@iqauth/sdk 2.0.0

package/dist/browser-session.mjs

@@ -0,0 +1,28 @@
+import {
+  IQAuthClient
+} from "./chunk-JQWYIIIS.mjs";
+import {
+  ErrorCodes,
+  IQAuthError
+} from "./chunk-6I6RM4MN.mjs";
+import "./chunk-Y6FXYEAI.mjs";
+
+// src/browser-session.ts
+var BrowserSessionIQAuthClient = class extends IQAuthClient {
+  constructor(config) {
+    super({ ...config, environment: "browser_session" });
+  }
+  async getSessionUser() {
+    return this.auth.getSessionUser();
+  }
+};
+function createBrowserSessionClient(config) {
+  return new BrowserSessionIQAuthClient(config);
+}
+export {
+  BrowserSessionIQAuthClient,
+  ErrorCodes,
+  IQAuthClient,
+  IQAuthError,
+  createBrowserSessionClient
+};

package/dist/browser.d.mts

@@ -0,0 +1,46 @@
+export { C as CallbackResult, S as SessionManager, d as SessionManagerOptions, a as SessionSnapshot, e as SessionStatus, b as SignInOptions, c as SignOutOptions, f as buildSignInUrl, h as handleAuthCallback, r as redirectToSignIn, s as signIn, g as signOut } from './signIn-C8f6qVjD.mjs';
+export { K as KeyMode, b as ParsedPublishableKey, P as PublishableKeyPayload, e as encodePublishableKey, i as isPublishableKey, a as isSecretKey, p as parsePublishableKey } from './publishableKey-B5DIK81A.mjs';
+export { a as ErrorCode, E as ErrorCodes, I as IQAuthError } from './errors-CDdl24MP.mjs';
+import './types-Cxl3bQHt.mjs';
+
+/**
+ * Browser-only storage helpers used by the SessionManager.
+ *
+ * Storage strategy (Phase B):
+ *   - Access token: in memory only (held by SessionManager).
+ *   - Refresh token: first-party cookie on the app's own domain. The cookie
+ *     is set by the SDK callback handler and cleared on signOut.
+ *
+ * NOTE: Cookies set from JS cannot be httpOnly. Phase D (cookie-aware
+ * middleware) will move refresh-token cookie management into the app's
+ * backend so it can be httpOnly. Until then, the SDK uses a `Secure`,
+ * `SameSite=Lax` first-party cookie as a pragmatic stopgap. Nothing
+ * privileged ever lives in localStorage.
+ */
+declare const REFRESH_COOKIE = "iqauth_rt";
+interface CookieOptions {
+    maxAgeSeconds?: number;
+    path?: string;
+    domain?: string;
+    secure?: boolean;
+    sameSite?: "lax" | "strict" | "none";
+}
+declare function setCookie(name: string, value: string, opts?: CookieOptions): void;
+declare function getCookie(name: string): string | null;
+declare function clearCookie(name: string, opts?: CookieOptions): void;
+
+/**
+ * Browser-safe PKCE + state/nonce generation using WebCrypto.
+ * Falls back to Node's crypto.webcrypto for tests.
+ */
+declare function randomUrlSafe(byteLength?: number): string;
+declare function s256Challenge(verifier: string): Promise<string>;
+interface PkcePair {
+    codeVerifier: string;
+    codeChallenge: string;
+    state: string;
+    nonce: string;
+}
+declare function createPkcePair(): Promise<PkcePair>;
+
+export { REFRESH_COOKIE, clearCookie, createPkcePair, getCookie, randomUrlSafe, s256Challenge, setCookie };

package/dist/browser.d.ts

@@ -0,0 +1,46 @@
+export { C as CallbackResult, S as SessionManager, d as SessionManagerOptions, a as SessionSnapshot, e as SessionStatus, b as SignInOptions, c as SignOutOptions, f as buildSignInUrl, h as handleAuthCallback, r as redirectToSignIn, s as signIn, g as signOut } from './signIn-Cy2lbEXb.js';
+export { K as KeyMode, b as ParsedPublishableKey, P as PublishableKeyPayload, e as encodePublishableKey, i as isPublishableKey, a as isSecretKey, p as parsePublishableKey } from './publishableKey-B5DIK81A.js';
+export { a as ErrorCode, E as ErrorCodes, I as IQAuthError } from './errors-CDdl24MP.js';
+import './types-Cxl3bQHt.js';
+
+/**
+ * Browser-only storage helpers used by the SessionManager.
+ *
+ * Storage strategy (Phase B):
+ *   - Access token: in memory only (held by SessionManager).
+ *   - Refresh token: first-party cookie on the app's own domain. The cookie
+ *     is set by the SDK callback handler and cleared on signOut.
+ *
+ * NOTE: Cookies set from JS cannot be httpOnly. Phase D (cookie-aware
+ * middleware) will move refresh-token cookie management into the app's
+ * backend so it can be httpOnly. Until then, the SDK uses a `Secure`,
+ * `SameSite=Lax` first-party cookie as a pragmatic stopgap. Nothing
+ * privileged ever lives in localStorage.
+ */
+declare const REFRESH_COOKIE = "iqauth_rt";
+interface CookieOptions {
+    maxAgeSeconds?: number;
+    path?: string;
+    domain?: string;
+    secure?: boolean;
+    sameSite?: "lax" | "strict" | "none";
+}
+declare function setCookie(name: string, value: string, opts?: CookieOptions): void;
+declare function getCookie(name: string): string | null;
+declare function clearCookie(name: string, opts?: CookieOptions): void;
+
+/**
+ * Browser-safe PKCE + state/nonce generation using WebCrypto.
+ * Falls back to Node's crypto.webcrypto for tests.
+ */
+declare function randomUrlSafe(byteLength?: number): string;
+declare function s256Challenge(verifier: string): Promise<string>;
+interface PkcePair {
+    codeVerifier: string;
+    codeChallenge: string;
+    state: string;
+    nonce: string;
+}
+declare function createPkcePair(): Promise<PkcePair>;
+
+export { REFRESH_COOKIE, clearCookie, createPkcePair, getCookie, randomUrlSafe, s256Challenge, setCookie };