@djangocfg/api 2.1.455 → 2.1.457

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (89) hide show
  1. package/dist/auth.cjs +1611 -2148
  2. package/dist/auth.cjs.map +1 -1
  3. package/dist/auth.d.cts +37 -82
  4. package/dist/auth.d.ts +37 -82
  5. package/dist/auth.mjs +1581 -2118
  6. package/dist/auth.mjs.map +1 -1
  7. package/dist/chunk-2G67QRNU.mjs +2096 -0
  8. package/dist/chunk-2G67QRNU.mjs.map +1 -0
  9. package/dist/chunk-32SRQGAC.mjs +2109 -0
  10. package/dist/chunk-32SRQGAC.mjs.map +1 -0
  11. package/dist/chunk-4BPRCONN.mjs +2098 -0
  12. package/dist/chunk-4BPRCONN.mjs.map +1 -0
  13. package/dist/chunk-5UZ2Z323.mjs +2021 -0
  14. package/dist/chunk-5UZ2Z323.mjs.map +1 -0
  15. package/dist/chunk-7KFTJXNM.mjs +2097 -0
  16. package/dist/chunk-7KFTJXNM.mjs.map +1 -0
  17. package/dist/chunk-BK4K5CVT.mjs +2019 -0
  18. package/dist/chunk-BK4K5CVT.mjs.map +1 -0
  19. package/dist/chunk-JLPJZ6WB.mjs +2020 -0
  20. package/dist/chunk-JLPJZ6WB.mjs.map +1 -0
  21. package/dist/chunk-TVU6PYJH.mjs +2032 -0
  22. package/dist/chunk-TVU6PYJH.mjs.map +1 -0
  23. package/dist/clients.cjs +292 -47
  24. package/dist/clients.cjs.map +1 -1
  25. package/dist/clients.d.cts +23 -0
  26. package/dist/clients.d.ts +23 -0
  27. package/dist/clients.mjs +292 -47
  28. package/dist/clients.mjs.map +1 -1
  29. package/dist/hooks.cjs +200 -32
  30. package/dist/hooks.cjs.map +1 -1
  31. package/dist/hooks.mjs +200 -32
  32. package/dist/hooks.mjs.map +1 -1
  33. package/dist/index.cjs +292 -47
  34. package/dist/index.cjs.map +1 -1
  35. package/dist/index.d.cts +81 -4
  36. package/dist/index.d.ts +81 -4
  37. package/dist/index.mjs +292 -47
  38. package/dist/index.mjs.map +1 -1
  39. package/dist/sdk.gen-2SQOPTWJ.mjs +26 -0
  40. package/dist/sdk.gen-2SQOPTWJ.mjs.map +1 -0
  41. package/dist/sdk.gen-HSGK4C5S.mjs +26 -0
  42. package/dist/sdk.gen-HSGK4C5S.mjs.map +1 -0
  43. package/dist/sdk.gen-NUK2VGHO.mjs +25 -0
  44. package/dist/sdk.gen-NUK2VGHO.mjs.map +1 -0
  45. package/dist/sdk.gen-O4KAQUZB.mjs +26 -0
  46. package/dist/sdk.gen-O4KAQUZB.mjs.map +1 -0
  47. package/dist/sdk.gen-PPAVSBNT.mjs +26 -0
  48. package/dist/sdk.gen-PPAVSBNT.mjs.map +1 -0
  49. package/dist/sdk.gen-XLHLOCJ2.mjs +25 -0
  50. package/dist/sdk.gen-XLHLOCJ2.mjs.map +1 -0
  51. package/dist/sdk.gen-ZOE6NQAL.mjs +26 -0
  52. package/dist/sdk.gen-ZOE6NQAL.mjs.map +1 -0
  53. package/dist/sdk.gen-ZT7LGJVO.mjs +26 -0
  54. package/dist/sdk.gen-ZT7LGJVO.mjs.map +1 -0
  55. package/package.json +2 -2
  56. package/src/_api/generated/_cfg_accounts/hooks/index.ts +1 -0
  57. package/src/_api/generated/_cfg_accounts/hooks/useCfgAccountsTokenBlacklistCreate.ts +28 -0
  58. package/src/_api/generated/_cfg_accounts/openapi.json +99 -0
  59. package/src/_api/generated/_cfg_accounts/schemas/TokenBlacklistRequest.ts +11 -0
  60. package/src/_api/generated/_cfg_accounts/schemas/index.ts +1 -0
  61. package/src/_api/generated/_cfg_centrifugo/openapi.json +9 -0
  62. package/src/_api/generated/_cfg_totp/openapi.json +33 -0
  63. package/src/_api/generated/helpers/auth.ts +288 -31
  64. package/src/_api/generated/openapi.json +129 -0
  65. package/src/_api/generated/sdk.gen.ts +94 -16
  66. package/src/_api/generated/types.gen.ts +18 -0
  67. package/src/auth/__tests__/guard.test.ts +0 -31
  68. package/src/auth/constants.ts +6 -0
  69. package/src/auth/context/AccountsContext.tsx +14 -24
  70. package/src/auth/context/AuthContext.tsx +263 -607
  71. package/src/auth/context/types.ts +13 -0
  72. package/src/auth/hooks/index.ts +8 -5
  73. package/src/auth/hooks/useAuthRedirect.ts +17 -0
  74. package/src/auth/hooks/useGithubAuth.ts +3 -3
  75. package/src/auth/hooks/useSession.ts +22 -0
  76. package/src/auth/hooks/useTwoFactor.ts +8 -6
  77. package/src/auth/middlewares/index.ts +5 -6
  78. package/src/auth/utils/guard.ts +0 -22
  79. package/src/auth/utils/index.ts +0 -2
  80. package/src/_api/generated/_cfg_accounts/events.ts +0 -198
  81. package/src/_api/generated/_cfg_centrifugo/events.ts +0 -198
  82. package/src/_api/generated/_cfg_totp/events.ts +0 -198
  83. package/src/auth/__tests__/jwt.test.ts +0 -119
  84. package/src/auth/__tests__/sessionBootstrap.test.ts +0 -111
  85. package/src/auth/__tests__/useTokenRefresh.dom.test.tsx +0 -167
  86. package/src/auth/hooks/useAuthGuard.ts +0 -35
  87. package/src/auth/hooks/useTokenRefresh.ts +0 -131
  88. package/src/auth/refreshHandler.ts +0 -79
  89. package/src/auth/utils/jwt.ts +0 -66
package/dist/auth.d.cts CHANGED
@@ -16,6 +16,14 @@ declare const AUTH_CONSTANTS: {
16
16
  readonly BACKUP_CODE_MAX_LENGTH: 12;
17
17
  };
18
18
 
19
+ type SessionStatus = 'authenticated' | 'anonymous';
20
+ type SessionSnapshot = {
21
+ /** 'authenticated' = a live access token OR a live refresh token exists. */
22
+ status: SessionStatus;
23
+ /** ms-epoch expiry of the current access token (null: no token / no exp). */
24
+ accessExpiresAt: number | null;
25
+ };
26
+
19
27
  /**
20
28
  * Nested serializer for Centrifugo WebSocket connection token.
21
29
  */
@@ -146,10 +154,6 @@ type PatchedCfgUserUpdateRequest = {
146
154
  */
147
155
  timezone?: string;
148
156
  };
149
- type TokenRefresh = {
150
- readonly access: string;
151
- refresh: string;
152
- };
153
157
  /**
154
158
  * Serializer for user details.
155
159
  */
@@ -439,11 +443,23 @@ interface AuthConfig {
439
443
  };
440
444
  onLogout?: () => void;
441
445
  }
446
+ /**
447
+ * AuthConfig.routes resolved against the framework conventions — no field is
448
+ * optional here. This is what components consume (via `useAuth().routes`)
449
+ * instead of defaulting to route constants themselves.
450
+ */
451
+ interface ResolvedAuthRoutes {
452
+ auth: string;
453
+ defaultCallback: string;
454
+ defaultAuthCallback: string;
455
+ }
442
456
  interface AuthContextType {
443
457
  user: UserProfile | null;
444
458
  isLoading: boolean;
445
459
  isAuthenticated: boolean;
446
460
  isAdminUser: boolean;
461
+ /** Resolved route conventions (config override or framework default). */
462
+ routes: ResolvedAuthRoutes;
447
463
  loadCurrentProfile: (callerId?: string) => Promise<void>;
448
464
  checkAuthAndRedirect: () => Promise<void>;
449
465
  getToken: () => string | null;
@@ -488,15 +504,14 @@ declare const AuthContext: React$1.Context<AuthContextType>;
488
504
  * AuthProvider — wraps AccountsProvider + AuthProviderInternal.
489
505
  *
490
506
  * Memoised: re-renders only when `config` reference or `children` change.
491
- * Internal auth state is isolated inside AuthProviderInternal.
492
507
  */
493
508
  declare function AuthProviderRaw({ children, config, enabled }: AuthProviderProps): react_jsx_runtime.JSX.Element;
494
509
  declare const AuthProvider: React$1.MemoExoticComponent<typeof AuthProviderRaw>;
495
510
  /**
496
- * Hook to access auth context
511
+ * Hook to access auth context.
497
512
  *
498
- * SSR-safe: Returns default unauthenticated state when called outside AuthProvider
499
- * (e.g., during static page generation or server-side rendering)
513
+ * SSR-safe: returns default unauthenticated state when called outside
514
+ * AuthProvider (e.g. during static page generation).
500
515
  */
501
516
  declare const useAuth: () => AuthContextType;
502
517
 
@@ -523,7 +538,6 @@ interface AccountsContextValue {
523
538
  }) => Promise<User | undefined>;
524
539
  requestOTP: (data: OtpRequestRequest) => Promise<OtpRequestResponse>;
525
540
  verifyOTP: (data: OtpVerifyRequest) => Promise<OtpVerifyResponse>;
526
- refreshToken: (refresh: string) => Promise<TokenRefresh>;
527
541
  logout: () => void;
528
542
  }
529
543
  interface AccountsProviderProps {
@@ -532,6 +546,8 @@ interface AccountsProviderProps {
532
546
  declare function AccountsProvider({ children }: AccountsProviderProps): react_jsx_runtime.JSX.Element;
533
547
  declare function useAccountsContext(): AccountsContextValue;
534
548
 
549
+ declare function useSession(): SessionSnapshot;
550
+
535
551
  /**
536
552
  * Universal Router Hook with BasePath Support
537
553
  *
@@ -841,6 +857,17 @@ interface AuthRedirectOptions {
841
857
  fallbackUrl?: string;
842
858
  clearOnUse?: boolean;
843
859
  }
860
+ /**
861
+ * Read the saved back-url without clearing it. Null when nothing saved —
862
+ * unlike getFinalRedirectUrl, never substitutes a fallback.
863
+ */
864
+ declare const peekSavedRedirect: () => string | null;
865
+ /**
866
+ * Read AND clear the saved back-url (single-use intent). Null when nothing
867
+ * saved. This is the one primitive every post-auth navigator uses to honor
868
+ * "return the user to where the guard bounced them from".
869
+ */
870
+ declare const consumeSavedRedirect: () => string | null;
844
871
  declare const useAuthRedirectManager: (options?: AuthRedirectOptions) => {
845
872
  redirectUrl: string;
846
873
  setRedirect: (url: string) => void;
@@ -851,18 +878,6 @@ declare const useAuthRedirectManager: (options?: AuthRedirectOptions) => {
851
878
  useAndClearRedirect: () => string;
852
879
  };
853
880
 
854
- interface UseAuthGuardOptions {
855
- redirectTo?: string;
856
- requireAuth?: boolean;
857
- /** Whether to save current URL for redirect after auth (default: true) */
858
- saveRedirectUrl?: boolean;
859
- }
860
- declare const useAuthGuard: (options?: UseAuthGuardOptions) => {
861
- isAuthenticated: boolean;
862
- isLoading: boolean;
863
- isRedirecting: boolean;
864
- };
865
-
866
881
  /**
867
882
  * Simple sessionStorage hook with better error handling
868
883
  * @param key - Storage key
@@ -943,24 +958,6 @@ declare function getCacheMetadata(): {
943
958
  expiresIn?: number;
944
959
  } | null;
945
960
 
946
- interface UseTokenRefreshOptions {
947
- /** Enable automatic token refresh (default: true) */
948
- enabled?: boolean;
949
- /** Callback when token is refreshed */
950
- onRefresh?: (newToken: string) => void;
951
- /** Callback when refresh fails */
952
- onRefreshError?: (error: Error) => void;
953
- }
954
- /**
955
- * Hook for proactive automatic token refresh.
956
- * (JWT expiry helpers live in ../utils/jwt so they can be unit-tested and
957
- * reused by the auth-bootstrap validation path.)
958
- */
959
- declare function useTokenRefresh(options?: UseTokenRefreshOptions): {
960
- refreshToken: () => Promise<boolean>;
961
- checkAndRefresh: () => Promise<void>;
962
- };
963
-
964
961
  interface DeleteAccountResult {
965
962
  success: boolean;
966
963
  message: string;
@@ -1044,48 +1041,6 @@ declare function resolveGuardIsLoading(s: GuardInput): boolean;
1044
1041
  declare function shouldRedirectToAuth(s: GuardInput): boolean;
1045
1042
  /** The effective authenticated flag the guard exposes to consumers. */
1046
1043
  declare function resolveGuardIsAuthenticated(s: Pick<GuardInput, 'requireAuth' | 'isAuthenticated'>): boolean;
1047
- /**
1048
- * Delay (ms from `now`) until `isAuthenticated` should next be re-evaluated,
1049
- * given the access/refresh expiry timestamps (ms epoch, or null if absent).
1050
- *
1051
- * `isAuthenticated` is derived from token `exp`, so it can change with no event
1052
- * to trigger a recompute — a tab left open silently crosses an expiry boundary.
1053
- * We schedule a wake-up at the SOONEST future expiry (the next moment the answer
1054
- * could flip), plus a 1s cushion so we re-check strictly after the inclusive
1055
- * boundary. Returns null when nothing live remains to expire (no timer needed).
1056
- * Callers should clamp the result to the platform setTimeout ceiling.
1057
- */
1058
- declare function nextAuthEvaluationDelay(accessExp: number | null, refreshExp: number | null, now: number): number | null;
1059
-
1060
- /**
1061
- * JWT inspection helpers (browser-safe, dependency-free).
1062
- *
1063
- * These decode ONLY the `exp` claim to reason about token freshness on the
1064
- * client. They do NOT verify the signature — that is the server's job. The
1065
- * point is purely to avoid firing doomed requests with a token we can already
1066
- * see is malformed or expired, and to let auth bootstrap collapse a dead
1067
- * session to the login form instead of hanging on a preloader.
1068
- *
1069
- * A JWT that cannot be decoded is treated as EXPIRED/invalid (fail-closed):
1070
- * better to re-authenticate than to loop on 401s with garbage in storage.
1071
- */
1072
- /**
1073
- * Extract the `exp` claim (epoch ms), or null if the token is undecodable or
1074
- * has no numeric `exp`.
1075
- */
1076
- declare function getTokenExpiry(token: string | null | undefined): number | null;
1077
- /**
1078
- * True when the token is missing, malformed, or already past its `exp`.
1079
- * `skewMs` treats a token expiring within the skew window as already expired
1080
- * (default 0). Fail-closed: an undecodable token is considered expired.
1081
- */
1082
- declare function isTokenExpired(token: string | null | undefined, skewMs?: number, now?: number): boolean;
1083
- /**
1084
- * True when a valid token exists but expires within `thresholdMs` (used by the
1085
- * proactive refresher). A missing/undecodable token returns false here — that
1086
- * case is handled by the "expired" path, not the "expiring soon" path.
1087
- */
1088
- declare function isTokenExpiringSoon(token: string | null | undefined, thresholdMs: number, now?: number): boolean;
1089
1044
 
1090
1045
  /**
1091
1046
  * Path normalization for auth routing.
@@ -1156,4 +1111,4 @@ declare const Analytics: {
1156
1111
  setUser(userId: string): void;
1157
1112
  };
1158
1113
 
1159
- export { AUTH_CONSTANTS, type AccountsContextValue, AccountsProvider, Analytics, AnalyticsCategory, type AnalyticsCategoryType, AnalyticsEvent, type AnalyticsEventType, type AuthConfig, AuthContext, type AuthContextType, type AuthFormAutoSubmit, type AuthFormReturn, type AuthFormState, type AuthFormStateHandlers, type AuthFormSubmitHandlers, type AuthFormValidation, AuthProvider, type AuthProviderProps, type AuthStep, type DeleteAccountResult, type GuardInput, type OTPRequestResult, type PatchedCfgUserUpdateRequest, PatchedCfgUserUpdateRequestSchema, type ProfileCacheOptions, type TwoFactorDevice, type TwoFactorSetupData, type UseAuthFormOptions, type UseAuthFormStateReturn, type UseAutoAuthOptions, type UseDeleteAccountReturn, type UseGithubAuthOptions, type UseGithubAuthReturn, type UseTwoFactorOptions, type UseTwoFactorReturn, type UseTwoFactorSetupOptions, type UseTwoFactorSetupReturn, type UseTwoFactorStatusReturn, type UserProfile, type WebmailLink, authLogger, clearProfileCache, decodeBase64, encodeBase64, formatAuthError, getCacheMetadata, getCachedProfile, getTokenExpiry, hasValidCache, isAllowedAuthPath, isTokenExpired, isTokenExpiringSoon, logger, nextAuthEvaluationDelay, normalizePath, resolveGuardIsAuthenticated, resolveGuardIsLoading, setCachedProfile, shouldRedirectToAuth, useAccountsContext, useAuth, useAuthForm, useAuthFormState, useAuthGuard, useAuthRedirectManager, useAuthValidation, useAutoAuth, useBase64, useCfgRouter, useDeleteAccount, useGithubAuth, useLocalStorage, useQueryParams, useSessionStorage, useTokenRefresh, useTwoFactor, useTwoFactorSetup, useTwoFactorStatus, validateEmail, validateIdentifier };
1114
+ export { AUTH_CONSTANTS, type AccountsContextValue, AccountsProvider, Analytics, AnalyticsCategory, type AnalyticsCategoryType, AnalyticsEvent, type AnalyticsEventType, type AuthConfig, AuthContext, type AuthContextType, type AuthFormAutoSubmit, type AuthFormReturn, type AuthFormState, type AuthFormStateHandlers, type AuthFormSubmitHandlers, type AuthFormValidation, AuthProvider, type AuthProviderProps, type AuthStep, type DeleteAccountResult, type GuardInput, type OTPRequestResult, type PatchedCfgUserUpdateRequest, PatchedCfgUserUpdateRequestSchema, type ProfileCacheOptions, type SessionSnapshot, type SessionStatus, type TwoFactorDevice, type TwoFactorSetupData, type UseAuthFormOptions, type UseAuthFormStateReturn, type UseAutoAuthOptions, type UseDeleteAccountReturn, type UseGithubAuthOptions, type UseGithubAuthReturn, type UseTwoFactorOptions, type UseTwoFactorReturn, type UseTwoFactorSetupOptions, type UseTwoFactorSetupReturn, type UseTwoFactorStatusReturn, type UserProfile, type WebmailLink, authLogger, clearProfileCache, consumeSavedRedirect, decodeBase64, encodeBase64, formatAuthError, getCacheMetadata, getCachedProfile, hasValidCache, isAllowedAuthPath, logger, normalizePath, peekSavedRedirect, resolveGuardIsAuthenticated, resolveGuardIsLoading, setCachedProfile, shouldRedirectToAuth, useAccountsContext, useAuth, useAuthForm, useAuthFormState, useAuthRedirectManager, useAuthValidation, useAutoAuth, useBase64, useCfgRouter, useDeleteAccount, useGithubAuth, useLocalStorage, useQueryParams, useSession, useSessionStorage, useTwoFactor, useTwoFactorSetup, useTwoFactorStatus, validateEmail, validateIdentifier };
package/dist/auth.d.ts CHANGED
@@ -16,6 +16,14 @@ declare const AUTH_CONSTANTS: {
16
16
  readonly BACKUP_CODE_MAX_LENGTH: 12;
17
17
  };
18
18
 
19
+ type SessionStatus = 'authenticated' | 'anonymous';
20
+ type SessionSnapshot = {
21
+ /** 'authenticated' = a live access token OR a live refresh token exists. */
22
+ status: SessionStatus;
23
+ /** ms-epoch expiry of the current access token (null: no token / no exp). */
24
+ accessExpiresAt: number | null;
25
+ };
26
+
19
27
  /**
20
28
  * Nested serializer for Centrifugo WebSocket connection token.
21
29
  */
@@ -146,10 +154,6 @@ type PatchedCfgUserUpdateRequest = {
146
154
  */
147
155
  timezone?: string;
148
156
  };
149
- type TokenRefresh = {
150
- readonly access: string;
151
- refresh: string;
152
- };
153
157
  /**
154
158
  * Serializer for user details.
155
159
  */
@@ -439,11 +443,23 @@ interface AuthConfig {
439
443
  };
440
444
  onLogout?: () => void;
441
445
  }
446
+ /**
447
+ * AuthConfig.routes resolved against the framework conventions — no field is
448
+ * optional here. This is what components consume (via `useAuth().routes`)
449
+ * instead of defaulting to route constants themselves.
450
+ */
451
+ interface ResolvedAuthRoutes {
452
+ auth: string;
453
+ defaultCallback: string;
454
+ defaultAuthCallback: string;
455
+ }
442
456
  interface AuthContextType {
443
457
  user: UserProfile | null;
444
458
  isLoading: boolean;
445
459
  isAuthenticated: boolean;
446
460
  isAdminUser: boolean;
461
+ /** Resolved route conventions (config override or framework default). */
462
+ routes: ResolvedAuthRoutes;
447
463
  loadCurrentProfile: (callerId?: string) => Promise<void>;
448
464
  checkAuthAndRedirect: () => Promise<void>;
449
465
  getToken: () => string | null;
@@ -488,15 +504,14 @@ declare const AuthContext: React$1.Context<AuthContextType>;
488
504
  * AuthProvider — wraps AccountsProvider + AuthProviderInternal.
489
505
  *
490
506
  * Memoised: re-renders only when `config` reference or `children` change.
491
- * Internal auth state is isolated inside AuthProviderInternal.
492
507
  */
493
508
  declare function AuthProviderRaw({ children, config, enabled }: AuthProviderProps): react_jsx_runtime.JSX.Element;
494
509
  declare const AuthProvider: React$1.MemoExoticComponent<typeof AuthProviderRaw>;
495
510
  /**
496
- * Hook to access auth context
511
+ * Hook to access auth context.
497
512
  *
498
- * SSR-safe: Returns default unauthenticated state when called outside AuthProvider
499
- * (e.g., during static page generation or server-side rendering)
513
+ * SSR-safe: returns default unauthenticated state when called outside
514
+ * AuthProvider (e.g. during static page generation).
500
515
  */
501
516
  declare const useAuth: () => AuthContextType;
502
517
 
@@ -523,7 +538,6 @@ interface AccountsContextValue {
523
538
  }) => Promise<User | undefined>;
524
539
  requestOTP: (data: OtpRequestRequest) => Promise<OtpRequestResponse>;
525
540
  verifyOTP: (data: OtpVerifyRequest) => Promise<OtpVerifyResponse>;
526
- refreshToken: (refresh: string) => Promise<TokenRefresh>;
527
541
  logout: () => void;
528
542
  }
529
543
  interface AccountsProviderProps {
@@ -532,6 +546,8 @@ interface AccountsProviderProps {
532
546
  declare function AccountsProvider({ children }: AccountsProviderProps): react_jsx_runtime.JSX.Element;
533
547
  declare function useAccountsContext(): AccountsContextValue;
534
548
 
549
+ declare function useSession(): SessionSnapshot;
550
+
535
551
  /**
536
552
  * Universal Router Hook with BasePath Support
537
553
  *
@@ -841,6 +857,17 @@ interface AuthRedirectOptions {
841
857
  fallbackUrl?: string;
842
858
  clearOnUse?: boolean;
843
859
  }
860
+ /**
861
+ * Read the saved back-url without clearing it. Null when nothing saved —
862
+ * unlike getFinalRedirectUrl, never substitutes a fallback.
863
+ */
864
+ declare const peekSavedRedirect: () => string | null;
865
+ /**
866
+ * Read AND clear the saved back-url (single-use intent). Null when nothing
867
+ * saved. This is the one primitive every post-auth navigator uses to honor
868
+ * "return the user to where the guard bounced them from".
869
+ */
870
+ declare const consumeSavedRedirect: () => string | null;
844
871
  declare const useAuthRedirectManager: (options?: AuthRedirectOptions) => {
845
872
  redirectUrl: string;
846
873
  setRedirect: (url: string) => void;
@@ -851,18 +878,6 @@ declare const useAuthRedirectManager: (options?: AuthRedirectOptions) => {
851
878
  useAndClearRedirect: () => string;
852
879
  };
853
880
 
854
- interface UseAuthGuardOptions {
855
- redirectTo?: string;
856
- requireAuth?: boolean;
857
- /** Whether to save current URL for redirect after auth (default: true) */
858
- saveRedirectUrl?: boolean;
859
- }
860
- declare const useAuthGuard: (options?: UseAuthGuardOptions) => {
861
- isAuthenticated: boolean;
862
- isLoading: boolean;
863
- isRedirecting: boolean;
864
- };
865
-
866
881
  /**
867
882
  * Simple sessionStorage hook with better error handling
868
883
  * @param key - Storage key
@@ -943,24 +958,6 @@ declare function getCacheMetadata(): {
943
958
  expiresIn?: number;
944
959
  } | null;
945
960
 
946
- interface UseTokenRefreshOptions {
947
- /** Enable automatic token refresh (default: true) */
948
- enabled?: boolean;
949
- /** Callback when token is refreshed */
950
- onRefresh?: (newToken: string) => void;
951
- /** Callback when refresh fails */
952
- onRefreshError?: (error: Error) => void;
953
- }
954
- /**
955
- * Hook for proactive automatic token refresh.
956
- * (JWT expiry helpers live in ../utils/jwt so they can be unit-tested and
957
- * reused by the auth-bootstrap validation path.)
958
- */
959
- declare function useTokenRefresh(options?: UseTokenRefreshOptions): {
960
- refreshToken: () => Promise<boolean>;
961
- checkAndRefresh: () => Promise<void>;
962
- };
963
-
964
961
  interface DeleteAccountResult {
965
962
  success: boolean;
966
963
  message: string;
@@ -1044,48 +1041,6 @@ declare function resolveGuardIsLoading(s: GuardInput): boolean;
1044
1041
  declare function shouldRedirectToAuth(s: GuardInput): boolean;
1045
1042
  /** The effective authenticated flag the guard exposes to consumers. */
1046
1043
  declare function resolveGuardIsAuthenticated(s: Pick<GuardInput, 'requireAuth' | 'isAuthenticated'>): boolean;
1047
- /**
1048
- * Delay (ms from `now`) until `isAuthenticated` should next be re-evaluated,
1049
- * given the access/refresh expiry timestamps (ms epoch, or null if absent).
1050
- *
1051
- * `isAuthenticated` is derived from token `exp`, so it can change with no event
1052
- * to trigger a recompute — a tab left open silently crosses an expiry boundary.
1053
- * We schedule a wake-up at the SOONEST future expiry (the next moment the answer
1054
- * could flip), plus a 1s cushion so we re-check strictly after the inclusive
1055
- * boundary. Returns null when nothing live remains to expire (no timer needed).
1056
- * Callers should clamp the result to the platform setTimeout ceiling.
1057
- */
1058
- declare function nextAuthEvaluationDelay(accessExp: number | null, refreshExp: number | null, now: number): number | null;
1059
-
1060
- /**
1061
- * JWT inspection helpers (browser-safe, dependency-free).
1062
- *
1063
- * These decode ONLY the `exp` claim to reason about token freshness on the
1064
- * client. They do NOT verify the signature — that is the server's job. The
1065
- * point is purely to avoid firing doomed requests with a token we can already
1066
- * see is malformed or expired, and to let auth bootstrap collapse a dead
1067
- * session to the login form instead of hanging on a preloader.
1068
- *
1069
- * A JWT that cannot be decoded is treated as EXPIRED/invalid (fail-closed):
1070
- * better to re-authenticate than to loop on 401s with garbage in storage.
1071
- */
1072
- /**
1073
- * Extract the `exp` claim (epoch ms), or null if the token is undecodable or
1074
- * has no numeric `exp`.
1075
- */
1076
- declare function getTokenExpiry(token: string | null | undefined): number | null;
1077
- /**
1078
- * True when the token is missing, malformed, or already past its `exp`.
1079
- * `skewMs` treats a token expiring within the skew window as already expired
1080
- * (default 0). Fail-closed: an undecodable token is considered expired.
1081
- */
1082
- declare function isTokenExpired(token: string | null | undefined, skewMs?: number, now?: number): boolean;
1083
- /**
1084
- * True when a valid token exists but expires within `thresholdMs` (used by the
1085
- * proactive refresher). A missing/undecodable token returns false here — that
1086
- * case is handled by the "expired" path, not the "expiring soon" path.
1087
- */
1088
- declare function isTokenExpiringSoon(token: string | null | undefined, thresholdMs: number, now?: number): boolean;
1089
1044
 
1090
1045
  /**
1091
1046
  * Path normalization for auth routing.
@@ -1156,4 +1111,4 @@ declare const Analytics: {
1156
1111
  setUser(userId: string): void;
1157
1112
  };
1158
1113
 
1159
- export { AUTH_CONSTANTS, type AccountsContextValue, AccountsProvider, Analytics, AnalyticsCategory, type AnalyticsCategoryType, AnalyticsEvent, type AnalyticsEventType, type AuthConfig, AuthContext, type AuthContextType, type AuthFormAutoSubmit, type AuthFormReturn, type AuthFormState, type AuthFormStateHandlers, type AuthFormSubmitHandlers, type AuthFormValidation, AuthProvider, type AuthProviderProps, type AuthStep, type DeleteAccountResult, type GuardInput, type OTPRequestResult, type PatchedCfgUserUpdateRequest, PatchedCfgUserUpdateRequestSchema, type ProfileCacheOptions, type TwoFactorDevice, type TwoFactorSetupData, type UseAuthFormOptions, type UseAuthFormStateReturn, type UseAutoAuthOptions, type UseDeleteAccountReturn, type UseGithubAuthOptions, type UseGithubAuthReturn, type UseTwoFactorOptions, type UseTwoFactorReturn, type UseTwoFactorSetupOptions, type UseTwoFactorSetupReturn, type UseTwoFactorStatusReturn, type UserProfile, type WebmailLink, authLogger, clearProfileCache, decodeBase64, encodeBase64, formatAuthError, getCacheMetadata, getCachedProfile, getTokenExpiry, hasValidCache, isAllowedAuthPath, isTokenExpired, isTokenExpiringSoon, logger, nextAuthEvaluationDelay, normalizePath, resolveGuardIsAuthenticated, resolveGuardIsLoading, setCachedProfile, shouldRedirectToAuth, useAccountsContext, useAuth, useAuthForm, useAuthFormState, useAuthGuard, useAuthRedirectManager, useAuthValidation, useAutoAuth, useBase64, useCfgRouter, useDeleteAccount, useGithubAuth, useLocalStorage, useQueryParams, useSessionStorage, useTokenRefresh, useTwoFactor, useTwoFactorSetup, useTwoFactorStatus, validateEmail, validateIdentifier };
1114
+ export { AUTH_CONSTANTS, type AccountsContextValue, AccountsProvider, Analytics, AnalyticsCategory, type AnalyticsCategoryType, AnalyticsEvent, type AnalyticsEventType, type AuthConfig, AuthContext, type AuthContextType, type AuthFormAutoSubmit, type AuthFormReturn, type AuthFormState, type AuthFormStateHandlers, type AuthFormSubmitHandlers, type AuthFormValidation, AuthProvider, type AuthProviderProps, type AuthStep, type DeleteAccountResult, type GuardInput, type OTPRequestResult, type PatchedCfgUserUpdateRequest, PatchedCfgUserUpdateRequestSchema, type ProfileCacheOptions, type SessionSnapshot, type SessionStatus, type TwoFactorDevice, type TwoFactorSetupData, type UseAuthFormOptions, type UseAuthFormStateReturn, type UseAutoAuthOptions, type UseDeleteAccountReturn, type UseGithubAuthOptions, type UseGithubAuthReturn, type UseTwoFactorOptions, type UseTwoFactorReturn, type UseTwoFactorSetupOptions, type UseTwoFactorSetupReturn, type UseTwoFactorStatusReturn, type UserProfile, type WebmailLink, authLogger, clearProfileCache, consumeSavedRedirect, decodeBase64, encodeBase64, formatAuthError, getCacheMetadata, getCachedProfile, hasValidCache, isAllowedAuthPath, logger, normalizePath, peekSavedRedirect, resolveGuardIsAuthenticated, resolveGuardIsLoading, setCachedProfile, shouldRedirectToAuth, useAccountsContext, useAuth, useAuthForm, useAuthFormState, useAuthRedirectManager, useAuthValidation, useAutoAuth, useBase64, useCfgRouter, useDeleteAccount, useGithubAuth, useLocalStorage, useQueryParams, useSession, useSessionStorage, useTwoFactor, useTwoFactorSetup, useTwoFactorStatus, validateEmail, validateIdentifier };