@dloizides/auth-client 3.0.0 → 3.2.1

package/CHANGELOG.md

@@ -1,5 +1,45 @@
 # Changelog
 
+## 3.2.0 (2026-05-22)
+
+Additive release for Phase 3d of the unified-auth plan — event-scoped PIN
+login. Extends `BffAuthClient` with the browser-facing PIN call so the new
+`<PinForm>` in `@dloizides/auth-web` has a same-origin client. No breaking
+changes.
+
+### Added
+
+- `BffAuthClient.pinLogin({ pin, eventExternalId })` → `POST /bff/pin/login`.
+  The BFF runs the event-scoped PIN direct-grant against Keycloak server-side
+  (the `(event, pin)` pair resolves to the staff member's KC account + their
+  event-scoped role) and sets the httpOnly session cookie. Returns the
+  sanitised `BffUser`, exactly like `login` / `verifyOtp`. Throws on a non-2xx
+  (`401` for a bad / expired / locked-out PIN or an unknown event, `501` when
+  PIN login is not an enabled method). Carries the `X-BFF-Csrf` header like
+  every other state-changing call. No `username` / `password` ever leaves the
+  browser.
+- Type: `BffPinLoginRequest`.
+
+## 3.1.0 (2026-05-22)
+
+Additive release for Phase 2d of the unified-auth plan — email-OTP. Extends
+`BffAuthClient` with the two browser-facing OTP calls so the new `<OtpForm>` in
+`@dloizides/auth-web` has a same-origin client. No breaking changes.
+
+### Added
+
+- `BffAuthClient.requestOtp({ identifier })` → `POST /bff/otp/request`. The BFF
+  proxies to TenantService, which emails a short-TTL code. The endpoint is
+  anti-enumeration (a `200` is the normal path), so the method **returns** the
+  relayed `{ success, expiresIn, code }` body — the UI uses `expiresIn` for a
+  countdown. It still throws on a non-2xx (`501` OTP not enabled, `502` upstream
+  down). Carries the `X-BFF-Csrf` header like every other state-changing call.
+- `BffAuthClient.verifyOtp({ username, otp })` → `POST /bff/otp/verify`. The BFF
+  runs the OTP direct-grant against Keycloak server-side and sets the httpOnly
+  session cookie. Returns the sanitised `BffUser`, exactly like `login`. Throws
+  on a non-2xx (e.g. `401` for a bad / expired code).
+- Types: `BffOtpRequestRequest`, `BffOtpVerifyRequest`, `BffOtpRequestResult`.
+
 ## 3.0.0 (2026-05-19)
 
 Major release for Phase 2 of the identity-hardening initiative. Adds the

package/dist/{AuthClient-D95OMajD.d.ts → AuthClient-Cv7btBX0.d.ts}

@@ -457,4 +457,4 @@ declare class AuthClient {
     private resolveScope;
 }
 
-export { AuthApiClient as A, type DirectKcOptions as D, type ForgotPasswordRequest as F, type InactivityStore as I, type LoginOptions as L, type OtpLoginRequest as O, type PasswordLoginRequest as P, type ResetPasswordRequest as R, type TokenStorage as T, type AuthSessionInfo as a, AuthClient as b, type AuthTokens as c, type AuthApiClientOptions as d, type AuthClientCollaborators as e, type AuthClientConfig as f, type AuthClientFromIssuerInput as g, AuthEventEmitter as h, type AuthEventListener as i, type AuthEventName as j, type AuthEventUnsubscribe as k, InactivityTracker as l, type InactivityTrackerOptions as m, type LogoutOptions as n, type RawAuthLoginResponse as o, type RefreshFn as p, RefreshInterceptor as q, type RefreshInterceptorOptions as r };
+export { AuthApiClient as A, type DirectKcOptions as D, type ForgotPasswordRequest as F, type InactivityStore as I, type LoginOptions as L, type OtpLoginRequest as O, type PasswordLoginRequest as P, type RawAuthLoginResponse as R, type TokenStorage as T, type AuthApiClientOptions as a, AuthClient as b, type AuthClientCollaborators as c, type AuthClientConfig as d, type AuthClientFromIssuerInput as e, AuthEventEmitter as f, type AuthEventListener as g, type AuthEventName as h, type AuthEventUnsubscribe as i, type AuthSessionInfo as j, type AuthTokens as k, InactivityTracker as l, type InactivityTrackerOptions as m, type LogoutOptions as n, type RefreshFn as o, RefreshInterceptor as p, type RefreshInterceptorOptions as q, type ResetPasswordRequest as r };

package/dist/{AuthClient-BGr8L03W.d.mts → AuthClient-D8Ul-aGa.d.mts}

@@ -457,4 +457,4 @@ declare class AuthClient {
     private resolveScope;
 }
 
-export { AuthApiClient as A, type DirectKcOptions as D, type ForgotPasswordRequest as F, type InactivityStore as I, type LoginOptions as L, type OtpLoginRequest as O, type PasswordLoginRequest as P, type ResetPasswordRequest as R, type TokenStorage as T, type AuthSessionInfo as a, AuthClient as b, type AuthTokens as c, type AuthApiClientOptions as d, type AuthClientCollaborators as e, type AuthClientConfig as f, type AuthClientFromIssuerInput as g, AuthEventEmitter as h, type AuthEventListener as i, type AuthEventName as j, type AuthEventUnsubscribe as k, InactivityTracker as l, type InactivityTrackerOptions as m, type LogoutOptions as n, type RawAuthLoginResponse as o, type RefreshFn as p, RefreshInterceptor as q, type RefreshInterceptorOptions as r };
+export { AuthApiClient as A, type DirectKcOptions as D, type ForgotPasswordRequest as F, type InactivityStore as I, type LoginOptions as L, type OtpLoginRequest as O, type PasswordLoginRequest as P, type RawAuthLoginResponse as R, type TokenStorage as T, type AuthApiClientOptions as a, AuthClient as b, type AuthClientCollaborators as c, type AuthClientConfig as d, type AuthClientFromIssuerInput as e, AuthEventEmitter as f, type AuthEventListener as g, type AuthEventName as h, type AuthEventUnsubscribe as i, type AuthSessionInfo as j, type AuthTokens as k, InactivityTracker as l, type InactivityTrackerOptions as m, type LogoutOptions as n, type RefreshFn as o, RefreshInterceptor as p, type RefreshInterceptorOptions as q, type ResetPasswordRequest as r };

package/dist/index.d.mts

@@ -1,5 +1,5 @@
-import { T as TokenStorage, c as AuthTokens } from './AuthClient-BGr8L03W.mjs';
-export { A as AuthApiClient, d as AuthApiClientOptions, b as AuthClient, e as AuthClientCollaborators, f as AuthClientConfig, g as AuthClientFromIssuerInput, h as AuthEventEmitter, i as AuthEventListener, j as AuthEventName, k as AuthEventUnsubscribe, a as AuthSessionInfo, D as DirectKcOptions, F as ForgotPasswordRequest, I as InactivityStore, l as InactivityTracker, m as InactivityTrackerOptions, L as LoginOptions, n as LogoutOptions, O as OtpLoginRequest, P as PasswordLoginRequest, o as RawAuthLoginResponse, p as RefreshFn, q as RefreshInterceptor, r as RefreshInterceptorOptions, R as ResetPasswordRequest } from './AuthClient-BGr8L03W.mjs';
+import { T as TokenStorage, k as AuthTokens } from './AuthClient-D8Ul-aGa.mjs';
+export { A as AuthApiClient, a as AuthApiClientOptions, b as AuthClient, c as AuthClientCollaborators, d as AuthClientConfig, e as AuthClientFromIssuerInput, f as AuthEventEmitter, g as AuthEventListener, h as AuthEventName, i as AuthEventUnsubscribe, j as AuthSessionInfo, D as DirectKcOptions, F as ForgotPasswordRequest, I as InactivityStore, l as InactivityTracker, m as InactivityTrackerOptions, L as LoginOptions, n as LogoutOptions, O as OtpLoginRequest, P as PasswordLoginRequest, R as RawAuthLoginResponse, o as RefreshFn, p as RefreshInterceptor, q as RefreshInterceptorOptions, r as ResetPasswordRequest } from './AuthClient-D8Ul-aGa.mjs';
 export { ExchangeAuthorizationCodeInput, FetchDiscoveryDocumentInput, OidcDiscoveryDocument, PkcePair, RefreshAccessTokenInput, clearDiscoveryCache, deriveCodeChallenge, exchangeAuthorizationCode, fetchDiscoveryDocument, generateCodeVerifier, generatePkcePair, refreshAccessToken } from './oidc/index.mjs';
 import { H as HttpClient, R as RawTokenResponse, T as TokenResponse } from './TokenResponse-CY1CaU2l.mjs';
 export { a as HttpRequest, b as HttpResponse, c as createFetchHttpClient } from './TokenResponse-CY1CaU2l.mjs';
@@ -342,6 +342,51 @@ interface BffResetPasswordRequest {
     token: string;
     newPassword: string;
 }
+/**
+ * Payload for `POST /bff/otp/request` — the BFF proxies it to TenantService,
+ * which generates a short-TTL code and emails it.
+ */
+interface BffOtpRequestRequest {
+    /** The email address (or username) the one-time code is sent to. */
+    identifier: string;
+}
+/** Payload for `POST /bff/otp/verify` — the BFF exchanges it for a session. */
+interface BffOtpVerifyRequest {
+    /** The email / username the code was requested for. */
+    username: string;
+    /** The one-time code the user entered. */
+    otp: string;
+}
+/**
+ * Payload for `POST /bff/pin/login` — the BFF exchanges an event-scoped PIN
+ * for a session.
+ *
+ * The `(event, pin)` pair alone identifies the staff member: no `username` /
+ * `password` ever leaves the browser. A PIN entered in an event's context
+ * grants that staff member their event-scoped role for that event only
+ * (the unified-auth plan §4.4 — event-scoped, per-individual PINs).
+ */
+interface BffPinLoginRequest {
+    /** The numeric PIN the staff member entered. */
+    pin: string;
+    /** External id of the event the PIN is scoped to (supplied by the page/route). */
+    eventExternalId: string;
+}
+/**
+ * The body `POST /bff/otp/request` relays from TenantService.
+ *
+ * Anti-enumeration: the shape is identical whether or not the identifier is
+ * registered. `code` is non-null only outside production (a dev convenience);
+ * the UI must never depend on it being present.
+ */
+interface BffOtpRequestResult {
+    /** Always `true` on a relayed 200 — the request was accepted. */
+    success: boolean;
+    /** Seconds until the emitted code expires — drives a countdown in the UI. */
+    expiresIn: number;
+    /** The code itself, non-production only; `null` (or absent) in production. */
+    code: string | null;
+}
 /**
  * The user object returned by `GET /bff/me` and `POST /bff/login`. The BFF
  * returns the sanitised KC claims under a `user` envelope and **never** a
@@ -411,6 +456,34 @@ declare class BffAuthClient {
      * response (e.g. `400` for an invalid / expired token).
      */
     resetPassword(request: BffResetPasswordRequest): Promise<void>;
+    /**
+     * `POST /bff/otp/request` — the BFF proxies to TenantService, which generates
+     * a short-TTL code and emails it.
+     *
+     * The endpoint is anti-enumeration: a `200` is the normal path whether or not
+     * the identifier is registered. This method therefore **returns** the relayed
+     * `{ success, expiresIn, code }` body (so the UI can show the expiry) rather
+     * than treating a 200 as opaque. It still throws on a non-2xx — a `501`
+     * (OTP not enabled) or `502` (upstream down) is a real failure to surface.
+     */
+    requestOtp(request: BffOtpRequestRequest): Promise<BffOtpRequestResult>;
+    /**
+     * `POST /bff/otp/verify` — the BFF runs the OTP direct-grant against Keycloak
+     * server-side, stores the tokens in its Redis vault, and sets the httpOnly
+     * session cookie. Returns the sanitised user, exactly like `login`. Throws on
+     * a non-2xx (e.g. `401` for a bad / expired code).
+     */
+    verifyOtp(request: BffOtpVerifyRequest): Promise<BffUser>;
+    /**
+     * `POST /bff/pin/login` — the BFF runs the event-scoped PIN direct-grant
+     * against Keycloak server-side (the `(event, pin)` pair resolves to the
+     * staff member's KC account + event-scoped role), stores the tokens in its
+     * Redis vault, and sets the httpOnly session cookie. Returns the sanitised
+     * user, exactly like `login` / `verifyOtp`. Throws on a non-2xx — `401` for
+     * a bad / expired / locked-out PIN or an unknown event, `501` when PIN login
+     * is not an enabled method for this BFF.
+     */
+    pinLogin(request: BffPinLoginRequest): Promise<BffUser>;
     /**
      * Shared POST for every state-changing `/bff/*` call: same-origin, cookie
      * included, `X-BFF-Csrf` header attached. Throws a labelled error on non-2xx.
@@ -591,4 +664,4 @@ declare function normalizeTokenResponse(raw: RawTokenResponse): TokenResponse;
  */
 declare function tokenResponseToAuthTokens(response: TokenResponse, now?: number): AuthTokens;
 
-export { AuthTokens, type AuthorizationCodeBodyInput, type AuthorizationResponseLike, type AuthorizationUrlInput, BffAuthClient, type BffAuthClientOptions, type BffForgotPasswordRequest, type BffLoginRequest, type BffRegisterRequest, type BffResetPasswordRequest, type BffUser, type BiometricFlagStore, BiometricGate, type BiometricGateLike, type BiometricGateOptions, BrowserStorageTokenStorage, type BrowserStorageTokenStorageOptions, CookieTokenStorage, HttpClient, InMemoryTokenStorage, KeycloakRoles, type KeycloakUserInfo, type LocalAuthLike, type NormalizedUser, RawTokenResponse, type RefreshTokenBodyInput, type SecureStoreLike, SecureStoreTokenStorage, type SecureStoreTokenStorageOptions, type StorageLike, TokenResponse, TokenStorage, buildAuthorizationCodeBody, buildAuthorizationEndpoint, buildAuthorizationUrl, buildIssuerUrl, buildLogoutEndpoint, buildRefreshTokenBody, buildTokenEndpoint, buildUserInfoEndpoint, computeExpiresAt, decodeJwt, extractAuthCode, isKeycloakRole, isTokenExpired, normalizeKeycloakUser, normalizeTokenResponse, parseBaseUrlFromIssuer, parseRealmFromIssuer, tokenResponseToAuthTokens };
+export { AuthTokens, type AuthorizationCodeBodyInput, type AuthorizationResponseLike, type AuthorizationUrlInput, BffAuthClient, type BffAuthClientOptions, type BffForgotPasswordRequest, type BffLoginRequest, type BffOtpRequestRequest, type BffOtpRequestResult, type BffOtpVerifyRequest, type BffPinLoginRequest, type BffRegisterRequest, type BffResetPasswordRequest, type BffUser, type BiometricFlagStore, BiometricGate, type BiometricGateLike, type BiometricGateOptions, BrowserStorageTokenStorage, type BrowserStorageTokenStorageOptions, CookieTokenStorage, HttpClient, InMemoryTokenStorage, KeycloakRoles, type KeycloakUserInfo, type LocalAuthLike, type NormalizedUser, RawTokenResponse, type RefreshTokenBodyInput, type SecureStoreLike, SecureStoreTokenStorage, type SecureStoreTokenStorageOptions, type StorageLike, TokenResponse, TokenStorage, buildAuthorizationCodeBody, buildAuthorizationEndpoint, buildAuthorizationUrl, buildIssuerUrl, buildLogoutEndpoint, buildRefreshTokenBody, buildTokenEndpoint, buildUserInfoEndpoint, computeExpiresAt, decodeJwt, extractAuthCode, isKeycloakRole, isTokenExpired, normalizeKeycloakUser, normalizeTokenResponse, parseBaseUrlFromIssuer, parseRealmFromIssuer, tokenResponseToAuthTokens };

package/dist/index.d.ts

@@ -1,5 +1,5 @@
-import { T as TokenStorage, c as AuthTokens } from './AuthClient-D95OMajD.js';
-export { A as AuthApiClient, d as AuthApiClientOptions, b as AuthClient, e as AuthClientCollaborators, f as AuthClientConfig, g as AuthClientFromIssuerInput, h as AuthEventEmitter, i as AuthEventListener, j as AuthEventName, k as AuthEventUnsubscribe, a as AuthSessionInfo, D as DirectKcOptions, F as ForgotPasswordRequest, I as InactivityStore, l as InactivityTracker, m as InactivityTrackerOptions, L as LoginOptions, n as LogoutOptions, O as OtpLoginRequest, P as PasswordLoginRequest, o as RawAuthLoginResponse, p as RefreshFn, q as RefreshInterceptor, r as RefreshInterceptorOptions, R as ResetPasswordRequest } from './AuthClient-D95OMajD.js';
+import { T as TokenStorage, k as AuthTokens } from './AuthClient-Cv7btBX0.js';
+export { A as AuthApiClient, a as AuthApiClientOptions, b as AuthClient, c as AuthClientCollaborators, d as AuthClientConfig, e as AuthClientFromIssuerInput, f as AuthEventEmitter, g as AuthEventListener, h as AuthEventName, i as AuthEventUnsubscribe, j as AuthSessionInfo, D as DirectKcOptions, F as ForgotPasswordRequest, I as InactivityStore, l as InactivityTracker, m as InactivityTrackerOptions, L as LoginOptions, n as LogoutOptions, O as OtpLoginRequest, P as PasswordLoginRequest, R as RawAuthLoginResponse, o as RefreshFn, p as RefreshInterceptor, q as RefreshInterceptorOptions, r as ResetPasswordRequest } from './AuthClient-Cv7btBX0.js';
 export { ExchangeAuthorizationCodeInput, FetchDiscoveryDocumentInput, OidcDiscoveryDocument, PkcePair, RefreshAccessTokenInput, clearDiscoveryCache, deriveCodeChallenge, exchangeAuthorizationCode, fetchDiscoveryDocument, generateCodeVerifier, generatePkcePair, refreshAccessToken } from './oidc/index.js';
 import { H as HttpClient, R as RawTokenResponse, T as TokenResponse } from './TokenResponse-CY1CaU2l.js';
 export { a as HttpRequest, b as HttpResponse, c as createFetchHttpClient } from './TokenResponse-CY1CaU2l.js';
@@ -342,6 +342,51 @@ interface BffResetPasswordRequest {
     token: string;
     newPassword: string;
 }
+/**
+ * Payload for `POST /bff/otp/request` — the BFF proxies it to TenantService,
+ * which generates a short-TTL code and emails it.
+ */
+interface BffOtpRequestRequest {
+    /** The email address (or username) the one-time code is sent to. */
+    identifier: string;
+}
+/** Payload for `POST /bff/otp/verify` — the BFF exchanges it for a session. */
+interface BffOtpVerifyRequest {
+    /** The email / username the code was requested for. */
+    username: string;
+    /** The one-time code the user entered. */
+    otp: string;
+}
+/**
+ * Payload for `POST /bff/pin/login` — the BFF exchanges an event-scoped PIN
+ * for a session.
+ *
+ * The `(event, pin)` pair alone identifies the staff member: no `username` /
+ * `password` ever leaves the browser. A PIN entered in an event's context
+ * grants that staff member their event-scoped role for that event only
+ * (the unified-auth plan §4.4 — event-scoped, per-individual PINs).
+ */
+interface BffPinLoginRequest {
+    /** The numeric PIN the staff member entered. */
+    pin: string;
+    /** External id of the event the PIN is scoped to (supplied by the page/route). */
+    eventExternalId: string;
+}
+/**
+ * The body `POST /bff/otp/request` relays from TenantService.
+ *
+ * Anti-enumeration: the shape is identical whether or not the identifier is
+ * registered. `code` is non-null only outside production (a dev convenience);
+ * the UI must never depend on it being present.
+ */
+interface BffOtpRequestResult {
+    /** Always `true` on a relayed 200 — the request was accepted. */
+    success: boolean;
+    /** Seconds until the emitted code expires — drives a countdown in the UI. */
+    expiresIn: number;
+    /** The code itself, non-production only; `null` (or absent) in production. */
+    code: string | null;
+}
 /**
  * The user object returned by `GET /bff/me` and `POST /bff/login`. The BFF
  * returns the sanitised KC claims under a `user` envelope and **never** a
@@ -411,6 +456,34 @@ declare class BffAuthClient {
      * response (e.g. `400` for an invalid / expired token).
      */
     resetPassword(request: BffResetPasswordRequest): Promise<void>;
+    /**
+     * `POST /bff/otp/request` — the BFF proxies to TenantService, which generates
+     * a short-TTL code and emails it.
+     *
+     * The endpoint is anti-enumeration: a `200` is the normal path whether or not
+     * the identifier is registered. This method therefore **returns** the relayed
+     * `{ success, expiresIn, code }` body (so the UI can show the expiry) rather
+     * than treating a 200 as opaque. It still throws on a non-2xx — a `501`
+     * (OTP not enabled) or `502` (upstream down) is a real failure to surface.
+     */
+    requestOtp(request: BffOtpRequestRequest): Promise<BffOtpRequestResult>;
+    /**
+     * `POST /bff/otp/verify` — the BFF runs the OTP direct-grant against Keycloak
+     * server-side, stores the tokens in its Redis vault, and sets the httpOnly
+     * session cookie. Returns the sanitised user, exactly like `login`. Throws on
+     * a non-2xx (e.g. `401` for a bad / expired code).
+     */
+    verifyOtp(request: BffOtpVerifyRequest): Promise<BffUser>;
+    /**
+     * `POST /bff/pin/login` — the BFF runs the event-scoped PIN direct-grant
+     * against Keycloak server-side (the `(event, pin)` pair resolves to the
+     * staff member's KC account + event-scoped role), stores the tokens in its
+     * Redis vault, and sets the httpOnly session cookie. Returns the sanitised
+     * user, exactly like `login` / `verifyOtp`. Throws on a non-2xx — `401` for
+     * a bad / expired / locked-out PIN or an unknown event, `501` when PIN login
+     * is not an enabled method for this BFF.
+     */
+    pinLogin(request: BffPinLoginRequest): Promise<BffUser>;
     /**
      * Shared POST for every state-changing `/bff/*` call: same-origin, cookie
      * included, `X-BFF-Csrf` header attached. Throws a labelled error on non-2xx.
@@ -591,4 +664,4 @@ declare function normalizeTokenResponse(raw: RawTokenResponse): TokenResponse;
  */
 declare function tokenResponseToAuthTokens(response: TokenResponse, now?: number): AuthTokens;
 
-export { AuthTokens, type AuthorizationCodeBodyInput, type AuthorizationResponseLike, type AuthorizationUrlInput, BffAuthClient, type BffAuthClientOptions, type BffForgotPasswordRequest, type BffLoginRequest, type BffRegisterRequest, type BffResetPasswordRequest, type BffUser, type BiometricFlagStore, BiometricGate, type BiometricGateLike, type BiometricGateOptions, BrowserStorageTokenStorage, type BrowserStorageTokenStorageOptions, CookieTokenStorage, HttpClient, InMemoryTokenStorage, KeycloakRoles, type KeycloakUserInfo, type LocalAuthLike, type NormalizedUser, RawTokenResponse, type RefreshTokenBodyInput, type SecureStoreLike, SecureStoreTokenStorage, type SecureStoreTokenStorageOptions, type StorageLike, TokenResponse, TokenStorage, buildAuthorizationCodeBody, buildAuthorizationEndpoint, buildAuthorizationUrl, buildIssuerUrl, buildLogoutEndpoint, buildRefreshTokenBody, buildTokenEndpoint, buildUserInfoEndpoint, computeExpiresAt, decodeJwt, extractAuthCode, isKeycloakRole, isTokenExpired, normalizeKeycloakUser, normalizeTokenResponse, parseBaseUrlFromIssuer, parseRealmFromIssuer, tokenResponseToAuthTokens };
+export { AuthTokens, type AuthorizationCodeBodyInput, type AuthorizationResponseLike, type AuthorizationUrlInput, BffAuthClient, type BffAuthClientOptions, type BffForgotPasswordRequest, type BffLoginRequest, type BffOtpRequestRequest, type BffOtpRequestResult, type BffOtpVerifyRequest, type BffPinLoginRequest, type BffRegisterRequest, type BffResetPasswordRequest, type BffUser, type BiometricFlagStore, BiometricGate, type BiometricGateLike, type BiometricGateOptions, BrowserStorageTokenStorage, type BrowserStorageTokenStorageOptions, CookieTokenStorage, HttpClient, InMemoryTokenStorage, KeycloakRoles, type KeycloakUserInfo, type LocalAuthLike, type NormalizedUser, RawTokenResponse, type RefreshTokenBodyInput, type SecureStoreLike, SecureStoreTokenStorage, type SecureStoreTokenStorageOptions, type StorageLike, TokenResponse, TokenStorage, buildAuthorizationCodeBody, buildAuthorizationEndpoint, buildAuthorizationUrl, buildIssuerUrl, buildLogoutEndpoint, buildRefreshTokenBody, buildTokenEndpoint, buildUserInfoEndpoint, computeExpiresAt, decodeJwt, extractAuthCode, isKeycloakRole, isTokenExpired, normalizeKeycloakUser, normalizeTokenResponse, parseBaseUrlFromIssuer, parseRealmFromIssuer, tokenResponseToAuthTokens };

package/dist/index.js

@@ -1069,7 +1069,10 @@ var ENDPOINTS = {
   me: "/bff/me",
   register: "/bff/register",
   forgotPassword: "/bff/forgot-password",
-  resetPassword: "/bff/reset-password"
+  resetPassword: "/bff/reset-password",
+  otpRequest: "/bff/otp/request",
+  otpVerify: "/bff/otp/verify",
+  pinLogin: "/bff/pin/login"
 };
 function isRecord(value) {
   return typeof value === "object" && value !== null;
@@ -1081,6 +1084,16 @@ function extractUser(data) {
   const envelope = data;
   return isRecord(envelope.user) ? envelope.user : null;
 }
+function toOtpRequestResult(data) {
+  if (!isRecord(data)) {
+    return { success: true, expiresIn: 0, code: null };
+  }
+  return {
+    success: typeof data.success === "boolean" ? data.success : true,
+    expiresIn: typeof data.expiresIn === "number" ? data.expiresIn : 0,
+    code: typeof data.code === "string" ? data.code : null
+  };
+}
 var BffAuthClient = class {
   constructor(options) {
     this.http = options.http;
@@ -1150,6 +1163,51 @@ var BffAuthClient = class {
   async resetPassword(request) {
     await this.postState(ENDPOINTS.resetPassword, request, "reset-password");
   }
+  /**
+   * `POST /bff/otp/request` — the BFF proxies to TenantService, which generates
+   * a short-TTL code and emails it.
+   *
+   * The endpoint is anti-enumeration: a `200` is the normal path whether or not
+   * the identifier is registered. This method therefore **returns** the relayed
+   * `{ success, expiresIn, code }` body (so the UI can show the expiry) rather
+   * than treating a 200 as opaque. It still throws on a non-2xx — a `501`
+   * (OTP not enabled) or `502` (upstream down) is a real failure to surface.
+   */
+  async requestOtp(request) {
+    const data = await this.postState(ENDPOINTS.otpRequest, request, "otp-request");
+    return toOtpRequestResult(data);
+  }
+  /**
+   * `POST /bff/otp/verify` — the BFF runs the OTP direct-grant against Keycloak
+   * server-side, stores the tokens in its Redis vault, and sets the httpOnly
+   * session cookie. Returns the sanitised user, exactly like `login`. Throws on
+   * a non-2xx (e.g. `401` for a bad / expired code).
+   */
+  async verifyOtp(request) {
+    const data = await this.postState(ENDPOINTS.otpVerify, request, "otp-verify");
+    const user = extractUser(data);
+    if (user === null) {
+      throw new Error("otp-verify: BFF response missing user");
+    }
+    return user;
+  }
+  /**
+   * `POST /bff/pin/login` — the BFF runs the event-scoped PIN direct-grant
+   * against Keycloak server-side (the `(event, pin)` pair resolves to the
+   * staff member's KC account + event-scoped role), stores the tokens in its
+   * Redis vault, and sets the httpOnly session cookie. Returns the sanitised
+   * user, exactly like `login` / `verifyOtp`. Throws on a non-2xx — `401` for
+   * a bad / expired / locked-out PIN or an unknown event, `501` when PIN login
+   * is not an enabled method for this BFF.
+   */
+  async pinLogin(request) {
+    const data = await this.postState(ENDPOINTS.pinLogin, request, "pin-login");
+    const user = extractUser(data);
+    if (user === null) {
+      throw new Error("pin-login: BFF response missing user");
+    }
+    return user;
+  }
   /**
    * Shared POST for every state-changing `/bff/*` call: same-origin, cookie
    * included, `X-BFF-Csrf` header attached. Throws a labelled error on non-2xx.