@kaiord/garmin-connect 5.0.0 → 7.0.0

package/dist/index.js

@@ -1,80 +1,104 @@
-import { createConsoleLogger, createServiceAuthError, createServiceApiError, toText } from '@kaiord/core';
+import { createConsoleLogger, createServiceAuthError, createServiceApiError, fromText, toText } from '@kaiord/core';
 import fetchCookie from 'fetch-cookie';
 import { createHmac } from 'crypto';
 import OAuth from 'oauth-1.0a';
 import { z } from 'zod';
-import { createGarminWriter } from '@kaiord/garmin';
+import { createGarminWriter, createGarminReader } from '@kaiord/garmin';
 import { unlink, readFile, mkdir, writeFile } from 'fs/promises';
 import { homedir } from 'os';
 import { join, dirname } from 'path';
 
 // src/adapters/auth/garmin-auth-provider.ts
 var createCookieFetch = () => fetchCookie(globalThis.fetch);
-var makeRequest = (url, init, refresh, fetchFn) => {
-  if (!refresh.state.oauth2Token) {
-    throw createServiceApiError("Token unavailable after refresh", 401);
-  }
-  return fetchFn(url, {
-    ...init,
-    headers: {
-      ...init?.headers,
-      Authorization: `Bearer ${refresh.state.oauth2Token.access_token}`
-    }
-  });
-};
-var authFetch = async (url, init, refresh, fetchFn) => {
-  if (!refresh.state.oauth2Token) {
-    throw createServiceApiError("Not authenticated", 401);
-  }
-  if (refresh.state.oauth2Token.expires_at < Math.floor(Date.now() / 1e3)) {
-    await refresh.ensureFreshToken();
-  }
-  const res = await makeRequest(url, init, refresh, fetchFn);
-  if (res.status === 401) {
-    await refresh.ensureFreshToken();
-    const retry = await makeRequest(url, init, refresh, fetchFn);
-    if (!retry.ok) {
-      throw createServiceApiError(
-        `API request failed after token refresh: ${retry.statusText}`,
-        retry.status
-      );
-    }
-    return retry;
-  }
-  if (!res.ok) {
-    throw createServiceApiError(
-      `API request failed: ${res.statusText}`,
-      res.status
-    );
-  }
-  return res;
-};
 
 // src/adapters/http/urls.ts
 var GARMIN_SSO_ORIGIN = "https://sso.garmin.com";
 var GARMIN_SSO_EMBED = "https://sso.garmin.com/sso/embed";
 var SIGNIN_URL = "https://sso.garmin.com/sso/signin";
-var GC_MODERN = "https://connect.garmin.com/modern";
 var API_BASE = "https://connectapi.garmin.com";
 var OAUTH_URL = `${API_BASE}/oauth-service/oauth`;
 var WORKOUT_URL = `${API_BASE}/workout-service`;
 var OAUTH_CONSUMER_URL = "https://thegarth.s3.amazonaws.com/oauth_consumer.json";
 var USER_AGENT_MOBILE = "com.garmin.android.apps.connectmobile";
-var USER_AGENT_BROWSER = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36";
+var USER_AGENT_SSO = "GCM-iOS-5.7.2.1";
 
 // src/adapters/http/oauth-consumer.ts
-var fetchOAuthConsumer = async (fetchFn) => {
+var fetchOAuthConsumer = async (fetchFn, logger) => {
+  logger.debug("[SSO] Fetching OAuth consumer credentials");
   const res = await fetchFn(OAUTH_CONSUMER_URL);
   if (!res.ok) {
+    logger.error("[SSO] OAuth consumer fetch failed", { status: res.status });
     throw createServiceAuthError(
       `Failed to fetch OAuth consumer: ${res.status} ${res.statusText}`
     );
   }
+  logger.debug("[SSO] OAuth consumer fetch", { status: res.status });
   const data = await res.json();
   return { key: data.consumer_key, secret: data.consumer_secret };
 };
-var ACCOUNT_LOCKED_RE = /var status\s*=\s*"([^"]*)"/;
+
+// src/adapters/http/sso-html-diagnostics.ts
 var PAGE_TITLE_RE = /<title>([^<]*)<\/title>/;
+var extractTitle = (html) => {
+  const match = PAGE_TITLE_RE.exec(html);
+  return match?.[1] ?? "unknown";
+};
+var logCsrfResult = (logger, status, size, found) => {
+  logger.debug("[SSO] CSRF fetch", { status, size });
+  if (!found) logger.warn("[SSO] CSRF token not found in response");
+};
+var logLoginResponse = (logger, status, size) => {
+  logger.debug("[SSO] Login response", { status, size });
+};
+var logLoginHtmlDiagnostics = (html, ticketFound, logger) => {
+  const title = extractTitle(html);
+  const size = new TextEncoder().encode(html).byteLength;
+  logger.debug("[SSO] Page title", { title });
+  if (/\bmfa\b/i.test(html)) logger.warn("[SSO] MFA detected");
+  if (/\berror\b/i.test(html)) logger.warn("[SSO] Error indicators found");
+  if (ticketFound) {
+    logger.debug("[SSO] Ticket found in HTML");
+  } else {
+    logger.warn("[SSO] Ticket not found in HTML", { size, title });
+  }
+};
+
+// src/adapters/http/sso-submit.ts
+var buildLoginParams = () => new URLSearchParams({
+  id: "gauth-widget",
+  embedWidget: "true",
+  gauthHost: GARMIN_SSO_EMBED,
+  service: GARMIN_SSO_EMBED,
+  source: GARMIN_SSO_EMBED,
+  redirectAfterAccountLoginUrl: GARMIN_SSO_EMBED,
+  redirectAfterAccountCreationUrl: GARMIN_SSO_EMBED
+});
+var submitLogin = async (input) => {
+  const { username, password, csrf, fetchFn, logger } = input;
+  logger.debug("[SSO] Submitting login");
+  const body = new URLSearchParams({
+    username,
+    password,
+    embed: "true",
+    _csrf: csrf
+  });
+  const loginRes = await fetchFn(`${SIGNIN_URL}?${buildLoginParams()}`, {
+    method: "POST",
+    headers: {
+      "Content-Type": "application/x-www-form-urlencoded",
+      Origin: GARMIN_SSO_ORIGIN,
+      Referer: `${SIGNIN_URL}?${buildLoginParams()}`,
+      "User-Agent": USER_AGENT_SSO
+    },
+    body: body.toString()
+  });
+  const html = await loginRes.text();
+  const size = new TextEncoder().encode(html).byteLength;
+  logLoginResponse(logger, loginRes.status, size);
+  return { html, status: loginRes.status };
+};
+var ACCOUNT_LOCKED_RE = /var status\s*=\s*"([^"]*)"/;
+var PAGE_TITLE_RE2 = /<title>([^<]*)<\/title>/;
 var checkAccountLocked = (html) => {
   const match = ACCOUNT_LOCKED_RE.exec(html);
   if (match && match[1] === "ACCOUNT_LOCKED") {
@@ -84,7 +108,7 @@ var checkAccountLocked = (html) => {
   }
 };
 var checkPageTitle = (html, logger) => {
-  const match = PAGE_TITLE_RE.exec(html);
+  const match = PAGE_TITLE_RE2.exec(html);
   if (match?.[1]?.includes("Update Phone Number")) {
     throw createServiceAuthError("Login failed: phone number update required.");
   }
@@ -96,69 +120,66 @@ var checkPageTitle = (html, logger) => {
 // src/adapters/http/sso-login.ts
 var CSRF_RE = /name="_csrf"\s+value="(.+?)"/;
 var TICKET_RE = /ticket=([^"]+)"/;
-var fetchCsrfToken = async (fetchFn) => {
-  const signinParams = new URLSearchParams({
-    id: "gauth-widget",
-    embedWidget: "true",
-    locale: "en",
-    gauthHost: GARMIN_SSO_EMBED
+var buildSigninParams = () => new URLSearchParams({
+  id: "gauth-widget",
+  embedWidget: "true",
+  gauthHost: GARMIN_SSO_EMBED,
+  service: GARMIN_SSO_EMBED,
+  source: GARMIN_SSO_EMBED,
+  redirectAfterAccountLoginUrl: GARMIN_SSO_EMBED,
+  redirectAfterAccountCreationUrl: GARMIN_SSO_EMBED
+});
+var fetchCsrfToken = async (fetchFn, embedUrl, logger) => {
+  logger.debug("[SSO] Fetching CSRF token");
+  const signinParams = buildSigninParams();
+  const csrfRes = await fetchFn(`${SIGNIN_URL}?${signinParams}`, {
+    headers: {
+      "User-Agent": USER_AGENT_SSO,
+      Referer: embedUrl
+    }
   });
-  const csrfRes = await fetchFn(`${SIGNIN_URL}?${signinParams}`);
+  const csrfHtml = await csrfRes.text();
+  const csrfMatch = CSRF_RE.exec(csrfHtml);
+  const size = new TextEncoder().encode(csrfHtml).byteLength;
+  logCsrfResult(logger, csrfRes.status, size, !!csrfMatch);
   if (!csrfRes.ok) {
     throw createServiceAuthError(
       `SSO login page returned ${csrfRes.status}: ${csrfRes.statusText}`
     );
   }
-  const csrfHtml = await csrfRes.text();
-  const csrfMatch = CSRF_RE.exec(csrfHtml);
   if (!csrfMatch) {
     throw createServiceAuthError("CSRF token not found on login page");
   }
   return csrfMatch[1];
 };
-var submitLogin = async (username, password, csrf, fetchFn) => {
-  const loginParams = new URLSearchParams({
+var getLoginTicket = async (username, password, fetchFn, logger) => {
+  const embedParams = new URLSearchParams({
     id: "gauth-widget",
     embedWidget: "true",
-    clientId: "GarminConnect",
-    locale: "en",
-    gauthHost: GARMIN_SSO_EMBED,
-    service: GARMIN_SSO_EMBED,
-    source: GARMIN_SSO_EMBED,
-    redirectAfterAccountLoginUrl: GARMIN_SSO_EMBED,
-    redirectAfterAccountCreationUrl: GARMIN_SSO_EMBED
+    gauthHost: "https://sso.garmin.com/sso"
   });
-  const body = new URLSearchParams({
+  const embedUrl = `${GARMIN_SSO_EMBED}?${embedParams}`;
+  const embedRes = await fetchFn(embedUrl, {
+    headers: { "User-Agent": USER_AGENT_SSO }
+  });
+  logger.debug("[SSO] Embed bootstrap", { status: embedRes.status });
+  if (!embedRes.ok) {
+    throw createServiceAuthError(
+      `SSO embed bootstrap failed: ${embedRes.status} ${embedRes.statusText}`
+    );
+  }
+  const csrf = await fetchCsrfToken(fetchFn, embedUrl, logger);
+  const { html: loginHtml } = await submitLogin({
     username,
     password,
-    embed: "true",
-    _csrf: csrf
-  });
-  const loginRes = await fetchFn(`${SIGNIN_URL}?${loginParams}`, {
-    method: "POST",
-    headers: {
-      "Content-Type": "application/x-www-form-urlencoded",
-      Dnt: "1",
-      Origin: GARMIN_SSO_ORIGIN,
-      Referer: SIGNIN_URL,
-      "User-Agent": USER_AGENT_BROWSER
-    },
-    body: body.toString()
-  });
-  return loginRes.text();
-};
-var getLoginTicket = async (username, password, fetchFn, logger) => {
-  const embedParams = new URLSearchParams({
-    clientId: "GarminConnect",
-    locale: "en",
-    service: GC_MODERN
+    csrf,
+    fetchFn,
+    logger
   });
-  await fetchFn(`${GARMIN_SSO_EMBED}?${embedParams}`);
-  const csrf = await fetchCsrfToken(fetchFn);
-  const loginHtml = await submitLogin(username, password, csrf, fetchFn);
   checkAccountLocked(loginHtml);
   checkPageTitle(loginHtml, logger);
   const ticketMatch = TICKET_RE.exec(loginHtml);
+  logLoginHtmlDiagnostics(loginHtml, !!ticketMatch, logger);
   if (!ticketMatch) {
     throw createServiceAuthError(
       "Login failed: ticket not found. Check username and password."
@@ -184,7 +205,7 @@ var createOAuthSigner = (consumer) => {
 };
 
 // src/adapters/http/sso-oauth.ts
-var getOAuth1Token = async (ticket, consumer, fetchFn) => {
+var getOAuth1Token = async (ticket, consumer, fetchFn, logger) => {
   const signer = createOAuthSigner(consumer);
   const params = new URLSearchParams({
     ticket,
@@ -196,6 +217,7 @@ var getOAuth1Token = async (ticket, consumer, fetchFn) => {
   const res = await fetchFn(url, {
     headers: { ...headers, "User-Agent": USER_AGENT_MOBILE }
   });
+  logger.debug("[SSO] OAuth1 token response", { status: res.status });
   if (!res.ok) {
     throw createServiceAuthError(
       `OAuth1 token request failed: ${res.status} ${res.statusText}`
@@ -210,7 +232,7 @@ var getOAuth1Token = async (ticket, consumer, fetchFn) => {
   }
   return { oauth_token: oauthToken, oauth_token_secret: oauthTokenSecret };
 };
-var exchangeOAuth2 = async (oauth1, consumer, fetchFn) => {
+var exchangeOAuth2 = async (oauth1, consumer, fetchFn, logger) => {
   const signer = createOAuthSigner(consumer);
   const baseUrl = `${OAUTH_URL}/exchange/user/2.0`;
   const token = {
@@ -226,6 +248,7 @@ var exchangeOAuth2 = async (oauth1, consumer, fetchFn) => {
       "Content-Type": "application/x-www-form-urlencoded"
     }
   });
+  logger.debug("[SSO] OAuth2 exchange response", { status: res.status });
   if (!res.ok) {
     throw createServiceAuthError(
       `OAuth2 exchange failed: ${res.status} ${res.statusText}`
@@ -241,74 +264,179 @@ var exchangeOAuth2 = async (oauth1, consumer, fetchFn) => {
 // src/adapters/http/garmin-sso.ts
 var garminSso = async (username, password, logger, fetchFn) => {
   logger.info("Starting Garmin Connect SSO login");
-  const consumer = await fetchOAuthConsumer(fetchFn);
+  logger.info("[SSO] Step 1/4: OAuth consumer");
+  const consumer = await fetchOAuthConsumer(fetchFn, logger);
+  logger.info("[SSO] Step 2/4: Login ticket");
   const ticket = await getLoginTicket(username, password, fetchFn, logger);
-  logger.debug("SSO ticket obtained");
-  const oauth1 = await getOAuth1Token(ticket, consumer, fetchFn);
-  logger.debug("OAuth1 token obtained");
-  const oauth2 = await exchangeOAuth2(oauth1, consumer, fetchFn);
+  logger.info("[SSO] Step 3/4: OAuth1 token");
+  const oauth1 = await getOAuth1Token(ticket, consumer, fetchFn, logger);
+  logger.info("[SSO] Step 4/4: OAuth2 exchange");
+  const oauth2 = await exchangeOAuth2(oauth1, consumer, fetchFn, logger);
   logger.info("Garmin Connect SSO login successful");
   return { oauth1, oauth2 };
 };
+var oauth1TokenSchema = z.object({
+  oauth_token: z.string(),
+  oauth_token_secret: z.string()
+});
+var oauth2TokenSchema = z.object({
+  access_token: z.string(),
+  refresh_token: z.string(),
+  token_type: z.string(),
+  expires_in: z.number(),
+  refresh_token_expires_in: z.number(),
+  expires_at: z.number()
+});
+var garminTokensSchema = z.object({
+  oauth1: oauth1TokenSchema,
+  oauth2: oauth2TokenSchema
+});
 
-// src/adapters/http/token-refresh.ts
-var notifyAll = (subs, token) => {
-  subs.forEach((s) => s.resolve(token));
-};
-var rejectAll = (subs, error) => {
-  subs.forEach((s) => s.reject(error));
+// src/adapters/auth/garmin-auth-provider.ts
+var buildAuthProvider = (tm, logger, fetchFn) => ({
+  login: async (username, password) => {
+    const result = await garminSso(username, password, logger, fetchFn);
+    await tm.setTokens(result.oauth1, result.oauth2);
+  },
+  is_authenticated: () => tm.isAuthenticated(),
+  export_tokens: async () => {
+    const oauth1 = tm.getOAuth1Token();
+    const oauth2 = tm.getOAuth2Token();
+    if (!oauth1 || !oauth2) {
+      throw createServiceAuthError("No tokens to export");
+    }
+    return { oauth1: { ...oauth1 }, oauth2: { ...oauth2 } };
+  },
+  restore_tokens: async (data) => {
+    const parsed = garminTokensSchema.parse(data);
+    await tm.setTokens(parsed.oauth1, parsed.oauth2);
+    logger.info("Tokens restored from stored session");
+  },
+  logout: async () => {
+    await tm.clearTokens();
+    logger.info("Logged out from Garmin Connect");
+  }
+});
+var createGarminAuthProvider = (options) => {
+  const logger = options.logger ?? createConsoleLogger();
+  const fetchFn = options.fetchFn ?? createCookieFetch();
+  return buildAuthProvider(options.tokenManager, logger, fetchFn);
 };
-var getOrFetchConsumer = async (state, fetchFn) => {
-  if (state.consumer) return state.consumer;
-  state.consumer = await fetchOAuthConsumer(fetchFn);
-  return state.consumer;
+var persistBestEffort = async (store, oauth1, oauth2, logger) => {
+  if (!store) return;
+  try {
+    await store.save({ oauth1, oauth2 });
+  } catch (error) {
+    logger.warn("Failed to persist tokens", {
+      errorName: error instanceof Error ? error.name : typeof error
+    });
+  }
 };
-var doRefreshToken = async (state, fetchFn, logger) => {
-  if (!state.oauth1Token || !state.oauth2Token) {
-    throw createServiceApiError("No tokens available for refresh", 401);
+var isExpired = (oauth2) => !oauth2 || oauth2.expires_at <= Date.now() / 1e3;
+var doRefresh = (s, refreshFn, logger, tokenStore) => {
+  if (!s.oauth1) {
+    throw createServiceApiError("No OAuth1 token for refresh", 401);
   }
-  const cons = await getOrFetchConsumer(state, fetchFn);
-  state.oauth2Token = await exchangeOAuth2(state.oauth1Token, cons, fetchFn);
-  logger.info("OAuth2 token refreshed");
-};
-var createTokenRefreshManager = (fetchFn, logger) => {
-  const state = {
-    oauth1Token: void 0,
-    oauth2Token: void 0,
-    consumer: void 0
+  const currentOAuth1 = s.oauth1;
+  const generationAtStart = s.generation;
+  s.refreshPromise = refreshFn(currentOAuth1).then(async (newOAuth2) => {
+    if (s.generation !== generationAtStart) return;
+    s.oauth2 = newOAuth2;
+    s.generation++;
+    logger.info("Token refreshed", { generation: s.generation });
+    await persistBestEffort(tokenStore, currentOAuth1, newOAuth2, logger);
+  }).finally(() => {
+    s.refreshPromise = void 0;
+  });
+  return s.refreshPromise;
+};
+var restoreFromStore = async (s, tokenStore, logger) => {
+  const data = await tokenStore.load();
+  if (!data) return { restored: false };
+  if (s.oauth1 && s.oauth2) return { restored: false };
+  const parsed = garminTokensSchema.safeParse(data);
+  if (!parsed.success) return { restored: false };
+  s.oauth1 = parsed.data.oauth1;
+  s.oauth2 = parsed.data.oauth2;
+  s.generation++;
+  if (isExpired(s.oauth2)) logger.warn("Restored tokens are expired");
+  logger.info("Tokens restored from store", { generation: s.generation });
+  return { restored: true };
+};
+
+// src/adapters/token/token-manager.ts
+var createTokenManager = (options) => {
+  const { refreshFn, logger, tokenStore } = options;
+  const s = {
+    oauth1: void 0,
+    oauth2: void 0,
+    generation: 0,
+    refreshPromise: void 0
   };
-  let isRefreshing = false;
-  let subscribers = [];
   return {
-    state,
-    ensureFreshToken: async () => {
-      if (isRefreshing) {
-        await new Promise((resolve, reject) => {
-          subscribers.push({ resolve, reject });
-        });
-        return;
-      }
-      isRefreshing = true;
-      try {
-        await doRefreshToken(state, fetchFn, logger);
-        if (state.oauth2Token)
-          notifyAll(subscribers, state.oauth2Token.access_token);
-        subscribers = [];
-      } catch (error) {
-        rejectAll(subscribers, error);
-        subscribers = [];
-        throw error;
-      } finally {
-        isRefreshing = false;
-      }
+    getAccessToken: () => s.oauth2?.access_token,
+    getOAuth1Token: () => s.oauth1 ? { ...s.oauth1 } : void 0,
+    getOAuth2Token: () => s.oauth2 ? { ...s.oauth2 } : void 0,
+    getGeneration: () => s.generation,
+    isAuthenticated: () => !!s.oauth2 && !isExpired(s.oauth2),
+    setTokens: async (o1, o2) => {
+      s.oauth1 = o1;
+      s.oauth2 = o2;
+      s.generation++;
+      logger.info("Tokens set", { generation: s.generation });
+      await persistBestEffort(tokenStore, o1, o2, logger);
+    },
+    clearTokens: async () => {
+      s.oauth1 = void 0;
+      s.oauth2 = void 0;
+      s.refreshPromise = void 0;
+      s.generation++;
+      logger.info("Tokens cleared");
+      if (tokenStore) await tokenStore.clear();
+    },
+    refresh: async () => {
+      if (s.refreshPromise) return s.refreshPromise;
+      return doRefresh(s, refreshFn, logger, tokenStore);
+    },
+    init: async () => {
+      if (s.oauth1 && s.oauth2) return { restored: false };
+      if (!tokenStore) return { restored: false };
+      return restoreFromStore(s, tokenStore, logger);
     }
   };
 };
+var sendRequest = (url, init, token, fetchFn) => fetchFn(url, {
+  ...init,
+  headers: { ...init?.headers, Authorization: `Bearer ${token}` }
+});
+var getTokenOrThrow = (reader, msg) => {
+  const token = reader.getAccessToken();
+  if (!token) throw createServiceApiError(msg, 401);
+  return token;
+};
+var handleNonOk = (res, prefix) => {
+  throw createServiceApiError(`${prefix}: ${res.statusText}`, res.status);
+};
+var authFetch = async (url, init, reader, fetchFn) => {
+  if (!reader.isAuthenticated()) await reader.refresh();
+  const gen = reader.getGeneration();
+  const token = getTokenOrThrow(reader, "Not authenticated");
+  const res = await sendRequest(url, init, token, fetchFn);
+  if (res.status !== 401) {
+    if (!res.ok) handleNonOk(res, "API request failed");
+    return res;
+  }
+  if (reader.getGeneration() === gen) await reader.refresh();
+  const freshToken = getTokenOrThrow(reader, "Token unavailable after refresh");
+  const retry = await sendRequest(url, init, freshToken, fetchFn);
+  if (!retry.ok) handleNonOk(retry, "API request failed after token refresh");
+  return retry;
+};
 
 // src/adapters/http/garmin-http-client.ts
-var createGarminHttpClient = (logger, fetchFn = globalThis.fetch) => {
-  const refresh = createTokenRefreshManager(fetchFn, logger);
-  const fetch = (url, init) => authFetch(url, init, refresh, fetchFn);
+var createGarminHttpClient = (tokenReader, fetchFn, logger) => {
+  const fetch = (url, init) => authFetch(url, init, tokenReader, fetchFn);
+  logger.debug("HTTP client created");
   return {
     get: async (url) => {
       const res = await fetch(url);
@@ -329,88 +457,80 @@ var createGarminHttpClient = (logger, fetchFn = globalThis.fetch) => {
       });
       const text = await res.text();
       return text ? JSON.parse(text) : void 0;
-    },
-    setTokens: (o1, o2) => {
-      refresh.state.oauth1Token = o1;
-      refresh.state.oauth2Token = o2;
-    },
-    clearTokens: () => {
-      refresh.state.oauth1Token = void 0;
-      refresh.state.oauth2Token = void 0;
-      refresh.state.consumer = void 0;
-    },
-    getOAuth2Token: () => refresh.state.oauth2Token
+    }
   };
 };
-var oauth1TokenSchema = z.object({
-  oauth_token: z.string(),
-  oauth_token_secret: z.string()
-});
-var oauth2TokenSchema = z.object({
-  access_token: z.string(),
-  refresh_token: z.string(),
-  token_type: z.string(),
-  expires_in: z.number(),
-  refresh_token_expires_in: z.number(),
-  expires_at: z.number()
-});
-var garminTokensSchema = z.object({
-  oauth1: oauth1TokenSchema,
-  oauth2: oauth2TokenSchema
-});
 
-// src/adapters/auth/garmin-auth-provider.ts
-var buildAuthProvider = (ctx) => ({
-  login: async (username, password) => {
-    const result = await garminSso(username, password, ctx.logger, ctx.fetchFn);
-    ctx.state.oauth1 = result.oauth1;
-    ctx.httpClient.setTokens(result.oauth1, result.oauth2);
-    if (ctx.tokenStore) {
-      await ctx.tokenStore.save({
-        oauth1: result.oauth1,
-        oauth2: result.oauth2
-      });
+// src/adapters/http/retry.ts
+var isRetryable = (status) => status === 429 || status >= 500 && status <= 599;
+var computeDelay = (attempt, baseDelay, maxDelay, randomFn) => randomFn() * Math.min(maxDelay, baseDelay * 2 ** attempt);
+var sleep = (ms) => new Promise((resolve) => setTimeout(resolve, ms));
+var waitAndLog = (opts, attempt, message, info) => {
+  const delay = computeDelay(
+    attempt,
+    opts.baseDelay,
+    opts.maxDelay,
+    opts.randomFn
+  );
+  opts.logger?.debug(message, { ...info, delay: Math.round(delay) });
+  return sleep(delay);
+};
+var handleRetryableResponse = async (attempt, response, opts) => {
+  if (attempt < opts.maxRetries && isRetryable(response.status)) {
+    await waitAndLog(opts, attempt, "Retrying request", {
+      attempt: attempt + 1,
+      status: response.status
+    });
+    return true;
+  }
+  return false;
+};
+var handleRetryableError = async (attempt, error, opts) => {
+  if (attempt < opts.maxRetries && error instanceof TypeError) {
+    await waitAndLog(opts, attempt, "Retrying request after network error", {
+      attempt: attempt + 1,
+      error: error.message
+    });
+    return true;
+  }
+  return false;
+};
+var withRetry = (fetchFn, options) => {
+  const opts = {
+    maxRetries: options?.maxRetries ?? 3,
+    baseDelay: options?.baseDelay ?? 1e3,
+    maxDelay: options?.maxDelay ?? 1e4,
+    randomFn: options?.randomFn ?? Math.random,
+    logger: options?.logger
+  };
+  return async (input, init) => {
+    for (let attempt = 0; attempt <= opts.maxRetries; attempt++) {
+      try {
+        const response = await fetchFn(input, init);
+        if (await handleRetryableResponse(attempt, response, opts)) continue;
+        return response;
+      } catch (error) {
+        if (await handleRetryableError(attempt, error, opts)) continue;
+        throw error;
+      }
     }
-  },
-  is_authenticated: () => {
-    const token = ctx.httpClient.getOAuth2Token();
-    if (!token) return false;
-    return token.expires_at > Math.floor(Date.now() / 1e3);
-  },
-  export_tokens: async () => {
-    const token = ctx.httpClient.getOAuth2Token();
-    if (!token || !ctx.state.oauth1) {
-      throw createServiceAuthError("No tokens to export");
+    throw new Error("Unexpected retry exhaustion");
+  };
+};
+
+// src/adapters/client/build-refresh-fn.ts
+var buildRefreshFn = (fetchFn, logger) => {
+  let consumer;
+  return async (oauth1) => {
+    consumer ??= await fetchOAuthConsumer(fetchFn, logger);
+    try {
+      return await exchangeOAuth2(oauth1, consumer, fetchFn, logger);
+    } catch {
+      consumer = void 0;
+      consumer = await fetchOAuthConsumer(fetchFn, logger);
+      return exchangeOAuth2(oauth1, consumer, fetchFn, logger);
     }
-    return { oauth1: ctx.state.oauth1, oauth2: token };
-  },
-  restore_tokens: async (data) => {
-    const parsed = garminTokensSchema.parse(data);
-    ctx.state.oauth1 = parsed.oauth1;
-    ctx.httpClient.setTokens(parsed.oauth1, parsed.oauth2);
-    ctx.logger.info("Tokens restored from stored session");
-  },
-  logout: async () => {
-    ctx.state.oauth1 = void 0;
-    ctx.httpClient.clearTokens();
-    if (ctx.tokenStore) await ctx.tokenStore.clear();
-    ctx.logger.info("Logged out from Garmin Connect");
-  }
-});
-var createGarminAuthProvider = (options) => {
-  const logger = options?.logger ?? createConsoleLogger();
-  const tokenStore = options?.tokenStore;
-  const fetchFn = options?.fetchFn ?? createCookieFetch();
-  const httpClient = createGarminHttpClient(logger, fetchFn);
-  const state = { oauth1: void 0 };
-  const auth = buildAuthProvider({
-    httpClient,
-    state,
-    tokenStore,
-    logger,
-    fetchFn
-  });
-  return { auth, httpClient };
+  };
 };
 
 // src/adapters/mappers/workout-summary.mapper.ts
@@ -432,6 +552,26 @@ var garminPushResponseSchema = z.object({
   workoutId: z.number().or(z.string()),
   workoutName: z.string().optional()
 });
+var pullWorkout = async (workoutId, httpClient, garminReader, log) => {
+  try {
+    log.info(`Pulling workout ${workoutId} from Garmin Connect`);
+    const raw = await httpClient.get(
+      `${WORKOUT_URL}/workout/${workoutId}`
+    );
+    const gcnJson = JSON.stringify(raw);
+    return await fromText(gcnJson, garminReader, log);
+  } catch (error) {
+    throw createServiceApiError("Failed to pull workout", void 0, error);
+  }
+};
+var removeWorkout = async (workoutId, httpClient, log) => {
+  try {
+    log.info(`Removing workout ${workoutId} from Garmin Connect`);
+    await httpClient.del(`${WORKOUT_URL}/workout/${workoutId}`);
+  } catch (error) {
+    throw createServiceApiError("Failed to remove workout", void 0, error);
+  }
+};
 
 // src/adapters/client/garmin-workout-service.ts
 var pushWorkout = async (krd, httpClient, garminWriter, log) => {
@@ -474,17 +614,38 @@ var listWorkouts = async (httpClient, log, options) => {
 var createGarminWorkoutService = (httpClient, logger) => {
   const log = logger ?? createConsoleLogger();
   const garminWriter = createGarminWriter(log);
+  const garminReader = createGarminReader(log);
   return {
     push: (krd) => pushWorkout(krd, httpClient, garminWriter, log),
-    list: (opts) => listWorkouts(httpClient, log, opts)
+    pull: (id) => pullWorkout(id, httpClient, garminReader, log),
+    list: (opts) => listWorkouts(httpClient, log, opts),
+    remove: (id) => removeWorkout(id, httpClient, log)
   };
 };
 
 // src/adapters/client/garmin-connect-client.ts
 var createGarminConnectClient = (options) => {
-  const { auth, httpClient } = createGarminAuthProvider(options);
-  const service = createGarminWorkoutService(httpClient, options?.logger);
-  return { auth, service };
+  const logger = options?.logger ?? createConsoleLogger();
+  const rawFetchFn = options?.fetchFn ?? createCookieFetch();
+  const retryFetchFn = options?.retry ? withRetry(rawFetchFn, { ...options.retry, logger }) : rawFetchFn;
+  const refreshFn = buildRefreshFn(rawFetchFn, logger);
+  const tokenManager = createTokenManager({
+    refreshFn,
+    logger,
+    tokenStore: options?.tokenStore
+  });
+  const auth = createGarminAuthProvider({
+    tokenManager,
+    logger,
+    fetchFn: rawFetchFn
+  });
+  const httpClient = createGarminHttpClient(tokenManager, retryFetchFn, logger);
+  const service = createGarminWorkoutService(httpClient, logger);
+  return {
+    auth,
+    service,
+    init: () => tokenManager.init()
+  };
 };
 var DEFAULT_PATH = join(homedir(), ".kaiord", "garmin-tokens.json");
 var createFileTokenStore = (filePath = DEFAULT_PATH) => ({
@@ -525,6 +686,6 @@ var createMemoryTokenStore = () => {
   };
 };
 
-export { createCookieFetch, createFileTokenStore, createGarminAuthProvider, createGarminConnectClient, createMemoryTokenStore };
+export { createCookieFetch, createFileTokenStore, createGarminAuthProvider, createGarminConnectClient, createMemoryTokenStore, createTokenManager };
 //# sourceMappingURL=index.js.map
 //# sourceMappingURL=index.js.map