@iqauth/sdk 2.1.0 → 2.3.0

package/dist/express.mjs

@@ -1,18 +1,19 @@
 import {
   DEFAULT_REFRESH_COOKIE,
   iqAuthMiddleware
-} from "./chunk-ZESHDJDU.mjs";
+} from "./chunk-EKTNEZIH.mjs";
+import {
+  IQAuthClient
+} from "./chunk-W3F4JYGP.mjs";
 import {
   handleCallback,
   handleRefresh,
   handleSignout
-} from "./chunk-JQRTY5MY.mjs";
+} from "./chunk-KGEPDXHU.mjs";
 import {
-  parsePublishableKey
-} from "./chunk-5WFR6Y33.mjs";
-import {
-  IQAuthClient
-} from "./chunk-MDUHPQMM.mjs";
+  assertPublishableKey
+} from "./chunk-WQWBJSSS.mjs";
+import "./chunk-UNYDG2L4.mjs";
 import {
   ErrorCodes,
   IQAuthError
@@ -20,6 +21,78 @@ import {
 import "./chunk-Y6FXYEAI.mjs";
 
 // src/express.ts
+var PKCE_COOKIE = "iqauth_pkce";
+function escapeHtml(s) {
+  return s.replace(/[&<>"']/g, (c) => {
+    switch (c) {
+      case "&":
+        return "&amp;";
+      case "<":
+        return "&lt;";
+      case ">":
+        return "&gt;";
+      case '"':
+        return "&quot;";
+      case "'":
+        return "&#39;";
+      default:
+        return c;
+    }
+  });
+}
+function appendErrorParam(path, errorCode) {
+  const sep = path.includes("?") ? "&" : "?";
+  return `${path}${sep}error=${encodeURIComponent(errorCode)}`;
+}
+function defaultBrandedSpinner(args) {
+  return `<!doctype html>
+<html lang="en">
+<head>
+<meta charset="utf-8" />
+<title>Signing you in\u2026</title>
+<meta name="viewport" content="width=device-width,initial-scale=1" />
+<style>
+  body { margin:0; min-height:100vh; display:flex; align-items:center; justify-content:center; font-family: system-ui, -apple-system, "Segoe UI", sans-serif; background:#f7f7f8; color:#111; }
+  .iqauth-card { text-align:center; padding:2rem; }
+  .iqauth-spinner { width:36px; height:36px; border:3px solid #e5e7eb; border-top-color:#111; border-radius:50%; margin:0 auto 1rem; animation:iqauth-spin 0.9s linear infinite; }
+  @keyframes iqauth-spin { to { transform: rotate(360deg); } }
+  .iqauth-msg { font-size:0.95rem; color:#374151; }
+</style>
+</head>
+<body>
+<div class="iqauth-card" data-testid="iqauth-inline-callback-spinner">
+  <div class="iqauth-spinner" aria-hidden="true"></div>
+  <div class="iqauth-msg">Signing you in\u2026</div>
+</div>
+<script>
+(function(){
+  var code = ${JSON.stringify(args.code)};
+  var state = ${JSON.stringify(args.state)};
+  var errorPath = ${JSON.stringify(args.errorPath || "")};
+  function fail(reason){
+    if (errorPath) { window.location.replace(errorPath + (errorPath.indexOf("?")>=0?"&":"?") + "error=" + encodeURIComponent(reason)); return; }
+    window.location.replace("/");
+  }
+  var verifier = (document.cookie.split('; ').find(function(c){return c.indexOf('${PKCE_COOKIE}=')===0;})||'').slice(${PKCE_COOKIE.length + 1});
+  try { verifier = decodeURIComponent(verifier); } catch (e) {}
+  fetch(${JSON.stringify(args.exchangePath)}, {
+    method: "POST",
+    credentials: "include",
+    headers: { "Content-Type": "application/json" },
+    body: JSON.stringify({ code: code, state: state, codeVerifier: verifier, redirectUri: window.location.origin + window.location.pathname })
+  }).then(function(r){ return r.json().then(function(j){ return { status:r.status, body:j }; }); })
+    .then(function(out){
+      if (out.status >= 400) { fail((out.body && out.body.error && out.body.error.code) || "exchange_failed"); return; }
+      var dest = (out.body && out.body.returnTo) || sessionStorage.getItem("iqauth_return_to") || "/";
+      sessionStorage.removeItem("iqauth_return_to");
+      window.location.replace(dest);
+    })
+    .catch(function(){ fail("network_error"); });
+})();
+</script>
+</body>
+</html>`;
+}
 function applyHandlerResponse(res, hr) {
   for (const c of hr.cookies) {
     if (typeof res.cookie === "function") {
@@ -66,10 +139,7 @@ function readCookieFromReq(req, name) {
   return void 0;
 }
 function iqAuth(options) {
-  const parsed = parsePublishableKey(options.publishableKey);
-  if (!parsed) {
-    throw new Error("@iqauth/sdk/express: invalid publishable key");
-  }
+  const parsed = assertPublishableKey(options.publishableKey, { context: "@iqauth/sdk/express" });
   const issuer = (options.issuer ?? (parsed.iss.startsWith("http") ? parsed.iss : `https://${parsed.iss}`)).replace(/\/+$/, "");
   const client = new IQAuthClient({
     baseUrl: issuer,
@@ -86,6 +156,8 @@ function iqAuth(options) {
     if (mountHelpers && path.startsWith(mount + "/")) return next();
     return verify(req, res, next);
   };
+  const inline = options.inlineCallback === true ? {} : options.inlineCallback && typeof options.inlineCallback === "object" ? options.inlineCallback : null;
+  const inlineBranded = inline?.branded === true ? {} : inline?.branded && typeof inline.branded === "object" ? inline.branded : null;
   const attachHelpers = (app) => {
     app.post(`${mount}/callback`, async (req, res) => {
       const body = readBody(req);
@@ -96,6 +168,131 @@ function iqAuth(options) {
       });
       applyHandlerResponse(res, hr);
     });
+    if (inline && typeof app.get === "function") {
+      const callbackPath = `${mount}/callback`;
+      const exchangePath = `${callbackPath}/exchange`;
+      const stateCookie = inline.stateCookieName ?? "iqauth_state";
+      const returnToCookie = inline.returnToCookieName ?? "iqauth_return_to";
+      const errorPath = inline.errorPath;
+      const clearCookie = (res, name) => {
+        if (typeof res.clearCookie === "function") {
+          res.clearCookie(name, { path: "/" });
+          return;
+        }
+        const existing = res.getHeader?.("Set-Cookie") || [];
+        const list = Array.isArray(existing) ? existing : [existing];
+        list.push(`${name}=; Path=/; Max-Age=0; SameSite=Lax`);
+        res.setHeader?.("Set-Cookie", list);
+      };
+      const failPlain = (res, errorCode, fallback) => {
+        if (errorPath) {
+          const dest = appendErrorParam(errorPath, errorCode);
+          if (typeof res.redirect === "function") return res.redirect(302, dest);
+          res.status(302);
+          res.setHeader?.("Location", dest);
+          return res.end?.();
+        }
+        fallback();
+      };
+      if (inlineBranded) {
+        const render = inlineBranded.render ?? defaultBrandedSpinner;
+        app.get(callbackPath, (req, res) => {
+          const q = req.query || {};
+          const html = render({
+            issuer,
+            exchangePath,
+            code: escapeHtml(q.code ?? ""),
+            state: escapeHtml(q.state ?? ""),
+            errorPath: errorPath ?? ""
+          });
+          res.status(200);
+          if (typeof res.set === "function") res.set("Content-Type", "text/html; charset=utf-8");
+          else if (typeof res.setHeader === "function") res.setHeader("Content-Type", "text/html; charset=utf-8");
+          if (typeof res.send === "function") res.send(html);
+          else res.end?.(html);
+        });
+        app.post(exchangePath, async (req, res) => {
+          const body = readBody(req);
+          const stateFromBody = body.state || void 0;
+          const stateFromCookie = readCookieFromReq(req, stateCookie);
+          if (stateFromCookie && stateFromBody !== stateFromCookie) {
+            clearCookie(res, stateCookie);
+            res.status(400);
+            return res.json ? res.json({ success: false, error: { code: "STATE_MISMATCH", message: "OAuth state mismatch" } }) : res.end?.(JSON.stringify({ success: false, error: { code: "STATE_MISMATCH", message: "OAuth state mismatch" } }));
+          }
+          const hr = await handleCallback(helperConfig, {
+            code: body.code,
+            codeVerifier: body.codeVerifier || readCookieFromReq(req, PKCE_COOKIE) || "",
+            redirectUri: body.redirectUri
+          });
+          clearCookie(res, stateCookie);
+          clearCookie(res, PKCE_COOKIE);
+          const returnTo = readCookieFromReq(req, returnToCookie) || hr.body?.returnTo || "/";
+          if (hr.status < 400) clearCookie(res, returnToCookie);
+          const enriched = {
+            ...hr,
+            body: { ...hr.body, returnTo }
+          };
+          applyHandlerResponse(res, enriched);
+        });
+      } else {
+        app.get(callbackPath, async (req, res) => {
+          const q = req.query || {};
+          const code = q.code;
+          if (!code) {
+            return failPlain(res, "missing_code", () => {
+              res.status(400);
+              if (res.json) res.json({ success: false, error: { code: "MISSING_CODE", message: "Missing authorization code" } });
+              else res.end?.("Missing authorization code");
+            });
+          }
+          const stateFromQuery = q.state;
+          const stateFromCookie = readCookieFromReq(req, stateCookie);
+          if (stateFromCookie && stateFromQuery !== stateFromCookie) {
+            clearCookie(res, stateCookie);
+            return failPlain(res, "state_mismatch", () => {
+              res.status(400);
+              if (res.json) res.json({ success: false, error: { code: "STATE_MISMATCH", message: "OAuth state mismatch" } });
+              else res.end?.("OAuth state mismatch");
+            });
+          }
+          const codeVerifier = readCookieFromReq(req, PKCE_COOKIE) || "";
+          const proto = req.headers?.["x-forwarded-proto"] || req.protocol || "https";
+          const host = req.headers?.["x-forwarded-host"] || req.headers?.host || "";
+          const redirectUri = `${proto}://${host}${callbackPath}`;
+          const hr = await handleCallback(helperConfig, { code, codeVerifier, redirectUri });
+          for (const c of hr.cookies) {
+            if (typeof res.cookie === "function") {
+              const opts = {
+                httpOnly: c.httpOnly,
+                secure: c.secure,
+                sameSite: c.sameSite,
+                path: c.path,
+                maxAge: c.maxAge * 1e3
+              };
+              if (c.domain) opts.domain = c.domain;
+              res.cookie(c.name, c.value, opts);
+            }
+          }
+          clearCookie(res, stateCookie);
+          clearCookie(res, PKCE_COOKIE);
+          if (hr.status >= 400) {
+            const code2 = hr.body?.error?.code || "exchange_failed";
+            return failPlain(res, code2, () => {
+              res.status(hr.status);
+              if (res.json) res.json(hr.body);
+              else res.end?.(JSON.stringify(hr.body));
+            });
+          }
+          const returnTo = readCookieFromReq(req, returnToCookie) || hr.body?.returnTo || "/";
+          clearCookie(res, returnToCookie);
+          if (typeof res.redirect === "function") return res.redirect(302, returnTo);
+          res.status(302);
+          if (typeof res.setHeader === "function") res.setHeader("Location", returnTo);
+          res.end?.();
+        });
+      }
+    }
     app.post(`${mount}/refresh`, async (req, res) => {
       const body = readBody(req);
       const refreshToken = body.refreshToken || readCookieFromReq(req, refreshCookie);
@@ -104,7 +301,8 @@ function iqAuth(options) {
     });
     app.post(`${mount}/signout`, async (req, res) => {
       const accessToken = req.headers?.authorization?.replace(/^Bearer /i, "") || readCookieFromReq(req, accessCookie);
-      const hr = await handleSignout(helperConfig, { accessToken });
+      const ssoCookieHeader = req.headers?.cookie;
+      const hr = await handleSignout(helperConfig, { accessToken, ssoCookieHeader });
       applyHandlerResponse(res, hr);
     });
   };

package/dist/fastify.js

@@ -407,8 +407,7 @@ function parseMfaResponse(data, browserSessionMode) {
 }
 
 // src/modules/tokens.ts
-var import_crypto = __toESM(require("crypto"));
-var import_jsonwebtoken = __toESM(require("jsonwebtoken"));
+var import_jose = require("jose");
 var JWKS_CACHE_TTL_MS = 60 * 60 * 1e3;
 var DEFAULT_TOKEN_ISSUER = [
   "https://auth.dispositioniq.com",
@@ -421,6 +420,24 @@ var DEFAULT_TOKEN_AUDIENCE = [
   "iqvalidate"
 ];
 var DEFAULT_CLOCK_TOLERANCE_SECONDS = 30;
+function decodeProtectedHeader(token) {
+  const parts = token.split(".");
+  if (parts.length < 2) return null;
+  try {
+    const padded = parts[0] + "=".repeat((4 - parts[0].length % 4) % 4);
+    const b64 = padded.replace(/-/g, "+").replace(/_/g, "/");
+    let json;
+    if (typeof atob === "function") {
+      json = atob(b64);
+    } else {
+      const { Buffer: Buffer2 } = require("buffer");
+      json = Buffer2.from(b64, "base64").toString("utf8");
+    }
+    return JSON.parse(json);
+  } catch {
+    return null;
+  }
+}
 var TokensModule = class {
   constructor(baseUrl, options = {}) {
     this.jwksCache = null;
@@ -431,49 +448,49 @@ var TokensModule = class {
     this.defaultClockTolerance = options.clockTolerance ?? DEFAULT_CLOCK_TOLERANCE_SECONDS;
   }
   /**
-   * Verify a JWT access token using RS256 via JWKS from /.well-known/jwks.json.
-   * Caches JWKS keys for 1 hour. Retries once on unknown `kid`.
-   *
-   * @remarks Validates against /.well-known/jwks.json. Issuer, audience, and
-   * clock tolerance default to client config but can be overridden per call.
+   * Verify a JWT access token using RS256/ES256 via JWKS from
+   * `/.well-known/jwks.json`. Backed by `jose` (Web Crypto) so it runs on
+   * Node, browser, and edge runtimes alike — no `node:crypto` dependency.
+   * Caches JWKS for 1 hour and refetches once on unknown `kid`.
    */
   async verify(token, options = {}) {
-    const decoded = import_jsonwebtoken.default.decode(token, { complete: true });
-    if (!decoded || typeof decoded === "string") {
+    const header = decodeProtectedHeader(token);
+    if (!header) {
       throw new IQAuthError("TOKEN_INVALID", "Unable to decode token");
     }
-    const kid = decoded.header.kid;
+    const kid = header.kid;
     if (!kid) {
       throw new IQAuthError("TOKEN_INVALID", "Token missing kid header");
     }
-    let publicKey = await this.getPublicKey(kid);
-    if (!publicKey) {
-      await this.refreshJwks();
-      publicKey = await this.getPublicKey(kid);
+    let cache = await this.ensureCache();
+    if (!cache.byKid.has(kid)) {
+      this.jwksCache = null;
+      cache = await this.ensureCache();
     }
-    if (!publicKey) {
+    if (!cache.byKid.has(kid)) {
       throw new IQAuthError("TOKEN_INVALID", `Unknown key ID: ${kid}`);
     }
     const issuer = options.issuer ?? this.defaultIssuer;
     const audience = options.audience ?? this.defaultAudience;
     const clockTolerance = options.clockTolerance ?? this.defaultClockTolerance;
-    const algorithms = options.algorithms ?? ["RS256"];
+    const algorithms = options.algorithms ?? ["RS256", "ES256"];
+    const verifyOptions = {
+      algorithms,
+      clockTolerance,
+      issuer,
+      audience
+    };
     try {
-      const verifyOptions = {
-        algorithms,
-        clockTolerance,
-        // The jsonwebtoken types insist on tuple types for arrays; runtime
-        // accepts plain string[] so we cast to satisfy the compiler.
-        issuer,
-        audience
-      };
-      const verified = import_jsonwebtoken.default.verify(token, publicKey, verifyOptions);
-      return verified;
+      const { payload } = await (0, import_jose.jwtVerify)(token, cache.verifier, verifyOptions);
+      return payload;
     } catch (err) {
+      if (err instanceof import_jose.errors.JWTExpired) {
+        throw new IQAuthError("TOKEN_EXPIRED", "Token has expired");
+      }
+      if (err instanceof import_jose.errors.JOSEError) {
+        throw new IQAuthError("TOKEN_INVALID", err.message);
+      }
       if (err instanceof Error) {
-        if (err.name === "TokenExpiredError") {
-          throw new IQAuthError("TOKEN_EXPIRED", "Token has expired");
-        }
         throw new IQAuthError("TOKEN_INVALID", err.message);
       }
       throw new IQAuthError("TOKEN_INVALID", "Token verification failed");
@@ -481,29 +498,40 @@ var TokensModule = class {
   }
   /**
    * Decode a JWT without verification. Returns null if malformed.
-   *
-   * @remarks Local decode only — no network call
    */
   decode(token) {
-    const decoded = import_jsonwebtoken.default.decode(token);
-    return decoded;
+    try {
+      const parts = token.split(".");
+      if (parts.length < 2) return null;
+      const payload = parts[1];
+      const padded = payload + "=".repeat((4 - payload.length % 4) % 4);
+      const b64 = padded.replace(/-/g, "+").replace(/_/g, "/");
+      let json;
+      if (typeof atob === "function") {
+        json = atob(b64);
+      } else {
+        const { Buffer: Buffer2 } = require("buffer");
+        json = Buffer2.from(b64, "base64").toString("utf8");
+      }
+      try {
+        json = decodeURIComponent(escape(json));
+      } catch {
+      }
+      const claims = JSON.parse(json);
+      if (!claims || typeof claims !== "object") return null;
+      return claims;
+    } catch {
+      return null;
+    }
   }
-  /**
-   * Check if a token is expired based on the `exp` claim.
-   *
-   * @remarks Local check only — no network call
-   */
+  /** Check if a token is expired based on the `exp` claim. */
   isExpired(token) {
     const claims = this.decode(token);
     if (!claims?.exp) return true;
     const now = Math.floor(Date.now() / 1e3);
     return claims.exp <= now;
   }
-  /**
-   * Get the claims from a token without verification.
-   *
-   * @remarks Local decode only — no network call
-   */
+  /** Get the claims from a token without verification. */
   getClaims(token) {
     const claims = this.decode(token);
     if (!claims) {
@@ -511,11 +539,15 @@ var TokensModule = class {
     }
     return claims;
   }
-  async getPublicKey(kid) {
-    if (!this.jwksCache || Date.now() - this.jwksCache.fetchedAt > JWKS_CACHE_TTL_MS) {
-      await this.refreshJwks();
+  async ensureCache() {
+    if (this.jwksCache && Date.now() - this.jwksCache.fetchedAt <= JWKS_CACHE_TTL_MS) {
+      return this.jwksCache;
     }
-    return this.jwksCache?.keys.get(kid) ?? null;
+    await this.refreshJwks();
+    if (!this.jwksCache) {
+      throw new IQAuthError("INTERNAL_ERROR", "JWKS cache unavailable after refresh");
+    }
+    return this.jwksCache;
   }
   async refreshJwks() {
     if (this.inFlightRefresh) {
@@ -542,35 +574,24 @@ var TokensModule = class {
             "Malformed JWKS response: expected { keys: [...] }"
           );
         }
-        const keys = /* @__PURE__ */ new Map();
+        const byKid = /* @__PURE__ */ new Set();
         for (const key of jwks.keys) {
-          if (!key || typeof key.kid !== "string" || typeof key.n !== "string" || typeof key.e !== "string") {
+          if (!key || typeof key.kid !== "string" || typeof key.n !== "string" && typeof key.x !== "string" || key.kty === "RSA" && (typeof key.n !== "string" || typeof key.e !== "string")) {
             throw new IQAuthError(
               "INTERNAL_ERROR",
               "Malformed JWKS response: key missing required fields"
             );
           }
-          const pem = this.jwkToPem(key);
-          keys.set(key.kid, pem);
+          byKid.add(key.kid);
         }
-        this.jwksCache = { keys, fetchedAt: Date.now() };
+        const verifier = (0, import_jose.createLocalJWKSet)({ keys: jwks.keys });
+        this.jwksCache = { raw: jwks.keys, byKid, verifier, fetchedAt: Date.now() };
       } finally {
         this.inFlightRefresh = null;
       }
     })();
     return this.inFlightRefresh;
   }
-  jwkToPem(jwk) {
-    const keyObject = import_crypto.default.createPublicKey({
-      key: {
-        kty: jwk.kty,
-        n: jwk.n,
-        e: jwk.e
-      },
-      format: "jwk"
-    });
-    return keyObject.export({ type: "spki", format: "pem" });
-  }
   /** @internal Exposed for testing — clears JWKS cache */
   clearCache() {
     this.jwksCache = null;
@@ -778,7 +799,7 @@ var PermissionsModule = class {
 };
 
 // src/modules/oidc.ts
-var import_crypto2 = __toESM(require("crypto"));
+var import_crypto = __toESM(require("crypto"));
 var InMemoryOidcStateStore = class {
   constructor() {
     this.map = /* @__PURE__ */ new Map();
@@ -859,12 +880,12 @@ var OidcModule = class {
    * ready to redirect the user to.
    */
   async createAuthRequest(params) {
-    const codeVerifier = base64UrlEncode(import_crypto2.default.randomBytes(32));
+    const codeVerifier = base64UrlEncode(import_crypto.default.randomBytes(32));
     const codeChallenge = base64UrlEncode(
-      import_crypto2.default.createHash("sha256").update(codeVerifier).digest()
+      import_crypto.default.createHash("sha256").update(codeVerifier).digest()
     );
-    const state = base64UrlEncode(import_crypto2.default.randomBytes(16));
-    const nonce = base64UrlEncode(import_crypto2.default.randomBytes(16));
+    const state = base64UrlEncode(import_crypto.default.randomBytes(16));
+    const nonce = base64UrlEncode(import_crypto.default.randomBytes(16));
     await this.stateStore.set(state, {
       codeVerifier,
       state,
@@ -1767,21 +1788,61 @@ function b64urlDecode(input) {
   const { Buffer: Buffer2 } = require("buffer");
   return Buffer2.from(normalized, "base64").toString("utf8");
 }
-function parsePublishableKey(raw) {
-  if (typeof raw !== "string") return null;
-  const m = raw.match(/^pk_(test|live)_([A-Za-z0-9_-]+)$/);
-  if (!m) return null;
+function isValidIssuerUrl(iss) {
+  if (typeof iss !== "string" || iss.length === 0) return false;
+  if (!iss.startsWith("http://") && !iss.startsWith("https://")) return false;
   try {
-    const json = JSON.parse(b64urlDecode(m[2]));
-    if (!json || typeof json !== "object") return null;
-    if (typeof json.iss !== "string" || typeof json.appId !== "string" || typeof json.tenantId !== "string" || typeof json.kid !== "string") {
-      return null;
-    }
-    return { mode: m[1], iss: json.iss, appId: json.appId, tenantId: json.tenantId, kid: json.kid, raw };
+    const u = new URL(iss);
+    if (u.protocol !== "http:" && u.protocol !== "https:") return false;
+    if (!u.hostname) return false;
+    return true;
   } catch {
-    return null;
+    return false;
   }
 }
+function assertPublishableKey(raw, opts) {
+  const ctx = opts?.context ? `${opts.context}: ` : "";
+  if (typeof raw !== "string" || raw.length === 0) {
+    throw new IQAuthError(
+      "CONFIG_INVALID",
+      `${ctx}IQAuth publishable key is missing. Set IQAUTH_PUBLISHABLE_KEY (or pass publishableKey) to a pk_test_\u2026 or pk_live_\u2026 value from the IQAuth admin console.`
+    );
+  }
+  const shapeMatch = raw.match(/^pk_(test|live)_([A-Za-z0-9_-]+)$/);
+  if (!shapeMatch) {
+    throw new IQAuthError(
+      "CONFIG_INVALID",
+      `${ctx}IQAuth publishable key is malformed (got ${raw.slice(0, 12)}\u2026). Expected pk_test_\u2026 or pk_live_\u2026; regenerate the key from the IQAuth admin console.`
+    );
+  }
+  let decoded;
+  try {
+    decoded = JSON.parse(b64urlDecode(shapeMatch[2]));
+  } catch {
+    throw new IQAuthError(
+      "CONFIG_INVALID",
+      `${ctx}IQAuth publishable key payload is not valid base64url JSON. Regenerate the key from the IQAuth admin console.`
+    );
+  }
+  if (!isPublishableKeyPayload(decoded)) {
+    throw new IQAuthError(
+      "CONFIG_INVALID",
+      `${ctx}IQAuth publishable key payload is missing required fields {iss, appId, tenantId, kid}. Regenerate the key from the IQAuth admin console.`
+    );
+  }
+  if (!isValidIssuerUrl(decoded.iss)) {
+    throw new IQAuthError(
+      "CONFIG_INVALID",
+      `${ctx}IQAuth publishable key encodes an invalid issuer (iss=${JSON.stringify(decoded.iss)}). Expected a fully-qualified URL like "https://auth.example.com" (scheme required). Regenerate the key from the IQAuth admin console \u2014 the new key will encode a valid issuer URL.`
+    );
+  }
+  return { mode: shapeMatch[1], iss: decoded.iss, appId: decoded.appId, tenantId: decoded.tenantId, kid: decoded.kid, raw };
+}
+function isPublishableKeyPayload(value) {
+  if (!value || typeof value !== "object") return false;
+  const v = value;
+  return typeof v.iss === "string" && typeof v.appId === "string" && typeof v.tenantId === "string" && typeof v.kid === "string";
+}
 
 // src/server/handlers.ts
 var TERMINAL_REFRESH_ERROR_CODES = /* @__PURE__ */ new Set([
@@ -1803,12 +1864,7 @@ function shouldClearCookiesOnFailure(policy, status, errorCode) {
 var ACCESS_TOKEN_TTL_SECONDS = 60 * 15;
 var REFRESH_TOKEN_TTL_SECONDS = 60 * 60 * 24 * 30;
 function resolve(config) {
-  const parsed = parsePublishableKey(config.publishableKey);
-  if (!parsed) {
-    throw new Error(
-      "@iqauth/sdk: invalid publishable key passed to iqAuth helpers (expected pk_test_\u2026 or pk_live_\u2026)"
-    );
-  }
+  const parsed = assertPublishableKey(config.publishableKey, { context: "@iqauth/sdk helpers" });
   const inferredIssuer = parsed.iss.startsWith("http") ? parsed.iss : `https://${parsed.iss}`;
   return {
     publishableKey: config.publishableKey,
@@ -1979,6 +2035,15 @@ async function handleSignout(config, input) {
     } catch {
     }
   }
+  if (input.endSsoSession !== false && input.ssoCookieHeader) {
+    try {
+      await cfg.fetchImpl(`${cfg.issuer}/oidc/sso-logout`, {
+        method: "POST",
+        headers: { Cookie: input.ssoCookieHeader }
+      });
+    } catch {
+    }
+  }
   return {
     status: 200,
     body: { success: true, data: { signedOut: true } },
@@ -2023,8 +2088,7 @@ function readCookie(req, name) {
   return void 0;
 }
 async function iqAuth(fastify, options) {
-  const parsed = parsePublishableKey(options.publishableKey);
-  if (!parsed) throw new Error("@iqauth/sdk/fastify: invalid publishable key");
+  const parsed = assertPublishableKey(options.publishableKey, { context: "@iqauth/sdk/fastify" });
   const issuer = (options.issuer ?? (parsed.iss.startsWith("http") ? parsed.iss : `https://${parsed.iss}`)).replace(/\/+$/, "");
   const helperConfig = { ...options, issuer };
   const client = new IQAuthClient({
@@ -2086,7 +2150,8 @@ async function iqAuth(fastify, options) {
     fastify.post(`${mount}/signout`, async (req, reply) => {
       const auth = req.headers?.authorization;
       const accessToken = (typeof auth === "string" ? auth.replace(/^Bearer /i, "") : void 0) || readCookie(req, accessCookie);
-      applyResponse(reply, await handleSignout(helperConfig, { accessToken }));
+      const ssoCookieHeader = typeof req.headers?.cookie === "string" ? req.headers.cookie : void 0;
+      applyResponse(reply, await handleSignout(helperConfig, { accessToken, ssoCookieHeader }));
     });
   }
   fastify.decorate("iqauth", { client, issuer });