@sveltebase/auth 1.0.0

package/dist/google/GoogleLogin.svelte.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"GoogleLogin.svelte.d.ts","sourceRoot":"","sources":["../../src/google/GoogleLogin.svelte.ts"],"names":[],"mappings":"AAIA,OAAO,KAAK,EAAE,kBAAkB,EAAE,kBAAkB,EAAE,MAAM,SAAS,CAAC;AAGpE,UAAU,KAAK;IACb,SAAS,EAAE,CAAC,kBAAkB,EAAE,kBAAkB,KAAK,IAAI,CAAC;IAC5D,OAAO,CAAC,EAAE,MAAM,IAAI,CAAC;IACrB,wBAAwB,CAAC,EAAE,CAAC,YAAY,EAAE,kBAAkB,KAAK,IAAI,CAAC;IACtE,SAAS,CAAC,EAAE,OAAO,CAAC;IACpB,KAAK,CAAC,EAAE,SAAS,GAAG,aAAa,GAAG,cAAc,CAAC;IACnD,IAAI,CAAC,EAAE,OAAO,GAAG,QAAQ,GAAG,OAAO,CAAC;IACpC,IAAI,CAAC,EAAE,aAAa,GAAG,aAAa,GAAG,QAAQ,GAAG,QAAQ,GAAG,eAAe,GAAG,oBAAoB,CAAC;IACpG,KAAK,CAAC,EAAE,aAAa,GAAG,MAAM,GAAG,QAAQ,GAAG,QAAQ,CAAC;IACrD,cAAc,CAAC,EAAE,MAAM,GAAG,QAAQ,CAAC;IACnC,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,WAAW,CAAC,EAAE,OAAO,CAAC;IACtB,qBAAqB,CAAC,EAAE,OAAO,CAAC;IAChC,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,aAAa,CAAC,EAAE,MAAM,CAAC;CACxB;AAsEH,QAAA,MAAM,WAAW,2CAAwC,CAAC;AAC1D,KAAK,WAAW,GAAG,UAAU,CAAC,OAAO,WAAW,CAAC,CAAC;AAClD,eAAe,WAAW,CAAC"}

package/dist/google/GoogleOAuthProvider.svelte

@@ -0,0 +1,39 @@
+<script lang="ts">
+  import { GoogleOAuthState, setGoogleOAuthContext } from './context.svelte.js';
+  import { loadGoogleScript } from './loader';
+
+  interface Props {
+    clientId: string;
+    onScriptLoadSuccess?: () => void;
+    onScriptLoadError?: (err: Error) => void;
+    children?: import('svelte').Snippet;
+  }
+
+  let {
+    clientId,
+    onScriptLoadSuccess,
+    onScriptLoadError,
+    children
+  }: Props = $props();
+
+  // Create and set the reactive context state using a getter closure
+  const state = new GoogleOAuthState(() => clientId);
+  setGoogleOAuthContext(state);
+
+  // Load the Google script on the client side
+  $effect(() => {
+    loadGoogleScript()
+      .then(() => {
+        state.isLoaded = true;
+        onScriptLoadSuccess?.();
+      })
+      .catch((err) => {
+        state.error = err;
+        onScriptLoadError?.(err);
+      });
+  });
+</script>
+
+{#if children}
+  {@render children()}
+{/if}

package/dist/google/GoogleOAuthProvider.svelte.d.ts

@@ -0,0 +1,10 @@
+interface Props {
+    clientId: string;
+    onScriptLoadSuccess?: () => void;
+    onScriptLoadError?: (err: Error) => void;
+    children?: import('svelte').Snippet;
+}
+declare const GoogleOAuthProvider: import("svelte").Component<Props, {}, "">;
+type GoogleOAuthProvider = ReturnType<typeof GoogleOAuthProvider>;
+export default GoogleOAuthProvider;
+//# sourceMappingURL=GoogleOAuthProvider.svelte.d.ts.map

package/dist/google/GoogleOAuthProvider.svelte.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"GoogleOAuthProvider.svelte.d.ts","sourceRoot":"","sources":["../../src/google/GoogleOAuthProvider.svelte.ts"],"names":[],"mappings":"AAOE,UAAU,KAAK;IACb,QAAQ,EAAE,MAAM,CAAC;IACjB,mBAAmB,CAAC,EAAE,MAAM,IAAI,CAAC;IACjC,iBAAiB,CAAC,EAAE,CAAC,GAAG,EAAE,KAAK,KAAK,IAAI,CAAC;IACzC,QAAQ,CAAC,EAAE,OAAO,QAAQ,EAAE,OAAO,CAAC;CACrC;AAqCH,QAAA,MAAM,mBAAmB,2CAAwC,CAAC;AAClE,KAAK,mBAAmB,GAAG,UAAU,CAAC,OAAO,mBAAmB,CAAC,CAAC;AAClE,eAAe,mBAAmB,CAAC"}

package/dist/google/GoogleOneTapLogin.svelte

@@ -0,0 +1,52 @@
+<script lang="ts">
+  import { getGoogleOAuthContext } from './context.svelte.js';
+  import type { CredentialResponse, MomentNotification } from './types';
+
+  interface Props {
+    onSuccess: (credentialResponse: CredentialResponse) => void;
+    onError?: () => void;
+    promptMomentNotification?: (notification: MomentNotification) => void;
+    auto_select?: boolean;
+    cancel_on_tap_outside?: boolean;
+    nonce?: string;
+    hosted_domain?: string;
+  }
+
+  let {
+    onSuccess,
+    onError,
+    promptMomentNotification,
+    auto_select = false,
+    cancel_on_tap_outside = true,
+    nonce,
+    hosted_domain
+  }: Props = $props();
+
+  const ctx = getGoogleOAuthContext();
+
+  $effect(() => {
+    if (!ctx.isLoaded) return;
+
+    try {
+      window.google.accounts.id.initialize({
+        client_id: ctx.clientId,
+        callback: (response) => {
+          if (response.credential) {
+            onSuccess(response);
+          } else {
+            onError?.();
+          }
+        },
+        auto_select,
+        cancel_on_tap_outside,
+        nonce,
+        hosted_domain
+      });
+
+      window.google.accounts.id.prompt(promptMomentNotification);
+    } catch (err) {
+      console.error('Error initializing Google One Tap:', err);
+      onError?.();
+    }
+  });
+</script>

package/dist/google/GoogleOneTapLogin.svelte.d.ts

@@ -0,0 +1,14 @@
+import type { CredentialResponse, MomentNotification } from './types';
+interface Props {
+    onSuccess: (credentialResponse: CredentialResponse) => void;
+    onError?: () => void;
+    promptMomentNotification?: (notification: MomentNotification) => void;
+    auto_select?: boolean;
+    cancel_on_tap_outside?: boolean;
+    nonce?: string;
+    hosted_domain?: string;
+}
+declare const GoogleOneTapLogin: import("svelte").Component<Props, {}, "">;
+type GoogleOneTapLogin = ReturnType<typeof GoogleOneTapLogin>;
+export default GoogleOneTapLogin;
+//# sourceMappingURL=GoogleOneTapLogin.svelte.d.ts.map

package/dist/google/GoogleOneTapLogin.svelte.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"GoogleOneTapLogin.svelte.d.ts","sourceRoot":"","sources":["../../src/google/GoogleOneTapLogin.svelte.ts"],"names":[],"mappings":"AAIA,OAAO,KAAK,EAAE,kBAAkB,EAAE,kBAAkB,EAAE,MAAM,SAAS,CAAC;AAGpE,UAAU,KAAK;IACb,SAAS,EAAE,CAAC,kBAAkB,EAAE,kBAAkB,KAAK,IAAI,CAAC;IAC5D,OAAO,CAAC,EAAE,MAAM,IAAI,CAAC;IACrB,wBAAwB,CAAC,EAAE,CAAC,YAAY,EAAE,kBAAkB,KAAK,IAAI,CAAC;IACtE,WAAW,CAAC,EAAE,OAAO,CAAC;IACtB,qBAAqB,CAAC,EAAE,OAAO,CAAC;IAChC,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,aAAa,CAAC,EAAE,MAAM,CAAC;CACxB;AA+CH,QAAA,MAAM,iBAAiB,2CAAwC,CAAC;AAChE,KAAK,iBAAiB,GAAG,UAAU,CAAC,OAAO,iBAAiB,CAAC,CAAC;AAC9D,eAAe,iBAAiB,CAAC"}

package/dist/google/context.svelte.d.ts

@@ -0,0 +1,11 @@
+export declare const GOOGLE_OAUTH_CONTEXT_KEY: unique symbol;
+export declare class GoogleOAuthState {
+    #private;
+    isLoaded: boolean;
+    error: Error | null;
+    get clientId(): string;
+    constructor(clientIdGetter: () => string);
+}
+export declare function setGoogleOAuthContext(state: GoogleOAuthState): void;
+export declare function getGoogleOAuthContext(): GoogleOAuthState;
+//# sourceMappingURL=context.svelte.d.ts.map

package/dist/google/context.svelte.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"context.svelte.d.ts","sourceRoot":"","sources":["../../src/google/context.svelte.ts"],"names":[],"mappings":"AAEA,eAAO,MAAM,wBAAwB,eAAiC,CAAC;AAEvE,qBAAa,gBAAgB;;IAE3B,QAAQ,UAA0B;IAClC,KAAK,eAA8B;IAEnC,IAAI,QAAQ,IAAI,MAAM,CAErB;gBAEW,cAAc,EAAE,MAAM,MAAM;CAGzC;AAED,wBAAgB,qBAAqB,CAAC,KAAK,EAAE,gBAAgB,GAAG,IAAI,CAEnE;AAED,wBAAgB,qBAAqB,IAAI,gBAAgB,CAMxD"}

package/dist/google/context.svelte.js

@@ -0,0 +1,23 @@
+import { getContext, setContext } from 'svelte';
+export const GOOGLE_OAUTH_CONTEXT_KEY = Symbol('google-oauth-context');
+export class GoogleOAuthState {
+    #clientIdGetter;
+    isLoaded = $state(false);
+    error = $state(null);
+    get clientId() {
+        return this.#clientIdGetter();
+    }
+    constructor(clientIdGetter) {
+        this.#clientIdGetter = clientIdGetter;
+    }
+}
+export function setGoogleOAuthContext(state) {
+    setContext(GOOGLE_OAUTH_CONTEXT_KEY, state);
+}
+export function getGoogleOAuthContext() {
+    const context = getContext(GOOGLE_OAUTH_CONTEXT_KEY);
+    if (!context) {
+        throw new Error('Google OAuth Context not found. Make sure your component is wrapped in <GoogleOAuthProvider>.');
+    }
+    return context;
+}

package/dist/google/google.svelte.d.ts

@@ -0,0 +1,20 @@
+import type { GoogleLoginOptions, GoogleData } from './types.js';
+/**
+ * Triggers the Google Identity Services OAuth2 flow (Token or Code client).
+ * Returns an object containing the trigger function `login`, and the reactive state properties `loading` and `error`.
+ */
+export declare function createGoogleLogin(options?: GoogleLoginOptions): {
+    login: (overrideOptions?: any) => void;
+    readonly loading: boolean;
+    readonly error: Error | null;
+};
+/**
+ * Logs out the user from Google Identity Services session (disables auto-select).
+ */
+export declare function googleLogout(): void;
+/**
+ * Decodes the credential JWT returned by Google Identity Services.
+ * Returns a typed `GoogleData` object.
+ */
+export declare function decodeCredentials<T = GoogleData>(credential: string): T;
+//# sourceMappingURL=google.svelte.d.ts.map

package/dist/google/google.svelte.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"google.svelte.d.ts","sourceRoot":"","sources":["../../src/google/google.svelte.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,kBAAkB,EAAE,UAAU,EAAE,MAAM,YAAY,CAAC;AAEjE;;;GAGG;AACH,wBAAgB,iBAAiB,CAAC,OAAO,GAAE,kBAAuB;8BAM/B,GAAG;;;EAgErC;AAED;;GAEG;AACH,wBAAgB,YAAY,IAAI,IAAI,CAInC;AAED;;;GAGG;AACH,wBAAgB,iBAAiB,CAAC,CAAC,GAAG,UAAU,EAAE,UAAU,EAAE,MAAM,GAAG,CAAC,CAyBvE"}

package/dist/google/google.svelte.js

@@ -0,0 +1,109 @@
+import { getGoogleOAuthContext } from './context.svelte.js';
+/**
+ * Triggers the Google Identity Services OAuth2 flow (Token or Code client).
+ * Returns an object containing the trigger function `login`, and the reactive state properties `loading` and `error`.
+ */
+export function createGoogleLogin(options = {}) {
+    const ctx = getGoogleOAuthContext();
+    let loading = $state(false);
+    let error = $state(null);
+    const login = (overrideOptions) => {
+        if (!ctx.isLoaded) {
+            console.warn('Google Identity Services script is not loaded yet');
+            return;
+        }
+        loading = true;
+        error = null;
+        const flow = options.flow ?? 'implicit';
+        const scope = options.scope ?? '';
+        const overrideScope = options.overrideScope ?? false;
+        const prompt = options.prompt;
+        const login_hint = options.login_hint;
+        const state = options.state;
+        const ux_mode = options.ux_mode ?? 'popup';
+        const redirect_uri = options.redirect_uri;
+        const clientMethod = flow === 'implicit' ? 'initTokenClient' : 'initCodeClient';
+        const finalScope = overrideScope ? scope : `openid profile email ${scope}`.trim().replace(/\s+/g, ' ');
+        try {
+            const client = window.google.accounts.oauth2[clientMethod]({
+                client_id: ctx.clientId,
+                scope: finalScope,
+                prompt,
+                login_hint,
+                state,
+                ux_mode,
+                redirect_uri,
+                callback: (response) => {
+                    loading = false;
+                    if (response.error) {
+                        error = new Error(response.error_description || response.error);
+                        options.onError?.(response);
+                    }
+                    else {
+                        options.onSuccess?.(response);
+                    }
+                },
+                error_callback: (nonOAuthError) => {
+                    loading = false;
+                    error = new Error(nonOAuthError.type || 'Non-OAuth Error');
+                    options.onNonOAuthError?.(nonOAuthError);
+                    options.onError?.(nonOAuthError);
+                }
+            });
+            if (flow === 'implicit') {
+                client.requestAccessToken(overrideOptions);
+            }
+            else {
+                client.requestCode();
+            }
+        }
+        catch (err) {
+            loading = false;
+            error = err;
+            options.onError?.(err);
+        }
+    };
+    return {
+        login,
+        get loading() { return loading; },
+        get error() { return error; }
+    };
+}
+/**
+ * Logs out the user from Google Identity Services session (disables auto-select).
+ */
+export function googleLogout() {
+    if (typeof window !== 'undefined' && window.google?.accounts?.id) {
+        window.google.accounts.id.disableAutoSelect();
+    }
+}
+/**
+ * Decodes the credential JWT returned by Google Identity Services.
+ * Returns a typed `GoogleData` object.
+ */
+export function decodeCredentials(credential) {
+    const parts = credential.split('.');
+    if (parts.length !== 3) {
+        throw new Error('Invalid token status: JWT must have 3 parts');
+    }
+    const payload = parts[1];
+    const base64 = payload.replace(/-/g, '+').replace(/_/g, '/');
+    const pad = base64.length % 4;
+    const paddedBase64 = pad ? base64 + '='.repeat(4 - pad) : base64;
+    let decodedStr;
+    if (typeof atob === 'function') {
+        decodedStr = atob(paddedBase64);
+    }
+    else if (typeof Buffer !== 'undefined') {
+        decodedStr = Buffer.from(paddedBase64, 'base64').toString('binary');
+    }
+    else {
+        throw new Error('Environment not supported: missing base64 decoding helper');
+    }
+    const bytes = new Uint8Array(decodedStr.length);
+    for (let i = 0; i < decodedStr.length; i++) {
+        bytes[i] = decodedStr.charCodeAt(i);
+    }
+    const textDecoder = new TextDecoder('utf-8');
+    return JSON.parse(textDecoder.decode(bytes));
+}

package/dist/google/index.d.ts

@@ -0,0 +1,9 @@
+export * from './google.svelte.js';
+export { loadGoogleScript } from './loader.js';
+export { GoogleOAuthState, setGoogleOAuthContext, getGoogleOAuthContext, GOOGLE_OAUTH_CONTEXT_KEY } from './context.svelte.js';
+export { default as GoogleOAuthProvider } from './GoogleOAuthProvider.svelte';
+export { default as GoogleLogin } from './GoogleLogin.svelte';
+export { default as GoogleOneTapLogin } from './GoogleOneTapLogin.svelte';
+export { verifyIdToken } from './verifier.js';
+export * from './types.js';
+//# sourceMappingURL=index.d.ts.map

package/dist/google/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/google/index.ts"],"names":[],"mappings":"AAAA,cAAc,oBAAoB,CAAC;AACnC,OAAO,EAAE,gBAAgB,EAAE,MAAM,aAAa,CAAC;AAC/C,OAAO,EACL,gBAAgB,EAChB,qBAAqB,EACrB,qBAAqB,EACrB,wBAAwB,EACzB,MAAM,qBAAqB,CAAC;AAE7B,OAAO,EAAE,OAAO,IAAI,mBAAmB,EAAE,MAAM,8BAA8B,CAAC;AAC9E,OAAO,EAAE,OAAO,IAAI,WAAW,EAAE,MAAM,sBAAsB,CAAC;AAC9D,OAAO,EAAE,OAAO,IAAI,iBAAiB,EAAE,MAAM,4BAA4B,CAAC;AAE1E,OAAO,EAAE,aAAa,EAAE,MAAM,eAAe,CAAC;AAC9C,cAAc,YAAY,CAAC"}

package/dist/google/index.js

@@ -0,0 +1,8 @@
+export * from './google.svelte.js';
+export { loadGoogleScript } from './loader.js';
+export { GoogleOAuthState, setGoogleOAuthContext, getGoogleOAuthContext, GOOGLE_OAUTH_CONTEXT_KEY } from './context.svelte.js';
+export { default as GoogleOAuthProvider } from './GoogleOAuthProvider.svelte';
+export { default as GoogleLogin } from './GoogleLogin.svelte';
+export { default as GoogleOneTapLogin } from './GoogleOneTapLogin.svelte';
+export { verifyIdToken } from './verifier.js';
+export * from './types.js';

package/dist/google/loader.d.ts

@@ -0,0 +1,2 @@
+export declare function loadGoogleScript(): Promise<void>;
+//# sourceMappingURL=loader.d.ts.map

package/dist/google/loader.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"loader.d.ts","sourceRoot":"","sources":["../../src/google/loader.ts"],"names":[],"mappings":"AAEA,wBAAgB,gBAAgB,IAAI,OAAO,CAAC,IAAI,CAAC,CA6BhD"}

package/dist/google/loader.js

@@ -0,0 +1,27 @@
+let scriptLoadingPromise = null;
+export function loadGoogleScript() {
+    if (typeof window === 'undefined') {
+        return Promise.reject(new Error('Browser environment required to load Google Identity Services script'));
+    }
+    if (window.google?.accounts?.id) {
+        return Promise.resolve();
+    }
+    if (scriptLoadingPromise) {
+        return scriptLoadingPromise;
+    }
+    scriptLoadingPromise = new Promise((resolve, reject) => {
+        const script = document.createElement('script');
+        script.src = 'https://accounts.google.com/gsi/client';
+        script.async = true;
+        script.defer = true;
+        script.onload = () => {
+            resolve();
+        };
+        script.onerror = (err) => {
+            scriptLoadingPromise = null;
+            reject(new Error('Failed to load Google Identity Services script'));
+        };
+        document.head.appendChild(script);
+    });
+    return scriptLoadingPromise;
+}

package/dist/google/types.d.ts

@@ -0,0 +1,117 @@
+export interface GoogleData {
+    iss: string;
+    azp: string;
+    aud: string;
+    sub: string;
+    email: string;
+    email_verified: boolean;
+    nonce?: string;
+    nbf?: number;
+    name: string;
+    picture?: string;
+    given_name?: string;
+    family_name?: string;
+    iat: number;
+    exp: number;
+    jti?: string;
+}
+export interface CredentialResponse {
+    credential?: string;
+    select_by?: 'auto' | 'user' | 'user_1tap' | 'user_2tap' | 'btn_confirm' | 'btn_confirm_1tap' | 'btn_confirm_2tap';
+}
+export interface IdConfiguration {
+    client_id: string;
+    callback?: (response: CredentialResponse) => void;
+    auto_select?: boolean;
+    callback_parent_id?: string;
+    cancel_on_tap_outside?: boolean;
+    prompt_parent_id?: string;
+    nonce?: string;
+    context?: 'signin' | 'signup' | 'use';
+    state_cookie_domain?: string;
+    ux_mode?: 'popup' | 'redirect';
+    allowed_parent_origin?: string | string[];
+    intermediate_iframe_close_callback?: () => void;
+    itp_support?: boolean;
+    login_hint?: string;
+    hd?: string;
+}
+export interface TokenResponse {
+    access_token: string;
+    expires_in: string;
+    hd?: string;
+    prompt: string;
+    token_type: string;
+    scope: string;
+    state?: string;
+    error?: string;
+    error_description?: string;
+    error_uri?: string;
+}
+export interface TokenClientConfig {
+    client_id: string;
+    scope: string;
+    callback: (response: TokenResponse) => void;
+    error_callback?: (error: NonOAuthError) => void;
+    prompt?: 'none' | 'consent' | 'select_account';
+    enable_serial_consent?: boolean;
+    hint?: string;
+    login_hint?: string;
+    state?: string;
+    include_granted_scopes?: boolean;
+}
+export interface CodeResponse {
+    code: string;
+    scope: string;
+    state?: string;
+    error?: string;
+    error_description?: string;
+    error_uri?: string;
+}
+export interface CodeClientConfig {
+    client_id: string;
+    scope: string;
+    callback: (response: CodeResponse) => void;
+    error_callback?: (error: NonOAuthError) => void;
+    ux_mode?: 'popup' | 'redirect';
+    redirect_uri?: string;
+    prompt?: 'none' | 'consent' | 'select_account';
+    enable_serial_consent?: boolean;
+    hint?: string;
+    login_hint?: string;
+    state?: string;
+    include_granted_scopes?: boolean;
+}
+export interface NonOAuthError {
+    type: 'popup_closed' | 'popup_blocked_by_browser' | 'unknown';
+}
+export interface GoogleLoginOptions {
+    flow?: 'implicit' | 'auth-code';
+    scope?: string;
+    prompt?: 'none' | 'consent' | 'select_account';
+    login_hint?: string;
+    state?: string;
+    overrideScope?: boolean;
+    ux_mode?: 'popup' | 'redirect';
+    redirect_uri?: string;
+    onSuccess?: (response: any) => void;
+    onError?: (error: any) => void;
+    onNonOAuthError?: (error: NonOAuthError) => void;
+}
+export interface OverridableTokenClientConfig {
+    prompt?: 'none' | 'consent' | 'select_account';
+    login_hint?: string;
+    state?: string;
+}
+export interface MomentNotification {
+    isDisplayMoment: () => boolean;
+    isDisplayed: () => boolean;
+    isNotDisplayed: () => boolean;
+    getNotDisplayedReason: () => 'browser_not_supported' | 'unknown_reason' | 'opt_out' | 'user_cancel' | 'suppressed_by_user' | 'unregistered_origin' | 'unknown_sharing_id' | 'third_party_cookies_disabled' | 'iss_missing' | 'client_id_missing' | 'credential_disabled' | 'secure_context_required' | 'hd_required';
+    isSkippedMoment: () => boolean;
+    getSkippedReason: () => 'auto_cancel' | 'user_cancel' | 'tap_outside' | 'iss_missing';
+    isDismissedMoment: () => boolean;
+    getDismissedReason: () => 'credential_returned' | 'cancel_called' | 'flow_restarted' | 'user_cancel' | 'tap_outside';
+    getMomentType: () => 'display' | 'skipped' | 'dismissed';
+}
+//# sourceMappingURL=types.d.ts.map

package/dist/google/types.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../../src/google/types.ts"],"names":[],"mappings":"AAAA,MAAM,WAAW,UAAU;IACzB,GAAG,EAAE,MAAM,CAAC;IACZ,GAAG,EAAE,MAAM,CAAC;IACZ,GAAG,EAAE,MAAM,CAAC;IACZ,GAAG,EAAE,MAAM,CAAC;IACZ,KAAK,EAAE,MAAM,CAAC;IACd,cAAc,EAAE,OAAO,CAAC;IACxB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,IAAI,EAAE,MAAM,CAAC;IACb,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,GAAG,EAAE,MAAM,CAAC;IACZ,GAAG,EAAE,MAAM,CAAC;IACZ,GAAG,CAAC,EAAE,MAAM,CAAC;CACd;AAED,MAAM,WAAW,kBAAkB;IACjC,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,SAAS,CAAC,EACN,MAAM,GACN,MAAM,GACN,WAAW,GACX,WAAW,GACX,aAAa,GACb,kBAAkB,GAClB,kBAAkB,CAAC;CACxB;AAED,MAAM,WAAW,eAAe;IAC9B,SAAS,EAAE,MAAM,CAAC;IAClB,QAAQ,CAAC,EAAE,CAAC,QAAQ,EAAE,kBAAkB,KAAK,IAAI,CAAC;IAClD,WAAW,CAAC,EAAE,OAAO,CAAC;IACtB,kBAAkB,CAAC,EAAE,MAAM,CAAC;IAC5B,qBAAqB,CAAC,EAAE,OAAO,CAAC;IAChC,gBAAgB,CAAC,EAAE,MAAM,CAAC;IAC1B,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,OAAO,CAAC,EAAE,QAAQ,GAAG,QAAQ,GAAG,KAAK,CAAC;IACtC,mBAAmB,CAAC,EAAE,MAAM,CAAC;IAC7B,OAAO,CAAC,EAAE,OAAO,GAAG,UAAU,CAAC;IAC/B,qBAAqB,CAAC,EAAE,MAAM,GAAG,MAAM,EAAE,CAAC;IAC1C,kCAAkC,CAAC,EAAE,MAAM,IAAI,CAAC;IAChD,WAAW,CAAC,EAAE,OAAO,CAAC;IACtB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,EAAE,CAAC,EAAE,MAAM,CAAC;CACb;AAED,MAAM,WAAW,aAAa;IAC5B,YAAY,EAAE,MAAM,CAAC;IACrB,UAAU,EAAE,MAAM,CAAC;IACnB,EAAE,CAAC,EAAE,MAAM,CAAC;IACZ,MAAM,EAAE,MAAM,CAAC;IACf,UAAU,EAAE,MAAM,CAAC;IACnB,KAAK,EAAE,MAAM,CAAC;IACd,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,iBAAiB,CAAC,EAAE,MAAM,CAAC;IAC3B,SAAS,CAAC,EAAE,MAAM,CAAC;CACpB;AAED,MAAM,WAAW,iBAAiB;IAChC,SAAS,EAAE,MAAM,CAAC;IAClB,KAAK,EAAE,MAAM,CAAC;IACd,QAAQ,EAAE,CAAC,QAAQ,EAAE,aAAa,KAAK,IAAI,CAAC;IAC5C,cAAc,CAAC,EAAE,CAAC,KAAK,EAAE,aAAa,KAAK,IAAI,CAAC;IAChD,MAAM,CAAC,EAAE,MAAM,GAAG,SAAS,GAAG,gBAAgB,CAAC;IAC/C,qBAAqB,CAAC,EAAE,OAAO,CAAC;IAChC,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,sBAAsB,CAAC,EAAE,OAAO,CAAC;CAClC;AAED,MAAM,WAAW,YAAY;IAC3B,IAAI,EAAE,MAAM,CAAC;IACb,KAAK,EAAE,MAAM,CAAC;IACd,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,iBAAiB,CAAC,EAAE,MAAM,CAAC;IAC3B,SAAS,CAAC,EAAE,MAAM,CAAC;CACpB;AAED,MAAM,WAAW,gBAAgB;IAC/B,SAAS,EAAE,MAAM,CAAC;IAClB,KAAK,EAAE,MAAM,CAAC;IACd,QAAQ,EAAE,CAAC,QAAQ,EAAE,YAAY,KAAK,IAAI,CAAC;IAC3C,cAAc,CAAC,EAAE,CAAC,KAAK,EAAE,aAAa,KAAK,IAAI,CAAC;IAChD,OAAO,CAAC,EAAE,OAAO,GAAG,UAAU,CAAC;IAC/B,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,MAAM,CAAC,EAAE,MAAM,GAAG,SAAS,GAAG,gBAAgB,CAAC;IAC/C,qBAAqB,CAAC,EAAE,OAAO,CAAC;IAChC,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,sBAAsB,CAAC,EAAE,OAAO,CAAC;CAClC;AAED,MAAM,WAAW,aAAa;IAC5B,IAAI,EAAE,cAAc,GAAG,0BAA0B,GAAG,SAAS,CAAC;CAC/D;AAED,MAAM,WAAW,kBAAkB;IACjC,IAAI,CAAC,EAAE,UAAU,GAAG,WAAW,CAAC;IAChC,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,MAAM,CAAC,EAAE,MAAM,GAAG,SAAS,GAAG,gBAAgB,CAAC;IAC/C,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,aAAa,CAAC,EAAE,OAAO,CAAC;IACxB,OAAO,CAAC,EAAE,OAAO,GAAG,UAAU,CAAC;IAC/B,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,SAAS,CAAC,EAAE,CAAC,QAAQ,EAAE,GAAG,KAAK,IAAI,CAAC;IACpC,OAAO,CAAC,EAAE,CAAC,KAAK,EAAE,GAAG,KAAK,IAAI,CAAC;IAC/B,eAAe,CAAC,EAAE,CAAC,KAAK,EAAE,aAAa,KAAK,IAAI,CAAC;CAClD;AAED,MAAM,WAAW,4BAA4B;IAC3C,MAAM,CAAC,EAAE,MAAM,GAAG,SAAS,GAAG,gBAAgB,CAAC;IAC/C,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,KAAK,CAAC,EAAE,MAAM,CAAC;CAChB;AAED,MAAM,WAAW,kBAAkB;IACjC,eAAe,EAAE,MAAM,OAAO,CAAC;IAC/B,WAAW,EAAE,MAAM,OAAO,CAAC;IAC3B,cAAc,EAAE,MAAM,OAAO,CAAC;IAC9B,qBAAqB,EAAE,MACnB,uBAAuB,GACvB,gBAAgB,GAChB,SAAS,GACT,aAAa,GACb,oBAAoB,GACpB,qBAAqB,GACrB,oBAAoB,GACpB,8BAA8B,GAC9B,aAAa,GACb,mBAAmB,GACnB,qBAAqB,GACrB,yBAAyB,GACzB,aAAa,CAAC;IAClB,eAAe,EAAE,MAAM,OAAO,CAAC;IAC/B,gBAAgB,EAAE,MACd,aAAa,GACb,aAAa,GACb,aAAa,GACb,aAAa,CAAC;IAClB,iBAAiB,EAAE,MAAM,OAAO,CAAC;IACjC,kBAAkB,EAAE,MAChB,qBAAqB,GACrB,eAAe,GACf,gBAAgB,GAChB,aAAa,GACb,aAAa,CAAC;IAClB,aAAa,EAAE,MAAM,SAAS,GAAG,SAAS,GAAG,WAAW,CAAC;CAC1D"}

package/dist/google/types.js

@@ -0,0 +1 @@
+export {};

package/dist/google/verifier.d.ts

@@ -0,0 +1,17 @@
+import type { GoogleData } from "./types.js";
+export interface VerifyIdTokenOptions {
+    /**
+     * The credential string (JWT token) returned by Google Identity Services.
+     */
+    credential: string;
+    /**
+     * Your Google OAuth Client ID to verify the audience.
+     */
+    clientId: string;
+}
+/**
+ * Cryptographically verifies a Google ID token (credential) signature
+ * and claims using the Web Crypto API. Does not require a Client Secret.
+ */
+export declare function verifyIdToken(options: VerifyIdTokenOptions): Promise<GoogleData>;
+//# sourceMappingURL=verifier.d.ts.map

package/dist/google/verifier.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"verifier.d.ts","sourceRoot":"","sources":["../../src/google/verifier.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,YAAY,CAAC;AAE7C,MAAM,WAAW,oBAAoB;IACnC;;OAEG;IACH,UAAU,EAAE,MAAM,CAAC;IACnB;;OAEG;IACH,QAAQ,EAAE,MAAM,CAAC;CAClB;AAED;;;GAGG;AACH,wBAAsB,aAAa,CAAC,OAAO,EAAE,oBAAoB,GAAG,OAAO,CAAC,UAAU,CAAC,CAgFtF"}

package/dist/google/verifier.js

@@ -0,0 +1,64 @@
+import { decodeCredentials } from "./google.svelte.js";
+/**
+ * Cryptographically verifies a Google ID token (credential) signature
+ * and claims using the Web Crypto API. Does not require a Client Secret.
+ */
+export async function verifyIdToken(options) {
+    const { credential, clientId } = options;
+    const parts = credential.split(".");
+    if (parts.length !== 3) {
+        throw new Error("Invalid token: JWT must have 3 parts");
+    }
+    const [headerB64, payloadB64, signatureB64] = parts;
+    // 1. Decode and parse Header
+    const headerStr = atob(headerB64.replace(/-/g, "+").replace(/_/g, "/"));
+    const header = JSON.parse(headerStr);
+    if (header.alg !== "RS256" || !header.kid) {
+        throw new Error("Unsupported algorithm or missing key ID (kid)");
+    }
+    // 2. Decode Payload and validate claims
+    const payload = decodeCredentials(credential);
+    const now = Math.floor(Date.now() / 1000);
+    if (payload.exp < now) {
+        throw new Error("Token has expired");
+    }
+    if (payload.iss !== "https://accounts.google.com" && payload.iss !== "accounts.google.com") {
+        throw new Error("Invalid issuer");
+    }
+    if (payload.aud !== clientId) {
+        throw new Error("Invalid audience (Client ID mismatch)");
+    }
+    // 3. Fetch Google public JWKS keys
+    const res = await fetch("https://www.googleapis.com/oauth2/v3/certs");
+    if (!res.ok) {
+        throw new Error("Failed to fetch Google public keys");
+    }
+    const jwks = (await res.json());
+    const jwk = jwks.keys.find((key) => key.kid === header.kid);
+    if (!jwk) {
+        throw new Error("Matching public key not found in Google certs");
+    }
+    // 4. Import public key into Web Crypto format
+    const subtle = crypto.subtle;
+    const cryptoKey = await subtle.importKey("jwk", jwk, {
+        name: "RSASSA-PKCS1-v1_5",
+        hash: { name: "SHA-256" },
+    }, false, ["verify"]);
+    // 5. Convert Signature from base64url to Uint8Array
+    const sigBase64 = signatureB64.replace(/-/g, "+").replace(/_/g, "/");
+    const pad = sigBase64.length % 4;
+    const paddedSig = pad ? sigBase64 + "=".repeat(4 - pad) : sigBase64;
+    const sigStr = atob(paddedSig);
+    const sigBytes = new Uint8Array(sigStr.length);
+    for (let i = 0; i < sigStr.length; i++) {
+        sigBytes[i] = sigStr.charCodeAt(i);
+    }
+    // 6. Verify signature against raw message bytes (header + "." + payload)
+    const enc = new TextEncoder();
+    const data = enc.encode(`${headerB64}.${payloadB64}`);
+    const isValid = await subtle.verify("RSASSA-PKCS1-v1_5", cryptoKey, sigBytes, data);
+    if (!isValid) {
+        throw new Error("Invalid signature");
+    }
+    return payload;
+}