@ollaid/native-sso 1.0.0 → 1.0.2

package/README.md

@@ -60,6 +60,7 @@ function App() {
           <NativeSSOPage
             saasApiUrl="https://mon-saas.com/api"
             iamApiUrl="https://identityam.ollaid.com/api"
+            accountType="user"
             onLoginSuccess={(token, user) => {
               console.log('Connecté !', user.name);
               navigate('/dashboard');
@@ -95,15 +96,17 @@ La page `/auth/sso` gère automatiquement :
 |------|------|--------|-------------|
 | `saasApiUrl` | `string` | ✅ | URL du backend SaaS (ex: `https://mon-saas.com/api`) |
 | `iamApiUrl` | `string` | ✅ | URL du backend IAM (ex: `https://identityam.ollaid.com/api`) |
+| `accountType` | `'user' \| 'client'` | ❌ | Type de compte à persister dans localStorage (défaut: `'user'`). Utile si vous avez plusieurs pages SSO avec des rôles différents. |
 | `onLoginSuccess` | `(token: string, user: UserInfos) => void` | ❌ | Callback après connexion réussie |
 | `onLogout` | `() => void` | ❌ | Callback après déconnexion |
-| `debug` | `boolean` | ❌ | Active les logs console |
 | `title` | `string` | ❌ | Titre personnalisé (défaut: "Un compte, plusieurs accès") |
 | `description` | `string` | ❌ | Description personnalisée |
 | `logoUrl` | `string` | ❌ | URL du logo (remplace le slider) |
 | `hideFooter` | `boolean` | ❌ | Masquer "Propulsé par iam.ollaid.com" |
 | `onOnboardingComplete` | `(data: { image_url?: string; ccphone?: string; phone?: string }) => void` | ❌ | Callback après complétion de l'onboarding |
 
+> **Note :** Le mode `debug` est contrôlé **uniquement** par le backend via la variable d'environnement `IAM_DEBUG` dans le `.env` du SaaS. Il n'y a plus de prop `debug` à passer au composant.
+
 ---
 
 ## Usage avancé (composants individuels)
@@ -227,6 +230,11 @@ $secretKey = $payload['secret_key'];
 
 ### `POST /api/native/exchange`
 
+> ⚠️ **IMPORTANT — Route PUBLIQUE obligatoire**  
+> Cette route **NE DOIT PAS** être derrière le middleware `auth:sanctum`.  
+> Si vous la placez dans un groupe `Route::middleware('auth:sanctum')`, le frontend recevra une **erreur 401 Unauthenticated** systématique car l'utilisateur n'a pas encore de token Sanctum à ce stade du flux.  
+> Assurez-vous que `/api/native/config` et `/api/native/exchange` sont **en dehors** de tout groupe authentifié.
+
 Échange le `callback_token` reçu de l'IAM contre un token Sanctum local.
 
 **Headers requis :** `Content-Type: application/json`
@@ -665,14 +673,19 @@ class NativeAuthController extends Controller
 
 ### Routes `routes/api.php`
 
+> ⚠️ **Attention au placement des routes !**  
+> `config` et `exchange` doivent être **publiques** (pas de middleware auth).  
+> `check-token` et `logout` doivent être **protégées** par `auth:sanctum`.  
+> Si `exchange` est derrière `auth:sanctum`, le frontend recevra un **401 Unauthenticated**.
+
 ```php
 use App\Http\Controllers\Api\NativeAuthController;
 
-// Routes SSO Native (pas d'auth requise)
+// ✅ Routes PUBLIQUES (pas d'auth requise — l'utilisateur n'a pas encore de token)
 Route::get('/native/config', [NativeAuthController::class, 'config']);
 Route::post('/native/exchange', [NativeAuthController::class, 'exchange']);
 
-// Routes SSO Native (auth Sanctum requise)
+// 🔒 Routes PROTÉGÉES (auth Sanctum requise — l'utilisateur a un token)
 Route::middleware('auth:sanctum')->group(function () {
     Route::post('/native/check-token', [NativeAuthController::class, 'checkToken']);
     Route::post('/native/logout', [NativeAuthController::class, 'logout']);
@@ -1370,20 +1383,27 @@ Toutes les APIs IAM retournent le même objet `user_infos` avec exactement **9 c
 
 ## Session & localStorage
 
-Le package utilise **4 clés** dans `localStorage` pour persister la session :
+Le package utilise **5 clés** dans `localStorage` pour persister la session :
 
 | Clé | Contenu | Source | Valeurs possibles |
 |-----|---------|--------|-------------------|
 | `token` | Token Sanctum (bearer) | Réponse de `/api/native/exchange` | Chaîne `"1\|abc123..."` |
 | `auth_token` | Copie du token (compatibilité) | Même source que `token` | Idem |
-| `user` | Objet `user_infos` sérialisé en JSON | Réponse de `/api/native/exchange` ou mise à jour via health check | `{"name":"...","email":"...",...}` |
+| `user` | Objet utilisateur enrichi sérialisé en JSON | Réponse de `/api/native/exchange` ou mise à jour via health check | `{"iam_reference":"USR-XXX","alias_reference":"ALI-XXX","name":"...","email":"...",...}` |
 | `account_type` | Type de compte | Déterminé lors du `exchange` selon le mode d'inscription | `"user"` (défaut) ou `"client"` (inscription phone-only) |
+| `alias_reference` | Référence alias utilisée lors de la connexion | Réponse de `/api/native/exchange` (champ `user.alias_reference`) | `"ALI-XXXXXXXX"` |
+
+> **Note :** `account_type` et `alias_reference` sont stockés **séparément** de l'objet `user` en plus d'être inclus dans le JSON de la clé `user`.
+
+#### Champs enrichis dans l'objet `user`
 
-> **Note :** `account_type` est stocké **séparément** de l'objet `user` — il n'est pas inclus dans le JSON de la clé `user`.
+L'objet `user` stocké en localStorage contient deux champs ajoutés automatiquement par le package :
+- `iam_reference` : la référence IAM de l'utilisateur (`USR-XXXXXXXX`), extraite de `user.reference`
+- `alias_reference` : la référence de l'alias utilisé lors de la connexion (`ALI-XXXXXXXX`), extraite de `user.alias_reference`
 
 ### Nettoyage
 
-Lors du `logout()`, les 4 clés sont supprimées via `clearAuthToken()`.
+Lors du `logout()`, les 5 clés sont supprimées via `clearAuthToken()`.
 
 ### Accès programmatique
 
@@ -1391,8 +1411,9 @@ Lors du `logout()`, les 4 clés sont supprimées via `clearAuthToken()`.
 import { getAuthToken, getAuthUser, getAccountType } from '@ollaid/native-sso';
 
 const token = getAuthToken();           // string | null
-const user = getAuthUser<UserInfos>();  // UserInfos | null
+const user = getAuthUser<UserInfos>();  // UserInfos | null  — contient iam_reference et alias_reference
 const type = getAccountType();          // string | null
+const aliasRef = localStorage.getItem('alias_reference'); // string | null
 ```
 
 ---

package/dist/components/LoginModal.d.ts

@@ -14,7 +14,8 @@ export interface LoginModalProps {
     iamApiUrl: string;
     loading?: boolean;
     showSwitchToSignup?: boolean;
-    debug?: boolean;
+    /** Type de compte par défaut à persister dans localStorage */
+    defaultAccountType?: 'user' | 'client';
 }
-export declare function LoginModal({ open, onOpenChange, onSwitchToSignup, onLoginSuccess, saasApiUrl, iamApiUrl, loading, showSwitchToSignup, debug, }: LoginModalProps): import("react/jsx-runtime").JSX.Element;
+export declare function LoginModal({ open, onOpenChange, onSwitchToSignup, onLoginSuccess, saasApiUrl, iamApiUrl, loading, showSwitchToSignup, defaultAccountType, }: LoginModalProps): import("react/jsx-runtime").JSX.Element;
 export default LoginModal;

package/dist/components/NativeSSOPage.d.ts

@@ -20,8 +20,8 @@ export interface NativeSSOPageProps {
         ccphone?: string;
         phone?: string;
     }) => void;
-    /** Mode debug */
-    debug?: boolean;
+    /** Type de compte à persister dans localStorage (défaut: 'user') */
+    accountType?: 'user' | 'client';
     /** Titre personnalisé */
     title?: string;
     /** Description personnalisée */
@@ -31,5 +31,5 @@ export interface NativeSSOPageProps {
     /** Masquer le footer "Propulsé par" */
     hideFooter?: boolean;
 }
-export declare function NativeSSOPage({ saasApiUrl, iamApiUrl, onLoginSuccess, onLogout, onOnboardingComplete, debug, title, description, logoUrl, hideFooter, }: NativeSSOPageProps): import("react/jsx-runtime").JSX.Element;
+export declare function NativeSSOPage({ saasApiUrl, iamApiUrl, onLoginSuccess, onLogout, onOnboardingComplete, accountType, title, description, logoUrl, hideFooter, }: NativeSSOPageProps): import("react/jsx-runtime").JSX.Element;
 export default NativeSSOPage;

package/dist/components/PasswordRecoveryModal.d.ts

@@ -11,7 +11,6 @@ export interface PasswordRecoveryModalProps {
     onSuccess: () => void;
     saasApiUrl: string;
     iamApiUrl: string;
-    debug?: boolean;
 }
-export declare function PasswordRecoveryModal({ open, onOpenChange, onSuccess, saasApiUrl, iamApiUrl, debug }: PasswordRecoveryModalProps): import("react/jsx-runtime").JSX.Element;
+export declare function PasswordRecoveryModal({ open, onOpenChange, onSuccess, saasApiUrl, iamApiUrl }: PasswordRecoveryModalProps): import("react/jsx-runtime").JSX.Element;
 export default PasswordRecoveryModal;

package/dist/components/SignupModal.d.ts

@@ -12,7 +12,8 @@ export interface SignupModalProps {
     onSignupSuccess: (token: string, user: UserInfos) => void;
     saasApiUrl: string;
     iamApiUrl: string;
-    debug?: boolean;
+    /** Type de compte par défaut à persister dans localStorage */
+    defaultAccountType?: 'user' | 'client';
 }
-export declare function SignupModal({ open, onOpenChange, onSwitchToLogin, onSignupSuccess, saasApiUrl, iamApiUrl, debug }: SignupModalProps): import("react/jsx-runtime").JSX.Element;
+export declare function SignupModal({ open, onOpenChange, onSwitchToLogin, onSignupSuccess, saasApiUrl, iamApiUrl, defaultAccountType }: SignupModalProps): import("react/jsx-runtime").JSX.Element;
 export default SignupModal;

package/dist/hooks/useMobilePassword.d.ts

@@ -8,7 +8,6 @@ export interface UseMobilePasswordOptions {
     saasApiUrl: string;
     iamApiUrl: string;
     autoLoadCredentials?: boolean;
-    debug?: boolean;
 }
 export declare function useMobilePassword(options: UseMobilePasswordOptions): {
     credentialsLoaded: boolean;

package/dist/hooks/useMobileRegistration.d.ts

@@ -19,7 +19,6 @@ interface RegistrationConflict {
 export interface UseMobileRegistrationOptions {
     saasApiUrl: string;
     iamApiUrl: string;
-    debug?: boolean;
 }
 export declare function useMobileRegistration(options?: UseMobileRegistrationOptions): {
     processToken: string | null;

package/dist/hooks/useNativeAuth.d.ts

@@ -12,8 +12,8 @@ export interface UseNativeAuthOptions {
     iamApiUrl: string;
     /** Charger les credentials automatiquement au montage */
     autoLoadCredentials?: boolean;
-    /** Mode debug */
-    debug?: boolean;
+    /** Type de compte par défaut à persister (défaut: 'user') */
+    defaultAccountType?: 'user' | 'client';
 }
 export declare function useNativeAuth(options: UseNativeAuthOptions): {
     credentialsLoaded: boolean;
@@ -117,7 +117,22 @@ export declare function useNativeAuth(options: UseNativeAuthOptions): {
         error_type?: undefined;
     } | {
         success: boolean;
-        user: import("..").NativeUser;
+        user: {
+            iam_reference: string;
+            alias_reference: any;
+            id?: number;
+            reference: string;
+            name: string;
+            email?: string | null;
+            phone?: string;
+            ccphone?: string;
+            image_url?: string;
+            account_type?: "user" | "client";
+            town?: string;
+            country?: string;
+            address?: string;
+            auth_2fa?: boolean;
+        };
         callback_token: string;
         error?: undefined;
         requires_2fa?: undefined;
@@ -157,7 +172,22 @@ export declare function useNativeAuth(options: UseNativeAuthOptions): {
         error_type?: undefined;
     } | {
         success: boolean;
-        user: import("..").NativeUser;
+        user: {
+            iam_reference: string;
+            alias_reference: any;
+            id?: number;
+            reference: string;
+            name: string;
+            email?: string | null;
+            phone?: string;
+            ccphone?: string;
+            image_url?: string;
+            account_type?: "user" | "client";
+            town?: string;
+            country?: string;
+            address?: string;
+            auth_2fa?: boolean;
+        };
         callback_token: string;
         error?: undefined;
         status?: undefined;
@@ -184,7 +214,22 @@ export declare function useNativeAuth(options: UseNativeAuthOptions): {
         error_type?: undefined;
     } | {
         success: boolean;
-        user: import("..").NativeUser;
+        user: {
+            iam_reference: string;
+            alias_reference: any;
+            id?: number;
+            reference: string;
+            name: string;
+            email?: string | null;
+            phone?: string;
+            ccphone?: string;
+            image_url?: string;
+            account_type?: "user" | "client";
+            town?: string;
+            country?: string;
+            address?: string;
+            auth_2fa?: boolean;
+        };
         error?: undefined;
         error_type?: undefined;
     } | {
@@ -201,7 +246,22 @@ export declare function useNativeAuth(options: UseNativeAuthOptions): {
         error_type?: undefined;
     } | {
         success: boolean;
-        user: import("..").NativeUser;
+        user: {
+            iam_reference: string;
+            alias_reference: any;
+            id?: number;
+            reference: string;
+            name: string;
+            email?: string | null;
+            phone?: string;
+            ccphone?: string;
+            image_url?: string;
+            account_type?: "user" | "client";
+            town?: string;
+            country?: string;
+            address?: string;
+            auth_2fa?: boolean;
+        };
         callback_token: string;
         error?: undefined;
         error_type?: undefined;

package/dist/index.cjs

@@ -481,7 +481,8 @@ const STORAGE = {
   AUTH_TOKEN: "auth_token",
   TOKEN: "token",
   USER: "user",
-  ACCOUNT_TYPE: "account_type"
+  ACCOUNT_TYPE: "account_type",
+  ALIAS_REFERENCE: "alias_reference"
 };
 const setAuthToken = (token) => {
   if (typeof localStorage !== "undefined") {
@@ -499,6 +500,7 @@ const clearAuthToken = () => {
     localStorage.removeItem(STORAGE.TOKEN);
     localStorage.removeItem(STORAGE.USER);
     localStorage.removeItem(STORAGE.ACCOUNT_TYPE);
+    localStorage.removeItem(STORAGE.ALIAS_REFERENCE);
   }
 };
 const setAuthUser = (user) => {
@@ -587,6 +589,10 @@ function getHeaders(token) {
   return headers;
 }
 let credentials = null;
+let credentialsLoadedAt = 0;
+let credentialsTtl = 300;
+const DEFAULT_TTL = 300;
+const REFRESH_MARGIN = 30;
 const nativeAuthService = {
   hasCredentials() {
     return credentials !== null;
@@ -594,6 +600,26 @@ const nativeAuthService = {
   getCredentials() {
     return credentials ? { ...credentials } : null;
   },
+  getCredentialsTtl() {
+    return credentialsTtl;
+  },
+  getCredentialsAge() {
+    if (!credentialsLoadedAt) return Infinity;
+    return (Date.now() - credentialsLoadedAt) / 1e3;
+  },
+  areCredentialsExpiringSoon() {
+    if (!credentials || !credentialsLoadedAt) return true;
+    const age = this.getCredentialsAge();
+    return age >= credentialsTtl - REFRESH_MARGIN;
+  },
+  async ensureFreshCredentials() {
+    if (!credentials || this.areCredentialsExpiringSoon()) {
+      if (isDebugMode()) {
+        console.log("🔄 [Native] Credentials expirés ou proches — auto-refresh");
+      }
+      await this.loadCredentials();
+    }
+  },
   async loadCredentials() {
     const config2 = getNativeAuthConfig();
     if (!config2.saasApiUrl) {
@@ -614,6 +640,8 @@ const nativeAuthService = {
       appKey: response.app_key,
       encryptedCredentials: response.encrypted_credentials
     };
+    credentialsLoadedAt = Date.now();
+    credentialsTtl = response.credentials_ttl || DEFAULT_TTL;
     if (typeof response.debug === "boolean") {
       const currentConfig = getNativeAuthConfig();
       if (currentConfig.debug !== true) {
@@ -621,11 +649,12 @@ const nativeAuthService = {
       }
     }
     if (isDebugMode()) {
-      console.log("✅ [SaaS] Credentials chargés (debug:", response.debug ?? "non défini", ")");
+      console.log("✅ [SaaS] Credentials chargés (ttl:", credentialsTtl, "s, debug:", response.debug ?? "non défini", ")");
     }
     return credentials;
   },
   async encrypt(type, data) {
+    await this.ensureFreshCredentials();
     if (!credentials) {
       throw new ApiError("Credentials non chargés. Appelez loadCredentials() d'abord.", "auth");
     }
@@ -833,15 +862,18 @@ const nativeAuthService = {
       );
       clearAuthToken();
       credentials = null;
+      credentialsLoadedAt = 0;
       return response;
     } catch {
       clearAuthToken();
       credentials = null;
+      credentialsLoadedAt = 0;
       return { success: true };
     }
   },
   clearCredentials() {
     credentials = null;
+    credentialsLoadedAt = 0;
   },
   // ============================================
   // High-level methods
@@ -1024,14 +1056,14 @@ function getErrorMessage$2(err, context) {
   return { message: `Erreur lors de ${context}`, type: "unknown" };
 }
 function useMobilePassword(options) {
-  const { saasApiUrl, iamApiUrl, autoLoadCredentials = true, debug = false } = options;
+  const { saasApiUrl, iamApiUrl, autoLoadCredentials = true } = options;
   const configuredRef = react.useRef(false);
   react.useEffect(() => {
     if (!configuredRef.current) {
-      setNativeAuthConfig({ saasApiUrl, iamApiUrl, debug });
+      setNativeAuthConfig({ saasApiUrl, iamApiUrl });
       configuredRef.current = true;
     }
-  }, [saasApiUrl, iamApiUrl, debug]);
+  }, [saasApiUrl, iamApiUrl]);
   const [state, setState] = react.useState({
     credentialsLoaded: false,
     processToken: null,
@@ -1267,7 +1299,7 @@ const backBtnStyle$2 = {
   color: C$3.gray700,
   zIndex: 10
 };
-function PasswordRecoveryModal({ open, onOpenChange, onSuccess, saasApiUrl, iamApiUrl, debug = false }) {
+function PasswordRecoveryModal({ open, onOpenChange, onSuccess, saasApiUrl, iamApiUrl }) {
   const {
     status,
     loading: pwLoading,
@@ -1282,7 +1314,7 @@ function PasswordRecoveryModal({ open, onOpenChange, onSuccess, saasApiUrl, iamA
     resendOtp,
     reset: resetHook,
     clearError
-  } = useMobilePassword({ saasApiUrl, iamApiUrl, debug });
+  } = useMobilePassword({ saasApiUrl, iamApiUrl });
   const [step, setStep] = react.useState("email");
   const [email, setEmail] = react.useState("");
   const [otp, setOtp] = react.useState("");
@@ -1569,11 +1601,22 @@ function useTokenHealthCheck(options) {
   }, [enabled, saasApiUrl, performCheck, debug]);
 }
 function saveSession(exchangeResult, accountType) {
+  var _a, _b;
   const sanctumToken = exchangeResult.auth_token || exchangeResult.token;
   localStorage.setItem(STORAGE.AUTH_TOKEN, sanctumToken);
   localStorage.setItem(STORAGE.TOKEN, sanctumToken);
-  const userToStore = exchangeResult.user_infos ? { ...exchangeResult.user, ...exchangeResult.user_infos } : exchangeResult.user;
-  const acctType = accountType === "phone-only" ? "client" : "user";
+  const baseUser = exchangeResult.user_infos ? { ...exchangeResult.user, ...exchangeResult.user_infos } : exchangeResult.user;
+  const aliasRef = ((_a = exchangeResult.user) == null ? void 0 : _a.alias_reference) || exchangeResult.alias_reference || "";
+  const iamRef = ((_b = exchangeResult.user) == null ? void 0 : _b.reference) || "";
+  const userToStore = {
+    ...baseUser,
+    iam_reference: iamRef,
+    alias_reference: aliasRef
+  };
+  if (aliasRef) {
+    localStorage.setItem(STORAGE.ALIAS_REFERENCE, aliasRef);
+  }
+  const acctType = typeof accountType === "string" ? accountType : "user";
   localStorage.setItem(STORAGE.USER, JSON.stringify(userToStore));
   localStorage.setItem(STORAGE.ACCOUNT_TYPE, acctType);
   return { token: sanctumToken, user: userToStore };
@@ -1583,6 +1626,7 @@ function clearSession() {
   localStorage.removeItem(STORAGE.TOKEN);
   localStorage.removeItem(STORAGE.USER);
   localStorage.removeItem(STORAGE.ACCOUNT_TYPE);
+  localStorage.removeItem(STORAGE.ALIAS_REFERENCE);
 }
 function getErrorMessage$1(err, context) {
   if (err instanceof Error) {
@@ -1597,14 +1641,15 @@ function getErrorMessage$1(err, context) {
   return { message: `Erreur lors de ${context}`, type: "unknown" };
 }
 function useNativeAuth(options) {
-  const { saasApiUrl, iamApiUrl, autoLoadCredentials = true, debug = false } = options;
+  const { saasApiUrl, iamApiUrl, autoLoadCredentials = true, defaultAccountType = "user" } = options;
   const configuredRef = react.useRef(false);
+  const debug = isDebugMode();
   react.useEffect(() => {
     if (!configuredRef.current) {
-      setNativeAuthConfig({ saasApiUrl, iamApiUrl, debug });
+      setNativeAuthConfig({ saasApiUrl, iamApiUrl });
       configuredRef.current = true;
     }
-  }, [saasApiUrl, iamApiUrl, debug]);
+  }, [saasApiUrl, iamApiUrl]);
   const [state, setState] = react.useState({
     credentialsLoaded: false,
     processToken: null,
@@ -1676,6 +1721,23 @@ function useNativeAuth(options) {
       loadCredentials();
     }
   }, [autoLoadCredentials, state.credentialsLoaded, state.user]);
+  react.useEffect(() => {
+    if (state.status === "completed" || !state.credentialsLoaded) return;
+    const ttl = nativeAuthService.getCredentialsTtl();
+    const refreshInterval = Math.max((ttl - 30) * 1e3, 3e4);
+    if (debug) {
+      console.log(`🔄 [Native] Auto-refresh credentials every ${refreshInterval / 1e3}s (TTL: ${ttl}s)`);
+    }
+    const timer = setInterval(async () => {
+      try {
+        await nativeAuthService.loadCredentials();
+        if (debug) console.log("✅ [Native] Credentials auto-refreshed");
+      } catch (err) {
+        if (debug) console.warn("⚠️ [Native] Auto-refresh failed:", err);
+      }
+    }, refreshInterval);
+    return () => clearInterval(timer);
+  }, [state.status, state.credentialsLoaded, debug]);
   const loadCredentials = react.useCallback(async () => {
     setState((prev) => ({ ...prev, loading: true, error: null }));
     try {
@@ -1903,7 +1965,7 @@ function useNativeAuth(options) {
       if (response.success && response.callback_token) {
         const exchangeResult = await nativeAuthService.exchange(response.callback_token);
         if (exchangeResult.success) {
-          const { user: savedUser } = saveSession(exchangeResult, accountType);
+          const { user: savedUser } = saveSession(exchangeResult, defaultAccountType);
           setState((prev) => ({
             ...prev,
             status: "completed",
@@ -1964,7 +2026,7 @@ function useNativeAuth(options) {
       if (response.success && response.callback_token) {
         const exchangeResult = await nativeAuthService.exchange(response.callback_token);
         if (exchangeResult.success) {
-          const { user: savedUser } = saveSession(exchangeResult, accountType);
+          const { user: savedUser } = saveSession(exchangeResult, defaultAccountType);
           setState((prev) => ({
             ...prev,
             status: "completed",
@@ -2025,7 +2087,7 @@ function useNativeAuth(options) {
       if (response.success && response.callback_token) {
         const exchangeResult = await nativeAuthService.exchange(response.callback_token);
         if (exchangeResult.success) {
-          const { user: savedUser } = saveSession(exchangeResult, accountType);
+          const { user: savedUser } = saveSession(exchangeResult, defaultAccountType);
           setState((prev) => ({
             ...prev,
             status: "completed",
@@ -2059,7 +2121,7 @@ function useNativeAuth(options) {
       if (response.success && response.callback_token) {
         const exchangeResult = await nativeAuthService.exchange(response.callback_token);
         if (exchangeResult.success) {
-          const { user: savedUser } = saveSession(exchangeResult, accountType);
+          const { user: savedUser } = saveSession(exchangeResult, defaultAccountType);
           setState((prev) => ({
             ...prev,
             status: "completed",
@@ -2104,14 +2166,14 @@ function useNativeAuth(options) {
     }
   }, [state.processToken]);
   const setSession = react.useCallback((data) => {
-    const { user: savedUser } = saveSession(data, accountType);
+    const { user: savedUser } = saveSession(data, defaultAccountType);
     setState((prev) => ({
       ...prev,
       user: savedUser,
       status: "completed",
       processToken: null
     }));
-  }, [accountType]);
+  }, [defaultAccountType]);
   const logout = react.useCallback(async () => {
     const token = localStorage.getItem(STORAGE.AUTH_TOKEN) || localStorage.getItem(STORAGE.TOKEN);
     try {
@@ -2271,7 +2333,7 @@ function LoginModal({
   iamApiUrl,
   loading,
   showSwitchToSignup = true,
-  debug = false
+  defaultAccountType
 }) {
   const {
     status,
@@ -2290,7 +2352,7 @@ function LoginModal({
     setSession,
     reset: resetAuth,
     clearError
-  } = useNativeAuth({ saasApiUrl, iamApiUrl, debug });
+  } = useNativeAuth({ saasApiUrl, iamApiUrl, defaultAccountType });
   const [step, setStep] = react.useState("choice");
   const [email, setEmail] = react.useState("");
   const [password, setPassword] = react.useState("");
@@ -2799,8 +2861,7 @@ function LoginModal({
         onOpenChange: setShowPasswordRecovery,
         onSuccess: () => setShowPasswordRecovery(false),
         saasApiUrl,
-        iamApiUrl,
-        debug
+        iamApiUrl
       }
     )
   ] });
@@ -3058,8 +3119,7 @@ function useMobileRegistration(options) {
     if (options && !configuredRef.current) {
       setNativeAuthConfig({
         saasApiUrl: options.saasApiUrl,
-        iamApiUrl: options.iamApiUrl,
-        debug: options.debug
+        iamApiUrl: options.iamApiUrl
       });
       configuredRef.current = true;
     }
@@ -3358,7 +3418,7 @@ function SuccessOrbit() {
     })
   ] });
 }
-function SignupModal({ open, onOpenChange, onSwitchToLogin, onSignupSuccess, saasApiUrl, iamApiUrl, debug = false }) {
+function SignupModal({ open, onOpenChange, onSwitchToLogin, onSignupSuccess, saasApiUrl, iamApiUrl, defaultAccountType }) {
   const {
     status,
     formData,
@@ -3374,7 +3434,7 @@ function SignupModal({ open, onOpenChange, onSwitchToLogin, onSignupSuccess, saa
     resendOtp,
     reset: resetReg,
     clearError
-  } = useMobileRegistration({ saasApiUrl, iamApiUrl, debug });
+  } = useMobileRegistration({ saasApiUrl, iamApiUrl });
   const [step, setStep] = react.useState("intro");
   const [otpCode, setOtpCode] = react.useState("");
   const [password, setPassword] = react.useState("");
@@ -4075,7 +4135,7 @@ function NativeSSOPage({
   onLoginSuccess,
   onLogout,
   onOnboardingComplete,
-  debug,
+  accountType = "user",
   title = "Un compte, plusieurs accès",
   description = "Connectez-vous avec votre compte Ollaid pour accéder à toutes les applications partenaires.",
   logoUrl,
@@ -4093,7 +4153,7 @@ function NativeSSOPage({
     }
     return null;
   });
-  const resolvedDebug = debug !== void 0 ? debug : isDebugMode();
+  const resolvedDebug = isDebugMode();
   react.useEffect(() => {
     const root = document.documentElement;
     const originalValues = {};
@@ -4172,6 +4232,7 @@ function NativeSSOPage({
     localStorage.removeItem(STORAGE.TOKEN);
     localStorage.removeItem(STORAGE.USER);
     localStorage.removeItem(STORAGE.ACCOUNT_TYPE);
+    localStorage.removeItem(STORAGE.ALIAS_REFERENCE);
     setSession(null);
     onLogout == null ? void 0 : onLogout();
   }, [onLogout]);
@@ -4270,7 +4331,7 @@ function NativeSSOPage({
         onLoginSuccess: handleLoginSuccess,
         saasApiUrl,
         iamApiUrl,
-        debug: resolvedDebug
+        defaultAccountType: accountType
       }
     ),
     /* @__PURE__ */ jsxRuntime.jsx(
@@ -4284,7 +4345,7 @@ function NativeSSOPage({
         onSignupSuccess: handleLoginSuccess,
         saasApiUrl,
         iamApiUrl,
-        debug: resolvedDebug
+        defaultAccountType: accountType
       }
     ),
     pendingSession && /* @__PURE__ */ jsxRuntime.jsx(