garmin-connect-client 1.2.0 → 2.0.0

package/README.md

@@ -11,17 +11,18 @@ npm install garmin-connect-client
 ## Usage
 
 ```typescript
-import { createAuthContext, create } from 'garmin-connect-client';
+import { login } from 'garmin-connect-client';
 
-// Step 1: Create an authentication context
-const authContext = await createAuthContext({
+// Step 1: Log in with credentials
+const result = await login({
   username: 'your-username',
   password: 'your-password',
 });
 
-// Step 2: Create authenticated client (provide MFA code if required)
-const mfaCode = authContext.mfaRequired ? await getUserMfaCode() : undefined;
-const client = await create(authContext, mfaCode);
+// Step 2: If MFA is required, resume the login with the user's code
+const client = result.mfaRequired
+  ? await login(result, await getUserMfaCode())
+  : result.client;
 
 // Use the client
 const activities = await client.getActivities();
@@ -32,20 +33,21 @@ const activities = await client.getActivities();
 Authenticate once, then persist and restore the session to avoid repeated logins (and MFA prompts):
 
 ```typescript
-import { create, createAuthContext, createFromSession } from 'garmin-connect-client';
+import { login, fromSession } from 'garmin-connect-client';
 import fs from 'fs/promises';
 
 // 1. Authenticate and save session
-const authContext = await createAuthContext({ username, password });
-const mfaCode = authContext.mfaRequired ? await getUserMfaCode() : undefined;
-const client = await create(authContext, mfaCode);
+const result = await login({ username, password });
+const client = result.mfaRequired
+  ? await login(result, await getUserMfaCode())
+  : result.client;
 
 const session = client.getSession();
 await fs.writeFile('session.json', JSON.stringify(session));
 
 // 2. Restore client from saved session (no network call)
 const sessionData = JSON.parse(await fs.readFile('session.json', 'utf-8'));
-const restoredClient = createFromSession(sessionData);
+const restoredClient = fromSession(sessionData);
 const activities = await restoredClient.getActivities();
 ```
 

package/dist/auth-html-parser.d.ts

@@ -0,0 +1,18 @@
+export type SsoPostResult = {
+    type: 'success';
+    ticket: string;
+} | {
+    type: 'mfa_required';
+} | {
+    type: 'locked';
+    message?: string;
+} | {
+    type: 'invalid';
+    message?: string;
+} | {
+    type: 'error';
+    message?: string;
+};
+export declare function parseCsrfToken(html: string): string;
+export declare function parseSsoPostResponse(html: string): SsoPostResult;
+//# sourceMappingURL=auth-html-parser.d.ts.map

package/dist/auth-html-parser.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"auth-html-parser.d.ts","sourceRoot":"","sources":["../src/auth-html-parser.ts"],"names":[],"mappings":"AAQA,MAAM,MAAM,aAAa,GACrB;IAAE,IAAI,EAAE,SAAS,CAAC;IAAC,MAAM,EAAE,MAAM,CAAA;CAAE,GACnC;IAAE,IAAI,EAAE,cAAc,CAAA;CAAE,GACxB;IAAE,IAAI,EAAE,QAAQ,CAAC;IAAC,OAAO,CAAC,EAAE,MAAM,CAAA;CAAE,GACpC;IAAE,IAAI,EAAE,SAAS,CAAC;IAAC,OAAO,CAAC,EAAE,MAAM,CAAA;CAAE,GACrC;IAAE,IAAI,EAAE,OAAO,CAAC;IAAC,OAAO,CAAC,EAAE,MAAM,CAAA;CAAE,CAAC;AAIxC,wBAAgB,cAAc,CAAC,IAAI,EAAE,MAAM,GAAG,MAAM,CAMnD;AAQD,wBAAgB,oBAAoB,CAAC,IAAI,EAAE,MAAM,GAAG,aAAa,CAuBhE"}

package/dist/auth-html-parser.js

@@ -0,0 +1,88 @@
+"use strict";
+// Pure-function parsers for Garmin's auth HTML responses.
+//
+// The SSO embed login flow returns HTML pages rather than JSON. These helpers
+// exist so the parsing logic is trivially unit-testable without any network or
+// libcurl machinery.
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.parseCsrfToken = parseCsrfToken;
+exports.parseSsoPostResponse = parseSsoPostResponse;
+const errors_1 = require("./errors");
+// Extracts the `_csrf` token from the signin / MFA form HTML.
+// Throws CsrfTokenError when the token is missing.
+function parseCsrfToken(html) {
+    const match = /name="_csrf"\s+value="([^"]+)"/i.exec(html);
+    if (!match) {
+        throw new errors_1.CsrfTokenError();
+    }
+    return match[1];
+}
+// Classifies the response to a credentials or MFA POST.
+//
+// The SSO embed login form encodes outcome in the <title> element:
+//   - "Success"             → extract service ticket from response URL
+//   - title contains "MFA"  → MFA challenge required
+//   - anything else         → error (locked / invalid / generic)
+function parseSsoPostResponse(html) {
+    const title = extractTitle(html);
+    if (title === 'Success') {
+        const ticket = extractTicket(html);
+        if (!ticket) {
+            return { type: 'error', message: 'Login reported success but ticket not found in response' };
+        }
+        return { type: 'success', ticket };
+    }
+    if (title && /mfa/i.test(title)) {
+        return { type: 'mfa_required' };
+    }
+    const message = extractErrorMessage(html) ?? title ?? undefined;
+    if (message && /lock/i.test(message)) {
+        return { type: 'locked', message };
+    }
+    if (message && /(invalid|incorrect|wrong|password|credentials)/i.test(message)) {
+        return { type: 'invalid', message };
+    }
+    return { type: 'error', message };
+}
+// --- helpers -----------------------------------------------------------------
+function extractTitle(html) {
+    const match = /<title>([^<]*)<\/title>/i.exec(html);
+    return match ? match[1].trim() : undefined;
+}
+// Garmin's SSO embed login form embeds the post-login redirect URL in one of two forms:
+//   var response_url = "https://...?ticket=...";
+//   window.location.replace("https://...?ticket=...");
+// We extract the ticket value from whichever is present.
+function extractTicket(html) {
+    const patterns = [/var response_url\s*=\s*"([^"]+)"/i, /window\.location\.replace\("([^"]+)"\)/i];
+    for (const pattern of patterns) {
+        const match = pattern.exec(html);
+        if (match) {
+            const url = match[1].replaceAll('\\/', '/'); // unescape \/ → / in Garmin's JS string literals
+            const ticketMatch = /[&?]ticket=([\da-z-]+)/i.exec(url);
+            if (ticketMatch)
+                return ticketMatch[1];
+        }
+    }
+    return undefined;
+}
+// Error copy is usually inside an element with class "login-error" or similar.
+// We extract the first non-empty textual error node, falling back to a generic
+// status class if the specific one is absent.
+function extractErrorMessage(html) {
+    const patterns = [
+        /<[^>]*class="[^"]*(?:login-error|error-message|alert)[^"]*"[^>]*>([^<]+)<\/[^>]+>/i,
+        /<div[^>]*id="[^"]*error[^"]*"[^>]*>([^<]+)<\/div>/i,
+    ];
+    for (const pattern of patterns) {
+        const match = pattern.exec(html);
+        if (match) {
+            const text = match[1].trim();
+            if (text.length > 0) {
+                return text;
+            }
+        }
+    }
+    return undefined;
+}
+//# sourceMappingURL=auth-html-parser.js.map

package/dist/auth-html-parser.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"auth-html-parser.js","sourceRoot":"","sources":["../src/auth-html-parser.ts"],"names":[],"mappings":";AAAA,0DAA0D;AAC1D,EAAE;AACF,8EAA8E;AAC9E,+EAA+E;AAC/E,qBAAqB;;AAarB,wCAMC;AAQD,oDAuBC;AAhDD,qCAA0C;AAS1C,8DAA8D;AAC9D,mDAAmD;AACnD,SAAgB,cAAc,CAAC,IAAY;IACzC,MAAM,KAAK,GAAG,iCAAiC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IAC3D,IAAI,CAAC,KAAK,EAAE,CAAC;QACX,MAAM,IAAI,uBAAc,EAAE,CAAC;IAC7B,CAAC;IACD,OAAO,KAAK,CAAC,CAAC,CAAC,CAAC;AAClB,CAAC;AAED,wDAAwD;AACxD,EAAE;AACF,mEAAmE;AACnE,uEAAuE;AACvE,qDAAqD;AACrD,iEAAiE;AACjE,SAAgB,oBAAoB,CAAC,IAAY;IAC/C,MAAM,KAAK,GAAG,YAAY,CAAC,IAAI,CAAC,CAAC;IAEjC,IAAI,KAAK,KAAK,SAAS,EAAE,CAAC;QACxB,MAAM,MAAM,GAAG,aAAa,CAAC,IAAI,CAAC,CAAC;QACnC,IAAI,CAAC,MAAM,EAAE,CAAC;YACZ,OAAO,EAAE,IAAI,EAAE,OAAO,EAAE,OAAO,EAAE,yDAAyD,EAAE,CAAC;QAC/F,CAAC;QACD,OAAO,EAAE,IAAI,EAAE,SAAS,EAAE,MAAM,EAAE,CAAC;IACrC,CAAC;IAED,IAAI,KAAK,IAAI,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,EAAE,CAAC;QAChC,OAAO,EAAE,IAAI,EAAE,cAAc,EAAE,CAAC;IAClC,CAAC;IAED,MAAM,OAAO,GAAG,mBAAmB,CAAC,IAAI,CAAC,IAAI,KAAK,IAAI,SAAS,CAAC;IAChE,IAAI,OAAO,IAAI,OAAO,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE,CAAC;QACrC,OAAO,EAAE,IAAI,EAAE,QAAQ,EAAE,OAAO,EAAE,CAAC;IACrC,CAAC;IACD,IAAI,OAAO,IAAI,iDAAiD,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE,CAAC;QAC/E,OAAO,EAAE,IAAI,EAAE,SAAS,EAAE,OAAO,EAAE,CAAC;IACtC,CAAC;IACD,OAAO,EAAE,IAAI,EAAE,OAAO,EAAE,OAAO,EAAE,CAAC;AACpC,CAAC;AAED,gFAAgF;AAEhF,SAAS,YAAY,CAAC,IAAY;IAChC,MAAM,KAAK,GAAG,0BAA0B,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IACpD,OAAO,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC,CAAC,CAAC,SAAS,CAAC;AAC7C,CAAC;AAED,wFAAwF;AACxF,iDAAiD;AACjD,uDAAuD;AACvD,yDAAyD;AACzD,SAAS,aAAa,CAAC,IAAY;IACjC,MAAM,QAAQ,GAAG,CAAC,mCAAmC,EAAE,yCAAyC,CAAC,CAAC;IAClG,KAAK,MAAM,OAAO,IAAI,QAAQ,EAAE,CAAC;QAC/B,MAAM,KAAK,GAAG,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACjC,IAAI,KAAK,EAAE,CAAC;YACV,MAAM,GAAG,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC,UAAU,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC,CAAC,iDAAiD;YAC9F,MAAM,WAAW,GAAG,yBAAyB,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;YACxD,IAAI,WAAW;gBAAE,OAAO,WAAW,CAAC,CAAC,CAAC,CAAC;QACzC,CAAC;IACH,CAAC;IACD,OAAO,SAAS,CAAC;AACnB,CAAC;AAED,+EAA+E;AAC/E,+EAA+E;AAC/E,8CAA8C;AAC9C,SAAS,mBAAmB,CAAC,IAAY;IACvC,MAAM,QAAQ,GAAG;QACf,oFAAoF;QACpF,oDAAoD;KACrD,CAAC;IACF,KAAK,MAAM,OAAO,IAAI,QAAQ,EAAE,CAAC;QAC/B,MAAM,KAAK,GAAG,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACjC,IAAI,KAAK,EAAE,CAAC;YACV,MAAM,IAAI,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;YAC7B,IAAI,IAAI,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;gBACpB,OAAO,IAAI,CAAC;YACd,CAAC;QACH,CAAC;IACH,CAAC;IACD,OAAO,SAAS,CAAC;AACnB,CAAC"}

package/dist/authentication-service.d.ts

@@ -1,32 +1,17 @@
-import { MfaMethod } from './auth-context';
 import { HttpClient } from './http-client';
 import { GarminUrls } from './urls';
-export type AuthenticationParameters = {
-    type: 'ticket';
-    ticket: string;
-} | {
-    type: 'mfa';
-    mfaCode: string;
-    mfaMethod: MfaMethod;
-};
-export declare class AuthenticationSuccess {
-    readonly ticket: string;
+export type AuthContext = {
+    readonly mfaRequired: false;
     readonly cookies: string;
-    constructor(ticket: string, cookies: string);
-}
-export declare class MfaRequiredResult {
-    readonly mfaMethod: MfaMethod;
+    readonly ticket: string;
+} | {
+    readonly mfaRequired: true;
     readonly cookies: string;
-    constructor(mfaMethod: MfaMethod, cookies: string);
-}
+};
 export declare class AuthenticationService {
-    static startAuthentication(urls: GarminUrls, username: string, password: string): Promise<AuthenticationSuccess | MfaRequiredResult>;
-    static completeAuthentication(urls: GarminUrls, cookies: string, parameters: AuthenticationParameters): Promise<HttpClient>;
-    private static extractServiceTicketId;
-    private static getLoginTicket;
+    static startAuthentication(urls: GarminUrls, username: string, password: string): Promise<AuthContext>;
+    static completeAuthentication(urls: GarminUrls, context: AuthContext, mfaCode?: string): Promise<HttpClient>;
     private static verifyMfaCode;
-    private static completeOAuthFlow;
-    private static getOauth1Token;
-    private static exchange;
+    private static loginError;
 }
 //# sourceMappingURL=authentication-service.d.ts.map

package/dist/authentication-service.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"authentication-service.d.ts","sourceRoot":"","sources":["../src/authentication-service.ts"],"names":[],"mappings":"AAUA,OAAO,EAAe,SAAS,EAAkB,MAAM,gBAAgB,CAAC;AAExE,OAAO,EAAE,UAAU,EAAE,MAAM,eAAe,CAAC;AAS3C,OAAO,EAAE,UAAU,EAAE,MAAM,QAAQ,CAAC;AAGpC,MAAM,MAAM,wBAAwB,GAChC;IAAE,IAAI,EAAE,QAAQ,CAAC;IAAC,MAAM,EAAE,MAAM,CAAA;CAAE,GAClC;IAAE,IAAI,EAAE,KAAK,CAAC;IAAC,OAAO,EAAE,MAAM,CAAC;IAAC,SAAS,EAAE,SAAS,CAAA;CAAE,CAAC;AAG3D,qBAAa,qBAAqB;IAChC,QAAQ,CAAC,MAAM,EAAE,MAAM,CAAC;IACxB,QAAQ,CAAC,OAAO,EAAE,MAAM,CAAC;gBAEb,MAAM,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM;CAI5C;AAED,qBAAa,iBAAiB;IAC5B,QAAQ,CAAC,SAAS,EAAE,SAAS,CAAC;IAC9B,QAAQ,CAAC,OAAO,EAAE,MAAM,CAAC;gBAEb,SAAS,EAAE,SAAS,EAAE,OAAO,EAAE,MAAM;CAIlD;AAyGD,qBAAa,qBAAqB;WAGnB,mBAAmB,CAC9B,IAAI,EAAE,UAAU,EAChB,QAAQ,EAAE,MAAM,EAChB,QAAQ,EAAE,MAAM,GACf,OAAO,CAAC,qBAAqB,GAAG,iBAAiB,CAAC;WAYxC,sBAAsB,CACjC,IAAI,EAAE,UAAU,EAChB,OAAO,EAAE,MAAM,EACf,UAAU,EAAE,wBAAwB,GACnC,OAAO,CAAC,UAAU,CAAC;mBA8BD,sBAAsB;mBA6BtB,cAAc;mBA2Dd,aAAa;mBAyCb,iBAAiB;mBAajB,cAAc;mBAwCd,QAAQ;CA8B9B"}
+{"version":3,"file":"authentication-service.d.ts","sourceRoot":"","sources":["../src/authentication-service.ts"],"names":[],"mappings":"AAWA,OAAO,EAAE,UAAU,EAAE,MAAM,eAAe,CAAC;AAE3C,OAAO,EAAE,UAAU,EAAE,MAAM,QAAQ,CAAC;AAOpC,MAAM,MAAM,WAAW,GACnB;IAAE,QAAQ,CAAC,WAAW,EAAE,KAAK,CAAC;IAAC,QAAQ,CAAC,OAAO,EAAE,MAAM,CAAC;IAAC,QAAQ,CAAC,MAAM,EAAE,MAAM,CAAA;CAAE,GAClF;IAAE,QAAQ,CAAC,WAAW,EAAE,IAAI,CAAC;IAAC,QAAQ,CAAC,OAAO,EAAE,MAAM,CAAA;CAAE,CAAC;AAE7D,qBAAa,qBAAqB;WAGnB,mBAAmB,CAAC,IAAI,EAAE,UAAU,EAAE,QAAQ,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,WAAW,CAAC;WAsC/F,sBAAsB,CAAC,IAAI,EAAE,UAAU,EAAE,OAAO,EAAE,WAAW,EAAE,OAAO,CAAC,EAAE,MAAM,GAAG,OAAO,CAAC,UAAU,CAAC;mBAW7F,aAAa;IAqClC,OAAO,CAAC,MAAM,CAAC,UAAU;CAY1B"}

package/dist/authentication-service.js

@@ -1,321 +1,109 @@
 "use strict";
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.AuthenticationService = exports.MfaRequiredResult = exports.AuthenticationSuccess = void 0;
-// Authentication service for Garmin Connect API.
-//
-// Handles the complete authentication flow:
-// 1. Submit credentials and handle MFA if required
-// 2. Exchange login ticket for OAuth 1.0 token
-// 3. Exchange OAuth 1.0 token for OAuth 2.0 bearer token
+// Authentication service for Garmin Connect.
 //
-// This service uses HttpClient internally to perform HTTP requests during authentication.
-const zod_1 = require("zod");
-const auth_context_1 = require("./auth-context");
+// Orchestrates the SSO embed login flow:
+//   1. Drives steps 1–4 (embed → signin → credentials → MFA) over CurlClient
+//      so Cloudflare accepts the request.
+//   2. The resulting service ticket is exchanged for an OAuth2 bearer token
+//      via the device-identity endpoint (diauth.garmin.com).
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.AuthenticationService = void 0;
+const auth_html_parser_1 = require("./auth-html-parser");
+const curl_client_1 = require("./curl-client");
 const errors_1 = require("./errors");
 const http_client_1 = require("./http-client");
-const oauth_utils_1 = require("./oauth-utils");
-// Result classes for authentication flow
-class AuthenticationSuccess {
-    constructor(ticket, cookies) {
-        this.ticket = ticket;
-        this.cookies = cookies;
-    }
-}
-exports.AuthenticationSuccess = AuthenticationSuccess;
-class MfaRequiredResult {
-    constructor(mfaMethod, cookies) {
-        this.mfaMethod = mfaMethod;
-        this.cookies = cookies;
-    }
-}
-exports.MfaRequiredResult = MfaRequiredResult;
-// Zod schemas for API responses
-const LoginResponseSchema = zod_1.z
-    .object({
-    serviceURL: zod_1.z.string().nullable().optional(),
-    serviceTicketId: zod_1.z.string().nullable().optional(),
-    responseStatus: zod_1.z
-        .object({
-        type: zod_1.z.string(),
-        message: zod_1.z.string().optional(),
-        httpStatus: zod_1.z.string().optional(),
-    })
-        .optional(),
-    responseReason: zod_1.z.string().nullable().optional(),
-    customerMfaInfo: zod_1.z
-        .object({
-        mfaLastMethodUsed: zod_1.z.string().optional(),
-        email: zod_1.z.string().optional(),
-        phoneNumber: zod_1.z.string().nullable().optional(),
-        defaultMfaMethod: zod_1.z.string().nullable().optional(),
-        mfaUISetting: zod_1.z
-            .object({
-            allowPhoneOption: zod_1.z.boolean().optional(),
-            allowAddEmailAddress: zod_1.z.boolean().optional(),
-            chooseDifferentWayShown: zod_1.z.boolean().optional(),
-        })
-            .optional(),
-    })
-        .nullable()
-        .optional(),
-    consentTypeList: zod_1.z.array(zod_1.z.unknown()).nullable().optional(),
-    captchaAlreadyPassed: zod_1.z.boolean().optional(),
-    samlResponse: zod_1.z.string().nullable().optional(),
-    authType: zod_1.z.string().nullable().optional(),
-})
-    .passthrough();
-// Helper function to parse login response and extract error information
-function parseLoginResponseError(error) {
-    if (error instanceof errors_1.HttpError && error.responseData) {
-        const errorResponse = LoginResponseSchema.safeParse(error.responseData);
-        if (errorResponse.success) {
-            return errorResponse.data;
-        }
-    }
-    return undefined;
-}
-// Helper function to extract InvalidCredentialsError from login response errors
-function extractInvalidCredentialsError(error) {
-    const loginResponse = parseLoginResponseError(error);
-    if (loginResponse) {
-        const responseStatus = loginResponse.responseStatus;
-        if (responseStatus?.type === 'INVALID_USERNAME_PASSWORD') {
-            return new errors_1.InvalidCredentialsError('Invalid username or password');
-        }
-    }
-    // Fallback to status code check if responseStatus not available
-    if (error instanceof errors_1.HttpError && (error.statusCode === 401 || error.statusCode === 403)) {
-        return new errors_1.InvalidCredentialsError('Invalid username or password');
-    }
-    return undefined;
-}
-// Helper function to extract MfaCodeInvalidError from MFA verification errors
-function extractMfaCodeInvalidError(error) {
-    const loginResponse = parseLoginResponseError(error);
-    if (loginResponse?.responseStatus) {
-        const responseStatus = loginResponse.responseStatus;
-        if (responseStatus.type === 'SESSION_EXPIRED') {
-            return new errors_1.MfaCodeInvalidError('Session expired. Please try logging in again.');
-        }
-    }
-    // Fallback to status code check
-    if (error instanceof errors_1.HttpError) {
-        if (error.statusCode === 401 || error.statusCode === 403) {
-            return new errors_1.MfaCodeInvalidError('Invalid MFA code');
-        }
-        // Handle 409 Conflict (session expired)
-        if (error.statusCode === 409) {
-            return new errors_1.MfaCodeInvalidError('Session expired. Please try logging in again.');
-        }
-    }
-    return undefined;
-}
-// Helper function to create common JSON API headers for authentication requests
-function getJsonApiHeaders(urls, referer) {
-    return {
-        'Content-Type': 'application/json',
-        Accept: 'application/json, text/plain, */*',
-        Origin: urls.GARMIN_SSO_ORIGIN,
-        Referer: referer,
-        'User-Agent': oauth_utils_1.USER_AGENT_MOBILE_IOS,
-        'Accept-Language': 'en-US,en;q=0.9',
-        'Accept-Encoding': 'gzip, deflate, br',
-    };
-}
+const oauth2_exchanger_1 = require("./oauth2-exchanger");
 class AuthenticationService {
-    // Starts authentication and returns MFA context if MFA is required
-    // Returns AuthenticationSuccess with ticket and cookies if authentication succeeds, or MfaRequiredResult if MFA is needed
+    // Drives the SSO flow up to (and not including) the OAuth exchange.
+    // Returns either a service ticket ready for exchange, or an MFA challenge.
     static async startAuthentication(urls, username, password) {
-        const httpClient = new http_client_1.HttpClient(urls);
-        const ticketResult = await AuthenticationService.getLoginTicket(httpClient, urls, username, password);
-        const cookies = httpClient.getCookies();
-        if (ticketResult.type === 'success') {
-            return new AuthenticationSuccess(ticketResult.ticket, cookies);
+        const curl = new curl_client_1.CurlClient();
+        try {
+            // Seed session cookies via the embed endpoint before fetching the signin form.
+            await curl.get(urls.SSO_EMBED());
+            const signinHtml = await curl.get(urls.SSO_SIGNIN(), {
+                headers: ['Referer: ' + urls.SSO_BASE + '/embed'],
+            });
+            const csrf = (0, auth_html_parser_1.parseCsrfToken)(signinHtml);
+            const credBody = new URLSearchParams({
+                username,
+                password,
+                embed: 'true',
+                _csrf: csrf,
+            }).toString();
+            const postHtml = await curl.post(urls.SSO_SIGNIN(), credBody, {
+                headers: ['Referer: ' + urls.SSO_SIGNIN(), 'Content-Type: application/x-www-form-urlencoded'],
+                allowClientError: true,
+            });
+            const result = (0, auth_html_parser_1.parseSsoPostResponse)(postHtml);
+            const cookies = curl.getCookies();
+            if (result.type === 'success') {
+                return { mfaRequired: false, cookies, ticket: result.ticket };
+            }
+            if (result.type === 'mfa_required') {
+                return { mfaRequired: true, cookies };
+            }
+            throw AuthenticationService.loginError(result);
+        }
+        finally {
+            curl.close();
         }
-        return new MfaRequiredResult(ticketResult.mfaMethod, cookies);
     }
-    // Completes authentication using either a ticket (non-MFA) or MFA code
-    // Returns an authenticated HttpClient instance
-    static async completeAuthentication(urls, cookies, parameters) {
-        // Create an unauthenticated HttpClient with cookies for making auth requests
-        // We'll create an authenticated one after completing OAuth flow
-        const httpClient = new http_client_1.HttpClient(urls, undefined, cookies);
-        // Extract ticket from parameters (either directly or via MFA verification)
-        const serviceTicketId = await AuthenticationService.extractServiceTicketId(httpClient, urls, parameters);
-        // Complete OAuth flow
-        const { oauth1Token, oauth2Token } = await AuthenticationService.completeOAuthFlow(httpClient, urls, serviceTicketId);
-        const updatedCookies = httpClient.getCookies();
-        // Create fully authenticated AuthContext with OAuth tokens
-        const authenticatedContext = new auth_context_1.AuthContext(false, // mfaRequired is false after OAuth completes
-        updatedCookies, undefined, // mfaMethod not needed after auth
-        undefined, // ticket not needed after OAuth
-        oauth1Token, oauth2Token);
-        // Create a new authenticated HttpClient with the authenticated context
-        return new http_client_1.HttpClient(urls, authenticatedContext);
+    // Completes authentication by turning an AuthContext (plus an optional MFA
+    // code when one is required) into a fully authenticated HttpClient.
+    static async completeAuthentication(urls, context, mfaCode) {
+        const { ticket } = context.mfaRequired
+            ? await AuthenticationService.verifyMfaCode(urls, context.cookies, mfaCode)
+            : context;
+        const { oauth2Token, diClientId } = await (0, oauth2_exchanger_1.exchangeDiToken)(urls, ticket);
+        return new http_client_1.HttpClient(urls, { oauth2Token, diClientId });
     }
-    // Extracts service ticket ID from authentication parameters
-    // Handles both ticket-based (non-MFA) and MFA-based authentication
-    static async extractServiceTicketId(httpClient, urls, parameters) {
-        if (parameters.type === 'ticket') {
-            // Non-MFA case - use provided ticket
-            return parameters.ticket;
-        }
-        // MFA case - verify code and get ticket
-        if (!parameters.mfaCode.trim()) {
+    // Resumes the SSO session with the user-supplied MFA code. Requires the
+    // cookies captured by `startAuthentication` so Garmin accepts the POST.
+    static async verifyMfaCode(urls, cookies, mfaCode) {
+        if (!mfaCode?.trim()) {
             throw new errors_1.MfaCodeError();
         }
-        const mfaResult = await AuthenticationService.verifyMfaCode(httpClient, urls, parameters.mfaCode.trim(), parameters.mfaMethod);
-        if (!mfaResult.serviceTicketId) {
-            throw new errors_1.MfaCodeInvalidError('MFA code submitted but ticket not found - please check your MFA code');
-        }
-        return mfaResult.serviceTicketId;
-    }
-    // Obtains a login ticket
-    // Returns discriminated union with ticket if successful, or MFA requirement if MFA needed
-    static async getLoginTicket(httpClient, urls, username, password) {
-        // First, visit the sign-in page to establish a session and get cookies
-        const signInUrl = urls.SIGN_IN_PAGE();
-        await httpClient.get(signInUrl, {
-            headers: {
-                Accept: 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
-                'User-Agent': oauth_utils_1.USER_AGENT_MOBILE_IOS,
-                'Accept-Language': 'en-US,en;q=0.9',
-                'Accept-Encoding': 'gzip, deflate, br',
-            },
-        });
-        const loginUrl = urls.LOGIN_API();
-        const loginBody = {
-            username,
-            password,
-            rememberMe: false,
-            captchaToken: '',
-        };
-        let loginResponse;
+        const curl = new curl_client_1.CurlClient(cookies);
         try {
-            const response = await httpClient.post(loginUrl, loginBody, {
-                headers: getJsonApiHeaders(urls, urls.SIGN_IN_REFERER()),
+            // Re-scrape the CSRF token from the MFA page — it rotates across requests.
+            await curl.get(urls.SSO_EMBED());
+            const mfaPageHtml = await curl.get(urls.SSO_SIGNIN(), {
+                headers: ['Referer: ' + urls.SSO_BASE + '/embed'],
             });
-            loginResponse = LoginResponseSchema.parse(response);
-        }
-        catch (error) {
-            const credentialsError = extractInvalidCredentialsError(error);
-            if (credentialsError) {
-                throw credentialsError;
+            const csrf = (0, auth_html_parser_1.parseCsrfToken)(mfaPageHtml);
+            const mfaBody = new URLSearchParams({
+                'mfa-code': mfaCode.trim(),
+                embed: 'true',
+                _csrf: csrf,
+                fromPage: 'setupEnterMfaCode',
+            }).toString();
+            const postHtml = await curl.post(urls.SSO_MFA_VERIFY(), mfaBody, {
+                headers: ['Referer: ' + urls.SSO_SIGNIN(), 'Content-Type: application/x-www-form-urlencoded'],
+                allowClientError: true,
+            });
+            const result = (0, auth_html_parser_1.parseSsoPostResponse)(postHtml);
+            if (result.type === 'success') {
+                return { ticket: result.ticket };
             }
-            throw error;
-        }
-        // Try to extract ticket first - if present, login was successful
-        if (loginResponse.serviceTicketId) {
-            return { type: 'success', ticket: loginResponse.serviceTicketId };
+            if (result.type === 'mfa_required') {
+                throw new errors_1.MfaCodeInvalidError('MFA code rejected; server still requires MFA');
+            }
+            throw new errors_1.MfaCodeInvalidError(result.message ?? 'Invalid MFA code');
         }
-        // No ticket found - check if MFA is required
-        if (loginResponse.responseStatus?.type === 'MFA_REQUIRED') {
-            const methodString = loginResponse.customerMfaInfo?.mfaLastMethodUsed || 'email';
-            const mfaMethod = (0, auth_context_1.parseMfaMethod)(methodString);
-            return { type: 'mfa_required', mfaMethod };
+        finally {
+            curl.close();
         }
-        throw new errors_1.InvalidCredentialsError('login failed (Ticket not found or MFA), please check username and password');
     }
-    // Verifies a multi-factor authentication code
-    // Returns the authentication response containing the login ticket
-    // Throws MfaCodeInvalidError if the MFA code is invalid or expired
-    static async verifyMfaCode(httpClient, urls, mfaCode, mfaMethod = auth_context_1.MfaMethod.EMAIL) {
-        const mfaUrl = urls.MFA_VERIFY_API();
-        const mfaBody = {
-            mfaMethod: mfaMethod,
-            mfaVerificationCode: mfaCode,
-            rememberMyBrowser: false,
-            reconsentList: [],
-            mfaSetup: false,
-        };
-        try {
-            const response = await httpClient.post(mfaUrl, mfaBody, {
-                headers: getJsonApiHeaders(urls, urls.MFA_REFERER()),
-            });
-            const result = LoginResponseSchema.parse(response);
-            // Check for MFA_CODE_INVALID in response status (can occur even with 200 OK)
-            if (result.responseStatus?.type === 'MFA_CODE_INVALID') {
-                throw new errors_1.MfaCodeInvalidError(result.responseStatus.message || 'Invalid MFA code. Please check your code and try again.');
-            }
-            return result;
+    static loginError(result) {
+        if (result.type === 'locked') {
+            return new errors_1.InvalidCredentialsError(result.message ?? 'Account is locked');
         }
-        catch (error) {
-            const mfaError = extractMfaCodeInvalidError(error);
-            if (mfaError) {
-                throw mfaError;
-            }
-            throw error;
+        if (result.type === 'invalid' || result.type === 'error') {
+            return new errors_1.InvalidCredentialsError(result.message ?? 'Login failed');
         }
-    }
-    // Completes the OAuth flow: exchanges ticket for OAuth 1.0 token, then OAuth 2.0 token
-    // Returns the tokens for creating an authenticated HttpClient
-    static async completeOAuthFlow(httpClient, urls, ticket) {
-        const oauth1Token = await AuthenticationService.getOauth1Token(httpClient, urls, ticket);
-        const oauth2Token = await AuthenticationService.exchange(httpClient, urls, oauth1Token);
-        return { oauth1Token, oauth2Token };
-    }
-    // Exchanges a login ticket for an OAuth 1.0 token
-    // Uses OAuth 1.0a signing to authenticate the request
-    // Returns OAuth 1.0 token containing oauth_token and oauth_token_secret
-    static async getOauth1Token(httpClient, urls, ticket) {
-        const oauthParameters = {
-            ticket,
-            'login-url': urls.MOBILE_SERVICE,
-            'accepts-mfa-tokens': true,
-        };
-        const appOauthIdentity = (0, oauth_utils_1.getAppOauthIdentity)();
-        const oauth = (0, oauth_utils_1.createOauthClient)(appOauthIdentity);
-        const baseUrl = urls.OAUTH_PREAUTHORIZED_BASE();
-        const requestData = {
-            url: baseUrl,
-            method: 'GET',
-            data: oauthParameters,
-        };
-        const authData = oauth.authorize(requestData);
-        // Convert Authorization object to plain object for URL building
-        const authParameters = { ...authData };
-        const url = urls.OAUTH_PREAUTHORIZED(oauthParameters, authParameters);
-        const response = await httpClient.get(url, {
-            headers: {
-                'User-Agent': oauth_utils_1.USER_AGENT_CONNECTMOBILE,
-            },
-        });
-        // Parse the query string response (format: "oauth_token=xxx&oauth_token_secret=yyy")
-        const responseParameters = new URLSearchParams(response);
-        const token = {
-            oauth_token: responseParameters.get('oauth_token') || '',
-            oauth_token_secret: responseParameters.get('oauth_token_secret') || '',
-        };
-        return token;
-    }
-    // Exchanges an OAuth 1.0 token for an OAuth 2.0 bearer token
-    //
-    // This is the final step in the authentication flow. The OAuth 2.0 token
-    // is used for all subsequent API requests via Bearer authentication.
-    // Returns OAuth 2.0 bearer token with expiration metadata
-    static async exchange(httpClient, urls, oauth1Token) {
-        const appOauthIdentity = (0, oauth_utils_1.getAppOauthIdentity)();
-        const oauth = (0, oauth_utils_1.createOauthClient)(appOauthIdentity);
-        const token = {
-            key: oauth1Token.oauth_token,
-            secret: oauth1Token.oauth_token_secret,
-        };
-        const baseUrl = urls.OAUTH_EXCHANGE_BASE();
-        const requestData = {
-            url: baseUrl,
-            method: 'POST',
-        };
-        const step5AuthData = oauth.authorize(requestData, token);
-        // Convert Authorization object to plain object for URL building
-        const oauthParameters = { ...step5AuthData };
-        const url = urls.OAUTH_EXCHANGE(oauthParameters);
-        const response = await httpClient.post(url, undefined, {
-            headers: {
-                'User-Agent': oauth_utils_1.USER_AGENT_CONNECTMOBILE,
-                'Content-Type': 'application/x-www-form-urlencoded',
-            },
-        });
-        return (0, oauth_utils_1.setOauth2TokenExpiresAt)(response);
+        const _exhaustive = result;
+        return _exhaustive;
     }
 }
 exports.AuthenticationService = AuthenticationService;