npm - @oxy-hq/sdk - Versions diffs - 0.1.4 → 0.1.6 - Mend

@oxy-hq/sdk 0.1.4 → 0.1.6

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (18) hide show

package/README.md +52 -31
package/dist/index.cjs +81 -49
package/dist/index.cjs.map +1 -1
package/dist/index.d.cts +17 -10
package/dist/index.d.cts.map +1 -1
package/dist/index.d.mts +17 -10
package/dist/index.d.mts.map +1 -1
package/dist/index.mjs +81 -50
package/dist/index.mjs.map +1 -1
package/dist/{postMessage-CufWf9ji.cjs → postMessage-B1J0jDRN.cjs} +15 -11
package/dist/postMessage-B1J0jDRN.cjs.map +1 -0
package/dist/{postMessage-CVS3MsL5.cjs → postMessage-BSNS3ccd.cjs} +1 -1
package/dist/{postMessage-DLGITn0e.mjs → postMessage-BxdgtX8j.mjs} +15 -11
package/dist/postMessage-BxdgtX8j.mjs.map +1 -0
package/dist/{postMessage-DwfY0HM5.mjs → postMessage-D5wWgwcO.mjs} +1 -1
package/package.json +2 -2
package/dist/postMessage-CufWf9ji.cjs.map +0 -1
package/dist/postMessage-DLGITn0e.mjs.map +0 -1

package/dist/{postMessage-CVS3MsL5.cjs → postMessage-BSNS3ccd.cjs} RENAMED Viewed

@@ -1,5 +1,5 @@
 // @oxy/sdk - TypeScript SDK for Oxy data platform
-const require_postMessage = require('./postMessage-CufWf9ji.cjs');
+const require_postMessage = require('./postMessage-B1J0jDRN.cjs');
 exports.isInIframe = require_postMessage.isInIframe;
 exports.requestAuthFromParent = require_postMessage.requestAuthFromParent;

package/dist/{postMessage-DLGITn0e.mjs → postMessage-BxdgtX8j.mjs} RENAMED Viewed

@@ -26,10 +26,16 @@ var PostMessageAuthInvalidOriginError = class extends Error {
 */
 var PostMessageAuthNotInIframeError = class extends Error {
 	constructor() {
-		super(`PostMessage authentication is only available when running in an iframe context.\n\nCurrent context: ${typeof window !== "undefined" ? window === window.parent ? "top-level window" : "iframe" : "non-browser (Node.js)"}\n\nIf you're running in a regular browser window, use direct configuration instead:\nconst client = new OxyClient({ apiKey: 'your-key', ... })`);
+		const currentContext = getCurrentContext();
+		super(`PostMessage authentication is only available when running in an iframe context.\n\nCurrent context: ${currentContext}\n\nIf you're running in a regular browser window, use direct configuration instead:\nconst client = new OxyClient({ apiKey: 'your-key', ... })`);
 		this.name = "PostMessageAuthNotInIframeError";
 	}
 };
+function getCurrentContext() {
+	if (typeof window === "undefined") return "non-browser (Node.js)";
+	if (window === window.parent) return "top-level window";
+	return "iframe";
+}
 /**
 * Error thrown when authentication response is malformed or invalid
 */
@@ -51,7 +57,7 @@ function isInIframe() {
 	if (typeof window === "undefined") return false;
 	try {
 		return window !== window.parent && window.parent !== null;
-	} catch (e) {
+	} catch {
 		return true;
 	}
 }
@@ -79,7 +85,7 @@ function validateOrigin(messageOrigin, allowedOrigin) {
 		const messageUrl = new URL(messageOrigin);
 		const allowedUrl = new URL(allowedOrigin);
 		return messageUrl.origin === allowedUrl.origin;
-	} catch (e) {
+	} catch {
 		return messageOrigin === allowedOrigin;
 	}
 }
@@ -93,13 +99,7 @@ function validateOrigin(messageOrigin, allowedOrigin) {
 */
 function createAuthListener(requestId, origin, timeout) {
 	return new Promise((resolve, reject) => {
-		let timeoutId;
-		let listener;
-		timeoutId = setTimeout(() => {
-			window.removeEventListener("message", listener);
-			reject(new PostMessageAuthTimeoutError(timeout));
-		}, timeout);
-		listener = (event) => {
+		const listener = (event) => {
 			if (!validateOrigin(event.origin, origin)) return;
 			if (!event.data || event.data.type !== "OXY_AUTH_RESPONSE") return;
 			const response = event.data;
@@ -114,6 +114,10 @@ function createAuthListener(requestId, origin, timeout) {
 			window.removeEventListener("message", listener);
 			resolve(response);
 		};
+		const timeoutId = setTimeout(() => {
+			window.removeEventListener("message", listener);
+			reject(new PostMessageAuthTimeoutError(timeout));
+		}, timeout);
 		window.addEventListener("message", listener);
 	});
 }
@@ -177,4 +181,4 @@ async function requestAuthFromParent(options = {}) {
 //#endregion
 export { PostMessageAuthInvalidOriginError as a, PostMessageAuthTimeoutError as c, validateOrigin as i, isInIframe as n, PostMessageAuthInvalidResponseError as o, requestAuthFromParent as r, PostMessageAuthNotInIframeError as s, generateRequestId as t };
-//# sourceMappingURL=postMessage-DLGITn0e.mjs.map
+//# sourceMappingURL=postMessage-BxdgtX8j.mjs.map

package/dist/postMessage-BxdgtX8j.mjs.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"postMessage-BxdgtX8j.mjs","names":[],"sources":["../src/types.ts","../src/auth/postMessage.ts"],"sourcesContent":["/**\n * Represents an app item in the project\n */\nexport interface AppItem {\n name: string;\n path: string;\n}\n\n/**\n * Reference to a data file (usually parquet)\n */\nexport interface FileReference {\n file_path: string;\n}\n\n/**\n * Table data structure for in-memory tables\n * (used when data is fetched and parsed)\n */\nexport interface TableData {\n columns: string[];\n rows: unknown[][];\n total_rows?: number;\n}\n\nexport type DataContainer = Record<string, FileReference>;\n\n/**\n * Response from app data endpoints\n */\nexport interface AppDataResponse {\n data: DataContainer | null;\n error: string | null;\n}\n\n/**\n * Display with potential error\n */\nexport interface DisplayWithError {\n display?: DisplayData;\n error?: string;\n}\n\n/**\n * Display data structure\n */\nexport interface DisplayData {\n type: string;\n content: unknown;\n}\n\n/**\n * Response from get displays endpoint\n */\nexport interface GetDisplaysResponse {\n displays: DisplayWithError[];\n}\n\n/**\n * Error response from the API\n */\nexport interface ApiError {\n message: string;\n status: number;\n details?: unknown;\n}\n\n/**\n * Query result from ParquetReader\n */\nexport interface QueryResult {\n columns: string[];\n rows: unknown[][];\n rowCount: number;\n}\n\n/**\n * PostMessage authentication protocol types\n */\n\n/**\n * Request message sent from iframe to parent window\n */\nexport interface OxyAuthRequestMessage {\n type: \"OXY_AUTH_REQUEST\";\n version: \"1.0\";\n timestamp: number;\n requestId: string;\n}\n\n/**\n * Response message sent from parent window to iframe\n */\nexport interface OxyAuthResponseMessage {\n type: \"OXY_AUTH_RESPONSE\";\n version: \"1.0\";\n requestId: string;\n apiKey?: string;\n projectId?: string;\n baseUrl?: string;\n}\n\n/**\n * Options for postMessage authentication\n */\nexport interface PostMessageAuthOptions {\n /** Required parent window origin for security (e.g., 'https://app.example.com'). Use '*' only in development! */\n parentOrigin?: string;\n /** Timeout in milliseconds (default: 5000) */\n timeout?: number;\n /** Number of retry attempts (default: 0) */\n retries?: number;\n}\n\n/**\n * Result from successful postMessage authentication\n */\nexport interface PostMessageAuthResult {\n apiKey?: string;\n projectId?: string;\n baseUrl?: string;\n source: \"postmessage\";\n}\n\n/**\n * Custom error classes for postMessage authentication\n */\n\n/**\n * Error thrown when postMessage authentication times out\n */\nexport class PostMessageAuthTimeoutError extends Error {\n constructor(timeout: number) {\n super(\n `Parent window did not respond to authentication request within ${timeout}ms.\\n\\n` +\n `Possible causes:\\n` +\n `- Parent window is not listening for 'OXY_AUTH_REQUEST' messages\\n` +\n `- Parent origin mismatch\\n` +\n `- Network/browser issues\\n\\n` +\n `Troubleshooting:\\n` +\n `1. Verify parent window has message listener set up\\n` +\n `2. Check parentOrigin configuration matches parent window origin\\n` +\n `3. Open browser console in parent window for errors`,\n );\n this.name = \"PostMessageAuthTimeoutError\";\n }\n}\n\n/**\n * Error thrown when authentication response comes from unauthorized origin\n */\nexport class PostMessageAuthInvalidOriginError extends Error {\n constructor(expected: string, actual: string) {\n super(\n `Received authentication response from unauthorized origin.\\n\\n` +\n `Expected: ${expected}\\n` +\n `Actual: ${actual}\\n\\n` +\n `This is a security error. Verify your parentOrigin configuration.`,\n );\n this.name = \"PostMessageAuthInvalidOriginError\";\n }\n}\n\n/**\n * Error thrown when postMessage authentication is attempted outside iframe context\n */\nexport class PostMessageAuthNotInIframeError extends Error {\n constructor() {\n const currentContext = getCurrentContext();\n super(\n `PostMessage authentication is only available when running in an iframe context.\\n\\n` +\n `Current context: ${currentContext}\\n\\n` +\n `If you're running in a regular browser window, use direct configuration instead:\\n` +\n `const client = new OxyClient({ apiKey: 'your-key', ... })`,\n );\n this.name = \"PostMessageAuthNotInIframeError\";\n }\n}\n\nfunction getCurrentContext(): string {\n if (typeof window === \"undefined\") {\n return \"non-browser (Node.js)\";\n }\n if (window === window.parent) {\n return \"top-level window\";\n }\n return \"iframe\";\n}\n\n/**\n * Error thrown when authentication response is malformed or invalid\n */\nexport class PostMessageAuthInvalidResponseError extends Error {\n constructor(reason: string) {\n super(`Invalid authentication response from parent: ${reason}`);\n this.name = \"PostMessageAuthInvalidResponseError\";\n }\n}\n","/**\n * PostMessage-based authentication for iframe scenarios\n *\n * This module enables secure cross-origin authentication between an iframe\n * (running the Oxy SDK) and its parent window (holding the API key).\n */\n\nimport type {\n OxyAuthRequestMessage,\n OxyAuthResponseMessage,\n PostMessageAuthOptions,\n PostMessageAuthResult,\n} from \"../types\";\n\nimport {\n PostMessageAuthTimeoutError,\n PostMessageAuthNotInIframeError,\n PostMessageAuthInvalidResponseError,\n} from \"../types\";\n\n/**\n * Check if the current context is running inside an iframe\n *\n * @returns true if running in an iframe, false otherwise (including Node.js)\n */\nexport function isInIframe(): boolean {\n // Check if we're in a browser environment\n if (typeof window === \"undefined\") {\n return false;\n }\n\n // Check if window has a parent and it's different from itself\n try {\n return window !== window.parent && window.parent !== null;\n } catch {\n // Cross-origin access might throw an error, but we're still in an iframe\n return true;\n }\n}\n\n/**\n * Generate a unique request ID for tracking auth requests\n *\n * @returns A unique identifier string\n */\nexport function generateRequestId(): string {\n // Use crypto.randomUUID if available (modern browsers)\n if (typeof crypto !== \"undefined\" && crypto.randomUUID) {\n return crypto.randomUUID();\n }\n\n // Fallback for older environments: timestamp + random\n // Note: Math.random() is used here as a fallback for environments without crypto.randomUUID\n // This is acceptable for non-security-critical request IDs (used only for message correlation)\n /* eslint-disable sonarjs/pseudo-random */\n return `${Date.now()}-${Math.random().toString(36).substring(2, 11)}`;\n /* eslint-enable sonarjs/pseudo-random */\n}\n\n/**\n * Validate that a message origin matches the expected origin\n *\n * @param messageOrigin - The origin from the message event\n * @param allowedOrigin - The expected/allowed origin\n * @returns true if origin is valid, false otherwise\n */\nexport function validateOrigin(\n messageOrigin: string,\n allowedOrigin?: string,\n): boolean {\n // If no allowed origin is specified, reject (security)\n if (!allowedOrigin) {\n return false;\n }\n\n // Wildcard - allow any origin (development only!)\n if (allowedOrigin === \"*\") {\n return true;\n }\n\n // Exact match\n if (messageOrigin === allowedOrigin) {\n return true;\n }\n\n // Try URL parsing for more flexible matching\n try {\n const messageUrl = new URL(messageOrigin);\n const allowedUrl = new URL(allowedOrigin);\n return messageUrl.origin === allowedUrl.origin;\n } catch {\n // If URL parsing fails, do simple string match\n return messageOrigin === allowedOrigin;\n }\n}\n\n/**\n * Create a promise that listens for an authentication response\n *\n * @param requestId - The request ID to match against\n * @param origin - The expected parent origin\n * @param timeout - Timeout in milliseconds\n * @returns Promise that resolves with the auth response\n */\nfunction createAuthListener(\n requestId: string,\n origin: string | undefined,\n timeout: number,\n): Promise<OxyAuthResponseMessage> {\n return new Promise((resolve, reject) => {\n // Set up message listener\n const listener = (event: MessageEvent) => {\n // Validate origin\n if (!validateOrigin(event.origin, origin)) {\n // Don't reject here - might be other postMessage traffic\n // Just ignore messages from wrong origins\n return;\n }\n\n // Check message type\n if (!event.data || event.data.type !== \"OXY_AUTH_RESPONSE\") {\n // Not our message type, ignore\n return;\n }\n\n const response = event.data as OxyAuthResponseMessage;\n\n // Validate request ID matches\n if (response.requestId !== requestId) {\n // Wrong request ID, ignore (might be another auth in progress)\n return;\n }\n\n // Validate version\n if (response.version !== \"1.0\") {\n clearTimeout(timeoutId);\n window.removeEventListener(\"message\", listener);\n reject(\n new PostMessageAuthInvalidResponseError(\n `Unsupported protocol version: ${response.version}`,\n ),\n );\n return;\n }\n\n // Success!\n clearTimeout(timeoutId);\n window.removeEventListener(\"message\", listener);\n resolve(response);\n };\n\n // Set up timeout\n const timeoutId = setTimeout(() => {\n window.removeEventListener(\"message\", listener);\n reject(new PostMessageAuthTimeoutError(timeout));\n }, timeout);\n\n // Start listening\n window.addEventListener(\"message\", listener);\n });\n}\n\n/**\n * Request authentication from parent window via postMessage\n *\n * This is the main entry point for iframe-based authentication.\n * It sends a request to the parent window and waits for a response.\n *\n * @param options - Configuration options for the auth request\n * @returns Promise that resolves with authentication credentials\n * @throws {PostMessageAuthNotInIframeError} If not in an iframe\n * @throws {PostMessageAuthTimeoutError} If parent doesn't respond in time\n * @throws {PostMessageAuthInvalidOriginError} If response from wrong origin\n * @throws {PostMessageAuthInvalidResponseError} If response is malformed\n *\n * @example\n * ```typescript\n * const auth = await requestAuthFromParent({\n * parentOrigin: 'https://app.example.com',\n * timeout: 5000\n * });\n * console.log('Received API key:', auth.apiKey);\n * ```\n */\nexport async function requestAuthFromParent(\n options: PostMessageAuthOptions = {},\n): Promise<PostMessageAuthResult> {\n const { parentOrigin, timeout = 5000, retries = 0 } = options;\n\n // Validate we're in an iframe\n if (!isInIframe()) {\n throw new PostMessageAuthNotInIframeError();\n }\n\n // Validate we're in a browser environment\n if (typeof window === \"undefined\") {\n throw new PostMessageAuthNotInIframeError();\n }\n\n // Generate request ID\n const requestId = generateRequestId();\n\n // Create request message\n const request: OxyAuthRequestMessage = {\n type: \"OXY_AUTH_REQUEST\",\n version: \"1.0\",\n timestamp: Date.now(),\n requestId,\n };\n\n // Attempt authentication with retries\n let lastError: Error | null = null;\n const maxAttempts = retries + 1;\n\n for (let attempt = 0; attempt < maxAttempts; attempt++) {\n try {\n // Set up listener before sending request to avoid race condition\n const responsePromise = createAuthListener(\n requestId,\n parentOrigin,\n timeout,\n );\n\n // Send request to parent\n const targetOrigin = parentOrigin || \"*\";\n window.parent.postMessage(request, targetOrigin);\n\n // Wait for response\n const response = await responsePromise;\n\n // Return successful result\n return {\n apiKey: response.apiKey,\n projectId: response.projectId,\n baseUrl: response.baseUrl,\n source: \"postmessage\",\n };\n } catch (error) {\n lastError = error as Error;\n\n // If this isn't a timeout, don't retry\n if (!(error instanceof PostMessageAuthTimeoutError)) {\n throw error;\n }\n\n // If we have more attempts, continue\n if (attempt < maxAttempts - 1) {\n // Optional: Add a small delay before retry\n await new Promise((resolve) => setTimeout(resolve, 100));\n continue;\n }\n\n // All retries exhausted\n throw error;\n }\n }\n\n // Should never reach here, but TypeScript needs this\n throw lastError || new Error(\"Authentication failed\");\n}\n"],"mappings":";;;;;;;;AAmIA,IAAa,8BAAb,cAAiD,MAAM;CACrD,YAAY,SAAiB;AAC3B,QACE,kEAAkE,QAAQ,+UAS3E;AACD,OAAK,OAAO;;;;;;AAOhB,IAAa,oCAAb,cAAuD,MAAM;CAC3D,YAAY,UAAkB,QAAgB;AAC5C,QACE,2EACe,SAAS,YACX,OAAO,uEAErB;AACD,OAAK,OAAO;;;;;;AAOhB,IAAa,kCAAb,cAAqD,MAAM;CACzD,cAAc;EACZ,MAAM,iBAAiB,mBAAmB;AAC1C,QACE,uGACsB,eAAe,iJAGtC;AACD,OAAK,OAAO;;;AAIhB,SAAS,oBAA4B;AACnC,KAAI,OAAO,WAAW,YACpB,QAAO;AAET,KAAI,WAAW,OAAO,OACpB,QAAO;AAET,QAAO;;;;;AAMT,IAAa,sCAAb,cAAyD,MAAM;CAC7D,YAAY,QAAgB;AAC1B,QAAM,gDAAgD,SAAS;AAC/D,OAAK,OAAO;;;;;;;;;;;AC1KhB,SAAgB,aAAsB;AAEpC,KAAI,OAAO,WAAW,YACpB,QAAO;AAIT,KAAI;AACF,SAAO,WAAW,OAAO,UAAU,OAAO,WAAW;SAC/C;AAEN,SAAO;;;;;;;;AASX,SAAgB,oBAA4B;AAE1C,KAAI,OAAO,WAAW,eAAe,OAAO,WAC1C,QAAO,OAAO,YAAY;AAO5B,QAAO,GAAG,KAAK,KAAK,CAAC,GAAG,KAAK,QAAQ,CAAC,SAAS,GAAG,CAAC,UAAU,GAAG,GAAG;;;;;;;;;AAWrE,SAAgB,eACd,eACA,eACS;AAET,KAAI,CAAC,cACH,QAAO;AAIT,KAAI,kBAAkB,IACpB,QAAO;AAIT,KAAI,kBAAkB,cACpB,QAAO;AAIT,KAAI;EACF,MAAM,aAAa,IAAI,IAAI,cAAc;EACzC,MAAM,aAAa,IAAI,IAAI,cAAc;AACzC,SAAO,WAAW,WAAW,WAAW;SAClC;AAEN,SAAO,kBAAkB;;;;;;;;;;;AAY7B,SAAS,mBACP,WACA,QACA,SACiC;AACjC,QAAO,IAAI,SAAS,SAAS,WAAW;EAEtC,MAAM,YAAY,UAAwB;AAExC,OAAI,CAAC,eAAe,MAAM,QAAQ,OAAO,CAGvC;AAIF,OAAI,CAAC,MAAM,QAAQ,MAAM,KAAK,SAAS,oBAErC;GAGF,MAAM,WAAW,MAAM;AAGvB,OAAI,SAAS,cAAc,UAEzB;AAIF,OAAI,SAAS,YAAY,OAAO;AAC9B,iBAAa,UAAU;AACvB,WAAO,oBAAoB,WAAW,SAAS;AAC/C,WACE,IAAI,oCACF,iCAAiC,SAAS,UAC3C,CACF;AACD;;AAIF,gBAAa,UAAU;AACvB,UAAO,oBAAoB,WAAW,SAAS;AAC/C,WAAQ,SAAS;;EAInB,MAAM,YAAY,iBAAiB;AACjC,UAAO,oBAAoB,WAAW,SAAS;AAC/C,UAAO,IAAI,4BAA4B,QAAQ,CAAC;KAC/C,QAAQ;AAGX,SAAO,iBAAiB,WAAW,SAAS;GAC5C;;;;;;;;;;;;;;;;;;;;;;;;AAyBJ,eAAsB,sBACpB,UAAkC,EAAE,EACJ;CAChC,MAAM,EAAE,cAAc,UAAU,KAAM,UAAU,MAAM;AAGtD,KAAI,CAAC,YAAY,CACf,OAAM,IAAI,iCAAiC;AAI7C,KAAI,OAAO,WAAW,YACpB,OAAM,IAAI,iCAAiC;CAI7C,MAAM,YAAY,mBAAmB;CAGrC,MAAM,UAAiC;EACrC,MAAM;EACN,SAAS;EACT,WAAW,KAAK,KAAK;EACrB;EACD;CAGD,IAAI,YAA0B;CAC9B,MAAM,cAAc,UAAU;AAE9B,MAAK,IAAI,UAAU,GAAG,UAAU,aAAa,UAC3C,KAAI;EAEF,MAAM,kBAAkB,mBACtB,WACA,cACA,QACD;EAGD,MAAM,eAAe,gBAAgB;AACrC,SAAO,OAAO,YAAY,SAAS,aAAa;EAGhD,MAAM,WAAW,MAAM;AAGvB,SAAO;GACL,QAAQ,SAAS;GACjB,WAAW,SAAS;GACpB,SAAS,SAAS;GAClB,QAAQ;GACT;UACM,OAAO;AACd,cAAY;AAGZ,MAAI,EAAE,iBAAiB,6BACrB,OAAM;AAIR,MAAI,UAAU,cAAc,GAAG;AAE7B,SAAM,IAAI,SAAS,YAAY,WAAW,SAAS,IAAI,CAAC;AACxD;;AAIF,QAAM;;AAKV,OAAM,6BAAa,IAAI,MAAM,wBAAwB"}

package/dist/{postMessage-DwfY0HM5.mjs → postMessage-D5wWgwcO.mjs} RENAMED Viewed

@@ -1,4 +1,4 @@
 // @oxy/sdk - TypeScript SDK for Oxy data platform
-import { i as validateOrigin, n as isInIframe, r as requestAuthFromParent, t as generateRequestId } from "./postMessage-DLGITn0e.mjs";
+import { i as validateOrigin, n as isInIframe, r as requestAuthFromParent, t as generateRequestId } from "./postMessage-BxdgtX8j.mjs";
 export { isInIframe, requestAuthFromParent };

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@oxy-hq/sdk",
-  "version": "0.1.4",
+  "version": "0.1.6",
   "description": "TypeScript SDK for interacting with Oxy data platform",
   "main": "./dist/index.js",
   "module": "./dist/index.mjs",
@@ -23,7 +23,7 @@
     "build:watch": "tsdown --watch",
     "dev": "tsdown --watch",
     "typecheck": "tsc --noEmit",
-    "lint": "eslint src --ext .ts",
+    "lint": "ESLINT_USE_FLAT_CONFIG=false eslint src --ext .ts",
     "test": "vitest run",
     "test:watch": "vitest",
     "prepublishOnly": "pnpm build",

package/dist/postMessage-CufWf9ji.cjs.map DELETED Viewed

@@ -1 +0,0 @@

- {"version":3,"file":"postMessage-CufWf9ji.cjs","names":[],"sources":["../src/types.ts","../src/auth/postMessage.ts"],"sourcesContent":["/**\n * Represents an app item in the project\n */\nexport interface AppItem {\n name: string;\n path: string;\n}\n\n/**\n * Reference to a data file (usually parquet)\n */\nexport interface FileReference {\n file_path: string;\n}\n\n/**\n * Table data structure for in-memory tables\n * (used when data is fetched and parsed)\n */\nexport interface TableData {\n columns: string[];\n rows: any[][];\n total_rows?: number;\n}\n\nexport type DataContainer = Record<string, FileReference>;\n\n/**\n * Response from app data endpoints\n */\nexport interface AppDataResponse {\n data: DataContainer | null;\n error: string | null;\n}\n\n/**\n * Display with potential error\n */\nexport interface DisplayWithError {\n display?: DisplayData;\n error?: string;\n}\n\n/**\n * Display data structure\n */\nexport interface DisplayData {\n type: string;\n content: any;\n}\n\n/**\n * Response from get displays endpoint\n */\nexport interface GetDisplaysResponse {\n displays: DisplayWithError[];\n}\n\n/**\n * Error response from the API\n */\nexport interface ApiError {\n message: string;\n status: number;\n details?: any;\n}\n\n/**\n * Query result from ParquetReader\n */\nexport interface QueryResult {\n columns: string[];\n rows: any[][];\n rowCount: number;\n}\n\n/**\n * PostMessage authentication protocol types\n */\n\n/**\n * Request message sent from iframe to parent window\n */\nexport interface OxyAuthRequestMessage {\n type: 'OXY_AUTH_REQUEST';\n version: '1.0';\n timestamp: number;\n requestId: string;\n}\n\n/**\n * Response message sent from parent window to iframe\n */\nexport interface OxyAuthResponseMessage {\n type: 'OXY_AUTH_RESPONSE';\n version: '1.0';\n requestId: string;\n apiKey?: string;\n projectId?: string;\n baseUrl?: string;\n}\n\n/**\n * Options for postMessage authentication\n */\nexport interface PostMessageAuthOptions {\n /** Required parent window origin for security (e.g., 'https://app.example.com'). Use '*' only in development! */\n parentOrigin?: string;\n /** Timeout in milliseconds (default: 5000) */\n timeout?: number;\n /** Number of retry attempts (default: 0) */\n retries?: number;\n}\n\n/**\n * Result from successful postMessage authentication\n */\nexport interface PostMessageAuthResult {\n apiKey?: string;\n projectId?: string;\n baseUrl?: string;\n source: 'postmessage';\n}\n\n/**\n * Custom error classes for postMessage authentication\n */\n\n/**\n * Error thrown when postMessage authentication times out\n */\nexport class PostMessageAuthTimeoutError extends Error {\n constructor(timeout: number) {\n super(\n `Parent window did not respond to authentication request within ${timeout}ms.\\n\\n` +\n `Possible causes:\\n` +\n `- Parent window is not listening for 'OXY_AUTH_REQUEST' messages\\n` +\n `- Parent origin mismatch\\n` +\n `- Network/browser issues\\n\\n` +\n `Troubleshooting:\\n` +\n `1. Verify parent window has message listener set up\\n` +\n `2. Check parentOrigin configuration matches parent window origin\\n` +\n `3. Open browser console in parent window for errors`\n );\n this.name = 'PostMessageAuthTimeoutError';\n }\n}\n\n/**\n * Error thrown when authentication response comes from unauthorized origin\n */\nexport class PostMessageAuthInvalidOriginError extends Error {\n constructor(expected: string, actual: string) {\n super(\n `Received authentication response from unauthorized origin.\\n\\n` +\n `Expected: ${expected}\\n` +\n `Actual: ${actual}\\n\\n` +\n `This is a security error. Verify your parentOrigin configuration.`\n );\n this.name = 'PostMessageAuthInvalidOriginError';\n }\n}\n\n/**\n * Error thrown when postMessage authentication is attempted outside iframe context\n */\nexport class PostMessageAuthNotInIframeError extends Error {\n constructor() {\n super(\n `PostMessage authentication is only available when running in an iframe context.\\n\\n` +\n `Current context: ${typeof window !== 'undefined' ? (window === window.parent ? 'top-level window' : 'iframe') : 'non-browser (Node.js)'}\\n\\n` +\n `If you're running in a regular browser window, use direct configuration instead:\\n` +\n `const client = new OxyClient({ apiKey: 'your-key', ... })`\n );\n this.name = 'PostMessageAuthNotInIframeError';\n }\n}\n\n/**\n * Error thrown when authentication response is malformed or invalid\n */\nexport class PostMessageAuthInvalidResponseError extends Error {\n constructor(reason: string) {\n super(`Invalid authentication response from parent: ${reason}`);\n this.name = 'PostMessageAuthInvalidResponseError';\n }\n}\n","/**\n * PostMessage-based authentication for iframe scenarios\n *\n * This module enables secure cross-origin authentication between an iframe\n * (running the Oxy SDK) and its parent window (holding the API key).\n */\n\nimport type {\n OxyAuthRequestMessage,\n OxyAuthResponseMessage,\n PostMessageAuthOptions,\n PostMessageAuthResult,\n} from '../types';\n\nimport {\n PostMessageAuthTimeoutError,\n PostMessageAuthInvalidOriginError,\n PostMessageAuthNotInIframeError,\n PostMessageAuthInvalidResponseError,\n} from '../types';\n\n/**\n * Check if the current context is running inside an iframe\n *\n * @returns true if running in an iframe, false otherwise (including Node.js)\n */\nexport function isInIframe(): boolean {\n // Check if we're in a browser environment\n if (typeof window === 'undefined') {\n return false;\n }\n\n // Check if window has a parent and it's different from itself\n try {\n return window !== window.parent && window.parent !== null;\n } catch (e) {\n // Cross-origin access might throw an error, but we're still in an iframe\n return true;\n }\n}\n\n/**\n * Generate a unique request ID for tracking auth requests\n *\n * @returns A unique identifier string\n */\nexport function generateRequestId(): string {\n // Use crypto.randomUUID if available (modern browsers)\n if (typeof crypto !== 'undefined' && crypto.randomUUID) {\n return crypto.randomUUID();\n }\n\n // Fallback for older environments: timestamp + random\n return `${Date.now()}-${Math.random().toString(36).substring(2, 11)}`;\n}\n\n/**\n * Validate that a message origin matches the expected origin\n *\n * @param messageOrigin - The origin from the message event\n * @param allowedOrigin - The expected/allowed origin\n * @returns true if origin is valid, false otherwise\n */\nexport function validateOrigin(\n messageOrigin: string,\n allowedOrigin?: string\n): boolean {\n // If no allowed origin is specified, reject (security)\n if (!allowedOrigin) {\n return false;\n }\n\n // Wildcard - allow any origin (development only!)\n if (allowedOrigin === '*') {\n return true;\n }\n\n // Exact match\n if (messageOrigin === allowedOrigin) {\n return true;\n }\n\n // Try URL parsing for more flexible matching\n try {\n const messageUrl = new URL(messageOrigin);\n const allowedUrl = new URL(allowedOrigin);\n return messageUrl.origin === allowedUrl.origin;\n } catch (e) {\n // If URL parsing fails, do simple string match\n return messageOrigin === allowedOrigin;\n }\n}\n\n/**\n * Create a promise that listens for an authentication response\n *\n * @param requestId - The request ID to match against\n * @param origin - The expected parent origin\n * @param timeout - Timeout in milliseconds\n * @returns Promise that resolves with the auth response\n */\nfunction createAuthListener(\n requestId: string,\n origin: string | undefined,\n timeout: number\n): Promise<OxyAuthResponseMessage> {\n return new Promise((resolve, reject) => {\n let timeoutId: NodeJS.Timeout;\n let listener: (event: MessageEvent) => void;\n\n // Set up timeout\n timeoutId = setTimeout(() => {\n window.removeEventListener('message', listener);\n reject(new PostMessageAuthTimeoutError(timeout));\n }, timeout);\n\n // Set up message listener\n listener = (event: MessageEvent) => {\n // Validate origin\n if (!validateOrigin(event.origin, origin)) {\n // Don't reject here - might be other postMessage traffic\n // Just ignore messages from wrong origins\n return;\n }\n\n // Check message type\n if (!event.data || event.data.type !== 'OXY_AUTH_RESPONSE') {\n // Not our message type, ignore\n return;\n }\n\n const response = event.data as OxyAuthResponseMessage;\n\n // Validate request ID matches\n if (response.requestId !== requestId) {\n // Wrong request ID, ignore (might be another auth in progress)\n return;\n }\n\n // Validate version\n if (response.version !== '1.0') {\n clearTimeout(timeoutId);\n window.removeEventListener('message', listener);\n reject(\n new PostMessageAuthInvalidResponseError(\n `Unsupported protocol version: ${response.version}`\n )\n );\n return;\n }\n\n // Success!\n clearTimeout(timeoutId);\n window.removeEventListener('message', listener);\n resolve(response);\n };\n\n // Start listening\n window.addEventListener('message', listener);\n });\n}\n\n/**\n * Request authentication from parent window via postMessage\n *\n * This is the main entry point for iframe-based authentication.\n * It sends a request to the parent window and waits for a response.\n *\n * @param options - Configuration options for the auth request\n * @returns Promise that resolves with authentication credentials\n * @throws {PostMessageAuthNotInIframeError} If not in an iframe\n * @throws {PostMessageAuthTimeoutError} If parent doesn't respond in time\n * @throws {PostMessageAuthInvalidOriginError} If response from wrong origin\n * @throws {PostMessageAuthInvalidResponseError} If response is malformed\n *\n * @example\n * ```typescript\n * const auth = await requestAuthFromParent({\n * parentOrigin: 'https://app.example.com',\n * timeout: 5000\n * });\n * console.log('Received API key:', auth.apiKey);\n * ```\n */\nexport async function requestAuthFromParent(\n options: PostMessageAuthOptions = {}\n): Promise<PostMessageAuthResult> {\n const {\n parentOrigin,\n timeout = 5000,\n retries = 0,\n } = options;\n\n // Validate we're in an iframe\n if (!isInIframe()) {\n throw new PostMessageAuthNotInIframeError();\n }\n\n // Validate we're in a browser environment\n if (typeof window === 'undefined') {\n throw new PostMessageAuthNotInIframeError();\n }\n\n // Generate request ID\n const requestId = generateRequestId();\n\n // Create request message\n const request: OxyAuthRequestMessage = {\n type: 'OXY_AUTH_REQUEST',\n version: '1.0',\n timestamp: Date.now(),\n requestId,\n };\n\n // Attempt authentication with retries\n let lastError: Error | null = null;\n const maxAttempts = retries + 1;\n\n for (let attempt = 0; attempt < maxAttempts; attempt++) {\n try {\n // Set up listener before sending request to avoid race condition\n const responsePromise = createAuthListener(requestId, parentOrigin, timeout);\n\n // Send request to parent\n const targetOrigin = parentOrigin || '*';\n window.parent.postMessage(request, targetOrigin);\n\n // Wait for response\n const response = await responsePromise;\n\n // Return successful result\n return {\n apiKey: response.apiKey,\n projectId: response.projectId,\n baseUrl: response.baseUrl,\n source: 'postmessage',\n };\n } catch (error) {\n lastError = error as Error;\n\n // If this isn't a timeout, don't retry\n if (!(error instanceof PostMessageAuthTimeoutError)) {\n throw error;\n }\n\n // If we have more attempts, continue\n if (attempt < maxAttempts - 1) {\n // Optional: Add a small delay before retry\n await new Promise((resolve) => setTimeout(resolve, 100));\n continue;\n }\n\n // All retries exhausted\n throw error;\n }\n }\n\n // Should never reach here, but TypeScript needs this\n throw lastError || new Error('Authentication failed');\n}\n"],"mappings":";;;;;;;;;AAmIA,IAAa,8BAAb,cAAiD,MAAM;CACrD,YAAY,SAAiB;AAC3B,QACE,kEAAkE,QAAQ,+UAS3E;AACD,OAAK,OAAO;;;;;;AAOhB,IAAa,oCAAb,cAAuD,MAAM;CAC3D,YAAY,UAAkB,QAAgB;AAC5C,QACE,2EACa,SAAS,YACX,OAAO,uEAEnB;AACD,OAAK,OAAO;;;;;;AAOhB,IAAa,kCAAb,cAAqD,MAAM;CACzD,cAAc;AACZ,QACE,uGACoB,OAAO,WAAW,cAAe,WAAW,OAAO,SAAS,qBAAqB,WAAY,wBAAwB,iJAG1I;AACD,OAAK,OAAO;;;;;;AAOhB,IAAa,sCAAb,cAAyD,MAAM;CAC7D,YAAY,QAAgB;AAC1B,QAAM,gDAAgD,SAAS;AAC/D,OAAK,OAAO;;;;;;;;;;;AC9JhB,SAAgB,aAAsB;AAEpC,KAAI,OAAO,WAAW,YACpB,QAAO;AAIT,KAAI;AACF,SAAO,WAAW,OAAO,UAAU,OAAO,WAAW;UAC9C,GAAG;AAEV,SAAO;;;;;;;;AASX,SAAgB,oBAA4B;AAE1C,KAAI,OAAO,WAAW,eAAe,OAAO,WAC1C,QAAO,OAAO,YAAY;AAI5B,QAAO,GAAG,KAAK,KAAK,CAAC,GAAG,KAAK,QAAQ,CAAC,SAAS,GAAG,CAAC,UAAU,GAAG,GAAG;;;;;;;;;AAUrE,SAAgB,eACd,eACA,eACS;AAET,KAAI,CAAC,cACH,QAAO;AAIT,KAAI,kBAAkB,IACpB,QAAO;AAIT,KAAI,kBAAkB,cACpB,QAAO;AAIT,KAAI;EACF,MAAM,aAAa,IAAI,IAAI,cAAc;EACzC,MAAM,aAAa,IAAI,IAAI,cAAc;AACzC,SAAO,WAAW,WAAW,WAAW;UACjC,GAAG;AAEV,SAAO,kBAAkB;;;;;;;;;;;AAY7B,SAAS,mBACP,WACA,QACA,SACiC;AACjC,QAAO,IAAI,SAAS,SAAS,WAAW;EACtC,IAAI;EACJ,IAAI;AAGJ,cAAY,iBAAiB;AAC3B,UAAO,oBAAoB,WAAW,SAAS;AAC/C,UAAO,IAAI,4BAA4B,QAAQ,CAAC;KAC/C,QAAQ;AAGX,cAAY,UAAwB;AAElC,OAAI,CAAC,eAAe,MAAM,QAAQ,OAAO,CAGvC;AAIF,OAAI,CAAC,MAAM,QAAQ,MAAM,KAAK,SAAS,oBAErC;GAGF,MAAM,WAAW,MAAM;AAGvB,OAAI,SAAS,cAAc,UAEzB;AAIF,OAAI,SAAS,YAAY,OAAO;AAC9B,iBAAa,UAAU;AACvB,WAAO,oBAAoB,WAAW,SAAS;AAC/C,WACE,IAAI,oCACF,iCAAiC,SAAS,UAC3C,CACF;AACD;;AAIF,gBAAa,UAAU;AACvB,UAAO,oBAAoB,WAAW,SAAS;AAC/C,WAAQ,SAAS;;AAInB,SAAO,iBAAiB,WAAW,SAAS;GAC5C;;;;;;;;;;;;;;;;;;;;;;;;AAyBJ,eAAsB,sBACpB,UAAkC,EAAE,EACJ;CAChC,MAAM,EACJ,cACA,UAAU,KACV,UAAU,MACR;AAGJ,KAAI,CAAC,YAAY,CACf,OAAM,IAAI,iCAAiC;AAI7C,KAAI,OAAO,WAAW,YACpB,OAAM,IAAI,iCAAiC;CAI7C,MAAM,YAAY,mBAAmB;CAGrC,MAAM,UAAiC;EACrC,MAAM;EACN,SAAS;EACT,WAAW,KAAK,KAAK;EACrB;EACD;CAGD,IAAI,YAA0B;CAC9B,MAAM,cAAc,UAAU;AAE9B,MAAK,IAAI,UAAU,GAAG,UAAU,aAAa,UAC3C,KAAI;EAEF,MAAM,kBAAkB,mBAAmB,WAAW,cAAc,QAAQ;EAG5E,MAAM,eAAe,gBAAgB;AACrC,SAAO,OAAO,YAAY,SAAS,aAAa;EAGhD,MAAM,WAAW,MAAM;AAGvB,SAAO;GACL,QAAQ,SAAS;GACjB,WAAW,SAAS;GACpB,SAAS,SAAS;GAClB,QAAQ;GACT;UACM,OAAO;AACd,cAAY;AAGZ,MAAI,EAAE,iBAAiB,6BACrB,OAAM;AAIR,MAAI,UAAU,cAAc,GAAG;AAE7B,SAAM,IAAI,SAAS,YAAY,WAAW,SAAS,IAAI,CAAC;AACxD;;AAIF,QAAM;;AAKV,OAAM,6BAAa,IAAI,MAAM,wBAAwB"}

package/dist/postMessage-DLGITn0e.mjs.map DELETED Viewed

@@ -1 +0,0 @@

- {"version":3,"file":"postMessage-DLGITn0e.mjs","names":[],"sources":["../src/types.ts","../src/auth/postMessage.ts"],"sourcesContent":["/**\n * Represents an app item in the project\n */\nexport interface AppItem {\n name: string;\n path: string;\n}\n\n/**\n * Reference to a data file (usually parquet)\n */\nexport interface FileReference {\n file_path: string;\n}\n\n/**\n * Table data structure for in-memory tables\n * (used when data is fetched and parsed)\n */\nexport interface TableData {\n columns: string[];\n rows: any[][];\n total_rows?: number;\n}\n\nexport type DataContainer = Record<string, FileReference>;\n\n/**\n * Response from app data endpoints\n */\nexport interface AppDataResponse {\n data: DataContainer | null;\n error: string | null;\n}\n\n/**\n * Display with potential error\n */\nexport interface DisplayWithError {\n display?: DisplayData;\n error?: string;\n}\n\n/**\n * Display data structure\n */\nexport interface DisplayData {\n type: string;\n content: any;\n}\n\n/**\n * Response from get displays endpoint\n */\nexport interface GetDisplaysResponse {\n displays: DisplayWithError[];\n}\n\n/**\n * Error response from the API\n */\nexport interface ApiError {\n message: string;\n status: number;\n details?: any;\n}\n\n/**\n * Query result from ParquetReader\n */\nexport interface QueryResult {\n columns: string[];\n rows: any[][];\n rowCount: number;\n}\n\n/**\n * PostMessage authentication protocol types\n */\n\n/**\n * Request message sent from iframe to parent window\n */\nexport interface OxyAuthRequestMessage {\n type: 'OXY_AUTH_REQUEST';\n version: '1.0';\n timestamp: number;\n requestId: string;\n}\n\n/**\n * Response message sent from parent window to iframe\n */\nexport interface OxyAuthResponseMessage {\n type: 'OXY_AUTH_RESPONSE';\n version: '1.0';\n requestId: string;\n apiKey?: string;\n projectId?: string;\n baseUrl?: string;\n}\n\n/**\n * Options for postMessage authentication\n */\nexport interface PostMessageAuthOptions {\n /** Required parent window origin for security (e.g., 'https://app.example.com'). Use '*' only in development! */\n parentOrigin?: string;\n /** Timeout in milliseconds (default: 5000) */\n timeout?: number;\n /** Number of retry attempts (default: 0) */\n retries?: number;\n}\n\n/**\n * Result from successful postMessage authentication\n */\nexport interface PostMessageAuthResult {\n apiKey?: string;\n projectId?: string;\n baseUrl?: string;\n source: 'postmessage';\n}\n\n/**\n * Custom error classes for postMessage authentication\n */\n\n/**\n * Error thrown when postMessage authentication times out\n */\nexport class PostMessageAuthTimeoutError extends Error {\n constructor(timeout: number) {\n super(\n `Parent window did not respond to authentication request within ${timeout}ms.\\n\\n` +\n `Possible causes:\\n` +\n `- Parent window is not listening for 'OXY_AUTH_REQUEST' messages\\n` +\n `- Parent origin mismatch\\n` +\n `- Network/browser issues\\n\\n` +\n `Troubleshooting:\\n` +\n `1. Verify parent window has message listener set up\\n` +\n `2. Check parentOrigin configuration matches parent window origin\\n` +\n `3. Open browser console in parent window for errors`\n );\n this.name = 'PostMessageAuthTimeoutError';\n }\n}\n\n/**\n * Error thrown when authentication response comes from unauthorized origin\n */\nexport class PostMessageAuthInvalidOriginError extends Error {\n constructor(expected: string, actual: string) {\n super(\n `Received authentication response from unauthorized origin.\\n\\n` +\n `Expected: ${expected}\\n` +\n `Actual: ${actual}\\n\\n` +\n `This is a security error. Verify your parentOrigin configuration.`\n );\n this.name = 'PostMessageAuthInvalidOriginError';\n }\n}\n\n/**\n * Error thrown when postMessage authentication is attempted outside iframe context\n */\nexport class PostMessageAuthNotInIframeError extends Error {\n constructor() {\n super(\n `PostMessage authentication is only available when running in an iframe context.\\n\\n` +\n `Current context: ${typeof window !== 'undefined' ? (window === window.parent ? 'top-level window' : 'iframe') : 'non-browser (Node.js)'}\\n\\n` +\n `If you're running in a regular browser window, use direct configuration instead:\\n` +\n `const client = new OxyClient({ apiKey: 'your-key', ... })`\n );\n this.name = 'PostMessageAuthNotInIframeError';\n }\n}\n\n/**\n * Error thrown when authentication response is malformed or invalid\n */\nexport class PostMessageAuthInvalidResponseError extends Error {\n constructor(reason: string) {\n super(`Invalid authentication response from parent: ${reason}`);\n this.name = 'PostMessageAuthInvalidResponseError';\n }\n}\n","/**\n * PostMessage-based authentication for iframe scenarios\n *\n * This module enables secure cross-origin authentication between an iframe\n * (running the Oxy SDK) and its parent window (holding the API key).\n */\n\nimport type {\n OxyAuthRequestMessage,\n OxyAuthResponseMessage,\n PostMessageAuthOptions,\n PostMessageAuthResult,\n} from '../types';\n\nimport {\n PostMessageAuthTimeoutError,\n PostMessageAuthInvalidOriginError,\n PostMessageAuthNotInIframeError,\n PostMessageAuthInvalidResponseError,\n} from '../types';\n\n/**\n * Check if the current context is running inside an iframe\n *\n * @returns true if running in an iframe, false otherwise (including Node.js)\n */\nexport function isInIframe(): boolean {\n // Check if we're in a browser environment\n if (typeof window === 'undefined') {\n return false;\n }\n\n // Check if window has a parent and it's different from itself\n try {\n return window !== window.parent && window.parent !== null;\n } catch (e) {\n // Cross-origin access might throw an error, but we're still in an iframe\n return true;\n }\n}\n\n/**\n * Generate a unique request ID for tracking auth requests\n *\n * @returns A unique identifier string\n */\nexport function generateRequestId(): string {\n // Use crypto.randomUUID if available (modern browsers)\n if (typeof crypto !== 'undefined' && crypto.randomUUID) {\n return crypto.randomUUID();\n }\n\n // Fallback for older environments: timestamp + random\n return `${Date.now()}-${Math.random().toString(36).substring(2, 11)}`;\n}\n\n/**\n * Validate that a message origin matches the expected origin\n *\n * @param messageOrigin - The origin from the message event\n * @param allowedOrigin - The expected/allowed origin\n * @returns true if origin is valid, false otherwise\n */\nexport function validateOrigin(\n messageOrigin: string,\n allowedOrigin?: string\n): boolean {\n // If no allowed origin is specified, reject (security)\n if (!allowedOrigin) {\n return false;\n }\n\n // Wildcard - allow any origin (development only!)\n if (allowedOrigin === '*') {\n return true;\n }\n\n // Exact match\n if (messageOrigin === allowedOrigin) {\n return true;\n }\n\n // Try URL parsing for more flexible matching\n try {\n const messageUrl = new URL(messageOrigin);\n const allowedUrl = new URL(allowedOrigin);\n return messageUrl.origin === allowedUrl.origin;\n } catch (e) {\n // If URL parsing fails, do simple string match\n return messageOrigin === allowedOrigin;\n }\n}\n\n/**\n * Create a promise that listens for an authentication response\n *\n * @param requestId - The request ID to match against\n * @param origin - The expected parent origin\n * @param timeout - Timeout in milliseconds\n * @returns Promise that resolves with the auth response\n */\nfunction createAuthListener(\n requestId: string,\n origin: string | undefined,\n timeout: number\n): Promise<OxyAuthResponseMessage> {\n return new Promise((resolve, reject) => {\n let timeoutId: NodeJS.Timeout;\n let listener: (event: MessageEvent) => void;\n\n // Set up timeout\n timeoutId = setTimeout(() => {\n window.removeEventListener('message', listener);\n reject(new PostMessageAuthTimeoutError(timeout));\n }, timeout);\n\n // Set up message listener\n listener = (event: MessageEvent) => {\n // Validate origin\n if (!validateOrigin(event.origin, origin)) {\n // Don't reject here - might be other postMessage traffic\n // Just ignore messages from wrong origins\n return;\n }\n\n // Check message type\n if (!event.data || event.data.type !== 'OXY_AUTH_RESPONSE') {\n // Not our message type, ignore\n return;\n }\n\n const response = event.data as OxyAuthResponseMessage;\n\n // Validate request ID matches\n if (response.requestId !== requestId) {\n // Wrong request ID, ignore (might be another auth in progress)\n return;\n }\n\n // Validate version\n if (response.version !== '1.0') {\n clearTimeout(timeoutId);\n window.removeEventListener('message', listener);\n reject(\n new PostMessageAuthInvalidResponseError(\n `Unsupported protocol version: ${response.version}`\n )\n );\n return;\n }\n\n // Success!\n clearTimeout(timeoutId);\n window.removeEventListener('message', listener);\n resolve(response);\n };\n\n // Start listening\n window.addEventListener('message', listener);\n });\n}\n\n/**\n * Request authentication from parent window via postMessage\n *\n * This is the main entry point for iframe-based authentication.\n * It sends a request to the parent window and waits for a response.\n *\n * @param options - Configuration options for the auth request\n * @returns Promise that resolves with authentication credentials\n * @throws {PostMessageAuthNotInIframeError} If not in an iframe\n * @throws {PostMessageAuthTimeoutError} If parent doesn't respond in time\n * @throws {PostMessageAuthInvalidOriginError} If response from wrong origin\n * @throws {PostMessageAuthInvalidResponseError} If response is malformed\n *\n * @example\n * ```typescript\n * const auth = await requestAuthFromParent({\n * parentOrigin: 'https://app.example.com',\n * timeout: 5000\n * });\n * console.log('Received API key:', auth.apiKey);\n * ```\n */\nexport async function requestAuthFromParent(\n options: PostMessageAuthOptions = {}\n): Promise<PostMessageAuthResult> {\n const {\n parentOrigin,\n timeout = 5000,\n retries = 0,\n } = options;\n\n // Validate we're in an iframe\n if (!isInIframe()) {\n throw new PostMessageAuthNotInIframeError();\n }\n\n // Validate we're in a browser environment\n if (typeof window === 'undefined') {\n throw new PostMessageAuthNotInIframeError();\n }\n\n // Generate request ID\n const requestId = generateRequestId();\n\n // Create request message\n const request: OxyAuthRequestMessage = {\n type: 'OXY_AUTH_REQUEST',\n version: '1.0',\n timestamp: Date.now(),\n requestId,\n };\n\n // Attempt authentication with retries\n let lastError: Error | null = null;\n const maxAttempts = retries + 1;\n\n for (let attempt = 0; attempt < maxAttempts; attempt++) {\n try {\n // Set up listener before sending request to avoid race condition\n const responsePromise = createAuthListener(requestId, parentOrigin, timeout);\n\n // Send request to parent\n const targetOrigin = parentOrigin || '*';\n window.parent.postMessage(request, targetOrigin);\n\n // Wait for response\n const response = await responsePromise;\n\n // Return successful result\n return {\n apiKey: response.apiKey,\n projectId: response.projectId,\n baseUrl: response.baseUrl,\n source: 'postmessage',\n };\n } catch (error) {\n lastError = error as Error;\n\n // If this isn't a timeout, don't retry\n if (!(error instanceof PostMessageAuthTimeoutError)) {\n throw error;\n }\n\n // If we have more attempts, continue\n if (attempt < maxAttempts - 1) {\n // Optional: Add a small delay before retry\n await new Promise((resolve) => setTimeout(resolve, 100));\n continue;\n }\n\n // All retries exhausted\n throw error;\n }\n }\n\n // Should never reach here, but TypeScript needs this\n throw lastError || new Error('Authentication failed');\n}\n"],"mappings":";;;;;;;;AAmIA,IAAa,8BAAb,cAAiD,MAAM;CACrD,YAAY,SAAiB;AAC3B,QACE,kEAAkE,QAAQ,+UAS3E;AACD,OAAK,OAAO;;;;;;AAOhB,IAAa,oCAAb,cAAuD,MAAM;CAC3D,YAAY,UAAkB,QAAgB;AAC5C,QACE,2EACa,SAAS,YACX,OAAO,uEAEnB;AACD,OAAK,OAAO;;;;;;AAOhB,IAAa,kCAAb,cAAqD,MAAM;CACzD,cAAc;AACZ,QACE,uGACoB,OAAO,WAAW,cAAe,WAAW,OAAO,SAAS,qBAAqB,WAAY,wBAAwB,iJAG1I;AACD,OAAK,OAAO;;;;;;AAOhB,IAAa,sCAAb,cAAyD,MAAM;CAC7D,YAAY,QAAgB;AAC1B,QAAM,gDAAgD,SAAS;AAC/D,OAAK,OAAO;;;;;;;;;;;AC9JhB,SAAgB,aAAsB;AAEpC,KAAI,OAAO,WAAW,YACpB,QAAO;AAIT,KAAI;AACF,SAAO,WAAW,OAAO,UAAU,OAAO,WAAW;UAC9C,GAAG;AAEV,SAAO;;;;;;;;AASX,SAAgB,oBAA4B;AAE1C,KAAI,OAAO,WAAW,eAAe,OAAO,WAC1C,QAAO,OAAO,YAAY;AAI5B,QAAO,GAAG,KAAK,KAAK,CAAC,GAAG,KAAK,QAAQ,CAAC,SAAS,GAAG,CAAC,UAAU,GAAG,GAAG;;;;;;;;;AAUrE,SAAgB,eACd,eACA,eACS;AAET,KAAI,CAAC,cACH,QAAO;AAIT,KAAI,kBAAkB,IACpB,QAAO;AAIT,KAAI,kBAAkB,cACpB,QAAO;AAIT,KAAI;EACF,MAAM,aAAa,IAAI,IAAI,cAAc;EACzC,MAAM,aAAa,IAAI,IAAI,cAAc;AACzC,SAAO,WAAW,WAAW,WAAW;UACjC,GAAG;AAEV,SAAO,kBAAkB;;;;;;;;;;;AAY7B,SAAS,mBACP,WACA,QACA,SACiC;AACjC,QAAO,IAAI,SAAS,SAAS,WAAW;EACtC,IAAI;EACJ,IAAI;AAGJ,cAAY,iBAAiB;AAC3B,UAAO,oBAAoB,WAAW,SAAS;AAC/C,UAAO,IAAI,4BAA4B,QAAQ,CAAC;KAC/C,QAAQ;AAGX,cAAY,UAAwB;AAElC,OAAI,CAAC,eAAe,MAAM,QAAQ,OAAO,CAGvC;AAIF,OAAI,CAAC,MAAM,QAAQ,MAAM,KAAK,SAAS,oBAErC;GAGF,MAAM,WAAW,MAAM;AAGvB,OAAI,SAAS,cAAc,UAEzB;AAIF,OAAI,SAAS,YAAY,OAAO;AAC9B,iBAAa,UAAU;AACvB,WAAO,oBAAoB,WAAW,SAAS;AAC/C,WACE,IAAI,oCACF,iCAAiC,SAAS,UAC3C,CACF;AACD;;AAIF,gBAAa,UAAU;AACvB,UAAO,oBAAoB,WAAW,SAAS;AAC/C,WAAQ,SAAS;;AAInB,SAAO,iBAAiB,WAAW,SAAS;GAC5C;;;;;;;;;;;;;;;;;;;;;;;;AAyBJ,eAAsB,sBACpB,UAAkC,EAAE,EACJ;CAChC,MAAM,EACJ,cACA,UAAU,KACV,UAAU,MACR;AAGJ,KAAI,CAAC,YAAY,CACf,OAAM,IAAI,iCAAiC;AAI7C,KAAI,OAAO,WAAW,YACpB,OAAM,IAAI,iCAAiC;CAI7C,MAAM,YAAY,mBAAmB;CAGrC,MAAM,UAAiC;EACrC,MAAM;EACN,SAAS;EACT,WAAW,KAAK,KAAK;EACrB;EACD;CAGD,IAAI,YAA0B;CAC9B,MAAM,cAAc,UAAU;AAE9B,MAAK,IAAI,UAAU,GAAG,UAAU,aAAa,UAC3C,KAAI;EAEF,MAAM,kBAAkB,mBAAmB,WAAW,cAAc,QAAQ;EAG5E,MAAM,eAAe,gBAAgB;AACrC,SAAO,OAAO,YAAY,SAAS,aAAa;EAGhD,MAAM,WAAW,MAAM;AAGvB,SAAO;GACL,QAAQ,SAAS;GACjB,WAAW,SAAS;GACpB,SAAS,SAAS;GAClB,QAAQ;GACT;UACM,OAAO;AACd,cAAY;AAGZ,MAAI,EAAE,iBAAiB,6BACrB,OAAM;AAIR,MAAI,UAAU,cAAc,GAAG;AAE7B,SAAM,IAAI,SAAS,YAAY,WAAW,SAAS,IAAI,CAAC;AACxD;;AAIF,QAAM;;AAKV,OAAM,6BAAa,IAAI,MAAM,wBAAwB"}