@nexusrt/nexus-auth 1.0.0

package/dist/index.mjs

@@ -0,0 +1,506 @@
+// src/http.ts
+async function request(url, options = {}) {
+  const response = await fetch(url, {
+    ...options,
+    credentials: "include",
+    // required for cookie-based sessions
+    headers: {
+      "Content-Type": "application/json",
+      ...options.headers
+    }
+  });
+  const data = await response.json().catch(() => null);
+  if (!response.ok) {
+    const message = data?.message ?? `Request failed with status ${response.status}`;
+    throw new AuthError(message, response.status, data);
+  }
+  return data;
+}
+var AuthError = class extends Error {
+  constructor(message, status, body = null) {
+    super(message);
+    this.status = status;
+    this.body = body;
+    this.name = "AuthError";
+  }
+};
+
+// src/methods/token.ts
+var TokenManager = class {
+  constructor() {
+    this.accessToken = null;
+  }
+  // ── Getters / Setters ───────────────────────────────────────────────────
+  getAccessToken() {
+    return this.accessToken;
+  }
+  setAccessToken(token) {
+    this.accessToken = token;
+  }
+  clearAccessToken() {
+    this.accessToken = null;
+  }
+  // ── JWT helpers ─────────────────────────────────────────────────────────
+  /**
+   * Decodes the JWT payload without verifying the signature.
+   * Useful for reading user info (email, avatar) on the client side.
+   */
+  decodeToken(token) {
+    try {
+      const payload = token.split(".")[1];
+      return JSON.parse(atob(payload));
+    } catch {
+      return null;
+    }
+  }
+  /**
+   * Reads user info directly from the stored access token.
+   * Returns null if no token is set or it cannot be decoded.
+   */
+  getUserFromToken() {
+    if (!this.accessToken) return null;
+    const payload = this.decodeToken(this.accessToken);
+    if (!payload) return null;
+    return {
+      email: payload.email,
+      avatar_url: payload.avatar_url
+    };
+  }
+  // ── Refresh ─────────────────────────────────────────────────────────────
+  /**
+   * Attempts to get a new access token using the HttpOnly refresh-token cookie.
+   * Call this once on app startup to restore an existing session.
+   *
+   * @returns The decoded user info on success, or null if no refresh token exists.
+   */
+  async refresh(baseUrl) {
+    try {
+      const data = await request(
+        `${baseUrl}/auth/refresh`,
+        { method: "POST" }
+      );
+      this.setAccessToken(data.access_token);
+      return this.getUserFromToken();
+    } catch {
+      return null;
+    }
+  }
+};
+
+// src/methods/session.ts
+var SessionManager = class {
+  // ── Get Current User ────────────────────────────────────────────────────
+  /**
+   * Fetches the currently authenticated user from the server.
+   * Relies on the session cookie being present in the browser.
+   *
+   * Use this instead of decoding the JWT when you want the
+   * authoritative user object from your database.
+   */
+  async getUser(baseUrl) {
+    return request(`${baseUrl}/me`, { method: "GET" });
+  }
+  // ── Verify Session ──────────────────────────────────────────────────────
+  /**
+   * Verifies that a session is still valid for a given email address.
+   * Useful for server-side checks or sensitive operations.
+   */
+  async verifySession(baseUrl, email) {
+    await request(`${baseUrl}/auth/verify_session`, {
+      method: "POST",
+      body: JSON.stringify({ email })
+    });
+  }
+};
+
+// src/types/index.ts
+var SignInStatus = {
+  /** Standard email+password sign-in succeeded — no MFA required */
+  SUCCESS: "SUCCESS",
+  /** Server requires the user to complete an Email MFA challenge */
+  MFA_REQUIRED: "MFA_REQUIRED",
+  /** Server requires the user to complete a TOTP challenge */
+  TOTP_REQUIRED: "TOTP_REQUIRED",
+  /** Server sent a magic link/code to the user's email */
+  MAGIC_LINK: "MAGIC_LINK",
+  /** Server sent a password-reset code to the user's email */
+  RESET_PASSWORD: "RESET_PASSWORD"
+};
+
+// src/methods/emailPassword.ts
+var EmailPasswordAuth = class {
+  // ── Sign Up ─────────────────────────────────────────────────────────────
+  /**
+   * Creates a new account with an email address and password.
+   */
+  async signUp(baseUrl, credentials) {
+    return request(
+      `${baseUrl}/auth/email_password/signup`,
+      {
+        method: "POST",
+        body: JSON.stringify({
+          email: credentials.email,
+          password: credentials.password,
+          userName: credentials.userName,
+          firstName: credentials.firstName,
+          lastName: credentials.lastName
+        })
+      }
+    );
+  }
+  // ── Sign In ─────────────────────────────────────────────────────────────
+  /**
+   * Signs in with email + password.
+   *
+   * Check `response.status` to determine the next step:
+   *
+   * ```ts
+   * const result = await auth.email.signIn({ email, password });
+   *
+   * if (result.status === SignInStatus.MFA_REQUIRED) {
+   *   // prompt for email OTP, then call auth.email.verifyMfa()
+   * } else if (result.status === SignInStatus.TOTP_REQUIRED) {
+   *   // prompt for TOTP code, then call auth.totp.verifySignIn()
+   * } else {
+   *   // user is signed in — store result.access_token if using JWT mode
+   * }
+   * ```
+   */
+  async signIn(baseUrl, credentials) {
+    return request(
+      `${baseUrl}/auth/email_password/signin`,
+      {
+        method: "POST",
+        body: JSON.stringify({
+          email: credentials.email,
+          password: credentials.password
+        })
+      }
+    );
+  }
+  // ── Email MFA verify ────────────────────────────────────────────────────
+  /**
+   * Confirms the one-time code sent to the user's email after a sign-in
+   * that returned `status === SignInStatus.MFA_REQUIRED`.
+   */
+  async verifyMfa(baseUrl, input) {
+    return request(
+      `${baseUrl}/auth/email_mfa_signin`,
+      {
+        method: "POST",
+        body: JSON.stringify({
+          sessionid: input.sessionId,
+          code: input.code
+        })
+      }
+    );
+  }
+  // ── Get username ────────────────────────────────────────────────────────
+  /**
+   * Looks up the username associated with an email address.
+   */
+  async getUsername(baseUrl, email) {
+    return request(
+      `${baseUrl}/auth/getusername`,
+      {
+        method: "POST",
+        body: JSON.stringify({ email })
+      }
+    );
+  }
+};
+
+// src/methods/magicLink.ts
+var MagicLinkAuth = class {
+  /**
+   * Sends a magic-link code to the provided email address.
+   *
+   * @returns A session ID (`mfa` field) that you must pass to `verify()`.
+   *
+   * ```ts
+   * const { mfa: sessionId } = await auth.magicLink.send(email);
+   * // store sessionId, prompt user for code
+   * ```
+   */
+  async send(baseUrl, email) {
+    return request(
+      `${baseUrl}/auth/email_magic_link`,
+      {
+        method: "POST",
+        body: JSON.stringify({ email })
+      }
+    );
+  }
+  /**
+   * Verifies the code the user received and completes sign-in.
+   */
+  async verify(baseUrl, input) {
+    return request(
+      `${baseUrl}/auth/verify_magic_link`,
+      {
+        method: "POST",
+        body: JSON.stringify({
+          sessionid: input.sessionId,
+          code: input.code
+        })
+      }
+    );
+  }
+};
+
+// src/methods/totp.ts
+var TotpAuth = class {
+  /**
+   * Starts TOTP registration — returns the secret / QR code to display.
+   */
+  async setup(baseUrl) {
+    return request(
+      `${baseUrl}/auth/mfa/totp/start`,
+      { method: "POST" }
+    );
+  }
+  /**
+   * Confirms the TOTP setup by verifying the first code from the
+   * authenticator app.
+   */
+  async confirmSetup(baseUrl, code) {
+    return request(
+      `${baseUrl}/auth/mfa/totp/confirm`,
+      {
+        method: "POST",
+        body: JSON.stringify({ code })
+      }
+    );
+  }
+  /**
+   * Completes a TOTP sign-in challenge.
+   * Use the `mfa` session ID returned by `emailPassword.signIn()` as `sessionId`.
+   */
+  async verifySignIn(baseUrl, input) {
+    return request(
+      `${baseUrl}/auth/mfa/totp/signin`,
+      {
+        method: "POST",
+        body: JSON.stringify({
+          challenge_id: input.sessionId,
+          code: input.code
+        })
+      }
+    );
+  }
+  /**
+   * Removes TOTP from the currently authenticated user's account.
+   */
+  async delete(baseUrl) {
+    await request(`${baseUrl}/auth/mfa/totp/delete`, { method: "POST" });
+  }
+};
+
+// src/methods/password.ts
+var PasswordAuth = class {
+  /**
+   * Changes the password for an already authenticated user.
+   */
+  async reset(baseUrl, input) {
+    return request(
+      `${baseUrl}/auth/password/reset`,
+      {
+        method: "POST",
+        body: JSON.stringify({
+          oldPassword: input.oldPassword,
+          newPassword: input.newPassword
+        })
+      }
+    );
+  }
+  /**
+   * Initiates the forgot-password flow by sending a reset code to the
+   * user's email address.
+   *
+   * @returns A session ID (`mfa` field) required by `confirmForgot()`.
+   *
+   * ```ts
+   * const { mfa: sessionId } = await auth.password.forgot(email);
+   * // prompt user for code
+   * ```
+   */
+  async forgot(baseUrl, email) {
+    return request(
+      `${baseUrl}/auth/password/forgot`,
+      {
+        method: "POST",
+        body: JSON.stringify({ email })
+      }
+    );
+  }
+  /**
+   * Completes the forgot-password flow by verifying the emailed code
+   * and setting the new password.
+   */
+  async confirmForgot(baseUrl, input) {
+    return request(
+      `${baseUrl}/auth/password/forgot/confirm`,
+      {
+        method: "POST",
+        body: JSON.stringify({
+          sessionID: input.sessionId,
+          code: input.code,
+          password: input.password
+        })
+      }
+    );
+  }
+};
+
+// src/methods/sso.ts
+var SsoAuth = class {
+  /**
+   * Registers an organisation's Identity Provider (IDP) with the auth system.
+   * This is typically called once by an organisation admin during onboarding.
+   */
+  async registerProvider(baseUrl, input) {
+    return request(
+      `${baseUrl}/sso/providers/register`,
+      {
+        method: "POST",
+        body: JSON.stringify({
+          provider_name: input.providerName,
+          provider_end_email: input.providerEndEmail,
+          client_id: input.clientId,
+          client_secret: input.clientSecret,
+          issuer: input.issuer,
+          callback_url: input.callbackUrl
+        })
+      }
+    );
+  }
+  /**
+   * Starts the SSO sign-in flow for an end user.
+   *
+   * The server resolves the correct IDP from the user's email domain
+   * and returns a redirect URL.  Redirect the user to that URL to
+   * complete sign-in with their organisation's IDP.
+   */
+  async signIn(baseUrl, email) {
+    return request(`${baseUrl}/sso/start`, {
+      method: "POST",
+      body: JSON.stringify({ email })
+    });
+  }
+};
+
+// src/methods/emailMfa.ts
+var EmailMfaManager = class {
+  /**
+   * Enables Email MFA for the currently authenticated user.
+   * Once enabled, future sign-ins will require a one-time code sent to email.
+   */
+  async create(baseUrl) {
+    await request(`${baseUrl}/auth/mfa/email/create`, { method: "POST" });
+  }
+  /**
+   * Disables Email MFA for the currently authenticated user.
+   */
+  async delete(baseUrl) {
+    await request(`${baseUrl}/auth/mfa/email/delete`, { method: "POST" });
+  }
+};
+
+// src/providers/social.ts
+var SocialAuth = class {
+  constructor(baseUrl) {
+    this.baseUrl = baseUrl;
+  }
+  /** Redirects to Google OAuth sign-in. */
+  signInWithGoogle() {
+    window.location.href = `${this.baseUrl}/auth/google`;
+  }
+  /** Redirects to GitHub OAuth sign-in. */
+  signInWithGithub() {
+    window.location.href = `${this.baseUrl}/auth/github`;
+  }
+  /** Redirects to LinkedIn OAuth sign-in. */
+  signInWithLinkedIn() {
+    window.location.href = `${this.baseUrl}/auth/linkedin`;
+  }
+  /** Redirects to Okta OAuth sign-in. */
+  signInWithOkta() {
+    window.location.href = `${this.baseUrl}/auth/okta`;
+  }
+};
+
+// src/client.ts
+var AuthClient = class {
+  constructor(config = {}) {
+    this.baseUrl = config.baseUrl ?? "https://auth.jobtrk.com";
+    this.token = new TokenManager();
+    this.session = new SessionManager();
+    this.social = new SocialAuth(this.baseUrl);
+    this.email = new EmailPasswordAuth();
+    this.magicLink = new MagicLinkAuth();
+    this.totp = new TotpAuth();
+    this.emailMfa = new EmailMfaManager();
+    this.password = new PasswordAuth();
+    this.sso = new SsoAuth();
+  }
+  // ── Logout helpers ───────────────────────────────────────────────────────
+  /**
+   * Signs the user out of the current session/device.
+   * Clears the in-memory access token after a successful server response.
+   */
+  async logout() {
+    await request(`${this.baseUrl}/auth/logout`, { method: "POST" });
+    this.token.clearAccessToken();
+  }
+  /**
+   * Signs the user out of ALL active sessions / devices.
+   * Clears the in-memory access token after a successful server response.
+   */
+  async logoutAllSessions() {
+    await request(`${this.baseUrl}/auth/logoutsessions`, { method: "POST" });
+    this.token.clearAccessToken();
+  }
+  // ── Convenience passthrough (avoids needing to pass baseUrl manually) ──
+  // The methods below are thin wrappers so callers can write:
+  //   auth.email.signIn(...)   instead of   auth.email.signIn(baseUrl, ...)
+  // by binding the baseUrl at construction time.
+  //
+  // This is achieved via Proxy in the factory below, but you can also use
+  // the raw modules directly if you prefer more control.
+};
+function bindBaseUrl(module, baseUrl) {
+  return new Proxy(module, {
+    get(target, prop) {
+      const value = target[prop];
+      if (typeof value === "function") {
+        return (...args) => value.call(target, baseUrl, ...args);
+      }
+      return value;
+    }
+  });
+}
+function createAuthClient(config = {}) {
+  const baseUrl = config.baseUrl ?? "https://auth.jobtrk.com";
+  const client = new AuthClient(config);
+  return {
+    ...client,
+    token: bindBaseUrl(client.token, baseUrl),
+    session: bindBaseUrl(client.session, baseUrl),
+    email: bindBaseUrl(client.email, baseUrl),
+    magicLink: bindBaseUrl(client.magicLink, baseUrl),
+    totp: bindBaseUrl(client.totp, baseUrl),
+    emailMfa: bindBaseUrl(client.emailMfa, baseUrl),
+    password: bindBaseUrl(client.password, baseUrl),
+    sso: bindBaseUrl(client.sso, baseUrl),
+    social: client.social,
+    // already has baseUrl from constructor
+    logout: () => client.logout(),
+    logoutAllSessions: () => client.logoutAllSessions()
+  };
+}
+export {
+  AuthClient,
+  AuthError,
+  SignInStatus,
+  createAuthClient
+};

package/dist/methods/emailMfa.d.ts

@@ -0,0 +1,18 @@
+/**
+ * Email MFA management.
+ *
+ * These methods manage whether a user has Email MFA enabled on their account.
+ * They are separate from the sign-in verify step (see EmailPasswordAuth.verifyMfa).
+ */
+export declare class EmailMfaManager {
+    /**
+     * Enables Email MFA for the currently authenticated user.
+     * Once enabled, future sign-ins will require a one-time code sent to email.
+     */
+    create(baseUrl: string): Promise<void>;
+    /**
+     * Disables Email MFA for the currently authenticated user.
+     */
+    delete(baseUrl: string): Promise<void>;
+}
+//# sourceMappingURL=emailMfa.d.ts.map

package/dist/methods/emailMfa.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"emailMfa.d.ts","sourceRoot":"","sources":["../../src/methods/emailMfa.ts"],"names":[],"mappings":"AAEA;;;;;GAKG;AACH,qBAAa,eAAe;IAC1B;;;OAGG;IACG,MAAM,CAAC,OAAO,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAI5C;;OAEG;IACG,MAAM,CAAC,OAAO,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;CAG7C"}

package/dist/methods/emailPassword.d.ts

@@ -0,0 +1,52 @@
+import type { EmailPasswordCredentials, MfaVerifyInput, SignInResponse, GenericSuccessResponse } from "../types";
+import { SignInStatus } from "../types";
+/**
+ * Email + Password authentication methods.
+ *
+ * Sign-in has three possible outcomes depending on what the user has enabled:
+ *
+ *   1. Plain sign-in     → status is undefined / SUCCESS  (no MFA)
+ *   2. Email MFA         → status === SignInStatus.MFA_REQUIRED
+ *   3. TOTP              → status === SignInStatus.TOTP_REQUIRED
+ *
+ * In cases 2 & 3 the response includes a `mfa` session ID that you must
+ * pass to the corresponding verify method.
+ *
+ * Import `SignInStatus` to compare against the status value:
+ *   import { SignInStatus } from "jobtrk-auth-sdk";
+ */
+export declare class EmailPasswordAuth {
+    /**
+     * Creates a new account with an email address and password.
+     */
+    signUp(baseUrl: string, credentials: EmailPasswordCredentials): Promise<GenericSuccessResponse>;
+    /**
+     * Signs in with email + password.
+     *
+     * Check `response.status` to determine the next step:
+     *
+     * ```ts
+     * const result = await auth.email.signIn({ email, password });
+     *
+     * if (result.status === SignInStatus.MFA_REQUIRED) {
+     *   // prompt for email OTP, then call auth.email.verifyMfa()
+     * } else if (result.status === SignInStatus.TOTP_REQUIRED) {
+     *   // prompt for TOTP code, then call auth.totp.verifySignIn()
+     * } else {
+     *   // user is signed in — store result.access_token if using JWT mode
+     * }
+     * ```
+     */
+    signIn(baseUrl: string, credentials: EmailPasswordCredentials): Promise<SignInResponse>;
+    /**
+     * Confirms the one-time code sent to the user's email after a sign-in
+     * that returned `status === SignInStatus.MFA_REQUIRED`.
+     */
+    verifyMfa(baseUrl: string, input: MfaVerifyInput): Promise<GenericSuccessResponse>;
+    /**
+     * Looks up the username associated with an email address.
+     */
+    getUsername(baseUrl: string, email: string): Promise<GenericSuccessResponse>;
+}
+export { SignInStatus };
+//# sourceMappingURL=emailPassword.d.ts.map

package/dist/methods/emailPassword.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"emailPassword.d.ts","sourceRoot":"","sources":["../../src/methods/emailPassword.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EACV,wBAAwB,EACxB,cAAc,EACd,cAAc,EACd,sBAAsB,EACvB,MAAM,UAAU,CAAC;AAClB,OAAO,EAAE,YAAY,EAAE,MAAM,UAAU,CAAC;AAExC;;;;;;;;;;;;;;GAcG;AACH,qBAAa,iBAAiB;IAG5B;;OAEG;IACG,MAAM,CACV,OAAO,EAAE,MAAM,EACf,WAAW,EAAE,wBAAwB,GACpC,OAAO,CAAC,sBAAsB,CAAC;IAkBlC;;;;;;;;;;;;;;;;OAgBG;IACG,MAAM,CACV,OAAO,EAAE,MAAM,EACf,WAAW,EAAE,wBAAwB,GACpC,OAAO,CAAC,cAAc,CAAC;IAe1B;;;OAGG;IACG,SAAS,CACb,OAAO,EAAE,MAAM,EACf,KAAK,EAAE,cAAc,GACpB,OAAO,CAAC,sBAAsB,CAAC;IAelC;;OAEG;IACG,WAAW,CACf,OAAO,EAAE,MAAM,EACf,KAAK,EAAE,MAAM,GACZ,OAAO,CAAC,sBAAsB,CAAC;CASnC;AAGD,OAAO,EAAE,YAAY,EAAE,CAAC"}

package/dist/methods/magicLink.d.ts

@@ -0,0 +1,27 @@
+import type { MagicLinkResponse, MfaVerifyInput, GenericSuccessResponse } from "../types";
+/**
+ * Email Magic Link authentication.
+ *
+ * Flow:
+ *   1. Call `send(email)` → server emails a one-time code to the user.
+ *   2. Response contains a `mfa` session ID.
+ *   3. User enters the code; call `verify({ sessionId, code })` to complete sign-in.
+ */
+export declare class MagicLinkAuth {
+    /**
+     * Sends a magic-link code to the provided email address.
+     *
+     * @returns A session ID (`mfa` field) that you must pass to `verify()`.
+     *
+     * ```ts
+     * const { mfa: sessionId } = await auth.magicLink.send(email);
+     * // store sessionId, prompt user for code
+     * ```
+     */
+    send(baseUrl: string, email: string): Promise<MagicLinkResponse>;
+    /**
+     * Verifies the code the user received and completes sign-in.
+     */
+    verify(baseUrl: string, input: MfaVerifyInput): Promise<GenericSuccessResponse>;
+}
+//# sourceMappingURL=magicLink.d.ts.map

package/dist/methods/magicLink.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"magicLink.d.ts","sourceRoot":"","sources":["../../src/methods/magicLink.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EACV,iBAAiB,EACjB,cAAc,EACd,sBAAsB,EACvB,MAAM,UAAU,CAAC;AAElB;;;;;;;GAOG;AACH,qBAAa,aAAa;IACxB;;;;;;;;;OASG;IACG,IAAI,CAAC,OAAO,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,iBAAiB,CAAC;IAUtE;;OAEG;IACG,MAAM,CACV,OAAO,EAAE,MAAM,EACf,KAAK,EAAE,cAAc,GACpB,OAAO,CAAC,sBAAsB,CAAC;CAYnC"}

package/dist/methods/password.d.ts

@@ -0,0 +1,37 @@
+import type { ResetPasswordInput, ForgotPasswordConfirmInput, ForgotPasswordResponse, GenericSuccessResponse } from "../types";
+/**
+ * Password management methods.
+ *
+ * ── Reset password (authenticated user) ──────────────────────────────
+ *   The user knows their current password and wants to change it.
+ *   Call `reset({ oldPassword, newPassword })`.
+ *
+ * ── Forgot password (unauthenticated) ────────────────────────────────
+ *   1. Call `forgot(email)` → server emails a code and returns a session ID.
+ *   2. User enters the code from their email.
+ *   3. Call `confirmForgot({ sessionId, code, password })` to set the new password.
+ */
+export declare class PasswordAuth {
+    /**
+     * Changes the password for an already authenticated user.
+     */
+    reset(baseUrl: string, input: ResetPasswordInput): Promise<GenericSuccessResponse>;
+    /**
+     * Initiates the forgot-password flow by sending a reset code to the
+     * user's email address.
+     *
+     * @returns A session ID (`mfa` field) required by `confirmForgot()`.
+     *
+     * ```ts
+     * const { mfa: sessionId } = await auth.password.forgot(email);
+     * // prompt user for code
+     * ```
+     */
+    forgot(baseUrl: string, email: string): Promise<ForgotPasswordResponse>;
+    /**
+     * Completes the forgot-password flow by verifying the emailed code
+     * and setting the new password.
+     */
+    confirmForgot(baseUrl: string, input: ForgotPasswordConfirmInput): Promise<GenericSuccessResponse>;
+}
+//# sourceMappingURL=password.d.ts.map

package/dist/methods/password.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"password.d.ts","sourceRoot":"","sources":["../../src/methods/password.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EACV,kBAAkB,EAClB,0BAA0B,EAC1B,sBAAsB,EACtB,sBAAsB,EACvB,MAAM,UAAU,CAAC;AAElB;;;;;;;;;;;GAWG;AACH,qBAAa,YAAY;IACvB;;OAEG;IACG,KAAK,CACT,OAAO,EAAE,MAAM,EACf,KAAK,EAAE,kBAAkB,GACxB,OAAO,CAAC,sBAAsB,CAAC;IAalC;;;;;;;;;;OAUG;IACG,MAAM,CACV,OAAO,EAAE,MAAM,EACf,KAAK,EAAE,MAAM,GACZ,OAAO,CAAC,sBAAsB,CAAC;IAUlC;;;OAGG;IACG,aAAa,CACjB,OAAO,EAAE,MAAM,EACf,KAAK,EAAE,0BAA0B,GAChC,OAAO,CAAC,sBAAsB,CAAC;CAanC"}

package/dist/methods/session.d.ts

@@ -0,0 +1,27 @@
+import type { AuthUser } from "../types";
+/**
+ * Session-based auth helpers.
+ *
+ * When the developer chooses sessions over JWTs, the server sets an
+ * HttpOnly session cookie.  These methods let you read and verify
+ * that session without managing tokens yourself.
+ *
+ * Note: An access token is still returned by the server even in session
+ * mode, so you can use it to authenticate with downstream services if needed.
+ */
+export declare class SessionManager {
+    /**
+     * Fetches the currently authenticated user from the server.
+     * Relies on the session cookie being present in the browser.
+     *
+     * Use this instead of decoding the JWT when you want the
+     * authoritative user object from your database.
+     */
+    getUser(baseUrl: string): Promise<AuthUser>;
+    /**
+     * Verifies that a session is still valid for a given email address.
+     * Useful for server-side checks or sensitive operations.
+     */
+    verifySession(baseUrl: string, email: string): Promise<void>;
+}
+//# sourceMappingURL=session.d.ts.map

package/dist/methods/session.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"session.d.ts","sourceRoot":"","sources":["../../src/methods/session.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,QAAQ,EAAE,MAAM,UAAU,CAAC;AAEzC;;;;;;;;;GASG;AACH,qBAAa,cAAc;IAGzB;;;;;;OAMG;IACG,OAAO,CAAC,OAAO,EAAE,MAAM,GAAG,OAAO,CAAC,QAAQ,CAAC;IAMjD;;;OAGG;IACG,aAAa,CAAC,OAAO,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;CAMnE"}