postex-auth-sdk-stage 1.4.0 → 2.1.0

package/dist/postex-auth-sdk-stage.es.js

@@ -1,212 +1,222 @@
-function K() {
+function O() {
   return typeof window < "u" && typeof window.PublicKeyCredential < "u" && typeof navigator < "u" && typeof navigator.credentials < "u";
 }
 async function j() {
-  if (!K()) return !1;
+  if (!O()) return !1;
   try {
     return await PublicKeyCredential.isConditionalMediationAvailable?.() ?? !1;
   } catch {
     return !1;
   }
 }
-function y(a) {
-  const e = new Uint8Array(a);
+function N(s) {
+  const e = new Uint8Array(s);
   let n = "";
   for (let t = 0; t < e.byteLength; t++)
     n += String.fromCharCode(e[t]);
   return btoa(n);
 }
-function k(a) {
-  if (typeof a != "string" || !a)
+function C(s) {
+  if (typeof s != "string" || !s)
     throw new Error("Invalid base64: expected non-empty string");
-  const e = a.replace(/\s/g, "").replace(/-/g, "+").replace(/_/g, "/"), n = e.length % 4, t = n > 0 ? e + "=".repeat(4 - n) : e;
+  const e = s.replace(/\s/g, "").replace(/-/g, "+").replace(/_/g, "/"), n = e.length % 4, t = n > 0 ? e + "=".repeat(4 - n) : e;
   try {
-    const r = atob(t), s = new Uint8Array(r.length);
-    for (let o = 0; o < r.length; o++)
-      s[o] = r.charCodeAt(o);
-    return s.buffer;
+    const r = atob(t), o = new Uint8Array(r.length);
+    for (let a = 0; a < r.length; a++)
+      o[a] = r.charCodeAt(a);
+    return o.buffer;
   } catch {
     throw new Error(
       "Invalid base64: string is not correctly encoded. Check challenge/credentialId from server."
     );
   }
 }
-function m(a) {
-  return y(a).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/g, "");
+function p(s) {
+  return N(s).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/g, "");
 }
-function J(a) {
+function H(s) {
   return /^[0-9a-f]{8}-?[0-9a-f]{4}-?[0-9a-f]{4}-?[0-9a-f]{4}-?[0-9a-f]{12}$/i.test(
-    a
+    s
   );
 }
-function L(a) {
-  const e = a.replace(/-/g, ""), n = new Uint8Array(e.length / 2);
+function J(s) {
+  const e = s.replace(/-/g, ""), n = new Uint8Array(e.length / 2);
   for (let t = 0; t < n.length; t++)
     n[t] = parseInt(e.substr(t * 2, 2), 16);
   return n.buffer;
 }
-function M(a) {
-  if (!a || typeof a != "string")
+function b(s) {
+  if (!s || typeof s != "string")
     throw new Error("Invalid input: expected non-empty string");
-  return J(a) ? L(a) : k(a);
+  return H(s) ? J(s) : C(s);
 }
-function _(a) {
-  return new TextEncoder().encode(a).buffer;
+function T(s) {
+  return new TextEncoder().encode(s).buffer;
 }
-function W(a) {
-  return String.fromCharCode(...a);
+function F(s) {
+  return String.fromCharCode(...s);
 }
-const H = "xpay_webauthn", Y = 1, u = "passkey_data", S = "passkey_email", E = "passkey_mobile_number";
-function h() {
-  return new Promise((a, e) => {
-    const n = indexedDB.open(H, Y);
-    n.onerror = () => e(n.error), n.onsuccess = () => a(n.result), n.onupgradeneeded = () => {
+const W = "xpay_webauthn", G = 1, u = "passkey_data", _ = "passkey_email", E = "passkey_mobile_number";
+function f() {
+  return new Promise((s, e) => {
+    const n = indexedDB.open(W, G);
+    n.onerror = () => e(n.error), n.onsuccess = () => s(n.result), n.onupgradeneeded = () => {
       const t = n.result;
       t.objectStoreNames.contains(u) || t.createObjectStore(u);
     };
   });
 }
-async function F() {
+async function Y() {
   try {
-    const a = await h();
+    const s = await f();
     return new Promise((e, n) => {
-      const t = a.transaction(u, "readonly"), s = t.objectStore(u).get(S);
-      s.onerror = () => n(s.error), s.onsuccess = () => e(s.result ?? null), t.oncomplete = () => a.close();
+      const t = s.transaction(u, "readonly"), o = t.objectStore(u).get(_);
+      o.onerror = () => n(o.error), o.onsuccess = () => e(o.result ?? null), t.oncomplete = () => s.close();
     });
   } catch {
     return null;
   }
 }
-async function G(a) {
+async function V(s) {
   try {
-    const e = await h();
+    const e = await f();
     return new Promise((n, t) => {
-      const r = e.transaction(u, "readwrite"), o = r.objectStore(u).put(a, S);
-      o.onerror = () => t(o.error), o.onsuccess = () => n(), r.oncomplete = () => e.close();
+      const r = e.transaction(u, "readwrite"), a = r.objectStore(u).put(s, _);
+      a.onerror = () => t(a.error), a.onsuccess = () => n(), r.oncomplete = () => e.close();
     });
   } catch {
   }
 }
-async function V() {
+async function X() {
   try {
-    const a = await h();
+    const s = await f();
     return new Promise((e, n) => {
-      const t = a.transaction(u, "readwrite"), s = t.objectStore(u).delete(S);
-      s.onerror = () => n(s.error), s.onsuccess = () => e(), t.oncomplete = () => a.close();
+      const t = s.transaction(u, "readwrite"), o = t.objectStore(u).delete(_);
+      o.onerror = () => n(o.error), o.onsuccess = () => e(), t.oncomplete = () => s.close();
     });
   } catch {
   }
 }
-async function z() {
+async function Z() {
   try {
-    const a = await h();
+    const s = await f();
     return new Promise((e, n) => {
-      const t = a.transaction(u, "readonly"), s = t.objectStore(u).get(E);
-      s.onerror = () => n(s.error), s.onsuccess = () => e(s.result ?? null), t.oncomplete = () => a.close();
+      const t = s.transaction(u, "readonly"), o = t.objectStore(u).get(E);
+      o.onerror = () => n(o.error), o.onsuccess = () => e(o.result ?? null), t.oncomplete = () => s.close();
     });
   } catch {
     return null;
   }
 }
-async function X(a) {
+async function Q(s) {
   try {
-    const e = await h();
+    const e = await f();
     return new Promise((n, t) => {
-      const r = e.transaction(u, "readwrite"), o = r.objectStore(u).put(a, E);
-      o.onerror = () => t(o.error), o.onsuccess = () => n(), r.oncomplete = () => e.close();
+      const r = e.transaction(u, "readwrite"), a = r.objectStore(u).put(s, E);
+      a.onerror = () => t(a.error), a.onsuccess = () => n(), r.oncomplete = () => e.close();
     });
   } catch {
   }
 }
-async function Q() {
+async function ee() {
   try {
-    const a = await h();
+    const s = await f();
     return new Promise((e, n) => {
-      const t = a.transaction(u, "readwrite"), s = t.objectStore(u).delete(E);
-      s.onerror = () => n(s.error), s.onsuccess = () => e(), t.oncomplete = () => a.close();
+      const t = s.transaction(u, "readwrite"), o = t.objectStore(u).delete(E);
+      o.onerror = () => n(o.error), o.onsuccess = () => e(), t.oncomplete = () => s.close();
     });
   } catch {
   }
 }
-const x = "dpop_private_key", I = "dpop_public_key_jwk";
-function D(a) {
+const S = "dpop_private_key", I = "dpop_public_key_jwk";
+function K(s) {
+  if (!s || typeof s != "object") return !1;
+  const e = s;
+  return e.kty === "EC" && e.crv === "P-256" && typeof e.x == "string" && typeof e.y == "string";
+}
+class g extends Error {
+  constructor(e) {
+    super(e), this.name = "DPoPProofGenerationError";
+  }
+}
+function te(s) {
   return {
     kty: "EC",
     crv: "P-256",
-    x: a.x,
-    y: a.y
+    x: s.x,
+    y: s.y
   };
 }
-async function q(a) {
+async function q(s) {
   const e = JSON.stringify({
-    crv: a.crv,
-    kty: a.kty,
-    x: a.x,
-    y: a.y
+    crv: s.crv,
+    kty: s.kty,
+    x: s.x,
+    y: s.y
   }), n = await crypto.subtle.digest(
     "SHA-256",
     new TextEncoder().encode(e)
   );
-  return m(n);
+  return p(n);
 }
-async function B(a) {
+async function ne(s) {
   try {
-    const e = await h();
+    const e = await f();
     return new Promise((n, t) => {
-      const r = e.transaction(u, "readwrite"), o = r.objectStore(u).put(a, x);
-      o.onerror = () => t(o.error), o.onsuccess = () => n(), r.oncomplete = () => e.close();
+      const r = e.transaction(u, "readwrite"), a = r.objectStore(u).put(s, S);
+      a.onerror = () => t(a.error), a.onsuccess = () => n(), r.oncomplete = () => e.close();
     });
   } catch (e) {
     console.error("Failed to store DPoP private key:", e);
   }
 }
-async function Z(a) {
+async function oe(s) {
   try {
-    const e = await h();
+    const e = await f();
     return new Promise((n, t) => {
-      const r = e.transaction(u, "readwrite"), o = r.objectStore(u).put(a, I);
-      o.onerror = () => t(o.error), o.onsuccess = () => n(), r.oncomplete = () => e.close();
+      const r = e.transaction(u, "readwrite"), a = r.objectStore(u).put(s, I);
+      a.onerror = () => t(a.error), a.onsuccess = () => n(), r.oncomplete = () => e.close();
     });
   } catch (e) {
     console.error("Failed to store DPoP public key JWK:", e);
   }
 }
-async function A() {
+async function $() {
   try {
-    const a = await h();
+    const s = await f();
     return new Promise((e, n) => {
-      const t = a.transaction(u, "readonly"), s = t.objectStore(u).get(x);
-      s.onerror = () => n(s.error), s.onsuccess = () => e(s.result ?? null), t.oncomplete = () => a.close();
+      const t = s.transaction(u, "readonly"), o = t.objectStore(u).get(S);
+      o.onerror = () => n(o.error), o.onsuccess = () => e(o.result ?? null), t.oncomplete = () => s.close();
     });
   } catch {
     return null;
   }
 }
-async function R() {
+async function B() {
   try {
-    const a = await h();
+    const s = await f();
     return new Promise((e, n) => {
-      const t = a.transaction(u, "readonly"), s = t.objectStore(u).get(I);
-      s.onerror = () => n(s.error), s.onsuccess = () => e(s.result ?? null), t.oncomplete = () => a.close();
+      const t = s.transaction(u, "readonly"), o = t.objectStore(u).get(I);
+      o.onerror = () => n(o.error), o.onsuccess = () => e(o.result ?? null), t.oncomplete = () => s.close();
     });
   } catch {
     return null;
   }
 }
-async function N() {
+async function U() {
   try {
-    const a = await h();
+    const s = await f();
     return new Promise((e, n) => {
-      const t = a.transaction(u, "readwrite"), r = t.objectStore(u);
-      r.delete(x), r.delete(I), t.onerror = () => n(t.error), t.oncomplete = () => {
-        a.close(), e();
+      const t = s.transaction(u, "readwrite"), r = t.objectStore(u);
+      r.delete(S), r.delete(I), t.onerror = () => n(t.error), t.oncomplete = () => {
+        s.close(), e();
       };
     });
   } catch {
   }
 }
-async function g() {
-  const a = await crypto.subtle.generateKey(
+async function re() {
+  const s = await crypto.subtle.generateKey(
     {
       name: "ECDSA",
       namedCurve: "P-256"
@@ -214,137 +224,243 @@ async function g() {
     !1,
     // Private key is non-extractable
     ["sign", "verify"]
-  ), e = await crypto.subtle.exportKey("jwk", a.publicKey), n = D(e), t = await q(n);
-  return await B(a.privateKey), await Z(n), { publicKey: n, thumbprint: t };
+  ), e = await crypto.subtle.exportKey("jwk", s.publicKey), n = te(e), t = await q(n);
+  return await ne(s.privateKey), await oe(n), { publicKey: n, thumbprint: t };
+}
+async function se() {
+  const s = await $(), e = await B();
+  return s && K(e) ? {
+    publicKey: e,
+    thumbprint: await q(e)
+  } : ((s || e) && await U(), re());
 }
-async function w(a, e, n) {
+async function ae(s, e, n) {
   try {
-    const t = await A(), r = await R();
-    if (!t || !r) return null;
-    const s = {
+    const t = await $(), r = await B();
+    if (!t || !K(r))
+      throw new g(
+        "DPoP key material is unavailable or invalid"
+      );
+    const o = {
       typ: "dpop+jwt",
       alg: "ES256",
       jwk: r
       // Public key in JWK format
-    }, o = new URL(
+    }, a = new URL(
       e,
       typeof window < "u" ? window.location.origin : void 0
-    ), c = `${o.origin}${o.pathname}`, d = {
+    ), l = `${a.origin}${a.pathname}`, i = {
       jti: crypto.randomUUID(),
-      htm: a.toUpperCase(),
-      htu: c,
+      htm: s.toUpperCase(),
+      htu: l,
       iat: Math.floor(Date.now() / 1e3)
     };
     if (n) {
-      const P = new TextEncoder().encode(n), $ = await crypto.subtle.digest("SHA-256", P);
-      d.ath = m($);
+      const k = new TextEncoder().encode(n), z = await crypto.subtle.digest("SHA-256", k);
+      i.ath = p(z);
     }
-    const l = m(
-      new TextEncoder().encode(JSON.stringify(s)).buffer
-    ), i = m(
-      new TextEncoder().encode(JSON.stringify(d)).buffer
-    ), p = `${l}.${i}`, f = await crypto.subtle.sign(
+    const d = p(
+      new TextEncoder().encode(JSON.stringify(o)).buffer
+    ), c = p(
+      new TextEncoder().encode(JSON.stringify(i)).buffer
+    ), h = `${d}.${c}`, w = await crypto.subtle.sign(
       {
         name: "ECDSA",
         hash: { name: "SHA-256" }
       },
       t,
-      new TextEncoder().encode(p)
-    ), b = m(f);
-    return `${l}.${i}.${b}`;
+      new TextEncoder().encode(h)
+    ), m = p(w);
+    return `${d}.${c}.${m}`;
   } catch (t) {
-    return console.error("Failed to generate DPoP proof:", t), null;
+    throw console.error("Failed to generate DPoP proof:", t), t instanceof g ? t : new g("Failed to generate DPoP proof");
   }
 }
-async function ee() {
-  return await A() !== null;
-}
-const te = B, U = {
-  isWebAuthnSupported: K,
+const L = {
+  isWebAuthnSupported: O,
   isConditionalUISupported: j,
-  arrayBufferToBase64: y,
-  base64ToArrayBuffer: k,
-  arrayBufferToBase64url: m,
-  base64urlToArrayBuffer: M,
-  stringToArrayBuffer: _,
-  uint8ArrayToString: W,
-  getPasskeyEmail: F,
-  setPasskeyEmail: G,
-  clearPasskeyEmail: V,
-  getPasskeyMobileNumber: z,
-  setPasskeyMobileNumber: X,
-  clearPasskeyMobileNumber: Q,
-  toMinimalJWK: D,
-  calculateThumbprint: q,
-  getDPoPKey: A,
-  getDPoPPublicKeyJWK: R,
-  clearDPoPKey: N,
-  generateDPoPKeyPair: g,
-  generateDPoPProof: w,
-  isDPoPEnabled: ee,
-  storeDPoPKey: te
+  arrayBufferToBase64: N,
+  base64ToArrayBuffer: C,
+  arrayBufferToBase64url: p,
+  base64urlToArrayBuffer: b,
+  stringToArrayBuffer: T,
+  uint8ArrayToString: F,
+  getPasskeyEmail: Y,
+  setPasskeyEmail: V,
+  clearPasskeyEmail: X,
+  getPasskeyMobileNumber: Z,
+  setPasskeyMobileNumber: Q,
+  clearPasskeyMobileNumber: ee
 };
-typeof window < "u" && (window.WebAuthn = U);
-const ne = typeof window < "u" ? window : globalThis;
-ne.WebAuthn = U;
-const T = "postex-auth-token", se = "postexglobal", re = {
+typeof window < "u" && (window.WebAuthn = L);
+const ie = typeof window < "u" ? window : globalThis;
+ie.WebAuthn = L;
+const P = "postex-auth-token", ce = "postexglobal", le = {
   xstak: "https://auth-stage.xstak.com/public/v1",
   postex: "https://auth-stage.postex.pk/public/v1",
   callcourier: "https://auth-stage.callcourier.com.pk/public/v1",
   postexglobal: "https://auth-stage.postexglobal.com/public/v1",
   postexsa: "https://auth-stage.postex.sa/public/v1"
-};
-class oe extends Error {
+}, ue = /^[^\s@]+@[^\s@]+\.[^\s@]{2,}$/, de = /^\+[1-9]\d{6,14}$/, he = /^\d{6}$/, pe = /^[A-Za-z0-9_-]{16,512}$/, ye = /[\u0000-\u001F\u007F-\u009F]/, me = /[A-Za-z]/, fe = /[\u0400-\u04FF]/, x = 254, v = 16, A = 64;
+class we extends Error {
   constructor(e, n, t) {
     super(t ?? `Request failed with status ${e}`), this.response = { status: e, data: n }, this.name = "AuthSDKFetchError";
   }
 }
-const O = "auth_sdk_id_token", v = "auth_sdk_refresh_token";
-class C {
+class y extends Error {
+  constructor(e, n, t = "invalid_input") {
+    super(n), this.field = e, this.code = t, this.name = "SDKValidationError";
+  }
+}
+const D = "auth_sdk_id_token", R = "auth_sdk_refresh_token";
+class M {
   constructor(e) {
-    this.config = e;
+    this.config = e, this.dpopInitializationPromise = this.createDPoPInitializationPromise();
   }
   getBaseUrl() {
-    const e = this.config.appId ?? se;
-    return re[e];
+    const e = this.config.appId ?? ce;
+    return le[e];
+  }
+  async initializeDPoPState() {
+    await se();
+  }
+  async ensureDPoPInitialized() {
+    await this.dpopInitializationPromise;
+  }
+  createDPoPInitializationPromise() {
+    const e = this.initializeDPoPState();
+    return e.catch(() => {
+    }), e;
+  }
+  resetDPoPInitialization() {
+    this.dpopInitializationPromise = this.createDPoPInitializationPromise();
+  }
+  async getRequiredDPoPProof(e, n, t) {
+    return await this.ensureDPoPInitialized(), ae(e.toUpperCase(), n, t);
+  }
+  containsControlChars(e) {
+    return ye.test(e);
+  }
+  hasMixedLatinAndCyrillic(e) {
+    return me.test(e) && fe.test(e);
+  }
+  assertNoControlChars(e, n) {
+    if (this.containsControlChars(n))
+      throw new y(
+        e,
+        `${e} must not contain control characters`
+      );
+  }
+  validateEmail(e, n = "email") {
+    const t = e.trim();
+    if (!t)
+      throw new y(n, `${n} is required`);
+    if (t.length > x)
+      throw new y(
+        n,
+        `${n} must be ${x} characters or fewer`
+      );
+    this.assertNoControlChars(n, t);
+    const [r = ""] = t.split("@");
+    if (this.hasMixedLatinAndCyrillic(r))
+      throw new y(
+        n,
+        `${n} must not mix Latin and Cyrillic characters in the local part`
+      );
+    if (!ue.test(t))
+      throw new y(n, `${n} must be a valid email`);
+    return t;
+  }
+  validateMobileNumber(e, n = "mobileNumber") {
+    const t = e.trim();
+    if (!t)
+      throw new y(n, `${n} is required`);
+    if (t.length > v)
+      throw new y(
+        n,
+        `${n} must be ${v} characters or fewer`
+      );
+    if (this.assertNoControlChars(n, t), !de.test(t))
+      throw new y(n, `${n} must be in E.164 format`);
+    return t;
+  }
+  validateOTP(e, n = "otp") {
+    const t = e.trim();
+    if (this.assertNoControlChars(n, t), !he.test(t))
+      throw new y(n, `${n} must be a 6-digit code`);
+    return t;
+  }
+  validateMagicLinkToken(e, n = "token") {
+    const t = e.trim();
+    if (this.assertNoControlChars(n, t), !pe.test(t))
+      throw new y(
+        n,
+        `${n} must be 16-512 URL-safe characters`
+      );
+    return t;
+  }
+  validateRealm(e) {
+    const n = e?.trim();
+    if (n) {
+      if (this.assertNoControlChars("realm", n), n.length > A)
+        throw new y(
+          "realm",
+          `realm must be ${A} characters or fewer`
+        );
+      return n;
+    }
+  }
+  normalizeAndValidateIdentifier(e) {
+    return typeof e == "string" ? { email: this.validateEmail(e) } : {
+      email: e.email ? this.validateEmail(e.email) : void 0,
+      mobileNumber: e.mobileNumber ? this.validateMobileNumber(e.mobileNumber) : void 0
+    };
   }
   normalizeAuthIdentifier(e) {
-    return typeof e == "string" ? { email: e } : {
-      email: e.email,
-      mobileNumber: e.mobileNumber
+    return this.normalizeAndValidateIdentifier(e);
+  }
+  extractRealm(e, n) {
+    const t = n?.realm ?? (e && typeof e != "string" ? e.realm : void 0);
+    return this.validateRealm(t);
+  }
+  buildAuthRequestBody(e, n) {
+    const t = this.normalizeAuthIdentifier(e), r = this.extractRealm(e, n);
+    return {
+      ...t,
+      ...r ? { realm: r } : {}
     };
   }
   buildUrl(e, n) {
-    const t = this.getBaseUrl().replace(/\/$/, ""), r = e.startsWith("/") ? e : `/${e}`, s = `${t}${r}`;
-    if (!n || Object.keys(n).length === 0) return s;
-    const o = new URLSearchParams(n).toString();
-    return `${s}?${o}`;
+    const t = this.getBaseUrl().replace(/\/$/, ""), r = e.startsWith("/") ? e : `/${e}`, o = `${t}${r}`;
+    if (!n || Object.keys(n).length === 0) return o;
+    const a = new URLSearchParams(n).toString();
+    return `${o}?${a}`;
   }
   async request(e, n, t) {
-    const r = this.buildUrl(n, t?.params), s = {
+    const r = this.buildUrl(n, t?.params), o = {
       "Content-Type": "application/json",
       Accept: "application/json",
       "X-API-Key": this.config.apiKey ?? "",
       ...t?.headers
-    }, o = {
+    }, a = {
       method: e,
       credentials: "include",
-      headers: s
+      headers: o
     };
-    t?.body !== void 0 && t?.body !== null && (o.body = JSON.stringify(t.body));
-    const c = await fetch(r, o);
-    if (!c.ok) {
-      let i;
+    t?.body !== void 0 && t?.body !== null && (a.body = JSON.stringify(t.body));
+    const l = await fetch(r, a);
+    if (!l.ok) {
+      let c;
       try {
-        const p = await c.text();
-        i = p ? JSON.parse(p) : void 0;
+        const h = await l.text();
+        c = h ? JSON.parse(h) : void 0;
       } catch {
-        i = void 0;
+        c = void 0;
       }
-      throw c.status === 401 && await this.clearTokens(), new oe(c.status, i);
+      throw l.status === 401 && await this.clearTokens(), new we(l.status, c);
     }
-    const d = await c.text();
-    return { data: d ? JSON.parse(d) : {} };
+    const i = await l.text();
+    return { data: i ? JSON.parse(i) : {} };
   }
   /**
    * Returns auth headers (Authorization + DPoP) for the given request.
@@ -353,59 +469,59 @@ class C {
    * @param url - Full request URL
    */
   async getRequestAuthHeaders(e, n) {
-    const t = localStorage.getItem(T);
+    const t = localStorage.getItem(P);
     if (!t) return {};
-    const r = n.startsWith("http") ? n : `${this.getBaseUrl()}${n}`, s = await w(
-      e.toUpperCase(),
-      r,
-      t
-    ), o = {
-      Authorization: `Bearer ${t}`
+    const r = n.startsWith("http") ? n : `${this.getBaseUrl()}${n}`, o = await this.getRequiredDPoPProof(e, r, t);
+    return {
+      Authorization: `Bearer ${t}`,
+      DPoP: o
     };
-    return s && (o.DPoP = s), o;
   }
   /**
    * GET /auth/status - Check if client has trusted device session and what auth method is available.
    * Returns no_session | session_found | webauthn_ready per PostEx Auth BFF spec.
    */
-  async getStatus(e) {
-    const n = {};
-    typeof e == "string" ? n.email = e : (e.email && (n.email = e.email), e.mobileNumber && (n.mobileNumber = e.mobileNumber));
-    const t = await this.request("GET", "/auth/status", {
-      params: n
+  async getStatus(e, n) {
+    const t = this.normalizeAuthIdentifier(e), r = this.extractRealm(e, n), o = {};
+    t.email && (o.email = t.email), t.mobileNumber && (o.mobileNumber = t.mobileNumber), r && (o.realm = r);
+    const a = await this.request("GET", "/auth/status", {
+      params: o
     });
-    return t.data.data ?? t.data;
+    return a.data.data ?? a.data;
   }
   /**
    * POST /auth/initiate - Unified entry: returns webauthn_challenge or otp_sent.
    * Sets auth_session cookie when otp_sent.
    */
-  async initiateAuth(e) {
-    const n = this.normalizeAuthIdentifier(e), t = await this.request("POST", "/auth/initiate", {
-      body: n
-    }), r = t.data.data ?? t.data;
+  async initiateAuth(e, n) {
+    const t = this.buildAuthRequestBody(e, n), r = await this.request("POST", "/auth/initiate", {
+      body: t
+    }), o = r.data.data ?? r.data;
     return {
-      status: r.status,
-      challenge: r.challenge,
-      credentialIds: r.credentialIds,
-      rp: r.rp
+      status: o.status,
+      challenge: o.challenge,
+      credentialIds: o.credentialIds,
+      rp: o.rp
     };
   }
   /**
    * POST /otp/initiate - Direct OTP initiation using email or mobile number.
    * Requires at least one identifier: email or mobileNumber.
    */
-  async initiateOTP(e) {
-    const n = this.normalizeAuthIdentifier(e), t = n.email?.trim(), r = n.mobileNumber?.trim();
-    if (!t && !r)
-      throw new Error("Either mobileNumber or email is required");
-    const s = {};
-    t && (s.email = t), r && (s.mobileNumber = r);
-    const c = (await this.request("POST", "/otp/initiate", {
-      body: s
+  async initiateOTP(e, n) {
+    const t = this.normalizeAuthIdentifier(e), r = this.extractRealm(e, n), o = t.email, a = t.mobileNumber;
+    if (!o && !a)
+      throw new y(
+        "identifier",
+        "Either mobileNumber or email is required"
+      );
+    const l = {};
+    o && (l.email = o), a && (l.mobileNumber = a), r && (l.realm = r);
+    const d = (await this.request("POST", "/otp/initiate", {
+      body: l
     })).data;
     return {
-      message: c.message ?? c.data?.message
+      message: d.message ?? d.data?.message
     };
   }
   /**
@@ -413,29 +529,28 @@ class C {
    * Stores tokens from the response.
    */
   async verifyOTP(e) {
-    await g();
-    const n = await w(
+    const n = this.validateOTP(e), t = await this.getRequiredDPoPProof(
       "POST",
       `${this.getBaseUrl()}/otp/verify`
-    ), t = await this.request("POST", "/otp/verify", {
-      body: { otp: e },
-      headers: n ? { DPoP: n } : {}
-    }), r = t.data.data ?? t.data, s = r.AuthenticationResult ?? r, o = s.access_token ?? s.accessToken ?? s.AccessToken, c = s.refresh_token ?? s.refreshToken ?? s.RefreshToken, d = s.id_token ?? s.idToken ?? s.IdToken, l = s.expires_in ?? s.expiresIn ?? s.ExpiresIn ?? 3600, i = s.token_type ?? s.tokenType ?? s.TokenType ?? "Bearer";
-    return o && await this.storeTokens({
-      accessToken: o,
-      refreshToken: c ?? "",
+    ), r = await this.request("POST", "/otp/verify", {
+      body: { otp: n },
+      headers: { DPoP: t }
+    }), o = r.data.data ?? r.data, a = o.AuthenticationResult ?? o, l = a.access_token ?? a.accessToken ?? a.AccessToken, i = a.refresh_token ?? a.refreshToken ?? a.RefreshToken, d = a.id_token ?? a.idToken ?? a.IdToken, c = a.expires_in ?? a.expiresIn ?? a.ExpiresIn ?? 3600, h = a.token_type ?? a.tokenType ?? a.TokenType ?? "Bearer";
+    return l && await this.storeTokens({
+      accessToken: l,
+      refreshToken: i ?? "",
       idToken: d ?? "",
-      expiresIn: l ?? 3600,
-      tokenType: i ?? "Bearer"
+      expiresIn: c ?? 3600,
+      tokenType: h ?? "Bearer"
     }), {
-      access_token: o,
-      refresh_token: c ?? "",
+      access_token: l,
+      refresh_token: i ?? "",
       id_token: d ?? "",
-      expires_in: l,
-      token_type: i,
-      verified: s.verified ?? s.Verified ?? !0,
-      email: s.email ?? s.Email ?? "",
-      ...s
+      expires_in: c,
+      token_type: h,
+      verified: a.verified,
+      email: a.email ?? a.Email ?? "",
+      ...a
     };
   }
   /**
@@ -445,7 +560,7 @@ class C {
   async resendOTP() {
     const e = await this.request("POST", "/otp/resend", {}), n = e.data.data ?? e.data;
     return {
-      success: n.success ?? !0,
+      success: n.success,
       message: n.message,
       ...n
     };
@@ -458,29 +573,28 @@ class C {
     mobileNumber: e,
     otp: n
   }) {
-    await g();
-    const t = await w(
+    const t = this.validateMobileNumber(e), r = this.validateOTP(n), o = await this.getRequiredDPoPProof(
       "POST",
       `${this.getBaseUrl()}/otp/signup/verify`
-    ), r = await this.request("POST", "/otp/signup/verify", {
-      body: { mobileNumber: e, otp: n },
-      headers: t ? { DPoP: t } : {}
-    }), s = r.data.data ?? r.data, o = s.AuthenticationResult ?? s, c = o.access_token ?? o.accessToken ?? o.AccessToken, d = o.refresh_token ?? o.refreshToken ?? o.RefreshToken, l = o.id_token ?? o.idToken ?? o.IdToken, i = o.expires_in ?? o.expiresIn ?? o.ExpiresIn ?? 3600, p = o.token_type ?? o.tokenType ?? o.TokenType ?? "Bearer";
-    return c && await this.storeTokens({
-      accessToken: c,
-      refreshToken: d ?? "",
-      idToken: l ?? "",
-      expiresIn: i ?? 3600,
-      tokenType: p ?? "Bearer"
+    ), a = await this.request("POST", "/otp/signup/verify", {
+      body: { mobileNumber: t, otp: r },
+      headers: { DPoP: o }
+    }), l = a.data.data ?? a.data, i = l.AuthenticationResult ?? l, d = i.access_token ?? i.accessToken ?? i.AccessToken, c = i.refresh_token ?? i.refreshToken ?? i.RefreshToken, h = i.id_token ?? i.idToken ?? i.IdToken, w = i.expires_in ?? i.expiresIn ?? i.ExpiresIn ?? 3600, m = i.token_type ?? i.tokenType ?? i.TokenType ?? "Bearer";
+    return d && await this.storeTokens({
+      accessToken: d,
+      refreshToken: c ?? "",
+      idToken: h ?? "",
+      expiresIn: w ?? 3600,
+      tokenType: m ?? "Bearer"
     }), {
-      access_token: c,
-      refresh_token: d ?? "",
-      id_token: l ?? "",
-      expires_in: i,
-      token_type: p,
-      verified: o.verified ?? o.Verified ?? !0,
-      email: o.email ?? o.Email ?? "",
-      ...o
+      access_token: d,
+      refresh_token: c ?? "",
+      id_token: h ?? "",
+      expires_in: w,
+      token_type: m,
+      verified: i.verified,
+      email: i.email ?? i.Email ?? "",
+      ...i
     };
   }
   /**
@@ -490,22 +604,26 @@ class C {
     mobileNumber: e,
     email: n = ""
   }) {
-    const t = await this.request("POST", "/otp/signup/resend", {
-      body: { email: n, mobileNumber: e }
-    }), r = t.data.data ?? t.data;
+    const t = this.validateMobileNumber(e), r = n ? this.validateEmail(n) : "", o = await this.request("POST", "/otp/signup/resend", {
+      body: { email: r, mobileNumber: t }
+    }), a = o.data.data ?? o.data;
     return {
-      success: r.success ?? !0,
-      message: r.message,
-      ...r
+      success: a.success,
+      message: a.message,
+      ...a
     };
   }
   /**
    * GET /magic-link - Verify a magic link token.
    * Sets auth_session cookie on success.
    */
-  async verifyMagicLink(e, n) {
+  async verifyMagicLink(e) {
+    const n = this.validateMagicLinkToken(e);
     await this.request("GET", "/verify/magic-link", {
-      params: { token: e, email: n, redirect_mode: "frontend" }
+      params: {
+        token: n,
+        redirect_mode: "frontend"
+      }
     });
   }
   /**
@@ -520,20 +638,20 @@ class C {
       {
         body: {}
       }
-    ), n = e.data.data ?? e.data, t = n.AuthenticationResult ?? n, r = t.access_token ?? t.accessToken ?? t.AccessToken, s = t.refresh_token ?? t.refreshToken ?? t.RefreshToken, o = t.id_token ?? t.idToken ?? t.IdToken, c = t.expires_in ?? t.expiresIn ?? t.ExpiresIn ?? 3600, d = t.token_type ?? t.tokenType ?? t.TokenType ?? "Bearer";
+    ), n = e.data.data ?? e.data, t = n.AuthenticationResult ?? n, r = t.access_token ?? t.accessToken ?? t.AccessToken, o = t.refresh_token ?? t.refreshToken ?? t.RefreshToken, a = t.id_token ?? t.idToken ?? t.IdToken, l = t.expires_in ?? t.expiresIn ?? t.ExpiresIn ?? 3600, i = t.token_type ?? t.tokenType ?? t.TokenType ?? "Bearer";
     return r && await this.storeTokens({
       accessToken: r,
-      refreshToken: s ?? "",
-      idToken: o ?? "",
-      expiresIn: c ?? 3600,
-      tokenType: d ?? "Bearer"
+      refreshToken: o ?? "",
+      idToken: a ?? "",
+      expiresIn: l ?? 3600,
+      tokenType: i ?? "Bearer"
     }), {
       access_token: r,
-      refresh_token: s ?? "",
-      id_token: o ?? "",
-      expires_in: c,
-      token_type: d,
-      verified: t.verified ?? t.Verified ?? !0,
+      refresh_token: o ?? "",
+      id_token: a ?? "",
+      expires_in: l,
+      token_type: i,
+      verified: t.verified,
       email: t.email ?? t.Email ?? "",
       ...t
     };
@@ -549,68 +667,67 @@ class C {
     return e.data.data ?? e.data;
   }
   async registerPasskey(e) {
-    const n = await this.initiatePasskeyRegistration();
-    let t;
-    if (n?.user?.id)
+    const n = this.validateEmail(e), t = await this.initiatePasskeyRegistration();
+    let r;
+    if (t?.user?.id)
       try {
-        t = k(n.user.id);
+        r = b(t.user.id);
       } catch {
-        t = _(n.user.id);
+        r = T(t.user.id);
       }
     else
-      t = _(e);
-    const r = (n.pubKeyCredParams ?? [
+      r = T(n);
+    const o = (t.pubKeyCredParams ?? [
       { type: "public-key", alg: -7 },
       { type: "public-key", alg: -257 }
-    ]).map((f) => ({
+    ]).map((m) => ({
       type: "public-key",
-      alg: f.alg
-    })), s = n.excludeCredentials?.map((f) => ({
+      alg: m.alg
+    })), a = t.excludeCredentials?.map((m) => ({
       type: "public-key",
-      id: k(f)
-    })), o = {
-      challenge: k(n.challenge),
+      id: b(m)
+    })), l = {
+      challenge: b(t.challenge),
       rp: {
-        name: n.rp?.name ?? "XPay",
-        id: n.rp?.id ?? window.location.hostname
+        name: t.rp?.name ?? "XPay",
+        id: t.rp?.id ?? window.location.hostname
       },
       user: {
-        id: t,
-        name: n.user?.name ?? e,
-        displayName: n.user?.displayName ?? e
+        id: r,
+        name: t.user?.name ?? n,
+        displayName: t.user?.displayName ?? n
       },
-      pubKeyCredParams: r,
-      excludeCredentials: s,
-      timeout: n.timeout ?? 6e4,
+      pubKeyCredParams: o,
+      excludeCredentials: a,
+      timeout: t.timeout ?? 6e4,
       attestation: "direct",
       authenticatorSelection: {
         residentKey: "required",
         userVerification: "required",
         authenticatorAttachment: "platform"
       }
-    }, c = await navigator.credentials.create({
-      publicKey: o
+    }, i = await navigator.credentials.create({
+      publicKey: l
     });
-    if (!c) throw new Error("Credential creation failed");
-    const d = c.response, l = {
-      clientDataJSON: y(d.clientDataJSON),
-      attestationObject: y(d.attestationObject),
-      rawId: y(c.rawId)
+    if (!i) throw new Error("Credential creation failed");
+    const d = i.response, c = {
+      clientDataJSON: p(d.clientDataJSON),
+      attestationObject: p(d.attestationObject),
+      rawId: p(i.rawId)
     };
-    if (!l.rawId) throw new Error("Raw ID is required");
-    await g();
-    const i = await w(
+    if (!c.rawId) throw new Error("Raw ID is required");
+    const h = await this.getRequiredDPoPProof(
       "POST",
       `${this.getBaseUrl()}/webauthn/register/challenge`
-    ), p = await this.request(
+    ), w = await this.request(
       "POST",
       "/webauthn/register/challenge",
       {
-        body: l,
-        headers: i ? { DPoP: i } : {}
+        body: c,
+        headers: { DPoP: h }
       }
     );
-    return p.data.data ?? p.data;
+    return w.data.data ?? w.data;
   }
   /**
    * POST /webauthn/authenticate/challenge - Authenticate with passkey.
@@ -622,11 +739,11 @@ class C {
   }) {
     const r = await navigator.credentials.get({
       publicKey: {
-        challenge: k(e),
+        challenge: b(e),
         rpId: n?.host ?? void 0,
-        allowCredentials: t.map((P) => ({
+        allowCredentials: t.map((k) => ({
           type: "public-key",
-          id: k(P),
+          id: b(k),
           transports: ["internal"]
         })),
         timeout: 6e4,
@@ -634,54 +751,52 @@ class C {
       }
     });
     if (!r) throw new Error("Authentication failed");
-    const s = r.response, o = {
-      clientDataJSON: y(s.clientDataJSON),
-      authenticatorData: y(
-        s.authenticatorData
+    const o = r.response, a = {
+      clientDataJSON: p(o.clientDataJSON),
+      authenticatorData: p(
+        o.authenticatorData
       ),
-      signature: y(s.signature),
-      rawId: y(r.rawId),
-      userHandle: s.userHandle ? y(s.userHandle) : ""
-    };
-    await g();
-    const c = await w(
+      signature: p(o.signature),
+      rawId: p(r.rawId),
+      userHandle: o.userHandle ? p(o.userHandle) : ""
+    }, l = await this.getRequiredDPoPProof(
       "POST",
       `${this.getBaseUrl()}/webauthn/authenticate/challenge`
-    ), d = await this.request(
+    ), i = await this.request(
       "POST",
       "/webauthn/authenticate/challenge",
       {
-        body: o,
-        headers: c ? { DPoP: c } : {}
+        body: a,
+        headers: { DPoP: l }
       }
-    ), l = d.data.data ?? d.data, i = l.AuthenticationResult ?? l, p = i.AccessToken ?? i.accessToken ?? i.access_token, f = i.RefreshToken ?? i.refreshToken ?? i.refresh_token, b = i.IdToken ?? i.idToken ?? i.id_token;
-    return p && await this.storeTokens({
-      accessToken: p,
-      refreshToken: f ?? "",
-      idToken: b ?? "",
-      expiresIn: i.expiresIn ?? i.ExpiresIn ?? 3600,
-      tokenType: i.tokenType ?? i.token_type ?? "Bearer"
+    ), d = i.data.data ?? i.data, c = d.AuthenticationResult ?? d, h = c.AccessToken ?? c.accessToken ?? c.access_token, w = c.RefreshToken ?? c.refreshToken ?? c.refresh_token, m = c.IdToken ?? c.idToken ?? c.id_token;
+    return h && await this.storeTokens({
+      accessToken: h,
+      refreshToken: w ?? "",
+      idToken: m ?? "",
+      expiresIn: c.expiresIn ?? c.ExpiresIn ?? 3600,
+      tokenType: c.tokenType ?? c.token_type ?? "Bearer"
     }), {
-      access_token: p,
-      refresh_token: f ?? "",
-      id_token: b,
-      email: i.email,
-      name: i.name ?? i.userName,
-      expiresIn: i.expiresIn ?? i.ExpiresIn,
-      tokenType: i.tokenType ?? i.token_type,
-      ...i
+      access_token: h,
+      refresh_token: w ?? "",
+      id_token: m,
+      email: c.email,
+      name: c.name ?? c.userName,
+      expiresIn: c.expiresIn ?? c.ExpiresIn,
+      tokenType: c.tokenType ?? c.token_type,
+      ...c
     };
   }
   /**
    * GET /webauthn/credentials/:username - Get user's passkey status.
    */
   async getPasskeyStatus(e) {
-    const t = `/webauthn/credentials/${encodeURIComponent(e)}`, r = await this.signRequest("GET", t), s = await this.request("GET", t, {
+    const t = `/webauthn/credentials/${encodeURIComponent(e)}`, r = await this.signRequest("GET", t), o = await this.request("GET", t, {
       headers: r.headers
-    }), o = s.data.data ?? s.data;
+    }), a = o.data.data ?? o.data;
     return {
-      ...o,
-      hasCredentials: !!(o.hasCredentials ?? o.credentialId)
+      ...a,
+      hasCredentials: !!(a.hasCredentials ?? a.credentialId)
     };
   }
   /**
@@ -697,49 +812,49 @@ class C {
    * Signs a request with DPoP and Authorization headers (internal use).
    */
   async signRequest(e, n, t = {}) {
-    const r = n.startsWith("http") ? n : `${this.getBaseUrl()}${n}`, s = await this.getRequestAuthHeaders(e, r);
-    return { ...t, headers: { ...t.headers, ...s } };
+    const r = n.startsWith("http") ? n : `${this.getBaseUrl()}${n}`, o = await this.getRequestAuthHeaders(e, r);
+    return { ...t, headers: { ...t.headers, ...o } };
   }
   /**
    * Replaces native fetch or Axios with a DPoP-signed version.
    */
   async authenticatedFetch(e, n) {
-    const t = typeof e == "string" ? e : e instanceof URL ? e.toString() : e.url, r = n?.method || "GET", s = await this.signRequest(r, t, {
+    const t = typeof e == "string" ? e : e instanceof URL ? e.toString() : e.url, r = n?.method || "GET", o = await this.signRequest(r, t, {
       headers: n?.headers
     });
-    return fetch(e, { ...n, headers: s.headers });
+    return fetch(e, { ...n, headers: o.headers });
   }
   /**
    * Store tokens from /webauthn/authenticate (per spec: sessionStorage preferred).
    */
   async storeTokens(e) {
-    localStorage.setItem(T, e.accessToken), e.refreshToken && localStorage.setItem(v, e.refreshToken), e.idToken && localStorage.setItem(O, e.idToken);
+    localStorage.setItem(P, e.accessToken), e.refreshToken && localStorage.setItem(R, e.refreshToken), e.idToken && localStorage.setItem(D, e.idToken);
   }
   /**
    * Clear stored tokens (call on logout).
    */
   async clearTokens() {
-    localStorage.removeItem(T), localStorage.removeItem(O), localStorage.removeItem(v);
+    localStorage.removeItem(P), localStorage.removeItem(D), localStorage.removeItem(R);
   }
   /**
    * POST /auth/refresh - Refresh access token using server-stored refresh token.
    * Requires trusted device cookie (td). Refresh token is stored server-side.
    * Rate limit: 10 requests per minute.
    */
-  async refreshToken() {
-    const e = await this.request("POST", "/auth/refresh", {
-      body: {}
-    }), n = e.data.data ?? e.data, t = n.access_token, r = n.id_token ?? "", s = n.token_type ?? "Bearer", o = n.expires_in ?? 3600;
-    return t && await this.storeTokens({
-      accessToken: t,
-      idToken: r,
-      expiresIn: o,
-      tokenType: s
+  async refreshToken(e) {
+    const n = this.extractRealm(void 0, e), t = await this.request("POST", "/auth/refresh", {
+      body: n ? { realm: n } : {}
+    }), r = t.data.data ?? t.data, o = r.access_token, a = r.id_token ?? "", l = r.token_type ?? "Bearer", i = r.expires_in ?? 3600;
+    return o && await this.storeTokens({
+      accessToken: o,
+      idToken: a,
+      expiresIn: i,
+      tokenType: l
     }), {
-      access_token: t,
-      id_token: r,
-      token_type: s,
-      expires_in: o
+      access_token: o,
+      id_token: a,
+      token_type: l,
+      expires_in: i
     };
   }
   /**
@@ -748,44 +863,35 @@ class C {
    */
   async logout() {
     try {
-      const e = await this.getAccessToken(), n = {};
-      e && (n.Authorization = `Bearer ${e}`), await this.request("POST", "/auth/logout", { body: {}, headers: n }), N();
+      const n = await this.getAccessToken() ? await this.signRequest("POST", "/auth/logout", { body: {} }) : { body: {} };
+      await this.request("POST", "/auth/logout", n), await U(), this.resetDPoPInitialization();
     } catch {
     }
     await this.clearTokens();
   }
   async getAccessToken() {
-    return localStorage.getItem(T);
+    return localStorage.getItem(P);
   }
 }
-typeof window < "u" && (window.AuthSDK = C);
-const ae = typeof window < "u" ? window : globalThis;
-ae.AuthSDK = C;
+typeof window < "u" && (window.AuthSDK = M);
+const be = typeof window < "u" ? window : globalThis;
+be.AuthSDK = M;
 export {
-  C as AuthSDK,
-  oe as AuthSDKFetchError,
-  y as arrayBufferToBase64,
-  m as arrayBufferToBase64url,
-  k as base64ToArrayBuffer,
-  M as base64urlToArrayBuffer,
-  q as calculateThumbprint,
-  N as clearDPoPKey,
-  V as clearPasskeyEmail,
-  Q as clearPasskeyMobileNumber,
-  g as generateDPoPKeyPair,
-  w as generateDPoPProof,
-  A as getDPoPKey,
-  R as getDPoPPublicKeyJWK,
-  F as getPasskeyEmail,
-  z as getPasskeyMobileNumber,
+  M as AuthSDK,
+  we as AuthSDKFetchError,
+  y as SDKValidationError,
+  N as arrayBufferToBase64,
+  p as arrayBufferToBase64url,
+  C as base64ToArrayBuffer,
+  b as base64urlToArrayBuffer,
+  X as clearPasskeyEmail,
+  ee as clearPasskeyMobileNumber,
+  Y as getPasskeyEmail,
+  Z as getPasskeyMobileNumber,
   j as isConditionalUISupported,
-  ee as isDPoPEnabled,
-  K as isWebAuthnSupported,
-  G as setPasskeyEmail,
-  X as setPasskeyMobileNumber,
-  te as storeDPoPKey,
-  _ as stringToArrayBuffer,
-  D as toMinimalJWK,
-  W as uint8ArrayToString
+  O as isWebAuthnSupported,
+  V as setPasskeyEmail,
+  Q as setPasskeyMobileNumber,
+  T as stringToArrayBuffer,
+  F as uint8ArrayToString
 };
-//# sourceMappingURL=postex-auth-sdk-stage.es.js.map