@workos-inc/node 8.0.0 → 8.2.0

package/lib/roles/interfaces/index.d.cts

@@ -1,2 +1,2 @@
-import { a as RoleEventResponse, i as RoleEvent, n as OrganizationRoleResponse, o as RoleList, r as Role, s as RoleResponse, t as ListOrganizationRolesResponse } from "../../role.interface-BfMq5Bju.cjs";
+import { Fn as RoleEventResponse, In as RoleList, Ln as RoleResponse, Mn as OrganizationRoleResponse, Nn as Role, Pn as RoleEvent, jn as ListOrganizationRolesResponse } from "../../index-DBcxvLj5.cjs";
 export { ListOrganizationRolesResponse, OrganizationRoleResponse, Role, RoleEvent, RoleEventResponse, RoleList, RoleResponse };

package/lib/roles/interfaces/role.interface.d.cts

@@ -1,2 +1,2 @@
-import { a as RoleEventResponse, i as RoleEvent, n as OrganizationRoleResponse, o as RoleList, r as Role, s as RoleResponse, t as ListOrganizationRolesResponse } from "../../role.interface-BfMq5Bju.cjs";
+import { Fn as RoleEventResponse, In as RoleList, Ln as RoleResponse, Mn as OrganizationRoleResponse, Nn as Role, Pn as RoleEvent, jn as ListOrganizationRolesResponse } from "../../index-DBcxvLj5.cjs";
 export { ListOrganizationRolesResponse, OrganizationRoleResponse, Role, RoleEvent, RoleEventResponse, RoleList, RoleResponse };

package/lib/roles/interfaces/role.interface.d.ts

@@ -1,3 +1,6 @@
+import { EnvironmentRole } from "../../authorization/interfaces/environment-role.interface.js";
+import { OrganizationRole } from "../../authorization/interfaces/organization-role.interface.js";
+
 //#region src/roles/interfaces/role.interface.d.ts
 interface RoleResponse {
   slug: string;
@@ -31,17 +34,7 @@ interface OrganizationRoleResponse {
   created_at: string;
   updated_at: string;
 }
-interface Role {
-  object: 'role';
-  id: string;
-  name: string;
-  slug: string;
-  description: string | null;
-  permissions: string[];
-  type: 'EnvironmentRole' | 'OrganizationRole';
-  createdAt: string;
-  updatedAt: string;
-}
+type Role = EnvironmentRole | OrganizationRole;
 interface RoleList {
   object: 'list';
   data: Role[];

package/lib/roles/serializers/role.serializer.d.cts

@@ -1,4 +1,4 @@
-import { n as OrganizationRoleResponse, r as Role } from "../../role.interface-BfMq5Bju.cjs";
+import { Mn as OrganizationRoleResponse, Nn as Role } from "../../index-DBcxvLj5.cjs";
 
 //#region src/roles/serializers/role.serializer.d.ts
 declare const deserializeRole: (role: OrganizationRoleResponse) => Role;

package/lib/runtime-info-CkgTBGi9.cjs

@@ -0,0 +1,56 @@
+const require_env = require('./env-CCN5u8Rv.cjs');
+
+//#region src/common/utils/runtime-info.ts
+/**
+* Get runtime information including name and version.
+* Safely extracts version information for different JavaScript runtimes.
+* @returns RuntimeInfo object with name and optional version
+*/
+function getRuntimeInfo() {
+	const name = require_env.detectRuntime();
+	let version;
+	try {
+		switch (name) {
+			case "node":
+				version = typeof process !== "undefined" ? process.version : void 0;
+				break;
+			case "deno":
+				version = globalThis.Deno?.version?.deno;
+				break;
+			case "bun":
+				version = globalThis.Bun?.version || extractBunVersionFromUserAgent();
+				break;
+			case "cloudflare":
+			case "fastly":
+			case "edge-light":
+			case "other":
+			default:
+				version = void 0;
+				break;
+		}
+	} catch {
+		version = void 0;
+	}
+	return {
+		name,
+		version
+	};
+}
+/**
+* Extract Bun version from navigator.userAgent as fallback.
+* @returns Bun version string or undefined
+*/
+function extractBunVersionFromUserAgent() {
+	try {
+		if (typeof navigator !== "undefined" && navigator.userAgent) return navigator.userAgent.match(/Bun\/(\d+\.\d+\.\d+)/)?.[1];
+	} catch {}
+}
+
+//#endregion
+Object.defineProperty(exports, 'getRuntimeInfo', {
+  enumerable: true,
+  get: function () {
+    return getRuntimeInfo;
+  }
+});
+//# sourceMappingURL=runtime-info-CkgTBGi9.cjs.map

package/lib/runtime-info-CkgTBGi9.cjs.map

@@ -0,0 +1 @@
+{"version":3,"file":"runtime-info-CkgTBGi9.cjs","names":["detectRuntime","version: string | undefined"],"sources":["../src/common/utils/runtime-info.ts"],"sourcesContent":["import { detectRuntime } from './env';\n\n// Extend globalThis to include runtime-specific globals\ndeclare global {\n  var Deno:\n    | {\n        version: {\n          deno: string;\n        };\n      }\n    | undefined;\n\n  var Bun:\n    | {\n        version: string;\n      }\n    | undefined;\n}\n\nexport interface RuntimeInfo {\n  name: string;\n  version?: string;\n}\n\n/**\n * Get runtime information including name and version.\n * Safely extracts version information for different JavaScript runtimes.\n * @returns RuntimeInfo object with name and optional version\n */\nexport function getRuntimeInfo(): RuntimeInfo {\n  const name = detectRuntime();\n  let version: string | undefined;\n\n  try {\n    switch (name) {\n      case 'node':\n        // process.version includes 'v' prefix (e.g., \"v20.5.0\")\n        version = typeof process !== 'undefined' ? process.version : undefined;\n        break;\n\n      case 'deno':\n        // Deno.version.deno returns just version number (e.g., \"1.36.4\")\n        version = globalThis.Deno?.version?.deno;\n        break;\n\n      case 'bun':\n        version = globalThis.Bun?.version || extractBunVersionFromUserAgent();\n        break;\n\n      // These environments typically don't expose version info\n      case 'cloudflare':\n      case 'fastly':\n      case 'edge-light':\n      case 'other':\n      default:\n        version = undefined;\n        break;\n    }\n  } catch {\n    version = undefined;\n  }\n\n  return {\n    name,\n    version,\n  };\n}\n\n/**\n * Extract Bun version from navigator.userAgent as fallback.\n * @returns Bun version string or undefined\n */\nfunction extractBunVersionFromUserAgent(): string | undefined {\n  try {\n    if (typeof navigator !== 'undefined' && navigator.userAgent) {\n      const match = navigator.userAgent.match(/Bun\\/(\\d+\\.\\d+\\.\\d+)/);\n      return match?.[1];\n    }\n  } catch {\n    // Ignore errors\n  }\n  return undefined;\n}\n"],"mappings":";;;;;;;;AA6BA,SAAgB,iBAA8B;CAC5C,MAAM,OAAOA,2BAAe;CAC5B,IAAIC;AAEJ,KAAI;AACF,UAAQ,MAAR;GACE,KAAK;AAEH,cAAU,OAAO,YAAY,cAAc,QAAQ,UAAU;AAC7D;GAEF,KAAK;AAEH,cAAU,WAAW,MAAM,SAAS;AACpC;GAEF,KAAK;AACH,cAAU,WAAW,KAAK,WAAW,gCAAgC;AACrE;GAGF,KAAK;GACL,KAAK;GACL,KAAK;GACL,KAAK;GACL;AACE,cAAU;AACV;;SAEE;AACN,YAAU;;AAGZ,QAAO;EACL;EACA;EACD;;;;;;AAOH,SAAS,iCAAqD;AAC5D,KAAI;AACF,MAAI,OAAO,cAAc,eAAe,UAAU,UAEhD,QADc,UAAU,UAAU,MAAM,uBAAuB,GAChD;SAEX"}

package/lib/send-invitation-options.interface-C2RofyVU.d.cts

@@ -0,0 +1,22 @@
+import { t as Locale } from "./locale.interface-DtJ_6jKP.cjs";
+
+//#region src/user-management/interfaces/send-invitation-options.interface.d.ts
+interface SendInvitationOptions {
+  email: string;
+  organizationId?: string;
+  expiresInDays?: number;
+  inviterUserId?: string;
+  roleSlug?: string;
+  locale?: Locale;
+}
+interface SerializedSendInvitationOptions {
+  email: string;
+  organization_id?: string;
+  expires_in_days?: number;
+  inviter_user_id?: string;
+  role_slug?: string;
+  locale?: Locale;
+}
+//#endregion
+export { SerializedSendInvitationOptions as n, SendInvitationOptions as t };
+//# sourceMappingURL=send-invitation-options.interface-C2RofyVU.d.cts.map

package/lib/send-invitation-options.serializer-BX9N-pl6.cjs

@@ -0,0 +1,19 @@
+
+//#region src/user-management/serializers/send-invitation-options.serializer.ts
+const serializeSendInvitationOptions = (options) => ({
+	email: options.email,
+	organization_id: options.organizationId,
+	expires_in_days: options.expiresInDays,
+	inviter_user_id: options.inviterUserId,
+	role_slug: options.roleSlug,
+	locale: options.locale
+});
+
+//#endregion
+Object.defineProperty(exports, 'serializeSendInvitationOptions', {
+  enumerable: true,
+  get: function () {
+    return serializeSendInvitationOptions;
+  }
+});
+//# sourceMappingURL=send-invitation-options.serializer-BX9N-pl6.cjs.map

package/lib/send-invitation-options.serializer-BX9N-pl6.cjs.map

@@ -0,0 +1 @@
+{"version":3,"file":"send-invitation-options.serializer-BX9N-pl6.cjs","names":[],"sources":["../src/user-management/serializers/send-invitation-options.serializer.ts"],"sourcesContent":["import {} from '../interfaces';\nimport {\n  SendInvitationOptions,\n  SerializedSendInvitationOptions,\n} from '../interfaces/send-invitation-options.interface';\n\nexport const serializeSendInvitationOptions = (\n  options: SendInvitationOptions,\n): SerializedSendInvitationOptions => ({\n  email: options.email,\n  organization_id: options.organizationId,\n  expires_in_days: options.expiresInDays,\n  inviter_user_id: options.inviterUserId,\n  role_slug: options.roleSlug,\n  locale: options.locale,\n});\n"],"mappings":";;AAMA,MAAa,kCACX,aACqC;CACrC,OAAO,QAAQ;CACf,iBAAiB,QAAQ;CACzB,iBAAiB,QAAQ;CACzB,iBAAiB,QAAQ;CACzB,WAAW,QAAQ;CACnB,QAAQ,QAAQ;CACjB"}

package/lib/send-session-response.interface-CMl4tWw_.d.cts

@@ -0,0 +1,8 @@
+//#region src/passwordless/interfaces/send-session-response.interface.d.ts
+interface SendSessionResponse {
+  message?: string;
+  success?: boolean;
+}
+//#endregion
+export { SendSessionResponse as t };
+//# sourceMappingURL=send-session-response.interface-CMl4tWw_.d.cts.map

package/lib/send-verification-email-options.interface-BtOygLys.d.cts

@@ -0,0 +1,7 @@
+//#region src/user-management/interfaces/send-verification-email-options.interface.d.ts
+interface SendVerificationEmailOptions {
+  userId: string;
+}
+//#endregion
+export { SendVerificationEmailOptions as t };
+//# sourceMappingURL=send-verification-email-options.interface-BtOygLys.d.cts.map

package/lib/session-BspC-lF9.cjs

@@ -0,0 +1,144 @@
+const require_oauth_exception = require('./oauth.exception-BJAv3tg-.cjs');
+const require_seal = require('./seal-Dl5Et6Vv.cjs');
+const require_authenticate_with_session_cookie_interface = require('./authenticate-with-session-cookie.interface-wRJr18ep.cjs');
+const require_refresh_and_seal_session_data_interface = require('./refresh-and-seal-session-data.interface-BC_uVnK1.cjs');
+const require_jose = require('./jose-D4-VExnk.cjs');
+
+//#region src/user-management/session.ts
+var CookieSession = class {
+	userManagement;
+	cookiePassword;
+	sessionData;
+	constructor(userManagement, sessionData, cookiePassword) {
+		if (!cookiePassword) throw new Error("cookiePassword is required");
+		this.userManagement = userManagement;
+		this.cookiePassword = cookiePassword;
+		this.sessionData = sessionData;
+	}
+	/**
+	* Authenticates a user with a session cookie.
+	*
+	* @returns An object indicating whether the authentication was successful or not. If successful, it will include the user's session data.
+	*/
+	async authenticate() {
+		if (!this.sessionData) return {
+			authenticated: false,
+			reason: require_authenticate_with_session_cookie_interface.AuthenticateWithSessionCookieFailureReason.NO_SESSION_COOKIE_PROVIDED
+		};
+		const session = await require_seal.unsealData(this.sessionData, { password: this.cookiePassword });
+		if (!session.accessToken) return {
+			authenticated: false,
+			reason: require_authenticate_with_session_cookie_interface.AuthenticateWithSessionCookieFailureReason.INVALID_SESSION_COOKIE
+		};
+		if (!await this.isValidJwt(session.accessToken)) return {
+			authenticated: false,
+			reason: require_authenticate_with_session_cookie_interface.AuthenticateWithSessionCookieFailureReason.INVALID_JWT
+		};
+		const { decodeJwt } = await require_jose.getJose();
+		const { sid: sessionId, org_id: organizationId, role, roles, permissions, entitlements, feature_flags: featureFlags } = decodeJwt(session.accessToken);
+		return {
+			authenticated: true,
+			sessionId,
+			organizationId,
+			role,
+			roles,
+			permissions,
+			entitlements,
+			featureFlags,
+			user: session.user,
+			authenticationMethod: session.authenticationMethod,
+			impersonator: session.impersonator,
+			accessToken: session.accessToken
+		};
+	}
+	/**
+	* Refreshes the user's session.
+	*
+	* @param options - Optional options for refreshing the session.
+	* @param options.cookiePassword - The password to use for the new session cookie.
+	* @param options.organizationId - The organization ID to use for the new session cookie.
+	* @returns An object indicating whether the refresh was successful or not. If successful, it will include the new sealed session data.
+	*/
+	async refresh(options = {}) {
+		const { decodeJwt } = await require_jose.getJose();
+		const session = await require_seal.unsealData(this.sessionData, { password: this.cookiePassword });
+		if (!session.refreshToken || !session.user) return {
+			authenticated: false,
+			reason: require_refresh_and_seal_session_data_interface.RefreshSessionFailureReason.INVALID_SESSION_COOKIE
+		};
+		const { org_id: organizationIdFromAccessToken } = decodeJwt(session.accessToken);
+		try {
+			const cookiePassword = options.cookiePassword ?? this.cookiePassword;
+			const authenticationResponse = await this.userManagement.authenticateWithRefreshToken({
+				clientId: this.userManagement.clientId,
+				refreshToken: session.refreshToken,
+				organizationId: options.organizationId ?? organizationIdFromAccessToken,
+				session: {
+					sealSession: true,
+					cookiePassword
+				}
+			});
+			if (options.cookiePassword) this.cookiePassword = options.cookiePassword;
+			this.sessionData = authenticationResponse.sealedSession;
+			const { sid: sessionId, org_id: organizationId, role, roles, permissions, entitlements, feature_flags: featureFlags } = decodeJwt(authenticationResponse.accessToken);
+			return {
+				authenticated: true,
+				sealedSession: authenticationResponse.sealedSession,
+				session: authenticationResponse,
+				authenticationMethod: authenticationResponse.authenticationMethod,
+				sessionId,
+				organizationId,
+				role,
+				roles,
+				permissions,
+				entitlements,
+				featureFlags,
+				user: session.user,
+				impersonator: session.impersonator
+			};
+		} catch (error) {
+			if (error instanceof require_oauth_exception.OauthException && (error.error === require_refresh_and_seal_session_data_interface.RefreshSessionFailureReason.INVALID_GRANT || error.error === require_refresh_and_seal_session_data_interface.RefreshSessionFailureReason.MFA_ENROLLMENT || error.error === require_refresh_and_seal_session_data_interface.RefreshSessionFailureReason.SSO_REQUIRED)) return {
+				authenticated: false,
+				reason: error.error
+			};
+			throw error;
+		}
+	}
+	/**
+	* Gets the URL to redirect the user to for logging out.
+	*
+	* @returns The URL to redirect the user to for logging out.
+	*/
+	async getLogoutUrl({ returnTo } = {}) {
+		const authenticationResponse = await this.authenticate();
+		if (!authenticationResponse.authenticated) {
+			const { reason } = authenticationResponse;
+			throw new Error(`Failed to extract session ID for logout URL: ${reason}`);
+		}
+		return this.userManagement.getLogoutUrl({
+			sessionId: authenticationResponse.sessionId,
+			returnTo
+		});
+	}
+	async isValidJwt(accessToken) {
+		const { jwtVerify } = await require_jose.getJose();
+		const jwks = await this.userManagement.getJWKS();
+		if (!jwks) throw new Error("Missing client ID. Did you provide it when initializing WorkOS?");
+		try {
+			await jwtVerify(accessToken, jwks);
+			return true;
+		} catch (e) {
+			if (e instanceof Error && "code" in e && typeof e.code === "string" && (e.code.startsWith("ERR_JWT_") || e.code.startsWith("ERR_JWS_"))) return false;
+			throw e;
+		}
+	}
+};
+
+//#endregion
+Object.defineProperty(exports, 'CookieSession', {
+  enumerable: true,
+  get: function () {
+    return CookieSession;
+  }
+});
+//# sourceMappingURL=session-BspC-lF9.cjs.map

package/lib/session-BspC-lF9.cjs.map

@@ -0,0 +1 @@
+{"version":3,"file":"session-BspC-lF9.cjs","names":["AuthenticateWithSessionCookieFailureReason","unsealData","getJose","RefreshSessionFailureReason","OauthException"],"sources":["../src/user-management/session.ts"],"sourcesContent":["import { OauthException } from '../common/exceptions/oauth.exception';\nimport {\n  AccessToken,\n  AuthenticateWithSessionCookieFailedResponse,\n  AuthenticateWithSessionCookieFailureReason,\n  AuthenticateWithSessionCookieSuccessResponse,\n  AuthenticationResponse,\n  RefreshSessionFailureReason,\n  RefreshSessionResponse,\n  SessionCookieData,\n} from './interfaces';\nimport { UserManagement } from './user-management';\nimport { unsealData } from '../common/crypto/seal';\nimport { getJose } from '../utils/jose';\n\ntype RefreshOptions = {\n  cookiePassword?: string;\n  organizationId?: string;\n};\n\nexport class CookieSession {\n  private userManagement: UserManagement;\n  private cookiePassword: string;\n  private sessionData: string;\n\n  constructor(\n    userManagement: UserManagement,\n    sessionData: string,\n    cookiePassword: string,\n  ) {\n    if (!cookiePassword) {\n      throw new Error('cookiePassword is required');\n    }\n\n    this.userManagement = userManagement;\n    this.cookiePassword = cookiePassword;\n    this.sessionData = sessionData;\n  }\n\n  /**\n   * Authenticates a user with a session cookie.\n   *\n   * @returns An object indicating whether the authentication was successful or not. If successful, it will include the user's session data.\n   */\n  async authenticate(): Promise<\n    | AuthenticateWithSessionCookieSuccessResponse\n    | AuthenticateWithSessionCookieFailedResponse\n  > {\n    if (!this.sessionData) {\n      return {\n        authenticated: false,\n        reason:\n          AuthenticateWithSessionCookieFailureReason.NO_SESSION_COOKIE_PROVIDED,\n      };\n    }\n\n    // unsealData returns {} for known seal errors (expired, bad hmac, etc.)\n    // Unknown errors propagate - don't catch them as \"invalid session\"\n    const session = await unsealData<SessionCookieData>(this.sessionData, {\n      password: this.cookiePassword,\n    });\n\n    if (!session.accessToken) {\n      return {\n        authenticated: false,\n        reason:\n          AuthenticateWithSessionCookieFailureReason.INVALID_SESSION_COOKIE,\n      };\n    }\n\n    if (!(await this.isValidJwt(session.accessToken))) {\n      return {\n        authenticated: false,\n        reason: AuthenticateWithSessionCookieFailureReason.INVALID_JWT,\n      };\n    }\n\n    const { decodeJwt } = await getJose();\n\n    const {\n      sid: sessionId,\n      org_id: organizationId,\n      role,\n      roles,\n      permissions,\n      entitlements,\n      feature_flags: featureFlags,\n    } = decodeJwt<AccessToken>(session.accessToken);\n\n    return {\n      authenticated: true,\n      sessionId,\n      organizationId,\n      role,\n      roles,\n      permissions,\n      entitlements,\n      featureFlags,\n      user: session.user,\n      authenticationMethod: session.authenticationMethod,\n      impersonator: session.impersonator,\n      accessToken: session.accessToken,\n    };\n  }\n\n  /**\n   * Refreshes the user's session.\n   *\n   * @param options - Optional options for refreshing the session.\n   * @param options.cookiePassword - The password to use for the new session cookie.\n   * @param options.organizationId - The organization ID to use for the new session cookie.\n   * @returns An object indicating whether the refresh was successful or not. If successful, it will include the new sealed session data.\n   */\n  async refresh(options: RefreshOptions = {}): Promise<RefreshSessionResponse> {\n    const { decodeJwt } = await getJose();\n    const session = await unsealData<SessionCookieData>(this.sessionData, {\n      password: this.cookiePassword,\n    });\n\n    if (!session.refreshToken || !session.user) {\n      return {\n        authenticated: false,\n        reason: RefreshSessionFailureReason.INVALID_SESSION_COOKIE,\n      };\n    }\n\n    const { org_id: organizationIdFromAccessToken } = decodeJwt<AccessToken>(\n      session.accessToken,\n    );\n\n    try {\n      const cookiePassword = options.cookiePassword ?? this.cookiePassword;\n\n      const authenticationResponse =\n        await this.userManagement.authenticateWithRefreshToken({\n          clientId: this.userManagement.clientId as string,\n          refreshToken: session.refreshToken,\n          organizationId:\n            options.organizationId ?? organizationIdFromAccessToken,\n          session: {\n            // We want to store the new sealed session in this class instance, so this always needs to be true\n            sealSession: true,\n            cookiePassword,\n          },\n        });\n\n      // Update the password if a new one was provided\n      if (options.cookiePassword) {\n        this.cookiePassword = options.cookiePassword;\n      }\n\n      this.sessionData = authenticationResponse.sealedSession as string;\n\n      const {\n        sid: sessionId,\n        org_id: organizationId,\n        role,\n        roles,\n        permissions,\n        entitlements,\n        feature_flags: featureFlags,\n      } = decodeJwt<AccessToken>(authenticationResponse.accessToken);\n\n      // TODO: Returning `session` here means there's some duplicated data.\n      // Slim down the return type in a future major version.\n      return {\n        authenticated: true,\n        sealedSession: authenticationResponse.sealedSession,\n        session: authenticationResponse as AuthenticationResponse,\n        authenticationMethod: authenticationResponse.authenticationMethod,\n        sessionId,\n        organizationId,\n        role,\n        roles,\n        permissions,\n        entitlements,\n        featureFlags,\n        user: session.user,\n        impersonator: session.impersonator,\n      };\n    } catch (error) {\n      if (\n        error instanceof OauthException &&\n        // TODO: Add additional known errors and remove re-throw\n        (error.error === RefreshSessionFailureReason.INVALID_GRANT ||\n          error.error === RefreshSessionFailureReason.MFA_ENROLLMENT ||\n          error.error === RefreshSessionFailureReason.SSO_REQUIRED)\n      ) {\n        return {\n          authenticated: false,\n          reason: error.error,\n        };\n      }\n\n      throw error;\n    }\n  }\n\n  /**\n   * Gets the URL to redirect the user to for logging out.\n   *\n   * @returns The URL to redirect the user to for logging out.\n   */\n  async getLogoutUrl({\n    returnTo,\n  }: { returnTo?: string } = {}): Promise<string> {\n    const authenticationResponse = await this.authenticate();\n\n    if (!authenticationResponse.authenticated) {\n      const { reason } = authenticationResponse;\n      throw new Error(`Failed to extract session ID for logout URL: ${reason}`);\n    }\n\n    return this.userManagement.getLogoutUrl({\n      sessionId: authenticationResponse.sessionId,\n      returnTo,\n    });\n  }\n\n  private async isValidJwt(accessToken: string): Promise<boolean> {\n    const { jwtVerify } = await getJose();\n    const jwks = await this.userManagement.getJWKS();\n    if (!jwks) {\n      throw new Error(\n        'Missing client ID. Did you provide it when initializing WorkOS?',\n      );\n    }\n\n    try {\n      await jwtVerify(accessToken, jwks);\n      return true;\n    } catch (e) {\n      // Only treat as invalid JWT if it's an actual JWT/JWS error from jose\n      // Network errors, crypto failures, etc. should propagate\n      if (\n        e instanceof Error &&\n        'code' in e &&\n        typeof e.code === 'string' &&\n        (e.code.startsWith('ERR_JWT_') || e.code.startsWith('ERR_JWS_'))\n      ) {\n        return false;\n      }\n      throw e;\n    }\n  }\n}\n"],"mappings":";;;;;;;AAoBA,IAAa,gBAAb,MAA2B;CACzB,AAAQ;CACR,AAAQ;CACR,AAAQ;CAER,YACE,gBACA,aACA,gBACA;AACA,MAAI,CAAC,eACH,OAAM,IAAI,MAAM,6BAA6B;AAG/C,OAAK,iBAAiB;AACtB,OAAK,iBAAiB;AACtB,OAAK,cAAc;;;;;;;CAQrB,MAAM,eAGJ;AACA,MAAI,CAAC,KAAK,YACR,QAAO;GACL,eAAe;GACf,QACEA,8FAA2C;GAC9C;EAKH,MAAM,UAAU,MAAMC,wBAA8B,KAAK,aAAa,EACpE,UAAU,KAAK,gBAChB,CAAC;AAEF,MAAI,CAAC,QAAQ,YACX,QAAO;GACL,eAAe;GACf,QACED,8FAA2C;GAC9C;AAGH,MAAI,CAAE,MAAM,KAAK,WAAW,QAAQ,YAAY,CAC9C,QAAO;GACL,eAAe;GACf,QAAQA,8FAA2C;GACpD;EAGH,MAAM,EAAE,cAAc,MAAME,sBAAS;EAErC,MAAM,EACJ,KAAK,WACL,QAAQ,gBACR,MACA,OACA,aACA,cACA,eAAe,iBACb,UAAuB,QAAQ,YAAY;AAE/C,SAAO;GACL,eAAe;GACf;GACA;GACA;GACA;GACA;GACA;GACA;GACA,MAAM,QAAQ;GACd,sBAAsB,QAAQ;GAC9B,cAAc,QAAQ;GACtB,aAAa,QAAQ;GACtB;;;;;;;;;;CAWH,MAAM,QAAQ,UAA0B,EAAE,EAAmC;EAC3E,MAAM,EAAE,cAAc,MAAMA,sBAAS;EACrC,MAAM,UAAU,MAAMD,wBAA8B,KAAK,aAAa,EACpE,UAAU,KAAK,gBAChB,CAAC;AAEF,MAAI,CAAC,QAAQ,gBAAgB,CAAC,QAAQ,KACpC,QAAO;GACL,eAAe;GACf,QAAQE,4EAA4B;GACrC;EAGH,MAAM,EAAE,QAAQ,kCAAkC,UAChD,QAAQ,YACT;AAED,MAAI;GACF,MAAM,iBAAiB,QAAQ,kBAAkB,KAAK;GAEtD,MAAM,yBACJ,MAAM,KAAK,eAAe,6BAA6B;IACrD,UAAU,KAAK,eAAe;IAC9B,cAAc,QAAQ;IACtB,gBACE,QAAQ,kBAAkB;IAC5B,SAAS;KAEP,aAAa;KACb;KACD;IACF,CAAC;AAGJ,OAAI,QAAQ,eACV,MAAK,iBAAiB,QAAQ;AAGhC,QAAK,cAAc,uBAAuB;GAE1C,MAAM,EACJ,KAAK,WACL,QAAQ,gBACR,MACA,OACA,aACA,cACA,eAAe,iBACb,UAAuB,uBAAuB,YAAY;AAI9D,UAAO;IACL,eAAe;IACf,eAAe,uBAAuB;IACtC,SAAS;IACT,sBAAsB,uBAAuB;IAC7C;IACA;IACA;IACA;IACA;IACA;IACA;IACA,MAAM,QAAQ;IACd,cAAc,QAAQ;IACvB;WACM,OAAO;AACd,OACE,iBAAiBC,2CAEhB,MAAM,UAAUD,4EAA4B,iBAC3C,MAAM,UAAUA,4EAA4B,kBAC5C,MAAM,UAAUA,4EAA4B,cAE9C,QAAO;IACL,eAAe;IACf,QAAQ,MAAM;IACf;AAGH,SAAM;;;;;;;;CASV,MAAM,aAAa,EACjB,aACyB,EAAE,EAAmB;EAC9C,MAAM,yBAAyB,MAAM,KAAK,cAAc;AAExD,MAAI,CAAC,uBAAuB,eAAe;GACzC,MAAM,EAAE,WAAW;AACnB,SAAM,IAAI,MAAM,gDAAgD,SAAS;;AAG3E,SAAO,KAAK,eAAe,aAAa;GACtC,WAAW,uBAAuB;GAClC;GACD,CAAC;;CAGJ,MAAc,WAAW,aAAuC;EAC9D,MAAM,EAAE,cAAc,MAAMD,sBAAS;EACrC,MAAM,OAAO,MAAM,KAAK,eAAe,SAAS;AAChD,MAAI,CAAC,KACH,OAAM,IAAI,MACR,kEACD;AAGH,MAAI;AACF,SAAM,UAAU,aAAa,KAAK;AAClC,UAAO;WACA,GAAG;AAGV,OACE,aAAa,SACb,UAAU,KACV,OAAO,EAAE,SAAS,aACjB,EAAE,KAAK,WAAW,WAAW,IAAI,EAAE,KAAK,WAAW,WAAW,EAE/D,QAAO;AAET,SAAM"}

package/lib/session-handler-options.interface-BVTuA5uU.d.cts

@@ -0,0 +1,9 @@
+//#region src/user-management/interfaces/session-handler-options.interface.d.ts
+interface SessionHandlerOptions {
+  sessionData: string;
+  cookiePassword?: string;
+  organizationId?: string;
+}
+//#endregion
+export { SessionHandlerOptions as t };
+//# sourceMappingURL=session-handler-options.interface-BVTuA5uU.d.cts.map

package/lib/session.interface-zszewQtk.d.cts

@@ -0,0 +1,38 @@
+import { t as Impersonator } from "./impersonator.interface-BLJ5uqT4.cjs";
+
+//#region src/user-management/interfaces/session.interface.d.ts
+type AuthMethod = 'external_auth' | 'impersonation' | 'magic_code' | 'migrated_session' | 'oauth' | 'passkey' | 'password' | 'sso' | 'unknown';
+type SessionStatus = 'active' | 'expired' | 'revoked';
+interface Session {
+  object: 'session';
+  id: string;
+  userId: string;
+  ipAddress: string | null;
+  userAgent: string | null;
+  organizationId?: string;
+  impersonator?: Impersonator;
+  authMethod: AuthMethod;
+  status: SessionStatus;
+  expiresAt: string;
+  endedAt: string | null;
+  createdAt: string;
+  updatedAt: string;
+}
+interface SessionResponse {
+  object: 'session';
+  id: string;
+  user_id: string;
+  ip_address: string | null;
+  user_agent: string | null;
+  organization_id?: string;
+  impersonator?: Impersonator;
+  auth_method: AuthMethod;
+  status: SessionStatus;
+  expires_at: string;
+  ended_at: string | null;
+  created_at: string;
+  updated_at: string;
+}
+//#endregion
+export { SessionStatus as i, Session as n, SessionResponse as r, AuthMethod as t };
+//# sourceMappingURL=session.interface-zszewQtk.d.cts.map

package/lib/session.serializer-DAUllV3H.d.cts

@@ -0,0 +1,7 @@
+import { n as Session, r as SessionResponse } from "./session.interface-zszewQtk.cjs";
+
+//#region src/user-management/serializers/session.serializer.d.ts
+declare const deserializeSession: (session: SessionResponse) => Session;
+//#endregion
+export { deserializeSession as t };
+//# sourceMappingURL=session.serializer-DAUllV3H.d.cts.map

package/lib/set-environment-role-permissions-options.interface-CJm4G5CM.d.cts

@@ -0,0 +1,7 @@
+//#region src/authorization/interfaces/set-environment-role-permissions-options.interface.d.ts
+interface SetEnvironmentRolePermissionsOptions {
+  permissions: string[];
+}
+//#endregion
+export { SetEnvironmentRolePermissionsOptions as t };
+//# sourceMappingURL=set-environment-role-permissions-options.interface-CJm4G5CM.d.cts.map

package/lib/set-organization-role-permissions-options.interface-F54jbJ3q.d.cts

@@ -0,0 +1,7 @@
+//#region src/authorization/interfaces/set-organization-role-permissions-options.interface.d.ts
+interface SetOrganizationRolePermissionsOptions {
+  permissions: string[];
+}
+//#endregion
+export { SetOrganizationRolePermissionsOptions as t };
+//# sourceMappingURL=set-organization-role-permissions-options.interface-F54jbJ3q.d.cts.map

package/lib/signature-verification.exception-D2-xkCRS.d.cts

@@ -0,0 +1,8 @@
+//#region src/common/exceptions/signature-verification.exception.d.ts
+declare class SignatureVerificationException extends Error {
+  readonly name = "SignatureVerificationException";
+  constructor(message: string);
+}
+//#endregion
+export { SignatureVerificationException as t };
+//# sourceMappingURL=signature-verification.exception-D2-xkCRS.d.cts.map

package/lib/sms.interface-f_7eFA1B.d.cts

@@ -0,0 +1,10 @@
+//#region src/mfa/interfaces/sms.interface.d.ts
+interface Sms {
+  phoneNumber: string;
+}
+interface SmsResponse {
+  phone_number: string;
+}
+//#endregion
+export { SmsResponse as n, Sms as t };
+//# sourceMappingURL=sms.interface-f_7eFA1B.d.cts.map

package/lib/sso/interfaces/authorization-url-options.interface.d.cts

@@ -1,2 +1,2 @@
-import { n as SSOPKCEAuthorizationURLResult, t as SSOAuthorizationURLOptions } from "../../authorization-url-options.interface-ZrBipUt2.cjs";
+import { n as SSOPKCEAuthorizationURLResult, t as SSOAuthorizationURLOptions } from "../../authorization-url-options.interface-C5ABtdiE.cjs";
 export { SSOAuthorizationURLOptions, SSOPKCEAuthorizationURLResult };

package/lib/sso/interfaces/connection-type.enum.cjs

@@ -1,3 +1,3 @@
-const require_connection_type_enum = require('../../connection-type.enum-CZfRWY9b.cjs');
+const require_connection_type_enum = require('../../connection-type.enum-CQncLVbr.cjs');
 
 exports.ConnectionType = require_connection_type_enum.ConnectionType;

package/lib/sso/interfaces/connection-type.enum.d.cts

@@ -1,2 +1,2 @@
-import { t as ConnectionType } from "../../connection-type.enum-CjWDQ5dq.cjs";
+import { t as ConnectionType } from "../../connection-type.enum-BCSkvlg6.cjs";
 export { ConnectionType };

package/lib/sso/interfaces/connection.interface.d.cts

@@ -1,2 +1,2 @@
-import { n as ConnectionDomain, r as ConnectionResponse, t as Connection } from "../../connection.interface-DV7VmsKj.cjs";
+import { n as ConnectionDomain, r as ConnectionResponse, t as Connection } from "../../connection.interface-D1HP4q90.cjs";
 export { Connection, ConnectionDomain, ConnectionResponse };

package/lib/sso/interfaces/get-profile-and-token-options.interface.d.cts

@@ -1,2 +1,2 @@
-import { t as GetProfileAndTokenOptions } from "../../get-profile-and-token-options.interface-CgiTXQNg.cjs";
+import { t as GetProfileAndTokenOptions } from "../../get-profile-and-token-options.interface-B4HEexcv.cjs";
 export { GetProfileAndTokenOptions };

package/lib/sso/interfaces/get-profile-options.interface.d.cts

@@ -1,2 +1,2 @@
-import { t as GetProfileOptions } from "../../get-profile-options.interface-CF_TcBM6.cjs";
+import { t as GetProfileOptions } from "../../get-profile-options.interface-BTqozSx_.cjs";
 export { GetProfileOptions };

package/lib/sso/interfaces/index.cjs

@@ -1,3 +1,3 @@
-const require_connection_type_enum = require('../../connection-type.enum-CZfRWY9b.cjs');
+const require_connection_type_enum = require('../../connection-type.enum-CQncLVbr.cjs');
 
 exports.ConnectionType = require_connection_type_enum.ConnectionType;

package/lib/sso/interfaces/index.d.cts

@@ -1,9 +1,8 @@
-import { n as SSOPKCEAuthorizationURLResult, t as SSOAuthorizationURLOptions } from "../../authorization-url-options.interface-ZrBipUt2.cjs";
-import { t as ConnectionType } from "../../connection-type.enum-CjWDQ5dq.cjs";
-import { n as ConnectionDomain, r as ConnectionResponse, t as Connection } from "../../connection.interface-DV7VmsKj.cjs";
-import { t as GetProfileOptions } from "../../get-profile-options.interface-CF_TcBM6.cjs";
-import { t as GetProfileAndTokenOptions } from "../../get-profile-and-token-options.interface-CgiTXQNg.cjs";
-import { n as SerializedListConnectionsOptions, t as ListConnectionsOptions } from "../../list-connections-options.interface-C_4eo9BU.cjs";
-import { n as ProfileResponse, t as Profile } from "../../profile.interface-CPseQwyu.cjs";
-import { n as ProfileAndTokenResponse, t as ProfileAndToken } from "../../profile-and-token.interface-ZhaI1B_G.cjs";
+import { Cn as ProfileAndTokenResponse, Sn as ProfileAndToken, Tn as ProfileResponse, wn as Profile } from "../../index-DBcxvLj5.cjs";
+import { n as SSOPKCEAuthorizationURLResult, t as SSOAuthorizationURLOptions } from "../../authorization-url-options.interface-C5ABtdiE.cjs";
+import { t as ConnectionType } from "../../connection-type.enum-BCSkvlg6.cjs";
+import { n as ConnectionDomain, r as ConnectionResponse, t as Connection } from "../../connection.interface-D1HP4q90.cjs";
+import { t as GetProfileOptions } from "../../get-profile-options.interface-BTqozSx_.cjs";
+import { t as GetProfileAndTokenOptions } from "../../get-profile-and-token-options.interface-B4HEexcv.cjs";
+import { n as SerializedListConnectionsOptions, t as ListConnectionsOptions } from "../../list-connections-options.interface-zYzKu8PV.cjs";
 export { Connection, ConnectionDomain, ConnectionResponse, ConnectionType, GetProfileAndTokenOptions, GetProfileOptions, ListConnectionsOptions, Profile, ProfileAndToken, ProfileAndTokenResponse, ProfileResponse, SSOAuthorizationURLOptions, SSOPKCEAuthorizationURLResult, SerializedListConnectionsOptions };

package/lib/sso/interfaces/list-connections-options.interface.d.cts

@@ -1,2 +1,2 @@
-import { n as SerializedListConnectionsOptions, t as ListConnectionsOptions } from "../../list-connections-options.interface-C_4eo9BU.cjs";
+import { n as SerializedListConnectionsOptions, t as ListConnectionsOptions } from "../../list-connections-options.interface-zYzKu8PV.cjs";
 export { ListConnectionsOptions, SerializedListConnectionsOptions };

package/lib/sso/interfaces/profile-and-token.interface.d.cts

@@ -1,2 +1,2 @@
-import { n as ProfileAndTokenResponse, t as ProfileAndToken } from "../../profile-and-token.interface-ZhaI1B_G.cjs";
+import { Cn as ProfileAndTokenResponse, Sn as ProfileAndToken } from "../../index-DBcxvLj5.cjs";
 export { ProfileAndToken, ProfileAndTokenResponse };

package/lib/sso/interfaces/profile.interface.d.cts

@@ -1,2 +1,2 @@
-import { n as ProfileResponse, t as Profile } from "../../profile.interface-CPseQwyu.cjs";
+import { Tn as ProfileResponse, wn as Profile } from "../../index-DBcxvLj5.cjs";
 export { Profile, ProfileResponse };

package/lib/sso/serializers/connection.serializer.d.cts

@@ -1,2 +1,2 @@
-import { t as deserializeConnection } from "../../connection.serializer-Biy7KKu3.cjs";
+import { t as deserializeConnection } from "../../connection.serializer-B47qKsDN.cjs";
 export { deserializeConnection };

package/lib/sso/serializers/index.d.cts

@@ -1,5 +1,5 @@
-import { t as deserializeConnection } from "../../connection.serializer-Biy7KKu3.cjs";
-import { t as serializeListConnectionsOptions } from "../../list-connections-options.serializer-DfJliOZZ.cjs";
-import { t as deserializeProfileAndToken } from "../../profile-and-token.serializer-jvVxElaa.cjs";
-import { t as deserializeProfile } from "../../profile.serializer-DdojQSTs.cjs";
+import { t as deserializeConnection } from "../../connection.serializer-B47qKsDN.cjs";
+import { t as serializeListConnectionsOptions } from "../../list-connections-options.serializer-BQ887b-b.cjs";
+import { t as deserializeProfileAndToken } from "../../profile-and-token.serializer-BL6rgjRg.cjs";
+import { t as deserializeProfile } from "../../profile.serializer-C-SA2vtS.cjs";
 export { deserializeConnection, deserializeProfile, deserializeProfileAndToken, serializeListConnectionsOptions };

package/lib/sso/serializers/list-connections-options.serializer.d.cts

@@ -1,2 +1,2 @@
-import { t as serializeListConnectionsOptions } from "../../list-connections-options.serializer-DfJliOZZ.cjs";
+import { t as serializeListConnectionsOptions } from "../../list-connections-options.serializer-BQ887b-b.cjs";
 export { serializeListConnectionsOptions };

package/lib/sso/serializers/profile-and-token.serializer.d.cts

@@ -1,2 +1,2 @@
-import { t as deserializeProfileAndToken } from "../../profile-and-token.serializer-jvVxElaa.cjs";
+import { t as deserializeProfileAndToken } from "../../profile-and-token.serializer-BL6rgjRg.cjs";
 export { deserializeProfileAndToken };

package/lib/sso/serializers/profile.serializer.d.cts

@@ -1,2 +1,2 @@
-import { t as deserializeProfile } from "../../profile.serializer-DdojQSTs.cjs";
+import { t as deserializeProfile } from "../../profile.serializer-C-SA2vtS.cjs";
 export { deserializeProfile };

package/lib/sso/sso.d.cts

@@ -1,2 +1,2 @@
-import { v as SSO } from "../api-keys-mDyp4q6k.cjs";
+import { y as SSO } from "../api-keys-4KSJ7vul.cjs";
 export { SSO };