npm - @k3-universe/react-kit - Versions diffs - 0.0.29 → 0.0.31 - Mend

@k3-universe/react-kit 0.0.29 → 0.0.31

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (157) hide show

package/dist/index.js CHANGED Viewed

@@ -1,9 +1,952 @@
+var __defProp = Object.defineProperty;
+var __defNormalProp = (obj, key, value) => key in obj ? __defProp(obj, key, { enumerable: true, configurable: true, writable: true, value }) : obj[key] = value;
+var __publicField = (obj, key, value) => __defNormalProp(obj, typeof key !== "symbol" ? key + "" : key, value);
 import { jsx, Fragment, jsxs } from "react/jsx-runtime";
 import * as React from "react";
-import React__default, { forwardRef, createElement, Fragment as Fragment$1, memo as memo$1, useRef, useCallback, useEffect, useMemo, useLayoutEffect, useReducer, cloneElement, Component, useState, createContext, useContext, useImperativeHandle, use, isValidElement, PureComponent } from "react";
+import React__default, { createContext, useSyncExternalStore, useEffect, useMemo, useContext, forwardRef, createElement, Fragment as Fragment$1, memo as memo$1, useRef, useCallback, useLayoutEffect, useReducer, cloneElement, Component, useState, useImperativeHandle, use, isValidElement, PureComponent } from "react";
 import * as ReactDOM from "react-dom";
 import ReactDOM__default from "react-dom";
 import { useLocation, Link as Link$1 } from "@tanstack/react-router";
+const isBrowser = typeof window !== "undefined" && typeof window.localStorage !== "undefined";
+class SimpleEncryption {
+  constructor(key) {
+    __publicField(this, "key");
+    this.key = key;
+  }
+  async encrypt(text2) {
+    if (!(crypto == null ? void 0 : crypto.subtle)) {
+      console.warn("[auth2][storage] Crypto API not available, storing unencrypted");
+      return text2;
+    }
+    try {
+      const encoder = new TextEncoder();
+      const data = encoder.encode(text2);
+      const keyData = encoder.encode(this.key.padEnd(32, "0").slice(0, 32));
+      const cryptoKey = await crypto.subtle.importKey(
+        "raw",
+        keyData,
+        { name: "AES-GCM", length: 256 },
+        false,
+        ["encrypt"]
+      );
+      const iv = crypto.getRandomValues(new Uint8Array(12));
+      const encrypted = await crypto.subtle.encrypt(
+        { name: "AES-GCM", iv },
+        cryptoKey,
+        data
+      );
+      const result = new Uint8Array(iv.length + encrypted.byteLength);
+      result.set(iv, 0);
+      result.set(new Uint8Array(encrypted), iv.length);
+      return btoa(String.fromCharCode(...result));
+    } catch (error) {
+      console.error("[auth2][storage] Encryption failed:", error);
+      return text2;
+    }
+  }
+  async decrypt(encrypted) {
+    if (!(crypto == null ? void 0 : crypto.subtle)) {
+      console.warn("[auth2][storage] Crypto API not available, reading unencrypted");
+      return encrypted;
+    }
+    try {
+      const encoder = new TextEncoder();
+      const decoder = new TextDecoder();
+      const keyData = encoder.encode(this.key.padEnd(32, "0").slice(0, 32));
+      const cryptoKey = await crypto.subtle.importKey(
+        "raw",
+        keyData,
+        { name: "AES-GCM", length: 256 },
+        false,
+        ["decrypt"]
+      );
+      const data = Uint8Array.from(atob(encrypted), (c2) => c2.charCodeAt(0));
+      const iv = data.slice(0, 12);
+      const encryptedData = data.slice(12);
+      const decrypted = await crypto.subtle.decrypt(
+        { name: "AES-GCM", iv },
+        cryptoKey,
+        encryptedData
+      );
+      return decoder.decode(decrypted);
+    } catch (error) {
+      console.error("[auth2][storage] Decryption failed:", error);
+      return encrypted;
+    }
+  }
+}
+const createMemoryStorage = () => {
+  let value = null;
+  return {
+    get: () => value,
+    set: (next) => {
+      value = next;
+    },
+    clear: () => {
+      value = null;
+    }
+  };
+};
+const createCookieStorage = (options) => {
+  var _a;
+  const key = options.key ?? "auth2_session";
+  const cookieOpts = options.cookieOptions ?? {};
+  const fallback = createMemoryStorage();
+  const encryption = options.encrypt && options.encryptionKey ? new SimpleEncryption(options.encryptionKey) : null;
+  const cookieSetter = typeof Document !== "undefined" ? (_a = Object.getOwnPropertyDescriptor(Document.prototype, "cookie")) == null ? void 0 : _a.set : void 0;
+  const assignCookie = (value) => {
+    if (!isBrowser || typeof document === "undefined") return;
+    if (cookieSetter) {
+      cookieSetter.call(document, value);
+      return;
+    }
+    Reflect.set(document, "cookie", value);
+  };
+  const serialize = async (value) => {
+    if (value === null) return null;
+    const json = JSON.stringify(value);
+    return encryption ? await encryption.encrypt(json) : json;
+  };
+  const deserialize = async (value) => {
+    if (!value) return null;
+    try {
+      const decrypted = encryption ? await encryption.decrypt(value) : value;
+      return JSON.parse(decrypted);
+    } catch {
+      return null;
+    }
+  };
+  const getCookie = (name) => {
+    if (!isBrowser) return null;
+    const matches = document.cookie.match(
+      new RegExp(
+        `(?:^|; )${name.replace(/([.$?*|{}()\[\]\\/+^])/g, "\\$1")}=([^;]*)`
+      )
+    );
+    return matches ? decodeURIComponent(matches[1]) : null;
+  };
+  const setCookie = (name, value, opts = {}) => {
+    if (!isBrowser) return;
+    let cookie = `${encodeURIComponent(name)}=${encodeURIComponent(value)}`;
+    if (opts.maxAge) cookie += `; max-age=${opts.maxAge}`;
+    if (opts.domain) cookie += `; domain=${opts.domain}`;
+    if (opts.path !== void 0) cookie += `; path=${opts.path}`;
+    else cookie += "; path=/";
+    if (opts.secure) cookie += "; secure";
+    if (opts.sameSite) cookie += `; samesite=${opts.sameSite}`;
+    assignCookie(cookie);
+  };
+  const deleteCookie = (name) => {
+    if (!isBrowser) return;
+    assignCookie(`${name}=; max-age=0; path=/`);
+  };
+  return {
+    get: async () => {
+      try {
+        const raw = getCookie(key);
+        const value = await deserialize(raw);
+        fallback.set(value);
+        return value;
+      } catch (error) {
+        console.warn("[auth2][storage] Failed to read from cookie", error);
+        return fallback.get();
+      }
+    },
+    set: async (value) => {
+      try {
+        const serialized = await serialize(value);
+        if (serialized === null) {
+          deleteCookie(key);
+        } else {
+          setCookie(key, serialized, cookieOpts);
+        }
+        fallback.set(value);
+      } catch (error) {
+        console.warn("[auth2][storage] Failed to write to cookie", error);
+        fallback.set(value);
+      }
+    },
+    clear: () => {
+      try {
+        deleteCookie(key);
+      } catch (error) {
+        console.warn("[auth2][storage] Failed to clear cookie", error);
+      } finally {
+        fallback.clear();
+      }
+    }
+  };
+};
+const createBrowserStorage = (options) => {
+  const fallback = createMemoryStorage();
+  const targetStorage = options.storage ?? (isBrowser ? window.localStorage : void 0);
+  const encryption = options.encrypt && options.encryptionKey ? new SimpleEncryption(options.encryptionKey) : null;
+  const defaultSerialize = async (value) => {
+    if (value === null) return null;
+    const json = JSON.stringify(value);
+    return encryption ? await encryption.encrypt(json) : json;
+  };
+  const defaultDeserialize = async (value) => {
+    if (!value) return null;
+    try {
+      const decrypted = encryption ? await encryption.decrypt(value) : value;
+      return JSON.parse(decrypted);
+    } catch {
+      return null;
+    }
+  };
+  const serialize = options.serialize ? async (value) => {
+    var _a;
+    const result = await ((_a = options.serialize) == null ? void 0 : _a.call(options, value));
+    return result ?? null;
+  } : defaultSerialize;
+  const deserialize = options.deserialize ? async (value) => {
+    var _a;
+    const result = await ((_a = options.deserialize) == null ? void 0 : _a.call(options, value));
+    return result ?? null;
+  } : defaultDeserialize;
+  if (!targetStorage) {
+    return fallback;
+  }
+  return {
+    get: async () => {
+      try {
+        const raw = targetStorage.getItem(options.key);
+        const value = await deserialize(raw);
+        fallback.set(value);
+        return value;
+      } catch (error) {
+        console.warn("[auth2][storage] Failed to read from storage", error);
+        return fallback.get();
+      }
+    },
+    set: async (value) => {
+      try {
+        const serialized = await serialize(value);
+        if (serialized === null) {
+          targetStorage.removeItem(options.key);
+        } else {
+          targetStorage.setItem(options.key, serialized);
+        }
+        fallback.set(value);
+      } catch (error) {
+        console.warn("[auth2][storage] Failed to write to storage", error);
+        fallback.set(value);
+      }
+    },
+    clear: () => {
+      try {
+        targetStorage.removeItem(options.key);
+      } catch (error) {
+        console.warn("[auth2][storage] Failed to clear storage", error);
+      } finally {
+        fallback.clear();
+      }
+    }
+  };
+};
+function createStorage(options = {}) {
+  const storageType = options.storage ?? "local";
+  const key = options.key ?? "auth2_session";
+  switch (storageType) {
+    case "cookie":
+      return createCookieStorage(options);
+    case "session":
+      return createBrowserStorage({
+        key,
+        storage: isBrowser ? window.sessionStorage : void 0,
+        encrypt: options.encrypt,
+        encryptionKey: options.encryptionKey
+      });
+    case "local":
+      return createBrowserStorage({
+        key,
+        storage: isBrowser ? window.localStorage : void 0,
+        encrypt: options.encrypt,
+        encryptionKey: options.encryptionKey
+      });
+    default:
+      return createMemoryStorage();
+  }
+}
+function createTokenManager(config2) {
+  const refreshThreshold = (config2 == null ? void 0 : config2.refreshThreshold) ?? 300;
+  const isExpired = (expiresAt) => {
+    if (!expiresAt) return false;
+    return Date.now() >= expiresAt;
+  };
+  const shouldRefresh = (expiresAt, threshold) => {
+    if (!expiresAt) return false;
+    const thresholdMs = (threshold ?? refreshThreshold) * 1e3;
+    return Date.now() >= expiresAt - thresholdMs;
+  };
+  const getTimeUntilExpiry = (expiresAt) => {
+    if (!expiresAt) return Infinity;
+    const timeLeft = expiresAt - Date.now();
+    return Math.max(0, timeLeft);
+  };
+  const scheduleRefresh = (callback, expiresAt) => {
+    if (!expiresAt) return () => {
+    };
+    const timeUntilRefresh = expiresAt - Date.now() - refreshThreshold * 1e3;
+    if (timeUntilRefresh <= 0) {
+      callback();
+      return () => {
+      };
+    }
+    const timeoutId = setTimeout(callback, timeUntilRefresh);
+    return () => clearTimeout(timeoutId);
+  };
+  return {
+    isExpired,
+    shouldRefresh,
+    getTimeUntilExpiry,
+    scheduleRefresh
+  };
+}
+function expandPermissions(permissions, hierarchy) {
+  if (!hierarchy) return permissions;
+  const expanded = new Set(permissions);
+  const queue = [...permissions];
+  while (queue.length > 0) {
+    const current = queue.shift();
+    if (!current) continue;
+    const children = hierarchy[current];
+    if (children) {
+      for (const child of children) {
+        if (!expanded.has(child)) {
+          expanded.add(child);
+          queue.push(child);
+        }
+      }
+    }
+  }
+  return Array.from(expanded);
+}
+function expandRoles(roles, hierarchy) {
+  if (!hierarchy) return roles;
+  const expanded = new Set(roles);
+  const queue = [...roles];
+  while (queue.length > 0) {
+    const current = queue.shift();
+    if (!current) continue;
+    const children = hierarchy[current];
+    if (children) {
+      for (const child of children) {
+        if (!expanded.has(child)) {
+          expanded.add(child);
+          queue.push(child);
+        }
+      }
+    }
+  }
+  return Array.from(expanded);
+}
+function checkPermissions(userPermissions, target, options) {
+  if (typeof target === "object" && "permissions" in target) {
+    const policy = target;
+    const operator = policy.operator ?? "AND";
+    if (operator === "AND") {
+      return policy.permissions.every((p2) => userPermissions.includes(p2));
+    } else {
+      return policy.permissions.some((p2) => userPermissions.includes(p2));
+    }
+  }
+  const targets = Array.isArray(target) ? target : [target];
+  const requireAll = (options == null ? void 0 : options.requireAll) ?? true;
+  if (targets.length === 0) return true;
+  return requireAll ? targets.every((p2) => userPermissions.includes(p2)) : targets.some((p2) => userPermissions.includes(p2));
+}
+function checkRoles(userRoles, target, options) {
+  const targets = Array.isArray(target) ? target : [target];
+  const requireAll = (options == null ? void 0 : options.requireAll) ?? true;
+  if (targets.length === 0) return true;
+  return requireAll ? targets.every((r2) => userRoles.includes(r2)) : targets.some((r2) => userRoles.includes(r2));
+}
+function evaluatePermissionRule(userRoles, userPermissions, rule) {
+  if (!rule.roles && !rule.permissions) {
+    return true;
+  }
+  const requireAll = rule.requireAll ?? true;
+  const roleAllowed = rule.roles ? checkRoles(userRoles, rule.roles, { requireAll }) : true;
+  const permissionAllowed = rule.permissions ? checkPermissions(userPermissions, rule.permissions, { requireAll }) : true;
+  return requireAll ? roleAllowed && permissionAllowed : roleAllowed || permissionAllowed;
+}
+const unique$1 = (values) => {
+  return Array.from(new Set(values));
+};
+function createAuthAdapter(config2) {
+  const storage = config2.storage ?? createMemoryStorage();
+  const tokenManager = config2.tokenManager ?? createTokenManager({
+    refreshThreshold: config2.refreshThreshold ?? 300
+  });
+  const subscribers = /* @__PURE__ */ new Set();
+  const resolveUser = config2.resolveUser ?? ((session) => (session == null ? void 0 : session.user) ?? null);
+  const resolveRoles = config2.resolveRoles ?? ((session) => {
+    var _a;
+    return ((_a = session == null ? void 0 : session.roles) == null ? void 0 : _a.filter((role) => role != null)) ?? [];
+  });
+  const resolvePermissions = config2.resolvePermissions ?? ((session) => {
+    var _a;
+    return ((_a = session == null ? void 0 : session.permissions) == null ? void 0 : _a.filter(
+      (permission) => permission != null
+    )) ?? [];
+  });
+  let state = {
+    status: "idle",
+    session: null,
+    user: null,
+    roles: [],
+    permissions: []
+  };
+  let autoRefreshCleanup = null;
+  const executeMiddleware = async (hook, ...args) => {
+    if (!config2.middleware) return;
+    for (const middleware of config2.middleware) {
+      const fn = middleware[hook];
+      if (fn) {
+        try {
+          await fn(...args);
+        } catch (error) {
+          console.error(`[auth2] Middleware error in ${String(hook)}:`, error);
+          if (middleware.onError) {
+            await middleware.onError(error);
+          }
+        }
+      }
+    }
+  };
+  const notify = () => {
+    var _a;
+    for (const listener of subscribers) listener(state);
+    (_a = config2.onStateChange) == null ? void 0 : _a.call(config2, state);
+  };
+  const setState = (next) => {
+    state = next;
+    notify();
+  };
+  const computeState = (session, status, error) => {
+    const user = resolveUser(session);
+    const baseRoles = resolveRoles(session);
+    const basePermissions = resolvePermissions(session);
+    const roles = unique$1(expandRoles(baseRoles, config2.roleHierarchy));
+    const permissions = unique$1(
+      expandPermissions(basePermissions, config2.permissionHierarchy)
+    );
+    const tokenExpiresIn = (session == null ? void 0 : session.expiresAt) ? tokenManager.getTimeUntilExpiry(session.expiresAt) : void 0;
+    return {
+      status,
+      session,
+      user,
+      roles,
+      permissions,
+      error,
+      lastRefresh: Date.now(),
+      tokenExpiresIn
+    };
+  };
+  const readStorage = async () => {
+    const stored = await Promise.resolve(storage.get());
+    return stored ?? null;
+  };
+  const writeStorage = async (next) => {
+    if (next === null) {
+      await Promise.resolve(storage.clear());
+    } else {
+      await Promise.resolve(storage.set(next));
+    }
+  };
+  const setupAutoRefresh = () => {
+    var _a;
+    if (autoRefreshCleanup) {
+      autoRefreshCleanup();
+      autoRefreshCleanup = null;
+    }
+    if (!config2.autoRefresh || !config2.refresh || !((_a = state.session) == null ? void 0 : _a.expiresAt)) {
+      return;
+    }
+    if (tokenManager.scheduleRefresh) {
+      autoRefreshCleanup = tokenManager.scheduleRefresh(() => {
+        refresh().catch((error) => {
+          console.error("[auth2] Auto-refresh failed:", error);
+        });
+      }, state.session.expiresAt);
+    }
+  };
+  const setSession = async (session, statusOverride, error) => {
+    await writeStorage(session);
+    const status = statusOverride ?? (session ? "authenticated" : "unauthenticated");
+    const nextState = computeState(session, status, error);
+    setState(nextState);
+    setupAutoRefresh();
+    return nextState;
+  };
+  const sync = async () => {
+    var _a;
+    setState({ ...state, status: "loading" });
+    try {
+      const session = await ((_a = config2.loadSession) == null ? void 0 : _a.call(config2)) ?? await readStorage() ?? null;
+      if ((session == null ? void 0 : session.expiresAt) && tokenManager.isExpired(session.expiresAt)) {
+        if (config2.refresh && session.refreshToken) {
+          try {
+            const refreshed = await config2.refresh(session);
+            return await setSession(refreshed, "authenticated");
+          } catch {
+            await executeMiddleware("onSessionExpired");
+            return await setSession(null, "unauthenticated");
+          }
+        }
+        await executeMiddleware("onSessionExpired");
+        return await setSession(null, "unauthenticated");
+      }
+      return await setSession(
+        session,
+        session ? "authenticated" : "unauthenticated"
+      );
+    } catch (error) {
+      await executeMiddleware("onError", error);
+      return await setSession(null, "error", error);
+    }
+  };
+  const withRetry = async (fn, context) => {
+    var _a, _b, _c;
+    const maxRetries = ((_a = config2.retryConfig) == null ? void 0 : _a.maxRetries) ?? 0;
+    const retryDelay = ((_b = config2.retryConfig) == null ? void 0 : _b.retryDelay) ?? 1e3;
+    const shouldRetry = (_c = config2.retryConfig) == null ? void 0 : _c.retryOn;
+    let lastError;
+    for (let attempt = 0; attempt <= maxRetries; attempt++) {
+      try {
+        return await fn();
+      } catch (error) {
+        lastError = error;
+        const isLastAttempt = attempt === maxRetries;
+        const shouldRetryError = shouldRetry ? shouldRetry(error) : false;
+        if (isLastAttempt || !shouldRetryError) {
+          throw error;
+        }
+        console.warn(
+          `[auth2] ${context} failed (attempt ${attempt + 1}/${maxRetries + 1}), retrying...`
+        );
+        await new Promise((resolve) => setTimeout(resolve, retryDelay));
+      }
+    }
+    throw lastError;
+  };
+  const refresh = async () => {
+    const refreshFn = config2.refresh;
+    const currentSession = state.session;
+    if (!refreshFn) return state;
+    if (!currentSession) return state;
+    try {
+      const refreshed = await withRetry(
+        () => refreshFn(currentSession),
+        "refresh"
+      );
+      const nextState = await setSession(refreshed, "authenticated");
+      await executeMiddleware("onRefresh", nextState);
+      return nextState;
+    } catch (error) {
+      await executeMiddleware("onError", error);
+      return await setSession(state.session, "error", error);
+    }
+  };
+  const login = async (credentials) => {
+    const loginFn = config2.login;
+    if (!loginFn) throw new Error("Auth adapter login is not configured");
+    setState({ ...state, status: "loading" });
+    try {
+      await executeMiddleware("onBeforeLogin", credentials);
+      const session = await withRetry(() => loginFn(credentials), "login");
+      const nextState = await setSession(session, "authenticated");
+      await executeMiddleware("onAfterLogin", nextState);
+      return nextState;
+    } catch (error) {
+      await executeMiddleware("onError", error);
+      await setSession(null, "error", error);
+      throw error;
+    }
+  };
+  const logout = async () => {
+    var _a;
+    const current = state.session;
+    try {
+      await executeMiddleware("onBeforeLogout");
+      await ((_a = config2.logout) == null ? void 0 : _a.call(config2, current ?? null));
+    } finally {
+      if (autoRefreshCleanup) {
+        autoRefreshCleanup();
+        autoRefreshCleanup = null;
+      }
+      await setSession(null, "unauthenticated");
+      await executeMiddleware("onAfterLogout");
+    }
+  };
+  const hasRole = (target, options) => {
+    return checkRoles(state.roles, target, options);
+  };
+  const hasPermission = (target, options) => {
+    return checkPermissions(state.permissions, target, options);
+  };
+  const can = (rule) => {
+    return evaluatePermissionRule(state.roles, state.permissions, rule);
+  };
+  const getToken = () => {
+    var _a;
+    return ((_a = state.session) == null ? void 0 : _a.accessToken) ?? null;
+  };
+  const isTokenExpired = () => {
+    var _a;
+    return tokenManager.isExpired((_a = state.session) == null ? void 0 : _a.expiresAt);
+  };
+  const getTimeUntilExpiry = () => {
+    var _a;
+    return tokenManager.getTimeUntilExpiry((_a = state.session) == null ? void 0 : _a.expiresAt);
+  };
+  const scheduleAutoRefresh = () => {
+    setupAutoRefresh();
+    return () => {
+      if (autoRefreshCleanup) {
+        autoRefreshCleanup();
+        autoRefreshCleanup = null;
+      }
+    };
+  };
+  const api = {
+    getState: () => state,
+    subscribe: (listener) => {
+      subscribers.add(listener);
+      return () => {
+        subscribers.delete(listener);
+      };
+    },
+    sync,
+    login: config2.login ? login : void 0,
+    logout,
+    refresh: async () => {
+      return await refresh();
+    },
+    setSession: async (session) => {
+      return await setSession(session);
+    },
+    hasRole,
+    hasPermission,
+    can,
+    getToken,
+    isTokenExpired,
+    getTimeUntilExpiry,
+    scheduleAutoRefresh
+  };
+  return api;
+}
+const AuthContext = createContext(void 0);
+function AuthProvider({
+  adapter,
+  children,
+  autoSync = true
+}) {
+  const state = useSyncExternalStore(
+    adapter.subscribe,
+    adapter.getState,
+    adapter.getState
+  );
+  useEffect(() => {
+    if (!autoSync) return;
+    adapter.sync().catch(() => void 0);
+  }, [adapter, autoSync]);
+  const value = useMemo(() => {
+    const login = adapter.login ? async (credentials) => {
+      if (!adapter.login) {
+        throw new Error("Login is not configured");
+      }
+      return await adapter.login(credentials);
+    } : void 0;
+    return {
+      state,
+      status: state.status,
+      session: state.session,
+      user: state.user,
+      roles: state.roles,
+      permissions: state.permissions,
+      error: state.error,
+      login,
+      logout: adapter.logout,
+      refresh: adapter.refresh,
+      setSession: adapter.setSession,
+      hasRole: adapter.hasRole,
+      hasPermission: adapter.hasPermission,
+      can: adapter.can,
+      getToken: adapter.getToken,
+      isTokenExpired: adapter.isTokenExpired,
+      getTimeUntilExpiry: adapter.getTimeUntilExpiry
+    };
+  }, [adapter, state]);
+  const contextValue = value;
+  return /* @__PURE__ */ jsx(AuthContext.Provider, { value: contextValue, children });
+}
+function useAuthContext() {
+  const ctx = useContext(AuthContext);
+  if (!ctx) throw new Error("useAuthContext must be used within AuthProvider");
+  return ctx;
+}
+function createGraphQLAuthAdapter(options) {
+  return {
+    login: options.client.login,
+    logout: options.client.logout,
+    refresh: options.client.refresh ? async (session) => {
+      if (!session.refreshToken) {
+        throw new Error("No refresh token available");
+      }
+      if (!options.client.refresh) {
+        throw new Error("Refresh function not provided");
+      }
+      return await options.client.refresh(session.refreshToken);
+    } : void 0,
+    loadSession: options.client.getCurrentUser,
+    resolveUser: options.resolveUser,
+    resolveRoles: options.resolveRoles,
+    resolvePermissions: options.resolvePermissions
+  };
+}
+function createRESTAuthAdapter(options) {
+  return {
+    login: options.client.login,
+    logout: options.client.logout,
+    refresh: options.client.refresh ? async (session) => {
+      if (!session.refreshToken) {
+        throw new Error("No refresh token available");
+      }
+      if (!options.client.refresh) {
+        throw new Error("Refresh function not provided");
+      }
+      return await options.client.refresh(session.refreshToken);
+    } : void 0,
+    loadSession: options.client.getCurrentUser,
+    resolveUser: options.resolveUser,
+    resolveRoles: options.resolveRoles,
+    resolvePermissions: options.resolvePermissions
+  };
+}
+function createAxiosAuthInterceptor(axiosInstance, getToken, options) {
+  const tokenType = (options == null ? void 0 : options.tokenType) ?? "Bearer";
+  axiosInstance.interceptors.request.use(
+    // eslint-disable-next-line @typescript-eslint/no-explicit-any
+    async (config2) => {
+      const token = getToken();
+      if (token) {
+        config2.headers.Authorization = `${tokenType} ${token}`;
+      }
+      return config2;
+    },
+    // eslint-disable-next-line @typescript-eslint/no-explicit-any
+    (error) => Promise.reject(error)
+  );
+  if (options == null ? void 0 : options.refreshToken) {
+    axiosInstance.interceptors.response.use(
+      // eslint-disable-next-line @typescript-eslint/no-explicit-any
+      (response) => response,
+      // eslint-disable-next-line @typescript-eslint/no-explicit-any
+      async (error) => {
+        var _a, _b;
+        const originalRequest = error.config;
+        if (((_a = error.response) == null ? void 0 : _a.status) === 401 && !originalRequest._retry && options.refreshToken) {
+          originalRequest._retry = true;
+          try {
+            await options.refreshToken();
+            const token = getToken();
+            if (token) {
+              originalRequest.headers.Authorization = `${tokenType} ${token}`;
+            }
+            return axiosInstance(originalRequest);
+          } catch (refreshError) {
+            (_b = options.onTokenExpired) == null ? void 0 : _b.call(options);
+            return Promise.reject(refreshError);
+          }
+        }
+        return Promise.reject(error);
+      }
+    );
+  }
+}
+function createAuthFetch(getToken, options) {
+  const tokenType = (options == null ? void 0 : options.tokenType) ?? "Bearer";
+  return async (input, init) => {
+    var _a;
+    const token = getToken();
+    const headers = new Headers(init == null ? void 0 : init.headers);
+    if (token) {
+      headers.set("Authorization", `${tokenType} ${token}`);
+    }
+    const response = await fetch(input, {
+      ...init,
+      headers
+    });
+    if (response.status === 401 && (options == null ? void 0 : options.refreshToken)) {
+      try {
+        await options.refreshToken();
+        const newToken = getToken();
+        if (newToken) {
+          headers.set("Authorization", `${tokenType} ${newToken}`);
+          return await fetch(input, {
+            ...init,
+            headers
+          });
+        }
+      } catch (error) {
+        (_a = options.onTokenExpired) == null ? void 0 : _a.call(options);
+        throw error;
+      }
+    }
+    return response;
+  };
+}
+function createApolloAuthLink(getToken, options) {
+  const tokenType = (options == null ? void 0 : options.tokenType) ?? "Bearer";
+  return (ApolloLink) => {
+    return new ApolloLink((operation, forward) => {
+      const token = getToken();
+      if (token) {
+        operation.setContext(({ headers = {} }) => ({
+          headers: {
+            ...headers,
+            authorization: `${tokenType} ${token}`
+          }
+        }));
+      }
+      return forward(operation);
+    });
+  };
+}
+function useAuth() {
+  return useAuthContext();
+}
+function useAuthStatus() {
+  const { status } = useAuthContext();
+  return status;
+}
+function useIsAuthenticated() {
+  const { status } = useAuthContext();
+  return status === "authenticated";
+}
+function useAuthSession() {
+  const { session } = useAuthContext();
+  return session;
+}
+function useAuthUser() {
+  const { user } = useAuthContext();
+  return user;
+}
+function useAuthRoles() {
+  const { roles } = useAuthContext();
+  return roles;
+}
+function useAuthPermissions() {
+  const { permissions } = useAuthContext();
+  return permissions;
+}
+function useAuthError() {
+  const { error } = useAuthContext();
+  return error;
+}
+function usePermission(permission, options) {
+  const { hasPermission } = useAuthContext();
+  return hasPermission(permission, options);
+}
+function useRole(roles, options) {
+  const { hasRole } = useAuthContext();
+  return hasRole(roles, options);
+}
+function useCan(rule) {
+  const { can } = useAuthContext();
+  return can(rule);
+}
+function useAuthToken() {
+  const { getToken } = useAuthContext();
+  return getToken();
+}
+function useIsTokenExpired() {
+  const { isTokenExpired } = useAuthContext();
+  return isTokenExpired();
+}
+function useTimeUntilExpiry() {
+  const { getTimeUntilExpiry } = useAuthContext();
+  return getTimeUntilExpiry();
+}
+function useLogin() {
+  const { login } = useAuthContext();
+  return login;
+}
+function useLogout() {
+  const { logout } = useAuthContext();
+  return logout;
+}
+function useRefresh() {
+  const { refresh } = useAuthContext();
+  return refresh;
+}
+function useSetSession() {
+  const { setSession } = useAuthContext();
+  return setSession;
+}
+function RequireAuth({
+  children,
+  fallback = null,
+  loadingFallback = null,
+  roles,
+  permissions,
+  requireAll = true
+}) {
+  const { status, can } = useAuthContext();
+  if (status === "loading" || status === "idle") {
+    return loadingFallback;
+  }
+  if (status !== "authenticated") {
+    return fallback;
+  }
+  if (!roles && !permissions) {
+    return children;
+  }
+  const allowed = can({ roles, permissions, requireAll });
+  if (!allowed) {
+    return fallback;
+  }
+  return children;
+}
+function Can({
+  children,
+  fallback = null,
+  roles,
+  permissions,
+  requireAll = true
+}) {
+  const allowed = useCan({ roles, permissions, requireAll });
+  if (!allowed) return fallback;
+  return children;
+}
+function withPermission(Component2, options) {
+  const WithPermissionWrapper = (props2) => {
+    const allowed = useCan(options);
+    if (!allowed) return null;
+    return /* @__PURE__ */ jsx(Component2, { ...props2 });
+  };
+  WithPermissionWrapper.displayName = `WithPermission(${Component2.displayName ?? Component2.name ?? "Component"})`;
+  return WithPermissionWrapper;
+}
+function ShowWhenAuthenticated({ children }) {
+  const { status } = useAuthContext();
+  return status === "authenticated" ? children : null;
+}
+function ShowWhenUnauthenticated({ children }) {
+  const { status } = useAuthContext();
+  return status === "unauthenticated" ? children : null;
+}
+function ShowWhenLoading({ children }) {
+  const { status } = useAuthContext();
+  return status === "loading" ? children : null;
+}
+function ShowWhenError({ children }) {
+  const { status } = useAuthContext();
+  return status === "error" ? children : null;
+}
 /**
    * table-core
    *
@@ -216,7 +1159,7 @@ function createHeader(table, column, options) {
   });
   return header;
 }
-const Headers = {
+const Headers$1 = {
   createTable: (table) => {
     table.getHeaderGroups = memo(() => [table.getAllColumns(), table.getVisibleLeafColumns(), table.getState().columnPinning.left, table.getState().columnPinning.right], (allColumns, leafColumns, left, right) => {
       var _left$map$filter, _right$map$filter;
@@ -2418,7 +3361,7 @@ const RowSorting = {
   }
 };
 const builtInFeatures = [
-  Headers,
+  Headers$1,
   ColumnVisibility,
   ColumnOrdering,
   ColumnPinning,
@@ -38972,7 +39915,7 @@ function requireLodash() {
         var reIsNative = RegExp2(
           "^" + funcToString.call(hasOwnProperty).replace(reRegExpChar, "\\$&").replace(/hasOwnProperty|(function).*?(?=\\\()| for .+?(?=\\\])/g, "$1.*?") + "$"
         );
-        var Buffer = moduleExports ? context.Buffer : undefined$1, Symbol2 = context.Symbol, Uint8Array = context.Uint8Array, allocUnsafe = Buffer ? Buffer.allocUnsafe : undefined$1, getPrototype = overArg(Object2.getPrototypeOf, Object2), objectCreate = Object2.create, propertyIsEnumerable = objectProto.propertyIsEnumerable, splice = arrayProto.splice, spreadableSymbol = Symbol2 ? Symbol2.isConcatSpreadable : undefined$1, symIterator = Symbol2 ? Symbol2.iterator : undefined$1, symToStringTag = Symbol2 ? Symbol2.toStringTag : undefined$1;
+        var Buffer2 = moduleExports ? context.Buffer : undefined$1, Symbol2 = context.Symbol, Uint8Array2 = context.Uint8Array, allocUnsafe = Buffer2 ? Buffer2.allocUnsafe : undefined$1, getPrototype = overArg(Object2.getPrototypeOf, Object2), objectCreate = Object2.create, propertyIsEnumerable = objectProto.propertyIsEnumerable, splice = arrayProto.splice, spreadableSymbol = Symbol2 ? Symbol2.isConcatSpreadable : undefined$1, symIterator = Symbol2 ? Symbol2.iterator : undefined$1, symToStringTag = Symbol2 ? Symbol2.toStringTag : undefined$1;
         var defineProperty = (function() {
           try {
             var func = getNative(Object2, "defineProperty");
@@ -38982,7 +39925,7 @@ function requireLodash() {
           }
         })();
         var ctxClearTimeout = context.clearTimeout !== root.clearTimeout && context.clearTimeout, ctxNow = Date2 && Date2.now !== root.Date.now && Date2.now, ctxSetTimeout = context.setTimeout !== root.setTimeout && context.setTimeout;
-        var nativeCeil = Math2.ceil, nativeFloor = Math2.floor, nativeGetSymbols = Object2.getOwnPropertySymbols, nativeIsBuffer = Buffer ? Buffer.isBuffer : undefined$1, nativeIsFinite = context.isFinite, nativeJoin = arrayProto.join, nativeKeys = overArg(Object2.keys, Object2), nativeMax = Math2.max, nativeMin = Math2.min, nativeNow = Date2.now, nativeParseInt = context.parseInt, nativeRandom = Math2.random, nativeReverse = arrayProto.reverse;
+        var nativeCeil = Math2.ceil, nativeFloor = Math2.floor, nativeGetSymbols = Object2.getOwnPropertySymbols, nativeIsBuffer = Buffer2 ? Buffer2.isBuffer : undefined$1, nativeIsFinite = context.isFinite, nativeJoin = arrayProto.join, nativeKeys = overArg(Object2.keys, Object2), nativeMax = Math2.max, nativeMin = Math2.min, nativeNow = Date2.now, nativeParseInt = context.parseInt, nativeRandom = Math2.random, nativeReverse = arrayProto.reverse;
         var DataView = getNative(context, "DataView"), Map2 = getNative(context, "Map"), Promise2 = getNative(context, "Promise"), Set2 = getNative(context, "Set"), WeakMap2 = getNative(context, "WeakMap"), nativeCreate = getNative(Object2, "create");
         var metaMap = WeakMap2 && new WeakMap2();
         var realNames = {};
@@ -40274,7 +41217,7 @@ function requireLodash() {
         }
         function cloneArrayBuffer(arrayBuffer) {
           var result2 = new arrayBuffer.constructor(arrayBuffer.byteLength);
-          new Uint8Array(result2).set(new Uint8Array(arrayBuffer));
+          new Uint8Array2(result2).set(new Uint8Array2(arrayBuffer));
           return result2;
         }
         function cloneDataView(dataView, isDeep) {
@@ -40878,7 +41821,7 @@ function requireLodash() {
               object2 = object2.buffer;
               other = other.buffer;
             case arrayBufferTag:
-              if (object2.byteLength != other.byteLength || !equalFunc(new Uint8Array(object2), new Uint8Array(other))) {
+              if (object2.byteLength != other.byteLength || !equalFunc(new Uint8Array2(object2), new Uint8Array2(other))) {
                 return false;
               }
               return true;
@@ -44760,22 +45703,28 @@ function Login({
   subtitle,
   signupLabel = "Don't have an account?",
   signupLinkLabel = "Sign up",
-  signupHref = "#",
+  signupHref,
   forgotPasswordLabel = "Forgot your password?",
   forgotPasswordLinkLabel = "Reset Here",
   forgotPasswordHref,
   rightImageSrc,
   rightImageAlt = "Login image",
+  showRightImage = true,
   className,
   continueWith,
   children
 }) {
+  const shouldRenderRightColumn = showRightImage;
   return /* @__PURE__ */ jsxs(
     "div",
     {
-      className: ["grid min-h-dvh grid-cols-1 md:grid-cols-2", className].filter(Boolean).join(" "),
+      className: [
+        "mx-auto grid min-h-dvh w-full max-w-[1920px] grid-cols-1 lg:min-h-[768px]",
+        shouldRenderRightColumn ? "lg:grid-cols-[minmax(0,_1fr)_minmax(384px,_1fr)]" : null,
+        className
+      ].filter(Boolean).join(" "),
       children: [
-        /* @__PURE__ */ jsx("div", { className: "flex items-center justify-center p-6 md:p-10", children: /* @__PURE__ */ jsxs("div", { className: "w-full max-w-md", children: [
+        /* @__PURE__ */ jsx("div", { className: "flex min-h-0 items-center justify-center p-6 sm:p-8 lg:p-12", children: /* @__PURE__ */ jsxs("div", { className: "w-full max-w-md", children: [
           /* @__PURE__ */ jsxs("div", { className: "mb-6 text-center", children: [
             /* @__PURE__ */ jsx("h1", { className: "text-2xl font-bold leading-tight tracking-tight", children: appTitle }),
             subtitle ? /* @__PURE__ */ jsx("p", { className: "text-muted-foreground mt-1 text-sm", children: subtitle }) : null
@@ -44799,13 +45748,13 @@ function Login({
               /* @__PURE__ */ jsx("div", { className: "grid gap-3", children: continueWith })
             ] }) : null
           ] }),
-          /* @__PURE__ */ jsxs("div", { className: "mt-6 text-center text-sm", children: [
+          signupHref ? /* @__PURE__ */ jsxs("div", { className: "mt-6 text-center text-sm", children: [
             signupLabel,
             " ",
             /* @__PURE__ */ jsx("a", { href: signupHref, className: "underline underline-offset-4", children: signupLinkLabel })
-          ] })
+          ] }) : null
         ] }) }),
-        /* @__PURE__ */ jsx("div", { className: "hidden md:block", children: rightImageSrc ? /* @__PURE__ */ jsx(
+        shouldRenderRightColumn ? /* @__PURE__ */ jsx("div", { className: "hidden max-h-[1280px] lg:block", children: rightImageSrc ? /* @__PURE__ */ jsx(
           "img",
           {
             src: rightImageSrc,
@@ -44813,7 +45762,7 @@ function Login({
             className: "h-full w-full object-cover",
             loading: "lazy"
           }
-        ) : /* @__PURE__ */ jsx("div", { className: "h-full w-full bg-muted" }) })
+        ) : /* @__PURE__ */ jsx("div", { className: "h-full w-full bg-muted" }) }) : null
       ]
     }
   );
@@ -45935,7 +46884,8 @@ function AdminLayoutContent({
   sidebarHeaderTitle,
   sidebarHeaderIcon,
   headerAfterTrigger,
-  headerAfterTheme
+  headerAfterTheme,
+  onLogout
 }) {
   const { groups: sidebarGroups } = useAdminSidebarMenu();
   const location = useLocation();
@@ -46034,11 +46984,14 @@ function AdminLayoutContent({
               }
             )
           ] }, group.id)) }),
-          /* @__PURE__ */ jsx(SidebarFooter, { className: "bg-sidebar border-t border-sidebar-border px-2 py-3", children: /* @__PURE__ */ jsx(SidebarMenu, { children: /* @__PURE__ */ jsx(SidebarMenuItem, { className: "group-data-[collapsible=icon]:flex group-data-[collapsible=icon]:w-full group-data-[collapsible=icon]:justify-center", children: /* @__PURE__ */ jsx(
+          onLogout && /* @__PURE__ */ jsx(SidebarFooter, { className: "bg-sidebar border-t border-sidebar-border px-2 py-3", children: /* @__PURE__ */ jsx(SidebarMenu, { children: /* @__PURE__ */ jsx(SidebarMenuItem, { className: "group-data-[collapsible=icon]:flex group-data-[collapsible=icon]:w-full group-data-[collapsible=icon]:justify-center", children: /* @__PURE__ */ jsx(
             SidebarMenuButton,
             {
               tooltip: "Logout",
-              className: "group relative overflow-hidden rounded-lg mx-1 transition-all duration-200 hover:bg-sidebar-accent/70 hover:text-sidebar-accent-foreground group-data-[collapsible=icon]:flex group-data-[collapsible=icon]:w-full group-data-[collapsible=icon]:items-center group-data-[collapsible=icon]:!justify-center group-data-[collapsible=icon]:!px-0 group-data-[collapsible=icon]:!gap-0",
+              className: "cursor-pointer group relative overflow-hidden rounded-lg mx-1 transition-all duration-200 hover:bg-sidebar-accent/70 hover:text-sidebar-accent-foreground group-data-[collapsible=icon]:flex group-data-[collapsible=icon]:w-full group-data-[collapsible=icon]:items-center group-data-[collapsible=icon]:!justify-center group-data-[collapsible=icon]:!px-0 group-data-[collapsible=icon]:!gap-0",
+              onClick: () => {
+                void onLogout();
+              },
               children: /* @__PURE__ */ jsxs("div", { className: "flex items-center gap-3 px-3 py-2.5 group-data-[collapsible=icon]:w-full group-data-[collapsible=icon]:items-center group-data-[collapsible=icon]:!justify-center group-data-[collapsible=icon]:!gap-0 group-data-[collapsible=icon]:!px-0", children: [
                 /* @__PURE__ */ jsx(LogOut, { className: "h-4 w-4 text-sidebar-foreground group-hover:text-sidebar-accent-foreground group-data-[collapsible=icon]:mx-auto group-data-[collapsible=icon]:mr-0" }),
                 /* @__PURE__ */ jsx("span", { className: "font-medium text-sidebar-foreground group-hover:text-sidebar-accent-foreground group-data-[collapsible=icon]:hidden", children: "Logout" })
@@ -46071,7 +47024,8 @@ function AdminLayout({
   sidebarHeaderTitle,
   sidebarHeaderIcon,
   headerAfterTrigger,
-  headerAfterTheme
+  headerAfterTheme,
+  onLogout
 }) {
   return /* @__PURE__ */ jsx(AdminMenuProvider, { children: /* @__PURE__ */ jsx(SidebarProvider, { children: /* @__PURE__ */ jsx(
     AdminLayoutContent,
@@ -46083,6 +47037,7 @@ function AdminLayout({
       sidebarHeaderIcon,
       headerAfterTrigger,
       headerAfterTheme,
+      onLogout,
       children
     }
   ) }) });
@@ -52233,8 +53188,8 @@ function require_Uint8Array() {
   if (hasRequired_Uint8Array) return _Uint8Array;
   hasRequired_Uint8Array = 1;
   var root = require_root();
-  var Uint8Array = root.Uint8Array;
-  _Uint8Array = Uint8Array;
+  var Uint8Array2 = root.Uint8Array;
+  _Uint8Array = Uint8Array2;
   return _Uint8Array;
 }
 var _mapToArray;
@@ -52272,7 +53227,7 @@ var hasRequired_equalByTag;
 function require_equalByTag() {
   if (hasRequired_equalByTag) return _equalByTag;
   hasRequired_equalByTag = 1;
-  var Symbol2 = require_Symbol(), Uint8Array = require_Uint8Array(), eq = requireEq(), equalArrays = require_equalArrays(), mapToArray = require_mapToArray(), setToArray = require_setToArray();
+  var Symbol2 = require_Symbol(), Uint8Array2 = require_Uint8Array(), eq = requireEq(), equalArrays = require_equalArrays(), mapToArray = require_mapToArray(), setToArray = require_setToArray();
   var COMPARE_PARTIAL_FLAG = 1, COMPARE_UNORDERED_FLAG = 2;
   var boolTag = "[object Boolean]", dateTag = "[object Date]", errorTag = "[object Error]", mapTag = "[object Map]", numberTag = "[object Number]", regexpTag = "[object RegExp]", setTag = "[object Set]", stringTag = "[object String]", symbolTag = "[object Symbol]";
   var arrayBufferTag = "[object ArrayBuffer]", dataViewTag = "[object DataView]";
@@ -52286,7 +53241,7 @@ function require_equalByTag() {
         object2 = object2.buffer;
         other = other.buffer;
       case arrayBufferTag:
-        if (object2.byteLength != other.byteLength || !equalFunc(new Uint8Array(object2), new Uint8Array(other))) {
+        if (object2.byteLength != other.byteLength || !equalFunc(new Uint8Array2(object2), new Uint8Array2(other))) {
           return false;
         }
         return true;
@@ -52471,8 +53426,8 @@ function requireIsBuffer() {
     var freeExports = exports && !exports.nodeType && exports;
     var freeModule = freeExports && true && module && !module.nodeType && module;
     var moduleExports = freeModule && freeModule.exports === freeExports;
-    var Buffer = moduleExports ? root.Buffer : void 0;
-    var nativeIsBuffer = Buffer ? Buffer.isBuffer : void 0;
+    var Buffer2 = moduleExports ? root.Buffer : void 0;
+    var nativeIsBuffer = Buffer2 ? Buffer2.isBuffer : void 0;
     var isBuffer2 = nativeIsBuffer || stubFalse;
     module.exports = isBuffer2;
   })(isBuffer, isBuffer.exports);
@@ -64062,6 +65017,7 @@ export {
   AlertDialogTrigger,
   AlertTitle,
   AspectRatio,
+  AuthProvider,
   Autocomplete,
   Avatar,
   AvatarFallback,
@@ -64077,6 +65033,7 @@ export {
   Button$1 as Button,
   Calendar,
   CalendarDayButton,
+  Can,
   Card,
   CardAction,
   CardContent,
@@ -64224,6 +65181,7 @@ export {
   Progress,
   RadioGroup$1 as RadioGroup,
   RadioGroupItem,
+  RequireAuth,
   ResizableHandle,
   ResizablePanel,
   ResizablePanelGroup,
@@ -64249,6 +65207,10 @@ export {
   SheetHeader,
   SheetTitle,
   SheetTrigger,
+  ShowWhenAuthenticated,
+  ShowWhenError,
+  ShowWhenLoading,
+  ShowWhenUnauthenticated,
   Sidebar,
   SidebarContent,
   SidebarFooter,
@@ -64302,27 +65264,63 @@ export {
   TooltipTrigger,
   badgeVariants,
   buttonVariants,
+  checkPermissions,
+  checkRoles,
   cn$1 as cn,
   commonForms,
   commonValidations,
   conditions,
+  createApolloAuthLink,
+  createAuthAdapter,
+  createAuthFetch,
+  createAxiosAuthInterceptor,
+  createBrowserStorage,
+  createCookieStorage,
   createDependency,
   createField,
+  createGraphQLAuthAdapter,
+  createMemoryStorage,
+  createRESTAuthAdapter,
   createSection,
+  createStorage,
+  createTokenManager,
   dotAccessor,
+  evaluatePermissionRule,
+  expandPermissions,
+  expandRoles,
   navigationMenuTriggerStyle,
   toast,
   toggleVariants,
   transformers,
   useAdminSidebarMenu,
   useAdminSidebarMenuRegistration,
+  useAuth,
+  useAuthContext,
+  useAuthError,
+  useAuthPermissions,
+  useAuthRoles,
+  useAuthSession,
+  useAuthStatus,
+  useAuthToken,
+  useAuthUser,
+  useCan,
   useDialog,
   useDialogController,
   useFormBuilder,
   useFormField,
+  useIsAuthenticated,
   useIsMobile,
+  useIsTokenExpired,
+  useLogin,
+  useLogout,
+  usePermission,
+  useRefresh,
+  useRole,
+  useSetSession,
   useSidebar,
   useStackDialog,
   useTheme,
-  validators
+  useTimeUntilExpiry,
+  validators,
+  withPermission
 };