npm - @progalaxyelabs/ngx-stonescriptphp-client - Versions diffs - 1.11.1 → 1.12.0 - Mend

@progalaxyelabs/ngx-stonescriptphp-client 1.11.1 → 1.12.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (4) hide show

package/fesm2022/progalaxyelabs-ngx-stonescriptphp-client.mjs +1068 -1406
package/fesm2022/progalaxyelabs-ngx-stonescriptphp-client.mjs.map +1 -1
package/index.d.ts +421 -459
package/package.json +1 -1

package/index.d.ts CHANGED Viewed

@@ -1,68 +1,6 @@
 import * as i0 from '@angular/core';
-import { ModuleWithProviders, OnInit, EventEmitter } from '@angular/core';
+import { InjectionToken, EnvironmentProviders, OnInit, EventEmitter } from '@angular/core';
 import { BehaviorSubject, Observable } from 'rxjs';
-import * as i1 from '@angular/common';
-declare class TokenService {
-    private accessToken;
-    private refreshToken;
-    private lsAccessTokenKey;
-    private lsRefreshTokenKey;
-    constructor();
-    setTokens(accessToken: string, refreshToken: string): void;
-    setAccessToken(accessToken: string): void;
-    setRefreshToken(refreshToken: string): void;
-    getAccessToken(): string;
-    getRefreshToken(): string;
-    clear(): void;
-    /**
-     * Check if there is a non-empty access token.
-     * Token is treated as opaque — validity is determined by the auth server.
-     */
-    hasValidAccessToken(): boolean;
-    static ɵfac: i0.ɵɵFactoryDeclaration<TokenService, never>;
-    static ɵprov: i0.ɵɵInjectableDeclaration<TokenService>;
-}
-/**
- * @deprecated Use boolean directly. Kept for backward compatibility.
- */
-declare enum VerifyStatus {
-    initialized = "initialized",
-    yes = "yes",
-    no = "no"
-}
-declare class SigninStatusService {
-    status: BehaviorSubject<boolean | VerifyStatus>;
-    constructor();
-    signedOut(): void;
-    signedIn(): void;
-    /**
-     * Set signin status
-     * @param isSignedIn - True if user is signed in, false otherwise
-     */
-    setSigninStatus(isSignedIn: boolean): void;
-    static ɵfac: i0.ɵɵFactoryDeclaration<SigninStatusService, never>;
-    static ɵprov: i0.ɵɵInjectableDeclaration<SigninStatusService>;
-}
-declare class ApiResponse<DataType> {
-    readonly status: string;
-    readonly data: DataType | null;
-    readonly message: string;
-    get success(): boolean;
-    get errors(): string[];
-    constructor(status: string, data?: any, message?: string);
-    onOk(callback: (data: DataType) => void): ApiResponse<DataType>;
-    onNotOk(callback: (message: string, data: DataType) => void): ApiResponse<DataType>;
-    onError(callback: () => void): ApiResponse<DataType>;
-    isSuccess(): boolean;
-    isError(): boolean;
-    getData(): DataType | null;
-    getError(): string;
-    getStatus(): string;
-    getMessage(): string;
-}
 type AuthMode = 'cookie' | 'body' | 'none';
 interface AuthConfig {
@@ -74,33 +12,46 @@ interface AuthConfig {
      */
     mode: AuthMode;
     /**
-     * Token refresh endpoint path
+     * Auth server host for token refresh and all auth operations.
+     * Use this when auth is on a different server than the API.
+     * Replaces the deprecated accountsUrl and accountsServer fields.
+     * @example 'https://accounts.progalaxyelabs.com'
+     */
+    host?: string;
+    /**
+     * Token refresh endpoint path.
      * @default '/auth/refresh' for cookie mode, '/user/refresh_access' for body mode
      */
     refreshEndpoint?: string;
     /**
-     * Enable CSRF token support (required for cookie mode)
+     * Enable CSRF token support (required for cookie mode).
      * @default true for cookie mode, false for body mode
      */
     useCsrf?: boolean;
     /**
-     * Cookie name for refresh token
+     * Cookie name for refresh token.
      * @default 'refresh_token'
      */
     refreshTokenCookieName?: string;
     /**
-     * Cookie name for CSRF token
+     * Cookie name for CSRF token.
      * @default 'csrf_token'
      */
     csrfTokenCookieName?: string;
     /**
-     * CSRF header name
+     * CSRF header name.
      * @default 'X-CSRF-Token'
      */
     csrfHeaderName?: string;
+    /**
+     * Response field mapping for external auth compatibility.
+     * Defaults to StoneScriptPHP format: { status:'ok', data:{ access_token, user } }
+     * Replaces the deprecated top-level authResponseMap field.
+     */
+    responseMap?: Partial<AuthResponseMap>;
 }
 /**
- * Authentication server configuration
+ * Authentication server configuration (for multi-server mode via StoneScriptPHPAuth).
  */
 interface AuthServerConfig {
     /** Server URL (e.g., 'https://accounts.progalaxyelabs.com') */
@@ -112,8 +63,6 @@ interface AuthServerConfig {
 }
 /**
  * Configuration for a custom OAuth provider.
- * Used to register custom providers via the ProviderRegistryService
- * or through the environment's customProviders field.
  */
 interface OAuthProviderConfig {
     /** Display label for the provider (e.g., "Okta") */
@@ -131,7 +80,6 @@ interface OAuthProviderConfig {
 }
 /**
  * Maps auth service response fields to expected locations.
- * Different auth backends return tokens/user info in different structures.
  * Paths use dot-notation (e.g., 'data.access_token' for nested fields).
  *
  * StoneScriptPHP format:  { status: 'ok', data: { access_token, user, ... } }
@@ -157,195 +105,85 @@ interface AuthResponseMap {
 declare class MyEnvironmentModel {
     production: boolean;
     /**
-     * Platform code identifier (e.g., 'progalaxy', 'hr', 'admin')
-     * Used for multi-tenant authentication
+     * Platform code identifier (e.g., 'progalaxy', 'hr', 'admin').
+     * Used for multi-tenant authentication.
      */
     platformCode: string;
     /**
-     * Accounts platform URL for centralized authentication (single-server mode)
-     * @example 'https://accounts.progalaxyelabs.com'
-     * @deprecated Use authServers for multi-server support
-     */
-    accountsUrl: string;
-    /**
-     * Multiple authentication servers configuration
-     * Enables platforms to authenticate against different identity providers
-     * @example
-     * ```typescript
-     * authServers: {
-     *   customer: { url: 'https://auth.progalaxyelabs.com', default: true },
-     *   employee: { url: 'https://admin-auth.progalaxyelabs.com' }
-     * }
-     * ```
-     */
-    authServers?: Record<string, AuthServerConfig>;
-    firebase: {
-        projectId: string;
-        appId: string;
-        databaseURL: string;
-        storageBucket: string;
-        locationId: string;
-        apiKey: string;
-        authDomain: string;
-        messagingSenderId: string;
-        measurementId: string;
-    };
-    /**
-     * Platform's own API base URL (e.g., '//api.medstoreapp.in')
-     * Used to route registration through the platform API proxy instead of auth directly
+     * Platform's own API base URL.
+     * Used for routes that go through the platform API proxy (e.g. register-tenant).
+     * Falls back to apiServer.host if not set.
      * @example '//api.medstoreapp.in'
      */
     apiUrl?: string;
     apiServer: {
         host: string;
     };
-    chatServer: {
-        host: string;
-    };
     /**
-     * Accounts/Authentication service server configuration
-     * Use this when auth is on a different server than the API
-     * Replaces the deprecated accountsUrl string with structured config
-     * @example { host: 'https://accounts.progalaxyelabs.com' }
-     */
-    accountsServer?: {
-        host: string;
-    };
-    /**
-     * Files service server configuration
-     * Used by FilesService for file upload/download operations
+     * Files service server configuration.
+     * Used by FilesService for file upload/download operations.
      * @example { host: 'https://files.progalaxyelabs.com/api/' }
      */
     filesServer?: {
         host: string;
     };
     /**
-     * Authentication configuration
+     * Authentication configuration.
      * @default { mode: 'cookie', refreshEndpoint: '/auth/refresh', useCsrf: true }
      */
     auth?: AuthConfig;
     /**
-     * Custom OAuth provider configurations.
-     * Register additional OAuth providers beyond the built-in ones
-     * (google, linkedin, apple, microsoft, github, zoho).
+     * Multiple authentication servers configuration (for StoneScriptPHPAuth multi-server mode).
      * @example
      * ```typescript
-     * customProviders: {
-     *   okta: { label: 'Sign in with Okta', cssClass: 'btn-okta', buttonStyle: { borderColor: '#007dc1' } },
-     *   keycloak: { label: 'Sign in with Keycloak', icon: '🔑' }
+     * authServers: {
+     *   customer: { url: 'https://auth.progalaxyelabs.com', default: true },
+     *   employee: { url: 'https://admin-auth.progalaxyelabs.com' }
      * }
      * ```
      */
-    customProviders?: Record<string, OAuthProviderConfig>;
+    authServers?: Record<string, AuthServerConfig>;
     /**
-     * Auth response field mapping.
-     * Defaults to StoneScriptPHP format: { status: 'ok', data: { access_token, user, ... } }
-     *
-     * For external auth servers that return flat responses like
-     * { access_token, identity, ... }, override with:
+     * Custom OAuth provider configurations.
+     * @example
      * ```typescript
-     * authResponseMap: {
-     *   accessTokenPath: 'access_token',
-     *   refreshTokenPath: 'refresh_token',
-     *   userPath: 'identity',
-     *   errorMessagePath: 'message'
+     * customProviders: {
+     *   okta: { label: 'Sign in with Okta', cssClass: 'btn-okta', buttonStyle: { borderColor: '#007dc1' } }
      * }
      * ```
      */
-    authResponseMap?: AuthResponseMap;
+    customProviders?: Record<string, OAuthProviderConfig>;
     /**
-     * Branding configuration for auth components
-     * Allows platforms to customize login/register pages without creating wrappers
+     * Branding configuration for auth UI components.
      */
     branding?: {
-        /** Application name displayed on auth pages */
         appName: string;
-        /** URL to logo image */
         logo?: string;
-        /** Primary brand color (hex) */
         primaryColor?: string;
-        /** Gradient start color (hex) */
         gradientStart?: string;
-        /** Gradient end color (hex) */
         gradientEnd?: string;
-        /** Subtitle text displayed on auth pages */
         subtitle?: string;
     };
-}
-/**
- * CSRF Token Service
- *
- * Manages CSRF tokens for cookie-based authentication.
- * Reads CSRF token from cookies and provides it for request headers.
- */
-declare class CsrfService {
     /**
-     * Get CSRF token from cookie
+     * @deprecated Use auth.host instead.
+     * Auth server URL for centralized authentication.
      */
-    getCsrfToken(cookieName?: string): string | null;
-    /**
-     * Check if CSRF token exists
-     */
-    hasCsrfToken(cookieName?: string): boolean;
-    /**
-     * Clear CSRF token (for logout)
-     * Note: Client-side deletion is limited for httpOnly cookies
-     */
-    clearCsrfToken(cookieName?: string): void;
-    static ɵfac: i0.ɵɵFactoryDeclaration<CsrfService, never>;
-    static ɵprov: i0.ɵɵInjectableDeclaration<CsrfService>;
-}
-declare class ApiConnectionService {
-    private tokens;
-    private signinStatus;
-    private environment;
-    private csrf;
-    private host;
-    private accessToken;
-    private authConfig;
-    constructor(tokens: TokenService, signinStatus: SigninStatusService, environment: MyEnvironmentModel, csrf: CsrfService);
-    private request;
-    private handleError;
-    get<DataType>(endpoint: string, queryParamsObj?: any): Promise<ApiResponse<DataType>>;
-    post<DataType>(pathWithQueryParams: string, data: any): Promise<ApiResponse<DataType>>;
-    put<DataType>(pathWithQueryParams: string, data: any): Promise<ApiResponse<DataType>>;
-    patch<DataType>(pathWithQueryParams: string, data: any): Promise<ApiResponse<DataType>>;
-    delete<DataType>(endpoint: string, queryParamsObj?: any): Promise<ApiResponse<DataType>>;
-    private includeAccessToken;
-    private refreshAccessTokenAndRetry;
-    refreshAccessToken(): Promise<boolean>;
-    /**
-     * Refresh access token using cookie-based auth (StoneScriptPHP v2.1.x default)
-     */
-    private refreshAccessTokenCookieMode;
-    /**
-     * Refresh access token using body-based auth (legacy mode)
-     */
-    private refreshAccessTokenBodyMode;
-    buildQueryString(options?: any): string;
+    accountsUrl: string;
     /**
-     * Upload a drawing (uses upload server if configured, otherwise API server)
-     * @deprecated Platform-specific method - consider moving to platform service
+     * @deprecated Use auth.host instead.
+     * Accounts/Authentication service server configuration.
      */
-    uploadDrawing<DataType>(formData: FormData): Promise<ApiResponse<DataType>>;
+    accountsServer?: {
+        host: string;
+    };
     /**
-     * Upload an image (uses upload server if configured, otherwise API server)
-     * @deprecated Platform-specific method - consider moving to platform service
+     * @deprecated Use auth.responseMap instead.
+     * Auth response field mapping for external auth compatibility.
      */
-    uploadImage<DataType>(formData: FormData): Promise<ApiResponse<DataType>>;
-    static ɵfac: i0.ɵɵFactoryDeclaration<ApiConnectionService, never>;
-    static ɵprov: i0.ɵɵInjectableDeclaration<ApiConnectionService>;
+    authResponseMap?: AuthResponseMap;
 }
-type BuiltInProvider = 'google' | 'linkedin' | 'apple' | 'microsoft' | 'github' | 'zoho' | 'emailPassword';
-/**
- * Authentication provider identifier.
- * Includes all built-in providers plus any custom string identifier.
- * The (string & {}) trick preserves autocomplete for built-in values.
- */
-type AuthProvider = BuiltInProvider | (string & {});
+declare const AUTH_PLUGIN: InjectionToken<AuthPlugin>;
 interface User {
     user_id: number;
     id: string;
@@ -358,312 +196,427 @@ interface AuthResult {
     success: boolean;
     message?: string;
     user?: User;
+    /** Set by the plugin on successful auth — AuthService stores it in TokenService */
+    accessToken?: string;
+    /** Set by the plugin for body mode — AuthService stores it in TokenService */
+    refreshToken?: string;
+    needsVerification?: boolean;
 }
-declare class AuthService {
-    private tokens;
-    private signinStatus;
-    private environment;
-    private readonly USER_STORAGE_KEY;
-    private readonly ACTIVE_AUTH_SERVER_KEY;
-    private userSubject;
-    user$: Observable<User | null>;
-    private activeAuthServer;
-    constructor(tokens: TokenService, signinStatus: SigninStatusService, environment: MyEnvironmentModel);
-    /**
-     * Get the current accounts URL based on configuration
-     * Supports both single-server (accountsUrl) and multi-server (authServers) modes
-     * @param serverName - Optional server name for multi-server mode
-     */
-    private getAccountsUrl;
+interface TenantMembership {
+    tenant_id: string;
+    slug: string;
+    name: string;
+    role: string;
+    status: string;
+    last_accessed?: string;
+}
+interface RegisterTenantData {
+    tenantName: string;
+    displayName?: string;
+    email?: string;
+    password?: string;
+    provider: string;
+    role?: string;
+    countryCode?: string;
+}
+/**
+ * Auth plugin interface — implement this to support any auth backend.
+ *
+ * The library ships StoneScriptPHPAuth as the built-in plugin.
+ * For external providers (Firebase, progalaxyelabs-auth, Okta, etc.),
+ * create a class implementing this interface and provide it via
+ * provideNgxStoneScriptPhpClient(environment, new YourAuthPlugin(...))
+ *
+ * @example Firebase
+ * ```typescript
+ * // firebase-auth.auth-plugin.ts (in your app)
+ * export class FirebaseAuthPlugin implements AuthPlugin {
+ *   async login(email, password): Promise<AuthResult> {
+ *     const cred = await signInWithEmailAndPassword(getAuth(), email, password);
+ *     return { success: true, accessToken: await cred.user.getIdToken() };
+ *   }
+ *   async refresh(): Promise<string | null> {
+ *     const user = getAuth().currentUser;
+ *     return user ? await user.getIdToken(true) : null;
+ *   }
+ *   // ...
+ * }
+ * ```
+ */
+interface AuthPlugin {
     /**
-     * Get the default auth server name
+     * Authenticate with email and password.
+     * Return accessToken (and optionally refreshToken for body mode) in result.
      */
-    private getDefaultAuthServer;
+    login(email: string, password: string): Promise<AuthResult>;
     /**
-     * Restore active auth server from localStorage
+     * Register a new user account.
+     * Return accessToken on success.
      */
-    private restoreActiveAuthServer;
+    register(email: string, password: string, displayName: string): Promise<AuthResult>;
     /**
-     * Save active auth server to localStorage
+     * Sign out the current user.
+     * @param refreshToken - Current refresh token (for body mode revocation)
      */
-    private saveActiveAuthServer;
+    logout(refreshToken?: string): Promise<void>;
     /**
-     * Get available auth servers
-     * @returns Array of server names or empty array if using single-server mode
+     * Check for an existing session on app init (e.g., via httpOnly refresh cookie).
+     * Return success + accessToken if session is valid.
      */
-    getAvailableAuthServers(): string[];
+    checkSession(): Promise<AuthResult>;
     /**
-     * Get current active auth server name
-     * @returns Server name or null if using single-server mode
+     * Refresh the access token.
+     * @param accessToken - Current access token (for body mode)
+     * @param refreshToken - Current refresh token (for body mode)
+     * @returns New access token, or null if refresh failed
      */
-    getActiveAuthServer(): string | null;
+    refresh(accessToken: string, refreshToken?: string): Promise<string | null>;
+    /** OAuth popup login (google, github, linkedin, etc.) */
+    loginWithProvider?(provider: string): Promise<AuthResult>;
+    /** Select a tenant and get a tenant-scoped access token */
+    selectTenant?(tenantId: string, accessToken: string): Promise<AuthResult>;
+    /** List tenant memberships for the authenticated user */
+    getTenantMemberships?(accessToken: string): Promise<TenantMembership[]>;
+    /** Register a new tenant (organization) */
+    registerTenant?(data: RegisterTenantData, accessToken?: string): Promise<any>;
+    /** Check if a tenant slug is available */
+    checkTenantSlugAvailable?(slug: string): Promise<{
+        available: boolean;
+        suggestion?: string;
+    }>;
+    /** Check onboarding status for a user identity */
+    checkOnboardingStatus?(identityId: string, platformCode?: string): Promise<any>;
+    /** Complete tenant onboarding (create tenant with country + org name) */
+    completeTenantOnboarding?(countryCode: string, tenantName: string, accessToken: string): Promise<any>;
+    /** Check if user email exists */
+    checkEmail?(email: string): Promise<{
+        exists: boolean;
+        user?: any;
+    }>;
+    switchServer?(serverName: string): void;
+    getAvailableServers?(): string[];
+    getActiveServer?(): string | null;
+    getServerConfig?(serverName?: string): any;
+}
+/**
+ * Configure the ngx-stonescriptphp-client library.
+ *
+ * @param environment - Library configuration (API server, auth settings, etc.)
+ * @param plugin - Optional auth plugin override. Defaults to StoneScriptPHPAuth.
+ *   Provide your own plugin to use Firebase, progalaxyelabs-auth, Okta, or any other auth backend.
+ *
+ * @example Default (StoneScriptPHP backend)
+ * ```typescript
+ * // app.config.ts
+ * export const appConfig: ApplicationConfig = {
+ *   providers: [
+ *     provideNgxStoneScriptPhpClient(environment)
+ *   ]
+ * };
+ * ```
+ *
+ * @example External auth plugin
+ * ```typescript
+ * import { ProgalaxyElabsAuth } from './progalaxyelabs-auth.auth-plugin';
+ *
+ * providers: [
+ *   provideNgxStoneScriptPhpClient(environment, new ProgalaxyElabsAuth({ host: '...' }))
+ * ]
+ * ```
+ *
+ * @example Firebase
+ * ```typescript
+ * import { FirebaseAuthPlugin } from './firebase-auth.auth-plugin';
+ *
+ * providers: [
+ *   provideNgxStoneScriptPhpClient(environment, new FirebaseAuthPlugin(firebaseConfig))
+ * ]
+ * ```
+ */
+declare function provideNgxStoneScriptPhpClient(environment: MyEnvironmentModel, plugin?: AuthPlugin): EnvironmentProviders;
+interface StoneScriptPHPAuthConfig {
+    /** Auth server base URL (e.g., 'https://accounts.progalaxyelabs.com') */
+    host: string;
+    /** Platform code for multi-tenant auth (e.g., 'progalaxy', 'hr') */
+    platformCode?: string;
     /**
-     * Switch to a different auth server
-     * @param serverName - Name of the server to switch to
-     * @throws Error if server not found in configuration
+     * Named auth servers for multi-server mode.
+     * When set, host is used as fallback if no default server is specified.
      */
-    switchAuthServer(serverName: string): void;
+    authServers?: Record<string, AuthServerConfig>;
     /**
-     * Get auth server configuration
-     * @param serverName - Optional server name (uses active server if not specified)
+     * Response field mapping for external format compatibility.
+     * Defaults to StoneScriptPHP format: { status:'ok', data:{ access_token, user } }
      */
-    getAuthServerConfig(serverName?: string): AuthServerConfig | null;
+    responseMap?: Partial<AuthResponseMap>;
     /**
-     * Check if multi-server mode is enabled
+     * Auth mode and CSRF configuration.
+     * Defaults: mode='cookie', refreshEndpoint='/auth/refresh', useCsrf=true
      */
-    isMultiServerMode(): boolean;
+    auth?: Pick<AuthConfig, 'mode' | 'refreshEndpoint' | 'useCsrf' | 'csrfTokenCookieName' | 'csrfHeaderName'>;
     /**
-     * Get the platform's own API base URL
-     * Used for routes that go through the platform API proxy (e.g. register-tenant)
-     * @throws Error if no API URL is configured
+     * Platform's own API URL for register-tenant proxy route.
+     * Falls back to host if not set.
      */
-    private getPlatformApiUrl;
-    /** Default response map: StoneScriptPHP format */
+    apiUrl?: string;
+}
+/**
+ * Built-in auth plugin for StoneScriptPHP backends.
+ *
+ * Handles StoneScriptPHP's auth format ({ status:'ok', data:{ access_token } })
+ * with optional authResponseMap overrides for external backends.
+ *
+ * Supports:
+ * - Cookie mode (httpOnly refresh token + CSRF)
+ * - Body mode (tokens in localStorage)
+ * - Multi-server auth (named authServers config)
+ * - OAuth popup login
+ * - Multi-tenant operations
+ */
+declare class StoneScriptPHPAuth implements AuthPlugin {
+    private config;
+    private activeServer;
+    constructor(config: StoneScriptPHPAuthConfig);
     private get responseMap();
-    /** Resolve a dot-notation path on an object (e.g., 'data.access_token') */
     private resolvePath;
-    /** Check if an auth response indicates success */
     private isAuthSuccess;
-    /** Extract access token from auth response */
-    private getAccessToken;
-    /** Extract refresh token from auth response */
-    private getRefreshToken;
-    /** Extract user/identity object from auth response */
-    private getUserFromResponse;
-    /** Extract error message from auth response */
-    private getErrorMessage;
-    /** Normalize a user/identity object into the standard User shape */
+    private resolveAccessToken;
+    private resolveRefreshToken;
+    private resolveUser;
+    private resolveErrorMessage;
     private normalizeUser;
-    /**
-     * Hash UUID to numeric ID for backward compatibility
-     * Converts UUID string to a consistent numeric ID for legacy code
-     */
     private hashUUID;
+    private getCsrfToken;
+    private getAccountsUrl;
+    private getPlatformApiUrl;
+    private getDefaultServer;
+    private restoreActiveServer;
+    switchServer(serverName: string): void;
+    getAvailableServers(): string[];
+    getActiveServer(): string | null;
+    getServerConfig(serverName?: string): AuthServerConfig | null;
+    login(email: string, password: string): Promise<AuthResult>;
+    register(email: string, password: string, displayName: string): Promise<AuthResult>;
+    logout(refreshToken?: string): Promise<void>;
+    checkSession(): Promise<AuthResult>;
+    refresh(accessToken: string, refreshToken?: string): Promise<string | null>;
+    private refreshCookieMode;
+    private refreshBodyMode;
+    loginWithProvider(provider: string): Promise<AuthResult>;
+    selectTenant(tenantId: string, accessToken: string): Promise<AuthResult>;
+    getTenantMemberships(accessToken: string): Promise<TenantMembership[]>;
+    registerTenant(data: RegisterTenantData, accessToken?: string): Promise<any>;
+    private registerTenantWithOAuth;
+    checkTenantSlugAvailable(slug: string): Promise<{
+        available: boolean;
+        suggestion?: string;
+    }>;
+    checkOnboardingStatus(identityId: string, platformCode?: string): Promise<any>;
+    completeTenantOnboarding(countryCode: string, tenantName: string, accessToken: string): Promise<any>;
+    checkEmail(email: string): Promise<{
+        exists: boolean;
+        user?: any;
+    }>;
+}
+declare class TokenService {
+    private accessToken;
+    private refreshToken;
+    private lsAccessTokenKey;
+    private lsRefreshTokenKey;
+    constructor();
+    setTokens(accessToken: string, refreshToken: string): void;
+    setAccessToken(accessToken: string): void;
+    setRefreshToken(refreshToken: string): void;
+    getAccessToken(): string;
+    getRefreshToken(): string;
+    clear(): void;
     /**
-     * Restore user from localStorage
+     * Check if there is a non-empty access token.
+     * Token is treated as opaque — validity is determined by the auth server.
      */
-    private restoreUser;
+    hasValidAccessToken(): boolean;
+    static ɵfac: i0.ɵɵFactoryDeclaration<TokenService, never>;
+    static ɵprov: i0.ɵɵInjectableDeclaration<TokenService>;
+}
+/**
+ * @deprecated Use boolean directly. Kept for backward compatibility.
+ */
+declare enum VerifyStatus {
+    initialized = "initialized",
+    yes = "yes",
+    no = "no"
+}
+declare class SigninStatusService {
+    status: BehaviorSubject<boolean | VerifyStatus>;
+    constructor();
+    signedOut(): void;
+    signedIn(): void;
     /**
-     * Save user to localStorage
+     * Set signin status
+     * @param isSignedIn - True if user is signed in, false otherwise
      */
+    setSigninStatus(isSignedIn: boolean): void;
+    static ɵfac: i0.ɵɵFactoryDeclaration<SigninStatusService, never>;
+    static ɵprov: i0.ɵɵInjectableDeclaration<SigninStatusService>;
+}
+declare class ApiResponse<DataType> {
+    readonly status: string;
+    readonly data: DataType | null;
+    readonly message: string;
+    get success(): boolean;
+    get errors(): string[];
+    constructor(status: string, data?: any, message?: string);
+    onOk(callback: (data: DataType) => void): ApiResponse<DataType>;
+    onNotOk(callback: (message: string, data: DataType) => void): ApiResponse<DataType>;
+    onError(callback: () => void): ApiResponse<DataType>;
+    isSuccess(): boolean;
+    isError(): boolean;
+    getData(): DataType | null;
+    getError(): string;
+    getStatus(): string;
+    getMessage(): string;
+}
+type BuiltInProvider = 'google' | 'linkedin' | 'apple' | 'microsoft' | 'github' | 'zoho' | 'emailPassword';
+/**
+ * Authentication provider identifier.
+ * Includes all built-in providers plus any custom string identifier.
+ * The (string & {}) trick preserves autocomplete for built-in values.
+ */
+type AuthProvider = BuiltInProvider | (string & {});
+/**
+ * AuthService — manages auth state and delegates all auth operations to the AuthPlugin.
+ *
+ * This service holds user state (via BehaviorSubject) and tokens (via TokenService).
+ * It does not make any HTTP calls directly — all auth logic lives in the plugin.
+ *
+ * Provide a plugin via provideNgxStoneScriptPhpClient():
+ * - Default: StoneScriptPHPAuth (built-in, matches StoneScriptPHP backend)
+ * - External: any class implementing AuthPlugin (Firebase, progalaxyelabs-auth, Okta, etc.)
+ */
+declare class AuthService {
+    private plugin;
+    private tokens;
+    private signinStatus;
+    private readonly USER_STORAGE_KEY;
+    private userSubject;
+    user$: Observable<User | null>;
+    constructor(plugin: AuthPlugin, tokens: TokenService, signinStatus: SigninStatusService);
+    private restoreUser;
     private saveUser;
-    /**
-     * Update user subject and persist to localStorage
-     */
     private updateUser;
-    /**
-     * Login with email and password
-     * @param email - User email
-     * @param password - User password
-     * @param serverName - Optional: Specify which auth server to use (for multi-server mode)
-     */
-    loginWithEmail(email: string, password: string, serverName?: string): Promise<AuthResult>;
-    /**
-     * Login with Google OAuth (popup window)
-     * @param serverName - Optional: Specify which auth server to use (for multi-server mode)
-     */
+    private storeAuthResult;
+    loginWithEmail(email: string, password: string): Promise<AuthResult>;
     loginWithGoogle(serverName?: string): Promise<AuthResult>;
-    /**
-     * Login with GitHub OAuth (popup window)
-     * @param serverName - Optional: Specify which auth server to use (for multi-server mode)
-     */
     loginWithGitHub(serverName?: string): Promise<AuthResult>;
-    /**
-     * Login with LinkedIn OAuth (popup window)
-     * @param serverName - Optional: Specify which auth server to use (for multi-server mode)
-     */
     loginWithLinkedIn(serverName?: string): Promise<AuthResult>;
-    /**
-     * Login with Apple OAuth (popup window)
-     * @param serverName - Optional: Specify which auth server to use (for multi-server mode)
-     */
     loginWithApple(serverName?: string): Promise<AuthResult>;
-    /**
-     * Login with Microsoft OAuth (popup window)
-     * @param serverName - Optional: Specify which auth server to use (for multi-server mode)
-     */
     loginWithMicrosoft(serverName?: string): Promise<AuthResult>;
-    /**
-     * Login with Zoho OAuth (popup window)
-     * @param serverName - Optional: Specify which auth server to use (for multi-server mode)
-     */
     loginWithZoho(serverName?: string): Promise<AuthResult>;
-    /**
-     * Generic provider-based login (supports all OAuth providers)
-     * @param provider - The provider identifier
-     * @param serverName - Optional: Specify which auth server to use (for multi-server mode)
-     */
     loginWithProvider(provider: AuthProvider, serverName?: string): Promise<AuthResult>;
-    /**
-     * Generic OAuth login handler
-     * Opens popup window and listens for postMessage
-     * @param provider - OAuth provider name
-     * @param serverName - Optional: Specify which auth server to use (for multi-server mode)
-     */
-    private loginWithOAuth;
-    /**
-     * Register new user
-     * @param email - User email
-     * @param password - User password
-     * @param displayName - Display name
-     * @param serverName - Optional: Specify which auth server to use (for multi-server mode)
-     */
     register(email: string, password: string, displayName: string, serverName?: string): Promise<AuthResult>;
-    /**
-     * Sign out user
-     * @param serverName - Optional: Specify which auth server to logout from (for multi-server mode)
-     */
     signout(serverName?: string): Promise<void>;
-    /**
-     * Check for active session (call on app init)
-     * @param serverName - Optional: Specify which auth server to check (for multi-server mode)
-     */
     checkSession(serverName?: string): Promise<boolean>;
     /**
-     * Check if user is authenticated
+     * Refresh the access token. Called by ApiConnectionService on 401.
+     * @returns true if token was refreshed, false if refresh failed (user is signed out)
      */
+    refresh(): Promise<boolean>;
     isAuthenticated(): boolean;
-    /**
-     * Get current user (synchronous)
-     */
     getCurrentUser(): User | null;
-    /**
-     * Register a new user AND create a new tenant (organization)
-     * This is used when a user wants to create their own organization
-     */
     registerTenant(data: {
         tenantName: string;
-        tenantSlug: string;
         displayName?: string;
         email?: string;
         password?: string;
         provider: AuthProvider;
-    }): Promise<{
-        success: boolean;
-        message?: string;
-        tenant?: {
-            id: string;
-            name: string;
-            slug: string;
-        };
-        user?: {
-            id: string;
-            email: string;
-            name: string;
-        };
-        access_token?: string;
-    }>;
-    /**
-     * Register tenant with OAuth provider
-     * Opens popup window for OAuth flow
-     */
-    private registerTenantWithOAuth;
-    /**
-     * Get all tenant memberships for the authenticated user
-     * @param serverName - Optional: Specify which auth server to query (for multi-server mode)
-     */
+        role?: string;
+        countryCode?: string;
+    }): Promise<any>;
     getTenantMemberships(serverName?: string): Promise<{
-        memberships: Array<{
-            tenant_id: string;
-            slug: string;
-            name: string;
-            role: string;
-            status: string;
-            last_accessed?: string;
-        }>;
+        memberships: TenantMembership[];
     }>;
-    /**
-     * Select a tenant for the current session
-     * Updates the JWT token with tenant context
-     * @param tenantId - Tenant ID to select
-     * @param serverName - Optional: Specify which auth server to use (for multi-server mode)
-     */
     selectTenant(tenantId: string, serverName?: string): Promise<{
         success: boolean;
         message?: string;
         access_token?: string;
     }>;
-    /**
-     * Check if a tenant slug is available
-     * @param slug - Tenant slug to check
-     * @param serverName - Optional: Specify which auth server to query (for multi-server mode)
-     */
     checkTenantSlugAvailable(slug: string, serverName?: string): Promise<{
         available: boolean;
         suggestion?: string;
     }>;
-    /**
-     * @deprecated Use getCurrentUser()?.user_id instead
-     */
+    checkOnboardingStatus(identityId: string, serverName?: string): Promise<any>;
+    completeTenantOnboarding(countryCode: string, tenantName: string, serverName?: string): Promise<any>;
+    getAvailableAuthServers(): string[];
+    getActiveAuthServer(): string | null;
+    switchAuthServer(serverName: string): void;
+    getAuthServerConfig(serverName?: string): any | null;
+    isMultiServerMode(): boolean;
+    /** @deprecated Use getCurrentUser()?.user_id instead */
     getUserId(): number;
-    /**
-     * @deprecated Use getCurrentUser()?.display_name instead
-     */
+    /** @deprecated Use getCurrentUser()?.display_name instead */
     getUserName(): string;
-    /**
-     * @deprecated Use getCurrentUser()?.photo_url instead
-     */
+    /** @deprecated Use getCurrentUser()?.photo_url instead */
     getPhotoUrl(): string;
-    /**
-     * @deprecated Use getCurrentUser()?.display_name instead
-     */
+    /** @deprecated Use getCurrentUser()?.display_name instead */
     getDisplayName(): string;
-    /**
-     * @deprecated Use `/profile/${getCurrentUser()?.user_id}` instead
-     */
+    /** @deprecated Use `/profile/${getCurrentUser()?.user_id}` instead */
     getProfileUrl(): string;
-    /**
-     * @deprecated Use isAuthenticated() instead
-     */
+    /** @deprecated Use isAuthenticated() instead */
     signin(): Promise<boolean>;
-    /**
-     * @deprecated Use loginWithEmail() instead
-     */
+    /** @deprecated Use loginWithEmail() instead */
     verifyCredentials(email: string, password: string): Promise<boolean>;
-    /**
-     * @deprecated Check user.is_email_verified from getCurrentUser() instead
-     */
+    /** @deprecated Check user.is_email_verified from getCurrentUser() instead */
     isSigninEmailValid(): boolean;
-    /**
-     * @deprecated No longer needed - dialog is managed by platform
-     */
+    /** @deprecated No longer needed */
     onDialogClose(): void;
-    /**
-     * @deprecated No longer needed - dialog is managed by platform
-     */
+    /** @deprecated No longer needed */
     closeSocialAuthDialog(): void;
+    /** @deprecated Use checkEmail() from the plugin directly */
+    getUserProfile(email: string, serverName?: string): Promise<User | null>;
+    static ɵfac: i0.ɵɵFactoryDeclaration<AuthService, never>;
+    static ɵprov: i0.ɵɵInjectableDeclaration<AuthService>;
+}
+declare class ApiConnectionService {
+    private tokens;
+    private signinStatus;
+    private environment;
+    private authService;
+    private host;
+    constructor(tokens: TokenService, signinStatus: SigninStatusService, environment: MyEnvironmentModel, authService: AuthService);
+    private request;
+    private handleError;
+    get<DataType>(endpoint: string, queryParamsObj?: any): Promise<ApiResponse<DataType>>;
+    post<DataType>(pathWithQueryParams: string, data: any): Promise<ApiResponse<DataType>>;
+    put<DataType>(pathWithQueryParams: string, data: any): Promise<ApiResponse<DataType>>;
+    patch<DataType>(pathWithQueryParams: string, data: any): Promise<ApiResponse<DataType>>;
+    delete<DataType>(endpoint: string, queryParamsObj?: any): Promise<ApiResponse<DataType>>;
+    private includeAccessToken;
+    private refreshAndRetry;
     /**
-     * @deprecated Check if user exists by calling /api/auth/check-email endpoint
+     * Refresh the access token (delegates to AuthService → AuthPlugin).
+     * Kept public for backward compatibility.
      */
-    getUserProfile(email: string, serverName?: string): Promise<User | null>;
+    refreshAccessToken(): Promise<boolean>;
+    buildQueryString(options?: any): string;
     /**
-     * Check if user has completed onboarding (has a tenant)
-     * @param identityId - User identity ID
-     * @param serverName - Optional: Specify which auth server to query (for multi-server mode)
+     * Upload a drawing (uses upload server if configured, otherwise API server)
+     * @deprecated Platform-specific method - consider moving to platform service
      */
-    checkOnboardingStatus(identityId: string, serverName?: string): Promise<{
-        onboarded: boolean;
-        tenant_slug?: string;
-        tenant_name?: string;
-        role?: string;
-    }>;
+    uploadDrawing<DataType>(formData: FormData): Promise<ApiResponse<DataType>>;
     /**
-     * Complete tenant onboarding (create tenant with country + org name)
-     * @param countryCode - Country code
-     * @param tenantName - Tenant organization name
-     * @param serverName - Optional: Specify which auth server to use (for multi-server mode)
+     * Upload an image (uses upload server if configured, otherwise API server)
+     * @deprecated Platform-specific method - consider moving to platform service
      */
-    completeTenantOnboarding(countryCode: string, tenantName: string, serverName?: string): Promise<{
-        tenant: {
-            id: string;
-            slug: string;
-            name: string;
-        };
-        access_token: string;
-        refresh_token: string;
-    }>;
-    static ɵfac: i0.ɵɵFactoryDeclaration<AuthService, never>;
-    static ɵprov: i0.ɵɵInjectableDeclaration<AuthService>;
+    uploadImage<DataType>(formData: FormData): Promise<ApiResponse<DataType>>;
+    static ɵfac: i0.ɵɵFactoryDeclaration<ApiConnectionService, never>;
+    static ɵprov: i0.ɵɵInjectableDeclaration<ApiConnectionService>;
 }
 declare class DbService {
@@ -672,6 +625,30 @@ declare class DbService {
     static ɵprov: i0.ɵɵInjectableDeclaration<DbService>;
 }
+/**
+ * CSRF Token Service
+ *
+ * Manages CSRF tokens for cookie-based authentication.
+ * Reads CSRF token from cookies and provides it for request headers.
+ */
+declare class CsrfService {
+    /**
+     * Get CSRF token from cookie
+     */
+    getCsrfToken(cookieName?: string): string | null;
+    /**
+     * Check if CSRF token exists
+     */
+    hasCsrfToken(cookieName?: string): boolean;
+    /**
+     * Clear CSRF token (for logout)
+     * Note: Client-side deletion is limited for httpOnly cookies
+     */
+    clearCsrfToken(cookieName?: string): void;
+    static ɵfac: i0.ɵɵFactoryDeclaration<CsrfService, never>;
+    static ɵprov: i0.ɵɵInjectableDeclaration<CsrfService>;
+}
 /**
  * Result of a file upload operation
  */
@@ -854,21 +831,6 @@ declare class ProviderRegistryService {
     static ɵprov: i0.ɵɵInjectableDeclaration<ProviderRegistryService>;
 }
-declare class NgxStoneScriptPhpClientModule {
-    static forRoot(environment: MyEnvironmentModel): ModuleWithProviders<NgxStoneScriptPhpClientModule>;
-    static ɵfac: i0.ɵɵFactoryDeclaration<NgxStoneScriptPhpClientModule, never>;
-    static ɵmod: i0.ɵɵNgModuleDeclaration<NgxStoneScriptPhpClientModule, never, [typeof i1.CommonModule], never>;
-    static ɵinj: i0.ɵɵInjectorDeclaration<NgxStoneScriptPhpClientModule>;
-}
-interface TenantMembership {
-    tenant_id: string;
-    slug: string;
-    name: string;
-    role: string;
-    status: string;
-    last_accessed?: string;
-}
 interface TenantSelectedEvent {
     tenantId: string;
     tenantSlug: string;
@@ -1143,5 +1105,5 @@ declare class TenantRegisterDialogComponent {
     static ɵcmp: i0.ɵɵComponentDeclaration<TenantRegisterDialogComponent, "lib-tenant-register-dialog", never, {}, {}, never, never, true, never>;
 }
-export { ApiConnectionService, ApiResponse, AuthPageComponent, AuthService, CsrfService, DbService, FilesService, LoginDialogComponent, MyEnvironmentModel, NgxStoneScriptPhpClientModule, ProviderRegistryService, RegisterComponent, SigninStatusService, TenantLoginComponent, TenantLoginDialogComponent, TenantRegisterComponent, TenantRegisterDialogComponent, TokenService, VerifyStatus };
-export type { AuthConfig, AuthMode, AuthProvider, AuthResponseMap, AuthResult, AuthServerConfig, BuiltInProvider, FileDeleteResponse, FileListResponse, FileMetadata, FileUploadResponse, FileUploadResult, OAuthProviderConfig, TenantCreatedEvent, TenantMembership, TenantSelectedEvent, User };
+export { AUTH_PLUGIN, ApiConnectionService, ApiResponse, AuthPageComponent, AuthService, CsrfService, DbService, FilesService, LoginDialogComponent, MyEnvironmentModel, ProviderRegistryService, RegisterComponent, SigninStatusService, StoneScriptPHPAuth, TenantLoginComponent, TenantLoginDialogComponent, TenantRegisterComponent, TenantRegisterDialogComponent, TokenService, VerifyStatus, provideNgxStoneScriptPhpClient };
+export type { AuthConfig, AuthMode, AuthPlugin, AuthProvider, AuthResponseMap, AuthResult, AuthServerConfig, BuiltInProvider, FileDeleteResponse, FileListResponse, FileMetadata, FileUploadResponse, FileUploadResult, OAuthProviderConfig, RegisterTenantData, StoneScriptPHPAuthConfig, TenantCreatedEvent, TenantMembership, TenantSelectedEvent, User };