postex-auth-sdk-stage 2.3.0 → 3.0.0

package/dist/postex-auth-sdk-stage.es.js

@@ -1,137 +1,137 @@
-function R() {
+function O() {
   return typeof window < "u" && typeof window.PublicKeyCredential < "u" && typeof navigator < "u" && typeof navigator.credentials < "u";
 }
-async function M() {
-  if (!R()) return !1;
+async function j() {
+  if (!O()) return !1;
   try {
     return await PublicKeyCredential.isConditionalMediationAvailable?.() ?? !1;
   } catch {
     return !1;
   }
 }
-function O(o) {
-  const e = new Uint8Array(o);
-  let r = "";
+function N(a) {
+  const e = new Uint8Array(a);
+  let s = "";
   for (let t = 0; t < e.byteLength; t++)
-    r += String.fromCharCode(e[t]);
-  return btoa(r);
+    s += String.fromCharCode(e[t]);
+  return btoa(s);
 }
-function C(o) {
-  if (typeof o != "string" || !o)
+function C(a) {
+  if (typeof a != "string" || !a)
     throw new Error("Invalid base64: expected non-empty string");
-  const e = o.replace(/\s/g, "").replace(/-/g, "+").replace(/_/g, "/"), r = e.length % 4, t = r > 0 ? e + "=".repeat(4 - r) : e;
+  const e = a.replace(/\s/g, "").replace(/-/g, "+").replace(/_/g, "/"), s = e.length % 4, t = s > 0 ? e + "=".repeat(4 - s) : e;
   try {
-    const s = atob(t), n = new Uint8Array(s.length);
-    for (let a = 0; a < s.length; a++)
-      n[a] = s.charCodeAt(a);
-    return n.buffer;
+    const n = atob(t), r = new Uint8Array(n.length);
+    for (let o = 0; o < n.length; o++)
+      r[o] = n.charCodeAt(o);
+    return r.buffer;
   } catch {
     throw new Error(
       "Invalid base64: string is not correctly encoded. Check challenge/credentialId from server."
     );
   }
 }
-function h(o) {
-  return O(o).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/g, "");
+function y(a) {
+  return N(a).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/g, "");
 }
-function j(o) {
+function H(a) {
   return /^[0-9a-f]{8}-?[0-9a-f]{4}-?[0-9a-f]{4}-?[0-9a-f]{4}-?[0-9a-f]{12}$/i.test(
-    o
+    a
   );
 }
-function H(o) {
-  const e = o.replace(/-/g, ""), r = new Uint8Array(e.length / 2);
-  for (let t = 0; t < r.length; t++)
-    r[t] = parseInt(e.substr(t * 2, 2), 16);
-  return r.buffer;
+function J(a) {
+  const e = a.replace(/-/g, ""), s = new Uint8Array(e.length / 2);
+  for (let t = 0; t < s.length; t++)
+    s[t] = parseInt(e.substr(t * 2, 2), 16);
+  return s.buffer;
 }
-function P(o) {
-  if (!o || typeof o != "string")
+function b(a) {
+  if (!a || typeof a != "string")
     throw new Error("Invalid input: expected non-empty string");
-  return j(o) ? H(o) : C(o);
+  return H(a) ? J(a) : C(a);
 }
-function k(o) {
-  return new TextEncoder().encode(o).buffer;
+function k(a) {
+  return new TextEncoder().encode(a).buffer;
 }
-function J(o) {
-  return String.fromCharCode(...o);
+function F(a) {
+  return String.fromCharCode(...a);
 }
-const F = "xpay_webauthn", W = 1, u = "passkey_data", E = "passkey_email", _ = "passkey_mobile_number";
+const G = "xpay_webauthn", W = 1, u = "passkey_data", E = "passkey_email", _ = "passkey_mobile_number";
 function m() {
-  return new Promise((o, e) => {
-    const r = indexedDB.open(F, W);
-    r.onerror = () => e(r.error), r.onsuccess = () => o(r.result), r.onupgradeneeded = () => {
-      const t = r.result;
+  return new Promise((a, e) => {
+    const s = indexedDB.open(G, W);
+    s.onerror = () => e(s.error), s.onsuccess = () => a(s.result), s.onupgradeneeded = () => {
+      const t = s.result;
       t.objectStoreNames.contains(u) || t.createObjectStore(u);
     };
   });
 }
-async function G() {
+async function Y() {
   try {
-    const o = await m();
-    return new Promise((e, r) => {
-      const t = o.transaction(u, "readonly"), n = t.objectStore(u).get(E);
-      n.onerror = () => r(n.error), n.onsuccess = () => e(n.result ?? null), t.oncomplete = () => o.close();
+    const a = await m();
+    return new Promise((e, s) => {
+      const t = a.transaction(u, "readonly"), r = t.objectStore(u).get(E);
+      r.onerror = () => s(r.error), r.onsuccess = () => e(r.result ?? null), t.oncomplete = () => a.close();
     });
   } catch {
     return null;
   }
 }
-async function Y(o) {
+async function V(a) {
   try {
     const e = await m();
-    return new Promise((r, t) => {
-      const s = e.transaction(u, "readwrite"), a = s.objectStore(u).put(o, E);
-      a.onerror = () => t(a.error), a.onsuccess = () => r(), s.oncomplete = () => e.close();
+    return new Promise((s, t) => {
+      const n = e.transaction(u, "readwrite"), o = n.objectStore(u).put(a, E);
+      o.onerror = () => t(o.error), o.onsuccess = () => s(), n.oncomplete = () => e.close();
     });
   } catch {
   }
 }
-async function V() {
+async function X() {
   try {
-    const o = await m();
-    return new Promise((e, r) => {
-      const t = o.transaction(u, "readwrite"), n = t.objectStore(u).delete(E);
-      n.onerror = () => r(n.error), n.onsuccess = () => e(), t.oncomplete = () => o.close();
+    const a = await m();
+    return new Promise((e, s) => {
+      const t = a.transaction(u, "readwrite"), r = t.objectStore(u).delete(E);
+      r.onerror = () => s(r.error), r.onsuccess = () => e(), t.oncomplete = () => a.close();
     });
   } catch {
   }
 }
-async function X() {
+async function Z() {
   try {
-    const o = await m();
-    return new Promise((e, r) => {
-      const t = o.transaction(u, "readonly"), n = t.objectStore(u).get(_);
-      n.onerror = () => r(n.error), n.onsuccess = () => e(n.result ?? null), t.oncomplete = () => o.close();
+    const a = await m();
+    return new Promise((e, s) => {
+      const t = a.transaction(u, "readonly"), r = t.objectStore(u).get(_);
+      r.onerror = () => s(r.error), r.onsuccess = () => e(r.result ?? null), t.oncomplete = () => a.close();
     });
   } catch {
     return null;
   }
 }
-async function Z(o) {
+async function Q(a) {
   try {
     const e = await m();
-    return new Promise((r, t) => {
-      const s = e.transaction(u, "readwrite"), a = s.objectStore(u).put(o, _);
-      a.onerror = () => t(a.error), a.onsuccess = () => r(), s.oncomplete = () => e.close();
+    return new Promise((s, t) => {
+      const n = e.transaction(u, "readwrite"), o = n.objectStore(u).put(a, _);
+      o.onerror = () => t(o.error), o.onsuccess = () => s(), n.oncomplete = () => e.close();
     });
   } catch {
   }
 }
-async function Q() {
+async function ee() {
   try {
-    const o = await m();
-    return new Promise((e, r) => {
-      const t = o.transaction(u, "readwrite"), n = t.objectStore(u).delete(_);
-      n.onerror = () => r(n.error), n.onsuccess = () => e(), t.oncomplete = () => o.close();
+    const a = await m();
+    return new Promise((e, s) => {
+      const t = a.transaction(u, "readwrite"), r = t.objectStore(u).delete(_);
+      r.onerror = () => s(r.error), r.onsuccess = () => e(), t.oncomplete = () => a.close();
     });
   } catch {
   }
 }
-const S = "dpop_private_key", A = "dpop_public_key_jwk";
-function N(o) {
-  if (!o || typeof o != "object") return !1;
-  const e = o;
+const S = "dpop_private_key", v = "dpop_public_key_jwk";
+function K(a) {
+  if (!a || typeof a != "object") return !1;
+  const e = a;
   return e.kty === "EC" && e.crv === "P-256" && typeof e.x == "string" && typeof e.y == "string";
 }
 class g extends Error {
@@ -139,65 +139,65 @@ class g extends Error {
     super(e), this.name = "DPoPProofGenerationError";
   }
 }
-function ee(o) {
+function te(a) {
   return {
     kty: "EC",
     crv: "P-256",
-    x: o.x,
-    y: o.y
+    x: a.x,
+    y: a.y
   };
 }
-async function K(o) {
+async function q(a) {
   const e = JSON.stringify({
-    crv: o.crv,
-    kty: o.kty,
-    x: o.x,
-    y: o.y
-  }), r = await crypto.subtle.digest(
+    crv: a.crv,
+    kty: a.kty,
+    x: a.x,
+    y: a.y
+  }), s = await crypto.subtle.digest(
     "SHA-256",
     new TextEncoder().encode(e)
   );
-  return h(r);
+  return y(s);
 }
-async function te(o) {
+async function se(a) {
   try {
     const e = await m();
-    return new Promise((r, t) => {
-      const s = e.transaction(u, "readwrite"), a = s.objectStore(u).put(o, S);
-      a.onerror = () => t(a.error), a.onsuccess = () => r(), s.oncomplete = () => e.close();
+    return new Promise((s, t) => {
+      const n = e.transaction(u, "readwrite"), o = n.objectStore(u).put(a, S);
+      o.onerror = () => t(o.error), o.onsuccess = () => s(), n.oncomplete = () => e.close();
     });
   } catch (e) {
     console.error("Failed to store DPoP private key:", e);
   }
 }
-async function re(o) {
+async function re(a) {
   try {
     const e = await m();
-    return new Promise((r, t) => {
-      const s = e.transaction(u, "readwrite"), a = s.objectStore(u).put(o, A);
-      a.onerror = () => t(a.error), a.onsuccess = () => r(), s.oncomplete = () => e.close();
+    return new Promise((s, t) => {
+      const n = e.transaction(u, "readwrite"), o = n.objectStore(u).put(a, v);
+      o.onerror = () => t(o.error), o.onsuccess = () => s(), n.oncomplete = () => e.close();
     });
   } catch (e) {
     console.error("Failed to store DPoP public key JWK:", e);
   }
 }
-async function q() {
+async function $() {
   try {
-    const o = await m();
-    return new Promise((e, r) => {
-      const t = o.transaction(u, "readonly"), n = t.objectStore(u).get(S);
-      n.onerror = () => r(n.error), n.onsuccess = () => e(n.result ?? null), t.oncomplete = () => o.close();
+    const a = await m();
+    return new Promise((e, s) => {
+      const t = a.transaction(u, "readonly"), r = t.objectStore(u).get(S);
+      r.onerror = () => s(r.error), r.onsuccess = () => e(r.result ?? null), t.oncomplete = () => a.close();
     });
   } catch {
     return null;
   }
 }
-async function $() {
+async function B() {
   try {
-    const o = await m();
-    return new Promise((e, r) => {
-      const t = o.transaction(u, "readonly"), n = t.objectStore(u).get(A);
-      n.onerror = () => r(n.error), n.onsuccess = () => e(n.result ?? null), t.oncomplete = () => o.close();
+    const a = await m();
+    return new Promise((e, s) => {
+      const t = a.transaction(u, "readonly"), r = t.objectStore(u).get(v);
+      r.onerror = () => s(r.error), r.onsuccess = () => e(r.result ?? null), t.oncomplete = () => a.close();
     });
   } catch {
     return null;
@@ -205,18 +205,18 @@ async function $() {
 }
 async function T() {
   try {
-    const o = await m();
-    return new Promise((e, r) => {
-      const t = o.transaction(u, "readwrite"), s = t.objectStore(u);
-      s.delete(S), s.delete(A), t.onerror = () => r(t.error), t.oncomplete = () => {
-        o.close(), e();
+    const a = await m();
+    return new Promise((e, s) => {
+      const t = a.transaction(u, "readwrite"), n = t.objectStore(u);
+      n.delete(S), n.delete(v), t.onerror = () => s(t.error), t.oncomplete = () => {
+        a.close(), e();
       };
     });
   } catch {
   }
 }
 async function ne() {
-  const o = await crypto.subtle.generateKey(
+  const a = await crypto.subtle.generateKey(
     {
       name: "ECDSA",
       namedCurve: "P-256"
@@ -224,241 +224,253 @@ async function ne() {
     !1,
     // Private key is non-extractable
     ["sign", "verify"]
-  ), e = await crypto.subtle.exportKey("jwk", o.publicKey), r = ee(e), t = await K(r);
-  return await te(o.privateKey), await re(r), { publicKey: r, thumbprint: t };
+  ), e = await crypto.subtle.exportKey("jwk", a.publicKey), s = te(e), t = await q(s);
+  return await se(a.privateKey), await re(s), { publicKey: s, thumbprint: t };
 }
-async function se() {
-  const o = await q(), e = await $();
-  return o && N(e) ? {
+async function oe() {
+  const a = await $(), e = await B();
+  return a && K(e) ? {
     publicKey: e,
-    thumbprint: await K(e)
-  } : ((o || e) && await T(), ne());
+    thumbprint: await q(e)
+  } : ((a || e) && await T(), ne());
 }
-async function oe(o, e, r) {
+async function ae(a, e, s) {
   try {
-    const t = await q(), s = await $();
-    if (!t || !N(s))
+    const t = await $(), n = await B();
+    if (!t || !K(n))
       throw new g(
         "DPoP key material is unavailable or invalid"
       );
-    const n = {
+    const r = {
       typ: "dpop+jwt",
       alg: "ES256",
-      jwk: s
+      jwk: n
       // Public key in JWK format
-    }, a = new URL(
+    }, o = new URL(
       e,
       typeof window < "u" ? window.location.origin : void 0
-    ), l = `${a.origin}${a.pathname}`, c = {
+    ), l = `${o.origin}${o.pathname}`, c = {
       jti: crypto.randomUUID(),
-      htm: o.toUpperCase(),
+      htm: a.toUpperCase(),
       htu: l,
       iat: Math.floor(Date.now() / 1e3)
     };
-    if (r) {
-      const z = new TextEncoder().encode(r), L = await crypto.subtle.digest("SHA-256", z);
-      c.ath = h(L);
+    if (s) {
+      const L = new TextEncoder().encode(s), M = await crypto.subtle.digest("SHA-256", L);
+      c.ath = y(M);
     }
-    const d = h(
-      new TextEncoder().encode(JSON.stringify(n)).buffer
-    ), i = h(
+    const d = y(
+      new TextEncoder().encode(JSON.stringify(r)).buffer
+    ), i = y(
       new TextEncoder().encode(JSON.stringify(c)).buffer
-    ), p = `${d}.${i}`, f = await crypto.subtle.sign(
+    ), h = `${d}.${i}`, f = await crypto.subtle.sign(
       {
         name: "ECDSA",
         hash: { name: "SHA-256" }
       },
       t,
-      new TextEncoder().encode(p)
-    ), w = h(f);
+      new TextEncoder().encode(h)
+    ), w = y(f);
     return `${d}.${i}.${w}`;
   } catch (t) {
     throw console.error("Failed to generate DPoP proof:", t), t instanceof g ? t : new g("Failed to generate DPoP proof");
   }
 }
-const B = {
-  isWebAuthnSupported: R,
-  isConditionalUISupported: M,
-  arrayBufferToBase64: O,
+const U = {
+  isWebAuthnSupported: O,
+  isConditionalUISupported: j,
+  arrayBufferToBase64: N,
   base64ToArrayBuffer: C,
-  arrayBufferToBase64url: h,
-  base64urlToArrayBuffer: P,
+  arrayBufferToBase64url: y,
+  base64urlToArrayBuffer: b,
   stringToArrayBuffer: k,
-  uint8ArrayToString: J,
-  getPasskeyEmail: G,
-  setPasskeyEmail: Y,
-  clearPasskeyEmail: V,
-  getPasskeyMobileNumber: X,
-  setPasskeyMobileNumber: Z,
-  clearPasskeyMobileNumber: Q
+  uint8ArrayToString: F,
+  getPasskeyEmail: Y,
+  setPasskeyEmail: V,
+  clearPasskeyEmail: X,
+  getPasskeyMobileNumber: Z,
+  setPasskeyMobileNumber: Q,
+  clearPasskeyMobileNumber: ee
 };
-typeof window < "u" && (window.WebAuthn = B);
-const ae = typeof window < "u" ? window : globalThis;
-ae.WebAuthn = B;
-const b = "postex-auth-token", ie = "postexglobal", ce = {
+typeof window < "u" && (window.WebAuthn = U);
+const ie = typeof window < "u" ? window : globalThis;
+ie.WebAuthn = U;
+const P = "postex-auth-token", ce = "postexglobal", le = {
   xstak: "https://auth-stage.xstak.com/public/v1",
   postex: "https://auth-stage.postex.pk/public/v1",
   callcourier: "https://auth-stage.callcourier.com.pk/public/v1",
   postexglobal: "https://auth-stage.postexglobal.com/public/v1",
   postexsa: "https://auth-stage.postex.sa/public/v1"
-}, le = /^[^\s@]+@[^\s@]+\.[^\s@]{2,}$/, ue = /^\+[1-9]\d{6,14}$/, de = /^\d{6}$/, he = /^[A-Za-z0-9_-]{16,512}$/, pe = /[\u0000-\u001F\u007F-\u009F]/, ye = /[A-Za-z]/, me = /[\u0400-\u04FF]/, v = 254, x = 16, I = 64;
-class fe extends Error {
-  constructor(e, r, t) {
-    super(t ?? `Request failed with status ${e}`), this.response = { status: e, data: r }, this.name = "AuthSDKFetchError";
+}, ue = /^[^\s@]+@[^\s@]+\.[^\s@]{2,}$/, de = /^\+[1-9]\d{6,14}$/, he = /^\d{6}$/, pe = /^[A-Za-z0-9_-]{16,512}$/, ye = /[\u0000-\u001F\u007F-\u009F]/, me = /[A-Za-z]/, fe = /[\u0400-\u04FF]/, A = 254, x = 16, I = 64, D = 64;
+class we extends Error {
+  constructor(e, s, t) {
+    super(t ?? `Request failed with status ${e}`), this.response = { status: e, data: s }, this.name = "AuthSDKFetchError";
   }
 }
-class y extends Error {
-  constructor(e, r, t = "invalid_input") {
-    super(r), this.field = e, this.code = t, this.name = "SDKValidationError";
+class p extends Error {
+  constructor(e, s, t = "invalid_input") {
+    super(s), this.field = e, this.code = t, this.name = "SDKValidationError";
   }
 }
-const D = "auth_sdk_refresh_token";
-class U {
+const R = "auth_sdk_refresh_token";
+class z {
   constructor(e) {
     this.config = e, this.dpopInitializationPromise = this.createDPoPInitializationPromise();
   }
   getBaseUrl() {
-    const e = this.config.appId ?? ie;
-    return ce[e];
+    const e = this.config.appId ?? ce;
+    return le[e];
   }
   async initializeDPoPState() {
-    await se();
+    await oe();
   }
   async ensureDPoPInitialized() {
     await this.dpopInitializationPromise;
   }
   createDPoPInitializationPromise() {
     const e = this.initializeDPoPState();
-    return e.catch((r) => {
-      console.warn("[AuthSDK] DPoP initialization failed:", r);
+    return e.catch((s) => {
+      console.warn("[AuthSDK] DPoP initialization failed:", s);
     }), e;
   }
   resetDPoPInitialization() {
     this.dpopInitializationPromise = this.createDPoPInitializationPromise();
   }
-  async getRequiredDPoPProof(e, r, t) {
-    return await this.ensureDPoPInitialized(), oe(e.toUpperCase(), r, t);
+  async getRequiredDPoPProof(e, s, t) {
+    return await this.ensureDPoPInitialized(), ae(e.toUpperCase(), s, t);
   }
   containsControlChars(e) {
-    return pe.test(e);
+    return ye.test(e);
   }
   hasMixedLatinAndCyrillic(e) {
-    return ye.test(e) && me.test(e);
+    return me.test(e) && fe.test(e);
   }
-  assertNoControlChars(e, r) {
-    if (this.containsControlChars(r))
-      throw new y(
+  assertNoControlChars(e, s) {
+    if (this.containsControlChars(s))
+      throw new p(
         e,
         `${e} must not contain control characters`
       );
   }
-  validateEmail(e, r = "email") {
+  validateEmail(e, s = "email") {
     const t = e.trim();
     if (!t)
-      throw new y(r, `${r} is required`);
-    if (t.length > v)
-      throw new y(
-        r,
-        `${r} must be ${v} characters or fewer`
+      throw new p(s, `${s} is required`);
+    if (t.length > A)
+      throw new p(
+        s,
+        `${s} must be ${A} characters or fewer`
       );
-    this.assertNoControlChars(r, t);
-    const [s = ""] = t.split("@");
-    if (this.hasMixedLatinAndCyrillic(s))
-      throw new y(
-        r,
-        `${r} must not mix Latin and Cyrillic characters in the local part`
+    this.assertNoControlChars(s, t);
+    const [n = ""] = t.split("@");
+    if (this.hasMixedLatinAndCyrillic(n))
+      throw new p(
+        s,
+        `${s} must not mix Latin and Cyrillic characters in the local part`
       );
-    if (!le.test(t))
-      throw new y(r, `${r} must be a valid email`);
+    if (!ue.test(t))
+      throw new p(s, `${s} must be a valid email`);
     return t;
   }
-  validateMobileNumber(e, r = "mobileNumber") {
+  validateMobileNumber(e, s = "mobileNumber") {
     const t = e.trim();
     if (!t)
-      throw new y(r, `${r} is required`);
+      throw new p(s, `${s} is required`);
     if (t.length > x)
-      throw new y(
-        r,
-        `${r} must be ${x} characters or fewer`
+      throw new p(
+        s,
+        `${s} must be ${x} characters or fewer`
       );
-    if (this.assertNoControlChars(r, t), !ue.test(t))
-      throw new y(r, `${r} must be in E.164 format`);
+    if (this.assertNoControlChars(s, t), !de.test(t))
+      throw new p(s, `${s} must be in E.164 format`);
     return t;
   }
-  validateOTP(e, r = "otp") {
+  validateUsername(e, s = "username") {
+    const t = e.trim();
+    if (!t)
+      throw new p(s, `${s} is required`);
+    if (t.length > I)
+      throw new p(
+        s,
+        `${s} must be ${I} characters or fewer`
+      );
+    return this.assertNoControlChars(s, t), t;
+  }
+  validateOTP(e, s = "otp") {
     const t = e.trim();
-    if (this.assertNoControlChars(r, t), !de.test(t))
-      throw new y(r, `${r} must be a 6-digit code`);
+    if (this.assertNoControlChars(s, t), !he.test(t))
+      throw new p(s, `${s} must be a 6-digit code`);
     return t;
   }
-  validateMagicLinkToken(e, r = "token") {
+  validateMagicLinkToken(e, s = "token") {
     const t = e.trim();
-    if (this.assertNoControlChars(r, t), !he.test(t))
-      throw new y(
-        r,
-        `${r} must be 16-512 URL-safe characters`
+    if (this.assertNoControlChars(s, t), !pe.test(t))
+      throw new p(
+        s,
+        `${s} must be 16-512 URL-safe characters`
       );
     return t;
   }
   validateRealm(e) {
-    const r = e?.trim();
-    if (r) {
-      if (this.assertNoControlChars("realm", r), r.length > I)
-        throw new y(
+    const s = e?.trim();
+    if (s) {
+      if (this.assertNoControlChars("realm", s), s.length > D)
+        throw new p(
           "realm",
-          `realm must be ${I} characters or fewer`
+          `realm must be ${D} characters or fewer`
         );
-      return r;
+      return s;
     }
   }
   normalizeAndValidateIdentifier(e) {
     return typeof e == "string" ? { email: this.validateEmail(e) } : {
       email: e.email ? this.validateEmail(e.email) : void 0,
-      mobileNumber: e.mobileNumber ? this.validateMobileNumber(e.mobileNumber) : void 0
+      mobileNumber: e.mobileNumber ? this.validateMobileNumber(e.mobileNumber) : void 0,
+      username: e.username ? this.validateUsername(e.username) : void 0
     };
   }
   normalizeAuthIdentifier(e) {
     return this.normalizeAndValidateIdentifier(e);
   }
-  extractRealm(e, r) {
-    const t = r?.realm ?? (e && typeof e != "string" ? e.realm : void 0);
+  extractRealm(e, s) {
+    const t = s?.realm ?? (e && typeof e != "string" ? e.realm : void 0);
     return this.validateRealm(t);
   }
-  buildAuthRequestBody(e, r) {
-    const t = this.normalizeAuthIdentifier(e), s = this.extractRealm(e, r);
+  buildAuthRequestBody(e, s) {
+    const t = this.normalizeAuthIdentifier(e), n = this.extractRealm(e, s);
     return {
       ...t,
-      ...s ? { realm: s } : {}
+      ...n ? { realm: n } : {}
     };
   }
-  buildUrl(e, r) {
-    const t = this.getBaseUrl().replace(/\/$/, ""), s = e.startsWith("/") ? e : `/${e}`, n = `${t}${s}`;
-    if (!r || Object.keys(r).length === 0) return n;
-    const a = new URLSearchParams(r).toString();
-    return `${n}?${a}`;
+  buildUrl(e, s) {
+    const t = this.getBaseUrl().replace(/\/$/, ""), n = e.startsWith("/") ? e : `/${e}`, r = `${t}${n}`;
+    if (!s || Object.keys(s).length === 0) return r;
+    const o = new URLSearchParams(s).toString();
+    return `${r}?${o}`;
   }
-  async request(e, r, t) {
-    const s = this.buildUrl(r, t?.params), n = {
+  async request(e, s, t) {
+    const n = this.buildUrl(s, t?.params), r = {
       "Content-Type": "application/json",
       Accept: "application/json",
       "X-API-Key": this.config.apiKey ?? "",
       ...t?.headers
-    }, a = {
+    }, o = {
       method: e,
       credentials: "include",
-      headers: n
+      headers: r
     };
-    t?.body !== void 0 && t?.body !== null && (a.body = JSON.stringify(t.body));
-    const l = await fetch(s, a);
+    t?.body !== void 0 && t?.body !== null && (o.body = JSON.stringify(t.body));
+    const l = await fetch(n, o);
     if (!l.ok) {
       let i;
       try {
-        const p = await l.text();
-        i = p ? JSON.parse(p) : void 0;
+        const h = await l.text();
+        i = h ? JSON.parse(h) : void 0;
       } catch {
         i = void 0;
       }
-      throw l.status === 401 && (await this.clearTokens(), await T(), this.resetDPoPInitialization()), new fe(l.status, i);
+      throw l.status === 401 && (await this.clearTokens(), await T(), this.resetDPoPInitialization()), new we(l.status, i);
     }
     const c = await l.text();
     return { data: c ? JSON.parse(c) : {} };
@@ -469,60 +481,64 @@ class U {
    * @param method - HTTP method (e.g. "GET", "POST")
    * @param url - Full request URL
    */
-  async getRequestAuthHeaders(e, r) {
-    const t = localStorage.getItem(b);
+  async getRequestAuthHeaders(e, s) {
+    const t = localStorage.getItem(P);
     if (!t) return {};
-    const s = r.startsWith("http") ? r : `${this.getBaseUrl()}${r}`, n = await this.getRequiredDPoPProof(e, s, t);
+    const n = s.startsWith("http") ? s : `${this.getBaseUrl()}${s}`, r = await this.getRequiredDPoPProof(e, n, t);
     return {
       Authorization: `Bearer ${t}`,
-      DPoP: n
+      DPoP: r
     };
   }
   /**
    * GET /auth/status - Check if client has trusted device session and what auth method is available.
    * Returns no_session | session_found | webauthn_ready per PostEx Auth BFF spec.
    */
-  async getStatus(e, r) {
-    const t = this.normalizeAuthIdentifier(e), s = this.extractRealm(e, r), n = {};
-    t.email && (n.email = t.email), t.mobileNumber && (n.mobileNumber = t.mobileNumber), s && (n.realm = s);
-    const a = await this.request("GET", "/auth/status", {
-      params: n
+  async getStatus(e, s) {
+    const t = this.normalizeAuthIdentifier(e), n = this.extractRealm(e, s), r = {};
+    t.email && (r.email = t.email), t.mobileNumber && (r.mobileNumber = t.mobileNumber), t.username && (r.username = t.username), n && (r.realm = n);
+    const o = await this.request("GET", "/auth/status", {
+      params: r
     });
-    return a.data.data ?? a.data;
+    return o.data.data ?? o.data;
   }
   /**
    * POST /auth/initiate - Unified entry: returns webauthn_challenge or otp_sent.
-   * Sets auth_session cookie when otp_sent.
+   * Sets auth_session cookie and includes delivery metadata when otp_sent.
    */
-  async initiateAuth(e, r) {
-    const t = this.buildAuthRequestBody(e, r), s = await this.request("POST", "/auth/initiate", {
+  async initiateAuth(e, s) {
+    const t = this.buildAuthRequestBody(e, s), r = (await this.request("POST", "/auth/initiate", {
       body: t
-    }), n = s.data.data ?? s.data;
+    })).data, o = r.data;
     return {
-      status: n.status,
-      challenge: n.challenge,
-      credentialIds: n.credentialIds,
-      rp: n.rp
+      status: o.status,
+      message: r.message,
+      delivery: o.delivery,
+      challenge: o.challenge,
+      credentialIds: o.credentialIds,
+      rp: o.rp
     };
   }
   /**
-   * POST /otp/initiate - Direct OTP initiation using email or mobile number.
-   * Requires at least one identifier: email or mobileNumber.
+   * POST /otp/initiate - Direct OTP initiation using email, mobile number, or username.
+   * Requires at least one identifier: email, mobileNumber, or username.
    */
-  async initiateOTP(e, r) {
-    const t = this.normalizeAuthIdentifier(e), s = this.extractRealm(e, r), n = t.email, a = t.mobileNumber;
-    if (!n && !a)
-      throw new y(
+  async initiateOTP(e, s) {
+    const t = this.normalizeAuthIdentifier(e), n = this.extractRealm(e, s), r = t.email, o = t.mobileNumber, l = t.username;
+    if (!r && !o && !l)
+      throw new p(
         "identifier",
-        "Either mobileNumber or email is required"
+        "Either mobileNumber, email, or username is required"
       );
-    const l = {};
-    n && (l.email = n), a && (l.mobileNumber = a), s && (l.realm = s);
-    const d = (await this.request("POST", "/otp/initiate", {
-      body: l
-    })).data;
+    const c = {};
+    r && (c.email = r), o && (c.mobileNumber = o), l && (c.username = l), n && (c.realm = n);
+    const i = (await this.request("POST", "/otp/initiate", {
+      body: c
+    })).data, h = i.data;
     return {
-      message: d.message ?? d.data?.message
+      message: i.message,
+      success: i.success,
+      ...h
     };
   }
   /**
@@ -530,13 +546,13 @@ class U {
    * Stores tokens from the response.
    */
   async verifyOTP(e) {
-    const r = this.validateOTP(e), t = await this.getRequiredDPoPProof(
+    const s = this.validateOTP(e), t = await this.getRequiredDPoPProof(
       "POST",
       `${this.getBaseUrl()}/otp/verify`
-    ), s = await this.request("POST", "/otp/verify", {
-      body: { otp: r },
+    ), n = await this.request("POST", "/otp/verify", {
+      body: { otp: s },
       headers: { DPoP: t }
-    }), n = s.data.data ?? s.data, a = n.AuthenticationResult ?? n, l = a.access_token ?? a.accessToken ?? a.AccessToken, c = a.refresh_token ?? a.refreshToken ?? a.RefreshToken, d = a.expires_in ?? a.expiresIn, i = a.token_type ?? a.tokenType;
+    }), r = n.data.data ?? n.data, o = r.AuthenticationResult ?? r, l = o.access_token ?? o.accessToken ?? o.AccessToken, c = o.refresh_token ?? o.refreshToken ?? o.RefreshToken, d = o.expires_in ?? o.expiresIn, i = o.token_type ?? o.tokenType;
     return l && await this.storeTokens({
       accessToken: l,
       refreshToken: c,
@@ -547,21 +563,21 @@ class U {
       refresh_token: c,
       expires_in: d,
       token_type: i,
-      verified: a.verified,
-      email: a.email ?? a.Email,
-      ...a
+      verified: o.verified,
+      email: o.email ?? o.Email,
+      ...o
     };
   }
   /**
-   * POST /resend - Resend OTP code to the user's email.
+   * POST /otp/resend - Resend OTP code to the user's email or mobile number.
    * No payload required, relies on auth_session cookie.
    */
   async resendOTP() {
-    const e = await this.request("POST", "/otp/resend", {}), r = e.data.data ?? e.data;
+    const s = (await this.request("POST", "/otp/resend", {})).data;
     return {
-      success: r.success,
-      message: r.message,
-      ...r
+      message: s.message,
+      success: s.success,
+      ...s.data
     };
   }
   /**
@@ -570,24 +586,24 @@ class U {
    */
   async verifySignupOTP({
     mobileNumber: e,
-    otp: r
+    otp: s
   }) {
-    const t = this.validateMobileNumber(e), s = this.validateOTP(r), n = await this.getRequiredDPoPProof(
+    const t = this.validateMobileNumber(e), n = this.validateOTP(s), r = await this.getRequiredDPoPProof(
       "POST",
       `${this.getBaseUrl()}/otp/signup/verify`
-    ), a = await this.request("POST", "/otp/signup/verify", {
-      body: { mobileNumber: t, otp: s },
-      headers: { DPoP: n }
-    }), l = a.data.data ?? a.data, c = l.AuthenticationResult ?? l, d = c.access_token ?? c.accessToken ?? c.AccessToken, i = c.refresh_token ?? c.refreshToken ?? c.RefreshToken, p = c.expires_in ?? c.expiresIn, f = c.token_type ?? c.tokenType;
+    ), o = await this.request("POST", "/otp/signup/verify", {
+      body: { mobileNumber: t, otp: n },
+      headers: { DPoP: r }
+    }), l = o.data.data ?? o.data, c = l.AuthenticationResult ?? l, d = c.access_token ?? c.accessToken ?? c.AccessToken, i = c.refresh_token ?? c.refreshToken ?? c.RefreshToken, h = c.expires_in ?? c.expiresIn, f = c.token_type ?? c.tokenType;
     return d && await this.storeTokens({
       accessToken: d,
       refreshToken: i,
-      expiresIn: p,
+      expiresIn: h,
       tokenType: f
     }), {
       access_token: d,
       refresh_token: i,
-      expires_in: p,
+      expires_in: h,
       token_type: f,
       verified: c.verified,
       email: c.email ?? c.Email,
@@ -599,15 +615,15 @@ class U {
    */
   async resendSignupOTP({
     mobileNumber: e,
-    email: r = ""
+    email: s = ""
   }) {
-    const t = this.validateMobileNumber(e), s = r ? this.validateEmail(r) : "", n = await this.request("POST", "/otp/signup/resend", {
-      body: { email: s, mobileNumber: t }
-    }), a = n.data.data ?? n.data;
+    const t = this.validateMobileNumber(e), n = s ? this.validateEmail(s) : "", r = await this.request("POST", "/otp/signup/resend", {
+      body: { email: n, mobileNumber: t }
+    }), o = r.data.data ?? r.data;
     return {
-      success: a.success,
-      message: a.message,
-      ...a
+      success: o.success,
+      message: o.message,
+      ...o
     };
   }
   /**
@@ -615,10 +631,10 @@ class U {
    * Sets auth_session cookie on success.
    */
   async verifyMagicLink(e) {
-    const r = this.validateMagicLinkToken(e);
+    const s = this.validateMagicLinkToken(e);
     await this.request("GET", "/verify/magic-link", {
       params: {
-        token: r,
+        token: s,
         redirect_mode: "frontend"
       }
     });
@@ -635,16 +651,16 @@ class U {
       {
         body: {}
       }
-    ), r = e.data.data ?? e.data, t = r.AuthenticationResult ?? r, s = t.access_token ?? t.accessToken ?? t.AccessToken, n = t.refresh_token ?? t.refreshToken ?? t.RefreshToken, a = t.expires_in ?? t.expiresIn, l = t.token_type ?? t.tokenType;
-    return s && await this.storeTokens({
-      accessToken: s,
-      refreshToken: n,
-      expiresIn: a,
+    ), s = e.data.data ?? e.data, t = s.AuthenticationResult ?? s, n = t.access_token ?? t.accessToken ?? t.AccessToken, r = t.refresh_token ?? t.refreshToken ?? t.RefreshToken, o = t.expires_in ?? t.expiresIn, l = t.token_type ?? t.tokenType;
+    return n && await this.storeTokens({
+      accessToken: n,
+      refreshToken: r,
+      expiresIn: o,
       tokenType: l
     }), {
-      access_token: s,
-      refresh_token: n,
-      expires_in: a,
+      access_token: n,
+      refresh_token: r,
+      expires_in: o,
       token_type: l,
       verified: t.verified,
       email: t.email ?? t.Email,
@@ -662,38 +678,38 @@ class U {
     return e.data.data ?? e.data;
   }
   async registerPasskey(e) {
-    const r = this.validateEmail(e), t = await this.initiatePasskeyRegistration();
-    let s;
+    const s = this.validateEmail(e), t = await this.initiatePasskeyRegistration();
+    let n;
     if (t?.user?.id)
       try {
-        s = P(t.user.id);
+        n = b(t.user.id);
       } catch {
-        s = k(t.user.id);
+        n = k(t.user.id);
       }
     else
-      s = k(r);
-    const n = (t.pubKeyCredParams ?? [
+      n = k(s);
+    const r = (t.pubKeyCredParams ?? [
       { type: "public-key", alg: -7 },
       { type: "public-key", alg: -257 }
     ]).map((w) => ({
       type: "public-key",
       alg: w.alg
-    })), a = t.excludeCredentials?.map((w) => ({
+    })), o = t.excludeCredentials?.map((w) => ({
       type: "public-key",
-      id: P(w)
+      id: b(w)
     })), l = {
-      challenge: P(t.challenge),
+      challenge: b(t.challenge),
       rp: {
         name: t.rp?.name ?? "XPay",
         id: t.rp?.id ?? window.location.hostname
       },
       user: {
-        id: s,
-        name: t.user?.name ?? r,
-        displayName: t.user?.displayName ?? r
+        id: n,
+        name: t.user?.name ?? s,
+        displayName: t.user?.displayName ?? s
       },
-      pubKeyCredParams: n,
-      excludeCredentials: a,
+      pubKeyCredParams: r,
+      excludeCredentials: o,
       timeout: t.timeout ?? 6e4,
       attestation: "direct",
       authenticatorSelection: {
@@ -706,12 +722,12 @@ class U {
     });
     if (!c) throw new Error("Credential creation failed");
     const d = c.response, i = {
-      clientDataJSON: h(d.clientDataJSON),
-      attestationObject: h(d.attestationObject),
-      rawId: h(c.rawId)
+      clientDataJSON: y(d.clientDataJSON),
+      attestationObject: y(d.attestationObject),
+      rawId: y(c.rawId)
     };
     if (!i.rawId) throw new Error("Raw ID is required");
-    const p = await this.getRequiredDPoPProof(
+    const h = await this.getRequiredDPoPProof(
       "POST",
       `${this.getBaseUrl()}/webauthn/register/challenge`
     ), f = await this.request(
@@ -719,7 +735,7 @@ class U {
       "/webauthn/register/challenge",
       {
         body: i,
-        headers: { DPoP: p }
+        headers: { DPoP: h }
       }
     );
     return f.data.data ?? f.data;
@@ -729,31 +745,31 @@ class U {
    */
   async authenticateWithPasskey({
     challenge: e,
-    rp: r,
+    rp: s,
     credentialIds: t
   }) {
-    const s = await navigator.credentials.get({
+    const n = await navigator.credentials.get({
       publicKey: {
-        challenge: P(e),
-        rpId: r?.host ?? void 0,
+        challenge: b(e),
+        rpId: s?.host ?? void 0,
         allowCredentials: t.map((w) => ({
           type: "public-key",
-          id: P(w),
+          id: b(w),
           transports: ["internal"]
         })),
         timeout: 6e4,
         userVerification: "required"
       }
     });
-    if (!s) throw new Error("Authentication failed");
-    const n = s.response, a = {
-      clientDataJSON: h(n.clientDataJSON),
-      authenticatorData: h(
-        n.authenticatorData
+    if (!n) throw new Error("Authentication failed");
+    const r = n.response, o = {
+      clientDataJSON: y(r.clientDataJSON),
+      authenticatorData: y(
+        r.authenticatorData
       ),
-      signature: h(n.signature),
-      rawId: h(s.rawId),
-      userHandle: n.userHandle ? h(n.userHandle) : ""
+      signature: y(r.signature),
+      rawId: y(n.rawId),
+      userHandle: r.userHandle ? y(r.userHandle) : ""
     }, l = await this.getRequiredDPoPProof(
       "POST",
       `${this.getBaseUrl()}/webauthn/authenticate/challenge`
@@ -761,17 +777,17 @@ class U {
       "POST",
       "/webauthn/authenticate/challenge",
       {
-        body: a,
+        body: o,
         headers: { DPoP: l }
       }
-    ), d = c.data.data ?? c.data, i = d.AuthenticationResult ?? d, p = i.AccessToken ?? i.accessToken ?? i.access_token, f = i.RefreshToken ?? i.refreshToken ?? i.refresh_token;
-    return p && await this.storeTokens({
-      accessToken: p,
+    ), d = c.data.data ?? c.data, i = d.AuthenticationResult ?? d, h = i.AccessToken ?? i.accessToken ?? i.access_token, f = i.RefreshToken ?? i.refreshToken ?? i.refresh_token;
+    return h && await this.storeTokens({
+      accessToken: h,
       refreshToken: f,
       expiresIn: i.expiresIn ?? i.ExpiresIn,
       tokenType: i.tokenType ?? i.token_type
     }), {
-      access_token: p,
+      access_token: h,
       refresh_token: f,
       email: i.email,
       name: i.name ?? i.userName,
@@ -784,50 +800,50 @@ class U {
    * GET /webauthn/credentials/:username - Get user's passkey status.
    */
   async getPasskeyStatus(e) {
-    const t = `/webauthn/credentials/${encodeURIComponent(e)}`, s = await this.signRequest("GET", t), n = await this.request("GET", t, {
-      headers: s.headers
-    }), a = n.data.data ?? n.data;
+    const t = `/webauthn/credentials/${encodeURIComponent(e)}`, n = await this.signRequest("GET", t), r = await this.request("GET", t, {
+      headers: n.headers
+    }), o = r.data.data ?? r.data;
     return {
-      ...a,
-      hasCredentials: !!(a.hasCredentials ?? a.credentialId)
+      ...o,
+      hasCredentials: !!(o.hasCredentials ?? o.credentialId)
     };
   }
   /**
    * DELETE /webauthn/credentials/:username - Remove passkey.
    */
   async removePasskey(e) {
-    const t = `/webauthn/credentials/${encodeURIComponent(e)}`, s = await this.signRequest("DELETE", t);
+    const t = `/webauthn/credentials/${encodeURIComponent(e)}`, n = await this.signRequest("DELETE", t);
     await this.request("DELETE", t, {
-      headers: s.headers
+      headers: n.headers
     });
   }
   /**
    * Signs a request with DPoP and Authorization headers (internal use).
    */
-  async signRequest(e, r, t = {}) {
-    const s = r.startsWith("http") ? r : `${this.getBaseUrl()}${r}`, n = await this.getRequestAuthHeaders(e, s);
-    return { ...t, headers: { ...t.headers, ...n } };
+  async signRequest(e, s, t = {}) {
+    const n = s.startsWith("http") ? s : `${this.getBaseUrl()}${s}`, r = await this.getRequestAuthHeaders(e, n);
+    return { ...t, headers: { ...t.headers, ...r } };
   }
   /**
    * Replaces native fetch or Axios with a DPoP-signed version.
    */
-  async authenticatedFetch(e, r) {
-    const t = typeof e == "string" ? e : e instanceof URL ? e.toString() : e.url, s = r?.method || "GET", n = await this.signRequest(s, t, {
-      headers: r?.headers
+  async authenticatedFetch(e, s) {
+    const t = typeof e == "string" ? e : e instanceof URL ? e.toString() : e.url, n = s?.method || "GET", r = await this.signRequest(n, t, {
+      headers: s?.headers
     });
-    return fetch(e, { ...r, headers: n.headers });
+    return fetch(e, { ...s, headers: r.headers });
   }
   /**
    * Store tokens from /webauthn/authenticate (per spec: sessionStorage preferred).
    */
   async storeTokens(e) {
-    localStorage.setItem(b, e.accessToken), e.refreshToken && localStorage.setItem(D, e.refreshToken);
+    localStorage.setItem(P, e.accessToken), e.refreshToken && localStorage.setItem(R, e.refreshToken);
   }
   /**
    * Clear stored tokens (call on logout).
    */
   async clearTokens() {
-    localStorage.removeItem(b), localStorage.removeItem(D);
+    localStorage.removeItem(P), localStorage.removeItem(R);
   }
   /**
    * POST /auth/refresh - Refresh access token using server-stored refresh token.
@@ -835,16 +851,16 @@ class U {
    * Rate limit: 10 requests per minute.
    */
   async refreshToken(e) {
-    const r = this.extractRealm(void 0, e), t = await this.request("POST", "/auth/refresh", {
-      body: r ? { realm: r } : {}
-    }), s = t.data.data ?? t.data, n = s.access_token, a = s.token_type, l = s.expires_in;
-    return n && await this.storeTokens({
-      accessToken: n,
+    const s = this.extractRealm(void 0, e), t = await this.request("POST", "/auth/refresh", {
+      body: s ? { realm: s } : {}
+    }), n = t.data.data ?? t.data, r = n.access_token, o = n.token_type, l = n.expires_in;
+    return r && await this.storeTokens({
+      accessToken: r,
       expiresIn: l,
-      tokenType: a
+      tokenType: o
     }), {
-      access_token: n,
-      token_type: a,
+      access_token: r,
+      token_type: o,
       expires_in: l
     };
   }
@@ -854,35 +870,35 @@ class U {
    */
   async logout() {
     try {
-      const r = await this.getAccessToken() ? await this.signRequest("POST", "/auth/logout", { body: {} }) : { body: {} };
-      await this.request("POST", "/auth/logout", r), await T(), this.resetDPoPInitialization();
+      const s = await this.getAccessToken() ? await this.signRequest("POST", "/auth/logout", { body: {} }) : { body: {} };
+      await this.request("POST", "/auth/logout", s), await T(), this.resetDPoPInitialization();
     } catch {
     }
     await this.clearTokens();
   }
   async getAccessToken() {
-    return localStorage.getItem(b);
+    return localStorage.getItem(P);
   }
 }
-typeof window < "u" && (window.AuthSDK = U);
-const we = typeof window < "u" ? window : globalThis;
-we.AuthSDK = U;
+typeof window < "u" && (window.AuthSDK = z);
+const be = typeof window < "u" ? window : globalThis;
+be.AuthSDK = z;
 export {
-  U as AuthSDK,
-  fe as AuthSDKFetchError,
-  y as SDKValidationError,
-  O as arrayBufferToBase64,
-  h as arrayBufferToBase64url,
+  z as AuthSDK,
+  we as AuthSDKFetchError,
+  p as SDKValidationError,
+  N as arrayBufferToBase64,
+  y as arrayBufferToBase64url,
   C as base64ToArrayBuffer,
-  P as base64urlToArrayBuffer,
-  V as clearPasskeyEmail,
-  Q as clearPasskeyMobileNumber,
-  G as getPasskeyEmail,
-  X as getPasskeyMobileNumber,
-  M as isConditionalUISupported,
-  R as isWebAuthnSupported,
-  Y as setPasskeyEmail,
-  Z as setPasskeyMobileNumber,
+  b as base64urlToArrayBuffer,
+  X as clearPasskeyEmail,
+  ee as clearPasskeyMobileNumber,
+  Y as getPasskeyEmail,
+  Z as getPasskeyMobileNumber,
+  j as isConditionalUISupported,
+  O as isWebAuthnSupported,
+  V as setPasskeyEmail,
+  Q as setPasskeyMobileNumber,
   k as stringToArrayBuffer,
-  J as uint8ArrayToString
+  F as uint8ArrayToString
 };