npm - @proveanything/smartlinks-auth-ui - Versions diffs - 0.5.22 → 0.6.1 - Mend

@proveanything/smartlinks-auth-ui 0.5.22 → 0.6.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (29) hide show

package/ACCOUNT_CACHING.md +349 -0
package/ANDROID_NATIVE_BRIDGE.md +775 -0
package/AUTH_STATE_MANAGEMENT.md +262 -0
package/CAPACITOR_INTEGRATION.md +244 -0
package/CUSTOMIZATION_GUIDE.md +411 -0
package/README.md +73 -13
package/SDK_DEBUGGING_GUIDE.md +217 -0
package/SMARTLINKS_FRAME.md +302 -0
package/SMARTLINKS_INTEGRATION.md +330 -0
package/WHATSAPP_OTP_PLAN.md +106 -0
package/dist/api.d.ts +27 -1
package/dist/api.d.ts.map +1 -1
package/dist/components/ProviderButtons.d.ts +1 -0
package/dist/components/ProviderButtons.d.ts.map +1 -1
package/dist/components/SmartlinksAuthUI.d.ts.map +1 -1
package/dist/context/AuthContext.d.ts.map +1 -1
package/dist/index.d.ts +2 -0
package/dist/index.d.ts.map +1 -1
package/dist/index.esm.js +379 -34
package/dist/index.esm.js.map +1 -1
package/dist/index.js +379 -33
package/dist/index.js.map +1 -1
package/dist/types.d.ts +98 -2
package/dist/types.d.ts.map +1 -1
package/dist/utils/persistentStorage.d.ts +14 -0
package/dist/utils/persistentStorage.d.ts.map +1 -1
package/dist/utils/tokenStorage.d.ts +7 -0
package/dist/utils/tokenStorage.d.ts.map +1 -1
package/package.json +15 -6

package/dist/index.js CHANGED Viewed

@@ -336,7 +336,7 @@ const EmailAuthForm = ({ mode, onSubmit, onModeSwitch, onForgotPassword, loading
                 }, disabled: loading })), jsxRuntime.jsxs("div", { className: "auth-form-header", children: [jsxRuntime.jsx("h2", { className: "auth-form-title", children: title }), jsxRuntime.jsx("p", { className: "auth-form-subtitle", children: subtitle })] }), error && (jsxRuntime.jsxs("div", { className: "auth-error", role: "alert", children: [jsxRuntime.jsx("svg", { width: "16", height: "16", viewBox: "0 0 16 16", fill: "currentColor", children: jsxRuntime.jsx("path", { d: "M8 0C3.58 0 0 3.58 0 8s3.58 8 8 8 8-3.58 8-8-3.58-8-8-8zm1 13H7v-2h2v2zm0-3H7V4h2v6z" }) }), error] })), mode === 'register' && (jsxRuntime.jsxs("div", { className: "auth-form-group", children: [jsxRuntime.jsx("label", { htmlFor: "displayName", className: "auth-label", children: "Full Name" }), jsxRuntime.jsx("input", { type: "text", id: "displayName", className: "auth-input", value: formData.displayName || '', onChange: (e) => handleChange('displayName', e.target.value), required: mode === 'register', disabled: loading, placeholder: "John Smith" })] })), jsxRuntime.jsxs("div", { className: "auth-form-group", children: [jsxRuntime.jsx("label", { htmlFor: "email", className: "auth-label", children: "Email address" }), jsxRuntime.jsx("input", { type: "email", id: "email", className: "auth-input", value: formData.email || '', onChange: (e) => handleChange('email', e.target.value), required: true, disabled: loading, placeholder: "you@example.com", autoComplete: "email" })] }), jsxRuntime.jsxs("div", { className: "auth-form-group", children: [jsxRuntime.jsx("label", { htmlFor: "password", className: "auth-label", children: "Password" }), jsxRuntime.jsx("input", { type: "password", id: "password", className: "auth-input", value: formData.password || '', onChange: (e) => handleChange('password', e.target.value), required: true, disabled: loading, placeholder: "\u2022\u2022\u2022\u2022\u2022\u2022\u2022\u2022", autoComplete: mode === 'login' ? 'current-password' : 'new-password', minLength: 6 })] }), mode === 'register' && hasSchemaFields && schemaFields.inline.map(renderSchemaField), mode === 'register' && hasLegacyFields && additionalFields.map(renderLegacyField), mode === 'register' && hasSchemaFields && schemaFields.postCredentials.length > 0 && (jsxRuntime.jsxs(jsxRuntime.Fragment, { children: [jsxRuntime.jsx("div", { className: "auth-divider", style: { margin: '16px 0' }, children: jsxRuntime.jsx("span", { children: "Additional Information" }) }), schemaFields.postCredentials.map(renderSchemaField)] })), mode === 'login' && (jsxRuntime.jsx("div", { className: "auth-form-footer", children: jsxRuntime.jsx("button", { type: "button", className: "auth-link", onClick: onForgotPassword, disabled: loading, children: "Forgot password?" }) })), jsxRuntime.jsx("button", { type: "submit", className: "auth-button auth-button-primary", disabled: loading, children: loading ? (jsxRuntime.jsx("span", { className: "auth-spinner" })) : mode === 'login' ? ('Sign in') : ('Create account') }), signupProminence !== 'balanced' && signupProminence !== 'none' && (jsxRuntime.jsxs("div", { className: "auth-divider", children: [jsxRuntime.jsx("span", { children: mode === 'login' ? "Don't have an account?" : 'Already have an account?' }), signupRedirectUrl && mode === 'login' ? (jsxRuntime.jsx("a", { href: signupRedirectUrl, target: "_top", className: "auth-link auth-link-bold", children: "Sign up" })) : (jsxRuntime.jsx("button", { type: "button", className: "auth-link auth-link-bold", onClick: onModeSwitch, disabled: loading, children: mode === 'login' ? 'Sign up' : 'Sign in' }))] }))] }));
 };
-const ProviderButtons = ({ enabledProviders, providerOrder, onEmailLogin, onGoogleLogin, onPhoneLogin, onMagicLinkLogin, onWhatsAppLogin, loading, }) => {
+const ProviderButtons = ({ enabledProviders, providerOrder, onEmailLogin, onGoogleLogin, onAppleLogin, onPhoneLogin, onMagicLinkLogin, onWhatsAppLogin, loading, }) => {
     if (enabledProviders.length === 0)
         return null;
     // Determine the order of providers to display
@@ -359,6 +359,11 @@ const ProviderButtons = ({ enabledProviders, providerOrder, onEmailLogin, onGoog
             icon: (jsxRuntime.jsxs("svg", { width: "20", height: "20", viewBox: "0 0 20 20", fill: "none", children: [jsxRuntime.jsx("path", { d: "M19.6 10.227c0-.709-.064-1.39-.182-2.045H10v3.868h5.382a4.6 4.6 0 01-1.996 3.018v2.51h3.232c1.891-1.742 2.982-4.305 2.982-7.35z", fill: "#4285F4" }), jsxRuntime.jsx("path", { d: "M10 20c2.7 0 4.964-.895 6.618-2.423l-3.232-2.509c-.895.6-2.04.955-3.386.955-2.605 0-4.81-1.76-5.595-4.123H1.064v2.59A9.996 9.996 0 0010 20z", fill: "#34A853" }), jsxRuntime.jsx("path", { d: "M4.405 11.9c-.2-.6-.314-1.24-.314-1.9 0-.66.114-1.3.314-1.9V5.51H1.064A9.996 9.996 0 000 10c0 1.614.386 3.14 1.064 4.49l3.34-2.59z", fill: "#FBBC05" }), jsxRuntime.jsx("path", { d: "M10 3.977c1.468 0 2.786.505 3.823 1.496l2.868-2.868C14.959.99 12.695 0 10 0 6.09 0 2.71 2.24 1.064 5.51l3.34 2.59C5.19 5.736 7.395 3.977 10 3.977z", fill: "#EA4335" })] })),
             onClick: onGoogleLogin
         },
+        apple: {
+            label: 'Continue with Apple',
+            icon: (jsxRuntime.jsx("svg", { width: "20", height: "20", viewBox: "0 0 24 24", fill: "currentColor", "aria-hidden": "true", children: jsxRuntime.jsx("path", { d: "M17.05 20.28c-.98.95-2.05.8-3.08.35-1.09-.46-2.09-.48-3.24 0-1.44.62-2.2.44-3.06-.35C2.79 15.25 3.51 7.59 9.05 7.31c1.35.07 2.29.74 3.08.8 1.18-.24 2.31-.93 3.57-.84 1.51.12 2.65.72 3.4 1.8-3.12 1.87-2.38 5.98.48 7.13-.57 1.5-1.31 2.99-2.54 4.09l.01-.01zM12.03 7.25c-.15-2.23 1.66-4.07 3.74-4.25.29 2.58-2.34 4.5-3.74 4.25z" }) })),
+            onClick: () => onAppleLogin?.()
+        },
         phone: {
             label: 'Continue with Phone',
             icon: (jsxRuntime.jsx("svg", { width: "20", height: "20", viewBox: "0 0 20 20", fill: "none", stroke: "currentColor", children: jsxRuntime.jsx("path", { strokeLinecap: "round", strokeLinejoin: "round", strokeWidth: 2, d: "M3 5a2 2 0 012-2h3.28a1 1 0 01.948.684l1.498 4.493a1 1 0 01-.502 1.21l-2.257 1.13a11.042 11.042 0 005.516 5.516l1.13-2.257a1 1 0 011.21-.502l4.493 1.498a1 1 0 01.684.949V15a2 2 0 01-2 2h-1C7.82 17 2 11.18 2 5V4z" }) })),
@@ -11430,6 +11435,25 @@ class AuthAPI {
             redirectUri,
         });
     }
+    /**
+     * Sign in with Apple via an identity token (from native "Sign in with Apple"
+     * or the web JS flow). The backend verifies the JWT against Apple's keys.
+     *
+     * Delegates to `smartlinks.authKit.appleLogin`, which on success stores the
+     * bearer token automatically and invalidates the SDK cache.
+     */
+    async loginWithApple(identityToken, options) {
+        this.log.log('loginWithApple called:', {
+            tokenLength: identityToken?.length,
+            hasAuthCode: !!options?.authorizationCode,
+            hasUserInfo: !!options?.appleUserInfo,
+        });
+        return smartlinks__namespace.authKit.appleLogin(this.clientId, identityToken, {
+            authorizationCode: options?.authorizationCode,
+            nonce: options?.nonce,
+            userInfo: options?.appleUserInfo,
+        });
+    }
     async sendPhoneCode(phoneNumber) {
         return smartlinks__namespace.authKit.sendPhoneCode(this.clientId, phoneNumber);
     }
@@ -11478,6 +11502,17 @@ class AuthAPI {
             throw error;
         }
     }
+    /**
+     * Complete a password reset OR accept an invite by setting the first password.
+     *
+     * The backend distinguishes the two flows via the token's `metadata.invitedBy`:
+     *  - Plain password reset → returns `{ success, message }` only.
+     *  - Invite acceptance under `verify-auto-login` → returns a full session
+     *    (`token`, `user`, `accountData`, and on native: refresh-token fields)
+     *    so the kit can log the user straight in without bouncing them to /login.
+     *
+     * See: SDK_AUTHKIT_REFRESH_TOKENS / "Invite Auto-Login" spec.
+     */
     async completePasswordReset(token, newPassword) {
         return smartlinks__namespace.authKit.completePasswordReset(this.clientId, token, newPassword);
     }
@@ -11960,6 +11995,24 @@ async function getStorage() {
     storageInstance = await storageInitPromise;
     return storageInstance;
 }
+/**
+ * Install a custom storage backend (e.g. Capacitor Keychain / Keystore).
+ *
+ * Must be called BEFORE `getStorage()` is invoked for the first time
+ * (typically right after your app boots, before `<SmartlinksAuthUI />` mounts).
+ * The supplied adapter then handles ALL token, user, and account persistence
+ * — replacing the default IndexedDB → localStorage → in-memory chain.
+ *
+ * Intended for native shells (Capacitor / Capgo) that want tokens stored in
+ * the OS secure enclave (Keychain on iOS, Keystore on Android) instead of the
+ * WebView's IndexedDB. Implement the `PersistentStorage` interface against
+ * your secure-storage plugin and pass the instance here.
+ */
+function setStorageAdapter(adapter) {
+    StorageFactory.reset();
+    storageInstance = adapter;
+    storageInitPromise = Promise.resolve(adapter);
+}
 /**
  * Listen for storage changes from other tabs
  */
@@ -11978,6 +12031,7 @@ function onStorageChange(callback) {
 }
 const TOKEN_KEY = 'token';
+const REFRESH_TOKEN_KEY = 'refresh_token';
 const USER_KEY = 'user';
 const ACCOUNT_DATA_KEY = 'account_data';
 const ACCOUNT_INFO_KEY = 'account_info';
@@ -12016,6 +12070,28 @@ const tokenStorage = {
         const storage = await getStorage();
         await storage.removeItem(TOKEN_KEY);
     },
+    // ----- Refresh token (native / long-lived sessions) ------------------
+    async saveRefreshToken(token, expiresAt) {
+        const storage = await getStorage();
+        const payload = { token, expiresAt };
+        await storage.setItem(REFRESH_TOKEN_KEY, payload);
+    },
+    async getRefreshToken() {
+        const storage = await getStorage();
+        const rt = await storage.getItem(REFRESH_TOKEN_KEY);
+        if (!rt)
+            return null;
+        if (rt.expiresAt && rt.expiresAt < Date.now()) {
+            console.log('[TokenStorage] Refresh token expired - clearing');
+            await this.clearRefreshToken();
+            return null;
+        }
+        return rt;
+    },
+    async clearRefreshToken() {
+        const storage = await getStorage();
+        await storage.removeItem(REFRESH_TOKEN_KEY);
+    },
     async saveUser(user) {
         const storage = await getStorage();
         await storage.setItem(USER_KEY, user);
@@ -12030,6 +12106,7 @@ const tokenStorage = {
     },
     async clearAll() {
         await this.clearToken();
+        await this.clearRefreshToken();
         await this.clearUser();
         await this.clearAccountData();
         await this.clearAccountInfo();
@@ -12087,12 +12164,18 @@ const tokenStorage = {
 // Export context for optional usage (e.g., SmartlinksFrame can work without AuthProvider)
 const AuthContext = React.createContext(undefined);
-const AuthProvider = ({ children, proxyMode = false, accountCacheTTL = 5 * 60 * 1000, preloadAccountInfo = false,
+const AuthProvider = ({ children, proxyMode = false, accountCacheTTL = 5 * 60 * 1000, preloadAccountInfo = false, clientId: clientIdProp,
 // Token refresh settings
 enableAutoRefresh = true, refreshThresholdPercent = 75, // Refresh when 75% of token lifetime has passed
 refreshCheckInterval = 60 * 1000, // Check every minute
+refreshOnResume,
 // Contact & Interaction features
 collectionId, enableContactSync, enableInteractionTracking, interactionAppId, interactionConfig, }) => {
+    // Resolved client ID — explicit prop wins; otherwise fall back to the
+    // collection's defaultAuthKitId (the standard pattern — see
+    // mem://architecture/default-authkit-collection-property).
+    const [resolvedClientId, setResolvedClientId] = React.useState(clientIdProp);
+    const clientId = resolvedClientId;
     const [user, setUser] = React.useState(null);
     const [token, setToken] = React.useState(null);
     const [accountData, setAccountData] = React.useState(null);
@@ -12108,8 +12191,8 @@ collectionId, enableContactSync, enableInteractionTracking, interactionAppId, in
     const pendingVerificationRef = React.useRef(false);
     const proxyRefreshInFlightRef = React.useRef(false);
     // Stable refs for callbacks to avoid useEffect dependency cycles
-    const syncContactRef = React.useRef();
-    const trackInteractionRef = React.useRef();
+    const syncContactRef = React.useRef(undefined);
+    const trackInteractionRef = React.useRef(undefined);
     // Default to enabled if collectionId is provided
     const shouldSyncContacts = enableContactSync ?? !!collectionId;
     const shouldTrackInteractions = enableInteractionTracking ?? !!collectionId;
@@ -12792,9 +12875,7 @@ collectionId, enableContactSync, enableInteractionTracking, interactionAppId, in
             });
         });
     };
-    const login = React.useCallback(async (authToken, authUser, authAccountData, isNewUser, expiresAt
-    // Note: waitForParentAck removed - we ALWAYS wait for parent ack in iframe mode now
-    ) => {
+    const login = React.useCallback(async (authToken, authUser, authAccountData, isNewUser, expiresAt, refreshTokenValue, refreshTokenExpiresAt) => {
         try {
             // Only persist to storage in standalone mode
             if (!proxyMode) {
@@ -12808,6 +12889,15 @@ collectionId, enableContactSync, enableInteractionTracking, interactionAppId, in
                 else {
                     await tokenStorage.clearAccountData();
                 }
+                // Persist refresh token when the backend issued one (native clients).
+                if (refreshTokenValue) {
+                    const rtExp = refreshTokenExpiresAt
+                        ?? Date.now() + 90 * 24 * 60 * 60 * 1000; // 90d fallback per spec
+                    await tokenStorage.saveRefreshToken(refreshTokenValue, rtExp);
+                }
+                else {
+                    await tokenStorage.clearRefreshToken();
+                }
                 smartlinks__namespace.auth.verifyToken(authToken).catch(() => { });
             }
             // Always update memory state (but NOT isVerified yet - wait for parent ack in iframe mode)
@@ -12871,6 +12961,17 @@ collectionId, enableContactSync, enableInteractionTracking, interactionAppId, in
             }
             // Only clear persistent storage in standalone mode
             if (!proxyMode) {
+                // Best-effort: revoke the refresh-token family server-side before
+                // wiping local state, so a stolen copy is dead immediately.
+                try {
+                    const storedRefresh = await tokenStorage.getRefreshToken();
+                    if (storedRefresh?.token && clientId) {
+                        await smartlinks__namespace.authKit.logout(clientId, storedRefresh.token);
+                    }
+                }
+                catch (err) {
+                    console.warn('[AuthContext] Refresh-token revoke failed (continuing):', err);
+                }
                 await tokenStorage.clearAll();
                 smartlinks__namespace.auth.logout();
             }
@@ -12896,7 +12997,7 @@ collectionId, enableContactSync, enableInteractionTracking, interactionAppId, in
         catch (error) {
             console.error('Failed to clear auth data from storage:', error);
         }
-    }, [proxyMode, notifyAuthStateChange, user, contactId, collectionId, shouldTrackInteractions, trackInteraction]);
+    }, [proxyMode, clientId, notifyAuthStateChange, user, contactId, collectionId, shouldTrackInteractions, trackInteraction]);
     const getToken = React.useCallback(async () => {
         if (proxyMode) {
             return token;
@@ -12923,12 +13024,44 @@ collectionId, enableContactSync, enableInteractionTracking, interactionAppId, in
             expiresIn: Math.max(0, storedToken.expiresAt - Date.now()),
         };
     }, [proxyMode, token]);
-    // Refresh token - validates current token and extends session if backend supports it
+    // Refresh token - prefers the AuthKit refresh-token endpoint when a refresh
+    // token is stored (native clients); otherwise falls back to verify-and-extend
+    // for web clients whose backend still issues only short-lived JWTs.
     const refreshToken = React.useCallback(async () => {
         if (proxyMode) {
             throw new Error('Token refresh in proxy mode is handled by the parent application');
         }
         const storedToken = await tokenStorage.getToken();
+        const storedRefresh = await tokenStorage.getRefreshToken();
+        // -------- Path A: true refresh-token rotation (native) ---------------
+        if (storedRefresh?.token && clientId) {
+            try {
+                const resp = await smartlinks__namespace.authKit.refreshToken(clientId, storedRefresh.token);
+                await tokenStorage.saveToken(resp.token, resp.expiresAt);
+                await tokenStorage.saveRefreshToken(resp.refreshToken, resp.refreshTokenExpiresAt);
+                setToken(resp.token);
+                setIsVerified(true);
+                pendingVerificationRef.current = false;
+                notifyAuthStateChange('TOKEN_REFRESH', user, resp.token, accountData, accountInfo, true, contact, contactId);
+                return resp.token;
+            }
+            catch (error) {
+                console.error('[AuthContext] Refresh-token rotation failed:', error);
+                if (isNetworkError(error))
+                    throw error;
+                // Reuse / invalid / expired → force re-login. The SDK surfaces these
+                // as RefreshErrorCode (INVALID_REFRESH_TOKEN / REUSE_DETECTED / MISSING).
+                const code = error?.errorCode ?? error?.code;
+                if (code === 'INVALID_REFRESH_TOKEN' ||
+                    code === 'REFRESH_TOKEN_REUSE_DETECTED' ||
+                    code === 'MISSING_REFRESH_TOKEN') {
+                    await logout();
+                    throw new Error('Session expired. Please login again.');
+                }
+                // Fall through to verify-and-extend on unexpected errors.
+            }
+        }
+        // -------- Path B: legacy verify-and-extend (web) ---------------------
         if (!storedToken?.token) {
             throw new Error('No token to refresh. Please login first.');
         }
@@ -12953,7 +13086,7 @@ collectionId, enableContactSync, enableInteractionTracking, interactionAppId, in
             await logout();
             throw new Error('Token refresh failed. Please login again.');
         }
-    }, [proxyMode, user, accountData, accountInfo, contact, contactId, notifyAuthStateChange, isNetworkError, logout]);
+    }, [proxyMode, clientId, user, accountData, accountInfo, contact, contactId, notifyAuthStateChange, isNetworkError, logout]);
     const getAccount = React.useCallback(async (forceRefresh = false) => {
         try {
             if (proxyMode) {
@@ -13117,6 +13250,105 @@ collectionId, enableContactSync, enableInteractionTracking, interactionAppId, in
             clearInterval(intervalId);
         };
     }, [proxyMode, enableAutoRefresh, refreshCheckInterval, refreshThresholdPercent, token, user, refreshToken]);
+    // Resolve clientId from the collection's defaultAuthKitId when not provided
+    // explicitly. Most apps only pass `collectionId` — this means refresh-token
+    // rotation and server-side logout revocation still work end-to-end.
+    React.useEffect(() => {
+        if (clientIdProp) {
+            setResolvedClientId(clientIdProp);
+            return;
+        }
+        if (!collectionId)
+            return;
+        let cancelled = false;
+        (async () => {
+            try {
+                const { getDefaultAuthKitId } = await Promise.resolve().then(function () { return defaultAuthKit; });
+                const id = await getDefaultAuthKitId(collectionId);
+                if (!cancelled && id)
+                    setResolvedClientId(id);
+            }
+            catch (err) {
+                console.warn('[AuthContext] Could not resolve default authKitId from collection:', err);
+            }
+        })();
+        return () => { cancelled = true; };
+    }, [clientIdProp, collectionId]);
+    // Refresh-on-resume: fires when the app returns to the foreground.
+    // - Capacitor: `App.addListener('appStateChange')` via dynamic import (no
+    //   runtime dep on web).
+    // - Universal fallback: `document.visibilitychange` — also catches PWAs /
+    //   web tabs that have been backgrounded for hours.
+    React.useEffect(() => {
+        if (proxyMode || !enableAutoRefresh || !token || !user)
+            return;
+        // Default ON when we detect a native shell; OFF otherwise.
+        const isNative = (() => {
+            try {
+                const cap = window.Capacitor;
+                if (cap?.isNativePlatform?.() === true)
+                    return true;
+                if (window.AuthKit?.isNative === true)
+                    return true;
+            }
+            catch { /* noop */ }
+            return false;
+        })();
+        const enabled = refreshOnResume ?? isNative;
+        if (!enabled)
+            return;
+        const maybeRefresh = async () => {
+            try {
+                const storedToken = await tokenStorage.getToken();
+                if (!storedToken?.expiresAt)
+                    return;
+                const remainingMs = storedToken.expiresAt - Date.now();
+                const totalLifetimeMs = 7 * 24 * 60 * 60 * 1000;
+                const percentUsed = ((totalLifetimeMs - remainingMs) / totalLifetimeMs) * 100;
+                if (percentUsed < refreshThresholdPercent)
+                    return;
+                await refreshToken().catch(() => { });
+            }
+            catch (err) {
+                console.error('[AuthContext] Resume refresh check failed:', err);
+            }
+        };
+        // Universal visibility listener
+        const onVisibility = () => {
+            if (document.visibilityState === 'visible')
+                maybeRefresh();
+        };
+        document.addEventListener('visibilitychange', onVisibility);
+        // Capacitor listener (optional)
+        let capRemove;
+        (async () => {
+            try {
+                // Only attempt to load @capacitor/app in an actual native shell.
+                // The specifier is obfuscated so bundlers (Vite/webpack) don't try
+                // to statically resolve an optional peer dependency at build time.
+                const isNative = typeof window !== 'undefined' &&
+                    (window.Capacitor?.isNativePlatform?.() === true ||
+                        window.AuthKit?.isNative === true);
+                if (!isNative)
+                    return;
+                const specifier = ['@capacitor', 'app'].join('/');
+                const dynamicImport = new Function('s', 'return import(s)');
+                const mod = await dynamicImport(specifier);
+                const handle = await mod.App.addListener('appStateChange', (state) => {
+                    if (state.isActive)
+                        maybeRefresh();
+                });
+                capRemove = () => handle?.remove?.();
+            }
+            catch {
+                // @capacitor/app not installed or unavailable — visibilitychange handles it.
+            }
+        })();
+        return () => {
+            document.removeEventListener('visibilitychange', onVisibility);
+            capRemove?.();
+        };
+    }, [proxyMode, enableAutoRefresh, refreshOnResume, refreshThresholdPercent, token, user, refreshToken]);
     const value = {
         user,
         token,
@@ -13378,8 +13610,22 @@ const loadGoogleIdentityServices = () => {
         document.head.appendChild(script);
     });
 };
+// Helper to detect a Capacitor native runtime (iOS/Android shell, not the web)
+const isCapacitorNative = () => {
+    const cap = window.Capacitor;
+    if (!cap)
+        return false;
+    // isNativePlatform() is the modern API; fall back to platform string for older cores
+    if (typeof cap.isNativePlatform === 'function')
+        return cap.isNativePlatform();
+    return cap.platform === 'ios' || cap.platform === 'android';
+};
 // Helper to detect WebView environments (Android/iOS)
 const detectWebView = () => {
+    // Capacitor apps run inside a WebView (WKWebView/Android WebView) but don't
+    // always set the `wv` UA token — treat them as WebView explicitly.
+    if (isCapacitorNative())
+        return true;
     const ua = navigator.userAgent;
     // Android WebView detection
     if (/Android/i.test(ua)) {
@@ -13487,7 +13733,7 @@ const checkSilentGoogleSignIn = async (clientId, googleClientId) => {
     });
 };
 // getFriendlyErrorMessage is now imported from ../utils/errorHandling
-const SmartlinksAuthUI = ({ apiEndpoint, clientId, clientName, accountData, onAuthSuccess, onAuthError, onRedirect, enabledProviders = ['email', 'google', 'phone'], initialMode, signupProminence, redirectUrl, theme = 'light', className, customization, skipConfigFetch = false, minimal = false, logger, proxyMode = false, collectionId, disableConfigCache = false, enableSilentGoogleSignIn = false, whatsappReply, whatsappPrefillMessage, }) => {
+const SmartlinksAuthUI = ({ apiEndpoint, clientId, clientName, accountData, onAuthSuccess, onAuthError, onRedirect, enabledProviders = ['email', 'google', 'phone'], initialMode, signupProminence, redirectUrl, theme = 'light', className, customization, skipConfigFetch = false, minimal = false, logger, proxyMode = false, collectionId, disableConfigCache = false, enableSilentGoogleSignIn = false, nativeAuth, enableSilentNativeSignIn = false, whatsappReply, whatsappPrefillMessage, }) => {
     // Resolve signup prominence from props, customization, config, or default
     const resolvedSignupProminence = signupProminence || customization?.signupProminence || 'minimal';
     // Determine initial mode based on signupProminence setting
@@ -13787,23 +14033,28 @@ const SmartlinksAuthUI = ({ apiEndpoint, clientId, clientName, accountData, onAu
         };
         fetchSchema();
     }, [collectionId, sdkReady]);
-    // Silent Google Sign-In check on mount (for native Android apps)
-    // When enabled, checks if user is already signed in via Google on the native side
+    // Silent Sign-In check on mount (for native apps).
+    // Prefers the injected `nativeAuth.checkSignIn` adapter (Capacitor) when
+    // `enableSilentNativeSignIn` is set; otherwise falls back to the legacy
+    // `window.AuthKit` bridge when `enableSilentGoogleSignIn` is set.
+    const wantsSilentNative = enableSilentNativeSignIn && !!nativeAuth?.checkSignIn;
     React.useEffect(() => {
-        if (!enableSilentGoogleSignIn || silentSignInChecked || !sdkReady || auth.isAuthenticated) {
+        if ((!enableSilentGoogleSignIn && !wantsSilentNative) || silentSignInChecked || !sdkReady || auth.isAuthenticated) {
             return;
         }
         const googleClientId = config?.googleClientId || DEFAULT_GOOGLE_CLIENT_ID;
         const performSilentSignIn = async () => {
             try {
-                const result = await checkSilentGoogleSignIn(clientId, googleClientId);
+                const result = wantsSilentNative
+                    ? await nativeAuth.checkSignIn({ serverClientId: googleClientId })
+                    : await checkSilentGoogleSignIn(clientId, googleClientId);
                 setSilentSignInChecked(true);
                 if (result?.isSignedIn && result.idToken) {
                     setLoading(true);
                     try {
                         const authResponse = await api.loginWithGoogle(result.idToken);
                         if (authResponse.token) {
-                            await auth.login(authResponse.token, authResponse.user, authResponse.accountData, false, getExpirationFromResponse(authResponse));
+                            await auth.login(authResponse.token, authResponse.user, authResponse.accountData, false, getExpirationFromResponse(authResponse), authResponse.refreshToken, authResponse.refreshTokenExpiresAt);
                             setAuthSuccess(true);
                             setSuccessMessage('Signed in automatically with Google!');
                             onAuthSuccess(authResponse.token, authResponse.user, authResponse.accountData);
@@ -13822,7 +14073,7 @@ const SmartlinksAuthUI = ({ apiEndpoint, clientId, clientName, accountData, onAu
             }
         };
         performSilentSignIn();
-    }, [enableSilentGoogleSignIn, silentSignInChecked, sdkReady, auth.isAuthenticated, clientId, config?.googleClientId, api, auth, onAuthSuccess]);
+    }, [enableSilentGoogleSignIn, wantsSilentNative, nativeAuth, silentSignInChecked, sdkReady, auth.isAuthenticated, clientId, config?.googleClientId, api, auth, onAuthSuccess]);
     // Reset showEmailForm when mode changes away from login/register
     React.useEffect(() => {
         if (mode !== 'login' && mode !== 'register') {
@@ -13898,7 +14149,7 @@ const SmartlinksAuthUI = ({ apiEndpoint, clientId, clientName, accountData, onAu
                 if ((verificationMode === 'verify-auto-login' || verificationMode === 'immediate') && response.token) {
                     // Auto-login modes: Log the user in immediately if token is provided
                     // Always await - auth.login now waits for parent ack automatically in iframe mode
-                    await auth.login(response.token, response.user, response.accountData, true, getExpirationFromResponse(response));
+                    await auth.login(response.token, response.user, response.accountData, true, getExpirationFromResponse(response), response.refreshToken, response.refreshTokenExpiresAt);
                     setUrlAuthProcessing(false); // Clear processing state before redirect/success
                     if (redirectUrl) {
                         // Redirect to clean URL and resume flow
@@ -13958,7 +14209,7 @@ const SmartlinksAuthUI = ({ apiEndpoint, clientId, clientName, accountData, onAu
                 // Auto-login with magic link if token is provided
                 if (response.token) {
                     // Always await - auth.login now waits for parent ack automatically in iframe mode
-                    await auth.login(response.token, response.user, response.accountData, true, getExpirationFromResponse(response));
+                    await auth.login(response.token, response.user, response.accountData, true, getExpirationFromResponse(response), response.refreshToken, response.refreshTokenExpiresAt);
                     setUrlAuthProcessing(false); // Clear processing state before redirect/success
                     if (redirectUrl) {
                         // Redirect to clean URL and resume flow
@@ -14033,7 +14284,7 @@ const SmartlinksAuthUI = ({ apiEndpoint, clientId, clientName, accountData, onAu
             log.log('Google OAuth code exchange response:', { hasToken: !!response.token, hasUser: !!response.user, isNewUser: response.isNewUser });
             if (response.token) {
                 // Await login to ensure token is persisted before any navigation
-                await auth.login(response.token, response.user, response.accountData, response.isNewUser, getExpirationFromResponse(response));
+                await auth.login(response.token, response.user, response.accountData, response.isNewUser, getExpirationFromResponse(response), response.refreshToken, response.refreshTokenExpiresAt);
                 setAuthSuccess(true);
                 setSuccessMessage('Google login successful!');
                 onAuthSuccess(response.token, response.user, response.accountData);
@@ -14087,7 +14338,7 @@ const SmartlinksAuthUI = ({ apiEndpoint, clientId, clientName, accountData, onAu
                 // Handle different verification modes
                 if (verificationMode === 'immediate' && response.token) {
                     // Immediate mode: Log in right away if token is provided (isNewUser=true for registration)
-                    await auth.login(response.token, response.user, response.accountData, true, getExpirationFromResponse(response));
+                    await auth.login(response.token, response.user, response.accountData, true, getExpirationFromResponse(response), response.refreshToken, response.refreshTokenExpiresAt);
                     setAuthSuccess(true);
                     const deadline = response.emailVerificationDeadline
                         ? new Date(response.emailVerificationDeadline).toLocaleString()
@@ -14149,7 +14400,7 @@ const SmartlinksAuthUI = ({ apiEndpoint, clientId, clientName, accountData, onAu
                         setLoading(false);
                         return;
                     }
-                    await auth.login(response.token, response.user, response.accountData, false, getExpirationFromResponse(response));
+                    await auth.login(response.token, response.user, response.accountData, false, getExpirationFromResponse(response), response.refreshToken, response.refreshTokenExpiresAt);
                     setAuthSuccess(true);
                     setSuccessMessage('Login successful!');
                     onAuthSuccess(response.token, response.user, response.accountData);
@@ -14279,6 +14530,55 @@ const SmartlinksAuthUI = ({ apiEndpoint, clientId, clientName, accountData, onAu
             }
         });
     };
+    // Finish a login once a backend AuthResponse has been obtained (shared by the
+    // native adapter paths for Google and Apple).
+    const completeNativeLogin = async (authResponse, successLabel) => {
+        if (!authResponse.token) {
+            throw new Error('Authentication failed - no token received');
+        }
+        await auth.login(authResponse.token, authResponse.user, authResponse.accountData, authResponse.isNewUser, getExpirationFromResponse(authResponse));
+        setAuthSuccess(true);
+        setSuccessMessage(successLabel);
+        onAuthSuccess(authResponse.token, authResponse.user, authResponse.accountData);
+    };
+    // Sign in with Apple. Apple is native-only in this kit today: it requires an
+    // injected `nativeAuth` adapter (e.g. a Capacitor plugin) that resolves an
+    // Apple identity token. There is no in-browser fallback yet.
+    const handleAppleLogin = async () => {
+        if (!nativeAuth?.signInWithApple) {
+            log.warn('Apple sign-in requested but no nativeAuth.signInWithApple adapter is configured');
+            setError('Apple Sign-In is not available in this environment.');
+            onAuthError?.(new Error('No nativeAuth.signInWithApple adapter configured'));
+            return;
+        }
+        setLoading(true);
+        setError(undefined);
+        try {
+            log.log('Using native adapter for Apple Sign-In');
+            const result = await nativeAuth.signInWithApple({
+                clientId: config?.appleClientId,
+                scopes: ['name', 'email'],
+            });
+            if (!result?.idToken) {
+                throw new Error('Apple Sign-In did not return an identity token');
+            }
+            const authResponse = await api.loginWithApple(result.idToken, {
+                authorizationCode: result.authorizationCode,
+                nonce: result.nonce,
+                appleUserInfo: result.email || result.name ? { email: result.email, name: result.name } : undefined,
+            });
+            log.log('Native Apple login response:', { hasToken: !!authResponse.token, isNewUser: authResponse.isNewUser });
+            await completeNativeLogin(authResponse, 'Apple login successful!');
+        }
+        catch (err) {
+            log.error('Apple Sign-In failed:', err);
+            setError(getFriendlyErrorMessage(err));
+            onAuthError?.(err instanceof Error ? err : new Error(getFriendlyErrorMessage(err)));
+        }
+        finally {
+            setLoading(false);
+        }
+    };
     const handleGoogleLogin = async () => {
         const hasCustomGoogleClientId = !!config?.googleClientId;
         const googleClientId = config?.googleClientId || DEFAULT_GOOGLE_CLIENT_ID;
@@ -14308,6 +14608,32 @@ const SmartlinksAuthUI = ({ apiEndpoint, clientId, clientName, accountData, onAu
         setLoading(true);
         setError(undefined);
         try {
+            // Priority 0: injected Promise-based native adapter (Capacitor, etc.).
+            // This is the clean path — await the plugin directly, no callback bridge.
+            if (nativeAuth?.signInWithGoogle) {
+                log.log('Using injected nativeAuth adapter for Google Sign-In');
+                try {
+                    const result = await nativeAuth.signInWithGoogle({
+                        serverClientId: googleClientId,
+                        scopes: ['email', 'profile'],
+                    });
+                    if (!result?.idToken) {
+                        throw new Error('Google Sign-In did not return an ID token');
+                    }
+                    const authResponse = await api.loginWithGoogle(result.idToken);
+                    log.log('Native (adapter) Google login response:', { hasToken: !!authResponse.token, isNewUser: authResponse.isNewUser });
+                    await completeNativeLogin(authResponse, 'Google login successful!');
+                }
+                catch (err) {
+                    log.error('Adapter Google Sign-In failed:', err);
+                    setError(getFriendlyErrorMessage(err));
+                    onAuthError?.(err instanceof Error ? err : new Error(getFriendlyErrorMessage(err)));
+                }
+                finally {
+                    setLoading(false);
+                }
+                return;
+            }
             if (nativeBridge) {
                 log.log('Using native bridge for Google Sign-In');
                 const callbackId = `google_auth_${Date.now()}`;
@@ -14326,7 +14652,7 @@ const SmartlinksAuthUI = ({ apiEndpoint, clientId, clientName, accountData, onAu
                             const authResponse = await api.loginWithGoogle(result.idToken);
                             log.log('Native Google login response:', { hasToken: !!authResponse.token, hasUser: !!authResponse.user, isNewUser: authResponse.isNewUser });
                             if (authResponse.token) {
-                                await auth.login(authResponse.token, authResponse.user, authResponse.accountData, authResponse.isNewUser, getExpirationFromResponse(authResponse));
+                                await auth.login(authResponse.token, authResponse.user, authResponse.accountData, authResponse.isNewUser, getExpirationFromResponse(authResponse), authResponse.refreshToken, authResponse.refreshTokenExpiresAt);
                                 setAuthSuccess(true);
                                 setSuccessMessage('Google login successful!');
                                 onAuthSuccess(authResponse.token, authResponse.user, authResponse.accountData);
@@ -14546,7 +14872,7 @@ const SmartlinksAuthUI = ({ apiEndpoint, clientId, clientName, accountData, onAu
                                 log.log('Popup Google login response:', { hasToken: !!authResponse.token, hasUser: !!authResponse.user, isNewUser: authResponse.isNewUser });
                                 if (authResponse.token) {
                                     // Google OAuth can be login or signup - use isNewUser flag from backend if available
-                                    await auth.login(authResponse.token, authResponse.user, authResponse.accountData, authResponse.isNewUser, getExpirationFromResponse(authResponse));
+                                    await auth.login(authResponse.token, authResponse.user, authResponse.accountData, authResponse.isNewUser, getExpirationFromResponse(authResponse), authResponse.refreshToken, authResponse.refreshTokenExpiresAt);
                                     setAuthSuccess(true);
                                     setSuccessMessage('Google login successful!');
                                     onAuthSuccess(authResponse.token, authResponse.user, authResponse.accountData);
@@ -14596,7 +14922,7 @@ const SmartlinksAuthUI = ({ apiEndpoint, clientId, clientName, accountData, onAu
                             log.log('OneTap Google login response:', { hasToken: !!authResponse.token, hasUser: !!authResponse.user, isNewUser: authResponse.isNewUser });
                             if (authResponse.token) {
                                 // Google OAuth can be login or signup - use isNewUser flag from backend if available
-                                await auth.login(authResponse.token, authResponse.user, authResponse.accountData, authResponse.isNewUser, getExpirationFromResponse(authResponse));
+                                await auth.login(authResponse.token, authResponse.user, authResponse.accountData, authResponse.isNewUser, getExpirationFromResponse(authResponse), authResponse.refreshToken, authResponse.refreshTokenExpiresAt);
                                 setAuthSuccess(true);
                                 setSuccessMessage('Google login successful!');
                                 onAuthSuccess(authResponse.token, authResponse.user, authResponse.accountData);
@@ -14678,7 +15004,7 @@ const SmartlinksAuthUI = ({ apiEndpoint, clientId, clientName, accountData, onAu
                     // Phone auth is an INTERACTIVE flow (user entered OTP in UI)
                     // Unlike deep-link flows (email verification, magic link), there's no URL token to clean up
                     // Do NOT auto-redirect - let the parent app control the next step (profile completion, etc.)
-                    await auth.login(response.token, response.user, response.accountData, response.isNewUser, getExpirationFromResponse(response));
+                    await auth.login(response.token, response.user, response.accountData, response.isNewUser, getExpirationFromResponse(response), response.refreshToken, response.refreshTokenExpiresAt);
                     setAuthSuccess(true);
                     setSuccessMessage('Phone verified! You are now logged in.');
                     onAuthSuccess(response.token, response.user, response.accountData);
@@ -14709,9 +15035,22 @@ const SmartlinksAuthUI = ({ apiEndpoint, clientId, clientName, accountData, onAu
         const effectiveRedirectUrl = getRedirectUrl();
         try {
             if (resetToken && confirmPassword) {
-                // Complete password reset with token
-                await api.completePasswordReset(resetToken, emailOrPassword);
-                // Auto-login with the new password if we have the email
+                // Complete password reset (or invite acceptance) with token
+                const completeResponse = await api.completePasswordReset(resetToken, emailOrPassword);
+                // Invite acceptance under verify-auto-login: backend returns a full session.
+                // Adopt it directly — same pattern as verifyEmail / verifyMagicLink — and skip /login.
+                if (completeResponse?.token && completeResponse.user) {
+                    log.log('complete-reset returned a session (invite auto-login), adopting it');
+                    await auth.login(completeResponse.token, completeResponse.user, completeResponse.accountData, true, getExpirationFromResponse(completeResponse), completeResponse.refreshToken, completeResponse.refreshTokenExpiresAt);
+                    setAuthSuccess(true);
+                    setSuccessMessage('Welcome! Your account is ready.');
+                    onAuthSuccess(completeResponse.token, completeResponse.user, completeResponse.accountData);
+                    setResetToken(undefined);
+                    setResetEmail(undefined);
+                    return;
+                }
+                // Plain password reset: no session returned. Try auto-login with the new password
+                // if we have the email on hand.
                 if (resetEmail) {
                     try {
                         log.log('Auto-login after password reset for:', resetEmail);
@@ -14968,7 +15307,7 @@ const SmartlinksAuthUI = ({ apiEndpoint, clientId, clientName, accountData, onAu
                     throw Object.assign(new Error(resultErrorMessage), session);
                 }
                 if (session?.token && session.user) {
-                    await auth.login(session.token, session.user, session.accountData, true, getExpirationFromResponse(session));
+                    await auth.login(session.token, session.user, session.accountData, true, getExpirationFromResponse(session), session.refreshToken, session.refreshTokenExpiresAt);
                     if (!proxyMode) {
                         onAuthSuccess(session.token, session.user, session.accountData);
                     }
@@ -15298,11 +15637,11 @@ const SmartlinksAuthUI = ({ apiEndpoint, clientId, clientName, accountData, onAu
                         const hasEmailProvider = actualProviders.includes('email');
                         // If email provider is not enabled, only show provider buttons (no email/password form)
                         if (!hasEmailProvider) {
-                            return (jsxRuntime.jsx(ProviderButtons, { enabledProviders: actualProviders, providerOrder: providerOrder, onGoogleLogin: handleGoogleLogin, onPhoneLogin: () => setMode('phone'), onMagicLinkLogin: () => setMode('magic-link'), onWhatsAppLogin: () => setMode('whatsapp'), loading: loading }));
+                            return (jsxRuntime.jsx(ProviderButtons, { enabledProviders: actualProviders, providerOrder: providerOrder, onGoogleLogin: handleGoogleLogin, onAppleLogin: handleAppleLogin, onPhoneLogin: () => setMode('phone'), onMagicLinkLogin: () => setMode('magic-link'), onWhatsAppLogin: () => setMode('whatsapp'), loading: loading }));
                         }
                         // Button mode: show provider selection first, then email form if email is selected
                         if (emailDisplayMode === 'button' && !showEmailForm) {
-                            return (jsxRuntime.jsx(ProviderButtons, { enabledProviders: actualProviders, providerOrder: providerOrder, onEmailLogin: () => setShowEmailForm(true), onGoogleLogin: handleGoogleLogin, onPhoneLogin: () => setMode('phone'), onMagicLinkLogin: () => setMode('magic-link'), onWhatsAppLogin: () => setMode('whatsapp'), loading: loading }));
+                            return (jsxRuntime.jsx(ProviderButtons, { enabledProviders: actualProviders, providerOrder: providerOrder, onEmailLogin: () => setShowEmailForm(true), onGoogleLogin: handleGoogleLogin, onAppleLogin: handleAppleLogin, onPhoneLogin: () => setMode('phone'), onMagicLinkLogin: () => setMode('magic-link'), onWhatsAppLogin: () => setMode('whatsapp'), loading: loading }));
                         }
                         // Form mode or email button was clicked: show email form with other providers
                         return (jsxRuntime.jsxs(jsxRuntime.Fragment, { children: [emailDisplayMode === 'button' && showEmailForm && (jsxRuntime.jsx("button", { onClick: () => setShowEmailForm(false), style: {
@@ -15321,7 +15660,7 @@ const SmartlinksAuthUI = ({ apiEndpoint, clientId, clientName, accountData, onAu
                                         setShowResendVerification(false);
                                         setShowRequestNewReset(false);
                                         setError(undefined);
-                                    }, onForgotPassword: () => setMode('reset-password'), loading: loading, error: error, signupProminence: resolvedSignupProminence, signupRedirectUrl: config?.signupRedirectUrl || customization?.signupRedirectUrl, schema: contactSchema, registrationFieldsConfig: config?.registrationFields, additionalFields: config?.signupAdditionalFields }), emailDisplayMode === 'form' && actualProviders.length > 1 && (jsxRuntime.jsx(ProviderButtons, { enabledProviders: actualProviders.filter((p) => p !== 'email'), providerOrder: providerOrder, onGoogleLogin: handleGoogleLogin, onPhoneLogin: () => setMode('phone'), onMagicLinkLogin: () => setMode('magic-link'), onWhatsAppLogin: () => setMode('whatsapp'), loading: loading }))] }));
+                                    }, onForgotPassword: () => setMode('reset-password'), loading: loading, error: error, signupProminence: resolvedSignupProminence, signupRedirectUrl: config?.signupRedirectUrl || customization?.signupRedirectUrl, schema: contactSchema, registrationFieldsConfig: config?.registrationFields, additionalFields: config?.signupAdditionalFields }), emailDisplayMode === 'form' && actualProviders.length > 1 && (jsxRuntime.jsx(ProviderButtons, { enabledProviders: actualProviders.filter((p) => p !== 'email'), providerOrder: providerOrder, onGoogleLogin: handleGoogleLogin, onAppleLogin: handleAppleLogin, onPhoneLogin: () => setMode('phone'), onMagicLinkLogin: () => setMode('magic-link'), onWhatsAppLogin: () => setMode('whatsapp'), loading: loading }))] }));
                     })()] })) })) : null }));
 };
@@ -16462,6 +16801,12 @@ async function setDefaultAuthKitId(collectionId, authKitId) {
     });
 }
+var defaultAuthKit = /*#__PURE__*/Object.freeze({
+    __proto__: null,
+    getDefaultAuthKitId: getDefaultAuthKitId,
+    setDefaultAuthKitId: setDefaultAuthKitId
+});
 exports.AccountManagement = AccountManagement;
 exports.AuthProvider = AuthProvider;
 exports.AuthUIPreview = AuthUIPreview;
@@ -16485,6 +16830,7 @@ exports.isRateLimitError = isRateLimitError;
 exports.isServerError = isServerError;
 exports.resolveFields = resolveFields;
 exports.setDefaultAuthKitId = setDefaultAuthKitId;
+exports.setStorageAdapter = setStorageAdapter;
 exports.sortFieldsByPlacement = sortFieldsByPlacement;
 exports.tokenStorage = tokenStorage;
 exports.useAdminDetection = useAdminDetection;