@spidy092/auth-client 2.1.8 → 3.0.0

package/dist/index.js

@@ -0,0 +1,1008 @@
+// config.js
+var config = {
+  clientKey: null,
+  authBaseUrl: null,
+  redirectUri: null,
+  accountUiUrl: null,
+  isRouter: false,
+  // ✅ Add router flag
+  // ========== SESSION SECURITY SETTINGS ==========
+  // Buffer time (in seconds) before token expiry to trigger proactive refresh
+  // With 5-minute access tokens, refreshing 60s before expiry ensures seamless UX
+  tokenRefreshBuffer: 60,
+  // Interval (in milliseconds) for periodic session validation
+  // Validates that the session still exists in Keycloak (not deleted by admin)
+  // Default: 2 minutes (120000ms) - balances responsiveness vs server load
+  sessionValidationInterval: 2 * 60 * 1e3,
+  // Enable/disable periodic session validation
+  // When enabled, the client will ping the server to verify session is still active
+  enableSessionValidation: true,
+  // Enable/disable proactive token refresh
+  // When enabled, tokens are refreshed before they expire (using tokenRefreshBuffer)
+  enableProactiveRefresh: true,
+  // Validate session when browser tab becomes visible again
+  // Catches session deletions that happened while the tab was inactive
+  validateOnVisibility: true
+};
+function setConfig(customConfig = {}) {
+  if (!customConfig.clientKey || !customConfig.authBaseUrl) {
+    throw new Error("Missing required config: clientKey and authBaseUrl are required");
+  }
+  config = {
+    ...config,
+    ...customConfig,
+    redirectUri: customConfig.redirectUri || window.location.origin + "/callback",
+    // ✅ Auto-detect router mode
+    isRouter: customConfig.isRouter || customConfig.clientKey === "account-ui"
+  };
+  console.log(`\u{1F527} Auth Client Mode: ${config.isRouter ? "ROUTER" : "CLIENT"}`, {
+    clientKey: config.clientKey,
+    isRouter: config.isRouter
+  });
+}
+function getConfig() {
+  return { ...config };
+}
+function isRouterMode() {
+  return config.isRouter;
+}
+
+// token.js
+import { jwtDecode } from "jwt-decode";
+var accessToken = null;
+var listeners = /* @__PURE__ */ new Set();
+var REFRESH_COOKIE = "account_refresh_token";
+var COOKIE_MAX_AGE = 7 * 24 * 60 * 60;
+function secureAttribute() {
+  var _a;
+  try {
+    return typeof window !== "undefined" && ((_a = window.location) == null ? void 0 : _a.protocol) === "https:" ? "; Secure" : "";
+  } catch (err) {
+    return "";
+  }
+}
+function writeAccessToken(token) {
+  if (!token) {
+    try {
+      localStorage.removeItem("authToken");
+    } catch (err) {
+      console.warn("Could not clear token from localStorage:", err);
+    }
+    return;
+  }
+  try {
+    localStorage.setItem("authToken", token);
+  } catch (err) {
+    console.warn("Could not persist token to localStorage:", err);
+  }
+}
+function readAccessToken() {
+  try {
+    return localStorage.getItem("authToken");
+  } catch (err) {
+    console.warn("Could not read token from localStorage:", err);
+    return null;
+  }
+}
+function decode(token) {
+  try {
+    return jwtDecode(token);
+  } catch (err) {
+    return null;
+  }
+}
+function getTokenExpiryTime(token) {
+  if (!token) return null;
+  const decoded = decode(token);
+  if (!(decoded == null ? void 0 : decoded.exp)) return null;
+  return new Date(decoded.exp * 1e3);
+}
+function getTimeUntilExpiry(token) {
+  if (!token) return -1;
+  const decoded = decode(token);
+  if (!(decoded == null ? void 0 : decoded.exp)) return -1;
+  const now = Date.now() / 1e3;
+  return Math.floor(decoded.exp - now);
+}
+function willExpireSoon(token, withinSeconds = 60) {
+  const timeLeft = getTimeUntilExpiry(token);
+  return timeLeft >= 0 && timeLeft <= withinSeconds;
+}
+function setToken(token) {
+  const previousToken = accessToken;
+  accessToken = token || null;
+  writeAccessToken(accessToken);
+  if (previousToken !== accessToken) {
+    listeners.forEach((listener) => {
+      try {
+        listener(accessToken, previousToken);
+      } catch (err) {
+        console.warn("Token listener error:", err);
+      }
+    });
+  }
+}
+function getToken() {
+  if (accessToken) return accessToken;
+  accessToken = readAccessToken();
+  return accessToken;
+}
+function clearToken() {
+  if (!accessToken) {
+    writeAccessToken(null);
+    clearRefreshToken();
+    return;
+  }
+  const previousToken = accessToken;
+  accessToken = null;
+  writeAccessToken(null);
+  clearRefreshToken();
+  listeners.forEach((listener) => {
+    try {
+      listener(null, previousToken);
+    } catch (err) {
+      console.warn("Token listener error:", err);
+    }
+  });
+}
+var REFRESH_TOKEN_KEY = "auth_refresh_token";
+function isHttpDevelopment() {
+  var _a;
+  try {
+    return typeof window !== "undefined" && ((_a = window.location) == null ? void 0 : _a.protocol) === "http:";
+  } catch (err) {
+    return false;
+  }
+}
+function setRefreshToken(token) {
+  if (!token) {
+    clearRefreshToken();
+    return;
+  }
+  if (isHttpDevelopment()) {
+    try {
+      localStorage.setItem(REFRESH_TOKEN_KEY, token);
+      console.log("\u{1F4E6} Refresh token stored in localStorage (HTTP dev mode)");
+    } catch (err) {
+      console.warn("Could not store refresh token:", err);
+    }
+  } else {
+    console.log("\u{1F512} Refresh token managed by server httpOnly cookie (production mode)");
+  }
+}
+function getRefreshToken() {
+  if (isHttpDevelopment()) {
+    try {
+      const token = localStorage.getItem(REFRESH_TOKEN_KEY);
+      return token;
+    } catch (err) {
+      console.warn("Could not read refresh token:", err);
+      return null;
+    }
+  }
+  return null;
+}
+function clearRefreshToken() {
+  try {
+    localStorage.removeItem(REFRESH_TOKEN_KEY);
+  } catch (err) {
+  }
+  try {
+    document.cookie = `${REFRESH_COOKIE}=; Path=/; SameSite=Strict${secureAttribute()}; Expires=Thu, 01 Jan 1970 00:00:00 GMT`;
+  } catch (err) {
+    console.warn("Could not clear refresh token cookie:", err);
+  }
+  try {
+    sessionStorage.removeItem(REFRESH_COOKIE);
+  } catch (err) {
+  }
+}
+function addTokenListener(listener) {
+  if (typeof listener !== "function") {
+    throw new Error("Token listener must be a function");
+  }
+  listeners.add(listener);
+  return () => {
+    listeners.delete(listener);
+  };
+}
+function removeTokenListener(listener) {
+  listeners.delete(listener);
+}
+function getListenerCount() {
+  return listeners.size;
+}
+
+// core.js
+var callbackProcessed = false;
+function login(clientKeyArg, redirectUriArg) {
+  resetCallbackState();
+  const {
+    clientKey: defaultClientKey,
+    authBaseUrl,
+    redirectUri: defaultRedirectUri,
+    accountUiUrl
+  } = getConfig();
+  const clientKey = clientKeyArg || defaultClientKey;
+  const redirectUri = redirectUriArg || defaultRedirectUri;
+  console.log("\u{1F504} Smart Login initiated:", {
+    mode: isRouterMode() ? "ROUTER" : "CLIENT",
+    clientKey,
+    redirectUri
+  });
+  if (!clientKey || !redirectUri) {
+    throw new Error("Missing clientKey or redirectUri");
+  }
+  sessionStorage.setItem("originalApp", clientKey);
+  sessionStorage.setItem("returnUrl", redirectUri);
+  if (isRouterMode()) {
+    return routerLogin(clientKey, redirectUri);
+  } else {
+    return clientLogin(clientKey, redirectUri);
+  }
+}
+function routerLogin(clientKey, redirectUri) {
+  const { authBaseUrl } = getConfig();
+  const params = new URLSearchParams();
+  if (redirectUri) {
+    params.append("redirect_uri", redirectUri);
+  }
+  const query = params.toString();
+  const backendLoginUrl = `${authBaseUrl}/login/${clientKey}${query ? `?${query}` : ""}`;
+  console.log("\u{1F3ED} Router Login: Direct backend authentication", {
+    clientKey,
+    redirectUri,
+    backendUrl: backendLoginUrl
+  });
+  window.location.href = backendLoginUrl;
+}
+function clientLogin(clientKey, redirectUri) {
+  const { accountUiUrl } = getConfig();
+  const params = new URLSearchParams({
+    client: clientKey
+  });
+  if (redirectUri) {
+    params.append("redirect_uri", redirectUri);
+  }
+  const centralizedLoginUrl = `${accountUiUrl}/login?${params.toString()}`;
+  console.log("\u{1F504} Client Login: Redirecting to centralized login", {
+    clientKey,
+    redirectUri,
+    centralizedUrl: centralizedLoginUrl
+  });
+  window.location.href = centralizedLoginUrl;
+}
+function logout() {
+  resetCallbackState();
+  const { clientKey, authBaseUrl, accountUiUrl } = getConfig();
+  const token = getToken();
+  console.log("\u{1F6AA} Smart Logout initiated");
+  clearToken();
+  clearRefreshToken();
+  sessionStorage.removeItem("originalApp");
+  sessionStorage.removeItem("returnUrl");
+  if (isRouterMode()) {
+    return routerLogout(clientKey, authBaseUrl, accountUiUrl, token);
+  } else {
+    return clientLogout(clientKey, accountUiUrl);
+  }
+}
+async function routerLogout(clientKey, authBaseUrl, accountUiUrl, token) {
+  console.log("\u{1F3ED} Router Logout");
+  const refreshToken2 = getRefreshToken();
+  try {
+    const response = await fetch(`${authBaseUrl}/logout/${clientKey}`, {
+      method: "POST",
+      credentials: "include",
+      headers: {
+        "Authorization": token ? `Bearer ${token}` : "",
+        "Content-Type": "application/json"
+      },
+      body: JSON.stringify({
+        refreshToken: refreshToken2
+      })
+    });
+    const data = await response.json();
+    console.log("\u2705 Logout response:", data);
+    clearRefreshToken();
+    clearToken();
+    console.log("\u{1F504} Redirecting to login (skipping Keycloak confirmation)");
+    window.location.href = "/login";
+  } catch (error) {
+    console.warn("\u26A0\uFE0F Logout failed:", error);
+    clearRefreshToken();
+    clearToken();
+    window.location.href = "/login";
+  }
+}
+function clientLogout(clientKey, accountUiUrl) {
+  console.log("\u{1F504} Client Logout");
+  const logoutUrl = `${accountUiUrl}/login?client=${clientKey}&logout=true`;
+  window.location.href = logoutUrl;
+}
+function handleCallback() {
+  var _a;
+  const params = new URLSearchParams(window.location.search);
+  const accessToken2 = params.get("access_token");
+  const error = params.get("error");
+  console.log("\u{1F504} Callback handling:", {
+    hasAccessToken: !!accessToken2,
+    error
+  });
+  if (callbackProcessed) {
+    const existingToken = getToken();
+    if (existingToken) {
+      console.log("\u2705 Callback already processed, returning existing token");
+      return existingToken;
+    }
+    callbackProcessed = false;
+  }
+  callbackProcessed = true;
+  sessionStorage.removeItem("originalApp");
+  sessionStorage.removeItem("returnUrl");
+  if (error) {
+    const errorDescription = params.get("error_description") || error;
+    throw new Error(`Authentication failed: ${errorDescription}`);
+  }
+  if (accessToken2) {
+    setToken(accessToken2);
+    const refreshTokenInUrl = params.get("refresh_token");
+    if (refreshTokenInUrl) {
+      const isHttpDev = typeof window !== "undefined" && ((_a = window.location) == null ? void 0 : _a.protocol) === "http:";
+      if (isHttpDev) {
+        console.log("\u{1F4E6} HTTP dev mode: Storing refresh token from callback URL");
+        setRefreshToken(refreshTokenInUrl);
+      } else {
+        console.log("\u{1F512} HTTPS mode: Refresh token is in httpOnly cookie (ignoring URL param)");
+      }
+    }
+    const url = new URL(window.location);
+    url.searchParams.delete("access_token");
+    url.searchParams.delete("refresh_token");
+    url.searchParams.delete("state");
+    url.searchParams.delete("error");
+    url.searchParams.delete("error_description");
+    window.history.replaceState({}, "", url);
+    console.log("\u2705 Callback processed successfully, token stored");
+    return accessToken2;
+  }
+  throw new Error("No access token found in callback URL");
+}
+function resetCallbackState() {
+  callbackProcessed = false;
+}
+var refreshInProgress = false;
+var refreshPromise = null;
+async function refreshToken() {
+  const { clientKey, authBaseUrl } = getConfig();
+  if (refreshInProgress && refreshPromise) {
+    console.log("\u{1F504} Token refresh already in progress, waiting...");
+    return refreshPromise;
+  }
+  refreshInProgress = true;
+  refreshPromise = (async () => {
+    try {
+      const storedRefreshToken = getRefreshToken();
+      console.log("\u{1F504} Refreshing token:", {
+        clientKey,
+        mode: isRouterMode() ? "ROUTER" : "CLIENT",
+        hasStoredRefreshToken: !!storedRefreshToken
+      });
+      const requestOptions = {
+        method: "POST",
+        credentials: "include",
+        // ✅ Include httpOnly cookies (for HTTPS)
+        headers: {
+          "Content-Type": "application/json"
+        }
+      };
+      if (storedRefreshToken) {
+        requestOptions.headers["X-Refresh-Token"] = storedRefreshToken;
+        requestOptions.body = JSON.stringify({ refreshToken: storedRefreshToken });
+      }
+      const response = await fetch(`${authBaseUrl}/refresh/${clientKey}`, requestOptions);
+      if (!response.ok) {
+        const errorText = await response.text();
+        console.error("\u274C Token refresh failed:", response.status, errorText);
+        throw new Error(`Refresh failed: ${response.status}`);
+      }
+      const data = await response.json();
+      const { access_token, refresh_token: new_refresh_token } = data;
+      if (!access_token) {
+        throw new Error("No access token in refresh response");
+      }
+      setToken(access_token);
+      if (new_refresh_token) {
+        setRefreshToken(new_refresh_token);
+        console.log("\u{1F504} New refresh token stored from rotation");
+      }
+      console.log("\u2705 Token refresh successful, listeners notified");
+      return access_token;
+    } catch (err) {
+      console.error("\u274C Token refresh error:", err);
+      clearToken();
+      clearRefreshToken();
+      throw err;
+    } finally {
+      refreshInProgress = false;
+      refreshPromise = null;
+    }
+  })();
+  return refreshPromise;
+}
+async function validateCurrentSession() {
+  try {
+    const { authBaseUrl } = getConfig();
+    const token = getToken();
+    if (!token || !authBaseUrl) {
+      return false;
+    }
+    const response = await fetch(`${authBaseUrl}/account/validate-session`, {
+      method: "GET",
+      headers: {
+        "Authorization": `Bearer ${token}`,
+        "Content-Type": "application/json"
+      },
+      credentials: "include"
+    });
+    if (!response.ok) {
+      if (response.status === 401) {
+        return false;
+      }
+      throw new Error(`HTTP ${response.status}: ${response.statusText}`);
+    }
+    const data = await response.json();
+    return data.valid === true;
+  } catch (error) {
+    console.warn("Session validation failed:", error.message);
+    if (error.message.includes("401")) {
+      return false;
+    }
+    throw error;
+  }
+}
+var proactiveRefreshTimer = null;
+var sessionValidationTimer = null;
+var visibilityHandler = null;
+var sessionInvalidCallbacks = /* @__PURE__ */ new Set();
+function onSessionInvalid(callback) {
+  if (typeof callback === "function") {
+    sessionInvalidCallbacks.add(callback);
+  }
+  return () => sessionInvalidCallbacks.delete(callback);
+}
+function notifySessionInvalid(reason = "session_deleted") {
+  console.log("\u{1F6A8} Session invalidated:", reason);
+  sessionInvalidCallbacks.forEach((callback) => {
+    try {
+      callback(reason);
+    } catch (err) {
+      console.error("Session invalid callback error:", err);
+    }
+  });
+}
+function startProactiveRefresh() {
+  const { enableProactiveRefresh, tokenRefreshBuffer } = getConfig();
+  if (!enableProactiveRefresh) {
+    console.log("\u23F8\uFE0F Proactive refresh disabled by config");
+    return null;
+  }
+  stopProactiveRefresh();
+  const token = getToken();
+  if (!token) {
+    console.log("\u23F8\uFE0F No token, skipping proactive refresh setup");
+    return null;
+  }
+  const timeUntilExpiry = getTimeUntilExpiry(token);
+  if (timeUntilExpiry <= 0) {
+    console.log("\u26A0\uFE0F Token already expired, attempting immediate refresh");
+    refreshToken().catch((err) => {
+      console.error("\u274C Immediate refresh failed:", err);
+      notifySessionInvalid("token_expired");
+    });
+    return null;
+  }
+  const refreshIn = Math.max(0, timeUntilExpiry - tokenRefreshBuffer) * 1e3;
+  console.log(`\u{1F504} Scheduling proactive refresh in ${Math.round(refreshIn / 1e3)}s (token expires in ${timeUntilExpiry}s)`);
+  proactiveRefreshTimer = setTimeout(async () => {
+    var _a;
+    try {
+      console.log("\u{1F504} Proactive token refresh triggered");
+      await refreshToken();
+      console.log("\u2705 Proactive refresh successful, scheduling next refresh");
+      startProactiveRefresh();
+    } catch (err) {
+      console.error("\u274C Proactive refresh failed:", err);
+      const errorMessage = ((_a = err.message) == null ? void 0 : _a.toLowerCase()) || "";
+      const isPermanentFailure = errorMessage.includes("401") || errorMessage.includes("revoked") || errorMessage.includes("invalid") || errorMessage.includes("expired") || errorMessage.includes("unauthorized");
+      if (isPermanentFailure) {
+        console.log("\u{1F6A8} Token permanently invalid, triggering session expiry");
+        notifySessionInvalid("refresh_token_revoked");
+      } else {
+        proactiveRefreshTimer = setTimeout(() => startProactiveRefresh(), 3e4);
+      }
+    }
+  }, refreshIn);
+  return proactiveRefreshTimer;
+}
+function stopProactiveRefresh() {
+  if (proactiveRefreshTimer) {
+    clearTimeout(proactiveRefreshTimer);
+    proactiveRefreshTimer = null;
+    console.log("\u23F9\uFE0F Proactive refresh stopped");
+  }
+}
+function startSessionMonitor(onInvalid) {
+  const { enableSessionValidation, sessionValidationInterval, validateOnVisibility } = getConfig();
+  if (!enableSessionValidation) {
+    console.log("\u23F8\uFE0F Session validation disabled by config");
+    return null;
+  }
+  if (onInvalid && typeof onInvalid === "function") {
+    sessionInvalidCallbacks.add(onInvalid);
+  }
+  stopSessionMonitor();
+  const token = getToken();
+  if (!token) {
+    console.log("\u23F8\uFE0F No token, skipping session monitor setup");
+    return null;
+  }
+  console.log(`\u{1F441}\uFE0F Starting session monitor (interval: ${sessionValidationInterval / 1e3}s)`);
+  sessionValidationTimer = setInterval(async () => {
+    try {
+      const currentToken = getToken();
+      if (!currentToken) {
+        console.log("\u23F8\uFE0F No token, stopping session validation");
+        stopSessionMonitor();
+        return;
+      }
+      console.log("\u{1F50D} Validating session...");
+      const isValid = await validateCurrentSession();
+      if (!isValid) {
+        console.log("\u274C Session no longer valid on server");
+        stopSessionMonitor();
+        stopProactiveRefresh();
+        clearToken();
+        clearRefreshToken();
+        notifySessionInvalid("session_deleted");
+      } else {
+        console.log("\u2705 Session still valid");
+      }
+    } catch (error) {
+      console.warn("\u26A0\uFE0F Session validation check failed:", error.message);
+    }
+  }, sessionValidationInterval);
+  if (validateOnVisibility && typeof document !== "undefined") {
+    visibilityHandler = async () => {
+      if (document.visibilityState === "visible") {
+        const currentToken = getToken();
+        if (!currentToken) return;
+        console.log("\u{1F441}\uFE0F Tab visible - validating session");
+        try {
+          const isValid = await validateCurrentSession();
+          if (!isValid) {
+            console.log("\u274C Session expired while tab was hidden");
+            stopSessionMonitor();
+            stopProactiveRefresh();
+            clearToken();
+            clearRefreshToken();
+            notifySessionInvalid("session_deleted_while_hidden");
+          }
+        } catch (error) {
+          console.warn("\u26A0\uFE0F Visibility check failed:", error.message);
+        }
+      }
+    };
+    document.addEventListener("visibilitychange", visibilityHandler);
+  }
+  return sessionValidationTimer;
+}
+function stopSessionMonitor() {
+  if (sessionValidationTimer) {
+    clearInterval(sessionValidationTimer);
+    sessionValidationTimer = null;
+    console.log("\u23F9\uFE0F Session monitor stopped");
+  }
+  if (visibilityHandler && typeof document !== "undefined") {
+    document.removeEventListener("visibilitychange", visibilityHandler);
+    visibilityHandler = null;
+  }
+}
+function startSessionSecurity(onSessionInvalidCallback) {
+  console.log("\u{1F510} Starting session security (proactive refresh + session monitoring)");
+  startProactiveRefresh();
+  startSessionMonitor(onSessionInvalidCallback);
+  return {
+    stopAll: () => {
+      stopProactiveRefresh();
+      stopSessionMonitor();
+    }
+  };
+}
+function stopSessionSecurity() {
+  stopProactiveRefresh();
+  stopSessionMonitor();
+  sessionInvalidCallbacks.clear();
+  console.log("\u{1F510} Session security stopped");
+}
+
+// api.js
+import axios from "axios";
+var api = axios.create({
+  withCredentials: true
+});
+api.interceptors.request.use((config2) => {
+  const runtimeConfig = getConfig();
+  if (!config2.baseURL) {
+    config2.baseURL = (runtimeConfig == null ? void 0 : runtimeConfig.authBaseUrl) || "http://auth.local.test:4000/auth";
+  }
+  if (!config2.headers) {
+    config2.headers = {};
+  }
+  if ((runtimeConfig == null ? void 0 : runtimeConfig.clientKey) && !config2.headers["X-Client-Key"]) {
+    config2.headers["X-Client-Key"] = runtimeConfig.clientKey;
+  }
+  const token = getToken();
+  if (token) {
+    config2.headers.Authorization = `Bearer ${token}`;
+  }
+  return config2;
+});
+var refreshPromise2 = null;
+api.interceptors.response.use(
+  (response) => response,
+  async (error) => {
+    const { response, config: config2 } = error || {};
+    if (!response || !config2) {
+      return Promise.reject(error);
+    }
+    if (response.status !== 401 || config2._retry) {
+      return Promise.reject(error);
+    }
+    config2._retry = true;
+    if (!refreshPromise2) {
+      refreshPromise2 = refreshToken().then((newToken) => {
+        refreshPromise2 = null;
+        if (newToken) {
+          setToken(newToken);
+        }
+        return newToken;
+      }).catch((refreshError) => {
+        refreshPromise2 = null;
+        clearToken();
+        throw refreshError;
+      });
+    }
+    try {
+      const refreshedToken = await refreshPromise2;
+      if (refreshedToken) {
+        config2.headers.Authorization = `Bearer ${refreshedToken}`;
+        return api(config2);
+      }
+    } catch (refreshErr) {
+      return Promise.reject(refreshErr);
+    }
+    return Promise.reject(error);
+  }
+);
+api.validateSession = async () => {
+  var _a;
+  try {
+    const response = await api.get("/account/validate-session");
+    return response.data.valid;
+  } catch (err) {
+    if (((_a = err.response) == null ? void 0 : _a.status) === 401) {
+      return false;
+    }
+    throw err;
+  }
+};
+var api_default = api;
+
+// utils/jwt.js
+import { jwtDecode as jwtDecode2 } from "jwt-decode";
+function decodeToken(token) {
+  try {
+    return jwtDecode2(token);
+  } catch (err) {
+    console.warn("Failed to decode JWT:", err);
+    return null;
+  }
+}
+function isTokenExpired(token, bufferSeconds = 60) {
+  const decoded = decodeToken(token);
+  if (!decoded || !decoded.exp) return true;
+  const currentTime = Date.now() / 1e3;
+  return decoded.exp < currentTime + bufferSeconds;
+}
+function isAuthenticated() {
+  const token = getToken();
+  return !!token && !isTokenExpired(token);
+}
+
+// react/AuthProvider.jsx
+import React, { createContext, useState, useEffect, useRef } from "react";
+var AuthContext = createContext();
+function AuthProvider({ children, onSessionExpired }) {
+  const [token, setTokenState] = useState(getToken());
+  const [user, setUser] = useState(null);
+  const [loading, setLoading] = useState(!!token);
+  const [sessionValid, setSessionValid] = useState(true);
+  const sessionSecurityRef = useRef(null);
+  const handleSessionInvalid = (reason) => {
+    console.log("\u{1F6A8} AuthProvider: Session invalidated -", reason);
+    setSessionValid(false);
+    setUser(null);
+    setTokenState(null);
+    if (onSessionExpired && typeof onSessionExpired === "function") {
+      onSessionExpired(reason);
+    }
+  };
+  useEffect(() => {
+    if (token && !sessionSecurityRef.current) {
+      console.log("\u{1F510} AuthProvider: Starting session security");
+      const unsubscribe = onSessionInvalid(handleSessionInvalid);
+      sessionSecurityRef.current = startSessionSecurity(handleSessionInvalid);
+      return () => {
+        unsubscribe();
+        if (sessionSecurityRef.current) {
+          sessionSecurityRef.current.stopAll();
+          sessionSecurityRef.current = null;
+        }
+      };
+    }
+    if (!token && sessionSecurityRef.current) {
+      sessionSecurityRef.current.stopAll();
+      sessionSecurityRef.current = null;
+    }
+  }, [token]);
+  useEffect(() => {
+    console.log("\u{1F50D} AuthProvider useEffect triggered:", {
+      hasToken: !!token,
+      tokenLength: token == null ? void 0 : token.length
+    });
+    if (!token) {
+      console.log("\u26A0\uFE0F AuthProvider: No token, setting loading=false");
+      setLoading(false);
+      return;
+    }
+    const { authBaseUrl } = getConfig();
+    if (!authBaseUrl) {
+      console.warn("AuthProvider: No authBaseUrl configured");
+      setLoading(false);
+      return;
+    }
+    console.log("\u{1F310} AuthProvider: Fetching profile with token...", {
+      authBaseUrl,
+      tokenPreview: token.slice(0, 50) + "..."
+    });
+    fetch(`${authBaseUrl}/account/profile`, {
+      headers: { Authorization: `Bearer ${token}` },
+      credentials: "include"
+    }).then((res) => {
+      console.log("\u{1F4E5} Profile response status:", res.status);
+      if (!res.ok) throw new Error("Failed to fetch user");
+      return res.json();
+    }).then((userData) => {
+      console.log("\u2705 Profile fetched successfully:", userData.email);
+      setUser(userData);
+      setSessionValid(true);
+      setLoading(false);
+    }).catch((err) => {
+      console.error("\u274C Fetch user error:", err);
+      clearToken();
+      setTokenState(null);
+      setUser(null);
+      setLoading(false);
+    });
+  }, [token]);
+  const login2 = (clientKey, redirectUri, state) => {
+    login(clientKey, redirectUri, state);
+  };
+  const logout2 = () => {
+    stopSessionSecurity();
+    sessionSecurityRef.current = null;
+    logout();
+    setUser(null);
+    setTokenState(null);
+    setSessionValid(true);
+  };
+  const value = {
+    token,
+    user,
+    loading,
+    login: login2,
+    logout: logout2,
+    isAuthenticated: !!token && !!user && sessionValid,
+    sessionValid,
+    setUser,
+    setToken: (newToken) => {
+      setToken(newToken);
+      setTokenState(newToken);
+      setSessionValid(true);
+    },
+    clearToken: () => {
+      stopSessionSecurity();
+      sessionSecurityRef.current = null;
+      clearToken();
+      setTokenState(null);
+      setUser(null);
+    }
+  };
+  return /* @__PURE__ */ React.createElement(AuthContext.Provider, { value }, children);
+}
+
+// react/useAuth.js
+import { useContext } from "react";
+function useAuth() {
+  const context = useContext(AuthContext);
+  if (!context) {
+    throw new Error("useAuth must be used within an AuthProvider");
+  }
+  return context;
+}
+
+// react/useSessionMonitor.js
+import { useQuery, useQueryClient } from "@tanstack/react-query";
+import { useEffect as useEffect2, useCallback } from "react";
+var useSessionMonitor = (options = {}) => {
+  var _a, _b;
+  const queryClient = useQueryClient();
+  const {
+    enabled = true,
+    refetchInterval = 2 * 60 * 1e3,
+    // 2 minutes (matching config default)
+    onSessionInvalid: onSessionInvalid2,
+    onError,
+    autoLogout = true,
+    validateOnMount = true
+  } = options;
+  const handleInvalid = useCallback(() => {
+    console.log("\u{1F6A8} useSessionMonitor: Session invalid detected");
+    queryClient.clear();
+    if (autoLogout) {
+      auth.clearToken();
+      auth.clearRefreshToken();
+    }
+    if (onSessionInvalid2) {
+      onSessionInvalid2();
+    }
+  }, [queryClient, autoLogout, onSessionInvalid2]);
+  const query = useQuery({
+    queryKey: ["session-validation"],
+    queryFn: async () => {
+      try {
+        const token = auth.getToken();
+        if (!token) {
+          return { valid: false, reason: "no_token" };
+        }
+        console.log("\u{1F50D} useSessionMonitor: Validating session...");
+        const isValid = await auth.validateCurrentSession();
+        if (!isValid) {
+          console.log("\u274C useSessionMonitor: Session no longer valid");
+          handleInvalid();
+          return { valid: false, reason: "session_deleted" };
+        }
+        console.log("\u2705 useSessionMonitor: Session still valid");
+        return { valid: true };
+      } catch (error) {
+        console.error("\u26A0\uFE0F useSessionMonitor: Validation error:", error);
+        if (onError) {
+          onError(error);
+        }
+        throw error;
+      }
+    },
+    enabled: enabled && !!auth.getToken(),
+    refetchInterval,
+    refetchIntervalInBackground: true,
+    retry: 2,
+    retryDelay: 5e3,
+    staleTime: refetchInterval / 2
+    // Consider stale at half the interval
+  });
+  useEffect2(() => {
+    if (!enabled) return;
+    const handleVisibilityChange = () => {
+      if (document.visibilityState === "visible" && auth.getToken()) {
+        console.log("\u{1F441}\uFE0F useSessionMonitor: Tab visible - triggering validation");
+        queryClient.invalidateQueries({ queryKey: ["session-validation"] });
+      }
+    };
+    document.addEventListener("visibilitychange", handleVisibilityChange);
+    return () => {
+      document.removeEventListener("visibilitychange", handleVisibilityChange);
+    };
+  }, [enabled, queryClient]);
+  useEffect2(() => {
+    if (validateOnMount && enabled && auth.getToken()) {
+      queryClient.invalidateQueries({ queryKey: ["session-validation"] });
+    }
+  }, [validateOnMount, enabled, queryClient]);
+  return {
+    ...query,
+    isSessionValid: ((_a = query.data) == null ? void 0 : _a.valid) ?? true,
+    invalidationReason: (_b = query.data) == null ? void 0 : _b.reason,
+    manualValidate: () => queryClient.invalidateQueries({ queryKey: ["session-validation"] })
+  };
+};
+
+// index.js
+var auth = {
+  // 🔧 Config
+  setConfig,
+  getConfig,
+  isRouterMode,
+  // 🔐 Core flows
+  login,
+  logout,
+  handleCallback,
+  refreshToken,
+  resetCallbackState,
+  validateCurrentSession,
+  // 🔑 Token management
+  getToken,
+  setToken,
+  clearToken,
+  setRefreshToken,
+  // ✅ Refresh token for HTTP dev
+  getRefreshToken,
+  clearRefreshToken,
+  addTokenListener,
+  // ✅ Export new functions
+  removeTokenListener,
+  getListenerCount,
+  // ✅ Debug function
+  // 🌐 Authenticated API client
+  api: api_default,
+  // 🧪 Utilities
+  decodeToken,
+  isTokenExpired,
+  isAuthenticated,
+  // ⏱️ Token Expiry Utilities (NEW)
+  getTokenExpiryTime,
+  // Get token expiry as Date object
+  getTimeUntilExpiry,
+  // Get seconds until token expires
+  willExpireSoon,
+  // Check if token expires within N seconds
+  // 🔐 Session Security (NEW - Short-lived tokens + Periodic validation)
+  startProactiveRefresh,
+  // Start proactive token refresh before expiry
+  stopProactiveRefresh,
+  // Stop proactive refresh
+  startSessionMonitor,
+  // Start periodic session validation
+  stopSessionMonitor,
+  // Stop session validation
+  startSessionSecurity,
+  // Start both proactive refresh AND session monitoring
+  stopSessionSecurity,
+  // Stop all session security
+  onSessionInvalid,
+  // Register callback for session invalidation
+  // 🔄 Legacy auto-refresh (DEPRECATED - use startSessionSecurity instead)
+  startTokenRefresh: () => {
+    console.warn("\u26A0\uFE0F startTokenRefresh is deprecated. Use startSessionSecurity() instead for better session management.");
+    const interval = setInterval(async () => {
+      const token = getToken();
+      if (token && isTokenExpired(token, 300)) {
+        try {
+          await refreshToken();
+          console.log("\u{1F504} Auto-refresh successful");
+        } catch (err) {
+          console.error("Auto-refresh failed:", err);
+          clearInterval(interval);
+        }
+      }
+    }, 6e4);
+    return interval;
+  }
+};
+export {
+  AuthProvider,
+  auth,
+  useAuth,
+  useSessionMonitor
+};
+//# sourceMappingURL=index.js.map