npm - @logi-auth/browser - Versions diffs - 0.1.0 - Mend

@logi-auth/browser 0.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (14) hide show

package/README.md ADDED Viewed

@@ -0,0 +1,120 @@
+# @logi-auth/browser
+Browser SDK for **logi (1pass)** — OAuth 2.0 + OIDC PKCE for SPAs. Zero dependencies, ~3 KB minified.
+```bash
+npm install @logi-auth/browser
+```
+## Quickstart
+```ts
+import { LogiAuth } from "@logi-auth/browser";
+const auth = new LogiAuth({
+  clientId: "logi_xxx",
+  redirectUri: window.location.origin + "/auth/callback",
+  // scopes: ["openid", "profile:basic", "email"],   // default
+  // issuer: "https://api.1pass.dev",                 // default
+});
+```
+### Sign in (page A — wherever the login button lives)
+```ts
+loginButton.addEventListener("click", () => {
+  auth.signIn({ returnTo: location.pathname });
+  // → redirects to https://api.1pass.dev/oauth/authorize
+});
+```
+### Handle callback (page B — `/auth/callback`)
+```ts
+if (auth.hasPendingCallback()) {
+  try {
+    const tokens = await auth.handleCallback();
+    // tokens.accessToken    — Bearer token for your API
+    // tokens.refreshToken   — store securely (preferably HttpOnly cookie via your backend)
+    // tokens.idToken        — OIDC identity (decode for UI hints only)
+    // tokens.returnTo       — what you passed to signIn({ returnTo })
+    // tokens.expiresAt      — ms epoch
+    location.replace(tokens.returnTo ?? "/");
+  } catch (err) {
+    if (err instanceof LogiAuthError) {
+      console.error(err.code, err.message, err.details);
+    }
+  }
+}
+```
+### Refresh
+```ts
+const fresh = await auth.refresh(savedRefreshToken);
+// fresh.refreshToken is the rotated token — persist the new value.
+```
+### Read the ID token (UI hints only)
+```ts
+const claims = auth.parseIdToken<{ sub: string; email?: string }>(tokens.idToken!);
+// ⚠️ No signature verification. Don't make authorization decisions client-side.
+```
+## Why this SDK
+Browser PKCE flow is small but easy to get wrong:
+- Generating the `code_verifier` + SHA-256 `code_challenge`
+- Persisting `verifier` + `state` across the IdP redirect
+- Validating returned `state` to defeat CSRF
+- Distinguishing `error=` callbacks from missing-`code` cases
+- Cleaning up `sessionStorage` on every exit path (success or failure)
+This SDK does all of that in ~250 LOC, zero deps, ESM-only.
+## Design
+- **Zero dependencies.** Uses `crypto.subtle` and `fetch` directly.
+- **Public client.** Never sends `client_secret`. Token endpoint must accept `none` auth (logi PKCE clients do).
+- **No signature verification.** ID token claims are decoded for UI only; your backend is the trust root and re-verifies via `/.well-known/jwks.json`.
+- **sessionStorage by default.** Pending handoff is wiped on tab close. Override via `storage:` option.
+- **TTL on pending handoff.** Stale handoffs (default 10 min) are rejected with `expired_handoff`.
+## Requirements
+- **Secure context.** `crypto.subtle` is undefined on plain `http://` (except `http://localhost`). Serve your SPA over HTTPS.
+- **Modern browsers.** Chromium 92+, Safari 15.4+, Firefox 90+ (anything with `crypto.subtle.digest("SHA-256")` and `fetch`).
+- **Node ≥ 18** if you import this from a server-side test harness or SSR layer.
+## Errors
+`LogiAuthError` with one of:
+- `storage_unavailable` — `signIn()` couldn't persist the PKCE handoff (Safari ITP, iOS private browsing, corp policy). Thrown **before** redirecting to the IdP so the user doesn't waste a round-trip.
+- `no_pending_handoff` — `handleCallback()` called without a prior `signIn()` in this tab
+- `state_mismatch` — returned `state` ≠ persisted (CSRF attempt or stale callback)
+- `missing_code` — callback URL had no `code` parameter
+- `authorization_server_error` — IdP returned `?error=...`
+- `token_exchange_failed` — `/oauth/token` POST failed (HTTP status + truncated body in `details`)
+- `network_error` — `fetch` rejected (offline, DNS, CORS, TLS)
+- `expired_handoff` — pending older than `pendingTtlMs`
+> **`details.body` may include server payloads.** We truncate to 2 KB but logging it to Sentry/Datadog without scrubbing could leak tokens that the IdP echoed in a 4xx response.
+## Limitations (v0.1.0)
+- **Multi-tab race.** Concurrent `signIn()` calls in multiple tabs share `sessionStorage` per origin, so only the most-recent handoff completes; the older tab's `handleCallback()` will fail with `state_mismatch`. State-keyed storage is on the v0.2.0 roadmap.
+- **No automatic refresh.** Call `auth.refresh(savedRefreshToken)` yourself before `expiresAt`. A token-manager wrapper (`@logi-auth/react`) is planned.
+## Server side
+This SDK only handles the browser. Your backend should:
+1. Validate `accessToken` against `/.well-known/jwks.json` on every protected request
+2. Store `refreshToken` server-side (HttpOnly cookie) — don't keep it in `localStorage`
+For Node.js servers, use a generic OIDC library pointed at `https://api.1pass.dev/.well-known/openid-configuration`. logi advertises a full discovery document so `oauth4webapi`, `openid-client`, `next-auth`, `auth.js` all auto-configure.
+## License
+MIT © Seunghan Kim

package/dist/index.d.ts ADDED Viewed

@@ -0,0 +1,82 @@
+import { type StorageBackend } from "./storage.js";
+export interface LogiAuthOptions {
+    /** OAuth client_id from logi developer portal. Public PKCE client. */
+    clientId: string;
+    /** Where the IdP returns the user. Must be one of the registered redirect_uris. */
+    redirectUri: string;
+    /** Default scopes; override per-call via signIn({ scopes }). */
+    scopes?: string[];
+    /** Issuer URL. Defaults to https://api.1pass.dev. */
+    issuer?: string;
+    /** Override storage backend (default: sessionStorage). */
+    storage?: StorageBackend;
+    /** Maximum age of a pending handoff in ms (default: 10 minutes). */
+    pendingTtlMs?: number;
+}
+export interface SignInRequest {
+    /** Override default scopes. */
+    scopes?: string[];
+    /** Caller-supplied passthrough — restored in handleCallback().returnTo. */
+    returnTo?: string;
+    /** OIDC `prompt` parameter (e.g. "login" or "consent"). */
+    prompt?: "none" | "login" | "consent" | "select_account";
+}
+export interface TokenResponse {
+    accessToken: string;
+    idToken?: string;
+    refreshToken?: string;
+    tokenType: string;
+    expiresAt?: number;
+    scope?: string;
+}
+export interface CallbackResult extends TokenResponse {
+    /** The `returnTo` value passed to signIn(), if any. */
+    returnTo?: string;
+}
+export type LogiAuthErrorCode = "no_pending_handoff" | "state_mismatch" | "missing_code" | "authorization_server_error" | "token_exchange_failed" | "expired_handoff" | "storage_unavailable" | "network_error";
+export declare class LogiAuthError extends Error {
+    readonly code: LogiAuthErrorCode;
+    readonly details?: unknown | undefined;
+    constructor(code: LogiAuthErrorCode, message: string, details?: unknown | undefined);
+}
+export declare class LogiAuth {
+    readonly issuer: string;
+    readonly clientId: string;
+    readonly redirectUri: string;
+    readonly defaultScopes: string[];
+    private readonly storage;
+    private readonly pendingTtlMs;
+    constructor(opts: LogiAuthOptions);
+    /**
+     * Build the authorize URL and navigate the browser to it. Persists the PKCE
+     * verifier + state to sessionStorage so handleCallback() can complete the
+     * exchange after the IdP redirects back.
+     */
+    signIn(req?: SignInRequest): Promise<void>;
+    /**
+     * Read the current page URL for ?code & ?state, validate against the
+     * persisted handoff, and exchange the code for tokens. Call this from your
+     * `/auth/callback` route.
+     *
+     * Pass an explicit URL if you've already routed past the callback (rare).
+     */
+    handleCallback(callbackUrl?: string | URL): Promise<CallbackResult>;
+    /**
+     * Exchange a refresh_token for a fresh access_token. Public clients should
+     * persist the rotated refresh_token returned in `refreshToken`.
+     */
+    refresh(refreshToken: string): Promise<TokenResponse>;
+    /**
+     * Decode an ID token's payload (no signature verification). Use only for
+     * UI hints (e.g. show user's email). Real authorization decisions must be
+     * made server-side after re-verifying via JWKS.
+     */
+    parseIdToken<T = Record<string, unknown>>(idToken: string): T;
+    /**
+     * True when sessionStorage has a pending sign-in (i.e. user just returned
+     * from the IdP). Use to gate calling handleCallback() in shared components.
+     */
+    hasPendingCallback(): boolean;
+}
+export type { StorageBackend, PendingHandoff } from "./storage.js";
+//# sourceMappingURL=index.d.ts.map

package/dist/index.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAmBA,OAAO,EACL,KAAK,cAAc,EAKpB,MAAM,cAAc,CAAC;AAEtB,MAAM,WAAW,eAAe;IAC9B,sEAAsE;IACtE,QAAQ,EAAE,MAAM,CAAC;IACjB,mFAAmF;IACnF,WAAW,EAAE,MAAM,CAAC;IACpB,gEAAgE;IAChE,MAAM,CAAC,EAAE,MAAM,EAAE,CAAC;IAClB,qDAAqD;IACrD,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,0DAA0D;IAC1D,OAAO,CAAC,EAAE,cAAc,CAAC;IACzB,oEAAoE;IACpE,YAAY,CAAC,EAAE,MAAM,CAAC;CACvB;AAED,MAAM,WAAW,aAAa;IAC5B,+BAA+B;IAC/B,MAAM,CAAC,EAAE,MAAM,EAAE,CAAC;IAClB,2EAA2E;IAC3E,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,2DAA2D;IAC3D,MAAM,CAAC,EAAE,MAAM,GAAG,OAAO,GAAG,SAAS,GAAG,gBAAgB,CAAC;CAC1D;AAED,MAAM,WAAW,aAAa;IAC5B,WAAW,EAAE,MAAM,CAAC;IACpB,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,SAAS,EAAE,MAAM,CAAC;IAClB,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,KAAK,CAAC,EAAE,MAAM,CAAC;CAChB;AAED,MAAM,WAAW,cAAe,SAAQ,aAAa;IACnD,uDAAuD;IACvD,QAAQ,CAAC,EAAE,MAAM,CAAC;CACnB;AAED,MAAM,MAAM,iBAAiB,GACzB,oBAAoB,GACpB,gBAAgB,GAChB,cAAc,GACd,4BAA4B,GAC5B,uBAAuB,GACvB,iBAAiB,GACjB,qBAAqB,GACrB,eAAe,CAAC;AAEpB,qBAAa,aAAc,SAAQ,KAAK;aAEpB,IAAI,EAAE,iBAAiB;aAEvB,OAAO,CAAC,EAAE,OAAO;gBAFjB,IAAI,EAAE,iBAAiB,EACvC,OAAO,EAAE,MAAM,EACC,OAAO,CAAC,EAAE,OAAO,YAAA;CAKpC;AAED,qBAAa,QAAQ;IACnB,QAAQ,CAAC,MAAM,EAAE,MAAM,CAAC;IACxB,QAAQ,CAAC,QAAQ,EAAE,MAAM,CAAC;IAC1B,QAAQ,CAAC,WAAW,EAAE,MAAM,CAAC;IAC7B,QAAQ,CAAC,aAAa,EAAE,MAAM,EAAE,CAAC;IACjC,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAiB;IACzC,OAAO,CAAC,QAAQ,CAAC,YAAY,CAAS;gBAE1B,IAAI,EAAE,eAAe;IAWjC;;;;OAIG;IACG,MAAM,CAAC,GAAG,GAAE,aAAkB,GAAG,OAAO,CAAC,IAAI,CAAC;IA0CpD;;;;;;OAMG;IACG,cAAc,CAAC,WAAW,CAAC,EAAE,MAAM,GAAG,GAAG,GAAG,OAAO,CAAC,cAAc,CAAC;IAqGzE;;;OAGG;IACG,OAAO,CAAC,YAAY,EAAE,MAAM,GAAG,OAAO,CAAC,aAAa,CAAC;IA2C3D;;;;OAIG;IACH,YAAY,CAAC,CAAC,GAAG,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EAAE,OAAO,EAAE,MAAM,GAAG,CAAC;IAa7D;;;OAGG;IACH,kBAAkB,IAAI,OAAO;CAG9B;AAED,YAAY,EAAE,cAAc,EAAE,cAAc,EAAE,MAAM,cAAc,CAAC"}

package/dist/index.js ADDED Viewed

@@ -0,0 +1,223 @@
+// @logi-auth/browser — OAuth 2.0 + OIDC PKCE client for SPAs.
+//
+// Usage:
+//   const auth = new LogiAuth({
+//     clientId: 'logi_xxx',
+//     redirectUri: window.location.origin + '/auth/callback',
+//   });
+//
+//   // Page A — kick off
+//   await auth.signIn();
+//
+//   // Page B (callback) — finish
+//   const tokens = await auth.handleCallback();
+//
+//   // Server validates id_token via /.well-known/jwks.json — this SDK does
+//   // NOT verify signatures (browsers can't keep the public-key cache safe
+//   // and the RP backend should be the trust root anyway).
+import { generateCodeVerifier, deriveCodeChallenge, generateState } from "./pkce.js";
+import { sessionStorageBackend, savePending, loadPending, clearPending, } from "./storage.js";
+export class LogiAuthError extends Error {
+    code;
+    details;
+    constructor(code, message, details) {
+        super(message);
+        this.code = code;
+        this.details = details;
+        this.name = "LogiAuthError";
+    }
+}
+export class LogiAuth {
+    issuer;
+    clientId;
+    redirectUri;
+    defaultScopes;
+    storage;
+    pendingTtlMs;
+    constructor(opts) {
+        if (!opts.clientId)
+            throw new Error("LogiAuth: clientId is required");
+        if (!opts.redirectUri)
+            throw new Error("LogiAuth: redirectUri is required");
+        this.clientId = opts.clientId;
+        this.redirectUri = opts.redirectUri;
+        this.issuer = (opts.issuer ?? "https://api.1pass.dev").replace(/\/+$/, "");
+        this.defaultScopes = opts.scopes ?? ["openid", "profile:basic", "email"];
+        this.storage = opts.storage ?? sessionStorageBackend;
+        this.pendingTtlMs = opts.pendingTtlMs ?? 10 * 60 * 1000;
+    }
+    /**
+     * Build the authorize URL and navigate the browser to it. Persists the PKCE
+     * verifier + state to sessionStorage so handleCallback() can complete the
+     * exchange after the IdP redirects back.
+     */
+    async signIn(req = {}) {
+        const verifier = generateCodeVerifier();
+        const challenge = await deriveCodeChallenge(verifier);
+        const state = generateState();
+        const scopes = (req.scopes ?? this.defaultScopes).join(" ");
+        // Persist BEFORE navigating. If sessionStorage is disabled (Safari ITP,
+        // iOS private browsing, corp policy), throw a typed error instead of
+        // redirecting the user into a flow that can't complete (codex P2
+        // 2026-05-15).
+        try {
+            savePending({
+                state,
+                verifier,
+                redirectUri: this.redirectUri,
+                returnTo: req.returnTo,
+                startedAt: Date.now(),
+            }, this.storage);
+        }
+        catch (cause) {
+            throw new LogiAuthError("storage_unavailable", "Could not persist PKCE handoff to sessionStorage (private browsing, ITP, or corp policy).", cause);
+        }
+        const url = new URL(`${this.issuer}/oauth/authorize`);
+        url.searchParams.set("response_type", "code");
+        url.searchParams.set("client_id", this.clientId);
+        url.searchParams.set("redirect_uri", this.redirectUri);
+        url.searchParams.set("scope", scopes);
+        url.searchParams.set("state", state);
+        url.searchParams.set("code_challenge", challenge);
+        url.searchParams.set("code_challenge_method", "S256");
+        if (req.prompt)
+            url.searchParams.set("prompt", req.prompt);
+        window.location.assign(url.toString());
+    }
+    /**
+     * Read the current page URL for ?code & ?state, validate against the
+     * persisted handoff, and exchange the code for tokens. Call this from your
+     * `/auth/callback` route.
+     *
+     * Pass an explicit URL if you've already routed past the callback (rare).
+     */
+    async handleCallback(callbackUrl) {
+        const url = new URL(callbackUrl ?? (typeof window !== "undefined" ? window.location.href : "http://localhost/"));
+        const params = url.searchParams;
+        const pending = loadPending(this.storage);
+        if (!pending) {
+            throw new LogiAuthError("no_pending_handoff", "No pending sign-in handoff in sessionStorage. Did you call signIn() in this tab?");
+        }
+        if (Date.now() - pending.startedAt > this.pendingTtlMs) {
+            clearPending(this.storage);
+            throw new LogiAuthError("expired_handoff", `Pending handoff older than ${this.pendingTtlMs}ms — the user took too long. Restart sign-in.`);
+        }
+        const errParam = params.get("error");
+        if (errParam) {
+            clearPending(this.storage);
+            throw new LogiAuthError("authorization_server_error", `Authorization server returned error: ${errParam}`, { error: errParam, errorDescription: params.get("error_description") });
+        }
+        const returnedState = params.get("state");
+        if (returnedState !== pending.state) {
+            clearPending(this.storage);
+            throw new LogiAuthError("state_mismatch", "state parameter mismatch — possible CSRF attempt or stale callback.");
+        }
+        const code = params.get("code");
+        if (!code) {
+            clearPending(this.storage);
+            throw new LogiAuthError("missing_code", "Callback URL had no `code` parameter.");
+        }
+        // PKCE token exchange. Public client → no client_secret.
+        let tokenResp;
+        try {
+            tokenResp = await fetch(`${this.issuer}/oauth/token`, {
+                method: "POST",
+                headers: { "Content-Type": "application/x-www-form-urlencoded" },
+                body: new URLSearchParams({
+                    grant_type: "authorization_code",
+                    code,
+                    redirect_uri: pending.redirectUri,
+                    client_id: this.clientId,
+                    code_verifier: pending.verifier,
+                }).toString(),
+            });
+        }
+        catch (cause) {
+            clearPending(this.storage);
+            throw new LogiAuthError("network_error", "Network error during token exchange (offline, DNS, CORS, or TLS failure).", cause);
+        }
+        clearPending(this.storage);
+        if (!tokenResp.ok) {
+            // Truncate body to 2 KB — IdPs occasionally echo request params on
+            // 4xx, and consumers shouldn't blindly log multi-MB payloads to Sentry.
+            const rawBody = await tokenResp.text();
+            const body = rawBody.length > 2048 ? rawBody.slice(0, 2048) + "…[truncated]" : rawBody;
+            throw new LogiAuthError("token_exchange_failed", `Token exchange failed: HTTP ${tokenResp.status}`, { status: tokenResp.status, body });
+        }
+        const tokens = await tokenResp.json();
+        return {
+            accessToken: tokens.access_token,
+            idToken: tokens.id_token,
+            refreshToken: tokens.refresh_token,
+            tokenType: tokens.token_type ?? "Bearer",
+            expiresAt: tokens.expires_in
+                ? Date.now() + Number(tokens.expires_in) * 1000
+                : undefined,
+            scope: tokens.scope,
+            returnTo: pending.returnTo,
+        };
+    }
+    /**
+     * Exchange a refresh_token for a fresh access_token. Public clients should
+     * persist the rotated refresh_token returned in `refreshToken`.
+     */
+    async refresh(refreshToken) {
+        let resp;
+        try {
+            resp = await fetch(`${this.issuer}/oauth/token`, {
+                method: "POST",
+                headers: { "Content-Type": "application/x-www-form-urlencoded" },
+                body: new URLSearchParams({
+                    grant_type: "refresh_token",
+                    refresh_token: refreshToken,
+                    client_id: this.clientId,
+                }).toString(),
+            });
+        }
+        catch (cause) {
+            throw new LogiAuthError("network_error", "Network error during refresh (offline, DNS, CORS, or TLS failure).", cause);
+        }
+        if (!resp.ok) {
+            const rawBody = await resp.text();
+            const body = rawBody.length > 2048 ? rawBody.slice(0, 2048) + "…[truncated]" : rawBody;
+            throw new LogiAuthError("token_exchange_failed", `Refresh failed: HTTP ${resp.status}`, { status: resp.status, body });
+        }
+        const tokens = await resp.json();
+        return {
+            accessToken: tokens.access_token,
+            idToken: tokens.id_token,
+            refreshToken: tokens.refresh_token,
+            tokenType: tokens.token_type ?? "Bearer",
+            expiresAt: tokens.expires_in
+                ? Date.now() + Number(tokens.expires_in) * 1000
+                : undefined,
+            scope: tokens.scope,
+        };
+    }
+    /**
+     * Decode an ID token's payload (no signature verification). Use only for
+     * UI hints (e.g. show user's email). Real authorization decisions must be
+     * made server-side after re-verifying via JWKS.
+     */
+    parseIdToken(idToken) {
+        const [, payload] = idToken.split(".");
+        if (!payload)
+            throw new Error("Invalid id_token: missing payload");
+        const b64 = payload.replace(/-/g, "+").replace(/_/g, "/");
+        const padded = b64.padEnd(b64.length + ((4 - (b64.length % 4)) % 4), "=");
+        // Decode as UTF-8, not Latin-1 — Korean / Japanese / emoji claim values
+        // round-trip correctly. atob() returns a binary string interpreted as
+        // UTF-16 by JSON.parse, which mojibakes any non-ASCII (codex P2 fix).
+        const bytes = Uint8Array.from(atob(padded), (c) => c.charCodeAt(0));
+        const json = new TextDecoder("utf-8").decode(bytes);
+        return JSON.parse(json);
+    }
+    /**
+     * True when sessionStorage has a pending sign-in (i.e. user just returned
+     * from the IdP). Use to gate calling handleCallback() in shared components.
+     */
+    hasPendingCallback() {
+        return loadPending(this.storage) !== null;
+    }
+}
+//# sourceMappingURL=index.js.map

package/dist/index.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,8DAA8D;AAC9D,EAAE;AACF,SAAS;AACT,gCAAgC;AAChC,4BAA4B;AAC5B,8DAA8D;AAC9D,QAAQ;AACR,EAAE;AACF,yBAAyB;AACzB,yBAAyB;AACzB,EAAE;AACF,kCAAkC;AAClC,gDAAgD;AAChD,EAAE;AACF,4EAA4E;AAC5E,4EAA4E;AAC5E,4DAA4D;AAE5D,OAAO,EAAE,oBAAoB,EAAE,mBAAmB,EAAE,aAAa,EAAE,MAAM,WAAW,CAAC;AACrF,OAAO,EAEL,qBAAqB,EACrB,WAAW,EACX,WAAW,EACX,YAAY,GACb,MAAM,cAAc,CAAC;AAkDtB,MAAM,OAAO,aAAc,SAAQ,KAAK;IAEpB;IAEA;IAHlB,YACkB,IAAuB,EACvC,OAAe,EACC,OAAiB;QAEjC,KAAK,CAAC,OAAO,CAAC,CAAC;QAJC,SAAI,GAAJ,IAAI,CAAmB;QAEvB,YAAO,GAAP,OAAO,CAAU;QAGjC,IAAI,CAAC,IAAI,GAAG,eAAe,CAAC;IAC9B,CAAC;CACF;AAED,MAAM,OAAO,QAAQ;IACV,MAAM,CAAS;IACf,QAAQ,CAAS;IACjB,WAAW,CAAS;IACpB,aAAa,CAAW;IAChB,OAAO,CAAiB;IACxB,YAAY,CAAS;IAEtC,YAAY,IAAqB;QAC/B,IAAI,CAAC,IAAI,CAAC,QAAQ;YAAE,MAAM,IAAI,KAAK,CAAC,gCAAgC,CAAC,CAAC;QACtE,IAAI,CAAC,IAAI,CAAC,WAAW;YAAE,MAAM,IAAI,KAAK,CAAC,mCAAmC,CAAC,CAAC;QAC5E,IAAI,CAAC,QAAQ,GAAG,IAAI,CAAC,QAAQ,CAAC;QAC9B,IAAI,CAAC,WAAW,GAAG,IAAI,CAAC,WAAW,CAAC;QACpC,IAAI,CAAC,MAAM,GAAG,CAAC,IAAI,CAAC,MAAM,IAAI,uBAAuB,CAAC,CAAC,OAAO,CAAC,MAAM,EAAE,EAAE,CAAC,CAAC;QAC3E,IAAI,CAAC,aAAa,GAAG,IAAI,CAAC,MAAM,IAAI,CAAC,QAAQ,EAAE,eAAe,EAAE,OAAO,CAAC,CAAC;QACzE,IAAI,CAAC,OAAO,GAAG,IAAI,CAAC,OAAO,IAAI,qBAAqB,CAAC;QACrD,IAAI,CAAC,YAAY,GAAG,IAAI,CAAC,YAAY,IAAI,EAAE,GAAG,EAAE,GAAG,IAAI,CAAC;IAC1D,CAAC;IAED;;;;OAIG;IACH,KAAK,CAAC,MAAM,CAAC,MAAqB,EAAE;QAClC,MAAM,QAAQ,GAAG,oBAAoB,EAAE,CAAC;QACxC,MAAM,SAAS,GAAG,MAAM,mBAAmB,CAAC,QAAQ,CAAC,CAAC;QACtD,MAAM,KAAK,GAAG,aAAa,EAAE,CAAC;QAC9B,MAAM,MAAM,GAAG,CAAC,GAAG,CAAC,MAAM,IAAI,IAAI,CAAC,aAAa,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;QAE5D,wEAAwE;QACxE,qEAAqE;QACrE,iEAAiE;QACjE,eAAe;QACf,IAAI,CAAC;YACH,WAAW,CACT;gBACE,KAAK;gBACL,QAAQ;gBACR,WAAW,EAAE,IAAI,CAAC,WAAW;gBAC7B,QAAQ,EAAE,GAAG,CAAC,QAAQ;gBACtB,SAAS,EAAE,IAAI,CAAC,GAAG,EAAE;aACtB,EACD,IAAI,CAAC,OAAO,CACb,CAAC;QACJ,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,MAAM,IAAI,aAAa,CACrB,qBAAqB,EACrB,2FAA2F,EAC3F,KAAK,CACN,CAAC;QACJ,CAAC;QAED,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,GAAG,IAAI,CAAC,MAAM,kBAAkB,CAAC,CAAC;QACtD,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,eAAe,EAAE,MAAM,CAAC,CAAC;QAC9C,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,WAAW,EAAE,IAAI,CAAC,QAAQ,CAAC,CAAC;QACjD,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,cAAc,EAAE,IAAI,CAAC,WAAW,CAAC,CAAC;QACvD,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,OAAO,EAAE,MAAM,CAAC,CAAC;QACtC,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,OAAO,EAAE,KAAK,CAAC,CAAC;QACrC,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,gBAAgB,EAAE,SAAS,CAAC,CAAC;QAClD,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,uBAAuB,EAAE,MAAM,CAAC,CAAC;QACtD,IAAI,GAAG,CAAC,MAAM;YAAE,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,QAAQ,EAAE,GAAG,CAAC,MAAM,CAAC,CAAC;QAE3D,MAAM,CAAC,QAAQ,CAAC,MAAM,CAAC,GAAG,CAAC,QAAQ,EAAE,CAAC,CAAC;IACzC,CAAC;IAED;;;;;;OAMG;IACH,KAAK,CAAC,cAAc,CAAC,WAA0B;QAC7C,MAAM,GAAG,GAAG,IAAI,GAAG,CACjB,WAAW,IAAI,CAAC,OAAO,MAAM,KAAK,WAAW,CAAC,CAAC,CAAC,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,mBAAmB,CAAC,CAC5F,CAAC;QACF,MAAM,MAAM,GAAG,GAAG,CAAC,YAAY,CAAC;QAEhC,MAAM,OAAO,GAAG,WAAW,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;QAC1C,IAAI,CAAC,OAAO,EAAE,CAAC;YACb,MAAM,IAAI,aAAa,CACrB,oBAAoB,EACpB,kFAAkF,CACnF,CAAC;QACJ,CAAC;QAED,IAAI,IAAI,CAAC,GAAG,EAAE,GAAG,OAAO,CAAC,SAAS,GAAG,IAAI,CAAC,YAAY,EAAE,CAAC;YACvD,YAAY,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;YAC3B,MAAM,IAAI,aAAa,CACrB,iBAAiB,EACjB,8BAA8B,IAAI,CAAC,YAAY,+CAA+C,CAC/F,CAAC;QACJ,CAAC;QAED,MAAM,QAAQ,GAAG,MAAM,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;QACrC,IAAI,QAAQ,EAAE,CAAC;YACb,YAAY,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;YAC3B,MAAM,IAAI,aAAa,CACrB,4BAA4B,EAC5B,wCAAwC,QAAQ,EAAE,EAClD,EAAE,KAAK,EAAE,QAAQ,EAAE,gBAAgB,EAAE,MAAM,CAAC,GAAG,CAAC,mBAAmB,CAAC,EAAE,CACvE,CAAC;QACJ,CAAC;QAED,MAAM,aAAa,GAAG,MAAM,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;QAC1C,IAAI,aAAa,KAAK,OAAO,CAAC,KAAK,EAAE,CAAC;YACpC,YAAY,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;YAC3B,MAAM,IAAI,aAAa,CACrB,gBAAgB,EAChB,qEAAqE,CACtE,CAAC;QACJ,CAAC;QAED,MAAM,IAAI,GAAG,MAAM,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;QAChC,IAAI,CAAC,IAAI,EAAE,CAAC;YACV,YAAY,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;YAC3B,MAAM,IAAI,aAAa,CACrB,cAAc,EACd,uCAAuC,CACxC,CAAC;QACJ,CAAC;QAED,yDAAyD;QACzD,IAAI,SAAmB,CAAC;QACxB,IAAI,CAAC;YACH,SAAS,GAAG,MAAM,KAAK,CAAC,GAAG,IAAI,CAAC,MAAM,cAAc,EAAE;gBACpD,MAAM,EAAE,MAAM;gBACd,OAAO,EAAE,EAAE,cAAc,EAAE,mCAAmC,EAAE;gBAChE,IAAI,EAAE,IAAI,eAAe,CAAC;oBACxB,UAAU,EAAE,oBAAoB;oBAChC,IAAI;oBACJ,YAAY,EAAE,OAAO,CAAC,WAAW;oBACjC,SAAS,EAAE,IAAI,CAAC,QAAQ;oBACxB,aAAa,EAAE,OAAO,CAAC,QAAQ;iBAChC,CAAC,CAAC,QAAQ,EAAE;aACd,CAAC,CAAC;QACL,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,YAAY,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;YAC3B,MAAM,IAAI,aAAa,CACrB,eAAe,EACf,2EAA2E,EAC3E,KAAK,CACN,CAAC;QACJ,CAAC;QAED,YAAY,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;QAE3B,IAAI,CAAC,SAAS,CAAC,EAAE,EAAE,CAAC;YAClB,mEAAmE;YACnE,wEAAwE;YACxE,MAAM,OAAO,GAAG,MAAM,SAAS,CAAC,IAAI,EAAE,CAAC;YACvC,MAAM,IAAI,GAAG,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC,CAAC,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC,EAAE,IAAI,CAAC,GAAG,cAAc,CAAC,CAAC,CAAC,OAAO,CAAC;YACvF,MAAM,IAAI,aAAa,CACrB,uBAAuB,EACvB,+BAA+B,SAAS,CAAC,MAAM,EAAE,EACjD,EAAE,MAAM,EAAE,SAAS,CAAC,MAAM,EAAE,IAAI,EAAE,CACnC,CAAC;QACJ,CAAC;QAED,MAAM,MAAM,GAAG,MAAM,SAAS,CAAC,IAAI,EAAE,CAAC;QACtC,OAAO;YACL,WAAW,EAAE,MAAM,CAAC,YAAY;YAChC,OAAO,EAAE,MAAM,CAAC,QAAQ;YACxB,YAAY,EAAE,MAAM,CAAC,aAAa;YAClC,SAAS,EAAE,MAAM,CAAC,UAAU,IAAI,QAAQ;YACxC,SAAS,EAAE,MAAM,CAAC,UAAU;gBAC1B,CAAC,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,MAAM,CAAC,MAAM,CAAC,UAAU,CAAC,GAAG,IAAI;gBAC/C,CAAC,CAAC,SAAS;YACb,KAAK,EAAE,MAAM,CAAC,KAAK;YACnB,QAAQ,EAAE,OAAO,CAAC,QAAQ;SAC3B,CAAC;IACJ,CAAC;IAED;;;OAGG;IACH,KAAK,CAAC,OAAO,CAAC,YAAoB;QAChC,IAAI,IAAc,CAAC;QACnB,IAAI,CAAC;YACH,IAAI,GAAG,MAAM,KAAK,CAAC,GAAG,IAAI,CAAC,MAAM,cAAc,EAAE;gBAC/C,MAAM,EAAE,MAAM;gBACd,OAAO,EAAE,EAAE,cAAc,EAAE,mCAAmC,EAAE;gBAChE,IAAI,EAAE,IAAI,eAAe,CAAC;oBACxB,UAAU,EAAE,eAAe;oBAC3B,aAAa,EAAE,YAAY;oBAC3B,SAAS,EAAE,IAAI,CAAC,QAAQ;iBACzB,CAAC,CAAC,QAAQ,EAAE;aACd,CAAC,CAAC;QACL,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,MAAM,IAAI,aAAa,CACrB,eAAe,EACf,oEAAoE,EACpE,KAAK,CACN,CAAC;QACJ,CAAC;QAED,IAAI,CAAC,IAAI,CAAC,EAAE,EAAE,CAAC;YACb,MAAM,OAAO,GAAG,MAAM,IAAI,CAAC,IAAI,EAAE,CAAC;YAClC,MAAM,IAAI,GAAG,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC,CAAC,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC,EAAE,IAAI,CAAC,GAAG,cAAc,CAAC,CAAC,CAAC,OAAO,CAAC;YACvF,MAAM,IAAI,aAAa,CACrB,uBAAuB,EACvB,wBAAwB,IAAI,CAAC,MAAM,EAAE,EACrC,EAAE,MAAM,EAAE,IAAI,CAAC,MAAM,EAAE,IAAI,EAAE,CAC9B,CAAC;QACJ,CAAC;QAED,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,IAAI,EAAE,CAAC;QACjC,OAAO;YACL,WAAW,EAAE,MAAM,CAAC,YAAY;YAChC,OAAO,EAAE,MAAM,CAAC,QAAQ;YACxB,YAAY,EAAE,MAAM,CAAC,aAAa;YAClC,SAAS,EAAE,MAAM,CAAC,UAAU,IAAI,QAAQ;YACxC,SAAS,EAAE,MAAM,CAAC,UAAU;gBAC1B,CAAC,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,MAAM,CAAC,MAAM,CAAC,UAAU,CAAC,GAAG,IAAI;gBAC/C,CAAC,CAAC,SAAS;YACb,KAAK,EAAE,MAAM,CAAC,KAAK;SACpB,CAAC;IACJ,CAAC;IAED;;;;OAIG;IACH,YAAY,CAA8B,OAAe;QACvD,MAAM,CAAC,EAAE,OAAO,CAAC,GAAG,OAAO,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;QACvC,IAAI,CAAC,OAAO;YAAE,MAAM,IAAI,KAAK,CAAC,mCAAmC,CAAC,CAAC;QACnE,MAAM,GAAG,GAAG,OAAO,CAAC,OAAO,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC,OAAO,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC;QAC1D,MAAM,MAAM,GAAG,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,GAAG,CAAC,GAAG,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,EAAE,GAAG,CAAC,CAAC;QAC1E,wEAAwE;QACxE,sEAAsE;QACtE,sEAAsE;QACtE,MAAM,KAAK,GAAG,UAAU,CAAC,IAAI,CAAC,IAAI,CAAC,MAAM,CAAC,EAAE,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC,CAAC;QACpE,MAAM,IAAI,GAAG,IAAI,WAAW,CAAC,OAAO,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;QACpD,OAAO,IAAI,CAAC,KAAK,CAAC,IAAI,CAAM,CAAC;IAC/B,CAAC;IAED;;;OAGG;IACH,kBAAkB;QAChB,OAAO,WAAW,CAAC,IAAI,CAAC,OAAO,CAAC,KAAK,IAAI,CAAC;IAC5C,CAAC;CACF"}

package/dist/pkce.d.ts ADDED Viewed

@@ -0,0 +1,4 @@
+export declare function generateCodeVerifier(byteLength?: number): string;
+export declare function deriveCodeChallenge(verifier: string): Promise<string>;
+export declare function generateState(): string;
+//# sourceMappingURL=pkce.d.ts.map

package/dist/pkce.d.ts.map ADDED Viewed

	@@ -0,0 +1 @@
1	+ {"version":3,"file":"pkce.d.ts","sourceRoot":"","sources":["../src/pkce.ts"],"names":[],"mappings":"AAWA,wBAAgB,oBAAoB,CAAC,UAAU,SAAK,GAAG,MAAM,CAI5D;AAED,wBAAsB,mBAAmB,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,CAI3E;AAED,wBAAgB,aAAa,IAAI,MAAM,CAKtC"}

package/dist/pkce.js ADDED Viewed

@@ -0,0 +1,27 @@
+// PKCE helpers (RFC 7636) — browser-only, uses crypto.subtle.
+//
+// `code_verifier`: 43–128 char URL-safe random string.
+// `code_challenge`: BASE64URL(SHA256(verifier)), 43 chars unpadded.
+function base64url(bytes) {
+    let bin = "";
+    for (const b of bytes)
+        bin += String.fromCharCode(b);
+    return btoa(bin).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
+}
+export function generateCodeVerifier(byteLength = 48) {
+    const bytes = new Uint8Array(byteLength);
+    crypto.getRandomValues(bytes);
+    return base64url(bytes);
+}
+export async function deriveCodeChallenge(verifier) {
+    const data = new TextEncoder().encode(verifier);
+    const digest = await crypto.subtle.digest("SHA-256", data);
+    return base64url(new Uint8Array(digest));
+}
+export function generateState() {
+    // Random opaque value to defeat CSRF on the callback. 16 bytes → 22 chars.
+    const bytes = new Uint8Array(16);
+    crypto.getRandomValues(bytes);
+    return base64url(bytes);
+}
+//# sourceMappingURL=pkce.js.map

package/dist/pkce.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"pkce.js","sourceRoot":"","sources":["../src/pkce.ts"],"names":[],"mappings":"AAAA,8DAA8D;AAC9D,EAAE;AACF,uDAAuD;AACvD,oEAAoE;AAEpE,SAAS,SAAS,CAAC,KAAiB;IAClC,IAAI,GAAG,GAAG,EAAE,CAAC;IACb,KAAK,MAAM,CAAC,IAAI,KAAK;QAAE,GAAG,IAAI,MAAM,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;IACrD,OAAO,IAAI,CAAC,GAAG,CAAC,CAAC,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC;AAC9E,CAAC;AAED,MAAM,UAAU,oBAAoB,CAAC,UAAU,GAAG,EAAE;IAClD,MAAM,KAAK,GAAG,IAAI,UAAU,CAAC,UAAU,CAAC,CAAC;IACzC,MAAM,CAAC,eAAe,CAAC,KAAK,CAAC,CAAC;IAC9B,OAAO,SAAS,CAAC,KAAK,CAAC,CAAC;AAC1B,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,mBAAmB,CAAC,QAAgB;IACxD,MAAM,IAAI,GAAG,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC;IAChD,MAAM,MAAM,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,SAAS,EAAE,IAAI,CAAC,CAAC;IAC3D,OAAO,SAAS,CAAC,IAAI,UAAU,CAAC,MAAM,CAAC,CAAC,CAAC;AAC3C,CAAC;AAED,MAAM,UAAU,aAAa;IAC3B,2EAA2E;IAC3E,MAAM,KAAK,GAAG,IAAI,UAAU,CAAC,EAAE,CAAC,CAAC;IACjC,MAAM,CAAC,eAAe,CAAC,KAAK,CAAC,CAAC;IAC9B,OAAO,SAAS,CAAC,KAAK,CAAC,CAAC;AAC1B,CAAC"}

package/dist/storage.d.ts ADDED Viewed

@@ -0,0 +1,19 @@
+export interface PendingHandoff {
+    state: string;
+    verifier: string;
+    redirectUri: string;
+    /** Optional caller-supplied passthrough (e.g. UI route to restore). */
+    returnTo?: string;
+    /** ms epoch — used to expire stale handoffs. */
+    startedAt: number;
+}
+export interface StorageBackend {
+    get(key: string): string | null;
+    set(key: string, value: string): void;
+    remove(key: string): void;
+}
+export declare const sessionStorageBackend: StorageBackend;
+export declare function savePending(p: PendingHandoff, backend: StorageBackend): void;
+export declare function loadPending(backend: StorageBackend): PendingHandoff | null;
+export declare function clearPending(backend: StorageBackend): void;
+//# sourceMappingURL=storage.d.ts.map

package/dist/storage.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"storage.d.ts","sourceRoot":"","sources":["../src/storage.ts"],"names":[],"mappings":"AAMA,MAAM,WAAW,cAAc;IAC7B,KAAK,EAAE,MAAM,CAAC;IACd,QAAQ,EAAE,MAAM,CAAC;IACjB,WAAW,EAAE,MAAM,CAAC;IACpB,uEAAuE;IACvE,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,gDAAgD;IAChD,SAAS,EAAE,MAAM,CAAC;CACnB;AAED,MAAM,WAAW,cAAc;IAC7B,GAAG,CAAC,GAAG,EAAE,MAAM,GAAG,MAAM,GAAG,IAAI,CAAC;IAChC,GAAG,CAAC,GAAG,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,GAAG,IAAI,CAAC;IACtC,MAAM,CAAC,GAAG,EAAE,MAAM,GAAG,IAAI,CAAC;CAC3B;AAED,eAAO,MAAM,qBAAqB,EAAE,cAuBnC,CAAC;AAEF,wBAAgB,WAAW,CAAC,CAAC,EAAE,cAAc,EAAE,OAAO,EAAE,cAAc,GAAG,IAAI,CAE5E;AAED,wBAAgB,WAAW,CAAC,OAAO,EAAE,cAAc,GAAG,cAAc,GAAG,IAAI,CAQ1E;AAED,wBAAgB,YAAY,CAAC,OAAO,EAAE,cAAc,GAAG,IAAI,CAE1D"}

package/dist/storage.js ADDED Viewed

@@ -0,0 +1,48 @@
+// Per-handoff storage for the PKCE verifier + CSRF state. Kept in
+// sessionStorage so it survives the IdP redirect round-trip but is wiped on
+// tab close.
+const KEY = "logi-auth.pending";
+export const sessionStorageBackend = {
+    get(key) {
+        try {
+            return sessionStorage.getItem(key);
+        }
+        catch {
+            return null;
+        }
+    },
+    set(key, value) {
+        // Re-throw on quota / disabled storage so signIn() can refuse to
+        // navigate to the IdP. Silent failure (codex P2 2026-05-15) lets the
+        // user complete the IdP round-trip and only fail at handleCallback()
+        // with a misleading no_pending_handoff. Real-world hits: Safari ITP,
+        // iOS private browsing, corporate policies disabling sessionStorage.
+        sessionStorage.setItem(key, value);
+    },
+    remove(key) {
+        try {
+            sessionStorage.removeItem(key);
+        }
+        catch {
+            // ignore
+        }
+    },
+};
+export function savePending(p, backend) {
+    backend.set(KEY, JSON.stringify(p));
+}
+export function loadPending(backend) {
+    const raw = backend.get(KEY);
+    if (!raw)
+        return null;
+    try {
+        return JSON.parse(raw);
+    }
+    catch {
+        return null;
+    }
+}
+export function clearPending(backend) {
+    backend.remove(KEY);
+}
+//# sourceMappingURL=storage.js.map

package/dist/storage.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"storage.js","sourceRoot":"","sources":["../src/storage.ts"],"names":[],"mappings":"AAAA,kEAAkE;AAClE,4EAA4E;AAC5E,aAAa;AAEb,MAAM,GAAG,GAAG,mBAAmB,CAAC;AAkBhC,MAAM,CAAC,MAAM,qBAAqB,GAAmB;IACnD,GAAG,CAAC,GAAG;QACL,IAAI,CAAC;YACH,OAAO,cAAc,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;QACrC,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,IAAI,CAAC;QACd,CAAC;IACH,CAAC;IACD,GAAG,CAAC,GAAG,EAAE,KAAK;QACZ,iEAAiE;QACjE,qEAAqE;QACrE,qEAAqE;QACrE,qEAAqE;QACrE,qEAAqE;QACrE,cAAc,CAAC,OAAO,CAAC,GAAG,EAAE,KAAK,CAAC,CAAC;IACrC,CAAC;IACD,MAAM,CAAC,GAAG;QACR,IAAI,CAAC;YACH,cAAc,CAAC,UAAU,CAAC,GAAG,CAAC,CAAC;QACjC,CAAC;QAAC,MAAM,CAAC;YACP,SAAS;QACX,CAAC;IACH,CAAC;CACF,CAAC;AAEF,MAAM,UAAU,WAAW,CAAC,CAAiB,EAAE,OAAuB;IACpE,OAAO,CAAC,GAAG,CAAC,GAAG,EAAE,IAAI,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC,CAAC;AACtC,CAAC;AAED,MAAM,UAAU,WAAW,CAAC,OAAuB;IACjD,MAAM,GAAG,GAAG,OAAO,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;IAC7B,IAAI,CAAC,GAAG;QAAE,OAAO,IAAI,CAAC;IACtB,IAAI,CAAC;QACH,OAAO,IAAI,CAAC,KAAK,CAAC,GAAG,CAAmB,CAAC;IAC3C,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC;AAED,MAAM,UAAU,YAAY,CAAC,OAAuB;IAClD,OAAO,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;AACtB,CAAC"}

package/package.json ADDED Viewed

@@ -0,0 +1,57 @@
+{
+  "name": "@logi-auth/browser",
+  "version": "0.1.0",
+  "description": "Browser SDK for logi (1pass) — OAuth 2.0 + OIDC PKCE for SPAs. Zero dependencies.",
+  "type": "module",
+  "main": "./dist/index.js",
+  "types": "./dist/index.d.ts",
+  "exports": {
+    ".": {
+      "types": "./dist/index.d.ts",
+      "default": "./dist/index.js"
+    }
+  },
+  "files": [
+    "dist",
+    "README.md",
+    "LICENSE"
+  ],
+  "scripts": {
+    "build": "tsc -p tsconfig.json",
+    "test": "vitest run",
+    "test:watch": "vitest",
+    "prepublishOnly": "npm run build && npm run test"
+  },
+  "keywords": [
+    "logi",
+    "1pass",
+    "oauth",
+    "oidc",
+    "pkce",
+    "spa",
+    "auth",
+    "openid"
+  ],
+  "author": "Seunghan Kim (https://github.com/seunghan91)",
+  "license": "MIT",
+  "repository": {
+    "type": "git",
+    "url": "git+https://github.com/seunghan91/logi.git",
+    "directory": "Packages/npm/browser"
+  },
+  "homepage": "https://docs.1pass.dev",
+  "bugs": {
+    "url": "https://github.com/seunghan91/logi/issues"
+  },
+  "publishConfig": {
+    "access": "public"
+  },
+  "engines": {
+    "node": ">=18"
+  },
+  "devDependencies": {
+    "typescript": "^5.6.0",
+    "vitest": "^2.1.0"
+  },
+  "sideEffects": false
+}