@iqauth/sdk 2.2.0 → 2.5.0

package/dist/index.js

@@ -60,13 +60,19 @@ __export(index_exports, {
   TokensModule: () => TokensModule,
   UsersModule: () => UsersModule,
   VendorsModule: () => VendorsModule,
+  WebhookSignatureError: () => WebhookSignatureError,
   WebhooksModule: () => WebhooksModule,
   assertPublishableKey: () => assertPublishableKey,
+  createProvisioningBridge: () => createProvisioningBridge,
+  createTestIssuer: () => createTestIssuer,
   encodePublishableKey: () => encodePublishableKey,
   iqAuthMiddleware: () => iqAuthMiddleware,
   isPublishableKey: () => isPublishableKey,
   isSecretKey: () => isSecretKey,
-  parsePublishableKey: () => parsePublishableKey
+  isValidWebhookSignature: () => isValidWebhookSignature,
+  parsePublishableKey: () => parsePublishableKey,
+  verifyWebhookSignature: () => verifyWebhookSignature,
+  verifyWsUpgrade: () => verifyWsUpgrade
 });
 module.exports = __toCommonJS(index_exports);
 
@@ -478,8 +484,7 @@ function parseMfaResponse(data, browserSessionMode) {
 }
 
 // src/modules/tokens.ts
-var import_crypto = __toESM(require("crypto"));
-var import_jsonwebtoken = __toESM(require("jsonwebtoken"));
+var import_jose = require("jose");
 var JWKS_CACHE_TTL_MS = 60 * 60 * 1e3;
 var DEFAULT_TOKEN_ISSUER = [
   "https://auth.dispositioniq.com",
@@ -492,6 +497,24 @@ var DEFAULT_TOKEN_AUDIENCE = [
   "iqvalidate"
 ];
 var DEFAULT_CLOCK_TOLERANCE_SECONDS = 30;
+function decodeProtectedHeader(token) {
+  const parts = token.split(".");
+  if (parts.length < 2) return null;
+  try {
+    const padded = parts[0] + "=".repeat((4 - parts[0].length % 4) % 4);
+    const b64 = padded.replace(/-/g, "+").replace(/_/g, "/");
+    let json;
+    if (typeof atob === "function") {
+      json = atob(b64);
+    } else {
+      const { Buffer: Buffer2 } = require("buffer");
+      json = Buffer2.from(b64, "base64").toString("utf8");
+    }
+    return JSON.parse(json);
+  } catch {
+    return null;
+  }
+}
 var TokensModule = class {
   constructor(baseUrl, options = {}) {
     this.jwksCache = null;
@@ -502,49 +525,49 @@ var TokensModule = class {
     this.defaultClockTolerance = options.clockTolerance ?? DEFAULT_CLOCK_TOLERANCE_SECONDS;
   }
   /**
-   * Verify a JWT access token using RS256 via JWKS from /.well-known/jwks.json.
-   * Caches JWKS keys for 1 hour. Retries once on unknown `kid`.
-   *
-   * @remarks Validates against /.well-known/jwks.json. Issuer, audience, and
-   * clock tolerance default to client config but can be overridden per call.
+   * Verify a JWT access token using RS256/ES256 via JWKS from
+   * `/.well-known/jwks.json`. Backed by `jose` (Web Crypto) so it runs on
+   * Node, browser, and edge runtimes alike — no `node:crypto` dependency.
+   * Caches JWKS for 1 hour and refetches once on unknown `kid`.
    */
   async verify(token, options = {}) {
-    const decoded = import_jsonwebtoken.default.decode(token, { complete: true });
-    if (!decoded || typeof decoded === "string") {
+    const header = decodeProtectedHeader(token);
+    if (!header) {
       throw new IQAuthError("TOKEN_INVALID", "Unable to decode token");
     }
-    const kid = decoded.header.kid;
+    const kid = header.kid;
     if (!kid) {
       throw new IQAuthError("TOKEN_INVALID", "Token missing kid header");
     }
-    let publicKey = await this.getPublicKey(kid);
-    if (!publicKey) {
-      await this.refreshJwks();
-      publicKey = await this.getPublicKey(kid);
+    let cache = await this.ensureCache();
+    if (!cache.byKid.has(kid)) {
+      this.jwksCache = null;
+      cache = await this.ensureCache();
     }
-    if (!publicKey) {
+    if (!cache.byKid.has(kid)) {
       throw new IQAuthError("TOKEN_INVALID", `Unknown key ID: ${kid}`);
     }
     const issuer = options.issuer ?? this.defaultIssuer;
     const audience = options.audience ?? this.defaultAudience;
     const clockTolerance = options.clockTolerance ?? this.defaultClockTolerance;
-    const algorithms = options.algorithms ?? ["RS256"];
+    const algorithms = options.algorithms ?? ["RS256", "ES256"];
+    const verifyOptions = {
+      algorithms,
+      clockTolerance,
+      issuer,
+      audience
+    };
     try {
-      const verifyOptions = {
-        algorithms,
-        clockTolerance,
-        // The jsonwebtoken types insist on tuple types for arrays; runtime
-        // accepts plain string[] so we cast to satisfy the compiler.
-        issuer,
-        audience
-      };
-      const verified = import_jsonwebtoken.default.verify(token, publicKey, verifyOptions);
-      return verified;
+      const { payload } = await (0, import_jose.jwtVerify)(token, cache.verifier, verifyOptions);
+      return payload;
     } catch (err) {
+      if (err instanceof import_jose.errors.JWTExpired) {
+        throw new IQAuthError("TOKEN_EXPIRED", "Token has expired");
+      }
+      if (err instanceof import_jose.errors.JOSEError) {
+        throw new IQAuthError("TOKEN_INVALID", err.message);
+      }
       if (err instanceof Error) {
-        if (err.name === "TokenExpiredError") {
-          throw new IQAuthError("TOKEN_EXPIRED", "Token has expired");
-        }
         throw new IQAuthError("TOKEN_INVALID", err.message);
       }
       throw new IQAuthError("TOKEN_INVALID", "Token verification failed");
@@ -552,29 +575,40 @@ var TokensModule = class {
   }
   /**
    * Decode a JWT without verification. Returns null if malformed.
-   *
-   * @remarks Local decode only — no network call
    */
   decode(token) {
-    const decoded = import_jsonwebtoken.default.decode(token);
-    return decoded;
+    try {
+      const parts = token.split(".");
+      if (parts.length < 2) return null;
+      const payload = parts[1];
+      const padded = payload + "=".repeat((4 - payload.length % 4) % 4);
+      const b64 = padded.replace(/-/g, "+").replace(/_/g, "/");
+      let json;
+      if (typeof atob === "function") {
+        json = atob(b64);
+      } else {
+        const { Buffer: Buffer2 } = require("buffer");
+        json = Buffer2.from(b64, "base64").toString("utf8");
+      }
+      try {
+        json = decodeURIComponent(escape(json));
+      } catch {
+      }
+      const claims = JSON.parse(json);
+      if (!claims || typeof claims !== "object") return null;
+      return claims;
+    } catch {
+      return null;
+    }
   }
-  /**
-   * Check if a token is expired based on the `exp` claim.
-   *
-   * @remarks Local check only — no network call
-   */
+  /** Check if a token is expired based on the `exp` claim. */
   isExpired(token) {
     const claims = this.decode(token);
     if (!claims?.exp) return true;
     const now = Math.floor(Date.now() / 1e3);
     return claims.exp <= now;
   }
-  /**
-   * Get the claims from a token without verification.
-   *
-   * @remarks Local decode only — no network call
-   */
+  /** Get the claims from a token without verification. */
   getClaims(token) {
     const claims = this.decode(token);
     if (!claims) {
@@ -582,11 +616,15 @@ var TokensModule = class {
     }
     return claims;
   }
-  async getPublicKey(kid) {
-    if (!this.jwksCache || Date.now() - this.jwksCache.fetchedAt > JWKS_CACHE_TTL_MS) {
-      await this.refreshJwks();
+  async ensureCache() {
+    if (this.jwksCache && Date.now() - this.jwksCache.fetchedAt <= JWKS_CACHE_TTL_MS) {
+      return this.jwksCache;
+    }
+    await this.refreshJwks();
+    if (!this.jwksCache) {
+      throw new IQAuthError("INTERNAL_ERROR", "JWKS cache unavailable after refresh");
     }
-    return this.jwksCache?.keys.get(kid) ?? null;
+    return this.jwksCache;
   }
   async refreshJwks() {
     if (this.inFlightRefresh) {
@@ -613,35 +651,24 @@ var TokensModule = class {
             "Malformed JWKS response: expected { keys: [...] }"
           );
         }
-        const keys = /* @__PURE__ */ new Map();
+        const byKid = /* @__PURE__ */ new Set();
         for (const key of jwks.keys) {
-          if (!key || typeof key.kid !== "string" || typeof key.n !== "string" || typeof key.e !== "string") {
+          if (!key || typeof key.kid !== "string" || typeof key.n !== "string" && typeof key.x !== "string" || key.kty === "RSA" && (typeof key.n !== "string" || typeof key.e !== "string")) {
             throw new IQAuthError(
               "INTERNAL_ERROR",
               "Malformed JWKS response: key missing required fields"
             );
           }
-          const pem = this.jwkToPem(key);
-          keys.set(key.kid, pem);
+          byKid.add(key.kid);
         }
-        this.jwksCache = { keys, fetchedAt: Date.now() };
+        const verifier = (0, import_jose.createLocalJWKSet)({ keys: jwks.keys });
+        this.jwksCache = { raw: jwks.keys, byKid, verifier, fetchedAt: Date.now() };
       } finally {
         this.inFlightRefresh = null;
       }
     })();
     return this.inFlightRefresh;
   }
-  jwkToPem(jwk) {
-    const keyObject = import_crypto.default.createPublicKey({
-      key: {
-        kty: jwk.kty,
-        n: jwk.n,
-        e: jwk.e
-      },
-      format: "jwk"
-    });
-    return keyObject.export({ type: "spki", format: "pem" });
-  }
   /** @internal Exposed for testing — clears JWKS cache */
   clearCache() {
     this.jwksCache = null;
@@ -849,7 +876,7 @@ var PermissionsModule = class {
 };
 
 // src/modules/oidc.ts
-var import_crypto2 = __toESM(require("crypto"));
+var import_crypto = __toESM(require("crypto"));
 var InMemoryOidcStateStore = class {
   constructor() {
     this.map = /* @__PURE__ */ new Map();
@@ -930,12 +957,12 @@ var OidcModule = class {
    * ready to redirect the user to.
    */
   async createAuthRequest(params) {
-    const codeVerifier = base64UrlEncode(import_crypto2.default.randomBytes(32));
+    const codeVerifier = base64UrlEncode(import_crypto.default.randomBytes(32));
     const codeChallenge = base64UrlEncode(
-      import_crypto2.default.createHash("sha256").update(codeVerifier).digest()
+      import_crypto.default.createHash("sha256").update(codeVerifier).digest()
     );
-    const state = base64UrlEncode(import_crypto2.default.randomBytes(16));
-    const nonce = base64UrlEncode(import_crypto2.default.randomBytes(16));
+    const state = base64UrlEncode(import_crypto.default.randomBytes(16));
+    const nonce = base64UrlEncode(import_crypto.default.randomBytes(16));
     await this.stateStore.set(state, {
       codeVerifier,
       state,
@@ -1913,7 +1940,7 @@ function assertPublishableKey(raw, opts) {
   if (!isValidIssuerUrl(decoded.iss)) {
     throw new IQAuthError(
       "CONFIG_INVALID",
-      `${ctx}IQAuth publishable key encodes an invalid issuer (iss=${JSON.stringify(decoded.iss)}). Expected a fully-qualified URL like "https://auth.example.com" (scheme required). Regenerate the key from the IQAuth admin console, or set IQAUTH_ISSUER to the correct issuer URL as a temporary workaround.`
+      `${ctx}IQAuth publishable key encodes an invalid issuer (iss=${JSON.stringify(decoded.iss)}). Expected a fully-qualified URL like "https://auth.example.com" (scheme required). Regenerate the key from the IQAuth admin console \u2014 the new key will encode a valid issuer URL.`
     );
   }
   return { mode: shapeMatch[1], iss: decoded.iss, appId: decoded.appId, tenantId: decoded.tenantId, kid: decoded.kid, raw };
@@ -1964,6 +1991,22 @@ function readCookie(req, name) {
   }
   return void 0;
 }
+function compileMatcher(pat) {
+  if (pat instanceof RegExp) return (p) => pat.test(p);
+  const re = new RegExp(
+    "^" + pat.replace(/[.+^${}()|[\]\\]/g, "\\$&").replace(/\*\*/g, "::DOUBLE::").replace(/\*/g, "[^/]*").replace(/::DOUBLE::/g, ".*") + "$"
+  );
+  return (p) => re.test(p);
+}
+function compileMatchers(pats) {
+  return (pats ?? []).map(compileMatcher);
+}
+function pathOf(req) {
+  const r = req;
+  const raw = r.path || r.originalUrl || r.url || "/";
+  const q = raw.indexOf("?");
+  return q >= 0 ? raw.slice(0, q) : raw;
+}
 function clientFromPublishableKey(opts) {
   const parsed = assertPublishableKey(opts.publishableKey, { context: "iqAuthMiddleware" });
   const issuer = (opts.issuer ?? (parsed.iss.startsWith("http") ? parsed.iss : `https://${parsed.iss}`)).replace(/\/+$/, "");
@@ -1991,10 +2034,26 @@ function iqAuthMiddleware(clientOrOptions, options = {}) {
     onUnauthorized,
     onForbidden,
     onError,
-    accessCookieName = DEFAULT_ACCESS_COOKIE,
-    cookieAware = true
+    cookieAware = true,
+    cookieNames,
+    protect,
+    publicRoutes
   } = resolvedOptions;
+  const accessCookieName = resolvedOptions.accessCookieName ?? cookieNames?.access ?? DEFAULT_ACCESS_COOKIE;
+  const protectMatchers = compileMatchers(protect);
+  const publicMatchers = compileMatchers(publicRoutes);
+  const hasProtect = protectMatchers.length > 0;
+  const hasPublic = publicMatchers.length > 0;
   return async (req, res, next) => {
+    if (hasProtect || hasPublic) {
+      const path = pathOf(req);
+      if (hasPublic && publicMatchers.some((m) => m(path))) {
+        return next();
+      }
+      if (hasProtect && !protectMatchers.some((m) => m(path))) {
+        return next();
+      }
+    }
     let token;
     const authHeader = getAuthorizationHeader(req);
     if (authHeader && authHeader.startsWith("Bearer ")) {
@@ -2086,6 +2145,458 @@ function iqAuthMiddleware(clientOrOptions, options = {}) {
     next();
   };
 }
+
+// src/ws.ts
+var DEFAULT_COOKIE = "iqauth_at";
+var DEFAULT_SUBPROTOCOL_PREFIX = "iqauth.bearer.";
+var JWT_SHAPE = /^[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+$/;
+var tokensByIssuer = /* @__PURE__ */ new Map();
+function getTokens(issuer) {
+  let mod = tokensByIssuer.get(issuer);
+  if (!mod) {
+    mod = new TokensModule(issuer);
+    tokensByIssuer.set(issuer, mod);
+  }
+  return mod;
+}
+function firstHeader(value) {
+  if (Array.isArray(value)) return value[0];
+  return value;
+}
+function readCookie2(cookieHeader, name) {
+  if (!cookieHeader) return void 0;
+  const target = `${name}=`;
+  for (const seg of cookieHeader.split(";")) {
+    const t = seg.trim();
+    if (t.startsWith(target)) {
+      try {
+        return decodeURIComponent(t.slice(target.length));
+      } catch {
+        return t.slice(target.length);
+      }
+    }
+  }
+  return void 0;
+}
+function extractToken(req, cookieName, subprotocolPrefix) {
+  let authHeader;
+  let cookieHeader;
+  let subprotoHeader;
+  if ("headers" in req && req.headers && typeof req.headers === "object") {
+    authHeader = firstHeader(req.headers.authorization);
+    cookieHeader = firstHeader(req.headers.cookie);
+    subprotoHeader = firstHeader(req.headers["sec-websocket-protocol"]);
+  } else {
+    const r = req;
+    authHeader = r.authorization;
+    cookieHeader = r.cookie;
+    subprotoHeader = r.secWebSocketProtocol;
+  }
+  if (authHeader && /^Bearer /i.test(authHeader)) {
+    return authHeader.slice(7).trim();
+  }
+  if (cookieName && cookieHeader) {
+    const fromCookie = readCookie2(cookieHeader, cookieName);
+    if (fromCookie) return fromCookie;
+  }
+  if (subprotocolPrefix !== null && subprotoHeader) {
+    const protos = subprotoHeader.split(",").map((s) => s.trim()).filter(Boolean);
+    for (const proto of protos) {
+      if (subprotocolPrefix && proto.startsWith(subprotocolPrefix)) {
+        return proto.slice(subprotocolPrefix.length);
+      }
+      if (JWT_SHAPE.test(proto)) return proto;
+    }
+  }
+  return void 0;
+}
+async function verifyWsUpgrade(req, options) {
+  const parsed = assertPublishableKey(options.publishableKey, {
+    context: "@iqauth/sdk/ws"
+  });
+  const issuer = (options.issuer && typeof options.issuer === "string" ? options.issuer : parsed.iss.startsWith("http") ? parsed.iss : `https://${parsed.iss}`).replace(/\/+$/, "");
+  const cookieName = options.cookieName === void 0 ? DEFAULT_COOKIE : options.cookieName;
+  const subprotocolPrefix = options.subprotocolPrefix === void 0 ? DEFAULT_SUBPROTOCOL_PREFIX : options.subprotocolPrefix;
+  const token = extractToken(req, cookieName, subprotocolPrefix);
+  if (!token) return null;
+  const tokens = getTokens(issuer);
+  try {
+    const verifyOpts = {};
+    if (options.audience !== void 0) verifyOpts.audience = options.audience;
+    verifyOpts.issuer = options.issuer ?? issuer;
+    if (options.clockTolerance !== void 0)
+      verifyOpts.clockTolerance = options.clockTolerance;
+    if (options.algorithms !== void 0) verifyOpts.algorithms = options.algorithms;
+    const claims = await tokens.verify(token, verifyOpts);
+    return { claims };
+  } catch (err) {
+    if (err instanceof IQAuthError) return null;
+    return null;
+  }
+}
+
+// src/test.ts
+var import_http2 = require("http");
+var import_crypto2 = require("crypto");
+var import_jsonwebtoken = __toESM(require("jsonwebtoken"));
+function jwkFromPublicKey(publicKey, kid) {
+  const jwk = publicKey.export({ format: "jwk" });
+  return { kty: "RSA", use: "sig", alg: "RS256", kid, n: jwk.n, e: jwk.e };
+}
+function readBody(req) {
+  return new Promise((resolve, reject) => {
+    const chunks = [];
+    req.on("data", (c) => chunks.push(c));
+    req.on("end", () => resolve(Buffer.concat(chunks).toString("utf8")));
+    req.on("error", reject);
+  });
+}
+function parseFormOrJson(raw, contentType) {
+  if (!raw) return {};
+  if (contentType && contentType.includes("application/json")) {
+    try {
+      const obj = JSON.parse(raw);
+      const out2 = {};
+      for (const [k, v] of Object.entries(obj || {})) {
+        if (typeof v === "string") out2[k] = v;
+        else if (v != null) out2[k] = String(v);
+      }
+      return out2;
+    } catch {
+      return {};
+    }
+  }
+  const out = {};
+  for (const part of raw.split("&")) {
+    if (!part) continue;
+    const eq = part.indexOf("=");
+    const k = decodeURIComponent(eq === -1 ? part : part.slice(0, eq)).replace(/\+/g, " ");
+    const v = eq === -1 ? "" : decodeURIComponent(part.slice(eq + 1)).replace(/\+/g, " ");
+    out[k] = v;
+  }
+  return out;
+}
+function send(res, status, body, headers = {}) {
+  const payload = typeof body === "string" ? body : JSON.stringify(body);
+  res.writeHead(status, {
+    "Content-Type": typeof body === "string" ? "text/plain; charset=utf-8" : "application/json; charset=utf-8",
+    "Content-Length": Buffer.byteLength(payload),
+    ...headers
+  });
+  res.end(payload);
+}
+async function createTestIssuer(options = {}) {
+  const host = options.host ?? "127.0.0.1";
+  const port = options.port ?? 0;
+  const tenantId = options.tenantId ?? "tenant-test";
+  const appId = options.appId ?? "app-test";
+  const kid = options.kid ?? `test-${(0, import_crypto2.randomBytes)(6).toString("hex")}`;
+  const defaultAudience = options.defaultAudience ?? ["dispositioniq"];
+  const { privateKey, publicKey } = (0, import_crypto2.generateKeyPairSync)("rsa", {
+    modulusLength: 2048,
+    publicKeyEncoding: { type: "spki", format: "pem" },
+    privateKeyEncoding: { type: "pkcs8", format: "pem" }
+  });
+  const publicKeyObj = (0, import_crypto2.createPublicKey)(publicKey);
+  const jwk = jwkFromPublicKey(publicKeyObj, kid);
+  const pendingCodes = /* @__PURE__ */ new Map();
+  let baseUrl = "";
+  const buildToken = (opts) => {
+    const payload = {
+      sub: opts.sub ?? "test-user",
+      email: opts.email ?? "test@example.com",
+      name: opts.name ?? "Test User",
+      tenantId: opts.tenantId ?? tenantId,
+      vendorId: opts.vendorId ?? null,
+      roles: opts.roles ?? [],
+      entitlements: opts.entitlements ?? [],
+      sessionId: opts.sessionId ?? `sess-${(0, import_crypto2.randomBytes)(4).toString("hex")}`,
+      jti: opts.jti ?? `jti-${(0, import_crypto2.randomBytes)(4).toString("hex")}`
+    };
+    if (opts.scopeContext !== void 0) payload.scopeContext = opts.scopeContext;
+    if (opts.loginMethod !== void 0) payload.loginMethod = opts.loginMethod;
+    for (const [k, v] of Object.entries(opts)) {
+      if (["sub", "email", "name", "tenantId", "vendorId", "roles", "entitlements", "sessionId", "jti", "scopeContext", "loginMethod", "audience", "issuer", "expiresInSeconds", "iat"].includes(k))
+        continue;
+      payload[k] = v;
+    }
+    const audience = opts.audience ?? defaultAudience;
+    const issuer = opts.issuer ?? baseUrl;
+    const expiresIn = opts.expiresInSeconds ?? 900;
+    const signOpts = {
+      algorithm: "RS256",
+      keyid: kid,
+      issuer,
+      audience
+    };
+    if (opts.iat !== void 0) {
+      payload.iat = opts.iat;
+      payload.exp = opts.iat + expiresIn;
+    } else {
+      signOpts.expiresIn = expiresIn;
+    }
+    return import_jsonwebtoken.default.sign(payload, privateKey, signOpts);
+  };
+  const handler = async (req, res) => {
+    try {
+      const url = new URL(req.url || "/", baseUrl || `http://${host}`);
+      const path = url.pathname;
+      if (req.method === "OPTIONS") {
+        res.writeHead(204, {
+          "Access-Control-Allow-Origin": "*",
+          "Access-Control-Allow-Methods": "GET,POST,OPTIONS",
+          "Access-Control-Allow-Headers": "Authorization,Content-Type"
+        });
+        return res.end();
+      }
+      const cors = { "Access-Control-Allow-Origin": "*" };
+      if (req.method === "GET" && path === "/.well-known/openid-configuration") {
+        return send(res, 200, {
+          issuer: baseUrl,
+          jwks_uri: `${baseUrl}/.well-known/jwks.json`,
+          authorization_endpoint: `${baseUrl}/oidc/authorize`,
+          token_endpoint: `${baseUrl}/oidc/token`,
+          userinfo_endpoint: `${baseUrl}/api/v1/auth/me`,
+          response_types_supported: ["code"],
+          grant_types_supported: ["authorization_code", "refresh_token"],
+          subject_types_supported: ["public"],
+          id_token_signing_alg_values_supported: ["RS256"],
+          code_challenge_methods_supported: ["S256"]
+        }, cors);
+      }
+      if (req.method === "GET" && path === "/.well-known/jwks.json") {
+        return send(res, 200, { keys: [jwk] }, { ...cors, "Cache-Control": "public, max-age=3600" });
+      }
+      if (req.method === "POST" && path === "/oidc/token") {
+        const raw = await readBody(req);
+        const params = parseFormOrJson(raw, req.headers["content-type"]);
+        const grant = params.grant_type;
+        if (grant === "authorization_code") {
+          const code = params.code;
+          const pending = code ? pendingCodes.get(code) : void 0;
+          if (!pending) {
+            return send(res, 400, { error: "invalid_grant", error_description: "Unknown or expired code" }, cors);
+          }
+          pendingCodes.delete(code);
+          const accessToken = buildToken(pending.claims);
+          return send(res, 200, {
+            access_token: accessToken,
+            refresh_token: pending.refreshToken,
+            id_token: accessToken,
+            token_type: "Bearer",
+            expires_in: pending.claims.expiresInSeconds ?? 900
+          }, cors);
+        }
+        if (grant === "refresh_token") {
+          const accessToken = buildToken({ sub: "test-user" });
+          return send(res, 200, {
+            access_token: accessToken,
+            refresh_token: params.refresh_token || `rt-${(0, import_crypto2.randomBytes)(8).toString("hex")}`,
+            token_type: "Bearer",
+            expires_in: 900
+          }, cors);
+        }
+        return send(res, 400, { error: "unsupported_grant_type" }, cors);
+      }
+      if (req.method === "GET" && path === "/api/v1/auth/me") {
+        const auth = req.headers.authorization || "";
+        if (!/^Bearer /i.test(auth)) {
+          return send(res, 401, { success: false, error: { code: "TOKEN_INVALID", message: "Missing bearer" } }, cors);
+        }
+        const token = auth.slice(7).trim();
+        try {
+          const decoded = import_jsonwebtoken.default.verify(token, publicKey, {
+            algorithms: ["RS256"],
+            issuer: baseUrl,
+            audience: defaultAudience
+          });
+          return send(res, 200, {
+            success: true,
+            data: {
+              id: decoded.sub,
+              email: decoded.email,
+              name: decoded.name,
+              tenantId: decoded.tenantId,
+              roles: decoded.roles,
+              entitlements: decoded.entitlements
+            }
+          }, cors);
+        } catch (err) {
+          const msg = err instanceof Error ? err.message : "verify failed";
+          return send(res, 401, { success: false, error: { code: "TOKEN_INVALID", message: msg } }, cors);
+        }
+      }
+      send(res, 404, { error: "not_found", path }, cors);
+    } catch (err) {
+      const msg = err instanceof Error ? err.message : "internal error";
+      send(res, 500, { error: "internal", message: msg });
+    }
+  };
+  const server = (0, import_http2.createServer)((req, res) => {
+    void handler(req, res);
+  });
+  await new Promise((resolve, reject) => {
+    server.once("error", reject);
+    server.listen(port, host, () => {
+      server.off("error", reject);
+      resolve();
+    });
+  });
+  const addr = server.address();
+  const boundPort = typeof addr === "object" && addr ? addr.port : port;
+  baseUrl = `http://${host}:${boundPort}`;
+  const publishableKey = encodePublishableKey("test", {
+    iss: baseUrl,
+    appId,
+    tenantId,
+    kid
+  });
+  return {
+    baseUrl,
+    publishableKey,
+    kid,
+    publicKey,
+    mintToken: (opts = {}) => buildToken(opts),
+    mintAuthCode: (opts = {}) => {
+      const code = `code-${(0, import_crypto2.randomBytes)(12).toString("hex")}`;
+      const refreshToken = opts.refreshToken ?? `rt-${(0, import_crypto2.randomBytes)(12).toString("hex")}`;
+      pendingCodes.set(code, { claims: opts, refreshToken });
+      return code;
+    },
+    close: () => new Promise((resolve, reject) => {
+      server.close((err) => err ? reject(err) : resolve());
+    })
+  };
+}
+
+// src/webhooks.ts
+var import_crypto3 = __toESM(require("crypto"));
+var WebhookSignatureError = class extends Error {
+  constructor(code, message) {
+    super(message);
+    this.name = "WebhookSignatureError";
+    this.code = code;
+  }
+};
+function toBuffer(p) {
+  if (typeof p === "string") return Buffer.from(p, "utf8");
+  if (Buffer.isBuffer(p)) return p;
+  return Buffer.from(p);
+}
+function parseHeader(header) {
+  let t = NaN;
+  const v1 = [];
+  for (const part of header.split(",")) {
+    const [k, v] = part.split("=", 2);
+    if (!k || v === void 0) continue;
+    const key = k.trim();
+    const value = v.trim();
+    if (key === "t") t = Number(value);
+    else if (key === "v1") v1.push(value);
+  }
+  return { t, v1 };
+}
+function timingSafeEqualHex(a, b) {
+  if (a.length !== b.length) return false;
+  try {
+    return import_crypto3.default.timingSafeEqual(Buffer.from(a, "hex"), Buffer.from(b, "hex"));
+  } catch {
+    return false;
+  }
+}
+function verifyWebhookSignature(opts) {
+  const headerRaw = Array.isArray(opts.header) ? opts.header[0] : opts.header;
+  if (!headerRaw || typeof headerRaw !== "string") {
+    throw new WebhookSignatureError("MISSING_HEADER", "Missing X-IQAuth-Signature header");
+  }
+  if (!opts.secret) {
+    throw new WebhookSignatureError("MISSING_SECRET", "secret is required");
+  }
+  const { t, v1 } = parseHeader(headerRaw);
+  if (!Number.isFinite(t) || v1.length === 0) {
+    throw new WebhookSignatureError("MALFORMED_HEADER", `Could not parse signature header: ${headerRaw}`);
+  }
+  const tolerance = opts.toleranceSeconds ?? 300;
+  const now = opts.nowSeconds ?? Math.floor(Date.now() / 1e3);
+  if (Math.abs(now - t) > tolerance) {
+    throw new WebhookSignatureError(
+      "TIMESTAMP_OUT_OF_TOLERANCE",
+      `Signature timestamp ${t} is outside the ${tolerance}s tolerance window (now=${now})`
+    );
+  }
+  const body = toBuffer(opts.payload);
+  const expected = import_crypto3.default.createHmac("sha256", opts.secret).update(`${t}.`).update(body).digest("hex");
+  const matched = v1.some((sig) => timingSafeEqualHex(sig, expected));
+  if (!matched) {
+    throw new WebhookSignatureError("SIGNATURE_MISMATCH", "Webhook signature does not match expected value");
+  }
+  let parsed;
+  try {
+    parsed = JSON.parse(body.toString("utf8"));
+  } catch {
+    throw new WebhookSignatureError("MALFORMED_BODY", "Webhook body is not valid JSON");
+  }
+  return parsed;
+}
+function isValidWebhookSignature(opts) {
+  try {
+    verifyWebhookSignature(opts);
+    return true;
+  } catch {
+    return false;
+  }
+}
+
+// src/server/provisioningBridge.ts
+function defaultIsUniqueViolation(err) {
+  if (!err || typeof err !== "object") return false;
+  const e = err;
+  if (e.code === "23505") return true;
+  if (typeof e.code === "string" && e.code.startsWith("SQLITE_CONSTRAINT")) return true;
+  if (typeof e.message === "string" && /unique constraint|duplicate key/i.test(e.message)) return true;
+  return false;
+}
+function createProvisioningBridge(options) {
+  const { storage } = options;
+  const isUniqueViolation = options.isUniqueViolation ?? defaultIsUniqueViolation;
+  const roleOf = (claims) => {
+    try {
+      return options.roleMapper?.(claims) ?? null;
+    } catch {
+      return null;
+    }
+  };
+  const ensureUser = async (claims) => {
+    if (!claims?.sub) {
+      throw new Error("createProvisioningBridge: claims.sub is required");
+    }
+    const byId = await storage.findByIqAuthUserId(claims.sub);
+    if (byId) return { user: byId, claims, created: false, adopted: false };
+    if (claims.email) {
+      const byEmail = await storage.findByEmail(claims.email);
+      if (byEmail) {
+        if (storage.adoptByEmail) {
+          const adopted = await storage.adoptByEmail(byEmail, claims, roleOf(claims));
+          return { user: adopted, claims, created: false, adopted: true };
+        }
+      }
+    }
+    try {
+      const created = await storage.insertFromClaims(claims, roleOf(claims));
+      return { user: created, claims, created: true, adopted: false };
+    } catch (err) {
+      if (!isUniqueViolation(err)) throw err;
+      const after = await storage.findByIqAuthUserId(claims.sub);
+      if (after) return { user: after, claims, created: false, adopted: false };
+      if (claims.email) {
+        const byEmail = await storage.findByEmail(claims.email);
+        if (byEmail) return { user: byEmail, claims, created: false, adopted: true };
+      }
+      throw err;
+    }
+  };
+  return { ensureUser };
+}
 // Annotate the CommonJS export names for ESM import in node:
 0 && (module.exports = {
   ApiKeysModule,
@@ -2118,11 +2629,17 @@ function iqAuthMiddleware(clientOrOptions, options = {}) {
   TokensModule,
   UsersModule,
   VendorsModule,
+  WebhookSignatureError,
   WebhooksModule,
   assertPublishableKey,
+  createProvisioningBridge,
+  createTestIssuer,
   encodePublishableKey,
   iqAuthMiddleware,
   isPublishableKey,
   isSecretKey,
-  parsePublishableKey
+  isValidWebhookSignature,
+  parsePublishableKey,
+  verifyWebhookSignature,
+  verifyWsUpgrade
 });