npm - @nauth-toolkit/client - Versions diffs - 0.1.49 → 0.1.53 - Mend

@nauth-toolkit/client 0.1.49 → 0.1.53

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (7) hide show

package/package.json +2 -19
package/dist/angular/index.cjs +0 -2348
package/dist/angular/index.cjs.map +0 -1
package/dist/angular/index.d.mts +0 -2030
package/dist/angular/index.d.ts +0 -2030
package/dist/angular/index.mjs +0 -2316
package/dist/angular/index.mjs.map +0 -1

package/dist/angular/index.cjs DELETED Viewed

@@ -1,2348 +0,0 @@
-"use strict";
-var __defProp = Object.defineProperty;
-var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
-var __getOwnPropNames = Object.getOwnPropertyNames;
-var __hasOwnProp = Object.prototype.hasOwnProperty;
-var __defNormalProp = (obj, key, value) => key in obj ? __defProp(obj, key, { enumerable: true, configurable: true, writable: true, value }) : obj[key] = value;
-var __name = (target, value) => __defProp(target, "name", { value, configurable: true });
-var __export = (target, all) => {
-  for (var name in all)
-    __defProp(target, name, { get: all[name], enumerable: true });
-};
-var __copyProps = (to, from2, except, desc) => {
-  if (from2 && typeof from2 === "object" || typeof from2 === "function") {
-    for (let key of __getOwnPropNames(from2))
-      if (!__hasOwnProp.call(to, key) && key !== except)
-        __defProp(to, key, { get: () => from2[key], enumerable: !(desc = __getOwnPropDesc(from2, key)) || desc.enumerable });
-  }
-  return to;
-};
-var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
-var __decorateClass = (decorators, target, key, kind) => {
-  var result = kind > 1 ? void 0 : kind ? __getOwnPropDesc(target, key) : target;
-  for (var i = decorators.length - 1, decorator; i >= 0; i--)
-    if (decorator = decorators[i])
-      result = (kind ? decorator(target, key, result) : decorator(result)) || result;
-  if (kind && result) __defProp(target, key, result);
-  return result;
-};
-var __decorateParam = (index, decorator) => (target, key) => decorator(target, key, index);
-var __publicField = (obj, key, value) => __defNormalProp(obj, typeof key !== "symbol" ? key + "" : key, value);
-// src/angular/index.ts
-var index_exports = {};
-__export(index_exports, {
-  AngularHttpAdapter: () => AngularHttpAdapter,
-  AuthGuard: () => AuthGuard,
-  AuthInterceptor: () => AuthInterceptor,
-  AuthService: () => AuthService,
-  NAUTH_CLIENT_CONFIG: () => NAUTH_CLIENT_CONFIG,
-  NAuthModule: () => NAuthModule,
-  authGuard: () => authGuard,
-  authInterceptor: () => authInterceptor,
-  socialRedirectCallbackGuard: () => socialRedirectCallbackGuard
-});
-module.exports = __toCommonJS(index_exports);
-// src/angular/tokens.ts
-var import_core = require("@angular/core");
-var NAUTH_CLIENT_CONFIG = new import_core.InjectionToken("NAUTH_CLIENT_CONFIG");
-// src/angular/auth.service.ts
-var import_core3 = require("@angular/core");
-var import_rxjs2 = require("rxjs");
-var import_operators = require("rxjs/operators");
-// src/angular/http-adapter.ts
-var import_core2 = require("@angular/core");
-var import_http = require("@angular/common/http");
-var import_rxjs = require("rxjs");
-// src/core/errors.ts
-var _NAuthClientError = class _NAuthClientError extends Error {
-  /**
-   * Create a new client error.
-   *
-   * @param code - Error code from NAuthErrorCode enum
-   * @param message - Human-readable error message
-   * @param options - Optional metadata including details, statusCode, timestamp, and network error flag
-   */
-  constructor(code, message, options) {
-    super(message);
-    __publicField(this, "code");
-    __publicField(this, "details");
-    __publicField(this, "statusCode");
-    __publicField(this, "timestamp");
-    __publicField(this, "isNetworkError");
-    this.code = code;
-    this.details = options?.details;
-    this.statusCode = options?.statusCode;
-    this.timestamp = options?.timestamp || (/* @__PURE__ */ new Date()).toISOString();
-    this.isNetworkError = options?.isNetworkError ?? false;
-    this.name = "NAuthClientError";
-    Object.setPrototypeOf(this, _NAuthClientError.prototype);
-  }
-  /**
-   * Check if error matches a specific error code.
-   *
-   * @param code - Error code to check against
-   * @returns True if the error code matches
-   *
-   * @example
-   * ```typescript
-   * if (error.isCode(NAuthErrorCode.RATE_LIMIT_SMS)) {
-   *   // Handle SMS rate limit
-   * }
-   * ```
-   */
-  isCode(code) {
-    return this.code === code;
-  }
-  /**
-   * Get error details/metadata.
-   *
-   * @returns Error details object or undefined
-   *
-   * @example
-   * ```typescript
-   * const details = error.getDetails();
-   * if (details?.retryAfter) {
-   *   console.log(`Retry after ${details.retryAfter} seconds`);
-   * }
-   * ```
-   */
-  getDetails() {
-    return this.details;
-  }
-  /**
-   * Get the error code.
-   *
-   * @returns The error code enum value
-   */
-  getCode() {
-    return this.code;
-  }
-  /**
-   * Serialize error to JSON object.
-   *
-   * @returns Plain object representation
-   *
-   * @example
-   * ```typescript
-   * const errorJson = error.toJSON();
-   * // { code: 'AUTH_INVALID_CREDENTIALS', message: '...', timestamp: '...', details: {...} }
-   * ```
-   */
-  toJSON() {
-    return {
-      code: this.code,
-      message: this.message,
-      timestamp: this.timestamp,
-      details: this.details,
-      statusCode: this.statusCode
-    };
-  }
-};
-__name(_NAuthClientError, "NAuthClientError");
-var NAuthClientError = _NAuthClientError;
-// src/angular/http-adapter.ts
-var AngularHttpAdapter = class {
-  constructor() {
-    __publicField(this, "http", (0, import_core2.inject)(import_http.HttpClient));
-  }
-  /**
-   * Execute HTTP request using Angular's HttpClient.
-   *
-   * @param config - Request configuration
-   * @returns Response with parsed data
-   * @throws NAuthClientError if request fails
-   */
-  async request(config) {
-    try {
-      const data = await (0, import_rxjs.firstValueFrom)(
-        this.http.request(config.method, config.url, {
-          body: config.body,
-          headers: config.headers,
-          withCredentials: config.credentials === "include",
-          observe: "body"
-          // Only return body data
-        })
-      );
-      return {
-        data,
-        status: 200,
-        // HttpClient only returns data on success
-        headers: {}
-        // Can extract from observe: 'response' if needed
-      };
-    } catch (error) {
-      if (error instanceof import_http.HttpErrorResponse) {
-        const errorData = error.error || {};
-        const code = typeof errorData["code"] === "string" ? errorData.code : "INTERNAL_ERROR" /* INTERNAL_ERROR */;
-        const message = typeof errorData["message"] === "string" ? errorData.message : error.message || `Request failed with status ${error.status}`;
-        const timestamp = typeof errorData["timestamp"] === "string" ? errorData.timestamp : void 0;
-        const details = errorData["details"];
-        throw new NAuthClientError(code, message, {
-          statusCode: error.status,
-          timestamp,
-          details,
-          isNetworkError: error.status === 0
-          // Network error (no response from server)
-        });
-      }
-      throw error;
-    }
-  }
-};
-__name(AngularHttpAdapter, "AngularHttpAdapter");
-AngularHttpAdapter = __decorateClass([
-  (0, import_core2.Injectable)({ providedIn: "root" })
-], AngularHttpAdapter);
-// src/core/config.ts
-var defaultEndpoints = {
-  login: "/login",
-  signup: "/signup",
-  logout: "/logout",
-  logoutAll: "/logout/all",
-  refresh: "/refresh",
-  respondChallenge: "/respond-challenge",
-  resendCode: "/challenge/resend",
-  getSetupData: "/challenge/setup-data",
-  getChallengeData: "/challenge/challenge-data",
-  profile: "/profile",
-  changePassword: "/change-password",
-  requestPasswordChange: "/request-password-change",
-  forgotPassword: "/forgot-password",
-  confirmForgotPassword: "/forgot-password/confirm",
-  mfaStatus: "/mfa/status",
-  mfaDevices: "/mfa/devices",
-  mfaSetupData: "/mfa/setup-data",
-  mfaVerifySetup: "/mfa/verify-setup",
-  mfaRemove: "/mfa/method",
-  mfaPreferred: "/mfa/preferred-method",
-  mfaBackupCodes: "/mfa/backup-codes/generate",
-  mfaExemption: "/mfa/exemption",
-  socialLinked: "/social/linked",
-  socialLink: "/social/link",
-  socialUnlink: "/social/unlink",
-  socialVerify: "/social/:provider/verify",
-  socialRedirectStart: "/social/:provider/redirect",
-  socialExchange: "/social/exchange",
-  trustDevice: "/trust-device",
-  isTrustedDevice: "/is-trusted-device",
-  auditHistory: "/audit/history",
-  updateProfile: "/profile"
-};
-var resolveConfig = /* @__PURE__ */ __name((config, defaultAdapter) => {
-  const resolvedEndpoints = {
-    ...defaultEndpoints,
-    ...config.endpoints ?? {}
-  };
-  return {
-    ...config,
-    csrf: {
-      cookieName: config.csrf?.cookieName ?? "nauth_csrf_token",
-      headerName: config.csrf?.headerName ?? "x-csrf-token"
-    },
-    deviceTrust: {
-      headerName: config.deviceTrust?.headerName ?? "X-Device-Token",
-      storageKey: config.deviceTrust?.storageKey ?? "nauth_device_token"
-    },
-    headers: config.headers ?? {},
-    timeout: config.timeout ?? 3e4,
-    endpoints: resolvedEndpoints,
-    storage: config.storage,
-    httpAdapter: config.httpAdapter ?? defaultAdapter
-  };
-}, "resolveConfig");
-// src/core/refresh.ts
-var ACCESS_TOKEN_KEY = "nauth_access_token";
-var REFRESH_TOKEN_KEY = "nauth_refresh_token";
-var ACCESS_EXPIRES_AT_KEY = "nauth_access_token_expires_at";
-var REFRESH_EXPIRES_AT_KEY = "nauth_refresh_token_expires_at";
-var USER_KEY = "nauth_user";
-var CHALLENGE_KEY = "nauth_challenge_session";
-var _TokenManager = class _TokenManager {
-  /**
-   * @param storage - storage adapter
-   */
-  constructor(storage) {
-    __publicField(this, "storage");
-    __publicField(this, "refreshPromise", null);
-    __publicField(this, "isBrowser", typeof window !== "undefined");
-    this.storage = storage;
-  }
-  /**
-   * Load tokens from storage.
-   */
-  async getTokens() {
-    const [accessToken, refreshToken, accessExpRaw, refreshExpRaw] = await Promise.all([
-      this.storage.getItem(ACCESS_TOKEN_KEY),
-      this.storage.getItem(REFRESH_TOKEN_KEY),
-      this.storage.getItem(ACCESS_EXPIRES_AT_KEY),
-      this.storage.getItem(REFRESH_EXPIRES_AT_KEY)
-    ]);
-    return {
-      accessToken,
-      refreshToken,
-      accessTokenExpiresAt: accessExpRaw ? Number(accessExpRaw) : null,
-      refreshTokenExpiresAt: refreshExpRaw ? Number(refreshExpRaw) : null
-    };
-  }
-  /**
-   * Persist tokens.
-   *
-   * @param tokens - new token pair
-   */
-  async setTokens(tokens) {
-    await Promise.all([
-      this.storage.setItem(ACCESS_TOKEN_KEY, tokens.accessToken),
-      this.storage.setItem(REFRESH_TOKEN_KEY, tokens.refreshToken),
-      this.storage.setItem(ACCESS_EXPIRES_AT_KEY, tokens.accessTokenExpiresAt.toString()),
-      this.storage.setItem(REFRESH_EXPIRES_AT_KEY, tokens.refreshTokenExpiresAt.toString())
-    ]);
-    this.broadcastStorage();
-  }
-  /**
-   * Clear tokens and related auth state.
-   */
-  async clearTokens() {
-    await Promise.all([
-      this.storage.removeItem(ACCESS_TOKEN_KEY),
-      this.storage.removeItem(REFRESH_TOKEN_KEY),
-      this.storage.removeItem(ACCESS_EXPIRES_AT_KEY),
-      this.storage.removeItem(REFRESH_EXPIRES_AT_KEY),
-      this.storage.removeItem(USER_KEY),
-      this.storage.removeItem(CHALLENGE_KEY)
-    ]);
-    this.broadcastStorage();
-  }
-  /**
-   * Ensure only one refresh in flight.
-   *
-   * @param refreshFn - function performing refresh request
-   */
-  async refreshOnce(refreshFn) {
-    if (!this.refreshPromise) {
-      this.refreshPromise = refreshFn().then(async (tokens) => {
-        await this.setTokens(tokens);
-        return tokens;
-      }).catch((error) => {
-        throw error;
-      }).finally(() => {
-        this.refreshPromise = null;
-      });
-    }
-    return this.refreshPromise;
-  }
-  /**
-   * Validate that a refresh token exists before attempting refresh.
-   */
-  async assertHasRefreshToken() {
-    const state = await this.getTokens();
-    if (!state.refreshToken) {
-      throw new NAuthClientError("AUTH_SESSION_NOT_FOUND" /* AUTH_SESSION_NOT_FOUND */, "No refresh token available");
-    }
-  }
-  /**
-   * Broadcast a no-op write to trigger storage listeners in other tabs.
-   */
-  broadcastStorage() {
-    if (!this.isBrowser) return;
-    try {
-      window.localStorage.setItem("nauth_sync", Date.now().toString());
-    } catch {
-    }
-  }
-};
-__name(_TokenManager, "TokenManager");
-var TokenManager = _TokenManager;
-// src/storage/browser.ts
-var _BrowserStorage = class _BrowserStorage {
-  /**
-   * Create a browser storage adapter.
-   *
-   * @param storage - Storage implementation (localStorage by default)
-   */
-  constructor(storage = window.localStorage) {
-    __publicField(this, "storage");
-    this.storage = storage;
-  }
-  async getItem(key) {
-    return this.storage.getItem(key);
-  }
-  async setItem(key, value) {
-    this.storage.setItem(key, value);
-  }
-  async removeItem(key) {
-    this.storage.removeItem(key);
-  }
-  async clear() {
-    this.storage.clear();
-  }
-};
-__name(_BrowserStorage, "BrowserStorage");
-var BrowserStorage = _BrowserStorage;
-// src/storage/memory.ts
-var _InMemoryStorage = class _InMemoryStorage {
-  constructor() {
-    __publicField(this, "store", /* @__PURE__ */ new Map());
-  }
-  async getItem(key) {
-    return this.store.has(key) ? this.store.get(key) : null;
-  }
-  async setItem(key, value) {
-    this.store.set(key, value);
-  }
-  async removeItem(key) {
-    this.store.delete(key);
-  }
-  async clear() {
-    this.store.clear();
-  }
-};
-__name(_InMemoryStorage, "InMemoryStorage");
-var InMemoryStorage = _InMemoryStorage;
-// src/core/events.ts
-var _EventEmitter = class _EventEmitter {
-  constructor() {
-    __publicField(this, "listeners", /* @__PURE__ */ new Map());
-  }
-  /**
-   * Subscribe to an authentication event
-   *
-   * @param event - Event type or '*' for all events
-   * @param listener - Callback function
-   * @returns Unsubscribe function
-   *
-   * @example
-   * ```typescript
-   * const unsubscribe = emitter.on('auth:success', (event) => {
-   *   console.log('User logged in:', event.data);
-   * });
-   *
-   * // Later
-   * unsubscribe();
-   * ```
-   */
-  on(event, listener) {
-    if (!this.listeners.has(event)) {
-      this.listeners.set(event, /* @__PURE__ */ new Set());
-    }
-    this.listeners.get(event).add(listener);
-    return () => this.off(event, listener);
-  }
-  /**
-   * Unsubscribe from an authentication event
-   *
-   * @param event - Event type or '*'
-   * @param listener - Callback function to remove
-   */
-  off(event, listener) {
-    this.listeners.get(event)?.delete(listener);
-  }
-  /**
-   * Emit an authentication event
-   *
-   * Notifies all listeners for the specific event type and wildcard listeners.
-   *
-   * @param event - Event to emit
-   * @internal
-   */
-  emit(event) {
-    const specificListeners = this.listeners.get(event.type);
-    const wildcardListeners = this.listeners.get("*");
-    specificListeners?.forEach((listener) => {
-      try {
-        listener(event);
-      } catch (error) {
-        console.error(`Error in ${event.type} event listener:`, error);
-      }
-    });
-    wildcardListeners?.forEach((listener) => {
-      try {
-        listener(event);
-      } catch (error) {
-        console.error(`Error in wildcard event listener:`, error);
-      }
-    });
-  }
-  /**
-   * Remove all listeners
-   *
-   * @internal
-   */
-  clear() {
-    this.listeners.clear();
-  }
-};
-__name(_EventEmitter, "EventEmitter");
-var EventEmitter = _EventEmitter;
-// src/adapters/fetch-adapter.ts
-var _FetchAdapter = class _FetchAdapter {
-  /**
-   * Execute HTTP request using native fetch.
-   *
-   * @param config - Request configuration
-   * @returns Response with parsed data
-   * @throws NAuthClientError if request fails
-   */
-  async request(config) {
-    const fetchOptions = {
-      method: config.method,
-      headers: config.headers,
-      signal: config.signal,
-      credentials: config.credentials
-    };
-    if (config.body !== void 0) {
-      fetchOptions.body = JSON.stringify(config.body);
-    }
-    let response;
-    try {
-      response = await fetch(config.url, fetchOptions);
-    } catch (error) {
-      throw new NAuthClientError("INTERNAL_ERROR" /* INTERNAL_ERROR */, "Network request failed", {
-        isNetworkError: true,
-        details: { url: config.url, message: error.message }
-      });
-    }
-    const status = response.status;
-    let data = null;
-    const text = await response.text();
-    if (text) {
-      try {
-        data = JSON.parse(text);
-      } catch {
-        data = text;
-      }
-    }
-    const headers = {};
-    response.headers.forEach((value, key) => {
-      headers[key] = value;
-    });
-    if (!response.ok) {
-      const errorData = typeof data === "object" && data !== null ? data : {};
-      const code = typeof errorData["code"] === "string" ? errorData["code"] : "INTERNAL_ERROR" /* INTERNAL_ERROR */;
-      const message = typeof errorData["message"] === "string" ? errorData["message"] : `Request failed with status ${status}`;
-      const timestamp = typeof errorData["timestamp"] === "string" ? errorData["timestamp"] : void 0;
-      const details = errorData["details"];
-      throw new NAuthClientError(code, message, {
-        statusCode: status,
-        timestamp,
-        details
-      });
-    }
-    return { data, status, headers };
-  }
-};
-__name(_FetchAdapter, "FetchAdapter");
-var FetchAdapter = _FetchAdapter;
-// src/core/client.ts
-var USER_KEY2 = "nauth_user";
-var CHALLENGE_KEY2 = "nauth_challenge_session";
-var hasWindow = /* @__PURE__ */ __name(() => typeof globalThis !== "undefined" && typeof globalThis.window !== "undefined", "hasWindow");
-var defaultStorage = /* @__PURE__ */ __name(() => {
-  if (hasWindow() && typeof window.localStorage !== "undefined") {
-    return new BrowserStorage();
-  }
-  return new InMemoryStorage();
-}, "defaultStorage");
-var _NAuthClient = class _NAuthClient {
-  /**
-   * Create a new client instance.
-   *
-   * @param userConfig - Client configuration
-   */
-  constructor(userConfig) {
-    __publicField(this, "config");
-    __publicField(this, "tokenManager");
-    __publicField(this, "eventEmitter");
-    __publicField(this, "currentUser", null);
-    /**
-     * Handle cross-tab storage updates.
-     */
-    __publicField(this, "handleStorageEvent", /* @__PURE__ */ __name((event) => {
-      if (event.key === "nauth_sync") {
-        this.config.storage.getItem(USER_KEY2).then((value) => value ? JSON.parse(value) : null).then((user) => {
-          this.currentUser = user;
-          this.config.onAuthStateChange?.(user);
-        }).catch(() => {
-        });
-      }
-    }, "handleStorageEvent"));
-    const storage = userConfig.storage ?? defaultStorage();
-    const defaultAdapter = userConfig.httpAdapter ?? new FetchAdapter();
-    this.config = resolveConfig({ ...userConfig, storage }, defaultAdapter);
-    this.tokenManager = new TokenManager(storage);
-    this.eventEmitter = new EventEmitter();
-    if (hasWindow()) {
-      window.addEventListener("storage", this.handleStorageEvent);
-    }
-  }
-  /**
-   * Clean up resources.
-   */
-  dispose() {
-    if (hasWindow()) {
-      window.removeEventListener("storage", this.handleStorageEvent);
-    }
-  }
-  /**
-   * Login with identifier and password.
-   */
-  async login(identifier, password) {
-    const loginEvent = { type: "auth:login", data: { identifier }, timestamp: Date.now() };
-    this.eventEmitter.emit(loginEvent);
-    try {
-      const body = { identifier, password };
-      const response = await this.post(this.config.endpoints.login, body);
-      await this.handleAuthResponse(response);
-      if (response.challengeName) {
-        const challengeEvent = { type: "auth:challenge", data: response, timestamp: Date.now() };
-        this.eventEmitter.emit(challengeEvent);
-      } else {
-        const successEvent = { type: "auth:success", data: response, timestamp: Date.now() };
-        this.eventEmitter.emit(successEvent);
-      }
-      return response;
-    } catch (error) {
-      const authError = error instanceof NAuthClientError ? error : new NAuthClientError("AUTH_INVALID_CREDENTIALS" /* AUTH_INVALID_CREDENTIALS */, error.message || "Login failed");
-      const errorEvent = { type: "auth:error", data: authError, timestamp: Date.now() };
-      this.eventEmitter.emit(errorEvent);
-      throw authError;
-    }
-  }
-  /**
-   * Signup with credentials.
-   */
-  async signup(payload) {
-    this.eventEmitter.emit({ type: "auth:signup", data: { email: payload.email }, timestamp: Date.now() });
-    try {
-      const response = await this.post(this.config.endpoints.signup, payload);
-      await this.handleAuthResponse(response);
-      if (response.challengeName) {
-        this.eventEmitter.emit({ type: "auth:challenge", data: response, timestamp: Date.now() });
-      } else {
-        this.eventEmitter.emit({ type: "auth:success", data: response, timestamp: Date.now() });
-      }
-      return response;
-    } catch (error) {
-      const authError = error instanceof NAuthClientError ? error : new NAuthClientError("AUTH_INVALID_CREDENTIALS" /* AUTH_INVALID_CREDENTIALS */, error.message || "Signup failed");
-      this.eventEmitter.emit({ type: "auth:error", data: authError, timestamp: Date.now() });
-      throw authError;
-    }
-  }
-  /**
-   * Refresh tokens manually.
-   */
-  async refreshTokens() {
-    const tokenDelivery = this.getTokenDeliveryMode();
-    if (tokenDelivery === "json") {
-      await this.tokenManager.assertHasRefreshToken();
-    }
-    const body = tokenDelivery === "json" ? { refreshToken: (await this.tokenManager.getTokens()).refreshToken } : { refreshToken: "" };
-    const refreshFn = /* @__PURE__ */ __name(async () => {
-      return this.post(this.config.endpoints.refresh, body, false);
-    }, "refreshFn");
-    const tokens = await this.tokenManager.refreshOnce(refreshFn);
-    this.config.onTokenRefresh?.();
-    this.eventEmitter.emit({ type: "auth:refresh", data: { success: true }, timestamp: Date.now() });
-    return tokens;
-  }
-  /**
-   * Logout current session.
-   *
-   * Uses GET request to avoid CSRF token issues.
-   *
-   * @param forgetDevice - If true, also untrust the device (require MFA on next login)
-   */
-  async logout(forgetDevice) {
-    const queryParams = forgetDevice ? "?forgetMe=true" : "";
-    try {
-      await this.get(this.config.endpoints.logout + queryParams, true);
-    } catch (error) {
-      console.warn("[nauth] Logout request failed (session may already be invalid):", error);
-    } finally {
-      await this.clearAuthState(forgetDevice);
-      this.eventEmitter.emit({
-        type: "auth:logout",
-        data: { forgetDevice: !!forgetDevice, global: false },
-        timestamp: Date.now()
-      });
-    }
-  }
-  /**
-   * Logout all sessions.
-   *
-   * Revokes all active sessions for the current user across all devices.
-   * Optionally revokes all trusted devices if forgetDevices is true.
-   *
-   * @param forgetDevices - If true, also revokes all trusted devices (default: false)
-   * @returns Number of sessions revoked
-   */
-  async logoutAll(forgetDevices) {
-    try {
-      const payload = {
-        forgetDevices: forgetDevices ?? false
-      };
-      const result = await this.post(
-        this.config.endpoints.logoutAll,
-        payload,
-        true
-      );
-      await this.clearAuthState(forgetDevices);
-      this.eventEmitter.emit({
-        type: "auth:logout",
-        data: { forgetDevice: !!forgetDevices, global: true },
-        timestamp: Date.now()
-      });
-      return { revokedCount: result.revokedCount };
-    } catch (error) {
-      await this.clearAuthState(forgetDevices);
-      this.eventEmitter.emit({
-        type: "auth:logout",
-        data: { forgetDevice: !!forgetDevices, global: true },
-        timestamp: Date.now()
-      });
-      throw error;
-    }
-  }
-  /**
-   * Respond to a challenge.
-   *
-   * Validates challenge response data before sending to backend.
-   * Provides helpful error messages for common validation issues.
-   *
-   * @param response - Challenge response data
-   * @returns Auth response from backend
-   * @throws {NAuthClientError} If validation fails
-   */
-  async respondToChallenge(response) {
-    if (response.type === "MFA_SETUP_REQUIRED" /* MFA_SETUP_REQUIRED */ && response.method === "totp") {
-      const setupData = response.setupData;
-      if (!setupData || typeof setupData !== "object") {
-        throw new NAuthClientError(
-          "VALIDATION_FAILED" /* VALIDATION_FAILED */,
-          "TOTP setup requires setupData with both secret and code",
-          { details: { field: "setupData" } }
-        );
-      }
-      const secret = setupData["secret"];
-      const code = setupData["code"];
-      if (!secret || typeof secret !== "string") {
-        throw new NAuthClientError(
-          "VALIDATION_FAILED" /* VALIDATION_FAILED */,
-          "TOTP setup requires secret in setupData. Make sure to include the secret from getSetupData() response.",
-          { details: { field: "secret" } }
-        );
-      }
-      if (!code || typeof code !== "string") {
-        throw new NAuthClientError(
-          "VALIDATION_FAILED" /* VALIDATION_FAILED */,
-          "TOTP setup requires code in setupData. Please enter the verification code from your authenticator app.",
-          { details: { field: "code" } }
-        );
-      }
-    }
-    try {
-      const result = await this.post(this.config.endpoints.respondChallenge, response);
-      await this.handleAuthResponse(result);
-      if (result.challengeName) {
-        const challengeEvent = { type: "auth:challenge", data: result, timestamp: Date.now() };
-        this.eventEmitter.emit(challengeEvent);
-      } else {
-        const successEvent = { type: "auth:success", data: result, timestamp: Date.now() };
-        this.eventEmitter.emit(successEvent);
-      }
-      return result;
-    } catch (error) {
-      const authError = error instanceof NAuthClientError ? error : new NAuthClientError(
-        "CHALLENGE_INVALID" /* CHALLENGE_INVALID */,
-        error.message || "Challenge response failed"
-      );
-      const errorEvent = { type: "auth:error", data: authError, timestamp: Date.now() };
-      this.eventEmitter.emit(errorEvent);
-      throw authError;
-    }
-  }
-  /**
-   * Resend a challenge code.
-   */
-  async resendCode(session) {
-    const payload = { session };
-    return this.post(this.config.endpoints.resendCode, payload);
-  }
-  /**
-   * Get setup data for MFA.
-   *
-   * Returns method-specific setup information:
-   * - TOTP: { secret, qrCode, manualEntryKey }
-   * - SMS: { maskedPhone }
-   * - Email: { maskedEmail }
-   * - Passkey: WebAuthn registration options
-   *
-   * @param session - Challenge session token
-   * @param method - MFA method to set up
-   * @returns Setup data wrapped in GetSetupDataResponse
-   */
-  async getSetupData(session, method) {
-    const payload = { session, method };
-    return this.post(this.config.endpoints.getSetupData, payload);
-  }
-  /**
-   * Get challenge data (e.g., WebAuthn options).
-   *
-   * Returns challenge-specific data for verification flows.
-   *
-   * @param session - Challenge session token
-   * @param method - Challenge method to get data for
-   * @returns Challenge data wrapped in GetChallengeDataResponse
-   */
-  async getChallengeData(session, method) {
-    const payload = { session, method };
-    return this.post(this.config.endpoints.getChallengeData, payload);
-  }
-  /**
-   * Get current user profile.
-   */
-  async getProfile() {
-    const profile = await this.get(this.config.endpoints.profile, true);
-    await this.setUser(profile);
-    return profile;
-  }
-  /**
-   * Update user profile.
-   */
-  async updateProfile(updates) {
-    const updated = await this.put(this.config.endpoints.updateProfile, updates, true);
-    await this.setUser(updated);
-    return updated;
-  }
-  /**
-   * Change user password.
-   */
-  async changePassword(oldPassword, newPassword) {
-    const payload = { currentPassword: oldPassword, newPassword };
-    await this.post(this.config.endpoints.changePassword, payload, true);
-  }
-  /**
-   * Request a password reset code (forgot password).
-   */
-  async forgotPassword(identifier) {
-    const payload = { identifier };
-    return this.post(this.config.endpoints.forgotPassword, payload);
-  }
-  /**
-   * Confirm a password reset code and set a new password.
-   */
-  async confirmForgotPassword(identifier, code, newPassword) {
-    const payload = { identifier, code, newPassword };
-    const result = await this.post(this.config.endpoints.confirmForgotPassword, payload);
-    await this.clearAuthState(false);
-    return result;
-  }
-  /**
-   * Request password change (must change on next login).
-   */
-  async requestPasswordChange() {
-    await this.post(this.config.endpoints.requestPasswordChange, {}, true);
-  }
-  /**
-   * Get MFA status.
-   */
-  async getMfaStatus() {
-    return this.get(this.config.endpoints.mfaStatus, true);
-  }
-  /**
-   * Get MFA devices.
-   */
-  async getMfaDevices() {
-    return this.get(this.config.endpoints.mfaDevices, true);
-  }
-  /**
-   * Setup MFA device (authenticated user).
-   */
-  async setupMfaDevice(method) {
-    return this.post(this.config.endpoints.mfaSetupData, { method }, true);
-  }
-  /**
-   * Verify MFA setup (authenticated user).
-   */
-  async verifyMfaSetup(method, setupData, deviceName) {
-    return this.post(
-      this.config.endpoints.mfaVerifySetup,
-      { method, setupData, deviceName },
-      true
-    );
-  }
-  /**
-   * Remove MFA method.
-   */
-  async removeMfaDevice(method) {
-    const path = `${this.config.endpoints.mfaRemove}/${method}`;
-    return this.delete(path, true);
-  }
-  /**
-   * Set preferred MFA method.
-   *
-   * @param method - Device method to set as preferred ('totp', 'sms', 'email', or 'passkey'). Cannot be 'backup'.
-   * @returns Success message
-   */
-  async setPreferredMfaMethod(method) {
-    return this.post(this.config.endpoints.mfaPreferred, { method }, true);
-  }
-  /**
-   * Generate backup codes.
-   */
-  async generateBackupCodes() {
-    const result = await this.post(this.config.endpoints.mfaBackupCodes, {}, true);
-    return result.codes;
-  }
-  /**
-   * Set MFA exemption (admin/test scenarios).
-   */
-  async setMfaExemption(exempt, reason) {
-    await this.post(this.config.endpoints.mfaExemption, { exempt, reason }, true);
-  }
-  // ============================================================================
-  // Event System
-  // ============================================================================
-  /**
-   * Subscribe to authentication events.
-   *
-   * Emits events throughout the auth lifecycle for custom logic, analytics, or UI updates.
-   *
-   * @param event - Event type to listen for, or '*' for all events
-   * @param listener - Callback function to handle the event
-   * @returns Unsubscribe function
-   *
-   * @example
-   * ```typescript
-   * // Listen to successful authentication
-   * const unsubscribe = client.on('auth:success', (event) => {
-   *   console.log('User logged in:', event.data.user);
-   *   analytics.track('login_success');
-   * });
-   *
-   * // Listen to all events
-   * client.on('*', (event) => {
-   *   console.log('Auth event:', event.type, event.data);
-   * });
-   *
-   * // Unsubscribe when done
-   * unsubscribe();
-   * ```
-   */
-  on(event, listener) {
-    return this.eventEmitter.on(event, listener);
-  }
-  /**
-   * Unsubscribe from authentication events.
-   *
-   * @param event - Event type
-   * @param listener - Callback function to remove
-   */
-  off(event, listener) {
-    this.eventEmitter.off(event, listener);
-  }
-  // ============================================================================
-  // Social Authentication
-  // ============================================================================
-  /**
-   * Start redirect-first social OAuth flow (web).
-   *
-   * This performs a browser navigation to:
-   * `GET {baseUrl}/social/:provider/redirect?returnTo=...&appState=...`
-   *
-   * The backend:
-   * - generates and stores CSRF state (cluster-safe)
-   * - redirects the user to the provider
-   * - completes OAuth on callback and sets cookies (or issues an exchange token)
-   * - redirects back to `returnTo` with `appState` (and `exchangeToken` for json/hybrid)
-   *
-   * @param provider - OAuth provider ('google', 'apple', 'facebook')
-   * @param options - Optional redirect options
-   *
-   * @example
-   * ```typescript
-   * await client.loginWithSocial('google', { returnTo: '/auth/callback', appState: '12345' });
-   * ```
-   */
-  async loginWithSocial(provider, options) {
-    this.eventEmitter.emit({ type: "oauth:started", data: { provider }, timestamp: Date.now() });
-    if (hasWindow()) {
-      const startPath = this.config.endpoints.socialRedirectStart.replace(":provider", provider);
-      const base = this.config.baseUrl.replace(/\/$/, "");
-      const startUrl = new URL(`${base}${startPath}`);
-      const returnTo = options?.returnTo ?? this.config.redirects?.success ?? "/";
-      startUrl.searchParams.set("returnTo", returnTo);
-      if (options?.action === "link") {
-        startUrl.searchParams.set("action", "link");
-      }
-      if (typeof options?.appState === "string" && options.appState.trim() !== "") {
-        startUrl.searchParams.set("appState", options.appState);
-      }
-      window.location.href = startUrl.toString();
-    }
-  }
-  /**
-   * Exchange an `exchangeToken` (from redirect callback URL) into an AuthResponse.
-   *
-   * Used for `tokenDelivery: 'json'` or hybrid flows where the backend redirects back
-   * with `exchangeToken` instead of setting cookies.
-   *
-   * @param exchangeToken - One-time exchange token from the callback URL
-   * @returns AuthResponse
-   */
-  async exchangeSocialRedirect(exchangeToken) {
-    const token = exchangeToken?.trim();
-    if (!token) {
-      throw new NAuthClientError("CHALLENGE_INVALID" /* CHALLENGE_INVALID */, "Missing exchangeToken");
-    }
-    const result = await this.post(this.config.endpoints.socialExchange, { exchangeToken: token });
-    await this.handleAuthResponse(result);
-    return result;
-  }
-  /**
-   * Verify native social token (mobile).
-   */
-  async verifyNativeSocial(request) {
-    try {
-      const path = this.config.endpoints.socialVerify.replace(":provider", request.provider);
-      const result = await this.post(path, request);
-      await this.handleAuthResponse(result);
-      if (result.challengeName) {
-        const challengeEvent = { type: "auth:challenge", data: result, timestamp: Date.now() };
-        this.eventEmitter.emit(challengeEvent);
-      } else {
-        const successEvent = { type: "auth:success", data: result, timestamp: Date.now() };
-        this.eventEmitter.emit(successEvent);
-      }
-      return result;
-    } catch (error) {
-      const authError = error instanceof NAuthClientError ? error : new NAuthClientError(
-        "SOCIAL_TOKEN_INVALID" /* SOCIAL_TOKEN_INVALID */,
-        error.message || "Social verification failed"
-      );
-      const errorEvent = { type: "auth:error", data: authError, timestamp: Date.now() };
-      this.eventEmitter.emit(errorEvent);
-      throw authError;
-    }
-  }
-  /**
-   * Get linked accounts.
-   */
-  async getLinkedAccounts() {
-    return this.get(this.config.endpoints.socialLinked, true);
-  }
-  /**
-   * Link social account.
-   */
-  async linkSocialAccount(provider, code, state) {
-    return this.post(this.config.endpoints.socialLink, { provider, code, state }, true);
-  }
-  /**
-   * Unlink social account.
-   */
-  async unlinkSocialAccount(provider) {
-    return this.post(this.config.endpoints.socialUnlink, { provider }, true);
-  }
-  /**
-   * Trust current device.
-   */
-  async trustDevice() {
-    const result = await this.post(this.config.endpoints.trustDevice, {}, true);
-    await this.setDeviceToken(result.deviceToken);
-    return result;
-  }
-  /**
-   * Check if the current device is trusted.
-   *
-   * Returns whether the current device is trusted based on the device token
-   * (from cookie in cookies mode, or header in JSON mode).
-   *
-   * This performs a server-side validation of the device token and checks:
-   * - Device token exists and is valid
-   * - Device token matches a trusted device record in the database
-   * - Trust has not expired
-   *
-   * @returns Object with trusted status
-   *
-   * @example
-   * ```typescript
-   * const result = await client.isTrustedDevice();
-   * if (result.trusted) {
-   *   console.log('This device is trusted');
-   * }
-   * ```
-   */
-  async isTrustedDevice() {
-    return this.get(this.config.endpoints.isTrustedDevice, true);
-  }
-  /**
-   * Get paginated audit history for the current user.
-   *
-   * Returns authentication and security events with full audit details including:
-   * - Event type (login, logout, MFA, etc.)
-   * - Event status (success, failure, suspicious)
-   * - Device information, location, risk factors
-   *
-   * @param params - Query parameters for filtering and pagination
-   * @returns Paginated audit history response
-   *
-   * @example
-   * ```typescript
-   * const history = await client.getAuditHistory({
-   *   page: 1,
-   *   limit: 20,
-   *   eventType: 'LOGIN_SUCCESS'
-   * });
-   * ```
-   */
-  async getAuditHistory(params) {
-    const entries = Object.entries(params ?? {}).map(([k, v]) => [k, String(v)]);
-    const query = entries.length > 0 ? `?${new URLSearchParams(entries).toString()}` : "";
-    const path = `${this.config.endpoints.auditHistory}${query}`;
-    return this.get(path, true);
-  }
-  /**
-   * Initialize client by hydrating state from storage.
-   * Call this on app startup to restore auth state.
-   */
-  async initialize() {
-    const userJson = await this.config.storage.getItem(USER_KEY2);
-    if (userJson) {
-      try {
-        this.currentUser = JSON.parse(userJson);
-        this.config.onAuthStateChange?.(this.currentUser);
-      } catch {
-        await this.config.storage.removeItem(USER_KEY2);
-      }
-    }
-  }
-  /**
-   * Determine if user is authenticated (async - checks tokens).
-   */
-  async isAuthenticated() {
-    const tokens = await this.tokenManager.getTokens();
-    return Boolean(tokens.accessToken);
-  }
-  /**
-   * Determine if user is authenticated (sync - checks cached user).
-   * Use this for guards and sync checks. Use `isAuthenticated()` for definitive check.
-   */
-  isAuthenticatedSync() {
-    return this.currentUser !== null;
-  }
-  /**
-   * Get current access token (may be null).
-   */
-  async getAccessToken() {
-    const tokens = await this.tokenManager.getTokens();
-    return tokens.accessToken ?? null;
-  }
-  /**
-   * Get current user (cached, sync).
-   */
-  getCurrentUser() {
-    return this.currentUser;
-  }
-  /**
-   * Get stored challenge session (for resuming challenge flows).
-   */
-  async getStoredChallenge() {
-    const raw = await this.config.storage.getItem(CHALLENGE_KEY2);
-    if (!raw) return null;
-    try {
-      return JSON.parse(raw);
-    } catch {
-      return null;
-    }
-  }
-  /**
-   * Clear stored challenge session.
-   */
-  async clearStoredChallenge() {
-    await this.config.storage.removeItem(CHALLENGE_KEY2);
-  }
-  /**
-   * Internal: handle auth response (tokens or challenge).
-   *
-   * In cookies mode: Tokens are set as httpOnly cookies by backend, not stored in client storage.
-   * In JSON mode: Tokens are stored in tokenManager for Authorization header.
-   */
-  async handleAuthResponse(response) {
-    if (response.challengeName) {
-      await this.persistChallenge(response);
-      return;
-    }
-    if (this.config.tokenDelivery === "json" && response.accessToken && response.refreshToken) {
-      await this.tokenManager.setTokens({
-        accessToken: response.accessToken,
-        refreshToken: response.refreshToken,
-        accessTokenExpiresAt: response.accessTokenExpiresAt ?? 0,
-        refreshTokenExpiresAt: response.refreshTokenExpiresAt ?? 0
-      });
-    }
-    if (this.config.tokenDelivery === "json" && response.deviceToken) {
-      await this.setDeviceToken(response.deviceToken);
-    }
-    if (response.user) {
-      const user = response.user;
-      user.sessionAuthMethod = response.authMethod ?? null;
-      await this.setUser(user);
-    }
-    await this.clearChallenge();
-  }
-  /**
-   * Persist challenge state.
-   */
-  async persistChallenge(challenge) {
-    await this.config.storage.setItem(CHALLENGE_KEY2, JSON.stringify(challenge));
-  }
-  /**
-   * Clear challenge state.
-   */
-  async clearChallenge() {
-    await this.config.storage.removeItem(CHALLENGE_KEY2);
-  }
-  /**
-   * Persist user.
-   */
-  async setUser(user) {
-    this.currentUser = user;
-    await this.config.storage.setItem(USER_KEY2, JSON.stringify(user));
-    this.config.onAuthStateChange?.(user);
-  }
-  /**
-   * Clear all auth state.
-   *
-   * @param forgetDevice - If true, also clear device token (for JSON mode)
-   */
-  async clearAuthState(forgetDevice) {
-    this.currentUser = null;
-    await this.tokenManager.clearTokens();
-    await this.config.storage.removeItem(USER_KEY2);
-    if (forgetDevice && this.config.tokenDelivery === "json") {
-      await this.config.storage.removeItem(this.config.deviceTrust.storageKey);
-    }
-    this.config.onAuthStateChange?.(null);
-  }
-  /**
-   * Persist device token (json mode mobile).
-   */
-  async setDeviceToken(token) {
-    await this.config.storage.setItem(this.config.deviceTrust.storageKey, token);
-  }
-  /**
-   * Determine token delivery mode for this environment.
-   */
-  getTokenDeliveryMode() {
-    return this.config.tokenDelivery;
-  }
-  /**
-   * Build request URL by combining baseUrl with path.
-   * @private
-   */
-  buildUrl(path) {
-    return `${this.config.baseUrl}${path}`;
-  }
-  /**
-   * Build request headers for authentication.
-   * @private
-   */
-  async buildHeaders(auth) {
-    const headers = {
-      "Content-Type": "application/json",
-      ...this.config.headers
-    };
-    if (auth && this.config.tokenDelivery === "json") {
-      const accessToken = (await this.tokenManager.getTokens()).accessToken;
-      if (accessToken) {
-        headers["Authorization"] = `Bearer ${accessToken}`;
-      }
-    }
-    if (this.config.tokenDelivery === "json") {
-      try {
-        const deviceToken = await this.config.storage.getItem(this.config.deviceTrust.storageKey);
-        if (deviceToken) {
-          headers[this.config.deviceTrust.headerName] = deviceToken;
-        }
-      } catch {
-      }
-    }
-    if (this.config.tokenDelivery === "cookies" && hasWindow()) {
-      const csrfToken = this.getCsrfToken();
-      if (csrfToken) {
-        headers[this.config.csrf.headerName] = csrfToken;
-      }
-    }
-    return headers;
-  }
-  /**
-   * Get CSRF token from cookie (browser only).
-   * @private
-   */
-  getCsrfToken() {
-    if (!hasWindow() || typeof document === "undefined") return null;
-    const match = document.cookie.match(new RegExp(`(^| )${this.config.csrf.cookieName}=([^;]+)`));
-    return match ? decodeURIComponent(match[2]) : null;
-  }
-  /**
-   * Execute GET request.
-   * Note: 401 refresh is handled by framework interceptors (Angular) or manually.
-   */
-  async get(path, auth = false) {
-    const url = this.buildUrl(path);
-    const headers = await this.buildHeaders(auth);
-    const credentials = this.config.tokenDelivery === "cookies" ? "include" : "omit";
-    const response = await this.config.httpAdapter.request({
-      method: "GET",
-      url,
-      headers,
-      credentials
-    });
-    return response.data;
-  }
-  /**
-   * Execute POST request.
-   * Note: 401 refresh is handled by framework interceptors (Angular) or manually.
-   */
-  async post(path, body, auth = false) {
-    const url = this.buildUrl(path);
-    const headers = await this.buildHeaders(auth);
-    const credentials = this.config.tokenDelivery === "cookies" ? "include" : "omit";
-    const response = await this.config.httpAdapter.request({
-      method: "POST",
-      url,
-      headers,
-      body,
-      credentials
-    });
-    return response.data;
-  }
-  /**
-   * Execute PUT request.
-   * Note: 401 refresh is handled by framework interceptors (Angular) or manually.
-   */
-  async put(path, body, auth = false) {
-    const url = this.buildUrl(path);
-    const headers = await this.buildHeaders(auth);
-    const credentials = this.config.tokenDelivery === "cookies" ? "include" : "omit";
-    const response = await this.config.httpAdapter.request({
-      method: "PUT",
-      url,
-      headers,
-      body,
-      credentials
-    });
-    return response.data;
-  }
-  /**
-   * Execute DELETE request.
-   * Note: 401 refresh is handled by framework interceptors (Angular) or manually.
-   */
-  async delete(path, auth = false) {
-    const url = this.buildUrl(path);
-    const headers = await this.buildHeaders(auth);
-    const credentials = this.config.tokenDelivery === "cookies" ? "include" : "omit";
-    const response = await this.config.httpAdapter.request({
-      method: "DELETE",
-      url,
-      headers,
-      credentials
-    });
-    return response.data;
-  }
-};
-__name(_NAuthClient, "NAuthClient");
-var NAuthClient = _NAuthClient;
-// src/angular/auth.service.ts
-var AuthService = class {
-  /**
-   * @param config - Injected client configuration
-   *
-   * Note: AngularHttpAdapter is automatically injected via Angular DI.
-   * This ensures all requests go through Angular's HttpClient and interceptors.
-   */
-  constructor(config, injector) {
-    this.injector = injector;
-    __publicField(this, "client");
-    __publicField(this, "config");
-    __publicField(this, "currentUserSubject", new import_rxjs2.BehaviorSubject(null));
-    __publicField(this, "isAuthenticatedSubject", new import_rxjs2.BehaviorSubject(false));
-    __publicField(this, "challengeSubject", new import_rxjs2.BehaviorSubject(null));
-    __publicField(this, "authEventsSubject", new import_rxjs2.Subject());
-    __publicField(this, "initialized", false);
-    if (!config) {
-      throw new Error("NAUTH_CLIENT_CONFIG is required to initialize AuthService");
-    }
-    this.config = config;
-    const httpAdapter = config.httpAdapter ?? this.injector?.get(AngularHttpAdapter, null) ?? null;
-    if (!httpAdapter) {
-      throw new Error(
-        "AngularHttpAdapter is required. Ensure AngularHttpAdapter is provided in your module or pass httpAdapter in config."
-      );
-    }
-    this.client = new NAuthClient({
-      ...config,
-      httpAdapter,
-      // Automatically use Angular's HttpClient
-      onAuthStateChange: /* @__PURE__ */ __name((user) => {
-        this.currentUserSubject.next(user);
-        this.isAuthenticatedSubject.next(Boolean(user));
-        config.onAuthStateChange?.(user);
-      }, "onAuthStateChange")
-    });
-    this.client.on("*", (event) => {
-      this.authEventsSubject.next(event);
-    });
-    this.initialize();
-  }
-  // ============================================================================
-  // Reactive State Observables
-  // ============================================================================
-  /**
-   * Current user observable.
-   */
-  get currentUser$() {
-    return this.currentUserSubject.asObservable();
-  }
-  /**
-   * Authenticated state observable.
-   */
-  get isAuthenticated$() {
-    return this.isAuthenticatedSubject.asObservable();
-  }
-  /**
-   * Current challenge observable (for reactive challenge navigation).
-   */
-  get challenge$() {
-    return this.challengeSubject.asObservable();
-  }
-  /**
-   * Authentication events stream.
-   * Emits all auth lifecycle events for custom logic, analytics, or UI updates.
-   */
-  get authEvents$() {
-    return this.authEventsSubject.asObservable();
-  }
-  /**
-   * Successful authentication events stream.
-   * Emits when user successfully authenticates (login, signup, social auth).
-   */
-  get authSuccess$() {
-    return this.authEventsSubject.pipe((0, import_operators.filter)((e) => e.type === "auth:success"));
-  }
-  /**
-   * Authentication error events stream.
-   * Emits when authentication fails (login error, OAuth error, etc.).
-   */
-  get authError$() {
-    return this.authEventsSubject.pipe((0, import_operators.filter)((e) => e.type === "auth:error" || e.type === "oauth:error"));
-  }
-  // ============================================================================
-  // Sync State Accessors (for guards, templates)
-  // ============================================================================
-  /**
-   * Check if authenticated (sync, uses cached state).
-   */
-  isAuthenticated() {
-    return this.client.isAuthenticatedSync();
-  }
-  /**
-   * Get current user (sync, uses cached state).
-   */
-  getCurrentUser() {
-    return this.client.getCurrentUser();
-  }
-  /**
-   * Get current challenge (sync).
-   */
-  getCurrentChallenge() {
-    return this.challengeSubject.value;
-  }
-  // ============================================================================
-  // Core Auth Methods
-  // ============================================================================
-  /**
-   * Login with identifier and password.
-   *
-   * @param identifier - User email or username
-   * @param password - User password
-   * @returns Promise with auth response or challenge
-   *
-   * @example
-   * ```typescript
-   * const response = await this.auth.login('user@example.com', 'password');
-   * if (response.challengeName) {
-   *   // Handle challenge
-   * } else {
-   *   // Login successful
-   * }
-   * ```
-   */
-  async login(identifier, password) {
-    const res = await this.client.login(identifier, password);
-    return this.updateChallengeState(res);
-  }
-  /**
-   * Signup with credentials.
-   *
-   * @param payload - Signup request payload
-   * @returns Promise with auth response or challenge
-   *
-   * @example
-   * ```typescript
-   * const response = await this.auth.signup({
-   *   email: 'new@example.com',
-   *   password: 'SecurePass123!',
-   *   firstName: 'John',
-   * });
-   * ```
-   */
-  async signup(payload) {
-    const res = await this.client.signup(payload);
-    return this.updateChallengeState(res);
-  }
-  /**
-   * Logout current session.
-   *
-   * @param forgetDevice - If true, removes device trust
-   *
-   * @example
-   * ```typescript
-   * await this.auth.logout();
-   * ```
-   */
-  async logout(forgetDevice) {
-    await this.client.logout(forgetDevice);
-    this.challengeSubject.next(null);
-    this.currentUserSubject.next(null);
-    this.isAuthenticatedSubject.next(false);
-    if (this.config.tokenDelivery === "cookies" && typeof document !== "undefined") {
-      const csrfCookieName = this.config.csrf?.cookieName ?? "nauth_csrf_token";
-      try {
-        const url = new URL(this.config.baseUrl);
-        document.cookie = `${csrfCookieName}=; expires=Thu, 01 Jan 1970 00:00:00 UTC; path=/; domain=${url.hostname}`;
-        document.cookie = `${csrfCookieName}=; expires=Thu, 01 Jan 1970 00:00:00 UTC; path=/`;
-      } catch {
-        document.cookie = `${csrfCookieName}=; expires=Thu, 01 Jan 1970 00:00:00 UTC; path=/`;
-      }
-    }
-  }
-  /**
-   * Logout all sessions.
-   *
-   * Revokes all active sessions for the current user across all devices.
-   * Optionally revokes all trusted devices if forgetDevices is true.
-   *
-   * @param forgetDevices - If true, also revokes all trusted devices (default: false)
-   * @returns Promise with number of sessions revoked
-   *
-   * @example
-   * ```typescript
-   * const result = await this.auth.logoutAll();
-   * console.log(`Revoked ${result.revokedCount} sessions`);
-   * ```
-   */
-  async logoutAll(forgetDevices) {
-    const res = await this.client.logoutAll(forgetDevices);
-    this.challengeSubject.next(null);
-    this.currentUserSubject.next(null);
-    this.isAuthenticatedSubject.next(false);
-    return res;
-  }
-  /**
-   * Refresh tokens.
-   *
-   * @returns Promise with new tokens
-   *
-   * @example
-   * ```typescript
-   * const tokens = await this.auth.refresh();
-   * ```
-   */
-  async refresh() {
-    return this.client.refreshTokens();
-  }
-  // ============================================================================
-  // Account Recovery (Forgot Password)
-  // ============================================================================
-  /**
-   * Request a password reset code (forgot password).
-   *
-   * @param identifier - User email, username, or phone
-   * @returns Promise with password reset response
-   *
-   * @example
-   * ```typescript
-   * await this.auth.forgotPassword('user@example.com');
-   * ```
-   */
-  async forgotPassword(identifier) {
-    return this.client.forgotPassword(identifier);
-  }
-  /**
-   * Confirm a password reset code and set a new password.
-   *
-   * @param identifier - User email, username, or phone
-   * @param code - One-time reset code
-   * @param newPassword - New password
-   * @returns Promise with confirmation response
-   *
-   * @example
-   * ```typescript
-   * await this.auth.confirmForgotPassword('user@example.com', '123456', 'NewPass123!');
-   * ```
-   */
-  async confirmForgotPassword(identifier, code, newPassword) {
-    return this.client.confirmForgotPassword(identifier, code, newPassword);
-  }
-  /**
-   * Change user password (requires current password).
-   *
-   * @param oldPassword - Current password
-   * @param newPassword - New password (must meet requirements)
-   * @returns Promise that resolves when password is changed
-   *
-   * @example
-   * ```typescript
-   * await this.auth.changePassword('oldPassword123', 'newSecurePassword456!');
-   * ```
-   */
-  async changePassword(oldPassword, newPassword) {
-    return this.client.changePassword(oldPassword, newPassword);
-  }
-  /**
-   * Request password change (must change on next login).
-   *
-   * @returns Promise that resolves when request is sent
-   *
-   * @example
-   * ```typescript
-   * await this.auth.requestPasswordChange();
-   * ```
-   */
-  async requestPasswordChange() {
-    return this.client.requestPasswordChange();
-  }
-  // ============================================================================
-  // Profile Management
-  // ============================================================================
-  /**
-   * Get current user profile.
-   *
-   * @returns Promise of current user profile
-   *
-   * @example
-   * ```typescript
-   * const user = await this.auth.getProfile();
-   * console.log('User profile:', user);
-   * ```
-   */
-  async getProfile() {
-    const user = await this.client.getProfile();
-    this.currentUserSubject.next(user);
-    return user;
-  }
-  /**
-   * Update user profile.
-   *
-   * @param updates - Profile fields to update
-   * @returns Promise of updated user profile
-   *
-   * @example
-   * ```typescript
-   * const user = await this.auth.updateProfile({ firstName: 'John', lastName: 'Doe' });
-   * console.log('Profile updated:', user);
-   * ```
-   */
-  async updateProfile(updates) {
-    const user = await this.client.updateProfile(updates);
-    this.currentUserSubject.next(user);
-    return user;
-  }
-  // ============================================================================
-  // Challenge Flow Methods (Essential for any auth flow)
-  // ============================================================================
-  /**
-   * Respond to a challenge (VERIFY_EMAIL, VERIFY_PHONE, MFA_REQUIRED, etc.).
-   *
-   * @param response - Challenge response data
-   * @returns Promise with auth response or next challenge
-   *
-   * @example
-   * ```typescript
-   * const result = await this.auth.respondToChallenge({
-   *   session: challengeSession,
-   *   type: 'VERIFY_EMAIL',
-   *   code: '123456',
-   * });
-   * ```
-   */
-  async respondToChallenge(response) {
-    const res = await this.client.respondToChallenge(response);
-    return this.updateChallengeState(res);
-  }
-  /**
-   * Resend challenge code.
-   *
-   * @param session - Challenge session token
-   * @returns Promise with destination information
-   *
-   * @example
-   * ```typescript
-   * const result = await this.auth.resendCode(session);
-   * console.log('Code sent to:', result.destination);
-   * ```
-   */
-  async resendCode(session) {
-    return this.client.resendCode(session);
-  }
-  /**
-   * Get MFA setup data (for MFA_SETUP_REQUIRED challenge).
-   *
-   * Returns method-specific setup information:
-   * - TOTP: { secret, qrCode, manualEntryKey }
-   * - SMS: { maskedPhone }
-   * - Email: { maskedEmail }
-   * - Passkey: WebAuthn registration options
-   *
-   * @param session - Challenge session token
-   * @param method - MFA method to set up
-   * @returns Promise of setup data response
-   *
-   * @example
-   * ```typescript
-   * const setupData = await this.auth.getSetupData(session, 'totp');
-   * console.log('QR Code:', setupData.setupData.qrCode);
-   * ```
-   */
-  async getSetupData(session, method) {
-    return this.client.getSetupData(session, method);
-  }
-  /**
-   * Get MFA challenge data (for MFA_REQUIRED challenge - e.g., passkey options).
-   *
-   * @param session - Challenge session token
-   * @param method - Challenge method
-   * @returns Promise of challenge data response
-   *
-   * @example
-   * ```typescript
-   * const challengeData = await this.auth.getChallengeData(session, 'passkey');
-   * ```
-   */
-  async getChallengeData(session, method) {
-    return this.client.getChallengeData(session, method);
-  }
-  /**
-   * Clear stored challenge (when navigating away from challenge flow).
-   *
-   * @returns Promise that resolves when challenge is cleared
-   *
-   * @example
-   * ```typescript
-   * await this.auth.clearChallenge();
-   * ```
-   */
-  async clearChallenge() {
-    await this.client.clearStoredChallenge();
-    this.challengeSubject.next(null);
-  }
-  // ============================================================================
-  // Social Authentication
-  // ============================================================================
-  /**
-   * Initiate social OAuth login flow.
-   * Redirects the browser to backend `/auth/social/:provider/redirect`.
-   *
-   * @param provider - Social provider ('google', 'apple', 'facebook')
-   * @param options - Optional redirect options
-   * @returns Promise that resolves when redirect starts
-   *
-   * @example
-   * ```typescript
-   * await this.auth.loginWithSocial('google', { returnTo: '/auth/callback' });
-   * ```
-   */
-  async loginWithSocial(provider, options) {
-    return this.client.loginWithSocial(provider, options);
-  }
-  /**
-   * Exchange an exchangeToken (from redirect callback URL) into an AuthResponse.
-   *
-   * Used for `tokenDelivery: 'json'` or hybrid flows where the backend redirects back
-   * with `exchangeToken` instead of setting cookies.
-   *
-   * @param exchangeToken - One-time exchange token from the callback URL
-   * @returns Promise of AuthResponse
-   *
-   * @example
-   * ```typescript
-   * const response = await this.auth.exchangeSocialRedirect(exchangeToken);
-   * ```
-   */
-  async exchangeSocialRedirect(exchangeToken) {
-    const res = await this.client.exchangeSocialRedirect(exchangeToken);
-    return this.updateChallengeState(res);
-  }
-  /**
-   * Verify native social token (mobile).
-   *
-   * @param request - Social verification request with provider and token
-   * @returns Promise of AuthResponse
-   *
-   * @example
-   * ```typescript
-   * const result = await this.auth.verifyNativeSocial({
-   *   provider: 'google',
-   *   idToken: nativeIdToken,
-   * });
-   * ```
-   */
-  async verifyNativeSocial(request) {
-    const res = await this.client.verifyNativeSocial(request);
-    return this.updateChallengeState(res);
-  }
-  /**
-   * Get linked social accounts.
-   *
-   * @returns Promise of linked accounts response
-   *
-   * @example
-   * ```typescript
-   * const accounts = await this.auth.getLinkedAccounts();
-   * console.log('Linked providers:', accounts.providers);
-   * ```
-   */
-  async getLinkedAccounts() {
-    return this.client.getLinkedAccounts();
-  }
-  /**
-   * Link social account.
-   *
-   * @param provider - Social provider to link
-   * @param code - OAuth authorization code
-   * @param state - OAuth state parameter
-   * @returns Promise with success message
-   *
-   * @example
-   * ```typescript
-   * await this.auth.linkSocialAccount('google', code, state);
-   * ```
-   */
-  async linkSocialAccount(provider, code, state) {
-    return this.client.linkSocialAccount(provider, code, state);
-  }
-  /**
-   * Unlink social account.
-   *
-   * @param provider - Social provider to unlink
-   * @returns Promise with success message
-   *
-   * @example
-   * ```typescript
-   * await this.auth.unlinkSocialAccount('google');
-   * ```
-   */
-  async unlinkSocialAccount(provider) {
-    return this.client.unlinkSocialAccount(provider);
-  }
-  // ============================================================================
-  // MFA Management
-  // ============================================================================
-  /**
-   * Get MFA status for the current user.
-   *
-   * @returns Promise of MFA status
-   *
-   * @example
-   * ```typescript
-   * const status = await this.auth.getMfaStatus();
-   * console.log('MFA enabled:', status.enabled);
-   * ```
-   */
-  async getMfaStatus() {
-    return this.client.getMfaStatus();
-  }
-  /**
-   * Get MFA devices for the current user.
-   *
-   * @returns Promise of MFA devices array
-   *
-   * @example
-   * ```typescript
-   * const devices = await this.auth.getMfaDevices();
-   * ```
-   */
-  async getMfaDevices() {
-    return this.client.getMfaDevices();
-  }
-  /**
-   * Setup MFA device (authenticated user).
-   *
-   * @param method - MFA method to set up
-   * @returns Promise of setup data
-   *
-   * @example
-   * ```typescript
-   * const setupData = await this.auth.setupMfaDevice('totp');
-   * ```
-   */
-  async setupMfaDevice(method) {
-    return this.client.setupMfaDevice(method);
-  }
-  /**
-   * Verify MFA setup (authenticated user).
-   *
-   * @param method - MFA method
-   * @param setupData - Setup data from setupMfaDevice
-   * @param deviceName - Optional device name
-   * @returns Promise with device ID
-   *
-   * @example
-   * ```typescript
-   * const result = await this.auth.verifyMfaSetup('totp', { code: '123456' }, 'My Phone');
-   * ```
-   */
-  async verifyMfaSetup(method, setupData, deviceName) {
-    return this.client.verifyMfaSetup(method, setupData, deviceName);
-  }
-  /**
-   * Remove MFA device.
-   *
-   * @param method - MFA method to remove
-   * @returns Promise with success message
-   *
-   * @example
-   * ```typescript
-   * await this.auth.removeMfaDevice('sms');
-   * ```
-   */
-  async removeMfaDevice(method) {
-    return this.client.removeMfaDevice(method);
-  }
-  /**
-   * Set preferred MFA method.
-   *
-   * @param method - Device method to set as preferred ('totp', 'sms', 'email', or 'passkey')
-   * @returns Promise with success message
-   *
-   * @example
-   * ```typescript
-   * await this.auth.setPreferredMfaMethod('totp');
-   * ```
-   */
-  async setPreferredMfaMethod(method) {
-    return this.client.setPreferredMfaMethod(method);
-  }
-  /**
-   * Generate backup codes.
-   *
-   * @returns Promise of backup codes array
-   *
-   * @example
-   * ```typescript
-   * const codes = await this.auth.generateBackupCodes();
-   * console.log('Backup codes:', codes);
-   * ```
-   */
-  async generateBackupCodes() {
-    return this.client.generateBackupCodes();
-  }
-  /**
-   * Set MFA exemption (admin/test scenarios).
-   *
-   * @param exempt - Whether to exempt user from MFA
-   * @param reason - Optional reason for exemption
-   * @returns Promise that resolves when exemption is set
-   *
-   * @example
-   * ```typescript
-   * await this.auth.setMfaExemption(true, 'Test account');
-   * ```
-   */
-  async setMfaExemption(exempt, reason) {
-    return this.client.setMfaExemption(exempt, reason);
-  }
-  // ============================================================================
-  // Device Trust
-  // ============================================================================
-  /**
-   * Trust current device.
-   *
-   * @returns Promise with device token
-   *
-   * @example
-   * ```typescript
-   * const result = await this.auth.trustDevice();
-   * console.log('Device trusted:', result.deviceToken);
-   * ```
-   */
-  async trustDevice() {
-    return this.client.trustDevice();
-  }
-  /**
-   * Check if the current device is trusted.
-   *
-   * @returns Promise with trusted status
-   *
-   * @example
-   * ```typescript
-   * const result = await this.auth.isTrustedDevice();
-   * if (result.trusted) {
-   *   console.log('This device is trusted');
-   * }
-   * ```
-   */
-  async isTrustedDevice() {
-    return this.client.isTrustedDevice();
-  }
-  // ============================================================================
-  // Audit History
-  // ============================================================================
-  /**
-   * Get paginated audit history for the current user.
-   *
-   * @param params - Query parameters for filtering and pagination
-   * @returns Promise of audit history response
-   *
-   * @example
-   * ```typescript
-   * const history = await this.auth.getAuditHistory({
-   *   page: 1,
-   *   limit: 20,
-   *   eventType: 'LOGIN_SUCCESS'
-   * });
-   * console.log('Audit history:', history);
-   * ```
-   */
-  async getAuditHistory(params) {
-    return this.client.getAuditHistory(params);
-  }
-  // ============================================================================
-  // Escape Hatch
-  // ============================================================================
-  /**
-   * Expose underlying NAuthClient for advanced scenarios.
-   *
-   * @deprecated All core functionality is now exposed directly on AuthService as Promises.
-   * Use the direct methods on AuthService instead (e.g., `auth.changePassword()` instead of `auth.getClient().changePassword()`).
-   * This method is kept for backward compatibility only and may be removed in a future version.
-   *
-   * @returns The underlying NAuthClient instance
-   *
-   * @example
-   * ```typescript
-   * // Deprecated - use direct methods instead
-   * const status = await this.auth.getClient().getMfaStatus();
-   *
-   * // Preferred - use direct methods
-   * const status = await this.auth.getMfaStatus();
-   * ```
-   */
-  getClient() {
-    return this.client;
-  }
-  // ============================================================================
-  // Internal Methods
-  // ============================================================================
-  /**
-   * Initialize by hydrating state from storage.
-   * Called automatically on construction.
-   */
-  async initialize() {
-    if (this.initialized) return;
-    this.initialized = true;
-    await this.client.initialize();
-    const storedChallenge = await this.client.getStoredChallenge();
-    if (storedChallenge) {
-      this.challengeSubject.next(storedChallenge);
-    }
-    const user = this.client.getCurrentUser();
-    if (user) {
-      this.currentUserSubject.next(user);
-      this.isAuthenticatedSubject.next(true);
-    }
-  }
-  /**
-   * Update challenge state after auth response.
-   */
-  updateChallengeState(response) {
-    if (response.challengeName) {
-      this.challengeSubject.next(response);
-    } else {
-      this.challengeSubject.next(null);
-    }
-    return response;
-  }
-};
-__name(AuthService, "AuthService");
-AuthService = __decorateClass([
-  (0, import_core3.Injectable)({
-    providedIn: "root"
-  }),
-  __decorateParam(0, (0, import_core3.Optional)()),
-  __decorateParam(0, (0, import_core3.Inject)(NAUTH_CLIENT_CONFIG))
-], AuthService);
-// src/angular/auth.interceptor.ts
-var import_core4 = require("@angular/core");
-var import_common = require("@angular/common");
-var import_http2 = require("@angular/common/http");
-var import_router = require("@angular/router");
-var import_rxjs3 = require("rxjs");
-var isRefreshing = false;
-var refreshTokenSubject = new import_rxjs3.BehaviorSubject(null);
-var retriedRequests = /* @__PURE__ */ new WeakSet();
-function getCsrfToken(cookieName) {
-  if (typeof document === "undefined") return null;
-  const match = document.cookie.match(new RegExp(`(^| )${cookieName}=([^;]+)`));
-  return match ? decodeURIComponent(match[2]) : null;
-}
-__name(getCsrfToken, "getCsrfToken");
-var authInterceptor = /* @__PURE__ */ __name((req, next) => {
-  const config = (0, import_core4.inject)(NAUTH_CLIENT_CONFIG);
-  const http = (0, import_core4.inject)(import_http2.HttpClient);
-  const authService = (0, import_core4.inject)(AuthService);
-  const platformId = (0, import_core4.inject)(import_core4.PLATFORM_ID);
-  const router = (0, import_core4.inject)(import_router.Router);
-  const isBrowser = (0, import_common.isPlatformBrowser)(platformId);
-  if (!isBrowser) {
-    return next(req);
-  }
-  const tokenDelivery = config.tokenDelivery;
-  const baseUrl = config.baseUrl;
-  const endpoints = config.endpoints ?? {};
-  const refreshPath = endpoints.refresh ?? "/refresh";
-  const loginPath = endpoints.login ?? "/login";
-  const signupPath = endpoints.signup ?? "/signup";
-  const socialExchangePath = endpoints.socialExchange ?? "/social/exchange";
-  const refreshUrl = `${baseUrl}${refreshPath}`;
-  const isAuthApiRequest = req.url.includes(baseUrl);
-  const isRefreshEndpoint = req.url.includes(refreshPath);
-  const isPublicEndpoint = req.url.includes(loginPath) || req.url.includes(signupPath) || req.url.includes(socialExchangePath);
-  let authReq = req;
-  if (tokenDelivery === "cookies") {
-    authReq = authReq.clone({ withCredentials: true });
-    if (["POST", "PUT", "PATCH", "DELETE"].includes(req.method)) {
-      const csrfCookieName = config.csrf?.cookieName ?? "nauth_csrf_token";
-      const csrfHeaderName = config.csrf?.headerName ?? "x-csrf-token";
-      const csrfToken = getCsrfToken(csrfCookieName);
-      if (csrfToken) {
-        authReq = authReq.clone({ setHeaders: { [csrfHeaderName]: csrfToken } });
-      }
-    }
-  }
-  return next(authReq).pipe(
-    (0, import_rxjs3.catchError)((error) => {
-      const shouldHandle = error instanceof import_http2.HttpErrorResponse && error.status === 401 && isAuthApiRequest && !isRefreshEndpoint && !isPublicEndpoint && !retriedRequests.has(req);
-      if (!shouldHandle) {
-        return (0, import_rxjs3.throwError)(() => error);
-      }
-      if (config.debug) {
-        console.warn("[nauth-interceptor] 401 detected:", req.url);
-      }
-      if (!isRefreshing) {
-        isRefreshing = true;
-        refreshTokenSubject.next(null);
-        if (config.debug) {
-          console.warn("[nauth-interceptor] Starting refresh...");
-        }
-        const refresh$ = tokenDelivery === "cookies" ? http.post(refreshUrl, {}, { withCredentials: true }) : (0, import_rxjs3.from)(authService.refresh());
-        return refresh$.pipe(
-          (0, import_rxjs3.switchMap)((response) => {
-            if (config.debug) {
-              console.warn("[nauth-interceptor] Refresh successful");
-            }
-            isRefreshing = false;
-            const newToken = "accessToken" in response ? response.accessToken : "success";
-            refreshTokenSubject.next(newToken ?? "success");
-            const retryReq = buildRetryRequest(authReq, tokenDelivery, newToken);
-            retriedRequests.add(retryReq);
-            if (config.debug) {
-              console.warn("[nauth-interceptor] Retrying:", req.url);
-            }
-            return next(retryReq);
-          }),
-          (0, import_rxjs3.catchError)((err) => {
-            if (config.debug) {
-              console.error("[nauth-interceptor] Refresh failed:", err);
-            }
-            isRefreshing = false;
-            refreshTokenSubject.next(null);
-            if (config.redirects?.sessionExpired) {
-              router.navigateByUrl(config.redirects.sessionExpired).catch((navError) => {
-                if (config.debug) {
-                  console.error("[nauth-interceptor] Navigation failed:", navError);
-                }
-              });
-            }
-            return (0, import_rxjs3.throwError)(() => err);
-          })
-        );
-      } else {
-        if (config.debug) {
-          console.warn("[nauth-interceptor] Waiting for refresh...");
-        }
-        return refreshTokenSubject.pipe(
-          (0, import_rxjs3.filter)((token) => token !== null),
-          (0, import_rxjs3.take)(1),
-          (0, import_rxjs3.switchMap)((token) => {
-            if (config.debug) {
-              console.warn("[nauth-interceptor] Refresh done, retrying:", req.url);
-            }
-            const retryReq = buildRetryRequest(authReq, tokenDelivery, token);
-            retriedRequests.add(retryReq);
-            return next(retryReq);
-          })
-        );
-      }
-    })
-  );
-}, "authInterceptor");
-function buildRetryRequest(originalReq, tokenDelivery, newToken) {
-  if (tokenDelivery === "json" && newToken && newToken !== "success") {
-    return originalReq.clone({
-      setHeaders: { Authorization: `Bearer ${newToken}` }
-    });
-  }
-  return originalReq.clone();
-}
-__name(buildRetryRequest, "buildRetryRequest");
-var _AuthInterceptor = class _AuthInterceptor {
-  intercept(req, next) {
-    return authInterceptor(req, next);
-  }
-};
-__name(_AuthInterceptor, "AuthInterceptor");
-var AuthInterceptor = _AuthInterceptor;
-// src/angular/auth.guard.ts
-var import_core5 = require("@angular/core");
-var import_router2 = require("@angular/router");
-function authGuard(redirectTo = "/login") {
-  return () => {
-    const auth = (0, import_core5.inject)(AuthService);
-    const router = (0, import_core5.inject)(import_router2.Router);
-    if (auth.isAuthenticated()) {
-      return true;
-    }
-    return router.createUrlTree([redirectTo]);
-  };
-}
-__name(authGuard, "authGuard");
-var _AuthGuard = class _AuthGuard {
-  /**
-   * @param auth - Authentication service
-   * @param router - Angular router
-   */
-  constructor(auth, router) {
-    this.auth = auth;
-    this.router = router;
-  }
-  /**
-   * Check if route can be activated.
-   *
-   * @returns True if authenticated, otherwise redirects to login
-   */
-  canActivate() {
-    if (this.auth.isAuthenticated()) {
-      return true;
-    }
-    return this.router.createUrlTree(["/login"]);
-  }
-};
-__name(_AuthGuard, "AuthGuard");
-var AuthGuard = _AuthGuard;
-// src/angular/social-redirect-callback.guard.ts
-var import_core6 = require("@angular/core");
-var import_common2 = require("@angular/common");
-var socialRedirectCallbackGuard = /* @__PURE__ */ __name(async () => {
-  const auth = (0, import_core6.inject)(AuthService);
-  const config = (0, import_core6.inject)(NAUTH_CLIENT_CONFIG);
-  const platformId = (0, import_core6.inject)(import_core6.PLATFORM_ID);
-  const isBrowser = (0, import_common2.isPlatformBrowser)(platformId);
-  if (!isBrowser) {
-    return false;
-  }
-  const params = new URLSearchParams(window.location.search);
-  const error = params.get("error");
-  const exchangeToken = params.get("exchangeToken");
-  if (error) {
-    const errorUrl = config.redirects?.oauthError || "/login";
-    window.location.replace(errorUrl);
-    return false;
-  }
-  if (!exchangeToken) {
-    try {
-      await auth.getProfile();
-    } catch {
-      const errorUrl = config.redirects?.oauthError || "/login";
-      window.location.replace(errorUrl);
-      return false;
-    }
-    const successUrl2 = config.redirects?.success || "/";
-    window.location.replace(successUrl2);
-    return false;
-  }
-  const response = await auth.exchangeSocialRedirect(exchangeToken);
-  if (response.challengeName) {
-    const challengeBase = config.redirects?.challengeBase || "/auth/challenge";
-    const challengeRoute = response.challengeName.toLowerCase().replace(/_/g, "-");
-    window.location.replace(`${challengeBase}/${challengeRoute}`);
-    return false;
-  }
-  const successUrl = config.redirects?.success || "/";
-  window.location.replace(successUrl);
-  return false;
-}, "socialRedirectCallbackGuard");
-// src/angular/auth.module.ts
-var import_core7 = require("@angular/core");
-var import_http3 = require("@angular/common/http");
-var NAuthModule = class {
-  /**
-   * Configure the module with client settings.
-   *
-   * @param config - Client configuration
-   */
-  static forRoot(config) {
-    return {
-      ngModule: NAuthModule,
-      providers: [
-        { provide: NAUTH_CLIENT_CONFIG, useValue: config },
-        { provide: import_http3.HTTP_INTERCEPTORS, useClass: AuthInterceptor, multi: true }
-      ]
-    };
-  }
-};
-__name(NAuthModule, "NAuthModule");
-NAuthModule = __decorateClass([
-  (0, import_core7.NgModule)({})
-], NAuthModule);
-// Annotate the CommonJS export names for ESM import in node:
-0 && (module.exports = {
-  AngularHttpAdapter,
-  AuthGuard,
-  AuthInterceptor,
-  AuthService,
-  NAUTH_CLIENT_CONFIG,
-  NAuthModule,
-  authGuard,
-  authInterceptor,
-  socialRedirectCallbackGuard
-});
-//# sourceMappingURL=index.cjs.map