@iqauth/sdk 2.6.3 → 2.7.0

package/dist/{chunk-76W5TLQQ.mjs → chunk-RTJAIBXY.mjs}

@@ -3,15 +3,16 @@ import {
   clearCookie,
   getCookie,
   setCookie
-} from "./chunk-TKZTCPEK.mjs";
+} from "./chunk-GN37E64I.mjs";
 import {
   assertPublishableKey
-} from "./chunk-WQWBJSSS.mjs";
+} from "./chunk-HVHNYPDC.mjs";
 import {
   IQAuthError
-} from "./chunk-6I6RM4MN.mjs";
+} from "./chunk-6PJRLRB4.mjs";
 
 // src/browser/sessionManager.ts
+var PROBE_WAIT_MS = 80;
 var DEFAULT_REFRESH_PATH = "/api/v1/auth/refresh";
 var DEFAULT_USERINFO_PATH = "/api/v1/auth/me";
 async function readAuthErrorCode(res) {
@@ -49,7 +50,13 @@ function claimsToSessionUser(claims) {
     tenantId: claims.tenantId,
     vendorId: claims.vendorId,
     roles: claims.roles ?? [],
-    entitlements: claims.entitlements ?? []
+    entitlements: claims.entitlements ?? [],
+    // SDK 2.7.0 (Task #124) — pass through identity claims when issued.
+    ...claims.picture !== void 0 ? { picture: claims.picture } : {},
+    ...claims.email_verified !== void 0 ? { emailVerified: claims.email_verified } : {},
+    ...claims.given_name !== void 0 ? { givenName: claims.given_name } : {},
+    ...claims.family_name !== void 0 ? { familyName: claims.family_name } : {},
+    ...claims.locale !== void 0 ? { locale: claims.locale } : {}
   };
 }
 var EMPTY = {
@@ -73,11 +80,50 @@ var NO_OP_STORE = {
   write: () => void 0,
   clear: () => void 0
 };
+var IDEMPOTENCY_HEADER = "X-IQAuth-Idempotency";
+function randomIdempotencyToken() {
+  if (typeof crypto !== "undefined" && typeof crypto.getRandomValues === "function") {
+    const bytes = new Uint8Array(16);
+    crypto.getRandomValues(bytes);
+    let out = "";
+    for (const b of bytes) out += b.toString(16).padStart(2, "0");
+    return out;
+  }
+  return Math.random().toString(36).slice(2) + Math.random().toString(36).slice(2);
+}
 var SessionManager = class {
   constructor(options) {
     this.snapshot = { ...EMPTY };
     this.listeners = /* @__PURE__ */ new Set();
     this.refreshPromise = null;
+    /**
+     * Cancellation handle for the in-flight refresh, if any. `signOut()` (or a
+     * `session:signout` broadcast from another tab) calls `abort()` so the
+     * refresh response is dropped before it can write a fresh access cookie
+     * on top of the just-cleared session — the second root cause of "ghost
+     * signed-in" sessions after Sign Out.
+     */
+    this.refreshAbort = null;
+    /**
+     * Set to `true` by `signOut()` / `signOutLocal()` for the lifetime of the
+     * call. Used as a safety belt: even if a refresh response arrives while
+     * `refreshAbort` was unable to interrupt the network call (e.g. the body
+     * was already streaming back), `runRefresh` checks this flag before
+     * mutating session state and bails out.
+     */
+    this.signoutInProgress = false;
+    /**
+     * Per-session opaque idempotency token. Sent as `X-IQAuth-Idempotency` on
+     * every /refresh and /signout request the SDK makes through a framework
+     * adapter (Express/Fastify/Hono/Next), so the adapter's `SignoutRegistry`
+     * can collapse a refresh that lands moments after a signout — even when
+     * the two requests are routed to different server instances (multi-replica
+     * deployments).
+     *
+     * Generated lazily on first use, rotated on signout so the next session
+     * starts with a fresh token. Opaque random — never the raw refresh token.
+     */
+    this.idempotencyToken = null;
     this.channel = null;
     this.proactiveTimer = null;
     this.bootstrapped = false;
@@ -85,6 +131,8 @@ var SessionManager = class {
     this.remoteRefreshWaiters = [];
     /** Active claims by other tabs (keyed by source tabId). */
     this.foreignClaim = null;
+    /** Resolver for an in-flight cross-tab `session:probe`, set during bootstrap. */
+    this.probeResolver = null;
     const parsed = assertPublishableKey(options.publishableKey, { context: "@iqauth/sdk/browser SessionManager" });
     this.key = parsed;
     const inferred = options.issuer ?? (parsed.iss.startsWith("http") ? parsed.iss : `https://${parsed.iss}`);
@@ -97,6 +145,8 @@ var SessionManager = class {
     this.refreshCookieName = options.cookieNames?.refresh ?? REFRESH_COOKIE;
     this.tokenStore = options.tokenStore ?? (this.serverManagedSession ? NO_OP_STORE : this.useCookies ? defaultCookieStore(this.refreshCookieName) : NO_OP_STORE);
     this.crossTabLockTimeoutMs = options.crossTabLockTimeoutMs ?? 4e3;
+    this.debug = options.debug ?? false;
+    this.onTimingEvent = options.onTimingEvent ?? null;
     this.fetchImpl = options.fetchImpl ?? (typeof fetch !== "undefined" ? fetch.bind(globalThis) : (() => {
       throw new Error("global fetch is not available; pass fetchImpl");
     }));
@@ -123,10 +173,35 @@ var SessionManager = class {
   get issuerUrl() {
     return this.issuer;
   }
+  /**
+   * SDK 2.7.0 (Task #124) — The hosted IQAuth host derived from the
+   * publishable key's `iss` claim, normalized to URL form. This is what
+   * `<SignIn/>` and `buildSignInUrl` use to talk to the hosted UI; it
+   * deliberately ignores the `issuer` constructor override so a misrouted
+   * `issuer` (e.g. pointed at the consumer app's own domain) cannot break
+   * the hosted flow. Use {@link issuerUrl} for token / discovery endpoints.
+   */
+  get hostedIssuerUrl() {
+    const iss = this.key.iss;
+    return (iss.startsWith("http") ? iss : `https://${iss}`).replace(/\/+$/, "");
+  }
   /** Cookie name the SDK uses for the refresh token (overridable via `cookieNames.refresh`). */
   get refreshCookie() {
     return this.refreshCookieName;
   }
+  /**
+   * Returns the current per-session idempotency token, generating one
+   * lazily on first use. Sent as the `X-IQAuth-Idempotency` header on
+   * /refresh and /signout requests so the framework adapter's
+   * `SignoutRegistry` can collapse a refresh-vs-signout race even across
+   * server instances.
+   */
+  getIdempotencyToken() {
+    if (!this.idempotencyToken) {
+      this.idempotencyToken = randomIdempotencyToken();
+    }
+    return this.idempotencyToken;
+  }
   getSnapshot() {
     return this.snapshot;
   }
@@ -140,9 +215,44 @@ var SessionManager = class {
    * One-time bootstrap: warm the session from the refresh cookie if present.
    * Safe to call multiple times.
    */
+  /**
+   * Task #126: Public timing-event emitter. Used by the browser sign-in
+   * helpers (redirectToSignIn / handleAuthCallback) to surface signIn-phase
+   * timings through the same `debug` + `onTimingEvent` channel as
+   * bootstrap/refresh. Safe to call from anywhere — internal callers
+   * pre-compute durationMs.
+   */
+  recordTiming(phase, durationMs, ok, code) {
+    this.emitTiming(phase, durationMs, ok, code);
+  }
+  /** Task #126: emit a session timing event to debug log + onTimingEvent hook. */
+  emitTiming(phase, durationMs, ok, code) {
+    if (this.debug) {
+      try {
+        console.debug("[iqauth_session]", { phase, durationMs, ok, code });
+      } catch {
+      }
+    }
+    if (this.onTimingEvent) {
+      try {
+        this.onTimingEvent({ phase, durationMs, ok, code });
+      } catch {
+      }
+    }
+  }
   async bootstrap() {
     if (this.bootstrapped) return;
     this.bootstrapped = true;
+    const t0 = Date.now();
+    try {
+      await this.bootstrapInner();
+      this.emitTiming("bootstrap", Date.now() - t0, this.snapshot.status === "authenticated");
+    } catch (err) {
+      this.emitTiming("bootstrap", Date.now() - t0, false, err instanceof Error ? err.message : "ERROR");
+      throw err;
+    }
+  }
+  async bootstrapInner() {
     if (this.serverManagedSession) {
       try {
         const res = await this.fetchImpl(`${this.issuer}${this.userinfoPath}`, {
@@ -177,6 +287,15 @@ var SessionManager = class {
         return;
       }
     }
+    const peerSnapshot = await this.probePeers();
+    if (peerSnapshot && peerSnapshot.status === "authenticated") {
+      this.update({
+        ...peerSnapshot,
+        version: Math.max(this.snapshot.version, peerSnapshot.version) + 1
+      });
+      this.scheduleProactiveRefresh();
+      return;
+    }
     const stored = await Promise.resolve(this.tokenStore.read());
     if (!stored) {
       this.setStatus("unauthenticated");
@@ -185,6 +304,22 @@ var SessionManager = class {
     const ok = await this.refresh();
     if (!ok) this.setStatus("unauthenticated");
   }
+  probePeers() {
+    if (!this.channel) return Promise.resolve(null);
+    return new Promise((resolve) => {
+      let settled = false;
+      const finish = (snap) => {
+        if (settled) return;
+        settled = true;
+        this.probeResolver = null;
+        clearTimeout(timer);
+        resolve(snap);
+      };
+      this.probeResolver = (snap) => finish(snap);
+      const timer = setTimeout(() => finish(null), PROBE_WAIT_MS);
+      this.broadcastEnvelope({ type: "session:probe", source: this.tabId, ts: Date.now() });
+    });
+  }
   /**
    * Single-flight token refresh, coordinated across tabs via BroadcastChannel.
    *
@@ -198,30 +333,48 @@ var SessionManager = class {
    */
   refresh() {
     if (this.refreshPromise) return this.refreshPromise;
-    this.refreshPromise = this.runRefresh().finally(() => {
+    const t0 = Date.now();
+    this.refreshPromise = this.runRefresh().then((ok) => {
+      this.emitTiming("refresh", Date.now() - t0, ok, ok ? void 0 : this.snapshot.error?.code ?? "REFRESH_FAILED");
+      return ok;
+    }).finally(() => {
       this.refreshPromise = null;
     });
     return this.refreshPromise;
   }
   async runRefresh() {
-    const myClaim = { source: this.tabId, ts: Date.now() };
-    if (this.channel) {
-      this.broadcastEnvelope({ type: "refresh:claim", source: myClaim.source, ts: myClaim.ts });
-      await new Promise((r) => setTimeout(r, 25));
-      const foreign = this.foreignClaim;
-      if (foreign && this.claimWins(foreign, myClaim)) {
-        return this.waitForForeignRefresh();
-      }
-    }
+    const abort = new AbortController();
+    this.refreshAbort = abort;
     try {
+      const myClaim = { source: this.tabId, ts: Date.now() };
+      if (this.channel) {
+        this.broadcastEnvelope({ type: "refresh:claim", source: myClaim.source, ts: myClaim.ts });
+        await new Promise((r) => setTimeout(r, 25));
+        if (abort.signal.aborted || this.signoutInProgress) {
+          this.broadcastEnvelope({ type: "refresh:done", source: this.tabId, ts: Date.now(), ok: false });
+          return false;
+        }
+        const foreign = this.foreignClaim;
+        if (foreign && this.claimWins(foreign, myClaim)) {
+          return this.waitForForeignRefresh();
+        }
+      }
       const refreshToken = await Promise.resolve(this.tokenStore.read());
       const res = await this.fetchImpl(`${this.issuer}${this.refreshPath}`, {
         method: "POST",
         credentials: "include",
-        headers: { "Content-Type": "application/json" },
-        body: JSON.stringify(refreshToken ? { refreshToken } : {})
+        headers: {
+          "Content-Type": "application/json",
+          [IDEMPOTENCY_HEADER]: this.getIdempotencyToken()
+        },
+        body: JSON.stringify(refreshToken ? { refreshToken } : {}),
+        signal: abort.signal
       });
       const body = await res.json().catch(() => ({}));
+      if (this.signoutInProgress || abort.signal.aborted) {
+        this.broadcastEnvelope({ type: "refresh:done", source: this.tabId, ts: Date.now(), ok: false });
+        return false;
+      }
       const data = body.data;
       if (!res.ok || !body.success || !data?.accessToken) {
         const err = body.error;
@@ -240,14 +393,18 @@ var SessionManager = class {
       this.broadcastEnvelope({ type: "refresh:done", source: this.tabId, ts: Date.now(), ok: true });
       return true;
     } catch (err) {
-      this.setError({
-        code: "NETWORK_ERROR",
-        message: err instanceof Error ? err.message : "Refresh request failed"
-      });
+      const aborted = err?.name === "AbortError" || abort.signal.aborted || this.signoutInProgress;
+      if (!aborted) {
+        this.setError({
+          code: "NETWORK_ERROR",
+          message: err instanceof Error ? err.message : "Refresh request failed"
+        });
+      }
       this.broadcastEnvelope({ type: "refresh:done", source: this.tabId, ts: Date.now(), ok: false });
       return false;
     } finally {
       this.foreignClaim = null;
+      if (this.refreshAbort === abort) this.refreshAbort = null;
     }
   }
   claimWins(foreign, mine) {
@@ -355,6 +512,14 @@ var SessionManager = class {
    * the server-side logout request.
    */
   signOutLocal(status = "unauthenticated") {
+    this.signoutInProgress = true;
+    if (this.refreshAbort) {
+      try {
+        this.refreshAbort.abort();
+      } catch {
+      }
+      this.refreshAbort = null;
+    }
     void Promise.resolve(this.tokenStore.clear());
     if (this.proactiveTimer) {
       clearTimeout(this.proactiveTimer);
@@ -369,7 +534,12 @@ var SessionManager = class {
       error: null,
       version: this.snapshot.version + 1
     });
+    this.broadcastEnvelope({ type: "refresh:abort", source: this.tabId, ts: Date.now() });
     this.broadcast("session:signout");
+    this.idempotencyToken = null;
+    setTimeout(() => {
+      this.signoutInProgress = false;
+    }, 0);
   }
   /**
    * Replace the refresh-token store at runtime. Used by the F22
@@ -433,6 +603,12 @@ var SessionManager = class {
   }
   onBroadcast(env) {
     if (!env || env.source === this.tabId) return;
+    if (env.type === "session:probe") {
+      if (this.snapshot.status === "authenticated") {
+        this.broadcast("session:update");
+      }
+      return;
+    }
     if (env.type === "refresh:claim") {
       this.foreignClaim = { source: env.source, ts: env.ts };
       return;
@@ -445,6 +621,24 @@ var SessionManager = class {
       this.foreignClaim = null;
       return;
     }
+    if (env.type === "refresh:abort") {
+      this.signoutInProgress = true;
+      if (this.refreshAbort) {
+        try {
+          this.refreshAbort.abort();
+        } catch {
+        }
+        this.refreshAbort = null;
+      }
+      const waiters = this.remoteRefreshWaiters;
+      this.remoteRefreshWaiters = [];
+      for (const w of waiters) w(false);
+      this.foreignClaim = null;
+      setTimeout(() => {
+        this.signoutInProgress = false;
+      }, 0);
+      return;
+    }
     if (env.type === "session:signout") {
       this.update({
         status: "unauthenticated",
@@ -458,6 +652,12 @@ var SessionManager = class {
       return;
     }
     if ((env.type === "session:update" || env.type === "session:refresh") && env.payload) {
+      if (this.probeResolver && env.payload.status === "authenticated") {
+        const r = this.probeResolver;
+        this.probeResolver = null;
+        r(env.payload);
+        return;
+      }
       this.update({
         ...env.payload,
         version: Math.max(this.snapshot.version, env.payload.version) + 1

package/dist/{chunk-6TDJJER7.mjs → chunk-RUJXRTEW.mjs}

@@ -1,8 +1,49 @@
 import {
   assertPublishableKey
-} from "./chunk-WQWBJSSS.mjs";
+} from "./chunk-HVHNYPDC.mjs";
+import {
+  TokensModule
+} from "./chunk-NUO2I65G.mjs";
+import {
+  IQAuthError
+} from "./chunk-6PJRLRB4.mjs";
 
 // src/server/handlers.ts
+async function buildUserinfoResponse(claims, opts = {}) {
+  const baseUser = {
+    sub: claims.sub,
+    email: claims.email,
+    name: claims.name,
+    tenantId: claims.tenantId,
+    vendorId: claims.vendorId,
+    roles: claims.roles ?? [],
+    entitlements: claims.entitlements ?? []
+  };
+  const enriched = opts.enrich ? await opts.enrich(claims) : null;
+  const user = enriched ? { ...baseUser, ...enriched } : baseUser;
+  return {
+    success: true,
+    data: {
+      user,
+      claims,
+      tenantId: claims.tenantId ?? null
+    }
+  };
+}
+function emitTiming(cfg, event) {
+  if (cfg.debug) {
+    try {
+      console.debug("[iqauth_helper]", event);
+    } catch {
+    }
+  }
+  if (cfg.onTimingEvent) {
+    try {
+      cfg.onTimingEvent(event);
+    } catch {
+    }
+  }
+}
 var TERMINAL_REFRESH_ERROR_CODES = /* @__PURE__ */ new Set([
   "TOKEN_REVOKED",
   "SESSION_REVOKED",
@@ -42,7 +83,11 @@ function resolve(config) {
     })),
     appId: parsed.appId,
     tenantId: parsed.tenantId,
-    clearCookiesOnRefreshFailure: config.clearCookiesOnRefreshFailure ?? "terminal-only"
+    clearCookiesOnRefreshFailure: config.clearCookiesOnRefreshFailure ?? "terminal-only",
+    debug: config.debug,
+    onTimingEvent: config.onTimingEvent,
+    signoutRegistry: config.signoutRegistry ?? defaultSignoutRegistry,
+    signoutMarkerTtlMs: config.signoutMarkerTtlMs ?? DEFAULT_SIGNOUT_TTL_MS
   };
 }
 function makeCookie(cfg, name, value, maxAge, httpOnly = true) {
@@ -59,15 +104,64 @@ function makeCookie(cfg, name, value, maxAge, httpOnly = true) {
 }
 function clearCookies(cfg) {
   return [
-    makeCookie(cfg, cfg.accessCookieName, "", 0),
-    makeCookie(cfg, cfg.refreshCookieName, "", 0)
+    { ...makeCookie(cfg, cfg.accessCookieName, "", 0), clear: true },
+    { ...makeCookie(cfg, cfg.refreshCookieName, "", 0), clear: true }
   ];
 }
+var DEFAULT_SIGNOUT_TTL_MS = 6e4;
+var inMemorySignoutMarkers = /* @__PURE__ */ new Map();
+function pruneInMemoryMarkers(now) {
+  if (inMemorySignoutMarkers.size === 0) return;
+  for (const [k, exp] of inMemorySignoutMarkers) {
+    if (exp <= now) inMemorySignoutMarkers.delete(k);
+  }
+}
+var defaultSignoutRegistry = {
+  mark(token, ttlMs) {
+    const now = Date.now();
+    pruneInMemoryMarkers(now);
+    inMemorySignoutMarkers.set(token, now + ttlMs);
+  },
+  has(token) {
+    const now = Date.now();
+    const exp = inMemorySignoutMarkers.get(token);
+    if (!exp) return false;
+    if (exp <= now) {
+      inMemorySignoutMarkers.delete(token);
+      return false;
+    }
+    return true;
+  }
+};
+function __resetSignoutMarkersForTests() {
+  inMemorySignoutMarkers.clear();
+}
+function createInMemorySignoutRegistry() {
+  const store = /* @__PURE__ */ new Map();
+  return {
+    mark(token, ttlMs) {
+      const now = Date.now();
+      for (const [k, exp] of store) if (exp <= now) store.delete(k);
+      store.set(token, now + ttlMs);
+    },
+    has(token) {
+      const now = Date.now();
+      const exp = store.get(token);
+      if (!exp) return false;
+      if (exp <= now) {
+        store.delete(token);
+        return false;
+      }
+      return true;
+    }
+  };
+}
 function serializeCookie(d) {
   const parts = [`${d.name}=${encodeURIComponent(d.value)}`];
   parts.push(`Path=${d.path}`);
   if (d.domain) parts.push(`Domain=${d.domain}`);
   parts.push(`Max-Age=${d.maxAge}`);
+  if (d.clear) parts.push("Expires=Thu, 01 Jan 1970 00:00:00 GMT");
   if (d.secure) parts.push("Secure");
   if (d.httpOnly) parts.push("HttpOnly");
   parts.push(`SameSite=${d.sameSite}`);
@@ -75,7 +169,9 @@ function serializeCookie(d) {
 }
 async function handleCallback(config, input) {
   const cfg = resolve(config);
+  const t0 = Date.now();
   if (!input.code || !input.redirectUri) {
+    emitTiming(cfg, { phase: "callback", durationMs: Date.now() - t0, ok: false, code: "VALIDATION_ERROR" });
     return {
       status: 400,
       body: { success: false, error: { code: "VALIDATION_ERROR", message: "code and redirectUri are required" } },
@@ -83,6 +179,7 @@ async function handleCallback(config, input) {
     };
   }
   if (!cfg.secretKey) {
+    emitTiming(cfg, { phase: "callback", durationMs: Date.now() - t0, ok: false, code: "INTERNAL_ERROR" });
     return {
       status: 500,
       body: { success: false, error: { code: "INTERNAL_ERROR", message: "secretKey is required for the callback handler" } },
@@ -106,6 +203,7 @@ async function handleCallback(config, input) {
   });
   const json = await res.json().catch(() => ({}));
   if (!res.ok || !json.access_token) {
+    emitTiming(cfg, { phase: "callback", durationMs: Date.now() - t0, ok: false, code: json.error || "OIDC_EXCHANGE_FAILED" });
     return {
       status: res.status || 502,
       body: {
@@ -125,6 +223,7 @@ async function handleCallback(config, input) {
   if (json.refresh_token) {
     cookies.push(makeCookie(cfg, cfg.refreshCookieName, json.refresh_token, REFRESH_TOKEN_TTL_SECONDS));
   }
+  emitTiming(cfg, { phase: "callback", durationMs: Date.now() - t0, ok: true });
   return {
     status: 200,
     body: { success: true, data: { authenticated: true } },
@@ -133,8 +232,18 @@ async function handleCallback(config, input) {
 }
 async function handleRefresh(config, input) {
   const cfg = resolve(config);
+  const t0 = Date.now();
   const refreshToken = input.refreshToken;
+  const idemKey = input.idempotencyToken;
+  if (idemKey && await Promise.resolve(cfg.signoutRegistry.has(idemKey))) {
+    return {
+      status: 401,
+      body: { success: false, error: { code: "SESSION_REVOKED", message: "Session was signed out" } },
+      cookies: clearCookies(cfg)
+    };
+  }
   if (!refreshToken) {
+    emitTiming(cfg, { phase: "refresh", durationMs: Date.now() - t0, ok: false, code: "TOKEN_INVALID" });
     return {
       status: 401,
       body: { success: false, error: { code: "TOKEN_INVALID", message: "Missing refresh token" } },
@@ -150,6 +259,7 @@ async function handleRefresh(config, input) {
   if (!res.ok || !json.success || !json.data?.accessToken) {
     const status = res.status || 401;
     const errorCode = json.error?.code || "TOKEN_INVALID";
+    emitTiming(cfg, { phase: "refresh", durationMs: Date.now() - t0, ok: false, code: errorCode });
     const shouldClear = shouldClearCookiesOnFailure(
       cfg.clearCookiesOnRefreshFailure,
       status,
@@ -173,6 +283,7 @@ async function handleRefresh(config, input) {
   if (json.data.refreshToken) {
     cookies.push(makeCookie(cfg, cfg.refreshCookieName, json.data.refreshToken, REFRESH_TOKEN_TTL_SECONDS));
   }
+  emitTiming(cfg, { phase: "refresh", durationMs: Date.now() - t0, ok: true });
   return {
     status: 200,
     body: { success: true, data: { accessToken: json.data.accessToken } },
@@ -181,6 +292,10 @@ async function handleRefresh(config, input) {
 }
 async function handleSignout(config, input) {
   const cfg = resolve(config);
+  const t0 = Date.now();
+  if (input.idempotencyToken) {
+    await Promise.resolve(cfg.signoutRegistry.mark(input.idempotencyToken, cfg.signoutMarkerTtlMs));
+  }
   if (input.accessToken) {
     try {
       await cfg.fetchImpl(`${cfg.issuer}${cfg.logoutPath}`, {
@@ -202,16 +317,60 @@ async function handleSignout(config, input) {
     } catch {
     }
   }
+  emitTiming(cfg, { phase: "signout", durationMs: Date.now() - t0, ok: true });
   return {
     status: 200,
     body: { success: true, data: { signedOut: true } },
     cookies: clearCookies(cfg)
   };
 }
+var TOKENS_CACHE = /* @__PURE__ */ new Map();
+function getTokensFor(issuer) {
+  let m = TOKENS_CACHE.get(issuer);
+  if (!m) {
+    m = new TokensModule(issuer);
+    TOKENS_CACHE.set(issuer, m);
+  }
+  return m;
+}
+async function handleUserinfo(config, input) {
+  const cfg = resolve(config);
+  if (!input.accessToken) {
+    return {
+      status: 401,
+      body: { success: false, error: { code: "TOKEN_INVALID", message: "Missing access token" } },
+      cookies: []
+    };
+  }
+  let claims;
+  try {
+    claims = await getTokensFor(cfg.issuer).verify(input.accessToken, config.verify);
+  } catch (err) {
+    const code = err instanceof IQAuthError ? err.code : err.code || "TOKEN_INVALID";
+    const message = err instanceof Error ? err.message : "Access token verification failed";
+    return {
+      status: 401,
+      body: { success: false, error: { code, message } },
+      cookies: []
+    };
+  }
+  const envelope = await buildUserinfoResponse(claims, {
+    enrich: config.userinfoEnricher ? (c) => config.userinfoEnricher(c, input.req) : void 0
+  });
+  return {
+    status: 200,
+    body: envelope,
+    cookies: []
+  };
+}
 
 export {
+  buildUserinfoResponse,
+  __resetSignoutMarkersForTests,
+  createInMemorySignoutRegistry,
   serializeCookie,
   handleCallback,
   handleRefresh,
-  handleSignout
+  handleSignout,
+  handleUserinfo
 };

package/dist/{chunk-3JULWS6F.mjs → chunk-WCELYTJ3.mjs}

@@ -1,12 +1,12 @@
 import {
   assertPublishableKey
-} from "./chunk-WQWBJSSS.mjs";
+} from "./chunk-HVHNYPDC.mjs";
 import {
   TokensModule
-} from "./chunk-UNYDG2L4.mjs";
+} from "./chunk-NUO2I65G.mjs";
 import {
   IQAuthError
-} from "./chunk-6I6RM4MN.mjs";
+} from "./chunk-6PJRLRB4.mjs";
 
 // src/ws.ts
 var DEFAULT_COOKIE = "iqauth_at";

package/dist/{chunk-MKKZULZR.mjs → chunk-WIFG74IK.mjs}

@@ -1,6 +1,6 @@
 import {
   encodePublishableKey
-} from "./chunk-WQWBJSSS.mjs";
+} from "./chunk-HVHNYPDC.mjs";
 
 // src/test.ts
 import { createServer } from "http";