@nuria-tech/auth-sdk 1.0.3 → 1.0.4

package/README.md

@@ -1,16 +1,18 @@
 # @nuria-tech/auth-sdk
 
-A minimal, browser-native TypeScript SDK for OAuth 2.0 Authorization Code flow with PKCE. Redirect-only — no embedded UI, no password flows.
+[![npm version](https://img.shields.io/npm/v/@nuria-tech/auth-sdk.svg)](https://www.npmjs.com/package/@nuria-tech/auth-sdk)
+[![CI](https://github.com/nuria-tech/nuria-auth-sdk/actions/workflows/ci-publish.yml/badge.svg)](https://github.com/nuria-tech/nuria-auth-sdk/actions/workflows/ci-publish.yml)
+[![License: MIT](https://img.shields.io/badge/License-MIT-yellow.svg)](./LICENSE)
 
-## Features
+TypeScript SDK for OAuth 2.0 Authorization Code + PKCE, focused on browser apps and framework integrations (React, Vue, Nuxt, Next, Angular).
 
-- Authorization Code flow + PKCE (S256, mandatory)
-- State parameter generation and validation
-- Token exchange via standard form-encoded request
-- Automatic token refresh (optional)
-- Pluggable storage adapters (memory, sessionStorage, cookies)
-- Configurable HTTP transport with retry and interceptors
-- Zero production dependencies — uses Web Crypto API and fetch
+## Why this SDK
+
+- PKCE S256 + state validation by default
+- Redirect-only flow (no embedded credential UI)
+- Optional automatic refresh with concurrency dedupe
+- Storage adapters for browser/SSR scenarios
+- Framework helpers in dedicated entrypoints
 
 ## Installation
 
@@ -20,291 +22,271 @@ npm install @nuria-tech/auth-sdk
 
 Published on [npm](https://www.npmjs.com/package/@nuria-tech/auth-sdk).
 
-## Quick start
-
-```ts
-import { createAuthClient } from '@nuria-tech/auth-sdk';
-
-const auth = createAuthClient({
-  clientId: 'your-client-id',
-  baseUrl: 'https://ms-auth-v2.nuria.com.br',
-  redirectUri: 'https://your-app.example.com/callback',
-});
+## Entrypoints
 
-// Redirect to login
-await auth.startLogin();
+- `@nuria-tech/auth-sdk`: core client + adapters
+- `@nuria-tech/auth-sdk/react`: `useAuthSession`, `AuthProvider`, `useAuth`
+- `@nuria-tech/auth-sdk/vue`: `useAuthSession` composable
+- `@nuria-tech/auth-sdk/nuxt`: Nuxt cookie adapter helpers
+- `@nuria-tech/auth-sdk/next`: Next cookie adapter helpers
+- `@nuria-tech/auth-sdk/angular`: RxJS auth facade for Angular services/components
 
-// In your callback page
-const session = await auth.handleRedirectCallback(window.location.href);
-console.log(session.tokens.accessToken);
-```
+## Auth flows matrix
 
-## Default behavior
+| Flow | Backend endpoint(s) | SDK method(s) | Result |
+|---|---|---|---|
+| Google | `POST /v2/google` | `loginWithGoogle(...)` | `Session` tokens |
+| Login + password | `POST /v2/login` | `loginWithPassword(...)` | `Session` tokens |
+| Code sent (default) | `POST /v2/login-code/challenge` + `POST /v2/2fa/verify-login` | `loginWithCodeSent(...)` + `completeLoginWithCode(...)` | `Session` tokens after code verify |
 
-When omitted, the SDK uses:
+## Example apps
 
-- `baseUrl`: `https://ms-auth-v2.nuria.com.br`
-- `authorizationEndpoint`: `${baseUrl}/v2/oauth/authorize`
-- `tokenEndpoint`: `${baseUrl}/v2/oauth/token`
-- `scope`: `openid profile email`
-- `enableRefreshToken`: `true`
+- `examples/react`
+- `examples/vue`
+- `examples/nuxt`
+- `examples/next`
+- `examples/angular`
 
-Override example:
+## Core quick start
 
 ```ts
+import { createAuthClient } from '@nuria-tech/auth-sdk';
+
 const auth = createAuthClient({
   clientId: 'your-client-id',
-  baseUrl: 'https://auth.hml.nuria.com.br',
-  authorizationEndpoint: 'https://auth.hml.nuria.com.br/custom/authorize',
-  tokenEndpoint: 'https://auth.hml.nuria.com.br/custom/token',
-  redirectUri: 'https://your-app.example.com/callback',
-  scope: 'openid profile',
-  enableRefreshToken: false,
+  redirectUri: `${window.location.origin}/callback`,
 });
-```
-
-## Configuration
 
-```ts
-interface AuthConfig {
-  // Required
-  clientId: string;
-  redirectUri: string;
-
-  // Optional
-  baseUrl?: string;            // default: https://ms-auth-v2.nuria.com.br
-  authorizationEndpoint?: string; // default: {baseUrl}/v2/oauth/authorize
-  tokenEndpoint?: string;      // default: {baseUrl}/v2/oauth/token
-  scope?: string;              // default: "openid profile email"
-  logoutEndpoint?: string;     // if set, logout() redirects here
-  userinfoEndpoint?: string;   // required for getUserinfo()
-  storage?: StorageAdapter;    // default: MemoryStorageAdapter
-  transport?: AuthTransport;   // default: FetchAuthTransport
-  onRedirect?: (url: string) => void | Promise<void>;  // override browser redirect
-  enableRefreshToken?: boolean; // default: true
-  now?: () => number;          // override Date.now() for testing
-}
+await auth.startLogin();
+// callback route
+await auth.handleRedirectCallback(window.location.href);
+const token = await auth.getAccessToken();
+console.log(token);
 ```
 
-> **Security note:** Do not include `clientSecret` in browser apps. This SDK is designed for public clients (SPAs, mobile). PKCE provides the proof of possession without a client secret.
-
-## Public API
+## Default login flow (login code sent)
 
 ```ts
-interface AuthClient {
-  startLogin(options?: StartLoginOptions): Promise<void>;
-  handleRedirectCallback(callbackUrl?: string): Promise<Session>;
-  getSession(): Session | null;
-  getAccessToken(): Promise<string | null>;
-  logout(options?: { returnTo?: string }): Promise<void>;
-  isAuthenticated(): boolean;
-  onAuthStateChanged(handler: (session: Session | null) => void): () => void;
-  getUserinfo(): Promise<Record<string, unknown>>;
-}
-```
-
-### `startLogin(options?)`
-
-Generates PKCE `code_verifier` + `code_challenge` (S256), stores them in the configured storage, and redirects to `authorizationEndpoint`. The `state` parameter is always included and validated on callback.
+const challenge = await auth.startLoginCodeChallenge({
+  email: 'user@company.com',
+  // optional: channel defaults to 'email'
+  // channel: 'sms',
+});
 
-```ts
-await auth.startLogin({
-  scopes: ['openid', 'profile'],     // overrides config.scope
-  loginHint: 'user@example.com',
-  extraParams: { prompt: 'login' },
+const session = await auth.verifyLoginCode({
+  challengeId: challenge.challengeId,
+  code: '123456',
 });
 ```
 
-### `handleRedirectCallback(callbackUrl?)`
-
-Parses the callback URL, validates `state`, exchanges `code` for tokens using a form-encoded POST to `tokenEndpoint`, and clears transient PKCE storage. Throws typed `AuthError` on any failure.
-Token endpoint calls are sent with `credentials: 'include'` to support `HttpOnly` refresh-token cookies.
+Aliases with clearer naming:
 
 ```ts
-// In your /callback route
-const session = await auth.handleRedirectCallback(window.location.href);
+await auth.loginWithCodeSent({ email: 'user@company.com' });
+await auth.completeLoginWithCode({ challengeId: '...', code: '123456' });
 ```
 
-### `getAccessToken()`
+## React quick start
 
-Returns the current access token. If the token is expired and `enableRefreshToken: true`, automatically refreshes it (concurrent calls are deduplicated).
-Refresh calls to `tokenEndpoint` are sent with `credentials: 'include'`.
-If no `refresh_token` is available in JS memory/storage, SDK still attempts refresh using cookie-based session (HttpOnly) when the server supports it.
-
-### `logout(options?)`
-
-Clears the local session. If `logoutEndpoint` is configured, redirects to it. Validates `returnTo` to prevent open redirect attacks.
+```tsx
+import { createAuthClient } from '@nuria-tech/auth-sdk';
+import { AuthProvider, useAuth } from '@nuria-tech/auth-sdk/react';
 
-```ts
-await auth.logout({ returnTo: 'https://your-app.example.com' });
-```
+const auth = createAuthClient({
+  clientId: 'your-client-id',
+  redirectUri: `${window.location.origin}/callback`,
+});
 
-### `onAuthStateChanged(handler)`
+function AppContent() {
+  const { session, isLoading, login, logout } = useAuth();
 
-Subscribes to session changes. Returns an unsubscribe function.
+  if (isLoading) return <div>Loading...</div>;
+  if (!session) return <button onClick={() => login()}>Login</button>;
+  return <button onClick={() => logout()}>Logout</button>;
+}
 
-```ts
-const unsubscribe = auth.onAuthStateChanged((session) => {
-  console.log(session ? 'logged in' : 'logged out');
-});
+export function App() {
+  return (
+    <AuthProvider auth={auth}>
+      <AppContent />
+    </AuthProvider>
+  );
+}
 ```
 
-## Storage adapters
-
-Default is `MemoryStorageAdapter` (most secure for XSS resistance, clears on reload).
+## Vue quick start
 
 ```ts
-import { WebStorageAdapter } from '@nuria-tech/auth-sdk';
+import { createAuthClient } from '@nuria-tech/auth-sdk';
+import { useAuthSession } from '@nuria-tech/auth-sdk/vue';
 
-// sessionStorage: persists per tab, JS-readable
 const auth = createAuthClient({
-  ...config,
-  storage: new WebStorageAdapter(window.sessionStorage),
+  clientId: 'your-client-id',
+  redirectUri: `${window.location.origin}/callback`,
 });
+
+export function usePageAuth() {
+  const { session, isLoading, refresh } = useAuthSession(auth);
+  return { session, isLoading, refresh };
+}
 ```
 
-Cookie adapter for SSR:
+## Nuxt quick start
 
 ```ts
-import { CookieStorageAdapter } from '@nuria-tech/auth-sdk';
-
-const auth = createAuthClient({
-  ...config,
-  storage: new CookieStorageAdapter({
-    getCookie: async (name) => getCookieFromRequest(name),
-    setCookie: async (name, value) => setResponseCookie(name, value),
-    removeCookie: async (name) => clearResponseCookie(name),
-  }),
-});
+import { createNuxtAuthClient } from '@nuria-tech/auth-sdk/nuxt';
+import { useCookie } from '#app';
+
+const auth = createNuxtAuthClient(
+  {
+    clientId: process.env.NUXT_PUBLIC_AUTH_CLIENT_ID!,
+    redirectUri: process.env.NUXT_PUBLIC_AUTH_CALLBACK_URL!,
+  },
+  {
+    get: (name) => useCookie<string | null>(name).value,
+    set: (name, value) => {
+      useCookie<string | null>(name).value = value;
+    },
+    remove: (name) => {
+      useCookie<string | null>(name).value = null;
+    },
+  },
+);
 ```
 
-## Transport customization
+## Next quick start
 
 ```ts
-import { FetchAuthTransport } from '@nuria-tech/auth-sdk';
-
-const auth = createAuthClient({
-  ...config,
-  transport: new FetchAuthTransport({
-    timeoutMs: 10_000,
-    retries: 1,
-    interceptors: [
-      {
-        onRequest: async (_url, req) => ({
-          ...req,
-          headers: { ...(req.headers ?? {}), 'X-App-Version': '1.0.0' },
-        }),
-      },
-    ],
-  }),
-});
+import { createNextAuthClient } from '@nuria-tech/auth-sdk/next';
+import { cookies } from 'next/headers';
+
+export function createServerAuth() {
+  const cookieStore = cookies();
+  return createNextAuthClient(
+    {
+      clientId: process.env.NEXT_PUBLIC_AUTH_CLIENT_ID!,
+      redirectUri: process.env.NEXT_PUBLIC_AUTH_CALLBACK_URL!,
+    },
+    {
+      get: (name) => cookieStore.get(name)?.value,
+      set: (name, value) => cookieStore.set(name, value),
+      remove: (name) => cookieStore.delete(name),
+    },
+  );
+}
 ```
 
-## React example
+## Angular quick start
 
-```tsx
-import { useMemo, useState, useEffect } from 'react';
+```ts
+import { Injectable } from '@angular/core';
 import { createAuthClient } from '@nuria-tech/auth-sdk';
+import { createAngularAuthFacade } from '@nuria-tech/auth-sdk/angular';
 
-const auth = createAuthClient({
-  clientId: 'your-client-id',
-  baseUrl: 'https://ms-auth-v2.nuria.com.br',
-  redirectUri: `${window.location.origin}/callback`,
-});
+@Injectable({ providedIn: 'root' })
+export class AuthService {
+  private auth = createAuthClient({
+    clientId: 'your-client-id',
+    redirectUri: `${window.location.origin}/callback`,
+  });
 
-export function App() {
-  const [session, setSession] = useState(auth.getSession());
+  private facade = createAngularAuthFacade(this.auth);
+  state$ = this.facade.state$;
 
-  useEffect(() => auth.onAuthStateChanged(setSession), []);
+  login() {
+    return this.facade.login();
+  }
 
-  if (!session) {
-    return <button onClick={() => auth.startLogin()}>Login</button>;
+  logout() {
+    return this.facade.logout();
   }
-  return <button onClick={() => auth.logout()}>Logout</button>;
 }
 ```
 
-## Next.js SSR example
+Full Angular example (service + guard + callback route + status component):
+`examples/angular`
+
+## Defaults
+
+- `baseUrl`: `https://ms-auth-v2.nuria.com.br`
+- `authorizationEndpoint`: `${baseUrl}/v2/oauth/authorize`
+- `tokenEndpoint`: `${baseUrl}/v2/oauth/token`
+- `scope`: `openid profile email`
+- `enableRefreshToken`: `true`
+
+## Configuration
 
 ```ts
-// lib/auth.ts
-import { createAuthClient, CookieStorageAdapter } from '@nuria-tech/auth-sdk';
-
-export function createServerAuth(cookieApi: {
-  get: (name: string) => string | undefined;
-  set: (name: string, value: string) => void;
-  delete: (name: string) => void;
-}) {
-  return createAuthClient({
-    clientId: process.env.NEXT_PUBLIC_AUTH_CLIENT_ID!,
-    baseUrl: process.env.NEXT_PUBLIC_AUTH_BASE_URL!,
-    redirectUri: process.env.NEXT_PUBLIC_AUTH_CALLBACK_URL!,
-    storage: new CookieStorageAdapter({
-      getCookie: async (name) => cookieApi.get(name) ?? null,
-      setCookie: async (name, value) => cookieApi.set(name, value),
-      removeCookie: async (name) => cookieApi.delete(name),
-    }),
-    onRedirect: (url) => { redirect(url); },
-  });
+interface AuthConfig {
+  clientId: string;
+  redirectUri: string;
+  baseUrl?: string;
+  authorizationEndpoint?: string;
+  tokenEndpoint?: string;
+  scope?: string;
+  logoutEndpoint?: string;
+  userinfoEndpoint?: string;
+  storage?: StorageAdapter;
+  transport?: AuthTransport;
+  onRedirect?: (url: string) => void | Promise<void>;
+  enableRefreshToken?: boolean;
+  now?: () => number;
 }
 ```
 
-## Security notes
+## Storage strategy
 
-- **No secrets:** Never include a `clientSecret` in browser/mobile apps. This SDK supports public clients only.
-- **PKCE is mandatory:** S256 code challenge is always used. Plain PKCE is not supported.
-- **State validation:** State is always generated and validated on callback.
-- **Memory storage default:** Tokens are stored in memory by default to minimize XSS exposure.
-- **Use sessionStorage cautiously:** Survives page reload but is still JS-readable.
-- **Avoid localStorage** for sensitive tokens.
-- **Validate `returnTo`:** The `logout()` method rejects non-`https://` or `http://` `returnTo` values.
+| Adapter | Persists reload | JS-readable | SSR |
+|---|---|---|---|
+| `MemoryStorageAdapter` | No | Yes | No |
+| `WebStorageAdapter(sessionStorage)` | Per tab | Yes | No |
+| `WebStorageAdapter(localStorage)` | Yes | Yes | No |
+| `CookieStorageAdapter` | Configurable | Depends on cookie flags | Yes |
 
-## Storage trade-offs
+## Security notes
 
-| Adapter | Persists reload | XSS risk | SSR compatible |
-|---------|----------------|----------|----------------|
-| `MemoryStorageAdapter` | No | Lowest | No |
-| `WebStorageAdapter(sessionStorage)` | Per tab | Medium | No |
-| `WebStorageAdapter(localStorage)` | Yes | High | No |
-| `CookieStorageAdapter` | Configurable | Low (httpOnly) | Yes |
+- Do not use `clientSecret` in browser/mobile apps.
+- Prefer memory storage when possible.
+- Keep refresh on cookies (`HttpOnly`) server-side when available.
+- `logout({ returnTo })` accepts `https://` URLs, plus `http://localhost|127.0.0.1|[::1]` for local dev only.
+- `logout({ returnTo })` rejects URLs with embedded credentials (`user:pass@host`).
+- `isAuthenticated()` also checks token expiration (`expiresAt`) when available.
+- Browser cookie storage encodes/decodes values safely (`encodeURIComponent`/`decodeURIComponent`).
 
-## Troubleshooting
+Full policy and reporting process: [SECURITY.md](./SECURITY.md).
 
-- **State mismatch:** Ensure the same storage instance/tab is used between `startLogin()` and `handleRedirectCallback()`. Clear `nuria:oauth:state` and retry.
-- **Missing code_verifier:** The `nuria:oauth:code_verifier` key was not found in storage. Ensure `startLogin()` was called before `handleRedirectCallback()`.
-- **Token refresh fails:** Ensure `enableRefreshToken: true` is set and the auth server supports the `refresh_token` grant for your client.
+## Public API
 
-## CI/CD
+```ts
+interface AuthClient {
+  startLogin(options?: StartLoginOptions): Promise<void>;
+  handleRedirectCallback(callbackUrl?: string): Promise<Session>;
+  getSession(): Session | null;
+  getAccessToken(): Promise<string | null>;
+  logout(options?: { returnTo?: string }): Promise<void>;
+  isAuthenticated(): boolean;
+  onAuthStateChanged(handler: (session: Session | null) => void): () => void;
+  getUserinfo(): Promise<Record<string, unknown>>;
+  startLoginCodeChallenge(options: LoginCodeChallengeOptions): Promise<TwoFactorChallenge>;
+  verifyLoginCode(options: VerifyLoginCodeOptions): Promise<Session>;
+  loginWithCodeSent(options: LoginCodeChallengeOptions): Promise<TwoFactorChallenge>;
+  completeLoginWithCode(options: VerifyLoginCodeOptions): Promise<Session>;
+  loginWithGoogle(options: GoogleLoginOptions): Promise<Session>;
+  loginWithPassword(options: PasswordLoginOptions): Promise<Session>;
+}
+```
 
-This repository uses GitHub Actions (`.github/workflows/ci-publish.yml`):
+## CI and publish
 
-- **PR and `main` push:** typecheck, lint, test (coverage), build — runs on Node 20, 22
-- **Tag `v*` push:** validates tag matches `package.json` version, then publishes to npm via Trusted Publishing (OIDC — no stored tokens)
+- PR/main runs: typecheck, lint, test, build
+- Tag `v*` runs publish workflow with Trusted Publishing
 
-### Publishing
+Publish flow:
 
 1. Update `version` in `package.json`
-2. Push a tag: `git tag v1.0.0 && git push --tags`
-3. The workflow validates the version and publishes to npm
-
-> **One-time setup:** after the first manual publish, configure Trusted Publishing at **npmjs.com → package → Settings → Automated Publishing** with repository `nuria-tech/nuria-auth-sdk` and workflow `ci-publish.yml`.
-
-## Endpoint defaults
-
-By default, the SDK assumes `ms-auth` OAuth endpoints:
-
-- `baseUrl`: `https://ms-auth-v2.nuria.com.br`
-- `authorizationEndpoint`: `${baseUrl}/v2/oauth/authorize`
-- `tokenEndpoint`: `${baseUrl}/v2/oauth/token`
-
-You can still override `authorizationEndpoint` and `tokenEndpoint` explicitly when needed.
-
-## SSO strategy for multiple portals/apps
-
-- Storage adapter (memory/session/local) is **per origin** and does not share tokens across different domains.
-- For real SSO between different portals/apps, rely on auth-server session + `HttpOnly` refresh cookie (`__Host-nuria_rt`) and keep token calls with `credentials: 'include'`.
-- Keep `MemoryStorageAdapter` as default to reduce token exposure in JS.
+2. Tag and push (`git tag vX.Y.Z && git push --tags`)
+3. Workflow validates and publishes
 
 ## License
 
-MIT — see [LICENSE](./LICENSE).
+MIT - see [LICENSE](./LICENSE).

package/dist/angular.cjs

@@ -0,0 +1,49 @@
+'use strict';
+
+var rxjs = require('rxjs');
+
+// src/angular/index.ts
+function toState(session, isLoading, error) {
+  return {
+    session,
+    isAuthenticated: session !== null,
+    isLoading,
+    error
+  };
+}
+function createAngularAuthFacade(auth) {
+  const subject = new rxjs.BehaviorSubject(
+    toState(auth.getSession(), auth.getSession() === null, null)
+  );
+  const unsubscribe = auth.onAuthStateChanged((nextSession) => {
+    subject.next(toState(nextSession, false, null));
+  });
+  const refresh = async () => {
+    subject.next(toState(subject.value.session, true, null));
+    try {
+      await auth.getAccessToken();
+      const session = auth.getSession();
+      subject.next(toState(session, false, null));
+      return session;
+    } catch (error) {
+      subject.next(toState(auth.getSession(), false, error));
+      return null;
+    }
+  };
+  void refresh();
+  return {
+    state$: subject.asObservable(),
+    snapshot: () => subject.value,
+    refresh,
+    login: () => auth.startLogin(),
+    logout: (options) => auth.logout(options),
+    destroy: () => {
+      unsubscribe();
+      subject.complete();
+    }
+  };
+}
+
+exports.createAngularAuthFacade = createAngularAuthFacade;
+//# sourceMappingURL=angular.cjs.map
+//# sourceMappingURL=angular.cjs.map

package/dist/angular.cjs.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../src/angular/index.ts"],"names":["BehaviorSubject"],"mappings":";;;;;AAmBA,SAAS,OAAA,CACP,OAAA,EACA,SAAA,EACA,KAAA,EACkB;AAClB,EAAA,OAAO;AAAA,IACL,OAAA;AAAA,IACA,iBAAiB,OAAA,KAAY,IAAA;AAAA,IAC7B,SAAA;AAAA,IACA;AAAA,GACF;AACF;AAEO,SAAS,wBAAwB,IAAA,EAAqC;AAC3E,EAAA,MAAM,UAAU,IAAIA,oBAAA;AAAA,IAClB,OAAA,CAAQ,KAAK,UAAA,EAAW,EAAG,KAAK,UAAA,EAAW,KAAM,MAAM,IAAI;AAAA,GAC7D;AAEA,EAAA,MAAM,WAAA,GAAc,IAAA,CAAK,kBAAA,CAAmB,CAAC,WAAA,KAAgB;AAC3D,IAAA,OAAA,CAAQ,IAAA,CAAK,OAAA,CAAQ,WAAA,EAAa,KAAA,EAAO,IAAI,CAAC,CAAA;AAAA,EAChD,CAAC,CAAA;AAED,EAAA,MAAM,UAAU,YAAqC;AACnD,IAAA,OAAA,CAAQ,KAAK,OAAA,CAAQ,OAAA,CAAQ,MAAM,OAAA,EAAS,IAAA,EAAM,IAAI,CAAC,CAAA;AACvD,IAAA,IAAI;AACF,MAAA,MAAM,KAAK,cAAA,EAAe;AAC1B,MAAA,MAAM,OAAA,GAAU,KAAK,UAAA,EAAW;AAChC,MAAA,OAAA,CAAQ,IAAA,CAAK,OAAA,CAAQ,OAAA,EAAS,KAAA,EAAO,IAAI,CAAC,CAAA;AAC1C,MAAA,OAAO,OAAA;AAAA,IACT,SAAS,KAAA,EAAO;AACd,MAAA,OAAA,CAAQ,KAAK,OAAA,CAAQ,IAAA,CAAK,YAAW,EAAG,KAAA,EAAO,KAAK,CAAC,CAAA;AACrD,MAAA,OAAO,IAAA;AAAA,IACT;AAAA,EACF,CAAA;AAEA,EAAA,KAAK,OAAA,EAAQ;AAEb,EAAA,OAAO;AAAA,IACL,MAAA,EAAQ,QAAQ,YAAA,EAAa;AAAA,IAC7B,QAAA,EAAU,MAAM,OAAA,CAAQ,KAAA;AAAA,IACxB,OAAA;AAAA,IACA,KAAA,EAAO,MAAM,IAAA,CAAK,UAAA,EAAW;AAAA,IAC7B,MAAA,EAAQ,CAAC,OAAA,KAAY,IAAA,CAAK,OAAO,OAAO,CAAA;AAAA,IACxC,SAAS,MAAM;AACb,MAAA,WAAA,EAAY;AACZ,MAAA,OAAA,CAAQ,QAAA,EAAS;AAAA,IACnB;AAAA,GACF;AACF","file":"angular.cjs","sourcesContent":["import { BehaviorSubject, type Observable } from 'rxjs';\nimport type { AuthClient, Session } from '../core/types';\n\nexport interface AngularAuthState {\n  session: Session | null;\n  isAuthenticated: boolean;\n  isLoading: boolean;\n  error: unknown;\n}\n\nexport interface AngularAuthFacade {\n  state$: Observable<AngularAuthState>;\n  snapshot: () => AngularAuthState;\n  refresh: () => Promise<Session | null>;\n  login: () => Promise<void>;\n  logout: (options?: { returnTo?: string }) => Promise<void>;\n  destroy: () => void;\n}\n\nfunction toState(\n  session: Session | null,\n  isLoading: boolean,\n  error: unknown,\n): AngularAuthState {\n  return {\n    session,\n    isAuthenticated: session !== null,\n    isLoading,\n    error,\n  };\n}\n\nexport function createAngularAuthFacade(auth: AuthClient): AngularAuthFacade {\n  const subject = new BehaviorSubject<AngularAuthState>(\n    toState(auth.getSession(), auth.getSession() === null, null),\n  );\n\n  const unsubscribe = auth.onAuthStateChanged((nextSession) => {\n    subject.next(toState(nextSession, false, null));\n  });\n\n  const refresh = async (): Promise<Session | null> => {\n    subject.next(toState(subject.value.session, true, null));\n    try {\n      await auth.getAccessToken();\n      const session = auth.getSession();\n      subject.next(toState(session, false, null));\n      return session;\n    } catch (error) {\n      subject.next(toState(auth.getSession(), false, error));\n      return null;\n    }\n  };\n\n  void refresh();\n\n  return {\n    state$: subject.asObservable(),\n    snapshot: () => subject.value,\n    refresh,\n    login: () => auth.startLogin(),\n    logout: (options) => auth.logout(options),\n    destroy: () => {\n      unsubscribe();\n      subject.complete();\n    },\n  };\n}\n"]}

package/dist/angular.d.cts

@@ -0,0 +1,22 @@
+import { Observable } from 'rxjs';
+import { e as Session, a as AuthClient } from './types-2k4ZYpF4.cjs';
+
+interface AngularAuthState {
+    session: Session | null;
+    isAuthenticated: boolean;
+    isLoading: boolean;
+    error: unknown;
+}
+interface AngularAuthFacade {
+    state$: Observable<AngularAuthState>;
+    snapshot: () => AngularAuthState;
+    refresh: () => Promise<Session | null>;
+    login: () => Promise<void>;
+    logout: (options?: {
+        returnTo?: string;
+    }) => Promise<void>;
+    destroy: () => void;
+}
+declare function createAngularAuthFacade(auth: AuthClient): AngularAuthFacade;
+
+export { type AngularAuthFacade, type AngularAuthState, createAngularAuthFacade };

package/dist/angular.d.ts

@@ -0,0 +1,22 @@
+import { Observable } from 'rxjs';
+import { e as Session, a as AuthClient } from './types-2k4ZYpF4.js';
+
+interface AngularAuthState {
+    session: Session | null;
+    isAuthenticated: boolean;
+    isLoading: boolean;
+    error: unknown;
+}
+interface AngularAuthFacade {
+    state$: Observable<AngularAuthState>;
+    snapshot: () => AngularAuthState;
+    refresh: () => Promise<Session | null>;
+    login: () => Promise<void>;
+    logout: (options?: {
+        returnTo?: string;
+    }) => Promise<void>;
+    destroy: () => void;
+}
+declare function createAngularAuthFacade(auth: AuthClient): AngularAuthFacade;
+
+export { type AngularAuthFacade, type AngularAuthState, createAngularAuthFacade };