@djangocfg/api 2.1.455 → 2.1.457
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/auth.cjs +1611 -2148
- package/dist/auth.cjs.map +1 -1
- package/dist/auth.d.cts +37 -82
- package/dist/auth.d.ts +37 -82
- package/dist/auth.mjs +1581 -2118
- package/dist/auth.mjs.map +1 -1
- package/dist/chunk-2G67QRNU.mjs +2096 -0
- package/dist/chunk-2G67QRNU.mjs.map +1 -0
- package/dist/chunk-32SRQGAC.mjs +2109 -0
- package/dist/chunk-32SRQGAC.mjs.map +1 -0
- package/dist/chunk-4BPRCONN.mjs +2098 -0
- package/dist/chunk-4BPRCONN.mjs.map +1 -0
- package/dist/chunk-5UZ2Z323.mjs +2021 -0
- package/dist/chunk-5UZ2Z323.mjs.map +1 -0
- package/dist/chunk-7KFTJXNM.mjs +2097 -0
- package/dist/chunk-7KFTJXNM.mjs.map +1 -0
- package/dist/chunk-BK4K5CVT.mjs +2019 -0
- package/dist/chunk-BK4K5CVT.mjs.map +1 -0
- package/dist/chunk-JLPJZ6WB.mjs +2020 -0
- package/dist/chunk-JLPJZ6WB.mjs.map +1 -0
- package/dist/chunk-TVU6PYJH.mjs +2032 -0
- package/dist/chunk-TVU6PYJH.mjs.map +1 -0
- package/dist/clients.cjs +292 -47
- package/dist/clients.cjs.map +1 -1
- package/dist/clients.d.cts +23 -0
- package/dist/clients.d.ts +23 -0
- package/dist/clients.mjs +292 -47
- package/dist/clients.mjs.map +1 -1
- package/dist/hooks.cjs +200 -32
- package/dist/hooks.cjs.map +1 -1
- package/dist/hooks.mjs +200 -32
- package/dist/hooks.mjs.map +1 -1
- package/dist/index.cjs +292 -47
- package/dist/index.cjs.map +1 -1
- package/dist/index.d.cts +81 -4
- package/dist/index.d.ts +81 -4
- package/dist/index.mjs +292 -47
- package/dist/index.mjs.map +1 -1
- package/dist/sdk.gen-2SQOPTWJ.mjs +26 -0
- package/dist/sdk.gen-2SQOPTWJ.mjs.map +1 -0
- package/dist/sdk.gen-HSGK4C5S.mjs +26 -0
- package/dist/sdk.gen-HSGK4C5S.mjs.map +1 -0
- package/dist/sdk.gen-NUK2VGHO.mjs +25 -0
- package/dist/sdk.gen-NUK2VGHO.mjs.map +1 -0
- package/dist/sdk.gen-O4KAQUZB.mjs +26 -0
- package/dist/sdk.gen-O4KAQUZB.mjs.map +1 -0
- package/dist/sdk.gen-PPAVSBNT.mjs +26 -0
- package/dist/sdk.gen-PPAVSBNT.mjs.map +1 -0
- package/dist/sdk.gen-XLHLOCJ2.mjs +25 -0
- package/dist/sdk.gen-XLHLOCJ2.mjs.map +1 -0
- package/dist/sdk.gen-ZOE6NQAL.mjs +26 -0
- package/dist/sdk.gen-ZOE6NQAL.mjs.map +1 -0
- package/dist/sdk.gen-ZT7LGJVO.mjs +26 -0
- package/dist/sdk.gen-ZT7LGJVO.mjs.map +1 -0
- package/package.json +2 -2
- package/src/_api/generated/_cfg_accounts/hooks/index.ts +1 -0
- package/src/_api/generated/_cfg_accounts/hooks/useCfgAccountsTokenBlacklistCreate.ts +28 -0
- package/src/_api/generated/_cfg_accounts/openapi.json +99 -0
- package/src/_api/generated/_cfg_accounts/schemas/TokenBlacklistRequest.ts +11 -0
- package/src/_api/generated/_cfg_accounts/schemas/index.ts +1 -0
- package/src/_api/generated/_cfg_centrifugo/openapi.json +9 -0
- package/src/_api/generated/_cfg_totp/openapi.json +33 -0
- package/src/_api/generated/helpers/auth.ts +288 -31
- package/src/_api/generated/openapi.json +129 -0
- package/src/_api/generated/sdk.gen.ts +94 -16
- package/src/_api/generated/types.gen.ts +18 -0
- package/src/auth/__tests__/guard.test.ts +0 -31
- package/src/auth/constants.ts +6 -0
- package/src/auth/context/AccountsContext.tsx +14 -24
- package/src/auth/context/AuthContext.tsx +263 -607
- package/src/auth/context/types.ts +13 -0
- package/src/auth/hooks/index.ts +8 -5
- package/src/auth/hooks/useAuthRedirect.ts +17 -0
- package/src/auth/hooks/useGithubAuth.ts +3 -3
- package/src/auth/hooks/useSession.ts +22 -0
- package/src/auth/hooks/useTwoFactor.ts +8 -6
- package/src/auth/middlewares/index.ts +5 -6
- package/src/auth/utils/guard.ts +0 -22
- package/src/auth/utils/index.ts +0 -2
- package/src/_api/generated/_cfg_accounts/events.ts +0 -198
- package/src/_api/generated/_cfg_centrifugo/events.ts +0 -198
- package/src/_api/generated/_cfg_totp/events.ts +0 -198
- package/src/auth/__tests__/jwt.test.ts +0 -119
- package/src/auth/__tests__/sessionBootstrap.test.ts +0 -111
- package/src/auth/__tests__/useTokenRefresh.dom.test.tsx +0 -167
- package/src/auth/hooks/useAuthGuard.ts +0 -35
- package/src/auth/hooks/useTokenRefresh.ts +0 -131
- package/src/auth/refreshHandler.ts +0 -79
- package/src/auth/utils/jwt.ts +0 -66
package/dist/auth.d.cts
CHANGED
|
@@ -16,6 +16,14 @@ declare const AUTH_CONSTANTS: {
|
|
|
16
16
|
readonly BACKUP_CODE_MAX_LENGTH: 12;
|
|
17
17
|
};
|
|
18
18
|
|
|
19
|
+
type SessionStatus = 'authenticated' | 'anonymous';
|
|
20
|
+
type SessionSnapshot = {
|
|
21
|
+
/** 'authenticated' = a live access token OR a live refresh token exists. */
|
|
22
|
+
status: SessionStatus;
|
|
23
|
+
/** ms-epoch expiry of the current access token (null: no token / no exp). */
|
|
24
|
+
accessExpiresAt: number | null;
|
|
25
|
+
};
|
|
26
|
+
|
|
19
27
|
/**
|
|
20
28
|
* Nested serializer for Centrifugo WebSocket connection token.
|
|
21
29
|
*/
|
|
@@ -146,10 +154,6 @@ type PatchedCfgUserUpdateRequest = {
|
|
|
146
154
|
*/
|
|
147
155
|
timezone?: string;
|
|
148
156
|
};
|
|
149
|
-
type TokenRefresh = {
|
|
150
|
-
readonly access: string;
|
|
151
|
-
refresh: string;
|
|
152
|
-
};
|
|
153
157
|
/**
|
|
154
158
|
* Serializer for user details.
|
|
155
159
|
*/
|
|
@@ -439,11 +443,23 @@ interface AuthConfig {
|
|
|
439
443
|
};
|
|
440
444
|
onLogout?: () => void;
|
|
441
445
|
}
|
|
446
|
+
/**
|
|
447
|
+
* AuthConfig.routes resolved against the framework conventions — no field is
|
|
448
|
+
* optional here. This is what components consume (via `useAuth().routes`)
|
|
449
|
+
* instead of defaulting to route constants themselves.
|
|
450
|
+
*/
|
|
451
|
+
interface ResolvedAuthRoutes {
|
|
452
|
+
auth: string;
|
|
453
|
+
defaultCallback: string;
|
|
454
|
+
defaultAuthCallback: string;
|
|
455
|
+
}
|
|
442
456
|
interface AuthContextType {
|
|
443
457
|
user: UserProfile | null;
|
|
444
458
|
isLoading: boolean;
|
|
445
459
|
isAuthenticated: boolean;
|
|
446
460
|
isAdminUser: boolean;
|
|
461
|
+
/** Resolved route conventions (config override or framework default). */
|
|
462
|
+
routes: ResolvedAuthRoutes;
|
|
447
463
|
loadCurrentProfile: (callerId?: string) => Promise<void>;
|
|
448
464
|
checkAuthAndRedirect: () => Promise<void>;
|
|
449
465
|
getToken: () => string | null;
|
|
@@ -488,15 +504,14 @@ declare const AuthContext: React$1.Context<AuthContextType>;
|
|
|
488
504
|
* AuthProvider — wraps AccountsProvider + AuthProviderInternal.
|
|
489
505
|
*
|
|
490
506
|
* Memoised: re-renders only when `config` reference or `children` change.
|
|
491
|
-
* Internal auth state is isolated inside AuthProviderInternal.
|
|
492
507
|
*/
|
|
493
508
|
declare function AuthProviderRaw({ children, config, enabled }: AuthProviderProps): react_jsx_runtime.JSX.Element;
|
|
494
509
|
declare const AuthProvider: React$1.MemoExoticComponent<typeof AuthProviderRaw>;
|
|
495
510
|
/**
|
|
496
|
-
* Hook to access auth context
|
|
511
|
+
* Hook to access auth context.
|
|
497
512
|
*
|
|
498
|
-
* SSR-safe:
|
|
499
|
-
* (e.g
|
|
513
|
+
* SSR-safe: returns default unauthenticated state when called outside
|
|
514
|
+
* AuthProvider (e.g. during static page generation).
|
|
500
515
|
*/
|
|
501
516
|
declare const useAuth: () => AuthContextType;
|
|
502
517
|
|
|
@@ -523,7 +538,6 @@ interface AccountsContextValue {
|
|
|
523
538
|
}) => Promise<User | undefined>;
|
|
524
539
|
requestOTP: (data: OtpRequestRequest) => Promise<OtpRequestResponse>;
|
|
525
540
|
verifyOTP: (data: OtpVerifyRequest) => Promise<OtpVerifyResponse>;
|
|
526
|
-
refreshToken: (refresh: string) => Promise<TokenRefresh>;
|
|
527
541
|
logout: () => void;
|
|
528
542
|
}
|
|
529
543
|
interface AccountsProviderProps {
|
|
@@ -532,6 +546,8 @@ interface AccountsProviderProps {
|
|
|
532
546
|
declare function AccountsProvider({ children }: AccountsProviderProps): react_jsx_runtime.JSX.Element;
|
|
533
547
|
declare function useAccountsContext(): AccountsContextValue;
|
|
534
548
|
|
|
549
|
+
declare function useSession(): SessionSnapshot;
|
|
550
|
+
|
|
535
551
|
/**
|
|
536
552
|
* Universal Router Hook with BasePath Support
|
|
537
553
|
*
|
|
@@ -841,6 +857,17 @@ interface AuthRedirectOptions {
|
|
|
841
857
|
fallbackUrl?: string;
|
|
842
858
|
clearOnUse?: boolean;
|
|
843
859
|
}
|
|
860
|
+
/**
|
|
861
|
+
* Read the saved back-url without clearing it. Null when nothing saved —
|
|
862
|
+
* unlike getFinalRedirectUrl, never substitutes a fallback.
|
|
863
|
+
*/
|
|
864
|
+
declare const peekSavedRedirect: () => string | null;
|
|
865
|
+
/**
|
|
866
|
+
* Read AND clear the saved back-url (single-use intent). Null when nothing
|
|
867
|
+
* saved. This is the one primitive every post-auth navigator uses to honor
|
|
868
|
+
* "return the user to where the guard bounced them from".
|
|
869
|
+
*/
|
|
870
|
+
declare const consumeSavedRedirect: () => string | null;
|
|
844
871
|
declare const useAuthRedirectManager: (options?: AuthRedirectOptions) => {
|
|
845
872
|
redirectUrl: string;
|
|
846
873
|
setRedirect: (url: string) => void;
|
|
@@ -851,18 +878,6 @@ declare const useAuthRedirectManager: (options?: AuthRedirectOptions) => {
|
|
|
851
878
|
useAndClearRedirect: () => string;
|
|
852
879
|
};
|
|
853
880
|
|
|
854
|
-
interface UseAuthGuardOptions {
|
|
855
|
-
redirectTo?: string;
|
|
856
|
-
requireAuth?: boolean;
|
|
857
|
-
/** Whether to save current URL for redirect after auth (default: true) */
|
|
858
|
-
saveRedirectUrl?: boolean;
|
|
859
|
-
}
|
|
860
|
-
declare const useAuthGuard: (options?: UseAuthGuardOptions) => {
|
|
861
|
-
isAuthenticated: boolean;
|
|
862
|
-
isLoading: boolean;
|
|
863
|
-
isRedirecting: boolean;
|
|
864
|
-
};
|
|
865
|
-
|
|
866
881
|
/**
|
|
867
882
|
* Simple sessionStorage hook with better error handling
|
|
868
883
|
* @param key - Storage key
|
|
@@ -943,24 +958,6 @@ declare function getCacheMetadata(): {
|
|
|
943
958
|
expiresIn?: number;
|
|
944
959
|
} | null;
|
|
945
960
|
|
|
946
|
-
interface UseTokenRefreshOptions {
|
|
947
|
-
/** Enable automatic token refresh (default: true) */
|
|
948
|
-
enabled?: boolean;
|
|
949
|
-
/** Callback when token is refreshed */
|
|
950
|
-
onRefresh?: (newToken: string) => void;
|
|
951
|
-
/** Callback when refresh fails */
|
|
952
|
-
onRefreshError?: (error: Error) => void;
|
|
953
|
-
}
|
|
954
|
-
/**
|
|
955
|
-
* Hook for proactive automatic token refresh.
|
|
956
|
-
* (JWT expiry helpers live in ../utils/jwt so they can be unit-tested and
|
|
957
|
-
* reused by the auth-bootstrap validation path.)
|
|
958
|
-
*/
|
|
959
|
-
declare function useTokenRefresh(options?: UseTokenRefreshOptions): {
|
|
960
|
-
refreshToken: () => Promise<boolean>;
|
|
961
|
-
checkAndRefresh: () => Promise<void>;
|
|
962
|
-
};
|
|
963
|
-
|
|
964
961
|
interface DeleteAccountResult {
|
|
965
962
|
success: boolean;
|
|
966
963
|
message: string;
|
|
@@ -1044,48 +1041,6 @@ declare function resolveGuardIsLoading(s: GuardInput): boolean;
|
|
|
1044
1041
|
declare function shouldRedirectToAuth(s: GuardInput): boolean;
|
|
1045
1042
|
/** The effective authenticated flag the guard exposes to consumers. */
|
|
1046
1043
|
declare function resolveGuardIsAuthenticated(s: Pick<GuardInput, 'requireAuth' | 'isAuthenticated'>): boolean;
|
|
1047
|
-
/**
|
|
1048
|
-
* Delay (ms from `now`) until `isAuthenticated` should next be re-evaluated,
|
|
1049
|
-
* given the access/refresh expiry timestamps (ms epoch, or null if absent).
|
|
1050
|
-
*
|
|
1051
|
-
* `isAuthenticated` is derived from token `exp`, so it can change with no event
|
|
1052
|
-
* to trigger a recompute — a tab left open silently crosses an expiry boundary.
|
|
1053
|
-
* We schedule a wake-up at the SOONEST future expiry (the next moment the answer
|
|
1054
|
-
* could flip), plus a 1s cushion so we re-check strictly after the inclusive
|
|
1055
|
-
* boundary. Returns null when nothing live remains to expire (no timer needed).
|
|
1056
|
-
* Callers should clamp the result to the platform setTimeout ceiling.
|
|
1057
|
-
*/
|
|
1058
|
-
declare function nextAuthEvaluationDelay(accessExp: number | null, refreshExp: number | null, now: number): number | null;
|
|
1059
|
-
|
|
1060
|
-
/**
|
|
1061
|
-
* JWT inspection helpers (browser-safe, dependency-free).
|
|
1062
|
-
*
|
|
1063
|
-
* These decode ONLY the `exp` claim to reason about token freshness on the
|
|
1064
|
-
* client. They do NOT verify the signature — that is the server's job. The
|
|
1065
|
-
* point is purely to avoid firing doomed requests with a token we can already
|
|
1066
|
-
* see is malformed or expired, and to let auth bootstrap collapse a dead
|
|
1067
|
-
* session to the login form instead of hanging on a preloader.
|
|
1068
|
-
*
|
|
1069
|
-
* A JWT that cannot be decoded is treated as EXPIRED/invalid (fail-closed):
|
|
1070
|
-
* better to re-authenticate than to loop on 401s with garbage in storage.
|
|
1071
|
-
*/
|
|
1072
|
-
/**
|
|
1073
|
-
* Extract the `exp` claim (epoch ms), or null if the token is undecodable or
|
|
1074
|
-
* has no numeric `exp`.
|
|
1075
|
-
*/
|
|
1076
|
-
declare function getTokenExpiry(token: string | null | undefined): number | null;
|
|
1077
|
-
/**
|
|
1078
|
-
* True when the token is missing, malformed, or already past its `exp`.
|
|
1079
|
-
* `skewMs` treats a token expiring within the skew window as already expired
|
|
1080
|
-
* (default 0). Fail-closed: an undecodable token is considered expired.
|
|
1081
|
-
*/
|
|
1082
|
-
declare function isTokenExpired(token: string | null | undefined, skewMs?: number, now?: number): boolean;
|
|
1083
|
-
/**
|
|
1084
|
-
* True when a valid token exists but expires within `thresholdMs` (used by the
|
|
1085
|
-
* proactive refresher). A missing/undecodable token returns false here — that
|
|
1086
|
-
* case is handled by the "expired" path, not the "expiring soon" path.
|
|
1087
|
-
*/
|
|
1088
|
-
declare function isTokenExpiringSoon(token: string | null | undefined, thresholdMs: number, now?: number): boolean;
|
|
1089
1044
|
|
|
1090
1045
|
/**
|
|
1091
1046
|
* Path normalization for auth routing.
|
|
@@ -1156,4 +1111,4 @@ declare const Analytics: {
|
|
|
1156
1111
|
setUser(userId: string): void;
|
|
1157
1112
|
};
|
|
1158
1113
|
|
|
1159
|
-
export { AUTH_CONSTANTS, type AccountsContextValue, AccountsProvider, Analytics, AnalyticsCategory, type AnalyticsCategoryType, AnalyticsEvent, type AnalyticsEventType, type AuthConfig, AuthContext, type AuthContextType, type AuthFormAutoSubmit, type AuthFormReturn, type AuthFormState, type AuthFormStateHandlers, type AuthFormSubmitHandlers, type AuthFormValidation, AuthProvider, type AuthProviderProps, type AuthStep, type DeleteAccountResult, type GuardInput, type OTPRequestResult, type PatchedCfgUserUpdateRequest, PatchedCfgUserUpdateRequestSchema, type ProfileCacheOptions, type TwoFactorDevice, type TwoFactorSetupData, type UseAuthFormOptions, type UseAuthFormStateReturn, type UseAutoAuthOptions, type UseDeleteAccountReturn, type UseGithubAuthOptions, type UseGithubAuthReturn, type UseTwoFactorOptions, type UseTwoFactorReturn, type UseTwoFactorSetupOptions, type UseTwoFactorSetupReturn, type UseTwoFactorStatusReturn, type UserProfile, type WebmailLink, authLogger, clearProfileCache, decodeBase64, encodeBase64, formatAuthError, getCacheMetadata, getCachedProfile,
|
|
1114
|
+
export { AUTH_CONSTANTS, type AccountsContextValue, AccountsProvider, Analytics, AnalyticsCategory, type AnalyticsCategoryType, AnalyticsEvent, type AnalyticsEventType, type AuthConfig, AuthContext, type AuthContextType, type AuthFormAutoSubmit, type AuthFormReturn, type AuthFormState, type AuthFormStateHandlers, type AuthFormSubmitHandlers, type AuthFormValidation, AuthProvider, type AuthProviderProps, type AuthStep, type DeleteAccountResult, type GuardInput, type OTPRequestResult, type PatchedCfgUserUpdateRequest, PatchedCfgUserUpdateRequestSchema, type ProfileCacheOptions, type SessionSnapshot, type SessionStatus, type TwoFactorDevice, type TwoFactorSetupData, type UseAuthFormOptions, type UseAuthFormStateReturn, type UseAutoAuthOptions, type UseDeleteAccountReturn, type UseGithubAuthOptions, type UseGithubAuthReturn, type UseTwoFactorOptions, type UseTwoFactorReturn, type UseTwoFactorSetupOptions, type UseTwoFactorSetupReturn, type UseTwoFactorStatusReturn, type UserProfile, type WebmailLink, authLogger, clearProfileCache, consumeSavedRedirect, decodeBase64, encodeBase64, formatAuthError, getCacheMetadata, getCachedProfile, hasValidCache, isAllowedAuthPath, logger, normalizePath, peekSavedRedirect, resolveGuardIsAuthenticated, resolveGuardIsLoading, setCachedProfile, shouldRedirectToAuth, useAccountsContext, useAuth, useAuthForm, useAuthFormState, useAuthRedirectManager, useAuthValidation, useAutoAuth, useBase64, useCfgRouter, useDeleteAccount, useGithubAuth, useLocalStorage, useQueryParams, useSession, useSessionStorage, useTwoFactor, useTwoFactorSetup, useTwoFactorStatus, validateEmail, validateIdentifier };
|
package/dist/auth.d.ts
CHANGED
|
@@ -16,6 +16,14 @@ declare const AUTH_CONSTANTS: {
|
|
|
16
16
|
readonly BACKUP_CODE_MAX_LENGTH: 12;
|
|
17
17
|
};
|
|
18
18
|
|
|
19
|
+
type SessionStatus = 'authenticated' | 'anonymous';
|
|
20
|
+
type SessionSnapshot = {
|
|
21
|
+
/** 'authenticated' = a live access token OR a live refresh token exists. */
|
|
22
|
+
status: SessionStatus;
|
|
23
|
+
/** ms-epoch expiry of the current access token (null: no token / no exp). */
|
|
24
|
+
accessExpiresAt: number | null;
|
|
25
|
+
};
|
|
26
|
+
|
|
19
27
|
/**
|
|
20
28
|
* Nested serializer for Centrifugo WebSocket connection token.
|
|
21
29
|
*/
|
|
@@ -146,10 +154,6 @@ type PatchedCfgUserUpdateRequest = {
|
|
|
146
154
|
*/
|
|
147
155
|
timezone?: string;
|
|
148
156
|
};
|
|
149
|
-
type TokenRefresh = {
|
|
150
|
-
readonly access: string;
|
|
151
|
-
refresh: string;
|
|
152
|
-
};
|
|
153
157
|
/**
|
|
154
158
|
* Serializer for user details.
|
|
155
159
|
*/
|
|
@@ -439,11 +443,23 @@ interface AuthConfig {
|
|
|
439
443
|
};
|
|
440
444
|
onLogout?: () => void;
|
|
441
445
|
}
|
|
446
|
+
/**
|
|
447
|
+
* AuthConfig.routes resolved against the framework conventions — no field is
|
|
448
|
+
* optional here. This is what components consume (via `useAuth().routes`)
|
|
449
|
+
* instead of defaulting to route constants themselves.
|
|
450
|
+
*/
|
|
451
|
+
interface ResolvedAuthRoutes {
|
|
452
|
+
auth: string;
|
|
453
|
+
defaultCallback: string;
|
|
454
|
+
defaultAuthCallback: string;
|
|
455
|
+
}
|
|
442
456
|
interface AuthContextType {
|
|
443
457
|
user: UserProfile | null;
|
|
444
458
|
isLoading: boolean;
|
|
445
459
|
isAuthenticated: boolean;
|
|
446
460
|
isAdminUser: boolean;
|
|
461
|
+
/** Resolved route conventions (config override or framework default). */
|
|
462
|
+
routes: ResolvedAuthRoutes;
|
|
447
463
|
loadCurrentProfile: (callerId?: string) => Promise<void>;
|
|
448
464
|
checkAuthAndRedirect: () => Promise<void>;
|
|
449
465
|
getToken: () => string | null;
|
|
@@ -488,15 +504,14 @@ declare const AuthContext: React$1.Context<AuthContextType>;
|
|
|
488
504
|
* AuthProvider — wraps AccountsProvider + AuthProviderInternal.
|
|
489
505
|
*
|
|
490
506
|
* Memoised: re-renders only when `config` reference or `children` change.
|
|
491
|
-
* Internal auth state is isolated inside AuthProviderInternal.
|
|
492
507
|
*/
|
|
493
508
|
declare function AuthProviderRaw({ children, config, enabled }: AuthProviderProps): react_jsx_runtime.JSX.Element;
|
|
494
509
|
declare const AuthProvider: React$1.MemoExoticComponent<typeof AuthProviderRaw>;
|
|
495
510
|
/**
|
|
496
|
-
* Hook to access auth context
|
|
511
|
+
* Hook to access auth context.
|
|
497
512
|
*
|
|
498
|
-
* SSR-safe:
|
|
499
|
-
* (e.g
|
|
513
|
+
* SSR-safe: returns default unauthenticated state when called outside
|
|
514
|
+
* AuthProvider (e.g. during static page generation).
|
|
500
515
|
*/
|
|
501
516
|
declare const useAuth: () => AuthContextType;
|
|
502
517
|
|
|
@@ -523,7 +538,6 @@ interface AccountsContextValue {
|
|
|
523
538
|
}) => Promise<User | undefined>;
|
|
524
539
|
requestOTP: (data: OtpRequestRequest) => Promise<OtpRequestResponse>;
|
|
525
540
|
verifyOTP: (data: OtpVerifyRequest) => Promise<OtpVerifyResponse>;
|
|
526
|
-
refreshToken: (refresh: string) => Promise<TokenRefresh>;
|
|
527
541
|
logout: () => void;
|
|
528
542
|
}
|
|
529
543
|
interface AccountsProviderProps {
|
|
@@ -532,6 +546,8 @@ interface AccountsProviderProps {
|
|
|
532
546
|
declare function AccountsProvider({ children }: AccountsProviderProps): react_jsx_runtime.JSX.Element;
|
|
533
547
|
declare function useAccountsContext(): AccountsContextValue;
|
|
534
548
|
|
|
549
|
+
declare function useSession(): SessionSnapshot;
|
|
550
|
+
|
|
535
551
|
/**
|
|
536
552
|
* Universal Router Hook with BasePath Support
|
|
537
553
|
*
|
|
@@ -841,6 +857,17 @@ interface AuthRedirectOptions {
|
|
|
841
857
|
fallbackUrl?: string;
|
|
842
858
|
clearOnUse?: boolean;
|
|
843
859
|
}
|
|
860
|
+
/**
|
|
861
|
+
* Read the saved back-url without clearing it. Null when nothing saved —
|
|
862
|
+
* unlike getFinalRedirectUrl, never substitutes a fallback.
|
|
863
|
+
*/
|
|
864
|
+
declare const peekSavedRedirect: () => string | null;
|
|
865
|
+
/**
|
|
866
|
+
* Read AND clear the saved back-url (single-use intent). Null when nothing
|
|
867
|
+
* saved. This is the one primitive every post-auth navigator uses to honor
|
|
868
|
+
* "return the user to where the guard bounced them from".
|
|
869
|
+
*/
|
|
870
|
+
declare const consumeSavedRedirect: () => string | null;
|
|
844
871
|
declare const useAuthRedirectManager: (options?: AuthRedirectOptions) => {
|
|
845
872
|
redirectUrl: string;
|
|
846
873
|
setRedirect: (url: string) => void;
|
|
@@ -851,18 +878,6 @@ declare const useAuthRedirectManager: (options?: AuthRedirectOptions) => {
|
|
|
851
878
|
useAndClearRedirect: () => string;
|
|
852
879
|
};
|
|
853
880
|
|
|
854
|
-
interface UseAuthGuardOptions {
|
|
855
|
-
redirectTo?: string;
|
|
856
|
-
requireAuth?: boolean;
|
|
857
|
-
/** Whether to save current URL for redirect after auth (default: true) */
|
|
858
|
-
saveRedirectUrl?: boolean;
|
|
859
|
-
}
|
|
860
|
-
declare const useAuthGuard: (options?: UseAuthGuardOptions) => {
|
|
861
|
-
isAuthenticated: boolean;
|
|
862
|
-
isLoading: boolean;
|
|
863
|
-
isRedirecting: boolean;
|
|
864
|
-
};
|
|
865
|
-
|
|
866
881
|
/**
|
|
867
882
|
* Simple sessionStorage hook with better error handling
|
|
868
883
|
* @param key - Storage key
|
|
@@ -943,24 +958,6 @@ declare function getCacheMetadata(): {
|
|
|
943
958
|
expiresIn?: number;
|
|
944
959
|
} | null;
|
|
945
960
|
|
|
946
|
-
interface UseTokenRefreshOptions {
|
|
947
|
-
/** Enable automatic token refresh (default: true) */
|
|
948
|
-
enabled?: boolean;
|
|
949
|
-
/** Callback when token is refreshed */
|
|
950
|
-
onRefresh?: (newToken: string) => void;
|
|
951
|
-
/** Callback when refresh fails */
|
|
952
|
-
onRefreshError?: (error: Error) => void;
|
|
953
|
-
}
|
|
954
|
-
/**
|
|
955
|
-
* Hook for proactive automatic token refresh.
|
|
956
|
-
* (JWT expiry helpers live in ../utils/jwt so they can be unit-tested and
|
|
957
|
-
* reused by the auth-bootstrap validation path.)
|
|
958
|
-
*/
|
|
959
|
-
declare function useTokenRefresh(options?: UseTokenRefreshOptions): {
|
|
960
|
-
refreshToken: () => Promise<boolean>;
|
|
961
|
-
checkAndRefresh: () => Promise<void>;
|
|
962
|
-
};
|
|
963
|
-
|
|
964
961
|
interface DeleteAccountResult {
|
|
965
962
|
success: boolean;
|
|
966
963
|
message: string;
|
|
@@ -1044,48 +1041,6 @@ declare function resolveGuardIsLoading(s: GuardInput): boolean;
|
|
|
1044
1041
|
declare function shouldRedirectToAuth(s: GuardInput): boolean;
|
|
1045
1042
|
/** The effective authenticated flag the guard exposes to consumers. */
|
|
1046
1043
|
declare function resolveGuardIsAuthenticated(s: Pick<GuardInput, 'requireAuth' | 'isAuthenticated'>): boolean;
|
|
1047
|
-
/**
|
|
1048
|
-
* Delay (ms from `now`) until `isAuthenticated` should next be re-evaluated,
|
|
1049
|
-
* given the access/refresh expiry timestamps (ms epoch, or null if absent).
|
|
1050
|
-
*
|
|
1051
|
-
* `isAuthenticated` is derived from token `exp`, so it can change with no event
|
|
1052
|
-
* to trigger a recompute — a tab left open silently crosses an expiry boundary.
|
|
1053
|
-
* We schedule a wake-up at the SOONEST future expiry (the next moment the answer
|
|
1054
|
-
* could flip), plus a 1s cushion so we re-check strictly after the inclusive
|
|
1055
|
-
* boundary. Returns null when nothing live remains to expire (no timer needed).
|
|
1056
|
-
* Callers should clamp the result to the platform setTimeout ceiling.
|
|
1057
|
-
*/
|
|
1058
|
-
declare function nextAuthEvaluationDelay(accessExp: number | null, refreshExp: number | null, now: number): number | null;
|
|
1059
|
-
|
|
1060
|
-
/**
|
|
1061
|
-
* JWT inspection helpers (browser-safe, dependency-free).
|
|
1062
|
-
*
|
|
1063
|
-
* These decode ONLY the `exp` claim to reason about token freshness on the
|
|
1064
|
-
* client. They do NOT verify the signature — that is the server's job. The
|
|
1065
|
-
* point is purely to avoid firing doomed requests with a token we can already
|
|
1066
|
-
* see is malformed or expired, and to let auth bootstrap collapse a dead
|
|
1067
|
-
* session to the login form instead of hanging on a preloader.
|
|
1068
|
-
*
|
|
1069
|
-
* A JWT that cannot be decoded is treated as EXPIRED/invalid (fail-closed):
|
|
1070
|
-
* better to re-authenticate than to loop on 401s with garbage in storage.
|
|
1071
|
-
*/
|
|
1072
|
-
/**
|
|
1073
|
-
* Extract the `exp` claim (epoch ms), or null if the token is undecodable or
|
|
1074
|
-
* has no numeric `exp`.
|
|
1075
|
-
*/
|
|
1076
|
-
declare function getTokenExpiry(token: string | null | undefined): number | null;
|
|
1077
|
-
/**
|
|
1078
|
-
* True when the token is missing, malformed, or already past its `exp`.
|
|
1079
|
-
* `skewMs` treats a token expiring within the skew window as already expired
|
|
1080
|
-
* (default 0). Fail-closed: an undecodable token is considered expired.
|
|
1081
|
-
*/
|
|
1082
|
-
declare function isTokenExpired(token: string | null | undefined, skewMs?: number, now?: number): boolean;
|
|
1083
|
-
/**
|
|
1084
|
-
* True when a valid token exists but expires within `thresholdMs` (used by the
|
|
1085
|
-
* proactive refresher). A missing/undecodable token returns false here — that
|
|
1086
|
-
* case is handled by the "expired" path, not the "expiring soon" path.
|
|
1087
|
-
*/
|
|
1088
|
-
declare function isTokenExpiringSoon(token: string | null | undefined, thresholdMs: number, now?: number): boolean;
|
|
1089
1044
|
|
|
1090
1045
|
/**
|
|
1091
1046
|
* Path normalization for auth routing.
|
|
@@ -1156,4 +1111,4 @@ declare const Analytics: {
|
|
|
1156
1111
|
setUser(userId: string): void;
|
|
1157
1112
|
};
|
|
1158
1113
|
|
|
1159
|
-
export { AUTH_CONSTANTS, type AccountsContextValue, AccountsProvider, Analytics, AnalyticsCategory, type AnalyticsCategoryType, AnalyticsEvent, type AnalyticsEventType, type AuthConfig, AuthContext, type AuthContextType, type AuthFormAutoSubmit, type AuthFormReturn, type AuthFormState, type AuthFormStateHandlers, type AuthFormSubmitHandlers, type AuthFormValidation, AuthProvider, type AuthProviderProps, type AuthStep, type DeleteAccountResult, type GuardInput, type OTPRequestResult, type PatchedCfgUserUpdateRequest, PatchedCfgUserUpdateRequestSchema, type ProfileCacheOptions, type TwoFactorDevice, type TwoFactorSetupData, type UseAuthFormOptions, type UseAuthFormStateReturn, type UseAutoAuthOptions, type UseDeleteAccountReturn, type UseGithubAuthOptions, type UseGithubAuthReturn, type UseTwoFactorOptions, type UseTwoFactorReturn, type UseTwoFactorSetupOptions, type UseTwoFactorSetupReturn, type UseTwoFactorStatusReturn, type UserProfile, type WebmailLink, authLogger, clearProfileCache, decodeBase64, encodeBase64, formatAuthError, getCacheMetadata, getCachedProfile,
|
|
1114
|
+
export { AUTH_CONSTANTS, type AccountsContextValue, AccountsProvider, Analytics, AnalyticsCategory, type AnalyticsCategoryType, AnalyticsEvent, type AnalyticsEventType, type AuthConfig, AuthContext, type AuthContextType, type AuthFormAutoSubmit, type AuthFormReturn, type AuthFormState, type AuthFormStateHandlers, type AuthFormSubmitHandlers, type AuthFormValidation, AuthProvider, type AuthProviderProps, type AuthStep, type DeleteAccountResult, type GuardInput, type OTPRequestResult, type PatchedCfgUserUpdateRequest, PatchedCfgUserUpdateRequestSchema, type ProfileCacheOptions, type SessionSnapshot, type SessionStatus, type TwoFactorDevice, type TwoFactorSetupData, type UseAuthFormOptions, type UseAuthFormStateReturn, type UseAutoAuthOptions, type UseDeleteAccountReturn, type UseGithubAuthOptions, type UseGithubAuthReturn, type UseTwoFactorOptions, type UseTwoFactorReturn, type UseTwoFactorSetupOptions, type UseTwoFactorSetupReturn, type UseTwoFactorStatusReturn, type UserProfile, type WebmailLink, authLogger, clearProfileCache, consumeSavedRedirect, decodeBase64, encodeBase64, formatAuthError, getCacheMetadata, getCachedProfile, hasValidCache, isAllowedAuthPath, logger, normalizePath, peekSavedRedirect, resolveGuardIsAuthenticated, resolveGuardIsLoading, setCachedProfile, shouldRedirectToAuth, useAccountsContext, useAuth, useAuthForm, useAuthFormState, useAuthRedirectManager, useAuthValidation, useAutoAuth, useBase64, useCfgRouter, useDeleteAccount, useGithubAuth, useLocalStorage, useQueryParams, useSession, useSessionStorage, useTwoFactor, useTwoFactorSetup, useTwoFactorStatus, validateEmail, validateIdentifier };
|