@tern-secure/nextjs 3.4.3 → 4.1.0

package/dist/esm/boundary/TernSecureClientProvider.js

@@ -4,23 +4,80 @@ import { useState, useEffect, useMemo, useCallback } from "react";
 import { ternSecureAuth } from "../utils/client-init";
 import { onAuthStateChanged } from "firebase/auth";
 import { TernSecureCtx } from "./TernSecureCtx";
-import { useRouter } from "next/navigation";
+import { useRouter, usePathname } from "next/navigation";
+import { isBaseAuthRoute, isInternalRoute, isAuthRoute } from "../app-router/route-handler/internal-route";
+import { hasRedirectLoop } from "../utils/construct";
 function TernSecureClientProvider({
   children,
-  loginPath = "/sign-in",
-  loadingComponent
+  loginPath = process.env.NEXT_PUBLIC_SIGN_IN_PATH || "/sign-in",
+  signUpPath = process.env.NEXT_PUBLIC_SIGN_UP_PATH || "/sign-up",
+  loadingComponent,
+  requiresVerification
 }) {
   const auth = useMemo(() => ternSecureAuth, []);
   const router = useRouter();
+  const pathname = usePathname();
+  const [isRedirecting, setIsRedirecting] = useState(false);
   const [authState, setAuthState] = useState(() => ({
     userId: null,
     isLoaded: false,
     error: null,
     isValid: false,
+    isVerified: false,
+    isAuthenticated: false,
     token: null,
-    email: null
+    email: null,
+    status: "loading",
+    requiresVerification
   }));
+  const constructUrlWithRedirect = useCallback(
+    (loginPath2, currentPath, loginPathParam, signUpPathParam) => {
+      const baseUrl = window.location.origin;
+      const signInUrl = new URL(loginPath2, baseUrl);
+      if (!currentPath.includes(loginPathParam) && !currentPath.includes(signUpPathParam)) {
+        signInUrl.searchParams.set("redirect", currentPath);
+      }
+      return signInUrl.toString();
+    },
+    []
+  );
+  const shouldRedirect = useCallback(
+    (pathname2, isVerified) => {
+      const searchParams = new URLSearchParams(window.location.search);
+      if (isBaseAuthRoute(pathname2) && !searchParams.has("redirect")) {
+        return false;
+      }
+      if (isInternalRoute(pathname2)) {
+        return false;
+      }
+      if (isAuthRoute(pathname2) && (!requiresVerification || isVerified)) {
+        return false;
+      }
+      return true;
+    },
+    [requiresVerification]
+  );
+  const redirectToLogin = useCallback(
+    (currentPath) => {
+      const path = currentPath || pathname || "/";
+      if (isInternalRoute(path)) {
+        return;
+      }
+      if (hasRedirectLoop(path, loginPath)) {
+        return;
+      }
+      setIsRedirecting(true);
+      const loginUrl = constructUrlWithRedirect(loginPath, path, loginPath, signUpPath);
+      if (process.env.NODE_ENV === "production") {
+        window.location.href = loginUrl;
+      } else {
+        router.push(loginUrl);
+      }
+    },
+    [router, loginPath, signUpPath, pathname, constructUrlWithRedirect]
+  );
   const handleSignOut = useCallback(async (error) => {
+    const currentPath = window.location.pathname;
     await auth.signOut();
     setAuthState({
       isLoaded: true,
@@ -28,50 +85,126 @@ function TernSecureClientProvider({
       error: error || null,
       isValid: false,
       token: null,
-      email: null
+      email: null,
+      isVerified: false,
+      isAuthenticated: false,
+      status: "unauthenticated",
+      requiresVerification
     });
-    router.push(loginPath);
-  }, [auth, router, loginPath]);
+    redirectToLogin(currentPath);
+  }, [auth, redirectToLogin, requiresVerification]);
   const setEmail = useCallback((email) => {
     setAuthState((prev) => ({
       ...prev,
       email
     }));
   }, []);
+  const getAuthError = useCallback(() => {
+    if (authState.error) {
+      const error = authState.error;
+      return {
+        success: false,
+        message: error.message,
+        error: error.code,
+        user: null
+      };
+    }
+    if (authState.requiresVerification && authState.isValid && !authState.isVerified) {
+      return {
+        success: false,
+        message: "Email verification required",
+        error: "EMAIL_NOT_VERIFIED",
+        user: null
+      };
+    }
+    if (!authState.isAuthenticated && authState.status !== "loading") {
+      return {
+        success: false,
+        message: "User is not authenticated",
+        error: "AUTHENTICATED",
+        user: null
+      };
+    }
+    return {
+      success: true,
+      user: ternSecureAuth.currentUser
+    };
+  }, [
+    authState.error,
+    authState.isValid,
+    authState.isVerified,
+    authState.isAuthenticated,
+    authState.status,
+    authState.requiresVerification
+  ]);
   useEffect(() => {
-    const unsubscribe = onAuthStateChanged(auth, async (user) => {
-      if (user) {
-        setAuthState({
-          isLoaded: true,
-          userId: user.uid,
-          isValid: true,
-          token: user.getIdToken(),
-          error: null,
-          email: user.email
-        });
-      } else {
-        setAuthState({
-          isLoaded: true,
-          userId: null,
-          isValid: false,
-          token: null,
-          error: new Error("User is not authenticated"),
-          email: null
-        });
-        if (!window.location.pathname.includes("/sign-up")) {
-          router.push(loginPath);
+    let mounted = true;
+    let initialLoad = true;
+    const unsubscribe = onAuthStateChanged(
+      auth,
+      async (user) => {
+        if (!mounted) return;
+        try {
+          if (user) {
+            const isValid = !!user.uid;
+            const isVerified = user.emailVerified;
+            const isAuthenticated = isValid && (!requiresVerification || isVerified);
+            setAuthState({
+              isLoaded: true,
+              userId: user.uid,
+              isValid,
+              isVerified,
+              isAuthenticated: isValid && isVerified,
+              token: user.getIdToken(),
+              error: null,
+              email: user.email,
+              status: isAuthenticated ? "authenticated" : "unverified",
+              requiresVerification
+            });
+            if (requiresVerification && !isVerified && shouldRedirect(pathname || "", isVerified)) {
+              if (initialLoad || !isRedirecting) {
+                redirectToLogin(pathname);
+              }
+            }
+          } else {
+            setAuthState({
+              isLoaded: true,
+              userId: null,
+              isValid: false,
+              isVerified: false,
+              isAuthenticated: false,
+              token: null,
+              error: null,
+              email: null,
+              status: "unauthenticated",
+              requiresVerification
+            });
+            if (shouldRedirect(pathname || "", false) && initialLoad) {
+              redirectToLogin();
+            }
+          }
+        } catch (error) {
+          console.error("Auth state change error:", error);
+          if (mounted) {
+            handleSignOut(error instanceof Error ? error : new Error("Authentication error occurred"));
+          }
+        } finally {
+          initialLoad = false;
         }
       }
-    }, (error) => {
-      handleSignOut(error instanceof Error ? error : new Error("Authentication error occurred"));
-    });
-    return () => unsubscribe();
-  }, [auth, handleSignOut, router, loginPath]);
+    );
+    return () => {
+      mounted = false;
+      unsubscribe();
+    };
+  }, [auth, handleSignOut, redirectToLogin, requiresVerification, pathname, isRedirecting, shouldRedirect]);
   const contextValue = useMemo(() => ({
     ...authState,
     signOut: handleSignOut,
-    setEmail
-  }), [authState, auth, handleSignOut, setEmail]);
+    setEmail,
+    getAuthError,
+    redirectToLogin
+  }), [authState, handleSignOut, setEmail, getAuthError, redirectToLogin]);
   if (!authState.isLoaded) {
     return /* @__PURE__ */ jsx(TernSecureCtx.Provider, { value: contextValue, children: loadingComponent || /* @__PURE__ */ jsx("div", { "aria-live": "polite", "aria-busy": "true", children: /* @__PURE__ */ jsx("span", { className: "sr-only", children: "Loading authentication state..." }) }) });
   }

package/dist/esm/boundary/TernSecureClientProvider.js.map

@@ -1 +1 @@
-{"version":3,"sources":["../../../src/boundary/TernSecureClientProvider.tsx"],"sourcesContent":["\"use client\"\n\nimport React, { useState, useEffect, useMemo, useCallback } from 'react'\nimport { ternSecureAuth } from '../utils/client-init'\nimport { onAuthStateChanged, User } from \"firebase/auth\"\nimport { TernSecureCtx, TernSecureCtxValue, TernSecureState } from './TernSecureCtx'\nimport { useRouter } from 'next/navigation'\n\ninterface TernSecureClientProviderProps {\n  children: React.ReactNode;\n  onUserChanged?: (user: User | null) => Promise<void>;\n  loginPath?: string;\n  loadingComponent?: React.ReactNode;\n}\n\nexport function TernSecureClientProvider({ \n  children, \n  loginPath = '/sign-in',\n  loadingComponent\n}: TernSecureClientProviderProps) {\n  const auth = useMemo(() => ternSecureAuth, []);\n  const router = useRouter();\n  const [authState, setAuthState] = useState<TernSecureState>(() => ({\n    userId: null,\n    isLoaded: false,\n    error: null,\n    isValid: false,\n    token: null,\n    email: null\n  }));\n\n  const handleSignOut = useCallback(async (error?: Error) => {\n    await auth.signOut();\n    setAuthState({\n      isLoaded: true,\n      userId: null,\n      error: error || null,\n      isValid: false,\n      token: null,\n      email: null\n    });\n    router.push(loginPath);\n  }, [auth, router, loginPath]);\n\n  const setEmail = useCallback((email: string) => {\n    setAuthState((prev) => ({\n      ...prev,\n      email,\n    }))\n  }, [])\n\nuseEffect(() => {\n    const unsubscribe = onAuthStateChanged(auth, async (user: User | null) => {\n      if (user) {\n        setAuthState({\n          isLoaded: true,\n          userId: user.uid,\n          isValid: true,\n          token: user.getIdToken(),\n          error: null,\n          email: user.email,\n        })\n      } else {\n        setAuthState({\n          isLoaded: true,\n          userId: null,\n          isValid: false,\n          token: null,\n          error: new Error('User is not authenticated'),\n          email: null\n        })\n        if (!window.location.pathname.includes(\"/sign-up\")) {\n          router.push(loginPath)\n        }\n      }\n    }, (error) => {\n      handleSignOut(error instanceof Error ? error : new Error('Authentication error occurred'));\n    })\n    \n    return () => unsubscribe()\n  }, [auth, handleSignOut, router, loginPath])\n\n  const contextValue: TernSecureCtxValue = useMemo(() => ({\n    ...authState,\n    signOut: handleSignOut,\n    setEmail\n  }), [authState, auth, handleSignOut, setEmail]);\n\n  if (!authState.isLoaded) {\n    return (\n      <TernSecureCtx.Provider value={contextValue}>\n        {loadingComponent || (\n          <div aria-live=\"polite\" aria-busy=\"true\">\n            <span className=\"sr-only\">Loading authentication state...</span>\n          </div>\n        )}\n      </TernSecureCtx.Provider>\n    );\n  }\n\n  return (\n      <TernSecureCtx.Provider value={contextValue}>\n       {children}\n      </TernSecureCtx.Provider>\n  )\n}"],"mappings":";AA6FY;AA3FZ,SAAgB,UAAU,WAAW,SAAS,mBAAmB;AACjE,SAAS,sBAAsB;AAC/B,SAAS,0BAAgC;AACzC,SAAS,qBAA0D;AACnE,SAAS,iBAAiB;AASnB,SAAS,yBAAyB;AAAA,EACvC;AAAA,EACA,YAAY;AAAA,EACZ;AACF,GAAkC;AAChC,QAAM,OAAO,QAAQ,MAAM,gBAAgB,CAAC,CAAC;AAC7C,QAAM,SAAS,UAAU;AACzB,QAAM,CAAC,WAAW,YAAY,IAAI,SAA0B,OAAO;AAAA,IACjE,QAAQ;AAAA,IACR,UAAU;AAAA,IACV,OAAO;AAAA,IACP,SAAS;AAAA,IACT,OAAO;AAAA,IACP,OAAO;AAAA,EACT,EAAE;AAEF,QAAM,gBAAgB,YAAY,OAAO,UAAkB;AACzD,UAAM,KAAK,QAAQ;AACnB,iBAAa;AAAA,MACX,UAAU;AAAA,MACV,QAAQ;AAAA,MACR,OAAO,SAAS;AAAA,MAChB,SAAS;AAAA,MACT,OAAO;AAAA,MACP,OAAO;AAAA,IACT,CAAC;AACD,WAAO,KAAK,SAAS;AAAA,EACvB,GAAG,CAAC,MAAM,QAAQ,SAAS,CAAC;AAE5B,QAAM,WAAW,YAAY,CAAC,UAAkB;AAC9C,iBAAa,CAAC,UAAU;AAAA,MACtB,GAAG;AAAA,MACH;AAAA,IACF,EAAE;AAAA,EACJ,GAAG,CAAC,CAAC;AAEP,YAAU,MAAM;AACZ,UAAM,cAAc,mBAAmB,MAAM,OAAO,SAAsB;AACxE,UAAI,MAAM;AACR,qBAAa;AAAA,UACX,UAAU;AAAA,UACV,QAAQ,KAAK;AAAA,UACb,SAAS;AAAA,UACT,OAAO,KAAK,WAAW;AAAA,UACvB,OAAO;AAAA,UACP,OAAO,KAAK;AAAA,QACd,CAAC;AAAA,MACH,OAAO;AACL,qBAAa;AAAA,UACX,UAAU;AAAA,UACV,QAAQ;AAAA,UACR,SAAS;AAAA,UACT,OAAO;AAAA,UACP,OAAO,IAAI,MAAM,2BAA2B;AAAA,UAC5C,OAAO;AAAA,QACT,CAAC;AACD,YAAI,CAAC,OAAO,SAAS,SAAS,SAAS,UAAU,GAAG;AAClD,iBAAO,KAAK,SAAS;AAAA,QACvB;AAAA,MACF;AAAA,IACF,GAAG,CAAC,UAAU;AACZ,oBAAc,iBAAiB,QAAQ,QAAQ,IAAI,MAAM,+BAA+B,CAAC;AAAA,IAC3F,CAAC;AAED,WAAO,MAAM,YAAY;AAAA,EAC3B,GAAG,CAAC,MAAM,eAAe,QAAQ,SAAS,CAAC;AAE3C,QAAM,eAAmC,QAAQ,OAAO;AAAA,IACtD,GAAG;AAAA,IACH,SAAS;AAAA,IACT;AAAA,EACF,IAAI,CAAC,WAAW,MAAM,eAAe,QAAQ,CAAC;AAE9C,MAAI,CAAC,UAAU,UAAU;AACvB,WACE,oBAAC,cAAc,UAAd,EAAuB,OAAO,cAC5B,8BACC,oBAAC,SAAI,aAAU,UAAS,aAAU,QAChC,8BAAC,UAAK,WAAU,WAAU,6CAA+B,GAC3D,GAEJ;AAAA,EAEJ;AAEA,SACI,oBAAC,cAAc,UAAd,EAAuB,OAAO,cAC7B,UACF;AAEN;","names":[]}
+{"version":3,"sources":["../../../src/boundary/TernSecureClientProvider.tsx"],"sourcesContent":["\"use client\"\n\nimport React, { useState, useEffect, useMemo, useCallback } from 'react'\nimport { ternSecureAuth } from '../utils/client-init'\nimport { onAuthStateChanged, User } from \"firebase/auth\"\nimport { TernSecureCtx, TernSecureCtxValue } from './TernSecureCtx'\nimport type { TernSecureState, AuthError, SignInResponse } from \"../types\"\nimport type { ERRORS } from '../errors'\nimport { useRouter, usePathname } from 'next/navigation'\nimport { isBaseAuthRoute, isInternalRoute, isAuthRoute} from '../app-router/route-handler/internal-route'\nimport { hasRedirectLoop } from '../utils/construct'\n\n\n\n/**\n * @internal\n * Internal provider props - not meant for direct usage\n */\ninterface TernSecureClientProviderProps {\n  children: React.ReactNode\n  /** Callback when user state changes */\n  onUserChanged?: (user: User | null) => Promise<void>\n  /** Login page path */\n  loginPath?: string\n  /** Signup page path */\n  signUpPath?: string\n  /** Custom loading component */\n  loadingComponent?: React.ReactNode\n  /** Whether email verification is required */\n  requiresVerification: boolean\n}\n\n/**\n * @internal\n * Internal provider component that handles authentication state\n * This is wrapped by the public TernSecureProvider\n */\n\nexport function TernSecureClientProvider({ \n  children, \n  loginPath = process.env.NEXT_PUBLIC_SIGN_IN_PATH || '/sign-in',\n  signUpPath = process.env.NEXT_PUBLIC_SIGN_UP_PATH || '/sign-up',\n  loadingComponent,\n  requiresVerification,\n}: TernSecureClientProviderProps) {\n  const auth = useMemo(() => ternSecureAuth, []);\n  const router = useRouter();\n  const pathname = usePathname() // Get current pathname\n  const [isRedirecting, setIsRedirecting] = useState(false)\n\n  const [authState, setAuthState] = useState<TernSecureState>(() => ({\n    userId: null,\n    isLoaded: false,\n    error: null,\n    isValid: false,\n    isVerified: false,\n    isAuthenticated: false,\n    token: null,\n    email: null,\n    status: \"loading\",\n    requiresVerification,\n  }));\n\n  const constructUrlWithRedirect = useCallback(\n    (loginPath: string, currentPath: string, loginPathParam: string, signUpPathParam: string): string => {\n      const baseUrl = window.location.origin\n      const signInUrl = new URL(loginPath, baseUrl)\n\n      // Only add redirect if not already on login or signup page\n      if (!currentPath.includes(loginPathParam) && !currentPath.includes(signUpPathParam)) {\n        signInUrl.searchParams.set(\"redirect\", currentPath)\n      }\n      return signInUrl.toString()\n    },\n    [],\n  )\n\n\n  const shouldRedirect = useCallback(\n    (pathname: string, isVerified: boolean) => {\n      // Get current search params\n      const searchParams = new URLSearchParams(window.location.search)\n\n      // Don't redirect if we're on the base sign-in page with no redirect param\n      if (isBaseAuthRoute(pathname) && !searchParams.has(\"redirect\")) {\n        return false\n      }\n\n      // Don't redirect if we're on an internal route\n      if (isInternalRoute(pathname)) {\n        return false\n      }\n\n      // Don't redirect if we're in auth routes (except when handling verification)\n      if (isAuthRoute(pathname) && (!requiresVerification || isVerified)) {\n        return false\n      }\n\n      return true\n    },\n    [requiresVerification],\n  )\n\n  const redirectToLogin = useCallback(\n    (currentPath?: string) => {\n      const path = currentPath || pathname || \"/\"\n\n\n      if (isInternalRoute(path)) {  // Don't redirect if we're already on an internal route\n        return\n      }\n\n       // Check for redirect loops\n      if (hasRedirectLoop(path, loginPath)) {\n        return\n      }\n\n      setIsRedirecting(true)\n\n      const loginUrl = constructUrlWithRedirect(loginPath, path, loginPath, signUpPath)\n\n      if (process.env.NODE_ENV === \"production\") {\n        window.location.href = loginUrl\n      } else {\n        // Use router.push for development\n        router.push(loginUrl)\n      }\n  }, \n  [router, loginPath, signUpPath, pathname, constructUrlWithRedirect]\n)\n\n  const handleSignOut = useCallback(async (error?: Error) => {\n    const currentPath = window.location.pathname\n    await auth.signOut();\n    setAuthState({\n      isLoaded: true,\n      userId: null,\n      error: error || null,\n      isValid: false,\n      token: null,\n      email: null,\n      isVerified: false,\n      isAuthenticated: false,\n      status: \"unauthenticated\",\n      requiresVerification,\n    })\n    redirectToLogin(currentPath)\n  }, [auth, redirectToLogin, requiresVerification])\n\n  const setEmail = useCallback((email: string) => {\n    setAuthState((prev) => ({\n      ...prev,\n      email,\n    }))\n  }, [])\n\n  const getAuthError = useCallback((): SignInResponse => {\n    if (authState.error) {\n      const error = authState.error as AuthError;\n      return {\n        success: false,\n        message: error.message,\n        error: error.code as keyof typeof ERRORS,\n        user: null,\n      }\n    }\n\n    if (authState.requiresVerification && authState.isValid && !authState.isVerified) {\n      return {\n        success: false,\n        message: 'Email verification required',\n        error: 'EMAIL_NOT_VERIFIED',\n        user: null,\n      }\n    }\n\n    if (!authState.isAuthenticated && authState.status !== \"loading\") {\n      return {\n        success: false,\n        message: 'User is not authenticated',\n        error: 'AUTHENTICATED',\n        user: null,\n      }\n    }\n\n    return {\n      success: true,\n      user: ternSecureAuth.currentUser,\n    }\n  }, [\n    authState.error,\n    authState.isValid,\n    authState.isVerified,\n    authState.isAuthenticated,\n    authState.status,\n    authState.requiresVerification,\n  ])\n\nuseEffect(() => {\n  let mounted = true\n  let initialLoad = true\n\n  const unsubscribe = onAuthStateChanged(\n    auth,\n      async (user: User | null) => {\n       if (!mounted) return\n       try {\n        if (user) {\n        const isValid = !!user.uid;\n        const isVerified = user.emailVerified;\n        const isAuthenticated = isValid && (!requiresVerification || isVerified) // Consider user authenticated if verification is not required or if email is verified\n\n        setAuthState({\n          isLoaded: true,\n          userId: user.uid,\n          isValid,\n          isVerified,\n          isAuthenticated: isValid && isVerified,\n          token: user.getIdToken(),\n          error: null,\n          email: user.email,\n          status: isAuthenticated ? \"authenticated\" : \"unverified\",\n          requiresVerification,\n        })\n       \n        if (requiresVerification && !isVerified && shouldRedirect(pathname || \"\", isVerified)) {\n          if(initialLoad || !isRedirecting) {\n            redirectToLogin(pathname)\n        }\n      }\n      } else {\n        setAuthState({\n          isLoaded: true,\n          userId: null,\n          isValid: false,\n          isVerified: false,\n          isAuthenticated: false,\n          token: null,\n          error: null,\n          email: null,\n          status: \"unauthenticated\",\n          requiresVerification,\n        })\n        \n        if (shouldRedirect(pathname || \"\", false) && initialLoad) {\n          redirectToLogin()\n        }\n      }\n    } catch (error){\n      console.error(\"Auth state change error:\", error)\n      if (mounted) {\n        handleSignOut(error instanceof Error ? error : new Error(\"Authentication error occurred\"))\n      }\n    } finally {\n      initialLoad = false\n    }\n  })\n    \n  return () => {\n    mounted = false\n    unsubscribe()\n  }\n  }, [auth, handleSignOut, redirectToLogin, requiresVerification, pathname, isRedirecting, shouldRedirect])\n\n  const contextValue: TernSecureCtxValue = useMemo(() => ({\n    ...authState,\n    signOut: handleSignOut,\n    setEmail,\n    getAuthError,\n    redirectToLogin,\n  }), [authState, handleSignOut, setEmail, getAuthError, redirectToLogin]);\n\n  if (!authState.isLoaded) {\n    return (\n      <TernSecureCtx.Provider value={contextValue}>\n        {loadingComponent || (\n          <div aria-live=\"polite\" aria-busy=\"true\">\n            <span className=\"sr-only\">Loading authentication state...</span>\n          </div>\n        )}\n      </TernSecureCtx.Provider>\n    );\n  }\n\n  return (\n      <TernSecureCtx.Provider value={contextValue}>\n       {children}\n      </TernSecureCtx.Provider>\n  )\n}"],"mappings":";AAqRY;AAnRZ,SAAgB,UAAU,WAAW,SAAS,mBAAmB;AACjE,SAAS,sBAAsB;AAC/B,SAAS,0BAAgC;AACzC,SAAS,qBAAyC;AAGlD,SAAS,WAAW,mBAAmB;AACvC,SAAS,iBAAiB,iBAAiB,mBAAkB;AAC7D,SAAS,uBAAuB;AA4BzB,SAAS,yBAAyB;AAAA,EACvC;AAAA,EACA,YAAY,QAAQ,IAAI,4BAA4B;AAAA,EACpD,aAAa,QAAQ,IAAI,4BAA4B;AAAA,EACrD;AAAA,EACA;AACF,GAAkC;AAChC,QAAM,OAAO,QAAQ,MAAM,gBAAgB,CAAC,CAAC;AAC7C,QAAM,SAAS,UAAU;AACzB,QAAM,WAAW,YAAY;AAC7B,QAAM,CAAC,eAAe,gBAAgB,IAAI,SAAS,KAAK;AAExD,QAAM,CAAC,WAAW,YAAY,IAAI,SAA0B,OAAO;AAAA,IACjE,QAAQ;AAAA,IACR,UAAU;AAAA,IACV,OAAO;AAAA,IACP,SAAS;AAAA,IACT,YAAY;AAAA,IACZ,iBAAiB;AAAA,IACjB,OAAO;AAAA,IACP,OAAO;AAAA,IACP,QAAQ;AAAA,IACR;AAAA,EACF,EAAE;AAEF,QAAM,2BAA2B;AAAA,IAC/B,CAACA,YAAmB,aAAqB,gBAAwB,oBAAoC;AACnG,YAAM,UAAU,OAAO,SAAS;AAChC,YAAM,YAAY,IAAI,IAAIA,YAAW,OAAO;AAG5C,UAAI,CAAC,YAAY,SAAS,cAAc,KAAK,CAAC,YAAY,SAAS,eAAe,GAAG;AACnF,kBAAU,aAAa,IAAI,YAAY,WAAW;AAAA,MACpD;AACA,aAAO,UAAU,SAAS;AAAA,IAC5B;AAAA,IACA,CAAC;AAAA,EACH;AAGA,QAAM,iBAAiB;AAAA,IACrB,CAACC,WAAkB,eAAwB;AAEzC,YAAM,eAAe,IAAI,gBAAgB,OAAO,SAAS,MAAM;AAG/D,UAAI,gBAAgBA,SAAQ,KAAK,CAAC,aAAa,IAAI,UAAU,GAAG;AAC9D,eAAO;AAAA,MACT;AAGA,UAAI,gBAAgBA,SAAQ,GAAG;AAC7B,eAAO;AAAA,MACT;AAGA,UAAI,YAAYA,SAAQ,MAAM,CAAC,wBAAwB,aAAa;AAClE,eAAO;AAAA,MACT;AAEA,aAAO;AAAA,IACT;AAAA,IACA,CAAC,oBAAoB;AAAA,EACvB;AAEA,QAAM,kBAAkB;AAAA,IACtB,CAAC,gBAAyB;AACxB,YAAM,OAAO,eAAe,YAAY;AAGxC,UAAI,gBAAgB,IAAI,GAAG;AACzB;AAAA,MACF;AAGA,UAAI,gBAAgB,MAAM,SAAS,GAAG;AACpC;AAAA,MACF;AAEA,uBAAiB,IAAI;AAErB,YAAM,WAAW,yBAAyB,WAAW,MAAM,WAAW,UAAU;AAEhF,UAAI,QAAQ,IAAI,aAAa,cAAc;AACzC,eAAO,SAAS,OAAO;AAAA,MACzB,OAAO;AAEL,eAAO,KAAK,QAAQ;AAAA,MACtB;AAAA,IACJ;AAAA,IACA,CAAC,QAAQ,WAAW,YAAY,UAAU,wBAAwB;AAAA,EACpE;AAEE,QAAM,gBAAgB,YAAY,OAAO,UAAkB;AACzD,UAAM,cAAc,OAAO,SAAS;AACpC,UAAM,KAAK,QAAQ;AACnB,iBAAa;AAAA,MACX,UAAU;AAAA,MACV,QAAQ;AAAA,MACR,OAAO,SAAS;AAAA,MAChB,SAAS;AAAA,MACT,OAAO;AAAA,MACP,OAAO;AAAA,MACP,YAAY;AAAA,MACZ,iBAAiB;AAAA,MACjB,QAAQ;AAAA,MACR;AAAA,IACF,CAAC;AACD,oBAAgB,WAAW;AAAA,EAC7B,GAAG,CAAC,MAAM,iBAAiB,oBAAoB,CAAC;AAEhD,QAAM,WAAW,YAAY,CAAC,UAAkB;AAC9C,iBAAa,CAAC,UAAU;AAAA,MACtB,GAAG;AAAA,MACH;AAAA,IACF,EAAE;AAAA,EACJ,GAAG,CAAC,CAAC;AAEL,QAAM,eAAe,YAAY,MAAsB;AACrD,QAAI,UAAU,OAAO;AACnB,YAAM,QAAQ,UAAU;AACxB,aAAO;AAAA,QACL,SAAS;AAAA,QACT,SAAS,MAAM;AAAA,QACf,OAAO,MAAM;AAAA,QACb,MAAM;AAAA,MACR;AAAA,IACF;AAEA,QAAI,UAAU,wBAAwB,UAAU,WAAW,CAAC,UAAU,YAAY;AAChF,aAAO;AAAA,QACL,SAAS;AAAA,QACT,SAAS;AAAA,QACT,OAAO;AAAA,QACP,MAAM;AAAA,MACR;AAAA,IACF;AAEA,QAAI,CAAC,UAAU,mBAAmB,UAAU,WAAW,WAAW;AAChE,aAAO;AAAA,QACL,SAAS;AAAA,QACT,SAAS;AAAA,QACT,OAAO;AAAA,QACP,MAAM;AAAA,MACR;AAAA,IACF;AAEA,WAAO;AAAA,MACL,SAAS;AAAA,MACT,MAAM,eAAe;AAAA,IACvB;AAAA,EACF,GAAG;AAAA,IACD,UAAU;AAAA,IACV,UAAU;AAAA,IACV,UAAU;AAAA,IACV,UAAU;AAAA,IACV,UAAU;AAAA,IACV,UAAU;AAAA,EACZ,CAAC;AAEH,YAAU,MAAM;AACd,QAAI,UAAU;AACd,QAAI,cAAc;AAElB,UAAM,cAAc;AAAA,MAClB;AAAA,MACE,OAAO,SAAsB;AAC5B,YAAI,CAAC,QAAS;AACd,YAAI;AACH,cAAI,MAAM;AACV,kBAAM,UAAU,CAAC,CAAC,KAAK;AACvB,kBAAM,aAAa,KAAK;AACxB,kBAAM,kBAAkB,YAAY,CAAC,wBAAwB;AAE7D,yBAAa;AAAA,cACX,UAAU;AAAA,cACV,QAAQ,KAAK;AAAA,cACb;AAAA,cACA;AAAA,cACA,iBAAiB,WAAW;AAAA,cAC5B,OAAO,KAAK,WAAW;AAAA,cACvB,OAAO;AAAA,cACP,OAAO,KAAK;AAAA,cACZ,QAAQ,kBAAkB,kBAAkB;AAAA,cAC5C;AAAA,YACF,CAAC;AAED,gBAAI,wBAAwB,CAAC,cAAc,eAAe,YAAY,IAAI,UAAU,GAAG;AACrF,kBAAG,eAAe,CAAC,eAAe;AAChC,gCAAgB,QAAQ;AAAA,cAC5B;AAAA,YACF;AAAA,UACA,OAAO;AACL,yBAAa;AAAA,cACX,UAAU;AAAA,cACV,QAAQ;AAAA,cACR,SAAS;AAAA,cACT,YAAY;AAAA,cACZ,iBAAiB;AAAA,cACjB,OAAO;AAAA,cACP,OAAO;AAAA,cACP,OAAO;AAAA,cACP,QAAQ;AAAA,cACR;AAAA,YACF,CAAC;AAED,gBAAI,eAAe,YAAY,IAAI,KAAK,KAAK,aAAa;AACxD,8BAAgB;AAAA,YAClB;AAAA,UACF;AAAA,QACF,SAAS,OAAM;AACb,kBAAQ,MAAM,4BAA4B,KAAK;AAC/C,cAAI,SAAS;AACX,0BAAc,iBAAiB,QAAQ,QAAQ,IAAI,MAAM,+BAA+B,CAAC;AAAA,UAC3F;AAAA,QACF,UAAE;AACA,wBAAc;AAAA,QAChB;AAAA,MACF;AAAA,IAAC;AAED,WAAO,MAAM;AACX,gBAAU;AACV,kBAAY;AAAA,IACd;AAAA,EACA,GAAG,CAAC,MAAM,eAAe,iBAAiB,sBAAsB,UAAU,eAAe,cAAc,CAAC;AAExG,QAAM,eAAmC,QAAQ,OAAO;AAAA,IACtD,GAAG;AAAA,IACH,SAAS;AAAA,IACT;AAAA,IACA;AAAA,IACA;AAAA,EACF,IAAI,CAAC,WAAW,eAAe,UAAU,cAAc,eAAe,CAAC;AAEvE,MAAI,CAAC,UAAU,UAAU;AACvB,WACE,oBAAC,cAAc,UAAd,EAAuB,OAAO,cAC5B,8BACC,oBAAC,SAAI,aAAU,UAAS,aAAU,QAChC,8BAAC,UAAK,WAAU,WAAU,6CAA+B,GAC3D,GAEJ;AAAA,EAEJ;AAEA,SACI,oBAAC,cAAc,UAAd,EAAuB,OAAO,cAC7B,UACF;AAEN;","names":["loginPath","pathname"]}

package/dist/esm/boundary/TernSecureCtx.js.map

@@ -1 +1 @@
-{"version":3,"sources":["../../../src/boundary/TernSecureCtx.tsx"],"sourcesContent":["\"use client\"\n\nimport { createContext, useContext } from 'react'\nimport { ternSecureAuth } from '../utils/client-init';\nimport { User } from 'firebase/auth';\n\nexport const TernSecureUser = (): User | null => {\n  return ternSecureAuth.currentUser;\n}\n\nexport interface TernSecureState {\n  userId: string | null\n  isLoaded: boolean\n  error: Error | null\n  isValid: boolean\n  token: any | null\n  email: string | null\n}\n\nexport interface TernSecureCtxValue extends TernSecureState {\n signOut: () => Promise<void>\n setEmail: (email: string) => void\n}\n\nexport const TernSecureCtx = createContext<TernSecureCtxValue | null>(null)\n\nTernSecureCtx.displayName = 'TernSecureCtx'\n\nexport const useTernSecure = (hookName: string) => {\n  const context = useContext(TernSecureCtx)\n  \n  if (!context) {\n    throw new Error(\n      `${hookName} must be used within TernSecureProvider`\n    )\n  }\n\n  return context\n}\n\n"],"mappings":";AAEA,SAAS,eAAe,kBAAkB;AAC1C,SAAS,sBAAsB;AAGxB,MAAM,iBAAiB,MAAmB;AAC/C,SAAO,eAAe;AACxB;AAgBO,MAAM,gBAAgB,cAAyC,IAAI;AAE1E,cAAc,cAAc;AAErB,MAAM,gBAAgB,CAAC,aAAqB;AACjD,QAAM,UAAU,WAAW,aAAa;AAExC,MAAI,CAAC,SAAS;AACZ,UAAM,IAAI;AAAA,MACR,GAAG,QAAQ;AAAA,IACb;AAAA,EACF;AAEA,SAAO;AACT;","names":[]}
+{"version":3,"sources":["../../../src/boundary/TernSecureCtx.tsx"],"sourcesContent":["\"use client\"\n\nimport { createContext, useContext } from 'react'\nimport { ternSecureAuth } from '../utils/client-init';\nimport { User } from 'firebase/auth';\nimport type { TernSecureState, SignInResponse } from '../types';\n\nexport const TernSecureUser = (): User | null => {\n  return ternSecureAuth.currentUser;\n}\n\nexport interface TernSecureCtxValue extends TernSecureState {\n signOut: () => Promise<void>\n setEmail: (email: string) => void\n getAuthError: () => SignInResponse\n redirectToLogin: () => void\n}\n\nexport const TernSecureCtx = createContext<TernSecureCtxValue | null>(null)\n\nTernSecureCtx.displayName = 'TernSecureCtx'\n\nexport const useTernSecure = (hookName: string) => {\n  const context = useContext(TernSecureCtx)\n  \n  if (!context) {\n    throw new Error(\n      `${hookName} must be used within TernSecureProvider`\n    )\n  }\n\n  return context\n}\n\n"],"mappings":";AAEA,SAAS,eAAe,kBAAkB;AAC1C,SAAS,sBAAsB;AAIxB,MAAM,iBAAiB,MAAmB;AAC/C,SAAO,eAAe;AACxB;AASO,MAAM,gBAAgB,cAAyC,IAAI;AAE1E,cAAc,cAAc;AAErB,MAAM,gBAAgB,CAAC,aAAqB;AACjD,QAAM,UAAU,WAAW,aAAa;AAExC,MAAI,CAAC,SAAS;AACZ,UAAM,IAAI;AAAA,MACR,GAAG,QAAQ;AAAA,IACb;AAAA,EACF;AAEA,SAAO;AACT;","names":[]}

package/dist/esm/boundary/hooks/useAuth.js

@@ -7,17 +7,30 @@ function useAuth() {
     isLoaded,
     error,
     isValid,
+    isVerified,
+    isAuthenticated,
     token,
+    getAuthError,
+    status,
+    requiresVerification,
     signOut
   } = useTernSecure("useAuth");
   const user = TernSecureUser();
+  const authResponse = getAuthError();
   return {
     user,
     userId,
     isLoaded,
-    error,
-    isAuthenticated: isValid,
+    error: authResponse.success ? null : authResponse,
+    isValid,
+    // User is signed in
+    isVerified,
+    // Email is verified
+    isAuthenticated,
+    // User is both signed in and verified
     token,
+    status,
+    requiresVerification,
     signOut
   };
 }

package/dist/esm/boundary/hooks/useAuth.js.map

@@ -1 +1 @@
-{"version":3,"sources":["../../../../src/boundary/hooks/useAuth.ts"],"sourcesContent":["\"use client\"\n\nimport { useTernSecure } from '../TernSecureCtx'\nimport {  User } from 'firebase/auth'\nimport { TernSecureUser } from '../TernSecureCtx'\n\nexport function useAuth() {\n  const {\n    userId,\n    isLoaded,\n    error,\n    isValid,\n    token,\n    signOut\n  } = useTernSecure('useAuth')\n\n  const user: User | null = TernSecureUser()\n\n  return {\n    user,\n    userId,\n    isLoaded,\n    error,\n    isAuthenticated: isValid,\n    token,\n    signOut\n  }\n}\n"],"mappings":";AAEA,SAAS,qBAAqB;AAE9B,SAAS,sBAAsB;AAExB,SAAS,UAAU;AACxB,QAAM;AAAA,IACJ;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,EACF,IAAI,cAAc,SAAS;AAE3B,QAAM,OAAoB,eAAe;AAEzC,SAAO;AAAA,IACL;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA,iBAAiB;AAAA,IACjB;AAAA,IACA;AAAA,EACF;AACF;","names":[]}
+{"version":3,"sources":["../../../../src/boundary/hooks/useAuth.ts"],"sourcesContent":["\"use client\"\n\nimport { useTernSecure } from '../TernSecureCtx'\nimport {  User } from 'firebase/auth'\nimport { TernSecureUser } from '../TernSecureCtx'\nimport type { SignInResponse } from '../../types'\n\n\nexport function useAuth() {\n  const {\n    userId,\n    isLoaded,\n    error,\n    isValid,\n    isVerified,\n    isAuthenticated,\n    token,\n    getAuthError,\n    status,\n    requiresVerification,\n    signOut\n  } = useTernSecure('useAuth')\n\n  const user: User | null = TernSecureUser()\n  const authResponse: SignInResponse = getAuthError()\n\n\n  return {\n    user,\n    userId,\n    isLoaded,\n    error: authResponse.success ? null : authResponse,\n    isValid,         // User is signed in\n    isVerified,      // Email is verified\n    isAuthenticated, // User is both signed in and verified\n    token,\n    status,\n    requiresVerification,\n    signOut\n  }\n}\n"],"mappings":";AAEA,SAAS,qBAAqB;AAE9B,SAAS,sBAAsB;AAIxB,SAAS,UAAU;AACxB,QAAM;AAAA,IACJ;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,EACF,IAAI,cAAc,SAAS;AAE3B,QAAM,OAAoB,eAAe;AACzC,QAAM,eAA+B,aAAa;AAGlD,SAAO;AAAA,IACL;AAAA,IACA;AAAA,IACA;AAAA,IACA,OAAO,aAAa,UAAU,OAAO;AAAA,IACrC;AAAA;AAAA,IACA;AAAA;AAAA,IACA;AAAA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,EACF;AACF;","names":[]}

package/dist/esm/components/sign-in.js

@@ -1,7 +1,7 @@
 "use client";
 import { Fragment, jsx, jsxs } from "react/jsx-runtime";
 import { useState, useCallback, useEffect } from "react";
-import { useSearchParams } from "next/navigation";
+import { useSearchParams, useRouter, usePathname } from "next/navigation";
 import { signInWithEmail, signInWithRedirectGoogle, signInWithMicrosoft } from "../app-router/client/actions";
 import { Card, CardContent, CardDescription, CardFooter, CardHeader, CardTitle } from "./ui/card";
 import { Input } from "./ui/input";
@@ -10,12 +10,15 @@ import { Button } from "./ui/button";
 import { Alert, AlertDescription } from "./ui/alert";
 import { Separator } from "./ui/separator";
 import { cn } from "../lib/utils";
-import { Loader2 } from "lucide-react";
+import { Loader2, Eye, EyeOff } from "lucide-react";
 import { getRedirectResult } from "firebase/auth";
 import { ternSecureAuth } from "../utils/client-init";
 import { createSessionCookie } from "../app-router/server/sessionTernSecure";
 import { AuthBackground } from "./background";
 import { getValidRedirectUrl } from "../utils/construct";
+import { handleInternalRoute } from "../app-router/route-handler/internal-route";
+import { useAuth } from "../boundary/hooks/useAuth";
+import { getErrorAlertVariant } from "../errors";
 const authDomain = process.env.NEXT_PUBLIC_FIREBASE_AUTH_DOMAIN;
 const appName = process.env.NEXT_PUBLIC_FIREBASE_APP_NAME || "TernSecure";
 function SignIn({
@@ -27,11 +30,65 @@ function SignIn({
 }) {
   const [loading, setLoading] = useState(false);
   const [checkingRedirect, setCheckingRedirect] = useState(true);
+  const [formError, setFormError] = useState(null);
   const [error, setError] = useState("");
   const [email, setEmail] = useState("");
   const [password, setPassword] = useState("");
+  const [showPassword, setShowPassword] = useState(false);
+  const [passwordFocused, setPasswordFocused] = useState(false);
+  const [authResponse, setAuthResponse] = useState(null);
+  const [authErrorMessage, setAuthErrorMessage] = useState(null);
   const searchParams = useSearchParams();
   const isRedirectSignIn = searchParams.get("signInRedirect") === "true";
+  const router = useRouter();
+  const pathname = usePathname();
+  const InternalComponent = handleInternalRoute(pathname || "");
+  const { requiresVerification, error: authError, status } = useAuth();
+  const validRedirectUrl = getValidRedirectUrl(searchParams, redirectUrl);
+  if (InternalComponent) {
+    return /* @__PURE__ */ jsx(InternalComponent, {});
+  }
+  useEffect(() => {
+    if (authError && status !== "loading" && status !== "unauthenticated") {
+      const message = authError.message || "Authentication failed";
+      setAuthErrorMessage(message);
+      if (!authResponse || authResponse.message !== message) {
+        setAuthResponse(authError);
+      }
+    } else {
+      setAuthErrorMessage(null);
+    }
+  }, [authError, status, authResponse]);
+  const handleSuccessfulAuth = useCallback(
+    async (user) => {
+      try {
+        const idToken = await user.getIdToken();
+        const sessionResult = await createSessionCookie(idToken);
+        if (!sessionResult.success) {
+          setFormError({
+            success: false,
+            message: sessionResult.message || "Failed to create session",
+            error: "INTERNAL_ERROR",
+            user: null
+          });
+        }
+        onSuccess == null ? void 0 : onSuccess();
+        if (process.env.NODE_ENV === "production") {
+          window.location.href = validRedirectUrl;
+        } else {
+          router.push(validRedirectUrl);
+        }
+      } catch (err) {
+        setFormError({
+          success: false,
+          message: "Failed to complete authentication",
+          error: "INTERNAL_ERROR",
+          user: null
+        });
+      }
+    },
+    [validRedirectUrl, router, onSuccess]
+  );
   const handleRedirectResult = useCallback(async () => {
     if (!isRedirectSignIn) return false;
     setCheckingRedirect(true);
@@ -52,15 +109,16 @@ function SignIn({
         const storedRedirectUrl = sessionStorage.getItem("auth_return_url");
         sessionStorage.removeItem("auth_redirect_url");
         onSuccess == null ? void 0 : onSuccess();
-        window.location.href = storedRedirectUrl || getValidRedirectUrl(redirectUrl, searchParams);
+        window.location.href = storedRedirectUrl || getValidRedirectUrl(searchParams, redirectUrl);
         return true;
       }
       setCheckingRedirect(false);
     } catch (err) {
-      console.error("Redirect result error:", err);
-      const errorMessage = err instanceof Error ? err.message : "Authentication failed";
-      setError(errorMessage);
-      onError == null ? void 0 : onError(err instanceof Error ? err : new Error(errorMessage));
+      const errorMessage = err;
+      setFormError(errorMessage);
+      if (onError && err instanceof Error) {
+        onError(err);
+      }
       sessionStorage.removeItem("auth_redirect_url");
       return false;
     }
@@ -69,21 +127,42 @@ function SignIn({
     if (isRedirectSignIn) {
       handleRedirectResult();
     }
-    ;
   }, [handleRedirectResult, isRedirectSignIn]);
   const handleSubmit = async (e) => {
     e.preventDefault();
     setLoading(true);
+    setFormError(null);
+    setAuthResponse(null);
     try {
-      const user = await signInWithEmail(email, password);
-      if (user.success) {
-        onSuccess == null ? void 0 : onSuccess();
-        window.location.href = getValidRedirectUrl(redirectUrl, searchParams);
+      const response = await signInWithEmail(email, password);
+      setAuthResponse(response);
+      if (!response.success) {
+        setFormError({
+          success: false,
+          message: response.message,
+          error: response.error,
+          user: null
+        });
+        return;
+      }
+      if (response.user) {
+        if (requiresVerification && !response.user.emailVerified) {
+          setFormError({
+            success: false,
+            message: "Email verification required",
+            error: "REQUIRES_VERIFICATION",
+            user: response.user
+          });
+          return;
+        }
+        await handleSuccessfulAuth(response.user);
       }
     } catch (err) {
-      const errorMessage = err instanceof Error ? err.message : "Failed to sign in";
-      setError(errorMessage);
-      onError == null ? void 0 : onError(err instanceof Error ? err : new Error("Failed to sign in"));
+      const errorMessage = err;
+      setFormError(errorMessage);
+      if (onError && err instanceof Error) {
+        onError(err);
+      }
     } finally {
       setLoading(false);
     }
@@ -91,8 +170,8 @@ function SignIn({
   const handleSocialSignIn = async (provider) => {
     setLoading(true);
     try {
-      const validRedirectUrl = getValidRedirectUrl(redirectUrl, searchParams);
-      sessionStorage.setItem("auth_redirect_url", validRedirectUrl);
+      const validRedirectUrl2 = getValidRedirectUrl(searchParams, redirectUrl);
+      sessionStorage.setItem("auth_redirect_url", validRedirectUrl2);
       const currentUrl = new URL(window.location.href);
       currentUrl.searchParams.set("signInRedirect", "true");
       window.history.replaceState({}, "", currentUrl.toString());
@@ -101,29 +180,50 @@ function SignIn({
         throw new Error(result.error);
       }
     } catch (err) {
-      const errorMessage = err instanceof Error ? err.message : `Failed to sign in with ${provider}`;
-      setError(errorMessage);
-      onError == null ? void 0 : onError(err instanceof Error ? err : new Error(`Failed to sign in with ${provider}`));
+      const errorMessage = err;
+      setFormError(errorMessage);
+      if (onError && err instanceof Error) {
+        onError(err);
+      }
       setLoading(false);
       sessionStorage.removeItem("auth_redirect_url");
     }
   };
+  const handleVerificationRedirect = (e) => {
+    e.preventDefault();
+    router.push("/sign-in/verify");
+  };
   if (checkingRedirect && isRedirectSignIn) {
     return /* @__PURE__ */ jsx("div", { className: "flex min-h-screen items-center justify-center", children: /* @__PURE__ */ jsx("div", { className: "text-center space-y-4", children: /* @__PURE__ */ jsx("div", { className: "animate-spin rounded-full h-12 w-12 border-b-2 border-primary mx-auto" }) }) });
   }
+  const activeError = formError || authResponse;
+  const showEmailVerificationButton = (activeError == null ? void 0 : activeError.error) === "EMAIL_NOT_VERIFIED" || (activeError == null ? void 0 : activeError.error) === "REQUIRES_VERIFICATION";
   return /* @__PURE__ */ jsxs("div", { className: "relative flex items-center justify-center", children: [
     /* @__PURE__ */ jsx(AuthBackground, {}),
     /* @__PURE__ */ jsxs(Card, { className: cn("w-full max-w-md mx-auto mt-8", className, customStyles.card), children: [
       /* @__PURE__ */ jsxs(CardHeader, { className: "space-y-1 text-center", children: [
         /* @__PURE__ */ jsxs(CardTitle, { className: cn("font-bold", customStyles.title), children: [
           "Sign in to ",
-          `${appName}`
+          `${appName}`,
+          " "
         ] }),
         /* @__PURE__ */ jsx(CardDescription, { className: cn("text-muted-foreground", customStyles.description), children: "Please sign in to continue" })
       ] }),
       /* @__PURE__ */ jsxs(CardContent, { className: "space-y-4", children: [
         /* @__PURE__ */ jsxs("form", { onSubmit: handleSubmit, className: "space-y-4", children: [
-          error && /* @__PURE__ */ jsx(Alert, { variant: "destructive", children: /* @__PURE__ */ jsx(AlertDescription, { children: error }) }),
+          activeError && /* @__PURE__ */ jsx(Alert, { variant: getErrorAlertVariant(activeError), className: "animate-in fade-in-50", children: /* @__PURE__ */ jsxs(AlertDescription, { children: [
+            /* @__PURE__ */ jsx("span", { children: activeError.message }),
+            showEmailVerificationButton && /* @__PURE__ */ jsx(
+              Button,
+              {
+                type: "button",
+                variant: "link",
+                className: "p-0 h-auto font-normal text-sm hover:underline",
+                onClick: handleVerificationRedirect,
+                children: "Request new verification email \u2192"
+              }
+            )
+          ] }) }),
           /* @__PURE__ */ jsxs("div", { className: "space-y-2", children: [
             /* @__PURE__ */ jsx(Label, { htmlFor: "email", className: cn(customStyles.label), children: "Email" }),
             /* @__PURE__ */ jsx(
@@ -136,24 +236,47 @@ function SignIn({
                 onChange: (e) => setEmail(e.target.value),
                 disabled: loading,
                 className: cn(customStyles.input),
-                required: true
+                required: true,
+                "aria-invalid": (activeError == null ? void 0 : activeError.error) === "INVALID_EMAIL",
+                "aria-describedby": activeError ? "error-message" : void 0
               }
             )
           ] }),
           /* @__PURE__ */ jsxs("div", { className: "space-y-2", children: [
             /* @__PURE__ */ jsx(Label, { htmlFor: "password", className: cn(customStyles.label), children: "Password" }),
-            /* @__PURE__ */ jsx(
-              Input,
-              {
-                id: "password",
-                type: "password",
-                value: password,
-                onChange: (e) => setPassword(e.target.value),
-                disabled: loading,
-                className: cn(customStyles.input),
-                required: true
-              }
-            )
+            /* @__PURE__ */ jsxs("div", { className: "relative", children: [
+              /* @__PURE__ */ jsx(
+                Input,
+                {
+                  id: "password",
+                  name: "password",
+                  type: showPassword ? "text" : "password",
+                  value: password,
+                  onChange: (e) => setPassword(e.target.value),
+                  onFocus: () => setPasswordFocused(true),
+                  onBlur: () => setPasswordFocused(false),
+                  disabled: loading,
+                  className: cn(customStyles.input),
+                  required: true,
+                  "aria-invalid": (activeError == null ? void 0 : activeError.error) === "INVALID_CREDENTIALS",
+                  "aria-describedby": activeError ? "error-message" : void 0
+                }
+              ),
+              /* @__PURE__ */ jsxs(
+                Button,
+                {
+                  type: "button",
+                  variant: "ghost",
+                  size: "icon",
+                  className: "absolute right-2 top-1/2 -translate-y-1/2 h-8 w-8 hover:bg-transparent",
+                  onClick: () => setShowPassword(!showPassword),
+                  children: [
+                    showPassword ? /* @__PURE__ */ jsx(EyeOff, { className: "h-4 w-4 text-muted-foreground hover:text-foreground" }) : /* @__PURE__ */ jsx(Eye, { className: "h-4 w-4 text-muted-foreground hover:text-foreground" }),
+                    /* @__PURE__ */ jsx("span", { className: "sr-only", children: showPassword ? "Hide password" : "Show password" })
+                  ]
+                }
+              )
+            ] })
           ] }),
           /* @__PURE__ */ jsx(Button, { type: "submit", disabled: loading, className: cn("w-full", customStyles.button), children: loading ? /* @__PURE__ */ jsxs(Fragment, { children: [
             /* @__PURE__ */ jsx(Loader2, { className: "mr-2 h-4 w-4 animate-spin" }),
@@ -161,8 +284,8 @@ function SignIn({
           ] }) : "Sign in" })
         ] }),
         /* @__PURE__ */ jsxs("div", { className: "relative", children: [
-          /* @__PURE__ */ jsx("div", { className: "absolute inset-0 flex items-center", children: /* @__PURE__ */ jsx(Separator, { className: cn(customStyles.separator) }) }),
-          /* @__PURE__ */ jsx("div", { className: "relative flex justify-center text-xs uppercase", children: /* @__PURE__ */ jsx("span", { className: "bg-background px-2 text-muted-foreground", children: "Or continue with" }) })
+          /* @__PURE__ */ jsx(Separator, { className: cn(customStyles.separator) }),
+          /* @__PURE__ */ jsx("div", { className: "absolute inset-0 flex items-center justify-center", children: /* @__PURE__ */ jsx("span", { className: "bg-background px-2 text-muted-foreground text-sm", children: "Or continue with" }) })
         ] }),
         /* @__PURE__ */ jsxs("div", { className: "grid grid-cols-2 gap-4", children: [
           /* @__PURE__ */ jsxs(