joopjs 2.0.0

package/dist/auth/index.mjs

@@ -0,0 +1,979 @@
+// src/events/index.ts
+var JoopSubject = class {
+  _listeners = [];
+  subscribe(listener) {
+    this._listeners.push(listener);
+    return () => {
+      this._listeners = this._listeners.filter((l) => l !== listener);
+    };
+  }
+  next(value) {
+    for (const listener of this._listeners) {
+      listener(value);
+    }
+  }
+  asObservable() {
+    return new JoopObservable((listener) => this.subscribe(listener));
+  }
+};
+var JoopBehaviorSubject = class extends JoopSubject {
+  _value;
+  constructor(initialValue) {
+    super();
+    this._value = initialValue;
+  }
+  getValue() {
+    return this._value;
+  }
+  next(value) {
+    this._value = value;
+    super.next(value);
+  }
+  subscribe(listener) {
+    listener(this._value);
+    return super.subscribe(listener);
+  }
+  asObservable() {
+    return new JoopObservable((listener) => this.subscribe(listener));
+  }
+};
+var JoopObservable = class {
+  constructor(_subscribeFn) {
+    this._subscribeFn = _subscribeFn;
+  }
+  _subscribeFn;
+  subscribe(listener) {
+    return this._subscribeFn(listener);
+  }
+  /** Returns the current value without subscribing (only meaningful for BehaviorSubject-backed observables). */
+  getOnce() {
+    let result;
+    const unsub = this.subscribe((v) => {
+      result = v;
+    });
+    unsub();
+    return result;
+  }
+};
+
+// src/auth/auth.service.ts
+var JoopAuthService = class {
+  constructor(_storage) {
+    this._storage = _storage;
+  }
+  _storage;
+  _loggedIn$ = new JoopBehaviorSubject(false);
+  setLoggedIn(isLoggedIn, menuData = { menuObj: [] }) {
+    this._loggedIn$.next(isLoggedIn);
+    if (isLoggedIn) {
+      this._storage.setMenuData(menuData);
+    } else {
+      this._storage.clearMenuData();
+    }
+  }
+  isLoggedIn() {
+    return this._loggedIn$.getValue();
+  }
+  isLoggedIn$() {
+    return this._loggedIn$.asObservable();
+  }
+  logout() {
+    this.setLoggedIn(false);
+  }
+};
+
+// src/auth/token.service.ts
+var JoopTokenService = class {
+  _access = "";
+  _refresh = "";
+  _refreshCb = null;
+  _timer = null;
+  setTokens(accessToken, refreshToken) {
+    this._access = accessToken;
+    this._refresh = refreshToken;
+    this._scheduleRefresh();
+  }
+  getAccessToken() {
+    return this._access;
+  }
+  getRefreshToken() {
+    return this._refresh;
+  }
+  decode(token) {
+    try {
+      const parts = token.split(".");
+      if (parts.length !== 3) return null;
+      const padded = parts[1].replace(/-/g, "+").replace(/_/g, "/");
+      return JSON.parse(atob(padded));
+    } catch {
+      return null;
+    }
+  }
+  isExpired(token) {
+    const payload = this.decode(token ?? this._access);
+    if (!payload?.exp) return true;
+    return Date.now() >= payload.exp * 1e3;
+  }
+  expiresInMs(token) {
+    const payload = this.decode(token ?? this._access);
+    if (!payload?.exp) return 0;
+    return Math.max(0, payload.exp * 1e3 - Date.now());
+  }
+  onRefreshNeeded(callback) {
+    this._refreshCb = callback;
+  }
+  async refreshNow() {
+    if (!this._refreshCb) throw new Error("No refresh callback registered");
+    const newToken = await this._refreshCb(this._refresh);
+    this._access = newToken;
+    this._scheduleRefresh();
+    return newToken;
+  }
+  clear() {
+    this._access = "";
+    this._refresh = "";
+    if (this._timer) clearTimeout(this._timer);
+    this._timer = null;
+  }
+  _scheduleRefresh() {
+    if (this._timer) clearTimeout(this._timer);
+    const ms = this.expiresInMs();
+    const delay = ms > 3e4 ? ms - 3e4 : 0;
+    if (delay > 0 && this._refreshCb) {
+      this._timer = setTimeout(() => this.refreshNow().catch(() => {
+      }), delay);
+    }
+  }
+};
+
+// src/auth/pkce.service.ts
+var JoopPKCEService = class {
+  _verifier = "";
+  async generate() {
+    const array = new Uint8Array(32);
+    crypto.getRandomValues(array);
+    const verifier = this._base64url(array);
+    this._verifier = verifier;
+    const digest = await crypto.subtle.digest("SHA-256", new TextEncoder().encode(verifier));
+    const challenge = this._base64url(new Uint8Array(digest));
+    return { codeVerifier: verifier, codeChallenge: challenge, codeChallengeMethod: "S256" };
+  }
+  getVerifier() {
+    return this._verifier;
+  }
+  generateState() {
+    const arr = new Uint8Array(16);
+    crypto.getRandomValues(arr);
+    return this._base64url(arr);
+  }
+  buildAuthUrl(baseUrl, params) {
+    const q = new URLSearchParams({
+      response_type: "code",
+      client_id: params.clientId,
+      redirect_uri: params.redirectUri,
+      scope: params.scope,
+      state: params.state,
+      code_challenge: params.codeChallenge,
+      code_challenge_method: "S256"
+    });
+    return `${baseUrl}?${q.toString()}`;
+  }
+  _base64url(buf) {
+    return btoa(String.fromCharCode(...buf)).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
+  }
+};
+
+// src/auth/otp.service.ts
+var JoopOtpService = class {
+  _period = 30;
+  _digits = 6;
+  async generateTOTP(secretBase32, time) {
+    const key = this._base32Decode(secretBase32);
+    const counter = Math.floor((time ?? Date.now()) / 1e3 / this._period);
+    return this._hotp(key, counter);
+  }
+  async verifyTOTP(token, secretBase32, window2 = 1) {
+    const now = Math.floor(Date.now() / 1e3 / this._period);
+    for (let i = -window2; i <= window2; i++) {
+      const expected = await this._hotp(this._base32Decode(secretBase32), now + i);
+      if (expected === token) return true;
+    }
+    return false;
+  }
+  generateNumericOTP(length = 6) {
+    const arr = new Uint8Array(length);
+    crypto.getRandomValues(arr);
+    return Array.from(arr).map((b) => b % 10).join("");
+  }
+  generateAlphanumericOTP(length = 8) {
+    const chars = "ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789";
+    const arr = new Uint8Array(length);
+    crypto.getRandomValues(arr);
+    return Array.from(arr).map((b) => chars[b % chars.length]).join("");
+  }
+  async _hotp(key, counter) {
+    const buf = new ArrayBuffer(8);
+    new DataView(buf).setUint32(4, counter, false);
+    const safeKey = new Uint8Array(new ArrayBuffer(key.length));
+    safeKey.set(key);
+    const cryptoKey = await crypto.subtle.importKey("raw", safeKey, { name: "HMAC", hash: "SHA-1" }, false, ["sign"]);
+    const sig = new Uint8Array(await crypto.subtle.sign("HMAC", cryptoKey, buf));
+    const offset = sig[19] & 15;
+    const code = (sig[offset] & 127) << 24 | sig[offset + 1] << 16 | sig[offset + 2] << 8 | sig[offset + 3];
+    return String(code % Math.pow(10, this._digits)).padStart(this._digits, "0");
+  }
+  _base32Decode(s) {
+    const alphabet = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567";
+    const clean = s.toUpperCase().replace(/=+$/, "");
+    const bits = clean.split("").map((c) => alphabet.indexOf(c).toString(2).padStart(5, "0")).join("");
+    return new Uint8Array(bits.match(/.{8}/g)?.map((b) => parseInt(b, 2)) ?? []);
+  }
+};
+
+// src/auth/otp-timer.service.ts
+var JoopOtpTimer = class {
+  _duration;
+  _resendCooldown;
+  _remaining = 0;
+  _cooldownRemaining = 0;
+  _phase = "idle";
+  _ticker = null;
+  _cooldownTicker = null;
+  _state$;
+  _onExpire = null;
+  _onTick = null;
+  constructor(config = {}) {
+    this._duration = config.duration ?? 60;
+    this._resendCooldown = config.resendCooldown ?? 30;
+    this._state$ = new JoopBehaviorSubject(this._snapshot());
+    if (config.autoStart) this.start();
+  }
+  start() {
+    this._clearTickers();
+    this._remaining = this._duration;
+    this._phase = "counting";
+    this._emit();
+    this._ticker = setInterval(() => {
+      this._remaining--;
+      this._onTick?.(this._remaining);
+      if (this._remaining <= 0) {
+        this._clearTickers();
+        this._phase = "expired";
+        this._remaining = 0;
+        this._onExpire?.();
+      }
+      this._emit();
+    }, 1e3);
+  }
+  resend() {
+    if (!this.canResend) return false;
+    this._startCooldown();
+    this.start();
+    return true;
+  }
+  stop() {
+    this._clearTickers();
+    this._phase = "idle";
+    this._remaining = 0;
+    this._emit();
+  }
+  reset() {
+    this.stop();
+  }
+  onExpire(fn) {
+    this._onExpire = fn;
+    return this;
+  }
+  onTick(fn) {
+    this._onTick = fn;
+    return this;
+  }
+  get remaining() {
+    return this._remaining;
+  }
+  get phase() {
+    return this._phase;
+  }
+  get isExpired() {
+    return this._phase === "expired";
+  }
+  get isCounting() {
+    return this._phase === "counting";
+  }
+  get canResend() {
+    return this._phase !== "cooldown" && this._cooldownRemaining === 0;
+  }
+  remaining$() {
+    return this._state$;
+  }
+  progress() {
+    if (this._duration === 0) return 0;
+    return Math.max(0, Math.min(1, this._remaining / this._duration));
+  }
+  destroy() {
+    this._clearTickers();
+  }
+  _startCooldown() {
+    this._cooldownRemaining = this._resendCooldown;
+    this._cooldownTicker = setInterval(() => {
+      this._cooldownRemaining--;
+      if (this._cooldownRemaining <= 0) {
+        this._cooldownRemaining = 0;
+        clearInterval(this._cooldownTicker);
+        this._cooldownTicker = null;
+      }
+      this._emit();
+    }, 1e3);
+  }
+  _clearTickers() {
+    if (this._ticker) {
+      clearInterval(this._ticker);
+      this._ticker = null;
+    }
+  }
+  _snapshot() {
+    return {
+      remaining: this._remaining,
+      phase: this._phase,
+      canResend: this.canResend,
+      cooldownRemaining: this._cooldownRemaining
+    };
+  }
+  _emit() {
+    this._state$.next(this._snapshot());
+  }
+};
+
+// src/auth/biometric.service.ts
+var JoopBiometricService = class {
+  isSupported() {
+    return typeof window !== "undefined" && "credentials" in navigator && "PublicKeyCredential" in window;
+  }
+  async isAvailable() {
+    if (!this.isSupported()) return false;
+    return PublicKeyCredential.isUserVerifyingPlatformAuthenticatorAvailable();
+  }
+  async register(options) {
+    const createOptions = {
+      challenge: options.challenge,
+      rp: { id: options.rpId, name: options.rpName },
+      user: {
+        id: new TextEncoder().encode(options.userId),
+        name: options.userName,
+        displayName: options.userDisplayName
+      },
+      pubKeyCredParams: [
+        { alg: -7, type: "public-key" },
+        // ES256
+        { alg: -257, type: "public-key" }
+        // RS256
+      ],
+      authenticatorSelection: {
+        authenticatorAttachment: "platform",
+        userVerification: "required"
+      },
+      timeout: 6e4
+    };
+    return navigator.credentials.create({ publicKey: createOptions });
+  }
+  async authenticate(options) {
+    const getOptions = {
+      challenge: options.challenge,
+      rpId: options.rpId,
+      allowCredentials: options.allowCredentials ?? [],
+      userVerification: "required",
+      timeout: 6e4
+    };
+    return navigator.credentials.get({ publicKey: getOptions });
+  }
+  generateChallenge() {
+    const buf = new Uint8Array(32);
+    crypto.getRandomValues(buf);
+    return buf.buffer;
+  }
+  credentialIdToBase64(id) {
+    return btoa(String.fromCharCode(...new Uint8Array(id)));
+  }
+};
+
+// src/auth/mfa.service.ts
+var BASE32_CHARS = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567";
+var JoopMfaService = class {
+  _otp = new JoopOtpService();
+  _bio = new JoopBiometricService();
+  _challenges = /* @__PURE__ */ new Map();
+  _expired$ = new JoopSubject();
+  // ── TOTP ──────────────────────────────────────────────────────────────────
+  generateTotpSecret(length = 20) {
+    const bytes = crypto.getRandomValues(new Uint8Array(length));
+    let result = "";
+    for (const byte of bytes) result += BASE32_CHARS[byte % 32];
+    return result;
+  }
+  getTotpUri(secret, account, issuer = "JoopApp") {
+    const label = encodeURIComponent(`${issuer}:${account}`);
+    return `otpauth://totp/${label}?secret=${secret}&issuer=${encodeURIComponent(issuer)}&algorithm=SHA1&digits=6&period=30`;
+  }
+  async setupTotp(account, issuer) {
+    const secret = this.generateTotpSecret();
+    const uri = this.getTotpUri(secret, account, issuer);
+    const backupCodes = this.generateBackupCodes();
+    return { secret, uri, backupCodes };
+  }
+  async verifyTotp(token, secret, window2 = 1) {
+    return this._otp.verifyTOTP(token, secret, window2);
+  }
+  // ── OTP Challenge (SMS/Email) ──────────────────────────────────────────────
+  createChallenge(destination, channel, ttlMs = 5 * 60 * 1e3, maxAttempts = 3) {
+    const code = this._otp.generateNumericOTP(6);
+    const challenge = {
+      id: crypto.randomUUID(),
+      channel,
+      destination,
+      expiresAt: Date.now() + ttlMs,
+      attempts: 0,
+      maxAttempts,
+      verified: false,
+      _code: code
+    };
+    this._challenges.set(challenge.id, challenge);
+    setTimeout(() => {
+      if (!this._challenges.get(challenge.id)?.verified) {
+        this._challenges.delete(challenge.id);
+        this._expired$.next(challenge.id);
+      }
+    }, ttlMs);
+    return challenge;
+  }
+  /** Get the OTP code for a challenge (pass to your SMS/email sendFn) */
+  getChallengeOtp(challengeId) {
+    return this._challenges.get(challengeId)?._code ?? null;
+  }
+  verifyChallenge(challengeId, token) {
+    const ch = this._challenges.get(challengeId);
+    if (!ch) return { success: false, reason: "challenge_not_found" };
+    if (Date.now() > ch.expiresAt) {
+      this._challenges.delete(challengeId);
+      return { success: false, reason: "expired" };
+    }
+    if (ch.verified) return { success: false, reason: "already_verified" };
+    ch.attempts++;
+    if (ch._code !== token) {
+      const attemptsLeft = ch.maxAttempts - ch.attempts;
+      if (attemptsLeft <= 0) this._challenges.delete(challengeId);
+      return { success: false, reason: "invalid_code", attemptsLeft };
+    }
+    ch.verified = true;
+    return { success: true };
+  }
+  // ── Backup Codes ──────────────────────────────────────────────────────────
+  generateBackupCodes(count = 10, length = 8) {
+    return Array.from({ length: count }, () => this._otp.generateAlphanumericOTP(length));
+  }
+  async hashBackupCodes(codes) {
+    const hashed = [];
+    for (const code of codes) {
+      const buf = await crypto.subtle.digest("SHA-256", new TextEncoder().encode(code));
+      hashed.push(Array.from(new Uint8Array(buf)).map((b) => b.toString(16).padStart(2, "0")).join(""));
+    }
+    return hashed;
+  }
+  async verifyBackupCode(code, hashedCodes) {
+    const hash = Array.from(
+      new Uint8Array(await crypto.subtle.digest("SHA-256", new TextEncoder().encode(code)))
+    ).map((b) => b.toString(16).padStart(2, "0")).join("");
+    const idx = hashedCodes.indexOf(hash);
+    if (idx === -1) return { valid: false, remaining: hashedCodes };
+    return { valid: true, remaining: hashedCodes.filter((_, i) => i !== idx) };
+  }
+  // ── Biometric ─────────────────────────────────────────────────────────────
+  async isBiometricAvailable() {
+    return this._bio.isAvailable();
+  }
+  async registerBiometric(userId, displayName) {
+    const challengeBytes = crypto.getRandomValues(new Uint8Array(32));
+    return this._bio.register({
+      challenge: challengeBytes.buffer,
+      rpId: window.location.hostname,
+      rpName: document.title || "JoopApp",
+      userId,
+      userName: userId,
+      userDisplayName: displayName ?? userId
+    });
+  }
+  async verifyBiometric(credentialId) {
+    try {
+      const challengeBytes = crypto.getRandomValues(new Uint8Array(32));
+      const result = await this._bio.authenticate({
+        challenge: challengeBytes.buffer,
+        rpId: window.location.hostname,
+        allowCredentials: [{ id: new TextEncoder().encode(credentialId), type: "public-key" }]
+      });
+      return !!result;
+    } catch {
+      return false;
+    }
+  }
+  // ── Challenge state ────────────────────────────────────────────────────────
+  onChallengeExpired(handler) {
+    return this._expired$.subscribe(handler);
+  }
+  clearExpiredChallenges() {
+    const now = Date.now();
+    let removed = 0;
+    for (const [id, ch] of this._challenges) {
+      if (now > ch.expiresAt) {
+        this._challenges.delete(id);
+        removed++;
+      }
+    }
+    return removed;
+  }
+  getChallenge(id) {
+    const ch = this._challenges.get(id);
+    if (!ch) return null;
+    const { _code: _, ...safe } = ch;
+    return safe;
+  }
+};
+
+// src/platform/platform.ts
+var _webStorage = (store) => ({
+  getItem: (k) => store.getItem(k),
+  setItem: (k, v) => store.setItem(k, v),
+  removeItem: (k) => store.removeItem(k),
+  clear: () => store.clear()
+});
+var _MemStorageImpl = class {
+  _m = /* @__PURE__ */ new Map();
+  getItem(k) {
+    return this._m.get(k) ?? null;
+  }
+  setItem(k, v) {
+    this._m.set(k, v);
+  }
+  removeItem(k) {
+    this._m.delete(k);
+  }
+  clear() {
+    this._m.clear();
+  }
+};
+function _detect() {
+  if (typeof navigator !== "undefined" && navigator.product === "ReactNative") return "react-native";
+  const _proc = globalThis["process"];
+  if (typeof window === "undefined" && _proc?.versions?.node) return "node";
+  if (typeof window !== "undefined") return "web";
+  return "unknown";
+}
+var JoopPlatform = class {
+  static _type = _detect();
+  static _adapter = {};
+  static _memStorage = null;
+  /**
+   * Call once at app startup to configure adapters for your platform.
+   *
+   * Web (default — no call needed):
+   *   JoopPlatform.init();
+   *
+   * React Native with react-native-mmkv:
+   *   import { MMKV } from 'react-native-mmkv';
+   *   const mmkv = new MMKV();
+   *   JoopPlatform.init({ adapter: { storage: mmkv } });
+   *
+   * React Native with custom compression (fflate):
+   *   import { gzip, ungzip } from 'fflate';
+   *   JoopPlatform.init({
+   *     adapter: {
+   *       compression: {
+   *         compress: (d, fmt) => new Promise((res, rej) => gzip(d, (e, r) => e ? rej(e) : res(r))),
+   *         decompress: (d, fmt) => new Promise((res, rej) => ungzip(d, (e, r) => e ? rej(e) : res(r))),
+   *       },
+   *     },
+   *   });
+   */
+  static init(config = {}) {
+    if (config.platform) this._type = config.platform;
+    this._adapter = { ...this._adapter, ...config.adapter ?? {} };
+  }
+  /** Current detected or overridden platform type */
+  static get type() {
+    return this._type;
+  }
+  static is(type) {
+    return this._type === type;
+  }
+  static isMobile() {
+    return this._type === "react-native";
+  }
+  static isWeb() {
+    return this._type === "web";
+  }
+  static isNode() {
+    return this._type === "node";
+  }
+  /** Raw adapter config registered via init() */
+  static getAdapter() {
+    return this._adapter;
+  }
+  /**
+   * Returns the best available storage adapter:
+   *   1. Custom adapter registered via init()
+   *   2. localStorage (web)
+   *   3. In-memory fallback (Node / RN without adapter)
+   */
+  static getStorage() {
+    if (this._adapter.storage) return this._adapter.storage;
+    if (typeof localStorage !== "undefined") return _webStorage(localStorage);
+    if (!this._memStorage) this._memStorage = new _MemStorageImpl();
+    return this._memStorage;
+  }
+  /**
+   * Returns the best available session-scoped storage:
+   *   1. Custom adapter registered via init()
+   *   2. sessionStorage (web)
+   *   3. Shared in-memory fallback
+   */
+  static getSessionStorage() {
+    if (this._adapter.storage) return this._adapter.storage;
+    if (typeof sessionStorage !== "undefined") return _webStorage(sessionStorage);
+    if (!this._memStorage) this._memStorage = new _MemStorageImpl();
+    return this._memStorage;
+  }
+  /** What APIs are available in the current environment */
+  static capabilities() {
+    return {
+      compression: typeof CompressionStream !== "undefined" || !!this._adapter.compression,
+      workers: typeof Worker !== "undefined" || !!this._adapter.worker,
+      cryptoSubtle: !!(typeof globalThis !== "undefined" && globalThis.crypto?.subtle),
+      persistentStorage: typeof localStorage !== "undefined" || !!this._adapter.storage,
+      dom: typeof document !== "undefined",
+      serviceWorker: typeof navigator !== "undefined" && "serviceWorker" in navigator
+    };
+  }
+  /** Reset to auto-detected defaults — useful between tests */
+  static _reset() {
+    this._type = _detect();
+    this._adapter = {};
+    this._memStorage = null;
+  }
+};
+
+// src/auth/oidc-client.ts
+var JoopOIDCClient = class {
+  _cfg;
+  _metadata = null;
+  _tokens$ = new JoopBehaviorSubject(null);
+  _storage;
+  _renewTimer = null;
+  _KEY = "joop_oidc_tokens";
+  _VER_KEY = "joop_oidc_verifier";
+  _STATE_KEY = "joop_oidc_state";
+  constructor(config) {
+    this._cfg = { scope: "openid profile email", responseType: "code", ...config };
+    this._storage = config.storage ?? JoopPlatform.getSessionStorage();
+    const stored = this._storage.getItem(this._KEY);
+    if (stored) {
+      try {
+        this._tokens$.next(JSON.parse(stored));
+      } catch {
+      }
+    }
+  }
+  async discover() {
+    if (this._metadata) return this._metadata;
+    const url = `${this._cfg.issuer}/.well-known/openid-configuration`;
+    const res = await fetch(url);
+    if (!res.ok) throw new Error(`OIDC discovery failed: ${res.status}`);
+    const json = await res.json();
+    this._metadata = {
+      authorizationEndpoint: json.authorization_endpoint,
+      tokenEndpoint: json.token_endpoint,
+      jwksUri: json.jwks_uri,
+      userInfoEndpoint: json.userinfo_endpoint,
+      endSessionEndpoint: json.end_session_endpoint
+    };
+    return this._metadata;
+  }
+  async login(options = {}) {
+    const meta = await this.discover();
+    const { verifier, challenge } = await _generatePKCE();
+    const state = options.state ?? _randomBase64(16);
+    this._storage.setItem(this._VER_KEY, verifier);
+    this._storage.setItem(this._STATE_KEY, state);
+    const params = new URLSearchParams({
+      response_type: this._cfg.responseType,
+      client_id: this._cfg.clientId,
+      redirect_uri: this._cfg.redirectUri,
+      scope: this._cfg.scope,
+      state,
+      code_challenge: challenge,
+      code_challenge_method: "S256",
+      nonce: options.nonce ?? _randomBase64(16),
+      ...options.prompt ? { prompt: options.prompt } : {},
+      ...options.loginHint ? { login_hint: options.loginHint } : {},
+      ...options.extraParams
+    });
+    if (typeof window !== "undefined") {
+      window.location.href = `${meta.authorizationEndpoint}?${params}`;
+    } else {
+      return Promise.resolve();
+    }
+  }
+  /** Returns the authorization URL without redirecting (useful for React Native) */
+  async buildLoginUrl(options = {}) {
+    const meta = await this.discover();
+    const { verifier, challenge } = await _generatePKCE();
+    const state = options.state ?? _randomBase64(16);
+    this._storage.setItem(this._VER_KEY, verifier);
+    this._storage.setItem(this._STATE_KEY, state);
+    const params = new URLSearchParams({
+      response_type: this._cfg.responseType,
+      client_id: this._cfg.clientId,
+      redirect_uri: this._cfg.redirectUri,
+      scope: this._cfg.scope,
+      state,
+      code_challenge: challenge,
+      code_challenge_method: "S256",
+      nonce: options.nonce ?? _randomBase64(16),
+      ...options.prompt ? { prompt: options.prompt } : {},
+      ...options.loginHint ? { login_hint: options.loginHint } : {},
+      ...options.extraParams
+    });
+    return `${meta.authorizationEndpoint}?${params}`;
+  }
+  async handleCallback(url = typeof location !== "undefined" ? location.href : "") {
+    const params = new URLSearchParams(url.split("?")[1] ?? "");
+    const code = params.get("code");
+    const state = params.get("state");
+    const error = params.get("error");
+    if (error) throw new Error(`OIDC error: ${error} \u2014 ${params.get("error_description") ?? ""}`);
+    if (!code) throw new Error("OIDC callback: missing code");
+    const storedState = this._storage.getItem(this._STATE_KEY);
+    if (storedState && state !== storedState) throw new Error("OIDC callback: state mismatch (CSRF?)");
+    const verifier = this._storage.getItem(this._VER_KEY) ?? "";
+    this._storage.removeItem(this._VER_KEY);
+    this._storage.removeItem(this._STATE_KEY);
+    const meta = await this.discover();
+    const res = await fetch(meta.tokenEndpoint, {
+      method: "POST",
+      headers: { "Content-Type": "application/x-www-form-urlencoded" },
+      body: new URLSearchParams({ grant_type: "authorization_code", code, redirect_uri: this._cfg.redirectUri, client_id: this._cfg.clientId, code_verifier: verifier })
+    });
+    if (!res.ok) throw new Error(`OIDC token exchange failed: ${await res.text()}`);
+    return this._storeTokens(await res.json());
+  }
+  async refreshToken() {
+    const tokens = this._tokens$.getValue();
+    if (!tokens?.refreshToken) throw new Error("No refresh token available");
+    const meta = await this.discover();
+    const res = await fetch(meta.tokenEndpoint, {
+      method: "POST",
+      headers: { "Content-Type": "application/x-www-form-urlencoded" },
+      body: new URLSearchParams({ grant_type: "refresh_token", refresh_token: tokens.refreshToken, client_id: this._cfg.clientId })
+    });
+    if (!res.ok) {
+      this.logout();
+      throw new Error(`Token refresh failed: ${res.status}`);
+    }
+    return this._storeTokens(await res.json());
+  }
+  async getUserInfo() {
+    const meta = await this.discover();
+    if (!meta.userInfoEndpoint) throw new Error("No userInfo endpoint in OIDC metadata");
+    const tokens = this._tokens$.getValue();
+    if (!tokens) throw new Error("Not authenticated");
+    const res = await fetch(meta.userInfoEndpoint, { headers: { Authorization: `Bearer ${tokens.accessToken}` } });
+    if (!res.ok) throw new Error(`UserInfo failed: ${res.status}`);
+    return res.json();
+  }
+  async logout(options = {}) {
+    this._tokens$.next(null);
+    this._storage.removeItem(this._KEY);
+    if (this._renewTimer) {
+      clearTimeout(this._renewTimer);
+      this._renewTimer = null;
+    }
+    if (this._metadata?.endSessionEndpoint && typeof window !== "undefined") {
+      const params = new URLSearchParams({ client_id: this._cfg.clientId, ...options.redirectUri ? { post_logout_redirect_uri: options.redirectUri } : {} });
+      window.location.href = `${this._metadata.endSessionEndpoint}?${params}`;
+    }
+  }
+  silentRenew(renewBeforeMs = 6e4) {
+    const tokens = this._tokens$.getValue();
+    if (!tokens?.refreshToken) return;
+    const delay = Math.max(0, tokens.expiresAt - Date.now() - renewBeforeMs);
+    if (this._renewTimer) clearTimeout(this._renewTimer);
+    this._renewTimer = setTimeout(async () => {
+      try {
+        await this.refreshToken();
+        this.silentRenew(renewBeforeMs);
+      } catch {
+        this._tokens$.next(null);
+      }
+    }, delay);
+  }
+  isAuthenticated() {
+    const t = this._tokens$.getValue();
+    return !!t && t.expiresAt > Date.now();
+  }
+  getTokens() {
+    return this._tokens$.getValue();
+  }
+  tokens$() {
+    return this._tokens$.asObservable();
+  }
+  _storeTokens(json) {
+    const tokens = {
+      accessToken: json.access_token,
+      idToken: json.id_token,
+      refreshToken: json.refresh_token,
+      expiresAt: Date.now() + (json.expires_in ?? 3600) * 1e3,
+      tokenType: json.token_type ?? "Bearer",
+      scope: json.scope
+    };
+    this._tokens$.next(tokens);
+    this._storage.setItem(this._KEY, JSON.stringify(tokens));
+    return tokens;
+  }
+};
+async function _generatePKCE() {
+  const verifier = _randomBase64(32);
+  const hash = await crypto.subtle.digest("SHA-256", new TextEncoder().encode(verifier));
+  const challenge = btoa(String.fromCharCode(...new Uint8Array(hash))).replace(/\+/g, "-").replace(/\//g, "_").replace(/=/g, "");
+  return { verifier, challenge };
+}
+function _randomBase64(bytes) {
+  const buf = new Uint8Array(bytes);
+  crypto.getRandomValues(buf);
+  return btoa(String.fromCharCode(...buf)).replace(/\+/g, "-").replace(/\//g, "_").replace(/=/g, "");
+}
+
+// src/auth/sso.service.ts
+var JoopSsoService = class {
+  _config;
+  _token = null;
+  _storageKey;
+  constructor(config) {
+    this._config = config;
+    this._storageKey = config.storageKey ?? "__joop_sso_token";
+    this._loadFromStorage();
+  }
+  // ── Token management ────────────────────────────────────────────────────────
+  setToken(token) {
+    this._token = token;
+    sessionStorage.setItem(this._storageKey, JSON.stringify(token));
+  }
+  getToken() {
+    return this._token;
+  }
+  isAuthenticated() {
+    return !!this._token && this._token.expiresAt > Date.now();
+  }
+  clearToken() {
+    this._token = null;
+    sessionStorage.removeItem(this._storageKey);
+  }
+  // ── Token exchange (Authorization Code → Access Token) ─────────────────────
+  async exchange(req) {
+    if (!this._config.tokenEndpoint) throw new Error("JoopSso: tokenEndpoint not configured");
+    const body = {
+      grant_type: "authorization_code",
+      code: req.code,
+      redirect_uri: req.redirectUri
+    };
+    if (req.codeVerifier) body["code_verifier"] = req.codeVerifier;
+    const res = await fetch(this._config.tokenEndpoint, {
+      method: "POST",
+      headers: { "Content-Type": "application/x-www-form-urlencoded" },
+      body: new URLSearchParams(body).toString()
+    });
+    if (!res.ok) throw new Error(`JoopSso: token exchange failed (${res.status})`);
+    const data = await res.json();
+    const token = {
+      accessToken: data.access_token,
+      refreshToken: data.refresh_token,
+      idToken: data.id_token,
+      expiresAt: Date.now() + (data.expires_in ?? 3600) * 1e3,
+      scopes: (data.scope ?? "").split(" ").filter(Boolean)
+    };
+    this.setToken(token);
+    return token;
+  }
+  // ── Whitelist-based external link opening ───────────────────────────────────
+  /**
+   * Open an external URL only if its origin is in allowedOrigins.
+   * Prevents open-redirect attacks.
+   */
+  openExternal(url, target = "blank") {
+    if (!this._isOriginAllowed(url)) {
+      console.warn(`JoopSso: blocked external link to ${url} \u2014 origin not in allowedOrigins`);
+      return false;
+    }
+    const anchor = document.createElement("a");
+    anchor.href = url;
+    anchor.target = target === "self" ? "_self" : target === "parent" ? "_parent" : "_blank";
+    anchor.rel = "noopener noreferrer";
+    document.body.appendChild(anchor);
+    anchor.click();
+    anchor.remove();
+    return true;
+  }
+  /** Check whether a URL's origin is whitelisted. */
+  isOriginAllowed(url) {
+    return this._isOriginAllowed(url);
+  }
+  // ── Internal API passthrough ────────────────────────────────────────────────
+  /**
+   * Make an authenticated internal API call.
+   * Automatically attaches the SSO bearer token.
+   * Rejects if the URL does not match internalBases.
+   */
+  async callInternal(url, init = {}) {
+    if (!this._isInternalUrl(url)) {
+      throw new Error(`JoopSso: URL "${url}" is not in internalBases`);
+    }
+    const token = this.getToken();
+    const headers = new Headers(init.headers);
+    if (token?.accessToken) headers.set("Authorization", `Bearer ${token.accessToken}`);
+    const res = await fetch(url, { ...init, headers });
+    if (!res.ok) throw new Error(`JoopSso: internal API error ${res.status}`);
+    const text = await res.text();
+    return text ? JSON.parse(text) : void 0;
+  }
+  // ── SSO Logout ──────────────────────────────────────────────────────────────
+  logout(redirectUri) {
+    this.clearToken();
+    if (this._config.logoutUrl) {
+      const url = redirectUri ? `${this._config.logoutUrl}?post_logout_redirect_uri=${encodeURIComponent(redirectUri)}` : this._config.logoutUrl;
+      window.location.href = url;
+    }
+  }
+  // ── Helpers ─────────────────────────────────────────────────────────────────
+  _isOriginAllowed(url) {
+    try {
+      const origin = new URL(url).origin;
+      return this._config.allowedOrigins.some((allowed) => {
+        const aOrigin = allowed.endsWith("/") ? allowed.slice(0, -1) : allowed;
+        return origin === aOrigin || origin.endsWith("." + aOrigin);
+      });
+    } catch {
+      return false;
+    }
+  }
+  _isInternalUrl(url) {
+    if (!this._config.internalBases?.length) return true;
+    return this._config.internalBases.some((base) => url.startsWith(base));
+  }
+  _loadFromStorage() {
+    try {
+      const raw = sessionStorage.getItem(this._storageKey);
+      if (raw) this._token = JSON.parse(raw);
+    } catch {
+    }
+  }
+};
+
+export { JoopAuthService, JoopBiometricService, JoopMfaService, JoopOIDCClient, JoopOtpService, JoopOtpTimer, JoopPKCEService, JoopSsoService, JoopTokenService };
+//# sourceMappingURL=index.mjs.map
+//# sourceMappingURL=index.mjs.map