say-auth 1.0.0

package/dist/index.js

@@ -0,0 +1,1496 @@
+'use strict';
+
+var axios = require('axios');
+var CryptoJS = require('crypto-js');
+var OTPAuth = require('otpauth');
+var QRCode = require('qrcode');
+var rfc4648 = require('rfc4648');
+var react = require('react');
+var navigation = require('next/navigation');
+var jsxRuntime = require('react/jsx-runtime');
+var lucideReact = require('lucide-react');
+
+function _interopDefault (e) { return e && e.__esModule ? e : { default: e }; }
+
+function _interopNamespace(e) {
+  if (e && e.__esModule) return e;
+  var n = Object.create(null);
+  if (e) {
+    Object.keys(e).forEach(function (k) {
+      if (k !== 'default') {
+        var d = Object.getOwnPropertyDescriptor(e, k);
+        Object.defineProperty(n, k, d.get ? d : {
+          enumerable: true,
+          get: function () { return e[k]; }
+        });
+      }
+    });
+  }
+  n.default = e;
+  return Object.freeze(n);
+}
+
+var axios__default = /*#__PURE__*/_interopDefault(axios);
+var CryptoJS__default = /*#__PURE__*/_interopDefault(CryptoJS);
+var OTPAuth__namespace = /*#__PURE__*/_interopNamespace(OTPAuth);
+var QRCode__default = /*#__PURE__*/_interopDefault(QRCode);
+
+// src/services/auth-service.ts
+
+// src/utils/constants.ts
+var AUTH_CONFIG = {
+  tokenRefreshThreshold: 5 * 60 * 1e3,
+  // 5 minutes
+  maxLoginAttempts: 5,
+  lockoutDuration: 15 * 60 * 1e3,
+  // 15 minutes
+  sessionTimeout: 30 * 60 * 1e3,
+  // 30 minutes
+  mfaCodeLength: 6,
+  backupCodesCount: 10,
+  trustDeviceDuration: 30 * 24 * 60 * 60 * 1e3
+  // 30 days
+};
+var STORAGE_KEYS = {
+  tokens: "auth_tokens_encrypted",
+  user: "auth_user_encrypted",
+  encryptionKey: "encryption_key",
+  deviceId: "device_id",
+  trustedDevices: "trusted_devices"
+};
+var API_ENDPOINTS = {
+  login: "/auth/login",
+  logout: "/auth/logout",
+  register: "/auth/register",
+  refresh: "/auth/refresh",
+  mfaSetup: "/auth/mfa/setup",
+  mfaVerify: "/auth/mfa/verify",
+  mfaDisable: "/auth/mfa/disable",
+  changePassword: "/auth/change-password",
+  audit: "/auth/audit"
+};
+
+// src/services/token-storage.ts
+var SecureTokenStorage = class _SecureTokenStorage {
+  // Backward compatible versions
+  constructor() {
+    this.memoryCache = /* @__PURE__ */ new Map();
+    this.TOKEN_VERSION = "2.0";
+    // Current version
+    this.SUPPORTED_VERSIONS = ["1.0", "2.0"];
+    this.encryptionKey = this.getOrCreateEncryptionKey();
+  }
+  static getInstance() {
+    if (!_SecureTokenStorage.instance) {
+      _SecureTokenStorage.instance = new _SecureTokenStorage();
+    }
+    return _SecureTokenStorage.instance;
+  }
+  getOrCreateEncryptionKey() {
+    if (typeof window === "undefined") return "";
+    let key = localStorage.getItem(STORAGE_KEYS.encryptionKey);
+    if (!key) {
+      key = this.generateEncryptionKey();
+      localStorage.setItem(STORAGE_KEYS.encryptionKey, key);
+    }
+    return key;
+  }
+  generateEncryptionKey() {
+    return CryptoJS__default.default.lib.WordArray.random(32).toString();
+  }
+  encrypt(data) {
+    return CryptoJS__default.default.AES.encrypt(JSON.stringify(data), this.encryptionKey).toString();
+  }
+  decrypt(encrypted) {
+    try {
+      const bytes = CryptoJS__default.default.AES.decrypt(encrypted, this.encryptionKey);
+      return JSON.parse(bytes.toString(CryptoJS__default.default.enc.Utf8));
+    } catch {
+      return null;
+    }
+  }
+  // NEW: Set tokens with versioning
+  setTokens(tokens) {
+    const dataWithVersion = {
+      version: this.TOKEN_VERSION,
+      data: tokens,
+      timestamp: Date.now()
+    };
+    const encrypted = this.encrypt(dataWithVersion);
+    if (typeof window !== "undefined") {
+      localStorage.setItem(STORAGE_KEYS.tokens, encrypted);
+    }
+    this.memoryCache.set("tokens", tokens);
+  }
+  // NEW: Get tokens with backward compatibility
+  getTokens() {
+    if (this.memoryCache.has("tokens")) {
+      return this.memoryCache.get("tokens");
+    }
+    if (typeof window !== "undefined") {
+      const encrypted = localStorage.getItem(STORAGE_KEYS.tokens);
+      if (encrypted) {
+        const decrypted = this.decrypt(encrypted);
+        if (decrypted) {
+          if (decrypted.version && this.SUPPORTED_VERSIONS.includes(decrypted.version)) {
+            const tokens = decrypted.data;
+            this.memoryCache.set("tokens", tokens);
+            if (decrypted.version !== this.TOKEN_VERSION) {
+              this.migrateTokenFormat(tokens);
+            }
+            return tokens;
+          } else if (decrypted.accessToken) {
+            const tokens = decrypted;
+            this.migrateTokenFormat(tokens);
+            this.memoryCache.set("tokens", tokens);
+            return tokens;
+          }
+        }
+      }
+    }
+    return null;
+  }
+  // NEW: Migrate legacy tokens to versioned format
+  migrateTokenFormat(tokens) {
+    try {
+      const dataWithVersion = {
+        version: this.TOKEN_VERSION,
+        data: tokens,
+        timestamp: Date.now()
+      };
+      const encrypted = this.encrypt(dataWithVersion);
+      localStorage.setItem(STORAGE_KEYS.tokens, encrypted);
+      console.log("Token format migrated to version", this.TOKEN_VERSION);
+    } catch (error) {
+      console.error("Token migration failed:", error);
+    }
+  }
+  // NEW: Check if token needs refresh based on timestamp
+  shouldRefreshToken() {
+    if (typeof window === "undefined") return false;
+    const encrypted = localStorage.getItem(STORAGE_KEYS.tokens);
+    if (!encrypted) return false;
+    const decrypted = this.decrypt(encrypted);
+    if (!decrypted) return false;
+    if (decrypted.timestamp) {
+      Date.now() - decrypted.timestamp;
+      const REFRESH_THRESHOLD = 5 * 60 * 1e3;
+      const tokens = decrypted.data || decrypted;
+      if (tokens.accessToken) {
+        try {
+          const payload = JSON.parse(atob(tokens.accessToken.split(".")[1]));
+          const expiresIn = payload.exp * 1e3 - Date.now();
+          return expiresIn < REFRESH_THRESHOLD;
+        } catch {
+          return false;
+        }
+      }
+    }
+    return false;
+  }
+  // NEW: Get token age (for debugging)
+  getTokenAge() {
+    if (typeof window === "undefined") return null;
+    const encrypted = localStorage.getItem(STORAGE_KEYS.tokens);
+    if (!encrypted) return null;
+    const decrypted = this.decrypt(encrypted);
+    if (decrypted?.timestamp) {
+      return Date.now() - decrypted.timestamp;
+    }
+    return null;
+  }
+  setUser(user) {
+    const dataWithVersion = {
+      version: this.TOKEN_VERSION,
+      data: user,
+      timestamp: Date.now()
+    };
+    const encrypted = this.encrypt(dataWithVersion);
+    if (typeof window !== "undefined") {
+      localStorage.setItem(STORAGE_KEYS.user, encrypted);
+    }
+    this.memoryCache.set("user", user);
+  }
+  getUser() {
+    if (this.memoryCache.has("user")) {
+      return this.memoryCache.get("user");
+    }
+    if (typeof window !== "undefined") {
+      const encrypted = localStorage.getItem(STORAGE_KEYS.user);
+      if (encrypted) {
+        const decrypted = this.decrypt(encrypted);
+        if (decrypted) {
+          if (decrypted.version && this.SUPPORTED_VERSIONS.includes(decrypted.version)) {
+            const user = decrypted.data;
+            this.memoryCache.set("user", user);
+            return user;
+          } else if (decrypted.id) {
+            this.memoryCache.set("user", decrypted);
+            return decrypted;
+          }
+        }
+      }
+    }
+    return null;
+  }
+  clear() {
+    this.memoryCache.clear();
+    if (typeof window !== "undefined") {
+      localStorage.removeItem(STORAGE_KEYS.tokens);
+      localStorage.removeItem(STORAGE_KEYS.user);
+    }
+  }
+  // NEW: Clear everything including encryption key (use with caution)
+  hardClear() {
+    this.memoryCache.clear();
+    if (typeof window !== "undefined") {
+      localStorage.removeItem(STORAGE_KEYS.tokens);
+      localStorage.removeItem(STORAGE_KEYS.user);
+      localStorage.removeItem(STORAGE_KEYS.encryptionKey);
+      localStorage.removeItem(STORAGE_KEYS.deviceId);
+      localStorage.removeItem(STORAGE_KEYS.trustedDevices);
+    }
+  }
+  // NEW: Get storage info (for debugging)
+  getStorageInfo() {
+    let tokenVersion = null;
+    if (typeof window !== "undefined") {
+      const encrypted = localStorage.getItem(STORAGE_KEYS.tokens);
+      if (encrypted) {
+        const decrypted = this.decrypt(encrypted);
+        if (decrypted?.version) {
+          tokenVersion = decrypted.version;
+        }
+      }
+    }
+    return {
+      hasTokens: !!this.getTokens(),
+      hasUser: !!this.getUser(),
+      tokenVersion
+    };
+  }
+};
+
+// src/services/token-manager.ts
+var TokenManager = class _TokenManager {
+  constructor() {
+    this.refreshPromise = null;
+  }
+  static getInstance() {
+    if (!_TokenManager.instance) {
+      _TokenManager.instance = new _TokenManager();
+    }
+    return _TokenManager.instance;
+  }
+  getAccessToken() {
+    const tokens = SecureTokenStorage.getInstance().getTokens();
+    return tokens?.accessToken || null;
+  }
+  isTokenExpired() {
+    const tokens = SecureTokenStorage.getInstance().getTokens();
+    if (!tokens) return true;
+    try {
+      const payload = JSON.parse(atob(tokens.accessToken.split(".")[1]));
+      return payload.exp * 1e3 < Date.now();
+    } catch {
+      return true;
+    }
+  }
+  async refreshToken(refreshFn) {
+    if (this.refreshPromise) {
+      return this.refreshPromise;
+    }
+    this.refreshPromise = this.performRefresh(refreshFn);
+    return this.refreshPromise;
+  }
+  async performRefresh(refreshFn) {
+    try {
+      const tokens = await refreshFn();
+      SecureTokenStorage.getInstance().setTokens(tokens);
+      return tokens.accessToken;
+    } finally {
+      this.refreshPromise = null;
+    }
+  }
+};
+
+// src/services/token-blacklist.ts
+var TokenBlacklist = class _TokenBlacklist {
+  constructor() {
+    this.blacklist = /* @__PURE__ */ new Map();
+    this.cleanupInterval = null;
+    this.startCleanup();
+  }
+  static getInstance() {
+    if (!_TokenBlacklist.instance) {
+      _TokenBlacklist.instance = new _TokenBlacklist();
+    }
+    return _TokenBlacklist.instance;
+  }
+  async addToBlacklist(token, userId, reason) {
+    try {
+      const payload = JSON.parse(atob(token.split(".")[1]));
+      const expiresAt = new Date(payload.exp * 1e3);
+      const entry = {
+        token,
+        userId,
+        expiresAt,
+        reason
+      };
+      this.blacklist.set(this.hashToken(token), entry);
+      await this.syncToBackend(entry);
+    } catch (error) {
+      console.error("Failed to blacklist token:", error);
+    }
+  }
+  async isBlacklisted(token) {
+    const hashedToken = this.hashToken(token);
+    const entry = this.blacklist.get(hashedToken);
+    if (!entry) return false;
+    if (entry.expiresAt < /* @__PURE__ */ new Date()) {
+      this.blacklist.delete(hashedToken);
+      return false;
+    }
+    return true;
+  }
+  async revokeAllUserTokens(userId) {
+    for (const [key, entry] of this.blacklist.entries()) {
+      if (entry.userId === userId) {
+        this.blacklist.delete(key);
+      }
+    }
+    await this.revokeAllOnBackend(userId);
+  }
+  hashToken(token) {
+    let hash = 0;
+    for (let i = 0; i < token.length; i++) {
+      const char = token.charCodeAt(i);
+      hash = (hash << 5) - hash + char;
+      hash = hash & hash;
+    }
+    return hash.toString();
+  }
+  async syncToBackend(entry) {
+    try {
+      await fetch(`${process.env.NEXT_PUBLIC_API_URL}/auth/blacklist`, {
+        method: "POST",
+        headers: { "Content-Type": "application/json" },
+        body: JSON.stringify(entry)
+      });
+    } catch (error) {
+      console.error("Failed to sync blacklist to backend");
+    }
+  }
+  async revokeAllOnBackend(userId) {
+    try {
+      await fetch(`${process.env.NEXT_PUBLIC_API_URL}/auth/revoke-all/${userId}`, {
+        method: "POST"
+      });
+    } catch (error) {
+      console.error("Failed to revoke tokens on backend");
+    }
+  }
+  startCleanup() {
+    this.cleanupInterval = setInterval(() => {
+      const now = /* @__PURE__ */ new Date();
+      for (const [key, entry] of this.blacklist.entries()) {
+        if (entry.expiresAt < now) {
+          this.blacklist.delete(key);
+        }
+      }
+    }, 60 * 60 * 1e3);
+  }
+  stopCleanup() {
+    if (this.cleanupInterval) {
+      clearInterval(this.cleanupInterval);
+      this.cleanupInterval = null;
+    }
+  }
+};
+var MFAService = class _MFAService {
+  static getInstance() {
+    if (!_MFAService.instance) {
+      _MFAService.instance = new _MFAService();
+    }
+    return _MFAService.instance;
+  }
+  async setupMFA(userId, email) {
+    const secret = new OTPAuth__namespace.Secret({ size: 20 });
+    const secretBase32 = secret.base32;
+    const totp = new OTPAuth__namespace.TOTP({
+      issuer: "YourApp",
+      label: email,
+      algorithm: "SHA1",
+      digits: 6,
+      period: 30,
+      secret
+    });
+    const otpUri = totp.toString();
+    const qrCode = await QRCode__default.default.toDataURL(otpUri);
+    const backupCodes = this.generateBackupCodes();
+    sessionStorage.setItem(`mfa_setup_${userId}`, secretBase32);
+    sessionStorage.setItem(`mfa_backup_${userId}`, JSON.stringify(backupCodes));
+    return { secret: secretBase32, qrCode, backupCodes };
+  }
+  async verifyAndEnableMFA(userId, code) {
+    const storedSecret = sessionStorage.getItem(`mfa_setup_${userId}`);
+    if (!storedSecret) return false;
+    try {
+      const secretBuffer = rfc4648.base32.parse(storedSecret);
+      const secret = new OTPAuth__namespace.Secret({ buffer: secretBuffer.buffer });
+      const totp = new OTPAuth__namespace.TOTP({
+        issuer: "YourApp",
+        label: userId,
+        algorithm: "SHA1",
+        digits: 6,
+        period: 30,
+        secret
+      });
+      const isValid = totp.validate({ token: code, window: 1 }) !== null;
+      if (isValid) {
+        const backupCodes = JSON.parse(sessionStorage.getItem(`mfa_backup_${userId}`) || "[]");
+        await this.saveMFAConfig(userId, storedSecret, backupCodes);
+        sessionStorage.removeItem(`mfa_setup_${userId}`);
+        sessionStorage.removeItem(`mfa_backup_${userId}`);
+      }
+      return isValid;
+    } catch (error) {
+      console.error("MFA verification failed:", error);
+      return false;
+    }
+  }
+  async verifyMFA(userId, code) {
+    const mfaSecret = await this.getUserMFASecret(userId);
+    if (!mfaSecret) return false;
+    try {
+      const secretBuffer = rfc4648.base32.parse(mfaSecret);
+      const secret = new OTPAuth__namespace.Secret({ buffer: secretBuffer.buffer });
+      const totp = new OTPAuth__namespace.TOTP({
+        issuer: "YourApp",
+        label: userId,
+        algorithm: "SHA1",
+        digits: 6,
+        period: 30,
+        secret
+      });
+      return totp.validate({ token: code, window: 1 }) !== null;
+    } catch (error) {
+      console.error("MFA verification failed:", error);
+      return false;
+    }
+  }
+  generateBackupCodes() {
+    const codes = [];
+    for (let i = 0; i < 10; i++) {
+      const code = Math.random().toString(36).substring(2, 10).toUpperCase();
+      codes.push(code);
+    }
+    return codes;
+  }
+  async saveMFAConfig(userId, secret, backupCodes) {
+    try {
+      await fetch(`${process.env.NEXT_PUBLIC_API_URL}/auth/mfa/enable`, {
+        method: "POST",
+        headers: { "Content-Type": "application/json" },
+        body: JSON.stringify({ userId, secret, backupCodes })
+      });
+    } catch (error) {
+      console.error("Failed to save MFA config:", error);
+      throw error;
+    }
+  }
+  async getUserMFASecret(userId) {
+    try {
+      const response = await fetch(`${process.env.NEXT_PUBLIC_API_URL}/auth/mfa/secret/${userId}`);
+      if (!response.ok) return null;
+      const data = await response.json();
+      return data.secret || null;
+    } catch (error) {
+      console.error("Failed to get user MFA secret:", error);
+      return null;
+    }
+  }
+};
+
+// src/services/rate-limiter.ts
+var RateLimiter = class _RateLimiter {
+  constructor() {
+    this.attempts = /* @__PURE__ */ new Map();
+    this.MAX_ATTEMPTS = 5;
+    this.WINDOW_MS = 15 * 60 * 1e3;
+    this.BLOCK_DURATION_MS = 30 * 60 * 1e3;
+  }
+  static getInstance() {
+    if (!_RateLimiter.instance) {
+      _RateLimiter.instance = new _RateLimiter();
+    }
+    return _RateLimiter.instance;
+  }
+  checkRateLimit(identifier) {
+    const now = Date.now();
+    const record = this.attempts.get(identifier);
+    if (record && record.blockedUntil > now) {
+      return {
+        allowed: false,
+        waitTime: Math.ceil((record.blockedUntil - now) / 1e3)
+      };
+    }
+    if (record && now - record.firstAttempt > this.WINDOW_MS) {
+      this.attempts.delete(identifier);
+      return { allowed: true };
+    }
+    if (!record) {
+      this.attempts.set(identifier, { count: 1, firstAttempt: now, blockedUntil: 0 });
+      return { allowed: true };
+    }
+    record.count++;
+    if (record.count >= this.MAX_ATTEMPTS) {
+      record.blockedUntil = now + this.BLOCK_DURATION_MS;
+      this.attempts.set(identifier, record);
+      return {
+        allowed: false,
+        waitTime: Math.ceil(this.BLOCK_DURATION_MS / 1e3)
+      };
+    }
+    this.attempts.set(identifier, record);
+    return { allowed: true };
+  }
+  reset(identifier) {
+    this.attempts.delete(identifier);
+  }
+};
+
+// src/services/audit-logger.ts
+var AuditAction = /* @__PURE__ */ ((AuditAction2) => {
+  AuditAction2["LOGIN_SUCCESS"] = "LOGIN_SUCCESS";
+  AuditAction2["LOGIN_FAILURE"] = "LOGIN_FAILURE";
+  AuditAction2["LOGOUT"] = "LOGOUT";
+  AuditAction2["REGISTER_SUCCESS"] = "REGISTER_SUCCESS";
+  AuditAction2["PASSWORD_CHANGE"] = "PASSWORD_CHANGE";
+  AuditAction2["TOKEN_REFRESH"] = "TOKEN_REFRESH";
+  AuditAction2["SESSION_TERMINATED"] = "SESSION_TERMINATED";
+  AuditAction2["MFA_ENABLED"] = "MFA_ENABLED";
+  AuditAction2["MFA_DISABLED"] = "MFA_DISABLED";
+  AuditAction2["MFA_VERIFIED"] = "MFA_VERIFIED";
+  return AuditAction2;
+})(AuditAction || {});
+var AuditLogger = class _AuditLogger {
+  constructor() {
+    this.logQueue = [];
+    this.isFlushing = false;
+  }
+  static getInstance() {
+    if (!_AuditLogger.instance) {
+      _AuditLogger.instance = new _AuditLogger();
+    }
+    return _AuditLogger.instance;
+  }
+  async log(entry) {
+    const fullEntry = {
+      ...entry,
+      timestamp: /* @__PURE__ */ new Date(),
+      ipAddress: await this.getClientIP(),
+      userAgent: navigator.userAgent
+    };
+    this.logQueue.push(fullEntry);
+    this.scheduleFlush();
+  }
+  scheduleFlush() {
+    if (this.isFlushing) return;
+    setTimeout(() => this.flush(), 5e3);
+  }
+  async flush() {
+    if (this.logQueue.length === 0) return;
+    this.isFlushing = true;
+    const entries = [...this.logQueue];
+    this.logQueue = [];
+    try {
+      await fetch(`${process.env.NEXT_PUBLIC_API_URL}/auth/audit`, {
+        method: "POST",
+        headers: { "Content-Type": "application/json" },
+        body: JSON.stringify({ entries }),
+        keepalive: true
+      });
+    } catch (error) {
+      this.logQueue.unshift(...entries);
+    } finally {
+      this.isFlushing = false;
+      if (this.logQueue.length > 0) {
+        this.scheduleFlush();
+      }
+    }
+  }
+  async getClientIP() {
+    try {
+      const response = await fetch("https://api.ipify.org?format=json");
+      const data = await response.json();
+      return data.ip;
+    } catch {
+      return "unknown";
+    }
+  }
+};
+
+// src/services/device-fingerprint.ts
+var DeviceFingerprint = class {
+  static async generate() {
+    const components = {
+      userAgent: navigator.userAgent,
+      language: navigator.language,
+      platform: navigator.platform,
+      screenResolution: `${screen.width}x${screen.height}`,
+      timezone: Intl.DateTimeFormat().resolvedOptions().timeZone,
+      hardwareConcurrency: navigator.hardwareConcurrency,
+      deviceMemory: navigator.deviceMemory,
+      colorDepth: screen.colorDepth
+    };
+    const fingerprint = await this.hashObject(components);
+    return fingerprint;
+  }
+  static async hashObject(obj) {
+    const str = JSON.stringify(obj);
+    const encoder = new TextEncoder();
+    const data = encoder.encode(str);
+    const hash = await crypto.subtle.digest("SHA-256", data);
+    return Array.from(new Uint8Array(hash)).map((b) => b.toString(16).padStart(2, "0")).join("");
+  }
+};
+
+// src/services/session-manager.ts
+var SessionManager = class _SessionManager {
+  constructor() {
+    this.activeSessions = /* @__PURE__ */ new Map();
+  }
+  static getInstance() {
+    if (!_SessionManager.instance) {
+      _SessionManager.instance = new _SessionManager();
+    }
+    return _SessionManager.instance;
+  }
+  async registerSession(userId) {
+    const deviceId = await DeviceFingerprint.generate();
+    this.activeSessions.set(userId, { deviceId, lastActive: /* @__PURE__ */ new Date() });
+    return deviceId;
+  }
+  async validateSession(userId, deviceId) {
+    const session = this.activeSessions.get(userId);
+    if (!session) return false;
+    session.lastActive = /* @__PURE__ */ new Date();
+    this.activeSessions.set(userId, session);
+    return session.deviceId === deviceId;
+  }
+  async terminateSession(userId) {
+    this.activeSessions.delete(userId);
+  }
+  async terminateAllOtherSessions(userId, currentDeviceId) {
+    const session = this.activeSessions.get(userId);
+    if (session && session.deviceId !== currentDeviceId) {
+      this.activeSessions.delete(userId);
+    }
+  }
+  getActiveSessionsCount(userId) {
+    let count = 0;
+    for (const [key] of this.activeSessions.entries()) {
+      if (key === userId) count++;
+    }
+    return count;
+  }
+};
+
+// src/services/auth-service.ts
+var AuthService = class _AuthService {
+  constructor(apiUrl) {
+    this.state = {
+      user: null,
+      tokens: null,
+      isAuthenticated: false,
+      isLoading: true,
+      error: null
+    };
+    this.listeners = [];
+    this.baseURL = apiUrl || process.env.NEXT_PUBLIC_API_URL || "http://localhost:3001/api";
+    this.axiosInstance = axios__default.default.create({
+      baseURL: this.baseURL,
+      withCredentials: true,
+      timeout: 3e4
+    });
+    this.loadInitialState();
+  }
+  static getInstance(apiUrl) {
+    if (!_AuthService.instance) {
+      _AuthService.instance = new _AuthService(apiUrl);
+    }
+    return _AuthService.instance;
+  }
+  // ============ NEW: Retry Logic & Health Check ============
+  async makeRequest(method, url, data, retries = 3) {
+    let lastError = null;
+    for (let i = 0; i < retries; i++) {
+      try {
+        const response = await this.axiosInstance.request({
+          method,
+          url,
+          data,
+          // Exponential backoff
+          timeout: 3e4 * (i + 1)
+        });
+        return response.data;
+      } catch (error) {
+        lastError = error;
+        if (error.response?.status >= 400 && error.response?.status < 500) {
+          throw error;
+        }
+        if (i === retries - 1) {
+          throw error;
+        }
+        const delay = 1e3 * Math.pow(2, i);
+        console.warn(`Request failed, retrying in ${delay}ms... (Attempt ${i + 2}/${retries})`);
+        await new Promise((resolve) => setTimeout(resolve, delay));
+      }
+    }
+    throw lastError || new Error("Request failed after multiple retries");
+  }
+  async healthCheck() {
+    try {
+      const response = await this.axiosInstance.get("/health", { timeout: 5e3 });
+      return response.status === 200;
+    } catch (error) {
+      console.error("Health check failed:", error);
+      return false;
+    }
+  }
+  async healthCheckWithRetry(retries = 2) {
+    for (let i = 0; i < retries; i++) {
+      const isHealthy = await this.healthCheck();
+      if (isHealthy) return true;
+      if (i < retries - 1) {
+        await new Promise((resolve) => setTimeout(resolve, 1e3 * (i + 1)));
+      }
+    }
+    return false;
+  }
+  // ============ END NEW METHODS ============
+  async loadInitialState() {
+    const tokens = SecureTokenStorage.getInstance().getTokens();
+    const user = SecureTokenStorage.getInstance().getUser();
+    this.state = {
+      user,
+      tokens,
+      isAuthenticated: !!tokens && !TokenManager.getInstance().isTokenExpired(),
+      isLoading: false,
+      error: null
+    };
+    this.notifyListeners();
+  }
+  notifyListeners() {
+    this.listeners.forEach((listener) => listener({ ...this.state }));
+  }
+  subscribe(listener) {
+    this.listeners.push(listener);
+    listener({ ...this.state });
+    return () => {
+      this.listeners = this.listeners.filter((l) => l !== listener);
+    };
+  }
+  updateState(updates) {
+    this.state = { ...this.state, ...updates };
+    this.notifyListeners();
+  }
+  async login(credentials) {
+    this.updateState({ isLoading: true, error: null });
+    const rateLimit = RateLimiter.getInstance().checkRateLimit(credentials.email);
+    if (!rateLimit.allowed) {
+      await AuditLogger.getInstance().log({
+        action: "LOGIN_FAILURE" /* LOGIN_FAILURE */,
+        email: credentials.email,
+        details: { reason: "Rate limit exceeded" },
+        success: false
+      });
+      this.updateState({ isLoading: false, error: `Too many attempts. Try again later.` });
+      throw new Error(`Too many attempts. Try again later.`);
+    }
+    try {
+      const response = await this.makeRequest("POST", API_ENDPOINTS.login, credentials);
+      const { user, requiresMFA, accessToken, refreshToken, expiresIn } = response;
+      if (requiresMFA) {
+        sessionStorage.setItem("temp_auth_email", credentials.email);
+        sessionStorage.setItem("temp_auth_user_id", user.id);
+        this.updateState({ isLoading: false });
+        return { requiresMFA: true };
+      }
+      const deviceId = await SessionManager.getInstance().registerSession(user.id);
+      const tokens = { accessToken, refreshToken, expiresIn };
+      SecureTokenStorage.getInstance().setTokens(tokens);
+      SecureTokenStorage.getInstance().setUser(user);
+      await AuditLogger.getInstance().log({
+        action: "LOGIN_SUCCESS" /* LOGIN_SUCCESS */,
+        userId: user.id,
+        email: user.email,
+        details: { deviceId },
+        success: true
+      });
+      RateLimiter.getInstance().reset(credentials.email);
+      this.updateState({
+        user,
+        tokens,
+        isAuthenticated: true,
+        isLoading: false,
+        error: null
+      });
+      return { requiresMFA: false, user };
+    } catch (error) {
+      await AuditLogger.getInstance().log({
+        action: "LOGIN_FAILURE" /* LOGIN_FAILURE */,
+        email: credentials.email,
+        success: false,
+        errorMessage: error.message
+      });
+      this.updateState({
+        isLoading: false,
+        error: error.response?.data?.message || error.message || "Login failed"
+      });
+      throw error;
+    }
+  }
+  async verifyMFA(code, trustDevice = false) {
+    const email = sessionStorage.getItem("temp_auth_email");
+    const userId = sessionStorage.getItem("temp_auth_user_id");
+    if (!email || !userId) {
+      throw new Error("No pending MFA verification");
+    }
+    const isValid = await MFAService.getInstance().verifyMFA(userId, code);
+    if (!isValid) {
+      throw new Error("Invalid MFA code");
+    }
+    const response = await this.makeRequest("POST", API_ENDPOINTS.mfaVerify, {
+      email,
+      userId,
+      trustDevice
+    });
+    const { user, accessToken, refreshToken, expiresIn } = response;
+    const tokens = { accessToken, refreshToken, expiresIn };
+    SecureTokenStorage.getInstance().setTokens(tokens);
+    SecureTokenStorage.getInstance().setUser(user);
+    sessionStorage.removeItem("temp_auth_email");
+    sessionStorage.removeItem("temp_auth_user_id");
+    this.updateState({
+      user,
+      tokens,
+      isAuthenticated: true,
+      isLoading: false,
+      error: null
+    });
+    return user;
+  }
+  async register(data) {
+    this.updateState({ isLoading: true, error: null });
+    try {
+      const response = await this.makeRequest("POST", API_ENDPOINTS.register, data);
+      const { user, accessToken, refreshToken, expiresIn } = response;
+      const tokens = { accessToken, refreshToken, expiresIn };
+      SecureTokenStorage.getInstance().setTokens(tokens);
+      SecureTokenStorage.getInstance().setUser(user);
+      await AuditLogger.getInstance().log({
+        action: "REGISTER_SUCCESS" /* REGISTER_SUCCESS */,
+        userId: user.id,
+        email: user.email,
+        success: true
+      });
+      this.updateState({
+        user,
+        tokens,
+        isAuthenticated: true,
+        isLoading: false,
+        error: null
+      });
+      return user;
+    } catch (error) {
+      this.updateState({
+        isLoading: false,
+        error: error.response?.data?.message || error.message || "Registration failed"
+      });
+      throw error;
+    }
+  }
+  async logout(reason = "logout") {
+    const user = SecureTokenStorage.getInstance().getUser();
+    const tokens = SecureTokenStorage.getInstance().getTokens();
+    if (tokens?.accessToken) {
+      await TokenBlacklist.getInstance().addToBlacklist(
+        tokens.accessToken,
+        user?.id || "",
+        reason
+      );
+    }
+    try {
+      await this.axiosInstance.post(API_ENDPOINTS.logout);
+    } catch (error) {
+      console.warn("Logout API call failed, but clearing local state");
+    }
+    SecureTokenStorage.getInstance().clear();
+    this.updateState({
+      user: null,
+      tokens: null,
+      isAuthenticated: false,
+      isLoading: false,
+      error: null
+    });
+    if (typeof window !== "undefined") {
+      window.location.href = "/login";
+    }
+  }
+  async refreshSession() {
+    try {
+      const tokens = SecureTokenStorage.getInstance().getTokens();
+      if (!tokens?.refreshToken) throw new Error("No refresh token");
+      const response = await this.makeRequest("POST", API_ENDPOINTS.refresh, {
+        refreshToken: tokens.refreshToken
+      });
+      const { accessToken, refreshToken, expiresIn } = response;
+      SecureTokenStorage.getInstance().setTokens({ accessToken, refreshToken, expiresIn });
+      this.updateState({
+        tokens: { accessToken, refreshToken, expiresIn },
+        isAuthenticated: true
+      });
+    } catch (error) {
+      console.error("Session refresh failed:", error);
+      this.logout("security");
+    }
+  }
+  async logoutAllDevices() {
+    const user = SecureTokenStorage.getInstance().getUser();
+    if (!user) return;
+    try {
+      await TokenBlacklist.getInstance().revokeAllUserTokens(user.id);
+      await this.axiosInstance.post("/auth/logout-all");
+    } catch (error) {
+      console.warn("Logout all devices API call failed");
+    }
+    this.logout("revoke");
+  }
+  async changePassword(currentPassword, newPassword) {
+    const user = SecureTokenStorage.getInstance().getUser();
+    try {
+      await this.makeRequest("POST", API_ENDPOINTS.changePassword, {
+        currentPassword,
+        newPassword
+      });
+      await AuditLogger.getInstance().log({
+        action: "PASSWORD_CHANGE" /* PASSWORD_CHANGE */,
+        userId: user?.id,
+        email: user?.email,
+        success: true
+      });
+    } catch (error) {
+      await AuditLogger.getInstance().log({
+        action: "PASSWORD_CHANGE" /* PASSWORD_CHANGE */,
+        userId: user?.id,
+        email: user?.email,
+        success: false,
+        errorMessage: error.message
+      });
+      throw error;
+    }
+  }
+  hasRole(role) {
+    if (!this.state.user) return false;
+    const roles = Array.isArray(role) ? role : [role];
+    return roles.includes(this.state.user.role || "");
+  }
+  getAxiosInstance() {
+    return this.axiosInstance;
+  }
+  getUser() {
+    return this.state.user;
+  }
+  getState() {
+    return { ...this.state };
+  }
+};
+function useAuth(apiUrl) {
+  const [state, setState] = react.useState(AuthService.getInstance(apiUrl).getState());
+  react.useEffect(() => {
+    const unsubscribe = AuthService.getInstance(apiUrl).subscribe(setState);
+    return unsubscribe;
+  }, [apiUrl]);
+  const login = async (credentials) => {
+    return AuthService.getInstance(apiUrl).login(credentials);
+  };
+  const verifyMFA = async (code, trustDevice = false) => {
+    return AuthService.getInstance(apiUrl).verifyMFA(code, trustDevice);
+  };
+  const register = async (data) => {
+    return AuthService.getInstance(apiUrl).register(data);
+  };
+  const logout = async () => {
+    return AuthService.getInstance(apiUrl).logout();
+  };
+  const refreshSession = async () => {
+    return AuthService.getInstance(apiUrl).refreshSession();
+  };
+  const hasRole = (role) => {
+    return AuthService.getInstance(apiUrl).hasRole(role);
+  };
+  return {
+    ...state,
+    login,
+    verifyMFA,
+    register,
+    logout,
+    refreshSession,
+    hasRole
+  };
+}
+function useProtectedRoute(redirectTo = "/login", requiredRole) {
+  const { isAuthenticated, isLoading, hasRole } = useAuth();
+  const router = navigation.useRouter();
+  react.useEffect(() => {
+    if (!isLoading && !isAuthenticated) {
+      router.push(redirectTo);
+    }
+    if (!isLoading && isAuthenticated && requiredRole && !hasRole(requiredRole)) {
+      router.push("/unauthorized");
+    }
+  }, [isAuthenticated, isLoading, router, redirectTo, requiredRole, hasRole]);
+  return { isAuthenticated, isLoading };
+}
+var AuthContext = react.createContext(null);
+function AuthProvider({ children, apiUrl }) {
+  const [state, setState] = react.useState({
+    user: null,
+    tokens: null,
+    isAuthenticated: false,
+    isLoading: true,
+    error: null
+  });
+  react.useEffect(() => {
+    const authService2 = AuthService.getInstance(apiUrl);
+    const unsubscribe = authService2.subscribe(setState);
+    return unsubscribe;
+  }, [apiUrl]);
+  const authService = AuthService.getInstance(apiUrl);
+  const value = {
+    ...state,
+    login: (credentials) => authService.login(credentials),
+    register: (data) => authService.register(data),
+    logout: () => authService.logout(),
+    refreshSession: () => authService.refreshSession(),
+    verifyMFA: (code, trustDevice) => authService.verifyMFA(code, trustDevice),
+    hasRole: (role) => authService.hasRole(role),
+    getAxiosInstance: () => authService.getAxiosInstance(),
+    getUser: () => authService.getUser()
+  };
+  return /* @__PURE__ */ jsxRuntime.jsx(AuthContext.Provider, { value, children });
+}
+function ProtectedRoute({ children, requiredRole, fallback }) {
+  const { isAuthenticated, isLoading } = useProtectedRoute("/login", requiredRole);
+  if (isLoading) {
+    return /* @__PURE__ */ jsxRuntime.jsx("div", { className: "flex items-center justify-center min-h-screen", children: /* @__PURE__ */ jsxRuntime.jsx("div", { className: "animate-spin rounded-full h-8 w-8 border-b-2 border-blue-600" }) });
+  }
+  if (!isAuthenticated) {
+    return null;
+  }
+  return /* @__PURE__ */ jsxRuntime.jsx(jsxRuntime.Fragment, { children });
+}
+function MFASetup({ userId, email, onComplete, onCancel }) {
+  const [step, setStep] = react.useState("setup");
+  const [qrCode, setQrCode] = react.useState("");
+  const [backupCodes, setBackupCodes] = react.useState([]);
+  const [verificationCode, setVerificationCode] = react.useState("");
+  const [error, setError] = react.useState("");
+  const [copied, setCopied] = react.useState(false);
+  const [isLoading, setIsLoading] = react.useState(false);
+  const handleSetup = async () => {
+    setIsLoading(true);
+    try {
+      const result = await MFAService.getInstance().setupMFA(userId, email);
+      setQrCode(result.qrCode);
+      setBackupCodes(result.backupCodes);
+      setStep("verify");
+    } catch (err) {
+      setError("Failed to setup MFA");
+    } finally {
+      setIsLoading(false);
+    }
+  };
+  const handleVerify = async () => {
+    if (!verificationCode) {
+      setError("Please enter verification code");
+      return;
+    }
+    setIsLoading(true);
+    try {
+      const isValid = await MFAService.getInstance().verifyAndEnableMFA(userId, verificationCode);
+      if (isValid) {
+        onComplete();
+      } else {
+        setError("Invalid verification code");
+      }
+    } catch (err) {
+      setError("Verification failed");
+    } finally {
+      setIsLoading(false);
+    }
+  };
+  const copyBackupCodes = () => {
+    navigator.clipboard.writeText(backupCodes.join("\n"));
+    setCopied(true);
+    setTimeout(() => setCopied(false), 2e3);
+  };
+  if (step === "setup") {
+    return /* @__PURE__ */ jsxRuntime.jsxs("div", { className: "max-w-md mx-auto p-6 bg-white dark:bg-gray-900 rounded-lg border shadow-xl", children: [
+      /* @__PURE__ */ jsxRuntime.jsxs("div", { className: "text-center mb-6", children: [
+        /* @__PURE__ */ jsxRuntime.jsx("div", { className: "inline-flex p-3 rounded-full bg-blue-100 dark:bg-blue-900/30 mb-4", children: /* @__PURE__ */ jsxRuntime.jsx(lucideReact.Shield, { className: "h-6 w-6 text-blue-600" }) }),
+        /* @__PURE__ */ jsxRuntime.jsx("h2", { className: "text-xl font-semibold", children: "Set Up Two-Factor Authentication" }),
+        /* @__PURE__ */ jsxRuntime.jsx("p", { className: "text-sm text-gray-500 mt-2", children: "Enhance your account security with 2FA" })
+      ] }),
+      /* @__PURE__ */ jsxRuntime.jsxs("div", { className: "space-y-4", children: [
+        /* @__PURE__ */ jsxRuntime.jsx("div", { className: "p-4 bg-blue-50 dark:bg-blue-950 rounded-lg", children: /* @__PURE__ */ jsxRuntime.jsx("p", { className: "text-sm text-blue-700 dark:text-blue-300", children: "Two-factor authentication adds an extra layer of security to your account. You'll need to enter a verification code from your authenticator app when signing in." }) }),
+        /* @__PURE__ */ jsxRuntime.jsx(
+          "button",
+          {
+            onClick: handleSetup,
+            disabled: isLoading,
+            className: "w-full py-2 bg-blue-600 text-white rounded-lg font-medium hover:bg-blue-700 transition-colors disabled:opacity-50",
+            children: isLoading ? "Setting up..." : "Get Started"
+          }
+        ),
+        /* @__PURE__ */ jsxRuntime.jsx(
+          "button",
+          {
+            onClick: onCancel,
+            className: "w-full py-2 border rounded-lg hover:bg-gray-50 dark:hover:bg-gray-800 transition-colors",
+            children: "Cancel"
+          }
+        )
+      ] })
+    ] });
+  }
+  return /* @__PURE__ */ jsxRuntime.jsxs("div", { className: "max-w-md mx-auto p-6 bg-white dark:bg-gray-900 rounded-lg border shadow-xl", children: [
+    /* @__PURE__ */ jsxRuntime.jsxs("div", { className: "text-center mb-6", children: [
+      /* @__PURE__ */ jsxRuntime.jsx("h2", { className: "text-xl font-semibold", children: "Scan QR Code" }),
+      /* @__PURE__ */ jsxRuntime.jsx("p", { className: "text-sm text-gray-500 mt-2", children: "Scan this QR code with your authenticator app" })
+    ] }),
+    qrCode && /* @__PURE__ */ jsxRuntime.jsx("div", { className: "flex justify-center mb-6", children: /* @__PURE__ */ jsxRuntime.jsx("img", { src: qrCode, alt: "QR Code", className: "w-48 h-48" }) }),
+    /* @__PURE__ */ jsxRuntime.jsxs("div", { className: "space-y-4", children: [
+      /* @__PURE__ */ jsxRuntime.jsxs("div", { children: [
+        /* @__PURE__ */ jsxRuntime.jsx("label", { className: "block text-sm font-medium mb-2", children: "Backup Codes" }),
+        /* @__PURE__ */ jsxRuntime.jsxs("div", { className: "bg-gray-50 dark:bg-gray-800 rounded-lg p-3", children: [
+          /* @__PURE__ */ jsxRuntime.jsx("div", { className: "grid grid-cols-2 gap-1 font-mono text-xs", children: backupCodes.map((code, idx) => /* @__PURE__ */ jsxRuntime.jsx("div", { children: code }, idx)) }),
+          /* @__PURE__ */ jsxRuntime.jsxs("div", { className: "flex gap-2 mt-3", children: [
+            /* @__PURE__ */ jsxRuntime.jsxs(
+              "button",
+              {
+                onClick: copyBackupCodes,
+                className: "flex-1 py-1.5 text-sm border rounded hover:bg-gray-100 dark:hover:bg-gray-700 transition-colors flex items-center justify-center gap-1",
+                children: [
+                  copied ? /* @__PURE__ */ jsxRuntime.jsx(lucideReact.Check, { className: "h-3 w-3" }) : /* @__PURE__ */ jsxRuntime.jsx(lucideReact.Copy, { className: "h-3 w-3" }),
+                  copied ? "Copied!" : "Copy Codes"
+                ]
+              }
+            ),
+            /* @__PURE__ */ jsxRuntime.jsxs(
+              "button",
+              {
+                onClick: () => {
+                  const blob = new Blob([backupCodes.join("\n")], { type: "text/plain" });
+                  const url = URL.createObjectURL(blob);
+                  const a = document.createElement("a");
+                  a.href = url;
+                  a.download = "backup-codes.txt";
+                  a.click();
+                  URL.revokeObjectURL(url);
+                },
+                className: "flex-1 py-1.5 text-sm border rounded hover:bg-gray-100 dark:hover:bg-gray-700 transition-colors flex items-center justify-center gap-1",
+                children: [
+                  /* @__PURE__ */ jsxRuntime.jsx(lucideReact.Download, { className: "h-3 w-3" }),
+                  "Download"
+                ]
+              }
+            )
+          ] })
+        ] }),
+        /* @__PURE__ */ jsxRuntime.jsx("p", { className: "text-xs text-gray-500 mt-2", children: "Save these backup codes in a secure place. You can use them to access your account if you lose your device." })
+      ] }),
+      /* @__PURE__ */ jsxRuntime.jsxs("div", { children: [
+        /* @__PURE__ */ jsxRuntime.jsx("label", { className: "block text-sm font-medium mb-2", children: "Verification Code" }),
+        /* @__PURE__ */ jsxRuntime.jsx(
+          "input",
+          {
+            type: "text",
+            value: verificationCode,
+            onChange: (e) => setVerificationCode(e.target.value),
+            placeholder: "Enter 6-digit code",
+            className: "w-full px-3 py-2 border rounded-lg focus:ring-2 focus:ring-blue-500 focus:border-transparent",
+            maxLength: 6
+          }
+        )
+      ] }),
+      error && /* @__PURE__ */ jsxRuntime.jsx("div", { className: "p-3 bg-red-50 dark:bg-red-950/50 border border-red-200 rounded-lg text-sm text-red-600", children: error }),
+      /* @__PURE__ */ jsxRuntime.jsx(
+        "button",
+        {
+          onClick: handleVerify,
+          disabled: isLoading,
+          className: "w-full py-2 bg-blue-600 text-white rounded-lg font-medium hover:bg-blue-700 transition-colors disabled:opacity-50",
+          children: isLoading ? "Verifying..." : "Verify and Enable"
+        }
+      )
+    ] })
+  ] });
+}
+function MFAVerification({ onSubmit, onBack }) {
+  const [code, setCode] = react.useState("");
+  const [trustDevice, setTrustDevice] = react.useState(false);
+  const [error, setError] = react.useState("");
+  const [isLoading, setIsLoading] = react.useState(false);
+  const handleSubmit = async (e) => {
+    e.preventDefault();
+    if (code.length !== 6) {
+      setError("Please enter a valid 6-digit code");
+      return;
+    }
+    setIsLoading(true);
+    try {
+      await onSubmit(code, trustDevice);
+    } catch (err) {
+      setError(err.message || "Invalid verification code");
+    } finally {
+      setIsLoading(false);
+    }
+  };
+  return /* @__PURE__ */ jsxRuntime.jsxs("div", { className: "max-w-md mx-auto p-6 bg-white dark:bg-gray-900 rounded-lg border shadow-xl", children: [
+    /* @__PURE__ */ jsxRuntime.jsxs("div", { className: "text-center mb-6", children: [
+      /* @__PURE__ */ jsxRuntime.jsx("div", { className: "inline-flex p-3 rounded-full bg-blue-100 dark:bg-blue-900/30 mb-4", children: /* @__PURE__ */ jsxRuntime.jsx(lucideReact.Shield, { className: "h-6 w-6 text-blue-600" }) }),
+      /* @__PURE__ */ jsxRuntime.jsx("h2", { className: "text-xl font-semibold", children: "Two-Factor Authentication" }),
+      /* @__PURE__ */ jsxRuntime.jsx("p", { className: "text-sm text-gray-500 mt-2", children: "Enter the verification code from your authenticator app" })
+    ] }),
+    /* @__PURE__ */ jsxRuntime.jsxs("form", { onSubmit: handleSubmit, className: "space-y-4", children: [
+      /* @__PURE__ */ jsxRuntime.jsxs("div", { children: [
+        /* @__PURE__ */ jsxRuntime.jsx("label", { className: "block text-sm font-medium mb-2", children: "Verification Code" }),
+        /* @__PURE__ */ jsxRuntime.jsx(
+          "input",
+          {
+            type: "text",
+            value: code,
+            onChange: (e) => setCode(e.target.value.replace(/\D/g, "").slice(0, 6)),
+            placeholder: "000000",
+            className: "w-full text-center text-2xl tracking-widest font-mono px-3 py-3 border rounded-lg focus:ring-2 focus:ring-blue-500 focus:border-transparent",
+            maxLength: 6,
+            autoFocus: true
+          }
+        )
+      ] }),
+      /* @__PURE__ */ jsxRuntime.jsxs("label", { className: "flex items-center gap-2 cursor-pointer", children: [
+        /* @__PURE__ */ jsxRuntime.jsx(
+          "input",
+          {
+            type: "checkbox",
+            checked: trustDevice,
+            onChange: (e) => setTrustDevice(e.target.checked),
+            className: "rounded border-gray-300 text-blue-600 focus:ring-blue-500"
+          }
+        ),
+        /* @__PURE__ */ jsxRuntime.jsx("span", { className: "text-sm text-gray-600 dark:text-gray-400", children: "Trust this device for 30 days" })
+      ] }),
+      error && /* @__PURE__ */ jsxRuntime.jsxs("div", { className: "p-3 bg-red-50 dark:bg-red-950/50 border border-red-200 rounded-lg flex items-start gap-2", children: [
+        /* @__PURE__ */ jsxRuntime.jsx(lucideReact.AlertCircle, { className: "h-4 w-4 text-red-600 mt-0.5" }),
+        /* @__PURE__ */ jsxRuntime.jsx("p", { className: "text-sm text-red-600", children: error })
+      ] }),
+      /* @__PURE__ */ jsxRuntime.jsx(
+        "button",
+        {
+          type: "submit",
+          disabled: isLoading,
+          className: "w-full py-2 bg-blue-600 text-white rounded-lg font-medium hover:bg-blue-700 transition-colors disabled:opacity-50",
+          children: isLoading ? "Verifying..." : "Verify & Continue"
+        }
+      ),
+      onBack && /* @__PURE__ */ jsxRuntime.jsx(
+        "button",
+        {
+          type: "button",
+          onClick: onBack,
+          className: "w-full py-2 border rounded-lg hover:bg-gray-50 dark:hover:bg-gray-800 transition-colors",
+          children: "Back to Login"
+        }
+      )
+    ] })
+  ] });
+}
+function SessionWarning({ warningMinutes = 2 }) {
+  const { refreshSession } = useAuth();
+  const [showWarning, setShowWarning] = react.useState(false);
+  const [timeLeft, setTimeLeft] = react.useState(0);
+  react.useEffect(() => {
+    const checkSession = () => {
+      const tokens = localStorage.getItem("auth_tokens_encrypted");
+      if (!tokens) return;
+      try {
+        const payload = JSON.parse(atob(tokens.split(".")[1]));
+        const expiresIn = payload.exp * 1e3 - Date.now();
+        const minutesLeft = Math.floor(expiresIn / 1e3 / 60);
+        if (minutesLeft <= warningMinutes && minutesLeft > 0) {
+          setShowWarning(true);
+          setTimeLeft(minutesLeft);
+        } else if (minutesLeft <= 0) {
+          setShowWarning(false);
+        } else {
+          setShowWarning(false);
+        }
+      } catch {
+      }
+    };
+    checkSession();
+    const interval = setInterval(checkSession, 6e4);
+    return () => clearInterval(interval);
+  }, [warningMinutes]);
+  const handleRefresh = async () => {
+    await refreshSession();
+    setShowWarning(false);
+  };
+  if (!showWarning) return null;
+  return /* @__PURE__ */ jsxRuntime.jsx("div", { className: "fixed bottom-4 right-4 z-50 animate-in slide-in-from-right-5", children: /* @__PURE__ */ jsxRuntime.jsx("div", { className: "bg-yellow-50 dark:bg-yellow-950 border border-yellow-200 dark:border-yellow-800 rounded-lg shadow-lg p-4 max-w-sm", children: /* @__PURE__ */ jsxRuntime.jsx("div", { className: "flex items-start gap-3", children: /* @__PURE__ */ jsxRuntime.jsxs("div", { className: "flex-1", children: [
+    /* @__PURE__ */ jsxRuntime.jsx("h3", { className: "font-semibold text-yellow-800 dark:text-yellow-200", children: "Session Expiring Soon" }),
+    /* @__PURE__ */ jsxRuntime.jsxs("p", { className: "text-sm text-yellow-700 dark:text-yellow-300 mt-1", children: [
+      "Your session will expire in ",
+      timeLeft,
+      " minute",
+      timeLeft !== 1 ? "s" : "",
+      '. Click "Stay Logged In" to extend your session.'
+    ] }),
+    /* @__PURE__ */ jsxRuntime.jsxs("div", { className: "flex gap-2 mt-3", children: [
+      /* @__PURE__ */ jsxRuntime.jsx(
+        "button",
+        {
+          onClick: handleRefresh,
+          className: "px-3 py-1 text-sm bg-yellow-600 text-white rounded hover:bg-yellow-700 transition-colors",
+          children: "Stay Logged In"
+        }
+      ),
+      /* @__PURE__ */ jsxRuntime.jsx(
+        "button",
+        {
+          onClick: () => setShowWarning(false),
+          className: "px-3 py-1 text-sm border border-yellow-300 rounded hover:bg-yellow-100 dark:hover:bg-yellow-900 transition-colors",
+          children: "Dismiss"
+        }
+      )
+    ] })
+  ] }) }) }) });
+}
+function setupAuthInterceptors(axiosInstance, baseURL) {
+  axiosInstance.interceptors.request.use(
+    async (config) => {
+      const token = TokenManager.getInstance().getAccessToken();
+      if (token) {
+        const isBlacklisted = await TokenBlacklist.getInstance().isBlacklisted(token);
+        if (isBlacklisted) {
+          SecureTokenStorage.getInstance().clear();
+          window.location.href = "/login";
+          return Promise.reject(new Error("Token revoked"));
+        }
+        if (!TokenManager.getInstance().isTokenExpired()) {
+          config.headers.Authorization = `Bearer ${token}`;
+        }
+      }
+      return config;
+    },
+    (error) => Promise.reject(error)
+  );
+  let isRefreshing = false;
+  let failedQueue = [];
+  const processQueue = (error, token = null) => {
+    failedQueue.forEach((prom) => {
+      if (error) {
+        prom.reject(error);
+      } else {
+        if (prom.config.headers) {
+          prom.config.headers.Authorization = `Bearer ${token}`;
+        }
+        axiosInstance(prom.config).then(prom.resolve).catch(prom.reject);
+      }
+    });
+    failedQueue = [];
+  };
+  axiosInstance.interceptors.response.use(
+    (response) => response,
+    async (error) => {
+      const originalRequest = error.config;
+      if (error.response?.status === 401 && !originalRequest._retry) {
+        if (isRefreshing) {
+          return new Promise((resolve, reject) => {
+            failedQueue.push({ resolve, reject, config: originalRequest });
+          });
+        }
+        originalRequest._retry = true;
+        isRefreshing = true;
+        try {
+          const refreshToken = SecureTokenStorage.getInstance().getTokens()?.refreshToken;
+          if (!refreshToken) throw new Error("No refresh token");
+          const response = await axios__default.default.post(`${baseURL}${API_ENDPOINTS.refresh}`, { refreshToken });
+          const { accessToken, refreshToken: newRefreshToken } = response.data;
+          SecureTokenStorage.getInstance().setTokens({
+            accessToken,
+            refreshToken: newRefreshToken,
+            expiresIn: 900
+          });
+          processQueue(null, accessToken);
+          if (originalRequest.headers) {
+            originalRequest.headers.Authorization = `Bearer ${accessToken}`;
+          }
+          return axiosInstance(originalRequest);
+        } catch (refreshError) {
+          processQueue(refreshError);
+          SecureTokenStorage.getInstance().clear();
+          window.location.href = "/login";
+          return Promise.reject(refreshError);
+        } finally {
+          isRefreshing = false;
+        }
+      }
+      return Promise.reject(error);
+    }
+  );
+}
+
+// src/utils/helpers.ts
+function cn(...classes) {
+  return classes.filter(Boolean).join(" ");
+}
+function getErrorMessage(error) {
+  if (error instanceof Error) return error.message;
+  if (typeof error === "string") return error;
+  return "An unexpected error occurred";
+}
+function isValidEmail(email) {
+  const emailRegex = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;
+  return emailRegex.test(email);
+}
+
+exports.API_ENDPOINTS = API_ENDPOINTS;
+exports.AUTH_CONFIG = AUTH_CONFIG;
+exports.AuditAction = AuditAction;
+exports.AuditLogger = AuditLogger;
+exports.AuthProvider = AuthProvider;
+exports.AuthService = AuthService;
+exports.DeviceFingerprint = DeviceFingerprint;
+exports.MFAService = MFAService;
+exports.MFASetup = MFASetup;
+exports.MFAVerification = MFAVerification;
+exports.ProtectedRoute = ProtectedRoute;
+exports.RateLimiter = RateLimiter;
+exports.STORAGE_KEYS = STORAGE_KEYS;
+exports.SessionManager = SessionManager;
+exports.SessionWarning = SessionWarning;
+exports.TokenBlacklist = TokenBlacklist;
+exports.TokenManager = TokenManager;
+exports.TokenStorage = SecureTokenStorage;
+exports.cn = cn;
+exports.getErrorMessage = getErrorMessage;
+exports.isValidEmail = isValidEmail;
+exports.setupAuthInterceptors = setupAuthInterceptors;
+exports.useAuth = useAuth;
+exports.useProtectedRoute = useProtectedRoute;
+//# sourceMappingURL=index.js.map
+//# sourceMappingURL=index.js.map