
-
};
|
|
153
161
|
/**
|
|
154
162
|
* Serializer for user details.
|
|
155
163
|
*/
|
|
@@ -488,15 +496,14 @@ declare const AuthContext: React$1.Context<AuthContextType>;
|
|
|
488
496
|
* AuthProvider — wraps AccountsProvider + AuthProviderInternal.
|
|
489
497
|
*
|
|
490
498
|
* Memoised: re-renders only when `config` reference or `children` change.
|
|
491
|
-
* Internal auth state is isolated inside AuthProviderInternal.
|
|
492
499
|
*/
|
|
493
500
|
declare function AuthProviderRaw({ children, config, enabled }: AuthProviderProps): react_jsx_runtime.JSX.Element;
|
|
494
501
|
declare const AuthProvider: React$1.MemoExoticComponent<typeof AuthProviderRaw>;
|
|
495
502
|
/**
|
|
496
|
-
* Hook to access auth context
|
|
503
|
+
* Hook to access auth context.
|
|
497
504
|
*
|
|
498
|
-
* SSR-safe:
|
|
499
|
-
* (e.g
|
|
505
|
+
* SSR-safe: returns default unauthenticated state when called outside
|
|
506
|
+
* AuthProvider (e.g. during static page generation).
|
|
500
507
|
*/
|
|
501
508
|
declare const useAuth: () => AuthContextType;
|
|
502
509
|
|
|
@@ -523,7 +530,6 @@ interface AccountsContextValue {
|
|
|
523
530
|
}) => Promise<User | undefined>;
|
|
524
531
|
requestOTP: (data: OtpRequestRequest) => Promise<OtpRequestResponse>;
|
|
525
532
|
verifyOTP: (data: OtpVerifyRequest) => Promise<OtpVerifyResponse>;
|
|
526
|
-
refreshToken: (refresh: string) => Promise<TokenRefresh>;
|
|
527
533
|
logout: () => void;
|
|
528
534
|
}
|
|
529
535
|
interface AccountsProviderProps {
|
|
@@ -532,6 +538,8 @@ interface AccountsProviderProps {
|
|
|
532
538
|
declare function AccountsProvider({ children }: AccountsProviderProps): react_jsx_runtime.JSX.Element;
|
|
533
539
|
declare function useAccountsContext(): AccountsContextValue;
|
|
534
540
|
|
|
541
|
+
declare function useSession(): SessionSnapshot;
|
|
542
|
+
|
|
535
543
|
/**
|
|
536
544
|
* Universal Router Hook with BasePath Support
|
|
537
545
|
*
|
|
@@ -851,18 +859,6 @@ declare const useAuthRedirectManager: (options?: AuthRedirectOptions) => {
|
|
|
851
859
|
useAndClearRedirect: () => string;
|
|
852
860
|
};
|
|
853
861
|
|
|
854
|
-
interface UseAuthGuardOptions {
|
|
855
|
-
redirectTo?: string;
|
|
856
|
-
requireAuth?: boolean;
|
|
857
|
-
/** Whether to save current URL for redirect after auth (default: true) */
|
|
858
|
-
saveRedirectUrl?: boolean;
|
|
859
|
-
}
|
|
860
|
-
declare const useAuthGuard: (options?: UseAuthGuardOptions) => {
|
|
861
|
-
isAuthenticated: boolean;
|
|
862
|
-
isLoading: boolean;
|
|
863
|
-
isRedirecting: boolean;
|
|
864
|
-
};
|
|
865
|
-
|
|
866
862
|
/**
|
|
867
863
|
* Simple sessionStorage hook with better error handling
|
|
868
864
|
* @param key - Storage key
|
|
@@ -943,24 +939,6 @@ declare function getCacheMetadata(): {
|
|
|
943
939
|
expiresIn?: number;
|
|
944
940
|
} | null;
|
|
945
941
|
|
|
946
|
-
interface UseTokenRefreshOptions {
|
|
947
|
-
/** Enable automatic token refresh (default: true) */
|
|
948
|
-
enabled?: boolean;
|
|
949
|
-
/** Callback when token is refreshed */
|
|
950
|
-
onRefresh?: (newToken: string) => void;
|
|
951
|
-
/** Callback when refresh fails */
|
|
952
|
-
onRefreshError?: (error: Error) => void;
|
|
953
|
-
}
|
|
954
|
-
/**
|
|
955
|
-
* Hook for proactive automatic token refresh.
|
|
956
|
-
* (JWT expiry helpers live in ../utils/jwt so they can be unit-tested and
|
|
957
|
-
* reused by the auth-bootstrap validation path.)
|
|
958
|
-
*/
|
|
959
|
-
declare function useTokenRefresh(options?: UseTokenRefreshOptions): {
|
|
960
|
-
refreshToken: () => Promise<boolean>;
|
|
961
|
-
checkAndRefresh: () => Promise<void>;
|
|
962
|
-
};
|
|
963
|
-
|
|
964
942
|
interface DeleteAccountResult {
|
|
965
943
|
success: boolean;
|
|
966
944
|
message: string;
|
|
@@ -1044,48 +1022,6 @@ declare function resolveGuardIsLoading(s: GuardInput): boolean;
|
|
|
1044
1022
|
declare function shouldRedirectToAuth(s: GuardInput): boolean;
|
|
1045
1023
|
/** The effective authenticated flag the guard exposes to consumers. */
|
|
1046
1024
|
declare function resolveGuardIsAuthenticated(s: Pick<GuardInput, 'requireAuth' | 'isAuthenticated'>): boolean;
|
|
1047
|
-
/**
|
|
1048
|
-
* Delay (ms from `now`) until `isAuthenticated` should next be re-evaluated,
|
|
1049
|
-
* given the access/refresh expiry timestamps (ms epoch, or null if absent).
|
|
1050
|
-
*
|
|
1051
|
-
* `isAuthenticated` is derived from token `exp`, so it can change with no event
|
|
1052
|
-
* to trigger a recompute — a tab left open silently crosses an expiry boundary.
|
|
1053
|
-
* We schedule a wake-up at the SOONEST future expiry (the next moment the answer
|
|
1054
|
-
* could flip), plus a 1s cushion so we re-check strictly after the inclusive
|
|
1055
|
-
* boundary. Returns null when nothing live remains to expire (no timer needed).
|
|
1056
|
-
* Callers should clamp the result to the platform setTimeout ceiling.
|
|
1057
|
-
*/
|
|
1058
|
-
declare function nextAuthEvaluationDelay(accessExp: number | null, refreshExp: number | null, now: number): number | null;
|
|
1059
|
-
|
|
1060
|
-
/**
|
|
1061
|
-
* JWT inspection helpers (browser-safe, dependency-free).
|
|
1062
|
-
*
|
|
1063
|
-
* These decode ONLY the `exp` claim to reason about token freshness on the
|
|
1064
|
-
* client. They do NOT verify the signature — that is the server's job. The
|
|
1065
|
-
* point is purely to avoid firing doomed requests with a token we can already
|
|
1066
|
-
* see is malformed or expired, and to let auth bootstrap collapse a dead
|
|
1067
|
-
* session to the login form instead of hanging on a preloader.
|
|
1068
|
-
*
|
|
1069
|
-
* A JWT that cannot be decoded is treated as EXPIRED/invalid (fail-closed):
|
|
1070
|
-
* better to re-authenticate than to loop on 401s with garbage in storage.
|
|
1071
|
-
*/
|
|
1072
|
-
/**
|
|
1073
|
-
* Extract the `exp` claim (epoch ms), or null if the token is undecodable or
|
|
1074
|
-
* has no numeric `exp`.
|
|
1075
|
-
*/
|
|
1076
|
-
declare function getTokenExpiry(token: string | null | undefined): number | null;
|
|
1077
|
-
/**
|
|
1078
|
-
* True when the token is missing, malformed, or already past its `exp`.
|
|
1079
|
-
* `skewMs` treats a token expiring within the skew window as already expired
|
|
1080
|
-
* (default 0). Fail-closed: an undecodable token is considered expired.
|
|
1081
|
-
*/
|
|
1082
|
-
declare function isTokenExpired(token: string | null | undefined, skewMs?: number, now?: number): boolean;
|
|
1083
|
-
/**
|
|
1084
|
-
* True when a valid token exists but expires within `thresholdMs` (used by the
|
|
1085
|
-
* proactive refresher). A missing/undecodable token returns false here — that
|
|
1086
|
-
* case is handled by the "expired" path, not the "expiring soon" path.
|
|
1087
|
-
*/
|
|
1088
|
-
declare function isTokenExpiringSoon(token: string | null | undefined, thresholdMs: number, now?: number): boolean;
|
|
1089
1025
|
|
|
1090
1026
|
/**
|
|
1091
1027
|
* Path normalization for auth routing.
|
|
@@ -1156,4 +1092,4 @@ declare const Analytics: {
|
|
|
1156
1092
|
setUser(userId: string): void;
|
|
1157
1093
|
};
|
|
1158
1094
|
|
|
1159
|
-
export { AUTH_CONSTANTS, type AccountsContextValue, AccountsProvider, Analytics, AnalyticsCategory, type AnalyticsCategoryType, AnalyticsEvent, type AnalyticsEventType, type AuthConfig, AuthContext, type AuthContextType, type AuthFormAutoSubmit, type AuthFormReturn, type AuthFormState, type AuthFormStateHandlers, type AuthFormSubmitHandlers, type AuthFormValidation, AuthProvider, type AuthProviderProps, type AuthStep, type DeleteAccountResult, type GuardInput, type OTPRequestResult, type PatchedCfgUserUpdateRequest, PatchedCfgUserUpdateRequestSchema, type ProfileCacheOptions, type TwoFactorDevice, type TwoFactorSetupData, type UseAuthFormOptions, type UseAuthFormStateReturn, type UseAutoAuthOptions, type UseDeleteAccountReturn, type UseGithubAuthOptions, type UseGithubAuthReturn, type UseTwoFactorOptions, type UseTwoFactorReturn, type UseTwoFactorSetupOptions, type UseTwoFactorSetupReturn, type UseTwoFactorStatusReturn, type UserProfile, type WebmailLink, authLogger, clearProfileCache, decodeBase64, encodeBase64, formatAuthError, getCacheMetadata, getCachedProfile,
|
|
1095
|
+
export { AUTH_CONSTANTS, type AccountsContextValue, AccountsProvider, Analytics, AnalyticsCategory, type AnalyticsCategoryType, AnalyticsEvent, type AnalyticsEventType, type AuthConfig, AuthContext, type AuthContextType, type AuthFormAutoSubmit, type AuthFormReturn, type AuthFormState, type AuthFormStateHandlers, type AuthFormSubmitHandlers, type AuthFormValidation, AuthProvider, type AuthProviderProps, type AuthStep, DEFAULT_AUTH_PATH, DEFAULT_CALLBACK_PATH, type DeleteAccountResult, type GuardInput, type OTPRequestResult, type PatchedCfgUserUpdateRequest, PatchedCfgUserUpdateRequestSchema, type ProfileCacheOptions, type SessionSnapshot, type SessionStatus, type TwoFactorDevice, type TwoFactorSetupData, type UseAuthFormOptions, type UseAuthFormStateReturn, type UseAutoAuthOptions, type UseDeleteAccountReturn, type UseGithubAuthOptions, type UseGithubAuthReturn, type UseTwoFactorOptions, type UseTwoFactorReturn, type UseTwoFactorSetupOptions, type UseTwoFactorSetupReturn, type UseTwoFactorStatusReturn, type UserProfile, type WebmailLink, authLogger, clearProfileCache, decodeBase64, encodeBase64, formatAuthError, getCacheMetadata, getCachedProfile, hasValidCache, isAllowedAuthPath, logger, normalizePath, resolveGuardIsAuthenticated, resolveGuardIsLoading, setCachedProfile, shouldRedirectToAuth, useAccountsContext, useAuth, useAuthForm, useAuthFormState, useAuthRedirectManager, useAuthValidation, useAutoAuth, useBase64, useCfgRouter, useDeleteAccount, useGithubAuth, useLocalStorage, useQueryParams, useSession, useSessionStorage, useTwoFactor, useTwoFactorSetup, useTwoFactorStatus, validateEmail, validateIdentifier };
|
package/dist/auth.d.ts
CHANGED
|
@@ -15,6 +15,18 @@ declare const AUTH_CONSTANTS: {
|
|
|
15
15
|
/** Backup code max length. */
|
|
16
16
|
readonly BACKUP_CODE_MAX_LENGTH: 12;
|
|
17
17
|
};
|
|
18
|
+
/** Default route for the sign-in page. Override per app via AuthConfig.routes. */
|
|
19
|
+
declare const DEFAULT_AUTH_PATH = "/auth";
|
|
20
|
+
/** Default post-login destination. Override per app via AuthConfig.routes. */
|
|
21
|
+
declare const DEFAULT_CALLBACK_PATH = "/dashboard";
|
|
22
|
+
|
|
23
|
+
type SessionStatus = 'authenticated' | 'anonymous';
|
|
24
|
+
type SessionSnapshot = {
|
|
25
|
+
/** 'authenticated' = a live access token OR a live refresh token exists. */
|
|
26
|
+
status: SessionStatus;
|
|
27
|
+
/** ms-epoch expiry of the current access token (null: no token / no exp). */
|
|
28
|
+
accessExpiresAt: number | null;
|
|
29
|
+
};
|
|
18
30
|
|
|
19
31
|
/**
|
|
20
32
|
* Nested serializer for Centrifugo WebSocket connection token.
|
|
@@ -146,10 +158,6 @@ type PatchedCfgUserUpdateRequest = {
|
|
|
146
158
|
*/
|
|
147
159
|
timezone?: string;
|
|
148
160
|
};
|
|
149
|
-
type TokenRefresh = {
|
|
150
|
-
readonly access: string;
|
|
151
|
-
refresh: string;
|
|
152
|
-
};
|
|
153
161
|
/**
|
|
154
162
|
* Serializer for user details.
|
|
155
163
|
*/
|
|
@@ -488,15 +496,14 @@ declare const AuthContext: React$1.Context<AuthContextType>;
|
|
|
488
496
|
* AuthProvider — wraps AccountsProvider + AuthProviderInternal.
|
|
489
497
|
*
|
|
490
498
|
* Memoised: re-renders only when `config` reference or `children` change.
|
|
491
|
-
* Internal auth state is isolated inside AuthProviderInternal.
|
|
492
499
|
*/
|
|
493
500
|
declare function AuthProviderRaw({ children, config, enabled }: AuthProviderProps): react_jsx_runtime.JSX.Element;
|
|
494
501
|
declare const AuthProvider: React$1.MemoExoticComponent<typeof AuthProviderRaw>;
|
|
495
502
|
/**
|
|
496
|
-
* Hook to access auth context
|
|
503
|
+
* Hook to access auth context.
|
|
497
504
|
*
|
|
498
|
-
* SSR-safe:
|
|
499
|
-
* (e.g
|
|
505
|
+
* SSR-safe: returns default unauthenticated state when called outside
|
|
506
|
+
* AuthProvider (e.g. during static page generation).
|
|
500
507
|
*/
|
|
501
508
|
declare const useAuth: () => AuthContextType;
|
|
502
509
|
|
|
@@ -523,7 +530,6 @@ interface AccountsContextValue {
|
|
|
523
530
|
}) => Promise<User | undefined>;
|
|
524
531
|
requestOTP: (data: OtpRequestRequest) => Promise<OtpRequestResponse>;
|
|
525
532
|
verifyOTP: (data: OtpVerifyRequest) => Promise<OtpVerifyResponse>;
|
|
526
|
-
refreshToken: (refresh: string) => Promise<TokenRefresh>;
|
|
527
533
|
logout: () => void;
|
|
528
534
|
}
|
|
529
535
|
interface AccountsProviderProps {
|
|
@@ -532,6 +538,8 @@ interface AccountsProviderProps {
|
|
|
532
538
|
declare function AccountsProvider({ children }: AccountsProviderProps): react_jsx_runtime.JSX.Element;
|
|
533
539
|
declare function useAccountsContext(): AccountsContextValue;
|
|
534
540
|
|
|
541
|
+
declare function useSession(): SessionSnapshot;
|
|
542
|
+
|
|
535
543
|
/**
|
|
536
544
|
* Universal Router Hook with BasePath Support
|
|
537
545
|
*
|
|
@@ -851,18 +859,6 @@ declare const useAuthRedirectManager: (options?: AuthRedirectOptions) => {
|
|
|
851
859
|
useAndClearRedirect: () => string;
|
|
852
860
|
};
|
|
853
861
|
|
|
854
|
-
interface UseAuthGuardOptions {
|
|
855
|
-
redirectTo?: string;
|
|
856
|
-
requireAuth?: boolean;
|
|
857
|
-
/** Whether to save current URL for redirect after auth (default: true) */
|
|
858
|
-
saveRedirectUrl?: boolean;
|
|
859
|
-
}
|
|
860
|
-
declare const useAuthGuard: (options?: UseAuthGuardOptions) => {
|
|
861
|
-
isAuthenticated: boolean;
|
|
862
|
-
isLoading: boolean;
|
|
863
|
-
isRedirecting: boolean;
|
|
864
|
-
};
|
|
865
|
-
|
|
866
862
|
/**
|
|
867
863
|
* Simple sessionStorage hook with better error handling
|
|
868
864
|
* @param key - Storage key
|
|
@@ -943,24 +939,6 @@ declare function getCacheMetadata(): {
|
|
|
943
939
|
expiresIn?: number;
|
|
944
940
|
} | null;
|
|
945
941
|
|
|
946
|
-
interface UseTokenRefreshOptions {
|
|
947
|
-
/** Enable automatic token refresh (default: true) */
|
|
948
|
-
enabled?: boolean;
|
|
949
|
-
/** Callback when token is refreshed */
|
|
950
|
-
onRefresh?: (newToken: string) => void;
|
|
951
|
-
/** Callback when refresh fails */
|
|
952
|
-
onRefreshError?: (error: Error) => void;
|
|
953
|
-
}
|
|
954
|
-
/**
|
|
955
|
-
* Hook for proactive automatic token refresh.
|
|
956
|
-
* (JWT expiry helpers live in ../utils/jwt so they can be unit-tested and
|
|
957
|
-
* reused by the auth-bootstrap validation path.)
|
|
958
|
-
*/
|
|
959
|
-
declare function useTokenRefresh(options?: UseTokenRefreshOptions): {
|
|
960
|
-
refreshToken: () => Promise<boolean>;
|
|
961
|
-
checkAndRefresh: () => Promise<void>;
|
|
962
|
-
};
|
|
963
|
-
|
|
964
942
|
interface DeleteAccountResult {
|
|
965
943
|
success: boolean;
|
|
966
944
|
message: string;
|
|
@@ -1044,48 +1022,6 @@ declare function resolveGuardIsLoading(s: GuardInput): boolean;
|
|
|
1044
1022
|
declare function shouldRedirectToAuth(s: GuardInput): boolean;
|
|
1045
1023
|
/** The effective authenticated flag the guard exposes to consumers. */
|
|
1046
1024
|
declare function resolveGuardIsAuthenticated(s: Pick<GuardInput, 'requireAuth' | 'isAuthenticated'>): boolean;
|
|
1047
|
-
/**
|
|
1048
|
-
* Delay (ms from `now`) until `isAuthenticated` should next be re-evaluated,
|
|
1049
|
-
* given the access/refresh expiry timestamps (ms epoch, or null if absent).
|
|
1050
|
-
*
|
|
1051
|
-
* `isAuthenticated` is derived from token `exp`, so it can change with no event
|
|
1052
|
-
* to trigger a recompute — a tab left open silently crosses an expiry boundary.
|
|
1053
|
-
* We schedule a wake-up at the SOONEST future expiry (the next moment the answer
|
|
1054
|
-
* could flip), plus a 1s cushion so we re-check strictly after the inclusive
|
|
1055
|
-
* boundary. Returns null when nothing live remains to expire (no timer needed).
|
|
1056
|
-
* Callers should clamp the result to the platform setTimeout ceiling.
|
|
1057
|
-
*/
|
|
1058
|
-
declare function nextAuthEvaluationDelay(accessExp: number | null, refreshExp: number | null, now: number): number | null;
|
|
1059
|
-
|
|
1060
|
-
/**
|
|
1061
|
-
* JWT inspection helpers (browser-safe, dependency-free).
|
|
1062
|
-
*
|
|
1063
|
-
* These decode ONLY the `exp` claim to reason about token freshness on the
|
|
1064
|
-
* client. They do NOT verify the signature — that is the server's job. The
|
|
1065
|
-
* point is purely to avoid firing doomed requests with a token we can already
|
|
1066
|
-
* see is malformed or expired, and to let auth bootstrap collapse a dead
|
|
1067
|
-
* session to the login form instead of hanging on a preloader.
|
|
1068
|
-
*
|
|
1069
|
-
* A JWT that cannot be decoded is treated as EXPIRED/invalid (fail-closed):
|
|
1070
|
-
* better to re-authenticate than to loop on 401s with garbage in storage.
|
|
1071
|
-
*/
|
|
1072
|
-
/**
|
|
1073
|
-
* Extract the `exp` claim (epoch ms), or null if the token is undecodable or
|
|
1074
|
-
* has no numeric `exp`.
|
|
1075
|
-
*/
|
|
1076
|
-
declare function getTokenExpiry(token: string | null | undefined): number | null;
|
|
1077
|
-
/**
|
|
1078
|
-
* True when the token is missing, malformed, or already past its `exp`.
|
|
1079
|
-
* `skewMs` treats a token expiring within the skew window as already expired
|
|
1080
|
-
* (default 0). Fail-closed: an undecodable token is considered expired.
|
|
1081
|
-
*/
|
|
1082
|
-
declare function isTokenExpired(token: string | null | undefined, skewMs?: number, now?: number): boolean;
|
|
1083
|
-
/**
|
|
1084
|
-
* True when a valid token exists but expires within `thresholdMs` (used by the
|
|
1085
|
-
* proactive refresher). A missing/undecodable token returns false here — that
|
|
1086
|
-
* case is handled by the "expired" path, not the "expiring soon" path.
|
|
1087
|
-
*/
|
|
1088
|
-
declare function isTokenExpiringSoon(token: string | null | undefined, thresholdMs: number, now?: number): boolean;
|
|
1089
1025
|
|
|
1090
1026
|
/**
|
|
1091
1027
|
* Path normalization for auth routing.
|
|
@@ -1156,4 +1092,4 @@ declare const Analytics: {
|
|
|
1156
1092
|
setUser(userId: string): void;
|
|
1157
1093
|
};
|
|
1158
1094
|
|
|
1159
|
-
export { AUTH_CONSTANTS, type AccountsContextValue, AccountsProvider, Analytics, AnalyticsCategory, type AnalyticsCategoryType, AnalyticsEvent, type AnalyticsEventType, type AuthConfig, AuthContext, type AuthContextType, type AuthFormAutoSubmit, type AuthFormReturn, type AuthFormState, type AuthFormStateHandlers, type AuthFormSubmitHandlers, type AuthFormValidation, AuthProvider, type AuthProviderProps, type AuthStep, type DeleteAccountResult, type GuardInput, type OTPRequestResult, type PatchedCfgUserUpdateRequest, PatchedCfgUserUpdateRequestSchema, type ProfileCacheOptions, type TwoFactorDevice, type TwoFactorSetupData, type UseAuthFormOptions, type UseAuthFormStateReturn, type UseAutoAuthOptions, type UseDeleteAccountReturn, type UseGithubAuthOptions, type UseGithubAuthReturn, type UseTwoFactorOptions, type UseTwoFactorReturn, type UseTwoFactorSetupOptions, type UseTwoFactorSetupReturn, type UseTwoFactorStatusReturn, type UserProfile, type WebmailLink, authLogger, clearProfileCache, decodeBase64, encodeBase64, formatAuthError, getCacheMetadata, getCachedProfile,
|
|
1095
|
+
export { AUTH_CONSTANTS, type AccountsContextValue, AccountsProvider, Analytics, AnalyticsCategory, type AnalyticsCategoryType, AnalyticsEvent, type AnalyticsEventType, type AuthConfig, AuthContext, type AuthContextType, type AuthFormAutoSubmit, type AuthFormReturn, type AuthFormState, type AuthFormStateHandlers, type AuthFormSubmitHandlers, type AuthFormValidation, AuthProvider, type AuthProviderProps, type AuthStep, DEFAULT_AUTH_PATH, DEFAULT_CALLBACK_PATH, type DeleteAccountResult, type GuardInput, type OTPRequestResult, type PatchedCfgUserUpdateRequest, PatchedCfgUserUpdateRequestSchema, type ProfileCacheOptions, type SessionSnapshot, type SessionStatus, type TwoFactorDevice, type TwoFactorSetupData, type UseAuthFormOptions, type UseAuthFormStateReturn, type UseAutoAuthOptions, type UseDeleteAccountReturn, type UseGithubAuthOptions, type UseGithubAuthReturn, type UseTwoFactorOptions, type UseTwoFactorReturn, type UseTwoFactorSetupOptions, type UseTwoFactorSetupReturn, type UseTwoFactorStatusReturn, type UserProfile, type WebmailLink, authLogger, clearProfileCache, decodeBase64, encodeBase64, formatAuthError, getCacheMetadata, getCachedProfile, hasValidCache, isAllowedAuthPath, logger, normalizePath, resolveGuardIsAuthenticated, resolveGuardIsLoading, setCachedProfile, shouldRedirectToAuth, useAccountsContext, useAuth, useAuthForm, useAuthFormState, useAuthRedirectManager, useAuthValidation, useAutoAuth, useBase64, useCfgRouter, useDeleteAccount, useGithubAuth, useLocalStorage, useQueryParams, useSession, useSessionStorage, useTwoFactor, useTwoFactorSetup, useTwoFactorStatus, validateEmail, validateIdentifier };
|