frameio 3.2.2 → 4.1.1

package/dist/cjs/oauth/SPAAuth.js

@@ -0,0 +1,96 @@
+"use strict";
+/**
+ * Single Page App authentication (authorization_code + PKCE).
+ *
+ * Use for browser-based apps that cannot store a client secret.
+ */
+var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) {
+    function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
+    return new (P || (P = Promise))(function (resolve, reject) {
+        function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
+        function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
+        function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
+        step((generator = generator.apply(thisArg, _arguments || [])).next());
+    });
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.SPAAuth = void 0;
+const BaseAuth_1 = require("./BaseAuth");
+const errors_1 = require("./errors");
+const http_1 = require("./http");
+const pkce_1 = require("./pkce");
+const validation_1 = require("./validation");
+class SPAAuth extends BaseAuth_1.BaseAuth {
+    constructor(options) {
+        var _a;
+        if (!options.redirectUri) {
+            throw new errors_1.ConfigurationError("redirectUri is required");
+        }
+        (0, validation_1.validateRedirectUriScheme)(options.redirectUri);
+        super(options);
+        this._redirectUri = options.redirectUri;
+        this._scopes = (_a = options.scopes) !== null && _a !== void 0 ? _a : http_1.DEFAULT_SCOPES;
+    }
+    /**
+     * Build the Adobe IMS authorization URL with PKCE challenge.
+     *
+     * @returns Object with `url` and `codeVerifier` (store the verifier for exchange).
+     */
+    getAuthorizationUrl(options) {
+        return __awaiter(this, void 0, void 0, function* () {
+            const codeVerifier = (0, pkce_1.generateCodeVerifier)();
+            const codeChallenge = yield (0, pkce_1.generateCodeChallenge)(codeVerifier);
+            const params = new URLSearchParams({
+                client_id: this._clientId,
+                redirect_uri: this._redirectUri,
+                scope: this._scopes,
+                response_type: "code",
+                state: options.state,
+                code_challenge: codeChallenge,
+                code_challenge_method: "S256",
+            });
+            return {
+                url: `${this._authorizeUrl}?${params.toString()}`,
+                codeVerifier,
+            };
+        });
+    }
+    /**
+     * Exchange an authorization code + PKCE verifier for tokens.
+     */
+    exchangeCode(options) {
+        return __awaiter(this, void 0, void 0, function* () {
+            const result = yield this._tokenRequest({
+                grant_type: "authorization_code",
+                client_id: this._clientId,
+                code: options.code,
+                redirect_uri: this._redirectUri,
+                code_verifier: options.codeVerifier,
+            });
+            this._storeTokens(result);
+            return result;
+        });
+    }
+    /** Manually trigger a token refresh. */
+    refresh() {
+        return __awaiter(this, void 0, void 0, function* () {
+            const result = yield this._refresh();
+            this._storeTokens(result);
+            return result;
+        });
+    }
+    _refresh() {
+        return __awaiter(this, void 0, void 0, function* () {
+            const refreshTok = this._tokenManager.refreshTokenValue;
+            if (!refreshTok) {
+                throw new errors_1.ConfigurationError("No refresh token available. Call exchangeCode() first.");
+            }
+            return this._tokenRequest({
+                grant_type: "refresh_token",
+                client_id: this._clientId,
+                refresh_token: refreshTok,
+            });
+        });
+    }
+}
+exports.SPAAuth = SPAAuth;

package/dist/cjs/oauth/ServerToServerAuth.d.ts

@@ -0,0 +1,17 @@
+/**
+ * Server-to-Server authentication (client_credentials grant).
+ *
+ * Use for backend services and scripts with no user interaction.
+ */
+import { BaseAuth, type BaseAuthOptions } from "./BaseAuth";
+import type { TokenResponse } from "./TokenManager";
+export interface ServerToServerAuthOptions extends BaseAuthOptions {
+    clientSecret: string;
+}
+export declare class ServerToServerAuth extends BaseAuth {
+    private readonly _scopes;
+    constructor(options: ServerToServerAuthOptions);
+    /** Explicitly fetch a new access token. */
+    authenticate(): Promise<TokenResponse>;
+    protected _refresh(): Promise<TokenResponse>;
+}

package/dist/cjs/oauth/ServerToServerAuth.js

@@ -0,0 +1,49 @@
+"use strict";
+/**
+ * Server-to-Server authentication (client_credentials grant).
+ *
+ * Use for backend services and scripts with no user interaction.
+ */
+var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) {
+    function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
+    return new (P || (P = Promise))(function (resolve, reject) {
+        function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
+        function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
+        function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
+        step((generator = generator.apply(thisArg, _arguments || [])).next());
+    });
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.ServerToServerAuth = void 0;
+const BaseAuth_1 = require("./BaseAuth");
+const errors_1 = require("./errors");
+const http_1 = require("./http");
+class ServerToServerAuth extends BaseAuth_1.BaseAuth {
+    constructor(options) {
+        var _a;
+        if (!options.clientSecret) {
+            throw new errors_1.ConfigurationError("clientSecret is required");
+        }
+        super(options, options.clientSecret);
+        this._scopes = (_a = options.scopes) !== null && _a !== void 0 ? _a : http_1.S2S_SCOPES;
+    }
+    /** Explicitly fetch a new access token. */
+    authenticate() {
+        return __awaiter(this, void 0, void 0, function* () {
+            const result = yield this._refresh();
+            this._storeTokens(result);
+            return result;
+        });
+    }
+    _refresh() {
+        return __awaiter(this, void 0, void 0, function* () {
+            return this._tokenRequest({
+                grant_type: "client_credentials",
+                client_id: this._clientId,
+                client_secret: this._clientSecret,
+                scope: this._scopes,
+            });
+        });
+    }
+}
+exports.ServerToServerAuth = ServerToServerAuth;

package/dist/cjs/oauth/TokenManager.d.ts

@@ -0,0 +1,83 @@
+/**
+ * Token lifecycle manager — the core of frameio-auth-sdk.
+ *
+ * Stores access/refresh tokens, checks expiry with a configurable buffer,
+ * and coordinates async-safe automatic refresh.
+ */
+import type { Logger } from "./logger";
+/** Shape returned by refresh functions and token endpoints. */
+export interface TokenResponse {
+    access_token: string;
+    expires_in: number;
+    refresh_token?: string;
+    token_type?: string;
+    scope?: string;
+}
+/** Serialised token state for persistence. */
+export interface ExportedTokens {
+    access_token: string | null;
+    refresh_token: string | null;
+    expires_at: number;
+}
+/** A function that performs the actual token refresh / fetch. */
+export type RefreshFunction = () => Promise<TokenResponse>;
+/** Optional callback fired after every successful token refresh. */
+export type OnTokenRefreshed = (tokens: ExportedTokens) => void;
+export interface TokenManagerOptions {
+    refreshFunc: RefreshFunction;
+    /** Seconds before actual expiry to trigger proactive refresh. Default: 60. */
+    refreshBuffer?: number;
+    /** Called after every successful refresh. */
+    onTokenRefreshed?: OnTokenRefreshed;
+    /** Logger instance for diagnostic output. */
+    logger?: Logger;
+}
+/**
+ * Manages token storage, expiry detection, and auto-refresh.
+ *
+ * Pass `manager.getToken` (bound) to the Frame.io SDK:
+ * ```ts
+ * const client = new FrameioClient({ token: () => auth.getToken() });
+ * ```
+ */
+export declare class TokenManager {
+    private _refreshFunc;
+    private _refreshBuffer;
+    private _onTokenRefreshed?;
+    private _logger;
+    private _accessToken;
+    private _refreshToken;
+    private _expiresAt;
+    /** In-flight refresh promise for deduplication. */
+    private _refreshPromise;
+    /** Set by clear() to prevent an in-flight refresh from restoring tokens. */
+    private _revoked;
+    constructor(options: TokenManagerOptions);
+    /**
+     * Return a valid access token, refreshing if necessary.
+     *
+     * Safe to call concurrently — only one refresh request will fire.
+     */
+    getToken(): Promise<string>;
+    get accessToken(): string | null;
+    get refreshTokenValue(): string | null;
+    get expiresAt(): number;
+    get isExpired(): boolean;
+    /**
+     * Manually set token data (e.g. after initial code exchange).
+     */
+    setTokens(accessToken: string, expiresIn: number, refreshToken?: string): void;
+    /** Export current token state for persistence. */
+    exportTokens(): ExportedTokens;
+    /** Restore token state from a previously exported object. */
+    importTokens(data: ExportedTokens): void;
+    /** Clear all stored tokens and cancel any in-flight refresh. */
+    clear(): void;
+    private _isTokenValid;
+    /**
+     * Async-safe refresh: if a refresh is already in flight, await the
+     * existing promise instead of firing a second request.
+     */
+    private _doRefresh;
+    private _executeRefresh;
+}

package/dist/cjs/oauth/TokenManager.js

@@ -0,0 +1,174 @@
+"use strict";
+/**
+ * Token lifecycle manager — the core of frameio-auth-sdk.
+ *
+ * Stores access/refresh tokens, checks expiry with a configurable buffer,
+ * and coordinates async-safe automatic refresh.
+ */
+var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) {
+    function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
+    return new (P || (P = Promise))(function (resolve, reject) {
+        function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
+        function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
+        function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
+        step((generator = generator.apply(thisArg, _arguments || [])).next());
+    });
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.TokenManager = void 0;
+const errors_1 = require("./errors");
+const logger_1 = require("./logger");
+const validation_1 = require("./validation");
+/**
+ * Manages token storage, expiry detection, and auto-refresh.
+ *
+ * Pass `manager.getToken` (bound) to the Frame.io SDK:
+ * ```ts
+ * const client = new FrameioClient({ token: () => auth.getToken() });
+ * ```
+ */
+class TokenManager {
+    constructor(options) {
+        var _a, _b;
+        this._accessToken = null;
+        this._refreshToken = null;
+        this._expiresAt = 0;
+        /** In-flight refresh promise for deduplication. */
+        this._refreshPromise = null;
+        /** Set by clear() to prevent an in-flight refresh from restoring tokens. */
+        this._revoked = false;
+        this._refreshFunc = options.refreshFunc;
+        this._refreshBuffer = (_a = options.refreshBuffer) !== null && _a !== void 0 ? _a : 60;
+        this._onTokenRefreshed = options.onTokenRefreshed;
+        this._logger = (_b = options.logger) !== null && _b !== void 0 ? _b : logger_1.noopLogger;
+    }
+    // ------------------------------------------------------------------
+    // Public API
+    // ------------------------------------------------------------------
+    /**
+     * Return a valid access token, refreshing if necessary.
+     *
+     * Safe to call concurrently — only one refresh request will fire.
+     */
+    getToken() {
+        return __awaiter(this, void 0, void 0, function* () {
+            if (this._isTokenValid()) {
+                return this._accessToken;
+            }
+            return this._doRefresh();
+        });
+    }
+    get accessToken() {
+        return this._accessToken;
+    }
+    get refreshTokenValue() {
+        return this._refreshToken;
+    }
+    get expiresAt() {
+        return this._expiresAt;
+    }
+    get isExpired() {
+        return !this._isTokenValid();
+    }
+    /**
+     * Manually set token data (e.g. after initial code exchange).
+     */
+    setTokens(accessToken, expiresIn, refreshToken) {
+        this._revoked = false;
+        this._accessToken = accessToken;
+        this._expiresAt = Date.now() / 1000 + expiresIn;
+        if (refreshToken !== undefined) {
+            this._refreshToken = refreshToken;
+        }
+    }
+    /** Export current token state for persistence. */
+    exportTokens() {
+        return {
+            access_token: this._accessToken,
+            refresh_token: this._refreshToken,
+            expires_at: this._expiresAt,
+        };
+    }
+    /** Restore token state from a previously exported object. */
+    importTokens(data) {
+        var _a;
+        (0, validation_1.validateTokenImport)(data);
+        this._revoked = false;
+        this._accessToken = data.access_token;
+        this._refreshToken = data.refresh_token;
+        this._expiresAt = (_a = data.expires_at) !== null && _a !== void 0 ? _a : 0;
+    }
+    /** Clear all stored tokens and cancel any in-flight refresh. */
+    clear() {
+        this._accessToken = null;
+        this._refreshToken = null;
+        this._expiresAt = 0;
+        this._refreshPromise = null;
+        this._revoked = true;
+    }
+    // ------------------------------------------------------------------
+    // Internals
+    // ------------------------------------------------------------------
+    _isTokenValid() {
+        return this._accessToken !== null && Date.now() / 1000 < this._expiresAt - this._refreshBuffer;
+    }
+    /**
+     * Async-safe refresh: if a refresh is already in flight, await the
+     * existing promise instead of firing a second request.
+     */
+    _doRefresh() {
+        return __awaiter(this, void 0, void 0, function* () {
+            if (this._refreshPromise) {
+                return this._refreshPromise;
+            }
+            this._refreshPromise = this._executeRefresh();
+            try {
+                return yield this._refreshPromise;
+            }
+            finally {
+                this._refreshPromise = null;
+            }
+        });
+    }
+    _executeRefresh() {
+        return __awaiter(this, void 0, void 0, function* () {
+            var _a;
+            let result;
+            this._logger.debug("Token refresh triggered.");
+            try {
+                result = yield this._refreshFunc();
+            }
+            catch (err) {
+                if (err instanceof errors_1.AuthenticationError ||
+                    err instanceof errors_1.TokenExpiredError ||
+                    err instanceof errors_1.NetworkError ||
+                    err instanceof errors_1.RateLimitError) {
+                    throw err;
+                }
+                throw new errors_1.AuthenticationError("refresh_failed", (0, errors_1.sanitizeMessage)(`Token refresh failed: ${err instanceof Error ? err.message : String(err)}`));
+            }
+            // If clear() was called while the refresh was in flight (e.g. via
+            // revoke()), do not overwrite the cleared state with new tokens.
+            if (this._revoked) {
+                throw new errors_1.AuthenticationError("revoked", "Tokens were revoked during refresh.");
+            }
+            const token = result.access_token;
+            this._accessToken = token;
+            this._expiresAt = Date.now() / 1000 + ((_a = result.expires_in) !== null && _a !== void 0 ? _a : 86400);
+            if (result.refresh_token) {
+                this._refreshToken = result.refresh_token;
+            }
+            this._logger.info(`Token refreshed (length=${token.length}).`);
+            if (this._onTokenRefreshed) {
+                try {
+                    this._onTokenRefreshed(this.exportTokens());
+                }
+                catch (err) {
+                    this._logger.warn(`onTokenRefreshed callback raised: ${err}`);
+                }
+            }
+            return token;
+        });
+    }
+}
+exports.TokenManager = TokenManager;

package/dist/cjs/oauth/WebAppAuth.d.ts

@@ -0,0 +1,29 @@
+/**
+ * Web App authentication (authorization_code grant).
+ *
+ * Use for server-side applications that can securely store a client secret.
+ */
+import { BaseAuth, type BaseAuthOptions } from "./BaseAuth";
+import type { TokenResponse } from "./TokenManager";
+export interface WebAppAuthOptions extends BaseAuthOptions {
+    clientSecret: string;
+    redirectUri: string;
+}
+export declare class WebAppAuth extends BaseAuth {
+    private readonly _redirectUri;
+    private readonly _scopes;
+    constructor(options: WebAppAuthOptions);
+    /**
+     * Build the Adobe IMS authorization URL.
+     *
+     * @param options.state - An opaque CSRF/state value.
+     */
+    getAuthorizationUrl(options: {
+        state: string;
+    }): string;
+    /** Exchange an authorization code for access and refresh tokens. */
+    exchangeCode(code: string): Promise<TokenResponse>;
+    /** Manually trigger a token refresh. */
+    refresh(): Promise<TokenResponse>;
+    protected _refresh(): Promise<TokenResponse>;
+}

package/dist/cjs/oauth/WebAppAuth.js

@@ -0,0 +1,88 @@
+"use strict";
+/**
+ * Web App authentication (authorization_code grant).
+ *
+ * Use for server-side applications that can securely store a client secret.
+ */
+var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) {
+    function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
+    return new (P || (P = Promise))(function (resolve, reject) {
+        function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
+        function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
+        function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
+        step((generator = generator.apply(thisArg, _arguments || [])).next());
+    });
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.WebAppAuth = void 0;
+const BaseAuth_1 = require("./BaseAuth");
+const errors_1 = require("./errors");
+const http_1 = require("./http");
+const validation_1 = require("./validation");
+class WebAppAuth extends BaseAuth_1.BaseAuth {
+    constructor(options) {
+        var _a;
+        if (!options.clientSecret) {
+            throw new errors_1.ConfigurationError("clientSecret is required");
+        }
+        if (!options.redirectUri) {
+            throw new errors_1.ConfigurationError("redirectUri is required");
+        }
+        (0, validation_1.validateRedirectUriScheme)(options.redirectUri);
+        super(options, options.clientSecret);
+        this._redirectUri = options.redirectUri;
+        this._scopes = (_a = options.scopes) !== null && _a !== void 0 ? _a : http_1.DEFAULT_SCOPES;
+    }
+    /**
+     * Build the Adobe IMS authorization URL.
+     *
+     * @param options.state - An opaque CSRF/state value.
+     */
+    getAuthorizationUrl(options) {
+        const params = new URLSearchParams({
+            client_id: this._clientId,
+            redirect_uri: this._redirectUri,
+            scope: this._scopes,
+            response_type: "code",
+            state: options.state,
+        });
+        return `${this._authorizeUrl}?${params.toString()}`;
+    }
+    /** Exchange an authorization code for access and refresh tokens. */
+    exchangeCode(code) {
+        return __awaiter(this, void 0, void 0, function* () {
+            const result = yield this._tokenRequest({
+                grant_type: "authorization_code",
+                client_id: this._clientId,
+                client_secret: this._clientSecret,
+                code,
+                redirect_uri: this._redirectUri,
+            });
+            this._storeTokens(result);
+            return result;
+        });
+    }
+    /** Manually trigger a token refresh. */
+    refresh() {
+        return __awaiter(this, void 0, void 0, function* () {
+            const result = yield this._refresh();
+            this._storeTokens(result);
+            return result;
+        });
+    }
+    _refresh() {
+        return __awaiter(this, void 0, void 0, function* () {
+            const refreshTok = this._tokenManager.refreshTokenValue;
+            if (!refreshTok) {
+                throw new errors_1.ConfigurationError("No refresh token available. Call exchangeCode() first.");
+            }
+            return this._tokenRequest({
+                grant_type: "refresh_token",
+                client_id: this._clientId,
+                client_secret: this._clientSecret,
+                refresh_token: refreshTok,
+            });
+        });
+    }
+}
+exports.WebAppAuth = WebAppAuth;

package/dist/cjs/oauth/errors.d.ts

@@ -0,0 +1,41 @@
+/**
+ * Custom error types for frameio-auth-sdk.
+ */
+/**
+ * Strip JWT-like tokens from error messages to prevent token leakage.
+ *
+ * Redacts strings matching the JWT prefix pattern (eyJ followed by 10+
+ * base64url characters). This covers Adobe IMS access and refresh tokens.
+ */
+export declare function sanitizeMessage(msg: string): string;
+/** Base error for all frameio-auth-sdk errors. */
+export declare class FrameioAuthError extends Error {
+    constructor(message: string);
+}
+/** Raised when token exchange or refresh fails. */
+export declare class AuthenticationError extends FrameioAuthError {
+    readonly errorCode: string;
+    readonly errorDescription?: string;
+    constructor(errorCode: string, errorDescription?: string);
+}
+/** Raised when the refresh token is expired and re-authentication is required. */
+export declare class TokenExpiredError extends FrameioAuthError {
+    constructor(message?: string);
+}
+/** Raised when a network request fails (timeout, connection error, etc.). */
+export declare class NetworkError extends FrameioAuthError {
+    constructor(message?: string);
+}
+/** Raised when the API returns 429 Too Many Requests and retries are exhausted. */
+export declare class RateLimitError extends FrameioAuthError {
+    readonly retryAfter: number | undefined;
+    constructor(retryAfter?: number);
+}
+/** Raised when PKCE verification fails. */
+export declare class PKCEError extends FrameioAuthError {
+    constructor(message?: string);
+}
+/** Raised when required configuration is missing or invalid. */
+export declare class ConfigurationError extends FrameioAuthError {
+    constructor(message: string);
+}

package/dist/cjs/oauth/errors.js

@@ -0,0 +1,83 @@
+"use strict";
+/**
+ * Custom error types for frameio-auth-sdk.
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.ConfigurationError = exports.PKCEError = exports.RateLimitError = exports.NetworkError = exports.TokenExpiredError = exports.AuthenticationError = exports.FrameioAuthError = void 0;
+exports.sanitizeMessage = sanitizeMessage;
+/** Pattern to detect JWT-like tokens (eyJ...) in error messages. */
+const JWT_PATTERN = /eyJ[A-Za-z0-9_-]{10,}/g;
+/**
+ * Strip JWT-like tokens from error messages to prevent token leakage.
+ *
+ * Redacts strings matching the JWT prefix pattern (eyJ followed by 10+
+ * base64url characters). This covers Adobe IMS access and refresh tokens.
+ */
+function sanitizeMessage(msg) {
+    return msg.replace(JWT_PATTERN, "[REDACTED]");
+}
+/** Base error for all frameio-auth-sdk errors. */
+class FrameioAuthError extends Error {
+    constructor(message) {
+        super(message);
+        this.name = "FrameioAuthError";
+    }
+}
+exports.FrameioAuthError = FrameioAuthError;
+/** Raised when token exchange or refresh fails. */
+class AuthenticationError extends FrameioAuthError {
+    constructor(errorCode, errorDescription) {
+        const desc = errorDescription ? sanitizeMessage(errorDescription) : undefined;
+        const msg = desc ? `${errorCode} — ${desc}` : errorCode;
+        super(msg);
+        this.name = "AuthenticationError";
+        this.errorCode = errorCode;
+        this.errorDescription = desc;
+    }
+}
+exports.AuthenticationError = AuthenticationError;
+/** Raised when the refresh token is expired and re-authentication is required. */
+class TokenExpiredError extends FrameioAuthError {
+    constructor(message = "Refresh token expired. Re-authentication required.") {
+        super(sanitizeMessage(message));
+        this.name = "TokenExpiredError";
+    }
+}
+exports.TokenExpiredError = TokenExpiredError;
+/** Raised when a network request fails (timeout, connection error, etc.). */
+class NetworkError extends FrameioAuthError {
+    constructor(message = "Network request failed.") {
+        super(message);
+        this.name = "NetworkError";
+    }
+}
+exports.NetworkError = NetworkError;
+/** Raised when the API returns 429 Too Many Requests and retries are exhausted. */
+class RateLimitError extends FrameioAuthError {
+    constructor(retryAfter) {
+        let msg = "Rate limited by Adobe IMS.";
+        if (retryAfter !== undefined) {
+            msg += ` Retry after ${Math.round(retryAfter)}s.`;
+        }
+        super(msg);
+        this.name = "RateLimitError";
+        this.retryAfter = retryAfter;
+    }
+}
+exports.RateLimitError = RateLimitError;
+/** Raised when PKCE verification fails. */
+class PKCEError extends FrameioAuthError {
+    constructor(message = "PKCE verification failed.") {
+        super(message);
+        this.name = "PKCEError";
+    }
+}
+exports.PKCEError = PKCEError;
+/** Raised when required configuration is missing or invalid. */
+class ConfigurationError extends FrameioAuthError {
+    constructor(message) {
+        super(message);
+        this.name = "ConfigurationError";
+    }
+}
+exports.ConfigurationError = ConfigurationError;