tenneo-auth-plugin 0.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
@@ -0,0 +1,558 @@
1
+ import React from 'react';
2
+
3
+ /**
4
+ * Public bootstrap API. Delegates to default engine.init() when set; otherwise runs runBootstrap().
5
+ */
6
+ declare function bootstrap(): Promise<void>;
7
+
8
+ /**
9
+ * Logout functionality.
10
+ * Sets force_login, clears auth storage; does not redirect (bootstrap handles that).
11
+ */
12
+ interface LogoutResponse {
13
+ success?: boolean;
14
+ message?: string;
15
+ logout?: boolean;
16
+ }
17
+ declare function logout(tenantKey?: string): Promise<{
18
+ success: boolean;
19
+ message: string;
20
+ serverResponse?: LogoutResponse;
21
+ }>;
22
+
23
+ /**
24
+ * Domain types for the authentication gateway plugin.
25
+ * Pure types; no I/O.
26
+ */
27
+ interface TenantConfig {
28
+ tenantId: string;
29
+ authServer: string;
30
+ tenantKey?: string;
31
+ client: {
32
+ clientId: string;
33
+ clientCode?: string;
34
+ redirectUri: string;
35
+ scopes: string;
36
+ };
37
+ }
38
+ interface TokenResponse {
39
+ access_token: string;
40
+ refresh_token: string;
41
+ expires_in: number;
42
+ token_type?: string;
43
+ }
44
+ interface AuthState {
45
+ isAuthenticated: boolean;
46
+ accessToken: string | null;
47
+ isLoading: boolean;
48
+ error: string | null;
49
+ }
50
+ interface AuthContextValue extends AuthState {
51
+ login: () => Promise<void>;
52
+ logout: () => Promise<void>;
53
+ refreshToken: () => Promise<string>;
54
+ getAccessToken: () => Promise<string>;
55
+ setTokens: (accessToken: string) => void;
56
+ }
57
+ interface EnvConfig {
58
+ authServerUrl: string;
59
+ clientId: string;
60
+ redirectUri: string;
61
+ tenantId: string;
62
+ }
63
+
64
+ /**
65
+ * OAuth2 PKCE token exchange and refresh.
66
+ * Strategy-owned implementation; uses API_AUTH_BASE_URL only.
67
+ */
68
+
69
+ declare function refreshAccessToken(): Promise<string>;
70
+
71
+ /**
72
+ * Token API: facades for public API.
73
+ * ensureValidAccessToken delegates to default engine when set; otherwise uses strategy refresh.
74
+ */
75
+
76
+ declare function ensureValidAccessToken(): Promise<string>;
77
+ declare function getAccessToken$1(): string | null;
78
+
79
+ /**
80
+ * Storage adapter types for enterprise-grade token and key-value storage.
81
+ * SSR-safe: no direct window/document usage in interface.
82
+ */
83
+ /**
84
+ * Shape of tokens stored by the adapter (used for getTokens/setTokens).
85
+ */
86
+ interface AuthTokens {
87
+ accessToken: string;
88
+ refreshToken: string;
89
+ expiresAt: number;
90
+ }
91
+ /**
92
+ * Token-only storage contract (spec).
93
+ * Implementations must be SSR-safe: avoid window/document in method bodies
94
+ * or guard with typeof window !== 'undefined'.
95
+ */
96
+ interface TokenStorageAdapter {
97
+ getTokens(): Promise<AuthTokens | null>;
98
+ setTokens(tokens: AuthTokens): Promise<void>;
99
+ clearTokens(): Promise<void>;
100
+ }
101
+ /**
102
+ * Optional key-value contract for config/flow flags.
103
+ * When implemented, allows replacing all sessionStorage/localStorage usage
104
+ * with a single injected adapter. Namespacing is applied by the adapter.
105
+ */
106
+ interface KeyValueStorageAdapter {
107
+ getItem(key: string): Promise<string | null>;
108
+ setItem(key: string, value: string): Promise<void>;
109
+ removeItem(key: string): Promise<void>;
110
+ clear(): Promise<void>;
111
+ }
112
+ /**
113
+ * Optional synchronous access for backward compatibility with existing sync APIs.
114
+ * When implemented, storage layer uses these so callers remain sync.
115
+ */
116
+ interface SyncStorageAdapter {
117
+ getTokensSync?(): AuthTokens | null;
118
+ setTokensSync?(tokens: AuthTokens): void;
119
+ clearTokensSync?(): void;
120
+ getItemSync?(key: string): string | null;
121
+ setItemSync?(key: string, value: string): void;
122
+ removeItemSync?(key: string): void;
123
+ clearSync?(): void;
124
+ }
125
+ /**
126
+ * Full storage adapter: tokens + key-value.
127
+ * Default adapters implement this and SyncStorageAdapter for sync compatibility.
128
+ */
129
+ type StorageAdapter = TokenStorageAdapter & KeyValueStorageAdapter & Partial<SyncStorageAdapter>;
130
+ /**
131
+ * Namespace for storage keys: auth_${tenantId}_${appId}_*
132
+ * Used to isolate data per tenant and app (microfrontend support).
133
+ */
134
+ interface StorageNamespace {
135
+ tenantId: string;
136
+ appId: string;
137
+ }
138
+
139
+ /**
140
+ * Storage key namespacing: auth_${tenantId}_${appId}_*
141
+ * Backward compatibility: when both tenantId and appId are empty, use dynamic prefix (from tenant code).
142
+ */
143
+
144
+ /**
145
+ * Builds a namespaced storage key.
146
+ * - When tenantId and appId are both falsy: returns getStorageKeyPrefix() + suffix (tenant-code-based or default).
147
+ * - Otherwise: returns auth_${tenantId}_${appId}_${suffix}.
148
+ */
149
+ declare function buildStorageKey(ns: StorageNamespace, suffix: string): string;
150
+
151
+ /**
152
+ * Storage context: current adapter and namespace.
153
+ * Can be set via setStorageContext (legacy) or setAuthRuntime (full runtime).
154
+ * No window/document usage.
155
+ */
156
+
157
+ declare function setStorageContext(adapter: StorageAdapter | null, namespace?: Partial<StorageNamespace>): void;
158
+ declare function getStorageAdapter(): StorageAdapter | null;
159
+ declare function getStorageNamespace(): StorageNamespace;
160
+
161
+ /**
162
+ * In-memory storage adapter. SSR-safe; no window/document usage.
163
+ * Default for server-side or when no persistent storage is desired.
164
+ */
165
+
166
+ declare function createMemoryStorageAdapter(namespace: StorageNamespace): StorageAdapter;
167
+
168
+ /**
169
+ * Session storage adapter with namespaced keys. SSR-safe: guards all
170
+ * window/sessionStorage access with typeof window !== 'undefined'.
171
+ */
172
+
173
+ declare function createSecureSessionStorageAdapter(namespace: StorageNamespace): StorageAdapter;
174
+
175
+ /**
176
+ * Cookie-based storage adapter (HttpOnly-compatible abstraction).
177
+ * Tokens are stored in cookies; config/flow flags use cookies or fallback.
178
+ * SSR-safe: all document/window access guarded with typeof window !== 'undefined'.
179
+ *
180
+ * Note: True HttpOnly cookies must be set by the server. This adapter uses
181
+ * document.cookie for client-readable tokens when running in the browser,
182
+ * and can be replaced by a server-backed implementation for HttpOnly.
183
+ */
184
+
185
+ declare function createCookieStorageAdapter(namespace: StorageNamespace, options?: {
186
+ cookiePrefix?: string;
187
+ }): StorageAdapter;
188
+
189
+ /**
190
+ * Storage API: adapter-based get/set/clear. No direct window/sessionStorage.
191
+ * Keys use dynamic prefix from tenant code (see prefix.ts).
192
+ */
193
+
194
+ declare function getAccessToken(): string | null;
195
+ declare function isAccessTokenExpired(): boolean;
196
+
197
+ declare function useAuthContext(): AuthContextValue;
198
+
199
+ /**
200
+ * React Context Provider for authentication state (FINAL)
201
+ */
202
+
203
+ interface AuthProviderProps {
204
+ children: React.ReactNode;
205
+ autoInit?: boolean;
206
+ /** Tenant code from host app (used to resolve tenant via GET /api/tenant/v1/public/tenants/by-code/{tenantCode}). */
207
+ tenantCode?: string;
208
+ /** App id for storage namespacing (auth_${tenantId}_${appId}_*). */
209
+ appId?: string;
210
+ /** Optional storage adapter; default is SecureSessionStorageAdapter with namespacing. */
211
+ storageAdapter?: StorageAdapter | null;
212
+ }
213
+ /**
214
+ * AuthProvider – UI-facing auth state only
215
+ */
216
+ declare function AuthProvider({ children, autoInit, tenantCode, appId, storageAdapter, }: AuthProviderProps): React.JSX.Element;
217
+
218
+ interface AuthCallbackProps {
219
+ loginPath?: string;
220
+ successPath?: string;
221
+ homePath?: string;
222
+ }
223
+ declare function AuthCallback({ loginPath, successPath, homePath, }: AuthCallbackProps): React.JSX.Element;
224
+
225
+ interface ProtectedRouteProps {
226
+ children: React.ReactNode;
227
+ fallback?: React.ReactNode;
228
+ autoLogin?: boolean;
229
+ }
230
+ declare function ProtectedRoute({ children, fallback, autoLogin, }: ProtectedRouteProps): React.JSX.Element;
231
+
232
+ /**
233
+ * useAuth hook for accessing authentication state and methods
234
+ */
235
+
236
+ /**
237
+ * Hook to access authentication state and methods
238
+ * @returns Authentication context value
239
+ */
240
+ declare function useAuth(): AuthContextValue;
241
+
242
+ /**
243
+ * useAuthInit hook
244
+ *
245
+ * RULES:
246
+ * - Only prevents parallel init calls
247
+ * - Does NOT block based on flags (bootstrap handles that)
248
+ */
249
+ interface UseAuthInitResult {
250
+ isLoading: boolean;
251
+ error: string | null;
252
+ init: () => Promise<void>;
253
+ }
254
+ declare function useAuthInit(): UseAuthInitResult;
255
+
256
+ /**
257
+ * Framework-agnostic runtime interfaces for the auth core.
258
+ * No React, window, or document dependencies.
259
+ */
260
+
261
+ /** Current URL snapshot (replaces direct window.location usage in core). */
262
+ interface CurrentUrl {
263
+ href: string;
264
+ origin: string;
265
+ pathname: string;
266
+ search: string;
267
+ hostname: string;
268
+ }
269
+ /** Logger interface – no console in core. */
270
+ interface Logger {
271
+ info(message: string, meta?: Record<string, unknown>): void;
272
+ warn(message: string, meta?: Record<string, unknown>): void;
273
+ error(message: string, meta?: Record<string, unknown>): void;
274
+ debug(message: string, meta?: Record<string, unknown>): void;
275
+ }
276
+ /** URL and navigation – replaces window.location / window.history in core. */
277
+ interface UrlProvider {
278
+ getCurrentUrl(): CurrentUrl;
279
+ /** Full redirect (e.g. window.location.replace). */
280
+ redirect(url: string): void;
281
+ /** Soft replace (e.g. history.replaceState) without reload. */
282
+ replaceState(url: string): void;
283
+ }
284
+ /** Configuration – replaces direct Config / window.__APP_CONFIG__ in core. */
285
+ interface ConfigProvider {
286
+ getApiBaseUrl(): string;
287
+ getAuthServerUrl(): string;
288
+ getRedirectUri(): string;
289
+ getClientId(): string;
290
+ getTenantId(): string;
291
+ getClientCode(): string;
292
+ getBasePath(): string;
293
+ }
294
+ /** Tenant resolution – replaces direct tenant API usage in core. */
295
+ interface TenantResolver {
296
+ resolve(tenantKey: string): Promise<TenantConfig | null>;
297
+ }
298
+ /** Optional: clear cookies (e.g. on logout). Called by core when provided. */
299
+ interface CookieClearer {
300
+ clearCookies(): void;
301
+ }
302
+ /**
303
+ * Auth runtime: all external dependencies injected.
304
+ * Core uses only this; no direct browser or framework APIs.
305
+ */
306
+ interface AuthRuntime {
307
+ /** Required. Token + key-value storage. */
308
+ storageAdapter: StorageAdapter;
309
+ storageNamespace: StorageNamespace;
310
+ /** Required. No console.log in core. */
311
+ logger: Logger;
312
+ /** Required for redirects and URL checks. */
313
+ urlProvider: UrlProvider;
314
+ /** Required for OAuth and tenant config. */
315
+ configProvider: ConfigProvider;
316
+ /** Required for resolving tenant by key. */
317
+ tenantResolver: TenantResolver;
318
+ /** Optional. If not set, core will not clear cookies on logout. */
319
+ clearCookies?: CookieClearer;
320
+ }
321
+
322
+ /**
323
+ * Runtime context: single get/set for auth runtime.
324
+ * Core reads from here; host (e.g. React layer) sets before any core code runs.
325
+ */
326
+
327
+ declare function setAuthRuntime(runtime: AuthRuntime | null): void;
328
+ declare function getAuthRuntime(): AuthRuntime | null;
329
+
330
+ /**
331
+ * Auth strategy interface for pluggable authentication.
332
+ * Engine and bootstrap depend on this interface, not concrete OAuth2 PKCE.
333
+ */
334
+
335
+ interface AuthStrategy {
336
+ /** Start the auth flow (e.g. redirect to IdP). */
337
+ initiate(tenantConfig: TenantConfig): Promise<void>;
338
+ /** Handle OAuth callback (code exchange). Returns true if callback was handled. */
339
+ handleCallback(): Promise<boolean>;
340
+ /** Refresh access token. Returns new access token or throws. */
341
+ refresh(): Promise<string>;
342
+ /** Log out and clear session. */
343
+ logout(options?: {
344
+ tenantKey?: string;
345
+ }): Promise<void>;
346
+ }
347
+
348
+ /**
349
+ * Auth engine types. No React, no browser globals.
350
+ */
351
+
352
+ type AuthEngineConfig = AuthRuntime & {
353
+ strategy?: AuthStrategy;
354
+ };
355
+ interface AuthEngineState {
356
+ status: 'idle' | 'loading' | 'authenticated' | 'unauthenticated' | 'error';
357
+ accessToken: string | null;
358
+ expiresAt: number | null;
359
+ error: string | null;
360
+ }
361
+ type AuthStateListener = (state: AuthEngineState) => void;
362
+ type Unsubscribe = () => void;
363
+ interface AuthEngine {
364
+ init(): Promise<void>;
365
+ login(): Promise<void>;
366
+ logout(options?: {
367
+ tenantKey?: string;
368
+ }): Promise<void>;
369
+ refresh(): Promise<string>;
370
+ getAccessToken(): Promise<string>;
371
+ handleCallback(): Promise<boolean>;
372
+ subscribe(listener: AuthStateListener): Unsubscribe;
373
+ getState(): AuthEngineState;
374
+ }
375
+
376
+ /**
377
+ * Creates the auth engine. No React, no direct browser usage.
378
+ */
379
+
380
+ declare function createAuthEngine(config: AuthEngineConfig): AuthEngine;
381
+
382
+ /**
383
+ * OAuth2 PKCE implementation of AuthStrategy.
384
+ * Wraps initiateAuthFlow, handleCallback, refreshAccessToken, and logout.
385
+ */
386
+
387
+ declare function createOAuth2PkceStrategy(): AuthStrategy;
388
+
389
+ /**
390
+ * Runtime-backed facade for domain tenant/callback helpers.
391
+ * Provides extractTenantKey(), isCallbackUrl(), isLocalhost() for public API and internal use.
392
+ * Uses runtime when set; falls back to window for backward compatibility.
393
+ */
394
+
395
+ declare function extractTenantKey(): string | null;
396
+ declare function isCallbackUrl(): boolean;
397
+
398
+ /**
399
+ * Tenant resolution API client.
400
+ * Resolves tenant configuration via GET /api/tenant/v1/public/tenants/by-code/{tenantCode}.
401
+ */
402
+
403
+ declare function resolveTenant(tenantKey: string): Promise<TenantConfig | null>;
404
+
405
+ /**
406
+ * Configuration types.
407
+ * Internal: non-overridable (from .env). Runtime: overridable (env + window + setConfig).
408
+ *
409
+ * BASE URL SEPARATION (mandatory — do not mix):
410
+ * - API_TENANT_RESOLUTION_BASE_URL: Tenant resolution only.
411
+ * - API_AUTH_BASE_URL: Token operations only (exchange, refresh, logout).
412
+ * - AUTH_SERVER_URL: OpenID Connect authorization redirect only.
413
+ */
414
+ interface InternalConfig {
415
+ API_TENANT_RESOLUTION_BASE_URL: string;
416
+ API_AUTH_BASE_URL: string;
417
+ AUTH_SERVER_URL: string;
418
+ DEFAULT_DOMAIN: string;
419
+ }
420
+ /** Single source of truth: .env (VITE_CLIENT_ID, VITE_TENANT_ID, VITE_CLIENTCODE). */
421
+ interface RuntimeConfig {
422
+ CLIENT_ID: string;
423
+ TENANT_ID: string;
424
+ CLIENTCODE: string;
425
+ }
426
+ type ResolvedConfig = InternalConfig & RuntimeConfig;
427
+ type SDKConfig = ResolvedConfig;
428
+ interface RuntimeConfigOverrides {
429
+ basePath?: string;
430
+ redirectUri?: string;
431
+ }
432
+ type HostConfigOverride = Partial<RuntimeConfig> & Partial<RuntimeConfigOverrides>;
433
+ /** Window __APP_CONFIG__ / __AUTH_CONFIG__ shape (clientId, tenantId, clientcode only). */
434
+ interface HostRuntimeConfig {
435
+ clientId?: string;
436
+ tenantId?: string;
437
+ clientcode?: string;
438
+ }
439
+ /** Full resolved config output (internal URLs + runtime + derived redirectUri, basePath). */
440
+ interface ResolvedHostConfig {
441
+ apiTenantResolutionBaseUrl: string;
442
+ apiAuthBaseUrl: string;
443
+ authServerUrl: string;
444
+ defaultDomain: string;
445
+ clientId: string;
446
+ tenantId: string;
447
+ clientCode: string;
448
+ redirectUri: string;
449
+ basePath: string;
450
+ }
451
+
452
+ /**
453
+ * OAuth constants and storage keys. No config resolution — pure constants.
454
+ */
455
+ declare const OAUTH_CONSTANTS: {
456
+ readonly SCOPES: "openid profile email";
457
+ readonly RESPONSE_TYPE: "code";
458
+ readonly CODE_CHALLENGE_METHOD: "S256";
459
+ readonly TOKEN_GRANT_TYPE: "authorization_code";
460
+ readonly REFRESH_GRANT_TYPE: "refresh_token";
461
+ };
462
+ declare const STORAGE_KEY_PREFIX = "tenneo_auth_";
463
+ declare const STORAGE_KEYS: {
464
+ readonly authServerUrl: "tenneo_auth_auth_server_url";
465
+ readonly clientId: "tenneo_auth_client_id";
466
+ readonly redirectUri: "tenneo_auth_redirect_uri";
467
+ readonly tenantId: "tenneo_auth_tenant_id";
468
+ readonly codeVerifier: "tenneo_auth_code_verifier";
469
+ readonly state: "tenneo_auth_state";
470
+ readonly accessToken: "tenneo_auth_access_token";
471
+ readonly refreshToken: "tenneo_auth_refresh_token";
472
+ readonly expiresAt: "tenneo_auth_expires_at";
473
+ };
474
+
475
+ /**
476
+ * Config: resolver + public Config facade.
477
+ * Resolution order: runtime overrides > window > env > defaults.
478
+ * Single source of truth: .env (see .env.example).
479
+ */
480
+
481
+ declare global {
482
+ interface Window {
483
+ __APP_CONFIG__?: HostRuntimeConfig | {
484
+ [key: string]: unknown;
485
+ };
486
+ __AUTH_CONFIG__?: HostRuntimeConfig | {
487
+ [key: string]: unknown;
488
+ };
489
+ }
490
+ }
491
+ declare function resolveConfig(overrides?: HostConfigOverride): InternalConfig & RuntimeConfig;
492
+ declare function getConfig(): InternalConfig & RuntimeConfig;
493
+ declare function setConfig(overrides: HostConfigOverride): void;
494
+ declare const Config: {
495
+ readonly getApiTenantResolutionBaseUrl: () => string;
496
+ readonly getApiAuthBaseUrl: () => string;
497
+ readonly getAuthServerUrl: () => string;
498
+ readonly getDefaultDomain: () => string;
499
+ readonly getClientId: () => string;
500
+ readonly getTenantId: () => string;
501
+ readonly getClientCode: () => string;
502
+ readonly getRedirectUri: () => string;
503
+ readonly getBasePath: () => string;
504
+ readonly hasRuntimeConfig: () => boolean;
505
+ readonly getAll: () => ResolvedHostConfig;
506
+ };
507
+ declare function getEnvConfig(): Promise<EnvConfig | null>;
508
+ declare function hasEnvFallback(): boolean;
509
+
510
+ /**
511
+ * Security and error utilities for authentication.
512
+ * Domain layer: sanitized errors and HTTPS enforcement.
513
+ */
514
+ declare function enforceHttps(allowLocalhost?: boolean): void;
515
+ declare function sanitizeErrorMessage(error: unknown, genericMessage: string): string;
516
+ declare class SanitizedError extends Error {
517
+ readonly code: string;
518
+ readonly originalMessage?: string;
519
+ constructor(code: string, genericMessage: string, originalError?: unknown);
520
+ }
521
+
522
+ /**
523
+ * Cookie watcher to detect cookie deletion and clear session.
524
+ * Infrastructure layer: uses storage and callback; application sets callback to bootstrap.
525
+ */
526
+ declare function startCookieWatcher(): void;
527
+ declare function stopCookieWatcher(): void;
528
+ declare function resetCookieWatcher(): void;
529
+
530
+ /**
531
+ * Structured auth event emitter for observability and audit.
532
+ */
533
+ declare const AuthEventNames: {
534
+ readonly LOGIN_STARTED: "LOGIN_STARTED";
535
+ readonly LOGIN_SUCCESS: "LOGIN_SUCCESS";
536
+ readonly LOGIN_FAILED: "LOGIN_FAILED";
537
+ readonly CALLBACK_SUCCESS: "CALLBACK_SUCCESS";
538
+ readonly CALLBACK_FAILED: "CALLBACK_FAILED";
539
+ readonly TOKEN_REFRESH_SUCCESS: "TOKEN_REFRESH_SUCCESS";
540
+ readonly TOKEN_REFRESH_FAILED: "TOKEN_REFRESH_FAILED";
541
+ readonly TENANT_SWITCHED: "TENANT_SWITCHED";
542
+ readonly LOGOUT_COMPLETED: "LOGOUT_COMPLETED";
543
+ readonly BOOTSTRAP_STATE_DETECTED: "BOOTSTRAP_STATE_DETECTED";
544
+ readonly REDIRECT_LOOP_RISK: "REDIRECT_LOOP_RISK";
545
+ };
546
+ type AuthEventName = (typeof AuthEventNames)[keyof typeof AuthEventNames];
547
+ interface AuthEventPayload {
548
+ state?: string;
549
+ tenantKey?: string;
550
+ error?: string;
551
+ message?: string;
552
+ [key: string]: unknown;
553
+ }
554
+ type AuthEventHandler = (payload?: AuthEventPayload) => void;
555
+ declare function emitAuthEvent(event: AuthEventName, payload?: AuthEventPayload): void;
556
+ declare function subscribeAuthEvent(event: AuthEventName | '*', handler: AuthEventHandler): () => void;
557
+
558
+ export { AuthCallback, type AuthContextValue, type AuthEngine, type AuthEngineConfig, type AuthEngineState, type AuthEventHandler, type AuthEventName, AuthEventNames, type AuthEventPayload, AuthProvider, type AuthRuntime, type AuthState, type AuthStateListener, type AuthStrategy, type AuthTokens, Config, type ConfigProvider, type CookieClearer, type CurrentUrl, type EnvConfig, type HostConfigOverride, type InternalConfig, type Logger, OAUTH_CONSTANTS, ProtectedRoute, type ResolvedConfig, type RuntimeConfigOverrides, type SDKConfig, type RuntimeConfig as SDKRuntimeConfig, STORAGE_KEYS, STORAGE_KEY_PREFIX, SanitizedError, type StorageAdapter, type StorageNamespace, type TenantConfig, type TenantResolver, type TokenResponse, type TokenStorageAdapter, type Unsubscribe, type UrlProvider, bootstrap, buildStorageKey, createAuthEngine, createCookieStorageAdapter, createMemoryStorageAdapter, createOAuth2PkceStrategy, createSecureSessionStorageAdapter, emitAuthEvent, enforceHttps, ensureValidAccessToken, extractTenantKey, getAccessToken$1 as getAccessToken, getAuthRuntime, getConfig, getEnvConfig, getStorageAdapter, getStorageNamespace, getAccessToken as getStoredAccessToken, hasEnvFallback, isAccessTokenExpired, isCallbackUrl, logout, refreshAccessToken, resetCookieWatcher, resolveConfig, resolveTenant, sanitizeErrorMessage, setAuthRuntime, setConfig, setStorageContext, startCookieWatcher, stopCookieWatcher, subscribeAuthEvent, useAuth, useAuthContext, useAuthInit };