postex-auth-sdk-stage 2.0.0 → 2.1.0

package/dist/postex-auth-sdk-stage.es.js

@@ -1,212 +1,222 @@
-function K() {
+function O() {
   return typeof window < "u" && typeof window.PublicKeyCredential < "u" && typeof navigator < "u" && typeof navigator.credentials < "u";
 }
 async function j() {
-  if (!K()) return !1;
+  if (!O()) return !1;
   try {
     return await PublicKeyCredential.isConditionalMediationAvailable?.() ?? !1;
   } catch {
     return !1;
   }
 }
-function y(a) {
-  const e = new Uint8Array(a);
+function N(s) {
+  const e = new Uint8Array(s);
   let n = "";
   for (let t = 0; t < e.byteLength; t++)
     n += String.fromCharCode(e[t]);
   return btoa(n);
 }
-function m(a) {
-  if (typeof a != "string" || !a)
+function C(s) {
+  if (typeof s != "string" || !s)
     throw new Error("Invalid base64: expected non-empty string");
-  const e = a.replace(/\s/g, "").replace(/-/g, "+").replace(/_/g, "/"), n = e.length % 4, t = n > 0 ? e + "=".repeat(4 - n) : e;
+  const e = s.replace(/\s/g, "").replace(/-/g, "+").replace(/_/g, "/"), n = e.length % 4, t = n > 0 ? e + "=".repeat(4 - n) : e;
   try {
-    const s = atob(t), r = new Uint8Array(s.length);
-    for (let o = 0; o < s.length; o++)
-      r[o] = s.charCodeAt(o);
-    return r.buffer;
+    const r = atob(t), o = new Uint8Array(r.length);
+    for (let a = 0; a < r.length; a++)
+      o[a] = r.charCodeAt(a);
+    return o.buffer;
   } catch {
     throw new Error(
       "Invalid base64: string is not correctly encoded. Check challenge/credentialId from server."
     );
   }
 }
-function w(a) {
-  return y(a).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/g, "");
+function p(s) {
+  return N(s).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/g, "");
 }
-function J(a) {
+function H(s) {
   return /^[0-9a-f]{8}-?[0-9a-f]{4}-?[0-9a-f]{4}-?[0-9a-f]{4}-?[0-9a-f]{12}$/i.test(
-    a
+    s
   );
 }
-function L(a) {
-  const e = a.replace(/-/g, ""), n = new Uint8Array(e.length / 2);
+function J(s) {
+  const e = s.replace(/-/g, ""), n = new Uint8Array(e.length / 2);
   for (let t = 0; t < n.length; t++)
     n[t] = parseInt(e.substr(t * 2, 2), 16);
   return n.buffer;
 }
-function M(a) {
-  if (!a || typeof a != "string")
+function b(s) {
+  if (!s || typeof s != "string")
     throw new Error("Invalid input: expected non-empty string");
-  return J(a) ? L(a) : m(a);
+  return H(s) ? J(s) : C(s);
 }
-function _(a) {
-  return new TextEncoder().encode(a).buffer;
+function T(s) {
+  return new TextEncoder().encode(s).buffer;
 }
-function W(a) {
-  return String.fromCharCode(...a);
+function F(s) {
+  return String.fromCharCode(...s);
 }
-const H = "xpay_webauthn", Y = 1, l = "passkey_data", S = "passkey_email", x = "passkey_mobile_number";
-function h() {
-  return new Promise((a, e) => {
-    const n = indexedDB.open(H, Y);
-    n.onerror = () => e(n.error), n.onsuccess = () => a(n.result), n.onupgradeneeded = () => {
+const W = "xpay_webauthn", G = 1, u = "passkey_data", _ = "passkey_email", E = "passkey_mobile_number";
+function f() {
+  return new Promise((s, e) => {
+    const n = indexedDB.open(W, G);
+    n.onerror = () => e(n.error), n.onsuccess = () => s(n.result), n.onupgradeneeded = () => {
       const t = n.result;
-      t.objectStoreNames.contains(l) || t.createObjectStore(l);
+      t.objectStoreNames.contains(u) || t.createObjectStore(u);
     };
   });
 }
-async function z() {
+async function Y() {
   try {
-    const a = await h();
+    const s = await f();
     return new Promise((e, n) => {
-      const t = a.transaction(l, "readonly"), r = t.objectStore(l).get(S);
-      r.onerror = () => n(r.error), r.onsuccess = () => e(r.result ?? null), t.oncomplete = () => a.close();
+      const t = s.transaction(u, "readonly"), o = t.objectStore(u).get(_);
+      o.onerror = () => n(o.error), o.onsuccess = () => e(o.result ?? null), t.oncomplete = () => s.close();
     });
   } catch {
     return null;
   }
 }
-async function F(a) {
+async function V(s) {
   try {
-    const e = await h();
+    const e = await f();
     return new Promise((n, t) => {
-      const s = e.transaction(l, "readwrite"), o = s.objectStore(l).put(a, S);
-      o.onerror = () => t(o.error), o.onsuccess = () => n(), s.oncomplete = () => e.close();
+      const r = e.transaction(u, "readwrite"), a = r.objectStore(u).put(s, _);
+      a.onerror = () => t(a.error), a.onsuccess = () => n(), r.oncomplete = () => e.close();
     });
   } catch {
   }
 }
-async function G() {
+async function X() {
   try {
-    const a = await h();
+    const s = await f();
     return new Promise((e, n) => {
-      const t = a.transaction(l, "readwrite"), r = t.objectStore(l).delete(S);
-      r.onerror = () => n(r.error), r.onsuccess = () => e(), t.oncomplete = () => a.close();
+      const t = s.transaction(u, "readwrite"), o = t.objectStore(u).delete(_);
+      o.onerror = () => n(o.error), o.onsuccess = () => e(), t.oncomplete = () => s.close();
     });
   } catch {
   }
 }
-async function V() {
+async function Z() {
   try {
-    const a = await h();
+    const s = await f();
     return new Promise((e, n) => {
-      const t = a.transaction(l, "readonly"), r = t.objectStore(l).get(x);
-      r.onerror = () => n(r.error), r.onsuccess = () => e(r.result ?? null), t.oncomplete = () => a.close();
+      const t = s.transaction(u, "readonly"), o = t.objectStore(u).get(E);
+      o.onerror = () => n(o.error), o.onsuccess = () => e(o.result ?? null), t.oncomplete = () => s.close();
     });
   } catch {
     return null;
   }
 }
-async function X(a) {
+async function Q(s) {
   try {
-    const e = await h();
+    const e = await f();
     return new Promise((n, t) => {
-      const s = e.transaction(l, "readwrite"), o = s.objectStore(l).put(a, x);
-      o.onerror = () => t(o.error), o.onsuccess = () => n(), s.oncomplete = () => e.close();
+      const r = e.transaction(u, "readwrite"), a = r.objectStore(u).put(s, E);
+      a.onerror = () => t(a.error), a.onsuccess = () => n(), r.oncomplete = () => e.close();
     });
   } catch {
   }
 }
-async function Q() {
+async function ee() {
   try {
-    const a = await h();
+    const s = await f();
     return new Promise((e, n) => {
-      const t = a.transaction(l, "readwrite"), r = t.objectStore(l).delete(x);
-      r.onerror = () => n(r.error), r.onsuccess = () => e(), t.oncomplete = () => a.close();
+      const t = s.transaction(u, "readwrite"), o = t.objectStore(u).delete(E);
+      o.onerror = () => n(o.error), o.onsuccess = () => e(), t.oncomplete = () => s.close();
     });
   } catch {
   }
 }
-const E = "dpop_private_key", I = "dpop_public_key_jwk";
-function D(a) {
+const S = "dpop_private_key", I = "dpop_public_key_jwk";
+function K(s) {
+  if (!s || typeof s != "object") return !1;
+  const e = s;
+  return e.kty === "EC" && e.crv === "P-256" && typeof e.x == "string" && typeof e.y == "string";
+}
+class g extends Error {
+  constructor(e) {
+    super(e), this.name = "DPoPProofGenerationError";
+  }
+}
+function te(s) {
   return {
     kty: "EC",
     crv: "P-256",
-    x: a.x,
-    y: a.y
+    x: s.x,
+    y: s.y
   };
 }
-async function q(a) {
+async function q(s) {
   const e = JSON.stringify({
-    crv: a.crv,
-    kty: a.kty,
-    x: a.x,
-    y: a.y
+    crv: s.crv,
+    kty: s.kty,
+    x: s.x,
+    y: s.y
   }), n = await crypto.subtle.digest(
     "SHA-256",
     new TextEncoder().encode(e)
   );
-  return w(n);
+  return p(n);
 }
-async function B(a) {
+async function ne(s) {
   try {
-    const e = await h();
+    const e = await f();
     return new Promise((n, t) => {
-      const s = e.transaction(l, "readwrite"), o = s.objectStore(l).put(a, E);
-      o.onerror = () => t(o.error), o.onsuccess = () => n(), s.oncomplete = () => e.close();
+      const r = e.transaction(u, "readwrite"), a = r.objectStore(u).put(s, S);
+      a.onerror = () => t(a.error), a.onsuccess = () => n(), r.oncomplete = () => e.close();
     });
   } catch (e) {
     console.error("Failed to store DPoP private key:", e);
   }
 }
-async function Z(a) {
+async function oe(s) {
   try {
-    const e = await h();
+    const e = await f();
     return new Promise((n, t) => {
-      const s = e.transaction(l, "readwrite"), o = s.objectStore(l).put(a, I);
-      o.onerror = () => t(o.error), o.onsuccess = () => n(), s.oncomplete = () => e.close();
+      const r = e.transaction(u, "readwrite"), a = r.objectStore(u).put(s, I);
+      a.onerror = () => t(a.error), a.onsuccess = () => n(), r.oncomplete = () => e.close();
     });
   } catch (e) {
     console.error("Failed to store DPoP public key JWK:", e);
   }
 }
-async function A() {
+async function $() {
   try {
-    const a = await h();
+    const s = await f();
     return new Promise((e, n) => {
-      const t = a.transaction(l, "readonly"), r = t.objectStore(l).get(E);
-      r.onerror = () => n(r.error), r.onsuccess = () => e(r.result ?? null), t.oncomplete = () => a.close();
+      const t = s.transaction(u, "readonly"), o = t.objectStore(u).get(S);
+      o.onerror = () => n(o.error), o.onsuccess = () => e(o.result ?? null), t.oncomplete = () => s.close();
     });
   } catch {
     return null;
   }
 }
-async function R() {
+async function B() {
   try {
-    const a = await h();
+    const s = await f();
     return new Promise((e, n) => {
-      const t = a.transaction(l, "readonly"), r = t.objectStore(l).get(I);
-      r.onerror = () => n(r.error), r.onsuccess = () => e(r.result ?? null), t.oncomplete = () => a.close();
+      const t = s.transaction(u, "readonly"), o = t.objectStore(u).get(I);
+      o.onerror = () => n(o.error), o.onsuccess = () => e(o.result ?? null), t.oncomplete = () => s.close();
     });
   } catch {
     return null;
   }
 }
-async function N() {
+async function U() {
   try {
-    const a = await h();
+    const s = await f();
     return new Promise((e, n) => {
-      const t = a.transaction(l, "readwrite"), s = t.objectStore(l);
-      s.delete(E), s.delete(I), t.onerror = () => n(t.error), t.oncomplete = () => {
-        a.close(), e();
+      const t = s.transaction(u, "readwrite"), r = t.objectStore(u);
+      r.delete(S), r.delete(I), t.onerror = () => n(t.error), t.oncomplete = () => {
+        s.close(), e();
       };
     });
   } catch {
   }
 }
-async function g() {
-  const a = await crypto.subtle.generateKey(
+async function re() {
+  const s = await crypto.subtle.generateKey(
     {
       name: "ECDSA",
       namedCurve: "P-256"
@@ -214,147 +224,243 @@ async function g() {
     !1,
     // Private key is non-extractable
     ["sign", "verify"]
-  ), e = await crypto.subtle.exportKey("jwk", a.publicKey), n = D(e), t = await q(n);
-  return await B(a.privateKey), await Z(n), { publicKey: n, thumbprint: t };
+  ), e = await crypto.subtle.exportKey("jwk", s.publicKey), n = te(e), t = await q(n);
+  return await ne(s.privateKey), await oe(n), { publicKey: n, thumbprint: t };
+}
+async function se() {
+  const s = await $(), e = await B();
+  return s && K(e) ? {
+    publicKey: e,
+    thumbprint: await q(e)
+  } : ((s || e) && await U(), re());
 }
-async function k(a, e, n) {
+async function ae(s, e, n) {
   try {
-    const t = await A(), s = await R();
-    if (!t || !s) return null;
-    const r = {
+    const t = await $(), r = await B();
+    if (!t || !K(r))
+      throw new g(
+        "DPoP key material is unavailable or invalid"
+      );
+    const o = {
       typ: "dpop+jwt",
       alg: "ES256",
-      jwk: s
+      jwk: r
       // Public key in JWK format
-    }, o = new URL(
+    }, a = new URL(
       e,
       typeof window < "u" ? window.location.origin : void 0
-    ), i = `${o.origin}${o.pathname}`, u = {
+    ), l = `${a.origin}${a.pathname}`, i = {
       jti: crypto.randomUUID(),
-      htm: a.toUpperCase(),
-      htu: i,
+      htm: s.toUpperCase(),
+      htu: l,
       iat: Math.floor(Date.now() / 1e3)
     };
     if (n) {
-      const P = new TextEncoder().encode(n), $ = await crypto.subtle.digest("SHA-256", P);
-      u.ath = w($);
+      const k = new TextEncoder().encode(n), z = await crypto.subtle.digest("SHA-256", k);
+      i.ath = p(z);
     }
-    const d = w(
-      new TextEncoder().encode(JSON.stringify(r)).buffer
-    ), c = w(
-      new TextEncoder().encode(JSON.stringify(u)).buffer
-    ), p = `${d}.${c}`, f = await crypto.subtle.sign(
+    const d = p(
+      new TextEncoder().encode(JSON.stringify(o)).buffer
+    ), c = p(
+      new TextEncoder().encode(JSON.stringify(i)).buffer
+    ), h = `${d}.${c}`, w = await crypto.subtle.sign(
       {
         name: "ECDSA",
         hash: { name: "SHA-256" }
       },
       t,
-      new TextEncoder().encode(p)
-    ), b = w(f);
-    return `${d}.${c}.${b}`;
+      new TextEncoder().encode(h)
+    ), m = p(w);
+    return `${d}.${c}.${m}`;
   } catch (t) {
-    return console.error("Failed to generate DPoP proof:", t), null;
+    throw console.error("Failed to generate DPoP proof:", t), t instanceof g ? t : new g("Failed to generate DPoP proof");
   }
 }
-async function ee() {
-  return await A() !== null;
-}
-const te = B, U = {
-  isWebAuthnSupported: K,
+const L = {
+  isWebAuthnSupported: O,
   isConditionalUISupported: j,
-  arrayBufferToBase64: y,
-  base64ToArrayBuffer: m,
-  arrayBufferToBase64url: w,
-  base64urlToArrayBuffer: M,
-  stringToArrayBuffer: _,
-  uint8ArrayToString: W,
-  getPasskeyEmail: z,
-  setPasskeyEmail: F,
-  clearPasskeyEmail: G,
-  getPasskeyMobileNumber: V,
-  setPasskeyMobileNumber: X,
-  clearPasskeyMobileNumber: Q,
-  toMinimalJWK: D,
-  calculateThumbprint: q,
-  getDPoPKey: A,
-  getDPoPPublicKeyJWK: R,
-  clearDPoPKey: N,
-  generateDPoPKeyPair: g,
-  generateDPoPProof: k,
-  isDPoPEnabled: ee,
-  storeDPoPKey: te
+  arrayBufferToBase64: N,
+  base64ToArrayBuffer: C,
+  arrayBufferToBase64url: p,
+  base64urlToArrayBuffer: b,
+  stringToArrayBuffer: T,
+  uint8ArrayToString: F,
+  getPasskeyEmail: Y,
+  setPasskeyEmail: V,
+  clearPasskeyEmail: X,
+  getPasskeyMobileNumber: Z,
+  setPasskeyMobileNumber: Q,
+  clearPasskeyMobileNumber: ee
 };
-typeof window < "u" && (window.WebAuthn = U);
-const ne = typeof window < "u" ? window : globalThis;
-ne.WebAuthn = U;
-const T = "postex-auth-token", re = "postexglobal", se = {
+typeof window < "u" && (window.WebAuthn = L);
+const ie = typeof window < "u" ? window : globalThis;
+ie.WebAuthn = L;
+const P = "postex-auth-token", ce = "postexglobal", le = {
   xstak: "https://auth-stage.xstak.com/public/v1",
   postex: "https://auth-stage.postex.pk/public/v1",
   callcourier: "https://auth-stage.callcourier.com.pk/public/v1",
   postexglobal: "https://auth-stage.postexglobal.com/public/v1",
   postexsa: "https://auth-stage.postex.sa/public/v1"
-};
-class oe extends Error {
+}, ue = /^[^\s@]+@[^\s@]+\.[^\s@]{2,}$/, de = /^\+[1-9]\d{6,14}$/, he = /^\d{6}$/, pe = /^[A-Za-z0-9_-]{16,512}$/, ye = /[\u0000-\u001F\u007F-\u009F]/, me = /[A-Za-z]/, fe = /[\u0400-\u04FF]/, x = 254, v = 16, A = 64;
+class we extends Error {
   constructor(e, n, t) {
     super(t ?? `Request failed with status ${e}`), this.response = { status: e, data: n }, this.name = "AuthSDKFetchError";
   }
 }
-const v = "auth_sdk_id_token", O = "auth_sdk_refresh_token";
-class C {
+class y extends Error {
+  constructor(e, n, t = "invalid_input") {
+    super(n), this.field = e, this.code = t, this.name = "SDKValidationError";
+  }
+}
+const D = "auth_sdk_id_token", R = "auth_sdk_refresh_token";
+class M {
   constructor(e) {
-    this.config = e;
+    this.config = e, this.dpopInitializationPromise = this.createDPoPInitializationPromise();
   }
   getBaseUrl() {
-    const e = this.config.appId ?? re;
-    return se[e];
+    const e = this.config.appId ?? ce;
+    return le[e];
+  }
+  async initializeDPoPState() {
+    await se();
+  }
+  async ensureDPoPInitialized() {
+    await this.dpopInitializationPromise;
+  }
+  createDPoPInitializationPromise() {
+    const e = this.initializeDPoPState();
+    return e.catch(() => {
+    }), e;
+  }
+  resetDPoPInitialization() {
+    this.dpopInitializationPromise = this.createDPoPInitializationPromise();
+  }
+  async getRequiredDPoPProof(e, n, t) {
+    return await this.ensureDPoPInitialized(), ae(e.toUpperCase(), n, t);
+  }
+  containsControlChars(e) {
+    return ye.test(e);
+  }
+  hasMixedLatinAndCyrillic(e) {
+    return me.test(e) && fe.test(e);
+  }
+  assertNoControlChars(e, n) {
+    if (this.containsControlChars(n))
+      throw new y(
+        e,
+        `${e} must not contain control characters`
+      );
+  }
+  validateEmail(e, n = "email") {
+    const t = e.trim();
+    if (!t)
+      throw new y(n, `${n} is required`);
+    if (t.length > x)
+      throw new y(
+        n,
+        `${n} must be ${x} characters or fewer`
+      );
+    this.assertNoControlChars(n, t);
+    const [r = ""] = t.split("@");
+    if (this.hasMixedLatinAndCyrillic(r))
+      throw new y(
+        n,
+        `${n} must not mix Latin and Cyrillic characters in the local part`
+      );
+    if (!ue.test(t))
+      throw new y(n, `${n} must be a valid email`);
+    return t;
+  }
+  validateMobileNumber(e, n = "mobileNumber") {
+    const t = e.trim();
+    if (!t)
+      throw new y(n, `${n} is required`);
+    if (t.length > v)
+      throw new y(
+        n,
+        `${n} must be ${v} characters or fewer`
+      );
+    if (this.assertNoControlChars(n, t), !de.test(t))
+      throw new y(n, `${n} must be in E.164 format`);
+    return t;
+  }
+  validateOTP(e, n = "otp") {
+    const t = e.trim();
+    if (this.assertNoControlChars(n, t), !he.test(t))
+      throw new y(n, `${n} must be a 6-digit code`);
+    return t;
+  }
+  validateMagicLinkToken(e, n = "token") {
+    const t = e.trim();
+    if (this.assertNoControlChars(n, t), !pe.test(t))
+      throw new y(
+        n,
+        `${n} must be 16-512 URL-safe characters`
+      );
+    return t;
+  }
+  validateRealm(e) {
+    const n = e?.trim();
+    if (n) {
+      if (this.assertNoControlChars("realm", n), n.length > A)
+        throw new y(
+          "realm",
+          `realm must be ${A} characters or fewer`
+        );
+      return n;
+    }
   }
-  normalizeAuthIdentifier(e) {
-    return typeof e == "string" ? { email: e } : {
-      email: e.email,
-      mobileNumber: e.mobileNumber
+  normalizeAndValidateIdentifier(e) {
+    return typeof e == "string" ? { email: this.validateEmail(e) } : {
+      email: e.email ? this.validateEmail(e.email) : void 0,
+      mobileNumber: e.mobileNumber ? this.validateMobileNumber(e.mobileNumber) : void 0
     };
   }
+  normalizeAuthIdentifier(e) {
+    return this.normalizeAndValidateIdentifier(e);
+  }
   extractRealm(e, n) {
-    return (n?.realm ?? (e && typeof e != "string" ? e.realm : void 0))?.trim() || void 0;
+    const t = n?.realm ?? (e && typeof e != "string" ? e.realm : void 0);
+    return this.validateRealm(t);
   }
   buildAuthRequestBody(e, n) {
-    const t = this.normalizeAuthIdentifier(e), s = this.extractRealm(e, n);
+    const t = this.normalizeAuthIdentifier(e), r = this.extractRealm(e, n);
     return {
       ...t,
-      ...s ? { realm: s } : {}
+      ...r ? { realm: r } : {}
     };
   }
   buildUrl(e, n) {
-    const t = this.getBaseUrl().replace(/\/$/, ""), s = e.startsWith("/") ? e : `/${e}`, r = `${t}${s}`;
-    if (!n || Object.keys(n).length === 0) return r;
-    const o = new URLSearchParams(n).toString();
-    return `${r}?${o}`;
+    const t = this.getBaseUrl().replace(/\/$/, ""), r = e.startsWith("/") ? e : `/${e}`, o = `${t}${r}`;
+    if (!n || Object.keys(n).length === 0) return o;
+    const a = new URLSearchParams(n).toString();
+    return `${o}?${a}`;
   }
   async request(e, n, t) {
-    const s = this.buildUrl(n, t?.params), r = {
+    const r = this.buildUrl(n, t?.params), o = {
       "Content-Type": "application/json",
       Accept: "application/json",
       "X-API-Key": this.config.apiKey ?? "",
       ...t?.headers
-    }, o = {
+    }, a = {
       method: e,
       credentials: "include",
-      headers: r
+      headers: o
     };
-    t?.body !== void 0 && t?.body !== null && (o.body = JSON.stringify(t.body));
-    const i = await fetch(s, o);
-    if (!i.ok) {
+    t?.body !== void 0 && t?.body !== null && (a.body = JSON.stringify(t.body));
+    const l = await fetch(r, a);
+    if (!l.ok) {
       let c;
       try {
-        const p = await i.text();
-        c = p ? JSON.parse(p) : void 0;
+        const h = await l.text();
+        c = h ? JSON.parse(h) : void 0;
       } catch {
         c = void 0;
       }
-      throw i.status === 401 && await this.clearTokens(), new oe(i.status, c);
+      throw l.status === 401 && await this.clearTokens(), new we(l.status, c);
     }
-    const u = await i.text();
-    return { data: u ? JSON.parse(u) : {} };
+    const i = await l.text();
+    return { data: i ? JSON.parse(i) : {} };
   }
   /**
    * Returns auth headers (Authorization + DPoP) for the given request.
@@ -363,42 +469,39 @@ class C {
    * @param url - Full request URL
    */
   async getRequestAuthHeaders(e, n) {
-    const t = localStorage.getItem(T);
+    const t = localStorage.getItem(P);
     if (!t) return {};
-    const s = n.startsWith("http") ? n : `${this.getBaseUrl()}${n}`, r = await k(
-      e.toUpperCase(),
-      s,
-      t
-    ), o = {
-      Authorization: `Bearer ${t}`
+    const r = n.startsWith("http") ? n : `${this.getBaseUrl()}${n}`, o = await this.getRequiredDPoPProof(e, r, t);
+    return {
+      Authorization: `Bearer ${t}`,
+      DPoP: o
     };
-    return r && (o.DPoP = r), o;
   }
   /**
    * GET /auth/status - Check if client has trusted device session and what auth method is available.
    * Returns no_session | session_found | webauthn_ready per PostEx Auth BFF spec.
    */
   async getStatus(e, n) {
-    const t = this.normalizeAuthIdentifier(e), s = this.extractRealm(e, n), r = {};
-    t.email && (r.email = t.email), t.mobileNumber && (r.mobileNumber = t.mobileNumber), s && (r.realm = s);
-    const o = await this.request("GET", "/auth/status", {
-      params: r
+    const t = this.normalizeAuthIdentifier(e), r = this.extractRealm(e, n), o = {};
+    t.email && (o.email = t.email), t.mobileNumber && (o.mobileNumber = t.mobileNumber), r && (o.realm = r);
+    const a = await this.request("GET", "/auth/status", {
+      params: o
     });
-    return o.data.data ?? o.data;
+    return a.data.data ?? a.data;
   }
   /**
    * POST /auth/initiate - Unified entry: returns webauthn_challenge or otp_sent.
    * Sets auth_session cookie when otp_sent.
    */
   async initiateAuth(e, n) {
-    const t = this.buildAuthRequestBody(e, n), s = await this.request("POST", "/auth/initiate", {
+    const t = this.buildAuthRequestBody(e, n), r = await this.request("POST", "/auth/initiate", {
       body: t
-    }), r = s.data.data ?? s.data;
+    }), o = r.data.data ?? r.data;
     return {
-      status: r.status,
-      challenge: r.challenge,
-      credentialIds: r.credentialIds,
-      rp: r.rp
+      status: o.status,
+      challenge: o.challenge,
+      credentialIds: o.credentialIds,
+      rp: o.rp
     };
   }
   /**
@@ -406,13 +509,16 @@ class C {
    * Requires at least one identifier: email or mobileNumber.
    */
   async initiateOTP(e, n) {
-    const t = this.normalizeAuthIdentifier(e), s = this.extractRealm(e, n), r = t.email?.trim(), o = t.mobileNumber?.trim();
-    if (!r && !o)
-      throw new Error("Either mobileNumber or email is required");
-    const i = {};
-    r && (i.email = r), o && (i.mobileNumber = o), s && (i.realm = s);
+    const t = this.normalizeAuthIdentifier(e), r = this.extractRealm(e, n), o = t.email, a = t.mobileNumber;
+    if (!o && !a)
+      throw new y(
+        "identifier",
+        "Either mobileNumber or email is required"
+      );
+    const l = {};
+    o && (l.email = o), a && (l.mobileNumber = a), r && (l.realm = r);
     const d = (await this.request("POST", "/otp/initiate", {
-      body: i
+      body: l
     })).data;
     return {
       message: d.message ?? d.data?.message
@@ -423,29 +529,28 @@ class C {
    * Stores tokens from the response.
    */
   async verifyOTP(e) {
-    await g();
-    const n = await k(
+    const n = this.validateOTP(e), t = await this.getRequiredDPoPProof(
       "POST",
       `${this.getBaseUrl()}/otp/verify`
-    ), t = await this.request("POST", "/otp/verify", {
-      body: { otp: e },
-      headers: n ? { DPoP: n } : {}
-    }), s = t.data.data ?? t.data, r = s.AuthenticationResult ?? s, o = r.access_token ?? r.accessToken ?? r.AccessToken, i = r.refresh_token ?? r.refreshToken ?? r.RefreshToken, u = r.id_token ?? r.idToken ?? r.IdToken, d = r.expires_in ?? r.expiresIn ?? r.ExpiresIn ?? 3600, c = r.token_type ?? r.tokenType ?? r.TokenType ?? "Bearer";
-    return o && await this.storeTokens({
-      accessToken: o,
+    ), r = await this.request("POST", "/otp/verify", {
+      body: { otp: n },
+      headers: { DPoP: t }
+    }), o = r.data.data ?? r.data, a = o.AuthenticationResult ?? o, l = a.access_token ?? a.accessToken ?? a.AccessToken, i = a.refresh_token ?? a.refreshToken ?? a.RefreshToken, d = a.id_token ?? a.idToken ?? a.IdToken, c = a.expires_in ?? a.expiresIn ?? a.ExpiresIn ?? 3600, h = a.token_type ?? a.tokenType ?? a.TokenType ?? "Bearer";
+    return l && await this.storeTokens({
+      accessToken: l,
       refreshToken: i ?? "",
-      idToken: u ?? "",
-      expiresIn: d ?? 3600,
-      tokenType: c ?? "Bearer"
+      idToken: d ?? "",
+      expiresIn: c ?? 3600,
+      tokenType: h ?? "Bearer"
     }), {
-      access_token: o,
+      access_token: l,
       refresh_token: i ?? "",
-      id_token: u ?? "",
-      expires_in: d,
-      token_type: c,
-      verified: r.verified,
-      email: r.email ?? r.Email ?? "",
-      ...r
+      id_token: d ?? "",
+      expires_in: c,
+      token_type: h,
+      verified: a.verified,
+      email: a.email ?? a.Email ?? "",
+      ...a
     };
   }
   /**
@@ -468,29 +573,28 @@ class C {
     mobileNumber: e,
     otp: n
   }) {
-    await g();
-    const t = await k(
+    const t = this.validateMobileNumber(e), r = this.validateOTP(n), o = await this.getRequiredDPoPProof(
       "POST",
       `${this.getBaseUrl()}/otp/signup/verify`
-    ), s = await this.request("POST", "/otp/signup/verify", {
-      body: { mobileNumber: e, otp: n },
-      headers: t ? { DPoP: t } : {}
-    }), r = s.data.data ?? s.data, o = r.AuthenticationResult ?? r, i = o.access_token ?? o.accessToken ?? o.AccessToken, u = o.refresh_token ?? o.refreshToken ?? o.RefreshToken, d = o.id_token ?? o.idToken ?? o.IdToken, c = o.expires_in ?? o.expiresIn ?? o.ExpiresIn ?? 3600, p = o.token_type ?? o.tokenType ?? o.TokenType ?? "Bearer";
-    return i && await this.storeTokens({
-      accessToken: i,
-      refreshToken: u ?? "",
-      idToken: d ?? "",
-      expiresIn: c ?? 3600,
-      tokenType: p ?? "Bearer"
+    ), a = await this.request("POST", "/otp/signup/verify", {
+      body: { mobileNumber: t, otp: r },
+      headers: { DPoP: o }
+    }), l = a.data.data ?? a.data, i = l.AuthenticationResult ?? l, d = i.access_token ?? i.accessToken ?? i.AccessToken, c = i.refresh_token ?? i.refreshToken ?? i.RefreshToken, h = i.id_token ?? i.idToken ?? i.IdToken, w = i.expires_in ?? i.expiresIn ?? i.ExpiresIn ?? 3600, m = i.token_type ?? i.tokenType ?? i.TokenType ?? "Bearer";
+    return d && await this.storeTokens({
+      accessToken: d,
+      refreshToken: c ?? "",
+      idToken: h ?? "",
+      expiresIn: w ?? 3600,
+      tokenType: m ?? "Bearer"
     }), {
-      access_token: i,
-      refresh_token: u ?? "",
-      id_token: d ?? "",
-      expires_in: c,
-      token_type: p,
-      verified: o.verified,
-      email: o.email ?? o.Email ?? "",
-      ...o
+      access_token: d,
+      refresh_token: c ?? "",
+      id_token: h ?? "",
+      expires_in: w,
+      token_type: m,
+      verified: i.verified,
+      email: i.email ?? i.Email ?? "",
+      ...i
     };
   }
   /**
@@ -500,22 +604,26 @@ class C {
     mobileNumber: e,
     email: n = ""
   }) {
-    const t = await this.request("POST", "/otp/signup/resend", {
-      body: { email: n, mobileNumber: e }
-    }), s = t.data.data ?? t.data;
+    const t = this.validateMobileNumber(e), r = n ? this.validateEmail(n) : "", o = await this.request("POST", "/otp/signup/resend", {
+      body: { email: r, mobileNumber: t }
+    }), a = o.data.data ?? o.data;
     return {
-      success: s.success,
-      message: s.message,
-      ...s
+      success: a.success,
+      message: a.message,
+      ...a
     };
   }
   /**
    * GET /magic-link - Verify a magic link token.
    * Sets auth_session cookie on success.
    */
-  async verifyMagicLink(e, n) {
+  async verifyMagicLink(e) {
+    const n = this.validateMagicLinkToken(e);
     await this.request("GET", "/verify/magic-link", {
-      params: { token: e, email: n, redirect_mode: "frontend" }
+      params: {
+        token: n,
+        redirect_mode: "frontend"
+      }
     });
   }
   /**
@@ -530,19 +638,19 @@ class C {
       {
         body: {}
       }
-    ), n = e.data.data ?? e.data, t = n.AuthenticationResult ?? n, s = t.access_token ?? t.accessToken ?? t.AccessToken, r = t.refresh_token ?? t.refreshToken ?? t.RefreshToken, o = t.id_token ?? t.idToken ?? t.IdToken, i = t.expires_in ?? t.expiresIn ?? t.ExpiresIn ?? 3600, u = t.token_type ?? t.tokenType ?? t.TokenType ?? "Bearer";
-    return s && await this.storeTokens({
-      accessToken: s,
-      refreshToken: r ?? "",
-      idToken: o ?? "",
-      expiresIn: i ?? 3600,
-      tokenType: u ?? "Bearer"
+    ), n = e.data.data ?? e.data, t = n.AuthenticationResult ?? n, r = t.access_token ?? t.accessToken ?? t.AccessToken, o = t.refresh_token ?? t.refreshToken ?? t.RefreshToken, a = t.id_token ?? t.idToken ?? t.IdToken, l = t.expires_in ?? t.expiresIn ?? t.ExpiresIn ?? 3600, i = t.token_type ?? t.tokenType ?? t.TokenType ?? "Bearer";
+    return r && await this.storeTokens({
+      accessToken: r,
+      refreshToken: o ?? "",
+      idToken: a ?? "",
+      expiresIn: l ?? 3600,
+      tokenType: i ?? "Bearer"
     }), {
-      access_token: s,
-      refresh_token: r ?? "",
-      id_token: o ?? "",
-      expires_in: i,
-      token_type: u,
+      access_token: r,
+      refresh_token: o ?? "",
+      id_token: a ?? "",
+      expires_in: l,
+      token_type: i,
       verified: t.verified,
       email: t.email ?? t.Email ?? "",
       ...t
@@ -559,39 +667,39 @@ class C {
     return e.data.data ?? e.data;
   }
   async registerPasskey(e) {
-    const n = await this.initiatePasskeyRegistration();
-    let t;
-    if (n?.user?.id)
+    const n = this.validateEmail(e), t = await this.initiatePasskeyRegistration();
+    let r;
+    if (t?.user?.id)
       try {
-        t = m(n.user.id);
+        r = b(t.user.id);
       } catch {
-        t = _(n.user.id);
+        r = T(t.user.id);
       }
     else
-      t = _(e);
-    const s = (n.pubKeyCredParams ?? [
+      r = T(n);
+    const o = (t.pubKeyCredParams ?? [
       { type: "public-key", alg: -7 },
       { type: "public-key", alg: -257 }
-    ]).map((f) => ({
+    ]).map((m) => ({
       type: "public-key",
-      alg: f.alg
-    })), r = n.excludeCredentials?.map((f) => ({
+      alg: m.alg
+    })), a = t.excludeCredentials?.map((m) => ({
       type: "public-key",
-      id: m(f)
-    })), o = {
-      challenge: m(n.challenge),
+      id: b(m)
+    })), l = {
+      challenge: b(t.challenge),
       rp: {
-        name: n.rp?.name ?? "XPay",
-        id: n.rp?.id ?? window.location.hostname
+        name: t.rp?.name ?? "XPay",
+        id: t.rp?.id ?? window.location.hostname
       },
       user: {
-        id: t,
-        name: n.user?.name ?? e,
-        displayName: n.user?.displayName ?? e
+        id: r,
+        name: t.user?.name ?? n,
+        displayName: t.user?.displayName ?? n
       },
-      pubKeyCredParams: s,
-      excludeCredentials: r,
-      timeout: n.timeout ?? 6e4,
+      pubKeyCredParams: o,
+      excludeCredentials: a,
+      timeout: t.timeout ?? 6e4,
       attestation: "direct",
       authenticatorSelection: {
         residentKey: "required",
@@ -599,28 +707,27 @@ class C {
         authenticatorAttachment: "platform"
       }
     }, i = await navigator.credentials.create({
-      publicKey: o
+      publicKey: l
     });
     if (!i) throw new Error("Credential creation failed");
-    const u = i.response, d = {
-      clientDataJSON: y(u.clientDataJSON),
-      attestationObject: y(u.attestationObject),
-      rawId: y(i.rawId)
+    const d = i.response, c = {
+      clientDataJSON: p(d.clientDataJSON),
+      attestationObject: p(d.attestationObject),
+      rawId: p(i.rawId)
     };
-    if (!d.rawId) throw new Error("Raw ID is required");
-    await g();
-    const c = await k(
+    if (!c.rawId) throw new Error("Raw ID is required");
+    const h = await this.getRequiredDPoPProof(
       "POST",
       `${this.getBaseUrl()}/webauthn/register/challenge`
-    ), p = await this.request(
+    ), w = await this.request(
       "POST",
       "/webauthn/register/challenge",
       {
-        body: d,
-        headers: c ? { DPoP: c } : {}
+        body: c,
+        headers: { DPoP: h }
       }
     );
-    return p.data.data ?? p.data;
+    return w.data.data ?? w.data;
   }
   /**
    * POST /webauthn/authenticate/challenge - Authenticate with passkey.
@@ -630,51 +737,49 @@ class C {
     rp: n,
     credentialIds: t
   }) {
-    const s = await navigator.credentials.get({
+    const r = await navigator.credentials.get({
       publicKey: {
-        challenge: m(e),
+        challenge: b(e),
         rpId: n?.host ?? void 0,
-        allowCredentials: t.map((P) => ({
+        allowCredentials: t.map((k) => ({
           type: "public-key",
-          id: m(P),
+          id: b(k),
           transports: ["internal"]
         })),
         timeout: 6e4,
         userVerification: "required"
       }
     });
-    if (!s) throw new Error("Authentication failed");
-    const r = s.response, o = {
-      clientDataJSON: y(r.clientDataJSON),
-      authenticatorData: y(
-        r.authenticatorData
+    if (!r) throw new Error("Authentication failed");
+    const o = r.response, a = {
+      clientDataJSON: p(o.clientDataJSON),
+      authenticatorData: p(
+        o.authenticatorData
       ),
-      signature: y(r.signature),
-      rawId: y(s.rawId),
-      userHandle: r.userHandle ? y(r.userHandle) : ""
-    };
-    await g();
-    const i = await k(
+      signature: p(o.signature),
+      rawId: p(r.rawId),
+      userHandle: o.userHandle ? p(o.userHandle) : ""
+    }, l = await this.getRequiredDPoPProof(
       "POST",
       `${this.getBaseUrl()}/webauthn/authenticate/challenge`
-    ), u = await this.request(
+    ), i = await this.request(
       "POST",
       "/webauthn/authenticate/challenge",
       {
-        body: o,
-        headers: i ? { DPoP: i } : {}
+        body: a,
+        headers: { DPoP: l }
       }
-    ), d = u.data.data ?? u.data, c = d.AuthenticationResult ?? d, p = c.AccessToken ?? c.accessToken ?? c.access_token, f = c.RefreshToken ?? c.refreshToken ?? c.refresh_token, b = c.IdToken ?? c.idToken ?? c.id_token;
-    return p && await this.storeTokens({
-      accessToken: p,
-      refreshToken: f ?? "",
-      idToken: b ?? "",
+    ), d = i.data.data ?? i.data, c = d.AuthenticationResult ?? d, h = c.AccessToken ?? c.accessToken ?? c.access_token, w = c.RefreshToken ?? c.refreshToken ?? c.refresh_token, m = c.IdToken ?? c.idToken ?? c.id_token;
+    return h && await this.storeTokens({
+      accessToken: h,
+      refreshToken: w ?? "",
+      idToken: m ?? "",
       expiresIn: c.expiresIn ?? c.ExpiresIn ?? 3600,
       tokenType: c.tokenType ?? c.token_type ?? "Bearer"
     }), {
-      access_token: p,
-      refresh_token: f ?? "",
-      id_token: b,
+      access_token: h,
+      refresh_token: w ?? "",
+      id_token: m,
       email: c.email,
       name: c.name ?? c.userName,
       expiresIn: c.expiresIn ?? c.ExpiresIn,
@@ -686,50 +791,50 @@ class C {
    * GET /webauthn/credentials/:username - Get user's passkey status.
    */
   async getPasskeyStatus(e) {
-    const t = `/webauthn/credentials/${encodeURIComponent(e)}`, s = await this.signRequest("GET", t), r = await this.request("GET", t, {
-      headers: s.headers
-    }), o = r.data.data ?? r.data;
+    const t = `/webauthn/credentials/${encodeURIComponent(e)}`, r = await this.signRequest("GET", t), o = await this.request("GET", t, {
+      headers: r.headers
+    }), a = o.data.data ?? o.data;
     return {
-      ...o,
-      hasCredentials: !!(o.hasCredentials ?? o.credentialId)
+      ...a,
+      hasCredentials: !!(a.hasCredentials ?? a.credentialId)
     };
   }
   /**
    * DELETE /webauthn/credentials/:username - Remove passkey.
    */
   async removePasskey(e) {
-    const t = `/webauthn/credentials/${encodeURIComponent(e)}`, s = await this.signRequest("DELETE", t);
+    const t = `/webauthn/credentials/${encodeURIComponent(e)}`, r = await this.signRequest("DELETE", t);
     await this.request("DELETE", t, {
-      headers: s.headers
+      headers: r.headers
     });
   }
   /**
    * Signs a request with DPoP and Authorization headers (internal use).
    */
   async signRequest(e, n, t = {}) {
-    const s = n.startsWith("http") ? n : `${this.getBaseUrl()}${n}`, r = await this.getRequestAuthHeaders(e, s);
-    return { ...t, headers: { ...t.headers, ...r } };
+    const r = n.startsWith("http") ? n : `${this.getBaseUrl()}${n}`, o = await this.getRequestAuthHeaders(e, r);
+    return { ...t, headers: { ...t.headers, ...o } };
   }
   /**
    * Replaces native fetch or Axios with a DPoP-signed version.
    */
   async authenticatedFetch(e, n) {
-    const t = typeof e == "string" ? e : e instanceof URL ? e.toString() : e.url, s = n?.method || "GET", r = await this.signRequest(s, t, {
+    const t = typeof e == "string" ? e : e instanceof URL ? e.toString() : e.url, r = n?.method || "GET", o = await this.signRequest(r, t, {
       headers: n?.headers
     });
-    return fetch(e, { ...n, headers: r.headers });
+    return fetch(e, { ...n, headers: o.headers });
   }
   /**
    * Store tokens from /webauthn/authenticate (per spec: sessionStorage preferred).
    */
   async storeTokens(e) {
-    localStorage.setItem(T, e.accessToken), e.refreshToken && localStorage.setItem(O, e.refreshToken), e.idToken && localStorage.setItem(v, e.idToken);
+    localStorage.setItem(P, e.accessToken), e.refreshToken && localStorage.setItem(R, e.refreshToken), e.idToken && localStorage.setItem(D, e.idToken);
   }
   /**
    * Clear stored tokens (call on logout).
    */
   async clearTokens() {
-    localStorage.removeItem(T), localStorage.removeItem(v), localStorage.removeItem(O);
+    localStorage.removeItem(P), localStorage.removeItem(D), localStorage.removeItem(R);
   }
   /**
    * POST /auth/refresh - Refresh access token using server-stored refresh token.
@@ -739,17 +844,17 @@ class C {
   async refreshToken(e) {
     const n = this.extractRealm(void 0, e), t = await this.request("POST", "/auth/refresh", {
       body: n ? { realm: n } : {}
-    }), s = t.data.data ?? t.data, r = s.access_token, o = s.id_token ?? "", i = s.token_type ?? "Bearer", u = s.expires_in ?? 3600;
-    return r && await this.storeTokens({
-      accessToken: r,
-      idToken: o,
-      expiresIn: u,
-      tokenType: i
+    }), r = t.data.data ?? t.data, o = r.access_token, a = r.id_token ?? "", l = r.token_type ?? "Bearer", i = r.expires_in ?? 3600;
+    return o && await this.storeTokens({
+      accessToken: o,
+      idToken: a,
+      expiresIn: i,
+      tokenType: l
     }), {
-      access_token: r,
-      id_token: o,
-      token_type: i,
-      expires_in: u
+      access_token: o,
+      id_token: a,
+      token_type: l,
+      expires_in: i
     };
   }
   /**
@@ -758,44 +863,35 @@ class C {
    */
   async logout() {
     try {
-      const e = await this.getAccessToken(), n = {};
-      e && (n.Authorization = `Bearer ${e}`), await this.request("POST", "/auth/logout", { body: {}, headers: n }), N();
+      const n = await this.getAccessToken() ? await this.signRequest("POST", "/auth/logout", { body: {} }) : { body: {} };
+      await this.request("POST", "/auth/logout", n), await U(), this.resetDPoPInitialization();
     } catch {
     }
     await this.clearTokens();
   }
   async getAccessToken() {
-    return localStorage.getItem(T);
+    return localStorage.getItem(P);
   }
 }
-typeof window < "u" && (window.AuthSDK = C);
-const ae = typeof window < "u" ? window : globalThis;
-ae.AuthSDK = C;
+typeof window < "u" && (window.AuthSDK = M);
+const be = typeof window < "u" ? window : globalThis;
+be.AuthSDK = M;
 export {
-  C as AuthSDK,
-  oe as AuthSDKFetchError,
-  y as arrayBufferToBase64,
-  w as arrayBufferToBase64url,
-  m as base64ToArrayBuffer,
-  M as base64urlToArrayBuffer,
-  q as calculateThumbprint,
-  N as clearDPoPKey,
-  G as clearPasskeyEmail,
-  Q as clearPasskeyMobileNumber,
-  g as generateDPoPKeyPair,
-  k as generateDPoPProof,
-  A as getDPoPKey,
-  R as getDPoPPublicKeyJWK,
-  z as getPasskeyEmail,
-  V as getPasskeyMobileNumber,
+  M as AuthSDK,
+  we as AuthSDKFetchError,
+  y as SDKValidationError,
+  N as arrayBufferToBase64,
+  p as arrayBufferToBase64url,
+  C as base64ToArrayBuffer,
+  b as base64urlToArrayBuffer,
+  X as clearPasskeyEmail,
+  ee as clearPasskeyMobileNumber,
+  Y as getPasskeyEmail,
+  Z as getPasskeyMobileNumber,
   j as isConditionalUISupported,
-  ee as isDPoPEnabled,
-  K as isWebAuthnSupported,
-  F as setPasskeyEmail,
-  X as setPasskeyMobileNumber,
-  te as storeDPoPKey,
-  _ as stringToArrayBuffer,
-  D as toMinimalJWK,
-  W as uint8ArrayToString
+  O as isWebAuthnSupported,
+  V as setPasskeyEmail,
+  Q as setPasskeyMobileNumber,
+  T as stringToArrayBuffer,
+  F as uint8ArrayToString
 };
-//# sourceMappingURL=postex-auth-sdk-stage.es.js.map