@iqauth/sdk 2.3.0 → 2.5.0

package/dist/{chunk-KGEPDXHU.mjs → chunk-6TDJJER7.mjs}

@@ -28,8 +28,8 @@ function resolve(config) {
     publishableKey: config.publishableKey,
     secretKey: config.secretKey,
     issuer: (config.issuer ?? inferredIssuer).replace(/\/+$/, ""),
-    accessCookieName: config.accessCookieName ?? "iqauth_at",
-    refreshCookieName: config.refreshCookieName ?? "iqauth_rt",
+    accessCookieName: config.accessCookieName ?? config.cookieNames?.access ?? "iqauth_at",
+    refreshCookieName: config.refreshCookieName ?? config.cookieNames?.refresh ?? "iqauth_rt",
     cookieDomain: config.cookieDomain,
     sameSite: config.sameSite ?? "lax",
     secure: config.secure ?? true,

package/dist/{chunk-RACIPVLD.mjs → chunk-76W5TLQQ.mjs}

@@ -1,3 +1,9 @@
+import {
+  REFRESH_COOKIE,
+  clearCookie,
+  getCookie,
+  setCookie
+} from "./chunk-TKZTCPEK.mjs";
 import {
   assertPublishableKey
 } from "./chunk-WQWBJSSS.mjs";
@@ -5,69 +11,23 @@ import {
   IQAuthError
 } from "./chunk-6I6RM4MN.mjs";
 
-// src/browser/storage.ts
-var REFRESH_COOKIE = "iqauth_rt";
-var PKCE_STORAGE_PREFIX = "iqauth.pkce.";
-function isBrowser() {
-  return typeof window !== "undefined" && typeof document !== "undefined";
-}
-function setCookie(name, value, opts = {}) {
-  if (!isBrowser()) return;
-  const parts = [`${name}=${encodeURIComponent(value)}`];
-  parts.push(`Path=${opts.path ?? "/"}`);
-  if (opts.maxAgeSeconds !== void 0) parts.push(`Max-Age=${opts.maxAgeSeconds}`);
-  if (opts.domain) parts.push(`Domain=${opts.domain}`);
-  if (opts.secure ?? location.protocol === "https:") parts.push("Secure");
-  parts.push(`SameSite=${opts.sameSite ?? "lax"}`);
-  document.cookie = parts.join("; ");
-}
-function getCookie(name) {
-  if (!isBrowser()) return null;
-  const target = `${name}=`;
-  const segments = document.cookie ? document.cookie.split(";") : [];
-  for (const seg of segments) {
-    const trimmed = seg.trim();
-    if (trimmed.startsWith(target)) {
-      try {
-        return decodeURIComponent(trimmed.slice(target.length));
-      } catch {
-        return null;
-      }
-    }
-  }
-  return null;
-}
-function clearCookie(name, opts = {}) {
-  setCookie(name, "", { ...opts, maxAgeSeconds: 0 });
-}
-function savePkce(record) {
-  if (!isBrowser()) return;
-  try {
-    sessionStorage.setItem(PKCE_STORAGE_PREFIX + record.state, JSON.stringify(record));
-  } catch {
-  }
-}
-function loadPkce(state) {
-  if (!isBrowser()) return null;
+// src/browser/sessionManager.ts
+var DEFAULT_REFRESH_PATH = "/api/v1/auth/refresh";
+var DEFAULT_USERINFO_PATH = "/api/v1/auth/me";
+async function readAuthErrorCode(res) {
   try {
-    const raw = sessionStorage.getItem(PKCE_STORAGE_PREFIX + state);
-    if (!raw) return null;
-    return JSON.parse(raw);
-  } catch {
+    const cloned = res.clone();
+    const data = await cloned.json().catch(() => null);
+    if (!data || typeof data !== "object") return null;
+    const err = data.error;
+    if (err && typeof err.code === "string") {
+      return { code: err.code, message: typeof err.message === "string" ? err.message : void 0 };
+    }
     return null;
-  }
-}
-function clearPkce(state) {
-  if (!isBrowser()) return;
-  try {
-    sessionStorage.removeItem(PKCE_STORAGE_PREFIX + state);
   } catch {
+    return null;
   }
 }
-
-// src/browser/sessionManager.ts
-var DEFAULT_REFRESH_PATH = "/api/v1/auth/refresh";
-var DEFAULT_USERINFO_PATH = "/api/v1/auth/me";
 function decodeClaims(token) {
   try {
     const parts = token.split(".");
@@ -101,11 +61,11 @@ var EMPTY = {
   error: null,
   version: 0
 };
-function defaultCookieStore() {
+function defaultCookieStore(name = REFRESH_COOKIE) {
   return {
-    read: () => getCookie(REFRESH_COOKIE),
-    write: (token) => setCookie(REFRESH_COOKIE, token, { maxAgeSeconds: 60 * 60 * 24 * 30 }),
-    clear: () => clearCookie(REFRESH_COOKIE)
+    read: () => getCookie(name),
+    write: (token) => setCookie(name, token, { maxAgeSeconds: 60 * 60 * 24 * 30 }),
+    clear: () => clearCookie(name)
   };
 }
 var NO_OP_STORE = {
@@ -134,7 +94,8 @@ var SessionManager = class {
     this.useCookies = options.useCookies ?? true;
     this.serverManagedSession = options.serverManagedSession ?? false;
     this.proactiveRefresh = this.serverManagedSession ? false : options.proactiveRefresh ?? true;
-    this.tokenStore = options.tokenStore ?? (this.serverManagedSession ? NO_OP_STORE : this.useCookies ? defaultCookieStore() : NO_OP_STORE);
+    this.refreshCookieName = options.cookieNames?.refresh ?? REFRESH_COOKIE;
+    this.tokenStore = options.tokenStore ?? (this.serverManagedSession ? NO_OP_STORE : this.useCookies ? defaultCookieStore(this.refreshCookieName) : NO_OP_STORE);
     this.crossTabLockTimeoutMs = options.crossTabLockTimeoutMs ?? 4e3;
     this.fetchImpl = options.fetchImpl ?? (typeof fetch !== "undefined" ? fetch.bind(globalThis) : (() => {
       throw new Error("global fetch is not available; pass fetchImpl");
@@ -162,6 +123,10 @@ var SessionManager = class {
   get issuerUrl() {
     return this.issuer;
   }
+  /** Cookie name the SDK uses for the refresh token (overridable via `cookieNames.refresh`). */
+  get refreshCookie() {
+    return this.refreshCookieName;
+  }
   getSnapshot() {
     return this.snapshot;
   }
@@ -268,7 +233,7 @@ var SessionManager = class {
         return false;
       }
       if (data.refreshToken) {
-        await Promise.resolve(this.tokenStore.write(data.refreshToken));
+        await Promise.resolve(this.tokenStore.write(data.refreshToken, { claims: decodeClaims(data.accessToken) }));
       }
       this.applyAccessToken(data.accessToken);
       this.broadcast("session:refresh");
@@ -312,7 +277,7 @@ var SessionManager = class {
     const claims = decodeClaims(accessToken);
     const user = claimsToSessionUser(claims);
     if (refreshToken) {
-      void Promise.resolve(this.tokenStore.write(refreshToken));
+      void Promise.resolve(this.tokenStore.write(refreshToken, { claims }));
     }
     this.update({
       status: user ? "authenticated" : "unauthenticated",
@@ -346,33 +311,39 @@ var SessionManager = class {
    */
   async fetch(input, init = {}) {
     const exec = async (token2) => {
-      const headers = new Headers(init.headers || {});
-      if (token2) headers.set("Authorization", `Bearer ${token2}`);
+      const headers2 = new Headers(init.headers || {});
+      if (token2) headers2.set("Authorization", `Bearer ${token2}`);
       return this.fetchImpl(input, {
         ...init,
-        headers,
+        headers: headers2,
         credentials: init.credentials ?? "include"
       });
     };
     let token = await this.getToken();
     let res = await exec(token);
     if (res.status !== 401) return res;
+    const initialErr = await readAuthErrorCode(res);
+    if (initialErr && (initialErr.code === "SESSION_EXPIRED_INACTIVITY" || initialErr.code === "SESSION_EXPIRED_MAX_DURATION" || initialErr.code === "SESSION_INVALID")) {
+      this.signOutLocal("unauthenticated");
+      throw new IQAuthError(initialErr.code, initialErr.message || "Session expired", 401);
+    }
     const refreshed = await this.refresh();
     if (!refreshed) {
       this.signOutLocal("unauthenticated");
       throw new IQAuthError(
-        "TOKEN_EXPIRED",
-        "Session refresh failed; user must sign in again",
+        initialErr?.code || "TOKEN_EXPIRED",
+        initialErr?.message || "Session refresh failed; user must sign in again",
         401
       );
     }
     token = this.snapshot.accessToken;
     res = await exec(token);
     if (res.status === 401) {
+      const secondErr = await readAuthErrorCode(res);
       this.signOutLocal("unauthenticated");
       throw new IQAuthError(
-        "TOKEN_EXPIRED",
-        "Authenticated request failed twice with 401; aborting",
+        secondErr?.code || "TOKEN_EXPIRED",
+        secondErr?.message || "Authenticated request failed twice with 401; aborting",
         401
       );
     }
@@ -400,6 +371,14 @@ var SessionManager = class {
     });
     this.broadcast("session:signout");
   }
+  /**
+   * Replace the refresh-token store at runtime. Used by the F22
+   * `<MultisessionAppSupport>` wrapper to swap in a `MultiAccountTokenStore`
+   * after the manager has already been constructed by `<IQAuthProvider>`.
+   */
+  setTokenStore(store) {
+    this.tokenStore = store;
+  }
   destroy() {
     if (this.proactiveTimer) clearTimeout(this.proactiveTimer);
     this.proactiveTimer = null;
@@ -492,174 +471,237 @@ var SessionManager = class {
   }
 };
 
-// src/browser/pkce.ts
-function getCrypto() {
-  if (typeof globalThis !== "undefined" && globalThis.crypto) {
-    return globalThis.crypto;
+// src/browser/passwordless.ts
+function url(base, path) {
+  return `${base.replace(/\/+$/, "")}${path}`;
+}
+function headers(o) {
+  const h = { "Content-Type": "application/json" };
+  if (o.cookieSession !== false) h["x-iqauth-session"] = "cookie";
+  return h;
+}
+async function postJson(u, body, h) {
+  const r = await fetch(u, {
+    method: "POST",
+    credentials: "include",
+    headers: h,
+    body: JSON.stringify(body)
+  });
+  const p = await r.json().catch(() => ({}));
+  if (!r.ok) {
+    const msg = p?.error?.message || `Request failed (${r.status})`;
+    throw new Error(msg);
   }
-  throw new Error("WebCrypto is not available in this environment");
+  return p.data;
 }
-function base64UrlEncode(bytes) {
-  let bin = "";
-  for (let i = 0; i < bytes.length; i++) bin += String.fromCharCode(bytes[i]);
-  const b64 = typeof btoa === "function" ? btoa(bin) : Buffer.from(bin, "binary").toString("base64");
-  return b64.replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/g, "");
+async function requestMagicLink(opts, input) {
+  await postJson(url(opts.iqAuthBaseUrl, "/api/v1/auth/magic-link/request"), input, headers(opts));
+  return { ok: true };
 }
-function randomUrlSafe(byteLength = 32) {
-  const bytes = new Uint8Array(byteLength);
-  getCrypto().getRandomValues(bytes);
-  return base64UrlEncode(bytes);
+async function verifyMagicLink(opts, token) {
+  return postJson(url(opts.iqAuthBaseUrl, "/api/v1/auth/magic-link/verify"), { token }, headers(opts));
 }
-async function s256Challenge(verifier) {
-  const data = new TextEncoder().encode(verifier);
-  const digest = await getCrypto().subtle.digest("SHA-256", data);
-  return base64UrlEncode(new Uint8Array(digest));
+async function beginPasskeyAuthentication(opts, input = {}) {
+  return postJson(url(opts.iqAuthBaseUrl, "/api/v1/auth/passkeys/authentication/options"), input, headers(opts));
 }
-async function createPkcePair() {
-  const codeVerifier = randomUrlSafe(32);
-  const codeChallenge = await s256Challenge(codeVerifier);
-  const state = randomUrlSafe(16);
-  const nonce = randomUrlSafe(16);
-  return { codeVerifier, codeChallenge, state, nonce };
+async function finishPasskeyAuthentication(opts, response) {
+  return postJson(url(opts.iqAuthBaseUrl, "/api/v1/auth/passkeys/authentication/verify"), { response }, headers(opts));
 }
-
-// src/browser/signIn.ts
-var DEFAULT_SIGN_IN_PATH = "/sign-in";
-var DEFAULT_LOGOUT_PATH = "/api/v1/auth/logout";
-var DEFAULT_SSO_LOGOUT_PATH = "/oidc/sso-logout";
-var DEFAULT_TOKEN_PATH = "/oidc/token";
-var DEFAULT_CALLBACK_PATH = "/auth/callback";
-function defaultRedirectUri() {
-  if (typeof window === "undefined") {
-    throw new Error("redirectToSignIn requires a browser environment (window)");
-  }
-  return `${window.location.origin}${DEFAULT_CALLBACK_PATH}`;
+async function beginPasskeyRegistration(opts) {
+  return postJson(url(opts.iqAuthBaseUrl, "/api/v1/auth/passkeys/registration/options"), {}, headers(opts));
 }
-function defaultReturnTo() {
-  if (typeof window === "undefined") return "/";
-  return window.location.href;
+async function finishPasskeyRegistration(opts, response, name) {
+  return postJson(url(opts.iqAuthBaseUrl, "/api/v1/auth/passkeys/registration/verify"), { response, name }, headers(opts));
 }
-async function buildSignInUrl(manager, opts = {}) {
-  const pkce = await createPkcePair();
-  const redirectUri = opts.redirectUri ?? defaultRedirectUri();
-  const returnTo = opts.returnTo ?? defaultReturnTo();
-  savePkce({
-    codeVerifier: pkce.codeVerifier,
-    state: pkce.state,
-    nonce: pkce.nonce,
-    redirectUri,
-    appKey: manager.publishableKey.raw,
-    returnTo,
-    createdAt: Date.now()
-  });
-  const url = new URL(opts.signInPath ?? DEFAULT_SIGN_IN_PATH, manager.issuerUrl);
-  url.searchParams.set("response_type", "code");
-  url.searchParams.set("app", manager.appKey);
-  url.searchParams.set("publishable_key", manager.publishableKey.raw);
-  url.searchParams.set("redirect_uri", redirectUri);
-  url.searchParams.set("state", pkce.state);
-  url.searchParams.set("nonce", pkce.nonce);
-  url.searchParams.set("code_challenge", pkce.codeChallenge);
-  url.searchParams.set("code_challenge_method", "S256");
-  url.searchParams.set("scope", opts.scope ?? "openid profile email");
-  url.searchParams.set("return_to", returnTo);
-  return url.toString();
+async function signInWithPasskey(opts, input = {}) {
+  const mod = await import(
+    /* @vite-ignore */
+    "./bundle-LUKDQYVQ.mjs"
+  );
+  const options = await beginPasskeyAuthentication(opts, input);
+  const response = await mod.startAuthentication({ optionsJSON: options });
+  return finishPasskeyAuthentication(opts, response);
 }
-async function redirectToSignIn(manager, opts = {}) {
-  const url = await buildSignInUrl(manager, opts);
-  if (typeof window === "undefined") {
-    throw new Error("redirectToSignIn requires a browser environment");
-  }
-  window.location.assign(url);
+async function enrollPasskey(opts, name) {
+  const mod = await import(
+    /* @vite-ignore */
+    "./bundle-LUKDQYVQ.mjs"
+  );
+  const options = await beginPasskeyRegistration(opts);
+  const response = await mod.startRegistration({ optionsJSON: options });
+  return finishPasskeyRegistration(opts, response, name);
 }
-async function signIn(manager, opts = {}) {
-  return redirectToSignIn(manager, opts);
+async function listLinkedIdentities(opts) {
+  const r = await fetch(url(opts.iqAuthBaseUrl, "/api/v1/auth/identities"), { credentials: "include" });
+  const p = await r.json().catch(() => ({}));
+  if (!r.ok) throw new Error(p?.error?.message || `Request failed (${r.status})`);
+  return p?.data?.identities ?? [];
 }
-async function handleAuthCallback(manager, options = {}) {
-  const url = new URL(options.url ?? (typeof window !== "undefined" ? window.location.href : ""));
-  const code = url.searchParams.get("code");
-  const state = url.searchParams.get("state");
-  const errorParam = url.searchParams.get("error");
-  if (errorParam) {
-    return { ok: false, returnTo: "/", error: errorParam };
-  }
-  if (!code || !state) {
-    return { ok: false, returnTo: "/", error: "missing_code_or_state" };
-  }
-  const record = loadPkce(state);
-  if (!record) {
-    return { ok: false, returnTo: "/", error: "unknown_state" };
-  }
-  clearPkce(state);
-  const fetchImpl = options.fetchImpl ?? (typeof fetch !== "undefined" ? fetch.bind(globalThis) : null);
-  if (!fetchImpl) {
-    return { ok: false, returnTo: record.returnTo, error: "no_fetch" };
-  }
-  const tokenUrl = `${manager.issuerUrl}${options.tokenPath ?? DEFAULT_TOKEN_PATH}`;
-  const res = await fetchImpl(tokenUrl, {
-    method: "POST",
-    credentials: "include",
-    headers: { "Content-Type": "application/json" },
-    body: JSON.stringify({
-      grant_type: "authorization_code",
-      code,
-      redirect_uri: record.redirectUri,
-      client_id: manager.appKey,
-      code_verifier: record.codeVerifier
-    })
-  });
-  const body = await res.json().catch(() => ({}));
-  if (!res.ok) {
-    const desc = body.error_description ?? body.error ?? "token_exchange_failed";
-    return { ok: false, returnTo: record.returnTo, error: desc };
-  }
-  const tokens = body;
-  if (!tokens.access_token) {
-    return { ok: false, returnTo: record.returnTo, error: "missing_access_token" };
+async function linkProvider(opts, input) {
+  await postJson(url(opts.iqAuthBaseUrl, "/api/v1/auth/identities/link"), input, headers(opts));
+  return { ok: true };
+}
+async function unlinkProvider(opts, input) {
+  await postJson(url(opts.iqAuthBaseUrl, "/api/v1/auth/identities/unlink"), input, headers(opts));
+  return { ok: true };
+}
+
+// src/browser/accountRegistry.ts
+var STORAGE_PREFIX = "iqauth.accounts.";
+var COOKIE_PREFIX = "iqauth_rt_";
+var COOKIE_MAX_AGE = 60 * 60 * 24 * 30;
+function isBrowser() {
+  return typeof window !== "undefined" && typeof localStorage !== "undefined";
+}
+function storageKey(appId) {
+  return STORAGE_PREFIX + appId;
+}
+function readState(appId) {
+  if (!isBrowser()) return { accounts: [], activeAccountId: null };
+  try {
+    const raw = localStorage.getItem(storageKey(appId));
+    if (!raw) return { accounts: [], activeAccountId: null };
+    const parsed = JSON.parse(raw);
+    return {
+      accounts: Array.isArray(parsed.accounts) ? parsed.accounts : [],
+      activeAccountId: parsed.activeAccountId ?? null
+    };
+  } catch {
+    return { accounts: [], activeAccountId: null };
   }
-  if (tokens.refresh_token) {
-    setCookie(REFRESH_COOKIE, tokens.refresh_token, { maxAgeSeconds: 60 * 60 * 24 * 30 });
+}
+function writeState(appId, state) {
+  if (!isBrowser()) return;
+  try {
+    localStorage.setItem(storageKey(appId), JSON.stringify(state));
+  } catch {
   }
-  manager.applyAccessToken(tokens.access_token, tokens.refresh_token);
-  return { ok: true, returnTo: record.returnTo };
 }
-async function signOut(manager, opts = {}) {
-  if (!opts.localOnly) {
-    const issuer = manager.issuerUrl.replace(/\/$/, "");
-    try {
-      const url = `${issuer}${opts.logoutPath ?? DEFAULT_LOGOUT_PATH}`;
-      await manager.fetch(url, { method: "POST" }).catch(() => void 0);
-    } catch {
+var AccountRegistry = class {
+  constructor(appId) {
+    this.appId = appId;
+    this.listeners = /* @__PURE__ */ new Set();
+    this.storageHandler = null;
+    if (isBrowser()) {
+      this.storageHandler = (ev) => {
+        if (ev.key === storageKey(this.appId)) {
+          for (const l of this.listeners) l();
+        }
+      };
+      window.addEventListener("storage", this.storageHandler);
     }
-    if (opts.endSsoSession !== false) {
-      try {
-        await fetch(`${issuer}${DEFAULT_SSO_LOGOUT_PATH}`, {
-          method: "POST",
-          credentials: "include"
-        }).catch(() => void 0);
-      } catch {
+  }
+  destroy() {
+    if (this.storageHandler && isBrowser()) {
+      window.removeEventListener("storage", this.storageHandler);
+    }
+    this.listeners.clear();
+  }
+  list() {
+    return readState(this.appId).accounts.slice();
+  }
+  active() {
+    return readState(this.appId).activeAccountId;
+  }
+  get(accountId) {
+    return readState(this.appId).accounts.find((a) => a.accountId === accountId) ?? null;
+  }
+  upsert(rec) {
+    const state = readState(this.appId);
+    const idx = state.accounts.findIndex((a) => a.accountId === rec.accountId);
+    if (idx >= 0) state.accounts[idx] = { ...state.accounts[idx], ...rec };
+    else state.accounts.push(rec);
+    writeState(this.appId, state);
+    this.notify();
+  }
+  setActive(accountId) {
+    const state = readState(this.appId);
+    state.activeAccountId = accountId;
+    writeState(this.appId, state);
+    this.notify();
+  }
+  remove(accountId) {
+    const state = readState(this.appId);
+    state.accounts = state.accounts.filter((a) => a.accountId !== accountId);
+    if (state.activeAccountId === accountId) state.activeAccountId = state.accounts[0]?.accountId ?? null;
+    writeState(this.appId, state);
+    clearCookie(COOKIE_PREFIX + accountId);
+    this.notify();
+  }
+  subscribe(listener) {
+    this.listeners.add(listener);
+    return () => this.listeners.delete(listener);
+  }
+  /**
+   * Read the refresh token for a specific account from its per-account
+   * cookie. Used by `MultiAccountTokenStore.read()`.
+   */
+  readRefreshToken(accountId) {
+    return getCookie(COOKIE_PREFIX + accountId);
+  }
+  /**
+   * Persist a refresh token to the per-account cookie. Caller is the
+   * SessionManager via `MultiAccountTokenStore.write()`.
+   */
+  writeRefreshToken(accountId, token, opts = {}) {
+    setCookie(COOKIE_PREFIX + accountId, token, { maxAgeSeconds: COOKIE_MAX_AGE, ...opts });
+  }
+  clearRefreshToken(accountId) {
+    clearCookie(COOKIE_PREFIX + accountId);
+  }
+  notify() {
+    for (const l of this.listeners) l();
+  }
+};
+var MultiAccountTokenStore = class {
+  constructor(registry, fallback) {
+    this.registry = registry;
+    this.fallback = fallback;
+  }
+  read() {
+    const id = this.registry.active();
+    if (id) return this.registry.readRefreshToken(id);
+    return this.fallback.read();
+  }
+  write(token, ctx) {
+    let id = this.registry.active();
+    if (!id) {
+      const sub = ctx?.claims?.sub;
+      if (sub) {
+        id = sub;
+        this.registry.setActive(sub);
       }
     }
+    if (id) {
+      this.registry.writeRefreshToken(id, token);
+      return;
+    }
+    return this.fallback.write(token);
   }
-  clearCookie(REFRESH_COOKIE);
-  manager.signOutLocal();
-  if (opts.returnTo && typeof window !== "undefined") {
-    window.location.assign(opts.returnTo);
+  clear() {
+    const id = this.registry.active();
+    if (id) {
+      this.registry.clearRefreshToken(id);
+      return;
+    }
+    return this.fallback.clear();
   }
-}
+};
 
 export {
-  REFRESH_COOKIE,
-  setCookie,
-  getCookie,
-  clearCookie,
+  defaultCookieStore,
   SessionManager,
-  randomUrlSafe,
-  s256Challenge,
-  createPkcePair,
-  buildSignInUrl,
-  redirectToSignIn,
-  signIn,
-  handleAuthCallback,
-  signOut
+  requestMagicLink,
+  verifyMagicLink,
+  beginPasskeyAuthentication,
+  finishPasskeyAuthentication,
+  beginPasskeyRegistration,
+  finishPasskeyRegistration,
+  signInWithPasskey,
+  enrollPasskey,
+  listLinkedIdentities,
+  linkProvider,
+  unlinkProvider,
+  AccountRegistry,
+  MultiAccountTokenStore
 };

package/dist/{chunk-EKTNEZIH.mjs → chunk-BVV54LPI.mjs}

@@ -1,9 +1,9 @@
-import {
-  IQAuthClient
-} from "./chunk-W3F4JYGP.mjs";
 import {
   assertPublishableKey
 } from "./chunk-WQWBJSSS.mjs";
+import {
+  IQAuthClient
+} from "./chunk-W3F4JYGP.mjs";
 import {
   IQAuthError
 } from "./chunk-6I6RM4MN.mjs";
@@ -43,6 +43,22 @@ function readCookie(req, name) {
   }
   return void 0;
 }
+function compileMatcher(pat) {
+  if (pat instanceof RegExp) return (p) => pat.test(p);
+  const re = new RegExp(
+    "^" + pat.replace(/[.+^${}()|[\]\\]/g, "\\$&").replace(/\*\*/g, "::DOUBLE::").replace(/\*/g, "[^/]*").replace(/::DOUBLE::/g, ".*") + "$"
+  );
+  return (p) => re.test(p);
+}
+function compileMatchers(pats) {
+  return (pats ?? []).map(compileMatcher);
+}
+function pathOf(req) {
+  const r = req;
+  const raw = r.path || r.originalUrl || r.url || "/";
+  const q = raw.indexOf("?");
+  return q >= 0 ? raw.slice(0, q) : raw;
+}
 function clientFromPublishableKey(opts) {
   const parsed = assertPublishableKey(opts.publishableKey, { context: "iqAuthMiddleware" });
   const issuer = (opts.issuer ?? (parsed.iss.startsWith("http") ? parsed.iss : `https://${parsed.iss}`)).replace(/\/+$/, "");
@@ -70,10 +86,26 @@ function iqAuthMiddleware(clientOrOptions, options = {}) {
     onUnauthorized,
     onForbidden,
     onError,
-    accessCookieName = DEFAULT_ACCESS_COOKIE,
-    cookieAware = true
+    cookieAware = true,
+    cookieNames,
+    protect,
+    publicRoutes
   } = resolvedOptions;
+  const accessCookieName = resolvedOptions.accessCookieName ?? cookieNames?.access ?? DEFAULT_ACCESS_COOKIE;
+  const protectMatchers = compileMatchers(protect);
+  const publicMatchers = compileMatchers(publicRoutes);
+  const hasProtect = protectMatchers.length > 0;
+  const hasPublic = publicMatchers.length > 0;
   return async (req, res, next) => {
+    if (hasProtect || hasPublic) {
+      const path = pathOf(req);
+      if (hasPublic && publicMatchers.some((m) => m(path))) {
+        return next();
+      }
+      if (hasProtect && !protectMatchers.some((m) => m(path))) {
+        return next();
+      }
+    }
     let token;
     const authHeader = getAuthorizationHeader(req);
     if (authHeader && authHeader.startsWith("Bearer ")) {