@rx-ted/packages-auth 1.0.0

package/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2026 Ben
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

package/README.md

@@ -0,0 +1,194 @@
+# @rx-ted/packages-auth
+
+Auth 客户端库，提供内存 Token 存储、刷新去重、Pinia 状态管理，与 `@rx-ted/packages-http-client` 配合使用。
+
+## 安装
+
+```bash
+pnpm add @rx-ted/packages-auth
+```
+
+需要 peer 依赖：`vue`、`pinia`。
+
+## 快速开始
+
+### 1. 创建认证提供者并注入 HTTP 客户端
+
+```typescript
+import { setAuthProvider } from '@rx-ted/packages-http-client';
+import { tokenStorage, refreshHandler, createAuthProvider } from '@rx-ted/packages-auth';
+
+setAuthProvider(
+  createAuthProvider({
+    tokenStorage,
+    refreshHandler,
+    baseUrl: '/api/v1',
+    onAuthFailure: () => {
+      window.location.href = '/login';
+    },
+  }),
+);
+```
+
+### 2. 创建 Pinia Store
+
+```typescript
+import { createAuthStore } from '@rx-ted/packages-auth';
+
+export const useSessionStore = createAuthStore('session');
+```
+
+在组件中使用：
+
+```typescript
+import { useSessionStore } from '@/stores/session';
+
+const store = useSessionStore();
+
+// 登录
+await store.login({ email: 'user@example.com', password: '***' });
+
+// 启动时自动刷新 token
+await store.bootstrap();
+
+// 登出
+await store.logout();
+
+// 响应式状态
+console.log(store.isAuthenticated);
+console.log(store.user);
+console.log(store.loading);
+```
+
+## API
+
+### `TokenStorage`
+
+内存 token 存储，跨标签页同步（`BroadcastChannel`）：
+
+```typescript
+import { TokenStorage, tokenStorage } from '@rx-ted/packages-auth';
+
+const storage = new TokenStorage();
+
+storage.token = 'my-token';           // 写入（同步广播到其他标签页）
+console.log(storage.token);           // 读取
+
+const unsub = storage.subscribe((token) => {
+  console.log('token changed:', token);
+});
+unsub(); // 取消订阅
+
+storage.destroy(); // 清理
+```
+
+通常直接使用默认单例 `tokenStorage`。
+
+### `RefreshQueue` / `refreshHandler`
+
+Token 刷新去重队列，防止并发刷新：
+
+```typescript
+import { refreshHandler } from '@rx-ted/packages-auth';
+
+// refreshToken 方法已内嵌在 createAuthStore 中
+const newToken = await store.refreshToken();
+```
+
+内部实现为 `RefreshQueue`（来自 `@rx-ted/packages-http-client`），确保同一时间只发一次刷新请求，多个等待者共享结果。
+
+### `createAuthProvider(config)`
+
+创建与 `@rx-ted/packages-http-client` 兼容的 `AuthProvider`：
+
+| 参数              | 类型                         | 必填 | 说明                           |
+| ----------------- | ---------------------------- | ---- | ------------------------------ |
+| `tokenStorage`    | `TokenStorage`               | 是   | Token 存储实例                |
+| `refreshHandler`  | `RefreshHandler`             | 是   | 刷新去重实例                  |
+| `baseUrl`         | `string`                     | 否   | API 基础路径，默认 `/api/v1`  |
+| `onAuthFailure`   | `(reason?: string) => void`  | 否   | 认证失败回调（跳转登录页等）  |
+
+返回的 `AuthProvider` 包含 `getToken`、`refreshToken`、`onAuthFailure` 方法。
+
+刷新流程：
+
+- `POST {baseUrl}/auth/refresh` with `credentials: 'include'`
+- 识别 token 被盗用（`TOKEN_STOLEN` / `reuse detected`），在 `sessionStorage` 标记
+- 刷新失败返回 `null`
+
+### `createAuthStore(id)`
+
+创建 Pinia auth store：
+
+| 状态 / 方法        | 类型                              | 说明                         |
+| ------------------ | --------------------------------- | ---------------------------- |
+| `user`             | `Ref<AuthUser \| null>`           | 当前用户                     |
+| `token`            | `Ref<string \| null>`             | Access Token                 |
+| `loading`          | `Ref<boolean>`                    | 请求中                       |
+| `isAuthenticated`  | `ComputedRef<boolean>`            | 是否已认证                   |
+| `login(params)`    | `(params) => Promise<LoginResponse>` | 登录（POST /auth/login）  |
+| `logout()`         | `() => Promise<void>`             | 登出（POST /auth/logout）    |
+| `refreshToken()`   | `() => Promise<string \| null>`   | 刷新 token                   |
+| `bootstrap()`      | `() => Promise<void>`             | 应用启动时自动恢复认证状态   |
+| `clearSession()`   | `() => void`                      | 清除本地 session              |
+
+**`bootstrap` 流程：**
+
+1. 检查 `tokenStorage` 中是否有 token
+2. 若无，尝试调用 `POST /auth/refresh`
+3. 若有 token 或刷新成功，调用 `GET /auth/me` 获取用户信息
+4. 失败则清除 token
+
+### 类型
+
+```typescript
+interface AuthUser {
+  id: string;
+  email: string;
+  name?: string;
+  // ...
+}
+
+interface LoginParams {
+  email: string;
+  password: string;
+  // ...
+}
+
+interface LoginResponse {
+  accessToken: string;
+  user: AuthUser;
+}
+
+interface TokenPair {
+  accessToken: string;
+  refreshToken: string;
+}
+```
+
+## 架构
+
+```
+┌─────────────────────┐
+│     Application     │
+├─────────────────────┤
+│  createAuthStore()  │  ← Pinia Store (login/logout/bootstrap)
+├─────────────────────┤
+│  createAuthProvider │  ← 适配 http-client 的 AuthProvider
+├────────┬────────────┤
+│        │            │
+│  TokenStorage      │  RefreshQueue (from http-client)
+│  (内存 + Broadcast  │  (刷新去重)
+│    Channel 跨页同步) │
+└────────┴────────────┘
+         │
+         ▼
+  fetch(/api/v1/auth/*)
+  或 @rx-ted/packages-http-client
+```
+
+## 测试
+
+```bash
+pnpm test
+```

package/dist/index.cjs

@@ -0,0 +1,193 @@
+'use strict';
+
+var packagesHttpClient = require('@rx-ted/packages-http-client');
+var pinia = require('pinia');
+var vue = require('vue');
+
+// src/tokenStorage.ts
+var AUTH_CHANNEL = "auth:token";
+var TokenStorage = class {
+  _token = null;
+  listeners = /* @__PURE__ */ new Set();
+  channel = null;
+  constructor() {
+    if (typeof BroadcastChannel !== "undefined") {
+      try {
+        this.channel = new BroadcastChannel(AUTH_CHANNEL);
+        this.channel.onmessage = (event) => {
+          if (event.data?.type === "token_updated") {
+            this._token = event.data.token ?? null;
+            this.notify();
+          }
+        };
+      } catch {
+      }
+    }
+  }
+  get token() {
+    return this._token;
+  }
+  set token(value) {
+    this._token = value;
+    this.channel?.postMessage({ type: "token_updated", token: value });
+    this.notify();
+  }
+  subscribe(listener) {
+    this.listeners.add(listener);
+    return () => this.listeners.delete(listener);
+  }
+  notify() {
+    for (const fn of this.listeners) fn(this._token);
+  }
+  destroy() {
+    this.listeners.clear();
+    this.channel?.close();
+  }
+};
+var tokenStorage = new TokenStorage();
+var refreshHandler = new packagesHttpClient.RefreshQueue();
+
+// src/authProvider.ts
+var STOLEN_KEY = "auth:stolen";
+function createAuthProvider(config) {
+  const { tokenStorage: tokenStorage2, refreshHandler: refreshHandler2, baseUrl = "/api/v1", onAuthFailure } = config;
+  async function doRefresh() {
+    try {
+      const res = await fetch(`${baseUrl}/auth/refresh`, {
+        method: "POST",
+        credentials: "include",
+        headers: { Accept: "application/json" }
+      });
+      if (!res.ok) {
+        const body = await res.json().catch(() => ({}));
+        const message = body?.message ?? "";
+        if (message.includes("reuse detected") || message.includes("TOKEN_STOLEN")) {
+          if (typeof sessionStorage !== "undefined") {
+            sessionStorage.setItem(STOLEN_KEY, "1");
+          }
+        }
+        return null;
+      }
+      const data = await res.json();
+      tokenStorage2.token = data.accessToken;
+      return data.accessToken;
+    } catch {
+      return null;
+    }
+  }
+  return {
+    getToken: () => tokenStorage2.token,
+    refreshToken: () => refreshHandler2.refresh(doRefresh),
+    onAuthFailure: (reason) => {
+      tokenStorage2.token = null;
+      onAuthFailure?.(reason);
+    }
+  };
+}
+var AUTH_API = "/api/v1/auth";
+async function silentRefresh() {
+  try {
+    const res = await fetch(`${AUTH_API}/refresh`, {
+      method: "POST",
+      credentials: "include",
+      headers: { Accept: "application/json" }
+    });
+    if (!res.ok) return null;
+    const data = await res.json();
+    tokenStorage.token = data.accessToken;
+    return data.accessToken;
+  } catch {
+    return null;
+  }
+}
+function createAuthStore(id) {
+  return pinia.defineStore(id, () => {
+    const user = vue.ref(null);
+    const loading = vue.ref(false);
+    const token = vue.ref(tokenStorage.token);
+    const isAuthenticated = vue.computed(() => !!token.value && !!user.value);
+    tokenStorage.subscribe((t) => {
+      token.value = t;
+      if (!t) user.value = null;
+    });
+    async function login(params) {
+      loading.value = true;
+      try {
+        const res = await fetch(`${AUTH_API}/login`, {
+          method: "POST",
+          headers: { "Content-Type": "application/json" },
+          body: JSON.stringify(params),
+          credentials: "include"
+        });
+        if (!res.ok) {
+          const err = await res.json();
+          throw new Error(err.message ?? "Login failed");
+        }
+        const data = await res.json();
+        tokenStorage.token = data.accessToken;
+        token.value = data.accessToken;
+        user.value = data.user;
+        return data;
+      } finally {
+        loading.value = false;
+      }
+    }
+    async function refreshToken() {
+      return refreshHandler.refresh(silentRefresh);
+    }
+    async function bootstrap() {
+      let token2 = tokenStorage.token;
+      if (!token2) {
+        token2 = await refreshToken();
+      }
+      if (token2) {
+        try {
+          const res = await fetch(`${AUTH_API}/me`, {
+            headers: { Authorization: `Bearer ${token2}` }
+          });
+          if (res.ok) {
+            const data = await res.json();
+            user.value = data.data ?? data;
+            return;
+          }
+        } catch {
+        }
+        tokenStorage.token = null;
+        user.value = null;
+      }
+    }
+    async function logout() {
+      try {
+        await fetch(`${AUTH_API}/logout`, { method: "POST", credentials: "include" });
+      } catch {
+      }
+      tokenStorage.token = null;
+      user.value = null;
+    }
+    function clearSession() {
+      tokenStorage.token = null;
+      user.value = null;
+    }
+    return {
+      user,
+      token,
+      loading,
+      isAuthenticated,
+      login,
+      logout,
+      refreshToken,
+      bootstrap,
+      clearSession
+    };
+  });
+}
+
+Object.defineProperty(exports, "RefreshQueue", {
+  enumerable: true,
+  get: function () { return packagesHttpClient.RefreshQueue; }
+});
+exports.TokenStorage = TokenStorage;
+exports.createAuthProvider = createAuthProvider;
+exports.createAuthStore = createAuthStore;
+exports.refreshHandler = refreshHandler;
+exports.tokenStorage = tokenStorage;

package/dist/index.d.cts

@@ -0,0 +1,149 @@
+import { RefreshQueue } from '@rx-ted/packages-http-client';
+export { RefreshQueue as RefreshHandler, RefreshQueue } from '@rx-ted/packages-http-client';
+import * as pinia from 'pinia';
+import * as vue from 'vue';
+
+interface AuthUser {
+    userId: string;
+    username: string;
+    preferredLocale: string;
+    roles: string[];
+    permissions: string[];
+    tokenVersion: number;
+    lastLoginAt: string | null;
+    nickname: string | null;
+    avatarUrl: string | null;
+}
+interface LoginParams {
+    username: string;
+    password: string;
+}
+interface TokenPair {
+    accessToken: string;
+    expiresIn: string;
+}
+interface LoginResponse extends TokenPair {
+    sessionId: string;
+    user: AuthUser;
+}
+
+declare class TokenStorage {
+    private _token;
+    private listeners;
+    private channel;
+    constructor();
+    get token(): string | null;
+    set token(value: string | null);
+    subscribe(listener: (token: string | null) => void): () => void;
+    private notify;
+    destroy(): void;
+}
+declare const tokenStorage: TokenStorage;
+
+declare const refreshHandler: RefreshQueue;
+
+interface AuthProviderConfig {
+    tokenStorage: TokenStorage;
+    refreshHandler: RefreshQueue;
+    baseUrl?: string;
+    onAuthFailure?: (reason?: string) => void;
+}
+declare function createAuthProvider(config: AuthProviderConfig): {
+    getToken: () => string | null;
+    refreshToken: () => Promise<string | null>;
+    onAuthFailure: (reason?: string) => void;
+};
+
+declare function createAuthStore(id: string): pinia.StoreDefinition<string, Pick<{
+    user: vue.Ref<{
+        userId: string;
+        username: string;
+        preferredLocale: string;
+        roles: string[];
+        permissions: string[];
+        tokenVersion: number;
+        lastLoginAt: string | null;
+        nickname: string | null;
+        avatarUrl: string | null;
+    } | null, AuthUser | {
+        userId: string;
+        username: string;
+        preferredLocale: string;
+        roles: string[];
+        permissions: string[];
+        tokenVersion: number;
+        lastLoginAt: string | null;
+        nickname: string | null;
+        avatarUrl: string | null;
+    } | null>;
+    token: vue.Ref<string | null, string | null>;
+    loading: vue.Ref<boolean, boolean>;
+    isAuthenticated: vue.ComputedRef<boolean>;
+    login: (params: LoginParams) => Promise<LoginResponse>;
+    logout: () => Promise<void>;
+    refreshToken: () => Promise<string | null>;
+    bootstrap: () => Promise<void>;
+    clearSession: () => void;
+}, "user" | "token" | "loading">, Pick<{
+    user: vue.Ref<{
+        userId: string;
+        username: string;
+        preferredLocale: string;
+        roles: string[];
+        permissions: string[];
+        tokenVersion: number;
+        lastLoginAt: string | null;
+        nickname: string | null;
+        avatarUrl: string | null;
+    } | null, AuthUser | {
+        userId: string;
+        username: string;
+        preferredLocale: string;
+        roles: string[];
+        permissions: string[];
+        tokenVersion: number;
+        lastLoginAt: string | null;
+        nickname: string | null;
+        avatarUrl: string | null;
+    } | null>;
+    token: vue.Ref<string | null, string | null>;
+    loading: vue.Ref<boolean, boolean>;
+    isAuthenticated: vue.ComputedRef<boolean>;
+    login: (params: LoginParams) => Promise<LoginResponse>;
+    logout: () => Promise<void>;
+    refreshToken: () => Promise<string | null>;
+    bootstrap: () => Promise<void>;
+    clearSession: () => void;
+}, "isAuthenticated">, Pick<{
+    user: vue.Ref<{
+        userId: string;
+        username: string;
+        preferredLocale: string;
+        roles: string[];
+        permissions: string[];
+        tokenVersion: number;
+        lastLoginAt: string | null;
+        nickname: string | null;
+        avatarUrl: string | null;
+    } | null, AuthUser | {
+        userId: string;
+        username: string;
+        preferredLocale: string;
+        roles: string[];
+        permissions: string[];
+        tokenVersion: number;
+        lastLoginAt: string | null;
+        nickname: string | null;
+        avatarUrl: string | null;
+    } | null>;
+    token: vue.Ref<string | null, string | null>;
+    loading: vue.Ref<boolean, boolean>;
+    isAuthenticated: vue.ComputedRef<boolean>;
+    login: (params: LoginParams) => Promise<LoginResponse>;
+    logout: () => Promise<void>;
+    refreshToken: () => Promise<string | null>;
+    bootstrap: () => Promise<void>;
+    clearSession: () => void;
+}, "login" | "logout" | "refreshToken" | "bootstrap" | "clearSession">>;
+
+export { type AuthProviderConfig, type AuthUser, type LoginParams, type LoginResponse, type TokenPair, TokenStorage, createAuthProvider, createAuthStore, refreshHandler, tokenStorage };

package/dist/index.d.ts

@@ -0,0 +1,149 @@
+import { RefreshQueue } from '@rx-ted/packages-http-client';
+export { RefreshQueue as RefreshHandler, RefreshQueue } from '@rx-ted/packages-http-client';
+import * as pinia from 'pinia';
+import * as vue from 'vue';
+
+interface AuthUser {
+    userId: string;
+    username: string;
+    preferredLocale: string;
+    roles: string[];
+    permissions: string[];
+    tokenVersion: number;
+    lastLoginAt: string | null;
+    nickname: string | null;
+    avatarUrl: string | null;
+}
+interface LoginParams {
+    username: string;
+    password: string;
+}
+interface TokenPair {
+    accessToken: string;
+    expiresIn: string;
+}
+interface LoginResponse extends TokenPair {
+    sessionId: string;
+    user: AuthUser;
+}
+
+declare class TokenStorage {
+    private _token;
+    private listeners;
+    private channel;
+    constructor();
+    get token(): string | null;
+    set token(value: string | null);
+    subscribe(listener: (token: string | null) => void): () => void;
+    private notify;
+    destroy(): void;
+}
+declare const tokenStorage: TokenStorage;
+
+declare const refreshHandler: RefreshQueue;
+
+interface AuthProviderConfig {
+    tokenStorage: TokenStorage;
+    refreshHandler: RefreshQueue;
+    baseUrl?: string;
+    onAuthFailure?: (reason?: string) => void;
+}
+declare function createAuthProvider(config: AuthProviderConfig): {
+    getToken: () => string | null;
+    refreshToken: () => Promise<string | null>;
+    onAuthFailure: (reason?: string) => void;
+};
+
+declare function createAuthStore(id: string): pinia.StoreDefinition<string, Pick<{
+    user: vue.Ref<{
+        userId: string;
+        username: string;
+        preferredLocale: string;
+        roles: string[];
+        permissions: string[];
+        tokenVersion: number;
+        lastLoginAt: string | null;
+        nickname: string | null;
+        avatarUrl: string | null;
+    } | null, AuthUser | {
+        userId: string;
+        username: string;
+        preferredLocale: string;
+        roles: string[];
+        permissions: string[];
+        tokenVersion: number;
+        lastLoginAt: string | null;
+        nickname: string | null;
+        avatarUrl: string | null;
+    } | null>;
+    token: vue.Ref<string | null, string | null>;
+    loading: vue.Ref<boolean, boolean>;
+    isAuthenticated: vue.ComputedRef<boolean>;
+    login: (params: LoginParams) => Promise<LoginResponse>;
+    logout: () => Promise<void>;
+    refreshToken: () => Promise<string | null>;
+    bootstrap: () => Promise<void>;
+    clearSession: () => void;
+}, "user" | "token" | "loading">, Pick<{
+    user: vue.Ref<{
+        userId: string;
+        username: string;
+        preferredLocale: string;
+        roles: string[];
+        permissions: string[];
+        tokenVersion: number;
+        lastLoginAt: string | null;
+        nickname: string | null;
+        avatarUrl: string | null;
+    } | null, AuthUser | {
+        userId: string;
+        username: string;
+        preferredLocale: string;
+        roles: string[];
+        permissions: string[];
+        tokenVersion: number;
+        lastLoginAt: string | null;
+        nickname: string | null;
+        avatarUrl: string | null;
+    } | null>;
+    token: vue.Ref<string | null, string | null>;
+    loading: vue.Ref<boolean, boolean>;
+    isAuthenticated: vue.ComputedRef<boolean>;
+    login: (params: LoginParams) => Promise<LoginResponse>;
+    logout: () => Promise<void>;
+    refreshToken: () => Promise<string | null>;
+    bootstrap: () => Promise<void>;
+    clearSession: () => void;
+}, "isAuthenticated">, Pick<{
+    user: vue.Ref<{
+        userId: string;
+        username: string;
+        preferredLocale: string;
+        roles: string[];
+        permissions: string[];
+        tokenVersion: number;
+        lastLoginAt: string | null;
+        nickname: string | null;
+        avatarUrl: string | null;
+    } | null, AuthUser | {
+        userId: string;
+        username: string;
+        preferredLocale: string;
+        roles: string[];
+        permissions: string[];
+        tokenVersion: number;
+        lastLoginAt: string | null;
+        nickname: string | null;
+        avatarUrl: string | null;
+    } | null>;
+    token: vue.Ref<string | null, string | null>;
+    loading: vue.Ref<boolean, boolean>;
+    isAuthenticated: vue.ComputedRef<boolean>;
+    login: (params: LoginParams) => Promise<LoginResponse>;
+    logout: () => Promise<void>;
+    refreshToken: () => Promise<string | null>;
+    bootstrap: () => Promise<void>;
+    clearSession: () => void;
+}, "login" | "logout" | "refreshToken" | "bootstrap" | "clearSession">>;
+
+export { type AuthProviderConfig, type AuthUser, type LoginParams, type LoginResponse, type TokenPair, TokenStorage, createAuthProvider, createAuthStore, refreshHandler, tokenStorage };

package/dist/index.js

@@ -0,0 +1,184 @@
+import { RefreshQueue } from '@rx-ted/packages-http-client';
+export { RefreshQueue } from '@rx-ted/packages-http-client';
+import { defineStore } from 'pinia';
+import { ref, computed } from 'vue';
+
+// src/tokenStorage.ts
+var AUTH_CHANNEL = "auth:token";
+var TokenStorage = class {
+  _token = null;
+  listeners = /* @__PURE__ */ new Set();
+  channel = null;
+  constructor() {
+    if (typeof BroadcastChannel !== "undefined") {
+      try {
+        this.channel = new BroadcastChannel(AUTH_CHANNEL);
+        this.channel.onmessage = (event) => {
+          if (event.data?.type === "token_updated") {
+            this._token = event.data.token ?? null;
+            this.notify();
+          }
+        };
+      } catch {
+      }
+    }
+  }
+  get token() {
+    return this._token;
+  }
+  set token(value) {
+    this._token = value;
+    this.channel?.postMessage({ type: "token_updated", token: value });
+    this.notify();
+  }
+  subscribe(listener) {
+    this.listeners.add(listener);
+    return () => this.listeners.delete(listener);
+  }
+  notify() {
+    for (const fn of this.listeners) fn(this._token);
+  }
+  destroy() {
+    this.listeners.clear();
+    this.channel?.close();
+  }
+};
+var tokenStorage = new TokenStorage();
+var refreshHandler = new RefreshQueue();
+
+// src/authProvider.ts
+var STOLEN_KEY = "auth:stolen";
+function createAuthProvider(config) {
+  const { tokenStorage: tokenStorage2, refreshHandler: refreshHandler2, baseUrl = "/api/v1", onAuthFailure } = config;
+  async function doRefresh() {
+    try {
+      const res = await fetch(`${baseUrl}/auth/refresh`, {
+        method: "POST",
+        credentials: "include",
+        headers: { Accept: "application/json" }
+      });
+      if (!res.ok) {
+        const body = await res.json().catch(() => ({}));
+        const message = body?.message ?? "";
+        if (message.includes("reuse detected") || message.includes("TOKEN_STOLEN")) {
+          if (typeof sessionStorage !== "undefined") {
+            sessionStorage.setItem(STOLEN_KEY, "1");
+          }
+        }
+        return null;
+      }
+      const data = await res.json();
+      tokenStorage2.token = data.accessToken;
+      return data.accessToken;
+    } catch {
+      return null;
+    }
+  }
+  return {
+    getToken: () => tokenStorage2.token,
+    refreshToken: () => refreshHandler2.refresh(doRefresh),
+    onAuthFailure: (reason) => {
+      tokenStorage2.token = null;
+      onAuthFailure?.(reason);
+    }
+  };
+}
+var AUTH_API = "/api/v1/auth";
+async function silentRefresh() {
+  try {
+    const res = await fetch(`${AUTH_API}/refresh`, {
+      method: "POST",
+      credentials: "include",
+      headers: { Accept: "application/json" }
+    });
+    if (!res.ok) return null;
+    const data = await res.json();
+    tokenStorage.token = data.accessToken;
+    return data.accessToken;
+  } catch {
+    return null;
+  }
+}
+function createAuthStore(id) {
+  return defineStore(id, () => {
+    const user = ref(null);
+    const loading = ref(false);
+    const token = ref(tokenStorage.token);
+    const isAuthenticated = computed(() => !!token.value && !!user.value);
+    tokenStorage.subscribe((t) => {
+      token.value = t;
+      if (!t) user.value = null;
+    });
+    async function login(params) {
+      loading.value = true;
+      try {
+        const res = await fetch(`${AUTH_API}/login`, {
+          method: "POST",
+          headers: { "Content-Type": "application/json" },
+          body: JSON.stringify(params),
+          credentials: "include"
+        });
+        if (!res.ok) {
+          const err = await res.json();
+          throw new Error(err.message ?? "Login failed");
+        }
+        const data = await res.json();
+        tokenStorage.token = data.accessToken;
+        token.value = data.accessToken;
+        user.value = data.user;
+        return data;
+      } finally {
+        loading.value = false;
+      }
+    }
+    async function refreshToken() {
+      return refreshHandler.refresh(silentRefresh);
+    }
+    async function bootstrap() {
+      let token2 = tokenStorage.token;
+      if (!token2) {
+        token2 = await refreshToken();
+      }
+      if (token2) {
+        try {
+          const res = await fetch(`${AUTH_API}/me`, {
+            headers: { Authorization: `Bearer ${token2}` }
+          });
+          if (res.ok) {
+            const data = await res.json();
+            user.value = data.data ?? data;
+            return;
+          }
+        } catch {
+        }
+        tokenStorage.token = null;
+        user.value = null;
+      }
+    }
+    async function logout() {
+      try {
+        await fetch(`${AUTH_API}/logout`, { method: "POST", credentials: "include" });
+      } catch {
+      }
+      tokenStorage.token = null;
+      user.value = null;
+    }
+    function clearSession() {
+      tokenStorage.token = null;
+      user.value = null;
+    }
+    return {
+      user,
+      token,
+      loading,
+      isAuthenticated,
+      login,
+      logout,
+      refreshToken,
+      bootstrap,
+      clearSession
+    };
+  });
+}
+
+export { TokenStorage, createAuthProvider, createAuthStore, refreshHandler, tokenStorage };

package/package.json

@@ -0,0 +1,45 @@
+{
+  "name": "@rx-ted/packages-auth",
+  "version": "1.0.0",
+  "type": "module",
+  "description": "Auth client: in-memory token storage, refresh queue, Pinia store factory",
+  "main": "./dist/index.cjs",
+  "types": "./dist/index.d.ts",
+  "exports": {
+    ".": {
+      "types": "./dist/index.d.ts",
+      "import": "./dist/index.js",
+      "require": "./dist/index.cjs"
+    }
+  },
+  "files": [
+    "dist"
+  ],
+  "author": "rx-ted",
+  "license": "MIT",
+  "publishConfig": {
+    "access": "public"
+  },
+  "dependencies": {
+    "@rx-ted/packages-http-client": "^1.0.0"
+  },
+  "peerDependencies": {
+    "pinia": "^3.0.4",
+    "vue": "^3.5.34"
+  },
+  "devDependencies": {
+    "pinia": "^3.0.4",
+    "tsup": "^8.5.1",
+    "typescript": "^6.0.3",
+    "vitest": "^4.1.7",
+    "vue": "^3.5.35"
+  },
+  "scripts": {
+    "build": "tsup",
+    "dev": "tsup --watch",
+    "typecheck": "tsc -p tsconfig.json --noEmit",
+    "test": "vitest run",
+    "test:watch": "vitest",
+    "test:coverage": "vitest run --coverage"
+  }
+}