npm - @iqauth/sdk - Versions diffs - 2.0.4 → 2.1.0 - Mend

@iqauth/sdk 2.0.4 → 2.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (43) hide show

package/dist/browser-session.d.mts +1 -1
package/dist/browser-session.d.ts +1 -1
package/dist/browser-session.js +4 -1
package/dist/browser-session.mjs +1 -1
package/dist/{chunk-JQWYIIIS.mjs → chunk-MDUHPQMM.mjs} +4 -1
package/dist/{chunk-73R6BEGO.mjs → chunk-ZESHDJDU.mjs} +1 -1
package/dist/{client-CggvJmmm.d.ts → client-DXbHb2ul.d.ts} +1 -1
package/dist/{client-C1DXfB8Z.d.mts → client-Dv4v92Mj.d.mts} +1 -1
package/dist/{express-BKAXB5Nl.d.ts → express-B4o3P8vK.d.ts} +1 -1
package/dist/{express-CpfyYTmw.d.mts → express-BZmF1llh.d.mts} +1 -1
package/dist/express.d.mts +3 -3
package/dist/express.d.ts +3 -3
package/dist/express.js +4 -1
package/dist/express.mjs +2 -2
package/dist/fastify.d.mts +6 -0
package/dist/fastify.d.ts +6 -0
package/dist/fastify.js +21 -3
package/dist/fastify.mjs +18 -3
package/dist/hono.js +4 -1
package/dist/hono.mjs +1 -1
package/dist/index.d.mts +2 -2
package/dist/index.d.ts +2 -2
package/dist/index.js +4 -1
package/dist/index.mjs +2 -2
package/dist/mobile.d.mts +1 -1
package/dist/mobile.d.ts +1 -1
package/dist/mobile.js +4 -1
package/dist/mobile.mjs +1 -1
package/dist/next.js +4 -1
package/dist/next.mjs +1 -1
package/dist/react.d.mts +64 -2
package/dist/react.d.ts +64 -2
package/dist/react.js +501 -132
package/dist/react.mjs +498 -132
package/dist/server.d.mts +2 -2
package/dist/server.d.ts +2 -2
package/dist/server.js +4 -1
package/dist/server.mjs +2 -2
package/dist/service.d.mts +1 -1
package/dist/service.d.ts +1 -1
package/dist/service.js +4 -1
package/dist/service.mjs +1 -1
package/package.json +1 -1

package/dist/browser-session.d.mts CHANGED Viewed

@@ -1,5 +1,5 @@
 import { c as IQAuthBrowserSessionClientConfig, d as SessionUser } from './types-Cxl3bQHt.mjs';
-import { I as IQAuthClient } from './client-C1DXfB8Z.mjs';
+import { I as IQAuthClient } from './client-Dv4v92Mj.mjs';
 export { E as ErrorCodes, I as IQAuthError } from './errors-CDdl24MP.mjs';
 import 'jsonwebtoken';

package/dist/browser-session.d.ts CHANGED Viewed

@@ -1,5 +1,5 @@
 import { c as IQAuthBrowserSessionClientConfig, d as SessionUser } from './types-Cxl3bQHt.js';
-import { I as IQAuthClient } from './client-CggvJmmm.js';
+import { I as IQAuthClient } from './client-DXbHb2ul.js';
 export { E as ErrorCodes, I as IQAuthError } from './errors-CDdl24MP.js';
 import 'jsonwebtoken';

package/dist/browser-session.js CHANGED Viewed

@@ -449,7 +449,10 @@ function parseMfaResponse(data, browserSessionMode) {
 var import_crypto = __toESM(require("crypto"));
 var import_jsonwebtoken = __toESM(require("jsonwebtoken"));
 var JWKS_CACHE_TTL_MS = 60 * 60 * 1e3;
-var DEFAULT_TOKEN_ISSUER = "auth.dispositioniq.com";
+var DEFAULT_TOKEN_ISSUER = [
+  "https://auth.dispositioniq.com",
+  "auth.dispositioniq.com"
+];
 var DEFAULT_TOKEN_AUDIENCE = [
   "dispositioniq",
   "iqcapture",

package/dist/browser-session.mjs CHANGED Viewed

@@ -1,6 +1,6 @@
 import {
   IQAuthClient
-} from "./chunk-JQWYIIIS.mjs";
+} from "./chunk-MDUHPQMM.mjs";
 import {
   ErrorCodes,
   IQAuthError

package/dist/{chunk-JQWYIIIS.mjs → chunk-MDUHPQMM.mjs} RENAMED Viewed

@@ -164,7 +164,10 @@ function parseMfaResponse(data, browserSessionMode) {
 import crypto from "crypto";
 import jwt from "jsonwebtoken";
 var JWKS_CACHE_TTL_MS = 60 * 60 * 1e3;
-var DEFAULT_TOKEN_ISSUER = "auth.dispositioniq.com";
+var DEFAULT_TOKEN_ISSUER = [
+  "https://auth.dispositioniq.com",
+  "auth.dispositioniq.com"
+];
 var DEFAULT_TOKEN_AUDIENCE = [
   "dispositioniq",
   "iqcapture",

package/dist/{chunk-73R6BEGO.mjs → chunk-ZESHDJDU.mjs} RENAMED Viewed

@@ -3,7 +3,7 @@ import {
 } from "./chunk-5WFR6Y33.mjs";
 import {
   IQAuthClient
-} from "./chunk-JQWYIIIS.mjs";
+} from "./chunk-MDUHPQMM.mjs";
 import {
   IQAuthError
 } from "./chunk-6I6RM4MN.mjs";

package/dist/{client-CggvJmmm.d.ts → client-DXbHb2ul.d.ts} RENAMED Viewed

@@ -92,7 +92,7 @@ declare class AuthModule {
  * - Last verified: Phase 0 Research Summary
  */
-declare const DEFAULT_TOKEN_ISSUER = "auth.dispositioniq.com";
+declare const DEFAULT_TOKEN_ISSUER: string[];
 declare const DEFAULT_TOKEN_AUDIENCE: string[];
 declare const DEFAULT_CLOCK_TOLERANCE_SECONDS = 30;
 interface TokenVerifyOptions {

package/dist/{client-C1DXfB8Z.d.mts → client-Dv4v92Mj.d.mts} RENAMED Viewed

@@ -92,7 +92,7 @@ declare class AuthModule {
  * - Last verified: Phase 0 Research Summary
  */
-declare const DEFAULT_TOKEN_ISSUER = "auth.dispositioniq.com";
+declare const DEFAULT_TOKEN_ISSUER: string[];
 declare const DEFAULT_TOKEN_AUDIENCE: string[];
 declare const DEFAULT_CLOCK_TOLERANCE_SECONDS = 30;
 interface TokenVerifyOptions {

package/dist/{express-BKAXB5Nl.d.ts → express-B4o3P8vK.d.ts} RENAMED Viewed

@@ -1,4 +1,4 @@
-import { I as IQAuthClient } from './client-CggvJmmm.js';
+import { I as IQAuthClient } from './client-DXbHb2ul.js';
 import { J as JwtClaims, N as ExpressMiddlewareOptions, Q as IQAuthRequestLike, R as IQAuthResponseLike, V as IQAuthNextFunction } from './types-Cxl3bQHt.js';
 /**

package/dist/{express-CpfyYTmw.d.mts → express-BZmF1llh.d.mts} RENAMED Viewed

@@ -1,4 +1,4 @@
-import { I as IQAuthClient } from './client-C1DXfB8Z.mjs';
+import { I as IQAuthClient } from './client-Dv4v92Mj.mjs';
 import { J as JwtClaims, N as ExpressMiddlewareOptions, Q as IQAuthRequestLike, R as IQAuthResponseLike, V as IQAuthNextFunction } from './types-Cxl3bQHt.mjs';
 /**

package/dist/express.d.mts CHANGED Viewed

@@ -1,6 +1,6 @@
-import { I as IQAuthClient } from './client-C1DXfB8Z.mjs';
-import { C as CookieAwareMiddlewareOptions } from './express-CpfyYTmw.mjs';
-export { i as iqAuthMiddleware } from './express-CpfyYTmw.mjs';
+import { I as IQAuthClient } from './client-Dv4v92Mj.mjs';
+import { C as CookieAwareMiddlewareOptions } from './express-BZmF1llh.mjs';
+export { i as iqAuthMiddleware } from './express-BZmF1llh.mjs';
 import { IQAuthHelperConfig } from './server/handlers.mjs';
 import { Q as IQAuthRequestLike, R as IQAuthResponseLike, V as IQAuthNextFunction } from './types-Cxl3bQHt.mjs';
 export { E as ErrorCodes, I as IQAuthError } from './errors-CDdl24MP.mjs';

package/dist/express.d.ts CHANGED Viewed

@@ -1,6 +1,6 @@
-import { I as IQAuthClient } from './client-CggvJmmm.js';
-import { C as CookieAwareMiddlewareOptions } from './express-BKAXB5Nl.js';
-export { i as iqAuthMiddleware } from './express-BKAXB5Nl.js';
+import { I as IQAuthClient } from './client-DXbHb2ul.js';
+import { C as CookieAwareMiddlewareOptions } from './express-B4o3P8vK.js';
+export { i as iqAuthMiddleware } from './express-B4o3P8vK.js';
 import { IQAuthHelperConfig } from './server/handlers.js';
 import { Q as IQAuthRequestLike, R as IQAuthResponseLike, V as IQAuthNextFunction } from './types-Cxl3bQHt.js';
 export { E as ErrorCodes, I as IQAuthError } from './errors-CDdl24MP.js';

package/dist/express.js CHANGED Viewed

@@ -448,7 +448,10 @@ function parseMfaResponse(data, browserSessionMode) {
 var import_crypto = __toESM(require("crypto"));
 var import_jsonwebtoken = __toESM(require("jsonwebtoken"));
 var JWKS_CACHE_TTL_MS = 60 * 60 * 1e3;
-var DEFAULT_TOKEN_ISSUER = "auth.dispositioniq.com";
+var DEFAULT_TOKEN_ISSUER = [
+  "https://auth.dispositioniq.com",
+  "auth.dispositioniq.com"
+];
 var DEFAULT_TOKEN_AUDIENCE = [
   "dispositioniq",
   "iqcapture",

package/dist/express.mjs CHANGED Viewed

@@ -1,7 +1,7 @@
 import {
   DEFAULT_REFRESH_COOKIE,
   iqAuthMiddleware
-} from "./chunk-73R6BEGO.mjs";
+} from "./chunk-ZESHDJDU.mjs";
 import {
   handleCallback,
   handleRefresh,
@@ -12,7 +12,7 @@ import {
 } from "./chunk-5WFR6Y33.mjs";
 import {
   IQAuthClient
-} from "./chunk-JQWYIIIS.mjs";
+} from "./chunk-MDUHPQMM.mjs";
 import {
   ErrorCodes,
   IQAuthError

package/dist/fastify.d.mts CHANGED Viewed

@@ -17,6 +17,12 @@ interface IQAuthFastifyOptions extends IQAuthHelperConfig {
     mountHelperRoutes?: boolean;
     /** Routes that bypass verification (e.g. health checks). */
     publicPaths?: string[] | ((path: string) => boolean);
+    /** Override token verification options (issuer / audience / clock tolerance). */
+    verify?: {
+        issuer?: string | string[];
+        audience?: string | string[];
+        clockTolerance?: number;
+    };
 }
 declare function iqAuth(fastify: any, options: IQAuthFastifyOptions): Promise<void>;

package/dist/fastify.d.ts CHANGED Viewed

@@ -17,6 +17,12 @@ interface IQAuthFastifyOptions extends IQAuthHelperConfig {
     mountHelperRoutes?: boolean;
     /** Routes that bypass verification (e.g. health checks). */
     publicPaths?: string[] | ((path: string) => boolean);
+    /** Override token verification options (issuer / audience / clock tolerance). */
+    verify?: {
+        issuer?: string | string[];
+        audience?: string | string[];
+        clockTolerance?: number;
+    };
 }
 declare function iqAuth(fastify: any, options: IQAuthFastifyOptions): Promise<void>;

package/dist/fastify.js CHANGED Viewed

@@ -410,7 +410,10 @@ function parseMfaResponse(data, browserSessionMode) {
 var import_crypto = __toESM(require("crypto"));
 var import_jsonwebtoken = __toESM(require("jsonwebtoken"));
 var JWKS_CACHE_TTL_MS = 60 * 60 * 1e3;
-var DEFAULT_TOKEN_ISSUER = "auth.dispositioniq.com";
+var DEFAULT_TOKEN_ISSUER = [
+  "https://auth.dispositioniq.com",
+  "auth.dispositioniq.com"
+];
 var DEFAULT_TOKEN_AUDIENCE = [
   "dispositioniq",
   "iqcapture",
@@ -2024,7 +2027,16 @@ async function iqAuth(fastify, options) {
   if (!parsed) throw new Error("@iqauth/sdk/fastify: invalid publishable key");
   const issuer = (options.issuer ?? (parsed.iss.startsWith("http") ? parsed.iss : `https://${parsed.iss}`)).replace(/\/+$/, "");
   const helperConfig = { ...options, issuer };
-  const client = new IQAuthClient({ baseUrl: issuer, environment: "server" });
+  const client = new IQAuthClient({
+    baseUrl: issuer,
+    environment: "server",
+    verify: options.verify
+  });
+  const perCallVerify = options.verify ? {
+    issuer: options.verify.issuer,
+    audience: options.verify.audience,
+    clockTolerance: options.verify.clockTolerance
+  } : void 0;
   const accessCookie = options.accessCookieName ?? "iqauth_at";
   const refreshCookie = options.refreshCookieName ?? "iqauth_rt";
   const mount = (options.mountPath ?? "/api/iqauth").replace(/\/+$/, "");
@@ -2047,7 +2059,7 @@ async function iqAuth(fastify, options) {
       return reply;
     }
     try {
-      req.auth = await client.tokens.verify(token);
+      req.auth = await client.tokens.verify(token, perCallVerify);
     } catch (err) {
       if (err instanceof IQAuthError && KNOWN_AUTH_ERRORS.has(err.code)) {
         reply.code(401).send({ success: false, error: { code: err.code, message: err.message } });
@@ -2079,6 +2091,12 @@ async function iqAuth(fastify, options) {
   }
   fastify.decorate("iqauth", { client, issuer });
 }
+iqAuth[/* @__PURE__ */ Symbol.for("skip-override")] = true;
+iqAuth[/* @__PURE__ */ Symbol.for("fastify.display-name")] = "@iqauth/sdk/fastify";
+iqAuth[/* @__PURE__ */ Symbol.for("plugin-meta")] = {
+  name: "@iqauth/sdk/fastify",
+  fastify: ">=4.0.0"
+};
 var fastify_default = iqAuth;
 // Annotate the CommonJS export names for ESM import in node:
 0 && (module.exports = {

package/dist/fastify.mjs CHANGED Viewed

@@ -9,7 +9,7 @@ import {
 } from "./chunk-5WFR6Y33.mjs";
 import {
   IQAuthClient
-} from "./chunk-JQWYIIIS.mjs";
+} from "./chunk-MDUHPQMM.mjs";
 import {
   IQAuthError
 } from "./chunk-6I6RM4MN.mjs";
@@ -56,7 +56,16 @@ async function iqAuth(fastify, options) {
   if (!parsed) throw new Error("@iqauth/sdk/fastify: invalid publishable key");
   const issuer = (options.issuer ?? (parsed.iss.startsWith("http") ? parsed.iss : `https://${parsed.iss}`)).replace(/\/+$/, "");
   const helperConfig = { ...options, issuer };
-  const client = new IQAuthClient({ baseUrl: issuer, environment: "server" });
+  const client = new IQAuthClient({
+    baseUrl: issuer,
+    environment: "server",
+    verify: options.verify
+  });
+  const perCallVerify = options.verify ? {
+    issuer: options.verify.issuer,
+    audience: options.verify.audience,
+    clockTolerance: options.verify.clockTolerance
+  } : void 0;
   const accessCookie = options.accessCookieName ?? "iqauth_at";
   const refreshCookie = options.refreshCookieName ?? "iqauth_rt";
   const mount = (options.mountPath ?? "/api/iqauth").replace(/\/+$/, "");
@@ -79,7 +88,7 @@ async function iqAuth(fastify, options) {
       return reply;
     }
     try {
-      req.auth = await client.tokens.verify(token);
+      req.auth = await client.tokens.verify(token, perCallVerify);
     } catch (err) {
       if (err instanceof IQAuthError && KNOWN_AUTH_ERRORS.has(err.code)) {
         reply.code(401).send({ success: false, error: { code: err.code, message: err.message } });
@@ -111,6 +120,12 @@ async function iqAuth(fastify, options) {
   }
   fastify.decorate("iqauth", { client, issuer });
 }
+iqAuth[/* @__PURE__ */ Symbol.for("skip-override")] = true;
+iqAuth[/* @__PURE__ */ Symbol.for("fastify.display-name")] = "@iqauth/sdk/fastify";
+iqAuth[/* @__PURE__ */ Symbol.for("plugin-meta")] = {
+  name: "@iqauth/sdk/fastify",
+  fastify: ">=4.0.0"
+};
 var fastify_default = iqAuth;
 export {
   fastify_default as default,

package/dist/hono.js CHANGED Viewed

@@ -409,7 +409,10 @@ function parseMfaResponse(data, browserSessionMode) {
 var import_crypto = __toESM(require("crypto"));
 var import_jsonwebtoken = __toESM(require("jsonwebtoken"));
 var JWKS_CACHE_TTL_MS = 60 * 60 * 1e3;
-var DEFAULT_TOKEN_ISSUER = "auth.dispositioniq.com";
+var DEFAULT_TOKEN_ISSUER = [
+  "https://auth.dispositioniq.com",
+  "auth.dispositioniq.com"
+];
 var DEFAULT_TOKEN_AUDIENCE = [
   "dispositioniq",
   "iqcapture",

package/dist/hono.mjs CHANGED Viewed

@@ -9,7 +9,7 @@ import {
 } from "./chunk-5WFR6Y33.mjs";
 import {
   IQAuthClient
-} from "./chunk-JQWYIIIS.mjs";
+} from "./chunk-MDUHPQMM.mjs";
 import {
   IQAuthError
 } from "./chunk-6I6RM4MN.mjs";

package/dist/index.d.mts CHANGED Viewed

@@ -1,6 +1,6 @@
-export { o as ApiKeysModule, l as AppsModule, A as AuthModule, B as BrandingModule, r as ClientsModule, C as CreateAppRequest, m as CreateAppResponse, h as DEFAULT_CLOCK_TOLERANCE_SECONDS, g as DEFAULT_TOKEN_AUDIENCE, D as DEFAULT_TOKEN_ISSUER, E as EntitlementsModule, G as GdprModule, H as HierarchyModule, I as IQAuthClient, a as InMemoryOidcStateStore, p as InvitesModule, M as MembershipsModule, u as MfaModule, d as OidcAuthRequest, e as OidcCallbackResult, O as OidcModule, f as OidcModuleOptions, b as OidcStateStore, c as OidcStoredRequest, n as PermissionGroupsModule, P as PermissionsModule, t as PinModule, R as RolesModule, s as ScopeModule, S as SessionsModule, q as SourcesModule, k as TenantsModule, i as TokenVerifyOptions, T as TokensModule, j as TokensModuleOptions, U as UsersModule, V as VendorsModule, W as WebhooksModule } from './client-C1DXfB8Z.mjs';
+export { o as ApiKeysModule, l as AppsModule, A as AuthModule, B as BrandingModule, r as ClientsModule, C as CreateAppRequest, m as CreateAppResponse, h as DEFAULT_CLOCK_TOLERANCE_SECONDS, g as DEFAULT_TOKEN_AUDIENCE, D as DEFAULT_TOKEN_ISSUER, E as EntitlementsModule, G as GdprModule, H as HierarchyModule, I as IQAuthClient, a as InMemoryOidcStateStore, p as InvitesModule, M as MembershipsModule, u as MfaModule, d as OidcAuthRequest, e as OidcCallbackResult, O as OidcModule, f as OidcModuleOptions, b as OidcStateStore, c as OidcStoredRequest, n as PermissionGroupsModule, P as PermissionsModule, t as PinModule, R as RolesModule, s as ScopeModule, S as SessionsModule, q as SourcesModule, k as TenantsModule, i as TokenVerifyOptions, T as TokensModule, j as TokensModuleOptions, U as UsersModule, V as VendorsModule, W as WebhooksModule } from './client-Dv4v92Mj.mjs';
 export { a as ErrorCode, E as ErrorCodes, I as IQAuthError } from './errors-CDdl24MP.mjs';
-export { i as iqAuthMiddleware } from './express-CpfyYTmw.mjs';
+export { i as iqAuthMiddleware } from './express-BZmF1llh.mjs';
 export { K as KeyMode, b as ParsedPublishableKey, P as PublishableKeyPayload, e as encodePublishableKey, i as isPublishableKey, a as isSecretKey, p as parsePublishableKey } from './publishableKey-B5DIK81A.mjs';
 export { an as AcceptInviteRequest, aa as AddGroupPermissionRequest, ad as AddUserOverrideRequest, v as ApiErrorResponse, ag as ApiKeyInfo, aj as ApiKeyIntrospection, w as ApiResponse, A as ApiSuccessResponse, _ as AppInfo, Z as AppManifest, a0 as AppSyncResult, a4 as AssignRoleRequest, aM as AvailableScopesTree, a_ as BackupCodeCountResult, aZ as BackupCodesResult, p as BrandingAsset, B as BrandingConfig, r as BrandingDomainMapping, aB as Client, ah as CreateApiKeyRequest, ai as CreateApiKeyResult, aC as CreateClientRequest, al as CreateInviteRequest, aJ as CreateMembershipRequest, a2 as CreateRoleRequest, az as CreateSourceRequest, C as CreateTenantRequest, aw as CreateVendorRequest, ap as CreateWebhookRequest, aq as CreateWebhookResult, ae as EffectivePermission, aY as EmailEnrollResult, at as Entitlement, N as ExpressMiddlewareOptions, aR as GdprExportData, au as GrantEntitlementRequest, a9 as GroupPermission, aG as HierarchyClient, aH as HierarchyLink, aF as HierarchySource, aE as HierarchyVendor, c as IQAuthBrowserSessionClientConfig, a as IQAuthClientConfig, I as IQAuthEnvironment, V as IQAuthNextFunction, Q as IQAuthRequestLike, R as IQAuthResponseLike, W as IQAuthRetryConfig, b as IQAuthTokenClientConfig, X as IQAuthVerifyConfig, ab as InheritanceRelation, ak as Invitation, l as InviteTenantUserRequest, m as InviteTenantUserResult, am as InviteValidation, s as JwksKey, t as JwksResponse, J as JwtClaims, L as LoginResult, aI as Membership, aL as MembershipWithDetails, aU as MfaAvailableMethods, y as MfaEnrollment, x as MfaMethod, F as MfaPolicy, D as MfaVerifyResult, M as MigrateUserRequest, O as OidcDiscovery, u as OidcTokenResponse, E as PasswordPolicy, af as PermissionCheckResult, a8 as PermissionGroup, $ as PermissionNodeInfo, Y as PermissionNodeManifest, aT as PinLoginResult, aS as PinStatus, P as PromoteToVendorRequest, k as PromoteToVendorResult, H as ProvisionUserRequest, K as ProvisionUserResponse, a1 as Role, S as ScopeContext, aQ as ScopeSwitchResult, aN as ScopeTreeClient, aO as ScopeTreeSource, aP as ScopeTreeVendor, h as Session, g as SessionAuthenticatedLoginResult, d as SessionUser, aX as SmsEnrollResult, ay as Source, e as Tenant, i as TenantInfo, a7 as TenantUser, n as TenantUserRoleUpdate, f as TokenAuthenticatedLoginResult, T as TokenPair, aV as TotpEnrollResult, z as TotpEnrollmentResult, aW as TotpVerifyResult, o as UpdateBrandingRequest, aD as UpdateClientRequest, aK as UpdateMembershipRequest, a3 as UpdateRoleRequest, aA as UpdateSourceRequest, j as UpdateTenantRequest, ax as UpdateVendorRequest, q as UploadAssetRequest, a6 as UserGroupAssignment, ac as UserPermissionOverride, G as UserPermissions, U as UserProfile, a5 as UserRoleAssignment, av as Vendor, ar as WebhookDelivery, ao as WebhookEndpoint, as as WebhookTestResult } from './types-Cxl3bQHt.mjs';
 import 'jsonwebtoken';

package/dist/index.d.ts CHANGED Viewed

@@ -1,6 +1,6 @@
-export { o as ApiKeysModule, l as AppsModule, A as AuthModule, B as BrandingModule, r as ClientsModule, C as CreateAppRequest, m as CreateAppResponse, h as DEFAULT_CLOCK_TOLERANCE_SECONDS, g as DEFAULT_TOKEN_AUDIENCE, D as DEFAULT_TOKEN_ISSUER, E as EntitlementsModule, G as GdprModule, H as HierarchyModule, I as IQAuthClient, a as InMemoryOidcStateStore, p as InvitesModule, M as MembershipsModule, u as MfaModule, d as OidcAuthRequest, e as OidcCallbackResult, O as OidcModule, f as OidcModuleOptions, b as OidcStateStore, c as OidcStoredRequest, n as PermissionGroupsModule, P as PermissionsModule, t as PinModule, R as RolesModule, s as ScopeModule, S as SessionsModule, q as SourcesModule, k as TenantsModule, i as TokenVerifyOptions, T as TokensModule, j as TokensModuleOptions, U as UsersModule, V as VendorsModule, W as WebhooksModule } from './client-CggvJmmm.js';
+export { o as ApiKeysModule, l as AppsModule, A as AuthModule, B as BrandingModule, r as ClientsModule, C as CreateAppRequest, m as CreateAppResponse, h as DEFAULT_CLOCK_TOLERANCE_SECONDS, g as DEFAULT_TOKEN_AUDIENCE, D as DEFAULT_TOKEN_ISSUER, E as EntitlementsModule, G as GdprModule, H as HierarchyModule, I as IQAuthClient, a as InMemoryOidcStateStore, p as InvitesModule, M as MembershipsModule, u as MfaModule, d as OidcAuthRequest, e as OidcCallbackResult, O as OidcModule, f as OidcModuleOptions, b as OidcStateStore, c as OidcStoredRequest, n as PermissionGroupsModule, P as PermissionsModule, t as PinModule, R as RolesModule, s as ScopeModule, S as SessionsModule, q as SourcesModule, k as TenantsModule, i as TokenVerifyOptions, T as TokensModule, j as TokensModuleOptions, U as UsersModule, V as VendorsModule, W as WebhooksModule } from './client-DXbHb2ul.js';
 export { a as ErrorCode, E as ErrorCodes, I as IQAuthError } from './errors-CDdl24MP.js';
-export { i as iqAuthMiddleware } from './express-BKAXB5Nl.js';
+export { i as iqAuthMiddleware } from './express-B4o3P8vK.js';
 export { K as KeyMode, b as ParsedPublishableKey, P as PublishableKeyPayload, e as encodePublishableKey, i as isPublishableKey, a as isSecretKey, p as parsePublishableKey } from './publishableKey-B5DIK81A.js';
 export { an as AcceptInviteRequest, aa as AddGroupPermissionRequest, ad as AddUserOverrideRequest, v as ApiErrorResponse, ag as ApiKeyInfo, aj as ApiKeyIntrospection, w as ApiResponse, A as ApiSuccessResponse, _ as AppInfo, Z as AppManifest, a0 as AppSyncResult, a4 as AssignRoleRequest, aM as AvailableScopesTree, a_ as BackupCodeCountResult, aZ as BackupCodesResult, p as BrandingAsset, B as BrandingConfig, r as BrandingDomainMapping, aB as Client, ah as CreateApiKeyRequest, ai as CreateApiKeyResult, aC as CreateClientRequest, al as CreateInviteRequest, aJ as CreateMembershipRequest, a2 as CreateRoleRequest, az as CreateSourceRequest, C as CreateTenantRequest, aw as CreateVendorRequest, ap as CreateWebhookRequest, aq as CreateWebhookResult, ae as EffectivePermission, aY as EmailEnrollResult, at as Entitlement, N as ExpressMiddlewareOptions, aR as GdprExportData, au as GrantEntitlementRequest, a9 as GroupPermission, aG as HierarchyClient, aH as HierarchyLink, aF as HierarchySource, aE as HierarchyVendor, c as IQAuthBrowserSessionClientConfig, a as IQAuthClientConfig, I as IQAuthEnvironment, V as IQAuthNextFunction, Q as IQAuthRequestLike, R as IQAuthResponseLike, W as IQAuthRetryConfig, b as IQAuthTokenClientConfig, X as IQAuthVerifyConfig, ab as InheritanceRelation, ak as Invitation, l as InviteTenantUserRequest, m as InviteTenantUserResult, am as InviteValidation, s as JwksKey, t as JwksResponse, J as JwtClaims, L as LoginResult, aI as Membership, aL as MembershipWithDetails, aU as MfaAvailableMethods, y as MfaEnrollment, x as MfaMethod, F as MfaPolicy, D as MfaVerifyResult, M as MigrateUserRequest, O as OidcDiscovery, u as OidcTokenResponse, E as PasswordPolicy, af as PermissionCheckResult, a8 as PermissionGroup, $ as PermissionNodeInfo, Y as PermissionNodeManifest, aT as PinLoginResult, aS as PinStatus, P as PromoteToVendorRequest, k as PromoteToVendorResult, H as ProvisionUserRequest, K as ProvisionUserResponse, a1 as Role, S as ScopeContext, aQ as ScopeSwitchResult, aN as ScopeTreeClient, aO as ScopeTreeSource, aP as ScopeTreeVendor, h as Session, g as SessionAuthenticatedLoginResult, d as SessionUser, aX as SmsEnrollResult, ay as Source, e as Tenant, i as TenantInfo, a7 as TenantUser, n as TenantUserRoleUpdate, f as TokenAuthenticatedLoginResult, T as TokenPair, aV as TotpEnrollResult, z as TotpEnrollmentResult, aW as TotpVerifyResult, o as UpdateBrandingRequest, aD as UpdateClientRequest, aK as UpdateMembershipRequest, a3 as UpdateRoleRequest, aA as UpdateSourceRequest, j as UpdateTenantRequest, ax as UpdateVendorRequest, q as UploadAssetRequest, a6 as UserGroupAssignment, ac as UserPermissionOverride, G as UserPermissions, U as UserProfile, a5 as UserRoleAssignment, av as Vendor, ar as WebhookDelivery, ao as WebhookEndpoint, as as WebhookTestResult } from './types-Cxl3bQHt.js';
 import 'jsonwebtoken';

package/dist/index.js CHANGED Viewed

@@ -480,7 +480,10 @@ function parseMfaResponse(data, browserSessionMode) {
 var import_crypto = __toESM(require("crypto"));
 var import_jsonwebtoken = __toESM(require("jsonwebtoken"));
 var JWKS_CACHE_TTL_MS = 60 * 60 * 1e3;
-var DEFAULT_TOKEN_ISSUER = "auth.dispositioniq.com";
+var DEFAULT_TOKEN_ISSUER = [
+  "https://auth.dispositioniq.com",
+  "auth.dispositioniq.com"
+];
 var DEFAULT_TOKEN_AUDIENCE = [
   "dispositioniq",
   "iqcapture",

package/dist/index.mjs CHANGED Viewed

@@ -1,6 +1,6 @@
 import {
   iqAuthMiddleware
-} from "./chunk-73R6BEGO.mjs";
+} from "./chunk-ZESHDJDU.mjs";
 import {
   encodePublishableKey,
   isPublishableKey,
@@ -37,7 +37,7 @@ import {
   UsersModule,
   VendorsModule,
   WebhooksModule
-} from "./chunk-JQWYIIIS.mjs";
+} from "./chunk-MDUHPQMM.mjs";
 import {
   ErrorCodes,
   IQAuthError

package/dist/mobile.d.mts CHANGED Viewed

@@ -1,4 +1,4 @@
-import { I as IQAuthClient } from './client-C1DXfB8Z.mjs';
+import { I as IQAuthClient } from './client-Dv4v92Mj.mjs';
 import { b as IQAuthTokenClientConfig } from './types-Cxl3bQHt.mjs';
 export { E as ErrorCodes, I as IQAuthError } from './errors-CDdl24MP.mjs';
 import 'jsonwebtoken';

package/dist/mobile.d.ts CHANGED Viewed

@@ -1,4 +1,4 @@
-import { I as IQAuthClient } from './client-CggvJmmm.js';
+import { I as IQAuthClient } from './client-DXbHb2ul.js';
 import { b as IQAuthTokenClientConfig } from './types-Cxl3bQHt.js';
 export { E as ErrorCodes, I as IQAuthError } from './errors-CDdl24MP.js';
 import 'jsonwebtoken';

package/dist/mobile.js CHANGED Viewed

@@ -449,7 +449,10 @@ function parseMfaResponse(data, browserSessionMode) {
 var import_crypto = __toESM(require("crypto"));
 var import_jsonwebtoken = __toESM(require("jsonwebtoken"));
 var JWKS_CACHE_TTL_MS = 60 * 60 * 1e3;
-var DEFAULT_TOKEN_ISSUER = "auth.dispositioniq.com";
+var DEFAULT_TOKEN_ISSUER = [
+  "https://auth.dispositioniq.com",
+  "auth.dispositioniq.com"
+];
 var DEFAULT_TOKEN_AUDIENCE = [
   "dispositioniq",
   "iqcapture",

package/dist/mobile.mjs CHANGED Viewed

@@ -1,6 +1,6 @@
 import {
   IQAuthClient
-} from "./chunk-JQWYIIIS.mjs";
+} from "./chunk-MDUHPQMM.mjs";
 import {
   ErrorCodes,
   IQAuthError

package/dist/next.js CHANGED Viewed

@@ -643,7 +643,10 @@ function parseMfaResponse(data, browserSessionMode) {
 var import_crypto = __toESM(require("crypto"));
 var import_jsonwebtoken = __toESM(require("jsonwebtoken"));
 var JWKS_CACHE_TTL_MS = 60 * 60 * 1e3;
-var DEFAULT_TOKEN_ISSUER = "auth.dispositioniq.com";
+var DEFAULT_TOKEN_ISSUER = [
+  "https://auth.dispositioniq.com",
+  "auth.dispositioniq.com"
+];
 var DEFAULT_TOKEN_AUDIENCE = [
   "dispositioniq",
   "iqcapture",

package/dist/next.mjs CHANGED Viewed

@@ -9,7 +9,7 @@ import {
 } from "./chunk-5WFR6Y33.mjs";
 import {
   IQAuthClient
-} from "./chunk-JQWYIIIS.mjs";
+} from "./chunk-MDUHPQMM.mjs";
 import "./chunk-6I6RM4MN.mjs";
 import "./chunk-Y6FXYEAI.mjs";

package/dist/react.d.mts CHANGED Viewed

@@ -122,6 +122,9 @@ declare function AuthCallback({ onComplete, fallback }?: AuthCallbackProps): Rea
 interface IQAuthBranding {
     brandName: string | null;
     logoUrl: string | null;
+    logoLightUrl?: string | null;
+    logoDarkUrl?: string | null;
+    faviconUrl?: string | null;
     loginHeadline: string | null;
     loginSubheadline: string | null;
     primaryColor: string | null;
@@ -129,10 +132,31 @@ interface IQAuthBranding {
     backgroundColor: string | null;
     surfaceColor: string | null;
     textColor: string | null;
+    heroImageUrl?: string | null;
+    /** Optional full-bleed background image for the `full_bleed` layout. */
+    backgroundImageUrl?: string | null;
+    tagline?: string | null;
+    loginSideCopy?: string | null;
+    googleButtonLabel?: string | null;
+    customCss?: string | null;
+    /** "centered_card" | "split_screen" | "full_bleed" */
+    loginLayout?: string | null;
+    /** "solid" | "outline" | "ghost" */
+    socialButtonStyle?: string | null;
+    fontFamilyBody?: string | null;
+    fontFamilyHeading?: string | null;
+    customFontUrl?: string | null;
+    borderRadius?: number | string | null;
+    footerText?: string | null;
+    emailHeaderImageUrl?: string | null;
+    emailSenderName?: string | null;
+    emailFooter?: string | null;
     supportEmail?: string | null;
     supportUrl?: string | null;
     termsUrl?: string | null;
     privacyUrl?: string | null;
+    /** Composite revision (`${tenantRev}.${appRev}`) for cache-busting. */
+    brandingRev?: string | null;
 }
 interface IQAuthSignInContext {
     app: {
@@ -149,6 +173,13 @@ interface IQAuthSignInContext {
     allowedOrigins: string[];
     returnAllowed: boolean;
     branding: IQAuthBranding | null;
+    brandingRev?: string | null;
+    session?: {
+        userId: string;
+        email: string;
+        name: string;
+        authenticatedAt: number;
+    } | null;
 }
 interface SharedComponentProps {
     /** Base URL of the IQAuth service (e.g. https://auth.dispositioniq.com). */
@@ -166,13 +197,44 @@ declare function useIQAuthSignInContext(iqAuthBaseUrl: string, appKey: string, r
     loading: boolean;
     error: string | null;
 };
+declare function sanitizeBrandCss(input: string | null | undefined): string;
+/**
+ * Fetches the layered tenant/app branding for use by chrome-only SDK
+ * components (`<UserButton/>`, `<UserProfile/>`, `<OrganizationSwitcher/>`)
+ * that don't go through `<SignIn/>`'s sign-in-context.
+ *
+ * Cached at module scope for 60s, keyed by URL. The cache is also
+ * brandingRev-aware: a newer rev for the same URL replaces older entries
+ * even within the TTL window. Returns `null` until first resolution; callers
+ * should treat that as "use neutral defaults".
+ *
+ * Reads `appId` from the IQAuthProvider's session manager (parsed from the
+ * publishable key) so per-app branding overrides are layered. Callers may
+ * override with the explicit `appId` parameter.
+ */
+declare function useResolvedSdkBranding(iqAuthBaseUrl: string, appId?: string | null): IQAuthBranding | null;
 interface SignInProps extends SharedComponentProps {
     /** URL the IQAuth backend should redirect back to with `?code=...`. Must be in the app's allowed_origins. */
     returnTo: string;
     /** Called after successful redirect. By default, `window.location.href = url`. */
     onRedirect?: (url: string) => void;
+    /** Pass `"login"` to force the form to render even when an SSO session is active. */
+    prompt?: "login";
 }
-declare function SignIn({ iqAuthBaseUrl, appKey, returnTo, onRedirect, className }: SignInProps): react_jsx_runtime.JSX.Element;
+/**
+ * Pure render-decision helper. When this returns `true`, `<SignIn/>` MUST
+ * render the silent SSO placeholder instead of the email/password form,
+ * even on the very first render before `useEffect` fires. Exported so that
+ * smoke tests can verify the no-flash guarantee without standing up a DOM.
+ */
+declare function isSilentSsoEligible(ctx: {
+    session?: unknown;
+    app: {
+        defaultClientId: string | null;
+    };
+    returnAllowed: boolean;
+} | null | undefined, effectivePrompt: "login" | undefined): boolean;
+declare function SignIn({ iqAuthBaseUrl, appKey, returnTo, onRedirect, className, prompt }: SignInProps): react_jsx_runtime.JSX.Element;
 interface SignUpProps extends SharedComponentProps {
     returnTo?: string;
     onSuccess?: () => void;
@@ -206,4 +268,4 @@ interface OrganizationSwitcherProps {
 declare function OrganizationSwitcher({ iqAuthBaseUrl, onSwitched, className }: OrganizationSwitcherProps): react_jsx_runtime.JSX.Element;
 declare const __version__ = "phase-bc-1.0.0";
-export { AuthCallback, type AuthCallbackProps, type IQAuthBranding, IQAuthProvider, type IQAuthProviderProps, type IQAuthSignInContext, OrganizationSwitcher, type OrganizationSwitcherProps, RedirectToSignIn, type RedirectToSignInProps, type SessionError, type SharedComponentProps, SignIn, type SignInProps, SignUp, type SignUpProps, SignedIn, SignedOut, type UseAuthResult, type UseOrganizationResult, type UseSessionResult, type UseUserResult, UserButton, type UserButtonProps, UserProfile, type UserProfileProps, type UserSummary, __version__, useAuth, useAuthFetch, useIQAuthSignInContext, useOrganization, useSession, useUser };
+export { AuthCallback, type AuthCallbackProps, type IQAuthBranding, IQAuthProvider, type IQAuthProviderProps, type IQAuthSignInContext, OrganizationSwitcher, type OrganizationSwitcherProps, RedirectToSignIn, type RedirectToSignInProps, type SessionError, type SharedComponentProps, SignIn, type SignInProps, SignUp, type SignUpProps, SignedIn, SignedOut, type UseAuthResult, type UseOrganizationResult, type UseSessionResult, type UseUserResult, UserButton, type UserButtonProps, UserProfile, type UserProfileProps, type UserSummary, __version__, isSilentSsoEligible, sanitizeBrandCss, useAuth, useAuthFetch, useIQAuthSignInContext, useOrganization, useResolvedSdkBranding, useSession, useUser };