@makroz/web 1.2.5 → 1.2.6

package/README.md

@@ -5,7 +5,7 @@ Librería de componentes UI para proyectos Web (React). Enfocada en performance
 ## Características Core
 - **Native CSS Theming**: Todo el look se controla via variables CSS (`--mk-primary`, etc.). Sin Tailwind.
 - **Micro-Animations**: Transiciones fluidas y estados activos integrados.
-- **useApi Hook**: Comunicación estandarizada con backend MK-Director, manejando loading/error/success automáticamente.
+- **useApi Hook**: Comunicación estandarizada con backend MK-Director, manejando loading/error/success automáticamente. AbortController wired up on unmount and param change, `response.ok` checked before parsing JSON, default 30s timeout. Returned by `useApi()` directly so consumer call sites do not need to change.
 
 ## Instalación & Tematización
 Importa los estilos en tu root:

package/bin/mk-update.js

@@ -57,10 +57,125 @@ function getLatestRegistryVersion(packageName) {
   return 'unknown';
 }
 
+function getRegistryVersions(packageName) {
+  try {
+    const stdout = execSync(`npm view ${packageName} versions --json`, {
+      encoding: 'utf8',
+      stdio: ['ignore', 'pipe', 'ignore'],
+      timeout: 5000,
+    });
+    if (stdout.trim()) {
+      const parsed = JSON.parse(stdout.trim());
+      return Array.isArray(parsed) ? parsed : [parsed];
+    }
+  } catch {
+    try {
+      const stdout = execSync(`npm view ${packageName} versions`, {
+        encoding: 'utf8',
+        stdio: ['ignore', 'pipe', 'ignore'],
+        timeout: 5000,
+      });
+      if (stdout.trim()) {
+        return stdout.replace(/[\[\]']/g, '').split(',').map(v => v.trim()).filter(Boolean);
+      }
+    } catch {
+      // silent fallback
+    }
+  }
+  return [];
+}
+
+function parseVersion(v) {
+  const clean = v.replace(/^v/, '');
+  const [main, prerelease] = clean.split('-');
+  const [major, minor, patch] = main.split('.').map(Number);
+  return {
+    major: isNaN(major) ? 0 : major,
+    minor: isNaN(minor) ? 0 : minor,
+    patch: isNaN(patch) ? 0 : patch,
+    prerelease: prerelease || null,
+  };
+}
+
+function compareVersions(v1, v2) {
+  const p1 = parseVersion(v1);
+  const p2 = parseVersion(v2);
+
+  if (p1.major !== p2.major) return p1.major - p2.major;
+  if (p1.minor !== p2.minor) return p1.minor - p2.minor;
+  if (p1.patch !== p2.patch) return p1.patch - p2.patch;
+
+  if (p1.prerelease && !p2.prerelease) return -1;
+  if (!p1.prerelease && p2.prerelease) return 1;
+
+  if (p1.prerelease && p2.prerelease) {
+    const regex = /^([a-zA-Z.-]+)(\d*)$/;
+    const m1 = p1.prerelease.match(regex);
+    const m2 = p2.prerelease.match(regex);
+
+    if (m1 && m2) {
+      const label1 = m1[1];
+      const label2 = m2[1];
+      if (label1 !== label2) {
+        return label1.localeCompare(label2);
+      }
+      const num1 = m1[2] ? parseInt(m1[2], 10) : 0;
+      const num2 = m2[2] ? parseInt(m2[2], 10) : 0;
+      return num1 - num2;
+    }
+    return p1.prerelease.localeCompare(p2.prerelease);
+  }
+
+  return 0;
+}
+
+function performUpdate(updates, packageManager) {
+  const pkgJsonPath = path.join(process.cwd(), 'package.json');
+  const pkg = JSON.parse(fs.readFileSync(pkgJsonPath, 'utf8'));
+
+  const dependencies = pkg.dependencies || {};
+  const devDependencies = pkg.devDependencies || {};
+
+  updates.forEach(upd => {
+    const newSpec = upd.isLocal ? `file:../../mk-director/packages/${upd.name.replace('@makroz/', 'mk-')}` : `^${upd.version}`;
+    if (dependencies[upd.name]) {
+      dependencies[upd.name] = newSpec;
+    } else if (devDependencies[upd.name]) {
+      devDependencies[upd.name] = newSpec;
+    }
+  });
+
+  fs.writeFileSync(pkgJsonPath, JSON.stringify(pkg, null, 2) + '\n', 'utf8');
+  console.log('\n✅ package.json actualizado.');
+
+  let command = '';
+  if (packageManager === 'pnpm') {
+    command = 'pnpm install';
+  } else if (packageManager === 'yarn') {
+    command = 'yarn install';
+  } else {
+    command = 'npm install';
+  }
+
+  console.log(`\nEjecutando: ${command}...\n`);
+
+  try {
+    execSync(command, { stdio: 'inherit' });
+    console.log('\n🏁 Actualización finalizada con éxito.\n');
+  } catch (e) {
+    console.error(`\n❌ Error al ejecutar la actualización: ${e.message}\n`);
+    process.exit(1);
+  }
+}
+
 async function run() {
   const args = process.argv.slice(2);
   const toLocal = args.includes('--local') || args.includes('--dev');
   const toProd = args.includes('--prod') || args.includes('--registry') || args.includes('--remote');
+  const dryRun = args.includes('--dry-run');
+
+  const cleanArgs = args.filter(arg => !['--local', '--dev', '--prod', '--registry', '--remote', '--dry-run'].includes(arg));
+  const targetVersionArg = cleanArgs.find(arg => !arg.startsWith('-'));
 
   const pkgJsonPath = path.join(process.cwd(), 'package.json');
   if (!fs.existsSync(pkgJsonPath)) {
@@ -117,6 +232,10 @@ async function run() {
     updateSection(devDependencies);
 
     if (modified) {
+      if (dryRun) {
+        console.log('\n[Simulación] Se omitió la escritura en package.json y la ejecución del gestor de paquetes.');
+        process.exit(0);
+      }
       fs.writeFileSync(pkgJsonPath, JSON.stringify(pkg, null, 2) + '\n', 'utf8');
       console.log('\n✅ package.json actualizado correctamente.');
       const packageManager = detectPackageManager();
@@ -159,37 +278,44 @@ async function run() {
     const isLocal = spec.startsWith('file:');
     const installed = getInstalledVersion(name);
     
-    let latest = 'unknown';
+    let versions = [];
+    let latestStable = 'unknown';
+
     if (isLocal) {
-      latest = getLatestLocalVersion(spec);
+      const localVersion = getLatestLocalVersion(spec);
+      if (localVersion !== 'unknown') {
+        versions = [localVersion];
+      }
     } else {
-      latest = getLatestRegistryVersion(name);
+      versions = getRegistryVersions(name);
+      latestStable = getLatestRegistryVersion(name);
     }
 
-    // Compare versions to see if update is needed
-    let needsUpdate = false;
-    if (installed !== 'unknown' && latest !== 'unknown') {
-      needsUpdate = installed !== latest;
-    } else if (installed === 'unknown' && latest !== 'unknown') {
-      needsUpdate = true;
+    let higherVersions = [];
+    if (installed !== 'unknown') {
+      higherVersions = versions.filter(v => compareVersions(v, installed) > 0);
+    } else {
+      higherVersions = versions;
     }
 
+    higherVersions.sort((a, b) => compareVersions(b, a));
+
     packageInfos.push({
       name,
       currentSpec: spec,
       installedVersion: installed,
-      latestVersion: latest,
+      higherVersions,
+      latestStable,
       isLocal,
-      needsUpdate,
+      needsUpdate: higherVersions.length > 0,
     });
   }
 
-  // Print summary of packages
   console.log('Estado de los paquetes:');
   for (const info of packageInfos) {
     const typeLabel = info.isLocal ? '[Local]' : '[Registry]';
     if (info.needsUpdate) {
-      console.log(`  ⚠️  ${info.name} ${typeLabel}: ${info.installedVersion} -> ${info.latestVersion} (Actualización disponible)`);
+      console.log(`  ⚠️  ${info.name} ${typeLabel}: ${info.installedVersion} -> ${info.higherVersions[0]} (Actualizaciones disponibles: ${info.higherVersions.length})`);
     } else {
       console.log(`  ✅ ${info.name} ${typeLabel}: ${info.installedVersion} (Al día)`);
     }
@@ -205,45 +331,123 @@ async function run() {
   const packageManager = detectPackageManager();
   console.log(`\nGestor de paquetes detectado: ${packageManager}`);
 
+  if (targetVersionArg) {
+    const targetVersionClean = targetVersionArg.replace(/^v/, '');
+    console.log(`\n📌 Versión especificada por argumento: v${targetVersionClean}`);
+    
+    if (dryRun) {
+      console.log(`[Simulación] Se actualizarían los siguientes paquetes a v${targetVersionClean}:`);
+      updatable.forEach(info => console.log(`  - ${info.name}`));
+      process.exit(0);
+    }
+
+    const rl = readline.createInterface({
+      input: process.stdin,
+      output: process.stdout,
+    });
+
+    rl.question(`\n¿Confirmás la actualización a v${targetVersionClean}? (Y/n): `, (answer) => {
+      rl.close();
+      if (answer.trim().toLowerCase() === 'n') {
+        console.log('Actualización cancelada.');
+        process.exit(0);
+      }
+      performUpdate(updatable.map(info => ({ name: info.name, version: targetVersionClean, isLocal: info.isLocal })), packageManager);
+    });
+    return;
+  }
+
   const rl = readline.createInterface({
     input: process.stdin,
     output: process.stdout,
   });
 
-  rl.question('\n¿Querés actualizar los paquetes? (Y/n): ', (answer) => {
-    rl.close();
-    const confirmed = answer.trim().toLowerCase() !== 'n';
+  const selectedUpdates = [];
 
-    if (!confirmed) {
-      console.log('Actualización cancelada por el usuario.');
-      process.exit(0);
-    }
+  async function askPackageUpdate(index) {
+    if (index >= updatable.length) {
+      rl.close();
+      if (selectedUpdates.length === 0) {
+        console.log('No se seleccionó ninguna actualización.');
+        process.exit(0);
+      }
 
-    const packageNames = updatable.map(info => info.name);
-    let command = '';
+      console.log('\nSelección de actualizaciones:');
+      selectedUpdates.forEach(upd => {
+        console.log(`  - ${upd.name} -> v${upd.version}`);
+      });
 
-    if (packageManager === 'pnpm') {
-      command = `pnpm update ${packageNames.join(' ')}`;
-    } else if (packageManager === 'yarn') {
-      command = `yarn upgrade ${packageNames.join(' ')}`;
-    } else {
-      // npm
-      const args = updatable.map(info => {
-        return info.isLocal ? info.name : `${info.name}@latest`;
-      }).join(' ');
-      command = `npm install ${args}`;
-    }
+      if (dryRun) {
+        console.log('\n[Simulación] Se omitirá la descarga e instalación.');
+        process.exit(0);
+      }
 
-    console.log(`\nEjecutando: ${command}...\n`);
+      const confirmRl = readline.createInterface({
+        input: process.stdin,
+        output: process.stdout,
+      });
 
-    try {
-      execSync(command, { stdio: 'inherit' });
-      console.log('\n🏁 Actualización finalizada con éxito.\n');
-    } catch (e) {
-      console.error(`\n❌ Error al ejecutar la actualización: ${e.message}\n`);
-      process.exit(1);
+      confirmRl.question('\n¿Confirmás la actualización? (Y/n): ', (answer) => {
+        confirmRl.close();
+        if (answer.trim().toLowerCase() === 'n') {
+          console.log('Actualización cancelada.');
+          process.exit(0);
+        }
+        performUpdate(selectedUpdates, packageManager);
+      });
+      return;
     }
-  });
+
+    const info = updatable[index];
+    console.log(`\n----------------------------------------`);
+    console.log(`¿A qué versión querés actualizar ${info.name}? (Actual: ${info.installedVersion})`);
+
+    const choices = info.higherVersions.map((version, i) => {
+      const isLatestStable = version === info.latestStable;
+      const isRc = /rc|alpha|beta/i.test(version);
+      const marker = isLatestStable ? ' ⭐ (última estable)' : (isRc ? ' 🧪 (pre-release)' : '');
+      return {
+        text: `v${version}${marker}`,
+        version,
+      };
+    });
+
+    choices.forEach((choice, i) => {
+      console.log(`  [${i + 1}] ${choice.text}`);
+    });
+    console.log(`  [s] Omitir este paquete`);
+
+    rl.question(`\nIngresá el número de opción (1-${choices.length}) o 's' para omitir [default 1]: `, (ans) => {
+      const cleanAns = ans.trim();
+      if (cleanAns.toLowerCase() === 's') {
+        console.log(`Omitiendo ${info.name}.`);
+        askPackageUpdate(index + 1);
+        return;
+      }
+
+      let choiceIndex = 0;
+      if (cleanAns !== '') {
+        const parsedAns = parseInt(cleanAns, 10);
+        if (isNaN(parsedAns) || parsedAns < 1 || parsedAns > choices.length) {
+          console.log('Opción inválida. Reintentando...');
+          askPackageUpdate(index);
+          return;
+        }
+        choiceIndex = parsedAns - 1;
+      }
+
+      const selectedVersion = choices[choiceIndex].version;
+      selectedUpdates.push({
+        name: info.name,
+        version: selectedVersion,
+        isLocal: info.isLocal,
+      });
+
+      askPackageUpdate(index + 1);
+    });
+  }
+
+  askPackageUpdate(0);
 }
 
 run();

package/dist/auth/AuthStorageAdapter.d.ts

@@ -0,0 +1,74 @@
+/**
+ * Storage adapters for `<MkAuthProvider>`.
+ *
+ * `AuthStorageAdapter` is the interface; `CookieStorageAdapter` is the
+ * default implementation; `LocalStorageAdapter` is an opt-in escape hatch
+ * kept for one release cycle and marked `@deprecated`.
+ *
+ * ## Why a Cookie default?
+ *
+ * Mobile (`@makroz/mobile`) already stores tokens in `expo-secure-store`
+ * (device keychain / Android Keystore). That is the secure pattern for
+ * tokens. Web never had an equivalent — the previous default wrote
+ * `access_token` and `refresh_token` into `localStorage`, where any
+ * XSS payload could exfiltrate them and where they survive tab close
+ * (extending the attack window). Switching the default to cookies
+ * aligns web with the mobile pattern; the migration story is in the
+ * package CHANGELOG.
+ *
+ * ## SSR safety
+ *
+ * Both adapters are no-ops when `document` / `window` are unavailable
+ * (server-side rendering). The provider should be hydrated client-side
+ * to pick up tokens — that has always been the case.
+ *
+ * ## Future GA work
+ *
+ * When the consumer migrates to `makroz/director-laravel` Sanctum v4
+ * cookie mode, the cookies will become `httpOnly` and the JS adapter
+ * will only manage a non-secret CSRF/read mirror. That sprint is
+ * out of scope here; this file only ships the adapter surface.
+ */
+import type { AuthStorageAdapter } from './types';
+export interface CookieStorageAdapterOptions {
+    /**
+     * Emit the `Secure` flag. Set `true` in production over HTTPS.
+     * Defaults to `false` (so the adapter works in `http://localhost`
+     * during development without surprises).
+     */
+    secure?: boolean;
+}
+/**
+ * Default storage adapter. Reads/writes browser cookies via
+ * `document.cookie`. Use this unless you have a specific reason to
+ * pin tokens in JavaScript-managed storage (and you almost certainly
+ * don't — that's the XSS risk this adapter exists to retire).
+ */
+export declare class CookieStorageAdapter implements AuthStorageAdapter {
+    private readonly secure;
+    constructor(opts?: CookieStorageAdapterOptions);
+    getItem(key: string): string | null;
+    setItem(key: string, value: string): void;
+    removeItem(key: string): void;
+}
+/**
+ * @deprecated Use `CookieStorageAdapter` instead. Persists tokens in
+ * `localStorage`, where any XSS payload can read them and where they
+ * survive tab close — the opposite of what mobile's
+ * `expo-secure-store` does. Scheduled for removal in v1.4.x. A
+ * one-shot `console.warn` is emitted on the first `setItem` to make
+ * accidental usage greppable.
+ */
+export declare class LocalStorageAdapter implements AuthStorageAdapter {
+    getItem(key: string): string | null;
+    setItem(key: string, value: string): void;
+    removeItem(key: string): void;
+}
+/**
+ * Factory for the default storage used by `<MkAuthProvider>` when no
+ * `storage` prop is passed. Always returns a fresh `CookieStorageAdapter`
+ * so multiple providers in the same tree (different scopes) get their
+ * own adapter instances — cookies themselves are scoped by key name.
+ */
+export declare function getDefaultAuthStorage(): AuthStorageAdapter;
+//# sourceMappingURL=AuthStorageAdapter.d.ts.map

package/dist/auth/AuthStorageAdapter.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"AuthStorageAdapter.d.ts","sourceRoot":"","sources":["../../src/auth/AuthStorageAdapter.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA8BG;AAEH,OAAO,KAAK,EAAE,kBAAkB,EAAE,MAAM,SAAS,CAAC;AAKlD,MAAM,WAAW,2BAA2B;IACxC;;;;OAIG;IACH,MAAM,CAAC,EAAE,OAAO,CAAC;CACpB;AAED;;;;;GAKG;AACH,qBAAa,oBAAqB,YAAW,kBAAkB;IAC3D,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAU;gBAErB,IAAI,GAAE,2BAAgC;IAIlD,OAAO,CAAC,GAAG,EAAE,MAAM,GAAG,MAAM,GAAG,IAAI;IAkBnC,OAAO,CAAC,GAAG,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,GAAG,IAAI;IAOzC,UAAU,CAAC,GAAG,EAAE,MAAM,GAAG,IAAI;CAKhC;AAID;;;;;;;GAOG;AACH,qBAAa,mBAAoB,YAAW,kBAAkB;IAC1D,OAAO,CAAC,GAAG,EAAE,MAAM,GAAG,MAAM,GAAG,IAAI;IASnC,OAAO,CAAC,GAAG,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,GAAG,IAAI;IAUzC,UAAU,CAAC,GAAG,EAAE,MAAM,GAAG,IAAI;CAQhC;AAaD;;;;;GAKG;AACH,wBAAgB,qBAAqB,IAAI,kBAAkB,CAE1D"}

package/dist/auth/AuthStorageAdapter.js

@@ -0,0 +1,140 @@
+/**
+ * Storage adapters for `<MkAuthProvider>`.
+ *
+ * `AuthStorageAdapter` is the interface; `CookieStorageAdapter` is the
+ * default implementation; `LocalStorageAdapter` is an opt-in escape hatch
+ * kept for one release cycle and marked `@deprecated`.
+ *
+ * ## Why a Cookie default?
+ *
+ * Mobile (`@makroz/mobile`) already stores tokens in `expo-secure-store`
+ * (device keychain / Android Keystore). That is the secure pattern for
+ * tokens. Web never had an equivalent — the previous default wrote
+ * `access_token` and `refresh_token` into `localStorage`, where any
+ * XSS payload could exfiltrate them and where they survive tab close
+ * (extending the attack window). Switching the default to cookies
+ * aligns web with the mobile pattern; the migration story is in the
+ * package CHANGELOG.
+ *
+ * ## SSR safety
+ *
+ * Both adapters are no-ops when `document` / `window` are unavailable
+ * (server-side rendering). The provider should be hydrated client-side
+ * to pick up tokens — that has always been the case.
+ *
+ * ## Future GA work
+ *
+ * When the consumer migrates to `makroz/director-laravel` Sanctum v4
+ * cookie mode, the cookies will become `httpOnly` and the JS adapter
+ * will only manage a non-secret CSRF/read mirror. That sprint is
+ * out of scope here; this file only ships the adapter surface.
+ */
+const COOKIE_DEFAULTS = 'Path=/; SameSite=Lax';
+const COOKIE_MAX_AGE = 60 * 60 * 24 * 30; // 30 days
+/**
+ * Default storage adapter. Reads/writes browser cookies via
+ * `document.cookie`. Use this unless you have a specific reason to
+ * pin tokens in JavaScript-managed storage (and you almost certainly
+ * don't — that's the XSS risk this adapter exists to retire).
+ */
+export class CookieStorageAdapter {
+    constructor(opts = {}) {
+        var _a;
+        this.secure = (_a = opts.secure) !== null && _a !== void 0 ? _a : false;
+    }
+    getItem(key) {
+        if (typeof document === 'undefined' || !document.cookie)
+            return null;
+        const cookies = document.cookie.split('; ');
+        for (const cookie of cookies) {
+            const eq = cookie.indexOf('=');
+            if (eq === -1)
+                continue;
+            const name = cookie.slice(0, eq);
+            if (name !== key)
+                continue;
+            const raw = cookie.slice(eq + 1);
+            try {
+                return decodeURIComponent(raw);
+            }
+            catch (_a) {
+                return raw;
+            }
+        }
+        return null;
+    }
+    setItem(key, value) {
+        if (typeof document === 'undefined')
+            return;
+        const encoded = encodeURIComponent(value);
+        const flags = `${COOKIE_DEFAULTS}${this.secure ? '; Secure' : ''}`;
+        document.cookie = `${key}=${encoded}; Max-Age=${COOKIE_MAX_AGE}; ${flags}`;
+    }
+    removeItem(key) {
+        if (typeof document === 'undefined')
+            return;
+        const flags = `${COOKIE_DEFAULTS}${this.secure ? '; Secure' : ''}`;
+        document.cookie = `${key}=; Max-Age=0; ${flags}`;
+    }
+}
+let localStorageWarned = false;
+/**
+ * @deprecated Use `CookieStorageAdapter` instead. Persists tokens in
+ * `localStorage`, where any XSS payload can read them and where they
+ * survive tab close — the opposite of what mobile's
+ * `expo-secure-store` does. Scheduled for removal in v1.4.x. A
+ * one-shot `console.warn` is emitted on the first `setItem` to make
+ * accidental usage greppable.
+ */
+export class LocalStorageAdapter {
+    getItem(key) {
+        if (typeof window === 'undefined' || !window.localStorage)
+            return null;
+        try {
+            return window.localStorage.getItem(key);
+        }
+        catch (_a) {
+            return null;
+        }
+    }
+    setItem(key, value) {
+        warnOnce();
+        if (typeof window === 'undefined' || !window.localStorage)
+            return;
+        try {
+            window.localStorage.setItem(key, value);
+        }
+        catch (_a) {
+            /* quota / private mode — silent */
+        }
+    }
+    removeItem(key) {
+        if (typeof window === 'undefined' || !window.localStorage)
+            return;
+        try {
+            window.localStorage.removeItem(key);
+        }
+        catch (_a) {
+            /* silent */
+        }
+    }
+}
+function warnOnce() {
+    if (localStorageWarned)
+        return;
+    // eslint-disable-next-line no-console
+    console.warn('[mk-web] LocalStorageAdapter is deprecated. Tokens in localStorage are ' +
+        'reachable from any XSS payload. Migrate to CookieStorageAdapter ' +
+        '(browser-managed cookies) or a server-set httpOnly cookie.');
+    localStorageWarned = true;
+}
+/**
+ * Factory for the default storage used by `<MkAuthProvider>` when no
+ * `storage` prop is passed. Always returns a fresh `CookieStorageAdapter`
+ * so multiple providers in the same tree (different scopes) get their
+ * own adapter instances — cookies themselves are scoped by key name.
+ */
+export function getDefaultAuthStorage() {
+    return new CookieStorageAdapter();
+}
+//# sourceMappingURL=AuthStorageAdapter.js.map

package/dist/auth/AuthStorageAdapter.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"AuthStorageAdapter.js","sourceRoot":"","sources":["../../src/auth/AuthStorageAdapter.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA8BG;AAIH,MAAM,eAAe,GAAG,sBAAsB,CAAC;AAC/C,MAAM,cAAc,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,CAAC,CAAC,UAAU;AAWpD;;;;;GAKG;AACH,MAAM,OAAO,oBAAoB;IAG7B,YAAY,OAAoC,EAAE;;QAC9C,IAAI,CAAC,MAAM,GAAG,MAAA,IAAI,CAAC,MAAM,mCAAI,KAAK,CAAC;IACvC,CAAC;IAED,OAAO,CAAC,GAAW;QACf,IAAI,OAAO,QAAQ,KAAK,WAAW,IAAI,CAAC,QAAQ,CAAC,MAAM;YAAE,OAAO,IAAI,CAAC;QACrE,MAAM,OAAO,GAAG,QAAQ,CAAC,MAAM,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;QAC5C,KAAK,MAAM,MAAM,IAAI,OAAO,EAAE,CAAC;YAC3B,MAAM,EAAE,GAAG,MAAM,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;YAC/B,IAAI,EAAE,KAAK,CAAC,CAAC;gBAAE,SAAS;YACxB,MAAM,IAAI,GAAG,MAAM,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;YACjC,IAAI,IAAI,KAAK,GAAG;gBAAE,SAAS;YAC3B,MAAM,GAAG,GAAG,MAAM,CAAC,KAAK,CAAC,EAAE,GAAG,CAAC,CAAC,CAAC;YACjC,IAAI,CAAC;gBACD,OAAO,kBAAkB,CAAC,GAAG,CAAC,CAAC;YACnC,CAAC;YAAC,WAAM,CAAC;gBACL,OAAO,GAAG,CAAC;YACf,CAAC;QACL,CAAC;QACD,OAAO,IAAI,CAAC;IAChB,CAAC;IAED,OAAO,CAAC,GAAW,EAAE,KAAa;QAC9B,IAAI,OAAO,QAAQ,KAAK,WAAW;YAAE,OAAO;QAC5C,MAAM,OAAO,GAAG,kBAAkB,CAAC,KAAK,CAAC,CAAC;QAC1C,MAAM,KAAK,GAAG,GAAG,eAAe,GAAG,IAAI,CAAC,MAAM,CAAC,CAAC,CAAC,UAAU,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC;QACnE,QAAQ,CAAC,MAAM,GAAG,GAAG,GAAG,IAAI,OAAO,aAAa,cAAc,KAAK,KAAK,EAAE,CAAC;IAC/E,CAAC;IAED,UAAU,CAAC,GAAW;QAClB,IAAI,OAAO,QAAQ,KAAK,WAAW;YAAE,OAAO;QAC5C,MAAM,KAAK,GAAG,GAAG,eAAe,GAAG,IAAI,CAAC,MAAM,CAAC,CAAC,CAAC,UAAU,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC;QACnE,QAAQ,CAAC,MAAM,GAAG,GAAG,GAAG,iBAAiB,KAAK,EAAE,CAAC;IACrD,CAAC;CACJ;AAED,IAAI,kBAAkB,GAAG,KAAK,CAAC;AAE/B;;;;;;;GAOG;AACH,MAAM,OAAO,mBAAmB;IAC5B,OAAO,CAAC,GAAW;QACf,IAAI,OAAO,MAAM,KAAK,WAAW,IAAI,CAAC,MAAM,CAAC,YAAY;YAAE,OAAO,IAAI,CAAC;QACvE,IAAI,CAAC;YACD,OAAO,MAAM,CAAC,YAAY,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;QAC5C,CAAC;QAAC,WAAM,CAAC;YACL,OAAO,IAAI,CAAC;QAChB,CAAC;IACL,CAAC;IAED,OAAO,CAAC,GAAW,EAAE,KAAa;QAC9B,QAAQ,EAAE,CAAC;QACX,IAAI,OAAO,MAAM,KAAK,WAAW,IAAI,CAAC,MAAM,CAAC,YAAY;YAAE,OAAO;QAClE,IAAI,CAAC;YACD,MAAM,CAAC,YAAY,CAAC,OAAO,CAAC,GAAG,EAAE,KAAK,CAAC,CAAC;QAC5C,CAAC;QAAC,WAAM,CAAC;YACL,mCAAmC;QACvC,CAAC;IACL,CAAC;IAED,UAAU,CAAC,GAAW;QAClB,IAAI,OAAO,MAAM,KAAK,WAAW,IAAI,CAAC,MAAM,CAAC,YAAY;YAAE,OAAO;QAClE,IAAI,CAAC;YACD,MAAM,CAAC,YAAY,CAAC,UAAU,CAAC,GAAG,CAAC,CAAC;QACxC,CAAC;QAAC,WAAM,CAAC;YACL,YAAY;QAChB,CAAC;IACL,CAAC;CACJ;AAED,SAAS,QAAQ;IACb,IAAI,kBAAkB;QAAE,OAAO;IAC/B,sCAAsC;IACtC,OAAO,CAAC,IAAI,CACR,yEAAyE;QACzE,kEAAkE;QAClE,4DAA4D,CAC/D,CAAC;IACF,kBAAkB,GAAG,IAAI,CAAC;AAC9B,CAAC;AAED;;;;;GAKG;AACH,MAAM,UAAU,qBAAqB;IACjC,OAAO,IAAI,oBAAoB,EAAE,CAAC;AACtC,CAAC"}

package/dist/auth/MkAuthProvider.d.ts

@@ -11,8 +11,17 @@ export interface MkAuthProviderProps {
     /** Children wrapped by the provider. */
     children: ReactNode;
     /**
-     * Optional storage adapter. Defaults to `window.localStorage` when
-     * available. Tests pass an in-memory adapter.
+     * Storage adapter for tokens and the cached user.
+     *
+     * **Required since v1.3.0.** Default if omitted is
+     * `new CookieStorageAdapter()` — aligned with the mobile
+     * `expo-secure-store` pattern, immune to the XSS exfiltration
+     * window that `localStorage` opened. Tests pass an in-memory
+     * adapter; consumers with a specific need can pass
+     * `new LocalStorageAdapter()` (deprecated) or their own impl.
+     *
+     * @see CookieStorageAdapter
+     * @see LocalStorageAdapter
      */
     storage?: AuthStorageAdapter;
     /**

package/dist/auth/MkAuthProvider.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"MkAuthProvider.d.ts","sourceRoot":"","sources":["../../src/auth/MkAuthProvider.tsx"],"names":[],"mappings":"AAGA,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,OAAO,CAAC;AAUvC,OAAO,KAAK,EAER,kBAAkB,EAKrB,MAAM,SAAS,CAAC;AAmBjB,MAAM,WAAW,mBAAmB;IAChC,uEAAuE;IACvE,KAAK,EAAE,MAAM,CAAC;IACd;;;OAGG;IACH,UAAU,EAAE,MAAM,CAAC;IACnB,wCAAwC;IACxC,QAAQ,EAAE,SAAS,CAAC;IACpB;;;OAGG;IACH,OAAO,CAAC,EAAE,kBAAkB,CAAC;IAC7B;;;OAGG;IACH,OAAO,CAAC,EAAE,OAAO,KAAK,CAAC;CAC1B;AAgSD;;;;GAIG;AACH,wBAAgB,cAAc,CAAC,KAAK,EAAE,mBAAmB,GAAG,KAAK,CAAC,GAAG,CAAC,OAAO,CAkB5E"}
+{"version":3,"file":"MkAuthProvider.d.ts","sourceRoot":"","sources":["../../src/auth/MkAuthProvider.tsx"],"names":[],"mappings":"AAGA,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,OAAO,CAAC;AAUvC,OAAO,KAAK,EAER,kBAAkB,EAKrB,MAAM,SAAS,CAAC;AAWjB,MAAM,WAAW,mBAAmB;IAChC,uEAAuE;IACvE,KAAK,EAAE,MAAM,CAAC;IACd;;;OAGG;IACH,UAAU,EAAE,MAAM,CAAC;IACnB,wCAAwC;IACxC,QAAQ,EAAE,SAAS,CAAC;IACpB;;;;;;;;;;;;OAYG;IACH,OAAO,CAAC,EAAE,kBAAkB,CAAC;IAC7B;;;OAGG;IACH,OAAO,CAAC,EAAE,OAAO,KAAK,CAAC;CAC1B;AAsSD;;;;GAIG;AACH,wBAAgB,cAAc,CAAC,KAAK,EAAE,mBAAmB,GAAG,KAAK,CAAC,GAAG,CAAC,OAAO,CAkB5E"}