@doswiftly/storefront-sdk 16.1.0 → 18.0.0

package/dist/react/hooks/use-session-refresh.js

@@ -0,0 +1,147 @@
+/**
+ * useSessionRefresh — proactive, browser-only session-refresh scheduler.
+ *
+ * Renews the access token shortly *before* it expires so an active buyer is
+ * never logged out mid-session, reschedules from each new expiry, and never runs
+ * on the server. On tab wake after the token already lapsed it tries once and —
+ * if the session can no longer be recovered — emits `session-expired` and clears
+ * local auth.
+ *
+ * The refresh goes through the same-origin BFF route via
+ * `AuthClient.refreshSession()` (`POST {authBasePath}/refresh`). The route handler
+ * reads the httpOnly refresh cookie server-side, rotates it against the backend,
+ * and sets the new first-party cookies — so an ALREADY-EXPIRED access token still
+ * refreshes (the old GraphQL `customerRefreshToken` could not, as it needed a
+ * valid access token). No `setToken` round-trip and no consumer callback.
+ *
+ * The timer lives in the effect closure (provider lifecycle), never in module state.
+ */
+'use client';
+import { useEffect, useRef } from 'react';
+import { useAuthStoreApi } from '../stores/store-context';
+import { useStorefrontClientContext } from '../providers/storefront-client-provider';
+const DEFAULT_BUFFER_MS = 60_000;
+/** Backoff before retrying a proactive refresh that failed while the token was still valid. */
+const PROACTIVE_RETRY_MS = 15_000;
+/**
+ * When the token is already within the buffer window but still valid, space out
+ * refreshes by this much so a token whose lifetime is <= the buffer cannot
+ * busy-loop the scheduler.
+ */
+const WITHIN_BUFFER_RETRY_MS = 5_000;
+export function useSessionRefresh(options = {}) {
+    const { enabled, bufferMs = DEFAULT_BUFFER_MS, sessionExpiredEmitter } = options;
+    const isBrowser = typeof window !== 'undefined';
+    const active = (enabled ?? isBrowser) && isBrowser;
+    const { authClient } = useStorefrontClientContext();
+    const authStore = useAuthStoreApi();
+    // Moving parts in refs so the scheduling effect re-runs only on structural
+    // deps (active / bufferMs / authBasePath / store identity), not on every render.
+    const authClientRef = useRef(authClient);
+    authClientRef.current = authClient;
+    const emitterRef = useRef(sessionExpiredEmitter);
+    emitterRef.current = sessionExpiredEmitter;
+    useEffect(() => {
+        if (!active)
+            return;
+        let timer;
+        let disposed = false;
+        let inFlight = false;
+        // Tracks the expiry we last scheduled against, so the store subscription
+        // ignores our own writes (we reschedule explicitly after a refresh).
+        let lastExpiresAt = authStore.getState().expiresAt;
+        const clearTimer = () => {
+            if (timer !== undefined) {
+                clearTimeout(timer);
+                timer = undefined;
+            }
+        };
+        const doRefresh = async (tokenAlreadyExpired) => {
+            if (inFlight)
+                return;
+            inFlight = true;
+            try {
+                // Same-origin BFF refresh: the route reads the httpOnly refresh cookie
+                // server-side, rotates it against the backend, and sets the new
+                // first-party cookies. No `setToken` round-trip — the route owns the cookie.
+                const result = await authClientRef.current.refreshSession();
+                if (disposed)
+                    return;
+                lastExpiresAt = result.expiresAt;
+                authStore.getState().setAuth(authStore.getState().customer, result.accessToken, result.expiresAt);
+                schedule();
+            }
+            catch (err) {
+                if (disposed)
+                    return;
+                if (tokenAlreadyExpired) {
+                    // The access token had already lapsed and the BFF refresh could not
+                    // recover the session (refresh token expired/reused/revoked). Clear
+                    // local auth and notify so the storefront can prompt re-login.
+                    authStore.getState().clearAuth();
+                    emitterRef.current?.emit({ reason: 'wake-refresh-failed', cause: err });
+                }
+                else {
+                    // Token still valid — a proactive refresh failed transiently
+                    // (network / server blip). Do NOT log the buyer out; retry shortly.
+                    clearTimer();
+                    timer = setTimeout(schedule, PROACTIVE_RETRY_MS);
+                }
+            }
+            finally {
+                inFlight = false;
+            }
+        };
+        const schedule = () => {
+            clearTimer();
+            const { expiresAt, isAuthenticated } = authStore.getState();
+            if (!expiresAt || !isAuthenticated)
+                return;
+            const expiryMs = new Date(expiresAt).getTime();
+            if (Number.isNaN(expiryMs))
+                return;
+            const now = Date.now();
+            let fireIn;
+            if (now >= expiryMs) {
+                // Already expired (e.g. tab slept past expiry) — recover ASAP.
+                fireIn = 0;
+            }
+            else {
+                const untilBuffer = expiryMs - bufferMs - now;
+                // Within the buffer but still valid — space retries so a token whose
+                // lifetime is <= the buffer cannot busy-loop.
+                fireIn = untilBuffer > 0 ? untilBuffer : WITHIN_BUFFER_RETRY_MS;
+            }
+            // ALWAYS arm a timer — never call doRefresh synchronously. A synchronous
+            // call can re-enter while a refresh is in flight and be dropped by the
+            // in-flight guard, leaving the scheduler permanently stalled; the timer
+            // fires after the current call stack, by which point `inFlight` has reset.
+            // `tokenAlreadyExpired` is re-derived at fire time (the clock has moved).
+            timer = setTimeout(() => void doRefresh(Date.now() >= expiryMs), fireIn);
+        };
+        // Reschedule when expiresAt changes from outside (login, manual refresh).
+        const unsubscribe = authStore.subscribe((state) => {
+            if (disposed)
+                return;
+            if (state.expiresAt !== lastExpiresAt) {
+                lastExpiresAt = state.expiresAt;
+                schedule();
+            }
+        });
+        // Wake-from-sleep: background tabs throttle/pause timers — on return,
+        // recompute (and refresh immediately if the token already lapsed).
+        const onVisibility = () => {
+            if (document.visibilityState === 'visible' && !disposed)
+                schedule();
+        };
+        document.addEventListener('visibilitychange', onVisibility);
+        schedule();
+        return () => {
+            disposed = true;
+            clearTimer();
+            unsubscribe();
+            document.removeEventListener('visibilitychange', onVisibility);
+        };
+        // eslint-disable-next-line react-hooks/exhaustive-deps
+    }, [active, bufferMs, authStore]);
+}

package/dist/react/index.d.ts

@@ -19,6 +19,9 @@ export { useAuth, type UseAuthOptions, type LoginResult, type LogoutResult, type
 export { useLogin, type UseLoginOptions, type UseLoginReturn } from './hooks/use-login';
 export { useLogout, type UseLogoutOptions, type UseLogoutReturn } from './hooks/use-logout';
 export { useRefreshToken, type UseRefreshTokenOptions, type UseRefreshTokenReturn } from './hooks/use-refresh-token';
+export { useSessionRefresh, type UseSessionRefreshOptions } from './hooks/use-session-refresh';
+export { useSessionExpired } from './hooks/use-session-expired';
+export type { SessionExpiredEvent, SessionExpiredReason, SessionExpiredEmitter } from '../core/auth/session-events';
 export { useCartManager, type CartManagerOperation, type CartManagerStatus, type UseCartManagerResult } from './hooks/use-cart-manager';
 export { useCart, type UseCartOptions, type UseCartResult, type ServerCartOperation } from './hooks/use-cart';
 export { useStorefrontClient } from './hooks/use-storefront-client';
@@ -41,5 +44,6 @@ export { createCartStore, selectCartId, selectIsCartOpen, selectCartIsLoading, }
 export type { CartState, CartStoreConfig, CartActions, CartData, CartMutationAction, CartLineInput, CartLineUpdateInput, } from './stores/cart.store';
 export { CartProvider, useCartStore, useCartStoreApi } from './stores/cart.context';
 export { createStoreContext } from './helpers/create-store-context';
-export { Money, type MoneyProps, Image, type ImageComponentProps, CartCount, type CartCountProps, AddToCartButton, type AddToCartButtonProps, PriceDisplay, type PriceDisplayProps, CartTotals, type CartTotalsProps, type CartTotalsLabels, } from './components';
+export { Money, type MoneyProps, Image, type ImageComponentProps, CartCount, type CartCountProps, AddToCartButton, type AddToCartButtonProps, PriceDisplay, type PriceDisplayProps, CartTotals, type CartTotalsProps, type CartTotalsLabels, PaymentInstrumentTile, type PaymentInstrumentTileProps, type PaymentInstrumentTileInstrument, PaymentInstrumentSection, type PaymentInstrumentSectionProps, type PaymentInstrumentSectionMethod, } from './components';
+export { getBrowserDataForPayment, BrowserDataNotAvailableError, type PaymentBrowserData, } from './helpers/browser-data';
 //# sourceMappingURL=index.d.ts.map

package/dist/react/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/react/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AAGH,OAAO,EAAE,kBAAkB,EAAE,KAAK,uBAAuB,EAAE,MAAM,iCAAiC,CAAC;AACnG,OAAO,EAAE,wBAAwB,EAAE,KAAK,6BAA6B,EAAE,MAAM,wCAAwC,CAAC;AACtH,OAAO,EAAE,gBAAgB,EAAE,KAAK,qBAAqB,EAAE,MAAM,+BAA+B,CAAC;AAC7F,OAAO,EAAE,gBAAgB,EAAE,KAAK,qBAAqB,EAAE,MAAM,+BAA+B,CAAC;AAG7F,OAAO,EAAE,OAAO,EAAE,KAAK,cAAc,EAAE,KAAK,WAAW,EAAE,KAAK,YAAY,EAAE,KAAK,kBAAkB,EAAE,MAAM,kBAAkB,CAAC;AAC9H,OAAO,EAAE,QAAQ,EAAE,KAAK,eAAe,EAAE,KAAK,cAAc,EAAE,MAAM,mBAAmB,CAAC;AACxF,OAAO,EAAE,SAAS,EAAE,KAAK,gBAAgB,EAAE,KAAK,eAAe,EAAE,MAAM,oBAAoB,CAAC;AAC5F,OAAO,EAAE,eAAe,EAAE,KAAK,sBAAsB,EAAE,KAAK,qBAAqB,EAAE,MAAM,2BAA2B,CAAC;AACrH,OAAO,EAAE,cAAc,EAAE,KAAK,oBAAoB,EAAE,KAAK,iBAAiB,EAAE,KAAK,oBAAoB,EAAE,MAAM,0BAA0B,CAAC;AACxI,OAAO,EAAE,OAAO,EAAE,KAAK,cAAc,EAAE,KAAK,aAAa,EAAE,KAAK,mBAAmB,EAAE,MAAM,kBAAkB,CAAC;AAC9G,OAAO,EAAE,mBAAmB,EAAE,MAAM,+BAA+B,CAAC;AACpE,OAAO,EAAE,WAAW,EAAE,MAAM,sBAAsB,CAAC;AAGnD,OAAO,EAAE,YAAY,EAAE,eAAe,EAAE,eAAe,EAAE,MAAM,wBAAwB,CAAC;AACxF,OAAO,EAAE,gBAAgB,EAAE,mBAAmB,EAAE,MAAM,wBAAwB,CAAC;AAC/E,OAAO,EAAE,gBAAgB,EAAE,mBAAmB,EAAE,MAAM,wBAAwB,CAAC;AAG/E,YAAY,EAAE,SAAS,EAAE,YAAY,EAAE,MAAM,qBAAqB,CAAC;AACnE,YAAY,EAAE,aAAa,EAAE,gBAAgB,EAAE,MAAM,yBAAyB,CAAC;AAC/E,YAAY,EAAE,aAAa,EAAE,MAAM,yBAAyB,CAAC;AAC7D,YAAY,EAAE,UAAU,EAAE,MAAM,qBAAqB,CAAC;AAGtD,OAAO,EAAE,cAAc,EAAE,kBAAkB,EAAE,yBAAyB,EAAE,cAAc,EAAE,MAAM,yBAAyB,CAAC;AACxH,OAAO,EAAE,cAAc,EAAE,qBAAqB,EAAE,wBAAwB,EAAE,sBAAsB,EAAE,MAAM,yBAAyB,CAAC;AAGlI,OAAO,EACL,SAAS,EACT,SAAS,EACT,YAAY,EACZ,0BAA0B,EAC1B,wBAAwB,EACxB,4BAA4B,GAC7B,MAAM,WAAW,CAAC;AAGnB,OAAO,EAAE,gBAAgB,EAAE,MAAM,4BAA4B,CAAC;AAG9D,OAAO,EAAE,WAAW,EAAE,MAAM,sBAAsB,CAAC;AACnD,OAAO,EAAE,iBAAiB,EAAE,MAAM,6BAA6B,CAAC;AAGhE,OAAO,EACL,cAAc,EACd,eAAe,EACf,mBAAmB,EACnB,aAAa,EACb,iBAAiB,EACjB,eAAe,EACf,oBAAoB,GACrB,MAAM,oBAAoB,CAAC;AAG5B,OAAO,EACL,eAAe,EACf,YAAY,EACZ,gBAAgB,EAChB,mBAAmB,GACpB,MAAM,qBAAqB,CAAC;AAC7B,YAAY,EACV,SAAS,EACT,eAAe,EACf,WAAW,EACX,QAAQ,EACR,kBAAkB,EAClB,aAAa,EACb,mBAAmB,GACpB,MAAM,qBAAqB,CAAC;AAC7B,OAAO,EAAE,YAAY,EAAE,YAAY,EAAE,eAAe,EAAE,MAAM,uBAAuB,CAAC;AAGpF,OAAO,EAAE,kBAAkB,EAAE,MAAM,gCAAgC,CAAC;AAGpE,OAAO,EACL,KAAK,EACL,KAAK,UAAU,EACf,KAAK,EACL,KAAK,mBAAmB,EACxB,SAAS,EACT,KAAK,cAAc,EACnB,eAAe,EACf,KAAK,oBAAoB,EACzB,YAAY,EACZ,KAAK,iBAAiB,EACtB,UAAU,EACV,KAAK,eAAe,EACpB,KAAK,gBAAgB,GACtB,MAAM,cAAc,CAAC"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/react/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AAGH,OAAO,EAAE,kBAAkB,EAAE,KAAK,uBAAuB,EAAE,MAAM,iCAAiC,CAAC;AACnG,OAAO,EAAE,wBAAwB,EAAE,KAAK,6BAA6B,EAAE,MAAM,wCAAwC,CAAC;AACtH,OAAO,EAAE,gBAAgB,EAAE,KAAK,qBAAqB,EAAE,MAAM,+BAA+B,CAAC;AAC7F,OAAO,EAAE,gBAAgB,EAAE,KAAK,qBAAqB,EAAE,MAAM,+BAA+B,CAAC;AAG7F,OAAO,EAAE,OAAO,EAAE,KAAK,cAAc,EAAE,KAAK,WAAW,EAAE,KAAK,YAAY,EAAE,KAAK,kBAAkB,EAAE,MAAM,kBAAkB,CAAC;AAC9H,OAAO,EAAE,QAAQ,EAAE,KAAK,eAAe,EAAE,KAAK,cAAc,EAAE,MAAM,mBAAmB,CAAC;AACxF,OAAO,EAAE,SAAS,EAAE,KAAK,gBAAgB,EAAE,KAAK,eAAe,EAAE,MAAM,oBAAoB,CAAC;AAC5F,OAAO,EAAE,eAAe,EAAE,KAAK,sBAAsB,EAAE,KAAK,qBAAqB,EAAE,MAAM,2BAA2B,CAAC;AACrH,OAAO,EAAE,iBAAiB,EAAE,KAAK,wBAAwB,EAAE,MAAM,6BAA6B,CAAC;AAC/F,OAAO,EAAE,iBAAiB,EAAE,MAAM,6BAA6B,CAAC;AAChE,YAAY,EAAE,mBAAmB,EAAE,oBAAoB,EAAE,qBAAqB,EAAE,MAAM,6BAA6B,CAAC;AACpH,OAAO,EAAE,cAAc,EAAE,KAAK,oBAAoB,EAAE,KAAK,iBAAiB,EAAE,KAAK,oBAAoB,EAAE,MAAM,0BAA0B,CAAC;AACxI,OAAO,EAAE,OAAO,EAAE,KAAK,cAAc,EAAE,KAAK,aAAa,EAAE,KAAK,mBAAmB,EAAE,MAAM,kBAAkB,CAAC;AAC9G,OAAO,EAAE,mBAAmB,EAAE,MAAM,+BAA+B,CAAC;AACpE,OAAO,EAAE,WAAW,EAAE,MAAM,sBAAsB,CAAC;AAGnD,OAAO,EAAE,YAAY,EAAE,eAAe,EAAE,eAAe,EAAE,MAAM,wBAAwB,CAAC;AACxF,OAAO,EAAE,gBAAgB,EAAE,mBAAmB,EAAE,MAAM,wBAAwB,CAAC;AAC/E,OAAO,EAAE,gBAAgB,EAAE,mBAAmB,EAAE,MAAM,wBAAwB,CAAC;AAG/E,YAAY,EAAE,SAAS,EAAE,YAAY,EAAE,MAAM,qBAAqB,CAAC;AACnE,YAAY,EAAE,aAAa,EAAE,gBAAgB,EAAE,MAAM,yBAAyB,CAAC;AAC/E,YAAY,EAAE,aAAa,EAAE,MAAM,yBAAyB,CAAC;AAC7D,YAAY,EAAE,UAAU,EAAE,MAAM,qBAAqB,CAAC;AAGtD,OAAO,EAAE,cAAc,EAAE,kBAAkB,EAAE,yBAAyB,EAAE,cAAc,EAAE,MAAM,yBAAyB,CAAC;AACxH,OAAO,EAAE,cAAc,EAAE,qBAAqB,EAAE,wBAAwB,EAAE,sBAAsB,EAAE,MAAM,yBAAyB,CAAC;AAGlI,OAAO,EACL,SAAS,EACT,SAAS,EACT,YAAY,EACZ,0BAA0B,EAC1B,wBAAwB,EACxB,4BAA4B,GAC7B,MAAM,WAAW,CAAC;AAGnB,OAAO,EAAE,gBAAgB,EAAE,MAAM,4BAA4B,CAAC;AAG9D,OAAO,EAAE,WAAW,EAAE,MAAM,sBAAsB,CAAC;AACnD,OAAO,EAAE,iBAAiB,EAAE,MAAM,6BAA6B,CAAC;AAGhE,OAAO,EACL,cAAc,EACd,eAAe,EACf,mBAAmB,EACnB,aAAa,EACb,iBAAiB,EACjB,eAAe,EACf,oBAAoB,GACrB,MAAM,oBAAoB,CAAC;AAG5B,OAAO,EACL,eAAe,EACf,YAAY,EACZ,gBAAgB,EAChB,mBAAmB,GACpB,MAAM,qBAAqB,CAAC;AAC7B,YAAY,EACV,SAAS,EACT,eAAe,EACf,WAAW,EACX,QAAQ,EACR,kBAAkB,EAClB,aAAa,EACb,mBAAmB,GACpB,MAAM,qBAAqB,CAAC;AAC7B,OAAO,EAAE,YAAY,EAAE,YAAY,EAAE,eAAe,EAAE,MAAM,uBAAuB,CAAC;AAGpF,OAAO,EAAE,kBAAkB,EAAE,MAAM,gCAAgC,CAAC;AAGpE,OAAO,EACL,KAAK,EACL,KAAK,UAAU,EACf,KAAK,EACL,KAAK,mBAAmB,EACxB,SAAS,EACT,KAAK,cAAc,EACnB,eAAe,EACf,KAAK,oBAAoB,EACzB,YAAY,EACZ,KAAK,iBAAiB,EACtB,UAAU,EACV,KAAK,eAAe,EACpB,KAAK,gBAAgB,EACrB,qBAAqB,EACrB,KAAK,0BAA0B,EAC/B,KAAK,+BAA+B,EACpC,wBAAwB,EACxB,KAAK,6BAA6B,EAClC,KAAK,8BAA8B,GACpC,MAAM,cAAc,CAAC;AAGtB,OAAO,EACL,wBAAwB,EACxB,4BAA4B,EAC5B,KAAK,kBAAkB,GACxB,MAAM,wBAAwB,CAAC"}

package/dist/react/index.js

@@ -21,6 +21,8 @@ export { useAuth } from './hooks/use-auth';
 export { useLogin } from './hooks/use-login';
 export { useLogout } from './hooks/use-logout';
 export { useRefreshToken } from './hooks/use-refresh-token';
+export { useSessionRefresh } from './hooks/use-session-refresh';
+export { useSessionExpired } from './hooks/use-session-expired';
 export { useCartManager } from './hooks/use-cart-manager';
 export { useCart } from './hooks/use-cart';
 export { useStorefrontClient } from './hooks/use-storefront-client';
@@ -47,4 +49,6 @@ export { CartProvider, useCartStore, useCartStoreApi } from './stores/cart.conte
 // Store context helper
 export { createStoreContext } from './helpers/create-store-context';
 // Pre-built components (headless — no styling, accessibility-aware)
-export { Money, Image, CartCount, AddToCartButton, PriceDisplay, CartTotals, } from './components';
+export { Money, Image, CartCount, AddToCartButton, PriceDisplay, CartTotals, PaymentInstrumentTile, PaymentInstrumentSection, } from './components';
+// Browser context helpers (PSD2/3DS2 — browser-only)
+export { getBrowserDataForPayment, BrowserDataNotAvailableError, } from './helpers/browser-data';

package/dist/react/providers/storefront-client-provider.d.ts

@@ -11,6 +11,7 @@ import { CartClient } from '../../core/cart/cart-client';
 import { AuthClient } from '../../core/auth/auth-client';
 import { type BotProtectionTokenProvider } from '../../core/middleware/bot-protection';
 import type { StorefrontClient, StorefrontClientConfig, Middleware } from '../../core/client/types';
+import type { SessionExpiredEmitter } from '../../core/auth/session-events';
 export interface StorefrontClientContextValue {
     client: StorefrontClient;
     cartClient: CartClient;
@@ -28,8 +29,16 @@ export interface StorefrontClientProviderProps {
     botProtection?: BotProtectionTokenProvider | null;
     /** Operations that require bot protection (from shop query) */
     botProtectionOperations?: string[];
+    /**
+     * Auth-level session-expired emitter (from StorefrontProvider). When present,
+     * a reactive 401 on a read query triggers a single deduped refresh + replay,
+     * while a 401 on a mutation — or a refresh that also fails — fires this emitter.
+     */
+    sessionExpiredEmitter?: SessionExpiredEmitter;
+    /** Base path of the auth route handlers used to sync the httpOnly cookie after a reactive refresh (default `/api/auth`). */
+    authBasePath?: string;
 }
-export declare function StorefrontClientProvider({ children, config, middleware: customMiddleware, botProtection, botProtectionOperations, }: StorefrontClientProviderProps): import("react/jsx-runtime").JSX.Element;
+export declare function StorefrontClientProvider({ children, config, middleware: customMiddleware, botProtection, botProtectionOperations, sessionExpiredEmitter, authBasePath, }: StorefrontClientProviderProps): import("react/jsx-runtime").JSX.Element;
 /**
  * Get StorefrontClient context value.
  * Must be used within StorefrontClientProvider.

package/dist/react/providers/storefront-client-provider.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"storefront-client-provider.d.ts","sourceRoot":"","sources":["../../../src/react/providers/storefront-client-provider.tsx"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAIH,OAAO,KAA6C,MAAM,OAAO,CAAC;AAElE,OAAO,EAAE,UAAU,EAAE,MAAM,6BAA6B,CAAC;AACzD,OAAO,EAAE,UAAU,EAAE,MAAM,6BAA6B,CAAC;AAIzD,OAAO,EAA2B,KAAK,0BAA0B,EAAE,MAAM,sCAAsC,CAAC;AAKhH,OAAO,KAAK,EAAE,gBAAgB,EAAE,sBAAsB,EAAE,UAAU,EAAE,MAAM,yBAAyB,CAAC;AAEpG,MAAM,WAAW,4BAA4B;IAC3C,MAAM,EAAE,gBAAgB,CAAC;IACzB,UAAU,EAAE,UAAU,CAAC;IACvB,UAAU,EAAE,UAAU,CAAC;CACxB;AAID,MAAM,WAAW,6BAA6B;IAC5C,QAAQ,EAAE,KAAK,CAAC,SAAS,CAAC;IAC1B,MAAM,EAAE,sBAAsB,CAAC;IAC/B;;;OAGG;IACH,UAAU,CAAC,EAAE,UAAU,EAAE,CAAC;IAC1B,oEAAoE;IACpE,aAAa,CAAC,EAAE,0BAA0B,GAAG,IAAI,CAAC;IAClD,+DAA+D;IAC/D,uBAAuB,CAAC,EAAE,MAAM,EAAE,CAAC;CACpC;AAED,wBAAgB,wBAAwB,CAAC,EACvC,QAAQ,EACR,MAAM,EACN,UAAU,EAAE,gBAAqB,EACjC,aAAa,EACb,uBAAuB,GACxB,EAAE,6BAA6B,2CAyC/B;AAED;;;GAGG;AACH,wBAAgB,0BAA0B,IAAI,4BAA4B,CAMzE"}
+{"version":3,"file":"storefront-client-provider.d.ts","sourceRoot":"","sources":["../../../src/react/providers/storefront-client-provider.tsx"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAIH,OAAO,KAA6C,MAAM,OAAO,CAAC;AAElE,OAAO,EAAE,UAAU,EAAE,MAAM,6BAA6B,CAAC;AACzD,OAAO,EAAE,UAAU,EAAE,MAAM,6BAA6B,CAAC;AAIzD,OAAO,EAA2B,KAAK,0BAA0B,EAAE,MAAM,sCAAsC,CAAC;AAKhH,OAAO,KAAK,EAAE,gBAAgB,EAAE,sBAAsB,EAAE,UAAU,EAAE,MAAM,yBAAyB,CAAC;AAEpG,OAAO,KAAK,EAAE,qBAAqB,EAAE,MAAM,gCAAgC,CAAC;AAE5E,MAAM,WAAW,4BAA4B;IAC3C,MAAM,EAAE,gBAAgB,CAAC;IACzB,UAAU,EAAE,UAAU,CAAC;IACvB,UAAU,EAAE,UAAU,CAAC;CACxB;AAID,MAAM,WAAW,6BAA6B;IAC5C,QAAQ,EAAE,KAAK,CAAC,SAAS,CAAC;IAC1B,MAAM,EAAE,sBAAsB,CAAC;IAC/B;;;OAGG;IACH,UAAU,CAAC,EAAE,UAAU,EAAE,CAAC;IAC1B,oEAAoE;IACpE,aAAa,CAAC,EAAE,0BAA0B,GAAG,IAAI,CAAC;IAClD,+DAA+D;IAC/D,uBAAuB,CAAC,EAAE,MAAM,EAAE,CAAC;IACnC;;;;OAIG;IACH,qBAAqB,CAAC,EAAE,qBAAqB,CAAC;IAC9C,4HAA4H;IAC5H,YAAY,CAAC,EAAE,MAAM,CAAC;CACvB;AAED,wBAAgB,wBAAwB,CAAC,EACvC,QAAQ,EACR,MAAM,EACN,UAAU,EAAE,gBAAqB,EACjC,aAAa,EACb,uBAAuB,EACvB,qBAAqB,EACrB,YAAY,GACb,EAAE,6BAA6B,2CAyE/B;AAED;;;GAGG;AACH,wBAAgB,0BAA0B,IAAI,4BAA4B,CAMzE"}

package/dist/react/providers/storefront-client-provider.js

@@ -20,15 +20,46 @@ import { retryMiddleware } from '../../core/middleware/retry';
 import { timeoutMiddleware } from '../../core/middleware/timeout';
 import { errorMiddleware } from '../../core/middleware/errors';
 import { useAuthStoreApi, useCurrencyStoreApi, useLanguageStoreApi } from '../stores/store-context';
+import { sessionRetryMiddleware } from '../../core/middleware/session-retry';
 const StorefrontClientContext = createContext(null);
-export function StorefrontClientProvider({ children, config, middleware: customMiddleware = [], botProtection, botProtectionOperations, }) {
+export function StorefrontClientProvider({ children, config, middleware: customMiddleware = [], botProtection, botProtectionOperations, sessionExpiredEmitter, authBasePath, }) {
     const authStore = useAuthStoreApi();
     const currencyStore = useCurrencyStoreApi();
     const languageStore = useLanguageStoreApi();
     const value = useMemo(() => {
+        // Reactive-401 renewal via the same-origin BFF route (`refreshSession`): the
+        // route reads the httpOnly refresh cookie server-side and sets the new
+        // first-party cookies, so no GraphQL refresh and no `setToken` round-trip.
+        // Forward-declared so this closure can reach the AuthClient created below.
+        // Deduped so concurrent 401s share a single renewal.
+        let authClientForRefresh;
+        let inFlightRefresh = null;
+        const refresh = () => {
+            if (inFlightRefresh)
+                return inFlightRefresh;
+            inFlightRefresh = (async () => {
+                try {
+                    const result = await authClientForRefresh.refreshSession();
+                    authStore.getState().setAuth(authStore.getState().customer, result.accessToken, result.expiresAt);
+                    return true;
+                }
+                catch {
+                    authStore.getState().clearAuth();
+                    return false;
+                }
+                finally {
+                    inFlightRefresh = null;
+                }
+            })();
+            return inFlightRefresh;
+        };
         const client = createStorefrontClient({
             ...config,
             middleware: [
+                // Reactive 401 — OUTERMOST so the replay re-runs auth with the fresh token.
+                ...(sessionExpiredEmitter
+                    ? [sessionRetryMiddleware({ refresh, onSessionExpired: (e) => sessionExpiredEmitter.emit(e) })]
+                    : []),
                 // Header middleware (runs first)
                 authMiddleware(() => authStore.getState().accessToken),
                 currencyMiddleware(() => currencyStore.getState().currency),
@@ -49,10 +80,14 @@ export function StorefrontClientProvider({ children, config, middleware: customM
             ],
         });
         const cartClient = new CartClient(client);
-        const authClient = new AuthClient(client);
+        // The AuthClient's `refreshSession()` posts to the same-origin BFF route at
+        // `${authBasePath}/refresh`; pass the configured base so a non-standard mount
+        // still resolves (default `/api/auth`).
+        const authClient = new AuthClient(client, { authBasePath });
+        authClientForRefresh = authClient;
         return { client, cartClient, authClient };
         // eslint-disable-next-line react-hooks/exhaustive-deps
-    }, [config.apiUrl, config.shopSlug, authStore, currencyStore, languageStore]);
+    }, [config.apiUrl, config.shopSlug, authStore, currencyStore, languageStore, sessionExpiredEmitter, authBasePath]);
     return (_jsx(StorefrontClientContext.Provider, { value: value, children: children }));
 }
 /**

package/dist/react/providers/storefront-provider.d.ts

@@ -10,14 +10,18 @@
  * @example
  * ```tsx
  * // app/layout.tsx
- * import { StorefrontProvider } from '@doswiftly/storefront-sdk/react';
+ * import { cookies } from 'next/headers';
+ * import { StorefrontProvider, AUTH_COOKIE_NAME } from '@doswiftly/storefront-sdk';
  *
  * export default async function RootLayout({ children }) {
- *   const shopData = await fetchShop();
+ *   const [shopData, cookieStore] = await Promise.all([fetchShop(), cookies()]);
+ *   const initialAccessToken = cookieStore.get(AUTH_COOKIE_NAME)?.value ?? null;
+ *
  *   return (
  *     <StorefrontProvider
  *       config={{ apiUrl: '...', shopSlug: '...' }}
  *       shopData={shopData}
+ *       initialAccessToken={initialAccessToken}
  *     >
  *       {children}
  *     </StorefrontProvider>
@@ -35,14 +39,58 @@ export interface StorefrontProviderProps extends StorefrontClientProviderProps {
      * eliminating the flash of "Sign In" while Zustand persist rehydrates from localStorage.
      *
      * Read from cookies() in a Server Component (layout.tsx) and pass here.
+     *
+     * Defaults to `!!initialAccessToken` when omitted (raw token implies authenticated).
+     * Pass `false` explicitly to override that default in edge cases (opt-out flow,
+     * recovery banner that holds a token without claiming auth state).
      */
     initialIsAuthenticated?: boolean;
+    /**
+     * Server-side token seed. See {@link CreateAuthStoreOptions.initialAccessToken}
+     * for full semantics and security guarantees (token kept in memory, never
+     * persisted). Wire up from your Server Component with `cookies()` + `AUTH_COOKIE_NAME`.
+     *
+     * @example
+     * ```tsx
+     * // app/layout.tsx
+     * import { cookies } from 'next/headers';
+     * import { AUTH_COOKIE_NAME } from '@doswiftly/storefront-sdk';
+     *
+     * const cookieStore = await cookies();
+     * const initialAccessToken = cookieStore.get(AUTH_COOKIE_NAME)?.value ?? null;
+     *
+     * <StorefrontProvider initialAccessToken={initialAccessToken} ...>
+     * ```
+     */
+    initialAccessToken?: string | null;
     /**
      * Server-side language hint — pass the URL locale from next-intl params.
      * Eliminates flash of wrong language on first render by initializing the
      * language store with the correct value from the server.
      */
     initialLanguage?: string;
+    /**
+     * Proactive session refresh. Defaults to ON in the browser and OFF on the
+     * server — you do NOT need to pass it. When active, the SDK renews the access
+     * token shortly before it expires so an active buyer is never logged out
+     * mid-session, and fires a global `session-expired` signal (subscribe via
+     * `useSessionExpired`) when the session can no longer be kept alive. Pass
+     * `autoRefresh={false}` to opt out and drive refreshing yourself.
+     */
+    autoRefresh?: boolean;
+    /**
+     * Base path of the SDK-BFF auth route handlers (default `/api/auth`). The
+     * proactive scheduler and the reactive-401 renewal post to `${authBasePath}/refresh`
+     * (same-origin), which rotates the refresh cookie server-side. Override only for
+     * non-standard mounts — it must match where `createStorefrontAuthRoute` is mounted.
+     */
+    authBasePath?: string;
+    /**
+     * Server-side session-expiry seed (ISO 8601) — typically the readable
+     * `session-expiry` cookie value read in a Server Component. Lets the refresh
+     * scheduler arm on the first render (cold start) without a whoami round-trip.
+     */
+    initialExpiresAt?: string | null;
 }
-export declare function StorefrontProvider({ children, config, middleware, shopData, initialIsAuthenticated, initialLanguage, }: StorefrontProviderProps): import("react/jsx-runtime").JSX.Element;
+export declare function StorefrontProvider({ children, config, middleware, shopData, initialIsAuthenticated, initialAccessToken, initialExpiresAt, initialLanguage, autoRefresh, authBasePath, }: StorefrontProviderProps): import("react/jsx-runtime").JSX.Element;
 //# sourceMappingURL=storefront-provider.d.ts.map

package/dist/react/providers/storefront-provider.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"storefront-provider.d.ts","sourceRoot":"","sources":["../../../src/react/providers/storefront-provider.tsx"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;GA0BG;AASH,OAAO,EAA4B,KAAK,6BAA6B,EAAE,MAAM,8BAA8B,CAAC;AAC5G,OAAO,EAAoB,KAAK,qBAAqB,EAAE,MAAM,qBAAqB,CAAC;AAMnF,MAAM,WAAW,uBAAwB,SAAQ,6BAA6B;IAC5E,QAAQ,EAAE,qBAAqB,CAAC,UAAU,CAAC,CAAC;IAC5C;;;;;;OAMG;IACH,sBAAsB,CAAC,EAAE,OAAO,CAAC;IACjC;;;;OAIG;IACH,eAAe,CAAC,EAAE,MAAM,CAAC;CAC1B;AAED,wBAAgB,kBAAkB,CAAC,EACjC,QAAQ,EACR,MAAM,EACN,UAAU,EACV,QAAQ,EACR,sBAAsB,EACtB,eAAe,GAChB,EAAE,uBAAuB,2CA+BzB"}
+{"version":3,"file":"storefront-provider.d.ts","sourceRoot":"","sources":["../../../src/react/providers/storefront-provider.tsx"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA8BG;AASH,OAAO,EAA4B,KAAK,6BAA6B,EAAE,MAAM,8BAA8B,CAAC;AAC5G,OAAO,EAAoB,KAAK,qBAAqB,EAAE,MAAM,qBAAqB,CAAC;AASnF,MAAM,WAAW,uBAAwB,SAAQ,6BAA6B;IAC5E,QAAQ,EAAE,qBAAqB,CAAC,UAAU,CAAC,CAAC;IAC5C;;;;;;;;;;OAUG;IACH,sBAAsB,CAAC,EAAE,OAAO,CAAC;IACjC;;;;;;;;;;;;;;;;OAgBG;IACH,kBAAkB,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IACnC;;;;OAIG;IACH,eAAe,CAAC,EAAE,MAAM,CAAC;IACzB;;;;;;;OAOG;IACH,WAAW,CAAC,EAAE,OAAO,CAAC;IACtB;;;;;OAKG;IACH,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB;;;;OAIG;IACH,gBAAgB,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;CAClC;AAED,wBAAgB,kBAAkB,CAAC,EACjC,QAAQ,EACR,MAAM,EACN,UAAU,EACV,QAAQ,EACR,sBAAsB,EACtB,kBAAkB,EAClB,gBAAgB,EAChB,eAAe,EACf,WAAW,EACX,YAAY,GACb,EAAE,uBAAuB,2CAwCzB"}

package/dist/react/providers/storefront-provider.js

@@ -10,14 +10,18 @@
  * @example
  * ```tsx
  * // app/layout.tsx
- * import { StorefrontProvider } from '@doswiftly/storefront-sdk/react';
+ * import { cookies } from 'next/headers';
+ * import { StorefrontProvider, AUTH_COOKIE_NAME } from '@doswiftly/storefront-sdk';
  *
  * export default async function RootLayout({ children }) {
- *   const shopData = await fetchShop();
+ *   const [shopData, cookieStore] = await Promise.all([fetchShop(), cookies()]);
+ *   const initialAccessToken = cookieStore.get(AUTH_COOKIE_NAME)?.value ?? null;
+ *
  *   return (
  *     <StorefrontProvider
  *       config={{ apiUrl: '...', shopSlug: '...' }}
  *       shopData={shopData}
+ *       initialAccessToken={initialAccessToken}
  *     >
  *       {children}
  *     </StorefrontProvider>
@@ -38,10 +42,23 @@ import { LanguageProvider } from './language-provider';
 import { createBotProtectionManager } from '../../core/bot-protection/create-manager';
 import { BotProtectionContext } from '../bot-protection/bot-protection-context';
 import { BotProtectionWidget } from '../bot-protection/bot-protection-widget';
-export function StorefrontProvider({ children, config, middleware, shopData, initialIsAuthenticated, initialLanguage, }) {
-    const authStoreRef = useRef(createAuthStore(initialIsAuthenticated));
+import { createSessionExpiredEmitter } from '../../core/auth/session-events';
+import { SessionExpiredContext } from '../hooks/use-session-expired';
+import { useSessionRefresh } from '../hooks/use-session-refresh';
+export function StorefrontProvider({ children, config, middleware, shopData, initialIsAuthenticated, initialAccessToken, initialExpiresAt, initialLanguage, autoRefresh, authBasePath, }) {
+    const authStoreRef = useRef(createAuthStore({ initialIsAuthenticated, initialAccessToken, initialExpiresAt }));
     const currencyStoreRef = useRef(createCurrencyStore());
     const languageStoreRef = useRef(createLanguageStore(initialLanguage));
+    const sessionExpiredRef = useRef(createSessionExpiredEmitter());
     const botProtectionRef = useRef(shopData.botProtection ? createBotProtectionManager(shopData.botProtection) : null);
-    return (_jsx(AuthStoreContext.Provider, { value: authStoreRef.current, children: _jsx(CurrencyStoreContext.Provider, { value: currencyStoreRef.current, children: _jsx(LanguageStoreContext.Provider, { value: languageStoreRef.current, children: _jsx(StorefrontClientProvider, { config: config, middleware: middleware, botProtection: botProtectionRef.current, botProtectionOperations: shopData.botProtection?.protectedOperations, children: _jsx(BotProtectionContext.Provider, { value: { manager: botProtectionRef.current }, children: _jsx(CurrencyProvider, { shopData: shopData, children: _jsxs(LanguageProvider, { shopData: shopData, children: [_jsx(BotProtectionWidget, { manager: botProtectionRef.current }), children] }) }) }) }) }) }) }));
+    return (_jsx(AuthStoreContext.Provider, { value: authStoreRef.current, children: _jsx(CurrencyStoreContext.Provider, { value: currencyStoreRef.current, children: _jsx(LanguageStoreContext.Provider, { value: languageStoreRef.current, children: _jsx(StorefrontClientProvider, { config: config, middleware: middleware, botProtection: botProtectionRef.current, botProtectionOperations: shopData.botProtection?.protectedOperations, sessionExpiredEmitter: sessionExpiredRef.current, authBasePath: authBasePath, children: _jsx(BotProtectionContext.Provider, { value: { manager: botProtectionRef.current }, children: _jsx(CurrencyProvider, { shopData: shopData, children: _jsxs(LanguageProvider, { shopData: shopData, children: [_jsx(BotProtectionWidget, { manager: botProtectionRef.current }), _jsx(SessionRefreshRunner, { autoRefresh: autoRefresh, emitter: sessionExpiredRef.current }), _jsx(SessionExpiredContext.Provider, { value: sessionExpiredRef.current, children: children })] }) }) }) }) }) }) }));
+}
+/**
+ * Internal — drives the proactive refresh scheduler from inside the provider
+ * tree (so it can read the client + auth store via context). Renders nothing.
+ * The scheduler itself is a browser-only no-op on the server.
+ */
+function SessionRefreshRunner({ autoRefresh, emitter, }) {
+    useSessionRefresh({ enabled: autoRefresh, sessionExpiredEmitter: emitter });
+    return null;
 }

package/dist/react/server/create-storefront-auth-route.d.ts

@@ -0,0 +1,63 @@
+/**
+ * createStorefrontAuthRoute — SDK-BFF auth route handlers.
+ *
+ * Generates the four same-origin auth route handlers that live on the storefront
+ * domain (`/api/auth/[action]`): `login`, `refresh`, `logout` (POST) and `whoami`
+ * (GET). Each handler calls the backend `/storefront/auth/*` namespace
+ * server-to-server with `X-Shop-Slug` as a routing hint, owns the first-party
+ * httpOnly cookies on the storefront domain, and returns ONLY
+ * `{ accessToken, expiresAt[, customer] }` to JavaScript — the refresh token is
+ * read server-side and never reaches the browser's JS.
+ *
+ * This is the universal auth transport: the route handlers live on the
+ * storefront's own domain, so first-party cookies work identically on a platform
+ * subdomain, a custom domain, and off-platform hosting (e.g. Vercel) —
+ * independent of any reverse proxy in front. The backend never emits a
+ * `Set-Cookie` to a browser (tokens travel in the server-to-server response
+ * body); the BFF sets the cookies here.
+ *
+ * 0 runtime dependencies — pure Web API (`Request`/`Response`/`fetch`). No React,
+ * no `next/*`. Mount it in a Next.js (or any framework) route:
+ *
+ * @example
+ * ```ts
+ * // app/api/auth/[action]/route.ts
+ * import { createStorefrontAuthRoute, trustedForwardedHostValidator } from '@doswiftly/storefront-sdk/react/server';
+ *
+ * export const { GET, POST } = createStorefrontAuthRoute({
+ *   apiUrl: process.env.NEXT_PUBLIC_API_URL!,
+ *   shopSlug: process.env.NEXT_PUBLIC_SHOP_SLUG!,
+ *   isTrustedOrigin: trustedForwardedHostValidator, // when behind a reverse proxy that rewrites Host
+ * });
+ * ```
+ */
+import { type OriginValidator } from '../../core/auth/handlers';
+export interface StorefrontAuthRouteOptions {
+    /** Backend base URL (e.g. `https://api.doswiftly.pl`). The server-to-server namespace is `${apiUrl}/storefront/auth/*`. */
+    apiUrl: string;
+    /** Shop slug forwarded as the `X-Shop-Slug` routing hint (selects the tenant; never binds the rotation family). */
+    shopSlug: string;
+    /**
+     * CSRF defense-in-depth predicate. When the storefront runs behind a reverse
+     * proxy that rewrites/strips `Host` (Cloudflare Workers, Vercel, NGINX),
+     * pass `trustedForwardedHostValidator`. This is NOT the primary control — the
+     * backend's protocol controls (rotation + reuse-detection + rate-limit +
+     * possession-proof) are. See {@link OriginValidator}.
+     */
+    isTrustedOrigin?: OriginValidator | null;
+    /**
+     * Base path the route is mounted at (default `/api/auth`). The refresh cookie's
+     * `Path` is set to it so the cookie reaches both the refresh and logout routes
+     * (siblings under this base) but not GraphQL data traffic, which lives on a
+     * different path.
+     */
+    authBasePath?: string;
+    /** Custom fetch (tests, non-standard runtimes). Defaults to `globalThis.fetch`. */
+    fetch?: typeof globalThis.fetch;
+}
+export interface StorefrontAuthRouteHandlers {
+    GET: (request: Request) => Promise<Response>;
+    POST: (request: Request) => Promise<Response>;
+}
+export declare function createStorefrontAuthRoute(options: StorefrontAuthRouteOptions): StorefrontAuthRouteHandlers;
+//# sourceMappingURL=create-storefront-auth-route.d.ts.map

package/dist/react/server/create-storefront-auth-route.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"create-storefront-auth-route.d.ts","sourceRoot":"","sources":["../../../src/react/server/create-storefront-auth-route.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAgCG;AAEH,OAAO,EAGL,KAAK,eAAe,EACrB,MAAM,0BAA0B,CAAC;AAOlC,MAAM,WAAW,0BAA0B;IACzC,2HAA2H;IAC3H,MAAM,EAAE,MAAM,CAAC;IACf,mHAAmH;IACnH,QAAQ,EAAE,MAAM,CAAC;IACjB;;;;;;OAMG;IACH,eAAe,CAAC,EAAE,eAAe,GAAG,IAAI,CAAC;IACzC;;;;;OAKG;IACH,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,mFAAmF;IACnF,KAAK,CAAC,EAAE,OAAO,UAAU,CAAC,KAAK,CAAC;CACjC;AAED,MAAM,WAAW,2BAA2B;IAC1C,GAAG,EAAE,CAAC,OAAO,EAAE,OAAO,KAAK,OAAO,CAAC,QAAQ,CAAC,CAAC;IAC7C,IAAI,EAAE,CAAC,OAAO,EAAE,OAAO,KAAK,OAAO,CAAC,QAAQ,CAAC,CAAC;CAC/C;AAgDD,wBAAgB,yBAAyB,CACvC,OAAO,EAAE,0BAA0B,GAClC,2BAA2B,CA+L7B"}