@proveanything/smartlinks-auth-ui 0.5.21 → 0.6.0

package/dist/index.esm.js

@@ -316,7 +316,7 @@ const EmailAuthForm = ({ mode, onSubmit, onModeSwitch, onForgotPassword, loading
                 }, disabled: loading })), jsxs("div", { className: "auth-form-header", children: [jsx("h2", { className: "auth-form-title", children: title }), jsx("p", { className: "auth-form-subtitle", children: subtitle })] }), error && (jsxs("div", { className: "auth-error", role: "alert", children: [jsx("svg", { width: "16", height: "16", viewBox: "0 0 16 16", fill: "currentColor", children: jsx("path", { d: "M8 0C3.58 0 0 3.58 0 8s3.58 8 8 8 8-3.58 8-8-3.58-8-8-8zm1 13H7v-2h2v2zm0-3H7V4h2v6z" }) }), error] })), mode === 'register' && (jsxs("div", { className: "auth-form-group", children: [jsx("label", { htmlFor: "displayName", className: "auth-label", children: "Full Name" }), jsx("input", { type: "text", id: "displayName", className: "auth-input", value: formData.displayName || '', onChange: (e) => handleChange('displayName', e.target.value), required: mode === 'register', disabled: loading, placeholder: "John Smith" })] })), jsxs("div", { className: "auth-form-group", children: [jsx("label", { htmlFor: "email", className: "auth-label", children: "Email address" }), jsx("input", { type: "email", id: "email", className: "auth-input", value: formData.email || '', onChange: (e) => handleChange('email', e.target.value), required: true, disabled: loading, placeholder: "you@example.com", autoComplete: "email" })] }), jsxs("div", { className: "auth-form-group", children: [jsx("label", { htmlFor: "password", className: "auth-label", children: "Password" }), jsx("input", { type: "password", id: "password", className: "auth-input", value: formData.password || '', onChange: (e) => handleChange('password', e.target.value), required: true, disabled: loading, placeholder: "\u2022\u2022\u2022\u2022\u2022\u2022\u2022\u2022", autoComplete: mode === 'login' ? 'current-password' : 'new-password', minLength: 6 })] }), mode === 'register' && hasSchemaFields && schemaFields.inline.map(renderSchemaField), mode === 'register' && hasLegacyFields && additionalFields.map(renderLegacyField), mode === 'register' && hasSchemaFields && schemaFields.postCredentials.length > 0 && (jsxs(Fragment, { children: [jsx("div", { className: "auth-divider", style: { margin: '16px 0' }, children: jsx("span", { children: "Additional Information" }) }), schemaFields.postCredentials.map(renderSchemaField)] })), mode === 'login' && (jsx("div", { className: "auth-form-footer", children: jsx("button", { type: "button", className: "auth-link", onClick: onForgotPassword, disabled: loading, children: "Forgot password?" }) })), jsx("button", { type: "submit", className: "auth-button auth-button-primary", disabled: loading, children: loading ? (jsx("span", { className: "auth-spinner" })) : mode === 'login' ? ('Sign in') : ('Create account') }), signupProminence !== 'balanced' && signupProminence !== 'none' && (jsxs("div", { className: "auth-divider", children: [jsx("span", { children: mode === 'login' ? "Don't have an account?" : 'Already have an account?' }), signupRedirectUrl && mode === 'login' ? (jsx("a", { href: signupRedirectUrl, target: "_top", className: "auth-link auth-link-bold", children: "Sign up" })) : (jsx("button", { type: "button", className: "auth-link auth-link-bold", onClick: onModeSwitch, disabled: loading, children: mode === 'login' ? 'Sign up' : 'Sign in' }))] }))] }));
 };
 
-const ProviderButtons = ({ enabledProviders, providerOrder, onEmailLogin, onGoogleLogin, onPhoneLogin, onMagicLinkLogin, onWhatsAppLogin, loading, }) => {
+const ProviderButtons = ({ enabledProviders, providerOrder, onEmailLogin, onGoogleLogin, onAppleLogin, onPhoneLogin, onMagicLinkLogin, onWhatsAppLogin, loading, }) => {
     if (enabledProviders.length === 0)
         return null;
     // Determine the order of providers to display
@@ -339,6 +339,11 @@ const ProviderButtons = ({ enabledProviders, providerOrder, onEmailLogin, onGoog
             icon: (jsxs("svg", { width: "20", height: "20", viewBox: "0 0 20 20", fill: "none", children: [jsx("path", { d: "M19.6 10.227c0-.709-.064-1.39-.182-2.045H10v3.868h5.382a4.6 4.6 0 01-1.996 3.018v2.51h3.232c1.891-1.742 2.982-4.305 2.982-7.35z", fill: "#4285F4" }), jsx("path", { d: "M10 20c2.7 0 4.964-.895 6.618-2.423l-3.232-2.509c-.895.6-2.04.955-3.386.955-2.605 0-4.81-1.76-5.595-4.123H1.064v2.59A9.996 9.996 0 0010 20z", fill: "#34A853" }), jsx("path", { d: "M4.405 11.9c-.2-.6-.314-1.24-.314-1.9 0-.66.114-1.3.314-1.9V5.51H1.064A9.996 9.996 0 000 10c0 1.614.386 3.14 1.064 4.49l3.34-2.59z", fill: "#FBBC05" }), jsx("path", { d: "M10 3.977c1.468 0 2.786.505 3.823 1.496l2.868-2.868C14.959.99 12.695 0 10 0 6.09 0 2.71 2.24 1.064 5.51l3.34 2.59C5.19 5.736 7.395 3.977 10 3.977z", fill: "#EA4335" })] })),
             onClick: onGoogleLogin
         },
+        apple: {
+            label: 'Continue with Apple',
+            icon: (jsx("svg", { width: "20", height: "20", viewBox: "0 0 24 24", fill: "currentColor", "aria-hidden": "true", children: jsx("path", { d: "M17.05 20.28c-.98.95-2.05.8-3.08.35-1.09-.46-2.09-.48-3.24 0-1.44.62-2.2.44-3.06-.35C2.79 15.25 3.51 7.59 9.05 7.31c1.35.07 2.29.74 3.08.8 1.18-.24 2.31-.93 3.57-.84 1.51.12 2.65.72 3.4 1.8-3.12 1.87-2.38 5.98.48 7.13-.57 1.5-1.31 2.99-2.54 4.09l.01-.01zM12.03 7.25c-.15-2.23 1.66-4.07 3.74-4.25.29 2.58-2.34 4.5-3.74 4.25z" }) })),
+            onClick: () => onAppleLogin?.()
+        },
         phone: {
             label: 'Continue with Phone',
             icon: (jsx("svg", { width: "20", height: "20", viewBox: "0 0 20 20", fill: "none", stroke: "currentColor", children: jsx("path", { strokeLinecap: "round", strokeLinejoin: "round", strokeWidth: 2, d: "M3 5a2 2 0 012-2h3.28a1 1 0 01.948.684l1.498 4.493a1 1 0 01-.502 1.21l-2.257 1.13a11.042 11.042 0 005.516 5.516l1.13-2.257a1 1 0 011.21-.502l4.493 1.498a1 1 0 01.684.949V15a2 2 0 01-2 2h-1C7.82 17 2 11.18 2 5V4z" }) })),
@@ -11410,6 +11415,25 @@ class AuthAPI {
             redirectUri,
         });
     }
+    /**
+     * Sign in with Apple via an identity token (from native "Sign in with Apple"
+     * or the web JS flow). The backend verifies the JWT against Apple's keys.
+     *
+     * Delegates to `smartlinks.authKit.appleLogin`, which on success stores the
+     * bearer token automatically and invalidates the SDK cache.
+     */
+    async loginWithApple(identityToken, options) {
+        this.log.log('loginWithApple called:', {
+            tokenLength: identityToken?.length,
+            hasAuthCode: !!options?.authorizationCode,
+            hasUserInfo: !!options?.appleUserInfo,
+        });
+        return smartlinks.authKit.appleLogin(this.clientId, identityToken, {
+            authorizationCode: options?.authorizationCode,
+            nonce: options?.nonce,
+            userInfo: options?.appleUserInfo,
+        });
+    }
     async sendPhoneCode(phoneNumber) {
         return smartlinks.authKit.sendPhoneCode(this.clientId, phoneNumber);
     }
@@ -11940,6 +11964,24 @@ async function getStorage() {
     storageInstance = await storageInitPromise;
     return storageInstance;
 }
+/**
+ * Install a custom storage backend (e.g. Capacitor Keychain / Keystore).
+ *
+ * Must be called BEFORE `getStorage()` is invoked for the first time
+ * (typically right after your app boots, before `<SmartlinksAuthUI />` mounts).
+ * The supplied adapter then handles ALL token, user, and account persistence
+ * — replacing the default IndexedDB → localStorage → in-memory chain.
+ *
+ * Intended for native shells (Capacitor / Capgo) that want tokens stored in
+ * the OS secure enclave (Keychain on iOS, Keystore on Android) instead of the
+ * WebView's IndexedDB. Implement the `PersistentStorage` interface against
+ * your secure-storage plugin and pass the instance here.
+ */
+function setStorageAdapter(adapter) {
+    StorageFactory.reset();
+    storageInstance = adapter;
+    storageInitPromise = Promise.resolve(adapter);
+}
 /**
  * Listen for storage changes from other tabs
  */
@@ -11958,6 +12000,7 @@ function onStorageChange(callback) {
 }
 
 const TOKEN_KEY = 'token';
+const REFRESH_TOKEN_KEY = 'refresh_token';
 const USER_KEY = 'user';
 const ACCOUNT_DATA_KEY = 'account_data';
 const ACCOUNT_INFO_KEY = 'account_info';
@@ -11996,6 +12039,28 @@ const tokenStorage = {
         const storage = await getStorage();
         await storage.removeItem(TOKEN_KEY);
     },
+    // ----- Refresh token (native / long-lived sessions) ------------------
+    async saveRefreshToken(token, expiresAt) {
+        const storage = await getStorage();
+        const payload = { token, expiresAt };
+        await storage.setItem(REFRESH_TOKEN_KEY, payload);
+    },
+    async getRefreshToken() {
+        const storage = await getStorage();
+        const rt = await storage.getItem(REFRESH_TOKEN_KEY);
+        if (!rt)
+            return null;
+        if (rt.expiresAt && rt.expiresAt < Date.now()) {
+            console.log('[TokenStorage] Refresh token expired - clearing');
+            await this.clearRefreshToken();
+            return null;
+        }
+        return rt;
+    },
+    async clearRefreshToken() {
+        const storage = await getStorage();
+        await storage.removeItem(REFRESH_TOKEN_KEY);
+    },
     async saveUser(user) {
         const storage = await getStorage();
         await storage.setItem(USER_KEY, user);
@@ -12010,6 +12075,7 @@ const tokenStorage = {
     },
     async clearAll() {
         await this.clearToken();
+        await this.clearRefreshToken();
         await this.clearUser();
         await this.clearAccountData();
         await this.clearAccountInfo();
@@ -12067,12 +12133,18 @@ const tokenStorage = {
 
 // Export context for optional usage (e.g., SmartlinksFrame can work without AuthProvider)
 const AuthContext = createContext(undefined);
-const AuthProvider = ({ children, proxyMode = false, accountCacheTTL = 5 * 60 * 1000, preloadAccountInfo = false, 
+const AuthProvider = ({ children, proxyMode = false, accountCacheTTL = 5 * 60 * 1000, preloadAccountInfo = false, clientId: clientIdProp, 
 // Token refresh settings
 enableAutoRefresh = true, refreshThresholdPercent = 75, // Refresh when 75% of token lifetime has passed
 refreshCheckInterval = 60 * 1000, // Check every minute
+refreshOnResume, 
 // Contact & Interaction features
 collectionId, enableContactSync, enableInteractionTracking, interactionAppId, interactionConfig, }) => {
+    // Resolved client ID — explicit prop wins; otherwise fall back to the
+    // collection's defaultAuthKitId (the standard pattern — see
+    // mem://architecture/default-authkit-collection-property).
+    const [resolvedClientId, setResolvedClientId] = useState(clientIdProp);
+    const clientId = resolvedClientId;
     const [user, setUser] = useState(null);
     const [token, setToken] = useState(null);
     const [accountData, setAccountData] = useState(null);
@@ -12088,8 +12160,8 @@ collectionId, enableContactSync, enableInteractionTracking, interactionAppId, in
     const pendingVerificationRef = useRef(false);
     const proxyRefreshInFlightRef = useRef(false);
     // Stable refs for callbacks to avoid useEffect dependency cycles
-    const syncContactRef = useRef();
-    const trackInteractionRef = useRef();
+    const syncContactRef = useRef(undefined);
+    const trackInteractionRef = useRef(undefined);
     // Default to enabled if collectionId is provided
     const shouldSyncContacts = enableContactSync ?? !!collectionId;
     const shouldTrackInteractions = enableInteractionTracking ?? !!collectionId;
@@ -12772,9 +12844,7 @@ collectionId, enableContactSync, enableInteractionTracking, interactionAppId, in
             });
         });
     };
-    const login = useCallback(async (authToken, authUser, authAccountData, isNewUser, expiresAt
-    // Note: waitForParentAck removed - we ALWAYS wait for parent ack in iframe mode now
-    ) => {
+    const login = useCallback(async (authToken, authUser, authAccountData, isNewUser, expiresAt, refreshTokenValue, refreshTokenExpiresAt) => {
         try {
             // Only persist to storage in standalone mode
             if (!proxyMode) {
@@ -12788,6 +12858,15 @@ collectionId, enableContactSync, enableInteractionTracking, interactionAppId, in
                 else {
                     await tokenStorage.clearAccountData();
                 }
+                // Persist refresh token when the backend issued one (native clients).
+                if (refreshTokenValue) {
+                    const rtExp = refreshTokenExpiresAt
+                        ?? Date.now() + 90 * 24 * 60 * 60 * 1000; // 90d fallback per spec
+                    await tokenStorage.saveRefreshToken(refreshTokenValue, rtExp);
+                }
+                else {
+                    await tokenStorage.clearRefreshToken();
+                }
                 smartlinks.auth.verifyToken(authToken).catch(() => { });
             }
             // Always update memory state (but NOT isVerified yet - wait for parent ack in iframe mode)
@@ -12851,6 +12930,17 @@ collectionId, enableContactSync, enableInteractionTracking, interactionAppId, in
             }
             // Only clear persistent storage in standalone mode
             if (!proxyMode) {
+                // Best-effort: revoke the refresh-token family server-side before
+                // wiping local state, so a stolen copy is dead immediately.
+                try {
+                    const storedRefresh = await tokenStorage.getRefreshToken();
+                    if (storedRefresh?.token && clientId) {
+                        await smartlinks.authKit.logout(clientId, storedRefresh.token);
+                    }
+                }
+                catch (err) {
+                    console.warn('[AuthContext] Refresh-token revoke failed (continuing):', err);
+                }
                 await tokenStorage.clearAll();
                 smartlinks.auth.logout();
             }
@@ -12876,7 +12966,7 @@ collectionId, enableContactSync, enableInteractionTracking, interactionAppId, in
         catch (error) {
             console.error('Failed to clear auth data from storage:', error);
         }
-    }, [proxyMode, notifyAuthStateChange, user, contactId, collectionId, shouldTrackInteractions, trackInteraction]);
+    }, [proxyMode, clientId, notifyAuthStateChange, user, contactId, collectionId, shouldTrackInteractions, trackInteraction]);
     const getToken = useCallback(async () => {
         if (proxyMode) {
             return token;
@@ -12903,12 +12993,44 @@ collectionId, enableContactSync, enableInteractionTracking, interactionAppId, in
             expiresIn: Math.max(0, storedToken.expiresAt - Date.now()),
         };
     }, [proxyMode, token]);
-    // Refresh token - validates current token and extends session if backend supports it
+    // Refresh token - prefers the AuthKit refresh-token endpoint when a refresh
+    // token is stored (native clients); otherwise falls back to verify-and-extend
+    // for web clients whose backend still issues only short-lived JWTs.
     const refreshToken = useCallback(async () => {
         if (proxyMode) {
             throw new Error('Token refresh in proxy mode is handled by the parent application');
         }
         const storedToken = await tokenStorage.getToken();
+        const storedRefresh = await tokenStorage.getRefreshToken();
+        // -------- Path A: true refresh-token rotation (native) ---------------
+        if (storedRefresh?.token && clientId) {
+            try {
+                const resp = await smartlinks.authKit.refreshToken(clientId, storedRefresh.token);
+                await tokenStorage.saveToken(resp.token, resp.expiresAt);
+                await tokenStorage.saveRefreshToken(resp.refreshToken, resp.refreshTokenExpiresAt);
+                setToken(resp.token);
+                setIsVerified(true);
+                pendingVerificationRef.current = false;
+                notifyAuthStateChange('TOKEN_REFRESH', user, resp.token, accountData, accountInfo, true, contact, contactId);
+                return resp.token;
+            }
+            catch (error) {
+                console.error('[AuthContext] Refresh-token rotation failed:', error);
+                if (isNetworkError(error))
+                    throw error;
+                // Reuse / invalid / expired → force re-login. The SDK surfaces these
+                // as RefreshErrorCode (INVALID_REFRESH_TOKEN / REUSE_DETECTED / MISSING).
+                const code = error?.errorCode ?? error?.code;
+                if (code === 'INVALID_REFRESH_TOKEN' ||
+                    code === 'REFRESH_TOKEN_REUSE_DETECTED' ||
+                    code === 'MISSING_REFRESH_TOKEN') {
+                    await logout();
+                    throw new Error('Session expired. Please login again.');
+                }
+                // Fall through to verify-and-extend on unexpected errors.
+            }
+        }
+        // -------- Path B: legacy verify-and-extend (web) ---------------------
         if (!storedToken?.token) {
             throw new Error('No token to refresh. Please login first.');
         }
@@ -12933,7 +13055,7 @@ collectionId, enableContactSync, enableInteractionTracking, interactionAppId, in
             await logout();
             throw new Error('Token refresh failed. Please login again.');
         }
-    }, [proxyMode, user, accountData, accountInfo, contact, contactId, notifyAuthStateChange, isNetworkError, logout]);
+    }, [proxyMode, clientId, user, accountData, accountInfo, contact, contactId, notifyAuthStateChange, isNetworkError, logout]);
     const getAccount = useCallback(async (forceRefresh = false) => {
         try {
             if (proxyMode) {
@@ -13097,6 +13219,105 @@ collectionId, enableContactSync, enableInteractionTracking, interactionAppId, in
             clearInterval(intervalId);
         };
     }, [proxyMode, enableAutoRefresh, refreshCheckInterval, refreshThresholdPercent, token, user, refreshToken]);
+    // Resolve clientId from the collection's defaultAuthKitId when not provided
+    // explicitly. Most apps only pass `collectionId` — this means refresh-token
+    // rotation and server-side logout revocation still work end-to-end.
+    useEffect(() => {
+        if (clientIdProp) {
+            setResolvedClientId(clientIdProp);
+            return;
+        }
+        if (!collectionId)
+            return;
+        let cancelled = false;
+        (async () => {
+            try {
+                const { getDefaultAuthKitId } = await Promise.resolve().then(function () { return defaultAuthKit; });
+                const id = await getDefaultAuthKitId(collectionId);
+                if (!cancelled && id)
+                    setResolvedClientId(id);
+            }
+            catch (err) {
+                console.warn('[AuthContext] Could not resolve default authKitId from collection:', err);
+            }
+        })();
+        return () => { cancelled = true; };
+    }, [clientIdProp, collectionId]);
+    // Refresh-on-resume: fires when the app returns to the foreground.
+    // - Capacitor: `App.addListener('appStateChange')` via dynamic import (no
+    //   runtime dep on web).
+    // - Universal fallback: `document.visibilitychange` — also catches PWAs /
+    //   web tabs that have been backgrounded for hours.
+    useEffect(() => {
+        if (proxyMode || !enableAutoRefresh || !token || !user)
+            return;
+        // Default ON when we detect a native shell; OFF otherwise.
+        const isNative = (() => {
+            try {
+                const cap = window.Capacitor;
+                if (cap?.isNativePlatform?.() === true)
+                    return true;
+                if (window.AuthKit?.isNative === true)
+                    return true;
+            }
+            catch { /* noop */ }
+            return false;
+        })();
+        const enabled = refreshOnResume ?? isNative;
+        if (!enabled)
+            return;
+        const maybeRefresh = async () => {
+            try {
+                const storedToken = await tokenStorage.getToken();
+                if (!storedToken?.expiresAt)
+                    return;
+                const remainingMs = storedToken.expiresAt - Date.now();
+                const totalLifetimeMs = 7 * 24 * 60 * 60 * 1000;
+                const percentUsed = ((totalLifetimeMs - remainingMs) / totalLifetimeMs) * 100;
+                if (percentUsed < refreshThresholdPercent)
+                    return;
+                await refreshToken().catch(() => { });
+            }
+            catch (err) {
+                console.error('[AuthContext] Resume refresh check failed:', err);
+            }
+        };
+        // Universal visibility listener
+        const onVisibility = () => {
+            if (document.visibilityState === 'visible')
+                maybeRefresh();
+        };
+        document.addEventListener('visibilitychange', onVisibility);
+        // Capacitor listener (optional)
+        let capRemove;
+        (async () => {
+            try {
+                // Only attempt to load @capacitor/app in an actual native shell.
+                // The specifier is obfuscated so bundlers (Vite/webpack) don't try
+                // to statically resolve an optional peer dependency at build time.
+                const isNative = typeof window !== 'undefined' &&
+                    (window.Capacitor?.isNativePlatform?.() === true ||
+                        window.AuthKit?.isNative === true);
+                if (!isNative)
+                    return;
+                const specifier = ['@capacitor', 'app'].join('/');
+                const dynamicImport = new Function('s', 'return import(s)');
+                const mod = await dynamicImport(specifier);
+                const handle = await mod.App.addListener('appStateChange', (state) => {
+                    if (state.isActive)
+                        maybeRefresh();
+                });
+                capRemove = () => handle?.remove?.();
+            }
+            catch {
+                // @capacitor/app not installed or unavailable — visibilitychange handles it.
+            }
+        })();
+        return () => {
+            document.removeEventListener('visibilitychange', onVisibility);
+            capRemove?.();
+        };
+    }, [proxyMode, enableAutoRefresh, refreshOnResume, refreshThresholdPercent, token, user, refreshToken]);
     const value = {
         user,
         token,
@@ -13358,8 +13579,22 @@ const loadGoogleIdentityServices = () => {
         document.head.appendChild(script);
     });
 };
+// Helper to detect a Capacitor native runtime (iOS/Android shell, not the web)
+const isCapacitorNative = () => {
+    const cap = window.Capacitor;
+    if (!cap)
+        return false;
+    // isNativePlatform() is the modern API; fall back to platform string for older cores
+    if (typeof cap.isNativePlatform === 'function')
+        return cap.isNativePlatform();
+    return cap.platform === 'ios' || cap.platform === 'android';
+};
 // Helper to detect WebView environments (Android/iOS)
 const detectWebView = () => {
+    // Capacitor apps run inside a WebView (WKWebView/Android WebView) but don't
+    // always set the `wv` UA token — treat them as WebView explicitly.
+    if (isCapacitorNative())
+        return true;
     const ua = navigator.userAgent;
     // Android WebView detection
     if (/Android/i.test(ua)) {
@@ -13467,7 +13702,7 @@ const checkSilentGoogleSignIn = async (clientId, googleClientId) => {
     });
 };
 // getFriendlyErrorMessage is now imported from ../utils/errorHandling
-const SmartlinksAuthUI = ({ apiEndpoint, clientId, clientName, accountData, onAuthSuccess, onAuthError, onRedirect, enabledProviders = ['email', 'google', 'phone'], initialMode, signupProminence, redirectUrl, theme = 'light', className, customization, skipConfigFetch = false, minimal = false, logger, proxyMode = false, collectionId, disableConfigCache = false, enableSilentGoogleSignIn = false, whatsappReply, whatsappPrefillMessage, }) => {
+const SmartlinksAuthUI = ({ apiEndpoint, clientId, clientName, accountData, onAuthSuccess, onAuthError, onRedirect, enabledProviders = ['email', 'google', 'phone'], initialMode, signupProminence, redirectUrl, theme = 'light', className, customization, skipConfigFetch = false, minimal = false, logger, proxyMode = false, collectionId, disableConfigCache = false, enableSilentGoogleSignIn = false, nativeAuth, enableSilentNativeSignIn = false, whatsappReply, whatsappPrefillMessage, }) => {
     // Resolve signup prominence from props, customization, config, or default
     const resolvedSignupProminence = signupProminence || customization?.signupProminence || 'minimal';
     // Determine initial mode based on signupProminence setting
@@ -13540,17 +13775,48 @@ const SmartlinksAuthUI = ({ apiEndpoint, clientId, clientName, accountData, onAu
         }
     };
     // Dark mode detection and theme management
+    // In 'auto' mode we honor (in priority order):
+    //   1. An explicit `.dark` class on <html> or <body> (set by the host portal / SmartLinks theme system)
+    //   2. A SmartLinks theme payload in the URL (?theme=... with m === 'd')
+    //   3. The OS `prefers-color-scheme` preference
     useEffect(() => {
         if (theme !== 'auto') {
             setResolvedTheme(theme);
             return;
         }
-        // Auto-detect system theme preference
         const mediaQuery = window.matchMedia('(prefers-color-scheme: dark)');
-        const updateTheme = () => setResolvedTheme(mediaQuery.matches ? 'dark' : 'light');
+        const hostHasDarkClass = () => document.documentElement.classList.contains('dark') ||
+            document.body.classList.contains('dark');
+        const urlRequestsDark = () => {
+            try {
+                const search = new URLSearchParams(window.location.search);
+                let themeParam = search.get('theme');
+                if (!themeParam && window.location.hash.includes('?')) {
+                    themeParam = new URLSearchParams(window.location.hash.substring(window.location.hash.indexOf('?'))).get('theme');
+                }
+                if (!themeParam)
+                    return false;
+                const decoded = JSON.parse(atob(themeParam));
+                return decoded?.m === 'd';
+            }
+            catch {
+                return false;
+            }
+        };
+        const updateTheme = () => {
+            const isDark = hostHasDarkClass() || urlRequestsDark() || mediaQuery.matches;
+            setResolvedTheme(isDark ? 'dark' : 'light');
+        };
         updateTheme();
         mediaQuery.addEventListener('change', updateTheme);
-        return () => mediaQuery.removeEventListener('change', updateTheme);
+        // Watch host <html>/<body> class changes (portal toggling dark mode at runtime)
+        const observer = new MutationObserver(updateTheme);
+        observer.observe(document.documentElement, { attributes: true, attributeFilter: ['class'] });
+        observer.observe(document.body, { attributes: true, attributeFilter: ['class'] });
+        return () => {
+            mediaQuery.removeEventListener('change', updateTheme);
+            observer.disconnect();
+        };
     }, [theme]);
     // Version tracking for debugging if needed
     // console.log(`${LOG_PREFIX} Component mounted, v${AUTH_UI_VERSION}`);
@@ -13736,23 +14002,28 @@ const SmartlinksAuthUI = ({ apiEndpoint, clientId, clientName, accountData, onAu
         };
         fetchSchema();
     }, [collectionId, sdkReady]);
-    // Silent Google Sign-In check on mount (for native Android apps)
-    // When enabled, checks if user is already signed in via Google on the native side
+    // Silent Sign-In check on mount (for native apps).
+    // Prefers the injected `nativeAuth.checkSignIn` adapter (Capacitor) when
+    // `enableSilentNativeSignIn` is set; otherwise falls back to the legacy
+    // `window.AuthKit` bridge when `enableSilentGoogleSignIn` is set.
+    const wantsSilentNative = enableSilentNativeSignIn && !!nativeAuth?.checkSignIn;
     useEffect(() => {
-        if (!enableSilentGoogleSignIn || silentSignInChecked || !sdkReady || auth.isAuthenticated) {
+        if ((!enableSilentGoogleSignIn && !wantsSilentNative) || silentSignInChecked || !sdkReady || auth.isAuthenticated) {
             return;
         }
         const googleClientId = config?.googleClientId || DEFAULT_GOOGLE_CLIENT_ID;
         const performSilentSignIn = async () => {
             try {
-                const result = await checkSilentGoogleSignIn(clientId, googleClientId);
+                const result = wantsSilentNative
+                    ? await nativeAuth.checkSignIn({ serverClientId: googleClientId })
+                    : await checkSilentGoogleSignIn(clientId, googleClientId);
                 setSilentSignInChecked(true);
                 if (result?.isSignedIn && result.idToken) {
                     setLoading(true);
                     try {
                         const authResponse = await api.loginWithGoogle(result.idToken);
                         if (authResponse.token) {
-                            await auth.login(authResponse.token, authResponse.user, authResponse.accountData, false, getExpirationFromResponse(authResponse));
+                            await auth.login(authResponse.token, authResponse.user, authResponse.accountData, false, getExpirationFromResponse(authResponse), authResponse.refreshToken, authResponse.refreshTokenExpiresAt);
                             setAuthSuccess(true);
                             setSuccessMessage('Signed in automatically with Google!');
                             onAuthSuccess(authResponse.token, authResponse.user, authResponse.accountData);
@@ -13771,7 +14042,7 @@ const SmartlinksAuthUI = ({ apiEndpoint, clientId, clientName, accountData, onAu
             }
         };
         performSilentSignIn();
-    }, [enableSilentGoogleSignIn, silentSignInChecked, sdkReady, auth.isAuthenticated, clientId, config?.googleClientId, api, auth, onAuthSuccess]);
+    }, [enableSilentGoogleSignIn, wantsSilentNative, nativeAuth, silentSignInChecked, sdkReady, auth.isAuthenticated, clientId, config?.googleClientId, api, auth, onAuthSuccess]);
     // Reset showEmailForm when mode changes away from login/register
     useEffect(() => {
         if (mode !== 'login' && mode !== 'register') {
@@ -13847,7 +14118,7 @@ const SmartlinksAuthUI = ({ apiEndpoint, clientId, clientName, accountData, onAu
                 if ((verificationMode === 'verify-auto-login' || verificationMode === 'immediate') && response.token) {
                     // Auto-login modes: Log the user in immediately if token is provided
                     // Always await - auth.login now waits for parent ack automatically in iframe mode
-                    await auth.login(response.token, response.user, response.accountData, true, getExpirationFromResponse(response));
+                    await auth.login(response.token, response.user, response.accountData, true, getExpirationFromResponse(response), response.refreshToken, response.refreshTokenExpiresAt);
                     setUrlAuthProcessing(false); // Clear processing state before redirect/success
                     if (redirectUrl) {
                         // Redirect to clean URL and resume flow
@@ -13907,7 +14178,7 @@ const SmartlinksAuthUI = ({ apiEndpoint, clientId, clientName, accountData, onAu
                 // Auto-login with magic link if token is provided
                 if (response.token) {
                     // Always await - auth.login now waits for parent ack automatically in iframe mode
-                    await auth.login(response.token, response.user, response.accountData, true, getExpirationFromResponse(response));
+                    await auth.login(response.token, response.user, response.accountData, true, getExpirationFromResponse(response), response.refreshToken, response.refreshTokenExpiresAt);
                     setUrlAuthProcessing(false); // Clear processing state before redirect/success
                     if (redirectUrl) {
                         // Redirect to clean URL and resume flow
@@ -13982,7 +14253,7 @@ const SmartlinksAuthUI = ({ apiEndpoint, clientId, clientName, accountData, onAu
             log.log('Google OAuth code exchange response:', { hasToken: !!response.token, hasUser: !!response.user, isNewUser: response.isNewUser });
             if (response.token) {
                 // Await login to ensure token is persisted before any navigation
-                await auth.login(response.token, response.user, response.accountData, response.isNewUser, getExpirationFromResponse(response));
+                await auth.login(response.token, response.user, response.accountData, response.isNewUser, getExpirationFromResponse(response), response.refreshToken, response.refreshTokenExpiresAt);
                 setAuthSuccess(true);
                 setSuccessMessage('Google login successful!');
                 onAuthSuccess(response.token, response.user, response.accountData);
@@ -14036,7 +14307,7 @@ const SmartlinksAuthUI = ({ apiEndpoint, clientId, clientName, accountData, onAu
                 // Handle different verification modes
                 if (verificationMode === 'immediate' && response.token) {
                     // Immediate mode: Log in right away if token is provided (isNewUser=true for registration)
-                    await auth.login(response.token, response.user, response.accountData, true, getExpirationFromResponse(response));
+                    await auth.login(response.token, response.user, response.accountData, true, getExpirationFromResponse(response), response.refreshToken, response.refreshTokenExpiresAt);
                     setAuthSuccess(true);
                     const deadline = response.emailVerificationDeadline
                         ? new Date(response.emailVerificationDeadline).toLocaleString()
@@ -14098,7 +14369,7 @@ const SmartlinksAuthUI = ({ apiEndpoint, clientId, clientName, accountData, onAu
                         setLoading(false);
                         return;
                     }
-                    await auth.login(response.token, response.user, response.accountData, false, getExpirationFromResponse(response));
+                    await auth.login(response.token, response.user, response.accountData, false, getExpirationFromResponse(response), response.refreshToken, response.refreshTokenExpiresAt);
                     setAuthSuccess(true);
                     setSuccessMessage('Login successful!');
                     onAuthSuccess(response.token, response.user, response.accountData);
@@ -14228,6 +14499,55 @@ const SmartlinksAuthUI = ({ apiEndpoint, clientId, clientName, accountData, onAu
             }
         });
     };
+    // Finish a login once a backend AuthResponse has been obtained (shared by the
+    // native adapter paths for Google and Apple).
+    const completeNativeLogin = async (authResponse, successLabel) => {
+        if (!authResponse.token) {
+            throw new Error('Authentication failed - no token received');
+        }
+        await auth.login(authResponse.token, authResponse.user, authResponse.accountData, authResponse.isNewUser, getExpirationFromResponse(authResponse));
+        setAuthSuccess(true);
+        setSuccessMessage(successLabel);
+        onAuthSuccess(authResponse.token, authResponse.user, authResponse.accountData);
+    };
+    // Sign in with Apple. Apple is native-only in this kit today: it requires an
+    // injected `nativeAuth` adapter (e.g. a Capacitor plugin) that resolves an
+    // Apple identity token. There is no in-browser fallback yet.
+    const handleAppleLogin = async () => {
+        if (!nativeAuth?.signInWithApple) {
+            log.warn('Apple sign-in requested but no nativeAuth.signInWithApple adapter is configured');
+            setError('Apple Sign-In is not available in this environment.');
+            onAuthError?.(new Error('No nativeAuth.signInWithApple adapter configured'));
+            return;
+        }
+        setLoading(true);
+        setError(undefined);
+        try {
+            log.log('Using native adapter for Apple Sign-In');
+            const result = await nativeAuth.signInWithApple({
+                clientId: config?.appleClientId,
+                scopes: ['name', 'email'],
+            });
+            if (!result?.idToken) {
+                throw new Error('Apple Sign-In did not return an identity token');
+            }
+            const authResponse = await api.loginWithApple(result.idToken, {
+                authorizationCode: result.authorizationCode,
+                nonce: result.nonce,
+                appleUserInfo: result.email || result.name ? { email: result.email, name: result.name } : undefined,
+            });
+            log.log('Native Apple login response:', { hasToken: !!authResponse.token, isNewUser: authResponse.isNewUser });
+            await completeNativeLogin(authResponse, 'Apple login successful!');
+        }
+        catch (err) {
+            log.error('Apple Sign-In failed:', err);
+            setError(getFriendlyErrorMessage(err));
+            onAuthError?.(err instanceof Error ? err : new Error(getFriendlyErrorMessage(err)));
+        }
+        finally {
+            setLoading(false);
+        }
+    };
     const handleGoogleLogin = async () => {
         const hasCustomGoogleClientId = !!config?.googleClientId;
         const googleClientId = config?.googleClientId || DEFAULT_GOOGLE_CLIENT_ID;
@@ -14257,6 +14577,32 @@ const SmartlinksAuthUI = ({ apiEndpoint, clientId, clientName, accountData, onAu
         setLoading(true);
         setError(undefined);
         try {
+            // Priority 0: injected Promise-based native adapter (Capacitor, etc.).
+            // This is the clean path — await the plugin directly, no callback bridge.
+            if (nativeAuth?.signInWithGoogle) {
+                log.log('Using injected nativeAuth adapter for Google Sign-In');
+                try {
+                    const result = await nativeAuth.signInWithGoogle({
+                        serverClientId: googleClientId,
+                        scopes: ['email', 'profile'],
+                    });
+                    if (!result?.idToken) {
+                        throw new Error('Google Sign-In did not return an ID token');
+                    }
+                    const authResponse = await api.loginWithGoogle(result.idToken);
+                    log.log('Native (adapter) Google login response:', { hasToken: !!authResponse.token, isNewUser: authResponse.isNewUser });
+                    await completeNativeLogin(authResponse, 'Google login successful!');
+                }
+                catch (err) {
+                    log.error('Adapter Google Sign-In failed:', err);
+                    setError(getFriendlyErrorMessage(err));
+                    onAuthError?.(err instanceof Error ? err : new Error(getFriendlyErrorMessage(err)));
+                }
+                finally {
+                    setLoading(false);
+                }
+                return;
+            }
             if (nativeBridge) {
                 log.log('Using native bridge for Google Sign-In');
                 const callbackId = `google_auth_${Date.now()}`;
@@ -14275,7 +14621,7 @@ const SmartlinksAuthUI = ({ apiEndpoint, clientId, clientName, accountData, onAu
                             const authResponse = await api.loginWithGoogle(result.idToken);
                             log.log('Native Google login response:', { hasToken: !!authResponse.token, hasUser: !!authResponse.user, isNewUser: authResponse.isNewUser });
                             if (authResponse.token) {
-                                await auth.login(authResponse.token, authResponse.user, authResponse.accountData, authResponse.isNewUser, getExpirationFromResponse(authResponse));
+                                await auth.login(authResponse.token, authResponse.user, authResponse.accountData, authResponse.isNewUser, getExpirationFromResponse(authResponse), authResponse.refreshToken, authResponse.refreshTokenExpiresAt);
                                 setAuthSuccess(true);
                                 setSuccessMessage('Google login successful!');
                                 onAuthSuccess(authResponse.token, authResponse.user, authResponse.accountData);
@@ -14495,7 +14841,7 @@ const SmartlinksAuthUI = ({ apiEndpoint, clientId, clientName, accountData, onAu
                                 log.log('Popup Google login response:', { hasToken: !!authResponse.token, hasUser: !!authResponse.user, isNewUser: authResponse.isNewUser });
                                 if (authResponse.token) {
                                     // Google OAuth can be login or signup - use isNewUser flag from backend if available
-                                    await auth.login(authResponse.token, authResponse.user, authResponse.accountData, authResponse.isNewUser, getExpirationFromResponse(authResponse));
+                                    await auth.login(authResponse.token, authResponse.user, authResponse.accountData, authResponse.isNewUser, getExpirationFromResponse(authResponse), authResponse.refreshToken, authResponse.refreshTokenExpiresAt);
                                     setAuthSuccess(true);
                                     setSuccessMessage('Google login successful!');
                                     onAuthSuccess(authResponse.token, authResponse.user, authResponse.accountData);
@@ -14545,7 +14891,7 @@ const SmartlinksAuthUI = ({ apiEndpoint, clientId, clientName, accountData, onAu
                             log.log('OneTap Google login response:', { hasToken: !!authResponse.token, hasUser: !!authResponse.user, isNewUser: authResponse.isNewUser });
                             if (authResponse.token) {
                                 // Google OAuth can be login or signup - use isNewUser flag from backend if available
-                                await auth.login(authResponse.token, authResponse.user, authResponse.accountData, authResponse.isNewUser, getExpirationFromResponse(authResponse));
+                                await auth.login(authResponse.token, authResponse.user, authResponse.accountData, authResponse.isNewUser, getExpirationFromResponse(authResponse), authResponse.refreshToken, authResponse.refreshTokenExpiresAt);
                                 setAuthSuccess(true);
                                 setSuccessMessage('Google login successful!');
                                 onAuthSuccess(authResponse.token, authResponse.user, authResponse.accountData);
@@ -14627,7 +14973,7 @@ const SmartlinksAuthUI = ({ apiEndpoint, clientId, clientName, accountData, onAu
                     // Phone auth is an INTERACTIVE flow (user entered OTP in UI)
                     // Unlike deep-link flows (email verification, magic link), there's no URL token to clean up
                     // Do NOT auto-redirect - let the parent app control the next step (profile completion, etc.)
-                    await auth.login(response.token, response.user, response.accountData, response.isNewUser, getExpirationFromResponse(response));
+                    await auth.login(response.token, response.user, response.accountData, response.isNewUser, getExpirationFromResponse(response), response.refreshToken, response.refreshTokenExpiresAt);
                     setAuthSuccess(true);
                     setSuccessMessage('Phone verified! You are now logged in.');
                     onAuthSuccess(response.token, response.user, response.accountData);
@@ -14917,7 +15263,7 @@ const SmartlinksAuthUI = ({ apiEndpoint, clientId, clientName, accountData, onAu
                     throw Object.assign(new Error(resultErrorMessage), session);
                 }
                 if (session?.token && session.user) {
-                    await auth.login(session.token, session.user, session.accountData, true, getExpirationFromResponse(session));
+                    await auth.login(session.token, session.user, session.accountData, true, getExpirationFromResponse(session), session.refreshToken, session.refreshTokenExpiresAt);
                     if (!proxyMode) {
                         onAuthSuccess(session.token, session.user, session.accountData);
                     }
@@ -15247,11 +15593,11 @@ const SmartlinksAuthUI = ({ apiEndpoint, clientId, clientName, accountData, onAu
                         const hasEmailProvider = actualProviders.includes('email');
                         // If email provider is not enabled, only show provider buttons (no email/password form)
                         if (!hasEmailProvider) {
-                            return (jsx(ProviderButtons, { enabledProviders: actualProviders, providerOrder: providerOrder, onGoogleLogin: handleGoogleLogin, onPhoneLogin: () => setMode('phone'), onMagicLinkLogin: () => setMode('magic-link'), onWhatsAppLogin: () => setMode('whatsapp'), loading: loading }));
+                            return (jsx(ProviderButtons, { enabledProviders: actualProviders, providerOrder: providerOrder, onGoogleLogin: handleGoogleLogin, onAppleLogin: handleAppleLogin, onPhoneLogin: () => setMode('phone'), onMagicLinkLogin: () => setMode('magic-link'), onWhatsAppLogin: () => setMode('whatsapp'), loading: loading }));
                         }
                         // Button mode: show provider selection first, then email form if email is selected
                         if (emailDisplayMode === 'button' && !showEmailForm) {
-                            return (jsx(ProviderButtons, { enabledProviders: actualProviders, providerOrder: providerOrder, onEmailLogin: () => setShowEmailForm(true), onGoogleLogin: handleGoogleLogin, onPhoneLogin: () => setMode('phone'), onMagicLinkLogin: () => setMode('magic-link'), onWhatsAppLogin: () => setMode('whatsapp'), loading: loading }));
+                            return (jsx(ProviderButtons, { enabledProviders: actualProviders, providerOrder: providerOrder, onEmailLogin: () => setShowEmailForm(true), onGoogleLogin: handleGoogleLogin, onAppleLogin: handleAppleLogin, onPhoneLogin: () => setMode('phone'), onMagicLinkLogin: () => setMode('magic-link'), onWhatsAppLogin: () => setMode('whatsapp'), loading: loading }));
                         }
                         // Form mode or email button was clicked: show email form with other providers
                         return (jsxs(Fragment, { children: [emailDisplayMode === 'button' && showEmailForm && (jsx("button", { onClick: () => setShowEmailForm(false), style: {
@@ -15270,7 +15616,7 @@ const SmartlinksAuthUI = ({ apiEndpoint, clientId, clientName, accountData, onAu
                                         setShowResendVerification(false);
                                         setShowRequestNewReset(false);
                                         setError(undefined);
-                                    }, onForgotPassword: () => setMode('reset-password'), loading: loading, error: error, signupProminence: resolvedSignupProminence, signupRedirectUrl: config?.signupRedirectUrl || customization?.signupRedirectUrl, schema: contactSchema, registrationFieldsConfig: config?.registrationFields, additionalFields: config?.signupAdditionalFields }), emailDisplayMode === 'form' && actualProviders.length > 1 && (jsx(ProviderButtons, { enabledProviders: actualProviders.filter((p) => p !== 'email'), providerOrder: providerOrder, onGoogleLogin: handleGoogleLogin, onPhoneLogin: () => setMode('phone'), onMagicLinkLogin: () => setMode('magic-link'), onWhatsAppLogin: () => setMode('whatsapp'), loading: loading }))] }));
+                                    }, onForgotPassword: () => setMode('reset-password'), loading: loading, error: error, signupProminence: resolvedSignupProminence, signupRedirectUrl: config?.signupRedirectUrl || customization?.signupRedirectUrl, schema: contactSchema, registrationFieldsConfig: config?.registrationFields, additionalFields: config?.signupAdditionalFields }), emailDisplayMode === 'form' && actualProviders.length > 1 && (jsx(ProviderButtons, { enabledProviders: actualProviders.filter((p) => p !== 'email'), providerOrder: providerOrder, onGoogleLogin: handleGoogleLogin, onAppleLogin: handleAppleLogin, onPhoneLogin: () => setMode('phone'), onMagicLinkLogin: () => setMode('magic-link'), onWhatsAppLogin: () => setMode('whatsapp'), loading: loading }))] }));
                     })()] })) })) : null }));
 };
 
@@ -16411,5 +16757,11 @@ async function setDefaultAuthKitId(collectionId, authKitId) {
     });
 }
 
-export { AccountManagement, AuthProvider, AuthUIPreview, SmartlinksAuthUI as FirebaseAuthUI, ProtectedRoute, SchemaFieldRenderer, SmartlinksAuthUI, SmartlinksFrame, buildIframeSrc, evaluateConditions, getDefaultAuthKitId, getEditableFields, getErrorCode, getErrorStatusCode, getFriendlyErrorMessage, getRegistrationFields, isAdminFromRoles, isAuthError, isConflictError, isRateLimitError, isServerError, resolveFields, setDefaultAuthKitId, sortFieldsByPlacement, tokenStorage, useAdminDetection, useAuth, useIframeMessages, useIframeResize };
+var defaultAuthKit = /*#__PURE__*/Object.freeze({
+    __proto__: null,
+    getDefaultAuthKitId: getDefaultAuthKitId,
+    setDefaultAuthKitId: setDefaultAuthKitId
+});
+
+export { AccountManagement, AuthProvider, AuthUIPreview, SmartlinksAuthUI as FirebaseAuthUI, ProtectedRoute, SchemaFieldRenderer, SmartlinksAuthUI, SmartlinksFrame, buildIframeSrc, evaluateConditions, getDefaultAuthKitId, getEditableFields, getErrorCode, getErrorStatusCode, getFriendlyErrorMessage, getRegistrationFields, isAdminFromRoles, isAuthError, isConflictError, isRateLimitError, isServerError, resolveFields, setDefaultAuthKitId, setStorageAdapter, sortFieldsByPlacement, tokenStorage, useAdminDetection, useAuth, useIframeMessages, useIframeResize };
 //# sourceMappingURL=index.esm.js.map