@passflow/core 0.2.0 → 0.2.8

package/dist/index.mjs

@@ -1,9 +1,9 @@
 import D from "axios";
 import { v4 as H } from "uuid";
 import { startRegistration as K, startAuthentication as j } from "@simplewebauthn/browser";
-const z = "0.1.47", X = {
+const z = "0.2.8", X = {
   version: z
-}, C = "X-Passflow-Clientid", _ = "Authorization", W = "X-Passflow-DeviceId", J = "X-Passflow-DeviceType", Z = X.version, Ne = ["id", "offline", "openid"], Q = ["id", "offline", "tenant", "email", "oidc", "openid", "access:tenant:all"], G = "https://auth.passflow.cloud", Ke = "default", ee = 500, te = 600, se = 100, re = 6e4, V = 30, ie = 3, oe = 30, ne = 200, ae = (i) => {
+}, C = "X-Passflow-Clientid", _ = "Authorization", W = "X-Passflow-DeviceId", J = "X-Passflow-DeviceType", Z = X.version, Ne = ["id", "offline", "openid"], Q = ["id", "offline", "tenant", "email", "oidc", "openid", "access:tenant:all"], G = "https://auth.passflow.cloud", Ke = "default", ee = 500, te = 600, se = 100, re = 6e4, V = 30, ie = 3, ne = 30, oe = 200, ae = (i) => {
   const e = [];
   let t;
   for (t in i) {
@@ -11,10 +11,10 @@ const z = "0.1.47", X = {
     if (s === void 0)
       continue;
     const r = { tenant: { id: s.tenant_id, name: s.tenant_name } };
-    r.groups = s.groups ? Object.keys(s.groups).map((o) => {
-      const n = s.groups[o] || [];
-      return { group: { id: o, name: s.group_names?.[o] ?? "unknown" }, roles: n };
-    }) : [], r.tenantRoles = r.groups?.find((o) => o.group.id === s.root_group_id), e.push(r);
+    r.groups = s.groups ? Object.keys(s.groups).map((n) => {
+      const o = s.groups[n] || [];
+      return { group: { id: n, name: s.group_names?.[n] ?? "unknown" }, roles: o };
+    }) : [], r.tenantRoles = r.groups?.find((n) => n.group.id === s.root_group_id), e.push(r);
   }
   return { raw: i, tenants: e };
 };
@@ -39,7 +39,7 @@ class he {
     const t = this.storageManager.getToken(e);
     if (!t) return !0;
     const s = y(t);
-    return s ? S(s) : !0;
+    return s ? m(s) : !0;
   }
   /**
    * Parse token from storage by type.
@@ -54,19 +54,19 @@ class he {
       return y(t);
   }
 }
-function S(i, e = V) {
+function m(i, e = V) {
   return Math.floor(Date.now() / 1e3) + e > i.exp;
 }
 function y(i) {
   const e = i.split(".")[1];
   if (!e) throw new Error("Invalid token string");
-  const t = e.replace(/-/g, "+").replace(/_/g, "/"), s = t + "=".repeat((4 - t.length % 4) % 4), r = ce(s), o = decodeURIComponent(
+  const t = e.replace(/-/g, "+").replace(/_/g, "/"), s = t + "=".repeat((4 - t.length % 4) % 4), r = ce(s), n = decodeURIComponent(
     r.split("").map((d) => "%" + ("00" + d.charCodeAt(0).toString(16)).slice(-2)).join("")
-  ), n = JSON.parse(o);
-  return n.membership = n.passflow_tm && n.type !== "invite" ? ae(n.passflow_tm) : void 0, n;
+  ), o = JSON.parse(n);
+  return o.membership = o.passflow_tm && o.type !== "invite" ? ae(o.passflow_tm) : void 0, o;
 }
 var k = /* @__PURE__ */ ((i) => (i.id_token = "id_token", i.access_token = "access", i.refresh_token = "refresh", i.invite_token = "invite", i.reset_token = "reset", i.web_cookie = "web-cookie", i.management = "management", i.signin = "signin", i.actor = "actor", i.two_factor = "2fa", i))(k || {}), v = /* @__PURE__ */ ((i) => (i.JsonBody = "json_body", i.Cookie = "cookie", i.Mobile = "mobile", i.BFF = "bff", i))(v || {}), q = /* @__PURE__ */ ((i) => (i.Unknown = "unknown", i.Valid = "valid", i.Invalid = "invalid", i))(q || {});
-class B {
+class Y {
   constructor(e) {
     this.storageManager = e, this.mode = "json_body", this.sessionState = "unknown", this.isInitializedFlag = !1, this.STORAGE_PREFIX = "passflow_", this.DELIVERY_MODE_KEY = `${this.STORAGE_PREFIX}delivery_mode`, this.SESSION_STATE_KEY = `${this.STORAGE_PREFIX}session_state`, this.loadPersistedMode(), this.loadPersistedSessionState();
   }
@@ -227,8 +227,8 @@ class $ {
    * In JSON mode: save all tokens (existing behavior)
    */
   saveTokens(e, t) {
-    const { id_token: s, access_token: r, refresh_token: o, scopes: n } = e;
-    t === v.Cookie || t === v.BFF ? s && this.storage.setItem(this.ID_TOKEN_KEY, s) : (s && this.storage.setItem(this.getKeyForTokenType(k.id_token), s), r && this.storage.setItem(this.getKeyForTokenType(k.access_token), r), o && this.storage.setItem(this.getKeyForTokenType(k.refresh_token), o), n && this.storage.setItem(this.scopes, n.join(",")));
+    const { id_token: s, access_token: r, refresh_token: n, scopes: o } = e;
+    t === v.Cookie || t === v.BFF ? s && this.storage.setItem(this.ID_TOKEN_KEY, s) : (s && this.storage.setItem(this.getKeyForTokenType(k.id_token), s), r && this.storage.setItem(this.getKeyForTokenType(k.access_token), r), n && this.storage.setItem(this.getKeyForTokenType(k.refresh_token), n), o && this.storage.setItem(this.scopes, o.join(",")));
   }
   getToken(e) {
     const t = this.getKeyForTokenType(e);
@@ -386,7 +386,7 @@ class $ {
     return `${this.keyStoragePrefix}${e}`;
   }
 }
-class Y {
+class B {
   constructor(e) {
     this.storageManager = e ?? new $();
   }
@@ -423,12 +423,12 @@ class T {
       Accept: "application/json",
       "Content-Type": "application/json"
     }, this.nonAccessTokenEndpoints = ["/auth/", "/settings", "/settings/"], this.protectedEndpoints = ["logout", "refresh"];
-    const { url: r, appId: o, keyStoragePrefix: n } = e;
+    const { url: r, appId: n, keyStoragePrefix: o } = e;
     this.url = r || G, this.storageManager = t ?? new $({
-      prefix: n ?? ""
-    }), this.deviceService = s ?? new Y(this.storageManager), this.tokenService = new he(this.storageManager), this.tokenDeliveryManager = new B(this.storageManager), o && (this.appId = o, this.defaultHeaders = {
+      prefix: o ?? ""
+    }), this.deviceService = s ?? new B(this.storageManager), this.tokenService = new he(this.storageManager), this.tokenDeliveryManager = new Y(this.storageManager), n && (this.appId = n, this.defaultHeaders = {
       ...this.defaultHeaders,
-      [C]: o
+      [C]: n
     });
     const d = this.deviceService.getDeviceId();
     this.defaultHeaders = {
@@ -456,7 +456,7 @@ class T {
       const g = this.storageManager.getTokens();
       if (g?.access_token) {
         const p = y(g.access_token);
-        if (S(p, V) && g.refresh_token)
+        if (m(p, V) && g.refresh_token)
           try {
             if (this.refreshPromise) {
               const f = await this.refreshPromise;
@@ -495,7 +495,7 @@ class T {
       try {
         document.cookie = "passflow_test=1; SameSite=Lax";
         const e = document.cookie.indexOf("passflow_test=1") !== -1;
-        document.cookie = "passflow_test=; expires=Thu, 01 Jan 1970 00:00:00 UTC", !e && this.tokenDeliveryManager.isCookieMode() && console.warn("[Passflow SDK] Cookies are blocked. Cookie mode may not work.");
+        document.cookie = "passflow_test=; expires=Thu, 01 Jan 1970 00:00:00 UTC", !e && this.tokenDeliveryManager.isCookieMode();
       } catch {
       }
   }
@@ -535,21 +535,21 @@ class T {
     const s = t.method?.toUpperCase();
     if (!["GET", "HEAD", "OPTIONS"].includes(s || ""))
       return Promise.reject(e);
-    const o = t._retryCount || 0;
-    if (o >= le)
+    const n = t._retryCount || 0;
+    if (n >= le)
       return Promise.reject(e);
-    let n = ge * Math.pow(2, o);
+    let o = ge * Math.pow(2, n);
     const d = e.response?.headers?.["retry-after"];
     if (d) {
       const c = Number.parseInt(d, 10);
       if (!Number.isNaN(c))
-        n = c * 1e3;
+        o = c * 1e3;
       else {
         const g = new Date(d);
-        Number.isNaN(g.getTime()) || (n = Math.max(0, g.getTime() - Date.now()));
+        Number.isNaN(g.getTime()) || (o = Math.max(0, g.getTime() - Date.now()));
       }
     }
-    return await new Promise((c) => setTimeout(c, n)), t._retryCount = o + 1, this.instance.request(t);
+    return await new Promise((c) => setTimeout(c, o)), t._retryCount = n + 1, this.instance.request(t);
   }
   // eslint-disable-next-line complexity
   // biome-ignore lint/suspicious/useAwait: <explanation>
@@ -658,7 +658,7 @@ class fe {
     );
   }
   passwordlessSignIn(e, t, s) {
-    const { create_tenant: r } = e, o = {
+    const { create_tenant: r } = e, n = {
       ...e,
       create_tenant: r ?? !1,
       device: t,
@@ -666,7 +666,7 @@ class fe {
     };
     return this.axiosClient.post(
       h.passwordless,
-      o
+      n
     );
   }
   passwordlessSignInComplete(e) {
@@ -676,8 +676,8 @@ class fe {
     );
   }
   logOut(e, t, s = !1) {
-    const r = s ? void 0 : { refresh_token: t, device: e }, o = s ? w.logout : h.logout;
-    return this.axiosClient.post(o, r);
+    const r = s ? void 0 : { refresh_token: t, device: e }, n = s ? w.logout : h.logout;
+    return this.axiosClient.post(n, r);
   }
   validateSession() {
     return this.axiosClient.get(h.validateSession);
@@ -701,52 +701,52 @@ class fe {
     });
   }
   passkeyRegisterStart(e, t, s, r = !1) {
-    const { create_tenant: o } = e, n = {
+    const { create_tenant: n } = e, o = {
       ...e,
-      create_tenant: o ?? !1,
+      create_tenant: n ?? !1,
       device: t,
       os: s
     }, d = r ? w.passkeyRegisterStart : h.passkeyRegisterStart;
-    return this.axiosClient.post(d, n);
+    return this.axiosClient.post(d, o);
   }
   passkeyRegisterComplete(e, t, s, r = !1) {
-    const o = {
+    const n = {
       challenge_id: s,
       device: t,
       passkey_data: e
-    }, n = r ? w.passkeyRegisterComplete : h.passkeyRegisterComplete;
-    return this.axiosClient.post(n, o);
+    }, o = r ? w.passkeyRegisterComplete : h.passkeyRegisterComplete;
+    return this.axiosClient.post(o, n);
   }
   passkeyAuthenticateStart(e, t, s, r = !1) {
-    const o = {
+    const n = {
       ...e,
       user_id: e.user_id ?? "",
       device: t,
       os: s
-    }, n = r ? w.passkeyAuthenticateStart : h.passkeyAuthenticateStart;
+    }, o = r ? w.passkeyAuthenticateStart : h.passkeyAuthenticateStart;
     return this.axiosClient.post(
-      n,
-      o
+      o,
+      n
     );
   }
   passkeyAuthenticateComplete(e, t, s, r = !1) {
-    const o = {
+    const n = {
       challenge_id: s,
       device: t,
       passkey_data: e
-    }, n = r ? w.passkeyAuthenticateComplete : h.passkeyAuthenticateComplete;
-    return this.axiosClient.post(n, o);
+    }, o = r ? w.passkeyAuthenticateComplete : h.passkeyAuthenticateComplete;
+    return this.axiosClient.post(o, n);
   }
-  passkeyValidate(e, t, s, r = !1, o) {
-    const n = {
+  passkeyValidate(e, t, s, r = !1, n) {
+    const o = {
       otp: e,
       device: t,
       challenge_id: s
     };
     let d = h.passkeyValidate;
-    !o && r && (d = w.passkeyValidate);
-    const c = o ? { [C]: o } : {};
-    return this.axiosClient.post(d, n, { headers: c });
+    !n && r && (d = w.passkeyValidate);
+    const c = n ? { [C]: n } : {};
+    return this.axiosClient.post(d, o, { headers: c });
   }
 }
 class ke {
@@ -918,8 +918,8 @@ class ve {
    * @param name New group name
    */
   updateGroup(e, t, s) {
-    const r = `${h.tenantPath}/${e}/group/${t}`, o = { name: s };
-    return this.axiosClient.put(r, o);
+    const r = `${h.tenantPath}/${e}/group/${t}`, n = { name: s };
+    return this.axiosClient.put(r, n);
   }
   /**
    * Delete a group
@@ -938,8 +938,8 @@ class ve {
    * @param role Role to assign
    */
   addUserToGroup(e, t, s, r) {
-    const o = `${h.tenantPath}/${e}/group/${t}/add`, n = { user_id: s, role: r };
-    return this.axiosClient.post(o, n);
+    const n = `${h.tenantPath}/${e}/group/${t}/add`, o = { user_id: s, role: r };
+    return this.axiosClient.post(n, o);
   }
   /**
    * Remove user roles from a group
@@ -949,8 +949,8 @@ class ve {
    * @param roles Roles to remove
    */
   removeUserRolesFromGroup(e, t, s, r) {
-    const o = `${h.tenantPath}/${e}/group/${t}/remove_roles`, n = { user_id: s, roles: r };
-    return this.axiosClient.post(o, n);
+    const n = `${h.tenantPath}/${e}/group/${t}/remove_roles`, o = { user_id: s, roles: r };
+    return this.axiosClient.post(n, o);
   }
   /**
    * Change user roles in a group
@@ -960,8 +960,8 @@ class ve {
    * @param roles New roles to assign
    */
   changeUserRoles(e, t, s, r) {
-    const o = `${h.tenantPath}/${e}/group/${t}/change`, n = { user_id: s, roles: r };
-    return this.axiosClient.post(o, n);
+    const n = `${h.tenantPath}/${e}/group/${t}/change`, o = { user_id: s, roles: r };
+    return this.axiosClient.post(n, o);
   }
   /**
    * Delete a user from a group
@@ -998,8 +998,8 @@ class ve {
    * @param name New role name
    */
   updateRole(e, t, s) {
-    const r = `${h.tenantPath}/${e}/role/${t}`, o = { name: s };
-    return this.axiosClient.put(r, o);
+    const r = `${h.tenantPath}/${e}/role/${t}`, n = { name: s };
+    return this.axiosClient.put(r, n);
   }
   /**
    * Delete a role
@@ -1029,8 +1029,8 @@ class ve {
    * @param skip Number of invitations to skip
    */
   getGroupInvitations(e, t, s, r) {
-    const o = `${h.tenantPath}/${e}/group/${t}/invitations`;
-    return this.axiosClient.get(o, {
+    const n = `${h.tenantPath}/${e}/group/${t}/invitations`;
+    return this.axiosClient.get(n, {
       params: { limit: s, skip: r }
     });
   }
@@ -1067,7 +1067,7 @@ class ve {
     return this.axiosClient.delete(r);
   }
 }
-class Se {
+class me {
   constructor(e, t, s) {
     this.axiosClient = new T(e, t, s);
   }
@@ -1172,21 +1172,24 @@ class Se {
       transformRequest: [
         (s, r) => (r && delete r.Authorization, s)
       ]
-    }).then((s) => ({
-      success: !0,
-      sessionToken: s.session_token,
-      userId: s.user_id,
-      expiresIn: s.expires_in,
-      appId: s.app_id
-    })).catch((s) => {
+    }).then((s) => {
+      const r = s;
+      return {
+        success: !0,
+        sessionToken: r.session_token,
+        userId: r.user_id,
+        expiresIn: r.expires_in,
+        appId: r.app_id
+      };
+    }).catch((s) => {
       if (s.response) {
-        const r = s.response.status, o = s.response.data || {}, n = s.response.headers?.["retry-after"] ? parseInt(s.response.headers["retry-after"], 10) : void 0;
+        const r = s.response.status, n = s.response.data || {}, o = s.response.headers?.["retry-after"] ? parseInt(s.response.headers["retry-after"], 10) : void 0;
         return {
           success: !1,
           error: {
-            code: o.error || this.mapStatusToErrorCode(r),
-            message: o.message || this.getDefaultErrorMessage(r),
-            retryAfter: n
+            code: n.error || this.mapStatusToErrorCode(r),
+            message: n.message || this.getDefaultErrorMessage(r),
+            retryAfter: o
           }
         };
       }
@@ -1234,7 +1237,7 @@ class Se {
     }
   }
 }
-class me {
+class Se {
   constructor(e, t, s) {
     this.axiosClient = new T(e, t, s);
   }
@@ -1260,16 +1263,16 @@ class me {
     deviceId: t,
     os: s,
     passkeyDisplayName: r,
-    passkeyUsername: o
+    passkeyUsername: n
   }) {
-    const n = {
+    const o = {
       passkey_display_name: r,
-      passkey_username: o,
+      passkey_username: n,
       relying_party_id: e,
       deviceId: t,
       os: s
     };
-    return this.axiosClient.post(h.addUserPasskey, n);
+    return this.axiosClient.post(h.addUserPasskey, o);
   }
   addUserPasskeyComplete(e, t, s) {
     return this.axiosClient.post(h.completeAddUserPasskey, {
@@ -1320,7 +1323,7 @@ class we {
     });
   }
 }
-function F(i) {
+function M(i) {
   if (!i || typeof i != "string") return !1;
   const e = i.split(".");
   if (e.length !== 3) return !1;
@@ -1328,9 +1331,9 @@ function F(i) {
   return e.every((s) => t.test(s) && s.length > 0);
 }
 function Te(i) {
-  return i.replace(/<[^>]*>/g, "").substring(0, ne);
+  return i.replace(/<[^>]*>/g, "").substring(0, oe);
 }
-function M(i) {
+function F(i) {
   if (!i || typeof i != "string") return !1;
   const e = i.trim();
   return e.length === 0 ? !1 : /^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(e);
@@ -1343,7 +1346,7 @@ function x(i) {
 function Ee(i) {
   if (!i || typeof i != "string") return !1;
   const e = i.trim();
-  return e.length < ie || e.length > oe ? !1 : /^[a-zA-Z0-9_-]+$/.test(e);
+  return e.length < ie || e.length > ne ? !1 : /^[a-zA-Z0-9_-]+$/.test(e);
 }
 function R(i, e = 6) {
   return !i || typeof i != "string" ? !1 : (e === 8 ? /^\d{8}$/ : /^\d{6}$/).test(i);
@@ -1354,8 +1357,8 @@ function _e(i) {
   return /^[A-Z0-9-]{4,16}$/.test(e) ? e : null;
 }
 class Ie {
-  constructor(e, t, s, r, o, n, d, c, g, p, f, b) {
-    this.authApi = e, this.deviceService = t, this.storageManager = s, this.subscribeStore = r, this.tokenCacheService = o, this.scopes = n, this.createTenantForNewUser = d, this.origin = c, this.url = g, this.sessionCallbacks = p, this.appId = f, this.tokenExchangeConfig = b, this.tokenDeliveryManager = new B(s), b?.enabled && this.tokenDeliveryManager.setMode(v.BFF), this.initializeSession();
+  constructor(e, t, s, r, n, o, d, c, g, p, f, b) {
+    this.authApi = e, this.deviceService = t, this.storageManager = s, this.subscribeStore = r, this.tokenCacheService = n, this.scopes = o, this.createTenantForNewUser = d, this.origin = c, this.url = g, this.sessionCallbacks = p, this.appId = f, this.tokenExchangeConfig = b, this.tokenDeliveryManager = new Y(s), b?.enabled && this.tokenDeliveryManager.setMode(v.BFF), this.initializeSession();
   }
   /**
    * Initialize session state on page load for cookie/BFF mode
@@ -1401,61 +1404,52 @@ class Ie {
    * Forward tokens to BFF server for httpOnly cookie storage
    */
   async forwardTokensToBFF(e) {
-    if (!this.tokenExchangeConfig?.callbackUrl) {
-      console.warn("[Passflow SDK] BFF mode enabled but callbackUrl not configured");
+    if (!this.tokenExchangeConfig?.callbackUrl)
       return;
-    }
-    try {
-      const t = await fetch(this.tokenExchangeConfig.callbackUrl, {
-        method: "POST",
-        credentials: "include",
-        // Include/set httpOnly cookies
-        headers: {
-          "Content-Type": "application/json"
-        },
-        body: JSON.stringify({
-          access_token: e.access_token,
-          refresh_token: e.refresh_token,
-          id_token: e.id_token,
-          // expires_in is returned by the server but not typed in the SDK
-          expires_in: e.expires_in
-        })
-      });
-      if (!t.ok) {
-        const s = await t.text();
-        throw console.error("[Passflow SDK] Failed to forward tokens to BFF:", s), new Error(`BFF token storage failed: ${t.status}`);
-      }
-      console.log("[Passflow SDK] Tokens forwarded to BFF successfully");
-    } catch (t) {
-      throw console.error("[Passflow SDK] Error forwarding tokens to BFF:", t), t;
-    }
+    const t = await fetch(this.tokenExchangeConfig.callbackUrl, {
+      method: "POST",
+      credentials: "include",
+      // Include/set httpOnly cookies
+      headers: {
+        "Content-Type": "application/json"
+      },
+      body: JSON.stringify({
+        access_token: e.access_token,
+        refresh_token: e.refresh_token,
+        id_token: e.id_token,
+        // expires_in is returned by the server but not typed in the SDK
+        expires_in: e.expires_in
+      })
+    });
+    if (!t.ok)
+      throw new Error(`BFF token storage failed: ${t.status}`);
   }
   async signIn(e) {
-    if ("email" in e && e.email && !M(e.email)) {
-      const r = new Error("Invalid email format"), o = {
+    if ("email" in e && e.email && !F(e.email)) {
+      const r = new Error("Invalid email format"), n = {
         message: "Invalid email format",
         originalError: r,
         code: "VALIDATION_ERROR"
       };
-      throw this.subscribeStore.notify(a.Error, o), r;
+      throw this.subscribeStore.notify(a.Error, n), r;
     }
     if ("username" in e && e.username && !Ee(e.username)) {
       const r = new Error(
         "Invalid username format. Username must be 3-30 characters and contain only letters, numbers, underscores, and hyphens"
-      ), o = {
+      ), n = {
         message: "Invalid username format. Username must be 3-30 characters and contain only letters, numbers, underscores, and hyphens",
         originalError: r,
         code: "VALIDATION_ERROR"
       };
-      throw this.subscribeStore.notify(a.Error, o), r;
+      throw this.subscribeStore.notify(a.Error, n), r;
     }
     if ("phone" in e && e.phone && !x(e.phone)) {
-      const r = new Error("Invalid phone number format. Phone must be in E.164 format (e.g., +12345678901)"), o = {
+      const r = new Error("Invalid phone number format. Phone must be in E.164 format (e.g., +12345678901)"), n = {
         message: "Invalid phone number format. Phone must be in E.164 format (e.g., +12345678901)",
         originalError: r,
         code: "VALIDATION_ERROR"
       };
-      throw this.subscribeStore.notify(a.Error, o), r;
+      throw this.subscribeStore.notify(a.Error, n), r;
     }
     this.subscribeStore.notify(a.SignInStart, { email: e.email });
     const t = this.deviceService.getDeviceId(), s = I.web;
@@ -1471,16 +1465,16 @@ class Ie {
         parsedTokens: this.tokenCacheService.getParsedTokens()
       }), await this.submitSessionCheck(), r);
     } catch (r) {
-      const o = {
+      const n = {
         message: r instanceof Error ? r.message : "Sign in failed",
         originalError: r,
         code: r instanceof u ? r.id : void 0
       };
-      throw this.subscribeStore.notify(a.Error, o), r;
+      throw this.subscribeStore.notify(a.Error, n), r;
     }
   }
   async signUp(e) {
-    if (e.user.email && !M(e.user.email)) {
+    if (e.user.email && !F(e.user.email)) {
       const t = new Error("Invalid email format"), s = {
         message: "Invalid email format",
         originalError: t,
@@ -1513,33 +1507,33 @@ class Ie {
     }
   }
   async passwordlessSignIn(e) {
-    if (e.email && !M(e.email)) {
-      const r = new Error("Invalid email format"), o = {
+    if (e.email && !F(e.email)) {
+      const r = new Error("Invalid email format"), n = {
         message: "Invalid email format",
         originalError: r,
         code: "VALIDATION_ERROR"
       };
-      throw this.subscribeStore.notify(a.Error, o), r;
+      throw this.subscribeStore.notify(a.Error, n), r;
     }
     if (e.phone && !x(e.phone)) {
-      const r = new Error("Invalid phone number format. Phone must be in E.164 format (e.g., +12345678901)"), o = {
+      const r = new Error("Invalid phone number format. Phone must be in E.164 format (e.g., +12345678901)"), n = {
         message: "Invalid phone number format. Phone must be in E.164 format (e.g., +12345678901)",
         originalError: r,
         code: "VALIDATION_ERROR"
       };
-      throw this.subscribeStore.notify(a.Error, o), r;
+      throw this.subscribeStore.notify(a.Error, n), r;
     }
     this.subscribeStore.notify(a.SignInStart, { email: e.email }), e.scopes = e.scopes ?? this.scopes;
     const t = this.deviceService.getDeviceId(), s = I.web;
     try {
       return await this.authApi.passwordlessSignIn(e, t, s);
     } catch (r) {
-      const o = {
+      const n = {
         message: r instanceof Error ? r.message : "Failed to send passwordless sign-in link",
         originalError: r,
         code: r instanceof u ? r.id : void 0
       };
-      throw this.subscribeStore.notify(a.Error, o), r;
+      throw this.subscribeStore.notify(a.Error, n), r;
     }
   }
   async passwordlessSignInComplete(e) {
@@ -1562,22 +1556,19 @@ class Ie {
   async logOut() {
     if (this.tokenDeliveryManager.isBFFMode() && this.tokenExchangeConfig?.logoutUrl)
       try {
-        const e = await fetch(this.tokenExchangeConfig.logoutUrl, {
+        (await fetch(this.tokenExchangeConfig.logoutUrl, {
           method: "POST",
           credentials: "include"
           // Include httpOnly cookies
-        });
-        e.ok || console.warn("[Passflow SDK] BFF logout failed:", await e.text());
-      } catch (e) {
-        console.warn("[Passflow SDK] BFF logout error:", e);
+        })).ok;
+      } catch {
       }
     else {
       const e = this.storageManager.getToken(k.refresh_token), t = this.storageManager.getDeviceId();
       try {
         if ((await this.authApi.logOut(t, e, !this.appId)).status !== "ok")
           throw new Error("Logout failed");
-      } catch (s) {
-        console.warn("[Passflow SDK] Logout API failed, clearing local state anyway:", s);
+      } catch {
       }
     }
     this.storageManager.deleteTokens(), this.storageManager.clearIdToken(), this.storageManager.clearCsrfToken(), this.tokenDeliveryManager.reset(), this.subscribeStore.notify(a.SignOut, {});
@@ -1671,20 +1662,20 @@ class Ie {
   }
   async resetPassword(e, t) {
     this.subscribeStore.notify(a.SignInStart, {});
-    const r = new URLSearchParams(window.location.search).get("token") ?? void 0, o = t ?? this.scopes;
+    const r = new URLSearchParams(window.location.search).get("token") ?? void 0, n = t ?? this.scopes;
     try {
-      const n = await this.authApi.resetPassword(e, o, r);
-      return await this.processAuthResponse(n, o), this.subscribeStore.notify(a.SignIn, {
-        tokens: n,
+      const o = await this.authApi.resetPassword(e, n, r);
+      return await this.processAuthResponse(o, n), this.subscribeStore.notify(a.SignIn, {
+        tokens: o,
         parsedTokens: this.tokenCacheService.getParsedTokens()
-      }), await this.submitSessionCheck(), n;
-    } catch (n) {
+      }), await this.submitSessionCheck(), o;
+    } catch (o) {
       const d = {
-        message: n instanceof Error ? n.message : "Password reset failed",
-        originalError: n,
-        code: n instanceof u ? n.id : void 0
+        message: o instanceof Error ? o.message : "Password reset failed",
+        originalError: o,
+        code: o instanceof u ? o.id : void 0
       };
-      throw this.subscribeStore.notify(a.Error, d), n;
+      throw this.subscribeStore.notify(a.Error, d), o;
     }
   }
   async passkeyRegister(e) {
@@ -1692,12 +1683,12 @@ class Ie {
     const t = this.deviceService.getDeviceId(), s = I.web;
     e.scopes = e.scopes ?? this.scopes, e.create_tenant = this.createTenantForNewUser;
     try {
-      const { challenge_id: r, publicKey: o } = await this.authApi.passkeyRegisterStart(e, t, s, !this.appId);
-      o.user.id = btoa(o.user.id);
-      const n = await K({
-        optionsJSON: o
+      const { challenge_id: r, publicKey: n } = await this.authApi.passkeyRegisterStart(e, t, s, !this.appId);
+      n.user.id = btoa(n.user.id);
+      const o = await K({
+        optionsJSON: n
       }), d = await this.authApi.passkeyRegisterComplete(
-        n,
+        o,
         t,
         r,
         !this.appId
@@ -1707,12 +1698,12 @@ class Ie {
         parsedTokens: this.tokenCacheService.getParsedTokens()
       }), await this.submitSessionCheck(), d;
     } catch (r) {
-      const o = {
+      const n = {
         message: r instanceof Error ? r.message : "Passkey registration failed",
         originalError: r,
         code: r instanceof u ? r.id : void 0
       };
-      throw this.subscribeStore.notify(a.Error, o), r;
+      throw this.subscribeStore.notify(a.Error, n), r;
     }
   }
   async passkeyAuthenticate(e) {
@@ -1720,10 +1711,10 @@ class Ie {
     const t = this.deviceService.getDeviceId(), s = I.web;
     e.scopes = e.scopes ?? this.scopes;
     try {
-      const { challenge_id: r, publicKey: o } = await this.authApi.passkeyAuthenticateStart(e, t, s, !this.appId), n = await j({
-        optionsJSON: o
+      const { challenge_id: r, publicKey: n } = await this.authApi.passkeyAuthenticateStart(e, t, s, !this.appId), o = await j({
+        optionsJSON: n
       }), d = await this.authApi.passkeyAuthenticateComplete(
-        n,
+        o,
         t,
         r,
         !this.appId
@@ -1733,12 +1724,12 @@ class Ie {
         parsedTokens: this.tokenCacheService.getParsedTokens()
       }), await this.submitSessionCheck()), d;
     } catch (r) {
-      const o = {
+      const n = {
         message: r instanceof Error ? r.message : "Passkey authentication failed",
         originalError: r,
         code: r instanceof u ? r.id : void 0
       };
-      throw this.subscribeStore.notify(a.Error, o), r;
+      throw this.subscribeStore.notify(a.Error, n), r;
     }
   }
   createFederatedAuthUrl(e) {
@@ -1751,18 +1742,18 @@ class Ie {
       ...e.invite_token ? { invite_token: e.invite_token } : {},
       ...e.create_tenant ? { create_tenant: e.create_tenant.toString() } : {},
       ...e.device ? { device: e.device } : {}
-    }, o = new URL(t, this.url), n = new URLSearchParams(r);
-    return o.search = n.toString(), o.toString();
+    }, n = new URL(t, this.url), o = new URLSearchParams(r);
+    return n.search = o.toString(), n.toString();
   }
   federatedAuthWithPopup(e) {
     this.subscribeStore.notify(a.SignInStart, { provider: e.provider });
-    const t = e.scopes ?? this.scopes, s = this.deviceService.getDeviceId(), r = this.createFederatedAuthUrl({ ...e, scopes: t, device: s }), o = window.open(r, "_blank", `width=${ee},height=${te}`);
-    if (!o) {
+    const t = e.scopes ?? this.scopes, s = this.deviceService.getDeviceId(), r = this.createFederatedAuthUrl({ ...e, scopes: t, device: s }), n = window.open(r, "_blank", `width=${ee},height=${te}`);
+    if (!n) {
       this.federatedAuthWithRedirect(e);
       return;
     }
-    const n = Date.now(), d = setInterval(() => {
-      if (o.closed) {
+    const o = Date.now(), d = setInterval(() => {
+      if (n.closed) {
         clearInterval(d);
         const c = {
           message: "Authentication popup was closed",
@@ -1771,8 +1762,8 @@ class Ie {
         this.subscribeStore.notify(a.Error, c);
         return;
       }
-      if (Date.now() - n > re) {
-        clearInterval(d), o.close();
+      if (Date.now() - o > re) {
+        clearInterval(d), n.close();
         const c = {
           message: "Authentication popup timed out",
           code: "POPUP_TIMEOUT"
@@ -1781,8 +1772,8 @@ class Ie {
         return;
       }
       try {
-        if (o.location.href.startsWith(this.origin)) {
-          const c = new URLSearchParams(o.location.search), g = c.get("access_token") || "", p = c.get("refresh_token") || "", f = c.get("id_token") || "", b = {
+        if (n.location.href.startsWith(this.origin)) {
+          const c = new URLSearchParams(n.location.search), g = c.get("access_token") || "", p = c.get("refresh_token") || "", f = c.get("id_token") || "", b = {
             access_token: g,
             refresh_token: p || void 0,
             id_token: f || void 0,
@@ -1793,7 +1784,7 @@ class Ie {
               tokens: b,
               parsedTokens: this.tokenCacheService.getParsedTokens()
             }), window.location.href = `${this.origin}`;
-          }), clearInterval(d), o.close();
+          }), clearInterval(d), n.close();
         }
       } catch {
       }
@@ -1807,14 +1798,14 @@ class Ie {
   // Helper methods for authentication UI redirect
   authRedirectUrl(e = {}) {
     try {
-      const { url: t, redirectUrl: s, scopes: r, appId: o } = e ?? {}, n = new URL(t ?? this.url);
-      n.pathname = (n.pathname.endsWith("/") ? n.pathname : n.pathname + "/") + "web";
+      const { url: t, redirectUrl: s, scopes: r, appId: n } = e ?? {}, o = new URL(t ?? this.url);
+      o.pathname = (o.pathname.endsWith("/") ? o.pathname : o.pathname + "/") + "web";
       const d = r ?? this.scopes, c = {
-        appId: o ?? this.appId ?? "",
+        appId: n ?? this.appId ?? "",
         redirectto: s ?? window.location.href,
         scopes: d.join(",")
       }, g = new URLSearchParams(c);
-      return n.search = g.toString(), n.toString();
+      return o.search = g.toString(), o.toString();
     } catch (t) {
       const s = {
         message: t instanceof Error ? t.message : "Failed to create auth redirect URL",
@@ -1844,7 +1835,7 @@ class Ie {
         const t = !!e?.id_token || !!this.storageManager.getIdToken(), s = this.tokenDeliveryManager.isSessionValid(), r = this.tokenDeliveryManager.isSessionUnknown();
         return t && (s || r);
       }
-      return !e || !e.access_token ? !1 : !S(e.access_token) || e.refresh_token !== void 0 && !S(e.refresh_token);
+      return !e || !e.access_token ? !1 : !m(e.access_token) || e.refresh_token !== void 0 && !m(e.refresh_token);
     } catch (t) {
       const s = {
         message: t instanceof Error ? t.message : "Failed to check authentication status",
@@ -1861,11 +1852,11 @@ class Ie {
     try {
       t = await this.getTokens(e), s = this.tokenCacheService.getParsedTokens();
     } catch (r) {
-      const o = {
+      const n = {
         message: r instanceof Error || r instanceof u ? r.message : "Session check failed",
         originalError: r
       };
-      this.subscribeStore.notify(a.Error, o), t = void 0;
+      this.subscribeStore.notify(a.Error, n), t = void 0;
     }
     return t && this.sessionCallbacks.createSession && await this.sessionCallbacks.createSession({ tokens: t, parsedTokens: s }), !t && this.sessionCallbacks.expiredSession && await this.sessionCallbacks.expiredSession(), t;
   }
@@ -1883,7 +1874,7 @@ class Ie {
       const t = this.storageManager.getTokens();
       if (!t || !t.access_token) return;
       const s = y(t.access_token);
-      return S(s) ? e ? await this.refreshToken() : void 0 : t;
+      return m(s) ? e ? await this.refreshToken() : void 0 : t;
     } catch (t) {
       const s = {
         message: t instanceof Error ? t.message : "Failed to get tokens",
@@ -1961,32 +1952,32 @@ class Re {
     this.data = this.normalize(e);
   }
   normalize(e) {
-    const t = /* @__PURE__ */ new Map(), s = /* @__PURE__ */ new Map(), r = /* @__PURE__ */ new Map(), o = [];
-    return e.groups?.forEach((n) => {
-      s.set(n.id, {
-        id: n.id,
-        name: n.name,
-        default: n.default ?? !1,
-        updated_at: n.updated_at,
-        created_at: n.created_at
+    const t = /* @__PURE__ */ new Map(), s = /* @__PURE__ */ new Map(), r = /* @__PURE__ */ new Map(), n = [];
+    return e.groups?.forEach((o) => {
+      s.set(o.id, {
+        id: o.id,
+        name: o.name,
+        default: o.default ?? !1,
+        updated_at: o.updated_at,
+        created_at: o.created_at
       });
-    }), e.roles?.forEach((n) => {
-      r.set(n.id, {
-        id: n.id,
-        tenant_id: n.tenant_id,
-        name: n.name
+    }), e.roles?.forEach((o) => {
+      r.set(o.id, {
+        id: o.id,
+        tenant_id: o.tenant_id,
+        name: o.name
       });
-    }), e.users_in_groups?.forEach((n) => {
-      const d = n.user;
+    }), e.users_in_groups?.forEach((o) => {
+      const d = o.user;
       d && !t.has(d.id) && t.set(d.id, {
         id: d.id,
         name: d.name ?? null,
         email: d.email ?? null,
         phone: d.phone ?? null
-      }), d && n.group_id && s.has(n.group_id) && o.push({
+      }), d && o.group_id && s.has(o.group_id) && n.push({
         userId: d.id,
-        groupId: n.group_id,
-        roleIds: n.roles?.map((c) => c.id) ?? []
+        groupId: o.group_id,
+        roleIds: o.roles?.map((c) => c.id) ?? []
       });
     }), {
       tenant_id: e.tenant_id,
@@ -1994,7 +1985,7 @@ class Re {
       users: Array.from(t.values()),
       groups: Array.from(s.values()),
       roles: Array.from(r.values()),
-      memberships: o,
+      memberships: n,
       usersById: t,
       groupsById: s,
       rolesById: r
@@ -2204,9 +2195,9 @@ class Pe {
   async addUserToGroup(e, t, s, r) {
     try {
       return await this.tenantApi.addUserToGroup(e, t, s, r);
-    } catch (o) {
+    } catch (n) {
       this.handlePassflowError(
-        o,
+        n,
         `Add user to group failed for tenant ID ${e}, group ID ${t}, user ID ${s}`
       );
     }
@@ -2222,9 +2213,9 @@ class Pe {
   async removeUserRolesFromGroup(e, t, s, r) {
     try {
       return await this.tenantApi.removeUserRolesFromGroup(e, t, s, r);
-    } catch (o) {
+    } catch (n) {
       this.handlePassflowError(
-        o,
+        n,
         `Remove user roles from group failed for tenant ID ${e}, group ID ${t}, user ID ${s}`
       );
     }
@@ -2240,9 +2231,9 @@ class Pe {
   async changeUserRoles(e, t, s, r) {
     try {
       return await this.tenantApi.changeUserRoles(e, t, s, r);
-    } catch (o) {
+    } catch (n) {
       this.handlePassflowError(
-        o,
+        n,
         `Change user roles failed for tenant ID ${e}, group ID ${t}, user ID ${s}`
       );
     }
@@ -2343,8 +2334,8 @@ class Pe {
   async getGroupInvitations(e, t, s, r) {
     try {
       return await this.tenantApi.getGroupInvitations(e, t, s, r);
-    } catch (o) {
-      this.handlePassflowError(o, `Get group invitations failed for tenant ID ${e}, group ID ${t}`);
+    } catch (n) {
+      this.handlePassflowError(n, `Get group invitations failed for tenant ID ${e}, group ID ${t}`);
     }
   }
   /**
@@ -2412,7 +2403,7 @@ class De {
         return;
       }
       const t = y(e.access_token);
-      S(t) ? (this.tokenExpiredFlag = !0, this.stopTokenCheck(), this.subscribeStore.notify(a.TokenCacheExpired, { isExpired: !0 })) : (this.setTokensCache(e), this.startTokenCheck());
+      m(t) ? (this.tokenExpiredFlag = !0, this.stopTokenCheck(), this.subscribeStore.notify(a.TokenCacheExpired, { isExpired: !0 })) : (this.setTokensCache(e), this.startTokenCheck());
     } catch (e) {
       const t = {
         message: e instanceof Error ? e.message : "Failed to get tokens",
@@ -2479,7 +2470,7 @@ class De {
       if (!this.tokensCache.access_token)
         return this.tokensCache;
       const e = y(this.tokensCache.access_token);
-      return S(e) && !this.tokenExpiredFlag ? (await this.refreshTokensCache(this.tokensCache), this.tokensCache) : this.tokensCache;
+      return m(e) && !this.tokenExpiredFlag ? (await this.refreshTokensCache(this.tokensCache), this.tokensCache) : this.tokensCache;
     } catch (e) {
       const t = {
         message: e instanceof Error ? e.message : "Failed to get tokens",
@@ -2497,17 +2488,17 @@ class De {
     if (!this.tokensCache.access_token)
       return !1;
     const e = y(this.tokensCache.access_token);
-    return S(e);
+    return m(e);
   }
 }
-class Fe {
+class Me {
   constructor(e, t) {
     this.twoFactorApi = e, this.subscribeStore = t, this.PARTIAL_AUTH_TIMEOUT_MS = 300 * 1e3, this.SESSION_STORAGE_KEY = "passflow_2fa_challenge", this.totpDigits = 6;
     const s = {
-      onAuthChange: (r, o) => {
+      onAuthChange: (r, n) => {
         if (r === a.TwoFactorRequired) {
-          const n = o;
-          this.setPartialAuthState(n.email, n.challengeId, n.tfaToken);
+          const o = n;
+          this.setPartialAuthState(o.email, o.challengeId, o.tfaToken);
         }
       }
     };
@@ -2518,12 +2509,12 @@ class Fe {
    * Helper method to ensure errors are properly emitted to subscribers
    */
   emitErrorAndThrow(e, t) {
-    const s = {
+    const s = e, r = {
       message: e instanceof Error ? e.message : `${t} failed`,
       originalError: e,
-      code: e?.id || void 0
+      code: s?.id || void 0
     };
-    throw this.subscribeStore.notify(a.Error, s), e;
+    throw this.subscribeStore.notify(a.Error, r), e;
   }
   /**
    * Get 2FA enrollment status for current user
@@ -2772,7 +2763,7 @@ class Fe {
     return this.totpDigits;
   }
 }
-class Me {
+class Fe {
   constructor(e, t) {
     this.userAPI = e, this.deviceService = t;
   }
@@ -2810,31 +2801,31 @@ class Me {
     passkeyUsername: t,
     passkeyDisplayName: s
   } = {}) {
-    const r = this.deviceService.getDeviceId(), o = I.web, { challenge_id: n, publicKey: d } = await this.userAPI.addUserPasskeyStart({
+    const r = this.deviceService.getDeviceId(), n = I.web, { challenge_id: o, publicKey: d } = await this.userAPI.addUserPasskeyStart({
       relyingPartyId: e || window?.location?.hostname,
       deviceId: r,
-      os: o,
+      os: n,
       passkeyDisplayName: s,
       passkeyUsername: t
     });
     d.user.id = btoa(d.user.id);
     const c = await K({ optionsJSON: d });
-    return await this.userAPI.addUserPasskeyComplete(c, r, n);
+    return await this.userAPI.addUserPasskeyComplete(c, r, o);
   }
 }
 const O = class O {
   constructor(e) {
     this.doRefreshTokens = !1, this.origin = window.location.origin, this.session = async ({
-      createSession: o,
-      expiredSession: n,
+      createSession: n,
+      expiredSession: o,
       doRefresh: d = !1
     }) => {
-      this.createSessionCallback = o, this.expiredSessionCallback = n, this.doRefreshTokens = d, await this.submitSessionCheck();
+      this.createSessionCallback = n, this.expiredSessionCallback = o, this.doRefreshTokens = d, await this.submitSessionCheck();
     };
     const { url: t, appId: s, scopes: r } = e;
     this.url = t || G, this.appId = s, this.storageManager = new $({
       prefix: e.keyStoragePrefix ?? ""
-    }), this.deviceService = new Y(this.storageManager), this.authApi = new fe(e, this.storageManager, this.deviceService), this.appApi = new pe(e, this.storageManager, this.deviceService), this.userApi = new me(e, this.storageManager, this.deviceService), this.settingApi = new ye(e, this.storageManager, this.deviceService), this.tenantApi = new ve(e, this.storageManager, this.deviceService), this.invitationApi = new ke(e, this.storageManager, this.deviceService), this.twoFactorApi = new Se(e, this.storageManager, this.deviceService), this.subscribeStore = new we(), this.tokenCacheService = new De(this.storageManager, this.authApi, this.subscribeStore), this.scopes = r ?? Q, this.createTenantForNewUser = e.createTenantForNewUser ?? !1, this.authService = new Ie(
+    }), this.deviceService = new B(this.storageManager), this.authApi = new fe(e, this.storageManager, this.deviceService), this.appApi = new pe(e, this.storageManager, this.deviceService), this.userApi = new Se(e, this.storageManager, this.deviceService), this.settingApi = new ye(e, this.storageManager, this.deviceService), this.tenantApi = new ve(e, this.storageManager, this.deviceService), this.invitationApi = new ke(e, this.storageManager, this.deviceService), this.twoFactorApi = new me(e, this.storageManager, this.deviceService), this.subscribeStore = new we(), this.tokenCacheService = new De(this.storageManager, this.authApi, this.subscribeStore), this.scopes = r ?? Q, this.createTenantForNewUser = e.createTenantForNewUser ?? !1, this.authService = new Ie(
       this.authApi,
       this.deviceService,
       this.storageManager,
@@ -2850,7 +2841,7 @@ const O = class O {
       },
       this.appId ?? "",
       e.tokenExchange
-    ), this.userService = new Me(this.userApi, this.deviceService), this.tenantService = new Pe(this.tenantApi, this.scopes), this.tenant = this.tenantService, this.invitationService = new be(this.invitationApi), this.twoFactorService = new Fe(this.twoFactorApi, this.subscribeStore), this.twoFactor = this.twoFactorService, e.parseQueryParams && this.checkAndSetTokens(), this.setTokensToCacheFromLocalStorage();
+    ), this.userService = new Fe(this.userApi, this.deviceService), this.tenantService = new Pe(this.tenantApi, this.scopes), this.tenant = this.tenantService, this.invitationService = new be(this.invitationApi), this.twoFactorService = new Me(this.twoFactorApi, this.subscribeStore), this.twoFactor = this.twoFactorService, e.parseQueryParams && this.checkAndSetTokens(), this.setTokensToCacheFromLocalStorage();
   }
   /**
    * Update the appId and propagate it to all API clients.
@@ -2954,10 +2945,10 @@ const O = class O {
       const c = new URLSearchParams(window.location.hash.substring(1));
       c.get("access_token") && (e = c, t = !0);
     }
-    const s = e.get("access_token"), r = e.get("refresh_token"), o = e.get("id_token"), n = e.get("scopes")?.split(",") ?? this.scopes;
+    const s = e.get("access_token"), r = e.get("refresh_token"), n = e.get("id_token"), o = e.get("scopes")?.split(",") ?? this.scopes;
     let d;
     if (s) {
-      if (!F(s)) {
+      if (!M(s)) {
         const c = {
           message: "Invalid access token format received",
           code: "INVALID_TOKEN_FORMAT"
@@ -2965,7 +2956,7 @@ const O = class O {
         this.subscribeStore.notify(a.Error, c), this.cleanupUrlParams(t);
         return;
       }
-      if (r && !F(r)) {
+      if (r && !M(r)) {
         const c = {
           message: "Invalid refresh token format received",
           code: "INVALID_TOKEN_FORMAT"
@@ -2973,7 +2964,7 @@ const O = class O {
         this.subscribeStore.notify(a.Error, c), this.cleanupUrlParams(t);
         return;
       }
-      if (o && !F(o)) {
+      if (n && !M(n)) {
         const c = {
           message: "Invalid ID token format received",
           code: "INVALID_TOKEN_FORMAT"
@@ -2984,8 +2975,8 @@ const O = class O {
       return d = {
         access_token: s,
         refresh_token: r ?? void 0,
-        id_token: o ?? void 0,
-        scopes: n
+        id_token: n ?? void 0,
+        scopes: o
       }, this.storageManager.saveTokens(d), this.tokenCacheService.setTokensCache(d), this.subscribeStore.notify(a.SignIn, { tokens: d, parsedTokens: this.getParsedTokens() }), this.submitSessionCheck(), this.cleanupUrlParams(t), this.error = void 0, d;
     } else
       this.error = this.checkErrorsFromURL();
@@ -4299,7 +4290,7 @@ const Ge = {
   RateLimitExceeded: "rate_limit_exceeded",
   ServerError: "server_error",
   TemporarilyUnavailable: "temporarily_unavailable"
-}, m = {
+}, S = {
   /** Default token endpoint path */
   TOKEN_ENDPOINT: "/oauth2/token",
   /** Default request timeout in milliseconds */
@@ -4317,18 +4308,18 @@ class xe {
   constructor() {
     this.cache = /* @__PURE__ */ new Map();
   }
-  async get(e) {
+  get(e) {
     const t = this.cache.get(e);
-    return t ? Date.now() >= t.expiresAt ? (this.cache.delete(e), null) : t.token : null;
+    return t ? Date.now() >= t.expiresAt ? (this.cache.delete(e), Promise.resolve(null)) : Promise.resolve(t.token) : Promise.resolve(null);
   }
-  async set(e, t, s) {
-    this.cache.set(e, {
+  set(e, t, s) {
+    return this.cache.set(e, {
       token: t,
       expiresAt: Date.now() + s * 1e3
-    });
+    }), Promise.resolve();
   }
-  async delete(e) {
-    this.cache.delete(e);
+  delete(e) {
+    return this.cache.delete(e), Promise.resolve();
   }
 }
 const Ue = {
@@ -4370,16 +4361,16 @@ class Ve {
       scopes: e.scopes,
       audience: e.audience,
       autoRefresh: e.autoRefresh ?? !1,
-      refreshThreshold: e.refreshThreshold ?? m.REFRESH_THRESHOLD,
-      timeout: e.timeout ?? m.TIMEOUT,
-      retries: e.retries ?? m.RETRIES,
-      retryDelay: e.retryDelay ?? m.RETRY_DELAY,
+      refreshThreshold: e.refreshThreshold ?? S.REFRESH_THRESHOLD,
+      timeout: e.timeout ?? S.TIMEOUT,
+      retries: e.retries ?? S.RETRIES,
+      retryDelay: e.retryDelay ?? S.RETRY_DELAY,
       retryStrategy: e.retryStrategy,
       cache: e.cache,
       onTokenRequest: e.onTokenRequest,
       onTokenResponse: e.onTokenResponse,
       onError: e.onError
-    }, this.cache = e.cache ?? new xe(), this.retryStrategy = e.retryStrategy ?? Ue, this.tokenEndpoint = `${t}${m.TOKEN_ENDPOINT}`;
+    }, this.cache = e.cache ?? new xe(), this.retryStrategy = e.retryStrategy ?? Ue, this.tokenEndpoint = `${t}${S.TOKEN_ENDPOINT}`;
   }
   /**
    * Get the cache key for this client
@@ -4410,9 +4401,9 @@ class Ve {
   async getToken(e) {
     const t = e?.scopes ?? this.config.scopes, s = e?.audience ?? this.config.audience, r = this.getCacheKey(t, s);
     if (!e?.forceRefresh) {
-      const o = await this.cache.get(r);
-      if (o && !this.isTokenExpired(o))
-        return o;
+      const n = await this.cache.get(r);
+      if (n && !this.isTokenExpired(n))
+        return n;
     }
     return this.requestToken(t, s, r);
   }
@@ -4456,8 +4447,8 @@ class Ve {
       audience: t ?? [],
       timestamp: (/* @__PURE__ */ new Date()).toISOString()
     });
-    const o = await this.executeWithRetry(() => this.doTokenRequest(r));
-    return o.issued_at = Math.floor(Date.now() / 1e3), s && await this.cache.set(s, o, o.expires_in), this.config.onTokenResponse && this.config.onTokenResponse(o), o;
+    const n = await this.executeWithRetry(() => this.doTokenRequest(r));
+    return n.issued_at = Math.floor(Date.now() / 1e3), s && await this.cache.set(s, n, n.expires_in), this.config.onTokenResponse && this.config.onTokenResponse(n), n;
   }
   /**
    * Execute the actual HTTP request to the token endpoint
@@ -4467,30 +4458,30 @@ class Ve {
     t.append("grant_type", e.grant_type), t.append("client_id", e.client_id), t.append("client_secret", e.client_secret), e.scope && t.append("scope", e.scope), e.audience && t.append("audience", e.audience);
     const s = new AbortController(), r = setTimeout(() => s.abort(), this.config.timeout);
     try {
-      const o = await fetch(this.tokenEndpoint, {
+      const n = await fetch(this.tokenEndpoint, {
         method: "POST",
         headers: {
-          "Content-Type": m.CONTENT_TYPE,
+          "Content-Type": S.CONTENT_TYPE,
           Accept: "application/json"
         },
         body: t.toString(),
         signal: s.signal
       });
       clearTimeout(r);
-      const n = {};
-      o.headers.forEach((c, g) => {
-        n[g.toLowerCase()] = c;
+      const o = {};
+      n.headers.forEach((c, g) => {
+        o[g.toLowerCase()] = c;
       });
-      const d = await o.json();
-      if (!o.ok) {
+      const d = await n.json();
+      if (!n.ok) {
         const c = l.fromOAuthError(
           {
             error: d.error || "server_error",
             error_description: d.error_description || d.message,
             error_uri: d.error_uri
           },
-          o.status,
-          n
+          n.status,
+          o
         );
         throw this.config.onError && this.config.onError({
           error: c.code,
@@ -4498,8 +4489,8 @@ class Ve {
         }), c;
       }
       return d;
-    } catch (o) {
-      throw clearTimeout(r), o instanceof Error && o.name === "AbortError" ? new N(`Request timed out after ${this.config.timeout}ms`) : o instanceof TypeError && o.message.includes("fetch") ? new N(`Network error: ${o.message}`, o) : o instanceof l ? o : l.fromError(o instanceof Error ? o : new Error(String(o)));
+    } catch (n) {
+      throw clearTimeout(r), n instanceof Error && n.name === "AbortError" ? new N(`Request timed out after ${this.config.timeout}ms`) : n instanceof TypeError && n.message.includes("fetch") ? new N(`Network error: ${n.message}`, n) : n instanceof l ? n : l.fromError(n instanceof Error ? n : new Error(String(n)));
     }
   }
   /**
@@ -4514,8 +4505,8 @@ class Ve {
         if (!(r instanceof l))
           throw r;
         if (t = r, s < this.config.retries && this.retryStrategy.shouldRetry({ code: r.code, status: r.status }, s)) {
-          const o = this.retryStrategy.getDelay(s);
-          await this.sleep(o);
+          const n = this.retryStrategy.getDelay(s);
+          await this.sleep(n);
           continue;
         }
         throw r;
@@ -4572,8 +4563,8 @@ class Ve {
    */
   isTokenExpired(e, t = 0) {
     if (!e) return !0;
-    const s = Math.floor(Date.now() / 1e3), o = (e.issued_at ?? s - e.expires_in) + e.expires_in;
-    return s >= o - t;
+    const s = Math.floor(Date.now() / 1e3), n = (e.issued_at ?? s - e.expires_in) + e.expires_in;
+    return s >= n - t;
   }
   /**
    * Parse token claims from a JWT access token
@@ -4598,8 +4589,8 @@ class Ve {
       const s = t[1];
       if (!s)
         throw new P("Invalid JWT format: missing payload");
-      const r = atob(s.replace(/-/g, "+").replace(/_/g, "/")), o = JSON.parse(r);
-      return o.scopes && typeof o.scopes == "string" ? o.scopes = o.scopes.split(" ") : o.scopes || (o.scopes = []), o;
+      const r = atob(s.replace(/-/g, "+").replace(/_/g, "/")), n = JSON.parse(r);
+      return n.scopes && typeof n.scopes == "string" ? n.scopes = n.scopes.split(" ") : n.scopes || (n.scopes = []), n;
     } catch (t) {
       throw t instanceof P ? t : new P(`Failed to parse token: ${t instanceof Error ? t.message : "Unknown error"}`);
     }
@@ -4642,16 +4633,16 @@ class Ve {
       const r = await fetch(t, {
         method: "POST",
         headers: {
-          "Content-Type": m.CONTENT_TYPE
+          "Content-Type": S.CONTENT_TYPE
         },
         body: s.toString()
       });
       if (!r.ok && r.status !== 200) {
-        const o = await r.json().catch(() => ({}));
+        const n = await r.json().catch(() => ({}));
         throw l.fromOAuthError(
           {
-            error: o.error || "server_error",
-            error_description: o.error_description || "Token revocation failed"
+            error: n.error || "server_error",
+            error_description: n.error_description || "Token revocation failed"
           },
           r.status
         );
@@ -4696,7 +4687,7 @@ export {
   Q as DEFAULT_SCOPES,
   W as DEVICE_ID_HEADER_KEY,
   J as DEVICE_TYPE_HEADER_KEY,
-  ne as ERROR_MESSAGE_MAX_LENGTH,
+  oe as ERROR_MESSAGE_MAX_LENGTH,
   ke as InvitationAPI,
   be as InvitationService,
   Ve as M2MClient,
@@ -4705,7 +4696,7 @@ export {
   Ge as M2MErrorCodes,
   N as M2MNetworkError,
   P as M2MTokenParseError,
-  m as M2M_DEFAULTS,
+  S as M2M_DEFAULTS,
   Ne as MINIMAL_DEFAULT_SCOPES,
   I as OS,
   G as PASSFLOW_CLOUD_URL,
@@ -4730,16 +4721,16 @@ export {
   De as TokenCacheService,
   v as TokenDeliveryMode,
   k as TokenType,
-  Se as TwoFactorApiClient,
+  me as TwoFactorApiClient,
   ue as TwoFactorPolicy,
-  Fe as TwoFactorService,
-  oe as USERNAME_MAX_LENGTH,
+  Me as TwoFactorService,
+  ne as USERNAME_MAX_LENGTH,
   ie as USERNAME_MIN_LENGTH,
-  me as UserAPI,
-  Me as UserService,
-  S as isTokenExpired,
-  M as isValidEmail,
-  F as isValidJWTFormat,
+  Se as UserAPI,
+  Fe as UserService,
+  m as isTokenExpired,
+  F as isValidEmail,
+  M as isValidJWTFormat,
   x as isValidPhoneNumber,
   Ee as isValidUsername,
   y as parseToken,