@iqauth/sdk 2.6.4 → 2.8.1

package/dist/errors-Jl1Jtm-6.d.mts

@@ -0,0 +1,107 @@
+/**
+ * SOURCE REFS:
+ * - Route file: src/lib/response.ts (error envelope: { success: false, error: { code, message } })
+ * - All route files for error code extraction
+ * - Verified claims: N/A (error module)
+ * - Last verified: Phase 0 Research Summary
+ *
+ * Task #127 (SDK 2.7.0): typed `IQAuthErrorCode` taxonomy.
+ * The SDK historically threw `IQAuthError` with arbitrary string codes,
+ * forcing every integrator to either string-match the message or memorize
+ * the full server code list. This module now ships a discriminated union of
+ * 10 normalized codes that callers can pattern-match exhaustively, and the
+ * `IQAuthError.code` field is typed as `IQAuthErrorCode | (string & {})` so
+ * existing throw sites that pass server-supplied strings (e.g.
+ * `"TOKEN_REVOKED"`, `"SESSION_EXPIRED_INACTIVITY"`) continue to compile and
+ * still pass through to consumers verbatim.
+ *
+ * Migration: existing `catch (e: Error)` keeps working unchanged. The new
+ * codes are additive — `e.code` may now equal one of the 10 lowercase
+ * tokens for SDK-originated errors (verify, JWKS fetch, config validation,
+ * network) while server-originated errors keep their existing UPPER_SNAKE
+ * codes (so framework adapters that switch on `TOKEN_EXPIRED` still work).
+ */
+/**
+ * Discriminated union of normalized SDK error codes. Use these for typed
+ * pattern-matching on errors thrown by SDK calls (`tokens.verify`, JWKS
+ * fetch, config validation, network failures).
+ *
+ * Server-originated errors (e.g. those rethrown from API responses or from
+ * the issuer) may still surface with their UPPER_SNAKE_CASE codes
+ * (`TOKEN_REVOKED`, `MFA_INVALID_CODE`, …) — `code` is widened to accept
+ * those alongside the typed taxonomy.
+ */
+type IQAuthErrorCode = "token_expired" | "token_invalid" | "jwks_unavailable" | "jwks_fetch_failed" | "rate_limited" | "network" | "config_invalid" | "app_not_found" | "permission_denied" | "unknown";
+/**
+ * The 10 canonical typed codes, exposed as a runtime tuple for exhaustive
+ * `switch` checks and for SDK consumers that want to enumerate them.
+ */
+declare const IQ_AUTH_ERROR_CODES: readonly IQAuthErrorCode[];
+declare class IQAuthError extends Error {
+    /**
+     * Normalized error code. Prefer matching against {@link IQAuthErrorCode}
+     * for SDK-originated errors. Server-originated errors may carry their
+     * UPPER_SNAKE server code (e.g. `"TOKEN_REVOKED"`).
+     */
+    code: IQAuthErrorCode | (string & {});
+    status?: number;
+    /**
+     * The underlying error or response payload that triggered this throw.
+     * Aliased as `raw` for back-compat with SDK ≤2.6.x.
+     */
+    cause?: unknown;
+    /** @deprecated alias for {@link cause}; kept for SDK ≤2.6.x compatibility. */
+    raw?: unknown;
+    constructor(code: IQAuthErrorCode | (string & {}), message: string, status?: number, cause?: unknown);
+    /**
+     * Type guard: true when `value` is an `IQAuthError`. Useful for adapters
+     * that round-trip errors through `unknown` (e.g. fastify's `setErrorHandler`).
+     */
+    static isIQAuthError(value: unknown): value is IQAuthError;
+    /**
+     * Type-narrowed code check. Lets callers write
+     * `if (err.is("token_expired")) …` with full IntelliSense for the typed
+     * taxonomy without losing the ability to handle server codes via
+     * `err.code === "TOKEN_REVOKED"`.
+     */
+    is(code: IQAuthErrorCode): boolean;
+}
+declare const ErrorCodes: {
+    readonly VALIDATION_ERROR: "VALIDATION_ERROR";
+    readonly INVALID_CREDENTIALS: "INVALID_CREDENTIALS";
+    readonly ACCOUNT_INACTIVE: "ACCOUNT_INACTIVE";
+    readonly ACCOUNT_LOCKED: "ACCOUNT_LOCKED";
+    readonly INSUFFICIENT_PERMISSIONS: "INSUFFICIENT_PERMISSIONS";
+    readonly TOKEN_INVALID: "TOKEN_INVALID";
+    readonly TOKEN_EXPIRED: "TOKEN_EXPIRED";
+    readonly TOKEN_REVOKED: "TOKEN_REVOKED";
+    readonly USER_INACTIVE: "USER_INACTIVE";
+    readonly INTERNAL_ERROR: "INTERNAL_ERROR";
+    readonly NOT_FOUND: "NOT_FOUND";
+    readonly SESSION_INVALID: "SESSION_INVALID";
+    readonly SESSION_EXPIRED: "SESSION_EXPIRED";
+    readonly REFRESH_TOKEN_REUSED: "REFRESH_TOKEN_REUSED";
+    readonly PASSWORD_EXPIRED: "PASSWORD_EXPIRED";
+    readonly PIN_EXPIRED: "PIN_EXPIRED";
+    readonly PASSWORD_POLICY_VIOLATION: "PASSWORD_POLICY_VIOLATION";
+    readonly MFA_INVALID_CODE: "MFA_INVALID_CODE";
+    readonly MFA_METHOD_UNAVAILABLE: "MFA_METHOD_UNAVAILABLE";
+    readonly MFA_RATE_LIMITED: "MFA_RATE_LIMITED";
+    readonly MFA_ENROLLMENT_REQUIRED: "MFA_ENROLLMENT_REQUIRED";
+    readonly API_KEY_REQUIRED: "API_KEY_REQUIRED";
+    readonly API_KEY_INVALID: "API_KEY_INVALID";
+    readonly AUTH_REQUIRED: "AUTH_REQUIRED";
+    readonly ALREADY_EXISTS: "ALREADY_EXISTS";
+    readonly FORBIDDEN: "FORBIDDEN";
+    readonly OAUTH_NOT_CONFIGURED: "OAUTH_NOT_CONFIGURED";
+    readonly UPLOAD_ERROR: "UPLOAD_ERROR";
+    readonly EMAIL_SERVICE_UNAVAILABLE: "EMAIL_SERVICE_UNAVAILABLE";
+    readonly INVALID_CODE: "INVALID_CODE";
+    readonly CODE_ALREADY_USED: "CODE_ALREADY_USED";
+    readonly CODE_EXPIRED: "CODE_EXPIRED";
+    readonly CODE_IP_MISMATCH: "CODE_IP_MISMATCH";
+    readonly UNKNOWN_PAYLOAD: "UNKNOWN_PAYLOAD";
+};
+type ErrorCode = (typeof ErrorCodes)[keyof typeof ErrorCodes];
+
+export { ErrorCodes as E, IQAuthError as I, IQ_AUTH_ERROR_CODES as a, type ErrorCode as b, type IQAuthErrorCode as c };

package/dist/errors-Jl1Jtm-6.d.ts

@@ -0,0 +1,107 @@
+/**
+ * SOURCE REFS:
+ * - Route file: src/lib/response.ts (error envelope: { success: false, error: { code, message } })
+ * - All route files for error code extraction
+ * - Verified claims: N/A (error module)
+ * - Last verified: Phase 0 Research Summary
+ *
+ * Task #127 (SDK 2.7.0): typed `IQAuthErrorCode` taxonomy.
+ * The SDK historically threw `IQAuthError` with arbitrary string codes,
+ * forcing every integrator to either string-match the message or memorize
+ * the full server code list. This module now ships a discriminated union of
+ * 10 normalized codes that callers can pattern-match exhaustively, and the
+ * `IQAuthError.code` field is typed as `IQAuthErrorCode | (string & {})` so
+ * existing throw sites that pass server-supplied strings (e.g.
+ * `"TOKEN_REVOKED"`, `"SESSION_EXPIRED_INACTIVITY"`) continue to compile and
+ * still pass through to consumers verbatim.
+ *
+ * Migration: existing `catch (e: Error)` keeps working unchanged. The new
+ * codes are additive — `e.code` may now equal one of the 10 lowercase
+ * tokens for SDK-originated errors (verify, JWKS fetch, config validation,
+ * network) while server-originated errors keep their existing UPPER_SNAKE
+ * codes (so framework adapters that switch on `TOKEN_EXPIRED` still work).
+ */
+/**
+ * Discriminated union of normalized SDK error codes. Use these for typed
+ * pattern-matching on errors thrown by SDK calls (`tokens.verify`, JWKS
+ * fetch, config validation, network failures).
+ *
+ * Server-originated errors (e.g. those rethrown from API responses or from
+ * the issuer) may still surface with their UPPER_SNAKE_CASE codes
+ * (`TOKEN_REVOKED`, `MFA_INVALID_CODE`, …) — `code` is widened to accept
+ * those alongside the typed taxonomy.
+ */
+type IQAuthErrorCode = "token_expired" | "token_invalid" | "jwks_unavailable" | "jwks_fetch_failed" | "rate_limited" | "network" | "config_invalid" | "app_not_found" | "permission_denied" | "unknown";
+/**
+ * The 10 canonical typed codes, exposed as a runtime tuple for exhaustive
+ * `switch` checks and for SDK consumers that want to enumerate them.
+ */
+declare const IQ_AUTH_ERROR_CODES: readonly IQAuthErrorCode[];
+declare class IQAuthError extends Error {
+    /**
+     * Normalized error code. Prefer matching against {@link IQAuthErrorCode}
+     * for SDK-originated errors. Server-originated errors may carry their
+     * UPPER_SNAKE server code (e.g. `"TOKEN_REVOKED"`).
+     */
+    code: IQAuthErrorCode | (string & {});
+    status?: number;
+    /**
+     * The underlying error or response payload that triggered this throw.
+     * Aliased as `raw` for back-compat with SDK ≤2.6.x.
+     */
+    cause?: unknown;
+    /** @deprecated alias for {@link cause}; kept for SDK ≤2.6.x compatibility. */
+    raw?: unknown;
+    constructor(code: IQAuthErrorCode | (string & {}), message: string, status?: number, cause?: unknown);
+    /**
+     * Type guard: true when `value` is an `IQAuthError`. Useful for adapters
+     * that round-trip errors through `unknown` (e.g. fastify's `setErrorHandler`).
+     */
+    static isIQAuthError(value: unknown): value is IQAuthError;
+    /**
+     * Type-narrowed code check. Lets callers write
+     * `if (err.is("token_expired")) …` with full IntelliSense for the typed
+     * taxonomy without losing the ability to handle server codes via
+     * `err.code === "TOKEN_REVOKED"`.
+     */
+    is(code: IQAuthErrorCode): boolean;
+}
+declare const ErrorCodes: {
+    readonly VALIDATION_ERROR: "VALIDATION_ERROR";
+    readonly INVALID_CREDENTIALS: "INVALID_CREDENTIALS";
+    readonly ACCOUNT_INACTIVE: "ACCOUNT_INACTIVE";
+    readonly ACCOUNT_LOCKED: "ACCOUNT_LOCKED";
+    readonly INSUFFICIENT_PERMISSIONS: "INSUFFICIENT_PERMISSIONS";
+    readonly TOKEN_INVALID: "TOKEN_INVALID";
+    readonly TOKEN_EXPIRED: "TOKEN_EXPIRED";
+    readonly TOKEN_REVOKED: "TOKEN_REVOKED";
+    readonly USER_INACTIVE: "USER_INACTIVE";
+    readonly INTERNAL_ERROR: "INTERNAL_ERROR";
+    readonly NOT_FOUND: "NOT_FOUND";
+    readonly SESSION_INVALID: "SESSION_INVALID";
+    readonly SESSION_EXPIRED: "SESSION_EXPIRED";
+    readonly REFRESH_TOKEN_REUSED: "REFRESH_TOKEN_REUSED";
+    readonly PASSWORD_EXPIRED: "PASSWORD_EXPIRED";
+    readonly PIN_EXPIRED: "PIN_EXPIRED";
+    readonly PASSWORD_POLICY_VIOLATION: "PASSWORD_POLICY_VIOLATION";
+    readonly MFA_INVALID_CODE: "MFA_INVALID_CODE";
+    readonly MFA_METHOD_UNAVAILABLE: "MFA_METHOD_UNAVAILABLE";
+    readonly MFA_RATE_LIMITED: "MFA_RATE_LIMITED";
+    readonly MFA_ENROLLMENT_REQUIRED: "MFA_ENROLLMENT_REQUIRED";
+    readonly API_KEY_REQUIRED: "API_KEY_REQUIRED";
+    readonly API_KEY_INVALID: "API_KEY_INVALID";
+    readonly AUTH_REQUIRED: "AUTH_REQUIRED";
+    readonly ALREADY_EXISTS: "ALREADY_EXISTS";
+    readonly FORBIDDEN: "FORBIDDEN";
+    readonly OAUTH_NOT_CONFIGURED: "OAUTH_NOT_CONFIGURED";
+    readonly UPLOAD_ERROR: "UPLOAD_ERROR";
+    readonly EMAIL_SERVICE_UNAVAILABLE: "EMAIL_SERVICE_UNAVAILABLE";
+    readonly INVALID_CODE: "INVALID_CODE";
+    readonly CODE_ALREADY_USED: "CODE_ALREADY_USED";
+    readonly CODE_EXPIRED: "CODE_EXPIRED";
+    readonly CODE_IP_MISMATCH: "CODE_IP_MISMATCH";
+    readonly UNKNOWN_PAYLOAD: "UNKNOWN_PAYLOAD";
+};
+type ErrorCode = (typeof ErrorCodes)[keyof typeof ErrorCodes];
+
+export { ErrorCodes as E, IQAuthError as I, IQ_AUTH_ERROR_CODES as a, type ErrorCode as b, type IQAuthErrorCode as c };

package/dist/{express-CHpfa7D_.d.ts → express-Budysq4h.d.ts}

@@ -1,5 +1,5 @@
-import { I as IQAuthClient } from './client-BNQe3AgF.js';
-import { J as JwtClaims, N as ExpressMiddlewareOptions, Q as IQAuthRequestLike, R as IQAuthResponseLike, V as IQAuthNextFunction } from './types-DZAflmmq.js';
+import { I as IQAuthClient } from './client-DkPL0EPZ.js';
+import { J as JwtClaims, X as ExpressMiddlewareOptions, a as IQAuthRequestLike, b as IQAuthResponseLike, c as IQAuthNextFunction } from './types-Bn8O-OEd.js';
 
 /**
  * SOURCE REFS:

package/dist/{express-B6_1vBYZ.d.mts → express-DDTA3qV1.d.mts}

@@ -1,5 +1,5 @@
-import { I as IQAuthClient } from './client-kYlJFgPv.mjs';
-import { J as JwtClaims, N as ExpressMiddlewareOptions, Q as IQAuthRequestLike, R as IQAuthResponseLike, V as IQAuthNextFunction } from './types-DZAflmmq.mjs';
+import { I as IQAuthClient } from './client-D8L-PaWr.mjs';
+import { J as JwtClaims, X as ExpressMiddlewareOptions, a as IQAuthRequestLike, b as IQAuthResponseLike, c as IQAuthNextFunction } from './types-Bn8O-OEd.mjs';
 
 /**
  * SOURCE REFS:

package/dist/express.d.mts

@@ -1,10 +1,10 @@
-import { I as IQAuthClient } from './client-kYlJFgPv.mjs';
-import { C as CookieAwareMiddlewareOptions } from './express-B6_1vBYZ.mjs';
-export { i as iqAuthMiddleware } from './express-B6_1vBYZ.mjs';
+import { I as IQAuthClient } from './client-D8L-PaWr.mjs';
+import { C as CookieAwareMiddlewareOptions } from './express-DDTA3qV1.mjs';
+export { i as iqAuthMiddleware } from './express-DDTA3qV1.mjs';
 import { IQAuthHelperConfig } from './server/handlers.mjs';
-import { Q as IQAuthRequestLike, R as IQAuthResponseLike, V as IQAuthNextFunction } from './types-DZAflmmq.mjs';
-export { E as ErrorCodes, I as IQAuthError } from './errors-CDdl24MP.mjs';
-import './tokens-DCyzzn8L.mjs';
+import { a as IQAuthRequestLike, b as IQAuthResponseLike, c as IQAuthNextFunction } from './types-Bn8O-OEd.mjs';
+export { E as ErrorCodes, I as IQAuthError } from './errors-Jl1Jtm-6.mjs';
+import './tokens-B06VtvUi.mjs';
 
 /**
  * @iqauth/sdk/express — drop-in Express adapter.
@@ -111,6 +111,7 @@ declare function iqAuth(options: IQAuthExpressOptions): {
     middleware: (req: IQAuthRequestLike, res: IQAuthResponseLike, next: IQAuthNextFunction) => void | Promise<void>;
     attachHelpers: (app: ExpressLikeApp | ExpressLikeRouter) => void;
     client: IQAuthClient;
+    prewarm: () => Promise<void>;
 };
 
 export { CookieAwareMiddlewareOptions, type IQAuthExpressOptions, type InlineCallbackBrandedConfig, type InlineCallbackBrandedRenderArgs, type InlineCallbackConfig, iqAuth };

package/dist/express.d.ts

@@ -1,10 +1,10 @@
-import { I as IQAuthClient } from './client-BNQe3AgF.js';
-import { C as CookieAwareMiddlewareOptions } from './express-CHpfa7D_.js';
-export { i as iqAuthMiddleware } from './express-CHpfa7D_.js';
+import { I as IQAuthClient } from './client-DkPL0EPZ.js';
+import { C as CookieAwareMiddlewareOptions } from './express-Budysq4h.js';
+export { i as iqAuthMiddleware } from './express-Budysq4h.js';
 import { IQAuthHelperConfig } from './server/handlers.js';
-import { Q as IQAuthRequestLike, R as IQAuthResponseLike, V as IQAuthNextFunction } from './types-DZAflmmq.js';
-export { E as ErrorCodes, I as IQAuthError } from './errors-CDdl24MP.js';
-import './tokens-aHiGFr_E.js';
+import { a as IQAuthRequestLike, b as IQAuthResponseLike, c as IQAuthNextFunction } from './types-Bn8O-OEd.js';
+export { E as ErrorCodes, I as IQAuthError } from './errors-Jl1Jtm-6.js';
+import './tokens-9F6ETrzk.js';
 
 /**
  * @iqauth/sdk/express — drop-in Express adapter.
@@ -111,6 +111,7 @@ declare function iqAuth(options: IQAuthExpressOptions): {
     middleware: (req: IQAuthRequestLike, res: IQAuthResponseLike, next: IQAuthNextFunction) => void | Promise<void>;
     attachHelpers: (app: ExpressLikeApp | ExpressLikeRouter) => void;
     client: IQAuthClient;
+    prewarm: () => Promise<void>;
 };
 
 export { CookieAwareMiddlewareOptions, type IQAuthExpressOptions, type InlineCallbackBrandedConfig, type InlineCallbackBrandedRenderArgs, type InlineCallbackConfig, iqAuth };