@glideidentity/glide-be-sdk-node 2.0.1

package/dist/internal/oauth.js

@@ -0,0 +1,139 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.OAuthClient = exports.OAuthError = exports.OAuthManager = void 0;
+const http_1 = require("./http");
+/** Default buffer time (seconds) before token expiry to trigger refresh. */
+const DEFAULT_TOKEN_REFRESH_BUFFER_SECONDS = 60;
+/**
+ * OAuth2 Client Credentials authentication manager.
+ * Manages token fetching and caching with automatic refresh before expiry.
+ */
+class OAuthManager {
+    constructor(clientId, clientSecret, baseUrl, logger, refreshBuffer = DEFAULT_TOKEN_REFRESH_BUFFER_SECONDS) {
+        this.cachedToken = null;
+        /** Pending token fetch promise for request deduplication. */
+        this.pendingTokenPromise = null;
+        this.clientId = clientId;
+        this.clientSecret = clientSecret;
+        this.tokenUrl = `${baseUrl}/oauth2-cc/token`;
+        this.refreshBuffer = refreshBuffer;
+        this.logger = logger;
+    }
+    /**
+     * Gets a valid access token, fetching a new one if necessary.
+     * Implements lazy refresh - tokens are refreshed before they expire.
+     * Uses pending promise deduplication to prevent multiple concurrent token fetches.
+     */
+    async getAccessToken() {
+        if (this.isTokenValid()) {
+            this.logger.debug('Using cached access token');
+            return this.cachedToken.accessToken;
+        }
+        // If a token fetch is already in progress, await the same promise
+        if (this.pendingTokenPromise) {
+            this.logger.debug('Awaiting pending token fetch');
+            return this.pendingTokenPromise;
+        }
+        this.logger.debug('Fetching new access token', { tokenUrl: this.tokenUrl });
+        // Store the promise to deduplicate concurrent requests
+        this.pendingTokenPromise = this.fetchAndCacheToken();
+        try {
+            return await this.pendingTokenPromise;
+        }
+        finally {
+            // Clear pending promise when fetch completes (success or failure)
+            this.pendingTokenPromise = null;
+        }
+    }
+    /**
+     * Fetches and caches a new token. Separated for promise deduplication.
+     */
+    async fetchAndCacheToken() {
+        const token = await this.fetchToken();
+        this.cacheToken(token);
+        return token.access_token;
+    }
+    /**
+     * Checks if the cached token is still valid (not expired or about to expire).
+     */
+    isTokenValid() {
+        if (!this.cachedToken) {
+            return false;
+        }
+        const now = Date.now();
+        const bufferMs = this.refreshBuffer * 1000;
+        const isValid = this.cachedToken.expiresAt - bufferMs > now;
+        if (!isValid) {
+            this.logger.debug('Cached token expired or within refresh buffer');
+        }
+        return isValid;
+    }
+    /**
+     * Fetches a new access token from the OAuth2 token endpoint.
+     * Uses HTTP Basic authentication with base64-encoded credentials.
+     * Most OAuth2 servers expect raw client credentials to be base64-encoded directly
+     * in the Authorization header without additional URL-encoding.
+     *
+     */
+    async fetchToken() {
+        const credentials = Buffer.from(`${this.clientId}:${this.clientSecret}`).toString('base64');
+        try {
+            const response = await (0, http_1.request)(this.tokenUrl, {
+                method: 'POST',
+                headers: {
+                    'Content-Type': 'application/x-www-form-urlencoded',
+                    'Authorization': `Basic ${credentials}`,
+                    'Accept': 'application/json',
+                },
+                body: 'grant_type=client_credentials',
+            });
+            const tokenResponse = response.json();
+            this.logger.debug('Access token obtained successfully', {
+                tokenType: tokenResponse.token_type,
+                expiresIn: tokenResponse.expires_in,
+            });
+            return tokenResponse;
+        }
+        catch (error) {
+            if (error instanceof http_1.FetchError) {
+                this.logger.error('Failed to obtain access token', {
+                    status: error.response.statusCode,
+                    message: error.message,
+                });
+                throw new OAuthError(error.response.statusCode || 500, error.response.statusMessage || 'Unknown error');
+            }
+            throw error;
+        }
+    }
+    /**
+     * Caches the token with its expiration time.
+     */
+    cacheToken(token) {
+        const now = Date.now();
+        this.cachedToken = {
+            accessToken: token.access_token,
+            expiresAt: now + (token.expires_in * 1000),
+        };
+        this.logger.debug('Token cached', {
+            expiresAt: new Date(this.cachedToken.expiresAt).toISOString(),
+        });
+    }
+    /**
+     * Clears the cached token. Useful for forcing a token refresh.
+     */
+    clearCache() {
+        this.cachedToken = null;
+        this.logger.debug('Token cache cleared');
+    }
+}
+exports.OAuthManager = OAuthManager;
+exports.OAuthClient = OAuthManager;
+class OAuthError extends Error {
+    constructor(statusCode, statusMessage) {
+        super(`OAuth2 token request failed: ${statusCode} ${statusMessage}`);
+        this.name = 'OAuthError';
+        this.statusCode = statusCode;
+        this.statusMessage = statusMessage;
+    }
+}
+exports.OAuthError = OAuthError;

package/dist/logger.d.ts

@@ -0,0 +1,28 @@
+import type { LogFormat } from './types';
+/** Log severity levels. */
+export declare enum LogLevel {
+    DEBUG = 0,
+    INFO = 1,
+    WARN = 2,
+    ERROR = 3
+}
+/** Structured log field. */
+export interface LogField {
+    [key: string]: unknown;
+}
+/** Logger interface for custom implementations. */
+export interface Logger {
+    debug(message: string, fields?: LogField): void;
+    info(message: string, fields?: LogField): void;
+    warn(message: string, fields?: LogField): void;
+    error(message: string, fields?: LogField): void;
+}
+/**
+ * Creates a logger instance.
+ * @param logLevel - Log level. Defaults to GLIDE_LOG_LEVEL env var or INFO.
+ * @param logFormat - Output format: 'text' or 'json'.
+ */
+export declare function createLogger(logLevel?: LogLevel, logFormat?: LogFormat): Logger;
+/** Generates a unique request ID. */
+export declare function generateRequestId(): string;
+//# sourceMappingURL=logger.d.ts.map

package/dist/logger.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"logger.d.ts","sourceRoot":"","sources":["../src/logger.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,SAAS,CAAC;AAEzC,2BAA2B;AAC3B,oBAAY,QAAQ;IAChB,KAAK,IAAI;IACT,IAAI,IAAI;IACR,IAAI,IAAI;IACR,KAAK,IAAI;CACZ;AAED,4BAA4B;AAC5B,MAAM,WAAW,QAAQ;IACrB,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC;CAC1B;AAED,mDAAmD;AACnD,MAAM,WAAW,MAAM;IACnB,KAAK,CAAC,OAAO,EAAE,MAAM,EAAE,MAAM,CAAC,EAAE,QAAQ,GAAG,IAAI,CAAC;IAChD,IAAI,CAAC,OAAO,EAAE,MAAM,EAAE,MAAM,CAAC,EAAE,QAAQ,GAAG,IAAI,CAAC;IAC/C,IAAI,CAAC,OAAO,EAAE,MAAM,EAAE,MAAM,CAAC,EAAE,QAAQ,GAAG,IAAI,CAAC;IAC/C,KAAK,CAAC,OAAO,EAAE,MAAM,EAAE,MAAM,CAAC,EAAE,QAAQ,GAAG,IAAI,CAAC;CACnD;AAiHD;;;;GAIG;AACH,wBAAgB,YAAY,CAAC,QAAQ,CAAC,EAAE,QAAQ,EAAE,SAAS,CAAC,EAAE,SAAS,GAAG,MAAM,CAG/E;AAED,qCAAqC;AACrC,wBAAgB,iBAAiB,IAAI,MAAM,CAE1C"}

package/dist/logger.js

@@ -0,0 +1,118 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.LogLevel = void 0;
+exports.createLogger = createLogger;
+exports.generateRequestId = generateRequestId;
+/** Log severity levels. */
+var LogLevel;
+(function (LogLevel) {
+    LogLevel[LogLevel["DEBUG"] = 0] = "DEBUG";
+    LogLevel[LogLevel["INFO"] = 1] = "INFO";
+    LogLevel[LogLevel["WARN"] = 2] = "WARN";
+    LogLevel[LogLevel["ERROR"] = 3] = "ERROR";
+})(LogLevel || (exports.LogLevel = LogLevel = {}));
+const SENSITIVE_KEYS = [
+    'apikey', 'api_key', 'api-key', 'token', 'password', 'secret',
+    'credential', 'authorization', 'bearer', 'key'
+];
+const SENSITIVE_PATTERN = new RegExp(`(${SENSITIVE_KEYS.join('|')})([=:\\s"']+)([^\\s"'&,}{\\]\\)]+)`, 'gi');
+function sanitizeMessage(message) {
+    return message.replace(SENSITIVE_PATTERN, '$1$2***');
+}
+function sanitizeValue(key, value) {
+    if (typeof value !== 'string') {
+        if (value && typeof value === 'object' && !Array.isArray(value)) {
+            return sanitizeObject(value);
+        }
+        return value;
+    }
+    const lowerKey = key.toLowerCase();
+    for (const pattern of SENSITIVE_KEYS) {
+        if (lowerKey.includes(pattern)) {
+            return '***';
+        }
+    }
+    if (value.startsWith('eyJ') && value.split('.').length === 3) {
+        return '***';
+    }
+    return value;
+}
+function sanitizeObject(obj) {
+    const result = {};
+    for (const [key, value] of Object.entries(obj)) {
+        result[key] = sanitizeValue(key, value);
+    }
+    return result;
+}
+class DefaultLogger {
+    constructor(level = LogLevel.INFO, prefix = '[Glide]', format = 'text') {
+        this.level = level;
+        this.prefix = prefix;
+        this.format = format;
+    }
+    debug(message, fields) {
+        if (this.level <= LogLevel.DEBUG)
+            this.log('DEBUG', message, fields);
+    }
+    info(message, fields) {
+        if (this.level <= LogLevel.INFO)
+            this.log('INFO', message, fields);
+    }
+    warn(message, fields) {
+        if (this.level <= LogLevel.WARN)
+            this.log('WARN', message, fields);
+    }
+    error(message, fields) {
+        if (this.level <= LogLevel.ERROR)
+            this.log('ERROR', message, fields);
+    }
+    log(level, message, fields) {
+        const timestamp = new Date().toISOString();
+        const sanitizedMessage = sanitizeMessage(message);
+        const sanitizedFields = fields ? sanitizeObject(fields) : {};
+        if (this.format === 'json') {
+            const logEntry = { timestamp, level, message: sanitizedMessage, ...sanitizedFields };
+            console.log(JSON.stringify(logEntry));
+            return;
+        }
+        const fieldsStr = Object.keys(sanitizedFields).length > 0
+            ? ' ' + Object.entries(sanitizedFields).map(([k, v]) => `${k}=${JSON.stringify(v)}`).join(' ')
+            : '';
+        const output = `${this.prefix} ${timestamp} [${level}] ${sanitizedMessage}${fieldsStr}`;
+        if (level === 'ERROR')
+            console.error(output);
+        else if (level === 'WARN')
+            console.warn(output);
+        else
+            console.log(output);
+    }
+}
+function parseLogLevel(level) {
+    switch (level.toLowerCase()) {
+        case 'debug': return LogLevel.DEBUG;
+        case 'info': return LogLevel.INFO;
+        case 'warn':
+        case 'warning': return LogLevel.WARN;
+        case 'error': return LogLevel.ERROR;
+        default: return LogLevel.INFO;
+    }
+}
+function getLogLevelFromEnv() {
+    const envLogLevel = process.env.GLIDE_LOG_LEVEL;
+    if (envLogLevel)
+        return parseLogLevel(envLogLevel);
+    return LogLevel.INFO;
+}
+/**
+ * Creates a logger instance.
+ * @param logLevel - Log level. Defaults to GLIDE_LOG_LEVEL env var or INFO.
+ * @param logFormat - Output format: 'text' or 'json'.
+ */
+function createLogger(logLevel, logFormat) {
+    const level = logLevel ?? getLogLevelFromEnv();
+    return new DefaultLogger(level, '[Glide]', logFormat || 'text');
+}
+/** Generates a unique request ID. */
+function generateRequestId() {
+    return `req_${Date.now()}_${Math.random().toString(36).substring(2, 9)}`;
+}

package/dist/services/magical-auth.d.ts

@@ -0,0 +1,32 @@
+import { GlideSdkSettings } from '../types';
+import { Logger } from '../logger';
+import { OAuthManager } from '../internal/oauth';
+import type { PrepareRequest, PrepareResponse, VerifyPhoneNumberRequest, VerifyPhoneNumberResponse, GetPhoneNumberRequest, GetPhoneNumberResponse, ReportInvocationRequest, ReportInvocationResponse } from '@glideidentity/glide-be-sdk-node-core';
+/** Handles SIM-based phone authentication via the Glide API. */
+export declare class MagicalAuth {
+    private settings;
+    private oauthClient;
+    private logger;
+    constructor(settings: GlideSdkSettings, oauthClient: OAuthManager, logger: Logger);
+    /** Initiates a phone authentication session. */
+    prepare(req: PrepareRequest): Promise<PrepareResponse>;
+    /** Verifies a phone number matches the device. */
+    verifyPhoneNumber(req: VerifyPhoneNumberRequest): Promise<VerifyPhoneNumberResponse>;
+    /** Retrieves the phone number. */
+    getPhoneNumber(req: GetPhoneNumberRequest): Promise<GetPhoneNumberResponse>;
+    /**
+     * Report that an authentication flow was started.
+     *
+     * Returns the server response. For fire-and-forget usage, callers can ignore the response:
+     * ```typescript
+     * glide.magicAuth.reportInvocation({ session_id }).catch(() => {}); // fire-and-forget
+     * const result = await glide.magicAuth.reportInvocation({ session_id }); // with response
+     * ```
+     *
+     * @param req - Request containing session_id from prepare response
+     * @returns Response with success status
+     */
+    reportInvocation(req: ReportInvocationRequest): Promise<ReportInvocationResponse>;
+    private handleError;
+}
+//# sourceMappingURL=magical-auth.d.ts.map

package/dist/services/magical-auth.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"magical-auth.d.ts","sourceRoot":"","sources":["../../src/services/magical-auth.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,gBAAgB,EAAE,MAAM,UAAU,CAAC;AAC5C,OAAO,EAAE,MAAM,EAAE,MAAM,WAAW,CAAC;AAEnC,OAAO,EAAE,YAAY,EAAc,MAAM,mBAAmB,CAAC;AAG7D,OAAO,KAAK,EACR,cAAc,EACd,eAAe,EACf,wBAAwB,EACxB,yBAAyB,EACzB,qBAAqB,EACrB,sBAAsB,EACtB,uBAAuB,EACvB,wBAAwB,EAC3B,MAAM,uCAAuC,CAAC;AAa/C,gEAAgE;AAChE,qBAAa,WAAW;IACpB,OAAO,CAAC,QAAQ,CAAmB;IACnC,OAAO,CAAC,WAAW,CAAe;IAClC,OAAO,CAAC,MAAM,CAAS;gBAEX,QAAQ,EAAE,gBAAgB,EAAE,WAAW,EAAE,YAAY,EAAE,MAAM,EAAE,MAAM;IAMjF,gDAAgD;IAC1C,OAAO,CAAC,GAAG,EAAE,cAAc,GAAG,OAAO,CAAC,eAAe,CAAC;IAkF5D,kDAAkD;IAC5C,iBAAiB,CAAC,GAAG,EAAE,wBAAwB,GAAG,OAAO,CAAC,yBAAyB,CAAC;IA8C1F,kCAAkC;IAC5B,cAAc,CAAC,GAAG,EAAE,qBAAqB,GAAG,OAAO,CAAC,sBAAsB,CAAC;IA8CjF;;;;;;;;;;;OAWG;IACG,gBAAgB,CAAC,GAAG,EAAE,uBAAuB,GAAG,OAAO,CAAC,wBAAwB,CAAC;IAsCvF,OAAO,CAAC,WAAW;CAyCtB"}

package/dist/services/magical-auth.js

@@ -0,0 +1,265 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.MagicalAuth = void 0;
+const http_1 = require("../internal/http");
+const oauth_1 = require("../internal/oauth");
+const errors_1 = require("../errors");
+const validation_1 = require("../validation");
+function generateNonce(length = 32) {
+    const chars = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789';
+    let result = '';
+    const randomValues = new Uint8Array(length);
+    crypto.getRandomValues(randomValues);
+    for (let i = 0; i < length; i++) {
+        result += chars[randomValues[i] % chars.length];
+    }
+    return result;
+}
+/** Handles SIM-based phone authentication via the Glide API. */
+class MagicalAuth {
+    constructor(settings, oauthClient, logger) {
+        this.settings = settings;
+        this.oauthClient = oauthClient;
+        this.logger = logger;
+    }
+    /** Initiates a phone authentication session. */
+    async prepare(req) {
+        const hasParentSession = req.options?.parent_session_id;
+        if (!hasParentSession) {
+            const useCaseValidation = (0, validation_1.validateUseCaseRequirements)(req.use_case, req.phone_number, req.plmn);
+            if (!useCaseValidation.valid) {
+                throw new errors_1.MagicalAuthError({
+                    code: useCaseValidation.errorCode || errors_1.ErrorCode.INVALID_USE_CASE,
+                    message: useCaseValidation.error,
+                    status: 400,
+                    details: useCaseValidation.details
+                });
+            }
+        }
+        if (req.phone_number) {
+            const phoneValidation = (0, validation_1.validatePhoneNumber)(req.phone_number);
+            if (!phoneValidation.valid) {
+                throw new errors_1.MagicalAuthError({
+                    code: errors_1.ErrorCode.INVALID_PHONE_NUMBER,
+                    message: phoneValidation.error,
+                    status: 400
+                });
+            }
+        }
+        if (req.plmn) {
+            const plmnValidation = (0, validation_1.validatePlmn)(req.plmn);
+            if (!plmnValidation.valid) {
+                throw new errors_1.MagicalAuthError({
+                    code: errors_1.ErrorCode.MISSING_REQUIRED_FIELD,
+                    message: plmnValidation.error,
+                    status: 400
+                });
+            }
+        }
+        const nonce = req.nonce || generateNonce();
+        const body = { nonce };
+        if (req.use_case)
+            body.use_case = req.use_case;
+        if (req.phone_number)
+            body.phone_number = req.phone_number;
+        if (req.plmn)
+            body.plmn = req.plmn;
+        if (req.consent_data)
+            body.consent_data = req.consent_data;
+        if (req.client_info) {
+            body.client_info = {
+                user_agent: req.client_info.user_agent || 'unknown',
+                platform: req.client_info.platform || 'unknown'
+            };
+        }
+        if (req.options)
+            body.options = req.options;
+        const url = `${this.settings.baseUrl}/magic-auth/v2/auth/prepare`;
+        this.logger.debug('Prepare request', { url });
+        try {
+            const accessToken = await this.oauthClient.getAccessToken();
+            const response = await (0, http_1.request)(url, {
+                method: 'POST',
+                headers: {
+                    'Content-Type': 'application/json',
+                    'Accept': 'application/json',
+                    'Authorization': `Bearer ${accessToken}`,
+                },
+                body: JSON.stringify(body),
+            });
+            const result = response.json();
+            this.logger.debug('Prepare completed', { strategy: result.authentication_strategy });
+            return result;
+        }
+        catch (error) {
+            this.handleError(error);
+        }
+    }
+    /** Verifies a phone number matches the device. */
+    async verifyPhoneNumber(req) {
+        if (!req.session?.session_key) {
+            throw new errors_1.MagicalAuthError({
+                code: errors_1.ErrorCode.MISSING_REQUIRED_FIELD,
+                message: 'Session is required',
+                status: 400
+            });
+        }
+        if (!req.credential) {
+            throw new errors_1.MagicalAuthError({
+                code: errors_1.ErrorCode.MISSING_REQUIRED_FIELD,
+                message: 'Credential is required',
+                status: 400
+            });
+        }
+        const body = {
+            session: req.session,
+            credential: req.credential,
+        };
+        const url = `${this.settings.baseUrl}/magic-auth/v2/auth/verify-phone-number`;
+        this.logger.debug('VerifyPhoneNumber request', { url });
+        try {
+            const accessToken = await this.oauthClient.getAccessToken();
+            const response = await (0, http_1.request)(url, {
+                method: 'POST',
+                headers: {
+                    'Content-Type': 'application/json',
+                    'Accept': 'application/json',
+                    'Authorization': `Bearer ${accessToken}`,
+                },
+                body: JSON.stringify(body),
+            });
+            const result = response.json();
+            this.logger.debug('VerifyPhoneNumber completed', { verified: result.verified });
+            return result;
+        }
+        catch (error) {
+            this.handleError(error);
+        }
+    }
+    /** Retrieves the phone number. */
+    async getPhoneNumber(req) {
+        if (!req.session?.session_key) {
+            throw new errors_1.MagicalAuthError({
+                code: errors_1.ErrorCode.MISSING_REQUIRED_FIELD,
+                message: 'Session is required',
+                status: 400
+            });
+        }
+        if (!req.credential) {
+            throw new errors_1.MagicalAuthError({
+                code: errors_1.ErrorCode.MISSING_REQUIRED_FIELD,
+                message: 'Credential is required',
+                status: 400
+            });
+        }
+        const body = {
+            session: req.session,
+            credential: req.credential,
+        };
+        const url = `${this.settings.baseUrl}/magic-auth/v2/auth/get-phone-number`;
+        this.logger.debug('GetPhoneNumber request', { url });
+        try {
+            const accessToken = await this.oauthClient.getAccessToken();
+            const response = await (0, http_1.request)(url, {
+                method: 'POST',
+                headers: {
+                    'Content-Type': 'application/json',
+                    'Accept': 'application/json',
+                    'Authorization': `Bearer ${accessToken}`,
+                },
+                body: JSON.stringify(body),
+            });
+            const result = response.json();
+            this.logger.debug('GetPhoneNumber completed', { phone_number: result.phone_number });
+            return result;
+        }
+        catch (error) {
+            this.handleError(error);
+        }
+    }
+    /**
+     * Report that an authentication flow was started.
+     *
+     * Returns the server response. For fire-and-forget usage, callers can ignore the response:
+     * ```typescript
+     * glide.magicAuth.reportInvocation({ session_id }).catch(() => {}); // fire-and-forget
+     * const result = await glide.magicAuth.reportInvocation({ session_id }); // with response
+     * ```
+     *
+     * @param req - Request containing session_id from prepare response
+     * @returns Response with success status
+     */
+    async reportInvocation(req) {
+        if (!req.session_id) {
+            throw new errors_1.MagicalAuthError({
+                code: errors_1.ErrorCode.MISSING_REQUIRED_FIELD,
+                message: 'session_id is required',
+                status: 400
+            });
+        }
+        const body = {
+            session_id: req.session_id,
+        };
+        const url = `${this.settings.baseUrl}/magic-auth/v2/auth/report-invocation`;
+        this.logger.debug('ReportInvocation request', { url, session_id: req.session_id });
+        try {
+            const accessToken = await this.oauthClient.getAccessToken();
+            const response = await (0, http_1.request)(url, {
+                method: 'POST',
+                headers: {
+                    'Content-Type': 'application/json',
+                    'Accept': 'application/json',
+                    'Authorization': `Bearer ${accessToken}`,
+                },
+                body: JSON.stringify(body),
+            });
+            const result = await response.json();
+            this.logger.debug('ReportInvocation completed', { session_id: req.session_id, success: result.success });
+            return result;
+        }
+        catch (error) {
+            this.handleError(error);
+        }
+    }
+    handleError(error) {
+        if (error instanceof http_1.FetchError) {
+            let errorData;
+            try {
+                errorData = JSON.parse(error.data);
+            }
+            catch {
+                throw new errors_1.MagicalAuthError({
+                    code: errors_1.ErrorCode.INTERNAL_SERVER_ERROR,
+                    message: error.message,
+                    status: error.response.statusCode || 500
+                });
+            }
+            throw new errors_1.MagicalAuthError({
+                ...errorData,
+                status: error.response.statusCode || 500
+            });
+        }
+        // Wrap OAuth and other errors in MagicalAuthError for consistent error handling
+        if (error instanceof oauth_1.OAuthError) {
+            throw new errors_1.MagicalAuthError({
+                code: errors_1.ErrorCode.AUTHENTICATION_FAILED,
+                message: error.message,
+                status: error.statusCode || 401
+            });
+        }
+        if (error instanceof Error) {
+            throw new errors_1.MagicalAuthError({
+                code: errors_1.ErrorCode.INTERNAL_SERVER_ERROR,
+                message: error.message,
+                status: 500
+            });
+        }
+        // Unknown error type - wrap with generic message
+        throw new errors_1.MagicalAuthError({
+            code: errors_1.ErrorCode.INTERNAL_SERVER_ERROR,
+            message: 'An unexpected error occurred',
+            status: 500
+        });
+    }
+}
+exports.MagicalAuth = MagicalAuth;

package/dist/types.d.ts

@@ -0,0 +1,39 @@
+import { Logger, LogLevel } from './logger';
+/** Log output format. */
+export type LogFormat = 'json' | 'text';
+/** OAuth2 token response from the token endpoint. */
+export interface TokenResponse {
+    /** The access token to use for API calls. */
+    access_token: string;
+    /** Token type (typically "Bearer"). */
+    token_type: string;
+    /** Grant type used. */
+    grant_type: string;
+    /** Token lifetime in seconds. */
+    expires_in: number;
+}
+/** Cached token with expiration tracking. */
+export interface CachedToken {
+    /** The access token. */
+    accessToken: string;
+    /** Timestamp (ms) when the token expires. */
+    expiresAt: number;
+}
+/** Client configuration options. */
+export interface GlideSdkSettings {
+    /** OAuth2 Client ID (required). */
+    clientId: string;
+    /** OAuth2 Client Secret (required). */
+    clientSecret: string;
+    /** API base URL. Defaults to production. */
+    baseUrl?: string;
+    /** Log output format. */
+    logFormat?: LogFormat;
+    /** Log level. */
+    logLevel?: LogLevel;
+    /** Custom logger implementation. */
+    logger?: Logger;
+    /** Buffer time in seconds before token expiry to trigger refresh. Defaults to 60. */
+    tokenRefreshBuffer?: number;
+}
+//# sourceMappingURL=types.d.ts.map

package/dist/types.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../src/types.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,UAAU,CAAC;AAE5C,yBAAyB;AACzB,MAAM,MAAM,SAAS,GAAG,MAAM,GAAG,MAAM,CAAC;AAExC,qDAAqD;AACrD,MAAM,WAAW,aAAa;IAC1B,6CAA6C;IAC7C,YAAY,EAAE,MAAM,CAAC;IACrB,uCAAuC;IACvC,UAAU,EAAE,MAAM,CAAC;IACnB,uBAAuB;IACvB,UAAU,EAAE,MAAM,CAAC;IACnB,iCAAiC;IACjC,UAAU,EAAE,MAAM,CAAC;CACtB;AAED,6CAA6C;AAC7C,MAAM,WAAW,WAAW;IACxB,wBAAwB;IACxB,WAAW,EAAE,MAAM,CAAC;IACpB,6CAA6C;IAC7C,SAAS,EAAE,MAAM,CAAC;CACrB;AAED,oCAAoC;AACpC,MAAM,WAAW,gBAAgB;IAC7B,mCAAmC;IACnC,QAAQ,EAAE,MAAM,CAAC;IACjB,uCAAuC;IACvC,YAAY,EAAE,MAAM,CAAC;IACrB,4CAA4C;IAC5C,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,yBAAyB;IACzB,SAAS,CAAC,EAAE,SAAS,CAAC;IACtB,iBAAiB;IACjB,QAAQ,CAAC,EAAE,QAAQ,CAAC;IACpB,oCAAoC;IACpC,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,qFAAqF;IACrF,kBAAkB,CAAC,EAAE,MAAM,CAAC;CAC/B"}

package/dist/types.js

@@ -0,0 +1,2 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });

package/dist/utils.d.ts

@@ -0,0 +1,10 @@
+import { PrepareResponse } from '@glideidentity/glide-be-sdk-node-core';
+/**
+ * Extract status_url from PrepareResponse strategy-specific data.
+ * Works for both Link and Desktop strategies.
+ *
+ * @param response - The prepare response
+ * @returns Status URL for polling, or undefined if not available (e.g., TS43 strategy)
+ */
+export declare function getStatusUrl(response: PrepareResponse): string | undefined;
+//# sourceMappingURL=utils.d.ts.map

package/dist/utils.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"utils.d.ts","sourceRoot":"","sources":["../src/utils.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,eAAe,EAAiD,MAAM,uCAAuC,CAAC;AAEvH;;;;;;GAMG;AACH,wBAAgB,YAAY,CAAC,QAAQ,EAAE,eAAe,GAAG,MAAM,GAAG,SAAS,CAe1E"}

package/dist/utils.js

@@ -0,0 +1,24 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.getStatusUrl = getStatusUrl;
+const glide_be_sdk_node_core_1 = require("@glideidentity/glide-be-sdk-node-core");
+/**
+ * Extract status_url from PrepareResponse strategy-specific data.
+ * Works for both Link and Desktop strategies.
+ *
+ * @param response - The prepare response
+ * @returns Status URL for polling, or undefined if not available (e.g., TS43 strategy)
+ */
+function getStatusUrl(response) {
+    if (!response?.data || !response.authentication_strategy) {
+        return undefined;
+    }
+    if (response.authentication_strategy === glide_be_sdk_node_core_1.AuthenticationStrategy.LINK) {
+        return response.data.status_url;
+    }
+    if (response.authentication_strategy === glide_be_sdk_node_core_1.AuthenticationStrategy.DESKTOP) {
+        return response.data.data?.status_url;
+    }
+    // TS43 strategy doesn't use polling
+    return undefined;
+}