@ovixa/auth-client 0.3.0 → 0.3.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (9) hide show
  1. package/CHANGELOG.md +7 -0
  2. package/dist/{chunk-IU57RXBC.js → chunk-YFMPRWGI.js} +2 -2
  3. package/dist/{chunk-5QEKSWV4.js → chunk-ZUTZYJDF.js} +29 -11
  4. package/dist/{chunk-5QEKSWV4.js.map → chunk-ZUTZYJDF.js.map} +1 -1
  5. package/dist/index.js +1 -1
  6. package/dist/middleware/astro.js +2 -2
  7. package/dist/middleware/express.js +2 -2
  8. package/package.json +1 -1
  9. /package/dist/{chunk-IU57RXBC.js.map → chunk-YFMPRWGI.js.map} +0 -0
package/CHANGELOG.md CHANGED
@@ -5,6 +5,13 @@ All notable changes to this project will be documented in this file.
5
5
  The format is based on [Keep a Changelog](https://keepachangelog.com/),
6
6
  and this project adheres to [Semantic Versioning](https://semver.org/).
7
7
 
8
+ ## [0.3.1] - 2026-01-30
9
+
10
+ ### Fixed
11
+
12
+ - `prepareRegistrationOptions` and `prepareAuthenticationOptions` now handle null/undefined credential arrays from server responses
13
+ - Malformed credential IDs in `excludeCredentials` and `allowCredentials` are now skipped with a warning instead of causing "Offset is outside the bounds of the DataView" browser errors
14
+
8
15
  ## [0.3.0] - 2026-01-30
9
16
 
10
17
  ### Added
package/dist/{chunk-IU57RXBC.js → chunk-YFMPRWGI.js} RENAMED
@@ -1,6 +1,6 @@
1
1
  import {
2
2
  OvixaAuthError
3
- } from "./chunk-5QEKSWV4.js";
3
+ } from "./chunk-ZUTZYJDF.js";
4
4
 
5
5
  // src/middleware/types.ts
6
6
  var DEFAULT_COOKIE_OPTIONS = {
@@ -140,4 +140,4 @@ export {
140
140
  setAuthCookies,
141
141
  clearAuthCookies
142
142
  };
143
- //# sourceMappingURL=chunk-IU57RXBC.js.map
143
+ //# sourceMappingURL=chunk-YFMPRWGI.js.map
package/dist/{chunk-5QEKSWV4.js → chunk-ZUTZYJDF.js} RENAMED
@@ -1110,6 +1110,19 @@ function base64UrlToArrayBuffer(base64url) {
1110
1110
  return bytes.buffer;
1111
1111
  }
1112
1112
  function prepareRegistrationOptions(options) {
1113
+ const excludeCredentials = Array.isArray(options.excludeCredentials) ? options.excludeCredentials : [];
1114
+ const decodedExcludeCredentials = [];
1115
+ for (const cred of excludeCredentials) {
1116
+ try {
1117
+ decodedExcludeCredentials.push({
1118
+ id: base64UrlToArrayBuffer(cred.id),
1119
+ type: cred.type,
1120
+ transports: cred.transports
1121
+ });
1122
+ } catch {
1123
+ console.warn("[ovixa/auth-client] Skipping malformed credential ID:", cred.id);
1124
+ }
1125
+ }
1113
1126
  return {
1114
1127
  challenge: base64UrlToArrayBuffer(options.challenge),
1115
1128
  rp: options.rp,
@@ -1119,25 +1132,30 @@ function prepareRegistrationOptions(options) {
1119
1132
  displayName: options.user.displayName
1120
1133
  },
1121
1134
  pubKeyCredParams: options.pubKeyCredParams,
1122
- excludeCredentials: options.excludeCredentials.map((cred) => ({
1123
- id: base64UrlToArrayBuffer(cred.id),
1124
- type: cred.type,
1125
- transports: cred.transports
1126
- })),
1135
+ excludeCredentials: decodedExcludeCredentials,
1127
1136
  authenticatorSelection: options.authenticatorSelection,
1128
1137
  timeout: options.timeout,
1129
1138
  attestation: options.attestation
1130
1139
  };
1131
1140
  }
1132
1141
  function prepareAuthenticationOptions(options) {
1142
+ const allowCredentials = Array.isArray(options.allowCredentials) ? options.allowCredentials : [];
1143
+ const decodedAllowCredentials = [];
1144
+ for (const cred of allowCredentials) {
1145
+ try {
1146
+ decodedAllowCredentials.push({
1147
+ id: base64UrlToArrayBuffer(cred.id),
1148
+ type: cred.type,
1149
+ transports: cred.transports
1150
+ });
1151
+ } catch {
1152
+ console.warn("[ovixa/auth-client] Skipping malformed credential ID:", cred.id);
1153
+ }
1154
+ }
1133
1155
  return {
1134
1156
  challenge: base64UrlToArrayBuffer(options.challenge),
1135
1157
  rpId: options.rpId,
1136
- allowCredentials: options.allowCredentials.map((cred) => ({
1137
- id: base64UrlToArrayBuffer(cred.id),
1138
- type: cred.type,
1139
- transports: cred.transports
1140
- })),
1158
+ allowCredentials: decodedAllowCredentials,
1141
1159
  userVerification: options.userVerification,
1142
1160
  timeout: options.timeout
1143
1161
  };
@@ -1182,4 +1200,4 @@ export {
1182
1200
  formatRegistrationResponse,
1183
1201
  formatAuthenticationResponse
1184
1202
  };
1185
- //# sourceMappingURL=chunk-5QEKSWV4.js.map
1203
+ //# sourceMappingURL=chunk-ZUTZYJDF.js.map
package/dist/{chunk-5QEKSWV4.js.map → chunk-ZUTZYJDF.js.map} RENAMED
@@ -1 +1 @@
1
- {"version":3,"sources":["../src/index.ts"],"sourcesContent":["/**\n * @ovixa/auth-client\n *\n * Client SDK for Ovixa Auth service.\n * Provides authentication, token verification, and session management.\n */\n\nimport {\n createRemoteJWKSet,\n jwtVerify,\n type JWTPayload,\n type JWTVerifyResult,\n type JWTHeaderParameters,\n} from 'jose';\n\n/**\n * Configuration options for the OvixaAuth client.\n */\nexport interface AuthClientConfig {\n /** The base URL of the Ovixa Auth service */\n authUrl: string;\n /** The realm ID to authenticate against */\n realmId: string;\n /** Your application's client secret (for server-side use only) */\n clientSecret?: string;\n /** Cache duration for JWKS in milliseconds (defaults to 1 hour) */\n jwksCacheTtl?: number;\n}\n\n/**\n * JWT claims for an Ovixa access token.\n */\nexport interface AccessTokenPayload extends JWTPayload {\n /** Subject (user ID) */\n sub: string;\n /** User's email address */\n email: string;\n /** Whether the user's email has been verified */\n email_verified: boolean;\n /** Issued at timestamp */\n iat: number;\n /** Expiration timestamp */\n exp: number;\n /** Issuer */\n iss: string;\n /** Audience (realm ID) */\n aud: string;\n}\n\n/**\n * Result of a successful token verification.\n */\nexport interface VerifyResult {\n /** The decoded token payload */\n payload: AccessTokenPayload;\n /** The protected header */\n protectedHeader: JWTHeaderParameters;\n}\n\n/**\n * Token response from the auth service.\n */\nexport interface TokenResponse {\n /** The access token (JWT) */\n access_token: string;\n /** The refresh token (JWT) */\n refresh_token: string;\n /** Token type (always \"Bearer\") */\n token_type: 'Bearer';\n /** Access token expiration time in seconds */\n expires_in: number;\n /** Whether this is a new user (only present in OAuth callback) */\n is_new_user?: boolean;\n}\n\n/**\n * User information extracted from token payload.\n */\nexport interface User {\n /** User ID (UUID) */\n id: string;\n /** User's email address */\n email: string;\n /** Whether the email has been verified */\n emailVerified: boolean;\n}\n\n/**\n * Session information containing tokens and expiry.\n */\nexport interface Session {\n /** The access token (JWT) */\n accessToken: string;\n /** The refresh token for obtaining new access tokens */\n refreshToken: string;\n /** When the access token expires */\n expiresAt: Date;\n}\n\n/**\n * Combined authentication result with user and session data.\n */\nexport interface AuthResult {\n /** The authenticated user */\n user: User;\n /** The session tokens */\n session: Session;\n /** Whether this is a new user (only set for OAuth flows) */\n isNewUser?: boolean;\n}\n\n/**\n * Options for signup.\n */\nexport interface SignupOptions {\n /** User's email address */\n email: string;\n /** Password meeting requirements */\n password: string;\n /** Optional redirect URI after email verification */\n redirectUri?: string;\n}\n\n/**\n * Response from signup endpoint.\n */\nexport interface SignupResponse {\n /** Whether the operation succeeded */\n success: boolean;\n /** Status message */\n message: string;\n}\n\n/**\n * Options for login.\n */\nexport interface LoginOptions {\n /** User's email address */\n email: string;\n /** User's password */\n password: string;\n}\n\n/**\n * Options for email verification.\n */\nexport interface VerifyEmailOptions {\n /** Verification token from email */\n token: string;\n}\n\n/**\n * Options for resending verification email.\n */\nexport interface ResendVerificationOptions {\n /** User's email address */\n email: string;\n /** Optional redirect URI after verification */\n redirectUri?: string;\n}\n\n/**\n * Generic success response.\n */\nexport interface SuccessResponse {\n /** Whether the operation succeeded */\n success: boolean;\n /** Optional status message */\n message?: string;\n}\n\n/**\n * Options for forgot password request.\n */\nexport interface ForgotPasswordOptions {\n /** User's email address */\n email: string;\n /** Optional redirect URI for password reset page */\n redirectUri?: string;\n}\n\n/**\n * Options for password reset.\n */\nexport interface ResetPasswordOptions {\n /** Reset token from email */\n token: string;\n /** New password */\n password: string;\n}\n\n/**\n * Supported OAuth providers.\n */\nexport type OAuthProvider = 'google' | 'github';\n\n// ============================================================\n// WebAuthn / Passkey Types\n// ============================================================\n\n/**\n * Options for getting passkey registration options.\n */\nexport interface GetPasskeyRegistrationOptionsOptions {\n /** Access token (user must be logged in to register a passkey) */\n accessToken: string;\n}\n\n/**\n * Registration options returned from the server.\n * These are passed directly to navigator.credentials.create().\n */\nexport interface PasskeyRegistrationOptions {\n challenge: string;\n rp: { id: string; name: string };\n user: { id: string; name: string; displayName: string };\n pubKeyCredParams: { type: 'public-key'; alg: number }[];\n excludeCredentials: { id: string; type: 'public-key'; transports?: string[] }[];\n authenticatorSelection: {\n authenticatorAttachment?: 'platform' | 'cross-platform';\n residentKey: 'discouraged' | 'preferred' | 'required';\n userVerification: 'discouraged' | 'preferred' | 'required';\n };\n timeout: number;\n attestation: 'none';\n}\n\n/**\n * Options for verifying passkey registration.\n */\nexport interface VerifyPasskeyRegistrationOptions {\n /** Access token (user must be logged in) */\n accessToken: string;\n /** The registration response from navigator.credentials.create() */\n registration: {\n id: string;\n rawId: string;\n type: 'public-key';\n response: {\n clientDataJSON: string;\n attestationObject: string;\n authenticatorData?: string;\n transports?: string[];\n publicKeyAlgorithm?: number;\n publicKey?: string;\n };\n authenticatorAttachment?: 'platform' | 'cross-platform';\n clientExtensionResults?: Record<string, unknown>;\n };\n /** Optional friendly name for the passkey */\n deviceName?: string;\n}\n\n/**\n * Response from passkey registration verification.\n */\nexport interface PasskeyRegistrationResponse {\n success: boolean;\n credential_id: string;\n device_name?: string;\n}\n\n/**\n * Options for getting passkey authentication options.\n */\nexport interface GetPasskeyAuthenticationOptionsOptions {\n /** Optional email for allowCredentials hint (for non-discoverable credentials) */\n email?: string;\n}\n\n/**\n * Authentication options returned from the server.\n * These are passed directly to navigator.credentials.get().\n */\nexport interface PasskeyAuthenticationOptions {\n challenge: string;\n rpId: string;\n allowCredentials: { id: string; type: 'public-key'; transports?: string[] }[];\n userVerification: 'discouraged' | 'preferred' | 'required';\n timeout: number;\n}\n\n/**\n * Options for verifying passkey authentication.\n */\nexport interface VerifyPasskeyAuthenticationOptions {\n /** The authentication response from navigator.credentials.get() */\n authentication: {\n id: string;\n rawId: string;\n type: 'public-key';\n response: {\n clientDataJSON: string;\n authenticatorData: string;\n signature: string;\n userHandle?: string | null;\n };\n authenticatorAttachment?: 'platform' | 'cross-platform';\n clientExtensionResults?: Record<string, unknown>;\n };\n}\n\n/**\n * Options for listing passkeys.\n */\nexport interface ListPasskeysOptions {\n /** Access token (user must be logged in) */\n accessToken: string;\n}\n\n/**\n * Passkey information returned from listPasskeys.\n */\nexport interface Passkey {\n /** The credential ID (base64url-encoded) */\n credential_id: string;\n /** Optional friendly name for the passkey */\n device_name: string | null;\n /** When the passkey was registered */\n created_at: string;\n /** When the passkey was last used */\n last_used_at: string | null;\n}\n\n/**\n * Response from listPasskeys.\n */\nexport interface ListPasskeysResponse {\n /** Array of passkeys */\n passkeys: Passkey[];\n}\n\n/**\n * Options for deleting a passkey.\n */\nexport interface DeletePasskeyOptions {\n /** Access token (user must be logged in) */\n accessToken: string;\n /** The credential ID to delete */\n credentialId: string;\n}\n\n/**\n * Options for generating OAuth URL.\n */\nexport interface GetOAuthUrlOptions {\n /** OAuth provider */\n provider: OAuthProvider;\n /** Redirect URI after OAuth completes */\n redirectUri: string;\n}\n\n/**\n * Options for deleting a user (admin operation).\n */\nexport interface DeleteUserOptions {\n /** The ID of the user to delete */\n userId: string;\n}\n\n/**\n * Options for deleting the current user's own account.\n */\nexport interface DeleteMyAccountOptions {\n /** The user's current access token */\n accessToken: string;\n /** The user's current password (for re-authentication) */\n password: string;\n}\n\n/**\n * Error thrown by OvixaAuth operations.\n */\nexport class OvixaAuthError extends Error {\n constructor(\n message: string,\n public readonly code: string,\n public readonly statusCode?: number\n ) {\n super(message);\n this.name = 'OvixaAuthError';\n }\n}\n\ninterface InternalConfig {\n authUrl: string;\n realmId: string;\n clientSecret?: string;\n jwksCacheTtl: number;\n}\n\n/** Default JWKS cache TTL: 1 hour */\nconst DEFAULT_JWKS_CACHE_TTL = 60 * 60 * 1000;\n\n/**\n * Custom fetch function that adds cache headers for JWKS requests.\n * Used to implement client-side caching behavior.\n */\ntype JWKSFetcher = ReturnType<typeof createRemoteJWKSet>;\n\ninterface JWKSCache {\n fetcher: JWKSFetcher;\n createdAt: number;\n}\n\n/**\n * OvixaAuth client for authenticating with the Ovixa Auth service.\n *\n * @example\n * ```typescript\n * const auth = new OvixaAuth({\n * authUrl: 'https://auth.ovixa.io',\n * realmId: 'your-realm-id',\n * clientSecret: 'your-client-secret', // Optional, for server-side use\n * });\n *\n * // Verify a token\n * const result = await auth.verifyToken(accessToken);\n * console.log(result.payload.email);\n *\n * // Refresh tokens\n * const tokens = await auth.refreshToken(refreshToken);\n * ```\n */\nexport class OvixaAuth {\n private config: InternalConfig;\n private jwksCache: JWKSCache | null = null;\n\n constructor(config: AuthClientConfig) {\n // Normalize authUrl by removing trailing slash\n const authUrl = config.authUrl.replace(/\\/$/, '');\n\n this.config = {\n authUrl,\n realmId: config.realmId,\n clientSecret: config.clientSecret,\n jwksCacheTtl: config.jwksCacheTtl ?? DEFAULT_JWKS_CACHE_TTL,\n };\n }\n\n /** Get the configured auth URL */\n get authUrl(): string {\n return this.config.authUrl;\n }\n\n /** Get the configured realm ID */\n get realmId(): string {\n return this.config.realmId;\n }\n\n /**\n * Get the JWKS URL for the auth service.\n */\n get jwksUrl(): string {\n return `${this.config.authUrl}/.well-known/jwks.json`;\n }\n\n /**\n * Get the JWKS fetcher, creating a new one if necessary.\n * The fetcher is cached based on the configured TTL.\n */\n private getJwksFetcher(): JWKSFetcher {\n const now = Date.now();\n\n // Return cached fetcher if still valid\n if (this.jwksCache && now - this.jwksCache.createdAt < this.config.jwksCacheTtl) {\n return this.jwksCache.fetcher;\n }\n\n // Create new JWKS fetcher\n const jwksUrl = new URL(this.jwksUrl);\n const fetcher = createRemoteJWKSet(jwksUrl, {\n // jose library has its own internal caching, but we add our own TTL layer\n // to control when to refresh the JWKS set\n cacheMaxAge: this.config.jwksCacheTtl,\n });\n\n this.jwksCache = {\n fetcher,\n createdAt: now,\n };\n\n return fetcher;\n }\n\n /**\n * Verify an access token and return the decoded payload.\n *\n * This method fetches the public key from the JWKS endpoint (with caching)\n * and verifies the token's signature and claims.\n *\n * @param token - The access token (JWT) to verify\n * @returns The verified token payload and header\n * @throws {OvixaAuthError} If verification fails\n *\n * @example\n * ```typescript\n * try {\n * const result = await auth.verifyToken(accessToken);\n * console.log('User ID:', result.payload.sub);\n * console.log('Email:', result.payload.email);\n * } catch (error) {\n * if (error instanceof OvixaAuthError) {\n * console.error('Token verification failed:', error.code);\n * }\n * }\n * ```\n */\n async verifyToken(token: string): Promise<VerifyResult> {\n try {\n const jwks = this.getJwksFetcher();\n\n const result: JWTVerifyResult<AccessTokenPayload> = await jwtVerify(token, jwks, {\n algorithms: ['RS256'],\n issuer: this.config.authUrl,\n // Audience is the realm for this application\n audience: this.config.realmId,\n });\n\n // Validate required claims\n const payload = result.payload;\n if (!payload.sub || !payload.email || payload.email_verified === undefined) {\n throw new OvixaAuthError('Token is missing required claims', 'INVALID_CLAIMS');\n }\n\n return {\n payload: payload as AccessTokenPayload,\n protectedHeader: result.protectedHeader,\n };\n } catch (error) {\n if (error instanceof OvixaAuthError) {\n throw error;\n }\n\n // Handle jose library errors\n if (error instanceof Error) {\n const message = error.message;\n\n if (message.includes('expired')) {\n throw new OvixaAuthError('Token has expired', 'TOKEN_EXPIRED');\n }\n if (message.includes('signature')) {\n throw new OvixaAuthError('Invalid token signature', 'INVALID_SIGNATURE');\n }\n if (message.includes('issuer')) {\n throw new OvixaAuthError('Invalid token issuer', 'INVALID_ISSUER');\n }\n if (message.includes('audience')) {\n throw new OvixaAuthError('Invalid token audience', 'INVALID_AUDIENCE');\n }\n if (message.includes('malformed')) {\n throw new OvixaAuthError('Malformed token', 'MALFORMED_TOKEN');\n }\n\n throw new OvixaAuthError(`Token verification failed: ${message}`, 'VERIFICATION_FAILED');\n }\n\n throw new OvixaAuthError('Token verification failed', 'VERIFICATION_FAILED');\n }\n }\n\n /**\n * Refresh an access token using a refresh token.\n *\n * This method exchanges a valid refresh token for a new access token\n * and a new refresh token (token rotation).\n *\n * @param refreshToken - The refresh token to exchange\n * @returns New token response with access and refresh tokens\n * @throws {OvixaAuthError} If the refresh fails\n *\n * @example\n * ```typescript\n * try {\n * const tokens = await auth.refreshToken(currentRefreshToken);\n * // Store the new tokens\n * saveTokens(tokens.access_token, tokens.refresh_token);\n * } catch (error) {\n * if (error instanceof OvixaAuthError) {\n * // Refresh token is invalid or expired - user must re-authenticate\n * redirectToLogin();\n * }\n * }\n * ```\n */\n async refreshToken(refreshToken: string): Promise<TokenResponse> {\n const url = `${this.config.authUrl}/token/refresh`;\n\n try {\n const response = await fetch(url, {\n method: 'POST',\n headers: {\n 'Content-Type': 'application/json',\n },\n body: JSON.stringify({\n refresh_token: refreshToken,\n }),\n });\n\n if (!response.ok) {\n const errorBody = await response.json().catch(() => ({}));\n const errorMessage = (errorBody as { error?: string }).error || 'Token refresh failed';\n const errorCode = this.mapHttpStatusToErrorCode(response.status);\n\n throw new OvixaAuthError(errorMessage, errorCode, response.status);\n }\n\n const data = (await response.json()) as TokenResponse;\n return data;\n } catch (error) {\n if (error instanceof OvixaAuthError) {\n throw error;\n }\n\n if (error instanceof Error) {\n throw new OvixaAuthError(`Network error: ${error.message}`, 'NETWORK_ERROR');\n }\n\n throw new OvixaAuthError('Token refresh failed', 'REFRESH_FAILED');\n }\n }\n\n /**\n * Invalidate the cached JWKS fetcher.\n * Call this if you need to force a refresh of the public keys.\n */\n clearJwksCache(): void {\n this.jwksCache = null;\n }\n\n /**\n * Create a new user account.\n *\n * After signup, a verification email is sent. The user must verify their\n * email before they can log in.\n *\n * @param options - Signup options\n * @returns Signup response indicating success\n * @throws {OvixaAuthError} If signup fails\n *\n * @example\n * ```typescript\n * try {\n * await auth.signup({\n * email: 'user@example.com',\n * password: 'SecurePassword123!',\n * redirectUri: 'https://myapp.com/verify-callback',\n * });\n * console.log('Verification email sent!');\n * } catch (error) {\n * if (error instanceof OvixaAuthError) {\n * if (error.code === 'EMAIL_ALREADY_EXISTS') {\n * console.error('Email is already registered');\n * }\n * }\n * }\n * ```\n */\n async signup(options: SignupOptions): Promise<SignupResponse> {\n const url = `${this.config.authUrl}/signup`;\n\n const body: Record<string, string> = {\n email: options.email,\n password: options.password,\n realm_id: this.config.realmId,\n };\n\n if (options.redirectUri) {\n body.redirect_uri = options.redirectUri;\n }\n\n return this.makeRequest<SignupResponse>(url, body);\n }\n\n /**\n * Authenticate a user with email and password.\n *\n * @param options - Login options\n * @returns Token response with access and refresh tokens\n * @throws {OvixaAuthError} If login fails\n *\n * @example\n * ```typescript\n * try {\n * const tokens = await auth.login({\n * email: 'user@example.com',\n * password: 'SecurePassword123!',\n * });\n * console.log('Logged in!', tokens.access_token);\n * } catch (error) {\n * if (error instanceof OvixaAuthError) {\n * if (error.code === 'EMAIL_NOT_VERIFIED') {\n * console.error('Please verify your email first');\n * } else if (error.code === 'INVALID_CREDENTIALS') {\n * console.error('Invalid email or password');\n * }\n * }\n * }\n * ```\n */\n async login(options: LoginOptions): Promise<TokenResponse> {\n const url = `${this.config.authUrl}/login`;\n\n const body = {\n email: options.email,\n password: options.password,\n realm_id: this.config.realmId,\n };\n\n return this.makeRequest<TokenResponse>(url, body);\n }\n\n /**\n * Verify an email address using a verification token.\n *\n * This is the API flow that returns tokens. For browser redirect flow,\n * use `GET /verify` directly.\n *\n * @param options - Verification options\n * @returns Token response with access and refresh tokens\n * @throws {OvixaAuthError} If verification fails\n *\n * @example\n * ```typescript\n * // Get token from URL query params after clicking email link\n * const token = new URLSearchParams(window.location.search).get('token');\n *\n * try {\n * const tokens = await auth.verifyEmail({ token });\n * console.log('Email verified! Logged in.');\n * } catch (error) {\n * if (error instanceof OvixaAuthError && error.code === 'INVALID_TOKEN') {\n * console.error('Invalid or expired verification link');\n * }\n * }\n * ```\n */\n async verifyEmail(options: VerifyEmailOptions): Promise<TokenResponse> {\n const url = `${this.config.authUrl}/verify`;\n\n const body = {\n token: options.token,\n realm_id: this.config.realmId,\n type: 'email_verification',\n };\n\n return this.makeRequest<TokenResponse>(url, body);\n }\n\n /**\n * Resend a verification email for an unverified account.\n *\n * @param options - Resend options\n * @returns Success response\n * @throws {OvixaAuthError} If request fails\n *\n * @example\n * ```typescript\n * await auth.resendVerification({\n * email: 'user@example.com',\n * redirectUri: 'https://myapp.com/verify-callback',\n * });\n * console.log('Verification email sent!');\n * ```\n */\n async resendVerification(options: ResendVerificationOptions): Promise<SuccessResponse> {\n const url = `${this.config.authUrl}/verify/resend`;\n\n const body: Record<string, string> = {\n email: options.email,\n realm_id: this.config.realmId,\n };\n\n if (options.redirectUri) {\n body.redirect_uri = options.redirectUri;\n }\n\n return this.makeRequest<SuccessResponse>(url, body);\n }\n\n /**\n * Request a password reset email.\n *\n * Note: This endpoint always returns success to prevent email enumeration.\n *\n * @param options - Forgot password options\n * @returns Success response\n * @throws {OvixaAuthError} If request fails\n *\n * @example\n * ```typescript\n * await auth.forgotPassword({\n * email: 'user@example.com',\n * redirectUri: 'https://myapp.com/reset-password',\n * });\n * console.log('If the email exists, a reset link has been sent.');\n * ```\n */\n async forgotPassword(options: ForgotPasswordOptions): Promise<SuccessResponse> {\n const url = `${this.config.authUrl}/forgot-password`;\n\n const body: Record<string, string> = {\n email: options.email,\n realm_id: this.config.realmId,\n };\n\n if (options.redirectUri) {\n body.redirect_uri = options.redirectUri;\n }\n\n return this.makeRequest<SuccessResponse>(url, body);\n }\n\n /**\n * Reset password using a reset token.\n *\n * @param options - Reset password options\n * @returns Success response\n * @throws {OvixaAuthError} If reset fails\n *\n * @example\n * ```typescript\n * // Get token from URL query params\n * const token = new URLSearchParams(window.location.search).get('token');\n *\n * try {\n * await auth.resetPassword({\n * token,\n * password: 'NewSecurePassword123!',\n * });\n * console.log('Password reset successfully!');\n * } catch (error) {\n * if (error instanceof OvixaAuthError) {\n * if (error.code === 'INVALID_TOKEN') {\n * console.error('Invalid or expired reset link');\n * } else if (error.code === 'WEAK_PASSWORD') {\n * console.error('Password does not meet requirements');\n * }\n * }\n * }\n * ```\n */\n async resetPassword(options: ResetPasswordOptions): Promise<SuccessResponse> {\n const url = `${this.config.authUrl}/reset-password`;\n\n const body = {\n token: options.token,\n password: options.password,\n realm_id: this.config.realmId,\n };\n\n return this.makeRequest<SuccessResponse>(url, body);\n }\n\n /**\n * Revoke a refresh token (logout).\n *\n * @param refreshToken - The refresh token to revoke\n * @returns Success response\n * @throws {OvixaAuthError} If logout fails\n *\n * @example\n * ```typescript\n * await auth.logout(currentRefreshToken);\n * // Clear local token storage\n * localStorage.removeItem('refresh_token');\n * localStorage.removeItem('access_token');\n * ```\n */\n async logout(refreshToken: string): Promise<SuccessResponse> {\n const url = `${this.config.authUrl}/logout`;\n\n const body = {\n refresh_token: refreshToken,\n };\n\n return this.makeRequest<SuccessResponse>(url, body);\n }\n\n /**\n * Generate an OAuth authorization URL.\n *\n * Redirect the user to this URL to start the OAuth flow. After authentication,\n * the user will be redirected back to your `redirectUri` with an authorization code.\n * Use `exchangeOAuthCode()` to exchange the code for tokens.\n *\n * @param options - OAuth URL options\n * @returns The full OAuth authorization URL\n *\n * @example\n * ```typescript\n * const googleAuthUrl = auth.getOAuthUrl({\n * provider: 'google',\n * redirectUri: 'https://myapp.com/auth/callback',\n * });\n *\n * // Redirect user to start OAuth flow\n * window.location.href = googleAuthUrl;\n *\n * // In your callback handler:\n * // const code = new URLSearchParams(window.location.search).get('code');\n * // const tokens = await auth.exchangeOAuthCode(code);\n * ```\n */\n getOAuthUrl(options: GetOAuthUrlOptions): string {\n const url = new URL(`${this.config.authUrl}/oauth/${options.provider}`);\n url.searchParams.set('realm_id', this.config.realmId);\n url.searchParams.set('redirect_uri', options.redirectUri);\n return url.toString();\n }\n\n /**\n * Exchange an OAuth authorization code for tokens.\n *\n * After the OAuth flow completes, the user is redirected back to your app with\n * an authorization code in the URL query params. Use this method to exchange\n * that code for access and refresh tokens.\n *\n * Note: Authorization codes expire after 60 seconds.\n *\n * @param code - The authorization code from the OAuth callback URL\n * @returns Token response with access and refresh tokens\n * @throws {OvixaAuthError} If the exchange fails\n *\n * @example\n * ```typescript\n * // In your OAuth callback handler\n * const code = new URLSearchParams(window.location.search).get('code');\n *\n * if (code) {\n * try {\n * const tokens = await auth.exchangeOAuthCode(code);\n * console.log('OAuth successful!', tokens.access_token);\n *\n * // Check if this is a new user (first-time OAuth login)\n * if (tokens.is_new_user) {\n * // Show onboarding flow\n * }\n * } catch (error) {\n * if (error instanceof OvixaAuthError) {\n * if (error.code === 'INVALID_CODE') {\n * console.error('Invalid or expired authorization code');\n * }\n * }\n * }\n * }\n * ```\n */\n async exchangeOAuthCode(code: string): Promise<TokenResponse> {\n const url = `${this.config.authUrl}/oauth/token`;\n\n const body = {\n code,\n realm_id: this.config.realmId,\n };\n\n return this.makeRequest<TokenResponse>(url, body);\n }\n\n /**\n * Transform a token response into an AuthResult with user and session data.\n *\n * This method decodes the access token to extract user information and\n * creates a structured result object.\n *\n * @param tokenResponse - The token response from login, verify, or refresh\n * @returns AuthResult with user and session data\n * @throws {OvixaAuthError} If the access token cannot be decoded\n *\n * @example\n * ```typescript\n * const tokens = await auth.login({ email, password });\n * const result = await auth.toAuthResult(tokens);\n *\n * console.log('User ID:', result.user.id);\n * console.log('Email:', result.user.email);\n * console.log('Expires at:', result.session.expiresAt);\n * ```\n */\n async toAuthResult(tokenResponse: TokenResponse): Promise<AuthResult> {\n // Verify and decode the access token\n const verified = await this.verifyToken(tokenResponse.access_token);\n\n const user: User = {\n id: verified.payload.sub,\n email: verified.payload.email,\n emailVerified: verified.payload.email_verified,\n };\n\n const session: Session = {\n accessToken: tokenResponse.access_token,\n refreshToken: tokenResponse.refresh_token,\n expiresAt: new Date(Date.now() + tokenResponse.expires_in * 1000),\n };\n\n const result: AuthResult = { user, session };\n\n if (tokenResponse.is_new_user !== undefined) {\n result.isNewUser = tokenResponse.is_new_user;\n }\n\n return result;\n }\n\n /**\n * Delete the current user's own account.\n *\n * This permanently deletes the user's account and all associated data.\n * Password re-authentication is required to prevent accidental deletion.\n *\n * @param options - Delete account options\n * @returns Success response\n * @throws {OvixaAuthError} If deletion fails\n *\n * @example\n * ```typescript\n * try {\n * await auth.deleteMyAccount({\n * accessToken: session.accessToken,\n * password: 'current-password',\n * });\n * console.log('Account deleted successfully');\n * // Clear local session storage\n * } catch (error) {\n * if (error instanceof OvixaAuthError) {\n * if (error.code === 'INVALID_CREDENTIALS') {\n * console.error('Incorrect password');\n * } else if (error.code === 'UNAUTHORIZED') {\n * console.error('Invalid or expired access token');\n * }\n * }\n * }\n * ```\n */\n async deleteMyAccount(options: DeleteMyAccountOptions): Promise<SuccessResponse> {\n const url = `${this.config.authUrl}/me`;\n\n try {\n const response = await fetch(url, {\n method: 'DELETE',\n headers: {\n 'Content-Type': 'application/json',\n Authorization: `Bearer ${options.accessToken}`,\n },\n body: JSON.stringify({\n password: options.password,\n }),\n });\n\n if (!response.ok) {\n const errorBody = await response.json().catch(() => ({}));\n const errorData = errorBody as { error?: { code?: string; message?: string } | string };\n\n let errorCode: string;\n let errorMessage: string;\n\n if (typeof errorData.error === 'object' && errorData.error) {\n errorCode = errorData.error.code || this.mapHttpStatusToErrorCode(response.status);\n errorMessage = errorData.error.message || 'Request failed';\n } else {\n errorCode = this.mapHttpStatusToErrorCode(response.status);\n errorMessage = typeof errorData.error === 'string' ? errorData.error : 'Request failed';\n }\n\n throw new OvixaAuthError(errorMessage, errorCode, response.status);\n }\n\n return (await response.json()) as SuccessResponse;\n } catch (error) {\n if (error instanceof OvixaAuthError) {\n throw error;\n }\n\n if (error instanceof Error) {\n throw new OvixaAuthError(`Network error: ${error.message}`, 'NETWORK_ERROR');\n }\n\n throw new OvixaAuthError('Request failed', 'REQUEST_FAILED');\n }\n }\n\n /**\n * Make an authenticated POST request to the auth service.\n */\n private async makeRequest<T>(url: string, body: Record<string, unknown>): Promise<T> {\n try {\n const response = await fetch(url, {\n method: 'POST',\n headers: {\n 'Content-Type': 'application/json',\n },\n body: JSON.stringify(body),\n });\n\n if (!response.ok) {\n const errorBody = await response.json().catch(() => ({}));\n const errorData = errorBody as { error?: { code?: string; message?: string } | string };\n\n let errorCode: string;\n let errorMessage: string;\n\n if (typeof errorData.error === 'object' && errorData.error) {\n errorCode = errorData.error.code || this.mapHttpStatusToErrorCode(response.status);\n errorMessage = errorData.error.message || 'Request failed';\n } else {\n errorCode = this.mapHttpStatusToErrorCode(response.status);\n errorMessage = typeof errorData.error === 'string' ? errorData.error : 'Request failed';\n }\n\n throw new OvixaAuthError(errorMessage, errorCode, response.status);\n }\n\n return (await response.json()) as T;\n } catch (error) {\n if (error instanceof OvixaAuthError) {\n throw error;\n }\n\n if (error instanceof Error) {\n throw new OvixaAuthError(`Network error: ${error.message}`, 'NETWORK_ERROR');\n }\n\n throw new OvixaAuthError('Request failed', 'REQUEST_FAILED');\n }\n }\n\n /**\n * Map HTTP status codes to error codes.\n */\n private mapHttpStatusToErrorCode(status: number): string {\n switch (status) {\n case 400:\n return 'BAD_REQUEST';\n case 401:\n return 'UNAUTHORIZED';\n case 403:\n return 'FORBIDDEN';\n case 404:\n return 'NOT_FOUND';\n case 429:\n return 'RATE_LIMITED';\n case 500:\n case 502:\n case 503:\n return 'SERVER_ERROR';\n default:\n return 'UNKNOWN_ERROR';\n }\n }\n\n /**\n * Get the admin API interface for realm-scoped operations.\n *\n * Admin operations require clientSecret to be configured.\n * These operations allow managing users within the realm boundary.\n *\n * @returns OvixaAuthAdmin interface for admin operations\n * @throws {OvixaAuthError} If clientSecret is not configured\n *\n * @example\n * ```typescript\n * const auth = new OvixaAuth({\n * authUrl: 'https://auth.ovixa.io',\n * realmId: 'your-realm',\n * clientSecret: process.env.OVIXA_CLIENT_SECRET,\n * });\n *\n * // Delete a user from the realm\n * await auth.admin.deleteUser({ userId: 'user-id-to-delete' });\n * ```\n */\n get admin(): OvixaAuthAdmin {\n if (!this.config.clientSecret) {\n throw new OvixaAuthError(\n 'clientSecret is required for admin operations',\n 'CLIENT_SECRET_REQUIRED'\n );\n }\n return new OvixaAuthAdmin(this.config);\n }\n\n /**\n * Get the WebAuthn API interface for passkey operations.\n *\n * The WebAuthn namespace provides methods for registering and authenticating\n * with passkeys, as well as managing existing passkeys.\n *\n * @returns OvixaAuthWebAuthn interface for passkey operations\n *\n * @example\n * ```typescript\n * const auth = new OvixaAuth({\n * authUrl: 'https://auth.ovixa.io',\n * realmId: 'your-realm',\n * });\n *\n * // Register a passkey\n * const options = await auth.webauthn.getRegistrationOptions({ accessToken });\n *\n * // Authenticate with passkey\n * const authOptions = await auth.webauthn.getAuthenticationOptions();\n *\n * // List passkeys\n * const { passkeys } = await auth.webauthn.listPasskeys({ accessToken });\n *\n * // Delete a passkey\n * await auth.webauthn.deletePasskey({ accessToken, credentialId });\n * ```\n */\n get webauthn(): OvixaAuthWebAuthn {\n return new OvixaAuthWebAuthn(this.config);\n }\n}\n\n/**\n * Admin API interface for realm-scoped operations.\n *\n * This class provides methods for managing users within the realm boundary.\n * All operations are authenticated using the realm's client_secret.\n *\n * @example\n * ```typescript\n * // Access via OvixaAuth.admin\n * await auth.admin.deleteUser({ userId: 'user-id' });\n * ```\n */\nclass OvixaAuthAdmin {\n private config: InternalConfig;\n\n constructor(config: InternalConfig) {\n this.config = config;\n }\n\n /**\n * Delete a user from the realm.\n *\n * This permanently deletes the user and all associated data (tokens, OAuth accounts).\n * The user must belong to this realm.\n *\n * @param options - Delete user options\n * @returns Success response\n * @throws {OvixaAuthError} If deletion fails\n *\n * @example\n * ```typescript\n * try {\n * await auth.admin.deleteUser({ userId: 'user-id-to-delete' });\n * console.log('User deleted successfully');\n * } catch (error) {\n * if (error instanceof OvixaAuthError) {\n * if (error.code === 'NOT_FOUND') {\n * console.error('User not found');\n * } else if (error.code === 'FORBIDDEN') {\n * console.error('User does not belong to this realm');\n * }\n * }\n * }\n * ```\n */\n async deleteUser(options: DeleteUserOptions): Promise<SuccessResponse> {\n const url = `${this.config.authUrl}/realms/${this.config.realmId}/users/${options.userId}`;\n\n try {\n const response = await fetch(url, {\n method: 'DELETE',\n headers: {\n Authorization: `RealmSecret ${this.config.clientSecret}`,\n },\n });\n\n if (!response.ok) {\n const errorBody = await response.json().catch(() => ({}));\n const errorData = errorBody as { error?: { code?: string; message?: string } | string };\n\n let errorCode: string;\n let errorMessage: string;\n\n if (typeof errorData.error === 'object' && errorData.error) {\n errorCode = errorData.error.code || this.mapHttpStatusToErrorCode(response.status);\n errorMessage = errorData.error.message || 'Request failed';\n } else {\n errorCode = this.mapHttpStatusToErrorCode(response.status);\n errorMessage = typeof errorData.error === 'string' ? errorData.error : 'Request failed';\n }\n\n throw new OvixaAuthError(errorMessage, errorCode, response.status);\n }\n\n return (await response.json()) as SuccessResponse;\n } catch (error) {\n if (error instanceof OvixaAuthError) {\n throw error;\n }\n\n if (error instanceof Error) {\n throw new OvixaAuthError(`Network error: ${error.message}`, 'NETWORK_ERROR');\n }\n\n throw new OvixaAuthError('Request failed', 'REQUEST_FAILED');\n }\n }\n\n /**\n * Map HTTP status codes to error codes.\n */\n private mapHttpStatusToErrorCode(status: number): string {\n switch (status) {\n case 400:\n return 'BAD_REQUEST';\n case 401:\n return 'UNAUTHORIZED';\n case 403:\n return 'FORBIDDEN';\n case 404:\n return 'NOT_FOUND';\n case 429:\n return 'RATE_LIMITED';\n case 500:\n case 502:\n case 503:\n return 'SERVER_ERROR';\n default:\n return 'UNKNOWN_ERROR';\n }\n }\n}\n\n/**\n * WebAuthn namespace API for passkey operations.\n *\n * Access via `auth.webauthn` property.\n *\n * @example\n * ```typescript\n * // Register a new passkey\n * const options = await auth.webauthn.getRegistrationOptions({ accessToken });\n * // ... use browser API to create credential ...\n * await auth.webauthn.verifyRegistration({ accessToken, registration, deviceName });\n *\n * // Authenticate with passkey\n * const authOptions = await auth.webauthn.getAuthenticationOptions();\n * // ... use browser API to get credential ...\n * const tokens = await auth.webauthn.authenticate({ authentication });\n *\n * // Manage passkeys\n * const { passkeys } = await auth.webauthn.listPasskeys({ accessToken });\n * await auth.webauthn.deletePasskey({ accessToken, credentialId: passkeys[0].credential_id });\n * ```\n */\nclass OvixaAuthWebAuthn {\n private config: InternalConfig;\n\n constructor(config: InternalConfig) {\n this.config = config;\n }\n\n /**\n * Get registration options for creating a new passkey.\n *\n * The user must be logged in to register a passkey. Use the returned options\n * with navigator.credentials.create() to create the credential.\n *\n * @param options - Registration options with access token\n * @returns Registration options to pass to navigator.credentials.create()\n * @throws {OvixaAuthError} If request fails\n */\n async getRegistrationOptions(\n options: GetPasskeyRegistrationOptionsOptions\n ): Promise<PasskeyRegistrationOptions> {\n const url = `${this.config.authUrl}/webauthn/register/options`;\n\n try {\n const response = await fetch(url, {\n method: 'POST',\n headers: {\n 'Content-Type': 'application/json',\n Authorization: `Bearer ${options.accessToken}`,\n },\n body: JSON.stringify({\n realm_id: this.config.realmId,\n }),\n });\n\n if (!response.ok) {\n await this.handleErrorResponse(response);\n }\n\n return (await response.json()) as PasskeyRegistrationOptions;\n } catch (error) {\n if (error instanceof OvixaAuthError) {\n throw error;\n }\n if (error instanceof Error) {\n throw new OvixaAuthError(`Network error: ${error.message}`, 'NETWORK_ERROR');\n }\n throw new OvixaAuthError('Request failed', 'REQUEST_FAILED');\n }\n }\n\n /**\n * Verify a passkey registration and store the credential.\n *\n * Call this after navigator.credentials.create() succeeds to complete the\n * registration on the server.\n *\n * @param options - Verification options with registration response\n * @returns Registration response with credential ID\n * @throws {OvixaAuthError} If verification fails\n */\n async verifyRegistration(\n options: VerifyPasskeyRegistrationOptions\n ): Promise<PasskeyRegistrationResponse> {\n const url = `${this.config.authUrl}/webauthn/register/verify`;\n\n const body: Record<string, unknown> = {\n realm_id: this.config.realmId,\n registration: options.registration,\n };\n\n if (options.deviceName) {\n body.device_name = options.deviceName;\n }\n\n try {\n const response = await fetch(url, {\n method: 'POST',\n headers: {\n 'Content-Type': 'application/json',\n Authorization: `Bearer ${options.accessToken}`,\n },\n body: JSON.stringify(body),\n });\n\n if (!response.ok) {\n await this.handleErrorResponse(response);\n }\n\n return (await response.json()) as PasskeyRegistrationResponse;\n } catch (error) {\n if (error instanceof OvixaAuthError) {\n throw error;\n }\n if (error instanceof Error) {\n throw new OvixaAuthError(`Network error: ${error.message}`, 'NETWORK_ERROR');\n }\n throw new OvixaAuthError('Request failed', 'REQUEST_FAILED');\n }\n }\n\n /**\n * Get authentication options for signing in with a passkey.\n *\n * Use the returned options with navigator.credentials.get() to authenticate.\n *\n * @param options - Optional email for allowCredentials hint\n * @returns Authentication options to pass to navigator.credentials.get()\n * @throws {OvixaAuthError} If request fails\n */\n async getAuthenticationOptions(\n options?: GetPasskeyAuthenticationOptionsOptions\n ): Promise<PasskeyAuthenticationOptions> {\n const url = `${this.config.authUrl}/webauthn/authenticate/options`;\n\n const body: Record<string, string> = {\n realm_id: this.config.realmId,\n };\n\n if (options?.email) {\n body.email = options.email;\n }\n\n try {\n const response = await fetch(url, {\n method: 'POST',\n headers: {\n 'Content-Type': 'application/json',\n },\n body: JSON.stringify(body),\n });\n\n if (!response.ok) {\n await this.handleErrorResponse(response);\n }\n\n return (await response.json()) as PasskeyAuthenticationOptions;\n } catch (error) {\n if (error instanceof OvixaAuthError) {\n throw error;\n }\n if (error instanceof Error) {\n throw new OvixaAuthError(`Network error: ${error.message}`, 'NETWORK_ERROR');\n }\n throw new OvixaAuthError('Request failed', 'REQUEST_FAILED');\n }\n }\n\n /**\n * Verify a passkey authentication and get tokens.\n *\n * Call this after navigator.credentials.get() succeeds to complete the\n * authentication and receive access/refresh tokens.\n *\n * @param options - Verification options with authentication response\n * @returns Token response with access and refresh tokens\n * @throws {OvixaAuthError} If verification fails\n */\n async authenticate(options: VerifyPasskeyAuthenticationOptions): Promise<TokenResponse> {\n const url = `${this.config.authUrl}/webauthn/authenticate/verify`;\n\n const body = {\n realm_id: this.config.realmId,\n authentication: options.authentication,\n };\n\n try {\n const response = await fetch(url, {\n method: 'POST',\n headers: {\n 'Content-Type': 'application/json',\n },\n body: JSON.stringify(body),\n });\n\n if (!response.ok) {\n await this.handleErrorResponse(response);\n }\n\n return (await response.json()) as TokenResponse;\n } catch (error) {\n if (error instanceof OvixaAuthError) {\n throw error;\n }\n if (error instanceof Error) {\n throw new OvixaAuthError(`Network error: ${error.message}`, 'NETWORK_ERROR');\n }\n throw new OvixaAuthError('Request failed', 'REQUEST_FAILED');\n }\n }\n\n /**\n * List all passkeys for the authenticated user.\n *\n * @param options - Options with access token\n * @returns List of passkeys\n * @throws {OvixaAuthError} If request fails\n *\n * @example\n * ```typescript\n * const { passkeys } = await auth.webauthn.listPasskeys({ accessToken });\n * for (const passkey of passkeys) {\n * console.log(passkey.device_name, passkey.created_at);\n * }\n * ```\n */\n async listPasskeys(options: ListPasskeysOptions): Promise<ListPasskeysResponse> {\n const url = `${this.config.authUrl}/webauthn/passkeys`;\n\n try {\n const response = await fetch(url, {\n method: 'POST',\n headers: {\n 'Content-Type': 'application/json',\n Authorization: `Bearer ${options.accessToken}`,\n },\n body: JSON.stringify({\n realm_id: this.config.realmId,\n }),\n });\n\n if (!response.ok) {\n await this.handleErrorResponse(response);\n }\n\n return (await response.json()) as ListPasskeysResponse;\n } catch (error) {\n if (error instanceof OvixaAuthError) {\n throw error;\n }\n if (error instanceof Error) {\n throw new OvixaAuthError(`Network error: ${error.message}`, 'NETWORK_ERROR');\n }\n throw new OvixaAuthError('Request failed', 'REQUEST_FAILED');\n }\n }\n\n /**\n * Delete a passkey for the authenticated user.\n *\n * @param options - Options with access token and credential ID\n * @returns Success response\n * @throws {OvixaAuthError} If deletion fails\n *\n * @example\n * ```typescript\n * await auth.webauthn.deletePasskey({\n * accessToken,\n * credentialId: 'credential-id-to-delete',\n * });\n * ```\n */\n async deletePasskey(options: DeletePasskeyOptions): Promise<{ success: boolean }> {\n const url = `${this.config.authUrl}/webauthn/passkeys/${encodeURIComponent(options.credentialId)}`;\n\n try {\n const response = await fetch(url, {\n method: 'DELETE',\n headers: {\n 'Content-Type': 'application/json',\n Authorization: `Bearer ${options.accessToken}`,\n },\n body: JSON.stringify({\n realm_id: this.config.realmId,\n }),\n });\n\n if (!response.ok) {\n await this.handleErrorResponse(response);\n }\n\n return (await response.json()) as { success: boolean };\n } catch (error) {\n if (error instanceof OvixaAuthError) {\n throw error;\n }\n if (error instanceof Error) {\n throw new OvixaAuthError(`Network error: ${error.message}`, 'NETWORK_ERROR');\n }\n throw new OvixaAuthError('Request failed', 'REQUEST_FAILED');\n }\n }\n\n /**\n * Handle error response from the server.\n * @throws {OvixaAuthError} Always throws with appropriate error details\n */\n private async handleErrorResponse(response: Response): Promise<never> {\n const errorBody = await response.json().catch(() => ({}));\n const errorData = errorBody as { error?: { code?: string; message?: string } | string };\n\n let errorCode: string;\n let errorMessage: string;\n\n if (typeof errorData.error === 'object' && errorData.error) {\n errorCode = errorData.error.code || this.mapHttpStatusToErrorCode(response.status);\n errorMessage = errorData.error.message || 'Request failed';\n } else {\n errorCode = this.mapHttpStatusToErrorCode(response.status);\n errorMessage = typeof errorData.error === 'string' ? errorData.error : 'Request failed';\n }\n\n throw new OvixaAuthError(errorMessage, errorCode, response.status);\n }\n\n /**\n * Map HTTP status codes to error codes.\n */\n private mapHttpStatusToErrorCode(status: number): string {\n switch (status) {\n case 400:\n return 'BAD_REQUEST';\n case 401:\n return 'UNAUTHORIZED';\n case 403:\n return 'FORBIDDEN';\n case 404:\n return 'NOT_FOUND';\n case 429:\n return 'RATE_LIMITED';\n case 500:\n case 502:\n case 503:\n return 'SERVER_ERROR';\n default:\n return 'UNKNOWN_ERROR';\n }\n }\n}\n\n// ============================================================\n// WebAuthn Browser Utilities\n// ============================================================\n\n/**\n * Convert an ArrayBuffer to a base64url-encoded string.\n * Used to encode credential IDs and other binary data for API calls.\n *\n * @param buffer - The ArrayBuffer to encode\n * @returns Base64url-encoded string\n *\n * @example\n * ```typescript\n * const encoded = arrayBufferToBase64Url(credential.rawId);\n * ```\n */\nexport function arrayBufferToBase64Url(buffer: ArrayBuffer): string {\n const bytes = new Uint8Array(buffer);\n let binary = '';\n for (const byte of bytes) {\n binary += String.fromCharCode(byte);\n }\n return btoa(binary).replace(/\\+/g, '-').replace(/\\//g, '_').replace(/=+$/, '');\n}\n\n/**\n * Convert a base64url-encoded string to an ArrayBuffer.\n * Used to decode challenge and credential IDs from API responses.\n *\n * @param base64url - The base64url-encoded string\n * @returns ArrayBuffer\n *\n * @example\n * ```typescript\n * const challenge = base64UrlToArrayBuffer(options.challenge);\n * ```\n */\nexport function base64UrlToArrayBuffer(base64url: string): ArrayBuffer {\n // Convert base64url to base64\n const base64 = base64url.replace(/-/g, '+').replace(/_/g, '/');\n // Add padding if needed\n const padded = base64 + '='.repeat((4 - (base64.length % 4)) % 4);\n // Decode\n const binary = atob(padded);\n const bytes = new Uint8Array(binary.length);\n for (let i = 0; i < binary.length; i++) {\n bytes[i] = binary.charCodeAt(i);\n }\n return bytes.buffer;\n}\n\n/**\n * Prepare registration options for navigator.credentials.create().\n * Converts server response to the format expected by the browser API.\n *\n * @param options - Registration options from getPasskeyRegistrationOptions()\n * @returns PublicKeyCredentialCreationOptions for navigator.credentials.create()\n *\n * @example\n * ```typescript\n * const serverOptions = await auth.getPasskeyRegistrationOptions({ accessToken });\n * const browserOptions = prepareRegistrationOptions(serverOptions);\n * const credential = await navigator.credentials.create({ publicKey: browserOptions });\n * ```\n */\nexport function prepareRegistrationOptions(\n options: PasskeyRegistrationOptions\n): PublicKeyCredentialCreationOptions {\n return {\n challenge: base64UrlToArrayBuffer(options.challenge),\n rp: options.rp,\n user: {\n id: new TextEncoder().encode(options.user.id),\n name: options.user.name,\n displayName: options.user.displayName,\n },\n pubKeyCredParams: options.pubKeyCredParams,\n excludeCredentials: options.excludeCredentials.map((cred) => ({\n id: base64UrlToArrayBuffer(cred.id),\n type: cred.type,\n transports: cred.transports as AuthenticatorTransport[] | undefined,\n })),\n authenticatorSelection: options.authenticatorSelection,\n timeout: options.timeout,\n attestation: options.attestation,\n };\n}\n\n/**\n * Prepare authentication options for navigator.credentials.get().\n * Converts server response to the format expected by the browser API.\n *\n * @param options - Authentication options from getPasskeyAuthenticationOptions()\n * @returns PublicKeyCredentialRequestOptions for navigator.credentials.get()\n *\n * @example\n * ```typescript\n * const serverOptions = await auth.getPasskeyAuthenticationOptions();\n * const browserOptions = prepareAuthenticationOptions(serverOptions);\n * const credential = await navigator.credentials.get({ publicKey: browserOptions });\n * ```\n */\nexport function prepareAuthenticationOptions(\n options: PasskeyAuthenticationOptions\n): PublicKeyCredentialRequestOptions {\n return {\n challenge: base64UrlToArrayBuffer(options.challenge),\n rpId: options.rpId,\n allowCredentials: options.allowCredentials.map((cred) => ({\n id: base64UrlToArrayBuffer(cred.id),\n type: cred.type,\n transports: cred.transports as AuthenticatorTransport[] | undefined,\n })),\n userVerification: options.userVerification,\n timeout: options.timeout,\n };\n}\n\n/**\n * Format a registration credential response for the server.\n * Converts browser API response to the format expected by verifyPasskeyRegistration().\n *\n * @param credential - The credential from navigator.credentials.create()\n * @returns Formatted registration object for verifyPasskeyRegistration()\n *\n * @example\n * ```typescript\n * const credential = await navigator.credentials.create({ publicKey: options });\n * const registration = formatRegistrationResponse(credential as PublicKeyCredential);\n * await auth.verifyPasskeyRegistration({ accessToken, registration });\n * ```\n */\nexport function formatRegistrationResponse(credential: PublicKeyCredential): {\n id: string;\n rawId: string;\n type: 'public-key';\n response: {\n clientDataJSON: string;\n attestationObject: string;\n transports?: string[];\n };\n authenticatorAttachment?: 'platform' | 'cross-platform';\n} {\n const response = credential.response as AuthenticatorAttestationResponse;\n\n return {\n id: credential.id,\n rawId: arrayBufferToBase64Url(credential.rawId),\n type: 'public-key',\n response: {\n clientDataJSON: arrayBufferToBase64Url(response.clientDataJSON),\n attestationObject: arrayBufferToBase64Url(response.attestationObject),\n transports: response.getTransports?.() as string[] | undefined,\n },\n authenticatorAttachment: credential.authenticatorAttachment as\n | 'platform'\n | 'cross-platform'\n | undefined,\n };\n}\n\n/**\n * Format an authentication credential response for the server.\n * Converts browser API response to the format expected by verifyPasskeyAuthentication().\n *\n * @param credential - The credential from navigator.credentials.get()\n * @returns Formatted authentication object for verifyPasskeyAuthentication()\n *\n * @example\n * ```typescript\n * const credential = await navigator.credentials.get({ publicKey: options });\n * const authentication = formatAuthenticationResponse(credential as PublicKeyCredential);\n * const tokens = await auth.verifyPasskeyAuthentication({ authentication });\n * ```\n */\nexport function formatAuthenticationResponse(credential: PublicKeyCredential): {\n id: string;\n rawId: string;\n type: 'public-key';\n response: {\n clientDataJSON: string;\n authenticatorData: string;\n signature: string;\n userHandle: string | null;\n };\n authenticatorAttachment?: 'platform' | 'cross-platform';\n} {\n const response = credential.response as AuthenticatorAssertionResponse;\n\n return {\n id: credential.id,\n rawId: arrayBufferToBase64Url(credential.rawId),\n type: 'public-key',\n response: {\n clientDataJSON: arrayBufferToBase64Url(response.clientDataJSON),\n authenticatorData: arrayBufferToBase64Url(response.authenticatorData),\n signature: arrayBufferToBase64Url(response.signature),\n userHandle: response.userHandle ? arrayBufferToBase64Url(response.userHandle) : null,\n },\n authenticatorAttachment: credential.authenticatorAttachment as\n | 'platform'\n | 'cross-platform'\n | undefined,\n };\n}\n"],"mappings":";AAOA;AAAA,EACE;AAAA,EACA;AAAA,OAIK;AAwWA,IAAM,iBAAN,cAA6B,MAAM;AAAA,EACxC,YACE,SACgB,MACA,YAChB;AACA,UAAM,OAAO;AAHG;AACA;AAGhB,SAAK,OAAO;AAAA,EACd;AACF;AAUA,IAAM,yBAAyB,KAAK,KAAK;AAgClC,IAAM,YAAN,MAAgB;AAAA,EACb;AAAA,EACA,YAA8B;AAAA,EAEtC,YAAY,QAA0B;AAEpC,UAAM,UAAU,OAAO,QAAQ,QAAQ,OAAO,EAAE;AAEhD,SAAK,SAAS;AAAA,MACZ;AAAA,MACA,SAAS,OAAO;AAAA,MAChB,cAAc,OAAO;AAAA,MACrB,cAAc,OAAO,gBAAgB;AAAA,IACvC;AAAA,EACF;AAAA;AAAA,EAGA,IAAI,UAAkB;AACpB,WAAO,KAAK,OAAO;AAAA,EACrB;AAAA;AAAA,EAGA,IAAI,UAAkB;AACpB,WAAO,KAAK,OAAO;AAAA,EACrB;AAAA;AAAA;AAAA;AAAA,EAKA,IAAI,UAAkB;AACpB,WAAO,GAAG,KAAK,OAAO,OAAO;AAAA,EAC/B;AAAA;AAAA;AAAA;AAAA;AAAA,EAMQ,iBAA8B;AACpC,UAAM,MAAM,KAAK,IAAI;AAGrB,QAAI,KAAK,aAAa,MAAM,KAAK,UAAU,YAAY,KAAK,OAAO,cAAc;AAC/E,aAAO,KAAK,UAAU;AAAA,IACxB;AAGA,UAAM,UAAU,IAAI,IAAI,KAAK,OAAO;AACpC,UAAM,UAAU,mBAAmB,SAAS;AAAA;AAAA;AAAA,MAG1C,aAAa,KAAK,OAAO;AAAA,IAC3B,CAAC;AAED,SAAK,YAAY;AAAA,MACf;AAAA,MACA,WAAW;AAAA,IACb;AAEA,WAAO;AAAA,EACT;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAyBA,MAAM,YAAY,OAAsC;AACtD,QAAI;AACF,YAAM,OAAO,KAAK,eAAe;AAEjC,YAAM,SAA8C,MAAM,UAAU,OAAO,MAAM;AAAA,QAC/E,YAAY,CAAC,OAAO;AAAA,QACpB,QAAQ,KAAK,OAAO;AAAA;AAAA,QAEpB,UAAU,KAAK,OAAO;AAAA,MACxB,CAAC;AAGD,YAAM,UAAU,OAAO;AACvB,UAAI,CAAC,QAAQ,OAAO,CAAC,QAAQ,SAAS,QAAQ,mBAAmB,QAAW;AAC1E,cAAM,IAAI,eAAe,oCAAoC,gBAAgB;AAAA,MAC/E;AAEA,aAAO;AAAA,QACL;AAAA,QACA,iBAAiB,OAAO;AAAA,MAC1B;AAAA,IACF,SAAS,OAAO;AACd,UAAI,iBAAiB,gBAAgB;AACnC,cAAM;AAAA,MACR;AAGA,UAAI,iBAAiB,OAAO;AAC1B,cAAM,UAAU,MAAM;AAEtB,YAAI,QAAQ,SAAS,SAAS,GAAG;AAC/B,gBAAM,IAAI,eAAe,qBAAqB,eAAe;AAAA,QAC/D;AACA,YAAI,QAAQ,SAAS,WAAW,GAAG;AACjC,gBAAM,IAAI,eAAe,2BAA2B,mBAAmB;AAAA,QACzE;AACA,YAAI,QAAQ,SAAS,QAAQ,GAAG;AAC9B,gBAAM,IAAI,eAAe,wBAAwB,gBAAgB;AAAA,QACnE;AACA,YAAI,QAAQ,SAAS,UAAU,GAAG;AAChC,gBAAM,IAAI,eAAe,0BAA0B,kBAAkB;AAAA,QACvE;AACA,YAAI,QAAQ,SAAS,WAAW,GAAG;AACjC,gBAAM,IAAI,eAAe,mBAAmB,iBAAiB;AAAA,QAC/D;AAEA,cAAM,IAAI,eAAe,8BAA8B,OAAO,IAAI,qBAAqB;AAAA,MACzF;AAEA,YAAM,IAAI,eAAe,6BAA6B,qBAAqB;AAAA,IAC7E;AAAA,EACF;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EA0BA,MAAM,aAAa,cAA8C;AAC/D,UAAM,MAAM,GAAG,KAAK,OAAO,OAAO;AAElC,QAAI;AACF,YAAM,WAAW,MAAM,MAAM,KAAK;AAAA,QAChC,QAAQ;AAAA,QACR,SAAS;AAAA,UACP,gBAAgB;AAAA,QAClB;AAAA,QACA,MAAM,KAAK,UAAU;AAAA,UACnB,eAAe;AAAA,QACjB,CAAC;AAAA,MACH,CAAC;AAED,UAAI,CAAC,SAAS,IAAI;AAChB,cAAM,YAAY,MAAM,SAAS,KAAK,EAAE,MAAM,OAAO,CAAC,EAAE;AACxD,cAAM,eAAgB,UAAiC,SAAS;AAChE,cAAM,YAAY,KAAK,yBAAyB,SAAS,MAAM;AAE/D,cAAM,IAAI,eAAe,cAAc,WAAW,SAAS,MAAM;AAAA,MACnE;AAEA,YAAM,OAAQ,MAAM,SAAS,KAAK;AAClC,aAAO;AAAA,IACT,SAAS,OAAO;AACd,UAAI,iBAAiB,gBAAgB;AACnC,cAAM;AAAA,MACR;AAEA,UAAI,iBAAiB,OAAO;AAC1B,cAAM,IAAI,eAAe,kBAAkB,MAAM,OAAO,IAAI,eAAe;AAAA,MAC7E;AAEA,YAAM,IAAI,eAAe,wBAAwB,gBAAgB;AAAA,IACnE;AAAA,EACF;AAAA;AAAA;AAAA;AAAA;AAAA,EAMA,iBAAuB;AACrB,SAAK,YAAY;AAAA,EACnB;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EA8BA,MAAM,OAAO,SAAiD;AAC5D,UAAM,MAAM,GAAG,KAAK,OAAO,OAAO;AAElC,UAAM,OAA+B;AAAA,MACnC,OAAO,QAAQ;AAAA,MACf,UAAU,QAAQ;AAAA,MAClB,UAAU,KAAK,OAAO;AAAA,IACxB;AAEA,QAAI,QAAQ,aAAa;AACvB,WAAK,eAAe,QAAQ;AAAA,IAC9B;AAEA,WAAO,KAAK,YAA4B,KAAK,IAAI;AAAA,EACnD;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EA4BA,MAAM,MAAM,SAA+C;AACzD,UAAM,MAAM,GAAG,KAAK,OAAO,OAAO;AAElC,UAAM,OAAO;AAAA,MACX,OAAO,QAAQ;AAAA,MACf,UAAU,QAAQ;AAAA,MAClB,UAAU,KAAK,OAAO;AAAA,IACxB;AAEA,WAAO,KAAK,YAA2B,KAAK,IAAI;AAAA,EAClD;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EA2BA,MAAM,YAAY,SAAqD;AACrE,UAAM,MAAM,GAAG,KAAK,OAAO,OAAO;AAElC,UAAM,OAAO;AAAA,MACX,OAAO,QAAQ;AAAA,MACf,UAAU,KAAK,OAAO;AAAA,MACtB,MAAM;AAAA,IACR;AAEA,WAAO,KAAK,YAA2B,KAAK,IAAI;AAAA,EAClD;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAkBA,MAAM,mBAAmB,SAA8D;AACrF,UAAM,MAAM,GAAG,KAAK,OAAO,OAAO;AAElC,UAAM,OAA+B;AAAA,MACnC,OAAO,QAAQ;AAAA,MACf,UAAU,KAAK,OAAO;AAAA,IACxB;AAEA,QAAI,QAAQ,aAAa;AACvB,WAAK,eAAe,QAAQ;AAAA,IAC9B;AAEA,WAAO,KAAK,YAA6B,KAAK,IAAI;AAAA,EACpD;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAoBA,MAAM,eAAe,SAA0D;AAC7E,UAAM,MAAM,GAAG,KAAK,OAAO,OAAO;AAElC,UAAM,OAA+B;AAAA,MACnC,OAAO,QAAQ;AAAA,MACf,UAAU,KAAK,OAAO;AAAA,IACxB;AAEA,QAAI,QAAQ,aAAa;AACvB,WAAK,eAAe,QAAQ;AAAA,IAC9B;AAEA,WAAO,KAAK,YAA6B,KAAK,IAAI;AAAA,EACpD;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EA+BA,MAAM,cAAc,SAAyD;AAC3E,UAAM,MAAM,GAAG,KAAK,OAAO,OAAO;AAElC,UAAM,OAAO;AAAA,MACX,OAAO,QAAQ;AAAA,MACf,UAAU,QAAQ;AAAA,MAClB,UAAU,KAAK,OAAO;AAAA,IACxB;AAEA,WAAO,KAAK,YAA6B,KAAK,IAAI;AAAA,EACpD;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAiBA,MAAM,OAAO,cAAgD;AAC3D,UAAM,MAAM,GAAG,KAAK,OAAO,OAAO;AAElC,UAAM,OAAO;AAAA,MACX,eAAe;AAAA,IACjB;AAEA,WAAO,KAAK,YAA6B,KAAK,IAAI;AAAA,EACpD;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EA2BA,YAAY,SAAqC;AAC/C,UAAM,MAAM,IAAI,IAAI,GAAG,KAAK,OAAO,OAAO,UAAU,QAAQ,QAAQ,EAAE;AACtE,QAAI,aAAa,IAAI,YAAY,KAAK,OAAO,OAAO;AACpD,QAAI,aAAa,IAAI,gBAAgB,QAAQ,WAAW;AACxD,WAAO,IAAI,SAAS;AAAA,EACtB;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAuCA,MAAM,kBAAkB,MAAsC;AAC5D,UAAM,MAAM,GAAG,KAAK,OAAO,OAAO;AAElC,UAAM,OAAO;AAAA,MACX;AAAA,MACA,UAAU,KAAK,OAAO;AAAA,IACxB;AAEA,WAAO,KAAK,YAA2B,KAAK,IAAI;AAAA,EAClD;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAsBA,MAAM,aAAa,eAAmD;AAEpE,UAAM,WAAW,MAAM,KAAK,YAAY,cAAc,YAAY;AAElE,UAAM,OAAa;AAAA,MACjB,IAAI,SAAS,QAAQ;AAAA,MACrB,OAAO,SAAS,QAAQ;AAAA,MACxB,eAAe,SAAS,QAAQ;AAAA,IAClC;AAEA,UAAM,UAAmB;AAAA,MACvB,aAAa,cAAc;AAAA,MAC3B,cAAc,cAAc;AAAA,MAC5B,WAAW,IAAI,KAAK,KAAK,IAAI,IAAI,cAAc,aAAa,GAAI;AAAA,IAClE;AAEA,UAAM,SAAqB,EAAE,MAAM,QAAQ;AAE3C,QAAI,cAAc,gBAAgB,QAAW;AAC3C,aAAO,YAAY,cAAc;AAAA,IACnC;AAEA,WAAO;AAAA,EACT;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAgCA,MAAM,gBAAgB,SAA2D;AAC/E,UAAM,MAAM,GAAG,KAAK,OAAO,OAAO;AAElC,QAAI;AACF,YAAM,WAAW,MAAM,MAAM,KAAK;AAAA,QAChC,QAAQ;AAAA,QACR,SAAS;AAAA,UACP,gBAAgB;AAAA,UAChB,eAAe,UAAU,QAAQ,WAAW;AAAA,QAC9C;AAAA,QACA,MAAM,KAAK,UAAU;AAAA,UACnB,UAAU,QAAQ;AAAA,QACpB,CAAC;AAAA,MACH,CAAC;AAED,UAAI,CAAC,SAAS,IAAI;AAChB,cAAM,YAAY,MAAM,SAAS,KAAK,EAAE,MAAM,OAAO,CAAC,EAAE;AACxD,cAAM,YAAY;AAElB,YAAI;AACJ,YAAI;AAEJ,YAAI,OAAO,UAAU,UAAU,YAAY,UAAU,OAAO;AAC1D,sBAAY,UAAU,MAAM,QAAQ,KAAK,yBAAyB,SAAS,MAAM;AACjF,yBAAe,UAAU,MAAM,WAAW;AAAA,QAC5C,OAAO;AACL,sBAAY,KAAK,yBAAyB,SAAS,MAAM;AACzD,yBAAe,OAAO,UAAU,UAAU,WAAW,UAAU,QAAQ;AAAA,QACzE;AAEA,cAAM,IAAI,eAAe,cAAc,WAAW,SAAS,MAAM;AAAA,MACnE;AAEA,aAAQ,MAAM,SAAS,KAAK;AAAA,IAC9B,SAAS,OAAO;AACd,UAAI,iBAAiB,gBAAgB;AACnC,cAAM;AAAA,MACR;AAEA,UAAI,iBAAiB,OAAO;AAC1B,cAAM,IAAI,eAAe,kBAAkB,MAAM,OAAO,IAAI,eAAe;AAAA,MAC7E;AAEA,YAAM,IAAI,eAAe,kBAAkB,gBAAgB;AAAA,IAC7D;AAAA,EACF;AAAA;AAAA;AAAA;AAAA,EAKA,MAAc,YAAe,KAAa,MAA2C;AACnF,QAAI;AACF,YAAM,WAAW,MAAM,MAAM,KAAK;AAAA,QAChC,QAAQ;AAAA,QACR,SAAS;AAAA,UACP,gBAAgB;AAAA,QAClB;AAAA,QACA,MAAM,KAAK,UAAU,IAAI;AAAA,MAC3B,CAAC;AAED,UAAI,CAAC,SAAS,IAAI;AAChB,cAAM,YAAY,MAAM,SAAS,KAAK,EAAE,MAAM,OAAO,CAAC,EAAE;AACxD,cAAM,YAAY;AAElB,YAAI;AACJ,YAAI;AAEJ,YAAI,OAAO,UAAU,UAAU,YAAY,UAAU,OAAO;AAC1D,sBAAY,UAAU,MAAM,QAAQ,KAAK,yBAAyB,SAAS,MAAM;AACjF,yBAAe,UAAU,MAAM,WAAW;AAAA,QAC5C,OAAO;AACL,sBAAY,KAAK,yBAAyB,SAAS,MAAM;AACzD,yBAAe,OAAO,UAAU,UAAU,WAAW,UAAU,QAAQ;AAAA,QACzE;AAEA,cAAM,IAAI,eAAe,cAAc,WAAW,SAAS,MAAM;AAAA,MACnE;AAEA,aAAQ,MAAM,SAAS,KAAK;AAAA,IAC9B,SAAS,OAAO;AACd,UAAI,iBAAiB,gBAAgB;AACnC,cAAM;AAAA,MACR;AAEA,UAAI,iBAAiB,OAAO;AAC1B,cAAM,IAAI,eAAe,kBAAkB,MAAM,OAAO,IAAI,eAAe;AAAA,MAC7E;AAEA,YAAM,IAAI,eAAe,kBAAkB,gBAAgB;AAAA,IAC7D;AAAA,EACF;AAAA;AAAA;AAAA;AAAA,EAKQ,yBAAyB,QAAwB;AACvD,YAAQ,QAAQ;AAAA,MACd,KAAK;AACH,eAAO;AAAA,MACT,KAAK;AACH,eAAO;AAAA,MACT,KAAK;AACH,eAAO;AAAA,MACT,KAAK;AACH,eAAO;AAAA,MACT,KAAK;AACH,eAAO;AAAA,MACT,KAAK;AAAA,MACL,KAAK;AAAA,MACL,KAAK;AACH,eAAO;AAAA,MACT;AACE,eAAO;AAAA,IACX;AAAA,EACF;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAuBA,IAAI,QAAwB;AAC1B,QAAI,CAAC,KAAK,OAAO,cAAc;AAC7B,YAAM,IAAI;AAAA,QACR;AAAA,QACA;AAAA,MACF;AAAA,IACF;AACA,WAAO,IAAI,eAAe,KAAK,MAAM;AAAA,EACvC;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EA8BA,IAAI,WAA8B;AAChC,WAAO,IAAI,kBAAkB,KAAK,MAAM;AAAA,EAC1C;AACF;AAcA,IAAM,iBAAN,MAAqB;AAAA,EACX;AAAA,EAER,YAAY,QAAwB;AAClC,SAAK,SAAS;AAAA,EAChB;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EA4BA,MAAM,WAAW,SAAsD;AACrE,UAAM,MAAM,GAAG,KAAK,OAAO,OAAO,WAAW,KAAK,OAAO,OAAO,UAAU,QAAQ,MAAM;AAExF,QAAI;AACF,YAAM,WAAW,MAAM,MAAM,KAAK;AAAA,QAChC,QAAQ;AAAA,QACR,SAAS;AAAA,UACP,eAAe,eAAe,KAAK,OAAO,YAAY;AAAA,QACxD;AAAA,MACF,CAAC;AAED,UAAI,CAAC,SAAS,IAAI;AAChB,cAAM,YAAY,MAAM,SAAS,KAAK,EAAE,MAAM,OAAO,CAAC,EAAE;AACxD,cAAM,YAAY;AAElB,YAAI;AACJ,YAAI;AAEJ,YAAI,OAAO,UAAU,UAAU,YAAY,UAAU,OAAO;AAC1D,sBAAY,UAAU,MAAM,QAAQ,KAAK,yBAAyB,SAAS,MAAM;AACjF,yBAAe,UAAU,MAAM,WAAW;AAAA,QAC5C,OAAO;AACL,sBAAY,KAAK,yBAAyB,SAAS,MAAM;AACzD,yBAAe,OAAO,UAAU,UAAU,WAAW,UAAU,QAAQ;AAAA,QACzE;AAEA,cAAM,IAAI,eAAe,cAAc,WAAW,SAAS,MAAM;AAAA,MACnE;AAEA,aAAQ,MAAM,SAAS,KAAK;AAAA,IAC9B,SAAS,OAAO;AACd,UAAI,iBAAiB,gBAAgB;AACnC,cAAM;AAAA,MACR;AAEA,UAAI,iBAAiB,OAAO;AAC1B,cAAM,IAAI,eAAe,kBAAkB,MAAM,OAAO,IAAI,eAAe;AAAA,MAC7E;AAEA,YAAM,IAAI,eAAe,kBAAkB,gBAAgB;AAAA,IAC7D;AAAA,EACF;AAAA;AAAA;AAAA;AAAA,EAKQ,yBAAyB,QAAwB;AACvD,YAAQ,QAAQ;AAAA,MACd,KAAK;AACH,eAAO;AAAA,MACT,KAAK;AACH,eAAO;AAAA,MACT,KAAK;AACH,eAAO;AAAA,MACT,KAAK;AACH,eAAO;AAAA,MACT,KAAK;AACH,eAAO;AAAA,MACT,KAAK;AAAA,MACL,KAAK;AAAA,MACL,KAAK;AACH,eAAO;AAAA,MACT;AACE,eAAO;AAAA,IACX;AAAA,EACF;AACF;AAwBA,IAAM,oBAAN,MAAwB;AAAA,EACd;AAAA,EAER,YAAY,QAAwB;AAClC,SAAK,SAAS;AAAA,EAChB;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAYA,MAAM,uBACJ,SACqC;AACrC,UAAM,MAAM,GAAG,KAAK,OAAO,OAAO;AAElC,QAAI;AACF,YAAM,WAAW,MAAM,MAAM,KAAK;AAAA,QAChC,QAAQ;AAAA,QACR,SAAS;AAAA,UACP,gBAAgB;AAAA,UAChB,eAAe,UAAU,QAAQ,WAAW;AAAA,QAC9C;AAAA,QACA,MAAM,KAAK,UAAU;AAAA,UACnB,UAAU,KAAK,OAAO;AAAA,QACxB,CAAC;AAAA,MACH,CAAC;AAED,UAAI,CAAC,SAAS,IAAI;AAChB,cAAM,KAAK,oBAAoB,QAAQ;AAAA,MACzC;AAEA,aAAQ,MAAM,SAAS,KAAK;AAAA,IAC9B,SAAS,OAAO;AACd,UAAI,iBAAiB,gBAAgB;AACnC,cAAM;AAAA,MACR;AACA,UAAI,iBAAiB,OAAO;AAC1B,cAAM,IAAI,eAAe,kBAAkB,MAAM,OAAO,IAAI,eAAe;AAAA,MAC7E;AACA,YAAM,IAAI,eAAe,kBAAkB,gBAAgB;AAAA,IAC7D;AAAA,EACF;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAYA,MAAM,mBACJ,SACsC;AACtC,UAAM,MAAM,GAAG,KAAK,OAAO,OAAO;AAElC,UAAM,OAAgC;AAAA,MACpC,UAAU,KAAK,OAAO;AAAA,MACtB,cAAc,QAAQ;AAAA,IACxB;AAEA,QAAI,QAAQ,YAAY;AACtB,WAAK,cAAc,QAAQ;AAAA,IAC7B;AAEA,QAAI;AACF,YAAM,WAAW,MAAM,MAAM,KAAK;AAAA,QAChC,QAAQ;AAAA,QACR,SAAS;AAAA,UACP,gBAAgB;AAAA,UAChB,eAAe,UAAU,QAAQ,WAAW;AAAA,QAC9C;AAAA,QACA,MAAM,KAAK,UAAU,IAAI;AAAA,MAC3B,CAAC;AAED,UAAI,CAAC,SAAS,IAAI;AAChB,cAAM,KAAK,oBAAoB,QAAQ;AAAA,MACzC;AAEA,aAAQ,MAAM,SAAS,KAAK;AAAA,IAC9B,SAAS,OAAO;AACd,UAAI,iBAAiB,gBAAgB;AACnC,cAAM;AAAA,MACR;AACA,UAAI,iBAAiB,OAAO;AAC1B,cAAM,IAAI,eAAe,kBAAkB,MAAM,OAAO,IAAI,eAAe;AAAA,MAC7E;AACA,YAAM,IAAI,eAAe,kBAAkB,gBAAgB;AAAA,IAC7D;AAAA,EACF;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAWA,MAAM,yBACJ,SACuC;AACvC,UAAM,MAAM,GAAG,KAAK,OAAO,OAAO;AAElC,UAAM,OAA+B;AAAA,MACnC,UAAU,KAAK,OAAO;AAAA,IACxB;AAEA,QAAI,SAAS,OAAO;AAClB,WAAK,QAAQ,QAAQ;AAAA,IACvB;AAEA,QAAI;AACF,YAAM,WAAW,MAAM,MAAM,KAAK;AAAA,QAChC,QAAQ;AAAA,QACR,SAAS;AAAA,UACP,gBAAgB;AAAA,QAClB;AAAA,QACA,MAAM,KAAK,UAAU,IAAI;AAAA,MAC3B,CAAC;AAED,UAAI,CAAC,SAAS,IAAI;AAChB,cAAM,KAAK,oBAAoB,QAAQ;AAAA,MACzC;AAEA,aAAQ,MAAM,SAAS,KAAK;AAAA,IAC9B,SAAS,OAAO;AACd,UAAI,iBAAiB,gBAAgB;AACnC,cAAM;AAAA,MACR;AACA,UAAI,iBAAiB,OAAO;AAC1B,cAAM,IAAI,eAAe,kBAAkB,MAAM,OAAO,IAAI,eAAe;AAAA,MAC7E;AACA,YAAM,IAAI,eAAe,kBAAkB,gBAAgB;AAAA,IAC7D;AAAA,EACF;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAYA,MAAM,aAAa,SAAqE;AACtF,UAAM,MAAM,GAAG,KAAK,OAAO,OAAO;AAElC,UAAM,OAAO;AAAA,MACX,UAAU,KAAK,OAAO;AAAA,MACtB,gBAAgB,QAAQ;AAAA,IAC1B;AAEA,QAAI;AACF,YAAM,WAAW,MAAM,MAAM,KAAK;AAAA,QAChC,QAAQ;AAAA,QACR,SAAS;AAAA,UACP,gBAAgB;AAAA,QAClB;AAAA,QACA,MAAM,KAAK,UAAU,IAAI;AAAA,MAC3B,CAAC;AAED,UAAI,CAAC,SAAS,IAAI;AAChB,cAAM,KAAK,oBAAoB,QAAQ;AAAA,MACzC;AAEA,aAAQ,MAAM,SAAS,KAAK;AAAA,IAC9B,SAAS,OAAO;AACd,UAAI,iBAAiB,gBAAgB;AACnC,cAAM;AAAA,MACR;AACA,UAAI,iBAAiB,OAAO;AAC1B,cAAM,IAAI,eAAe,kBAAkB,MAAM,OAAO,IAAI,eAAe;AAAA,MAC7E;AACA,YAAM,IAAI,eAAe,kBAAkB,gBAAgB;AAAA,IAC7D;AAAA,EACF;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAiBA,MAAM,aAAa,SAA6D;AAC9E,UAAM,MAAM,GAAG,KAAK,OAAO,OAAO;AAElC,QAAI;AACF,YAAM,WAAW,MAAM,MAAM,KAAK;AAAA,QAChC,QAAQ;AAAA,QACR,SAAS;AAAA,UACP,gBAAgB;AAAA,UAChB,eAAe,UAAU,QAAQ,WAAW;AAAA,QAC9C;AAAA,QACA,MAAM,KAAK,UAAU;AAAA,UACnB,UAAU,KAAK,OAAO;AAAA,QACxB,CAAC;AAAA,MACH,CAAC;AAED,UAAI,CAAC,SAAS,IAAI;AAChB,cAAM,KAAK,oBAAoB,QAAQ;AAAA,MACzC;AAEA,aAAQ,MAAM,SAAS,KAAK;AAAA,IAC9B,SAAS,OAAO;AACd,UAAI,iBAAiB,gBAAgB;AACnC,cAAM;AAAA,MACR;AACA,UAAI,iBAAiB,OAAO;AAC1B,cAAM,IAAI,eAAe,kBAAkB,MAAM,OAAO,IAAI,eAAe;AAAA,MAC7E;AACA,YAAM,IAAI,eAAe,kBAAkB,gBAAgB;AAAA,IAC7D;AAAA,EACF;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAiBA,MAAM,cAAc,SAA8D;AAChF,UAAM,MAAM,GAAG,KAAK,OAAO,OAAO,sBAAsB,mBAAmB,QAAQ,YAAY,CAAC;AAEhG,QAAI;AACF,YAAM,WAAW,MAAM,MAAM,KAAK;AAAA,QAChC,QAAQ;AAAA,QACR,SAAS;AAAA,UACP,gBAAgB;AAAA,UAChB,eAAe,UAAU,QAAQ,WAAW;AAAA,QAC9C;AAAA,QACA,MAAM,KAAK,UAAU;AAAA,UACnB,UAAU,KAAK,OAAO;AAAA,QACxB,CAAC;AAAA,MACH,CAAC;AAED,UAAI,CAAC,SAAS,IAAI;AAChB,cAAM,KAAK,oBAAoB,QAAQ;AAAA,MACzC;AAEA,aAAQ,MAAM,SAAS,KAAK;AAAA,IAC9B,SAAS,OAAO;AACd,UAAI,iBAAiB,gBAAgB;AACnC,cAAM;AAAA,MACR;AACA,UAAI,iBAAiB,OAAO;AAC1B,cAAM,IAAI,eAAe,kBAAkB,MAAM,OAAO,IAAI,eAAe;AAAA,MAC7E;AACA,YAAM,IAAI,eAAe,kBAAkB,gBAAgB;AAAA,IAC7D;AAAA,EACF;AAAA;AAAA;AAAA;AAAA;AAAA,EAMA,MAAc,oBAAoB,UAAoC;AACpE,UAAM,YAAY,MAAM,SAAS,KAAK,EAAE,MAAM,OAAO,CAAC,EAAE;AACxD,UAAM,YAAY;AAElB,QAAI;AACJ,QAAI;AAEJ,QAAI,OAAO,UAAU,UAAU,YAAY,UAAU,OAAO;AAC1D,kBAAY,UAAU,MAAM,QAAQ,KAAK,yBAAyB,SAAS,MAAM;AACjF,qBAAe,UAAU,MAAM,WAAW;AAAA,IAC5C,OAAO;AACL,kBAAY,KAAK,yBAAyB,SAAS,MAAM;AACzD,qBAAe,OAAO,UAAU,UAAU,WAAW,UAAU,QAAQ;AAAA,IACzE;AAEA,UAAM,IAAI,eAAe,cAAc,WAAW,SAAS,MAAM;AAAA,EACnE;AAAA;AAAA;AAAA;AAAA,EAKQ,yBAAyB,QAAwB;AACvD,YAAQ,QAAQ;AAAA,MACd,KAAK;AACH,eAAO;AAAA,MACT,KAAK;AACH,eAAO;AAAA,MACT,KAAK;AACH,eAAO;AAAA,MACT,KAAK;AACH,eAAO;AAAA,MACT,KAAK;AACH,eAAO;AAAA,MACT,KAAK;AAAA,MACL,KAAK;AAAA,MACL,KAAK;AACH,eAAO;AAAA,MACT;AACE,eAAO;AAAA,IACX;AAAA,EACF;AACF;AAkBO,SAAS,uBAAuB,QAA6B;AAClE,QAAM,QAAQ,IAAI,WAAW,MAAM;AACnC,MAAI,SAAS;AACb,aAAW,QAAQ,OAAO;AACxB,cAAU,OAAO,aAAa,IAAI;AAAA,EACpC;AACA,SAAO,KAAK,MAAM,EAAE,QAAQ,OAAO,GAAG,EAAE,QAAQ,OAAO,GAAG,EAAE,QAAQ,OAAO,EAAE;AAC/E;AAcO,SAAS,uBAAuB,WAAgC;AAErE,QAAM,SAAS,UAAU,QAAQ,MAAM,GAAG,EAAE,QAAQ,MAAM,GAAG;AAE7D,QAAM,SAAS,SAAS,IAAI,QAAQ,IAAK,OAAO,SAAS,KAAM,CAAC;AAEhE,QAAM,SAAS,KAAK,MAAM;AAC1B,QAAM,QAAQ,IAAI,WAAW,OAAO,MAAM;AAC1C,WAAS,IAAI,GAAG,IAAI,OAAO,QAAQ,KAAK;AACtC,UAAM,CAAC,IAAI,OAAO,WAAW,CAAC;AAAA,EAChC;AACA,SAAO,MAAM;AACf;AAgBO,SAAS,2BACd,SACoC;AACpC,SAAO;AAAA,IACL,WAAW,uBAAuB,QAAQ,SAAS;AAAA,IACnD,IAAI,QAAQ;AAAA,IACZ,MAAM;AAAA,MACJ,IAAI,IAAI,YAAY,EAAE,OAAO,QAAQ,KAAK,EAAE;AAAA,MAC5C,MAAM,QAAQ,KAAK;AAAA,MACnB,aAAa,QAAQ,KAAK;AAAA,IAC5B;AAAA,IACA,kBAAkB,QAAQ;AAAA,IAC1B,oBAAoB,QAAQ,mBAAmB,IAAI,CAAC,UAAU;AAAA,MAC5D,IAAI,uBAAuB,KAAK,EAAE;AAAA,MAClC,MAAM,KAAK;AAAA,MACX,YAAY,KAAK;AAAA,IACnB,EAAE;AAAA,IACF,wBAAwB,QAAQ;AAAA,IAChC,SAAS,QAAQ;AAAA,IACjB,aAAa,QAAQ;AAAA,EACvB;AACF;AAgBO,SAAS,6BACd,SACmC;AACnC,SAAO;AAAA,IACL,WAAW,uBAAuB,QAAQ,SAAS;AAAA,IACnD,MAAM,QAAQ;AAAA,IACd,kBAAkB,QAAQ,iBAAiB,IAAI,CAAC,UAAU;AAAA,MACxD,IAAI,uBAAuB,KAAK,EAAE;AAAA,MAClC,MAAM,KAAK;AAAA,MACX,YAAY,KAAK;AAAA,IACnB,EAAE;AAAA,IACF,kBAAkB,QAAQ;AAAA,IAC1B,SAAS,QAAQ;AAAA,EACnB;AACF;AAgBO,SAAS,2BAA2B,YAUzC;AACA,QAAM,WAAW,WAAW;AAE5B,SAAO;AAAA,IACL,IAAI,WAAW;AAAA,IACf,OAAO,uBAAuB,WAAW,KAAK;AAAA,IAC9C,MAAM;AAAA,IACN,UAAU;AAAA,MACR,gBAAgB,uBAAuB,SAAS,cAAc;AAAA,MAC9D,mBAAmB,uBAAuB,SAAS,iBAAiB;AAAA,MACpE,YAAY,SAAS,gBAAgB;AAAA,IACvC;AAAA,IACA,yBAAyB,WAAW;AAAA,EAItC;AACF;AAgBO,SAAS,6BAA6B,YAW3C;AACA,QAAM,WAAW,WAAW;AAE5B,SAAO;AAAA,IACL,IAAI,WAAW;AAAA,IACf,OAAO,uBAAuB,WAAW,KAAK;AAAA,IAC9C,MAAM;AAAA,IACN,UAAU;AAAA,MACR,gBAAgB,uBAAuB,SAAS,cAAc;AAAA,MAC9D,mBAAmB,uBAAuB,SAAS,iBAAiB;AAAA,MACpE,WAAW,uBAAuB,SAAS,SAAS;AAAA,MACpD,YAAY,SAAS,aAAa,uBAAuB,SAAS,UAAU,IAAI;AAAA,IAClF;AAAA,IACA,yBAAyB,WAAW;AAAA,EAItC;AACF;","names":[]}
1
+ {"version":3,"sources":["../src/index.ts"],"sourcesContent":["/**\n * @ovixa/auth-client\n *\n * Client SDK for Ovixa Auth service.\n * Provides authentication, token verification, and session management.\n */\n\nimport {\n createRemoteJWKSet,\n jwtVerify,\n type JWTPayload,\n type JWTVerifyResult,\n type JWTHeaderParameters,\n} from 'jose';\n\n/**\n * Configuration options for the OvixaAuth client.\n */\nexport interface AuthClientConfig {\n /** The base URL of the Ovixa Auth service */\n authUrl: string;\n /** The realm ID to authenticate against */\n realmId: string;\n /** Your application's client secret (for server-side use only) */\n clientSecret?: string;\n /** Cache duration for JWKS in milliseconds (defaults to 1 hour) */\n jwksCacheTtl?: number;\n}\n\n/**\n * JWT claims for an Ovixa access token.\n */\nexport interface AccessTokenPayload extends JWTPayload {\n /** Subject (user ID) */\n sub: string;\n /** User's email address */\n email: string;\n /** Whether the user's email has been verified */\n email_verified: boolean;\n /** Issued at timestamp */\n iat: number;\n /** Expiration timestamp */\n exp: number;\n /** Issuer */\n iss: string;\n /** Audience (realm ID) */\n aud: string;\n}\n\n/**\n * Result of a successful token verification.\n */\nexport interface VerifyResult {\n /** The decoded token payload */\n payload: AccessTokenPayload;\n /** The protected header */\n protectedHeader: JWTHeaderParameters;\n}\n\n/**\n * Token response from the auth service.\n */\nexport interface TokenResponse {\n /** The access token (JWT) */\n access_token: string;\n /** The refresh token (JWT) */\n refresh_token: string;\n /** Token type (always \"Bearer\") */\n token_type: 'Bearer';\n /** Access token expiration time in seconds */\n expires_in: number;\n /** Whether this is a new user (only present in OAuth callback) */\n is_new_user?: boolean;\n}\n\n/**\n * User information extracted from token payload.\n */\nexport interface User {\n /** User ID (UUID) */\n id: string;\n /** User's email address */\n email: string;\n /** Whether the email has been verified */\n emailVerified: boolean;\n}\n\n/**\n * Session information containing tokens and expiry.\n */\nexport interface Session {\n /** The access token (JWT) */\n accessToken: string;\n /** The refresh token for obtaining new access tokens */\n refreshToken: string;\n /** When the access token expires */\n expiresAt: Date;\n}\n\n/**\n * Combined authentication result with user and session data.\n */\nexport interface AuthResult {\n /** The authenticated user */\n user: User;\n /** The session tokens */\n session: Session;\n /** Whether this is a new user (only set for OAuth flows) */\n isNewUser?: boolean;\n}\n\n/**\n * Options for signup.\n */\nexport interface SignupOptions {\n /** User's email address */\n email: string;\n /** Password meeting requirements */\n password: string;\n /** Optional redirect URI after email verification */\n redirectUri?: string;\n}\n\n/**\n * Response from signup endpoint.\n */\nexport interface SignupResponse {\n /** Whether the operation succeeded */\n success: boolean;\n /** Status message */\n message: string;\n}\n\n/**\n * Options for login.\n */\nexport interface LoginOptions {\n /** User's email address */\n email: string;\n /** User's password */\n password: string;\n}\n\n/**\n * Options for email verification.\n */\nexport interface VerifyEmailOptions {\n /** Verification token from email */\n token: string;\n}\n\n/**\n * Options for resending verification email.\n */\nexport interface ResendVerificationOptions {\n /** User's email address */\n email: string;\n /** Optional redirect URI after verification */\n redirectUri?: string;\n}\n\n/**\n * Generic success response.\n */\nexport interface SuccessResponse {\n /** Whether the operation succeeded */\n success: boolean;\n /** Optional status message */\n message?: string;\n}\n\n/**\n * Options for forgot password request.\n */\nexport interface ForgotPasswordOptions {\n /** User's email address */\n email: string;\n /** Optional redirect URI for password reset page */\n redirectUri?: string;\n}\n\n/**\n * Options for password reset.\n */\nexport interface ResetPasswordOptions {\n /** Reset token from email */\n token: string;\n /** New password */\n password: string;\n}\n\n/**\n * Supported OAuth providers.\n */\nexport type OAuthProvider = 'google' | 'github';\n\n// ============================================================\n// WebAuthn / Passkey Types\n// ============================================================\n\n/**\n * Options for getting passkey registration options.\n */\nexport interface GetPasskeyRegistrationOptionsOptions {\n /** Access token (user must be logged in to register a passkey) */\n accessToken: string;\n}\n\n/**\n * Registration options returned from the server.\n * These are passed directly to navigator.credentials.create().\n */\nexport interface PasskeyRegistrationOptions {\n challenge: string;\n rp: { id: string; name: string };\n user: { id: string; name: string; displayName: string };\n pubKeyCredParams: { type: 'public-key'; alg: number }[];\n excludeCredentials: { id: string; type: 'public-key'; transports?: string[] }[];\n authenticatorSelection: {\n authenticatorAttachment?: 'platform' | 'cross-platform';\n residentKey: 'discouraged' | 'preferred' | 'required';\n userVerification: 'discouraged' | 'preferred' | 'required';\n };\n timeout: number;\n attestation: 'none';\n}\n\n/**\n * Options for verifying passkey registration.\n */\nexport interface VerifyPasskeyRegistrationOptions {\n /** Access token (user must be logged in) */\n accessToken: string;\n /** The registration response from navigator.credentials.create() */\n registration: {\n id: string;\n rawId: string;\n type: 'public-key';\n response: {\n clientDataJSON: string;\n attestationObject: string;\n authenticatorData?: string;\n transports?: string[];\n publicKeyAlgorithm?: number;\n publicKey?: string;\n };\n authenticatorAttachment?: 'platform' | 'cross-platform';\n clientExtensionResults?: Record<string, unknown>;\n };\n /** Optional friendly name for the passkey */\n deviceName?: string;\n}\n\n/**\n * Response from passkey registration verification.\n */\nexport interface PasskeyRegistrationResponse {\n success: boolean;\n credential_id: string;\n device_name?: string;\n}\n\n/**\n * Options for getting passkey authentication options.\n */\nexport interface GetPasskeyAuthenticationOptionsOptions {\n /** Optional email for allowCredentials hint (for non-discoverable credentials) */\n email?: string;\n}\n\n/**\n * Authentication options returned from the server.\n * These are passed directly to navigator.credentials.get().\n */\nexport interface PasskeyAuthenticationOptions {\n challenge: string;\n rpId: string;\n allowCredentials: { id: string; type: 'public-key'; transports?: string[] }[];\n userVerification: 'discouraged' | 'preferred' | 'required';\n timeout: number;\n}\n\n/**\n * Options for verifying passkey authentication.\n */\nexport interface VerifyPasskeyAuthenticationOptions {\n /** The authentication response from navigator.credentials.get() */\n authentication: {\n id: string;\n rawId: string;\n type: 'public-key';\n response: {\n clientDataJSON: string;\n authenticatorData: string;\n signature: string;\n userHandle?: string | null;\n };\n authenticatorAttachment?: 'platform' | 'cross-platform';\n clientExtensionResults?: Record<string, unknown>;\n };\n}\n\n/**\n * Options for listing passkeys.\n */\nexport interface ListPasskeysOptions {\n /** Access token (user must be logged in) */\n accessToken: string;\n}\n\n/**\n * Passkey information returned from listPasskeys.\n */\nexport interface Passkey {\n /** The credential ID (base64url-encoded) */\n credential_id: string;\n /** Optional friendly name for the passkey */\n device_name: string | null;\n /** When the passkey was registered */\n created_at: string;\n /** When the passkey was last used */\n last_used_at: string | null;\n}\n\n/**\n * Response from listPasskeys.\n */\nexport interface ListPasskeysResponse {\n /** Array of passkeys */\n passkeys: Passkey[];\n}\n\n/**\n * Options for deleting a passkey.\n */\nexport interface DeletePasskeyOptions {\n /** Access token (user must be logged in) */\n accessToken: string;\n /** The credential ID to delete */\n credentialId: string;\n}\n\n/**\n * Options for generating OAuth URL.\n */\nexport interface GetOAuthUrlOptions {\n /** OAuth provider */\n provider: OAuthProvider;\n /** Redirect URI after OAuth completes */\n redirectUri: string;\n}\n\n/**\n * Options for deleting a user (admin operation).\n */\nexport interface DeleteUserOptions {\n /** The ID of the user to delete */\n userId: string;\n}\n\n/**\n * Options for deleting the current user's own account.\n */\nexport interface DeleteMyAccountOptions {\n /** The user's current access token */\n accessToken: string;\n /** The user's current password (for re-authentication) */\n password: string;\n}\n\n/**\n * Error thrown by OvixaAuth operations.\n */\nexport class OvixaAuthError extends Error {\n constructor(\n message: string,\n public readonly code: string,\n public readonly statusCode?: number\n ) {\n super(message);\n this.name = 'OvixaAuthError';\n }\n}\n\ninterface InternalConfig {\n authUrl: string;\n realmId: string;\n clientSecret?: string;\n jwksCacheTtl: number;\n}\n\n/** Default JWKS cache TTL: 1 hour */\nconst DEFAULT_JWKS_CACHE_TTL = 60 * 60 * 1000;\n\n/**\n * Custom fetch function that adds cache headers for JWKS requests.\n * Used to implement client-side caching behavior.\n */\ntype JWKSFetcher = ReturnType<typeof createRemoteJWKSet>;\n\ninterface JWKSCache {\n fetcher: JWKSFetcher;\n createdAt: number;\n}\n\n/**\n * OvixaAuth client for authenticating with the Ovixa Auth service.\n *\n * @example\n * ```typescript\n * const auth = new OvixaAuth({\n * authUrl: 'https://auth.ovixa.io',\n * realmId: 'your-realm-id',\n * clientSecret: 'your-client-secret', // Optional, for server-side use\n * });\n *\n * // Verify a token\n * const result = await auth.verifyToken(accessToken);\n * console.log(result.payload.email);\n *\n * // Refresh tokens\n * const tokens = await auth.refreshToken(refreshToken);\n * ```\n */\nexport class OvixaAuth {\n private config: InternalConfig;\n private jwksCache: JWKSCache | null = null;\n\n constructor(config: AuthClientConfig) {\n // Normalize authUrl by removing trailing slash\n const authUrl = config.authUrl.replace(/\\/$/, '');\n\n this.config = {\n authUrl,\n realmId: config.realmId,\n clientSecret: config.clientSecret,\n jwksCacheTtl: config.jwksCacheTtl ?? DEFAULT_JWKS_CACHE_TTL,\n };\n }\n\n /** Get the configured auth URL */\n get authUrl(): string {\n return this.config.authUrl;\n }\n\n /** Get the configured realm ID */\n get realmId(): string {\n return this.config.realmId;\n }\n\n /**\n * Get the JWKS URL for the auth service.\n */\n get jwksUrl(): string {\n return `${this.config.authUrl}/.well-known/jwks.json`;\n }\n\n /**\n * Get the JWKS fetcher, creating a new one if necessary.\n * The fetcher is cached based on the configured TTL.\n */\n private getJwksFetcher(): JWKSFetcher {\n const now = Date.now();\n\n // Return cached fetcher if still valid\n if (this.jwksCache && now - this.jwksCache.createdAt < this.config.jwksCacheTtl) {\n return this.jwksCache.fetcher;\n }\n\n // Create new JWKS fetcher\n const jwksUrl = new URL(this.jwksUrl);\n const fetcher = createRemoteJWKSet(jwksUrl, {\n // jose library has its own internal caching, but we add our own TTL layer\n // to control when to refresh the JWKS set\n cacheMaxAge: this.config.jwksCacheTtl,\n });\n\n this.jwksCache = {\n fetcher,\n createdAt: now,\n };\n\n return fetcher;\n }\n\n /**\n * Verify an access token and return the decoded payload.\n *\n * This method fetches the public key from the JWKS endpoint (with caching)\n * and verifies the token's signature and claims.\n *\n * @param token - The access token (JWT) to verify\n * @returns The verified token payload and header\n * @throws {OvixaAuthError} If verification fails\n *\n * @example\n * ```typescript\n * try {\n * const result = await auth.verifyToken(accessToken);\n * console.log('User ID:', result.payload.sub);\n * console.log('Email:', result.payload.email);\n * } catch (error) {\n * if (error instanceof OvixaAuthError) {\n * console.error('Token verification failed:', error.code);\n * }\n * }\n * ```\n */\n async verifyToken(token: string): Promise<VerifyResult> {\n try {\n const jwks = this.getJwksFetcher();\n\n const result: JWTVerifyResult<AccessTokenPayload> = await jwtVerify(token, jwks, {\n algorithms: ['RS256'],\n issuer: this.config.authUrl,\n // Audience is the realm for this application\n audience: this.config.realmId,\n });\n\n // Validate required claims\n const payload = result.payload;\n if (!payload.sub || !payload.email || payload.email_verified === undefined) {\n throw new OvixaAuthError('Token is missing required claims', 'INVALID_CLAIMS');\n }\n\n return {\n payload: payload as AccessTokenPayload,\n protectedHeader: result.protectedHeader,\n };\n } catch (error) {\n if (error instanceof OvixaAuthError) {\n throw error;\n }\n\n // Handle jose library errors\n if (error instanceof Error) {\n const message = error.message;\n\n if (message.includes('expired')) {\n throw new OvixaAuthError('Token has expired', 'TOKEN_EXPIRED');\n }\n if (message.includes('signature')) {\n throw new OvixaAuthError('Invalid token signature', 'INVALID_SIGNATURE');\n }\n if (message.includes('issuer')) {\n throw new OvixaAuthError('Invalid token issuer', 'INVALID_ISSUER');\n }\n if (message.includes('audience')) {\n throw new OvixaAuthError('Invalid token audience', 'INVALID_AUDIENCE');\n }\n if (message.includes('malformed')) {\n throw new OvixaAuthError('Malformed token', 'MALFORMED_TOKEN');\n }\n\n throw new OvixaAuthError(`Token verification failed: ${message}`, 'VERIFICATION_FAILED');\n }\n\n throw new OvixaAuthError('Token verification failed', 'VERIFICATION_FAILED');\n }\n }\n\n /**\n * Refresh an access token using a refresh token.\n *\n * This method exchanges a valid refresh token for a new access token\n * and a new refresh token (token rotation).\n *\n * @param refreshToken - The refresh token to exchange\n * @returns New token response with access and refresh tokens\n * @throws {OvixaAuthError} If the refresh fails\n *\n * @example\n * ```typescript\n * try {\n * const tokens = await auth.refreshToken(currentRefreshToken);\n * // Store the new tokens\n * saveTokens(tokens.access_token, tokens.refresh_token);\n * } catch (error) {\n * if (error instanceof OvixaAuthError) {\n * // Refresh token is invalid or expired - user must re-authenticate\n * redirectToLogin();\n * }\n * }\n * ```\n */\n async refreshToken(refreshToken: string): Promise<TokenResponse> {\n const url = `${this.config.authUrl}/token/refresh`;\n\n try {\n const response = await fetch(url, {\n method: 'POST',\n headers: {\n 'Content-Type': 'application/json',\n },\n body: JSON.stringify({\n refresh_token: refreshToken,\n }),\n });\n\n if (!response.ok) {\n const errorBody = await response.json().catch(() => ({}));\n const errorMessage = (errorBody as { error?: string }).error || 'Token refresh failed';\n const errorCode = this.mapHttpStatusToErrorCode(response.status);\n\n throw new OvixaAuthError(errorMessage, errorCode, response.status);\n }\n\n const data = (await response.json()) as TokenResponse;\n return data;\n } catch (error) {\n if (error instanceof OvixaAuthError) {\n throw error;\n }\n\n if (error instanceof Error) {\n throw new OvixaAuthError(`Network error: ${error.message}`, 'NETWORK_ERROR');\n }\n\n throw new OvixaAuthError('Token refresh failed', 'REFRESH_FAILED');\n }\n }\n\n /**\n * Invalidate the cached JWKS fetcher.\n * Call this if you need to force a refresh of the public keys.\n */\n clearJwksCache(): void {\n this.jwksCache = null;\n }\n\n /**\n * Create a new user account.\n *\n * After signup, a verification email is sent. The user must verify their\n * email before they can log in.\n *\n * @param options - Signup options\n * @returns Signup response indicating success\n * @throws {OvixaAuthError} If signup fails\n *\n * @example\n * ```typescript\n * try {\n * await auth.signup({\n * email: 'user@example.com',\n * password: 'SecurePassword123!',\n * redirectUri: 'https://myapp.com/verify-callback',\n * });\n * console.log('Verification email sent!');\n * } catch (error) {\n * if (error instanceof OvixaAuthError) {\n * if (error.code === 'EMAIL_ALREADY_EXISTS') {\n * console.error('Email is already registered');\n * }\n * }\n * }\n * ```\n */\n async signup(options: SignupOptions): Promise<SignupResponse> {\n const url = `${this.config.authUrl}/signup`;\n\n const body: Record<string, string> = {\n email: options.email,\n password: options.password,\n realm_id: this.config.realmId,\n };\n\n if (options.redirectUri) {\n body.redirect_uri = options.redirectUri;\n }\n\n return this.makeRequest<SignupResponse>(url, body);\n }\n\n /**\n * Authenticate a user with email and password.\n *\n * @param options - Login options\n * @returns Token response with access and refresh tokens\n * @throws {OvixaAuthError} If login fails\n *\n * @example\n * ```typescript\n * try {\n * const tokens = await auth.login({\n * email: 'user@example.com',\n * password: 'SecurePassword123!',\n * });\n * console.log('Logged in!', tokens.access_token);\n * } catch (error) {\n * if (error instanceof OvixaAuthError) {\n * if (error.code === 'EMAIL_NOT_VERIFIED') {\n * console.error('Please verify your email first');\n * } else if (error.code === 'INVALID_CREDENTIALS') {\n * console.error('Invalid email or password');\n * }\n * }\n * }\n * ```\n */\n async login(options: LoginOptions): Promise<TokenResponse> {\n const url = `${this.config.authUrl}/login`;\n\n const body = {\n email: options.email,\n password: options.password,\n realm_id: this.config.realmId,\n };\n\n return this.makeRequest<TokenResponse>(url, body);\n }\n\n /**\n * Verify an email address using a verification token.\n *\n * This is the API flow that returns tokens. For browser redirect flow,\n * use `GET /verify` directly.\n *\n * @param options - Verification options\n * @returns Token response with access and refresh tokens\n * @throws {OvixaAuthError} If verification fails\n *\n * @example\n * ```typescript\n * // Get token from URL query params after clicking email link\n * const token = new URLSearchParams(window.location.search).get('token');\n *\n * try {\n * const tokens = await auth.verifyEmail({ token });\n * console.log('Email verified! Logged in.');\n * } catch (error) {\n * if (error instanceof OvixaAuthError && error.code === 'INVALID_TOKEN') {\n * console.error('Invalid or expired verification link');\n * }\n * }\n * ```\n */\n async verifyEmail(options: VerifyEmailOptions): Promise<TokenResponse> {\n const url = `${this.config.authUrl}/verify`;\n\n const body = {\n token: options.token,\n realm_id: this.config.realmId,\n type: 'email_verification',\n };\n\n return this.makeRequest<TokenResponse>(url, body);\n }\n\n /**\n * Resend a verification email for an unverified account.\n *\n * @param options - Resend options\n * @returns Success response\n * @throws {OvixaAuthError} If request fails\n *\n * @example\n * ```typescript\n * await auth.resendVerification({\n * email: 'user@example.com',\n * redirectUri: 'https://myapp.com/verify-callback',\n * });\n * console.log('Verification email sent!');\n * ```\n */\n async resendVerification(options: ResendVerificationOptions): Promise<SuccessResponse> {\n const url = `${this.config.authUrl}/verify/resend`;\n\n const body: Record<string, string> = {\n email: options.email,\n realm_id: this.config.realmId,\n };\n\n if (options.redirectUri) {\n body.redirect_uri = options.redirectUri;\n }\n\n return this.makeRequest<SuccessResponse>(url, body);\n }\n\n /**\n * Request a password reset email.\n *\n * Note: This endpoint always returns success to prevent email enumeration.\n *\n * @param options - Forgot password options\n * @returns Success response\n * @throws {OvixaAuthError} If request fails\n *\n * @example\n * ```typescript\n * await auth.forgotPassword({\n * email: 'user@example.com',\n * redirectUri: 'https://myapp.com/reset-password',\n * });\n * console.log('If the email exists, a reset link has been sent.');\n * ```\n */\n async forgotPassword(options: ForgotPasswordOptions): Promise<SuccessResponse> {\n const url = `${this.config.authUrl}/forgot-password`;\n\n const body: Record<string, string> = {\n email: options.email,\n realm_id: this.config.realmId,\n };\n\n if (options.redirectUri) {\n body.redirect_uri = options.redirectUri;\n }\n\n return this.makeRequest<SuccessResponse>(url, body);\n }\n\n /**\n * Reset password using a reset token.\n *\n * @param options - Reset password options\n * @returns Success response\n * @throws {OvixaAuthError} If reset fails\n *\n * @example\n * ```typescript\n * // Get token from URL query params\n * const token = new URLSearchParams(window.location.search).get('token');\n *\n * try {\n * await auth.resetPassword({\n * token,\n * password: 'NewSecurePassword123!',\n * });\n * console.log('Password reset successfully!');\n * } catch (error) {\n * if (error instanceof OvixaAuthError) {\n * if (error.code === 'INVALID_TOKEN') {\n * console.error('Invalid or expired reset link');\n * } else if (error.code === 'WEAK_PASSWORD') {\n * console.error('Password does not meet requirements');\n * }\n * }\n * }\n * ```\n */\n async resetPassword(options: ResetPasswordOptions): Promise<SuccessResponse> {\n const url = `${this.config.authUrl}/reset-password`;\n\n const body = {\n token: options.token,\n password: options.password,\n realm_id: this.config.realmId,\n };\n\n return this.makeRequest<SuccessResponse>(url, body);\n }\n\n /**\n * Revoke a refresh token (logout).\n *\n * @param refreshToken - The refresh token to revoke\n * @returns Success response\n * @throws {OvixaAuthError} If logout fails\n *\n * @example\n * ```typescript\n * await auth.logout(currentRefreshToken);\n * // Clear local token storage\n * localStorage.removeItem('refresh_token');\n * localStorage.removeItem('access_token');\n * ```\n */\n async logout(refreshToken: string): Promise<SuccessResponse> {\n const url = `${this.config.authUrl}/logout`;\n\n const body = {\n refresh_token: refreshToken,\n };\n\n return this.makeRequest<SuccessResponse>(url, body);\n }\n\n /**\n * Generate an OAuth authorization URL.\n *\n * Redirect the user to this URL to start the OAuth flow. After authentication,\n * the user will be redirected back to your `redirectUri` with an authorization code.\n * Use `exchangeOAuthCode()` to exchange the code for tokens.\n *\n * @param options - OAuth URL options\n * @returns The full OAuth authorization URL\n *\n * @example\n * ```typescript\n * const googleAuthUrl = auth.getOAuthUrl({\n * provider: 'google',\n * redirectUri: 'https://myapp.com/auth/callback',\n * });\n *\n * // Redirect user to start OAuth flow\n * window.location.href = googleAuthUrl;\n *\n * // In your callback handler:\n * // const code = new URLSearchParams(window.location.search).get('code');\n * // const tokens = await auth.exchangeOAuthCode(code);\n * ```\n */\n getOAuthUrl(options: GetOAuthUrlOptions): string {\n const url = new URL(`${this.config.authUrl}/oauth/${options.provider}`);\n url.searchParams.set('realm_id', this.config.realmId);\n url.searchParams.set('redirect_uri', options.redirectUri);\n return url.toString();\n }\n\n /**\n * Exchange an OAuth authorization code for tokens.\n *\n * After the OAuth flow completes, the user is redirected back to your app with\n * an authorization code in the URL query params. Use this method to exchange\n * that code for access and refresh tokens.\n *\n * Note: Authorization codes expire after 60 seconds.\n *\n * @param code - The authorization code from the OAuth callback URL\n * @returns Token response with access and refresh tokens\n * @throws {OvixaAuthError} If the exchange fails\n *\n * @example\n * ```typescript\n * // In your OAuth callback handler\n * const code = new URLSearchParams(window.location.search).get('code');\n *\n * if (code) {\n * try {\n * const tokens = await auth.exchangeOAuthCode(code);\n * console.log('OAuth successful!', tokens.access_token);\n *\n * // Check if this is a new user (first-time OAuth login)\n * if (tokens.is_new_user) {\n * // Show onboarding flow\n * }\n * } catch (error) {\n * if (error instanceof OvixaAuthError) {\n * if (error.code === 'INVALID_CODE') {\n * console.error('Invalid or expired authorization code');\n * }\n * }\n * }\n * }\n * ```\n */\n async exchangeOAuthCode(code: string): Promise<TokenResponse> {\n const url = `${this.config.authUrl}/oauth/token`;\n\n const body = {\n code,\n realm_id: this.config.realmId,\n };\n\n return this.makeRequest<TokenResponse>(url, body);\n }\n\n /**\n * Transform a token response into an AuthResult with user and session data.\n *\n * This method decodes the access token to extract user information and\n * creates a structured result object.\n *\n * @param tokenResponse - The token response from login, verify, or refresh\n * @returns AuthResult with user and session data\n * @throws {OvixaAuthError} If the access token cannot be decoded\n *\n * @example\n * ```typescript\n * const tokens = await auth.login({ email, password });\n * const result = await auth.toAuthResult(tokens);\n *\n * console.log('User ID:', result.user.id);\n * console.log('Email:', result.user.email);\n * console.log('Expires at:', result.session.expiresAt);\n * ```\n */\n async toAuthResult(tokenResponse: TokenResponse): Promise<AuthResult> {\n // Verify and decode the access token\n const verified = await this.verifyToken(tokenResponse.access_token);\n\n const user: User = {\n id: verified.payload.sub,\n email: verified.payload.email,\n emailVerified: verified.payload.email_verified,\n };\n\n const session: Session = {\n accessToken: tokenResponse.access_token,\n refreshToken: tokenResponse.refresh_token,\n expiresAt: new Date(Date.now() + tokenResponse.expires_in * 1000),\n };\n\n const result: AuthResult = { user, session };\n\n if (tokenResponse.is_new_user !== undefined) {\n result.isNewUser = tokenResponse.is_new_user;\n }\n\n return result;\n }\n\n /**\n * Delete the current user's own account.\n *\n * This permanently deletes the user's account and all associated data.\n * Password re-authentication is required to prevent accidental deletion.\n *\n * @param options - Delete account options\n * @returns Success response\n * @throws {OvixaAuthError} If deletion fails\n *\n * @example\n * ```typescript\n * try {\n * await auth.deleteMyAccount({\n * accessToken: session.accessToken,\n * password: 'current-password',\n * });\n * console.log('Account deleted successfully');\n * // Clear local session storage\n * } catch (error) {\n * if (error instanceof OvixaAuthError) {\n * if (error.code === 'INVALID_CREDENTIALS') {\n * console.error('Incorrect password');\n * } else if (error.code === 'UNAUTHORIZED') {\n * console.error('Invalid or expired access token');\n * }\n * }\n * }\n * ```\n */\n async deleteMyAccount(options: DeleteMyAccountOptions): Promise<SuccessResponse> {\n const url = `${this.config.authUrl}/me`;\n\n try {\n const response = await fetch(url, {\n method: 'DELETE',\n headers: {\n 'Content-Type': 'application/json',\n Authorization: `Bearer ${options.accessToken}`,\n },\n body: JSON.stringify({\n password: options.password,\n }),\n });\n\n if (!response.ok) {\n const errorBody = await response.json().catch(() => ({}));\n const errorData = errorBody as { error?: { code?: string; message?: string } | string };\n\n let errorCode: string;\n let errorMessage: string;\n\n if (typeof errorData.error === 'object' && errorData.error) {\n errorCode = errorData.error.code || this.mapHttpStatusToErrorCode(response.status);\n errorMessage = errorData.error.message || 'Request failed';\n } else {\n errorCode = this.mapHttpStatusToErrorCode(response.status);\n errorMessage = typeof errorData.error === 'string' ? errorData.error : 'Request failed';\n }\n\n throw new OvixaAuthError(errorMessage, errorCode, response.status);\n }\n\n return (await response.json()) as SuccessResponse;\n } catch (error) {\n if (error instanceof OvixaAuthError) {\n throw error;\n }\n\n if (error instanceof Error) {\n throw new OvixaAuthError(`Network error: ${error.message}`, 'NETWORK_ERROR');\n }\n\n throw new OvixaAuthError('Request failed', 'REQUEST_FAILED');\n }\n }\n\n /**\n * Make an authenticated POST request to the auth service.\n */\n private async makeRequest<T>(url: string, body: Record<string, unknown>): Promise<T> {\n try {\n const response = await fetch(url, {\n method: 'POST',\n headers: {\n 'Content-Type': 'application/json',\n },\n body: JSON.stringify(body),\n });\n\n if (!response.ok) {\n const errorBody = await response.json().catch(() => ({}));\n const errorData = errorBody as { error?: { code?: string; message?: string } | string };\n\n let errorCode: string;\n let errorMessage: string;\n\n if (typeof errorData.error === 'object' && errorData.error) {\n errorCode = errorData.error.code || this.mapHttpStatusToErrorCode(response.status);\n errorMessage = errorData.error.message || 'Request failed';\n } else {\n errorCode = this.mapHttpStatusToErrorCode(response.status);\n errorMessage = typeof errorData.error === 'string' ? errorData.error : 'Request failed';\n }\n\n throw new OvixaAuthError(errorMessage, errorCode, response.status);\n }\n\n return (await response.json()) as T;\n } catch (error) {\n if (error instanceof OvixaAuthError) {\n throw error;\n }\n\n if (error instanceof Error) {\n throw new OvixaAuthError(`Network error: ${error.message}`, 'NETWORK_ERROR');\n }\n\n throw new OvixaAuthError('Request failed', 'REQUEST_FAILED');\n }\n }\n\n /**\n * Map HTTP status codes to error codes.\n */\n private mapHttpStatusToErrorCode(status: number): string {\n switch (status) {\n case 400:\n return 'BAD_REQUEST';\n case 401:\n return 'UNAUTHORIZED';\n case 403:\n return 'FORBIDDEN';\n case 404:\n return 'NOT_FOUND';\n case 429:\n return 'RATE_LIMITED';\n case 500:\n case 502:\n case 503:\n return 'SERVER_ERROR';\n default:\n return 'UNKNOWN_ERROR';\n }\n }\n\n /**\n * Get the admin API interface for realm-scoped operations.\n *\n * Admin operations require clientSecret to be configured.\n * These operations allow managing users within the realm boundary.\n *\n * @returns OvixaAuthAdmin interface for admin operations\n * @throws {OvixaAuthError} If clientSecret is not configured\n *\n * @example\n * ```typescript\n * const auth = new OvixaAuth({\n * authUrl: 'https://auth.ovixa.io',\n * realmId: 'your-realm',\n * clientSecret: process.env.OVIXA_CLIENT_SECRET,\n * });\n *\n * // Delete a user from the realm\n * await auth.admin.deleteUser({ userId: 'user-id-to-delete' });\n * ```\n */\n get admin(): OvixaAuthAdmin {\n if (!this.config.clientSecret) {\n throw new OvixaAuthError(\n 'clientSecret is required for admin operations',\n 'CLIENT_SECRET_REQUIRED'\n );\n }\n return new OvixaAuthAdmin(this.config);\n }\n\n /**\n * Get the WebAuthn API interface for passkey operations.\n *\n * The WebAuthn namespace provides methods for registering and authenticating\n * with passkeys, as well as managing existing passkeys.\n *\n * @returns OvixaAuthWebAuthn interface for passkey operations\n *\n * @example\n * ```typescript\n * const auth = new OvixaAuth({\n * authUrl: 'https://auth.ovixa.io',\n * realmId: 'your-realm',\n * });\n *\n * // Register a passkey\n * const options = await auth.webauthn.getRegistrationOptions({ accessToken });\n *\n * // Authenticate with passkey\n * const authOptions = await auth.webauthn.getAuthenticationOptions();\n *\n * // List passkeys\n * const { passkeys } = await auth.webauthn.listPasskeys({ accessToken });\n *\n * // Delete a passkey\n * await auth.webauthn.deletePasskey({ accessToken, credentialId });\n * ```\n */\n get webauthn(): OvixaAuthWebAuthn {\n return new OvixaAuthWebAuthn(this.config);\n }\n}\n\n/**\n * Admin API interface for realm-scoped operations.\n *\n * This class provides methods for managing users within the realm boundary.\n * All operations are authenticated using the realm's client_secret.\n *\n * @example\n * ```typescript\n * // Access via OvixaAuth.admin\n * await auth.admin.deleteUser({ userId: 'user-id' });\n * ```\n */\nclass OvixaAuthAdmin {\n private config: InternalConfig;\n\n constructor(config: InternalConfig) {\n this.config = config;\n }\n\n /**\n * Delete a user from the realm.\n *\n * This permanently deletes the user and all associated data (tokens, OAuth accounts).\n * The user must belong to this realm.\n *\n * @param options - Delete user options\n * @returns Success response\n * @throws {OvixaAuthError} If deletion fails\n *\n * @example\n * ```typescript\n * try {\n * await auth.admin.deleteUser({ userId: 'user-id-to-delete' });\n * console.log('User deleted successfully');\n * } catch (error) {\n * if (error instanceof OvixaAuthError) {\n * if (error.code === 'NOT_FOUND') {\n * console.error('User not found');\n * } else if (error.code === 'FORBIDDEN') {\n * console.error('User does not belong to this realm');\n * }\n * }\n * }\n * ```\n */\n async deleteUser(options: DeleteUserOptions): Promise<SuccessResponse> {\n const url = `${this.config.authUrl}/realms/${this.config.realmId}/users/${options.userId}`;\n\n try {\n const response = await fetch(url, {\n method: 'DELETE',\n headers: {\n Authorization: `RealmSecret ${this.config.clientSecret}`,\n },\n });\n\n if (!response.ok) {\n const errorBody = await response.json().catch(() => ({}));\n const errorData = errorBody as { error?: { code?: string; message?: string } | string };\n\n let errorCode: string;\n let errorMessage: string;\n\n if (typeof errorData.error === 'object' && errorData.error) {\n errorCode = errorData.error.code || this.mapHttpStatusToErrorCode(response.status);\n errorMessage = errorData.error.message || 'Request failed';\n } else {\n errorCode = this.mapHttpStatusToErrorCode(response.status);\n errorMessage = typeof errorData.error === 'string' ? errorData.error : 'Request failed';\n }\n\n throw new OvixaAuthError(errorMessage, errorCode, response.status);\n }\n\n return (await response.json()) as SuccessResponse;\n } catch (error) {\n if (error instanceof OvixaAuthError) {\n throw error;\n }\n\n if (error instanceof Error) {\n throw new OvixaAuthError(`Network error: ${error.message}`, 'NETWORK_ERROR');\n }\n\n throw new OvixaAuthError('Request failed', 'REQUEST_FAILED');\n }\n }\n\n /**\n * Map HTTP status codes to error codes.\n */\n private mapHttpStatusToErrorCode(status: number): string {\n switch (status) {\n case 400:\n return 'BAD_REQUEST';\n case 401:\n return 'UNAUTHORIZED';\n case 403:\n return 'FORBIDDEN';\n case 404:\n return 'NOT_FOUND';\n case 429:\n return 'RATE_LIMITED';\n case 500:\n case 502:\n case 503:\n return 'SERVER_ERROR';\n default:\n return 'UNKNOWN_ERROR';\n }\n }\n}\n\n/**\n * WebAuthn namespace API for passkey operations.\n *\n * Access via `auth.webauthn` property.\n *\n * @example\n * ```typescript\n * // Register a new passkey\n * const options = await auth.webauthn.getRegistrationOptions({ accessToken });\n * // ... use browser API to create credential ...\n * await auth.webauthn.verifyRegistration({ accessToken, registration, deviceName });\n *\n * // Authenticate with passkey\n * const authOptions = await auth.webauthn.getAuthenticationOptions();\n * // ... use browser API to get credential ...\n * const tokens = await auth.webauthn.authenticate({ authentication });\n *\n * // Manage passkeys\n * const { passkeys } = await auth.webauthn.listPasskeys({ accessToken });\n * await auth.webauthn.deletePasskey({ accessToken, credentialId: passkeys[0].credential_id });\n * ```\n */\nclass OvixaAuthWebAuthn {\n private config: InternalConfig;\n\n constructor(config: InternalConfig) {\n this.config = config;\n }\n\n /**\n * Get registration options for creating a new passkey.\n *\n * The user must be logged in to register a passkey. Use the returned options\n * with navigator.credentials.create() to create the credential.\n *\n * @param options - Registration options with access token\n * @returns Registration options to pass to navigator.credentials.create()\n * @throws {OvixaAuthError} If request fails\n */\n async getRegistrationOptions(\n options: GetPasskeyRegistrationOptionsOptions\n ): Promise<PasskeyRegistrationOptions> {\n const url = `${this.config.authUrl}/webauthn/register/options`;\n\n try {\n const response = await fetch(url, {\n method: 'POST',\n headers: {\n 'Content-Type': 'application/json',\n Authorization: `Bearer ${options.accessToken}`,\n },\n body: JSON.stringify({\n realm_id: this.config.realmId,\n }),\n });\n\n if (!response.ok) {\n await this.handleErrorResponse(response);\n }\n\n return (await response.json()) as PasskeyRegistrationOptions;\n } catch (error) {\n if (error instanceof OvixaAuthError) {\n throw error;\n }\n if (error instanceof Error) {\n throw new OvixaAuthError(`Network error: ${error.message}`, 'NETWORK_ERROR');\n }\n throw new OvixaAuthError('Request failed', 'REQUEST_FAILED');\n }\n }\n\n /**\n * Verify a passkey registration and store the credential.\n *\n * Call this after navigator.credentials.create() succeeds to complete the\n * registration on the server.\n *\n * @param options - Verification options with registration response\n * @returns Registration response with credential ID\n * @throws {OvixaAuthError} If verification fails\n */\n async verifyRegistration(\n options: VerifyPasskeyRegistrationOptions\n ): Promise<PasskeyRegistrationResponse> {\n const url = `${this.config.authUrl}/webauthn/register/verify`;\n\n const body: Record<string, unknown> = {\n realm_id: this.config.realmId,\n registration: options.registration,\n };\n\n if (options.deviceName) {\n body.device_name = options.deviceName;\n }\n\n try {\n const response = await fetch(url, {\n method: 'POST',\n headers: {\n 'Content-Type': 'application/json',\n Authorization: `Bearer ${options.accessToken}`,\n },\n body: JSON.stringify(body),\n });\n\n if (!response.ok) {\n await this.handleErrorResponse(response);\n }\n\n return (await response.json()) as PasskeyRegistrationResponse;\n } catch (error) {\n if (error instanceof OvixaAuthError) {\n throw error;\n }\n if (error instanceof Error) {\n throw new OvixaAuthError(`Network error: ${error.message}`, 'NETWORK_ERROR');\n }\n throw new OvixaAuthError('Request failed', 'REQUEST_FAILED');\n }\n }\n\n /**\n * Get authentication options for signing in with a passkey.\n *\n * Use the returned options with navigator.credentials.get() to authenticate.\n *\n * @param options - Optional email for allowCredentials hint\n * @returns Authentication options to pass to navigator.credentials.get()\n * @throws {OvixaAuthError} If request fails\n */\n async getAuthenticationOptions(\n options?: GetPasskeyAuthenticationOptionsOptions\n ): Promise<PasskeyAuthenticationOptions> {\n const url = `${this.config.authUrl}/webauthn/authenticate/options`;\n\n const body: Record<string, string> = {\n realm_id: this.config.realmId,\n };\n\n if (options?.email) {\n body.email = options.email;\n }\n\n try {\n const response = await fetch(url, {\n method: 'POST',\n headers: {\n 'Content-Type': 'application/json',\n },\n body: JSON.stringify(body),\n });\n\n if (!response.ok) {\n await this.handleErrorResponse(response);\n }\n\n return (await response.json()) as PasskeyAuthenticationOptions;\n } catch (error) {\n if (error instanceof OvixaAuthError) {\n throw error;\n }\n if (error instanceof Error) {\n throw new OvixaAuthError(`Network error: ${error.message}`, 'NETWORK_ERROR');\n }\n throw new OvixaAuthError('Request failed', 'REQUEST_FAILED');\n }\n }\n\n /**\n * Verify a passkey authentication and get tokens.\n *\n * Call this after navigator.credentials.get() succeeds to complete the\n * authentication and receive access/refresh tokens.\n *\n * @param options - Verification options with authentication response\n * @returns Token response with access and refresh tokens\n * @throws {OvixaAuthError} If verification fails\n */\n async authenticate(options: VerifyPasskeyAuthenticationOptions): Promise<TokenResponse> {\n const url = `${this.config.authUrl}/webauthn/authenticate/verify`;\n\n const body = {\n realm_id: this.config.realmId,\n authentication: options.authentication,\n };\n\n try {\n const response = await fetch(url, {\n method: 'POST',\n headers: {\n 'Content-Type': 'application/json',\n },\n body: JSON.stringify(body),\n });\n\n if (!response.ok) {\n await this.handleErrorResponse(response);\n }\n\n return (await response.json()) as TokenResponse;\n } catch (error) {\n if (error instanceof OvixaAuthError) {\n throw error;\n }\n if (error instanceof Error) {\n throw new OvixaAuthError(`Network error: ${error.message}`, 'NETWORK_ERROR');\n }\n throw new OvixaAuthError('Request failed', 'REQUEST_FAILED');\n }\n }\n\n /**\n * List all passkeys for the authenticated user.\n *\n * @param options - Options with access token\n * @returns List of passkeys\n * @throws {OvixaAuthError} If request fails\n *\n * @example\n * ```typescript\n * const { passkeys } = await auth.webauthn.listPasskeys({ accessToken });\n * for (const passkey of passkeys) {\n * console.log(passkey.device_name, passkey.created_at);\n * }\n * ```\n */\n async listPasskeys(options: ListPasskeysOptions): Promise<ListPasskeysResponse> {\n const url = `${this.config.authUrl}/webauthn/passkeys`;\n\n try {\n const response = await fetch(url, {\n method: 'POST',\n headers: {\n 'Content-Type': 'application/json',\n Authorization: `Bearer ${options.accessToken}`,\n },\n body: JSON.stringify({\n realm_id: this.config.realmId,\n }),\n });\n\n if (!response.ok) {\n await this.handleErrorResponse(response);\n }\n\n return (await response.json()) as ListPasskeysResponse;\n } catch (error) {\n if (error instanceof OvixaAuthError) {\n throw error;\n }\n if (error instanceof Error) {\n throw new OvixaAuthError(`Network error: ${error.message}`, 'NETWORK_ERROR');\n }\n throw new OvixaAuthError('Request failed', 'REQUEST_FAILED');\n }\n }\n\n /**\n * Delete a passkey for the authenticated user.\n *\n * @param options - Options with access token and credential ID\n * @returns Success response\n * @throws {OvixaAuthError} If deletion fails\n *\n * @example\n * ```typescript\n * await auth.webauthn.deletePasskey({\n * accessToken,\n * credentialId: 'credential-id-to-delete',\n * });\n * ```\n */\n async deletePasskey(options: DeletePasskeyOptions): Promise<{ success: boolean }> {\n const url = `${this.config.authUrl}/webauthn/passkeys/${encodeURIComponent(options.credentialId)}`;\n\n try {\n const response = await fetch(url, {\n method: 'DELETE',\n headers: {\n 'Content-Type': 'application/json',\n Authorization: `Bearer ${options.accessToken}`,\n },\n body: JSON.stringify({\n realm_id: this.config.realmId,\n }),\n });\n\n if (!response.ok) {\n await this.handleErrorResponse(response);\n }\n\n return (await response.json()) as { success: boolean };\n } catch (error) {\n if (error instanceof OvixaAuthError) {\n throw error;\n }\n if (error instanceof Error) {\n throw new OvixaAuthError(`Network error: ${error.message}`, 'NETWORK_ERROR');\n }\n throw new OvixaAuthError('Request failed', 'REQUEST_FAILED');\n }\n }\n\n /**\n * Handle error response from the server.\n * @throws {OvixaAuthError} Always throws with appropriate error details\n */\n private async handleErrorResponse(response: Response): Promise<never> {\n const errorBody = await response.json().catch(() => ({}));\n const errorData = errorBody as { error?: { code?: string; message?: string } | string };\n\n let errorCode: string;\n let errorMessage: string;\n\n if (typeof errorData.error === 'object' && errorData.error) {\n errorCode = errorData.error.code || this.mapHttpStatusToErrorCode(response.status);\n errorMessage = errorData.error.message || 'Request failed';\n } else {\n errorCode = this.mapHttpStatusToErrorCode(response.status);\n errorMessage = typeof errorData.error === 'string' ? errorData.error : 'Request failed';\n }\n\n throw new OvixaAuthError(errorMessage, errorCode, response.status);\n }\n\n /**\n * Map HTTP status codes to error codes.\n */\n private mapHttpStatusToErrorCode(status: number): string {\n switch (status) {\n case 400:\n return 'BAD_REQUEST';\n case 401:\n return 'UNAUTHORIZED';\n case 403:\n return 'FORBIDDEN';\n case 404:\n return 'NOT_FOUND';\n case 429:\n return 'RATE_LIMITED';\n case 500:\n case 502:\n case 503:\n return 'SERVER_ERROR';\n default:\n return 'UNKNOWN_ERROR';\n }\n }\n}\n\n// ============================================================\n// WebAuthn Browser Utilities\n// ============================================================\n\n/**\n * Convert an ArrayBuffer to a base64url-encoded string.\n * Used to encode credential IDs and other binary data for API calls.\n *\n * @param buffer - The ArrayBuffer to encode\n * @returns Base64url-encoded string\n *\n * @example\n * ```typescript\n * const encoded = arrayBufferToBase64Url(credential.rawId);\n * ```\n */\nexport function arrayBufferToBase64Url(buffer: ArrayBuffer): string {\n const bytes = new Uint8Array(buffer);\n let binary = '';\n for (const byte of bytes) {\n binary += String.fromCharCode(byte);\n }\n return btoa(binary).replace(/\\+/g, '-').replace(/\\//g, '_').replace(/=+$/, '');\n}\n\n/**\n * Convert a base64url-encoded string to an ArrayBuffer.\n * Used to decode challenge and credential IDs from API responses.\n *\n * @param base64url - The base64url-encoded string\n * @returns ArrayBuffer\n *\n * @example\n * ```typescript\n * const challenge = base64UrlToArrayBuffer(options.challenge);\n * ```\n */\nexport function base64UrlToArrayBuffer(base64url: string): ArrayBuffer {\n // Convert base64url to base64\n const base64 = base64url.replace(/-/g, '+').replace(/_/g, '/');\n // Add padding if needed\n const padded = base64 + '='.repeat((4 - (base64.length % 4)) % 4);\n // Decode\n const binary = atob(padded);\n const bytes = new Uint8Array(binary.length);\n for (let i = 0; i < binary.length; i++) {\n bytes[i] = binary.charCodeAt(i);\n }\n return bytes.buffer;\n}\n\n/**\n * Prepare registration options for navigator.credentials.create().\n * Converts server response to the format expected by the browser API.\n *\n * @param options - Registration options from getPasskeyRegistrationOptions()\n * @returns PublicKeyCredentialCreationOptions for navigator.credentials.create()\n *\n * @example\n * ```typescript\n * const serverOptions = await auth.getPasskeyRegistrationOptions({ accessToken });\n * const browserOptions = prepareRegistrationOptions(serverOptions);\n * const credential = await navigator.credentials.create({ publicKey: browserOptions });\n * ```\n */\nexport function prepareRegistrationOptions(\n options: PasskeyRegistrationOptions\n): PublicKeyCredentialCreationOptions {\n // Defensive handling for excludeCredentials - may be null/undefined from server\n const excludeCredentials = Array.isArray(options.excludeCredentials)\n ? options.excludeCredentials\n : [];\n\n const decodedExcludeCredentials: PublicKeyCredentialDescriptor[] = [];\n for (const cred of excludeCredentials) {\n try {\n decodedExcludeCredentials.push({\n id: base64UrlToArrayBuffer(cred.id),\n type: cred.type,\n transports: cred.transports as AuthenticatorTransport[] | undefined,\n });\n } catch {\n // Skip malformed credential IDs to prevent browser WebAuthn API errors\n console.warn('[ovixa/auth-client] Skipping malformed credential ID:', cred.id);\n }\n }\n\n return {\n challenge: base64UrlToArrayBuffer(options.challenge),\n rp: options.rp,\n user: {\n id: new TextEncoder().encode(options.user.id),\n name: options.user.name,\n displayName: options.user.displayName,\n },\n pubKeyCredParams: options.pubKeyCredParams,\n excludeCredentials: decodedExcludeCredentials,\n authenticatorSelection: options.authenticatorSelection,\n timeout: options.timeout,\n attestation: options.attestation,\n };\n}\n\n/**\n * Prepare authentication options for navigator.credentials.get().\n * Converts server response to the format expected by the browser API.\n *\n * @param options - Authentication options from getPasskeyAuthenticationOptions()\n * @returns PublicKeyCredentialRequestOptions for navigator.credentials.get()\n *\n * @example\n * ```typescript\n * const serverOptions = await auth.getPasskeyAuthenticationOptions();\n * const browserOptions = prepareAuthenticationOptions(serverOptions);\n * const credential = await navigator.credentials.get({ publicKey: browserOptions });\n * ```\n */\nexport function prepareAuthenticationOptions(\n options: PasskeyAuthenticationOptions\n): PublicKeyCredentialRequestOptions {\n // Defensive handling for allowCredentials - may be null/undefined from server\n const allowCredentials = Array.isArray(options.allowCredentials) ? options.allowCredentials : [];\n\n const decodedAllowCredentials: PublicKeyCredentialDescriptor[] = [];\n for (const cred of allowCredentials) {\n try {\n decodedAllowCredentials.push({\n id: base64UrlToArrayBuffer(cred.id),\n type: cred.type,\n transports: cred.transports as AuthenticatorTransport[] | undefined,\n });\n } catch {\n // Skip malformed credential IDs to prevent browser WebAuthn API errors\n console.warn('[ovixa/auth-client] Skipping malformed credential ID:', cred.id);\n }\n }\n\n return {\n challenge: base64UrlToArrayBuffer(options.challenge),\n rpId: options.rpId,\n allowCredentials: decodedAllowCredentials,\n userVerification: options.userVerification,\n timeout: options.timeout,\n };\n}\n\n/**\n * Format a registration credential response for the server.\n * Converts browser API response to the format expected by verifyPasskeyRegistration().\n *\n * @param credential - The credential from navigator.credentials.create()\n * @returns Formatted registration object for verifyPasskeyRegistration()\n *\n * @example\n * ```typescript\n * const credential = await navigator.credentials.create({ publicKey: options });\n * const registration = formatRegistrationResponse(credential as PublicKeyCredential);\n * await auth.verifyPasskeyRegistration({ accessToken, registration });\n * ```\n */\nexport function formatRegistrationResponse(credential: PublicKeyCredential): {\n id: string;\n rawId: string;\n type: 'public-key';\n response: {\n clientDataJSON: string;\n attestationObject: string;\n transports?: string[];\n };\n authenticatorAttachment?: 'platform' | 'cross-platform';\n} {\n const response = credential.response as AuthenticatorAttestationResponse;\n\n return {\n id: credential.id,\n rawId: arrayBufferToBase64Url(credential.rawId),\n type: 'public-key',\n response: {\n clientDataJSON: arrayBufferToBase64Url(response.clientDataJSON),\n attestationObject: arrayBufferToBase64Url(response.attestationObject),\n transports: response.getTransports?.() as string[] | undefined,\n },\n authenticatorAttachment: credential.authenticatorAttachment as\n | 'platform'\n | 'cross-platform'\n | undefined,\n };\n}\n\n/**\n * Format an authentication credential response for the server.\n * Converts browser API response to the format expected by verifyPasskeyAuthentication().\n *\n * @param credential - The credential from navigator.credentials.get()\n * @returns Formatted authentication object for verifyPasskeyAuthentication()\n *\n * @example\n * ```typescript\n * const credential = await navigator.credentials.get({ publicKey: options });\n * const authentication = formatAuthenticationResponse(credential as PublicKeyCredential);\n * const tokens = await auth.verifyPasskeyAuthentication({ authentication });\n * ```\n */\nexport function formatAuthenticationResponse(credential: PublicKeyCredential): {\n id: string;\n rawId: string;\n type: 'public-key';\n response: {\n clientDataJSON: string;\n authenticatorData: string;\n signature: string;\n userHandle: string | null;\n };\n authenticatorAttachment?: 'platform' | 'cross-platform';\n} {\n const response = credential.response as AuthenticatorAssertionResponse;\n\n return {\n id: credential.id,\n rawId: arrayBufferToBase64Url(credential.rawId),\n type: 'public-key',\n response: {\n clientDataJSON: arrayBufferToBase64Url(response.clientDataJSON),\n authenticatorData: arrayBufferToBase64Url(response.authenticatorData),\n signature: arrayBufferToBase64Url(response.signature),\n userHandle: response.userHandle ? arrayBufferToBase64Url(response.userHandle) : null,\n },\n authenticatorAttachment: credential.authenticatorAttachment as\n | 'platform'\n | 'cross-platform'\n | undefined,\n };\n}\n"],"mappings":";AAOA;AAAA,EACE;AAAA,EACA;AAAA,OAIK;AAwWA,IAAM,iBAAN,cAA6B,MAAM;AAAA,EACxC,YACE,SACgB,MACA,YAChB;AACA,UAAM,OAAO;AAHG;AACA;AAGhB,SAAK,OAAO;AAAA,EACd;AACF;AAUA,IAAM,yBAAyB,KAAK,KAAK;AAgClC,IAAM,YAAN,MAAgB;AAAA,EACb;AAAA,EACA,YAA8B;AAAA,EAEtC,YAAY,QAA0B;AAEpC,UAAM,UAAU,OAAO,QAAQ,QAAQ,OAAO,EAAE;AAEhD,SAAK,SAAS;AAAA,MACZ;AAAA,MACA,SAAS,OAAO;AAAA,MAChB,cAAc,OAAO;AAAA,MACrB,cAAc,OAAO,gBAAgB;AAAA,IACvC;AAAA,EACF;AAAA;AAAA,EAGA,IAAI,UAAkB;AACpB,WAAO,KAAK,OAAO;AAAA,EACrB;AAAA;AAAA,EAGA,IAAI,UAAkB;AACpB,WAAO,KAAK,OAAO;AAAA,EACrB;AAAA;AAAA;AAAA;AAAA,EAKA,IAAI,UAAkB;AACpB,WAAO,GAAG,KAAK,OAAO,OAAO;AAAA,EAC/B;AAAA;AAAA;AAAA;AAAA;AAAA,EAMQ,iBAA8B;AACpC,UAAM,MAAM,KAAK,IAAI;AAGrB,QAAI,KAAK,aAAa,MAAM,KAAK,UAAU,YAAY,KAAK,OAAO,cAAc;AAC/E,aAAO,KAAK,UAAU;AAAA,IACxB;AAGA,UAAM,UAAU,IAAI,IAAI,KAAK,OAAO;AACpC,UAAM,UAAU,mBAAmB,SAAS;AAAA;AAAA;AAAA,MAG1C,aAAa,KAAK,OAAO;AAAA,IAC3B,CAAC;AAED,SAAK,YAAY;AAAA,MACf;AAAA,MACA,WAAW;AAAA,IACb;AAEA,WAAO;AAAA,EACT;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAyBA,MAAM,YAAY,OAAsC;AACtD,QAAI;AACF,YAAM,OAAO,KAAK,eAAe;AAEjC,YAAM,SAA8C,MAAM,UAAU,OAAO,MAAM;AAAA,QAC/E,YAAY,CAAC,OAAO;AAAA,QACpB,QAAQ,KAAK,OAAO;AAAA;AAAA,QAEpB,UAAU,KAAK,OAAO;AAAA,MACxB,CAAC;AAGD,YAAM,UAAU,OAAO;AACvB,UAAI,CAAC,QAAQ,OAAO,CAAC,QAAQ,SAAS,QAAQ,mBAAmB,QAAW;AAC1E,cAAM,IAAI,eAAe,oCAAoC,gBAAgB;AAAA,MAC/E;AAEA,aAAO;AAAA,QACL;AAAA,QACA,iBAAiB,OAAO;AAAA,MAC1B;AAAA,IACF,SAAS,OAAO;AACd,UAAI,iBAAiB,gBAAgB;AACnC,cAAM;AAAA,MACR;AAGA,UAAI,iBAAiB,OAAO;AAC1B,cAAM,UAAU,MAAM;AAEtB,YAAI,QAAQ,SAAS,SAAS,GAAG;AAC/B,gBAAM,IAAI,eAAe,qBAAqB,eAAe;AAAA,QAC/D;AACA,YAAI,QAAQ,SAAS,WAAW,GAAG;AACjC,gBAAM,IAAI,eAAe,2BAA2B,mBAAmB;AAAA,QACzE;AACA,YAAI,QAAQ,SAAS,QAAQ,GAAG;AAC9B,gBAAM,IAAI,eAAe,wBAAwB,gBAAgB;AAAA,QACnE;AACA,YAAI,QAAQ,SAAS,UAAU,GAAG;AAChC,gBAAM,IAAI,eAAe,0BAA0B,kBAAkB;AAAA,QACvE;AACA,YAAI,QAAQ,SAAS,WAAW,GAAG;AACjC,gBAAM,IAAI,eAAe,mBAAmB,iBAAiB;AAAA,QAC/D;AAEA,cAAM,IAAI,eAAe,8BAA8B,OAAO,IAAI,qBAAqB;AAAA,MACzF;AAEA,YAAM,IAAI,eAAe,6BAA6B,qBAAqB;AAAA,IAC7E;AAAA,EACF;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EA0BA,MAAM,aAAa,cAA8C;AAC/D,UAAM,MAAM,GAAG,KAAK,OAAO,OAAO;AAElC,QAAI;AACF,YAAM,WAAW,MAAM,MAAM,KAAK;AAAA,QAChC,QAAQ;AAAA,QACR,SAAS;AAAA,UACP,gBAAgB;AAAA,QAClB;AAAA,QACA,MAAM,KAAK,UAAU;AAAA,UACnB,eAAe;AAAA,QACjB,CAAC;AAAA,MACH,CAAC;AAED,UAAI,CAAC,SAAS,IAAI;AAChB,cAAM,YAAY,MAAM,SAAS,KAAK,EAAE,MAAM,OAAO,CAAC,EAAE;AACxD,cAAM,eAAgB,UAAiC,SAAS;AAChE,cAAM,YAAY,KAAK,yBAAyB,SAAS,MAAM;AAE/D,cAAM,IAAI,eAAe,cAAc,WAAW,SAAS,MAAM;AAAA,MACnE;AAEA,YAAM,OAAQ,MAAM,SAAS,KAAK;AAClC,aAAO;AAAA,IACT,SAAS,OAAO;AACd,UAAI,iBAAiB,gBAAgB;AACnC,cAAM;AAAA,MACR;AAEA,UAAI,iBAAiB,OAAO;AAC1B,cAAM,IAAI,eAAe,kBAAkB,MAAM,OAAO,IAAI,eAAe;AAAA,MAC7E;AAEA,YAAM,IAAI,eAAe,wBAAwB,gBAAgB;AAAA,IACnE;AAAA,EACF;AAAA;AAAA;AAAA;AAAA;AAAA,EAMA,iBAAuB;AACrB,SAAK,YAAY;AAAA,EACnB;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EA8BA,MAAM,OAAO,SAAiD;AAC5D,UAAM,MAAM,GAAG,KAAK,OAAO,OAAO;AAElC,UAAM,OAA+B;AAAA,MACnC,OAAO,QAAQ;AAAA,MACf,UAAU,QAAQ;AAAA,MAClB,UAAU,KAAK,OAAO;AAAA,IACxB;AAEA,QAAI,QAAQ,aAAa;AACvB,WAAK,eAAe,QAAQ;AAAA,IAC9B;AAEA,WAAO,KAAK,YAA4B,KAAK,IAAI;AAAA,EACnD;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EA4BA,MAAM,MAAM,SAA+C;AACzD,UAAM,MAAM,GAAG,KAAK,OAAO,OAAO;AAElC,UAAM,OAAO;AAAA,MACX,OAAO,QAAQ;AAAA,MACf,UAAU,QAAQ;AAAA,MAClB,UAAU,KAAK,OAAO;AAAA,IACxB;AAEA,WAAO,KAAK,YAA2B,KAAK,IAAI;AAAA,EAClD;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EA2BA,MAAM,YAAY,SAAqD;AACrE,UAAM,MAAM,GAAG,KAAK,OAAO,OAAO;AAElC,UAAM,OAAO;AAAA,MACX,OAAO,QAAQ;AAAA,MACf,UAAU,KAAK,OAAO;AAAA,MACtB,MAAM;AAAA,IACR;AAEA,WAAO,KAAK,YAA2B,KAAK,IAAI;AAAA,EAClD;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAkBA,MAAM,mBAAmB,SAA8D;AACrF,UAAM,MAAM,GAAG,KAAK,OAAO,OAAO;AAElC,UAAM,OAA+B;AAAA,MACnC,OAAO,QAAQ;AAAA,MACf,UAAU,KAAK,OAAO;AAAA,IACxB;AAEA,QAAI,QAAQ,aAAa;AACvB,WAAK,eAAe,QAAQ;AAAA,IAC9B;AAEA,WAAO,KAAK,YAA6B,KAAK,IAAI;AAAA,EACpD;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAoBA,MAAM,eAAe,SAA0D;AAC7E,UAAM,MAAM,GAAG,KAAK,OAAO,OAAO;AAElC,UAAM,OAA+B;AAAA,MACnC,OAAO,QAAQ;AAAA,MACf,UAAU,KAAK,OAAO;AAAA,IACxB;AAEA,QAAI,QAAQ,aAAa;AACvB,WAAK,eAAe,QAAQ;AAAA,IAC9B;AAEA,WAAO,KAAK,YAA6B,KAAK,IAAI;AAAA,EACpD;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EA+BA,MAAM,cAAc,SAAyD;AAC3E,UAAM,MAAM,GAAG,KAAK,OAAO,OAAO;AAElC,UAAM,OAAO;AAAA,MACX,OAAO,QAAQ;AAAA,MACf,UAAU,QAAQ;AAAA,MAClB,UAAU,KAAK,OAAO;AAAA,IACxB;AAEA,WAAO,KAAK,YAA6B,KAAK,IAAI;AAAA,EACpD;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAiBA,MAAM,OAAO,cAAgD;AAC3D,UAAM,MAAM,GAAG,KAAK,OAAO,OAAO;AAElC,UAAM,OAAO;AAAA,MACX,eAAe;AAAA,IACjB;AAEA,WAAO,KAAK,YAA6B,KAAK,IAAI;AAAA,EACpD;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EA2BA,YAAY,SAAqC;AAC/C,UAAM,MAAM,IAAI,IAAI,GAAG,KAAK,OAAO,OAAO,UAAU,QAAQ,QAAQ,EAAE;AACtE,QAAI,aAAa,IAAI,YAAY,KAAK,OAAO,OAAO;AACpD,QAAI,aAAa,IAAI,gBAAgB,QAAQ,WAAW;AACxD,WAAO,IAAI,SAAS;AAAA,EACtB;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAuCA,MAAM,kBAAkB,MAAsC;AAC5D,UAAM,MAAM,GAAG,KAAK,OAAO,OAAO;AAElC,UAAM,OAAO;AAAA,MACX;AAAA,MACA,UAAU,KAAK,OAAO;AAAA,IACxB;AAEA,WAAO,KAAK,YAA2B,KAAK,IAAI;AAAA,EAClD;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAsBA,MAAM,aAAa,eAAmD;AAEpE,UAAM,WAAW,MAAM,KAAK,YAAY,cAAc,YAAY;AAElE,UAAM,OAAa;AAAA,MACjB,IAAI,SAAS,QAAQ;AAAA,MACrB,OAAO,SAAS,QAAQ;AAAA,MACxB,eAAe,SAAS,QAAQ;AAAA,IAClC;AAEA,UAAM,UAAmB;AAAA,MACvB,aAAa,cAAc;AAAA,MAC3B,cAAc,cAAc;AAAA,MAC5B,WAAW,IAAI,KAAK,KAAK,IAAI,IAAI,cAAc,aAAa,GAAI;AAAA,IAClE;AAEA,UAAM,SAAqB,EAAE,MAAM,QAAQ;AAE3C,QAAI,cAAc,gBAAgB,QAAW;AAC3C,aAAO,YAAY,cAAc;AAAA,IACnC;AAEA,WAAO;AAAA,EACT;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAgCA,MAAM,gBAAgB,SAA2D;AAC/E,UAAM,MAAM,GAAG,KAAK,OAAO,OAAO;AAElC,QAAI;AACF,YAAM,WAAW,MAAM,MAAM,KAAK;AAAA,QAChC,QAAQ;AAAA,QACR,SAAS;AAAA,UACP,gBAAgB;AAAA,UAChB,eAAe,UAAU,QAAQ,WAAW;AAAA,QAC9C;AAAA,QACA,MAAM,KAAK,UAAU;AAAA,UACnB,UAAU,QAAQ;AAAA,QACpB,CAAC;AAAA,MACH,CAAC;AAED,UAAI,CAAC,SAAS,IAAI;AAChB,cAAM,YAAY,MAAM,SAAS,KAAK,EAAE,MAAM,OAAO,CAAC,EAAE;AACxD,cAAM,YAAY;AAElB,YAAI;AACJ,YAAI;AAEJ,YAAI,OAAO,UAAU,UAAU,YAAY,UAAU,OAAO;AAC1D,sBAAY,UAAU,MAAM,QAAQ,KAAK,yBAAyB,SAAS,MAAM;AACjF,yBAAe,UAAU,MAAM,WAAW;AAAA,QAC5C,OAAO;AACL,sBAAY,KAAK,yBAAyB,SAAS,MAAM;AACzD,yBAAe,OAAO,UAAU,UAAU,WAAW,UAAU,QAAQ;AAAA,QACzE;AAEA,cAAM,IAAI,eAAe,cAAc,WAAW,SAAS,MAAM;AAAA,MACnE;AAEA,aAAQ,MAAM,SAAS,KAAK;AAAA,IAC9B,SAAS,OAAO;AACd,UAAI,iBAAiB,gBAAgB;AACnC,cAAM;AAAA,MACR;AAEA,UAAI,iBAAiB,OAAO;AAC1B,cAAM,IAAI,eAAe,kBAAkB,MAAM,OAAO,IAAI,eAAe;AAAA,MAC7E;AAEA,YAAM,IAAI,eAAe,kBAAkB,gBAAgB;AAAA,IAC7D;AAAA,EACF;AAAA;AAAA;AAAA;AAAA,EAKA,MAAc,YAAe,KAAa,MAA2C;AACnF,QAAI;AACF,YAAM,WAAW,MAAM,MAAM,KAAK;AAAA,QAChC,QAAQ;AAAA,QACR,SAAS;AAAA,UACP,gBAAgB;AAAA,QAClB;AAAA,QACA,MAAM,KAAK,UAAU,IAAI;AAAA,MAC3B,CAAC;AAED,UAAI,CAAC,SAAS,IAAI;AAChB,cAAM,YAAY,MAAM,SAAS,KAAK,EAAE,MAAM,OAAO,CAAC,EAAE;AACxD,cAAM,YAAY;AAElB,YAAI;AACJ,YAAI;AAEJ,YAAI,OAAO,UAAU,UAAU,YAAY,UAAU,OAAO;AAC1D,sBAAY,UAAU,MAAM,QAAQ,KAAK,yBAAyB,SAAS,MAAM;AACjF,yBAAe,UAAU,MAAM,WAAW;AAAA,QAC5C,OAAO;AACL,sBAAY,KAAK,yBAAyB,SAAS,MAAM;AACzD,yBAAe,OAAO,UAAU,UAAU,WAAW,UAAU,QAAQ;AAAA,QACzE;AAEA,cAAM,IAAI,eAAe,cAAc,WAAW,SAAS,MAAM;AAAA,MACnE;AAEA,aAAQ,MAAM,SAAS,KAAK;AAAA,IAC9B,SAAS,OAAO;AACd,UAAI,iBAAiB,gBAAgB;AACnC,cAAM;AAAA,MACR;AAEA,UAAI,iBAAiB,OAAO;AAC1B,cAAM,IAAI,eAAe,kBAAkB,MAAM,OAAO,IAAI,eAAe;AAAA,MAC7E;AAEA,YAAM,IAAI,eAAe,kBAAkB,gBAAgB;AAAA,IAC7D;AAAA,EACF;AAAA;AAAA;AAAA;AAAA,EAKQ,yBAAyB,QAAwB;AACvD,YAAQ,QAAQ;AAAA,MACd,KAAK;AACH,eAAO;AAAA,MACT,KAAK;AACH,eAAO;AAAA,MACT,KAAK;AACH,eAAO;AAAA,MACT,KAAK;AACH,eAAO;AAAA,MACT,KAAK;AACH,eAAO;AAAA,MACT,KAAK;AAAA,MACL,KAAK;AAAA,MACL,KAAK;AACH,eAAO;AAAA,MACT;AACE,eAAO;AAAA,IACX;AAAA,EACF;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAuBA,IAAI,QAAwB;AAC1B,QAAI,CAAC,KAAK,OAAO,cAAc;AAC7B,YAAM,IAAI;AAAA,QACR;AAAA,QACA;AAAA,MACF;AAAA,IACF;AACA,WAAO,IAAI,eAAe,KAAK,MAAM;AAAA,EACvC;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EA8BA,IAAI,WAA8B;AAChC,WAAO,IAAI,kBAAkB,KAAK,MAAM;AAAA,EAC1C;AACF;AAcA,IAAM,iBAAN,MAAqB;AAAA,EACX;AAAA,EAER,YAAY,QAAwB;AAClC,SAAK,SAAS;AAAA,EAChB;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EA4BA,MAAM,WAAW,SAAsD;AACrE,UAAM,MAAM,GAAG,KAAK,OAAO,OAAO,WAAW,KAAK,OAAO,OAAO,UAAU,QAAQ,MAAM;AAExF,QAAI;AACF,YAAM,WAAW,MAAM,MAAM,KAAK;AAAA,QAChC,QAAQ;AAAA,QACR,SAAS;AAAA,UACP,eAAe,eAAe,KAAK,OAAO,YAAY;AAAA,QACxD;AAAA,MACF,CAAC;AAED,UAAI,CAAC,SAAS,IAAI;AAChB,cAAM,YAAY,MAAM,SAAS,KAAK,EAAE,MAAM,OAAO,CAAC,EAAE;AACxD,cAAM,YAAY;AAElB,YAAI;AACJ,YAAI;AAEJ,YAAI,OAAO,UAAU,UAAU,YAAY,UAAU,OAAO;AAC1D,sBAAY,UAAU,MAAM,QAAQ,KAAK,yBAAyB,SAAS,MAAM;AACjF,yBAAe,UAAU,MAAM,WAAW;AAAA,QAC5C,OAAO;AACL,sBAAY,KAAK,yBAAyB,SAAS,MAAM;AACzD,yBAAe,OAAO,UAAU,UAAU,WAAW,UAAU,QAAQ;AAAA,QACzE;AAEA,cAAM,IAAI,eAAe,cAAc,WAAW,SAAS,MAAM;AAAA,MACnE;AAEA,aAAQ,MAAM,SAAS,KAAK;AAAA,IAC9B,SAAS,OAAO;AACd,UAAI,iBAAiB,gBAAgB;AACnC,cAAM;AAAA,MACR;AAEA,UAAI,iBAAiB,OAAO;AAC1B,cAAM,IAAI,eAAe,kBAAkB,MAAM,OAAO,IAAI,eAAe;AAAA,MAC7E;AAEA,YAAM,IAAI,eAAe,kBAAkB,gBAAgB;AAAA,IAC7D;AAAA,EACF;AAAA;AAAA;AAAA;AAAA,EAKQ,yBAAyB,QAAwB;AACvD,YAAQ,QAAQ;AAAA,MACd,KAAK;AACH,eAAO;AAAA,MACT,KAAK;AACH,eAAO;AAAA,MACT,KAAK;AACH,eAAO;AAAA,MACT,KAAK;AACH,eAAO;AAAA,MACT,KAAK;AACH,eAAO;AAAA,MACT,KAAK;AAAA,MACL,KAAK;AAAA,MACL,KAAK;AACH,eAAO;AAAA,MACT;AACE,eAAO;AAAA,IACX;AAAA,EACF;AACF;AAwBA,IAAM,oBAAN,MAAwB;AAAA,EACd;AAAA,EAER,YAAY,QAAwB;AAClC,SAAK,SAAS;AAAA,EAChB;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAYA,MAAM,uBACJ,SACqC;AACrC,UAAM,MAAM,GAAG,KAAK,OAAO,OAAO;AAElC,QAAI;AACF,YAAM,WAAW,MAAM,MAAM,KAAK;AAAA,QAChC,QAAQ;AAAA,QACR,SAAS;AAAA,UACP,gBAAgB;AAAA,UAChB,eAAe,UAAU,QAAQ,WAAW;AAAA,QAC9C;AAAA,QACA,MAAM,KAAK,UAAU;AAAA,UACnB,UAAU,KAAK,OAAO;AAAA,QACxB,CAAC;AAAA,MACH,CAAC;AAED,UAAI,CAAC,SAAS,IAAI;AAChB,cAAM,KAAK,oBAAoB,QAAQ;AAAA,MACzC;AAEA,aAAQ,MAAM,SAAS,KAAK;AAAA,IAC9B,SAAS,OAAO;AACd,UAAI,iBAAiB,gBAAgB;AACnC,cAAM;AAAA,MACR;AACA,UAAI,iBAAiB,OAAO;AAC1B,cAAM,IAAI,eAAe,kBAAkB,MAAM,OAAO,IAAI,eAAe;AAAA,MAC7E;AACA,YAAM,IAAI,eAAe,kBAAkB,gBAAgB;AAAA,IAC7D;AAAA,EACF;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAYA,MAAM,mBACJ,SACsC;AACtC,UAAM,MAAM,GAAG,KAAK,OAAO,OAAO;AAElC,UAAM,OAAgC;AAAA,MACpC,UAAU,KAAK,OAAO;AAAA,MACtB,cAAc,QAAQ;AAAA,IACxB;AAEA,QAAI,QAAQ,YAAY;AACtB,WAAK,cAAc,QAAQ;AAAA,IAC7B;AAEA,QAAI;AACF,YAAM,WAAW,MAAM,MAAM,KAAK;AAAA,QAChC,QAAQ;AAAA,QACR,SAAS;AAAA,UACP,gBAAgB;AAAA,UAChB,eAAe,UAAU,QAAQ,WAAW;AAAA,QAC9C;AAAA,QACA,MAAM,KAAK,UAAU,IAAI;AAAA,MAC3B,CAAC;AAED,UAAI,CAAC,SAAS,IAAI;AAChB,cAAM,KAAK,oBAAoB,QAAQ;AAAA,MACzC;AAEA,aAAQ,MAAM,SAAS,KAAK;AAAA,IAC9B,SAAS,OAAO;AACd,UAAI,iBAAiB,gBAAgB;AACnC,cAAM;AAAA,MACR;AACA,UAAI,iBAAiB,OAAO;AAC1B,cAAM,IAAI,eAAe,kBAAkB,MAAM,OAAO,IAAI,eAAe;AAAA,MAC7E;AACA,YAAM,IAAI,eAAe,kBAAkB,gBAAgB;AAAA,IAC7D;AAAA,EACF;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAWA,MAAM,yBACJ,SACuC;AACvC,UAAM,MAAM,GAAG,KAAK,OAAO,OAAO;AAElC,UAAM,OAA+B;AAAA,MACnC,UAAU,KAAK,OAAO;AAAA,IACxB;AAEA,QAAI,SAAS,OAAO;AAClB,WAAK,QAAQ,QAAQ;AAAA,IACvB;AAEA,QAAI;AACF,YAAM,WAAW,MAAM,MAAM,KAAK;AAAA,QAChC,QAAQ;AAAA,QACR,SAAS;AAAA,UACP,gBAAgB;AAAA,QAClB;AAAA,QACA,MAAM,KAAK,UAAU,IAAI;AAAA,MAC3B,CAAC;AAED,UAAI,CAAC,SAAS,IAAI;AAChB,cAAM,KAAK,oBAAoB,QAAQ;AAAA,MACzC;AAEA,aAAQ,MAAM,SAAS,KAAK;AAAA,IAC9B,SAAS,OAAO;AACd,UAAI,iBAAiB,gBAAgB;AACnC,cAAM;AAAA,MACR;AACA,UAAI,iBAAiB,OAAO;AAC1B,cAAM,IAAI,eAAe,kBAAkB,MAAM,OAAO,IAAI,eAAe;AAAA,MAC7E;AACA,YAAM,IAAI,eAAe,kBAAkB,gBAAgB;AAAA,IAC7D;AAAA,EACF;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAYA,MAAM,aAAa,SAAqE;AACtF,UAAM,MAAM,GAAG,KAAK,OAAO,OAAO;AAElC,UAAM,OAAO;AAAA,MACX,UAAU,KAAK,OAAO;AAAA,MACtB,gBAAgB,QAAQ;AAAA,IAC1B;AAEA,QAAI;AACF,YAAM,WAAW,MAAM,MAAM,KAAK;AAAA,QAChC,QAAQ;AAAA,QACR,SAAS;AAAA,UACP,gBAAgB;AAAA,QAClB;AAAA,QACA,MAAM,KAAK,UAAU,IAAI;AAAA,MAC3B,CAAC;AAED,UAAI,CAAC,SAAS,IAAI;AAChB,cAAM,KAAK,oBAAoB,QAAQ;AAAA,MACzC;AAEA,aAAQ,MAAM,SAAS,KAAK;AAAA,IAC9B,SAAS,OAAO;AACd,UAAI,iBAAiB,gBAAgB;AACnC,cAAM;AAAA,MACR;AACA,UAAI,iBAAiB,OAAO;AAC1B,cAAM,IAAI,eAAe,kBAAkB,MAAM,OAAO,IAAI,eAAe;AAAA,MAC7E;AACA,YAAM,IAAI,eAAe,kBAAkB,gBAAgB;AAAA,IAC7D;AAAA,EACF;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAiBA,MAAM,aAAa,SAA6D;AAC9E,UAAM,MAAM,GAAG,KAAK,OAAO,OAAO;AAElC,QAAI;AACF,YAAM,WAAW,MAAM,MAAM,KAAK;AAAA,QAChC,QAAQ;AAAA,QACR,SAAS;AAAA,UACP,gBAAgB;AAAA,UAChB,eAAe,UAAU,QAAQ,WAAW;AAAA,QAC9C;AAAA,QACA,MAAM,KAAK,UAAU;AAAA,UACnB,UAAU,KAAK,OAAO;AAAA,QACxB,CAAC;AAAA,MACH,CAAC;AAED,UAAI,CAAC,SAAS,IAAI;AAChB,cAAM,KAAK,oBAAoB,QAAQ;AAAA,MACzC;AAEA,aAAQ,MAAM,SAAS,KAAK;AAAA,IAC9B,SAAS,OAAO;AACd,UAAI,iBAAiB,gBAAgB;AACnC,cAAM;AAAA,MACR;AACA,UAAI,iBAAiB,OAAO;AAC1B,cAAM,IAAI,eAAe,kBAAkB,MAAM,OAAO,IAAI,eAAe;AAAA,MAC7E;AACA,YAAM,IAAI,eAAe,kBAAkB,gBAAgB;AAAA,IAC7D;AAAA,EACF;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAiBA,MAAM,cAAc,SAA8D;AAChF,UAAM,MAAM,GAAG,KAAK,OAAO,OAAO,sBAAsB,mBAAmB,QAAQ,YAAY,CAAC;AAEhG,QAAI;AACF,YAAM,WAAW,MAAM,MAAM,KAAK;AAAA,QAChC,QAAQ;AAAA,QACR,SAAS;AAAA,UACP,gBAAgB;AAAA,UAChB,eAAe,UAAU,QAAQ,WAAW;AAAA,QAC9C;AAAA,QACA,MAAM,KAAK,UAAU;AAAA,UACnB,UAAU,KAAK,OAAO;AAAA,QACxB,CAAC;AAAA,MACH,CAAC;AAED,UAAI,CAAC,SAAS,IAAI;AAChB,cAAM,KAAK,oBAAoB,QAAQ;AAAA,MACzC;AAEA,aAAQ,MAAM,SAAS,KAAK;AAAA,IAC9B,SAAS,OAAO;AACd,UAAI,iBAAiB,gBAAgB;AACnC,cAAM;AAAA,MACR;AACA,UAAI,iBAAiB,OAAO;AAC1B,cAAM,IAAI,eAAe,kBAAkB,MAAM,OAAO,IAAI,eAAe;AAAA,MAC7E;AACA,YAAM,IAAI,eAAe,kBAAkB,gBAAgB;AAAA,IAC7D;AAAA,EACF;AAAA;AAAA;AAAA;AAAA;AAAA,EAMA,MAAc,oBAAoB,UAAoC;AACpE,UAAM,YAAY,MAAM,SAAS,KAAK,EAAE,MAAM,OAAO,CAAC,EAAE;AACxD,UAAM,YAAY;AAElB,QAAI;AACJ,QAAI;AAEJ,QAAI,OAAO,UAAU,UAAU,YAAY,UAAU,OAAO;AAC1D,kBAAY,UAAU,MAAM,QAAQ,KAAK,yBAAyB,SAAS,MAAM;AACjF,qBAAe,UAAU,MAAM,WAAW;AAAA,IAC5C,OAAO;AACL,kBAAY,KAAK,yBAAyB,SAAS,MAAM;AACzD,qBAAe,OAAO,UAAU,UAAU,WAAW,UAAU,QAAQ;AAAA,IACzE;AAEA,UAAM,IAAI,eAAe,cAAc,WAAW,SAAS,MAAM;AAAA,EACnE;AAAA;AAAA;AAAA;AAAA,EAKQ,yBAAyB,QAAwB;AACvD,YAAQ,QAAQ;AAAA,MACd,KAAK;AACH,eAAO;AAAA,MACT,KAAK;AACH,eAAO;AAAA,MACT,KAAK;AACH,eAAO;AAAA,MACT,KAAK;AACH,eAAO;AAAA,MACT,KAAK;AACH,eAAO;AAAA,MACT,KAAK;AAAA,MACL,KAAK;AAAA,MACL,KAAK;AACH,eAAO;AAAA,MACT;AACE,eAAO;AAAA,IACX;AAAA,EACF;AACF;AAkBO,SAAS,uBAAuB,QAA6B;AAClE,QAAM,QAAQ,IAAI,WAAW,MAAM;AACnC,MAAI,SAAS;AACb,aAAW,QAAQ,OAAO;AACxB,cAAU,OAAO,aAAa,IAAI;AAAA,EACpC;AACA,SAAO,KAAK,MAAM,EAAE,QAAQ,OAAO,GAAG,EAAE,QAAQ,OAAO,GAAG,EAAE,QAAQ,OAAO,EAAE;AAC/E;AAcO,SAAS,uBAAuB,WAAgC;AAErE,QAAM,SAAS,UAAU,QAAQ,MAAM,GAAG,EAAE,QAAQ,MAAM,GAAG;AAE7D,QAAM,SAAS,SAAS,IAAI,QAAQ,IAAK,OAAO,SAAS,KAAM,CAAC;AAEhE,QAAM,SAAS,KAAK,MAAM;AAC1B,QAAM,QAAQ,IAAI,WAAW,OAAO,MAAM;AAC1C,WAAS,IAAI,GAAG,IAAI,OAAO,QAAQ,KAAK;AACtC,UAAM,CAAC,IAAI,OAAO,WAAW,CAAC;AAAA,EAChC;AACA,SAAO,MAAM;AACf;AAgBO,SAAS,2BACd,SACoC;AAEpC,QAAM,qBAAqB,MAAM,QAAQ,QAAQ,kBAAkB,IAC/D,QAAQ,qBACR,CAAC;AAEL,QAAM,4BAA6D,CAAC;AACpE,aAAW,QAAQ,oBAAoB;AACrC,QAAI;AACF,gCAA0B,KAAK;AAAA,QAC7B,IAAI,uBAAuB,KAAK,EAAE;AAAA,QAClC,MAAM,KAAK;AAAA,QACX,YAAY,KAAK;AAAA,MACnB,CAAC;AAAA,IACH,QAAQ;AAEN,cAAQ,KAAK,yDAAyD,KAAK,EAAE;AAAA,IAC/E;AAAA,EACF;AAEA,SAAO;AAAA,IACL,WAAW,uBAAuB,QAAQ,SAAS;AAAA,IACnD,IAAI,QAAQ;AAAA,IACZ,MAAM;AAAA,MACJ,IAAI,IAAI,YAAY,EAAE,OAAO,QAAQ,KAAK,EAAE;AAAA,MAC5C,MAAM,QAAQ,KAAK;AAAA,MACnB,aAAa,QAAQ,KAAK;AAAA,IAC5B;AAAA,IACA,kBAAkB,QAAQ;AAAA,IAC1B,oBAAoB;AAAA,IACpB,wBAAwB,QAAQ;AAAA,IAChC,SAAS,QAAQ;AAAA,IACjB,aAAa,QAAQ;AAAA,EACvB;AACF;AAgBO,SAAS,6BACd,SACmC;AAEnC,QAAM,mBAAmB,MAAM,QAAQ,QAAQ,gBAAgB,IAAI,QAAQ,mBAAmB,CAAC;AAE/F,QAAM,0BAA2D,CAAC;AAClE,aAAW,QAAQ,kBAAkB;AACnC,QAAI;AACF,8BAAwB,KAAK;AAAA,QAC3B,IAAI,uBAAuB,KAAK,EAAE;AAAA,QAClC,MAAM,KAAK;AAAA,QACX,YAAY,KAAK;AAAA,MACnB,CAAC;AAAA,IACH,QAAQ;AAEN,cAAQ,KAAK,yDAAyD,KAAK,EAAE;AAAA,IAC/E;AAAA,EACF;AAEA,SAAO;AAAA,IACL,WAAW,uBAAuB,QAAQ,SAAS;AAAA,IACnD,MAAM,QAAQ;AAAA,IACd,kBAAkB;AAAA,IAClB,kBAAkB,QAAQ;AAAA,IAC1B,SAAS,QAAQ;AAAA,EACnB;AACF;AAgBO,SAAS,2BAA2B,YAUzC;AACA,QAAM,WAAW,WAAW;AAE5B,SAAO;AAAA,IACL,IAAI,WAAW;AAAA,IACf,OAAO,uBAAuB,WAAW,KAAK;AAAA,IAC9C,MAAM;AAAA,IACN,UAAU;AAAA,MACR,gBAAgB,uBAAuB,SAAS,cAAc;AAAA,MAC9D,mBAAmB,uBAAuB,SAAS,iBAAiB;AAAA,MACpE,YAAY,SAAS,gBAAgB;AAAA,IACvC;AAAA,IACA,yBAAyB,WAAW;AAAA,EAItC;AACF;AAgBO,SAAS,6BAA6B,YAW3C;AACA,QAAM,WAAW,WAAW;AAE5B,SAAO;AAAA,IACL,IAAI,WAAW;AAAA,IACf,OAAO,uBAAuB,WAAW,KAAK;AAAA,IAC9C,MAAM;AAAA,IACN,UAAU;AAAA,MACR,gBAAgB,uBAAuB,SAAS,cAAc;AAAA,MAC9D,mBAAmB,uBAAuB,SAAS,iBAAiB;AAAA,MACpE,WAAW,uBAAuB,SAAS,SAAS;AAAA,MACpD,YAAY,SAAS,aAAa,uBAAuB,SAAS,UAAU,IAAI;AAAA,IAClF;AAAA,IACA,yBAAyB,WAAW;AAAA,EAItC;AACF;","names":[]}
package/dist/index.js CHANGED
@@ -7,7 +7,7 @@ import {
7
7
  formatRegistrationResponse,
8
8
  prepareAuthenticationOptions,
9
9
  prepareRegistrationOptions
10
- } from "./chunk-5QEKSWV4.js";
10
+ } from "./chunk-ZUTZYJDF.js";
11
11
  export {
12
12
  OvixaAuth,
13
13
  OvixaAuthError,
package/dist/middleware/astro.js CHANGED
@@ -3,8 +3,8 @@ import {
3
3
  clearAuthCookies,
4
4
  isPublicRoute,
5
5
  setAuthCookies
6
- } from "../chunk-IU57RXBC.js";
7
- import "../chunk-5QEKSWV4.js";
6
+ } from "../chunk-YFMPRWGI.js";
7
+ import "../chunk-ZUTZYJDF.js";
8
8
 
9
9
  // src/middleware/astro.ts
10
10
  var AstroCookieAdapter = class {
package/dist/middleware/express.js CHANGED
@@ -3,8 +3,8 @@ import {
3
3
  clearAuthCookies,
4
4
  isPublicRoute,
5
5
  setAuthCookies
6
- } from "../chunk-IU57RXBC.js";
7
- import "../chunk-5QEKSWV4.js";
6
+ } from "../chunk-YFMPRWGI.js";
7
+ import "../chunk-ZUTZYJDF.js";
8
8
 
9
9
  // src/middleware/express.ts
10
10
  var ExpressCookieAdapter = class {
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "@ovixa/auth-client",
3
- "version": "0.3.0",
3
+ "version": "0.3.1",
4
4
  "description": "Client SDK for Ovixa Auth service",
5
5
  "type": "module",
6
6
  "main": "./dist/index.js",