@feelflow/ffid-sdk 1.11.0 → 1.13.0

package/dist/server/index.cjs

@@ -433,7 +433,7 @@ function createBillingMethods(deps) {
 }
 
 // src/client/version-check.ts
-var SDK_VERSION = "1.11.0";
+var SDK_VERSION = "1.13.0";
 var SDK_USER_AGENT = `FFID-SDK/${SDK_VERSION} (TypeScript)`;
 var SDK_VERSION_HEADER = "X-FFID-SDK-Version";
 function sdkHeaders() {
@@ -479,6 +479,22 @@ npm install @feelflow/ffid-sdk@latest \u3067\u30A2\u30C3\u30D7\u30C7\u30FC\u30C8
 var OAUTH_TOKEN_ENDPOINT = "/api/v1/oauth/token";
 var OAUTH_REVOKE_ENDPOINT = "/api/v1/oauth/revoke";
 var MS_PER_SECOND = 1e3;
+function validateTokenResponse(tokenResponse) {
+  const invalid = [];
+  if (!tokenResponse.access_token) {
+    invalid.push("access_token");
+  }
+  if (!tokenResponse.refresh_token) {
+    invalid.push("refresh_token");
+  }
+  if (typeof tokenResponse.expires_in !== "number" || tokenResponse.expires_in <= 0) {
+    invalid.push("expires_in");
+  }
+  if (invalid.length > 0) {
+    return `\u30C8\u30FC\u30AF\u30F3\u30EC\u30B9\u30DD\u30F3\u30B9\u306B\u4E0D\u6B63\u306A\u30D5\u30A3\u30FC\u30EB\u30C9\u304C\u3042\u308A\u307E\u3059: ${invalid.join(", ")}`;
+  }
+  return null;
+}
 function createOAuthTokenMethods(deps) {
   const {
     baseUrl,
@@ -548,6 +564,16 @@ function createOAuthTokenMethods(deps) {
         }
       };
     }
+    const validationError = validateTokenResponse(tokenResponse);
+    if (validationError) {
+      logger.error("Token exchange validation failed:", validationError);
+      return {
+        error: {
+          code: errorCodes.TOKEN_EXCHANGE_ERROR,
+          message: validationError
+        }
+      };
+    }
     tokenStore.setTokens({
       accessToken: tokenResponse.access_token,
       refreshToken: tokenResponse.refresh_token,
@@ -616,6 +642,16 @@ function createOAuthTokenMethods(deps) {
         }
       };
     }
+    const validationError = validateTokenResponse(tokenResponse);
+    if (validationError) {
+      logger.error("Token refresh validation failed:", validationError);
+      return {
+        error: {
+          code: errorCodes.TOKEN_REFRESH_ERROR,
+          message: validationError
+        }
+      };
+    }
     tokenStore.setTokens({
       accessToken: tokenResponse.access_token,
       refreshToken: tokenResponse.refresh_token,
@@ -869,11 +905,17 @@ async function generateCodeChallenge(verifier) {
   const digest = await crypto.subtle.digest("SHA-256", data);
   return base64UrlEncode(digest);
 }
-function storeCodeVerifier(verifier) {
+function storeCodeVerifier(verifier, logger) {
   try {
-    if (typeof window === "undefined") return;
+    if (typeof window === "undefined") {
+      logger?.warn("storeCodeVerifier: sessionStorage is not available in SSR context");
+      return false;
+    }
     window.sessionStorage.setItem(VERIFIER_STORAGE_KEY, verifier);
-  } catch {
+    return true;
+  } catch (error) {
+    logger?.warn("storeCodeVerifier: sessionStorage \u3078\u306E\u4FDD\u5B58\u306B\u5931\u6557\u3057\u307E\u3057\u305F:", error);
+    return false;
   }
 }
 function base64UrlEncode(buffer) {
@@ -905,32 +947,34 @@ function createRedirectMethods(deps) {
   } = deps;
   async function redirectToAuthorize() {
     const verifier = generateCodeVerifier();
-    storeCodeVerifier(verifier);
+    storeCodeVerifier(verifier, logger);
+    let challenge;
     try {
-      const challenge = await generateCodeChallenge(verifier);
-      const state = generateRandomState();
-      const redirectUri = resolvedRedirectUri ?? window.location.origin + window.location.pathname;
-      const params = new URLSearchParams({
-        response_type: "code",
-        client_id: clientId,
-        redirect_uri: redirectUri,
-        state,
-        code_challenge: challenge,
-        code_challenge_method: "S256"
-      });
-      const authorizeUrl = `${baseUrl}${OAUTH_AUTHORIZE_ENDPOINT}?${params.toString()}`;
-      logger.debug("Redirecting to authorize:", authorizeUrl);
-      window.location.href = authorizeUrl;
-      return true;
+      challenge = await generateCodeChallenge(verifier);
     } catch (error) {
+      const errorMessage = error instanceof Error ? error.message : "PKCE \u30B3\u30FC\u30C9\u30C1\u30E3\u30EC\u30F3\u30B8\u306E\u751F\u6210\u306B\u5931\u6557\u3057\u307E\u3057\u305F";
       logger.error("PKCE \u30B3\u30FC\u30C9\u30C1\u30E3\u30EC\u30F3\u30B8\u306E\u751F\u6210\u306B\u5931\u6557\u3057\u307E\u3057\u305F:", error);
-      return false;
+      return { success: false, error: errorMessage };
     }
+    const state = generateRandomState();
+    const redirectUri = resolvedRedirectUri ?? window.location.origin + window.location.pathname;
+    const params = new URLSearchParams({
+      response_type: "code",
+      client_id: clientId,
+      redirect_uri: redirectUri,
+      state,
+      code_challenge: challenge,
+      code_challenge_method: "S256"
+    });
+    const authorizeUrl = `${baseUrl}${OAUTH_AUTHORIZE_ENDPOINT}?${params.toString()}`;
+    logger.debug("Redirecting to authorize:", authorizeUrl);
+    window.location.href = authorizeUrl;
+    return { success: true };
   }
   async function redirectToLogin() {
     if (typeof window === "undefined") {
-      logger.debug("Cannot redirect in SSR context");
-      return false;
+      logger.warn("SSR \u74B0\u5883\u3067\u306F\u30EA\u30C0\u30A4\u30EC\u30AF\u30C8\u3067\u304D\u307E\u305B\u3093");
+      return { success: false, error: "SSR \u74B0\u5883\u3067\u306F\u30EA\u30C0\u30A4\u30EC\u30AF\u30C8\u3067\u304D\u307E\u305B\u3093" };
     }
     if (authMode === "token") {
       return redirectToAuthorize();
@@ -939,19 +983,273 @@ function createRedirectMethods(deps) {
     const loginUrl = `${baseUrl}/login?redirect=${encodeURIComponent(currentUrl)}&service=${encodeURIComponent(serviceCode)}`;
     logger.debug("Redirecting to login:", loginUrl);
     window.location.href = loginUrl;
-    return true;
+    return { success: true };
   }
   function getLoginUrl(redirectUrl) {
-    const redirect = redirectUrl ?? (typeof window !== "undefined" ? window.location.href : "");
+    let redirect;
+    if (redirectUrl != null) {
+      redirect = redirectUrl;
+    } else if (typeof window !== "undefined") {
+      redirect = window.location.href;
+    } else {
+      logger.warn("getLoginUrl: SSR \u74B0\u5883\u3067 redirectUrl \u304C\u672A\u6307\u5B9A\u306E\u305F\u3081\u7A7A\u6587\u5B57\u306B\u30D5\u30A9\u30FC\u30EB\u30D0\u30C3\u30AF\u3057\u307E\u3059");
+      redirect = "";
+    }
     return `${baseUrl}/login?redirect=${encodeURIComponent(redirect)}&service=${encodeURIComponent(serviceCode)}`;
   }
   function getSignupUrl(redirectUrl) {
-    const redirect = redirectUrl ?? (typeof window !== "undefined" ? window.location.href : "");
+    let redirect;
+    if (redirectUrl != null) {
+      redirect = redirectUrl;
+    } else if (typeof window !== "undefined") {
+      redirect = window.location.href;
+    } else {
+      logger.warn("getSignupUrl: SSR \u74B0\u5883\u3067 redirectUrl \u304C\u672A\u6307\u5B9A\u306E\u305F\u3081\u7A7A\u6587\u5B57\u306B\u30D5\u30A9\u30FC\u30EB\u30D0\u30C3\u30AF\u3057\u307E\u3059");
+      redirect = "";
+    }
     return `${baseUrl}/signup?redirect=${encodeURIComponent(redirect)}&service=${encodeURIComponent(serviceCode)}`;
   }
   return { redirectToLogin, redirectToAuthorize, getLoginUrl, getSignupUrl };
 }
 
+// src/client/password-reset.ts
+var RESET_PASSWORD_BASE = "/api/v1/auth/reset-password";
+function isBlank(value) {
+  return !value || !value.trim();
+}
+function createPasswordResetMethods(deps) {
+  const { baseUrl, logger, createError, fetchWithAuth, errorCodes } = deps;
+  async function fetchPublic(endpoint, options = {}) {
+    const url = `${baseUrl}${endpoint}`;
+    logger.debug("Fetching (public):", url);
+    let response;
+    try {
+      response = await fetch(url, {
+        ...options,
+        credentials: "include",
+        headers: {
+          "Content-Type": "application/json",
+          ...sdkHeaders(),
+          ...options.headers
+        }
+      });
+    } catch (error) {
+      logger.error("Network error:", error);
+      return {
+        error: {
+          code: errorCodes.NETWORK_ERROR,
+          message: error instanceof Error ? error.message : "\u30CD\u30C3\u30C8\u30EF\u30FC\u30AF\u30A8\u30E9\u30FC\u304C\u767A\u751F\u3057\u307E\u3057\u305F"
+        }
+      };
+    }
+    let raw;
+    try {
+      raw = await response.json();
+    } catch (parseError) {
+      logger.error("Parse error:", parseError, "Status:", response.status);
+      return {
+        error: {
+          code: errorCodes.PARSE_ERROR,
+          message: `\u30B5\u30FC\u30D0\u30FC\u304B\u3089\u4E0D\u6B63\u306A\u30EC\u30B9\u30DD\u30F3\u30B9\u3092\u53D7\u4FE1\u3057\u307E\u3057\u305F (status: ${response.status})`
+        }
+      };
+    }
+    logger.debug("Response (public):", response.status, raw);
+    checkVersionHeader(response, logger);
+    if (!response.ok) {
+      return {
+        error: raw.error ?? {
+          code: errorCodes.UNKNOWN_ERROR,
+          message: "\u30D1\u30B9\u30EF\u30FC\u30C9\u30EA\u30BB\u30C3\u30C8\u306B\u5931\u6557\u3057\u307E\u3057\u305F"
+        }
+      };
+    }
+    if (raw.data === void 0) {
+      return {
+        error: {
+          code: errorCodes.UNKNOWN_ERROR,
+          message: "\u30B5\u30FC\u30D0\u30FC\u304B\u3089\u30C7\u30FC\u30BF\u304C\u8FD4\u3055\u308C\u307E\u305B\u3093\u3067\u3057\u305F"
+        }
+      };
+    }
+    return { data: raw.data };
+  }
+  async function requestPasswordReset(email) {
+    if (isBlank(email)) {
+      return {
+        error: createError("VALIDATION_ERROR", "\u30E1\u30FC\u30EB\u30A2\u30C9\u30EC\u30B9\u306F\u5FC5\u9808\u3067\u3059")
+      };
+    }
+    return fetchPublic(
+      RESET_PASSWORD_BASE,
+      {
+        method: "POST",
+        body: JSON.stringify({ email })
+      }
+    );
+  }
+  async function verifyPasswordResetToken(accessToken) {
+    if (isBlank(accessToken)) {
+      return {
+        error: createError("VALIDATION_ERROR", "\u30A2\u30AF\u30BB\u30B9\u30C8\u30FC\u30AF\u30F3\u306F\u5FC5\u9808\u3067\u3059")
+      };
+    }
+    const query = new URLSearchParams({
+      access_token: accessToken,
+      type: "recovery"
+    });
+    return fetchPublic(
+      `${RESET_PASSWORD_BASE}/verify?${query.toString()}`
+    );
+  }
+  async function establishResetSession(accessToken, refreshToken) {
+    if (isBlank(accessToken)) {
+      return {
+        error: createError("VALIDATION_ERROR", "\u30A2\u30AF\u30BB\u30B9\u30C8\u30FC\u30AF\u30F3\u306F\u5FC5\u9808\u3067\u3059")
+      };
+    }
+    if (isBlank(refreshToken)) {
+      return {
+        error: createError("VALIDATION_ERROR", "\u30EA\u30D5\u30EC\u30C3\u30B7\u30E5\u30C8\u30FC\u30AF\u30F3\u306F\u5FC5\u9808\u3067\u3059")
+      };
+    }
+    return fetchPublic(
+      `${RESET_PASSWORD_BASE}/session`,
+      {
+        method: "POST",
+        body: JSON.stringify({ accessToken, refreshToken })
+      }
+    );
+  }
+  async function confirmPasswordReset(password) {
+    if (isBlank(password)) {
+      return {
+        error: createError("VALIDATION_ERROR", "\u30D1\u30B9\u30EF\u30FC\u30C9\u306F\u5FC5\u9808\u3067\u3059")
+      };
+    }
+    return fetchWithAuth(
+      `${RESET_PASSWORD_BASE}/confirm`,
+      {
+        method: "POST",
+        body: JSON.stringify({ password })
+      }
+    );
+  }
+  return {
+    requestPasswordReset,
+    verifyPasswordResetToken,
+    establishResetSession,
+    confirmPasswordReset
+  };
+}
+
+// src/client/otp.ts
+var OTP_BASE = "/api/v1/auth/otp";
+function isBlank2(value) {
+  return !value || !value.trim();
+}
+function createOtpMethods(deps) {
+  const { baseUrl, logger, createError, errorCodes } = deps;
+  async function fetchPublic(endpoint, options = {}) {
+    const url = `${baseUrl}${endpoint}`;
+    logger.debug("Fetching (public):", url);
+    let response;
+    try {
+      response = await fetch(url, {
+        ...options,
+        credentials: "include",
+        headers: {
+          "Content-Type": "application/json",
+          ...sdkHeaders(),
+          ...options.headers
+        }
+      });
+    } catch (error) {
+      logger.error("Network error:", error);
+      return {
+        error: {
+          code: errorCodes.NETWORK_ERROR,
+          message: error instanceof Error ? error.message : "\u30CD\u30C3\u30C8\u30EF\u30FC\u30AF\u30A8\u30E9\u30FC\u304C\u767A\u751F\u3057\u307E\u3057\u305F"
+        }
+      };
+    }
+    let raw;
+    try {
+      raw = await response.json();
+    } catch (parseError) {
+      logger.error("Parse error:", parseError, "Status:", response.status);
+      return {
+        error: {
+          code: errorCodes.PARSE_ERROR,
+          message: `\u30B5\u30FC\u30D0\u30FC\u304B\u3089\u4E0D\u6B63\u306A\u30EC\u30B9\u30DD\u30F3\u30B9\u3092\u53D7\u4FE1\u3057\u307E\u3057\u305F (status: ${response.status})`
+        }
+      };
+    }
+    logger.debug("Response (public):", response.status, raw);
+    checkVersionHeader(response, logger);
+    if (!response.ok) {
+      return {
+        error: raw.error ?? {
+          code: errorCodes.UNKNOWN_ERROR,
+          message: "OTP\u8A8D\u8A3C\u306B\u5931\u6557\u3057\u307E\u3057\u305F"
+        }
+      };
+    }
+    if (raw.data === void 0) {
+      return {
+        error: {
+          code: errorCodes.UNKNOWN_ERROR,
+          message: "\u30B5\u30FC\u30D0\u30FC\u304B\u3089\u30C7\u30FC\u30BF\u304C\u8FD4\u3055\u308C\u307E\u305B\u3093\u3067\u3057\u305F"
+        }
+      };
+    }
+    return { data: raw.data };
+  }
+  async function sendOtp(email, options) {
+    if (isBlank2(email)) {
+      return {
+        error: createError("VALIDATION_ERROR", "\u30E1\u30FC\u30EB\u30A2\u30C9\u30EC\u30B9\u306F\u5FC5\u9808\u3067\u3059")
+      };
+    }
+    return fetchPublic(
+      `${OTP_BASE}/send`,
+      {
+        method: "POST",
+        body: JSON.stringify({
+          email,
+          ...options?.redirectUrl ? { redirectUrl: options.redirectUrl } : {}
+        })
+      }
+    );
+  }
+  async function verifyOtp(params) {
+    if (isBlank2(params.accessToken)) {
+      return {
+        error: createError("VALIDATION_ERROR", "\u30A2\u30AF\u30BB\u30B9\u30C8\u30FC\u30AF\u30F3\u306F\u5FC5\u9808\u3067\u3059")
+      };
+    }
+    if (isBlank2(params.refreshToken)) {
+      return {
+        error: createError("VALIDATION_ERROR", "\u30EA\u30D5\u30EC\u30C3\u30B7\u30E5\u30C8\u30FC\u30AF\u30F3\u306F\u5FC5\u9808\u3067\u3059")
+      };
+    }
+    return fetchPublic(
+      `${OTP_BASE}/verify`,
+      {
+        method: "POST",
+        body: JSON.stringify({
+          accessToken: params.accessToken,
+          refreshToken: params.refreshToken
+        })
+      }
+    );
+  }
+  return {
+    sendOtp,
+    verifyOtp
+  };
+}
+
 // src/client/ffid-client.ts
 var UNAUTHORIZED_STATUS2 = 401;
 var SDK_LOG_PREFIX = "[FFID SDK]";
@@ -1084,6 +1382,9 @@ function createFFIDClient(config) {
             }
           };
         }
+      } else {
+        logger.warn("Token refresh failed, returning refresh error:", refreshResult.error);
+        return { error: refreshResult.error };
       }
     }
     let raw;
@@ -1161,6 +1462,24 @@ function createFFIDClient(config) {
     fetchWithAuth,
     createError
   });
+  const {
+    requestPasswordReset,
+    verifyPasswordResetToken,
+    establishResetSession,
+    confirmPasswordReset
+  } = createPasswordResetMethods({
+    baseUrl,
+    logger,
+    createError,
+    fetchWithAuth,
+    errorCodes: FFID_ERROR_CODES
+  });
+  const { sendOtp, verifyOtp } = createOtpMethods({
+    baseUrl,
+    logger,
+    createError,
+    errorCodes: FFID_ERROR_CODES
+  });
   const verifyAccessToken = createVerifyAccessToken({
     authMode,
     baseUrl,
@@ -1186,6 +1505,12 @@ function createFFIDClient(config) {
     createCheckoutSession,
     createPortalSession,
     verifyAccessToken,
+    requestPasswordReset,
+    verifyPasswordResetToken,
+    establishResetSession,
+    confirmPasswordReset,
+    sendOtp,
+    verifyOtp,
     /** Token store (token mode only) */
     tokenStore,
     /** Resolved auth mode */

package/dist/server/index.d.cts

@@ -301,6 +301,55 @@ interface FFIDCreatePortalParams {
     /** URL to redirect when user exits the portal */
     returnUrl: string;
 }
+/**
+ * Result of a redirect operation (redirectToLogin / redirectToAuthorize)
+ *
+ * Structured return type so callers can inspect failure reasons
+ * instead of receiving a bare `false`.
+ */
+type FFIDRedirectResult = {
+    success: true;
+} | {
+    success: false;
+    error: string;
+};
+
+/** OTP / magic link methods - sendOtp / verifyOtp */
+
+/** Response from sendOtp */
+interface FFIDOtpSendResponse {
+    message: string;
+}
+/** Response from verifyOtp */
+interface FFIDOtpVerifyResponse {
+    user: {
+        id: string;
+        email: string;
+        displayName: string | null;
+        avatarUrl: string | null;
+    };
+    session: {
+        accessToken: string;
+        refreshToken: string;
+        expiresAt: number;
+        expiresIn: number;
+    };
+}
+
+/** Password reset methods - requestPasswordReset / verifyPasswordResetToken / establishResetSession / confirmPasswordReset */
+
+/** Response from requestPasswordReset */
+interface FFIDPasswordResetResponse {
+    message: string;
+}
+/** Response from verifyPasswordResetToken */
+interface FFIDPasswordResetVerifyResponse {
+    valid: boolean;
+}
+/** Response from establishResetSession */
+type FFIDResetSessionResponse = FFIDPasswordResetResponse;
+/** Response from confirmPasswordReset */
+type FFIDPasswordResetConfirmResponse = FFIDPasswordResetResponse;
 
 /**
  * Token Store
@@ -347,7 +396,7 @@ declare function createTokenStore(storageType?: 'localStorage' | 'memory'): Toke
 declare function createFFIDClient(config: FFIDConfig): {
     getSession: () => Promise<FFIDApiResponse<FFIDSessionResponse>>;
     signOut: () => Promise<FFIDApiResponse<void>>;
-    redirectToLogin: () => Promise<boolean>;
+    redirectToLogin: () => Promise<FFIDRedirectResult>;
     getLoginUrl: (redirectUrl?: string) => string;
     getSignupUrl: (redirectUrl?: string) => string;
     createError: (code: string, message: string) => FFIDError;
@@ -360,6 +409,17 @@ declare function createFFIDClient(config: FFIDConfig): {
     createCheckoutSession: (params: FFIDCreateCheckoutParams) => Promise<FFIDApiResponse<FFIDCheckoutSessionResponse>>;
     createPortalSession: (params: FFIDCreatePortalParams) => Promise<FFIDApiResponse<FFIDPortalSessionResponse>>;
     verifyAccessToken: (accessToken: string, options?: FFIDVerifyAccessTokenOptions) => Promise<FFIDApiResponse<FFIDOAuthUserInfo>>;
+    requestPasswordReset: (email: string) => Promise<FFIDApiResponse<FFIDPasswordResetResponse>>;
+    verifyPasswordResetToken: (accessToken: string) => Promise<FFIDApiResponse<FFIDPasswordResetVerifyResponse>>;
+    establishResetSession: (accessToken: string, refreshToken: string) => Promise<FFIDApiResponse<FFIDResetSessionResponse>>;
+    confirmPasswordReset: (password: string) => Promise<FFIDApiResponse<FFIDPasswordResetConfirmResponse>>;
+    sendOtp: (email: string, options?: {
+        redirectUrl?: string;
+    }) => Promise<FFIDApiResponse<FFIDOtpSendResponse>>;
+    verifyOtp: (params: {
+        accessToken: string;
+        refreshToken: string;
+    }) => Promise<FFIDApiResponse<FFIDOtpVerifyResponse>>;
     /** Token store (token mode only) */
     tokenStore: TokenStore;
     /** Resolved auth mode */
@@ -428,4 +488,4 @@ interface KVNamespaceLike {
  */
 declare function createKVCacheAdapter(kv: KVNamespaceLike): FFIDCacheAdapter;
 
-export { type FFIDCacheAdapter, type FFIDCacheConfig, type FFIDClient, type FFIDConfig, type FFIDOAuthUserInfo, type FFIDOrganization, type FFIDSubscription, type FFIDUser, type FFIDVerifyAccessTokenOptions, type KVNamespaceLike, type TokenData, type TokenStore, createFFIDClient, createKVCacheAdapter, createMemoryCacheAdapter, createTokenStore, createVerifyAccessToken };
+export { type FFIDCacheAdapter, type FFIDCacheConfig, type FFIDClient, type FFIDConfig, type FFIDOAuthUserInfo, type FFIDOrganization, type FFIDOtpSendResponse, type FFIDOtpVerifyResponse, type FFIDPasswordResetConfirmResponse, type FFIDPasswordResetResponse, type FFIDPasswordResetVerifyResponse, type FFIDResetSessionResponse, type FFIDSubscription, type FFIDUser, type FFIDVerifyAccessTokenOptions, type KVNamespaceLike, type TokenData, type TokenStore, createFFIDClient, createKVCacheAdapter, createMemoryCacheAdapter, createTokenStore, createVerifyAccessToken };

package/dist/server/index.d.ts

@@ -301,6 +301,55 @@ interface FFIDCreatePortalParams {
     /** URL to redirect when user exits the portal */
     returnUrl: string;
 }
+/**
+ * Result of a redirect operation (redirectToLogin / redirectToAuthorize)
+ *
+ * Structured return type so callers can inspect failure reasons
+ * instead of receiving a bare `false`.
+ */
+type FFIDRedirectResult = {
+    success: true;
+} | {
+    success: false;
+    error: string;
+};
+
+/** OTP / magic link methods - sendOtp / verifyOtp */
+
+/** Response from sendOtp */
+interface FFIDOtpSendResponse {
+    message: string;
+}
+/** Response from verifyOtp */
+interface FFIDOtpVerifyResponse {
+    user: {
+        id: string;
+        email: string;
+        displayName: string | null;
+        avatarUrl: string | null;
+    };
+    session: {
+        accessToken: string;
+        refreshToken: string;
+        expiresAt: number;
+        expiresIn: number;
+    };
+}
+
+/** Password reset methods - requestPasswordReset / verifyPasswordResetToken / establishResetSession / confirmPasswordReset */
+
+/** Response from requestPasswordReset */
+interface FFIDPasswordResetResponse {
+    message: string;
+}
+/** Response from verifyPasswordResetToken */
+interface FFIDPasswordResetVerifyResponse {
+    valid: boolean;
+}
+/** Response from establishResetSession */
+type FFIDResetSessionResponse = FFIDPasswordResetResponse;
+/** Response from confirmPasswordReset */
+type FFIDPasswordResetConfirmResponse = FFIDPasswordResetResponse;
 
 /**
  * Token Store
@@ -347,7 +396,7 @@ declare function createTokenStore(storageType?: 'localStorage' | 'memory'): Toke
 declare function createFFIDClient(config: FFIDConfig): {
     getSession: () => Promise<FFIDApiResponse<FFIDSessionResponse>>;
     signOut: () => Promise<FFIDApiResponse<void>>;
-    redirectToLogin: () => Promise<boolean>;
+    redirectToLogin: () => Promise<FFIDRedirectResult>;
     getLoginUrl: (redirectUrl?: string) => string;
     getSignupUrl: (redirectUrl?: string) => string;
     createError: (code: string, message: string) => FFIDError;
@@ -360,6 +409,17 @@ declare function createFFIDClient(config: FFIDConfig): {
     createCheckoutSession: (params: FFIDCreateCheckoutParams) => Promise<FFIDApiResponse<FFIDCheckoutSessionResponse>>;
     createPortalSession: (params: FFIDCreatePortalParams) => Promise<FFIDApiResponse<FFIDPortalSessionResponse>>;
     verifyAccessToken: (accessToken: string, options?: FFIDVerifyAccessTokenOptions) => Promise<FFIDApiResponse<FFIDOAuthUserInfo>>;
+    requestPasswordReset: (email: string) => Promise<FFIDApiResponse<FFIDPasswordResetResponse>>;
+    verifyPasswordResetToken: (accessToken: string) => Promise<FFIDApiResponse<FFIDPasswordResetVerifyResponse>>;
+    establishResetSession: (accessToken: string, refreshToken: string) => Promise<FFIDApiResponse<FFIDResetSessionResponse>>;
+    confirmPasswordReset: (password: string) => Promise<FFIDApiResponse<FFIDPasswordResetConfirmResponse>>;
+    sendOtp: (email: string, options?: {
+        redirectUrl?: string;
+    }) => Promise<FFIDApiResponse<FFIDOtpSendResponse>>;
+    verifyOtp: (params: {
+        accessToken: string;
+        refreshToken: string;
+    }) => Promise<FFIDApiResponse<FFIDOtpVerifyResponse>>;
     /** Token store (token mode only) */
     tokenStore: TokenStore;
     /** Resolved auth mode */
@@ -428,4 +488,4 @@ interface KVNamespaceLike {
  */
 declare function createKVCacheAdapter(kv: KVNamespaceLike): FFIDCacheAdapter;
 
-export { type FFIDCacheAdapter, type FFIDCacheConfig, type FFIDClient, type FFIDConfig, type FFIDOAuthUserInfo, type FFIDOrganization, type FFIDSubscription, type FFIDUser, type FFIDVerifyAccessTokenOptions, type KVNamespaceLike, type TokenData, type TokenStore, createFFIDClient, createKVCacheAdapter, createMemoryCacheAdapter, createTokenStore, createVerifyAccessToken };
+export { type FFIDCacheAdapter, type FFIDCacheConfig, type FFIDClient, type FFIDConfig, type FFIDOAuthUserInfo, type FFIDOrganization, type FFIDOtpSendResponse, type FFIDOtpVerifyResponse, type FFIDPasswordResetConfirmResponse, type FFIDPasswordResetResponse, type FFIDPasswordResetVerifyResponse, type FFIDResetSessionResponse, type FFIDSubscription, type FFIDUser, type FFIDVerifyAccessTokenOptions, type KVNamespaceLike, type TokenData, type TokenStore, createFFIDClient, createKVCacheAdapter, createMemoryCacheAdapter, createTokenStore, createVerifyAccessToken };