@startsimpli/auth 0.1.0 → 0.1.3

package/dist/client/index.js

@@ -0,0 +1,858 @@
+'use strict';
+
+var react = require('react');
+var jsxRuntime = require('react/jsx-runtime');
+
+// src/utils/token.ts
+function decodeToken(token) {
+  try {
+    const parts = token.split(".");
+    if (parts.length !== 3) {
+      return null;
+    }
+    const payload = parts[1];
+    const decoded = JSON.parse(atob(payload));
+    return decoded;
+  } catch (error) {
+    console.error("Failed to decode token:", error);
+    return null;
+  }
+}
+function isTokenExpired(token) {
+  const payload = decodeToken(token);
+  if (!payload) {
+    return true;
+  }
+  const now = Math.floor(Date.now() / 1e3);
+  return payload.exp <= now;
+}
+function getTokenExpiresAt(token) {
+  const payload = decodeToken(token);
+  if (!payload) {
+    return null;
+  }
+  return payload.exp * 1e3;
+}
+function shouldRefreshToken(token) {
+  const expiresAt = getTokenExpiresAt(token);
+  if (!expiresAt) {
+    return true;
+  }
+  const now = Date.now();
+  const timeUntilExpiry = expiresAt - now;
+  const FIVE_MINUTES = 5 * 60 * 1e3;
+  return timeUntilExpiry < FIVE_MINUTES;
+}
+
+// src/utils/cookies.ts
+function getCookie(name) {
+  if (typeof document === "undefined") {
+    return null;
+  }
+  const value = `; ${document.cookie}`;
+  const parts = value.split(`; ${name}=`);
+  if (parts.length === 2) {
+    return parts.pop()?.split(";").shift() || null;
+  }
+  return null;
+}
+function getCsrfToken() {
+  return getCookie("csrftoken");
+}
+
+// src/client/auth-client.ts
+var AuthClient = class {
+  constructor(config) {
+    this.session = null;
+    this.refreshTimer = null;
+    this.isRefreshing = false;
+    this.refreshPromise = null;
+    this.config = {
+      tokenRefreshInterval: 4 * 60 * 1e3,
+      // 4 minutes
+      onSessionExpired: () => {
+      },
+      onUnauthorized: () => {
+      },
+      ...config
+    };
+  }
+  /**
+   * Login with email and password
+   */
+  async login(email, password) {
+    const response = await fetch(`${this.config.apiBaseUrl}/api/v1/auth/token/`, {
+      method: "POST",
+      headers: { "Content-Type": "application/json" },
+      credentials: "include",
+      // Include cookies for refresh token
+      body: JSON.stringify({ email, password })
+    });
+    if (!response.ok) {
+      const error = await response.json().catch(() => ({ detail: "Login failed" }));
+      throw new Error(error.detail || "Login failed");
+    }
+    const data = await response.json();
+    const expiresAt = getTokenExpiresAt(data.access);
+    if (!expiresAt) {
+      throw new Error("Invalid token received");
+    }
+    const tempSession = {
+      user: data.user || { id: "", email: "", firstName: "", lastName: "", isEmailVerified: false, createdAt: "", updatedAt: "" },
+      accessToken: data.access,
+      expiresAt
+    };
+    this.session = tempSession;
+    if (!data.user) {
+      try {
+        const user = await this.getCurrentUser();
+        this.session.user = user;
+      } catch (error) {
+        console.error("Failed to fetch user data after login:", error);
+      }
+    }
+    this.startRefreshTimer();
+    return this.session;
+  }
+  /**
+   * Logout and clear session
+   */
+  async logout() {
+    try {
+      await fetch(`${this.config.apiBaseUrl}/api/v1/auth/logout/`, {
+        method: "POST",
+        headers: this.getAuthHeaders(),
+        credentials: "include"
+      });
+    } catch (error) {
+      console.error("Logout error:", error);
+    } finally {
+      this.clearSession();
+    }
+  }
+  /**
+   * Refresh access token using refresh token cookie
+   */
+  async refreshToken() {
+    if (this.isRefreshing && this.refreshPromise) {
+      return this.refreshPromise;
+    }
+    this.isRefreshing = true;
+    this.refreshPromise = this.performTokenRefresh();
+    try {
+      const newToken = await this.refreshPromise;
+      return newToken;
+    } finally {
+      this.isRefreshing = false;
+      this.refreshPromise = null;
+    }
+  }
+  async performTokenRefresh() {
+    const response = await fetch(`${this.config.apiBaseUrl}/api/v1/auth/token/refresh/`, {
+      method: "POST",
+      headers: { "Content-Type": "application/json" },
+      credentials: "include"
+      // Send refresh token cookie
+    });
+    if (!response.ok) {
+      this.clearSession();
+      this.config.onSessionExpired();
+      throw new Error("Token refresh failed");
+    }
+    const data = await response.json();
+    const expiresAt = getTokenExpiresAt(data.access);
+    if (!expiresAt) {
+      throw new Error("Invalid token received");
+    }
+    if (this.session) {
+      this.session.accessToken = data.access;
+      this.session.expiresAt = expiresAt;
+    }
+    this.startRefreshTimer();
+    return data.access;
+  }
+  /**
+   * Get current user data from backend
+   */
+  async getCurrentUser() {
+    const response = await fetch(`${this.config.apiBaseUrl}/api/v1/auth/me/`, {
+      headers: this.getAuthHeaders(),
+      credentials: "include"
+    });
+    if (!response.ok) {
+      if (response.status === 401) {
+        this.config.onUnauthorized();
+      }
+      throw new Error("Failed to fetch user data");
+    }
+    const data = await response.json();
+    const raw = data.user || data;
+    const user = {
+      id: raw.id,
+      email: raw.email,
+      firstName: raw.first_name || raw.firstName || "",
+      lastName: raw.last_name || raw.lastName || "",
+      isEmailVerified: raw.is_email_verified ?? raw.isEmailVerified ?? false,
+      createdAt: raw.created_at || raw.createdAt || "",
+      updatedAt: raw.updated_at || raw.updatedAt || ""
+    };
+    if (this.session) {
+      this.session.user = user;
+    }
+    return user;
+  }
+  /**
+   * Get current session
+   */
+  getSession() {
+    if (!this.session) {
+      return null;
+    }
+    if (isTokenExpired(this.session.accessToken)) {
+      this.clearSession();
+      this.config.onSessionExpired();
+      return null;
+    }
+    return this.session;
+  }
+  /**
+   * Set session (for SSR/hydration)
+   */
+  setSession(session) {
+    this.session = session;
+    this.startRefreshTimer();
+  }
+  /**
+   * Get auth headers for API requests
+   */
+  getAuthHeaders() {
+    const session = this.getSession();
+    if (!session) {
+      return {};
+    }
+    return {
+      Authorization: `Bearer ${session.accessToken}`
+    };
+  }
+  /**
+   * Get valid access token (refreshes if needed)
+   */
+  async getAccessToken() {
+    const session = this.getSession();
+    if (!session) {
+      return null;
+    }
+    if (shouldRefreshToken(session.accessToken)) {
+      try {
+        return await this.refreshToken();
+      } catch (error) {
+        console.error("Token refresh failed:", error);
+        return null;
+      }
+    }
+    return session.accessToken;
+  }
+  /**
+   * Start automatic token refresh timer
+   */
+  startRefreshTimer() {
+    if (this.refreshTimer) {
+      clearInterval(this.refreshTimer);
+    }
+    this.refreshTimer = setInterval(() => {
+      const session = this.getSession();
+      if (session && shouldRefreshToken(session.accessToken)) {
+        this.refreshToken().catch((error) => {
+          console.error("Auto-refresh failed:", error);
+        });
+      }
+    }, this.config.tokenRefreshInterval);
+  }
+  /**
+   * Clear session and stop refresh timer
+   */
+  clearSession() {
+    this.session = null;
+    if (this.refreshTimer) {
+      clearInterval(this.refreshTimer);
+      this.refreshTimer = null;
+    }
+  }
+  /**
+   * Cleanup resources
+   */
+  destroy() {
+    this.clearSession();
+  }
+};
+var AuthContext = react.createContext(void 0);
+function AuthProvider({
+  children,
+  config,
+  initialSession
+}) {
+  const [authClient] = react.useState(() => new AuthClient(config));
+  const [state, setState] = react.useState(() => ({
+    session: initialSession || null,
+    isLoading: !initialSession,
+    isAuthenticated: !!initialSession
+  }));
+  react.useEffect(() => {
+    if (initialSession) {
+      authClient.setSession(initialSession);
+      setState({
+        session: initialSession,
+        isLoading: false,
+        isAuthenticated: true
+      });
+    } else {
+      const session = authClient.getSession();
+      setState({
+        session,
+        isLoading: false,
+        isAuthenticated: !!session
+      });
+    }
+  }, [authClient, initialSession]);
+  react.useEffect(() => {
+    const originalOnExpired = config.onSessionExpired;
+    config.onSessionExpired = () => {
+      setState({
+        session: null,
+        isLoading: false,
+        isAuthenticated: false
+      });
+      originalOnExpired?.();
+    };
+    return () => {
+      authClient.destroy();
+    };
+  }, [authClient, config]);
+  const login = react.useCallback(
+    async (email, password) => {
+      setState((prev) => ({ ...prev, isLoading: true }));
+      try {
+        const session = await authClient.login(email, password);
+        setState({
+          session,
+          isLoading: false,
+          isAuthenticated: true
+        });
+      } catch (error) {
+        setState((prev) => ({ ...prev, isLoading: false }));
+        throw error;
+      }
+    },
+    [authClient]
+  );
+  const logout = react.useCallback(async () => {
+    setState((prev) => ({ ...prev, isLoading: true }));
+    try {
+      await authClient.logout();
+    } finally {
+      setState({
+        session: null,
+        isLoading: false,
+        isAuthenticated: false
+      });
+    }
+  }, [authClient]);
+  const refreshUser = react.useCallback(async () => {
+    try {
+      const user = await authClient.getCurrentUser();
+      setState((prev) => ({
+        ...prev,
+        session: prev.session ? { ...prev.session, user } : null
+      }));
+    } catch (error) {
+      console.error("Failed to refresh user:", error);
+    }
+  }, [authClient]);
+  const getAccessToken2 = react.useCallback(async () => {
+    return authClient.getAccessToken();
+  }, [authClient]);
+  const value = {
+    ...state,
+    login,
+    logout,
+    refreshUser,
+    getAccessToken: getAccessToken2
+  };
+  return /* @__PURE__ */ jsxRuntime.jsx(AuthContext.Provider, { value, children });
+}
+function useAuthContext() {
+  const context = react.useContext(AuthContext);
+  if (!context) {
+    throw new Error("useAuthContext must be used within AuthProvider");
+  }
+  return context;
+}
+
+// src/client/use-auth.ts
+function useAuth() {
+  const {
+    session,
+    isLoading,
+    isAuthenticated,
+    login,
+    logout,
+    refreshUser,
+    getAccessToken: getAccessToken2
+  } = useAuthContext();
+  return {
+    user: session?.user || null,
+    session,
+    isLoading,
+    isAuthenticated,
+    login,
+    logout,
+    refreshUser,
+    getAccessToken: getAccessToken2
+  };
+}
+
+// src/types/index.ts
+var ROLE_HIERARCHY = {
+  owner: 4,
+  admin: 3,
+  member: 2,
+  viewer: 1
+};
+function hasRolePermission(userRole, requiredRole) {
+  return ROLE_HIERARCHY[userRole] >= ROLE_HIERARCHY[requiredRole];
+}
+
+// src/client/use-permissions.ts
+function usePermissions() {
+  const { user } = useAuth();
+  const currentCompanyId = user?.currentCompanyId || null;
+  const currentCompany = react.useMemo(() => {
+    if (!user?.companies || !currentCompanyId) {
+      return null;
+    }
+    return user.companies.find((c) => c.id === currentCompanyId);
+  }, [user, currentCompanyId]);
+  const currentRole = currentCompany?.role || null;
+  const hasRole = (requiredRole, companyId) => {
+    if (!user?.companies) {
+      return false;
+    }
+    const targetCompanyId = companyId || currentCompanyId;
+    if (!targetCompanyId) {
+      return false;
+    }
+    const company = user.companies.find((c) => c.id === targetCompanyId);
+    if (!company) {
+      return false;
+    }
+    return hasRolePermission(company.role, requiredRole);
+  };
+  const isOwner = (companyId) => {
+    return hasRole("owner", companyId);
+  };
+  const isAdmin = (companyId) => {
+    return hasRole("admin", companyId);
+  };
+  const canEdit = (companyId) => {
+    return hasRole("member", companyId);
+  };
+  const canView = (companyId) => {
+    return hasRole("viewer", companyId);
+  };
+  return {
+    hasRole,
+    isOwner,
+    isAdmin,
+    canEdit,
+    canView,
+    currentRole,
+    currentCompanyId
+  };
+}
+
+// src/client/functions.ts
+var API_BASE = "/api/v1";
+var AUTH_PATHS = {
+  TOKEN: `${API_BASE}/auth/token/`,
+  TOKEN_REFRESH: `${API_BASE}/auth/token/refresh/`,
+  REGISTER: `${API_BASE}/auth/register/`,
+  LOGOUT: `${API_BASE}/auth/logout/`,
+  FORGOT_PASSWORD: `${API_BASE}/auth/forgot-password/`,
+  RESET_PASSWORD: `${API_BASE}/auth/reset-password/`,
+  VERIFY_EMAIL: `${API_BASE}/auth/verify-email/`,
+  RESEND_VERIFICATION: `${API_BASE}/auth/resend-verification/`,
+  OAUTH_GOOGLE_INITIATE: `${API_BASE}/auth/oauth/google/initiate/`,
+  OAUTH_GOOGLE_CALLBACK: `${API_BASE}/auth/oauth/google/callback/`,
+  ME: `${API_BASE}/auth/me/`
+};
+var AUTH_BASE_URL = typeof process !== "undefined" && (process.env.NEXT_PUBLIC_API_URL || process.env.NEXT_PUBLIC_API_BASE_URL) || "";
+var AUTH_BASE_IS_ABSOLUTE = /^https?:\/\//i.test(AUTH_BASE_URL);
+function isAbsoluteUrl(url) {
+  return /^https?:\/\//i.test(url);
+}
+function resolveAuthUrl(path) {
+  if (isAbsoluteUrl(path)) return path;
+  const normalized = path.startsWith("/") ? path : `/${path}`;
+  if (AUTH_BASE_IS_ABSOLUTE) {
+    return new URL(normalized, AUTH_BASE_URL).toString();
+  }
+  if (normalized.startsWith("/api/")) return normalized;
+  if (!AUTH_BASE_URL) return normalized;
+  if (AUTH_BASE_URL.endsWith("/") && normalized.startsWith("/")) {
+    return `${AUTH_BASE_URL.slice(0, -1)}${normalized}`;
+  }
+  return `${AUTH_BASE_URL}${normalized}`;
+}
+var TOKEN_STORAGE_KEY = "auth_access_token";
+var _memToken = null;
+function _sessionStorageAvailable() {
+  try {
+    return typeof window !== "undefined" && !!window.sessionStorage;
+  } catch {
+    return false;
+  }
+}
+function getAccessToken() {
+  if (_sessionStorageAvailable()) {
+    return sessionStorage.getItem(TOKEN_STORAGE_KEY);
+  }
+  return _memToken;
+}
+function setAccessToken(token) {
+  if (_sessionStorageAvailable()) {
+    if (token === null) {
+      sessionStorage.removeItem(TOKEN_STORAGE_KEY);
+    } else {
+      sessionStorage.setItem(TOKEN_STORAGE_KEY, token);
+    }
+    return;
+  }
+  _memToken = token;
+}
+var AUTH_TIMEOUT_MS = 15e3;
+function extractApiError(d, fallback) {
+  if (typeof d.detail === "string") return d.detail;
+  for (const val of Object.values(d)) {
+    if (typeof val === "string") return val;
+    if (Array.isArray(val) && val.length > 0 && typeof val[0] === "string") return val[0];
+  }
+  return fallback;
+}
+function fetchWithTimeout(url, options) {
+  const controller = new AbortController();
+  const timer = setTimeout(() => controller.abort(), AUTH_TIMEOUT_MS);
+  return fetch(url, { ...options, signal: controller.signal }).finally(
+    () => clearTimeout(timer)
+  );
+}
+function normalizeUser(raw) {
+  if (!raw || typeof raw !== "object") return null;
+  const obj = raw;
+  const payload = obj.user && typeof obj.user === "object" ? obj.user : obj;
+  if (!payload?.id || !payload?.email) return null;
+  const firstName = payload.first_name ?? payload.firstName ?? null;
+  const lastName = payload.last_name ?? payload.lastName ?? null;
+  const name = payload.name ?? ([firstName, lastName].filter(Boolean).join(" ") || null);
+  return {
+    id: payload.id,
+    email: payload.email,
+    name,
+    firstName,
+    lastName,
+    groups: Array.isArray(payload.groups) ? payload.groups : [],
+    permissions: Array.isArray(payload.permissions) ? payload.permissions : [],
+    isActive: payload.isActive ?? payload.is_active,
+    isEmailVerified: payload.isEmailVerified ?? payload.is_email_verified
+  };
+}
+function parseAuthResponse(data) {
+  if (!data || typeof data !== "object") return {};
+  const obj = data;
+  const payload = obj.data && typeof obj.data === "object" ? obj.data : obj;
+  const access = payload.access || payload.access_token || payload.token;
+  const userRaw = payload.user || payload.me || payload.profile || payload;
+  const user = normalizeUser(userRaw);
+  return { access, user: user ?? void 0 };
+}
+async function signInWithCredentials(email, password) {
+  const response = await fetchWithTimeout(resolveAuthUrl(AUTH_PATHS.TOKEN), {
+    method: "POST",
+    headers: { "Content-Type": "application/json" },
+    credentials: "include",
+    body: JSON.stringify({ email, password })
+  });
+  const data = await response.json().catch(() => ({}));
+  if (!response.ok) {
+    const d = data;
+    if (d?.error === "ACCOUNT_LOCKED" && d?.locked_until) {
+      throw new Error(`Account locked until ${new Date(d.locked_until).toLocaleTimeString()}`);
+    }
+    const message = d?.detail || d?.error || "Authentication failed";
+    throw new Error(message);
+  }
+  const parsed = parseAuthResponse(data);
+  if (parsed.access) {
+    setAccessToken(parsed.access);
+  }
+  return parsed;
+}
+async function registerAccount(payload) {
+  const rawName = payload.name?.trim() || "";
+  const [firstFromName, ...rest] = rawName ? rawName.split(/\s+/) : [];
+  const lastFromName = rest.length ? rest.join(" ") : void 0;
+  const response = await fetchWithTimeout(resolveAuthUrl(AUTH_PATHS.REGISTER), {
+    method: "POST",
+    headers: { "Content-Type": "application/json" },
+    credentials: "include",
+    body: JSON.stringify({
+      email: payload.email,
+      password: payload.password,
+      password_confirm: payload.passwordConfirm,
+      first_name: payload.firstName ?? firstFromName ?? void 0,
+      last_name: payload.lastName ?? lastFromName ?? void 0
+    })
+  });
+  const data = await response.json().catch(() => ({}));
+  if (!response.ok) {
+    throw new Error(extractApiError(data, "Registration failed"));
+  }
+  const parsed = parseAuthResponse(data);
+  if (parsed.access) {
+    setAccessToken(parsed.access);
+  }
+  return parsed;
+}
+async function requestPasswordReset(email) {
+  const response = await fetch(resolveAuthUrl(AUTH_PATHS.FORGOT_PASSWORD), {
+    method: "POST",
+    headers: { "Content-Type": "application/json" },
+    body: JSON.stringify({ email })
+  });
+  if (!response.ok) {
+    const data = await response.json().catch(() => ({}));
+    const d = data;
+    const message = d?.detail || d?.error || "Failed to send reset link";
+    throw new Error(message);
+  }
+}
+async function resetPassword(payload) {
+  const response = await fetchWithTimeout(resolveAuthUrl(AUTH_PATHS.RESET_PASSWORD), {
+    method: "POST",
+    headers: { "Content-Type": "application/json" },
+    body: JSON.stringify({
+      token: payload.token,
+      password: payload.password,
+      password_confirm: payload.passwordConfirm,
+      ...payload.email ? { email: payload.email } : {}
+    })
+  });
+  if (!response.ok) {
+    const data = await response.json().catch(() => ({}));
+    const d = data;
+    const message = d?.detail || d?.error || "Failed to reset password";
+    throw new Error(message);
+  }
+}
+async function verifyEmail(token) {
+  const response = await fetchWithTimeout(resolveAuthUrl(AUTH_PATHS.VERIFY_EMAIL), {
+    method: "POST",
+    headers: { "Content-Type": "application/json" },
+    body: JSON.stringify({ token })
+  });
+  if (!response.ok) {
+    const data = await response.json().catch(() => ({}));
+    const d = data;
+    const message = d?.detail || d?.error || "Failed to verify email";
+    throw new Error(message);
+  }
+}
+async function resendVerification(access) {
+  const response = await fetch(resolveAuthUrl(AUTH_PATHS.RESEND_VERIFICATION), {
+    method: "POST",
+    headers: {
+      "Content-Type": "application/json",
+      ...access ? { Authorization: `Bearer ${access}` } : {}
+    },
+    credentials: "include"
+  });
+  if (!response.ok) {
+    const data = await response.json().catch(() => ({}));
+    const d = data;
+    const message = d?.detail || d?.error || "Failed to resend verification email";
+    throw new Error(message);
+  }
+}
+async function initiateGoogleOAuth(redirectUri) {
+  const response = await fetch(resolveAuthUrl(AUTH_PATHS.OAUTH_GOOGLE_INITIATE), {
+    method: "POST",
+    headers: { "Content-Type": "application/json" },
+    credentials: "include",
+    body: JSON.stringify({ redirect_uri: redirectUri })
+  });
+  const data = await response.json().catch(() => ({}));
+  if (!response.ok) {
+    const d = data;
+    const message = d?.detail || d?.error || "Failed to initiate Google OAuth";
+    throw new Error(message);
+  }
+  return data;
+}
+async function completeGoogleOAuth(code, state) {
+  const response = await fetchWithTimeout(
+    resolveAuthUrl(
+      `${AUTH_PATHS.OAUTH_GOOGLE_CALLBACK}?code=${encodeURIComponent(code)}&state=${encodeURIComponent(state)}`
+    ),
+    { credentials: "include" }
+  );
+  const data = await response.json().catch(() => ({}));
+  if (!response.ok) {
+    const d = data;
+    const message = d?.detail || d?.error || "OAuth authentication failed";
+    throw new Error(message);
+  }
+  const parsed = parseAuthResponse(data);
+  if (parsed.access) {
+    setAccessToken(parsed.access);
+  }
+  return parsed;
+}
+async function fetchCsrfToken() {
+  if (getCsrfToken()) return;
+  try {
+    await fetch(resolveAuthUrl(`${API_BASE}/auth/csrf/`), {
+      credentials: "include",
+      cache: "no-store"
+    });
+  } catch (err) {
+    console.warn("[auth] CSRF token fetch failed \u2014 token refresh will fail:", err);
+  }
+}
+async function refreshAccessToken() {
+  await fetchCsrfToken();
+  const csrfToken = getCsrfToken();
+  if (!csrfToken) return null;
+  const response = await fetchWithTimeout(resolveAuthUrl(AUTH_PATHS.TOKEN_REFRESH), {
+    method: "POST",
+    headers: {
+      "Content-Type": "application/json",
+      "X-CSRFToken": csrfToken
+    },
+    credentials: "include"
+  });
+  const data = await response.json().catch(() => ({}));
+  if (!response.ok) {
+    return null;
+  }
+  const parsed = parseAuthResponse(data);
+  if (parsed.access) {
+    setAccessToken(parsed.access);
+    return parsed.access;
+  }
+  return null;
+}
+async function getMe() {
+  const token = getAccessToken();
+  if (!token) return null;
+  const response = await fetch(resolveAuthUrl(AUTH_PATHS.ME), {
+    headers: {
+      Authorization: `Bearer ${token}`
+    },
+    credentials: "include",
+    cache: "no-store"
+  });
+  if (!response.ok) {
+    return null;
+  }
+  const data = await response.json().catch(() => ({}));
+  const obj = data;
+  const payload = obj.data && typeof obj.data === "object" ? obj.data : obj;
+  const userRaw = payload.user || payload;
+  return normalizeUser(userRaw);
+}
+async function signOut() {
+  const csrfToken = getCsrfToken();
+  const token = getAccessToken();
+  try {
+    await fetch(resolveAuthUrl(AUTH_PATHS.LOGOUT), {
+      method: "POST",
+      headers: {
+        "Content-Type": "application/json",
+        ...csrfToken ? { "X-CSRFToken": csrfToken } : {},
+        ...token ? { Authorization: `Bearer ${token}` } : {}
+      },
+      credentials: "include"
+    });
+  } finally {
+    setAccessToken(null);
+  }
+}
+var _refreshPromise = null;
+function _refreshOnce() {
+  if (!_refreshPromise) {
+    _refreshPromise = refreshAccessToken().finally(() => {
+      _refreshPromise = null;
+    });
+  }
+  return _refreshPromise;
+}
+async function authFetch(input, init = {}) {
+  const token = getAccessToken();
+  const headers = new Headers(init.headers || {});
+  if (token && !headers.has("Authorization")) {
+    headers.set("Authorization", `Bearer ${token}`);
+  }
+  const resolvedInput = typeof input === "string" ? resolveAuthUrl(input) : input;
+  const response = await fetch(resolvedInput, {
+    ...init,
+    headers,
+    credentials: init.credentials ?? "include"
+  });
+  if (response.status === 401) {
+    const refreshed = await _refreshOnce();
+    if (refreshed) {
+      const retryHeaders = new Headers(init.headers || {});
+      retryHeaders.set("Authorization", `Bearer ${refreshed}`);
+      return fetch(resolvedInput, {
+        ...init,
+        headers: retryHeaders,
+        credentials: init.credentials ?? "include"
+      });
+    }
+  }
+  return response;
+}
+function hasPermission(user, permission) {
+  if (!user) return false;
+  if (!user.permissions || user.permissions.length === 0) return false;
+  return user.permissions.includes(permission);
+}
+function hasGroup(user, group) {
+  if (!user) return false;
+  if (!user.groups || user.groups.length === 0) return false;
+  return user.groups.includes(group);
+}
+
+exports.AuthClient = AuthClient;
+exports.AuthProvider = AuthProvider;
+exports.authFetch = authFetch;
+exports.completeGoogleOAuth = completeGoogleOAuth;
+exports.getAccessToken = getAccessToken;
+exports.getMe = getMe;
+exports.hasGroup = hasGroup;
+exports.hasPermission = hasPermission;
+exports.initiateGoogleOAuth = initiateGoogleOAuth;
+exports.refreshAccessToken = refreshAccessToken;
+exports.registerAccount = registerAccount;
+exports.requestPasswordReset = requestPasswordReset;
+exports.resendVerification = resendVerification;
+exports.resetPassword = resetPassword;
+exports.resolveAuthUrl = resolveAuthUrl;
+exports.setAccessToken = setAccessToken;
+exports.signInWithCredentials = signInWithCredentials;
+exports.signOut = signOut;
+exports.useAuth = useAuth;
+exports.useAuthContext = useAuthContext;
+exports.usePermissions = usePermissions;
+exports.verifyEmail = verifyEmail;
+//# sourceMappingURL=index.js.map
+//# sourceMappingURL=index.js.map