@lastshotlabs/snapshot 0.1.0

package/dist/index.cjs

@@ -0,0 +1,1135 @@
+"use strict";
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+
+// src/index.ts
+var index_exports = {};
+__export(index_exports, {
+  ApiError: () => ApiError,
+  createSnapshot: () => createSnapshot,
+  isMfaChallenge: () => isMfaChallenge
+});
+module.exports = __toCommonJS(index_exports);
+
+// src/create-snapshot.tsx
+var import_react_query7 = require("@tanstack/react-query");
+var import_jotai7 = require("jotai");
+
+// src/api/error.ts
+function extractMessage(body) {
+  if (body && typeof body === "object") {
+    const b = body;
+    if (typeof b.message === "string") return b.message;
+    if (typeof b.error === "string") return b.error;
+  }
+}
+var ApiError = class _ApiError extends Error {
+  constructor(status, body, message) {
+    super(message ?? extractMessage(body) ?? `HTTP ${status}`);
+    this.status = status;
+    this.body = body;
+    this.name = "ApiError";
+    Object.setPrototypeOf(this, _ApiError.prototype);
+  }
+};
+
+// src/auth/csrf.ts
+var CSRF_COOKIE_NAME = "csrf_token";
+var MUTATING_METHODS = /* @__PURE__ */ new Set(["POST", "PUT", "PATCH", "DELETE"]);
+function getCsrfToken() {
+  if (typeof document === "undefined") return null;
+  const match = document.cookie.split("; ").find((row) => row.startsWith(`${CSRF_COOKIE_NAME}=`));
+  return match ? decodeURIComponent(match.split("=")[1]) : null;
+}
+function isMutatingMethod(method) {
+  return MUTATING_METHODS.has(method.toUpperCase());
+}
+
+// src/api/client.ts
+var ApiClient = class {
+  baseUrl;
+  authMode;
+  bearerToken;
+  storage = null;
+  onUnauthenticated;
+  onForbidden;
+  onMfaSetupRequired;
+  constructor(config) {
+    this.baseUrl = config.apiUrl.replace(/\/$/, "");
+    this.authMode = config.auth ?? "cookie";
+    this.bearerToken = config.bearerToken;
+    this.onUnauthenticated = config.onUnauthenticated;
+    this.onForbidden = config.onForbidden;
+    this.onMfaSetupRequired = config.onMfaSetupRequired;
+    if (this.bearerToken && typeof window !== "undefined") {
+      console.warn(
+        "[snapshot] bearerToken is a static API credential. It should not be used in browser deployments. See the snapshot security docs for the recommended cookie-auth model."
+      );
+    }
+  }
+  setStorage(storage) {
+    this.storage = storage;
+  }
+  buildHeaders(method, overrides) {
+    const headers = {
+      "Content-Type": "application/json",
+      ...overrides
+    };
+    if (this.bearerToken) {
+      headers["Authorization"] = `Bearer ${this.bearerToken}`;
+    }
+    if (this.authMode === "cookie") {
+      if (isMutatingMethod(method)) {
+        const csrf = getCsrfToken();
+        if (csrf) headers["x-csrf-token"] = csrf;
+      }
+      return headers;
+    }
+    const userToken = this.storage?.get();
+    if (userToken) {
+      headers["x-user-token"] = userToken;
+    }
+    if (typeof process !== "undefined" && process.env?.["NODE_ENV"] !== "production" && !this.bearerToken && !userToken) {
+      console.warn(
+        "[snapshot] No auth credentials attached to request. Set bearerToken in createSnapshot config or ensure a user token is stored."
+      );
+    }
+    return headers;
+  }
+  async rawFetch(method, path, body, options) {
+    const url = `${this.baseUrl}${path}`;
+    const headers = this.buildHeaders(method, options?.headers);
+    const init = { method, headers };
+    if (this.authMode === "cookie") init.credentials = "include";
+    if (body !== void 0) init.body = JSON.stringify(body);
+    if (options?.signal) init.signal = options.signal;
+    return fetch(url, init);
+  }
+  async handleResponse(response) {
+    if (response.status === 403) {
+      const body = await response.json().catch(() => null);
+      if (body && typeof body === "object" && "code" in body && body.code === "MFA_SETUP_REQUIRED") {
+        this.onMfaSetupRequired?.();
+      } else {
+        this.onForbidden?.();
+      }
+      throw new ApiError(403, body);
+    }
+    if (!response.ok) {
+      const body = await response.json().catch(() => null);
+      throw new ApiError(response.status, body);
+    }
+    const contentType = response.headers.get("content-type");
+    if (!contentType?.includes("application/json")) {
+      return void 0;
+    }
+    return response.json();
+  }
+  async request(method, path, body, options) {
+    const response = await this.rawFetch(method, path, body, options);
+    if (response.status === 401) {
+      const refreshToken = this.storage?.getRefreshToken();
+      if (refreshToken && path !== "/auth/refresh") {
+        try {
+          const refreshResponse = await fetch(`${this.baseUrl}/auth/refresh`, {
+            method: "POST",
+            headers: { "Content-Type": "application/json" },
+            body: JSON.stringify({ refreshToken }),
+            credentials: "include"
+          });
+          if (refreshResponse.ok) {
+            const refreshData = await refreshResponse.json();
+            this.storage?.set(refreshData.token);
+            if (refreshData.refreshToken) {
+              this.storage?.setRefreshToken(refreshData.refreshToken);
+            }
+            const retryResponse = await this.rawFetch(method, path, body, options);
+            return this.handleResponse(retryResponse);
+          }
+        } catch {
+        }
+      }
+      this.storage?.clear();
+      this.storage?.clearRefreshToken();
+      this.onUnauthenticated?.();
+      const errBody = await response.json().catch(() => null);
+      throw new ApiError(401, errBody);
+    }
+    return this.handleResponse(response);
+  }
+  get(path, options) {
+    return this.request("GET", path, void 0, options);
+  }
+  post(path, body, options) {
+    return this.request("POST", path, body, options);
+  }
+  put(path, body, options) {
+    return this.request("PUT", path, body, options);
+  }
+  patch(path, body, options) {
+    return this.request("PATCH", path, body, options);
+  }
+  delete(path, body, options) {
+    return this.request("DELETE", path, body, options);
+  }
+};
+
+// src/auth/storage.ts
+function createLocalStorageStorage(key) {
+  const refreshKey = `${key}-refresh`;
+  return {
+    get: () => localStorage.getItem(key),
+    set: (token) => localStorage.setItem(key, token),
+    clear: () => localStorage.removeItem(key),
+    getRefreshToken: () => localStorage.getItem(refreshKey),
+    setRefreshToken: (token) => localStorage.setItem(refreshKey, token),
+    clearRefreshToken: () => localStorage.removeItem(refreshKey)
+  };
+}
+function createSessionStorageStorage(key) {
+  const refreshKey = `${key}-refresh`;
+  return {
+    get: () => sessionStorage.getItem(key),
+    set: (token) => sessionStorage.setItem(key, token),
+    clear: () => sessionStorage.removeItem(key),
+    getRefreshToken: () => sessionStorage.getItem(refreshKey),
+    setRefreshToken: (token) => sessionStorage.setItem(refreshKey, token),
+    clearRefreshToken: () => sessionStorage.removeItem(refreshKey)
+  };
+}
+function createMemoryStorage() {
+  let token = null;
+  let refreshValue = null;
+  return {
+    get: () => token,
+    set: (t) => {
+      token = t;
+    },
+    clear: () => {
+      token = null;
+    },
+    getRefreshToken: () => refreshValue,
+    setRefreshToken: (t) => {
+      refreshValue = t;
+    },
+    clearRefreshToken: () => {
+      refreshValue = null;
+    }
+  };
+}
+function createNoopStorage() {
+  return {
+    get: () => null,
+    set: () => {
+    },
+    clear: () => {
+    },
+    getRefreshToken: () => null,
+    setRefreshToken: () => {
+    },
+    clearRefreshToken: () => {
+    }
+  };
+}
+function createTokenStorage(config) {
+  if (config.auth === "cookie") return createNoopStorage();
+  const key = config.tokenKey ?? "x-user-token";
+  const type = config.tokenStorage ?? "sessionStorage";
+  switch (type) {
+    case "sessionStorage":
+      return createSessionStorageStorage(key);
+    case "memory":
+      return createMemoryStorage();
+    case "localStorage":
+    default:
+      return createLocalStorageStorage(key);
+  }
+}
+
+// src/auth/hooks.ts
+var import_react_query = require("@tanstack/react-query");
+var import_react_router = require("@tanstack/react-router");
+var import_jotai = require("jotai");
+
+// src/types.ts
+function isMfaChallenge(result) {
+  return "mfaToken" in result && !("id" in result);
+}
+
+// src/auth/hooks.ts
+var AUTH_QUERY_KEY = ["auth", "me"];
+function createAuthHooks({ api, storage, config, pendingMfaChallengeAtom, onLoginSuccess }) {
+  function useUser() {
+    const { data: user = null, isLoading, isError } = (0, import_react_query.useQuery)({
+      queryKey: AUTH_QUERY_KEY,
+      queryFn: async () => {
+        try {
+          return await api.get("/auth/me");
+        } catch {
+          return null;
+        }
+      },
+      staleTime: config.staleTime ?? 5 * 60 * 1e3,
+      retry: false
+    });
+    return { user, isLoading, isError };
+  }
+  function useLogin() {
+    const queryClient = (0, import_react_query.useQueryClient)();
+    const navigate = (0, import_react_router.useNavigate)();
+    const setMfaChallenge = (0, import_jotai.useSetAtom)(pendingMfaChallengeAtom);
+    return (0, import_react_query.useMutation)({
+      mutationFn: async ({ redirectTo: _, ...body }) => {
+        const res = await api.post("/auth/login", body);
+        if (res.mfaRequired) {
+          return { mfaToken: res.mfaToken, mfaMethods: res.mfaMethods ?? [] };
+        }
+        if (config.auth !== "cookie") {
+          if (res.token) {
+            storage.set(res.token);
+          }
+          if (res.refreshToken) {
+            storage.setRefreshToken(res.refreshToken);
+          }
+        }
+        return api.get("/auth/me");
+      },
+      onSuccess: (result, vars) => {
+        if (isMfaChallenge(result)) {
+          setMfaChallenge({ mfaToken: result.mfaToken, mfaMethods: result.mfaMethods });
+          if (config.mfaPath) navigate({ to: config.mfaPath });
+          return;
+        }
+        queryClient.setQueryData(AUTH_QUERY_KEY, result);
+        onLoginSuccess?.();
+        const to = vars.redirectTo ?? config.homePath;
+        if (to) navigate({ to });
+      }
+    });
+  }
+  function useLogout() {
+    const queryClient = (0, import_react_query.useQueryClient)();
+    const navigate = (0, import_react_router.useNavigate)();
+    const setMfaChallenge = (0, import_jotai.useSetAtom)(pendingMfaChallengeAtom);
+    function cleanup(vars) {
+      storage.clear();
+      storage.clearRefreshToken();
+      queryClient.clear();
+      config.onUnauthenticated?.();
+      const to = vars?.redirectTo ?? config.loginPath;
+      if (to) navigate({ to });
+    }
+    return (0, import_react_query.useMutation)({
+      mutationFn: () => api.post("/auth/logout", {}),
+      onSuccess: (_data, vars) => {
+        setMfaChallenge(null);
+        cleanup(vars);
+      },
+      onError: (_err, vars) => cleanup(vars)
+    });
+  }
+  function useRegister() {
+    const queryClient = (0, import_react_query.useQueryClient)();
+    const navigate = (0, import_react_router.useNavigate)();
+    return (0, import_react_query.useMutation)({
+      mutationFn: async ({ redirectTo: _, ...body }) => {
+        const res = await api.post("/auth/register", body);
+        if (config.auth !== "cookie") {
+          if (res && typeof res["token"] === "string") {
+            storage.set(res["token"]);
+          }
+          if (typeof res["refreshToken"] === "string") {
+            storage.setRefreshToken(res["refreshToken"]);
+          }
+        }
+        return api.get("/auth/me");
+      },
+      onSuccess: (user, vars) => {
+        queryClient.setQueryData(AUTH_QUERY_KEY, user);
+        onLoginSuccess?.();
+        const to = vars.redirectTo ?? config.homePath;
+        if (to) navigate({ to });
+      }
+    });
+  }
+  function useForgotPassword() {
+    return (0, import_react_query.useMutation)({
+      mutationFn: (body) => api.post("/auth/forgot-password", body)
+    });
+  }
+  return { useUser, useLogin, useLogout, useRegister, useForgotPassword };
+}
+
+// src/auth/mfa-hooks.ts
+var import_react_query2 = require("@tanstack/react-query");
+var import_react_router2 = require("@tanstack/react-router");
+var import_jotai2 = require("jotai");
+var AUTH_QUERY_KEY2 = ["auth", "me"];
+function createMfaHooks({ api, storage, config, pendingMfaChallengeAtom, onLoginSuccess }) {
+  function useMfaVerify() {
+    const queryClient = (0, import_react_query2.useQueryClient)();
+    const navigate = (0, import_react_router2.useNavigate)();
+    const pendingChallenge = (0, import_jotai2.useAtomValue)(pendingMfaChallengeAtom);
+    const setMfaChallenge = (0, import_jotai2.useSetAtom)(pendingMfaChallengeAtom);
+    return (0, import_react_query2.useMutation)({
+      mutationFn: async (body) => {
+        if (!pendingChallenge) throw new Error("No pending MFA challenge");
+        const res = await api.post("/auth/mfa/verify", {
+          ...body,
+          mfaToken: pendingChallenge.mfaToken
+        });
+        if (config.auth !== "cookie" && res.token) {
+          storage.set(res.token);
+          if (res.refreshToken) {
+            storage.setRefreshToken(res.refreshToken);
+          }
+        }
+        return api.get("/auth/me");
+      },
+      onSuccess: (user) => {
+        setMfaChallenge(null);
+        queryClient.setQueryData(AUTH_QUERY_KEY2, user);
+        onLoginSuccess?.();
+        if (config.homePath) navigate({ to: config.homePath });
+      }
+    });
+  }
+  function useMfaSetup() {
+    return (0, import_react_query2.useMutation)({
+      mutationFn: () => api.post("/auth/mfa/setup", {})
+    });
+  }
+  function useMfaVerifySetup() {
+    return (0, import_react_query2.useMutation)({
+      mutationFn: (body) => api.post("/auth/mfa/verify-setup", body)
+    });
+  }
+  function useMfaDisable() {
+    return (0, import_react_query2.useMutation)({
+      mutationFn: (body) => api.delete("/auth/mfa", body)
+    });
+  }
+  function useMfaRecoveryCodes() {
+    return (0, import_react_query2.useMutation)({
+      mutationFn: (body) => api.post("/auth/mfa/recovery-codes", body)
+    });
+  }
+  function useMfaEmailOtpEnable() {
+    return (0, import_react_query2.useMutation)({
+      mutationFn: () => api.post("/auth/mfa/email-otp/enable", {})
+    });
+  }
+  function useMfaEmailOtpVerifySetup() {
+    return (0, import_react_query2.useMutation)({
+      mutationFn: (body) => api.post("/auth/mfa/email-otp/verify-setup", body)
+    });
+  }
+  function useMfaEmailOtpDisable() {
+    return (0, import_react_query2.useMutation)({
+      mutationFn: (body) => api.delete("/auth/mfa/email-otp", body)
+    });
+  }
+  function useMfaResend() {
+    return (0, import_react_query2.useMutation)({
+      mutationFn: (body) => api.post("/auth/mfa/resend", body)
+    });
+  }
+  function useMfaMethods() {
+    const { data: methods = null, isLoading, isError } = (0, import_react_query2.useQuery)({
+      queryKey: ["auth", "mfa", "methods"],
+      queryFn: async () => {
+        try {
+          const res = await api.get("/auth/mfa/methods");
+          return res.methods;
+        } catch {
+          return null;
+        }
+      },
+      staleTime: config.staleTime ?? 5 * 60 * 1e3,
+      retry: false
+    });
+    return { methods, isLoading, isError };
+  }
+  return {
+    useMfaVerify,
+    useMfaSetup,
+    useMfaVerifySetup,
+    useMfaDisable,
+    useMfaRecoveryCodes,
+    useMfaEmailOtpEnable,
+    useMfaEmailOtpVerifySetup,
+    useMfaEmailOtpDisable,
+    useMfaResend,
+    useMfaMethods
+  };
+}
+
+// src/auth/account-hooks.ts
+var import_react_query3 = require("@tanstack/react-query");
+var import_react_router3 = require("@tanstack/react-router");
+function createAccountHooks({ api, storage, config, onUnauthenticated, queryClient: qc }) {
+  function useResetPassword() {
+    return (0, import_react_query3.useMutation)({
+      mutationFn: (body) => api.post("/auth/reset-password", body)
+    });
+  }
+  function useVerifyEmail() {
+    return (0, import_react_query3.useMutation)({
+      mutationFn: (body) => api.post("/auth/verify-email", body)
+    });
+  }
+  function useResendVerification() {
+    return (0, import_react_query3.useMutation)({
+      mutationFn: (body) => api.post("/auth/resend-verification", body)
+    });
+  }
+  function useSetPassword() {
+    return (0, import_react_query3.useMutation)({
+      mutationFn: (body) => api.post("/auth/set-password", body)
+    });
+  }
+  function useDeleteAccount() {
+    const navigate = (0, import_react_router3.useNavigate)();
+    return (0, import_react_query3.useMutation)({
+      mutationFn: (body) => api.delete("/auth/me", body ?? {}),
+      onSuccess: () => {
+        storage.clear();
+        qc.clear();
+        onUnauthenticated?.();
+        if (config.loginPath) navigate({ to: config.loginPath });
+      }
+    });
+  }
+  function useCancelDeletion() {
+    return (0, import_react_query3.useMutation)({
+      mutationFn: () => api.post("/auth/cancel-deletion", {})
+    });
+  }
+  function useRefreshToken() {
+    return (0, import_react_query3.useMutation)({
+      mutationFn: (body) => api.post("/auth/refresh", body ?? {}),
+      onSuccess: (data) => {
+        storage.set(data.token);
+        if (data.refreshToken) {
+          storage.setRefreshToken(data.refreshToken);
+        }
+      }
+    });
+  }
+  function useSessions() {
+    const { data, isLoading, isError } = (0, import_react_query3.useQuery)({
+      queryKey: ["auth", "sessions"],
+      queryFn: () => api.get("/auth/sessions")
+    });
+    return { sessions: data?.sessions ?? [], isLoading, isError };
+  }
+  function useRevokeSession() {
+    const queryClient = (0, import_react_query3.useQueryClient)();
+    return (0, import_react_query3.useMutation)({
+      mutationFn: (sessionId) => api.delete(`/auth/sessions/${sessionId}`, {}),
+      onSuccess: () => {
+        queryClient.invalidateQueries({ queryKey: ["auth", "sessions"] });
+      }
+    });
+  }
+  return {
+    useResetPassword,
+    useVerifyEmail,
+    useResendVerification,
+    useSetPassword,
+    useDeleteAccount,
+    useCancelDeletion,
+    useRefreshToken,
+    useSessions,
+    useRevokeSession
+  };
+}
+
+// src/auth/oauth-hooks.ts
+var import_react_query4 = require("@tanstack/react-query");
+var import_react_router4 = require("@tanstack/react-router");
+var AUTH_QUERY_KEY3 = ["auth", "me"];
+function createOAuthHooks({ api, storage, config, onLoginSuccess }) {
+  function getOAuthUrl(provider) {
+    return `${config.apiUrl}/auth/${provider}`;
+  }
+  function getLinkUrl(provider) {
+    return `${config.apiUrl}/auth/${provider}/link`;
+  }
+  function useOAuthExchange() {
+    const queryClient = (0, import_react_query4.useQueryClient)();
+    const navigate = (0, import_react_router4.useNavigate)();
+    return (0, import_react_query4.useMutation)({
+      mutationFn: (body) => api.post("/auth/oauth/exchange", body),
+      onSuccess: async (data) => {
+        if (config.auth !== "cookie" && data.token) {
+          storage.set(data.token);
+          if (data.refreshToken) {
+            storage.setRefreshToken(data.refreshToken);
+          }
+        }
+        const user = await api.get("/auth/me");
+        queryClient.setQueryData(AUTH_QUERY_KEY3, user);
+        onLoginSuccess?.();
+        if (config.homePath) navigate({ to: config.homePath });
+      }
+    });
+  }
+  function useOAuthUnlink() {
+    const queryClient = (0, import_react_query4.useQueryClient)();
+    return (0, import_react_query4.useMutation)({
+      mutationFn: (provider) => api.delete(`/auth/${provider}/link`, {}),
+      onSuccess: () => {
+        queryClient.invalidateQueries({ queryKey: AUTH_QUERY_KEY3 });
+      }
+    });
+  }
+  return {
+    getOAuthUrl,
+    getLinkUrl,
+    useOAuthExchange,
+    useOAuthUnlink
+  };
+}
+
+// src/auth/webauthn-hooks.ts
+var import_react_query5 = require("@tanstack/react-query");
+var import_react_router5 = require("@tanstack/react-router");
+var import_jotai3 = require("jotai");
+var WEBAUTHN_CREDENTIALS_KEY = ["auth", "webauthn", "credentials"];
+function createWebAuthnHooks({ api, storage, config, pendingMfaChallengeAtom, onLoginSuccess }) {
+  function useWebAuthnRegisterOptions() {
+    return (0, import_react_query5.useMutation)({
+      mutationFn: () => api.post("/auth/mfa/webauthn/register-options", {})
+    });
+  }
+  function useWebAuthnRegister() {
+    const queryClient = (0, import_react_query5.useQueryClient)();
+    return (0, import_react_query5.useMutation)({
+      mutationFn: (body) => api.post("/auth/mfa/webauthn/register", body),
+      onSuccess: () => {
+        queryClient.invalidateQueries({ queryKey: WEBAUTHN_CREDENTIALS_KEY });
+      }
+    });
+  }
+  function useWebAuthnCredentials() {
+    const { data, isLoading, isError } = (0, import_react_query5.useQuery)({
+      queryKey: WEBAUTHN_CREDENTIALS_KEY,
+      queryFn: () => api.get("/auth/mfa/webauthn/credentials")
+    });
+    return { credentials: data?.credentials ?? [], isLoading, isError };
+  }
+  function useWebAuthnRemoveCredential() {
+    const queryClient = (0, import_react_query5.useQueryClient)();
+    return (0, import_react_query5.useMutation)({
+      mutationFn: (credentialId) => api.delete(`/auth/mfa/webauthn/credentials/${credentialId}`),
+      onSuccess: () => {
+        queryClient.invalidateQueries({ queryKey: WEBAUTHN_CREDENTIALS_KEY });
+      }
+    });
+  }
+  function useWebAuthnDisable() {
+    return (0, import_react_query5.useMutation)({
+      mutationFn: () => api.delete("/auth/mfa/webauthn", {})
+    });
+  }
+  function usePasskeyLoginOptions() {
+    return (0, import_react_query5.useMutation)({
+      mutationFn: (body) => api.post("/auth/passkey/login-options", body)
+    });
+  }
+  function usePasskeyLogin() {
+    const queryClient = (0, import_react_query5.useQueryClient)();
+    const navigate = (0, import_react_router5.useNavigate)();
+    const setMfaChallenge = (0, import_jotai3.useSetAtom)(pendingMfaChallengeAtom);
+    return (0, import_react_query5.useMutation)({
+      mutationFn: async (body) => {
+        const response = await api.post("/auth/passkey/login", body);
+        if (response.mfaRequired && response.mfaToken && response.mfaMethods) {
+          return { mfaToken: response.mfaToken, mfaMethods: response.mfaMethods };
+        }
+        if (config?.auth !== "cookie" && response.token && storage) {
+          storage.set(response.token);
+          if (response.refreshToken) {
+            storage.setRefreshToken(response.refreshToken);
+          }
+        }
+        return { id: response.userId, email: response.userId };
+      },
+      onSuccess: (result) => {
+        if (isMfaChallenge(result)) {
+          setMfaChallenge({ mfaToken: result.mfaToken, mfaMethods: result.mfaMethods });
+          if (config?.mfaPath) navigate({ to: config.mfaPath });
+          return;
+        }
+        queryClient.invalidateQueries({ queryKey: ["auth", "me"] });
+        onLoginSuccess?.();
+        if (config?.homePath) {
+          window.location.href = config.homePath;
+        }
+      }
+    });
+  }
+  return {
+    useWebAuthnRegisterOptions,
+    useWebAuthnRegister,
+    useWebAuthnCredentials,
+    useWebAuthnRemoveCredential,
+    useWebAuthnDisable,
+    usePasskeyLoginOptions,
+    usePasskeyLogin
+  };
+}
+
+// src/ws/manager.ts
+var WebSocketManager = class {
+  ws = null;
+  rooms = /* @__PURE__ */ new Set();
+  listeners = /* @__PURE__ */ new Map();
+  reconnectAttempts = 0;
+  reconnectTimer = null;
+  destroyed = false;
+  url;
+  autoReconnect;
+  reconnectOnFocus;
+  maxReconnectAttempts;
+  reconnectBaseDelay;
+  reconnectMaxDelay;
+  onConnected;
+  onDisconnected;
+  onReconnecting;
+  onReconnectFailed;
+  constructor(config) {
+    this.url = config.url;
+    this.autoReconnect = config.autoReconnect ?? true;
+    this.reconnectOnFocus = config.reconnectOnFocus ?? true;
+    this.maxReconnectAttempts = config.maxReconnectAttempts ?? Infinity;
+    this.reconnectBaseDelay = config.reconnectBaseDelay ?? 1e3;
+    this.reconnectMaxDelay = config.reconnectMaxDelay ?? 3e4;
+    this.onConnected = config.onConnected;
+    this.onDisconnected = config.onDisconnected;
+    this.onReconnecting = config.onReconnecting;
+    this.onReconnectFailed = config.onReconnectFailed;
+    this.connect();
+    if (this.reconnectOnFocus) {
+      document.addEventListener("visibilitychange", this.handleVisibilityChange);
+    }
+  }
+  get isConnected() {
+    return this.ws?.readyState === WebSocket.OPEN;
+  }
+  handleVisibilityChange = () => {
+    if (document.visibilityState === "visible" && !this.isConnected && !this.destroyed) {
+      this.reconnect();
+    }
+  };
+  connect() {
+    if (this.destroyed) return;
+    try {
+      this.ws = new WebSocket(this.url);
+    } catch {
+      this.scheduleReconnect();
+      return;
+    }
+    this.ws.onopen = () => {
+      this.reconnectAttempts = 0;
+      this.clearReconnectTimer();
+      this.onConnected?.();
+      this.rooms.forEach((room) => this.sendMessage({ type: "subscribe", room }));
+    };
+    this.ws.onclose = () => {
+      this.onDisconnected?.();
+      if (this.autoReconnect && !this.destroyed) {
+        this.scheduleReconnect();
+      }
+    };
+    this.ws.onerror = () => {
+    };
+    this.ws.onmessage = (event) => {
+      try {
+        const message = JSON.parse(event.data);
+        const handlers = this.listeners.get(message["type"]);
+        handlers?.forEach((h) => h(message));
+      } catch {
+      }
+    };
+  }
+  sendMessage(message) {
+    if (this.ws?.readyState === WebSocket.OPEN) {
+      this.ws.send(JSON.stringify(message));
+    }
+  }
+  scheduleReconnect() {
+    if (this.destroyed || this.reconnectTimer !== null) return;
+    if (this.reconnectAttempts >= this.maxReconnectAttempts) {
+      this.onReconnectFailed?.();
+      return;
+    }
+    this.reconnectAttempts++;
+    const delay = Math.min(
+      this.reconnectBaseDelay * Math.pow(2, this.reconnectAttempts - 1),
+      this.reconnectMaxDelay
+    );
+    this.onReconnecting?.(this.reconnectAttempts);
+    this.reconnectTimer = setTimeout(() => {
+      this.reconnectTimer = null;
+      this.connect();
+    }, delay);
+  }
+  clearReconnectTimer() {
+    if (this.reconnectTimer !== null) {
+      clearTimeout(this.reconnectTimer);
+      this.reconnectTimer = null;
+    }
+  }
+  subscribe(room) {
+    this.rooms.add(room);
+    this.sendMessage({ type: "subscribe", room });
+  }
+  unsubscribe(room) {
+    this.rooms.delete(room);
+    this.sendMessage({ type: "unsubscribe", room });
+  }
+  getRooms() {
+    return Array.from(this.rooms);
+  }
+  send(type, payload) {
+    this.sendMessage({ type, payload });
+  }
+  on(event, handler) {
+    const key = event;
+    if (!this.listeners.has(key)) {
+      this.listeners.set(key, /* @__PURE__ */ new Set());
+    }
+    this.listeners.get(key).add(handler);
+  }
+  off(event, handler) {
+    const key = event;
+    this.listeners.get(key)?.delete(handler);
+  }
+  reconnect() {
+    this.clearReconnectTimer();
+    if (this.ws) {
+      this.ws.onclose = null;
+      this.ws.close();
+      this.ws = null;
+    }
+    this.reconnectAttempts = 0;
+    this.connect();
+  }
+  disconnect() {
+    this.destroyed = true;
+    this.clearReconnectTimer();
+    document.removeEventListener("visibilitychange", this.handleVisibilityChange);
+    if (this.ws) {
+      this.ws.onclose = null;
+      this.ws.close();
+      this.ws = null;
+    }
+  }
+};
+
+// src/ws/atom.ts
+var import_jotai4 = require("jotai");
+var wsManagerAtom = (0, import_jotai4.atom)(null);
+
+// src/ws/hook.ts
+var import_jotai5 = require("jotai");
+var import_react = require("react");
+function createWsHooks() {
+  function useWebSocketManager() {
+    return (0, import_jotai5.useAtomValue)(wsManagerAtom);
+  }
+  function useSocket() {
+    const manager = useWebSocketManager();
+    const [isConnected, setIsConnected] = (0, import_react.useState)(manager?.isConnected ?? false);
+    (0, import_react.useEffect)(() => {
+      if (!manager) return;
+      const interval = setInterval(() => {
+        setIsConnected(manager.isConnected);
+      }, 500);
+      return () => clearInterval(interval);
+    }, [manager]);
+    return {
+      isConnected,
+      send: (type, payload) => manager?.send(type, payload),
+      subscribe: (room) => manager?.subscribe(room),
+      unsubscribe: (room) => manager?.unsubscribe(room),
+      getRooms: () => manager?.getRooms() ?? [],
+      on: (event, handler) => manager?.on(event, handler),
+      off: (event, handler) => manager?.off(event, handler),
+      reconnect: () => manager?.reconnect()
+    };
+  }
+  function useRoom(room) {
+    const manager = useWebSocketManager();
+    const [isSubscribed, setIsSubscribed] = (0, import_react.useState)(false);
+    (0, import_react.useEffect)(() => {
+      if (!manager) return;
+      manager.subscribe(room);
+      setIsSubscribed(true);
+      return () => {
+        manager.unsubscribe(room);
+        setIsSubscribed(false);
+      };
+    }, [room, manager]);
+    return { isSubscribed };
+  }
+  function useRoomEvent(room, event, handler) {
+    const manager = useWebSocketManager();
+    (0, import_react.useEffect)(() => {
+      if (!manager) return;
+      const scoped = (data) => {
+        if (data["room"] === room && data["payload"] !== void 0) {
+          handler(data["payload"]);
+        }
+      };
+      manager.on(event, scoped);
+      return () => {
+        manager.off(event, scoped);
+      };
+    }, [room, event, handler, manager]);
+  }
+  return { useWebSocketManager, useSocket, useRoom, useRoomEvent };
+}
+
+// src/theme/hook.ts
+var import_utils = require("jotai/utils");
+var import_jotai6 = require("jotai");
+var import_react2 = require("react");
+var getInitialTheme = () => {
+  if (typeof window === "undefined") return "light";
+  const stored = localStorage.getItem("snapshot-theme");
+  if (stored === "light" || stored === "dark") return stored;
+  return window.matchMedia("(prefers-color-scheme: dark)").matches ? "dark" : "light";
+};
+var themeAtom = (0, import_utils.atomWithStorage)("snapshot-theme", getInitialTheme());
+var styleInjected = false;
+function ensureNoTransitionStyle() {
+  if (styleInjected || typeof document === "undefined") return;
+  const style = document.createElement("style");
+  style.textContent = ".no-transition, .no-transition * { transition: none !important; }";
+  document.head.appendChild(style);
+  styleInjected = true;
+}
+function useTheme() {
+  const [theme, setTheme] = (0, import_jotai6.useAtom)(themeAtom);
+  (0, import_react2.useEffect)(() => {
+    ensureNoTransitionStyle();
+    const root = document.documentElement;
+    root.classList.add("no-transition");
+    if (theme === "dark") {
+      root.classList.add("dark");
+    } else {
+      root.classList.remove("dark");
+    }
+    requestAnimationFrame(() => {
+      requestAnimationFrame(() => {
+        root.classList.remove("no-transition");
+      });
+    });
+  }, [theme]);
+  return {
+    theme,
+    toggle: () => setTheme((t) => t === "dark" ? "light" : "dark"),
+    set: (t) => setTheme(t)
+  };
+}
+
+// src/routing/loaders.ts
+var import_react_router6 = require("@tanstack/react-router");
+var AUTH_QUERY_KEY4 = ["auth", "me"];
+function createLoaders(config, api) {
+  async function fetchUser(queryClient) {
+    try {
+      return await queryClient.ensureQueryData({
+        queryKey: AUTH_QUERY_KEY4,
+        queryFn: async () => {
+          try {
+            return await api.get("/auth/me");
+          } catch {
+            return null;
+          }
+        },
+        staleTime: config.staleTime ?? 5 * 60 * 1e3
+      });
+    } catch {
+      return null;
+    }
+  }
+  async function protectedBeforeLoad({ context }) {
+    const user = await fetchUser(context.queryClient);
+    if (!user) {
+      config.onUnauthenticated?.();
+      if (!config.loginPath) {
+        if (typeof process !== "undefined" && process.env?.["NODE_ENV"] !== "production") {
+          throw new Error(
+            "[snapshot] protectedBeforeLoad: no loginPath configured. Set loginPath in createSnapshot config."
+          );
+        }
+        return;
+      }
+      throw (0, import_react_router6.redirect)({ to: config.loginPath });
+    }
+  }
+  async function guestBeforeLoad({ context }) {
+    const user = await fetchUser(context.queryClient);
+    if (user) {
+      if (!config.homePath) {
+        if (typeof process !== "undefined" && process.env?.["NODE_ENV"] !== "production") {
+          throw new Error(
+            "[snapshot] guestBeforeLoad: no homePath configured. Set homePath in createSnapshot config."
+          );
+        }
+        return;
+      }
+      throw (0, import_react_router6.redirect)({ to: config.homePath });
+    }
+  }
+  return { protectedBeforeLoad, guestBeforeLoad };
+}
+
+// src/providers/QueryProvider.tsx
+var import_react_query6 = require("@tanstack/react-query");
+var import_jsx_runtime = require("react/jsx-runtime");
+function QueryProviderInner({ client, children }) {
+  return /* @__PURE__ */ (0, import_jsx_runtime.jsx)(import_react_query6.QueryClientProvider, { client, children });
+}
+
+// src/create-snapshot.tsx
+var import_jsx_runtime2 = require("react/jsx-runtime");
+function createSnapshot(config) {
+  const api = new ApiClient({
+    apiUrl: config.apiUrl,
+    auth: config.auth,
+    bearerToken: config.bearerToken,
+    onUnauthenticated: config.onUnauthenticated,
+    onForbidden: config.onForbidden,
+    onMfaSetupRequired: config.mfaSetupPath ? () => {
+      window.location.href = config.mfaSetupPath;
+    } : void 0
+  });
+  const tokenStorage = createTokenStorage({
+    auth: config.auth,
+    tokenStorage: config.tokenStorage,
+    tokenKey: config.tokenKey
+  });
+  api.setStorage(tokenStorage);
+  const queryClient = new import_react_query7.QueryClient({
+    defaultOptions: {
+      queries: {
+        staleTime: config.staleTime ?? 5 * 60 * 1e3,
+        gcTime: config.gcTime ?? 10 * 60 * 1e3,
+        retry: config.retry ?? 1
+      }
+    }
+  });
+  let wsManager = null;
+  if (config.ws) {
+    wsManager = new WebSocketManager(config.ws);
+  }
+  const pendingMfaChallengeAtom = (0, import_jotai7.atom)(null);
+  function usePendingMfaChallenge() {
+    return (0, import_jotai7.useAtomValue)(pendingMfaChallengeAtom);
+  }
+  const { useWebSocketManager, useSocket, useRoom, useRoomEvent } = createWsHooks();
+  function useWebSocketManagerWithInit() {
+    const [current, setManager] = (0, import_jotai7.useAtom)(wsManagerAtom);
+    if (wsManager !== null && current === null) {
+      setManager(wsManager);
+    }
+    return current;
+  }
+  const { useUser, useLogin, useLogout, useRegister, useForgotPassword } = createAuthHooks({
+    api,
+    storage: tokenStorage,
+    config,
+    pendingMfaChallengeAtom,
+    onLoginSuccess: config.ws?.reconnectOnLogin !== false ? () => wsManager?.reconnect() : void 0
+  });
+  const mfaHooks = createMfaHooks({
+    api,
+    storage: tokenStorage,
+    config,
+    pendingMfaChallengeAtom,
+    onLoginSuccess: config.ws?.reconnectOnLogin !== false ? () => wsManager?.reconnect() : void 0
+  });
+  const accountHooks = createAccountHooks({
+    api,
+    storage: tokenStorage,
+    config,
+    onUnauthenticated: config.onUnauthenticated,
+    queryClient
+  });
+  const oauthHooks = createOAuthHooks({
+    api,
+    storage: tokenStorage,
+    config,
+    onLoginSuccess: config.ws?.reconnectOnLogin !== false ? () => wsManager?.reconnect() : void 0
+  });
+  const webAuthnHooks = createWebAuthnHooks({
+    api,
+    storage: tokenStorage,
+    config,
+    pendingMfaChallengeAtom,
+    onLoginSuccess: config.ws?.reconnectOnLogin !== false ? () => wsManager?.reconnect() : void 0
+  });
+  const { protectedBeforeLoad, guestBeforeLoad } = createLoaders(config, api);
+  function QueryProvider({ children }) {
+    return /* @__PURE__ */ (0, import_jsx_runtime2.jsx)(QueryProviderInner, { client: queryClient, children });
+  }
+  return {
+    // High-level hooks
+    useUser,
+    useLogin,
+    useLogout,
+    useRegister,
+    useForgotPassword,
+    useSocket,
+    useRoom,
+    useRoomEvent,
+    useTheme,
+    // MFA
+    usePendingMfaChallenge,
+    ...mfaHooks,
+    isMfaChallenge,
+    // Account
+    ...accountHooks,
+    // OAuth
+    ...oauthHooks,
+    // WebAuthn
+    ...webAuthnHooks,
+    // Primitives
+    api,
+    tokenStorage,
+    queryClient,
+    useWebSocketManager: useWebSocketManagerWithInit,
+    // Routing
+    protectedBeforeLoad,
+    guestBeforeLoad,
+    // Components
+    QueryProvider
+  };
+}
+// Annotate the CommonJS export names for ESM import in node:
+0 && (module.exports = {
+  ApiError,
+  createSnapshot,
+  isMfaChallenge
+});
+//# sourceMappingURL=index.cjs.map