@monetize.software/sdk-extension 3.0.0-alpha.9 → 3.0.0-beta.0

package/dist/chunks/{chrome-port-rVd4zwU3.js → chrome-port-bfTUUDz_.js}

@@ -20,24 +20,24 @@ class P {
     n.set("Accept", "application/json"), n.set("X-SDK-Version", m), n.set("X-Paywall-Id", this.opts.paywallId), this.opts.capabilities?.length && n.set("X-SDK-Capabilities", this.opts.capabilities.join(","));
     const r = await this.opts.getAuthToken?.();
     r && n.set("Authorization", `Bearer ${r}`);
-    const l = typeof FormData < "u" && e.body instanceof FormData;
-    e.body && !n.has("Content-Type") && !l && n.set("Content-Type", "application/json");
-    let d;
+    const h = typeof FormData < "u" && e.body instanceof FormData;
+    e.body && !n.has("Content-Type") && !h && n.set("Content-Type", "application/json");
+    let f;
     try {
-      d = await a(s, {
+      f = await a(s, {
         ...e,
         headers: n,
         credentials: "omit"
       });
-    } catch (h) {
-      throw (h && typeof h == "object" && "name" in h ? h.name : void 0) === "AbortError" ? new o("aborted", "Request aborted", { cause: h }) : new o("network_error", "Network request failed", { cause: h });
+    } catch (c) {
+      throw (c && typeof c == "object" && "name" in c ? c.name : void 0) === "AbortError" ? new o("aborted", "Request aborted", { cause: c }) : new o("network_error", "Network request failed", { cause: c });
     }
-    const y = (d.headers.get("content-type") ?? "").includes("application/json") ? await d.json().catch(() => null) : null;
-    if (!d.ok) {
-      const h = y && typeof y == "object" && "code" in y && String(y.code) || `http_${d.status}`, g = y && typeof y == "object" && "message" in y && String(y.message) || d.statusText || "Request failed";
-      throw new o(h, g, { status: d.status, cause: y });
+    const d = (f.headers.get("content-type") ?? "").includes("application/json") ? await f.json().catch(() => null) : null;
+    if (!f.ok) {
+      const c = d && typeof d == "object" && "code" in d && String(d.code) || `http_${f.status}`, g = d && typeof d == "object" && "message" in d && String(d.message) || f.statusText || "Request failed";
+      throw new o(c, g, { status: f.status, cause: d });
     }
-    return y;
+    return d;
   }
 }
 function x() {
@@ -101,18 +101,18 @@ const H = {
     };
     return window.addEventListener("storage", e), () => window.removeEventListener("storage", e);
   }
-}, S = /* @__PURE__ */ new Map(), V = {
+}, I = /* @__PURE__ */ new Map(), V = {
   async getItem(i) {
-    return S.get(i) ?? null;
+    return I.get(i) ?? null;
   },
   async setItem(i, t) {
-    S.set(i, t);
+    I.set(i, t);
   },
   async removeItem(i) {
-    S.delete(i);
+    I.delete(i);
   }
 };
-function R(i) {
+function K(i) {
   return i || (x() ? H : typeof window < "u" && "localStorage" in window ? J : V);
 }
 const u = {
@@ -145,7 +145,7 @@ const u = {
   // (оптимистично через `decrementBalanceLocal`).
   balances: (i, t) => `pw-${i}-${t}-balances-v1`
 };
-function D() {
+function R() {
   const i = typeof globalThis < "u" ? globalThis.crypto : void 0;
   if (i && typeof i.randomUUID == "function") return i.randomUUID();
   const t = new Uint8Array(16);
@@ -163,14 +163,14 @@ async function B(i) {
     if (e && typeof e == "string" && e.length >= 16) return e;
   } catch {
   }
-  const t = D();
+  const t = R();
   try {
     await i.setItem(u.visitorId, t);
   } catch {
   }
   return t;
 }
-function M(i) {
+function D(i) {
   const t = new Uint8Array(i), e = typeof globalThis < "u" ? globalThis.crypto : void 0;
   if (e && typeof e.getRandomValues == "function")
     e.getRandomValues(t);
@@ -184,17 +184,17 @@ function _(i) {
   return btoa(t).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
 }
 function j() {
-  return _(M(64));
+  return _(D(64));
 }
-async function G(i) {
+async function X(i) {
   const t = new TextEncoder().encode(i), e = globalThis.crypto;
   if (!e?.subtle?.digest)
     throw new Error("crypto.subtle is required for PKCE");
   const s = await e.subtle.digest("SHA-256", t);
   return _(new Uint8Array(s));
 }
-function X() {
-  return _(M(16));
+function G() {
+  return _(D(16));
 }
 const z = 6e4, Q = 600 * 1e3;
 class mt {
@@ -206,7 +206,7 @@ class mt {
         "invalid_config",
         "apiOrigin is required. Pass the paywall custom_domain configured in the platform."
       );
-    this.paywallId = t.paywallId, this.apiOrigin = t.apiOrigin, this.storage = R(t.storage), this.api = new P({
+    this.paywallId = t.paywallId, this.apiOrigin = t.apiOrigin, this.storage = K(t.storage), this.api = new P({
       apiOrigin: this.apiOrigin,
       paywallId: t.paywallId,
       fetch: t.fetch
@@ -448,10 +448,8 @@ class mt {
    * когда сервер начнёт возвращать challenge_required в риск-сценариях,
    * SDK сможет передать proof-of-something обратно без breaking change.
    *
-   * `forceCaptcha: true` пропускает шаги 1-2 и сразу делает /signin (создаёт
-   * нового anon-юзера). Используется в switch-account flow. Имя поля исторически
-   * остаётся `forceCaptcha`, хотя капчи там больше нет — менять имя ломает
-   * host-сигнатуру; смысл «принудительно новая anon-сессия» сохранён.
+   * `forceNewAnon: true` пропускает шаги 1-2 и сразу делает /signin (создаёт
+   * нового anon-юзера). Используется в switch-account flow.
    *
    * Параллельные вызовы дедуплицируются через `inflightAnonSignin` — два
    * click'а на «Войти как гость» не создадут двух anon-юзеров (два /signup =
@@ -460,9 +458,9 @@ class mt {
   async signInAnonymously(t = {}) {
     if (this.inflightAnonSignin) return this.inflightAnonSignin;
     this.inflightAnonSignin = (async () => {
-      if (await this.hydrated, !t.forceCaptcha && this.session?.user.is_anonymous === !0)
+      if (await this.hydrated, !t.forceNewAnon && this.session?.user.is_anonymous === !0)
         return this.session;
-      if (!t.forceCaptcha) {
+      if (!t.forceNewAnon) {
         const r = await this.resumeAnonymous();
         if (r) return r;
       }
@@ -565,8 +563,8 @@ class mt {
       id: a.user.id,
       email: a.user.email,
       is_anonymous: a.user.is_anonymous ?? !1
-    }, l = { ...n, user: r };
-    return this.setSession(l, { event: "USER_UPDATED" }), await this.clearAnonRefreshToken(), { kind: "updated", session: l };
+    }, h = { ...n, user: r };
+    return this.setSession(h, { event: "USER_UPDATED" }), await this.clearAnonRefreshToken(), { kind: "updated", session: h };
   }
   /**
    * OAuth signin через popup с PKCE. Жизненный цикл:
@@ -623,9 +621,9 @@ class mt {
    */
   async startOAuthFlow(t) {
     await this.hydrated, this.gcOAuthFlows();
-    const e = j(), s = await G(e), a = X(), n = {}, r = await this.getAccessToken().catch(() => null);
+    const e = j(), s = await X(e), a = G(), n = {}, r = await this.getAccessToken().catch(() => null);
     r && (n.Authorization = `Bearer ${r}`);
-    const { authorize_url: l } = await this.api.request(
+    const { authorize_url: h } = await this.api.request(
       `/api/v1/paywall/${this.paywallId}/auth/oauth/init`,
       {
         method: "POST",
@@ -643,7 +641,7 @@ class mt {
       userMeta: t.userMeta,
       provider: t.provider,
       startedAt: Date.now()
-    }), this.recordLastLoginMethod(t.provider), { authorize_url: l, state: a };
+    }), this.recordLastLoginMethod(t.provider), { authorize_url: h, state: a };
   }
   /**
    * Шаг 2 OAuth split-API: обменивает code (полученный из popup) на session,
@@ -958,19 +956,19 @@ function Z(i, t) {
   return new Promise((e, s) => {
     let a = !1;
     const n = () => {
-      a = !0, window.removeEventListener("message", r), clearInterval(l), clearTimeout(d);
-    }, r = (f) => {
+      a = !0, window.removeEventListener("message", r), clearInterval(h), clearTimeout(f);
+    }, r = (p) => {
       if (a) return;
-      const c = f.data;
-      if (!(!c || c.type !== "pw-oauth") && c.messageId === t) {
-        if (c.status === "success" && c.code) {
+      const l = p.data;
+      if (!(!l || l.type !== "pw-oauth") && l.messageId === t) {
+        if (l.status === "success" && l.code) {
           n();
           try {
             i.close();
           } catch {
           }
-          e(c.code);
-        } else if (c.status === "error") {
+          e(l.code);
+        } else if (l.status === "error") {
           n();
           try {
             i.close();
@@ -979,21 +977,21 @@ function Z(i, t) {
           s(
             new o(
               "oauth_failed",
-              c.description || c.error || "OAuth provider returned error"
+              l.description || l.error || "OAuth provider returned error"
             )
           );
         }
       }
-    }, l = setInterval(() => {
+    }, h = setInterval(() => {
       if (a) return;
-      let f;
+      let p;
       try {
-        f = i.closed;
+        p = i.closed;
       } catch {
         return;
       }
-      f && (n(), s(new o("oauth_cancelled", "auth popup was closed")));
-    }, Y), d = setTimeout(() => {
+      p && (n(), s(new o("oauth_cancelled", "auth popup was closed")));
+    }, Y), f = setTimeout(() => {
       if (!a) {
         n();
         try {
@@ -1035,37 +1033,37 @@ class st {
     a.set("X-SDK-Version", m), a.set("X-Paywall-Id", this.paywallId), this.capabilities?.length && a.set("X-SDK-Capabilities", this.capabilities.join(","));
     const n = await this.auth?.getAccessToken();
     n ? a.set("Authorization", `Bearer ${n}`) : this.userId && a.set("X-User-ID", this.userId);
-    const r = typeof FormData < "u" && t.body instanceof FormData, l = typeof Blob < "u" && t.body instanceof Blob, d = typeof ReadableStream < "u" && t.body instanceof ReadableStream, f = typeof t.body == "string";
+    const r = typeof FormData < "u" && t.body instanceof FormData, h = typeof Blob < "u" && t.body instanceof Blob, f = typeof ReadableStream < "u" && t.body instanceof ReadableStream, p = typeof t.body == "string";
+    let l;
+    t.body === void 0 || t.body === null ? l = void 0 : r || h || f || p ? l = t.body : (l = JSON.stringify(t.body), a.has("Content-Type") || a.set("Content-Type", "application/json"));
+    const d = this.customFetch ?? fetch;
     let c;
-    t.body === void 0 || t.body === null ? c = void 0 : r || l || d || f ? c = t.body : (c = JSON.stringify(t.body), a.has("Content-Type") || a.set("Content-Type", "application/json"));
-    const y = this.customFetch ?? fetch;
-    let h;
     try {
-      h = await y(s.toString(), {
+      c = await d(s.toString(), {
         method: t.method ?? "POST",
         headers: a,
-        body: c,
+        body: l,
         signal: t.signal,
         credentials: "omit"
       });
-    } catch (p) {
-      const $ = p instanceof Error ? p.message : String(p);
-      throw new o("network_error", `Network request failed: ${$}`, { cause: p });
+    } catch (y) {
+      const $ = y instanceof Error ? y.message : String(y);
+      throw new o("network_error", `Network request failed: ${$}`, { cause: y });
     }
-    if (h.status === 402) {
-      const p = await it(h);
-      throw this.onQuotaExceeded?.(p), p;
+    if (c.status === 402) {
+      const y = await it(c);
+      throw this.onQuotaExceeded?.(y), y;
     }
-    if (!h.ok) {
-      const p = await at(h.clone());
+    if (!c.ok) {
+      const y = await at(c.clone());
       throw new o(
-        p ?? `http_${h.status}`,
-        h.statusText || "Gateway request failed",
-        { status: h.status }
+        y ?? `http_${c.status}`,
+        c.statusText || "Gateway request failed",
+        { status: c.status }
       );
     }
-    const g = h.headers.get("X-Query-Type") ?? void 0;
-    return this.onChargeSuccess?.(g), h;
+    const g = c.headers.get("X-Query-Type") ?? void 0;
+    return this.onChargeSuccess?.(g), c;
   }
 }
 async function it(i) {
@@ -1095,7 +1093,7 @@ async function at(i) {
     return null;
   }
 }
-const nt = 5e3, rt = 30 * 6e4, k = 60 * 6e4, ot = 5 * 6e4, I = {
+const nt = 5e3, rt = 30 * 6e4, k = 60 * 6e4, ot = 5 * 6e4, S = {
   has_active_subscription: !1,
   purchases: [],
   trial: null,
@@ -1108,14 +1106,14 @@ function ct(i, t) {
   return i === t ? !0 : !i || !t ? !1 : JSON.stringify(i) === JSON.stringify(t);
 }
 const ht = 5e3, T = 5 * 6e4, lt = 3e4;
-function ut(i, t) {
+function dt(i, t) {
   if (i === t) return !0;
   if (!i || !t || i.length !== t.length) return !1;
   for (let e = 0; e < i.length; e++)
     if (i[e].type !== t[e].type || i[e].count !== t[e].count) return !1;
   return !0;
 }
-class St {
+class It {
   constructor(t) {
     if (this.cachedBootstrap = null, this.cachedBootstrapAt = 0, this.inflightBootstrap = null, this.bootstrapListeners = /* @__PURE__ */ new Set(), this.bootstrapStorageUnwatch = null, this.authUnsubscribe = null, this.cachedUser = null, this.cachedUserAt = 0, this.inflightUser = null, this.userListeners = /* @__PURE__ */ new Set(), this.visitorIdPromise = null, this.visitorId = null, this.inflightCheckouts = /* @__PURE__ */ new Map(), this.cachedBalances = null, this.cachedBalancesAt = 0, this.balancesStorageUnwatch = null, this.inflightBalances = null, this.balanceListeners = /* @__PURE__ */ new Set(), this.previewVersionCounter = 0, !t.paywallId)
       throw new o("invalid_config", "paywallId is required");
@@ -1128,7 +1126,7 @@ class St {
     const e = t.auth?.getCachedUser();
     this.identity = t.identity ?? (e ? O(e) : void 0), this.apiKey = t.apiKey, this.fetchImpl = t.fetch, t.apiKey && typeof window < "u" && typeof window.document < "u" && console.error(
       "[paywall] SECURITY: BillingClient.apiKey detected in browser context. This is a server-SDK key and exposes your account. Remove apiKey or move BillingClient to a trusted backend."
-    ), this.storage = R(t.storage), this.api = new P({
+    ), this.storage = K(t.storage), this.api = new P({
       apiOrigin: this.apiOrigin,
       paywallId: t.paywallId,
       capabilities: t.capabilities,
@@ -1139,7 +1137,7 @@ class St {
       getAuthToken: t.auth ? () => t.auth.getAccessToken() : void 0
     }), t.auth && (this.authUnsubscribe = t.auth.onAuthChange((s, a) => {
       const n = a ? O(a.user) : void 0;
-      dt(this.identity, n) || this.setIdentity(n);
+      ut(this.identity, n) || this.setIdentity(n);
     })), this.hydrateUserFromStorage(), this.hydrateBootstrapFromStorage(), this.subscribeBootstrapStorage(), this.hydrateBalancesFromStorage(), this.subscribeBalancesStorage(), this.visitorIdPromise = B(this.storage).then((s) => (this.visitorId = s, s));
   }
   /**
@@ -1156,7 +1154,7 @@ class St {
   }
   setIdentity(t) {
     this.identity = t, this.cachedUser = null, this.cachedUserAt = 0, this.inflightUser = null, this.cachedBalances = null, this.cachedBalancesAt = 0, this.inflightBalances = null, this.balancesStorageUnwatch && (this.balancesStorageUnwatch(), this.balancesStorageUnwatch = null), this.hydrateBalancesFromStorage(), this.subscribeBalancesStorage(), this.hydrateUserFromStorage(), t ? this.getUser({ force: !0 }).catch(() => {
-    }) : (this.applyUser(I), this.applyBalances([]));
+    }) : (this.applyUser(S), this.applyBalances([]));
   }
   /**
    * Отписаться от auth-event'ов и сбросить listener'ы. Вызывать когда
@@ -1354,6 +1352,15 @@ class St {
   getCachedPrices() {
     return this.cachedBootstrap?.prices ?? null;
   }
+  /** Sync-снимок офферов из последнего bootstrap'а. null = bootstrap ещё не
+   *  загружали, пустой массив = бэк отдал пейвол без офферов. Бэк уже
+   *  применил серверный таргетинг (target_countries / target_emails /
+   *  targeting_mode из offer_settings) — наружу выезжает только то, что
+   *  применимо к текущему юзеру. Клиентская сторона остаётся ответственной
+   *  за price_id-matching и countdown (см. core/offer.ts → resolveOffer). */
+  getCachedOffers() {
+    return this.cachedBootstrap?.offers ?? null;
+  }
   /**
    * Снимок того, какой язык SDK сейчас считает «языком юзера». Полезно для
    * синхронизации i18n хоста с тем, что фактически показывает пейвол — чтобы
@@ -1373,7 +1380,7 @@ class St {
    * есть `navigator.language`.
    */
   getUserLanguage() {
-    const t = typeof navigator < "u" && navigator.language ? navigator.language : null, e = this.cachedBootstrap?.settings.locale_default ?? null, s = this.cachedBootstrap ? q(this.cachedBootstrap) : null;
+    const t = typeof navigator < "u" && navigator.language ? navigator.language : null, e = this.cachedBootstrap?.settings.locale_default ?? null, s = this.cachedBootstrap ? M(this.cachedBootstrap) : null;
     return { tag: s ?? t ?? e, applied: s, browserLanguage: t, countryLanguage: e };
   }
   /**
@@ -1388,7 +1395,7 @@ class St {
     return !t && this.cachedUser && Date.now() - this.cachedUserAt < nt ? this.cachedUser : this.inflightUser ? this.inflightUser : (this.inflightUser = (async () => {
       try {
         if (!this.identity?.email)
-          return this.applyUser(I), I;
+          return this.applyUser(S), S;
         const s = await this.api.request(
           `/api/v1/paywall/${this.paywallId}/user-state`,
           { headers: { "X-User-Email": this.identity.email }, signal: e }
@@ -1598,7 +1605,7 @@ class St {
     });
   }
   applyBalances(t, { persist: e = !0 } = {}) {
-    const s = !ut(this.cachedBalances, t);
+    const s = !dt(this.cachedBalances, t);
     if (this.cachedBalances = t, this.cachedBalancesAt = Date.now(), e && this.persistBalances(t), s)
       for (const a of this.balanceListeners)
         try {
@@ -1662,23 +1669,27 @@ class St {
     const e = t.idempotencyKey ?? `auto:${t.priceId}`, s = this.inflightCheckouts.get(e);
     if (s) return s;
     const n = {
-      "Idempotency-Key": t.idempotencyKey ?? D()
+      "Idempotency-Key": t.idempotencyKey ?? R()
     };
     this.apiKey && (n["X-Api-Key"] = this.apiKey);
-    const r = this.cachedBootstrap?.settings, l = t.successUrl ?? r?.success_redirect_url ?? void 0, d = t.shopUrl ?? r?.checkout_shop_url ?? void 0, f = this.api.request(`/api/v1/paywall/${this.paywallId}/start-checkout`, {
+    const r = this.cachedBootstrap?.settings, h = t.successUrl ?? r?.success_redirect_url ?? void 0, f = t.shopUrl ?? r?.checkout_shop_url ?? void 0, l = this.cachedBootstrap?.prices.find(
+      (c) => c.id === t.priceId
+    )?.local?.currency ?? void 0, d = this.api.request(`/api/v1/paywall/${this.paywallId}/start-checkout`, {
       method: "POST",
       headers: n,
       signal: t.signal,
       body: JSON.stringify({
         email: this.identity.email,
         priceId: Number(t.priceId),
-        successUrl: l,
+        offerId: t.offerId,
+        successUrl: h,
         errorUrl: t.errorUrl,
-        shopUrl: d,
+        shopUrl: f,
         productName: r?.checkout_product_name ?? void 0,
         trial_days: t.trialDays,
         ignoreActivePurchase: t.ignoreActivePurchase ? !0 : void 0,
-        userMeta: this.identity.userId ? { userId: this.identity.userId } : void 0
+        userMeta: this.identity.userId ? { userId: this.identity.userId } : void 0,
+        localCurrency: l
       })
     }).then((c) => ({ url: c.checkoutUrl, acquiring: c.acquiring })).catch((c) => {
       throw c instanceof o && c.status === 409 && c.cause && typeof c.cause == "object" && c.cause.hasActivePurchase === !0 ? new o(
@@ -1687,10 +1698,10 @@ class St {
         { status: 409, cause: c.cause }
       ) : c;
     });
-    return this.inflightCheckouts.set(e, f), f.finally(() => {
-      this.inflightCheckouts.get(e) === f && this.inflightCheckouts.delete(e);
+    return this.inflightCheckouts.set(e, d), d.finally(() => {
+      this.inflightCheckouts.get(e) === d && this.inflightCheckouts.delete(e);
     }).catch(() => {
-    }), f;
+    }), d;
   }
   /**
    * URL Stripe/Paddle/Chargebee customer portal — место, где залогиненный
@@ -1698,7 +1709,9 @@ class St {
    * инвойсы). Опен-флоу управляется host'ом:
    *
    * ```ts
-   * const { url } = await billing.getCustomerPortalUrl();
+   * const { url } = await billing.getCustomerPortalUrl({
+   *   returnUrl: 'https://your-app.com/account'
+   * });
    * window.open(url, '_blank');
    * ```
    *
@@ -1716,9 +1729,10 @@ class St {
       );
     const e = {};
     this.apiKey && (e["X-Api-Key"] = this.apiKey);
-    const s = this.auth && this.auth.getCachedSession() ? {} : {
+    const s = this.auth && this.auth.getCachedSession() ? { returnUrl: t.returnUrl } : {
       email: this.identity?.email,
-      userMeta: this.identity?.userId ? { userId: this.identity.userId } : void 0
+      userMeta: this.identity?.userId ? { userId: this.identity.userId } : void 0,
+      returnUrl: t.returnUrl
     };
     return { url: (await this.api.request(
       `/api/v1/paywall/${this.paywallId}/get-customer-portal`,
@@ -1737,43 +1751,65 @@ class St {
    * `/api/v1/paywall/[id]/user` без unstable_cache, потому что list для UI
    * должен быть свежим после cancel-а.
    *
-   * Auth: Bearer обязателен (через AuthClient). Без Bearer — 401 от бэка,
-   * пробрасываем как PaywallError('http_401'). Гость → пустой список.
+   * Auth (два пути):
+   *  - Bearer (через AuthClient) — user.id резолвится из сессии, identity
+   *    в query игнорируется.
+   *  - `apiKey` + `identity.email`/`identity.userId` — server-SDK путь для
+   *    интеграций со своей авторизацией. Бэк проверяет, что identity линкована
+   *    к этому пейволу (защита от cross-paywall lookup).
+   * Без auth и без apiKey+identity — `identity_required`.
    */
   async listPurchases(t = {}) {
-    if (!this.auth)
+    const e = !!(this.identity?.email || this.identity?.userId);
+    if (!this.auth && !(this.apiKey && e))
       throw new o(
-        "auth_required",
-        "listPurchases requires AuthClient (Bearer auth)"
+        "identity_required",
+        "listPurchases requires AuthClient (Bearer) or apiKey + identity.email/userId"
       );
-    return (await this.api.request(`/api/v1/paywall/${this.paywallId}/user`, {
+    const s = {};
+    this.apiKey && (s["X-Api-Key"] = this.apiKey);
+    const a = new URLSearchParams();
+    this.apiKey && this.identity?.email && a.set("email", this.identity.email), this.apiKey && this.identity?.userId && a.set("user_id", this.identity.userId);
+    const n = a.toString(), r = n ? `/api/v1/paywall/${this.paywallId}/user?${n}` : `/api/v1/paywall/${this.paywallId}/user`;
+    return (await this.api.request(r, {
       method: "GET",
+      headers: s,
       signal: t.signal
     })).purchases ?? [];
   }
   /**
-   * Отменить подписку. Бэк проверит что subscription принадлежит auth-юзеру
-   * и сделает cancel у acquiring'а (Stripe/Paddle/Chargebee). По умолчанию
-   * cancel в конце текущего периода — юзер сохраняет access до renewal date'ы.
+   * Отменить подписку. Бэк проверит, что subscription принадлежит юзеру
+   * (Bearer-путь — из сессии; apiKey-путь — из identity), и сделает cancel у
+   * acquiring'а (Stripe/Paddle/Chargebee/Overpay). По умолчанию cancel в
+   * конце текущего периода — юзер сохраняет access до renewal date'ы.
    *
-   * `reason` обязательна (валидация на бэке). Удобно собрать через select
-   * причин в host-UI, как в legacy customer portal'е.
+   * `reason` обязательна (валидация на бэке).
    *
-   * Auth: Bearer обязателен.
+   * Auth (два пути):
+   *  - Bearer (через AuthClient) — стандартный путь для UI customer-portal'a.
+   *  - `apiKey` + `identity.email`/`identity.userId` — для self-service UI на
+   *    бэке клиента со своей авторизацией. Бэк дополнительно фильтрует
+   *    subscription по paywall_id, чтобы owner пейвола A не отменил подписку
+   *    пейвола B.
    */
   async cancelSubscription(t) {
-    if (!this.auth)
+    const e = !!(this.identity?.email || this.identity?.userId);
+    if (!this.auth && !(this.apiKey && e))
       throw new o(
-        "auth_required",
-        "cancelSubscription requires AuthClient (Bearer auth)"
+        "identity_required",
+        "cancelSubscription requires AuthClient (Bearer) or apiKey + identity.email/userId"
       );
-    return this.api.request("/api/paywall/cancel-subscription", {
+    const s = {};
+    this.apiKey && (s["X-Api-Key"] = this.apiKey);
+    const a = {
+      subscriptionId: t.subscriptionId,
+      paywallId: this.paywallId,
+      cancellationReason: t.reason
+    };
+    return this.apiKey && this.identity?.email && (a.email = this.identity.email), this.apiKey && this.identity?.userId && (a.userId = this.identity.userId), this.api.request("/api/paywall/cancel-subscription", {
       method: "POST",
-      body: JSON.stringify({
-        subscriptionId: t.subscriptionId,
-        paywallId: this.paywallId,
-        cancellationReason: t.reason
-      }),
+      headers: s,
+      body: JSON.stringify(a),
       signal: t.signal
     });
   }
@@ -1809,7 +1845,7 @@ class St {
 function O(i) {
   return { email: i.email, userId: i.id };
 }
-function dt(i, t) {
+function ut(i, t) {
   return i === t ? !0 : !i || !t ? !1 : i.email === t.email && i.userId === t.userId && i.anonymousId === t.anonymousId;
 }
 function U(i) {
@@ -1845,7 +1881,7 @@ function E(i, t) {
     ]
   };
 }
-function q(i) {
+function M(i) {
   const t = i.locales;
   if (!t) return null;
   const e = [];
@@ -1861,7 +1897,7 @@ function q(i) {
   return null;
 }
 function w(i) {
-  const t = q(i);
+  const t = M(i);
   if (!t) return;
   const e = i.locales?.[t];
   e && (e.layout && (i.layout = e.layout), e.prices && (i.prices = i.prices.map((s) => {
@@ -1872,7 +1908,7 @@ function w(i) {
   })));
 }
 const yt = 1500, pt = 20, L = 200;
-class It {
+class St {
   constructor(t) {
     this.buffer = [], this.flushTimer = null, this.destroyed = !1, this.unloadHandler = null, this.visibilityHandler = null, this.opts = t, this.isEnabled() && this.attachUnloadHandlers();
   }
@@ -1977,7 +2013,7 @@ function v(i) {
 function b(i) {
   return `paywall-${i}-skip-times`;
 }
-class K {
+class q {
   constructor(t, e, s) {
     this.storage = t, this.paywallId = e, this.config = s;
   }
@@ -2037,11 +2073,11 @@ class K {
   async recordOpens() {
     const t = this.config.payload, e = b(this.paywallId), s = await this.storage.getItem(e), a = s ? Number(s) : 0, n = Number.isFinite(a) ? a : 0, r = Math.min(t, n + 1);
     await this.storage.setItem(e, String(r));
-    const l = Math.max(0, t - r);
+    const h = Math.max(0, t - r);
     return {
       mode: "opens",
       blocked: r < t,
-      remainingActions: l,
+      remainingActions: h,
       totalActions: t
     };
   }
@@ -2051,7 +2087,7 @@ class gt {
   constructor(t, e, s) {
     N || (N = !0, console.warn(
       '[paywall] trial.storage="server" is not implemented yet — falling back to client storage. State lives in localStorage; users can reset trial by clearing site data.'
-    )), this.fallback = new K(t, e, s);
+    )), this.fallback = new q(t, e, s);
   }
   check() {
     return this.fallback.check();
@@ -2064,7 +2100,7 @@ class gt {
   }
 }
 function vt(i, t, e) {
-  return e.storage === "server" ? new gt(i, t, e) : new K(i, t, e);
+  return e.storage === "server" ? new gt(i, t, e) : new q(i, t, e);
 }
 const bt = 1;
 function _t(i) {
@@ -2096,7 +2132,7 @@ function Bt(i) {
 function wt(i) {
   let t = !1;
   const e = /* @__PURE__ */ new Set(), s = /* @__PURE__ */ new Set(), a = (r) => {
-    for (const l of e) l(r);
+    for (const h of e) h(r);
   }, n = () => {
     if (!t) {
       t = !0;
@@ -2109,8 +2145,8 @@ function wt(i) {
       if (!t)
         try {
           i.postMessage(r);
-        } catch (l) {
-          throw n(), l;
+        } catch (h) {
+          throw n(), h;
         }
     },
     onMessage(r) {
@@ -2131,8 +2167,8 @@ function kt(i) {
 }
 export {
   mt as A,
-  St as B,
-  It as E,
+  It as B,
+  St as E,
   o as P,
   bt as a,
   kt as b,
@@ -2142,4 +2178,4 @@ export {
   _t as s,
   Z as w
 };
-//# sourceMappingURL=chrome-port-rVd4zwU3.js.map
+//# sourceMappingURL=chrome-port-bfTUUDz_.js.map