@enterprisestandard/react 0.0.5 → 0.0.6

package/dist/index.js

@@ -1,1366 +1 @@
-// src/iam.ts
-async function iam(config) {
-  return {};
-}
-
-// src/oidc-schema.ts
-function oidcCallbackSchema(vendor) {
-  return {
-    "~standard": {
-      version: 1,
-      vendor,
-      validate: (value) => {
-        if (typeof value !== "object" || value === null) {
-          return {
-            issues: [
-              {
-                message: "Expected an object"
-              }
-            ]
-          };
-        }
-        const params = value;
-        const issues = [];
-        const result = {};
-        if ("code" in params) {
-          if (typeof params.code === "string") {
-            result.code = params.code;
-          } else {
-            issues.push({
-              message: "code must be a string",
-              path: ["code"]
-            });
-          }
-        } else if (!("error" in params)) {
-          issues.push({
-            message: "code is required",
-            path: ["code"]
-          });
-        }
-        if ("state" in params) {
-          if (typeof params.state === "string" || params.state === undefined) {
-            result.state = params.state;
-          } else {
-            issues.push({
-              message: "state must be a string",
-              path: ["state"]
-            });
-          }
-        }
-        if ("session_state" in params) {
-          if (typeof params.session_state === "string" || params.session_state === undefined) {
-            result.session_state = params.session_state;
-          } else {
-            issues.push({
-              message: "session_state must be a string",
-              path: ["session_state"]
-            });
-          }
-        }
-        if ("error" in params) {
-          if (typeof params.error === "string") {
-            result.error = params.error;
-          } else {
-            issues.push({
-              message: "error must be a string",
-              path: ["error"]
-            });
-          }
-          if ("error_description" in params) {
-            if (typeof params.error_description === "string" || params.error_description === undefined) {
-              result.error_description = params.error_description;
-            } else {
-              issues.push({
-                message: "error_description must be a string",
-                path: ["error_description"]
-              });
-            }
-          }
-          if ("error_uri" in params) {
-            if (typeof params.error_uri === "string" || params.error_uri === undefined) {
-              result.error_uri = params.error_uri;
-            } else {
-              issues.push({
-                message: "error_uri must be a string",
-                path: ["error_uri"]
-              });
-            }
-          }
-        }
-        if ("iss" in params) {
-          if (typeof params.iss === "string" || params.iss === undefined) {
-            result.iss = params.iss;
-          } else {
-            issues.push({
-              message: "iss must be a string",
-              path: ["iss"]
-            });
-          }
-        }
-        if (issues.length > 0) {
-          return { issues };
-        }
-        return { value: result };
-      }
-    }
-  };
-}
-function tokenResponseSchema(vendor) {
-  return {
-    "~standard": {
-      version: 1,
-      vendor,
-      validate: (value) => {
-        if (typeof value !== "object" || value === null) {
-          return {
-            issues: [
-              {
-                message: "Expected an object"
-              }
-            ]
-          };
-        }
-        const response = value;
-        const issues = [];
-        const result = {};
-        if ("access_token" in response) {
-          if (typeof response.access_token === "string") {
-            result.access_token = response.access_token;
-          } else {
-            issues.push({
-              message: "access_token must be a string",
-              path: ["access_token"]
-            });
-          }
-        } else {
-          issues.push({
-            message: "access_token is required",
-            path: ["access_token"]
-          });
-        }
-        if ("id_token" in response) {
-          if (typeof response.id_token === "string") {
-            result.id_token = response.id_token;
-          } else {
-            issues.push({
-              message: "id_token must be a string",
-              path: ["id_token"]
-            });
-          }
-        } else {
-          issues.push({
-            message: "id_token is required",
-            path: ["id_token"]
-          });
-        }
-        if ("token_type" in response) {
-          if (typeof response.token_type === "string") {
-            result.token_type = response.token_type;
-          } else {
-            issues.push({
-              message: "token_type must be a string",
-              path: ["token_type"]
-            });
-          }
-        } else {
-          issues.push({
-            message: "token_type is required",
-            path: ["token_type"]
-          });
-        }
-        if ("refresh_token" in response) {
-          if (typeof response.refresh_token === "string" || response.refresh_token === undefined) {
-            result.refresh_token = response.refresh_token;
-          } else {
-            issues.push({
-              message: "refresh_token must be a string",
-              path: ["refresh_token"]
-            });
-          }
-        }
-        if ("scope" in response) {
-          if (typeof response.scope === "string" || response.scope === undefined) {
-            result.scope = response.scope;
-          } else {
-            issues.push({
-              message: "scope must be a string",
-              path: ["scope"]
-            });
-          }
-        }
-        if ("session_state" in response) {
-          if (typeof response.session_state === "string" || response.session_state === undefined) {
-            result.session_state = response.session_state;
-          } else {
-            issues.push({
-              message: "session_state must be a string",
-              path: ["session_state"]
-            });
-          }
-        }
-        if ("expires" in response) {
-          if (typeof response.expires === "string" || response.expires === undefined) {
-            result.expires = response.expires;
-          } else {
-            issues.push({
-              message: "expires must be a string",
-              path: ["expires"]
-            });
-          }
-        }
-        if ("expires_in" in response) {
-          if (typeof response.expires_in === "number" || response.expires_in === undefined) {
-            result.expires_in = response.expires_in;
-          } else {
-            issues.push({
-              message: "expires_in must be a number",
-              path: ["expires_in"]
-            });
-          }
-        }
-        if ("refresh_expires_in" in response) {
-          if (typeof response.refresh_expires_in === "number" || response.refresh_expires_in === undefined) {
-            result.refresh_expires_in = response.refresh_expires_in;
-          } else {
-            issues.push({
-              message: "refresh_expires_in must be a number",
-              path: ["refresh_expires_in"]
-            });
-          }
-        }
-        if (issues.length > 0) {
-          return { issues };
-        }
-        return { value: result };
-      }
-    }
-  };
-}
-function idTokenClaimsSchema(vendor) {
-  return {
-    "~standard": {
-      version: 1,
-      vendor,
-      validate: (value) => {
-        if (typeof value !== "object" || value === null) {
-          return {
-            issues: [
-              {
-                message: "Expected an object"
-              }
-            ]
-          };
-        }
-        const claims = value;
-        const issues = [];
-        const result = { ...claims };
-        const stringFields = ["iss", "aud", "sub", "sid", "name", "email", "preferred_username", "picture"];
-        for (const field of stringFields) {
-          if (field in claims && claims[field] !== undefined) {
-            if (typeof claims[field] !== "string") {
-              issues.push({
-                message: `${field} must be a string`,
-                path: [field]
-              });
-            }
-          }
-        }
-        const numberFields = ["exp", "iat"];
-        for (const field of numberFields) {
-          if (field in claims && claims[field] !== undefined) {
-            if (typeof claims[field] !== "number") {
-              issues.push({
-                message: `${field} must be a number`,
-                path: [field]
-              });
-            }
-          }
-        }
-        if (issues.length > 0) {
-          return { issues };
-        }
-        return { value: result };
-      }
-    }
-  };
-}
-
-// src/utils.ts
-var defaultInstance;
-function must(value, message = "Assertion failed. Required value is null or undefined.") {
-  if (value === undefined || value === null) {
-    throw new Error(message);
-  }
-  return value;
-}
-function setDefaultInstance(es) {
-  defaultInstance = es;
-}
-function getDefaultInstance() {
-  return defaultInstance;
-}
-function getES(es) {
-  if (es)
-    return es;
-  if (defaultInstance)
-    return defaultInstance;
-  throw new Error(`TODO standardize the error message when there isn't a default EntepriseStandard`);
-}
-
-// src/sso.ts
-var jwksCache = new Map;
-function sso(config) {
-  const configWithDefaults = {
-    ...config,
-    authority: must(config.authority, "Missing 'authority' from SSO Config"),
-    token_url: must(config.token_url, "Missing 'token_url' from SSO Config"),
-    authorization_url: must(config.authorization_url, "Missing 'authorization_url' from SSO Config"),
-    client_id: must(config.client_id, "Missing 'client_id' from SSO Config"),
-    redirect_uri: must(config.redirect_uri, "Missing 'redirect_uri' from SSO Config"),
-    scope: must(config.scope, "Missing 'scope' from SSO Config"),
-    response_type: config.response_type ?? "code",
-    cookies_secure: config.cookies_secure !== undefined ? config.cookies_secure : true,
-    cookies_same_site: config.cookies_same_site !== undefined ? config.cookies_same_site : "Strict",
-    cookies_prefix: config.cookies_prefix ?? `es.sso.${config.client_id}`,
-    cookies_path: config.cookies_path ?? "/"
-  };
-  async function getUser(request) {
-    if (!configWithDefaults) {
-      console.error("SSO Manager not initialized");
-      return;
-    }
-    try {
-      const { tokens } = await getTokenFromCookies(request);
-      if (!tokens)
-        return;
-      return await parseUser(tokens);
-    } catch (error) {
-      console.error("Error parsing user from cookies:", error);
-      return;
-    }
-  }
-  async function getRequiredUser(request) {
-    const user = await getUser(request);
-    if (user)
-      return user;
-    throw new Response("Unauthorized", {
-      status: 401,
-      statusText: "Unauthorized"
-    });
-  }
-  async function initiateLogin({ landingUrl, errorUrl }) {
-    if (!configWithDefaults) {
-      console.error("SSO Manager not initialized");
-      return Promise.resolve(new Response("SSO Manager not initialized", { status: 503 }));
-    }
-    const state = generateRandomString();
-    const codeVerifier = generateRandomString(64);
-    const url = new URL(configWithDefaults.authorization_url);
-    url.searchParams.append("client_id", configWithDefaults.client_id);
-    url.searchParams.append("redirect_uri", configWithDefaults.redirect_uri);
-    url.searchParams.append("response_type", "code");
-    url.searchParams.append("scope", configWithDefaults.scope);
-    url.searchParams.append("state", state);
-    const codeChallenge = await pkceChallengeFromVerifier(codeVerifier);
-    url.searchParams.append("code_challenge", codeChallenge);
-    url.searchParams.append("code_challenge_method", "S256");
-    const val = {
-      state,
-      codeVerifier,
-      landingUrl,
-      errorUrl
-    };
-    return new Response("Redirecting to SSO Provider", {
-      status: 302,
-      headers: {
-        Location: url.toString(),
-        "Set-Cookie": createCookie("state", val, 86400)
-      }
-    });
-  }
-  async function logout(request, _config) {
-    try {
-      const refreshToken2 = getCookie("refresh", request);
-      if (refreshToken2) {
-        await revokeToken(refreshToken2);
-      }
-    } catch (error) {
-      console.warn("Failed to revoke token:", error);
-    }
-    if (config.session_store) {
-      try {
-        const user = await getUser(request);
-        if (user?.sso?.profile.sid) {
-          const sid = user.sso.profile.sid;
-          await config.session_store.delete(sid);
-          console.log(`Session ${sid} deleted from store`);
-        }
-      } catch (error) {
-        console.warn("Failed to delete session:", error);
-      }
-    }
-    const clearHeaders = [
-      ["Set-Cookie", clearCookie("access")],
-      ["Set-Cookie", clearCookie("id")],
-      ["Set-Cookie", clearCookie("refresh")],
-      ["Set-Cookie", clearCookie("control")],
-      ["Set-Cookie", clearCookie("state")]
-    ];
-    const url = new URL(request.url);
-    const redirectTo = url.searchParams.get("redirect");
-    if (redirectTo) {
-      return new Response("Logged out", {
-        status: 302,
-        headers: [["Location", redirectTo], ...clearHeaders]
-      });
-    }
-    const accept = request.headers.get("accept");
-    const isAjax = accept?.includes("application/json") || accept?.includes("text/javascript");
-    if (isAjax) {
-      return new Response(JSON.stringify({ success: true, message: "Logged out" }), {
-        status: 200,
-        headers: [["Content-Type", "application/json"], ...clearHeaders]
-      });
-    } else {
-      return new Response(`
-          <!DOCTYPE html><html lang="en"><body>
-            <h1>Logout Complete</h1>
-            <div style="display: none">
-              It is not recommended to show the default logout page. Include '?redirect=/someHomePage' or logout asynchronously.
-              Check the <a href="https://EnterpriseStandard.com/sso#logout">Enterprise Standard Packages</a> for more information.
-            </div>
-          </body></html>
-        `, {
-        status: 200,
-        headers: [["Content-Type", "text/html"], ...clearHeaders]
-      });
-    }
-  }
-  async function logoutBackChannel(request) {
-    if (!configWithDefaults.session_store) {
-      return new Response("Back-Channel Logout requires session_store configuration", {
-        status: 400,
-        statusText: "Bad Request"
-      });
-    }
-    try {
-      const contentType = request.headers.get("content-type");
-      if (!contentType || !contentType.includes("application/x-www-form-urlencoded")) {
-        return new Response("Invalid Content-Type, expected application/x-www-form-urlencoded", {
-          status: 400
-        });
-      }
-      const body = await request.text();
-      const params = new URLSearchParams(body);
-      const logoutToken = params.get("logout_token");
-      if (!logoutToken) {
-        return new Response("Missing logout_token parameter", { status: 400 });
-      }
-      const claims = await parseJwt(logoutToken);
-      const sid = claims.sid;
-      if (!sid) {
-        console.warn("Back-Channel Logout: logout_token missing sid claim");
-        return new Response("Invalid logout_token: missing sid claim", { status: 400 });
-      }
-      await configWithDefaults.session_store.delete(sid);
-      console.log(`Back-Channel Logout: successfully deleted session ${sid}`);
-      return new Response("OK", { status: 200 });
-    } catch (error) {
-      console.error("Error during back-channel logout:", error);
-      return new Response("Internal Server Error", { status: 500 });
-    }
-  }
-  async function callbackHandler(request, validation) {
-    if (!configWithDefaults) {
-      console.error("SSO Manager not initialized");
-      return Promise.resolve(new Response("SSO Manager not initialized", { status: 503 }));
-    }
-    const url = new URL(request.url);
-    const params = new URLSearchParams(url.search);
-    const callbackParamsValidator = validation?.callbackParams ?? oidcCallbackSchema("builtin");
-    const paramsObject = Object.fromEntries(params.entries());
-    const paramsResult = await callbackParamsValidator["~standard"].validate(paramsObject);
-    if ("issues" in paramsResult) {
-      return new Response(JSON.stringify({
-        error: "validation_failed",
-        message: "OIDC callback parameters validation failed",
-        issues: paramsResult.issues?.map((i) => ({
-          path: i.path?.join("."),
-          message: i.message
-        }))
-      }), {
-        status: 400,
-        headers: { "Content-Type": "application/json" }
-      });
-    }
-    const { code: codeFromUrl, state: stateFromUrl } = paramsResult.value;
-    try {
-      const cookie = getCookie("state", request, true);
-      const { codeVerifier, state, landingUrl } = cookie ?? {};
-      must(codeVerifier, 'OIDC "codeVerifier" was not present in cookies, ensure that the SSO login was initiated correctly');
-      must(state, 'OIDC "stateVerifier" was not present in cookies, ensure that the SSO login was initiated correctly');
-      must(landingUrl, 'OIDC "landingUrl" was not present in cookies');
-      if (stateFromUrl !== state) {
-        throw new Error('SSO State Verifier failed, the "state" request parameter does not equal the "state" in the SSO cookie');
-      }
-      const tokenResponse = await exchangeCodeForToken(codeFromUrl, codeVerifier, validation);
-      const user = await parseUser(tokenResponse, validation);
-      if (config.session_store) {
-        try {
-          const sid = user.sso.profile.sid;
-          const sub = user.id;
-          if (sid && sub) {
-            const session = {
-              sid,
-              sub,
-              createdAt: new Date,
-              lastActivityAt: new Date
-            };
-            await config.session_store.create(session);
-          } else {
-            console.warn("Session creation skipped: missing sid or sub in ID token claims");
-          }
-        } catch (error) {
-          console.warn("Failed to create session:", error);
-        }
-      }
-      return new Response("Authentication successful, redirecting", {
-        status: 302,
-        headers: [
-          ["Location", landingUrl],
-          ["Set-Cookie", clearCookie("state")],
-          ...createJwtCookies(tokenResponse, user.sso.expires)
-        ]
-      });
-    } catch (error) {
-      console.error("Error during sign-in callback:", error);
-      try {
-        const cookie = getCookie("state", request, true);
-        const { errorUrl } = cookie ?? {};
-        if (errorUrl) {
-          return new Response("Redirecting to error url", {
-            status: 302,
-            headers: [["Location", errorUrl]]
-          });
-        }
-      } catch (_err) {
-        console.warn("Error parsing the errorUrl from the OIDC cookie");
-      }
-      console.warn("No error page was found in the cookies. The user will be shown a default error page.");
-      return new Response("An error occurred during authentication, please return to the application homepage and try again.", {
-        status: 500
-      });
-    }
-  }
-  async function parseUser(token, validation) {
-    if (!configWithDefaults)
-      throw new Error("SSO Manager not initialized");
-    const idToken = await parseJwt(token.id_token, validation);
-    const expiresIn = Number(token.refresh_expires_in ?? token.expires_in ?? 3600);
-    const expires = token.expires ? new Date(token.expires) : new Date(Date.now() + expiresIn * 1000);
-    return {
-      id: idToken.sub,
-      userName: idToken.preferred_username || "",
-      name: idToken.name || "",
-      email: idToken.email || "",
-      emails: [
-        {
-          value: idToken.email || "",
-          primary: true
-        }
-      ],
-      avatarUrl: idToken.picture,
-      sso: {
-        profile: {
-          ...idToken,
-          iss: idToken.iss || configWithDefaults.authority,
-          aud: idToken.aud || configWithDefaults.client_id
-        },
-        tenant: {
-          id: idToken.idp || idToken.iss || configWithDefaults.authority,
-          name: idToken.iss || configWithDefaults.authority
-        },
-        scope: token.scope,
-        tokenType: token.token_type,
-        sessionState: token.session_state,
-        expires
-      }
-    };
-  }
-  async function exchangeCodeForToken(code, codeVerifier, validation) {
-    if (!configWithDefaults)
-      throw new Error("SSO Manager not initialized");
-    const tokenUrl = configWithDefaults.token_url;
-    const body = new URLSearchParams;
-    body.append("grant_type", "authorization_code");
-    body.append("code", code);
-    body.append("redirect_uri", configWithDefaults.redirect_uri);
-    body.append("client_id", configWithDefaults.client_id);
-    body.append("code_verifier", codeVerifier);
-    try {
-      const response = await fetch(tokenUrl, {
-        method: "POST",
-        headers: {
-          "Content-Type": "application/x-www-form-urlencoded",
-          Accept: "application/json"
-        },
-        body: body.toString()
-      });
-      const data = await response.json();
-      if (!response.ok) {
-        console.error("Token exchange error:", data);
-        throw new Error(`Token exchange failed: ${data.error || response.statusText} - ${data.error_description || ""}`.trim());
-      }
-      const tokenResponseValidator = validation?.tokenResponse ?? tokenResponseSchema("builtin");
-      const tokenResult = await tokenResponseValidator["~standard"].validate(data);
-      if ("issues" in tokenResult) {
-        console.error("Token response validation failed:", tokenResult.issues);
-        throw new Error(`Token response validation failed: ${tokenResult.issues?.map((i) => i.message).join("; ")}`);
-      }
-      return tokenResult.value;
-    } catch (error) {
-      console.error("Error during token exchange:", error);
-      throw error;
-    }
-  }
-  async function refreshToken(refreshToken2) {
-    return retryWithBackoff(async () => {
-      if (!configWithDefaults)
-        throw new Error("SSO Manager not initialized");
-      const tokenUrl = configWithDefaults.token_url;
-      const body = new URLSearchParams;
-      body.append("grant_type", "refresh_token");
-      body.append("refresh_token", refreshToken2);
-      body.append("client_id", configWithDefaults.client_id);
-      const response = await fetch(tokenUrl, {
-        method: "POST",
-        headers: {
-          "Content-Type": "application/x-www-form-urlencoded",
-          Accept: "application/json"
-        },
-        body: body.toString()
-      });
-      const data = await response.json();
-      if (!response.ok) {
-        console.error("Token refresh error:", data);
-        throw new Error(`Token refresh failed: ${data.error || response.statusText} - ${data.error_description || ""}`.trim());
-      }
-      return data;
-    });
-  }
-  async function revokeToken(token) {
-    try {
-      if (!configWithDefaults)
-        throw new Error("SSO Manager not initialized");
-      if (!configWithDefaults.revocation_endpoint) {
-        return;
-      }
-      const body = new URLSearchParams;
-      body.append("token", token);
-      body.append("token_type_hint", "refresh_token");
-      body.append("client_id", configWithDefaults.client_id);
-      const response = await fetch(configWithDefaults.revocation_endpoint, {
-        method: "POST",
-        headers: {
-          "Content-Type": "application/x-www-form-urlencoded"
-        },
-        body: body.toString()
-      });
-      if (!response.ok) {
-        console.warn("Token revocation failed:", response.status, response.statusText);
-      } else {
-        console.log("Token revoked successfully");
-      }
-    } catch (error) {
-      console.warn("Error revoking token:", error);
-    }
-  }
-  async function fetchJwks() {
-    const url = configWithDefaults.jwks_uri || `${configWithDefaults.authority}/protocol/openid-connect/certs`;
-    const cached = jwksCache.get(url);
-    if (cached)
-      return cached;
-    return retryWithBackoff(async () => {
-      if (!configWithDefaults)
-        throw new Error("SSO Manager not initialized");
-      const response = await fetch(url);
-      if (!response.ok)
-        throw new Error("Failed to fetch JWKS");
-      const jwks = await response.json();
-      jwksCache.set(url, jwks);
-      return jwks;
-    });
-  }
-  async function retryWithBackoff(operation, maxRetries = 3, baseDelay = 1000, maxDelay = 30000) {
-    let lastError = new Error("Placeholder Error");
-    for (let attempt = 0;attempt <= maxRetries; attempt++) {
-      try {
-        return await operation();
-      } catch (error) {
-        lastError = error instanceof Error ? error : new Error(String(error));
-        if (error instanceof Error && error.message.includes("400")) {
-          throw error;
-        }
-        if (attempt === maxRetries) {
-          throw lastError;
-        }
-        const delay = Math.min(baseDelay * 2 ** attempt, maxDelay);
-        const jitter = Math.random() * 0.1 * delay;
-        await new Promise((resolve) => setTimeout(resolve, delay + jitter));
-        console.warn(`Retry attempt ${attempt + 1} after ${delay + jitter}ms delay`);
-      }
-    }
-    throw lastError;
-  }
-  async function parseJwt(token, validation) {
-    try {
-      const parts = token.split(".");
-      if (parts.length !== 3)
-        throw new Error("Invalid JWT");
-      const header = JSON.parse(atob(parts[0].replace(/-/g, "+").replace(/_/g, "/")));
-      const payload = JSON.parse(atob(parts[1].replace(/-/g, "+").replace(/_/g, "/")));
-      const signature = parts[2].replace(/-/g, "+").replace(/_/g, "/");
-      const publicKey = await getPublicKey(header.kid);
-      const encoder = new TextEncoder;
-      const data = encoder.encode(`${parts[0]}.${parts[1]}`);
-      const isValid = await crypto.subtle.verify("RSASSA-PKCS1-v1_5", publicKey, Uint8Array.from(atob(signature), (c) => c.charCodeAt(0)), data);
-      if (!isValid)
-        throw new Error("Invalid JWT signature");
-      const idTokenClaimsValidator = validation?.idTokenClaims ?? idTokenClaimsSchema("builtin");
-      const claimsResult = await idTokenClaimsValidator["~standard"].validate(payload);
-      if ("issues" in claimsResult) {
-        console.error("ID token claims validation failed:", claimsResult.issues);
-        throw new Error(`ID token claims validation failed: ${claimsResult.issues?.map((i) => i.message).join("; ")}`);
-      }
-      return claimsResult.value;
-    } catch (e) {
-      console.error("Error verifying JWT:", e);
-      throw e;
-    }
-  }
-  function generateRandomString(length = 32) {
-    const array = new Uint8Array(length);
-    crypto.getRandomValues(array);
-    return Array.from(array, (byte) => byte.toString(16).padStart(2, "0")).join("").substring(0, length);
-  }
-  async function pkceChallengeFromVerifier(verifier) {
-    const encoder = new TextEncoder;
-    const data = encoder.encode(verifier);
-    const hashBuffer = await crypto.subtle.digest("SHA-256", data);
-    const hashArray = Array.from(new Uint8Array(hashBuffer));
-    const hashBase64 = btoa(String.fromCharCode(...hashArray)).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
-    return hashBase64;
-  }
-  async function getPublicKey(kid) {
-    const jwks = await fetchJwks();
-    const key = jwks.keys.find((k) => k.kid === kid);
-    if (!key)
-      throw new Error("Public key not found");
-    const publicKey = await crypto.subtle.importKey("jwk", {
-      kty: key.kty,
-      n: key.n,
-      e: key.e
-    }, { name: "RSASSA-PKCS1-v1_5", hash: "SHA-256" }, false, ["verify"]);
-    return publicKey;
-  }
-  function createJwtCookies(token, expires) {
-    const control = {
-      expires_in: token.expires_in,
-      refresh_expires_in: token.refresh_expires_in,
-      scope: token.scope,
-      session_state: token.session_state,
-      token_type: token.token_type,
-      expires: expires.toISOString()
-    };
-    return [
-      ["Set-Cookie", createCookie("access", token.access_token, expires)],
-      ["Set-Cookie", createCookie("id", token.id_token, expires)],
-      ["Set-Cookie", createCookie("refresh", token.refresh_token ?? "", expires)],
-      ["Set-Cookie", createCookie("control", control, expires)]
-    ];
-  }
-  async function getTokenFromCookies(req) {
-    const access_token = getCookie("access", req);
-    const id_token = getCookie("id", req);
-    const refresh_token = getCookie("refresh", req);
-    const control = getCookie("control", req, true);
-    if (!access_token || !id_token || !refresh_token || !control) {
-      return { tokens: undefined, refreshHeaders: [] };
-    }
-    let tokenResponse = {
-      access_token,
-      id_token,
-      refresh_token,
-      ...control
-    };
-    if (control.expires && refresh_token && Date.now() > new Date(control.expires).getTime()) {
-      tokenResponse = await refreshToken(refresh_token);
-      const user = await parseUser(tokenResponse);
-      const refreshHeaders = createJwtCookies(tokenResponse, user.sso.expires);
-      return { tokens: tokenResponse, refreshHeaders };
-    }
-    return { tokens: tokenResponse, refreshHeaders: [] };
-  }
-  async function getJwt(request) {
-    const { tokens } = await getTokenFromCookies(request);
-    if (!tokens)
-      return;
-    return tokens.access_token;
-  }
-  function createCookie(name, value, expires) {
-    name = `${configWithDefaults.cookies_prefix}.${name}`;
-    if (typeof value !== "string") {
-      value = btoa(JSON.stringify(value));
-    }
-    let exp;
-    if (expires instanceof Date) {
-      exp = `Expires=${expires.toUTCString()}`;
-    } else if (typeof expires === "number") {
-      exp = `Max-Age=${expires}`;
-    } else {
-      throw new Error("Invalid expires type", expires);
-    }
-    if (value.length > 4000) {
-      throw new Error(`Error setting cookie: ${name}. Cookie length is: ${value.length}`);
-    }
-    return `${name}=${value}; ${exp}; Path=${configWithDefaults.cookies_path}; HttpOnly;${configWithDefaults.cookies_secure ? " Secure;" : ""} SameSite=${configWithDefaults.cookies_same_site};`;
-  }
-  function clearCookie(name) {
-    return `${configWithDefaults.cookies_prefix}.${name}=; Max-Age=0; Path=${configWithDefaults.cookies_path}; HttpOnly;${configWithDefaults.cookies_secure ? " Secure;" : ""} SameSite=${configWithDefaults.cookies_same_site};`;
-  }
-  function getCookie(name, req, parse = false) {
-    const header = req.headers.get("cookie");
-    if (!header)
-      return null;
-    const cookie = header.split(";").find((row) => row.trim().startsWith(`${configWithDefaults.cookies_prefix}.${name}=`));
-    if (!cookie)
-      return null;
-    const val = cookie.split("=")[1].trim();
-    if (!parse)
-      return val;
-    const str = atob(val);
-    return JSON.parse(str);
-  }
-  async function handler(request, handlerConfig) {
-    const { loginUrl, userUrl, errorUrl, landingUrl, tokenUrl, refreshUrl, logoutUrl, logoutBackChannelUrl, jwksUrl, validation } = handlerConfig ?? {};
-    if (!loginUrl) {
-      console.error("loginUrl is required");
-    }
-    const path = new URL(request.url).pathname;
-    if (new URL(configWithDefaults.redirect_uri).pathname === path) {
-      return callbackHandler(request, validation);
-    }
-    if (loginUrl === path) {
-      return initiateLogin({
-        landingUrl: landingUrl || "/",
-        errorUrl
-      });
-    }
-    if (userUrl === path) {
-      const { tokens, refreshHeaders } = await getTokenFromCookies(request);
-      if (!tokens) {
-        return new Response("User not logged in", { status: 401 });
-      }
-      const user = await parseUser(tokens);
-      return new Response(JSON.stringify(user), {
-        headers: [["Content-Type", "application/json"], ...refreshHeaders]
-      });
-    }
-    if (tokenUrl === path) {
-      const { tokens, refreshHeaders } = await getTokenFromCookies(request);
-      if (!tokens) {
-        return new Response("User not logged in", { status: 401 });
-      }
-      return new Response(JSON.stringify({
-        token: tokens.access_token,
-        expires: tokens.expires
-      }), {
-        headers: [["Content-Type", "application/json"], ...refreshHeaders]
-      });
-    }
-    if (refreshUrl === path) {
-      const refresh_token = getCookie("refresh", request);
-      if (!refresh_token) {
-        return new Response("User not logged in", { status: 401 });
-      }
-      const newTokenResponse = await refreshToken(refresh_token);
-      const user = await parseUser(newTokenResponse);
-      const refreshHeaders = createJwtCookies(newTokenResponse, user.sso.expires);
-      return new Response("Refresh Complete", {
-        status: 200,
-        headers: refreshHeaders
-      });
-    }
-    if (logoutUrl === path) {
-      return logout(request, { landingUrl: landingUrl || "/" });
-    }
-    if (logoutBackChannelUrl === path) {
-      return logoutBackChannel(request);
-    }
-    if (jwksUrl === path) {
-      const jwks = await fetchJwks();
-      return new Response(JSON.stringify(jwks), {
-        headers: [["Content-Type", "application/json"]]
-      });
-    }
-    return new Response("Not Found", { status: 404 });
-  }
-  return {
-    getUser,
-    getRequiredUser,
-    getJwt,
-    initiateLogin,
-    logout,
-    callbackHandler,
-    handler
-  };
-}
-
-// src/vault.ts
-function vault(url) {
-  async function getFullSecret(path, token) {
-    const resp = await fetch(`${url}/${path}`, { headers: { "X-Vault-Token": token } });
-    if (resp.status !== 200) {
-      throw new Error(`Vault returned invalid status, ${resp.status}: '${resp.statusText}' from URL: ${url}`);
-    }
-    try {
-      const secret = await resp.json();
-      return secret.data;
-    } catch (cause) {
-      throw new Error("Error retrieving secret", { cause });
-    }
-  }
-  return {
-    url,
-    getFullSecret,
-    getSecret: async (path, token) => {
-      return (await getFullSecret(path, token)).data;
-    }
-  };
-}
-// src/server.ts
-function getSSO(config) {
-  const es = getES(config?.es);
-  if (!es.sso) {
-    console.error("TODO tell them how to connect SSO");
-    return;
-  }
-  return es.sso;
-}
-function unavailable() {
-  new Response(JSON.stringify({ error: "SSO Unavailable" }), {
-    status: 503,
-    statusText: "SSO Unavailable",
-    headers: { "Content-Type": "application/json" }
-  });
-}
-async function getUser(request, config) {
-  return getSSO(config)?.getUser(request);
-}
-async function getRequiredUser(request, config) {
-  const sso2 = getSSO(config);
-  if (!sso2)
-    throw unavailable();
-  return sso2.getRequiredUser(request);
-}
-async function initiateLogin(config) {
-  const sso2 = getSSO(config);
-  if (!sso2)
-    throw unavailable();
-  return sso2.initiateLogin(config);
-}
-async function callback(request, config) {
-  const sso2 = getSSO(config);
-  if (!sso2)
-    throw unavailable();
-  return sso2.callbackHandler(request);
-}
-async function handler(request, config) {
-  const sso2 = getSSO(config);
-  if (!sso2)
-    throw unavailable();
-  return sso2.handler(request, config);
-}
-// src/session-store.ts
-class InMemorySessionStore {
-  sessions = new Map;
-  async create(session) {
-    if (this.sessions.has(session.sid)) {
-      throw new Error(`Session with sid ${session.sid} already exists`);
-    }
-    this.sessions.set(session.sid, session);
-  }
-  async get(sid) {
-    return this.sessions.get(sid) ?? null;
-  }
-  async update(sid, data) {
-    const session = this.sessions.get(sid);
-    if (!session) {
-      throw new Error(`Session with sid ${sid} not found`);
-    }
-    const updated = { ...session, ...data };
-    this.sessions.set(sid, updated);
-  }
-  async delete(sid) {
-    this.sessions.delete(sid);
-  }
-}
-// src/ui/sign-in-loading.tsx
-import { jsxDEV, Fragment } from "react/jsx-dev-runtime";
-function SignInLoading({ complete = false, children }) {
-  const { isLoading } = useUser();
-  if (isLoading && !complete)
-    return /* @__PURE__ */ jsxDEV(Fragment, {
-      children
-    }, undefined, false, undefined, this);
-  return null;
-}
-// src/ui/signed-in.tsx
-import { jsxDEV as jsxDEV2, Fragment as Fragment2 } from "react/jsx-dev-runtime";
-function SignedIn({ children }) {
-  const { user } = useUser();
-  if (user)
-    return /* @__PURE__ */ jsxDEV2(Fragment2, {
-      children
-    }, undefined, false, undefined, this);
-  return null;
-}
-// src/ui/signed-out.tsx
-import { jsxDEV as jsxDEV3, Fragment as Fragment3 } from "react/jsx-dev-runtime";
-function SignedOut({ children }) {
-  const { user, isLoading } = useUser();
-  if (user || isLoading)
-    return null;
-  return /* @__PURE__ */ jsxDEV3(Fragment3, {
-    children
-  }, undefined, false, undefined, this);
-}
-// src/ui/sso-provider.tsx
-import { createContext, useCallback, useContext, useEffect, useState } from "react";
-import { jsxDEV as jsxDEV4 } from "react/jsx-dev-runtime";
-var CTX = createContext(undefined);
-var generateStorageKey = (tenantId) => {
-  return `es-sso-user-${tenantId.replace(/[^a-zA-Z0-9]/g, "-").replace(/-+/g, "-").replace(/^-|-$/g, "")}`;
-};
-function SSOProvider({
-  tenantId,
-  storage = "memory",
-  storageKey,
-  userUrl,
-  tokenUrl,
-  refreshUrl,
-  disableListener = false,
-  children
-}) {
-  const [user, setUserState] = useState(null);
-  const [isLoading, setIsLoading] = useState(!!userUrl);
-  const actualStorageKey = storageKey || (tenantId ? generateStorageKey(tenantId) : "es-sso-user");
-  const isValidUser = useCallback((user2) => {
-    if (!user2 || !tenantId)
-      return true;
-    return user2.sso?.tenant?.id === tenantId;
-  }, [tenantId]);
-  const loadUserFromStorage = useCallback(() => {
-    if (storage === "memory" || typeof window === "undefined")
-      return null;
-    try {
-      const storageObject = storage === "local" ? localStorage : sessionStorage;
-      const userData = storageObject.getItem(actualStorageKey);
-      if (!userData)
-        return null;
-      const parsedUser = JSON.parse(userData);
-      if (parsedUser.sso?.expires) {
-        parsedUser.sso.expires = new Date(parsedUser.sso.expires);
-      }
-      return isValidUser(parsedUser) ? parsedUser : null;
-    } catch (error) {
-      console.error("Error loading user from storage:", error);
-      return null;
-    }
-  }, [storage, actualStorageKey, isValidUser]);
-  const saveUserToStorage = useCallback((user2) => {
-    if (storage === "memory" || typeof window === "undefined")
-      return;
-    try {
-      const storageObject = storage === "local" ? localStorage : sessionStorage;
-      if (user2 === null) {
-        storageObject.removeItem(actualStorageKey);
-      } else {
-        storageObject.setItem(actualStorageKey, JSON.stringify(user2));
-      }
-    } catch (error) {
-      console.error("Error saving user to storage:", error);
-    }
-  }, [storage, actualStorageKey]);
-  const setUser = useCallback((newUser) => {
-    if (newUser && !isValidUser(newUser))
-      return;
-    setUserState(newUser);
-    saveUserToStorage(newUser);
-  }, [isValidUser, saveUserToStorage]);
-  const fetchUserFromUrl = useCallback(async () => {
-    if (!userUrl)
-      return;
-    setIsLoading(true);
-    try {
-      const response = await fetch(userUrl);
-      if (response.status === 401) {
-        setUserState(null);
-        saveUserToStorage(null);
-        setIsLoading(false);
-        return;
-      }
-      if (!response.ok) {
-        throw new Error(`Failed to fetch user: ${response.status} ${response.statusText}`);
-      }
-      const userData = await response.json();
-      if (userData.sso?.expires && typeof userData.sso.expires === "string") {
-        userData.sso.expires = new Date(userData.sso.expires);
-      }
-      if (isValidUser(userData)) {
-        setUserState(userData);
-        saveUserToStorage(userData);
-      }
-    } catch (error) {
-      console.error("Error fetching user from URL:", error);
-    } finally {
-      setIsLoading(false);
-    }
-  }, [userUrl, isValidUser, saveUserToStorage]);
-  useEffect(() => {
-    const storedUser = loadUserFromStorage();
-    if (storedUser) {
-      setUserState(storedUser);
-    }
-    if (userUrl) {
-      fetchUserFromUrl();
-    } else {
-      setIsLoading(false);
-    }
-  }, [loadUserFromStorage, userUrl, fetchUserFromUrl]);
-  useEffect(() => {
-    if (disableListener || storage === "memory")
-      return;
-    const handleStorageChange = (event) => {
-      if (event.key !== actualStorageKey)
-        return;
-      if (event.newValue === null) {
-        setUserState(null);
-      } else {
-        try {
-          const parsedUser = JSON.parse(event.newValue);
-          if (parsedUser.sso?.expires) {
-            parsedUser.sso.expires = new Date(parsedUser.sso.expires);
-          }
-          if (isValidUser(parsedUser)) {
-            setUserState(parsedUser);
-          }
-        } catch (error) {
-          console.error("Error parsing user from storage event:", error);
-        }
-      }
-    };
-    const handleLogout = () => {
-      setUserState(null);
-    };
-    window.addEventListener("storage", handleStorageChange);
-    window.addEventListener("es-sso-logout", handleLogout);
-    return () => {
-      window.removeEventListener("storage", handleStorageChange);
-      window.removeEventListener("es-sso-logout", handleLogout);
-    };
-  }, [disableListener, storage, actualStorageKey, isValidUser]);
-  const contextValue = {
-    user,
-    setUser,
-    isLoading,
-    tokenUrl,
-    refreshUrl
-  };
-  return /* @__PURE__ */ jsxDEV4(CTX.Provider, {
-    value: contextValue,
-    children
-  }, undefined, false, undefined, this);
-}
-function useUser() {
-  const context = useContext(CTX);
-  if (context === undefined) {
-    throw new Error("useUser must be used within a SSOProvider");
-  }
-  return context;
-}
-function useToken() {
-  const context = useContext(CTX);
-  if (context === undefined) {
-    throw new Error("useToken must be used within a SSOProvider");
-  }
-  const { tokenUrl, refreshUrl } = context;
-  if (!tokenUrl || !refreshUrl) {
-    throw new Error('useToken requires that a "tokenUrl" and "refreshUrl" be set in the SSOProvider');
-  }
-  const [token, setToken] = useState(null);
-  const [expires, setExpires] = useState(null);
-  const [isLoading, setIsLoading] = useState(!!tokenUrl);
-  const [error, setError] = useState(null);
-  const fetchJwt = useCallback(async (url) => {
-    setIsLoading(true);
-    setError(null);
-    try {
-      const response = await fetch(url);
-      if (response.status === 401) {
-        context.setUser(null);
-        setToken(null);
-        setExpires(null);
-        setIsLoading(false);
-        return;
-      }
-      if (!response.ok) {
-        throw new Error(`Failed to fetch JWT: ${response.status} ${response.statusText}`);
-      }
-      const data = await response.json();
-      setToken(data.token);
-      setExpires(new Date(data.expires));
-    } catch (err) {
-      const error2 = err instanceof Error ? err : new Error(String(err));
-      setError(error2);
-      setToken(null);
-      setExpires(null);
-      console.error("Error fetching JWT:", error2);
-    } finally {
-      setIsLoading(false);
-    }
-  }, [context]);
-  const refresh = useCallback(async () => {
-    const url = refreshUrl || tokenUrl;
-    if (!url) {
-      console.warn("No tokenUrl or refreshUrl provided");
-      return;
-    }
-    await fetchJwt(url);
-  }, [refreshUrl, tokenUrl, fetchJwt]);
-  useEffect(() => {
-    if (!tokenUrl) {
-      setIsLoading(false);
-      return;
-    }
-    fetchJwt(tokenUrl);
-  }, [tokenUrl, fetchJwt]);
-  useEffect(() => {
-    if (!expires || !refreshUrl)
-      return;
-    const checkExpiration = () => {
-      const now = new Date;
-      const timeUntilExpiry = expires.getTime() - now.getTime();
-      if (timeUntilExpiry <= 60000 && timeUntilExpiry > 0) {
-        refresh();
-      }
-    };
-    checkExpiration();
-    const interval = setInterval(checkExpiration, 30000);
-    return () => clearInterval(interval);
-  }, [expires, refreshUrl, refresh]);
-  return {
-    token,
-    isLoading,
-    error,
-    refresh
-  };
-}
-async function logout(logoutUrl) {
-  try {
-    const response = await fetch(logoutUrl, {
-      headers: { Accept: "application/json" }
-    });
-    if (!response.ok) {
-      return { success: false, error: `HTTP ${response.status}` };
-    }
-    const data = await response.json();
-    if (!data.success) {
-      return { success: false, error: data.message || "Logout failed" };
-    }
-    if (typeof window !== "undefined") {
-      for (let i = localStorage.length - 1;i >= 0; i--) {
-        const key = localStorage.key(i);
-        if (key?.startsWith("es-sso-user")) {
-          localStorage.removeItem(key);
-        }
-      }
-      for (let i = sessionStorage.length - 1;i >= 0; i--) {
-        const key = sessionStorage.key(i);
-        if (key?.startsWith("es-sso-user")) {
-          sessionStorage.removeItem(key);
-        }
-      }
-      window.dispatchEvent(new CustomEvent("es-sso-logout"));
-    }
-    return { success: true };
-  } catch (error) {
-    return {
-      success: false,
-      error: error instanceof Error ? error.message : "Network error"
-    };
-  }
-}
-
-// src/index.ts
-async function enterpriseStandard(appKey, initConfig) {
-  let vaultUrl;
-  let vaultToken;
-  let secrets;
-  const ioniteUrl = initConfig?.ioniteUrl ?? "https://ionite.com";
-  if (appKey?.startsWith("IONITE_PUBLIC_DEMO_")) {
-    vaultUrl = "https://vault-ionite.ionite.dev/v1/secret/data";
-    const port = appKey.slice("IONITE_PUBLIC_DEMO_".length);
-    secrets = {
-      sso: {
-        path: `public/IONITE_PUBLIC_DEMO_SSO_${port}`,
-        token: "hvs.VGhD2hmXDH9PmZjTacZx0G5K"
-      }
-    };
-  } else if (appKey) {
-    if (!vaultUrl || !vaultToken) {
-      throw new Error("TODO something is wrong with the ionite config, handle this error");
-    }
-    secrets = {};
-  } else {
-    throw new Error("TODO tell them how to connect to ionite");
-  }
-  const defaultInstance2 = getDefaultInstance();
-  const vaultClient = vault(vaultUrl);
-  const result = {
-    ioniteUrl,
-    defaultInstance: initConfig?.defaultInstance || initConfig?.defaultInstance !== false && !defaultInstance2,
-    vault: vaultClient,
-    sso: secrets.sso ? sso({
-      ...await vaultClient.getSecret(secrets.sso.path, secrets.sso.token),
-      ...initConfig
-    }) : undefined,
-    iam: secrets.iam ? await iam(await vaultClient.getSecret(secrets.iam.path, secrets.iam.token)) : undefined
-  };
-  if (result.defaultInstance) {
-    if (defaultInstance2) {
-      defaultInstance2.defaultInstance = false;
-    }
-    setDefaultInstance(result);
-  }
-  return result;
-}
-export {
-  useUser,
-  useToken,
-  tokenResponseSchema,
-  oidcCallbackSchema,
-  logout,
-  initiateLogin,
-  idTokenClaimsSchema,
-  handler,
-  getUser,
-  getRequiredUser,
-  enterpriseStandard,
-  callback,
-  SignedOut,
-  SignedIn,
-  SignInLoading,
-  SSOProvider,
-  InMemorySessionStore
-};
+import{createContext as p,useCallback as $,useContext as w,useEffect as T,useState as m}from"react";import{jsxDEV as c}from"react/jsx-dev-runtime";var b=p(void 0),E=(R)=>{return`es-sso-user-${R.replace(/[^a-zA-Z0-9]/g,"-").replace(/-+/g,"-").replace(/^-|-$/g,"")}`};function k({tenantId:R,storage:P="memory",storageKey:A,userUrl:q,tokenUrl:H,refreshUrl:C,disableListener:X=!1,children:f}){let[J,Q]=m(null),[F,Y]=m(!!q),M=A||(R?E(R):"es-sso-user"),z=$((W)=>{if(!W||!R)return!0;return W.sso?.tenant?.id===R},[R]),B=$(()=>{if(P==="memory"||typeof window>"u")return null;try{let N=(P==="local"?localStorage:sessionStorage).getItem(M);if(!N)return null;let Z=JSON.parse(N);if(Z.sso?.expires)Z.sso.expires=new Date(Z.sso.expires);return z(Z)?Z:null}catch(W){return console.error("Error loading user from storage:",W),null}},[P,M,z]),G=$((W)=>{if(P==="memory"||typeof window>"u")return;try{let N=P==="local"?localStorage:sessionStorage;if(W===null)N.removeItem(M);else N.setItem(M,JSON.stringify(W))}catch(N){console.error("Error saving user to storage:",N)}},[P,M]),K=$((W)=>{if(W&&!z(W))return;Q(W),G(W)},[z,G]),j=$(async()=>{if(!q)return;Y(!0);try{let W=await fetch(q);if(W.status===401){Q(null),G(null),Y(!1);return}if(!W.ok)throw Error(`Failed to fetch user: ${W.status} ${W.statusText}`);let N=await W.json();if(N.sso?.expires&&typeof N.sso.expires==="string")N.sso.expires=new Date(N.sso.expires);if(z(N))Q(N),G(N)}catch(W){console.error("Error fetching user from URL:",W)}finally{Y(!1)}},[q,z,G]);T(()=>{let W=B();if(W)Q(W);if(q)j();else Y(!1)},[B,q,j]),T(()=>{if(X||P==="memory")return;let W=(Z)=>{if(Z.key!==M)return;if(Z.newValue===null)Q(null);else try{let _=JSON.parse(Z.newValue);if(_.sso?.expires)_.sso.expires=new Date(_.sso.expires);if(z(_))Q(_)}catch(_){console.error("Error parsing user from storage event:",_)}},N=()=>{Q(null)};return window.addEventListener("storage",W),window.addEventListener("es-sso-logout",N),()=>{window.removeEventListener("storage",W),window.removeEventListener("es-sso-logout",N)}},[X,P,M,z]);let I={user:J,setUser:K,isLoading:F,tokenUrl:H,refreshUrl:C};return c(b.Provider,{value:I,children:f},void 0,!1,void 0,this)}function O(){let R=w(b);if(R===void 0)throw Error("useUser must be used within a SSOProvider");return R}function S(){let R=w(b);if(R===void 0)throw Error("useToken must be used within a SSOProvider");let{tokenUrl:P,refreshUrl:A}=R;if(!P||!A)throw Error('useToken requires that a "tokenUrl" and "refreshUrl" be set in the SSOProvider');let[q,H]=m(null),[C,X]=m(null),[f,J]=m(!!P),[Q,F]=m(null),Y=$(async(z)=>{J(!0),F(null);try{let B=await fetch(z);if(B.status===401){R.setUser(null),H(null),X(null),J(!1);return}if(!B.ok)throw Error(`Failed to fetch JWT: ${B.status} ${B.statusText}`);let G=await B.json();H(G.token),X(new Date(G.expires))}catch(B){let G=B instanceof Error?B:Error(String(B));F(G),H(null),X(null),console.error("Error fetching JWT:",G)}finally{J(!1)}},[R]),M=$(async()=>{let z=A||P;if(!z){console.warn("No tokenUrl or refreshUrl provided");return}await Y(z)},[A,P,Y]);return T(()=>{if(!P){J(!1);return}Y(P)},[P,Y]),T(()=>{if(!C||!A)return;let z=()=>{let G=new Date,K=C.getTime()-G.getTime();if(K<=60000&&K>0)M()};z();let B=setInterval(z,30000);return()=>clearInterval(B)},[C,A,M]),{token:q,isLoading:f,error:Q,refresh:M}}async function x(R){try{let P=await fetch(R,{headers:{Accept:"application/json"}});if(!P.ok)return{success:!1,error:`HTTP ${P.status}`};let A=await P.json();if(!A.success)return{success:!1,error:A.message||"Logout failed"};if(typeof window<"u"){for(let q=localStorage.length-1;q>=0;q--){let H=localStorage.key(q);if(H?.startsWith("es-sso-user"))localStorage.removeItem(H)}for(let q=sessionStorage.length-1;q>=0;q--){let H=sessionStorage.key(q);if(H?.startsWith("es-sso-user"))sessionStorage.removeItem(H)}window.dispatchEvent(new CustomEvent("es-sso-logout"))}return{success:!0}}catch(P){return{success:!1,error:P instanceof Error?P.message:"Network error"}}}import{jsxDEV as L,Fragment as y}from"react/jsx-dev-runtime";function i({complete:R=!1,children:P}){let{isLoading:A}=O();if(A&&!R)return L(y,{children:P},void 0,!1,void 0,this);return L(y,{},void 0,!1,void 0,this)}import{jsxDEV as V,Fragment as h}from"react/jsx-dev-runtime";function d({children:R}){let{user:P}=O();if(P)return V(h,{children:R},void 0,!1,void 0,this);return V(h,{},void 0,!1,void 0,this)}import{jsxDEV as v,Fragment as D}from"react/jsx-dev-runtime";function g({children:R}){let{user:P,isLoading:A}=O();if(P||A)return v(D,{},void 0,!1,void 0,this);return v(D,{children:R},void 0,!1,void 0,this)}export{O as useUser,S as useToken,x as logout,g as SignedOut,d as SignedIn,i as SignInLoading,k as SSOProvider};