npm - @feelflow/ffid-sdk - Versions diffs - 1.10.0 → 1.13.0 - Mend

@feelflow/ffid-sdk 1.10.0 → 1.13.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (17) hide show

package/dist/{chunk-OAPA5VKR.cjs → chunk-7YV3SUEY.cjs} +810 -369
package/dist/{chunk-PSSNMEJB.js → chunk-KFOIVZEY.js} +810 -369
package/dist/components/index.cjs +7 -7
package/dist/components/index.d.cts +1 -1
package/dist/components/index.d.ts +1 -1
package/dist/components/index.js +1 -1
package/dist/{index-DsXjcF0i.d.cts → index-GrAWBpmf.d.cts} +32 -5
package/dist/{index-DsXjcF0i.d.ts → index-GrAWBpmf.d.ts} +32 -5
package/dist/index.cjs +22 -22
package/dist/index.d.cts +65 -9
package/dist/index.d.ts +65 -9
package/dist/index.js +2 -2
package/dist/server/index.cjs +814 -376
package/dist/server/index.d.cts +84 -9
package/dist/server/index.d.ts +84 -9
package/dist/server/index.js +814 -376
package/package.json +1 -1

package/dist/server/index.js CHANGED Viewed

@@ -4,6 +4,7 @@ import { createRemoteJWKSet, jwtVerify } from 'jose';
 // src/auth/token-store.ts
 var STORAGE_KEY = "ffid_tokens";
+var TOKEN_STORE_LOG_PREFIX = "[FFID SDK] TokenStore:";
 var EXPIRY_BUFFER_SECONDS = 30;
 var EXPIRY_BUFFER_MS = EXPIRY_BUFFER_SECONDS * 1e3;
 function isLocalStorageAvailable() {
@@ -27,22 +28,33 @@ function createLocalStorageStore() {
         const raw = storage.getItem(STORAGE_KEY);
         if (!raw) return null;
         const parsed = JSON.parse(raw);
-        if (!isTokenData(parsed)) return null;
+        if (!isTokenData(parsed)) {
+          console.warn(TOKEN_STORE_LOG_PREFIX, "\u30C8\u30FC\u30AF\u30F3\u30C7\u30FC\u30BF\u304C\u4E0D\u6B63\u306A\u5F62\u5F0F\u3067\u3059\u3002\u30B9\u30C8\u30EC\u30FC\u30B8\u3092\u30AF\u30EA\u30A2\u3057\u307E\u3059");
+          storage.removeItem(STORAGE_KEY);
+          return null;
+        }
         return parsed;
-      } catch {
+      } catch (error) {
+        console.warn(TOKEN_STORE_LOG_PREFIX, "\u30C8\u30FC\u30AF\u30F3\u8AAD\u307F\u53D6\u308A\u306B\u5931\u6557\u3057\u307E\u3057\u305F\u3002\u7834\u640D\u30C7\u30FC\u30BF\u3092\u30AF\u30EA\u30A2\u3057\u307E\u3059", error);
+        try {
+          storage.removeItem(STORAGE_KEY);
+        } catch {
+        }
         return null;
       }
     },
     setTokens(tokens) {
       try {
         storage.setItem(STORAGE_KEY, JSON.stringify(tokens));
-      } catch {
+      } catch (error) {
+        console.warn(TOKEN_STORE_LOG_PREFIX, "\u30C8\u30FC\u30AF\u30F3\u4FDD\u5B58\u306B\u5931\u6557\u3057\u307E\u3057\u305F\uFF08\u30B9\u30C8\u30EC\u30FC\u30B8\u5BB9\u91CF\u8D85\u904E\u306E\u53EF\u80FD\u6027\uFF09", error);
       }
     },
     clearTokens() {
       try {
         storage.removeItem(STORAGE_KEY);
-      } catch {
+      } catch (error) {
+        console.warn(TOKEN_STORE_LOG_PREFIX, "\u30C8\u30FC\u30AF\u30F3\u524A\u9664\u306B\u5931\u6557\u3057\u307E\u3057\u305F", error);
       }
     },
     isAccessTokenExpired() {
@@ -85,42 +97,6 @@ function createTokenStore(storageType) {
   return createMemoryStore();
 }
-// src/auth/pkce.ts
-var VERIFIER_STORAGE_KEY = "ffid_code_verifier";
-var CODE_VERIFIER_MIN_LENGTH = 43;
-var UNRESERVED_CHARS = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-._~";
-function generateCodeVerifier() {
-  const length = CODE_VERIFIER_MIN_LENGTH;
-  const randomValues = new Uint8Array(length);
-  crypto.getRandomValues(randomValues);
-  let verifier = "";
-  for (let i = 0; i < length; i++) {
-    verifier += UNRESERVED_CHARS[randomValues[i] % UNRESERVED_CHARS.length];
-  }
-  return verifier;
-}
-async function generateCodeChallenge(verifier) {
-  const encoder = new TextEncoder();
-  const data = encoder.encode(verifier);
-  const digest = await crypto.subtle.digest("SHA-256", data);
-  return base64UrlEncode(digest);
-}
-function storeCodeVerifier(verifier) {
-  try {
-    if (typeof window === "undefined") return;
-    window.sessionStorage.setItem(VERIFIER_STORAGE_KEY, verifier);
-  } catch {
-  }
-}
-function base64UrlEncode(buffer) {
-  const bytes = new Uint8Array(buffer);
-  let binary = "";
-  for (let i = 0; i < bytes.length; i++) {
-    binary += String.fromCharCode(bytes[i]);
-  }
-  return btoa(binary).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
-}
 // src/client/oauth-userinfo.ts
 var VALID_SUBSCRIPTION_STATUSES = ["trialing", "active", "past_due", "canceled", "paused"];
 function isValidSubscriptionStatus(value) {
@@ -224,6 +200,7 @@ var OAUTH_INTROSPECT_ENDPOINT = "/api/v1/oauth/introspect";
 var CACHE_KEY_PREFIX = "ffid:introspect:";
 var HEX_BASE = 16;
 var HEX_BYTE_WIDTH = 2;
+var TOKEN_LOG_PREFIX_LENGTH = 8;
 function createVerifyAccessToken(deps) {
   const { authMode, baseUrl, serviceCode, serviceApiKey, verifyStrategy, logger, createError, errorCodes, cache, timeout } = deps;
   let jwtVerify2 = null;
@@ -239,7 +216,7 @@ function createVerifyAccessToken(deps) {
     }
     return jwtVerify2;
   }
-  async function verifyAccessToken(accessToken) {
+  async function verifyAccessToken(accessToken, options) {
     if (authMode !== "service-key") {
       return {
         error: createError(
@@ -256,12 +233,24 @@ function createVerifyAccessToken(deps) {
         )
       };
     }
+    if (options?.includeProfile && verifyStrategy === "jwt" && !serviceApiKey) {
+      return {
+        error: createError(
+          errorCodes.TOKEN_VERIFICATION_ERROR,
+          "includeProfile: true \u3092\u4F7F\u7528\u3059\u308B\u306B\u306F serviceApiKey \u306E\u8A2D\u5B9A\u304C\u5FC5\u8981\u3067\u3059"
+        )
+      };
+    }
     if (verifyStrategy === "jwt") {
-      return getJwtVerifier()(accessToken);
+      const jwtResult = await getJwtVerifier()(accessToken);
+      if (!options?.includeProfile || jwtResult.error) {
+        return jwtResult;
+      }
+      return verifyViaIntrospect(accessToken, "profile");
     }
     return verifyViaIntrospect(accessToken);
   }
-  async function verifyViaIntrospect(accessToken) {
+  async function verifyViaIntrospect(accessToken, cacheKeySuffix) {
     if (!serviceApiKey) {
       return {
         error: createError(
@@ -272,7 +261,7 @@ function createVerifyAccessToken(deps) {
     }
     const url = `${baseUrl}${OAUTH_INTROSPECT_ENDPOINT}`;
     logger.debug("Verifying access token:", url);
-    const cacheKey = await buildCacheKey(accessToken);
+    const cacheKey = cache ? await buildCacheKey(accessToken, cacheKeySuffix) : "";
     if (cache) {
       try {
         const cached = await cache.adapter.get(cacheKey);
@@ -374,16 +363,23 @@ function createVerifyAccessToken(deps) {
     }
     return { data: userinfo };
   }
-  async function buildCacheKey(token) {
+  async function buildCacheKey(token, suffix) {
+    let key;
     if (typeof globalThis.crypto?.subtle?.digest === "function") {
       const encoder = new TextEncoder();
       const data = encoder.encode(token);
       const hashBuffer = await crypto.subtle.digest("SHA-256", data);
       const hashArray = Array.from(new Uint8Array(hashBuffer));
       const hashHex = hashArray.map((b) => b.toString(HEX_BASE).padStart(HEX_BYTE_WIDTH, "0")).join("");
-      return CACHE_KEY_PREFIX + hashHex;
+      key = CACHE_KEY_PREFIX + hashHex;
+    } else {
+      const tokenPrefix = token.length > TOKEN_LOG_PREFIX_LENGTH ? token.substring(0, TOKEN_LOG_PREFIX_LENGTH) + "..." : "***";
+      logger.warn(
+        `crypto.subtle \u304C\u5229\u7528\u3067\u304D\u306A\u3044\u305F\u3081\u3001\u30AD\u30E3\u30C3\u30B7\u30E5\u30AD\u30FC\u306B\u30CF\u30C3\u30B7\u30E5\u5316\u3055\u308C\u3066\u3044\u306A\u3044\u30C8\u30FC\u30AF\u30F3\u3092\u4F7F\u7528\u3057\u307E\u3059 (token prefix: ${tokenPrefix})`
+      );
+      key = CACHE_KEY_PREFIX + token;
     }
-    return CACHE_KEY_PREFIX + token;
+    return suffix ? `${key}:${suffix}` : key;
   }
   return verifyAccessToken;
 }
@@ -436,9 +432,15 @@ function createBillingMethods(deps) {
 }
 // src/client/version-check.ts
-var SDK_VERSION = "1.10.0";
+var SDK_VERSION = "1.13.0";
 var SDK_USER_AGENT = `FFID-SDK/${SDK_VERSION} (TypeScript)`;
 var SDK_VERSION_HEADER = "X-FFID-SDK-Version";
+function sdkHeaders() {
+  return {
+    "User-Agent": SDK_USER_AGENT,
+    [SDK_VERSION_HEADER]: SDK_VERSION
+  };
+}
 var LATEST_VERSION_HEADER = "X-FFID-SDK-Latest-Version";
 var SEMVER_PATTERN = /^\d+(\.\d+)*$/;
 var _versionWarningShown = false;
@@ -472,213 +474,277 @@ npm install @feelflow/ffid-sdk@latest \u3067\u30A2\u30C3\u30D7\u30C7\u30FC\u30C8
   }
 }
-// src/client/ffid-client.ts
-var NO_CONTENT_STATUS = 204;
-var SESSION_ENDPOINT = "/api/v1/auth/session";
-var LOGOUT_ENDPOINT = "/api/v1/auth/signout";
+// src/client/oauth-token.ts
 var OAUTH_TOKEN_ENDPOINT = "/api/v1/oauth/token";
-var OAUTH_USERINFO_ENDPOINT = "/api/v1/oauth/userinfo";
-var OAUTH_AUTHORIZE_ENDPOINT = "/api/v1/oauth/authorize";
 var OAUTH_REVOKE_ENDPOINT = "/api/v1/oauth/revoke";
-var EXT_CHECK_ENDPOINT = "/api/v1/subscriptions/ext/check";
-var SDK_LOG_PREFIX = "[FFID SDK]";
 var MS_PER_SECOND = 1e3;
-var UNAUTHORIZED_STATUS = 401;
-var STATE_RANDOM_BYTES = 16;
-var HEX_BASE2 = 16;
-var noopLogger = {
-  debug: () => {
-  },
-  info: () => {
-  },
-  warn: () => {
-  },
-  error: (...args) => console.error(SDK_LOG_PREFIX, ...args)
-};
-var consoleLogger = {
-  debug: (...args) => console.debug(SDK_LOG_PREFIX, ...args),
-  info: (...args) => console.info(SDK_LOG_PREFIX, ...args),
-  warn: (...args) => console.warn(SDK_LOG_PREFIX, ...args),
-  error: (...args) => console.error(SDK_LOG_PREFIX, ...args)
-};
-var FFID_ERROR_CODES = {
-  NETWORK_ERROR: "NETWORK_ERROR",
-  PARSE_ERROR: "PARSE_ERROR",
-  UNKNOWN_ERROR: "UNKNOWN_ERROR",
-  TOKEN_EXCHANGE_ERROR: "TOKEN_EXCHANGE_ERROR",
-  TOKEN_REFRESH_ERROR: "TOKEN_REFRESH_ERROR",
-  NO_TOKENS: "NO_TOKENS",
-  TOKEN_VERIFICATION_ERROR: "TOKEN_VERIFICATION_ERROR"
-};
-function createFFIDClient(config) {
-  if (!config.serviceCode || !config.serviceCode.trim()) {
-    throw new Error("FFID Client: serviceCode \u304C\u672A\u8A2D\u5B9A\u3067\u3059");
+function validateTokenResponse(tokenResponse) {
+  const invalid = [];
+  if (!tokenResponse.access_token) {
+    invalid.push("access_token");
   }
-  const baseUrl = config.apiBaseUrl ?? DEFAULT_API_BASE_URL;
-  const authMode = config.authMode ?? "cookie";
-  const clientId = config.clientId ?? config.serviceCode;
-  const resolvedRedirectUri = config.redirectUri ?? null;
-  const serviceApiKey = config.serviceApiKey?.trim();
-  const verifyStrategy = config.verifyStrategy ?? "jwt";
-  const cache = config.cache;
-  const timeout = config.timeout;
-  if (authMode === "service-key" && !serviceApiKey) {
-    throw new Error("FFID Client: service-key \u30E2\u30FC\u30C9\u3067\u306F serviceApiKey \u304C\u5FC5\u9808\u3067\u3059");
+  if (!tokenResponse.refresh_token) {
+    invalid.push("refresh_token");
   }
-  if (cache && cache.ttl <= 0) {
-    throw new Error("FFID Client: cache.ttl \u306F\u6B63\u306E\u6570\u5024\u3092\u6307\u5B9A\u3057\u3066\u304F\u3060\u3055\u3044");
+  if (typeof tokenResponse.expires_in !== "number" || tokenResponse.expires_in <= 0) {
+    invalid.push("expires_in");
   }
-  if (timeout !== void 0 && timeout <= 0) {
-    throw new Error("FFID Client: timeout \u306F\u6B63\u306E\u6570\u5024\u3092\u6307\u5B9A\u3057\u3066\u304F\u3060\u3055\u3044");
+  if (invalid.length > 0) {
+    return `\u30C8\u30FC\u30AF\u30F3\u30EC\u30B9\u30DD\u30F3\u30B9\u306B\u4E0D\u6B63\u306A\u30D5\u30A3\u30FC\u30EB\u30C9\u304C\u3042\u308A\u307E\u3059: ${invalid.join(", ")}`;
   }
-  const logger = config.logger ?? (config.debug ? consoleLogger : noopLogger);
-  const tokenStore = authMode === "token" ? createTokenStore() : createTokenStore("memory");
-  async function fetchWithAuth(endpoint, options = {}) {
-    const url = `${baseUrl}${endpoint}`;
-    logger.debug("Fetching:", url);
-    const fetchOptions = buildFetchOptions(options);
+  return null;
+}
+function createOAuthTokenMethods(deps) {
+  const {
+    baseUrl,
+    clientId,
+    resolvedRedirectUri,
+    tokenStore,
+    logger,
+    errorCodes
+  } = deps;
+  async function exchangeCodeForTokens(code, codeVerifier) {
+    const url = `${baseUrl}${OAUTH_TOKEN_ENDPOINT}`;
+    logger.debug("Exchanging code for tokens:", url);
+    const effectiveRedirectUri = resolvedRedirectUri ?? (typeof window !== "undefined" ? window.location.origin + window.location.pathname : null);
+    if (!effectiveRedirectUri) {
+      logger.error("redirectUri is required for token exchange in SSR environments. Set config.redirectUri explicitly.");
+      return {
+        error: {
+          code: errorCodes.TOKEN_EXCHANGE_ERROR,
+          message: "redirectUri \u304C\u672A\u8A2D\u5B9A\u3067\u3059\u3002SSR\u74B0\u5883\u3067\u306F config.redirectUri \u3092\u660E\u793A\u7684\u306B\u6307\u5B9A\u3057\u3066\u304F\u3060\u3055\u3044"
+        }
+      };
+    }
+    const body = {
+      grant_type: "authorization_code",
+      code,
+      client_id: clientId,
+      redirect_uri: effectiveRedirectUri
+    };
+    if (codeVerifier) {
+      body.code_verifier = codeVerifier;
+    }
     let response;
     try {
-      response = await fetch(url, fetchOptions);
+      response = await fetch(url, {
+        method: "POST",
+        credentials: "omit",
+        headers: { "Content-Type": "application/x-www-form-urlencoded", ...sdkHeaders() },
+        body: new URLSearchParams(body).toString()
+      });
     } catch (error) {
-      logger.error("Network error:", error);
+      logger.error("Network error during token exchange:", error);
       return {
         error: {
-          code: FFID_ERROR_CODES.NETWORK_ERROR,
+          code: errorCodes.NETWORK_ERROR,
           message: error instanceof Error ? error.message : "\u30CD\u30C3\u30C8\u30EF\u30FC\u30AF\u30A8\u30E9\u30FC\u304C\u767A\u751F\u3057\u307E\u3057\u305F"
         }
       };
     }
-    if (authMode === "token" && response.status === UNAUTHORIZED_STATUS) {
-      const refreshResult = await refreshAccessToken();
-      if (!refreshResult.error) {
-        logger.debug("Token refreshed, retrying request");
-        const retryOptions = buildFetchOptions(options);
-        try {
-          response = await fetch(url, retryOptions);
-        } catch (retryError) {
-          logger.error("Network error on retry:", retryError);
-          return {
-            error: {
-              code: FFID_ERROR_CODES.NETWORK_ERROR,
-              message: retryError instanceof Error ? retryError.message : "\u30CD\u30C3\u30C8\u30EF\u30FC\u30AF\u30A8\u30E9\u30FC\u304C\u767A\u751F\u3057\u307E\u3057\u305F"
-            }
-          };
-        }
-      }
-    }
-    let raw;
+    let tokenResponse;
     try {
-      raw = await response.json();
+      tokenResponse = await response.json();
     } catch (parseError) {
-      logger.error("Parse error:", parseError, "Status:", response.status);
+      logger.error("Parse error during token exchange:", parseError);
       return {
         error: {
-          code: FFID_ERROR_CODES.PARSE_ERROR,
-          message: `\u30B5\u30FC\u30D0\u30FC\u304B\u3089\u4E0D\u6B63\u306A\u30EC\u30B9\u30DD\u30F3\u30B9\u3092\u53D7\u4FE1\u3057\u307E\u3057\u305F (status: ${response.status})`
+          code: errorCodes.PARSE_ERROR,
+          message: `\u30C8\u30FC\u30AF\u30F3\u30EC\u30B9\u30DD\u30F3\u30B9\u306E\u89E3\u6790\u306B\u5931\u6557\u3057\u307E\u3057\u305F (status: ${response.status})`
         }
       };
     }
-    logger.debug("Response:", response.status, raw);
-    checkVersionHeader(response, logger);
     if (!response.ok) {
-      return {
-        error: raw.error ?? {
-          code: FFID_ERROR_CODES.UNKNOWN_ERROR,
-          message: "\u4E0D\u660E\u306A\u30A8\u30E9\u30FC\u304C\u767A\u751F\u3057\u307E\u3057\u305F"
-        }
-      };
-    }
-    if (raw.data === void 0) {
+      const errorBody = tokenResponse;
       return {
         error: {
-          code: FFID_ERROR_CODES.UNKNOWN_ERROR,
-          message: "\u30B5\u30FC\u30D0\u30FC\u304B\u3089\u30C7\u30FC\u30BF\u304C\u8FD4\u3055\u308C\u307E\u305B\u3093\u3067\u3057\u305F"
-        }
-      };
-    }
-    return { data: raw.data };
-  }
-  function sdkHeaders() {
-    return {
-      "User-Agent": SDK_USER_AGENT,
-      [SDK_VERSION_HEADER]: SDK_VERSION
-    };
-  }
-  function buildFetchOptions(options) {
-    if (authMode === "service-key") {
-      return {
-        ...options,
-        credentials: "omit",
-        headers: {
-          "Content-Type": "application/json",
-          ...sdkHeaders(),
-          "X-Service-Api-Key": serviceApiKey,
-          ...options.headers
+          code: errorBody.error ?? errorCodes.TOKEN_EXCHANGE_ERROR,
+          message: errorBody.error_description ?? "\u30C8\u30FC\u30AF\u30F3\u4EA4\u63DB\u306B\u5931\u6557\u3057\u307E\u3057\u305F"
         }
       };
     }
-    if (authMode === "token") {
-      const tokens = tokenStore.getTokens();
-      const headers = {
-        "Content-Type": "application/json",
-        ...sdkHeaders(),
-        ...options.headers
-      };
-      if (tokens) {
-        headers["Authorization"] = `Bearer ${tokens.accessToken}`;
-      }
-      return {
-        ...options,
-        credentials: "omit",
-        headers
-      };
-    }
-    return {
-      ...options,
-      credentials: "include",
-      headers: {
-        "Content-Type": "application/json",
-        ...sdkHeaders(),
-        ...options.headers
-      }
-    };
-  }
-  async function getSession() {
-    if (authMode === "token") {
-      return getSessionFromUserinfo();
-    }
-    const result = await fetchWithAuth(SESSION_ENDPOINT);
-    if (result.data?.user) {
+    const validationError = validateTokenResponse(tokenResponse);
+    if (validationError) {
+      logger.error("Token exchange validation failed:", validationError);
       return {
-        ...result,
-        data: {
-          ...result.data,
-          user: normalizeFFIDUser(result.data.user)
+        error: {
+          code: errorCodes.TOKEN_EXCHANGE_ERROR,
+          message: validationError
         }
       };
     }
-    return result;
-  }
-  function normalizeFFIDUser(user) {
-    return {
-      ...user,
-      locale: user.locale ?? null,
-      timezone: user.timezone ?? null
-    };
+    tokenStore.setTokens({
+      accessToken: tokenResponse.access_token,
+      refreshToken: tokenResponse.refresh_token,
+      expiresAt: Date.now() + tokenResponse.expires_in * MS_PER_SECOND
+    });
+    logger.debug("Token exchange successful");
+    return { data: void 0 };
   }
-  async function getSessionFromUserinfo() {
+  async function refreshAccessToken() {
     const tokens = tokenStore.getTokens();
     if (!tokens) {
       return {
         error: {
-          code: FFID_ERROR_CODES.NO_TOKENS,
-          message: "\u30C8\u30FC\u30AF\u30F3\u304C\u4FDD\u5B58\u3055\u308C\u3066\u3044\u307E\u305B\u3093"
+          code: errorCodes.NO_TOKENS,
+          message: "\u30EA\u30D5\u30EC\u30C3\u30B7\u30E5\u30C8\u30FC\u30AF\u30F3\u304C\u3042\u308A\u307E\u305B\u3093"
         }
       };
     }
-    const url = `${baseUrl}${OAUTH_USERINFO_ENDPOINT}`;
-    logger.debug("Fetching userinfo:", url);
+    const url = `${baseUrl}${OAUTH_TOKEN_ENDPOINT}`;
+    logger.debug("Refreshing access token:", url);
+    let response;
+    try {
+      response = await fetch(url, {
+        method: "POST",
+        credentials: "omit",
+        headers: { "Content-Type": "application/x-www-form-urlencoded", ...sdkHeaders() },
+        body: new URLSearchParams({
+          grant_type: "refresh_token",
+          refresh_token: tokens.refreshToken,
+          client_id: clientId
+        }).toString()
+      });
+    } catch (error) {
+      logger.error("Network error during token refresh:", error);
+      return {
+        error: {
+          code: errorCodes.NETWORK_ERROR,
+          message: error instanceof Error ? error.message : "\u30CD\u30C3\u30C8\u30EF\u30FC\u30AF\u30A8\u30E9\u30FC\u304C\u767A\u751F\u3057\u307E\u3057\u305F"
+        }
+      };
+    }
+    let tokenResponse;
+    try {
+      tokenResponse = await response.json();
+    } catch (parseError) {
+      logger.error("Parse error during token refresh:", parseError);
+      return {
+        error: {
+          code: errorCodes.PARSE_ERROR,
+          message: `\u30C8\u30FC\u30AF\u30F3\u30EC\u30B9\u30DD\u30F3\u30B9\u306E\u89E3\u6790\u306B\u5931\u6557\u3057\u307E\u3057\u305F (status: ${response.status})`
+        }
+      };
+    }
+    if (!response.ok) {
+      const errorBody = tokenResponse;
+      logger.error("Token refresh failed:", errorBody);
+      const irrecoverableErrors = ["token_revoked", "invalid_grant"];
+      if (errorBody.error && irrecoverableErrors.includes(errorBody.error)) {
+        tokenStore.clearTokens();
+        logger.debug("Cleared tokens due to irrecoverable refresh error:", errorBody.error);
+      }
+      return {
+        error: {
+          code: errorBody.error ?? errorCodes.TOKEN_REFRESH_ERROR,
+          message: errorBody.error_description ?? "\u30C8\u30FC\u30AF\u30F3\u30EA\u30D5\u30EC\u30C3\u30B7\u30E5\u306B\u5931\u6557\u3057\u307E\u3057\u305F"
+        }
+      };
+    }
+    const validationError = validateTokenResponse(tokenResponse);
+    if (validationError) {
+      logger.error("Token refresh validation failed:", validationError);
+      return {
+        error: {
+          code: errorCodes.TOKEN_REFRESH_ERROR,
+          message: validationError
+        }
+      };
+    }
+    tokenStore.setTokens({
+      accessToken: tokenResponse.access_token,
+      refreshToken: tokenResponse.refresh_token,
+      expiresAt: Date.now() + tokenResponse.expires_in * MS_PER_SECOND
+    });
+    logger.debug("Token refresh successful");
+    return { data: void 0 };
+  }
+  async function signOutToken() {
+    const tokens = tokenStore.getTokens();
+    tokenStore.clearTokens();
+    if (!tokens) {
+      logger.debug("No tokens to revoke");
+      return { data: void 0 };
+    }
+    const url = `${baseUrl}${OAUTH_REVOKE_ENDPOINT}`;
+    logger.debug("Revoking token:", url);
+    try {
+      const response = await fetch(url, {
+        method: "POST",
+        credentials: "omit",
+        headers: { "Content-Type": "application/x-www-form-urlencoded", ...sdkHeaders() },
+        body: new URLSearchParams({
+          token: tokens.accessToken,
+          client_id: clientId
+        }).toString()
+      });
+      if (!response.ok) {
+        logger.warn(
+          "\u30C8\u30FC\u30AF\u30F3\u7121\u52B9\u5316\u30EA\u30AF\u30A8\u30B9\u30C8\u304C\u30B5\u30FC\u30D0\u30FC\u3067\u5931\u6557\u3057\u307E\u3057\u305F:",
+          `status=${response.status}`
+        );
+      }
+    } catch (error) {
+      logger.warn("\u30C8\u30FC\u30AF\u30F3\u7121\u52B9\u5316\u306E\u30CD\u30C3\u30C8\u30EF\u30FC\u30AF\u30EA\u30AF\u30A8\u30B9\u30C8\u306B\u5931\u6557\u3057\u307E\u3057\u305F:", error);
+    }
+    logger.debug("Token sign-out completed");
+    return { data: void 0 };
+  }
+  return { exchangeCodeForTokens, refreshAccessToken, signOutToken };
+}
+// src/client/session.ts
+var SESSION_ENDPOINT = "/api/v1/auth/session";
+var LOGOUT_ENDPOINT = "/api/v1/auth/signout";
+var OAUTH_USERINFO_ENDPOINT = "/api/v1/oauth/userinfo";
+var NO_CONTENT_STATUS = 204;
+var UNAUTHORIZED_STATUS = 401;
+function normalizeFFIDUser(user) {
+  return {
+    ...user,
+    locale: user.locale ?? null,
+    timezone: user.timezone ?? null
+  };
+}
+function createSessionMethods(deps) {
+  const {
+    authMode,
+    baseUrl,
+    serviceCode,
+    tokenStore,
+    logger,
+    fetchWithAuth,
+    refreshAccessToken,
+    errorCodes
+  } = deps;
+  async function getSession() {
+    if (authMode === "token") {
+      return getSessionFromUserinfo();
+    }
+    const result = await fetchWithAuth(SESSION_ENDPOINT);
+    if (result.data?.user) {
+      return {
+        ...result,
+        data: {
+          ...result.data,
+          user: normalizeFFIDUser(result.data.user)
+        }
+      };
+    }
+    return result;
+  }
+  async function getSessionFromUserinfo() {
+    const tokens = tokenStore.getTokens();
+    if (!tokens) {
+      return {
+        error: {
+          code: errorCodes.NO_TOKENS,
+          message: "\u30C8\u30FC\u30AF\u30F3\u304C\u4FDD\u5B58\u3055\u308C\u3066\u3044\u307E\u305B\u3093"
+        }
+      };
+    }
+    const url = `${baseUrl}${OAUTH_USERINFO_ENDPOINT}`;
+    logger.debug("Fetching userinfo:", url);
     let response;
     try {
       response = await fetch(url, {
@@ -693,7 +759,7 @@ function createFFIDClient(config) {
       logger.error("Network error:", error);
       return {
         error: {
-          code: FFID_ERROR_CODES.NETWORK_ERROR,
+          code: errorCodes.NETWORK_ERROR,
           message: error instanceof Error ? error.message : "\u30CD\u30C3\u30C8\u30EF\u30FC\u30AF\u30A8\u30E9\u30FC\u304C\u767A\u751F\u3057\u307E\u3057\u305F"
         }
       };
@@ -716,7 +782,7 @@ function createFFIDClient(config) {
             logger.error("Network error on retry:", retryError);
             return {
               error: {
-                code: FFID_ERROR_CODES.NETWORK_ERROR,
+                code: errorCodes.NETWORK_ERROR,
                 message: retryError instanceof Error ? retryError.message : "\u30CD\u30C3\u30C8\u30EF\u30FC\u30AF\u30A8\u30E9\u30FC\u304C\u767A\u751F\u3057\u307E\u3057\u305F"
               }
             };
@@ -733,7 +799,7 @@ function createFFIDClient(config) {
       logger.error("Parse error:", parseError, "Status:", response.status);
       return {
         error: {
-          code: FFID_ERROR_CODES.PARSE_ERROR,
+          code: errorCodes.PARSE_ERROR,
           message: `\u30B5\u30FC\u30D0\u30FC\u304B\u3089\u4E0D\u6B63\u306A\u30EC\u30B9\u30DD\u30F3\u30B9\u3092\u53D7\u4FE1\u3057\u307E\u3057\u305F (status: ${response.status})`
         }
       };
@@ -742,7 +808,7 @@ function createFFIDClient(config) {
       const errorBody = rawUserinfo;
       return {
         error: {
-          code: errorBody.code ?? FFID_ERROR_CODES.UNKNOWN_ERROR,
+          code: errorBody.code ?? errorCodes.UNKNOWN_ERROR,
           message: errorBody.message ?? "\u4E0D\u660E\u306A\u30A8\u30E9\u30FC\u304C\u767A\u751F\u3057\u307E\u3057\u305F"
         }
       };
@@ -761,16 +827,10 @@ function createFFIDClient(config) {
       data: {
         user,
         organizations: [],
-        subscriptions: mapUserinfoSubscriptionToSession(userinfo, config.serviceCode)
+        subscriptions: mapUserinfoSubscriptionToSession(userinfo, serviceCode)
       }
     };
   }
-  async function signOut() {
-    if (authMode === "token") {
-      return signOutToken();
-    }
-    return signOutCookie();
-  }
   async function signOutCookie() {
     const url = `${baseUrl}${LOGOUT_ENDPOINT}`;
     logger.debug("Fetching:", url);
@@ -785,7 +845,7 @@ function createFFIDClient(config) {
       logger.error("Network error:", error);
       return {
         error: {
-          code: FFID_ERROR_CODES.NETWORK_ERROR,
+          code: errorCodes.NETWORK_ERROR,
           message: error instanceof Error ? error.message : "\u30CD\u30C3\u30C8\u30EF\u30FC\u30AF\u30A8\u30E9\u30FC\u304C\u767A\u751F\u3057\u307E\u3057\u305F"
         }
       };
@@ -799,14 +859,20 @@ function createFFIDClient(config) {
         const raw = await response.json();
         return {
           error: raw.error ?? {
-            code: FFID_ERROR_CODES.UNKNOWN_ERROR,
+            code: errorCodes.UNKNOWN_ERROR,
             message: "\u4E0D\u660E\u306A\u30A8\u30E9\u30FC\u304C\u767A\u751F\u3057\u307E\u3057\u305F"
           }
         };
-      } catch {
+      } catch (parseError) {
+        logger.error(
+          "\u30B5\u30A4\u30F3\u30A2\u30A6\u30C8\u30EC\u30B9\u30DD\u30F3\u30B9\u306E\u89E3\u6790\u306B\u5931\u6557\u3057\u307E\u3057\u305F:",
+          parseError,
+          "Status:",
+          response.status
+        );
         return {
           error: {
-            code: FFID_ERROR_CODES.PARSE_ERROR,
+            code: errorCodes.PARSE_ERROR,
             message: `\u30B5\u30FC\u30D0\u30FC\u304B\u3089\u4E0D\u6B63\u306A\u30EC\u30B9\u30DD\u30F3\u30B9\u3092\u53D7\u4FE1\u3057\u307E\u3057\u305F (status: ${response.status})`
           }
         };
@@ -815,214 +881,567 @@ function createFFIDClient(config) {
     logger.debug("Response:", response.status);
     return { data: void 0 };
   }
-  async function signOutToken() {
-    const tokens = tokenStore.getTokens();
-    tokenStore.clearTokens();
-    if (!tokens) {
-      logger.debug("No tokens to revoke");
-      return { data: void 0 };
+  return { getSession, signOutCookie };
+}
+// src/auth/pkce.ts
+var VERIFIER_STORAGE_KEY = "ffid_code_verifier";
+var CODE_VERIFIER_MIN_LENGTH = 43;
+var UNRESERVED_CHARS = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-._~";
+function generateCodeVerifier() {
+  const length = CODE_VERIFIER_MIN_LENGTH;
+  const randomValues = new Uint8Array(length);
+  crypto.getRandomValues(randomValues);
+  let verifier = "";
+  for (let i = 0; i < length; i++) {
+    verifier += UNRESERVED_CHARS[randomValues[i] % UNRESERVED_CHARS.length];
+  }
+  return verifier;
+}
+async function generateCodeChallenge(verifier) {
+  const encoder = new TextEncoder();
+  const data = encoder.encode(verifier);
+  const digest = await crypto.subtle.digest("SHA-256", data);
+  return base64UrlEncode(digest);
+}
+function storeCodeVerifier(verifier, logger) {
+  try {
+    if (typeof window === "undefined") {
+      logger?.warn("storeCodeVerifier: sessionStorage is not available in SSR context");
+      return false;
     }
-    const url = `${baseUrl}${OAUTH_REVOKE_ENDPOINT}`;
-    logger.debug("Revoking token:", url);
+    window.sessionStorage.setItem(VERIFIER_STORAGE_KEY, verifier);
+    return true;
+  } catch (error) {
+    logger?.warn("storeCodeVerifier: sessionStorage \u3078\u306E\u4FDD\u5B58\u306B\u5931\u6557\u3057\u307E\u3057\u305F:", error);
+    return false;
+  }
+}
+function base64UrlEncode(buffer) {
+  const bytes = new Uint8Array(buffer);
+  let binary = "";
+  for (let i = 0; i < bytes.length; i++) {
+    binary += String.fromCharCode(bytes[i]);
+  }
+  return btoa(binary).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
+}
+// src/client/redirect.ts
+var OAUTH_AUTHORIZE_ENDPOINT = "/api/v1/oauth/authorize";
+var STATE_RANDOM_BYTES = 16;
+var HEX_BASE2 = 16;
+function generateRandomState() {
+  const array = new Uint8Array(STATE_RANDOM_BYTES);
+  crypto.getRandomValues(array);
+  return Array.from(array, (byte) => byte.toString(HEX_BASE2).padStart(2, "0")).join("");
+}
+function createRedirectMethods(deps) {
+  const {
+    authMode,
+    baseUrl,
+    clientId,
+    serviceCode,
+    resolvedRedirectUri,
+    logger
+  } = deps;
+  async function redirectToAuthorize() {
+    const verifier = generateCodeVerifier();
+    storeCodeVerifier(verifier, logger);
+    let challenge;
     try {
-      await fetch(url, {
-        method: "POST",
-        credentials: "omit",
-        headers: { "Content-Type": "application/x-www-form-urlencoded", ...sdkHeaders() },
-        body: new URLSearchParams({
-          token: tokens.accessToken,
-          client_id: clientId
-        }).toString()
-      });
+      challenge = await generateCodeChallenge(verifier);
     } catch (error) {
-      logger.warn("Token revocation failed:", error);
+      const errorMessage = error instanceof Error ? error.message : "PKCE \u30B3\u30FC\u30C9\u30C1\u30E3\u30EC\u30F3\u30B8\u306E\u751F\u6210\u306B\u5931\u6557\u3057\u307E\u3057\u305F";
+      logger.error("PKCE \u30B3\u30FC\u30C9\u30C1\u30E3\u30EC\u30F3\u30B8\u306E\u751F\u6210\u306B\u5931\u6557\u3057\u307E\u3057\u305F:", error);
+      return { success: false, error: errorMessage };
     }
-    logger.debug("Token sign-out completed");
-    return { data: void 0 };
+    const state = generateRandomState();
+    const redirectUri = resolvedRedirectUri ?? window.location.origin + window.location.pathname;
+    const params = new URLSearchParams({
+      response_type: "code",
+      client_id: clientId,
+      redirect_uri: redirectUri,
+      state,
+      code_challenge: challenge,
+      code_challenge_method: "S256"
+    });
+    const authorizeUrl = `${baseUrl}${OAUTH_AUTHORIZE_ENDPOINT}?${params.toString()}`;
+    logger.debug("Redirecting to authorize:", authorizeUrl);
+    window.location.href = authorizeUrl;
+    return { success: true };
   }
-  async function exchangeCodeForTokens(code, codeVerifier) {
-    const url = `${baseUrl}${OAUTH_TOKEN_ENDPOINT}`;
-    logger.debug("Exchanging code for tokens:", url);
-    const effectiveRedirectUri = resolvedRedirectUri ?? (typeof window !== "undefined" ? window.location.origin + window.location.pathname : null);
-    if (!effectiveRedirectUri) {
-      logger.error("redirectUri is required for token exchange in SSR environments. Set config.redirectUri explicitly.");
-      return {
-        error: {
-          code: FFID_ERROR_CODES.TOKEN_EXCHANGE_ERROR,
-          message: "redirectUri \u304C\u672A\u8A2D\u5B9A\u3067\u3059\u3002SSR\u74B0\u5883\u3067\u306F config.redirectUri \u3092\u660E\u793A\u7684\u306B\u6307\u5B9A\u3057\u3066\u304F\u3060\u3055\u3044"
-        }
-      };
+  async function redirectToLogin() {
+    if (typeof window === "undefined") {
+      logger.warn("SSR \u74B0\u5883\u3067\u306F\u30EA\u30C0\u30A4\u30EC\u30AF\u30C8\u3067\u304D\u307E\u305B\u3093");
+      return { success: false, error: "SSR \u74B0\u5883\u3067\u306F\u30EA\u30C0\u30A4\u30EC\u30AF\u30C8\u3067\u304D\u307E\u305B\u3093" };
     }
-    const body = {
-      grant_type: "authorization_code",
-      code,
-      client_id: clientId,
-      redirect_uri: effectiveRedirectUri
-    };
-    if (codeVerifier) {
-      body.code_verifier = codeVerifier;
+    if (authMode === "token") {
+      return redirectToAuthorize();
+    }
+    const currentUrl = window.location.href;
+    const loginUrl = `${baseUrl}/login?redirect=${encodeURIComponent(currentUrl)}&service=${encodeURIComponent(serviceCode)}`;
+    logger.debug("Redirecting to login:", loginUrl);
+    window.location.href = loginUrl;
+    return { success: true };
+  }
+  function getLoginUrl(redirectUrl) {
+    let redirect;
+    if (redirectUrl != null) {
+      redirect = redirectUrl;
+    } else if (typeof window !== "undefined") {
+      redirect = window.location.href;
+    } else {
+      logger.warn("getLoginUrl: SSR \u74B0\u5883\u3067 redirectUrl \u304C\u672A\u6307\u5B9A\u306E\u305F\u3081\u7A7A\u6587\u5B57\u306B\u30D5\u30A9\u30FC\u30EB\u30D0\u30C3\u30AF\u3057\u307E\u3059");
+      redirect = "";
+    }
+    return `${baseUrl}/login?redirect=${encodeURIComponent(redirect)}&service=${encodeURIComponent(serviceCode)}`;
+  }
+  function getSignupUrl(redirectUrl) {
+    let redirect;
+    if (redirectUrl != null) {
+      redirect = redirectUrl;
+    } else if (typeof window !== "undefined") {
+      redirect = window.location.href;
+    } else {
+      logger.warn("getSignupUrl: SSR \u74B0\u5883\u3067 redirectUrl \u304C\u672A\u6307\u5B9A\u306E\u305F\u3081\u7A7A\u6587\u5B57\u306B\u30D5\u30A9\u30FC\u30EB\u30D0\u30C3\u30AF\u3057\u307E\u3059");
+      redirect = "";
     }
+    return `${baseUrl}/signup?redirect=${encodeURIComponent(redirect)}&service=${encodeURIComponent(serviceCode)}`;
+  }
+  return { redirectToLogin, redirectToAuthorize, getLoginUrl, getSignupUrl };
+}
+// src/client/password-reset.ts
+var RESET_PASSWORD_BASE = "/api/v1/auth/reset-password";
+function isBlank(value) {
+  return !value || !value.trim();
+}
+function createPasswordResetMethods(deps) {
+  const { baseUrl, logger, createError, fetchWithAuth, errorCodes } = deps;
+  async function fetchPublic(endpoint, options = {}) {
+    const url = `${baseUrl}${endpoint}`;
+    logger.debug("Fetching (public):", url);
     let response;
     try {
       response = await fetch(url, {
-        method: "POST",
-        credentials: "omit",
-        headers: { "Content-Type": "application/x-www-form-urlencoded", ...sdkHeaders() },
-        body: new URLSearchParams(body).toString()
-      });
-    } catch (error) {
-      logger.error("Network error during token exchange:", error);
-      return {
-        error: {
-          code: FFID_ERROR_CODES.NETWORK_ERROR,
+        ...options,
+        credentials: "include",
+        headers: {
+          "Content-Type": "application/json",
+          ...sdkHeaders(),
+          ...options.headers
+        }
+      });
+    } catch (error) {
+      logger.error("Network error:", error);
+      return {
+        error: {
+          code: errorCodes.NETWORK_ERROR,
           message: error instanceof Error ? error.message : "\u30CD\u30C3\u30C8\u30EF\u30FC\u30AF\u30A8\u30E9\u30FC\u304C\u767A\u751F\u3057\u307E\u3057\u305F"
         }
       };
     }
-    let tokenResponse;
+    let raw;
     try {
-      tokenResponse = await response.json();
+      raw = await response.json();
     } catch (parseError) {
-      logger.error("Parse error during token exchange:", parseError);
+      logger.error("Parse error:", parseError, "Status:", response.status);
       return {
         error: {
-          code: FFID_ERROR_CODES.PARSE_ERROR,
-          message: `\u30C8\u30FC\u30AF\u30F3\u30EC\u30B9\u30DD\u30F3\u30B9\u306E\u89E3\u6790\u306B\u5931\u6557\u3057\u307E\u3057\u305F (status: ${response.status})`
+          code: errorCodes.PARSE_ERROR,
+          message: `\u30B5\u30FC\u30D0\u30FC\u304B\u3089\u4E0D\u6B63\u306A\u30EC\u30B9\u30DD\u30F3\u30B9\u3092\u53D7\u4FE1\u3057\u307E\u3057\u305F (status: ${response.status})`
         }
       };
     }
+    logger.debug("Response (public):", response.status, raw);
+    checkVersionHeader(response, logger);
     if (!response.ok) {
-      const errorBody = tokenResponse;
+      return {
+        error: raw.error ?? {
+          code: errorCodes.UNKNOWN_ERROR,
+          message: "\u30D1\u30B9\u30EF\u30FC\u30C9\u30EA\u30BB\u30C3\u30C8\u306B\u5931\u6557\u3057\u307E\u3057\u305F"
+        }
+      };
+    }
+    if (raw.data === void 0) {
       return {
         error: {
-          code: errorBody.error ?? FFID_ERROR_CODES.TOKEN_EXCHANGE_ERROR,
-          message: errorBody.error_description ?? "\u30C8\u30FC\u30AF\u30F3\u4EA4\u63DB\u306B\u5931\u6557\u3057\u307E\u3057\u305F"
+          code: errorCodes.UNKNOWN_ERROR,
+          message: "\u30B5\u30FC\u30D0\u30FC\u304B\u3089\u30C7\u30FC\u30BF\u304C\u8FD4\u3055\u308C\u307E\u305B\u3093\u3067\u3057\u305F"
         }
       };
     }
-    tokenStore.setTokens({
-      accessToken: tokenResponse.access_token,
-      refreshToken: tokenResponse.refresh_token,
-      expiresAt: Date.now() + tokenResponse.expires_in * MS_PER_SECOND
+    return { data: raw.data };
+  }
+  async function requestPasswordReset(email) {
+    if (isBlank(email)) {
+      return {
+        error: createError("VALIDATION_ERROR", "\u30E1\u30FC\u30EB\u30A2\u30C9\u30EC\u30B9\u306F\u5FC5\u9808\u3067\u3059")
+      };
+    }
+    return fetchPublic(
+      RESET_PASSWORD_BASE,
+      {
+        method: "POST",
+        body: JSON.stringify({ email })
+      }
+    );
+  }
+  async function verifyPasswordResetToken(accessToken) {
+    if (isBlank(accessToken)) {
+      return {
+        error: createError("VALIDATION_ERROR", "\u30A2\u30AF\u30BB\u30B9\u30C8\u30FC\u30AF\u30F3\u306F\u5FC5\u9808\u3067\u3059")
+      };
+    }
+    const query = new URLSearchParams({
+      access_token: accessToken,
+      type: "recovery"
     });
-    logger.debug("Token exchange successful");
-    return { data: void 0 };
+    return fetchPublic(
+      `${RESET_PASSWORD_BASE}/verify?${query.toString()}`
+    );
   }
-  async function refreshAccessToken() {
-    const tokens = tokenStore.getTokens();
-    if (!tokens) {
+  async function establishResetSession(accessToken, refreshToken) {
+    if (isBlank(accessToken)) {
       return {
-        error: {
-          code: FFID_ERROR_CODES.NO_TOKENS,
-          message: "\u30EA\u30D5\u30EC\u30C3\u30B7\u30E5\u30C8\u30FC\u30AF\u30F3\u304C\u3042\u308A\u307E\u305B\u3093"
-        }
+        error: createError("VALIDATION_ERROR", "\u30A2\u30AF\u30BB\u30B9\u30C8\u30FC\u30AF\u30F3\u306F\u5FC5\u9808\u3067\u3059")
       };
     }
-    const url = `${baseUrl}${OAUTH_TOKEN_ENDPOINT}`;
-    logger.debug("Refreshing access token:", url);
+    if (isBlank(refreshToken)) {
+      return {
+        error: createError("VALIDATION_ERROR", "\u30EA\u30D5\u30EC\u30C3\u30B7\u30E5\u30C8\u30FC\u30AF\u30F3\u306F\u5FC5\u9808\u3067\u3059")
+      };
+    }
+    return fetchPublic(
+      `${RESET_PASSWORD_BASE}/session`,
+      {
+        method: "POST",
+        body: JSON.stringify({ accessToken, refreshToken })
+      }
+    );
+  }
+  async function confirmPasswordReset(password) {
+    if (isBlank(password)) {
+      return {
+        error: createError("VALIDATION_ERROR", "\u30D1\u30B9\u30EF\u30FC\u30C9\u306F\u5FC5\u9808\u3067\u3059")
+      };
+    }
+    return fetchWithAuth(
+      `${RESET_PASSWORD_BASE}/confirm`,
+      {
+        method: "POST",
+        body: JSON.stringify({ password })
+      }
+    );
+  }
+  return {
+    requestPasswordReset,
+    verifyPasswordResetToken,
+    establishResetSession,
+    confirmPasswordReset
+  };
+}
+// src/client/otp.ts
+var OTP_BASE = "/api/v1/auth/otp";
+function isBlank2(value) {
+  return !value || !value.trim();
+}
+function createOtpMethods(deps) {
+  const { baseUrl, logger, createError, errorCodes } = deps;
+  async function fetchPublic(endpoint, options = {}) {
+    const url = `${baseUrl}${endpoint}`;
+    logger.debug("Fetching (public):", url);
     let response;
     try {
       response = await fetch(url, {
-        method: "POST",
-        credentials: "omit",
-        headers: { "Content-Type": "application/x-www-form-urlencoded", ...sdkHeaders() },
-        body: new URLSearchParams({
-          grant_type: "refresh_token",
-          refresh_token: tokens.refreshToken,
-          client_id: clientId
-        }).toString()
+        ...options,
+        credentials: "include",
+        headers: {
+          "Content-Type": "application/json",
+          ...sdkHeaders(),
+          ...options.headers
+        }
       });
     } catch (error) {
-      logger.error("Network error during token refresh:", error);
+      logger.error("Network error:", error);
       return {
         error: {
-          code: FFID_ERROR_CODES.NETWORK_ERROR,
+          code: errorCodes.NETWORK_ERROR,
           message: error instanceof Error ? error.message : "\u30CD\u30C3\u30C8\u30EF\u30FC\u30AF\u30A8\u30E9\u30FC\u304C\u767A\u751F\u3057\u307E\u3057\u305F"
         }
       };
     }
-    let tokenResponse;
+    let raw;
     try {
-      tokenResponse = await response.json();
+      raw = await response.json();
     } catch (parseError) {
-      logger.error("Parse error during token refresh:", parseError);
+      logger.error("Parse error:", parseError, "Status:", response.status);
       return {
         error: {
-          code: FFID_ERROR_CODES.PARSE_ERROR,
-          message: `\u30C8\u30FC\u30AF\u30F3\u30EC\u30B9\u30DD\u30F3\u30B9\u306E\u89E3\u6790\u306B\u5931\u6557\u3057\u307E\u3057\u305F (status: ${response.status})`
+          code: errorCodes.PARSE_ERROR,
+          message: `\u30B5\u30FC\u30D0\u30FC\u304B\u3089\u4E0D\u6B63\u306A\u30EC\u30B9\u30DD\u30F3\u30B9\u3092\u53D7\u4FE1\u3057\u307E\u3057\u305F (status: ${response.status})`
         }
       };
     }
+    logger.debug("Response (public):", response.status, raw);
+    checkVersionHeader(response, logger);
     if (!response.ok) {
-      const errorBody = tokenResponse;
-      logger.error("Token refresh failed:", errorBody);
-      const irrecoverableErrors = ["token_revoked", "invalid_grant"];
-      if (errorBody.error && irrecoverableErrors.includes(errorBody.error)) {
-        tokenStore.clearTokens();
-        logger.debug("Cleared tokens due to irrecoverable refresh error:", errorBody.error);
-      }
+      return {
+        error: raw.error ?? {
+          code: errorCodes.UNKNOWN_ERROR,
+          message: "OTP\u8A8D\u8A3C\u306B\u5931\u6557\u3057\u307E\u3057\u305F"
+        }
+      };
+    }
+    if (raw.data === void 0) {
       return {
         error: {
-          code: errorBody.error ?? FFID_ERROR_CODES.TOKEN_REFRESH_ERROR,
-          message: errorBody.error_description ?? "\u30C8\u30FC\u30AF\u30F3\u30EA\u30D5\u30EC\u30C3\u30B7\u30E5\u306B\u5931\u6557\u3057\u307E\u3057\u305F"
+          code: errorCodes.UNKNOWN_ERROR,
+          message: "\u30B5\u30FC\u30D0\u30FC\u304B\u3089\u30C7\u30FC\u30BF\u304C\u8FD4\u3055\u308C\u307E\u305B\u3093\u3067\u3057\u305F"
         }
       };
     }
-    tokenStore.setTokens({
-      accessToken: tokenResponse.access_token,
-      refreshToken: tokenResponse.refresh_token,
-      expiresAt: Date.now() + tokenResponse.expires_in * MS_PER_SECOND
-    });
-    logger.debug("Token refresh successful");
-    return { data: void 0 };
+    return { data: raw.data };
   }
-  function redirectToLogin() {
-    if (typeof window === "undefined") {
-      logger.debug("Cannot redirect in SSR context");
-      return false;
+  async function sendOtp(email, options) {
+    if (isBlank2(email)) {
+      return {
+        error: createError("VALIDATION_ERROR", "\u30E1\u30FC\u30EB\u30A2\u30C9\u30EC\u30B9\u306F\u5FC5\u9808\u3067\u3059")
+      };
     }
-    if (authMode === "token") {
-      return redirectToAuthorize();
+    return fetchPublic(
+      `${OTP_BASE}/send`,
+      {
+        method: "POST",
+        body: JSON.stringify({
+          email,
+          ...options?.redirectUrl ? { redirectUrl: options.redirectUrl } : {}
+        })
+      }
+    );
+  }
+  async function verifyOtp(params) {
+    if (isBlank2(params.accessToken)) {
+      return {
+        error: createError("VALIDATION_ERROR", "\u30A2\u30AF\u30BB\u30B9\u30C8\u30FC\u30AF\u30F3\u306F\u5FC5\u9808\u3067\u3059")
+      };
     }
-    const currentUrl = window.location.href;
-    const loginUrl = `${baseUrl}/login?redirect=${encodeURIComponent(currentUrl)}&service=${encodeURIComponent(config.serviceCode)}`;
-    logger.debug("Redirecting to login:", loginUrl);
-    window.location.href = loginUrl;
-    return true;
+    if (isBlank2(params.refreshToken)) {
+      return {
+        error: createError("VALIDATION_ERROR", "\u30EA\u30D5\u30EC\u30C3\u30B7\u30E5\u30C8\u30FC\u30AF\u30F3\u306F\u5FC5\u9808\u3067\u3059")
+      };
+    }
+    return fetchPublic(
+      `${OTP_BASE}/verify`,
+      {
+        method: "POST",
+        body: JSON.stringify({
+          accessToken: params.accessToken,
+          refreshToken: params.refreshToken
+        })
+      }
+    );
   }
-  function redirectToAuthorize() {
-    const verifier = generateCodeVerifier();
-    storeCodeVerifier(verifier);
-    generateCodeChallenge(verifier).then((challenge) => {
-      const state = generateRandomState();
-      const redirectUri = resolvedRedirectUri ?? window.location.origin + window.location.pathname;
-      const params = new URLSearchParams({
-        response_type: "code",
-        client_id: clientId,
-        redirect_uri: redirectUri,
-        state,
-        code_challenge: challenge,
-        code_challenge_method: "S256"
-      });
-      const authorizeUrl = `${baseUrl}${OAUTH_AUTHORIZE_ENDPOINT}?${params.toString()}`;
-      logger.debug("Redirecting to authorize:", authorizeUrl);
-      window.location.href = authorizeUrl;
-    }).catch((error) => {
-      logger.error("Failed to generate code challenge:", error);
-    });
-    return true;
+  return {
+    sendOtp,
+    verifyOtp
+  };
+}
+// src/client/ffid-client.ts
+var UNAUTHORIZED_STATUS2 = 401;
+var SDK_LOG_PREFIX = "[FFID SDK]";
+var noopLogger = {
+  debug: () => {
+  },
+  info: () => {
+  },
+  warn: (...args) => console.warn(SDK_LOG_PREFIX, ...args),
+  error: (...args) => console.error(SDK_LOG_PREFIX, ...args)
+};
+var consoleLogger = {
+  debug: (...args) => console.debug(SDK_LOG_PREFIX, ...args),
+  info: (...args) => console.info(SDK_LOG_PREFIX, ...args),
+  warn: (...args) => console.warn(SDK_LOG_PREFIX, ...args),
+  error: (...args) => console.error(SDK_LOG_PREFIX, ...args)
+};
+var FFID_ERROR_CODES = {
+  NETWORK_ERROR: "NETWORK_ERROR",
+  PARSE_ERROR: "PARSE_ERROR",
+  UNKNOWN_ERROR: "UNKNOWN_ERROR",
+  TOKEN_EXCHANGE_ERROR: "TOKEN_EXCHANGE_ERROR",
+  TOKEN_REFRESH_ERROR: "TOKEN_REFRESH_ERROR",
+  NO_TOKENS: "NO_TOKENS",
+  TOKEN_VERIFICATION_ERROR: "TOKEN_VERIFICATION_ERROR"
+};
+var EXT_CHECK_ENDPOINT = "/api/v1/subscriptions/ext/check";
+function createFFIDClient(config) {
+  if (!config.serviceCode || !config.serviceCode.trim()) {
+    throw new Error("FFID Client: serviceCode \u304C\u672A\u8A2D\u5B9A\u3067\u3059");
   }
-  function getLoginUrl(redirectUrl) {
-    const redirect = redirectUrl ?? (typeof window !== "undefined" ? window.location.href : "");
-    return `${baseUrl}/login?redirect=${encodeURIComponent(redirect)}&service=${encodeURIComponent(config.serviceCode)}`;
+  const baseUrl = config.apiBaseUrl ?? DEFAULT_API_BASE_URL;
+  const authMode = config.authMode ?? "cookie";
+  const clientId = config.clientId ?? config.serviceCode;
+  const resolvedRedirectUri = config.redirectUri ?? null;
+  const serviceApiKey = config.serviceApiKey?.trim();
+  const verifyStrategy = config.verifyStrategy ?? "jwt";
+  const cache = config.cache;
+  const timeout = config.timeout;
+  if (authMode === "service-key" && !serviceApiKey) {
+    throw new Error("FFID Client: service-key \u30E2\u30FC\u30C9\u3067\u306F serviceApiKey \u304C\u5FC5\u9808\u3067\u3059");
   }
-  function getSignupUrl(redirectUrl) {
-    const redirect = redirectUrl ?? (typeof window !== "undefined" ? window.location.href : "");
-    return `${baseUrl}/signup?redirect=${encodeURIComponent(redirect)}&service=${encodeURIComponent(config.serviceCode)}`;
+  if (cache && cache.ttl <= 0) {
+    throw new Error("FFID Client: cache.ttl \u306F\u6B63\u306E\u6570\u5024\u3092\u6307\u5B9A\u3057\u3066\u304F\u3060\u3055\u3044");
   }
+  if (timeout !== void 0 && timeout <= 0) {
+    throw new Error("FFID Client: timeout \u306F\u6B63\u306E\u6570\u5024\u3092\u6307\u5B9A\u3057\u3066\u304F\u3060\u3055\u3044");
+  }
+  const logger = config.logger ?? (config.debug ? consoleLogger : noopLogger);
+  const tokenStore = authMode === "token" ? createTokenStore() : createTokenStore("memory");
   function createError(code, message) {
     return { code, message };
   }
+  function buildFetchOptions(options) {
+    if (authMode === "service-key") {
+      return {
+        ...options,
+        credentials: "omit",
+        headers: {
+          "Content-Type": "application/json",
+          ...sdkHeaders(),
+          "X-Service-Api-Key": serviceApiKey,
+          ...options.headers
+        }
+      };
+    }
+    if (authMode === "token") {
+      const tokens = tokenStore.getTokens();
+      const headers = {
+        "Content-Type": "application/json",
+        ...sdkHeaders(),
+        ...options.headers
+      };
+      if (tokens) {
+        headers["Authorization"] = `Bearer ${tokens.accessToken}`;
+      }
+      return {
+        ...options,
+        credentials: "omit",
+        headers
+      };
+    }
+    return {
+      ...options,
+      credentials: "include",
+      headers: {
+        "Content-Type": "application/json",
+        ...sdkHeaders(),
+        ...options.headers
+      }
+    };
+  }
+  const { exchangeCodeForTokens, refreshAccessToken, signOutToken } = createOAuthTokenMethods({
+    baseUrl,
+    clientId,
+    resolvedRedirectUri,
+    tokenStore,
+    logger,
+    errorCodes: FFID_ERROR_CODES
+  });
+  async function fetchWithAuth(endpoint, options = {}) {
+    const url = `${baseUrl}${endpoint}`;
+    logger.debug("Fetching:", url);
+    const fetchOptions = buildFetchOptions(options);
+    let response;
+    try {
+      response = await fetch(url, fetchOptions);
+    } catch (error) {
+      logger.error("Network error:", error);
+      return {
+        error: {
+          code: FFID_ERROR_CODES.NETWORK_ERROR,
+          message: error instanceof Error ? error.message : "\u30CD\u30C3\u30C8\u30EF\u30FC\u30AF\u30A8\u30E9\u30FC\u304C\u767A\u751F\u3057\u307E\u3057\u305F"
+        }
+      };
+    }
+    if (authMode === "token" && response.status === UNAUTHORIZED_STATUS2) {
+      const refreshResult = await refreshAccessToken();
+      if (!refreshResult.error) {
+        logger.debug("Token refreshed, retrying request");
+        const retryOptions = buildFetchOptions(options);
+        try {
+          response = await fetch(url, retryOptions);
+        } catch (retryError) {
+          logger.error("Network error on retry:", retryError);
+          return {
+            error: {
+              code: FFID_ERROR_CODES.NETWORK_ERROR,
+              message: retryError instanceof Error ? retryError.message : "\u30CD\u30C3\u30C8\u30EF\u30FC\u30AF\u30A8\u30E9\u30FC\u304C\u767A\u751F\u3057\u307E\u3057\u305F"
+            }
+          };
+        }
+      } else {
+        logger.warn("Token refresh failed, returning refresh error:", refreshResult.error);
+        return { error: refreshResult.error };
+      }
+    }
+    let raw;
+    try {
+      raw = await response.json();
+    } catch (parseError) {
+      logger.error("Parse error:", parseError, "Status:", response.status);
+      return {
+        error: {
+          code: FFID_ERROR_CODES.PARSE_ERROR,
+          message: `\u30B5\u30FC\u30D0\u30FC\u304B\u3089\u4E0D\u6B63\u306A\u30EC\u30B9\u30DD\u30F3\u30B9\u3092\u53D7\u4FE1\u3057\u307E\u3057\u305F (status: ${response.status})`
+        }
+      };
+    }
+    logger.debug("Response:", response.status, raw);
+    checkVersionHeader(response, logger);
+    if (!response.ok) {
+      return {
+        error: raw.error ?? {
+          code: FFID_ERROR_CODES.UNKNOWN_ERROR,
+          message: "\u4E0D\u660E\u306A\u30A8\u30E9\u30FC\u304C\u767A\u751F\u3057\u307E\u3057\u305F"
+        }
+      };
+    }
+    if (raw.data === void 0) {
+      return {
+        error: {
+          code: FFID_ERROR_CODES.UNKNOWN_ERROR,
+          message: "\u30B5\u30FC\u30D0\u30FC\u304B\u3089\u30C7\u30FC\u30BF\u304C\u8FD4\u3055\u308C\u307E\u305B\u3093\u3067\u3057\u305F"
+        }
+      };
+    }
+    return { data: raw.data };
+  }
+  const { getSession, signOutCookie } = createSessionMethods({
+    authMode,
+    baseUrl,
+    serviceCode: config.serviceCode,
+    tokenStore,
+    logger,
+    fetchWithAuth,
+    refreshAccessToken,
+    errorCodes: FFID_ERROR_CODES
+  });
+  async function signOut() {
+    if (authMode === "token") {
+      return signOutToken();
+    }
+    return signOutCookie();
+  }
+  const { redirectToLogin, getLoginUrl, getSignupUrl } = createRedirectMethods({
+    authMode,
+    baseUrl,
+    clientId,
+    serviceCode: config.serviceCode,
+    resolvedRedirectUri,
+    logger
+  });
   async function checkSubscription(params) {
     if (!params.userId || !params.organizationId) {
       return {
@@ -1042,6 +1461,24 @@ function createFFIDClient(config) {
     fetchWithAuth,
     createError
   });
+  const {
+    requestPasswordReset,
+    verifyPasswordResetToken,
+    establishResetSession,
+    confirmPasswordReset
+  } = createPasswordResetMethods({
+    baseUrl,
+    logger,
+    createError,
+    fetchWithAuth,
+    errorCodes: FFID_ERROR_CODES
+  });
+  const { sendOtp, verifyOtp } = createOtpMethods({
+    baseUrl,
+    logger,
+    createError,
+    errorCodes: FFID_ERROR_CODES
+  });
   const verifyAccessToken = createVerifyAccessToken({
     authMode,
     baseUrl,
@@ -1067,6 +1504,12 @@ function createFFIDClient(config) {
     createCheckoutSession,
     createPortalSession,
     verifyAccessToken,
+    requestPasswordReset,
+    verifyPasswordResetToken,
+    establishResetSession,
+    confirmPasswordReset,
+    sendOtp,
+    verifyOtp,
     /** Token store (token mode only) */
     tokenStore,
     /** Resolved auth mode */
@@ -1079,11 +1522,6 @@ function createFFIDClient(config) {
     redirectUri: resolvedRedirectUri
   };
 }
-function generateRandomState() {
-  const array = new Uint8Array(STATE_RANDOM_BYTES);
-  crypto.getRandomValues(array);
-  return Array.from(array, (byte) => byte.toString(HEX_BASE2).padStart(2, "0")).join("");
-}
 // src/client/cache/memory-cache-adapter.ts
 var MS_PER_SECOND2 = 1e3;