@iqauth/sdk 2.7.0 → 2.8.1

package/dist/server.js

@@ -35,6 +35,7 @@ __export(server_exports, {
   ErrorCodes: () => ErrorCodes,
   IQAuthClient: () => IQAuthClient,
   IQAuthError: () => IQAuthError,
+  ProvisioningError: () => ProvisioningError,
   ServerIQAuthClient: () => ServerIQAuthClient,
   buildUserinfoResponse: () => buildUserinfoResponse,
   createDrizzleLinkAdapter: () => createDrizzleLinkAdapter,
@@ -347,17 +348,27 @@ function parseLoginResponse(data, browserSessionMode) {
       tenants: data.tenants
     };
   }
+  if (data.type === "scope_selection" && data.scopeSelectionToken && data.scopes && data.tenantId) {
+    return {
+      status: "scope_selection",
+      scopeSelectionToken: data.scopeSelectionToken,
+      tenantId: data.tenantId,
+      scopes: data.scopes
+    };
+  }
   throw new Error("Unexpected login response shape");
 }
 var AuthModule = class {
   constructor(http) {
     this.http = http;
   }
-  async login(email, password) {
+  async login(email, password, opts) {
+    const body = { email, password };
+    if (opts?.scopeHint) body.scopeHint = opts.scopeHint;
     const data = await this.http.request(
       "POST",
       "/api/v1/auth/login",
-      { email, password },
+      body,
       { skipAutoRefresh: true }
     );
     return parseLoginResponse(data, this.http.isBrowserSession());
@@ -395,13 +406,29 @@ var AuthModule = class {
       method
     }, { skipAutoRefresh: true });
   }
-  async selectTenant(tenantSelectionToken, tenantId) {
+  async selectTenant(tenantSelectionToken, tenantId, opts) {
+    const body = { tenantSelectionToken, tenantId };
+    if (opts?.scopeHint) body.scopeHint = opts.scopeHint;
     const data = await this.http.request(
       "POST",
       "/api/v1/auth/select-tenant",
+      body,
+      { skipAutoRefresh: true }
+    );
+    return parseLoginResponse(data, this.http.isBrowserSession());
+  }
+  /**
+   * Task #171 — redeem a scope-selection token + chosen membership for a
+   * real authenticated session. `membershipId` must be one of the scopes
+   * returned in the prior `scope_selection` envelope.
+   */
+  async selectScope(scopeSelectionToken, membershipId) {
+    const data = await this.http.request(
+      "POST",
+      "/api/v1/auth/select-scope",
       {
-        tenantSelectionToken,
-        tenantId
+        scopeSelectionToken,
+        membershipId
       },
       { skipAutoRefresh: true }
     );
@@ -2240,7 +2267,11 @@ async function buildUserinfoResponse(claims, opts = {}) {
     tenantId: claims.tenantId,
     vendorId: claims.vendorId,
     roles: claims.roles ?? [],
-    entitlements: claims.entitlements ?? []
+    entitlements: claims.entitlements ?? [],
+    // Task #171 — project the active source/client scope onto the userinfo
+    // payload so server handlers (`getSessionUser`, `/api/iqauth/userinfo`)
+    // expose it without consumers having to re-decode the JWT.
+    ...claims.scopeContext !== void 0 ? { scopeContext: claims.scopeContext } : {}
   };
   const enriched = opts.enrich ? await opts.enrich(claims) : null;
   const user = enriched ? { ...baseUser, ...enriched } : baseUser;
@@ -2285,19 +2316,62 @@ function shouldClearCookiesOnFailure(policy, status, errorCode) {
 }
 var ACCESS_TOKEN_TTL_SECONDS = 60 * 15;
 var REFRESH_TOKEN_TTL_SECONDS = 60 * 60 * 24 * 30;
+function assertCookiePrefixInvariants(name, secure, path, domain) {
+  if (name.startsWith("__Host-")) {
+    if (!secure) {
+      throw new IQAuthError(
+        "config_invalid",
+        `Cookie "${name}" uses the __Host- prefix, which browsers only accept on a Secure cookie. Set secure:true (and serve over HTTPS).`
+      );
+    }
+    if (path !== "/") {
+      throw new IQAuthError(
+        "config_invalid",
+        `Cookie "${name}" uses the __Host- prefix, which requires Path=/ (got "${path}"). Remove cookiePath or set it to "/".`
+      );
+    }
+    if (domain) {
+      throw new IQAuthError(
+        "config_invalid",
+        `Cookie "${name}" uses the __Host- prefix, which forbids a Domain attribute (the cookie is host-locked). Remove cookieDomain.`
+      );
+    }
+  } else if (name.startsWith("__Secure-") && !secure) {
+    throw new IQAuthError(
+      "config_invalid",
+      `Cookie "${name}" uses the __Secure- prefix, which browsers only accept on a Secure cookie. Set secure:true (and serve over HTTPS).`
+    );
+  }
+}
 function resolve(config) {
   const parsed = assertPublishableKey(config.publishableKey, { context: "@iqauth/sdk helpers" });
   const inferredIssuer = parsed.iss.startsWith("http") ? parsed.iss : `https://${parsed.iss}`;
+  maybeWarnDefaultSignoutRegistry(config);
+  const secure = config.secure ?? true;
+  if (config.secure === false && config.allowInsecureCookies !== true) {
+    throw new IQAuthError(
+      "config_invalid",
+      "Refusing to issue auth cookies with secure:false \u2014 this exposes session cookies over plaintext HTTP. For local HTTP development, set allowInsecureCookies:true to acknowledge the risk. Production MUST use HTTPS with secure cookies."
+    );
+  }
+  const accessCookieName = config.accessCookieName ?? config.cookieNames?.access ?? "iqauth_at";
+  const refreshCookieName = config.refreshCookieName ?? config.cookieNames?.refresh ?? "iqauth_rt";
+  const stateCookieName = config.stateCookieName ?? "iqauth_state";
+  const cookiePath = config.cookiePath ?? "/";
+  const cookieDomain = config.cookieDomain;
+  for (const name of [accessCookieName, refreshCookieName, stateCookieName]) {
+    assertCookiePrefixInvariants(name, secure, cookiePath, cookieDomain);
+  }
   return {
     publishableKey: config.publishableKey,
     secretKey: config.secretKey,
     issuer: (config.issuer ?? inferredIssuer).replace(/\/+$/, ""),
-    accessCookieName: config.accessCookieName ?? config.cookieNames?.access ?? "iqauth_at",
-    refreshCookieName: config.refreshCookieName ?? config.cookieNames?.refresh ?? "iqauth_rt",
-    cookieDomain: config.cookieDomain,
+    accessCookieName,
+    refreshCookieName,
+    cookieDomain,
     sameSite: config.sameSite ?? "lax",
-    secure: config.secure ?? true,
-    cookiePath: config.cookiePath ?? "/",
+    secure,
+    cookiePath,
     tokenPath: config.tokenPath ?? "/oidc/token",
     refreshPath: config.refreshPath ?? "/api/v1/auth/refresh",
     logoutPath: config.logoutPath ?? "/api/v1/auth/logout",
@@ -2310,9 +2384,19 @@ function resolve(config) {
     debug: config.debug,
     onTimingEvent: config.onTimingEvent,
     signoutRegistry: config.signoutRegistry ?? defaultSignoutRegistry,
-    signoutMarkerTtlMs: config.signoutMarkerTtlMs ?? DEFAULT_SIGNOUT_TTL_MS
+    signoutMarkerTtlMs: config.signoutMarkerTtlMs ?? DEFAULT_SIGNOUT_TTL_MS,
+    requireOAuthState: config.requireOAuthState ?? true,
+    stateCookieName: config.stateCookieName ?? "iqauth_state"
   };
 }
+function timingSafeEqualStr(a, b) {
+  const len = Math.max(a.length, b.length);
+  let diff = a.length ^ b.length;
+  for (let i = 0; i < len; i++) {
+    diff |= (a.charCodeAt(i) || 0) ^ (b.charCodeAt(i) || 0);
+  }
+  return diff === 0;
+}
 function makeCookie(cfg, name, value, maxAge, httpOnly = true) {
   return {
     name,
@@ -2331,6 +2415,9 @@ function clearCookies(cfg) {
     { ...makeCookie(cfg, cfg.refreshCookieName, "", 0), clear: true }
   ];
 }
+function clearStateCookie(cfg) {
+  return { ...makeCookie(cfg, cfg.stateCookieName, "", 0, false), clear: true };
+}
 var DEFAULT_SIGNOUT_TTL_MS = 6e4;
 var inMemorySignoutMarkers = /* @__PURE__ */ new Map();
 function pruneInMemoryMarkers(now) {
@@ -2356,6 +2443,15 @@ var defaultSignoutRegistry = {
     return true;
   }
 };
+var warnedDefaultSignoutRegistry = false;
+function maybeWarnDefaultSignoutRegistry(config) {
+  if (warnedDefaultSignoutRegistry) return;
+  if (config.signoutRegistry) return;
+  warnedDefaultSignoutRegistry = true;
+  console.warn(
+    "[IQAuth] Using the in-memory signout registry (process-local). Signout idempotency is NOT shared across instances \u2014 in a multi-replica deployment a /refresh racing a /signout on another replica can reissue cookies after sign-out. Plug a shared backend (e.g. Redis) into IQAuthHelperConfig.signoutRegistry to fix this and silence this warning."
+  );
+}
 function serializeCookie(d) {
   const parts = [`${d.name}=${encodeURIComponent(d.value)}`];
   parts.push(`Path=${d.path}`);
@@ -2378,6 +2474,23 @@ async function handleCallback(config, input) {
       cookies: []
     };
   }
+  const provided = input.state;
+  const expected = input.expectedState;
+  const stateOk = cfg.requireOAuthState ? !!expected && !!provided && timingSafeEqualStr(provided, expected) : !expected || !!provided && timingSafeEqualStr(provided, expected);
+  if (!stateOk) {
+    emitTiming(cfg, { phase: "callback", durationMs: Date.now() - t0, ok: false, code: "STATE_MISMATCH" });
+    return {
+      status: 400,
+      body: {
+        success: false,
+        error: {
+          code: "STATE_MISMATCH",
+          message: "OAuth state validation failed; the sign-in could not be verified as originating from this browser."
+        }
+      },
+      cookies: [clearStateCookie(cfg)]
+    };
+  }
   if (!cfg.secretKey) {
     emitTiming(cfg, { phase: "callback", durationMs: Date.now() - t0, ok: false, code: "INTERNAL_ERROR" });
     return {
@@ -2416,6 +2529,26 @@ async function handleCallback(config, input) {
       cookies: []
     };
   }
+  try {
+    await getTokensFor(cfg.issuer).verify(json.access_token, {
+      issuer: cfg.issuer,
+      ...config.verify
+    });
+  } catch (err) {
+    const code = err instanceof IQAuthError ? err.code : err.code || "TOKEN_INVALID";
+    emitTiming(cfg, { phase: "callback", durationMs: Date.now() - t0, ok: false, code });
+    return {
+      status: 502,
+      body: {
+        success: false,
+        error: {
+          code: "ACCESS_TOKEN_VERIFICATION_FAILED",
+          message: "The issuer returned an access token that failed verification; no session was established."
+        }
+      },
+      cookies: []
+    };
+  }
   const cookies = [];
   cookies.push(
     makeCookie(cfg, cfg.accessCookieName, json.access_token, json.expires_in ?? ACCESS_TOKEN_TTL_SECONDS)
@@ -2423,6 +2556,7 @@ async function handleCallback(config, input) {
   if (json.refresh_token) {
     cookies.push(makeCookie(cfg, cfg.refreshCookieName, json.refresh_token, REFRESH_TOKEN_TTL_SECONDS));
   }
+  cookies.push(clearStateCookie(cfg));
   emitTiming(cfg, { phase: "callback", durationMs: Date.now() - t0, ok: true });
   return {
     status: 200,
@@ -2544,7 +2678,10 @@ async function handleUserinfo(config, input) {
   }
   let claims;
   try {
-    claims = await getTokensFor(cfg.issuer).verify(input.accessToken, config.verify);
+    claims = await getTokensFor(cfg.issuer).verify(input.accessToken, {
+      issuer: cfg.issuer,
+      ...config.verify
+    });
   } catch (err) {
     const code = err instanceof IQAuthError ? err.code : err.code || "TOKEN_INVALID";
     const message = err instanceof Error ? err.message : "Access token verification failed";
@@ -2565,6 +2702,13 @@ async function handleUserinfo(config, input) {
 }
 
 // src/server/provisioningBridge.ts
+var ProvisioningError = class extends Error {
+  constructor(code, message) {
+    super(message);
+    this.name = "ProvisioningError";
+    this.code = code;
+  }
+};
 function defaultIsUniqueViolation(err) {
   if (!err || typeof err !== "object") return false;
   const e = err;
@@ -2576,6 +2720,16 @@ function defaultIsUniqueViolation(err) {
 function createProvisioningBridge(options) {
   const { storage } = options;
   const isUniqueViolation = options.isUniqueViolation ?? defaultIsUniqueViolation;
+  const allowUnverifiedEmailAdopt = options.allowUnverifiedEmailAdopt === true;
+  const emailVerified = (claims) => claims.email_verified === true;
+  const assertAdoptAllowed = (claims) => {
+    if (!allowUnverifiedEmailAdopt && !emailVerified(claims)) {
+      throw new ProvisioningError(
+        "UNVERIFIED_EMAIL_ADOPT_REFUSED",
+        "Refusing to adopt a pre-existing local account from an unverified email (claims.email_verified !== true). Set allowUnverifiedEmailAdopt:true only if your issuer is trusted to never emit unverified emails for adoption."
+      );
+    }
+  };
   const roleOf = (claims) => {
     try {
       return options.roleMapper?.(claims) ?? null;
@@ -2592,6 +2746,7 @@ function createProvisioningBridge(options) {
     if (claims.email) {
       const byEmail = await storage.findByEmail(claims.email);
       if (byEmail) {
+        assertAdoptAllowed(claims);
         if (storage.adoptByEmail) {
           const adopted = await storage.adoptByEmail(byEmail, claims, roleOf(claims));
           return { user: adopted, claims, created: false, adopted: true };
@@ -2607,7 +2762,10 @@ function createProvisioningBridge(options) {
       if (after) return { user: after, claims, created: false, adopted: false };
       if (claims.email) {
         const byEmail = await storage.findByEmail(claims.email);
-        if (byEmail) return { user: byEmail, claims, created: false, adopted: true };
+        if (byEmail) {
+          assertAdoptAllowed(claims);
+          return { user: byEmail, claims, created: false, adopted: true };
+        }
       }
       throw err;
     }
@@ -2639,6 +2797,9 @@ async function linkLocalUserToIqAuthSub(options) {
       if (row.iqauthSub === claims.sub) {
         return { status: "already_linked", userId: row.id };
       }
+      if (claims.email_verified !== true && options.allowUnverifiedEmail !== true) {
+        return { status: "conflict", userId: row.id, reason: "unverified_email" };
+      }
       const wrote = await tx.setIqAuthSub(row.id, claims.sub);
       if (wrote === false) {
         return { status: "conflict", userId: row.id, reason: "different_sub" };
@@ -2710,6 +2871,7 @@ function createServerClient(config) {
   ErrorCodes,
   IQAuthClient,
   IQAuthError,
+  ProvisioningError,
   ServerIQAuthClient,
   buildUserinfoResponse,
   createDrizzleLinkAdapter,

package/dist/server.mjs

@@ -1,11 +1,12 @@
 import {
+  ProvisioningError,
   createProvisioningBridge
-} from "./chunk-SL3KRS4W.mjs";
+} from "./chunk-CIJORODR.mjs";
 import {
   DEFAULT_ACCESS_COOKIE,
   DEFAULT_REFRESH_COOKIE,
   iqAuthMiddleware
-} from "./chunk-YVALAG3B.mjs";
+} from "./chunk-25SSYDIP.mjs";
 import {
   buildUserinfoResponse,
   handleCallback,
@@ -13,11 +14,11 @@ import {
   handleSignout,
   handleUserinfo,
   serializeCookie
-} from "./chunk-RUJXRTEW.mjs";
+} from "./chunk-WSH4SW7F.mjs";
 import "./chunk-HVHNYPDC.mjs";
 import {
   IQAuthClient
-} from "./chunk-JXQI62A7.mjs";
+} from "./chunk-ZLJPABB7.mjs";
 import "./chunk-NUO2I65G.mjs";
 import {
   ErrorCodes,
@@ -49,6 +50,9 @@ async function linkLocalUserToIqAuthSub(options) {
       if (row.iqauthSub === claims.sub) {
         return { status: "already_linked", userId: row.id };
       }
+      if (claims.email_verified !== true && options.allowUnverifiedEmail !== true) {
+        return { status: "conflict", userId: row.id, reason: "unverified_email" };
+      }
       const wrote = await tx.setIqAuthSub(row.id, claims.sub);
       if (wrote === false) {
         return { status: "conflict", userId: row.id, reason: "different_sub" };
@@ -119,6 +123,7 @@ export {
   ErrorCodes,
   IQAuthClient,
   IQAuthError,
+  ProvisioningError,
   ServerIQAuthClient,
   buildUserinfoResponse,
   createDrizzleLinkAdapter,

package/dist/service.d.mts

@@ -1,7 +1,7 @@
-import { I as IQAuthClient } from './client-BGFnBpfc.mjs';
-import { f as IQAuthTokenClientConfig } from './types-XOV9XPVi.mjs';
+import { I as IQAuthClient } from './client-D8L-PaWr.mjs';
+import { f as IQAuthTokenClientConfig } from './types-Bn8O-OEd.mjs';
 export { E as ErrorCodes, I as IQAuthError } from './errors-Jl1Jtm-6.mjs';
-import './tokens-CITeoG6P.mjs';
+import './tokens-B06VtvUi.mjs';
 
 declare class ServiceIQAuthClient extends IQAuthClient {
     constructor(config: IQAuthTokenClientConfig);

package/dist/service.d.ts

@@ -1,7 +1,7 @@
-import { I as IQAuthClient } from './client-CDQ21LvW.js';
-import { f as IQAuthTokenClientConfig } from './types-XOV9XPVi.js';
+import { I as IQAuthClient } from './client-DkPL0EPZ.js';
+import { f as IQAuthTokenClientConfig } from './types-Bn8O-OEd.js';
 export { E as ErrorCodes, I as IQAuthError } from './errors-Jl1Jtm-6.js';
-import './tokens-Bqhmqq_R.js';
+import './tokens-9F6ETrzk.js';
 
 declare class ServiceIQAuthClient extends IQAuthClient {
     constructor(config: IQAuthTokenClientConfig);

package/dist/service.js

@@ -335,17 +335,27 @@ function parseLoginResponse(data, browserSessionMode) {
       tenants: data.tenants
     };
   }
+  if (data.type === "scope_selection" && data.scopeSelectionToken && data.scopes && data.tenantId) {
+    return {
+      status: "scope_selection",
+      scopeSelectionToken: data.scopeSelectionToken,
+      tenantId: data.tenantId,
+      scopes: data.scopes
+    };
+  }
   throw new Error("Unexpected login response shape");
 }
 var AuthModule = class {
   constructor(http) {
     this.http = http;
   }
-  async login(email, password) {
+  async login(email, password, opts) {
+    const body = { email, password };
+    if (opts?.scopeHint) body.scopeHint = opts.scopeHint;
     const data = await this.http.request(
       "POST",
       "/api/v1/auth/login",
-      { email, password },
+      body,
       { skipAutoRefresh: true }
     );
     return parseLoginResponse(data, this.http.isBrowserSession());
@@ -383,13 +393,29 @@ var AuthModule = class {
       method
     }, { skipAutoRefresh: true });
   }
-  async selectTenant(tenantSelectionToken, tenantId) {
+  async selectTenant(tenantSelectionToken, tenantId, opts) {
+    const body = { tenantSelectionToken, tenantId };
+    if (opts?.scopeHint) body.scopeHint = opts.scopeHint;
     const data = await this.http.request(
       "POST",
       "/api/v1/auth/select-tenant",
+      body,
+      { skipAutoRefresh: true }
+    );
+    return parseLoginResponse(data, this.http.isBrowserSession());
+  }
+  /**
+   * Task #171 — redeem a scope-selection token + chosen membership for a
+   * real authenticated session. `membershipId` must be one of the scopes
+   * returned in the prior `scope_selection` envelope.
+   */
+  async selectScope(scopeSelectionToken, membershipId) {
+    const data = await this.http.request(
+      "POST",
+      "/api/v1/auth/select-scope",
       {
-        tenantSelectionToken,
-        tenantId
+        scopeSelectionToken,
+        membershipId
       },
       { skipAutoRefresh: true }
     );

package/dist/service.mjs

@@ -1,6 +1,6 @@
 import {
   IQAuthClient
-} from "./chunk-JXQI62A7.mjs";
+} from "./chunk-ZLJPABB7.mjs";
 import "./chunk-NUO2I65G.mjs";
 import {
   ErrorCodes,

package/dist/{signIn-T-CZ6t6r.d.mts → signIn-CReqfXsh.d.mts}

@@ -1,5 +1,5 @@
 import { c as ParsedPublishableKey } from './publishableKey-f2kq-rKw.mjs';
-import { J as JwtClaims, S as SessionUser } from './types-XOV9XPVi.mjs';
+import { J as JwtClaims, S as SessionUser } from './types-Bn8O-OEd.mjs';
 
 /**
  * SessionManager — core browser-side session state.
@@ -253,6 +253,23 @@ declare class SessionManager {
      * session and notify subscribers and other tabs.
      */
     applyAccessToken(accessToken: string, refreshToken?: string): void;
+    /**
+     * Task #197 — Adopt an access token that the server has already minted
+     * for us (e.g. from `POST /api/v1/auth/switch-scope`) without contacting
+     * the issuer. Swaps the in-memory token, re-decodes claims, bumps
+     * `version`, schedules proactive refresh, and broadcasts a
+     * `session:update` to peer tabs.
+     *
+     * This is the safe path for any server endpoint that returns a fresh
+     * access token in its JSON body: we want the new claims (scope, roles,
+     * etc.) to take effect immediately, even if the refresh-cookie round-trip
+     * would have failed (network blip, rate limit, signout race). When the
+     * server also rotated the refresh token, pass it via
+     * `opts.refreshToken` so the cookie stays aligned.
+     */
+    adoptAccessToken(accessToken: string, opts?: {
+        refreshToken?: string;
+    }): void;
     /**
      * Returns a valid access token, refreshing once if it is expired or about
      * to expire. Resolves to `null` if the session can no longer be revived.

package/dist/{signIn-BLFnz8SV.d.ts → signIn-Cfa1GTpO.d.ts}

@@ -1,5 +1,5 @@
 import { c as ParsedPublishableKey } from './publishableKey-f2kq-rKw.js';
-import { J as JwtClaims, S as SessionUser } from './types-XOV9XPVi.js';
+import { J as JwtClaims, S as SessionUser } from './types-Bn8O-OEd.js';
 
 /**
  * SessionManager — core browser-side session state.
@@ -253,6 +253,23 @@ declare class SessionManager {
      * session and notify subscribers and other tabs.
      */
     applyAccessToken(accessToken: string, refreshToken?: string): void;
+    /**
+     * Task #197 — Adopt an access token that the server has already minted
+     * for us (e.g. from `POST /api/v1/auth/switch-scope`) without contacting
+     * the issuer. Swaps the in-memory token, re-decodes claims, bumps
+     * `version`, schedules proactive refresh, and broadcasts a
+     * `session:update` to peer tabs.
+     *
+     * This is the safe path for any server endpoint that returns a fresh
+     * access token in its JSON body: we want the new claims (scope, roles,
+     * etc.) to take effect immediately, even if the refresh-cookie round-trip
+     * would have failed (network blip, rate limit, signout race). When the
+     * server also rotated the refresh token, pass it via
+     * `opts.refreshToken` so the cookie stays aligned.
+     */
+    adoptAccessToken(accessToken: string, opts?: {
+        refreshToken?: string;
+    }): void;
     /**
      * Returns a valid access token, refreshing once if it is expired or about
      * to expire. Resolves to `null` if the session can no longer be revived.

package/dist/{tokens-Bqhmqq_R.d.ts → tokens-9F6ETrzk.d.ts}

@@ -1,4 +1,4 @@
-import { h as IQAuthClaims, J as JwtClaims } from './types-XOV9XPVi.js';
+import { h as IQAuthClaims, J as JwtClaims } from './types-Bn8O-OEd.js';
 
 /**
  * SOURCE REFS:

package/dist/{tokens-CITeoG6P.d.mts → tokens-B06VtvUi.d.mts}

@@ -1,4 +1,4 @@
-import { h as IQAuthClaims, J as JwtClaims } from './types-XOV9XPVi.mjs';
+import { h as IQAuthClaims, J as JwtClaims } from './types-Bn8O-OEd.mjs';
 
 /**
  * SOURCE REFS:

package/dist/{types-XOV9XPVi.d.mts → types-Bn8O-OEd.d.mts}

@@ -176,6 +176,14 @@ interface SessionUser {
     givenName?: string;
     familyName?: string;
     locale?: string;
+    /**
+     * Task #171 — When the active session was minted under a source/client
+     * scope (either via a scope_hint, single-resolved scope, or post-pick),
+     * the access token carries a `scopeContext` claim and we project it here
+     * so SDK consumers (`useUser()`, framework adapters) can read the active
+     * scope without re-parsing the JWT. Absent for tenant-wide sessions.
+     */
+    scopeContext?: ScopeContext;
 }
 interface Tenant {
     tenantId: string;
@@ -201,6 +209,24 @@ interface SessionAuthenticatedLoginResult {
     authMode: "session";
     user: SessionUser;
 }
+/**
+ * Task #171 — A user can have multiple source/client scoped memberships in
+ * the same tenant with no tenant-wide role. When login resolves to that
+ * state the backend returns a short-lived `scopeSelectionToken` plus the
+ * list of choices; the caller redeems it via `AuthModule.selectScope`.
+ */
+interface ScopeChoice {
+    membershipId: string;
+    scopeType: "vendor" | "source" | "client";
+    scopeId: string;
+    scopeName: string;
+    roleName: string;
+}
+/** Task #171 — Optional hint forwarded with login / select-tenant / OIDC. */
+interface ScopeHint {
+    type: "vendor" | "source" | "client";
+    id: string;
+}
 type LoginResult = TokenAuthenticatedLoginResult | SessionAuthenticatedLoginResult | {
     status: "mfa_required";
     mfaChallengeToken: string;
@@ -209,6 +235,11 @@ type LoginResult = TokenAuthenticatedLoginResult | SessionAuthenticatedLoginResu
     status: "tenant_selection";
     tenantSelectionToken: string;
     tenants: Tenant[];
+} | {
+    status: "scope_selection";
+    scopeSelectionToken: string;
+    tenantId: string;
+    scopes: ScopeChoice[];
 };
 interface Session {
     id: string;
@@ -718,13 +749,46 @@ interface Invitation {
     invitedBy: string;
     expiresAt?: string;
     createdAt?: string;
+    /** Scope the invite grants into ("tenant" | "vendor" | "source" | "client"). */
+    scopeType?: string | null;
+    /** Scope target id (paired with `scopeType`). */
+    scopeId?: string | null;
+    /** OIDC client bound for post-accept auto-redirect (paired with `redirectUri`). */
+    clientId?: string | null;
+    /** Registered redirect URI the new invitee is sent to after account creation. */
+    redirectUri?: string | null;
+    /** Display name pre-filled on the hosted accept page. */
+    inviteeName?: string | null;
 }
 interface CreateInviteRequest {
     email: string;
-    tenantId: string;
+    /**
+     * Target tenant. Optional for service (API-key) callers — the backend
+     * derives the tenant from the key and rejects a mismatching value. Platform
+     * admins may target any tenant.
+     */
+    tenantId?: string;
     vendorId?: string;
     role: string;
     products?: string[];
+    /** Scope to grant into. Must match the backend's accepted values. */
+    scopeType?: "tenant" | "vendor" | "source" | "client";
+    /** Scope target id (paired with `scopeType`). */
+    scopeId?: string;
+    /**
+     * Opt-in auto-redirect after the invitee creates their account. `clientId`
+     * and `redirectUri` are all-or-nothing — pass both or neither. The backend
+     * validates that `clientId` is an active OIDC client in the invite's tenant
+     * and that `redirectUri` is in that client's registered allowlist, then mints
+     * an OIDC authorization code and 302s the brand-new invitee to
+     * `${redirectUri}?code=…&state=…`. Point this at your app's
+     * `/api/iqauth/callback` so the framework adapter signs the user in on first
+     * paint. Existing-user accepts do NOT auto-redirect (see the integration guide).
+     */
+    clientId?: string;
+    redirectUri?: string;
+    /** Optional display name to pre-fill on the hosted accept page. Never used for auth. */
+    inviteeName?: string;
 }
 interface InviteValidation {
     valid: boolean;
@@ -992,4 +1056,4 @@ interface BackupCodeCountResult {
     remainingBackupCodes: number;
 }
 
-export type { AppManifest as $, ApiSuccessResponse as A, BrandingConfig as B, CreateTenantRequest as C, ApiErrorResponse as D, ApiResponse as E, MfaMethod as F, MfaEnrollment as G, TotpEnrollmentResult as H, IQAuthBrowserSessionClientConfig as I, JwtClaims as J, MfaVerifyResult as K, LoginResult as L, MigrateUserRequest as M, PasswordPolicy as N, OidcDiscovery as O, PromoteToVendorRequest as P, MfaPolicy as Q, UserPermissions as R, SessionUser as S, TokenPair as T, UserProfile as U, ProvisionUserRequest as V, ProvisionUserResponse as W, ExpressMiddlewareOptions as X, IQAuthRetryConfig as Y, IQAuthVerifyConfig as Z, PermissionNodeManifest as _, IQAuthRequestLike as a, BackupCodesResult as a$, AppInfo as a0, PermissionNodeInfo as a1, AppSyncResult as a2, Role as a3, CreateRoleRequest as a4, UpdateRoleRequest as a5, AssignRoleRequest as a6, UserRoleAssignment as a7, UserGroupAssignment as a8, TenantUser as a9, Source as aA, CreateSourceRequest as aB, UpdateSourceRequest as aC, Client as aD, CreateClientRequest as aE, UpdateClientRequest as aF, HierarchyVendor as aG, HierarchySource as aH, HierarchyClient as aI, HierarchyLink as aJ, Membership as aK, CreateMembershipRequest as aL, UpdateMembershipRequest as aM, MembershipWithDetails as aN, AvailableScopesTree as aO, ScopeTreeClient as aP, ScopeTreeSource as aQ, ScopeTreeVendor as aR, ScopeSwitchResult as aS, GdprExportData as aT, PinStatus as aU, PinLoginResult as aV, MfaAvailableMethods as aW, TotpEnrollResult as aX, TotpVerifyResult as aY, SmsEnrollResult as aZ, EmailEnrollResult as a_, PermissionGroup as aa, GroupPermission as ab, AddGroupPermissionRequest as ac, InheritanceRelation as ad, UserPermissionOverride as ae, AddUserOverrideRequest as af, EffectivePermission as ag, PermissionCheckResult as ah, ApiKeyInfo as ai, CreateApiKeyRequest as aj, CreateApiKeyResult as ak, ApiKeyIntrospection as al, Invitation as am, CreateInviteRequest as an, InviteValidation as ao, AcceptInviteRequest as ap, WebhookEndpoint as aq, CreateWebhookRequest as ar, CreateWebhookResult as as, WebhookDelivery as at, WebhookTestResult as au, Entitlement as av, GrantEntitlementRequest as aw, Vendor as ax, CreateVendorRequest as ay, UpdateVendorRequest as az, IQAuthResponseLike as b, BackupCodeCountResult as b0, SignupRequest as b1, HostedClientContext as b2, IQAuthNextFunction as c, IQAuthEnvironment as d, IQAuthClientConfig as e, IQAuthTokenClientConfig as f, ScopeContext as g, IQAuthClaims as h, IQAuthBaseClaims as i, Tenant as j, TokenAuthenticatedLoginResult as k, SessionAuthenticatedLoginResult as l, Session as m, TenantInfo as n, UpdateTenantRequest as o, PromoteToVendorResult as p, InviteTenantUserRequest as q, InviteTenantUserResult as r, TenantUserRoleUpdate as s, UpdateBrandingRequest as t, BrandingAsset as u, UploadAssetRequest as v, BrandingDomainMapping as w, JwksKey as x, JwksResponse as y, OidcTokenResponse as z };
+export type { AppManifest as $, ApiSuccessResponse as A, BrandingConfig as B, CreateTenantRequest as C, ApiErrorResponse as D, ApiResponse as E, MfaMethod as F, MfaEnrollment as G, TotpEnrollmentResult as H, IQAuthBrowserSessionClientConfig as I, JwtClaims as J, MfaVerifyResult as K, LoginResult as L, MigrateUserRequest as M, PasswordPolicy as N, OidcDiscovery as O, PromoteToVendorRequest as P, MfaPolicy as Q, UserPermissions as R, SessionUser as S, TokenPair as T, UserProfile as U, ProvisionUserRequest as V, ProvisionUserResponse as W, ExpressMiddlewareOptions as X, IQAuthRetryConfig as Y, IQAuthVerifyConfig as Z, PermissionNodeManifest as _, IQAuthRequestLike as a, BackupCodesResult as a$, AppInfo as a0, PermissionNodeInfo as a1, AppSyncResult as a2, Role as a3, CreateRoleRequest as a4, UpdateRoleRequest as a5, AssignRoleRequest as a6, UserRoleAssignment as a7, UserGroupAssignment as a8, TenantUser as a9, Source as aA, CreateSourceRequest as aB, UpdateSourceRequest as aC, Client as aD, CreateClientRequest as aE, UpdateClientRequest as aF, HierarchyVendor as aG, HierarchySource as aH, HierarchyClient as aI, HierarchyLink as aJ, Membership as aK, CreateMembershipRequest as aL, UpdateMembershipRequest as aM, MembershipWithDetails as aN, AvailableScopesTree as aO, ScopeTreeClient as aP, ScopeTreeSource as aQ, ScopeTreeVendor as aR, ScopeSwitchResult as aS, GdprExportData as aT, PinStatus as aU, PinLoginResult as aV, MfaAvailableMethods as aW, TotpEnrollResult as aX, TotpVerifyResult as aY, SmsEnrollResult as aZ, EmailEnrollResult as a_, PermissionGroup as aa, GroupPermission as ab, AddGroupPermissionRequest as ac, InheritanceRelation as ad, UserPermissionOverride as ae, AddUserOverrideRequest as af, EffectivePermission as ag, PermissionCheckResult as ah, ApiKeyInfo as ai, CreateApiKeyRequest as aj, CreateApiKeyResult as ak, ApiKeyIntrospection as al, Invitation as am, CreateInviteRequest as an, InviteValidation as ao, AcceptInviteRequest as ap, WebhookEndpoint as aq, CreateWebhookRequest as ar, CreateWebhookResult as as, WebhookDelivery as at, WebhookTestResult as au, Entitlement as av, GrantEntitlementRequest as aw, Vendor as ax, CreateVendorRequest as ay, UpdateVendorRequest as az, IQAuthResponseLike as b, BackupCodeCountResult as b0, ScopeHint as b1, SignupRequest as b2, HostedClientContext as b3, IQAuthNextFunction as c, IQAuthEnvironment as d, IQAuthClientConfig as e, IQAuthTokenClientConfig as f, ScopeContext as g, IQAuthClaims as h, IQAuthBaseClaims as i, Tenant as j, TokenAuthenticatedLoginResult as k, SessionAuthenticatedLoginResult as l, Session as m, TenantInfo as n, UpdateTenantRequest as o, PromoteToVendorResult as p, InviteTenantUserRequest as q, InviteTenantUserResult as r, TenantUserRoleUpdate as s, UpdateBrandingRequest as t, BrandingAsset as u, UploadAssetRequest as v, BrandingDomainMapping as w, JwksKey as x, JwksResponse as y, OidcTokenResponse as z };