@iqauth/sdk 2.1.0 → 2.3.0

package/dist/{client-Dv4v92Mj.d.mts → client-vdh2a9fJ.d.mts}

@@ -1,5 +1,4 @@
 import { I as IQAuthEnvironment, T as TokenPair, W as IQAuthRetryConfig, L as LoginResult, a$ as SignupRequest, D as MfaVerifyResult, d as SessionUser, J as JwtClaims, h as Session, U as UserProfile, H as ProvisionUserRequest, K as ProvisionUserResponse, G as UserPermissions, O as OidcDiscovery, t as JwksResponse, u as OidcTokenResponse, b0 as HostedClientContext, i as TenantInfo, C as CreateTenantRequest, j as UpdateTenantRequest, P as PromoteToVendorRequest, k as PromoteToVendorResult, a7 as TenantUser, l as InviteTenantUserRequest, m as InviteTenantUserResult, n as TenantUserRoleUpdate, M as MigrateUserRequest, E as PasswordPolicy, F as MfaPolicy, B as BrandingConfig, _ as AppInfo, $ as PermissionNodeInfo, Z as AppManifest, a0 as AppSyncResult, a1 as Role, a2 as CreateRoleRequest, a3 as UpdateRoleRequest, a4 as AssignRoleRequest, a5 as UserRoleAssignment, a8 as PermissionGroup, a9 as GroupPermission, aa as AddGroupPermissionRequest, ab as InheritanceRelation, a6 as UserGroupAssignment, ac as UserPermissionOverride, ad as AddUserOverrideRequest, ae as EffectivePermission, af as PermissionCheckResult, ah as CreateApiKeyRequest, ai as CreateApiKeyResult, ag as ApiKeyInfo, aj as ApiKeyIntrospection, al as CreateInviteRequest, ak as Invitation, am as InviteValidation, an as AcceptInviteRequest, ap as CreateWebhookRequest, aq as CreateWebhookResult, ao as WebhookEndpoint, ar as WebhookDelivery, as as WebhookTestResult, at as Entitlement, au as GrantEntitlementRequest, av as Vendor, aw as CreateVendorRequest, ax as UpdateVendorRequest, az as CreateSourceRequest, ay as Source, aA as UpdateSourceRequest, aC as CreateClientRequest, aB as Client, aD as UpdateClientRequest, aE as HierarchyVendor, aH as HierarchyLink, aL as MembershipWithDetails, aJ as CreateMembershipRequest, aI as Membership, aK as UpdateMembershipRequest, aM as AvailableScopesTree, aQ as ScopeSwitchResult, aR as GdprExportData, aS as PinStatus, aU as MfaAvailableMethods, aV as TotpEnrollResult, aW as TotpVerifyResult, aX as SmsEnrollResult, y as MfaEnrollment, aY as EmailEnrollResult, aZ as BackupCodesResult, a_ as BackupCodeCountResult, o as UpdateBrandingRequest, q as UploadAssetRequest, p as BrandingAsset, r as BrandingDomainMapping, a as IQAuthClientConfig, c as IQAuthBrowserSessionClientConfig, b as IQAuthTokenClientConfig } from './types-Cxl3bQHt.mjs';
-import jwt from 'jsonwebtoken';
 
 /**
  * SOURCE REFS:
@@ -90,6 +89,14 @@ declare class AuthModule {
  * - Route file: src/lib/crypto.ts (key rotation with kid)
  * - Verified claims: sub, email, name, tenantId, vendorId, roles, entitlements, sessionId, jti, iss, aud, exp, iat, scopeContext, loginMethod
  * - Last verified: Phase 0 Research Summary
+ *
+ * 2.3.0: Verify path swapped from `jsonwebtoken` (which depends on
+ * `node:crypto`) to `jose` so the SDK works on Next.js / Vercel / Cloudflare
+ * edge runtimes. Edge has only Web Crypto, so every call from a Next
+ * middleware previously threw and was wrapped as `TOKEN_INVALID`,
+ * indistinguishable from a real bad token. We keep our own JWKS fetch +
+ * cache to preserve INTERNAL_ERROR mapping for malformed JWKS payloads and
+ * to keep the kid-aware "Unknown key ID" diagnostic.
  */
 
 declare const DEFAULT_TOKEN_ISSUER: string[];
@@ -99,7 +106,7 @@ interface TokenVerifyOptions {
     issuer?: string | string[];
     audience?: string | string[];
     clockTolerance?: number;
-    algorithms?: jwt.Algorithm[];
+    algorithms?: string[];
 }
 interface TokensModuleOptions {
     issuer?: string | string[];
@@ -115,34 +122,22 @@ declare class TokensModule {
     private defaultClockTolerance;
     constructor(baseUrl: string, options?: TokensModuleOptions);
     /**
-     * Verify a JWT access token using RS256 via JWKS from /.well-known/jwks.json.
-     * Caches JWKS keys for 1 hour. Retries once on unknown `kid`.
-     *
-     * @remarks Validates against /.well-known/jwks.json. Issuer, audience, and
-     * clock tolerance default to client config but can be overridden per call.
+     * Verify a JWT access token using RS256/ES256 via JWKS from
+     * `/.well-known/jwks.json`. Backed by `jose` (Web Crypto) so it runs on
+     * Node, browser, and edge runtimes alike — no `node:crypto` dependency.
+     * Caches JWKS for 1 hour and refetches once on unknown `kid`.
      */
     verify(token: string, options?: TokenVerifyOptions): Promise<JwtClaims>;
     /**
      * Decode a JWT without verification. Returns null if malformed.
-     *
-     * @remarks Local decode only — no network call
      */
     decode(token: string): JwtClaims | null;
-    /**
-     * Check if a token is expired based on the `exp` claim.
-     *
-     * @remarks Local check only — no network call
-     */
+    /** Check if a token is expired based on the `exp` claim. */
     isExpired(token: string): boolean;
-    /**
-     * Get the claims from a token without verification.
-     *
-     * @remarks Local decode only — no network call
-     */
+    /** Get the claims from a token without verification. */
     getClaims(token: string): JwtClaims;
-    private getPublicKey;
+    private ensureCache;
     private refreshJwks;
-    private jwkToPem;
     /** @internal Exposed for testing — clears JWKS cache */
     clearCache(): void;
 }

package/dist/{doctor-OHJRZBBT.mjs → doctor-A5E7LSFW.mjs}

@@ -5,7 +5,8 @@ import {
 } from "./chunk-X3K3WOBR.mjs";
 import {
   parsePublishableKey
-} from "./chunk-5WFR6Y33.mjs";
+} from "./chunk-WQWBJSSS.mjs";
+import "./chunk-6I6RM4MN.mjs";
 import "./chunk-Y6FXYEAI.mjs";
 
 // src/cli/doctor.ts

package/dist/{express-BZmF1llh.d.mts → express-A0-dWEMy.d.mts}

@@ -1,4 +1,4 @@
-import { I as IQAuthClient } from './client-Dv4v92Mj.mjs';
+import { I as IQAuthClient } from './client-vdh2a9fJ.mjs';
 import { J as JwtClaims, N as ExpressMiddlewareOptions, Q as IQAuthRequestLike, R as IQAuthResponseLike, V as IQAuthNextFunction } from './types-Cxl3bQHt.mjs';
 
 /**

package/dist/{express-B4o3P8vK.d.ts → express-Bo_pJKHN.d.ts}

@@ -1,4 +1,4 @@
-import { I as IQAuthClient } from './client-DXbHb2ul.js';
+import { I as IQAuthClient } from './client-DTX4hNdS.js';
 import { J as JwtClaims, N as ExpressMiddlewareOptions, Q as IQAuthRequestLike, R as IQAuthResponseLike, V as IQAuthNextFunction } from './types-Cxl3bQHt.js';
 
 /**

package/dist/express.d.mts

@@ -1,10 +1,9 @@
-import { I as IQAuthClient } from './client-Dv4v92Mj.mjs';
-import { C as CookieAwareMiddlewareOptions } from './express-BZmF1llh.mjs';
-export { i as iqAuthMiddleware } from './express-BZmF1llh.mjs';
+import { I as IQAuthClient } from './client-vdh2a9fJ.mjs';
+import { C as CookieAwareMiddlewareOptions } from './express-A0-dWEMy.mjs';
+export { i as iqAuthMiddleware } from './express-A0-dWEMy.mjs';
 import { IQAuthHelperConfig } from './server/handlers.mjs';
 import { Q as IQAuthRequestLike, R as IQAuthResponseLike, V as IQAuthNextFunction } from './types-Cxl3bQHt.mjs';
 export { E as ErrorCodes, I as IQAuthError } from './errors-CDdl24MP.mjs';
-import 'jsonwebtoken';
 
 /**
  * @iqauth/sdk/express — drop-in Express adapter.
@@ -22,18 +21,89 @@ import 'jsonwebtoken';
  *   app.use(iqAuth({ publishableKey: process.env.IQAUTH_PUBLISHABLE_KEY!, secretKey: process.env.IQAUTH_SECRET_KEY! }));
  */
 
+interface InlineCallbackBrandedRenderArgs {
+    /** Issuer URL the SDK will use to mint the authorization code (publishable key origin). */
+    issuer: string;
+    /** Path of the JSON exchange endpoint to POST to (e.g. `/api/iqauth/callback/exchange`). */
+    exchangePath: string;
+    /** The raw `?code=` value from the OAuth redirect (already escaped for HTML). */
+    code: string;
+    /** The raw `?state=` value from the OAuth redirect (already escaped for HTML). */
+    state: string;
+    /** If `errorPath` is configured on the inline-callback options, it's threaded
+     * here so a custom render function can reuse it for its own catch handler.
+     * `""` when unset. */
+    errorPath?: string;
+}
+interface InlineCallbackBrandedConfig {
+    /**
+     * Optional override for the spinner page HTML. Receives the issuer URL, the
+     * exchange endpoint path, and the (HTML-escaped) `code` + `state` from the
+     * OAuth redirect. Returns a full HTML document. When omitted, a minimal
+     * neutral spinner is rendered.
+     */
+    render?: (args: InlineCallbackBrandedRenderArgs) => string;
+}
+interface InlineCallbackConfig {
+    /**
+     * When truthy, mount a GET-method handler on the same path as the POST
+     * callback so the OAuth redirect lands on a server-rendered page (no
+     * blank-tab while waiting for client JS). When `false`, only `POST` is
+     * mounted (the browser SDK posts the code + verifier itself).
+     *
+     * - `inlineCallback: true` — GET exchanges the code synchronously
+     *   (PKCE verifier read from the `iqauth_pkce` first-party cookie set by
+     *   the browser SDK before redirect) and 302s to the final URL.
+     *
+     * - `inlineCallback: { branded: true }` — GET returns a small spinner HTML
+     *   document; the exchange happens via a sibling JSON endpoint at
+     *   `${callbackPath}/exchange`.
+     *
+     * - `inlineCallback: { branded: { render } }` — same as above but lets
+     *   you supply your own HTML (logo, copy, theme).
+     */
+    branded?: boolean | InlineCallbackBrandedConfig;
+    /**
+     * Where to redirect on a failed inline callback (state mismatch, missing
+     * code, code-exchange error from the issuer, etc). When omitted, the
+     * plain inline flow returns a JSON error body and the branded flow
+     * surfaces the failure via the spinner script's catch handler. When set,
+     * the GET handler 302s to this path with `?error=<code>` appended.
+     */
+    errorPath?: string;
+    /**
+     * Cookie name the browser SDK uses to publish the OAuth `state` value
+     * before redirect. Validated against the `?state=` query param on the
+     * return trip. Defaults to `iqauth_state`.
+     */
+    stateCookieName?: string;
+    /**
+     * Cookie name the browser SDK uses to publish the post-login destination
+     * before redirect. The inline GET handler reads it and 302s the user
+     * there after a successful exchange. Defaults to `iqauth_return_to`.
+     */
+    returnToCookieName?: string;
+}
 interface IQAuthExpressOptions extends IQAuthHelperConfig, CookieAwareMiddlewareOptions {
     /** Mount path prefix for the auto-mounted helper routes. */
     mountPath?: string;
     /** Set to false to skip mounting helper routes (verify-only mode). */
     mountHelperRoutes?: boolean;
+    /**
+     * Mount a GET handler on the callback path so the OAuth redirect lands
+     * on a server-rendered page. Off by default (browser SDK posts the code
+     * itself). See {@link InlineCallbackConfig}.
+     */
+    inlineCallback?: boolean | InlineCallbackConfig;
 }
 interface ExpressLikeApp {
     post(path: string, handler: (req: any, res: any) => unknown | Promise<unknown>): unknown;
+    get?(path: string, handler: (req: any, res: any) => unknown | Promise<unknown>): unknown;
     use?: (...args: unknown[]) => unknown;
 }
 interface ExpressLikeRouter {
     post(path: string, handler: (req: any, res: any) => unknown | Promise<unknown>): unknown;
+    get?(path: string, handler: (req: any, res: any) => unknown | Promise<unknown>): unknown;
 }
 declare function iqAuth(options: IQAuthExpressOptions): {
     (req: IQAuthRequestLike, res: IQAuthResponseLike, next: IQAuthNextFunction): unknown;
@@ -42,4 +112,4 @@ declare function iqAuth(options: IQAuthExpressOptions): {
     client: IQAuthClient;
 };
 
-export { CookieAwareMiddlewareOptions, type IQAuthExpressOptions, iqAuth };
+export { CookieAwareMiddlewareOptions, type IQAuthExpressOptions, type InlineCallbackBrandedConfig, type InlineCallbackBrandedRenderArgs, type InlineCallbackConfig, iqAuth };

package/dist/express.d.ts

@@ -1,10 +1,9 @@
-import { I as IQAuthClient } from './client-DXbHb2ul.js';
-import { C as CookieAwareMiddlewareOptions } from './express-B4o3P8vK.js';
-export { i as iqAuthMiddleware } from './express-B4o3P8vK.js';
+import { I as IQAuthClient } from './client-DTX4hNdS.js';
+import { C as CookieAwareMiddlewareOptions } from './express-Bo_pJKHN.js';
+export { i as iqAuthMiddleware } from './express-Bo_pJKHN.js';
 import { IQAuthHelperConfig } from './server/handlers.js';
 import { Q as IQAuthRequestLike, R as IQAuthResponseLike, V as IQAuthNextFunction } from './types-Cxl3bQHt.js';
 export { E as ErrorCodes, I as IQAuthError } from './errors-CDdl24MP.js';
-import 'jsonwebtoken';
 
 /**
  * @iqauth/sdk/express — drop-in Express adapter.
@@ -22,18 +21,89 @@ import 'jsonwebtoken';
  *   app.use(iqAuth({ publishableKey: process.env.IQAUTH_PUBLISHABLE_KEY!, secretKey: process.env.IQAUTH_SECRET_KEY! }));
  */
 
+interface InlineCallbackBrandedRenderArgs {
+    /** Issuer URL the SDK will use to mint the authorization code (publishable key origin). */
+    issuer: string;
+    /** Path of the JSON exchange endpoint to POST to (e.g. `/api/iqauth/callback/exchange`). */
+    exchangePath: string;
+    /** The raw `?code=` value from the OAuth redirect (already escaped for HTML). */
+    code: string;
+    /** The raw `?state=` value from the OAuth redirect (already escaped for HTML). */
+    state: string;
+    /** If `errorPath` is configured on the inline-callback options, it's threaded
+     * here so a custom render function can reuse it for its own catch handler.
+     * `""` when unset. */
+    errorPath?: string;
+}
+interface InlineCallbackBrandedConfig {
+    /**
+     * Optional override for the spinner page HTML. Receives the issuer URL, the
+     * exchange endpoint path, and the (HTML-escaped) `code` + `state` from the
+     * OAuth redirect. Returns a full HTML document. When omitted, a minimal
+     * neutral spinner is rendered.
+     */
+    render?: (args: InlineCallbackBrandedRenderArgs) => string;
+}
+interface InlineCallbackConfig {
+    /**
+     * When truthy, mount a GET-method handler on the same path as the POST
+     * callback so the OAuth redirect lands on a server-rendered page (no
+     * blank-tab while waiting for client JS). When `false`, only `POST` is
+     * mounted (the browser SDK posts the code + verifier itself).
+     *
+     * - `inlineCallback: true` — GET exchanges the code synchronously
+     *   (PKCE verifier read from the `iqauth_pkce` first-party cookie set by
+     *   the browser SDK before redirect) and 302s to the final URL.
+     *
+     * - `inlineCallback: { branded: true }` — GET returns a small spinner HTML
+     *   document; the exchange happens via a sibling JSON endpoint at
+     *   `${callbackPath}/exchange`.
+     *
+     * - `inlineCallback: { branded: { render } }` — same as above but lets
+     *   you supply your own HTML (logo, copy, theme).
+     */
+    branded?: boolean | InlineCallbackBrandedConfig;
+    /**
+     * Where to redirect on a failed inline callback (state mismatch, missing
+     * code, code-exchange error from the issuer, etc). When omitted, the
+     * plain inline flow returns a JSON error body and the branded flow
+     * surfaces the failure via the spinner script's catch handler. When set,
+     * the GET handler 302s to this path with `?error=<code>` appended.
+     */
+    errorPath?: string;
+    /**
+     * Cookie name the browser SDK uses to publish the OAuth `state` value
+     * before redirect. Validated against the `?state=` query param on the
+     * return trip. Defaults to `iqauth_state`.
+     */
+    stateCookieName?: string;
+    /**
+     * Cookie name the browser SDK uses to publish the post-login destination
+     * before redirect. The inline GET handler reads it and 302s the user
+     * there after a successful exchange. Defaults to `iqauth_return_to`.
+     */
+    returnToCookieName?: string;
+}
 interface IQAuthExpressOptions extends IQAuthHelperConfig, CookieAwareMiddlewareOptions {
     /** Mount path prefix for the auto-mounted helper routes. */
     mountPath?: string;
     /** Set to false to skip mounting helper routes (verify-only mode). */
     mountHelperRoutes?: boolean;
+    /**
+     * Mount a GET handler on the callback path so the OAuth redirect lands
+     * on a server-rendered page. Off by default (browser SDK posts the code
+     * itself). See {@link InlineCallbackConfig}.
+     */
+    inlineCallback?: boolean | InlineCallbackConfig;
 }
 interface ExpressLikeApp {
     post(path: string, handler: (req: any, res: any) => unknown | Promise<unknown>): unknown;
+    get?(path: string, handler: (req: any, res: any) => unknown | Promise<unknown>): unknown;
     use?: (...args: unknown[]) => unknown;
 }
 interface ExpressLikeRouter {
     post(path: string, handler: (req: any, res: any) => unknown | Promise<unknown>): unknown;
+    get?(path: string, handler: (req: any, res: any) => unknown | Promise<unknown>): unknown;
 }
 declare function iqAuth(options: IQAuthExpressOptions): {
     (req: IQAuthRequestLike, res: IQAuthResponseLike, next: IQAuthNextFunction): unknown;
@@ -42,4 +112,4 @@ declare function iqAuth(options: IQAuthExpressOptions): {
     client: IQAuthClient;
 };
 
-export { CookieAwareMiddlewareOptions, type IQAuthExpressOptions, iqAuth };
+export { CookieAwareMiddlewareOptions, type IQAuthExpressOptions, type InlineCallbackBrandedConfig, type InlineCallbackBrandedRenderArgs, type InlineCallbackConfig, iqAuth };