@iqauth/sdk 2.3.0 → 2.5.0

package/dist/locales.mjs

@@ -0,0 +1,29 @@
+import {
+  builtInLocales,
+  deDE,
+  defaultBundle,
+  enUS,
+  esES,
+  frFR,
+  jaJP,
+  localizeErrorCode,
+  negotiateLocale,
+  ptBR,
+  resolveBundle,
+  t
+} from "./chunk-5T7GHBX6.mjs";
+import "./chunk-Y6FXYEAI.mjs";
+export {
+  builtInLocales,
+  deDE,
+  defaultBundle,
+  enUS,
+  esES,
+  frFR,
+  jaJP,
+  localizeErrorCode,
+  negotiateLocale,
+  ptBR,
+  resolveBundle,
+  t
+};

package/dist/mobile.d.mts

@@ -1,6 +1,7 @@
-import { I as IQAuthClient } from './client-vdh2a9fJ.mjs';
-import { b as IQAuthTokenClientConfig } from './types-Cxl3bQHt.mjs';
+import { I as IQAuthClient } from './client-kYlJFgPv.mjs';
+import { b as IQAuthTokenClientConfig } from './types-DZAflmmq.mjs';
 export { E as ErrorCodes, I as IQAuthError } from './errors-CDdl24MP.mjs';
+import './tokens-DCyzzn8L.mjs';
 
 declare class MobileIQAuthClient extends IQAuthClient {
     constructor(config: IQAuthTokenClientConfig);

package/dist/mobile.d.ts

@@ -1,6 +1,7 @@
-import { I as IQAuthClient } from './client-DTX4hNdS.js';
-import { b as IQAuthTokenClientConfig } from './types-Cxl3bQHt.js';
+import { I as IQAuthClient } from './client-BNQe3AgF.js';
+import { b as IQAuthTokenClientConfig } from './types-DZAflmmq.js';
 export { E as ErrorCodes, I as IQAuthError } from './errors-CDdl24MP.js';
+import './tokens-aHiGFr_E.js';
 
 declare class MobileIQAuthClient extends IQAuthClient {
     constructor(config: IQAuthTokenClientConfig);

package/dist/next.d.mts

@@ -1,5 +1,5 @@
 import { IQAuthHelperConfig } from './server/handlers.mjs';
-import { J as JwtClaims } from './types-Cxl3bQHt.mjs';
+import { J as JwtClaims } from './types-DZAflmmq.mjs';
 
 /**
  * @iqauth/sdk/next — Next.js (App Router) adapter.

package/dist/next.d.ts

@@ -1,5 +1,5 @@
 import { IQAuthHelperConfig } from './server/handlers.js';
-import { J as JwtClaims } from './types-Cxl3bQHt.js';
+import { J as JwtClaims } from './types-DZAflmmq.js';
 
 /**
  * @iqauth/sdk/next — Next.js (App Router) adapter.

package/dist/next.js

@@ -132,8 +132,8 @@ function resolve(config) {
     publishableKey: config.publishableKey,
     secretKey: config.secretKey,
     issuer: (config.issuer ?? inferredIssuer).replace(/\/+$/, ""),
-    accessCookieName: config.accessCookieName ?? "iqauth_at",
-    refreshCookieName: config.refreshCookieName ?? "iqauth_rt",
+    accessCookieName: config.accessCookieName ?? config.cookieNames?.access ?? "iqauth_at",
+    refreshCookieName: config.refreshCookieName ?? config.cookieNames?.refresh ?? "iqauth_rt",
     cookieDomain: config.cookieDomain,
     sameSite: config.sameSite ?? "lax",
     secure: config.secure ?? true,

package/dist/next.mjs

@@ -3,7 +3,7 @@ import {
   handleRefresh,
   handleSignout,
   serializeCookie
-} from "./chunk-KGEPDXHU.mjs";
+} from "./chunk-6TDJJER7.mjs";
 import {
   assertPublishableKey
 } from "./chunk-WQWBJSSS.mjs";

package/dist/provisioningBridge-88xjOS2n.d.mts

@@ -0,0 +1,86 @@
+import { J as JwtClaims } from './types-DZAflmmq.mjs';
+
+/**
+ * createProvisioningBridge — server-side helper that lifts the
+ * "provision-on-first-login" pattern out of every downstream app.
+ *
+ * Pattern (extracted from IQValidate's iqauth-provision.ts):
+ *   1. On every authenticated request, look up the local user record by
+ *      `iqauthUserId` (the `sub` claim from the JWT).
+ *   2. If not found, fall back to lookup by `email` and adopt the row by
+ *      writing the iqauthUserId — handles users that existed locally before
+ *      IQAuth was integrated.
+ *   3. If still not found, INSERT a new local user row from the JWT claims.
+ *      Race-safe: if a concurrent request already inserted the row
+ *      (Postgres unique-violation 23505 / SQLite SQLITE_CONSTRAINT), retry
+ *      the lookup once.
+ *   4. Optionally apply a `roleMapper(claims)` to map IQAuth roles into the
+ *      local app's role enum on insert/update.
+ *
+ * The factory is db-engine and ORM-agnostic — pass adapters that read/write
+ * your local user table. See the JSDoc on each adapter for the contract.
+ */
+
+interface ProvisioningContext<TUser> {
+    claims: JwtClaims;
+    /** The local user record, looked up or freshly inserted. */
+    user: TUser;
+    /** True if `user` was just created by this request. */
+    created: boolean;
+    /** True if `user` existed locally and was adopted by writing iqauthUserId. */
+    adopted: boolean;
+}
+interface ProvisioningStorage<TUser> {
+    /** Find local user by IQAuth `sub` claim. Returns `null` when not found. */
+    findByIqAuthUserId(iqauthUserId: string): Promise<TUser | null>;
+    /** Find local user by email (case-insensitive recommended). */
+    findByEmail(email: string): Promise<TUser | null>;
+    /**
+     * Insert a fresh user row from the JWT claims. The implementation should
+     * set the local `iqauthUserId` column to `claims.sub` and copy email/name.
+     * If a unique-constraint violation fires (concurrent insert), throw the
+     * error — the bridge catches it and retries the read. Common Postgres
+     * error code is `23505`; SQLite uses `SQLITE_CONSTRAINT_UNIQUE`.
+     */
+    insertFromClaims(claims: JwtClaims, mappedRole?: string | null): Promise<TUser>;
+    /**
+     * Adopt a pre-existing local row (matched by email) by writing the
+     * iqauthUserId. Returns the updated user. Optional — when omitted, the
+     * bridge falls through to insertFromClaims.
+     */
+    adoptByEmail?: (existing: TUser, claims: JwtClaims, mappedRole?: string | null) => Promise<TUser>;
+}
+interface ProvisioningBridgeOptions<TUser> {
+    storage: ProvisioningStorage<TUser>;
+    /** Map IQAuth role strings into the local app's role on insert/adopt. */
+    roleMapper?: (claims: JwtClaims) => string | null | undefined;
+    /**
+     * Heuristic that classifies a thrown DB error as a unique-constraint race.
+     * Defaults to checking for Postgres `23505` and SQLite `SQLITE_CONSTRAINT_UNIQUE`.
+     */
+    isUniqueViolation?: (err: unknown) => boolean;
+}
+interface ProvisioningBridge<TUser> {
+    /**
+     * Resolve (or provision) the local user that corresponds to a verified
+     * IQAuth JWT. Idempotent and race-safe.
+     */
+    ensureUser(claims: JwtClaims): Promise<ProvisioningContext<TUser>>;
+}
+/**
+ * Build a provisioning bridge. Returns an `ensureUser(claims)` function that
+ * handles lookup → adopt → insert → race-retry. Apps typically wrap this in
+ * Express middleware:
+ *
+ *   const bridge = createProvisioningBridge({ storage, roleMapper });
+ *   app.use(iqAuth({ ... }));
+ *   app.use(async (req, _res, next) => {
+ *     if (!req.auth) return next();
+ *     const ctx = await bridge.ensureUser(req.auth);
+ *     (req as any).localUser = ctx.user;
+ *     next();
+ *   });
+ */
+declare function createProvisioningBridge<TUser>(options: ProvisioningBridgeOptions<TUser>): ProvisioningBridge<TUser>;
+
+export { type ProvisioningBridge as P, type ProvisioningBridgeOptions as a, type ProvisioningStorage as b, createProvisioningBridge as c, type ProvisioningContext as d };

package/dist/provisioningBridge-DnTfzdZK.d.ts

@@ -0,0 +1,86 @@
+import { J as JwtClaims } from './types-DZAflmmq.js';
+
+/**
+ * createProvisioningBridge — server-side helper that lifts the
+ * "provision-on-first-login" pattern out of every downstream app.
+ *
+ * Pattern (extracted from IQValidate's iqauth-provision.ts):
+ *   1. On every authenticated request, look up the local user record by
+ *      `iqauthUserId` (the `sub` claim from the JWT).
+ *   2. If not found, fall back to lookup by `email` and adopt the row by
+ *      writing the iqauthUserId — handles users that existed locally before
+ *      IQAuth was integrated.
+ *   3. If still not found, INSERT a new local user row from the JWT claims.
+ *      Race-safe: if a concurrent request already inserted the row
+ *      (Postgres unique-violation 23505 / SQLite SQLITE_CONSTRAINT), retry
+ *      the lookup once.
+ *   4. Optionally apply a `roleMapper(claims)` to map IQAuth roles into the
+ *      local app's role enum on insert/update.
+ *
+ * The factory is db-engine and ORM-agnostic — pass adapters that read/write
+ * your local user table. See the JSDoc on each adapter for the contract.
+ */
+
+interface ProvisioningContext<TUser> {
+    claims: JwtClaims;
+    /** The local user record, looked up or freshly inserted. */
+    user: TUser;
+    /** True if `user` was just created by this request. */
+    created: boolean;
+    /** True if `user` existed locally and was adopted by writing iqauthUserId. */
+    adopted: boolean;
+}
+interface ProvisioningStorage<TUser> {
+    /** Find local user by IQAuth `sub` claim. Returns `null` when not found. */
+    findByIqAuthUserId(iqauthUserId: string): Promise<TUser | null>;
+    /** Find local user by email (case-insensitive recommended). */
+    findByEmail(email: string): Promise<TUser | null>;
+    /**
+     * Insert a fresh user row from the JWT claims. The implementation should
+     * set the local `iqauthUserId` column to `claims.sub` and copy email/name.
+     * If a unique-constraint violation fires (concurrent insert), throw the
+     * error — the bridge catches it and retries the read. Common Postgres
+     * error code is `23505`; SQLite uses `SQLITE_CONSTRAINT_UNIQUE`.
+     */
+    insertFromClaims(claims: JwtClaims, mappedRole?: string | null): Promise<TUser>;
+    /**
+     * Adopt a pre-existing local row (matched by email) by writing the
+     * iqauthUserId. Returns the updated user. Optional — when omitted, the
+     * bridge falls through to insertFromClaims.
+     */
+    adoptByEmail?: (existing: TUser, claims: JwtClaims, mappedRole?: string | null) => Promise<TUser>;
+}
+interface ProvisioningBridgeOptions<TUser> {
+    storage: ProvisioningStorage<TUser>;
+    /** Map IQAuth role strings into the local app's role on insert/adopt. */
+    roleMapper?: (claims: JwtClaims) => string | null | undefined;
+    /**
+     * Heuristic that classifies a thrown DB error as a unique-constraint race.
+     * Defaults to checking for Postgres `23505` and SQLite `SQLITE_CONSTRAINT_UNIQUE`.
+     */
+    isUniqueViolation?: (err: unknown) => boolean;
+}
+interface ProvisioningBridge<TUser> {
+    /**
+     * Resolve (or provision) the local user that corresponds to a verified
+     * IQAuth JWT. Idempotent and race-safe.
+     */
+    ensureUser(claims: JwtClaims): Promise<ProvisioningContext<TUser>>;
+}
+/**
+ * Build a provisioning bridge. Returns an `ensureUser(claims)` function that
+ * handles lookup → adopt → insert → race-retry. Apps typically wrap this in
+ * Express middleware:
+ *
+ *   const bridge = createProvisioningBridge({ storage, roleMapper });
+ *   app.use(iqAuth({ ... }));
+ *   app.use(async (req, _res, next) => {
+ *     if (!req.auth) return next();
+ *     const ctx = await bridge.ensureUser(req.auth);
+ *     (req as any).localUser = ctx.user;
+ *     next();
+ *   });
+ */
+declare function createProvisioningBridge<TUser>(options: ProvisioningBridgeOptions<TUser>): ProvisioningBridge<TUser>;
+
+export { type ProvisioningBridge as P, type ProvisioningBridgeOptions as a, type ProvisioningStorage as b, createProvisioningBridge as c, type ProvisioningContext as d };