@iqauth/sdk 2.2.0 → 2.5.0

package/dist/browser.js

@@ -3,6 +3,9 @@ var __defProp = Object.defineProperty;
 var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
 var __getOwnPropNames = Object.getOwnPropertyNames;
 var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __esm = (fn, res) => function __init() {
+  return fn && (res = (0, fn[__getOwnPropNames(fn)[0]])(fn = 0)), res;
+};
 var __export = (target, all) => {
   for (var name in all)
     __defProp(target, name, { get: all[name], enumerable: true });
@@ -17,28 +20,426 @@ var __copyProps = (to, from, except, desc) => {
 };
 var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
 
+// ../../node_modules/@simplewebauthn/browser/dist/bundle/index.js
+var bundle_exports = {};
+__export(bundle_exports, {
+  WebAuthnAbortService: () => WebAuthnAbortService,
+  WebAuthnError: () => WebAuthnError,
+  base64URLStringToBuffer: () => base64URLStringToBuffer,
+  browserSupportsWebAuthn: () => browserSupportsWebAuthn,
+  browserSupportsWebAuthnAutofill: () => browserSupportsWebAuthnAutofill,
+  bufferToBase64URLString: () => bufferToBase64URLString,
+  platformAuthenticatorIsAvailable: () => platformAuthenticatorIsAvailable,
+  startAuthentication: () => startAuthentication,
+  startRegistration: () => startRegistration
+});
+function bufferToBase64URLString(buffer) {
+  const bytes = new Uint8Array(buffer);
+  let str = "";
+  for (const charCode of bytes) {
+    str += String.fromCharCode(charCode);
+  }
+  const base64String = btoa(str);
+  return base64String.replace(/\+/g, "-").replace(/\//g, "_").replace(/=/g, "");
+}
+function base64URLStringToBuffer(base64URLString) {
+  const base64 = base64URLString.replace(/-/g, "+").replace(/_/g, "/");
+  const padLength = (4 - base64.length % 4) % 4;
+  const padded = base64.padEnd(base64.length + padLength, "=");
+  const binary = atob(padded);
+  const buffer = new ArrayBuffer(binary.length);
+  const bytes = new Uint8Array(buffer);
+  for (let i = 0; i < binary.length; i++) {
+    bytes[i] = binary.charCodeAt(i);
+  }
+  return buffer;
+}
+function browserSupportsWebAuthn() {
+  return window?.PublicKeyCredential !== void 0 && typeof window.PublicKeyCredential === "function";
+}
+function toPublicKeyCredentialDescriptor(descriptor) {
+  const { id } = descriptor;
+  return {
+    ...descriptor,
+    id: base64URLStringToBuffer(id),
+    transports: descriptor.transports
+  };
+}
+function isValidDomain(hostname) {
+  return hostname === "localhost" || /^([a-z0-9]+(-[a-z0-9]+)*\.)+[a-z]{2,}$/i.test(hostname);
+}
+function identifyRegistrationError({ error, options }) {
+  const { publicKey } = options;
+  if (!publicKey) {
+    throw Error("options was missing required publicKey property");
+  }
+  if (error.name === "AbortError") {
+    if (options.signal instanceof AbortSignal) {
+      return new WebAuthnError({
+        message: "Registration ceremony was sent an abort signal",
+        code: "ERROR_CEREMONY_ABORTED",
+        cause: error
+      });
+    }
+  } else if (error.name === "ConstraintError") {
+    if (publicKey.authenticatorSelection?.requireResidentKey === true) {
+      return new WebAuthnError({
+        message: "Discoverable credentials were required but no available authenticator supported it",
+        code: "ERROR_AUTHENTICATOR_MISSING_DISCOVERABLE_CREDENTIAL_SUPPORT",
+        cause: error
+      });
+    } else if (options.mediation === "conditional" && publicKey.authenticatorSelection?.userVerification === "required") {
+      return new WebAuthnError({
+        message: "User verification was required during automatic registration but it could not be performed",
+        code: "ERROR_AUTO_REGISTER_USER_VERIFICATION_FAILURE",
+        cause: error
+      });
+    } else if (publicKey.authenticatorSelection?.userVerification === "required") {
+      return new WebAuthnError({
+        message: "User verification was required but no available authenticator supported it",
+        code: "ERROR_AUTHENTICATOR_MISSING_USER_VERIFICATION_SUPPORT",
+        cause: error
+      });
+    }
+  } else if (error.name === "InvalidStateError") {
+    return new WebAuthnError({
+      message: "The authenticator was previously registered",
+      code: "ERROR_AUTHENTICATOR_PREVIOUSLY_REGISTERED",
+      cause: error
+    });
+  } else if (error.name === "NotAllowedError") {
+    return new WebAuthnError({
+      message: error.message,
+      code: "ERROR_PASSTHROUGH_SEE_CAUSE_PROPERTY",
+      cause: error
+    });
+  } else if (error.name === "NotSupportedError") {
+    const validPubKeyCredParams = publicKey.pubKeyCredParams.filter((param) => param.type === "public-key");
+    if (validPubKeyCredParams.length === 0) {
+      return new WebAuthnError({
+        message: 'No entry in pubKeyCredParams was of type "public-key"',
+        code: "ERROR_MALFORMED_PUBKEYCREDPARAMS",
+        cause: error
+      });
+    }
+    return new WebAuthnError({
+      message: "No available authenticator supported any of the specified pubKeyCredParams algorithms",
+      code: "ERROR_AUTHENTICATOR_NO_SUPPORTED_PUBKEYCREDPARAMS_ALG",
+      cause: error
+    });
+  } else if (error.name === "SecurityError") {
+    const effectiveDomain = window.location.hostname;
+    if (!isValidDomain(effectiveDomain)) {
+      return new WebAuthnError({
+        message: `${window.location.hostname} is an invalid domain`,
+        code: "ERROR_INVALID_DOMAIN",
+        cause: error
+      });
+    } else if (publicKey.rp.id !== effectiveDomain) {
+      return new WebAuthnError({
+        message: `The RP ID "${publicKey.rp.id}" is invalid for this domain`,
+        code: "ERROR_INVALID_RP_ID",
+        cause: error
+      });
+    }
+  } else if (error.name === "TypeError") {
+    if (publicKey.user.id.byteLength < 1 || publicKey.user.id.byteLength > 64) {
+      return new WebAuthnError({
+        message: "User ID was not between 1 and 64 characters",
+        code: "ERROR_INVALID_USER_ID_LENGTH",
+        cause: error
+      });
+    }
+  } else if (error.name === "UnknownError") {
+    return new WebAuthnError({
+      message: "The authenticator was unable to process the specified options, or could not create a new credential",
+      code: "ERROR_AUTHENTICATOR_GENERAL_ERROR",
+      cause: error
+    });
+  }
+  return error;
+}
+function toAuthenticatorAttachment(attachment) {
+  if (!attachment) {
+    return;
+  }
+  if (attachments.indexOf(attachment) < 0) {
+    return;
+  }
+  return attachment;
+}
+async function startRegistration(options) {
+  const { optionsJSON, useAutoRegister = false } = options;
+  if (!browserSupportsWebAuthn()) {
+    throw new Error("WebAuthn is not supported in this browser");
+  }
+  const publicKey = {
+    ...optionsJSON,
+    challenge: base64URLStringToBuffer(optionsJSON.challenge),
+    user: {
+      ...optionsJSON.user,
+      id: base64URLStringToBuffer(optionsJSON.user.id)
+    },
+    excludeCredentials: optionsJSON.excludeCredentials?.map(toPublicKeyCredentialDescriptor)
+  };
+  const createOptions = {};
+  if (useAutoRegister) {
+    createOptions.mediation = "conditional";
+  }
+  createOptions.publicKey = publicKey;
+  createOptions.signal = WebAuthnAbortService.createNewAbortSignal();
+  let credential;
+  try {
+    credential = await navigator.credentials.create(createOptions);
+  } catch (err) {
+    throw identifyRegistrationError({ error: err, options: createOptions });
+  }
+  if (!credential) {
+    throw new Error("Registration was not completed");
+  }
+  const { id, rawId, response, type } = credential;
+  let transports = void 0;
+  if (typeof response.getTransports === "function") {
+    transports = response.getTransports();
+  }
+  let responsePublicKeyAlgorithm = void 0;
+  if (typeof response.getPublicKeyAlgorithm === "function") {
+    try {
+      responsePublicKeyAlgorithm = response.getPublicKeyAlgorithm();
+    } catch (error) {
+      warnOnBrokenImplementation("getPublicKeyAlgorithm()", error);
+    }
+  }
+  let responsePublicKey = void 0;
+  if (typeof response.getPublicKey === "function") {
+    try {
+      const _publicKey = response.getPublicKey();
+      if (_publicKey !== null) {
+        responsePublicKey = bufferToBase64URLString(_publicKey);
+      }
+    } catch (error) {
+      warnOnBrokenImplementation("getPublicKey()", error);
+    }
+  }
+  let responseAuthenticatorData;
+  if (typeof response.getAuthenticatorData === "function") {
+    try {
+      responseAuthenticatorData = bufferToBase64URLString(response.getAuthenticatorData());
+    } catch (error) {
+      warnOnBrokenImplementation("getAuthenticatorData()", error);
+    }
+  }
+  return {
+    id,
+    rawId: bufferToBase64URLString(rawId),
+    response: {
+      attestationObject: bufferToBase64URLString(response.attestationObject),
+      clientDataJSON: bufferToBase64URLString(response.clientDataJSON),
+      transports,
+      publicKeyAlgorithm: responsePublicKeyAlgorithm,
+      publicKey: responsePublicKey,
+      authenticatorData: responseAuthenticatorData
+    },
+    type,
+    clientExtensionResults: credential.getClientExtensionResults(),
+    authenticatorAttachment: toAuthenticatorAttachment(credential.authenticatorAttachment)
+  };
+}
+function warnOnBrokenImplementation(methodName, cause) {
+  console.warn(`The browser extension that intercepted this WebAuthn API call incorrectly implemented ${methodName}. You should report this error to them.
+`, cause);
+}
+function browserSupportsWebAuthnAutofill() {
+  if (!browserSupportsWebAuthn()) {
+    return new Promise((resolve) => resolve(false));
+  }
+  const globalPublicKeyCredential = window.PublicKeyCredential;
+  if (globalPublicKeyCredential.isConditionalMediationAvailable === void 0) {
+    return new Promise((resolve) => resolve(false));
+  }
+  return globalPublicKeyCredential.isConditionalMediationAvailable();
+}
+function identifyAuthenticationError({ error, options }) {
+  const { publicKey } = options;
+  if (!publicKey) {
+    throw Error("options was missing required publicKey property");
+  }
+  if (error.name === "AbortError") {
+    if (options.signal instanceof AbortSignal) {
+      return new WebAuthnError({
+        message: "Authentication ceremony was sent an abort signal",
+        code: "ERROR_CEREMONY_ABORTED",
+        cause: error
+      });
+    }
+  } else if (error.name === "NotAllowedError") {
+    return new WebAuthnError({
+      message: error.message,
+      code: "ERROR_PASSTHROUGH_SEE_CAUSE_PROPERTY",
+      cause: error
+    });
+  } else if (error.name === "SecurityError") {
+    const effectiveDomain = window.location.hostname;
+    if (!isValidDomain(effectiveDomain)) {
+      return new WebAuthnError({
+        message: `${window.location.hostname} is an invalid domain`,
+        code: "ERROR_INVALID_DOMAIN",
+        cause: error
+      });
+    } else if (publicKey.rpId !== effectiveDomain) {
+      return new WebAuthnError({
+        message: `The RP ID "${publicKey.rpId}" is invalid for this domain`,
+        code: "ERROR_INVALID_RP_ID",
+        cause: error
+      });
+    }
+  } else if (error.name === "UnknownError") {
+    return new WebAuthnError({
+      message: "The authenticator was unable to process the specified options, or could not create a new assertion signature",
+      code: "ERROR_AUTHENTICATOR_GENERAL_ERROR",
+      cause: error
+    });
+  }
+  return error;
+}
+async function startAuthentication(options) {
+  const { optionsJSON, useBrowserAutofill = false, verifyBrowserAutofillInput = true } = options;
+  if (!browserSupportsWebAuthn()) {
+    throw new Error("WebAuthn is not supported in this browser");
+  }
+  let allowCredentials;
+  if (optionsJSON.allowCredentials?.length !== 0) {
+    allowCredentials = optionsJSON.allowCredentials?.map(toPublicKeyCredentialDescriptor);
+  }
+  const publicKey = {
+    ...optionsJSON,
+    challenge: base64URLStringToBuffer(optionsJSON.challenge),
+    allowCredentials
+  };
+  const getOptions = {};
+  if (useBrowserAutofill) {
+    if (!await browserSupportsWebAuthnAutofill()) {
+      throw Error("Browser does not support WebAuthn autofill");
+    }
+    const eligibleInputs = document.querySelectorAll("input[autocomplete$='webauthn']");
+    if (eligibleInputs.length < 1 && verifyBrowserAutofillInput) {
+      throw Error('No <input> with "webauthn" as the only or last value in its `autocomplete` attribute was detected');
+    }
+    getOptions.mediation = "conditional";
+    publicKey.allowCredentials = [];
+  }
+  getOptions.publicKey = publicKey;
+  getOptions.signal = WebAuthnAbortService.createNewAbortSignal();
+  let credential;
+  try {
+    credential = await navigator.credentials.get(getOptions);
+  } catch (err) {
+    throw identifyAuthenticationError({ error: err, options: getOptions });
+  }
+  if (!credential) {
+    throw new Error("Authentication was not completed");
+  }
+  const { id, rawId, response, type } = credential;
+  let userHandle = void 0;
+  if (response.userHandle) {
+    userHandle = bufferToBase64URLString(response.userHandle);
+  }
+  return {
+    id,
+    rawId: bufferToBase64URLString(rawId),
+    response: {
+      authenticatorData: bufferToBase64URLString(response.authenticatorData),
+      clientDataJSON: bufferToBase64URLString(response.clientDataJSON),
+      signature: bufferToBase64URLString(response.signature),
+      userHandle
+    },
+    type,
+    clientExtensionResults: credential.getClientExtensionResults(),
+    authenticatorAttachment: toAuthenticatorAttachment(credential.authenticatorAttachment)
+  };
+}
+function platformAuthenticatorIsAvailable() {
+  if (!browserSupportsWebAuthn()) {
+    return new Promise((resolve) => resolve(false));
+  }
+  return PublicKeyCredential.isUserVerifyingPlatformAuthenticatorAvailable();
+}
+var WebAuthnError, BaseWebAuthnAbortService, WebAuthnAbortService, attachments;
+var init_bundle = __esm({
+  "../../node_modules/@simplewebauthn/browser/dist/bundle/index.js"() {
+    "use strict";
+    WebAuthnError = class extends Error {
+      constructor({ message, code, cause, name }) {
+        super(message, { cause });
+        this.name = name ?? cause.name;
+        this.code = code;
+      }
+    };
+    BaseWebAuthnAbortService = class {
+      createNewAbortSignal() {
+        if (this.controller) {
+          const abortError = new Error("Cancelling existing WebAuthn API call for new one");
+          abortError.name = "AbortError";
+          this.controller.abort(abortError);
+        }
+        const newController = new AbortController();
+        this.controller = newController;
+        return newController.signal;
+      }
+      cancelCeremony() {
+        if (this.controller) {
+          const abortError = new Error("Manually cancelling existing WebAuthn API call");
+          abortError.name = "AbortError";
+          this.controller.abort(abortError);
+          this.controller = void 0;
+        }
+      }
+    };
+    WebAuthnAbortService = new BaseWebAuthnAbortService();
+    attachments = ["cross-platform", "platform"];
+  }
+});
+
 // src/browser.ts
 var browser_exports = {};
 __export(browser_exports, {
+  AccountRegistry: () => AccountRegistry,
   ErrorCodes: () => ErrorCodes,
   IQAuthError: () => IQAuthError,
+  MultiAccountTokenStore: () => MultiAccountTokenStore,
+  PRIOR_SESSION_STORAGE_KEY: () => PRIOR_SESSION_STORAGE_KEY,
   REFRESH_COOKIE: () => REFRESH_COOKIE,
   SessionManager: () => SessionManager,
+  beginPasskeyAuthentication: () => beginPasskeyAuthentication,
+  beginPasskeyRegistration: () => beginPasskeyRegistration,
   buildSignInUrl: () => buildSignInUrl,
   clearCookie: () => clearCookie,
   createPkcePair: () => createPkcePair,
   encodePublishableKey: () => encodePublishableKey,
+  enrollPasskey: () => enrollPasskey,
+  enterImpersonation: () => enterImpersonation,
+  exitImpersonation: () => exitImpersonation,
+  finishPasskeyAuthentication: () => finishPasskeyAuthentication,
+  finishPasskeyRegistration: () => finishPasskeyRegistration,
   getCookie: () => getCookie,
   handleAuthCallback: () => handleAuthCallback,
   isPublishableKey: () => isPublishableKey,
   isSecretKey: () => isSecretKey,
+  linkProvider: () => linkProvider,
+  listLinkedIdentities: () => listLinkedIdentities,
   parsePublishableKey: () => parsePublishableKey,
   randomUrlSafe: () => randomUrlSafe,
   redirectToSignIn: () => redirectToSignIn,
+  requestMagicLink: () => requestMagicLink,
+  reverify: () => reverify,
   s256Challenge: () => s256Challenge,
   setCookie: () => setCookie,
   signIn: () => signIn,
-  signOut: () => signOut
+  signInWithPasskey: () => signInWithPasskey,
+  signOut: () => signOut,
+  unlinkProvider: () => unlinkProvider,
+  verifyMagicLink: () => verifyMagicLink,
+  withReverification: () => withReverification
 });
 module.exports = __toCommonJS(browser_exports);
 
@@ -177,7 +578,7 @@ function assertPublishableKey(raw, opts) {
   if (!isValidIssuerUrl(decoded.iss)) {
     throw new IQAuthError(
       "CONFIG_INVALID",
-      `${ctx}IQAuth publishable key encodes an invalid issuer (iss=${JSON.stringify(decoded.iss)}). Expected a fully-qualified URL like "https://auth.example.com" (scheme required). Regenerate the key from the IQAuth admin console, or set IQAUTH_ISSUER to the correct issuer URL as a temporary workaround.`
+      `${ctx}IQAuth publishable key encodes an invalid issuer (iss=${JSON.stringify(decoded.iss)}). Expected a fully-qualified URL like "https://auth.example.com" (scheme required). Regenerate the key from the IQAuth admin console \u2014 the new key will encode a valid issuer URL.`
     );
   }
   return { mode: shapeMatch[1], iss: decoded.iss, appId: decoded.appId, tenantId: decoded.tenantId, kid: decoded.kid, raw };
@@ -257,6 +658,20 @@ function clearPkce(state) {
 // src/browser/sessionManager.ts
 var DEFAULT_REFRESH_PATH = "/api/v1/auth/refresh";
 var DEFAULT_USERINFO_PATH = "/api/v1/auth/me";
+async function readAuthErrorCode(res) {
+  try {
+    const cloned = res.clone();
+    const data = await cloned.json().catch(() => null);
+    if (!data || typeof data !== "object") return null;
+    const err = data.error;
+    if (err && typeof err.code === "string") {
+      return { code: err.code, message: typeof err.message === "string" ? err.message : void 0 };
+    }
+    return null;
+  } catch {
+    return null;
+  }
+}
 function decodeClaims(token) {
   try {
     const parts = token.split(".");
@@ -290,11 +705,11 @@ var EMPTY = {
   error: null,
   version: 0
 };
-function defaultCookieStore() {
+function defaultCookieStore(name = REFRESH_COOKIE) {
   return {
-    read: () => getCookie(REFRESH_COOKIE),
-    write: (token) => setCookie(REFRESH_COOKIE, token, { maxAgeSeconds: 60 * 60 * 24 * 30 }),
-    clear: () => clearCookie(REFRESH_COOKIE)
+    read: () => getCookie(name),
+    write: (token) => setCookie(name, token, { maxAgeSeconds: 60 * 60 * 24 * 30 }),
+    clear: () => clearCookie(name)
   };
 }
 var NO_OP_STORE = {
@@ -323,7 +738,8 @@ var SessionManager = class {
     this.useCookies = options.useCookies ?? true;
     this.serverManagedSession = options.serverManagedSession ?? false;
     this.proactiveRefresh = this.serverManagedSession ? false : options.proactiveRefresh ?? true;
-    this.tokenStore = options.tokenStore ?? (this.serverManagedSession ? NO_OP_STORE : this.useCookies ? defaultCookieStore() : NO_OP_STORE);
+    this.refreshCookieName = options.cookieNames?.refresh ?? REFRESH_COOKIE;
+    this.tokenStore = options.tokenStore ?? (this.serverManagedSession ? NO_OP_STORE : this.useCookies ? defaultCookieStore(this.refreshCookieName) : NO_OP_STORE);
     this.crossTabLockTimeoutMs = options.crossTabLockTimeoutMs ?? 4e3;
     this.fetchImpl = options.fetchImpl ?? (typeof fetch !== "undefined" ? fetch.bind(globalThis) : (() => {
       throw new Error("global fetch is not available; pass fetchImpl");
@@ -351,6 +767,10 @@ var SessionManager = class {
   get issuerUrl() {
     return this.issuer;
   }
+  /** Cookie name the SDK uses for the refresh token (overridable via `cookieNames.refresh`). */
+  get refreshCookie() {
+    return this.refreshCookieName;
+  }
   getSnapshot() {
     return this.snapshot;
   }
@@ -457,7 +877,7 @@ var SessionManager = class {
         return false;
       }
       if (data.refreshToken) {
-        await Promise.resolve(this.tokenStore.write(data.refreshToken));
+        await Promise.resolve(this.tokenStore.write(data.refreshToken, { claims: decodeClaims(data.accessToken) }));
       }
       this.applyAccessToken(data.accessToken);
       this.broadcast("session:refresh");
@@ -501,7 +921,7 @@ var SessionManager = class {
     const claims = decodeClaims(accessToken);
     const user = claimsToSessionUser(claims);
     if (refreshToken) {
-      void Promise.resolve(this.tokenStore.write(refreshToken));
+      void Promise.resolve(this.tokenStore.write(refreshToken, { claims }));
     }
     this.update({
       status: user ? "authenticated" : "unauthenticated",
@@ -535,33 +955,39 @@ var SessionManager = class {
    */
   async fetch(input, init = {}) {
     const exec = async (token2) => {
-      const headers = new Headers(init.headers || {});
-      if (token2) headers.set("Authorization", `Bearer ${token2}`);
+      const headers2 = new Headers(init.headers || {});
+      if (token2) headers2.set("Authorization", `Bearer ${token2}`);
       return this.fetchImpl(input, {
         ...init,
-        headers,
+        headers: headers2,
         credentials: init.credentials ?? "include"
       });
     };
     let token = await this.getToken();
     let res = await exec(token);
     if (res.status !== 401) return res;
+    const initialErr = await readAuthErrorCode(res);
+    if (initialErr && (initialErr.code === "SESSION_EXPIRED_INACTIVITY" || initialErr.code === "SESSION_EXPIRED_MAX_DURATION" || initialErr.code === "SESSION_INVALID")) {
+      this.signOutLocal("unauthenticated");
+      throw new IQAuthError(initialErr.code, initialErr.message || "Session expired", 401);
+    }
     const refreshed = await this.refresh();
     if (!refreshed) {
       this.signOutLocal("unauthenticated");
       throw new IQAuthError(
-        "TOKEN_EXPIRED",
-        "Session refresh failed; user must sign in again",
+        initialErr?.code || "TOKEN_EXPIRED",
+        initialErr?.message || "Session refresh failed; user must sign in again",
         401
       );
     }
     token = this.snapshot.accessToken;
     res = await exec(token);
     if (res.status === 401) {
+      const secondErr = await readAuthErrorCode(res);
       this.signOutLocal("unauthenticated");
       throw new IQAuthError(
-        "TOKEN_EXPIRED",
-        "Authenticated request failed twice with 401; aborting",
+        secondErr?.code || "TOKEN_EXPIRED",
+        secondErr?.message || "Authenticated request failed twice with 401; aborting",
         401
       );
     }
@@ -589,6 +1015,14 @@ var SessionManager = class {
     });
     this.broadcast("session:signout");
   }
+  /**
+   * Replace the refresh-token store at runtime. Used by the F22
+   * `<MultisessionAppSupport>` wrapper to swap in a `MultiAccountTokenStore`
+   * after the manager has already been constructed by `<IQAuthProvider>`.
+   */
+  setTokenStore(store) {
+    this.tokenStore = store;
+  }
   destroy() {
     if (this.proactiveTimer) clearTimeout(this.proactiveTimer);
     this.proactiveTimer = null;
@@ -681,6 +1115,217 @@ var SessionManager = class {
   }
 };
 
+// src/browser/passwordless.ts
+function url(base, path) {
+  return `${base.replace(/\/+$/, "")}${path}`;
+}
+function headers(o) {
+  const h = { "Content-Type": "application/json" };
+  if (o.cookieSession !== false) h["x-iqauth-session"] = "cookie";
+  return h;
+}
+async function postJson(u, body, h) {
+  const r = await fetch(u, {
+    method: "POST",
+    credentials: "include",
+    headers: h,
+    body: JSON.stringify(body)
+  });
+  const p = await r.json().catch(() => ({}));
+  if (!r.ok) {
+    const msg = p?.error?.message || `Request failed (${r.status})`;
+    throw new Error(msg);
+  }
+  return p.data;
+}
+async function requestMagicLink(opts, input) {
+  await postJson(url(opts.iqAuthBaseUrl, "/api/v1/auth/magic-link/request"), input, headers(opts));
+  return { ok: true };
+}
+async function verifyMagicLink(opts, token) {
+  return postJson(url(opts.iqAuthBaseUrl, "/api/v1/auth/magic-link/verify"), { token }, headers(opts));
+}
+async function beginPasskeyAuthentication(opts, input = {}) {
+  return postJson(url(opts.iqAuthBaseUrl, "/api/v1/auth/passkeys/authentication/options"), input, headers(opts));
+}
+async function finishPasskeyAuthentication(opts, response) {
+  return postJson(url(opts.iqAuthBaseUrl, "/api/v1/auth/passkeys/authentication/verify"), { response }, headers(opts));
+}
+async function beginPasskeyRegistration(opts) {
+  return postJson(url(opts.iqAuthBaseUrl, "/api/v1/auth/passkeys/registration/options"), {}, headers(opts));
+}
+async function finishPasskeyRegistration(opts, response, name) {
+  return postJson(url(opts.iqAuthBaseUrl, "/api/v1/auth/passkeys/registration/verify"), { response, name }, headers(opts));
+}
+async function signInWithPasskey(opts, input = {}) {
+  const mod = await Promise.resolve().then(() => (init_bundle(), bundle_exports));
+  const options = await beginPasskeyAuthentication(opts, input);
+  const response = await mod.startAuthentication({ optionsJSON: options });
+  return finishPasskeyAuthentication(opts, response);
+}
+async function enrollPasskey(opts, name) {
+  const mod = await Promise.resolve().then(() => (init_bundle(), bundle_exports));
+  const options = await beginPasskeyRegistration(opts);
+  const response = await mod.startRegistration({ optionsJSON: options });
+  return finishPasskeyRegistration(opts, response, name);
+}
+async function listLinkedIdentities(opts) {
+  const r = await fetch(url(opts.iqAuthBaseUrl, "/api/v1/auth/identities"), { credentials: "include" });
+  const p = await r.json().catch(() => ({}));
+  if (!r.ok) throw new Error(p?.error?.message || `Request failed (${r.status})`);
+  return p?.data?.identities ?? [];
+}
+async function linkProvider(opts, input) {
+  await postJson(url(opts.iqAuthBaseUrl, "/api/v1/auth/identities/link"), input, headers(opts));
+  return { ok: true };
+}
+async function unlinkProvider(opts, input) {
+  await postJson(url(opts.iqAuthBaseUrl, "/api/v1/auth/identities/unlink"), input, headers(opts));
+  return { ok: true };
+}
+
+// src/browser/accountRegistry.ts
+var STORAGE_PREFIX = "iqauth.accounts.";
+var COOKIE_PREFIX = "iqauth_rt_";
+var COOKIE_MAX_AGE = 60 * 60 * 24 * 30;
+function isBrowser2() {
+  return typeof window !== "undefined" && typeof localStorage !== "undefined";
+}
+function storageKey(appId) {
+  return STORAGE_PREFIX + appId;
+}
+function readState(appId) {
+  if (!isBrowser2()) return { accounts: [], activeAccountId: null };
+  try {
+    const raw = localStorage.getItem(storageKey(appId));
+    if (!raw) return { accounts: [], activeAccountId: null };
+    const parsed = JSON.parse(raw);
+    return {
+      accounts: Array.isArray(parsed.accounts) ? parsed.accounts : [],
+      activeAccountId: parsed.activeAccountId ?? null
+    };
+  } catch {
+    return { accounts: [], activeAccountId: null };
+  }
+}
+function writeState(appId, state) {
+  if (!isBrowser2()) return;
+  try {
+    localStorage.setItem(storageKey(appId), JSON.stringify(state));
+  } catch {
+  }
+}
+var AccountRegistry = class {
+  constructor(appId) {
+    this.appId = appId;
+    this.listeners = /* @__PURE__ */ new Set();
+    this.storageHandler = null;
+    if (isBrowser2()) {
+      this.storageHandler = (ev) => {
+        if (ev.key === storageKey(this.appId)) {
+          for (const l of this.listeners) l();
+        }
+      };
+      window.addEventListener("storage", this.storageHandler);
+    }
+  }
+  destroy() {
+    if (this.storageHandler && isBrowser2()) {
+      window.removeEventListener("storage", this.storageHandler);
+    }
+    this.listeners.clear();
+  }
+  list() {
+    return readState(this.appId).accounts.slice();
+  }
+  active() {
+    return readState(this.appId).activeAccountId;
+  }
+  get(accountId) {
+    return readState(this.appId).accounts.find((a) => a.accountId === accountId) ?? null;
+  }
+  upsert(rec) {
+    const state = readState(this.appId);
+    const idx = state.accounts.findIndex((a) => a.accountId === rec.accountId);
+    if (idx >= 0) state.accounts[idx] = { ...state.accounts[idx], ...rec };
+    else state.accounts.push(rec);
+    writeState(this.appId, state);
+    this.notify();
+  }
+  setActive(accountId) {
+    const state = readState(this.appId);
+    state.activeAccountId = accountId;
+    writeState(this.appId, state);
+    this.notify();
+  }
+  remove(accountId) {
+    const state = readState(this.appId);
+    state.accounts = state.accounts.filter((a) => a.accountId !== accountId);
+    if (state.activeAccountId === accountId) state.activeAccountId = state.accounts[0]?.accountId ?? null;
+    writeState(this.appId, state);
+    clearCookie(COOKIE_PREFIX + accountId);
+    this.notify();
+  }
+  subscribe(listener) {
+    this.listeners.add(listener);
+    return () => this.listeners.delete(listener);
+  }
+  /**
+   * Read the refresh token for a specific account from its per-account
+   * cookie. Used by `MultiAccountTokenStore.read()`.
+   */
+  readRefreshToken(accountId) {
+    return getCookie(COOKIE_PREFIX + accountId);
+  }
+  /**
+   * Persist a refresh token to the per-account cookie. Caller is the
+   * SessionManager via `MultiAccountTokenStore.write()`.
+   */
+  writeRefreshToken(accountId, token, opts = {}) {
+    setCookie(COOKIE_PREFIX + accountId, token, { maxAgeSeconds: COOKIE_MAX_AGE, ...opts });
+  }
+  clearRefreshToken(accountId) {
+    clearCookie(COOKIE_PREFIX + accountId);
+  }
+  notify() {
+    for (const l of this.listeners) l();
+  }
+};
+var MultiAccountTokenStore = class {
+  constructor(registry, fallback) {
+    this.registry = registry;
+    this.fallback = fallback;
+  }
+  read() {
+    const id = this.registry.active();
+    if (id) return this.registry.readRefreshToken(id);
+    return this.fallback.read();
+  }
+  write(token, ctx) {
+    let id = this.registry.active();
+    if (!id) {
+      const sub = ctx?.claims?.sub;
+      if (sub) {
+        id = sub;
+        this.registry.setActive(sub);
+      }
+    }
+    if (id) {
+      this.registry.writeRefreshToken(id, token);
+      return;
+    }
+    return this.fallback.write(token);
+  }
+  clear() {
+    const id = this.registry.active();
+    if (id) {
+      this.registry.clearRefreshToken(id);
+      return;
+    }
+    return this.fallback.clear();
+  }
+};
+
 // src/browser/pkce.ts
 function getCrypto() {
   if (typeof globalThis !== "undefined" && globalThis.crypto) {
@@ -715,6 +1360,7 @@ async function createPkcePair() {
 // src/browser/signIn.ts
 var DEFAULT_SIGN_IN_PATH = "/sign-in";
 var DEFAULT_LOGOUT_PATH = "/api/v1/auth/logout";
+var DEFAULT_SSO_LOGOUT_PATH = "/oidc/sso-logout";
 var DEFAULT_TOKEN_PATH = "/oidc/token";
 var DEFAULT_CALLBACK_PATH = "/auth/callback";
 function defaultRedirectUri() {
@@ -740,34 +1386,35 @@ async function buildSignInUrl(manager, opts = {}) {
     returnTo,
     createdAt: Date.now()
   });
-  const url = new URL(opts.signInPath ?? DEFAULT_SIGN_IN_PATH, manager.issuerUrl);
-  url.searchParams.set("response_type", "code");
-  url.searchParams.set("app", manager.appKey);
-  url.searchParams.set("publishable_key", manager.publishableKey.raw);
-  url.searchParams.set("redirect_uri", redirectUri);
-  url.searchParams.set("state", pkce.state);
-  url.searchParams.set("nonce", pkce.nonce);
-  url.searchParams.set("code_challenge", pkce.codeChallenge);
-  url.searchParams.set("code_challenge_method", "S256");
-  url.searchParams.set("scope", opts.scope ?? "openid profile email");
-  url.searchParams.set("return_to", returnTo);
-  return url.toString();
+  const url2 = new URL(opts.signInPath ?? DEFAULT_SIGN_IN_PATH, manager.issuerUrl);
+  url2.searchParams.set("response_type", "code");
+  url2.searchParams.set("app", manager.appKey);
+  url2.searchParams.set("publishable_key", manager.publishableKey.raw);
+  url2.searchParams.set("redirect_uri", redirectUri);
+  url2.searchParams.set("state", pkce.state);
+  url2.searchParams.set("nonce", pkce.nonce);
+  url2.searchParams.set("code_challenge", pkce.codeChallenge);
+  url2.searchParams.set("code_challenge_method", "S256");
+  url2.searchParams.set("scope", opts.scope ?? "openid profile email");
+  url2.searchParams.set("return_to", returnTo);
+  if (opts.prompt) url2.searchParams.set("prompt", opts.prompt);
+  return url2.toString();
 }
 async function redirectToSignIn(manager, opts = {}) {
-  const url = await buildSignInUrl(manager, opts);
+  const url2 = await buildSignInUrl(manager, opts);
   if (typeof window === "undefined") {
     throw new Error("redirectToSignIn requires a browser environment");
   }
-  window.location.assign(url);
+  window.location.assign(url2);
 }
 async function signIn(manager, opts = {}) {
   return redirectToSignIn(manager, opts);
 }
 async function handleAuthCallback(manager, options = {}) {
-  const url = new URL(options.url ?? (typeof window !== "undefined" ? window.location.href : ""));
-  const code = url.searchParams.get("code");
-  const state = url.searchParams.get("state");
-  const errorParam = url.searchParams.get("error");
+  const url2 = new URL(options.url ?? (typeof window !== "undefined" ? window.location.href : ""));
+  const code = url2.searchParams.get("code");
+  const state = url2.searchParams.get("state");
+  const errorParam = url2.searchParams.get("error");
   if (errorParam) {
     return { ok: false, returnTo: "/", error: errorParam };
   }
@@ -806,44 +1453,152 @@ async function handleAuthCallback(manager, options = {}) {
     return { ok: false, returnTo: record.returnTo, error: "missing_access_token" };
   }
   if (tokens.refresh_token) {
-    setCookie(REFRESH_COOKIE, tokens.refresh_token, { maxAgeSeconds: 60 * 60 * 24 * 30 });
+    const cookieName = options.cookieNames?.refresh ?? manager.refreshCookie ?? REFRESH_COOKIE;
+    setCookie(cookieName, tokens.refresh_token, { maxAgeSeconds: 60 * 60 * 24 * 30 });
   }
   manager.applyAccessToken(tokens.access_token, tokens.refresh_token);
   return { ok: true, returnTo: record.returnTo };
 }
 async function signOut(manager, opts = {}) {
   if (!opts.localOnly) {
+    const issuer = manager.issuerUrl.replace(/\/$/, "");
     try {
-      const url = `${manager.issuerUrl}${opts.logoutPath ?? DEFAULT_LOGOUT_PATH}`;
-      await manager.fetch(url, { method: "POST" }).catch(() => void 0);
+      const url2 = `${issuer}${opts.logoutPath ?? DEFAULT_LOGOUT_PATH}`;
+      await manager.fetch(url2, { method: "POST" }).catch(() => void 0);
     } catch {
     }
+    if (opts.endSsoSession !== false) {
+      try {
+        await fetch(`${issuer}${DEFAULT_SSO_LOGOUT_PATH}`, {
+          method: "POST",
+          credentials: "include"
+        }).catch(() => void 0);
+      } catch {
+      }
+    }
   }
-  clearCookie(REFRESH_COOKIE);
+  clearCookie(manager.refreshCookie ?? REFRESH_COOKIE);
   manager.signOutLocal();
   if (opts.returnTo && typeof window !== "undefined") {
     window.location.assign(opts.returnTo);
   }
 }
+
+// src/browser/reverify.ts
+var PRIOR_SESSION_STORAGE_KEY = "iqauth_prior_admin_session";
+function enterImpersonation(manager, actorAccessToken) {
+  if (typeof window === "undefined") return;
+  const current = manager.getSnapshot().accessToken;
+  if (current) {
+    const envelope = { accessToken: current, savedAt: Date.now() };
+    try {
+      window.sessionStorage.setItem(PRIOR_SESSION_STORAGE_KEY, JSON.stringify(envelope));
+    } catch {
+    }
+  }
+  manager.applyAccessToken(actorAccessToken);
+}
+function exitImpersonation(manager) {
+  if (typeof window === "undefined") return false;
+  let raw = null;
+  try {
+    raw = window.sessionStorage.getItem(PRIOR_SESSION_STORAGE_KEY);
+  } catch {
+    return false;
+  }
+  if (!raw) return false;
+  try {
+    const envelope = JSON.parse(raw);
+    if (!envelope?.accessToken) return false;
+    manager.applyAccessToken(envelope.accessToken);
+    return true;
+  } catch {
+    return false;
+  } finally {
+    try {
+      window.sessionStorage.removeItem(PRIOR_SESSION_STORAGE_KEY);
+    } catch {
+    }
+  }
+}
+var DEFAULT_REVERIFY_PATH = "/api/v1/auth/reverify";
+async function reverify(manager, input, options = {}) {
+  if (input.level === "password" && !input.password) {
+    throw new IQAuthError("MISSING_PASSWORD", "password is required for level=password");
+  }
+  if (input.level === "mfa" && !input.totp) {
+    throw new IQAuthError("MISSING_CODE", "totp code is required for level=mfa");
+  }
+  const issuer = manager.issuerUrl.replace(/\/$/, "");
+  const url2 = `${issuer}${options.path ?? DEFAULT_REVERIFY_PATH}`;
+  const res = await manager.fetch(url2, {
+    method: "POST",
+    headers: { "Content-Type": "application/json" },
+    body: JSON.stringify(input)
+  });
+  let payload = null;
+  try {
+    payload = await res.json();
+  } catch {
+  }
+  if (!res.ok || !payload?.success) {
+    const code = payload?.error?.code ?? "REVERIFICATION_FAILED";
+    const message = payload?.error?.message ?? `reverification failed (${res.status})`;
+    throw new IQAuthError(code, message);
+  }
+  return {
+    token: payload.data.reverificationToken,
+    level: payload.data.level,
+    expiresAt: new Date(payload.data.expiresAt)
+  };
+}
+function withReverification(manager, token) {
+  let used = false;
+  return async (input, init = {}) => {
+    if (used) throw new IQAuthError("REVERIFICATION_USED", "Reverification token already consumed");
+    used = true;
+    const headers2 = new Headers(init.headers);
+    headers2.set("X-Reverification-Token", token);
+    return manager.fetch(input, { ...init, headers: headers2 });
+  };
+}
 // Annotate the CommonJS export names for ESM import in node:
 0 && (module.exports = {
+  AccountRegistry,
   ErrorCodes,
   IQAuthError,
+  MultiAccountTokenStore,
+  PRIOR_SESSION_STORAGE_KEY,
   REFRESH_COOKIE,
   SessionManager,
+  beginPasskeyAuthentication,
+  beginPasskeyRegistration,
   buildSignInUrl,
   clearCookie,
   createPkcePair,
   encodePublishableKey,
+  enrollPasskey,
+  enterImpersonation,
+  exitImpersonation,
+  finishPasskeyAuthentication,
+  finishPasskeyRegistration,
   getCookie,
   handleAuthCallback,
   isPublishableKey,
   isSecretKey,
+  linkProvider,
+  listLinkedIdentities,
   parsePublishableKey,
   randomUrlSafe,
   redirectToSignIn,
+  requestMagicLink,
+  reverify,
   s256Challenge,
   setCookie,
   signIn,
-  signOut
+  signInWithPasskey,
+  signOut,
+  unlinkProvider,
+  verifyMagicLink,
+  withReverification
 });