binoauth 0.0.11 → 0.0.13

package/dist/core/src/auth/flows/magic-link.d.ts

@@ -0,0 +1,175 @@
+/**
+ * Magic link authentication flow
+ *
+ * Handles passwordless authentication via email magic links using actual tenant-sdk APIs.
+ */
+import type { MagicLinkRequest, AuthResult, BinoAuthConfig } from "../types";
+import { BaseAuthFlow } from "./base-flow";
+/**
+ * Magic link authentication flow
+ *
+ * Provides passwordless authentication by sending magic links to users' email addresses
+ * using the actual tenant-sdk AuthenticationApi methods.
+ *
+ * @example
+ * ```typescript
+ * const magicLinkFlow = new MagicLinkFlow(config);
+ *
+ * // Send magic link to user's email
+ * await magicLinkFlow.sendMagicLink({
+ *   email: 'user@example.com',
+ *   returnTo: 'https://myapp.com/dashboard'
+ * });
+ *
+ * // User clicks link in email, which redirects to your app with a token
+ * // Extract token from URL and verify it
+ * const urlParams = new URLSearchParams(window.location.search);
+ * const token = urlParams.get('token');
+ *
+ * if (token) {
+ *   const result = await magicLinkFlow.verifyMagicLink(token);
+ *   if (result.success) {
+ *     console.log('Authentication successful:', result.user);
+ *   }
+ * }
+ * ```
+ */
+export declare class MagicLinkFlow extends BaseAuthFlow {
+    constructor(config: BinoAuthConfig);
+    /**
+     * Sends a magic link to the user's email address using tenant-sdk AuthenticationApi.requestMagicLinkApiV1AuthMlPost
+     *
+     * @param request - Magic link request with email and optional return URL
+     * @returns Promise resolving when magic link is sent
+     *
+     * @example
+     * ```typescript
+     * // Basic magic link
+     * await magicLinkFlow.sendMagicLink({
+     *   email: 'user@example.com',
+     *   returnTo: 'https://myapp.com/dashboard'
+     * });
+     *
+     * console.log('Magic link sent! Check your email.');
+     * ```
+     *
+     * @throws {AuthError} When sending magic link fails
+     */
+    sendMagicLink(request: MagicLinkRequest): Promise<void>;
+    /**
+     * Sends a magic link to an email address (convenience method)
+     *
+     * @param email - User's email address
+     * @param returnTo - Optional URL to redirect to after authentication
+     * @returns Promise resolving when magic link is sent
+     *
+     * @example
+     * ```typescript
+     * await magicLinkFlow.sendMagicLinkToEmail(
+     *   'user@example.com',
+     *   'https://myapp.com/dashboard'
+     * );
+     * ```
+     */
+    sendMagicLinkToEmail(email: string, returnTo: string): Promise<void>;
+    /**
+     * Verifies a magic link token and authenticates the user using tenant-sdk AuthenticationApi.verifyMagicLinkApiV1AuthMlVerifyPost
+     *
+     * @param token - Magic link token (usually from URL parameter)
+     * @returns Promise resolving to authentication result
+     *
+     * @example
+     * ```typescript
+     * // Extract token from URL
+     * const urlParams = new URLSearchParams(window.location.search);
+     * const token = urlParams.get('token');
+     *
+     * if (token) {
+     *   try {
+     *     const result = await magicLinkFlow.verifyMagicLink(token);
+     *     if (result.success) {
+     *       console.log('Welcome,', result.user.name);
+     *       localStorage.setItem('accessToken', result.accessToken);
+     *
+     *       // Redirect to dashboard or intended page
+     *       window.location.href = '/dashboard';
+     *     }
+     *   } catch (error) {
+     *     if (error.code === AuthErrorCode.EXPIRED_TOKEN) {
+     *       console.log('Magic link has expired. Please request a new one.');
+     *     } else if (error.code === AuthErrorCode.INVALID_TOKEN) {
+     *       console.log('Invalid magic link. Please try again.');
+     *     }
+     *   }
+     * }
+     * ```
+     *
+     * @throws {AuthError} When token verification fails
+     */
+    verifyMagicLink(token: string): Promise<AuthResult>;
+    /**
+     * Checks if a magic link token is valid without completing authentication
+     *
+     * @param token - Magic link token to validate
+     * @returns Promise resolving to true if token is valid, false otherwise
+     *
+     * @example
+     * ```typescript
+     * const token = urlParams.get('token');
+     *
+     * if (await magicLinkFlow.validateMagicLinkToken(token)) {
+     *   console.log('Token is valid, proceeding with authentication...');
+     *   const result = await magicLinkFlow.verifyMagicLink(token);
+     * } else {
+     *   console.log('Invalid or expired token');
+     * }
+     * ```
+     */
+    validateMagicLinkToken(token: string): Promise<boolean>;
+    /**
+     * Resends a magic link to the same email address
+     *
+     * @param email - Email address to resend magic link to
+     * @param returnTo - Optional return URL
+     * @returns Promise resolving when magic link is resent
+     *
+     * @example
+     * ```typescript
+     * // User clicks "Resend magic link" button
+     * await magicLinkFlow.resendMagicLink('user@example.com', 'https://myapp.com/dashboard');
+     * console.log('Magic link resent! Check your email again.');
+     * ```
+     *
+     * @throws {AuthError} When resending fails
+     */
+    resendMagicLink(email: string, returnTo: string): Promise<void>;
+    /**
+     * Sends a magic link for a specific purpose (password reset, email verification, etc.)
+     *
+     * This method uses the same tenant-sdk endpoint but is semantically different
+     * for different use cases.
+     *
+     * @param email - User's email address
+     * @param returnTo - URL to redirect to after authentication
+     * @returns Promise resolving when magic link is sent
+     *
+     * @example
+     * ```typescript
+     * // For password reset
+     * await magicLinkFlow.sendMagicLinkForPurpose(
+     *   'user@example.com',
+     *   'https://myapp.com/password-reset-complete'
+     * );
+     *
+     * // For email verification
+     * await magicLinkFlow.sendMagicLinkForPurpose(
+     *   'user@example.com',
+     *   'https://myapp.com/email-verified'
+     * );
+     * ```
+     *
+     * @throws {AuthError} When link sending fails
+     */
+    sendMagicLinkForPurpose(email: string, returnTo: string): Promise<void>;
+}
+//# sourceMappingURL=magic-link.d.ts.map

package/dist/core/src/auth/flows/magic-link.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"magic-link.d.ts","sourceRoot":"","sources":["../../../../../src/auth/flows/magic-link.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,KAAK,EAAE,gBAAgB,EAAE,UAAU,EAAE,cAAc,EAAE,MAAM,UAAU,CAAC;AAE7E,OAAO,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC;AAE3C;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA4BG;AACH,qBAAa,aAAc,SAAQ,YAAY;gBAEjC,MAAM,EAAE,cAAc;IAIlC;;;;;;;;;;;;;;;;;;OAkBG;IACG,aAAa,CAAC,OAAO,EAAE,gBAAgB,GAAG,OAAO,CAAC,IAAI,CAAC;IAc7D;;;;;;;;;;;;;;OAcG;IACG,oBAAoB,CAAC,KAAK,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAI1E;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;OAiCG;IACG,eAAe,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,UAAU,CAAC;IAoBzD;;;;;;;;;;;;;;;;;OAiBG;IACG,sBAAsB,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC;IAc7D;;;;;;;;;;;;;;;OAeG;IACG,eAAe,CAAC,KAAK,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAIrE;;;;;;;;;;;;;;;;;;;;;;;;;;OA0BG;IACG,uBAAuB,CAAC,KAAK,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;CAa9E"}

package/dist/core/src/auth/flows/magic-link.js

@@ -0,0 +1,228 @@
+/**
+ * Magic link authentication flow
+ *
+ * Handles passwordless authentication via email magic links using actual tenant-sdk APIs.
+ */
+import { AuthError, AuthErrorCode } from "../error";
+import { BaseAuthFlow } from "./base-flow";
+/**
+ * Magic link authentication flow
+ *
+ * Provides passwordless authentication by sending magic links to users' email addresses
+ * using the actual tenant-sdk AuthenticationApi methods.
+ *
+ * @example
+ * ```typescript
+ * const magicLinkFlow = new MagicLinkFlow(config);
+ *
+ * // Send magic link to user's email
+ * await magicLinkFlow.sendMagicLink({
+ *   email: 'user@example.com',
+ *   returnTo: 'https://myapp.com/dashboard'
+ * });
+ *
+ * // User clicks link in email, which redirects to your app with a token
+ * // Extract token from URL and verify it
+ * const urlParams = new URLSearchParams(window.location.search);
+ * const token = urlParams.get('token');
+ *
+ * if (token) {
+ *   const result = await magicLinkFlow.verifyMagicLink(token);
+ *   if (result.success) {
+ *     console.log('Authentication successful:', result.user);
+ *   }
+ * }
+ * ```
+ */
+export class MagicLinkFlow extends BaseAuthFlow {
+    constructor(config) {
+        super(config);
+    }
+    /**
+     * Sends a magic link to the user's email address using tenant-sdk AuthenticationApi.requestMagicLinkApiV1AuthMlPost
+     *
+     * @param request - Magic link request with email and optional return URL
+     * @returns Promise resolving when magic link is sent
+     *
+     * @example
+     * ```typescript
+     * // Basic magic link
+     * await magicLinkFlow.sendMagicLink({
+     *   email: 'user@example.com',
+     *   returnTo: 'https://myapp.com/dashboard'
+     * });
+     *
+     * console.log('Magic link sent! Check your email.');
+     * ```
+     *
+     * @throws {AuthError} When sending magic link fails
+     */
+    async sendMagicLink(request) {
+        this.validateEmail(request.email);
+        await this.safeApiCall(async () => {
+            // Use the actual tenant-sdk AuthenticationApi.requestMagicLinkApiV1AuthMlPost method
+            await this.authApi.requestMagicLinkApiV1AuthMlPost({
+                magicLinkRequest: {
+                    email: request.email,
+                    returnTo: request.returnTo,
+                },
+            });
+        }, AuthErrorCode.ACCOUNT_NOT_FOUND);
+    }
+    /**
+     * Sends a magic link to an email address (convenience method)
+     *
+     * @param email - User's email address
+     * @param returnTo - Optional URL to redirect to after authentication
+     * @returns Promise resolving when magic link is sent
+     *
+     * @example
+     * ```typescript
+     * await magicLinkFlow.sendMagicLinkToEmail(
+     *   'user@example.com',
+     *   'https://myapp.com/dashboard'
+     * );
+     * ```
+     */
+    async sendMagicLinkToEmail(email, returnTo) {
+        return this.sendMagicLink({ email, returnTo });
+    }
+    /**
+     * Verifies a magic link token and authenticates the user using tenant-sdk AuthenticationApi.verifyMagicLinkApiV1AuthMlVerifyPost
+     *
+     * @param token - Magic link token (usually from URL parameter)
+     * @returns Promise resolving to authentication result
+     *
+     * @example
+     * ```typescript
+     * // Extract token from URL
+     * const urlParams = new URLSearchParams(window.location.search);
+     * const token = urlParams.get('token');
+     *
+     * if (token) {
+     *   try {
+     *     const result = await magicLinkFlow.verifyMagicLink(token);
+     *     if (result.success) {
+     *       console.log('Welcome,', result.user.name);
+     *       localStorage.setItem('accessToken', result.accessToken);
+     *
+     *       // Redirect to dashboard or intended page
+     *       window.location.href = '/dashboard';
+     *     }
+     *   } catch (error) {
+     *     if (error.code === AuthErrorCode.EXPIRED_TOKEN) {
+     *       console.log('Magic link has expired. Please request a new one.');
+     *     } else if (error.code === AuthErrorCode.INVALID_TOKEN) {
+     *       console.log('Invalid magic link. Please try again.');
+     *     }
+     *   }
+     * }
+     * ```
+     *
+     * @throws {AuthError} When token verification fails
+     */
+    async verifyMagicLink(token) {
+        if (!token) {
+            throw new AuthError(AuthErrorCode.MISSING_REQUIRED_FIELD, 'Magic link token is required');
+        }
+        return this.safeApiCall(async () => {
+            // Use the actual tenant-sdk AuthenticationApi.verifyMagicLinkApiV1AuthMlVerifyPost method
+            const response = await this.authApi.verifyMagicLinkApiV1AuthMlVerifyPost({
+                verifyMagicLinkTokenRequest: {
+                    token,
+                },
+            });
+            return this.processAuthResponse(response);
+        }, AuthErrorCode.INVALID_TOKEN);
+    }
+    /**
+     * Checks if a magic link token is valid without completing authentication
+     *
+     * @param token - Magic link token to validate
+     * @returns Promise resolving to true if token is valid, false otherwise
+     *
+     * @example
+     * ```typescript
+     * const token = urlParams.get('token');
+     *
+     * if (await magicLinkFlow.validateMagicLinkToken(token)) {
+     *   console.log('Token is valid, proceeding with authentication...');
+     *   const result = await magicLinkFlow.verifyMagicLink(token);
+     * } else {
+     *   console.log('Invalid or expired token');
+     * }
+     * ```
+     */
+    async validateMagicLinkToken(token) {
+        if (!token) {
+            return false;
+        }
+        try {
+            // Try to verify the magic link to check if it's valid
+            await this.verifyMagicLink(token);
+            return true;
+        }
+        catch (error) {
+            return false;
+        }
+    }
+    /**
+     * Resends a magic link to the same email address
+     *
+     * @param email - Email address to resend magic link to
+     * @param returnTo - Optional return URL
+     * @returns Promise resolving when magic link is resent
+     *
+     * @example
+     * ```typescript
+     * // User clicks "Resend magic link" button
+     * await magicLinkFlow.resendMagicLink('user@example.com', 'https://myapp.com/dashboard');
+     * console.log('Magic link resent! Check your email again.');
+     * ```
+     *
+     * @throws {AuthError} When resending fails
+     */
+    async resendMagicLink(email, returnTo) {
+        return this.sendMagicLink({ email, returnTo });
+    }
+    /**
+     * Sends a magic link for a specific purpose (password reset, email verification, etc.)
+     *
+     * This method uses the same tenant-sdk endpoint but is semantically different
+     * for different use cases.
+     *
+     * @param email - User's email address
+     * @param returnTo - URL to redirect to after authentication
+     * @returns Promise resolving when magic link is sent
+     *
+     * @example
+     * ```typescript
+     * // For password reset
+     * await magicLinkFlow.sendMagicLinkForPurpose(
+     *   'user@example.com',
+     *   'https://myapp.com/password-reset-complete'
+     * );
+     *
+     * // For email verification
+     * await magicLinkFlow.sendMagicLinkForPurpose(
+     *   'user@example.com',
+     *   'https://myapp.com/email-verified'
+     * );
+     * ```
+     *
+     * @throws {AuthError} When link sending fails
+     */
+    async sendMagicLinkForPurpose(email, returnTo) {
+        this.validateEmail(email);
+        return this.safeApiCall(async () => {
+            // Use the same tenant-sdk API method - the backend determines the purpose
+            await this.authApi.requestMagicLinkApiV1AuthMlPost({
+                magicLinkRequest: {
+                    email,
+                    returnTo,
+                },
+            });
+        }, AuthErrorCode.SERVER_ERROR);
+    }
+}
+//# sourceMappingURL=magic-link.js.map

package/dist/core/src/auth/flows/magic-link.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"magic-link.js","sourceRoot":"","sources":["../../../../../src/auth/flows/magic-link.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAGH,OAAO,EAAE,SAAS,EAAE,aAAa,EAAE,MAAM,UAAU,CAAC;AACpD,OAAO,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC;AAE3C;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA4BG;AACH,MAAM,OAAO,aAAc,SAAQ,YAAY;IAE7C,YAAY,MAAsB;QAChC,KAAK,CAAC,MAAM,CAAC,CAAC;IAChB,CAAC;IAED;;;;;;;;;;;;;;;;;;OAkBG;IACH,KAAK,CAAC,aAAa,CAAC,OAAyB;QAC3C,IAAI,CAAC,aAAa,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC;QAElC,MAAM,IAAI,CAAC,WAAW,CAAC,KAAK,IAAI,EAAE;YAChC,qFAAqF;YACrF,MAAM,IAAI,CAAC,OAAO,CAAC,+BAA+B,CAAC;gBACjD,gBAAgB,EAAE;oBAChB,KAAK,EAAE,OAAO,CAAC,KAAK;oBACpB,QAAQ,EAAE,OAAO,CAAC,QAAQ;iBAC3B;aACF,CAAC,CAAC;QACL,CAAC,EAAE,aAAa,CAAC,iBAAiB,CAAC,CAAC;IACtC,CAAC;IAED;;;;;;;;;;;;;;OAcG;IACH,KAAK,CAAC,oBAAoB,CAAC,KAAa,EAAE,QAAgB;QACxD,OAAO,IAAI,CAAC,aAAa,CAAC,EAAE,KAAK,EAAE,QAAQ,EAAE,CAAC,CAAC;IACjD,CAAC;IAED;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;OAiCG;IACH,KAAK,CAAC,eAAe,CAAC,KAAa;QACjC,IAAI,CAAC,KAAK,EAAE,CAAC;YACX,MAAM,IAAI,SAAS,CACjB,aAAa,CAAC,sBAAsB,EACpC,8BAA8B,CAC/B,CAAC;QACJ,CAAC;QAED,OAAO,IAAI,CAAC,WAAW,CAAC,KAAK,IAAI,EAAE;YACjC,0FAA0F;YAC1F,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,OAAO,CAAC,oCAAoC,CAAC;gBACvE,2BAA2B,EAAE;oBAC3B,KAAK;iBACN;aACF,CAAC,CAAC;YAEH,OAAO,IAAI,CAAC,mBAAmB,CAAC,QAAQ,CAAC,CAAC;QAC5C,CAAC,EAAE,aAAa,CAAC,aAAa,CAAC,CAAC;IAClC,CAAC;IAED;;;;;;;;;;;;;;;;;OAiBG;IACH,KAAK,CAAC,sBAAsB,CAAC,KAAa;QACxC,IAAI,CAAC,KAAK,EAAE,CAAC;YACX,OAAO,KAAK,CAAC;QACf,CAAC;QAED,IAAI,CAAC;YACH,sDAAsD;YACtD,MAAM,IAAI,CAAC,eAAe,CAAC,KAAK,CAAC,CAAC;YAClC,OAAO,IAAI,CAAC;QACd,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,OAAO,KAAK,CAAC;QACf,CAAC;IACH,CAAC;IAED;;;;;;;;;;;;;;;OAeG;IACH,KAAK,CAAC,eAAe,CAAC,KAAa,EAAE,QAAgB;QACnD,OAAO,IAAI,CAAC,aAAa,CAAC,EAAE,KAAK,EAAE,QAAQ,EAAE,CAAC,CAAC;IACjD,CAAC;IAED;;;;;;;;;;;;;;;;;;;;;;;;;;OA0BG;IACH,KAAK,CAAC,uBAAuB,CAAC,KAAa,EAAE,QAAgB;QAC3D,IAAI,CAAC,aAAa,CAAC,KAAK,CAAC,CAAC;QAE1B,OAAO,IAAI,CAAC,WAAW,CAAC,KAAK,IAAI,EAAE;YACjC,0EAA0E;YAC1E,MAAM,IAAI,CAAC,OAAO,CAAC,+BAA+B,CAAC;gBACjD,gBAAgB,EAAE;oBAChB,KAAK;oBACL,QAAQ;iBACT;aACF,CAAC,CAAC;QACL,CAAC,EAAE,aAAa,CAAC,YAAY,CAAC,CAAC;IACjC,CAAC;CACF"}

package/dist/core/src/auth/flows/mfa.d.ts

@@ -0,0 +1,81 @@
+/**
+ * Multi-Factor Authentication (MFA) flow
+ *
+ * Handles MFA verification using the actual tenant-sdk AuthenticationApi.verifyMfaApiV1AuthMfaVerifyPost method.
+ * Provides TOTP setup and management functionality.
+ */
+import type { AuthResult, BinoAuthConfig } from "../types";
+import { BaseAuthFlow } from "./base-flow";
+/**
+ * Multi-Factor Authentication flow
+ *
+ * Provides MFA verification using actual tenant-sdk APIs.
+ * Uses AuthenticationApi.verifyMfaApiV1AuthMfaVerifyPost for MFA verification.
+ *
+ * @example
+ * ```typescript
+ * const mfaFlow = new MFAFlow(config);
+ *
+ * // After initial login, if MFA is required
+ * try {
+ *   const loginResult = await passwordFlow.login(email, password);
+ * } catch (error) {
+ *   if (error.code === AuthErrorCode.MFA_REQUIRED) {
+ *     const sessionId = error.details.sessionId;
+ *
+ *     // User enters TOTP code from authenticator app
+ *     const mfaResult = await mfaFlow.verifyMFA('123456', sessionId);
+ *
+ *     if (mfaResult.success) {
+ *       console.log('MFA successful:', mfaResult.user);
+ *     }
+ *   }
+ * }
+ * ```
+ */
+export declare class MFAFlow extends BaseAuthFlow {
+    constructor(config: BinoAuthConfig);
+    /**
+     * Verifies MFA using tenant-sdk AuthenticationApi.verifyMfaApiV1AuthMfaVerifyPost
+     *
+     * @param code - MFA verification code (typically from TOTP app)
+     * @param sessionId - Session identifier from initial login attempt
+     * @returns Promise resolving to authentication result
+     *
+     * @example
+     * ```typescript
+     * try {
+     *   const result = await mfaFlow.verifyMFA('123456', 'session_id_from_login');
+     *   if (result.success) {
+     *     console.log('MFA verification successful!');
+     *     localStorage.setItem('accessToken', result.accessToken);
+     *   }
+     * } catch (error) {
+     *   if (error.code === AuthErrorCode.INVALID_OTP) {
+     *     console.log('Invalid MFA code');
+     *   } else if (error.code === AuthErrorCode.MFA_CHALLENGE_EXPIRED) {
+     *     console.log('Session expired, please log in again');
+     *   }
+     * }
+     * ```
+     *
+     * @throws {AuthError} When MFA verification fails
+     */
+    verifyMFA(code: string, sessionId: string): Promise<AuthResult>;
+    /**
+     * Convenience method for verifying TOTP (Time-based One-Time Password)
+     *
+     * @param totpCode - 6-digit TOTP code from authenticator app
+     * @param sessionId - Session identifier from initial login attempt
+     * @returns Promise resolving to authentication result
+     *
+     * @example
+     * ```typescript
+     * // User enters code from Google Authenticator, Authy, etc.
+     * const totpCode = '123456';
+     * const result = await mfaFlow.verifyTOTP(totpCode, 'session_id');
+     * ```
+     */
+    verifyTOTP(totpCode: string, sessionId: string): Promise<AuthResult>;
+}
+//# sourceMappingURL=mfa.d.ts.map

package/dist/core/src/auth/flows/mfa.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"mfa.d.ts","sourceRoot":"","sources":["../../../../../src/auth/flows/mfa.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,KAAK,EAAuC,UAAU,EAAE,cAAc,EAAE,MAAM,UAAU,CAAC;AAEhG,OAAO,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC;AAE3C;;;;;;;;;;;;;;;;;;;;;;;;;;GA0BG;AACH,qBAAa,OAAQ,SAAQ,YAAY;gBAE3B,MAAM,EAAE,cAAc;IAIlC;;;;;;;;;;;;;;;;;;;;;;;;;OAyBG;IACG,SAAS,CAAC,IAAI,EAAE,MAAM,EAAE,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,UAAU,CAAC;IA8BrE;;;;;;;;;;;;;OAaG;IACG,UAAU,CAAC,QAAQ,EAAE,MAAM,EAAE,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,UAAU,CAAC;CA8C3E"}

package/dist/core/src/auth/flows/mfa.js

@@ -0,0 +1,103 @@
+/**
+ * Multi-Factor Authentication (MFA) flow
+ *
+ * Handles MFA verification using the actual tenant-sdk AuthenticationApi.verifyMfaApiV1AuthMfaVerifyPost method.
+ * Provides TOTP setup and management functionality.
+ */
+import { AuthError, AuthErrorCode } from "../error";
+import { BaseAuthFlow } from "./base-flow";
+/**
+ * Multi-Factor Authentication flow
+ *
+ * Provides MFA verification using actual tenant-sdk APIs.
+ * Uses AuthenticationApi.verifyMfaApiV1AuthMfaVerifyPost for MFA verification.
+ *
+ * @example
+ * ```typescript
+ * const mfaFlow = new MFAFlow(config);
+ *
+ * // After initial login, if MFA is required
+ * try {
+ *   const loginResult = await passwordFlow.login(email, password);
+ * } catch (error) {
+ *   if (error.code === AuthErrorCode.MFA_REQUIRED) {
+ *     const sessionId = error.details.sessionId;
+ *
+ *     // User enters TOTP code from authenticator app
+ *     const mfaResult = await mfaFlow.verifyMFA('123456', sessionId);
+ *
+ *     if (mfaResult.success) {
+ *       console.log('MFA successful:', mfaResult.user);
+ *     }
+ *   }
+ * }
+ * ```
+ */
+export class MFAFlow extends BaseAuthFlow {
+    constructor(config) {
+        super(config);
+    }
+    /**
+     * Verifies MFA using tenant-sdk AuthenticationApi.verifyMfaApiV1AuthMfaVerifyPost
+     *
+     * @param code - MFA verification code (typically from TOTP app)
+     * @param sessionId - Session identifier from initial login attempt
+     * @returns Promise resolving to authentication result
+     *
+     * @example
+     * ```typescript
+     * try {
+     *   const result = await mfaFlow.verifyMFA('123456', 'session_id_from_login');
+     *   if (result.success) {
+     *     console.log('MFA verification successful!');
+     *     localStorage.setItem('accessToken', result.accessToken);
+     *   }
+     * } catch (error) {
+     *   if (error.code === AuthErrorCode.INVALID_OTP) {
+     *     console.log('Invalid MFA code');
+     *   } else if (error.code === AuthErrorCode.MFA_CHALLENGE_EXPIRED) {
+     *     console.log('Session expired, please log in again');
+     *   }
+     * }
+     * ```
+     *
+     * @throws {AuthError} When MFA verification fails
+     */
+    async verifyMFA(code, sessionId) {
+        if (!code) {
+            throw new AuthError(AuthErrorCode.MISSING_REQUIRED_FIELD, 'MFA code is required');
+        }
+        if (!sessionId) {
+            throw new AuthError(AuthErrorCode.MISSING_REQUIRED_FIELD, 'Session ID is required');
+        }
+        const normalizedCode = code.replace(/\s+/g, '').toString();
+        return this.safeApiCall(async () => {
+            // Use the actual tenant-sdk AuthenticationApi.verifyMfaApiV1AuthMfaVerifyPost method
+            const response = await this.authApi.verifyMfaApiV1AuthMfaVerifyPost({
+                mFARequest: {
+                    code: normalizedCode,
+                    sessionId,
+                },
+            });
+            return this.processAuthResponse(response);
+        }, AuthErrorCode.INVALID_OTP);
+    }
+    /**
+     * Convenience method for verifying TOTP (Time-based One-Time Password)
+     *
+     * @param totpCode - 6-digit TOTP code from authenticator app
+     * @param sessionId - Session identifier from initial login attempt
+     * @returns Promise resolving to authentication result
+     *
+     * @example
+     * ```typescript
+     * // User enters code from Google Authenticator, Authy, etc.
+     * const totpCode = '123456';
+     * const result = await mfaFlow.verifyTOTP(totpCode, 'session_id');
+     * ```
+     */
+    async verifyTOTP(totpCode, sessionId) {
+        return this.verifyMFA(totpCode, sessionId);
+    }
+}
+//# sourceMappingURL=mfa.js.map

package/dist/core/src/auth/flows/mfa.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"mfa.js","sourceRoot":"","sources":["../../../../../src/auth/flows/mfa.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAGH,OAAO,EAAE,SAAS,EAAE,aAAa,EAAE,MAAM,UAAU,CAAC;AACpD,OAAO,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC;AAE3C;;;;;;;;;;;;;;;;;;;;;;;;;;GA0BG;AACH,MAAM,OAAO,OAAQ,SAAQ,YAAY;IAEvC,YAAY,MAAsB;QAChC,KAAK,CAAC,MAAM,CAAC,CAAC;IAChB,CAAC;IAED;;;;;;;;;;;;;;;;;;;;;;;;;OAyBG;IACH,KAAK,CAAC,SAAS,CAAC,IAAY,EAAE,SAAiB;QAC7C,IAAI,CAAC,IAAI,EAAE,CAAC;YACV,MAAM,IAAI,SAAS,CACjB,aAAa,CAAC,sBAAsB,EACpC,sBAAsB,CACvB,CAAC;QACJ,CAAC;QAED,IAAI,CAAC,SAAS,EAAE,CAAC;YACf,MAAM,IAAI,SAAS,CACjB,aAAa,CAAC,sBAAsB,EACpC,wBAAwB,CACzB,CAAC;QACJ,CAAC;QAED,MAAM,cAAc,GAAG,IAAI,CAAC,OAAO,CAAC,MAAM,EAAE,EAAE,CAAC,CAAC,QAAQ,EAAE,CAAC;QAE3D,OAAO,IAAI,CAAC,WAAW,CAAC,KAAK,IAAI,EAAE;YACjC,qFAAqF;YACrF,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,OAAO,CAAC,+BAA+B,CAAC;gBAClE,UAAU,EAAE;oBACV,IAAI,EAAE,cAAc;oBACpB,SAAS;iBACV;aACF,CAAC,CAAC;YAEH,OAAO,IAAI,CAAC,mBAAmB,CAAC,QAAQ,CAAC,CAAC;QAC5C,CAAC,EAAE,aAAa,CAAC,WAAW,CAAC,CAAC;IAChC,CAAC;IAED;;;;;;;;;;;;;OAaG;IACH,KAAK,CAAC,UAAU,CAAC,QAAgB,EAAE,SAAiB;QAClD,OAAO,IAAI,CAAC,SAAS,CAAC,QAAQ,EAAE,SAAS,CAAC,CAAC;IAC7C,CAAC;CA4CF"}