clearauth 0.3.0

package/dist/oauth/handler.js

@@ -0,0 +1,277 @@
+/**
+ * OAuth HTTP Request Handler
+ *
+ * Handles OAuth-related HTTP requests for GitHub and Google authentication.
+ * Provides login initiation and callback handling endpoints.
+ */
+import { generateGitHubAuthUrl, handleGitHubCallback } from './github.js';
+import { generateGoogleAuthUrl, handleGoogleCallback } from './google.js';
+import { normalizeAuthPath } from '../utils/normalize-auth-path.js';
+import { upsertOAuthUser, createSession, parseCookies, createCookieHeader, createDeleteCookieHeader, } from './callbacks.js';
+/**
+ * Helper to create Headers with multiple Set-Cookie headers
+ *
+ * HTTP spec requires each cookie to be a separate Set-Cookie header entry,
+ * not comma-separated in a single header.
+ *
+ * @param cookies - Array of cookie header strings
+ * @param location - Redirect location URL
+ * @returns Headers object with proper Set-Cookie headers
+ */
+function createHeadersWithCookies(cookies, location) {
+    const headers = new Headers();
+    if (location) {
+        headers.set('Location', location);
+    }
+    for (const cookie of cookies) {
+        headers.append('Set-Cookie', cookie);
+    }
+    return headers;
+}
+/**
+ * OAuth Request Handler
+ *
+ * Main handler for OAuth-related requests. Routes requests to appropriate
+ * provider handlers based on URL path.
+ *
+ * @param request - HTTP request
+ * @param config - Clear Auth configuration
+ * @returns HTTP response
+ *
+ * @example
+ * ```ts
+ * export default {
+ *   async fetch(request: Request, env: Env) {
+ *     const url = new URL(request.url)
+ *     if (url.pathname.startsWith('/auth/oauth/')) {
+ *       return handleOAuthRequest(request, config)
+ *     }
+ *     // ... other routes
+ *   }
+ * }
+ * ```
+ */
+export async function handleOAuthRequest(request, config) {
+    const url = new URL(request.url);
+    const pathname = normalizeAuthPath(url.pathname);
+    // GitHub OAuth routes
+    if (pathname === '/auth/oauth/github' || pathname === '/auth/github/login') {
+        return handleGitHubLogin(request, config);
+    }
+    if (pathname === '/auth/callback/github' || pathname === '/auth/github/callback') {
+        return handleGitHubCallbackRequest(request, config);
+    }
+    // Google OAuth routes
+    if (pathname === '/auth/oauth/google' || pathname === '/auth/google/login') {
+        return handleGoogleLogin(request, config);
+    }
+    if (pathname === '/auth/callback/google' || pathname === '/auth/google/callback') {
+        return handleGoogleCallbackRequest(request, config);
+    }
+    return new Response('Not Found', { status: 404 });
+}
+/**
+ * Handle GitHub login initiation
+ *
+ * Generates GitHub OAuth URL and redirects user to GitHub for authentication.
+ * Stores state parameter in cookie for CSRF protection.
+ */
+async function handleGitHubLogin(request, config) {
+    try {
+        const { url, state } = await generateGitHubAuthUrl(config);
+        // Store state in cookie for validation
+        const stateCookie = createCookieHeader('oauth_state', state, {
+            httpOnly: true,
+            secure: config.isProduction ?? true,
+            sameSite: 'lax',
+            path: '/',
+            maxAge: 600, // 10 minutes
+        });
+        return new Response(null, {
+            status: 302,
+            headers: {
+                Location: url.toString(),
+                'Set-Cookie': stateCookie,
+            },
+        });
+    }
+    catch (error) {
+        console.error('GitHub login error:', error);
+        return new Response('OAuth configuration error', { status: 500 });
+    }
+}
+/**
+ * Handle GitHub OAuth callback
+ *
+ * Validates OAuth callback, creates/updates user, and creates session.
+ */
+async function handleGitHubCallbackRequest(request, config) {
+    try {
+        const url = new URL(request.url);
+        const code = url.searchParams.get('code');
+        const returnedState = url.searchParams.get('state');
+        const error = url.searchParams.get('error');
+        // Check for OAuth errors
+        if (error) {
+            return new Response(`OAuth error: ${error}`, { status: 400 });
+        }
+        if (!code || !returnedState) {
+            return new Response('Missing code or state parameter', { status: 400 });
+        }
+        // Get stored state from cookie
+        const cookies = parseCookies(request.headers.get('Cookie') || '');
+        const storedState = cookies['oauth_state'];
+        if (!storedState) {
+            return new Response('Missing state cookie', { status: 400 });
+        }
+        // Handle OAuth callback
+        const result = await handleGitHubCallback(config, code, storedState, returnedState);
+        // Upsert user
+        const user = await upsertOAuthUser(config.database, 'github', result.profile);
+        // Create session
+        const context = getRequestContext(request);
+        const expiresInSeconds = config.session?.expiresIn ?? 2592000; // 30 days
+        const sessionId = await createSession(config.database, user.id, expiresInSeconds, context);
+        // Create session cookie
+        const cookieName = config.session?.cookie?.name ?? 'session';
+        const sessionCookie = createCookieHeader(cookieName, sessionId, {
+            httpOnly: config.session?.cookie?.httpOnly ?? true,
+            secure: config.session?.cookie?.secure ?? config.isProduction ?? true,
+            sameSite: config.session?.cookie?.sameSite ?? 'lax',
+            path: config.session?.cookie?.path ?? '/',
+            maxAge: expiresInSeconds,
+        });
+        // Clear state cookie
+        const deleteStateCookie = createDeleteCookieHeader('oauth_state', { path: '/' });
+        // Redirect to success page or home
+        const headers = createHeadersWithCookies([sessionCookie, deleteStateCookie], '/' // TODO: Make this configurable
+        );
+        return new Response(null, {
+            status: 302,
+            headers,
+        });
+    }
+    catch (error) {
+        console.error('GitHub callback error:', error);
+        const message = error instanceof Error ? error.message : 'OAuth callback failed';
+        return new Response(message, { status: 400 });
+    }
+}
+/**
+ * Handle Google login initiation
+ *
+ * Generates Google OAuth URL and redirects user to Google for authentication.
+ * Stores state and code verifier in cookies for CSRF protection and PKCE.
+ */
+async function handleGoogleLogin(request, config) {
+    try {
+        const { url, state, codeVerifier } = await generateGoogleAuthUrl(config);
+        // Store state and code verifier in cookies for validation
+        const stateCookie = createCookieHeader('oauth_state', state, {
+            httpOnly: true,
+            secure: config.isProduction ?? true,
+            sameSite: 'lax',
+            path: '/',
+            maxAge: 600, // 10 minutes
+        });
+        const verifierCookie = createCookieHeader('oauth_code_verifier', codeVerifier, {
+            httpOnly: true,
+            secure: config.isProduction ?? true,
+            sameSite: 'lax',
+            path: '/',
+            maxAge: 600, // 10 minutes
+        });
+        const headers = createHeadersWithCookies([stateCookie, verifierCookie], url.toString());
+        return new Response(null, {
+            status: 302,
+            headers,
+        });
+    }
+    catch (error) {
+        console.error('Google login error:', error);
+        return new Response('OAuth configuration error', { status: 500 });
+    }
+}
+/**
+ * Handle Google OAuth callback
+ *
+ * Validates OAuth callback, creates/updates user, and creates session.
+ */
+async function handleGoogleCallbackRequest(request, config) {
+    try {
+        const url = new URL(request.url);
+        const code = url.searchParams.get('code');
+        const returnedState = url.searchParams.get('state');
+        const error = url.searchParams.get('error');
+        // Check for OAuth errors
+        if (error) {
+            return new Response(`OAuth error: ${error}`, { status: 400 });
+        }
+        if (!code || !returnedState) {
+            return new Response('Missing code or state parameter', { status: 400 });
+        }
+        // Get stored state and code verifier from cookies
+        const cookies = parseCookies(request.headers.get('Cookie') || '');
+        const storedState = cookies['oauth_state'];
+        const codeVerifier = cookies['oauth_code_verifier'];
+        if (!storedState) {
+            return new Response('Missing state cookie', { status: 400 });
+        }
+        if (!codeVerifier) {
+            return new Response('Missing code verifier cookie', { status: 400 });
+        }
+        // Handle OAuth callback
+        const result = await handleGoogleCallback(config, code, storedState, returnedState, codeVerifier);
+        // Upsert user
+        const user = await upsertOAuthUser(config.database, 'google', result.profile);
+        // Create session
+        const context = getRequestContext(request);
+        const expiresInSeconds = config.session?.expiresIn ?? 2592000; // 30 days
+        const sessionId = await createSession(config.database, user.id, expiresInSeconds, context);
+        // Create session cookie
+        const cookieName = config.session?.cookie?.name ?? 'session';
+        const sessionCookie = createCookieHeader(cookieName, sessionId, {
+            httpOnly: config.session?.cookie?.httpOnly ?? true,
+            secure: config.session?.cookie?.secure ?? config.isProduction ?? true,
+            sameSite: config.session?.cookie?.sameSite ?? 'lax',
+            path: config.session?.cookie?.path ?? '/',
+            maxAge: expiresInSeconds,
+        });
+        // Clear state and verifier cookies
+        const deleteStateCookie = createDeleteCookieHeader('oauth_state', { path: '/' });
+        const deleteVerifierCookie = createDeleteCookieHeader('oauth_code_verifier', { path: '/' });
+        // Redirect to success page or home
+        const headers = createHeadersWithCookies([sessionCookie, deleteStateCookie, deleteVerifierCookie], '/' // TODO: Make this configurable
+        );
+        return new Response(null, {
+            status: 302,
+            headers,
+        });
+    }
+    catch (error) {
+        console.error('Google callback error:', error);
+        const message = error instanceof Error ? error.message : 'OAuth callback failed';
+        return new Response(message, { status: 400 });
+    }
+}
+/**
+ * Extract request context from HTTP request
+ *
+ * Extracts IP address and user agent from request headers.
+ *
+ * @internal
+ */
+function getRequestContext(request) {
+    // Try various headers for IP address
+    const headers = request.headers;
+    const ipAddress = headers.get('cf-connecting-ip') || // Cloudflare
+        headers.get('x-real-ip') || // Nginx
+        headers.get('x-forwarded-for')?.split(',')[0] || // Standard proxy header
+        undefined;
+    const userAgent = headers.get('user-agent') || undefined;
+    return {
+        ipAddress,
+        userAgent,
+    };
+}
+//# sourceMappingURL=handler.js.map

package/dist/oauth/handler.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"handler.js","sourceRoot":"","sources":["../../src/oauth/handler.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAGH,OAAO,EAAE,qBAAqB,EAAE,oBAAoB,EAAE,MAAM,aAAa,CAAA;AACzE,OAAO,EAAE,qBAAqB,EAAE,oBAAoB,EAAE,MAAM,aAAa,CAAA;AACzE,OAAO,EAAE,iBAAiB,EAAE,MAAM,iCAAiC,CAAA;AACnE,OAAO,EACL,eAAe,EACf,aAAa,EACb,YAAY,EACZ,kBAAkB,EAClB,wBAAwB,GACzB,MAAM,gBAAgB,CAAA;AAEvB;;;;;;;;;GASG;AACH,SAAS,wBAAwB,CAAC,OAAiB,EAAE,QAAiB;IACpE,MAAM,OAAO,GAAG,IAAI,OAAO,EAAE,CAAA;IAC7B,IAAI,QAAQ,EAAE,CAAC;QACb,OAAO,CAAC,GAAG,CAAC,UAAU,EAAE,QAAQ,CAAC,CAAA;IACnC,CAAC;IACD,KAAK,MAAM,MAAM,IAAI,OAAO,EAAE,CAAC;QAC7B,OAAO,CAAC,MAAM,CAAC,YAAY,EAAE,MAAM,CAAC,CAAA;IACtC,CAAC;IACD,OAAO,OAAO,CAAA;AAChB,CAAC;AAED;;;;;;;;;;;;;;;;;;;;;;GAsBG;AACH,MAAM,CAAC,KAAK,UAAU,kBAAkB,CACtC,OAAgB,EAChB,MAAuB;IAEvB,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC,CAAA;IAChC,MAAM,QAAQ,GAAG,iBAAiB,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAA;IAEhD,sBAAsB;IACtB,IAAI,QAAQ,KAAK,oBAAoB,IAAI,QAAQ,KAAK,oBAAoB,EAAE,CAAC;QAC3E,OAAO,iBAAiB,CAAC,OAAO,EAAE,MAAM,CAAC,CAAA;IAC3C,CAAC;IAED,IAAI,QAAQ,KAAK,uBAAuB,IAAI,QAAQ,KAAK,uBAAuB,EAAE,CAAC;QACjF,OAAO,2BAA2B,CAAC,OAAO,EAAE,MAAM,CAAC,CAAA;IACrD,CAAC;IAED,sBAAsB;IACtB,IAAI,QAAQ,KAAK,oBAAoB,IAAI,QAAQ,KAAK,oBAAoB,EAAE,CAAC;QAC3E,OAAO,iBAAiB,CAAC,OAAO,EAAE,MAAM,CAAC,CAAA;IAC3C,CAAC;IAED,IAAI,QAAQ,KAAK,uBAAuB,IAAI,QAAQ,KAAK,uBAAuB,EAAE,CAAC;QACjF,OAAO,2BAA2B,CAAC,OAAO,EAAE,MAAM,CAAC,CAAA;IACrD,CAAC;IAED,OAAO,IAAI,QAAQ,CAAC,WAAW,EAAE,EAAE,MAAM,EAAE,GAAG,EAAE,CAAC,CAAA;AACnD,CAAC;AAED;;;;;GAKG;AACH,KAAK,UAAU,iBAAiB,CAAC,OAAgB,EAAE,MAAuB;IACxE,IAAI,CAAC;QACH,MAAM,EAAE,GAAG,EAAE,KAAK,EAAE,GAAG,MAAM,qBAAqB,CAAC,MAAM,CAAC,CAAA;QAE1D,uCAAuC;QACvC,MAAM,WAAW,GAAG,kBAAkB,CAAC,aAAa,EAAE,KAAK,EAAE;YAC3D,QAAQ,EAAE,IAAI;YACd,MAAM,EAAE,MAAM,CAAC,YAAY,IAAI,IAAI;YACnC,QAAQ,EAAE,KAAK;YACf,IAAI,EAAE,GAAG;YACT,MAAM,EAAE,GAAG,EAAE,aAAa;SAC3B,CAAC,CAAA;QAEF,OAAO,IAAI,QAAQ,CAAC,IAAI,EAAE;YACxB,MAAM,EAAE,GAAG;YACX,OAAO,EAAE;gBACP,QAAQ,EAAE,GAAG,CAAC,QAAQ,EAAE;gBACxB,YAAY,EAAE,WAAW;aAC1B;SACF,CAAC,CAAA;IACJ,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,OAAO,CAAC,KAAK,CAAC,qBAAqB,EAAE,KAAK,CAAC,CAAA;QAC3C,OAAO,IAAI,QAAQ,CAAC,2BAA2B,EAAE,EAAE,MAAM,EAAE,GAAG,EAAE,CAAC,CAAA;IACnE,CAAC;AACH,CAAC;AAED;;;;GAIG;AACH,KAAK,UAAU,2BAA2B,CACxC,OAAgB,EAChB,MAAuB;IAEvB,IAAI,CAAC;QACH,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC,CAAA;QAChC,MAAM,IAAI,GAAG,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,MAAM,CAAC,CAAA;QACzC,MAAM,aAAa,GAAG,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,OAAO,CAAC,CAAA;QACnD,MAAM,KAAK,GAAG,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,OAAO,CAAC,CAAA;QAE3C,yBAAyB;QACzB,IAAI,KAAK,EAAE,CAAC;YACV,OAAO,IAAI,QAAQ,CAAC,gBAAgB,KAAK,EAAE,EAAE,EAAE,MAAM,EAAE,GAAG,EAAE,CAAC,CAAA;QAC/D,CAAC;QAED,IAAI,CAAC,IAAI,IAAI,CAAC,aAAa,EAAE,CAAC;YAC5B,OAAO,IAAI,QAAQ,CAAC,iCAAiC,EAAE,EAAE,MAAM,EAAE,GAAG,EAAE,CAAC,CAAA;QACzE,CAAC;QAED,+BAA+B;QAC/B,MAAM,OAAO,GAAG,YAAY,CAAC,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,QAAQ,CAAC,IAAI,EAAE,CAAC,CAAA;QACjE,MAAM,WAAW,GAAG,OAAO,CAAC,aAAa,CAAC,CAAA;QAE1C,IAAI,CAAC,WAAW,EAAE,CAAC;YACjB,OAAO,IAAI,QAAQ,CAAC,sBAAsB,EAAE,EAAE,MAAM,EAAE,GAAG,EAAE,CAAC,CAAA;QAC9D,CAAC;QAED,wBAAwB;QACxB,MAAM,MAAM,GAAG,MAAM,oBAAoB,CAAC,MAAM,EAAE,IAAI,EAAE,WAAW,EAAE,aAAa,CAAC,CAAA;QAEnF,cAAc;QACd,MAAM,IAAI,GAAG,MAAM,eAAe,CAAC,MAAM,CAAC,QAAQ,EAAE,QAAQ,EAAE,MAAM,CAAC,OAAO,CAAC,CAAA;QAE7E,iBAAiB;QACjB,MAAM,OAAO,GAAG,iBAAiB,CAAC,OAAO,CAAC,CAAA;QAC1C,MAAM,gBAAgB,GAAG,MAAM,CAAC,OAAO,EAAE,SAAS,IAAI,OAAO,CAAA,CAAC,UAAU;QACxE,MAAM,SAAS,GAAG,MAAM,aAAa,CAAC,MAAM,CAAC,QAAQ,EAAE,IAAI,CAAC,EAAE,EAAE,gBAAgB,EAAE,OAAO,CAAC,CAAA;QAE1F,wBAAwB;QACxB,MAAM,UAAU,GAAG,MAAM,CAAC,OAAO,EAAE,MAAM,EAAE,IAAI,IAAI,SAAS,CAAA;QAC5D,MAAM,aAAa,GAAG,kBAAkB,CAAC,UAAU,EAAE,SAAS,EAAE;YAC9D,QAAQ,EAAE,MAAM,CAAC,OAAO,EAAE,MAAM,EAAE,QAAQ,IAAI,IAAI;YAClD,MAAM,EAAE,MAAM,CAAC,OAAO,EAAE,MAAM,EAAE,MAAM,IAAI,MAAM,CAAC,YAAY,IAAI,IAAI;YACrE,QAAQ,EAAE,MAAM,CAAC,OAAO,EAAE,MAAM,EAAE,QAAQ,IAAI,KAAK;YACnD,IAAI,EAAE,MAAM,CAAC,OAAO,EAAE,MAAM,EAAE,IAAI,IAAI,GAAG;YACzC,MAAM,EAAE,gBAAgB;SACzB,CAAC,CAAA;QAEF,qBAAqB;QACrB,MAAM,iBAAiB,GAAG,wBAAwB,CAAC,aAAa,EAAE,EAAE,IAAI,EAAE,GAAG,EAAE,CAAC,CAAA;QAEhF,mCAAmC;QACnC,MAAM,OAAO,GAAG,wBAAwB,CACtC,CAAC,aAAa,EAAE,iBAAiB,CAAC,EAClC,GAAG,CAAC,+BAA+B;SACpC,CAAA;QAED,OAAO,IAAI,QAAQ,CAAC,IAAI,EAAE;YACxB,MAAM,EAAE,GAAG;YACX,OAAO;SACR,CAAC,CAAA;IACJ,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,OAAO,CAAC,KAAK,CAAC,wBAAwB,EAAE,KAAK,CAAC,CAAA;QAC9C,MAAM,OAAO,GAAG,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,uBAAuB,CAAA;QAChF,OAAO,IAAI,QAAQ,CAAC,OAAO,EAAE,EAAE,MAAM,EAAE,GAAG,EAAE,CAAC,CAAA;IAC/C,CAAC;AACH,CAAC;AAED;;;;;GAKG;AACH,KAAK,UAAU,iBAAiB,CAAC,OAAgB,EAAE,MAAuB;IACxE,IAAI,CAAC;QACH,MAAM,EAAE,GAAG,EAAE,KAAK,EAAE,YAAY,EAAE,GAAG,MAAM,qBAAqB,CAAC,MAAM,CAAC,CAAA;QAExE,0DAA0D;QAC1D,MAAM,WAAW,GAAG,kBAAkB,CAAC,aAAa,EAAE,KAAK,EAAE;YAC3D,QAAQ,EAAE,IAAI;YACd,MAAM,EAAE,MAAM,CAAC,YAAY,IAAI,IAAI;YACnC,QAAQ,EAAE,KAAK;YACf,IAAI,EAAE,GAAG;YACT,MAAM,EAAE,GAAG,EAAE,aAAa;SAC3B,CAAC,CAAA;QAEF,MAAM,cAAc,GAAG,kBAAkB,CAAC,qBAAqB,EAAE,YAAY,EAAE;YAC7E,QAAQ,EAAE,IAAI;YACd,MAAM,EAAE,MAAM,CAAC,YAAY,IAAI,IAAI;YACnC,QAAQ,EAAE,KAAK;YACf,IAAI,EAAE,GAAG;YACT,MAAM,EAAE,GAAG,EAAE,aAAa;SAC3B,CAAC,CAAA;QAEF,MAAM,OAAO,GAAG,wBAAwB,CAAC,CAAC,WAAW,EAAE,cAAc,CAAC,EAAE,GAAG,CAAC,QAAQ,EAAE,CAAC,CAAA;QAEvF,OAAO,IAAI,QAAQ,CAAC,IAAI,EAAE;YACxB,MAAM,EAAE,GAAG;YACX,OAAO;SACR,CAAC,CAAA;IACJ,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,OAAO,CAAC,KAAK,CAAC,qBAAqB,EAAE,KAAK,CAAC,CAAA;QAC3C,OAAO,IAAI,QAAQ,CAAC,2BAA2B,EAAE,EAAE,MAAM,EAAE,GAAG,EAAE,CAAC,CAAA;IACnE,CAAC;AACH,CAAC;AAED;;;;GAIG;AACH,KAAK,UAAU,2BAA2B,CACxC,OAAgB,EAChB,MAAuB;IAEvB,IAAI,CAAC;QACH,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC,CAAA;QAChC,MAAM,IAAI,GAAG,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,MAAM,CAAC,CAAA;QACzC,MAAM,aAAa,GAAG,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,OAAO,CAAC,CAAA;QACnD,MAAM,KAAK,GAAG,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,OAAO,CAAC,CAAA;QAE3C,yBAAyB;QACzB,IAAI,KAAK,EAAE,CAAC;YACV,OAAO,IAAI,QAAQ,CAAC,gBAAgB,KAAK,EAAE,EAAE,EAAE,MAAM,EAAE,GAAG,EAAE,CAAC,CAAA;QAC/D,CAAC;QAED,IAAI,CAAC,IAAI,IAAI,CAAC,aAAa,EAAE,CAAC;YAC5B,OAAO,IAAI,QAAQ,CAAC,iCAAiC,EAAE,EAAE,MAAM,EAAE,GAAG,EAAE,CAAC,CAAA;QACzE,CAAC;QAED,kDAAkD;QAClD,MAAM,OAAO,GAAG,YAAY,CAAC,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,QAAQ,CAAC,IAAI,EAAE,CAAC,CAAA;QACjE,MAAM,WAAW,GAAG,OAAO,CAAC,aAAa,CAAC,CAAA;QAC1C,MAAM,YAAY,GAAG,OAAO,CAAC,qBAAqB,CAAC,CAAA;QAEnD,IAAI,CAAC,WAAW,EAAE,CAAC;YACjB,OAAO,IAAI,QAAQ,CAAC,sBAAsB,EAAE,EAAE,MAAM,EAAE,GAAG,EAAE,CAAC,CAAA;QAC9D,CAAC;QAED,IAAI,CAAC,YAAY,EAAE,CAAC;YAClB,OAAO,IAAI,QAAQ,CAAC,8BAA8B,EAAE,EAAE,MAAM,EAAE,GAAG,EAAE,CAAC,CAAA;QACtE,CAAC;QAED,wBAAwB;QACxB,MAAM,MAAM,GAAG,MAAM,oBAAoB,CAAC,MAAM,EAAE,IAAI,EAAE,WAAW,EAAE,aAAa,EAAE,YAAY,CAAC,CAAA;QAEjG,cAAc;QACd,MAAM,IAAI,GAAG,MAAM,eAAe,CAAC,MAAM,CAAC,QAAQ,EAAE,QAAQ,EAAE,MAAM,CAAC,OAAO,CAAC,CAAA;QAE7E,iBAAiB;QACjB,MAAM,OAAO,GAAG,iBAAiB,CAAC,OAAO,CAAC,CAAA;QAC1C,MAAM,gBAAgB,GAAG,MAAM,CAAC,OAAO,EAAE,SAAS,IAAI,OAAO,CAAA,CAAC,UAAU;QACxE,MAAM,SAAS,GAAG,MAAM,aAAa,CAAC,MAAM,CAAC,QAAQ,EAAE,IAAI,CAAC,EAAE,EAAE,gBAAgB,EAAE,OAAO,CAAC,CAAA;QAE1F,wBAAwB;QACxB,MAAM,UAAU,GAAG,MAAM,CAAC,OAAO,EAAE,MAAM,EAAE,IAAI,IAAI,SAAS,CAAA;QAC5D,MAAM,aAAa,GAAG,kBAAkB,CAAC,UAAU,EAAE,SAAS,EAAE;YAC9D,QAAQ,EAAE,MAAM,CAAC,OAAO,EAAE,MAAM,EAAE,QAAQ,IAAI,IAAI;YAClD,MAAM,EAAE,MAAM,CAAC,OAAO,EAAE,MAAM,EAAE,MAAM,IAAI,MAAM,CAAC,YAAY,IAAI,IAAI;YACrE,QAAQ,EAAE,MAAM,CAAC,OAAO,EAAE,MAAM,EAAE,QAAQ,IAAI,KAAK;YACnD,IAAI,EAAE,MAAM,CAAC,OAAO,EAAE,MAAM,EAAE,IAAI,IAAI,GAAG;YACzC,MAAM,EAAE,gBAAgB;SACzB,CAAC,CAAA;QAEF,mCAAmC;QACnC,MAAM,iBAAiB,GAAG,wBAAwB,CAAC,aAAa,EAAE,EAAE,IAAI,EAAE,GAAG,EAAE,CAAC,CAAA;QAChF,MAAM,oBAAoB,GAAG,wBAAwB,CAAC,qBAAqB,EAAE,EAAE,IAAI,EAAE,GAAG,EAAE,CAAC,CAAA;QAE3F,mCAAmC;QACnC,MAAM,OAAO,GAAG,wBAAwB,CACtC,CAAC,aAAa,EAAE,iBAAiB,EAAE,oBAAoB,CAAC,EACxD,GAAG,CAAC,+BAA+B;SACpC,CAAA;QAED,OAAO,IAAI,QAAQ,CAAC,IAAI,EAAE;YACxB,MAAM,EAAE,GAAG;YACX,OAAO;SACR,CAAC,CAAA;IACJ,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,OAAO,CAAC,KAAK,CAAC,wBAAwB,EAAE,KAAK,CAAC,CAAA;QAC9C,MAAM,OAAO,GAAG,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,uBAAuB,CAAA;QAChF,OAAO,IAAI,QAAQ,CAAC,OAAO,EAAE,EAAE,MAAM,EAAE,GAAG,EAAE,CAAC,CAAA;IAC/C,CAAC;AACH,CAAC;AAED;;;;;;GAMG;AACH,SAAS,iBAAiB,CAAC,OAAgB;IACzC,qCAAqC;IACrC,MAAM,OAAO,GAAG,OAAO,CAAC,OAAO,CAAA;IAC/B,MAAM,SAAS,GACb,OAAO,CAAC,GAAG,CAAC,kBAAkB,CAAC,IAAI,aAAa;QAChD,OAAO,CAAC,GAAG,CAAC,WAAW,CAAC,IAAI,QAAQ;QACpC,OAAO,CAAC,GAAG,CAAC,iBAAiB,CAAC,EAAE,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,IAAI,wBAAwB;QACzE,SAAS,CAAA;IAEX,MAAM,SAAS,GAAG,OAAO,CAAC,GAAG,CAAC,YAAY,CAAC,IAAI,SAAS,CAAA;IAExD,OAAO;QACL,SAAS;QACT,SAAS;KACV,CAAA;AACH,CAAC"}

package/dist/password-hasher-argon2.d.ts

@@ -0,0 +1,7 @@
+import type { PasswordHasher } from './password-hasher.js';
+export type Argon2idPasswordHasherOptions = {
+    memoryCost?: number;
+    timeCost?: number;
+    parallelism?: number;
+};
+export declare function createArgon2idPasswordHasher(options?: Argon2idPasswordHasherOptions): PasswordHasher;

package/dist/password-hasher-argon2.js

@@ -0,0 +1,16 @@
+import { hash as argon2Hash, verify as argon2Verify } from '@node-rs/argon2';
+export function createArgon2idPasswordHasher(options = {}) {
+    const memoryCost = options.memoryCost ?? 19456;
+    const timeCost = options.timeCost ?? 2;
+    const parallelism = options.parallelism ?? 1;
+    return {
+        id: 'argon2id',
+        async hash(password) {
+            return await argon2Hash(password, { memoryCost, timeCost, parallelism });
+        },
+        async verify(hash, password) {
+            return await argon2Verify(hash, password);
+        },
+    };
+}
+//# sourceMappingURL=password-hasher-argon2.js.map

package/dist/password-hasher-argon2.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"password-hasher-argon2.js","sourceRoot":"","sources":["../src/password-hasher-argon2.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,IAAI,IAAI,UAAU,EAAE,MAAM,IAAI,YAAY,EAAE,MAAM,iBAAiB,CAAA;AAU5E,MAAM,UAAU,4BAA4B,CAAC,UAAyC,EAAE;IACtF,MAAM,UAAU,GAAG,OAAO,CAAC,UAAU,IAAI,KAAK,CAAA;IAC9C,MAAM,QAAQ,GAAG,OAAO,CAAC,QAAQ,IAAI,CAAC,CAAA;IACtC,MAAM,WAAW,GAAG,OAAO,CAAC,WAAW,IAAI,CAAC,CAAA;IAE5C,OAAO;QACL,EAAE,EAAE,UAAU;QACd,KAAK,CAAC,IAAI,CAAC,QAAgB;YACzB,OAAO,MAAM,UAAU,CAAC,QAAQ,EAAE,EAAE,UAAU,EAAE,QAAQ,EAAE,WAAW,EAAE,CAAC,CAAA;QAC1E,CAAC;QACD,KAAK,CAAC,MAAM,CAAC,IAAY,EAAE,QAAgB;YACzC,OAAO,MAAM,YAAY,CAAC,IAAI,EAAE,QAAQ,CAAC,CAAA;QAC3C,CAAC;KACF,CAAA;AACH,CAAC"}

package/dist/password-hasher.d.ts

@@ -0,0 +1,12 @@
+export interface PasswordHasher {
+    id: string;
+    hash(password: string): Promise<string>;
+    verify(hash: string, password: string): Promise<boolean>;
+}
+export type Pbkdf2PasswordHasherOptions = {
+    iterations?: number;
+    hash?: 'SHA-256' | 'SHA-512';
+    saltLength?: number;
+    keyLength?: number;
+};
+export declare function createPbkdf2PasswordHasher(options?: Pbkdf2PasswordHasherOptions): PasswordHasher;

package/dist/password-hasher.js

@@ -0,0 +1,115 @@
+import { base64url } from 'oslo/encoding';
+function encodeBase64UrlNoPadding(bytes) {
+    return base64url.encode(bytes, { includePadding: false });
+}
+function decodeBase64UrlNoPadding(value) {
+    return base64url.decode(value, { strict: false });
+}
+function timingSafeEqual(a, b) {
+    if (a.length !== b.length) {
+        return false;
+    }
+    let diff = 0;
+    for (let i = 0; i < a.length; i++) {
+        diff |= a[i] ^ b[i];
+    }
+    return diff === 0;
+}
+async function pbkdf2DeriveKeyBytes(params) {
+    const encoder = new TextEncoder();
+    const keyMaterial = await crypto.subtle.importKey('raw', encoder.encode(params.password), 'PBKDF2', false, [
+        'deriveBits',
+    ]);
+    // WebCrypto types can be picky about the exact ArrayBuffer type; Uint8Array is valid at runtime.
+    const saltBufferSource = params.salt;
+    const bits = await crypto.subtle.deriveBits({
+        name: 'PBKDF2',
+        salt: saltBufferSource,
+        iterations: params.iterations,
+        hash: params.hash,
+    }, keyMaterial, params.keyLength * 8);
+    return new Uint8Array(bits);
+}
+export function createPbkdf2PasswordHasher(options = {}) {
+    const iterations = options.iterations ?? 600000;
+    const hash = options.hash ?? 'SHA-256';
+    const saltLength = options.saltLength ?? 16;
+    const keyLength = options.keyLength ?? 32;
+    const MIN_ITERATIONS = 100000;
+    const MAX_ITERATIONS = 2000000;
+    const MIN_KEY_LENGTH = 16;
+    const MAX_KEY_LENGTH = 64;
+    const MIN_SALT_LENGTH = 8;
+    const MAX_SALT_LENGTH = 64;
+    return {
+        id: 'pbkdf2',
+        async hash(password) {
+            const salt = new Uint8Array(saltLength);
+            crypto.getRandomValues(salt);
+            const derivedKey = await pbkdf2DeriveKeyBytes({ password, salt, iterations, hash, keyLength });
+            const saltB64 = encodeBase64UrlNoPadding(salt);
+            const keyB64 = encodeBase64UrlNoPadding(derivedKey);
+            const hashName = hash.toLowerCase().replace('-', '');
+            return `$pbkdf2$${hashName}$i=${iterations}$l=${keyLength}$${saltB64}$${keyB64}`;
+        },
+        async verify(storedHash, password) {
+            if (!storedHash.startsWith('$pbkdf2$')) {
+                return false;
+            }
+            const parts = storedHash.split('$');
+            if (parts.length !== 7) {
+                return false;
+            }
+            const algorithm = parts[2];
+            const iterationsPart = parts[3];
+            const keyLengthPart = parts[4];
+            const saltPart = parts[5];
+            const keyPart = parts[6];
+            if (!iterationsPart?.startsWith('i=') || !keyLengthPart?.startsWith('l=')) {
+                return false;
+            }
+            const parsedIterations = Number(iterationsPart.slice(2));
+            const parsedKeyLength = Number(keyLengthPart.slice(2));
+            if (!Number.isFinite(parsedIterations) || parsedIterations < MIN_ITERATIONS || parsedIterations > MAX_ITERATIONS) {
+                return false;
+            }
+            if (!Number.isFinite(parsedKeyLength) || parsedKeyLength < MIN_KEY_LENGTH || parsedKeyLength > MAX_KEY_LENGTH) {
+                return false;
+            }
+            let parsedHash = null;
+            if (algorithm === 'sha256') {
+                parsedHash = 'SHA-256';
+            }
+            else if (algorithm === 'sha512') {
+                parsedHash = 'SHA-512';
+            }
+            if (!parsedHash) {
+                return false;
+            }
+            let salt;
+            let expectedKey;
+            try {
+                salt = decodeBase64UrlNoPadding(saltPart);
+                expectedKey = decodeBase64UrlNoPadding(keyPart);
+            }
+            catch {
+                return false;
+            }
+            if (salt.length < MIN_SALT_LENGTH || salt.length > MAX_SALT_LENGTH) {
+                return false;
+            }
+            if (expectedKey.length !== parsedKeyLength) {
+                return false;
+            }
+            const derivedKey = await pbkdf2DeriveKeyBytes({
+                password,
+                salt,
+                iterations: parsedIterations,
+                hash: parsedHash,
+                keyLength: parsedKeyLength,
+            });
+            return timingSafeEqual(derivedKey, expectedKey);
+        },
+    };
+}
+//# sourceMappingURL=password-hasher.js.map

package/dist/password-hasher.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"password-hasher.js","sourceRoot":"","sources":["../src/password-hasher.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,SAAS,EAAE,MAAM,eAAe,CAAA;AAezC,SAAS,wBAAwB,CAAC,KAAiB;IACjD,OAAO,SAAS,CAAC,MAAM,CAAC,KAAK,EAAE,EAAE,cAAc,EAAE,KAAK,EAAE,CAAC,CAAA;AAC3D,CAAC;AAED,SAAS,wBAAwB,CAAC,KAAa;IAC7C,OAAO,SAAS,CAAC,MAAM,CAAC,KAAK,EAAE,EAAE,MAAM,EAAE,KAAK,EAAE,CAAC,CAAA;AACnD,CAAC;AAED,SAAS,eAAe,CAAC,CAAa,EAAE,CAAa;IACnD,IAAI,CAAC,CAAC,MAAM,KAAK,CAAC,CAAC,MAAM,EAAE,CAAC;QAC1B,OAAO,KAAK,CAAA;IACd,CAAC;IACD,IAAI,IAAI,GAAG,CAAC,CAAA;IACZ,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,CAAC,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;QAClC,IAAI,IAAI,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAA;IACrB,CAAC;IACD,OAAO,IAAI,KAAK,CAAC,CAAA;AACnB,CAAC;AAED,KAAK,UAAU,oBAAoB,CAAC,MAMnC;IACC,MAAM,OAAO,GAAG,IAAI,WAAW,EAAE,CAAA;IACjC,MAAM,WAAW,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,SAAS,CAAC,KAAK,EAAE,OAAO,CAAC,MAAM,CAAC,MAAM,CAAC,QAAQ,CAAC,EAAE,QAAQ,EAAE,KAAK,EAAE;QACzG,YAAY;KACb,CAAC,CAAA;IAEF,iGAAiG;IACjG,MAAM,gBAAgB,GAAG,MAAM,CAAC,IAA+B,CAAA;IAC/D,MAAM,IAAI,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,UAAU,CACzC;QACE,IAAI,EAAE,QAAQ;QACd,IAAI,EAAE,gBAAgB;QACtB,UAAU,EAAE,MAAM,CAAC,UAAU;QAC7B,IAAI,EAAE,MAAM,CAAC,IAAI;KAClB,EACD,WAAW,EACX,MAAM,CAAC,SAAS,GAAG,CAAC,CACrB,CAAA;IACD,OAAO,IAAI,UAAU,CAAC,IAAI,CAAC,CAAA;AAC7B,CAAC;AAED,MAAM,UAAU,0BAA0B,CAAC,UAAuC,EAAE;IAClF,MAAM,UAAU,GAAG,OAAO,CAAC,UAAU,IAAI,MAAO,CAAA;IAChD,MAAM,IAAI,GAAG,OAAO,CAAC,IAAI,IAAI,SAAS,CAAA;IACtC,MAAM,UAAU,GAAG,OAAO,CAAC,UAAU,IAAI,EAAE,CAAA;IAC3C,MAAM,SAAS,GAAG,OAAO,CAAC,SAAS,IAAI,EAAE,CAAA;IAEzC,MAAM,cAAc,GAAG,MAAO,CAAA;IAC9B,MAAM,cAAc,GAAG,OAAS,CAAA;IAChC,MAAM,cAAc,GAAG,EAAE,CAAA;IACzB,MAAM,cAAc,GAAG,EAAE,CAAA;IACzB,MAAM,eAAe,GAAG,CAAC,CAAA;IACzB,MAAM,eAAe,GAAG,EAAE,CAAA;IAE1B,OAAO;QACL,EAAE,EAAE,QAAQ;QACZ,KAAK,CAAC,IAAI,CAAC,QAAgB;YACzB,MAAM,IAAI,GAAG,IAAI,UAAU,CAAC,UAAU,CAAC,CAAA;YACvC,MAAM,CAAC,eAAe,CAAC,IAAI,CAAC,CAAA;YAC5B,MAAM,UAAU,GAAG,MAAM,oBAAoB,CAAC,EAAE,QAAQ,EAAE,IAAI,EAAE,UAAU,EAAE,IAAI,EAAE,SAAS,EAAE,CAAC,CAAA;YAE9F,MAAM,OAAO,GAAG,wBAAwB,CAAC,IAAI,CAAC,CAAA;YAC9C,MAAM,MAAM,GAAG,wBAAwB,CAAC,UAAU,CAAC,CAAA;YACnD,MAAM,QAAQ,GAAG,IAAI,CAAC,WAAW,EAAE,CAAC,OAAO,CAAC,GAAG,EAAE,EAAE,CAAC,CAAA;YAEpD,OAAO,WAAW,QAAQ,MAAM,UAAU,MAAM,SAAS,IAAI,OAAO,IAAI,MAAM,EAAE,CAAA;QAClF,CAAC;QACD,KAAK,CAAC,MAAM,CAAC,UAAkB,EAAE,QAAgB;YAC/C,IAAI,CAAC,UAAU,CAAC,UAAU,CAAC,UAAU,CAAC,EAAE,CAAC;gBACvC,OAAO,KAAK,CAAA;YACd,CAAC;YAED,MAAM,KAAK,GAAG,UAAU,CAAC,KAAK,CAAC,GAAG,CAAC,CAAA;YACnC,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;gBACvB,OAAO,KAAK,CAAA;YACd,CAAC;YAED,MAAM,SAAS,GAAG,KAAK,CAAC,CAAC,CAAC,CAAA;YAC1B,MAAM,cAAc,GAAG,KAAK,CAAC,CAAC,CAAC,CAAA;YAC/B,MAAM,aAAa,GAAG,KAAK,CAAC,CAAC,CAAC,CAAA;YAC9B,MAAM,QAAQ,GAAG,KAAK,CAAC,CAAC,CAAC,CAAA;YACzB,MAAM,OAAO,GAAG,KAAK,CAAC,CAAC,CAAC,CAAA;YAExB,IAAI,CAAC,cAAc,EAAE,UAAU,CAAC,IAAI,CAAC,IAAI,CAAC,aAAa,EAAE,UAAU,CAAC,IAAI,CAAC,EAAE,CAAC;gBAC1E,OAAO,KAAK,CAAA;YACd,CAAC;YAED,MAAM,gBAAgB,GAAG,MAAM,CAAC,cAAc,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAA;YACxD,MAAM,eAAe,GAAG,MAAM,CAAC,aAAa,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAA;YACtD,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,gBAAgB,CAAC,IAAI,gBAAgB,GAAG,cAAc,IAAI,gBAAgB,GAAG,cAAc,EAAE,CAAC;gBACjH,OAAO,KAAK,CAAA;YACd,CAAC;YACD,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,eAAe,CAAC,IAAI,eAAe,GAAG,cAAc,IAAI,eAAe,GAAG,cAAc,EAAE,CAAC;gBAC9G,OAAO,KAAK,CAAA;YACd,CAAC;YAED,IAAI,UAAU,GAAiC,IAAI,CAAA;YACnD,IAAI,SAAS,KAAK,QAAQ,EAAE,CAAC;gBAC3B,UAAU,GAAG,SAAS,CAAA;YACxB,CAAC;iBAAM,IAAI,SAAS,KAAK,QAAQ,EAAE,CAAC;gBAClC,UAAU,GAAG,SAAS,CAAA;YACxB,CAAC;YACD,IAAI,CAAC,UAAU,EAAE,CAAC;gBAChB,OAAO,KAAK,CAAA;YACd,CAAC;YAED,IAAI,IAAgB,CAAA;YACpB,IAAI,WAAuB,CAAA;YAC3B,IAAI,CAAC;gBACH,IAAI,GAAG,wBAAwB,CAAC,QAAQ,CAAC,CAAA;gBACzC,WAAW,GAAG,wBAAwB,CAAC,OAAO,CAAC,CAAA;YACjD,CAAC;YAAC,MAAM,CAAC;gBACP,OAAO,KAAK,CAAA;YACd,CAAC;YAED,IAAI,IAAI,CAAC,MAAM,GAAG,eAAe,IAAI,IAAI,CAAC,MAAM,GAAG,eAAe,EAAE,CAAC;gBACnE,OAAO,KAAK,CAAA;YACd,CAAC;YACD,IAAI,WAAW,CAAC,MAAM,KAAK,eAAe,EAAE,CAAC;gBAC3C,OAAO,KAAK,CAAA;YACd,CAAC;YAED,MAAM,UAAU,GAAG,MAAM,oBAAoB,CAAC;gBAC5C,QAAQ;gBACR,IAAI;gBACJ,UAAU,EAAE,gBAAgB;gBAC5B,IAAI,EAAE,UAAU;gBAChB,SAAS,EAAE,eAAe;aAC3B,CAAC,CAAA;YAEF,OAAO,eAAe,CAAC,UAAU,EAAE,WAAW,CAAC,CAAA;QACjD,CAAC;KACF,CAAA;AACH,CAAC"}

package/dist/react.d.ts

@@ -0,0 +1,152 @@
+/**
+ * React hooks and utilities for ClearAuth
+ *
+ * This module provides React hooks for authentication with ClearAuth.
+ * Works with any React framework (Next.js, Vite, Create React App, etc.).
+ *
+ * @module react
+ */
+import type { User } from './database/schema.js';
+/**
+ * Authentication state returned by useAuth hook
+ */
+export interface AuthState {
+    /** Current authenticated user, null if not authenticated */
+    user: User | null;
+    /** True while checking session status */
+    loading: boolean;
+    /** Error message if authentication failed */
+    error: string | null;
+}
+/**
+ * Authentication actions provided by useAuth hook
+ */
+export interface AuthActions {
+    /** Sign in with email and password */
+    signIn: (email: string, password: string) => Promise<void>;
+    /** Sign up with email and password */
+    signUp: (email: string, password: string, name?: string) => Promise<void>;
+    /** Sign out the current user */
+    signOut: () => Promise<void>;
+    /** Initiate GitHub OAuth flow */
+    loginWithGitHub: () => void;
+    /** Initiate Google OAuth flow */
+    loginWithGoogle: () => void;
+    /** Request password reset for email */
+    requestPasswordReset: (email: string) => Promise<void>;
+    /** Reset password with token */
+    resetPassword: (token: string, newPassword: string) => Promise<void>;
+    /** Verify email with token */
+    verifyEmail: (token: string) => Promise<void>;
+    /** Resend email verification */
+    resendVerification: (email: string) => Promise<void>;
+    /** Refresh session to get latest user data */
+    refresh: () => Promise<void>;
+}
+/**
+ * Combined auth state and actions
+ */
+export type AuthContextValue = AuthState & AuthActions;
+/**
+ * Configuration for the auth provider
+ */
+export interface AuthProviderConfig {
+    /** Base URL for auth API (e.g., "https://api.example.com" or "/api/auth") */
+    baseUrl?: string;
+    /** Custom fetch function (useful for testing or adding auth headers) */
+    fetchFn?: typeof fetch;
+}
+/**
+ * Authentication provider component
+ *
+ * Wrap your app with this provider to enable authentication hooks.
+ *
+ * @param props - Provider props
+ * @param props.children - Child components
+ * @param props.baseUrl - Base URL for auth API (defaults to "/api/auth")
+ * @param props.fetchFn - Custom fetch function (defaults to global fetch)
+ *
+ * @example
+ * ```tsx
+ * import { AuthProvider } from 'clearauth/react'
+ *
+ * function App() {
+ *   return (
+ *     <AuthProvider baseUrl="/api/auth">
+ *       <YourApp />
+ *     </AuthProvider>
+ *   )
+ * }
+ * ```
+ *
+ * @example With custom base URL
+ * ```tsx
+ * <AuthProvider baseUrl="https://api.example.com/auth">
+ *   <YourApp />
+ * </AuthProvider>
+ * ```
+ */
+export declare function AuthProvider({ children, baseUrl, fetchFn, }: {
+    children: React.ReactNode;
+} & AuthProviderConfig): import("react/jsx-runtime").JSX.Element;
+/**
+ * Hook to access authentication state and actions
+ *
+ * Must be used within an AuthProvider.
+ *
+ * @returns Auth state and actions
+ * @throws Error if used outside AuthProvider
+ *
+ * @example
+ * ```tsx
+ * function LoginForm() {
+ *   const { signIn, loading, error } = useAuth()
+ *
+ *   const handleSubmit = async (e) => {
+ *     e.preventDefault()
+ *     await signIn(email, password)
+ *   }
+ *
+ *   return <form onSubmit={handleSubmit}>...</form>
+ * }
+ * ```
+ */
+export declare function useAuth(): AuthContextValue;
+/**
+ * Hook to access current user
+ *
+ * Convenience hook that only returns the user object.
+ *
+ * @returns Current user or null
+ *
+ * @example
+ * ```tsx
+ * function UserProfile() {
+ *   const user = useUser()
+ *
+ *   if (!user) return <div>Not logged in</div>
+ *
+ *   return <div>Welcome, {user.name}!</div>
+ * }
+ * ```
+ */
+export declare function useUser(): User | null;
+/**
+ * Hook to check if user is authenticated
+ *
+ * @returns True if user is authenticated
+ *
+ * @example
+ * ```tsx
+ * function ProtectedContent() {
+ *   const isAuthenticated = useIsAuthenticated()
+ *
+ *   if (!isAuthenticated) {
+ *     return <LoginPrompt />
+ *   }
+ *
+ *   return <SecretContent />
+ * }
+ * ```
+ */
+export declare function useIsAuthenticated(): boolean;