astro-tokenkit 1.0.11 → 1.0.13

package/README.md

@@ -61,8 +61,8 @@ Now you can use the `api` client anywhere in your Astro pages or components with
 // src/pages/profile.astro
 import { api } from 'astro-tokenkit';
 
-// No need to pass context, it's handled by middleware!
-const user = await api.get('/me');
+// Request methods return an APIResponse object
+const { data: user } = await api.get('/me');
 ---
 
 <h1>Welcome, {user.name}</h1>
@@ -130,10 +130,10 @@ const specializedClient = createClient({
 | `loginData` | `Record<string, any>` | Extra data to be sent with login request. |
 | `refreshData` | `Record<string, any>` | Extra data to be sent with refresh request. |
 | `refreshRequestField` | `string` | Field name for the refresh token in the refresh request (default: `refreshToken`). |
-| `fields` | `FieldMapping` | Custom mapping for token fields in API responses. |
+| `fields` | `FieldMapping` | Custom mapping for token fields in API responses (`accessToken`, `refreshToken`, `expiresAt`, `expiresIn`, `tokenType`, `sessionPayload`). |
 | `parseLogin` | `Function` | Custom parser for login response: `(body: any) => TokenBundle`. |
 | `parseRefresh`| `Function` | Custom parser for refresh response: `(body: any) => TokenBundle`. |
-| `injectToken` | `Function` | Custom token injection: `(token: string) => string` (default: Bearer). |
+| `injectToken` | `Function` | Custom token injection: `(token: string, type?: string) => string` (default: Bearer). |
 | `cookies` | `CookieConfig` | Configuration for auth cookies. |
 | `policy` | `RefreshPolicy` | Strategy for when to trigger token refresh. |
 
@@ -142,6 +142,7 @@ const specializedClient = createClient({
 | Property | Type | Description |
 | :--- | :--- | :--- |
 | `onLogin` | `Function` | Callback after successful login: `(bundle, body, ctx) => void`. |
+| `onError` | `Function` | Callback after failed login: `(error, ctx) => void`. |
 | `headers` | `Record<string, string>` | Extra headers for this specific login request. |
 | `data` | `Record<string, any>` | Extra data for this specific login request. |
 
@@ -167,7 +168,7 @@ If you prefer not to use middleware, you can bind the Astro context manually for
 ```typescript
 import { runWithContext } from 'astro-tokenkit';
 
-const data = await runWithContext(Astro, () => api.get('/data'));
+const { data } = await runWithContext(Astro, () => api.get('/data'));
 ```
 
 ### Interceptors
@@ -190,16 +191,56 @@ const api = createClient({
 
 ```typescript
 // In an API route or server-side component
-await api.login({ username, password }, {
+const { data: bundle } = await api.login({ username, password }, {
   onLogin: (bundle, body, ctx) => {
     // Post-login logic (e.g., sync session to another store)
     console.log('User logged in!', bundle.sessionPayload);
+  },
+  onError: (error, ctx) => {
+    // Handle error (e.g., log it or perform cleanup)
+    console.error('Login failed:', error.message);
   }
 });
 
 await api.logout();
 ```
 
+### Using Promises (.then, .catch, .finally)
+
+All API methods return a Promise that resolves to an `APIResponse` object. You can use traditional promise chaining:
+
+```typescript
+// Example with GET request
+api.get('/me')
+  .then(({ data: user, status }) => {
+    console.log(`User ${user.name} fetched with status ${status}`);
+  })
+  .catch(err => {
+    console.error('Failed to fetch user:', err.message);
+  })
+  .finally(() => {
+    console.log('Request finished');
+  });
+
+// Example with login
+api.login(credentials)
+  .then(({ data: token }) => {
+    console.log('Successfully logged in!', token.accessToken);
+  })
+  .catch(err => {
+    if (err instanceof AuthError) {
+      console.error('Authentication failed:', err.message);
+    } else {
+      console.error('An unexpected error occurred:', err.message);
+    }
+  })
+  .finally(() => {
+    // E.g. stop loading state
+  });
+```
+
+> **Note:** Since all methods return an `APIResponse` object, you can use destructuring in `.then()` to access the data directly, which allows for clean syntax like `.then(({ data: token }) => ... )`.
+
 ## License
 
 MIT © [oamm](https://github.com/oamm)

package/dist/auth/detector.js

@@ -35,6 +35,13 @@ const EXPIRES_IN_FIELDS = [
     'expiresIn',
     'ttl',
 ];
+/**
+ * Common field names for token type
+ */
+const TOKEN_TYPE_FIELDS = [
+    'token_type',
+    'tokenType',
+];
 /**
  * Common field names for session payload
  */
@@ -97,10 +104,13 @@ export function autoDetectFields(body, fieldMapping) {
     }
     // Detect session payload (optional)
     const sessionPayload = findField(SESSION_PAYLOAD_FIELDS, fieldMapping === null || fieldMapping === void 0 ? void 0 : fieldMapping.sessionPayload);
+    // Detect token type (optional)
+    const tokenType = findField(TOKEN_TYPE_FIELDS, fieldMapping === null || fieldMapping === void 0 ? void 0 : fieldMapping.tokenType);
     return {
         accessToken,
         refreshToken,
         accessExpiresAt,
+        tokenType: tokenType || undefined,
         sessionPayload: sessionPayload || undefined,
     };
 }
@@ -114,6 +124,10 @@ export function parseJWTPayload(token) {
             return null;
         }
         const payload = parts[1];
+        // Better UTF-8 support for environments with Buffer (like Node.js/Astro)
+        if (typeof Buffer !== 'undefined') {
+            return JSON.parse(Buffer.from(payload, 'base64').toString('utf8'));
+        }
         const decoded = atob(payload.replace(/-/g, '+').replace(/_/g, '/'));
         return JSON.parse(decoded);
     }

package/dist/auth/manager.d.ts

@@ -1,3 +1,4 @@
+import { APIResponse } from '../types';
 import type { TokenBundle, Session, AuthConfig, TokenKitContext, AuthOptions, LoginOptions } from '../types';
 /**
  * Token Manager handles all token operations
@@ -10,7 +11,7 @@ export declare class TokenManager {
     /**
      * Perform login
      */
-    login(ctx: TokenKitContext, credentials: any, options?: LoginOptions): Promise<TokenBundle>;
+    login(ctx: TokenKitContext, credentials: any, options?: LoginOptions): Promise<APIResponse<TokenBundle>>;
     /**
      * Perform token refresh
      */
@@ -39,4 +40,8 @@ export declare class TokenManager {
      * Create flight key for single-flight deduplication
      */
     private createFlightKey;
+    /**
+     * Join base URL and path safely
+     */
+    private joinURL;
 }

package/dist/auth/manager.js

@@ -54,7 +54,7 @@ export class TokenManager {
      */
     login(ctx, credentials, options) {
         return __awaiter(this, void 0, void 0, function* () {
-            const url = this.baseURL + this.config.login;
+            const url = this.joinURL(this.baseURL, this.config.login);
             const contentType = this.config.contentType || 'application/json';
             const headers = Object.assign(Object.assign({ 'Content-Type': contentType }, this.config.headers), options === null || options === void 0 ? void 0 : options.headers);
             const data = Object.assign(Object.assign(Object.assign({}, this.config.loginData), options === null || options === void 0 ? void 0 : options.data), credentials);
@@ -65,15 +65,25 @@ export class TokenManager {
             else {
                 requestBody = JSON.stringify(data);
             }
-            const response = yield fetch(url, {
-                method: 'POST',
-                headers,
-                body: requestBody,
-            }).catch(error => {
-                throw new AuthError(`Login request failed: ${error.message}`);
-            });
+            let response;
+            try {
+                response = yield fetch(url, {
+                    method: 'POST',
+                    headers,
+                    body: requestBody,
+                });
+            }
+            catch (error) {
+                const authError = new AuthError(`Login request failed: ${error.message}`);
+                if (options === null || options === void 0 ? void 0 : options.onError)
+                    yield options.onError(authError, ctx);
+                throw authError;
+            }
             if (!response.ok) {
-                throw new AuthError(`Login failed: ${response.status} ${response.statusText}`, response.status, response);
+                const authError = new AuthError(`Login failed: ${response.status} ${response.statusText}`, response.status, response);
+                if (options === null || options === void 0 ? void 0 : options.onError)
+                    yield options.onError(authError, ctx);
+                throw authError;
             }
             const body = yield response.json().catch(() => ({}));
             // Parse response
@@ -84,7 +94,10 @@ export class TokenManager {
                     : autoDetectFields(body, this.config.fields);
             }
             catch (error) {
-                throw new AuthError(`Invalid login response: ${error.message}`, response.status, response);
+                const authError = new AuthError(`Invalid login response: ${error.message}`, response.status, response);
+                if (options === null || options === void 0 ? void 0 : options.onError)
+                    yield options.onError(authError, ctx);
+                throw authError;
             }
             // Store in cookies
             storeTokens(ctx, bundle, this.config.cookies);
@@ -92,7 +105,14 @@ export class TokenManager {
             if (options === null || options === void 0 ? void 0 : options.onLogin) {
                 yield options.onLogin(bundle, body, ctx);
             }
-            return bundle;
+            return {
+                data: bundle,
+                status: response.status,
+                statusText: response.statusText,
+                headers: response.headers,
+                url: response.url,
+                ok: response.ok,
+            };
         });
     }
     /**
@@ -114,7 +134,7 @@ export class TokenManager {
      */
     performRefresh(ctx, refreshToken, options, extraHeaders) {
         return __awaiter(this, void 0, void 0, function* () {
-            const url = this.baseURL + this.config.refresh;
+            const url = this.joinURL(this.baseURL, this.config.refresh);
             const contentType = this.config.contentType || 'application/json';
             const headers = Object.assign(Object.assign({ 'Content-Type': contentType }, this.config.headers), extraHeaders);
             const refreshField = this.config.refreshRequestField || 'refreshToken';
@@ -126,13 +146,17 @@ export class TokenManager {
             else {
                 requestBody = JSON.stringify(data);
             }
-            const response = yield fetch(url, {
-                method: 'POST',
-                headers,
-                body: requestBody,
-            }).catch(error => {
+            let response;
+            try {
+                response = yield fetch(url, {
+                    method: 'POST',
+                    headers,
+                    body: requestBody,
+                });
+            }
+            catch (error) {
                 throw new AuthError(`Refresh request failed: ${error.message}`);
-            });
+            }
             if (!response.ok) {
                 // 401/403 = invalid refresh token
                 if (response.status === 401 || response.status === 403) {
@@ -166,7 +190,7 @@ export class TokenManager {
      */
     ensure(ctx, options, headers) {
         return __awaiter(this, void 0, void 0, function* () {
-            var _a, _b, _c, _d, _e;
+            var _a, _b, _c, _d, _e, _f;
             const now = Math.floor(Date.now() / 1000);
             const tokens = retrieveTokens(ctx, this.config.cookies);
             // No tokens
@@ -182,6 +206,7 @@ export class TokenManager {
                 return {
                     accessToken: bundle.accessToken,
                     expiresAt: bundle.accessExpiresAt,
+                    tokenType: bundle.tokenType,
                     payload: (_b = (_a = bundle.sessionPayload) !== null && _a !== void 0 ? _a : parseJWTPayload(bundle.accessToken)) !== null && _b !== void 0 ? _b : undefined,
                 };
             }
@@ -193,6 +218,7 @@ export class TokenManager {
                     return {
                         accessToken: bundle.accessToken,
                         expiresAt: bundle.accessExpiresAt,
+                        tokenType: bundle.tokenType,
                         payload: (_d = (_c = bundle.sessionPayload) !== null && _c !== void 0 ? _c : parseJWTPayload(bundle.accessToken)) !== null && _d !== void 0 ? _d : undefined,
                     };
                 }
@@ -206,7 +232,8 @@ export class TokenManager {
             return {
                 accessToken: tokens.accessToken,
                 expiresAt: tokens.expiresAt,
-                payload: (_e = parseJWTPayload(tokens.accessToken)) !== null && _e !== void 0 ? _e : undefined,
+                tokenType: (_e = tokens.tokenType) !== null && _e !== void 0 ? _e : undefined,
+                payload: (_f = parseJWTPayload(tokens.accessToken)) !== null && _f !== void 0 ? _f : undefined,
             };
         });
     }
@@ -215,15 +242,22 @@ export class TokenManager {
      */
     logout(ctx) {
         return __awaiter(this, void 0, void 0, function* () {
+            var _a;
             // Optionally call logout endpoint
             if (this.config.logout) {
                 try {
-                    const url = this.baseURL + this.config.logout;
-                    yield fetch(url, { method: 'POST' });
+                    const url = this.joinURL(this.baseURL, this.config.logout);
+                    const session = this.getSession(ctx);
+                    const headers = {};
+                    if (session === null || session === void 0 ? void 0 : session.accessToken) {
+                        const injectFn = (_a = this.config.injectToken) !== null && _a !== void 0 ? _a : ((token, type) => `${type !== null && type !== void 0 ? type : 'Bearer'} ${token}`);
+                        headers['Authorization'] = injectFn(session.accessToken, session.tokenType);
+                    }
+                    yield fetch(url, { method: 'POST', headers });
                 }
                 catch (error) {
                     // Ignore logout endpoint errors
-                    console.warn('Logout endpoint failed:', error);
+                    console.warn('[TokenKit] Logout endpoint failed:', error);
                 }
             }
             clearTokens(ctx, this.config.cookies);
@@ -233,7 +267,7 @@ export class TokenManager {
      * Get current session (no refresh)
      */
     getSession(ctx) {
-        var _a;
+        var _a, _b;
         const tokens = retrieveTokens(ctx, this.config.cookies);
         if (!tokens.accessToken || !tokens.expiresAt) {
             return null;
@@ -241,7 +275,8 @@ export class TokenManager {
         return {
             accessToken: tokens.accessToken,
             expiresAt: tokens.expiresAt,
-            payload: (_a = parseJWTPayload(tokens.accessToken)) !== null && _a !== void 0 ? _a : undefined,
+            tokenType: (_a = tokens.tokenType) !== null && _a !== void 0 ? _a : undefined,
+            payload: (_b = parseJWTPayload(tokens.accessToken)) !== null && _b !== void 0 ? _b : undefined,
         };
     }
     /**
@@ -255,12 +290,15 @@ export class TokenManager {
      * Create flight key for single-flight deduplication
      */
     createFlightKey(token) {
-        let hash = 0;
-        for (let i = 0; i < token.length; i++) {
-            const char = token.charCodeAt(i);
-            hash = ((hash << 5) - hash) + char;
-            hash = hash & hash;
-        }
-        return `flight_${Math.abs(hash).toString(36)}`;
+        // Avoid weak hashing of sensitive tokens
+        return `refresh_${token}`;
+    }
+    /**
+     * Join base URL and path safely
+     */
+    joinURL(base, path) {
+        const b = base.endsWith('/') ? base : base + '/';
+        const p = path.startsWith('/') ? path.slice(1) : path;
+        return b + p;
     }
 }

package/dist/auth/policy.js

@@ -62,5 +62,6 @@ export function isExpired(expiresAt, now, policy = {}) {
     const clockSkew = typeof normalized.clockSkew === 'number'
         ? normalized.clockSkew
         : parseTime(normalized.clockSkew);
-    return now > expiresAt + clockSkew;
+    // Pessimistic: consider it expired if current time + skew is past expiration
+    return now + clockSkew > expiresAt;
 }

package/dist/auth/storage.d.ts

@@ -7,6 +7,7 @@ export interface CookieNames {
     refreshToken: string;
     expiresAt: string;
     lastRefreshAt: string;
+    tokenType: string;
 }
 /**
  * Get cookie names with optional prefix
@@ -33,6 +34,7 @@ export declare function retrieveTokens(ctx: TokenKitContext, cookieConfig?: Cook
     refreshToken: string | null;
     expiresAt: number | null;
     lastRefreshAt: number | null;
+    tokenType: string | null;
 };
 /**
  * Clear all auth cookies

package/dist/auth/storage.js

@@ -9,6 +9,7 @@ export function getCookieNames(prefix) {
         refreshToken: `${p}refresh_token`,
         expiresAt: `${p}access_expires_at`,
         lastRefreshAt: `${p}last_refresh_at`,
+        tokenType: `${p}token_type`,
     };
 }
 /**
@@ -44,20 +45,25 @@ export function storeTokens(ctx, bundle, cookieConfig = {}) {
     ctx.cookies.set(names.expiresAt, bundle.accessExpiresAt.toString(), Object.assign(Object.assign({}, options), { maxAge: accessMaxAge, path: '/' }));
     // Set last refresh timestamp
     ctx.cookies.set(names.lastRefreshAt, now.toString(), Object.assign(Object.assign({}, options), { maxAge: accessMaxAge, path: '/' }));
+    // Set token type if available
+    if (bundle.tokenType) {
+        ctx.cookies.set(names.tokenType, bundle.tokenType, Object.assign(Object.assign({}, options), { maxAge: accessMaxAge, path: '/' }));
+    }
 }
 /**
  * Retrieve tokens from cookies
  */
 export function retrieveTokens(ctx, cookieConfig = {}) {
-    var _a, _b, _c, _d;
+    var _a, _b, _c, _d, _e;
     const names = getCookieNames(cookieConfig.prefix);
     const accessToken = ((_a = ctx.cookies.get(names.accessToken)) === null || _a === void 0 ? void 0 : _a.value) || null;
     const refreshToken = ((_b = ctx.cookies.get(names.refreshToken)) === null || _b === void 0 ? void 0 : _b.value) || null;
-    const expiresAtStr = (_c = ctx.cookies.get(names.expiresAt)) === null || _c === void 0 ? void 0 : _c.value;
+    const tokenType = ((_c = ctx.cookies.get(names.tokenType)) === null || _c === void 0 ? void 0 : _c.value) || null;
+    const expiresAtStr = (_d = ctx.cookies.get(names.expiresAt)) === null || _d === void 0 ? void 0 : _d.value;
     const expiresAt = expiresAtStr ? parseInt(expiresAtStr, 10) : null;
-    const lastRefreshAtStr = (_d = ctx.cookies.get(names.lastRefreshAt)) === null || _d === void 0 ? void 0 : _d.value;
+    const lastRefreshAtStr = (_e = ctx.cookies.get(names.lastRefreshAt)) === null || _e === void 0 ? void 0 : _e.value;
     const lastRefreshAt = lastRefreshAtStr ? parseInt(lastRefreshAtStr, 10) : null;
-    return { accessToken, refreshToken, expiresAt, lastRefreshAt };
+    return { accessToken, refreshToken, expiresAt, lastRefreshAt, tokenType };
 }
 /**
  * Clear all auth cookies
@@ -69,4 +75,5 @@ export function clearTokens(ctx, cookieConfig = {}) {
     ctx.cookies.delete(names.refreshToken, Object.assign(Object.assign({}, options), { path: '/' }));
     ctx.cookies.delete(names.expiresAt, Object.assign(Object.assign({}, options), { path: '/' }));
     ctx.cookies.delete(names.lastRefreshAt, Object.assign(Object.assign({}, options), { path: '/' }));
+    ctx.cookies.delete(names.tokenType, Object.assign(Object.assign({}, options), { path: '/' }));
 }

package/dist/client/client.d.ts

@@ -1,4 +1,4 @@
-import type { ClientConfig, RequestConfig, RequestOptions, Session, TokenKitConfig, LoginOptions } from '../types';
+import type { APIResponse, ClientConfig, RequestConfig, RequestOptions, Session, TokenKitConfig, LoginOptions, TokenBundle } from '../types';
 import { TokenManager } from '../auth/manager';
 /**
  * API Client
@@ -25,27 +25,27 @@ export declare class APIClient {
     /**
      * GET request
      */
-    get<T = any>(url: string, options?: RequestOptions): Promise<T>;
+    get<T = any>(url: string, options?: RequestOptions): Promise<APIResponse<T>>;
     /**
      * POST request
      */
-    post<T = any>(url: string, data?: any, options?: RequestOptions): Promise<T>;
+    post<T = any>(url: string, data?: any, options?: RequestOptions): Promise<APIResponse<T>>;
     /**
      * PUT request
      */
-    put<T = any>(url: string, data?: any, options?: RequestOptions): Promise<T>;
+    put<T = any>(url: string, data?: any, options?: RequestOptions): Promise<APIResponse<T>>;
     /**
      * PATCH request
      */
-    patch<T = any>(url: string, data?: any, options?: RequestOptions): Promise<T>;
+    patch<T = any>(url: string, data?: any, options?: RequestOptions): Promise<APIResponse<T>>;
     /**
      * DELETE request
      */
-    delete<T = any>(url: string, options?: RequestOptions): Promise<T>;
+    delete<T = any>(url: string, options?: RequestOptions): Promise<APIResponse<T>>;
     /**
      * Generic request method
      */
-    request<T = any>(config: RequestConfig): Promise<T>;
+    request<T = any>(config: RequestConfig): Promise<APIResponse<T>>;
     /**
      * Execute single request
      */
@@ -62,10 +62,14 @@ export declare class APIClient {
      * Build request headers
      */
     private buildHeaders;
+    /**
+     * Check if a URL is safe for token injection (same origin as baseURL)
+     */
+    private isSafeURL;
     /**
      * Login
      */
-    login(credentials: any, options?: LoginOptions): Promise<void>;
+    login(credentials: any, options?: LoginOptions): Promise<APIResponse<TokenBundle>>;
     /**
      * Logout
      */

package/dist/client/client.js

@@ -115,15 +115,12 @@ export class APIClient {
         return __awaiter(this, void 0, void 0, function* () {
             const ctx = getContextStore();
             let attempt = 0;
-            let lastError;
             while (true) {
                 attempt++;
                 try {
-                    const response = yield this.executeRequest(config, ctx, attempt);
-                    return response.data;
+                    return yield this.executeRequest(config, ctx, attempt);
                 }
                 catch (error) {
-                    lastError = error;
                     // Check if we should retry
                     if (shouldRetry(error.status, attempt, this.config.retry)) {
                         const delay = calculateDelay(attempt, this.config.retry);
@@ -149,7 +146,7 @@ export class APIClient {
             // Build full URL
             const fullURL = this.buildURL(config.url, config.params);
             // Build headers
-            const headers = this.buildHeaders(config, ctx);
+            const headers = this.buildHeaders(config, ctx, fullURL);
             // Build request init
             const init = {
                 method: config.method,
@@ -246,6 +243,7 @@ export class APIClient {
                 statusText: response.statusText,
                 headers: response.headers,
                 url,
+                ok: response.ok,
             };
         });
     }
@@ -267,19 +265,33 @@ export class APIClient {
     /**
      * Build request headers
      */
-    buildHeaders(config, ctx) {
+    buildHeaders(config, ctx, targetURL) {
         var _a, _b;
         const headers = Object.assign(Object.assign({ 'Content-Type': 'application/json' }, this.config.headers), config.headers);
-        // Add auth token if available
-        if (this.tokenManager && !config.skipAuth) {
+        // Add auth token if available (only for safe URLs)
+        if (this.tokenManager && !config.skipAuth && this.isSafeURL(targetURL)) {
             const session = this.tokenManager.getSession(ctx);
             if (session === null || session === void 0 ? void 0 : session.accessToken) {
-                const injectFn = (_b = (_a = this.config.auth) === null || _a === void 0 ? void 0 : _a.injectToken) !== null && _b !== void 0 ? _b : ((token) => `Bearer ${token}`);
-                headers['Authorization'] = injectFn(session.accessToken);
+                const injectFn = (_b = (_a = this.config.auth) === null || _a === void 0 ? void 0 : _a.injectToken) !== null && _b !== void 0 ? _b : ((token, type) => `${type !== null && type !== void 0 ? type : 'Bearer'} ${token}`);
+                headers['Authorization'] = injectFn(session.accessToken, session.tokenType);
             }
         }
         return headers;
     }
+    /**
+     * Check if a URL is safe for token injection (same origin as baseURL)
+     */
+    isSafeURL(url) {
+        try {
+            const requestUrl = new URL(url, this.config.baseURL);
+            const baseUrl = new URL(this.config.baseURL || 'http://localhost');
+            return requestUrl.origin === baseUrl.origin;
+        }
+        catch (_a) {
+            // Only allow relative paths if baseURL is missing or invalid
+            return !url.startsWith('http') && !url.startsWith('//');
+        }
+    }
     /**
      * Login
      */
@@ -289,7 +301,7 @@ export class APIClient {
                 throw new Error('Auth is not configured for this client');
             }
             const context = getContextStore();
-            yield this.tokenManager.login(context, credentials, options);
+            return this.tokenManager.login(context, credentials, options);
         });
     }
     /**

package/dist/config.js

@@ -1,43 +1,63 @@
 // packages/astro-tokenkit/src/config.ts
 import { TokenManager } from "./auth/manager";
-let config = {
-    runWithContext: undefined,
-    getContextStore: undefined,
-    setContextStore: undefined,
-    baseURL: "",
-};
-let tokenManager;
+const CONFIG_KEY = Symbol.for('astro-tokenkit.config');
+const MANAGER_KEY = Symbol.for('astro-tokenkit.manager');
+const globalStorage = globalThis;
+// Initialize global storage if not present
+if (!globalStorage[CONFIG_KEY]) {
+    globalStorage[CONFIG_KEY] = {
+        runWithContext: undefined,
+        getContextStore: undefined,
+        setContextStore: undefined,
+        baseURL: "",
+    };
+}
 /**
  * Set configuration
  */
 export function setConfig(userConfig) {
-    const finalConfig = Object.assign(Object.assign({}, config), userConfig);
+    const currentConfig = globalStorage[CONFIG_KEY];
+    const finalConfig = Object.assign(Object.assign({}, currentConfig), userConfig);
     // Validate that getter and setter are defined together
     if ((finalConfig.getContextStore && !finalConfig.setContextStore) ||
         (!finalConfig.getContextStore && finalConfig.setContextStore)) {
         throw new Error("[TokenKit] getContextStore and setContextStore must be defined together.");
     }
-    config = finalConfig;
+    globalStorage[CONFIG_KEY] = finalConfig;
     // Re-initialize global token manager if auth changed
-    if (config.auth) {
-        tokenManager = new TokenManager(config.auth, config.baseURL);
+    if (finalConfig.auth) {
+        globalStorage[MANAGER_KEY] = new TokenManager(finalConfig.auth, finalConfig.baseURL);
+    }
+    else {
+        globalStorage[MANAGER_KEY] = undefined;
     }
 }
 /**
  * Get current configuration
  */
 export function getConfig() {
-    return config;
+    return globalStorage[CONFIG_KEY];
 }
 /**
  * Get global token manager
  */
 export function getTokenManager() {
-    return tokenManager;
+    return globalStorage[MANAGER_KEY];
 }
 /**
  * Set global token manager (mainly for testing)
  */
 export function setTokenManager(manager) {
-    tokenManager = manager;
+    globalStorage[MANAGER_KEY] = manager;
+}
+// Handle injected configuration from Astro integration
+try {
+    // @ts-ignore
+    const injectedConfig = typeof __TOKENKIT_CONFIG__ !== 'undefined' ? __TOKENKIT_CONFIG__ : undefined;
+    if (injectedConfig) {
+        setConfig(injectedConfig);
+    }
+}
+catch (e) {
+    // Ignore errors in environments where __TOKENKIT_CONFIG__ might be restricted
 }