@dloizides/auth-client 2.1.0 → 3.2.1

package/CHANGELOG.md

@@ -1,5 +1,72 @@
 # Changelog
 
+## 3.2.0 (2026-05-22)
+
+Additive release for Phase 3d of the unified-auth plan — event-scoped PIN
+login. Extends `BffAuthClient` with the browser-facing PIN call so the new
+`<PinForm>` in `@dloizides/auth-web` has a same-origin client. No breaking
+changes.
+
+### Added
+
+- `BffAuthClient.pinLogin({ pin, eventExternalId })` → `POST /bff/pin/login`.
+  The BFF runs the event-scoped PIN direct-grant against Keycloak server-side
+  (the `(event, pin)` pair resolves to the staff member's KC account + their
+  event-scoped role) and sets the httpOnly session cookie. Returns the
+  sanitised `BffUser`, exactly like `login` / `verifyOtp`. Throws on a non-2xx
+  (`401` for a bad / expired / locked-out PIN or an unknown event, `501` when
+  PIN login is not an enabled method). Carries the `X-BFF-Csrf` header like
+  every other state-changing call. No `username` / `password` ever leaves the
+  browser.
+- Type: `BffPinLoginRequest`.
+
+## 3.1.0 (2026-05-22)
+
+Additive release for Phase 2d of the unified-auth plan — email-OTP. Extends
+`BffAuthClient` with the two browser-facing OTP calls so the new `<OtpForm>` in
+`@dloizides/auth-web` has a same-origin client. No breaking changes.
+
+### Added
+
+- `BffAuthClient.requestOtp({ identifier })` → `POST /bff/otp/request`. The BFF
+  proxies to TenantService, which emails a short-TTL code. The endpoint is
+  anti-enumeration (a `200` is the normal path), so the method **returns** the
+  relayed `{ success, expiresIn, code }` body — the UI uses `expiresIn` for a
+  countdown. It still throws on a non-2xx (`501` OTP not enabled, `502` upstream
+  down). Carries the `X-BFF-Csrf` header like every other state-changing call.
+- `BffAuthClient.verifyOtp({ username, otp })` → `POST /bff/otp/verify`. The BFF
+  runs the OTP direct-grant against Keycloak server-side and sets the httpOnly
+  session cookie. Returns the sanitised `BffUser`, exactly like `login`. Throws
+  on a non-2xx (e.g. `401` for a bad / expired code).
+- Types: `BffOtpRequestRequest`, `BffOtpVerifyRequest`, `BffOtpRequestResult`.
+
+## 3.0.0 (2026-05-19)
+
+Major release for Phase 2 of the identity-hardening initiative. Adds the
+shared `BffAuthClient` — the same-origin client for a per-app
+**Backend-For-Frontend** (`bff-katalogos`, `bff-erevna`). The BFF terminates
+authentication server-side: the browser holds only an opaque httpOnly session
+cookie, never a token.
+
+This is the **new recommended auth surface**. The major bump signals that
+recommendation — it is **not** a breaking change: every v2.x export
+(`AuthClient`, the direct-KC ROPC adapters, `useDirectKcAuth`, the OIDC
+primitives, storage adapters, hooks) remains and is unchanged. BaseClient
+still consumes the direct-KC path; it is removed in a later phase.
+
+### Added
+
+- `BffAuthClient` — same-origin client for a per-app BFF. Methods:
+  `login({username,password})` → `POST /bff/login`; `logout()` →
+  `POST /bff/logout`; `getCurrentUser()` → `GET /bff/me`; `register(...)`,
+  `forgotPassword(...)`, `resetPassword(...)` → the matching `/bff/*`
+  endpoints. Every call is a same-origin `fetch` with
+  `credentials: 'include'`; state-changing calls carry the `X-BFF-Csrf: 1`
+  header the `Bff.AspNetCore` anti-forgery middleware requires. Does **no
+  token handling** — the BFF owns tokens, the browser owns only the cookie.
+- Types: `BffAuthClientOptions`, `BffLoginRequest`, `BffRegisterRequest`,
+  `BffForgotPasswordRequest`, `BffResetPasswordRequest`, `BffUser`.
+
 ## 2.1.0 (2026-05-17)
 
 Additive release. Lays the groundwork for the "shrink identity service"

package/README.md

@@ -119,6 +119,41 @@ const storage = new SecureStoreTokenStorage({
 await biometricGate.hydrate();
 ```
 
+## BFF auth (v3 — recommended)
+
+`BffAuthClient` is the same-origin client for a per-app **Backend-For-Frontend**
+(`bff-katalogos`, `bff-erevna`). The BFF terminates authentication
+server-side: it does ROPC against Keycloak with a confidential client, stores
+the tokens in a Redis vault, and hands the browser only an opaque httpOnly
+session cookie. The SPA never sees a token — an XSS cannot exfiltrate one.
+
+`BffAuthClient` does **no token handling**: every call is a same-origin
+`fetch` with `credentials: 'include'`, and state-changing calls carry the
+`X-BFF-Csrf: 1` header the BFF anti-forgery middleware requires.
+
+```ts
+import { BffAuthClient, createFetchHttpClient } from '@dloizides/auth-client';
+
+const bff = new BffAuthClient({
+  http: createFetchHttpClient(window.fetch.bind(window)),
+  // baseUrl defaults to '' (same-origin) — the production wiring.
+});
+
+// Login — the BFF does ROPC server-side and sets the session cookie.
+const user = await bff.login({ username, password });
+
+// Bootstrap on app load — null when there is no live session.
+const current = await bff.getCurrentUser();
+
+await bff.register({ firstName, lastName, username, email, password, tenantName });
+await bff.forgotPassword({ email, resetUrlTemplate });
+await bff.resetPassword({ token, newPassword });
+await bff.logout();
+```
+
+The direct-KC `AuthClient` / ROPC surface below is retained for consumers not
+yet on a BFF; it is deprecated and removed once every app has migrated.
+
 ## React Query hooks
 
 ```ts
@@ -156,7 +191,8 @@ auth.on('sessionExpired', () => {
 
 ### Core (`@dloizides/auth-client`)
 
-- `AuthClient` — realm-aware orchestrator. `init()`, `refresh()`, `loginWithOtp()`, `loginWithPassword()`, `logout({ everywhere })`, `requestPasswordReset()`, `confirmPasswordReset()`, plus the v1 surface (`getAccessToken`, `getTokens`, `setTokens`, `clearTokens`, `buildAuthorizationUrl`, etc.).
+- `BffAuthClient` — same-origin client for a per-app Backend-For-Frontend. `login()`, `logout()`, `getCurrentUser()`, `register()`, `forgotPassword()`, `resetPassword()`. No token handling — the BFF owns tokens, the browser owns only an httpOnly cookie. **The recommended auth surface (v3).**
+- `AuthClient` — realm-aware orchestrator. `init()`, `refresh()`, `loginWithOtp()`, `loginWithPassword()`, `logout({ everywhere })`, `requestPasswordReset()`, `confirmPasswordReset()`, plus the v1 surface (`getAccessToken`, `getTokens`, `setTokens`, `clearTokens`, `buildAuthorizationUrl`, etc.). Direct-KC ROPC; deprecated in favour of `BffAuthClient`.
 - `AuthApiClient` — typed wrapper for IdentityService auth endpoints.
 - `AuthEventEmitter` — `sessionExpired` event.
 - `RefreshInterceptor` — single-flight refresh queue.

package/dist/{AuthClient-D95OMajD.d.ts → AuthClient-Cv7btBX0.d.ts}

@@ -457,4 +457,4 @@ declare class AuthClient {
     private resolveScope;
 }
 
-export { AuthApiClient as A, type DirectKcOptions as D, type ForgotPasswordRequest as F, type InactivityStore as I, type LoginOptions as L, type OtpLoginRequest as O, type PasswordLoginRequest as P, type ResetPasswordRequest as R, type TokenStorage as T, type AuthSessionInfo as a, AuthClient as b, type AuthTokens as c, type AuthApiClientOptions as d, type AuthClientCollaborators as e, type AuthClientConfig as f, type AuthClientFromIssuerInput as g, AuthEventEmitter as h, type AuthEventListener as i, type AuthEventName as j, type AuthEventUnsubscribe as k, InactivityTracker as l, type InactivityTrackerOptions as m, type LogoutOptions as n, type RawAuthLoginResponse as o, type RefreshFn as p, RefreshInterceptor as q, type RefreshInterceptorOptions as r };
+export { AuthApiClient as A, type DirectKcOptions as D, type ForgotPasswordRequest as F, type InactivityStore as I, type LoginOptions as L, type OtpLoginRequest as O, type PasswordLoginRequest as P, type RawAuthLoginResponse as R, type TokenStorage as T, type AuthApiClientOptions as a, AuthClient as b, type AuthClientCollaborators as c, type AuthClientConfig as d, type AuthClientFromIssuerInput as e, AuthEventEmitter as f, type AuthEventListener as g, type AuthEventName as h, type AuthEventUnsubscribe as i, type AuthSessionInfo as j, type AuthTokens as k, InactivityTracker as l, type InactivityTrackerOptions as m, type LogoutOptions as n, type RefreshFn as o, RefreshInterceptor as p, type RefreshInterceptorOptions as q, type ResetPasswordRequest as r };

package/dist/{AuthClient-BGr8L03W.d.mts → AuthClient-D8Ul-aGa.d.mts}

@@ -457,4 +457,4 @@ declare class AuthClient {
     private resolveScope;
 }
 
-export { AuthApiClient as A, type DirectKcOptions as D, type ForgotPasswordRequest as F, type InactivityStore as I, type LoginOptions as L, type OtpLoginRequest as O, type PasswordLoginRequest as P, type ResetPasswordRequest as R, type TokenStorage as T, type AuthSessionInfo as a, AuthClient as b, type AuthTokens as c, type AuthApiClientOptions as d, type AuthClientCollaborators as e, type AuthClientConfig as f, type AuthClientFromIssuerInput as g, AuthEventEmitter as h, type AuthEventListener as i, type AuthEventName as j, type AuthEventUnsubscribe as k, InactivityTracker as l, type InactivityTrackerOptions as m, type LogoutOptions as n, type RawAuthLoginResponse as o, type RefreshFn as p, RefreshInterceptor as q, type RefreshInterceptorOptions as r };
+export { AuthApiClient as A, type DirectKcOptions as D, type ForgotPasswordRequest as F, type InactivityStore as I, type LoginOptions as L, type OtpLoginRequest as O, type PasswordLoginRequest as P, type RawAuthLoginResponse as R, type TokenStorage as T, type AuthApiClientOptions as a, AuthClient as b, type AuthClientCollaborators as c, type AuthClientConfig as d, type AuthClientFromIssuerInput as e, AuthEventEmitter as f, type AuthEventListener as g, type AuthEventName as h, type AuthEventUnsubscribe as i, type AuthSessionInfo as j, type AuthTokens as k, InactivityTracker as l, type InactivityTrackerOptions as m, type LogoutOptions as n, type RefreshFn as o, RefreshInterceptor as p, type RefreshInterceptorOptions as q, type ResetPasswordRequest as r };

package/dist/index.d.mts

@@ -1,8 +1,8 @@
-import { T as TokenStorage, c as AuthTokens } from './AuthClient-BGr8L03W.mjs';
-export { A as AuthApiClient, d as AuthApiClientOptions, b as AuthClient, e as AuthClientCollaborators, f as AuthClientConfig, g as AuthClientFromIssuerInput, h as AuthEventEmitter, i as AuthEventListener, j as AuthEventName, k as AuthEventUnsubscribe, a as AuthSessionInfo, D as DirectKcOptions, F as ForgotPasswordRequest, I as InactivityStore, l as InactivityTracker, m as InactivityTrackerOptions, L as LoginOptions, n as LogoutOptions, O as OtpLoginRequest, P as PasswordLoginRequest, o as RawAuthLoginResponse, p as RefreshFn, q as RefreshInterceptor, r as RefreshInterceptorOptions, R as ResetPasswordRequest } from './AuthClient-BGr8L03W.mjs';
+import { T as TokenStorage, k as AuthTokens } from './AuthClient-D8Ul-aGa.mjs';
+export { A as AuthApiClient, a as AuthApiClientOptions, b as AuthClient, c as AuthClientCollaborators, d as AuthClientConfig, e as AuthClientFromIssuerInput, f as AuthEventEmitter, g as AuthEventListener, h as AuthEventName, i as AuthEventUnsubscribe, j as AuthSessionInfo, D as DirectKcOptions, F as ForgotPasswordRequest, I as InactivityStore, l as InactivityTracker, m as InactivityTrackerOptions, L as LoginOptions, n as LogoutOptions, O as OtpLoginRequest, P as PasswordLoginRequest, R as RawAuthLoginResponse, o as RefreshFn, p as RefreshInterceptor, q as RefreshInterceptorOptions, r as ResetPasswordRequest } from './AuthClient-D8Ul-aGa.mjs';
 export { ExchangeAuthorizationCodeInput, FetchDiscoveryDocumentInput, OidcDiscoveryDocument, PkcePair, RefreshAccessTokenInput, clearDiscoveryCache, deriveCodeChallenge, exchangeAuthorizationCode, fetchDiscoveryDocument, generateCodeVerifier, generatePkcePair, refreshAccessToken } from './oidc/index.mjs';
-import { R as RawTokenResponse, T as TokenResponse } from './TokenResponse-CY1CaU2l.mjs';
-export { H as HttpClient, a as HttpRequest, b as HttpResponse, c as createFetchHttpClient } from './TokenResponse-CY1CaU2l.mjs';
+import { H as HttpClient, R as RawTokenResponse, T as TokenResponse } from './TokenResponse-CY1CaU2l.mjs';
+export { a as HttpRequest, b as HttpResponse, c as createFetchHttpClient } from './TokenResponse-CY1CaU2l.mjs';
 
 /**
  * Roles emitted by Keycloak realms in the dloizides.com portfolio.
@@ -315,6 +315,182 @@ declare class BiometricGate {
     unlock(): Promise<void>;
 }
 
+/** Credentials posted to `POST /bff/login`. */
+interface BffLoginRequest {
+    username: string;
+    password: string;
+}
+/** Payload for `POST /bff/register` — proxied by the BFF to TenantService. */
+interface BffRegisterRequest {
+    firstName: string;
+    lastName: string;
+    username: string;
+    email: string;
+    password: string;
+    tenantName: string;
+    [key: string]: unknown;
+}
+/** Payload for `POST /bff/forgot-password` — proxied to TenantService. */
+interface BffForgotPasswordRequest {
+    email: string;
+    /** Full URL with a `{token}` placeholder; the backend substitutes the token. */
+    resetUrlTemplate?: string;
+    [key: string]: unknown;
+}
+/** Payload for `POST /bff/reset-password` — proxied to TenantService. */
+interface BffResetPasswordRequest {
+    token: string;
+    newPassword: string;
+}
+/**
+ * Payload for `POST /bff/otp/request` — the BFF proxies it to TenantService,
+ * which generates a short-TTL code and emails it.
+ */
+interface BffOtpRequestRequest {
+    /** The email address (or username) the one-time code is sent to. */
+    identifier: string;
+}
+/** Payload for `POST /bff/otp/verify` — the BFF exchanges it for a session. */
+interface BffOtpVerifyRequest {
+    /** The email / username the code was requested for. */
+    username: string;
+    /** The one-time code the user entered. */
+    otp: string;
+}
+/**
+ * Payload for `POST /bff/pin/login` — the BFF exchanges an event-scoped PIN
+ * for a session.
+ *
+ * The `(event, pin)` pair alone identifies the staff member: no `username` /
+ * `password` ever leaves the browser. A PIN entered in an event's context
+ * grants that staff member their event-scoped role for that event only
+ * (the unified-auth plan §4.4 — event-scoped, per-individual PINs).
+ */
+interface BffPinLoginRequest {
+    /** The numeric PIN the staff member entered. */
+    pin: string;
+    /** External id of the event the PIN is scoped to (supplied by the page/route). */
+    eventExternalId: string;
+}
+/**
+ * The body `POST /bff/otp/request` relays from TenantService.
+ *
+ * Anti-enumeration: the shape is identical whether or not the identifier is
+ * registered. `code` is non-null only outside production (a dev convenience);
+ * the UI must never depend on it being present.
+ */
+interface BffOtpRequestResult {
+    /** Always `true` on a relayed 200 — the request was accepted. */
+    success: boolean;
+    /** Seconds until the emitted code expires — drives a countdown in the UI. */
+    expiresIn: number;
+    /** The code itself, non-production only; `null` (or absent) in production. */
+    code: string | null;
+}
+/**
+ * The user object returned by `GET /bff/me` and `POST /bff/login`. The BFF
+ * returns the sanitised KC claims under a `user` envelope and **never** a
+ * token. Kept permissive so server-added claims flow through without a bump.
+ */
+interface BffUser {
+    sub?: string;
+    email?: string;
+    email_verified?: boolean;
+    name?: string;
+    preferred_username?: string;
+    given_name?: string;
+    family_name?: string;
+    tenantId?: string;
+    roles?: string[];
+    [key: string]: unknown;
+}
+interface BffAuthClientOptions {
+    /** Runtime-agnostic HTTP transport (wrap native `fetch` with `createFetchHttpClient`). */
+    http: HttpClient;
+    /**
+     * BFF origin. Defaults to `''` (same-origin) — the production wiring. An
+     * explicit origin is only useful for tests or a non-same-origin BFF.
+     */
+    baseUrl?: string;
+}
+/**
+ * Same-origin client for a per-app BFF.
+ *
+ * No token storage, no refresh logic, no realm awareness — the BFF owns all of
+ * that server-side. The browser's only auth artefact is the httpOnly cookie.
+ */
+declare class BffAuthClient {
+    private readonly http;
+    private readonly baseUrl;
+    constructor(options: BffAuthClientOptions);
+    /**
+     * `POST /bff/login` — the BFF does ROPC against Keycloak server-side, stores
+     * the tokens in its Redis vault, and sets the httpOnly session cookie.
+     * Returns the sanitised user. Throws on a non-2xx response.
+     */
+    login(request: BffLoginRequest): Promise<BffUser>;
+    /**
+     * `POST /bff/logout` — the BFF calls KC end-session, deletes the Redis
+     * session, and clears the cookie. Non-fatal: a failed logout still leaves
+     * the SPA logged out client-side. Throws only on a non-2xx response.
+     */
+    logout(): Promise<void>;
+    /**
+     * `GET /bff/me` — the live session's sanitised user, or `null` when there is
+     * no session (the BFF answers `401`). Used at app load to bootstrap auth
+     * state in place of the old token-in-storage check.
+     */
+    getCurrentUser(): Promise<BffUser | null>;
+    /**
+     * `POST /bff/register` — the BFF proxies registration to TenantService and,
+     * on success, establishes a session exactly like `login`. Returns the user.
+     */
+    register(request: BffRegisterRequest): Promise<BffUser>;
+    /**
+     * `POST /bff/forgot-password` — proxied to TenantService. The backend
+     * returns 200 unconditionally (no email enumeration); anything else throws.
+     */
+    forgotPassword(request: BffForgotPasswordRequest): Promise<void>;
+    /**
+     * `POST /bff/reset-password` — proxied to TenantService. Throws on a non-2xx
+     * response (e.g. `400` for an invalid / expired token).
+     */
+    resetPassword(request: BffResetPasswordRequest): Promise<void>;
+    /**
+     * `POST /bff/otp/request` — the BFF proxies to TenantService, which generates
+     * a short-TTL code and emails it.
+     *
+     * The endpoint is anti-enumeration: a `200` is the normal path whether or not
+     * the identifier is registered. This method therefore **returns** the relayed
+     * `{ success, expiresIn, code }` body (so the UI can show the expiry) rather
+     * than treating a 200 as opaque. It still throws on a non-2xx — a `501`
+     * (OTP not enabled) or `502` (upstream down) is a real failure to surface.
+     */
+    requestOtp(request: BffOtpRequestRequest): Promise<BffOtpRequestResult>;
+    /**
+     * `POST /bff/otp/verify` — the BFF runs the OTP direct-grant against Keycloak
+     * server-side, stores the tokens in its Redis vault, and sets the httpOnly
+     * session cookie. Returns the sanitised user, exactly like `login`. Throws on
+     * a non-2xx (e.g. `401` for a bad / expired code).
+     */
+    verifyOtp(request: BffOtpVerifyRequest): Promise<BffUser>;
+    /**
+     * `POST /bff/pin/login` — the BFF runs the event-scoped PIN direct-grant
+     * against Keycloak server-side (the `(event, pin)` pair resolves to the
+     * staff member's KC account + event-scoped role), stores the tokens in its
+     * Redis vault, and sets the httpOnly session cookie. Returns the sanitised
+     * user, exactly like `login` / `verifyOtp`. Throws on a non-2xx — `401` for
+     * a bad / expired / locked-out PIN or an unknown event, `501` when PIN login
+     * is not an enabled method for this BFF.
+     */
+    pinLogin(request: BffPinLoginRequest): Promise<BffUser>;
+    /**
+     * Shared POST for every state-changing `/bff/*` call: same-origin, cookie
+     * included, `X-BFF-Csrf` header attached. Throws a labelled error on non-2xx.
+     */
+    private postState;
+}
+
 /**
  * Convert a Keycloak `/userinfo` payload into a flat, app-friendly user object.
  *
@@ -488,4 +664,4 @@ declare function normalizeTokenResponse(raw: RawTokenResponse): TokenResponse;
  */
 declare function tokenResponseToAuthTokens(response: TokenResponse, now?: number): AuthTokens;
 
-export { AuthTokens, type AuthorizationCodeBodyInput, type AuthorizationResponseLike, type AuthorizationUrlInput, type BiometricFlagStore, BiometricGate, type BiometricGateLike, type BiometricGateOptions, BrowserStorageTokenStorage, type BrowserStorageTokenStorageOptions, CookieTokenStorage, InMemoryTokenStorage, KeycloakRoles, type KeycloakUserInfo, type LocalAuthLike, type NormalizedUser, RawTokenResponse, type RefreshTokenBodyInput, type SecureStoreLike, SecureStoreTokenStorage, type SecureStoreTokenStorageOptions, type StorageLike, TokenResponse, TokenStorage, buildAuthorizationCodeBody, buildAuthorizationEndpoint, buildAuthorizationUrl, buildIssuerUrl, buildLogoutEndpoint, buildRefreshTokenBody, buildTokenEndpoint, buildUserInfoEndpoint, computeExpiresAt, decodeJwt, extractAuthCode, isKeycloakRole, isTokenExpired, normalizeKeycloakUser, normalizeTokenResponse, parseBaseUrlFromIssuer, parseRealmFromIssuer, tokenResponseToAuthTokens };
+export { AuthTokens, type AuthorizationCodeBodyInput, type AuthorizationResponseLike, type AuthorizationUrlInput, BffAuthClient, type BffAuthClientOptions, type BffForgotPasswordRequest, type BffLoginRequest, type BffOtpRequestRequest, type BffOtpRequestResult, type BffOtpVerifyRequest, type BffPinLoginRequest, type BffRegisterRequest, type BffResetPasswordRequest, type BffUser, type BiometricFlagStore, BiometricGate, type BiometricGateLike, type BiometricGateOptions, BrowserStorageTokenStorage, type BrowserStorageTokenStorageOptions, CookieTokenStorage, HttpClient, InMemoryTokenStorage, KeycloakRoles, type KeycloakUserInfo, type LocalAuthLike, type NormalizedUser, RawTokenResponse, type RefreshTokenBodyInput, type SecureStoreLike, SecureStoreTokenStorage, type SecureStoreTokenStorageOptions, type StorageLike, TokenResponse, TokenStorage, buildAuthorizationCodeBody, buildAuthorizationEndpoint, buildAuthorizationUrl, buildIssuerUrl, buildLogoutEndpoint, buildRefreshTokenBody, buildTokenEndpoint, buildUserInfoEndpoint, computeExpiresAt, decodeJwt, extractAuthCode, isKeycloakRole, isTokenExpired, normalizeKeycloakUser, normalizeTokenResponse, parseBaseUrlFromIssuer, parseRealmFromIssuer, tokenResponseToAuthTokens };

package/dist/index.d.ts

@@ -1,8 +1,8 @@
-import { T as TokenStorage, c as AuthTokens } from './AuthClient-D95OMajD.js';
-export { A as AuthApiClient, d as AuthApiClientOptions, b as AuthClient, e as AuthClientCollaborators, f as AuthClientConfig, g as AuthClientFromIssuerInput, h as AuthEventEmitter, i as AuthEventListener, j as AuthEventName, k as AuthEventUnsubscribe, a as AuthSessionInfo, D as DirectKcOptions, F as ForgotPasswordRequest, I as InactivityStore, l as InactivityTracker, m as InactivityTrackerOptions, L as LoginOptions, n as LogoutOptions, O as OtpLoginRequest, P as PasswordLoginRequest, o as RawAuthLoginResponse, p as RefreshFn, q as RefreshInterceptor, r as RefreshInterceptorOptions, R as ResetPasswordRequest } from './AuthClient-D95OMajD.js';
+import { T as TokenStorage, k as AuthTokens } from './AuthClient-Cv7btBX0.js';
+export { A as AuthApiClient, a as AuthApiClientOptions, b as AuthClient, c as AuthClientCollaborators, d as AuthClientConfig, e as AuthClientFromIssuerInput, f as AuthEventEmitter, g as AuthEventListener, h as AuthEventName, i as AuthEventUnsubscribe, j as AuthSessionInfo, D as DirectKcOptions, F as ForgotPasswordRequest, I as InactivityStore, l as InactivityTracker, m as InactivityTrackerOptions, L as LoginOptions, n as LogoutOptions, O as OtpLoginRequest, P as PasswordLoginRequest, R as RawAuthLoginResponse, o as RefreshFn, p as RefreshInterceptor, q as RefreshInterceptorOptions, r as ResetPasswordRequest } from './AuthClient-Cv7btBX0.js';
 export { ExchangeAuthorizationCodeInput, FetchDiscoveryDocumentInput, OidcDiscoveryDocument, PkcePair, RefreshAccessTokenInput, clearDiscoveryCache, deriveCodeChallenge, exchangeAuthorizationCode, fetchDiscoveryDocument, generateCodeVerifier, generatePkcePair, refreshAccessToken } from './oidc/index.js';
-import { R as RawTokenResponse, T as TokenResponse } from './TokenResponse-CY1CaU2l.js';
-export { H as HttpClient, a as HttpRequest, b as HttpResponse, c as createFetchHttpClient } from './TokenResponse-CY1CaU2l.js';
+import { H as HttpClient, R as RawTokenResponse, T as TokenResponse } from './TokenResponse-CY1CaU2l.js';
+export { a as HttpRequest, b as HttpResponse, c as createFetchHttpClient } from './TokenResponse-CY1CaU2l.js';
 
 /**
  * Roles emitted by Keycloak realms in the dloizides.com portfolio.
@@ -315,6 +315,182 @@ declare class BiometricGate {
     unlock(): Promise<void>;
 }
 
+/** Credentials posted to `POST /bff/login`. */
+interface BffLoginRequest {
+    username: string;
+    password: string;
+}
+/** Payload for `POST /bff/register` — proxied by the BFF to TenantService. */
+interface BffRegisterRequest {
+    firstName: string;
+    lastName: string;
+    username: string;
+    email: string;
+    password: string;
+    tenantName: string;
+    [key: string]: unknown;
+}
+/** Payload for `POST /bff/forgot-password` — proxied to TenantService. */
+interface BffForgotPasswordRequest {
+    email: string;
+    /** Full URL with a `{token}` placeholder; the backend substitutes the token. */
+    resetUrlTemplate?: string;
+    [key: string]: unknown;
+}
+/** Payload for `POST /bff/reset-password` — proxied to TenantService. */
+interface BffResetPasswordRequest {
+    token: string;
+    newPassword: string;
+}
+/**
+ * Payload for `POST /bff/otp/request` — the BFF proxies it to TenantService,
+ * which generates a short-TTL code and emails it.
+ */
+interface BffOtpRequestRequest {
+    /** The email address (or username) the one-time code is sent to. */
+    identifier: string;
+}
+/** Payload for `POST /bff/otp/verify` — the BFF exchanges it for a session. */
+interface BffOtpVerifyRequest {
+    /** The email / username the code was requested for. */
+    username: string;
+    /** The one-time code the user entered. */
+    otp: string;
+}
+/**
+ * Payload for `POST /bff/pin/login` — the BFF exchanges an event-scoped PIN
+ * for a session.
+ *
+ * The `(event, pin)` pair alone identifies the staff member: no `username` /
+ * `password` ever leaves the browser. A PIN entered in an event's context
+ * grants that staff member their event-scoped role for that event only
+ * (the unified-auth plan §4.4 — event-scoped, per-individual PINs).
+ */
+interface BffPinLoginRequest {
+    /** The numeric PIN the staff member entered. */
+    pin: string;
+    /** External id of the event the PIN is scoped to (supplied by the page/route). */
+    eventExternalId: string;
+}
+/**
+ * The body `POST /bff/otp/request` relays from TenantService.
+ *
+ * Anti-enumeration: the shape is identical whether or not the identifier is
+ * registered. `code` is non-null only outside production (a dev convenience);
+ * the UI must never depend on it being present.
+ */
+interface BffOtpRequestResult {
+    /** Always `true` on a relayed 200 — the request was accepted. */
+    success: boolean;
+    /** Seconds until the emitted code expires — drives a countdown in the UI. */
+    expiresIn: number;
+    /** The code itself, non-production only; `null` (or absent) in production. */
+    code: string | null;
+}
+/**
+ * The user object returned by `GET /bff/me` and `POST /bff/login`. The BFF
+ * returns the sanitised KC claims under a `user` envelope and **never** a
+ * token. Kept permissive so server-added claims flow through without a bump.
+ */
+interface BffUser {
+    sub?: string;
+    email?: string;
+    email_verified?: boolean;
+    name?: string;
+    preferred_username?: string;
+    given_name?: string;
+    family_name?: string;
+    tenantId?: string;
+    roles?: string[];
+    [key: string]: unknown;
+}
+interface BffAuthClientOptions {
+    /** Runtime-agnostic HTTP transport (wrap native `fetch` with `createFetchHttpClient`). */
+    http: HttpClient;
+    /**
+     * BFF origin. Defaults to `''` (same-origin) — the production wiring. An
+     * explicit origin is only useful for tests or a non-same-origin BFF.
+     */
+    baseUrl?: string;
+}
+/**
+ * Same-origin client for a per-app BFF.
+ *
+ * No token storage, no refresh logic, no realm awareness — the BFF owns all of
+ * that server-side. The browser's only auth artefact is the httpOnly cookie.
+ */
+declare class BffAuthClient {
+    private readonly http;
+    private readonly baseUrl;
+    constructor(options: BffAuthClientOptions);
+    /**
+     * `POST /bff/login` — the BFF does ROPC against Keycloak server-side, stores
+     * the tokens in its Redis vault, and sets the httpOnly session cookie.
+     * Returns the sanitised user. Throws on a non-2xx response.
+     */
+    login(request: BffLoginRequest): Promise<BffUser>;
+    /**
+     * `POST /bff/logout` — the BFF calls KC end-session, deletes the Redis
+     * session, and clears the cookie. Non-fatal: a failed logout still leaves
+     * the SPA logged out client-side. Throws only on a non-2xx response.
+     */
+    logout(): Promise<void>;
+    /**
+     * `GET /bff/me` — the live session's sanitised user, or `null` when there is
+     * no session (the BFF answers `401`). Used at app load to bootstrap auth
+     * state in place of the old token-in-storage check.
+     */
+    getCurrentUser(): Promise<BffUser | null>;
+    /**
+     * `POST /bff/register` — the BFF proxies registration to TenantService and,
+     * on success, establishes a session exactly like `login`. Returns the user.
+     */
+    register(request: BffRegisterRequest): Promise<BffUser>;
+    /**
+     * `POST /bff/forgot-password` — proxied to TenantService. The backend
+     * returns 200 unconditionally (no email enumeration); anything else throws.
+     */
+    forgotPassword(request: BffForgotPasswordRequest): Promise<void>;
+    /**
+     * `POST /bff/reset-password` — proxied to TenantService. Throws on a non-2xx
+     * response (e.g. `400` for an invalid / expired token).
+     */
+    resetPassword(request: BffResetPasswordRequest): Promise<void>;
+    /**
+     * `POST /bff/otp/request` — the BFF proxies to TenantService, which generates
+     * a short-TTL code and emails it.
+     *
+     * The endpoint is anti-enumeration: a `200` is the normal path whether or not
+     * the identifier is registered. This method therefore **returns** the relayed
+     * `{ success, expiresIn, code }` body (so the UI can show the expiry) rather
+     * than treating a 200 as opaque. It still throws on a non-2xx — a `501`
+     * (OTP not enabled) or `502` (upstream down) is a real failure to surface.
+     */
+    requestOtp(request: BffOtpRequestRequest): Promise<BffOtpRequestResult>;
+    /**
+     * `POST /bff/otp/verify` — the BFF runs the OTP direct-grant against Keycloak
+     * server-side, stores the tokens in its Redis vault, and sets the httpOnly
+     * session cookie. Returns the sanitised user, exactly like `login`. Throws on
+     * a non-2xx (e.g. `401` for a bad / expired code).
+     */
+    verifyOtp(request: BffOtpVerifyRequest): Promise<BffUser>;
+    /**
+     * `POST /bff/pin/login` — the BFF runs the event-scoped PIN direct-grant
+     * against Keycloak server-side (the `(event, pin)` pair resolves to the
+     * staff member's KC account + event-scoped role), stores the tokens in its
+     * Redis vault, and sets the httpOnly session cookie. Returns the sanitised
+     * user, exactly like `login` / `verifyOtp`. Throws on a non-2xx — `401` for
+     * a bad / expired / locked-out PIN or an unknown event, `501` when PIN login
+     * is not an enabled method for this BFF.
+     */
+    pinLogin(request: BffPinLoginRequest): Promise<BffUser>;
+    /**
+     * Shared POST for every state-changing `/bff/*` call: same-origin, cookie
+     * included, `X-BFF-Csrf` header attached. Throws a labelled error on non-2xx.
+     */
+    private postState;
+}
+
 /**
  * Convert a Keycloak `/userinfo` payload into a flat, app-friendly user object.
  *
@@ -488,4 +664,4 @@ declare function normalizeTokenResponse(raw: RawTokenResponse): TokenResponse;
  */
 declare function tokenResponseToAuthTokens(response: TokenResponse, now?: number): AuthTokens;
 
-export { AuthTokens, type AuthorizationCodeBodyInput, type AuthorizationResponseLike, type AuthorizationUrlInput, type BiometricFlagStore, BiometricGate, type BiometricGateLike, type BiometricGateOptions, BrowserStorageTokenStorage, type BrowserStorageTokenStorageOptions, CookieTokenStorage, InMemoryTokenStorage, KeycloakRoles, type KeycloakUserInfo, type LocalAuthLike, type NormalizedUser, RawTokenResponse, type RefreshTokenBodyInput, type SecureStoreLike, SecureStoreTokenStorage, type SecureStoreTokenStorageOptions, type StorageLike, TokenResponse, TokenStorage, buildAuthorizationCodeBody, buildAuthorizationEndpoint, buildAuthorizationUrl, buildIssuerUrl, buildLogoutEndpoint, buildRefreshTokenBody, buildTokenEndpoint, buildUserInfoEndpoint, computeExpiresAt, decodeJwt, extractAuthCode, isKeycloakRole, isTokenExpired, normalizeKeycloakUser, normalizeTokenResponse, parseBaseUrlFromIssuer, parseRealmFromIssuer, tokenResponseToAuthTokens };
+export { AuthTokens, type AuthorizationCodeBodyInput, type AuthorizationResponseLike, type AuthorizationUrlInput, BffAuthClient, type BffAuthClientOptions, type BffForgotPasswordRequest, type BffLoginRequest, type BffOtpRequestRequest, type BffOtpRequestResult, type BffOtpVerifyRequest, type BffPinLoginRequest, type BffRegisterRequest, type BffResetPasswordRequest, type BffUser, type BiometricFlagStore, BiometricGate, type BiometricGateLike, type BiometricGateOptions, BrowserStorageTokenStorage, type BrowserStorageTokenStorageOptions, CookieTokenStorage, HttpClient, InMemoryTokenStorage, KeycloakRoles, type KeycloakUserInfo, type LocalAuthLike, type NormalizedUser, RawTokenResponse, type RefreshTokenBodyInput, type SecureStoreLike, SecureStoreTokenStorage, type SecureStoreTokenStorageOptions, type StorageLike, TokenResponse, TokenStorage, buildAuthorizationCodeBody, buildAuthorizationEndpoint, buildAuthorizationUrl, buildIssuerUrl, buildLogoutEndpoint, buildRefreshTokenBody, buildTokenEndpoint, buildUserInfoEndpoint, computeExpiresAt, decodeJwt, extractAuthCode, isKeycloakRole, isTokenExpired, normalizeKeycloakUser, normalizeTokenResponse, parseBaseUrlFromIssuer, parseRealmFromIssuer, tokenResponseToAuthTokens };