npm - @iqauth/sdk - Versions diffs - 2.6.4 → 2.7.0 - Mend

@iqauth/sdk 2.6.4 → 2.7.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (110) hide show

package/README.md +173 -1
package/dist/browser-session.d.mts +4 -4
package/dist/browser-session.d.ts +4 -4
package/dist/browser-session.js +181 -41
package/dist/browser-session.mjs +3 -3
package/dist/browser.d.mts +5 -5
package/dist/browser.d.ts +5 -5
package/dist/browser.js +271 -32
package/dist/browser.mjs +5 -5
package/dist/{chunk-6I6RM4MN.mjs → chunk-6PJRLRB4.mjs} +33 -3
package/dist/{chunk-LIZYFXH7.mjs → chunk-DFWHSDYQ.mjs} +1 -1
package/dist/chunk-GLXSIGVS.mjs +66 -0
package/dist/{chunk-DJIBN2N7.mjs → chunk-GN37E64I.mjs} +29 -7
package/dist/{chunk-WQWBJSSS.mjs → chunk-HVHNYPDC.mjs} +6 -6
package/dist/{chunk-W3F4JYGP.mjs → chunk-JXQI62A7.mjs} +108 -18
package/dist/{chunk-UNYDG2L4.mjs → chunk-NUO2I65G.mjs} +56 -23
package/dist/chunk-PMAFENVI.mjs +229 -0
package/dist/chunk-RR2MGPTK.mjs +2724 -0
package/dist/{chunk-XAWYUPMO.mjs → chunk-RTJAIBXY.mjs} +220 -20
package/dist/{chunk-6TDJJER7.mjs → chunk-RUJXRTEW.mjs} +164 -5
package/dist/{chunk-3JULWS6F.mjs → chunk-WCELYTJ3.mjs} +3 -3
package/dist/{chunk-MKKZULZR.mjs → chunk-WIFG74IK.mjs} +1 -1
package/dist/{chunk-BVV54LPI.mjs → chunk-YVALAG3B.mjs} +10 -4
package/dist/cli/index.js +2 -2
package/dist/cli/index.mjs +2 -2
package/dist/{client-kYlJFgPv.d.mts → client-BGFnBpfc.d.mts} +47 -4
package/dist/{client-BNQe3AgF.d.ts → client-CDQ21LvW.d.ts} +47 -4
package/dist/{doctor-YYNHNMLD.mjs → doctor-JAFXWU3X.mjs} +2 -2
package/dist/errors-Jl1Jtm-6.d.mts +107 -0
package/dist/errors-Jl1Jtm-6.d.ts +107 -0
package/dist/{express-B6_1vBYZ.d.mts → express-CVNQEkOr.d.mts} +2 -2
package/dist/{express-CHpfa7D_.d.ts → express-Piv2WhWM.d.ts} +2 -2
package/dist/express.d.mts +7 -6
package/dist/express.d.ts +7 -6
package/dist/express.js +349 -52
package/dist/express.mjs +39 -12
package/dist/fastify.d.mts +2 -0
package/dist/fastify.d.ts +2 -0
package/dist/fastify.js +332 -52
package/dist/fastify.mjs +23 -8
package/dist/hono.d.mts +2 -0
package/dist/hono.d.ts +2 -0
package/dist/hono.js +329 -52
package/dist/hono.mjs +20 -8
package/dist/index-5KSZEnDe.d.ts +1626 -0
package/dist/index-CKoZHAoc.d.mts +1626 -0
package/dist/index.d.mts +56 -8
package/dist/index.d.ts +56 -8
package/dist/index.js +565 -69
package/dist/index.mjs +29 -9
package/dist/{keys-NLWFAOEM.mjs → keys-6Y776TG2.mjs} +2 -2
package/dist/locales.d.mts +1 -1
package/dist/locales.d.ts +1 -1
package/dist/mobile.d.mts +77 -7
package/dist/mobile.d.ts +77 -7
package/dist/mobile.js +276 -41
package/dist/mobile.mjs +98 -3
package/dist/next.d.mts +2 -1
package/dist/next.d.ts +2 -1
package/dist/next.js +391 -201
package/dist/next.mjs +22 -7
package/dist/{provisioningBridge-DnTfzdZK.d.ts → provisioningBridge-CGpMRie4.d.ts} +1 -1
package/dist/{provisioningBridge-88xjOS2n.d.mts → provisioningBridge-M5G47LWO.d.mts} +1 -1
package/dist/{publishableKey-BaR0HoAH.d.ts → publishableKey-f2kq-rKw.d.mts} +1 -1
package/dist/{publishableKey-BaR0HoAH.d.mts → publishableKey-f2kq-rKw.d.ts} +1 -1
package/dist/react-permissions.d.mts +52 -0
package/dist/react-permissions.d.ts +52 -0
package/dist/react-permissions.js +239 -0
package/dist/react-permissions.mjs +97 -0
package/dist/react.d.mts +9 -1624
package/dist/react.d.ts +9 -1624
package/dist/react.js +313 -33
package/dist/react.mjs +58 -2632
package/dist/{reverify-4UEJXUS6.mjs → reverify-C64QXKJO.mjs} +2 -2
package/dist/server/handlers.d.mts +148 -3
package/dist/server/handlers.d.ts +148 -3
package/dist/server/handlers.js +410 -11
package/dist/server/handlers.mjs +12 -3
package/dist/server.d.mts +151 -8
package/dist/server.d.ts +151 -8
package/dist/server.js +406 -50
package/dist/server.mjs +93 -11
package/dist/service.d.mts +4 -4
package/dist/service.d.ts +4 -4
package/dist/service.js +181 -41
package/dist/service.mjs +3 -3
package/dist/{signIn-OCr88Zf8.d.ts → signIn-BLFnz8SV.d.ts} +78 -3
package/dist/{signIn-4OKLDEIH.mjs → signIn-SHBW6Z4T.mjs} +1 -1
package/dist/{signIn-CiIBTJIh.d.mts → signIn-T-CZ6t6r.d.mts} +78 -3
package/dist/test.mjs +3 -3
package/dist/{tokens-DCyzzn8L.d.mts → tokens-Bqhmqq_R.d.ts} +9 -2
package/dist/{tokens-aHiGFr_E.d.ts → tokens-CITeoG6P.d.mts} +9 -2
package/dist/{types-6bNdxesb.d.ts → types-BdQ2lqfT.d.mts} +1 -1
package/dist/{types-6bNdxesb.d.mts → types-BdQ2lqfT.d.ts} +1 -1
package/dist/{types-DZAflmmq.d.mts → types-XOV9XPVi.d.mts} +99 -10
package/dist/{types-DZAflmmq.d.ts → types-XOV9XPVi.d.ts} +99 -10
package/dist/webhooks.d.mts +100 -17
package/dist/webhooks.d.ts +100 -17
package/dist/webhooks.js +164 -15
package/dist/webhooks.mjs +7 -1
package/dist/ws.d.mts +2 -2
package/dist/ws.d.ts +2 -2
package/dist/ws.js +80 -30
package/dist/ws.mjs +4 -4
package/docs/error-handling.md +101 -0
package/docs/guides/effective-permissions.md +171 -0
package/package.json +13 -3
package/dist/chunk-UKZLOHZG.mjs +0 -83
package/dist/errors-CDdl24MP.d.mts +0 -52
package/dist/errors-CDdl24MP.d.ts +0 -52

package/dist/{chunk-XAWYUPMO.mjs → chunk-RTJAIBXY.mjs} RENAMED Viewed

@@ -3,15 +3,16 @@ import {
   clearCookie,
   getCookie,
   setCookie
-} from "./chunk-DJIBN2N7.mjs";
+} from "./chunk-GN37E64I.mjs";
 import {
   assertPublishableKey
-} from "./chunk-WQWBJSSS.mjs";
+} from "./chunk-HVHNYPDC.mjs";
 import {
   IQAuthError
-} from "./chunk-6I6RM4MN.mjs";
+} from "./chunk-6PJRLRB4.mjs";
 // src/browser/sessionManager.ts
+var PROBE_WAIT_MS = 80;
 var DEFAULT_REFRESH_PATH = "/api/v1/auth/refresh";
 var DEFAULT_USERINFO_PATH = "/api/v1/auth/me";
 async function readAuthErrorCode(res) {
@@ -49,7 +50,13 @@ function claimsToSessionUser(claims) {
     tenantId: claims.tenantId,
     vendorId: claims.vendorId,
     roles: claims.roles ?? [],
-    entitlements: claims.entitlements ?? []
+    entitlements: claims.entitlements ?? [],
+    // SDK 2.7.0 (Task #124) — pass through identity claims when issued.
+    ...claims.picture !== void 0 ? { picture: claims.picture } : {},
+    ...claims.email_verified !== void 0 ? { emailVerified: claims.email_verified } : {},
+    ...claims.given_name !== void 0 ? { givenName: claims.given_name } : {},
+    ...claims.family_name !== void 0 ? { familyName: claims.family_name } : {},
+    ...claims.locale !== void 0 ? { locale: claims.locale } : {}
   };
 }
 var EMPTY = {
@@ -73,11 +80,50 @@ var NO_OP_STORE = {
   write: () => void 0,
   clear: () => void 0
 };
+var IDEMPOTENCY_HEADER = "X-IQAuth-Idempotency";
+function randomIdempotencyToken() {
+  if (typeof crypto !== "undefined" && typeof crypto.getRandomValues === "function") {
+    const bytes = new Uint8Array(16);
+    crypto.getRandomValues(bytes);
+    let out = "";
+    for (const b of bytes) out += b.toString(16).padStart(2, "0");
+    return out;
+  }
+  return Math.random().toString(36).slice(2) + Math.random().toString(36).slice(2);
+}
 var SessionManager = class {
   constructor(options) {
     this.snapshot = { ...EMPTY };
     this.listeners = /* @__PURE__ */ new Set();
     this.refreshPromise = null;
+    /**
+     * Cancellation handle for the in-flight refresh, if any. `signOut()` (or a
+     * `session:signout` broadcast from another tab) calls `abort()` so the
+     * refresh response is dropped before it can write a fresh access cookie
+     * on top of the just-cleared session — the second root cause of "ghost
+     * signed-in" sessions after Sign Out.
+     */
+    this.refreshAbort = null;
+    /**
+     * Set to `true` by `signOut()` / `signOutLocal()` for the lifetime of the
+     * call. Used as a safety belt: even if a refresh response arrives while
+     * `refreshAbort` was unable to interrupt the network call (e.g. the body
+     * was already streaming back), `runRefresh` checks this flag before
+     * mutating session state and bails out.
+     */
+    this.signoutInProgress = false;
+    /**
+     * Per-session opaque idempotency token. Sent as `X-IQAuth-Idempotency` on
+     * every /refresh and /signout request the SDK makes through a framework
+     * adapter (Express/Fastify/Hono/Next), so the adapter's `SignoutRegistry`
+     * can collapse a refresh that lands moments after a signout — even when
+     * the two requests are routed to different server instances (multi-replica
+     * deployments).
+     *
+     * Generated lazily on first use, rotated on signout so the next session
+     * starts with a fresh token. Opaque random — never the raw refresh token.
+     */
+    this.idempotencyToken = null;
     this.channel = null;
     this.proactiveTimer = null;
     this.bootstrapped = false;
@@ -85,6 +131,8 @@ var SessionManager = class {
     this.remoteRefreshWaiters = [];
     /** Active claims by other tabs (keyed by source tabId). */
     this.foreignClaim = null;
+    /** Resolver for an in-flight cross-tab `session:probe`, set during bootstrap. */
+    this.probeResolver = null;
     const parsed = assertPublishableKey(options.publishableKey, { context: "@iqauth/sdk/browser SessionManager" });
     this.key = parsed;
     const inferred = options.issuer ?? (parsed.iss.startsWith("http") ? parsed.iss : `https://${parsed.iss}`);
@@ -97,6 +145,8 @@ var SessionManager = class {
     this.refreshCookieName = options.cookieNames?.refresh ?? REFRESH_COOKIE;
     this.tokenStore = options.tokenStore ?? (this.serverManagedSession ? NO_OP_STORE : this.useCookies ? defaultCookieStore(this.refreshCookieName) : NO_OP_STORE);
     this.crossTabLockTimeoutMs = options.crossTabLockTimeoutMs ?? 4e3;
+    this.debug = options.debug ?? false;
+    this.onTimingEvent = options.onTimingEvent ?? null;
     this.fetchImpl = options.fetchImpl ?? (typeof fetch !== "undefined" ? fetch.bind(globalThis) : (() => {
       throw new Error("global fetch is not available; pass fetchImpl");
     }));
@@ -123,10 +173,35 @@ var SessionManager = class {
   get issuerUrl() {
     return this.issuer;
   }
+  /**
+   * SDK 2.7.0 (Task #124) — The hosted IQAuth host derived from the
+   * publishable key's `iss` claim, normalized to URL form. This is what
+   * `<SignIn/>` and `buildSignInUrl` use to talk to the hosted UI; it
+   * deliberately ignores the `issuer` constructor override so a misrouted
+   * `issuer` (e.g. pointed at the consumer app's own domain) cannot break
+   * the hosted flow. Use {@link issuerUrl} for token / discovery endpoints.
+   */
+  get hostedIssuerUrl() {
+    const iss = this.key.iss;
+    return (iss.startsWith("http") ? iss : `https://${iss}`).replace(/\/+$/, "");
+  }
   /** Cookie name the SDK uses for the refresh token (overridable via `cookieNames.refresh`). */
   get refreshCookie() {
     return this.refreshCookieName;
   }
+  /**
+   * Returns the current per-session idempotency token, generating one
+   * lazily on first use. Sent as the `X-IQAuth-Idempotency` header on
+   * /refresh and /signout requests so the framework adapter's
+   * `SignoutRegistry` can collapse a refresh-vs-signout race even across
+   * server instances.
+   */
+  getIdempotencyToken() {
+    if (!this.idempotencyToken) {
+      this.idempotencyToken = randomIdempotencyToken();
+    }
+    return this.idempotencyToken;
+  }
   getSnapshot() {
     return this.snapshot;
   }
@@ -140,9 +215,44 @@ var SessionManager = class {
    * One-time bootstrap: warm the session from the refresh cookie if present.
    * Safe to call multiple times.
    */
+  /**
+   * Task #126: Public timing-event emitter. Used by the browser sign-in
+   * helpers (redirectToSignIn / handleAuthCallback) to surface signIn-phase
+   * timings through the same `debug` + `onTimingEvent` channel as
+   * bootstrap/refresh. Safe to call from anywhere — internal callers
+   * pre-compute durationMs.
+   */
+  recordTiming(phase, durationMs, ok, code) {
+    this.emitTiming(phase, durationMs, ok, code);
+  }
+  /** Task #126: emit a session timing event to debug log + onTimingEvent hook. */
+  emitTiming(phase, durationMs, ok, code) {
+    if (this.debug) {
+      try {
+        console.debug("[iqauth_session]", { phase, durationMs, ok, code });
+      } catch {
+      }
+    }
+    if (this.onTimingEvent) {
+      try {
+        this.onTimingEvent({ phase, durationMs, ok, code });
+      } catch {
+      }
+    }
+  }
   async bootstrap() {
     if (this.bootstrapped) return;
     this.bootstrapped = true;
+    const t0 = Date.now();
+    try {
+      await this.bootstrapInner();
+      this.emitTiming("bootstrap", Date.now() - t0, this.snapshot.status === "authenticated");
+    } catch (err) {
+      this.emitTiming("bootstrap", Date.now() - t0, false, err instanceof Error ? err.message : "ERROR");
+      throw err;
+    }
+  }
+  async bootstrapInner() {
     if (this.serverManagedSession) {
       try {
         const res = await this.fetchImpl(`${this.issuer}${this.userinfoPath}`, {
@@ -177,6 +287,15 @@ var SessionManager = class {
         return;
       }
     }
+    const peerSnapshot = await this.probePeers();
+    if (peerSnapshot && peerSnapshot.status === "authenticated") {
+      this.update({
+        ...peerSnapshot,
+        version: Math.max(this.snapshot.version, peerSnapshot.version) + 1
+      });
+      this.scheduleProactiveRefresh();
+      return;
+    }
     const stored = await Promise.resolve(this.tokenStore.read());
     if (!stored) {
       this.setStatus("unauthenticated");
@@ -185,6 +304,22 @@ var SessionManager = class {
     const ok = await this.refresh();
     if (!ok) this.setStatus("unauthenticated");
   }
+  probePeers() {
+    if (!this.channel) return Promise.resolve(null);
+    return new Promise((resolve) => {
+      let settled = false;
+      const finish = (snap) => {
+        if (settled) return;
+        settled = true;
+        this.probeResolver = null;
+        clearTimeout(timer);
+        resolve(snap);
+      };
+      this.probeResolver = (snap) => finish(snap);
+      const timer = setTimeout(() => finish(null), PROBE_WAIT_MS);
+      this.broadcastEnvelope({ type: "session:probe", source: this.tabId, ts: Date.now() });
+    });
+  }
   /**
    * Single-flight token refresh, coordinated across tabs via BroadcastChannel.
    *
@@ -198,30 +333,48 @@ var SessionManager = class {
    */
   refresh() {
     if (this.refreshPromise) return this.refreshPromise;
-    this.refreshPromise = this.runRefresh().finally(() => {
+    const t0 = Date.now();
+    this.refreshPromise = this.runRefresh().then((ok) => {
+      this.emitTiming("refresh", Date.now() - t0, ok, ok ? void 0 : this.snapshot.error?.code ?? "REFRESH_FAILED");
+      return ok;
+    }).finally(() => {
       this.refreshPromise = null;
     });
     return this.refreshPromise;
   }
   async runRefresh() {
-    const myClaim = { source: this.tabId, ts: Date.now() };
-    if (this.channel) {
-      this.broadcastEnvelope({ type: "refresh:claim", source: myClaim.source, ts: myClaim.ts });
-      await new Promise((r) => setTimeout(r, 25));
-      const foreign = this.foreignClaim;
-      if (foreign && this.claimWins(foreign, myClaim)) {
-        return this.waitForForeignRefresh();
-      }
-    }
+    const abort = new AbortController();
+    this.refreshAbort = abort;
     try {
+      const myClaim = { source: this.tabId, ts: Date.now() };
+      if (this.channel) {
+        this.broadcastEnvelope({ type: "refresh:claim", source: myClaim.source, ts: myClaim.ts });
+        await new Promise((r) => setTimeout(r, 25));
+        if (abort.signal.aborted || this.signoutInProgress) {
+          this.broadcastEnvelope({ type: "refresh:done", source: this.tabId, ts: Date.now(), ok: false });
+          return false;
+        }
+        const foreign = this.foreignClaim;
+        if (foreign && this.claimWins(foreign, myClaim)) {
+          return this.waitForForeignRefresh();
+        }
+      }
       const refreshToken = await Promise.resolve(this.tokenStore.read());
       const res = await this.fetchImpl(`${this.issuer}${this.refreshPath}`, {
         method: "POST",
         credentials: "include",
-        headers: { "Content-Type": "application/json" },
-        body: JSON.stringify(refreshToken ? { refreshToken } : {})
+        headers: {
+          "Content-Type": "application/json",
+          [IDEMPOTENCY_HEADER]: this.getIdempotencyToken()
+        },
+        body: JSON.stringify(refreshToken ? { refreshToken } : {}),
+        signal: abort.signal
       });
       const body = await res.json().catch(() => ({}));
+      if (this.signoutInProgress || abort.signal.aborted) {
+        this.broadcastEnvelope({ type: "refresh:done", source: this.tabId, ts: Date.now(), ok: false });
+        return false;
+      }
       const data = body.data;
       if (!res.ok || !body.success || !data?.accessToken) {
         const err = body.error;
@@ -240,14 +393,18 @@ var SessionManager = class {
       this.broadcastEnvelope({ type: "refresh:done", source: this.tabId, ts: Date.now(), ok: true });
       return true;
     } catch (err) {
-      this.setError({
-        code: "NETWORK_ERROR",
-        message: err instanceof Error ? err.message : "Refresh request failed"
-      });
+      const aborted = err?.name === "AbortError" || abort.signal.aborted || this.signoutInProgress;
+      if (!aborted) {
+        this.setError({
+          code: "NETWORK_ERROR",
+          message: err instanceof Error ? err.message : "Refresh request failed"
+        });
+      }
       this.broadcastEnvelope({ type: "refresh:done", source: this.tabId, ts: Date.now(), ok: false });
       return false;
     } finally {
       this.foreignClaim = null;
+      if (this.refreshAbort === abort) this.refreshAbort = null;
     }
   }
   claimWins(foreign, mine) {
@@ -355,6 +512,14 @@ var SessionManager = class {
    * the server-side logout request.
    */
   signOutLocal(status = "unauthenticated") {
+    this.signoutInProgress = true;
+    if (this.refreshAbort) {
+      try {
+        this.refreshAbort.abort();
+      } catch {
+      }
+      this.refreshAbort = null;
+    }
     void Promise.resolve(this.tokenStore.clear());
     if (this.proactiveTimer) {
       clearTimeout(this.proactiveTimer);
@@ -369,7 +534,12 @@ var SessionManager = class {
       error: null,
       version: this.snapshot.version + 1
     });
+    this.broadcastEnvelope({ type: "refresh:abort", source: this.tabId, ts: Date.now() });
     this.broadcast("session:signout");
+    this.idempotencyToken = null;
+    setTimeout(() => {
+      this.signoutInProgress = false;
+    }, 0);
   }
   /**
    * Replace the refresh-token store at runtime. Used by the F22
@@ -433,6 +603,12 @@ var SessionManager = class {
   }
   onBroadcast(env) {
     if (!env || env.source === this.tabId) return;
+    if (env.type === "session:probe") {
+      if (this.snapshot.status === "authenticated") {
+        this.broadcast("session:update");
+      }
+      return;
+    }
     if (env.type === "refresh:claim") {
       this.foreignClaim = { source: env.source, ts: env.ts };
       return;
@@ -445,6 +621,24 @@ var SessionManager = class {
       this.foreignClaim = null;
       return;
     }
+    if (env.type === "refresh:abort") {
+      this.signoutInProgress = true;
+      if (this.refreshAbort) {
+        try {
+          this.refreshAbort.abort();
+        } catch {
+        }
+        this.refreshAbort = null;
+      }
+      const waiters = this.remoteRefreshWaiters;
+      this.remoteRefreshWaiters = [];
+      for (const w of waiters) w(false);
+      this.foreignClaim = null;
+      setTimeout(() => {
+        this.signoutInProgress = false;
+      }, 0);
+      return;
+    }
     if (env.type === "session:signout") {
       this.update({
         status: "unauthenticated",
@@ -458,6 +652,12 @@ var SessionManager = class {
       return;
     }
     if ((env.type === "session:update" || env.type === "session:refresh") && env.payload) {
+      if (this.probeResolver && env.payload.status === "authenticated") {
+        const r = this.probeResolver;
+        this.probeResolver = null;
+        r(env.payload);
+        return;
+      }
       this.update({
         ...env.payload,
         version: Math.max(this.snapshot.version, env.payload.version) + 1

package/dist/{chunk-6TDJJER7.mjs → chunk-RUJXRTEW.mjs} RENAMED Viewed

@@ -1,8 +1,49 @@
 import {
   assertPublishableKey
-} from "./chunk-WQWBJSSS.mjs";
+} from "./chunk-HVHNYPDC.mjs";
+import {
+  TokensModule
+} from "./chunk-NUO2I65G.mjs";
+import {
+  IQAuthError
+} from "./chunk-6PJRLRB4.mjs";
 // src/server/handlers.ts
+async function buildUserinfoResponse(claims, opts = {}) {
+  const baseUser = {
+    sub: claims.sub,
+    email: claims.email,
+    name: claims.name,
+    tenantId: claims.tenantId,
+    vendorId: claims.vendorId,
+    roles: claims.roles ?? [],
+    entitlements: claims.entitlements ?? []
+  };
+  const enriched = opts.enrich ? await opts.enrich(claims) : null;
+  const user = enriched ? { ...baseUser, ...enriched } : baseUser;
+  return {
+    success: true,
+    data: {
+      user,
+      claims,
+      tenantId: claims.tenantId ?? null
+    }
+  };
+}
+function emitTiming(cfg, event) {
+  if (cfg.debug) {
+    try {
+      console.debug("[iqauth_helper]", event);
+    } catch {
+    }
+  }
+  if (cfg.onTimingEvent) {
+    try {
+      cfg.onTimingEvent(event);
+    } catch {
+    }
+  }
+}
 var TERMINAL_REFRESH_ERROR_CODES = /* @__PURE__ */ new Set([
   "TOKEN_REVOKED",
   "SESSION_REVOKED",
@@ -42,7 +83,11 @@ function resolve(config) {
     })),
     appId: parsed.appId,
     tenantId: parsed.tenantId,
-    clearCookiesOnRefreshFailure: config.clearCookiesOnRefreshFailure ?? "terminal-only"
+    clearCookiesOnRefreshFailure: config.clearCookiesOnRefreshFailure ?? "terminal-only",
+    debug: config.debug,
+    onTimingEvent: config.onTimingEvent,
+    signoutRegistry: config.signoutRegistry ?? defaultSignoutRegistry,
+    signoutMarkerTtlMs: config.signoutMarkerTtlMs ?? DEFAULT_SIGNOUT_TTL_MS
   };
 }
 function makeCookie(cfg, name, value, maxAge, httpOnly = true) {
@@ -59,15 +104,64 @@ function makeCookie(cfg, name, value, maxAge, httpOnly = true) {
 }
 function clearCookies(cfg) {
   return [
-    makeCookie(cfg, cfg.accessCookieName, "", 0),
-    makeCookie(cfg, cfg.refreshCookieName, "", 0)
+    { ...makeCookie(cfg, cfg.accessCookieName, "", 0), clear: true },
+    { ...makeCookie(cfg, cfg.refreshCookieName, "", 0), clear: true }
   ];
 }
+var DEFAULT_SIGNOUT_TTL_MS = 6e4;
+var inMemorySignoutMarkers = /* @__PURE__ */ new Map();
+function pruneInMemoryMarkers(now) {
+  if (inMemorySignoutMarkers.size === 0) return;
+  for (const [k, exp] of inMemorySignoutMarkers) {
+    if (exp <= now) inMemorySignoutMarkers.delete(k);
+  }
+}
+var defaultSignoutRegistry = {
+  mark(token, ttlMs) {
+    const now = Date.now();
+    pruneInMemoryMarkers(now);
+    inMemorySignoutMarkers.set(token, now + ttlMs);
+  },
+  has(token) {
+    const now = Date.now();
+    const exp = inMemorySignoutMarkers.get(token);
+    if (!exp) return false;
+    if (exp <= now) {
+      inMemorySignoutMarkers.delete(token);
+      return false;
+    }
+    return true;
+  }
+};
+function __resetSignoutMarkersForTests() {
+  inMemorySignoutMarkers.clear();
+}
+function createInMemorySignoutRegistry() {
+  const store = /* @__PURE__ */ new Map();
+  return {
+    mark(token, ttlMs) {
+      const now = Date.now();
+      for (const [k, exp] of store) if (exp <= now) store.delete(k);
+      store.set(token, now + ttlMs);
+    },
+    has(token) {
+      const now = Date.now();
+      const exp = store.get(token);
+      if (!exp) return false;
+      if (exp <= now) {
+        store.delete(token);
+        return false;
+      }
+      return true;
+    }
+  };
+}
 function serializeCookie(d) {
   const parts = [`${d.name}=${encodeURIComponent(d.value)}`];
   parts.push(`Path=${d.path}`);
   if (d.domain) parts.push(`Domain=${d.domain}`);
   parts.push(`Max-Age=${d.maxAge}`);
+  if (d.clear) parts.push("Expires=Thu, 01 Jan 1970 00:00:00 GMT");
   if (d.secure) parts.push("Secure");
   if (d.httpOnly) parts.push("HttpOnly");
   parts.push(`SameSite=${d.sameSite}`);
@@ -75,7 +169,9 @@ function serializeCookie(d) {
 }
 async function handleCallback(config, input) {
   const cfg = resolve(config);
+  const t0 = Date.now();
   if (!input.code || !input.redirectUri) {
+    emitTiming(cfg, { phase: "callback", durationMs: Date.now() - t0, ok: false, code: "VALIDATION_ERROR" });
     return {
       status: 400,
       body: { success: false, error: { code: "VALIDATION_ERROR", message: "code and redirectUri are required" } },
@@ -83,6 +179,7 @@ async function handleCallback(config, input) {
     };
   }
   if (!cfg.secretKey) {
+    emitTiming(cfg, { phase: "callback", durationMs: Date.now() - t0, ok: false, code: "INTERNAL_ERROR" });
     return {
       status: 500,
       body: { success: false, error: { code: "INTERNAL_ERROR", message: "secretKey is required for the callback handler" } },
@@ -106,6 +203,7 @@ async function handleCallback(config, input) {
   });
   const json = await res.json().catch(() => ({}));
   if (!res.ok || !json.access_token) {
+    emitTiming(cfg, { phase: "callback", durationMs: Date.now() - t0, ok: false, code: json.error || "OIDC_EXCHANGE_FAILED" });
     return {
       status: res.status || 502,
       body: {
@@ -125,6 +223,7 @@ async function handleCallback(config, input) {
   if (json.refresh_token) {
     cookies.push(makeCookie(cfg, cfg.refreshCookieName, json.refresh_token, REFRESH_TOKEN_TTL_SECONDS));
   }
+  emitTiming(cfg, { phase: "callback", durationMs: Date.now() - t0, ok: true });
   return {
     status: 200,
     body: { success: true, data: { authenticated: true } },
@@ -133,8 +232,18 @@ async function handleCallback(config, input) {
 }
 async function handleRefresh(config, input) {
   const cfg = resolve(config);
+  const t0 = Date.now();
   const refreshToken = input.refreshToken;
+  const idemKey = input.idempotencyToken;
+  if (idemKey && await Promise.resolve(cfg.signoutRegistry.has(idemKey))) {
+    return {
+      status: 401,
+      body: { success: false, error: { code: "SESSION_REVOKED", message: "Session was signed out" } },
+      cookies: clearCookies(cfg)
+    };
+  }
   if (!refreshToken) {
+    emitTiming(cfg, { phase: "refresh", durationMs: Date.now() - t0, ok: false, code: "TOKEN_INVALID" });
     return {
       status: 401,
       body: { success: false, error: { code: "TOKEN_INVALID", message: "Missing refresh token" } },
@@ -150,6 +259,7 @@ async function handleRefresh(config, input) {
   if (!res.ok || !json.success || !json.data?.accessToken) {
     const status = res.status || 401;
     const errorCode = json.error?.code || "TOKEN_INVALID";
+    emitTiming(cfg, { phase: "refresh", durationMs: Date.now() - t0, ok: false, code: errorCode });
     const shouldClear = shouldClearCookiesOnFailure(
       cfg.clearCookiesOnRefreshFailure,
       status,
@@ -173,6 +283,7 @@ async function handleRefresh(config, input) {
   if (json.data.refreshToken) {
     cookies.push(makeCookie(cfg, cfg.refreshCookieName, json.data.refreshToken, REFRESH_TOKEN_TTL_SECONDS));
   }
+  emitTiming(cfg, { phase: "refresh", durationMs: Date.now() - t0, ok: true });
   return {
     status: 200,
     body: { success: true, data: { accessToken: json.data.accessToken } },
@@ -181,6 +292,10 @@ async function handleRefresh(config, input) {
 }
 async function handleSignout(config, input) {
   const cfg = resolve(config);
+  const t0 = Date.now();
+  if (input.idempotencyToken) {
+    await Promise.resolve(cfg.signoutRegistry.mark(input.idempotencyToken, cfg.signoutMarkerTtlMs));
+  }
   if (input.accessToken) {
     try {
       await cfg.fetchImpl(`${cfg.issuer}${cfg.logoutPath}`, {
@@ -202,16 +317,60 @@ async function handleSignout(config, input) {
     } catch {
     }
   }
+  emitTiming(cfg, { phase: "signout", durationMs: Date.now() - t0, ok: true });
   return {
     status: 200,
     body: { success: true, data: { signedOut: true } },
     cookies: clearCookies(cfg)
   };
 }
+var TOKENS_CACHE = /* @__PURE__ */ new Map();
+function getTokensFor(issuer) {
+  let m = TOKENS_CACHE.get(issuer);
+  if (!m) {
+    m = new TokensModule(issuer);
+    TOKENS_CACHE.set(issuer, m);
+  }
+  return m;
+}
+async function handleUserinfo(config, input) {
+  const cfg = resolve(config);
+  if (!input.accessToken) {
+    return {
+      status: 401,
+      body: { success: false, error: { code: "TOKEN_INVALID", message: "Missing access token" } },
+      cookies: []
+    };
+  }
+  let claims;
+  try {
+    claims = await getTokensFor(cfg.issuer).verify(input.accessToken, config.verify);
+  } catch (err) {
+    const code = err instanceof IQAuthError ? err.code : err.code || "TOKEN_INVALID";
+    const message = err instanceof Error ? err.message : "Access token verification failed";
+    return {
+      status: 401,
+      body: { success: false, error: { code, message } },
+      cookies: []
+    };
+  }
+  const envelope = await buildUserinfoResponse(claims, {
+    enrich: config.userinfoEnricher ? (c) => config.userinfoEnricher(c, input.req) : void 0
+  });
+  return {
+    status: 200,
+    body: envelope,
+    cookies: []
+  };
+}
 export {
+  buildUserinfoResponse,
+  __resetSignoutMarkersForTests,
+  createInMemorySignoutRegistry,
   serializeCookie,
   handleCallback,
   handleRefresh,
-  handleSignout
+  handleSignout,
+  handleUserinfo
 };

package/dist/{chunk-3JULWS6F.mjs → chunk-WCELYTJ3.mjs} RENAMED Viewed

@@ -1,12 +1,12 @@
 import {
   assertPublishableKey
-} from "./chunk-WQWBJSSS.mjs";
+} from "./chunk-HVHNYPDC.mjs";
 import {
   TokensModule
-} from "./chunk-UNYDG2L4.mjs";
+} from "./chunk-NUO2I65G.mjs";
 import {
   IQAuthError
-} from "./chunk-6I6RM4MN.mjs";
+} from "./chunk-6PJRLRB4.mjs";
 // src/ws.ts
 var DEFAULT_COOKIE = "iqauth_at";

package/dist/{chunk-MKKZULZR.mjs → chunk-WIFG74IK.mjs} RENAMED Viewed

@@ -1,6 +1,6 @@
 import {
   encodePublishableKey
-} from "./chunk-WQWBJSSS.mjs";
+} from "./chunk-HVHNYPDC.mjs";
 // src/test.ts
 import { createServer } from "http";