@superbuilders/primer-tives 3.5.1 → 3.7.0

package/dist/client/auth/provider.d.ts

@@ -8,7 +8,22 @@ type AccessTokenResolverOptions = {
     readonly hostedAuth?: HostedAuthOptions;
     readonly logger: PrimerLogger;
 };
-declare function resolveRuntimeAccessToken(options: AccessTokenResolverOptions): Promise<ResolvedAccessToken>;
-export { resolveRuntimeAccessToken };
-export type { AccessTokenResolverOptions };
+type ResolvedAccessTokenResult = {
+    readonly kind: "resolved";
+    readonly accessToken: ResolvedAccessToken;
+};
+type UnauthenticatedAccessTokenResult = {
+    readonly kind: "unauthenticated";
+    readonly error: Error | null;
+};
+type FatalAccessTokenResult = {
+    readonly kind: "fatal";
+    readonly error: Error;
+};
+type ExistingAccessTokenResult = ResolvedAccessTokenResult | UnauthenticatedAccessTokenResult | FatalAccessTokenResult;
+type HostedLoginResult = ResolvedAccessTokenResult | UnauthenticatedAccessTokenResult;
+declare function resolveExistingAccessToken(options: AccessTokenResolverOptions): ExistingAccessTokenResult;
+declare function beginHostedLogin(options: AccessTokenResolverOptions): Promise<HostedLoginResult>;
+export { beginHostedLogin, resolveExistingAccessToken };
+export type { AccessTokenResolverOptions, ExistingAccessTokenResult, HostedLoginResult };
 //# sourceMappingURL=provider.d.ts.map

package/dist/client/auth/provider.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"provider.d.ts","sourceRoot":"","sources":["../../../src/client/auth/provider.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,oCAAoC,CAAA;AACtE,OAAO,EAKN,KAAK,iBAAiB,EACtB,MAAM,iDAAiD,CAAA;AAMxD,OAAO,EAEN,KAAK,mBAAmB,EACxB,MAAM,sDAAsD,CAAA;AAS7D,KAAK,0BAA0B,GAAG;IACjC,QAAQ,CAAC,MAAM,EAAE,MAAM,CAAA;IACvB,QAAQ,CAAC,cAAc,EAAE,MAAM,CAAA;IAC/B,QAAQ,CAAC,WAAW,CAAC,EAAE,MAAM,CAAA;IAC7B,QAAQ,CAAC,UAAU,CAAC,EAAE,iBAAiB,CAAA;IACvC,QAAQ,CAAC,MAAM,EAAE,YAAY,CAAA;CAC7B,CAAA;AAqCD,iBAAe,yBAAyB,CACvC,OAAO,EAAE,0BAA0B,GACjC,OAAO,CAAC,mBAAmB,CAAC,CAK9B;AAED,OAAO,EAAE,yBAAyB,EAAE,CAAA;AACpC,YAAY,EAAE,0BAA0B,EAAE,CAAA"}
+{"version":3,"file":"provider.d.ts","sourceRoot":"","sources":["../../../src/client/auth/provider.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,oCAAoC,CAAA;AACtE,OAAO,EAIN,KAAK,iBAAiB,EACtB,MAAM,iDAAiD,CAAA;AAExD,OAAO,EAEN,KAAK,mBAAmB,EACxB,MAAM,sDAAsD,CAAA;AAS7D,KAAK,0BAA0B,GAAG;IACjC,QAAQ,CAAC,MAAM,EAAE,MAAM,CAAA;IACvB,QAAQ,CAAC,cAAc,EAAE,MAAM,CAAA;IAC/B,QAAQ,CAAC,WAAW,CAAC,EAAE,MAAM,CAAA;IAC7B,QAAQ,CAAC,UAAU,CAAC,EAAE,iBAAiB,CAAA;IACvC,QAAQ,CAAC,MAAM,EAAE,YAAY,CAAA;CAC7B,CAAA;AAED,KAAK,yBAAyB,GAAG;IAChC,QAAQ,CAAC,IAAI,EAAE,UAAU,CAAA;IACzB,QAAQ,CAAC,WAAW,EAAE,mBAAmB,CAAA;CACzC,CAAA;AAED,KAAK,gCAAgC,GAAG;IACvC,QAAQ,CAAC,IAAI,EAAE,iBAAiB,CAAA;IAChC,QAAQ,CAAC,KAAK,EAAE,KAAK,GAAG,IAAI,CAAA;CAC5B,CAAA;AAED,KAAK,sBAAsB,GAAG;IAC7B,QAAQ,CAAC,IAAI,EAAE,OAAO,CAAA;IACtB,QAAQ,CAAC,KAAK,EAAE,KAAK,CAAA;CACrB,CAAA;AAED,KAAK,yBAAyB,GAC3B,yBAAyB,GACzB,gCAAgC,GAChC,sBAAsB,CAAA;AAEzB,KAAK,iBAAiB,GAAG,yBAAyB,GAAG,gCAAgC,CAAA;AA4DrF,iBAAS,0BAA0B,CAClC,OAAO,EAAE,0BAA0B,GACjC,yBAAyB,CAe3B;AAED,iBAAe,gBAAgB,CAAC,OAAO,EAAE,0BAA0B,GAAG,OAAO,CAAC,iBAAiB,CAAC,CAqC/F;AAED,OAAO,EAAE,gBAAgB,EAAE,0BAA0B,EAAE,CAAA;AACvD,YAAY,EAAE,0BAA0B,EAAE,yBAAyB,EAAE,iBAAiB,EAAE,CAAA"}

package/dist/client/auth/storage.d.ts

@@ -2,8 +2,9 @@ declare function accessTokenStorageKey(publishableKey: string): string;
 declare function authStateStorageKey(publishableKey: string): string;
 declare function loadStoredAccessToken(storage: Storage, publishableKey: string): string | null;
 declare function storeAccessToken(storage: Storage, publishableKey: string, accessToken: string): void;
+declare function clearStoredAccessToken(storage: Storage, publishableKey: string): void;
 declare function loadAuthState(storage: Storage, publishableKey: string): string | null;
 declare function storeAuthState(storage: Storage, publishableKey: string, state: string): void;
 declare function clearAuthState(storage: Storage, publishableKey: string): void;
-export { accessTokenStorageKey, authStateStorageKey, clearAuthState, loadAuthState, loadStoredAccessToken, storeAccessToken, storeAuthState };
+export { accessTokenStorageKey, authStateStorageKey, clearAuthState, clearStoredAccessToken, loadAuthState, loadStoredAccessToken, storeAccessToken, storeAuthState };
 //# sourceMappingURL=storage.d.ts.map

package/dist/client/auth/storage.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"storage.d.ts","sourceRoot":"","sources":["../../../src/client/auth/storage.ts"],"names":[],"mappings":"AAGA,iBAAS,qBAAqB,CAAC,cAAc,EAAE,MAAM,GAAG,MAAM,CAE7D;AAED,iBAAS,mBAAmB,CAAC,cAAc,EAAE,MAAM,GAAG,MAAM,CAE3D;AAED,iBAAS,qBAAqB,CAAC,OAAO,EAAE,OAAO,EAAE,cAAc,EAAE,MAAM,GAAG,MAAM,GAAG,IAAI,CAMtF;AAED,iBAAS,gBAAgB,CAAC,OAAO,EAAE,OAAO,EAAE,cAAc,EAAE,MAAM,EAAE,WAAW,EAAE,MAAM,GAAG,IAAI,CAE7F;AAED,iBAAS,aAAa,CAAC,OAAO,EAAE,OAAO,EAAE,cAAc,EAAE,MAAM,GAAG,MAAM,GAAG,IAAI,CAM9E;AAED,iBAAS,cAAc,CAAC,OAAO,EAAE,OAAO,EAAE,cAAc,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,GAAG,IAAI,CAErF;AAED,iBAAS,cAAc,CAAC,OAAO,EAAE,OAAO,EAAE,cAAc,EAAE,MAAM,GAAG,IAAI,CAEtE;AAED,OAAO,EACN,qBAAqB,EACrB,mBAAmB,EACnB,cAAc,EACd,aAAa,EACb,qBAAqB,EACrB,gBAAgB,EAChB,cAAc,EACd,CAAA"}
+{"version":3,"file":"storage.d.ts","sourceRoot":"","sources":["../../../src/client/auth/storage.ts"],"names":[],"mappings":"AAGA,iBAAS,qBAAqB,CAAC,cAAc,EAAE,MAAM,GAAG,MAAM,CAE7D;AAED,iBAAS,mBAAmB,CAAC,cAAc,EAAE,MAAM,GAAG,MAAM,CAE3D;AAED,iBAAS,qBAAqB,CAAC,OAAO,EAAE,OAAO,EAAE,cAAc,EAAE,MAAM,GAAG,MAAM,GAAG,IAAI,CAMtF;AAED,iBAAS,gBAAgB,CAAC,OAAO,EAAE,OAAO,EAAE,cAAc,EAAE,MAAM,EAAE,WAAW,EAAE,MAAM,GAAG,IAAI,CAE7F;AAED,iBAAS,sBAAsB,CAAC,OAAO,EAAE,OAAO,EAAE,cAAc,EAAE,MAAM,GAAG,IAAI,CAE9E;AAED,iBAAS,aAAa,CAAC,OAAO,EAAE,OAAO,EAAE,cAAc,EAAE,MAAM,GAAG,MAAM,GAAG,IAAI,CAM9E;AAED,iBAAS,cAAc,CAAC,OAAO,EAAE,OAAO,EAAE,cAAc,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,GAAG,IAAI,CAErF;AAED,iBAAS,cAAc,CAAC,OAAO,EAAE,OAAO,EAAE,cAAc,EAAE,MAAM,GAAG,IAAI,CAEtE;AAED,OAAO,EACN,qBAAqB,EACrB,mBAAmB,EACnB,cAAc,EACd,sBAAsB,EACtB,aAAa,EACb,qBAAqB,EACrB,gBAAgB,EAChB,cAAc,EACd,CAAA"}

package/dist/client/index.d.ts

@@ -1,4 +1,4 @@
-export { create } from "./create";
-export type { PrimerOptions } from "./create";
-export type { ChoiceState, CompletedState, ErroredState, ExtendedTextMultipleState, ExtendedTextSingleState, ExtendedTextState, FatalState, FeedbackState, InteractionState, MatchState, NonSerializable, ObservationState, OrderState, PciInteractionState, PciPendingRenderProps, PciRenderProps, PciSubmittedRenderProps, PrimerState, TextEntryState } from "./types";
+export { start } from "./start";
+export type { PrimerOptions } from "./start";
+export type { ChoiceState, CompletedState, ErroredState, ExtendedTextMultipleState, ExtendedTextSingleState, ExtendedTextState, FatalState, FeedbackState, InteractionState, MatchState, NonSerializable, ObservationState, OrderState, PciInteractionState, PciPendingRenderProps, PciRenderProps, PciSubmittedRenderProps, PrimerState, TextEntryState, UnauthenticatedState } from "./types";
 //# sourceMappingURL=index.d.ts.map

package/dist/client/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/client/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,MAAM,EAAE,MAAM,2CAA2C,CAAA;AAClE,YAAY,EAAE,aAAa,EAAE,MAAM,2CAA2C,CAAA;AAE9E,YAAY,EACX,WAAW,EACX,cAAc,EACd,YAAY,EACZ,yBAAyB,EACzB,uBAAuB,EACvB,iBAAiB,EACjB,UAAU,EACV,aAAa,EACb,gBAAgB,EAChB,UAAU,EACV,eAAe,EACf,gBAAgB,EAChB,UAAU,EACV,mBAAmB,EACnB,qBAAqB,EACrB,cAAc,EACd,uBAAuB,EACvB,WAAW,EACX,cAAc,EACd,MAAM,0CAA0C,CAAA"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/client/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,KAAK,EAAE,MAAM,0CAA0C,CAAA;AAChE,YAAY,EAAE,aAAa,EAAE,MAAM,0CAA0C,CAAA;AAE7E,YAAY,EACX,WAAW,EACX,cAAc,EACd,YAAY,EACZ,yBAAyB,EACzB,uBAAuB,EACvB,iBAAiB,EACjB,UAAU,EACV,aAAa,EACb,gBAAgB,EAChB,UAAU,EACV,eAAe,EACf,gBAAgB,EAChB,UAAU,EACV,mBAAmB,EACnB,qBAAqB,EACrB,cAAc,EACd,uBAAuB,EACvB,WAAW,EACX,cAAc,EACd,oBAAoB,EACpB,MAAM,0CAA0C,CAAA"}

package/dist/client/index.js

@@ -1,3 +1,41 @@
+var __dispose = Symbol.dispose || /* @__PURE__ */ Symbol.for("Symbol.dispose");
+var __asyncDispose = Symbol.asyncDispose || /* @__PURE__ */ Symbol.for("Symbol.asyncDispose");
+var __using = (stack, value, async) => {
+  if (value != null) {
+    if (typeof value !== "object" && typeof value !== "function")
+      throw TypeError('Object expected to be assigned to "using" declaration');
+    var dispose;
+    if (async)
+      dispose = value[__asyncDispose];
+    if (dispose === undefined)
+      dispose = value[__dispose];
+    if (typeof dispose !== "function")
+      throw TypeError("Object not disposable");
+    stack.push([async, dispose, value]);
+  } else if (async) {
+    stack.push([async]);
+  }
+  return value;
+};
+var __callDispose = (stack, error, hasError) => {
+  var E = typeof SuppressedError === "function" ? SuppressedError : function(e, s, m, _) {
+    return _ = Error(m), _.name = "SuppressedError", _.error = e, _.suppressed = s, _;
+  }, fail = (e) => error = hasError ? new E(e, error, "An error was suppressed during disposal") : (hasError = true, e), next = (it) => {
+    while (it = stack.pop()) {
+      try {
+        var result = it[1] && it[1].call(it[2]);
+        if (it[0])
+          return Promise.resolve(result).then(next, (e) => (fail(e), next()));
+      } catch (e) {
+        fail(e);
+      }
+    }
+    if (hasError)
+      throw error;
+  };
+  return next();
+};
+
 // src/errors.ts
 import * as errors from "@superbuilders/errors";
 var ErrNetwork = errors.new("network");
@@ -341,7 +379,7 @@ function submissionValidationMessage(result) {
 import * as errors2 from "@superbuilders/errors";
 
 // src/version.ts
-var SDK_VERSION = "3.5.1";
+var SDK_VERSION = "3.7.0";
 var NPM_PACKAGE_URL = "https://www.npmjs.com/package/@superbuilders/primer-tives";
 
 // src/client/transport.ts
@@ -1133,8 +1171,10 @@ function makeSession(sc) {
   return { execute };
 }
 
+// src/client/auth/provider.ts
+import * as errors11 from "@superbuilders/errors";
+
 // src/client/auth/browser.ts
-import * as errors10 from "@superbuilders/errors";
 function browserStorage(options, logger) {
   if (options !== undefined && options.storage !== undefined) {
     return options.storage;
@@ -1182,16 +1222,6 @@ function randomClientState(logger) {
   }
   return result;
 }
-function clearCallbackHash(options, url) {
-  if (options !== undefined && options.currentUrl !== undefined) {
-    return;
-  }
-  if (typeof globalThis.history === "undefined") {
-    return;
-  }
-  const cleanUrl = `${url.pathname}${url.search}`;
-  globalThis.history.replaceState(globalThis.history.state, "", cleanUrl);
-}
 function openAuthPopup(url, options, logger) {
   if (typeof globalThis.open === "undefined") {
     logger.error("auth popup api unavailable");
@@ -1212,67 +1242,12 @@ function openAuthPopup(url, options, logger) {
   }
   return popup;
 }
-function readablePopupUrl(popup) {
-  const result = errors10.trySync(function readLocation() {
-    return popup.location.href;
-  });
-  if (result.error) {
-    return null;
-  }
-  return result.data;
-}
-function sleep(ms) {
-  return new Promise(function resolveLater(resolve) {
-    setTimeout(resolve, ms);
-  });
-}
-
-// src/client/auth/callback.ts
-var ACCESS_TOKEN_HASH_PARAM = "primer_access_token";
-var AUTH_STATUS_HASH_PARAM = "primer_auth";
-var AUTH_STATE_HASH_PARAM = "primer_state";
-var AUTH_SUCCESS = "success";
-var AUTH_ERROR = "error";
-function readAuthCallback(url, logger) {
-  if (url.hash.length === 0) {
-    return null;
-  }
-  const hash = new URLSearchParams(url.hash.slice(1));
-  const authStatus = hash.get(AUTH_STATUS_HASH_PARAM);
-  if (authStatus === null) {
-    return null;
-  }
-  if (authStatus === AUTH_ERROR) {
-    logger.error("auth callback returned error");
-    throw ErrAuthCallbackInvalid;
-  }
-  if (authStatus !== AUTH_SUCCESS) {
-    logger.error("auth callback status invalid", { authStatus });
-    throw ErrAuthCallbackInvalid;
-  }
-  const accessToken = hash.get(ACCESS_TOKEN_HASH_PARAM);
-  const state = hash.get(AUTH_STATE_HASH_PARAM);
-  if (accessToken === null || accessToken.length === 0 || state === null || state.length === 0) {
-    logger.error("auth callback missing token or state");
-    throw ErrAuthCallbackInvalid;
-  }
-  return { accessToken, state };
-}
-function requireMatchingCallbackState(callback, expectedState, logger) {
-  if (expectedState === null) {
-    logger.error("auth callback expected state missing");
-    throw ErrAuthCallbackInvalid;
-  }
-  if (callback.state !== expectedState) {
-    logger.error("auth callback state mismatch");
-    throw ErrAuthStateMismatch;
-  }
-}
 
 // src/client/auth/hosted-popup.ts
-import * as errors11 from "@superbuilders/errors";
 var DEFAULT_POPUP_TIMEOUT_MS = 10 * 60 * 1000;
 var POPUP_POLL_MS = 250;
+var AUTH_MESSAGE_TYPE = "primer-tives.auth.result.v1";
+var AUTH_RESPONSE_MODE = "web_message";
 function hostedAuthUrl(config) {
   const logger = config.logger;
   if (!URL.canParse(config.origin)) {
@@ -1283,6 +1258,7 @@ function hostedAuthUrl(config) {
   authUrl.searchParams.set("publishableKey", config.publishableKey);
   authUrl.searchParams.set("redirectUri", redirectUri(config.options, config.currentUrl, logger));
   authUrl.searchParams.set("state", config.clientState);
+  authUrl.searchParams.set("responseMode", AUTH_RESPONSE_MODE);
   return authUrl.toString();
 }
 function popupTimeoutMs(options) {
@@ -1291,62 +1267,132 @@ function popupTimeoutMs(options) {
   }
   return DEFAULT_POPUP_TIMEOUT_MS;
 }
-function readPopupCallback(href, config) {
-  const logger = config.logger;
-  if (!URL.canParse(href)) {
+function isRecord(value) {
+  return typeof value === "object" && value !== null;
+}
+function stringField(value, key) {
+  const field = value[key];
+  if (typeof field !== "string" || field.length === 0) {
     return null;
   }
-  const callbackResult = errors11.trySync(function readCallback() {
-    return readAuthCallback(new URL(href), logger);
-  });
-  if (callbackResult.error) {
-    logger.error("hosted auth popup callback invalid", { error: callbackResult.error });
-    throw callbackResult.error;
+  return field;
+}
+function readPopupMessage(event, popup, config, expectedOrigin) {
+  if (event.source !== popup) {
+    return { kind: "ignore" };
   }
-  const callback = callbackResult.data;
-  if (callback === null) {
-    return null;
+  if (event.origin !== expectedOrigin) {
+    return { kind: "ignore" };
   }
-  if (callback.state !== config.clientState) {
-    logger.error("hosted auth popup state mismatch");
-    throw ErrAuthStateMismatch;
+  const data = event.data;
+  if (!isRecord(data)) {
+    return { kind: "ignore" };
   }
-  return callback.accessToken;
+  const messageType = stringField(data, "type");
+  if (messageType !== AUTH_MESSAGE_TYPE) {
+    return { kind: "ignore" };
+  }
+  const state = stringField(data, "state");
+  if (state === null) {
+    return { kind: "error", error: ErrAuthCallbackInvalid };
+  }
+  if (state !== config.clientState) {
+    return { kind: "error", error: ErrAuthStateMismatch };
+  }
+  const status = stringField(data, "status");
+  if (status === "error") {
+    return { kind: "error", error: ErrAuthCallbackInvalid };
+  }
+  if (status !== "success") {
+    return { kind: "error", error: ErrAuthCallbackInvalid };
+  }
+  const accessToken = stringField(data, "accessToken");
+  if (accessToken === null) {
+    return { kind: "error", error: ErrAuthCallbackInvalid };
+  }
+  return { kind: "success", accessToken };
 }
-async function beginHostedPopup(config) {
-  const logger = config.logger;
-  const popup = openAuthPopup(hostedAuthUrl(config), config.options, logger);
-  const expiresAt = Date.now() + popupTimeoutMs(config.options);
-  while (Date.now() < expiresAt) {
-    if (popup.closed) {
-      logger.error("hosted auth popup closed");
-      throw ErrAuthCancelled;
-    }
-    const href = readablePopupUrl(popup);
-    if (href !== null) {
-      const accessTokenResult = errors11.trySync(function readAccessToken() {
-        return readPopupCallback(href, config);
-      });
-      if (accessTokenResult.error) {
-        popup.close();
-        logger.error("hosted auth popup failed", { error: accessTokenResult.error });
-        throw accessTokenResult.error;
+async function waitForPopupMessage(popup, config, expectedOrigin) {
+  let __stack = [];
+  try {
+    const logger = config.logger;
+    const stack = __using(__stack, new AsyncDisposableStack, 1);
+    stack.defer(function closePopup() {
+      popup.close();
+    });
+    const result = await new Promise(function waitForMessage(resolve, reject) {
+      let settled = false;
+      function finishWithError(error) {
+        if (settled) {
+          return;
+        }
+        settled = true;
+        reject(error);
       }
-      if (accessTokenResult.data !== null) {
-        popup.close();
+      function finishWithToken(token) {
+        if (settled) {
+          return;
+        }
+        settled = true;
         logger.debug("hosted auth popup completed");
-        return accessTokenResult.data;
+        resolve(token);
       }
-    }
-    await sleep(POPUP_POLL_MS);
+      const timeoutId = globalThis.setTimeout(function timeout() {
+        logger.error("hosted auth popup timed out");
+        finishWithError(ErrAuthCancelled);
+      }, popupTimeoutMs(config.options));
+      stack.defer(function clearPopupTimeout() {
+        globalThis.clearTimeout(timeoutId);
+      });
+      const closedPollId = globalThis.setInterval(function checkClosed() {
+        if (!popup.closed) {
+          return;
+        }
+        logger.error("hosted auth popup closed");
+        finishWithError(ErrAuthCancelled);
+      }, POPUP_POLL_MS);
+      stack.defer(function clearClosedPoll() {
+        globalThis.clearInterval(closedPollId);
+      });
+      function handleMessage(event) {
+        const result2 = readPopupMessage(event, popup, config, expectedOrigin);
+        if (result2.kind === "ignore") {
+          return;
+        }
+        if (result2.kind === "error") {
+          logger.error("hosted auth popup failed", { error: result2.error });
+          finishWithError(result2.error);
+          return;
+        }
+        finishWithToken(result2.accessToken);
+      }
+      globalThis.addEventListener("message", handleMessage);
+      stack.defer(function removeMessageListener() {
+        globalThis.removeEventListener("message", handleMessage);
+      });
+    });
+    return result;
+  } catch (_catch) {
+    var _err = _catch, _hasErr = 1;
+  } finally {
+    var _promise = __callDispose(__stack, _err, _hasErr);
+    _promise && await _promise;
+  }
+}
+async function beginHostedPopup(config) {
+  const logger = config.logger;
+  const url = hostedAuthUrl(config);
+  if (!URL.canParse(config.origin)) {
+    logger.error("hosted auth origin invalid", { origin: config.origin });
+    throw ErrAuthCallbackInvalid;
   }
-  popup.close();
-  logger.error("hosted auth popup timed out");
-  throw ErrAuthCancelled;
+  const expectedOrigin = new URL(config.origin).origin;
+  const popup = openAuthPopup(url, config.options, logger);
+  return waitForPopupMessage(popup, config, expectedOrigin);
 }
 
 // src/client/auth/access-token.ts
-import * as errors12 from "@superbuilders/errors";
+import * as errors10 from "@superbuilders/errors";
 var ACCESS_TOKEN_PREFIX = "eyJ";
 var resolvedAccessTokenBrand = Symbol("primer resolved access token");
 function isMalformedJws(token) {
@@ -1359,7 +1405,7 @@ function isMalformedJws(token) {
 function resolveAccessToken(token, logger) {
   if (isMalformedJws(token)) {
     logger.error("malformed access token", { prefix: ACCESS_TOKEN_PREFIX });
-    throw errors12.wrap(ErrMalformedAccessToken, `token must start with '${ACCESS_TOKEN_PREFIX}' and contain two dots`);
+    throw errors10.wrap(ErrMalformedAccessToken, `token must start with '${ACCESS_TOKEN_PREFIX}' and contain two dots`);
   }
   return { value: token, [resolvedAccessTokenBrand]: true };
 }
@@ -1383,12 +1429,8 @@ function loadStoredAccessToken(storage, publishableKey) {
 function storeAccessToken(storage, publishableKey, accessToken) {
   storage.setItem(accessTokenStorageKey(publishableKey), accessToken);
 }
-function loadAuthState(storage, publishableKey) {
-  const state = storage.getItem(authStateStorageKey(publishableKey));
-  if (state === null || state.length === 0) {
-    return null;
-  }
-  return state;
+function clearStoredAccessToken(storage, publishableKey) {
+  storage.removeItem(accessTokenStorageKey(publishableKey));
 }
 function storeAuthState(storage, publishableKey, state) {
   storage.setItem(authStateStorageKey(publishableKey), state);
@@ -1398,44 +1440,119 @@ function clearAuthState(storage, publishableKey) {
 }
 
 // src/client/auth/provider.ts
-async function resolveHostedAccessToken(options) {
+function resolveProvidedAccessToken(token, logger) {
+  const result = errors11.trySync(function resolveProvidedToken() {
+    return resolveAccessToken(token, logger);
+  });
+  if (result.error) {
+    return { kind: "fatal", error: result.error };
+  }
+  return { kind: "resolved", accessToken: result.data };
+}
+function resolveManagedAccessToken(token, logger) {
+  const result = errors11.trySync(function resolveManagedToken() {
+    return resolveAccessToken(token, logger);
+  });
+  if (result.error) {
+    return { kind: "unauthenticated", error: result.error };
+  }
+  return { kind: "resolved", accessToken: result.data };
+}
+function readBrowserAuthContext(options) {
   const logger = options.logger;
-  const storage = browserStorage(options.hostedAuth, logger);
-  const url = currentUrl(options.hostedAuth, logger);
-  const callback = readAuthCallback(url, logger);
-  if (callback !== null) {
-    requireMatchingCallbackState(callback, loadAuthState(storage, options.publishableKey), logger);
-    storeAccessToken(storage, options.publishableKey, callback.accessToken);
-    clearAuthState(storage, options.publishableKey);
-    clearCallbackHash(options.hostedAuth, url);
-    return resolveAccessToken(callback.accessToken, logger);
-  }
-  const stored = loadStoredAccessToken(storage, options.publishableKey);
+  const contextResult = errors11.trySync(function readContext() {
+    const storage = browserStorage(options.hostedAuth, logger);
+    const url = currentUrl(options.hostedAuth, logger);
+    return { storage, url };
+  });
+  if (contextResult.error) {
+    return { kind: "unauthenticated", error: contextResult.error };
+  }
+  return contextResult.data;
+}
+function resolveStoredAccessToken(context, options) {
+  const stored = loadStoredAccessToken(context.storage, options.publishableKey);
+  if (stored === null) {
+    return null;
+  }
+  const resolved = resolveManagedAccessToken(stored, options.logger);
+  if (resolved.kind === "unauthenticated") {
+    clearStoredAccessToken(context.storage, options.publishableKey);
+  }
+  return resolved;
+}
+function resolveExistingAccessToken(options) {
+  if (options.accessToken !== undefined) {
+    return resolveProvidedAccessToken(options.accessToken, options.logger);
+  }
+  const context = readBrowserAuthContext(options);
+  if ("kind" in context) {
+    return context;
+  }
+  const stored = resolveStoredAccessToken(context, options);
   if (stored !== null) {
-    return resolveAccessToken(stored, logger);
+    return stored;
+  }
+  return { kind: "unauthenticated", error: null };
+}
+async function beginHostedLogin(options) {
+  const logger = options.logger;
+  const context = readBrowserAuthContext(options);
+  if ("kind" in context) {
+    return context;
+  }
+  const clientStateResult = errors11.trySync(function prepareHostedLogin() {
+    const clientState2 = randomClientState(logger);
+    storeAuthState(context.storage, options.publishableKey, clientState2);
+    return clientState2;
+  });
+  if (clientStateResult.error) {
+    return { kind: "unauthenticated", error: clientStateResult.error };
   }
-  const clientState = randomClientState(logger);
-  storeAuthState(storage, options.publishableKey, clientState);
-  const accessToken = await beginHostedPopup({
+  const clientState = clientStateResult.data;
+  const accessTokenResult = await errors11.try(beginHostedPopup({
     origin: options.origin,
     publishableKey: options.publishableKey,
-    currentUrl: url,
+    currentUrl: context.url,
     clientState,
     options: options.hostedAuth,
     logger
-  });
-  storeAccessToken(storage, options.publishableKey, accessToken);
-  clearAuthState(storage, options.publishableKey);
-  return resolveAccessToken(accessToken, logger);
+  }));
+  if (accessTokenResult.error) {
+    clearAuthState(context.storage, options.publishableKey);
+    return { kind: "unauthenticated", error: accessTokenResult.error };
+  }
+  const resolved = resolveManagedAccessToken(accessTokenResult.data, logger);
+  if (resolved.kind === "unauthenticated") {
+    clearAuthState(context.storage, options.publishableKey);
+    return resolved;
+  }
+  storeAccessToken(context.storage, options.publishableKey, accessTokenResult.data);
+  clearAuthState(context.storage, options.publishableKey);
+  return resolved;
 }
-async function resolveRuntimeAccessToken(options) {
-  if (options.accessToken !== undefined) {
-    return resolveAccessToken(options.accessToken, options.logger);
+
+// src/client/unauthenticated-state.ts
+function unauthenticatedState(config) {
+  let pending;
+  function login() {
+    if (pending) {
+      return pending;
+    }
+    pending = config.login().finally(function clearPending() {
+      pending = undefined;
+    });
+    return pending;
   }
-  return resolveHostedAccessToken(options);
+  return {
+    phase: "unauthenticated",
+    error: config.error,
+    login,
+    toJSON: poisonToJSON
+  };
 }
 
-// src/client/create.ts
+// src/client/start.ts
 function supportedPcisOrEmpty(supportedPcis) {
   if (supportedPcis !== undefined) {
     return supportedPcis;
@@ -1448,35 +1565,76 @@ function runtimeSubject(subject) {
   }
   return subject;
 }
-async function create(options) {
-  const logger = options.logger;
-  logger.debug("create");
-  const subject = runtimeSubject(options.subject);
-  const accessToken = await resolveRuntimeAccessToken({
-    accessToken: options.accessToken,
-    publishableKey: options.publishableKey,
-    origin: options.origin,
-    logger
-  });
+async function startRuntime(config, accessToken) {
   const transport = createTransport({
     accessToken,
+    publishableKey: config.publishableKey,
+    subject: config.subject,
+    origin: config.origin,
+    fetch: config.fetch,
+    abort: config.abort,
+    logger: config.logger
+  });
+  const session = makeSession({
+    subject: config.subject,
+    supportedPcis: config.supportedPcis,
+    logger: config.logger,
+    transport
+  });
+  return session.execute({ kind: "observation" }, "start");
+}
+function makeUnauthenticatedState(config, error) {
+  return unauthenticatedState({
+    error,
+    login: function login() {
+      return loginAndStart(config);
+    }
+  });
+}
+async function loginAndStart(config) {
+  const result = await beginHostedLogin({
+    origin: config.origin,
+    publishableKey: config.publishableKey,
+    logger: config.logger
+  });
+  if (result.kind === "unauthenticated") {
+    return makeUnauthenticatedState(config, result.error);
+  }
+  return startRuntime(config, result.accessToken);
+}
+async function start(options) {
+  const logger = options.logger;
+  logger.debug("start");
+  const config = {
     publishableKey: options.publishableKey,
-    subject,
     origin: options.origin,
     fetch: options.fetch,
     abort: options.abort,
-    logger
-  });
-  const session = makeSession({
-    subject,
-    supportedPcis: supportedPcisOrEmpty(options.supportedPcis),
     logger,
-    transport
+    subject: runtimeSubject(options.subject),
+    supportedPcis: supportedPcisOrEmpty(options.supportedPcis)
+  };
+  const accessToken = resolveExistingAccessToken({
+    accessToken: options.accessToken,
+    publishableKey: options.publishableKey,
+    origin: options.origin,
+    logger
   });
-  return session.execute({ kind: "observation" }, "observation");
+  if (accessToken.kind === "fatal") {
+    return {
+      phase: "fatal",
+      error: accessToken.error,
+      retriable: false,
+      toJSON: poisonToJSON
+    };
+  }
+  if (accessToken.kind === "unauthenticated") {
+    return makeUnauthenticatedState(config, accessToken.error);
+  }
+  return startRuntime(config, accessToken.accessToken);
 }
 export {
-  create
+  start
 };
 
-//# debugId=DE8A27A355B8A82664756E2164756E21
+//# debugId=9A3E7149C52454D064756E2164756E21