@iqauth/sdk 2.6.3 → 2.7.0

package/dist/index.mjs

@@ -1,27 +1,38 @@
+import {
+  expandPermissions,
+  hasPermission
+} from "./chunk-GLXSIGVS.mjs";
 import {
   createProvisioningBridge
 } from "./chunk-SL3KRS4W.mjs";
 import {
   createTestIssuer
-} from "./chunk-MKKZULZR.mjs";
+} from "./chunk-WIFG74IK.mjs";
 import {
+  IQAUTH_SIGNATURE_HEADER,
+  LEGACY_SIGNATURE_HEADERS,
   WebhookSignatureError,
   isValidWebhookSignature,
+  parseWebhookEvent,
   verifyWebhookSignature
-} from "./chunk-UKZLOHZG.mjs";
+} from "./chunk-PMAFENVI.mjs";
 import {
   verifyWsUpgrade
-} from "./chunk-3JULWS6F.mjs";
+} from "./chunk-WCELYTJ3.mjs";
 import {
   iqAuthMiddleware
-} from "./chunk-BVV54LPI.mjs";
+} from "./chunk-YVALAG3B.mjs";
+import {
+  buildUserinfoResponse,
+  handleUserinfo
+} from "./chunk-RUJXRTEW.mjs";
 import {
   assertPublishableKey,
   encodePublishableKey,
   isPublishableKey,
   isSecretKey,
   parsePublishableKey
-} from "./chunk-WQWBJSSS.mjs";
+} from "./chunk-HVHNYPDC.mjs";
 import {
   ApiKeysModule,
   AppsModule,
@@ -48,17 +59,18 @@ import {
   UsersModule,
   VendorsModule,
   WebhooksModule
-} from "./chunk-W3F4JYGP.mjs";
+} from "./chunk-JXQI62A7.mjs";
 import {
   DEFAULT_CLOCK_TOLERANCE_SECONDS,
   DEFAULT_TOKEN_AUDIENCE,
   DEFAULT_TOKEN_ISSUER,
   TokensModule
-} from "./chunk-UNYDG2L4.mjs";
+} from "./chunk-NUO2I65G.mjs";
 import {
   ErrorCodes,
-  IQAuthError
-} from "./chunk-6I6RM4MN.mjs";
+  IQAuthError,
+  IQ_AUTH_ERROR_CODES
+} from "./chunk-6PJRLRB4.mjs";
 import "./chunk-Y6FXYEAI.mjs";
 export {
   ApiKeysModule,
@@ -73,10 +85,13 @@ export {
   ErrorCodes,
   GdprModule,
   HierarchyModule,
+  IQAUTH_SIGNATURE_HEADER,
   IQAuthClient,
   IQAuthError,
+  IQ_AUTH_ERROR_CODES,
   InMemoryOidcStateStore,
   InvitesModule,
+  LEGACY_SIGNATURE_HEADERS,
   MembershipsModule,
   MfaModule,
   OidcModule,
@@ -94,14 +109,19 @@ export {
   WebhookSignatureError,
   WebhooksModule,
   assertPublishableKey,
+  buildUserinfoResponse,
   createProvisioningBridge,
   createTestIssuer,
   encodePublishableKey,
+  expandPermissions,
+  handleUserinfo,
+  hasPermission,
   iqAuthMiddleware,
   isPublishableKey,
   isSecretKey,
   isValidWebhookSignature,
   parsePublishableKey,
+  parseWebhookEvent,
   verifyWebhookSignature,
   verifyWsUpgrade
 };

package/dist/{keys-NLWFAOEM.mjs → keys-6Y776TG2.mjs}

@@ -10,10 +10,10 @@ async function getCtx(flags) {
   const env = await loadEnv(flags.get("env-file") || ".env");
   const baseUrl = flags.get("base-url") || env.IQAUTH_ISSUER;
   const token = flags.get("token") || env.IQAUTH_ADMIN_TOKEN || env.IQAUTH_SECRET_KEY;
-  const app = flags.get("app") || env.IQAUTH_APP_ID || env.IQAUTH_APP_KEY;
+  const app = flags.get("app") || env.IQAUTH_APP_ID;
   if (!baseUrl) throw new Error("Missing --base-url (or IQAUTH_ISSUER in env).");
   if (!token) throw new Error("Missing --token (or IQAUTH_ADMIN_TOKEN / IQAUTH_SECRET_KEY in env).");
-  if (!app) throw new Error("Missing --app <appId|appKey> (or IQAUTH_APP_ID in env).");
+  if (!app) throw new Error("Missing --app <appId> (or IQAUTH_APP_ID in env). The `IQAUTH_APP_KEY` env-var fallback has been removed (Task #130) \u2014 pass --app explicitly.");
   return { baseUrl, token, app };
 }
 async function runKeys(argv) {

package/dist/locales.d.mts

@@ -1,4 +1,4 @@
-import { I as IQAuthLocaleBundle, a as IQAuthLocaleOverride, b as IQAuthLocaleKey } from './types-6bNdxesb.mjs';
+import { I as IQAuthLocaleBundle, b as IQAuthLocaleOverride, a as IQAuthLocaleKey } from './types-BdQ2lqfT.mjs';
 
 declare const enUS: IQAuthLocaleBundle;
 

package/dist/locales.d.ts

@@ -1,4 +1,4 @@
-import { I as IQAuthLocaleBundle, a as IQAuthLocaleOverride, b as IQAuthLocaleKey } from './types-6bNdxesb.js';
+import { I as IQAuthLocaleBundle, b as IQAuthLocaleOverride, a as IQAuthLocaleKey } from './types-BdQ2lqfT.js';
 
 declare const enUS: IQAuthLocaleBundle;
 

package/dist/mobile.d.mts

@@ -1,11 +1,81 @@
-import { I as IQAuthClient } from './client-kYlJFgPv.mjs';
-import { b as IQAuthTokenClientConfig } from './types-DZAflmmq.mjs';
-export { E as ErrorCodes, I as IQAuthError } from './errors-CDdl24MP.mjs';
-import './tokens-DCyzzn8L.mjs';
+import { I as IQAuthClient } from './client-BGFnBpfc.mjs';
+import { f as IQAuthTokenClientConfig } from './types-XOV9XPVi.mjs';
+export { E as ErrorCodes, I as IQAuthError } from './errors-Jl1Jtm-6.mjs';
+import './tokens-CITeoG6P.mjs';
 
+/**
+ * Mobile client — wraps IQAuthClient with React Native / Expo–aware behavior.
+ *
+ * Notable mode: `autoRefresh: 'app-state'`
+ *   The default per-request "expiring soon" proactive refresh fights with
+ *   Expo / React Native's app-suspension lifecycle (the JS engine pauses in
+ *   background, fetch in-flight when the OS suspends the app fails on resume,
+ *   and the resulting cascade of refresh attempts can blow up with
+ *   `Network request failed` rather than recovering cleanly).
+ *
+ *   In `'app-state'` mode the SDK:
+ *     - DISABLES the per-request proactive refresh.
+ *     - KEEPS the reactive 401 retry on TOKEN_EXPIRED (one attempt).
+ *     - SUBSCRIBES to `AppState.addEventListener('change', ...)` and triggers
+ *       a refresh when the app transitions back to `'active'` from background
+ *       or inactive — but only if a refresh token exists and the access token
+ *       is within 5 minutes of expiry (or already expired).
+ *
+ *   The AppState listener is started automatically when `'app-state'` mode is
+ *   selected and react-native is resolvable. Call `client.stop()` to remove
+ *   the subscription (e.g. in a unit test or on logout).
+ */
+
+type AppStateStatus = "active" | "background" | "inactive" | string;
+interface AppStateLike {
+    currentState: AppStateStatus;
+    addEventListener(type: "change", handler: (state: AppStateStatus) => void): {
+        remove: () => void;
+    } | (() => void) | void;
+    removeEventListener?: (type: "change", handler: (state: AppStateStatus) => void) => void;
+}
+interface MobileClientOptions extends IQAuthTokenClientConfig {
+    /**
+     * Override how AppState is resolved. Defaults to a runtime
+     * `require('react-native').AppState`. Tests inject a fake here.
+     */
+    appState?: AppStateLike | null;
+    /**
+     * Seconds-of-life-remaining threshold below which a foreground transition
+     * triggers a refresh. Default 300 (5 min).
+     */
+    appStateRefreshLeewaySeconds?: number;
+    /**
+     * Optional hook invoked when an AppState-triggered refresh fails. The
+     * default behavior is to swallow the error so the host app doesn't crash
+     * on a foreground tick — the next API call's reactive 401 path will
+     * surface the same error to the caller. Use this hook for telemetry.
+     */
+    onAppStateRefreshError?: (err: unknown) => void;
+}
 declare class MobileIQAuthClient extends IQAuthClient {
-    constructor(config: IQAuthTokenClientConfig);
+    private appStateSub;
+    private appStateMode;
+    private leewaySeconds;
+    private lastAppState;
+    private refreshing;
+    private onTokenRefreshCb?;
+    private onAppStateRefreshError?;
+    constructor(config: MobileClientOptions);
+    /** True iff the client is configured for AppState-driven refresh. */
+    get isAppStateMode(): boolean;
+    private startAppStateListener;
+    /**
+     * Public hook: call this from your own AppState handler if you've passed
+     * `appState: null` to opt out of the auto-subscription. Returns true if a
+     * refresh was attempted.
+     */
+    refreshIfStale(): Promise<boolean>;
+    private maybeRefreshOnForeground;
+    private isAccessTokenStale;
+    /** Remove the AppState subscription. Idempotent. */
+    stop(): void;
 }
-declare function createMobileClient(config: IQAuthTokenClientConfig): MobileIQAuthClient;
+declare function createMobileClient(config: MobileClientOptions): MobileIQAuthClient;
 
-export { IQAuthClient, IQAuthTokenClientConfig, MobileIQAuthClient, createMobileClient };
+export { IQAuthClient, IQAuthTokenClientConfig, type MobileClientOptions, MobileIQAuthClient, createMobileClient };

package/dist/mobile.d.ts

@@ -1,11 +1,81 @@
-import { I as IQAuthClient } from './client-BNQe3AgF.js';
-import { b as IQAuthTokenClientConfig } from './types-DZAflmmq.js';
-export { E as ErrorCodes, I as IQAuthError } from './errors-CDdl24MP.js';
-import './tokens-aHiGFr_E.js';
+import { I as IQAuthClient } from './client-CDQ21LvW.js';
+import { f as IQAuthTokenClientConfig } from './types-XOV9XPVi.js';
+export { E as ErrorCodes, I as IQAuthError } from './errors-Jl1Jtm-6.js';
+import './tokens-Bqhmqq_R.js';
 
+/**
+ * Mobile client — wraps IQAuthClient with React Native / Expo–aware behavior.
+ *
+ * Notable mode: `autoRefresh: 'app-state'`
+ *   The default per-request "expiring soon" proactive refresh fights with
+ *   Expo / React Native's app-suspension lifecycle (the JS engine pauses in
+ *   background, fetch in-flight when the OS suspends the app fails on resume,
+ *   and the resulting cascade of refresh attempts can blow up with
+ *   `Network request failed` rather than recovering cleanly).
+ *
+ *   In `'app-state'` mode the SDK:
+ *     - DISABLES the per-request proactive refresh.
+ *     - KEEPS the reactive 401 retry on TOKEN_EXPIRED (one attempt).
+ *     - SUBSCRIBES to `AppState.addEventListener('change', ...)` and triggers
+ *       a refresh when the app transitions back to `'active'` from background
+ *       or inactive — but only if a refresh token exists and the access token
+ *       is within 5 minutes of expiry (or already expired).
+ *
+ *   The AppState listener is started automatically when `'app-state'` mode is
+ *   selected and react-native is resolvable. Call `client.stop()` to remove
+ *   the subscription (e.g. in a unit test or on logout).
+ */
+
+type AppStateStatus = "active" | "background" | "inactive" | string;
+interface AppStateLike {
+    currentState: AppStateStatus;
+    addEventListener(type: "change", handler: (state: AppStateStatus) => void): {
+        remove: () => void;
+    } | (() => void) | void;
+    removeEventListener?: (type: "change", handler: (state: AppStateStatus) => void) => void;
+}
+interface MobileClientOptions extends IQAuthTokenClientConfig {
+    /**
+     * Override how AppState is resolved. Defaults to a runtime
+     * `require('react-native').AppState`. Tests inject a fake here.
+     */
+    appState?: AppStateLike | null;
+    /**
+     * Seconds-of-life-remaining threshold below which a foreground transition
+     * triggers a refresh. Default 300 (5 min).
+     */
+    appStateRefreshLeewaySeconds?: number;
+    /**
+     * Optional hook invoked when an AppState-triggered refresh fails. The
+     * default behavior is to swallow the error so the host app doesn't crash
+     * on a foreground tick — the next API call's reactive 401 path will
+     * surface the same error to the caller. Use this hook for telemetry.
+     */
+    onAppStateRefreshError?: (err: unknown) => void;
+}
 declare class MobileIQAuthClient extends IQAuthClient {
-    constructor(config: IQAuthTokenClientConfig);
+    private appStateSub;
+    private appStateMode;
+    private leewaySeconds;
+    private lastAppState;
+    private refreshing;
+    private onTokenRefreshCb?;
+    private onAppStateRefreshError?;
+    constructor(config: MobileClientOptions);
+    /** True iff the client is configured for AppState-driven refresh. */
+    get isAppStateMode(): boolean;
+    private startAppStateListener;
+    /**
+     * Public hook: call this from your own AppState handler if you've passed
+     * `appState: null` to opt out of the auto-subscription. Returns true if a
+     * refresh was attempted.
+     */
+    refreshIfStale(): Promise<boolean>;
+    private maybeRefreshOnForeground;
+    private isAccessTokenStale;
+    /** Remove the AppState subscription. Idempotent. */
+    stop(): void;
 }
-declare function createMobileClient(config: IQAuthTokenClientConfig): MobileIQAuthClient;
+declare function createMobileClient(config: MobileClientOptions): MobileIQAuthClient;
 
-export { IQAuthClient, IQAuthTokenClientConfig, MobileIQAuthClient, createMobileClient };
+export { IQAuthClient, IQAuthTokenClientConfig, type MobileClientOptions, MobileIQAuthClient, createMobileClient };