@thunderid/nuxt 0.0.1

package/dist/runtime/plugins/thunderid.js

@@ -0,0 +1,128 @@
+import { getRedirectBasedSignUpUrl } from "@thunderid/browser";
+import { ThunderIDPlugin, THUNDERID_KEY } from "@thunderid/vue";
+import { computed } from "vue";
+import ThunderIDRoot from "../components/ThunderIDRoot.js";
+import { defineNuxtPlugin, useState, useRequestEvent, useRuntimeConfig, navigateTo } from "#app";
+export default defineNuxtPlugin((nuxtApp) => {
+  const publicConfig = useRuntimeConfig().public.thunderid;
+  if (import.meta.client && import.meta.dev) {
+    if (!publicConfig?.baseUrl || !publicConfig?.clientId) {
+      console.warn(
+        "[@thunderid/nuxt] Missing baseUrl or clientId. Set NUXT_PUBLIC_THUNDERID_BASE_URL and NUXT_PUBLIC_THUNDERID_CLIENT_ID, or configure `thunderid` in nuxt.config. Auth endpoints will not function until this is resolved."
+      );
+    }
+  }
+  const authState = useState("thunderid:auth", () => ({
+    isLoading: true,
+    isSignedIn: false,
+    user: null
+  }));
+  const userProfileState = useState("thunderid:user-profile", () => null);
+  const currentOrgState = useState("thunderid:current-org", () => null);
+  const myOrgsState = useState("thunderid:my-orgs", () => []);
+  const brandingState = useState(
+    "thunderid:branding",
+    () => null
+  );
+  if (import.meta.server) {
+    const event = useRequestEvent();
+    const ssr = event?.context?.thunderid?.ssr;
+    if (ssr) {
+      authState.value = {
+        isLoading: false,
+        isSignedIn: ssr.isSignedIn,
+        user: ssr.user
+      };
+      userProfileState.value = ssr.userProfile;
+      currentOrgState.value = ssr.currentOrganization;
+      myOrgsState.value = ssr.myOrganizations;
+      brandingState.value = ssr.brandingPreference;
+    } else {
+      const ssrContext = event?.context?.thunderid;
+      if (ssrContext) {
+        authState.value = {
+          isLoading: false,
+          isSignedIn: ssrContext.isSignedIn ?? false,
+          user: ssrContext.session?.sub ? { sub: ssrContext.session.sub } : null
+        };
+      } else {
+        const legacyAuth = event?.context?.["__thunderidAuth"];
+        authState.value = legacyAuth ?? { isLoading: false, isSignedIn: false, user: null };
+      }
+    }
+  }
+  if (import.meta.client) {
+    authState.value = { ...authState.value, isLoading: false };
+  }
+  const isSignedIn = computed(() => authState.value.isSignedIn);
+  const isLoading = computed(() => authState.value.isLoading);
+  const isInitialized = computed(() => !authState.value.isLoading);
+  const user = computed(() => authState.value.user ?? null);
+  const organizationRef = computed(() => currentOrgState.value);
+  const signIn = async (options) => {
+    const returnTo = typeof options?.["returnTo"] === "string" ? options["returnTo"] : void 0;
+    const url = returnTo ? `/api/auth/signin?returnTo=${encodeURIComponent(returnTo)}` : "/api/auth/signin";
+    await navigateTo(url, { external: true });
+  };
+  const signOut = async () => {
+    const res = await $fetch("/api/auth/signout", { method: "POST" });
+    await navigateTo(res.redirectUrl || "/", { external: true });
+  };
+  const signUp = async () => {
+    if (publicConfig.signUpUrl) {
+      await navigateTo(publicConfig.signUpUrl, { external: true });
+      return;
+    }
+    const redirectUrl = getRedirectBasedSignUpUrl({
+      applicationId: publicConfig.applicationId,
+      baseUrl: publicConfig.baseUrl,
+      clientId: publicConfig.clientId
+    });
+    if (redirectUrl) {
+      await navigateTo(redirectUrl, { external: true });
+      return;
+    }
+    await navigateTo("/api/auth/signup", { external: true });
+  };
+  const getAccessToken = async () => {
+    try {
+      const res = await $fetch("/api/auth/token");
+      return res.accessToken ?? "";
+    } catch {
+      return "";
+    }
+  };
+  const noop = async () => void 0;
+  nuxtApp.vueApp.provide(THUNDERID_KEY, {
+    afterSignInUrl: publicConfig.afterSignInUrl,
+    applicationId: publicConfig.applicationId,
+    baseUrl: publicConfig.baseUrl,
+    clearSession: noop,
+    clientId: publicConfig.clientId,
+    exchangeToken: noop,
+    getAccessToken,
+    getDecodedIdToken: noop,
+    getIdToken: noop,
+    http: { request: noop, requestAll: noop },
+    instanceId: 0,
+    isInitialized,
+    isLoading,
+    isSignedIn,
+    organization: organizationRef,
+    organizationHandle: publicConfig.organizationHandle,
+    platform: void 0,
+    reInitialize: async () => false,
+    signIn,
+    signInOptions: void 0,
+    signInSilently: noop,
+    signInUrl: publicConfig.signInUrl,
+    signOut,
+    signUp,
+    signUpUrl: publicConfig.signUpUrl,
+    storage: void 0,
+    switchOrganization: noop,
+    user
+  });
+  nuxtApp.vueApp.component("ThunderIDRoot", ThunderIDRoot);
+  nuxtApp.vueApp.use(ThunderIDPlugin, { mode: "delegated" });
+});

package/dist/runtime/server/ThunderIDNuxtClient.d.ts

@@ -0,0 +1,186 @@
+/**
+ * Copyright (c) 2025, WSO2 LLC. (https://www.wso2.com).
+ *
+ * WSO2 LLC. licenses this file to you under the Apache License,
+ * Version 2.0 (the "License"); you may not use this file except
+ * in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+import { ThunderIDNodeClient, type IdToken, type Organization, type OrganizationDetails, type CreateOrganizationPayload, type Storage, type TokenExchangeRequestConfig, type TokenResponse, type User, type UserProfile, type UpdateMeProfileConfig, type AllOrganizationsApiResponse, type GetBrandingPreferenceConfig, type BrandingPreference, type EmbeddedFlowExecuteRequestPayload, type EmbeddedFlowExecuteResponse, type ExtendedAuthorizeRequestUrlParams, type SignUpOptions } from '@thunderid/node';
+import type { ThunderIDNuxtConfig, ThunderIDSessionPayload } from '../types.js';
+/**
+ * Singleton ThunderID client for Nuxt applications.
+ *
+ * Mirrors the {@link ThunderIDNextClient} pattern: a single shared instance per
+ * server process that delegates OAuth/OIDC operations to an internal
+ * {@link LegacyThunderIDNodeClient}. The legacy client provisions its own default
+ * in-memory store (`MemoryCacheStore`) for PKCE state and tokens so that state
+ * persists across the sign-in → callback boundary.
+ *
+ * Consumers call {@link getInstance} directly from server routes and plugins —
+ * there is no per-request wrapper factory. Initialization happens once per
+ * process (guarded by {@link isInitialized}) from the `thunderid-init` Nitro
+ * plugin on the first request.
+ *
+ * @example
+ * ```ts
+ * // In a Nitro API route:
+ * export default defineEventHandler(async (event) => {
+ *   const client = ThunderIDNuxtClient.getInstance();
+ *   return client.getUser(sessionId);
+ * });
+ * ```
+ */
+declare class ThunderIDNuxtClient extends ThunderIDNodeClient<ThunderIDNuxtConfig> {
+    private static instance;
+    private legacy;
+    isInitialized: boolean;
+    private constructor();
+    /**
+     * Get the singleton instance of ThunderIDNuxtClient.
+     */
+    static getInstance(): ThunderIDNuxtClient;
+    /**
+     * Initializes the underlying legacy client with OAuth/OIDC settings derived
+     * from the Nuxt module config. Idempotent — repeated calls are no-ops after
+     * the first successful initialization.
+     */
+    initialize(config: ThunderIDNuxtConfig, storage?: Storage): Promise<boolean>;
+    reInitialize(config: Partial<ThunderIDNuxtConfig>): Promise<boolean>;
+    /**
+     * Seeds the legacy in-memory token store from a verified session JWT payload.
+     *
+     * The signed session cookie is the source of truth for tokens in this SDK — it
+     * survives server restarts and new worker processes. The underlying
+     * {@link LegacyThunderIDNodeClient}, however, keeps tokens in a
+     * {@link MemoryCacheStore} keyed by `sessionId`, and its
+     * `getAccessToken` / `getUser` / `getDecodedIdToken` / `signOut` paths all
+     * read from that store. Without rehydration, those calls fail whenever the
+     * in-memory store and the cookie diverge (the classic case: `nuxi dev`
+     * restart while the browser still holds a valid session cookie).
+     *
+     * Writes the snake_case token shape the legacy helper expects
+     * (see `AuthenticationHelper.processTokenResponse`). Safe to call on every
+     * request — it's an in-memory write and the cookie always reflects the
+     * freshest tokens (the refresh path re-issues the cookie too).
+     */
+    rehydrateSessionFromPayload(session: ThunderIDSessionPayload): Promise<void>;
+    /**
+     * Initiates the authorization code flow, handles an embedded sign-in step,
+     * or exchanges a code for tokens.
+     *
+     * Overload 1 — **redirect-flow** (existing callers like `signin.get.ts`):
+     * ```
+     * signIn(authURLCallback, sessionId, code?, sessionState?, state?, config?)
+     * ```
+     * Overload 2 — **embedded flow initiate** (flowId === ''):
+     * ```
+     * signIn({flowId: ''}, request, sessionId)
+     * ```
+     * Dispatches to `initializeEmbeddedSignInFlow`.
+     *
+     * Overload 3 — **embedded flow execute** (flowId set):
+     * ```
+     * signIn(payload, request, sessionId)
+     * ```
+     * Dispatches to `executeEmbeddedSignInFlow`.
+     *
+     * Overload 4 — **code exchange** (completion after embedded flow):
+     * ```
+     * signIn({code, state, session_state}, {}, sessionId)
+     * ```
+     * Falls through to the legacy redirect-flow code-exchange path.
+     */
+    signIn(...args: any[]): Promise<any>;
+    /**
+     * Executes the embedded sign-up flow step.
+     * Mirrors `ThunderIDNextClient.signUp` with an `EmbeddedFlowExecuteRequestPayload`.
+     */
+    signUp(options?: SignUpOptions): Promise<void>;
+    signUp(payload: EmbeddedFlowExecuteRequestPayload): Promise<EmbeddedFlowExecuteResponse>;
+    /**
+     * Returns the OAuth2 authorization URL.
+     * Used by the redirect-flow GET handler and the embedded-flow initiation path.
+     *
+     * Mirrors `ThunderIDNextClient.getAuthorizeRequestUrl`.
+     */
+    getAuthorizeRequestUrl(customParams: ExtendedAuthorizeRequestUrlParams, userId?: string): Promise<string>;
+    /**
+     * Clears the session and returns the RP-Initiated Logout URL.
+     * Accepts either `(sessionId: string)` or `(options?, sessionId?, callback?)`.
+     *
+     * For ThunderIDV2 (Thunder), RP-Initiated Logout is not yet supported by the platform.
+     * Skip the /oidc/logout call and return afterSignOutUrl directly — the caller
+     * (signout.post.ts) is responsible for clearing session cookies.
+     */
+    signOut(...args: any[]): Promise<string>;
+    getUser(sessionId?: string): Promise<User>;
+    getAccessToken(sessionId?: string): Promise<string>;
+    /**
+     * Decodes and returns the ID token claims for the given session.
+     * Exposed here (as on {@link ThunderIDNextClient}) so route handlers can
+     * access ID token claims without falling back to the legacy client.
+     */
+    getDecodedIdToken(sessionId?: string, idToken?: string): Promise<IdToken>;
+    isSignedIn(sessionId?: string): Promise<boolean>;
+    exchangeToken(config: TokenExchangeRequestConfig, sessionId?: string): Promise<TokenResponse | Response>;
+    /**
+     * Fetches the flattened SCIM2 user profile for the given session.
+     * Mirrors `ThunderIDNextClient.getUserProfile` — calls `getScim2Me` +
+     * `getSchemas` + `generateFlattenedUserProfile` and falls back to
+     * `getUser` claims if SCIM2 is unavailable.
+     */
+    getUserProfile(sessionId: string): Promise<UserProfile>;
+    /**
+     * Extracts the current organisation from the decoded ID token.
+     * Returns null when the user is not acting within an organisation.
+     */
+    getCurrentOrganization(sessionId: string): Promise<Organization | null>;
+    /**
+     * Returns the list of organisations the authenticated user is a member of.
+     */
+    getMyOrganizations(sessionId: string): Promise<Organization[]>;
+    /**
+     * Fetches the branding preference for the tenant / application.
+     * Delegates to the standalone `getBrandingPreference` API helper from
+     * `@thunderid/node`, which does not require an authenticated session.
+     */
+    getBrandingPreference(config: GetBrandingPreferenceConfig): Promise<BrandingPreference>;
+    /**
+     * Updates the SCIM2 /Me profile for the authenticated user.
+     * Mirrors `ThunderIDNextClient.updateUserProfile`.
+     */
+    updateUserProfile(config: UpdateMeProfileConfig, sessionId: string): Promise<User>;
+    /**
+     * Retrieves all organisations accessible to the authenticated user
+     * (paginated). Mirrors `ThunderIDNextClient.getAllOrganizations`.
+     */
+    getAllOrganizations(options?: any, sessionId?: string): Promise<AllOrganizationsApiResponse>;
+    /**
+     * Creates a new sub-organisation. Mirrors `ThunderIDNextClient.createOrganization`.
+     */
+    createOrganization(payload: CreateOrganizationPayload, sessionId: string): Promise<Organization>;
+    /**
+     * Fetches the details of a single organisation by ID.
+     * Mirrors `ThunderIDNextClient.getOrganization`.
+     */
+    getOrganization(organizationId: string, sessionId: string): Promise<OrganizationDetails>;
+    /**
+     * Performs an organisation-switch token exchange and returns the new
+     * `TokenResponse`. The caller (the Nitro route) is responsible for
+     * persisting the new session cookie.
+     *
+     * Mirrors `ThunderIDNextClient.switchOrganization`.
+     */
+    switchOrganization(organization: Organization, sessionId: string): Promise<TokenResponse | Response>;
+}
+export default ThunderIDNuxtClient;

package/dist/runtime/server/ThunderIDNuxtClient.js

@@ -0,0 +1,384 @@
+import {
+  ThunderIDNodeClient,
+  LegacyThunderIDNodeClient,
+  Platform,
+  getBrandingPreference,
+  getMeOrganizations,
+  getAllOrganizations,
+  createOrganization,
+  getOrganization,
+  getScim2Me,
+  getSchemas,
+  flattenUserSchema,
+  generateFlattenedUserProfile,
+  updateMeProfile,
+  initializeEmbeddedSignInFlow,
+  executeEmbeddedSignInFlow,
+  executeEmbeddedSignUpFlow
+} from "@thunderid/node";
+class ThunderIDNuxtClient extends ThunderIDNodeClient {
+  static instance;
+  legacy;
+  isInitialized = false;
+  constructor() {
+    super();
+    this.legacy = new LegacyThunderIDNodeClient();
+  }
+  /**
+   * Get the singleton instance of ThunderIDNuxtClient.
+   */
+  static getInstance() {
+    if (!ThunderIDNuxtClient.instance) {
+      ThunderIDNuxtClient.instance = new ThunderIDNuxtClient();
+    }
+    return ThunderIDNuxtClient.instance;
+  }
+  /**
+   * Initializes the underlying legacy client with OAuth/OIDC settings derived
+   * from the Nuxt module config. Idempotent — repeated calls are no-ops after
+   * the first successful initialization.
+   */
+  async initialize(config, storage) {
+    if (this.isInitialized) {
+      return true;
+    }
+    const authConfig = {
+      afterSignInUrl: config.afterSignInUrl,
+      afterSignOutUrl: config.afterSignOutUrl || "/",
+      baseUrl: config.baseUrl,
+      clientId: config.clientId,
+      clientSecret: config.clientSecret || void 0,
+      enablePKCE: true,
+      platform: config.platform,
+      scopes: config.scopes || ["openid", "profile"],
+      tokenRequest: config.tokenRequest
+    };
+    const result = await this.legacy.initialize(authConfig, storage);
+    this.isInitialized = true;
+    return result;
+  }
+  async reInitialize(config) {
+    await this.legacy.reInitialize(config);
+    return true;
+  }
+  /**
+   * Seeds the legacy in-memory token store from a verified session JWT payload.
+   *
+   * The signed session cookie is the source of truth for tokens in this SDK — it
+   * survives server restarts and new worker processes. The underlying
+   * {@link LegacyThunderIDNodeClient}, however, keeps tokens in a
+   * {@link MemoryCacheStore} keyed by `sessionId`, and its
+   * `getAccessToken` / `getUser` / `getDecodedIdToken` / `signOut` paths all
+   * read from that store. Without rehydration, those calls fail whenever the
+   * in-memory store and the cookie diverge (the classic case: `nuxi dev`
+   * restart while the browser still holds a valid session cookie).
+   *
+   * Writes the snake_case token shape the legacy helper expects
+   * (see `AuthenticationHelper.processTokenResponse`). Safe to call on every
+   * request — it's an in-memory write and the cookie always reflects the
+   * freshest tokens (the refresh path re-issues the cookie too).
+   */
+  async rehydrateSessionFromPayload(session) {
+    if (!this.isInitialized || !session?.sessionId || !session?.accessToken) {
+      return;
+    }
+    const storageManager = await this.legacy.getStorageManager();
+    const iatSeconds = typeof session.iat === "number" ? session.iat : Math.floor(Date.now() / 1e3);
+    const expiresInSeconds = typeof session.accessTokenExpiresAt === "number" ? Math.max(0, session.accessTokenExpiresAt - iatSeconds) : 3600;
+    await storageManager.setSessionData(
+      {
+        access_token: session.accessToken,
+        created_at: iatSeconds * 1e3,
+        expires_in: String(expiresInSeconds || 3600),
+        id_token: session.idToken ?? "",
+        refresh_token: session.refreshToken ?? "",
+        scope: session.scopes ?? "",
+        session_state: "",
+        token_type: "Bearer"
+      },
+      session.sessionId
+    );
+  }
+  /**
+   * Initiates the authorization code flow, handles an embedded sign-in step,
+   * or exchanges a code for tokens.
+   *
+   * Overload 1 — **redirect-flow** (existing callers like `signin.get.ts`):
+   * ```
+   * signIn(authURLCallback, sessionId, code?, sessionState?, state?, config?)
+   * ```
+   * Overload 2 — **embedded flow initiate** (flowId === ''):
+   * ```
+   * signIn({flowId: ''}, request, sessionId)
+   * ```
+   * Dispatches to `initializeEmbeddedSignInFlow`.
+   *
+   * Overload 3 — **embedded flow execute** (flowId set):
+   * ```
+   * signIn(payload, request, sessionId)
+   * ```
+   * Dispatches to `executeEmbeddedSignInFlow`.
+   *
+   * Overload 4 — **code exchange** (completion after embedded flow):
+   * ```
+   * signIn({code, state, session_state}, {}, sessionId)
+   * ```
+   * Falls through to the legacy redirect-flow code-exchange path.
+   */
+  signIn(...args) {
+    const arg0 = args[0];
+    if (typeof arg0 === "object" && arg0 !== null && "flowId" in arg0) {
+      const sessionId = args[2];
+      if (arg0.flowId === "") {
+        return this.getAuthorizeRequestUrl(
+          { client_secret: "{{clientSecret}}", response_mode: "direct" },
+          sessionId
+        ).then((authorizeUrl) => {
+          const url = new URL(authorizeUrl);
+          return initializeEmbeddedSignInFlow({
+            payload: Object.fromEntries(url.searchParams.entries()),
+            url: `${url.origin}${url.pathname}`
+          });
+        });
+      }
+      const request = args[1] ?? {};
+      return executeEmbeddedSignInFlow({
+        payload: arg0,
+        url: request.url
+      });
+    }
+    if (typeof arg0 === "object" && arg0 !== null && ("code" in arg0 || "state" in arg0)) {
+      const payload = arg0;
+      const code = typeof payload.code === "string" ? payload.code : void 0;
+      const sessionState = typeof payload.session_state === "string" ? payload.session_state : void 0;
+      const state = typeof payload.state === "string" ? payload.state : void 0;
+      const extraParams = {};
+      if (code) {
+        extraParams.code = code;
+      }
+      if (sessionState) {
+        extraParams.session_state = sessionState;
+      }
+      if (state) {
+        extraParams.state = state;
+      }
+      return this.legacy.signIn(args[3], args[2], code, sessionState, state, extraParams);
+    }
+    return this.legacy.signIn(args[0], args[1], args[2], args[3], args[4], args[5]);
+  }
+  async signUp(payloadOrOptions) {
+    if (!payloadOrOptions || !("flowType" in payloadOrOptions)) {
+      return void 0;
+    }
+    const configData = await this.legacy.getConfigData?.();
+    const baseUrl = configData?.baseUrl;
+    const response = await executeEmbeddedSignUpFlow({
+      baseUrl,
+      payload: payloadOrOptions
+    });
+    return response;
+  }
+  /**
+   * Returns the OAuth2 authorization URL.
+   * Used by the redirect-flow GET handler and the embedded-flow initiation path.
+   *
+   * Mirrors `ThunderIDNextClient.getAuthorizeRequestUrl`.
+   */
+  async getAuthorizeRequestUrl(customParams, userId) {
+    return this.legacy.getSignInUrl(customParams, userId);
+  }
+  /**
+   * Clears the session and returns the RP-Initiated Logout URL.
+   * Accepts either `(sessionId: string)` or `(options?, sessionId?, callback?)`.
+   *
+   * For ThunderIDV2 (Thunder), RP-Initiated Logout is not yet supported by the platform.
+   * Skip the /oidc/logout call and return afterSignOutUrl directly — the caller
+   * (signout.post.ts) is responsible for clearing session cookies.
+   */
+  async signOut(...args) {
+    const sessionId = typeof args[0] === "string" ? args[0] : args[1];
+    const configData = await this.legacy.getConfigData?.();
+    if (configData?.platform === Platform.ThunderIDV2) {
+      return configData?.afterSignOutUrl || configData?.afterSignInUrl || "/";
+    }
+    return this.legacy.signOut(sessionId);
+  }
+  getUser(sessionId) {
+    return this.legacy.getUser(sessionId);
+  }
+  getAccessToken(sessionId) {
+    return this.legacy.getAccessToken(sessionId);
+  }
+  /**
+   * Decodes and returns the ID token claims for the given session.
+   * Exposed here (as on {@link ThunderIDNextClient}) so route handlers can
+   * access ID token claims without falling back to the legacy client.
+   */
+  getDecodedIdToken(sessionId, idToken) {
+    return this.legacy.getDecodedIdToken(sessionId, idToken);
+  }
+  isSignedIn(sessionId) {
+    return this.legacy.isSignedIn(sessionId);
+  }
+  exchangeToken(config, sessionId) {
+    return this.legacy.exchangeToken(config, sessionId);
+  }
+  /**
+   * Fetches the flattened SCIM2 user profile for the given session.
+   * Mirrors `ThunderIDNextClient.getUserProfile` — calls `getScim2Me` +
+   * `getSchemas` + `generateFlattenedUserProfile` and falls back to
+   * `getUser` claims if SCIM2 is unavailable.
+   */
+  async getUserProfile(sessionId) {
+    const accessToken = await this.getAccessToken(sessionId);
+    const configData = await this.legacy.getConfigData?.();
+    const baseUrl = configData?.baseUrl ?? "";
+    if (configData?.platform === Platform.ThunderIDV2) {
+      const user = await this.getUser(sessionId);
+      return { flattenedProfile: user, profile: user, schemas: [] };
+    }
+    try {
+      const authHeaders = { Authorization: `Bearer ${accessToken}` };
+      const [profile, schemas] = await Promise.all([
+        getScim2Me({ baseUrl, headers: authHeaders }),
+        getSchemas({ baseUrl, headers: authHeaders })
+      ]);
+      const processedSchemas = flattenUserSchema(schemas);
+      return {
+        flattenedProfile: generateFlattenedUserProfile(profile, processedSchemas),
+        profile,
+        schemas: processedSchemas
+      };
+    } catch {
+      const user = await this.getUser(sessionId);
+      return { flattenedProfile: user, profile: user, schemas: [] };
+    }
+  }
+  /**
+   * Extracts the current organisation from the decoded ID token.
+   * Returns null when the user is not acting within an organisation.
+   */
+  async getCurrentOrganization(sessionId) {
+    try {
+      const idToken = await this.getDecodedIdToken(sessionId);
+      if (!idToken?.org_id) {
+        return null;
+      }
+      return {
+        id: idToken.org_id,
+        name: idToken.org_name ?? "",
+        orgHandle: idToken.org_handle ?? ""
+      };
+    } catch {
+      return null;
+    }
+  }
+  /**
+   * Returns the list of organisations the authenticated user is a member of.
+   */
+  async getMyOrganizations(sessionId) {
+    const accessToken = await this.getAccessToken(sessionId);
+    const configData = await this.legacy.getConfigData?.();
+    const baseUrl = configData?.baseUrl ?? "";
+    return getMeOrganizations({
+      baseUrl,
+      headers: { Authorization: `Bearer ${accessToken}` }
+    });
+  }
+  /**
+   * Fetches the branding preference for the tenant / application.
+   * Delegates to the standalone `getBrandingPreference` API helper from
+   * `@thunderid/node`, which does not require an authenticated session.
+   */
+  // eslint-disable-next-line class-methods-use-this
+  async getBrandingPreference(config) {
+    return getBrandingPreference(config);
+  }
+  /**
+   * Updates the SCIM2 /Me profile for the authenticated user.
+   * Mirrors `ThunderIDNextClient.updateUserProfile`.
+   */
+  async updateUserProfile(config, sessionId) {
+    const accessToken = await this.getAccessToken(sessionId);
+    const configData = await this.legacy.getConfigData?.();
+    const baseUrl = configData?.baseUrl ?? "";
+    if (configData?.platform === Platform.ThunderIDV2) {
+      throw new Error("Profile updates are not supported for the ThunderIDV2 (Thunder) platform.");
+    }
+    return updateMeProfile({
+      ...config,
+      // pass-through, includes payload
+      baseUrl,
+      headers: { ...config.headers, Authorization: `Bearer ${accessToken}` }
+    });
+  }
+  /**
+   * Retrieves all organisations accessible to the authenticated user
+   * (paginated). Mirrors `ThunderIDNextClient.getAllOrganizations`.
+   */
+  async getAllOrganizations(options, sessionId) {
+    const resolvedSessionId = sessionId ?? "";
+    const accessToken = await this.getAccessToken(resolvedSessionId);
+    const configData = await this.legacy.getConfigData?.();
+    const baseUrl = configData?.baseUrl ?? "";
+    return getAllOrganizations({
+      baseUrl,
+      headers: { Authorization: `Bearer ${accessToken}` }
+    });
+  }
+  /**
+   * Creates a new sub-organisation. Mirrors `ThunderIDNextClient.createOrganization`.
+   */
+  async createOrganization(payload, sessionId) {
+    const accessToken = await this.getAccessToken(sessionId);
+    const configData = await this.legacy.getConfigData?.();
+    const baseUrl = configData?.baseUrl ?? "";
+    return createOrganization({
+      baseUrl,
+      headers: { Authorization: `Bearer ${accessToken}` },
+      payload
+    });
+  }
+  /**
+   * Fetches the details of a single organisation by ID.
+   * Mirrors `ThunderIDNextClient.getOrganization`.
+   */
+  async getOrganization(organizationId, sessionId) {
+    const accessToken = await this.getAccessToken(sessionId);
+    const configData = await this.legacy.getConfigData?.();
+    const baseUrl = configData?.baseUrl ?? "";
+    return getOrganization({
+      baseUrl,
+      headers: { Authorization: `Bearer ${accessToken}` },
+      organizationId
+    });
+  }
+  /**
+   * Performs an organisation-switch token exchange and returns the new
+   * `TokenResponse`. The caller (the Nitro route) is responsible for
+   * persisting the new session cookie.
+   *
+   * Mirrors `ThunderIDNextClient.switchOrganization`.
+   */
+  async switchOrganization(organization, sessionId) {
+    if (!organization.id) {
+      throw new Error("Organization ID is required for switching organizations.");
+    }
+    const exchangeConfig = {
+      attachToken: false,
+      data: {
+        client_id: "{{clientId}}",
+        client_secret: "{{clientSecret}}",
+        grant_type: "organization_switch",
+        scope: "{{scopes}}",
+        switching_organization: organization.id,
+        token: "{{accessToken}}"
+      },
+      id: "organization-switch",
+      returnsSession: true,
+      signInRequired: true
+    };
+    return this.legacy.exchangeToken(exchangeConfig, sessionId);
+  }
+}
+export default ThunderIDNuxtClient;