npm - @feelflow/ffid-sdk - Versions diffs - 1.10.0 → 1.11.0 - Mend

@feelflow/ffid-sdk 1.10.0 → 1.11.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (17) hide show

package/dist/{chunk-PSSNMEJB.js → chunk-GW23IWNE.js} +502 -387
package/dist/{chunk-OAPA5VKR.cjs → chunk-WZZP7SQB.cjs} +502 -387
package/dist/components/index.cjs +7 -7
package/dist/components/index.d.cts +1 -1
package/dist/components/index.d.ts +1 -1
package/dist/components/index.js +1 -1
package/dist/{index-DsXjcF0i.d.cts → index-DMgtXEt5.d.cts} +20 -5
package/dist/{index-DsXjcF0i.d.ts → index-DMgtXEt5.d.ts} +20 -5
package/dist/index.cjs +22 -22
package/dist/index.d.cts +6 -6
package/dist/index.d.ts +6 -6
package/dist/index.js +2 -2
package/dist/server/index.cjs +487 -374
package/dist/server/index.d.cts +24 -9
package/dist/server/index.d.ts +24 -9
package/dist/server/index.js +487 -374
package/package.json +1 -1

package/dist/server/index.js CHANGED Viewed

@@ -4,6 +4,7 @@ import { createRemoteJWKSet, jwtVerify } from 'jose';
 // src/auth/token-store.ts
 var STORAGE_KEY = "ffid_tokens";
+var TOKEN_STORE_LOG_PREFIX = "[FFID SDK] TokenStore:";
 var EXPIRY_BUFFER_SECONDS = 30;
 var EXPIRY_BUFFER_MS = EXPIRY_BUFFER_SECONDS * 1e3;
 function isLocalStorageAvailable() {
@@ -27,22 +28,33 @@ function createLocalStorageStore() {
         const raw = storage.getItem(STORAGE_KEY);
         if (!raw) return null;
         const parsed = JSON.parse(raw);
-        if (!isTokenData(parsed)) return null;
+        if (!isTokenData(parsed)) {
+          console.warn(TOKEN_STORE_LOG_PREFIX, "\u30C8\u30FC\u30AF\u30F3\u30C7\u30FC\u30BF\u304C\u4E0D\u6B63\u306A\u5F62\u5F0F\u3067\u3059\u3002\u30B9\u30C8\u30EC\u30FC\u30B8\u3092\u30AF\u30EA\u30A2\u3057\u307E\u3059");
+          storage.removeItem(STORAGE_KEY);
+          return null;
+        }
         return parsed;
-      } catch {
+      } catch (error) {
+        console.warn(TOKEN_STORE_LOG_PREFIX, "\u30C8\u30FC\u30AF\u30F3\u8AAD\u307F\u53D6\u308A\u306B\u5931\u6557\u3057\u307E\u3057\u305F\u3002\u7834\u640D\u30C7\u30FC\u30BF\u3092\u30AF\u30EA\u30A2\u3057\u307E\u3059", error);
+        try {
+          storage.removeItem(STORAGE_KEY);
+        } catch {
+        }
         return null;
       }
     },
     setTokens(tokens) {
       try {
         storage.setItem(STORAGE_KEY, JSON.stringify(tokens));
-      } catch {
+      } catch (error) {
+        console.warn(TOKEN_STORE_LOG_PREFIX, "\u30C8\u30FC\u30AF\u30F3\u4FDD\u5B58\u306B\u5931\u6557\u3057\u307E\u3057\u305F\uFF08\u30B9\u30C8\u30EC\u30FC\u30B8\u5BB9\u91CF\u8D85\u904E\u306E\u53EF\u80FD\u6027\uFF09", error);
       }
     },
     clearTokens() {
       try {
         storage.removeItem(STORAGE_KEY);
-      } catch {
+      } catch (error) {
+        console.warn(TOKEN_STORE_LOG_PREFIX, "\u30C8\u30FC\u30AF\u30F3\u524A\u9664\u306B\u5931\u6557\u3057\u307E\u3057\u305F", error);
       }
     },
     isAccessTokenExpired() {
@@ -85,42 +97,6 @@ function createTokenStore(storageType) {
   return createMemoryStore();
 }
-// src/auth/pkce.ts
-var VERIFIER_STORAGE_KEY = "ffid_code_verifier";
-var CODE_VERIFIER_MIN_LENGTH = 43;
-var UNRESERVED_CHARS = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-._~";
-function generateCodeVerifier() {
-  const length = CODE_VERIFIER_MIN_LENGTH;
-  const randomValues = new Uint8Array(length);
-  crypto.getRandomValues(randomValues);
-  let verifier = "";
-  for (let i = 0; i < length; i++) {
-    verifier += UNRESERVED_CHARS[randomValues[i] % UNRESERVED_CHARS.length];
-  }
-  return verifier;
-}
-async function generateCodeChallenge(verifier) {
-  const encoder = new TextEncoder();
-  const data = encoder.encode(verifier);
-  const digest = await crypto.subtle.digest("SHA-256", data);
-  return base64UrlEncode(digest);
-}
-function storeCodeVerifier(verifier) {
-  try {
-    if (typeof window === "undefined") return;
-    window.sessionStorage.setItem(VERIFIER_STORAGE_KEY, verifier);
-  } catch {
-  }
-}
-function base64UrlEncode(buffer) {
-  const bytes = new Uint8Array(buffer);
-  let binary = "";
-  for (let i = 0; i < bytes.length; i++) {
-    binary += String.fromCharCode(bytes[i]);
-  }
-  return btoa(binary).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
-}
 // src/client/oauth-userinfo.ts
 var VALID_SUBSCRIPTION_STATUSES = ["trialing", "active", "past_due", "canceled", "paused"];
 function isValidSubscriptionStatus(value) {
@@ -224,6 +200,7 @@ var OAUTH_INTROSPECT_ENDPOINT = "/api/v1/oauth/introspect";
 var CACHE_KEY_PREFIX = "ffid:introspect:";
 var HEX_BASE = 16;
 var HEX_BYTE_WIDTH = 2;
+var TOKEN_LOG_PREFIX_LENGTH = 8;
 function createVerifyAccessToken(deps) {
   const { authMode, baseUrl, serviceCode, serviceApiKey, verifyStrategy, logger, createError, errorCodes, cache, timeout } = deps;
   let jwtVerify2 = null;
@@ -239,7 +216,7 @@ function createVerifyAccessToken(deps) {
     }
     return jwtVerify2;
   }
-  async function verifyAccessToken(accessToken) {
+  async function verifyAccessToken(accessToken, options) {
     if (authMode !== "service-key") {
       return {
         error: createError(
@@ -256,12 +233,24 @@ function createVerifyAccessToken(deps) {
         )
       };
     }
+    if (options?.includeProfile && verifyStrategy === "jwt" && !serviceApiKey) {
+      return {
+        error: createError(
+          errorCodes.TOKEN_VERIFICATION_ERROR,
+          "includeProfile: true \u3092\u4F7F\u7528\u3059\u308B\u306B\u306F serviceApiKey \u306E\u8A2D\u5B9A\u304C\u5FC5\u8981\u3067\u3059"
+        )
+      };
+    }
     if (verifyStrategy === "jwt") {
-      return getJwtVerifier()(accessToken);
+      const jwtResult = await getJwtVerifier()(accessToken);
+      if (!options?.includeProfile || jwtResult.error) {
+        return jwtResult;
+      }
+      return verifyViaIntrospect(accessToken, "profile");
     }
     return verifyViaIntrospect(accessToken);
   }
-  async function verifyViaIntrospect(accessToken) {
+  async function verifyViaIntrospect(accessToken, cacheKeySuffix) {
     if (!serviceApiKey) {
       return {
         error: createError(
@@ -272,7 +261,7 @@ function createVerifyAccessToken(deps) {
     }
     const url = `${baseUrl}${OAUTH_INTROSPECT_ENDPOINT}`;
     logger.debug("Verifying access token:", url);
-    const cacheKey = await buildCacheKey(accessToken);
+    const cacheKey = cache ? await buildCacheKey(accessToken, cacheKeySuffix) : "";
     if (cache) {
       try {
         const cached = await cache.adapter.get(cacheKey);
@@ -374,16 +363,23 @@ function createVerifyAccessToken(deps) {
     }
     return { data: userinfo };
   }
-  async function buildCacheKey(token) {
+  async function buildCacheKey(token, suffix) {
+    let key;
     if (typeof globalThis.crypto?.subtle?.digest === "function") {
       const encoder = new TextEncoder();
       const data = encoder.encode(token);
       const hashBuffer = await crypto.subtle.digest("SHA-256", data);
       const hashArray = Array.from(new Uint8Array(hashBuffer));
       const hashHex = hashArray.map((b) => b.toString(HEX_BASE).padStart(HEX_BYTE_WIDTH, "0")).join("");
-      return CACHE_KEY_PREFIX + hashHex;
+      key = CACHE_KEY_PREFIX + hashHex;
+    } else {
+      const tokenPrefix = token.length > TOKEN_LOG_PREFIX_LENGTH ? token.substring(0, TOKEN_LOG_PREFIX_LENGTH) + "..." : "***";
+      logger.warn(
+        `crypto.subtle \u304C\u5229\u7528\u3067\u304D\u306A\u3044\u305F\u3081\u3001\u30AD\u30E3\u30C3\u30B7\u30E5\u30AD\u30FC\u306B\u30CF\u30C3\u30B7\u30E5\u5316\u3055\u308C\u3066\u3044\u306A\u3044\u30C8\u30FC\u30AF\u30F3\u3092\u4F7F\u7528\u3057\u307E\u3059 (token prefix: ${tokenPrefix})`
+      );
+      key = CACHE_KEY_PREFIX + token;
     }
-    return CACHE_KEY_PREFIX + token;
+    return suffix ? `${key}:${suffix}` : key;
   }
   return verifyAccessToken;
 }
@@ -436,9 +432,15 @@ function createBillingMethods(deps) {
 }
 // src/client/version-check.ts
-var SDK_VERSION = "1.10.0";
+var SDK_VERSION = "1.11.0";
 var SDK_USER_AGENT = `FFID-SDK/${SDK_VERSION} (TypeScript)`;
 var SDK_VERSION_HEADER = "X-FFID-SDK-Version";
+function sdkHeaders() {
+  return {
+    "User-Agent": SDK_USER_AGENT,
+    [SDK_VERSION_HEADER]: SDK_VERSION
+  };
+}
 var LATEST_VERSION_HEADER = "X-FFID-SDK-Latest-Version";
 var SEMVER_PATTERN = /^\d+(\.\d+)*$/;
 var _versionWarningShown = false;
@@ -472,178 +474,213 @@ npm install @feelflow/ffid-sdk@latest \u3067\u30A2\u30C3\u30D7\u30C7\u30FC\u30C8
   }
 }
-// src/client/ffid-client.ts
-var NO_CONTENT_STATUS = 204;
-var SESSION_ENDPOINT = "/api/v1/auth/session";
-var LOGOUT_ENDPOINT = "/api/v1/auth/signout";
+// src/client/oauth-token.ts
 var OAUTH_TOKEN_ENDPOINT = "/api/v1/oauth/token";
-var OAUTH_USERINFO_ENDPOINT = "/api/v1/oauth/userinfo";
-var OAUTH_AUTHORIZE_ENDPOINT = "/api/v1/oauth/authorize";
 var OAUTH_REVOKE_ENDPOINT = "/api/v1/oauth/revoke";
-var EXT_CHECK_ENDPOINT = "/api/v1/subscriptions/ext/check";
-var SDK_LOG_PREFIX = "[FFID SDK]";
 var MS_PER_SECOND = 1e3;
-var UNAUTHORIZED_STATUS = 401;
-var STATE_RANDOM_BYTES = 16;
-var HEX_BASE2 = 16;
-var noopLogger = {
-  debug: () => {
-  },
-  info: () => {
-  },
-  warn: () => {
-  },
-  error: (...args) => console.error(SDK_LOG_PREFIX, ...args)
-};
-var consoleLogger = {
-  debug: (...args) => console.debug(SDK_LOG_PREFIX, ...args),
-  info: (...args) => console.info(SDK_LOG_PREFIX, ...args),
-  warn: (...args) => console.warn(SDK_LOG_PREFIX, ...args),
-  error: (...args) => console.error(SDK_LOG_PREFIX, ...args)
-};
-var FFID_ERROR_CODES = {
-  NETWORK_ERROR: "NETWORK_ERROR",
-  PARSE_ERROR: "PARSE_ERROR",
-  UNKNOWN_ERROR: "UNKNOWN_ERROR",
-  TOKEN_EXCHANGE_ERROR: "TOKEN_EXCHANGE_ERROR",
-  TOKEN_REFRESH_ERROR: "TOKEN_REFRESH_ERROR",
-  NO_TOKENS: "NO_TOKENS",
-  TOKEN_VERIFICATION_ERROR: "TOKEN_VERIFICATION_ERROR"
-};
-function createFFIDClient(config) {
-  if (!config.serviceCode || !config.serviceCode.trim()) {
-    throw new Error("FFID Client: serviceCode \u304C\u672A\u8A2D\u5B9A\u3067\u3059");
-  }
-  const baseUrl = config.apiBaseUrl ?? DEFAULT_API_BASE_URL;
-  const authMode = config.authMode ?? "cookie";
-  const clientId = config.clientId ?? config.serviceCode;
-  const resolvedRedirectUri = config.redirectUri ?? null;
-  const serviceApiKey = config.serviceApiKey?.trim();
-  const verifyStrategy = config.verifyStrategy ?? "jwt";
-  const cache = config.cache;
-  const timeout = config.timeout;
-  if (authMode === "service-key" && !serviceApiKey) {
-    throw new Error("FFID Client: service-key \u30E2\u30FC\u30C9\u3067\u306F serviceApiKey \u304C\u5FC5\u9808\u3067\u3059");
-  }
-  if (cache && cache.ttl <= 0) {
-    throw new Error("FFID Client: cache.ttl \u306F\u6B63\u306E\u6570\u5024\u3092\u6307\u5B9A\u3057\u3066\u304F\u3060\u3055\u3044");
-  }
-  if (timeout !== void 0 && timeout <= 0) {
-    throw new Error("FFID Client: timeout \u306F\u6B63\u306E\u6570\u5024\u3092\u6307\u5B9A\u3057\u3066\u304F\u3060\u3055\u3044");
-  }
-  const logger = config.logger ?? (config.debug ? consoleLogger : noopLogger);
-  const tokenStore = authMode === "token" ? createTokenStore() : createTokenStore("memory");
-  async function fetchWithAuth(endpoint, options = {}) {
-    const url = `${baseUrl}${endpoint}`;
-    logger.debug("Fetching:", url);
-    const fetchOptions = buildFetchOptions(options);
+function createOAuthTokenMethods(deps) {
+  const {
+    baseUrl,
+    clientId,
+    resolvedRedirectUri,
+    tokenStore,
+    logger,
+    errorCodes
+  } = deps;
+  async function exchangeCodeForTokens(code, codeVerifier) {
+    const url = `${baseUrl}${OAUTH_TOKEN_ENDPOINT}`;
+    logger.debug("Exchanging code for tokens:", url);
+    const effectiveRedirectUri = resolvedRedirectUri ?? (typeof window !== "undefined" ? window.location.origin + window.location.pathname : null);
+    if (!effectiveRedirectUri) {
+      logger.error("redirectUri is required for token exchange in SSR environments. Set config.redirectUri explicitly.");
+      return {
+        error: {
+          code: errorCodes.TOKEN_EXCHANGE_ERROR,
+          message: "redirectUri \u304C\u672A\u8A2D\u5B9A\u3067\u3059\u3002SSR\u74B0\u5883\u3067\u306F config.redirectUri \u3092\u660E\u793A\u7684\u306B\u6307\u5B9A\u3057\u3066\u304F\u3060\u3055\u3044"
+        }
+      };
+    }
+    const body = {
+      grant_type: "authorization_code",
+      code,
+      client_id: clientId,
+      redirect_uri: effectiveRedirectUri
+    };
+    if (codeVerifier) {
+      body.code_verifier = codeVerifier;
+    }
     let response;
     try {
-      response = await fetch(url, fetchOptions);
+      response = await fetch(url, {
+        method: "POST",
+        credentials: "omit",
+        headers: { "Content-Type": "application/x-www-form-urlencoded", ...sdkHeaders() },
+        body: new URLSearchParams(body).toString()
+      });
     } catch (error) {
-      logger.error("Network error:", error);
+      logger.error("Network error during token exchange:", error);
       return {
         error: {
-          code: FFID_ERROR_CODES.NETWORK_ERROR,
+          code: errorCodes.NETWORK_ERROR,
           message: error instanceof Error ? error.message : "\u30CD\u30C3\u30C8\u30EF\u30FC\u30AF\u30A8\u30E9\u30FC\u304C\u767A\u751F\u3057\u307E\u3057\u305F"
         }
       };
     }
-    if (authMode === "token" && response.status === UNAUTHORIZED_STATUS) {
-      const refreshResult = await refreshAccessToken();
-      if (!refreshResult.error) {
-        logger.debug("Token refreshed, retrying request");
-        const retryOptions = buildFetchOptions(options);
-        try {
-          response = await fetch(url, retryOptions);
-        } catch (retryError) {
-          logger.error("Network error on retry:", retryError);
-          return {
-            error: {
-              code: FFID_ERROR_CODES.NETWORK_ERROR,
-              message: retryError instanceof Error ? retryError.message : "\u30CD\u30C3\u30C8\u30EF\u30FC\u30AF\u30A8\u30E9\u30FC\u304C\u767A\u751F\u3057\u307E\u3057\u305F"
-            }
-          };
-        }
-      }
-    }
-    let raw;
+    let tokenResponse;
     try {
-      raw = await response.json();
+      tokenResponse = await response.json();
     } catch (parseError) {
-      logger.error("Parse error:", parseError, "Status:", response.status);
+      logger.error("Parse error during token exchange:", parseError);
       return {
         error: {
-          code: FFID_ERROR_CODES.PARSE_ERROR,
-          message: `\u30B5\u30FC\u30D0\u30FC\u304B\u3089\u4E0D\u6B63\u306A\u30EC\u30B9\u30DD\u30F3\u30B9\u3092\u53D7\u4FE1\u3057\u307E\u3057\u305F (status: ${response.status})`
+          code: errorCodes.PARSE_ERROR,
+          message: `\u30C8\u30FC\u30AF\u30F3\u30EC\u30B9\u30DD\u30F3\u30B9\u306E\u89E3\u6790\u306B\u5931\u6557\u3057\u307E\u3057\u305F (status: ${response.status})`
         }
       };
     }
-    logger.debug("Response:", response.status, raw);
-    checkVersionHeader(response, logger);
     if (!response.ok) {
+      const errorBody = tokenResponse;
       return {
-        error: raw.error ?? {
-          code: FFID_ERROR_CODES.UNKNOWN_ERROR,
-          message: "\u4E0D\u660E\u306A\u30A8\u30E9\u30FC\u304C\u767A\u751F\u3057\u307E\u3057\u305F"
+        error: {
+          code: errorBody.error ?? errorCodes.TOKEN_EXCHANGE_ERROR,
+          message: errorBody.error_description ?? "\u30C8\u30FC\u30AF\u30F3\u4EA4\u63DB\u306B\u5931\u6557\u3057\u307E\u3057\u305F"
         }
       };
     }
-    if (raw.data === void 0) {
+    tokenStore.setTokens({
+      accessToken: tokenResponse.access_token,
+      refreshToken: tokenResponse.refresh_token,
+      expiresAt: Date.now() + tokenResponse.expires_in * MS_PER_SECOND
+    });
+    logger.debug("Token exchange successful");
+    return { data: void 0 };
+  }
+  async function refreshAccessToken() {
+    const tokens = tokenStore.getTokens();
+    if (!tokens) {
       return {
         error: {
-          code: FFID_ERROR_CODES.UNKNOWN_ERROR,
-          message: "\u30B5\u30FC\u30D0\u30FC\u304B\u3089\u30C7\u30FC\u30BF\u304C\u8FD4\u3055\u308C\u307E\u305B\u3093\u3067\u3057\u305F"
+          code: errorCodes.NO_TOKENS,
+          message: "\u30EA\u30D5\u30EC\u30C3\u30B7\u30E5\u30C8\u30FC\u30AF\u30F3\u304C\u3042\u308A\u307E\u305B\u3093"
         }
       };
     }
-    return { data: raw.data };
-  }
-  function sdkHeaders() {
-    return {
-      "User-Agent": SDK_USER_AGENT,
-      [SDK_VERSION_HEADER]: SDK_VERSION
-    };
-  }
-  function buildFetchOptions(options) {
-    if (authMode === "service-key") {
-      return {
-        ...options,
+    const url = `${baseUrl}${OAUTH_TOKEN_ENDPOINT}`;
+    logger.debug("Refreshing access token:", url);
+    let response;
+    try {
+      response = await fetch(url, {
+        method: "POST",
         credentials: "omit",
-        headers: {
-          "Content-Type": "application/json",
-          ...sdkHeaders(),
-          "X-Service-Api-Key": serviceApiKey,
-          ...options.headers
+        headers: { "Content-Type": "application/x-www-form-urlencoded", ...sdkHeaders() },
+        body: new URLSearchParams({
+          grant_type: "refresh_token",
+          refresh_token: tokens.refreshToken,
+          client_id: clientId
+        }).toString()
+      });
+    } catch (error) {
+      logger.error("Network error during token refresh:", error);
+      return {
+        error: {
+          code: errorCodes.NETWORK_ERROR,
+          message: error instanceof Error ? error.message : "\u30CD\u30C3\u30C8\u30EF\u30FC\u30AF\u30A8\u30E9\u30FC\u304C\u767A\u751F\u3057\u307E\u3057\u305F"
         }
       };
     }
-    if (authMode === "token") {
-      const tokens = tokenStore.getTokens();
-      const headers = {
-        "Content-Type": "application/json",
-        ...sdkHeaders(),
-        ...options.headers
-      };
-      if (tokens) {
-        headers["Authorization"] = `Bearer ${tokens.accessToken}`;
-      }
+    let tokenResponse;
+    try {
+      tokenResponse = await response.json();
+    } catch (parseError) {
+      logger.error("Parse error during token refresh:", parseError);
       return {
-        ...options,
-        credentials: "omit",
-        headers
+        error: {
+          code: errorCodes.PARSE_ERROR,
+          message: `\u30C8\u30FC\u30AF\u30F3\u30EC\u30B9\u30DD\u30F3\u30B9\u306E\u89E3\u6790\u306B\u5931\u6557\u3057\u307E\u3057\u305F (status: ${response.status})`
+        }
       };
     }
-    return {
-      ...options,
-      credentials: "include",
-      headers: {
-        "Content-Type": "application/json",
-        ...sdkHeaders(),
-        ...options.headers
+    if (!response.ok) {
+      const errorBody = tokenResponse;
+      logger.error("Token refresh failed:", errorBody);
+      const irrecoverableErrors = ["token_revoked", "invalid_grant"];
+      if (errorBody.error && irrecoverableErrors.includes(errorBody.error)) {
+        tokenStore.clearTokens();
+        logger.debug("Cleared tokens due to irrecoverable refresh error:", errorBody.error);
       }
-    };
+      return {
+        error: {
+          code: errorBody.error ?? errorCodes.TOKEN_REFRESH_ERROR,
+          message: errorBody.error_description ?? "\u30C8\u30FC\u30AF\u30F3\u30EA\u30D5\u30EC\u30C3\u30B7\u30E5\u306B\u5931\u6557\u3057\u307E\u3057\u305F"
+        }
+      };
+    }
+    tokenStore.setTokens({
+      accessToken: tokenResponse.access_token,
+      refreshToken: tokenResponse.refresh_token,
+      expiresAt: Date.now() + tokenResponse.expires_in * MS_PER_SECOND
+    });
+    logger.debug("Token refresh successful");
+    return { data: void 0 };
+  }
+  async function signOutToken() {
+    const tokens = tokenStore.getTokens();
+    tokenStore.clearTokens();
+    if (!tokens) {
+      logger.debug("No tokens to revoke");
+      return { data: void 0 };
+    }
+    const url = `${baseUrl}${OAUTH_REVOKE_ENDPOINT}`;
+    logger.debug("Revoking token:", url);
+    try {
+      const response = await fetch(url, {
+        method: "POST",
+        credentials: "omit",
+        headers: { "Content-Type": "application/x-www-form-urlencoded", ...sdkHeaders() },
+        body: new URLSearchParams({
+          token: tokens.accessToken,
+          client_id: clientId
+        }).toString()
+      });
+      if (!response.ok) {
+        logger.warn(
+          "\u30C8\u30FC\u30AF\u30F3\u7121\u52B9\u5316\u30EA\u30AF\u30A8\u30B9\u30C8\u304C\u30B5\u30FC\u30D0\u30FC\u3067\u5931\u6557\u3057\u307E\u3057\u305F:",
+          `status=${response.status}`
+        );
+      }
+    } catch (error) {
+      logger.warn("\u30C8\u30FC\u30AF\u30F3\u7121\u52B9\u5316\u306E\u30CD\u30C3\u30C8\u30EF\u30FC\u30AF\u30EA\u30AF\u30A8\u30B9\u30C8\u306B\u5931\u6557\u3057\u307E\u3057\u305F:", error);
+    }
+    logger.debug("Token sign-out completed");
+    return { data: void 0 };
   }
+  return { exchangeCodeForTokens, refreshAccessToken, signOutToken };
+}
+// src/client/session.ts
+var SESSION_ENDPOINT = "/api/v1/auth/session";
+var LOGOUT_ENDPOINT = "/api/v1/auth/signout";
+var OAUTH_USERINFO_ENDPOINT = "/api/v1/oauth/userinfo";
+var NO_CONTENT_STATUS = 204;
+var UNAUTHORIZED_STATUS = 401;
+function normalizeFFIDUser(user) {
+  return {
+    ...user,
+    locale: user.locale ?? null,
+    timezone: user.timezone ?? null
+  };
+}
+function createSessionMethods(deps) {
+  const {
+    authMode,
+    baseUrl,
+    serviceCode,
+    tokenStore,
+    logger,
+    fetchWithAuth,
+    refreshAccessToken,
+    errorCodes
+  } = deps;
   async function getSession() {
     if (authMode === "token") {
       return getSessionFromUserinfo();
@@ -660,19 +697,12 @@ function createFFIDClient(config) {
     }
     return result;
   }
-  function normalizeFFIDUser(user) {
-    return {
-      ...user,
-      locale: user.locale ?? null,
-      timezone: user.timezone ?? null
-    };
-  }
   async function getSessionFromUserinfo() {
     const tokens = tokenStore.getTokens();
     if (!tokens) {
       return {
         error: {
-          code: FFID_ERROR_CODES.NO_TOKENS,
+          code: errorCodes.NO_TOKENS,
           message: "\u30C8\u30FC\u30AF\u30F3\u304C\u4FDD\u5B58\u3055\u308C\u3066\u3044\u307E\u305B\u3093"
         }
       };
@@ -693,7 +723,7 @@ function createFFIDClient(config) {
       logger.error("Network error:", error);
       return {
         error: {
-          code: FFID_ERROR_CODES.NETWORK_ERROR,
+          code: errorCodes.NETWORK_ERROR,
           message: error instanceof Error ? error.message : "\u30CD\u30C3\u30C8\u30EF\u30FC\u30AF\u30A8\u30E9\u30FC\u304C\u767A\u751F\u3057\u307E\u3057\u305F"
         }
       };
@@ -716,7 +746,7 @@ function createFFIDClient(config) {
             logger.error("Network error on retry:", retryError);
             return {
               error: {
-                code: FFID_ERROR_CODES.NETWORK_ERROR,
+                code: errorCodes.NETWORK_ERROR,
                 message: retryError instanceof Error ? retryError.message : "\u30CD\u30C3\u30C8\u30EF\u30FC\u30AF\u30A8\u30E9\u30FC\u304C\u767A\u751F\u3057\u307E\u3057\u305F"
               }
             };
@@ -733,7 +763,7 @@ function createFFIDClient(config) {
       logger.error("Parse error:", parseError, "Status:", response.status);
       return {
         error: {
-          code: FFID_ERROR_CODES.PARSE_ERROR,
+          code: errorCodes.PARSE_ERROR,
           message: `\u30B5\u30FC\u30D0\u30FC\u304B\u3089\u4E0D\u6B63\u306A\u30EC\u30B9\u30DD\u30F3\u30B9\u3092\u53D7\u4FE1\u3057\u307E\u3057\u305F (status: ${response.status})`
         }
       };
@@ -742,7 +772,7 @@ function createFFIDClient(config) {
       const errorBody = rawUserinfo;
       return {
         error: {
-          code: errorBody.code ?? FFID_ERROR_CODES.UNKNOWN_ERROR,
+          code: errorBody.code ?? errorCodes.UNKNOWN_ERROR,
           message: errorBody.message ?? "\u4E0D\u660E\u306A\u30A8\u30E9\u30FC\u304C\u767A\u751F\u3057\u307E\u3057\u305F"
         }
       };
@@ -761,16 +791,10 @@ function createFFIDClient(config) {
       data: {
         user,
         organizations: [],
-        subscriptions: mapUserinfoSubscriptionToSession(userinfo, config.serviceCode)
+        subscriptions: mapUserinfoSubscriptionToSession(userinfo, serviceCode)
       }
     };
   }
-  async function signOut() {
-    if (authMode === "token") {
-      return signOutToken();
-    }
-    return signOutCookie();
-  }
   async function signOutCookie() {
     const url = `${baseUrl}${LOGOUT_ENDPOINT}`;
     logger.debug("Fetching:", url);
@@ -785,7 +809,7 @@ function createFFIDClient(config) {
       logger.error("Network error:", error);
       return {
         error: {
-          code: FFID_ERROR_CODES.NETWORK_ERROR,
+          code: errorCodes.NETWORK_ERROR,
           message: error instanceof Error ? error.message : "\u30CD\u30C3\u30C8\u30EF\u30FC\u30AF\u30A8\u30E9\u30FC\u304C\u767A\u751F\u3057\u307E\u3057\u305F"
         }
       };
@@ -799,14 +823,20 @@ function createFFIDClient(config) {
         const raw = await response.json();
         return {
           error: raw.error ?? {
-            code: FFID_ERROR_CODES.UNKNOWN_ERROR,
+            code: errorCodes.UNKNOWN_ERROR,
             message: "\u4E0D\u660E\u306A\u30A8\u30E9\u30FC\u304C\u767A\u751F\u3057\u307E\u3057\u305F"
           }
         };
-      } catch {
+      } catch (parseError) {
+        logger.error(
+          "\u30B5\u30A4\u30F3\u30A2\u30A6\u30C8\u30EC\u30B9\u30DD\u30F3\u30B9\u306E\u89E3\u6790\u306B\u5931\u6557\u3057\u307E\u3057\u305F:",
+          parseError,
+          "Status:",
+          response.status
+        );
         return {
           error: {
-            code: FFID_ERROR_CODES.PARSE_ERROR,
+            code: errorCodes.PARSE_ERROR,
             message: `\u30B5\u30FC\u30D0\u30FC\u304B\u3089\u4E0D\u6B63\u306A\u30EC\u30B9\u30DD\u30F3\u30B9\u3092\u53D7\u4FE1\u3057\u307E\u3057\u305F (status: ${response.status})`
           }
         };
@@ -815,125 +845,221 @@ function createFFIDClient(config) {
     logger.debug("Response:", response.status);
     return { data: void 0 };
   }
-  async function signOutToken() {
-    const tokens = tokenStore.getTokens();
-    tokenStore.clearTokens();
-    if (!tokens) {
-      logger.debug("No tokens to revoke");
-      return { data: void 0 };
-    }
-    const url = `${baseUrl}${OAUTH_REVOKE_ENDPOINT}`;
-    logger.debug("Revoking token:", url);
+  return { getSession, signOutCookie };
+}
+// src/auth/pkce.ts
+var VERIFIER_STORAGE_KEY = "ffid_code_verifier";
+var CODE_VERIFIER_MIN_LENGTH = 43;
+var UNRESERVED_CHARS = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-._~";
+function generateCodeVerifier() {
+  const length = CODE_VERIFIER_MIN_LENGTH;
+  const randomValues = new Uint8Array(length);
+  crypto.getRandomValues(randomValues);
+  let verifier = "";
+  for (let i = 0; i < length; i++) {
+    verifier += UNRESERVED_CHARS[randomValues[i] % UNRESERVED_CHARS.length];
+  }
+  return verifier;
+}
+async function generateCodeChallenge(verifier) {
+  const encoder = new TextEncoder();
+  const data = encoder.encode(verifier);
+  const digest = await crypto.subtle.digest("SHA-256", data);
+  return base64UrlEncode(digest);
+}
+function storeCodeVerifier(verifier) {
+  try {
+    if (typeof window === "undefined") return;
+    window.sessionStorage.setItem(VERIFIER_STORAGE_KEY, verifier);
+  } catch {
+  }
+}
+function base64UrlEncode(buffer) {
+  const bytes = new Uint8Array(buffer);
+  let binary = "";
+  for (let i = 0; i < bytes.length; i++) {
+    binary += String.fromCharCode(bytes[i]);
+  }
+  return btoa(binary).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
+}
+// src/client/redirect.ts
+var OAUTH_AUTHORIZE_ENDPOINT = "/api/v1/oauth/authorize";
+var STATE_RANDOM_BYTES = 16;
+var HEX_BASE2 = 16;
+function generateRandomState() {
+  const array = new Uint8Array(STATE_RANDOM_BYTES);
+  crypto.getRandomValues(array);
+  return Array.from(array, (byte) => byte.toString(HEX_BASE2).padStart(2, "0")).join("");
+}
+function createRedirectMethods(deps) {
+  const {
+    authMode,
+    baseUrl,
+    clientId,
+    serviceCode,
+    resolvedRedirectUri,
+    logger
+  } = deps;
+  async function redirectToAuthorize() {
+    const verifier = generateCodeVerifier();
+    storeCodeVerifier(verifier);
     try {
-      await fetch(url, {
-        method: "POST",
-        credentials: "omit",
-        headers: { "Content-Type": "application/x-www-form-urlencoded", ...sdkHeaders() },
-        body: new URLSearchParams({
-          token: tokens.accessToken,
-          client_id: clientId
-        }).toString()
+      const challenge = await generateCodeChallenge(verifier);
+      const state = generateRandomState();
+      const redirectUri = resolvedRedirectUri ?? window.location.origin + window.location.pathname;
+      const params = new URLSearchParams({
+        response_type: "code",
+        client_id: clientId,
+        redirect_uri: redirectUri,
+        state,
+        code_challenge: challenge,
+        code_challenge_method: "S256"
       });
+      const authorizeUrl = `${baseUrl}${OAUTH_AUTHORIZE_ENDPOINT}?${params.toString()}`;
+      logger.debug("Redirecting to authorize:", authorizeUrl);
+      window.location.href = authorizeUrl;
+      return true;
     } catch (error) {
-      logger.warn("Token revocation failed:", error);
+      logger.error("PKCE \u30B3\u30FC\u30C9\u30C1\u30E3\u30EC\u30F3\u30B8\u306E\u751F\u6210\u306B\u5931\u6557\u3057\u307E\u3057\u305F:", error);
+      return false;
     }
-    logger.debug("Token sign-out completed");
-    return { data: void 0 };
   }
-  async function exchangeCodeForTokens(code, codeVerifier) {
-    const url = `${baseUrl}${OAUTH_TOKEN_ENDPOINT}`;
-    logger.debug("Exchanging code for tokens:", url);
-    const effectiveRedirectUri = resolvedRedirectUri ?? (typeof window !== "undefined" ? window.location.origin + window.location.pathname : null);
-    if (!effectiveRedirectUri) {
-      logger.error("redirectUri is required for token exchange in SSR environments. Set config.redirectUri explicitly.");
-      return {
-        error: {
-          code: FFID_ERROR_CODES.TOKEN_EXCHANGE_ERROR,
-          message: "redirectUri \u304C\u672A\u8A2D\u5B9A\u3067\u3059\u3002SSR\u74B0\u5883\u3067\u306F config.redirectUri \u3092\u660E\u793A\u7684\u306B\u6307\u5B9A\u3057\u3066\u304F\u3060\u3055\u3044"
-        }
-      };
+  async function redirectToLogin() {
+    if (typeof window === "undefined") {
+      logger.debug("Cannot redirect in SSR context");
+      return false;
     }
-    const body = {
-      grant_type: "authorization_code",
-      code,
-      client_id: clientId,
-      redirect_uri: effectiveRedirectUri
-    };
-    if (codeVerifier) {
-      body.code_verifier = codeVerifier;
+    if (authMode === "token") {
+      return redirectToAuthorize();
     }
-    let response;
-    try {
-      response = await fetch(url, {
-        method: "POST",
-        credentials: "omit",
-        headers: { "Content-Type": "application/x-www-form-urlencoded", ...sdkHeaders() },
-        body: new URLSearchParams(body).toString()
-      });
-    } catch (error) {
-      logger.error("Network error during token exchange:", error);
+    const currentUrl = window.location.href;
+    const loginUrl = `${baseUrl}/login?redirect=${encodeURIComponent(currentUrl)}&service=${encodeURIComponent(serviceCode)}`;
+    logger.debug("Redirecting to login:", loginUrl);
+    window.location.href = loginUrl;
+    return true;
+  }
+  function getLoginUrl(redirectUrl) {
+    const redirect = redirectUrl ?? (typeof window !== "undefined" ? window.location.href : "");
+    return `${baseUrl}/login?redirect=${encodeURIComponent(redirect)}&service=${encodeURIComponent(serviceCode)}`;
+  }
+  function getSignupUrl(redirectUrl) {
+    const redirect = redirectUrl ?? (typeof window !== "undefined" ? window.location.href : "");
+    return `${baseUrl}/signup?redirect=${encodeURIComponent(redirect)}&service=${encodeURIComponent(serviceCode)}`;
+  }
+  return { redirectToLogin, redirectToAuthorize, getLoginUrl, getSignupUrl };
+}
+// src/client/ffid-client.ts
+var UNAUTHORIZED_STATUS2 = 401;
+var SDK_LOG_PREFIX = "[FFID SDK]";
+var noopLogger = {
+  debug: () => {
+  },
+  info: () => {
+  },
+  warn: (...args) => console.warn(SDK_LOG_PREFIX, ...args),
+  error: (...args) => console.error(SDK_LOG_PREFIX, ...args)
+};
+var consoleLogger = {
+  debug: (...args) => console.debug(SDK_LOG_PREFIX, ...args),
+  info: (...args) => console.info(SDK_LOG_PREFIX, ...args),
+  warn: (...args) => console.warn(SDK_LOG_PREFIX, ...args),
+  error: (...args) => console.error(SDK_LOG_PREFIX, ...args)
+};
+var FFID_ERROR_CODES = {
+  NETWORK_ERROR: "NETWORK_ERROR",
+  PARSE_ERROR: "PARSE_ERROR",
+  UNKNOWN_ERROR: "UNKNOWN_ERROR",
+  TOKEN_EXCHANGE_ERROR: "TOKEN_EXCHANGE_ERROR",
+  TOKEN_REFRESH_ERROR: "TOKEN_REFRESH_ERROR",
+  NO_TOKENS: "NO_TOKENS",
+  TOKEN_VERIFICATION_ERROR: "TOKEN_VERIFICATION_ERROR"
+};
+var EXT_CHECK_ENDPOINT = "/api/v1/subscriptions/ext/check";
+function createFFIDClient(config) {
+  if (!config.serviceCode || !config.serviceCode.trim()) {
+    throw new Error("FFID Client: serviceCode \u304C\u672A\u8A2D\u5B9A\u3067\u3059");
+  }
+  const baseUrl = config.apiBaseUrl ?? DEFAULT_API_BASE_URL;
+  const authMode = config.authMode ?? "cookie";
+  const clientId = config.clientId ?? config.serviceCode;
+  const resolvedRedirectUri = config.redirectUri ?? null;
+  const serviceApiKey = config.serviceApiKey?.trim();
+  const verifyStrategy = config.verifyStrategy ?? "jwt";
+  const cache = config.cache;
+  const timeout = config.timeout;
+  if (authMode === "service-key" && !serviceApiKey) {
+    throw new Error("FFID Client: service-key \u30E2\u30FC\u30C9\u3067\u306F serviceApiKey \u304C\u5FC5\u9808\u3067\u3059");
+  }
+  if (cache && cache.ttl <= 0) {
+    throw new Error("FFID Client: cache.ttl \u306F\u6B63\u306E\u6570\u5024\u3092\u6307\u5B9A\u3057\u3066\u304F\u3060\u3055\u3044");
+  }
+  if (timeout !== void 0 && timeout <= 0) {
+    throw new Error("FFID Client: timeout \u306F\u6B63\u306E\u6570\u5024\u3092\u6307\u5B9A\u3057\u3066\u304F\u3060\u3055\u3044");
+  }
+  const logger = config.logger ?? (config.debug ? consoleLogger : noopLogger);
+  const tokenStore = authMode === "token" ? createTokenStore() : createTokenStore("memory");
+  function createError(code, message) {
+    return { code, message };
+  }
+  function buildFetchOptions(options) {
+    if (authMode === "service-key") {
       return {
-        error: {
-          code: FFID_ERROR_CODES.NETWORK_ERROR,
-          message: error instanceof Error ? error.message : "\u30CD\u30C3\u30C8\u30EF\u30FC\u30AF\u30A8\u30E9\u30FC\u304C\u767A\u751F\u3057\u307E\u3057\u305F"
+        ...options,
+        credentials: "omit",
+        headers: {
+          "Content-Type": "application/json",
+          ...sdkHeaders(),
+          "X-Service-Api-Key": serviceApiKey,
+          ...options.headers
         }
       };
     }
-    let tokenResponse;
-    try {
-      tokenResponse = await response.json();
-    } catch (parseError) {
-      logger.error("Parse error during token exchange:", parseError);
-      return {
-        error: {
-          code: FFID_ERROR_CODES.PARSE_ERROR,
-          message: `\u30C8\u30FC\u30AF\u30F3\u30EC\u30B9\u30DD\u30F3\u30B9\u306E\u89E3\u6790\u306B\u5931\u6557\u3057\u307E\u3057\u305F (status: ${response.status})`
-        }
+    if (authMode === "token") {
+      const tokens = tokenStore.getTokens();
+      const headers = {
+        "Content-Type": "application/json",
+        ...sdkHeaders(),
+        ...options.headers
       };
-    }
-    if (!response.ok) {
-      const errorBody = tokenResponse;
+      if (tokens) {
+        headers["Authorization"] = `Bearer ${tokens.accessToken}`;
+      }
       return {
-        error: {
-          code: errorBody.error ?? FFID_ERROR_CODES.TOKEN_EXCHANGE_ERROR,
-          message: errorBody.error_description ?? "\u30C8\u30FC\u30AF\u30F3\u4EA4\u63DB\u306B\u5931\u6557\u3057\u307E\u3057\u305F"
-        }
+        ...options,
+        credentials: "omit",
+        headers
       };
     }
-    tokenStore.setTokens({
-      accessToken: tokenResponse.access_token,
-      refreshToken: tokenResponse.refresh_token,
-      expiresAt: Date.now() + tokenResponse.expires_in * MS_PER_SECOND
-    });
-    logger.debug("Token exchange successful");
-    return { data: void 0 };
+    return {
+      ...options,
+      credentials: "include",
+      headers: {
+        "Content-Type": "application/json",
+        ...sdkHeaders(),
+        ...options.headers
+      }
+    };
   }
-  async function refreshAccessToken() {
-    const tokens = tokenStore.getTokens();
-    if (!tokens) {
-      return {
-        error: {
-          code: FFID_ERROR_CODES.NO_TOKENS,
-          message: "\u30EA\u30D5\u30EC\u30C3\u30B7\u30E5\u30C8\u30FC\u30AF\u30F3\u304C\u3042\u308A\u307E\u305B\u3093"
-        }
-      };
-    }
-    const url = `${baseUrl}${OAUTH_TOKEN_ENDPOINT}`;
-    logger.debug("Refreshing access token:", url);
+  const { exchangeCodeForTokens, refreshAccessToken, signOutToken } = createOAuthTokenMethods({
+    baseUrl,
+    clientId,
+    resolvedRedirectUri,
+    tokenStore,
+    logger,
+    errorCodes: FFID_ERROR_CODES
+  });
+  async function fetchWithAuth(endpoint, options = {}) {
+    const url = `${baseUrl}${endpoint}`;
+    logger.debug("Fetching:", url);
+    const fetchOptions = buildFetchOptions(options);
     let response;
     try {
-      response = await fetch(url, {
-        method: "POST",
-        credentials: "omit",
-        headers: { "Content-Type": "application/x-www-form-urlencoded", ...sdkHeaders() },
-        body: new URLSearchParams({
-          grant_type: "refresh_token",
-          refresh_token: tokens.refreshToken,
-          client_id: clientId
-        }).toString()
-      });
+      response = await fetch(url, fetchOptions);
     } catch (error) {
-      logger.error("Network error during token refresh:", error);
+      logger.error("Network error:", error);
       return {
         error: {
           code: FFID_ERROR_CODES.NETWORK_ERROR,
@@ -941,88 +1067,80 @@ function createFFIDClient(config) {
         }
       };
     }
-    let tokenResponse;
+    if (authMode === "token" && response.status === UNAUTHORIZED_STATUS2) {
+      const refreshResult = await refreshAccessToken();
+      if (!refreshResult.error) {
+        logger.debug("Token refreshed, retrying request");
+        const retryOptions = buildFetchOptions(options);
+        try {
+          response = await fetch(url, retryOptions);
+        } catch (retryError) {
+          logger.error("Network error on retry:", retryError);
+          return {
+            error: {
+              code: FFID_ERROR_CODES.NETWORK_ERROR,
+              message: retryError instanceof Error ? retryError.message : "\u30CD\u30C3\u30C8\u30EF\u30FC\u30AF\u30A8\u30E9\u30FC\u304C\u767A\u751F\u3057\u307E\u3057\u305F"
+            }
+          };
+        }
+      }
+    }
+    let raw;
     try {
-      tokenResponse = await response.json();
+      raw = await response.json();
     } catch (parseError) {
-      logger.error("Parse error during token refresh:", parseError);
+      logger.error("Parse error:", parseError, "Status:", response.status);
       return {
         error: {
           code: FFID_ERROR_CODES.PARSE_ERROR,
-          message: `\u30C8\u30FC\u30AF\u30F3\u30EC\u30B9\u30DD\u30F3\u30B9\u306E\u89E3\u6790\u306B\u5931\u6557\u3057\u307E\u3057\u305F (status: ${response.status})`
+          message: `\u30B5\u30FC\u30D0\u30FC\u304B\u3089\u4E0D\u6B63\u306A\u30EC\u30B9\u30DD\u30F3\u30B9\u3092\u53D7\u4FE1\u3057\u307E\u3057\u305F (status: ${response.status})`
         }
       };
     }
+    logger.debug("Response:", response.status, raw);
+    checkVersionHeader(response, logger);
     if (!response.ok) {
-      const errorBody = tokenResponse;
-      logger.error("Token refresh failed:", errorBody);
-      const irrecoverableErrors = ["token_revoked", "invalid_grant"];
-      if (errorBody.error && irrecoverableErrors.includes(errorBody.error)) {
-        tokenStore.clearTokens();
-        logger.debug("Cleared tokens due to irrecoverable refresh error:", errorBody.error);
-      }
+      return {
+        error: raw.error ?? {
+          code: FFID_ERROR_CODES.UNKNOWN_ERROR,
+          message: "\u4E0D\u660E\u306A\u30A8\u30E9\u30FC\u304C\u767A\u751F\u3057\u307E\u3057\u305F"
+        }
+      };
+    }
+    if (raw.data === void 0) {
       return {
         error: {
-          code: errorBody.error ?? FFID_ERROR_CODES.TOKEN_REFRESH_ERROR,
-          message: errorBody.error_description ?? "\u30C8\u30FC\u30AF\u30F3\u30EA\u30D5\u30EC\u30C3\u30B7\u30E5\u306B\u5931\u6557\u3057\u307E\u3057\u305F"
+          code: FFID_ERROR_CODES.UNKNOWN_ERROR,
+          message: "\u30B5\u30FC\u30D0\u30FC\u304B\u3089\u30C7\u30FC\u30BF\u304C\u8FD4\u3055\u308C\u307E\u305B\u3093\u3067\u3057\u305F"
         }
       };
     }
-    tokenStore.setTokens({
-      accessToken: tokenResponse.access_token,
-      refreshToken: tokenResponse.refresh_token,
-      expiresAt: Date.now() + tokenResponse.expires_in * MS_PER_SECOND
-    });
-    logger.debug("Token refresh successful");
-    return { data: void 0 };
+    return { data: raw.data };
   }
-  function redirectToLogin() {
-    if (typeof window === "undefined") {
-      logger.debug("Cannot redirect in SSR context");
-      return false;
-    }
+  const { getSession, signOutCookie } = createSessionMethods({
+    authMode,
+    baseUrl,
+    serviceCode: config.serviceCode,
+    tokenStore,
+    logger,
+    fetchWithAuth,
+    refreshAccessToken,
+    errorCodes: FFID_ERROR_CODES
+  });
+  async function signOut() {
     if (authMode === "token") {
-      return redirectToAuthorize();
+      return signOutToken();
     }
-    const currentUrl = window.location.href;
-    const loginUrl = `${baseUrl}/login?redirect=${encodeURIComponent(currentUrl)}&service=${encodeURIComponent(config.serviceCode)}`;
-    logger.debug("Redirecting to login:", loginUrl);
-    window.location.href = loginUrl;
-    return true;
-  }
-  function redirectToAuthorize() {
-    const verifier = generateCodeVerifier();
-    storeCodeVerifier(verifier);
-    generateCodeChallenge(verifier).then((challenge) => {
-      const state = generateRandomState();
-      const redirectUri = resolvedRedirectUri ?? window.location.origin + window.location.pathname;
-      const params = new URLSearchParams({
-        response_type: "code",
-        client_id: clientId,
-        redirect_uri: redirectUri,
-        state,
-        code_challenge: challenge,
-        code_challenge_method: "S256"
-      });
-      const authorizeUrl = `${baseUrl}${OAUTH_AUTHORIZE_ENDPOINT}?${params.toString()}`;
-      logger.debug("Redirecting to authorize:", authorizeUrl);
-      window.location.href = authorizeUrl;
-    }).catch((error) => {
-      logger.error("Failed to generate code challenge:", error);
-    });
-    return true;
-  }
-  function getLoginUrl(redirectUrl) {
-    const redirect = redirectUrl ?? (typeof window !== "undefined" ? window.location.href : "");
-    return `${baseUrl}/login?redirect=${encodeURIComponent(redirect)}&service=${encodeURIComponent(config.serviceCode)}`;
-  }
-  function getSignupUrl(redirectUrl) {
-    const redirect = redirectUrl ?? (typeof window !== "undefined" ? window.location.href : "");
-    return `${baseUrl}/signup?redirect=${encodeURIComponent(redirect)}&service=${encodeURIComponent(config.serviceCode)}`;
-  }
-  function createError(code, message) {
-    return { code, message };
+    return signOutCookie();
   }
+  const { redirectToLogin, getLoginUrl, getSignupUrl } = createRedirectMethods({
+    authMode,
+    baseUrl,
+    clientId,
+    serviceCode: config.serviceCode,
+    resolvedRedirectUri,
+    logger
+  });
   async function checkSubscription(params) {
     if (!params.userId || !params.organizationId) {
       return {
@@ -1079,11 +1197,6 @@ function createFFIDClient(config) {
     redirectUri: resolvedRedirectUri
   };
 }
-function generateRandomState() {
-  const array = new Uint8Array(STATE_RANDOM_BYTES);
-  crypto.getRandomValues(array);
-  return Array.from(array, (byte) => byte.toString(HEX_BASE2).padStart(2, "0")).join("");
-}
 // src/client/cache/memory-cache-adapter.ts
 var MS_PER_SECOND2 = 1e3;