@pega/react-sdk-components 0.23.26 → 8.8.21

package/lib/components/helpers/authManager.js

@@ -1,198 +1,665 @@
 // This file wraps various calls related to logging in, logging out, etc.
 //  that use the auth.html/auth.js to do the work of logging in via OAuth 2.0.
+var __classPrivateFieldGet = (this && this.__classPrivateFieldGet) || function (receiver, state, kind, f) {
+    if (kind === "a" && !f) throw new TypeError("Private accessor was defined without a getter");
+    if (typeof state === "function" ? receiver !== state || !f : !state.has(receiver)) throw new TypeError("Cannot read private member from an object whose class did not declare it");
+    return kind === "m" ? f : kind === "a" ? f.call(receiver) : f ? f.value : state.get(receiver);
+};
+var __classPrivateFieldSet = (this && this.__classPrivateFieldSet) || function (receiver, state, value, kind, f) {
+    if (kind === "m") throw new TypeError("Private method is not writable");
+    if (kind === "a" && !f) throw new TypeError("Private accessor was defined without a setter");
+    if (typeof state === "function" ? receiver !== state || !f : !state.has(receiver)) throw new TypeError("Cannot write private member to an object whose class did not declare it");
+    return (kind === "a" ? f.call(receiver, value) : f ? f.value = value : state.set(receiver, value)), value;
+};
+var _AuthManager_instances, _AuthManager_ssKeyPrefix, _AuthManager_pegaAuth, _AuthManager_ssKeyConfigInfo, _AuthManager_ssKeySessionInfo, _AuthManager_ssKeyTokenInfo, _AuthManager_ssKeyState, _AuthManager_authConfig, _AuthManager_authDynState, _AuthManager_authHeader, _AuthManager_tokenInfo, _AuthManager_userInfo, _AuthManager_usePASS, _AuthManager_pageHideAdded, _AuthManager_tokenStorage, _AuthManager_transform, _AuthManager_foldSpot, _AuthManager_transformAndParse, _AuthManager_getStorage, _AuthManager_setStorage, _AuthManager_calcFoldSpot, _AuthManager_transformer, _AuthManager_doPageHide, _AuthManager_loadState, _AuthManager_doOnLoad, _AuthManager_doAuthDynStateChanged, _AuthManager_initialize, _AuthManager_constellationInit, _AuthManager_customConstellationInit, _AuthManager_fireTokenAvailable, _AuthManager_processTokenOnLogin, _AuthManager_updateLoginStatus, _AuthManager_authFullReauth, _AuthManager_authTokenUpdated;
+// It utilizes a JS Class and private members to protect any sensitive tokens
+//  and token obfuscation routines
+import { isEmptyObject } from './common-utils';
 import { getSdkConfig, SdkConfigAccess } from './config_access';
 import PegaAuth from './auth';
-// eslint-disable-next-line import/no-mutable-exports
-export let gbLoggedIn = sessionStorage.getItem('rsdk_AH') !== null;
-// eslint-disable-next-line import/no-mutable-exports
-export let gbLoginInProgress = sessionStorage.getItem("rsdk_loggingIn") !== null;
-// other sessionStorage items: rsdk_appName
-// will store the PegaAuth instance
-let authMgr = null;
-// Since this variable is loaded in a separate instance in the popup scenario, use storage to coordinate across the two
-let usePopupForRestOfSession = sessionStorage.getItem("rsdk_popup") === "1";
-let gbC11NBootstrapInProgress = false;
-// Some non Pega OAuth 2.0 Authentication in use (Basic or Custom for service package)
-let gbCustomAuth = false;
-/*
- * Set to use popup experience for rest of session
- */
-const forcePopupForReauths = (bForce) => {
-    if (bForce) {
-        sessionStorage.setItem("rsdk_popup", "1");
-        usePopupForRestOfSession = true;
+// Meant to be a singleton...only one instance per page
+class AuthManager {
+    constructor() {
+        _AuthManager_instances.add(this);
+        _AuthManager_ssKeyPrefix.set(this, 'rs');
+        // will store the PegaAuth (OAuth 2.0 client library) instance
+        _AuthManager_pegaAuth.set(this, null);
+        _AuthManager_ssKeyConfigInfo.set(this, '');
+        _AuthManager_ssKeySessionInfo.set(this, '');
+        _AuthManager_ssKeyTokenInfo.set(this, '');
+        _AuthManager_ssKeyState.set(this, `${__classPrivateFieldGet(this, _AuthManager_ssKeyPrefix, "f")}State`);
+        _AuthManager_authConfig.set(this, {});
+        _AuthManager_authDynState.set(this, {});
+        _AuthManager_authHeader.set(this, null);
+        // state that should be persisted across loads
+        Object.defineProperty(this, "state", {
+            enumerable: true,
+            configurable: true,
+            writable: true,
+            value: { usePopup: false, noInitialRedirect: false }
+        });
+        Object.defineProperty(this, "bC11NBootstrapInProgress", {
+            enumerable: true,
+            configurable: true,
+            writable: true,
+            value: false
+        });
+        Object.defineProperty(this, "bCustomAuth", {
+            enumerable: true,
+            configurable: true,
+            writable: true,
+            value: false
+        });
+        _AuthManager_tokenInfo.set(this, void 0);
+        _AuthManager_userInfo.set(this, void 0);
+        Object.defineProperty(this, "onLoadDone", {
+            enumerable: true,
+            configurable: true,
+            writable: true,
+            value: false
+        });
+        Object.defineProperty(this, "msReauthStart", {
+            enumerable: true,
+            configurable: true,
+            writable: true,
+            value: null
+        });
+        Object.defineProperty(this, "initInProgress", {
+            enumerable: true,
+            configurable: true,
+            writable: true,
+            value: false
+        });
+        Object.defineProperty(this, "isLoggedIn", {
+            enumerable: true,
+            configurable: true,
+            writable: true,
+            value: false
+        });
+        // Whether to pass a session storage key or structure to auth library
+        _AuthManager_usePASS.set(this, false);
+        _AuthManager_pageHideAdded.set(this, false);
+        _AuthManager_tokenStorage.set(this, 'temp');
+        _AuthManager_transform.set(this, true);
+        _AuthManager_foldSpot.set(this, 2);
+        // Auth Manager specific state is saved within session storage as important in redirect and popup window scenarios
+        __classPrivateFieldGet(this, _AuthManager_instances, "m", _AuthManager_loadState).call(this);
     }
-    else {
-        sessionStorage.removeItem("rsdk_popup");
-        usePopupForRestOfSession = false;
+    // Setter for authHeader (no getter)
+    set authHeader(value) {
+        __classPrivateFieldSet(this, _AuthManager_authHeader, value, "f");
+        // setAuthorizationHeader method not available til 8.8 so do safety check
+        if (window.PCore?.getAuthUtils().setAuthorizationHeader) {
+            const authHdr = value === null ? '' : value;
+            window.PCore.getAuthUtils().setAuthorizationHeader(authHdr);
+        }
+        __classPrivateFieldGet(this, _AuthManager_instances, "m", _AuthManager_updateLoginStatus).call(this);
     }
-};
-const setNoInitialRedirect = (bNoInitialRedirect) => {
-    if (bNoInitialRedirect) {
-        forcePopupForReauths(true);
-        sessionStorage.setItem("rsdk_noRedirect", "1");
+    // Setter/getter for usePopupForRestOfSession
+    set usePopupForRestOfSession(usePopup) {
+        this.state.usePopup = usePopup;
+        __classPrivateFieldGet(this, _AuthManager_instances, "m", _AuthManager_setStorage).call(this, __classPrivateFieldGet(this, _AuthManager_ssKeyState, "f"), this.state);
     }
-    else {
-        sessionStorage.removeItem("rsdk_noRedirect");
+    get usePopupForRestOfSession() {
+        return this.state.usePopup;
     }
-};
-const isLoginExpired = () => {
-    let bExpired = true;
-    const sLoginStart = sessionStorage.getItem("rsdk_loggingIn");
-    if (sLoginStart !== null) {
-        const currTime = Date.now();
-        bExpired = currTime - parseInt(sLoginStart, 10) > 60000;
+    // Setter/getter for noInitialRedirect
+    set noInitialRedirect(bNoInitialRedirect) {
+        if (bNoInitialRedirect) {
+            this.usePopupForRestOfSession = true;
+        }
+        this.state.noInitialRedirect = bNoInitialRedirect;
+        __classPrivateFieldGet(this, _AuthManager_instances, "m", _AuthManager_setStorage).call(this, __classPrivateFieldGet(this, _AuthManager_ssKeyState, "f"), this.state);
     }
-    return bExpired;
-};
-/**
- * Clean up any web storage allocated for the user session.
- */
-const clearAuthMgr = (bFullReauth = false) => {
-    // Remove any local storage for the user
-    if (!gbCustomAuth) {
-        sessionStorage.removeItem('rsdk_AH');
-    }
-    if (!bFullReauth) {
-        sessionStorage.removeItem("rsdk_CI");
-    }
-    sessionStorage.removeItem("rsdk_TI");
-    sessionStorage.removeItem("rsdk_UI");
-    sessionStorage.removeItem("rsdk_loggingIn");
-    gbLoggedIn = false;
-    gbLoginInProgress = false;
-    forcePopupForReauths(bFullReauth);
-    // Not removing the authMgr structure itself...as it can be leveraged on next login
-};
-export const authNoRedirect = () => {
-    return sessionStorage.getItem("rsdk_noRedirect") === "1";
-};
-/**
- * Initialize OAuth config structure members  and create authMgr instance
- * bInit - governs whether to create new sessionStorage or load existing one
- */
-const initOAuth = (bInit) => {
-    return getSdkConfig().then(sdkConfig => {
-        const sdkConfigAuth = sdkConfig.authConfig;
-        const sdkConfigServer = sdkConfig.serverConfig;
-        let pegaUrl = sdkConfigServer.infinityRestServerUrl;
-        const bNoInitialRedirect = authNoRedirect();
-        // Construct default OAuth endpoints (if not explicitly specified)
-        if (pegaUrl) {
-            // Cope with trailing slash being present
-            if (!pegaUrl.endsWith('/')) {
-                pegaUrl += '/';
-            }
-            if (!sdkConfigAuth.authorize) {
-                sdkConfigAuth.authorize = `${pegaUrl}PRRestService/oauth2/v1/authorize`;
-            }
-            if (!sdkConfigAuth.token) {
-                sdkConfigAuth.token = `${pegaUrl}PRRestService/oauth2/v1/token`;
+    get noInitialRedirect() {
+        return this.state.noInitialRedirect || false;
+    }
+    // Init/getter for loginStart
+    set loginStart(msValue) {
+        if (msValue) {
+            this.state.msLoginStart = msValue;
+        }
+        else if (this.state.msLoginStart) {
+            delete this.state.msLoginStart;
+        }
+        __classPrivateFieldGet(this, _AuthManager_instances, "m", _AuthManager_setStorage).call(this, __classPrivateFieldGet(this, _AuthManager_ssKeyState, "f"), this.state);
+    }
+    get loginStart() {
+        return this.state.msLoginStart || 0;
+    }
+    // Init/getter for reauthStart
+    set reauthStart(msValue) {
+        if (msValue) {
+            this.msReauthStart = msValue;
+        }
+        else if (this.msReauthStart) {
+            delete this.msReauthStart;
+        }
+        __classPrivateFieldGet(this, _AuthManager_instances, "m", _AuthManager_setStorage).call(this, __classPrivateFieldGet(this, _AuthManager_ssKeyState, "f"), this.state);
+    }
+    get reauthStart() {
+        return this.msReauthStart || 0;
+    }
+    // Setter for clientId
+    set keySuffix(s) {
+        this.state.sfx = s || undefined;
+        __classPrivateFieldGet(this, _AuthManager_instances, "m", _AuthManager_setStorage).call(this, __classPrivateFieldGet(this, _AuthManager_ssKeyState, "f"), this.state);
+        if (s) {
+            // To make it a bit more obtuse reverse the string and use that as the actual suffix
+            const sSfx = s.split("").reverse().join("");
+            __classPrivateFieldSet(this, _AuthManager_ssKeyConfigInfo, `${__classPrivateFieldGet(this, _AuthManager_ssKeyPrefix, "f")}CI_${sSfx}`, "f");
+            __classPrivateFieldSet(this, _AuthManager_ssKeySessionInfo, `${__classPrivateFieldGet(this, _AuthManager_ssKeyPrefix, "f")}SI_${sSfx}`, "f");
+            __classPrivateFieldSet(this, _AuthManager_ssKeyTokenInfo, `${__classPrivateFieldGet(this, _AuthManager_ssKeyPrefix, "f")}TI_${sSfx}`, "f");
+            __classPrivateFieldGet(this, _AuthManager_instances, "m", _AuthManager_calcFoldSpot).call(this, sSfx);
+        }
+    }
+    isLoginExpired() {
+        let bExpired = true;
+        if (this.loginStart) {
+            const currTime = Date.now();
+            bExpired = currTime - this.loginStart > 60000;
+        }
+        return bExpired;
+    }
+    /**
+     * Clean up any session storage allocated for the user session.
+     */
+    clear(bFullReauth = false) {
+        if (!this.bCustomAuth) {
+            __classPrivateFieldSet(this, _AuthManager_authHeader, null, "f");
+        }
+        if (!bFullReauth) {
+            if (__classPrivateFieldGet(this, _AuthManager_usePASS, "f")) {
+                sessionStorage.removeItem(__classPrivateFieldGet(this, _AuthManager_ssKeyConfigInfo, "f"));
             }
-            if (!sdkConfigAuth.revoke) {
-                sdkConfigAuth.revoke = `${pegaUrl}PRRestService/oauth2/v1/revoke`;
+            else {
+                __classPrivateFieldSet(this, _AuthManager_authConfig, {}, "f");
+                __classPrivateFieldSet(this, _AuthManager_authDynState, {}, "f");
             }
-            if (!sdkConfigAuth.redirectUri) {
-                sdkConfigAuth.redirectUri = `${window.location.origin}${window.location.pathname}`;
+            sessionStorage.removeItem(__classPrivateFieldGet(this, _AuthManager_ssKeySessionInfo, "f"));
+        }
+        // Clear any established auth tokens
+        __classPrivateFieldSet(this, _AuthManager_tokenInfo, null, "f");
+        sessionStorage.removeItem(__classPrivateFieldGet(this, _AuthManager_ssKeyTokenInfo, "f"));
+        this.loginStart = 0;
+        this.isLoggedIn = false;
+        // reset the initial redirect as well by using this setter
+        this.usePopupForRestOfSession = bFullReauth;
+        this.keySuffix = '';
+    }
+    updateRedirectUri(sRedirectUri) {
+        __classPrivateFieldGet(this, _AuthManager_authConfig, "f").redirectUri = sRedirectUri;
+    }
+    /**
+     * Get available portals which supports SDK
+     * @returns list of available portals (portals other than excludingPortals list)
+     */
+    async getAvailablePortals() {
+        return getSdkConfig().then(sdkConfig => {
+            const serverConfig = sdkConfig.serverConfig;
+            const userAccessGroup = PCore.getEnvironmentInfo().getAccessGroup();
+            const dataPageName = 'D_OperatorAccessGroups';
+            const serverUrl = serverConfig.infinityRestServerUrl;
+            const appAlias = serverConfig.appAlias;
+            const appAliasPath = appAlias ? `/app/${appAlias}` : '';
+            const arExcludedPortals = serverConfig['excludePortals'];
+            const headers = {
+                Authorization: __classPrivateFieldGet(this, _AuthManager_authHeader, "f") === null ? '' : __classPrivateFieldGet(this, _AuthManager_authHeader, "f"),
+                'Content-Type': 'application/json'
+            };
+            // Using v1 API here as v2 data_views is not able to access same data page currently.  Should move to avoid having this logic to find
+            //  a default portal or constellation portal and rather have Constellation JS Engine API just load the default portal
+            return fetch(`${serverUrl}${appAliasPath}/api/v1/data/${dataPageName}`, {
+                method: 'GET',
+                headers
+            })
+                .then(response => {
+                if (response.ok && response.status === 200) {
+                    return response.json();
+                }
+                else {
+                    if (response.status === 401) {
+                        // Might be either a real token expiration or revoke, but more likely that the "api" service package is misconfigured
+                        throw new Error(`Attempt to access ${dataPageName} failed.  The "api" service package is likely not configured to use "OAuth 2.0"`);
+                    }
+                    throw new Error(`HTTP Error: ${response.status}`);
+                }
+            })
+                .then(async (agData) => {
+                const arAccessGroups = agData.pxResults;
+                const availablePortals = [];
+                for (const ag of arAccessGroups) {
+                    if (ag.pyAccessGroup === userAccessGroup) {
+                        // eslint-disable-next-line no-console
+                        console.error(`Default portal for current operator (${ag.pyPortal}) is not compatible with SDK.\nConsider using a different operator, adjusting the default portal for this operator, or using "appPortal" setting within sdk-config.json to specify a specific portal to load.`);
+                        let portal = null;
+                        for (portal of ag.pyUserPortals) {
+                            if (!arExcludedPortals.includes(portal.pyPortalLayout)) {
+                                availablePortals.push(portal.pyPortalLayout);
+                            }
+                        }
+                        break;
+                    }
+                }
+                // Found operator's current access group. Use its portal
+                // eslint-disable-next-line no-console
+                console.log(`Available portals: ${availablePortals}`);
+                return availablePortals;
+            })
+                .catch(e => {
+                // eslint-disable-next-line no-console
+                console.error(e.message);
+                // check specific error if 401, and wiped out if so stored token is stale.  Fetch new tokens.
+            });
+        });
+    }
+    ;
+    // TODO: Cope with 401 and refresh token if possible (or just hope that it succeeds during login)
+    /**
+     * Retrieve UserInfo for current authentication service
+     */
+    getUserInfo() {
+        if (__classPrivateFieldGet(this, _AuthManager_userInfo, "f")) {
+            return __classPrivateFieldGet(this, _AuthManager_userInfo, "f");
+        }
+        return __classPrivateFieldGet(this, _AuthManager_instances, "m", _AuthManager_initialize).call(this, false).then((aMgr) => {
+            return aMgr.getUserinfo(__classPrivateFieldGet(this, _AuthManager_tokenInfo, "f").access_token).then(data => {
+                __classPrivateFieldSet(this, _AuthManager_userInfo, data, "f");
+                return __classPrivateFieldGet(this, _AuthManager_userInfo, "f");
+            });
+        });
+    }
+    login(bFullReauth = false) {
+        if (this.bCustomAuth)
+            return;
+        // Needed so a redirect to login screen and back will know we are still in process of logging in
+        this.loginStart = Date.now();
+        __classPrivateFieldGet(this, _AuthManager_instances, "m", _AuthManager_initialize).call(this, !bFullReauth).then((aMgr) => {
+            const bMainRedirect = !this.noInitialRedirect;
+            const sdkConfigAuth = SdkConfigAccess.getSdkConfigAuth();
+            let sRedirectUri = sdkConfigAuth.redirectUri;
+            // If initial main redirect is OK, redirect to main page, otherwise will authorize in a popup window
+            if (bMainRedirect && !bFullReauth) {
+                // update redirect uri to be the root
+                this.updateRedirectUri(sRedirectUri);
+                aMgr.loginRedirect();
+                // Don't have token til after the redirect
+                return Promise.resolve(undefined);
             }
-            if (!sdkConfigAuth.userinfo) {
-                const appAliasSeg = sdkConfigServer.appAlias ? `app/${sdkConfigServer.appAlias}/` : '';
-                sdkConfigAuth.userinfo = `${pegaUrl}${appAliasSeg}api/oauthclients/v1/userinfo/JSON`;
+            else {
+                // Construct path to redirect uri
+                const nLastPathSep = sRedirectUri.lastIndexOf("/");
+                sRedirectUri = nLastPathSep !== -1 ? `${sRedirectUri.substring(0, nLastPathSep + 1)}auth.html` : `${sRedirectUri}/auth.html`;
+                // Set redirectUri to static auth.html
+                this.updateRedirectUri(sRedirectUri);
+                return new Promise((resolve, reject) => {
+                    aMgr.login().then(token => {
+                        __classPrivateFieldGet(this, _AuthManager_instances, "m", _AuthManager_processTokenOnLogin).call(this, token);
+                        // this.getUserInfo();
+                        resolve(token.access_token);
+                    }).catch((e) => {
+                        // Use setter to update state
+                        this.loginStart = 0;
+                        // eslint-disable-next-line no-console
+                        console.log(e);
+                        reject(e);
+                    });
+                });
             }
+        });
+    }
+    authRedirectCallback(href, fnLoggedInCB = null) {
+        // Get code from href and swap for token
+        const aHrefParts = href.split('?');
+        const urlParams = new URLSearchParams(aHrefParts.length > 1 ? `?${aHrefParts[1]}` : '');
+        const code = urlParams.get('code');
+        const state = urlParams.get('state');
+        // If state should also match before accepting code
+        if (code) {
+            __classPrivateFieldGet(this, _AuthManager_instances, "m", _AuthManager_initialize).call(this, false).then((aMgr) => {
+                if (aMgr.checkStateMatch(state)) {
+                    aMgr.getToken(code).then(token => {
+                        if (token && token.access_token) {
+                            __classPrivateFieldGet(this, _AuthManager_instances, "m", _AuthManager_processTokenOnLogin).call(this, token, false);
+                            // this.getUserInfo();
+                            if (fnLoggedInCB) {
+                                fnLoggedInCB(token.access_token);
+                            }
+                        }
+                    });
+                }
+            });
         }
-        // Auth service alias
-        if (!sdkConfigAuth.authService) {
-            sdkConfigAuth.authService = "pega";
+        else {
+            const error = urlParams.get('error');
+            const errorDesc = urlParams.get('errorDesc');
+            fnLoggedInCB(null, error, errorDesc);
         }
-        // Construct path to auth.html (used for case when not doing a main window redirect)
-        let sNoMainRedirectUri = sdkConfigAuth.redirectUri;
-        const nLastPathSep = sNoMainRedirectUri.lastIndexOf("/");
-        sNoMainRedirectUri = nLastPathSep !== -1 ? `${sNoMainRedirectUri.substring(0, nLastPathSep + 1)}auth.html` : `${sNoMainRedirectUri}/auth.html`;
-        const authConfig = {
-            clientId: bNoInitialRedirect ? sdkConfigAuth.mashupClientId : sdkConfigAuth.portalClientId,
-            authorizeUri: sdkConfigAuth.authorize,
-            tokenUri: sdkConfigAuth.token,
-            revokeUri: sdkConfigAuth.revoke,
-            userinfoUri: sdkConfigAuth.userinfo,
-            redirectUri: bNoInitialRedirect || usePopupForRestOfSession
-                ? sNoMainRedirectUri
-                : sdkConfigAuth.redirectUri,
-            authService: sdkConfigAuth.authService,
-            appAlias: sdkConfigServer.appAlias || '',
-            useLocking: true
-        };
-        // If no clientId is specified assume not OAuth but custom auth
-        if (!authConfig.clientId) {
-            gbCustomAuth = true;
-            return;
+    }
+    loginIfNecessary(loginProps) {
+        const { appName, deferLogin, redirectDoneCB } = loginProps;
+        const noMainRedirect = !loginProps.mainRedirect;
+        // We need to load state before making any decisions
+        __classPrivateFieldGet(this, _AuthManager_instances, "m", _AuthManager_loadState).call(this);
+        // If no initial redirect status of page changed...clear AuthMgr
+        const currNoMainRedirect = this.noInitialRedirect;
+        if (appName !== this.state.appName || noMainRedirect !== currNoMainRedirect) {
+            this.clear(false);
+            this.state.appName = appName;
+            __classPrivateFieldGet(this, _AuthManager_instances, "m", _AuthManager_setStorage).call(this, __classPrivateFieldGet(this, _AuthManager_ssKeyState, "f"), this.state);
         }
-        if ('silentTimeout' in sdkConfigAuth) {
-            authConfig.silentTimeout = sdkConfigAuth.silentTimeout;
+        this.noInitialRedirect = noMainRedirect;
+        // If custom auth no need to do any OAuth logic
+        if (this.bCustomAuth) {
+            __classPrivateFieldGet(this, _AuthManager_instances, "m", _AuthManager_updateLoginStatus).call(this);
+            if (!window.PCore) {
+                __classPrivateFieldGet(this, _AuthManager_instances, "m", _AuthManager_customConstellationInit).call(this, () => {
+                    // Fire the SdkCustomReauth event to indicate a new authHeader is needed. Event listener should invoke sdkSetAuthHeader
+                    //  to communicate the new token to sdk (and Constellation JS Engine)
+                    // eslint-disable-next-line @typescript-eslint/no-use-before-define
+                    const event = new CustomEvent('SdkCustomReauth', { detail: sdkSetAuthHeader });
+                    document.dispatchEvent(event);
+                });
+            }
+            return;
         }
-        if (bNoInitialRedirect) {
-            authConfig.userIdentifier = sdkConfigAuth.mashupUserIdentifier;
-            authConfig.password = sdkConfigAuth.mashupPassword;
+        if (window.location.href.includes("?code")) {
+            // initialize authMgr (now initialize in constructor?)
+            return __classPrivateFieldGet(this, _AuthManager_instances, "m", _AuthManager_initialize).call(this, false).then(() => {
+                const cbDefault = () => {
+                    window.location.href = window.location.pathname;
+                };
+                // eslint-disable-next-line no-console
+                console.log('About to invoke PegaAuth authRedirectCallback');
+                this.authRedirectCallback(window.location.href, redirectDoneCB || cbDefault);
+                // });
+            });
         }
-        if ('iframeLoginUI' in sdkConfigAuth) {
-            authConfig.iframeLoginUI = sdkConfigAuth.iframeLoginUI.toString().toLowerCase() === 'true';
+        if (!deferLogin && (!this.loginStart || this.isLoginExpired())) {
+            return __classPrivateFieldGet(this, _AuthManager_instances, "m", _AuthManager_initialize).call(this, false).then(() => {
+                __classPrivateFieldGet(this, _AuthManager_instances, "m", _AuthManager_updateLoginStatus).call(this);
+                if (this.isLoggedIn) {
+                    __classPrivateFieldGet(this, _AuthManager_instances, "m", _AuthManager_fireTokenAvailable).call(this, __classPrivateFieldGet(this, _AuthManager_tokenInfo, "f"));
+                    // this.getUserInfo();
+                }
+                else {
+                    return this.login();
+                }
+                // });
+            });
         }
-        // Check if sessionStorage exists (and if so if for same authorize endpoint).  Otherwise, assume
-        //  sessionStorage is out of date (user just edited endpoints).  Else, logout required to clear
-        //  sessionStorage and get other endpoints updates.
-        // Doing this as sessionIndex might have been added to this storage structure
-        let sSI = sessionStorage.getItem("rsdk_CI");
-        if (sSI) {
-            try {
-                const oSI = JSON.parse(sSI);
-                if (oSI.authorizeUri !== authConfig.authorizeUri ||
-                    oSI.appAlias !== authConfig.appAlias ||
-                    oSI.clientId !== authConfig.clientId ||
-                    oSI.userIdentifier !== authConfig.userIdentifier ||
-                    oSI.password !== authConfig.password) {
-                    clearAuthMgr();
-                    sSI = null;
+    }
+    logout() {
+        sessionStorage.removeItem('rsdk_portalName');
+        return new Promise((resolve) => {
+            const fnClearAndResolve = () => {
+                this.clear();
+                const event = new Event('SdkLoggedOut');
+                document.dispatchEvent(event);
+                resolve(null);
+            };
+            if (this.bCustomAuth) {
+                fnClearAndResolve();
+                return;
+            }
+            if (__classPrivateFieldGet(this, _AuthManager_tokenInfo, "f") && __classPrivateFieldGet(this, _AuthManager_tokenInfo, "f").access_token) {
+                if (window.PCore) {
+                    window.PCore.getAuthUtils().revokeTokens().then(() => {
+                        fnClearAndResolve();
+                    }).catch(err => {
+                        // eslint-disable-next-line no-console
+                        console.log("Error:", err?.message);
+                    });
+                }
+                else {
+                    __classPrivateFieldGet(this, _AuthManager_instances, "m", _AuthManager_initialize).call(this, false).then((aMgr) => {
+                        aMgr.revokeTokens(__classPrivateFieldGet(this, _AuthManager_tokenInfo, "f").access_token, __classPrivateFieldGet(this, _AuthManager_tokenInfo, "f").refresh_token)
+                            .then(() => {
+                            // Go to finally
+                        })
+                            .finally(() => {
+                            fnClearAndResolve();
+                        });
+                    });
                 }
             }
-            catch (e) {
-                // do nothing
+            else {
+                fnClearAndResolve();
             }
+        });
+    }
+}
+_AuthManager_ssKeyPrefix = new WeakMap(), _AuthManager_pegaAuth = new WeakMap(), _AuthManager_ssKeyConfigInfo = new WeakMap(), _AuthManager_ssKeySessionInfo = new WeakMap(), _AuthManager_ssKeyTokenInfo = new WeakMap(), _AuthManager_ssKeyState = new WeakMap(), _AuthManager_authConfig = new WeakMap(), _AuthManager_authDynState = new WeakMap(), _AuthManager_authHeader = new WeakMap(), _AuthManager_tokenInfo = new WeakMap(), _AuthManager_userInfo = new WeakMap(), _AuthManager_usePASS = new WeakMap(), _AuthManager_pageHideAdded = new WeakMap(), _AuthManager_tokenStorage = new WeakMap(), _AuthManager_transform = new WeakMap(), _AuthManager_foldSpot = new WeakMap(), _AuthManager_instances = new WeakSet(), _AuthManager_transformAndParse = function _AuthManager_transformAndParse(ssKey, ssItem, bForce = false) {
+    let obj = {};
+    try {
+        obj = JSON.parse(__classPrivateFieldGet(this, _AuthManager_instances, "m", _AuthManager_transformer).call(this, ssKey, ssItem, false, bForce));
+    }
+    catch (e) {
+        // fall thru and return empty object
+    }
+    return obj;
+}, _AuthManager_getStorage = function _AuthManager_getStorage(ssKey, sAttrib = null) {
+    const ssItem = ssKey ? window.sessionStorage.getItem(ssKey) : null;
+    let obj = {};
+    if (ssItem) {
+        try {
+            obj = JSON.parse(ssItem);
         }
-        if (!sSI || bInit) {
-            sessionStorage.setItem('rsdk_CI', JSON.stringify(authConfig));
+        catch (e) {
+            obj = __classPrivateFieldGet(this, _AuthManager_instances, "m", _AuthManager_transformAndParse).call(this, ssKey, ssItem, true);
         }
-        authMgr = new PegaAuth('rsdk_CI');
-    });
-};
-const getAuthMgr = (bInit) => {
+    }
+    return sAttrib ? obj[sAttrib] : obj;
+}, _AuthManager_setStorage = function _AuthManager_setStorage(ssKey, obj) {
+    // Set storage only if obj is not empty, else delete the storage
+    if (!obj || isEmptyObject(obj)) {
+        window.sessionStorage.removeItem(ssKey);
+    }
+    else {
+        // const bClear = (ssKey === this.#ssKeyState || ssKey === this.#ssKeySessionInfo);
+        const bClear = false;
+        const sValue = bClear ? JSON.stringify(obj) : __classPrivateFieldGet(this, _AuthManager_instances, "m", _AuthManager_transformer).call(this, ssKey, JSON.stringify(obj), true);
+        window.sessionStorage.setItem(ssKey, sValue);
+    }
+}, _AuthManager_calcFoldSpot = function _AuthManager_calcFoldSpot(s) {
+    const nOffset = 1;
+    const sChar = s.length > nOffset ? s.charAt(nOffset) : '2';
+    const nSpot = parseInt(sChar, 10);
+    __classPrivateFieldSet(this, _AuthManager_foldSpot, Number.isNaN(nSpot) ? 2 : (nSpot % 4) + 2, "f");
+}, _AuthManager_transformer = function _AuthManager_transformer(ssKey, s, bIn, bForce = false) {
+    const bTransform = bForce || __classPrivateFieldGet(this, _AuthManager_transform, "f");
+    const fnFold = (x) => {
+        const nLen = x.length;
+        const nExtra = nLen % __classPrivateFieldGet(this, _AuthManager_foldSpot, "f");
+        const nOffset = Math.floor(nLen / __classPrivateFieldGet(this, _AuthManager_foldSpot, "f")) + nExtra;
+        const nRem = x.length - nOffset;
+        return x.substring(bIn ? nOffset : nRem) + x.substring(0, bIn ? nOffset : nRem);
+    };
+    const bTknInfo = ssKey === __classPrivateFieldGet(this, _AuthManager_ssKeyTokenInfo, "f");
+    if (bTknInfo && !bIn && bTransform) {
+        s = window.atob(fnFold(s));
+    }
+    // eslint-disable-next-line no-nested-ternary
+    let result = bTransform ? (bIn ? window.btoa(s) : window.atob(s)) : s;
+    if (bTknInfo && bIn && bTransform) {
+        result = fnFold(window.btoa(result));
+    }
+    return result;
+}, _AuthManager_doPageHide = function _AuthManager_doPageHide() {
+    // Safari and particularly Safari on mobile devices doesn't seem to load this on first main redirect or
+    // reliably, so have moved to having PegaAuth manage writing all state props to session storage
+    __classPrivateFieldGet(this, _AuthManager_instances, "m", _AuthManager_setStorage).call(this, __classPrivateFieldGet(this, _AuthManager_ssKeyState, "f"), this.state);
+    __classPrivateFieldGet(this, _AuthManager_instances, "m", _AuthManager_setStorage).call(this, __classPrivateFieldGet(this, _AuthManager_ssKeySessionInfo, "f"), __classPrivateFieldGet(this, _AuthManager_authDynState, "f"));
+    // If tokenStorage was always, token would already be there
+    if (__classPrivateFieldGet(this, _AuthManager_tokenStorage, "f") === 'temp') {
+        __classPrivateFieldGet(this, _AuthManager_instances, "m", _AuthManager_setStorage).call(this, __classPrivateFieldGet(this, _AuthManager_ssKeyTokenInfo, "f"), __classPrivateFieldGet(this, _AuthManager_tokenInfo, "f"));
+    }
+}, _AuthManager_loadState = function _AuthManager_loadState() {
+    // Note: State storage key doesn't have a client id associated with it
+    const oState = __classPrivateFieldGet(this, _AuthManager_instances, "m", _AuthManager_getStorage).call(this, __classPrivateFieldGet(this, _AuthManager_ssKeyState, "f"));
+    if (oState) {
+        Object.assign(this.state, oState);
+        if (this.state.sfx) {
+            // Setter sets up the ssKey values as well
+            this.keySuffix = this.state.sfx;
+        }
+    }
+}, _AuthManager_doOnLoad = function _AuthManager_doOnLoad() {
+    if (!this.onLoadDone) {
+        // This authConfig state doesn't collide with other calculated static state...so load it first
+        // Note: transform setting will have already been loaded into #authConfig at this point
+        __classPrivateFieldSet(this, _AuthManager_authDynState, __classPrivateFieldGet(this, _AuthManager_instances, "m", _AuthManager_getStorage).call(this, __classPrivateFieldGet(this, _AuthManager_ssKeySessionInfo, "f")), "f");
+        __classPrivateFieldSet(this, _AuthManager_tokenInfo, __classPrivateFieldGet(this, _AuthManager_instances, "m", _AuthManager_getStorage).call(this, __classPrivateFieldGet(this, _AuthManager_ssKeyTokenInfo, "f")), "f");
+        if (__classPrivateFieldGet(this, _AuthManager_tokenStorage, "f") !== 'always') {
+            sessionStorage.removeItem(__classPrivateFieldGet(this, _AuthManager_ssKeyTokenInfo, "f"));
+            sessionStorage.removeItem(__classPrivateFieldGet(this, _AuthManager_ssKeySessionInfo, "f"));
+        }
+        this.onLoadDone = true;
+    }
+}, _AuthManager_doAuthDynStateChanged = function _AuthManager_doAuthDynStateChanged() {
+    // If tokenStorage is setup for always then always persist the auth dynamic state as well
+    if (__classPrivateFieldGet(this, _AuthManager_tokenStorage, "f") === 'always') {
+        __classPrivateFieldGet(this, _AuthManager_instances, "m", _AuthManager_setStorage).call(this, __classPrivateFieldGet(this, _AuthManager_ssKeySessionInfo, "f"), __classPrivateFieldGet(this, _AuthManager_authDynState, "f"));
+    }
+}, _AuthManager_initialize = 
+/**
+ * Initialize OAuth config structure members and create authMgr instance (if necessary)
+ * bNew - governs whether to create new sessionStorage or load existing one
+ */
+async function _AuthManager_initialize(bNew = false) {
     return new Promise((resolve) => {
-        let idNextCheck = null;
-        const fnCheckForAuthMgr = () => {
-            if (PegaAuth && !authMgr) {
-                initOAuth(bInit);
-            }
-            if (authMgr) {
-                if (idNextCheck) {
-                    clearInterval(idNextCheck);
+        if (!this.initInProgress && (bNew || isEmptyObject(__classPrivateFieldGet(this, _AuthManager_authConfig, "f")) || !__classPrivateFieldGet(this, _AuthManager_pegaAuth, "f"))) {
+            this.initInProgress = true;
+            getSdkConfig().then(sdkConfig => {
+                const sdkConfigAuth = sdkConfig.authConfig;
+                const sdkConfigServer = sdkConfig.serverConfig;
+                let pegaUrl = sdkConfigServer.infinityRestServerUrl;
+                const bNoInitialRedirect = this.noInitialRedirect;
+                // Construct default OAuth endpoints (if not explicitly specified)
+                if (pegaUrl) {
+                    // Cope with trailing slash being present
+                    if (!pegaUrl.endsWith('/')) {
+                        pegaUrl += '/';
+                    }
+                    if (!sdkConfigAuth.authorize) {
+                        sdkConfigAuth.authorize = `${pegaUrl}PRRestService/oauth2/v1/authorize`;
+                    }
+                    if (!sdkConfigAuth.token) {
+                        sdkConfigAuth.token = `${pegaUrl}PRRestService/oauth2/v1/token`;
+                    }
+                    if (!sdkConfigAuth.revoke) {
+                        sdkConfigAuth.revoke = `${pegaUrl}PRRestService/oauth2/v1/revoke`;
+                    }
+                    if (!sdkConfigAuth.redirectUri) {
+                        sdkConfigAuth.redirectUri = `${window.location.origin}${window.location.pathname}`;
+                    }
+                    if (!sdkConfigAuth.userinfo) {
+                        const appAliasSeg = sdkConfigServer.appAlias ? `app/${sdkConfigServer.appAlias}/` : '';
+                        sdkConfigAuth.userinfo = `${pegaUrl}${appAliasSeg}api/oauthclients/v1/userinfo/JSON`;
+                    }
                 }
-                return resolve(authMgr);
-            }
-        };
-        fnCheckForAuthMgr();
-        idNextCheck = setInterval(fnCheckForAuthMgr, 10);
+                // Auth service alias
+                if (!sdkConfigAuth.authService) {
+                    sdkConfigAuth.authService = "pega";
+                }
+                // mashupAuthService provides way to have a different auth service for embedded
+                if (!sdkConfigAuth.mashupAuthService) {
+                    sdkConfigAuth.mashupAuthService = sdkConfigAuth.authService;
+                }
+                // Construct path to auth.html (used for case when not doing a main window redirect)
+                let sNoMainRedirectUri = sdkConfigAuth.redirectUri;
+                const nLastPathSep = sNoMainRedirectUri.lastIndexOf("/");
+                sNoMainRedirectUri = nLastPathSep !== -1 ? `${sNoMainRedirectUri.substring(0, nLastPathSep + 1)}auth.html` : `${sNoMainRedirectUri}/auth.html`;
+                const portalGrantType = sdkConfigAuth.portalGrantType || 'authCode';
+                const mashupGrantType = sdkConfigAuth.mashupGrantType || 'authCode';
+                const pegaAuthConfig = {
+                    clientId: bNoInitialRedirect ? sdkConfigAuth.mashupClientId : sdkConfigAuth.portalClientId,
+                    grantType: bNoInitialRedirect ? mashupGrantType : portalGrantType,
+                    tokenUri: sdkConfigAuth.token,
+                    revokeUri: sdkConfigAuth.revoke,
+                    userinfoUri: sdkConfigAuth.userinfo,
+                    authService: bNoInitialRedirect ? sdkConfigAuth.mashupAuthService : sdkConfigAuth.authService,
+                    appAlias: sdkConfigServer.appAlias || '',
+                    useLocking: true
+                };
+                // Invoke keySuffix setter
+                // Was using pegaAuthConfig.clientId as key but more secure to just use a random string as getting
+                //  both a clientId and the refresh token could yield a new access token.
+                // Suffix is so we might in future move to an array of suffixes based on the appName, so might store
+                //  both portal and embedded tokens/session info at same time
+                if (!this.state?.sfx) {
+                    // Just using a random number to make the suffix unique on each session
+                    this.keySuffix = `${Math.ceil(Math.random() * 100000000)}`;
+                }
+                __classPrivateFieldGet(this, _AuthManager_authConfig, "f").transform = sdkConfigAuth.transform !== undefined ? sdkConfigAuth.transform : __classPrivateFieldGet(this, _AuthManager_transform, "f");
+                // Using property in class as authConfig may be empty at times
+                __classPrivateFieldSet(this, _AuthManager_transform, __classPrivateFieldGet(this, _AuthManager_authConfig, "f").transform, "f");
+                if (sdkConfigAuth.tokenStorage !== undefined) {
+                    __classPrivateFieldSet(this, _AuthManager_tokenStorage, sdkConfigAuth.tokenStorage, "f");
+                }
+                // Get latest state once client ids, transform and tokenStorage have been established
+                __classPrivateFieldGet(this, _AuthManager_instances, "m", _AuthManager_doOnLoad).call(this);
+                // If no clientId is specified assume not OAuth but custom auth
+                if (!pegaAuthConfig.clientId) {
+                    this.bCustomAuth = true;
+                    return;
+                }
+                if (pegaAuthConfig.grantType === 'authCode') {
+                    const authCodeProps = {
+                        authorizeUri: sdkConfigAuth.authorize,
+                        // If we have already specified a redirect on the authorize redirect, we need to continue to use that
+                        //  on token endpoint
+                        redirectUri: bNoInitialRedirect || this.usePopupForRestOfSession ? sNoMainRedirectUri : sdkConfigAuth.redirectUri
+                    };
+                    if ('silentTimeout' in sdkConfigAuth) {
+                        authCodeProps.silentTimeout = sdkConfigAuth.silentTimeout;
+                    }
+                    if (bNoInitialRedirect && pegaAuthConfig.authService === 'pega' &&
+                        sdkConfigAuth.mashupUserIdentifier && sdkConfigAuth.mashupPassword) {
+                        authCodeProps.userIdentifier = sdkConfigAuth.mashupUserIdentifier;
+                        authCodeProps.password = sdkConfigAuth.mashupPassword;
+                    }
+                    if ('iframeLoginUI' in sdkConfigAuth) {
+                        authCodeProps.iframeLoginUI = sdkConfigAuth.iframeLoginUI.toString().toLowerCase() === 'true';
+                    }
+                    Object.assign(pegaAuthConfig, authCodeProps);
+                }
+                Object.assign(__classPrivateFieldGet(this, _AuthManager_authConfig, "f"), pegaAuthConfig);
+                // Add an on page hide handler to write out key properties that we want to survive a
+                //  browser reload
+                if (!__classPrivateFieldGet(this, _AuthManager_pageHideAdded, "f") && (!__classPrivateFieldGet(this, _AuthManager_usePASS, "f") || __classPrivateFieldGet(this, _AuthManager_tokenStorage, "f") !== 'always')) {
+                    window.addEventListener('pagehide', __classPrivateFieldGet(this, _AuthManager_instances, "m", _AuthManager_doPageHide).bind(this));
+                    __classPrivateFieldSet(this, _AuthManager_pageHideAdded, true, "f");
+                }
+                // Initialise PegaAuth OAuth 2.0 client library
+                if (__classPrivateFieldGet(this, _AuthManager_usePASS, "f")) {
+                    __classPrivateFieldGet(this, _AuthManager_instances, "m", _AuthManager_setStorage).call(this, __classPrivateFieldGet(this, _AuthManager_ssKeyConfigInfo, "f"), __classPrivateFieldGet(this, _AuthManager_authConfig, "f"));
+                    __classPrivateFieldGet(this, _AuthManager_instances, "m", _AuthManager_setStorage).call(this, __classPrivateFieldGet(this, _AuthManager_ssKeySessionInfo, "f"), __classPrivateFieldGet(this, _AuthManager_authDynState, "f"));
+                    __classPrivateFieldSet(this, _AuthManager_pegaAuth, new PegaAuth(__classPrivateFieldGet(this, _AuthManager_ssKeyConfigInfo, "f"), __classPrivateFieldGet(this, _AuthManager_ssKeySessionInfo, "f")), "f");
+                }
+                else {
+                    __classPrivateFieldGet(this, _AuthManager_authConfig, "f").fnDynStateChangedCB = __classPrivateFieldGet(this, _AuthManager_instances, "m", _AuthManager_doAuthDynStateChanged).bind(this);
+                    __classPrivateFieldSet(this, _AuthManager_pegaAuth, new PegaAuth(__classPrivateFieldGet(this, _AuthManager_authConfig, "f"), __classPrivateFieldGet(this, _AuthManager_authDynState, "f")), "f");
+                }
+                this.initInProgress = false;
+                resolve(__classPrivateFieldGet(this, _AuthManager_pegaAuth, "f"));
+            });
+        }
+        else {
+            let idNextCheck;
+            const fnCheckForAuthMgr = () => {
+                if (!this.initInProgress) {
+                    if (idNextCheck) {
+                        clearInterval(idNextCheck);
+                    }
+                    resolve(__classPrivateFieldGet(this, _AuthManager_pegaAuth, "f"));
+                }
+            };
+            fnCheckForAuthMgr();
+            idNextCheck = setInterval(fnCheckForAuthMgr, 100);
+        }
     });
-};
-export const sdkGetAuthHeader = () => {
-    return sessionStorage.getItem("rsdk_AH");
-};
-/**
- * Initiate the process to get the Constellation bootstrap shell loaded and initialized
- * @param {Object} authConfig
- * @param {Object} tokenInfo
- * @param {Function} authTokenUpdated - callback invoked when Constellation JS Engine silently updates
- *      an expired access_token
- * @param {Function} fnReauth - callback invoked when a full or custom reauth is needed
- */
-const constellationInit = (authConfig, tokenInfo, authTokenUpdated, fnReauth) => {
+}, _AuthManager_constellationInit = function _AuthManager_constellationInit(authConfig, tokenInfo, authTokenUpdated, fnReauth) {
     const constellationBootConfig = {};
     const sdkConfigServer = SdkConfigAccess.getSdkConfigServer();
     // Set up constellationConfig with data that bootstrapWithAuthHeader expects
@@ -217,7 +684,7 @@ const constellationInit = (authConfig, tokenInfo, authTokenUpdated, fnReauth) =>
             tokenInfo,
             // Set whether we want constellation to try to do a full re-Auth or not ()
             // true doesn't seem to be working in SDK scenario so always passing false for now
-            popupReauth: false /* !authNoRedirect() */,
+            popupReauth: false /* !this.noInitialRedirect */,
             client_id: authConfig.clientId,
             authentication_service: authConfig.authService,
             redirect_uri: authConfig.redirectUri,
@@ -227,19 +694,19 @@ const constellationInit = (authConfig, tokenInfo, authTokenUpdated, fnReauth) =>
                 revoke: authConfig.revokeUri
             },
             // TODO: setup callback so we can update own storage
-            onTokenRetrieval: authTokenUpdated
+            onTokenRetrieval: __classPrivateFieldGet(this, _AuthManager_instances, "m", _AuthManager_authTokenUpdated).bind(this)
         };
     }
     else {
-        constellationBootConfig.authorizationHeader = sdkGetAuthHeader();
+        constellationBootConfig.authorizationHeader = __classPrivateFieldGet(this, _AuthManager_authHeader, "f");
     }
     // Turn off dynamic load components (should be able to do it here instead of after load?)
     constellationBootConfig.dynamicLoadComponents = false;
-    if (gbC11NBootstrapInProgress) {
+    if (this.bC11NBootstrapInProgress) {
         return;
     }
     else {
-        gbC11NBootstrapInProgress = true;
+        this.bC11NBootstrapInProgress = true;
     }
     // Note that staticContentServerUrl already ends with a slash (see above), so no slash added.
     // In order to have this import succeed and to have it done with the webpackIgnore magic comment tag.
@@ -250,21 +717,18 @@ const constellationInit = (authConfig, tokenInfo, authTokenUpdated, fnReauth) =>
         window.myLoadMashup = bootstrapShell.loadMashup;
         window.myLoadPortal = bootstrapShell.loadPortal;
         window.myLoadDefaultPortal = bootstrapShell.loadDefaultPortal;
-        bootstrapShell.bootstrapWithAuthHeader(constellationBootConfig, 'shell').then(() => {
+        bootstrapShell.bootstrapWithAuthHeader(constellationBootConfig, 'pega-root').then(() => {
             // eslint-disable-next-line no-console
-            console.log('Bootstrap successful!');
-            gbC11NBootstrapInProgress = false;
+            console.log('ConstellationJS bootstrap successful!');
+            this.bC11NBootstrapInProgress = false;
             // Setup listener for the reauth event
             if (tokenInfo) {
-                // eslint-disable-next-line no-undef
                 PCore.getPubSubUtils().subscribe(PCore.getConstants().PUB_SUB_EVENTS.EVENT_FULL_REAUTH, fnReauth, "authFullReauth");
             }
             else {
                 // customReauth event introduced with 8.8
-                // eslint-disable-next-line no-undef
                 const sEvent = PCore.getConstants().PUB_SUB_EVENTS.EVENT_CUSTOM_REAUTH;
                 if (sEvent) {
-                    // eslint-disable-next-line no-undef
                     PCore.getPubSubUtils().subscribe(sEvent, fnReauth, "doReauth");
                 }
             }
@@ -275,175 +739,94 @@ const constellationInit = (authConfig, tokenInfo, authTokenUpdated, fnReauth) =>
             .catch(e => {
             // Assume error caught is because token is not valid and attempt a full reauth
             // eslint-disable-next-line no-console
-            console.error(`Constellation JS Engine bootstrap failed. ${e}`);
-            gbC11NBootstrapInProgress = false;
+            console.error(`ConstellationJS bootstrap failed. ${e}`);
+            this.bC11NBootstrapInProgress = false;
             fnReauth();
         });
     });
     /* Ends here */
-};
-export const updateLoginStatus = () => {
-    const sAuthHdr = sdkGetAuthHeader();
-    gbLoggedIn = sAuthHdr && sAuthHdr.length > 0;
-};
-const getCurrentTokens = () => {
-    let tokens = null;
-    const sTI = sessionStorage.getItem('rsdk_TI');
-    if (sTI) {
-        try {
-            tokens = JSON.parse(sTI);
-        }
-        catch (e) {
-            tokens = null;
-        }
-    }
-    return tokens;
-};
-const fireTokenAvailable = (token, bLoadC11N = true) => {
+}, _AuthManager_customConstellationInit = function _AuthManager_customConstellationInit(fnReauth) {
+    __classPrivateFieldGet(this, _AuthManager_instances, "m", _AuthManager_constellationInit).call(this, null, null, null, fnReauth);
+}, _AuthManager_fireTokenAvailable = function _AuthManager_fireTokenAvailable(token, bLoadC11N = true) {
     if (!token) {
         // This is used on page reload to load the token from sessionStorage and carry on
-        token = getCurrentTokens();
+        token = __classPrivateFieldGet(this, _AuthManager_tokenInfo, "f");
         if (!token) {
             return;
         }
     }
-    sessionStorage.setItem('rsdk_AH', `${token.token_type} ${token.access_token}`);
-    updateLoginStatus();
-    // gbLoggedIn is getting updated in updateLoginStatus
-    gbLoggedIn = true;
-    gbLoginInProgress = false;
-    sessionStorage.removeItem("rsdk_loggingIn");
-    forcePopupForReauths(true);
-    const sSI = sessionStorage.getItem("rsdk_CI");
-    let authConfig = null;
-    if (sSI) {
-        try {
-            authConfig = JSON.parse(sSI);
-        }
-        catch (e) {
-            // do nothing
-        }
+    __classPrivateFieldSet(this, _AuthManager_tokenInfo, token, "f");
+    if (__classPrivateFieldGet(this, _AuthManager_tokenStorage, "f") === 'always') {
+        __classPrivateFieldGet(this, _AuthManager_instances, "m", _AuthManager_setStorage).call(this, __classPrivateFieldGet(this, _AuthManager_ssKeyTokenInfo, "f"), __classPrivateFieldGet(this, _AuthManager_tokenInfo, "f"));
     }
+    __classPrivateFieldGet(this, _AuthManager_instances, "m", _AuthManager_updateLoginStatus).call(this);
+    // this.isLoggedIn is getting updated in updateLoginStatus
+    this.isLoggedIn = true;
+    this.loginStart = 0;
+    this.usePopupForRestOfSession = true;
     if (!window.PCore && bLoadC11N) {
-        // eslint-disable-next-line @typescript-eslint/no-use-before-define
-        constellationInit(authConfig, token, authTokenUpdated, authFullReauth);
+        __classPrivateFieldGet(this, _AuthManager_instances, "m", _AuthManager_constellationInit).call(this, __classPrivateFieldGet(this, _AuthManager_authConfig, "f"), token, __classPrivateFieldGet(this, _AuthManager_instances, "m", _AuthManager_authTokenUpdated).bind(this), __classPrivateFieldGet(this, _AuthManager_instances, "m", _AuthManager_authFullReauth).bind(this));
     }
     /*
-      // Create and dispatch the SdkLoggedIn event to trigger constellationInit
-      const event = new CustomEvent('SdkLoggedIn', { detail: { authConfig, tokenInfo: token } });
-      document.dispatchEvent(event);
-      */
-};
-const processTokenOnLogin = (token, bLoadC11N = true) => {
-    sessionStorage.setItem("rsdk_TI", JSON.stringify(token));
+    // Create and dispatch the SdkLoggedIn event to trigger constellationInit
+    const event = new CustomEvent('SdkLoggedIn', { detail: { authConfig, tokenInfo: token } });
+    document.dispatchEvent(event);
+    */
+}, _AuthManager_processTokenOnLogin = function _AuthManager_processTokenOnLogin(token, bLoadC11N = true) {
+    __classPrivateFieldSet(this, _AuthManager_tokenInfo, token, "f");
+    if (__classPrivateFieldGet(this, _AuthManager_tokenStorage, "f") === 'always') {
+        __classPrivateFieldGet(this, _AuthManager_instances, "m", _AuthManager_setStorage).call(this, __classPrivateFieldGet(this, _AuthManager_ssKeyTokenInfo, "f"), __classPrivateFieldGet(this, _AuthManager_tokenInfo, "f"));
+    }
     if (window.PCore) {
-        window.PCore.getAuthUtils().setTokens(token);
+        PCore.getAuthUtils().setTokens(token);
     }
     else {
-        fireTokenAvailable(token, bLoadC11N);
+        __classPrivateFieldGet(this, _AuthManager_instances, "m", _AuthManager_fireTokenAvailable).call(this, token, bLoadC11N);
     }
-};
-const updateRedirectUri = (aMgr, sRedirectUri) => {
-    const sSI = sessionStorage.getItem("rsdk_CI");
-    let authConfig = null;
-    if (sSI) {
-        try {
-            authConfig = JSON.parse(sSI);
-        }
-        catch (e) {
-            // do nothing
+}, _AuthManager_updateLoginStatus = function _AuthManager_updateLoginStatus() {
+    if (!__classPrivateFieldGet(this, _AuthManager_authHeader, "f") && __classPrivateFieldGet(this, _AuthManager_tokenInfo, "f")?.access_token) {
+        // Use setter to set this securely
+        this.authHeader = `${__classPrivateFieldGet(this, _AuthManager_tokenInfo, "f").token_type} ${__classPrivateFieldGet(this, _AuthManager_tokenInfo, "f").access_token}`;
+    }
+    this.isLoggedIn = !!(__classPrivateFieldGet(this, _AuthManager_authHeader, "f") && __classPrivateFieldGet(this, _AuthManager_authHeader, "f").length > 0);
+}, _AuthManager_authFullReauth = function _AuthManager_authFullReauth() {
+    const bHandleHere = true; // Other alternative is to raise an event and have someone else handle it
+    if (this.reauthStart) {
+        const reauthIgnoreInterval = 300000; // 5 minutes
+        const currTime = Date.now();
+        const bReauthInProgress = currTime - this.reauthStart <= reauthIgnoreInterval;
+        if (bReauthInProgress) {
+            return;
         }
     }
-    authConfig.redirectUri = sRedirectUri;
-    sessionStorage.setItem("rsdk_CI", JSON.stringify(authConfig));
-    aMgr.reloadConfig();
+    if (bHandleHere) {
+        // Don't want to do a full clear of authMgr as will loose state props (like sessionIndex).  Rather just clear the tokens
+        this.clear(true);
+        // eslint-disable-next-line @typescript-eslint/no-use-before-define
+        login(true);
+    }
+    else {
+        // Fire the SdkFullReauth event to indicate a new token is needed (PCore.getAuthUtils.setTokens method
+        //  should be used to communicate the new token to Constellation JS Engine.
+        const event = new CustomEvent('SdkFullReauth', { detail: __classPrivateFieldGet(this, _AuthManager_instances, "m", _AuthManager_processTokenOnLogin).bind(this) });
+        document.dispatchEvent(event);
+    }
+}, _AuthManager_authTokenUpdated = function _AuthManager_authTokenUpdated(tokenInfo) {
+    __classPrivateFieldSet(this, _AuthManager_tokenInfo, tokenInfo, "f");
 };
+const gAuthMgr = new AuthManager();
 // TODO: Cope with 401 and refresh token if possible (or just hope that it succeeds during login)
 /**
  * Retrieve UserInfo for current authentication service
  */
-export const getUserInfo = (bUseSS = true) => {
-    const ssUserInfo = sessionStorage.getItem("rsdk_UI");
-    let userInfo = null;
-    if (bUseSS && ssUserInfo) {
-        try {
-            userInfo = JSON.parse(ssUserInfo);
-            return Promise.resolve(userInfo);
-        }
-        catch (e) {
-            // do nothing
-        }
-    }
-    getAuthMgr(false).then((aMgr) => {
-        const tokenInfo = getCurrentTokens();
-        return aMgr.getUserinfo(tokenInfo.access_token).then(data => {
-            userInfo = data;
-            if (userInfo) {
-                sessionStorage.setItem("rsdk_UI", JSON.stringify(userInfo));
-            }
-            else {
-                sessionStorage.removeItem("rsdk_UI");
-            }
-            return Promise.resolve(userInfo);
-        });
-    });
+export const getUserInfo = () => {
+    return gAuthMgr.getUserInfo();
 };
 export const login = (bFullReauth = false) => {
-    if (gbCustomAuth)
-        return;
-    gbLoginInProgress = true;
-    // Needed so a redirect to login screen and back will know we are still in process of logging in
-    sessionStorage.setItem("rsdk_loggingIn", `${Date.now()}`);
-    getAuthMgr(!bFullReauth).then((aMgr) => {
-        const bMainRedirect = !authNoRedirect();
-        const sdkConfigAuth = SdkConfigAccess.getSdkConfigAuth();
-        let sRedirectUri = sdkConfigAuth.redirectUri;
-        // If initial main redirect is OK, redirect to main page, otherwise will authorize in a popup window
-        if (bMainRedirect && !bFullReauth) {
-            // update redirect uri to be the root
-            updateRedirectUri(aMgr, sRedirectUri);
-            aMgr.loginRedirect();
-            // Don't have token til after the redirect
-            return Promise.resolve(undefined);
-        }
-        else {
-            // Construct path to redirect uri
-            const nLastPathSep = sRedirectUri.lastIndexOf("/");
-            sRedirectUri = nLastPathSep !== -1 ? `${sRedirectUri.substring(0, nLastPathSep + 1)}auth.html` : `${sRedirectUri}/auth.html`;
-            // Set redirectUri to static auth.html
-            updateRedirectUri(aMgr, sRedirectUri);
-            return new Promise((resolve, reject) => {
-                aMgr.login().then(token => {
-                    processTokenOnLogin(token);
-                    // getUserInfo();
-                    resolve(token.access_token);
-                }).catch((e) => {
-                    gbLoginInProgress = false;
-                    sessionStorage.removeItem("rsdk_loggingIn");
-                    // eslint-disable-next-line no-console
-                    console.log(e);
-                    reject(e);
-                });
-            });
-        }
-    });
+    return gAuthMgr.login(bFullReauth);
 };
 export const authRedirectCallback = (href, fnLoggedInCB = null) => {
-    // Get code from href and swap for token
-    const aHrefParts = href.split('?');
-    const urlParams = new URLSearchParams(aHrefParts.length > 1 ? `?${aHrefParts[1]}` : '');
-    const code = urlParams.get("code");
-    getAuthMgr(false).then((aMgr) => {
-        aMgr.getToken(code).then(token => {
-            if (token && token.access_token) {
-                processTokenOnLogin(token, false);
-                // getUserInfo();
-                if (fnLoggedInCB) {
-                    fnLoggedInCB(token.access_token);
-                }
-            }
-        });
-    });
+    gAuthMgr.authRedirectCallback(href, fnLoggedInCB);
 };
 /**
  * Silent or visible login based on login status
@@ -452,138 +835,30 @@ export const authRedirectCallback = (href, fnLoggedInCB = null) => {
  *   away from the main page
  *  @param {boolean} deferLogin - defer logging in (if not already authenticated)
  */
-export const loginIfNecessary = (appName, noMainRedirect = false, deferLogin = false) => {
-    // If no initial redirect status of page changed...clearAuthMgr
-    const currNoMainRedirect = authNoRedirect();
-    const currAppName = sessionStorage.getItem("rsdk_appName");
-    if (appName !== currAppName || noMainRedirect !== currNoMainRedirect) {
-        clearAuthMgr();
-        sessionStorage.setItem("rsdk_appName", appName);
-    }
-    setNoInitialRedirect(noMainRedirect);
-    // If custom auth no need to do any OAuth logic
-    if (gbCustomAuth) {
-        if (!window.PCore) {
-            // eslint-disable-next-line @typescript-eslint/no-use-before-define
-            constellationInit(null, null, null, authCustomReauth);
-        }
-        return;
-    }
-    if (window.location.href.indexOf("?code") !== -1) {
-        // initialize authMgr
-        initOAuth(false);
-        return getAuthMgr(false).then(() => {
-            authRedirectCallback(window.location.href, () => {
-                window.location.href = window.location.pathname;
-            });
-        });
-    }
-    if (!deferLogin && (!gbLoginInProgress || isLoginExpired())) {
-        initOAuth(false);
-        return getAuthMgr(false).then(() => {
-            updateLoginStatus();
-            if (gbLoggedIn) {
-                fireTokenAvailable(getCurrentTokens());
-                // getUserInfo();
-            }
-            else {
-                return login();
-            }
-        });
-    }
+export const loginIfNecessary = (loginProps) => {
+    gAuthMgr.loginIfNecessary(loginProps);
 };
 export const getHomeUrl = () => {
     return `${window.location.origin}/`;
 };
 export const authIsMainRedirect = () => {
     // Even with main redirect, we want to use it only for the first login (so it doesn't wipe out any state or the reload)
-    return !authNoRedirect() && !usePopupForRestOfSession;
+    return !gAuthMgr.noInitialRedirect && !gAuthMgr.usePopupForRestOfSession;
 };
-// Passive update where just session storage is updated so can be used on a window refresh
-export const authTokenUpdated = (tokenInfo) => {
-    sessionStorage.setItem("rsdk_TI", JSON.stringify(tokenInfo));
+export const sdkIsLoggedIn = () => {
+    return gAuthMgr.isLoggedIn;
 };
 export const logout = () => {
-    sessionStorage.removeItem('rsdk_portalName');
-    return new Promise((resolve) => {
-        const fnClearAndResolve = () => {
-            clearAuthMgr();
-            const event = new Event('SdkLoggedOut');
-            document.dispatchEvent(event);
-            resolve();
-        };
-        if (gbCustomAuth) {
-            sessionStorage.removeItem("rsdk_AH");
-            fnClearAndResolve();
-            return;
-        }
-        const tokenInfo = getCurrentTokens();
-        if (tokenInfo && tokenInfo.access_token) {
-            if (window.PCore) {
-                window.PCore.getAuthUtils().revokeTokens().then(() => {
-                    fnClearAndResolve();
-                }).catch(err => {
-                    // eslint-disable-next-line no-console
-                    console.log("Error:", err?.message);
-                });
-            }
-            else {
-                getAuthMgr(false).then((aMgr) => {
-                    aMgr.revokeTokens(tokenInfo.access_token, tokenInfo.refresh_token)
-                        .then(() => {
-                        // Go to finally
-                    })
-                        .finally(() => {
-                        fnClearAndResolve();
-                    });
-                });
-            }
-        }
-        else {
-            fnClearAndResolve();
-        }
-    });
-};
-// Callback routine for custom event to ask for updated tokens
-export const authUpdateTokens = (token) => {
-    processTokenOnLogin(token);
-};
-// Initiate a full OAuth re-authorization (any refresh token has also expired).
-export const authFullReauth = () => {
-    const bHandleHere = true; // Other alternative is to raise an event and have someone else handle it
-    if (bHandleHere) {
-        // Don't want to do a full clear of authMgr as will loose sessionIndex.  Rather just clear the tokens
-        clearAuthMgr(true);
-        login(true);
-    }
-    else {
-        // Fire the SdkFullReauth event to indicate a new token is needed (PCore.getAuthUtils.setTokens method
-        //  should be used to communicate the new token to Constellation JS Engine.
-        const event = new CustomEvent('SdkFullReauth', { detail: authUpdateTokens });
-        document.dispatchEvent(event);
-    }
+    return gAuthMgr.logout();
 };
 // Set the custom authorization header for the SDK (and Constellation JS Engine) to
 // utilize for every DX API request
 export const sdkSetAuthHeader = (authHeader) => {
-    // set this within session storage so it survives a browser reload
-    if (authHeader) {
-        sessionStorage.setItem("rsdk_AH", authHeader);
-        // setAuthorizationHeader method not available til 8.8 so do safety check
-        if (window.PCore?.getAuthUtils().setAuthorizationHeader) {
-            window.PCore.getAuthUtils().setAuthorizationHeader(authHeader);
-        }
-    }
-    else {
-        sessionStorage.removeItem("rsdk_AH");
-    }
-    gbCustomAuth = true;
+    gAuthMgr.bCustomAuth = !!authHeader;
+    // Use setter to set this securely
+    gAuthMgr.authHeader = authHeader;
 };
-// Initiate a custom re-authorization.
-export const authCustomReauth = () => {
-    // Fire the SdkCustomReauth event to indicate a new authHeader is needed. Event listener should invoke sdkSetAuthHeader
-    //  to communicate the new token to sdk (and Constellation JS Engine)
-    const event = new CustomEvent('SdkCustomReauth', { detail: sdkSetAuthHeader });
-    document.dispatchEvent(event);
+export const getAvailablePortals = async () => {
+    return gAuthMgr.getAvailablePortals();
 };
 //# sourceMappingURL=authManager.js.map