@iqauth/sdk 2.2.0 → 2.5.0

package/dist/reverify-4UEJXUS6.mjs

@@ -0,0 +1,16 @@
+import {
+  PRIOR_SESSION_STORAGE_KEY,
+  enterImpersonation,
+  exitImpersonation,
+  reverify,
+  withReverification
+} from "./chunk-LIZYFXH7.mjs";
+import "./chunk-6I6RM4MN.mjs";
+import "./chunk-Y6FXYEAI.mjs";
+export {
+  PRIOR_SESSION_STORAGE_KEY,
+  enterImpersonation,
+  exitImpersonation,
+  reverify,
+  withReverification
+};

package/dist/server/handlers.d.mts

@@ -47,6 +47,11 @@ interface IQAuthHelperConfig {
     accessCookieName?: string;
     /** Override the refresh token cookie name. Defaults to `iqauth_rt`. */
     refreshCookieName?: string;
+    /** F14 — Umbrella shorthand for `accessCookieName` / `refreshCookieName`. */
+    cookieNames?: {
+        access?: string;
+        refresh?: string;
+    };
     /** Cookie domain (e.g. `.example.com`). Defaults to host-only. */
     cookieDomain?: string;
     /** Cookie sameSite policy. Defaults to `lax`. */
@@ -82,7 +87,11 @@ interface IQAuthHelperConfig {
      */
     clearCookiesOnRefreshFailure?: "terminal-only" | "always" | "never";
 }
-interface ResolvedConfig extends Required<Omit<IQAuthHelperConfig, "secretKey" | "cookieDomain" | "issuer" | "fetchImpl" | "clearCookiesOnRefreshFailure">> {
+interface ResolvedConfig extends Required<Omit<IQAuthHelperConfig, "secretKey" | "cookieDomain" | "issuer" | "fetchImpl" | "clearCookiesOnRefreshFailure" | "cookieNames">> {
+    cookieNames?: {
+        access?: string;
+        refresh?: string;
+    };
     secretKey?: string;
     cookieDomain?: string;
     issuer: string;
@@ -118,6 +127,8 @@ declare function handleRefresh(config: IQAuthHelperConfig, input: {
 /** POST /api/iqauth/signout — clear cookies and best-effort revoke at issuer. */
 declare function handleSignout(config: IQAuthHelperConfig, input: {
     accessToken?: string;
+    ssoCookieHeader?: string;
+    endSsoSession?: boolean;
 }): Promise<HandlerResponse>;
 
 export { type HandlerResponse, type IQAuthHelperConfig, type ResolvedConfig as ResolvedIQAuthHelperConfig, type SetCookieDirective, handleCallback, handleRefresh, handleSignout, serializeCookie };

package/dist/server/handlers.d.ts

@@ -47,6 +47,11 @@ interface IQAuthHelperConfig {
     accessCookieName?: string;
     /** Override the refresh token cookie name. Defaults to `iqauth_rt`. */
     refreshCookieName?: string;
+    /** F14 — Umbrella shorthand for `accessCookieName` / `refreshCookieName`. */
+    cookieNames?: {
+        access?: string;
+        refresh?: string;
+    };
     /** Cookie domain (e.g. `.example.com`). Defaults to host-only. */
     cookieDomain?: string;
     /** Cookie sameSite policy. Defaults to `lax`. */
@@ -82,7 +87,11 @@ interface IQAuthHelperConfig {
      */
     clearCookiesOnRefreshFailure?: "terminal-only" | "always" | "never";
 }
-interface ResolvedConfig extends Required<Omit<IQAuthHelperConfig, "secretKey" | "cookieDomain" | "issuer" | "fetchImpl" | "clearCookiesOnRefreshFailure">> {
+interface ResolvedConfig extends Required<Omit<IQAuthHelperConfig, "secretKey" | "cookieDomain" | "issuer" | "fetchImpl" | "clearCookiesOnRefreshFailure" | "cookieNames">> {
+    cookieNames?: {
+        access?: string;
+        refresh?: string;
+    };
     secretKey?: string;
     cookieDomain?: string;
     issuer: string;
@@ -118,6 +127,8 @@ declare function handleRefresh(config: IQAuthHelperConfig, input: {
 /** POST /api/iqauth/signout — clear cookies and best-effort revoke at issuer. */
 declare function handleSignout(config: IQAuthHelperConfig, input: {
     accessToken?: string;
+    ssoCookieHeader?: string;
+    endSsoSession?: boolean;
 }): Promise<HandlerResponse>;
 
 export { type HandlerResponse, type IQAuthHelperConfig, type ResolvedConfig as ResolvedIQAuthHelperConfig, type SetCookieDirective, handleCallback, handleRefresh, handleSignout, serializeCookie };

package/dist/server/handlers.js

@@ -96,7 +96,7 @@ function assertPublishableKey(raw, opts) {
   if (!isValidIssuerUrl(decoded.iss)) {
     throw new IQAuthError(
       "CONFIG_INVALID",
-      `${ctx}IQAuth publishable key encodes an invalid issuer (iss=${JSON.stringify(decoded.iss)}). Expected a fully-qualified URL like "https://auth.example.com" (scheme required). Regenerate the key from the IQAuth admin console, or set IQAUTH_ISSUER to the correct issuer URL as a temporary workaround.`
+      `${ctx}IQAuth publishable key encodes an invalid issuer (iss=${JSON.stringify(decoded.iss)}). Expected a fully-qualified URL like "https://auth.example.com" (scheme required). Regenerate the key from the IQAuth admin console \u2014 the new key will encode a valid issuer URL.`
     );
   }
   return { mode: shapeMatch[1], iss: decoded.iss, appId: decoded.appId, tenantId: decoded.tenantId, kid: decoded.kid, raw };
@@ -133,8 +133,8 @@ function resolve(config) {
     publishableKey: config.publishableKey,
     secretKey: config.secretKey,
     issuer: (config.issuer ?? inferredIssuer).replace(/\/+$/, ""),
-    accessCookieName: config.accessCookieName ?? "iqauth_at",
-    refreshCookieName: config.refreshCookieName ?? "iqauth_rt",
+    accessCookieName: config.accessCookieName ?? config.cookieNames?.access ?? "iqauth_at",
+    refreshCookieName: config.refreshCookieName ?? config.cookieNames?.refresh ?? "iqauth_rt",
     cookieDomain: config.cookieDomain,
     sameSite: config.sameSite ?? "lax",
     secure: config.secure ?? true,
@@ -298,6 +298,15 @@ async function handleSignout(config, input) {
     } catch {
     }
   }
+  if (input.endSsoSession !== false && input.ssoCookieHeader) {
+    try {
+      await cfg.fetchImpl(`${cfg.issuer}/oidc/sso-logout`, {
+        method: "POST",
+        headers: { Cookie: input.ssoCookieHeader }
+      });
+    } catch {
+    }
+  }
   return {
     status: 200,
     body: { success: true, data: { signedOut: true } },

package/dist/server/handlers.mjs

@@ -3,8 +3,8 @@ import {
   handleRefresh,
   handleSignout,
   serializeCookie
-} from "../chunk-M4J6BPK7.mjs";
-import "../chunk-QEJB7WEQ.mjs";
+} from "../chunk-6TDJJER7.mjs";
+import "../chunk-WQWBJSSS.mjs";
 import "../chunk-6I6RM4MN.mjs";
 import "../chunk-Y6FXYEAI.mjs";
 export {

package/dist/server.d.mts

@@ -1,9 +1,10 @@
-import { b as IQAuthTokenClientConfig, N as ExpressMiddlewareOptions, Q as IQAuthRequestLike, R as IQAuthResponseLike, V as IQAuthNextFunction } from './types-Cxl3bQHt.mjs';
-import { I as IQAuthClient } from './client-Dv4v92Mj.mjs';
+import { b as IQAuthTokenClientConfig, N as ExpressMiddlewareOptions, Q as IQAuthRequestLike, R as IQAuthResponseLike, V as IQAuthNextFunction } from './types-DZAflmmq.mjs';
+import { I as IQAuthClient } from './client-kYlJFgPv.mjs';
 export { E as ErrorCodes, I as IQAuthError } from './errors-CDdl24MP.mjs';
-export { C as CookieAwareMiddlewareOptions, D as DEFAULT_ACCESS_COOKIE, a as DEFAULT_REFRESH_COOKIE, i as iqAuthMiddleware } from './express-BZmF1llh.mjs';
+export { C as CookieAwareMiddlewareOptions, D as DEFAULT_ACCESS_COOKIE, a as DEFAULT_REFRESH_COOKIE, i as iqAuthMiddleware } from './express-B6_1vBYZ.mjs';
 export { HandlerResponse, IQAuthHelperConfig, SetCookieDirective, handleCallback, handleRefresh, handleSignout, serializeCookie } from './server/handlers.mjs';
-import 'jsonwebtoken';
+export { P as ProvisioningBridge, a as ProvisioningBridgeOptions, d as ProvisioningContext, b as ProvisioningStorage, c as createProvisioningBridge } from './provisioningBridge-88xjOS2n.mjs';
+import './tokens-DCyzzn8L.mjs';
 
 declare class ServerIQAuthClient extends IQAuthClient {
     constructor(config: IQAuthTokenClientConfig);

package/dist/server.d.ts

@@ -1,9 +1,10 @@
-import { b as IQAuthTokenClientConfig, N as ExpressMiddlewareOptions, Q as IQAuthRequestLike, R as IQAuthResponseLike, V as IQAuthNextFunction } from './types-Cxl3bQHt.js';
-import { I as IQAuthClient } from './client-DXbHb2ul.js';
+import { b as IQAuthTokenClientConfig, N as ExpressMiddlewareOptions, Q as IQAuthRequestLike, R as IQAuthResponseLike, V as IQAuthNextFunction } from './types-DZAflmmq.js';
+import { I as IQAuthClient } from './client-BNQe3AgF.js';
 export { E as ErrorCodes, I as IQAuthError } from './errors-CDdl24MP.js';
-export { C as CookieAwareMiddlewareOptions, D as DEFAULT_ACCESS_COOKIE, a as DEFAULT_REFRESH_COOKIE, i as iqAuthMiddleware } from './express-B4o3P8vK.js';
+export { C as CookieAwareMiddlewareOptions, D as DEFAULT_ACCESS_COOKIE, a as DEFAULT_REFRESH_COOKIE, i as iqAuthMiddleware } from './express-CHpfa7D_.js';
 export { HandlerResponse, IQAuthHelperConfig, SetCookieDirective, handleCallback, handleRefresh, handleSignout, serializeCookie } from './server/handlers.js';
-import 'jsonwebtoken';
+export { P as ProvisioningBridge, a as ProvisioningBridgeOptions, d as ProvisioningContext, b as ProvisioningStorage, c as createProvisioningBridge } from './provisioningBridge-DnTfzdZK.js';
+import './tokens-aHiGFr_E.js';
 
 declare class ServerIQAuthClient extends IQAuthClient {
     constructor(config: IQAuthTokenClientConfig);

package/dist/server.js

@@ -36,6 +36,7 @@ __export(server_exports, {
   IQAuthClient: () => IQAuthClient,
   IQAuthError: () => IQAuthError,
   ServerIQAuthClient: () => ServerIQAuthClient,
+  createProvisioningBridge: () => createProvisioningBridge,
   createServerClient: () => createServerClient,
   handleCallback: () => handleCallback,
   handleRefresh: () => handleRefresh,
@@ -453,8 +454,7 @@ function parseMfaResponse(data, browserSessionMode) {
 }
 
 // src/modules/tokens.ts
-var import_crypto = __toESM(require("crypto"));
-var import_jsonwebtoken = __toESM(require("jsonwebtoken"));
+var import_jose = require("jose");
 var JWKS_CACHE_TTL_MS = 60 * 60 * 1e3;
 var DEFAULT_TOKEN_ISSUER = [
   "https://auth.dispositioniq.com",
@@ -467,6 +467,24 @@ var DEFAULT_TOKEN_AUDIENCE = [
   "iqvalidate"
 ];
 var DEFAULT_CLOCK_TOLERANCE_SECONDS = 30;
+function decodeProtectedHeader(token) {
+  const parts = token.split(".");
+  if (parts.length < 2) return null;
+  try {
+    const padded = parts[0] + "=".repeat((4 - parts[0].length % 4) % 4);
+    const b64 = padded.replace(/-/g, "+").replace(/_/g, "/");
+    let json;
+    if (typeof atob === "function") {
+      json = atob(b64);
+    } else {
+      const { Buffer: Buffer2 } = require("buffer");
+      json = Buffer2.from(b64, "base64").toString("utf8");
+    }
+    return JSON.parse(json);
+  } catch {
+    return null;
+  }
+}
 var TokensModule = class {
   constructor(baseUrl, options = {}) {
     this.jwksCache = null;
@@ -477,49 +495,49 @@ var TokensModule = class {
     this.defaultClockTolerance = options.clockTolerance ?? DEFAULT_CLOCK_TOLERANCE_SECONDS;
   }
   /**
-   * Verify a JWT access token using RS256 via JWKS from /.well-known/jwks.json.
-   * Caches JWKS keys for 1 hour. Retries once on unknown `kid`.
-   *
-   * @remarks Validates against /.well-known/jwks.json. Issuer, audience, and
-   * clock tolerance default to client config but can be overridden per call.
+   * Verify a JWT access token using RS256/ES256 via JWKS from
+   * `/.well-known/jwks.json`. Backed by `jose` (Web Crypto) so it runs on
+   * Node, browser, and edge runtimes alike — no `node:crypto` dependency.
+   * Caches JWKS for 1 hour and refetches once on unknown `kid`.
    */
   async verify(token, options = {}) {
-    const decoded = import_jsonwebtoken.default.decode(token, { complete: true });
-    if (!decoded || typeof decoded === "string") {
+    const header = decodeProtectedHeader(token);
+    if (!header) {
       throw new IQAuthError("TOKEN_INVALID", "Unable to decode token");
     }
-    const kid = decoded.header.kid;
+    const kid = header.kid;
     if (!kid) {
       throw new IQAuthError("TOKEN_INVALID", "Token missing kid header");
     }
-    let publicKey = await this.getPublicKey(kid);
-    if (!publicKey) {
-      await this.refreshJwks();
-      publicKey = await this.getPublicKey(kid);
+    let cache = await this.ensureCache();
+    if (!cache.byKid.has(kid)) {
+      this.jwksCache = null;
+      cache = await this.ensureCache();
     }
-    if (!publicKey) {
+    if (!cache.byKid.has(kid)) {
       throw new IQAuthError("TOKEN_INVALID", `Unknown key ID: ${kid}`);
     }
     const issuer = options.issuer ?? this.defaultIssuer;
     const audience = options.audience ?? this.defaultAudience;
     const clockTolerance = options.clockTolerance ?? this.defaultClockTolerance;
-    const algorithms = options.algorithms ?? ["RS256"];
+    const algorithms = options.algorithms ?? ["RS256", "ES256"];
+    const verifyOptions = {
+      algorithms,
+      clockTolerance,
+      issuer,
+      audience
+    };
     try {
-      const verifyOptions = {
-        algorithms,
-        clockTolerance,
-        // The jsonwebtoken types insist on tuple types for arrays; runtime
-        // accepts plain string[] so we cast to satisfy the compiler.
-        issuer,
-        audience
-      };
-      const verified = import_jsonwebtoken.default.verify(token, publicKey, verifyOptions);
-      return verified;
+      const { payload } = await (0, import_jose.jwtVerify)(token, cache.verifier, verifyOptions);
+      return payload;
     } catch (err) {
+      if (err instanceof import_jose.errors.JWTExpired) {
+        throw new IQAuthError("TOKEN_EXPIRED", "Token has expired");
+      }
+      if (err instanceof import_jose.errors.JOSEError) {
+        throw new IQAuthError("TOKEN_INVALID", err.message);
+      }
       if (err instanceof Error) {
-        if (err.name === "TokenExpiredError") {
-          throw new IQAuthError("TOKEN_EXPIRED", "Token has expired");
-        }
         throw new IQAuthError("TOKEN_INVALID", err.message);
       }
       throw new IQAuthError("TOKEN_INVALID", "Token verification failed");
@@ -527,29 +545,40 @@ var TokensModule = class {
   }
   /**
    * Decode a JWT without verification. Returns null if malformed.
-   *
-   * @remarks Local decode only — no network call
    */
   decode(token) {
-    const decoded = import_jsonwebtoken.default.decode(token);
-    return decoded;
+    try {
+      const parts = token.split(".");
+      if (parts.length < 2) return null;
+      const payload = parts[1];
+      const padded = payload + "=".repeat((4 - payload.length % 4) % 4);
+      const b64 = padded.replace(/-/g, "+").replace(/_/g, "/");
+      let json;
+      if (typeof atob === "function") {
+        json = atob(b64);
+      } else {
+        const { Buffer: Buffer2 } = require("buffer");
+        json = Buffer2.from(b64, "base64").toString("utf8");
+      }
+      try {
+        json = decodeURIComponent(escape(json));
+      } catch {
+      }
+      const claims = JSON.parse(json);
+      if (!claims || typeof claims !== "object") return null;
+      return claims;
+    } catch {
+      return null;
+    }
   }
-  /**
-   * Check if a token is expired based on the `exp` claim.
-   *
-   * @remarks Local check only — no network call
-   */
+  /** Check if a token is expired based on the `exp` claim. */
   isExpired(token) {
     const claims = this.decode(token);
     if (!claims?.exp) return true;
     const now = Math.floor(Date.now() / 1e3);
     return claims.exp <= now;
   }
-  /**
-   * Get the claims from a token without verification.
-   *
-   * @remarks Local decode only — no network call
-   */
+  /** Get the claims from a token without verification. */
   getClaims(token) {
     const claims = this.decode(token);
     if (!claims) {
@@ -557,11 +586,15 @@ var TokensModule = class {
     }
     return claims;
   }
-  async getPublicKey(kid) {
-    if (!this.jwksCache || Date.now() - this.jwksCache.fetchedAt > JWKS_CACHE_TTL_MS) {
-      await this.refreshJwks();
+  async ensureCache() {
+    if (this.jwksCache && Date.now() - this.jwksCache.fetchedAt <= JWKS_CACHE_TTL_MS) {
+      return this.jwksCache;
+    }
+    await this.refreshJwks();
+    if (!this.jwksCache) {
+      throw new IQAuthError("INTERNAL_ERROR", "JWKS cache unavailable after refresh");
     }
-    return this.jwksCache?.keys.get(kid) ?? null;
+    return this.jwksCache;
   }
   async refreshJwks() {
     if (this.inFlightRefresh) {
@@ -588,35 +621,24 @@ var TokensModule = class {
             "Malformed JWKS response: expected { keys: [...] }"
           );
         }
-        const keys = /* @__PURE__ */ new Map();
+        const byKid = /* @__PURE__ */ new Set();
         for (const key of jwks.keys) {
-          if (!key || typeof key.kid !== "string" || typeof key.n !== "string" || typeof key.e !== "string") {
+          if (!key || typeof key.kid !== "string" || typeof key.n !== "string" && typeof key.x !== "string" || key.kty === "RSA" && (typeof key.n !== "string" || typeof key.e !== "string")) {
             throw new IQAuthError(
               "INTERNAL_ERROR",
               "Malformed JWKS response: key missing required fields"
             );
           }
-          const pem = this.jwkToPem(key);
-          keys.set(key.kid, pem);
+          byKid.add(key.kid);
         }
-        this.jwksCache = { keys, fetchedAt: Date.now() };
+        const verifier = (0, import_jose.createLocalJWKSet)({ keys: jwks.keys });
+        this.jwksCache = { raw: jwks.keys, byKid, verifier, fetchedAt: Date.now() };
       } finally {
         this.inFlightRefresh = null;
       }
     })();
     return this.inFlightRefresh;
   }
-  jwkToPem(jwk) {
-    const keyObject = import_crypto.default.createPublicKey({
-      key: {
-        kty: jwk.kty,
-        n: jwk.n,
-        e: jwk.e
-      },
-      format: "jwk"
-    });
-    return keyObject.export({ type: "spki", format: "pem" });
-  }
   /** @internal Exposed for testing — clears JWKS cache */
   clearCache() {
     this.jwksCache = null;
@@ -824,7 +846,7 @@ var PermissionsModule = class {
 };
 
 // src/modules/oidc.ts
-var import_crypto2 = __toESM(require("crypto"));
+var import_crypto = __toESM(require("crypto"));
 var InMemoryOidcStateStore = class {
   constructor() {
     this.map = /* @__PURE__ */ new Map();
@@ -905,12 +927,12 @@ var OidcModule = class {
    * ready to redirect the user to.
    */
   async createAuthRequest(params) {
-    const codeVerifier = base64UrlEncode(import_crypto2.default.randomBytes(32));
+    const codeVerifier = base64UrlEncode(import_crypto.default.randomBytes(32));
     const codeChallenge = base64UrlEncode(
-      import_crypto2.default.createHash("sha256").update(codeVerifier).digest()
+      import_crypto.default.createHash("sha256").update(codeVerifier).digest()
     );
-    const state = base64UrlEncode(import_crypto2.default.randomBytes(16));
-    const nonce = base64UrlEncode(import_crypto2.default.randomBytes(16));
+    const state = base64UrlEncode(import_crypto.default.randomBytes(16));
+    const nonce = base64UrlEncode(import_crypto.default.randomBytes(16));
     await this.stateStore.set(state, {
       codeVerifier,
       state,
@@ -1858,7 +1880,7 @@ function assertPublishableKey(raw, opts) {
   if (!isValidIssuerUrl(decoded.iss)) {
     throw new IQAuthError(
       "CONFIG_INVALID",
-      `${ctx}IQAuth publishable key encodes an invalid issuer (iss=${JSON.stringify(decoded.iss)}). Expected a fully-qualified URL like "https://auth.example.com" (scheme required). Regenerate the key from the IQAuth admin console, or set IQAUTH_ISSUER to the correct issuer URL as a temporary workaround.`
+      `${ctx}IQAuth publishable key encodes an invalid issuer (iss=${JSON.stringify(decoded.iss)}). Expected a fully-qualified URL like "https://auth.example.com" (scheme required). Regenerate the key from the IQAuth admin console \u2014 the new key will encode a valid issuer URL.`
     );
   }
   return { mode: shapeMatch[1], iss: decoded.iss, appId: decoded.appId, tenantId: decoded.tenantId, kid: decoded.kid, raw };
@@ -1904,6 +1926,22 @@ function readCookie(req, name) {
   }
   return void 0;
 }
+function compileMatcher(pat) {
+  if (pat instanceof RegExp) return (p) => pat.test(p);
+  const re = new RegExp(
+    "^" + pat.replace(/[.+^${}()|[\]\\]/g, "\\$&").replace(/\*\*/g, "::DOUBLE::").replace(/\*/g, "[^/]*").replace(/::DOUBLE::/g, ".*") + "$"
+  );
+  return (p) => re.test(p);
+}
+function compileMatchers(pats) {
+  return (pats ?? []).map(compileMatcher);
+}
+function pathOf(req) {
+  const r = req;
+  const raw = r.path || r.originalUrl || r.url || "/";
+  const q = raw.indexOf("?");
+  return q >= 0 ? raw.slice(0, q) : raw;
+}
 function clientFromPublishableKey(opts) {
   const parsed = assertPublishableKey(opts.publishableKey, { context: "iqAuthMiddleware" });
   const issuer = (opts.issuer ?? (parsed.iss.startsWith("http") ? parsed.iss : `https://${parsed.iss}`)).replace(/\/+$/, "");
@@ -1931,10 +1969,26 @@ function iqAuthMiddleware(clientOrOptions, options = {}) {
     onUnauthorized,
     onForbidden,
     onError,
-    accessCookieName = DEFAULT_ACCESS_COOKIE,
-    cookieAware = true
+    cookieAware = true,
+    cookieNames,
+    protect,
+    publicRoutes
   } = resolvedOptions;
+  const accessCookieName = resolvedOptions.accessCookieName ?? cookieNames?.access ?? DEFAULT_ACCESS_COOKIE;
+  const protectMatchers = compileMatchers(protect);
+  const publicMatchers = compileMatchers(publicRoutes);
+  const hasProtect = protectMatchers.length > 0;
+  const hasPublic = publicMatchers.length > 0;
   return async (req, res, next) => {
+    if (hasProtect || hasPublic) {
+      const path = pathOf(req);
+      if (hasPublic && publicMatchers.some((m) => m(path))) {
+        return next();
+      }
+      if (hasProtect && !protectMatchers.some((m) => m(path))) {
+        return next();
+      }
+    }
     let token;
     const authHeader = getAuthorizationHeader(req);
     if (authHeader && authHeader.startsWith("Bearer ")) {
@@ -2053,8 +2107,8 @@ function resolve(config) {
     publishableKey: config.publishableKey,
     secretKey: config.secretKey,
     issuer: (config.issuer ?? inferredIssuer).replace(/\/+$/, ""),
-    accessCookieName: config.accessCookieName ?? "iqauth_at",
-    refreshCookieName: config.refreshCookieName ?? "iqauth_rt",
+    accessCookieName: config.accessCookieName ?? config.cookieNames?.access ?? "iqauth_at",
+    refreshCookieName: config.refreshCookieName ?? config.cookieNames?.refresh ?? "iqauth_rt",
     cookieDomain: config.cookieDomain,
     sameSite: config.sameSite ?? "lax",
     secure: config.secure ?? true,
@@ -2218,6 +2272,15 @@ async function handleSignout(config, input) {
     } catch {
     }
   }
+  if (input.endSsoSession !== false && input.ssoCookieHeader) {
+    try {
+      await cfg.fetchImpl(`${cfg.issuer}/oidc/sso-logout`, {
+        method: "POST",
+        headers: { Cookie: input.ssoCookieHeader }
+      });
+    } catch {
+    }
+  }
   return {
     status: 200,
     body: { success: true, data: { signedOut: true } },
@@ -2225,6 +2288,57 @@ async function handleSignout(config, input) {
   };
 }
 
+// src/server/provisioningBridge.ts
+function defaultIsUniqueViolation(err) {
+  if (!err || typeof err !== "object") return false;
+  const e = err;
+  if (e.code === "23505") return true;
+  if (typeof e.code === "string" && e.code.startsWith("SQLITE_CONSTRAINT")) return true;
+  if (typeof e.message === "string" && /unique constraint|duplicate key/i.test(e.message)) return true;
+  return false;
+}
+function createProvisioningBridge(options) {
+  const { storage } = options;
+  const isUniqueViolation = options.isUniqueViolation ?? defaultIsUniqueViolation;
+  const roleOf = (claims) => {
+    try {
+      return options.roleMapper?.(claims) ?? null;
+    } catch {
+      return null;
+    }
+  };
+  const ensureUser = async (claims) => {
+    if (!claims?.sub) {
+      throw new Error("createProvisioningBridge: claims.sub is required");
+    }
+    const byId = await storage.findByIqAuthUserId(claims.sub);
+    if (byId) return { user: byId, claims, created: false, adopted: false };
+    if (claims.email) {
+      const byEmail = await storage.findByEmail(claims.email);
+      if (byEmail) {
+        if (storage.adoptByEmail) {
+          const adopted = await storage.adoptByEmail(byEmail, claims, roleOf(claims));
+          return { user: adopted, claims, created: false, adopted: true };
+        }
+      }
+    }
+    try {
+      const created = await storage.insertFromClaims(claims, roleOf(claims));
+      return { user: created, claims, created: true, adopted: false };
+    } catch (err) {
+      if (!isUniqueViolation(err)) throw err;
+      const after = await storage.findByIqAuthUserId(claims.sub);
+      if (after) return { user: after, claims, created: false, adopted: false };
+      if (claims.email) {
+        const byEmail = await storage.findByEmail(claims.email);
+        if (byEmail) return { user: byEmail, claims, created: false, adopted: true };
+      }
+      throw err;
+    }
+  };
+  return { ensureUser };
+}
+
 // src/server.ts
 var ServerIQAuthClient = class extends IQAuthClient {
   constructor(config) {
@@ -2245,6 +2359,7 @@ function createServerClient(config) {
   IQAuthClient,
   IQAuthError,
   ServerIQAuthClient,
+  createProvisioningBridge,
   createServerClient,
   handleCallback,
   handleRefresh,

package/dist/server.mjs

@@ -1,18 +1,22 @@
-import {
-  DEFAULT_ACCESS_COOKIE,
-  DEFAULT_REFRESH_COOKIE,
-  iqAuthMiddleware
-} from "./chunk-D72UL5HL.mjs";
 import {
   handleCallback,
   handleRefresh,
   handleSignout,
   serializeCookie
-} from "./chunk-M4J6BPK7.mjs";
-import "./chunk-QEJB7WEQ.mjs";
+} from "./chunk-6TDJJER7.mjs";
+import {
+  createProvisioningBridge
+} from "./chunk-SL3KRS4W.mjs";
+import {
+  DEFAULT_ACCESS_COOKIE,
+  DEFAULT_REFRESH_COOKIE,
+  iqAuthMiddleware
+} from "./chunk-BVV54LPI.mjs";
+import "./chunk-WQWBJSSS.mjs";
 import {
   IQAuthClient
-} from "./chunk-MDUHPQMM.mjs";
+} from "./chunk-W3F4JYGP.mjs";
+import "./chunk-UNYDG2L4.mjs";
 import {
   ErrorCodes,
   IQAuthError
@@ -38,6 +42,7 @@ export {
   IQAuthClient,
   IQAuthError,
   ServerIQAuthClient,
+  createProvisioningBridge,
   createServerClient,
   handleCallback,
   handleRefresh,

package/dist/service.d.mts

@@ -1,7 +1,7 @@
-import { I as IQAuthClient } from './client-Dv4v92Mj.mjs';
-import { b as IQAuthTokenClientConfig } from './types-Cxl3bQHt.mjs';
+import { I as IQAuthClient } from './client-kYlJFgPv.mjs';
+import { b as IQAuthTokenClientConfig } from './types-DZAflmmq.mjs';
 export { E as ErrorCodes, I as IQAuthError } from './errors-CDdl24MP.mjs';
-import 'jsonwebtoken';
+import './tokens-DCyzzn8L.mjs';
 
 declare class ServiceIQAuthClient extends IQAuthClient {
     constructor(config: IQAuthTokenClientConfig);

package/dist/service.d.ts

@@ -1,7 +1,7 @@
-import { I as IQAuthClient } from './client-DXbHb2ul.js';
-import { b as IQAuthTokenClientConfig } from './types-Cxl3bQHt.js';
+import { I as IQAuthClient } from './client-BNQe3AgF.js';
+import { b as IQAuthTokenClientConfig } from './types-DZAflmmq.js';
 export { E as ErrorCodes, I as IQAuthError } from './errors-CDdl24MP.js';
-import 'jsonwebtoken';
+import './tokens-aHiGFr_E.js';
 
 declare class ServiceIQAuthClient extends IQAuthClient {
     constructor(config: IQAuthTokenClientConfig);