@ovixa/auth-client 0.1.2 → 0.1.3

package/CHANGELOG.md

@@ -5,6 +5,16 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/),
 and this project adheres to [Semantic Versioning](https://semver.org/).
 
+## [0.1.3] - 2026-01-29
+
+### Added
+
+- `auth.exchangeOAuthCode(code)` - Exchange OAuth authorization code for tokens, completing the OAuth 2.0 Authorization Code flow
+
+### Fixed
+
+- OAuth flow now works correctly with the auth server's secure authorization code pattern
+
 ## [0.1.2] - 2026-01-28
 
 ### Added

package/README.md

@@ -141,6 +141,15 @@ await auth.forgotPassword({
 });
 ```
 
+### Email Branding
+
+Verification and password reset emails automatically display your realm's `display_name` as the brand name. To customize the branding in emails:
+
+1. Set `display_name` when creating your realm
+2. Emails will show your brand (e.g., "Linkdrop") instead of "Ovixa"
+
+If no `display_name` is set, emails default to "Ovixa".
+
 #### `resetPassword(options)`
 
 Set a new password using a reset token.

package/dist/{chunk-IIOWUPWH.js → chunk-CUACHOKT.js}

@@ -415,7 +415,8 @@ var OvixaAuth = class {
    * Generate an OAuth authorization URL.
    *
    * Redirect the user to this URL to start the OAuth flow. After authentication,
-   * the user will be redirected back to your `redirectUri` with tokens.
+   * the user will be redirected back to your `redirectUri` with an authorization code.
+   * Use `exchangeOAuthCode()` to exchange the code for tokens.
    *
    * @param options - OAuth URL options
    * @returns The full OAuth authorization URL
@@ -429,6 +430,10 @@ var OvixaAuth = class {
    *
    * // Redirect user to start OAuth flow
    * window.location.href = googleAuthUrl;
+   *
+   * // In your callback handler:
+   * // const code = new URLSearchParams(window.location.search).get('code');
+   * // const tokens = await auth.exchangeOAuthCode(code);
    * ```
    */
   getOAuthUrl(options) {
@@ -437,6 +442,51 @@ var OvixaAuth = class {
     url.searchParams.set("redirect_uri", options.redirectUri);
     return url.toString();
   }
+  /**
+   * Exchange an OAuth authorization code for tokens.
+   *
+   * After the OAuth flow completes, the user is redirected back to your app with
+   * an authorization code in the URL query params. Use this method to exchange
+   * that code for access and refresh tokens.
+   *
+   * Note: Authorization codes expire after 60 seconds.
+   *
+   * @param code - The authorization code from the OAuth callback URL
+   * @returns Token response with access and refresh tokens
+   * @throws {OvixaAuthError} If the exchange fails
+   *
+   * @example
+   * ```typescript
+   * // In your OAuth callback handler
+   * const code = new URLSearchParams(window.location.search).get('code');
+   *
+   * if (code) {
+   *   try {
+   *     const tokens = await auth.exchangeOAuthCode(code);
+   *     console.log('OAuth successful!', tokens.access_token);
+   *
+   *     // Check if this is a new user (first-time OAuth login)
+   *     if (tokens.is_new_user) {
+   *       // Show onboarding flow
+   *     }
+   *   } catch (error) {
+   *     if (error instanceof OvixaAuthError) {
+   *       if (error.code === 'INVALID_CODE') {
+   *         console.error('Invalid or expired authorization code');
+   *       }
+   *     }
+   *   }
+   * }
+   * ```
+   */
+  async exchangeOAuthCode(code) {
+    const url = `${this.config.authUrl}/oauth/token`;
+    const body = {
+      code,
+      realm_id: this.config.realmId
+    };
+    return this.makeRequest(url, body);
+  }
   /**
    * Transform a token response into an AuthResult with user and session data.
    *
@@ -728,4 +778,4 @@ export {
   OvixaAuthError,
   OvixaAuth
 };
-//# sourceMappingURL=chunk-IIOWUPWH.js.map
+//# sourceMappingURL=chunk-CUACHOKT.js.map

package/dist/chunk-CUACHOKT.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../src/index.ts"],"sourcesContent":["/**\n * @ovixa/auth-client\n *\n * Client SDK for Ovixa Auth service.\n * Provides authentication, token verification, and session management.\n */\n\nimport {\n  createRemoteJWKSet,\n  jwtVerify,\n  type JWTPayload,\n  type JWTVerifyResult,\n  type JWTHeaderParameters,\n} from 'jose';\n\n/**\n * Configuration options for the OvixaAuth client.\n */\nexport interface AuthClientConfig {\n  /** The base URL of the Ovixa Auth service */\n  authUrl: string;\n  /** The realm ID to authenticate against */\n  realmId: string;\n  /** Your application's client secret (for server-side use only) */\n  clientSecret?: string;\n  /** Cache duration for JWKS in milliseconds (defaults to 1 hour) */\n  jwksCacheTtl?: number;\n}\n\n/**\n * JWT claims for an Ovixa access token.\n */\nexport interface AccessTokenPayload extends JWTPayload {\n  /** Subject (user ID) */\n  sub: string;\n  /** User's email address */\n  email: string;\n  /** Whether the user's email has been verified */\n  email_verified: boolean;\n  /** Issued at timestamp */\n  iat: number;\n  /** Expiration timestamp */\n  exp: number;\n  /** Issuer */\n  iss: string;\n  /** Audience (realm ID) */\n  aud: string;\n}\n\n/**\n * Result of a successful token verification.\n */\nexport interface VerifyResult {\n  /** The decoded token payload */\n  payload: AccessTokenPayload;\n  /** The protected header */\n  protectedHeader: JWTHeaderParameters;\n}\n\n/**\n * Token response from the auth service.\n */\nexport interface TokenResponse {\n  /** The access token (JWT) */\n  access_token: string;\n  /** The refresh token (JWT) */\n  refresh_token: string;\n  /** Token type (always \"Bearer\") */\n  token_type: 'Bearer';\n  /** Access token expiration time in seconds */\n  expires_in: number;\n  /** Whether this is a new user (only present in OAuth callback) */\n  is_new_user?: boolean;\n}\n\n/**\n * User information extracted from token payload.\n */\nexport interface User {\n  /** User ID (UUID) */\n  id: string;\n  /** User's email address */\n  email: string;\n  /** Whether the email has been verified */\n  emailVerified: boolean;\n}\n\n/**\n * Session information containing tokens and expiry.\n */\nexport interface Session {\n  /** The access token (JWT) */\n  accessToken: string;\n  /** The refresh token for obtaining new access tokens */\n  refreshToken: string;\n  /** When the access token expires */\n  expiresAt: Date;\n}\n\n/**\n * Combined authentication result with user and session data.\n */\nexport interface AuthResult {\n  /** The authenticated user */\n  user: User;\n  /** The session tokens */\n  session: Session;\n  /** Whether this is a new user (only set for OAuth flows) */\n  isNewUser?: boolean;\n}\n\n/**\n * Options for signup.\n */\nexport interface SignupOptions {\n  /** User's email address */\n  email: string;\n  /** Password meeting requirements */\n  password: string;\n  /** Optional redirect URI after email verification */\n  redirectUri?: string;\n}\n\n/**\n * Response from signup endpoint.\n */\nexport interface SignupResponse {\n  /** Whether the operation succeeded */\n  success: boolean;\n  /** Status message */\n  message: string;\n}\n\n/**\n * Options for login.\n */\nexport interface LoginOptions {\n  /** User's email address */\n  email: string;\n  /** User's password */\n  password: string;\n}\n\n/**\n * Options for email verification.\n */\nexport interface VerifyEmailOptions {\n  /** Verification token from email */\n  token: string;\n}\n\n/**\n * Options for resending verification email.\n */\nexport interface ResendVerificationOptions {\n  /** User's email address */\n  email: string;\n  /** Optional redirect URI after verification */\n  redirectUri?: string;\n}\n\n/**\n * Generic success response.\n */\nexport interface SuccessResponse {\n  /** Whether the operation succeeded */\n  success: boolean;\n  /** Optional status message */\n  message?: string;\n}\n\n/**\n * Options for forgot password request.\n */\nexport interface ForgotPasswordOptions {\n  /** User's email address */\n  email: string;\n  /** Optional redirect URI for password reset page */\n  redirectUri?: string;\n}\n\n/**\n * Options for password reset.\n */\nexport interface ResetPasswordOptions {\n  /** Reset token from email */\n  token: string;\n  /** New password */\n  password: string;\n}\n\n/**\n * Supported OAuth providers.\n */\nexport type OAuthProvider = 'google' | 'github';\n\n/**\n * Options for generating OAuth URL.\n */\nexport interface GetOAuthUrlOptions {\n  /** OAuth provider */\n  provider: OAuthProvider;\n  /** Redirect URI after OAuth completes */\n  redirectUri: string;\n}\n\n/**\n * Options for deleting a user (admin operation).\n */\nexport interface DeleteUserOptions {\n  /** The ID of the user to delete */\n  userId: string;\n}\n\n/**\n * Options for deleting the current user's own account.\n */\nexport interface DeleteMyAccountOptions {\n  /** The user's current access token */\n  accessToken: string;\n  /** The user's current password (for re-authentication) */\n  password: string;\n}\n\n/**\n * Error thrown by OvixaAuth operations.\n */\nexport class OvixaAuthError extends Error {\n  constructor(\n    message: string,\n    public readonly code: string,\n    public readonly statusCode?: number\n  ) {\n    super(message);\n    this.name = 'OvixaAuthError';\n  }\n}\n\ninterface InternalConfig {\n  authUrl: string;\n  realmId: string;\n  clientSecret?: string;\n  jwksCacheTtl: number;\n}\n\n/** Default JWKS cache TTL: 1 hour */\nconst DEFAULT_JWKS_CACHE_TTL = 60 * 60 * 1000;\n\n/**\n * Custom fetch function that adds cache headers for JWKS requests.\n * Used to implement client-side caching behavior.\n */\ntype JWKSFetcher = ReturnType<typeof createRemoteJWKSet>;\n\ninterface JWKSCache {\n  fetcher: JWKSFetcher;\n  createdAt: number;\n}\n\n/**\n * OvixaAuth client for authenticating with the Ovixa Auth service.\n *\n * @example\n * ```typescript\n * const auth = new OvixaAuth({\n *   authUrl: 'https://auth.ovixa.io',\n *   realmId: 'your-realm-id',\n *   clientSecret: 'your-client-secret', // Optional, for server-side use\n * });\n *\n * // Verify a token\n * const result = await auth.verifyToken(accessToken);\n * console.log(result.payload.email);\n *\n * // Refresh tokens\n * const tokens = await auth.refreshToken(refreshToken);\n * ```\n */\nexport class OvixaAuth {\n  private config: InternalConfig;\n  private jwksCache: JWKSCache | null = null;\n\n  constructor(config: AuthClientConfig) {\n    // Normalize authUrl by removing trailing slash\n    const authUrl = config.authUrl.replace(/\\/$/, '');\n\n    this.config = {\n      authUrl,\n      realmId: config.realmId,\n      clientSecret: config.clientSecret,\n      jwksCacheTtl: config.jwksCacheTtl ?? DEFAULT_JWKS_CACHE_TTL,\n    };\n  }\n\n  /** Get the configured auth URL */\n  get authUrl(): string {\n    return this.config.authUrl;\n  }\n\n  /** Get the configured realm ID */\n  get realmId(): string {\n    return this.config.realmId;\n  }\n\n  /**\n   * Get the JWKS URL for the auth service.\n   */\n  get jwksUrl(): string {\n    return `${this.config.authUrl}/.well-known/jwks.json`;\n  }\n\n  /**\n   * Get the JWKS fetcher, creating a new one if necessary.\n   * The fetcher is cached based on the configured TTL.\n   */\n  private getJwksFetcher(): JWKSFetcher {\n    const now = Date.now();\n\n    // Return cached fetcher if still valid\n    if (this.jwksCache && now - this.jwksCache.createdAt < this.config.jwksCacheTtl) {\n      return this.jwksCache.fetcher;\n    }\n\n    // Create new JWKS fetcher\n    const jwksUrl = new URL(this.jwksUrl);\n    const fetcher = createRemoteJWKSet(jwksUrl, {\n      // jose library has its own internal caching, but we add our own TTL layer\n      // to control when to refresh the JWKS set\n      cacheMaxAge: this.config.jwksCacheTtl,\n    });\n\n    this.jwksCache = {\n      fetcher,\n      createdAt: now,\n    };\n\n    return fetcher;\n  }\n\n  /**\n   * Verify an access token and return the decoded payload.\n   *\n   * This method fetches the public key from the JWKS endpoint (with caching)\n   * and verifies the token's signature and claims.\n   *\n   * @param token - The access token (JWT) to verify\n   * @returns The verified token payload and header\n   * @throws {OvixaAuthError} If verification fails\n   *\n   * @example\n   * ```typescript\n   * try {\n   *   const result = await auth.verifyToken(accessToken);\n   *   console.log('User ID:', result.payload.sub);\n   *   console.log('Email:', result.payload.email);\n   * } catch (error) {\n   *   if (error instanceof OvixaAuthError) {\n   *     console.error('Token verification failed:', error.code);\n   *   }\n   * }\n   * ```\n   */\n  async verifyToken(token: string): Promise<VerifyResult> {\n    try {\n      const jwks = this.getJwksFetcher();\n\n      const result: JWTVerifyResult<AccessTokenPayload> = await jwtVerify(token, jwks, {\n        algorithms: ['RS256'],\n        issuer: this.config.authUrl,\n        // Audience is the realm for this application\n        audience: this.config.realmId,\n      });\n\n      // Validate required claims\n      const payload = result.payload;\n      if (!payload.sub || !payload.email || payload.email_verified === undefined) {\n        throw new OvixaAuthError('Token is missing required claims', 'INVALID_CLAIMS');\n      }\n\n      return {\n        payload: payload as AccessTokenPayload,\n        protectedHeader: result.protectedHeader,\n      };\n    } catch (error) {\n      if (error instanceof OvixaAuthError) {\n        throw error;\n      }\n\n      // Handle jose library errors\n      if (error instanceof Error) {\n        const message = error.message;\n\n        if (message.includes('expired')) {\n          throw new OvixaAuthError('Token has expired', 'TOKEN_EXPIRED');\n        }\n        if (message.includes('signature')) {\n          throw new OvixaAuthError('Invalid token signature', 'INVALID_SIGNATURE');\n        }\n        if (message.includes('issuer')) {\n          throw new OvixaAuthError('Invalid token issuer', 'INVALID_ISSUER');\n        }\n        if (message.includes('audience')) {\n          throw new OvixaAuthError('Invalid token audience', 'INVALID_AUDIENCE');\n        }\n        if (message.includes('malformed')) {\n          throw new OvixaAuthError('Malformed token', 'MALFORMED_TOKEN');\n        }\n\n        throw new OvixaAuthError(`Token verification failed: ${message}`, 'VERIFICATION_FAILED');\n      }\n\n      throw new OvixaAuthError('Token verification failed', 'VERIFICATION_FAILED');\n    }\n  }\n\n  /**\n   * Refresh an access token using a refresh token.\n   *\n   * This method exchanges a valid refresh token for a new access token\n   * and a new refresh token (token rotation).\n   *\n   * @param refreshToken - The refresh token to exchange\n   * @returns New token response with access and refresh tokens\n   * @throws {OvixaAuthError} If the refresh fails\n   *\n   * @example\n   * ```typescript\n   * try {\n   *   const tokens = await auth.refreshToken(currentRefreshToken);\n   *   // Store the new tokens\n   *   saveTokens(tokens.access_token, tokens.refresh_token);\n   * } catch (error) {\n   *   if (error instanceof OvixaAuthError) {\n   *     // Refresh token is invalid or expired - user must re-authenticate\n   *     redirectToLogin();\n   *   }\n   * }\n   * ```\n   */\n  async refreshToken(refreshToken: string): Promise<TokenResponse> {\n    const url = `${this.config.authUrl}/token/refresh`;\n\n    try {\n      const response = await fetch(url, {\n        method: 'POST',\n        headers: {\n          'Content-Type': 'application/json',\n        },\n        body: JSON.stringify({\n          refresh_token: refreshToken,\n        }),\n      });\n\n      if (!response.ok) {\n        const errorBody = await response.json().catch(() => ({}));\n        const errorMessage = (errorBody as { error?: string }).error || 'Token refresh failed';\n        const errorCode = this.mapHttpStatusToErrorCode(response.status);\n\n        throw new OvixaAuthError(errorMessage, errorCode, response.status);\n      }\n\n      const data = (await response.json()) as TokenResponse;\n      return data;\n    } catch (error) {\n      if (error instanceof OvixaAuthError) {\n        throw error;\n      }\n\n      if (error instanceof Error) {\n        throw new OvixaAuthError(`Network error: ${error.message}`, 'NETWORK_ERROR');\n      }\n\n      throw new OvixaAuthError('Token refresh failed', 'REFRESH_FAILED');\n    }\n  }\n\n  /**\n   * Invalidate the cached JWKS fetcher.\n   * Call this if you need to force a refresh of the public keys.\n   */\n  clearJwksCache(): void {\n    this.jwksCache = null;\n  }\n\n  /**\n   * Create a new user account.\n   *\n   * After signup, a verification email is sent. The user must verify their\n   * email before they can log in.\n   *\n   * @param options - Signup options\n   * @returns Signup response indicating success\n   * @throws {OvixaAuthError} If signup fails\n   *\n   * @example\n   * ```typescript\n   * try {\n   *   await auth.signup({\n   *     email: 'user@example.com',\n   *     password: 'SecurePassword123!',\n   *     redirectUri: 'https://myapp.com/verify-callback',\n   *   });\n   *   console.log('Verification email sent!');\n   * } catch (error) {\n   *   if (error instanceof OvixaAuthError) {\n   *     if (error.code === 'EMAIL_ALREADY_EXISTS') {\n   *       console.error('Email is already registered');\n   *     }\n   *   }\n   * }\n   * ```\n   */\n  async signup(options: SignupOptions): Promise<SignupResponse> {\n    const url = `${this.config.authUrl}/signup`;\n\n    const body: Record<string, string> = {\n      email: options.email,\n      password: options.password,\n      realm_id: this.config.realmId,\n    };\n\n    if (options.redirectUri) {\n      body.redirect_uri = options.redirectUri;\n    }\n\n    return this.makeRequest<SignupResponse>(url, body);\n  }\n\n  /**\n   * Authenticate a user with email and password.\n   *\n   * @param options - Login options\n   * @returns Token response with access and refresh tokens\n   * @throws {OvixaAuthError} If login fails\n   *\n   * @example\n   * ```typescript\n   * try {\n   *   const tokens = await auth.login({\n   *     email: 'user@example.com',\n   *     password: 'SecurePassword123!',\n   *   });\n   *   console.log('Logged in!', tokens.access_token);\n   * } catch (error) {\n   *   if (error instanceof OvixaAuthError) {\n   *     if (error.code === 'EMAIL_NOT_VERIFIED') {\n   *       console.error('Please verify your email first');\n   *     } else if (error.code === 'INVALID_CREDENTIALS') {\n   *       console.error('Invalid email or password');\n   *     }\n   *   }\n   * }\n   * ```\n   */\n  async login(options: LoginOptions): Promise<TokenResponse> {\n    const url = `${this.config.authUrl}/login`;\n\n    const body = {\n      email: options.email,\n      password: options.password,\n      realm_id: this.config.realmId,\n    };\n\n    return this.makeRequest<TokenResponse>(url, body);\n  }\n\n  /**\n   * Verify an email address using a verification token.\n   *\n   * This is the API flow that returns tokens. For browser redirect flow,\n   * use `GET /verify` directly.\n   *\n   * @param options - Verification options\n   * @returns Token response with access and refresh tokens\n   * @throws {OvixaAuthError} If verification fails\n   *\n   * @example\n   * ```typescript\n   * // Get token from URL query params after clicking email link\n   * const token = new URLSearchParams(window.location.search).get('token');\n   *\n   * try {\n   *   const tokens = await auth.verifyEmail({ token });\n   *   console.log('Email verified! Logged in.');\n   * } catch (error) {\n   *   if (error instanceof OvixaAuthError && error.code === 'INVALID_TOKEN') {\n   *     console.error('Invalid or expired verification link');\n   *   }\n   * }\n   * ```\n   */\n  async verifyEmail(options: VerifyEmailOptions): Promise<TokenResponse> {\n    const url = `${this.config.authUrl}/verify`;\n\n    const body = {\n      token: options.token,\n      realm_id: this.config.realmId,\n      type: 'email_verification',\n    };\n\n    return this.makeRequest<TokenResponse>(url, body);\n  }\n\n  /**\n   * Resend a verification email for an unverified account.\n   *\n   * @param options - Resend options\n   * @returns Success response\n   * @throws {OvixaAuthError} If request fails\n   *\n   * @example\n   * ```typescript\n   * await auth.resendVerification({\n   *   email: 'user@example.com',\n   *   redirectUri: 'https://myapp.com/verify-callback',\n   * });\n   * console.log('Verification email sent!');\n   * ```\n   */\n  async resendVerification(options: ResendVerificationOptions): Promise<SuccessResponse> {\n    const url = `${this.config.authUrl}/verify/resend`;\n\n    const body: Record<string, string> = {\n      email: options.email,\n      realm_id: this.config.realmId,\n    };\n\n    if (options.redirectUri) {\n      body.redirect_uri = options.redirectUri;\n    }\n\n    return this.makeRequest<SuccessResponse>(url, body);\n  }\n\n  /**\n   * Request a password reset email.\n   *\n   * Note: This endpoint always returns success to prevent email enumeration.\n   *\n   * @param options - Forgot password options\n   * @returns Success response\n   * @throws {OvixaAuthError} If request fails\n   *\n   * @example\n   * ```typescript\n   * await auth.forgotPassword({\n   *   email: 'user@example.com',\n   *   redirectUri: 'https://myapp.com/reset-password',\n   * });\n   * console.log('If the email exists, a reset link has been sent.');\n   * ```\n   */\n  async forgotPassword(options: ForgotPasswordOptions): Promise<SuccessResponse> {\n    const url = `${this.config.authUrl}/forgot-password`;\n\n    const body: Record<string, string> = {\n      email: options.email,\n      realm_id: this.config.realmId,\n    };\n\n    if (options.redirectUri) {\n      body.redirect_uri = options.redirectUri;\n    }\n\n    return this.makeRequest<SuccessResponse>(url, body);\n  }\n\n  /**\n   * Reset password using a reset token.\n   *\n   * @param options - Reset password options\n   * @returns Success response\n   * @throws {OvixaAuthError} If reset fails\n   *\n   * @example\n   * ```typescript\n   * // Get token from URL query params\n   * const token = new URLSearchParams(window.location.search).get('token');\n   *\n   * try {\n   *   await auth.resetPassword({\n   *     token,\n   *     password: 'NewSecurePassword123!',\n   *   });\n   *   console.log('Password reset successfully!');\n   * } catch (error) {\n   *   if (error instanceof OvixaAuthError) {\n   *     if (error.code === 'INVALID_TOKEN') {\n   *       console.error('Invalid or expired reset link');\n   *     } else if (error.code === 'WEAK_PASSWORD') {\n   *       console.error('Password does not meet requirements');\n   *     }\n   *   }\n   * }\n   * ```\n   */\n  async resetPassword(options: ResetPasswordOptions): Promise<SuccessResponse> {\n    const url = `${this.config.authUrl}/reset-password`;\n\n    const body = {\n      token: options.token,\n      password: options.password,\n      realm_id: this.config.realmId,\n    };\n\n    return this.makeRequest<SuccessResponse>(url, body);\n  }\n\n  /**\n   * Revoke a refresh token (logout).\n   *\n   * @param refreshToken - The refresh token to revoke\n   * @returns Success response\n   * @throws {OvixaAuthError} If logout fails\n   *\n   * @example\n   * ```typescript\n   * await auth.logout(currentRefreshToken);\n   * // Clear local token storage\n   * localStorage.removeItem('refresh_token');\n   * localStorage.removeItem('access_token');\n   * ```\n   */\n  async logout(refreshToken: string): Promise<SuccessResponse> {\n    const url = `${this.config.authUrl}/logout`;\n\n    const body = {\n      refresh_token: refreshToken,\n    };\n\n    return this.makeRequest<SuccessResponse>(url, body);\n  }\n\n  /**\n   * Generate an OAuth authorization URL.\n   *\n   * Redirect the user to this URL to start the OAuth flow. After authentication,\n   * the user will be redirected back to your `redirectUri` with an authorization code.\n   * Use `exchangeOAuthCode()` to exchange the code for tokens.\n   *\n   * @param options - OAuth URL options\n   * @returns The full OAuth authorization URL\n   *\n   * @example\n   * ```typescript\n   * const googleAuthUrl = auth.getOAuthUrl({\n   *   provider: 'google',\n   *   redirectUri: 'https://myapp.com/auth/callback',\n   * });\n   *\n   * // Redirect user to start OAuth flow\n   * window.location.href = googleAuthUrl;\n   *\n   * // In your callback handler:\n   * // const code = new URLSearchParams(window.location.search).get('code');\n   * // const tokens = await auth.exchangeOAuthCode(code);\n   * ```\n   */\n  getOAuthUrl(options: GetOAuthUrlOptions): string {\n    const url = new URL(`${this.config.authUrl}/oauth/${options.provider}`);\n    url.searchParams.set('realm_id', this.config.realmId);\n    url.searchParams.set('redirect_uri', options.redirectUri);\n    return url.toString();\n  }\n\n  /**\n   * Exchange an OAuth authorization code for tokens.\n   *\n   * After the OAuth flow completes, the user is redirected back to your app with\n   * an authorization code in the URL query params. Use this method to exchange\n   * that code for access and refresh tokens.\n   *\n   * Note: Authorization codes expire after 60 seconds.\n   *\n   * @param code - The authorization code from the OAuth callback URL\n   * @returns Token response with access and refresh tokens\n   * @throws {OvixaAuthError} If the exchange fails\n   *\n   * @example\n   * ```typescript\n   * // In your OAuth callback handler\n   * const code = new URLSearchParams(window.location.search).get('code');\n   *\n   * if (code) {\n   *   try {\n   *     const tokens = await auth.exchangeOAuthCode(code);\n   *     console.log('OAuth successful!', tokens.access_token);\n   *\n   *     // Check if this is a new user (first-time OAuth login)\n   *     if (tokens.is_new_user) {\n   *       // Show onboarding flow\n   *     }\n   *   } catch (error) {\n   *     if (error instanceof OvixaAuthError) {\n   *       if (error.code === 'INVALID_CODE') {\n   *         console.error('Invalid or expired authorization code');\n   *       }\n   *     }\n   *   }\n   * }\n   * ```\n   */\n  async exchangeOAuthCode(code: string): Promise<TokenResponse> {\n    const url = `${this.config.authUrl}/oauth/token`;\n\n    const body = {\n      code,\n      realm_id: this.config.realmId,\n    };\n\n    return this.makeRequest<TokenResponse>(url, body);\n  }\n\n  /**\n   * Transform a token response into an AuthResult with user and session data.\n   *\n   * This method decodes the access token to extract user information and\n   * creates a structured result object.\n   *\n   * @param tokenResponse - The token response from login, verify, or refresh\n   * @returns AuthResult with user and session data\n   * @throws {OvixaAuthError} If the access token cannot be decoded\n   *\n   * @example\n   * ```typescript\n   * const tokens = await auth.login({ email, password });\n   * const result = await auth.toAuthResult(tokens);\n   *\n   * console.log('User ID:', result.user.id);\n   * console.log('Email:', result.user.email);\n   * console.log('Expires at:', result.session.expiresAt);\n   * ```\n   */\n  async toAuthResult(tokenResponse: TokenResponse): Promise<AuthResult> {\n    // Verify and decode the access token\n    const verified = await this.verifyToken(tokenResponse.access_token);\n\n    const user: User = {\n      id: verified.payload.sub,\n      email: verified.payload.email,\n      emailVerified: verified.payload.email_verified,\n    };\n\n    const session: Session = {\n      accessToken: tokenResponse.access_token,\n      refreshToken: tokenResponse.refresh_token,\n      expiresAt: new Date(Date.now() + tokenResponse.expires_in * 1000),\n    };\n\n    const result: AuthResult = { user, session };\n\n    if (tokenResponse.is_new_user !== undefined) {\n      result.isNewUser = tokenResponse.is_new_user;\n    }\n\n    return result;\n  }\n\n  /**\n   * Delete the current user's own account.\n   *\n   * This permanently deletes the user's account and all associated data.\n   * Password re-authentication is required to prevent accidental deletion.\n   *\n   * @param options - Delete account options\n   * @returns Success response\n   * @throws {OvixaAuthError} If deletion fails\n   *\n   * @example\n   * ```typescript\n   * try {\n   *   await auth.deleteMyAccount({\n   *     accessToken: session.accessToken,\n   *     password: 'current-password',\n   *   });\n   *   console.log('Account deleted successfully');\n   *   // Clear local session storage\n   * } catch (error) {\n   *   if (error instanceof OvixaAuthError) {\n   *     if (error.code === 'INVALID_CREDENTIALS') {\n   *       console.error('Incorrect password');\n   *     } else if (error.code === 'UNAUTHORIZED') {\n   *       console.error('Invalid or expired access token');\n   *     }\n   *   }\n   * }\n   * ```\n   */\n  async deleteMyAccount(options: DeleteMyAccountOptions): Promise<SuccessResponse> {\n    const url = `${this.config.authUrl}/me`;\n\n    try {\n      const response = await fetch(url, {\n        method: 'DELETE',\n        headers: {\n          'Content-Type': 'application/json',\n          Authorization: `Bearer ${options.accessToken}`,\n        },\n        body: JSON.stringify({\n          password: options.password,\n        }),\n      });\n\n      if (!response.ok) {\n        const errorBody = await response.json().catch(() => ({}));\n        const errorData = errorBody as { error?: { code?: string; message?: string } | string };\n\n        let errorCode: string;\n        let errorMessage: string;\n\n        if (typeof errorData.error === 'object' && errorData.error) {\n          errorCode = errorData.error.code || this.mapHttpStatusToErrorCode(response.status);\n          errorMessage = errorData.error.message || 'Request failed';\n        } else {\n          errorCode = this.mapHttpStatusToErrorCode(response.status);\n          errorMessage = typeof errorData.error === 'string' ? errorData.error : 'Request failed';\n        }\n\n        throw new OvixaAuthError(errorMessage, errorCode, response.status);\n      }\n\n      return (await response.json()) as SuccessResponse;\n    } catch (error) {\n      if (error instanceof OvixaAuthError) {\n        throw error;\n      }\n\n      if (error instanceof Error) {\n        throw new OvixaAuthError(`Network error: ${error.message}`, 'NETWORK_ERROR');\n      }\n\n      throw new OvixaAuthError('Request failed', 'REQUEST_FAILED');\n    }\n  }\n\n  /**\n   * Make an authenticated POST request to the auth service.\n   */\n  private async makeRequest<T>(url: string, body: Record<string, unknown>): Promise<T> {\n    try {\n      const response = await fetch(url, {\n        method: 'POST',\n        headers: {\n          'Content-Type': 'application/json',\n        },\n        body: JSON.stringify(body),\n      });\n\n      if (!response.ok) {\n        const errorBody = await response.json().catch(() => ({}));\n        const errorData = errorBody as { error?: { code?: string; message?: string } | string };\n\n        let errorCode: string;\n        let errorMessage: string;\n\n        if (typeof errorData.error === 'object' && errorData.error) {\n          errorCode = errorData.error.code || this.mapHttpStatusToErrorCode(response.status);\n          errorMessage = errorData.error.message || 'Request failed';\n        } else {\n          errorCode = this.mapHttpStatusToErrorCode(response.status);\n          errorMessage = typeof errorData.error === 'string' ? errorData.error : 'Request failed';\n        }\n\n        throw new OvixaAuthError(errorMessage, errorCode, response.status);\n      }\n\n      return (await response.json()) as T;\n    } catch (error) {\n      if (error instanceof OvixaAuthError) {\n        throw error;\n      }\n\n      if (error instanceof Error) {\n        throw new OvixaAuthError(`Network error: ${error.message}`, 'NETWORK_ERROR');\n      }\n\n      throw new OvixaAuthError('Request failed', 'REQUEST_FAILED');\n    }\n  }\n\n  /**\n   * Map HTTP status codes to error codes.\n   */\n  private mapHttpStatusToErrorCode(status: number): string {\n    switch (status) {\n      case 400:\n        return 'BAD_REQUEST';\n      case 401:\n        return 'UNAUTHORIZED';\n      case 403:\n        return 'FORBIDDEN';\n      case 404:\n        return 'NOT_FOUND';\n      case 429:\n        return 'RATE_LIMITED';\n      case 500:\n      case 502:\n      case 503:\n        return 'SERVER_ERROR';\n      default:\n        return 'UNKNOWN_ERROR';\n    }\n  }\n\n  /**\n   * Get the admin API interface for realm-scoped operations.\n   *\n   * Admin operations require clientSecret to be configured.\n   * These operations allow managing users within the realm boundary.\n   *\n   * @returns OvixaAuthAdmin interface for admin operations\n   * @throws {OvixaAuthError} If clientSecret is not configured\n   *\n   * @example\n   * ```typescript\n   * const auth = new OvixaAuth({\n   *   authUrl: 'https://auth.ovixa.io',\n   *   realmId: 'your-realm',\n   *   clientSecret: process.env.OVIXA_CLIENT_SECRET,\n   * });\n   *\n   * // Delete a user from the realm\n   * await auth.admin.deleteUser({ userId: 'user-id-to-delete' });\n   * ```\n   */\n  get admin(): OvixaAuthAdmin {\n    if (!this.config.clientSecret) {\n      throw new OvixaAuthError(\n        'clientSecret is required for admin operations',\n        'CLIENT_SECRET_REQUIRED'\n      );\n    }\n    return new OvixaAuthAdmin(this.config);\n  }\n}\n\n/**\n * Admin API interface for realm-scoped operations.\n *\n * This class provides methods for managing users within the realm boundary.\n * All operations are authenticated using the realm's client_secret.\n *\n * @example\n * ```typescript\n * // Access via OvixaAuth.admin\n * await auth.admin.deleteUser({ userId: 'user-id' });\n * ```\n */\nclass OvixaAuthAdmin {\n  private config: InternalConfig;\n\n  constructor(config: InternalConfig) {\n    this.config = config;\n  }\n\n  /**\n   * Delete a user from the realm.\n   *\n   * This permanently deletes the user and all associated data (tokens, OAuth accounts).\n   * The user must belong to this realm.\n   *\n   * @param options - Delete user options\n   * @returns Success response\n   * @throws {OvixaAuthError} If deletion fails\n   *\n   * @example\n   * ```typescript\n   * try {\n   *   await auth.admin.deleteUser({ userId: 'user-id-to-delete' });\n   *   console.log('User deleted successfully');\n   * } catch (error) {\n   *   if (error instanceof OvixaAuthError) {\n   *     if (error.code === 'NOT_FOUND') {\n   *       console.error('User not found');\n   *     } else if (error.code === 'FORBIDDEN') {\n   *       console.error('User does not belong to this realm');\n   *     }\n   *   }\n   * }\n   * ```\n   */\n  async deleteUser(options: DeleteUserOptions): Promise<SuccessResponse> {\n    const url = `${this.config.authUrl}/realms/${this.config.realmId}/users/${options.userId}`;\n\n    try {\n      const response = await fetch(url, {\n        method: 'DELETE',\n        headers: {\n          Authorization: `RealmSecret ${this.config.clientSecret}`,\n        },\n      });\n\n      if (!response.ok) {\n        const errorBody = await response.json().catch(() => ({}));\n        const errorData = errorBody as { error?: { code?: string; message?: string } | string };\n\n        let errorCode: string;\n        let errorMessage: string;\n\n        if (typeof errorData.error === 'object' && errorData.error) {\n          errorCode = errorData.error.code || this.mapHttpStatusToErrorCode(response.status);\n          errorMessage = errorData.error.message || 'Request failed';\n        } else {\n          errorCode = this.mapHttpStatusToErrorCode(response.status);\n          errorMessage = typeof errorData.error === 'string' ? errorData.error : 'Request failed';\n        }\n\n        throw new OvixaAuthError(errorMessage, errorCode, response.status);\n      }\n\n      return (await response.json()) as SuccessResponse;\n    } catch (error) {\n      if (error instanceof OvixaAuthError) {\n        throw error;\n      }\n\n      if (error instanceof Error) {\n        throw new OvixaAuthError(`Network error: ${error.message}`, 'NETWORK_ERROR');\n      }\n\n      throw new OvixaAuthError('Request failed', 'REQUEST_FAILED');\n    }\n  }\n\n  /**\n   * Map HTTP status codes to error codes.\n   */\n  private mapHttpStatusToErrorCode(status: number): string {\n    switch (status) {\n      case 400:\n        return 'BAD_REQUEST';\n      case 401:\n        return 'UNAUTHORIZED';\n      case 403:\n        return 'FORBIDDEN';\n      case 404:\n        return 'NOT_FOUND';\n      case 429:\n        return 'RATE_LIMITED';\n      case 500:\n      case 502:\n      case 503:\n        return 'SERVER_ERROR';\n      default:\n        return 'UNKNOWN_ERROR';\n    }\n  }\n}\n"],"mappings":";AAOA;AAAA,EACE;AAAA,EACA;AAAA,OAIK;AAsNA,IAAM,iBAAN,cAA6B,MAAM;AAAA,EACxC,YACE,SACgB,MACA,YAChB;AACA,UAAM,OAAO;AAHG;AACA;AAGhB,SAAK,OAAO;AAAA,EACd;AACF;AAUA,IAAM,yBAAyB,KAAK,KAAK;AAgClC,IAAM,YAAN,MAAgB;AAAA,EACb;AAAA,EACA,YAA8B;AAAA,EAEtC,YAAY,QAA0B;AAEpC,UAAM,UAAU,OAAO,QAAQ,QAAQ,OAAO,EAAE;AAEhD,SAAK,SAAS;AAAA,MACZ;AAAA,MACA,SAAS,OAAO;AAAA,MAChB,cAAc,OAAO;AAAA,MACrB,cAAc,OAAO,gBAAgB;AAAA,IACvC;AAAA,EACF;AAAA;AAAA,EAGA,IAAI,UAAkB;AACpB,WAAO,KAAK,OAAO;AAAA,EACrB;AAAA;AAAA,EAGA,IAAI,UAAkB;AACpB,WAAO,KAAK,OAAO;AAAA,EACrB;AAAA;AAAA;AAAA;AAAA,EAKA,IAAI,UAAkB;AACpB,WAAO,GAAG,KAAK,OAAO,OAAO;AAAA,EAC/B;AAAA;AAAA;AAAA;AAAA;AAAA,EAMQ,iBAA8B;AACpC,UAAM,MAAM,KAAK,IAAI;AAGrB,QAAI,KAAK,aAAa,MAAM,KAAK,UAAU,YAAY,KAAK,OAAO,cAAc;AAC/E,aAAO,KAAK,UAAU;AAAA,IACxB;AAGA,UAAM,UAAU,IAAI,IAAI,KAAK,OAAO;AACpC,UAAM,UAAU,mBAAmB,SAAS;AAAA;AAAA;AAAA,MAG1C,aAAa,KAAK,OAAO;AAAA,IAC3B,CAAC;AAED,SAAK,YAAY;AAAA,MACf;AAAA,MACA,WAAW;AAAA,IACb;AAEA,WAAO;AAAA,EACT;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAyBA,MAAM,YAAY,OAAsC;AACtD,QAAI;AACF,YAAM,OAAO,KAAK,eAAe;AAEjC,YAAM,SAA8C,MAAM,UAAU,OAAO,MAAM;AAAA,QAC/E,YAAY,CAAC,OAAO;AAAA,QACpB,QAAQ,KAAK,OAAO;AAAA;AAAA,QAEpB,UAAU,KAAK,OAAO;AAAA,MACxB,CAAC;AAGD,YAAM,UAAU,OAAO;AACvB,UAAI,CAAC,QAAQ,OAAO,CAAC,QAAQ,SAAS,QAAQ,mBAAmB,QAAW;AAC1E,cAAM,IAAI,eAAe,oCAAoC,gBAAgB;AAAA,MAC/E;AAEA,aAAO;AAAA,QACL;AAAA,QACA,iBAAiB,OAAO;AAAA,MAC1B;AAAA,IACF,SAAS,OAAO;AACd,UAAI,iBAAiB,gBAAgB;AACnC,cAAM;AAAA,MACR;AAGA,UAAI,iBAAiB,OAAO;AAC1B,cAAM,UAAU,MAAM;AAEtB,YAAI,QAAQ,SAAS,SAAS,GAAG;AAC/B,gBAAM,IAAI,eAAe,qBAAqB,eAAe;AAAA,QAC/D;AACA,YAAI,QAAQ,SAAS,WAAW,GAAG;AACjC,gBAAM,IAAI,eAAe,2BAA2B,mBAAmB;AAAA,QACzE;AACA,YAAI,QAAQ,SAAS,QAAQ,GAAG;AAC9B,gBAAM,IAAI,eAAe,wBAAwB,gBAAgB;AAAA,QACnE;AACA,YAAI,QAAQ,SAAS,UAAU,GAAG;AAChC,gBAAM,IAAI,eAAe,0BAA0B,kBAAkB;AAAA,QACvE;AACA,YAAI,QAAQ,SAAS,WAAW,GAAG;AACjC,gBAAM,IAAI,eAAe,mBAAmB,iBAAiB;AAAA,QAC/D;AAEA,cAAM,IAAI,eAAe,8BAA8B,OAAO,IAAI,qBAAqB;AAAA,MACzF;AAEA,YAAM,IAAI,eAAe,6BAA6B,qBAAqB;AAAA,IAC7E;AAAA,EACF;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EA0BA,MAAM,aAAa,cAA8C;AAC/D,UAAM,MAAM,GAAG,KAAK,OAAO,OAAO;AAElC,QAAI;AACF,YAAM,WAAW,MAAM,MAAM,KAAK;AAAA,QAChC,QAAQ;AAAA,QACR,SAAS;AAAA,UACP,gBAAgB;AAAA,QAClB;AAAA,QACA,MAAM,KAAK,UAAU;AAAA,UACnB,eAAe;AAAA,QACjB,CAAC;AAAA,MACH,CAAC;AAED,UAAI,CAAC,SAAS,IAAI;AAChB,cAAM,YAAY,MAAM,SAAS,KAAK,EAAE,MAAM,OAAO,CAAC,EAAE;AACxD,cAAM,eAAgB,UAAiC,SAAS;AAChE,cAAM,YAAY,KAAK,yBAAyB,SAAS,MAAM;AAE/D,cAAM,IAAI,eAAe,cAAc,WAAW,SAAS,MAAM;AAAA,MACnE;AAEA,YAAM,OAAQ,MAAM,SAAS,KAAK;AAClC,aAAO;AAAA,IACT,SAAS,OAAO;AACd,UAAI,iBAAiB,gBAAgB;AACnC,cAAM;AAAA,MACR;AAEA,UAAI,iBAAiB,OAAO;AAC1B,cAAM,IAAI,eAAe,kBAAkB,MAAM,OAAO,IAAI,eAAe;AAAA,MAC7E;AAEA,YAAM,IAAI,eAAe,wBAAwB,gBAAgB;AAAA,IACnE;AAAA,EACF;AAAA;AAAA;AAAA;AAAA;AAAA,EAMA,iBAAuB;AACrB,SAAK,YAAY;AAAA,EACnB;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EA8BA,MAAM,OAAO,SAAiD;AAC5D,UAAM,MAAM,GAAG,KAAK,OAAO,OAAO;AAElC,UAAM,OAA+B;AAAA,MACnC,OAAO,QAAQ;AAAA,MACf,UAAU,QAAQ;AAAA,MAClB,UAAU,KAAK,OAAO;AAAA,IACxB;AAEA,QAAI,QAAQ,aAAa;AACvB,WAAK,eAAe,QAAQ;AAAA,IAC9B;AAEA,WAAO,KAAK,YAA4B,KAAK,IAAI;AAAA,EACnD;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EA4BA,MAAM,MAAM,SAA+C;AACzD,UAAM,MAAM,GAAG,KAAK,OAAO,OAAO;AAElC,UAAM,OAAO;AAAA,MACX,OAAO,QAAQ;AAAA,MACf,UAAU,QAAQ;AAAA,MAClB,UAAU,KAAK,OAAO;AAAA,IACxB;AAEA,WAAO,KAAK,YAA2B,KAAK,IAAI;AAAA,EAClD;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EA2BA,MAAM,YAAY,SAAqD;AACrE,UAAM,MAAM,GAAG,KAAK,OAAO,OAAO;AAElC,UAAM,OAAO;AAAA,MACX,OAAO,QAAQ;AAAA,MACf,UAAU,KAAK,OAAO;AAAA,MACtB,MAAM;AAAA,IACR;AAEA,WAAO,KAAK,YAA2B,KAAK,IAAI;AAAA,EAClD;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAkBA,MAAM,mBAAmB,SAA8D;AACrF,UAAM,MAAM,GAAG,KAAK,OAAO,OAAO;AAElC,UAAM,OAA+B;AAAA,MACnC,OAAO,QAAQ;AAAA,MACf,UAAU,KAAK,OAAO;AAAA,IACxB;AAEA,QAAI,QAAQ,aAAa;AACvB,WAAK,eAAe,QAAQ;AAAA,IAC9B;AAEA,WAAO,KAAK,YAA6B,KAAK,IAAI;AAAA,EACpD;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAoBA,MAAM,eAAe,SAA0D;AAC7E,UAAM,MAAM,GAAG,KAAK,OAAO,OAAO;AAElC,UAAM,OAA+B;AAAA,MACnC,OAAO,QAAQ;AAAA,MACf,UAAU,KAAK,OAAO;AAAA,IACxB;AAEA,QAAI,QAAQ,aAAa;AACvB,WAAK,eAAe,QAAQ;AAAA,IAC9B;AAEA,WAAO,KAAK,YAA6B,KAAK,IAAI;AAAA,EACpD;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EA+BA,MAAM,cAAc,SAAyD;AAC3E,UAAM,MAAM,GAAG,KAAK,OAAO,OAAO;AAElC,UAAM,OAAO;AAAA,MACX,OAAO,QAAQ;AAAA,MACf,UAAU,QAAQ;AAAA,MAClB,UAAU,KAAK,OAAO;AAAA,IACxB;AAEA,WAAO,KAAK,YAA6B,KAAK,IAAI;AAAA,EACpD;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAiBA,MAAM,OAAO,cAAgD;AAC3D,UAAM,MAAM,GAAG,KAAK,OAAO,OAAO;AAElC,UAAM,OAAO;AAAA,MACX,eAAe;AAAA,IACjB;AAEA,WAAO,KAAK,YAA6B,KAAK,IAAI;AAAA,EACpD;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EA2BA,YAAY,SAAqC;AAC/C,UAAM,MAAM,IAAI,IAAI,GAAG,KAAK,OAAO,OAAO,UAAU,QAAQ,QAAQ,EAAE;AACtE,QAAI,aAAa,IAAI,YAAY,KAAK,OAAO,OAAO;AACpD,QAAI,aAAa,IAAI,gBAAgB,QAAQ,WAAW;AACxD,WAAO,IAAI,SAAS;AAAA,EACtB;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAuCA,MAAM,kBAAkB,MAAsC;AAC5D,UAAM,MAAM,GAAG,KAAK,OAAO,OAAO;AAElC,UAAM,OAAO;AAAA,MACX;AAAA,MACA,UAAU,KAAK,OAAO;AAAA,IACxB;AAEA,WAAO,KAAK,YAA2B,KAAK,IAAI;AAAA,EAClD;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAsBA,MAAM,aAAa,eAAmD;AAEpE,UAAM,WAAW,MAAM,KAAK,YAAY,cAAc,YAAY;AAElE,UAAM,OAAa;AAAA,MACjB,IAAI,SAAS,QAAQ;AAAA,MACrB,OAAO,SAAS,QAAQ;AAAA,MACxB,eAAe,SAAS,QAAQ;AAAA,IAClC;AAEA,UAAM,UAAmB;AAAA,MACvB,aAAa,cAAc;AAAA,MAC3B,cAAc,cAAc;AAAA,MAC5B,WAAW,IAAI,KAAK,KAAK,IAAI,IAAI,cAAc,aAAa,GAAI;AAAA,IAClE;AAEA,UAAM,SAAqB,EAAE,MAAM,QAAQ;AAE3C,QAAI,cAAc,gBAAgB,QAAW;AAC3C,aAAO,YAAY,cAAc;AAAA,IACnC;AAEA,WAAO;AAAA,EACT;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAgCA,MAAM,gBAAgB,SAA2D;AAC/E,UAAM,MAAM,GAAG,KAAK,OAAO,OAAO;AAElC,QAAI;AACF,YAAM,WAAW,MAAM,MAAM,KAAK;AAAA,QAChC,QAAQ;AAAA,QACR,SAAS;AAAA,UACP,gBAAgB;AAAA,UAChB,eAAe,UAAU,QAAQ,WAAW;AAAA,QAC9C;AAAA,QACA,MAAM,KAAK,UAAU;AAAA,UACnB,UAAU,QAAQ;AAAA,QACpB,CAAC;AAAA,MACH,CAAC;AAED,UAAI,CAAC,SAAS,IAAI;AAChB,cAAM,YAAY,MAAM,SAAS,KAAK,EAAE,MAAM,OAAO,CAAC,EAAE;AACxD,cAAM,YAAY;AAElB,YAAI;AACJ,YAAI;AAEJ,YAAI,OAAO,UAAU,UAAU,YAAY,UAAU,OAAO;AAC1D,sBAAY,UAAU,MAAM,QAAQ,KAAK,yBAAyB,SAAS,MAAM;AACjF,yBAAe,UAAU,MAAM,WAAW;AAAA,QAC5C,OAAO;AACL,sBAAY,KAAK,yBAAyB,SAAS,MAAM;AACzD,yBAAe,OAAO,UAAU,UAAU,WAAW,UAAU,QAAQ;AAAA,QACzE;AAEA,cAAM,IAAI,eAAe,cAAc,WAAW,SAAS,MAAM;AAAA,MACnE;AAEA,aAAQ,MAAM,SAAS,KAAK;AAAA,IAC9B,SAAS,OAAO;AACd,UAAI,iBAAiB,gBAAgB;AACnC,cAAM;AAAA,MACR;AAEA,UAAI,iBAAiB,OAAO;AAC1B,cAAM,IAAI,eAAe,kBAAkB,MAAM,OAAO,IAAI,eAAe;AAAA,MAC7E;AAEA,YAAM,IAAI,eAAe,kBAAkB,gBAAgB;AAAA,IAC7D;AAAA,EACF;AAAA;AAAA;AAAA;AAAA,EAKA,MAAc,YAAe,KAAa,MAA2C;AACnF,QAAI;AACF,YAAM,WAAW,MAAM,MAAM,KAAK;AAAA,QAChC,QAAQ;AAAA,QACR,SAAS;AAAA,UACP,gBAAgB;AAAA,QAClB;AAAA,QACA,MAAM,KAAK,UAAU,IAAI;AAAA,MAC3B,CAAC;AAED,UAAI,CAAC,SAAS,IAAI;AAChB,cAAM,YAAY,MAAM,SAAS,KAAK,EAAE,MAAM,OAAO,CAAC,EAAE;AACxD,cAAM,YAAY;AAElB,YAAI;AACJ,YAAI;AAEJ,YAAI,OAAO,UAAU,UAAU,YAAY,UAAU,OAAO;AAC1D,sBAAY,UAAU,MAAM,QAAQ,KAAK,yBAAyB,SAAS,MAAM;AACjF,yBAAe,UAAU,MAAM,WAAW;AAAA,QAC5C,OAAO;AACL,sBAAY,KAAK,yBAAyB,SAAS,MAAM;AACzD,yBAAe,OAAO,UAAU,UAAU,WAAW,UAAU,QAAQ;AAAA,QACzE;AAEA,cAAM,IAAI,eAAe,cAAc,WAAW,SAAS,MAAM;AAAA,MACnE;AAEA,aAAQ,MAAM,SAAS,KAAK;AAAA,IAC9B,SAAS,OAAO;AACd,UAAI,iBAAiB,gBAAgB;AACnC,cAAM;AAAA,MACR;AAEA,UAAI,iBAAiB,OAAO;AAC1B,cAAM,IAAI,eAAe,kBAAkB,MAAM,OAAO,IAAI,eAAe;AAAA,MAC7E;AAEA,YAAM,IAAI,eAAe,kBAAkB,gBAAgB;AAAA,IAC7D;AAAA,EACF;AAAA;AAAA;AAAA;AAAA,EAKQ,yBAAyB,QAAwB;AACvD,YAAQ,QAAQ;AAAA,MACd,KAAK;AACH,eAAO;AAAA,MACT,KAAK;AACH,eAAO;AAAA,MACT,KAAK;AACH,eAAO;AAAA,MACT,KAAK;AACH,eAAO;AAAA,MACT,KAAK;AACH,eAAO;AAAA,MACT,KAAK;AAAA,MACL,KAAK;AAAA,MACL,KAAK;AACH,eAAO;AAAA,MACT;AACE,eAAO;AAAA,IACX;AAAA,EACF;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAuBA,IAAI,QAAwB;AAC1B,QAAI,CAAC,KAAK,OAAO,cAAc;AAC7B,YAAM,IAAI;AAAA,QACR;AAAA,QACA;AAAA,MACF;AAAA,IACF;AACA,WAAO,IAAI,eAAe,KAAK,MAAM;AAAA,EACvC;AACF;AAcA,IAAM,iBAAN,MAAqB;AAAA,EACX;AAAA,EAER,YAAY,QAAwB;AAClC,SAAK,SAAS;AAAA,EAChB;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EA4BA,MAAM,WAAW,SAAsD;AACrE,UAAM,MAAM,GAAG,KAAK,OAAO,OAAO,WAAW,KAAK,OAAO,OAAO,UAAU,QAAQ,MAAM;AAExF,QAAI;AACF,YAAM,WAAW,MAAM,MAAM,KAAK;AAAA,QAChC,QAAQ;AAAA,QACR,SAAS;AAAA,UACP,eAAe,eAAe,KAAK,OAAO,YAAY;AAAA,QACxD;AAAA,MACF,CAAC;AAED,UAAI,CAAC,SAAS,IAAI;AAChB,cAAM,YAAY,MAAM,SAAS,KAAK,EAAE,MAAM,OAAO,CAAC,EAAE;AACxD,cAAM,YAAY;AAElB,YAAI;AACJ,YAAI;AAEJ,YAAI,OAAO,UAAU,UAAU,YAAY,UAAU,OAAO;AAC1D,sBAAY,UAAU,MAAM,QAAQ,KAAK,yBAAyB,SAAS,MAAM;AACjF,yBAAe,UAAU,MAAM,WAAW;AAAA,QAC5C,OAAO;AACL,sBAAY,KAAK,yBAAyB,SAAS,MAAM;AACzD,yBAAe,OAAO,UAAU,UAAU,WAAW,UAAU,QAAQ;AAAA,QACzE;AAEA,cAAM,IAAI,eAAe,cAAc,WAAW,SAAS,MAAM;AAAA,MACnE;AAEA,aAAQ,MAAM,SAAS,KAAK;AAAA,IAC9B,SAAS,OAAO;AACd,UAAI,iBAAiB,gBAAgB;AACnC,cAAM;AAAA,MACR;AAEA,UAAI,iBAAiB,OAAO;AAC1B,cAAM,IAAI,eAAe,kBAAkB,MAAM,OAAO,IAAI,eAAe;AAAA,MAC7E;AAEA,YAAM,IAAI,eAAe,kBAAkB,gBAAgB;AAAA,IAC7D;AAAA,EACF;AAAA;AAAA;AAAA;AAAA,EAKQ,yBAAyB,QAAwB;AACvD,YAAQ,QAAQ;AAAA,MACd,KAAK;AACH,eAAO;AAAA,MACT,KAAK;AACH,eAAO;AAAA,MACT,KAAK;AACH,eAAO;AAAA,MACT,KAAK;AACH,eAAO;AAAA,MACT,KAAK;AACH,eAAO;AAAA,MACT,KAAK;AAAA,MACL,KAAK;AAAA,MACL,KAAK;AACH,eAAO;AAAA,MACT;AACE,eAAO;AAAA,IACX;AAAA,EACF;AACF;","names":[]}

package/dist/{chunk-MU444WPK.js → chunk-DIZJA4PY.js}

@@ -1,6 +1,6 @@
 import {
   OvixaAuthError
-} from "./chunk-IIOWUPWH.js";
+} from "./chunk-CUACHOKT.js";
 
 // src/middleware/types.ts
 var DEFAULT_COOKIE_OPTIONS = {
@@ -140,4 +140,4 @@ export {
   setAuthCookies,
   clearAuthCookies
 };
-//# sourceMappingURL=chunk-MU444WPK.js.map
+//# sourceMappingURL=chunk-DIZJA4PY.js.map

package/dist/index.d.ts

@@ -469,7 +469,8 @@ declare class OvixaAuth {
      * Generate an OAuth authorization URL.
      *
      * Redirect the user to this URL to start the OAuth flow. After authentication,
-     * the user will be redirected back to your `redirectUri` with tokens.
+     * the user will be redirected back to your `redirectUri` with an authorization code.
+     * Use `exchangeOAuthCode()` to exchange the code for tokens.
      *
      * @param options - OAuth URL options
      * @returns The full OAuth authorization URL
@@ -483,9 +484,51 @@ declare class OvixaAuth {
      *
      * // Redirect user to start OAuth flow
      * window.location.href = googleAuthUrl;
+     *
+     * // In your callback handler:
+     * // const code = new URLSearchParams(window.location.search).get('code');
+     * // const tokens = await auth.exchangeOAuthCode(code);
      * ```
      */
     getOAuthUrl(options: GetOAuthUrlOptions): string;
+    /**
+     * Exchange an OAuth authorization code for tokens.
+     *
+     * After the OAuth flow completes, the user is redirected back to your app with
+     * an authorization code in the URL query params. Use this method to exchange
+     * that code for access and refresh tokens.
+     *
+     * Note: Authorization codes expire after 60 seconds.
+     *
+     * @param code - The authorization code from the OAuth callback URL
+     * @returns Token response with access and refresh tokens
+     * @throws {OvixaAuthError} If the exchange fails
+     *
+     * @example
+     * ```typescript
+     * // In your OAuth callback handler
+     * const code = new URLSearchParams(window.location.search).get('code');
+     *
+     * if (code) {
+     *   try {
+     *     const tokens = await auth.exchangeOAuthCode(code);
+     *     console.log('OAuth successful!', tokens.access_token);
+     *
+     *     // Check if this is a new user (first-time OAuth login)
+     *     if (tokens.is_new_user) {
+     *       // Show onboarding flow
+     *     }
+     *   } catch (error) {
+     *     if (error instanceof OvixaAuthError) {
+     *       if (error.code === 'INVALID_CODE') {
+     *         console.error('Invalid or expired authorization code');
+     *       }
+     *     }
+     *   }
+     * }
+     * ```
+     */
+    exchangeOAuthCode(code: string): Promise<TokenResponse>;
     /**
      * Transform a token response into an AuthResult with user and session data.
      *

package/dist/index.js

@@ -1,7 +1,7 @@
 import {
   OvixaAuth,
   OvixaAuthError
-} from "./chunk-IIOWUPWH.js";
+} from "./chunk-CUACHOKT.js";
 export {
   OvixaAuth,
   OvixaAuthError

package/dist/middleware/astro.js

@@ -3,8 +3,8 @@ import {
   clearAuthCookies,
   isPublicRoute,
   setAuthCookies
-} from "../chunk-MU444WPK.js";
-import "../chunk-IIOWUPWH.js";
+} from "../chunk-DIZJA4PY.js";
+import "../chunk-CUACHOKT.js";
 
 // src/middleware/astro.ts
 var AstroCookieAdapter = class {

package/dist/middleware/express.js

@@ -3,8 +3,8 @@ import {
   clearAuthCookies,
   isPublicRoute,
   setAuthCookies
-} from "../chunk-MU444WPK.js";
-import "../chunk-IIOWUPWH.js";
+} from "../chunk-DIZJA4PY.js";
+import "../chunk-CUACHOKT.js";
 
 // src/middleware/express.ts
 var ExpressCookieAdapter = class {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@ovixa/auth-client",
-  "version": "0.1.2",
+  "version": "0.1.3",
   "description": "Client SDK for Ovixa Auth service",
   "type": "module",
   "main": "./dist/index.js",

package/dist/chunk-IIOWUPWH.js.map

@@ -1 +0,0 @@
-{"version":3,"sources":["../src/index.ts"],"sourcesContent":["/**\n * @ovixa/auth-client\n *\n * Client SDK for Ovixa Auth service.\n * Provides authentication, token verification, and session management.\n */\n\nimport {\n  createRemoteJWKSet,\n  jwtVerify,\n  type JWTPayload,\n  type JWTVerifyResult,\n  type JWTHeaderParameters,\n} from 'jose';\n\n/**\n * Configuration options for the OvixaAuth client.\n */\nexport interface AuthClientConfig {\n  /** The base URL of the Ovixa Auth service */\n  authUrl: string;\n  /** The realm ID to authenticate against */\n  realmId: string;\n  /** Your application's client secret (for server-side use only) */\n  clientSecret?: string;\n  /** Cache duration for JWKS in milliseconds (defaults to 1 hour) */\n  jwksCacheTtl?: number;\n}\n\n/**\n * JWT claims for an Ovixa access token.\n */\nexport interface AccessTokenPayload extends JWTPayload {\n  /** Subject (user ID) */\n  sub: string;\n  /** User's email address */\n  email: string;\n  /** Whether the user's email has been verified */\n  email_verified: boolean;\n  /** Issued at timestamp */\n  iat: number;\n  /** Expiration timestamp */\n  exp: number;\n  /** Issuer */\n  iss: string;\n  /** Audience (realm ID) */\n  aud: string;\n}\n\n/**\n * Result of a successful token verification.\n */\nexport interface VerifyResult {\n  /** The decoded token payload */\n  payload: AccessTokenPayload;\n  /** The protected header */\n  protectedHeader: JWTHeaderParameters;\n}\n\n/**\n * Token response from the auth service.\n */\nexport interface TokenResponse {\n  /** The access token (JWT) */\n  access_token: string;\n  /** The refresh token (JWT) */\n  refresh_token: string;\n  /** Token type (always \"Bearer\") */\n  token_type: 'Bearer';\n  /** Access token expiration time in seconds */\n  expires_in: number;\n  /** Whether this is a new user (only present in OAuth callback) */\n  is_new_user?: boolean;\n}\n\n/**\n * User information extracted from token payload.\n */\nexport interface User {\n  /** User ID (UUID) */\n  id: string;\n  /** User's email address */\n  email: string;\n  /** Whether the email has been verified */\n  emailVerified: boolean;\n}\n\n/**\n * Session information containing tokens and expiry.\n */\nexport interface Session {\n  /** The access token (JWT) */\n  accessToken: string;\n  /** The refresh token for obtaining new access tokens */\n  refreshToken: string;\n  /** When the access token expires */\n  expiresAt: Date;\n}\n\n/**\n * Combined authentication result with user and session data.\n */\nexport interface AuthResult {\n  /** The authenticated user */\n  user: User;\n  /** The session tokens */\n  session: Session;\n  /** Whether this is a new user (only set for OAuth flows) */\n  isNewUser?: boolean;\n}\n\n/**\n * Options for signup.\n */\nexport interface SignupOptions {\n  /** User's email address */\n  email: string;\n  /** Password meeting requirements */\n  password: string;\n  /** Optional redirect URI after email verification */\n  redirectUri?: string;\n}\n\n/**\n * Response from signup endpoint.\n */\nexport interface SignupResponse {\n  /** Whether the operation succeeded */\n  success: boolean;\n  /** Status message */\n  message: string;\n}\n\n/**\n * Options for login.\n */\nexport interface LoginOptions {\n  /** User's email address */\n  email: string;\n  /** User's password */\n  password: string;\n}\n\n/**\n * Options for email verification.\n */\nexport interface VerifyEmailOptions {\n  /** Verification token from email */\n  token: string;\n}\n\n/**\n * Options for resending verification email.\n */\nexport interface ResendVerificationOptions {\n  /** User's email address */\n  email: string;\n  /** Optional redirect URI after verification */\n  redirectUri?: string;\n}\n\n/**\n * Generic success response.\n */\nexport interface SuccessResponse {\n  /** Whether the operation succeeded */\n  success: boolean;\n  /** Optional status message */\n  message?: string;\n}\n\n/**\n * Options for forgot password request.\n */\nexport interface ForgotPasswordOptions {\n  /** User's email address */\n  email: string;\n  /** Optional redirect URI for password reset page */\n  redirectUri?: string;\n}\n\n/**\n * Options for password reset.\n */\nexport interface ResetPasswordOptions {\n  /** Reset token from email */\n  token: string;\n  /** New password */\n  password: string;\n}\n\n/**\n * Supported OAuth providers.\n */\nexport type OAuthProvider = 'google' | 'github';\n\n/**\n * Options for generating OAuth URL.\n */\nexport interface GetOAuthUrlOptions {\n  /** OAuth provider */\n  provider: OAuthProvider;\n  /** Redirect URI after OAuth completes */\n  redirectUri: string;\n}\n\n/**\n * Options for deleting a user (admin operation).\n */\nexport interface DeleteUserOptions {\n  /** The ID of the user to delete */\n  userId: string;\n}\n\n/**\n * Options for deleting the current user's own account.\n */\nexport interface DeleteMyAccountOptions {\n  /** The user's current access token */\n  accessToken: string;\n  /** The user's current password (for re-authentication) */\n  password: string;\n}\n\n/**\n * Error thrown by OvixaAuth operations.\n */\nexport class OvixaAuthError extends Error {\n  constructor(\n    message: string,\n    public readonly code: string,\n    public readonly statusCode?: number\n  ) {\n    super(message);\n    this.name = 'OvixaAuthError';\n  }\n}\n\ninterface InternalConfig {\n  authUrl: string;\n  realmId: string;\n  clientSecret?: string;\n  jwksCacheTtl: number;\n}\n\n/** Default JWKS cache TTL: 1 hour */\nconst DEFAULT_JWKS_CACHE_TTL = 60 * 60 * 1000;\n\n/**\n * Custom fetch function that adds cache headers for JWKS requests.\n * Used to implement client-side caching behavior.\n */\ntype JWKSFetcher = ReturnType<typeof createRemoteJWKSet>;\n\ninterface JWKSCache {\n  fetcher: JWKSFetcher;\n  createdAt: number;\n}\n\n/**\n * OvixaAuth client for authenticating with the Ovixa Auth service.\n *\n * @example\n * ```typescript\n * const auth = new OvixaAuth({\n *   authUrl: 'https://auth.ovixa.io',\n *   realmId: 'your-realm-id',\n *   clientSecret: 'your-client-secret', // Optional, for server-side use\n * });\n *\n * // Verify a token\n * const result = await auth.verifyToken(accessToken);\n * console.log(result.payload.email);\n *\n * // Refresh tokens\n * const tokens = await auth.refreshToken(refreshToken);\n * ```\n */\nexport class OvixaAuth {\n  private config: InternalConfig;\n  private jwksCache: JWKSCache | null = null;\n\n  constructor(config: AuthClientConfig) {\n    // Normalize authUrl by removing trailing slash\n    const authUrl = config.authUrl.replace(/\\/$/, '');\n\n    this.config = {\n      authUrl,\n      realmId: config.realmId,\n      clientSecret: config.clientSecret,\n      jwksCacheTtl: config.jwksCacheTtl ?? DEFAULT_JWKS_CACHE_TTL,\n    };\n  }\n\n  /** Get the configured auth URL */\n  get authUrl(): string {\n    return this.config.authUrl;\n  }\n\n  /** Get the configured realm ID */\n  get realmId(): string {\n    return this.config.realmId;\n  }\n\n  /**\n   * Get the JWKS URL for the auth service.\n   */\n  get jwksUrl(): string {\n    return `${this.config.authUrl}/.well-known/jwks.json`;\n  }\n\n  /**\n   * Get the JWKS fetcher, creating a new one if necessary.\n   * The fetcher is cached based on the configured TTL.\n   */\n  private getJwksFetcher(): JWKSFetcher {\n    const now = Date.now();\n\n    // Return cached fetcher if still valid\n    if (this.jwksCache && now - this.jwksCache.createdAt < this.config.jwksCacheTtl) {\n      return this.jwksCache.fetcher;\n    }\n\n    // Create new JWKS fetcher\n    const jwksUrl = new URL(this.jwksUrl);\n    const fetcher = createRemoteJWKSet(jwksUrl, {\n      // jose library has its own internal caching, but we add our own TTL layer\n      // to control when to refresh the JWKS set\n      cacheMaxAge: this.config.jwksCacheTtl,\n    });\n\n    this.jwksCache = {\n      fetcher,\n      createdAt: now,\n    };\n\n    return fetcher;\n  }\n\n  /**\n   * Verify an access token and return the decoded payload.\n   *\n   * This method fetches the public key from the JWKS endpoint (with caching)\n   * and verifies the token's signature and claims.\n   *\n   * @param token - The access token (JWT) to verify\n   * @returns The verified token payload and header\n   * @throws {OvixaAuthError} If verification fails\n   *\n   * @example\n   * ```typescript\n   * try {\n   *   const result = await auth.verifyToken(accessToken);\n   *   console.log('User ID:', result.payload.sub);\n   *   console.log('Email:', result.payload.email);\n   * } catch (error) {\n   *   if (error instanceof OvixaAuthError) {\n   *     console.error('Token verification failed:', error.code);\n   *   }\n   * }\n   * ```\n   */\n  async verifyToken(token: string): Promise<VerifyResult> {\n    try {\n      const jwks = this.getJwksFetcher();\n\n      const result: JWTVerifyResult<AccessTokenPayload> = await jwtVerify(token, jwks, {\n        algorithms: ['RS256'],\n        issuer: this.config.authUrl,\n        // Audience is the realm for this application\n        audience: this.config.realmId,\n      });\n\n      // Validate required claims\n      const payload = result.payload;\n      if (!payload.sub || !payload.email || payload.email_verified === undefined) {\n        throw new OvixaAuthError('Token is missing required claims', 'INVALID_CLAIMS');\n      }\n\n      return {\n        payload: payload as AccessTokenPayload,\n        protectedHeader: result.protectedHeader,\n      };\n    } catch (error) {\n      if (error instanceof OvixaAuthError) {\n        throw error;\n      }\n\n      // Handle jose library errors\n      if (error instanceof Error) {\n        const message = error.message;\n\n        if (message.includes('expired')) {\n          throw new OvixaAuthError('Token has expired', 'TOKEN_EXPIRED');\n        }\n        if (message.includes('signature')) {\n          throw new OvixaAuthError('Invalid token signature', 'INVALID_SIGNATURE');\n        }\n        if (message.includes('issuer')) {\n          throw new OvixaAuthError('Invalid token issuer', 'INVALID_ISSUER');\n        }\n        if (message.includes('audience')) {\n          throw new OvixaAuthError('Invalid token audience', 'INVALID_AUDIENCE');\n        }\n        if (message.includes('malformed')) {\n          throw new OvixaAuthError('Malformed token', 'MALFORMED_TOKEN');\n        }\n\n        throw new OvixaAuthError(`Token verification failed: ${message}`, 'VERIFICATION_FAILED');\n      }\n\n      throw new OvixaAuthError('Token verification failed', 'VERIFICATION_FAILED');\n    }\n  }\n\n  /**\n   * Refresh an access token using a refresh token.\n   *\n   * This method exchanges a valid refresh token for a new access token\n   * and a new refresh token (token rotation).\n   *\n   * @param refreshToken - The refresh token to exchange\n   * @returns New token response with access and refresh tokens\n   * @throws {OvixaAuthError} If the refresh fails\n   *\n   * @example\n   * ```typescript\n   * try {\n   *   const tokens = await auth.refreshToken(currentRefreshToken);\n   *   // Store the new tokens\n   *   saveTokens(tokens.access_token, tokens.refresh_token);\n   * } catch (error) {\n   *   if (error instanceof OvixaAuthError) {\n   *     // Refresh token is invalid or expired - user must re-authenticate\n   *     redirectToLogin();\n   *   }\n   * }\n   * ```\n   */\n  async refreshToken(refreshToken: string): Promise<TokenResponse> {\n    const url = `${this.config.authUrl}/token/refresh`;\n\n    try {\n      const response = await fetch(url, {\n        method: 'POST',\n        headers: {\n          'Content-Type': 'application/json',\n        },\n        body: JSON.stringify({\n          refresh_token: refreshToken,\n        }),\n      });\n\n      if (!response.ok) {\n        const errorBody = await response.json().catch(() => ({}));\n        const errorMessage = (errorBody as { error?: string }).error || 'Token refresh failed';\n        const errorCode = this.mapHttpStatusToErrorCode(response.status);\n\n        throw new OvixaAuthError(errorMessage, errorCode, response.status);\n      }\n\n      const data = (await response.json()) as TokenResponse;\n      return data;\n    } catch (error) {\n      if (error instanceof OvixaAuthError) {\n        throw error;\n      }\n\n      if (error instanceof Error) {\n        throw new OvixaAuthError(`Network error: ${error.message}`, 'NETWORK_ERROR');\n      }\n\n      throw new OvixaAuthError('Token refresh failed', 'REFRESH_FAILED');\n    }\n  }\n\n  /**\n   * Invalidate the cached JWKS fetcher.\n   * Call this if you need to force a refresh of the public keys.\n   */\n  clearJwksCache(): void {\n    this.jwksCache = null;\n  }\n\n  /**\n   * Create a new user account.\n   *\n   * After signup, a verification email is sent. The user must verify their\n   * email before they can log in.\n   *\n   * @param options - Signup options\n   * @returns Signup response indicating success\n   * @throws {OvixaAuthError} If signup fails\n   *\n   * @example\n   * ```typescript\n   * try {\n   *   await auth.signup({\n   *     email: 'user@example.com',\n   *     password: 'SecurePassword123!',\n   *     redirectUri: 'https://myapp.com/verify-callback',\n   *   });\n   *   console.log('Verification email sent!');\n   * } catch (error) {\n   *   if (error instanceof OvixaAuthError) {\n   *     if (error.code === 'EMAIL_ALREADY_EXISTS') {\n   *       console.error('Email is already registered');\n   *     }\n   *   }\n   * }\n   * ```\n   */\n  async signup(options: SignupOptions): Promise<SignupResponse> {\n    const url = `${this.config.authUrl}/signup`;\n\n    const body: Record<string, string> = {\n      email: options.email,\n      password: options.password,\n      realm_id: this.config.realmId,\n    };\n\n    if (options.redirectUri) {\n      body.redirect_uri = options.redirectUri;\n    }\n\n    return this.makeRequest<SignupResponse>(url, body);\n  }\n\n  /**\n   * Authenticate a user with email and password.\n   *\n   * @param options - Login options\n   * @returns Token response with access and refresh tokens\n   * @throws {OvixaAuthError} If login fails\n   *\n   * @example\n   * ```typescript\n   * try {\n   *   const tokens = await auth.login({\n   *     email: 'user@example.com',\n   *     password: 'SecurePassword123!',\n   *   });\n   *   console.log('Logged in!', tokens.access_token);\n   * } catch (error) {\n   *   if (error instanceof OvixaAuthError) {\n   *     if (error.code === 'EMAIL_NOT_VERIFIED') {\n   *       console.error('Please verify your email first');\n   *     } else if (error.code === 'INVALID_CREDENTIALS') {\n   *       console.error('Invalid email or password');\n   *     }\n   *   }\n   * }\n   * ```\n   */\n  async login(options: LoginOptions): Promise<TokenResponse> {\n    const url = `${this.config.authUrl}/login`;\n\n    const body = {\n      email: options.email,\n      password: options.password,\n      realm_id: this.config.realmId,\n    };\n\n    return this.makeRequest<TokenResponse>(url, body);\n  }\n\n  /**\n   * Verify an email address using a verification token.\n   *\n   * This is the API flow that returns tokens. For browser redirect flow,\n   * use `GET /verify` directly.\n   *\n   * @param options - Verification options\n   * @returns Token response with access and refresh tokens\n   * @throws {OvixaAuthError} If verification fails\n   *\n   * @example\n   * ```typescript\n   * // Get token from URL query params after clicking email link\n   * const token = new URLSearchParams(window.location.search).get('token');\n   *\n   * try {\n   *   const tokens = await auth.verifyEmail({ token });\n   *   console.log('Email verified! Logged in.');\n   * } catch (error) {\n   *   if (error instanceof OvixaAuthError && error.code === 'INVALID_TOKEN') {\n   *     console.error('Invalid or expired verification link');\n   *   }\n   * }\n   * ```\n   */\n  async verifyEmail(options: VerifyEmailOptions): Promise<TokenResponse> {\n    const url = `${this.config.authUrl}/verify`;\n\n    const body = {\n      token: options.token,\n      realm_id: this.config.realmId,\n      type: 'email_verification',\n    };\n\n    return this.makeRequest<TokenResponse>(url, body);\n  }\n\n  /**\n   * Resend a verification email for an unverified account.\n   *\n   * @param options - Resend options\n   * @returns Success response\n   * @throws {OvixaAuthError} If request fails\n   *\n   * @example\n   * ```typescript\n   * await auth.resendVerification({\n   *   email: 'user@example.com',\n   *   redirectUri: 'https://myapp.com/verify-callback',\n   * });\n   * console.log('Verification email sent!');\n   * ```\n   */\n  async resendVerification(options: ResendVerificationOptions): Promise<SuccessResponse> {\n    const url = `${this.config.authUrl}/verify/resend`;\n\n    const body: Record<string, string> = {\n      email: options.email,\n      realm_id: this.config.realmId,\n    };\n\n    if (options.redirectUri) {\n      body.redirect_uri = options.redirectUri;\n    }\n\n    return this.makeRequest<SuccessResponse>(url, body);\n  }\n\n  /**\n   * Request a password reset email.\n   *\n   * Note: This endpoint always returns success to prevent email enumeration.\n   *\n   * @param options - Forgot password options\n   * @returns Success response\n   * @throws {OvixaAuthError} If request fails\n   *\n   * @example\n   * ```typescript\n   * await auth.forgotPassword({\n   *   email: 'user@example.com',\n   *   redirectUri: 'https://myapp.com/reset-password',\n   * });\n   * console.log('If the email exists, a reset link has been sent.');\n   * ```\n   */\n  async forgotPassword(options: ForgotPasswordOptions): Promise<SuccessResponse> {\n    const url = `${this.config.authUrl}/forgot-password`;\n\n    const body: Record<string, string> = {\n      email: options.email,\n      realm_id: this.config.realmId,\n    };\n\n    if (options.redirectUri) {\n      body.redirect_uri = options.redirectUri;\n    }\n\n    return this.makeRequest<SuccessResponse>(url, body);\n  }\n\n  /**\n   * Reset password using a reset token.\n   *\n   * @param options - Reset password options\n   * @returns Success response\n   * @throws {OvixaAuthError} If reset fails\n   *\n   * @example\n   * ```typescript\n   * // Get token from URL query params\n   * const token = new URLSearchParams(window.location.search).get('token');\n   *\n   * try {\n   *   await auth.resetPassword({\n   *     token,\n   *     password: 'NewSecurePassword123!',\n   *   });\n   *   console.log('Password reset successfully!');\n   * } catch (error) {\n   *   if (error instanceof OvixaAuthError) {\n   *     if (error.code === 'INVALID_TOKEN') {\n   *       console.error('Invalid or expired reset link');\n   *     } else if (error.code === 'WEAK_PASSWORD') {\n   *       console.error('Password does not meet requirements');\n   *     }\n   *   }\n   * }\n   * ```\n   */\n  async resetPassword(options: ResetPasswordOptions): Promise<SuccessResponse> {\n    const url = `${this.config.authUrl}/reset-password`;\n\n    const body = {\n      token: options.token,\n      password: options.password,\n      realm_id: this.config.realmId,\n    };\n\n    return this.makeRequest<SuccessResponse>(url, body);\n  }\n\n  /**\n   * Revoke a refresh token (logout).\n   *\n   * @param refreshToken - The refresh token to revoke\n   * @returns Success response\n   * @throws {OvixaAuthError} If logout fails\n   *\n   * @example\n   * ```typescript\n   * await auth.logout(currentRefreshToken);\n   * // Clear local token storage\n   * localStorage.removeItem('refresh_token');\n   * localStorage.removeItem('access_token');\n   * ```\n   */\n  async logout(refreshToken: string): Promise<SuccessResponse> {\n    const url = `${this.config.authUrl}/logout`;\n\n    const body = {\n      refresh_token: refreshToken,\n    };\n\n    return this.makeRequest<SuccessResponse>(url, body);\n  }\n\n  /**\n   * Generate an OAuth authorization URL.\n   *\n   * Redirect the user to this URL to start the OAuth flow. After authentication,\n   * the user will be redirected back to your `redirectUri` with tokens.\n   *\n   * @param options - OAuth URL options\n   * @returns The full OAuth authorization URL\n   *\n   * @example\n   * ```typescript\n   * const googleAuthUrl = auth.getOAuthUrl({\n   *   provider: 'google',\n   *   redirectUri: 'https://myapp.com/auth/callback',\n   * });\n   *\n   * // Redirect user to start OAuth flow\n   * window.location.href = googleAuthUrl;\n   * ```\n   */\n  getOAuthUrl(options: GetOAuthUrlOptions): string {\n    const url = new URL(`${this.config.authUrl}/oauth/${options.provider}`);\n    url.searchParams.set('realm_id', this.config.realmId);\n    url.searchParams.set('redirect_uri', options.redirectUri);\n    return url.toString();\n  }\n\n  /**\n   * Transform a token response into an AuthResult with user and session data.\n   *\n   * This method decodes the access token to extract user information and\n   * creates a structured result object.\n   *\n   * @param tokenResponse - The token response from login, verify, or refresh\n   * @returns AuthResult with user and session data\n   * @throws {OvixaAuthError} If the access token cannot be decoded\n   *\n   * @example\n   * ```typescript\n   * const tokens = await auth.login({ email, password });\n   * const result = await auth.toAuthResult(tokens);\n   *\n   * console.log('User ID:', result.user.id);\n   * console.log('Email:', result.user.email);\n   * console.log('Expires at:', result.session.expiresAt);\n   * ```\n   */\n  async toAuthResult(tokenResponse: TokenResponse): Promise<AuthResult> {\n    // Verify and decode the access token\n    const verified = await this.verifyToken(tokenResponse.access_token);\n\n    const user: User = {\n      id: verified.payload.sub,\n      email: verified.payload.email,\n      emailVerified: verified.payload.email_verified,\n    };\n\n    const session: Session = {\n      accessToken: tokenResponse.access_token,\n      refreshToken: tokenResponse.refresh_token,\n      expiresAt: new Date(Date.now() + tokenResponse.expires_in * 1000),\n    };\n\n    const result: AuthResult = { user, session };\n\n    if (tokenResponse.is_new_user !== undefined) {\n      result.isNewUser = tokenResponse.is_new_user;\n    }\n\n    return result;\n  }\n\n  /**\n   * Delete the current user's own account.\n   *\n   * This permanently deletes the user's account and all associated data.\n   * Password re-authentication is required to prevent accidental deletion.\n   *\n   * @param options - Delete account options\n   * @returns Success response\n   * @throws {OvixaAuthError} If deletion fails\n   *\n   * @example\n   * ```typescript\n   * try {\n   *   await auth.deleteMyAccount({\n   *     accessToken: session.accessToken,\n   *     password: 'current-password',\n   *   });\n   *   console.log('Account deleted successfully');\n   *   // Clear local session storage\n   * } catch (error) {\n   *   if (error instanceof OvixaAuthError) {\n   *     if (error.code === 'INVALID_CREDENTIALS') {\n   *       console.error('Incorrect password');\n   *     } else if (error.code === 'UNAUTHORIZED') {\n   *       console.error('Invalid or expired access token');\n   *     }\n   *   }\n   * }\n   * ```\n   */\n  async deleteMyAccount(options: DeleteMyAccountOptions): Promise<SuccessResponse> {\n    const url = `${this.config.authUrl}/me`;\n\n    try {\n      const response = await fetch(url, {\n        method: 'DELETE',\n        headers: {\n          'Content-Type': 'application/json',\n          Authorization: `Bearer ${options.accessToken}`,\n        },\n        body: JSON.stringify({\n          password: options.password,\n        }),\n      });\n\n      if (!response.ok) {\n        const errorBody = await response.json().catch(() => ({}));\n        const errorData = errorBody as { error?: { code?: string; message?: string } | string };\n\n        let errorCode: string;\n        let errorMessage: string;\n\n        if (typeof errorData.error === 'object' && errorData.error) {\n          errorCode = errorData.error.code || this.mapHttpStatusToErrorCode(response.status);\n          errorMessage = errorData.error.message || 'Request failed';\n        } else {\n          errorCode = this.mapHttpStatusToErrorCode(response.status);\n          errorMessage = typeof errorData.error === 'string' ? errorData.error : 'Request failed';\n        }\n\n        throw new OvixaAuthError(errorMessage, errorCode, response.status);\n      }\n\n      return (await response.json()) as SuccessResponse;\n    } catch (error) {\n      if (error instanceof OvixaAuthError) {\n        throw error;\n      }\n\n      if (error instanceof Error) {\n        throw new OvixaAuthError(`Network error: ${error.message}`, 'NETWORK_ERROR');\n      }\n\n      throw new OvixaAuthError('Request failed', 'REQUEST_FAILED');\n    }\n  }\n\n  /**\n   * Make an authenticated POST request to the auth service.\n   */\n  private async makeRequest<T>(url: string, body: Record<string, unknown>): Promise<T> {\n    try {\n      const response = await fetch(url, {\n        method: 'POST',\n        headers: {\n          'Content-Type': 'application/json',\n        },\n        body: JSON.stringify(body),\n      });\n\n      if (!response.ok) {\n        const errorBody = await response.json().catch(() => ({}));\n        const errorData = errorBody as { error?: { code?: string; message?: string } | string };\n\n        let errorCode: string;\n        let errorMessage: string;\n\n        if (typeof errorData.error === 'object' && errorData.error) {\n          errorCode = errorData.error.code || this.mapHttpStatusToErrorCode(response.status);\n          errorMessage = errorData.error.message || 'Request failed';\n        } else {\n          errorCode = this.mapHttpStatusToErrorCode(response.status);\n          errorMessage = typeof errorData.error === 'string' ? errorData.error : 'Request failed';\n        }\n\n        throw new OvixaAuthError(errorMessage, errorCode, response.status);\n      }\n\n      return (await response.json()) as T;\n    } catch (error) {\n      if (error instanceof OvixaAuthError) {\n        throw error;\n      }\n\n      if (error instanceof Error) {\n        throw new OvixaAuthError(`Network error: ${error.message}`, 'NETWORK_ERROR');\n      }\n\n      throw new OvixaAuthError('Request failed', 'REQUEST_FAILED');\n    }\n  }\n\n  /**\n   * Map HTTP status codes to error codes.\n   */\n  private mapHttpStatusToErrorCode(status: number): string {\n    switch (status) {\n      case 400:\n        return 'BAD_REQUEST';\n      case 401:\n        return 'UNAUTHORIZED';\n      case 403:\n        return 'FORBIDDEN';\n      case 404:\n        return 'NOT_FOUND';\n      case 429:\n        return 'RATE_LIMITED';\n      case 500:\n      case 502:\n      case 503:\n        return 'SERVER_ERROR';\n      default:\n        return 'UNKNOWN_ERROR';\n    }\n  }\n\n  /**\n   * Get the admin API interface for realm-scoped operations.\n   *\n   * Admin operations require clientSecret to be configured.\n   * These operations allow managing users within the realm boundary.\n   *\n   * @returns OvixaAuthAdmin interface for admin operations\n   * @throws {OvixaAuthError} If clientSecret is not configured\n   *\n   * @example\n   * ```typescript\n   * const auth = new OvixaAuth({\n   *   authUrl: 'https://auth.ovixa.io',\n   *   realmId: 'your-realm',\n   *   clientSecret: process.env.OVIXA_CLIENT_SECRET,\n   * });\n   *\n   * // Delete a user from the realm\n   * await auth.admin.deleteUser({ userId: 'user-id-to-delete' });\n   * ```\n   */\n  get admin(): OvixaAuthAdmin {\n    if (!this.config.clientSecret) {\n      throw new OvixaAuthError(\n        'clientSecret is required for admin operations',\n        'CLIENT_SECRET_REQUIRED'\n      );\n    }\n    return new OvixaAuthAdmin(this.config);\n  }\n}\n\n/**\n * Admin API interface for realm-scoped operations.\n *\n * This class provides methods for managing users within the realm boundary.\n * All operations are authenticated using the realm's client_secret.\n *\n * @example\n * ```typescript\n * // Access via OvixaAuth.admin\n * await auth.admin.deleteUser({ userId: 'user-id' });\n * ```\n */\nclass OvixaAuthAdmin {\n  private config: InternalConfig;\n\n  constructor(config: InternalConfig) {\n    this.config = config;\n  }\n\n  /**\n   * Delete a user from the realm.\n   *\n   * This permanently deletes the user and all associated data (tokens, OAuth accounts).\n   * The user must belong to this realm.\n   *\n   * @param options - Delete user options\n   * @returns Success response\n   * @throws {OvixaAuthError} If deletion fails\n   *\n   * @example\n   * ```typescript\n   * try {\n   *   await auth.admin.deleteUser({ userId: 'user-id-to-delete' });\n   *   console.log('User deleted successfully');\n   * } catch (error) {\n   *   if (error instanceof OvixaAuthError) {\n   *     if (error.code === 'NOT_FOUND') {\n   *       console.error('User not found');\n   *     } else if (error.code === 'FORBIDDEN') {\n   *       console.error('User does not belong to this realm');\n   *     }\n   *   }\n   * }\n   * ```\n   */\n  async deleteUser(options: DeleteUserOptions): Promise<SuccessResponse> {\n    const url = `${this.config.authUrl}/realms/${this.config.realmId}/users/${options.userId}`;\n\n    try {\n      const response = await fetch(url, {\n        method: 'DELETE',\n        headers: {\n          Authorization: `RealmSecret ${this.config.clientSecret}`,\n        },\n      });\n\n      if (!response.ok) {\n        const errorBody = await response.json().catch(() => ({}));\n        const errorData = errorBody as { error?: { code?: string; message?: string } | string };\n\n        let errorCode: string;\n        let errorMessage: string;\n\n        if (typeof errorData.error === 'object' && errorData.error) {\n          errorCode = errorData.error.code || this.mapHttpStatusToErrorCode(response.status);\n          errorMessage = errorData.error.message || 'Request failed';\n        } else {\n          errorCode = this.mapHttpStatusToErrorCode(response.status);\n          errorMessage = typeof errorData.error === 'string' ? errorData.error : 'Request failed';\n        }\n\n        throw new OvixaAuthError(errorMessage, errorCode, response.status);\n      }\n\n      return (await response.json()) as SuccessResponse;\n    } catch (error) {\n      if (error instanceof OvixaAuthError) {\n        throw error;\n      }\n\n      if (error instanceof Error) {\n        throw new OvixaAuthError(`Network error: ${error.message}`, 'NETWORK_ERROR');\n      }\n\n      throw new OvixaAuthError('Request failed', 'REQUEST_FAILED');\n    }\n  }\n\n  /**\n   * Map HTTP status codes to error codes.\n   */\n  private mapHttpStatusToErrorCode(status: number): string {\n    switch (status) {\n      case 400:\n        return 'BAD_REQUEST';\n      case 401:\n        return 'UNAUTHORIZED';\n      case 403:\n        return 'FORBIDDEN';\n      case 404:\n        return 'NOT_FOUND';\n      case 429:\n        return 'RATE_LIMITED';\n      case 500:\n      case 502:\n      case 503:\n        return 'SERVER_ERROR';\n      default:\n        return 'UNKNOWN_ERROR';\n    }\n  }\n}\n"],"mappings":";AAOA;AAAA,EACE;AAAA,EACA;AAAA,OAIK;AAsNA,IAAM,iBAAN,cAA6B,MAAM;AAAA,EACxC,YACE,SACgB,MACA,YAChB;AACA,UAAM,OAAO;AAHG;AACA;AAGhB,SAAK,OAAO;AAAA,EACd;AACF;AAUA,IAAM,yBAAyB,KAAK,KAAK;AAgClC,IAAM,YAAN,MAAgB;AAAA,EACb;AAAA,EACA,YAA8B;AAAA,EAEtC,YAAY,QAA0B;AAEpC,UAAM,UAAU,OAAO,QAAQ,QAAQ,OAAO,EAAE;AAEhD,SAAK,SAAS;AAAA,MACZ;AAAA,MACA,SAAS,OAAO;AAAA,MAChB,cAAc,OAAO;AAAA,MACrB,cAAc,OAAO,gBAAgB;AAAA,IACvC;AAAA,EACF;AAAA;AAAA,EAGA,IAAI,UAAkB;AACpB,WAAO,KAAK,OAAO;AAAA,EACrB;AAAA;AAAA,EAGA,IAAI,UAAkB;AACpB,WAAO,KAAK,OAAO;AAAA,EACrB;AAAA;AAAA;AAAA;AAAA,EAKA,IAAI,UAAkB;AACpB,WAAO,GAAG,KAAK,OAAO,OAAO;AAAA,EAC/B;AAAA;AAAA;AAAA;AAAA;AAAA,EAMQ,iBAA8B;AACpC,UAAM,MAAM,KAAK,IAAI;AAGrB,QAAI,KAAK,aAAa,MAAM,KAAK,UAAU,YAAY,KAAK,OAAO,cAAc;AAC/E,aAAO,KAAK,UAAU;AAAA,IACxB;AAGA,UAAM,UAAU,IAAI,IAAI,KAAK,OAAO;AACpC,UAAM,UAAU,mBAAmB,SAAS;AAAA;AAAA;AAAA,MAG1C,aAAa,KAAK,OAAO;AAAA,IAC3B,CAAC;AAED,SAAK,YAAY;AAAA,MACf;AAAA,MACA,WAAW;AAAA,IACb;AAEA,WAAO;AAAA,EACT;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAyBA,MAAM,YAAY,OAAsC;AACtD,QAAI;AACF,YAAM,OAAO,KAAK,eAAe;AAEjC,YAAM,SAA8C,MAAM,UAAU,OAAO,MAAM;AAAA,QAC/E,YAAY,CAAC,OAAO;AAAA,QACpB,QAAQ,KAAK,OAAO;AAAA;AAAA,QAEpB,UAAU,KAAK,OAAO;AAAA,MACxB,CAAC;AAGD,YAAM,UAAU,OAAO;AACvB,UAAI,CAAC,QAAQ,OAAO,CAAC,QAAQ,SAAS,QAAQ,mBAAmB,QAAW;AAC1E,cAAM,IAAI,eAAe,oCAAoC,gBAAgB;AAAA,MAC/E;AAEA,aAAO;AAAA,QACL;AAAA,QACA,iBAAiB,OAAO;AAAA,MAC1B;AAAA,IACF,SAAS,OAAO;AACd,UAAI,iBAAiB,gBAAgB;AACnC,cAAM;AAAA,MACR;AAGA,UAAI,iBAAiB,OAAO;AAC1B,cAAM,UAAU,MAAM;AAEtB,YAAI,QAAQ,SAAS,SAAS,GAAG;AAC/B,gBAAM,IAAI,eAAe,qBAAqB,eAAe;AAAA,QAC/D;AACA,YAAI,QAAQ,SAAS,WAAW,GAAG;AACjC,gBAAM,IAAI,eAAe,2BAA2B,mBAAmB;AAAA,QACzE;AACA,YAAI,QAAQ,SAAS,QAAQ,GAAG;AAC9B,gBAAM,IAAI,eAAe,wBAAwB,gBAAgB;AAAA,QACnE;AACA,YAAI,QAAQ,SAAS,UAAU,GAAG;AAChC,gBAAM,IAAI,eAAe,0BAA0B,kBAAkB;AAAA,QACvE;AACA,YAAI,QAAQ,SAAS,WAAW,GAAG;AACjC,gBAAM,IAAI,eAAe,mBAAmB,iBAAiB;AAAA,QAC/D;AAEA,cAAM,IAAI,eAAe,8BAA8B,OAAO,IAAI,qBAAqB;AAAA,MACzF;AAEA,YAAM,IAAI,eAAe,6BAA6B,qBAAqB;AAAA,IAC7E;AAAA,EACF;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EA0BA,MAAM,aAAa,cAA8C;AAC/D,UAAM,MAAM,GAAG,KAAK,OAAO,OAAO;AAElC,QAAI;AACF,YAAM,WAAW,MAAM,MAAM,KAAK;AAAA,QAChC,QAAQ;AAAA,QACR,SAAS;AAAA,UACP,gBAAgB;AAAA,QAClB;AAAA,QACA,MAAM,KAAK,UAAU;AAAA,UACnB,eAAe;AAAA,QACjB,CAAC;AAAA,MACH,CAAC;AAED,UAAI,CAAC,SAAS,IAAI;AAChB,cAAM,YAAY,MAAM,SAAS,KAAK,EAAE,MAAM,OAAO,CAAC,EAAE;AACxD,cAAM,eAAgB,UAAiC,SAAS;AAChE,cAAM,YAAY,KAAK,yBAAyB,SAAS,MAAM;AAE/D,cAAM,IAAI,eAAe,cAAc,WAAW,SAAS,MAAM;AAAA,MACnE;AAEA,YAAM,OAAQ,MAAM,SAAS,KAAK;AAClC,aAAO;AAAA,IACT,SAAS,OAAO;AACd,UAAI,iBAAiB,gBAAgB;AACnC,cAAM;AAAA,MACR;AAEA,UAAI,iBAAiB,OAAO;AAC1B,cAAM,IAAI,eAAe,kBAAkB,MAAM,OAAO,IAAI,eAAe;AAAA,MAC7E;AAEA,YAAM,IAAI,eAAe,wBAAwB,gBAAgB;AAAA,IACnE;AAAA,EACF;AAAA;AAAA;AAAA;AAAA;AAAA,EAMA,iBAAuB;AACrB,SAAK,YAAY;AAAA,EACnB;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EA8BA,MAAM,OAAO,SAAiD;AAC5D,UAAM,MAAM,GAAG,KAAK,OAAO,OAAO;AAElC,UAAM,OAA+B;AAAA,MACnC,OAAO,QAAQ;AAAA,MACf,UAAU,QAAQ;AAAA,MAClB,UAAU,KAAK,OAAO;AAAA,IACxB;AAEA,QAAI,QAAQ,aAAa;AACvB,WAAK,eAAe,QAAQ;AAAA,IAC9B;AAEA,WAAO,KAAK,YAA4B,KAAK,IAAI;AAAA,EACnD;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EA4BA,MAAM,MAAM,SAA+C;AACzD,UAAM,MAAM,GAAG,KAAK,OAAO,OAAO;AAElC,UAAM,OAAO;AAAA,MACX,OAAO,QAAQ;AAAA,MACf,UAAU,QAAQ;AAAA,MAClB,UAAU,KAAK,OAAO;AAAA,IACxB;AAEA,WAAO,KAAK,YAA2B,KAAK,IAAI;AAAA,EAClD;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EA2BA,MAAM,YAAY,SAAqD;AACrE,UAAM,MAAM,GAAG,KAAK,OAAO,OAAO;AAElC,UAAM,OAAO;AAAA,MACX,OAAO,QAAQ;AAAA,MACf,UAAU,KAAK,OAAO;AAAA,MACtB,MAAM;AAAA,IACR;AAEA,WAAO,KAAK,YAA2B,KAAK,IAAI;AAAA,EAClD;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAkBA,MAAM,mBAAmB,SAA8D;AACrF,UAAM,MAAM,GAAG,KAAK,OAAO,OAAO;AAElC,UAAM,OAA+B;AAAA,MACnC,OAAO,QAAQ;AAAA,MACf,UAAU,KAAK,OAAO;AAAA,IACxB;AAEA,QAAI,QAAQ,aAAa;AACvB,WAAK,eAAe,QAAQ;AAAA,IAC9B;AAEA,WAAO,KAAK,YAA6B,KAAK,IAAI;AAAA,EACpD;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAoBA,MAAM,eAAe,SAA0D;AAC7E,UAAM,MAAM,GAAG,KAAK,OAAO,OAAO;AAElC,UAAM,OAA+B;AAAA,MACnC,OAAO,QAAQ;AAAA,MACf,UAAU,KAAK,OAAO;AAAA,IACxB;AAEA,QAAI,QAAQ,aAAa;AACvB,WAAK,eAAe,QAAQ;AAAA,IAC9B;AAEA,WAAO,KAAK,YAA6B,KAAK,IAAI;AAAA,EACpD;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EA+BA,MAAM,cAAc,SAAyD;AAC3E,UAAM,MAAM,GAAG,KAAK,OAAO,OAAO;AAElC,UAAM,OAAO;AAAA,MACX,OAAO,QAAQ;AAAA,MACf,UAAU,QAAQ;AAAA,MAClB,UAAU,KAAK,OAAO;AAAA,IACxB;AAEA,WAAO,KAAK,YAA6B,KAAK,IAAI;AAAA,EACpD;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAiBA,MAAM,OAAO,cAAgD;AAC3D,UAAM,MAAM,GAAG,KAAK,OAAO,OAAO;AAElC,UAAM,OAAO;AAAA,MACX,eAAe;AAAA,IACjB;AAEA,WAAO,KAAK,YAA6B,KAAK,IAAI;AAAA,EACpD;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAsBA,YAAY,SAAqC;AAC/C,UAAM,MAAM,IAAI,IAAI,GAAG,KAAK,OAAO,OAAO,UAAU,QAAQ,QAAQ,EAAE;AACtE,QAAI,aAAa,IAAI,YAAY,KAAK,OAAO,OAAO;AACpD,QAAI,aAAa,IAAI,gBAAgB,QAAQ,WAAW;AACxD,WAAO,IAAI,SAAS;AAAA,EACtB;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAsBA,MAAM,aAAa,eAAmD;AAEpE,UAAM,WAAW,MAAM,KAAK,YAAY,cAAc,YAAY;AAElE,UAAM,OAAa;AAAA,MACjB,IAAI,SAAS,QAAQ;AAAA,MACrB,OAAO,SAAS,QAAQ;AAAA,MACxB,eAAe,SAAS,QAAQ;AAAA,IAClC;AAEA,UAAM,UAAmB;AAAA,MACvB,aAAa,cAAc;AAAA,MAC3B,cAAc,cAAc;AAAA,MAC5B,WAAW,IAAI,KAAK,KAAK,IAAI,IAAI,cAAc,aAAa,GAAI;AAAA,IAClE;AAEA,UAAM,SAAqB,EAAE,MAAM,QAAQ;AAE3C,QAAI,cAAc,gBAAgB,QAAW;AAC3C,aAAO,YAAY,cAAc;AAAA,IACnC;AAEA,WAAO;AAAA,EACT;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAgCA,MAAM,gBAAgB,SAA2D;AAC/E,UAAM,MAAM,GAAG,KAAK,OAAO,OAAO;AAElC,QAAI;AACF,YAAM,WAAW,MAAM,MAAM,KAAK;AAAA,QAChC,QAAQ;AAAA,QACR,SAAS;AAAA,UACP,gBAAgB;AAAA,UAChB,eAAe,UAAU,QAAQ,WAAW;AAAA,QAC9C;AAAA,QACA,MAAM,KAAK,UAAU;AAAA,UACnB,UAAU,QAAQ;AAAA,QACpB,CAAC;AAAA,MACH,CAAC;AAED,UAAI,CAAC,SAAS,IAAI;AAChB,cAAM,YAAY,MAAM,SAAS,KAAK,EAAE,MAAM,OAAO,CAAC,EAAE;AACxD,cAAM,YAAY;AAElB,YAAI;AACJ,YAAI;AAEJ,YAAI,OAAO,UAAU,UAAU,YAAY,UAAU,OAAO;AAC1D,sBAAY,UAAU,MAAM,QAAQ,KAAK,yBAAyB,SAAS,MAAM;AACjF,yBAAe,UAAU,MAAM,WAAW;AAAA,QAC5C,OAAO;AACL,sBAAY,KAAK,yBAAyB,SAAS,MAAM;AACzD,yBAAe,OAAO,UAAU,UAAU,WAAW,UAAU,QAAQ;AAAA,QACzE;AAEA,cAAM,IAAI,eAAe,cAAc,WAAW,SAAS,MAAM;AAAA,MACnE;AAEA,aAAQ,MAAM,SAAS,KAAK;AAAA,IAC9B,SAAS,OAAO;AACd,UAAI,iBAAiB,gBAAgB;AACnC,cAAM;AAAA,MACR;AAEA,UAAI,iBAAiB,OAAO;AAC1B,cAAM,IAAI,eAAe,kBAAkB,MAAM,OAAO,IAAI,eAAe;AAAA,MAC7E;AAEA,YAAM,IAAI,eAAe,kBAAkB,gBAAgB;AAAA,IAC7D;AAAA,EACF;AAAA;AAAA;AAAA;AAAA,EAKA,MAAc,YAAe,KAAa,MAA2C;AACnF,QAAI;AACF,YAAM,WAAW,MAAM,MAAM,KAAK;AAAA,QAChC,QAAQ;AAAA,QACR,SAAS;AAAA,UACP,gBAAgB;AAAA,QAClB;AAAA,QACA,MAAM,KAAK,UAAU,IAAI;AAAA,MAC3B,CAAC;AAED,UAAI,CAAC,SAAS,IAAI;AAChB,cAAM,YAAY,MAAM,SAAS,KAAK,EAAE,MAAM,OAAO,CAAC,EAAE;AACxD,cAAM,YAAY;AAElB,YAAI;AACJ,YAAI;AAEJ,YAAI,OAAO,UAAU,UAAU,YAAY,UAAU,OAAO;AAC1D,sBAAY,UAAU,MAAM,QAAQ,KAAK,yBAAyB,SAAS,MAAM;AACjF,yBAAe,UAAU,MAAM,WAAW;AAAA,QAC5C,OAAO;AACL,sBAAY,KAAK,yBAAyB,SAAS,MAAM;AACzD,yBAAe,OAAO,UAAU,UAAU,WAAW,UAAU,QAAQ;AAAA,QACzE;AAEA,cAAM,IAAI,eAAe,cAAc,WAAW,SAAS,MAAM;AAAA,MACnE;AAEA,aAAQ,MAAM,SAAS,KAAK;AAAA,IAC9B,SAAS,OAAO;AACd,UAAI,iBAAiB,gBAAgB;AACnC,cAAM;AAAA,MACR;AAEA,UAAI,iBAAiB,OAAO;AAC1B,cAAM,IAAI,eAAe,kBAAkB,MAAM,OAAO,IAAI,eAAe;AAAA,MAC7E;AAEA,YAAM,IAAI,eAAe,kBAAkB,gBAAgB;AAAA,IAC7D;AAAA,EACF;AAAA;AAAA;AAAA;AAAA,EAKQ,yBAAyB,QAAwB;AACvD,YAAQ,QAAQ;AAAA,MACd,KAAK;AACH,eAAO;AAAA,MACT,KAAK;AACH,eAAO;AAAA,MACT,KAAK;AACH,eAAO;AAAA,MACT,KAAK;AACH,eAAO;AAAA,MACT,KAAK;AACH,eAAO;AAAA,MACT,KAAK;AAAA,MACL,KAAK;AAAA,MACL,KAAK;AACH,eAAO;AAAA,MACT;AACE,eAAO;AAAA,IACX;AAAA,EACF;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAuBA,IAAI,QAAwB;AAC1B,QAAI,CAAC,KAAK,OAAO,cAAc;AAC7B,YAAM,IAAI;AAAA,QACR;AAAA,QACA;AAAA,MACF;AAAA,IACF;AACA,WAAO,IAAI,eAAe,KAAK,MAAM;AAAA,EACvC;AACF;AAcA,IAAM,iBAAN,MAAqB;AAAA,EACX;AAAA,EAER,YAAY,QAAwB;AAClC,SAAK,SAAS;AAAA,EAChB;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EA4BA,MAAM,WAAW,SAAsD;AACrE,UAAM,MAAM,GAAG,KAAK,OAAO,OAAO,WAAW,KAAK,OAAO,OAAO,UAAU,QAAQ,MAAM;AAExF,QAAI;AACF,YAAM,WAAW,MAAM,MAAM,KAAK;AAAA,QAChC,QAAQ;AAAA,QACR,SAAS;AAAA,UACP,eAAe,eAAe,KAAK,OAAO,YAAY;AAAA,QACxD;AAAA,MACF,CAAC;AAED,UAAI,CAAC,SAAS,IAAI;AAChB,cAAM,YAAY,MAAM,SAAS,KAAK,EAAE,MAAM,OAAO,CAAC,EAAE;AACxD,cAAM,YAAY;AAElB,YAAI;AACJ,YAAI;AAEJ,YAAI,OAAO,UAAU,UAAU,YAAY,UAAU,OAAO;AAC1D,sBAAY,UAAU,MAAM,QAAQ,KAAK,yBAAyB,SAAS,MAAM;AACjF,yBAAe,UAAU,MAAM,WAAW;AAAA,QAC5C,OAAO;AACL,sBAAY,KAAK,yBAAyB,SAAS,MAAM;AACzD,yBAAe,OAAO,UAAU,UAAU,WAAW,UAAU,QAAQ;AAAA,QACzE;AAEA,cAAM,IAAI,eAAe,cAAc,WAAW,SAAS,MAAM;AAAA,MACnE;AAEA,aAAQ,MAAM,SAAS,KAAK;AAAA,IAC9B,SAAS,OAAO;AACd,UAAI,iBAAiB,gBAAgB;AACnC,cAAM;AAAA,MACR;AAEA,UAAI,iBAAiB,OAAO;AAC1B,cAAM,IAAI,eAAe,kBAAkB,MAAM,OAAO,IAAI,eAAe;AAAA,MAC7E;AAEA,YAAM,IAAI,eAAe,kBAAkB,gBAAgB;AAAA,IAC7D;AAAA,EACF;AAAA;AAAA;AAAA;AAAA,EAKQ,yBAAyB,QAAwB;AACvD,YAAQ,QAAQ;AAAA,MACd,KAAK;AACH,eAAO;AAAA,MACT,KAAK;AACH,eAAO;AAAA,MACT,KAAK;AACH,eAAO;AAAA,MACT,KAAK;AACH,eAAO;AAAA,MACT,KAAK;AACH,eAAO;AAAA,MACT,KAAK;AAAA,MACL,KAAK;AAAA,MACL,KAAK;AACH,eAAO;AAAA,MACT;AACE,eAAO;AAAA,IACX;AAAA,EACF;AACF;","names":[]}