npm - @spidy092/auth-client - Versions diffs - 2.1.8 → 3.0.1 - Mend

@spidy092/auth-client 2.1.8 → 3.0.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (35) hide show

package/Readme.md +9 -0
package/dist/api.cjs +337 -0
package/dist/api.cjs.map +1 -0
package/dist/api.js +307 -0
package/dist/api.js.map +1 -0
package/dist/index.cjs +1065 -0
package/dist/index.cjs.map +1 -0
package/dist/index.js +1026 -0
package/dist/index.js.map +1 -0
package/dist/react/AuthProvider.cjs +700 -0
package/dist/react/AuthProvider.cjs.map +1 -0
package/dist/react/AuthProvider.js +665 -0
package/dist/react/AuthProvider.js.map +1 -0
package/dist/react/useAuth.cjs +92 -0
package/dist/react/useAuth.cjs.map +1 -0
package/dist/react/useAuth.js +58 -0
package/dist/react/useAuth.js.map +1 -0
package/dist/react/useSessionMonitor.cjs +944 -0
package/dist/react/useSessionMonitor.cjs.map +1 -0
package/dist/react/useSessionMonitor.js +910 -0
package/dist/react/useSessionMonitor.js.map +1 -0
package/dist/utils/jwt.cjs +72 -0
package/dist/utils/jwt.cjs.map +1 -0
package/dist/utils/jwt.js +46 -0
package/dist/utils/jwt.js.map +1 -0
package/package.json +34 -13
package/api.js +0 -95
package/config.js +0 -63
package/core.js +0 -567
package/index.js +0 -106
package/react/AuthProvider.jsx +0 -150
package/react/useAuth.js +0 -10
package/react/useSessionMonitor.js +0 -121
package/token.js +0 -455
package/utils/jwt.js +0 -27

package/dist/index.cjs ADDED Viewed

@@ -0,0 +1,1065 @@
+var __create = Object.create;
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __getProtoOf = Object.getPrototypeOf;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toESM = (mod, isNodeMode, target) => (target = mod != null ? __create(__getProtoOf(mod)) : {}, __copyProps(
+  // If the importer is in node compatibility mode or this is not an ESM
+  // file that has been converted to a CommonJS file using a Babel-
+  // compatible transform (i.e. "__esModule" has not been set), then set
+  // "default" to the CommonJS "module.exports" for node compatibility.
+  isNodeMode || !mod || !mod.__esModule ? __defProp(target, "default", { value: mod, enumerable: true }) : target,
+  mod
+));
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+// index.js
+var index_exports = {};
+__export(index_exports, {
+  AuthProvider: () => AuthProvider,
+  auth: () => auth,
+  useAuth: () => useAuth,
+  useSessionMonitor: () => useSessionMonitor
+});
+module.exports = __toCommonJS(index_exports);
+// token.js
+var import_jwt_decode = require("jwt-decode");
+var accessToken = null;
+var listeners = /* @__PURE__ */ new Set();
+var REFRESH_COOKIE = "account_refresh_token";
+var COOKIE_MAX_AGE = 7 * 24 * 60 * 60;
+function secureAttribute() {
+  var _a;
+  try {
+    return typeof window !== "undefined" && ((_a = window.location) == null ? void 0 : _a.protocol) === "https:" ? "; Secure" : "";
+  } catch (err) {
+    return "";
+  }
+}
+function writeAccessToken(token) {
+  if (!token) {
+    try {
+      localStorage.removeItem("authToken");
+    } catch (err) {
+      console.warn("Could not clear token from localStorage:", err);
+    }
+    return;
+  }
+  try {
+    localStorage.setItem("authToken", token);
+  } catch (err) {
+    console.warn("Could not persist token to localStorage:", err);
+  }
+}
+function readAccessToken() {
+  try {
+    return localStorage.getItem("authToken");
+  } catch (err) {
+    console.warn("Could not read token from localStorage:", err);
+    return null;
+  }
+}
+function decode(token) {
+  try {
+    return (0, import_jwt_decode.jwtDecode)(token);
+  } catch (err) {
+    return null;
+  }
+}
+function getTokenExpiryTime(token) {
+  if (!token) return null;
+  const decoded = decode(token);
+  if (!(decoded == null ? void 0 : decoded.exp)) return null;
+  return new Date(decoded.exp * 1e3);
+}
+function getTimeUntilExpiry(token) {
+  if (!token) return -1;
+  const decoded = decode(token);
+  if (!(decoded == null ? void 0 : decoded.exp)) return -1;
+  const now = Date.now() / 1e3;
+  return Math.floor(decoded.exp - now);
+}
+function willExpireSoon(token, withinSeconds = 60) {
+  const timeLeft = getTimeUntilExpiry(token);
+  return timeLeft >= 0 && timeLeft <= withinSeconds;
+}
+function setToken(token) {
+  const previousToken = accessToken;
+  accessToken = token || null;
+  writeAccessToken(accessToken);
+  if (previousToken !== accessToken) {
+    listeners.forEach((listener) => {
+      try {
+        listener(accessToken, previousToken);
+      } catch (err) {
+        console.warn("Token listener error:", err);
+      }
+    });
+  }
+}
+function getToken() {
+  if (accessToken) return accessToken;
+  accessToken = readAccessToken();
+  return accessToken;
+}
+function clearToken() {
+  if (!accessToken) {
+    writeAccessToken(null);
+    clearRefreshToken();
+    return;
+  }
+  const previousToken = accessToken;
+  accessToken = null;
+  writeAccessToken(null);
+  clearRefreshToken();
+  listeners.forEach((listener) => {
+    try {
+      listener(null, previousToken);
+    } catch (err) {
+      console.warn("Token listener error:", err);
+    }
+  });
+}
+var REFRESH_TOKEN_KEY = "auth_refresh_token";
+var _persistRefreshToken = false;
+function enableRefreshTokenPersistence(enabled) {
+  _persistRefreshToken = !!enabled;
+  console.log(`\u{1F527} Refresh token persistence: ${_persistRefreshToken ? "ENABLED" : "DISABLED"}`);
+}
+function shouldUseLocalStorage() {
+  var _a;
+  if (_persistRefreshToken) return true;
+  try {
+    return typeof window !== "undefined" && ((_a = window.location) == null ? void 0 : _a.protocol) === "http:";
+  } catch (err) {
+    return false;
+  }
+}
+function setRefreshToken(token) {
+  if (!token) {
+    clearRefreshToken();
+    return;
+  }
+  if (shouldUseLocalStorage()) {
+    try {
+      localStorage.setItem(REFRESH_TOKEN_KEY, token);
+      console.log(`\u{1F4E6} Refresh token stored in localStorage (${_persistRefreshToken ? "persistence enabled" : "HTTP dev mode"})`);
+    } catch (err) {
+      console.warn("Could not store refresh token:", err);
+    }
+  } else {
+    console.log("\u{1F512} Refresh token managed by server httpOnly cookie (production mode)");
+  }
+}
+function getRefreshToken() {
+  if (shouldUseLocalStorage()) {
+    try {
+      const token = localStorage.getItem(REFRESH_TOKEN_KEY);
+      return token;
+    } catch (err) {
+      console.warn("Could not read refresh token:", err);
+      return null;
+    }
+  }
+  return null;
+}
+function clearRefreshToken() {
+  try {
+    localStorage.removeItem(REFRESH_TOKEN_KEY);
+  } catch (err) {
+  }
+  try {
+    document.cookie = `${REFRESH_COOKIE}=; Path=/; SameSite=Strict${secureAttribute()}; Expires=Thu, 01 Jan 1970 00:00:00 GMT`;
+  } catch (err) {
+    console.warn("Could not clear refresh token cookie:", err);
+  }
+  try {
+    sessionStorage.removeItem(REFRESH_COOKIE);
+  } catch (err) {
+  }
+}
+function addTokenListener(listener) {
+  if (typeof listener !== "function") {
+    throw new Error("Token listener must be a function");
+  }
+  listeners.add(listener);
+  return () => {
+    listeners.delete(listener);
+  };
+}
+function removeTokenListener(listener) {
+  listeners.delete(listener);
+}
+function getListenerCount() {
+  return listeners.size;
+}
+// config.js
+var config = {
+  clientKey: null,
+  authBaseUrl: null,
+  redirectUri: null,
+  accountUiUrl: null,
+  isRouter: false,
+  // ✅ Add router flag
+  // ========== SESSION SECURITY SETTINGS ==========
+  // Buffer time (in seconds) before token expiry to trigger proactive refresh
+  // With 5-minute access tokens, refreshing 60s before expiry ensures seamless UX
+  tokenRefreshBuffer: 60,
+  // Interval (in milliseconds) for periodic session validation
+  // Validates that the session still exists in Keycloak (not deleted by admin)
+  // Default: 15 minutes (900000ms) - Increased from 2m to avoid frequent checks
+  sessionValidationInterval: 15 * 60 * 1e3,
+  // Enable/disable periodic session validation
+  // When enabled, the client will ping the server to verify session is still active
+  enableSessionValidation: true,
+  // Enable/disable proactive token refresh
+  // When enabled, tokens are refreshed before they expire (using tokenRefreshBuffer)
+  enableProactiveRefresh: true,
+  // Validate session when browser tab becomes visible again
+  // Catches session deletions that happened while the tab was inactive
+  validateOnVisibility: true,
+  // ========== REFRESH TOKEN PERSISTENCE ==========
+  // When true, stores refresh token in localStorage even on HTTPS
+  // Required for local dev with mkcert/self-signed certs where httpOnly cookies
+  // may not work reliably across origins
+  // ⚠️ In true production, set to false and rely on httpOnly cookies
+  persistRefreshToken: false
+};
+function setConfig(customConfig = {}) {
+  if (!customConfig.clientKey || !customConfig.authBaseUrl) {
+    throw new Error("Missing required config: clientKey and authBaseUrl are required");
+  }
+  config = {
+    ...config,
+    ...customConfig,
+    redirectUri: customConfig.redirectUri || window.location.origin + "/callback",
+    // ✅ Auto-detect router mode
+    isRouter: customConfig.isRouter || customConfig.clientKey === "account-ui"
+  };
+  if (config.persistRefreshToken) {
+    enableRefreshTokenPersistence(true);
+    console.log("\u{1F4E6} Refresh token persistence ENABLED (localStorage on HTTPS)");
+  }
+  console.log(`\u{1F527} Auth Client Mode: ${config.isRouter ? "ROUTER" : "CLIENT"}`, {
+    clientKey: config.clientKey,
+    isRouter: config.isRouter,
+    persistRefreshToken: config.persistRefreshToken
+  });
+}
+function getConfig() {
+  return { ...config };
+}
+function isRouterMode() {
+  return config.isRouter;
+}
+// core.js
+var callbackProcessed = false;
+function login(clientKeyArg, redirectUriArg) {
+  resetCallbackState();
+  const {
+    clientKey: defaultClientKey,
+    authBaseUrl,
+    redirectUri: defaultRedirectUri,
+    accountUiUrl
+  } = getConfig();
+  const clientKey = clientKeyArg || defaultClientKey;
+  const redirectUri = redirectUriArg || defaultRedirectUri;
+  console.log("\u{1F504} Smart Login initiated:", {
+    mode: isRouterMode() ? "ROUTER" : "CLIENT",
+    clientKey,
+    redirectUri
+  });
+  if (!clientKey || !redirectUri) {
+    throw new Error("Missing clientKey or redirectUri");
+  }
+  sessionStorage.setItem("originalApp", clientKey);
+  sessionStorage.setItem("returnUrl", redirectUri);
+  if (isRouterMode()) {
+    return routerLogin(clientKey, redirectUri);
+  } else {
+    return clientLogin(clientKey, redirectUri);
+  }
+}
+function routerLogin(clientKey, redirectUri) {
+  const { authBaseUrl } = getConfig();
+  const params = new URLSearchParams();
+  if (redirectUri) {
+    params.append("redirect_uri", redirectUri);
+  }
+  const query = params.toString();
+  const backendLoginUrl = `${authBaseUrl}/login/${clientKey}${query ? `?${query}` : ""}`;
+  console.log("\u{1F3ED} Router Login: Direct backend authentication", {
+    clientKey,
+    redirectUri,
+    backendUrl: backendLoginUrl
+  });
+  window.location.href = backendLoginUrl;
+}
+function clientLogin(clientKey, redirectUri) {
+  const { accountUiUrl } = getConfig();
+  const params = new URLSearchParams({
+    client: clientKey
+  });
+  if (redirectUri) {
+    params.append("redirect_uri", redirectUri);
+  }
+  const centralizedLoginUrl = `${accountUiUrl}/login?${params.toString()}`;
+  console.log("\u{1F504} Client Login: Redirecting to centralized login", {
+    clientKey,
+    redirectUri,
+    centralizedUrl: centralizedLoginUrl
+  });
+  window.location.href = centralizedLoginUrl;
+}
+function logout() {
+  resetCallbackState();
+  const { clientKey, authBaseUrl, accountUiUrl } = getConfig();
+  const token = getToken();
+  console.log("\u{1F6AA} Smart Logout initiated");
+  clearToken();
+  clearRefreshToken();
+  sessionStorage.removeItem("originalApp");
+  sessionStorage.removeItem("returnUrl");
+  if (isRouterMode()) {
+    return routerLogout(clientKey, authBaseUrl, accountUiUrl, token);
+  } else {
+    return clientLogout(clientKey, accountUiUrl);
+  }
+}
+async function routerLogout(clientKey, authBaseUrl, accountUiUrl, token) {
+  console.log("\u{1F3ED} Router Logout");
+  const refreshToken2 = getRefreshToken();
+  try {
+    const response = await fetch(`${authBaseUrl}/logout/${clientKey}`, {
+      method: "POST",
+      credentials: "include",
+      headers: {
+        "Authorization": token ? `Bearer ${token}` : "",
+        "Content-Type": "application/json"
+      },
+      body: JSON.stringify({
+        refreshToken: refreshToken2
+      })
+    });
+    const data = await response.json();
+    console.log("\u2705 Logout response:", data);
+    clearRefreshToken();
+    clearToken();
+    console.log("\u{1F504} Redirecting to login (skipping Keycloak confirmation)");
+    window.location.href = "/login";
+  } catch (error) {
+    console.warn("\u26A0\uFE0F Logout failed:", error);
+    clearRefreshToken();
+    clearToken();
+    window.location.href = "/login";
+  }
+}
+function clientLogout(clientKey, accountUiUrl) {
+  console.log("\u{1F504} Client Logout");
+  const logoutUrl = `${accountUiUrl}/login?client=${clientKey}&logout=true`;
+  window.location.href = logoutUrl;
+}
+function handleCallback() {
+  var _a;
+  const params = new URLSearchParams(window.location.search);
+  const accessToken2 = params.get("access_token");
+  const error = params.get("error");
+  console.log("\u{1F504} Callback handling:", {
+    hasAccessToken: !!accessToken2,
+    error
+  });
+  if (callbackProcessed) {
+    const existingToken = getToken();
+    if (existingToken) {
+      console.log("\u2705 Callback already processed, returning existing token");
+      return existingToken;
+    }
+    callbackProcessed = false;
+  }
+  callbackProcessed = true;
+  sessionStorage.removeItem("originalApp");
+  sessionStorage.removeItem("returnUrl");
+  if (error) {
+    const errorDescription = params.get("error_description") || error;
+    throw new Error(`Authentication failed: ${errorDescription}`);
+  }
+  if (accessToken2) {
+    setToken(accessToken2);
+    const refreshTokenInUrl = params.get("refresh_token");
+    if (refreshTokenInUrl) {
+      const { persistRefreshToken } = getConfig();
+      const isHttpDev = typeof window !== "undefined" && ((_a = window.location) == null ? void 0 : _a.protocol) === "http:";
+      if (persistRefreshToken || isHttpDev) {
+        console.log(`\u{1F4E6} Storing refresh token from callback URL (${persistRefreshToken ? "persistence enabled" : "HTTP dev mode"})`);
+        setRefreshToken(refreshTokenInUrl);
+      } else {
+        console.log("\u{1F512} HTTPS mode: Refresh token is in httpOnly cookie (ignoring URL param)");
+      }
+    }
+    const url = new URL(window.location);
+    url.searchParams.delete("access_token");
+    url.searchParams.delete("refresh_token");
+    url.searchParams.delete("state");
+    url.searchParams.delete("error");
+    url.searchParams.delete("error_description");
+    window.history.replaceState({}, "", url);
+    console.log("\u2705 Callback processed successfully, token stored");
+    return accessToken2;
+  }
+  throw new Error("No access token found in callback URL");
+}
+function resetCallbackState() {
+  callbackProcessed = false;
+}
+var refreshInProgress = false;
+var refreshPromise = null;
+async function refreshToken() {
+  const { clientKey, authBaseUrl } = getConfig();
+  if (refreshInProgress && refreshPromise) {
+    console.log("\u{1F504} Token refresh already in progress, waiting...");
+    return refreshPromise;
+  }
+  refreshInProgress = true;
+  refreshPromise = (async () => {
+    try {
+      const storedRefreshToken = getRefreshToken();
+      console.log("\u{1F504} Refreshing token:", {
+        clientKey,
+        mode: isRouterMode() ? "ROUTER" : "CLIENT",
+        hasStoredRefreshToken: !!storedRefreshToken
+      });
+      const requestOptions = {
+        method: "POST",
+        credentials: "include",
+        // ✅ Include httpOnly cookies (for HTTPS)
+        headers: {
+          "Content-Type": "application/json"
+        }
+      };
+      if (storedRefreshToken) {
+        requestOptions.headers["X-Refresh-Token"] = storedRefreshToken;
+        requestOptions.body = JSON.stringify({ refreshToken: storedRefreshToken });
+      }
+      const response = await fetch(`${authBaseUrl}/refresh/${clientKey}`, requestOptions);
+      if (!response.ok) {
+        const errorText = await response.text();
+        console.error("\u274C Token refresh failed:", response.status, errorText);
+        throw new Error(`Refresh failed: ${response.status}`);
+      }
+      const data = await response.json();
+      const { access_token, refresh_token: new_refresh_token } = data;
+      if (!access_token) {
+        throw new Error("No access token in refresh response");
+      }
+      setToken(access_token);
+      if (new_refresh_token) {
+        setRefreshToken(new_refresh_token);
+        console.log("\u{1F504} New refresh token stored from rotation");
+      }
+      console.log("\u2705 Token refresh successful, listeners notified");
+      return access_token;
+    } catch (err) {
+      console.error("\u274C Token refresh error:", err);
+      clearToken();
+      clearRefreshToken();
+      throw err;
+    } finally {
+      refreshInProgress = false;
+      refreshPromise = null;
+    }
+  })();
+  return refreshPromise;
+}
+async function validateCurrentSession() {
+  try {
+    const { authBaseUrl } = getConfig();
+    const token = getToken();
+    if (!token || !authBaseUrl) {
+      return false;
+    }
+    const response = await fetch(`${authBaseUrl}/account/validate-session`, {
+      method: "GET",
+      headers: {
+        "Authorization": `Bearer ${token}`,
+        "Content-Type": "application/json"
+      },
+      credentials: "include"
+    });
+    if (!response.ok) {
+      if (response.status === 401) {
+        return false;
+      }
+      throw new Error(`HTTP ${response.status}: ${response.statusText}`);
+    }
+    const data = await response.json();
+    return data.valid === true;
+  } catch (error) {
+    console.warn("Session validation failed:", error.message);
+    if (error.message.includes("401")) {
+      return false;
+    }
+    throw error;
+  }
+}
+var proactiveRefreshTimer = null;
+var sessionValidationTimer = null;
+var visibilityHandler = null;
+var sessionInvalidCallbacks = /* @__PURE__ */ new Set();
+function onSessionInvalid(callback) {
+  if (typeof callback === "function") {
+    sessionInvalidCallbacks.add(callback);
+  }
+  return () => sessionInvalidCallbacks.delete(callback);
+}
+function notifySessionInvalid(reason = "session_deleted") {
+  console.log("\u{1F6A8} Session invalidated:", reason);
+  sessionInvalidCallbacks.forEach((callback) => {
+    try {
+      callback(reason);
+    } catch (err) {
+      console.error("Session invalid callback error:", err);
+    }
+  });
+}
+function startProactiveRefresh() {
+  const { enableProactiveRefresh, tokenRefreshBuffer } = getConfig();
+  if (!enableProactiveRefresh) {
+    console.log("\u23F8\uFE0F Proactive refresh disabled by config");
+    return null;
+  }
+  stopProactiveRefresh();
+  const token = getToken();
+  if (!token) {
+    console.log("\u23F8\uFE0F No token, skipping proactive refresh setup");
+    return null;
+  }
+  const timeUntilExpiry = getTimeUntilExpiry(token);
+  if (timeUntilExpiry <= 0) {
+    console.log("\u26A0\uFE0F Token already expired, attempting immediate refresh");
+    refreshToken().catch((err) => {
+      console.error("\u274C Immediate refresh failed:", err);
+      notifySessionInvalid("token_expired");
+    });
+    return null;
+  }
+  const refreshIn = Math.max(0, timeUntilExpiry - tokenRefreshBuffer) * 1e3;
+  console.log(`\u{1F504} Scheduling proactive refresh in ${Math.round(refreshIn / 1e3)}s (token expires in ${timeUntilExpiry}s)`);
+  proactiveRefreshTimer = setTimeout(async () => {
+    var _a;
+    try {
+      console.log("\u{1F504} Proactive token refresh triggered");
+      await refreshToken();
+      console.log("\u2705 Proactive refresh successful, scheduling next refresh");
+      startProactiveRefresh();
+    } catch (err) {
+      console.error("\u274C Proactive refresh failed:", err);
+      const errorMessage = ((_a = err.message) == null ? void 0 : _a.toLowerCase()) || "";
+      const isPermanentFailure = errorMessage.includes("401") || errorMessage.includes("revoked") || errorMessage.includes("invalid") || errorMessage.includes("expired") || errorMessage.includes("unauthorized");
+      if (isPermanentFailure) {
+        console.log("\u{1F6A8} Token permanently invalid, triggering session expiry");
+        notifySessionInvalid("refresh_token_revoked");
+      } else {
+        proactiveRefreshTimer = setTimeout(() => startProactiveRefresh(), 3e4);
+      }
+    }
+  }, refreshIn);
+  return proactiveRefreshTimer;
+}
+function stopProactiveRefresh() {
+  if (proactiveRefreshTimer) {
+    clearTimeout(proactiveRefreshTimer);
+    proactiveRefreshTimer = null;
+    console.log("\u23F9\uFE0F Proactive refresh stopped");
+  }
+}
+function startSessionMonitor(onInvalid) {
+  const { enableSessionValidation, sessionValidationInterval, validateOnVisibility } = getConfig();
+  if (!enableSessionValidation) {
+    console.log("\u23F8\uFE0F Session validation disabled by config");
+    return null;
+  }
+  if (onInvalid && typeof onInvalid === "function") {
+    sessionInvalidCallbacks.add(onInvalid);
+  }
+  stopSessionMonitor();
+  const token = getToken();
+  if (!token) {
+    console.log("\u23F8\uFE0F No token, skipping session monitor setup");
+    return null;
+  }
+  console.log(`\u{1F441}\uFE0F Starting session monitor (interval: ${sessionValidationInterval / 1e3}s)`);
+  sessionValidationTimer = setInterval(async () => {
+    try {
+      const currentToken = getToken();
+      if (!currentToken) {
+        console.log("\u23F8\uFE0F No token, stopping session validation");
+        stopSessionMonitor();
+        return;
+      }
+      console.log("\u{1F50D} Validating session...");
+      const isValid = await validateCurrentSession();
+      if (!isValid) {
+        console.log("\u274C Session no longer valid on server");
+        stopSessionMonitor();
+        stopProactiveRefresh();
+        clearToken();
+        clearRefreshToken();
+        notifySessionInvalid("session_deleted");
+      } else {
+        console.log("\u2705 Session still valid");
+      }
+    } catch (error) {
+      console.warn("\u26A0\uFE0F Session validation check failed:", error.message);
+    }
+  }, sessionValidationInterval);
+  if (validateOnVisibility && typeof document !== "undefined") {
+    visibilityHandler = async () => {
+      if (document.visibilityState === "visible") {
+        const currentToken = getToken();
+        if (!currentToken) return;
+        console.log("\u{1F441}\uFE0F Tab visible - validating session");
+        try {
+          const isValid = await validateCurrentSession();
+          if (!isValid) {
+            console.log("\u274C Session expired while tab was hidden");
+            stopSessionMonitor();
+            stopProactiveRefresh();
+            clearToken();
+            clearRefreshToken();
+            notifySessionInvalid("session_deleted_while_hidden");
+          }
+        } catch (error) {
+          console.warn("\u26A0\uFE0F Visibility check failed:", error.message);
+        }
+      }
+    };
+    document.addEventListener("visibilitychange", visibilityHandler);
+  }
+  return sessionValidationTimer;
+}
+function stopSessionMonitor() {
+  if (sessionValidationTimer) {
+    clearInterval(sessionValidationTimer);
+    sessionValidationTimer = null;
+    console.log("\u23F9\uFE0F Session monitor stopped");
+  }
+  if (visibilityHandler && typeof document !== "undefined") {
+    document.removeEventListener("visibilitychange", visibilityHandler);
+    visibilityHandler = null;
+  }
+}
+function startSessionSecurity(onSessionInvalidCallback) {
+  console.log("\u{1F510} Starting session security (proactive refresh + session monitoring)");
+  startProactiveRefresh();
+  startSessionMonitor(onSessionInvalidCallback);
+  return {
+    stopAll: () => {
+      stopProactiveRefresh();
+      stopSessionMonitor();
+    }
+  };
+}
+function stopSessionSecurity() {
+  stopProactiveRefresh();
+  stopSessionMonitor();
+  sessionInvalidCallbacks.clear();
+  console.log("\u{1F510} Session security stopped");
+}
+// api.js
+var import_axios = __toESM(require("axios"), 1);
+var api = import_axios.default.create({
+  withCredentials: true
+});
+api.interceptors.request.use((config2) => {
+  const runtimeConfig = getConfig();
+  if (!config2.baseURL) {
+    config2.baseURL = (runtimeConfig == null ? void 0 : runtimeConfig.authBaseUrl) || "http://auth.local.test:4000/auth";
+  }
+  if (!config2.headers) {
+    config2.headers = {};
+  }
+  if ((runtimeConfig == null ? void 0 : runtimeConfig.clientKey) && !config2.headers["X-Client-Key"]) {
+    config2.headers["X-Client-Key"] = runtimeConfig.clientKey;
+  }
+  const token = getToken();
+  if (token) {
+    config2.headers.Authorization = `Bearer ${token}`;
+  }
+  return config2;
+});
+var refreshPromise2 = null;
+api.interceptors.response.use(
+  (response) => response,
+  async (error) => {
+    const { response, config: config2 } = error || {};
+    if (!response || !config2) {
+      return Promise.reject(error);
+    }
+    if (response.status !== 401 || config2._retry) {
+      return Promise.reject(error);
+    }
+    config2._retry = true;
+    if (!refreshPromise2) {
+      refreshPromise2 = refreshToken().then((newToken) => {
+        refreshPromise2 = null;
+        if (newToken) {
+          setToken(newToken);
+        }
+        return newToken;
+      }).catch((refreshError) => {
+        refreshPromise2 = null;
+        clearToken();
+        throw refreshError;
+      });
+    }
+    try {
+      const refreshedToken = await refreshPromise2;
+      if (refreshedToken) {
+        config2.headers.Authorization = `Bearer ${refreshedToken}`;
+        return api(config2);
+      }
+    } catch (refreshErr) {
+      return Promise.reject(refreshErr);
+    }
+    return Promise.reject(error);
+  }
+);
+api.validateSession = async () => {
+  var _a;
+  try {
+    const response = await api.get("/account/validate-session");
+    return response.data.valid;
+  } catch (err) {
+    if (((_a = err.response) == null ? void 0 : _a.status) === 401) {
+      return false;
+    }
+    throw err;
+  }
+};
+var api_default = api;
+// utils/jwt.js
+var import_jwt_decode2 = require("jwt-decode");
+function decodeToken(token) {
+  try {
+    return (0, import_jwt_decode2.jwtDecode)(token);
+  } catch (err) {
+    console.warn("Failed to decode JWT:", err);
+    return null;
+  }
+}
+function isTokenExpired(token, bufferSeconds = 60) {
+  const decoded = decodeToken(token);
+  if (!decoded || !decoded.exp) return true;
+  const currentTime = Date.now() / 1e3;
+  return decoded.exp < currentTime + bufferSeconds;
+}
+function isAuthenticated() {
+  const token = getToken();
+  return !!token && !isTokenExpired(token);
+}
+// react/AuthProvider.jsx
+var import_react = __toESM(require("react"), 1);
+var AuthContext = (0, import_react.createContext)();
+function AuthProvider({ children, onSessionExpired }) {
+  const [token, setTokenState] = (0, import_react.useState)(getToken());
+  const [user, setUser] = (0, import_react.useState)(null);
+  const [loading, setLoading] = (0, import_react.useState)(!!token);
+  const [sessionValid, setSessionValid] = (0, import_react.useState)(true);
+  const sessionSecurityRef = (0, import_react.useRef)(null);
+  const handleSessionInvalid = (reason) => {
+    console.log("\u{1F6A8} AuthProvider: Session invalidated -", reason);
+    setSessionValid(false);
+    setUser(null);
+    setTokenState(null);
+    if (onSessionExpired && typeof onSessionExpired === "function") {
+      onSessionExpired(reason);
+    }
+  };
+  (0, import_react.useEffect)(() => {
+    if (token && !sessionSecurityRef.current) {
+      console.log("\u{1F510} AuthProvider: Starting session security");
+      const unsubscribe = onSessionInvalid(handleSessionInvalid);
+      sessionSecurityRef.current = startSessionSecurity(handleSessionInvalid);
+      return () => {
+        unsubscribe();
+        if (sessionSecurityRef.current) {
+          sessionSecurityRef.current.stopAll();
+          sessionSecurityRef.current = null;
+        }
+      };
+    }
+    if (!token && sessionSecurityRef.current) {
+      sessionSecurityRef.current.stopAll();
+      sessionSecurityRef.current = null;
+    }
+  }, [token]);
+  (0, import_react.useEffect)(() => {
+    console.log("\u{1F50D} AuthProvider useEffect triggered:", {
+      hasToken: !!token,
+      tokenLength: token == null ? void 0 : token.length
+    });
+    if (!token) {
+      console.log("\u26A0\uFE0F AuthProvider: No token, setting loading=false");
+      setLoading(false);
+      return;
+    }
+    const { authBaseUrl } = getConfig();
+    if (!authBaseUrl) {
+      console.warn("AuthProvider: No authBaseUrl configured");
+      setLoading(false);
+      return;
+    }
+    console.log("\u{1F310} AuthProvider: Fetching profile with token...", {
+      authBaseUrl,
+      tokenPreview: token.slice(0, 50) + "..."
+    });
+    fetch(`${authBaseUrl}/account/profile`, {
+      headers: { Authorization: `Bearer ${token}` },
+      credentials: "include"
+    }).then((res) => {
+      console.log("\u{1F4E5} Profile response status:", res.status);
+      if (!res.ok) throw new Error("Failed to fetch user");
+      return res.json();
+    }).then((userData) => {
+      console.log("\u2705 Profile fetched successfully:", userData.email);
+      setUser(userData);
+      setSessionValid(true);
+      setLoading(false);
+    }).catch((err) => {
+      console.error("\u274C Fetch user error:", err);
+      clearToken();
+      setTokenState(null);
+      setUser(null);
+      setLoading(false);
+    });
+  }, [token]);
+  const login2 = (clientKey, redirectUri, state) => {
+    login(clientKey, redirectUri, state);
+  };
+  const logout2 = () => {
+    stopSessionSecurity();
+    sessionSecurityRef.current = null;
+    logout();
+    setUser(null);
+    setTokenState(null);
+    setSessionValid(true);
+  };
+  const value = {
+    token,
+    user,
+    loading,
+    login: login2,
+    logout: logout2,
+    isAuthenticated: !!token && !!user && sessionValid,
+    sessionValid,
+    setUser,
+    setToken: (newToken) => {
+      setToken(newToken);
+      setTokenState(newToken);
+      setSessionValid(true);
+    },
+    clearToken: () => {
+      stopSessionSecurity();
+      sessionSecurityRef.current = null;
+      clearToken();
+      setTokenState(null);
+      setUser(null);
+    }
+  };
+  return /* @__PURE__ */ import_react.default.createElement(AuthContext.Provider, { value }, children);
+}
+// react/useAuth.js
+var import_react2 = require("react");
+function useAuth() {
+  const context = (0, import_react2.useContext)(AuthContext);
+  if (!context) {
+    throw new Error("useAuth must be used within an AuthProvider");
+  }
+  return context;
+}
+// react/useSessionMonitor.js
+var import_react_query = require("@tanstack/react-query");
+var import_react3 = require("react");
+var useSessionMonitor = (options = {}) => {
+  var _a, _b;
+  const queryClient = (0, import_react_query.useQueryClient)();
+  const {
+    enabled = true,
+    refetchInterval = 2 * 60 * 1e3,
+    // 2 minutes (matching config default)
+    onSessionInvalid: onSessionInvalid2,
+    onError,
+    autoLogout = true,
+    validateOnMount = true
+  } = options;
+  const handleInvalid = (0, import_react3.useCallback)(() => {
+    console.log("\u{1F6A8} useSessionMonitor: Session invalid detected");
+    queryClient.clear();
+    if (autoLogout) {
+      auth.clearToken();
+      auth.clearRefreshToken();
+    }
+    if (onSessionInvalid2) {
+      onSessionInvalid2();
+    }
+  }, [queryClient, autoLogout, onSessionInvalid2]);
+  const query = (0, import_react_query.useQuery)({
+    queryKey: ["session-validation"],
+    queryFn: async () => {
+      try {
+        const token = auth.getToken();
+        if (!token) {
+          return { valid: false, reason: "no_token" };
+        }
+        console.log("\u{1F50D} useSessionMonitor: Validating session...");
+        const isValid = await auth.validateCurrentSession();
+        if (!isValid) {
+          console.log("\u274C useSessionMonitor: Session no longer valid");
+          handleInvalid();
+          return { valid: false, reason: "session_deleted" };
+        }
+        console.log("\u2705 useSessionMonitor: Session still valid");
+        return { valid: true };
+      } catch (error) {
+        console.error("\u26A0\uFE0F useSessionMonitor: Validation error:", error);
+        if (onError) {
+          onError(error);
+        }
+        throw error;
+      }
+    },
+    enabled: enabled && !!auth.getToken(),
+    refetchInterval,
+    refetchIntervalInBackground: true,
+    retry: 2,
+    retryDelay: 5e3,
+    staleTime: refetchInterval / 2
+    // Consider stale at half the interval
+  });
+  (0, import_react3.useEffect)(() => {
+    if (!enabled) return;
+    const handleVisibilityChange = () => {
+      if (document.visibilityState === "visible" && auth.getToken()) {
+        console.log("\u{1F441}\uFE0F useSessionMonitor: Tab visible - triggering validation");
+        queryClient.invalidateQueries({ queryKey: ["session-validation"] });
+      }
+    };
+    document.addEventListener("visibilitychange", handleVisibilityChange);
+    return () => {
+      document.removeEventListener("visibilitychange", handleVisibilityChange);
+    };
+  }, [enabled, queryClient]);
+  (0, import_react3.useEffect)(() => {
+    if (validateOnMount && enabled && auth.getToken()) {
+      queryClient.invalidateQueries({ queryKey: ["session-validation"] });
+    }
+  }, [validateOnMount, enabled, queryClient]);
+  return {
+    ...query,
+    isSessionValid: ((_a = query.data) == null ? void 0 : _a.valid) ?? true,
+    invalidationReason: (_b = query.data) == null ? void 0 : _b.reason,
+    manualValidate: () => queryClient.invalidateQueries({ queryKey: ["session-validation"] })
+  };
+};
+// index.js
+var auth = {
+  // 🔧 Config
+  setConfig,
+  getConfig,
+  isRouterMode,
+  // 🔐 Core flows
+  login,
+  logout,
+  handleCallback,
+  refreshToken,
+  resetCallbackState,
+  validateCurrentSession,
+  // 🔑 Token management
+  getToken,
+  setToken,
+  clearToken,
+  setRefreshToken,
+  // ✅ Refresh token for HTTP dev
+  getRefreshToken,
+  clearRefreshToken,
+  addTokenListener,
+  // ✅ Export new functions
+  removeTokenListener,
+  getListenerCount,
+  // ✅ Debug function
+  // 🌐 Authenticated API client
+  api: api_default,
+  // 🧪 Utilities
+  decodeToken,
+  isTokenExpired,
+  isAuthenticated,
+  // ⏱️ Token Expiry Utilities (NEW)
+  getTokenExpiryTime,
+  // Get token expiry as Date object
+  getTimeUntilExpiry,
+  // Get seconds until token expires
+  willExpireSoon,
+  // Check if token expires within N seconds
+  // 🔐 Session Security (NEW - Short-lived tokens + Periodic validation)
+  startProactiveRefresh,
+  // Start proactive token refresh before expiry
+  stopProactiveRefresh,
+  // Stop proactive refresh
+  startSessionMonitor,
+  // Start periodic session validation
+  stopSessionMonitor,
+  // Stop session validation
+  startSessionSecurity,
+  // Start both proactive refresh AND session monitoring
+  stopSessionSecurity,
+  // Stop all session security
+  onSessionInvalid,
+  // Register callback for session invalidation
+  // 🔄 Legacy auto-refresh (DEPRECATED - use startSessionSecurity instead)
+  startTokenRefresh: () => {
+    console.warn("\u26A0\uFE0F startTokenRefresh is deprecated. Use startSessionSecurity() instead for better session management.");
+    const interval = setInterval(async () => {
+      const token = getToken();
+      if (token && isTokenExpired(token, 300)) {
+        try {
+          await refreshToken();
+          console.log("\u{1F504} Auto-refresh successful");
+        } catch (err) {
+          console.error("Auto-refresh failed:", err);
+          clearInterval(interval);
+        }
+      }
+    }, 6e4);
+    return interval;
+  }
+};
+// Annotate the CommonJS export names for ESM import in node:
+0 && (module.exports = {
+  AuthProvider,
+  auth,
+  useAuth,
+  useSessionMonitor
+});
+//# sourceMappingURL=index.cjs.map