@micha.bigler/ui-core-micha 1.4.20 → 1.4.23

package/src/auth/authApi.jsx

@@ -1,134 +1,18 @@
 import apiClient from './apiClient';
 import { HEADLESS_BASE, USERS_BASE, ACCESS_CODES_BASE } from './authConfig';
+import { normaliseApiError } from '../utils/errors'; // Beachte den Pfad zu deiner errors.js
 
-// -----------------------------
-// WebAuthn Serialization Helpers
-// -----------------------------
-function bufferToBase64URL(buffer) {
-  const bytes = new Uint8Array(buffer);
-  let str = '';
-  for (const char of bytes) {
-    str += String.fromCharCode(char);
-  }
-  const base64 = btoa(str);
-  return base64.replace(/\+/g, '-').replace(/\//g, '_').replace(/=/g, '');
-}
-
-function serializeCredential(credential) {
-  // Wir nutzen IMMER die manuelle Serialisierung, um sicherzugehen,
-  // dass alles Base64URL-kodiert ist (kompatibel mit Allauth).
-  const p = {
-    id: credential.id,
-    rawId: bufferToBase64URL(credential.rawId),
-    type: credential.type,
-    response: {
-      clientDataJSON: bufferToBase64URL(credential.response.clientDataJSON),
-    },
-  };
-
-  if (credential.response.attestationObject) {
-    p.response.attestationObject = bufferToBase64URL(credential.response.attestationObject);
-  }
-
-  if (credential.response.authenticatorData) {
-    p.response.authenticatorData = bufferToBase64URL(credential.response.authenticatorData);
-  }
-
-  if (credential.response.signature) {
-    p.response.signature = bufferToBase64URL(credential.response.signature);
-  }
-
-  if (credential.response.userHandle) {
-    p.response.userHandle = bufferToBase64URL(credential.response.userHandle);
-  }
-  
-  // Extension Results direkt übernehmen, falls vorhanden
-  if (typeof credential.getClientExtensionResults === 'function') {
-    p.clientExtensionResults = credential.getClientExtensionResults();
-  }
-
-  return p;
-}
-
-function normaliseApiError(error, defaultCode = 'Auth.GENERIC_ERROR') {
-  const info = extractErrorInfo(error);
-  const code = info.code || defaultCode;
-  const message = info.message || code || defaultCode;
-
-  const err = new Error(message);
-  err.code = code;
-  err.status = info.status;
-  err.raw = info.raw;
-
-  return err;
-}
-
-function mapAllauthDetailToCode(detail) {
-  if (!detail || typeof detail !== 'string') return null;
-  return null;
-}
-
-function extractErrorInfo(error) {
-  const status = error.response?.status ?? null;
-  const data = error.response?.data ?? null;
-
-  if (!data) {
-    return { status, code: null, message: error.message || null, raw: null };
-  }
-
-  if (typeof data.code === 'string') {
-    return { status, code: data.code, message: null, raw: data };
-  }
-
-  if (typeof data.detail === 'string') {
-    const mapped = mapAllauthDetailToCode(data.detail);
-    return { status, code: mapped, message: data.detail, raw: data };
-  }
-
-  if (Array.isArray(data.non_field_errors) && data.non_field_errors.length > 0) {
-    const msg = data.non_field_errors[0];
-    const mapped = mapAllauthDetailToCode(msg);
-    return { status, code: mapped, message: msg, raw: data };
-  }
-
-  return { status, code: null, message: null, raw: data };
-}
-
-// -----------------------------
-// CSRF helper
-// -----------------------------
+// --- Internal Helper for CSRF ---
 function getCsrfToken() {
-  if (typeof document === 'undefined' || !document.cookie) {
-    return null;
-  }
-  // Robust regex for CSRF token
+  if (typeof document === 'undefined' || !document.cookie) return null;
   const match = document.cookie.match(/(?:^|; )csrftoken=([^;]+)/);
   return match ? match[1] : null;
 }
 
 // -----------------------------
-// WebAuthn capability helpers
+// Session & User Core
 // -----------------------------
-const hasJsonWebAuthn =
-  typeof window !== 'undefined' &&
-  typeof window.PublicKeyCredential !== 'undefined' &&
-  typeof window.PublicKeyCredential.parseCreationOptionsFromJSON === 'function' &&
-  typeof window.PublicKeyCredential.parseRequestOptionsFromJSON === 'function';
-
-function ensureWebAuthnSupport() {
-  if (
-    typeof window === 'undefined' ||
-    typeof navigator === 'undefined' ||
-    !window.PublicKeyCredential ||
-    !navigator.credentials
-  ) {
-    throw normaliseApiError(new Error('Auth.PASSKEY_NOT_SUPPORTED'), 'Auth.PASSKEY_NOT_SUPPORTED');
-  }
-}
 
-// -----------------------------
-// User-related helpers
-// -----------------------------
 export async function fetchCurrentUser() {
   const res = await apiClient.get(`${USERS_BASE}/current/`);
   return res.data;
@@ -136,7 +20,6 @@ export async function fetchCurrentUser() {
 
 export async function updateUserProfile(data) {
   try {
-    // CHANGED: axios -> apiClient
     const res = await apiClient.patch(`${USERS_BASE}/current/`, data);
     return res.data;
   } catch (error) {
@@ -144,128 +27,105 @@ export async function updateUserProfile(data) {
   }
 }
 
-// -----------------------------
-// Authentication: password
-// -----------------------------
-export async function requestPasswordReset(email) {
-  try {
-    await apiClient.post(
-      `${USERS_BASE}/reset-request/`,
-      { email }
-    );
-  } catch (error) {
-    throw normaliseApiError(error, 'Auth.RESET_REQUEST_FAILED');
-  }
+export async function fetchHeadlessSession() {
+  const res = await apiClient.get(`${HEADLESS_BASE}/auth/session`);
+  return res.data;
 }
 
-export async function resetPasswordWithKey(key, newPassword) {
+export async function logoutSession() {
   try {
-    await apiClient.post(
-      `${HEADLESS_BASE}/auth/password/reset/key`,
-      { key, password: newPassword }
-    );
-  } catch (error) {
-    throw normaliseApiError(error, 'Auth.RESET_WITH_KEY_FAILED');
-  }
-}
+    const headers = {};
+    const token = getCsrfToken();
+    if (token) headers['X-CSRFToken'] = token;
 
-export async function changePassword(currentPassword, newPassword) {
-  try {
-    await apiClient.post(
-      `${HEADLESS_BASE}/account/password/change`,
-      {
-        current_password: currentPassword,
-        new_password: newPassword,
-      }
-    );
+    await apiClient.delete(`${HEADLESS_BASE}/auth/session`, { headers });
   } catch (error) {
-    throw normaliseApiError(error, 'Auth.PASSWORD_CHANGE_FAILED');
+    // 401/404 beim Logout ignorieren wir
+    if (error.response && [401, 404, 410].includes(error.response.status)) return;
+    console.error('Logout error:', error);
   }
 }
 
 // -----------------------------
-// Logout / Session
+// Authentication: Password & MFA
 // -----------------------------
-export async function logoutSession() {
-  try {
-    const headers = {};
-    const csrfToken = getCsrfToken();
-    if (csrfToken) {
-      headers['X-CSRFToken'] = csrfToken;
-    }
 
-    // CHANGED: axios -> apiClient
-    await apiClient.delete(
-      `${HEADLESS_BASE}/auth/session`,
-      { headers }
-    );
+export async function loginWithPassword(email, password) {
+  try {
+    await apiClient.post(`${HEADLESS_BASE}/auth/login`, { email, password });
+    // Nach erfolgreichem Login User holen
+    const user = await fetchCurrentUser();
+    return { user, needsMfa: false };
   } catch (error) {
-    if (error.response && [401, 404, 410].includes(error.response.status)) {
-      return;
+    const status = error.response?.status;
+    const body = error.response?.data;
+    
+    // Prüfen auf Allauth Headless MFA Flow (401 + flows)
+    const flows = body?.data?.flows || body?.flows || [];
+    const mfaFlow = Array.isArray(flows) ? flows.find((f) => f.id === 'mfa_authenticate') : null;
+
+    if (status === 401 && mfaFlow && mfaFlow.is_pending) {
+      return { needsMfa: true, availableTypes: mfaFlow.types || [] };
     }
-    // eslint-disable-next-line no-console
-    console.error('Logout error:', error);
+    
+    // 409 = Already logged in
+    if (status === 409) {
+        const user = await fetchCurrentUser();
+        return { user, needsMfa: false };
+    }
+
+    throw normaliseApiError(error, 'Auth.LOGIN_FAILED');
   }
 }
 
-export async function fetchHeadlessSession() {
-  const res = await apiClient.get(`${HEADLESS_BASE}/auth/session`);
-  return res.data;
-}
+export async function authenticateWithMFA({ code, credential }) {
+  const payload = {};
+  if (code) payload.code = code;
+  if (credential) payload.credential = credential;
 
-// -----------------------------
-// Social login
-// -----------------------------
-export function startSocialLogin(provider) {
-  if (typeof window === 'undefined') {
-    throw normaliseApiError(
-      new Error('Auth.SOCIAL_LOGIN_NOT_IN_BROWSER'),
-      'Auth.SOCIAL_LOGIN_NOT_IN_BROWSER'
-    );
+  try {
+    const res = await apiClient.post(`${HEADLESS_BASE}/auth/2fa/authenticate`, payload);
+    return res.data;
+  } catch (error) {
+    throw normaliseApiError(error, 'Auth.MFA_AUTHENTICATE_FAILED');
   }
-  window.location.href = `/accounts/${provider}/login/?process=login`;
 }
 
 // -----------------------------
-// Invitation / access code
+// Password Management
 // -----------------------------
-export async function validateAccessCode(code) {
+
+export async function requestPasswordReset(email) {
   try {
-    const res = await apiClient.post(
-      `${ACCESS_CODES_BASE}/validate/`,
-      { code }
-    );
-    return res.data;
+    await apiClient.post(`${USERS_BASE}/reset-request/`, { email });
   } catch (error) {
-    throw normaliseApiError(error, 'Auth.ACCESS_CODE_INVALID_OR_INACTIVE');
+    throw normaliseApiError(error, 'Auth.RESET_REQUEST_FAILED');
   }
 }
 
-export async function requestInviteWithCode(email, accessCode) {
-  const payload = { email };
-  if (accessCode) {
-    payload.access_code = accessCode;
+export async function resetPasswordWithKey(key, newPassword) {
+  try {
+    await apiClient.post(`${HEADLESS_BASE}/auth/password/reset/key`, { key, password: newPassword });
+  } catch (error) {
+    throw normaliseApiError(error, 'Auth.RESET_WITH_KEY_FAILED');
   }
+}
 
+export async function changePassword(currentPassword, newPassword) {
   try {
-    const res = await apiClient.post(
-      `${USERS_BASE}/invite/`,
-      payload
-    );
-    return res.data;
+    await apiClient.post(`${HEADLESS_BASE}/account/password/change`, {
+      current_password: currentPassword,
+      new_password: newPassword,
+    });
   } catch (error) {
-    throw normaliseApiError(error, 'Auth.INVITE_FAILED');
+    throw normaliseApiError(error, 'Auth.PASSWORD_CHANGE_FAILED');
   }
 }
 
-// -----------------------------
-// Custom password-reset via uid/token
-// -----------------------------
+// Custom UID/Token Reset Flow
 export async function verifyResetToken(uid, token) {
   try {
-    const res = await apiClient.get(
-      `${USERS_BASE}/password-reset/${uid}/${token}/`
-    );
+    const res = await apiClient.get(`${USERS_BASE}/password-reset/${uid}/${token}/`);
     return res.data;
   } catch (error) {
     throw normaliseApiError(error, 'Auth.RESET_LINK_INVALID');
@@ -274,10 +134,7 @@ export async function verifyResetToken(uid, token) {
 
 export async function setNewPassword(uid, token, newPassword) {
   try {
-    const res = await apiClient.post(
-      `${USERS_BASE}/password-reset/${uid}/${token}/`,
-      { new_password: newPassword }
-    );
+    const res = await apiClient.post(`${USERS_BASE}/password-reset/${uid}/${token}/`, { new_password: newPassword });
     return res.data;
   } catch (error) {
     throw normaliseApiError(error, 'Auth.RESET_PASSWORD_FAILED');
@@ -285,118 +142,39 @@ export async function setNewPassword(uid, token, newPassword) {
 }
 
 // -----------------------------
-// WebAuthn / Passkeys
+// WebAuthn / Passkeys (API Calls Only)
 // -----------------------------
-async function registerPasskeyStart({ passwordless = true } = {}) {
-  ensureWebAuthnSupport();
-  const res = await apiClient.get(
-    `${HEADLESS_BASE}/account/authenticators/webauthn`,
-    {
-      params: passwordless ? { passwordless: true } : {},
-    }
-  );
-  const responseBody = res.data || {};
-  const payload = responseBody.data || responseBody;
-  const publicKeyJson =
-    (payload.creation_options && payload.creation_options.publicKey) ||
-    payload.publicKey ||
-    payload;
-  return publicKeyJson;
-}
 
-async function registerPasskeyComplete(credentialJson, name = 'Passkey') {
-  const res = await apiClient.post(
-    `${HEADLESS_BASE}/account/authenticators/webauthn`,
-    { credential: credentialJson, name }
-  );
-  return res.data;
+export async function getPasskeyRegistrationOptions() {
+  const res = await apiClient.get(`${HEADLESS_BASE}/account/authenticators/webauthn`, {
+    params: { passwordless: true }
+  });
+  // Extrahiere nested data Struktur von Allauth
+  const data = res.data?.data || res.data;
+  return data.creation_options || data;
 }
 
-export async function registerPasskey(name = 'Passkey') {
-  ensureWebAuthnSupport();
-  if (!hasJsonWebAuthn) {
-    throw normaliseApiError(
-      new Error('Auth.PASSKEY_JSON_HELPERS_UNAVAILABLE'),
-      'Auth.PASSKEY_JSON_HELPERS_UNAVAILABLE'
-    );
-  }
-  const publicKeyJson = await registerPasskeyStart({ passwordless: true });
-  let credential;
-  try {
-    const publicKeyOptions = window.PublicKeyCredential.parseCreationOptionsFromJSON(publicKeyJson);
-    credential = await navigator.credentials.create({ publicKey: publicKeyOptions });
-  } catch (err) {
-    if (err && err.name === 'NotAllowedError') {
-      throw normaliseApiError(err, 'Auth.PASSKEY_CREATION_CANCELLED');
-    }
-    throw err;
-  }
-  if (!credential) {
-    throw normaliseApiError(new Error('Auth.PASSKEY_CREATION_CANCELLED'), 'Auth.PASSKEY_CREATION_CANCELLED');
-  }
-  const credentialJson = serializeCredential(credential);
-  return registerPasskeyComplete(credentialJson, name);
+export async function completePasskeyRegistration(credentialJson, name) {
+  const res = await apiClient.post(`${HEADLESS_BASE}/account/authenticators/webauthn`, {
+    credential: credentialJson,
+    name
+  });
+  return res.data;
 }
 
-async function loginWithPasskeyStart() {
-  ensureWebAuthnSupport();
+export async function getPasskeyLoginOptions() {
   const res = await apiClient.get(`${HEADLESS_BASE}/auth/webauthn/login`);
-  const responseBody = res.data || {};
-  const payload = responseBody.data || responseBody;
-  const requestOptionsJson =
-    (payload.request_options && payload.request_options.publicKey) ||
-    payload.request_options ||
-    payload;
-  return requestOptionsJson;
+  const data = res.data?.data || res.data;
+  return data.request_options || data;
 }
 
-async function loginWithPasskeyComplete(credentialJson) {
-  const res = await apiClient.post(
-    `${HEADLESS_BASE}/auth/webauthn/login`,
-    { credential: credentialJson }
-  );
+export async function completePasskeyLogin(credentialJson) {
+  const res = await apiClient.post(`${HEADLESS_BASE}/auth/webauthn/login`, {
+    credential: credentialJson
+  });
   return res.data;
 }
 
-export async function loginWithPasskey() {
-  ensureWebAuthnSupport();
-  if (!hasJsonWebAuthn) {
-    throw normaliseApiError(
-      new Error('Auth.PASSKEY_JSON_HELPERS_UNAVAILABLE'),
-      'Auth.PASSKEY_JSON_HELPERS_UNAVAILABLE'
-    );
-  }
-  const requestOptionsJson = await loginWithPasskeyStart();
-  let assertion;
-  try {
-    const publicKeyOptions = window.PublicKeyCredential.parseRequestOptionsFromJSON(requestOptionsJson);
-    assertion = await navigator.credentials.get({ publicKey: publicKeyOptions });
-  } catch (err) {
-    const e = new Error('Auth.PASSKEY_AUTH_CANCELLED');
-    e.code = 'Auth.PASSKEY_AUTH_CANCELLED';
-    throw e;
-  }
-  if (!assertion) {
-    const e = new Error('Auth.PASSKEY_AUTH_CANCELLED');
-    e.code = 'Auth.PASSKEY_AUTH_CANCELLED';
-    throw e;
-  }
-  const credentialJson = serializeCredential(assertion);
-  let postError = null;
-  try {
-    await loginWithPasskeyComplete(credentialJson);
-  } catch (err) {
-    postError = err;
-  }
-  try {
-    const user = await fetchCurrentUser();
-    return { user };
-  } catch (err) {
-    if (postError) throw normaliseApiError(postError, 'Auth.PASSKEY_FAILED');
-    throw normaliseApiError(err, 'Auth.PASSKEY_FAILED');
-  }
-}
-
 export async function fetchPasskeys() {
   try {
     const res = await apiClient.get(`${USERS_BASE}/passkeys/`);
@@ -408,7 +186,6 @@ export async function fetchPasskeys() {
 
 export async function deletePasskey(id) {
   try {
-    // CHANGED: axios -> apiClient
     await apiClient.delete(`${USERS_BASE}/passkeys/${id}/`);
   } catch (error) {
     throw normaliseApiError(error, 'Auth.PASSKEY_DELETE_FAILED');
@@ -416,80 +193,24 @@ export async function deletePasskey(id) {
 }
 
 // -----------------------------
-// Authentication: MFA Step
-// -----------------------------
-export async function authenticateWithMFA({ code, credential }) {
-  const payload = {};
-  if (code) payload.code = code;
-  if (credential) payload.credential = credential;
-
-  try {
-    const res = await apiClient.post(
-      `${HEADLESS_BASE}/auth/2fa/authenticate`,
-      payload
-    );
-    return res.data;
-  } catch (error) {
-    throw normaliseApiError(error, 'Auth.MFA_AUTHENTICATE_FAILED');
-  }
-}
-
-// -----------------------------
-// Authentication: password
+// Authenticators (TOTP & Recovery)
 // -----------------------------
-export async function loginWithPassword(email, password) {
-  try {
-    await apiClient.post(
-      `${HEADLESS_BASE}/auth/login`,
-      { email, password }
-    );
-  } catch (error) {
-    const status = error.response?.status;
-    const body = error.response?.data;
-    const flows = body?.data?.flows || body?.flows || [];
-    const mfaFlow = Array.isArray(flows)
-      ? flows.find((f) => f.id === 'mfa_authenticate')
-      : null;
-
-    if (status === 401 && mfaFlow && mfaFlow.is_pending) {
-      return {
-        needsMfa: true,
-        availableTypes: mfaFlow.types || [],
-      };
-    }
-    if (status === 409) {
-      // Already logged in
-    } else {
-      throw normaliseApiError(error, 'Auth.LOGIN_FAILED');
-    }
-  }
-  const user = await fetchCurrentUser();
-  return { user, needsMfa: false };
-}
 
-// -----------------------------
-// Authenticators & MFA
-// -----------------------------
 export async function fetchAuthenticators() {
   const res = await apiClient.get(`${HEADLESS_BASE}/account/authenticators`);
   const body = res.data || {};
-  const items = Array.isArray(body.data) ? body.data : (Array.isArray(body) ? body : []);
-  return items;
+  return Array.isArray(body.data) ? body.data : (Array.isArray(body) ? body : []);
 }
 
 export async function requestTotpKey() {
   try {
     const res = await apiClient.get(`${HEADLESS_BASE}/account/authenticators/totp`);
-    const body = res.data || {};
-    const data = body.data || body;
-    return {
-      exists: true,
-      authenticator: data,
-    };
+    const data = res.data?.data || res.data;
+    return { exists: true, authenticator: data };
   } catch (error) {
-    const { response } = error;
-    if (response?.status === 404) {
-      const meta = response.data?.meta || {};
+    // 404 bedeutet: Noch kein TOTP eingerichtet -> Wir bekommen das Secret zum Einrichten
+    if (error.response?.status === 404) {
+      const meta = error.response.data?.meta || {};
       return {
         exists: false,
         secret: meta.secret,
@@ -502,11 +223,7 @@ export async function requestTotpKey() {
 
 export async function activateTotp(code) {
   try {
-    const res = await apiClient.post(
-      `${HEADLESS_BASE}/account/authenticators/totp`,
-      { code }
-    );
-    return res.data;
+    await apiClient.post(`${HEADLESS_BASE}/account/authenticators/totp`, { code });
   } catch (error) {
     throw normaliseApiError(error, 'Auth.TOTP_ACTIVATE_FAILED');
   }
@@ -514,9 +231,7 @@ export async function activateTotp(code) {
 
 export async function deactivateTotp() {
   try {
-    // CHANGED: axios -> apiClient
-    const res = await apiClient.delete(`${HEADLESS_BASE}/account/authenticators/totp`);
-    return res.data;
+    await apiClient.delete(`${HEADLESS_BASE}/account/authenticators/totp`);
   } catch (error) {
     throw normaliseApiError(error, 'Auth.TOTP_DEACTIVATE_FAILED');
   }
@@ -524,20 +239,14 @@ export async function deactivateTotp() {
 
 export async function fetchRecoveryCodes() {
   try {
+    // Versuch, Codes zu laden
     const res = await apiClient.get(`${HEADLESS_BASE}/account/authenticators/recovery-codes`);
-    const body = res.data || {};
-    const data = body.data || body;
-    return data;
+    return res.data?.data || res.data;
   } catch (error) {
-    const status = error.response?.status;
-    if (status === 404) {
-      const resPost = await apiClient.post(
-        `${HEADLESS_BASE}/account/authenticators/recovery-codes`,
-        {}
-      );
-      const body = resPost.data || {};
-      const data = body.data || body;
-      return data;
+    // 404 -> Noch keine Codes -> Generieren
+    if (error.response?.status === 404) {
+      const resPost = await apiClient.post(`${HEADLESS_BASE}/account/authenticators/recovery-codes`, {});
+      return resPost.data?.data || resPost.data;
     }
     throw normaliseApiError(error, 'Auth.RECOVERY_CODES_FETCH_FAILED');
   }
@@ -545,122 +254,78 @@ export async function fetchRecoveryCodes() {
 
 export async function generateRecoveryCodes() {
   try {
-    const res = await apiClient.post(
-      `${HEADLESS_BASE}/account/authenticators/recovery-codes`,
-      {}
-    );
-    const body = res.data || {};
-    const data = body.data || body;
-    return data;
+    const res = await apiClient.post(`${HEADLESS_BASE}/account/authenticators/recovery-codes`, {});
+    return res.data?.data || res.data;
   } catch (error) {
     throw normaliseApiError(error, 'Auth.RECOVERY_CODES_GENERATE_FAILED');
   }
 }
 
-export async function fetchOrGenerateRecoveryCodes() {
+// -----------------------------
+// Invitations & Access Codes
+// -----------------------------
+
+export async function validateAccessCode(code) {
   try {
-    const res = await apiClient.get(`${HEADLESS_BASE}/mfa/recovery_codes`);
+    const res = await apiClient.post(`${ACCESS_CODES_BASE}/validate/`, { code });
     return res.data;
   } catch (error) {
-    const { response } = error;
-    if (response?.status === 404) {
-      const resPost = await apiClient.post(
-        `${HEADLESS_BASE}/mfa/recovery_codes`,
-        {}
-      );
-      return resPost.data;
-    }
-    throw normaliseApiError(error, 'Auth.RECOVERY_CODES_FETCH_FAILED');
+    throw normaliseApiError(error, 'Auth.ACCESS_CODE_INVALID_OR_INACTIVE');
   }
 }
 
-export function isStrongSession(session) {
-  const methods = session?.methods || [];
-  const used = methods.map((m) => m.method);
-  const strongMethods = ['totp', 'recovery_codes', 'webauthn'];
-  return used.some((m) => strongMethods.includes(m));
+export async function requestInviteWithCode(email, accessCode) {
+  const payload = { email };
+  if (accessCode) payload.access_code = accessCode;
+
+  try {
+    const res = await apiClient.post(`${USERS_BASE}/invite/`, payload);
+    return res.data;
+  } catch (error) {
+    throw normaliseApiError(error, 'Auth.INVITE_FAILED');
+  }
 }
 
+// -----------------------------
+// Recovery Support (Admin/Support Side)
+// -----------------------------
+
 export async function requestMfaSupportHelp(emailOrIdentifier, message = '') {
-  const payload = { email: emailOrIdentifier, message };
-  const res = await apiClient.post(
-    `${USERS_BASE}/mfa/support-help/`,
-    payload
-  );
+  const res = await apiClient.post(`${USERS_BASE}/mfa/support-help/`, {
+    email: emailOrIdentifier,
+    message
+  });
   return res.data;
 }
 
 export async function fetchRecoveryRequests(status = 'pending') {
-  const res = await apiClient.get(
-    '/api/support/recovery-requests/',
-    { params: { status } }
-  );
+  const res = await apiClient.get('/api/support/recovery-requests/', { params: { status } });
   return res.data;
 }
 
 export async function approveRecoveryRequest(id, supportNote) {
-  const res = await apiClient.post(
-    `/api/support/recovery-requests/${id}/approve/`,
-    { support_note: supportNote || '' }
-  );
+  const res = await apiClient.post(`/api/support/recovery-requests/${id}/approve/`, {
+    support_note: supportNote || ''
+  });
   return res.data;
 }
 
 export async function rejectRecoveryRequest(id, supportNote) {
-  const res = await apiClient.post(
-    `/api/support/recovery-requests/${id}/reject/`,
-    { support_note: supportNote || '' }
-  );
+  const res = await apiClient.post(`/api/support/recovery-requests/${id}/reject/`, {
+    support_note: supportNote || ''
+  });
   return res.data;
 }
 
 export async function loginWithRecoveryPassword(email, password, token) {
   try {
-    await apiClient.post(
-      `/api/support/recovery-requests/recovery-login/${token}/`,
-      { email, password }
-    );
+    await apiClient.post(`/api/support/recovery-requests/recovery-login/${token}/`, {
+      email,
+      password
+    });
   } catch (error) {
     throw normaliseApiError(error, 'Auth.RECOVERY_LOGIN_FAILED');
   }
   const user = await fetchCurrentUser();
   return { user, needsMfa: false };
-}
-
-// -----------------------------
-// Aggregated API object
-// -----------------------------
-export const authApi = {
-  fetchCurrentUser,
-  updateUserProfile,
-  loginWithPassword,
-  requestPasswordReset,
-  changePassword,
-  logoutSession,
-  startSocialLogin,
-  fetchHeadlessSession,
-  verifyResetToken,
-  setNewPassword,
-  loginWithPasskey,
-  registerPasskey,
-  fetchPasskeys,
-  deletePasskey,
-  authenticateWithMFA,
-  fetchAuthenticators,
-  requestTotpKey,
-  activateTotp,
-  deactivateTotp,
-  fetchRecoveryCodes,
-  generateRecoveryCodes,
-  fetchOrGenerateRecoveryCodes,
-  validateAccessCode,
-  requestInviteWithCode,
-  isStrongSession,
-  requestMfaSupportHelp,
-  fetchRecoveryRequests,
-  approveRecoveryRequest,
-  rejectRecoveryRequest,
-  loginWithRecoveryPassword,
-};
-
-export default authApi;
+}