@theranova/auth-sdk 0.1.0

package/README.md

@@ -0,0 +1,161 @@
+# @theranova/auth-sdk
+
+Theranova Platform OAuth2 Authentication SDK for frontend applications.
+
+## Installation
+
+```bash
+npm install @theranova/auth-sdk
+# or
+yarn add @theranova/auth-sdk
+# or
+pnpm add @theranova/auth-sdk
+```
+
+## Quick Start
+
+```typescript
+import { TheranovaAuth } from '@theranova/auth-sdk';
+
+const auth = new TheranovaAuth({
+  issuer: 'https://auth.theranova.com',
+  clientId: 'your-client-id',
+  redirectUri: 'https://your-app.com/callback',
+});
+
+// Start login flow
+await auth.login();
+```
+
+## Configuration
+
+```typescript
+interface TheranovaAuthConfig {
+  /** Authorization server issuer URL */
+  issuer: string;
+  /** OAuth2 client ID */
+  clientId: string;
+  /** Redirect URI for OAuth2 callback */
+  redirectUri: string;
+  /** OAuth2 scopes (default: openid profile email offline_access) */
+  scopes?: string[];
+  /** Storage key for tokens (default: theranova_auth_tokens) */
+  storageKey?: string;
+  /** Post-logout redirect URI */
+  postLogoutRedirectUri?: string;
+}
+```
+
+## Usage
+
+### Login
+
+```typescript
+// Start OAuth2 PKCE login flow
+// This will redirect to the authorization server
+await auth.login();
+```
+
+### Handle Callback
+
+In your callback page:
+
+```typescript
+try {
+  const tokens = await auth.handleCallback();
+  console.log('Login successful:', tokens);
+  // Redirect to your app
+  window.location.href = '/dashboard';
+} catch (error) {
+  console.error('Login failed:', error);
+}
+```
+
+### Check Authentication
+
+```typescript
+if (auth.isAuthenticated()) {
+  console.log('User is logged in');
+}
+```
+
+### Get Access Token
+
+```typescript
+// Automatically refreshes if expired
+const token = await auth.getAccessToken();
+
+// Use in API calls
+fetch('/api/data', {
+  headers: {
+    'Authorization': `Bearer ${token}`,
+  },
+});
+```
+
+### Get User Info
+
+```typescript
+// Get user info from ID token
+const userInfo = auth.getUserInfo();
+console.log('User:', userInfo.name, userInfo.email);
+```
+
+### Local Logout
+
+Clears tokens from the current app only. Other connected apps remain logged in.
+
+```typescript
+auth.logout();
+// Redirect to login page
+window.location.href = '/login';
+```
+
+### Global Logout (SSO)
+
+Logs out from all connected applications via the authorization server.
+
+```typescript
+// Get logout URL (useful if you need to do something before logout)
+const logoutUrl = auth.getGlobalLogoutUrl();
+
+// Or logout and redirect immediately
+auth.logoutGlobal();
+```
+
+## Token Management
+
+### TokenManager
+
+For advanced token management:
+
+```typescript
+import { TokenManager } from '@theranova/auth-sdk';
+
+const tokenManager = new TokenManager('my-app-tokens');
+
+// Get tokens
+const tokens = tokenManager.get();
+
+// Check if expired
+if (tokenManager.isExpired()) {
+  // Refresh or re-login
+}
+
+// Clear tokens
+tokenManager.clear();
+```
+
+## Important Notes
+
+1. **Device Management**: This SDK handles authentication only. Device management is handled separately by the Theranova Platform.
+
+2. **PKCE**: This SDK uses OAuth2 with PKCE (Proof Key for Code Exchange) for enhanced security in public clients (browser apps).
+
+3. **JWT Access Tokens**: The Theranova Platform issues JWT access tokens. Opaque tokens are not supported.
+
+4. **SSO Logout**: When using `logoutGlobal()`, all connected applications will be logged out via OIDC front-channel or back-channel logout.
+
+## License
+
+MIT

package/package.json

@@ -0,0 +1,48 @@
+{
+  "name": "@theranova/auth-sdk",
+  "version": "0.1.0",
+  "description": "Theranova Platform OAuth2 Authentication SDK for frontend applications",
+  "main": "./src/index.js",
+  "types": "./src/index.d.ts",
+  "exports": {
+    ".": {
+      "import": "./src/index.js",
+      "require": "./src/index.js",
+      "types": "./src/index.d.ts"
+    }
+  },
+  "files": [
+    "src"
+  ],
+  "keywords": [
+    "theranova",
+    "oauth2",
+    "authentication",
+    "sso",
+    "pkce",
+    "oidc"
+  ],
+  "author": "Theranova",
+  "license": "MIT",
+  "repository": {
+    "type": "git",
+    "url": "https://github.com/theranova/hopsys.git",
+    "directory": "libs/theranova/auth-sdk"
+  },
+  "publishConfig": {
+    "access": "public"
+  },
+  "peerDependencies": {
+    "react": ">=18.0.0"
+  },
+  "peerDependenciesMeta": {
+    "react": {
+      "optional": true
+    }
+  },
+  "devDependencies": {
+    "typescript": "^5.0.0"
+  },
+  "module": "./src/index.js",
+  "type": "module"
+}

package/src/core/TheranovaAuth.d.ts

@@ -0,0 +1,93 @@
+/**
+ * TheranovaAuth
+ * Main class for OAuth2 PKCE authentication
+ */
+import { type TokenStorage } from './token-manager';
+export interface TheranovaAuthConfig {
+    /** Authorization server issuer URL (e.g., https://auth.theranova.com) */
+    issuer: string;
+    /** OAuth2 client ID */
+    clientId: string;
+    /** Redirect URI for OAuth2 callback */
+    redirectUri: string;
+    /** OAuth2 scopes (default: openid profile email offline_access) */
+    scopes?: string[];
+    /** Storage key for tokens (default: theranova_auth_tokens) */
+    storageKey?: string;
+    /** Post-logout redirect URI */
+    postLogoutRedirectUri?: string;
+}
+export interface TheranovaAuthTokens {
+    accessToken: string;
+    refreshToken?: string;
+    idToken?: string;
+    expiresIn: number;
+    tokenType: string;
+}
+export declare class TheranovaAuth {
+    private config;
+    private tokenManager;
+    constructor(config: TheranovaAuthConfig);
+    /**
+     * Start OAuth2 PKCE login flow
+     * Generates PKCE challenge and redirects to authorization server
+     */
+    login(): Promise<void>;
+    /**
+     * Handle OAuth2 callback
+     * Exchanges authorization code for tokens
+     *
+     * @returns The tokens if successful, null if there was an error
+     */
+    handleCallback(): Promise<TheranovaAuthTokens | null>;
+    /**
+     * Exchange authorization code for tokens
+     */
+    private exchangeCodeForTokens;
+    /**
+     * Refresh access token using refresh token
+     */
+    refreshAccessToken(): Promise<TheranovaAuthTokens | null>;
+    /**
+     * Get current access token (refreshes if expired)
+     */
+    getAccessToken(): Promise<string | null>;
+    /**
+     * Get stored tokens
+     */
+    getTokens(): TokenStorage | null;
+    /**
+     * Check if user is authenticated
+     */
+    isAuthenticated(): boolean;
+    /**
+     * Local logout (clears tokens from this app only)
+     */
+    logout(): void;
+    /**
+     * Global logout (SSO logout - logs out from all connected apps)
+     * Returns the logout URL to redirect to
+     */
+    getGlobalLogoutUrl(): string | null;
+    /**
+     * Perform global logout and redirect
+     */
+    logoutGlobal(): void;
+    /**
+     * Get user info from ID token
+     */
+    getUserInfo(): Record<string, unknown> | null;
+    /**
+     * Generate random string for state and code verifier
+     */
+    private generateRandomString;
+    /**
+     * Generate PKCE code challenge from verifier
+     */
+    private generateCodeChallenge;
+    /**
+     * Base64 URL encode
+     */
+    private base64UrlEncode;
+}
+//# sourceMappingURL=TheranovaAuth.d.ts.map

package/src/core/TheranovaAuth.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"TheranovaAuth.d.ts","sourceRoot":"","sources":["../../../../../../libs/theranova/auth-sdk/src/core/TheranovaAuth.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,OAAO,EAAgB,KAAK,YAAY,EAAE,MAAM,iBAAiB,CAAC;AAGlE,MAAM,WAAW,mBAAmB;IAClC,yEAAyE;IACzE,MAAM,EAAE,MAAM,CAAC;IACf,uBAAuB;IACvB,QAAQ,EAAE,MAAM,CAAC;IACjB,uCAAuC;IACvC,WAAW,EAAE,MAAM,CAAC;IACpB,mEAAmE;IACnE,MAAM,CAAC,EAAE,MAAM,EAAE,CAAC;IAClB,8DAA8D;IAC9D,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,+BAA+B;IAC/B,qBAAqB,CAAC,EAAE,MAAM,CAAC;CAChC;AAED,MAAM,WAAW,mBAAmB;IAClC,WAAW,EAAE,MAAM,CAAC;IACpB,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,SAAS,EAAE,MAAM,CAAC;IAClB,SAAS,EAAE,MAAM,CAAC;CACnB;AAUD,qBAAa,aAAa;IACxB,OAAO,CAAC,MAAM,CAAsB;IACpC,OAAO,CAAC,YAAY,CAAe;gBAEvB,MAAM,EAAE,mBAAmB;IAQvC;;;OAGG;IACG,KAAK,IAAI,OAAO,CAAC,IAAI,CAAC;IA8B5B;;;;;OAKG;IACG,cAAc,IAAI,OAAO,CAAC,mBAAmB,GAAG,IAAI,CAAC;IAmD3D;;OAEG;YACW,qBAAqB;IAiCnC;;OAEG;IACG,kBAAkB,IAAI,OAAO,CAAC,mBAAmB,GAAG,IAAI,CAAC;IAoD/D;;OAEG;IACG,cAAc,IAAI,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC;IAY9C;;OAEG;IACH,SAAS,IAAI,YAAY,GAAG,IAAI;IAIhC;;OAEG;IACH,eAAe,IAAI,OAAO;IAI1B;;OAEG;IACH,MAAM,IAAI,IAAI;IAId;;;OAGG;IACH,kBAAkB,IAAI,MAAM,GAAG,IAAI;IAQnC;;OAEG;IACH,YAAY,IAAI,IAAI;IAQpB;;OAEG;IACH,WAAW,IAAI,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,IAAI;IAkB7C;;OAEG;IACH,OAAO,CAAC,oBAAoB;IAM5B;;OAEG;YACW,qBAAqB;IAOnC;;OAEG;IACH,OAAO,CAAC,eAAe;CAUxB"}

package/src/core/TheranovaAuth.js

@@ -0,0 +1,273 @@
+/**
+ * TheranovaAuth
+ * Main class for OAuth2 PKCE authentication
+ */
+import { TokenManager } from './token-manager';
+import { logout as localLogout, logoutGlobal, logoutAndRedirect } from './logout';
+export class TheranovaAuth {
+    constructor(config) {
+        this.config = {
+            ...config,
+            scopes: config.scopes || ['openid', 'profile', 'email', 'offline_access'],
+        };
+        this.tokenManager = new TokenManager(config.storageKey);
+    }
+    /**
+     * Start OAuth2 PKCE login flow
+     * Generates PKCE challenge and redirects to authorization server
+     */
+    async login() {
+        // Generate state for CSRF protection
+        const state = this.generateRandomString(32);
+        // Generate PKCE code verifier and challenge
+        const codeVerifier = this.generateRandomString(64);
+        const codeChallenge = await this.generateCodeChallenge(codeVerifier);
+        // Store state and code verifier in sessionStorage
+        if (typeof sessionStorage !== 'undefined') {
+            sessionStorage.setItem('oauth2_state', state);
+            sessionStorage.setItem('oauth2_code_verifier', codeVerifier);
+        }
+        // Build authorization URL
+        const authUrl = new URL('/auth', this.config.issuer);
+        authUrl.searchParams.set('response_type', 'code');
+        authUrl.searchParams.set('client_id', this.config.clientId);
+        authUrl.searchParams.set('redirect_uri', this.config.redirectUri);
+        authUrl.searchParams.set('scope', this.config.scopes.join(' '));
+        authUrl.searchParams.set('state', state);
+        authUrl.searchParams.set('code_challenge', codeChallenge);
+        authUrl.searchParams.set('code_challenge_method', 'S256');
+        // Redirect to authorization server
+        if (typeof window !== 'undefined') {
+            window.location.href = authUrl.toString();
+        }
+    }
+    /**
+     * Handle OAuth2 callback
+     * Exchanges authorization code for tokens
+     *
+     * @returns The tokens if successful, null if there was an error
+     */
+    async handleCallback() {
+        if (typeof window === 'undefined') {
+            return null;
+        }
+        const urlParams = new URLSearchParams(window.location.search);
+        const code = urlParams.get('code');
+        const state = urlParams.get('state');
+        const error = urlParams.get('error');
+        const errorDescription = urlParams.get('error_description');
+        // Check for errors
+        if (error) {
+            console.error('[TheranovaAuth] OAuth2 error:', error, errorDescription);
+            throw new Error(errorDescription || error);
+        }
+        if (!code) {
+            throw new Error('Authorization code not found in callback URL');
+        }
+        // Validate state
+        const savedState = sessionStorage.getItem('oauth2_state');
+        if (state !== savedState) {
+            throw new Error('State mismatch - possible CSRF attack');
+        }
+        // Get code verifier
+        const codeVerifier = sessionStorage.getItem('oauth2_code_verifier');
+        if (!codeVerifier) {
+            throw new Error('Code verifier not found. Please try logging in again.');
+        }
+        // Exchange code for tokens
+        const tokens = await this.exchangeCodeForTokens(code, codeVerifier);
+        // Save tokens
+        this.tokenManager.save({
+            accessToken: tokens.accessToken,
+            refreshToken: tokens.refreshToken,
+            idToken: tokens.idToken,
+            expiresAt: Date.now() + tokens.expiresIn * 1000,
+        });
+        // Clean up sessionStorage
+        sessionStorage.removeItem('oauth2_state');
+        sessionStorage.removeItem('oauth2_code_verifier');
+        return tokens;
+    }
+    /**
+     * Exchange authorization code for tokens
+     */
+    async exchangeCodeForTokens(code, codeVerifier) {
+        const tokenUrl = new URL('/token', this.config.issuer);
+        const response = await fetch(tokenUrl.toString(), {
+            method: 'POST',
+            headers: {
+                'Content-Type': 'application/x-www-form-urlencoded',
+            },
+            body: new URLSearchParams({
+                grant_type: 'authorization_code',
+                code,
+                redirect_uri: this.config.redirectUri,
+                client_id: this.config.clientId,
+                code_verifier: codeVerifier,
+            }),
+        });
+        if (!response.ok) {
+            const errorData = await response.json().catch(() => ({}));
+            throw new Error(errorData.error_description || errorData.error || 'Token exchange failed');
+        }
+        const data = await response.json();
+        return {
+            accessToken: data.access_token,
+            refreshToken: data.refresh_token,
+            idToken: data.id_token,
+            expiresIn: data.expires_in,
+            tokenType: data.token_type,
+        };
+    }
+    /**
+     * Refresh access token using refresh token
+     */
+    async refreshAccessToken() {
+        const refreshToken = this.tokenManager.getRefreshToken();
+        if (!refreshToken) {
+            return null;
+        }
+        const tokenUrl = new URL('/token', this.config.issuer);
+        try {
+            const response = await fetch(tokenUrl.toString(), {
+                method: 'POST',
+                headers: {
+                    'Content-Type': 'application/x-www-form-urlencoded',
+                },
+                body: new URLSearchParams({
+                    grant_type: 'refresh_token',
+                    refresh_token: refreshToken,
+                    client_id: this.config.clientId,
+                }),
+            });
+            if (!response.ok) {
+                // Refresh failed, clear tokens
+                this.tokenManager.clear();
+                return null;
+            }
+            const data = await response.json();
+            const tokens = {
+                accessToken: data.access_token,
+                refreshToken: data.refresh_token || refreshToken,
+                idToken: data.id_token,
+                expiresIn: data.expires_in,
+                tokenType: data.token_type,
+            };
+            // Save new tokens
+            this.tokenManager.save({
+                accessToken: tokens.accessToken,
+                refreshToken: tokens.refreshToken,
+                idToken: tokens.idToken,
+                expiresAt: Date.now() + tokens.expiresIn * 1000,
+            });
+            return tokens;
+        }
+        catch {
+            this.tokenManager.clear();
+            return null;
+        }
+    }
+    /**
+     * Get current access token (refreshes if expired)
+     */
+    async getAccessToken() {
+        // Try to get non-expired token
+        let token = this.tokenManager.getAccessToken();
+        if (token) {
+            return token;
+        }
+        // Token expired, try to refresh
+        const newTokens = await this.refreshAccessToken();
+        return newTokens?.accessToken || null;
+    }
+    /**
+     * Get stored tokens
+     */
+    getTokens() {
+        return this.tokenManager.get();
+    }
+    /**
+     * Check if user is authenticated
+     */
+    isAuthenticated() {
+        return !this.tokenManager.isExpired();
+    }
+    /**
+     * Local logout (clears tokens from this app only)
+     */
+    logout() {
+        localLogout({ tokenManager: this.tokenManager });
+    }
+    /**
+     * Global logout (SSO logout - logs out from all connected apps)
+     * Returns the logout URL to redirect to
+     */
+    getGlobalLogoutUrl() {
+        return logoutGlobal({
+            tokenManager: this.tokenManager,
+            issuer: this.config.issuer,
+            postLogoutRedirectUri: this.config.postLogoutRedirectUri || this.config.redirectUri,
+        });
+    }
+    /**
+     * Perform global logout and redirect
+     */
+    logoutGlobal() {
+        logoutAndRedirect({
+            tokenManager: this.tokenManager,
+            issuer: this.config.issuer,
+            postLogoutRedirectUri: this.config.postLogoutRedirectUri || this.config.redirectUri,
+        });
+    }
+    /**
+     * Get user info from ID token
+     */
+    getUserInfo() {
+        const idToken = this.tokenManager.getIdToken();
+        if (!idToken) {
+            return null;
+        }
+        try {
+            const parts = idToken.split('.');
+            if (parts.length !== 3) {
+                return null;
+            }
+            const payload = JSON.parse(atob(parts[1]));
+            return payload;
+        }
+        catch {
+            return null;
+        }
+    }
+    /**
+     * Generate random string for state and code verifier
+     */
+    generateRandomString(length) {
+        const array = new Uint8Array(length);
+        crypto.getRandomValues(array);
+        return Array.from(array, (byte) => byte.toString(16).padStart(2, '0')).join('').slice(0, length);
+    }
+    /**
+     * Generate PKCE code challenge from verifier
+     */
+    async generateCodeChallenge(verifier) {
+        const encoder = new TextEncoder();
+        const data = encoder.encode(verifier);
+        const digest = await crypto.subtle.digest('SHA-256', data);
+        return this.base64UrlEncode(new Uint8Array(digest));
+    }
+    /**
+     * Base64 URL encode
+     */
+    base64UrlEncode(buffer) {
+        let binary = '';
+        for (let i = 0; i < buffer.length; i++) {
+            binary += String.fromCharCode(buffer[i]);
+        }
+        return btoa(binary)
+            .replace(/\+/g, '-')
+            .replace(/\//g, '_')
+            .replace(/=/g, '');
+    }
+}
+//# sourceMappingURL=TheranovaAuth.js.map

package/src/core/TheranovaAuth.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"TheranovaAuth.js","sourceRoot":"","sources":["../../../../../../libs/theranova/auth-sdk/src/core/TheranovaAuth.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,OAAO,EAAE,YAAY,EAAqB,MAAM,iBAAiB,CAAC;AAClE,OAAO,EAAE,MAAM,IAAI,WAAW,EAAE,YAAY,EAAE,iBAAiB,EAAE,MAAM,UAAU,CAAC;AAiClF,MAAM,OAAO,aAAa;IAIxB,YAAY,MAA2B;QACrC,IAAI,CAAC,MAAM,GAAG;YACZ,GAAG,MAAM;YACT,MAAM,EAAE,MAAM,CAAC,MAAM,IAAI,CAAC,QAAQ,EAAE,SAAS,EAAE,OAAO,EAAE,gBAAgB,CAAC;SAC1E,CAAC;QACF,IAAI,CAAC,YAAY,GAAG,IAAI,YAAY,CAAC,MAAM,CAAC,UAAU,CAAC,CAAC;IAC1D,CAAC;IAED;;;OAGG;IACH,KAAK,CAAC,KAAK;QACT,qCAAqC;QACrC,MAAM,KAAK,GAAG,IAAI,CAAC,oBAAoB,CAAC,EAAE,CAAC,CAAC;QAE5C,4CAA4C;QAC5C,MAAM,YAAY,GAAG,IAAI,CAAC,oBAAoB,CAAC,EAAE,CAAC,CAAC;QACnD,MAAM,aAAa,GAAG,MAAM,IAAI,CAAC,qBAAqB,CAAC,YAAY,CAAC,CAAC;QAErE,kDAAkD;QAClD,IAAI,OAAO,cAAc,KAAK,WAAW,EAAE,CAAC;YAC1C,cAAc,CAAC,OAAO,CAAC,cAAc,EAAE,KAAK,CAAC,CAAC;YAC9C,cAAc,CAAC,OAAO,CAAC,sBAAsB,EAAE,YAAY,CAAC,CAAC;QAC/D,CAAC;QAED,0BAA0B;QAC1B,MAAM,OAAO,GAAG,IAAI,GAAG,CAAC,OAAO,EAAE,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC;QACrD,OAAO,CAAC,YAAY,CAAC,GAAG,CAAC,eAAe,EAAE,MAAM,CAAC,CAAC;QAClD,OAAO,CAAC,YAAY,CAAC,GAAG,CAAC,WAAW,EAAE,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC;QAC5D,OAAO,CAAC,YAAY,CAAC,GAAG,CAAC,cAAc,EAAE,IAAI,CAAC,MAAM,CAAC,WAAW,CAAC,CAAC;QAClE,OAAO,CAAC,YAAY,CAAC,GAAG,CAAC,OAAO,EAAE,IAAI,CAAC,MAAM,CAAC,MAAO,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC;QACjE,OAAO,CAAC,YAAY,CAAC,GAAG,CAAC,OAAO,EAAE,KAAK,CAAC,CAAC;QACzC,OAAO,CAAC,YAAY,CAAC,GAAG,CAAC,gBAAgB,EAAE,aAAa,CAAC,CAAC;QAC1D,OAAO,CAAC,YAAY,CAAC,GAAG,CAAC,uBAAuB,EAAE,MAAM,CAAC,CAAC;QAE1D,mCAAmC;QACnC,IAAI,OAAO,MAAM,KAAK,WAAW,EAAE,CAAC;YAClC,MAAM,CAAC,QAAQ,CAAC,IAAI,GAAG,OAAO,CAAC,QAAQ,EAAE,CAAC;QAC5C,CAAC;IACH,CAAC;IAED;;;;;OAKG;IACH,KAAK,CAAC,cAAc;QAClB,IAAI,OAAO,MAAM,KAAK,WAAW,EAAE,CAAC;YAClC,OAAO,IAAI,CAAC;QACd,CAAC;QAED,MAAM,SAAS,GAAG,IAAI,eAAe,CAAC,MAAM,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC;QAC9D,MAAM,IAAI,GAAG,SAAS,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;QACnC,MAAM,KAAK,GAAG,SAAS,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;QACrC,MAAM,KAAK,GAAG,SAAS,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;QACrC,MAAM,gBAAgB,GAAG,SAAS,CAAC,GAAG,CAAC,mBAAmB,CAAC,CAAC;QAE5D,mBAAmB;QACnB,IAAI,KAAK,EAAE,CAAC;YACV,OAAO,CAAC,KAAK,CAAC,+BAA+B,EAAE,KAAK,EAAE,gBAAgB,CAAC,CAAC;YACxE,MAAM,IAAI,KAAK,CAAC,gBAAgB,IAAI,KAAK,CAAC,CAAC;QAC7C,CAAC;QAED,IAAI,CAAC,IAAI,EAAE,CAAC;YACV,MAAM,IAAI,KAAK,CAAC,8CAA8C,CAAC,CAAC;QAClE,CAAC;QAED,iBAAiB;QACjB,MAAM,UAAU,GAAG,cAAc,CAAC,OAAO,CAAC,cAAc,CAAC,CAAC;QAC1D,IAAI,KAAK,KAAK,UAAU,EAAE,CAAC;YACzB,MAAM,IAAI,KAAK,CAAC,uCAAuC,CAAC,CAAC;QAC3D,CAAC;QAED,oBAAoB;QACpB,MAAM,YAAY,GAAG,cAAc,CAAC,OAAO,CAAC,sBAAsB,CAAC,CAAC;QACpE,IAAI,CAAC,YAAY,EAAE,CAAC;YAClB,MAAM,IAAI,KAAK,CAAC,uDAAuD,CAAC,CAAC;QAC3E,CAAC;QAED,2BAA2B;QAC3B,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,qBAAqB,CAAC,IAAI,EAAE,YAAY,CAAC,CAAC;QAEpE,cAAc;QACd,IAAI,CAAC,YAAY,CAAC,IAAI,CAAC;YACrB,WAAW,EAAE,MAAM,CAAC,WAAW;YAC/B,YAAY,EAAE,MAAM,CAAC,YAAY;YACjC,OAAO,EAAE,MAAM,CAAC,OAAO;YACvB,SAAS,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,MAAM,CAAC,SAAS,GAAG,IAAI;SAChD,CAAC,CAAC;QAEH,0BAA0B;QAC1B,cAAc,CAAC,UAAU,CAAC,cAAc,CAAC,CAAC;QAC1C,cAAc,CAAC,UAAU,CAAC,sBAAsB,CAAC,CAAC;QAElD,OAAO,MAAM,CAAC;IAChB,CAAC;IAED;;OAEG;IACK,KAAK,CAAC,qBAAqB,CAAC,IAAY,EAAE,YAAoB;QACpE,MAAM,QAAQ,GAAG,IAAI,GAAG,CAAC,QAAQ,EAAE,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC;QAEvD,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,QAAQ,CAAC,QAAQ,EAAE,EAAE;YAChD,MAAM,EAAE,MAAM;YACd,OAAO,EAAE;gBACP,cAAc,EAAE,mCAAmC;aACpD;YACD,IAAI,EAAE,IAAI,eAAe,CAAC;gBACxB,UAAU,EAAE,oBAAoB;gBAChC,IAAI;gBACJ,YAAY,EAAE,IAAI,CAAC,MAAM,CAAC,WAAW;gBACrC,SAAS,EAAE,IAAI,CAAC,MAAM,CAAC,QAAQ;gBAC/B,aAAa,EAAE,YAAY;aAC5B,CAAC;SACH,CAAC,CAAC;QAEH,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;YACjB,MAAM,SAAS,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC;YAC1D,MAAM,IAAI,KAAK,CAAC,SAAS,CAAC,iBAAiB,IAAI,SAAS,CAAC,KAAK,IAAI,uBAAuB,CAAC,CAAC;QAC7F,CAAC;QAED,MAAM,IAAI,GAAkB,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC;QAElD,OAAO;YACL,WAAW,EAAE,IAAI,CAAC,YAAY;YAC9B,YAAY,EAAE,IAAI,CAAC,aAAa;YAChC,OAAO,EAAE,IAAI,CAAC,QAAQ;YACtB,SAAS,EAAE,IAAI,CAAC,UAAU;YAC1B,SAAS,EAAE,IAAI,CAAC,UAAU;SAC3B,CAAC;IACJ,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,kBAAkB;QACtB,MAAM,YAAY,GAAG,IAAI,CAAC,YAAY,CAAC,eAAe,EAAE,CAAC;QACzD,IAAI,CAAC,YAAY,EAAE,CAAC;YAClB,OAAO,IAAI,CAAC;QACd,CAAC;QAED,MAAM,QAAQ,GAAG,IAAI,GAAG,CAAC,QAAQ,EAAE,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC;QAEvD,IAAI,CAAC;YACH,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,QAAQ,CAAC,QAAQ,EAAE,EAAE;gBAChD,MAAM,EAAE,MAAM;gBACd,OAAO,EAAE;oBACP,cAAc,EAAE,mCAAmC;iBACpD;gBACD,IAAI,EAAE,IAAI,eAAe,CAAC;oBACxB,UAAU,EAAE,eAAe;oBAC3B,aAAa,EAAE,YAAY;oBAC3B,SAAS,EAAE,IAAI,CAAC,MAAM,CAAC,QAAQ;iBAChC,CAAC;aACH,CAAC,CAAC;YAEH,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;gBACjB,+BAA+B;gBAC/B,IAAI,CAAC,YAAY,CAAC,KAAK,EAAE,CAAC;gBAC1B,OAAO,IAAI,CAAC;YACd,CAAC;YAED,MAAM,IAAI,GAAkB,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC;YAElD,MAAM,MAAM,GAAwB;gBAClC,WAAW,EAAE,IAAI,CAAC,YAAY;gBAC9B,YAAY,EAAE,IAAI,CAAC,aAAa,IAAI,YAAY;gBAChD,OAAO,EAAE,IAAI,CAAC,QAAQ;gBACtB,SAAS,EAAE,IAAI,CAAC,UAAU;gBAC1B,SAAS,EAAE,IAAI,CAAC,UAAU;aAC3B,CAAC;YAEF,kBAAkB;YAClB,IAAI,CAAC,YAAY,CAAC,IAAI,CAAC;gBACrB,WAAW,EAAE,MAAM,CAAC,WAAW;gBAC/B,YAAY,EAAE,MAAM,CAAC,YAAY;gBACjC,OAAO,EAAE,MAAM,CAAC,OAAO;gBACvB,SAAS,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,MAAM,CAAC,SAAS,GAAG,IAAI;aAChD,CAAC,CAAC;YAEH,OAAO,MAAM,CAAC;QAChB,CAAC;QAAC,MAAM,CAAC;YACP,IAAI,CAAC,YAAY,CAAC,KAAK,EAAE,CAAC;YAC1B,OAAO,IAAI,CAAC;QACd,CAAC;IACH,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,cAAc;QAClB,+BAA+B;QAC/B,IAAI,KAAK,GAAG,IAAI,CAAC,YAAY,CAAC,cAAc,EAAE,CAAC;QAC/C,IAAI,KAAK,EAAE,CAAC;YACV,OAAO,KAAK,CAAC;QACf,CAAC;QAED,gCAAgC;QAChC,MAAM,SAAS,GAAG,MAAM,IAAI,CAAC,kBAAkB,EAAE,CAAC;QAClD,OAAO,SAAS,EAAE,WAAW,IAAI,IAAI,CAAC;IACxC,CAAC;IAED;;OAEG;IACH,SAAS;QACP,OAAO,IAAI,CAAC,YAAY,CAAC,GAAG,EAAE,CAAC;IACjC,CAAC;IAED;;OAEG;IACH,eAAe;QACb,OAAO,CAAC,IAAI,CAAC,YAAY,CAAC,SAAS,EAAE,CAAC;IACxC,CAAC;IAED;;OAEG;IACH,MAAM;QACJ,WAAW,CAAC,EAAE,YAAY,EAAE,IAAI,CAAC,YAAY,EAAE,CAAC,CAAC;IACnD,CAAC;IAED;;;OAGG;IACH,kBAAkB;QAChB,OAAO,YAAY,CAAC;YAClB,YAAY,EAAE,IAAI,CAAC,YAAY;YAC/B,MAAM,EAAE,IAAI,CAAC,MAAM,CAAC,MAAM;YAC1B,qBAAqB,EAAE,IAAI,CAAC,MAAM,CAAC,qBAAqB,IAAI,IAAI,CAAC,MAAM,CAAC,WAAW;SACpF,CAAC,CAAC;IACL,CAAC;IAED;;OAEG;IACH,YAAY;QACV,iBAAiB,CAAC;YAChB,YAAY,EAAE,IAAI,CAAC,YAAY;YAC/B,MAAM,EAAE,IAAI,CAAC,MAAM,CAAC,MAAM;YAC1B,qBAAqB,EAAE,IAAI,CAAC,MAAM,CAAC,qBAAqB,IAAI,IAAI,CAAC,MAAM,CAAC,WAAW;SACpF,CAAC,CAAC;IACL,CAAC;IAED;;OAEG;IACH,WAAW;QACT,MAAM,OAAO,GAAG,IAAI,CAAC,YAAY,CAAC,UAAU,EAAE,CAAC;QAC/C,IAAI,CAAC,OAAO,EAAE,CAAC;YACb,OAAO,IAAI,CAAC;QACd,CAAC;QAED,IAAI,CAAC;YACH,MAAM,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;YACjC,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;gBACvB,OAAO,IAAI,CAAC;YACd,CAAC;YACD,MAAM,OAAO,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;YAC3C,OAAO,OAAO,CAAC;QACjB,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,IAAI,CAAC;QACd,CAAC;IACH,CAAC;IAED;;OAEG;IACK,oBAAoB,CAAC,MAAc;QACzC,MAAM,KAAK,GAAG,IAAI,UAAU,CAAC,MAAM,CAAC,CAAC;QACrC,MAAM,CAAC,eAAe,CAAC,KAAK,CAAC,CAAC;QAC9B,OAAO,KAAK,CAAC,IAAI,CAAC,KAAK,EAAE,CAAC,IAAI,EAAE,EAAE,CAAC,IAAI,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,CAAC,EAAE,GAAG,CAAC,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,MAAM,CAAC,CAAC;IACnG,CAAC;IAED;;OAEG;IACK,KAAK,CAAC,qBAAqB,CAAC,QAAgB;QAClD,MAAM,OAAO,GAAG,IAAI,WAAW,EAAE,CAAC;QAClC,MAAM,IAAI,GAAG,OAAO,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC;QACtC,MAAM,MAAM,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,SAAS,EAAE,IAAI,CAAC,CAAC;QAC3D,OAAO,IAAI,CAAC,eAAe,CAAC,IAAI,UAAU,CAAC,MAAM,CAAC,CAAC,CAAC;IACtD,CAAC;IAED;;OAEG;IACK,eAAe,CAAC,MAAkB;QACxC,IAAI,MAAM,GAAG,EAAE,CAAC;QAChB,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,MAAM,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;YACvC,MAAM,IAAI,MAAM,CAAC,YAAY,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,CAAC;QAC3C,CAAC;QACD,OAAO,IAAI,CAAC,MAAM,CAAC;aAChB,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC;aACnB,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC;aACnB,OAAO,CAAC,IAAI,EAAE,EAAE,CAAC,CAAC;IACvB,CAAC;CACF"}

package/src/core/logout.d.ts

@@ -0,0 +1,36 @@
+/**
+ * Logout utilities
+ * Handles local and global (SSO) logout
+ */
+import { TokenManager } from './token-manager';
+export interface LogoutOptions {
+    /** Token manager instance */
+    tokenManager?: TokenManager;
+    /** Custom storage key if not using default TokenManager */
+    storageKey?: string;
+    /** Authorization server issuer URL */
+    issuer?: string;
+    /** Post-logout redirect URI */
+    postLogoutRedirectUri?: string;
+    /** ID token for global logout */
+    idToken?: string;
+}
+/**
+ * Local logout
+ * Clears tokens from localStorage without affecting other apps
+ */
+export declare function logout(options?: LogoutOptions): void;
+/**
+ * Global logout (SSO logout)
+ * Redirects to the authorization server's end_session endpoint
+ * This will log out from all connected applications
+ *
+ * @returns The logout URL to redirect to, or null if issuer is not provided
+ */
+export declare function logoutGlobal(options: LogoutOptions): string | null;
+/**
+ * Perform global logout and redirect
+ * Convenience function that combines logoutGlobal with navigation
+ */
+export declare function logoutAndRedirect(options: LogoutOptions): void;
+//# sourceMappingURL=logout.d.ts.map

package/src/core/logout.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"logout.d.ts","sourceRoot":"","sources":["../../../../../../libs/theranova/auth-sdk/src/core/logout.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,OAAO,EAAE,YAAY,EAAE,MAAM,iBAAiB,CAAC;AAE/C,MAAM,WAAW,aAAa;IAC5B,6BAA6B;IAC7B,YAAY,CAAC,EAAE,YAAY,CAAC;IAC5B,2DAA2D;IAC3D,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,sCAAsC;IACtC,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,+BAA+B;IAC/B,qBAAqB,CAAC,EAAE,MAAM,CAAC;IAC/B,iCAAiC;IACjC,OAAO,CAAC,EAAE,MAAM,CAAC;CAClB;AAED;;;GAGG;AACH,wBAAgB,MAAM,CAAC,OAAO,GAAE,aAAkB,GAAG,IAAI,CASxD;AAED;;;;;;GAMG;AACH,wBAAgB,YAAY,CAAC,OAAO,EAAE,aAAa,GAAG,MAAM,GAAG,IAAI,CA8BlE;AAED;;;GAGG;AACH,wBAAgB,iBAAiB,CAAC,OAAO,EAAE,aAAa,GAAG,IAAI,CAM9D"}

package/src/core/logout.js

@@ -0,0 +1,60 @@
+/**
+ * Logout utilities
+ * Handles local and global (SSO) logout
+ */
+import { TokenManager } from './token-manager';
+/**
+ * Local logout
+ * Clears tokens from localStorage without affecting other apps
+ */
+export function logout(options = {}) {
+    const tokenManager = options.tokenManager || new TokenManager(options.storageKey);
+    tokenManager.clear();
+    // Also clear any PKCE state
+    if (typeof sessionStorage !== 'undefined') {
+        sessionStorage.removeItem('oauth2_state');
+        sessionStorage.removeItem('oauth2_code_verifier');
+    }
+}
+/**
+ * Global logout (SSO logout)
+ * Redirects to the authorization server's end_session endpoint
+ * This will log out from all connected applications
+ *
+ * @returns The logout URL to redirect to, or null if issuer is not provided
+ */
+export function logoutGlobal(options) {
+    const { issuer, postLogoutRedirectUri, idToken, tokenManager, storageKey } = options;
+    if (!issuer) {
+        console.warn('[TheranovaAuth] Cannot perform global logout: issuer not provided');
+        return null;
+    }
+    // Get ID token from options or storage
+    let idTokenHint = idToken;
+    if (!idTokenHint) {
+        const tm = tokenManager || new TokenManager(storageKey);
+        idTokenHint = tm.getIdToken() || undefined;
+    }
+    // Build end_session URL
+    const url = new URL('/session/end', issuer);
+    if (idTokenHint) {
+        url.searchParams.set('id_token_hint', idTokenHint);
+    }
+    if (postLogoutRedirectUri) {
+        url.searchParams.set('post_logout_redirect_uri', postLogoutRedirectUri);
+    }
+    // Clear local tokens
+    logout({ tokenManager, storageKey });
+    return url.toString();
+}
+/**
+ * Perform global logout and redirect
+ * Convenience function that combines logoutGlobal with navigation
+ */
+export function logoutAndRedirect(options) {
+    const logoutUrl = logoutGlobal(options);
+    if (logoutUrl && typeof window !== 'undefined') {
+        window.location.href = logoutUrl;
+    }
+}
+//# sourceMappingURL=logout.js.map

package/src/core/logout.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"logout.js","sourceRoot":"","sources":["../../../../../../libs/theranova/auth-sdk/src/core/logout.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,OAAO,EAAE,YAAY,EAAE,MAAM,iBAAiB,CAAC;AAe/C;;;GAGG;AACH,MAAM,UAAU,MAAM,CAAC,UAAyB,EAAE;IAChD,MAAM,YAAY,GAAG,OAAO,CAAC,YAAY,IAAI,IAAI,YAAY,CAAC,OAAO,CAAC,UAAU,CAAC,CAAC;IAClF,YAAY,CAAC,KAAK,EAAE,CAAC;IAErB,4BAA4B;IAC5B,IAAI,OAAO,cAAc,KAAK,WAAW,EAAE,CAAC;QAC1C,cAAc,CAAC,UAAU,CAAC,cAAc,CAAC,CAAC;QAC1C,cAAc,CAAC,UAAU,CAAC,sBAAsB,CAAC,CAAC;IACpD,CAAC;AACH,CAAC;AAED;;;;;;GAMG;AACH,MAAM,UAAU,YAAY,CAAC,OAAsB;IACjD,MAAM,EAAE,MAAM,EAAE,qBAAqB,EAAE,OAAO,EAAE,YAAY,EAAE,UAAU,EAAE,GAAG,OAAO,CAAC;IAErF,IAAI,CAAC,MAAM,EAAE,CAAC;QACZ,OAAO,CAAC,IAAI,CAAC,mEAAmE,CAAC,CAAC;QAClF,OAAO,IAAI,CAAC;IACd,CAAC;IAED,uCAAuC;IACvC,IAAI,WAAW,GAAG,OAAO,CAAC;IAC1B,IAAI,CAAC,WAAW,EAAE,CAAC;QACjB,MAAM,EAAE,GAAG,YAAY,IAAI,IAAI,YAAY,CAAC,UAAU,CAAC,CAAC;QACxD,WAAW,GAAG,EAAE,CAAC,UAAU,EAAE,IAAI,SAAS,CAAC;IAC7C,CAAC;IAED,wBAAwB;IACxB,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,cAAc,EAAE,MAAM,CAAC,CAAC;IAE5C,IAAI,WAAW,EAAE,CAAC;QAChB,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,eAAe,EAAE,WAAW,CAAC,CAAC;IACrD,CAAC;IAED,IAAI,qBAAqB,EAAE,CAAC;QAC1B,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,0BAA0B,EAAE,qBAAqB,CAAC,CAAC;IAC1E,CAAC;IAED,qBAAqB;IACrB,MAAM,CAAC,EAAE,YAAY,EAAE,UAAU,EAAE,CAAC,CAAC;IAErC,OAAO,GAAG,CAAC,QAAQ,EAAE,CAAC;AACxB,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,iBAAiB,CAAC,OAAsB;IACtD,MAAM,SAAS,GAAG,YAAY,CAAC,OAAO,CAAC,CAAC;IAExC,IAAI,SAAS,IAAI,OAAO,MAAM,KAAK,WAAW,EAAE,CAAC;QAC/C,MAAM,CAAC,QAAQ,CAAC,IAAI,GAAG,SAAS,CAAC;IACnC,CAAC;AACH,CAAC"}

package/src/core/token-manager.d.ts

@@ -0,0 +1,43 @@
+/**
+ * Token Manager
+ * Handles token storage and retrieval
+ */
+export interface TokenStorage {
+    accessToken: string;
+    refreshToken?: string;
+    idToken?: string;
+    expiresAt: number;
+}
+export declare class TokenManager {
+    private storageKey;
+    constructor(storageKey?: string);
+    /**
+     * Save tokens to localStorage
+     */
+    save(tokens: TokenStorage): void;
+    /**
+     * Get tokens from localStorage
+     */
+    get(): TokenStorage | null;
+    /**
+     * Clear tokens from localStorage
+     */
+    clear(): void;
+    /**
+     * Check if access token is expired
+     */
+    isExpired(): boolean;
+    /**
+     * Get access token if not expired
+     */
+    getAccessToken(): string | null;
+    /**
+     * Get refresh token
+     */
+    getRefreshToken(): string | null;
+    /**
+     * Get ID token
+     */
+    getIdToken(): string | null;
+}
+//# sourceMappingURL=token-manager.d.ts.map

package/src/core/token-manager.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"token-manager.d.ts","sourceRoot":"","sources":["../../../../../../libs/theranova/auth-sdk/src/core/token-manager.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,MAAM,WAAW,YAAY;IAC3B,WAAW,EAAE,MAAM,CAAC;IACpB,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,SAAS,EAAE,MAAM,CAAC;CACnB;AAID,qBAAa,YAAY;IACvB,OAAO,CAAC,UAAU,CAAS;gBAEf,UAAU,GAAE,MAA4B;IAIpD;;OAEG;IACH,IAAI,CAAC,MAAM,EAAE,YAAY,GAAG,IAAI;IAQhC;;OAEG;IACH,GAAG,IAAI,YAAY,GAAG,IAAI;IAiB1B;;OAEG;IACH,KAAK,IAAI,IAAI;IAOb;;OAEG;IACH,SAAS,IAAI,OAAO;IASpB;;OAEG;IACH,cAAc,IAAI,MAAM,GAAG,IAAI;IAO/B;;OAEG;IACH,eAAe,IAAI,MAAM,GAAG,IAAI;IAIhC;;OAEG;IACH,UAAU,IAAI,MAAM,GAAG,IAAI;CAG5B"}

package/src/core/token-manager.js

@@ -0,0 +1,80 @@
+/**
+ * Token Manager
+ * Handles token storage and retrieval
+ */
+const DEFAULT_STORAGE_KEY = 'theranova_auth_tokens';
+export class TokenManager {
+    constructor(storageKey = DEFAULT_STORAGE_KEY) {
+        this.storageKey = storageKey;
+    }
+    /**
+     * Save tokens to localStorage
+     */
+    save(tokens) {
+        if (typeof localStorage === 'undefined') {
+            console.warn('[TokenManager] localStorage is not available');
+            return;
+        }
+        localStorage.setItem(this.storageKey, JSON.stringify(tokens));
+    }
+    /**
+     * Get tokens from localStorage
+     */
+    get() {
+        if (typeof localStorage === 'undefined') {
+            return null;
+        }
+        const stored = localStorage.getItem(this.storageKey);
+        if (!stored) {
+            return null;
+        }
+        try {
+            return JSON.parse(stored);
+        }
+        catch {
+            return null;
+        }
+    }
+    /**
+     * Clear tokens from localStorage
+     */
+    clear() {
+        if (typeof localStorage === 'undefined') {
+            return;
+        }
+        localStorage.removeItem(this.storageKey);
+    }
+    /**
+     * Check if access token is expired
+     */
+    isExpired() {
+        const tokens = this.get();
+        if (!tokens) {
+            return true;
+        }
+        // Consider token expired 60 seconds before actual expiry
+        return Date.now() >= tokens.expiresAt - 60000;
+    }
+    /**
+     * Get access token if not expired
+     */
+    getAccessToken() {
+        if (this.isExpired()) {
+            return null;
+        }
+        return this.get()?.accessToken || null;
+    }
+    /**
+     * Get refresh token
+     */
+    getRefreshToken() {
+        return this.get()?.refreshToken || null;
+    }
+    /**
+     * Get ID token
+     */
+    getIdToken() {
+        return this.get()?.idToken || null;
+    }
+}
+//# sourceMappingURL=token-manager.js.map

package/src/core/token-manager.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"token-manager.js","sourceRoot":"","sources":["../../../../../../libs/theranova/auth-sdk/src/core/token-manager.ts"],"names":[],"mappings":"AAAA;;;GAGG;AASH,MAAM,mBAAmB,GAAG,uBAAuB,CAAC;AAEpD,MAAM,OAAO,YAAY;IAGvB,YAAY,aAAqB,mBAAmB;QAClD,IAAI,CAAC,UAAU,GAAG,UAAU,CAAC;IAC/B,CAAC;IAED;;OAEG;IACH,IAAI,CAAC,MAAoB;QACvB,IAAI,OAAO,YAAY,KAAK,WAAW,EAAE,CAAC;YACxC,OAAO,CAAC,IAAI,CAAC,8CAA8C,CAAC,CAAC;YAC7D,OAAO;QACT,CAAC;QACD,YAAY,CAAC,OAAO,CAAC,IAAI,CAAC,UAAU,EAAE,IAAI,CAAC,SAAS,CAAC,MAAM,CAAC,CAAC,CAAC;IAChE,CAAC;IAED;;OAEG;IACH,GAAG;QACD,IAAI,OAAO,YAAY,KAAK,WAAW,EAAE,CAAC;YACxC,OAAO,IAAI,CAAC;QACd,CAAC;QAED,MAAM,MAAM,GAAG,YAAY,CAAC,OAAO,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;QACrD,IAAI,CAAC,MAAM,EAAE,CAAC;YACZ,OAAO,IAAI,CAAC;QACd,CAAC;QAED,IAAI,CAAC;YACH,OAAO,IAAI,CAAC,KAAK,CAAC,MAAM,CAAiB,CAAC;QAC5C,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,IAAI,CAAC;QACd,CAAC;IACH,CAAC;IAED;;OAEG;IACH,KAAK;QACH,IAAI,OAAO,YAAY,KAAK,WAAW,EAAE,CAAC;YACxC,OAAO;QACT,CAAC;QACD,YAAY,CAAC,UAAU,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;IAC3C,CAAC;IAED;;OAEG;IACH,SAAS;QACP,MAAM,MAAM,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;QAC1B,IAAI,CAAC,MAAM,EAAE,CAAC;YACZ,OAAO,IAAI,CAAC;QACd,CAAC;QACD,yDAAyD;QACzD,OAAO,IAAI,CAAC,GAAG,EAAE,IAAI,MAAM,CAAC,SAAS,GAAG,KAAK,CAAC;IAChD,CAAC;IAED;;OAEG;IACH,cAAc;QACZ,IAAI,IAAI,CAAC,SAAS,EAAE,EAAE,CAAC;YACrB,OAAO,IAAI,CAAC;QACd,CAAC;QACD,OAAO,IAAI,CAAC,GAAG,EAAE,EAAE,WAAW,IAAI,IAAI,CAAC;IACzC,CAAC;IAED;;OAEG;IACH,eAAe;QACb,OAAO,IAAI,CAAC,GAAG,EAAE,EAAE,YAAY,IAAI,IAAI,CAAC;IAC1C,CAAC;IAED;;OAEG;IACH,UAAU;QACR,OAAO,IAAI,CAAC,GAAG,EAAE,EAAE,OAAO,IAAI,IAAI,CAAC;IACrC,CAAC;CACF"}

package/src/index.d.ts

@@ -0,0 +1,31 @@
+/**
+ * Theranova Auth SDK
+ * OAuth2 PKCE Authentication SDK for frontend applications
+ *
+ * @example
+ * ```typescript
+ * import { TheranovaAuth } from '@theranova/auth-sdk';
+ *
+ * const auth = new TheranovaAuth({
+ *   issuer: 'https://auth.theranova.com',
+ *   clientId: 'my-app',
+ *   redirectUri: 'https://my-app.com/callback',
+ * });
+ *
+ * // Start login flow
+ * await auth.login();
+ *
+ * // Handle callback
+ * await auth.handleCallback();
+ *
+ * // Get current user
+ * const user = await auth.getUser();
+ *
+ * // Logout
+ * await auth.logout();
+ * ```
+ */
+export { TheranovaAuth, type TheranovaAuthConfig, type TheranovaAuthTokens } from './core/TheranovaAuth';
+export { TokenManager, type TokenStorage } from './core/token-manager';
+export { logout, logoutGlobal, type LogoutOptions } from './core/logout';
+//# sourceMappingURL=index.d.ts.map

package/src/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../../../libs/theranova/auth-sdk/src/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;GA0BG;AAEH,OAAO,EAAE,aAAa,EAAE,KAAK,mBAAmB,EAAE,KAAK,mBAAmB,EAAE,MAAM,sBAAsB,CAAC;AACzG,OAAO,EAAE,YAAY,EAAE,KAAK,YAAY,EAAE,MAAM,sBAAsB,CAAC;AACvE,OAAO,EAAE,MAAM,EAAE,YAAY,EAAE,KAAK,aAAa,EAAE,MAAM,eAAe,CAAC"}

package/src/index.js

@@ -0,0 +1,31 @@
+/**
+ * Theranova Auth SDK
+ * OAuth2 PKCE Authentication SDK for frontend applications
+ *
+ * @example
+ * ```typescript
+ * import { TheranovaAuth } from '@theranova/auth-sdk';
+ *
+ * const auth = new TheranovaAuth({
+ *   issuer: 'https://auth.theranova.com',
+ *   clientId: 'my-app',
+ *   redirectUri: 'https://my-app.com/callback',
+ * });
+ *
+ * // Start login flow
+ * await auth.login();
+ *
+ * // Handle callback
+ * await auth.handleCallback();
+ *
+ * // Get current user
+ * const user = await auth.getUser();
+ *
+ * // Logout
+ * await auth.logout();
+ * ```
+ */
+export { TheranovaAuth } from './core/TheranovaAuth';
+export { TokenManager } from './core/token-manager';
+export { logout, logoutGlobal } from './core/logout';
+//# sourceMappingURL=index.js.map

package/src/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../../../../libs/theranova/auth-sdk/src/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;GA0BG;AAEH,OAAO,EAAE,aAAa,EAAsD,MAAM,sBAAsB,CAAC;AACzG,OAAO,EAAE,YAAY,EAAqB,MAAM,sBAAsB,CAAC;AACvE,OAAO,EAAE,MAAM,EAAE,YAAY,EAAsB,MAAM,eAAe,CAAC"}