@iqauth/sdk 2.7.0 → 2.8.1

package/dist/{chunk-RUJXRTEW.mjs → chunk-WSH4SW7F.mjs}

@@ -17,7 +17,11 @@ async function buildUserinfoResponse(claims, opts = {}) {
     tenantId: claims.tenantId,
     vendorId: claims.vendorId,
     roles: claims.roles ?? [],
-    entitlements: claims.entitlements ?? []
+    entitlements: claims.entitlements ?? [],
+    // Task #171 — project the active source/client scope onto the userinfo
+    // payload so server handlers (`getSessionUser`, `/api/iqauth/userinfo`)
+    // expose it without consumers having to re-decode the JWT.
+    ...claims.scopeContext !== void 0 ? { scopeContext: claims.scopeContext } : {}
   };
   const enriched = opts.enrich ? await opts.enrich(claims) : null;
   const user = enriched ? { ...baseUser, ...enriched } : baseUser;
@@ -62,19 +66,62 @@ function shouldClearCookiesOnFailure(policy, status, errorCode) {
 }
 var ACCESS_TOKEN_TTL_SECONDS = 60 * 15;
 var REFRESH_TOKEN_TTL_SECONDS = 60 * 60 * 24 * 30;
+function assertCookiePrefixInvariants(name, secure, path, domain) {
+  if (name.startsWith("__Host-")) {
+    if (!secure) {
+      throw new IQAuthError(
+        "config_invalid",
+        `Cookie "${name}" uses the __Host- prefix, which browsers only accept on a Secure cookie. Set secure:true (and serve over HTTPS).`
+      );
+    }
+    if (path !== "/") {
+      throw new IQAuthError(
+        "config_invalid",
+        `Cookie "${name}" uses the __Host- prefix, which requires Path=/ (got "${path}"). Remove cookiePath or set it to "/".`
+      );
+    }
+    if (domain) {
+      throw new IQAuthError(
+        "config_invalid",
+        `Cookie "${name}" uses the __Host- prefix, which forbids a Domain attribute (the cookie is host-locked). Remove cookieDomain.`
+      );
+    }
+  } else if (name.startsWith("__Secure-") && !secure) {
+    throw new IQAuthError(
+      "config_invalid",
+      `Cookie "${name}" uses the __Secure- prefix, which browsers only accept on a Secure cookie. Set secure:true (and serve over HTTPS).`
+    );
+  }
+}
 function resolve(config) {
   const parsed = assertPublishableKey(config.publishableKey, { context: "@iqauth/sdk helpers" });
   const inferredIssuer = parsed.iss.startsWith("http") ? parsed.iss : `https://${parsed.iss}`;
+  maybeWarnDefaultSignoutRegistry(config);
+  const secure = config.secure ?? true;
+  if (config.secure === false && config.allowInsecureCookies !== true) {
+    throw new IQAuthError(
+      "config_invalid",
+      "Refusing to issue auth cookies with secure:false \u2014 this exposes session cookies over plaintext HTTP. For local HTTP development, set allowInsecureCookies:true to acknowledge the risk. Production MUST use HTTPS with secure cookies."
+    );
+  }
+  const accessCookieName = config.accessCookieName ?? config.cookieNames?.access ?? "iqauth_at";
+  const refreshCookieName = config.refreshCookieName ?? config.cookieNames?.refresh ?? "iqauth_rt";
+  const stateCookieName = config.stateCookieName ?? "iqauth_state";
+  const cookiePath = config.cookiePath ?? "/";
+  const cookieDomain = config.cookieDomain;
+  for (const name of [accessCookieName, refreshCookieName, stateCookieName]) {
+    assertCookiePrefixInvariants(name, secure, cookiePath, cookieDomain);
+  }
   return {
     publishableKey: config.publishableKey,
     secretKey: config.secretKey,
     issuer: (config.issuer ?? inferredIssuer).replace(/\/+$/, ""),
-    accessCookieName: config.accessCookieName ?? config.cookieNames?.access ?? "iqauth_at",
-    refreshCookieName: config.refreshCookieName ?? config.cookieNames?.refresh ?? "iqauth_rt",
-    cookieDomain: config.cookieDomain,
+    accessCookieName,
+    refreshCookieName,
+    cookieDomain,
     sameSite: config.sameSite ?? "lax",
-    secure: config.secure ?? true,
-    cookiePath: config.cookiePath ?? "/",
+    secure,
+    cookiePath,
     tokenPath: config.tokenPath ?? "/oidc/token",
     refreshPath: config.refreshPath ?? "/api/v1/auth/refresh",
     logoutPath: config.logoutPath ?? "/api/v1/auth/logout",
@@ -87,9 +134,19 @@ function resolve(config) {
     debug: config.debug,
     onTimingEvent: config.onTimingEvent,
     signoutRegistry: config.signoutRegistry ?? defaultSignoutRegistry,
-    signoutMarkerTtlMs: config.signoutMarkerTtlMs ?? DEFAULT_SIGNOUT_TTL_MS
+    signoutMarkerTtlMs: config.signoutMarkerTtlMs ?? DEFAULT_SIGNOUT_TTL_MS,
+    requireOAuthState: config.requireOAuthState ?? true,
+    stateCookieName: config.stateCookieName ?? "iqauth_state"
   };
 }
+function timingSafeEqualStr(a, b) {
+  const len = Math.max(a.length, b.length);
+  let diff = a.length ^ b.length;
+  for (let i = 0; i < len; i++) {
+    diff |= (a.charCodeAt(i) || 0) ^ (b.charCodeAt(i) || 0);
+  }
+  return diff === 0;
+}
 function makeCookie(cfg, name, value, maxAge, httpOnly = true) {
   return {
     name,
@@ -108,6 +165,9 @@ function clearCookies(cfg) {
     { ...makeCookie(cfg, cfg.refreshCookieName, "", 0), clear: true }
   ];
 }
+function clearStateCookie(cfg) {
+  return { ...makeCookie(cfg, cfg.stateCookieName, "", 0, false), clear: true };
+}
 var DEFAULT_SIGNOUT_TTL_MS = 6e4;
 var inMemorySignoutMarkers = /* @__PURE__ */ new Map();
 function pruneInMemoryMarkers(now) {
@@ -133,9 +193,21 @@ var defaultSignoutRegistry = {
     return true;
   }
 };
+var warnedDefaultSignoutRegistry = false;
+function maybeWarnDefaultSignoutRegistry(config) {
+  if (warnedDefaultSignoutRegistry) return;
+  if (config.signoutRegistry) return;
+  warnedDefaultSignoutRegistry = true;
+  console.warn(
+    "[IQAuth] Using the in-memory signout registry (process-local). Signout idempotency is NOT shared across instances \u2014 in a multi-replica deployment a /refresh racing a /signout on another replica can reissue cookies after sign-out. Plug a shared backend (e.g. Redis) into IQAuthHelperConfig.signoutRegistry to fix this and silence this warning."
+  );
+}
 function __resetSignoutMarkersForTests() {
   inMemorySignoutMarkers.clear();
 }
+function __resetSignoutRegistryWarningForTests() {
+  warnedDefaultSignoutRegistry = false;
+}
 function createInMemorySignoutRegistry() {
   const store = /* @__PURE__ */ new Map();
   return {
@@ -178,6 +250,23 @@ async function handleCallback(config, input) {
       cookies: []
     };
   }
+  const provided = input.state;
+  const expected = input.expectedState;
+  const stateOk = cfg.requireOAuthState ? !!expected && !!provided && timingSafeEqualStr(provided, expected) : !expected || !!provided && timingSafeEqualStr(provided, expected);
+  if (!stateOk) {
+    emitTiming(cfg, { phase: "callback", durationMs: Date.now() - t0, ok: false, code: "STATE_MISMATCH" });
+    return {
+      status: 400,
+      body: {
+        success: false,
+        error: {
+          code: "STATE_MISMATCH",
+          message: "OAuth state validation failed; the sign-in could not be verified as originating from this browser."
+        }
+      },
+      cookies: [clearStateCookie(cfg)]
+    };
+  }
   if (!cfg.secretKey) {
     emitTiming(cfg, { phase: "callback", durationMs: Date.now() - t0, ok: false, code: "INTERNAL_ERROR" });
     return {
@@ -216,6 +305,26 @@ async function handleCallback(config, input) {
       cookies: []
     };
   }
+  try {
+    await getTokensFor(cfg.issuer).verify(json.access_token, {
+      issuer: cfg.issuer,
+      ...config.verify
+    });
+  } catch (err) {
+    const code = err instanceof IQAuthError ? err.code : err.code || "TOKEN_INVALID";
+    emitTiming(cfg, { phase: "callback", durationMs: Date.now() - t0, ok: false, code });
+    return {
+      status: 502,
+      body: {
+        success: false,
+        error: {
+          code: "ACCESS_TOKEN_VERIFICATION_FAILED",
+          message: "The issuer returned an access token that failed verification; no session was established."
+        }
+      },
+      cookies: []
+    };
+  }
   const cookies = [];
   cookies.push(
     makeCookie(cfg, cfg.accessCookieName, json.access_token, json.expires_in ?? ACCESS_TOKEN_TTL_SECONDS)
@@ -223,6 +332,7 @@ async function handleCallback(config, input) {
   if (json.refresh_token) {
     cookies.push(makeCookie(cfg, cfg.refreshCookieName, json.refresh_token, REFRESH_TOKEN_TTL_SECONDS));
   }
+  cookies.push(clearStateCookie(cfg));
   emitTiming(cfg, { phase: "callback", durationMs: Date.now() - t0, ok: true });
   return {
     status: 200,
@@ -344,7 +454,10 @@ async function handleUserinfo(config, input) {
   }
   let claims;
   try {
-    claims = await getTokensFor(cfg.issuer).verify(input.accessToken, config.verify);
+    claims = await getTokensFor(cfg.issuer).verify(input.accessToken, {
+      issuer: cfg.issuer,
+      ...config.verify
+    });
   } catch (err) {
     const code = err instanceof IQAuthError ? err.code : err.code || "TOKEN_INVALID";
     const message = err instanceof Error ? err.message : "Access token verification failed";
@@ -367,6 +480,7 @@ async function handleUserinfo(config, input) {
 export {
   buildUserinfoResponse,
   __resetSignoutMarkersForTests,
+  __resetSignoutRegistryWarningForTests,
   createInMemorySignoutRegistry,
   serializeCookie,
   handleCallback,

package/dist/{chunk-JXQI62A7.mjs → chunk-ZLJPABB7.mjs}

@@ -36,17 +36,27 @@ function parseLoginResponse(data, browserSessionMode) {
       tenants: data.tenants
     };
   }
+  if (data.type === "scope_selection" && data.scopeSelectionToken && data.scopes && data.tenantId) {
+    return {
+      status: "scope_selection",
+      scopeSelectionToken: data.scopeSelectionToken,
+      tenantId: data.tenantId,
+      scopes: data.scopes
+    };
+  }
   throw new Error("Unexpected login response shape");
 }
 var AuthModule = class {
   constructor(http) {
     this.http = http;
   }
-  async login(email, password) {
+  async login(email, password, opts) {
+    const body = { email, password };
+    if (opts?.scopeHint) body.scopeHint = opts.scopeHint;
     const data = await this.http.request(
       "POST",
       "/api/v1/auth/login",
-      { email, password },
+      body,
       { skipAutoRefresh: true }
     );
     return parseLoginResponse(data, this.http.isBrowserSession());
@@ -84,13 +94,29 @@ var AuthModule = class {
       method
     }, { skipAutoRefresh: true });
   }
-  async selectTenant(tenantSelectionToken, tenantId) {
+  async selectTenant(tenantSelectionToken, tenantId, opts) {
+    const body = { tenantSelectionToken, tenantId };
+    if (opts?.scopeHint) body.scopeHint = opts.scopeHint;
     const data = await this.http.request(
       "POST",
       "/api/v1/auth/select-tenant",
+      body,
+      { skipAutoRefresh: true }
+    );
+    return parseLoginResponse(data, this.http.isBrowserSession());
+  }
+  /**
+   * Task #171 — redeem a scope-selection token + chosen membership for a
+   * real authenticated session. `membershipId` must be one of the scopes
+   * returned in the prior `scope_selection` envelope.
+   */
+  async selectScope(scopeSelectionToken, membershipId) {
+    const data = await this.http.request(
+      "POST",
+      "/api/v1/auth/select-scope",
       {
-        tenantSelectionToken,
-        tenantId
+        scopeSelectionToken,
+        membershipId
       },
       { skipAutoRefresh: true }
     );

package/dist/{client-BGFnBpfc.d.mts → client-D8L-PaWr.d.mts}

@@ -1,5 +1,5 @@
-import { d as IQAuthEnvironment, T as TokenPair, Y as IQAuthRetryConfig, L as LoginResult, b1 as SignupRequest, K as MfaVerifyResult, S as SessionUser, m as Session, U as UserProfile, V as ProvisionUserRequest, W as ProvisionUserResponse, R as UserPermissions, J as JwtClaims, O as OidcDiscovery, y as JwksResponse, z as OidcTokenResponse, b2 as HostedClientContext, n as TenantInfo, C as CreateTenantRequest, o as UpdateTenantRequest, P as PromoteToVendorRequest, p as PromoteToVendorResult, a9 as TenantUser, q as InviteTenantUserRequest, r as InviteTenantUserResult, s as TenantUserRoleUpdate, M as MigrateUserRequest, N as PasswordPolicy, Q as MfaPolicy, B as BrandingConfig, a0 as AppInfo, a1 as PermissionNodeInfo, $ as AppManifest, a2 as AppSyncResult, a3 as Role, a4 as CreateRoleRequest, a5 as UpdateRoleRequest, a6 as AssignRoleRequest, a7 as UserRoleAssignment, aa as PermissionGroup, ab as GroupPermission, ac as AddGroupPermissionRequest, ad as InheritanceRelation, a8 as UserGroupAssignment, ae as UserPermissionOverride, af as AddUserOverrideRequest, ag as EffectivePermission, ah as PermissionCheckResult, aj as CreateApiKeyRequest, ak as CreateApiKeyResult, ai as ApiKeyInfo, al as ApiKeyIntrospection, an as CreateInviteRequest, am as Invitation, ao as InviteValidation, ap as AcceptInviteRequest, ar as CreateWebhookRequest, as as CreateWebhookResult, aq as WebhookEndpoint, at as WebhookDelivery, au as WebhookTestResult, av as Entitlement, aw as GrantEntitlementRequest, ax as Vendor, ay as CreateVendorRequest, az as UpdateVendorRequest, aB as CreateSourceRequest, aA as Source, aC as UpdateSourceRequest, aE as CreateClientRequest, aD as Client, aF as UpdateClientRequest, aG as HierarchyVendor, aJ as HierarchyLink, aN as MembershipWithDetails, aL as CreateMembershipRequest, aK as Membership, aM as UpdateMembershipRequest, aO as AvailableScopesTree, aS as ScopeSwitchResult, aT as GdprExportData, aU as PinStatus, aW as MfaAvailableMethods, aX as TotpEnrollResult, aY as TotpVerifyResult, aZ as SmsEnrollResult, G as MfaEnrollment, a_ as EmailEnrollResult, a$ as BackupCodesResult, b0 as BackupCodeCountResult, t as UpdateBrandingRequest, v as UploadAssetRequest, u as BrandingAsset, w as BrandingDomainMapping, e as IQAuthClientConfig, I as IQAuthBrowserSessionClientConfig, f as IQAuthTokenClientConfig } from './types-XOV9XPVi.mjs';
-import { T as TokensModule } from './tokens-CITeoG6P.mjs';
+import { d as IQAuthEnvironment, T as TokenPair, Y as IQAuthRetryConfig, b1 as ScopeHint, L as LoginResult, b2 as SignupRequest, K as MfaVerifyResult, S as SessionUser, m as Session, U as UserProfile, V as ProvisionUserRequest, W as ProvisionUserResponse, R as UserPermissions, J as JwtClaims, O as OidcDiscovery, y as JwksResponse, z as OidcTokenResponse, b3 as HostedClientContext, n as TenantInfo, C as CreateTenantRequest, o as UpdateTenantRequest, P as PromoteToVendorRequest, p as PromoteToVendorResult, a9 as TenantUser, q as InviteTenantUserRequest, r as InviteTenantUserResult, s as TenantUserRoleUpdate, M as MigrateUserRequest, N as PasswordPolicy, Q as MfaPolicy, B as BrandingConfig, a0 as AppInfo, a1 as PermissionNodeInfo, $ as AppManifest, a2 as AppSyncResult, a3 as Role, a4 as CreateRoleRequest, a5 as UpdateRoleRequest, a6 as AssignRoleRequest, a7 as UserRoleAssignment, aa as PermissionGroup, ab as GroupPermission, ac as AddGroupPermissionRequest, ad as InheritanceRelation, a8 as UserGroupAssignment, ae as UserPermissionOverride, af as AddUserOverrideRequest, ag as EffectivePermission, ah as PermissionCheckResult, aj as CreateApiKeyRequest, ak as CreateApiKeyResult, ai as ApiKeyInfo, al as ApiKeyIntrospection, an as CreateInviteRequest, am as Invitation, ao as InviteValidation, ap as AcceptInviteRequest, ar as CreateWebhookRequest, as as CreateWebhookResult, aq as WebhookEndpoint, at as WebhookDelivery, au as WebhookTestResult, av as Entitlement, aw as GrantEntitlementRequest, ax as Vendor, ay as CreateVendorRequest, az as UpdateVendorRequest, aB as CreateSourceRequest, aA as Source, aC as UpdateSourceRequest, aE as CreateClientRequest, aD as Client, aF as UpdateClientRequest, aG as HierarchyVendor, aJ as HierarchyLink, aN as MembershipWithDetails, aL as CreateMembershipRequest, aK as Membership, aM as UpdateMembershipRequest, aO as AvailableScopesTree, aS as ScopeSwitchResult, aT as GdprExportData, aU as PinStatus, aW as MfaAvailableMethods, aX as TotpEnrollResult, aY as TotpVerifyResult, aZ as SmsEnrollResult, G as MfaEnrollment, a_ as EmailEnrollResult, a$ as BackupCodesResult, b0 as BackupCodeCountResult, t as UpdateBrandingRequest, v as UploadAssetRequest, u as BrandingAsset, w as BrandingDomainMapping, e as IQAuthClientConfig, I as IQAuthBrowserSessionClientConfig, f as IQAuthTokenClientConfig } from './types-Bn8O-OEd.mjs';
+import { T as TokensModule } from './tokens-B06VtvUi.mjs';
 
 /**
  * SOURCE REFS:
@@ -56,7 +56,9 @@ declare class HttpClient {
 declare class AuthModule {
     private http;
     constructor(http: HttpClient);
-    login(email: string, password: string): Promise<LoginResult>;
+    login(email: string, password: string, opts?: {
+        scopeHint?: ScopeHint;
+    }): Promise<LoginResult>;
     signup(input: SignupRequest): Promise<LoginResult>;
     completeMfa(mfaChallengeToken: string, code: string, method?: string): Promise<MfaVerifyResult>;
     completeMfaWithBackup(mfaChallengeToken: string, backupCode: string): Promise<MfaVerifyResult>;
@@ -64,7 +66,15 @@ declare class AuthModule {
         sent: boolean;
         method: string;
     }>;
-    selectTenant(tenantSelectionToken: string, tenantId: string): Promise<LoginResult>;
+    selectTenant(tenantSelectionToken: string, tenantId: string, opts?: {
+        scopeHint?: ScopeHint;
+    }): Promise<LoginResult>;
+    /**
+     * Task #171 — redeem a scope-selection token + chosen membership for a
+     * real authenticated session. `membershipId` must be one of the scopes
+     * returned in the prior `scope_selection` envelope.
+     */
+    selectScope(scopeSelectionToken: string, membershipId: string): Promise<LoginResult>;
     logout(): Promise<{
         message: string;
     }>;

package/dist/{client-CDQ21LvW.d.ts → client-DkPL0EPZ.d.ts}

@@ -1,5 +1,5 @@
-import { d as IQAuthEnvironment, T as TokenPair, Y as IQAuthRetryConfig, L as LoginResult, b1 as SignupRequest, K as MfaVerifyResult, S as SessionUser, m as Session, U as UserProfile, V as ProvisionUserRequest, W as ProvisionUserResponse, R as UserPermissions, J as JwtClaims, O as OidcDiscovery, y as JwksResponse, z as OidcTokenResponse, b2 as HostedClientContext, n as TenantInfo, C as CreateTenantRequest, o as UpdateTenantRequest, P as PromoteToVendorRequest, p as PromoteToVendorResult, a9 as TenantUser, q as InviteTenantUserRequest, r as InviteTenantUserResult, s as TenantUserRoleUpdate, M as MigrateUserRequest, N as PasswordPolicy, Q as MfaPolicy, B as BrandingConfig, a0 as AppInfo, a1 as PermissionNodeInfo, $ as AppManifest, a2 as AppSyncResult, a3 as Role, a4 as CreateRoleRequest, a5 as UpdateRoleRequest, a6 as AssignRoleRequest, a7 as UserRoleAssignment, aa as PermissionGroup, ab as GroupPermission, ac as AddGroupPermissionRequest, ad as InheritanceRelation, a8 as UserGroupAssignment, ae as UserPermissionOverride, af as AddUserOverrideRequest, ag as EffectivePermission, ah as PermissionCheckResult, aj as CreateApiKeyRequest, ak as CreateApiKeyResult, ai as ApiKeyInfo, al as ApiKeyIntrospection, an as CreateInviteRequest, am as Invitation, ao as InviteValidation, ap as AcceptInviteRequest, ar as CreateWebhookRequest, as as CreateWebhookResult, aq as WebhookEndpoint, at as WebhookDelivery, au as WebhookTestResult, av as Entitlement, aw as GrantEntitlementRequest, ax as Vendor, ay as CreateVendorRequest, az as UpdateVendorRequest, aB as CreateSourceRequest, aA as Source, aC as UpdateSourceRequest, aE as CreateClientRequest, aD as Client, aF as UpdateClientRequest, aG as HierarchyVendor, aJ as HierarchyLink, aN as MembershipWithDetails, aL as CreateMembershipRequest, aK as Membership, aM as UpdateMembershipRequest, aO as AvailableScopesTree, aS as ScopeSwitchResult, aT as GdprExportData, aU as PinStatus, aW as MfaAvailableMethods, aX as TotpEnrollResult, aY as TotpVerifyResult, aZ as SmsEnrollResult, G as MfaEnrollment, a_ as EmailEnrollResult, a$ as BackupCodesResult, b0 as BackupCodeCountResult, t as UpdateBrandingRequest, v as UploadAssetRequest, u as BrandingAsset, w as BrandingDomainMapping, e as IQAuthClientConfig, I as IQAuthBrowserSessionClientConfig, f as IQAuthTokenClientConfig } from './types-XOV9XPVi.js';
-import { T as TokensModule } from './tokens-Bqhmqq_R.js';
+import { d as IQAuthEnvironment, T as TokenPair, Y as IQAuthRetryConfig, b1 as ScopeHint, L as LoginResult, b2 as SignupRequest, K as MfaVerifyResult, S as SessionUser, m as Session, U as UserProfile, V as ProvisionUserRequest, W as ProvisionUserResponse, R as UserPermissions, J as JwtClaims, O as OidcDiscovery, y as JwksResponse, z as OidcTokenResponse, b3 as HostedClientContext, n as TenantInfo, C as CreateTenantRequest, o as UpdateTenantRequest, P as PromoteToVendorRequest, p as PromoteToVendorResult, a9 as TenantUser, q as InviteTenantUserRequest, r as InviteTenantUserResult, s as TenantUserRoleUpdate, M as MigrateUserRequest, N as PasswordPolicy, Q as MfaPolicy, B as BrandingConfig, a0 as AppInfo, a1 as PermissionNodeInfo, $ as AppManifest, a2 as AppSyncResult, a3 as Role, a4 as CreateRoleRequest, a5 as UpdateRoleRequest, a6 as AssignRoleRequest, a7 as UserRoleAssignment, aa as PermissionGroup, ab as GroupPermission, ac as AddGroupPermissionRequest, ad as InheritanceRelation, a8 as UserGroupAssignment, ae as UserPermissionOverride, af as AddUserOverrideRequest, ag as EffectivePermission, ah as PermissionCheckResult, aj as CreateApiKeyRequest, ak as CreateApiKeyResult, ai as ApiKeyInfo, al as ApiKeyIntrospection, an as CreateInviteRequest, am as Invitation, ao as InviteValidation, ap as AcceptInviteRequest, ar as CreateWebhookRequest, as as CreateWebhookResult, aq as WebhookEndpoint, at as WebhookDelivery, au as WebhookTestResult, av as Entitlement, aw as GrantEntitlementRequest, ax as Vendor, ay as CreateVendorRequest, az as UpdateVendorRequest, aB as CreateSourceRequest, aA as Source, aC as UpdateSourceRequest, aE as CreateClientRequest, aD as Client, aF as UpdateClientRequest, aG as HierarchyVendor, aJ as HierarchyLink, aN as MembershipWithDetails, aL as CreateMembershipRequest, aK as Membership, aM as UpdateMembershipRequest, aO as AvailableScopesTree, aS as ScopeSwitchResult, aT as GdprExportData, aU as PinStatus, aW as MfaAvailableMethods, aX as TotpEnrollResult, aY as TotpVerifyResult, aZ as SmsEnrollResult, G as MfaEnrollment, a_ as EmailEnrollResult, a$ as BackupCodesResult, b0 as BackupCodeCountResult, t as UpdateBrandingRequest, v as UploadAssetRequest, u as BrandingAsset, w as BrandingDomainMapping, e as IQAuthClientConfig, I as IQAuthBrowserSessionClientConfig, f as IQAuthTokenClientConfig } from './types-Bn8O-OEd.js';
+import { T as TokensModule } from './tokens-9F6ETrzk.js';
 
 /**
  * SOURCE REFS:
@@ -56,7 +56,9 @@ declare class HttpClient {
 declare class AuthModule {
     private http;
     constructor(http: HttpClient);
-    login(email: string, password: string): Promise<LoginResult>;
+    login(email: string, password: string, opts?: {
+        scopeHint?: ScopeHint;
+    }): Promise<LoginResult>;
     signup(input: SignupRequest): Promise<LoginResult>;
     completeMfa(mfaChallengeToken: string, code: string, method?: string): Promise<MfaVerifyResult>;
     completeMfaWithBackup(mfaChallengeToken: string, backupCode: string): Promise<MfaVerifyResult>;
@@ -64,7 +66,15 @@ declare class AuthModule {
         sent: boolean;
         method: string;
     }>;
-    selectTenant(tenantSelectionToken: string, tenantId: string): Promise<LoginResult>;
+    selectTenant(tenantSelectionToken: string, tenantId: string, opts?: {
+        scopeHint?: ScopeHint;
+    }): Promise<LoginResult>;
+    /**
+     * Task #171 — redeem a scope-selection token + chosen membership for a
+     * real authenticated session. `membershipId` must be one of the scopes
+     * returned in the prior `scope_selection` envelope.
+     */
+    selectScope(scopeSelectionToken: string, membershipId: string): Promise<LoginResult>;
     logout(): Promise<{
         message: string;
     }>;

package/dist/{express-Piv2WhWM.d.ts → express-Budysq4h.d.ts}

@@ -1,5 +1,5 @@
-import { I as IQAuthClient } from './client-CDQ21LvW.js';
-import { J as JwtClaims, X as ExpressMiddlewareOptions, a as IQAuthRequestLike, b as IQAuthResponseLike, c as IQAuthNextFunction } from './types-XOV9XPVi.js';
+import { I as IQAuthClient } from './client-DkPL0EPZ.js';
+import { J as JwtClaims, X as ExpressMiddlewareOptions, a as IQAuthRequestLike, b as IQAuthResponseLike, c as IQAuthNextFunction } from './types-Bn8O-OEd.js';
 
 /**
  * SOURCE REFS:

package/dist/{express-CVNQEkOr.d.mts → express-DDTA3qV1.d.mts}

@@ -1,5 +1,5 @@
-import { I as IQAuthClient } from './client-BGFnBpfc.mjs';
-import { J as JwtClaims, X as ExpressMiddlewareOptions, a as IQAuthRequestLike, b as IQAuthResponseLike, c as IQAuthNextFunction } from './types-XOV9XPVi.mjs';
+import { I as IQAuthClient } from './client-D8L-PaWr.mjs';
+import { J as JwtClaims, X as ExpressMiddlewareOptions, a as IQAuthRequestLike, b as IQAuthResponseLike, c as IQAuthNextFunction } from './types-Bn8O-OEd.mjs';
 
 /**
  * SOURCE REFS:

package/dist/express.d.mts

@@ -1,10 +1,10 @@
-import { I as IQAuthClient } from './client-BGFnBpfc.mjs';
-import { C as CookieAwareMiddlewareOptions } from './express-CVNQEkOr.mjs';
-export { i as iqAuthMiddleware } from './express-CVNQEkOr.mjs';
+import { I as IQAuthClient } from './client-D8L-PaWr.mjs';
+import { C as CookieAwareMiddlewareOptions } from './express-DDTA3qV1.mjs';
+export { i as iqAuthMiddleware } from './express-DDTA3qV1.mjs';
 import { IQAuthHelperConfig } from './server/handlers.mjs';
-import { a as IQAuthRequestLike, b as IQAuthResponseLike, c as IQAuthNextFunction } from './types-XOV9XPVi.mjs';
+import { a as IQAuthRequestLike, b as IQAuthResponseLike, c as IQAuthNextFunction } from './types-Bn8O-OEd.mjs';
 export { E as ErrorCodes, I as IQAuthError } from './errors-Jl1Jtm-6.mjs';
-import './tokens-CITeoG6P.mjs';
+import './tokens-B06VtvUi.mjs';
 
 /**
  * @iqauth/sdk/express — drop-in Express adapter.

package/dist/express.d.ts

@@ -1,10 +1,10 @@
-import { I as IQAuthClient } from './client-CDQ21LvW.js';
-import { C as CookieAwareMiddlewareOptions } from './express-Piv2WhWM.js';
-export { i as iqAuthMiddleware } from './express-Piv2WhWM.js';
+import { I as IQAuthClient } from './client-DkPL0EPZ.js';
+import { C as CookieAwareMiddlewareOptions } from './express-Budysq4h.js';
+export { i as iqAuthMiddleware } from './express-Budysq4h.js';
 import { IQAuthHelperConfig } from './server/handlers.js';
-import { a as IQAuthRequestLike, b as IQAuthResponseLike, c as IQAuthNextFunction } from './types-XOV9XPVi.js';
+import { a as IQAuthRequestLike, b as IQAuthResponseLike, c as IQAuthNextFunction } from './types-Bn8O-OEd.js';
 export { E as ErrorCodes, I as IQAuthError } from './errors-Jl1Jtm-6.js';
-import './tokens-Bqhmqq_R.js';
+import './tokens-9F6ETrzk.js';
 
 /**
  * @iqauth/sdk/express — drop-in Express adapter.