@kaiz11/stack-client 0.0.14

package/dist/auth/server/verify.js

@@ -0,0 +1,222 @@
+import * as jose from "jose";
+import { PLATFORM_TENANT_ID } from "../../types.js";
+/**
+ * Verification error
+ */
+export class VerifyError extends Error {
+    code;
+    statusCode;
+    constructor(message, code, statusCode = 401) {
+        super(message);
+        this.code = code;
+        this.statusCode = statusCode;
+        this.name = "VerifyError";
+    }
+    static invalidToken(reason) {
+        return new VerifyError(reason ? `Invalid token: ${reason}` : "Invalid token", "invalid_token", 401);
+    }
+    static tokenExpired() {
+        return new VerifyError("Token has expired", "token_expired", 401);
+    }
+    static insufficientRole(required, actual) {
+        return new VerifyError(`Insufficient role: required ${required}, got ${actual}`, "insufficient_role", 403);
+    }
+    static insufficientAal(required, actual) {
+        return new VerifyError(`Insufficient AAL: required ${required}, got ${actual}`, "insufficient_aal", 403);
+    }
+    static missingToken() {
+        return new VerifyError("Missing authorization token", "missing_token", 401);
+    }
+}
+// Cache for remote JWKS to avoid creating multiple instances
+const jwksCache = new Map();
+/**
+ * Get the JWKS URL for a tenant
+ *
+ * @param baseUrl - The stack base URL (e.g., "https://stack.zenku.app")
+ * @param tenantId - The tenant identifier (default: "_platform")
+ * @returns The JWKS URL
+ *
+ * @example
+ * ```typescript
+ * getJWKSUrl("https://stack.zenku.app")
+ * // → "https://stack.zenku.app/auth/_platform/.well-known/jwks.json"
+ *
+ * getJWKSUrl("https://stack.zenku.app", "acme-corp")
+ * // → "https://stack.zenku.app/auth/acme-corp/.well-known/jwks.json"
+ * ```
+ */
+export function getJWKSUrl(baseUrl, tenantId = PLATFORM_TENANT_ID) {
+    return `${baseUrl}/auth/${tenantId}/.well-known/jwks.json`;
+}
+/**
+ * Create a JWKS key getter
+ *
+ * Automatically constructs the JWKS URL from the base URL and optional tenant ID.
+ *
+ * @param baseUrl - The stack base URL (e.g., "https://stack.zenku.app")
+ * @param tenantId - The tenant identifier (default: "_platform")
+ * @returns A key getter function for use with verifyToken
+ *
+ * @example
+ * ```typescript
+ * import { createJWKS, verifyToken } from "@kaiz11/stack-client/auth/server";
+ *
+ * // Platform (default)
+ * const getKey = createJWKS("https://stack.zenku.app");
+ *
+ * // Tenant
+ * const getKey = createJWKS("https://stack.zenku.app", "acme-corp");
+ *
+ * const payload = await verifyToken(token, getKey);
+ * ```
+ */
+export function createJWKS(baseUrl, tenantId = PLATFORM_TENANT_ID) {
+    return createRemoteJWKS(getJWKSUrl(baseUrl, tenantId));
+}
+/**
+ * Create a JWKS key getter from a URL
+ *
+ * Fetches and caches the JWKS from the GoTrue /.well-known/jwks.json endpoint.
+ * Uses jose's built-in caching and refresh logic.
+ *
+ * For most use cases, prefer `createPlatformJWKS` or `createTenantJWKS` which
+ * automatically construct the URL.
+ *
+ * @param jwksUrl - The JWKS endpoint URL
+ * @returns A key getter function for use with verifyToken
+ *
+ * @example
+ * ```typescript
+ * import { createRemoteJWKS, verifyToken } from "@kaiz11/stack-client/auth/server";
+ *
+ * const getKey = createRemoteJWKS("https://stack.zenku.app/auth/_platform/.well-known/jwks.json");
+ * const payload = await verifyToken(token, getKey);
+ * ```
+ */
+export function createRemoteJWKS(jwksUrl) {
+    // Return cached instance if available
+    const cached = jwksCache.get(jwksUrl);
+    if (cached) {
+        return cached;
+    }
+    // Create new remote JWKS with caching
+    const keyGetter = jose.createRemoteJWKSet(new URL(jwksUrl), {
+        // Cache JWKS for 10 minutes, refresh in background
+        cacheMaxAge: 600_000,
+        cooldownDuration: 30_000,
+    });
+    jwksCache.set(jwksUrl, keyGetter);
+    return keyGetter;
+}
+/**
+ * Create a JWKS key getter from a local JWKS object
+ *
+ * Useful for testing without making network requests.
+ *
+ * @param jwks - The JWKS object containing keys
+ * @returns A key getter function for use with verifyToken
+ *
+ * @example
+ * ```typescript
+ * import { createLocalJWKS, verifyToken } from "@kaiz11/stack-client/auth/server";
+ *
+ * const jwks = { keys: [{ kty: "EC", crv: "P-256", ... }] };
+ * const getKey = createLocalJWKS(jwks);
+ * const payload = await verifyToken(token, getKey);
+ * ```
+ */
+export function createLocalJWKS(jwks) {
+    return jose.createLocalJWKSet(jwks);
+}
+/**
+ * Clear the JWKS cache (useful for testing or key rotation)
+ */
+export function clearJWKSCache() {
+    jwksCache.clear();
+}
+/**
+ * Verify a JWT and extract the payload using ES256 (ECDSA P-256)
+ *
+ * @param token - The JWT access token to verify
+ * @param keyGetter - JWKS key getter (from createRemoteJWKS or createLocalJWKS)
+ * @param options - Optional verification options
+ * @returns The token payload if valid
+ * @throws VerifyError if the token is invalid or expired
+ *
+ * @example
+ * ```typescript
+ * import { createRemoteJWKS, verifyToken } from "@kaiz11/stack-client/auth/server";
+ *
+ * // Create key getter once (cached)
+ * const getKey = createRemoteJWKS(process.env.JWKS_URL!);
+ *
+ * // Verify tokens
+ * const payload = await verifyToken(token, getKey);
+ * console.log("User ID:", payload.sub);
+ * console.log("Email:", payload.email);
+ * console.log("Role:", payload.role);
+ * ```
+ */
+export async function verifyToken(token, keyGetter, options = {}) {
+    try {
+        const { payload } = await jose.jwtVerify(token, keyGetter, {
+            audience: options.audience,
+            clockTolerance: options.clockTolerance,
+            algorithms: ["ES256"], // Only accept ES256
+        });
+        const tokenPayload = payload;
+        // sub is required for authenticated users, but anon tokens don't have it
+        if (!tokenPayload.sub && tokenPayload.role !== "anon") {
+            throw VerifyError.invalidToken("missing sub claim");
+        }
+        // Check role if required
+        if (options.requiredRole && tokenPayload.role !== options.requiredRole) {
+            throw VerifyError.insufficientRole(options.requiredRole, tokenPayload.role);
+        }
+        // Check AAL if required
+        if (options.requiredAal) {
+            const actualAal = tokenPayload.aal || "aal1";
+            const aalOrder = { aal1: 1, aal2: 2 };
+            if (aalOrder[actualAal] < aalOrder[options.requiredAal]) {
+                throw VerifyError.insufficientAal(options.requiredAal, actualAal);
+            }
+        }
+        return tokenPayload;
+    }
+    catch (error) {
+        if (error instanceof VerifyError) {
+            throw error;
+        }
+        if (error instanceof jose.errors.JWTExpired) {
+            throw VerifyError.tokenExpired();
+        }
+        if (error instanceof jose.errors.JWTClaimValidationFailed) {
+            throw VerifyError.invalidToken(error.message);
+        }
+        throw VerifyError.invalidToken();
+    }
+}
+/**
+ * Extract bearer token from Authorization header
+ *
+ * @param authHeader - The Authorization header value
+ * @returns The token string or null if not a valid Bearer token
+ *
+ * @example
+ * ```typescript
+ * import { extractBearerToken } from "@kaiz11/stack-client/auth/server";
+ *
+ * const token = extractBearerToken(request.headers.get("Authorization"));
+ * if (token) {
+ *   const payload = await verifyToken(token, secret);
+ * }
+ * ```
+ */
+export function extractBearerToken(authHeader) {
+    if (!authHeader?.startsWith("Bearer ")) {
+        return null;
+    }
+    return authHeader.slice(7);
+}
+//# sourceMappingURL=verify.js.map

package/dist/auth/server/verify.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"verify.js","sourceRoot":"","sources":["../../../src/auth/server/verify.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,IAAI,MAAM,MAAM,CAAC;AAC7B,OAAO,EAAE,kBAAkB,EAAE,MAAM,gBAAgB,CAAC;AAkDpD;;GAEG;AACH,MAAM,OAAO,WAAY,SAAQ,KAAK;IAGlB;IACA;IAHlB,YACE,OAAe,EACC,IAAY,EACZ,aAAqB,GAAG;QAExC,KAAK,CAAC,OAAO,CAAC,CAAC;QAHC,SAAI,GAAJ,IAAI,CAAQ;QACZ,eAAU,GAAV,UAAU,CAAc;QAGxC,IAAI,CAAC,IAAI,GAAG,aAAa,CAAC;IAC5B,CAAC;IAED,MAAM,CAAC,YAAY,CAAC,MAAe;QACjC,OAAO,IAAI,WAAW,CACpB,MAAM,CAAC,CAAC,CAAC,kBAAkB,MAAM,EAAE,CAAC,CAAC,CAAC,eAAe,EACrD,eAAe,EACf,GAAG,CACJ,CAAC;IACJ,CAAC;IAED,MAAM,CAAC,YAAY;QACjB,OAAO,IAAI,WAAW,CAAC,mBAAmB,EAAE,eAAe,EAAE,GAAG,CAAC,CAAC;IACpE,CAAC;IAED,MAAM,CAAC,gBAAgB,CAAC,QAAgB,EAAE,MAAc;QACtD,OAAO,IAAI,WAAW,CACpB,+BAA+B,QAAQ,SAAS,MAAM,EAAE,EACxD,mBAAmB,EACnB,GAAG,CACJ,CAAC;IACJ,CAAC;IAED,MAAM,CAAC,eAAe,CAAC,QAAgB,EAAE,MAAc;QACrD,OAAO,IAAI,WAAW,CACpB,8BAA8B,QAAQ,SAAS,MAAM,EAAE,EACvD,kBAAkB,EAClB,GAAG,CACJ,CAAC;IACJ,CAAC;IAED,MAAM,CAAC,YAAY;QACjB,OAAO,IAAI,WAAW,CAAC,6BAA6B,EAAE,eAAe,EAAE,GAAG,CAAC,CAAC;IAC9E,CAAC;CACF;AAED,6DAA6D;AAC7D,MAAM,SAAS,GAAG,IAAI,GAAG,EAAyB,CAAC;AAEnD;;;;;;;;;;;;;;;GAeG;AACH,MAAM,UAAU,UAAU,CACxB,OAAe,EACf,WAAmB,kBAAkB;IAErC,OAAO,GAAG,OAAO,SAAS,QAAQ,wBAAwB,CAAC;AAC7D,CAAC;AAED;;;;;;;;;;;;;;;;;;;;;GAqBG;AACH,MAAM,UAAU,UAAU,CACxB,OAAe,EACf,WAAmB,kBAAkB;IAErC,OAAO,gBAAgB,CAAC,UAAU,CAAC,OAAO,EAAE,QAAQ,CAAC,CAAC,CAAC;AACzD,CAAC;AAED;;;;;;;;;;;;;;;;;;;GAmBG;AACH,MAAM,UAAU,gBAAgB,CAAC,OAAe;IAC9C,sCAAsC;IACtC,MAAM,MAAM,GAAG,SAAS,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;IACtC,IAAI,MAAM,EAAE,CAAC;QACX,OAAO,MAAM,CAAC;IAChB,CAAC;IAED,sCAAsC;IACtC,MAAM,SAAS,GAAG,IAAI,CAAC,kBAAkB,CAAC,IAAI,GAAG,CAAC,OAAO,CAAC,EAAE;QAC1D,mDAAmD;QACnD,WAAW,EAAE,OAAO;QACpB,gBAAgB,EAAE,MAAM;KACzB,CAAC,CAAC;IAEH,SAAS,CAAC,GAAG,CAAC,OAAO,EAAE,SAAS,CAAC,CAAC;IAClC,OAAO,SAAS,CAAC;AACnB,CAAC;AAED;;;;;;;;;;;;;;;;GAgBG;AACH,MAAM,UAAU,eAAe,CAAC,IAAwB;IACtD,OAAO,IAAI,CAAC,iBAAiB,CAAC,IAAI,CAAkB,CAAC;AACvD,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,cAAc;IAC5B,SAAS,CAAC,KAAK,EAAE,CAAC;AACpB,CAAC;AAED;;;;;;;;;;;;;;;;;;;;;;GAsBG;AACH,MAAM,CAAC,KAAK,UAAU,WAAW,CAC/B,KAAa,EACb,SAAwB,EACxB,UAAyB,EAAE;IAE3B,IAAI,CAAC;QACH,MAAM,EAAE,OAAO,EAAE,GAAG,MAAM,IAAI,CAAC,SAAS,CAAC,KAAK,EAAE,SAAS,EAAE;YACzD,QAAQ,EAAE,OAAO,CAAC,QAAQ;YAC1B,cAAc,EAAE,OAAO,CAAC,cAAc;YACtC,UAAU,EAAE,CAAC,OAAO,CAAC,EAAE,oBAAoB;SAC5C,CAAC,CAAC;QAEH,MAAM,YAAY,GAAG,OAAkC,CAAC;QAExD,yEAAyE;QACzE,IAAI,CAAC,YAAY,CAAC,GAAG,IAAI,YAAY,CAAC,IAAI,KAAK,MAAM,EAAE,CAAC;YACtD,MAAM,WAAW,CAAC,YAAY,CAAC,mBAAmB,CAAC,CAAC;QACtD,CAAC;QAED,yBAAyB;QACzB,IAAI,OAAO,CAAC,YAAY,IAAI,YAAY,CAAC,IAAI,KAAK,OAAO,CAAC,YAAY,EAAE,CAAC;YACvE,MAAM,WAAW,CAAC,gBAAgB,CAChC,OAAO,CAAC,YAAY,EACpB,YAAY,CAAC,IAAI,CAClB,CAAC;QACJ,CAAC;QAED,wBAAwB;QACxB,IAAI,OAAO,CAAC,WAAW,EAAE,CAAC;YACxB,MAAM,SAAS,GAAG,YAAY,CAAC,GAAG,IAAI,MAAM,CAAC;YAC7C,MAAM,QAAQ,GAAG,EAAE,IAAI,EAAE,CAAC,EAAE,IAAI,EAAE,CAAC,EAAE,CAAC;YACtC,IAAI,QAAQ,CAAC,SAAS,CAAC,GAAG,QAAQ,CAAC,OAAO,CAAC,WAAW,CAAC,EAAE,CAAC;gBACxD,MAAM,WAAW,CAAC,eAAe,CAAC,OAAO,CAAC,WAAW,EAAE,SAAS,CAAC,CAAC;YACpE,CAAC;QACH,CAAC;QAED,OAAO,YAAY,CAAC;IACtB,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,IAAI,KAAK,YAAY,WAAW,EAAE,CAAC;YACjC,MAAM,KAAK,CAAC;QACd,CAAC;QACD,IAAI,KAAK,YAAY,IAAI,CAAC,MAAM,CAAC,UAAU,EAAE,CAAC;YAC5C,MAAM,WAAW,CAAC,YAAY,EAAE,CAAC;QACnC,CAAC;QACD,IAAI,KAAK,YAAY,IAAI,CAAC,MAAM,CAAC,wBAAwB,EAAE,CAAC;YAC1D,MAAM,WAAW,CAAC,YAAY,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC;QAChD,CAAC;QACD,MAAM,WAAW,CAAC,YAAY,EAAE,CAAC;IACnC,CAAC;AACH,CAAC;AAED;;;;;;;;;;;;;;;GAeG;AACH,MAAM,UAAU,kBAAkB,CAAC,UAAyB;IAC1D,IAAI,CAAC,UAAU,EAAE,UAAU,CAAC,SAAS,CAAC,EAAE,CAAC;QACvC,OAAO,IAAI,CAAC;IACd,CAAC;IACD,OAAO,UAAU,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;AAC7B,CAAC"}

package/dist/auth/token-manager.d.ts

@@ -0,0 +1,94 @@
+import type { HttpClient } from "../lib/http.js";
+import type { TokenStore } from "../lib/token-store.js";
+import type { Session, AuthChangeEvent, AuthChangeCallback, Unsubscribe } from "./types.js";
+/**
+ * Custom refresh function type (for mock mode)
+ */
+export type RefreshFn = () => Promise<Session>;
+/**
+ * Token manager configuration
+ */
+export interface TokenManagerConfig {
+    /** HTTP client for token refresh (optional if refreshFn provided) */
+    http?: HttpClient;
+    tokenStore: TokenStore;
+    tenantId: string;
+    /** Auto-refresh buffer in seconds (default: 60) */
+    autoRefreshBuffer?: number;
+    /** Custom refresh function (for mock mode) */
+    refreshFn?: RefreshFn;
+}
+/**
+ * Manages token storage, refresh, and auth state
+ */
+export declare class TokenManager {
+    private http;
+    private tokenStore;
+    private tenantId;
+    private autoRefreshBuffer;
+    private refreshFn;
+    private refreshTimer;
+    private listeners;
+    private currentSession;
+    constructor(config: TokenManagerConfig);
+    /**
+     * Initialize session from stored tokens
+     */
+    private initializeFromStorage;
+    /**
+     * JWT payload structure (for decoding)
+     */
+    private decodeToken;
+    /**
+     * Set the refresh function (for mock mode)
+     *
+     * This allows MockAuthClient to provide its refresh implementation
+     * after TokenManager is constructed.
+     */
+    setRefreshFn(fn: RefreshFn): void;
+    /**
+     * Set session from auth response
+     */
+    setSession(session: Session, event?: AuthChangeEvent): void;
+    /**
+     * Clear current session
+     */
+    clearSession(): void;
+    /**
+     * Get current session
+     */
+    getSession(): Session | null;
+    /**
+     * Get access token (null if not authenticated)
+     */
+    getAccessToken(): string | null;
+    /**
+     * Check if current token is expired
+     */
+    isTokenExpired(): boolean;
+    /**
+     * Refresh the current session
+     */
+    refreshSession(): Promise<Session>;
+    /**
+     * Schedule automatic token refresh
+     */
+    private scheduleRefresh;
+    /**
+     * Cancel scheduled refresh
+     */
+    private cancelRefresh;
+    /**
+     * Subscribe to auth state changes
+     */
+    onAuthStateChange(callback: AuthChangeCallback): Unsubscribe;
+    /**
+     * Notify all listeners of auth state change
+     */
+    private notifyListeners;
+    /**
+     * Cleanup resources
+     */
+    destroy(): void;
+}
+//# sourceMappingURL=token-manager.d.ts.map

package/dist/auth/token-manager.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"token-manager.d.ts","sourceRoot":"","sources":["../../src/auth/token-manager.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,gBAAgB,CAAC;AACjD,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,uBAAuB,CAAC;AAGxD,OAAO,KAAK,EAEV,OAAO,EACP,eAAe,EACf,kBAAkB,EAClB,WAAW,EACZ,MAAM,YAAY,CAAC;AAgBpB;;GAEG;AACH,MAAM,MAAM,SAAS,GAAG,MAAM,OAAO,CAAC,OAAO,CAAC,CAAC;AAE/C;;GAEG;AACH,MAAM,WAAW,kBAAkB;IACjC,qEAAqE;IACrE,IAAI,CAAC,EAAE,UAAU,CAAC;IAClB,UAAU,EAAE,UAAU,CAAC;IACvB,QAAQ,EAAE,MAAM,CAAC;IACjB,mDAAmD;IACnD,iBAAiB,CAAC,EAAE,MAAM,CAAC;IAC3B,8CAA8C;IAC9C,SAAS,CAAC,EAAE,SAAS,CAAC;CACvB;AAED;;GAEG;AACH,qBAAa,YAAY;IACvB,OAAO,CAAC,IAAI,CAAoB;IAChC,OAAO,CAAC,UAAU,CAAa;IAC/B,OAAO,CAAC,QAAQ,CAAS;IACzB,OAAO,CAAC,iBAAiB,CAAS;IAClC,OAAO,CAAC,SAAS,CAAmB;IACpC,OAAO,CAAC,YAAY,CAA8C;IAClE,OAAO,CAAC,SAAS,CAAsC;IACvD,OAAO,CAAC,cAAc,CAAwB;gBAElC,MAAM,EAAE,kBAAkB;IAWtC;;OAEG;IACH,OAAO,CAAC,qBAAqB;IA8C7B;;OAEG;IACH,OAAO,CAAC,WAAW;IAWnB;;;;;OAKG;IACH,YAAY,CAAC,EAAE,EAAE,SAAS,GAAG,IAAI;IAIjC;;OAEG;IACH,UAAU,CAAC,OAAO,EAAE,OAAO,EAAE,KAAK,GAAE,eAA6B,GAAG,IAAI;IAOxE;;OAEG;IACH,YAAY,IAAI,IAAI;IAOpB;;OAEG;IACH,UAAU,IAAI,OAAO,GAAG,IAAI;IAI5B;;OAEG;IACH,cAAc,IAAI,MAAM,GAAG,IAAI;IAI/B;;OAEG;IACH,cAAc,IAAI,OAAO;IAczB;;OAEG;IACG,cAAc,IAAI,OAAO,CAAC,OAAO,CAAC;IAuCxC;;OAEG;IACH,OAAO,CAAC,eAAe;IAiBvB;;OAEG;IACH,OAAO,CAAC,aAAa;IAOrB;;OAEG;IACH,iBAAiB,CAAC,QAAQ,EAAE,kBAAkB,GAAG,WAAW;IAa5D;;OAEG;IACH,OAAO,CAAC,eAAe;IAavB;;OAEG;IACH,OAAO,IAAI,IAAI;CAIhB"}

package/dist/auth/token-manager.js

@@ -0,0 +1,231 @@
+import { authPath } from "../lib/paths.js";
+import { AuthError } from "../lib/errors.js";
+import { normalizeSession } from "./types.js";
+/**
+ * Manages token storage, refresh, and auth state
+ */
+export class TokenManager {
+    http;
+    tokenStore;
+    tenantId;
+    autoRefreshBuffer;
+    refreshFn;
+    refreshTimer = null;
+    listeners = new Set();
+    currentSession = null;
+    constructor(config) {
+        this.http = config.http ?? null;
+        this.tokenStore = config.tokenStore;
+        this.tenantId = config.tenantId;
+        this.autoRefreshBuffer = config.autoRefreshBuffer ?? 60;
+        this.refreshFn = config.refreshFn ?? null;
+        // Initialize session from stored tokens
+        this.initializeFromStorage();
+    }
+    /**
+     * Initialize session from stored tokens
+     */
+    initializeFromStorage() {
+        const accessToken = this.tokenStore.getAccessToken();
+        const refreshToken = this.tokenStore.getRefreshToken();
+        if (accessToken && refreshToken) {
+            // Decode token to check expiry and get user info
+            try {
+                const payload = this.decodeToken(accessToken);
+                const now = Math.floor(Date.now() / 1000);
+                if (payload.exp > now) {
+                    // Token still valid, reconstruct session
+                    this.currentSession = {
+                        accessToken,
+                        refreshToken,
+                        expiresIn: payload.exp - now,
+                        expiresAt: payload.exp,
+                        tokenType: "bearer",
+                        user: {
+                            id: payload.sub,
+                            email: payload.email ?? null,
+                            phone: payload.phone ?? null,
+                            emailConfirmedAt: null,
+                            phoneConfirmedAt: null,
+                            createdAt: new Date(payload.iat * 1000).toISOString(),
+                            updatedAt: new Date(payload.iat * 1000).toISOString(),
+                            appMetadata: payload.app_metadata ?? {},
+                            userMetadata: payload.user_metadata ?? {},
+                        },
+                    };
+                    // Schedule auto-refresh
+                    this.scheduleRefresh();
+                }
+                else {
+                    // Token expired, try to refresh
+                    this.refreshSession().catch(() => {
+                        this.clearSession();
+                    });
+                }
+            }
+            catch {
+                // Invalid token, clear storage
+                this.clearSession();
+            }
+        }
+    }
+    /**
+     * JWT payload structure (for decoding)
+     */
+    decodeToken(token) {
+        const parts = token.split(".");
+        if (parts.length !== 3) {
+            throw new Error("Invalid JWT format");
+        }
+        const payload = parts[1];
+        const decoded = atob(payload.replace(/-/g, "+").replace(/_/g, "/"));
+        return JSON.parse(decoded);
+    }
+    /**
+     * Set the refresh function (for mock mode)
+     *
+     * This allows MockAuthClient to provide its refresh implementation
+     * after TokenManager is constructed.
+     */
+    setRefreshFn(fn) {
+        this.refreshFn = fn;
+    }
+    /**
+     * Set session from auth response
+     */
+    setSession(session, event = "SIGNED_IN") {
+        this.currentSession = session;
+        this.tokenStore.setTokens(session.accessToken, session.refreshToken);
+        this.scheduleRefresh();
+        this.notifyListeners(event, session);
+    }
+    /**
+     * Clear current session
+     */
+    clearSession() {
+        this.currentSession = null;
+        this.tokenStore.clearTokens();
+        this.cancelRefresh();
+        this.notifyListeners("SIGNED_OUT", null);
+    }
+    /**
+     * Get current session
+     */
+    getSession() {
+        return this.currentSession;
+    }
+    /**
+     * Get access token (null if not authenticated)
+     */
+    getAccessToken() {
+        return this.tokenStore.getAccessToken();
+    }
+    /**
+     * Check if current token is expired
+     */
+    isTokenExpired() {
+        const accessToken = this.tokenStore.getAccessToken();
+        if (!accessToken)
+            return true;
+        try {
+            const payload = this.decodeToken(accessToken);
+            const exp = payload.exp;
+            const now = Math.floor(Date.now() / 1000);
+            return exp <= now;
+        }
+        catch {
+            return true;
+        }
+    }
+    /**
+     * Refresh the current session
+     */
+    async refreshSession() {
+        // Use custom refresh function if provided (mock mode)
+        if (this.refreshFn) {
+            return this.refreshFn();
+        }
+        // HTTP-based refresh
+        const refreshToken = this.tokenStore.getRefreshToken();
+        if (!refreshToken) {
+            throw AuthError.notAuthenticated();
+        }
+        if (!this.http) {
+            throw new Error("TokenManager requires http client or refreshFn for token refresh");
+        }
+        try {
+            const path = authPath(this.tenantId, "/token?grant_type=refresh_token");
+            const response = await this.http.post(path, { refresh_token: refreshToken }, { noAuth: true });
+            const session = normalizeSession(response);
+            this.currentSession = session;
+            this.tokenStore.setTokens(session.accessToken, session.refreshToken);
+            this.scheduleRefresh();
+            this.notifyListeners("TOKEN_REFRESHED", session);
+            return session;
+        }
+        catch {
+            this.clearSession();
+            throw AuthError.refreshFailed();
+        }
+    }
+    /**
+     * Schedule automatic token refresh
+     */
+    scheduleRefresh() {
+        this.cancelRefresh();
+        if (!this.currentSession)
+            return;
+        // Calculate refresh time (expiresAt - buffer)
+        const now = Math.floor(Date.now() / 1000);
+        const refreshAt = this.currentSession.expiresAt - this.autoRefreshBuffer;
+        const delay = Math.max(0, (refreshAt - now) * 1000);
+        this.refreshTimer = setTimeout(() => {
+            this.refreshSession().catch(() => {
+                // Refresh failed, session cleared
+            });
+        }, delay);
+    }
+    /**
+     * Cancel scheduled refresh
+     */
+    cancelRefresh() {
+        if (this.refreshTimer) {
+            clearTimeout(this.refreshTimer);
+            this.refreshTimer = null;
+        }
+    }
+    /**
+     * Subscribe to auth state changes
+     */
+    onAuthStateChange(callback) {
+        this.listeners.add(callback);
+        // Immediately notify with current state
+        if (this.currentSession) {
+            callback("SIGNED_IN", this.currentSession);
+        }
+        return () => {
+            this.listeners.delete(callback);
+        };
+    }
+    /**
+     * Notify all listeners of auth state change
+     */
+    notifyListeners(event, session) {
+        for (const listener of this.listeners) {
+            try {
+                listener(event, session);
+            }
+            catch {
+                // Ignore listener errors
+            }
+        }
+    }
+    /**
+     * Cleanup resources
+     */
+    destroy() {
+        this.cancelRefresh();
+        this.listeners.clear();
+    }
+}
+//# sourceMappingURL=token-manager.js.map

package/dist/auth/token-manager.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"token-manager.js","sourceRoot":"","sources":["../../src/auth/token-manager.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,QAAQ,EAAE,MAAM,iBAAiB,CAAC;AAC3C,OAAO,EAAE,SAAS,EAAE,MAAM,kBAAkB,CAAC;AAQ7C,OAAO,EAAE,gBAAgB,EAAE,MAAM,YAAY,CAAC;AAkC9C;;GAEG;AACH,MAAM,OAAO,YAAY;IACf,IAAI,CAAoB;IACxB,UAAU,CAAa;IACvB,QAAQ,CAAS;IACjB,iBAAiB,CAAS;IAC1B,SAAS,CAAmB;IAC5B,YAAY,GAAyC,IAAI,CAAC;IAC1D,SAAS,GAA4B,IAAI,GAAG,EAAE,CAAC;IAC/C,cAAc,GAAmB,IAAI,CAAC;IAE9C,YAAY,MAA0B;QACpC,IAAI,CAAC,IAAI,GAAG,MAAM,CAAC,IAAI,IAAI,IAAI,CAAC;QAChC,IAAI,CAAC,UAAU,GAAG,MAAM,CAAC,UAAU,CAAC;QACpC,IAAI,CAAC,QAAQ,GAAG,MAAM,CAAC,QAAQ,CAAC;QAChC,IAAI,CAAC,iBAAiB,GAAG,MAAM,CAAC,iBAAiB,IAAI,EAAE,CAAC;QACxD,IAAI,CAAC,SAAS,GAAG,MAAM,CAAC,SAAS,IAAI,IAAI,CAAC;QAE1C,wCAAwC;QACxC,IAAI,CAAC,qBAAqB,EAAE,CAAC;IAC/B,CAAC;IAED;;OAEG;IACK,qBAAqB;QAC3B,MAAM,WAAW,GAAG,IAAI,CAAC,UAAU,CAAC,cAAc,EAAE,CAAC;QACrD,MAAM,YAAY,GAAG,IAAI,CAAC,UAAU,CAAC,eAAe,EAAE,CAAC;QAEvD,IAAI,WAAW,IAAI,YAAY,EAAE,CAAC;YAChC,iDAAiD;YACjD,IAAI,CAAC;gBACH,MAAM,OAAO,GAAG,IAAI,CAAC,WAAW,CAAC,WAAW,CAAC,CAAC;gBAC9C,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC;gBAE1C,IAAI,OAAO,CAAC,GAAG,GAAG,GAAG,EAAE,CAAC;oBACtB,yCAAyC;oBACzC,IAAI,CAAC,cAAc,GAAG;wBACpB,WAAW;wBACX,YAAY;wBACZ,SAAS,EAAE,OAAO,CAAC,GAAG,GAAG,GAAG;wBAC5B,SAAS,EAAE,OAAO,CAAC,GAAG;wBACtB,SAAS,EAAE,QAAQ;wBACnB,IAAI,EAAE;4BACJ,EAAE,EAAE,OAAO,CAAC,GAAG;4BACf,KAAK,EAAE,OAAO,CAAC,KAAK,IAAI,IAAI;4BAC5B,KAAK,EAAE,OAAO,CAAC,KAAK,IAAI,IAAI;4BAC5B,gBAAgB,EAAE,IAAI;4BACtB,gBAAgB,EAAE,IAAI;4BACtB,SAAS,EAAE,IAAI,IAAI,CAAC,OAAO,CAAC,GAAG,GAAG,IAAI,CAAC,CAAC,WAAW,EAAE;4BACrD,SAAS,EAAE,IAAI,IAAI,CAAC,OAAO,CAAC,GAAG,GAAG,IAAI,CAAC,CAAC,WAAW,EAAE;4BACrD,WAAW,EAAE,OAAO,CAAC,YAAY,IAAI,EAAE;4BACvC,YAAY,EAAE,OAAO,CAAC,aAAa,IAAI,EAAE;yBAC1C;qBACF,CAAC;oBAEF,wBAAwB;oBACxB,IAAI,CAAC,eAAe,EAAE,CAAC;gBACzB,CAAC;qBAAM,CAAC;oBACN,gCAAgC;oBAChC,IAAI,CAAC,cAAc,EAAE,CAAC,KAAK,CAAC,GAAG,EAAE;wBAC/B,IAAI,CAAC,YAAY,EAAE,CAAC;oBACtB,CAAC,CAAC,CAAC;gBACL,CAAC;YACH,CAAC;YAAC,MAAM,CAAC;gBACP,+BAA+B;gBAC/B,IAAI,CAAC,YAAY,EAAE,CAAC;YACtB,CAAC;QACH,CAAC;IACH,CAAC;IAED;;OAEG;IACK,WAAW,CAAC,KAAa;QAC/B,MAAM,KAAK,GAAG,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;QAC/B,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YACvB,MAAM,IAAI,KAAK,CAAC,oBAAoB,CAAC,CAAC;QACxC,CAAC;QAED,MAAM,OAAO,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC;QACzB,MAAM,OAAO,GAAG,IAAI,CAAC,OAAO,CAAC,OAAO,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC,OAAO,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC,CAAC;QACpE,OAAO,IAAI,CAAC,KAAK,CAAC,OAAO,CAAe,CAAC;IAC3C,CAAC;IAED;;;;;OAKG;IACH,YAAY,CAAC,EAAa;QACxB,IAAI,CAAC,SAAS,GAAG,EAAE,CAAC;IACtB,CAAC;IAED;;OAEG;IACH,UAAU,CAAC,OAAgB,EAAE,QAAyB,WAAW;QAC/D,IAAI,CAAC,cAAc,GAAG,OAAO,CAAC;QAC9B,IAAI,CAAC,UAAU,CAAC,SAAS,CAAC,OAAO,CAAC,WAAW,EAAE,OAAO,CAAC,YAAY,CAAC,CAAC;QACrE,IAAI,CAAC,eAAe,EAAE,CAAC;QACvB,IAAI,CAAC,eAAe,CAAC,KAAK,EAAE,OAAO,CAAC,CAAC;IACvC,CAAC;IAED;;OAEG;IACH,YAAY;QACV,IAAI,CAAC,cAAc,GAAG,IAAI,CAAC;QAC3B,IAAI,CAAC,UAAU,CAAC,WAAW,EAAE,CAAC;QAC9B,IAAI,CAAC,aAAa,EAAE,CAAC;QACrB,IAAI,CAAC,eAAe,CAAC,YAAY,EAAE,IAAI,CAAC,CAAC;IAC3C,CAAC;IAED;;OAEG;IACH,UAAU;QACR,OAAO,IAAI,CAAC,cAAc,CAAC;IAC7B,CAAC;IAED;;OAEG;IACH,cAAc;QACZ,OAAO,IAAI,CAAC,UAAU,CAAC,cAAc,EAAE,CAAC;IAC1C,CAAC;IAED;;OAEG;IACH,cAAc;QACZ,MAAM,WAAW,GAAG,IAAI,CAAC,UAAU,CAAC,cAAc,EAAE,CAAC;QACrD,IAAI,CAAC,WAAW;YAAE,OAAO,IAAI,CAAC;QAE9B,IAAI,CAAC;YACH,MAAM,OAAO,GAAG,IAAI,CAAC,WAAW,CAAC,WAAW,CAAC,CAAC;YAC9C,MAAM,GAAG,GAAG,OAAO,CAAC,GAAa,CAAC;YAClC,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC;YAC1C,OAAO,GAAG,IAAI,GAAG,CAAC;QACpB,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,IAAI,CAAC;QACd,CAAC;IACH,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,cAAc;QAClB,sDAAsD;QACtD,IAAI,IAAI,CAAC,SAAS,EAAE,CAAC;YACnB,OAAO,IAAI,CAAC,SAAS,EAAE,CAAC;QAC1B,CAAC;QAED,qBAAqB;QACrB,MAAM,YAAY,GAAG,IAAI,CAAC,UAAU,CAAC,eAAe,EAAE,CAAC;QACvD,IAAI,CAAC,YAAY,EAAE,CAAC;YAClB,MAAM,SAAS,CAAC,gBAAgB,EAAE,CAAC;QACrC,CAAC;QAED,IAAI,CAAC,IAAI,CAAC,IAAI,EAAE,CAAC;YACf,MAAM,IAAI,KAAK,CACb,kEAAkE,CACnE,CAAC;QACJ,CAAC;QAED,IAAI,CAAC;YACH,MAAM,IAAI,GAAG,QAAQ,CAAC,IAAI,CAAC,QAAQ,EAAE,iCAAiC,CAAC,CAAC;YACxE,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,IAAI,CAAC,IAAI,CACnC,IAAI,EACJ,EAAE,aAAa,EAAE,YAAY,EAAE,EAC/B,EAAE,MAAM,EAAE,IAAI,EAAE,CACjB,CAAC;YAEF,MAAM,OAAO,GAAG,gBAAgB,CAAC,QAAQ,CAAC,CAAC;YAC3C,IAAI,CAAC,cAAc,GAAG,OAAO,CAAC;YAC9B,IAAI,CAAC,UAAU,CAAC,SAAS,CAAC,OAAO,CAAC,WAAW,EAAE,OAAO,CAAC,YAAY,CAAC,CAAC;YACrE,IAAI,CAAC,eAAe,EAAE,CAAC;YACvB,IAAI,CAAC,eAAe,CAAC,iBAAiB,EAAE,OAAO,CAAC,CAAC;YAEjD,OAAO,OAAO,CAAC;QACjB,CAAC;QAAC,MAAM,CAAC;YACP,IAAI,CAAC,YAAY,EAAE,CAAC;YACpB,MAAM,SAAS,CAAC,aAAa,EAAE,CAAC;QAClC,CAAC;IACH,CAAC;IAED;;OAEG;IACK,eAAe;QACrB,IAAI,CAAC,aAAa,EAAE,CAAC;QAErB,IAAI,CAAC,IAAI,CAAC,cAAc;YAAE,OAAO;QAEjC,8CAA8C;QAC9C,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC;QAC1C,MAAM,SAAS,GAAG,IAAI,CAAC,cAAc,CAAC,SAAS,GAAG,IAAI,CAAC,iBAAiB,CAAC;QACzE,MAAM,KAAK,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,CAAC,SAAS,GAAG,GAAG,CAAC,GAAG,IAAI,CAAC,CAAC;QAEpD,IAAI,CAAC,YAAY,GAAG,UAAU,CAAC,GAAG,EAAE;YAClC,IAAI,CAAC,cAAc,EAAE,CAAC,KAAK,CAAC,GAAG,EAAE;gBAC/B,kCAAkC;YACpC,CAAC,CAAC,CAAC;QACL,CAAC,EAAE,KAAK,CAAC,CAAC;IACZ,CAAC;IAED;;OAEG;IACK,aAAa;QACnB,IAAI,IAAI,CAAC,YAAY,EAAE,CAAC;YACtB,YAAY,CAAC,IAAI,CAAC,YAAY,CAAC,CAAC;YAChC,IAAI,CAAC,YAAY,GAAG,IAAI,CAAC;QAC3B,CAAC;IACH,CAAC;IAED;;OAEG;IACH,iBAAiB,CAAC,QAA4B;QAC5C,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;QAE7B,wCAAwC;QACxC,IAAI,IAAI,CAAC,cAAc,EAAE,CAAC;YACxB,QAAQ,CAAC,WAAW,EAAE,IAAI,CAAC,cAAc,CAAC,CAAC;QAC7C,CAAC;QAED,OAAO,GAAG,EAAE;YACV,IAAI,CAAC,SAAS,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC;QAClC,CAAC,CAAC;IACJ,CAAC;IAED;;OAEG;IACK,eAAe,CACrB,KAAsB,EACtB,OAAuB;QAEvB,KAAK,MAAM,QAAQ,IAAI,IAAI,CAAC,SAAS,EAAE,CAAC;YACtC,IAAI,CAAC;gBACH,QAAQ,CAAC,KAAK,EAAE,OAAO,CAAC,CAAC;YAC3B,CAAC;YAAC,MAAM,CAAC;gBACP,yBAAyB;YAC3B,CAAC;QACH,CAAC;IACH,CAAC;IAED;;OAEG;IACH,OAAO;QACL,IAAI,CAAC,aAAa,EAAE,CAAC;QACrB,IAAI,CAAC,SAAS,CAAC,KAAK,EAAE,CAAC;IACzB,CAAC;CACF"}