@dloizides/auth-client 2.1.0 → 3.0.0

package/CHANGELOG.md

@@ -1,5 +1,32 @@
 # Changelog
 
+## 3.0.0 (2026-05-19)
+
+Major release for Phase 2 of the identity-hardening initiative. Adds the
+shared `BffAuthClient` — the same-origin client for a per-app
+**Backend-For-Frontend** (`bff-katalogos`, `bff-erevna`). The BFF terminates
+authentication server-side: the browser holds only an opaque httpOnly session
+cookie, never a token.
+
+This is the **new recommended auth surface**. The major bump signals that
+recommendation — it is **not** a breaking change: every v2.x export
+(`AuthClient`, the direct-KC ROPC adapters, `useDirectKcAuth`, the OIDC
+primitives, storage adapters, hooks) remains and is unchanged. BaseClient
+still consumes the direct-KC path; it is removed in a later phase.
+
+### Added
+
+- `BffAuthClient` — same-origin client for a per-app BFF. Methods:
+  `login({username,password})` → `POST /bff/login`; `logout()` →
+  `POST /bff/logout`; `getCurrentUser()` → `GET /bff/me`; `register(...)`,
+  `forgotPassword(...)`, `resetPassword(...)` → the matching `/bff/*`
+  endpoints. Every call is a same-origin `fetch` with
+  `credentials: 'include'`; state-changing calls carry the `X-BFF-Csrf: 1`
+  header the `Bff.AspNetCore` anti-forgery middleware requires. Does **no
+  token handling** — the BFF owns tokens, the browser owns only the cookie.
+- Types: `BffAuthClientOptions`, `BffLoginRequest`, `BffRegisterRequest`,
+  `BffForgotPasswordRequest`, `BffResetPasswordRequest`, `BffUser`.
+
 ## 2.1.0 (2026-05-17)
 
 Additive release. Lays the groundwork for the "shrink identity service"

package/README.md

@@ -119,6 +119,41 @@ const storage = new SecureStoreTokenStorage({
 await biometricGate.hydrate();
 ```
 
+## BFF auth (v3 — recommended)
+
+`BffAuthClient` is the same-origin client for a per-app **Backend-For-Frontend**
+(`bff-katalogos`, `bff-erevna`). The BFF terminates authentication
+server-side: it does ROPC against Keycloak with a confidential client, stores
+the tokens in a Redis vault, and hands the browser only an opaque httpOnly
+session cookie. The SPA never sees a token — an XSS cannot exfiltrate one.
+
+`BffAuthClient` does **no token handling**: every call is a same-origin
+`fetch` with `credentials: 'include'`, and state-changing calls carry the
+`X-BFF-Csrf: 1` header the BFF anti-forgery middleware requires.
+
+```ts
+import { BffAuthClient, createFetchHttpClient } from '@dloizides/auth-client';
+
+const bff = new BffAuthClient({
+  http: createFetchHttpClient(window.fetch.bind(window)),
+  // baseUrl defaults to '' (same-origin) — the production wiring.
+});
+
+// Login — the BFF does ROPC server-side and sets the session cookie.
+const user = await bff.login({ username, password });
+
+// Bootstrap on app load — null when there is no live session.
+const current = await bff.getCurrentUser();
+
+await bff.register({ firstName, lastName, username, email, password, tenantName });
+await bff.forgotPassword({ email, resetUrlTemplate });
+await bff.resetPassword({ token, newPassword });
+await bff.logout();
+```
+
+The direct-KC `AuthClient` / ROPC surface below is retained for consumers not
+yet on a BFF; it is deprecated and removed once every app has migrated.
+
 ## React Query hooks
 
 ```ts
@@ -156,7 +191,8 @@ auth.on('sessionExpired', () => {
 
 ### Core (`@dloizides/auth-client`)
 
-- `AuthClient` — realm-aware orchestrator. `init()`, `refresh()`, `loginWithOtp()`, `loginWithPassword()`, `logout({ everywhere })`, `requestPasswordReset()`, `confirmPasswordReset()`, plus the v1 surface (`getAccessToken`, `getTokens`, `setTokens`, `clearTokens`, `buildAuthorizationUrl`, etc.).
+- `BffAuthClient` — same-origin client for a per-app Backend-For-Frontend. `login()`, `logout()`, `getCurrentUser()`, `register()`, `forgotPassword()`, `resetPassword()`. No token handling — the BFF owns tokens, the browser owns only an httpOnly cookie. **The recommended auth surface (v3).**
+- `AuthClient` — realm-aware orchestrator. `init()`, `refresh()`, `loginWithOtp()`, `loginWithPassword()`, `logout({ everywhere })`, `requestPasswordReset()`, `confirmPasswordReset()`, plus the v1 surface (`getAccessToken`, `getTokens`, `setTokens`, `clearTokens`, `buildAuthorizationUrl`, etc.). Direct-KC ROPC; deprecated in favour of `BffAuthClient`.
 - `AuthApiClient` — typed wrapper for IdentityService auth endpoints.
 - `AuthEventEmitter` — `sessionExpired` event.
 - `RefreshInterceptor` — single-flight refresh queue.

package/dist/index.d.mts

@@ -1,8 +1,8 @@
 import { T as TokenStorage, c as AuthTokens } from './AuthClient-BGr8L03W.mjs';
 export { A as AuthApiClient, d as AuthApiClientOptions, b as AuthClient, e as AuthClientCollaborators, f as AuthClientConfig, g as AuthClientFromIssuerInput, h as AuthEventEmitter, i as AuthEventListener, j as AuthEventName, k as AuthEventUnsubscribe, a as AuthSessionInfo, D as DirectKcOptions, F as ForgotPasswordRequest, I as InactivityStore, l as InactivityTracker, m as InactivityTrackerOptions, L as LoginOptions, n as LogoutOptions, O as OtpLoginRequest, P as PasswordLoginRequest, o as RawAuthLoginResponse, p as RefreshFn, q as RefreshInterceptor, r as RefreshInterceptorOptions, R as ResetPasswordRequest } from './AuthClient-BGr8L03W.mjs';
 export { ExchangeAuthorizationCodeInput, FetchDiscoveryDocumentInput, OidcDiscoveryDocument, PkcePair, RefreshAccessTokenInput, clearDiscoveryCache, deriveCodeChallenge, exchangeAuthorizationCode, fetchDiscoveryDocument, generateCodeVerifier, generatePkcePair, refreshAccessToken } from './oidc/index.mjs';
-import { R as RawTokenResponse, T as TokenResponse } from './TokenResponse-CY1CaU2l.mjs';
-export { H as HttpClient, a as HttpRequest, b as HttpResponse, c as createFetchHttpClient } from './TokenResponse-CY1CaU2l.mjs';
+import { H as HttpClient, R as RawTokenResponse, T as TokenResponse } from './TokenResponse-CY1CaU2l.mjs';
+export { a as HttpRequest, b as HttpResponse, c as createFetchHttpClient } from './TokenResponse-CY1CaU2l.mjs';
 
 /**
  * Roles emitted by Keycloak realms in the dloizides.com portfolio.
@@ -315,6 +315,109 @@ declare class BiometricGate {
     unlock(): Promise<void>;
 }
 
+/** Credentials posted to `POST /bff/login`. */
+interface BffLoginRequest {
+    username: string;
+    password: string;
+}
+/** Payload for `POST /bff/register` — proxied by the BFF to TenantService. */
+interface BffRegisterRequest {
+    firstName: string;
+    lastName: string;
+    username: string;
+    email: string;
+    password: string;
+    tenantName: string;
+    [key: string]: unknown;
+}
+/** Payload for `POST /bff/forgot-password` — proxied to TenantService. */
+interface BffForgotPasswordRequest {
+    email: string;
+    /** Full URL with a `{token}` placeholder; the backend substitutes the token. */
+    resetUrlTemplate?: string;
+    [key: string]: unknown;
+}
+/** Payload for `POST /bff/reset-password` — proxied to TenantService. */
+interface BffResetPasswordRequest {
+    token: string;
+    newPassword: string;
+}
+/**
+ * The user object returned by `GET /bff/me` and `POST /bff/login`. The BFF
+ * returns the sanitised KC claims under a `user` envelope and **never** a
+ * token. Kept permissive so server-added claims flow through without a bump.
+ */
+interface BffUser {
+    sub?: string;
+    email?: string;
+    email_verified?: boolean;
+    name?: string;
+    preferred_username?: string;
+    given_name?: string;
+    family_name?: string;
+    tenantId?: string;
+    roles?: string[];
+    [key: string]: unknown;
+}
+interface BffAuthClientOptions {
+    /** Runtime-agnostic HTTP transport (wrap native `fetch` with `createFetchHttpClient`). */
+    http: HttpClient;
+    /**
+     * BFF origin. Defaults to `''` (same-origin) — the production wiring. An
+     * explicit origin is only useful for tests or a non-same-origin BFF.
+     */
+    baseUrl?: string;
+}
+/**
+ * Same-origin client for a per-app BFF.
+ *
+ * No token storage, no refresh logic, no realm awareness — the BFF owns all of
+ * that server-side. The browser's only auth artefact is the httpOnly cookie.
+ */
+declare class BffAuthClient {
+    private readonly http;
+    private readonly baseUrl;
+    constructor(options: BffAuthClientOptions);
+    /**
+     * `POST /bff/login` — the BFF does ROPC against Keycloak server-side, stores
+     * the tokens in its Redis vault, and sets the httpOnly session cookie.
+     * Returns the sanitised user. Throws on a non-2xx response.
+     */
+    login(request: BffLoginRequest): Promise<BffUser>;
+    /**
+     * `POST /bff/logout` — the BFF calls KC end-session, deletes the Redis
+     * session, and clears the cookie. Non-fatal: a failed logout still leaves
+     * the SPA logged out client-side. Throws only on a non-2xx response.
+     */
+    logout(): Promise<void>;
+    /**
+     * `GET /bff/me` — the live session's sanitised user, or `null` when there is
+     * no session (the BFF answers `401`). Used at app load to bootstrap auth
+     * state in place of the old token-in-storage check.
+     */
+    getCurrentUser(): Promise<BffUser | null>;
+    /**
+     * `POST /bff/register` — the BFF proxies registration to TenantService and,
+     * on success, establishes a session exactly like `login`. Returns the user.
+     */
+    register(request: BffRegisterRequest): Promise<BffUser>;
+    /**
+     * `POST /bff/forgot-password` — proxied to TenantService. The backend
+     * returns 200 unconditionally (no email enumeration); anything else throws.
+     */
+    forgotPassword(request: BffForgotPasswordRequest): Promise<void>;
+    /**
+     * `POST /bff/reset-password` — proxied to TenantService. Throws on a non-2xx
+     * response (e.g. `400` for an invalid / expired token).
+     */
+    resetPassword(request: BffResetPasswordRequest): Promise<void>;
+    /**
+     * Shared POST for every state-changing `/bff/*` call: same-origin, cookie
+     * included, `X-BFF-Csrf` header attached. Throws a labelled error on non-2xx.
+     */
+    private postState;
+}
+
 /**
  * Convert a Keycloak `/userinfo` payload into a flat, app-friendly user object.
  *
@@ -488,4 +591,4 @@ declare function normalizeTokenResponse(raw: RawTokenResponse): TokenResponse;
  */
 declare function tokenResponseToAuthTokens(response: TokenResponse, now?: number): AuthTokens;
 
-export { AuthTokens, type AuthorizationCodeBodyInput, type AuthorizationResponseLike, type AuthorizationUrlInput, type BiometricFlagStore, BiometricGate, type BiometricGateLike, type BiometricGateOptions, BrowserStorageTokenStorage, type BrowserStorageTokenStorageOptions, CookieTokenStorage, InMemoryTokenStorage, KeycloakRoles, type KeycloakUserInfo, type LocalAuthLike, type NormalizedUser, RawTokenResponse, type RefreshTokenBodyInput, type SecureStoreLike, SecureStoreTokenStorage, type SecureStoreTokenStorageOptions, type StorageLike, TokenResponse, TokenStorage, buildAuthorizationCodeBody, buildAuthorizationEndpoint, buildAuthorizationUrl, buildIssuerUrl, buildLogoutEndpoint, buildRefreshTokenBody, buildTokenEndpoint, buildUserInfoEndpoint, computeExpiresAt, decodeJwt, extractAuthCode, isKeycloakRole, isTokenExpired, normalizeKeycloakUser, normalizeTokenResponse, parseBaseUrlFromIssuer, parseRealmFromIssuer, tokenResponseToAuthTokens };
+export { AuthTokens, type AuthorizationCodeBodyInput, type AuthorizationResponseLike, type AuthorizationUrlInput, BffAuthClient, type BffAuthClientOptions, type BffForgotPasswordRequest, type BffLoginRequest, type BffRegisterRequest, type BffResetPasswordRequest, type BffUser, type BiometricFlagStore, BiometricGate, type BiometricGateLike, type BiometricGateOptions, BrowserStorageTokenStorage, type BrowserStorageTokenStorageOptions, CookieTokenStorage, HttpClient, InMemoryTokenStorage, KeycloakRoles, type KeycloakUserInfo, type LocalAuthLike, type NormalizedUser, RawTokenResponse, type RefreshTokenBodyInput, type SecureStoreLike, SecureStoreTokenStorage, type SecureStoreTokenStorageOptions, type StorageLike, TokenResponse, TokenStorage, buildAuthorizationCodeBody, buildAuthorizationEndpoint, buildAuthorizationUrl, buildIssuerUrl, buildLogoutEndpoint, buildRefreshTokenBody, buildTokenEndpoint, buildUserInfoEndpoint, computeExpiresAt, decodeJwt, extractAuthCode, isKeycloakRole, isTokenExpired, normalizeKeycloakUser, normalizeTokenResponse, parseBaseUrlFromIssuer, parseRealmFromIssuer, tokenResponseToAuthTokens };

package/dist/index.d.ts

@@ -1,8 +1,8 @@
 import { T as TokenStorage, c as AuthTokens } from './AuthClient-D95OMajD.js';
 export { A as AuthApiClient, d as AuthApiClientOptions, b as AuthClient, e as AuthClientCollaborators, f as AuthClientConfig, g as AuthClientFromIssuerInput, h as AuthEventEmitter, i as AuthEventListener, j as AuthEventName, k as AuthEventUnsubscribe, a as AuthSessionInfo, D as DirectKcOptions, F as ForgotPasswordRequest, I as InactivityStore, l as InactivityTracker, m as InactivityTrackerOptions, L as LoginOptions, n as LogoutOptions, O as OtpLoginRequest, P as PasswordLoginRequest, o as RawAuthLoginResponse, p as RefreshFn, q as RefreshInterceptor, r as RefreshInterceptorOptions, R as ResetPasswordRequest } from './AuthClient-D95OMajD.js';
 export { ExchangeAuthorizationCodeInput, FetchDiscoveryDocumentInput, OidcDiscoveryDocument, PkcePair, RefreshAccessTokenInput, clearDiscoveryCache, deriveCodeChallenge, exchangeAuthorizationCode, fetchDiscoveryDocument, generateCodeVerifier, generatePkcePair, refreshAccessToken } from './oidc/index.js';
-import { R as RawTokenResponse, T as TokenResponse } from './TokenResponse-CY1CaU2l.js';
-export { H as HttpClient, a as HttpRequest, b as HttpResponse, c as createFetchHttpClient } from './TokenResponse-CY1CaU2l.js';
+import { H as HttpClient, R as RawTokenResponse, T as TokenResponse } from './TokenResponse-CY1CaU2l.js';
+export { a as HttpRequest, b as HttpResponse, c as createFetchHttpClient } from './TokenResponse-CY1CaU2l.js';
 
 /**
  * Roles emitted by Keycloak realms in the dloizides.com portfolio.
@@ -315,6 +315,109 @@ declare class BiometricGate {
     unlock(): Promise<void>;
 }
 
+/** Credentials posted to `POST /bff/login`. */
+interface BffLoginRequest {
+    username: string;
+    password: string;
+}
+/** Payload for `POST /bff/register` — proxied by the BFF to TenantService. */
+interface BffRegisterRequest {
+    firstName: string;
+    lastName: string;
+    username: string;
+    email: string;
+    password: string;
+    tenantName: string;
+    [key: string]: unknown;
+}
+/** Payload for `POST /bff/forgot-password` — proxied to TenantService. */
+interface BffForgotPasswordRequest {
+    email: string;
+    /** Full URL with a `{token}` placeholder; the backend substitutes the token. */
+    resetUrlTemplate?: string;
+    [key: string]: unknown;
+}
+/** Payload for `POST /bff/reset-password` — proxied to TenantService. */
+interface BffResetPasswordRequest {
+    token: string;
+    newPassword: string;
+}
+/**
+ * The user object returned by `GET /bff/me` and `POST /bff/login`. The BFF
+ * returns the sanitised KC claims under a `user` envelope and **never** a
+ * token. Kept permissive so server-added claims flow through without a bump.
+ */
+interface BffUser {
+    sub?: string;
+    email?: string;
+    email_verified?: boolean;
+    name?: string;
+    preferred_username?: string;
+    given_name?: string;
+    family_name?: string;
+    tenantId?: string;
+    roles?: string[];
+    [key: string]: unknown;
+}
+interface BffAuthClientOptions {
+    /** Runtime-agnostic HTTP transport (wrap native `fetch` with `createFetchHttpClient`). */
+    http: HttpClient;
+    /**
+     * BFF origin. Defaults to `''` (same-origin) — the production wiring. An
+     * explicit origin is only useful for tests or a non-same-origin BFF.
+     */
+    baseUrl?: string;
+}
+/**
+ * Same-origin client for a per-app BFF.
+ *
+ * No token storage, no refresh logic, no realm awareness — the BFF owns all of
+ * that server-side. The browser's only auth artefact is the httpOnly cookie.
+ */
+declare class BffAuthClient {
+    private readonly http;
+    private readonly baseUrl;
+    constructor(options: BffAuthClientOptions);
+    /**
+     * `POST /bff/login` — the BFF does ROPC against Keycloak server-side, stores
+     * the tokens in its Redis vault, and sets the httpOnly session cookie.
+     * Returns the sanitised user. Throws on a non-2xx response.
+     */
+    login(request: BffLoginRequest): Promise<BffUser>;
+    /**
+     * `POST /bff/logout` — the BFF calls KC end-session, deletes the Redis
+     * session, and clears the cookie. Non-fatal: a failed logout still leaves
+     * the SPA logged out client-side. Throws only on a non-2xx response.
+     */
+    logout(): Promise<void>;
+    /**
+     * `GET /bff/me` — the live session's sanitised user, or `null` when there is
+     * no session (the BFF answers `401`). Used at app load to bootstrap auth
+     * state in place of the old token-in-storage check.
+     */
+    getCurrentUser(): Promise<BffUser | null>;
+    /**
+     * `POST /bff/register` — the BFF proxies registration to TenantService and,
+     * on success, establishes a session exactly like `login`. Returns the user.
+     */
+    register(request: BffRegisterRequest): Promise<BffUser>;
+    /**
+     * `POST /bff/forgot-password` — proxied to TenantService. The backend
+     * returns 200 unconditionally (no email enumeration); anything else throws.
+     */
+    forgotPassword(request: BffForgotPasswordRequest): Promise<void>;
+    /**
+     * `POST /bff/reset-password` — proxied to TenantService. Throws on a non-2xx
+     * response (e.g. `400` for an invalid / expired token).
+     */
+    resetPassword(request: BffResetPasswordRequest): Promise<void>;
+    /**
+     * Shared POST for every state-changing `/bff/*` call: same-origin, cookie
+     * included, `X-BFF-Csrf` header attached. Throws a labelled error on non-2xx.
+     */
+    private postState;
+}
+
 /**
  * Convert a Keycloak `/userinfo` payload into a flat, app-friendly user object.
  *
@@ -488,4 +591,4 @@ declare function normalizeTokenResponse(raw: RawTokenResponse): TokenResponse;
  */
 declare function tokenResponseToAuthTokens(response: TokenResponse, now?: number): AuthTokens;
 
-export { AuthTokens, type AuthorizationCodeBodyInput, type AuthorizationResponseLike, type AuthorizationUrlInput, type BiometricFlagStore, BiometricGate, type BiometricGateLike, type BiometricGateOptions, BrowserStorageTokenStorage, type BrowserStorageTokenStorageOptions, CookieTokenStorage, InMemoryTokenStorage, KeycloakRoles, type KeycloakUserInfo, type LocalAuthLike, type NormalizedUser, RawTokenResponse, type RefreshTokenBodyInput, type SecureStoreLike, SecureStoreTokenStorage, type SecureStoreTokenStorageOptions, type StorageLike, TokenResponse, TokenStorage, buildAuthorizationCodeBody, buildAuthorizationEndpoint, buildAuthorizationUrl, buildIssuerUrl, buildLogoutEndpoint, buildRefreshTokenBody, buildTokenEndpoint, buildUserInfoEndpoint, computeExpiresAt, decodeJwt, extractAuthCode, isKeycloakRole, isTokenExpired, normalizeKeycloakUser, normalizeTokenResponse, parseBaseUrlFromIssuer, parseRealmFromIssuer, tokenResponseToAuthTokens };
+export { AuthTokens, type AuthorizationCodeBodyInput, type AuthorizationResponseLike, type AuthorizationUrlInput, BffAuthClient, type BffAuthClientOptions, type BffForgotPasswordRequest, type BffLoginRequest, type BffRegisterRequest, type BffResetPasswordRequest, type BffUser, type BiometricFlagStore, BiometricGate, type BiometricGateLike, type BiometricGateOptions, BrowserStorageTokenStorage, type BrowserStorageTokenStorageOptions, CookieTokenStorage, HttpClient, InMemoryTokenStorage, KeycloakRoles, type KeycloakUserInfo, type LocalAuthLike, type NormalizedUser, RawTokenResponse, type RefreshTokenBodyInput, type SecureStoreLike, SecureStoreTokenStorage, type SecureStoreTokenStorageOptions, type StorageLike, TokenResponse, TokenStorage, buildAuthorizationCodeBody, buildAuthorizationEndpoint, buildAuthorizationUrl, buildIssuerUrl, buildLogoutEndpoint, buildRefreshTokenBody, buildTokenEndpoint, buildUserInfoEndpoint, computeExpiresAt, decodeJwt, extractAuthCode, isKeycloakRole, isTokenExpired, normalizeKeycloakUser, normalizeTokenResponse, parseBaseUrlFromIssuer, parseRealmFromIssuer, tokenResponseToAuthTokens };

package/dist/index.js

@@ -1059,6 +1059,121 @@ var AuthApiClient = class {
   }
 };
 
+// src/bff/BffAuthClient.ts
+var CSRF_HEADER = "X-BFF-Csrf";
+var CSRF_HEADER_VALUE = "1";
+var JSON_CONTENT_TYPE = "application/json";
+var ENDPOINTS = {
+  login: "/bff/login",
+  logout: "/bff/logout",
+  me: "/bff/me",
+  register: "/bff/register",
+  forgotPassword: "/bff/forgot-password",
+  resetPassword: "/bff/reset-password"
+};
+function isRecord(value) {
+  return typeof value === "object" && value !== null;
+}
+function extractUser(data) {
+  if (!isRecord(data)) {
+    return null;
+  }
+  const envelope = data;
+  return isRecord(envelope.user) ? envelope.user : null;
+}
+var BffAuthClient = class {
+  constructor(options) {
+    this.http = options.http;
+    this.baseUrl = (options.baseUrl ?? "").replace(/\/$/, "");
+  }
+  /**
+   * `POST /bff/login` — the BFF does ROPC against Keycloak server-side, stores
+   * the tokens in its Redis vault, and sets the httpOnly session cookie.
+   * Returns the sanitised user. Throws on a non-2xx response.
+   */
+  async login(request) {
+    const data = await this.postState(ENDPOINTS.login, request, "login");
+    const user = extractUser(data);
+    if (user === null) {
+      throw new Error("login: BFF response missing user");
+    }
+    return user;
+  }
+  /**
+   * `POST /bff/logout` — the BFF calls KC end-session, deletes the Redis
+   * session, and clears the cookie. Non-fatal: a failed logout still leaves
+   * the SPA logged out client-side. Throws only on a non-2xx response.
+   */
+  async logout() {
+    await this.postState(ENDPOINTS.logout, void 0, "logout");
+  }
+  /**
+   * `GET /bff/me` — the live session's sanitised user, or `null` when there is
+   * no session (the BFF answers `401`). Used at app load to bootstrap auth
+   * state in place of the old token-in-storage check.
+   */
+  async getCurrentUser() {
+    const response = await this.http({
+      url: `${this.baseUrl}${ENDPOINTS.me}`,
+      method: "GET",
+      headers: { Accept: JSON_CONTENT_TYPE },
+      credentials: "include"
+    });
+    if (!response.ok) {
+      return null;
+    }
+    return extractUser(response.data);
+  }
+  /**
+   * `POST /bff/register` — the BFF proxies registration to TenantService and,
+   * on success, establishes a session exactly like `login`. Returns the user.
+   */
+  async register(request) {
+    const data = await this.postState(ENDPOINTS.register, request, "register");
+    const user = extractUser(data);
+    if (user === null) {
+      throw new Error("register: BFF response missing user");
+    }
+    return user;
+  }
+  /**
+   * `POST /bff/forgot-password` — proxied to TenantService. The backend
+   * returns 200 unconditionally (no email enumeration); anything else throws.
+   */
+  async forgotPassword(request) {
+    await this.postState(ENDPOINTS.forgotPassword, request, "forgot-password");
+  }
+  /**
+   * `POST /bff/reset-password` — proxied to TenantService. Throws on a non-2xx
+   * response (e.g. `400` for an invalid / expired token).
+   */
+  async resetPassword(request) {
+    await this.postState(ENDPOINTS.resetPassword, request, "reset-password");
+  }
+  /**
+   * Shared POST for every state-changing `/bff/*` call: same-origin, cookie
+   * included, `X-BFF-Csrf` header attached. Throws a labelled error on non-2xx.
+   */
+  async postState(path, body, label) {
+    const headers = {
+      "Content-Type": JSON_CONTENT_TYPE,
+      Accept: JSON_CONTENT_TYPE,
+      [CSRF_HEADER]: CSRF_HEADER_VALUE
+    };
+    const response = await this.http({
+      url: `${this.baseUrl}${path}`,
+      method: "POST",
+      headers,
+      body: body === void 0 ? void 0 : JSON.stringify(body),
+      credentials: "include"
+    });
+    if (!response.ok) {
+      throw new Error(`${label} failed with status ${String(response.status)}`);
+    }
+    return response.data;
+  }
+};
+
 // src/utils/normalizeKeycloakUser.ts
 function isNonEmptyString(value) {
   return typeof value === "string" && value !== "";
@@ -1172,6 +1287,7 @@ function decodeUtf8(binary) {
 exports.AuthApiClient = AuthApiClient;
 exports.AuthClient = AuthClient;
 exports.AuthEventEmitter = AuthEventEmitter;
+exports.BffAuthClient = BffAuthClient;
 exports.BiometricGate = BiometricGate;
 exports.BrowserStorageTokenStorage = BrowserStorageTokenStorage;
 exports.CookieTokenStorage = CookieTokenStorage;