@health-samurai/aidbox-client 0.0.0-alpha.2 → 0.0.0-alpha.4

package/README.md

@@ -1,6 +1,6 @@
 # Typescript FHIR client
 
-A typescript client for interacting with a FHIR server.
+A TypeScript client for interacting with a FHIR server.
 
 ## Usage
 
@@ -8,21 +8,207 @@ The client is created with the `makeClient` function:
 
 ```typescript
 const baseUrl = "https://fhir-server.address";
-const client = makeClient({
+const client = new AidboxClient(
   baseUrl,
-  authProvider: new BrowserAuthProvider(baseUrl);
+  new BrowserAuthProvider(baseUrl),
+);
+```
+
+## Documentation
+
+Documentation is generated automatically, and can be found [here](https://healthsamurai.github.io/aidbox-ts-sdk/aidbox-client/).
+
+## Type Generator
+
+This project is designed around the type generator that provides FHIR types based on the specified package.
+However, not all types are provided in the client itself, only the necessary ones, like `Bundle`, and `OperationOutcome`.
+If your application requires more types, use [atomic-ehr/codegen](https://github.com/atomic-ehr/codegen) to generate more types.
+
+For example, using `atomic-ehr/codegen`, we can generate and import an `Observation` type, and ensure that all fields are provided when creating a resource:
+
+```typescript
+import type { Observation } from "hl7-fhir-r4-core";
+
+client.create<Observation>({
+  resourceType: "Observation",
+  status: "final",
+  code: {
+    coding: [{
+      system: "http://loinc.org",
+      code: "59408-5",
+      display: "Blood pressure systolic & diastolic"
+    }],
+    text: "Blood pressure"
+  },
+  subject: {
+    reference: "Patient/pt-1"
+  },
+  effectiveDateTime: "2025-12-05T00:00:00Z",
+  valueString: "minimal"
+})
+```
+
+The default set of types in the client is based on FHIR R4 Core.
+If your application requires a different set of types, it is possible to override that through type parameters when creating a client:
+
+```typescript
+import type * as R5 from "hl7-fhir-r5-core";
+import type { User } from "@health-samurai/aidbox-client";
+
+const baseUrl = "https://fhir-server.address";
+
+const client = new AidboxClient<R5.Bundle, R5.OperationOutcome, User> (
+  baseUrl,
+  new BrowserAuthProvider(baseUrl),
+);
+```
+
+## [FHIR Interactions](https://hl7.org/fhir/http.html)
+
+This client provides a set of methods to work with a FHIR server in a more convenient way:
+
+- Instance Level Interaction
+  - `read` - Read the current state of the resource
+  - `vread` - Read the state of a specific version of the resource
+  - `update` - Update an existing resource by its id (or create it if it is new)
+  - `conditionalUpdate` - Update an existing resource based on some identification criteria (or create it if it is new).
+  - `patch` - Update an existing resource by posting a set of changes to it.
+  - `conditionalPatch` - Update an existing resource, based on some identification criteria, by posting a set of changes to it.
+  - `delete` - Delete a resource.
+  - `deleteHistory` - Delete all historical versions of a resource.
+  - `deleteHistoryVersion` - Delete a specific version of a resource.
+  - `history` - Retrieve the change history for a particular resource.
+- Type Level Interaction
+  - `create` - Create a new resource with a server assigned id
+  - `conditionalCreate` - Create a new resource with a server assigned id if an equivalent resource does not already exist.
+  - `search` - Search the resource type based on some filter criteria.
+  - `conditionalDelete` - Conditional delete a single or multiple resources based on some identification criteria.
+  - `history` - Retrieve the change history for a particular resource type.
+- Whole System Interaction
+  - `capabilities` - Get a capability statement for the system.
+  - `batch`/`transaction` - Perform multiple interactions (e.g., create, read, update, delete, patch, and/or [extended operations]) in a single interaction.
+  - `delete` - Conditional Delete across all resource types based on some filter criteria.
+  - `history` - Retrieve the change history for all resources.
+  - `search` - Search across all resource types based on some filter criteria.
+- Compartment Interaction
+  - `search` - Search resources associated with a specific compartment instance (see [Search Contexts](https://build.fhir.org/search.html#searchcontexts) and [Compartments](https://build.fhir.org/compartmentdefinition.html))
+- Operations Framework
+  - `operation` - Perform an operation as defined by an `OperationDefinition`.
+  - `validate` - Perform the Validate Operation.
+
+### Patient CRUD Example
+
+Here's an example of
+
+```typescript
+import { AidboxClient, BrowserAuthProvider } from "@health-samurai/aidbox-client";
+import type { Patient } from "hl7-fhir-r4-core";
+import { formatOperationOutcome } from "utils";
+
+const client = new AidboxClient(
+  "http://localhost:8080",
+  new BrowserAuthProvider("http://localhost:8080"),
+);
+
+// Create a new Patient resource
+const result = await client.create<Patient>({
+  type: "Patient",
+  resource: {
+    gender: "female",
+    resourceType: "Patient",
+  },
 });
+
+// Check if interaction was successful
+if (result.isErr())
+  throw Error(formatOperationOutcome(result.value.resource), {
+    cause: result.value.resource,
+  });
+
+const patient = result.value.resource;
+
+if (!patient.id)
+  throw Error(
+    "id is optional in FHIR, so we check it to satisfy the type checker",
+  );
+
+// Updating the patient
+
+patient.name = [
+  {
+    given: ["Jane"],
+    family: "Doe",
+  },
+];
+
+const updateResult = await client.update<Patient>({
+  id: patient.id,
+  type: "Patient",
+  resource: patient,
+});
+
+if (updateResult.isErr())
+  throw Error(formatOperationOutcome(updateResult.value.resource), {
+    cause: updateResult.value.resource,
+  });
+
+// Deleting the patient
+
+const deleteResult = await client.delete<Patient>({
+  id: patient.id,
+  type: "Patient",
+});
+
+if (deleteResult.isErr())
+  throw Error(formatOperationOutcome(deleteResult.value.resource), {
+    cause: deleteResult.value.resource,
+  });
 ```
 
-## Methods
+### Return data format
 
-The client provides two basic methods of interaction:
+As seen in the example above, most methods return a `Result<T, E>` object.
+This object represents a successful or erroneous state of the response.
 
-- `rawRequest` - send request to the FHIR server and recieve response in a raw format
-- `request<T>` - send request to the FHIR server and recieve response with its body parsed to the specified type `T`
+A general usage pattern is as follows:
 
-In successful case, the `rawRequest` returns an object with JavaScript Repsonse, and additional meta information.
-When server responds with an error code, this function throws an error:
+```typescript
+const result = await client.read<Patient>({ type: 'Patient', id: 'patient-id' });
+
+if (result.isErr())
+  throw new Error("error reading Patient", { cause: result.value.resource })
+
+const patient = result.value.resource;
+
+// work with patient.
+```
+
+It is also possible to work with resources without unwrapping the `Result` object:
+
+```typescript
+const result = await client.read<Patient>({ type: 'Patient', id: 'patient-id' });
+
+return result
+  .map(({resource}: {resource: Patient}): Patient => {
+  /* work with Patient resource */
+  })
+  .mapErr(({resource}: {resource: OperationOutcome}): OperationOutcome => {
+  /* work with OperationOutcome resource */
+  });
+  // result is still Result<Patient, OperationOutcome>
+```
+
+See the [documentation](https://healthsamurai.github.io/aidbox-ts-sdk/aidbox-client/) for more info.
+
+## Low-level methods
+
+The client provides two basic methods for writing custom interactions:
+
+- `rawRequest` - send request to the FHIR server and receive response in a raw format
+- `request<T>` - send request to the FHIR server and receive response with its body parsed to the specified type `T`
+
+In a successful case, the `rawRequest` returns an object with JavaScript Response and additional meta information.
+When the server responds with an error code, this function throws an error:
 
 ```typescript
 const result = await client.rawRequest({
@@ -33,7 +219,7 @@ const result = await client.rawRequest({
 }).then((result) => {
   const patient: Patient = await result.response.json();
   // ...
-}).catch ((error) => {
+}).catch((error) => {
   if (error instanceof ErrorResponse) {
     const outcome = await error.responseWithMeta.response.json
     // ...
@@ -41,7 +227,7 @@ const result = await client.rawRequest({
 });
 ```
 
-Alternatively, a `request` method can be used.
+Alternatively, the `request` method can be used.
 It returns a `Result<T, OperationOutcome>`, which contains an already parsed result, coerced to the specified type `T`.
 
 ```typescript
@@ -63,68 +249,111 @@ if (result.isErr()) {
 }
 ```
 
-Both methods can throw `RequestError` class, if the error happened before the request was actually made.
-
-### [FHIR HTTP](https://hl7.org/fhir/http.html) methods:
-
-Additional set of methods is provided to work with FHIR server in a more convinient way:
-
-- [x] Instance Level Interaction
-  - [x] `read` - Read the current state of the resource
-  - [x] `vread` - Read the state of a specific version of the resource
-  - [x] `update` - Update an existing resource by its id (or create it if it is new)
-  - [x] `conditionalUpdate` - Update an existing resource based on some identification criteria (or create it if it is new)
-  - [x] `patch` - Update an existing resource by posting a set of changes to it
-  - [x] `conditionalPatch` - Update an existing resource, based on some identification criteria, by posting a set of changes to it
-  - [x] `delete` - Delete a resource
-  - [x] `deleteHistory` - Delete all historical versions of a resource
-  - [x] `deleteHistoryVersion` - Delete a specific version of a resource
-  - [x] `history` - Retrieve the change history for a particular resource
-- [x] Type Level Interaction
-  - [x] `create` - Create a new resource with a server assigned id
-  - [x] `conditionalCreate` - Create a new resource with a server assigned id if an equivalent resource does not already exist
-  - [x] `search` - Search the resource type based on some filter criteria
-  - [x] `conditionalDelete` - Conditional delete a single or multiple resources based on some identification criteria
-  - [x] `history` - Retrieve the change history for a particular resource type
-- [x] Whole System Interaction
-  - [x] `capabilities` - Get a capability statement for the system
-  - [x] `batch`/`transaction` - Perform multiple interactions (e.g., create, read, update, delete, patch, and/or [extended operations]) in a single interaction
-  - [x] `delete` - Conditional Delete across all resource types based on some filter criteria
-  - [x] `history` - Retrieve the change history for all resources
-  - [x] `search` - Search across all resource types based on some filter criteria
-- [x] Compartment Interaction
-  - [x] `search` - Search resources associated with a specific compartment instance (see [Search Contexts](https://build.fhir.org/search.html#searchcontexts) and [Compartments](https://build.fhir.org/compartmentdefinition.html))
-
-<!--
-TODO: Operations
-https://build.fhir.org/operations.html
--->
-
-## Return data format
-
-Most client methods return a `Result<T, E>` object, with methods to check if the request was successful:
+Both methods can throw the `RequestError` class if the error happened before the request was actually made.
+
+## Authentication Providers
+
+Authentication is managed via the `AuthProvider` interface. The client ships with three built-in providers:
+
+| Provider | Environment | Auth Method |
+|----------|-------------|-------------|
+| `BrowserAuthProvider` | Browser | Cookie-based sessions |
+| `BasicAuthProvider` | Any | HTTP Basic Auth |
+| `SmartBackendServicesAuthProvider` | Server-side | OAuth 2.0 client_credentials with JWT bearer |
+
+### BrowserAuthProvider
+
+For browser applications. Uses cookie-based sessions and redirects to the login page on 401.
 
 ```typescript
-const result = await client.read<Patient>({type: 'Patient', id: 'patient-id'});
-if (result.isErr())
-    throw new Error("error reading Patient", { cause: result.value })
+import { AidboxClient, BrowserAuthProvider } from "@health-samurai/aidbox-client";
 
-const { resource: patient } = result.value;
+const baseUrl = "https://fhir-server.address";
+const client = new AidboxClient(baseUrl, new BrowserAuthProvider(baseUrl));
+```
 
-// work with patient.
+### BasicAuthProvider
+
+For server-side applications using HTTP Basic Auth.
+
+```typescript
+import { AidboxClient, BasicAuthProvider } from "@health-samurai/aidbox-client";
+
+const baseUrl = "https://fhir-server.address";
+const client = new AidboxClient(
+  baseUrl,
+  new BasicAuthProvider(baseUrl, "username", "password"),
+);
 ```
 
-Unwrapping is not required to modify the data in the `Result`:
+### SmartBackendServicesAuthProvider
+
+For server-to-server authentication using [SMART Backend Services](https://www.hl7.org/fhir/smart-app-launch/backend-services.html) (OAuth 2.0 client_credentials grant with JWT bearer assertion).
+
+Features:
+- Token caching with proactive refresh before expiry
+- Thundering herd prevention — concurrent requests share a single token fetch
+- Automatic retry on 401 with fresh token
+- OAuth2 discovery from `.well-known/smart-configuration`
 
 ```typescript
-const result = await client.read<Patient>({type: 'Patient', id: 'patient-id'});
+import { AidboxClient, SmartBackendServicesAuthProvider } from "@health-samurai/aidbox-client";
 
-return result
-  .map(({resource}: {resource: Patient}): Patient => {
-    /* work with Patient resource */
-  })
-  .mapErr(({resource}: {resource: OperationOutcome}): OperationOutcome => {
-    /* work with OperationOutcome resource */
-  });
-  // result is still Result<Patient, OperationOutcome>
+// Generate or import your private key using Web Crypto API
+const privateKey = await crypto.subtle.generateKey(
+  { name: "RSASSA-PKCS1-v1_5", modulusLength: 2048, publicExponent: new Uint8Array([1, 0, 1]), hash: "SHA-384" },
+  true,
+  ["sign", "verify"]
+).then(kp => kp.privateKey);
+
+const auth = new SmartBackendServicesAuthProvider({
+  baseUrl: "https://fhir-server.address",
+  clientId: "my-service",
+  privateKey: privateKey,                     // CryptoKey from Web Crypto API
+  keyId: "key-001",                           // Must match kid in JWKS
+  scope: "system/*.read",
+  // tokenExpirationBuffer: 30,              // Optional: seconds before expiry to refresh (default: 30)
+});
+
+const client = new AidboxClient("https://fhir-server.address", auth);
+```
+
+### Custom Auth Provider
+
+For other authentication methods, implement the `AuthProvider` interface:
+
+```typescript
+import type { AuthProvider } from "@health-samurai/aidbox-client";
+
+export class CustomAuthProvider implements AuthProvider {
+  public baseUrl: string;
+
+  constructor(baseUrl: string) {
+    this.baseUrl = baseUrl;
+  }
+
+  public async establishSession() {
+    /* code to establish a session */
+  }
+
+  public async revokeSession() {
+    /* code to revoke the session */
+  }
+
+  /**
+   * A wrapper around the `fetch` function, that does all the
+   * necessary preparations and argument patching required for the
+   * request to go through.
+   *
+   * Optionally, security checks can be implemented, like verifying
+   * that the request indeed goes to the `baseUrl`, and not
+   * somewhere else.
+   */
+  public async fetch(
+    input: RequestInfo | URL,
+    init?: RequestInit,
+  ): Promise<Response> {
+    /* ... */
+  }
+}
 ```

package/dist/src/auth-providers.d.ts

@@ -1,8 +1,30 @@
 import type { AuthProvider } from "./types";
 export declare class BrowserAuthProvider implements AuthProvider {
     #private;
+    /** @ignore */
     baseUrl: string;
     constructor(baseUrl: string);
+    /**
+     * Checks if the session is already authenticated, and if not, redirects to the login page.
+     */
+    establishSession(): Promise<void>;
+    /**
+     * Sends a POST request to `baseurl/auth/logout`.
+     */
+    revokeSession(): Promise<void>;
+    /**
+     * A thin wrapper around `fetch` function.
+     * Checks if the client is authorized to perform a request, and redirects to a login page if not.
+     *
+     * Accepts the same arguments as `fetch`.
+     */
+    fetch(input: RequestInfo | URL, init?: RequestInit): Promise<Response>;
+}
+export declare class BasicAuthProvider implements AuthProvider {
+    #private;
+    /** @ignore */
+    baseUrl: string;
+    constructor(baseUrl: string, username: string, password: string);
     establishSession(): Promise<void>;
     revokeSession(): Promise<void>;
     fetch(input: RequestInfo | URL, init?: RequestInit): Promise<Response>;

package/dist/src/auth-providers.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"auth-providers.d.ts","sourceRoot":"","sources":["../../src/auth-providers.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,SAAS,CAAC;AAE5C,qBAAa,mBAAoB,YAAW,YAAY;;IAChD,OAAO,EAAE,MAAM,CAAC;gBAEX,OAAO,EAAE,MAAM;IAgBd,gBAAgB;IAQhB,aAAa;IAWb,KAAK,CACjB,KAAK,EAAE,WAAW,GAAG,GAAG,EACxB,IAAI,CAAC,EAAE,WAAW,GAChB,OAAO,CAAC,QAAQ,CAAC;CAsBpB"}
+{"version":3,"file":"auth-providers.d.ts","sourceRoot":"","sources":["../../src/auth-providers.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,SAAS,CAAC;AAG5C,qBAAa,mBAAoB,YAAW,YAAY;;IACvD,cAAc;IACP,OAAO,EAAE,MAAM,CAAC;gBAEX,OAAO,EAAE,MAAM;IAgB3B;;OAEG;IACU,gBAAgB;IAQ7B;;OAEG;IACU,aAAa;IAW1B;;;;;OAKG;IACU,KAAK,CACjB,KAAK,EAAE,WAAW,GAAG,GAAG,EACxB,IAAI,CAAC,EAAE,WAAW,GAChB,OAAO,CAAC,QAAQ,CAAC;CAepB;AAED,qBAAa,iBAAkB,YAAW,YAAY;;IACrD,cAAc;IACP,OAAO,EAAE,MAAM,CAAC;gBAGX,OAAO,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM;IASlD,gBAAgB,IAAI,OAAO,CAAC,IAAI,CAAC;IAIjC,aAAa,IAAI,OAAO,CAAC,IAAI,CAAC;IAI9B,KAAK,CACjB,KAAK,EAAE,WAAW,GAAG,GAAG,EACxB,IAAI,CAAC,EAAE,WAAW,GAChB,OAAO,CAAC,QAAQ,CAAC;CAcpB"}

package/dist/src/auth-providers.js

@@ -1,3 +1,11 @@
+function _array_like_to_array(arr, len) {
+    if (len == null || len > arr.length) len = arr.length;
+    for(var i = 0, arr2 = new Array(len); i < len; i++)arr2[i] = arr[i];
+    return arr2;
+}
+function _array_without_holes(arr) {
+    if (Array.isArray(arr)) return _array_like_to_array(arr);
+}
 function asyncGeneratorStep(gen, resolve, reject, _next, _throw, key, arg) {
     try {
         var info = gen[key](arg);
@@ -32,11 +40,46 @@ function _check_private_redeclaration(obj, privateCollection) {
         throw new TypeError("Cannot initialize the same private elements twice on an object");
     }
 }
+function _class_apply_descriptor_get(receiver, descriptor) {
+    if (descriptor.get) {
+        return descriptor.get.call(receiver);
+    }
+    return descriptor.value;
+}
+function _class_apply_descriptor_set(receiver, descriptor, value) {
+    if (descriptor.set) {
+        descriptor.set.call(receiver, value);
+    } else {
+        if (!descriptor.writable) {
+            throw new TypeError("attempted to set read only private field");
+        }
+        descriptor.value = value;
+    }
+}
 function _class_call_check(instance, Constructor) {
     if (!(instance instanceof Constructor)) {
         throw new TypeError("Cannot call a class as a function");
     }
 }
+function _class_extract_field_descriptor(receiver, privateMap, action) {
+    if (!privateMap.has(receiver)) {
+        throw new TypeError("attempted to " + action + " private field on non-instance");
+    }
+    return privateMap.get(receiver);
+}
+function _class_private_field_get(receiver, privateMap) {
+    var descriptor = _class_extract_field_descriptor(receiver, privateMap, "get");
+    return _class_apply_descriptor_get(receiver, descriptor);
+}
+function _class_private_field_init(obj, privateMap, value) {
+    _check_private_redeclaration(obj, privateMap);
+    privateMap.set(obj, value);
+}
+function _class_private_field_set(receiver, privateMap, value) {
+    var descriptor = _class_extract_field_descriptor(receiver, privateMap, "set");
+    _class_apply_descriptor_set(receiver, descriptor, value);
+    return value;
+}
 function _class_private_method_get(receiver, privateSet, fn) {
     if (!privateSet.has(receiver)) {
         throw new TypeError("attempted to get private field on non-instance");
@@ -81,6 +124,23 @@ function _instanceof(left, right) {
         return left instanceof right;
     }
 }
+function _iterable_to_array(iter) {
+    if (typeof Symbol !== "undefined" && iter[Symbol.iterator] != null || iter["@@iterator"] != null) return Array.from(iter);
+}
+function _non_iterable_spread() {
+    throw new TypeError("Invalid attempt to spread non-iterable instance.\\nIn order to be iterable, non-array objects must have a [Symbol.iterator]() method.");
+}
+function _to_consumable_array(arr) {
+    return _array_without_holes(arr) || _iterable_to_array(arr) || _unsupported_iterable_to_array(arr) || _non_iterable_spread();
+}
+function _unsupported_iterable_to_array(o, minLen) {
+    if (!o) return;
+    if (typeof o === "string") return _array_like_to_array(o, minLen);
+    var n = Object.prototype.toString.call(o).slice(8, -1);
+    if (n === "Object" && o.constructor) n = o.constructor.name;
+    if (n === "Map" || n === "Set") return Array.from(n);
+    if (n === "Arguments" || /^(?:Ui|I)nt(?:8|16|32)(?:Clamped)?Array$/.test(n)) return _array_like_to_array(o, minLen);
+}
 function _ts_generator(thisArg, body) {
     var f, y, t, _ = {
         label: 0,
@@ -172,19 +232,22 @@ function _ts_generator(thisArg, body) {
         };
     }
 }
+import { mergeHeaders, validateBaseUrl } from "./utils";
 var _checkSession = /*#__PURE__*/ new WeakSet();
 export var BrowserAuthProvider = /*#__PURE__*/ function() {
     "use strict";
     function BrowserAuthProvider(baseUrl) {
         _class_call_check(this, BrowserAuthProvider);
         _class_private_method_init(this, _checkSession);
-        _define_property(this, "baseUrl", void 0);
+        /** @ignore */ _define_property(this, "baseUrl", void 0);
         this.baseUrl = baseUrl;
     }
     _create_class(BrowserAuthProvider, [
         {
             key: "establishSession",
-            value: function establishSession() {
+            value: /**
+	 * Checks if the session is already authenticated, and if not, redirects to the login page.
+	 */ function establishSession() {
                 return _async_to_generator(function() {
                     var encodedLocation, redirectTo;
                     return _ts_generator(this, function(_state) {
@@ -210,7 +273,9 @@ export var BrowserAuthProvider = /*#__PURE__*/ function() {
         },
         {
             key: "revokeSession",
-            value: function revokeSession() {
+            value: /**
+	 * Sends a POST request to `baseurl/auth/logout`.
+	 */ function revokeSession() {
                 return _async_to_generator(function() {
                     return _ts_generator(this, function(_state) {
                         switch(_state.label){
@@ -238,20 +303,23 @@ export var BrowserAuthProvider = /*#__PURE__*/ function() {
         },
         {
             key: "fetch",
-            value: function fetch1(input, init) {
+            value: /**
+	 * A thin wrapper around `fetch` function.
+	 * Checks if the client is authorized to perform a request, and redirects to a login page if not.
+	 *
+	 * Accepts the same arguments as `fetch`.
+	 */ function fetch1(input, init) {
                 return _async_to_generator(function() {
-                    var url, i, response;
+                    var requestInit, response;
                     return _ts_generator(this, function(_state) {
                         switch(_state.label){
                             case 0:
-                                if (_instanceof(input, Request)) url = input.url;
-                                else url = input.toString();
-                                if (!url.startsWith(this.baseUrl)) throw Error("url of the request must start with baseUrl");
-                                i = init !== null && init !== void 0 ? init : {};
-                                i.credentials = "include";
+                                validateBaseUrl(input, this.baseUrl);
+                                requestInit = init !== null && init !== void 0 ? init : {};
+                                requestInit.credentials = "include";
                                 return [
                                     4,
-                                    fetch(input, i)
+                                    fetch(input, requestInit)
                                 ];
                             case 1:
                                 response = _state.sent();
@@ -282,8 +350,7 @@ export var BrowserAuthProvider = /*#__PURE__*/ function() {
         }
     ]);
     return BrowserAuthProvider;
-} // TODO: backend auth provider
-();
+}();
 function checkSession() {
     return _async_to_generator(function() {
         var response;
@@ -311,3 +378,72 @@ function checkSession() {
         });
     }).call(this);
 }
+var _authHeader = /*#__PURE__*/ new WeakMap();
+export var BasicAuthProvider = /*#__PURE__*/ function() {
+    "use strict";
+    function BasicAuthProvider(baseUrl, username, password) {
+        var _String;
+        _class_call_check(this, BasicAuthProvider);
+        /** @ignore */ _define_property(this, "baseUrl", void 0);
+        _class_private_field_init(this, _authHeader, {
+            writable: true,
+            value: void 0
+        });
+        this.baseUrl = baseUrl;
+        // Create Base64-encoded credentials for Basic Auth header (RFC 7617: UTF-8 encoded)
+        var credentials = "".concat(username, ":").concat(password);
+        var utf8Bytes = new TextEncoder().encode(credentials);
+        var base64 = btoa((_String = String).fromCharCode.apply(_String, _to_consumable_array(utf8Bytes)));
+        _class_private_field_set(this, _authHeader, "Basic ".concat(base64));
+    }
+    _create_class(BasicAuthProvider, [
+        {
+            key: "establishSession",
+            value: function establishSession() {
+                return _async_to_generator(function() {
+                    return _ts_generator(this, function(_state) {
+                        return [
+                            2
+                        ];
+                    });
+                // No-op for basic auth - credentials are sent with each request
+                })();
+            }
+        },
+        {
+            key: "revokeSession",
+            value: function revokeSession() {
+                return _async_to_generator(function() {
+                    return _ts_generator(this, function(_state) {
+                        return [
+                            2
+                        ];
+                    });
+                // No-op for basic auth - stateless authentication
+                })();
+            }
+        },
+        {
+            key: "fetch",
+            value: function fetch1(input, init) {
+                return _async_to_generator(function() {
+                    var requestInit, baseHeaders, initHeaders, headers;
+                    return _ts_generator(this, function(_state) {
+                        validateBaseUrl(input, this.baseUrl);
+                        requestInit = init !== null && init !== void 0 ? init : {};
+                        baseHeaders = _instanceof(input, Request) ? input.headers : undefined;
+                        initHeaders = requestInit.headers ? new Headers(requestInit.headers) : undefined;
+                        headers = mergeHeaders(baseHeaders, initHeaders);
+                        headers.set("Authorization", _class_private_field_get(this, _authHeader));
+                        requestInit.headers = headers;
+                        return [
+                            2,
+                            fetch(input, requestInit)
+                        ];
+                    });
+                }).call(this);
+            }
+        }
+    ]);
+    return BasicAuthProvider;
+}();