@fnd-platform/cognito-auth 1.0.0-alpha.1 → 1.0.0-alpha.10

package/lib/client/errors.d.ts

@@ -9,18 +9,7 @@
 /**
  * Error codes for authentication failures.
  */
-export type AuthErrorCode =
-  | 'INVALID_CREDENTIALS'
-  | 'USER_NOT_FOUND'
-  | 'USER_NOT_CONFIRMED'
-  | 'CODE_MISMATCH'
-  | 'CODE_EXPIRED'
-  | 'TOKEN_EXPIRED'
-  | 'INVALID_TOKEN'
-  | 'USER_EXISTS'
-  | 'PASSWORD_POLICY'
-  | 'RATE_LIMITED'
-  | 'SERVICE_ERROR';
+export type AuthErrorCode = 'INVALID_CREDENTIALS' | 'USER_NOT_FOUND' | 'USER_NOT_CONFIRMED' | 'NEW_PASSWORD_REQUIRED' | 'CODE_MISMATCH' | 'CODE_EXPIRED' | 'TOKEN_EXPIRED' | 'INVALID_TOKEN' | 'USER_EXISTS' | 'PASSWORD_POLICY' | 'RATE_LIMITED' | 'SERVICE_ERROR';
 /**
  * Authentication error with structured error code.
  *
@@ -43,16 +32,49 @@ export type AuthErrorCode =
  * ```
  */
 export declare class AuthError extends Error {
-  readonly code: AuthErrorCode;
-  readonly cause?: Error | undefined;
-  /**
-   * Creates a new AuthError.
-   *
-   * @param message - Human-readable error message
-   * @param code - Structured error code for programmatic handling
-   * @param cause - Original error that caused this error
-   */
-  constructor(message: string, code: AuthErrorCode, cause?: Error | undefined);
+    readonly code: AuthErrorCode;
+    readonly cause?: Error | undefined;
+    /**
+     * Creates a new AuthError.
+     *
+     * @param message - Human-readable error message
+     * @param code - Structured error code for programmatic handling
+     * @param cause - Original error that caused this error
+     */
+    constructor(message: string, code: AuthErrorCode, cause?: Error | undefined);
+}
+/**
+ * Error thrown when user must change their password before signing in.
+ *
+ * This occurs when:
+ * - User was created by admin and has FORCE_CHANGE_PASSWORD status
+ * - Password has expired per user pool policy
+ *
+ * The session token must be used to complete the password change via
+ * `authClient.completeNewPassword()`.
+ *
+ * @example
+ * ```typescript
+ * try {
+ *   await authClient.signIn(email, password);
+ * } catch (error) {
+ *   if (error instanceof NewPasswordRequiredError) {
+ *     // Redirect to change password page with session
+ *     redirect(`/change-password?session=${error.session}&email=${email}`);
+ *   }
+ * }
+ * ```
+ */
+export declare class NewPasswordRequiredError extends AuthError {
+    readonly session: string;
+    readonly email: string;
+    /**
+     * Creates a NewPasswordRequiredError.
+     *
+     * @param session - Cognito session token for completing password change
+     * @param email - User's email address
+     */
+    constructor(session: string, email: string);
 }
 /**
  * Maps a Cognito SDK error to an AuthError.
@@ -64,4 +86,4 @@ export declare class AuthError extends Error {
  * @internal
  */
 export declare function mapCognitoError(error: unknown, defaultMessage: string): AuthError;
-//# sourceMappingURL=errors.d.ts.map
+//# sourceMappingURL=errors.d.ts.map

package/lib/client/errors.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"errors.d.ts","sourceRoot":"","sources":["../../src/client/errors.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAEH;;GAEG;AACH,MAAM,MAAM,aAAa,GACrB,qBAAqB,GACrB,gBAAgB,GAChB,oBAAoB,GACpB,eAAe,GACf,cAAc,GACd,eAAe,GACf,eAAe,GACf,aAAa,GACb,iBAAiB,GACjB,cAAc,GACd,eAAe,CAAC;AAEpB;;;;;;;;;;;;;;;;;;;;GAoBG;AACH,qBAAa,SAAU,SAAQ,KAAK;aAUhB,IAAI,EAAE,aAAa;aACnB,KAAK,CAAC,EAAE,KAAK;IAV/B;;;;;;OAMG;gBAED,OAAO,EAAE,MAAM,EACC,IAAI,EAAE,aAAa,EACnB,KAAK,CAAC,EAAE,KAAK,YAAA;CAShC;AAoBD;;;;;;;;GAQG;AACH,wBAAgB,eAAe,CAAC,KAAK,EAAE,OAAO,EAAE,cAAc,EAAE,MAAM,GAAG,SAAS,CAOjF"}
+{"version":3,"file":"errors.d.ts","sourceRoot":"","sources":["../../src/client/errors.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAEH;;GAEG;AACH,MAAM,MAAM,aAAa,GACrB,qBAAqB,GACrB,gBAAgB,GAChB,oBAAoB,GACpB,uBAAuB,GACvB,eAAe,GACf,cAAc,GACd,eAAe,GACf,eAAe,GACf,aAAa,GACb,iBAAiB,GACjB,cAAc,GACd,eAAe,CAAC;AAEpB;;;;;;;;;;;;;;;;;;;;GAoBG;AACH,qBAAa,SAAU,SAAQ,KAAK;aAUhB,IAAI,EAAE,aAAa;aACnB,KAAK,CAAC,EAAE,KAAK;IAV/B;;;;;;OAMG;gBAED,OAAO,EAAE,MAAM,EACC,IAAI,EAAE,aAAa,EACnB,KAAK,CAAC,EAAE,KAAK,YAAA;CAShC;AAED;;;;;;;;;;;;;;;;;;;;;GAqBG;AACH,qBAAa,wBAAyB,SAAQ,SAAS;aAQnC,OAAO,EAAE,MAAM;aACf,KAAK,EAAE,MAAM;IAR/B;;;;;OAKG;gBAEe,OAAO,EAAE,MAAM,EACf,KAAK,EAAE,MAAM;CAQhC;AAoBD;;;;;;;;GAQG;AACH,wBAAgB,eAAe,CAAC,KAAK,EAAE,OAAO,EAAE,cAAc,EAAE,MAAM,GAAG,SAAS,CAOjF"}

package/lib/client/errors.js

@@ -1,4 +1,4 @@
-'use strict';
+"use strict";
 /**
  * Authentication error types for FndAuthClient.
  *
@@ -7,8 +7,8 @@
  *
  * @packageDocumentation
  */
-Object.defineProperty(exports, '__esModule', { value: true });
-exports.AuthError = void 0;
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.NewPasswordRequiredError = exports.AuthError = void 0;
 exports.mapCognitoError = mapCognitoError;
 /**
  * Authentication error with structured error code.
@@ -32,43 +32,85 @@ exports.mapCognitoError = mapCognitoError;
  * ```
  */
 class AuthError extends Error {
-  code;
-  cause;
-  /**
-   * Creates a new AuthError.
-   *
-   * @param message - Human-readable error message
-   * @param code - Structured error code for programmatic handling
-   * @param cause - Original error that caused this error
-   */
-  constructor(message, code, cause) {
-    super(message);
-    this.code = code;
-    this.cause = cause;
-    this.name = 'AuthError';
-    // Maintains proper stack trace in V8 environments
-    if (Error.captureStackTrace) {
-      Error.captureStackTrace(this, AuthError);
+    code;
+    cause;
+    /**
+     * Creates a new AuthError.
+     *
+     * @param message - Human-readable error message
+     * @param code - Structured error code for programmatic handling
+     * @param cause - Original error that caused this error
+     */
+    constructor(message, code, cause) {
+        super(message);
+        this.code = code;
+        this.cause = cause;
+        this.name = 'AuthError';
+        // Maintains proper stack trace in V8 environments
+        if (Error.captureStackTrace) {
+            Error.captureStackTrace(this, AuthError);
+        }
     }
-  }
 }
 exports.AuthError = AuthError;
+/**
+ * Error thrown when user must change their password before signing in.
+ *
+ * This occurs when:
+ * - User was created by admin and has FORCE_CHANGE_PASSWORD status
+ * - Password has expired per user pool policy
+ *
+ * The session token must be used to complete the password change via
+ * `authClient.completeNewPassword()`.
+ *
+ * @example
+ * ```typescript
+ * try {
+ *   await authClient.signIn(email, password);
+ * } catch (error) {
+ *   if (error instanceof NewPasswordRequiredError) {
+ *     // Redirect to change password page with session
+ *     redirect(`/change-password?session=${error.session}&email=${email}`);
+ *   }
+ * }
+ * ```
+ */
+class NewPasswordRequiredError extends AuthError {
+    session;
+    email;
+    /**
+     * Creates a NewPasswordRequiredError.
+     *
+     * @param session - Cognito session token for completing password change
+     * @param email - User's email address
+     */
+    constructor(session, email) {
+        super('Password change required', 'NEW_PASSWORD_REQUIRED');
+        this.session = session;
+        this.email = email;
+        this.name = 'NewPasswordRequiredError';
+        if (Error.captureStackTrace) {
+            Error.captureStackTrace(this, NewPasswordRequiredError);
+        }
+    }
+}
+exports.NewPasswordRequiredError = NewPasswordRequiredError;
 /**
  * Maps Cognito exception names to AuthErrorCode.
  *
  * @internal
  */
 const COGNITO_ERROR_MAP = {
-  NotAuthorizedException: 'INVALID_CREDENTIALS',
-  UserNotFoundException: 'USER_NOT_FOUND',
-  UserNotConfirmedException: 'USER_NOT_CONFIRMED',
-  CodeMismatchException: 'CODE_MISMATCH',
-  ExpiredCodeException: 'CODE_EXPIRED',
-  UsernameExistsException: 'USER_EXISTS',
-  InvalidPasswordException: 'PASSWORD_POLICY',
-  InvalidParameterException: 'PASSWORD_POLICY',
-  TooManyRequestsException: 'RATE_LIMITED',
-  LimitExceededException: 'RATE_LIMITED',
+    NotAuthorizedException: 'INVALID_CREDENTIALS',
+    UserNotFoundException: 'USER_NOT_FOUND',
+    UserNotConfirmedException: 'USER_NOT_CONFIRMED',
+    CodeMismatchException: 'CODE_MISMATCH',
+    ExpiredCodeException: 'CODE_EXPIRED',
+    UsernameExistsException: 'USER_EXISTS',
+    InvalidPasswordException: 'PASSWORD_POLICY',
+    InvalidParameterException: 'PASSWORD_POLICY',
+    TooManyRequestsException: 'RATE_LIMITED',
+    LimitExceededException: 'RATE_LIMITED',
 };
 /**
  * Maps a Cognito SDK error to an AuthError.
@@ -80,11 +122,11 @@ const COGNITO_ERROR_MAP = {
  * @internal
  */
 function mapCognitoError(error, defaultMessage) {
-  if (error instanceof Error) {
-    const errorName = error.name;
-    const code = COGNITO_ERROR_MAP[errorName] ?? 'SERVICE_ERROR';
-    return new AuthError(error.message || defaultMessage, code, error);
-  }
-  return new AuthError(defaultMessage, 'SERVICE_ERROR');
+    if (error instanceof Error) {
+        const errorName = error.name;
+        const code = COGNITO_ERROR_MAP[errorName] ?? 'SERVICE_ERROR';
+        return new AuthError(error.message || defaultMessage, code, error);
+    }
+    return new AuthError(defaultMessage, 'SERVICE_ERROR');
 }
-//# sourceMappingURL=errors.js.map
+//# sourceMappingURL=errors.js.map

package/lib/client/errors.js.map

@@ -1 +1 @@
-{"version":3,"file":"errors.js","sourceRoot":"","sources":["../../src/client/errors.ts"],"names":[],"mappings":";AAAA;;;;;;;GAOG;;;AAwFH,0CAOC;AA7ED;;;;;;;;;;;;;;;;;;;;GAoBG;AACH,MAAa,SAAU,SAAQ,KAAK;IAUhB;IACA;IAVlB;;;;;;OAMG;IACH,YACE,OAAe,EACC,IAAmB,EACnB,KAAa;QAE7B,KAAK,CAAC,OAAO,CAAC,CAAC;QAHC,SAAI,GAAJ,IAAI,CAAe;QACnB,UAAK,GAAL,KAAK,CAAQ;QAG7B,IAAI,CAAC,IAAI,GAAG,WAAW,CAAC;QACxB,kDAAkD;QAClD,IAAI,KAAK,CAAC,iBAAiB,EAAE,CAAC;YAC5B,KAAK,CAAC,iBAAiB,CAAC,IAAI,EAAE,SAAS,CAAC,CAAC;QAC3C,CAAC;IACH,CAAC;CACF;AApBD,8BAoBC;AAED;;;;GAIG;AACH,MAAM,iBAAiB,GAAkC;IACvD,sBAAsB,EAAE,qBAAqB;IAC7C,qBAAqB,EAAE,gBAAgB;IACvC,yBAAyB,EAAE,oBAAoB;IAC/C,qBAAqB,EAAE,eAAe;IACtC,oBAAoB,EAAE,cAAc;IACpC,uBAAuB,EAAE,aAAa;IACtC,wBAAwB,EAAE,iBAAiB;IAC3C,yBAAyB,EAAE,iBAAiB;IAC5C,wBAAwB,EAAE,cAAc;IACxC,sBAAsB,EAAE,cAAc;CACvC,CAAC;AAEF;;;;;;;;GAQG;AACH,SAAgB,eAAe,CAAC,KAAc,EAAE,cAAsB;IACpE,IAAI,KAAK,YAAY,KAAK,EAAE,CAAC;QAC3B,MAAM,SAAS,GAAG,KAAK,CAAC,IAAI,CAAC;QAC7B,MAAM,IAAI,GAAG,iBAAiB,CAAC,SAAS,CAAC,IAAI,eAAe,CAAC;QAC7D,OAAO,IAAI,SAAS,CAAC,KAAK,CAAC,OAAO,IAAI,cAAc,EAAE,IAAI,EAAE,KAAK,CAAC,CAAC;IACrE,CAAC;IACD,OAAO,IAAI,SAAS,CAAC,cAAc,EAAE,eAAe,CAAC,CAAC;AACxD,CAAC"}
+{"version":3,"file":"errors.js","sourceRoot":"","sources":["../../src/client/errors.ts"],"names":[],"mappings":";AAAA;;;;;;;GAOG;;;AAkIH,0CAOC;AAtHD;;;;;;;;;;;;;;;;;;;;GAoBG;AACH,MAAa,SAAU,SAAQ,KAAK;IAUhB;IACA;IAVlB;;;;;;OAMG;IACH,YACE,OAAe,EACC,IAAmB,EACnB,KAAa;QAE7B,KAAK,CAAC,OAAO,CAAC,CAAC;QAHC,SAAI,GAAJ,IAAI,CAAe;QACnB,UAAK,GAAL,KAAK,CAAQ;QAG7B,IAAI,CAAC,IAAI,GAAG,WAAW,CAAC;QACxB,kDAAkD;QAClD,IAAI,KAAK,CAAC,iBAAiB,EAAE,CAAC;YAC5B,KAAK,CAAC,iBAAiB,CAAC,IAAI,EAAE,SAAS,CAAC,CAAC;QAC3C,CAAC;IACH,CAAC;CACF;AApBD,8BAoBC;AAED;;;;;;;;;;;;;;;;;;;;;GAqBG;AACH,MAAa,wBAAyB,SAAQ,SAAS;IAQnC;IACA;IARlB;;;;;OAKG;IACH,YACkB,OAAe,EACf,KAAa;QAE7B,KAAK,CAAC,0BAA0B,EAAE,uBAAuB,CAAC,CAAC;QAH3C,YAAO,GAAP,OAAO,CAAQ;QACf,UAAK,GAAL,KAAK,CAAQ;QAG7B,IAAI,CAAC,IAAI,GAAG,0BAA0B,CAAC;QACvC,IAAI,KAAK,CAAC,iBAAiB,EAAE,CAAC;YAC5B,KAAK,CAAC,iBAAiB,CAAC,IAAI,EAAE,wBAAwB,CAAC,CAAC;QAC1D,CAAC;IACH,CAAC;CACF;AAjBD,4DAiBC;AAED;;;;GAIG;AACH,MAAM,iBAAiB,GAAkC;IACvD,sBAAsB,EAAE,qBAAqB;IAC7C,qBAAqB,EAAE,gBAAgB;IACvC,yBAAyB,EAAE,oBAAoB;IAC/C,qBAAqB,EAAE,eAAe;IACtC,oBAAoB,EAAE,cAAc;IACpC,uBAAuB,EAAE,aAAa;IACtC,wBAAwB,EAAE,iBAAiB;IAC3C,yBAAyB,EAAE,iBAAiB;IAC5C,wBAAwB,EAAE,cAAc;IACxC,sBAAsB,EAAE,cAAc;CACvC,CAAC;AAEF;;;;;;;;GAQG;AACH,SAAgB,eAAe,CAAC,KAAc,EAAE,cAAsB;IACpE,IAAI,KAAK,YAAY,KAAK,EAAE,CAAC;QAC3B,MAAM,SAAS,GAAG,KAAK,CAAC,IAAI,CAAC;QAC7B,MAAM,IAAI,GAAG,iBAAiB,CAAC,SAAS,CAAC,IAAI,eAAe,CAAC;QAC7D,OAAO,IAAI,SAAS,CAAC,KAAK,CAAC,OAAO,IAAI,cAAc,EAAE,IAAI,EAAE,KAAK,CAAC,CAAC;IACrE,CAAC;IACD,OAAO,IAAI,SAAS,CAAC,cAAc,EAAE,eAAe,CAAC,CAAC;AACxD,CAAC"}

package/lib/client/index.js

@@ -1,29 +1,14 @@
-'use strict';
+"use strict";
 /**
  * Auth client exports.
  *
  * @packageDocumentation
  */
-Object.defineProperty(exports, '__esModule', { value: true });
+Object.defineProperty(exports, "__esModule", { value: true });
 exports.AuthError = exports.clearClientCache = exports.FndAuthClient = void 0;
-var auth_client_js_1 = require('./auth-client.js');
-Object.defineProperty(exports, 'FndAuthClient', {
-  enumerable: true,
-  get: function () {
-    return auth_client_js_1.FndAuthClient;
-  },
-});
-Object.defineProperty(exports, 'clearClientCache', {
-  enumerable: true,
-  get: function () {
-    return auth_client_js_1.clearClientCache;
-  },
-});
-var errors_js_1 = require('./errors.js');
-Object.defineProperty(exports, 'AuthError', {
-  enumerable: true,
-  get: function () {
-    return errors_js_1.AuthError;
-  },
-});
-//# sourceMappingURL=index.js.map
+var auth_client_js_1 = require("./auth-client.js");
+Object.defineProperty(exports, "FndAuthClient", { enumerable: true, get: function () { return auth_client_js_1.FndAuthClient; } });
+Object.defineProperty(exports, "clearClientCache", { enumerable: true, get: function () { return auth_client_js_1.clearClientCache; } });
+var errors_js_1 = require("./errors.js");
+Object.defineProperty(exports, "AuthError", { enumerable: true, get: function () { return errors_js_1.AuthError; } });
+//# sourceMappingURL=index.js.map

package/lib/index.d.ts

@@ -22,9 +22,10 @@ export { handler as authorizerHandler } from './authorizer/handler.js';
 export { refreshAccessToken, clearClientCache } from './utils/token-refresh.js';
 export type { TokenRefreshConfig, RefreshResult } from './utils/token-refresh.js';
 export { FndAuthClient, clearClientCache as clearAuthClientCache } from './client/auth-client.js';
-export { AuthError } from './client/errors.js';
+export { AuthError, NewPasswordRequiredError } from './client/errors.js';
 export type { AuthErrorCode } from './client/errors.js';
-export { createSessionStorage, getSession, createUserSession, requireAuth, getOptionalUser, getUserSession, logout, } from './remix/session.server.js';
+export { createSessionStorage, getSession, createUserSession, requireAuth, getOptionalUser, getUserSession, getAccessToken, logout, } from './remix/session.server.js';
+export type { GetAccessTokenConfig } from './remix/session.server.js';
 export { requireAdmin, requireRole, hasRole, hasAnyRole } from './remix/admin.server.js';
-export type { AuthClientConfig, AuthTokens, SignUpResult, SessionData, SessionUser, } from './types.js';
+export type { AuthClientConfig, AuthTokens, SignUpResult, ForgotPasswordResult, SessionData, SessionUser, } from './types.js';
 //# sourceMappingURL=index.d.ts.map

package/lib/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AAGH,OAAO,EAAE,cAAc,EAAE,MAAM,wBAAwB,CAAC;AACxD,YAAY,EAAE,mBAAmB,EAAE,KAAK,EAAE,MAAM,wBAAwB,CAAC;AACzE,OAAO,EAAE,aAAa,EAAE,YAAY,EAAE,MAAM,wBAAwB,CAAC;AAGrE,YAAY,EACV,yBAAyB,EACzB,qBAAqB,EACrB,kBAAkB,EAClB,iBAAiB,EACjB,uBAAuB,GACxB,MAAM,YAAY,CAAC;AAGpB,OAAO,EAAE,WAAW,EAAE,gBAAgB,EAAE,WAAW,EAAE,kBAAkB,EAAE,MAAM,UAAU,CAAC;AAG1F,OAAO,EAAE,eAAe,EAAE,MAAM,sBAAsB,CAAC;AACvD,YAAY,EACV,yBAAyB,EACzB,UAAU,IAAI,iBAAiB,EAC/B,iBAAiB,IAAI,wBAAwB,GAC9C,MAAM,sBAAsB,CAAC;AAG9B,OAAO,EAAE,OAAO,IAAI,iBAAiB,EAAE,MAAM,yBAAyB,CAAC;AAGvE,OAAO,EAAE,kBAAkB,EAAE,gBAAgB,EAAE,MAAM,0BAA0B,CAAC;AAChF,YAAY,EAAE,kBAAkB,EAAE,aAAa,EAAE,MAAM,0BAA0B,CAAC;AAGlF,OAAO,EAAE,aAAa,EAAE,gBAAgB,IAAI,oBAAoB,EAAE,MAAM,yBAAyB,CAAC;AAClG,OAAO,EAAE,SAAS,EAAE,MAAM,oBAAoB,CAAC;AAC/C,YAAY,EAAE,aAAa,EAAE,MAAM,oBAAoB,CAAC;AAGxD,OAAO,EACL,oBAAoB,EACpB,UAAU,EACV,iBAAiB,EACjB,WAAW,EACX,eAAe,EACf,cAAc,EACd,MAAM,GACP,MAAM,2BAA2B,CAAC;AAEnC,OAAO,EAAE,YAAY,EAAE,WAAW,EAAE,OAAO,EAAE,UAAU,EAAE,MAAM,yBAAyB,CAAC;AAGzF,YAAY,EACV,gBAAgB,EAChB,UAAU,EACV,YAAY,EACZ,WAAW,EACX,WAAW,GACZ,MAAM,YAAY,CAAC"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AAGH,OAAO,EAAE,cAAc,EAAE,MAAM,wBAAwB,CAAC;AACxD,YAAY,EAAE,mBAAmB,EAAE,KAAK,EAAE,MAAM,wBAAwB,CAAC;AACzE,OAAO,EAAE,aAAa,EAAE,YAAY,EAAE,MAAM,wBAAwB,CAAC;AAGrE,YAAY,EACV,yBAAyB,EACzB,qBAAqB,EACrB,kBAAkB,EAClB,iBAAiB,EACjB,uBAAuB,GACxB,MAAM,YAAY,CAAC;AAGpB,OAAO,EAAE,WAAW,EAAE,gBAAgB,EAAE,WAAW,EAAE,kBAAkB,EAAE,MAAM,UAAU,CAAC;AAG1F,OAAO,EAAE,eAAe,EAAE,MAAM,sBAAsB,CAAC;AACvD,YAAY,EACV,yBAAyB,EACzB,UAAU,IAAI,iBAAiB,EAC/B,iBAAiB,IAAI,wBAAwB,GAC9C,MAAM,sBAAsB,CAAC;AAG9B,OAAO,EAAE,OAAO,IAAI,iBAAiB,EAAE,MAAM,yBAAyB,CAAC;AAGvE,OAAO,EAAE,kBAAkB,EAAE,gBAAgB,EAAE,MAAM,0BAA0B,CAAC;AAChF,YAAY,EAAE,kBAAkB,EAAE,aAAa,EAAE,MAAM,0BAA0B,CAAC;AAGlF,OAAO,EAAE,aAAa,EAAE,gBAAgB,IAAI,oBAAoB,EAAE,MAAM,yBAAyB,CAAC;AAClG,OAAO,EAAE,SAAS,EAAE,wBAAwB,EAAE,MAAM,oBAAoB,CAAC;AACzE,YAAY,EAAE,aAAa,EAAE,MAAM,oBAAoB,CAAC;AAGxD,OAAO,EACL,oBAAoB,EACpB,UAAU,EACV,iBAAiB,EACjB,WAAW,EACX,eAAe,EACf,cAAc,EACd,cAAc,EACd,MAAM,GACP,MAAM,2BAA2B,CAAC;AAEnC,YAAY,EAAE,oBAAoB,EAAE,MAAM,2BAA2B,CAAC;AAEtE,OAAO,EAAE,YAAY,EAAE,WAAW,EAAE,OAAO,EAAE,UAAU,EAAE,MAAM,yBAAyB,CAAC;AAGzF,YAAY,EACV,gBAAgB,EAChB,UAAU,EACV,YAAY,EACZ,oBAAoB,EACpB,WAAW,EACX,WAAW,GACZ,MAAM,YAAY,CAAC"}

package/lib/index.js

@@ -13,7 +13,7 @@
  * @packageDocumentation
  */
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.hasAnyRole = exports.hasRole = exports.requireRole = exports.requireAdmin = exports.logout = exports.getUserSession = exports.getOptionalUser = exports.requireAuth = exports.createUserSession = exports.getSession = exports.createSessionStorage = exports.AuthError = exports.clearAuthClientCache = exports.FndAuthClient = exports.clearClientCache = exports.refreshAccessToken = exports.authorizerHandler = exports.withCognitoAuth = exports.clearVerifierCache = exports.getVerifier = exports.verifyAndExtract = exports.verifyToken = exports.VALID_STAGES = exports.validateStage = exports.FndCognitoAuth = void 0;
+exports.hasAnyRole = exports.hasRole = exports.requireRole = exports.requireAdmin = exports.logout = exports.getAccessToken = exports.getUserSession = exports.getOptionalUser = exports.requireAuth = exports.createUserSession = exports.getSession = exports.createSessionStorage = exports.NewPasswordRequiredError = exports.AuthError = exports.clearAuthClientCache = exports.FndAuthClient = exports.clearClientCache = exports.refreshAccessToken = exports.authorizerHandler = exports.withCognitoAuth = exports.clearVerifierCache = exports.getVerifier = exports.verifyAndExtract = exports.verifyToken = exports.VALID_STAGES = exports.validateStage = exports.FndCognitoAuth = void 0;
 // ===== CDK Constructs =====
 var cognito_construct_js_1 = require("./cognito-construct.js");
 Object.defineProperty(exports, "FndCognitoAuth", { enumerable: true, get: function () { return cognito_construct_js_1.FndCognitoAuth; } });
@@ -42,6 +42,7 @@ Object.defineProperty(exports, "FndAuthClient", { enumerable: true, get: functio
 Object.defineProperty(exports, "clearAuthClientCache", { enumerable: true, get: function () { return auth_client_js_1.clearClientCache; } });
 var errors_js_1 = require("./client/errors.js");
 Object.defineProperty(exports, "AuthError", { enumerable: true, get: function () { return errors_js_1.AuthError; } });
+Object.defineProperty(exports, "NewPasswordRequiredError", { enumerable: true, get: function () { return errors_js_1.NewPasswordRequiredError; } });
 // ===== Remix Utilities =====
 var session_server_js_1 = require("./remix/session.server.js");
 Object.defineProperty(exports, "createSessionStorage", { enumerable: true, get: function () { return session_server_js_1.createSessionStorage; } });
@@ -50,6 +51,7 @@ Object.defineProperty(exports, "createUserSession", { enumerable: true, get: fun
 Object.defineProperty(exports, "requireAuth", { enumerable: true, get: function () { return session_server_js_1.requireAuth; } });
 Object.defineProperty(exports, "getOptionalUser", { enumerable: true, get: function () { return session_server_js_1.getOptionalUser; } });
 Object.defineProperty(exports, "getUserSession", { enumerable: true, get: function () { return session_server_js_1.getUserSession; } });
+Object.defineProperty(exports, "getAccessToken", { enumerable: true, get: function () { return session_server_js_1.getAccessToken; } });
 Object.defineProperty(exports, "logout", { enumerable: true, get: function () { return session_server_js_1.logout; } });
 var admin_server_js_1 = require("./remix/admin.server.js");
 Object.defineProperty(exports, "requireAdmin", { enumerable: true, get: function () { return admin_server_js_1.requireAdmin; } });

package/lib/index.js.map

@@ -1 +1 @@
-{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;;;GAYG;;;AAEH,6BAA6B;AAC7B,+DAAwD;AAA/C,sHAAA,cAAc,OAAA;AAEvB,+DAAqE;AAA5D,qHAAA,aAAa,OAAA;AAAE,oHAAA,YAAY,OAAA;AAWpC,4BAA4B;AAC5B,mCAA0F;AAAjF,qGAAA,WAAW,OAAA;AAAE,0GAAA,gBAAgB,OAAA;AAAE,qGAAA,WAAW,OAAA;AAAE,4GAAA,kBAAkB,OAAA;AAEvE,yBAAyB;AACzB,gDAAuD;AAA9C,0GAAA,eAAe,OAAA;AAOxB,gCAAgC;AAChC,sDAAuE;AAA9D,+GAAA,OAAO,OAAqB;AAErC,8BAA8B;AAC9B,6DAAgF;AAAvE,sHAAA,kBAAkB,OAAA;AAAE,oHAAA,gBAAgB,OAAA;AAG7C,0BAA0B;AAC1B,0DAAkG;AAAzF,+GAAA,aAAa,OAAA;AAAE,sHAAA,gBAAgB,OAAwB;AAChE,gDAA+C;AAAtC,sGAAA,SAAS,OAAA;AAGlB,8BAA8B;AAC9B,+DAQmC;AAPjC,yHAAA,oBAAoB,OAAA;AACpB,+GAAA,UAAU,OAAA;AACV,sHAAA,iBAAiB,OAAA;AACjB,gHAAA,WAAW,OAAA;AACX,oHAAA,eAAe,OAAA;AACf,mHAAA,cAAc,OAAA;AACd,2GAAA,MAAM,OAAA;AAGR,2DAAyF;AAAhF,+GAAA,YAAY,OAAA;AAAE,8GAAA,WAAW,OAAA;AAAE,0GAAA,OAAO,OAAA;AAAE,6GAAA,UAAU,OAAA"}
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;;;GAYG;;;AAEH,6BAA6B;AAC7B,+DAAwD;AAA/C,sHAAA,cAAc,OAAA;AAEvB,+DAAqE;AAA5D,qHAAA,aAAa,OAAA;AAAE,oHAAA,YAAY,OAAA;AAWpC,4BAA4B;AAC5B,mCAA0F;AAAjF,qGAAA,WAAW,OAAA;AAAE,0GAAA,gBAAgB,OAAA;AAAE,qGAAA,WAAW,OAAA;AAAE,4GAAA,kBAAkB,OAAA;AAEvE,yBAAyB;AACzB,gDAAuD;AAA9C,0GAAA,eAAe,OAAA;AAOxB,gCAAgC;AAChC,sDAAuE;AAA9D,+GAAA,OAAO,OAAqB;AAErC,8BAA8B;AAC9B,6DAAgF;AAAvE,sHAAA,kBAAkB,OAAA;AAAE,oHAAA,gBAAgB,OAAA;AAG7C,0BAA0B;AAC1B,0DAAkG;AAAzF,+GAAA,aAAa,OAAA;AAAE,sHAAA,gBAAgB,OAAwB;AAChE,gDAAyE;AAAhE,sGAAA,SAAS,OAAA;AAAE,qHAAA,wBAAwB,OAAA;AAG5C,8BAA8B;AAC9B,+DASmC;AARjC,yHAAA,oBAAoB,OAAA;AACpB,+GAAA,UAAU,OAAA;AACV,sHAAA,iBAAiB,OAAA;AACjB,gHAAA,WAAW,OAAA;AACX,oHAAA,eAAe,OAAA;AACf,mHAAA,cAAc,OAAA;AACd,mHAAA,cAAc,OAAA;AACd,2GAAA,MAAM,OAAA;AAKR,2DAAyF;AAAhF,+GAAA,YAAY,OAAA;AAAE,8GAAA,WAAW,OAAA;AAAE,0GAAA,OAAO,OAAA;AAAE,6GAAA,UAAU,OAAA"}

package/lib/jwt.js

@@ -1,4 +1,4 @@
-'use strict';
+"use strict";
 /**
  * JWT verification utilities using aws-jwt-verify.
  *
@@ -7,12 +7,12 @@
  *
  * @packageDocumentation
  */
-Object.defineProperty(exports, '__esModule', { value: true });
+Object.defineProperty(exports, "__esModule", { value: true });
 exports.getVerifier = getVerifier;
 exports.verifyToken = verifyToken;
 exports.verifyAndExtract = verifyAndExtract;
 exports.clearVerifierCache = clearVerifierCache;
-const aws_jwt_verify_1 = require('aws-jwt-verify');
+const aws_jwt_verify_1 = require("aws-jwt-verify");
 /** Verifier cache keyed by userPoolId+clientId+tokenUse */
 const verifierCache = new Map();
 /**
@@ -22,7 +22,7 @@ const verifierCache = new Map();
  * @returns Cache key string
  */
 function getCacheKey(config) {
-  return `${config.userPoolId}:${config.clientId}:${config.tokenUse ?? 'access'}`;
+    return `${config.userPoolId}:${config.clientId}:${config.tokenUse ?? 'access'}`;
 }
 /**
  * Gets or creates a verifier for the given configuration.
@@ -40,16 +40,16 @@ function getCacheKey(config) {
  * ```
  */
 function getVerifier(config) {
-  const key = getCacheKey(config);
-  if (!verifierCache.has(key)) {
-    const verifier = aws_jwt_verify_1.CognitoJwtVerifier.create({
-      userPoolId: config.userPoolId,
-      clientId: config.clientId,
-      tokenUse: config.tokenUse ?? 'access',
-    });
-    verifierCache.set(key, verifier);
-  }
-  return verifierCache.get(key);
+    const key = getCacheKey(config);
+    if (!verifierCache.has(key)) {
+        const verifier = aws_jwt_verify_1.CognitoJwtVerifier.create({
+            userPoolId: config.userPoolId,
+            clientId: config.clientId,
+            tokenUse: config.tokenUse ?? 'access',
+        });
+        verifierCache.set(key, verifier);
+    }
+    return verifierCache.get(key);
 }
 /**
  * Verifies a JWT token from Cognito.
@@ -69,10 +69,10 @@ function getVerifier(config) {
  * ```
  */
 async function verifyToken(token, config) {
-  const verifier = getVerifier(config);
-  const payload = await verifier.verify(token);
-  // Cast through unknown to handle aws-jwt-verify's generic payload type
-  return payload;
+    const verifier = getVerifier(config);
+    const payload = await verifier.verify(token);
+    // Cast through unknown to handle aws-jwt-verify's generic payload type
+    return payload;
 }
 /**
  * Verifies a token and returns a normalized result.
@@ -93,13 +93,13 @@ async function verifyToken(token, config) {
  * ```
  */
 async function verifyAndExtract(token, config) {
-  const payload = await verifyToken(token, config);
-  return {
-    userId: payload.sub,
-    email: 'email' in payload ? payload.email : undefined,
-    groups: payload['cognito:groups'] ?? [],
-    payload,
-  };
+    const payload = await verifyToken(token, config);
+    return {
+        userId: payload.sub,
+        email: 'email' in payload ? payload.email : undefined,
+        groups: payload['cognito:groups'] ?? [],
+        payload,
+    };
 }
 /**
  * Clears the verifier cache. Useful for testing.
@@ -112,6 +112,6 @@ async function verifyAndExtract(token, config) {
  * ```
  */
 function clearVerifierCache() {
-  verifierCache.clear();
+    verifierCache.clear();
 }
-//# sourceMappingURL=jwt.js.map
+//# sourceMappingURL=jwt.js.map

package/lib/remix/admin.server.js

@@ -1,4 +1,4 @@
-'use strict';
+"use strict";
 /**
  * Admin and role-based access utilities for Remix.
  *
@@ -6,13 +6,13 @@
  *
  * @packageDocumentation
  */
-Object.defineProperty(exports, '__esModule', { value: true });
+Object.defineProperty(exports, "__esModule", { value: true });
 exports.requireAdmin = requireAdmin;
 exports.requireRole = requireRole;
 exports.hasRole = hasRole;
 exports.hasAnyRole = hasAnyRole;
-const node_1 = require('@remix-run/node');
-const session_server_js_1 = require('./session.server.js');
+const node_1 = require("@remix-run/node");
+const session_server_js_1 = require("./session.server.js");
 /**
  * Requires admin role for accessing a route.
  *
@@ -35,7 +35,7 @@ const session_server_js_1 = require('./session.server.js');
  * ```
  */
 async function requireAdmin(request, storage) {
-  return requireRole(request, ['admin'], storage);
+    return requireRole(request, ['admin'], storage);
 }
 /**
  * Requires any of the specified roles for accessing a route.
@@ -60,25 +60,22 @@ async function requireAdmin(request, storage) {
  * ```
  */
 async function requireRole(request, roles, storage) {
-  // First ensure user is authenticated
-  const userId = await (0, session_server_js_1.requireAuth)(request, '/login', storage);
-  // Get user's groups from session
-  const session = await (0, session_server_js_1.getSession)(request, storage);
-  const userGroups = session.get('groups') ?? [];
-  // Check if user has at least one required role
-  const hasRequiredRole = roles.some((role) => userGroups.includes(role));
-  if (!hasRequiredRole) {
-    throw (0, node_1.json)(
-      {
-        error: {
-          code: 'FORBIDDEN',
-          message: `Required role: ${roles.join(' or ')}`,
-        },
-      },
-      { status: 403 }
-    );
-  }
-  return userId;
+    // First ensure user is authenticated
+    const userId = await (0, session_server_js_1.requireAuth)(request, '/login', storage);
+    // Get user's groups from session
+    const session = await (0, session_server_js_1.getSession)(request, storage);
+    const userGroups = session.get('groups') ?? [];
+    // Check if user has at least one required role
+    const hasRequiredRole = roles.some((role) => userGroups.includes(role));
+    if (!hasRequiredRole) {
+        throw (0, node_1.json)({
+            error: {
+                code: 'FORBIDDEN',
+                message: `Required role: ${roles.join(' or ')}`,
+            },
+        }, { status: 403 });
+    }
+    return userId;
 }
 /**
  * Checks if the user has a specific role.
@@ -100,17 +97,18 @@ async function requireRole(request, roles, storage) {
  * ```
  */
 async function hasRole(request, role, storage) {
-  try {
-    const session = await (0, session_server_js_1.getSession)(request, storage);
-    const userId = session.get('userId');
-    if (!userId) {
-      return false;
+    try {
+        const session = await (0, session_server_js_1.getSession)(request, storage);
+        const userId = session.get('userId');
+        if (!userId) {
+            return false;
+        }
+        const userGroups = session.get('groups') ?? [];
+        return userGroups.includes(role);
+    }
+    catch {
+        return false;
     }
-    const userGroups = session.get('groups') ?? [];
-    return userGroups.includes(role);
-  } catch {
-    return false;
-  }
 }
 /**
  * Checks if the user has any of the specified roles.
@@ -131,16 +129,17 @@ async function hasRole(request, role, storage) {
  * ```
  */
 async function hasAnyRole(request, roles, storage) {
-  try {
-    const session = await (0, session_server_js_1.getSession)(request, storage);
-    const userId = session.get('userId');
-    if (!userId) {
-      return false;
+    try {
+        const session = await (0, session_server_js_1.getSession)(request, storage);
+        const userId = session.get('userId');
+        if (!userId) {
+            return false;
+        }
+        const userGroups = session.get('groups') ?? [];
+        return roles.some((role) => userGroups.includes(role));
+    }
+    catch {
+        return false;
     }
-    const userGroups = session.get('groups') ?? [];
-    return roles.some((role) => userGroups.includes(role));
-  } catch {
-    return false;
-  }
 }
-//# sourceMappingURL=admin.server.js.map
+//# sourceMappingURL=admin.server.js.map

package/lib/remix/index.d.ts

@@ -3,15 +3,7 @@
  *
  * @packageDocumentation
  */
-export {
-  createSessionStorage,
-  getSession,
-  createUserSession,
-  requireAuth,
-  getOptionalUser,
-  getUserSession,
-  logout,
-  resetDefaultStorage,
-} from './session.server.js';
+export { createSessionStorage, getSession, createUserSession, requireAuth, getOptionalUser, getUserSession, getAccessToken, logout, resetDefaultStorage, } from './session.server.js';
+export type { GetAccessTokenConfig } from './session.server.js';
 export { requireAdmin, requireRole, hasRole, hasAnyRole } from './admin.server.js';
-//# sourceMappingURL=index.d.ts.map
+//# sourceMappingURL=index.d.ts.map

package/lib/remix/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/remix/index.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,EACL,oBAAoB,EACpB,UAAU,EACV,iBAAiB,EACjB,WAAW,EACX,eAAe,EACf,cAAc,EACd,MAAM,EACN,mBAAmB,GACpB,MAAM,qBAAqB,CAAC;AAE7B,OAAO,EAAE,YAAY,EAAE,WAAW,EAAE,OAAO,EAAE,UAAU,EAAE,MAAM,mBAAmB,CAAC"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/remix/index.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,EACL,oBAAoB,EACpB,UAAU,EACV,iBAAiB,EACjB,WAAW,EACX,eAAe,EACf,cAAc,EACd,cAAc,EACd,MAAM,EACN,mBAAmB,GACpB,MAAM,qBAAqB,CAAC;AAE7B,YAAY,EAAE,oBAAoB,EAAE,MAAM,qBAAqB,CAAC;AAEhE,OAAO,EAAE,YAAY,EAAE,WAAW,EAAE,OAAO,EAAE,UAAU,EAAE,MAAM,mBAAmB,CAAC"}