npm - @softwarepatterns/am - Versions diffs - 0.0.2 → 0.2.0 - Mend

@softwarepatterns/am 0.0.2 → 0.2.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (9) hide show

package/dist/index.d.ts CHANGED Viewed

@@ -57,6 +57,8 @@ type UserId = `uid${string}`;
 type AccountId = `acc${string}`;
 /** Identifier for a membership linking a user to an account. */
 type MembershipId = `mbr${string}`;
+/** Identifier for an application (namespace for users and clients). */
+type ApplicationId = `app${string}`;
 /**
  * Possible statuses for an account.
  *
@@ -80,6 +82,8 @@ type AccountStatus = "active" | "trial" | "past_due" | "suspended" | "closed";
  */
 type AccountResource = {
     id: AccountId;
+    /** Parent application ID - accounts always belong to an application */
+    parentId: ApplicationId;
     /** Display name chosen by the account owner */
     name: string | null;
     /** URL to the account's avatar image */
@@ -98,14 +102,17 @@ type AccountResource = {
  * - suspended: Access restricted due to billing or policy
  * - closed: Permanently closed
  */
-type UserStatus = "active" | "trial" | "past_due" | "suspended" | "closed";
+type UserStatus = "active" | "disabled" | "suspended" | "deleted";
 /**
  * A reference to a user. Will not be deleted even due to GDPR requests or account closures,
  * to maintain referential integrity in audit logs and historical records.
+ *
+ * Users belong to an Application. They access Accounts via Memberships.
  */
 type UserResource = {
     id: UserId;
-    accountId: AccountId;
+    /** The application this user belongs to */
+    applicationId: ApplicationId;
     status: UserStatus;
     preferredMembershipId: MembershipId | null;
 };
@@ -174,17 +181,21 @@ type SessionTokens = {
 type SessionProfile = UserResource & {
     identity: UserIdentity | null;
     emailCredentials: EmailCredential[];
-    memberships: Membership[];
-    /** Currently active membership in the accessToken (determined by preferredMembershipId or context) */
+    memberships: (Membership & {
+        account: AccountResource;
+    })[];
+    /** Currently active membership in the accessToken */
     activeMembership: Membership | null;
     lastUpdatedAt: number;
+    /** Convenience: the account ID from the active membership (for navigation) */
+    accountId: AccountId | null;
 };
 /**
  * Combined authentication state containing tokens and optional profile.
  */
 type Authentication = {
     tokens: SessionTokens;
-    profile: SessionProfile | null;
+    profile: SessionProfile;
 };
 /**
  * Result of checkEmail() indicating whether the email is registered.
@@ -213,34 +224,21 @@ type Config = {
     baseUrl: string;
     earlyRefreshMs: number;
     fetchFn: FetchFn;
-    onRefresh?: (tokens: SessionTokens) => void | Promise<void>;
-    onProfileRefetch?: (profile: SessionProfile) => void | Promise<void>;
-    onUnauthenticated?: (e: AuthError) => void | Promise<void>;
     profileStorageKey: string;
     storage: StorageConfig;
     tokensStorageKey: string;
 };
+type AuthEventMap = {
+    refresh: SessionTokens;
+    profileChange: SessionProfile;
+    unauthenticated: AuthError;
+    sessionChange: AuthSession | null;
+};
 /**
- * Error type for authentication-related failures.
- *
- * Always thrown on non-2xx responses from auth endpoints. Contains structured ProblemDetails
- * from the server when available.
- *
- * Most 400 errors will also contain `invalidParams` for parameters that caused
- * the error, which can be used to display field-level validation messages.
+ * AuthError represents structured authentication failures from Accountmaker endpoints.
  *
- * Note that network errors, timeouts, etc. will throw other Error types (e.g. TypeError) unrelated
- * to AuthError.
- *
- * Note that HTTP error codes are distinctly:
- * - 400: Client error (bad request, invalid input, etc.)
- * - 401: Unauthenticated (we don't know who you are)
- * - 402: Payment required (e.g. billing issue)
- * - 403: Unauthorized (we know who you are, but you don't have permission)
- * - 404: Not found
- * - 409: Conflict (email already registered, user already invited, etc.)
- * - 429: Too many requests (rate limiting)
- * - 500: Internal server error (server's fault)
+ * AuthError wraps RFC 7807 Problem Details. invalidParams may be present for field-level validation.
+ * Network failures throw other error types.
  *
  * Also note that the `type` field often contains a URI that points to documentation about the
  * specific error type, including how to resolve it, code samples, and links to the RFCs or other
@@ -263,6 +261,16 @@ type Config = {
  *   }
  * }
  * ```
+ *
+ * Note that HTTP error codes are distinctly:
+ * - 400: Client error (bad request, invalid input, etc.)
+ * - 401: Unauthenticated (we don't know who you are)
+ * - 402: Payment required (e.g. billing issue)
+ * - 403: Unauthorized (we know who you are, but you don't have permission)
+ * - 404: Not found
+ * - 409: Conflict (email already registered, user already invited, etc.)
+ * - 429: Too many requests (rate limiting)
+ * - 500: Internal server error (server's fault)
  */
 declare class AuthError extends Error {
     readonly problem: ProblemDetails;
@@ -275,45 +283,20 @@ declare class AuthError extends Error {
     get invalidParams(): ProblemDetails["invalidParams"] | undefined;
 }
 /**
- * You receive an AuthSession after successful sign-in/register/etc.
- *
- * It contains the current access token, user profile, and methods to perform authorized
- * requests.
+ * AuthSession represents an authenticated user with automatic token refresh and persisted state.
  *
- * Features:
- * - session.fetch() will always use a valid access token (refreshing automatically)
- * - All non-2xx responses throw AuthError
- * - Tokens and profile are automatically persisted to storage (if configured)
+ * AuthSession owns tokens, profile data, refresh logic, and authenticated requests.
  */
 declare class AuthSession {
     constructor(initial: Authentication, config: Partial<Config>);
-    /**
-     * Restores an AuthSession from persisted storage. Returns null if no valid session
-     * is found.
-     *
-     * @example
-     * ```ts
-     * const session = AuthSession.restoreSession();
-     * if (session) {
-     *   console.log("Restored session for user:", session.profile);
-     * } else {
-     *   console.log("No valid session found.");
-     * }
-     * ```
-     */
-    static restoreSession(config?: Partial<Config>): AuthSession | null;
     /**
      * Removes all persisted data (tokens, profile) from storage, and prevents future
-     * refreshs of token and profile data. Does NOT clear current token or profile data from the
+     * refreshes of token and profile data. Does NOT clear current token or profile data from the
      * session memory, but effectively deactivates the session for future use.
      */
     clear(): void;
-    accessToken(): string;
-    refreshToken(): string;
-    idToken(): string | undefined;
-    expiresIn(): number;
-    expiresAt(): Date;
-    profile(): SessionProfile | null;
+    get tokens(): SessionTokens;
+    get profile(): SessionProfile;
     toJSON(): Authentication;
     /**
      * Creates an AuthSession from existing authentication data. Useful for restoring
@@ -326,38 +309,31 @@ declare class AuthSession {
      */
     isExpired(): boolean;
     /**
-     * Perform an authenticated fetch. Used to call your own APIs with the current
-     * session's access token. Any service can validate the token against Am's public
-     * keys at https://api.accountmaker.com/.well-known/jwks.json?client_id={clientId}
-     *
-     * Automatically:
-     *   - Adds Authorization header
-     *   - Refreshes token if expired
-     *   - Retries once on 401 if refresh succeeds
+     * Performs standard fetch() with a Bearer token and automatic refresh.
      *
-     * Assumes the response is JSON and parses it. Throws AuthError on non-2xx responses.
-     *
-     * If the error is a RFC 7807 Problem Details response, the AuthError.problem
-     * will contain the full details.
+     * Returns Response, does not parse the body, does not throw for HTTP status codes.
+     * Throws AuthError when refresh fails, trows runtime errors on network failure.
      *
      * @example
      * ```ts
-     * const res = await session.fetch('/api/projects');
+     * const res = await session.fetch("/api/projects");
      * const projects = await res.json();
      * ```
      *
-     * Throws AuthError on network errors, etc.
-     * @throws AuthError
+     * Any service can validate tokens using:
+     * https://api.accountmaker.com/.well-known/jwks.json?client_id={clientId}
      */
-    fetch(url: string | URL, init?: RequestInit): Promise<any>;
+    fetch(url: string | URL, init?: RequestInit): Promise<Response>;
     /**
-     * Refreshes the access token using the refresh token. Updates the stored tokens on
-     * success. This is called automatically by fetch() if the token is expired or close to
-     * expiring.
+     * Replaces the access token using the refresh token.
+     *
+     * It is called automatically by all other methods when the access token is expired or near expiry.
      */
     refresh(): Promise<void>;
     /**
-     * Refetches the user's profile from the server and updates the stored profile.
+     * refetchProfile() replaces the cached profile with server state.
+     *
+     * Concurrent calls are deduplicated.
      *
      * @example
      * ```ts
@@ -370,29 +346,19 @@ declare class AuthSession {
      */
     refetchProfile(): Promise<void>;
     /**
-     * Sends a verification email to the user's primary email address. This only succeeds if
-     * called by the currently authenticated user or an account admin.
+     * Requests a verification email for the current user.
      *
      * Throws AuthError on network errors, etc.
      * @throws AuthError
      */
     sendVerificationEmail(): Promise<void>;
-    /**
-     * Fetches a user by ID.
-     *
-     * Throws AuthError on invalid user ID, network errors, etc.
-     * @throws AuthError
-     */
-    user(id: UserId): Promise<UserResource>;
 }
 /**
- * Use `Am` to perform initial sign-in, registration, password reset flows, magic links,
- * invite acceptance, and other unauthenticated actions.
+ * Am runs authentication flows and produces AuthSession.
  *
- * Once authentication succeeds, these methods return an `AuthSession` that you use
- * for all subsequent authenticated requests.
+ * Use Am before a session exists (sign-in, sign-up, magic link, invites, password reset, CSRF).
  *
- * Example:
+ * @example
  * ```ts
  * const am = new Am();
  * const session = await am.signIn({ email: 'user@example.com', password: 'secret' });
@@ -400,68 +366,55 @@ declare class AuthSession {
  * ```
  */
 declare class Am {
-    private options;
     constructor(config?: Partial<Config>);
     /**
-     * Creates an AuthSession from existing authentication data. Useful for restoring
-     * a session from custom storage or creating a session from custom server-provided data.
+     * session returns the current AuthSession or null.
+     *
+     * Use restoreSession() to load from storage.
+     *
+     * @example
+     * ```ts
+     * const session = am.session;
+     * if (!session) throw new Error("Not authenticated");
+     * ```
      */
-    static createAuthSession(initial: Authentication, config?: Partial<Config>): AuthSession;
+    get session(): AuthSession | null;
     /**
-     * Creates an AuthSession from existing authentication data. Useful for restoring
-     * a session from custom storage or creating a session from custom server-provided data.
+     * Constructs AuthSession from existing tokens and profile.
+     *
+     * Use this after a server-side auth handshake or custom persistence.
      */
-    createAuthSession(initial: Authentication): AuthSession;
+    createSession(initial: Authentication): AuthSession;
     /**
-     * Accepts an invitation to join an account. On success, returns an AuthSession
-     * containing fresh tokens and profile. Tokens are automatically persisted (if
-     * storage is enabled).
+     * restoreSession loads AuthSession from storage or returns null.
      *
-     * Throws AuthError on invalid or expired token, etc.
-     * @throws AuthError
+     * Invalid or partial stored data is cleared.
+     *
+     * @example
+     * ```ts
+     * const am = new Am({ storage: 'localStorage' });
+     * const session = am.restoreSession();
+     * if (session) session.fetch("/api/me");
+     * ```
      */
-    static acceptInvite(query: {
-        clientId: ClientId;
-        token: string;
-    }, config?: Partial<Config>): Promise<AuthSession>;
+    restoreSession(): AuthSession | null;
     /**
-     * Accepts an invitation to join an account. On success, returns an AuthSession
-     * containing fresh tokens and profile. Tokens are automatically persisted (if
-     * storage is enabled).
+     * Subscribes to auth events and returns an unsubscribe function.
+     */
+    on<K extends keyof AuthEventMap>(event: K, fn: (v: AuthEventMap[K]) => void): () => boolean;
+    /**
+     * acceptInvite exchanges an invite token for a fresh AuthSession.
      *
-     * Throws AuthError on invalid or expired token, etc.
-     * @throws AuthError
+     * Throws AuthError on invalid, expired, or already-used tokens.
      */
     acceptInvite(query: {
         clientId: ClientId;
         token: string;
     }): Promise<AuthSession>;
     /**
-     * Checks the status of an email address for authentication purposes. Indicates whether the
-     * email is associated with an active account, and what login methods are preferred and
-     * available for that user. This can be used to enforce login expierences for enterprise SSO or
-     * to prefer passwordless login methods.
-     *
-     * Throws AuthError on invalid client ID, network errors, etc.
-     * @throws AuthError
-     */
-    static checkEmail(body: {
-        clientId: ClientId;
-        email: string;
-        csrfToken?: string;
-    }, config?: Partial<Config>): Promise<{
-        status: EmailCheckStatus;
-        preferred: LoginMethod[];
-        available: LoginMethod[];
-    }>;
-    /**
-     * Checks the status of an email address for authentication purposes. Indicates whether the
-     * email is associated with an active account, and what login methods are preferred and
-     * available for that user. This can be used to enforce login expierences for enterprise SSO or
-     * to prefer passwordless login methods.
+     * checkEmail returns how an email should authenticate for this client.
      *
-     * Throws AuthError on invalid client ID, network errors, etc.
-     * @throws AuthError
+     * Use this to choose password vs magic link vs SSO before rendering a login form.
      */
     checkEmail(body: {
         clientId: ClientId;
@@ -473,66 +426,25 @@ declare class Am {
         available: LoginMethod[];
     }>;
     /**
-     * When called, sets a httpOnly CSRF session cookie. Then when rendering a form, call csrfToken()
-     * to get the signed token to include in the form. When the form is submitted, the server
-     * will verify the signed token against the session cookie. This prevents a certain class
-     * of CSRF attacks that rely on being able to read values from the target site.
-     */
-    static csrfSession(config?: Partial<Config>): Promise<{
-        csrfToken: string;
-    }>;
-    /**
-     * When called, sets a httpOnly CSRF session cookie. Then when rendering a form, call csrfToken()
-     * to get the signed token to include in the form. When the form is submitted, the server
-     * will verify the signed token against the session cookie. This prevents a certain class
-     * of CSRF attacks that rely on being able to read values from the target site.
-     */
-    csrfSession(): Promise<{
-        csrfToken: string;
-    }>;
-    /**
-     * Fetches a signed CSRF token for use in forms. Call csrfSession() first to set a httpOnly CSRF
-     * session cookie, then call this method to get the signed token, then include the token in your
-     * form submissions. When the form is submitted, the server will verify the signed token against
-     * the httpOnly session cookie. This prevents a certain class of CSRF attacks that rely on being
-     * able to read values from the target site.
+     * Sets the httpOnly CSRF cookie.
      *
-     * @throws AuthError
+     * Call csrfToken() next to fetch a signed token for form posts.
      */
-    static csrfToken(config?: Partial<Config>): Promise<{
+    csrfSession(): Promise<{
         csrfToken: string;
     }>;
     /**
-     * Fetches a signed CSRF token for use in forms. Call csrfSession() first to set a httpOnly CSRF
-     * session cookie, then call this method to get the signed token, then include the token in your
-     * form submissions. When the form is submitted, the server will verify the signed token against
-     * the httpOnly session cookie. This prevents a certain class of CSRF attacks that rely on being
-     * able to read values from the target site.
+     * Returns a signed CSRF token for form posts.
      *
-     * @throws AuthError
+     * Call csrfSession() first to set the CSRF cookie.
      */
     csrfToken(): Promise<{
         csrfToken: string;
     }>;
     /**
-     * On success, returns an AuthSession containing fresh tokens and profile.
-     * Tokens are automatically persisted (if storage is enabled).
+     * Authenticates with email and password and returns a new AuthSession.
      *
-     * Throws AuthError on invalid credentials, unverified email, etc.
-     * @throws AuthError
-     */
-    static signIn(body: {
-        clientId: ClientId;
-        email: string;
-        password: string;
-        csrfToken?: string;
-    }, config?: Partial<Config>): Promise<AuthSession>;
-    /**
-     * On success, returns an AuthSession containing fresh tokens and profile.
-     * Tokens are automatically persisted (if storage is enabled).
-     *
-     * Throws AuthError on invalid credentials, unverified email, etc.
-     * @throws AuthError
+     * Tokens and profile are persisted when storage is configured.
      */
     signIn(body: {
         clientId: ClientId;
@@ -541,62 +453,15 @@ declare class Am {
         csrfToken?: string;
     }): Promise<AuthSession>;
     /**
-     * Authenticates using a one-time token (e.g., magic link or invite token).
-     *
-     * On success, returns an AuthSession containing fresh tokens and profile.
-     * Tokens are automatically persisted (if storage is enabled).
-     *
-     * Throws AuthError on invalid or expired token, etc.
-     * @throws AuthError
-     */
-    static signInWithToken(token: string, config?: Partial<Config>): Promise<AuthSession>;
-    /**
-     * Authenticates using a one-time token (e.g., magic link or invite token).
+     * Authenticates with a one-time token and returns a new AuthSession.
      *
-     * On success, returns an AuthSession containing fresh tokens and profile.
-     * Tokens are automatically persisted (if storage is enabled).
-     *
-     * Throws AuthError on invalid or expired token, etc.
-     * @throws AuthError
+     * Use this for magic links and similar one-time login flows.
      */
     signInWithToken(token: string): Promise<AuthSession>;
     /**
-     * Manually refreshes session tokens using the provided refresh token. Does NOT
-     * persist tokens. Use AuthSession.refresh() to refresh and persist tokens in an
-     * existing session.
+     * Creates a new user and returns a new AuthSession.
      *
-     * Throws AuthError on invalid or expired refresh token, etc.
-     * @throws AuthError
-     */
-    static refresh(refreshToken: string, config?: Partial<Config>): Promise<SessionTokens>;
-    /**
-     * Manually refreshes session tokens using the provided refresh token. Does NOT
-     * persist tokens. Use AuthSession.refresh() to refresh and persist tokens in an
-     * existing session.
-     *
-     * Throws AuthError on invalid or expired refresh token, etc.
-     * @throws AuthError
-     */
-    refresh(refreshToken: string): Promise<SessionTokens>;
-    /**
-     * Successful registration immediately authenticates the user and returns an
-     * AuthSession. Tokens are automatically persisted (if storage is enabled).
-     *
-     * Throws AuthError on invalid data, existing email, etc.
-     * @throws AuthError
-     */
-    static signUp(body: {
-        clientId: ClientId;
-        email: string;
-        password: string;
-        csrfToken?: string;
-    }, config?: Partial<Config>): Promise<AuthSession>;
-    /**
-     * Successful registration immediately authenticates the user and returns an
-     * AuthSession. Tokens are automatically persisted (if storage is enabled).
-     *
-     * Throws AuthError on invalid data, existing email, etc.
-     * @throws AuthError
+     * Tokens and profile are persisted when storage is configured.
      */
     signUp(body: {
         clientId: ClientId;
@@ -605,45 +470,14 @@ declare class Am {
         csrfToken?: string;
     }): Promise<AuthSession>;
     /**
-     * Completes a password reset using the token received via email. On success,
-     * the user's password is updated.
-     *
-     * Throws AuthError on invalid or expired token, weak password, etc.
-     * @throws AuthError
-     */
-    static resetPassword(body: {
-        token: string;
-        newPassword: string;
-    }, config?: Partial<Config>): Promise<void>;
-    /**
-     * Completes a password reset using the token received via email. On success,
-     * the user's password is updated.
-     *
-     * Throws AuthError on invalid or expired token, weak password, etc.
-     * @throws AuthError
+     * Sets a new password using a one-time reset token.
      */
     resetPassword(body: {
         token: string;
         newPassword: string;
     }): Promise<void>;
     /**
-     * Sends a magic link email to the specified address. A magic link allows
-     * passwordless authentication.
-     *
-     * Throws AuthError on invalid email format, etc.
-     * @throws AuthError
-     */
-    static sendMagicLink(body: {
-        clientId: ClientId;
-        email: string;
-        csrfToken?: string;
-    }, config?: Partial<Config>): Promise<void>;
-    /**
-     * Sends a magic link email to the specified address. A magic link allows
-     * passwordless authentication.
-     *
-     * Throws AuthError on invalid email format, etc.
-     * @throws AuthError
+     * Sends a one-time sign-in link to an email address.
      */
     sendMagicLink(body: {
         clientId: ClientId;
@@ -651,21 +485,7 @@ declare class Am {
         csrfToken?: string;
     }): Promise<void>;
     /**
-     * Sends a password reset email to the specified address.
-     *
-     * Throws AuthError on invalid email format, etc.
-     * @throws AuthError
-     */
-    static sendPasswordReset(body: {
-        clientId: ClientId;
-        email: string;
-        csrfToken?: string;
-    }, config?: Partial<Config>): Promise<void>;
-    /**
-     * Sends a password reset email to the specified address.
-     *
-     * Throws AuthError on invalid email format, etc.
-     * @throws AuthError
+     * Sends a password reset link to an email address.
      */
     sendPasswordReset(body: {
         clientId: ClientId;
@@ -675,4 +495,4 @@ declare class Am {
 }
 export { Am, AuthError, AuthSession };
-export type { AccountId, AccountResource, AccountStatus, Authentication, ClientId, EmailCheckStatus, EmailCredential, LoginMethod, Membership, MembershipId, MembershipRole, ProblemDetails, SessionProfile, SessionTokens, StorageLike, UserId, UserIdentity, UserResource, UserStatus };
+export type { AccountId, AccountResource, AccountStatus, ApplicationId, Authentication, ClientId, EmailCheckStatus, EmailCredential, LoginMethod, Membership, MembershipId, MembershipRole, ProblemDetails, SessionProfile, SessionTokens, StorageLike, UserId, UserIdentity, UserResource, UserStatus };

package/dist/index.mjs CHANGED Viewed

@@ -1,2 +1,2 @@
-const t=Symbol("state");function e(t){return t?"localStorage"===t?function(){try{return"undefined"==typeof window?null:window.localStorage?window.localStorage:null}catch{return null}}():t:null}function n(t,e){return t?function(t){if(!t)return null;try{return JSON.parse(t)}catch{return null}}(t.getItem(e)):null}function r(t,e,n){if(t)try{t.setItem(e,JSON.stringify(n))}catch{}}function s(t,e){if(t)try{t.removeItem(e)}catch{}}function o(t,e,o){if(!t)return;const i=n(t,e),c=a(i)?i:null;null===i||c||s(t,e),c&&c.expiresAt>=o.expiresAt||r(t,e,o)}function i(t,e,o){if(!t)return;const i=n(t,e),a=c(i)?i:null;null===i||a||s(t,e),a&&a.lastUpdatedAt>=o.lastUpdatedAt||r(t,e,o)}function a(t){return!!t&&"string"==typeof t.accessToken&&"string"==typeof t.refreshToken&&"number"==typeof t.expiresAt&&"number"==typeof t.expiresIn&&"Bearer"===t.tokenType}function c(t){return!!t&&"string"==typeof t.id&&"string"==typeof t.accountId&&"string"==typeof t.status&&"number"==typeof t.lastUpdatedAt&&("object"==typeof t.identity||null===t.identity)}function u(e){return e[t]}function l(t){return t.replace(/_([a-z])/g,(t,e)=>e.toUpperCase())}function f(t){if(null===t||"object"!=typeof t)return t;if(Array.isArray(t))return t.map(t=>f(t));const e=t,n={};for(const t of Object.keys(e))Object.prototype.hasOwnProperty.call(e,t)&&(n[l(t)]=f(e[t]));return n}function p(t){return t.replace(/[A-Z]/g,t=>`_${t.toLowerCase()}`)}function h(t){if(null===t||"object"!=typeof t)return t;if(Array.isArray(t))return t.map(t=>h(t));const e=t,n={};for(const t of Object.keys(e))Object.prototype.hasOwnProperty.call(e,t)&&(n[p(t)]=h(e[t]));return n}class y extends Error{constructor(t){super(t.title),this.name="AuthError",this.problem=Object.freeze(t)}get type(){return this.problem.type}get title(){return this.problem.title}get status(){return this.problem.status}get code(){return this.problem.code}get detail(){return this.problem.detail}get invalidParams(){return this.problem.invalidParams}}const g={fetchFn:function(){const t=globalThis.fetch;return"function"==typeof t?t.bind(globalThis):async()=>{throw new Error("Missing fetch implementation. Provide config.fetchFn or use a runtime with global fetch.")}}(),baseUrl:"https://api.accountmaker.com",earlyRefreshMs:6e4,storage:null,tokensStorageKey:"am_tokens",profileStorageKey:"am_profile"};const d=async t=>{if(204===t.status)return;const e=f(await async function(t){const e=t.headers.get("Content-Type")||"";if(!e.includes("application/json")&&!e.includes("+json"))return null;try{return await t.json()}catch{return null}}(t));if(!t.ok)throw new y(function(t,e){return function(t){return(t.headers.get("Content-Type")||"").includes("application/problem+json")}(t)&&e&&"object"==typeof e&&"string"==typeof e.type&&"string"==typeof e.title&&"number"==typeof e.status?e:function(t,e){return{type:"about:blank",title:t.statusText||"Request failed",status:t.status,detail:"string"==typeof e?e:void 0}}(t,e)}(t,e));return e},w=async({fetchFn:t,baseUrl:e},n,r={})=>{const s=new URLSearchParams(h(r)).toString(),o=s?`${e}${n}?${s}`:`${e}${n}`,i=await t(o,{method:"GET",headers:{Accept:"application/json"}});return d(i)},m=async({fetchFn:t,baseUrl:e},n,r)=>{const s=await t(`${e}${n}`,{method:"POST",headers:{Accept:"application/json","Content-Type":"application/json"},body:JSON.stringify(h(r))});return d(s)},k=async(t,e,n={})=>{const r=await t.config.fetchFn(e,{...n,headers:{...n.headers||{},Authorization:`Bearer ${t.tokens.accessToken}`}});return d(r)},b=t=>{const e=Math.min(Math.max(t.config.earlyRefreshMs,0),3e5);return Date.now()>=t.tokens.expiresAt-e},S=async t=>{if(!t.cleared){t.refreshPromise||(t.refreshPromise=async function(t){const{fetchFn:n,baseUrl:r}=t.config,s=await n(`${r}/auth/refresh`,{method:"POST",headers:{Accept:"application/json","Content-Type":"application/json"},body:JSON.stringify(h({refreshToken:t.tokens.refreshToken}))}),i=j(await d(s));t.tokens=i;const a=e(t.config.storage);o(a,t.config.tokensStorageKey,i),await(t.config.onRefresh?.(i))}(t));try{await t.refreshPromise}finally{t.refreshPromise=null}}},T=t=>t instanceof y&&401===t.status,P=async(t,e,n={})=>{b(t)&&await S(t);try{return await k(t,e,n)}catch(r){if(!T(r))throw r;if(t.cleared)throw r;try{return await S(t),await k(t,e,n)}catch(e){if(t.config.onUnauthenticated&&!t.cleared&&T(e))try{await t.config.onUnauthenticated(e)}catch{}throw e}}},A=async(t,e,n={})=>{const r=new URLSearchParams(h(n)).toString(),s=t.config.baseUrl,o=r?`${s}${e}?${r}`:`${s}${e}`;return await P(t,o,{method:"GET",headers:{Accept:"application/json"}})},j=t=>{const e="number"==typeof t.expiresIn?t.expiresIn:0;return{...t,expiresAt:Date.now()+1e3*e}},I=t=>({...t,lastUpdatedAt:Date.now()});const U=t=>({tokens:j(t.tokens),profile:I(t.profile)});class ${constructor(n,r){const s={...g,...r},a={...n,config:s,refreshPromise:null,profilePromise:null,cleared:!1};!function(e,n){e[t]=n}(this,a);const c=e(s.storage);o(c,s.tokensStorageKey,a.tokens),a.profile&&i(c,s.profileStorageKey,a.profile)}static restoreSession(t={}){const r={...g,...t},o=e(r.storage);if(!o)return null;const i=n(o,r.tokensStorageKey),u=a(i)?i:null;if(!u)return null!==i&&s(o,r.tokensStorageKey),s(o,r.profileStorageKey),null;const l=n(o,r.profileStorageKey),f=c(l)?l:null;return null===l||f||s(o,r.profileStorageKey),new $({tokens:u,profile:f},r)}clear(){const t=u(this);!function(t){const n=e(t.storage);s(n,t.profileStorageKey),s(n,t.tokensStorageKey)}(t.config),t.cleared=!0}accessToken(){return u(this).tokens.accessToken}refreshToken(){return u(this).tokens.refreshToken}idToken(){return u(this).tokens.idToken}expiresIn(){return u(this).tokens.expiresIn}expiresAt(){return new Date(u(this).tokens.expiresAt)}profile(){return u(this).profile}toJSON(){const t=u(this);return{tokens:t.tokens,profile:t.profile}}static fromJSON(t,e){return new $(t,e)}isExpired(){return b(u(this))}async fetch(t,e={}){return P(u(this),t,e)}async refresh(){return S(u(this))}async refetchProfile(){const t=u(this);if(!t.cleared){t.profilePromise||(t.profilePromise=async function(t){const n=I(await A(t,"/auth/me",{}));t.profile=n,i(e(t.config.storage),t.config.profileStorageKey,n),await(t.config.onProfileRefetch?.(n))}(t));try{await t.profilePromise}finally{t.profilePromise=null}}}async sendVerificationEmail(){await(async(t,e,n)=>{const r=t.config.baseUrl;return await P(t,`${r}${e}`,{method:"POST",headers:{Accept:"application/json","Content-Type":"application/json"},body:JSON.stringify(h(n))})})(u(this),"/auth/send-verification-email",{})}async user(t){return A(u(this),`/auth/user/${t}`,{})}}class x{constructor(t){this.options={...g,...t}}static createAuthSession(t,e){return new x(e).createAuthSession(t)}createAuthSession(t){return new $(t,this.options)}static async acceptInvite(t,e){return new x(e).acceptInvite(t)}async acceptInvite(t){const e=U(await w(this.options,"/auth/accept-invite",t));return new $(e,this.options)}static async checkEmail(t,e){return new x(e).checkEmail(t)}async checkEmail(t){return m(this.options,"/auth/check-email",t)}static async csrfSession(t){return new x(t).csrfSession()}async csrfSession(){return w(this.options,"/auth/csrf-session")}static async csrfToken(t){return new x(t).csrfToken()}async csrfToken(){return w(this.options,"/auth/csrf-token")}static async signIn(t,e){return new x(e).signIn(t)}async signIn(t){const e=U(await m(this.options,"/auth/sign-in",t));return new $(e,this.options)}static async signInWithToken(t,e){return new x(e).signInWithToken(t)}async signInWithToken(t){const e=this.options,n=U(await w(e,"/auth/sign-in-with-token",{token:t}));return new $(n,e)}static async refresh(t,e){return new x(e).refresh(t)}async refresh(t){return j(await m(this.options,"/auth/refresh",{refreshToken:t}))}static async signUp(t,e){return new x(e).signUp(t)}async signUp(t){const e=U(await m(this.options,"/auth/sign-up",t));return new $(e,this.options)}static async resetPassword(t,e){return new x(e).resetPassword(t)}async resetPassword(t){return m(this.options,"/auth/reset-password",t)}static async sendMagicLink(t,e){return new x(e).sendMagicLink(t)}async sendMagicLink(t){return m(this.options,"/auth/send-magic-link",t)}static async sendPasswordReset(t,e){return new x(e).sendPasswordReset(t)}async sendPasswordReset(t){return m(this.options,"/auth/send-password-reset",t)}}export{x as Am,y as AuthError,$ as AuthSession};
+const t=Symbol("session_state"),e=Symbol("auth_session"),n=Symbol("auth_state"),r=Symbol("emitter");function s(t){return t?"localStorage"===t?function(){try{return"undefined"==typeof window?null:window.localStorage?window.localStorage:null}catch{return null}}():t:null}function o(t,e){return t?function(t){if(!t)return null;try{return JSON.parse(t)}catch{return null}}(t.getItem(e)):null}function i(t,e,n){if(t)try{t.setItem(e,JSON.stringify(n))}catch{}}function a(t,e){if(t)try{t.removeItem(e)}catch{}}function c(t,e,n){if(!t)return;const r=o(t,e),s=u(r)?r:null;null===r||s||a(t,e),s&&s.expiresAt>=n.expiresAt||i(t,e,n)}function l(t,e,n){if(!t)return;const r=o(t,e),s=f(r)?r:null;null===r||s||a(t,e),s&&s.lastUpdatedAt>=n.lastUpdatedAt||i(t,e,n)}function u(t){return!!t&&"string"==typeof t.accessToken&&"string"==typeof t.refreshToken&&"number"==typeof t.expiresAt&&"number"==typeof t.expiresIn&&"Bearer"===t.tokenType}function f(t){return!!t&&"string"==typeof t.id&&"string"==typeof t.applicationId&&"string"==typeof t.status&&"number"==typeof t.lastUpdatedAt&&("object"==typeof t.identity||null===t.identity)}function p(e){return e[t]}function h(t){return t[n]}function y(t,n){t[e]=n;const s=p(n);!function(t,e){t[r]=(t,n)=>{const r=h(e).listeners[t];if(r)for(const e of r)try{e(n)}catch{console.warn("Unhandled error in AuthEvent listener for event",t)}}}(s,t),g(s,"sessionChange",n)}function g(t,e,n){(0,t[r])(e,n)}function d(t){return t.replace(/_([a-z])/g,(t,e)=>e.toUpperCase())}function m(t){if(null===t||"object"!=typeof t)return t;if(Array.isArray(t))return t.map(t=>m(t));const e=t,n={};for(const t of Object.keys(e))Object.prototype.hasOwnProperty.call(e,t)&&(n[d(t)]=m(e[t]));return n}function w(t){return t.replace(/[A-Z]/g,t=>`_${t.toLowerCase()}`)}function b(t){if(null===t||"object"!=typeof t)return t;if(Array.isArray(t))return t.map(t=>b(t));const e=t,n={};for(const t of Object.keys(e))Object.prototype.hasOwnProperty.call(e,t)&&(n[w(t)]=b(e[t]));return n}class k extends Error{constructor(t){super(t.title),this.name="AuthError",this.problem=Object.freeze(t)}get type(){return this.problem.type}get title(){return this.problem.title}get status(){return this.problem.status}get code(){return this.problem.code}get detail(){return this.problem.detail}get invalidParams(){return this.problem.invalidParams}}const S={fetchFn:function(){const t=globalThis.fetch;return"function"==typeof t?t.bind(globalThis):async()=>{throw new Error("Missing fetch implementation. Provide config.fetchFn or use a runtime with global fetch.")}}(),baseUrl:"https://api.accountmaker.com",earlyRefreshMs:6e4,storage:null,tokensStorageKey:"am_tokens",profileStorageKey:"am_profile"};const P=async(t,e,n={})=>t.config.fetchFn(e,function(t,e){const n=new Headers(t.headers);return n.set("Authorization",`Bearer ${e}`),{...t,headers:n}}(n,t.tokens.accessToken)),A=async(t,e,n={})=>{U(t)&&await x(t);let r=await P(t,e,n);return 401!==r.status||t.cleared||(await x(t),r=await P(t,e,n)),r},j=async t=>{if(204===t.status)return;const e=m(await async function(t){const e=t.headers.get("Content-Type")||"";if(!e.includes("application/json")&&!e.includes("+json"))return null;try{return await t.json()}catch{return null}}(t));if(!t.ok)throw new k(function(t,e){return function(t){return(t.headers.get("Content-Type")||"").includes("application/problem+json")}(t)&&e&&"object"==typeof e&&"string"==typeof e.type&&"string"==typeof e.title&&"number"==typeof e.status?e:function(t,e){return{type:"about:blank",title:t.statusText||"Request failed",status:t.status,detail:"string"==typeof e?e:void 0}}(t,e)}(t,e));return e},T=async(t,e,n={})=>{const r=await A(t,e,n);return j(r)},O=async({fetchFn:t,baseUrl:e},n,r={})=>{const s=new URLSearchParams(b(r)).toString(),o=s?`${e}${n}?${s}`:`${e}${n}`,i=await t(o,{method:"GET",headers:{Accept:"application/json"}});return j(i)},$=async({fetchFn:t,baseUrl:e},n,r)=>{const s=await t(`${e}${n}`,{method:"POST",headers:{Accept:"application/json","Content-Type":"application/json"},body:JSON.stringify(b(r))});return j(s)},U=t=>{const e=Math.min(Math.max(t.config.earlyRefreshMs,0),3e5);return Date.now()>=t.tokens.expiresAt-e},x=async t=>{if(!t.cleared){t.refreshPromise||(t.refreshPromise=async function(t){const{fetchFn:e,baseUrl:n}=t.config,r=await e(`${n}/auth/refresh`,{method:"POST",headers:{Accept:"application/json","Content-Type":"application/json"},body:JSON.stringify(b({refreshToken:t.tokens.refreshToken}))});let o;try{o=await j(r)}catch(e){throw!t.cleared&&K(e)&&g(t,"unauthenticated",e),e}const i=v(o);t.tokens=i;const a=s(t.config.storage);c(a,t.config.tokensStorageKey,i),g(t,"refresh",i)}(t));try{await t.refreshPromise}finally{t.refreshPromise=null}}},K=t=>t instanceof k&&401===t.status,v=t=>{const e="number"==typeof t.expiresIn?t.expiresIn:0;return{...t,expiresAt:Date.now()+1e3*e}},I=t=>({...t,lastUpdatedAt:Date.now()});async function C(t){const e=I(await(async(t,e,n={})=>{const r=new URLSearchParams(b(n)).toString(),s=t.config.baseUrl,o=r?`${s}${e}?${r}`:`${s}${e}`;return await T(t,o,{method:"GET",headers:{Accept:"application/json"}})})(t,"/auth/me",{}));t.profile=e;l(s(t.config.storage),t.config.profileStorageKey,e),g(t,"profileChange",e)}const E=t=>({tokens:v(t.tokens),profile:I(t.profile)});class J{constructor(e,n){const r={...S,...n},o={...e,config:r,refreshPromise:null,profilePromise:null,cleared:!1};!function(e,n){e[t]=n}(this,o);const i=s(r.storage);c(i,r.tokensStorageKey,o.tokens),o.profile&&l(i,r.profileStorageKey,o.profile)}clear(){const t=p(this);!function(t){const e=s(t.storage);a(e,t.profileStorageKey),a(e,t.tokensStorageKey)}(t.config),t.cleared=!0}get tokens(){return p(this).tokens}get profile(){return p(this).profile}toJSON(){const t=p(this);return{tokens:t.tokens,profile:t.profile}}static fromJSON(t,e){return new J(t,e)}isExpired(){return U(p(this))}async fetch(t,e={}){return A(p(this),t,e)}async refresh(){return x(p(this))}async refetchProfile(){const t=p(this);if(!t.cleared){t.profilePromise||(t.profilePromise=C(t));try{await t.profilePromise}finally{t.profilePromise=null}}}async sendVerificationEmail(){await(async(t,e,n)=>{const r=t.config.baseUrl;return await T(t,`${r}${e}`,{method:"POST",headers:{Accept:"application/json","Content-Type":"application/json"},body:JSON.stringify(b(n))})})(p(this),"/auth/send-verification-email",{})}}class N{constructor(t){var e,r;e=this,r={config:{...S,...t},listeners:{}},e[n]=r}get session(){return this[e]||null}createSession(t){const e=new J(t,h(this).config);return y(this,e),e}restoreSession(){const t=h(this).config,e=s(t.storage);if(!e)return null;const n=o(e,t.tokensStorageKey),r=u(n)?n:null,i=o(e,t.profileStorageKey),c=f(i)?i:null;if(!r||!c)return a(e,t.tokensStorageKey),a(e,t.profileStorageKey),null;const l=new J({tokens:r,profile:c},t);return y(this,l),l}on(t,e){const n=h(this).listeners,r=n[t]??(n[t]=new Set);return r.add(e),()=>r.delete(e)}async acceptInvite(t){const e=h(this).config,n=E(await O(e,"/auth/accept-invite",t)),r=new J(n,e);return y(this,r),r}async checkEmail(t){return $(h(this).config,"/auth/check-email",t)}async csrfSession(){return O(h(this).config,"/auth/csrf-session")}async csrfToken(){return O(h(this).config,"/auth/csrf-token")}async signIn(t){const e=h(this).config,n=E(await $(e,"/auth/sign-in",t)),r=new J(n,e);return y(this,r),r}async signInWithToken(t){const e=h(this).config,n=E(await O(e,"/auth/sign-in-with-token",{token:t})),r=new J(n,e);return y(this,r),r}async signUp(t){const e=h(this).config,n=E(await $(e,"/auth/sign-up",t)),r=new J(n,e);return y(this,r),r}async resetPassword(t){return $(h(this).config,"/auth/reset-password",t)}async sendMagicLink(t){return $(h(this).config,"/auth/send-magic-link",t)}async sendPasswordReset(t){return $(h(this).config,"/auth/send-password-reset",t)}}export{N as Am,k as AuthError,J as AuthSession};
 //# sourceMappingURL=index.mjs.map