@micha.bigler/ui-core-micha 1.4.14 → 1.4.16

package/src/auth/authApi.jsx

@@ -1,14 +1,9 @@
-import axios from 'axios';
+import apiClient from './apiClient';
 import { HEADLESS_BASE, USERS_BASE, ACCESS_CODES_BASE } from './authConfig';
 
 // -----------------------------
 // WebAuthn Serialization Helpers
 // -----------------------------
-
-/**
- * Converts an ArrayBuffer to a Base64URL encoded string.
- * Required for manual credential serialization when .toJSON() is missing.
- */
 function bufferToBase64URL(buffer) {
   const bytes = new Uint8Array(buffer);
   let str = '';
@@ -19,16 +14,11 @@ function bufferToBase64URL(buffer) {
   return base64.replace(/\+/g, '-').replace(/\//g, '_').replace(/=/g, '');
 }
 
-/**
- * Serializes a PublicKeyCredential into a JSON-compatible object.
- * Acts as a polyfill for environments where credential.toJSON() is missing (e.g., Proton Pass).
- */
 function serializeCredential(credential) {
   if (typeof credential.toJSON === 'function') {
     return credential.toJSON();
   }
 
-  // Manual serialization for extensions that return incomplete objects
   const p = {
     id: credential.id,
     rawId: bufferToBase64URL(credential.rawId),
@@ -39,26 +29,21 @@ function serializeCredential(credential) {
   };
 
   if (credential.response.attestationObject) {
-    // Registration specific
     p.response.attestationObject = bufferToBase64URL(credential.response.attestationObject);
   }
 
   if (credential.response.authenticatorData) {
-    // Login specific
     p.response.authenticatorData = bufferToBase64URL(credential.response.authenticatorData);
   }
 
   if (credential.response.signature) {
-    // Login specific
     p.response.signature = bufferToBase64URL(credential.response.signature);
   }
 
   if (credential.response.userHandle) {
-    // Login specific
     p.response.userHandle = bufferToBase64URL(credential.response.userHandle);
   }
 
-  // Include clientExtensionResults if present
   if (typeof credential.getClientExtensionResults === 'function') {
     p.clientExtensionResults = credential.getClientExtensionResults();
   }
@@ -68,7 +53,6 @@ function serializeCredential(credential) {
 
 function normaliseApiError(error, defaultCode = 'Auth.GENERIC_ERROR') {
   const info = extractErrorInfo(error);
-
   const code = info.code || defaultCode;
   const message = info.message || code || defaultCode;
 
@@ -80,13 +64,8 @@ function normaliseApiError(error, defaultCode = 'Auth.GENERIC_ERROR') {
   return err;
 }
 
-
 function mapAllauthDetailToCode(detail) {
   if (!detail || typeof detail !== 'string') return null;
-  // Optional: bekannte allauth-Texte auf eigene Codes mappen
-  // if (detail.includes('Unable to log in with provided credentials')) {
-  //   return 'Auth.INVALID_CREDENTIALS';
-  // }
   return null;
 }
 
@@ -95,56 +74,27 @@ function extractErrorInfo(error) {
   const data = error.response?.data ?? null;
 
   if (!data) {
-    return {
-      status,
-      code: null,
-      message: error.message || null,
-      raw: null,
-    };
+    return { status, code: null, message: error.message || null, raw: null };
   }
 
   if (typeof data.code === 'string') {
-    return {
-      status,
-      code: data.code,
-      message: null,
-      raw: data,
-    };
+    return { status, code: data.code, message: null, raw: data };
   }
 
   if (typeof data.detail === 'string') {
     const mapped = mapAllauthDetailToCode(data.detail);
-    return {
-      status,
-      code: mapped,
-      message: data.detail,
-      raw: data,
-    };
+    return { status, code: mapped, message: data.detail, raw: data };
   }
 
-  if (
-    Array.isArray(data.non_field_errors) &&
-    data.non_field_errors.length > 0
-  ) {
+  if (Array.isArray(data.non_field_errors) && data.non_field_errors.length > 0) {
     const msg = data.non_field_errors[0];
     const mapped = mapAllauthDetailToCode(msg);
-    return {
-      status,
-      code: mapped,
-      message: msg,
-      raw: data,
-    };
+    return { status, code: mapped, message: msg, raw: data };
   }
 
-  return {
-    status,
-    code: null,
-    message: null,
-    raw: data,
-  };
+  return { status, code: null, message: null, raw: data };
 }
 
-
 // -----------------------------
 // CSRF helper
 // -----------------------------
@@ -152,7 +102,8 @@ function getCsrfToken() {
   if (typeof document === 'undefined' || !document.cookie) {
     return null;
   }
-  const match = document.cookie.match(/csrftoken=([^;]+)/);
+  // Robust regex for CSRF token
+  const match = document.cookie.match(/(?:^|; )csrftoken=([^;]+)/);
   return match ? match[1] : null;
 }
 
@@ -172,10 +123,7 @@ function ensureWebAuthnSupport() {
     !window.PublicKeyCredential ||
     !navigator.credentials
   ) {
-    throw normaliseApiError(
-      new Error('Auth.PASSKEY_NOT_SUPPORTED'),
-      'Auth.PASSKEY_NOT_SUPPORTED'
-    );
+    throw normaliseApiError(new Error('Auth.PASSKEY_NOT_SUPPORTED'), 'Auth.PASSKEY_NOT_SUPPORTED');
   }
 }
 
@@ -183,17 +131,14 @@ function ensureWebAuthnSupport() {
 // User-related helpers
 // -----------------------------
 export async function fetchCurrentUser() {
-  const res = await axios.get(`${USERS_BASE}/current/`, {
-    withCredentials: true,
-  });
+  const res = await apiClient.get(`${USERS_BASE}/current/`);
   return res.data;
 }
 
 export async function updateUserProfile(data) {
   try {
-    const res = await axios.patch(`${USERS_BASE}/current/`, data, {
-      withCredentials: true,
-    });
+    // CHANGED: axios -> apiClient
+    const res = await apiClient.patch(`${USERS_BASE}/current/`, data);
     return res.data;
   } catch (error) {
     throw normaliseApiError(error, 'Auth.PROFILE_UPDATE_FAILED');
@@ -203,45 +148,22 @@ export async function updateUserProfile(data) {
 // -----------------------------
 // Authentication: password
 // -----------------------------
-/*
-export async function loginWithPassword(email, password) {
-  try {
-    await axios.post(
-      `${HEADLESS_BASE}/auth/login`,
-      { email, password },
-      { withCredentials: true },
-    );
-  } catch (error) {
-    if (error.response && error.response.status === 409) {
-      // Already logged in: continue and fetch current user
-    } else {
-      throw new Error(extractErrorMessage(error));
-    }
-  }
-
-  const user = await fetchCurrentUser();
-  return { user };
-}
-*/
 export async function requestPasswordReset(email) {
   try {
-    await axios.post(
+    await apiClient.post(
       `${USERS_BASE}/reset-request/`,
-      { email },
-      { withCredentials: true },
+      { email }
     );
   } catch (error) {
     throw normaliseApiError(error, 'Auth.RESET_REQUEST_FAILED');
   }
 }
 
-// (Falls du es noch brauchst: klassischer allauth-Key-Flow)
 export async function resetPasswordWithKey(key, newPassword) {
   try {
-    await axios.post(
+    await apiClient.post(
       `${HEADLESS_BASE}/auth/password/reset/key`,
-      { key, password: newPassword },
-      { withCredentials: true },
+      { key, password: newPassword }
     );
   } catch (error) {
     throw normaliseApiError(error, 'Auth.RESET_WITH_KEY_FAILED');
@@ -250,13 +172,12 @@ export async function resetPasswordWithKey(key, newPassword) {
 
 export async function changePassword(currentPassword, newPassword) {
   try {
-    await axios.post(
+    await apiClient.post(
       `${HEADLESS_BASE}/account/password/change`,
       {
         current_password: currentPassword,
         new_password: newPassword,
-      },
-      { withCredentials: true },
+      }
     );
   } catch (error) {
     throw normaliseApiError(error, 'Auth.PASSWORD_CHANGE_FAILED');
@@ -274,16 +195,13 @@ export async function logoutSession() {
       headers['X-CSRFToken'] = csrfToken;
     }
 
-    await axios.delete(
+    // CHANGED: axios -> apiClient
+    await apiClient.delete(
       `${HEADLESS_BASE}/auth/session`,
-      {
-        withCredentials: true,
-        headers,
-      },
+      { headers }
     );
   } catch (error) {
     if (error.response && [401, 404, 410].includes(error.response.status)) {
-      // Session already gone, nothing to do
       return;
     }
     // eslint-disable-next-line no-console
@@ -292,9 +210,7 @@ export async function logoutSession() {
 }
 
 export async function fetchHeadlessSession() {
-  const res = await axios.get(`${HEADLESS_BASE}/auth/session`, {
-    withCredentials: true,
-  });
+  const res = await apiClient.get(`${HEADLESS_BASE}/auth/session`);
   return res.data;
 }
 
@@ -308,8 +224,6 @@ export function startSocialLogin(provider) {
       'Auth.SOCIAL_LOGIN_NOT_IN_BROWSER'
     );
   }
-
-  // Classic allauth HTML flow
   window.location.href = `/accounts/${provider}/login/?process=login`;
 }
 
@@ -318,17 +232,16 @@ export function startSocialLogin(provider) {
 // -----------------------------
 export async function validateAccessCode(code) {
   try {
-    const res = await axios.post(
+    const res = await apiClient.post(
       `${ACCESS_CODES_BASE}/validate/`,
-      { code },
-      { withCredentials: true },
+      { code }
     );
     return res.data;
   } catch (error) {
-    // Default für "irgendwas ist mit dem Code schief"
     throw normaliseApiError(error, 'Auth.ACCESS_CODE_INVALID_OR_INACTIVE');
   }
 }
+
 export async function requestInviteWithCode(email, accessCode) {
   const payload = { email };
   if (accessCode) {
@@ -336,14 +249,12 @@ export async function requestInviteWithCode(email, accessCode) {
   }
 
   try {
-    const res = await axios.post(
+    const res = await apiClient.post(
       `${USERS_BASE}/invite/`,
-      payload,
-      { withCredentials: true },
+      payload
     );
     return res.data;
   } catch (error) {
-    // z.B. bei Netzwerkfehlern oder wenn Backend ausnahmsweise keinen code liefert
     throw normaliseApiError(error, 'Auth.INVITE_FAILED');
   }
 }
@@ -353,23 +264,20 @@ export async function requestInviteWithCode(email, accessCode) {
 // -----------------------------
 export async function verifyResetToken(uid, token) {
   try {
-    const res = await axios.get(
-      `${USERS_BASE}/password-reset/${uid}/${token}/`,
-      { withCredentials: true },
+    const res = await apiClient.get(
+      `${USERS_BASE}/password-reset/${uid}/${token}/`
     );
     return res.data;
   } catch (error) {
-    // Wenn der Link nicht passt oder Netzwerkfehler: generisch als "Link invalid"
     throw normaliseApiError(error, 'Auth.RESET_LINK_INVALID');
   }
 }
 
 export async function setNewPassword(uid, token, newPassword) {
   try {
-    const res = await axios.post(
+    const res = await apiClient.post(
       `${USERS_BASE}/password-reset/${uid}/${token}/`,
-      { new_password: newPassword },
-      { withCredentials: true },
+      { new_password: newPassword }
     );
     return res.data;
   } catch (error) {
@@ -378,180 +286,121 @@ export async function setNewPassword(uid, token, newPassword) {
 }
 
 // -----------------------------
-// WebAuthn / Passkeys: register
+// WebAuthn / Passkeys
 // -----------------------------
 async function registerPasskeyStart({ passwordless = true } = {}) {
   ensureWebAuthnSupport();
-
-  const res = await axios.get(
+  const res = await apiClient.get(
     `${HEADLESS_BASE}/account/authenticators/webauthn`,
     {
       params: passwordless ? { passwordless: true } : {},
-      withCredentials: true,
-    },
+    }
   );
-
   const responseBody = res.data || {};
-
-  // Handle nested 'data' wrapper if present, otherwise use body directly
   const payload = responseBody.data || responseBody;
-
-  // Extract the inner publicKey structure required by the browser API
   const publicKeyJson =
     (payload.creation_options && payload.creation_options.publicKey) ||
     payload.publicKey ||
     payload;
-
   return publicKeyJson;
 }
 
-
 async function registerPasskeyComplete(credentialJson, name = 'Passkey') {
-  const res = await axios.post(
+  const res = await apiClient.post(
     `${HEADLESS_BASE}/account/authenticators/webauthn`,
-    {
-      credential: credentialJson,
-      name,
-    },
-    { withCredentials: true },
+    { credential: credentialJson, name }
   );
   return res.data;
 }
 
 export async function registerPasskey(name = 'Passkey') {
   ensureWebAuthnSupport();
-
   if (!hasJsonWebAuthn) {
     throw normaliseApiError(
       new Error('Auth.PASSKEY_JSON_HELPERS_UNAVAILABLE'),
-      'Auth.PASSKEY_JSON_HELPERS_UNAVAILABLE',
+      'Auth.PASSKEY_JSON_HELPERS_UNAVAILABLE'
     );
   }
-
-  // ... (previous logic for registerPasskeyStart) ...
   const publicKeyJson = await registerPasskeyStart({ passwordless: true });
-
   let credential;
   try {
-     const publicKeyOptions =
-       window.PublicKeyCredential.parseCreationOptionsFromJSON(publicKeyJson);
-
-     credential = await navigator.credentials.create({
-       publicKey: publicKeyOptions,
-     });
+    const publicKeyOptions = window.PublicKeyCredential.parseCreationOptionsFromJSON(publicKeyJson);
+    credential = await navigator.credentials.create({ publicKey: publicKeyOptions });
   } catch (err) {
-    // ... (error handling) ...
     if (err && err.name === 'NotAllowedError') {
       throw normaliseApiError(err, 'Auth.PASSKEY_CREATION_CANCELLED');
     }
     throw err;
   }
-
   if (!credential) {
-    throw normaliseApiError(
-      new Error('Auth.PASSKEY_CREATION_CANCELLED'),
-      'Auth.PASSKEY_CREATION_CANCELLED',
-    );
+    throw normaliseApiError(new Error('Auth.PASSKEY_CREATION_CANCELLED'), 'Auth.PASSKEY_CREATION_CANCELLED');
   }
-
-  // CHANGED: Use helper instead of direct .toJSON()
   const credentialJson = serializeCredential(credential);
-  
   return registerPasskeyComplete(credentialJson, name);
 }
 
-// -----------------------------
-// WebAuthn / Passkeys: login
-// -----------------------------
 async function loginWithPasskeyStart() {
   ensureWebAuthnSupport();
-
-  const res = await axios.get(
-    `${HEADLESS_BASE}/auth/webauthn/login`,
-    { withCredentials: true },
-  );
-
+  const res = await apiClient.get(`${HEADLESS_BASE}/auth/webauthn/login`);
   const responseBody = res.data || {};
-
-  // Handle nested 'data' wrapper if present
   const payload = responseBody.data || responseBody;
-
-  // Extract request options for authentication
   const requestOptionsJson =
     (payload.request_options && payload.request_options.publicKey) ||
     payload.request_options ||
     payload;
-
   return requestOptionsJson;
 }
 
 async function loginWithPasskeyComplete(credentialJson) {
-  const res = await axios.post(
+  const res = await apiClient.post(
     `${HEADLESS_BASE}/auth/webauthn/login`,
-    { credential: credentialJson },
-    { withCredentials: true },
+    { credential: credentialJson }
   );
   return res.data;
 }
 
 export async function loginWithPasskey() {
   ensureWebAuthnSupport();
-
   if (!hasJsonWebAuthn) {
     throw normaliseApiError(
       new Error('Auth.PASSKEY_JSON_HELPERS_UNAVAILABLE'),
-      'Auth.PASSKEY_JSON_HELPERS_UNAVAILABLE',
+      'Auth.PASSKEY_JSON_HELPERS_UNAVAILABLE'
     );
   }
-
   const requestOptionsJson = await loginWithPasskeyStart();
-
   let assertion;
   try {
-    const publicKeyOptions =
-      window.PublicKeyCredential.parseRequestOptionsFromJSON(requestOptionsJson);
-
+    const publicKeyOptions = window.PublicKeyCredential.parseRequestOptionsFromJSON(requestOptionsJson);
     assertion = await navigator.credentials.get({ publicKey: publicKeyOptions });
   } catch (err) {
-    // Browser-interner Abbruch (z.B. Dialog weggeklickt)
     const e = new Error('Auth.PASSKEY_AUTH_CANCELLED');
     e.code = 'Auth.PASSKEY_AUTH_CANCELLED';
     throw e;
   }
-
   if (!assertion) {
     const e = new Error('Auth.PASSKEY_AUTH_CANCELLED');
     e.code = 'Auth.PASSKEY_AUTH_CANCELLED';
     throw e;
   }
-
   const credentialJson = serializeCredential(assertion);
-
   let postError = null;
   try {
     await loginWithPasskeyComplete(credentialJson);
   } catch (err) {
     postError = err;
   }
-
   try {
     const user = await fetchCurrentUser();
     return { user };
   } catch (err) {
-    if (postError) {
-      throw normaliseApiError(postError, 'Auth.PASSKEY_FAILED');
-    }
+    if (postError) throw normaliseApiError(postError, 'Auth.PASSKEY_FAILED');
     throw normaliseApiError(err, 'Auth.PASSKEY_FAILED');
   }
 }
 
-
 export async function fetchPasskeys() {
   try {
-    const res = await axios.get(
-      `${USERS_BASE}/passkeys/`,
-      { withCredentials: true },
-    );
+    const res = await apiClient.get(`${USERS_BASE}/passkeys/`);
     return Array.isArray(res.data) ? res.data : [];
   } catch (error) {
     throw normaliseApiError(error, 'Auth.PASSKEY_LIST_FAILED');
@@ -560,10 +409,8 @@ export async function fetchPasskeys() {
 
 export async function deletePasskey(id) {
   try {
-    await axios.delete(
-      `${USERS_BASE}/passkeys/${id}/`,
-      { withCredentials: true },
-    );
+    // CHANGED: axios -> apiClient
+    await apiClient.delete(`${USERS_BASE}/passkeys/${id}/`);
   } catch (error) {
     throw normaliseApiError(error, 'Auth.PASSKEY_DELETE_FAILED');
   }
@@ -578,10 +425,9 @@ export async function authenticateWithMFA({ code, credential }) {
   if (credential) payload.credential = credential;
 
   try {
-    const res = await axios.post(
+    const res = await apiClient.post(
       `${HEADLESS_BASE}/auth/2fa/authenticate`,
-      payload,
-      { withCredentials: true },
+      payload
     );
     return res.data;
   } catch (error) {
@@ -590,20 +436,17 @@ export async function authenticateWithMFA({ code, credential }) {
 }
 
 // -----------------------------
-// Authentication: password (MODIFIZIERT)
+// Authentication: password
 // -----------------------------
 export async function loginWithPassword(email, password) {
   try {
-    await axios.post(
+    await apiClient.post(
       `${HEADLESS_BASE}/auth/login`,
-      { email, password },
-      { withCredentials: true },
+      { email, password }
     );
   } catch (error) {
     const status = error.response?.status;
     const body = error.response?.data;
-
-    // Flows können in body.data.flows oder body.flows liegen
     const flows = body?.data?.flows || body?.flows || [];
     const mfaFlow = Array.isArray(flows)
       ? flows.find((f) => f.id === 'mfa_authenticate')
@@ -612,55 +455,41 @@ export async function loginWithPassword(email, password) {
     if (status === 401 && mfaFlow && mfaFlow.is_pending) {
       return {
         needsMfa: true,
-        availableTypes: mfaFlow.types || [], // ["recovery_codes", "totp", "webauthn"]
+        availableTypes: mfaFlow.types || [],
       };
     }
-
     if (status === 409) {
-      // Already logged in – einfach weitermachen
+      // Already logged in
     } else {
       throw normaliseApiError(error, 'Auth.LOGIN_FAILED');
     }
   }
-
-  // Erfolg ohne MFA
   const user = await fetchCurrentUser();
   return { user, needsMfa: false };
 }
 
-// 1. Status prüfen (Liste der aktiven Authenticators)
+// -----------------------------
+// Authenticators & MFA
+// -----------------------------
 export async function fetchAuthenticators() {
-  const res = await axios.get(
-    `${HEADLESS_BASE}/account/authenticators`,
-    { withCredentials: true },
-  );
-
+  const res = await apiClient.get(`${HEADLESS_BASE}/account/authenticators`);
   const body = res.data || {};
-  // Headless gibt i.d.R. { status, data: [...] } zurück
   const items = Array.isArray(body.data) ? body.data : (Array.isArray(body) ? body : []);
   return items;
 }
 
-// 2. TOTP Einrichtung starten (liefert Secret & QR-URL)
 export async function requestTotpKey() {
   try {
-    const res = await axios.get(
-      `${HEADLESS_BASE}/account/authenticators/totp`,
-      { withCredentials: true },
-    );
-
-    // Fall: TOTP existiert bereits -> 200
+    const res = await apiClient.get(`${HEADLESS_BASE}/account/authenticators/totp`);
     const body = res.data || {};
     const data = body.data || body;
-
     return {
       exists: true,
-      authenticator: data,  // z.B. { id, type, created_at, ... }
+      authenticator: data,
     };
   } catch (error) {
     const { response } = error;
     if (response?.status === 404) {
-      // Spezialfall von allauth: noch kein TOTP eingerichtet
       const meta = response.data?.meta || {};
       return {
         exists: false,
@@ -674,10 +503,9 @@ export async function requestTotpKey() {
 
 export async function activateTotp(code) {
   try {
-    const res = await axios.post(
+    const res = await apiClient.post(
       `${HEADLESS_BASE}/account/authenticators/totp`,
-      { code },
-      { withCredentials: true },
+      { code }
     );
     return res.data;
   } catch (error) {
@@ -687,37 +515,26 @@ export async function activateTotp(code) {
 
 export async function deactivateTotp() {
   try {
-    const res = await axios.delete(
-      `${HEADLESS_BASE}/account/authenticators/totp`,
-      { withCredentials: true },
-    );
+    // CHANGED: axios -> apiClient
+    const res = await apiClient.delete(`${HEADLESS_BASE}/account/authenticators/totp`);
     return res.data;
   } catch (error) {
     throw normaliseApiError(error, 'Auth.TOTP_DEACTIVATE_FAILED');
   }
 }
-// -----------------------------
-// MFA: Recovery Codes
-// -----------------------------
 
 export async function fetchRecoveryCodes() {
   try {
-    const res = await axios.get(
-      `${HEADLESS_BASE}/account/authenticators/recovery-codes`,
-      { withCredentials: true },
-    );
+    const res = await apiClient.get(`${HEADLESS_BASE}/account/authenticators/recovery-codes`);
     const body = res.data || {};
-    // Inneres "data" herausziehen, sonst direkt body verwenden
     const data = body.data || body;
-    return data; // { type, unused_codes, ... }
+    return data;
   } catch (error) {
     const status = error.response?.status;
     if (status === 404) {
-      // Noch keine Codes -> automatisch generieren
-      const resPost = await axios.post(
+      const resPost = await apiClient.post(
         `${HEADLESS_BASE}/account/authenticators/recovery-codes`,
-        {},
-        { withCredentials: true },
+        {}
       );
       const body = resPost.data || {};
       const data = body.data || body;
@@ -729,10 +546,9 @@ export async function fetchRecoveryCodes() {
 
 export async function generateRecoveryCodes() {
   try {
-    const res = await axios.post(
+    const res = await apiClient.post(
       `${HEADLESS_BASE}/account/authenticators/recovery-codes`,
-      {},
-      { withCredentials: true },
+      {}
     );
     const body = res.data || {};
     const data = body.data || body;
@@ -742,23 +558,16 @@ export async function generateRecoveryCodes() {
   }
 }
 
-
-
 export async function fetchOrGenerateRecoveryCodes() {
   try {
-    const res = await axios.get(
-      `${HEADLESS_BASE}/mfa/recovery_codes`,
-      { withCredentials: true },
-    );
+    const res = await apiClient.get(`${HEADLESS_BASE}/mfa/recovery_codes`);
     return res.data;
   } catch (error) {
     const { response } = error;
     if (response?.status === 404) {
-      // Noch keine Codes -> jetzt generieren
-      const resPost = await axios.post(
+      const resPost = await apiClient.post(
         `${HEADLESS_BASE}/mfa/recovery_codes`,
-        {},
-        { withCredentials: true },
+        {}
       );
       return resPost.data;
     }
@@ -766,76 +575,59 @@ export async function fetchOrGenerateRecoveryCodes() {
   }
 }
 
-
 export function isStrongSession(session) {
   const methods = session?.methods || [];
   const used = methods.map((m) => m.method);
-
-  // alles, was klar 2FA / starker Faktor ist:
   const strongMethods = ['totp', 'recovery_codes', 'webauthn'];
-
   return used.some((m) => strongMethods.includes(m));
 }
 
 export async function requestMfaSupportHelp(emailOrIdentifier, message = '') {
-  // Wir nutzen hier die Users-API, nicht HEADLESS_BASE
   const payload = { email: emailOrIdentifier, message };
-
-  const res = await axios.post(
+  const res = await apiClient.post(
     `${USERS_BASE}/mfa/support-help/`,
-    payload,
-    { withCredentials: true }
+    payload
   );
   return res.data;
 }
 
 export async function fetchRecoveryRequests(status = 'pending') {
-  const res = await axios.get(
+  const res = await apiClient.get(
     '/api/support/recovery-requests/',
-    {
-      params: { status },
-      withCredentials: true,
-    },
+    { params: { status } }
   );
   return res.data;
 }
 
 export async function approveRecoveryRequest(id, supportNote) {
-  const res = await axios.post(
+  const res = await apiClient.post(
     `/api/support/recovery-requests/${id}/approve/`,
-    { support_note: supportNote || '' },
-    { withCredentials: true },
+    { support_note: supportNote || '' }
   );
   return res.data;
 }
 
 export async function rejectRecoveryRequest(id, supportNote) {
-  const res = await axios.post(
+  const res = await apiClient.post(
     `/api/support/recovery-requests/${id}/reject/`,
-    { support_note: supportNote || '' },
-    { withCredentials: true },
+    { support_note: supportNote || '' }
   );
   return res.data;
 }
 
-
 export async function loginWithRecoveryPassword(email, password, token) {
   try {
-    await axios.post(
+    await apiClient.post(
       `/api/support/recovery-requests/recovery-login/${token}/`,
-      { email, password },
-      { withCredentials: true },
+      { email, password }
     );
   } catch (error) {
     throw normaliseApiError(error, 'Auth.RECOVERY_LOGIN_FAILED');
   }
-
   const user = await fetchCurrentUser();
   return { user, needsMfa: false };
 }
 
-
-
 // -----------------------------
 // Aggregated API object
 // -----------------------------
@@ -872,4 +664,4 @@ export const authApi = {
   loginWithRecoveryPassword,
 };
 
-export default authApi;
+export default authApi;