@dloizides/auth-client 1.0.0 → 2.1.0

package/dist/index.mjs

@@ -79,19 +79,141 @@ function parseBaseUrlFromIssuer(issuerUrl) {
   return issuerUrl.substring(0, idx).replace(/\/$/, "");
 }
 
+// src/utils/normalizeTokenResponse.ts
+function asString(value) {
+  return typeof value === "string" && value !== "" ? value : void 0;
+}
+function asNumber(value) {
+  return typeof value === "number" && Number.isFinite(value) ? value : void 0;
+}
+function normalizeTokenResponse(raw) {
+  const accessToken = asString(raw.access_token);
+  if (accessToken === void 0) {
+    throw new Error("Token response missing access_token");
+  }
+  return {
+    accessToken,
+    refreshToken: asString(raw.refresh_token),
+    idToken: asString(raw.id_token),
+    expiresIn: asNumber(raw.expires_in),
+    tokenType: asString(raw.token_type),
+    scope: asString(raw.scope)
+  };
+}
+function tokenResponseToAuthTokens(response, now = Date.now()) {
+  return {
+    accessToken: response.accessToken,
+    refreshToken: response.refreshToken,
+    idToken: response.idToken,
+    expiresAt: computeExpiresAt(response.expiresIn, now)
+  };
+}
+
+// src/events/AuthEventEmitter.ts
+var AuthEventEmitter = class {
+  constructor() {
+    this.listeners = /* @__PURE__ */ new Map();
+  }
+  on(event, listener) {
+    let bucket = this.listeners.get(event);
+    if (bucket === void 0) {
+      bucket = /* @__PURE__ */ new Set();
+      this.listeners.set(event, bucket);
+    }
+    bucket.add(listener);
+    return () => {
+      const current = this.listeners.get(event);
+      if (current !== void 0) {
+        current.delete(listener);
+      }
+    };
+  }
+  emit(event) {
+    const bucket = this.listeners.get(event);
+    if (bucket === void 0) {
+      return;
+    }
+    const snapshot = Array.from(bucket);
+    for (const listener of snapshot) {
+      listener();
+    }
+  }
+  /** Remove all listeners. Useful for `AuthClient.dispose()` and tests. */
+  clear() {
+    this.listeners.clear();
+  }
+};
+
 // src/AuthClient.ts
 var DEFAULT_SCOPE = "openid profile email";
+var OFFLINE_ACCESS_SCOPE = "offline_access";
 var AuthClient = class _AuthClient {
   /**
    * @throws Error when `baseUrl`, `realm`, or `clientId` is missing or empty.
    */
-  constructor(config, storage) {
+  constructor(config, storage, collaborators = {}) {
     _AuthClient.validateConfig(config);
     this.config = {
       ...config,
       scope: config.scope ?? DEFAULT_SCOPE
     };
+    this.directKcAuth = config.useDirectKcAuth === true;
     this.tokenStorage = storage;
+    this.api = collaborators.api;
+    this.interceptor = collaborators.interceptor;
+    this.inactivityTracker = collaborators.inactivityTracker;
+    this.events = collaborators.events ?? new AuthEventEmitter();
+    this.onTokenAcquired = collaborators.onTokenAcquired;
+    this.onTokenRefreshed = collaborators.onTokenRefreshed;
+  }
+  /**
+   * Whether this client is configured to route auth flows directly to
+   * Keycloak (v2.1.0 direct-KC path) instead of through the proxied
+   * identity-api `/auth/*` endpoints.
+   *
+   * Apps can render conditionally on this — e.g. to swap a login form for
+   * a "Sign in with Keycloak" redirect button.
+   */
+  isDirectMode() {
+    return this.directKcAuth;
+  }
+  /**
+   * Persist a token bundle produced by an external flow (e.g. the
+   * app-side `useKeycloakExchange` hook that consumes the shared
+   * `exchangeAuthorizationCode` primitive). Fires `onTokenAcquired` after
+   * persistence and marks the inactivity tracker active.
+   *
+   * Designed for the v2.1.0 direct-KC path where the PKCE code exchange
+   * happens in the app's React-Query hook (which needs `useDispatch`/etc.)
+   * but the token persistence + observability should still flow through
+   * the shared client.
+   */
+  async acceptDirectKcTokens(response) {
+    const tokens = tokenResponseToAuthTokens(response);
+    await this.tokenStorage.write(tokens);
+    if (this.inactivityTracker !== void 0) {
+      await this.inactivityTracker.markActive();
+    }
+    if (this.onTokenAcquired !== void 0) {
+      this.onTokenAcquired(tokens);
+    }
+    return tokens;
+  }
+  /**
+   * Same as {@link acceptDirectKcTokens} but fires `onTokenRefreshed`.
+   * Use after a `refreshAccessToken()` swap to keep observability counts
+   * separated between "fresh login" and "silent refresh".
+   */
+  async acceptDirectKcRefresh(response) {
+    const tokens = tokenResponseToAuthTokens(response);
+    await this.tokenStorage.write(tokens);
+    if (this.inactivityTracker !== void 0) {
+      await this.inactivityTracker.markActive();
+    }
+    if (this.onTokenRefreshed !== void 0) {
+      this.onTokenRefreshed(tokens);
+    }
+    return tokens;
   }
   /**
    * Build an {@link AuthClient} from a standalone issuer URL by parsing the
@@ -100,7 +222,7 @@ var AuthClient = class _AuthClient {
    *
    * @throws Error when the issuer URL doesn't match `{base}/realms/{realm}`.
    */
-  static fromIssuerUrl(input, storage) {
+  static fromIssuerUrl(input, storage, collaborators = {}) {
     const realm = parseRealmFromIssuer(input.issuerUrl);
     const baseUrl = parseBaseUrlFromIssuer(input.issuerUrl);
     if (realm === null || baseUrl === null || baseUrl === "") {
@@ -114,7 +236,8 @@ var AuthClient = class _AuthClient {
         redirectUri: input.redirectUri,
         scope: input.scope
       },
-      storage
+      storage,
+      collaborators
     );
   }
   static validateConfig(config) {
@@ -173,7 +296,7 @@ var AuthClient = class _AuthClient {
       realm: this.realm,
       clientId: this.clientId,
       redirectUri: this.config.redirectUri,
-      scope: this.scope,
+      scope: this.resolveScope(input.offlineAccess),
       state: input.state,
       codeChallenge: input.codeChallenge,
       codeChallengeMethod: input.codeChallengeMethod
@@ -202,8 +325,258 @@ var AuthClient = class _AuthClient {
     }
     return tokens.accessToken;
   }
+  /** Subscribe to lifecycle events (currently `sessionExpired` only). */
+  on(event, listener) {
+    return this.events.on(event, listener);
+  }
+  /**
+   * Boot-time wiring. Checks the inactivity tracker; if expired, clears
+   * tokens and emits `sessionExpired`. Returns whether a usable session
+   * survived.
+   */
+  async init() {
+    if (this.inactivityTracker !== void 0) {
+      const expired = await this.inactivityTracker.isExpired();
+      if (expired) {
+        await this.tokenStorage.clear();
+        await this.inactivityTracker.clear();
+        this.events.emit("sessionExpired");
+        return { hasSession: false };
+      }
+    }
+    const tokens = await this.tokenStorage.read();
+    return { hasSession: tokens !== null };
+  }
+  /**
+   * Trigger a refresh via the configured interceptor. Returns the new tokens
+   * or `null` when the refresh failed (in which case `sessionExpired` has
+   * already fired).
+   *
+   * @throws Error when no interceptor is configured.
+   */
+  async refresh() {
+    if (this.interceptor === void 0) {
+      throw new Error("AuthClient.refresh: no RefreshInterceptor configured");
+    }
+    const tokens = await this.interceptor.refreshTokens();
+    if (tokens !== null && this.onTokenRefreshed !== void 0) {
+      this.onTokenRefreshed(tokens);
+    }
+    return tokens;
+  }
+  async loginWithOtp(input) {
+    return this.runLogin(this.requireApi().loginWithOtp({
+      email: input.email,
+      otp: input.otp,
+      tenantId: input.tenantId,
+      offlineAccess: input.offlineAccess ?? false
+    }));
+  }
+  async loginWithPassword(input) {
+    return this.runLogin(this.requireApi().loginWithPassword({
+      email: input.email,
+      password: input.password,
+      tenantId: input.tenantId,
+      offlineAccess: input.offlineAccess ?? false
+    }));
+  }
+  async logout(options = {}) {
+    const api = this.requireApi();
+    try {
+      await api.logout(options.everywhere ?? false);
+    } finally {
+      await this.tokenStorage.clear();
+      if (this.inactivityTracker !== void 0) {
+        await this.inactivityTracker.clear();
+      }
+    }
+  }
+  async requestPasswordReset(input) {
+    return this.requireApi().forgotPassword({ email: input.email, tenantId: input.tenantId });
+  }
+  async confirmPasswordReset(input) {
+    return this.requireApi().resetPassword({ token: input.token, newPassword: input.newPassword });
+  }
+  /** Internal: run a login HTTP call, persist tokens, mark inactivity-active. */
+  async runLogin(promise) {
+    const raw = await promise;
+    if (typeof raw.access_token !== "string" || raw.access_token === "") {
+      throw new Error("AuthClient: login response missing access_token");
+    }
+    const normalized = normalizeTokenResponse({ ...raw, access_token: raw.access_token });
+    const tokens = tokenResponseToAuthTokens(normalized);
+    await this.tokenStorage.write(tokens);
+    if (this.inactivityTracker !== void 0) {
+      await this.inactivityTracker.markActive();
+    }
+    if (this.onTokenAcquired !== void 0) {
+      this.onTokenAcquired(tokens);
+    }
+    return tokens;
+  }
+  requireApi() {
+    if (this.api === void 0) {
+      throw new Error("AuthClient: no AuthApiClient configured");
+    }
+    return this.api;
+  }
+  resolveScope(offlineAccess) {
+    if (offlineAccess !== true) {
+      return this.scope;
+    }
+    if (this.scope.includes(OFFLINE_ACCESS_SCOPE)) {
+      return this.scope;
+    }
+    return `${this.scope} ${OFFLINE_ACCESS_SCOPE}`.trim();
+  }
 };
 
+// src/oidc/discovery.ts
+var cache = /* @__PURE__ */ new Map();
+function normalizeIssuer(issuerUrl) {
+  return issuerUrl.replace(/\/$/, "");
+}
+function isOidcDiscoveryDocument(data) {
+  if (data === null || typeof data !== "object") {
+    return false;
+  }
+  const d = data;
+  return typeof d.issuer === "string" && d.issuer !== "" && typeof d.authorization_endpoint === "string" && d.authorization_endpoint !== "" && typeof d.token_endpoint === "string" && d.token_endpoint !== "";
+}
+async function fetchDiscoveryDocument(input) {
+  const key = normalizeIssuer(input.issuerUrl);
+  const cached = cache.get(key);
+  if (cached !== void 0) {
+    return cached;
+  }
+  const response = await input.http({
+    url: `${key}/.well-known/openid-configuration`,
+    method: "GET"
+  });
+  if (!response.ok) {
+    throw new Error(
+      `OIDC discovery failed: ${String(response.status)} for ${key}`
+    );
+  }
+  if (!isOidcDiscoveryDocument(response.data)) {
+    throw new Error(`OIDC discovery returned invalid metadata for ${key}`);
+  }
+  cache.set(key, response.data);
+  return response.data;
+}
+function clearDiscoveryCache() {
+  cache.clear();
+}
+
+// src/oidc/pkce.ts
+var VERIFIER_MIN_LENGTH = 43;
+var VERIFIER_MAX_LENGTH = 128;
+var DEFAULT_VERIFIER_LENGTH = 64;
+var RANDOM_BYTES_PER_CHAR = 1;
+var UNRESERVED_CHARS = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-._~";
+function getCrypto() {
+  const c = globalThis.crypto;
+  if (c === void 0 || c.subtle === void 0) {
+    throw new Error("pkce: globalThis.crypto.subtle is required (Node 16+ / modern browser)");
+  }
+  return c;
+}
+function assertVerifierLength(length) {
+  if (length < VERIFIER_MIN_LENGTH || length > VERIFIER_MAX_LENGTH) {
+    throw new Error(`pkce: code_verifier length must be ${String(VERIFIER_MIN_LENGTH)}-${String(VERIFIER_MAX_LENGTH)} chars (RFC 7636)`);
+  }
+}
+function base64UrlEncode(buffer) {
+  const bytes = new Uint8Array(buffer);
+  let binary = "";
+  for (let i = 0; i < bytes.length; i++) {
+    binary += String.fromCharCode(bytes[i]);
+  }
+  const b64 = globalThis.btoa?.(binary) ?? Buffer.from(binary, "binary").toString("base64");
+  let end = b64.length;
+  while (end > 0 && b64.charCodeAt(end - 1) === "=".charCodeAt(0)) {
+    end -= 1;
+  }
+  return b64.slice(0, end).replace(/\+/g, "-").replace(/\//g, "_");
+}
+function generateCodeVerifier(length = DEFAULT_VERIFIER_LENGTH) {
+  assertVerifierLength(length);
+  const crypto = getCrypto();
+  const bytes = new Uint8Array(length * RANDOM_BYTES_PER_CHAR);
+  crypto.getRandomValues(bytes);
+  let out = "";
+  for (let i = 0; i < length; i++) {
+    const byte = bytes[i];
+    out += UNRESERVED_CHARS[byte % UNRESERVED_CHARS.length];
+  }
+  return out;
+}
+async function deriveCodeChallenge(verifier) {
+  assertVerifierLength(verifier.length);
+  const crypto = getCrypto();
+  const data = new TextEncoder().encode(verifier);
+  const digest = await crypto.subtle.digest("SHA-256", data);
+  return base64UrlEncode(digest);
+}
+async function generatePkcePair(length) {
+  const codeVerifier = generateCodeVerifier(length);
+  const codeChallenge = await deriveCodeChallenge(codeVerifier);
+  return { codeVerifier, codeChallenge, codeChallengeMethod: "S256" };
+}
+
+// src/utils/buildTokenRequestBody.ts
+function buildAuthorizationCodeBody(input) {
+  return new URLSearchParams({
+    client_id: input.clientId,
+    grant_type: "authorization_code",
+    code: input.code,
+    redirect_uri: input.redirectUri,
+    code_verifier: input.codeVerifier
+  }).toString();
+}
+function buildRefreshTokenBody(input) {
+  return new URLSearchParams({
+    client_id: input.clientId,
+    grant_type: "refresh_token",
+    refresh_token: input.refreshToken
+  }).toString();
+}
+
+// src/oidc/tokenExchange.ts
+var FORM_HEADERS = {
+  "Content-Type": "application/x-www-form-urlencoded"
+};
+async function postTokenEndpoint(http, url, body) {
+  const response = await http({
+    url,
+    method: "POST",
+    headers: FORM_HEADERS,
+    body
+  });
+  if (!response.ok) {
+    throw new Error(`token endpoint POST failed: ${String(response.status)}`);
+  }
+  return normalizeTokenResponse(response.data);
+}
+async function exchangeAuthorizationCode(input) {
+  const url = buildTokenEndpoint(input.baseUrl, input.realm);
+  const body = buildAuthorizationCodeBody({
+    clientId: input.clientId,
+    code: input.code,
+    redirectUri: input.redirectUri,
+    codeVerifier: input.codeVerifier
+  });
+  return postTokenEndpoint(input.http, url, body);
+}
+async function refreshAccessToken(input) {
+  const url = buildTokenEndpoint(input.baseUrl, input.realm);
+  const body = buildRefreshTokenBody({
+    clientId: input.clientId,
+    refreshToken: input.refreshToken
+  });
+  return postTokenEndpoint(input.http, url, body);
+}
+
 // src/types/KeycloakRoles.ts
 var KeycloakRoles = /* @__PURE__ */ ((KeycloakRoles2) => {
   KeycloakRoles2["SuperUser"] = "superUser";
@@ -277,6 +650,413 @@ var InMemoryTokenStorage = class {
   }
 };
 
+// src/storage/CookieTokenStorage.ts
+var CookieTokenStorage = class {
+  constructor() {
+    this.accessToken = null;
+    this.idToken = void 0;
+    this.expiresAt = 0;
+  }
+  read() {
+    if (this.accessToken === null) {
+      return Promise.resolve(null);
+    }
+    const tokens = {
+      accessToken: this.accessToken,
+      idToken: this.idToken,
+      expiresAt: this.expiresAt
+    };
+    return Promise.resolve(tokens);
+  }
+  write(tokens) {
+    this.accessToken = tokens.accessToken;
+    this.idToken = tokens.idToken;
+    this.expiresAt = tokens.expiresAt;
+    return Promise.resolve();
+  }
+  clear() {
+    this.accessToken = null;
+    this.idToken = void 0;
+    this.expiresAt = 0;
+    return Promise.resolve();
+  }
+};
+
+// src/storage/SecureStoreTokenStorage.ts
+var DEFAULT_PREFIX = "auth";
+var ACCESS_KEY = "access";
+var REFRESH_KEY = "refresh";
+var ID_KEY = "id";
+var EXPIRES_KEY = "expiresAt";
+var SecureStoreTokenStorage = class {
+  constructor(options) {
+    this.secureStore = options.secureStore;
+    this.prefix = options.keyPrefix ?? DEFAULT_PREFIX;
+    this.requireAuthentication = options.requireAuthentication ?? false;
+    this.biometricGate = options.biometricGate;
+  }
+  async read() {
+    if (this.shouldRunBiometricGate()) {
+      await this.biometricGate.unlock();
+    }
+    const readOptions = this.requireAuthentication ? { requireAuthentication: true } : void 0;
+    const accessToken = await this.secureStore.getItemAsync(this.fullKey(ACCESS_KEY), readOptions);
+    if (accessToken === null) {
+      return null;
+    }
+    const refreshTokenRaw = await this.secureStore.getItemAsync(this.fullKey(REFRESH_KEY), readOptions);
+    const idTokenRaw = await this.secureStore.getItemAsync(this.fullKey(ID_KEY));
+    const expiresAtRaw = await this.secureStore.getItemAsync(this.fullKey(EXPIRES_KEY));
+    const expiresAt = parseExpiresAt(expiresAtRaw);
+    return {
+      accessToken,
+      refreshToken: refreshTokenRaw === null ? void 0 : refreshTokenRaw,
+      idToken: idTokenRaw === null ? void 0 : idTokenRaw,
+      expiresAt
+    };
+  }
+  async write(tokens) {
+    await this.secureStore.setItemAsync(this.fullKey(ACCESS_KEY), tokens.accessToken);
+    if (tokens.refreshToken !== void 0 && tokens.refreshToken !== "") {
+      await this.secureStore.setItemAsync(this.fullKey(REFRESH_KEY), tokens.refreshToken);
+    } else {
+      await this.secureStore.deleteItemAsync(this.fullKey(REFRESH_KEY));
+    }
+    if (tokens.idToken !== void 0 && tokens.idToken !== "") {
+      await this.secureStore.setItemAsync(this.fullKey(ID_KEY), tokens.idToken);
+    } else {
+      await this.secureStore.deleteItemAsync(this.fullKey(ID_KEY));
+    }
+    await this.secureStore.setItemAsync(this.fullKey(EXPIRES_KEY), String(tokens.expiresAt));
+  }
+  async clear() {
+    await this.secureStore.deleteItemAsync(this.fullKey(ACCESS_KEY));
+    await this.secureStore.deleteItemAsync(this.fullKey(REFRESH_KEY));
+    await this.secureStore.deleteItemAsync(this.fullKey(ID_KEY));
+    await this.secureStore.deleteItemAsync(this.fullKey(EXPIRES_KEY));
+  }
+  shouldRunBiometricGate() {
+    return this.biometricGate !== void 0 && this.biometricGate.isEnabled();
+  }
+  fullKey(slot) {
+    return `${this.prefix}.${slot}`;
+  }
+};
+function parseExpiresAt(raw) {
+  if (raw === null || raw === "") {
+    return 0;
+  }
+  const parsed = Number(raw);
+  return Number.isFinite(parsed) ? parsed : 0;
+}
+
+// src/biometric/BiometricGate.ts
+var DEFAULT_PROMPT = "Unlock to continue";
+var DEFAULT_MAX_FAILURES = 3;
+var BiometricGate = class {
+  constructor(options) {
+    this.enabled = false;
+    this.failureCount = 0;
+    this.hydrated = false;
+    this.localAuth = options.localAuth;
+    this.flagStore = options.flagStore;
+    this.promptMessage = options.promptMessage ?? DEFAULT_PROMPT;
+    this.maxFailures = options.maxFailures ?? DEFAULT_MAX_FAILURES;
+  }
+  /** Hardware present AND a fingerprint/face ID is enrolled. */
+  async isAvailable() {
+    const hasHardware = await this.localAuth.hasHardwareAsync();
+    if (!hasHardware) {
+      return false;
+    }
+    return this.localAuth.isEnrolledAsync();
+  }
+  /** Synchronous read of the current enabled flag (post-hydration). */
+  isEnabled() {
+    return this.enabled;
+  }
+  /** Read the persisted opt-in flag once at app boot. Idempotent. */
+  async hydrate() {
+    if (this.hydrated) {
+      return;
+    }
+    this.hydrated = true;
+    if (this.flagStore !== void 0) {
+      this.enabled = await this.flagStore.read();
+    }
+  }
+  /**
+   * Toggle biometric requirement. Persists via {@link BiometricFlagStore} when
+   * configured. Resets the failure counter so a re-enable starts fresh.
+   */
+  async setEnabled(enabled) {
+    this.enabled = enabled;
+    this.failureCount = 0;
+    if (this.flagStore !== void 0) {
+      await this.flagStore.write(enabled);
+    }
+  }
+  /** Reset the failure counter. Tests + consumer recovery flows. */
+  resetFailures() {
+    this.failureCount = 0;
+  }
+  /**
+   * One-shot biometric prompt. Returns `true` on success. Does NOT throw on
+   * failure or update the failure counter — useful for action confirmation.
+   */
+  async prompt() {
+    const result = await this.localAuth.authenticateAsync({
+      promptMessage: this.promptMessage
+    });
+    return result.success;
+  }
+  /**
+   * Required pre-condition for sensitive token reads. No-op when disabled.
+   *
+   * @throws Error after {@link maxFailures} consecutive failures.
+   * @throws Error on a single failure (lower in the count, but still throws so
+   *   `SecureStoreTokenStorage.read()` short-circuits).
+   */
+  async unlock() {
+    if (!this.enabled) {
+      return;
+    }
+    const result = await this.localAuth.authenticateAsync({
+      promptMessage: this.promptMessage
+    });
+    if (result.success) {
+      this.failureCount = 0;
+      return;
+    }
+    this.failureCount += 1;
+    if (this.failureCount >= this.maxFailures) {
+      throw new Error("Biometric authentication failed; locked out");
+    }
+    throw new Error("Biometric authentication failed");
+  }
+};
+
+// src/interceptor/RefreshInterceptor.ts
+var RefreshInterceptor = class {
+  constructor(options) {
+    this.inflight = null;
+    this.storage = options.storage;
+    this.refresh = options.refresh;
+    this.events = options.events;
+    this.onRefreshSuccess = options.onRefreshSuccess;
+  }
+  /**
+   * Trigger (or join) a refresh. Returns the new tokens, or `null` if the
+   * refresh failed — in which case storage has already been cleared and
+   * `sessionExpired` already fired.
+   */
+  async refreshTokens() {
+    if (this.inflight !== null) {
+      return this.inflight;
+    }
+    this.inflight = this.runRefresh();
+    try {
+      return await this.inflight;
+    } finally {
+      this.inflight = null;
+    }
+  }
+  /**
+   * Whether a refresh is currently in flight. Exposed for tests / debug.
+   */
+  get isRefreshing() {
+    return this.inflight !== null;
+  }
+  async runRefresh() {
+    const current = await this.storage.read();
+    let next;
+    try {
+      next = await this.refresh(current);
+    } catch {
+      await this.failHard();
+      return null;
+    }
+    if (next === null) {
+      await this.failHard();
+      return null;
+    }
+    await this.storage.write(next);
+    if (this.onRefreshSuccess !== void 0) {
+      await this.onRefreshSuccess(next);
+    }
+    return next;
+  }
+  async failHard() {
+    await this.storage.clear();
+    this.events.emit("sessionExpired");
+  }
+};
+
+// src/inactivity/InactivityTracker.ts
+var DEFAULT_MAX_DAYS = 90;
+var MS_PER_DAY = 24 * 60 * 60 * 1e3;
+var InactivityTracker = class {
+  constructor(options) {
+    this.store = options.store;
+    const days = options.maxInactivityDays ?? DEFAULT_MAX_DAYS;
+    this.maxInactivityMs = days * MS_PER_DAY;
+    this.now = options.now ?? Date.now;
+  }
+  async markActive(timestamp) {
+    await this.store.write(timestamp ?? this.now());
+  }
+  async getLastActive() {
+    return this.store.read();
+  }
+  async isExpired() {
+    const last = await this.store.read();
+    if (last === null) {
+      return false;
+    }
+    return this.now() - last > this.maxInactivityMs;
+  }
+  async clear() {
+    await this.store.clear();
+  }
+};
+
+// src/http/HttpClient.ts
+function createFetchHttpClient(fetchImpl) {
+  return async (request) => {
+    const init = {
+      method: request.method,
+      headers: request.headers,
+      body: request.body
+    };
+    if (request.credentials !== void 0) {
+      init.credentials = request.credentials;
+    }
+    const response = await fetchImpl(request.url, init);
+    let data;
+    if (response.status !== 204) {
+      const contentType = response.headers.get("content-type") ?? "";
+      if (contentType.includes("application/json")) {
+        data = await response.json();
+      }
+    }
+    return {
+      status: response.status,
+      ok: response.ok,
+      data
+    };
+  };
+}
+
+// src/api/AuthApiClient.ts
+var AuthApiClient = class {
+  constructor(options) {
+    this.http = options.http;
+    this.baseUrl = options.baseUrl.replace(/\/$/, "");
+    this.getAccessToken = options.getAccessToken;
+    this.useCredentials = options.useCredentials ?? false;
+  }
+  loginWithOtp(request) {
+    return this.postLogin("/auth/verify-otp", request);
+  }
+  loginWithPassword(request) {
+    return this.postLogin("/auth/login", request);
+  }
+  /** Web cookie-flow refresh. Sends no body; cookie travels via `credentials`. */
+  async refreshCookie() {
+    const response = await this.http({
+      url: `${this.baseUrl}/auth/refresh-cookie`,
+      method: "POST",
+      headers: { "content-type": "application/json" },
+      credentials: this.useCredentials ? "include" : void 0
+    });
+    if (!response.ok) {
+      throw new Error(`refresh-cookie failed with status ${response.status}`);
+    }
+    return response.data ?? {};
+  }
+  async logout(everywhere = false) {
+    const url = everywhere ? `${this.baseUrl}/auth/logout?everywhere=true` : `${this.baseUrl}/auth/logout`;
+    const response = await this.http({
+      url,
+      method: "POST",
+      headers: await this.authHeaders(),
+      credentials: this.useCredentials ? "include" : void 0
+    });
+    if (!response.ok) {
+      throw new Error(`logout failed with status ${response.status}`);
+    }
+  }
+  async forgotPassword(request) {
+    const response = await this.http({
+      url: `${this.baseUrl}/auth/forgot-password`,
+      method: "POST",
+      headers: { "content-type": "application/json" },
+      body: JSON.stringify(request)
+    });
+    if (!response.ok) {
+      throw new Error(`forgot-password failed with status ${response.status}`);
+    }
+  }
+  async resetPassword(request) {
+    const response = await this.http({
+      url: `${this.baseUrl}/auth/reset-password`,
+      method: "POST",
+      headers: { "content-type": "application/json" },
+      body: JSON.stringify(request)
+    });
+    if (!response.ok) {
+      throw new Error(`reset-password failed with status ${response.status}`);
+    }
+  }
+  async listSessions() {
+    const response = await this.http({
+      url: `${this.baseUrl}/me/sessions`,
+      method: "GET",
+      headers: await this.authHeaders(),
+      credentials: this.useCredentials ? "include" : void 0
+    });
+    if (!response.ok) {
+      throw new Error(`listSessions failed with status ${response.status}`);
+    }
+    return Array.isArray(response.data) ? response.data : [];
+  }
+  async revokeSession(sessionId) {
+    const response = await this.http({
+      url: `${this.baseUrl}/me/sessions/${encodeURIComponent(sessionId)}/revoke`,
+      method: "POST",
+      headers: await this.authHeaders(),
+      credentials: this.useCredentials ? "include" : void 0
+    });
+    if (!response.ok) {
+      throw new Error(`revokeSession failed with status ${response.status}`);
+    }
+  }
+  async postLogin(path, body) {
+    const response = await this.http({
+      url: `${this.baseUrl}${path}`,
+      method: "POST",
+      headers: { "content-type": "application/json" },
+      body: JSON.stringify(body),
+      credentials: this.useCredentials ? "include" : void 0
+    });
+    if (!response.ok) {
+      throw new Error(`login failed with status ${response.status}`);
+    }
+    return response.data ?? {};
+  }
+  async authHeaders() {
+    const headers = { "content-type": "application/json" };
+    if (this.getAccessToken === void 0) {
+      return headers;
+    }
+    const token = await this.getAccessToken();
+    if (token !== null && token !== "") {
+      headers.authorization = `Bearer ${token}`;
+    }
+    return headers;
+  }
+};
+
 // src/utils/normalizeKeycloakUser.ts
 function isNonEmptyString(value) {
   return typeof value === "string" && value !== "";
@@ -327,24 +1107,6 @@ function normalizeKeycloakUser(u) {
   };
 }
 
-// src/utils/buildTokenRequestBody.ts
-function buildAuthorizationCodeBody(input) {
-  return new URLSearchParams({
-    client_id: input.clientId,
-    grant_type: "authorization_code",
-    code: input.code,
-    redirect_uri: input.redirectUri,
-    code_verifier: input.codeVerifier
-  }).toString();
-}
-function buildRefreshTokenBody(input) {
-  return new URLSearchParams({
-    client_id: input.clientId,
-    grant_type: "refresh_token",
-    refresh_token: input.refreshToken
-  }).toString();
-}
-
 // src/utils/extractAuthCode.ts
 function extractAuthCode(response) {
   if (!response) {
@@ -405,36 +1167,6 @@ function decodeUtf8(binary) {
   return new TextDecoder("utf-8").decode(bytes);
 }
 
-// src/utils/normalizeTokenResponse.ts
-function asString(value) {
-  return typeof value === "string" && value !== "" ? value : void 0;
-}
-function asNumber(value) {
-  return typeof value === "number" && Number.isFinite(value) ? value : void 0;
-}
-function normalizeTokenResponse(raw) {
-  const accessToken = asString(raw.access_token);
-  if (accessToken === void 0) {
-    throw new Error("Token response missing access_token");
-  }
-  return {
-    accessToken,
-    refreshToken: asString(raw.refresh_token),
-    idToken: asString(raw.id_token),
-    expiresIn: asNumber(raw.expires_in),
-    tokenType: asString(raw.token_type),
-    scope: asString(raw.scope)
-  };
-}
-function tokenResponseToAuthTokens(response, now = Date.now()) {
-  return {
-    accessToken: response.accessToken,
-    refreshToken: response.refreshToken,
-    idToken: response.idToken,
-    expiresAt: computeExpiresAt(response.expiresIn, now)
-  };
-}
-
-export { AuthClient, BrowserStorageTokenStorage, InMemoryTokenStorage, KeycloakRoles, buildAuthorizationCodeBody, buildAuthorizationEndpoint, buildAuthorizationUrl, buildIssuerUrl, buildLogoutEndpoint, buildRefreshTokenBody, buildTokenEndpoint, buildUserInfoEndpoint, computeExpiresAt, decodeJwt, extractAuthCode, isKeycloakRole, isTokenExpired, normalizeKeycloakUser, normalizeTokenResponse, parseBaseUrlFromIssuer, parseRealmFromIssuer, tokenResponseToAuthTokens };
+export { AuthApiClient, AuthClient, AuthEventEmitter, BiometricGate, BrowserStorageTokenStorage, CookieTokenStorage, InMemoryTokenStorage, InactivityTracker, KeycloakRoles, RefreshInterceptor, SecureStoreTokenStorage, buildAuthorizationCodeBody, buildAuthorizationEndpoint, buildAuthorizationUrl, buildIssuerUrl, buildLogoutEndpoint, buildRefreshTokenBody, buildTokenEndpoint, buildUserInfoEndpoint, clearDiscoveryCache, computeExpiresAt, createFetchHttpClient, decodeJwt, deriveCodeChallenge, exchangeAuthorizationCode, extractAuthCode, fetchDiscoveryDocument, generateCodeVerifier, generatePkcePair, isKeycloakRole, isTokenExpired, normalizeKeycloakUser, normalizeTokenResponse, parseBaseUrlFromIssuer, parseRealmFromIssuer, refreshAccessToken, tokenResponseToAuthTokens };
 //# sourceMappingURL=index.mjs.map
 //# sourceMappingURL=index.mjs.map