@progalaxyelabs/ngx-stonescriptphp-client 1.10.0 → 1.12.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (4) hide show
  1. package/fesm2022/progalaxyelabs-ngx-stonescriptphp-client.mjs +1075 -1365
  2. package/fesm2022/progalaxyelabs-ngx-stonescriptphp-client.mjs.map +1 -1
  3. package/index.d.ts +450 -431
  4. package/package.json +1 -1
package/index.d.ts CHANGED
@@ -1,68 +1,6 @@
1
1
  import * as i0 from '@angular/core';
2
- import { ModuleWithProviders, OnInit, EventEmitter } from '@angular/core';
2
+ import { InjectionToken, EnvironmentProviders, OnInit, EventEmitter } from '@angular/core';
3
3
  import { BehaviorSubject, Observable } from 'rxjs';
4
- import * as i1 from '@angular/common';
5
-
6
- declare class TokenService {
7
- private accessToken;
8
- private refreshToken;
9
- private lsAccessTokenKey;
10
- private lsRefreshTokenKey;
11
- constructor();
12
- setTokens(accessToken: string, refreshToken: string): void;
13
- setAccessToken(accessToken: string): void;
14
- setRefreshToken(refreshToken: string): void;
15
- getAccessToken(): string;
16
- getRefreshToken(): string;
17
- clear(): void;
18
- /**
19
- * Check if there is a valid (non-empty) access token
20
- * @returns True if access token exists and is not empty
21
- */
22
- hasValidAccessToken(): boolean;
23
- static ɵfac: i0.ɵɵFactoryDeclaration<TokenService, never>;
24
- static ɵprov: i0.ɵɵInjectableDeclaration<TokenService>;
25
- }
26
-
27
- /**
28
- * @deprecated Use boolean directly. Kept for backward compatibility.
29
- */
30
- declare enum VerifyStatus {
31
- initialized = "initialized",
32
- yes = "yes",
33
- no = "no"
34
- }
35
- declare class SigninStatusService {
36
- status: BehaviorSubject<boolean | VerifyStatus>;
37
- constructor();
38
- signedOut(): void;
39
- signedIn(): void;
40
- /**
41
- * Set signin status
42
- * @param isSignedIn - True if user is signed in, false otherwise
43
- */
44
- setSigninStatus(isSignedIn: boolean): void;
45
- static ɵfac: i0.ɵɵFactoryDeclaration<SigninStatusService, never>;
46
- static ɵprov: i0.ɵɵInjectableDeclaration<SigninStatusService>;
47
- }
48
-
49
- declare class ApiResponse<DataType> {
50
- readonly status: string;
51
- readonly data: DataType | null;
52
- readonly message: string;
53
- get success(): boolean;
54
- get errors(): string[];
55
- constructor(status: string, data?: any, message?: string);
56
- onOk(callback: (data: DataType) => void): ApiResponse<DataType>;
57
- onNotOk(callback: (message: string, data: DataType) => void): ApiResponse<DataType>;
58
- onError(callback: () => void): ApiResponse<DataType>;
59
- isSuccess(): boolean;
60
- isError(): boolean;
61
- getData(): DataType | null;
62
- getError(): string;
63
- getStatus(): string;
64
- getMessage(): string;
65
- }
66
4
 
67
5
  type AuthMode = 'cookie' | 'body' | 'none';
68
6
  interface AuthConfig {
@@ -74,33 +12,46 @@ interface AuthConfig {
74
12
  */
75
13
  mode: AuthMode;
76
14
  /**
77
- * Token refresh endpoint path
15
+ * Auth server host for token refresh and all auth operations.
16
+ * Use this when auth is on a different server than the API.
17
+ * Replaces the deprecated accountsUrl and accountsServer fields.
18
+ * @example 'https://accounts.progalaxyelabs.com'
19
+ */
20
+ host?: string;
21
+ /**
22
+ * Token refresh endpoint path.
78
23
  * @default '/auth/refresh' for cookie mode, '/user/refresh_access' for body mode
79
24
  */
80
25
  refreshEndpoint?: string;
81
26
  /**
82
- * Enable CSRF token support (required for cookie mode)
27
+ * Enable CSRF token support (required for cookie mode).
83
28
  * @default true for cookie mode, false for body mode
84
29
  */
85
30
  useCsrf?: boolean;
86
31
  /**
87
- * Cookie name for refresh token
32
+ * Cookie name for refresh token.
88
33
  * @default 'refresh_token'
89
34
  */
90
35
  refreshTokenCookieName?: string;
91
36
  /**
92
- * Cookie name for CSRF token
37
+ * Cookie name for CSRF token.
93
38
  * @default 'csrf_token'
94
39
  */
95
40
  csrfTokenCookieName?: string;
96
41
  /**
97
- * CSRF header name
42
+ * CSRF header name.
98
43
  * @default 'X-CSRF-Token'
99
44
  */
100
45
  csrfHeaderName?: string;
46
+ /**
47
+ * Response field mapping for external auth compatibility.
48
+ * Defaults to StoneScriptPHP format: { status:'ok', data:{ access_token, user } }
49
+ * Replaces the deprecated top-level authResponseMap field.
50
+ */
51
+ responseMap?: Partial<AuthResponseMap>;
101
52
  }
102
53
  /**
103
- * Authentication server configuration
54
+ * Authentication server configuration (for multi-server mode via StoneScriptPHPAuth).
104
55
  */
105
56
  interface AuthServerConfig {
106
57
  /** Server URL (e.g., 'https://accounts.progalaxyelabs.com') */
@@ -112,8 +63,6 @@ interface AuthServerConfig {
112
63
  }
113
64
  /**
114
65
  * Configuration for a custom OAuth provider.
115
- * Used to register custom providers via the ProviderRegistryService
116
- * or through the environment's customProviders field.
117
66
  */
118
67
  interface OAuthProviderConfig {
119
68
  /** Display label for the provider (e.g., "Okta") */
@@ -129,182 +78,112 @@ interface OAuthProviderConfig {
129
78
  color?: string;
130
79
  };
131
80
  }
81
+ /**
82
+ * Maps auth service response fields to expected locations.
83
+ * Paths use dot-notation (e.g., 'data.access_token' for nested fields).
84
+ *
85
+ * StoneScriptPHP format: { status: 'ok', data: { access_token, user, ... } }
86
+ * Raw/external format: { access_token, identity, ... }
87
+ */
88
+ interface AuthResponseMap {
89
+ /**
90
+ * Dot-path to check for success (e.g., 'status' for StoneScriptPHP).
91
+ * If omitted, success is determined by presence of accessToken.
92
+ */
93
+ successPath?: string;
94
+ /** Value that indicates success at successPath (e.g., 'ok') */
95
+ successValue?: string;
96
+ /** Dot-path to the access token (default: 'data.access_token') */
97
+ accessTokenPath: string;
98
+ /** Dot-path to the refresh token (default: 'data.refresh_token') */
99
+ refreshTokenPath: string;
100
+ /** Dot-path to the user/identity object (default: 'data.user') */
101
+ userPath: string;
102
+ /** Dot-path to error message (default: 'message') */
103
+ errorMessagePath?: string;
104
+ }
132
105
  declare class MyEnvironmentModel {
133
106
  production: boolean;
134
107
  /**
135
- * Platform code identifier (e.g., 'progalaxy', 'hr', 'admin')
136
- * Used for multi-tenant authentication
108
+ * Platform code identifier (e.g., 'progalaxy', 'hr', 'admin').
109
+ * Used for multi-tenant authentication.
137
110
  */
138
111
  platformCode: string;
139
112
  /**
140
- * Accounts platform URL for centralized authentication (single-server mode)
141
- * @example 'https://accounts.progalaxyelabs.com'
142
- * @deprecated Use authServers for multi-server support
143
- */
144
- accountsUrl: string;
145
- /**
146
- * Multiple authentication servers configuration
147
- * Enables platforms to authenticate against different identity providers
148
- * @example
149
- * ```typescript
150
- * authServers: {
151
- * customer: { url: 'https://auth.progalaxyelabs.com', default: true },
152
- * employee: { url: 'https://admin-auth.progalaxyelabs.com' }
153
- * }
154
- * ```
155
- */
156
- authServers?: Record<string, AuthServerConfig>;
157
- firebase: {
158
- projectId: string;
159
- appId: string;
160
- databaseURL: string;
161
- storageBucket: string;
162
- locationId: string;
163
- apiKey: string;
164
- authDomain: string;
165
- messagingSenderId: string;
166
- measurementId: string;
167
- };
168
- /**
169
- * Platform's own API base URL (e.g., '//api.medstoreapp.in')
170
- * Used to route registration through the platform API proxy instead of auth directly
113
+ * Platform's own API base URL.
114
+ * Used for routes that go through the platform API proxy (e.g. register-tenant).
115
+ * Falls back to apiServer.host if not set.
171
116
  * @example '//api.medstoreapp.in'
172
117
  */
173
118
  apiUrl?: string;
174
119
  apiServer: {
175
120
  host: string;
176
121
  };
177
- chatServer: {
178
- host: string;
179
- };
180
122
  /**
181
- * Accounts/Authentication service server configuration
182
- * Use this when auth is on a different server than the API
183
- * Replaces the deprecated accountsUrl string with structured config
184
- * @example { host: 'https://accounts.progalaxyelabs.com' }
185
- */
186
- accountsServer?: {
187
- host: string;
188
- };
189
- /**
190
- * Files service server configuration
191
- * Used by FilesService for file upload/download operations
123
+ * Files service server configuration.
124
+ * Used by FilesService for file upload/download operations.
192
125
  * @example { host: 'https://files.progalaxyelabs.com/api/' }
193
126
  */
194
127
  filesServer?: {
195
128
  host: string;
196
129
  };
197
130
  /**
198
- * Authentication configuration
131
+ * Authentication configuration.
199
132
  * @default { mode: 'cookie', refreshEndpoint: '/auth/refresh', useCsrf: true }
200
133
  */
201
134
  auth?: AuthConfig;
135
+ /**
136
+ * Multiple authentication servers configuration (for StoneScriptPHPAuth multi-server mode).
137
+ * @example
138
+ * ```typescript
139
+ * authServers: {
140
+ * customer: { url: 'https://auth.progalaxyelabs.com', default: true },
141
+ * employee: { url: 'https://admin-auth.progalaxyelabs.com' }
142
+ * }
143
+ * ```
144
+ */
145
+ authServers?: Record<string, AuthServerConfig>;
202
146
  /**
203
147
  * Custom OAuth provider configurations.
204
- * Register additional OAuth providers beyond the built-in ones
205
- * (google, linkedin, apple, microsoft, github, zoho).
206
148
  * @example
207
149
  * ```typescript
208
150
  * customProviders: {
209
- * okta: { label: 'Sign in with Okta', cssClass: 'btn-okta', buttonStyle: { borderColor: '#007dc1' } },
210
- * keycloak: { label: 'Sign in with Keycloak', icon: '🔑' }
151
+ * okta: { label: 'Sign in with Okta', cssClass: 'btn-okta', buttonStyle: { borderColor: '#007dc1' } }
211
152
  * }
212
153
  * ```
213
154
  */
214
155
  customProviders?: Record<string, OAuthProviderConfig>;
215
156
  /**
216
- * Branding configuration for auth components
217
- * Allows platforms to customize login/register pages without creating wrappers
157
+ * Branding configuration for auth UI components.
218
158
  */
219
159
  branding?: {
220
- /** Application name displayed on auth pages */
221
160
  appName: string;
222
- /** URL to logo image */
223
161
  logo?: string;
224
- /** Primary brand color (hex) */
225
162
  primaryColor?: string;
226
- /** Gradient start color (hex) */
227
163
  gradientStart?: string;
228
- /** Gradient end color (hex) */
229
164
  gradientEnd?: string;
230
- /** Subtitle text displayed on auth pages */
231
165
  subtitle?: string;
232
166
  };
233
- }
234
-
235
- /**
236
- * CSRF Token Service
237
- *
238
- * Manages CSRF tokens for cookie-based authentication.
239
- * Reads CSRF token from cookies and provides it for request headers.
240
- */
241
- declare class CsrfService {
242
- /**
243
- * Get CSRF token from cookie
244
- */
245
- getCsrfToken(cookieName?: string): string | null;
246
- /**
247
- * Check if CSRF token exists
248
- */
249
- hasCsrfToken(cookieName?: string): boolean;
250
- /**
251
- * Clear CSRF token (for logout)
252
- * Note: Client-side deletion is limited for httpOnly cookies
253
- */
254
- clearCsrfToken(cookieName?: string): void;
255
- static ɵfac: i0.ɵɵFactoryDeclaration<CsrfService, never>;
256
- static ɵprov: i0.ɵɵInjectableDeclaration<CsrfService>;
257
- }
258
-
259
- declare class ApiConnectionService {
260
- private tokens;
261
- private signinStatus;
262
- private environment;
263
- private csrf;
264
- private host;
265
- private accessToken;
266
- private authConfig;
267
- constructor(tokens: TokenService, signinStatus: SigninStatusService, environment: MyEnvironmentModel, csrf: CsrfService);
268
- private request;
269
- private handleError;
270
- get<DataType>(endpoint: string, queryParamsObj?: any): Promise<ApiResponse<DataType>>;
271
- post<DataType>(pathWithQueryParams: string, data: any): Promise<ApiResponse<DataType>>;
272
- put<DataType>(pathWithQueryParams: string, data: any): Promise<ApiResponse<DataType>>;
273
- patch<DataType>(pathWithQueryParams: string, data: any): Promise<ApiResponse<DataType>>;
274
- delete<DataType>(endpoint: string, queryParamsObj?: any): Promise<ApiResponse<DataType>>;
275
- private includeAccessToken;
276
- private refreshAccessTokenAndRetry;
277
- refreshAccessToken(): Promise<boolean>;
278
- /**
279
- * Refresh access token using cookie-based auth (StoneScriptPHP v2.1.x default)
280
- */
281
- private refreshAccessTokenCookieMode;
282
167
  /**
283
- * Refresh access token using body-based auth (legacy mode)
168
+ * @deprecated Use auth.host instead.
169
+ * Auth server URL for centralized authentication.
284
170
  */
285
- private refreshAccessTokenBodyMode;
286
- buildQueryString(options?: any): string;
171
+ accountsUrl: string;
287
172
  /**
288
- * Upload a drawing (uses upload server if configured, otherwise API server)
289
- * @deprecated Platform-specific method - consider moving to platform service
173
+ * @deprecated Use auth.host instead.
174
+ * Accounts/Authentication service server configuration.
290
175
  */
291
- uploadDrawing<DataType>(formData: FormData): Promise<ApiResponse<DataType>>;
176
+ accountsServer?: {
177
+ host: string;
178
+ };
292
179
  /**
293
- * Upload an image (uses upload server if configured, otherwise API server)
294
- * @deprecated Platform-specific method - consider moving to platform service
180
+ * @deprecated Use auth.responseMap instead.
181
+ * Auth response field mapping for external auth compatibility.
295
182
  */
296
- uploadImage<DataType>(formData: FormData): Promise<ApiResponse<DataType>>;
297
- static ɵfac: i0.ɵɵFactoryDeclaration<ApiConnectionService, never>;
298
- static ɵprov: i0.ɵɵInjectableDeclaration<ApiConnectionService>;
183
+ authResponseMap?: AuthResponseMap;
299
184
  }
300
185
 
301
- type BuiltInProvider = 'google' | 'linkedin' | 'apple' | 'microsoft' | 'github' | 'zoho' | 'emailPassword';
302
- /**
303
- * Authentication provider identifier.
304
- * Includes all built-in providers plus any custom string identifier.
305
- * The (string & {}) trick preserves autocomplete for built-in values.
306
- */
307
- type AuthProvider = BuiltInProvider | (string & {});
186
+ declare const AUTH_PLUGIN: InjectionToken<AuthPlugin>;
308
187
  interface User {
309
188
  user_id: number;
310
189
  id: string;
@@ -317,296 +196,427 @@ interface AuthResult {
317
196
  success: boolean;
318
197
  message?: string;
319
198
  user?: User;
199
+ /** Set by the plugin on successful auth — AuthService stores it in TokenService */
200
+ accessToken?: string;
201
+ /** Set by the plugin for body mode — AuthService stores it in TokenService */
202
+ refreshToken?: string;
203
+ needsVerification?: boolean;
320
204
  }
321
- declare class AuthService {
322
- private tokens;
323
- private signinStatus;
324
- private environment;
325
- private readonly USER_STORAGE_KEY;
326
- private readonly ACTIVE_AUTH_SERVER_KEY;
327
- private userSubject;
328
- user$: Observable<User | null>;
329
- private activeAuthServer;
330
- constructor(tokens: TokenService, signinStatus: SigninStatusService, environment: MyEnvironmentModel);
331
- /**
332
- * Get the current accounts URL based on configuration
333
- * Supports both single-server (accountsUrl) and multi-server (authServers) modes
334
- * @param serverName - Optional server name for multi-server mode
335
- */
336
- private getAccountsUrl;
205
+ interface TenantMembership {
206
+ tenant_id: string;
207
+ slug: string;
208
+ name: string;
209
+ role: string;
210
+ status: string;
211
+ last_accessed?: string;
212
+ }
213
+ interface RegisterTenantData {
214
+ tenantName: string;
215
+ displayName?: string;
216
+ email?: string;
217
+ password?: string;
218
+ provider: string;
219
+ role?: string;
220
+ countryCode?: string;
221
+ }
222
+ /**
223
+ * Auth plugin interface — implement this to support any auth backend.
224
+ *
225
+ * The library ships StoneScriptPHPAuth as the built-in plugin.
226
+ * For external providers (Firebase, progalaxyelabs-auth, Okta, etc.),
227
+ * create a class implementing this interface and provide it via
228
+ * provideNgxStoneScriptPhpClient(environment, new YourAuthPlugin(...))
229
+ *
230
+ * @example Firebase
231
+ * ```typescript
232
+ * // firebase-auth.auth-plugin.ts (in your app)
233
+ * export class FirebaseAuthPlugin implements AuthPlugin {
234
+ * async login(email, password): Promise<AuthResult> {
235
+ * const cred = await signInWithEmailAndPassword(getAuth(), email, password);
236
+ * return { success: true, accessToken: await cred.user.getIdToken() };
237
+ * }
238
+ * async refresh(): Promise<string | null> {
239
+ * const user = getAuth().currentUser;
240
+ * return user ? await user.getIdToken(true) : null;
241
+ * }
242
+ * // ...
243
+ * }
244
+ * ```
245
+ */
246
+ interface AuthPlugin {
337
247
  /**
338
- * Get the default auth server name
248
+ * Authenticate with email and password.
249
+ * Return accessToken (and optionally refreshToken for body mode) in result.
339
250
  */
340
- private getDefaultAuthServer;
251
+ login(email: string, password: string): Promise<AuthResult>;
341
252
  /**
342
- * Restore active auth server from localStorage
253
+ * Register a new user account.
254
+ * Return accessToken on success.
343
255
  */
344
- private restoreActiveAuthServer;
256
+ register(email: string, password: string, displayName: string): Promise<AuthResult>;
345
257
  /**
346
- * Save active auth server to localStorage
258
+ * Sign out the current user.
259
+ * @param refreshToken - Current refresh token (for body mode revocation)
347
260
  */
348
- private saveActiveAuthServer;
261
+ logout(refreshToken?: string): Promise<void>;
349
262
  /**
350
- * Get available auth servers
351
- * @returns Array of server names or empty array if using single-server mode
263
+ * Check for an existing session on app init (e.g., via httpOnly refresh cookie).
264
+ * Return success + accessToken if session is valid.
352
265
  */
353
- getAvailableAuthServers(): string[];
266
+ checkSession(): Promise<AuthResult>;
354
267
  /**
355
- * Get current active auth server name
356
- * @returns Server name or null if using single-server mode
268
+ * Refresh the access token.
269
+ * @param accessToken - Current access token (for body mode)
270
+ * @param refreshToken - Current refresh token (for body mode)
271
+ * @returns New access token, or null if refresh failed
357
272
  */
358
- getActiveAuthServer(): string | null;
273
+ refresh(accessToken: string, refreshToken?: string): Promise<string | null>;
274
+ /** OAuth popup login (google, github, linkedin, etc.) */
275
+ loginWithProvider?(provider: string): Promise<AuthResult>;
276
+ /** Select a tenant and get a tenant-scoped access token */
277
+ selectTenant?(tenantId: string, accessToken: string): Promise<AuthResult>;
278
+ /** List tenant memberships for the authenticated user */
279
+ getTenantMemberships?(accessToken: string): Promise<TenantMembership[]>;
280
+ /** Register a new tenant (organization) */
281
+ registerTenant?(data: RegisterTenantData, accessToken?: string): Promise<any>;
282
+ /** Check if a tenant slug is available */
283
+ checkTenantSlugAvailable?(slug: string): Promise<{
284
+ available: boolean;
285
+ suggestion?: string;
286
+ }>;
287
+ /** Check onboarding status for a user identity */
288
+ checkOnboardingStatus?(identityId: string, platformCode?: string): Promise<any>;
289
+ /** Complete tenant onboarding (create tenant with country + org name) */
290
+ completeTenantOnboarding?(countryCode: string, tenantName: string, accessToken: string): Promise<any>;
291
+ /** Check if user email exists */
292
+ checkEmail?(email: string): Promise<{
293
+ exists: boolean;
294
+ user?: any;
295
+ }>;
296
+ switchServer?(serverName: string): void;
297
+ getAvailableServers?(): string[];
298
+ getActiveServer?(): string | null;
299
+ getServerConfig?(serverName?: string): any;
300
+ }
301
+
302
+ /**
303
+ * Configure the ngx-stonescriptphp-client library.
304
+ *
305
+ * @param environment - Library configuration (API server, auth settings, etc.)
306
+ * @param plugin - Optional auth plugin override. Defaults to StoneScriptPHPAuth.
307
+ * Provide your own plugin to use Firebase, progalaxyelabs-auth, Okta, or any other auth backend.
308
+ *
309
+ * @example Default (StoneScriptPHP backend)
310
+ * ```typescript
311
+ * // app.config.ts
312
+ * export const appConfig: ApplicationConfig = {
313
+ * providers: [
314
+ * provideNgxStoneScriptPhpClient(environment)
315
+ * ]
316
+ * };
317
+ * ```
318
+ *
319
+ * @example External auth plugin
320
+ * ```typescript
321
+ * import { ProgalaxyElabsAuth } from './progalaxyelabs-auth.auth-plugin';
322
+ *
323
+ * providers: [
324
+ * provideNgxStoneScriptPhpClient(environment, new ProgalaxyElabsAuth({ host: '...' }))
325
+ * ]
326
+ * ```
327
+ *
328
+ * @example Firebase
329
+ * ```typescript
330
+ * import { FirebaseAuthPlugin } from './firebase-auth.auth-plugin';
331
+ *
332
+ * providers: [
333
+ * provideNgxStoneScriptPhpClient(environment, new FirebaseAuthPlugin(firebaseConfig))
334
+ * ]
335
+ * ```
336
+ */
337
+ declare function provideNgxStoneScriptPhpClient(environment: MyEnvironmentModel, plugin?: AuthPlugin): EnvironmentProviders;
338
+
339
+ interface StoneScriptPHPAuthConfig {
340
+ /** Auth server base URL (e.g., 'https://accounts.progalaxyelabs.com') */
341
+ host: string;
342
+ /** Platform code for multi-tenant auth (e.g., 'progalaxy', 'hr') */
343
+ platformCode?: string;
359
344
  /**
360
- * Switch to a different auth server
361
- * @param serverName - Name of the server to switch to
362
- * @throws Error if server not found in configuration
345
+ * Named auth servers for multi-server mode.
346
+ * When set, host is used as fallback if no default server is specified.
363
347
  */
364
- switchAuthServer(serverName: string): void;
348
+ authServers?: Record<string, AuthServerConfig>;
365
349
  /**
366
- * Get auth server configuration
367
- * @param serverName - Optional server name (uses active server if not specified)
350
+ * Response field mapping for external format compatibility.
351
+ * Defaults to StoneScriptPHP format: { status:'ok', data:{ access_token, user } }
368
352
  */
369
- getAuthServerConfig(serverName?: string): AuthServerConfig | null;
353
+ responseMap?: Partial<AuthResponseMap>;
370
354
  /**
371
- * Check if multi-server mode is enabled
355
+ * Auth mode and CSRF configuration.
356
+ * Defaults: mode='cookie', refreshEndpoint='/auth/refresh', useCsrf=true
372
357
  */
373
- isMultiServerMode(): boolean;
358
+ auth?: Pick<AuthConfig, 'mode' | 'refreshEndpoint' | 'useCsrf' | 'csrfTokenCookieName' | 'csrfHeaderName'>;
374
359
  /**
375
- * Get the platform's own API base URL
376
- * Used for routes that go through the platform API proxy (e.g. register-tenant)
377
- * @throws Error if no API URL is configured
360
+ * Platform's own API URL for register-tenant proxy route.
361
+ * Falls back to host if not set.
378
362
  */
363
+ apiUrl?: string;
364
+ }
365
+ /**
366
+ * Built-in auth plugin for StoneScriptPHP backends.
367
+ *
368
+ * Handles StoneScriptPHP's auth format ({ status:'ok', data:{ access_token } })
369
+ * with optional authResponseMap overrides for external backends.
370
+ *
371
+ * Supports:
372
+ * - Cookie mode (httpOnly refresh token + CSRF)
373
+ * - Body mode (tokens in localStorage)
374
+ * - Multi-server auth (named authServers config)
375
+ * - OAuth popup login
376
+ * - Multi-tenant operations
377
+ */
378
+ declare class StoneScriptPHPAuth implements AuthPlugin {
379
+ private config;
380
+ private activeServer;
381
+ constructor(config: StoneScriptPHPAuthConfig);
382
+ private get responseMap();
383
+ private resolvePath;
384
+ private isAuthSuccess;
385
+ private resolveAccessToken;
386
+ private resolveRefreshToken;
387
+ private resolveUser;
388
+ private resolveErrorMessage;
389
+ private normalizeUser;
390
+ private hashUUID;
391
+ private getCsrfToken;
392
+ private getAccountsUrl;
379
393
  private getPlatformApiUrl;
394
+ private getDefaultServer;
395
+ private restoreActiveServer;
396
+ switchServer(serverName: string): void;
397
+ getAvailableServers(): string[];
398
+ getActiveServer(): string | null;
399
+ getServerConfig(serverName?: string): AuthServerConfig | null;
400
+ login(email: string, password: string): Promise<AuthResult>;
401
+ register(email: string, password: string, displayName: string): Promise<AuthResult>;
402
+ logout(refreshToken?: string): Promise<void>;
403
+ checkSession(): Promise<AuthResult>;
404
+ refresh(accessToken: string, refreshToken?: string): Promise<string | null>;
405
+ private refreshCookieMode;
406
+ private refreshBodyMode;
407
+ loginWithProvider(provider: string): Promise<AuthResult>;
408
+ selectTenant(tenantId: string, accessToken: string): Promise<AuthResult>;
409
+ getTenantMemberships(accessToken: string): Promise<TenantMembership[]>;
410
+ registerTenant(data: RegisterTenantData, accessToken?: string): Promise<any>;
411
+ private registerTenantWithOAuth;
412
+ checkTenantSlugAvailable(slug: string): Promise<{
413
+ available: boolean;
414
+ suggestion?: string;
415
+ }>;
416
+ checkOnboardingStatus(identityId: string, platformCode?: string): Promise<any>;
417
+ completeTenantOnboarding(countryCode: string, tenantName: string, accessToken: string): Promise<any>;
418
+ checkEmail(email: string): Promise<{
419
+ exists: boolean;
420
+ user?: any;
421
+ }>;
422
+ }
423
+
424
+ declare class TokenService {
425
+ private accessToken;
426
+ private refreshToken;
427
+ private lsAccessTokenKey;
428
+ private lsRefreshTokenKey;
429
+ constructor();
430
+ setTokens(accessToken: string, refreshToken: string): void;
431
+ setAccessToken(accessToken: string): void;
432
+ setRefreshToken(refreshToken: string): void;
433
+ getAccessToken(): string;
434
+ getRefreshToken(): string;
435
+ clear(): void;
380
436
  /**
381
- * Hash UUID to numeric ID for backward compatibility
382
- * Converts UUID string to a consistent numeric ID for legacy code
437
+ * Check if there is a non-empty access token.
438
+ * Token is treated as opaque validity is determined by the auth server.
383
439
  */
384
- private hashUUID;
440
+ hasValidAccessToken(): boolean;
441
+ static ɵfac: i0.ɵɵFactoryDeclaration<TokenService, never>;
442
+ static ɵprov: i0.ɵɵInjectableDeclaration<TokenService>;
443
+ }
444
+
445
+ /**
446
+ * @deprecated Use boolean directly. Kept for backward compatibility.
447
+ */
448
+ declare enum VerifyStatus {
449
+ initialized = "initialized",
450
+ yes = "yes",
451
+ no = "no"
452
+ }
453
+ declare class SigninStatusService {
454
+ status: BehaviorSubject<boolean | VerifyStatus>;
455
+ constructor();
456
+ signedOut(): void;
457
+ signedIn(): void;
385
458
  /**
386
- * Restore user from localStorage
459
+ * Set signin status
460
+ * @param isSignedIn - True if user is signed in, false otherwise
387
461
  */
462
+ setSigninStatus(isSignedIn: boolean): void;
463
+ static ɵfac: i0.ɵɵFactoryDeclaration<SigninStatusService, never>;
464
+ static ɵprov: i0.ɵɵInjectableDeclaration<SigninStatusService>;
465
+ }
466
+
467
+ declare class ApiResponse<DataType> {
468
+ readonly status: string;
469
+ readonly data: DataType | null;
470
+ readonly message: string;
471
+ get success(): boolean;
472
+ get errors(): string[];
473
+ constructor(status: string, data?: any, message?: string);
474
+ onOk(callback: (data: DataType) => void): ApiResponse<DataType>;
475
+ onNotOk(callback: (message: string, data: DataType) => void): ApiResponse<DataType>;
476
+ onError(callback: () => void): ApiResponse<DataType>;
477
+ isSuccess(): boolean;
478
+ isError(): boolean;
479
+ getData(): DataType | null;
480
+ getError(): string;
481
+ getStatus(): string;
482
+ getMessage(): string;
483
+ }
484
+
485
+ type BuiltInProvider = 'google' | 'linkedin' | 'apple' | 'microsoft' | 'github' | 'zoho' | 'emailPassword';
486
+ /**
487
+ * Authentication provider identifier.
488
+ * Includes all built-in providers plus any custom string identifier.
489
+ * The (string & {}) trick preserves autocomplete for built-in values.
490
+ */
491
+ type AuthProvider = BuiltInProvider | (string & {});
492
+ /**
493
+ * AuthService — manages auth state and delegates all auth operations to the AuthPlugin.
494
+ *
495
+ * This service holds user state (via BehaviorSubject) and tokens (via TokenService).
496
+ * It does not make any HTTP calls directly — all auth logic lives in the plugin.
497
+ *
498
+ * Provide a plugin via provideNgxStoneScriptPhpClient():
499
+ * - Default: StoneScriptPHPAuth (built-in, matches StoneScriptPHP backend)
500
+ * - External: any class implementing AuthPlugin (Firebase, progalaxyelabs-auth, Okta, etc.)
501
+ */
502
+ declare class AuthService {
503
+ private plugin;
504
+ private tokens;
505
+ private signinStatus;
506
+ private readonly USER_STORAGE_KEY;
507
+ private userSubject;
508
+ user$: Observable<User | null>;
509
+ constructor(plugin: AuthPlugin, tokens: TokenService, signinStatus: SigninStatusService);
388
510
  private restoreUser;
389
- /**
390
- * Save user to localStorage
391
- */
392
511
  private saveUser;
393
- /**
394
- * Update user subject and persist to localStorage
395
- */
396
512
  private updateUser;
397
- /**
398
- * Login with email and password
399
- * @param email - User email
400
- * @param password - User password
401
- * @param serverName - Optional: Specify which auth server to use (for multi-server mode)
402
- */
403
- loginWithEmail(email: string, password: string, serverName?: string): Promise<AuthResult>;
404
- /**
405
- * Login with Google OAuth (popup window)
406
- * @param serverName - Optional: Specify which auth server to use (for multi-server mode)
407
- */
513
+ private storeAuthResult;
514
+ loginWithEmail(email: string, password: string): Promise<AuthResult>;
408
515
  loginWithGoogle(serverName?: string): Promise<AuthResult>;
409
- /**
410
- * Login with GitHub OAuth (popup window)
411
- * @param serverName - Optional: Specify which auth server to use (for multi-server mode)
412
- */
413
516
  loginWithGitHub(serverName?: string): Promise<AuthResult>;
414
- /**
415
- * Login with LinkedIn OAuth (popup window)
416
- * @param serverName - Optional: Specify which auth server to use (for multi-server mode)
417
- */
418
517
  loginWithLinkedIn(serverName?: string): Promise<AuthResult>;
419
- /**
420
- * Login with Apple OAuth (popup window)
421
- * @param serverName - Optional: Specify which auth server to use (for multi-server mode)
422
- */
423
518
  loginWithApple(serverName?: string): Promise<AuthResult>;
424
- /**
425
- * Login with Microsoft OAuth (popup window)
426
- * @param serverName - Optional: Specify which auth server to use (for multi-server mode)
427
- */
428
519
  loginWithMicrosoft(serverName?: string): Promise<AuthResult>;
429
- /**
430
- * Login with Zoho OAuth (popup window)
431
- * @param serverName - Optional: Specify which auth server to use (for multi-server mode)
432
- */
433
520
  loginWithZoho(serverName?: string): Promise<AuthResult>;
434
- /**
435
- * Generic provider-based login (supports all OAuth providers)
436
- * @param provider - The provider identifier
437
- * @param serverName - Optional: Specify which auth server to use (for multi-server mode)
438
- */
439
521
  loginWithProvider(provider: AuthProvider, serverName?: string): Promise<AuthResult>;
440
- /**
441
- * Generic OAuth login handler
442
- * Opens popup window and listens for postMessage
443
- * @param provider - OAuth provider name
444
- * @param serverName - Optional: Specify which auth server to use (for multi-server mode)
445
- */
446
- private loginWithOAuth;
447
- /**
448
- * Register new user
449
- * @param email - User email
450
- * @param password - User password
451
- * @param displayName - Display name
452
- * @param serverName - Optional: Specify which auth server to use (for multi-server mode)
453
- */
454
522
  register(email: string, password: string, displayName: string, serverName?: string): Promise<AuthResult>;
455
- /**
456
- * Sign out user
457
- * @param serverName - Optional: Specify which auth server to logout from (for multi-server mode)
458
- */
459
523
  signout(serverName?: string): Promise<void>;
460
- /**
461
- * Check for active session (call on app init)
462
- * @param serverName - Optional: Specify which auth server to check (for multi-server mode)
463
- */
464
524
  checkSession(serverName?: string): Promise<boolean>;
465
525
  /**
466
- * Check if user is authenticated
526
+ * Refresh the access token. Called by ApiConnectionService on 401.
527
+ * @returns true if token was refreshed, false if refresh failed (user is signed out)
467
528
  */
529
+ refresh(): Promise<boolean>;
468
530
  isAuthenticated(): boolean;
469
- /**
470
- * Get current user (synchronous)
471
- */
472
531
  getCurrentUser(): User | null;
473
- /**
474
- * Register a new user AND create a new tenant (organization)
475
- * This is used when a user wants to create their own organization
476
- */
477
532
  registerTenant(data: {
478
533
  tenantName: string;
479
- tenantSlug: string;
480
534
  displayName?: string;
481
535
  email?: string;
482
536
  password?: string;
483
537
  provider: AuthProvider;
484
- }): Promise<{
485
- success: boolean;
486
- message?: string;
487
- tenant?: {
488
- id: string;
489
- name: string;
490
- slug: string;
491
- };
492
- user?: {
493
- id: string;
494
- email: string;
495
- name: string;
496
- };
497
- access_token?: string;
498
- }>;
499
- /**
500
- * Register tenant with OAuth provider
501
- * Opens popup window for OAuth flow
502
- */
503
- private registerTenantWithOAuth;
504
- /**
505
- * Get all tenant memberships for the authenticated user
506
- * @param serverName - Optional: Specify which auth server to query (for multi-server mode)
507
- */
538
+ role?: string;
539
+ countryCode?: string;
540
+ }): Promise<any>;
508
541
  getTenantMemberships(serverName?: string): Promise<{
509
- memberships: Array<{
510
- tenant_id: string;
511
- slug: string;
512
- name: string;
513
- role: string;
514
- status: string;
515
- last_accessed?: string;
516
- }>;
542
+ memberships: TenantMembership[];
517
543
  }>;
518
- /**
519
- * Select a tenant for the current session
520
- * Updates the JWT token with tenant context
521
- * @param tenantId - Tenant ID to select
522
- * @param serverName - Optional: Specify which auth server to use (for multi-server mode)
523
- */
524
544
  selectTenant(tenantId: string, serverName?: string): Promise<{
525
545
  success: boolean;
526
546
  message?: string;
527
547
  access_token?: string;
528
548
  }>;
529
- /**
530
- * Check if a tenant slug is available
531
- * @param slug - Tenant slug to check
532
- * @param serverName - Optional: Specify which auth server to query (for multi-server mode)
533
- */
534
549
  checkTenantSlugAvailable(slug: string, serverName?: string): Promise<{
535
550
  available: boolean;
536
551
  suggestion?: string;
537
552
  }>;
538
- /**
539
- * @deprecated Use getCurrentUser()?.user_id instead
540
- */
553
+ checkOnboardingStatus(identityId: string, serverName?: string): Promise<any>;
554
+ completeTenantOnboarding(countryCode: string, tenantName: string, serverName?: string): Promise<any>;
555
+ getAvailableAuthServers(): string[];
556
+ getActiveAuthServer(): string | null;
557
+ switchAuthServer(serverName: string): void;
558
+ getAuthServerConfig(serverName?: string): any | null;
559
+ isMultiServerMode(): boolean;
560
+ /** @deprecated Use getCurrentUser()?.user_id instead */
541
561
  getUserId(): number;
542
- /**
543
- * @deprecated Use getCurrentUser()?.display_name instead
544
- */
562
+ /** @deprecated Use getCurrentUser()?.display_name instead */
545
563
  getUserName(): string;
546
- /**
547
- * @deprecated Use getCurrentUser()?.photo_url instead
548
- */
564
+ /** @deprecated Use getCurrentUser()?.photo_url instead */
549
565
  getPhotoUrl(): string;
550
- /**
551
- * @deprecated Use getCurrentUser()?.display_name instead
552
- */
566
+ /** @deprecated Use getCurrentUser()?.display_name instead */
553
567
  getDisplayName(): string;
554
- /**
555
- * @deprecated Use `/profile/${getCurrentUser()?.user_id}` instead
556
- */
568
+ /** @deprecated Use `/profile/${getCurrentUser()?.user_id}` instead */
557
569
  getProfileUrl(): string;
558
- /**
559
- * @deprecated Use isAuthenticated() instead
560
- */
570
+ /** @deprecated Use isAuthenticated() instead */
561
571
  signin(): Promise<boolean>;
562
- /**
563
- * @deprecated Use loginWithEmail() instead
564
- */
572
+ /** @deprecated Use loginWithEmail() instead */
565
573
  verifyCredentials(email: string, password: string): Promise<boolean>;
566
- /**
567
- * @deprecated Check user.is_email_verified from getCurrentUser() instead
568
- */
574
+ /** @deprecated Check user.is_email_verified from getCurrentUser() instead */
569
575
  isSigninEmailValid(): boolean;
570
- /**
571
- * @deprecated No longer needed - dialog is managed by platform
572
- */
576
+ /** @deprecated No longer needed */
573
577
  onDialogClose(): void;
574
- /**
575
- * @deprecated No longer needed - dialog is managed by platform
576
- */
578
+ /** @deprecated No longer needed */
577
579
  closeSocialAuthDialog(): void;
580
+ /** @deprecated Use checkEmail() from the plugin directly */
581
+ getUserProfile(email: string, serverName?: string): Promise<User | null>;
582
+ static ɵfac: i0.ɵɵFactoryDeclaration<AuthService, never>;
583
+ static ɵprov: i0.ɵɵInjectableDeclaration<AuthService>;
584
+ }
585
+
586
+ declare class ApiConnectionService {
587
+ private tokens;
588
+ private signinStatus;
589
+ private environment;
590
+ private authService;
591
+ private host;
592
+ constructor(tokens: TokenService, signinStatus: SigninStatusService, environment: MyEnvironmentModel, authService: AuthService);
593
+ private request;
594
+ private handleError;
595
+ get<DataType>(endpoint: string, queryParamsObj?: any): Promise<ApiResponse<DataType>>;
596
+ post<DataType>(pathWithQueryParams: string, data: any): Promise<ApiResponse<DataType>>;
597
+ put<DataType>(pathWithQueryParams: string, data: any): Promise<ApiResponse<DataType>>;
598
+ patch<DataType>(pathWithQueryParams: string, data: any): Promise<ApiResponse<DataType>>;
599
+ delete<DataType>(endpoint: string, queryParamsObj?: any): Promise<ApiResponse<DataType>>;
600
+ private includeAccessToken;
601
+ private refreshAndRetry;
578
602
  /**
579
- * @deprecated Check if user exists by calling /api/auth/check-email endpoint
603
+ * Refresh the access token (delegates to AuthService AuthPlugin).
604
+ * Kept public for backward compatibility.
580
605
  */
581
- getUserProfile(email: string, serverName?: string): Promise<User | null>;
606
+ refreshAccessToken(): Promise<boolean>;
607
+ buildQueryString(options?: any): string;
582
608
  /**
583
- * Check if user has completed onboarding (has a tenant)
584
- * @param identityId - User identity ID
585
- * @param serverName - Optional: Specify which auth server to query (for multi-server mode)
609
+ * Upload a drawing (uses upload server if configured, otherwise API server)
610
+ * @deprecated Platform-specific method - consider moving to platform service
586
611
  */
587
- checkOnboardingStatus(identityId: string, serverName?: string): Promise<{
588
- onboarded: boolean;
589
- tenant_slug?: string;
590
- tenant_name?: string;
591
- role?: string;
592
- }>;
612
+ uploadDrawing<DataType>(formData: FormData): Promise<ApiResponse<DataType>>;
593
613
  /**
594
- * Complete tenant onboarding (create tenant with country + org name)
595
- * @param countryCode - Country code
596
- * @param tenantName - Tenant organization name
597
- * @param serverName - Optional: Specify which auth server to use (for multi-server mode)
614
+ * Upload an image (uses upload server if configured, otherwise API server)
615
+ * @deprecated Platform-specific method - consider moving to platform service
598
616
  */
599
- completeTenantOnboarding(countryCode: string, tenantName: string, serverName?: string): Promise<{
600
- tenant: {
601
- id: string;
602
- slug: string;
603
- name: string;
604
- };
605
- access_token: string;
606
- refresh_token: string;
607
- }>;
608
- static ɵfac: i0.ɵɵFactoryDeclaration<AuthService, never>;
609
- static ɵprov: i0.ɵɵInjectableDeclaration<AuthService>;
617
+ uploadImage<DataType>(formData: FormData): Promise<ApiResponse<DataType>>;
618
+ static ɵfac: i0.ɵɵFactoryDeclaration<ApiConnectionService, never>;
619
+ static ɵprov: i0.ɵɵInjectableDeclaration<ApiConnectionService>;
610
620
  }
611
621
 
612
622
  declare class DbService {
@@ -615,6 +625,30 @@ declare class DbService {
615
625
  static ɵprov: i0.ɵɵInjectableDeclaration<DbService>;
616
626
  }
617
627
 
628
+ /**
629
+ * CSRF Token Service
630
+ *
631
+ * Manages CSRF tokens for cookie-based authentication.
632
+ * Reads CSRF token from cookies and provides it for request headers.
633
+ */
634
+ declare class CsrfService {
635
+ /**
636
+ * Get CSRF token from cookie
637
+ */
638
+ getCsrfToken(cookieName?: string): string | null;
639
+ /**
640
+ * Check if CSRF token exists
641
+ */
642
+ hasCsrfToken(cookieName?: string): boolean;
643
+ /**
644
+ * Clear CSRF token (for logout)
645
+ * Note: Client-side deletion is limited for httpOnly cookies
646
+ */
647
+ clearCsrfToken(cookieName?: string): void;
648
+ static ɵfac: i0.ɵɵFactoryDeclaration<CsrfService, never>;
649
+ static ɵprov: i0.ɵɵInjectableDeclaration<CsrfService>;
650
+ }
651
+
618
652
  /**
619
653
  * Result of a file upload operation
620
654
  */
@@ -797,21 +831,6 @@ declare class ProviderRegistryService {
797
831
  static ɵprov: i0.ɵɵInjectableDeclaration<ProviderRegistryService>;
798
832
  }
799
833
 
800
- declare class NgxStoneScriptPhpClientModule {
801
- static forRoot(environment: MyEnvironmentModel): ModuleWithProviders<NgxStoneScriptPhpClientModule>;
802
- static ɵfac: i0.ɵɵFactoryDeclaration<NgxStoneScriptPhpClientModule, never>;
803
- static ɵmod: i0.ɵɵNgModuleDeclaration<NgxStoneScriptPhpClientModule, never, [typeof i1.CommonModule], never>;
804
- static ɵinj: i0.ɵɵInjectorDeclaration<NgxStoneScriptPhpClientModule>;
805
- }
806
-
807
- interface TenantMembership {
808
- tenant_id: string;
809
- slug: string;
810
- name: string;
811
- role: string;
812
- status: string;
813
- last_accessed?: string;
814
- }
815
834
  interface TenantSelectedEvent {
816
835
  tenantId: string;
817
836
  tenantSlug: string;
@@ -1086,5 +1105,5 @@ declare class TenantRegisterDialogComponent {
1086
1105
  static ɵcmp: i0.ɵɵComponentDeclaration<TenantRegisterDialogComponent, "lib-tenant-register-dialog", never, {}, {}, never, never, true, never>;
1087
1106
  }
1088
1107
 
1089
- export { ApiConnectionService, ApiResponse, AuthPageComponent, AuthService, CsrfService, DbService, FilesService, LoginDialogComponent, MyEnvironmentModel, NgxStoneScriptPhpClientModule, ProviderRegistryService, RegisterComponent, SigninStatusService, TenantLoginComponent, TenantLoginDialogComponent, TenantRegisterComponent, TenantRegisterDialogComponent, TokenService, VerifyStatus };
1090
- export type { AuthConfig, AuthMode, AuthProvider, AuthResult, AuthServerConfig, BuiltInProvider, FileDeleteResponse, FileListResponse, FileMetadata, FileUploadResponse, FileUploadResult, OAuthProviderConfig, TenantCreatedEvent, TenantMembership, TenantSelectedEvent, User };
1108
+ export { AUTH_PLUGIN, ApiConnectionService, ApiResponse, AuthPageComponent, AuthService, CsrfService, DbService, FilesService, LoginDialogComponent, MyEnvironmentModel, ProviderRegistryService, RegisterComponent, SigninStatusService, StoneScriptPHPAuth, TenantLoginComponent, TenantLoginDialogComponent, TenantRegisterComponent, TenantRegisterDialogComponent, TokenService, VerifyStatus, provideNgxStoneScriptPhpClient };
1109
+ export type { AuthConfig, AuthMode, AuthPlugin, AuthProvider, AuthResponseMap, AuthResult, AuthServerConfig, BuiltInProvider, FileDeleteResponse, FileListResponse, FileMetadata, FileUploadResponse, FileUploadResult, OAuthProviderConfig, RegisterTenantData, StoneScriptPHPAuthConfig, TenantCreatedEvent, TenantMembership, TenantSelectedEvent, User };