@omni2fa/core 0.7.0 → 0.7.3

package/dist/index.js

@@ -1,6 +1,6 @@
-import O from "openapi-fetch";
-import { setup as h, fromPromise as l, createActor as u } from "xstate";
-class N {
+import J from "openapi-fetch";
+import { setup as h, fromPromise as i, createActor as u } from "xstate";
+class _ {
   map = /* @__PURE__ */ new Map();
   get(e) {
     return this.map.get(e) ?? null;
@@ -12,7 +12,7 @@ class N {
     this.map.delete(e);
   }
 }
-const s = {
+const a = {
   InvalidCode: "INVALID_CODE",
   PreAuthExpired: "PREAUTH_EXPIRED",
   PreAuthInvalid: "PREAUTH_INVALID",
@@ -27,38 +27,40 @@ const s = {
   RecoveryCodeUsed: "RECOVERY_CODE_USED",
   WebAuthnVerificationFailed: "WEBAUTHN_VERIFICATION_FAILED",
   ValidationFailed: "VALIDATION_FAILED",
+  StepUpRequired: "STEP_UP_REQUIRED",
   NetworkError: "NETWORK_ERROR",
   Unknown: "UNKNOWN"
-}, w = {
-  [s.InvalidCode]: "The code you entered is invalid.",
-  [s.PreAuthExpired]: "Your session has expired. Please sign in again.",
-  [s.PreAuthInvalid]: "Your session is invalid. Please sign in again.",
-  [s.ChallengeNotFound]: "No active verification step. Please restart.",
-  [s.ChallengeConsumed]: "This verification step was already used. Please sign in again.",
-  [s.TooManyAttempts]: "Too many attempts. Please wait before trying again.",
-  [s.MethodNotFound]: "The selected 2FA method was not found.",
-  [s.TypeAlreadyEnrolled]: "You already have this type of 2FA enabled.",
-  [s.MaxMethodsReached]: "You have reached the maximum number of 2FA methods.",
-  [s.LastMethodProtected]: "You cannot remove your last 2FA method.",
-  [s.RecoveryCodeInvalid]: "The recovery code is invalid.",
-  [s.RecoveryCodeUsed]: "This recovery code has already been used.",
-  [s.WebAuthnVerificationFailed]: "Security key verification failed.",
-  [s.ValidationFailed]: "The request was malformed.",
-  [s.NetworkError]: "Network error. Please check your connection.",
-  [s.Unknown]: "An unexpected error occurred."
+}, S = {
+  [a.InvalidCode]: "The code you entered is invalid.",
+  [a.PreAuthExpired]: "Your session has expired. Please sign in again.",
+  [a.PreAuthInvalid]: "Your session is invalid. Please sign in again.",
+  [a.ChallengeNotFound]: "No active verification step. Please restart.",
+  [a.ChallengeConsumed]: "This verification step was already used. Please sign in again.",
+  [a.TooManyAttempts]: "Too many attempts. Please wait before trying again.",
+  [a.MethodNotFound]: "The selected 2FA method was not found.",
+  [a.TypeAlreadyEnrolled]: "You already have this type of 2FA enabled.",
+  [a.MaxMethodsReached]: "You have reached the maximum number of 2FA methods.",
+  [a.LastMethodProtected]: "You cannot remove your last 2FA method.",
+  [a.RecoveryCodeInvalid]: "The recovery code is invalid.",
+  [a.RecoveryCodeUsed]: "This recovery code has already been used.",
+  [a.WebAuthnVerificationFailed]: "Security key verification failed.",
+  [a.ValidationFailed]: "The request was malformed.",
+  [a.StepUpRequired]: "Please confirm two-factor authentication to continue.",
+  [a.NetworkError]: "Network error. Please check your connection.",
+  [a.Unknown]: "An unexpected error occurred."
 };
-function v(t) {
-  return w[t] ?? w[s.Unknown];
+function T(t) {
+  return S[t] ?? S[a.Unknown];
 }
-const R = "omni2fa:preauth", D = "omni2fa:session", I = "http://omni2fa.local";
-class P {
+const F = "omni2fa:preauth", L = "omni2fa:session", b = "http://omni2fa.local";
+class K {
   storage;
   preAuthKey;
   sessionKey;
   basePath;
   inner;
   constructor(e) {
-    this.storage = e.storage ?? new N(), this.preAuthKey = e.preAuthStorageKey ?? R, this.sessionKey = e.sessionStorageKey ?? D, this.basePath = new URL(e.baseUrl, I).pathname.replace(/\/$/, ""), this.inner = O({
+    this.storage = e.storage ?? new _(), this.preAuthKey = e.preAuthStorageKey ?? F, this.sessionKey = e.sessionStorageKey ?? L, this.basePath = new URL(e.baseUrl, b).pathname.replace(/\/$/, ""), this.inner = J({
       baseUrl: e.baseUrl,
       fetch: e.fetch ?? globalThis.fetch.bind(globalThis),
       ...e.credentials ? { credentials: e.credentials } : {}
@@ -73,7 +75,7 @@ class P {
   }
   /** Pre-auth endpoints are exactly the ones mounted under <c>{basePath}/challenge/</c>. */
   isPreAuthEndpoint(e) {
-    const r = new URL(e, I).pathname;
+    const r = new URL(e, b).pathname;
     return (r.startsWith(this.basePath) ? r.slice(this.basePath.length) : r).startsWith("/challenge/");
   }
   setPreAuthToken(e) {
@@ -143,6 +145,18 @@ class P {
     const { data: r, error: n, response: o } = await this.inner.POST("/challenge/recovery-code", { body: e });
     return this.toCall(r, n, o);
   }
+  async startStepUp(e) {
+    const { data: r, error: n, response: o } = await this.inner.POST("/stepup/start", { body: e });
+    return this.toCall(r, n, o);
+  }
+  async resendStepUp(e) {
+    const { data: r, error: n, response: o } = await this.inner.POST("/stepup/resend", { body: e });
+    return this.toCall(r, n, o);
+  }
+  async verifyStepUp(e) {
+    const { data: r, error: n, response: o } = await this.inner.POST("/stepup/verify", { body: e });
+    return this.toCall(r, n, o);
+  }
   async regenerateRecoveryCodes() {
     const { data: e, error: r, response: n } = await this.inner.POST("/recovery-codes/regenerate");
     return this.toCall(e, r, n);
@@ -150,23 +164,23 @@ class P {
   toCall(e, r, n) {
     return r !== void 0 ? this.errorCall(r, n) : e === void 0 ? {
       ok: !1,
-      code: s.NetworkError,
-      message: v(s.NetworkError),
+      code: a.NetworkError,
+      message: T(a.NetworkError),
       httpStatus: n.status
     } : { ok: !0, value: e };
   }
   errorCall(e, r) {
-    const n = e.code || s.Unknown;
+    const n = e.code || a.Unknown;
     return {
       ok: !1,
       code: n,
-      message: e.message || v(n),
+      message: e.message || T(n),
       httpStatus: r.status,
       details: e.details ?? null
     };
   }
 }
-class z {
+class te {
   get(e) {
     return globalThis.sessionStorage?.getItem(e) ?? null;
   }
@@ -177,7 +191,7 @@ class z {
     globalThis.sessionStorage?.removeItem(e);
   }
 }
-class X {
+class ne {
   get(e) {
     return globalThis.localStorage?.getItem(e) ?? null;
   }
@@ -188,7 +202,7 @@ class X {
     globalThis.localStorage?.removeItem(e);
   }
 }
-class a extends Error {
+class s extends Error {
   code;
   httpStatus;
   details;
@@ -196,7 +210,7 @@ class a extends Error {
     super(r), this.name = "Omni2FaApiError", this.code = e, this.httpStatus = n, this.details = o;
   }
 }
-const U = {
+const W = {
   enrollmentId: null,
   otpAuthUri: null,
   secret: null,
@@ -205,34 +219,34 @@ const U = {
   errorCode: null,
   errorMessage: null
 };
-function _(t) {
+function $(t) {
   return h({
     types: {
       context: {},
       events: {}
     },
     actors: {
-      startEnrollment: l(async () => {
+      startEnrollment: i(async () => {
         const e = await t.startTotpEnrollment();
         if (!e.ok)
-          throw new a(e.code, e.message, e.httpStatus, e.details ?? null);
+          throw new s(e.code, e.message, e.httpStatus, e.details ?? null);
         return e.value;
       }),
-      confirmEnrollment: l(async ({ input: e }) => {
+      confirmEnrollment: i(async ({ input: e }) => {
         const r = await t.confirmTotpEnrollment({
           enrollmentId: e.enrollmentId,
           code: e.code,
           name: e.name
         });
         if (!r.ok)
-          throw new a(r.code, r.message, r.httpStatus, r.details ?? null);
+          throw new s(r.code, r.message, r.httpStatus, r.details ?? null);
         return r.value;
       })
     }
   }).createMachine({
     id: "totpEnrollment",
     initial: "idle",
-    context: U,
+    context: W,
     states: {
       idle: {
         on: {
@@ -250,14 +264,14 @@ function _(t) {
           },
           onError: {
             target: "failed",
-            actions: ({ context: e, event: r }) => A(e, r.error)
+            actions: ({ context: e, event: r }) => k(e, r.error)
           }
         }
       },
       awaitingCode: {
         on: {
           submit: { target: "confirming" },
-          reset: { target: "idle", actions: p }
+          reset: { target: "idle", actions: y }
         }
       },
       confirming: {
@@ -276,31 +290,31 @@ function _(t) {
           },
           onError: {
             target: "awaitingCode",
-            actions: ({ context: e, event: r }) => A(e, r.error)
+            actions: ({ context: e, event: r }) => k(e, r.error)
           }
         }
       },
       enrolled: {
         on: {
-          reset: { target: "idle", actions: p }
+          reset: { target: "idle", actions: y }
         }
       },
       failed: {
         on: {
           start: { target: "starting" },
-          reset: { target: "idle", actions: p }
+          reset: { target: "idle", actions: y }
         }
       }
     }
   });
 }
-function p({ context: t }) {
+function y({ context: t }) {
   t.enrollmentId = null, t.otpAuthUri = null, t.secret = null, t.methodId = null, t.recoveryCodes = null, t.errorCode = null, t.errorMessage = null;
 }
-function A(t, e) {
-  e instanceof a ? (t.errorCode = e.code, t.errorMessage = e.message) : (t.errorCode = "UNKNOWN", t.errorMessage = e instanceof Error ? e.message : null);
+function k(t, e) {
+  e instanceof s ? (t.errorCode = e.code, t.errorMessage = e.message) : (t.errorCode = "UNKNOWN", t.errorMessage = e instanceof Error ? e.message : null);
 }
-const J = {
+const H = {
   enrollmentId: null,
   email: null,
   expiresAt: null,
@@ -310,40 +324,40 @@ const J = {
   errorCode: null,
   errorMessage: null
 };
-function F(t) {
+function V(t) {
   return h({
     types: {
       context: {},
       events: {}
     },
     actors: {
-      startEnrollment: l(async ({ input: e }) => {
-        const r = await t.startEmailEnrollment({ email: e.email });
+      startEnrollment: i(async ({ input: e }) => {
+        const r = await t.startEmailEnrollment(e.email !== void 0 ? { email: e.email } : {});
         if (!r.ok)
-          throw new a(r.code, r.message, r.httpStatus, r.details ?? null);
+          throw new s(r.code, r.message, r.httpStatus, r.details ?? null);
         return r.value;
       }),
-      resendEnrollment: l(async ({ input: e }) => {
+      resendEnrollment: i(async ({ input: e }) => {
         const r = await t.resendEmailEnrollment({ enrollmentId: e.enrollmentId });
         if (!r.ok)
-          throw new a(r.code, r.message, r.httpStatus, r.details ?? null);
+          throw new s(r.code, r.message, r.httpStatus, r.details ?? null);
         return r.value;
       }),
-      confirmEnrollment: l(async ({ input: e }) => {
+      confirmEnrollment: i(async ({ input: e }) => {
         const r = await t.confirmEmailEnrollment({
           enrollmentId: e.enrollmentId,
           code: e.code,
           name: e.name
         });
         if (!r.ok)
-          throw new a(r.code, r.message, r.httpStatus, r.details ?? null);
+          throw new s(r.code, r.message, r.httpStatus, r.details ?? null);
         return r.value;
       })
     }
   }).createMachine({
     id: "emailEnrollment",
     initial: "idle",
-    context: J,
+    context: H,
     states: {
       idle: {
         on: {
@@ -352,21 +366,20 @@ function F(t) {
       },
       starting: {
         entry: ({ context: e, event: r }) => {
-          r.type === "start" && (e.email = r.email);
+          r.type === "start" && (e.email = r.email ?? null);
         },
         invoke: {
           src: "startEnrollment",
-          input: ({ context: e }) => {
-            if (!e.email) throw new Error("no email");
-            return { email: e.email };
-          },
+          // Under the server's default ClaimOnly source the address is derived from the
+          // session, so an absent email is valid; HostSupplied callers pass one through.
+          input: ({ context: e }) => ({ email: e.email ?? void 0 }),
           onDone: {
             target: "awaitingCode",
-            actions: ({ context: e, event: r }) => T(e, r.output)
+            actions: ({ context: e, event: r }) => M(e, r.output)
           },
           onError: {
             target: "failed",
-            actions: ({ context: e, event: r }) => y(e, r.error)
+            actions: ({ context: e, event: r }) => v(e, r.error)
           }
         }
       },
@@ -374,7 +387,7 @@ function F(t) {
         on: {
           submit: { target: "confirming" },
           resend: { target: "resending" },
-          reset: { target: "idle", actions: f }
+          reset: { target: "idle", actions: w }
         }
       },
       resending: {
@@ -386,11 +399,11 @@ function F(t) {
           },
           onDone: {
             target: "awaitingCode",
-            actions: ({ context: e, event: r }) => T(e, r.output)
+            actions: ({ context: e, event: r }) => M(e, r.output)
           },
           onError: {
             target: "awaitingCode",
-            actions: ({ context: e, event: r }) => y(e, r.error)
+            actions: ({ context: e, event: r }) => v(e, r.error)
           }
         }
       },
@@ -410,37 +423,37 @@ function F(t) {
           },
           onError: {
             target: "awaitingCode",
-            actions: ({ context: e, event: r }) => y(e, r.error)
+            actions: ({ context: e, event: r }) => v(e, r.error)
           }
         }
       },
       enrolled: {
         on: {
-          reset: { target: "idle", actions: f }
+          reset: { target: "idle", actions: w }
         }
       },
       failed: {
         on: {
           start: { target: "starting" },
-          reset: { target: "idle", actions: f }
+          reset: { target: "idle", actions: w }
         }
       }
     }
   });
 }
-function T(t, e) {
+function M(t, e) {
   t.enrollmentId = e.enrollmentId, t.expiresAt = e.expiresAt, t.resendAvailableAt = e.resendAvailableAt, t.errorCode = null, t.errorMessage = null;
 }
-function f({ context: t }) {
+function w({ context: t }) {
   t.enrollmentId = null, t.email = null, t.expiresAt = null, t.resendAvailableAt = null, t.methodId = null, t.recoveryCodes = null, t.errorCode = null, t.errorMessage = null;
 }
-function y(t, e) {
-  e instanceof a ? (t.errorCode = e.code, t.errorMessage = e.message) : (t.errorCode = "UNKNOWN", t.errorMessage = e instanceof Error ? e.message : null);
+function v(t, e) {
+  e instanceof s ? (t.errorCode = e.code, t.errorMessage = e.message) : (t.errorCode = "UNKNOWN", t.errorMessage = e instanceof Error ? e.message : null);
 }
-function g(t) {
+function m(t) {
   const e = t.replace(/-/g, "+").replace(/_/g, "/"), r = e.padEnd(Math.ceil(e.length / 4) * 4, "="), n = atob(r), o = new Uint8Array(n.length);
-  for (let i = 0; i < n.length; i++)
-    o[i] = n.charCodeAt(i);
+  for (let l = 0; l < n.length; l++)
+    o[l] = n.charCodeAt(l);
   return o.buffer;
 }
 function d(t) {
@@ -450,15 +463,15 @@ function d(t) {
     r += String.fromCharCode(n);
   return btoa(r).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
 }
-function k(t) {
-  return (t ?? []).map((e) => ({ ...e, id: g(e.id) }));
+function D(t) {
+  return (t ?? []).map((e) => ({ ...e, id: m(e.id) }));
 }
-async function L(t) {
+async function Y(t) {
   const e = JSON.parse(t), r = {
     ...e,
-    challenge: g(e.challenge),
-    user: { ...e.user, id: g(e.user.id) },
-    excludeCredentials: k(e.excludeCredentials)
+    challenge: m(e.challenge),
+    user: { ...e.user, id: m(e.user.id) },
+    excludeCredentials: D(e.excludeCredentials)
     // Cast through unknown: the spread carries Fido2's index-signature fields the DOM type omits.
   }, n = await navigator.credentials.create({ publicKey: r });
   if (n === null)
@@ -475,11 +488,11 @@ async function L(t) {
     }
   });
 }
-async function K(t) {
+async function P(t) {
   const e = JSON.parse(t), r = {
     ...e,
-    challenge: g(e.challenge),
-    allowCredentials: k(e.allowCredentials)
+    challenge: m(e.challenge),
+    allowCredentials: D(e.allowCredentials)
   }, n = await navigator.credentials.get({ publicKey: r });
   if (n === null)
     throw new Error("WebAuthn authentication produced no credential.");
@@ -497,7 +510,7 @@ async function K(t) {
     }
   });
 }
-const W = {
+const q = {
   enrollmentId: null,
   optionsJson: null,
   name: null,
@@ -506,34 +519,34 @@ const W = {
   errorCode: null,
   errorMessage: null
 };
-function $(t) {
+function B(t) {
   return h({
     types: {
       context: {},
       events: {}
     },
     actors: {
-      startEnrollment: l(async () => {
+      startEnrollment: i(async () => {
         const e = await t.startWebAuthnEnrollment();
         if (!e.ok)
-          throw new a(e.code, e.message, e.httpStatus, e.details ?? null);
+          throw new s(e.code, e.message, e.httpStatus, e.details ?? null);
         return e.value;
       }),
-      registerAndConfirm: l(async ({ input: e }) => {
-        const r = await L(e.optionsJson), n = await t.confirmWebAuthnEnrollment({
+      registerAndConfirm: i(async ({ input: e }) => {
+        const r = await Y(e.optionsJson), n = await t.confirmWebAuthnEnrollment({
           enrollmentId: e.enrollmentId,
           attestationResponseJson: r,
           name: e.name
         });
         if (!n.ok)
-          throw new a(n.code, n.message, n.httpStatus, n.details ?? null);
+          throw new s(n.code, n.message, n.httpStatus, n.details ?? null);
         return n.value;
       })
     }
   }).createMachine({
     id: "webauthnEnrollment",
     initial: "idle",
-    context: W,
+    context: q,
     states: {
       idle: {
         on: {
@@ -554,7 +567,7 @@ function $(t) {
           },
           onError: {
             target: "failed",
-            actions: ({ context: e, event: r }) => M(e, r.error)
+            actions: ({ context: e, event: r }) => U(e, r.error)
           }
         }
       },
@@ -573,31 +586,31 @@ function $(t) {
           },
           onError: {
             target: "failed",
-            actions: ({ context: e, event: r }) => M(e, r.error)
+            actions: ({ context: e, event: r }) => U(e, r.error)
           }
         }
       },
       enrolled: {
         on: {
-          reset: { target: "idle", actions: b }
+          reset: { target: "idle", actions: O }
         }
       },
       failed: {
         on: {
           retry: { target: "starting" },
-          reset: { target: "idle", actions: b }
+          reset: { target: "idle", actions: O }
         }
       }
     }
   });
 }
-function b({ context: t }) {
+function O({ context: t }) {
   t.enrollmentId = null, t.optionsJson = null, t.name = null, t.methodId = null, t.recoveryCodes = null, t.errorCode = null, t.errorMessage = null;
 }
-function M(t, e) {
-  e instanceof a ? (t.errorCode = e.code, t.errorMessage = e.message) : (t.errorCode = "UNKNOWN", t.errorMessage = e instanceof Error ? e.message : null);
+function U(t, e) {
+  e instanceof s ? (t.errorCode = e.code, t.errorMessage = e.message) : (t.errorCode = "UNKNOWN", t.errorMessage = e instanceof Error ? e.message : null);
 }
-const H = {
+const G = {
   methodId: null,
   methodType: null,
   userId: null,
@@ -608,48 +621,48 @@ const H = {
   errorCode: null,
   errorMessage: null
 };
-function Y(t) {
+function X(t) {
   return h({
     types: {
       context: {},
       events: {}
     },
     actors: {
-      startChallenge: l(async ({ input: e }) => {
+      startChallenge: i(async ({ input: e }) => {
         const r = await t.startChallenge({ methodId: e.methodId });
         if (!r.ok)
-          throw new a(r.code, r.message, r.httpStatus, r.details ?? null);
+          throw new s(r.code, r.message, r.httpStatus, r.details ?? null);
         return r.value;
       }),
-      resendChallenge: l(async ({ input: e }) => {
+      resendChallenge: i(async ({ input: e }) => {
         const r = await t.resendChallenge({ methodId: e.methodId });
         if (!r.ok)
-          throw new a(r.code, r.message, r.httpStatus, r.details ?? null);
+          throw new s(r.code, r.message, r.httpStatus, r.details ?? null);
         return r.value;
       }),
-      verifyChallenge: l(async ({ input: e }) => {
+      verifyChallenge: i(async ({ input: e }) => {
         const r = await t.verifyChallenge({ methodId: e.methodId, code: e.code });
         if (!r.ok)
-          throw new a(r.code, r.message, r.httpStatus, r.details ?? null);
+          throw new s(r.code, r.message, r.httpStatus, r.details ?? null);
         return r.value;
       }),
-      assertChallenge: l(async ({ input: e }) => {
-        const r = await K(e.optionsJson), n = await t.verifyChallenge({ methodId: e.methodId, assertionResponseJson: r });
+      assertChallenge: i(async ({ input: e }) => {
+        const r = await P(e.optionsJson), n = await t.verifyChallenge({ methodId: e.methodId, assertionResponseJson: r });
         if (!n.ok)
-          throw new a(n.code, n.message, n.httpStatus, n.details ?? null);
+          throw new s(n.code, n.message, n.httpStatus, n.details ?? null);
         return n.value;
       }),
-      verifyRecoveryCode: l(async ({ input: e }) => {
+      verifyRecoveryCode: i(async ({ input: e }) => {
         const r = await t.verifyRecoveryCode({ recoveryCode: e.code });
         if (!r.ok)
-          throw new a(r.code, r.message, r.httpStatus, r.details ?? null);
+          throw new s(r.code, r.message, r.httpStatus, r.details ?? null);
         return r.value;
       })
     }
   }).createMachine({
     id: "challenge",
     initial: "idle",
-    context: H,
+    context: G,
     states: {
       idle: {
         on: {
@@ -671,11 +684,11 @@ function Y(t) {
             {
               guard: ({ event: e }) => e.output.type === "WebAuthn",
               target: "asserting",
-              actions: ({ context: e, event: r }) => C(e, r.output)
+              actions: ({ context: e, event: r }) => E(e, r.output)
             },
             {
               target: "awaitingCode",
-              actions: ({ context: e, event: r }) => C(e, r.output)
+              actions: ({ context: e, event: r }) => E(e, r.output)
             }
           ],
           onError: {
@@ -708,7 +721,7 @@ function Y(t) {
           submit: { target: "verifying" },
           resend: { target: "resending" },
           useRecoveryCode: { target: "verifyingRecovery" },
-          reset: { target: "idle", actions: E }
+          reset: { target: "idle", actions: C }
         }
       },
       verifyingRecovery: {
@@ -739,7 +752,7 @@ function Y(t) {
           },
           onDone: {
             target: "awaitingCode",
-            actions: ({ context: e, event: r }) => C(e, r.output)
+            actions: ({ context: e, event: r }) => E(e, r.output)
           },
           onError: {
             target: "awaitingCode",
@@ -769,57 +782,57 @@ function Y(t) {
       },
       verified: {
         on: {
-          reset: { target: "idle", actions: E }
+          reset: { target: "idle", actions: C }
         }
       },
       failed: {
         on: {
           pick: { target: "starting" },
           useRecoveryCode: { target: "verifyingRecovery" },
-          reset: { target: "idle", actions: E }
+          reset: { target: "idle", actions: C }
         }
       }
     }
   });
 }
-function C(t, e) {
+function E(t, e) {
   t.methodType = e.type, t.expiresAt = e.expiresAt ?? null, t.resendAvailableAt = e.resendAvailableAt ?? null, t.optionsJson = e.optionsJson ?? null, t.errorCode = null, t.errorMessage = null;
 }
-function E({ context: t }) {
+function C({ context: t }) {
   t.methodId = null, t.methodType = null, t.userId = null, t.verifiedToken = null, t.expiresAt = null, t.resendAvailableAt = null, t.optionsJson = null, t.errorCode = null, t.errorMessage = null;
 }
 function c(t, e) {
-  e instanceof a ? (t.errorCode = e.code, t.errorMessage = e.message) : (t.errorCode = "UNKNOWN", t.errorMessage = e instanceof Error ? e.message : null);
+  e instanceof s ? (t.errorCode = e.code, t.errorMessage = e.message) : (t.errorCode = "UNKNOWN", t.errorMessage = e instanceof Error ? e.message : null);
 }
-const V = {
+const j = {
   items: [],
   errorCode: null,
   errorMessage: null
 };
-function B(t) {
+function z(t) {
   return h({
     types: {
       context: {},
       events: {}
     },
     actors: {
-      load: l(async () => {
+      load: i(async () => {
         const e = await t.listMethods();
         if (!e.ok)
-          throw new a(e.code, e.message, e.httpStatus, e.details ?? null);
+          throw new s(e.code, e.message, e.httpStatus, e.details ?? null);
         return e.value;
       }),
-      remove: l(async ({ input: e }) => {
+      remove: i(async ({ input: e }) => {
         const r = await t.removeMethod(e.methodId);
         if (!r.ok)
-          throw new a(r.code, r.message, r.httpStatus, r.details ?? null);
+          throw new s(r.code, r.message, r.httpStatus, r.details ?? null);
         return e.methodId;
       })
     }
   }).createMachine({
     id: "methods",
     initial: "idle",
-    context: V,
+    context: j,
     states: {
       idle: {
         on: {
@@ -837,7 +850,7 @@ function B(t) {
           },
           onError: {
             target: "failed",
-            actions: ({ context: e, event: r }) => S(e, r.error)
+            actions: ({ context: e, event: r }) => N(e, r.error)
           }
         }
       },
@@ -863,54 +876,222 @@ function B(t) {
           },
           onError: {
             target: "ready",
-            actions: ({ context: e, event: r }) => S(e, r.error)
+            actions: ({ context: e, event: r }) => N(e, r.error)
           }
         }
       },
       failed: {
         on: {
           load: { target: "loading" },
-          reset: { target: "idle", actions: G }
+          reset: { target: "idle", actions: Q }
         }
       }
     }
   });
 }
-function G({ context: t }) {
+function Q({ context: t }) {
   t.items = [], t.errorCode = null, t.errorMessage = null;
 }
-function S(t, e) {
-  e instanceof a ? (t.errorCode = e.code, t.errorMessage = e.message) : (t.errorCode = "UNKNOWN", t.errorMessage = e instanceof Error ? e.message : null);
+function N(t, e) {
+  e instanceof s ? (t.errorCode = e.code, t.errorMessage = e.message) : (t.errorCode = "UNKNOWN", t.errorMessage = e instanceof Error ? e.message : null);
+}
+const Z = {
+  methodId: null,
+  methodType: null,
+  stepUpToken: null,
+  expiresAt: null,
+  resendAvailableAt: null,
+  optionsJson: null,
+  errorCode: null,
+  errorMessage: null
+};
+function x(t) {
+  return h({
+    types: {
+      context: {},
+      events: {}
+    },
+    actors: {
+      startStepUp: i(async ({ input: e }) => {
+        const r = await t.startStepUp({ methodId: e.methodId });
+        if (!r.ok)
+          throw new s(r.code, r.message, r.httpStatus, r.details ?? null);
+        return r.value;
+      }),
+      resendStepUp: i(async ({ input: e }) => {
+        const r = await t.resendStepUp({ methodId: e.methodId });
+        if (!r.ok)
+          throw new s(r.code, r.message, r.httpStatus, r.details ?? null);
+        return r.value;
+      }),
+      verifyStepUp: i(async ({ input: e }) => {
+        const r = await t.verifyStepUp({ methodId: e.methodId, code: e.code });
+        if (!r.ok)
+          throw new s(r.code, r.message, r.httpStatus, r.details ?? null);
+        return r.value;
+      }),
+      assertStepUp: i(async ({ input: e }) => {
+        const r = await P(e.optionsJson), n = await t.verifyStepUp({ methodId: e.methodId, assertionResponseJson: r });
+        if (!n.ok)
+          throw new s(n.code, n.message, n.httpStatus, n.details ?? null);
+        return n.value;
+      })
+    }
+  }).createMachine({
+    id: "stepup",
+    initial: "idle",
+    context: Z,
+    states: {
+      idle: {
+        on: {
+          pick: { target: "starting" }
+        }
+      },
+      starting: {
+        entry: ({ context: e, event: r }) => {
+          r.type === "pick" && (e.methodId = r.methodId);
+        },
+        invoke: {
+          src: "startStepUp",
+          input: ({ context: e }) => {
+            if (!e.methodId) throw new Error("no methodId");
+            return { methodId: e.methodId };
+          },
+          onDone: [
+            {
+              guard: ({ event: e }) => e.output.type === "WebAuthn",
+              target: "asserting",
+              actions: ({ context: e, event: r }) => I(e, r.output)
+            },
+            {
+              target: "awaitingCode",
+              actions: ({ context: e, event: r }) => I(e, r.output)
+            }
+          ],
+          onError: {
+            target: "failed",
+            actions: ({ context: e, event: r }) => g(e, r.error)
+          }
+        }
+      },
+      asserting: {
+        invoke: {
+          src: "assertStepUp",
+          input: ({ context: e }) => {
+            if (!e.methodId || !e.optionsJson) throw new Error("no assertion options");
+            return { methodId: e.methodId, optionsJson: e.optionsJson };
+          },
+          onDone: {
+            target: "verified",
+            actions: ({ context: e, event: r }) => R(e, r.output.stepUpToken)
+          },
+          onError: {
+            target: "failed",
+            actions: ({ context: e, event: r }) => g(e, r.error)
+          }
+        }
+      },
+      awaitingCode: {
+        on: {
+          submit: { target: "verifying" },
+          resend: { target: "resending" },
+          reset: { target: "idle", actions: A }
+        }
+      },
+      resending: {
+        invoke: {
+          src: "resendStepUp",
+          input: ({ context: e }) => {
+            if (!e.methodId) throw new Error("no methodId");
+            return { methodId: e.methodId };
+          },
+          onDone: {
+            target: "awaitingCode",
+            actions: ({ context: e, event: r }) => I(e, r.output)
+          },
+          onError: {
+            target: "awaitingCode",
+            actions: ({ context: e, event: r }) => g(e, r.error)
+          }
+        }
+      },
+      verifying: {
+        invoke: {
+          src: "verifyStepUp",
+          input: ({ context: e, event: r }) => {
+            if (r.type !== "submit") throw new Error("verifying requires submit event");
+            if (!e.methodId) throw new Error("no methodId");
+            return { methodId: e.methodId, code: r.code };
+          },
+          onDone: {
+            target: "verified",
+            actions: ({ context: e, event: r }) => R(e, r.output.stepUpToken)
+          },
+          onError: {
+            target: "awaitingCode",
+            actions: ({ context: e, event: r }) => g(e, r.error)
+          }
+        }
+      },
+      verified: {
+        on: {
+          reset: { target: "idle", actions: A }
+        }
+      },
+      failed: {
+        on: {
+          pick: { target: "starting" },
+          reset: { target: "idle", actions: A }
+        }
+      }
+    }
+  });
+}
+function I(t, e) {
+  t.methodType = e.type, t.expiresAt = e.expiresAt ?? null, t.resendAvailableAt = e.resendAvailableAt ?? null, t.optionsJson = e.optionsJson ?? null, t.errorCode = null, t.errorMessage = null;
+}
+function R(t, e) {
+  t.stepUpToken = e, t.errorCode = null, t.errorMessage = null;
+}
+function A({ context: t }) {
+  t.methodId = null, t.methodType = null, t.stepUpToken = null, t.expiresAt = null, t.resendAvailableAt = null, t.optionsJson = null, t.errorCode = null, t.errorMessage = null;
+}
+function g(t, e) {
+  e instanceof s ? (t.errorCode = e.code, t.errorMessage = e.message) : (t.errorCode = "UNKNOWN", t.errorMessage = e instanceof Error ? e.message : null);
 }
-function Q(t) {
-  const e = new P(t), r = u(_(e)), n = u(F(e)), o = u($(e)), i = u(Y(e)), m = u(B(e));
-  return r.start(), n.start(), o.start(), i.start(), m.start(), {
+const oe = "X-Omni2FA-StepUp";
+function se(t) {
+  const e = new K(t), r = u($(e)), n = u(V(e)), o = u(B(e)), l = u(X(e)), p = u(x(e)), f = u(z(e));
+  return r.start(), n.start(), o.start(), l.start(), p.start(), f.start(), {
     client: e,
     totpEnrollment: r,
     emailEnrollment: n,
     webauthnEnrollment: o,
-    challenge: i,
-    methods: m,
+    challenge: l,
+    stepUp: p,
+    methods: f,
     dispose() {
-      r.stop(), n.stop(), o.stop(), i.stop(), m.stop();
+      r.stop(), n.stop(), o.stop(), l.stop(), p.stop(), f.stop();
     }
   };
 }
 export {
-  X as LocalStorageStorage,
-  N as MemoryStorage,
-  a as Omni2FaApiError,
-  P as Omni2FaClient,
-  s as Omni2FaErrorCodes,
-  z as SessionStorageStorage,
-  Y as createChallengeMachine,
-  F as createEmailEnrollmentMachine,
-  B as createMethodsMachine,
-  Q as createOmni2Fa,
-  _ as createTotpEnrollmentMachine,
-  $ as createWebAuthnEnrollmentMachine,
-  v as getDefaultMessage,
-  K as startAuthentication,
-  L as startRegistration
+  ne as LocalStorageStorage,
+  _ as MemoryStorage,
+  s as Omni2FaApiError,
+  K as Omni2FaClient,
+  a as Omni2FaErrorCodes,
+  oe as STEP_UP_HEADER,
+  te as SessionStorageStorage,
+  X as createChallengeMachine,
+  V as createEmailEnrollmentMachine,
+  z as createMethodsMachine,
+  se as createOmni2Fa,
+  x as createStepUpMachine,
+  $ as createTotpEnrollmentMachine,
+  B as createWebAuthnEnrollmentMachine,
+  T as getDefaultMessage,
+  P as startAuthentication,
+  Y as startRegistration
 };
 //# sourceMappingURL=index.js.map