@feelflow/ffid-sdk 1.11.0 → 1.14.0

package/dist/{chunk-WZZP7SQB.cjs → chunk-TMUFELR5.cjs}

@@ -437,7 +437,7 @@ function createBillingMethods(deps) {
 }
 
 // src/client/version-check.ts
-var SDK_VERSION = "1.11.0";
+var SDK_VERSION = "1.14.0";
 var SDK_USER_AGENT = `FFID-SDK/${SDK_VERSION} (TypeScript)`;
 var SDK_VERSION_HEADER = "X-FFID-SDK-Version";
 function sdkHeaders() {
@@ -483,6 +483,22 @@ npm install @feelflow/ffid-sdk@latest \u3067\u30A2\u30C3\u30D7\u30C7\u30FC\u30C8
 var OAUTH_TOKEN_ENDPOINT = "/api/v1/oauth/token";
 var OAUTH_REVOKE_ENDPOINT = "/api/v1/oauth/revoke";
 var MS_PER_SECOND = 1e3;
+function validateTokenResponse(tokenResponse) {
+  const invalid = [];
+  if (!tokenResponse.access_token) {
+    invalid.push("access_token");
+  }
+  if (!tokenResponse.refresh_token) {
+    invalid.push("refresh_token");
+  }
+  if (typeof tokenResponse.expires_in !== "number" || tokenResponse.expires_in <= 0) {
+    invalid.push("expires_in");
+  }
+  if (invalid.length > 0) {
+    return `\u30C8\u30FC\u30AF\u30F3\u30EC\u30B9\u30DD\u30F3\u30B9\u306B\u4E0D\u6B63\u306A\u30D5\u30A3\u30FC\u30EB\u30C9\u304C\u3042\u308A\u307E\u3059: ${invalid.join(", ")}`;
+  }
+  return null;
+}
 function createOAuthTokenMethods(deps) {
   const {
     baseUrl,
@@ -552,6 +568,16 @@ function createOAuthTokenMethods(deps) {
         }
       };
     }
+    const validationError = validateTokenResponse(tokenResponse);
+    if (validationError) {
+      logger.error("Token exchange validation failed:", validationError);
+      return {
+        error: {
+          code: errorCodes.TOKEN_EXCHANGE_ERROR,
+          message: validationError
+        }
+      };
+    }
     tokenStore.setTokens({
       accessToken: tokenResponse.access_token,
       refreshToken: tokenResponse.refresh_token,
@@ -620,6 +646,16 @@ function createOAuthTokenMethods(deps) {
         }
       };
     }
+    const validationError = validateTokenResponse(tokenResponse);
+    if (validationError) {
+      logger.error("Token refresh validation failed:", validationError);
+      return {
+        error: {
+          code: errorCodes.TOKEN_REFRESH_ERROR,
+          message: validationError
+        }
+      };
+    }
     tokenStore.setTokens({
       accessToken: tokenResponse.access_token,
       refreshToken: tokenResponse.refresh_token,
@@ -873,14 +909,20 @@ async function generateCodeChallenge(verifier) {
   const digest = await crypto.subtle.digest("SHA-256", data);
   return base64UrlEncode(digest);
 }
-function storeCodeVerifier(verifier) {
+function storeCodeVerifier(verifier, logger) {
   try {
-    if (typeof window === "undefined") return;
+    if (typeof window === "undefined") {
+      logger?.warn("storeCodeVerifier: sessionStorage is not available in SSR context");
+      return false;
+    }
     window.sessionStorage.setItem(VERIFIER_STORAGE_KEY, verifier);
-  } catch {
+    return true;
+  } catch (error) {
+    logger?.warn("storeCodeVerifier: sessionStorage \u3078\u306E\u4FDD\u5B58\u306B\u5931\u6557\u3057\u307E\u3057\u305F:", error);
+    return false;
   }
 }
-function retrieveCodeVerifier() {
+function retrieveCodeVerifier(logger) {
   try {
     if (typeof window === "undefined") return null;
     const verifier = window.sessionStorage.getItem(VERIFIER_STORAGE_KEY);
@@ -888,7 +930,8 @@ function retrieveCodeVerifier() {
       window.sessionStorage.removeItem(VERIFIER_STORAGE_KEY);
     }
     return verifier;
-  } catch {
+  } catch (error) {
+    logger?.warn("retrieveCodeVerifier: sessionStorage \u304B\u3089\u306E\u53D6\u5F97\u306B\u5931\u6557\u3057\u307E\u3057\u305F:", error);
     return null;
   }
 }
@@ -903,6 +946,7 @@ function base64UrlEncode(buffer) {
 
 // src/client/redirect.ts
 var OAUTH_AUTHORIZE_ENDPOINT = "/api/v1/oauth/authorize";
+var AUTH_LOGOUT_ENDPOINT = "/api/v1/auth/logout";
 var STATE_RANDOM_BYTES = 16;
 var HEX_BASE2 = 16;
 function generateRandomState() {
@@ -921,32 +965,34 @@ function createRedirectMethods(deps) {
   } = deps;
   async function redirectToAuthorize() {
     const verifier = generateCodeVerifier();
-    storeCodeVerifier(verifier);
+    storeCodeVerifier(verifier, logger);
+    let challenge;
     try {
-      const challenge = await generateCodeChallenge(verifier);
-      const state = generateRandomState();
-      const redirectUri = resolvedRedirectUri ?? window.location.origin + window.location.pathname;
-      const params = new URLSearchParams({
-        response_type: "code",
-        client_id: clientId,
-        redirect_uri: redirectUri,
-        state,
-        code_challenge: challenge,
-        code_challenge_method: "S256"
-      });
-      const authorizeUrl = `${baseUrl}${OAUTH_AUTHORIZE_ENDPOINT}?${params.toString()}`;
-      logger.debug("Redirecting to authorize:", authorizeUrl);
-      window.location.href = authorizeUrl;
-      return true;
+      challenge = await generateCodeChallenge(verifier);
     } catch (error) {
+      const errorMessage = error instanceof Error ? error.message : "PKCE \u30B3\u30FC\u30C9\u30C1\u30E3\u30EC\u30F3\u30B8\u306E\u751F\u6210\u306B\u5931\u6557\u3057\u307E\u3057\u305F";
       logger.error("PKCE \u30B3\u30FC\u30C9\u30C1\u30E3\u30EC\u30F3\u30B8\u306E\u751F\u6210\u306B\u5931\u6557\u3057\u307E\u3057\u305F:", error);
-      return false;
+      return { success: false, error: errorMessage };
     }
+    const state = generateRandomState();
+    const redirectUri = resolvedRedirectUri ?? window.location.origin + window.location.pathname;
+    const params = new URLSearchParams({
+      response_type: "code",
+      client_id: clientId,
+      redirect_uri: redirectUri,
+      state,
+      code_challenge: challenge,
+      code_challenge_method: "S256"
+    });
+    const authorizeUrl = `${baseUrl}${OAUTH_AUTHORIZE_ENDPOINT}?${params.toString()}`;
+    logger.debug("Redirecting to authorize:", authorizeUrl);
+    window.location.href = authorizeUrl;
+    return { success: true };
   }
   async function redirectToLogin() {
     if (typeof window === "undefined") {
-      logger.debug("Cannot redirect in SSR context");
-      return false;
+      logger.warn("SSR \u74B0\u5883\u3067\u306F\u30EA\u30C0\u30A4\u30EC\u30AF\u30C8\u3067\u304D\u307E\u305B\u3093");
+      return { success: false, error: "SSR \u74B0\u5883\u3067\u306F\u30EA\u30C0\u30A4\u30EC\u30AF\u30C8\u3067\u304D\u307E\u305B\u3093" };
     }
     if (authMode === "token") {
       return redirectToAuthorize();
@@ -955,17 +1001,289 @@ function createRedirectMethods(deps) {
     const loginUrl = `${baseUrl}/login?redirect=${encodeURIComponent(currentUrl)}&service=${encodeURIComponent(serviceCode)}`;
     logger.debug("Redirecting to login:", loginUrl);
     window.location.href = loginUrl;
-    return true;
+    return { success: true };
   }
   function getLoginUrl(redirectUrl) {
-    const redirect = redirectUrl ?? (typeof window !== "undefined" ? window.location.href : "");
+    let redirect;
+    if (redirectUrl != null) {
+      redirect = redirectUrl;
+    } else if (typeof window !== "undefined") {
+      redirect = window.location.href;
+    } else {
+      logger.warn("getLoginUrl: SSR \u74B0\u5883\u3067 redirectUrl \u304C\u672A\u6307\u5B9A\u306E\u305F\u3081\u7A7A\u6587\u5B57\u306B\u30D5\u30A9\u30FC\u30EB\u30D0\u30C3\u30AF\u3057\u307E\u3059");
+      redirect = "";
+    }
     return `${baseUrl}/login?redirect=${encodeURIComponent(redirect)}&service=${encodeURIComponent(serviceCode)}`;
   }
   function getSignupUrl(redirectUrl) {
-    const redirect = redirectUrl ?? (typeof window !== "undefined" ? window.location.href : "");
+    let redirect;
+    if (redirectUrl != null) {
+      redirect = redirectUrl;
+    } else if (typeof window !== "undefined") {
+      redirect = window.location.href;
+    } else {
+      logger.warn("getSignupUrl: SSR \u74B0\u5883\u3067 redirectUrl \u304C\u672A\u6307\u5B9A\u306E\u305F\u3081\u7A7A\u6587\u5B57\u306B\u30D5\u30A9\u30FC\u30EB\u30D0\u30C3\u30AF\u3057\u307E\u3059");
+      redirect = "";
+    }
     return `${baseUrl}/signup?redirect=${encodeURIComponent(redirect)}&service=${encodeURIComponent(serviceCode)}`;
   }
-  return { redirectToLogin, redirectToAuthorize, getLoginUrl, getSignupUrl };
+  function getLogoutUrl(postLogoutRedirectUri) {
+    const url = new URL(`${baseUrl}${AUTH_LOGOUT_ENDPOINT}`);
+    url.searchParams.set("client_id", clientId);
+    if (postLogoutRedirectUri != null) {
+      url.searchParams.set("post_logout_redirect_uri", postLogoutRedirectUri);
+    }
+    return url.toString();
+  }
+  function redirectToLogout(postLogoutRedirectUri) {
+    if (typeof window === "undefined") {
+      logger.warn("SSR \u74B0\u5883\u3067\u306F\u30EA\u30C0\u30A4\u30EC\u30AF\u30C8\u3067\u304D\u307E\u305B\u3093");
+      return { success: false, error: "SSR \u74B0\u5883\u3067\u306F\u30EA\u30C0\u30A4\u30EC\u30AF\u30C8\u3067\u304D\u307E\u305B\u3093" };
+    }
+    const logoutUrl = getLogoutUrl(postLogoutRedirectUri);
+    logger.debug("Redirecting to logout:", logoutUrl);
+    window.location.href = logoutUrl;
+    return { success: true };
+  }
+  return { redirectToLogin, redirectToAuthorize, getLoginUrl, getSignupUrl, getLogoutUrl, redirectToLogout };
+}
+
+// src/client/password-reset.ts
+var RESET_PASSWORD_BASE = "/api/v1/auth/reset-password";
+function isBlank(value) {
+  return !value || !value.trim();
+}
+function createPasswordResetMethods(deps) {
+  const { baseUrl, logger, createError, fetchWithAuth, errorCodes } = deps;
+  async function fetchPublic(endpoint, options = {}) {
+    const url = `${baseUrl}${endpoint}`;
+    logger.debug("Fetching (public):", url);
+    let response;
+    try {
+      response = await fetch(url, {
+        ...options,
+        credentials: "include",
+        headers: {
+          "Content-Type": "application/json",
+          ...sdkHeaders(),
+          ...options.headers
+        }
+      });
+    } catch (error) {
+      logger.error("Network error:", error);
+      return {
+        error: {
+          code: errorCodes.NETWORK_ERROR,
+          message: error instanceof Error ? error.message : "\u30CD\u30C3\u30C8\u30EF\u30FC\u30AF\u30A8\u30E9\u30FC\u304C\u767A\u751F\u3057\u307E\u3057\u305F"
+        }
+      };
+    }
+    let raw;
+    try {
+      raw = await response.json();
+    } catch (parseError) {
+      logger.error("Parse error:", parseError, "Status:", response.status);
+      return {
+        error: {
+          code: errorCodes.PARSE_ERROR,
+          message: `\u30B5\u30FC\u30D0\u30FC\u304B\u3089\u4E0D\u6B63\u306A\u30EC\u30B9\u30DD\u30F3\u30B9\u3092\u53D7\u4FE1\u3057\u307E\u3057\u305F (status: ${response.status})`
+        }
+      };
+    }
+    logger.debug("Response (public):", response.status, raw);
+    checkVersionHeader(response, logger);
+    if (!response.ok) {
+      return {
+        error: raw.error ?? {
+          code: errorCodes.UNKNOWN_ERROR,
+          message: "\u30D1\u30B9\u30EF\u30FC\u30C9\u30EA\u30BB\u30C3\u30C8\u306B\u5931\u6557\u3057\u307E\u3057\u305F"
+        }
+      };
+    }
+    if (raw.data === void 0) {
+      return {
+        error: {
+          code: errorCodes.UNKNOWN_ERROR,
+          message: "\u30B5\u30FC\u30D0\u30FC\u304B\u3089\u30C7\u30FC\u30BF\u304C\u8FD4\u3055\u308C\u307E\u305B\u3093\u3067\u3057\u305F"
+        }
+      };
+    }
+    return { data: raw.data };
+  }
+  async function requestPasswordReset(email) {
+    if (isBlank(email)) {
+      return {
+        error: createError("VALIDATION_ERROR", "\u30E1\u30FC\u30EB\u30A2\u30C9\u30EC\u30B9\u306F\u5FC5\u9808\u3067\u3059")
+      };
+    }
+    return fetchPublic(
+      RESET_PASSWORD_BASE,
+      {
+        method: "POST",
+        body: JSON.stringify({ email })
+      }
+    );
+  }
+  async function verifyPasswordResetToken(accessToken) {
+    if (isBlank(accessToken)) {
+      return {
+        error: createError("VALIDATION_ERROR", "\u30A2\u30AF\u30BB\u30B9\u30C8\u30FC\u30AF\u30F3\u306F\u5FC5\u9808\u3067\u3059")
+      };
+    }
+    const query = new URLSearchParams({
+      access_token: accessToken,
+      type: "recovery"
+    });
+    return fetchPublic(
+      `${RESET_PASSWORD_BASE}/verify?${query.toString()}`
+    );
+  }
+  async function establishResetSession(accessToken, refreshToken) {
+    if (isBlank(accessToken)) {
+      return {
+        error: createError("VALIDATION_ERROR", "\u30A2\u30AF\u30BB\u30B9\u30C8\u30FC\u30AF\u30F3\u306F\u5FC5\u9808\u3067\u3059")
+      };
+    }
+    if (isBlank(refreshToken)) {
+      return {
+        error: createError("VALIDATION_ERROR", "\u30EA\u30D5\u30EC\u30C3\u30B7\u30E5\u30C8\u30FC\u30AF\u30F3\u306F\u5FC5\u9808\u3067\u3059")
+      };
+    }
+    return fetchPublic(
+      `${RESET_PASSWORD_BASE}/session`,
+      {
+        method: "POST",
+        body: JSON.stringify({ accessToken, refreshToken })
+      }
+    );
+  }
+  async function confirmPasswordReset(password) {
+    if (isBlank(password)) {
+      return {
+        error: createError("VALIDATION_ERROR", "\u30D1\u30B9\u30EF\u30FC\u30C9\u306F\u5FC5\u9808\u3067\u3059")
+      };
+    }
+    return fetchWithAuth(
+      `${RESET_PASSWORD_BASE}/confirm`,
+      {
+        method: "POST",
+        body: JSON.stringify({ password })
+      }
+    );
+  }
+  return {
+    requestPasswordReset,
+    verifyPasswordResetToken,
+    establishResetSession,
+    confirmPasswordReset
+  };
+}
+
+// src/client/otp.ts
+var OTP_BASE = "/api/v1/auth/otp";
+function isBlank2(value) {
+  return !value || !value.trim();
+}
+function createOtpMethods(deps) {
+  const { baseUrl, logger, createError, errorCodes } = deps;
+  async function fetchPublic(endpoint, options = {}) {
+    const url = `${baseUrl}${endpoint}`;
+    logger.debug("Fetching (public):", url);
+    let response;
+    try {
+      response = await fetch(url, {
+        ...options,
+        credentials: "include",
+        headers: {
+          "Content-Type": "application/json",
+          ...sdkHeaders(),
+          ...options.headers
+        }
+      });
+    } catch (error) {
+      logger.error("Network error:", error);
+      return {
+        error: {
+          code: errorCodes.NETWORK_ERROR,
+          message: error instanceof Error ? error.message : "\u30CD\u30C3\u30C8\u30EF\u30FC\u30AF\u30A8\u30E9\u30FC\u304C\u767A\u751F\u3057\u307E\u3057\u305F"
+        }
+      };
+    }
+    let raw;
+    try {
+      raw = await response.json();
+    } catch (parseError) {
+      logger.error("Parse error:", parseError, "Status:", response.status);
+      return {
+        error: {
+          code: errorCodes.PARSE_ERROR,
+          message: `\u30B5\u30FC\u30D0\u30FC\u304B\u3089\u4E0D\u6B63\u306A\u30EC\u30B9\u30DD\u30F3\u30B9\u3092\u53D7\u4FE1\u3057\u307E\u3057\u305F (status: ${response.status})`
+        }
+      };
+    }
+    logger.debug("Response (public):", response.status, raw);
+    checkVersionHeader(response, logger);
+    if (!response.ok) {
+      return {
+        error: raw.error ?? {
+          code: errorCodes.UNKNOWN_ERROR,
+          message: "OTP\u8A8D\u8A3C\u306B\u5931\u6557\u3057\u307E\u3057\u305F"
+        }
+      };
+    }
+    if (raw.data === void 0) {
+      return {
+        error: {
+          code: errorCodes.UNKNOWN_ERROR,
+          message: "\u30B5\u30FC\u30D0\u30FC\u304B\u3089\u30C7\u30FC\u30BF\u304C\u8FD4\u3055\u308C\u307E\u305B\u3093\u3067\u3057\u305F"
+        }
+      };
+    }
+    return { data: raw.data };
+  }
+  async function sendOtp(email, options) {
+    if (isBlank2(email)) {
+      return {
+        error: createError("VALIDATION_ERROR", "\u30E1\u30FC\u30EB\u30A2\u30C9\u30EC\u30B9\u306F\u5FC5\u9808\u3067\u3059")
+      };
+    }
+    return fetchPublic(
+      `${OTP_BASE}/send`,
+      {
+        method: "POST",
+        body: JSON.stringify({
+          email,
+          ...options?.redirectUrl ? { redirectUrl: options.redirectUrl } : {}
+        })
+      }
+    );
+  }
+  async function verifyOtp(params) {
+    if (isBlank2(params.accessToken)) {
+      return {
+        error: createError("VALIDATION_ERROR", "\u30A2\u30AF\u30BB\u30B9\u30C8\u30FC\u30AF\u30F3\u306F\u5FC5\u9808\u3067\u3059")
+      };
+    }
+    if (isBlank2(params.refreshToken)) {
+      return {
+        error: createError("VALIDATION_ERROR", "\u30EA\u30D5\u30EC\u30C3\u30B7\u30E5\u30C8\u30FC\u30AF\u30F3\u306F\u5FC5\u9808\u3067\u3059")
+      };
+    }
+    return fetchPublic(
+      `${OTP_BASE}/verify`,
+      {
+        method: "POST",
+        body: JSON.stringify({
+          accessToken: params.accessToken,
+          refreshToken: params.refreshToken
+        })
+      }
+    );
+  }
+  return {
+    sendOtp,
+    verifyOtp
+  };
 }
 
 // src/client/ffid-client.ts
@@ -1100,6 +1418,9 @@ function createFFIDClient(config) {
             }
           };
         }
+      } else {
+        logger.warn("Token refresh failed, returning refresh error:", refreshResult.error);
+        return { error: refreshResult.error };
       }
     }
     let raw;
@@ -1150,7 +1471,7 @@ function createFFIDClient(config) {
     }
     return signOutCookie();
   }
-  const { redirectToLogin, getLoginUrl, getSignupUrl } = createRedirectMethods({
+  const { redirectToLogin, getLoginUrl, getSignupUrl, getLogoutUrl, redirectToLogout } = createRedirectMethods({
     authMode,
     baseUrl,
     clientId,
@@ -1177,6 +1498,24 @@ function createFFIDClient(config) {
     fetchWithAuth,
     createError
   });
+  const {
+    requestPasswordReset,
+    verifyPasswordResetToken,
+    establishResetSession,
+    confirmPasswordReset
+  } = createPasswordResetMethods({
+    baseUrl,
+    logger,
+    createError,
+    fetchWithAuth,
+    errorCodes: FFID_ERROR_CODES
+  });
+  const { sendOtp, verifyOtp } = createOtpMethods({
+    baseUrl,
+    logger,
+    createError,
+    errorCodes: FFID_ERROR_CODES
+  });
   const verifyAccessToken = createVerifyAccessToken({
     authMode,
     baseUrl,
@@ -1193,7 +1532,9 @@ function createFFIDClient(config) {
     getSession,
     signOut,
     redirectToLogin,
+    redirectToLogout,
     getLoginUrl,
+    getLogoutUrl,
     getSignupUrl,
     createError,
     exchangeCodeForTokens,
@@ -1202,6 +1543,12 @@ function createFFIDClient(config) {
     createCheckoutSession,
     createPortalSession,
     verifyAccessToken,
+    requestPasswordReset,
+    verifyPasswordResetToken,
+    establishResetSession,
+    confirmPasswordReset,
+    sendOtp,
+    verifyOtp,
     /** Token store (token mode only) */
     tokenStore,
     /** Resolved auth mode */