@memberjunction/auth-providers 0.0.1 → 5.17.0

package/.turbo/turbo-build.log

@@ -0,0 +1,4 @@
+
+> @memberjunction/auth-providers@5.17.0 build
+> tsc && tsc-alias -f
+

package/CHANGELOG.md

@@ -0,0 +1,18 @@
+# @memberjunction/auth-providers
+
+## 5.17.0
+
+### Patch Changes
+
+- Updated dependencies [9881045]
+  - @memberjunction/core@5.17.0
+  - @memberjunction/global@5.17.0
+
+## 5.16.0
+
+### Patch Changes
+
+- Updated dependencies [2387400]
+- Updated dependencies [11dba07]
+  - @memberjunction/core@5.16.0
+  - @memberjunction/global@5.16.0

package/dist/AuthProviderFactory.d.ts

@@ -0,0 +1,68 @@
+import { AuthProviderConfig } from '@memberjunction/core';
+import { IAuthProvider } from './IAuthProvider.js';
+import { BaseSingleton } from '@memberjunction/global';
+import './providers/Auth0Provider.js';
+import './providers/MSALProvider.js';
+import './providers/OktaProvider.js';
+import './providers/CognitoProvider.js';
+import './providers/GoogleProvider.js';
+/**
+ * Factory and registry for managing authentication providers
+ * Combines provider creation and lifecycle management in a single class
+ */
+export declare class AuthProviderFactory extends BaseSingleton<AuthProviderFactory> {
+    private providers;
+    private issuerCache;
+    private issuerMultiCache;
+    constructor();
+    /**
+     * Gets the singleton instance of the factory
+     */
+    static get Instance(): AuthProviderFactory;
+    /**
+     * Creates an authentication provider instance based on configuration
+     * Uses MJGlobal ClassFactory to instantiate the correct provider class
+     */
+    static createProvider(config: AuthProviderConfig): IAuthProvider;
+    /**
+     * Registers a new authentication provider
+     */
+    register(provider: IAuthProvider): void;
+    /**
+     * Gets a provider by its issuer URL
+     */
+    getByIssuer(issuer: string): IAuthProvider | undefined;
+    /**
+     * Gets all providers matching an issuer URL.
+     * Unlike getByIssuer() which returns only the first match, this returns
+     * all providers for a given issuer. This is needed when multiple apps
+     * (e.g. MJExplorer + MJCentral) share the same Auth0 domain but have
+     * different audiences (client IDs).
+     */
+    getAllByIssuer(issuer: string): IAuthProvider[];
+    /**
+     * Gets a provider by its name
+     */
+    getByName(name: string): IAuthProvider | undefined;
+    /**
+     * Gets all registered providers
+     */
+    getAllProviders(): IAuthProvider[];
+    /**
+     * Checks if any providers are registered
+     */
+    hasProviders(): boolean;
+    /**
+     * Clears all registered providers (useful for testing)
+     */
+    clear(): void;
+    /**
+     * Gets all registered provider types from the ClassFactory
+     */
+    static getRegisteredProviderTypes(): string[];
+    /**
+     * Checks if a provider type is registered
+     */
+    static isProviderTypeRegistered(type: string): boolean;
+}
+//# sourceMappingURL=AuthProviderFactory.d.ts.map

package/dist/AuthProviderFactory.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"AuthProviderFactory.d.ts","sourceRoot":"","sources":["../src/AuthProviderFactory.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,kBAAkB,EAAE,MAAM,sBAAsB,CAAC;AAC1D,OAAO,EAAE,aAAa,EAAE,MAAM,oBAAoB,CAAC;AAEnD,OAAO,EAAY,aAAa,EAAE,MAAM,wBAAwB,CAAC;AAGjE,OAAO,8BAA8B,CAAC;AACtC,OAAO,6BAA6B,CAAC;AACrC,OAAO,6BAA6B,CAAC;AACrC,OAAO,gCAAgC,CAAC;AACxC,OAAO,+BAA+B,CAAC;AAEvC;;;GAGG;AACH,qBAAa,mBAAoB,SAAQ,aAAa,CAAC,mBAAmB,CAAC;IACzE,OAAO,CAAC,SAAS,CAAyC;IAC1D,OAAO,CAAC,WAAW,CAAyC;IAC5D,OAAO,CAAC,gBAAgB,CAA2C;;IAMnE;;OAEG;IACH,WAAkB,QAAQ,IAAI,mBAAmB,CAEhD;IAED;;;OAGG;IACH,MAAM,CAAC,cAAc,CAAC,MAAM,EAAE,kBAAkB,GAAG,aAAa;IAsBhE;;OAEG;IACH,QAAQ,CAAC,QAAQ,EAAE,aAAa,GAAG,IAAI;IAcvC;;OAEG;IACH,WAAW,CAAC,MAAM,EAAE,MAAM,GAAG,aAAa,GAAG,SAAS;IAkBtD;;;;;;OAMG;IACH,cAAc,CAAC,MAAM,EAAE,MAAM,GAAG,aAAa,EAAE;IAoB/C;;OAEG;IACH,SAAS,CAAC,IAAI,EAAE,MAAM,GAAG,aAAa,GAAG,SAAS;IAIlD;;OAEG;IACH,eAAe,IAAI,aAAa,EAAE;IAIlC;;OAEG;IACH,YAAY,IAAI,OAAO;IAIvB;;OAEG;IACH,KAAK,IAAI,IAAI;IAMb;;OAEG;IACH,MAAM,CAAC,0BAA0B,IAAI,MAAM,EAAE;IAW7C;;OAEG;IACH,MAAM,CAAC,wBAAwB,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO;CASvD"}

package/dist/AuthProviderFactory.js

@@ -0,0 +1,153 @@
+import { BaseAuthProvider } from './BaseAuthProvider.js';
+import { MJGlobal, BaseSingleton } from '@memberjunction/global';
+// Import providers to ensure they're registered
+import './providers/Auth0Provider.js';
+import './providers/MSALProvider.js';
+import './providers/OktaProvider.js';
+import './providers/CognitoProvider.js';
+import './providers/GoogleProvider.js';
+/**
+ * Factory and registry for managing authentication providers
+ * Combines provider creation and lifecycle management in a single class
+ */
+export class AuthProviderFactory extends BaseSingleton {
+    constructor() {
+        super();
+        this.providers = new Map();
+        this.issuerCache = new Map();
+        this.issuerMultiCache = new Map();
+    }
+    /**
+     * Gets the singleton instance of the factory
+     */
+    static get Instance() {
+        return AuthProviderFactory.getInstance();
+    }
+    /**
+     * Creates an authentication provider instance based on configuration
+     * Uses MJGlobal ClassFactory to instantiate the correct provider class
+     */
+    static createProvider(config) {
+        try {
+            // Use MJGlobal ClassFactory to create the provider instance
+            // The provider type in config should match the key used in @RegisterClass
+            // The config is passed as a constructor parameter via the spread operator
+            const provider = MJGlobal.Instance.ClassFactory.CreateInstance(BaseAuthProvider, config.type.toLowerCase(), config);
+            if (!provider) {
+                throw new Error(`No provider registered for type: ${config.type}`);
+            }
+            return provider;
+        }
+        catch (error) {
+            const message = error instanceof Error ? error.message : String(error);
+            throw new Error(`Failed to create authentication provider for type '${config.type}': ${message}`);
+        }
+    }
+    /**
+     * Registers a new authentication provider
+     */
+    register(provider) {
+        if (!provider.validateConfig()) {
+            throw new Error(`Invalid configuration for provider: ${provider.name}`);
+        }
+        this.providers.set(provider.name, provider);
+        // Clear issuer caches when registering new provider
+        this.issuerCache.clear();
+        this.issuerMultiCache.clear();
+        console.log(`Registered auth provider: ${provider.name} with issuer: ${provider.issuer}`);
+    }
+    /**
+     * Gets a provider by its issuer URL
+     */
+    getByIssuer(issuer) {
+        // Check cache first
+        if (this.issuerCache.has(issuer)) {
+            return this.issuerCache.get(issuer);
+        }
+        // Search through providers
+        for (const provider of this.providers.values()) {
+            if (provider.matchesIssuer(issuer)) {
+                // Cache for future lookups
+                this.issuerCache.set(issuer, provider);
+                return provider;
+            }
+        }
+        return undefined;
+    }
+    /**
+     * Gets all providers matching an issuer URL.
+     * Unlike getByIssuer() which returns only the first match, this returns
+     * all providers for a given issuer. This is needed when multiple apps
+     * (e.g. MJExplorer + MJCentral) share the same Auth0 domain but have
+     * different audiences (client IDs).
+     */
+    getAllByIssuer(issuer) {
+        // Check multi-provider cache first
+        if (this.issuerMultiCache.has(issuer)) {
+            return this.issuerMultiCache.get(issuer);
+        }
+        const matches = [];
+        for (const provider of this.providers.values()) {
+            if (provider.matchesIssuer(issuer)) {
+                matches.push(provider);
+            }
+        }
+        if (matches.length > 0) {
+            this.issuerMultiCache.set(issuer, matches);
+        }
+        return matches;
+    }
+    /**
+     * Gets a provider by its name
+     */
+    getByName(name) {
+        return this.providers.get(name);
+    }
+    /**
+     * Gets all registered providers
+     */
+    getAllProviders() {
+        return Array.from(this.providers.values());
+    }
+    /**
+     * Checks if any providers are registered
+     */
+    hasProviders() {
+        return this.providers.size > 0;
+    }
+    /**
+     * Clears all registered providers (useful for testing)
+     */
+    clear() {
+        this.providers.clear();
+        this.issuerCache.clear();
+        this.issuerMultiCache.clear();
+    }
+    /**
+     * Gets all registered provider types from the ClassFactory
+     */
+    static getRegisteredProviderTypes() {
+        // Get all registrations for BaseAuthProvider from ClassFactory
+        const registrations = MJGlobal.Instance.ClassFactory.GetAllRegistrations(BaseAuthProvider);
+        // Extract unique keys (provider types) from registrations
+        const providerTypes = registrations
+            .map(reg => reg.Key)
+            .filter((key) => key !== null && key !== undefined);
+        // Return unique provider types
+        return Array.from(new Set(providerTypes));
+    }
+    /**
+     * Checks if a provider type is registered
+     */
+    static isProviderTypeRegistered(type) {
+        try {
+            // Try to get the registration for this specific type
+            const registration = MJGlobal.Instance.ClassFactory.GetRegistration(BaseAuthProvider, type.toLowerCase());
+            return registration !== null && registration !== undefined;
+        }
+        catch {
+            return false;
+        }
+    }
+}
+//# sourceMappingURL=AuthProviderFactory.js.map

package/dist/AuthProviderFactory.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"AuthProviderFactory.js","sourceRoot":"","sources":["../src/AuthProviderFactory.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,gBAAgB,EAAE,MAAM,uBAAuB,CAAC;AACzD,OAAO,EAAE,QAAQ,EAAE,aAAa,EAAE,MAAM,wBAAwB,CAAC;AAEjE,gDAAgD;AAChD,OAAO,8BAA8B,CAAC;AACtC,OAAO,6BAA6B,CAAC;AACrC,OAAO,6BAA6B,CAAC;AACrC,OAAO,gCAAgC,CAAC;AACxC,OAAO,+BAA+B,CAAC;AAEvC;;;GAGG;AACH,MAAM,OAAO,mBAAoB,SAAQ,aAAkC;IAKzE;QACE,KAAK,EAAE,CAAC;QALF,cAAS,GAA+B,IAAI,GAAG,EAAE,CAAC;QAClD,gBAAW,GAA+B,IAAI,GAAG,EAAE,CAAC;QACpD,qBAAgB,GAAiC,IAAI,GAAG,EAAE,CAAC;IAInE,CAAC;IAED;;OAEG;IACI,MAAM,KAAK,QAAQ;QACxB,OAAO,mBAAmB,CAAC,WAAW,EAAuB,CAAC;IAChE,CAAC;IAED;;;OAGG;IACH,MAAM,CAAC,cAAc,CAAC,MAA0B;QAC9C,IAAI,CAAC;YACH,4DAA4D;YAC5D,0EAA0E;YAC1E,0EAA0E;YAC1E,MAAM,QAAQ,GAAG,QAAQ,CAAC,QAAQ,CAAC,YAAY,CAAC,cAAc,CAC5D,gBAAgB,EAChB,MAAM,CAAC,IAAI,CAAC,WAAW,EAAE,EACzB,MAAM,CACP,CAAC;YAEF,IAAI,CAAC,QAAQ,EAAE,CAAC;gBACd,MAAM,IAAI,KAAK,CAAC,oCAAoC,MAAM,CAAC,IAAI,EAAE,CAAC,CAAC;YACrE,CAAC;YAED,OAAO,QAAQ,CAAC;QAClB,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,MAAM,OAAO,GAAG,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;YACvE,MAAM,IAAI,KAAK,CAAC,sDAAsD,MAAM,CAAC,IAAI,MAAM,OAAO,EAAE,CAAC,CAAC;QACpG,CAAC;IACH,CAAC;IAED;;OAEG;IACH,QAAQ,CAAC,QAAuB;QAC9B,IAAI,CAAC,QAAQ,CAAC,cAAc,EAAE,EAAE,CAAC;YAC/B,MAAM,IAAI,KAAK,CAAC,uCAAuC,QAAQ,CAAC,IAAI,EAAE,CAAC,CAAC;QAC1E,CAAC;QAED,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,QAAQ,CAAC,IAAI,EAAE,QAAQ,CAAC,CAAC;QAE5C,oDAAoD;QACpD,IAAI,CAAC,WAAW,CAAC,KAAK,EAAE,CAAC;QACzB,IAAI,CAAC,gBAAgB,CAAC,KAAK,EAAE,CAAC;QAE9B,OAAO,CAAC,GAAG,CAAC,6BAA6B,QAAQ,CAAC,IAAI,iBAAiB,QAAQ,CAAC,MAAM,EAAE,CAAC,CAAC;IAC5F,CAAC;IAED;;OAEG;IACH,WAAW,CAAC,MAAc;QACxB,oBAAoB;QACpB,IAAI,IAAI,CAAC,WAAW,CAAC,GAAG,CAAC,MAAM,CAAC,EAAE,CAAC;YACjC,OAAO,IAAI,CAAC,WAAW,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;QACtC,CAAC;QAED,2BAA2B;QAC3B,KAAK,MAAM,QAAQ,IAAI,IAAI,CAAC,SAAS,CAAC,MAAM,EAAE,EAAE,CAAC;YAC/C,IAAI,QAAQ,CAAC,aAAa,CAAC,MAAM,CAAC,EAAE,CAAC;gBACnC,2BAA2B;gBAC3B,IAAI,CAAC,WAAW,CAAC,GAAG,CAAC,MAAM,EAAE,QAAQ,CAAC,CAAC;gBACvC,OAAO,QAAQ,CAAC;YAClB,CAAC;QACH,CAAC;QAED,OAAO,SAAS,CAAC;IACnB,CAAC;IAED;;;;;;OAMG;IACH,cAAc,CAAC,MAAc;QAC3B,mCAAmC;QACnC,IAAI,IAAI,CAAC,gBAAgB,CAAC,GAAG,CAAC,MAAM,CAAC,EAAE,CAAC;YACtC,OAAO,IAAI,CAAC,gBAAgB,CAAC,GAAG,CAAC,MAAM,CAAE,CAAC;QAC5C,CAAC;QAED,MAAM,OAAO,GAAoB,EAAE,CAAC;QACpC,KAAK,MAAM,QAAQ,IAAI,IAAI,CAAC,SAAS,CAAC,MAAM,EAAE,EAAE,CAAC;YAC/C,IAAI,QAAQ,CAAC,aAAa,CAAC,MAAM,CAAC,EAAE,CAAC;gBACnC,OAAO,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;YACzB,CAAC;QACH,CAAC;QAED,IAAI,OAAO,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YACvB,IAAI,CAAC,gBAAgB,CAAC,GAAG,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;QAC7C,CAAC;QAED,OAAO,OAAO,CAAC;IACjB,CAAC;IAED;;OAEG;IACH,SAAS,CAAC,IAAY;QACpB,OAAO,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;IAClC,CAAC;IAED;;OAEG;IACH,eAAe;QACb,OAAO,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,SAAS,CAAC,MAAM,EAAE,CAAC,CAAC;IAC7C,CAAC;IAED;;OAEG;IACH,YAAY;QACV,OAAO,IAAI,CAAC,SAAS,CAAC,IAAI,GAAG,CAAC,CAAC;IACjC,CAAC;IAED;;OAEG;IACH,KAAK;QACH,IAAI,CAAC,SAAS,CAAC,KAAK,EAAE,CAAC;QACvB,IAAI,CAAC,WAAW,CAAC,KAAK,EAAE,CAAC;QACzB,IAAI,CAAC,gBAAgB,CAAC,KAAK,EAAE,CAAC;IAChC,CAAC;IAED;;OAEG;IACH,MAAM,CAAC,0BAA0B;QAC/B,+DAA+D;QAC/D,MAAM,aAAa,GAAG,QAAQ,CAAC,QAAQ,CAAC,YAAY,CAAC,mBAAmB,CAAC,gBAAgB,CAAC,CAAC;QAC3F,0DAA0D;QAC1D,MAAM,aAAa,GAAG,aAAa;aAChC,GAAG,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,CAAC,GAAG,CAAC;aACnB,MAAM,CAAC,CAAC,GAAG,EAAiB,EAAE,CAAC,GAAG,KAAK,IAAI,IAAI,GAAG,KAAK,SAAS,CAAC,CAAC;QACrE,+BAA+B;QAC/B,OAAO,KAAK,CAAC,IAAI,CAAC,IAAI,GAAG,CAAC,aAAa,CAAC,CAAC,CAAC;IAC5C,CAAC;IAED;;OAEG;IACH,MAAM,CAAC,wBAAwB,CAAC,IAAY;QAC1C,IAAI,CAAC;YACH,qDAAqD;YACrD,MAAM,YAAY,GAAG,QAAQ,CAAC,QAAQ,CAAC,YAAY,CAAC,eAAe,CAAC,gBAAgB,EAAE,IAAI,CAAC,WAAW,EAAE,CAAC,CAAC;YAC1G,OAAO,YAAY,KAAK,IAAI,IAAI,YAAY,KAAK,SAAS,CAAC;QAC7D,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,KAAK,CAAC;QACf,CAAC;IACH,CAAC;CACF"}

package/dist/BaseAuthProvider.d.ts

@@ -0,0 +1,41 @@
+import { JwtHeader, JwtPayload, SigningKeyCallback } from 'jsonwebtoken';
+import jwksClient from 'jwks-rsa';
+import { AuthProviderConfig, AuthUserInfo } from '@memberjunction/core';
+import { IAuthProvider } from './IAuthProvider.js';
+/**
+ * Base implementation of IAuthProvider with common functionality
+ * Concrete providers should extend this class and use @RegisterClass decorator
+ * with BaseAuthProvider as the base class
+ */
+export declare abstract class BaseAuthProvider implements IAuthProvider {
+    name: string;
+    issuer: string;
+    audience: string;
+    jwksUri: string;
+    /** OAuth client ID for this provider (used by OAuth proxy for upstream auth) */
+    clientId?: string;
+    protected config: AuthProviderConfig;
+    protected jwksClient: jwksClient.JwksClient;
+    constructor(config: AuthProviderConfig);
+    /**
+     * Validates that required configuration is present
+     */
+    validateConfig(): boolean;
+    /**
+     * Gets the signing key for token verification with retry logic
+     */
+    getSigningKey(header: JwtHeader, callback: SigningKeyCallback): void;
+    /**
+     * Retrieves signing key with exponential backoff retry logic
+     */
+    private getSigningKeyWithRetry;
+    /**
+     * Checks if a given issuer URL belongs to this provider
+     */
+    matchesIssuer(issuer: string): boolean;
+    /**
+     * Abstract method for extracting user info - must be implemented by each provider
+     */
+    abstract extractUserInfo(payload: JwtPayload): AuthUserInfo;
+}
+//# sourceMappingURL=BaseAuthProvider.d.ts.map

package/dist/BaseAuthProvider.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"BaseAuthProvider.d.ts","sourceRoot":"","sources":["../src/BaseAuthProvider.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,SAAS,EAAE,UAAU,EAAE,kBAAkB,EAAE,MAAM,cAAc,CAAC;AACzE,OAAO,UAAU,MAAM,UAAU,CAAC;AAClC,OAAO,EAAE,kBAAkB,EAAE,YAAY,EAAE,MAAM,sBAAsB,CAAC;AACxE,OAAO,EAAE,aAAa,EAAE,MAAM,oBAAoB,CAAC;AAInD;;;;GAIG;AACH,8BAAsB,gBAAiB,YAAW,aAAa;IAC7D,IAAI,EAAE,MAAM,CAAC;IACb,MAAM,EAAE,MAAM,CAAC;IACf,QAAQ,EAAE,MAAM,CAAC;IACjB,OAAO,EAAE,MAAM,CAAC;IAChB,gFAAgF;IAChF,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,SAAS,CAAC,MAAM,EAAE,kBAAkB,CAAC;IACrC,SAAS,CAAC,UAAU,EAAE,UAAU,CAAC,UAAU,CAAC;gBAEhC,MAAM,EAAE,kBAAkB;IAoCtC;;OAEG;IACH,cAAc,IAAI,OAAO;IAIzB;;OAEG;IACH,aAAa,CAAC,MAAM,EAAE,SAAS,EAAE,QAAQ,EAAE,kBAAkB,GAAG,IAAI;IAYpE;;OAEG;YACW,sBAAsB;IAuCpC;;OAEG;IACH,aAAa,CAAC,MAAM,EAAE,MAAM,GAAG,OAAO;IAOtC;;OAEG;IACH,QAAQ,CAAC,eAAe,CAAC,OAAO,EAAE,UAAU,GAAG,YAAY;CAC5D"}

package/dist/BaseAuthProvider.js

@@ -0,0 +1,102 @@
+import jwksClient from 'jwks-rsa';
+import https from 'https';
+import http from 'http';
+/**
+ * Base implementation of IAuthProvider with common functionality
+ * Concrete providers should extend this class and use @RegisterClass decorator
+ * with BaseAuthProvider as the base class
+ */
+export class BaseAuthProvider {
+    constructor(config) {
+        this.config = config;
+        this.name = config.name;
+        this.issuer = config.issuer;
+        this.audience = config.audience;
+        this.jwksUri = config.jwksUri;
+        this.clientId = config.clientId;
+        // Create HTTP agent with keep-alive to prevent socket hangups
+        const agent = this.jwksUri.startsWith('https')
+            ? new https.Agent({
+                keepAlive: true,
+                keepAliveMsecs: 30000,
+                maxSockets: 50,
+                maxFreeSockets: 10,
+                timeout: 60000
+            })
+            : new http.Agent({
+                keepAlive: true,
+                keepAliveMsecs: 30000,
+                maxSockets: 50,
+                maxFreeSockets: 10,
+                timeout: 60000
+            });
+        // Initialize JWKS client with connection pooling and extended timeout
+        this.jwksClient = jwksClient({
+            jwksUri: this.jwksUri,
+            cache: true,
+            cacheMaxEntries: 5,
+            cacheMaxAge: 600000, // 10 minutes
+            timeout: 60000, // 60 seconds (increased from default 30s)
+            requestAgent: agent
+        });
+    }
+    /**
+     * Validates that required configuration is present
+     */
+    validateConfig() {
+        return !!(this.name && this.issuer && this.audience && this.jwksUri);
+    }
+    /**
+     * Gets the signing key for token verification with retry logic
+     */
+    getSigningKey(header, callback) {
+        this.getSigningKeyWithRetry(header, 3, 1000)
+            .then((key) => {
+            const signingKey = 'publicKey' in key ? key.publicKey : key.rsaPublicKey;
+            callback(null, signingKey);
+        })
+            .catch((err) => {
+            console.error(`Error getting signing key for provider ${this.name} after retries:`, err);
+            callback(err);
+        });
+    }
+    /**
+     * Retrieves signing key with exponential backoff retry logic
+     */
+    async getSigningKeyWithRetry(header, maxRetries, initialDelayMs) {
+        let lastError;
+        for (let attempt = 0; attempt <= maxRetries; attempt++) {
+            try {
+                return await this.jwksClient.getSigningKey(header.kid);
+            }
+            catch (err) {
+                lastError = err instanceof Error ? err : new Error(String(err));
+                // Check if this is a connection error that's worth retrying
+                const isRetryableError = lastError.message.includes('socket hang up') ||
+                    lastError.message.includes('ECONNRESET') ||
+                    lastError.message.includes('ETIMEDOUT') ||
+                    lastError.message.includes('ENOTFOUND') ||
+                    lastError.message.includes('EAI_AGAIN');
+                if (!isRetryableError || attempt === maxRetries) {
+                    throw lastError;
+                }
+                // Exponential backoff: wait longer between each retry
+                const delayMs = initialDelayMs * Math.pow(2, attempt);
+                console.warn(`Attempt ${attempt + 1}/${maxRetries + 1} failed for provider ${this.name}. ` +
+                    `Retrying in ${delayMs}ms... Error: ${lastError.message}`);
+                await new Promise(resolve => setTimeout(resolve, delayMs));
+            }
+        }
+        throw lastError || new Error('Failed to retrieve signing key');
+    }
+    /**
+     * Checks if a given issuer URL belongs to this provider
+     */
+    matchesIssuer(issuer) {
+        // Handle trailing slashes and case sensitivity
+        const normalizedIssuer = issuer.toLowerCase().replace(/\/$/, '');
+        const normalizedProviderIssuer = this.issuer.toLowerCase().replace(/\/$/, '');
+        return normalizedIssuer === normalizedProviderIssuer;
+    }
+}
+//# sourceMappingURL=BaseAuthProvider.js.map

package/dist/BaseAuthProvider.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"BaseAuthProvider.js","sourceRoot":"","sources":["../src/BaseAuthProvider.ts"],"names":[],"mappings":"AACA,OAAO,UAAU,MAAM,UAAU,CAAC;AAGlC,OAAO,KAAK,MAAM,OAAO,CAAC;AAC1B,OAAO,IAAI,MAAM,MAAM,CAAC;AAExB;;;;GAIG;AACH,MAAM,OAAgB,gBAAgB;IAUpC,YAAY,MAA0B;QACpC,IAAI,CAAC,MAAM,GAAG,MAAM,CAAC;QACrB,IAAI,CAAC,IAAI,GAAG,MAAM,CAAC,IAAI,CAAC;QACxB,IAAI,CAAC,MAAM,GAAG,MAAM,CAAC,MAAM,CAAC;QAC5B,IAAI,CAAC,QAAQ,GAAG,MAAM,CAAC,QAAQ,CAAC;QAChC,IAAI,CAAC,OAAO,GAAG,MAAM,CAAC,OAAO,CAAC;QAC9B,IAAI,CAAC,QAAQ,GAAG,MAAM,CAAC,QAAQ,CAAC;QAEhC,8DAA8D;QAC9D,MAAM,KAAK,GAAG,IAAI,CAAC,OAAO,CAAC,UAAU,CAAC,OAAO,CAAC;YAC5C,CAAC,CAAC,IAAI,KAAK,CAAC,KAAK,CAAC;gBACd,SAAS,EAAE,IAAI;gBACf,cAAc,EAAE,KAAK;gBACrB,UAAU,EAAE,EAAE;gBACd,cAAc,EAAE,EAAE;gBAClB,OAAO,EAAE,KAAK;aACf,CAAC;YACJ,CAAC,CAAC,IAAI,IAAI,CAAC,KAAK,CAAC;gBACb,SAAS,EAAE,IAAI;gBACf,cAAc,EAAE,KAAK;gBACrB,UAAU,EAAE,EAAE;gBACd,cAAc,EAAE,EAAE;gBAClB,OAAO,EAAE,KAAK;aACf,CAAC,CAAC;QAEP,sEAAsE;QACtE,IAAI,CAAC,UAAU,GAAG,UAAU,CAAC;YAC3B,OAAO,EAAE,IAAI,CAAC,OAAO;YACrB,KAAK,EAAE,IAAI;YACX,eAAe,EAAE,CAAC;YAClB,WAAW,EAAE,MAAM,EAAE,aAAa;YAClC,OAAO,EAAE,KAAK,EAAE,0CAA0C;YAC1D,YAAY,EAAE,KAAK;SACpB,CAAC,CAAC;IACL,CAAC;IAED;;OAEG;IACH,cAAc;QACZ,OAAO,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,IAAI,IAAI,CAAC,MAAM,IAAI,IAAI,CAAC,QAAQ,IAAI,IAAI,CAAC,OAAO,CAAC,CAAC;IACvE,CAAC;IAED;;OAEG;IACH,aAAa,CAAC,MAAiB,EAAE,QAA4B;QAC3D,IAAI,CAAC,sBAAsB,CAAC,MAAM,EAAE,CAAC,EAAE,IAAI,CAAC;aACzC,IAAI,CAAC,CAAC,GAAG,EAAE,EAAE;YACZ,MAAM,UAAU,GAAG,WAAW,IAAI,GAAG,CAAC,CAAC,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC,CAAC,GAAG,CAAC,YAAY,CAAC;YACzE,QAAQ,CAAC,IAAI,EAAE,UAAU,CAAC,CAAC;QAC7B,CAAC,CAAC;aACD,KAAK,CAAC,CAAC,GAAG,EAAE,EAAE;YACb,OAAO,CAAC,KAAK,CAAC,0CAA0C,IAAI,CAAC,IAAI,iBAAiB,EAAE,GAAG,CAAC,CAAC;YACzF,QAAQ,CAAC,GAAG,CAAC,CAAC;QAChB,CAAC,CAAC,CAAC;IACP,CAAC;IAED;;OAEG;IACK,KAAK,CAAC,sBAAsB,CAClC,MAAiB,EACjB,UAAkB,EAClB,cAAsB;QAEtB,IAAI,SAA4B,CAAC;QAEjC,KAAK,IAAI,OAAO,GAAG,CAAC,EAAE,OAAO,IAAI,UAAU,EAAE,OAAO,EAAE,EAAE,CAAC;YACvD,IAAI,CAAC;gBACH,OAAO,MAAM,IAAI,CAAC,UAAU,CAAC,aAAa,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;YACzD,CAAC;YAAC,OAAO,GAAG,EAAE,CAAC;gBACb,SAAS,GAAG,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,IAAI,KAAK,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC;gBAEhE,4DAA4D;gBAC5D,MAAM,gBAAgB,GACpB,SAAS,CAAC,OAAO,CAAC,QAAQ,CAAC,gBAAgB,CAAC;oBAC5C,SAAS,CAAC,OAAO,CAAC,QAAQ,CAAC,YAAY,CAAC;oBACxC,SAAS,CAAC,OAAO,CAAC,QAAQ,CAAC,WAAW,CAAC;oBACvC,SAAS,CAAC,OAAO,CAAC,QAAQ,CAAC,WAAW,CAAC;oBACvC,SAAS,CAAC,OAAO,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAC;gBAE1C,IAAI,CAAC,gBAAgB,IAAI,OAAO,KAAK,UAAU,EAAE,CAAC;oBAChD,MAAM,SAAS,CAAC;gBAClB,CAAC;gBAED,sDAAsD;gBACtD,MAAM,OAAO,GAAG,cAAc,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,OAAO,CAAC,CAAC;gBACtD,OAAO,CAAC,IAAI,CACV,WAAW,OAAO,GAAG,CAAC,IAAI,UAAU,GAAG,CAAC,wBAAwB,IAAI,CAAC,IAAI,IAAI;oBAC7E,eAAe,OAAO,gBAAgB,SAAS,CAAC,OAAO,EAAE,CAC1D,CAAC;gBAEF,MAAM,IAAI,OAAO,CAAC,OAAO,CAAC,EAAE,CAAC,UAAU,CAAC,OAAO,EAAE,OAAO,CAAC,CAAC,CAAC;YAC7D,CAAC;QACH,CAAC;QAED,MAAM,SAAS,IAAI,IAAI,KAAK,CAAC,gCAAgC,CAAC,CAAC;IACjE,CAAC;IAED;;OAEG;IACH,aAAa,CAAC,MAAc;QAC1B,+CAA+C;QAC/C,MAAM,gBAAgB,GAAG,MAAM,CAAC,WAAW,EAAE,CAAC,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC;QACjE,MAAM,wBAAwB,GAAG,IAAI,CAAC,MAAM,CAAC,WAAW,EAAE,CAAC,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC;QAC9E,OAAO,gBAAgB,KAAK,wBAAwB,CAAC;IACvD,CAAC;CAMF"}

package/dist/IAuthProvider.d.ts

@@ -0,0 +1,46 @@
+import { JwtHeader, JwtPayload, SigningKeyCallback } from 'jsonwebtoken';
+import { AuthUserInfo } from '@memberjunction/core';
+/**
+ * Interface for authentication providers in MemberJunction
+ * Enables support for any OAuth 2.0/OIDC compliant provider
+ */
+export interface IAuthProvider {
+    /**
+     * Unique name identifier for this provider
+     */
+    name: string;
+    /**
+     * The issuer URL for this provider (must match the 'iss' claim in tokens)
+     */
+    issuer: string;
+    /**
+     * The expected audience for tokens from this provider
+     */
+    audience: string;
+    /**
+     * The JWKS endpoint URL for retrieving signing keys
+     */
+    jwksUri: string;
+    /**
+     * OAuth client ID for this provider (optional, used by OAuth proxy for upstream authentication)
+     */
+    clientId?: string;
+    /**
+     * Validates that the provider configuration is complete and valid
+     */
+    validateConfig(): boolean;
+    /**
+     * Gets the signing key for token verification
+     */
+    getSigningKey(header: JwtHeader, callback: SigningKeyCallback): void;
+    /**
+     * Extracts user information from the JWT payload
+     * Different providers use different claim names
+     */
+    extractUserInfo(payload: JwtPayload): AuthUserInfo;
+    /**
+     * Checks if a given issuer URL belongs to this provider
+     */
+    matchesIssuer(issuer: string): boolean;
+}
+//# sourceMappingURL=IAuthProvider.d.ts.map

package/dist/IAuthProvider.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"IAuthProvider.d.ts","sourceRoot":"","sources":["../src/IAuthProvider.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,SAAS,EAAE,UAAU,EAAE,kBAAkB,EAAE,MAAM,cAAc,CAAC;AACzE,OAAO,EAAsB,YAAY,EAAE,MAAM,sBAAsB,CAAC;AAExE;;;GAGG;AACH,MAAM,WAAW,aAAa;IAC5B;;OAEG;IACH,IAAI,EAAE,MAAM,CAAC;IAEb;;OAEG;IACH,MAAM,EAAE,MAAM,CAAC;IAEf;;OAEG;IACH,QAAQ,EAAE,MAAM,CAAC;IAEjB;;OAEG;IACH,OAAO,EAAE,MAAM,CAAC;IAEhB;;OAEG;IACH,QAAQ,CAAC,EAAE,MAAM,CAAC;IAElB;;OAEG;IACH,cAAc,IAAI,OAAO,CAAC;IAE1B;;OAEG;IACH,aAAa,CAAC,MAAM,EAAE,SAAS,EAAE,QAAQ,EAAE,kBAAkB,GAAG,IAAI,CAAC;IAErE;;;OAGG;IACH,eAAe,CAAC,OAAO,EAAE,UAAU,GAAG,YAAY,CAAC;IAEnD;;OAEG;IACH,aAAa,CAAC,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC;CACxC"}

package/dist/IAuthProvider.js

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=IAuthProvider.js.map

package/dist/IAuthProvider.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"IAuthProvider.js","sourceRoot":"","sources":["../src/IAuthProvider.ts"],"names":[],"mappings":""}

package/dist/index.d.ts

@@ -0,0 +1,6 @@
+export { IAuthProvider } from './IAuthProvider.js';
+export { BaseAuthProvider } from './BaseAuthProvider.js';
+export { AuthProviderFactory } from './AuthProviderFactory.js';
+export { TokenExpiredError } from './tokenExpiredError.js';
+export type { AuthProviderConfig, AuthUserInfo } from '@memberjunction/core';
+//# sourceMappingURL=index.d.ts.map

package/dist/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,aAAa,EAAE,MAAM,oBAAoB,CAAC;AACnD,OAAO,EAAE,gBAAgB,EAAE,MAAM,uBAAuB,CAAC;AACzD,OAAO,EAAE,mBAAmB,EAAE,MAAM,0BAA0B,CAAC;AAC/D,OAAO,EAAE,iBAAiB,EAAE,MAAM,wBAAwB,CAAC;AAG3D,YAAY,EAAE,kBAAkB,EAAE,YAAY,EAAE,MAAM,sBAAsB,CAAC"}

package/dist/index.js

@@ -0,0 +1,4 @@
+export { BaseAuthProvider } from './BaseAuthProvider.js';
+export { AuthProviderFactory } from './AuthProviderFactory.js';
+export { TokenExpiredError } from './tokenExpiredError.js';
+//# sourceMappingURL=index.js.map

package/dist/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,gBAAgB,EAAE,MAAM,uBAAuB,CAAC;AACzD,OAAO,EAAE,mBAAmB,EAAE,MAAM,0BAA0B,CAAC;AAC/D,OAAO,EAAE,iBAAiB,EAAE,MAAM,wBAAwB,CAAC"}

package/dist/providers/Auth0Provider.d.ts

@@ -0,0 +1,18 @@
+import { JwtPayload } from 'jsonwebtoken';
+import { AuthProviderConfig, AuthUserInfo } from '@memberjunction/core';
+import { BaseAuthProvider } from '../BaseAuthProvider.js';
+/**
+ * Auth0 authentication provider implementation
+ */
+export declare class Auth0Provider extends BaseAuthProvider {
+    constructor(config: AuthProviderConfig);
+    /**
+     * Extracts user information from Auth0 JWT payload
+     */
+    extractUserInfo(payload: JwtPayload): AuthUserInfo;
+    /**
+     * Validates Auth0-specific configuration
+     */
+    validateConfig(): boolean;
+}
+//# sourceMappingURL=Auth0Provider.d.ts.map

package/dist/providers/Auth0Provider.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"Auth0Provider.d.ts","sourceRoot":"","sources":["../../src/providers/Auth0Provider.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,UAAU,EAAE,MAAM,cAAc,CAAC;AAE1C,OAAO,EAAE,kBAAkB,EAAE,YAAY,EAAE,MAAM,sBAAsB,CAAC;AACxE,OAAO,EAAE,gBAAgB,EAAE,MAAM,wBAAwB,CAAC;AAE1D;;GAEG;AACH,qBACa,aAAc,SAAQ,gBAAgB;gBACrC,MAAM,EAAE,kBAAkB;IAItC;;OAEG;IACH,eAAe,CAAC,OAAO,EAAE,UAAU,GAAG,YAAY;IAiBlD;;OAEG;IACH,cAAc,IAAI,OAAO;CAO1B"}

package/dist/providers/Auth0Provider.js

@@ -0,0 +1,52 @@
+var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) {
+    var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+    if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+    else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+    return c > 3 && r && Object.defineProperty(target, key, r), r;
+};
+var __metadata = (this && this.__metadata) || function (k, v) {
+    if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
+};
+import { RegisterClass } from '@memberjunction/global';
+import { BaseAuthProvider } from '../BaseAuthProvider.js';
+/**
+ * Auth0 authentication provider implementation
+ */
+let Auth0Provider = class Auth0Provider extends BaseAuthProvider {
+    constructor(config) {
+        super(config);
+    }
+    /**
+     * Extracts user information from Auth0 JWT payload
+     */
+    extractUserInfo(payload) {
+        // Auth0 uses standard OIDC claims
+        const email = payload.email;
+        const fullName = payload.name;
+        const firstName = payload.given_name;
+        const lastName = payload.family_name;
+        const preferredUsername = payload.preferred_username || email;
+        return {
+            email,
+            firstName: firstName || fullName?.split(' ')[0],
+            lastName: lastName || fullName?.split(' ')[1] || fullName?.split(' ')[0],
+            fullName,
+            preferredUsername
+        };
+    }
+    /**
+     * Validates Auth0-specific configuration
+     */
+    validateConfig() {
+        const baseValid = super.validateConfig();
+        const hasClientId = !!this.config.clientId;
+        const hasDomain = !!this.config.domain;
+        return baseValid && hasClientId && hasDomain;
+    }
+};
+Auth0Provider = __decorate([
+    RegisterClass(BaseAuthProvider, 'auth0'),
+    __metadata("design:paramtypes", [Object])
+], Auth0Provider);
+export { Auth0Provider };
+//# sourceMappingURL=Auth0Provider.js.map

package/dist/providers/Auth0Provider.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"Auth0Provider.js","sourceRoot":"","sources":["../../src/providers/Auth0Provider.ts"],"names":[],"mappings":";;;;;;;;;AACA,OAAO,EAAE,aAAa,EAAE,MAAM,wBAAwB,CAAC;AAEvD,OAAO,EAAE,gBAAgB,EAAE,MAAM,wBAAwB,CAAC;AAE1D;;GAEG;AAEI,IAAM,aAAa,GAAnB,MAAM,aAAc,SAAQ,gBAAgB;IACjD,YAAY,MAA0B;QACpC,KAAK,CAAC,MAAM,CAAC,CAAC;IAChB,CAAC;IAED;;OAEG;IACH,eAAe,CAAC,OAAmB;QACjC,kCAAkC;QAClC,MAAM,KAAK,GAAG,OAAO,CAAC,KAA2B,CAAC;QAClD,MAAM,QAAQ,GAAG,OAAO,CAAC,IAA0B,CAAC;QACpD,MAAM,SAAS,GAAG,OAAO,CAAC,UAAgC,CAAC;QAC3D,MAAM,QAAQ,GAAG,OAAO,CAAC,WAAiC,CAAC;QAC3D,MAAM,iBAAiB,GAAG,OAAO,CAAC,kBAAwC,IAAI,KAAK,CAAC;QAEpF,OAAO;YACL,KAAK;YACL,SAAS,EAAE,SAAS,IAAI,QAAQ,EAAE,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC;YAC/C,QAAQ,EAAE,QAAQ,IAAI,QAAQ,EAAE,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,IAAI,QAAQ,EAAE,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC;YACxE,QAAQ;YACR,iBAAiB;SAClB,CAAC;IACJ,CAAC;IAED;;OAEG;IACH,cAAc;QACZ,MAAM,SAAS,GAAG,KAAK,CAAC,cAAc,EAAE,CAAC;QACzC,MAAM,WAAW,GAAG,CAAC,CAAC,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC;QAC3C,MAAM,SAAS,GAAG,CAAC,CAAC,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC;QAEvC,OAAO,SAAS,IAAI,WAAW,IAAI,SAAS,CAAC;IAC/C,CAAC;CACF,CAAA;AAnCY,aAAa;IADzB,aAAa,CAAC,gBAAgB,EAAE,OAAO,CAAC;;GAC5B,aAAa,CAmCzB"}

package/dist/providers/CognitoProvider.d.ts

@@ -0,0 +1,18 @@
+import { JwtPayload } from 'jsonwebtoken';
+import { AuthProviderConfig, AuthUserInfo } from '@memberjunction/core';
+import { BaseAuthProvider } from '../BaseAuthProvider.js';
+/**
+ * AWS Cognito authentication provider implementation
+ */
+export declare class CognitoProvider extends BaseAuthProvider {
+    constructor(config: AuthProviderConfig);
+    /**
+     * Extracts user information from Cognito JWT payload
+     */
+    extractUserInfo(payload: JwtPayload): AuthUserInfo;
+    /**
+     * Validates Cognito-specific configuration
+     */
+    validateConfig(): boolean;
+}
+//# sourceMappingURL=CognitoProvider.d.ts.map

package/dist/providers/CognitoProvider.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"CognitoProvider.d.ts","sourceRoot":"","sources":["../../src/providers/CognitoProvider.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,UAAU,EAAE,MAAM,cAAc,CAAC;AAE1C,OAAO,EAAE,kBAAkB,EAAE,YAAY,EAAE,MAAM,sBAAsB,CAAC;AACxE,OAAO,EAAE,gBAAgB,EAAE,MAAM,wBAAwB,CAAC;AAG1D;;GAEG;AACH,qBACa,eAAgB,SAAQ,gBAAgB;gBACvC,MAAM,EAAE,kBAAkB;IAItC;;OAEG;IACH,eAAe,CAAC,OAAO,EAAE,UAAU,GAAG,YAAY;IAoBlD;;OAEG;IACH,cAAc,IAAI,OAAO;CAQ1B"}

package/dist/providers/CognitoProvider.js

@@ -0,0 +1,56 @@
+var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) {
+    var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+    if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+    else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+    return c > 3 && r && Object.defineProperty(target, key, r), r;
+};
+var __metadata = (this && this.__metadata) || function (k, v) {
+    if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
+};
+import { RegisterClass } from '@memberjunction/global';
+import { BaseAuthProvider } from '../BaseAuthProvider.js';
+/**
+ * AWS Cognito authentication provider implementation
+ */
+let CognitoProvider = class CognitoProvider extends BaseAuthProvider {
+    constructor(config) {
+        super(config);
+    }
+    /**
+     * Extracts user information from Cognito JWT payload
+     */
+    extractUserInfo(payload) {
+        // Cognito uses custom claims with 'cognito:' prefix for some fields
+        const email = payload.email ||
+            payload['cognito:username'];
+        const fullName = payload.name;
+        const firstName = payload.given_name;
+        const lastName = payload.family_name;
+        const preferredUsername = payload['cognito:username'] ||
+            payload.preferred_username ||
+            email;
+        return {
+            email,
+            firstName: firstName || fullName?.split(' ')[0],
+            lastName: lastName || fullName?.split(' ')[1] || fullName?.split(' ')[0],
+            fullName,
+            preferredUsername
+        };
+    }
+    /**
+     * Validates Cognito-specific configuration
+     */
+    validateConfig() {
+        const baseValid = super.validateConfig();
+        const hasClientId = !!this.config.clientId;
+        const hasRegion = !!this.config.region;
+        const hasUserPoolId = !!this.config.userPoolId;
+        return baseValid && hasClientId && hasRegion && hasUserPoolId;
+    }
+};
+CognitoProvider = __decorate([
+    RegisterClass(BaseAuthProvider, 'cognito'),
+    __metadata("design:paramtypes", [Object])
+], CognitoProvider);
+export { CognitoProvider };
+//# sourceMappingURL=CognitoProvider.js.map