authvital-sdk 0.1.1-dev.3.cefb119.0

package/dist/chunk-FXVD4Y5G.js

@@ -0,0 +1,412 @@
+"use strict";Object.defineProperty(exports, "__esModule", {value: true}); function _interopRequireWildcard(obj) { if (obj && obj.__esModule) { return obj; } else { var newObj = {}; if (obj != null) { for (var key in obj) { if (Object.prototype.hasOwnProperty.call(obj, key)) { newObj[key] = obj[key]; } } } newObj.default = obj; return newObj; } } function _nullishCoalesce(lhs, rhsFn) { if (lhs != null) { return lhs; } else { return rhsFn(); } } function _optionalChain(ops) { let lastAccessLHS = undefined; let value = ops[0]; let i = 1; while (i < ops.length) { const op = ops[i]; const fn = ops[i + 1]; i += 2; if ((op === 'optionalAccess' || op === 'optionalCall') && value == null) { return undefined; } if (op === 'access' || op === 'optionalAccess') { lastAccessLHS = value; value = fn(value); } else if (op === 'call' || op === 'optionalCall') { value = fn((...args) => value.call(lastAccessLHS, ...args)); lastAccessLHS = undefined; } } return value; }// src/webhooks/types.ts
+var SYNC_EVENT_TYPES = {
+  // Invitations
+  INVITE_CREATED: "invite.created",
+  INVITE_ACCEPTED: "invite.accepted",
+  INVITE_DELETED: "invite.deleted",
+  INVITE_EXPIRED: "invite.expired",
+  // Subjects (users, service accounts, etc.)
+  SUBJECT_CREATED: "subject.created",
+  SUBJECT_UPDATED: "subject.updated",
+  SUBJECT_DELETED: "subject.deleted",
+  SUBJECT_DEACTIVATED: "subject.deactivated",
+  // Memberships
+  MEMBER_JOINED: "member.joined",
+  MEMBER_LEFT: "member.left",
+  MEMBER_ROLE_CHANGED: "member.role_changed",
+  MEMBER_SUSPENDED: "member.suspended",
+  MEMBER_ACTIVATED: "member.activated",
+  // App Access
+  APP_ACCESS_GRANTED: "app_access.granted",
+  APP_ACCESS_REVOKED: "app_access.revoked",
+  APP_ACCESS_ROLE_CHANGED: "app_access.role_changed",
+  // Licenses
+  LICENSE_ASSIGNED: "license.assigned",
+  LICENSE_REVOKED: "license.revoked",
+  LICENSE_CHANGED: "license.changed"
+};
+function isInviteEvent(event) {
+  return event.type.startsWith("invite.");
+}
+function isSubjectEvent(event) {
+  return event.type.startsWith("subject.");
+}
+function isMemberEvent(event) {
+  return event.type.startsWith("member.");
+}
+function isAppAccessEvent(event) {
+  return event.type.startsWith("app_access.");
+}
+function isLicenseEvent(event) {
+  return event.type.startsWith("license.");
+}
+
+// src/webhooks/event-interfaces.ts
+var InviteEventHandler = class {
+  onInviteCreated(_event) {
+  }
+  onInviteAccepted(_event) {
+  }
+  onInviteDeleted(_event) {
+  }
+  onInviteExpired(_event) {
+  }
+};
+var SubjectEventHandler = class {
+  onSubjectCreated(_event) {
+  }
+  onSubjectUpdated(_event) {
+  }
+  onSubjectDeleted(_event) {
+  }
+  onSubjectDeactivated(_event) {
+  }
+};
+var MemberEventHandler = class {
+  onMemberJoined(_event) {
+  }
+  onMemberLeft(_event) {
+  }
+  onMemberRoleChanged(_event) {
+  }
+  onMemberSuspended(_event) {
+  }
+  onMemberActivated(_event) {
+  }
+};
+var AppAccessEventHandler = class {
+  onAppAccessGranted(_event) {
+  }
+  onAppAccessRevoked(_event) {
+  }
+  /**
+   * @deprecated Use onAppAccessRevoked instead. This method exists for backwards compatibility.
+   */
+  onAppAccessDeactivated(event) {
+    return _optionalChain([this, 'access', _ => _.onAppAccessRevoked, 'optionalCall', _2 => _2(event)]);
+  }
+  onAppAccessRoleChanged(_event) {
+  }
+};
+var LicenseEventHandler = class {
+  onLicenseAssigned(_event) {
+  }
+  onLicenseRevoked(_event) {
+  }
+  onLicenseChanged(_event) {
+  }
+};
+var AuthVitalEventHandler = class {
+  // Invite events
+  onInviteCreated(_event) {
+  }
+  onInviteAccepted(_event) {
+  }
+  onInviteDeleted(_event) {
+  }
+  onInviteExpired(_event) {
+  }
+  // Subject events
+  onSubjectCreated(_event) {
+  }
+  onSubjectUpdated(_event) {
+  }
+  onSubjectDeleted(_event) {
+  }
+  onSubjectDeactivated(_event) {
+  }
+  // Member events
+  onMemberJoined(_event) {
+  }
+  onMemberLeft(_event) {
+  }
+  onMemberRoleChanged(_event) {
+  }
+  onMemberSuspended(_event) {
+  }
+  onMemberActivated(_event) {
+  }
+  // App access events
+  onAppAccessGranted(_event) {
+  }
+  onAppAccessRevoked(_event) {
+  }
+  /**
+   * @deprecated Use onAppAccessRevoked instead. This method exists for backwards compatibility.
+   */
+  onAppAccessDeactivated(event) {
+    return _optionalChain([this, 'access', _3 => _3.onAppAccessRevoked, 'optionalCall', _4 => _4(event)]);
+  }
+  onAppAccessRoleChanged(_event) {
+  }
+  // License events
+  onLicenseAssigned(_event) {
+  }
+  onLicenseRevoked(_event) {
+  }
+  onLicenseChanged(_event) {
+  }
+  // Catch-all
+  onUnhandledEvent(_event) {
+  }
+};
+
+// src/webhooks/webhook-handler.ts
+var _crypto = require('crypto'); var crypto = _interopRequireWildcard(_crypto);
+var AuthVitalWebhooks = class {
+  constructor(options) {
+    this.keysCache = /* @__PURE__ */ new Map();
+    this.keysCacheExpiry = 0;
+    this.jwksUrl = options.jwksUrl;
+    this.maxTimestampAge = _nullishCoalesce(options.maxTimestampAge, () => ( 300));
+    this.keysCacheTtl = _nullishCoalesce(options.keysCacheTtl, () => ( 36e5));
+  }
+  /**
+   * Verify and parse a webhook payload
+   *
+   * @param body - The raw request body (string or object)
+   * @param headers - The request headers (can pass full headers object)
+   * @returns The parsed and verified event
+   * @throws Error if verification fails
+   */
+  async verifyAndParse(body, headers) {
+    const normalizedHeaders = this.normalizeHeaders(headers);
+    const signature = normalizedHeaders["x-authvital-signature"];
+    const keyId = normalizedHeaders["x-authvital-key-id"];
+    const timestamp = normalizedHeaders["x-authvital-timestamp"];
+    if (!signature) {
+      throw new Error("Missing X-AuthVital-Signature header");
+    }
+    if (!keyId) {
+      throw new Error("Missing X-AuthVital-Key-Id header");
+    }
+    if (!timestamp) {
+      throw new Error("Missing X-AuthVital-Timestamp header");
+    }
+    const timestampNum = parseInt(timestamp, 10);
+    if (isNaN(timestampNum)) {
+      throw new Error("Invalid timestamp format");
+    }
+    const now = Math.floor(Date.now() / 1e3);
+    const age = now - timestampNum;
+    if (age > this.maxTimestampAge) {
+      throw new Error(`Timestamp too old: ${age}s (max ${this.maxTimestampAge}s)`);
+    }
+    if (age < -60) {
+      throw new Error("Timestamp is in the future");
+    }
+    const bodyString = typeof body === "string" ? body : JSON.stringify(body);
+    const signedPayload = `${timestamp}.${bodyString}`;
+    const publicKey = await this.getPublicKey(keyId);
+    const isValid = crypto.verify(
+      "RSA-SHA256",
+      Buffer.from(signedPayload),
+      publicKey,
+      Buffer.from(signature, "base64")
+    );
+    if (!isValid) {
+      throw new Error("Invalid signature");
+    }
+    const event = typeof body === "string" ? JSON.parse(body) : body;
+    return event;
+  }
+  /**
+   * Verify signature only (without parsing)
+   * Useful if you want to handle parsing yourself
+   */
+  async verify(body, signature, keyId, timestamp) {
+    try {
+      const timestampNum = parseInt(timestamp, 10);
+      const now = Math.floor(Date.now() / 1e3);
+      const age = now - timestampNum;
+      if (age > this.maxTimestampAge || age < -60) {
+        return false;
+      }
+      const bodyString = typeof body === "string" ? body : JSON.stringify(body);
+      const signedPayload = `${timestamp}.${bodyString}`;
+      const publicKey = await this.getPublicKey(keyId);
+      return crypto.verify(
+        "RSA-SHA256",
+        Buffer.from(signedPayload),
+        publicKey,
+        Buffer.from(signature, "base64")
+      );
+    } catch (e2) {
+      return false;
+    }
+  }
+  /**
+   * Get a public key from the JWKS endpoint
+   */
+  async getPublicKey(kid) {
+    const now = Date.now();
+    if (this.keysCache.has(kid) && now < this.keysCacheExpiry) {
+      return this.keysCache.get(kid);
+    }
+    const response = await fetch(this.jwksUrl);
+    if (!response.ok) {
+      throw new Error(`Failed to fetch JWKS: ${response.status}`);
+    }
+    const jwks = await response.json();
+    this.keysCache.clear();
+    this.keysCacheExpiry = now + this.keysCacheTtl;
+    for (const key of jwks.keys) {
+      if (key.kty === "RSA" && key.n && key.e) {
+        const publicKey2 = crypto.createPublicKey({
+          key: {
+            kty: key.kty,
+            n: key.n,
+            e: key.e
+          },
+          format: "jwk"
+        });
+        this.keysCache.set(key.kid, publicKey2);
+      }
+    }
+    const publicKey = this.keysCache.get(kid);
+    if (!publicKey) {
+      throw new Error(`Key not found: ${kid}`);
+    }
+    return publicKey;
+  }
+  /**
+   * Normalize headers to lowercase keys and string values
+   */
+  normalizeHeaders(headers) {
+    const normalized = {};
+    for (const [key, value] of Object.entries(headers)) {
+      const normalizedKey = key.toLowerCase();
+      normalized[normalizedKey] = Array.isArray(value) ? value[0] : value;
+    }
+    return normalized;
+  }
+  /**
+   * Clear the key cache (useful for testing or key rotation)
+   */
+  clearCache() {
+    this.keysCache.clear();
+    this.keysCacheExpiry = 0;
+  }
+};
+
+// src/webhooks/webhook-router.ts
+var WebhookRouter = class {
+  constructor(options) {
+    const authVitalHost = options.authVitalHost || process.env.AV_HOST;
+    if (!authVitalHost) {
+      throw new Error(
+        "AuthVital URL is required. Either pass authVitalHost in options or set AV_HOST environment variable."
+      );
+    }
+    const jwksUrl = `${authVitalHost.replace(/\/$/, "")}/.well-known/jwks.json`;
+    this.verifier = new AuthVitalWebhooks({
+      jwksUrl,
+      maxTimestampAge: options.maxTimestampAge,
+      keysCacheTtl: options.keysCacheTtl
+    });
+    this.handler = options.handler;
+  }
+  /**
+   * Handle a webhook request
+   */
+  async handle(body, headers) {
+    try {
+      const event = await this.verifier.verifyAndParse(body, headers);
+      await this.dispatch(event);
+      return {
+        status: 200,
+        body: { success: true, message: `Processed ${event.type}` }
+      };
+    } catch (error) {
+      return {
+        status: 400,
+        body: { success: false, error: error.message || "Webhook processing failed" }
+      };
+    }
+  }
+  /**
+   * Dispatch event to the appropriate handler method
+   */
+  async dispatch(event) {
+    const h = this.handler;
+    switch (event.type) {
+      // Invite events
+      case "invite.created":
+        return _optionalChain([h, 'access', _5 => _5.onInviteCreated, 'optionalCall', _6 => _6(event)]);
+      case "invite.accepted":
+        return _optionalChain([h, 'access', _7 => _7.onInviteAccepted, 'optionalCall', _8 => _8(event)]);
+      case "invite.deleted":
+        return _optionalChain([h, 'access', _9 => _9.onInviteDeleted, 'optionalCall', _10 => _10(event)]);
+      case "invite.expired":
+        return _optionalChain([h, 'access', _11 => _11.onInviteExpired, 'optionalCall', _12 => _12(event)]);
+      // Subject events (users, service accounts, machines)
+      case "subject.created":
+        return _optionalChain([h, 'access', _13 => _13.onSubjectCreated, 'optionalCall', _14 => _14(event)]);
+      case "subject.updated":
+        return _optionalChain([h, 'access', _15 => _15.onSubjectUpdated, 'optionalCall', _16 => _16(event)]);
+      case "subject.deleted":
+        return _optionalChain([h, 'access', _17 => _17.onSubjectDeleted, 'optionalCall', _18 => _18(event)]);
+      case "subject.deactivated":
+        return _optionalChain([h, 'access', _19 => _19.onSubjectDeactivated, 'optionalCall', _20 => _20(event)]);
+      // Member events
+      case "member.joined":
+        return _optionalChain([h, 'access', _21 => _21.onMemberJoined, 'optionalCall', _22 => _22(event)]);
+      case "member.left":
+        return _optionalChain([h, 'access', _23 => _23.onMemberLeft, 'optionalCall', _24 => _24(event)]);
+      case "member.role_changed":
+        return _optionalChain([h, 'access', _25 => _25.onMemberRoleChanged, 'optionalCall', _26 => _26(event)]);
+      case "member.suspended":
+        return _optionalChain([h, 'access', _27 => _27.onMemberSuspended, 'optionalCall', _28 => _28(event)]);
+      case "member.activated":
+        return _optionalChain([h, 'access', _29 => _29.onMemberActivated, 'optionalCall', _30 => _30(event)]);
+      // App access events
+      case "app_access.granted":
+        return _optionalChain([h, 'access', _31 => _31.onAppAccessGranted, 'optionalCall', _32 => _32(event)]);
+      case "app_access.revoked":
+        return _optionalChain([h, 'access', _33 => _33.onAppAccessRevoked, 'optionalCall', _34 => _34(event)]);
+      case "app_access.role_changed":
+        return _optionalChain([h, 'access', _35 => _35.onAppAccessRoleChanged, 'optionalCall', _36 => _36(event)]);
+      // License events
+      case "license.assigned":
+        return _optionalChain([h, 'access', _37 => _37.onLicenseAssigned, 'optionalCall', _38 => _38(event)]);
+      case "license.revoked":
+        return _optionalChain([h, 'access', _39 => _39.onLicenseRevoked, 'optionalCall', _40 => _40(event)]);
+      case "license.changed":
+        return _optionalChain([h, 'access', _41 => _41.onLicenseChanged, 'optionalCall', _42 => _42(event)]);
+      default:
+        return _optionalChain([h, 'access', _43 => _43.onUnhandledEvent, 'optionalCall', _44 => _44(event)]);
+    }
+  }
+  /**
+   * Express middleware handler
+   */
+  expressHandler() {
+    return async (req, res) => {
+      const result = await this.handle(req.body, req.headers);
+      res.status(result.status).json(result.body);
+    };
+  }
+  /**
+   * Get the underlying verifier
+   */
+  getVerifier() {
+    return this.verifier;
+  }
+};
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+exports.SYNC_EVENT_TYPES = SYNC_EVENT_TYPES; exports.isInviteEvent = isInviteEvent; exports.isSubjectEvent = isSubjectEvent; exports.isMemberEvent = isMemberEvent; exports.isAppAccessEvent = isAppAccessEvent; exports.isLicenseEvent = isLicenseEvent; exports.InviteEventHandler = InviteEventHandler; exports.SubjectEventHandler = SubjectEventHandler; exports.MemberEventHandler = MemberEventHandler; exports.AppAccessEventHandler = AppAccessEventHandler; exports.LicenseEventHandler = LicenseEventHandler; exports.AuthVitalEventHandler = AuthVitalEventHandler; exports.AuthVitalWebhooks = AuthVitalWebhooks; exports.WebhookRouter = WebhookRouter;

package/dist/chunk-JNEJMHGA.mjs

@@ -0,0 +1,235 @@
+// src/client/oauth.ts
+function encodeState(csrf, codeVerifier) {
+  const encodedVerifier = btoa(codeVerifier).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
+  return `${csrf}:${encodedVerifier}`;
+}
+function decodeState(state) {
+  const colonIndex = state.indexOf(":");
+  if (colonIndex === -1) return null;
+  const csrf = state.substring(0, colonIndex);
+  const encodedVerifier = state.substring(colonIndex + 1);
+  try {
+    const padded = encodedVerifier + "===".slice(0, (4 - encodedVerifier.length % 4) % 4);
+    const codeVerifier = atob(padded.replace(/-/g, "+").replace(/_/g, "/"));
+    return { csrf, codeVerifier };
+  } catch {
+    return null;
+  }
+}
+function loginToAuthVital(authVitalHost, options) {
+  const screen = options?.screen || "login";
+  const page = screen === "signup" ? "/auth/signup" : "/auth/login";
+  const url = new URL(`${authVitalHost}${page}`);
+  if (options?.clientId) {
+    url.searchParams.set("client_id", options.clientId);
+  }
+  window.location.href = url.toString();
+}
+function signupAtAuthVital(authVitalHost, options) {
+  loginToAuthVital(authVitalHost, { ...options, screen: "signup" });
+}
+function generateCodeVerifier() {
+  const array = new Uint8Array(32);
+  crypto.getRandomValues(array);
+  return base64UrlEncode(array);
+}
+async function generateCodeChallenge(verifier) {
+  const encoder = new TextEncoder();
+  const data = encoder.encode(verifier);
+  const digest = await crypto.subtle.digest("SHA-256", data);
+  return base64UrlEncode(new Uint8Array(digest));
+}
+function base64UrlEncode(buffer) {
+  let binary = "";
+  for (let i = 0; i < buffer.length; i++) {
+    binary += String.fromCharCode(buffer[i]);
+  }
+  return btoa(binary).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
+}
+var LOGIN_ATTEMPT_KEY = "authvital_login_attempt";
+var LOGIN_COOLDOWN_MS = 5e3;
+function canAttemptLogin() {
+  const lastAttempt = sessionStorage.getItem(LOGIN_ATTEMPT_KEY);
+  if (!lastAttempt) return true;
+  return Date.now() - parseInt(lastAttempt, 10) > LOGIN_COOLDOWN_MS;
+}
+function recordLoginAttempt() {
+  sessionStorage.setItem(LOGIN_ATTEMPT_KEY, Date.now().toString());
+}
+function clearLoginAttempt() {
+  sessionStorage.removeItem(LOGIN_ATTEMPT_KEY);
+}
+async function startAuthorizationFlow(config, params = {}) {
+  if (!canAttemptLogin()) {
+    throw new Error("Too many login attempts. Please wait a moment and try again.");
+  }
+  recordLoginAttempt();
+  const codeVerifier = generateCodeVerifier();
+  const codeChallenge = await generateCodeChallenge(codeVerifier);
+  const csrf = params.state || generateCodeVerifier().substring(0, 16);
+  const state = encodeState(csrf, codeVerifier);
+  const authorizeUrl = new URL(`${config.authVitalHost}/oauth/authorize`);
+  authorizeUrl.searchParams.set("client_id", config.clientId);
+  authorizeUrl.searchParams.set("redirect_uri", config.redirectUri);
+  authorizeUrl.searchParams.set("response_type", "code");
+  authorizeUrl.searchParams.set("scope", config.scope || "openid profile email");
+  authorizeUrl.searchParams.set("state", state);
+  authorizeUrl.searchParams.set("code_challenge", codeChallenge);
+  authorizeUrl.searchParams.set("code_challenge_method", "S256");
+  if (params.nonce) {
+    authorizeUrl.searchParams.set("nonce", params.nonce);
+  }
+  if (params.screen === "signup") {
+    authorizeUrl.searchParams.set("screen", "signup");
+  }
+  window.location.href = authorizeUrl.toString();
+}
+async function startLogin(options) {
+  await startAuthorizationFlow(
+    {
+      authVitalHost: options.authVitalHost,
+      clientId: options.clientId,
+      redirectUri: options.redirectUri,
+      scope: options.scope
+    },
+    { state: options.state }
+  );
+}
+async function startSignup(options) {
+  await startAuthorizationFlow(
+    {
+      authVitalHost: options.authVitalHost,
+      clientId: options.clientId,
+      redirectUri: options.redirectUri,
+      scope: options.scope
+    },
+    { state: options.state, screen: "signup" }
+  );
+}
+var callbackInProgress = null;
+async function handleCallback(config) {
+  if (callbackInProgress) {
+    await callbackInProgress;
+    return;
+  }
+  const params = new URLSearchParams(window.location.search);
+  const code = params.get("code");
+  const state = params.get("state");
+  const error = params.get("error");
+  const errorDescription = params.get("error_description");
+  if (error) {
+    throw new Error(errorDescription || error);
+  }
+  if (!code) {
+    throw new Error("No authorization code received");
+  }
+  if (!state) {
+    throw new Error("No state parameter received");
+  }
+  const decoded = decodeState(state);
+  if (!decoded) {
+    throw new Error("Invalid state format - could not extract PKCE verifier");
+  }
+  callbackInProgress = exchangeCodeForTokens(config, code, decoded.codeVerifier);
+  try {
+    await callbackInProgress;
+    window.history.replaceState({}, "", window.location.pathname);
+    clearLoginAttempt();
+  } finally {
+    callbackInProgress = null;
+  }
+}
+function extractCallbackParams() {
+  const params = new URLSearchParams(window.location.search);
+  const code = params.get("code");
+  const state = params.get("state");
+  const error = params.get("error");
+  const errorDescription = params.get("error_description");
+  if (error) {
+    return { code: null, codeVerifier: null, csrf: null, error, errorDescription };
+  }
+  if (!state) {
+    return { code, codeVerifier: null, csrf: null, error: "missing_state", errorDescription: "No state parameter" };
+  }
+  const decoded = decodeState(state);
+  if (!decoded) {
+    return { code, codeVerifier: null, csrf: null, error: "invalid_state", errorDescription: "Could not decode state" };
+  }
+  return { code, codeVerifier: decoded.codeVerifier, csrf: decoded.csrf, error: null, errorDescription: null };
+}
+async function exchangeCodeForTokens(config, code, codeVerifier) {
+  const response = await fetch(`${config.authVitalHost}/oauth/token`, {
+    method: "POST",
+    headers: { "Content-Type": "application/json" },
+    credentials: "include",
+    // Important: receive and send cookies
+    body: JSON.stringify({
+      grant_type: "authorization_code",
+      code,
+      redirect_uri: config.redirectUri,
+      client_id: config.clientId,
+      code_verifier: codeVerifier
+    })
+  });
+  if (!response.ok) {
+    const error = await response.json().catch(() => ({}));
+    throw new Error(error.message || "Token exchange failed");
+  }
+  return response.json();
+}
+async function checkAuthStatus(authVitalHost) {
+  try {
+    const response = await fetch(`${authVitalHost}/api/auth/me`, {
+      method: "GET",
+      credentials: "include"
+      // Send cookies
+    });
+    if (!response.ok) {
+      return { authenticated: false };
+    }
+    const data = await response.json();
+    return {
+      authenticated: data.authenticated ?? false,
+      user: data.user
+    };
+  } catch {
+    return { authenticated: false };
+  }
+}
+async function logout(authVitalHost, options) {
+  sessionStorage.removeItem(LOGIN_ATTEMPT_KEY);
+  const logoutUrl = new URL(`${authVitalHost}/api/auth/logout/redirect`);
+  if (options?.postLogoutRedirectUri) {
+    logoutUrl.searchParams.set("post_logout_redirect_uri", options.postLogoutRedirectUri);
+  }
+  window.location.href = logoutUrl.toString();
+}
+function decodeJwt(token) {
+  try {
+    const parts = token.split(".");
+    if (parts.length !== 3) return null;
+    const payload = parts[1];
+    const decoded = atob(payload.replace(/-/g, "+").replace(/_/g, "/"));
+    return JSON.parse(decoded);
+  } catch {
+    return null;
+  }
+}
+
+export {
+  encodeState,
+  decodeState,
+  loginToAuthVital,
+  signupAtAuthVital,
+  generateCodeVerifier,
+  generateCodeChallenge,
+  startAuthorizationFlow,
+  startLogin,
+  startSignup,
+  handleCallback,
+  extractCallbackParams,
+  exchangeCodeForTokens,
+  checkAuthStatus,
+  logout,
+  decodeJwt
+};