@djangocfg/api 2.1.57 → 2.1.59

package/dist/auth.cjs

@@ -39,6 +39,7 @@ __export(auth_exports, {
   authLogger: () => authLogger,
   clearProfileCache: () => clearProfileCache,
   decodeBase64: () => decodeBase64,
+  detectChannelFromIdentifier: () => detectChannelFromIdentifier,
   encodeBase64: () => encodeBase64,
   formatAuthError: () => formatAuthError,
   getCacheMetadata: () => getCacheMetadata,
@@ -49,14 +50,19 @@ __export(auth_exports, {
   useAccountsContext: () => useAccountsContext,
   useAuth: () => useAuth,
   useAuthForm: () => useAuthForm,
+  useAuthFormState: () => useAuthFormState,
   useAuthGuard: () => useAuthGuard,
   useAuthRedirectManager: () => useAuthRedirectManager,
+  useAuthValidation: () => useAuthValidation,
   useAutoAuth: () => useAutoAuth,
   useBase64: () => useBase64,
   useGithubAuth: () => useGithubAuth,
   useLocalStorage: () => useLocalStorage2,
   useSessionStorage: () => useSessionStorage,
-  validateEmail: () => validateEmail
+  useTwoFactor: () => useTwoFactor,
+  useTwoFactorSetup: () => useTwoFactorSetup,
+  validateEmail: () => validateEmail,
+  validateIdentifier: () => validateIdentifier
 });
 module.exports = __toCommonJS(auth_exports);
 
@@ -222,7 +228,10 @@ var Accounts = class {
     return response;
   }
   /**
-   * Verify OTP code and return JWT tokens.
+   * Verify OTP code and return JWT tokens or 2FA session. If user has 2FA
+   * enabled: - Returns requires_2fa=True with session_id - Client must
+   * complete 2FA verification at /cfg/totp/verify/ If user has no 2FA: -
+   * Returns JWT tokens and user data directly
    */
   async otpVerifyCreate(data) {
     const response = await this.client.request("POST", "/cfg/accounts/otp/verify/", { body: data });
@@ -236,7 +245,7 @@ var FetchAdapter = class {
     __name(this, "FetchAdapter");
   }
   async request(request) {
-    const { method, url, headers, body, params, formData } = request;
+    const { method, url, headers, body, params, formData, binaryBody } = request;
     let finalUrl = url;
     if (params) {
       const searchParams = new URLSearchParams();
@@ -254,6 +263,9 @@ var FetchAdapter = class {
     let requestBody;
     if (formData) {
       requestBody = formData;
+    } else if (binaryBody) {
+      finalHeaders["Content-Type"] = "application/octet-stream";
+      requestBody = binaryBody;
     } else if (body) {
       finalHeaders["Content-Type"] = "application/json";
       requestBody = JSON.stringify(body);
@@ -653,7 +665,7 @@ var APIClient = class {
     const headers = {
       ...options?.headers || {}
     };
-    if (!options?.formData && !headers["Content-Type"]) {
+    if (!options?.formData && !options?.binaryBody && !headers["Content-Type"]) {
       headers["Content-Type"] = "application/json";
     }
     if (this.logger) {
@@ -672,7 +684,8 @@ var APIClient = class {
         headers,
         params: options?.params,
         body: options?.body,
-        formData: options?.formData
+        formData: options?.formData,
+        binaryBody: options?.binaryBody
       });
       const duration = Date.now() - startTime;
       if (response.status >= 400) {
@@ -926,11 +939,14 @@ var OAuthProvidersResponseSchema = import_zod8.z.object({
 // src/generated/cfg_accounts/_utils/schemas/OAuthTokenResponse.schema.ts
 var import_zod9 = require("zod");
 var OAuthTokenResponseSchema = import_zod9.z.object({
-  access: import_zod9.z.string(),
-  refresh: import_zod9.z.string(),
-  user: import_zod9.z.record(import_zod9.z.string(), import_zod9.z.any()),
+  requires_2fa: import_zod9.z.boolean().optional(),
+  session_id: import_zod9.z.string().regex(/^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i).nullable().optional(),
+  access: import_zod9.z.string().nullable().optional(),
+  refresh: import_zod9.z.string().nullable().optional(),
+  user: import_zod9.z.record(import_zod9.z.string(), import_zod9.z.any()).nullable().optional(),
   is_new_user: import_zod9.z.boolean(),
-  is_new_connection: import_zod9.z.boolean()
+  is_new_connection: import_zod9.z.boolean(),
+  should_prompt_2fa: import_zod9.z.boolean().optional()
 });
 
 // src/generated/cfg_accounts/_utils/schemas/OTPErrorResponse.schema.ts
@@ -989,9 +1005,12 @@ var UserSchema = import_zod14.z.object({
 
 // src/generated/cfg_accounts/_utils/schemas/OTPVerifyResponse.schema.ts
 var OTPVerifyResponseSchema = import_zod15.z.object({
-  refresh: import_zod15.z.string(),
-  access: import_zod15.z.string(),
-  user: UserSchema
+  requires_2fa: import_zod15.z.boolean().optional(),
+  session_id: import_zod15.z.string().regex(/^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i).nullable().optional(),
+  refresh: import_zod15.z.string().nullable().optional(),
+  access: import_zod15.z.string().nullable().optional(),
+  user: UserSchema.nullable().optional(),
+  should_prompt_2fa: import_zod15.z.boolean().optional()
 });
 
 // src/generated/cfg_accounts/_utils/schemas/PatchedUserProfileUpdateRequest.schema.ts
@@ -1710,7 +1729,7 @@ var FetchAdapter2 = class {
     __name(this, "FetchAdapter");
   }
   async request(request) {
-    const { method, url, headers, body, params, formData } = request;
+    const { method, url, headers, body, params, formData, binaryBody } = request;
     let finalUrl = url;
     if (params) {
       const searchParams = new URLSearchParams();
@@ -1728,6 +1747,9 @@ var FetchAdapter2 = class {
     let requestBody;
     if (formData) {
       requestBody = formData;
+    } else if (binaryBody) {
+      finalHeaders["Content-Type"] = "application/octet-stream";
+      requestBody = binaryBody;
     } else if (body) {
       finalHeaders["Content-Type"] = "application/json";
       requestBody = JSON.stringify(body);
@@ -2127,7 +2149,7 @@ var APIClient2 = class {
     const headers = {
       ...options?.headers || {}
     };
-    if (!options?.formData && !headers["Content-Type"]) {
+    if (!options?.formData && !options?.binaryBody && !headers["Content-Type"]) {
       headers["Content-Type"] = "application/json";
     }
     if (this.logger) {
@@ -2146,7 +2168,8 @@ var APIClient2 = class {
         headers,
         params: options?.params,
         body: options?.body,
-        formData: options?.formData
+        formData: options?.formData,
+        binaryBody: options?.binaryBody
       });
       const duration = Date.now() - startTime;
       if (response.status >= 400) {
@@ -2807,7 +2830,7 @@ var FetchAdapter3 = class {
     __name(this, "FetchAdapter");
   }
   async request(request) {
-    const { method, url, headers, body, params, formData } = request;
+    const { method, url, headers, body, params, formData, binaryBody } = request;
     let finalUrl = url;
     if (params) {
       const searchParams = new URLSearchParams();
@@ -2825,6 +2848,9 @@ var FetchAdapter3 = class {
     let requestBody;
     if (formData) {
       requestBody = formData;
+    } else if (binaryBody) {
+      finalHeaders["Content-Type"] = "application/octet-stream";
+      requestBody = binaryBody;
     } else if (body) {
       finalHeaders["Content-Type"] = "application/json";
       requestBody = JSON.stringify(body);
@@ -3221,7 +3247,7 @@ var APIClient3 = class {
     const headers = {
       ...options?.headers || {}
     };
-    if (!options?.formData && !headers["Content-Type"]) {
+    if (!options?.formData && !options?.binaryBody && !headers["Content-Type"]) {
       headers["Content-Type"] = "application/json";
     }
     if (this.logger) {
@@ -3240,7 +3266,8 @@ var APIClient3 = class {
         headers,
         params: options?.params,
         body: options?.body,
-        formData: options?.formData
+        formData: options?.formData,
+        binaryBody: options?.binaryBody
       });
       const duration = Date.now() - startTime;
       if (response.status >= 400) {
@@ -4110,6 +4137,10 @@ function AccountsProvider({ children }) {
   }, "requestOTP");
   const verifyOTP = /* @__PURE__ */ __name(async (data) => {
     const result = await otpVerifyMutation(data, api);
+    if (result.requires_2fa && result.session_id) {
+      authLogger.info("2FA required, session:", result.session_id);
+      return result;
+    }
     if (result.access && result.refresh) {
       api.setToken(result.access, result.refresh);
       await refreshProfile("AccountsContext.verifyOTP");
@@ -4368,7 +4399,7 @@ var AuthProviderInternal = /* @__PURE__ */ __name(({ children, config }) => {
     [accounts]
   );
   const verifyOTP = (0, import_react3.useCallback)(
-    async (identifier, otpCode, channel, sourceUrl, redirectUrl) => {
+    async (identifier, otpCode, channel, sourceUrl, redirectUrl, skipRedirect) => {
       try {
         const channelValue = channel === "phone" ? enums_exports.OTPVerifyRequestChannel.PHONE : enums_exports.OTPVerifyRequestChannel.EMAIL;
         const result = await accounts.verifyOTP({
@@ -4376,6 +4407,16 @@ var AuthProviderInternal = /* @__PURE__ */ __name(({ children, config }) => {
           otp: otpCode,
           channel: channelValue
         });
+        if (result.requires_2fa && result.session_id) {
+          authLogger.info("2FA required, session:", result.session_id);
+          return {
+            success: true,
+            message: "OTP verified, 2FA required",
+            requires_2fa: true,
+            session_id: result.session_id,
+            should_prompt_2fa: result.should_prompt_2fa
+          };
+        }
         if (!result.access || !result.refresh) {
           authLogger.error("Verify OTP returned invalid response:", result);
           return {
@@ -4398,14 +4439,17 @@ var AuthProviderInternal = /* @__PURE__ */ __name(({ children, config }) => {
         if (result.user?.id) {
           Analytics.setUser(String(result.user.id));
         }
-        const savedRedirect = redirectManager.useAndClearRedirect();
-        const finalRedirectUrl = redirectUrl || savedRedirect || config?.routes?.defaultCallback || defaultRoutes.defaultCallback;
-        authLogger.info("Redirecting after auth to:", finalRedirectUrl);
-        router.hardPush(finalRedirectUrl);
+        if (!skipRedirect) {
+          const savedRedirect = redirectManager.useAndClearRedirect();
+          const finalRedirectUrl = redirectUrl || savedRedirect || config?.routes?.defaultCallback || defaultRoutes.defaultCallback;
+          authLogger.info("Redirecting after auth to:", finalRedirectUrl);
+          router.hardPush(finalRedirectUrl);
+        }
         return {
           success: true,
           message: "Login successful",
-          user: result.user
+          user: result.user,
+          should_prompt_2fa: result.should_prompt_2fa
         };
       } catch (error) {
         authLogger.error("Verify OTP error:", error);
@@ -4545,199 +4589,107 @@ var useAuth = /* @__PURE__ */ __name(() => {
   return context;
 }, "useAuth");
 
-// src/auth/hooks/useAuthGuard.ts
+// src/auth/hooks/useAuthFormState.ts
 var import_react4 = require("react");
-var import_hooks3 = require("@djangocfg/ui-nextjs/hooks");
-var useAuthGuard = /* @__PURE__ */ __name((options = {}) => {
-  const { redirectTo = "/auth", requireAuth = true, saveRedirectUrl: shouldSaveUrl = true } = options;
-  const { isAuthenticated, isLoading, saveRedirectUrl } = useAuth();
-  const router = (0, import_hooks3.useCfgRouter)();
-  const [isRedirecting, setIsRedirecting] = (0, import_react4.useState)(false);
-  (0, import_react4.useEffect)(() => {
-    if (!isLoading && requireAuth && !isAuthenticated && !isRedirecting) {
-      if (shouldSaveUrl && typeof window !== "undefined") {
-        const currentUrl = window.location.pathname + window.location.search;
-        saveRedirectUrl(currentUrl);
-      }
-      setIsRedirecting(true);
-      router.push(redirectTo);
-    }
-  }, [isAuthenticated, isLoading, router, redirectTo, requireAuth, isRedirecting, shouldSaveUrl, saveRedirectUrl]);
-  return { isAuthenticated, isLoading, isRedirecting };
-}, "useAuthGuard");
+var useAuthFormState = /* @__PURE__ */ __name((initialIdentifier = "", initialChannel = "email") => {
+  const [identifier, setIdentifier] = (0, import_react4.useState)(initialIdentifier);
+  const [channel, setChannel] = (0, import_react4.useState)(initialChannel);
+  const [otp, setOtp] = (0, import_react4.useState)("");
+  const [isLoading, setIsLoading] = (0, import_react4.useState)(false);
+  const [acceptedTerms, setAcceptedTerms] = (0, import_react4.useState)(false);
+  const [step, setStep] = (0, import_react4.useState)("identifier");
+  const [error, setError] = (0, import_react4.useState)("");
+  const [twoFactorSessionId, setTwoFactorSessionId] = (0, import_react4.useState)(null);
+  const [shouldPrompt2FA, setShouldPrompt2FA] = (0, import_react4.useState)(false);
+  const [twoFactorCode, setTwoFactorCode] = (0, import_react4.useState)("");
+  const [useBackupCode, setUseBackupCode] = (0, import_react4.useState)(false);
+  const clearError = (0, import_react4.useCallback)(() => setError(""), []);
+  return {
+    // State
+    identifier,
+    channel,
+    otp,
+    isLoading,
+    acceptedTerms,
+    step,
+    error,
+    twoFactorSessionId,
+    shouldPrompt2FA,
+    twoFactorCode,
+    useBackupCode,
+    // Handlers
+    setIdentifier,
+    setChannel,
+    setOtp,
+    setAcceptedTerms,
+    setError,
+    clearError,
+    setStep,
+    setIsLoading,
+    setTwoFactorSessionId,
+    setShouldPrompt2FA,
+    setTwoFactorCode,
+    setUseBackupCode
+  };
+}, "useAuthFormState");
 
-// src/auth/hooks/useLocalStorage.ts
+// src/auth/hooks/useAuthValidation.ts
 var import_react5 = require("react");
-function useLocalStorage2(key, initialValue) {
-  const [storedValue, setStoredValue] = (0, import_react5.useState)(() => {
-    if (typeof window === "undefined") {
-      return initialValue;
-    }
-    try {
-      const item = window.localStorage.getItem(key);
-      if (item === null) {
-        return initialValue;
-      }
-      try {
-        return JSON.parse(item);
-      } catch {
-        return item;
-      }
-    } catch (error) {
-      authLogger.error(`Error reading localStorage key "${key}":`, error);
-      return initialValue;
-    }
-  });
-  const checkDataSize = /* @__PURE__ */ __name((data) => {
-    try {
-      const jsonString = JSON.stringify(data);
-      const sizeInBytes = new Blob([jsonString]).size;
-      const sizeInKB = sizeInBytes / 1024;
-      if (sizeInKB > 1024) {
-        authLogger.warn(`Data size (${sizeInKB.toFixed(2)}KB) exceeds 1MB limit for key "${key}"`);
-        return false;
-      }
-      return true;
-    } catch (error) {
-      authLogger.error(`Error checking data size for key "${key}":`, error);
-      return false;
-    }
-  }, "checkDataSize");
-  const clearOldData = /* @__PURE__ */ __name(() => {
-    try {
-      const keys = Object.keys(localStorage).filter((key2) => key2 && typeof key2 === "string");
-      if (keys.length > 50) {
-        const itemsToRemove = Math.ceil(keys.length * 0.2);
-        for (let i = 0; i < itemsToRemove; i++) {
-          try {
-            const key2 = keys[i];
-            if (key2) {
-              localStorage.removeItem(key2);
-              localStorage.removeItem(`${key2}_timestamp`);
-            }
-          } catch {
-          }
-        }
-      }
-    } catch (error) {
-      authLogger.error("Error clearing old localStorage data:", error);
+var EMAIL_REGEX = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;
+var PHONE_REGEX = /^\+[1-9]\d{6,14}$/;
+var useAuthValidation = /* @__PURE__ */ __name(() => {
+  const detectChannelFromIdentifier2 = (0, import_react5.useCallback)((id) => {
+    if (!id) return null;
+    if (id.includes("@")) {
+      return "email";
     }
-  }, "clearOldData");
-  const forceClearAll = /* @__PURE__ */ __name(() => {
-    try {
-      const keys = Object.keys(localStorage);
-      for (const key2 of keys) {
-        try {
-          localStorage.removeItem(key2);
-        } catch {
-        }
-      }
-    } catch (error) {
-      authLogger.error("Error force clearing localStorage:", error);
+    if (id.startsWith("+") && PHONE_REGEX.test(id)) {
+      return "phone";
     }
-  }, "forceClearAll");
-  const setValue = /* @__PURE__ */ __name((value) => {
-    try {
-      const valueToStore = value instanceof Function ? value(storedValue) : value;
-      if (!checkDataSize(valueToStore)) {
-        authLogger.warn(`Data size too large for key "${key}", removing key`);
-        try {
-          window.localStorage.removeItem(key);
-          window.localStorage.removeItem(`${key}_timestamp`);
-        } catch {
-        }
-        setStoredValue(valueToStore);
-        return;
-      }
-      setStoredValue(valueToStore);
-      if (typeof window !== "undefined") {
-        try {
-          if (typeof valueToStore === "string") {
-            window.localStorage.setItem(key, valueToStore);
-          } else {
-            window.localStorage.setItem(key, JSON.stringify(valueToStore));
-          }
-          window.localStorage.setItem(`${key}_timestamp`, Date.now().toString());
-        } catch (storageError) {
-          if (storageError.name === "QuotaExceededError" || storageError.code === 22 || storageError.message?.includes("quota")) {
-            authLogger.warn("localStorage quota exceeded, clearing old data...");
-            clearOldData();
-            try {
-              if (typeof valueToStore === "string") {
-                window.localStorage.setItem(key, valueToStore);
-              } else {
-                window.localStorage.setItem(key, JSON.stringify(valueToStore));
-              }
-              window.localStorage.setItem(`${key}_timestamp`, Date.now().toString());
-            } catch (retryError) {
-              authLogger.error(`Failed to set localStorage key "${key}" after clearing old data:`, retryError);
-              try {
-                forceClearAll();
-                if (typeof valueToStore === "string") {
-                  window.localStorage.setItem(key, valueToStore);
-                } else {
-                  window.localStorage.setItem(key, JSON.stringify(valueToStore));
-                }
-                window.localStorage.setItem(`${key}_timestamp`, Date.now().toString());
-              } catch (finalError) {
-                authLogger.error(`Failed to set localStorage key "${key}" after force clearing:`, finalError);
-                setStoredValue(valueToStore);
-              }
-            }
-          } else {
-            throw storageError;
-          }
-        }
-      }
-    } catch (error) {
-      authLogger.error(`Error setting localStorage key "${key}":`, error);
-      const valueToStore = value instanceof Function ? value(storedValue) : value;
-      setStoredValue(valueToStore);
+    return null;
+  }, []);
+  const validateIdentifier2 = (0, import_react5.useCallback)((id, channelType) => {
+    if (!id) return false;
+    const channel = channelType || detectChannelFromIdentifier2(id);
+    if (channel === "email") {
+      return EMAIL_REGEX.test(id);
     }
-  }, "setValue");
-  const removeValue = /* @__PURE__ */ __name(() => {
-    try {
-      setStoredValue(initialValue);
-      if (typeof window !== "undefined") {
-        try {
-          window.localStorage.removeItem(key);
-          window.localStorage.removeItem(`${key}_timestamp`);
-        } catch (removeError) {
-          if (removeError.name === "QuotaExceededError" || removeError.code === 22 || removeError.message?.includes("quota")) {
-            authLogger.warn("localStorage quota exceeded during removal, clearing old data...");
-            clearOldData();
-            try {
-              window.localStorage.removeItem(key);
-              window.localStorage.removeItem(`${key}_timestamp`);
-            } catch (retryError) {
-              authLogger.error(`Failed to remove localStorage key "${key}" after clearing:`, retryError);
-              forceClearAll();
-            }
-          } else {
-            throw removeError;
-          }
-        }
-      }
-    } catch (error) {
-      authLogger.error(`Error removing localStorage key "${key}":`, error);
+    if (channel === "phone") {
+      return PHONE_REGEX.test(id);
     }
-  }, "removeValue");
-  return [storedValue, setValue, removeValue];
-}
-__name(useLocalStorage2, "useLocalStorage");
+    return false;
+  }, [detectChannelFromIdentifier2]);
+  return {
+    detectChannelFromIdentifier: detectChannelFromIdentifier2,
+    validateIdentifier: validateIdentifier2
+  };
+}, "useAuthValidation");
+var detectChannelFromIdentifier = /* @__PURE__ */ __name((id) => {
+  if (!id) return null;
+  if (id.includes("@")) return "email";
+  if (id.startsWith("+") && PHONE_REGEX.test(id)) return "phone";
+  return null;
+}, "detectChannelFromIdentifier");
+var validateIdentifier = /* @__PURE__ */ __name((id, channelType) => {
+  if (!id) return false;
+  const channel = channelType || detectChannelFromIdentifier(id);
+  if (channel === "email") return EMAIL_REGEX.test(id);
+  if (channel === "phone") return PHONE_REGEX.test(id);
+  return false;
+}, "validateIdentifier");
 
 // src/auth/hooks/useAuthForm.ts
-var import_react7 = require("react");
+var import_react8 = require("react");
 
 // src/auth/hooks/useAutoAuth.ts
 var import_navigation2 = require("next/navigation");
 var import_react6 = require("react");
-var import_hooks4 = require("@djangocfg/ui-nextjs/hooks");
+var import_hooks3 = require("@djangocfg/ui-nextjs/hooks");
 var useAutoAuth = /* @__PURE__ */ __name((options = {}) => {
   const { onOTPDetected, cleanupUrl = true, allowedPaths = ["/auth"] } = options;
-  const queryParams = (0, import_hooks4.useQueryParams)();
+  const queryParams = (0, import_hooks3.useQueryParams)();
   const pathname = (0, import_navigation2.usePathname)();
-  const router = (0, import_hooks4.useCfgRouter)();
+  const router = (0, import_hooks3.useCfgRouter)();
   const isAllowedPath = allowedPaths.some((path) => pathname === path || pathname?.startsWith(path + "/"));
   const hasOTP = !!queryParams.get("otp");
   const isReady = !!pathname && hasOTP && isAllowedPath;
@@ -4762,81 +4714,1275 @@ var useAutoAuth = /* @__PURE__ */ __name((options = {}) => {
   };
 }, "useAutoAuth");
 
-// src/auth/hooks/useAuthForm.ts
-var useAuthForm = /* @__PURE__ */ __name((options) => {
-  const { onIdentifierSuccess, onOTPSuccess, onError, sourceUrl, redirectUrl, requireTermsAcceptance = false, authPath = "/auth" } = options;
-  const [identifier, setIdentifier] = (0, import_react7.useState)("");
-  const [channel, setChannel] = (0, import_react7.useState)("email");
-  const [otp, setOtp] = (0, import_react7.useState)("");
-  const [isLoading, setIsLoading] = (0, import_react7.useState)(false);
-  const [acceptedTerms, setAcceptedTerms] = (0, import_react7.useState)(false);
-  const [step, setStep] = (0, import_react7.useState)("identifier");
-  const [error, setError] = (0, import_react7.useState)("");
-  const { requestOTP, verifyOTP, getSavedEmail, saveEmail, getSavedPhone, savePhone } = useAuth();
-  const [savedTermsAccepted, setSavedTermsAccepted] = useLocalStorage2("auth_terms_accepted", false);
-  const [savedEmail, setSavedEmail] = useLocalStorage2("auth_email", "");
-  const [savedPhone, setSavedPhone] = useLocalStorage2("auth_phone", "");
-  const detectChannelFromIdentifier = (0, import_react7.useCallback)((identifier2) => {
-    if (!identifier2) return null;
-    if (identifier2.includes("@")) {
-      return "email";
-    }
-    if (identifier2.startsWith("+") && /^\+[1-9]\d{6,14}$/.test(identifier2)) {
-      return "phone";
-    }
-    return null;
-  }, []);
-  const validateIdentifier = (0, import_react7.useCallback)((identifier2, channelType) => {
-    if (!identifier2) return false;
-    const detectedChannel = channelType || detectChannelFromIdentifier(identifier2);
-    if (detectedChannel === "email") {
-      return /^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(identifier2);
-    } else if (detectedChannel === "phone") {
-      return /^\+[1-9]\d{6,14}$/.test(identifier2);
-    }
-    return false;
-  }, [detectChannelFromIdentifier]);
-  (0, import_react7.useEffect)(() => {
-    const authSavedEmail = getSavedEmail();
-    const authSavedPhone = getSavedPhone();
-    if (authSavedPhone) {
-      setIdentifier(authSavedPhone);
-      setChannel("phone");
-    } else if (authSavedEmail) {
-      setIdentifier(authSavedEmail);
-      setChannel("email");
-    }
-    if (savedTermsAccepted) {
-      setAcceptedTerms(savedTermsAccepted);
-    }
-  }, [getSavedEmail, getSavedPhone, savedTermsAccepted]);
-  (0, import_react7.useEffect)(() => {
-    if (identifier) {
-      const detectedChannel = detectChannelFromIdentifier(identifier);
-      if (detectedChannel && detectedChannel !== channel) {
-        setChannel(detectedChannel);
-      }
-    }
-  }, [identifier, channel, detectChannelFromIdentifier]);
-  const clearError = (0, import_react7.useCallback)(() => setError(""), []);
-  const handleIdentifierSubmit = (0, import_react7.useCallback)(async (e) => {
-    e.preventDefault();
-    if (!identifier) {
-      const message = channel === "phone" ? "Please enter your phone number" : "Please enter your email address";
-      setError(message);
-      onError?.(message);
-      return;
+// src/auth/hooks/useTwoFactor.ts
+var import_react7 = require("react");
+var import_hooks4 = require("@djangocfg/ui-nextjs/hooks");
+
+// src/generated/cfg_totp/totp__backup_codes/client.ts
+var BackupCodes = class {
+  static {
+    __name(this, "BackupCodes");
+  }
+  constructor(client) {
+    this.client = client;
+  }
+  /**
+   * Get backup codes status for user.
+   */
+  async totpBackupCodesRetrieve() {
+    const response = await this.client.request("GET", "/cfg/totp/backup-codes/");
+    return response;
+  }
+  /**
+   * Regenerate backup codes. Requires TOTP code for verification.
+   * Invalidates all existing codes.
+   */
+  async totpBackupCodesRegenerateCreate(data) {
+    const response = await this.client.request("POST", "/cfg/totp/backup-codes/regenerate/", { body: data });
+    return response;
+  }
+};
+
+// src/generated/cfg_totp/totp__totp_management/client.ts
+var TotpManagement = class {
+  static {
+    __name(this, "TotpManagement");
+  }
+  constructor(client) {
+    this.client = client;
+  }
+  /**
+   * List all TOTP devices for user.
+   */
+  async totpDevicesList(...args) {
+    const isParamsObject = args.length === 1 && typeof args[0] === "object" && args[0] !== null && !Array.isArray(args[0]);
+    let params;
+    if (isParamsObject) {
+      params = args[0];
+    } else {
+      params = { page: args[0], page_size: args[1] };
     }
-    if (!validateIdentifier(identifier, channel)) {
-      const message = channel === "phone" ? "Please enter a valid phone number (e.g., +1234567890)" : "Please enter a valid email address";
-      setError(message);
-      onError?.(message);
-      return;
+    const response = await this.client.request("GET", "/cfg/totp/devices/", { params });
+    return response;
+  }
+  /**
+   * Completely disable 2FA for account. Requires verification code.
+   */
+  async totpDisableCreate(data) {
+    const response = await this.client.request("POST", "/cfg/totp/disable/", { body: data });
+    return response;
+  }
+};
+
+// src/generated/cfg_totp/totp__totp_setup/client.ts
+var TotpSetup = class {
+  static {
+    __name(this, "TotpSetup");
+  }
+  constructor(client) {
+    this.client = client;
+  }
+  /**
+   * Start 2FA setup process. Creates a new TOTP device and returns QR code
+   * for scanning.
+   */
+  async create(data) {
+    const response = await this.client.request("POST", "/cfg/totp/setup/", { body: data });
+    return response;
+  }
+  /**
+   * Confirm 2FA setup with first valid code. Activates the device and
+   * generates backup codes.
+   */
+  async confirmCreate(data) {
+    const response = await this.client.request("POST", "/cfg/totp/setup/confirm/", { body: data });
+    return response;
+  }
+};
+
+// src/generated/cfg_totp/totp__totp_verification/client.ts
+var TotpVerification = class {
+  static {
+    __name(this, "TotpVerification");
+  }
+  constructor(client) {
+    this.client = client;
+  }
+  /**
+   * Verify TOTP code for 2FA session. Completes authentication and returns
+   * JWT tokens on success.
+   */
+  async totpVerifyCreate(data) {
+    const response = await this.client.request("POST", "/cfg/totp/verify/", { body: data });
+    return response;
+  }
+  /**
+   * Verify backup recovery code for 2FA session. Alternative verification
+   * method when TOTP device unavailable.
+   */
+  async totpVerifyBackupCreate(data) {
+    const response = await this.client.request("POST", "/cfg/totp/verify/backup/", { body: data });
+    return response;
+  }
+};
+
+// src/generated/cfg_totp/totp/client.ts
+var Totp = class {
+  static {
+    __name(this, "Totp");
+  }
+  constructor(client) {
+    this.client = client;
+  }
+  /**
+   * Delete a TOTP device. Requires verification code if removing the
+   * last/primary device.
+   */
+  async devicesDestroy(id) {
+    const response = await this.client.request("DELETE", `/cfg/totp/devices/${id}/`);
+    return;
+  }
+};
+
+// src/generated/cfg_totp/http.ts
+var FetchAdapter4 = class {
+  static {
+    __name(this, "FetchAdapter");
+  }
+  async request(request) {
+    const { method, url, headers, body, params, formData, binaryBody } = request;
+    let finalUrl = url;
+    if (params) {
+      const searchParams = new URLSearchParams();
+      Object.entries(params).forEach(([key, value]) => {
+        if (value !== null && value !== void 0) {
+          searchParams.append(key, String(value));
+        }
+      });
+      const queryString = searchParams.toString();
+      if (queryString) {
+        finalUrl = url.includes("?") ? `${url}&${queryString}` : `${url}?${queryString}`;
+      }
+    }
+    const finalHeaders = { ...headers };
+    let requestBody;
+    if (formData) {
+      requestBody = formData;
+    } else if (binaryBody) {
+      finalHeaders["Content-Type"] = "application/octet-stream";
+      requestBody = binaryBody;
+    } else if (body) {
+      finalHeaders["Content-Type"] = "application/json";
+      requestBody = JSON.stringify(body);
+    }
+    const response = await fetch(finalUrl, {
+      method,
+      headers: finalHeaders,
+      body: requestBody,
+      credentials: "include"
+      // Include Django session cookies
+    });
+    let data = null;
+    const contentType = response.headers.get("content-type");
+    if (response.status !== 204 && contentType?.includes("application/json")) {
+      data = await response.json();
+    } else if (response.status !== 204) {
+      data = await response.text();
+    }
+    const responseHeaders = {};
+    response.headers.forEach((value, key) => {
+      responseHeaders[key] = value;
+    });
+    return {
+      data,
+      status: response.status,
+      statusText: response.statusText,
+      headers: responseHeaders
+    };
+  }
+};
+
+// src/generated/cfg_totp/errors.ts
+var APIError4 = class extends Error {
+  constructor(statusCode, statusText, response, url, message) {
+    super(message || `HTTP ${statusCode}: ${statusText}`);
+    this.statusCode = statusCode;
+    this.statusText = statusText;
+    this.response = response;
+    this.url = url;
+    this.name = "APIError";
+  }
+  static {
+    __name(this, "APIError");
+  }
+  /**
+   * Get error details from response.
+   * DRF typically returns: { "detail": "Error message" } or { "field": ["error1", "error2"] }
+   */
+  get details() {
+    if (typeof this.response === "object" && this.response !== null) {
+      return this.response;
+    }
+    return null;
+  }
+  /**
+   * Get field-specific validation errors from DRF.
+   * Returns: { "field_name": ["error1", "error2"], ... }
+   */
+  get fieldErrors() {
+    const details = this.details;
+    if (!details) return null;
+    const fieldErrors = {};
+    for (const [key, value] of Object.entries(details)) {
+      if (Array.isArray(value)) {
+        fieldErrors[key] = value;
+      }
+    }
+    return Object.keys(fieldErrors).length > 0 ? fieldErrors : null;
+  }
+  /**
+   * Get single error message from DRF.
+   * Checks for "detail", "message", or first field error.
+   */
+  get errorMessage() {
+    const details = this.details;
+    if (!details) return this.message;
+    if (details.detail) {
+      return Array.isArray(details.detail) ? details.detail.join(", ") : String(details.detail);
+    }
+    if (details.message) {
+      return String(details.message);
+    }
+    const fieldErrors = this.fieldErrors;
+    if (fieldErrors) {
+      const firstField = Object.keys(fieldErrors)[0];
+      if (firstField) {
+        return `${firstField}: ${fieldErrors[firstField]?.join(", ")}`;
+      }
+    }
+    return this.message;
+  }
+  // Helper methods for common HTTP status codes
+  get isValidationError() {
+    return this.statusCode === 400;
+  }
+  get isAuthError() {
+    return this.statusCode === 401;
+  }
+  get isPermissionError() {
+    return this.statusCode === 403;
+  }
+  get isNotFoundError() {
+    return this.statusCode === 404;
+  }
+  get isServerError() {
+    return this.statusCode >= 500 && this.statusCode < 600;
+  }
+};
+var NetworkError4 = class extends Error {
+  constructor(message, url, originalError) {
+    super(message);
+    this.url = url;
+    this.originalError = originalError;
+    this.name = "NetworkError";
+  }
+  static {
+    __name(this, "NetworkError");
+  }
+};
+
+// src/generated/cfg_totp/logger.ts
+var import_consola14 = require("consola");
+var DEFAULT_CONFIG4 = {
+  enabled: process.env.NODE_ENV !== "production",
+  logRequests: true,
+  logResponses: true,
+  logErrors: true,
+  logBodies: true,
+  logHeaders: false
+};
+var SENSITIVE_HEADERS4 = [
+  "authorization",
+  "cookie",
+  "set-cookie",
+  "x-api-key",
+  "x-csrf-token"
+];
+var APILogger4 = class {
+  static {
+    __name(this, "APILogger");
+  }
+  constructor(config = {}) {
+    this.config = { ...DEFAULT_CONFIG4, ...config };
+    this.consola = config.consola || (0, import_consola14.createConsola)({
+      level: this.config.enabled ? 4 : 0
+    });
+  }
+  /**
+   * Enable logging
+   */
+  enable() {
+    this.config.enabled = true;
+  }
+  /**
+   * Disable logging
+   */
+  disable() {
+    this.config.enabled = false;
+  }
+  /**
+   * Update configuration
+   */
+  setConfig(config) {
+    this.config = { ...this.config, ...config };
+  }
+  /**
+   * Filter sensitive headers
+   */
+  filterHeaders(headers) {
+    if (!headers) return {};
+    const filtered = {};
+    Object.keys(headers).forEach((key) => {
+      const lowerKey = key.toLowerCase();
+      if (SENSITIVE_HEADERS4.includes(lowerKey)) {
+        filtered[key] = "***";
+      } else {
+        filtered[key] = headers[key] || "";
+      }
+    });
+    return filtered;
+  }
+  /**
+   * Log request
+   */
+  logRequest(request) {
+    if (!this.config.enabled || !this.config.logRequests) return;
+    const { method, url, headers, body } = request;
+    this.consola.start(`${method} ${url}`);
+    if (this.config.logHeaders && headers) {
+      this.consola.debug("Headers:", this.filterHeaders(headers));
+    }
+    if (this.config.logBodies && body) {
+      this.consola.debug("Body:", body);
+    }
+  }
+  /**
+   * Log response
+   */
+  logResponse(request, response) {
+    if (!this.config.enabled || !this.config.logResponses) return;
+    const { method, url } = request;
+    const { status, statusText, data, duration } = response;
+    const statusColor = status >= 500 ? "red" : status >= 400 ? "yellow" : status >= 300 ? "cyan" : "green";
+    this.consola.success(
+      `${method} ${url} ${status} ${statusText} (${duration}ms)`
+    );
+    if (this.config.logBodies && data) {
+      this.consola.debug("Response:", data);
+    }
+  }
+  /**
+   * Log error
+   */
+  logError(request, error) {
+    if (!this.config.enabled || !this.config.logErrors) return;
+    const { method, url } = request;
+    const { message, statusCode, fieldErrors, duration } = error;
+    this.consola.error(
+      `${method} ${url} ${statusCode || "Network"} Error (${duration}ms)`
+    );
+    this.consola.error("Message:", message);
+    if (fieldErrors && Object.keys(fieldErrors).length > 0) {
+      this.consola.error("Field Errors:");
+      Object.entries(fieldErrors).forEach(([field, errors]) => {
+        errors.forEach((err) => {
+          this.consola.error(`  \u2022 ${field}: ${err}`);
+        });
+      });
+    }
+  }
+  /**
+   * Log general info
+   */
+  info(message, ...args) {
+    if (!this.config.enabled) return;
+    this.consola.info(message, ...args);
+  }
+  /**
+   * Log warning
+   */
+  warn(message, ...args) {
+    if (!this.config.enabled) return;
+    this.consola.warn(message, ...args);
+  }
+  /**
+   * Log error
+   */
+  error(message, ...args) {
+    if (!this.config.enabled) return;
+    this.consola.error(message, ...args);
+  }
+  /**
+   * Log debug
+   */
+  debug(message, ...args) {
+    if (!this.config.enabled) return;
+    this.consola.debug(message, ...args);
+  }
+  /**
+   * Log success
+   */
+  success(message, ...args) {
+    if (!this.config.enabled) return;
+    this.consola.success(message, ...args);
+  }
+  /**
+   * Create a sub-logger with prefix
+   */
+  withTag(tag) {
+    return this.consola.withTag(tag);
+  }
+};
+var defaultLogger4 = new APILogger4();
+
+// src/generated/cfg_totp/retry.ts
+var import_p_retry4 = __toESM(require("p-retry"), 1);
+var DEFAULT_RETRY_CONFIG4 = {
+  retries: 3,
+  factor: 2,
+  minTimeout: 1e3,
+  maxTimeout: 6e4,
+  randomize: true,
+  onFailedAttempt: /* @__PURE__ */ __name(() => {
+  }, "onFailedAttempt")
+};
+function shouldRetry4(error) {
+  if (error instanceof NetworkError4) {
+    return true;
+  }
+  if (error instanceof APIError4) {
+    const status = error.statusCode;
+    if (status >= 500 && status < 600) {
+      return true;
+    }
+    if (status === 429) {
+      return true;
+    }
+    return false;
+  }
+  return true;
+}
+__name(shouldRetry4, "shouldRetry");
+async function withRetry4(fn, config) {
+  const finalConfig = { ...DEFAULT_RETRY_CONFIG4, ...config };
+  return (0, import_p_retry4.default)(
+    async () => {
+      try {
+        return await fn();
+      } catch (error) {
+        if (!shouldRetry4(error)) {
+          throw new import_p_retry4.AbortError(error);
+        }
+        throw error;
+      }
+    },
+    {
+      retries: finalConfig.retries,
+      factor: finalConfig.factor,
+      minTimeout: finalConfig.minTimeout,
+      maxTimeout: finalConfig.maxTimeout,
+      randomize: finalConfig.randomize,
+      onFailedAttempt: finalConfig.onFailedAttempt ? (error) => {
+        const pRetryError = error;
+        finalConfig.onFailedAttempt({
+          error: pRetryError,
+          attemptNumber: pRetryError.attemptNumber,
+          retriesLeft: pRetryError.retriesLeft
+        });
+      } : void 0
+    }
+  );
+}
+__name(withRetry4, "withRetry");
+
+// src/generated/cfg_totp/client.ts
+var APIClient4 = class {
+  constructor(baseUrl, options) {
+    this.logger = null;
+    this.retryConfig = null;
+    this.baseUrl = baseUrl.replace(/\/$/, "");
+    this.httpClient = options?.httpClient || new FetchAdapter4();
+    if (options?.loggerConfig !== void 0) {
+      this.logger = new APILogger4(options.loggerConfig);
+    }
+    if (options?.retryConfig !== void 0) {
+      this.retryConfig = options.retryConfig;
+    }
+    this.backup_codes = new BackupCodes(this);
+    this.totp_management = new TotpManagement(this);
+    this.totp_setup = new TotpSetup(this);
+    this.totp_verification = new TotpVerification(this);
+    this.totp = new Totp(this);
+  }
+  static {
+    __name(this, "APIClient");
+  }
+  /**
+   * Get CSRF token from cookies (for SessionAuthentication).
+   *
+   * Returns null if cookie doesn't exist (JWT-only auth).
+   */
+  getCsrfToken() {
+    const name = "csrftoken";
+    const value = `; ${document.cookie}`;
+    const parts = value.split(`; ${name}=`);
+    if (parts.length === 2) {
+      return parts.pop()?.split(";").shift() || null;
+    }
+    return null;
+  }
+  /**
+   * Make HTTP request with Django CSRF and session handling.
+   * Automatically retries on network errors and 5xx server errors.
+   */
+  async request(method, path, options) {
+    if (this.retryConfig) {
+      return withRetry4(() => this._makeRequest(method, path, options), {
+        ...this.retryConfig,
+        onFailedAttempt: /* @__PURE__ */ __name((info) => {
+          if (this.logger) {
+            this.logger.warn(
+              `Retry attempt ${info.attemptNumber}/${info.retriesLeft + info.attemptNumber} for ${method} ${path}: ${info.error.message}`
+            );
+          }
+          this.retryConfig?.onFailedAttempt?.(info);
+        }, "onFailedAttempt")
+      });
+    }
+    return this._makeRequest(method, path, options);
+  }
+  /**
+   * Internal request method (without retry wrapper).
+   * Used by request() method with optional retry logic.
+   */
+  async _makeRequest(method, path, options) {
+    const url = this.baseUrl ? `${this.baseUrl}${path}` : path;
+    const startTime = Date.now();
+    const headers = {
+      ...options?.headers || {}
+    };
+    if (!options?.formData && !options?.binaryBody && !headers["Content-Type"]) {
+      headers["Content-Type"] = "application/json";
+    }
+    if (this.logger) {
+      this.logger.logRequest({
+        method,
+        url,
+        headers,
+        body: options?.formData || options?.body,
+        timestamp: startTime
+      });
+    }
+    try {
+      const response = await this.httpClient.request({
+        method,
+        url,
+        headers,
+        params: options?.params,
+        body: options?.body,
+        formData: options?.formData,
+        binaryBody: options?.binaryBody
+      });
+      const duration = Date.now() - startTime;
+      if (response.status >= 400) {
+        const error = new APIError4(
+          response.status,
+          response.statusText,
+          response.data,
+          url
+        );
+        if (this.logger) {
+          this.logger.logError(
+            {
+              method,
+              url,
+              headers,
+              body: options?.formData || options?.body,
+              timestamp: startTime
+            },
+            {
+              message: error.message,
+              statusCode: response.status,
+              duration,
+              timestamp: Date.now()
+            }
+          );
+        }
+        throw error;
+      }
+      if (this.logger) {
+        this.logger.logResponse(
+          {
+            method,
+            url,
+            headers,
+            body: options?.formData || options?.body,
+            timestamp: startTime
+          },
+          {
+            status: response.status,
+            statusText: response.statusText,
+            data: response.data,
+            duration,
+            timestamp: Date.now()
+          }
+        );
+      }
+      return response.data;
+    } catch (error) {
+      const duration = Date.now() - startTime;
+      if (error instanceof APIError4) {
+        throw error;
+      }
+      const isCORSError = error instanceof TypeError && (error.message.toLowerCase().includes("cors") || error.message.toLowerCase().includes("failed to fetch") || error.message.toLowerCase().includes("network request failed"));
+      if (this.logger) {
+        if (isCORSError) {
+          this.logger.error(`\u{1F6AB} CORS Error: ${method} ${url}`);
+          this.logger.error(`  \u2192 ${error instanceof Error ? error.message : String(error)}`);
+          this.logger.error(`  \u2192 Configure security_domains parameter on the server`);
+        } else {
+          this.logger.error(`\u26A0\uFE0F  Network Error: ${method} ${url}`);
+          this.logger.error(`  \u2192 ${error instanceof Error ? error.message : String(error)}`);
+        }
+      }
+      if (typeof window !== "undefined") {
+        try {
+          if (isCORSError) {
+            window.dispatchEvent(new CustomEvent("cors-error", {
+              detail: {
+                url,
+                method,
+                error: error instanceof Error ? error.message : String(error),
+                timestamp: /* @__PURE__ */ new Date()
+              },
+              bubbles: true,
+              cancelable: false
+            }));
+          } else {
+            window.dispatchEvent(new CustomEvent("network-error", {
+              detail: {
+                url,
+                method,
+                error: error instanceof Error ? error.message : String(error),
+                timestamp: /* @__PURE__ */ new Date()
+              },
+              bubbles: true,
+              cancelable: false
+            }));
+          }
+        } catch (eventError) {
+        }
+      }
+      const networkError = error instanceof Error ? new NetworkError4(error.message, url, error) : new NetworkError4("Unknown error", url);
+      if (this.logger) {
+        this.logger.logError(
+          {
+            method,
+            url,
+            headers,
+            body: options?.formData || options?.body,
+            timestamp: startTime
+          },
+          {
+            message: networkError.message,
+            duration,
+            timestamp: Date.now()
+          }
+        );
+      }
+      throw networkError;
+    }
+  }
+};
+
+// src/generated/cfg_totp/storage.ts
+var LocalStorageAdapter4 = class {
+  static {
+    __name(this, "LocalStorageAdapter");
+  }
+  constructor(logger2) {
+    this.logger = logger2;
+  }
+  getItem(key) {
+    try {
+      if (typeof window !== "undefined" && window.localStorage) {
+        const value = localStorage.getItem(key);
+        this.logger?.debug(`LocalStorage.getItem("${key}"): ${value ? "found" : "not found"}`);
+        return value;
+      }
+      this.logger?.warn("LocalStorage not available: window.localStorage is undefined");
+    } catch (error) {
+      this.logger?.error("LocalStorage.getItem failed:", error);
+    }
+    return null;
+  }
+  setItem(key, value) {
+    try {
+      if (typeof window !== "undefined" && window.localStorage) {
+        localStorage.setItem(key, value);
+        this.logger?.debug(`LocalStorage.setItem("${key}"): success`);
+      } else {
+        this.logger?.warn("LocalStorage not available: window.localStorage is undefined");
+      }
+    } catch (error) {
+      this.logger?.error("LocalStorage.setItem failed:", error);
+    }
+  }
+  removeItem(key) {
+    try {
+      if (typeof window !== "undefined" && window.localStorage) {
+        localStorage.removeItem(key);
+        this.logger?.debug(`LocalStorage.removeItem("${key}"): success`);
+      } else {
+        this.logger?.warn("LocalStorage not available: window.localStorage is undefined");
+      }
+    } catch (error) {
+      this.logger?.error("LocalStorage.removeItem failed:", error);
+    }
+  }
+};
+
+// src/generated/cfg_totp/enums.ts
+var DeviceListStatus = /* @__PURE__ */ ((DeviceListStatus2) => {
+  DeviceListStatus2["PENDING"] = "pending";
+  DeviceListStatus2["ACTIVE"] = "active";
+  DeviceListStatus2["DISABLED"] = "disabled";
+  return DeviceListStatus2;
+})(DeviceListStatus || {});
+
+// src/generated/cfg_totp/_utils/schemas/BackupCodesRegenerateRequest.schema.ts
+var import_zod60 = require("zod");
+var BackupCodesRegenerateRequestSchema = import_zod60.z.object({
+  code: import_zod60.z.string().min(6).max(6)
+});
+
+// src/generated/cfg_totp/_utils/schemas/BackupCodesRegenerateResponse.schema.ts
+var import_zod61 = require("zod");
+var BackupCodesRegenerateResponseSchema = import_zod61.z.object({
+  backup_codes: import_zod61.z.array(import_zod61.z.string()),
+  warning: import_zod61.z.string()
+});
+
+// src/generated/cfg_totp/_utils/schemas/BackupCodesStatus.schema.ts
+var import_zod62 = require("zod");
+var BackupCodesStatusSchema = import_zod62.z.object({
+  remaining_count: import_zod62.z.int(),
+  total_generated: import_zod62.z.int(),
+  warning: import_zod62.z.string().nullable().optional()
+});
+
+// src/generated/cfg_totp/_utils/schemas/ConfirmSetupRequest.schema.ts
+var import_zod63 = require("zod");
+var ConfirmSetupRequestSchema = import_zod63.z.object({
+  device_id: import_zod63.z.string().regex(/^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i),
+  code: import_zod63.z.string().min(6).max(6)
+});
+
+// src/generated/cfg_totp/_utils/schemas/ConfirmSetupResponse.schema.ts
+var import_zod64 = require("zod");
+var ConfirmSetupResponseSchema = import_zod64.z.object({
+  message: import_zod64.z.string(),
+  backup_codes: import_zod64.z.array(import_zod64.z.string()),
+  backup_codes_warning: import_zod64.z.string()
+});
+
+// src/generated/cfg_totp/_utils/schemas/DeviceList.schema.ts
+var import_zod65 = require("zod");
+var DeviceListSchema = import_zod65.z.object({
+  id: import_zod65.z.string().regex(/^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i),
+  name: import_zod65.z.string(),
+  is_primary: import_zod65.z.boolean(),
+  status: import_zod65.z.nativeEnum(DeviceListStatus),
+  created_at: import_zod65.z.iso.datetime(),
+  confirmed_at: import_zod65.z.iso.datetime().nullable(),
+  last_used_at: import_zod65.z.iso.datetime().nullable()
+});
+
+// src/generated/cfg_totp/_utils/schemas/DisableRequest.schema.ts
+var import_zod66 = require("zod");
+var DisableRequestSchema = import_zod66.z.object({
+  code: import_zod66.z.string().min(6).max(6)
+});
+
+// src/generated/cfg_totp/_utils/schemas/PaginatedDeviceListList.schema.ts
+var import_zod67 = require("zod");
+var PaginatedDeviceListListSchema = import_zod67.z.object({
+  count: import_zod67.z.int(),
+  page: import_zod67.z.int(),
+  pages: import_zod67.z.int(),
+  page_size: import_zod67.z.int(),
+  has_next: import_zod67.z.boolean(),
+  has_previous: import_zod67.z.boolean(),
+  next_page: import_zod67.z.int().nullable().optional(),
+  previous_page: import_zod67.z.int().nullable().optional(),
+  results: import_zod67.z.array(DeviceListSchema)
+});
+
+// src/generated/cfg_totp/_utils/schemas/SetupRequest.schema.ts
+var import_zod68 = require("zod");
+var SetupRequestSchema = import_zod68.z.object({
+  device_name: import_zod68.z.string().min(1).max(100).optional()
+});
+
+// src/generated/cfg_totp/_utils/schemas/SetupResponse.schema.ts
+var import_zod69 = require("zod");
+var SetupResponseSchema = import_zod69.z.object({
+  device_id: import_zod69.z.string().regex(/^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i),
+  secret: import_zod69.z.string(),
+  provisioning_uri: import_zod69.z.string(),
+  qr_code_base64: import_zod69.z.string(),
+  expires_in: import_zod69.z.int()
+});
+
+// src/generated/cfg_totp/_utils/schemas/VerifyBackupRequest.schema.ts
+var import_zod70 = require("zod");
+var VerifyBackupRequestSchema = import_zod70.z.object({
+  session_id: import_zod70.z.string().regex(/^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i),
+  backup_code: import_zod70.z.string().min(8).max(8)
+});
+
+// src/generated/cfg_totp/_utils/schemas/VerifyRequest.schema.ts
+var import_zod71 = require("zod");
+var VerifyRequestSchema = import_zod71.z.object({
+  session_id: import_zod71.z.string().regex(/^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i),
+  code: import_zod71.z.string().min(6).max(6)
+});
+
+// src/generated/cfg_totp/_utils/schemas/VerifyResponse.schema.ts
+var import_zod72 = require("zod");
+var VerifyResponseSchema = import_zod72.z.object({
+  message: import_zod72.z.string(),
+  access_token: import_zod72.z.string(),
+  refresh_token: import_zod72.z.string(),
+  user: import_zod72.z.record(import_zod72.z.string(), import_zod72.z.any()),
+  remaining_backup_codes: import_zod72.z.int().optional(),
+  warning: import_zod72.z.string().optional()
+});
+
+// src/generated/cfg_totp/_utils/fetchers/totp__backup_codes.ts
+var import_consola15 = require("consola");
+
+// src/generated/cfg_totp/_utils/fetchers/totp__totp_management.ts
+var import_consola16 = require("consola");
+
+// src/generated/cfg_totp/_utils/fetchers/totp__totp_setup.ts
+var import_consola17 = require("consola");
+
+// src/generated/cfg_totp/_utils/fetchers/totp__totp_verification.ts
+var import_consola18 = require("consola");
+
+// src/generated/cfg_totp/index.ts
+var TOKEN_KEY4 = "auth_token";
+var REFRESH_TOKEN_KEY4 = "refresh_token";
+var API4 = class {
+  constructor(baseUrl, options) {
+    this._token = null;
+    this._refreshToken = null;
+    this.baseUrl = baseUrl;
+    this.options = options;
+    const logger2 = options?.loggerConfig ? new APILogger4(options.loggerConfig) : void 0;
+    this.storage = options?.storage || new LocalStorageAdapter4(logger2);
+    this._loadTokensFromStorage();
+    this._client = new APIClient4(this.baseUrl, {
+      retryConfig: this.options?.retryConfig,
+      loggerConfig: this.options?.loggerConfig
+    });
+    this._injectAuthHeader();
+    this.backup_codes = this._client.backup_codes;
+    this.totp_management = this._client.totp_management;
+    this.totp_setup = this._client.totp_setup;
+    this.totp_verification = this._client.totp_verification;
+    this.totp = this._client.totp;
+  }
+  static {
+    __name(this, "API");
+  }
+  _loadTokensFromStorage() {
+    this._token = this.storage.getItem(TOKEN_KEY4);
+    this._refreshToken = this.storage.getItem(REFRESH_TOKEN_KEY4);
+  }
+  _reinitClients() {
+    this._client = new APIClient4(this.baseUrl, {
+      retryConfig: this.options?.retryConfig,
+      loggerConfig: this.options?.loggerConfig
+    });
+    this._injectAuthHeader();
+    this.backup_codes = this._client.backup_codes;
+    this.totp_management = this._client.totp_management;
+    this.totp_setup = this._client.totp_setup;
+    this.totp_verification = this._client.totp_verification;
+    this.totp = this._client.totp;
+  }
+  _injectAuthHeader() {
+    const originalRequest = this._client.request.bind(this._client);
+    this._client.request = async (method, path, options) => {
+      const token = this.getToken();
+      const mergedOptions = {
+        ...options,
+        headers: {
+          ...options?.headers || {},
+          ...token ? { "Authorization": `Bearer ${token}` } : {}
+        }
+      };
+      return originalRequest(method, path, mergedOptions);
+    };
+  }
+  /**
+   * Get current JWT token
+   */
+  getToken() {
+    return this.storage.getItem(TOKEN_KEY4);
+  }
+  /**
+   * Get current refresh token
+   */
+  getRefreshToken() {
+    return this.storage.getItem(REFRESH_TOKEN_KEY4);
+  }
+  /**
+   * Set JWT token and refresh token
+   * @param token - JWT access token
+   * @param refreshToken - JWT refresh token (optional)
+   */
+  setToken(token, refreshToken) {
+    this._token = token;
+    this.storage.setItem(TOKEN_KEY4, token);
+    if (refreshToken) {
+      this._refreshToken = refreshToken;
+      this.storage.setItem(REFRESH_TOKEN_KEY4, refreshToken);
+    }
+    this._reinitClients();
+  }
+  /**
+   * Clear all tokens
+   */
+  clearTokens() {
+    this._token = null;
+    this._refreshToken = null;
+    this.storage.removeItem(TOKEN_KEY4);
+    this.storage.removeItem(REFRESH_TOKEN_KEY4);
+    this._reinitClients();
+  }
+  /**
+   * Check if user is authenticated
+   */
+  isAuthenticated() {
+    return !!this.getToken();
+  }
+  /**
+   * Update base URL and reinitialize clients
+   * @param url - New base URL
+   */
+  setBaseUrl(url) {
+    this.baseUrl = url;
+    this._reinitClients();
+  }
+  /**
+   * Get current base URL
+   */
+  getBaseUrl() {
+    return this.baseUrl;
+  }
+  /**
+   * Get OpenAPI schema path
+   * @returns Path to the OpenAPI schema JSON file
+   *
+   * Note: The OpenAPI schema is available in the schema.json file.
+   * You can load it dynamically using:
+   * ```typescript
+   * const schema = await fetch('./schema.json').then(r => r.json());
+   * // or using fs in Node.js:
+   * // const schema = JSON.parse(fs.readFileSync('./schema.json', 'utf-8'));
+   * ```
+   */
+  getSchemaPath() {
+    return "./schema.json";
+  }
+};
+
+// src/generated/cfg_webpush/_utils/hooks/webpush__web_push.ts
+var import_swr7 = __toESM(require("swr"), 1);
+var import_swr8 = require("swr");
+
+// src/generated/cfg_centrifugo/_utils/hooks/centrifugo__centrifugo_admin_api.ts
+var import_swr9 = require("swr");
+
+// src/generated/cfg_centrifugo/_utils/hooks/centrifugo__centrifugo_auth.ts
+var import_swr10 = __toESM(require("swr"), 1);
+
+// src/generated/cfg_centrifugo/_utils/hooks/centrifugo__centrifugo_monitoring.ts
+var import_swr11 = __toESM(require("swr"), 1);
+
+// src/generated/cfg_centrifugo/_utils/hooks/centrifugo__centrifugo_testing.ts
+var import_swr12 = require("swr");
+
+// src/generated/cfg_totp/_utils/hooks/totp__backup_codes.ts
+var import_swr13 = __toESM(require("swr"), 1);
+var import_swr14 = require("swr");
+
+// src/generated/cfg_totp/_utils/hooks/totp__totp_management.ts
+var import_swr15 = __toESM(require("swr"), 1);
+var import_swr16 = require("swr");
+
+// src/generated/cfg_totp/_utils/hooks/totp__totp_setup.ts
+var import_swr17 = require("swr");
+
+// src/generated/cfg_totp/_utils/hooks/totp__totp_verification.ts
+var import_swr18 = require("swr");
+
+// src/generated/cfg_totp/_utils/hooks/totp.ts
+var import_swr19 = require("swr");
+
+// src/clients.ts
+var isStaticBuild3 = process.env.NEXT_PUBLIC_STATIC_BUILD === "true";
+var apiUrl2 = isStaticBuild3 ? "" : process.env.NEXT_PUBLIC_API_URL || "";
+var storage = new LocalStorageAdapter();
+var apiAccounts = new API(apiUrl2, { storage });
+var apiTotp = new API4(apiUrl2, { storage });
+var apiWebPush = new API3(apiUrl2, { storage });
+var apiCentrifugo = new API2(apiUrl2, { storage });
+
+// src/auth/hooks/useTwoFactor.ts
+var useTwoFactor = /* @__PURE__ */ __name((options = {}) => {
+  const { onSuccess, onError, redirectUrl, skipRedirect = false } = options;
+  const router = (0, import_hooks4.useCfgRouter)();
+  const [isLoading, setIsLoading] = (0, import_react7.useState)(false);
+  const [error, setError] = (0, import_react7.useState)(null);
+  const [warning, setWarning] = (0, import_react7.useState)(null);
+  const [remainingBackupCodes, setRemainingBackupCodes] = (0, import_react7.useState)(null);
+  const clearError = (0, import_react7.useCallback)(() => {
+    setError(null);
+  }, []);
+  const handleSuccess = (0, import_react7.useCallback)((response) => {
+    apiAccounts.setToken(response.access_token, response.refresh_token);
+    if (response.warning) {
+      setWarning(response.warning);
+    }
+    if (response.remaining_backup_codes !== void 0) {
+      setRemainingBackupCodes(response.remaining_backup_codes);
+    }
+    Analytics.event("auth_login_success" /* AUTH_LOGIN_SUCCESS */, {
+      category: "auth" /* AUTH */,
+      label: "2fa"
+    });
+    if (response.user?.id) {
+      Analytics.setUser(String(response.user.id));
+    }
+    onSuccess?.(response.user);
+    if (!skipRedirect) {
+      const finalRedirectUrl = redirectUrl || "/dashboard";
+      authLogger.info("2FA successful, redirecting to:", finalRedirectUrl);
+      router.hardPush(finalRedirectUrl);
+    }
+  }, [onSuccess, redirectUrl, router, skipRedirect]);
+  const verifyTOTP = (0, import_react7.useCallback)(async (sessionId, code) => {
+    if (!sessionId) {
+      const msg = "Missing 2FA session ID";
+      setError(msg);
+      onError?.(msg);
+      return false;
+    }
+    if (!code || code.length !== 6) {
+      const msg = "Please enter a 6-digit code";
+      setError(msg);
+      onError?.(msg);
+      return false;
+    }
+    setIsLoading(true);
+    setError(null);
+    try {
+      authLogger.info("Verifying TOTP code...");
+      const response = await apiTotp.totp_verification.totpVerifyCreate({
+        session_id: sessionId,
+        code
+      });
+      if (!response.access_token || !response.refresh_token) {
+        throw new Error("Invalid response from 2FA verification");
+      }
+      handleSuccess(response);
+      return true;
+    } catch (err) {
+      const errorMessage = err instanceof Error ? err.message : "Invalid verification code";
+      authLogger.error("2FA TOTP verification error:", err);
+      setError(errorMessage);
+      onError?.(errorMessage);
+      Analytics.event("auth_otp_verify_fail" /* AUTH_OTP_VERIFY_FAIL */, {
+        category: "auth" /* AUTH */,
+        label: "2fa-totp"
+      });
+      return false;
+    } finally {
+      setIsLoading(false);
+    }
+  }, [handleSuccess, onError]);
+  const verifyBackupCode = (0, import_react7.useCallback)(async (sessionId, backupCode) => {
+    if (!sessionId) {
+      const msg = "Missing 2FA session ID";
+      setError(msg);
+      onError?.(msg);
+      return false;
+    }
+    if (!backupCode || backupCode.length < 8) {
+      const msg = "Please enter your backup code";
+      setError(msg);
+      onError?.(msg);
+      return false;
+    }
+    setIsLoading(true);
+    setError(null);
+    try {
+      authLogger.info("Verifying backup code...");
+      const response = await apiTotp.totp_verification.totpVerifyBackupCreate({
+        session_id: sessionId,
+        backup_code: backupCode.replace(/\s+/g, "")
+        // Remove spaces
+      });
+      if (!response.access_token || !response.refresh_token) {
+        throw new Error("Invalid response from backup code verification");
+      }
+      handleSuccess(response);
+      return true;
+    } catch (err) {
+      const errorMessage = err instanceof Error ? err.message : "Invalid backup code";
+      authLogger.error("2FA backup code verification error:", err);
+      setError(errorMessage);
+      onError?.(errorMessage);
+      Analytics.event("auth_otp_verify_fail" /* AUTH_OTP_VERIFY_FAIL */, {
+        category: "auth" /* AUTH */,
+        label: "2fa-backup"
+      });
+      return false;
+    } finally {
+      setIsLoading(false);
+    }
+  }, [handleSuccess, onError]);
+  return {
+    isLoading,
+    error,
+    warning,
+    remainingBackupCodes,
+    verifyTOTP,
+    verifyBackupCode,
+    clearError
+  };
+}, "useTwoFactor");
+
+// src/auth/hooks/useAuthForm.ts
+var useAuthForm = /* @__PURE__ */ __name((options) => {
+  const {
+    onIdentifierSuccess,
+    onOTPSuccess,
+    onError,
+    sourceUrl,
+    redirectUrl,
+    requireTermsAcceptance = false,
+    authPath = "/auth"
+  } = options;
+  const formState = useAuthFormState();
+  const validation = useAuthValidation();
+  const isAutoSubmitFromUrlRef = (0, import_react8.useRef)(false);
+  const {
+    requestOTP,
+    verifyOTP,
+    getSavedEmail,
+    saveEmail,
+    clearSavedEmail,
+    getSavedPhone,
+    savePhone,
+    clearSavedPhone
+  } = useAuth();
+  const {
+    identifier,
+    channel,
+    otp,
+    isLoading,
+    acceptedTerms,
+    twoFactorSessionId,
+    twoFactorCode,
+    useBackupCode,
+    setIdentifier,
+    setChannel,
+    setOtp,
+    setStep,
+    setError,
+    setIsLoading,
+    clearError,
+    setTwoFactorSessionId,
+    setShouldPrompt2FA,
+    setTwoFactorCode,
+    setUseBackupCode
+  } = formState;
+  const twoFactor = useTwoFactor({
+    onSuccess: /* @__PURE__ */ __name(() => {
+      authLogger.info("2FA verification successful, showing success screen");
+      setStep("success");
+      onOTPSuccess?.();
+    }, "onSuccess"),
+    onError: /* @__PURE__ */ __name((error) => {
+      setError(error);
+      onError?.(error);
+    }, "onError"),
+    redirectUrl,
+    skipRedirect: true
+    // We handle navigation via success step
+  });
+  const { detectChannelFromIdentifier: detectChannelFromIdentifier2, validateIdentifier: validateIdentifier2 } = validation;
+  const saveIdentifierToStorage = (0, import_react8.useCallback)((id, ch) => {
+    if (ch === "email") {
+      saveEmail(id);
+      clearSavedPhone();
+    } else {
+      savePhone(id);
+      clearSavedEmail();
+    }
+  }, [saveEmail, savePhone, clearSavedEmail, clearSavedPhone]);
+  (0, import_react8.useEffect)(() => {
+    const savedPhone = getSavedPhone();
+    const savedEmail = getSavedEmail();
+    if (savedPhone) {
+      setIdentifier(savedPhone);
+      setChannel("phone");
+    } else if (savedEmail) {
+      setIdentifier(savedEmail);
+      setChannel("email");
+    }
+  }, [getSavedEmail, getSavedPhone, setIdentifier, setChannel]);
+  (0, import_react8.useEffect)(() => {
+    if (identifier) {
+      const detected = detectChannelFromIdentifier2(identifier);
+      if (detected && detected !== channel) {
+        setChannel(detected);
+      }
+    }
+  }, [identifier, channel, detectChannelFromIdentifier2, setChannel]);
+  const handleIdentifierSubmit = (0, import_react8.useCallback)(async (e) => {
+    e.preventDefault();
+    if (!identifier) {
+      const msg = channel === "phone" ? "Please enter your phone number" : "Please enter your email address";
+      setError(msg);
+      onError?.(msg);
+      return;
+    }
+    if (!validateIdentifier2(identifier, channel)) {
+      const msg = channel === "phone" ? "Please enter a valid phone number (e.g., +1234567890)" : "Please enter a valid email address";
+      setError(msg);
+      onError?.(msg);
+      return;
     }
     if (requireTermsAcceptance && !acceptedTerms) {
-      const message = "Please accept the Terms of Service and Privacy Policy";
-      setError(message);
-      onError?.(message);
+      const msg = "Please accept the Terms of Service and Privacy Policy";
+      setError(msg);
+      onError?.(msg);
       return;
     }
     setIsLoading(true);
@@ -4844,185 +5990,206 @@ var useAuthForm = /* @__PURE__ */ __name((options) => {
     try {
       const result = await requestOTP(identifier, channel, sourceUrl);
       if (result.success) {
-        if (channel === "email") {
-          saveEmail(identifier);
-          setSavedPhone("");
-        } else if (channel === "phone") {
-          savePhone(identifier);
-          setSavedEmail("");
-        }
-        setSavedTermsAccepted(true);
+        saveIdentifierToStorage(identifier, channel);
         setStep("otp");
         onIdentifierSuccess?.(identifier, channel);
       } else {
         setError(result.message);
         onError?.(result.message);
       }
-    } catch (error2) {
-      const message = "An unexpected error occurred";
-      setError(message);
-      onError?.(message);
+    } catch {
+      const msg = "An unexpected error occurred";
+      setError(msg);
+      onError?.(msg);
     } finally {
       setIsLoading(false);
     }
-  }, [identifier, channel, acceptedTerms, validateIdentifier, requestOTP, saveEmail, clearError, setSavedTermsAccepted, onIdentifierSuccess, onError, sourceUrl]);
-  const handleOTPSubmit = (0, import_react7.useCallback)(async (e) => {
-    e.preventDefault();
-    if (!otp || otp.length < 6) {
-      const message = "Please enter the 6-digit verification code";
-      setError(message);
-      onError?.(message);
-      return;
+  }, [
+    identifier,
+    channel,
+    acceptedTerms,
+    requireTermsAcceptance,
+    validateIdentifier2,
+    requestOTP,
+    saveIdentifierToStorage,
+    setError,
+    setIsLoading,
+    setStep,
+    clearError,
+    onIdentifierSuccess,
+    onError,
+    sourceUrl
+  ]);
+  const submitOTP = (0, import_react8.useCallback)(async (submitIdentifier, submitOtp, submitChannel) => {
+    if (!submitOtp || submitOtp.length < 6) {
+      const msg = "Please enter the 6-digit verification code";
+      setError(msg);
+      onError?.(msg);
+      return false;
     }
     setIsLoading(true);
     clearError();
     try {
-      const result = await verifyOTP(identifier, otp, channel, sourceUrl, redirectUrl);
+      const result = await verifyOTP(submitIdentifier, submitOtp, submitChannel, sourceUrl, redirectUrl, true);
+      if (result.requires_2fa && result.session_id) {
+        authLogger.info("2FA required after OTP verification");
+        setTwoFactorSessionId(result.session_id);
+        setShouldPrompt2FA(result.should_prompt_2fa || false);
+        setStep("2fa");
+        saveIdentifierToStorage(submitIdentifier, submitChannel);
+        return true;
+      }
       if (result.success) {
-        if (channel === "email") {
-          setSavedEmail(identifier);
-          setSavedPhone("");
-        } else if (channel === "phone") {
-          setSavedPhone(identifier);
-          setSavedEmail("");
+        saveIdentifierToStorage(submitIdentifier, submitChannel);
+        if (result.should_prompt_2fa) {
+          authLogger.info("OTP verification successful, prompting 2FA setup");
+          setShouldPrompt2FA(true);
+          setStep("2fa-setup");
+          onOTPSuccess?.();
+          return true;
         }
+        authLogger.info("OTP verification successful, showing success screen");
+        setStep("success");
         onOTPSuccess?.();
+        return true;
       } else {
         setError(result.message);
         onError?.(result.message);
+        return false;
       }
-    } catch (error2) {
-      const message = "An unexpected error occurred";
-      setError(message);
-      onError?.(message);
+    } catch {
+      const msg = "An unexpected error occurred";
+      setError(msg);
+      onError?.(msg);
+      return false;
     } finally {
       setIsLoading(false);
     }
-  }, [identifier, otp, channel, verifyOTP, clearError, setSavedEmail, onOTPSuccess, onError, sourceUrl, redirectUrl]);
-  const handleResendOTP = (0, import_react7.useCallback)(async () => {
+  }, [verifyOTP, saveIdentifierToStorage, setError, setIsLoading, clearError, onOTPSuccess, onError, sourceUrl, redirectUrl, setTwoFactorSessionId, setShouldPrompt2FA, setStep]);
+  const handleOTPSubmit = (0, import_react8.useCallback)(async (e) => {
+    e.preventDefault();
+    await submitOTP(identifier, otp, channel);
+  }, [identifier, otp, channel, submitOTP]);
+  const handleResendOTP = (0, import_react8.useCallback)(async () => {
     setIsLoading(true);
     clearError();
     try {
       const result = await requestOTP(identifier, channel, sourceUrl);
       if (result.success) {
-        if (channel === "email") {
-          saveEmail(identifier);
-          setSavedPhone("");
-        } else if (channel === "phone") {
-          savePhone(identifier);
-          setSavedEmail("");
-        }
+        saveIdentifierToStorage(identifier, channel);
         setOtp("");
       } else {
         setError(result.message);
         onError?.(result.message);
       }
-    } catch (error2) {
-      const message = "Failed to resend verification code";
-      setError(message);
-      onError?.(message);
+    } catch {
+      const msg = "Failed to resend verification code";
+      setError(msg);
+      onError?.(msg);
     } finally {
       setIsLoading(false);
     }
-  }, [identifier, channel, requestOTP, saveEmail, clearError, setOtp, onError, sourceUrl]);
-  const handleBackToIdentifier = (0, import_react7.useCallback)(() => {
+  }, [identifier, channel, requestOTP, saveIdentifierToStorage, setOtp, setError, setIsLoading, clearError, onError, sourceUrl]);
+  const handleBackToIdentifier = (0, import_react8.useCallback)(() => {
     setStep("identifier");
     clearError();
-  }, [clearError]);
-  const forceOTPStep = (0, import_react7.useCallback)(() => {
+  }, [setStep, clearError]);
+  const forceOTPStep = (0, import_react8.useCallback)(() => {
     setStep("otp");
     clearError();
-  }, [clearError]);
-  const handleAcceptedTermsChange = (0, import_react7.useCallback)((checked) => {
-    setAcceptedTerms(checked);
-    setSavedTermsAccepted(checked);
-  }, [setSavedTermsAccepted]);
+  }, [setStep, clearError]);
+  const handle2FASubmit = (0, import_react8.useCallback)(async (e) => {
+    e.preventDefault();
+    if (!twoFactorSessionId) {
+      const msg = "Missing 2FA session";
+      setError(msg);
+      onError?.(msg);
+      return;
+    }
+    if (useBackupCode) {
+      await twoFactor.verifyBackupCode(twoFactorSessionId, twoFactorCode);
+    } else {
+      await twoFactor.verifyTOTP(twoFactorSessionId, twoFactorCode);
+    }
+  }, [twoFactorSessionId, twoFactorCode, useBackupCode, twoFactor, setError, onError]);
+  const handleUseBackupCode = (0, import_react8.useCallback)(() => {
+    setUseBackupCode(true);
+    setTwoFactorCode("");
+    clearError();
+  }, [setUseBackupCode, setTwoFactorCode, clearError]);
+  const handleUseTOTP = (0, import_react8.useCallback)(() => {
+    setUseBackupCode(false);
+    setTwoFactorCode("");
+    clearError();
+  }, [setUseBackupCode, setTwoFactorCode, clearError]);
   useAutoAuth({
-    allowedPaths: [authPath],
-    onOTPDetected: /* @__PURE__ */ __name((otp2) => {
-      authLogger.info("OTP detected, auto-submitting");
-      const savedEmail2 = getSavedEmail();
-      const savedPhone2 = getSavedPhone();
-      if (savedPhone2) {
-        setIdentifier(savedPhone2);
-        setChannel("phone");
-      } else if (savedEmail2) {
-        setIdentifier(savedEmail2);
-        setChannel("email");
-      }
-      setOtp(otp2);
-      setStep("otp");
-      setTimeout(() => {
-        const fakeEvent = { preventDefault: /* @__PURE__ */ __name(() => {
-        }, "preventDefault") };
-        handleOTPSubmit(fakeEvent);
-      }, 200);
-    }, "onOTPDetected"),
-    cleanupUrl: true
-  });
-  return {
-    // Form state
-    identifier,
-    channel,
-    otp,
-    isLoading,
-    acceptedTerms,
-    step,
-    error,
-    // Form handlers
-    setIdentifier,
-    setChannel,
-    setOtp,
-    setAcceptedTerms: handleAcceptedTermsChange,
-    setError,
-    clearError,
-    // Auth handlers
+    allowedPaths: [authPath],
+    onOTPDetected: /* @__PURE__ */ __name((detectedOtp) => {
+      if (isAutoSubmitFromUrlRef.current || isLoading) return;
+      isAutoSubmitFromUrlRef.current = true;
+      authLogger.info("OTP detected from URL, auto-submitting");
+      const savedPhone = getSavedPhone();
+      const savedEmail = getSavedEmail();
+      let autoIdentifier = "";
+      let autoChannel = "email";
+      if (savedPhone) {
+        autoIdentifier = savedPhone;
+        autoChannel = "phone";
+      } else if (savedEmail) {
+        autoIdentifier = savedEmail;
+        autoChannel = "email";
+      }
+      if (!autoIdentifier) {
+        authLogger.warn("No saved identifier found for auto-submit");
+        isAutoSubmitFromUrlRef.current = false;
+        return;
+      }
+      setIdentifier(autoIdentifier);
+      setChannel(autoChannel);
+      setOtp(detectedOtp);
+      setStep("otp");
+      setTimeout(async () => {
+        try {
+          await submitOTP(autoIdentifier, detectedOtp, autoChannel);
+        } finally {
+          isAutoSubmitFromUrlRef.current = false;
+        }
+      }, 100);
+    }, "onOTPDetected"),
+    cleanupUrl: true
+  });
+  return {
+    // State
+    ...formState,
+    // Submit handlers
     handleIdentifierSubmit,
     handleOTPSubmit,
     handleResendOTP,
     handleBackToIdentifier,
     forceOTPStep,
-    // Utility methods
-    detectChannelFromIdentifier,
-    validateIdentifier
+    // 2FA handlers
+    handle2FASubmit,
+    handleUseBackupCode,
+    handleUseTOTP,
+    // Validation
+    ...validation,
+    // Auto-submit ref
+    isAutoSubmittingFromUrl: isAutoSubmitFromUrlRef,
+    // 2FA state from hook (for loading indicator)
+    is2FALoading: twoFactor.isLoading,
+    twoFactorWarning: twoFactor.warning
   };
 }, "useAuthForm");
 
 // src/auth/hooks/useGithubAuth.ts
-var import_react8 = require("react");
+var import_react9 = require("react");
 var import_hooks5 = require("@djangocfg/ui-nextjs/hooks");
-
-// src/generated/cfg_webpush/_utils/hooks/webpush__web_push.ts
-var import_swr7 = __toESM(require("swr"), 1);
-var import_swr8 = require("swr");
-
-// src/generated/cfg_centrifugo/_utils/hooks/centrifugo__centrifugo_admin_api.ts
-var import_swr9 = require("swr");
-
-// src/generated/cfg_centrifugo/_utils/hooks/centrifugo__centrifugo_auth.ts
-var import_swr10 = __toESM(require("swr"), 1);
-
-// src/generated/cfg_centrifugo/_utils/hooks/centrifugo__centrifugo_monitoring.ts
-var import_swr11 = __toESM(require("swr"), 1);
-
-// src/generated/cfg_centrifugo/_utils/hooks/centrifugo__centrifugo_testing.ts
-var import_swr12 = require("swr");
-
-// src/clients.ts
-var isStaticBuild3 = process.env.NEXT_PUBLIC_STATIC_BUILD === "true";
-var apiUrl2 = isStaticBuild3 ? "" : process.env.NEXT_PUBLIC_API_URL || "";
-var storage = new LocalStorageAdapter();
-var apiAccounts = new API(apiUrl2, { storage });
-var apiWebPush = new API3(apiUrl2, { storage });
-var apiCentrifugo = new API2(apiUrl2, { storage });
-
-// src/auth/hooks/useGithubAuth.ts
 var useGithubAuth = /* @__PURE__ */ __name((options = {}) => {
-  const { sourceUrl, onSuccess, onError, redirectUrl } = options;
+  const { sourceUrl, onSuccess, onError, onRequires2FA, redirectUrl, skipRedirect = false } = options;
   const router = (0, import_hooks5.useCfgRouter)();
-  const [isLoading, setIsLoading] = (0, import_react8.useState)(false);
-  const [error, setError] = (0, import_react8.useState)(null);
-  const startGithubAuth = (0, import_react8.useCallback)(async () => {
+  const [isLoading, setIsLoading] = (0, import_react9.useState)(false);
+  const [error, setError] = (0, import_react9.useState)(null);
+  const startGithubAuth = (0, import_react9.useCallback)(async () => {
     setIsLoading(true);
     setError(null);
     try {
@@ -5056,7 +6223,7 @@ var useGithubAuth = /* @__PURE__ */ __name((options = {}) => {
       setIsLoading(false);
     }
   }, [sourceUrl, onError]);
-  const handleGithubCallback = (0, import_react8.useCallback)(async (code, state) => {
+  const handleGithubCallback = (0, import_react9.useCallback)(async (code, state) => {
     setIsLoading(true);
     setError(null);
     try {
@@ -5073,6 +6240,15 @@ var useGithubAuth = /* @__PURE__ */ __name((options = {}) => {
         code,
         state
       });
+      if (response.requires_2fa && response.session_id) {
+        authLogger.info("GitHub OAuth requires 2FA, session:", response.session_id);
+        Analytics.event("auth_oauth_start" /* AUTH_OAUTH_START */, {
+          category: "auth" /* AUTH */,
+          label: "github-2fa-required"
+        });
+        onRequires2FA?.(response.session_id, response.should_prompt_2fa || false);
+        return;
+      }
       if (!response.access || !response.refresh) {
         throw new Error("Invalid response from OAuth callback");
       }
@@ -5086,8 +6262,10 @@ var useGithubAuth = /* @__PURE__ */ __name((options = {}) => {
         Analytics.setUser(String(response.user.id));
       }
       onSuccess?.(response.user, response.is_new_user || false);
-      const finalRedirectUrl = redirectUrl || "/dashboard";
-      router.hardPush(finalRedirectUrl);
+      if (!skipRedirect) {
+        const finalRedirectUrl = redirectUrl || "/dashboard";
+        router.hardPush(finalRedirectUrl);
+      }
     } catch (err) {
       const errorMessage = err instanceof Error ? err.message : "GitHub authentication failed";
       authLogger.error("GitHub OAuth callback error:", err);
@@ -5109,6 +6287,291 @@ var useGithubAuth = /* @__PURE__ */ __name((options = {}) => {
   };
 }, "useGithubAuth");
 
+// src/auth/hooks/useTwoFactorSetup.ts
+var import_react10 = require("react");
+var useTwoFactorSetup = /* @__PURE__ */ __name((options = {}) => {
+  const { onComplete, onError } = options;
+  const [isLoading, setIsLoading] = (0, import_react10.useState)(false);
+  const [error, setError] = (0, import_react10.useState)(null);
+  const [setupData, setSetupData] = (0, import_react10.useState)(null);
+  const [backupCodes, setBackupCodes] = (0, import_react10.useState)(null);
+  const [backupCodesWarning, setBackupCodesWarning] = (0, import_react10.useState)(null);
+  const [setupStep, setSetupStep] = (0, import_react10.useState)("idle");
+  const clearError = (0, import_react10.useCallback)(() => {
+    setError(null);
+  }, []);
+  const resetSetup = (0, import_react10.useCallback)(() => {
+    setSetupData(null);
+    setBackupCodes(null);
+    setBackupCodesWarning(null);
+    setSetupStep("idle");
+    setError(null);
+  }, []);
+  const startSetup = (0, import_react10.useCallback)(async (deviceName) => {
+    setIsLoading(true);
+    setError(null);
+    setSetupStep("scanning");
+    try {
+      authLogger.info("Starting 2FA setup...");
+      const response = await apiTotp.totp_setup.create({
+        device_name: deviceName
+      });
+      const data = {
+        deviceId: response.device_id,
+        secret: response.secret,
+        provisioningUri: response.provisioning_uri,
+        qrCodeBase64: response.qr_code_base64,
+        expiresIn: response.expires_in
+      };
+      setSetupData(data);
+      authLogger.info("2FA setup initiated, expires in:", data.expiresIn, "seconds");
+      return data;
+    } catch (err) {
+      const errorMessage = err instanceof Error ? err.message : "Failed to start 2FA setup";
+      authLogger.error("2FA setup error:", err);
+      setError(errorMessage);
+      setSetupStep("idle");
+      onError?.(errorMessage);
+      return null;
+    } finally {
+      setIsLoading(false);
+    }
+  }, [onError]);
+  const confirmSetup = (0, import_react10.useCallback)(async (code) => {
+    if (!setupData) {
+      const msg = "Setup not started. Call startSetup() first.";
+      setError(msg);
+      onError?.(msg);
+      return null;
+    }
+    if (!code || code.length !== 6) {
+      const msg = "Please enter a 6-digit code";
+      setError(msg);
+      onError?.(msg);
+      return null;
+    }
+    setIsLoading(true);
+    setError(null);
+    setSetupStep("confirming");
+    try {
+      authLogger.info("Confirming 2FA setup...");
+      const response = await apiTotp.totp_setup.confirmCreate({
+        device_id: setupData.deviceId,
+        code
+      });
+      const codes = response.backup_codes;
+      setBackupCodes(codes);
+      setBackupCodesWarning(response.backup_codes_warning);
+      setSetupStep("complete");
+      authLogger.info("2FA setup confirmed, backup codes generated:", codes.length);
+      onComplete?.(codes);
+      return codes;
+    } catch (err) {
+      const errorMessage = err instanceof Error ? err.message : "Invalid code. Please try again.";
+      authLogger.error("2FA setup confirmation error:", err);
+      setError(errorMessage);
+      setSetupStep("scanning");
+      onError?.(errorMessage);
+      return null;
+    } finally {
+      setIsLoading(false);
+    }
+  }, [setupData, onComplete, onError]);
+  return {
+    isLoading,
+    error,
+    setupData,
+    backupCodes,
+    backupCodesWarning,
+    setupStep,
+    startSetup,
+    confirmSetup,
+    resetSetup,
+    clearError
+  };
+}, "useTwoFactorSetup");
+
+// src/auth/hooks/useAuthGuard.ts
+var import_react11 = require("react");
+var import_hooks6 = require("@djangocfg/ui-nextjs/hooks");
+var useAuthGuard = /* @__PURE__ */ __name((options = {}) => {
+  const { redirectTo = "/auth", requireAuth = true, saveRedirectUrl: shouldSaveUrl = true } = options;
+  const { isAuthenticated, isLoading, saveRedirectUrl } = useAuth();
+  const router = (0, import_hooks6.useCfgRouter)();
+  const [isRedirecting, setIsRedirecting] = (0, import_react11.useState)(false);
+  (0, import_react11.useEffect)(() => {
+    if (!isLoading && requireAuth && !isAuthenticated && !isRedirecting) {
+      if (shouldSaveUrl && typeof window !== "undefined") {
+        const currentUrl = window.location.pathname + window.location.search;
+        saveRedirectUrl(currentUrl);
+      }
+      setIsRedirecting(true);
+      router.push(redirectTo);
+    }
+  }, [isAuthenticated, isLoading, router, redirectTo, requireAuth, isRedirecting, shouldSaveUrl, saveRedirectUrl]);
+  return { isAuthenticated, isLoading, isRedirecting };
+}, "useAuthGuard");
+
+// src/auth/hooks/useLocalStorage.ts
+var import_react12 = require("react");
+function useLocalStorage2(key, initialValue) {
+  const [storedValue, setStoredValue] = (0, import_react12.useState)(() => {
+    if (typeof window === "undefined") {
+      return initialValue;
+    }
+    try {
+      const item = window.localStorage.getItem(key);
+      if (item === null) {
+        return initialValue;
+      }
+      try {
+        return JSON.parse(item);
+      } catch {
+        return item;
+      }
+    } catch (error) {
+      authLogger.error(`Error reading localStorage key "${key}":`, error);
+      return initialValue;
+    }
+  });
+  const checkDataSize = /* @__PURE__ */ __name((data) => {
+    try {
+      const jsonString = JSON.stringify(data);
+      const sizeInBytes = new Blob([jsonString]).size;
+      const sizeInKB = sizeInBytes / 1024;
+      if (sizeInKB > 1024) {
+        authLogger.warn(`Data size (${sizeInKB.toFixed(2)}KB) exceeds 1MB limit for key "${key}"`);
+        return false;
+      }
+      return true;
+    } catch (error) {
+      authLogger.error(`Error checking data size for key "${key}":`, error);
+      return false;
+    }
+  }, "checkDataSize");
+  const clearOldData = /* @__PURE__ */ __name(() => {
+    try {
+      const keys = Object.keys(localStorage).filter((key2) => key2 && typeof key2 === "string");
+      if (keys.length > 50) {
+        const itemsToRemove = Math.ceil(keys.length * 0.2);
+        for (let i = 0; i < itemsToRemove; i++) {
+          try {
+            const key2 = keys[i];
+            if (key2) {
+              localStorage.removeItem(key2);
+              localStorage.removeItem(`${key2}_timestamp`);
+            }
+          } catch {
+          }
+        }
+      }
+    } catch (error) {
+      authLogger.error("Error clearing old localStorage data:", error);
+    }
+  }, "clearOldData");
+  const forceClearAll = /* @__PURE__ */ __name(() => {
+    try {
+      const keys = Object.keys(localStorage);
+      for (const key2 of keys) {
+        try {
+          localStorage.removeItem(key2);
+        } catch {
+        }
+      }
+    } catch (error) {
+      authLogger.error("Error force clearing localStorage:", error);
+    }
+  }, "forceClearAll");
+  const setValue = /* @__PURE__ */ __name((value) => {
+    try {
+      const valueToStore = value instanceof Function ? value(storedValue) : value;
+      if (!checkDataSize(valueToStore)) {
+        authLogger.warn(`Data size too large for key "${key}", removing key`);
+        try {
+          window.localStorage.removeItem(key);
+          window.localStorage.removeItem(`${key}_timestamp`);
+        } catch {
+        }
+        setStoredValue(valueToStore);
+        return;
+      }
+      setStoredValue(valueToStore);
+      if (typeof window !== "undefined") {
+        try {
+          if (typeof valueToStore === "string") {
+            window.localStorage.setItem(key, valueToStore);
+          } else {
+            window.localStorage.setItem(key, JSON.stringify(valueToStore));
+          }
+          window.localStorage.setItem(`${key}_timestamp`, Date.now().toString());
+        } catch (storageError) {
+          if (storageError.name === "QuotaExceededError" || storageError.code === 22 || storageError.message?.includes("quota")) {
+            authLogger.warn("localStorage quota exceeded, clearing old data...");
+            clearOldData();
+            try {
+              if (typeof valueToStore === "string") {
+                window.localStorage.setItem(key, valueToStore);
+              } else {
+                window.localStorage.setItem(key, JSON.stringify(valueToStore));
+              }
+              window.localStorage.setItem(`${key}_timestamp`, Date.now().toString());
+            } catch (retryError) {
+              authLogger.error(`Failed to set localStorage key "${key}" after clearing old data:`, retryError);
+              try {
+                forceClearAll();
+                if (typeof valueToStore === "string") {
+                  window.localStorage.setItem(key, valueToStore);
+                } else {
+                  window.localStorage.setItem(key, JSON.stringify(valueToStore));
+                }
+                window.localStorage.setItem(`${key}_timestamp`, Date.now().toString());
+              } catch (finalError) {
+                authLogger.error(`Failed to set localStorage key "${key}" after force clearing:`, finalError);
+                setStoredValue(valueToStore);
+              }
+            }
+          } else {
+            throw storageError;
+          }
+        }
+      }
+    } catch (error) {
+      authLogger.error(`Error setting localStorage key "${key}":`, error);
+      const valueToStore = value instanceof Function ? value(storedValue) : value;
+      setStoredValue(valueToStore);
+    }
+  }, "setValue");
+  const removeValue = /* @__PURE__ */ __name(() => {
+    try {
+      setStoredValue(initialValue);
+      if (typeof window !== "undefined") {
+        try {
+          window.localStorage.removeItem(key);
+          window.localStorage.removeItem(`${key}_timestamp`);
+        } catch (removeError) {
+          if (removeError.name === "QuotaExceededError" || removeError.code === 22 || removeError.message?.includes("quota")) {
+            authLogger.warn("localStorage quota exceeded during removal, clearing old data...");
+            clearOldData();
+            try {
+              window.localStorage.removeItem(key);
+              window.localStorage.removeItem(`${key}_timestamp`);
+            } catch (retryError) {
+              authLogger.error(`Failed to remove localStorage key "${key}" after clearing:`, retryError);
+              forceClearAll();
+            }
+          } else {
+            throw removeError;
+          }
+        }
+      }
+    } catch (error) {
+      authLogger.error(`Error removing localStorage key "${key}":`, error);
+    }
+  }, "removeValue");
+  return [storedValue, setValue, removeValue];
+}
+__name(useLocalStorage2, "useLocalStorage");
+
 // src/auth/utils/validation.ts
 var validateEmail = /* @__PURE__ */ __name((email) => {
   const emailRegex = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;