@pulseid/client 0.1.0

package/README.md

@@ -0,0 +1,85 @@
+# @pulseid/client
+
+TypeScript SDK for [PULSE ID](https://id.pulserunning.at).
+
+## Install
+
+```bash
+pnpm add @pulseid/client
+```
+
+## Server (Recommended)
+
+```typescript
+import { PulseIdServer } from '@pulseid/client/server';
+
+const server = new PulseIdServer({
+  issuer: 'https://id.pulserunning.at',
+  clientId: process.env.PULSEID_CLIENT_ID!,
+  clientSecret: process.env.PULSEID_CLIENT_SECRET!,
+  storage: tokenStorage,
+});
+
+// Get a user-scoped client with auto-refresh
+const pulse = server.forUser(userId);
+const profile = await pulse.profile.get();
+await pulse.profile.update({ displayName: 'New Name' });
+```
+
+## Browser
+
+```typescript
+import { PulseIdClient } from '@pulseid/client';
+
+const client = new PulseIdClient({
+  issuer: 'https://id.pulserunning.at',
+  clientId: 'your-client-id',
+});
+
+// Build auth URL
+const authUrl = client.buildAuthorizationUrl({
+  redirectUri: 'https://yourapp.com/callback',
+  scope: 'openid profile email offline_access',
+  state: crypto.randomUUID(),
+  nonce: crypto.randomUUID(),
+  codeChallenge,
+  codeChallengeMethod: 'S256',
+});
+
+// After callback
+const profile = await client.getProfile(accessToken);
+```
+
+## Token Storage
+
+```typescript
+import type { TokenStorage, StoredTokens } from '@pulseid/client/server';
+
+const tokenStorage: TokenStorage = {
+  async getTokens(userId) { /* fetch from db */ },
+  async setTokens(userId, tokens) { /* save to db */ },
+  async deleteTokens(userId) { /* delete from db */ },
+};
+```
+
+## Error Handling
+
+```typescript
+import { InvalidTokenError, InsufficientScopeError } from '@pulseid/client';
+
+try {
+  await pulse.profile.get();
+} catch (error) {
+  if (error instanceof InvalidTokenError) redirect('/login');
+  if (error instanceof InsufficientScopeError) console.log(error.requiredScope);
+  throw error;
+}
+```
+
+## Docs
+
+See [docs](./docs) or run `pnpm docs:dev`.
+
+## License
+
+MIT

package/dist/chunk-BRQ2T53Z.js

@@ -0,0 +1,406 @@
+// src/errors.ts
+var PulseIdError = class _PulseIdError extends Error {
+  code;
+  statusCode;
+  constructor(code, message, statusCode = 400) {
+    super(message);
+    this.name = "PulseIdError";
+    this.code = code;
+    this.statusCode = statusCode;
+    if (Error.captureStackTrace) {
+      Error.captureStackTrace(this, _PulseIdError);
+    }
+  }
+  /**
+   * Create an error from an API response.
+   */
+  static fromResponse(response, statusCode) {
+    const code = mapErrorCode(response.error);
+    switch (code) {
+      case "invalid_token":
+      case "expired_token":
+        return new InvalidTokenError(response.error_description);
+      case "insufficient_scope":
+        return new InsufficientScopeError(
+          response.error_description,
+          response.required_scope
+        );
+      case "not_found":
+        return new NotFoundError(response.error_description);
+      default:
+        return new _PulseIdError(code, response.error_description, statusCode);
+    }
+  }
+};
+var InvalidTokenError = class extends PulseIdError {
+  constructor(message = "Invalid or expired access token") {
+    super("invalid_token", message, 401);
+    this.name = "InvalidTokenError";
+  }
+};
+var InsufficientScopeError = class extends PulseIdError {
+  requiredScope;
+  constructor(message, requiredScope) {
+    super("insufficient_scope", message, 403);
+    this.name = "InsufficientScopeError";
+    this.requiredScope = requiredScope;
+  }
+};
+var NotFoundError = class extends PulseIdError {
+  constructor(message = "Resource not found") {
+    super("not_found", message, 404);
+    this.name = "NotFoundError";
+  }
+};
+var NetworkError = class extends PulseIdError {
+  cause;
+  constructor(message, cause) {
+    super("server_error", message, 0);
+    this.name = "NetworkError";
+    this.cause = cause;
+  }
+};
+var TimeoutError = class extends PulseIdError {
+  constructor(message = "Request timed out") {
+    super("server_error", message, 0);
+    this.name = "TimeoutError";
+  }
+};
+function mapErrorCode(apiError) {
+  switch (apiError) {
+    case "invalid_token":
+      return "invalid_token";
+    case "expired_token":
+      return "expired_token";
+    case "insufficient_scope":
+      return "insufficient_scope";
+    case "not_found":
+      return "not_found";
+    case "invalid_request":
+      return "invalid_request";
+    default:
+      return "server_error";
+  }
+}
+
+// src/http.ts
+var DEFAULT_TIMEOUT = 3e4;
+function validateIssuerUrl(issuer) {
+  let url;
+  try {
+    url = new URL(issuer);
+  } catch {
+    throw new Error(`Invalid issuer URL: ${issuer}`);
+  }
+  if (url.username || url.password) {
+    throw new Error(`Issuer URL must not include credentials: ${issuer}`);
+  }
+  const isLocalhost = url.hostname === "localhost" || url.hostname === "127.0.0.1" || url.hostname === "::1";
+  if (url.protocol !== "https:" && !isLocalhost) {
+    throw new Error(`Issuer URL must use HTTPS: ${issuer}`);
+  }
+  return url.origin + url.pathname.replace(/\/$/, "");
+}
+function createHttpClient(config) {
+  const baseUrl = validateIssuerUrl(config.issuer);
+  const fetchFn = config.fetch ?? globalThis.fetch;
+  const timeout = config.timeout ?? DEFAULT_TIMEOUT;
+  async function request(path, options) {
+    const url = `${baseUrl}${path}`;
+    const controller = new AbortController();
+    const timeoutId = setTimeout(() => {
+      controller.abort();
+    }, options.timeout ?? timeout);
+    try {
+      const response = await fetchFn(url, {
+        method: options.method,
+        headers: {
+          "Content-Type": "application/json",
+          Accept: "application/json",
+          ...options.headers
+        },
+        ...options.body !== void 0 && { body: JSON.stringify(options.body) },
+        signal: controller.signal
+      });
+      clearTimeout(timeoutId);
+      const contentType = response.headers.get("content-type");
+      const isJson = contentType?.includes("application/json");
+      if (!response.ok) {
+        if (isJson) {
+          const errorBody = await response.json();
+          throw PulseIdError.fromResponse(errorBody, response.status);
+        }
+        const errorText = await response.text();
+        throw new PulseIdError(
+          "server_error",
+          errorText || `HTTP ${response.status}`,
+          response.status
+        );
+      }
+      if (response.status === 204 || !isJson) {
+        return {};
+      }
+      return await response.json();
+    } catch (error) {
+      clearTimeout(timeoutId);
+      if (error instanceof PulseIdError) {
+        throw error;
+      }
+      if (error instanceof DOMException && error.name === "AbortError") {
+        throw new TimeoutError(`Request to ${path} timed out after ${timeout}ms`);
+      }
+      if (error instanceof TypeError) {
+        throw new NetworkError(`Network request to ${path} failed`, error);
+      }
+      throw new NetworkError(
+        `Unknown error during request to ${path}`,
+        error instanceof Error ? error : void 0
+      );
+    }
+  }
+  return {
+    /**
+     * Make a GET request.
+     */
+    get(path, headers) {
+      return request(path, { method: "GET", ...headers && { headers } });
+    },
+    /**
+     * Make a POST request.
+     */
+    post(path, body, headers) {
+      return request(path, { method: "POST", body, ...headers && { headers } });
+    },
+    /**
+     * Make a PATCH request.
+     */
+    patch(path, body, headers) {
+      return request(path, { method: "PATCH", body, ...headers && { headers } });
+    },
+    /**
+     * Make a DELETE request.
+     */
+    delete(path, headers) {
+      return request(path, { method: "DELETE", ...headers && { headers } });
+    },
+    /**
+     * Make a form-encoded POST request (for OAuth token endpoints).
+     */
+    async postForm(path, data, headers) {
+      const url = `${baseUrl}${path}`;
+      const controller = new AbortController();
+      const timeoutId = setTimeout(() => controller.abort(), timeout);
+      try {
+        const response = await fetchFn(url, {
+          method: "POST",
+          headers: {
+            "Content-Type": "application/x-www-form-urlencoded",
+            Accept: "application/json",
+            ...headers
+          },
+          body: new URLSearchParams(data).toString(),
+          signal: controller.signal
+        });
+        clearTimeout(timeoutId);
+        const contentType = response.headers.get("content-type");
+        const isJson = contentType?.includes("application/json");
+        if (!response.ok) {
+          if (isJson) {
+            const errorBody = await response.json();
+            throw PulseIdError.fromResponse(errorBody, response.status);
+          }
+          const errorText = await response.text();
+          throw new PulseIdError(
+            "server_error",
+            errorText || `HTTP ${response.status}`,
+            response.status
+          );
+        }
+        return await response.json();
+      } catch (error) {
+        clearTimeout(timeoutId);
+        if (error instanceof PulseIdError) throw error;
+        if (error instanceof DOMException && error.name === "AbortError") {
+          throw new TimeoutError();
+        }
+        throw new NetworkError(
+          `Request to ${path} failed`,
+          error instanceof Error ? error : void 0
+        );
+      }
+    }
+  };
+}
+
+// src/client.ts
+var PulseIdClient = class {
+  http;
+  config;
+  constructor(config) {
+    this.config = config;
+    this.http = createHttpClient(config);
+  }
+  // ===========================================================================
+  // PROFILE
+  // ===========================================================================
+  /**
+   * Get the authenticated user's profile.
+   *
+   * The fields returned depend on the scopes granted to the access token:
+   * - `profile`: name, avatar, birthday, etc.
+   * - `email`: email address and verification status
+   * - `address`: address information
+   * - `phone`: phone number
+   *
+   * @param accessToken - A valid access token
+   * @returns The user's profile
+   *
+   * @example
+   * ```typescript
+   * const profile = await client.getProfile(accessToken);
+   * console.log(`Hello, ${profile.displayName}!`);
+   * ```
+   */
+  async getProfile(accessToken) {
+    return this.http.get("/api/v1/me", {
+      Authorization: `Bearer ${accessToken}`
+    });
+  }
+  /**
+   * Update the authenticated user's profile.
+   *
+   * Requires the `profile:write` scope.
+   *
+   * @param accessToken - A valid access token with `profile:write` scope
+   * @param data - The profile fields to update
+   * @returns The updated profile
+   *
+   * @example
+   * ```typescript
+   * const updated = await client.updateProfile(accessToken, {
+   *   displayName: 'Max Runner',
+   *   height: 180,
+   * });
+   * ```
+   */
+  async updateProfile(accessToken, data) {
+    return this.http.patch("/api/v1/me", data, {
+      Authorization: `Bearer ${accessToken}`
+    });
+  }
+  /**
+   * Get the authenticated user's OIDC userinfo.
+   *
+   * Requires the `openid` scope. Additional fields depend on granted scopes.
+   *
+   * @param accessToken - A valid access token
+   * @returns The user's OIDC userinfo
+   *
+   * @example
+   * ```typescript
+   * const info = await client.getUserInfo(accessToken);
+   * console.log(info.sub);
+   * ```
+   */
+  async getUserInfo(accessToken) {
+    return this.http.get("/userinfo", {
+      Authorization: `Bearer ${accessToken}`
+    });
+  }
+  // ===========================================================================
+  // UTILITY METHODS
+  // ===========================================================================
+  /**
+   * Get the configured issuer URL.
+   */
+  get issuer() {
+    return this.config.issuer;
+  }
+  /**
+   * Get the configured client ID.
+   */
+  get clientId() {
+    return this.config.clientId;
+  }
+  /**
+   * Build an authorization URL for the OAuth flow.
+   *
+   * @param options - Authorization options
+   * @returns The authorization URL to redirect the user to
+   *
+   * @example
+   * ```typescript
+   * const authUrl = client.buildAuthorizationUrl({
+   *   redirectUri: 'https://myapp.com/callback',
+   *   scope: 'openid profile email',
+   *   state: 'random-state-string',
+   * });
+   * window.location.href = authUrl;
+   * ```
+   */
+  buildAuthorizationUrl(options) {
+    if (options.codeChallengeMethod && options.codeChallengeMethod !== "S256") {
+      throw new Error("code_challenge_method must be S256");
+    }
+    if (!options.state) {
+      throw new Error("state is required for authorization requests");
+    }
+    if (!options.codeChallenge) {
+      throw new Error("code_challenge is required for authorization requests");
+    }
+    const scopes = options.scope.split(" ").filter(Boolean);
+    if (scopes.includes("openid") && !options.nonce) {
+      throw new Error("nonce is required when requesting openid scope");
+    }
+    const url = new URL(`${this.config.issuer}/authorize`);
+    url.searchParams.set("response_type", "code");
+    url.searchParams.set("client_id", this.config.clientId);
+    url.searchParams.set("redirect_uri", options.redirectUri);
+    url.searchParams.set("scope", options.scope);
+    url.searchParams.set("state", options.state);
+    if (options.nonce) {
+      url.searchParams.set("nonce", options.nonce);
+    }
+    url.searchParams.set("code_challenge", options.codeChallenge);
+    url.searchParams.set("code_challenge_method", options.codeChallengeMethod ?? "S256");
+    if (options.prompt) {
+      url.searchParams.set("prompt", options.prompt);
+    }
+    if (options.loginHint) {
+      url.searchParams.set("login_hint", options.loginHint);
+    }
+    return url.toString();
+  }
+  /**
+   * Build a logout URL for ending the session.
+   *
+   * @param options - Logout options
+   * @returns The logout URL to redirect the user to
+   *
+   * @example
+   * ```typescript
+   * const logoutUrl = client.buildLogoutUrl({
+   *   idTokenHint: idToken,
+   *   postLogoutRedirectUri: 'https://myapp.com',
+   * });
+   * window.location.href = logoutUrl;
+   * ```
+   */
+  buildLogoutUrl(options) {
+    const url = new URL(`${this.config.issuer}/logout`);
+    if (options?.idTokenHint) {
+      url.searchParams.set("id_token_hint", options.idTokenHint);
+    }
+    if (options?.postLogoutRedirectUri) {
+      url.searchParams.set("post_logout_redirect_uri", options.postLogoutRedirectUri);
+    }
+    if (options?.state) {
+      url.searchParams.set("state", options.state);
+    }
+    return url.toString();
+  }
+};
+
+export { InsufficientScopeError, InvalidTokenError, NetworkError, NotFoundError, PulseIdClient, PulseIdError, TimeoutError };
+//# sourceMappingURL=chunk-BRQ2T53Z.js.map
+//# sourceMappingURL=chunk-BRQ2T53Z.js.map

package/dist/chunk-BRQ2T53Z.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../src/errors.ts","../src/http.ts","../src/client.ts"],"names":[],"mappings":";AAWO,IAAM,YAAA,GAAN,MAAM,aAAA,SAAqB,KAAA,CAAM;AAAA,EAC7B,IAAA;AAAA,EACA,UAAA;AAAA,EAET,WAAA,CAAY,IAAA,EAAiB,OAAA,EAAiB,UAAA,GAAa,GAAA,EAAK;AAC9D,IAAA,KAAA,CAAM,OAAO,CAAA;AACb,IAAA,IAAA,CAAK,IAAA,GAAO,cAAA;AACZ,IAAA,IAAA,CAAK,IAAA,GAAO,IAAA;AACZ,IAAA,IAAA,CAAK,UAAA,GAAa,UAAA;AAGlB,IAAA,IAAI,MAAM,iBAAA,EAAmB;AAC3B,MAAA,KAAA,CAAM,iBAAA,CAAkB,MAAM,aAAY,CAAA;AAAA,IAC5C;AAAA,EACF;AAAA;AAAA;AAAA;AAAA,EAKA,OAAO,YAAA,CAAa,QAAA,EAA4B,UAAA,EAAkC;AAChF,IAAA,MAAM,IAAA,GAAO,YAAA,CAAa,QAAA,CAAS,KAAK,CAAA;AAExC,IAAA,QAAQ,IAAA;AAAM,MACZ,KAAK,eAAA;AAAA,MACL,KAAK,eAAA;AACH,QAAA,OAAO,IAAI,iBAAA,CAAkB,QAAA,CAAS,iBAAiB,CAAA;AAAA,MACzD,KAAK,oBAAA;AACH,QAAA,OAAO,IAAI,sBAAA;AAAA,UACT,QAAA,CAAS,iBAAA;AAAA,UACT,QAAA,CAAS;AAAA,SACX;AAAA,MACF,KAAK,WAAA;AACH,QAAA,OAAO,IAAI,aAAA,CAAc,QAAA,CAAS,iBAAiB,CAAA;AAAA,MACrD;AACE,QAAA,OAAO,IAAI,aAAA,CAAa,IAAA,EAAM,QAAA,CAAS,mBAAmB,UAAU,CAAA;AAAA;AACxE,EACF;AACF;AAKO,IAAM,iBAAA,GAAN,cAAgC,YAAA,CAAa;AAAA,EAClD,WAAA,CAAY,UAAU,iCAAA,EAAmC;AACvD,IAAA,KAAA,CAAM,eAAA,EAAiB,SAAS,GAAG,CAAA;AACnC,IAAA,IAAA,CAAK,IAAA,GAAO,mBAAA;AAAA,EACd;AACF;AAKO,IAAM,sBAAA,GAAN,cAAqC,YAAA,CAAa;AAAA,EAC9C,aAAA;AAAA,EAET,WAAA,CAAY,SAAiB,aAAA,EAAwB;AACnD,IAAA,KAAA,CAAM,oBAAA,EAAsB,SAAS,GAAG,CAAA;AACxC,IAAA,IAAA,CAAK,IAAA,GAAO,wBAAA;AACZ,IAAA,IAAA,CAAK,aAAA,GAAgB,aAAA;AAAA,EACvB;AACF;AAKO,IAAM,aAAA,GAAN,cAA4B,YAAA,CAAa;AAAA,EAC9C,WAAA,CAAY,UAAU,oBAAA,EAAsB;AAC1C,IAAA,KAAA,CAAM,WAAA,EAAa,SAAS,GAAG,CAAA;AAC/B,IAAA,IAAA,CAAK,IAAA,GAAO,eAAA;AAAA,EACd;AACF;AAKO,IAAM,YAAA,GAAN,cAA2B,YAAA,CAAa;AAAA,EACpC,KAAA;AAAA,EAET,WAAA,CAAY,SAAiB,KAAA,EAAe;AAC1C,IAAA,KAAA,CAAM,cAAA,EAAgB,SAAS,CAAC,CAAA;AAChC,IAAA,IAAA,CAAK,IAAA,GAAO,cAAA;AACZ,IAAA,IAAA,CAAK,KAAA,GAAQ,KAAA;AAAA,EACf;AACF;AAKO,IAAM,YAAA,GAAN,cAA2B,YAAA,CAAa;AAAA,EAC7C,WAAA,CAAY,UAAU,mBAAA,EAAqB;AACzC,IAAA,KAAA,CAAM,cAAA,EAAgB,SAAS,CAAC,CAAA;AAChC,IAAA,IAAA,CAAK,IAAA,GAAO,cAAA;AAAA,EACd;AACF;AAKA,SAAS,aAAa,QAAA,EAA6B;AACjD,EAAA,QAAQ,QAAA;AAAU,IAChB,KAAK,eAAA;AACH,MAAA,OAAO,eAAA;AAAA,IACT,KAAK,eAAA;AACH,MAAA,OAAO,eAAA;AAAA,IACT,KAAK,oBAAA;AACH,MAAA,OAAO,oBAAA;AAAA,IACT,KAAK,WAAA;AACH,MAAA,OAAO,WAAA;AAAA,IACT,KAAK,iBAAA;AACH,MAAA,OAAO,iBAAA;AAAA,IACT;AACE,MAAA,OAAO,cAAA;AAAA;AAEb;;;ACnHA,IAAM,eAAA,GAAkB,GAAA;AAexB,SAAS,kBAAkB,MAAA,EAAwB;AACjD,EAAA,IAAI,GAAA;AACJ,EAAA,IAAI;AACF,IAAA,GAAA,GAAM,IAAI,IAAI,MAAM,CAAA;AAAA,EACtB,CAAA,CAAA,MAAQ;AACN,IAAA,MAAM,IAAI,KAAA,CAAM,CAAA,oBAAA,EAAuB,MAAM,CAAA,CAAE,CAAA;AAAA,EACjD;AAEA,EAAA,IAAI,GAAA,CAAI,QAAA,IAAY,GAAA,CAAI,QAAA,EAAU;AAChC,IAAA,MAAM,IAAI,KAAA,CAAM,CAAA,yCAAA,EAA4C,MAAM,CAAA,CAAE,CAAA;AAAA,EACtE;AAGA,EAAA,MAAM,WAAA,GACJ,IAAI,QAAA,KAAa,WAAA,IAAe,IAAI,QAAA,KAAa,WAAA,IAAe,IAAI,QAAA,KAAa,KAAA;AACnF,EAAA,IAAI,GAAA,CAAI,QAAA,KAAa,QAAA,IAAY,CAAC,WAAA,EAAa;AAC7C,IAAA,MAAM,IAAI,KAAA,CAAM,CAAA,2BAAA,EAA8B,MAAM,CAAA,CAAE,CAAA;AAAA,EACxD;AAGA,EAAA,OAAO,IAAI,MAAA,GAAS,GAAA,CAAI,QAAA,CAAS,OAAA,CAAQ,OAAO,EAAE,CAAA;AACpD;AAKO,SAAS,iBAAiB,MAAA,EAAuB;AACtD,EAAA,MAAM,OAAA,GAAU,iBAAA,CAAkB,MAAA,CAAO,MAAM,CAAA;AAC/C,EAAA,MAAM,OAAA,GAAU,MAAA,CAAO,KAAA,IAAS,UAAA,CAAW,KAAA;AAC3C,EAAA,MAAM,OAAA,GAAU,OAAO,OAAA,IAAW,eAAA;AAKlC,EAAA,eAAe,OAAA,CAAW,MAAc,OAAA,EAAqC;AAC3E,IAAA,MAAM,GAAA,GAAM,CAAA,EAAG,OAAO,CAAA,EAAG,IAAI,CAAA,CAAA;AAC7B,IAAA,MAAM,UAAA,GAAa,IAAI,eAAA,EAAgB;AAGvC,IAAA,MAAM,SAAA,GAAY,WAAW,MAAM;AACjC,MAAA,UAAA,CAAW,KAAA,EAAM;AAAA,IACnB,CAAA,EAAG,OAAA,CAAQ,OAAA,IAAW,OAAO,CAAA;AAE7B,IAAA,IAAI;AACF,MAAA,MAAM,QAAA,GAAW,MAAM,OAAA,CAAQ,GAAA,EAAK;AAAA,QAClC,QAAQ,OAAA,CAAQ,MAAA;AAAA,QAChB,OAAA,EAAS;AAAA,UACP,cAAA,EAAgB,kBAAA;AAAA,UAChB,MAAA,EAAQ,kBAAA;AAAA,UACR,GAAG,OAAA,CAAQ;AAAA,SACb;AAAA,QACA,GAAI,OAAA,CAAQ,IAAA,KAAS,KAAA,CAAA,IAAa,EAAE,MAAM,IAAA,CAAK,SAAA,CAAU,OAAA,CAAQ,IAAI,CAAA,EAAE;AAAA,QACvE,QAAQ,UAAA,CAAW;AAAA,OACpB,CAAA;AAGD,MAAA,YAAA,CAAa,SAAS,CAAA;AAGtB,MAAA,MAAM,WAAA,GAAc,QAAA,CAAS,OAAA,CAAQ,GAAA,CAAI,cAAc,CAAA;AACvD,MAAA,MAAM,MAAA,GAAS,WAAA,EAAa,QAAA,CAAS,kBAAkB,CAAA;AAEvD,MAAA,IAAI,CAAC,SAAS,EAAA,EAAI;AAChB,QAAA,IAAI,MAAA,EAAQ;AACV,UAAA,MAAM,SAAA,GAAa,MAAM,QAAA,CAAS,IAAA,EAAK;AACvC,UAAA,MAAM,YAAA,CAAa,YAAA,CAAa,SAAA,EAAW,QAAA,CAAS,MAAM,CAAA;AAAA,QAC5D;AAEA,QAAA,MAAM,SAAA,GAAY,MAAM,QAAA,CAAS,IAAA,EAAK;AACtC,QAAA,MAAM,IAAI,YAAA;AAAA,UACR,cAAA;AAAA,UACA,SAAA,IAAa,CAAA,KAAA,EAAQ,QAAA,CAAS,MAAM,CAAA,CAAA;AAAA,UACpC,QAAA,CAAS;AAAA,SACX;AAAA,MACF;AAGA,MAAA,IAAI,QAAA,CAAS,MAAA,KAAW,GAAA,IAAO,CAAC,MAAA,EAAQ;AACtC,QAAA,OAAO,EAAC;AAAA,MACV;AAEA,MAAA,OAAQ,MAAM,SAAS,IAAA,EAAK;AAAA,IAC9B,SAAS,KAAA,EAAO;AACd,MAAA,YAAA,CAAa,SAAS,CAAA;AAGtB,MAAA,IAAI,iBAAiB,YAAA,EAAc;AACjC,QAAA,MAAM,KAAA;AAAA,MACR;AAGA,MAAA,IAAI,KAAA,YAAiB,YAAA,IAAgB,KAAA,CAAM,IAAA,KAAS,YAAA,EAAc;AAChE,QAAA,MAAM,IAAI,YAAA,CAAa,CAAA,WAAA,EAAc,IAAI,CAAA,iBAAA,EAAoB,OAAO,CAAA,EAAA,CAAI,CAAA;AAAA,MAC1E;AAGA,MAAA,IAAI,iBAAiB,SAAA,EAAW;AAC9B,QAAA,MAAM,IAAI,YAAA,CAAa,CAAA,mBAAA,EAAsB,IAAI,WAAW,KAAK,CAAA;AAAA,MACnE;AAGA,MAAA,MAAM,IAAI,YAAA;AAAA,QACR,mCAAmC,IAAI,CAAA,CAAA;AAAA,QACvC,KAAA,YAAiB,QAAQ,KAAA,GAAQ;AAAA,OACnC;AAAA,IACF;AAAA,EACF;AAEA,EAAA,OAAO;AAAA;AAAA;AAAA;AAAA,IAIL,GAAA,CAAO,MAAc,OAAA,EAA8C;AACjE,MAAA,OAAO,OAAA,CAAW,IAAA,EAAM,EAAE,MAAA,EAAQ,KAAA,EAAO,GAAI,OAAA,IAAW,EAAE,OAAA,EAAQ,EAAI,CAAA;AAAA,IACxE,CAAA;AAAA;AAAA;AAAA;AAAA,IAKA,IAAA,CAAQ,IAAA,EAAc,IAAA,EAAgB,OAAA,EAA8C;AAClF,MAAA,OAAO,OAAA,CAAW,IAAA,EAAM,EAAE,MAAA,EAAQ,MAAA,EAAQ,IAAA,EAAM,GAAI,OAAA,IAAW,EAAE,OAAA,EAAQ,EAAI,CAAA;AAAA,IAC/E,CAAA;AAAA;AAAA;AAAA;AAAA,IAKA,KAAA,CAAS,IAAA,EAAc,IAAA,EAAgB,OAAA,EAA8C;AACnF,MAAA,OAAO,OAAA,CAAW,IAAA,EAAM,EAAE,MAAA,EAAQ,OAAA,EAAS,IAAA,EAAM,GAAI,OAAA,IAAW,EAAE,OAAA,EAAQ,EAAI,CAAA;AAAA,IAChF,CAAA;AAAA;AAAA;AAAA;AAAA,IAKA,MAAA,CAAU,MAAc,OAAA,EAA8C;AACpE,MAAA,OAAO,OAAA,CAAW,IAAA,EAAM,EAAE,MAAA,EAAQ,QAAA,EAAU,GAAI,OAAA,IAAW,EAAE,OAAA,EAAQ,EAAI,CAAA;AAAA,IAC3E,CAAA;AAAA;AAAA;AAAA;AAAA,IAKA,MAAM,QAAA,CACJ,IAAA,EACA,IAAA,EACA,OAAA,EACY;AACZ,MAAA,MAAM,GAAA,GAAM,CAAA,EAAG,OAAO,CAAA,EAAG,IAAI,CAAA,CAAA;AAC7B,MAAA,MAAM,UAAA,GAAa,IAAI,eAAA,EAAgB;AACvC,MAAA,MAAM,YAAY,UAAA,CAAW,MAAM,UAAA,CAAW,KAAA,IAAS,OAAO,CAAA;AAE9D,MAAA,IAAI;AACF,QAAA,MAAM,QAAA,GAAW,MAAM,OAAA,CAAQ,GAAA,EAAK;AAAA,UAClC,MAAA,EAAQ,MAAA;AAAA,UACR,OAAA,EAAS;AAAA,YACP,cAAA,EAAgB,mCAAA;AAAA,YAChB,MAAA,EAAQ,kBAAA;AAAA,YACR,GAAG;AAAA,WACL;AAAA,UACA,IAAA,EAAM,IAAI,eAAA,CAAgB,IAAI,EAAE,QAAA,EAAS;AAAA,UACzC,QAAQ,UAAA,CAAW;AAAA,SACpB,CAAA;AAED,QAAA,YAAA,CAAa,SAAS,CAAA;AAEtB,QAAA,MAAM,WAAA,GAAc,QAAA,CAAS,OAAA,CAAQ,GAAA,CAAI,cAAc,CAAA;AACvD,QAAA,MAAM,MAAA,GAAS,WAAA,EAAa,QAAA,CAAS,kBAAkB,CAAA;AAEvD,QAAA,IAAI,CAAC,SAAS,EAAA,EAAI;AAChB,UAAA,IAAI,MAAA,EAAQ;AACV,YAAA,MAAM,SAAA,GAAa,MAAM,QAAA,CAAS,IAAA,EAAK;AACvC,YAAA,MAAM,YAAA,CAAa,YAAA,CAAa,SAAA,EAAW,QAAA,CAAS,MAAM,CAAA;AAAA,UAC5D;AAEA,UAAA,MAAM,SAAA,GAAY,MAAM,QAAA,CAAS,IAAA,EAAK;AACtC,UAAA,MAAM,IAAI,YAAA;AAAA,YACR,cAAA;AAAA,YACA,SAAA,IAAa,CAAA,KAAA,EAAQ,QAAA,CAAS,MAAM,CAAA,CAAA;AAAA,YACpC,QAAA,CAAS;AAAA,WACX;AAAA,QACF;AAEA,QAAA,OAAQ,MAAM,SAAS,IAAA,EAAK;AAAA,MAC9B,SAAS,KAAA,EAAO;AACd,QAAA,YAAA,CAAa,SAAS,CAAA;AAEtB,QAAA,IAAI,KAAA,YAAiB,cAAc,MAAM,KAAA;AACzC,QAAA,IAAI,KAAA,YAAiB,YAAA,IAAgB,KAAA,CAAM,IAAA,KAAS,YAAA,EAAc;AAChE,UAAA,MAAM,IAAI,YAAA,EAAa;AAAA,QACzB;AACA,QAAA,MAAM,IAAI,YAAA;AAAA,UACR,cAAc,IAAI,CAAA,OAAA,CAAA;AAAA,UAClB,KAAA,YAAiB,QAAQ,KAAA,GAAQ;AAAA,SACnC;AAAA,MACF;AAAA,IACF;AAAA,GACF;AACF;;;ACjMO,IAAM,gBAAN,MAAoB;AAAA,EACN,IAAA;AAAA,EACA,MAAA;AAAA,EAEnB,YAAY,MAAA,EAAuB;AACjC,IAAA,IAAA,CAAK,MAAA,GAAS,MAAA;AACd,IAAA,IAAA,CAAK,IAAA,GAAO,iBAAiB,MAAM,CAAA;AAAA,EACrC;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAwBA,MAAM,WAAW,WAAA,EAAuC;AACtD,IAAA,OAAO,IAAA,CAAK,IAAA,CAAK,GAAA,CAAa,YAAA,EAAc;AAAA,MAC1C,aAAA,EAAe,UAAU,WAAW,CAAA;AAAA,KACrC,CAAA;AAAA,EACH;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAmBA,MAAM,aAAA,CAAc,WAAA,EAAqB,IAAA,EAAuC;AAC9E,IAAA,OAAO,IAAA,CAAK,IAAA,CAAK,KAAA,CAAe,YAAA,EAAc,IAAA,EAAM;AAAA,MAClD,aAAA,EAAe,UAAU,WAAW,CAAA;AAAA,KACrC,CAAA;AAAA,EACH;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAgBA,MAAM,YAAY,WAAA,EAAwC;AACxD,IAAA,OAAO,IAAA,CAAK,IAAA,CAAK,GAAA,CAAc,WAAA,EAAa;AAAA,MAC1C,aAAA,EAAe,UAAU,WAAW,CAAA;AAAA,KACrC,CAAA;AAAA,EACH;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EASA,IAAI,MAAA,GAAiB;AACnB,IAAA,OAAO,KAAK,MAAA,CAAO,MAAA;AAAA,EACrB;AAAA;AAAA;AAAA;AAAA,EAKA,IAAI,QAAA,GAAmB;AACrB,IAAA,OAAO,KAAK,MAAA,CAAO,QAAA;AAAA,EACrB;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAkBA,sBAAsB,OAAA,EASX;AACT,IAAA,IAAI,OAAA,CAAQ,mBAAA,IAAuB,OAAA,CAAQ,mBAAA,KAAwB,MAAA,EAAQ;AACzE,MAAA,MAAM,IAAI,MAAM,oCAAoC,CAAA;AAAA,IACtD;AAEA,IAAA,IAAI,CAAC,QAAQ,KAAA,EAAO;AAClB,MAAA,MAAM,IAAI,MAAM,8CAA8C,CAAA;AAAA,IAChE;AAEA,IAAA,IAAI,CAAC,QAAQ,aAAA,EAAe;AAC1B,MAAA,MAAM,IAAI,MAAM,uDAAuD,CAAA;AAAA,IACzE;AAEA,IAAA,MAAM,SAAS,OAAA,CAAQ,KAAA,CAAM,MAAM,GAAG,CAAA,CAAE,OAAO,OAAO,CAAA;AACtD,IAAA,IAAI,OAAO,QAAA,CAAS,QAAQ,CAAA,IAAK,CAAC,QAAQ,KAAA,EAAO;AAC/C,MAAA,MAAM,IAAI,MAAM,gDAAgD,CAAA;AAAA,IAClE;AAEA,IAAA,MAAM,MAAM,IAAI,GAAA,CAAI,GAAG,IAAA,CAAK,MAAA,CAAO,MAAM,CAAA,UAAA,CAAY,CAAA;AAErD,IAAA,GAAA,CAAI,YAAA,CAAa,GAAA,CAAI,eAAA,EAAiB,MAAM,CAAA;AAC5C,IAAA,GAAA,CAAI,YAAA,CAAa,GAAA,CAAI,WAAA,EAAa,IAAA,CAAK,OAAO,QAAQ,CAAA;AACtD,IAAA,GAAA,CAAI,YAAA,CAAa,GAAA,CAAI,cAAA,EAAgB,OAAA,CAAQ,WAAW,CAAA;AACxD,IAAA,GAAA,CAAI,YAAA,CAAa,GAAA,CAAI,OAAA,EAAS,OAAA,CAAQ,KAAK,CAAA;AAE3C,IAAA,GAAA,CAAI,YAAA,CAAa,GAAA,CAAI,OAAA,EAAS,OAAA,CAAQ,KAAK,CAAA;AAC3C,IAAA,IAAI,QAAQ,KAAA,EAAO;AACjB,MAAA,GAAA,CAAI,YAAA,CAAa,GAAA,CAAI,OAAA,EAAS,OAAA,CAAQ,KAAK,CAAA;AAAA,IAC7C;AACA,IAAA,GAAA,CAAI,YAAA,CAAa,GAAA,CAAI,gBAAA,EAAkB,OAAA,CAAQ,aAAa,CAAA;AAC5D,IAAA,GAAA,CAAI,YAAA,CAAa,GAAA,CAAI,uBAAA,EAAyB,OAAA,CAAQ,uBAAuB,MAAM,CAAA;AACnF,IAAA,IAAI,QAAQ,MAAA,EAAQ;AAClB,MAAA,GAAA,CAAI,YAAA,CAAa,GAAA,CAAI,QAAA,EAAU,OAAA,CAAQ,MAAM,CAAA;AAAA,IAC/C;AACA,IAAA,IAAI,QAAQ,SAAA,EAAW;AACrB,MAAA,GAAA,CAAI,YAAA,CAAa,GAAA,CAAI,YAAA,EAAc,OAAA,CAAQ,SAAS,CAAA;AAAA,IACtD;AAEA,IAAA,OAAO,IAAI,QAAA,EAAS;AAAA,EACtB;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAiBA,eAAe,OAAA,EAIJ;AACT,IAAA,MAAM,MAAM,IAAI,GAAA,CAAI,GAAG,IAAA,CAAK,MAAA,CAAO,MAAM,CAAA,OAAA,CAAS,CAAA;AAElD,IAAA,IAAI,SAAS,WAAA,EAAa;AACxB,MAAA,GAAA,CAAI,YAAA,CAAa,GAAA,CAAI,eAAA,EAAiB,OAAA,CAAQ,WAAW,CAAA;AAAA,IAC3D;AACA,IAAA,IAAI,SAAS,qBAAA,EAAuB;AAClC,MAAA,GAAA,CAAI,YAAA,CAAa,GAAA,CAAI,0BAAA,EAA4B,OAAA,CAAQ,qBAAqB,CAAA;AAAA,IAChF;AACA,IAAA,IAAI,SAAS,KAAA,EAAO;AAClB,MAAA,GAAA,CAAI,YAAA,CAAa,GAAA,CAAI,OAAA,EAAS,OAAA,CAAQ,KAAK,CAAA;AAAA,IAC7C;AAEA,IAAA,OAAO,IAAI,QAAA,EAAS;AAAA,EACtB;AACF","file":"chunk-BRQ2T53Z.js","sourcesContent":["/**\n * PULSE ID SDK Errors\n *\n * Custom error classes for better error handling.\n */\n\nimport type { ApiErrorResponse, ErrorCode } from './types.js';\n\n/**\n * Base error class for PULSE ID SDK errors.\n */\nexport class PulseIdError extends Error {\n  readonly code: ErrorCode;\n  readonly statusCode: number;\n\n  constructor(code: ErrorCode, message: string, statusCode = 400) {\n    super(message);\n    this.name = 'PulseIdError';\n    this.code = code;\n    this.statusCode = statusCode;\n\n    // Maintains proper stack trace in V8 environments\n    if (Error.captureStackTrace) {\n      Error.captureStackTrace(this, PulseIdError);\n    }\n  }\n\n  /**\n   * Create an error from an API response.\n   */\n  static fromResponse(response: ApiErrorResponse, statusCode: number): PulseIdError {\n    const code = mapErrorCode(response.error);\n\n    switch (code) {\n      case 'invalid_token':\n      case 'expired_token':\n        return new InvalidTokenError(response.error_description);\n      case 'insufficient_scope':\n        return new InsufficientScopeError(\n          response.error_description,\n          response.required_scope\n        );\n      case 'not_found':\n        return new NotFoundError(response.error_description);\n      default:\n        return new PulseIdError(code, response.error_description, statusCode);\n    }\n  }\n}\n\n/**\n * Error thrown when the access token is invalid or expired.\n */\nexport class InvalidTokenError extends PulseIdError {\n  constructor(message = 'Invalid or expired access token') {\n    super('invalid_token', message, 401);\n    this.name = 'InvalidTokenError';\n  }\n}\n\n/**\n * Error thrown when the access token lacks required scopes.\n */\nexport class InsufficientScopeError extends PulseIdError {\n  readonly requiredScope: string | undefined;\n\n  constructor(message: string, requiredScope?: string) {\n    super('insufficient_scope', message, 403);\n    this.name = 'InsufficientScopeError';\n    this.requiredScope = requiredScope;\n  }\n}\n\n/**\n * Error thrown when a resource is not found.\n */\nexport class NotFoundError extends PulseIdError {\n  constructor(message = 'Resource not found') {\n    super('not_found', message, 404);\n    this.name = 'NotFoundError';\n  }\n}\n\n/**\n * Error thrown when a network request fails.\n */\nexport class NetworkError extends PulseIdError {\n  readonly cause: Error | undefined;\n\n  constructor(message: string, cause?: Error) {\n    super('server_error', message, 0);\n    this.name = 'NetworkError';\n    this.cause = cause;\n  }\n}\n\n/**\n * Error thrown when a request times out.\n */\nexport class TimeoutError extends PulseIdError {\n  constructor(message = 'Request timed out') {\n    super('server_error', message, 0);\n    this.name = 'TimeoutError';\n  }\n}\n\n/**\n * Map API error codes to SDK error codes.\n */\nfunction mapErrorCode(apiError: string): ErrorCode {\n  switch (apiError) {\n    case 'invalid_token':\n      return 'invalid_token';\n    case 'expired_token':\n      return 'expired_token';\n    case 'insufficient_scope':\n      return 'insufficient_scope';\n    case 'not_found':\n      return 'not_found';\n    case 'invalid_request':\n      return 'invalid_request';\n    default:\n      return 'server_error';\n  }\n}\n","/**\n * HTTP Client Utilities\n *\n * Internal utilities for making HTTP requests with proper error handling.\n */\n\nimport { NetworkError, PulseIdError, TimeoutError } from './errors.js';\nimport type { ApiErrorResponse, PulseIdConfig } from './types.js';\n\nconst DEFAULT_TIMEOUT = 30_000; // 30 seconds\n\ntype HttpMethod = 'GET' | 'POST' | 'PATCH' | 'DELETE';\n\ntype RequestOptions = {\n  method: HttpMethod;\n  headers?: Record<string, string>;\n  body?: unknown;\n  timeout?: number;\n};\n\n/**\n * Validate that a URL is a valid HTTPS URL.\n * Prevents SSRF and ensures secure communication.\n */\nfunction validateIssuerUrl(issuer: string): string {\n  let url: URL;\n  try {\n    url = new URL(issuer);\n  } catch {\n    throw new Error(`Invalid issuer URL: ${issuer}`);\n  }\n\n  if (url.username || url.password) {\n    throw new Error(`Issuer URL must not include credentials: ${issuer}`);\n  }\n\n  // Only allow HTTPS in production (allow HTTP for localhost in development)\n  const isLocalhost =\n    url.hostname === 'localhost' || url.hostname === '127.0.0.1' || url.hostname === '::1';\n  if (url.protocol !== 'https:' && !isLocalhost) {\n    throw new Error(`Issuer URL must use HTTPS: ${issuer}`);\n  }\n\n  // Remove trailing slash for consistent URL building\n  return url.origin + url.pathname.replace(/\\/$/, '');\n}\n\n/**\n * Create a configured HTTP client for the PULSE ID API.\n */\nexport function createHttpClient(config: PulseIdConfig) {\n  const baseUrl = validateIssuerUrl(config.issuer);\n  const fetchFn = config.fetch ?? globalThis.fetch;\n  const timeout = config.timeout ?? DEFAULT_TIMEOUT;\n\n  /**\n   * Make an HTTP request to the PULSE ID API.\n   */\n  async function request<T>(path: string, options: RequestOptions): Promise<T> {\n    const url = `${baseUrl}${path}`;\n    const controller = new AbortController();\n\n    // Set up timeout\n    const timeoutId = setTimeout(() => {\n      controller.abort();\n    }, options.timeout ?? timeout);\n\n    try {\n      const response = await fetchFn(url, {\n        method: options.method,\n        headers: {\n          'Content-Type': 'application/json',\n          Accept: 'application/json',\n          ...options.headers,\n        },\n        ...(options.body !== undefined && { body: JSON.stringify(options.body) }),\n        signal: controller.signal,\n      });\n\n      // Clear the timeout\n      clearTimeout(timeoutId);\n\n      // Parse response body\n      const contentType = response.headers.get('content-type');\n      const isJson = contentType?.includes('application/json');\n\n      if (!response.ok) {\n        if (isJson) {\n          const errorBody = (await response.json()) as ApiErrorResponse;\n          throw PulseIdError.fromResponse(errorBody, response.status);\n        }\n\n        const errorText = await response.text();\n        throw new PulseIdError(\n          'server_error',\n          errorText || `HTTP ${response.status}`,\n          response.status\n        );\n      }\n\n      // Return parsed JSON or empty object for 204\n      if (response.status === 204 || !isJson) {\n        return {} as T;\n      }\n\n      return (await response.json()) as T;\n    } catch (error) {\n      clearTimeout(timeoutId);\n\n      // Re-throw SDK errors as-is\n      if (error instanceof PulseIdError) {\n        throw error;\n      }\n\n      // Handle abort (timeout)\n      if (error instanceof DOMException && error.name === 'AbortError') {\n        throw new TimeoutError(`Request to ${path} timed out after ${timeout}ms`);\n      }\n\n      // Handle network errors\n      if (error instanceof TypeError) {\n        throw new NetworkError(`Network request to ${path} failed`, error);\n      }\n\n      // Unknown error\n      throw new NetworkError(\n        `Unknown error during request to ${path}`,\n        error instanceof Error ? error : undefined\n      );\n    }\n  }\n\n  return {\n    /**\n     * Make a GET request.\n     */\n    get<T>(path: string, headers?: Record<string, string>): Promise<T> {\n      return request<T>(path, { method: 'GET', ...(headers && { headers }) });\n    },\n\n    /**\n     * Make a POST request.\n     */\n    post<T>(path: string, body?: unknown, headers?: Record<string, string>): Promise<T> {\n      return request<T>(path, { method: 'POST', body, ...(headers && { headers }) });\n    },\n\n    /**\n     * Make a PATCH request.\n     */\n    patch<T>(path: string, body?: unknown, headers?: Record<string, string>): Promise<T> {\n      return request<T>(path, { method: 'PATCH', body, ...(headers && { headers }) });\n    },\n\n    /**\n     * Make a DELETE request.\n     */\n    delete<T>(path: string, headers?: Record<string, string>): Promise<T> {\n      return request<T>(path, { method: 'DELETE', ...(headers && { headers }) });\n    },\n\n    /**\n     * Make a form-encoded POST request (for OAuth token endpoints).\n     */\n    async postForm<T>(\n      path: string,\n      data: Record<string, string>,\n      headers?: Record<string, string>\n    ): Promise<T> {\n      const url = `${baseUrl}${path}`;\n      const controller = new AbortController();\n      const timeoutId = setTimeout(() => controller.abort(), timeout);\n\n      try {\n        const response = await fetchFn(url, {\n          method: 'POST',\n          headers: {\n            'Content-Type': 'application/x-www-form-urlencoded',\n            Accept: 'application/json',\n            ...headers,\n          },\n          body: new URLSearchParams(data).toString(),\n          signal: controller.signal,\n        });\n\n        clearTimeout(timeoutId);\n\n        const contentType = response.headers.get('content-type');\n        const isJson = contentType?.includes('application/json');\n\n        if (!response.ok) {\n          if (isJson) {\n            const errorBody = (await response.json()) as ApiErrorResponse;\n            throw PulseIdError.fromResponse(errorBody, response.status);\n          }\n          // Handle non-JSON error responses (e.g., HTML from proxy)\n          const errorText = await response.text();\n          throw new PulseIdError(\n            'server_error',\n            errorText || `HTTP ${response.status}`,\n            response.status\n          );\n        }\n\n        return (await response.json()) as T;\n      } catch (error) {\n        clearTimeout(timeoutId);\n\n        if (error instanceof PulseIdError) throw error;\n        if (error instanceof DOMException && error.name === 'AbortError') {\n          throw new TimeoutError();\n        }\n        throw new NetworkError(\n          `Request to ${path} failed`,\n          error instanceof Error ? error : undefined\n        );\n      }\n    },\n  };\n}\n\nexport type HttpClient = ReturnType<typeof createHttpClient>;\n","/**\n * PULSE ID Client\n *\n * Client-side SDK for interacting with the PULSE ID API.\n * Use this in browser environments where you have an access token.\n *\n * For server-side usage with refresh token management, use `PulseIdServer` from './server'.\n */\n\nimport { createHttpClient, type HttpClient } from './http.js';\nimport type { Profile, ProfileUpdate, PulseIdConfig, UserInfo } from './types.js';\n\n/**\n * PULSE ID API Client.\n *\n * @example\n * ```typescript\n * const client = new PulseIdClient({\n *   issuer: 'https://id.pulserunning.at',\n *   clientId: 'your-client-id',\n * });\n *\n * const profile = await client.getProfile(accessToken);\n * console.log(profile.displayName);\n * ```\n */\nexport class PulseIdClient {\n  protected readonly http: HttpClient;\n  protected readonly config: PulseIdConfig;\n\n  constructor(config: PulseIdConfig) {\n    this.config = config;\n    this.http = createHttpClient(config);\n  }\n\n  // ===========================================================================\n  // PROFILE\n  // ===========================================================================\n\n  /**\n   * Get the authenticated user's profile.\n   *\n   * The fields returned depend on the scopes granted to the access token:\n   * - `profile`: name, avatar, birthday, etc.\n   * - `email`: email address and verification status\n   * - `address`: address information\n   * - `phone`: phone number\n   *\n   * @param accessToken - A valid access token\n   * @returns The user's profile\n   *\n   * @example\n   * ```typescript\n   * const profile = await client.getProfile(accessToken);\n   * console.log(`Hello, ${profile.displayName}!`);\n   * ```\n   */\n  async getProfile(accessToken: string): Promise<Profile> {\n    return this.http.get<Profile>('/api/v1/me', {\n      Authorization: `Bearer ${accessToken}`,\n    });\n  }\n\n  /**\n   * Update the authenticated user's profile.\n   *\n   * Requires the `profile:write` scope.\n   *\n   * @param accessToken - A valid access token with `profile:write` scope\n   * @param data - The profile fields to update\n   * @returns The updated profile\n   *\n   * @example\n   * ```typescript\n   * const updated = await client.updateProfile(accessToken, {\n   *   displayName: 'Max Runner',\n   *   height: 180,\n   * });\n   * ```\n   */\n  async updateProfile(accessToken: string, data: ProfileUpdate): Promise<Profile> {\n    return this.http.patch<Profile>('/api/v1/me', data, {\n      Authorization: `Bearer ${accessToken}`,\n    });\n  }\n\n  /**\n   * Get the authenticated user's OIDC userinfo.\n   *\n   * Requires the `openid` scope. Additional fields depend on granted scopes.\n   *\n   * @param accessToken - A valid access token\n   * @returns The user's OIDC userinfo\n   *\n   * @example\n   * ```typescript\n   * const info = await client.getUserInfo(accessToken);\n   * console.log(info.sub);\n   * ```\n   */\n  async getUserInfo(accessToken: string): Promise<UserInfo> {\n    return this.http.get<UserInfo>('/userinfo', {\n      Authorization: `Bearer ${accessToken}`,\n    });\n  }\n\n  // ===========================================================================\n  // UTILITY METHODS\n  // ===========================================================================\n\n  /**\n   * Get the configured issuer URL.\n   */\n  get issuer(): string {\n    return this.config.issuer;\n  }\n\n  /**\n   * Get the configured client ID.\n   */\n  get clientId(): string {\n    return this.config.clientId;\n  }\n\n  /**\n   * Build an authorization URL for the OAuth flow.\n   *\n   * @param options - Authorization options\n   * @returns The authorization URL to redirect the user to\n   *\n   * @example\n   * ```typescript\n   * const authUrl = client.buildAuthorizationUrl({\n   *   redirectUri: 'https://myapp.com/callback',\n   *   scope: 'openid profile email',\n   *   state: 'random-state-string',\n   * });\n   * window.location.href = authUrl;\n   * ```\n   */\n  buildAuthorizationUrl(options: {\n    redirectUri: string;\n    scope: string;\n    state: string;\n    nonce?: string;\n    codeChallenge: string;\n    codeChallengeMethod?: 'S256';\n    prompt?: 'none' | 'login' | 'consent' | 'create';\n    loginHint?: string;\n  }): string {\n    if (options.codeChallengeMethod && options.codeChallengeMethod !== 'S256') {\n      throw new Error('code_challenge_method must be S256');\n    }\n\n    if (!options.state) {\n      throw new Error('state is required for authorization requests');\n    }\n\n    if (!options.codeChallenge) {\n      throw new Error('code_challenge is required for authorization requests');\n    }\n\n    const scopes = options.scope.split(' ').filter(Boolean);\n    if (scopes.includes('openid') && !options.nonce) {\n      throw new Error('nonce is required when requesting openid scope');\n    }\n\n    const url = new URL(`${this.config.issuer}/authorize`);\n\n    url.searchParams.set('response_type', 'code');\n    url.searchParams.set('client_id', this.config.clientId);\n    url.searchParams.set('redirect_uri', options.redirectUri);\n    url.searchParams.set('scope', options.scope);\n\n    url.searchParams.set('state', options.state);\n    if (options.nonce) {\n      url.searchParams.set('nonce', options.nonce);\n    }\n    url.searchParams.set('code_challenge', options.codeChallenge);\n    url.searchParams.set('code_challenge_method', options.codeChallengeMethod ?? 'S256');\n    if (options.prompt) {\n      url.searchParams.set('prompt', options.prompt);\n    }\n    if (options.loginHint) {\n      url.searchParams.set('login_hint', options.loginHint);\n    }\n\n    return url.toString();\n  }\n\n  /**\n   * Build a logout URL for ending the session.\n   *\n   * @param options - Logout options\n   * @returns The logout URL to redirect the user to\n   *\n   * @example\n   * ```typescript\n   * const logoutUrl = client.buildLogoutUrl({\n   *   idTokenHint: idToken,\n   *   postLogoutRedirectUri: 'https://myapp.com',\n   * });\n   * window.location.href = logoutUrl;\n   * ```\n   */\n  buildLogoutUrl(options?: {\n    idTokenHint?: string;\n    postLogoutRedirectUri?: string;\n    state?: string;\n  }): string {\n    const url = new URL(`${this.config.issuer}/logout`);\n\n    if (options?.idTokenHint) {\n      url.searchParams.set('id_token_hint', options.idTokenHint);\n    }\n    if (options?.postLogoutRedirectUri) {\n      url.searchParams.set('post_logout_redirect_uri', options.postLogoutRedirectUri);\n    }\n    if (options?.state) {\n      url.searchParams.set('state', options.state);\n    }\n\n    return url.toString();\n  }\n}\n"]}

package/dist/index.d.ts

@@ -0,0 +1,404 @@
+/**
+ * PULSE ID SDK Types
+ *
+ * Type definitions for the PULSE ID API.
+ */
+/**
+ * Configuration for the PULSE ID client.
+ */
+type PulseIdConfig = {
+    /**
+     * The PULSE ID issuer URL (e.g., 'https://id.pulserunning.at').
+     * Do not include a trailing slash.
+     */
+    issuer: string;
+    /**
+     * OAuth client ID registered with PULSE ID.
+     */
+    clientId: string;
+    /**
+     * OAuth client secret. Only required for server-side operations.
+     * Never expose this in client-side code.
+     */
+    clientSecret?: string;
+    /**
+     * Custom fetch implementation. Defaults to global fetch.
+     * Useful for testing or custom HTTP handling.
+     */
+    fetch?: typeof fetch;
+    /**
+     * Request timeout in milliseconds. Defaults to 30000 (30 seconds).
+     */
+    timeout?: number;
+};
+/**
+ * User profile returned by PULSE ID.
+ */
+type Profile = {
+    /** Unique user identifier (UUID) */
+    id: string;
+    /** User's email address (requires 'email' scope) */
+    email?: string;
+    /** Whether the email has been verified */
+    emailVerified?: boolean;
+    /** User's first name */
+    firstName?: string | null;
+    /** User's last name */
+    lastName?: string | null;
+    /** Display name (how the user appears to others) */
+    displayName?: string | null;
+    /** URL to the user's avatar image */
+    avatar?: string | null;
+    /** User's birthday in ISO date format (YYYY-MM-DD) */
+    birthday?: string | null;
+    /** User's gender */
+    gender?: 'male' | 'female' | 'other' | null;
+    /** Height in centimeters */
+    height?: number | null;
+    /** Weight in kilograms */
+    weight?: number | null;
+    /** User's address (requires 'address' scope) */
+    address?: {
+        street?: string | null;
+        city?: string | null;
+        postalCode?: string | null;
+        country?: string | null;
+    };
+    /** User's phone number (requires 'phone' scope) */
+    phone?: string | null;
+    /** When the account was created */
+    createdAt: string;
+    /** When the profile was last updated */
+    updatedAt: string;
+};
+/**
+ * Fields that can be updated on a user profile.
+ */
+type ProfileUpdate = {
+    firstName?: string | null;
+    lastName?: string | null;
+    displayName?: string | null;
+    avatar?: string | null;
+    birthday?: string | null;
+    gender?: 'male' | 'female' | 'other' | null;
+    height?: number | null;
+    weight?: number | null;
+    phone?: string | null;
+    street?: string | null;
+    city?: string | null;
+    postalCode?: string | null;
+    country?: string | null;
+};
+/**
+ * Standard OIDC userinfo response from PULSE ID.
+ */
+type UserInfo = {
+    /** Subject identifier (user ID) */
+    sub: string;
+    /** User's email address (requires 'email' scope) */
+    email?: string;
+    /** Whether the email has been verified */
+    email_verified?: boolean;
+    /** Full name */
+    name?: string;
+    /** Given name */
+    given_name?: string;
+    /** Family name */
+    family_name?: string;
+    /** Preferred username */
+    preferred_username?: string;
+    /** Profile picture URL */
+    picture?: string;
+    /** Locale */
+    locale?: string;
+    /** When the userinfo was last updated (seconds since epoch) */
+    updated_at?: number;
+};
+/**
+ * OAuth token response from PULSE ID.
+ */
+type TokenResponse = {
+    /** The access token for API requests */
+    access_token: string;
+    /** Token type (always 'Bearer') */
+    token_type: 'Bearer';
+    /** Time until the access token expires (in seconds) */
+    expires_in: number;
+    /** Refresh token for obtaining new access tokens */
+    refresh_token?: string;
+    /** ID token containing user claims (JWT) */
+    id_token?: string;
+    /** Granted scopes (space-separated) */
+    scope?: string;
+};
+/**
+ * Token refresh options.
+ */
+type RefreshOptions = {
+    /** The refresh token to exchange */
+    refreshToken: string;
+    /** Optionally request a subset of the original scopes */
+    scope?: string;
+};
+/**
+ * Standard OAuth error response.
+ */
+type ApiErrorResponse = {
+    /** Error code (e.g., 'invalid_token', 'insufficient_scope') */
+    error: string;
+    /** Human-readable error description */
+    error_description: string;
+    /** Required scope (for 'insufficient_scope' errors) */
+    required_scope?: string;
+};
+/**
+ * Error codes returned by PULSE ID.
+ */
+type ErrorCode = 'invalid_request' | 'invalid_token' | 'expired_token' | 'insufficient_scope' | 'not_found' | 'server_error';
+/**
+ * Available OAuth scopes for PULSE ID.
+ */
+declare const SCOPES: {
+    /** Required for OIDC. Returns the user's ID. */
+    readonly OPENID: "openid";
+    /** Read profile information (name, avatar, etc.) */
+    readonly PROFILE: "profile";
+    /** Update profile information */
+    readonly PROFILE_WRITE: "profile:write";
+    /** Read email address */
+    readonly EMAIL: "email";
+    /** Read address information */
+    readonly ADDRESS: "address";
+    /** Read phone number */
+    readonly PHONE: "phone";
+    /** Request a refresh token */
+    readonly OFFLINE_ACCESS: "offline_access";
+    /** Read activities (future) */
+    readonly ACTIVITIES: "activities";
+    /** Create/update activities (future) */
+    readonly ACTIVITIES_WRITE: "activities:write";
+    /** Manage external sync connections (future) */
+    readonly CONNECTIONS: "connections";
+};
+type Scope = (typeof SCOPES)[keyof typeof SCOPES];
+
+/**
+ * HTTP Client Utilities
+ *
+ * Internal utilities for making HTTP requests with proper error handling.
+ */
+
+/**
+ * Create a configured HTTP client for the PULSE ID API.
+ */
+declare function createHttpClient(config: PulseIdConfig): {
+    /**
+     * Make a GET request.
+     */
+    get<T>(path: string, headers?: Record<string, string>): Promise<T>;
+    /**
+     * Make a POST request.
+     */
+    post<T>(path: string, body?: unknown, headers?: Record<string, string>): Promise<T>;
+    /**
+     * Make a PATCH request.
+     */
+    patch<T>(path: string, body?: unknown, headers?: Record<string, string>): Promise<T>;
+    /**
+     * Make a DELETE request.
+     */
+    delete<T>(path: string, headers?: Record<string, string>): Promise<T>;
+    /**
+     * Make a form-encoded POST request (for OAuth token endpoints).
+     */
+    postForm<T>(path: string, data: Record<string, string>, headers?: Record<string, string>): Promise<T>;
+};
+type HttpClient = ReturnType<typeof createHttpClient>;
+
+/**
+ * PULSE ID Client
+ *
+ * Client-side SDK for interacting with the PULSE ID API.
+ * Use this in browser environments where you have an access token.
+ *
+ * For server-side usage with refresh token management, use `PulseIdServer` from './server'.
+ */
+
+/**
+ * PULSE ID API Client.
+ *
+ * @example
+ * ```typescript
+ * const client = new PulseIdClient({
+ *   issuer: 'https://id.pulserunning.at',
+ *   clientId: 'your-client-id',
+ * });
+ *
+ * const profile = await client.getProfile(accessToken);
+ * console.log(profile.displayName);
+ * ```
+ */
+declare class PulseIdClient {
+    protected readonly http: HttpClient;
+    protected readonly config: PulseIdConfig;
+    constructor(config: PulseIdConfig);
+    /**
+     * Get the authenticated user's profile.
+     *
+     * The fields returned depend on the scopes granted to the access token:
+     * - `profile`: name, avatar, birthday, etc.
+     * - `email`: email address and verification status
+     * - `address`: address information
+     * - `phone`: phone number
+     *
+     * @param accessToken - A valid access token
+     * @returns The user's profile
+     *
+     * @example
+     * ```typescript
+     * const profile = await client.getProfile(accessToken);
+     * console.log(`Hello, ${profile.displayName}!`);
+     * ```
+     */
+    getProfile(accessToken: string): Promise<Profile>;
+    /**
+     * Update the authenticated user's profile.
+     *
+     * Requires the `profile:write` scope.
+     *
+     * @param accessToken - A valid access token with `profile:write` scope
+     * @param data - The profile fields to update
+     * @returns The updated profile
+     *
+     * @example
+     * ```typescript
+     * const updated = await client.updateProfile(accessToken, {
+     *   displayName: 'Max Runner',
+     *   height: 180,
+     * });
+     * ```
+     */
+    updateProfile(accessToken: string, data: ProfileUpdate): Promise<Profile>;
+    /**
+     * Get the authenticated user's OIDC userinfo.
+     *
+     * Requires the `openid` scope. Additional fields depend on granted scopes.
+     *
+     * @param accessToken - A valid access token
+     * @returns The user's OIDC userinfo
+     *
+     * @example
+     * ```typescript
+     * const info = await client.getUserInfo(accessToken);
+     * console.log(info.sub);
+     * ```
+     */
+    getUserInfo(accessToken: string): Promise<UserInfo>;
+    /**
+     * Get the configured issuer URL.
+     */
+    get issuer(): string;
+    /**
+     * Get the configured client ID.
+     */
+    get clientId(): string;
+    /**
+     * Build an authorization URL for the OAuth flow.
+     *
+     * @param options - Authorization options
+     * @returns The authorization URL to redirect the user to
+     *
+     * @example
+     * ```typescript
+     * const authUrl = client.buildAuthorizationUrl({
+     *   redirectUri: 'https://myapp.com/callback',
+     *   scope: 'openid profile email',
+     *   state: 'random-state-string',
+     * });
+     * window.location.href = authUrl;
+     * ```
+     */
+    buildAuthorizationUrl(options: {
+        redirectUri: string;
+        scope: string;
+        state: string;
+        nonce?: string;
+        codeChallenge: string;
+        codeChallengeMethod?: 'S256';
+        prompt?: 'none' | 'login' | 'consent' | 'create';
+        loginHint?: string;
+    }): string;
+    /**
+     * Build a logout URL for ending the session.
+     *
+     * @param options - Logout options
+     * @returns The logout URL to redirect the user to
+     *
+     * @example
+     * ```typescript
+     * const logoutUrl = client.buildLogoutUrl({
+     *   idTokenHint: idToken,
+     *   postLogoutRedirectUri: 'https://myapp.com',
+     * });
+     * window.location.href = logoutUrl;
+     * ```
+     */
+    buildLogoutUrl(options?: {
+        idTokenHint?: string;
+        postLogoutRedirectUri?: string;
+        state?: string;
+    }): string;
+}
+
+/**
+ * PULSE ID SDK Errors
+ *
+ * Custom error classes for better error handling.
+ */
+
+/**
+ * Base error class for PULSE ID SDK errors.
+ */
+declare class PulseIdError extends Error {
+    readonly code: ErrorCode;
+    readonly statusCode: number;
+    constructor(code: ErrorCode, message: string, statusCode?: number);
+    /**
+     * Create an error from an API response.
+     */
+    static fromResponse(response: ApiErrorResponse, statusCode: number): PulseIdError;
+}
+/**
+ * Error thrown when the access token is invalid or expired.
+ */
+declare class InvalidTokenError extends PulseIdError {
+    constructor(message?: string);
+}
+/**
+ * Error thrown when the access token lacks required scopes.
+ */
+declare class InsufficientScopeError extends PulseIdError {
+    readonly requiredScope: string | undefined;
+    constructor(message: string, requiredScope?: string);
+}
+/**
+ * Error thrown when a resource is not found.
+ */
+declare class NotFoundError extends PulseIdError {
+    constructor(message?: string);
+}
+/**
+ * Error thrown when a network request fails.
+ */
+declare class NetworkError extends PulseIdError {
+    readonly cause: Error | undefined;
+    constructor(message: string, cause?: Error);
+}
+/**
+ * Error thrown when a request times out.
+ */
+declare class TimeoutError extends PulseIdError {
+    constructor(message?: string);
+}
+
+export { type ApiErrorResponse, type ErrorCode, InsufficientScopeError, InvalidTokenError, NetworkError, NotFoundError, type Profile, type ProfileUpdate, PulseIdClient, type PulseIdConfig, PulseIdError, type RefreshOptions, SCOPES, type Scope, TimeoutError, type TokenResponse, type UserInfo };

package/dist/index.js

@@ -0,0 +1,29 @@
+export { InsufficientScopeError, InvalidTokenError, NetworkError, NotFoundError, PulseIdClient, PulseIdError, TimeoutError } from './chunk-BRQ2T53Z.js';
+
+// src/types.ts
+var SCOPES = {
+  /** Required for OIDC. Returns the user's ID. */
+  OPENID: "openid",
+  /** Read profile information (name, avatar, etc.) */
+  PROFILE: "profile",
+  /** Update profile information */
+  PROFILE_WRITE: "profile:write",
+  /** Read email address */
+  EMAIL: "email",
+  /** Read address information */
+  ADDRESS: "address",
+  /** Read phone number */
+  PHONE: "phone",
+  /** Request a refresh token */
+  OFFLINE_ACCESS: "offline_access",
+  /** Read activities (future) */
+  ACTIVITIES: "activities",
+  /** Create/update activities (future) */
+  ACTIVITIES_WRITE: "activities:write",
+  /** Manage external sync connections (future) */
+  CONNECTIONS: "connections"
+};
+
+export { SCOPES };
+//# sourceMappingURL=index.js.map
+//# sourceMappingURL=index.js.map

package/dist/index.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../src/types.ts"],"names":[],"mappings":";;;AAiOO,IAAM,MAAA,GAAS;AAAA;AAAA,EAEpB,MAAA,EAAQ,QAAA;AAAA;AAAA,EAGR,OAAA,EAAS,SAAA;AAAA;AAAA,EAGT,aAAA,EAAe,eAAA;AAAA;AAAA,EAGf,KAAA,EAAO,OAAA;AAAA;AAAA,EAGP,OAAA,EAAS,SAAA;AAAA;AAAA,EAGT,KAAA,EAAO,OAAA;AAAA;AAAA,EAGP,cAAA,EAAgB,gBAAA;AAAA;AAAA,EAGhB,UAAA,EAAY,YAAA;AAAA;AAAA,EAGZ,gBAAA,EAAkB,kBAAA;AAAA;AAAA,EAGlB,WAAA,EAAa;AACf","file":"index.js","sourcesContent":["/**\n * PULSE ID SDK Types\n *\n * Type definitions for the PULSE ID API.\n */\n\n// =============================================================================\n// CLIENT CONFIGURATION\n// =============================================================================\n\n/**\n * Configuration for the PULSE ID client.\n */\nexport type PulseIdConfig = {\n  /**\n   * The PULSE ID issuer URL (e.g., 'https://id.pulserunning.at').\n   * Do not include a trailing slash.\n   */\n  issuer: string;\n\n  /**\n   * OAuth client ID registered with PULSE ID.\n   */\n  clientId: string;\n\n  /**\n   * OAuth client secret. Only required for server-side operations.\n   * Never expose this in client-side code.\n   */\n  clientSecret?: string;\n\n  /**\n   * Custom fetch implementation. Defaults to global fetch.\n   * Useful for testing or custom HTTP handling.\n   */\n  fetch?: typeof fetch;\n\n  /**\n   * Request timeout in milliseconds. Defaults to 30000 (30 seconds).\n   */\n  timeout?: number;\n};\n\n// =============================================================================\n// USER PROFILE\n// =============================================================================\n\n/**\n * User profile returned by PULSE ID.\n */\nexport type Profile = {\n  /** Unique user identifier (UUID) */\n  id: string;\n\n  /** User's email address (requires 'email' scope) */\n  email?: string;\n\n  /** Whether the email has been verified */\n  emailVerified?: boolean;\n\n  /** User's first name */\n  firstName?: string | null;\n\n  /** User's last name */\n  lastName?: string | null;\n\n  /** Display name (how the user appears to others) */\n  displayName?: string | null;\n\n  /** URL to the user's avatar image */\n  avatar?: string | null;\n\n  /** User's birthday in ISO date format (YYYY-MM-DD) */\n  birthday?: string | null;\n\n  /** User's gender */\n  gender?: 'male' | 'female' | 'other' | null;\n\n  /** Height in centimeters */\n  height?: number | null;\n\n  /** Weight in kilograms */\n  weight?: number | null;\n\n  /** User's address (requires 'address' scope) */\n  address?: {\n    street?: string | null;\n    city?: string | null;\n    postalCode?: string | null;\n    country?: string | null;\n  };\n\n  /** User's phone number (requires 'phone' scope) */\n  phone?: string | null;\n\n  /** When the account was created */\n  createdAt: string;\n\n  /** When the profile was last updated */\n  updatedAt: string;\n};\n\n/**\n * Fields that can be updated on a user profile.\n */\nexport type ProfileUpdate = {\n  firstName?: string | null;\n  lastName?: string | null;\n  displayName?: string | null;\n  avatar?: string | null;\n  birthday?: string | null;\n  gender?: 'male' | 'female' | 'other' | null;\n  height?: number | null;\n  weight?: number | null;\n  phone?: string | null;\n  street?: string | null;\n  city?: string | null;\n  postalCode?: string | null;\n  country?: string | null;\n};\n\n// =============================================================================\n// OIDC USERINFO\n// =============================================================================\n\n/**\n * Standard OIDC userinfo response from PULSE ID.\n */\nexport type UserInfo = {\n  /** Subject identifier (user ID) */\n  sub: string;\n  /** User's email address (requires 'email' scope) */\n  email?: string;\n  /** Whether the email has been verified */\n  email_verified?: boolean;\n  /** Full name */\n  name?: string;\n  /** Given name */\n  given_name?: string;\n  /** Family name */\n  family_name?: string;\n  /** Preferred username */\n  preferred_username?: string;\n  /** Profile picture URL */\n  picture?: string;\n  /** Locale */\n  locale?: string;\n  /** When the userinfo was last updated (seconds since epoch) */\n  updated_at?: number;\n};\n\n// =============================================================================\n// OAUTH / TOKENS\n// =============================================================================\n\n/**\n * OAuth token response from PULSE ID.\n */\nexport type TokenResponse = {\n  /** The access token for API requests */\n  access_token: string;\n\n  /** Token type (always 'Bearer') */\n  token_type: 'Bearer';\n\n  /** Time until the access token expires (in seconds) */\n  expires_in: number;\n\n  /** Refresh token for obtaining new access tokens */\n  refresh_token?: string;\n\n  /** ID token containing user claims (JWT) */\n  id_token?: string;\n\n  /** Granted scopes (space-separated) */\n  scope?: string;\n};\n\n/**\n * Token refresh options.\n */\nexport type RefreshOptions = {\n  /** The refresh token to exchange */\n  refreshToken: string;\n\n  /** Optionally request a subset of the original scopes */\n  scope?: string;\n};\n\n// =============================================================================\n// API ERRORS\n// =============================================================================\n\n/**\n * Standard OAuth error response.\n */\nexport type ApiErrorResponse = {\n  /** Error code (e.g., 'invalid_token', 'insufficient_scope') */\n  error: string;\n\n  /** Human-readable error description */\n  error_description: string;\n\n  /** Required scope (for 'insufficient_scope' errors) */\n  required_scope?: string;\n};\n\n/**\n * Error codes returned by PULSE ID.\n */\nexport type ErrorCode =\n  | 'invalid_request'\n  | 'invalid_token'\n  | 'expired_token'\n  | 'insufficient_scope'\n  | 'not_found'\n  | 'server_error';\n\n// =============================================================================\n// SCOPES\n// =============================================================================\n\n/**\n * Available OAuth scopes for PULSE ID.\n */\nexport const SCOPES = {\n  /** Required for OIDC. Returns the user's ID. */\n  OPENID: 'openid',\n\n  /** Read profile information (name, avatar, etc.) */\n  PROFILE: 'profile',\n\n  /** Update profile information */\n  PROFILE_WRITE: 'profile:write',\n\n  /** Read email address */\n  EMAIL: 'email',\n\n  /** Read address information */\n  ADDRESS: 'address',\n\n  /** Read phone number */\n  PHONE: 'phone',\n\n  /** Request a refresh token */\n  OFFLINE_ACCESS: 'offline_access',\n\n  /** Read activities (future) */\n  ACTIVITIES: 'activities',\n\n  /** Create/update activities (future) */\n  ACTIVITIES_WRITE: 'activities:write',\n\n  /** Manage external sync connections (future) */\n  CONNECTIONS: 'connections',\n} as const;\n\nexport type Scope = (typeof SCOPES)[keyof typeof SCOPES];\n"]}

package/dist/server.d.ts

@@ -0,0 +1,44 @@
+import { Profile, ProfileUpdate, PulseIdClient, PulseIdConfig, UserInfo, TokenResponse, RefreshOptions } from './index.js';
+export { InsufficientScopeError, InvalidTokenError, PulseIdError } from './index.js';
+
+type ServerConfig = PulseIdConfig & {
+    clientSecret: string;
+    storage?: TokenStorage;
+};
+interface TokenStorage {
+    getTokens(userId: string): Promise<StoredTokens | null>;
+    setTokens(userId: string, tokens: StoredTokens): Promise<void>;
+    deleteTokens(userId: string): Promise<void>;
+}
+type StoredTokens = {
+    accessToken: string;
+    refreshToken: string;
+    expiresAt: Date;
+    scope?: string;
+};
+interface ProfileResource {
+    get(): Promise<Profile>;
+    update(data: ProfileUpdate): Promise<Profile>;
+}
+interface UserInfoResource {
+    get(): Promise<UserInfo>;
+}
+interface UserClient {
+    profile: ProfileResource;
+    userInfo: UserInfoResource;
+}
+declare class PulseIdServer extends PulseIdClient {
+    private readonly clientSecret;
+    private readonly storage;
+    constructor(config: ServerConfig);
+    forUser(userId: string): UserClient;
+    exchangeCode(code: string, redirectUri: string, codeVerifier?: string): Promise<TokenResponse>;
+    refreshTokens(options: RefreshOptions): Promise<TokenResponse>;
+    revokeToken(token: string, tokenTypeHint?: 'access_token' | 'refresh_token'): Promise<void>;
+    getProfileWithRefresh(storage: TokenStorage, userId: string): Promise<Profile>;
+    updateProfileWithRefresh(storage: TokenStorage, userId: string, data: ProfileUpdate): Promise<Profile>;
+    getUserInfoWithRefresh(storage: TokenStorage, userId: string): Promise<UserInfo>;
+    private ensureValidTokens;
+}
+
+export { Profile, type ProfileResource, ProfileUpdate, PulseIdConfig, PulseIdServer, type ServerConfig, type StoredTokens, TokenResponse, type TokenStorage, type UserClient, UserInfo, type UserInfoResource };

package/dist/server.js

@@ -0,0 +1,108 @@
+import { PulseIdClient, PulseIdError } from './chunk-BRQ2T53Z.js';
+export { InsufficientScopeError, InvalidTokenError, PulseIdError } from './chunk-BRQ2T53Z.js';
+
+// src/server.ts
+var PulseIdServer = class extends PulseIdClient {
+  clientSecret;
+  storage;
+  constructor(config) {
+    if (!config.clientSecret) {
+      throw new Error("clientSecret is required for server-side operations");
+    }
+    super(config);
+    this.clientSecret = config.clientSecret;
+    this.storage = config.storage;
+  }
+  forUser(userId) {
+    if (!this.storage) {
+      throw new Error("storage must be configured to use forUser()");
+    }
+    const storage = this.storage;
+    return {
+      profile: {
+        get: () => this.getProfileWithRefresh(storage, userId),
+        update: (data) => this.updateProfileWithRefresh(storage, userId, data)
+      },
+      userInfo: {
+        get: () => this.getUserInfoWithRefresh(storage, userId)
+      }
+    };
+  }
+  async exchangeCode(code, redirectUri, codeVerifier) {
+    const data = {
+      grant_type: "authorization_code",
+      code,
+      redirect_uri: redirectUri,
+      client_id: this.config.clientId,
+      client_secret: this.clientSecret
+    };
+    if (codeVerifier) {
+      data["code_verifier"] = codeVerifier;
+    }
+    return this.http.postForm("/token", data);
+  }
+  async refreshTokens(options) {
+    const data = {
+      grant_type: "refresh_token",
+      refresh_token: options.refreshToken,
+      client_id: this.config.clientId,
+      client_secret: this.clientSecret
+    };
+    if (options.scope) {
+      data["scope"] = options.scope;
+    }
+    return this.http.postForm("/token", data);
+  }
+  async revokeToken(token, tokenTypeHint) {
+    const data = {
+      token,
+      client_id: this.config.clientId,
+      client_secret: this.clientSecret
+    };
+    if (tokenTypeHint) {
+      data["token_type_hint"] = tokenTypeHint;
+    }
+    await this.http.postForm("/revoke", data);
+  }
+  async getProfileWithRefresh(storage, userId) {
+    const tokens = await this.ensureValidTokens(storage, userId);
+    return this.getProfile(tokens.accessToken);
+  }
+  async updateProfileWithRefresh(storage, userId, data) {
+    const tokens = await this.ensureValidTokens(storage, userId);
+    return this.updateProfile(tokens.accessToken, data);
+  }
+  async getUserInfoWithRefresh(storage, userId) {
+    const tokens = await this.ensureValidTokens(storage, userId);
+    return this.getUserInfo(tokens.accessToken);
+  }
+  async ensureValidTokens(storage, userId) {
+    const tokens = await storage.getTokens(userId);
+    if (!tokens) {
+      throw new PulseIdError("invalid_token", "No tokens found. User needs to re-authenticate.", 401);
+    }
+    const bufferMs = 5 * 60 * 1e3;
+    const isExpired = tokens.expiresAt.getTime() - bufferMs < Date.now();
+    if (!isExpired) {
+      return tokens;
+    }
+    try {
+      const newTokens = await this.refreshTokens({ refreshToken: tokens.refreshToken });
+      const updatedTokens = {
+        accessToken: newTokens.access_token,
+        refreshToken: newTokens.refresh_token ?? tokens.refreshToken,
+        expiresAt: new Date(Date.now() + newTokens.expires_in * 1e3),
+        ...newTokens.scope ?? tokens.scope ? { scope: newTokens.scope ?? tokens.scope } : {}
+      };
+      await storage.setTokens(userId, updatedTokens);
+      return updatedTokens;
+    } catch {
+      await storage.deleteTokens(userId);
+      throw new PulseIdError("invalid_token", "Token refresh failed. User needs to re-authenticate.", 401);
+    }
+  }
+};
+
+export { PulseIdServer };
+//# sourceMappingURL=server.js.map
+//# sourceMappingURL=server.js.map

package/dist/server.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../src/server.ts"],"names":[],"mappings":";;;;AA2CO,IAAM,aAAA,GAAN,cAA4B,aAAA,CAAc;AAAA,EAC9B,YAAA;AAAA,EACA,OAAA;AAAA,EAEjB,YAAY,MAAA,EAAsB;AAChC,IAAA,IAAI,CAAC,OAAO,YAAA,EAAc;AACxB,MAAA,MAAM,IAAI,MAAM,qDAAqD,CAAA;AAAA,IACvE;AACA,IAAA,KAAA,CAAM,MAAM,CAAA;AACZ,IAAA,IAAA,CAAK,eAAe,MAAA,CAAO,YAAA;AAC3B,IAAA,IAAA,CAAK,UAAU,MAAA,CAAO,OAAA;AAAA,EACxB;AAAA,EAEA,QAAQ,MAAA,EAA4B;AAClC,IAAA,IAAI,CAAC,KAAK,OAAA,EAAS;AACjB,MAAA,MAAM,IAAI,MAAM,6CAA6C,CAAA;AAAA,IAC/D;AACA,IAAA,MAAM,UAAU,IAAA,CAAK,OAAA;AAErB,IAAA,OAAO;AAAA,MACL,OAAA,EAAS;AAAA,QACP,GAAA,EAAK,MAAM,IAAA,CAAK,qBAAA,CAAsB,SAAS,MAAM,CAAA;AAAA,QACrD,QAAQ,CAAC,IAAA,KAAwB,KAAK,wBAAA,CAAyB,OAAA,EAAS,QAAQ,IAAI;AAAA,OACtF;AAAA,MACA,QAAA,EAAU;AAAA,QACR,GAAA,EAAK,MAAM,IAAA,CAAK,sBAAA,CAAuB,SAAS,MAAM;AAAA;AACxD,KACF;AAAA,EACF;AAAA,EAEA,MAAM,YAAA,CAAa,IAAA,EAAc,WAAA,EAAqB,YAAA,EAA+C;AACnG,IAAA,MAAM,IAAA,GAA+B;AAAA,MACnC,UAAA,EAAY,oBAAA;AAAA,MACZ,IAAA;AAAA,MACA,YAAA,EAAc,WAAA;AAAA,MACd,SAAA,EAAW,KAAK,MAAA,CAAO,QAAA;AAAA,MACvB,eAAe,IAAA,CAAK;AAAA,KACtB;AACA,IAAA,IAAI,YAAA,EAAc;AAChB,MAAA,IAAA,CAAK,eAAe,CAAA,GAAI,YAAA;AAAA,IAC1B;AACA,IAAA,OAAO,IAAA,CAAK,IAAA,CAAK,QAAA,CAAwB,QAAA,EAAU,IAAI,CAAA;AAAA,EACzD;AAAA,EAEA,MAAM,cAAc,OAAA,EAAiD;AACnE,IAAA,MAAM,IAAA,GAA+B;AAAA,MACnC,UAAA,EAAY,eAAA;AAAA,MACZ,eAAe,OAAA,CAAQ,YAAA;AAAA,MACvB,SAAA,EAAW,KAAK,MAAA,CAAO,QAAA;AAAA,MACvB,eAAe,IAAA,CAAK;AAAA,KACtB;AACA,IAAA,IAAI,QAAQ,KAAA,EAAO;AACjB,MAAA,IAAA,CAAK,OAAO,IAAI,OAAA,CAAQ,KAAA;AAAA,IAC1B;AACA,IAAA,OAAO,IAAA,CAAK,IAAA,CAAK,QAAA,CAAwB,QAAA,EAAU,IAAI,CAAA;AAAA,EACzD;AAAA,EAEA,MAAM,WAAA,CAAY,KAAA,EAAe,aAAA,EAAiE;AAChG,IAAA,MAAM,IAAA,GAA+B;AAAA,MACnC,KAAA;AAAA,MACA,SAAA,EAAW,KAAK,MAAA,CAAO,QAAA;AAAA,MACvB,eAAe,IAAA,CAAK;AAAA,KACtB;AACA,IAAA,IAAI,aAAA,EAAe;AACjB,MAAA,IAAA,CAAK,iBAAiB,CAAA,GAAI,aAAA;AAAA,IAC5B;AACA,IAAA,MAAM,IAAA,CAAK,IAAA,CAAK,QAAA,CAAe,SAAA,EAAW,IAAI,CAAA;AAAA,EAChD;AAAA,EAEA,MAAM,qBAAA,CAAsB,OAAA,EAAuB,MAAA,EAAkC;AACnF,IAAA,MAAM,MAAA,GAAS,MAAM,IAAA,CAAK,iBAAA,CAAkB,SAAS,MAAM,CAAA;AAC3D,IAAA,OAAO,IAAA,CAAK,UAAA,CAAW,MAAA,CAAO,WAAW,CAAA;AAAA,EAC3C;AAAA,EAEA,MAAM,wBAAA,CAAyB,OAAA,EAAuB,MAAA,EAAgB,IAAA,EAAuC;AAC3G,IAAA,MAAM,MAAA,GAAS,MAAM,IAAA,CAAK,iBAAA,CAAkB,SAAS,MAAM,CAAA;AAC3D,IAAA,OAAO,IAAA,CAAK,aAAA,CAAc,MAAA,CAAO,WAAA,EAAa,IAAI,CAAA;AAAA,EACpD;AAAA,EAEA,MAAM,sBAAA,CAAuB,OAAA,EAAuB,MAAA,EAAmC;AACrF,IAAA,MAAM,MAAA,GAAS,MAAM,IAAA,CAAK,iBAAA,CAAkB,SAAS,MAAM,CAAA;AAC3D,IAAA,OAAO,IAAA,CAAK,WAAA,CAAY,MAAA,CAAO,WAAW,CAAA;AAAA,EAC5C;AAAA,EAEA,MAAc,iBAAA,CAAkB,OAAA,EAAuB,MAAA,EAAuC;AAC5F,IAAA,MAAM,MAAA,GAAS,MAAM,OAAA,CAAQ,SAAA,CAAU,MAAM,CAAA;AAC7C,IAAA,IAAI,CAAC,MAAA,EAAQ;AACX,MAAA,MAAM,IAAI,YAAA,CAAa,eAAA,EAAiB,iDAAA,EAAmD,GAAG,CAAA;AAAA,IAChG;AAEA,IAAA,MAAM,QAAA,GAAW,IAAI,EAAA,GAAK,GAAA;AAC1B,IAAA,MAAM,YAAY,MAAA,CAAO,SAAA,CAAU,SAAQ,GAAI,QAAA,GAAW,KAAK,GAAA,EAAI;AACnE,IAAA,IAAI,CAAC,SAAA,EAAW;AACd,MAAA,OAAO,MAAA;AAAA,IACT;AAEA,IAAA,IAAI;AACF,MAAA,MAAM,SAAA,GAAY,MAAM,IAAA,CAAK,aAAA,CAAc,EAAE,YAAA,EAAc,MAAA,CAAO,cAAc,CAAA;AAChF,MAAA,MAAM,aAAA,GAA8B;AAAA,QAClC,aAAa,SAAA,CAAU,YAAA;AAAA,QACvB,YAAA,EAAc,SAAA,CAAU,aAAA,IAAiB,MAAA,CAAO,YAAA;AAAA,QAChD,SAAA,EAAW,IAAI,IAAA,CAAK,IAAA,CAAK,KAAI,GAAI,SAAA,CAAU,aAAa,GAAI,CAAA;AAAA,QAC5D,GAAI,SAAA,CAAU,KAAA,IAAS,MAAA,CAAO,KAAA,GAAQ,EAAE,KAAA,EAAO,SAAA,CAAU,KAAA,IAAS,MAAA,CAAO,KAAA,EAAM,GAAI;AAAC,OACtF;AACA,MAAA,MAAM,OAAA,CAAQ,SAAA,CAAU,MAAA,EAAQ,aAAa,CAAA;AAC7C,MAAA,OAAO,aAAA;AAAA,IACT,CAAA,CAAA,MAAQ;AACN,MAAA,MAAM,OAAA,CAAQ,aAAa,MAAM,CAAA;AACjC,MAAA,MAAM,IAAI,YAAA,CAAa,eAAA,EAAiB,sDAAA,EAAwD,GAAG,CAAA;AAAA,IACrG;AAAA,EACF;AACF","file":"server.js","sourcesContent":["import { PulseIdClient } from './client.js';\nimport { PulseIdError } from './errors.js';\nimport type {\n  Profile,\n  ProfileUpdate,\n  PulseIdConfig,\n  RefreshOptions,\n  TokenResponse,\n  UserInfo,\n} from './types.js';\n\nexport type ServerConfig = PulseIdConfig & {\n  clientSecret: string;\n  storage?: TokenStorage;\n};\n\nexport interface TokenStorage {\n  getTokens(userId: string): Promise<StoredTokens | null>;\n  setTokens(userId: string, tokens: StoredTokens): Promise<void>;\n  deleteTokens(userId: string): Promise<void>;\n}\n\nexport type StoredTokens = {\n  accessToken: string;\n  refreshToken: string;\n  expiresAt: Date;\n  scope?: string;\n};\n\nexport interface ProfileResource {\n  get(): Promise<Profile>;\n  update(data: ProfileUpdate): Promise<Profile>;\n}\n\nexport interface UserInfoResource {\n  get(): Promise<UserInfo>;\n}\n\nexport interface UserClient {\n  profile: ProfileResource;\n  userInfo: UserInfoResource;\n}\n\nexport class PulseIdServer extends PulseIdClient {\n  private readonly clientSecret: string;\n  private readonly storage: TokenStorage | undefined;\n\n  constructor(config: ServerConfig) {\n    if (!config.clientSecret) {\n      throw new Error('clientSecret is required for server-side operations');\n    }\n    super(config);\n    this.clientSecret = config.clientSecret;\n    this.storage = config.storage;\n  }\n\n  forUser(userId: string): UserClient {\n    if (!this.storage) {\n      throw new Error('storage must be configured to use forUser()');\n    }\n    const storage = this.storage;\n\n    return {\n      profile: {\n        get: () => this.getProfileWithRefresh(storage, userId),\n        update: (data: ProfileUpdate) => this.updateProfileWithRefresh(storage, userId, data),\n      },\n      userInfo: {\n        get: () => this.getUserInfoWithRefresh(storage, userId),\n      },\n    };\n  }\n\n  async exchangeCode(code: string, redirectUri: string, codeVerifier?: string): Promise<TokenResponse> {\n    const data: Record<string, string> = {\n      grant_type: 'authorization_code',\n      code,\n      redirect_uri: redirectUri,\n      client_id: this.config.clientId,\n      client_secret: this.clientSecret,\n    };\n    if (codeVerifier) {\n      data['code_verifier'] = codeVerifier;\n    }\n    return this.http.postForm<TokenResponse>('/token', data);\n  }\n\n  async refreshTokens(options: RefreshOptions): Promise<TokenResponse> {\n    const data: Record<string, string> = {\n      grant_type: 'refresh_token',\n      refresh_token: options.refreshToken,\n      client_id: this.config.clientId,\n      client_secret: this.clientSecret,\n    };\n    if (options.scope) {\n      data['scope'] = options.scope;\n    }\n    return this.http.postForm<TokenResponse>('/token', data);\n  }\n\n  async revokeToken(token: string, tokenTypeHint?: 'access_token' | 'refresh_token'): Promise<void> {\n    const data: Record<string, string> = {\n      token,\n      client_id: this.config.clientId,\n      client_secret: this.clientSecret,\n    };\n    if (tokenTypeHint) {\n      data['token_type_hint'] = tokenTypeHint;\n    }\n    await this.http.postForm<void>('/revoke', data);\n  }\n\n  async getProfileWithRefresh(storage: TokenStorage, userId: string): Promise<Profile> {\n    const tokens = await this.ensureValidTokens(storage, userId);\n    return this.getProfile(tokens.accessToken);\n  }\n\n  async updateProfileWithRefresh(storage: TokenStorage, userId: string, data: ProfileUpdate): Promise<Profile> {\n    const tokens = await this.ensureValidTokens(storage, userId);\n    return this.updateProfile(tokens.accessToken, data);\n  }\n\n  async getUserInfoWithRefresh(storage: TokenStorage, userId: string): Promise<UserInfo> {\n    const tokens = await this.ensureValidTokens(storage, userId);\n    return this.getUserInfo(tokens.accessToken);\n  }\n\n  private async ensureValidTokens(storage: TokenStorage, userId: string): Promise<StoredTokens> {\n    const tokens = await storage.getTokens(userId);\n    if (!tokens) {\n      throw new PulseIdError('invalid_token', 'No tokens found. User needs to re-authenticate.', 401);\n    }\n\n    const bufferMs = 5 * 60 * 1000;\n    const isExpired = tokens.expiresAt.getTime() - bufferMs < Date.now();\n    if (!isExpired) {\n      return tokens;\n    }\n\n    try {\n      const newTokens = await this.refreshTokens({ refreshToken: tokens.refreshToken });\n      const updatedTokens: StoredTokens = {\n        accessToken: newTokens.access_token,\n        refreshToken: newTokens.refresh_token ?? tokens.refreshToken,\n        expiresAt: new Date(Date.now() + newTokens.expires_in * 1000),\n        ...(newTokens.scope ?? tokens.scope ? { scope: newTokens.scope ?? tokens.scope } : {}),\n      };\n      await storage.setTokens(userId, updatedTokens);\n      return updatedTokens;\n    } catch {\n      await storage.deleteTokens(userId);\n      throw new PulseIdError('invalid_token', 'Token refresh failed. User needs to re-authenticate.', 401);\n    }\n  }\n}\n\nexport type { TokenResponse, Profile, ProfileUpdate, PulseIdConfig, UserInfo } from './types.js';\nexport { PulseIdError, InvalidTokenError, InsufficientScopeError } from './errors.js';\n"]}

package/package.json

@@ -0,0 +1,75 @@
+{
+  "name": "@pulseid/client",
+  "version": "0.1.0",
+  "description": "TypeScript SDK for PULSE ID - Your athlete identity",
+  "author": "Patrick Hübl-Neschkudla <patrick@pulserunning.at>",
+  "license": "MIT",
+  "type": "module",
+  "main": "./dist/index.js",
+  "module": "./dist/index.js",
+  "types": "./dist/index.d.ts",
+  "exports": {
+    ".": {
+      "import": "./dist/index.js",
+      "types": "./dist/index.d.ts"
+    },
+    "./server": {
+      "import": "./dist/server.js",
+      "types": "./dist/server.d.ts"
+    }
+  },
+  "files": [
+    "dist",
+    "README.md"
+  ],
+  "engines": {
+    "node": ">=22.0.0"
+  },
+  "scripts": {
+    "build": "tsup",
+    "dev": "tsup --watch",
+    "test": "vitest run",
+    "test:watch": "vitest",
+    "test:coverage": "vitest run --coverage",
+    "lint": "eslint src --ext .ts",
+    "typecheck": "tsc --noEmit",
+    "clean": "rm -rf dist",
+    "changeset": "changeset",
+    "version": "changeset version",
+    "release": "pnpm build && changeset publish",
+    "prepublishOnly": "npm run build",
+    "docs:dev": "cd docs && pnpm dev",
+    "docs:build": "cd docs && pnpm build"
+  },
+  "devDependencies": {
+    "@changesets/changelog-github": "0.5.2",
+    "@changesets/cli": "2.29.8",
+    "@types/node": "22.15.3",
+    "@vitest/coverage-v8": "4.0.18",
+    "eslint": "9.39.2",
+    "tsup": "8.5.1",
+    "typescript": "5.8.3",
+    "vitest": "4.0.18"
+  },
+  "keywords": [
+    "pulse",
+    "pulseid",
+    "oauth",
+    "oidc",
+    "authentication",
+    "identity",
+    "sports",
+    "athlete"
+  ],
+  "repository": {
+    "type": "git",
+    "url": "git+https://github.com/flipace/pulse-id-sdk-ts.git"
+  },
+  "bugs": {
+    "url": "https://github.com/flipace/pulse-id-sdk-ts/issues"
+  },
+  "homepage": "https://github.com/flipace/pulse-id-sdk-ts#readme",
+  "directories": {
+    "doc": "docs"
+  }
+}