tenneo-auth-plugin 0.1.8 → 0.1.10

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
package/README.md CHANGED
@@ -129,8 +129,7 @@ function App() {
129
129
  - Pluggable storage adapters (session, cookie, memory)
130
130
  - Authentication event system for observability
131
131
  - Strict TypeScript definitions throughout
132
- - Runtime configuration override support
133
- - Window-based configuration injection
132
+ - Host-driven configuration (props / `setConfig()`)
134
133
  - Clean layered architecture
135
134
  - Tree-shakeable ESM and CJS builds
136
135
  - React 18+ compatibility
@@ -139,7 +138,11 @@ function App() {
139
138
 
140
139
  | Prop | Type | Required | Default | Description |
141
140
  |------|------|----------|---------|-------------|
141
+ | `config` | `SDKConfig` | No | - | Pass all configuration as a single object (alternative to individual props) |
142
142
  | `tenantCode` | `string` | No | - | Tenant code for configuration resolution |
143
+ | `apiBaseUrl` | `string` | Yes | - | Tenant resolution service base URL |
144
+ | `authServerUrl` | `string` | Yes | - | Authorization server base URL (OIDC authorize) |
145
+ | `callbackUrl` | `string` | Yes | - | Full callback/redirect URL |
143
146
  | `appId` | `string` | No | `''` | Application identifier for storage namespacing |
144
147
  | `autoInit` | `boolean` | No | `true` | Automatically initialize authentication on mount |
145
148
  | `storageAdapter` | `StorageAdapter` | No | `null` | Custom storage adapter instance |
@@ -276,62 +279,39 @@ const token = await engine.getAccessToken();
276
279
 
277
280
  ## Configuration
278
281
 
279
- ### Environment Variables
282
+ ### Host app configuration (required)
280
283
 
281
- Configure the plugin using environment variables. For Vite applications, use the `VITE_` prefix.
284
+ This SDK does **not** read `.env` or `window.__AUTH_CONFIG__`. Provide configuration from your host app:
282
285
 
283
- ```env
284
- # OAuth Server URL
285
- VITE_AUTH_SERVER_URL=https://auth.example.com
286
-
287
- # API Base URLs
288
- VITE_API_TENANT_RESOLUTION_BASE_URL=https://api.example.com/api/v1
289
- VITE_API_AUTH_BASE_URL=https://auth.example.com
290
-
291
- # Default Configuration
292
- VITE_CLIENT_ID=your-client-id
293
- VITE_TENANT_ID=your-tenant-id
294
- VITE_CLIENTCODE=your-tenant-code
295
- ```
296
-
297
- ### Window Runtime Configuration
298
-
299
- Inject configuration at runtime without rebuilding the application.
286
+ ```tsx
287
+ import { AuthProvider } from 'tenneo-auth-plugin';
300
288
 
301
- ```html
302
- <script>
303
- window.__AUTH_CONFIG__ = {
304
- clientId: 'runtime-client-id',
305
- tenantId: 'runtime-tenant-id',
306
- basePath: '/app',
307
- };
308
- </script>
289
+ <AuthProvider
290
+ tenantCode="your-tenant-code"
291
+ apiBaseUrl="https://tenant-service.example.com"
292
+ authServerUrl="https://auth.example.com"
293
+ callbackUrl="https://app.example.com/callback"
294
+ appId="myapp"
295
+ >
296
+ <App />
297
+ </AuthProvider>
309
298
  ```
310
299
 
311
- ### Configuration Priority
312
-
313
- Configuration is resolved in the following order (highest priority first):
314
-
315
- 1. Props passed to AuthProvider
316
- 2. Window configuration (`window.__AUTH_CONFIG__`)
317
- 3. Environment variables
318
- 4. Built-in defaults
319
-
320
300
  ### Programmatic Configuration
321
301
 
322
302
  ```tsx
323
303
  import { setConfig, Config } from 'tenneo-auth-plugin';
324
304
 
325
- // Override configuration
305
+ // Override configuration (host-driven)
326
306
  setConfig({
327
- clientId: 'custom-client-id',
328
- tenantId: 'custom-tenant-id',
329
- basePath: '/my-app',
307
+ tenantCode: 'your-tenant-code',
308
+ apiBaseUrl: 'https://tenant-service.example.com',
309
+ authServerUrl: 'https://auth.example.com',
310
+ callbackUrl: 'https://app.example.com/callback',
330
311
  });
331
312
 
332
313
  // Access resolved configuration
333
314
  const authServerUrl = Config.getAuthServerUrl();
334
- const clientId = Config.getClientId();
335
315
  const allConfig = Config.getAll();
336
316
  ```
337
317
 
@@ -420,13 +400,11 @@ import type {
420
400
  TokenResponse,
421
401
  AuthState,
422
402
  AuthContextValue,
423
- EnvConfig,
424
403
  AuthTokens,
425
404
  StorageAdapter,
426
405
  AuthEngine,
427
406
  AuthEngineState,
428
407
  SDKConfig,
429
- RuntimeConfigOverrides,
430
408
  } from 'tenneo-auth-plugin';
431
409
  ```
432
410
 
package/dist/index.d.mts CHANGED
@@ -206,6 +206,80 @@ declare function isAccessTokenExpired(): boolean;
206
206
 
207
207
  declare function useAuthContext(): AuthContextValue;
208
208
 
209
+ /**
210
+ * Configuration types.
211
+ *
212
+ * There is no "internal vs runtime" config anymore.
213
+ * Everything is provided by the host app via `AuthProvider` props / `setConfig()`.
214
+ */
215
+ interface SDKConfig {
216
+ /** Tenant resolution service base URL. */
217
+ apiBaseUrl?: string;
218
+ /** Auth API base URL (token exchange/refresh/logout). */
219
+ apiAuthBaseUrl?: string;
220
+ /** Authorization server base URL (OIDC authorize endpoint). */
221
+ authServerUrl?: string;
222
+ /** Callback/redirect URL (full URL). */
223
+ callbackUrl?: string;
224
+ /** Optional tenant code/key (used for tenant resolution). */
225
+ tenantCode?: string;
226
+ /** Optional runtime identifiers (may be returned from tenant API). */
227
+ clientId?: string;
228
+ tenantId?: string;
229
+ clientCode?: string;
230
+ /** Optional UI/runtime overrides. */
231
+ basePath?: string;
232
+ }
233
+ type HostConfigOverride = SDKConfig;
234
+ interface ResolvedConfig {
235
+ apiBaseUrl: string;
236
+ authServerUrl: string;
237
+ callbackUrl: string;
238
+ clientCode: string;
239
+ }
240
+ type ResolvedHostConfig = ResolvedConfig;
241
+
242
+ /**
243
+ * OAuth constants and storage keys. No config resolution — pure constants.
244
+ */
245
+ declare const OAUTH_CONSTANTS: {
246
+ readonly SCOPES: "openid profile email";
247
+ readonly RESPONSE_TYPE: "code";
248
+ readonly CODE_CHALLENGE_METHOD: "S256";
249
+ readonly TOKEN_GRANT_TYPE: "authorization_code";
250
+ readonly REFRESH_GRANT_TYPE: "refresh_token";
251
+ };
252
+ declare const STORAGE_KEY_PREFIX = "tenneo_auth_";
253
+ declare const STORAGE_KEYS: {
254
+ readonly authServerUrl: "tenneo_auth_auth_server_url";
255
+ readonly clientId: "tenneo_auth_client_id";
256
+ readonly redirectUri: "tenneo_auth_redirect_uri";
257
+ readonly tenantId: "tenneo_auth_tenant_id";
258
+ readonly codeVerifier: "tenneo_auth_code_verifier";
259
+ readonly state: "tenneo_auth_state";
260
+ readonly accessToken: "tenneo_auth_access_token";
261
+ readonly refreshToken: "tenneo_auth_refresh_token";
262
+ readonly expiresAt: "tenneo_auth_expires_at";
263
+ };
264
+
265
+ /**
266
+ * Config: minimal host-driven config store + facade.
267
+ *
268
+ * No "internal" or "runtime" config separation.
269
+ * Everything comes from the host app via `setConfig()` / `AuthProvider` props.
270
+ */
271
+
272
+ declare function resolveConfig(overrides?: HostConfigOverride): ResolvedConfig;
273
+ declare function getConfig(): ResolvedConfig;
274
+ declare function setConfig(overrides: HostConfigOverride): void;
275
+ declare const Config: {
276
+ readonly getApiBaseUrl: () => string;
277
+ readonly getAuthServerUrl: () => string;
278
+ readonly getClientCode: () => string;
279
+ readonly getRedirectUri: () => string;
280
+ readonly getAll: () => ResolvedHostConfig;
281
+ };
282
+
209
283
  /**
210
284
  * React Context Provider for authentication state (FINAL)
211
285
  */
@@ -213,8 +287,16 @@ declare function useAuthContext(): AuthContextValue;
213
287
  interface AuthProviderProps {
214
288
  children: React.ReactNode;
215
289
  autoInit?: boolean;
290
+ /** Optional config object from host app (alternative to passing individual props). */
291
+ config?: SDKConfig;
216
292
  /** Tenant code from host app (used to resolve tenant via GET /api/tenant/v1/public/tenants/by-code/{tenantCode}). */
217
293
  tenantCode?: string;
294
+ /** Tenant resolution base URL (host app). */
295
+ apiBaseUrl?: string;
296
+ /** Authorization server URL (host app). */
297
+ authServerUrl?: string;
298
+ /** Callback/redirect URL (host app). */
299
+ callbackUrl?: string;
218
300
  /** App id for storage namespacing (auth_${tenantId}_${appId}_*). */
219
301
  appId?: string;
220
302
  /** Optional storage adapter; default is SecureSessionStorageAdapter with namespacing. */
@@ -223,7 +305,7 @@ interface AuthProviderProps {
223
305
  /**
224
306
  * AuthProvider – UI-facing auth state only
225
307
  */
226
- declare function AuthProvider({ children, autoInit, tenantCode, appId, storageAdapter, }: AuthProviderProps): React.JSX.Element;
308
+ declare function AuthProvider({ children, autoInit, config, tenantCode, apiBaseUrl, authServerUrl, callbackUrl, appId, storageAdapter, }: AuthProviderProps): React.JSX.Element;
227
309
 
228
310
  interface AuthCallbackProps {
229
311
  loginPath?: string;
@@ -296,10 +378,7 @@ interface ConfigProvider {
296
378
  getApiBaseUrl(): string;
297
379
  getAuthServerUrl(): string;
298
380
  getRedirectUri(): string;
299
- getClientId(): string;
300
- getTenantId(): string;
301
381
  getClientCode(): string;
302
- getBasePath(): string;
303
382
  }
304
383
  /** Tenant resolution – replaces direct tenant API usage in core. */
305
384
  interface TenantResolver {
@@ -412,111 +491,6 @@ declare function isCallbackUrl(): boolean;
412
491
 
413
492
  declare function resolveTenant(tenantKey: string): Promise<TenantConfig | null>;
414
493
 
415
- /**
416
- * Configuration types.
417
- * Internal: non-overridable (from .env). Runtime: overridable (env + window + setConfig).
418
- *
419
- * BASE URL SEPARATION (mandatory — do not mix):
420
- * - API_TENANT_RESOLUTION_BASE_URL: Tenant resolution only.
421
- * - API_AUTH_BASE_URL: Token operations only (exchange, refresh, logout).
422
- * - AUTH_SERVER_URL: OpenID Connect authorization redirect only.
423
- */
424
- interface InternalConfig {
425
- API_TENANT_RESOLUTION_BASE_URL: string;
426
- API_AUTH_BASE_URL: string;
427
- AUTH_SERVER_URL: string;
428
- DEFAULT_DOMAIN: string;
429
- }
430
- /** Single source of truth: .env (VITE_CLIENT_ID, VITE_TENANT_ID, VITE_CLIENTCODE). */
431
- interface RuntimeConfig {
432
- CLIENT_ID: string;
433
- TENANT_ID: string;
434
- CLIENTCODE: string;
435
- }
436
- type ResolvedConfig = InternalConfig & RuntimeConfig;
437
- type SDKConfig = ResolvedConfig;
438
- interface RuntimeConfigOverrides {
439
- basePath?: string;
440
- redirectUri?: string;
441
- }
442
- type HostConfigOverride = Partial<RuntimeConfig> & Partial<RuntimeConfigOverrides>;
443
- /** Window __APP_CONFIG__ / __AUTH_CONFIG__ shape (clientId, tenantId, clientcode only). */
444
- interface HostRuntimeConfig {
445
- clientId?: string;
446
- tenantId?: string;
447
- clientcode?: string;
448
- }
449
- /** Full resolved config output (internal URLs + runtime + derived redirectUri, basePath). */
450
- interface ResolvedHostConfig {
451
- apiTenantResolutionBaseUrl: string;
452
- apiAuthBaseUrl: string;
453
- authServerUrl: string;
454
- defaultDomain: string;
455
- clientId: string;
456
- tenantId: string;
457
- clientCode: string;
458
- redirectUri: string;
459
- basePath: string;
460
- }
461
-
462
- /**
463
- * OAuth constants and storage keys. No config resolution — pure constants.
464
- */
465
- declare const OAUTH_CONSTANTS: {
466
- readonly SCOPES: "openid profile email";
467
- readonly RESPONSE_TYPE: "code";
468
- readonly CODE_CHALLENGE_METHOD: "S256";
469
- readonly TOKEN_GRANT_TYPE: "authorization_code";
470
- readonly REFRESH_GRANT_TYPE: "refresh_token";
471
- };
472
- declare const STORAGE_KEY_PREFIX = "tenneo_auth_";
473
- declare const STORAGE_KEYS: {
474
- readonly authServerUrl: "tenneo_auth_auth_server_url";
475
- readonly clientId: "tenneo_auth_client_id";
476
- readonly redirectUri: "tenneo_auth_redirect_uri";
477
- readonly tenantId: "tenneo_auth_tenant_id";
478
- readonly codeVerifier: "tenneo_auth_code_verifier";
479
- readonly state: "tenneo_auth_state";
480
- readonly accessToken: "tenneo_auth_access_token";
481
- readonly refreshToken: "tenneo_auth_refresh_token";
482
- readonly expiresAt: "tenneo_auth_expires_at";
483
- };
484
-
485
- /**
486
- * Config: resolver + public Config facade.
487
- * Resolution order: runtime overrides > window > env > defaults.
488
- * Single source of truth: .env (see .env.example).
489
- */
490
-
491
- declare global {
492
- interface Window {
493
- __APP_CONFIG__?: HostRuntimeConfig | {
494
- [key: string]: unknown;
495
- };
496
- __AUTH_CONFIG__?: HostRuntimeConfig | {
497
- [key: string]: unknown;
498
- };
499
- }
500
- }
501
- declare function resolveConfig(overrides?: HostConfigOverride): InternalConfig & RuntimeConfig;
502
- declare function getConfig(): InternalConfig & RuntimeConfig;
503
- declare function setConfig(overrides: HostConfigOverride): void;
504
- declare const Config: {
505
- readonly getApiTenantResolutionBaseUrl: () => string;
506
- readonly getApiAuthBaseUrl: () => string;
507
- readonly getAuthServerUrl: () => string;
508
- readonly getDefaultDomain: () => string;
509
- readonly getClientId: () => string;
510
- readonly getTenantId: () => string;
511
- readonly getClientCode: () => string;
512
- readonly getRedirectUri: () => string;
513
- readonly getBasePath: () => string;
514
- readonly hasRuntimeConfig: () => boolean;
515
- readonly getAll: () => ResolvedHostConfig;
516
- };
517
- declare function getEnvConfig(): Promise<EnvConfig | null>;
518
- declare function hasEnvFallback(): boolean;
519
-
520
494
  /**
521
495
  * Security and error utilities for authentication.
522
496
  * Domain layer: sanitized errors and HTTPS enforcement.
@@ -565,4 +539,4 @@ type AuthEventHandler = (payload?: AuthEventPayload) => void;
565
539
  declare function emitAuthEvent(event: AuthEventName, payload?: AuthEventPayload): void;
566
540
  declare function subscribeAuthEvent(event: AuthEventName | '*', handler: AuthEventHandler): () => void;
567
541
 
568
- export { AuthCallback, type AuthContextValue, type AuthEngine, type AuthEngineConfig, type AuthEngineState, type AuthEventHandler, type AuthEventName, AuthEventNames, type AuthEventPayload, AuthProvider, type AuthRuntime, type AuthState, type AuthStateListener, type AuthStrategy, type AuthTokens, Config, type ConfigProvider, type CookieClearer, type CurrentUrl, type EnvConfig, type HostConfigOverride, type InternalConfig, type Logger, OAUTH_CONSTANTS, ProtectedRoute, type ResolvedConfig, type RuntimeConfigOverrides, type SDKConfig, type RuntimeConfig as SDKRuntimeConfig, STORAGE_KEYS, STORAGE_KEY_PREFIX, SanitizedError, type StorageAdapter, type StorageNamespace, type TenantConfig, type TenantResolver, type TokenResponse, type TokenStorageAdapter, type Unsubscribe, type UrlProvider, bootstrap, buildStorageKey, createAuthEngine, createCookieStorageAdapter, createMemoryStorageAdapter, createOAuth2PkceStrategy, createSecureSessionStorageAdapter, emitAuthEvent, enforceHttps, ensureValidAccessToken, extractTenantKey, getAccessToken$1 as getAccessToken, getAuthRuntime, getConfig, getEnvConfig, getStorageAdapter, getStorageNamespace, getAccessToken as getStoredAccessToken, hasEnvFallback, isAccessTokenExpired, isCallbackUrl, logout, refreshAccessToken, resetCookieWatcher, resolveConfig, resolveTenant, sanitizeErrorMessage, setAuthRuntime, setConfig, setStorageContext, startCookieWatcher, stopCookieWatcher, subscribeAuthEvent, useAuth, useAuthContext, useAuthInit };
542
+ export { AuthCallback, type AuthContextValue, type AuthEngine, type AuthEngineConfig, type AuthEngineState, type AuthEventHandler, type AuthEventName, AuthEventNames, type AuthEventPayload, AuthProvider, type AuthRuntime, type AuthState, type AuthStateListener, type AuthStrategy, type AuthTokens, Config, type ConfigProvider, type CookieClearer, type CurrentUrl, type EnvConfig, type HostConfigOverride, type Logger, OAUTH_CONSTANTS, ProtectedRoute, type ResolvedConfig, type SDKConfig, STORAGE_KEYS, STORAGE_KEY_PREFIX, SanitizedError, type StorageAdapter, type StorageNamespace, type TenantConfig, type TenantResolver, type TokenResponse, type TokenStorageAdapter, type Unsubscribe, type UrlProvider, bootstrap, buildStorageKey, createAuthEngine, createCookieStorageAdapter, createMemoryStorageAdapter, createOAuth2PkceStrategy, createSecureSessionStorageAdapter, emitAuthEvent, enforceHttps, ensureValidAccessToken, extractTenantKey, getAccessToken$1 as getAccessToken, getAuthRuntime, getConfig, getStorageAdapter, getStorageNamespace, getAccessToken as getStoredAccessToken, isAccessTokenExpired, isCallbackUrl, logout, refreshAccessToken, resetCookieWatcher, resolveConfig, resolveTenant, sanitizeErrorMessage, setAuthRuntime, setConfig, setStorageContext, startCookieWatcher, stopCookieWatcher, subscribeAuthEvent, useAuth, useAuthContext, useAuthInit };
package/dist/index.d.ts CHANGED
@@ -206,6 +206,80 @@ declare function isAccessTokenExpired(): boolean;
206
206
 
207
207
  declare function useAuthContext(): AuthContextValue;
208
208
 
209
+ /**
210
+ * Configuration types.
211
+ *
212
+ * There is no "internal vs runtime" config anymore.
213
+ * Everything is provided by the host app via `AuthProvider` props / `setConfig()`.
214
+ */
215
+ interface SDKConfig {
216
+ /** Tenant resolution service base URL. */
217
+ apiBaseUrl?: string;
218
+ /** Auth API base URL (token exchange/refresh/logout). */
219
+ apiAuthBaseUrl?: string;
220
+ /** Authorization server base URL (OIDC authorize endpoint). */
221
+ authServerUrl?: string;
222
+ /** Callback/redirect URL (full URL). */
223
+ callbackUrl?: string;
224
+ /** Optional tenant code/key (used for tenant resolution). */
225
+ tenantCode?: string;
226
+ /** Optional runtime identifiers (may be returned from tenant API). */
227
+ clientId?: string;
228
+ tenantId?: string;
229
+ clientCode?: string;
230
+ /** Optional UI/runtime overrides. */
231
+ basePath?: string;
232
+ }
233
+ type HostConfigOverride = SDKConfig;
234
+ interface ResolvedConfig {
235
+ apiBaseUrl: string;
236
+ authServerUrl: string;
237
+ callbackUrl: string;
238
+ clientCode: string;
239
+ }
240
+ type ResolvedHostConfig = ResolvedConfig;
241
+
242
+ /**
243
+ * OAuth constants and storage keys. No config resolution — pure constants.
244
+ */
245
+ declare const OAUTH_CONSTANTS: {
246
+ readonly SCOPES: "openid profile email";
247
+ readonly RESPONSE_TYPE: "code";
248
+ readonly CODE_CHALLENGE_METHOD: "S256";
249
+ readonly TOKEN_GRANT_TYPE: "authorization_code";
250
+ readonly REFRESH_GRANT_TYPE: "refresh_token";
251
+ };
252
+ declare const STORAGE_KEY_PREFIX = "tenneo_auth_";
253
+ declare const STORAGE_KEYS: {
254
+ readonly authServerUrl: "tenneo_auth_auth_server_url";
255
+ readonly clientId: "tenneo_auth_client_id";
256
+ readonly redirectUri: "tenneo_auth_redirect_uri";
257
+ readonly tenantId: "tenneo_auth_tenant_id";
258
+ readonly codeVerifier: "tenneo_auth_code_verifier";
259
+ readonly state: "tenneo_auth_state";
260
+ readonly accessToken: "tenneo_auth_access_token";
261
+ readonly refreshToken: "tenneo_auth_refresh_token";
262
+ readonly expiresAt: "tenneo_auth_expires_at";
263
+ };
264
+
265
+ /**
266
+ * Config: minimal host-driven config store + facade.
267
+ *
268
+ * No "internal" or "runtime" config separation.
269
+ * Everything comes from the host app via `setConfig()` / `AuthProvider` props.
270
+ */
271
+
272
+ declare function resolveConfig(overrides?: HostConfigOverride): ResolvedConfig;
273
+ declare function getConfig(): ResolvedConfig;
274
+ declare function setConfig(overrides: HostConfigOverride): void;
275
+ declare const Config: {
276
+ readonly getApiBaseUrl: () => string;
277
+ readonly getAuthServerUrl: () => string;
278
+ readonly getClientCode: () => string;
279
+ readonly getRedirectUri: () => string;
280
+ readonly getAll: () => ResolvedHostConfig;
281
+ };
282
+
209
283
  /**
210
284
  * React Context Provider for authentication state (FINAL)
211
285
  */
@@ -213,8 +287,16 @@ declare function useAuthContext(): AuthContextValue;
213
287
  interface AuthProviderProps {
214
288
  children: React.ReactNode;
215
289
  autoInit?: boolean;
290
+ /** Optional config object from host app (alternative to passing individual props). */
291
+ config?: SDKConfig;
216
292
  /** Tenant code from host app (used to resolve tenant via GET /api/tenant/v1/public/tenants/by-code/{tenantCode}). */
217
293
  tenantCode?: string;
294
+ /** Tenant resolution base URL (host app). */
295
+ apiBaseUrl?: string;
296
+ /** Authorization server URL (host app). */
297
+ authServerUrl?: string;
298
+ /** Callback/redirect URL (host app). */
299
+ callbackUrl?: string;
218
300
  /** App id for storage namespacing (auth_${tenantId}_${appId}_*). */
219
301
  appId?: string;
220
302
  /** Optional storage adapter; default is SecureSessionStorageAdapter with namespacing. */
@@ -223,7 +305,7 @@ interface AuthProviderProps {
223
305
  /**
224
306
  * AuthProvider – UI-facing auth state only
225
307
  */
226
- declare function AuthProvider({ children, autoInit, tenantCode, appId, storageAdapter, }: AuthProviderProps): React.JSX.Element;
308
+ declare function AuthProvider({ children, autoInit, config, tenantCode, apiBaseUrl, authServerUrl, callbackUrl, appId, storageAdapter, }: AuthProviderProps): React.JSX.Element;
227
309
 
228
310
  interface AuthCallbackProps {
229
311
  loginPath?: string;
@@ -296,10 +378,7 @@ interface ConfigProvider {
296
378
  getApiBaseUrl(): string;
297
379
  getAuthServerUrl(): string;
298
380
  getRedirectUri(): string;
299
- getClientId(): string;
300
- getTenantId(): string;
301
381
  getClientCode(): string;
302
- getBasePath(): string;
303
382
  }
304
383
  /** Tenant resolution – replaces direct tenant API usage in core. */
305
384
  interface TenantResolver {
@@ -412,111 +491,6 @@ declare function isCallbackUrl(): boolean;
412
491
 
413
492
  declare function resolveTenant(tenantKey: string): Promise<TenantConfig | null>;
414
493
 
415
- /**
416
- * Configuration types.
417
- * Internal: non-overridable (from .env). Runtime: overridable (env + window + setConfig).
418
- *
419
- * BASE URL SEPARATION (mandatory — do not mix):
420
- * - API_TENANT_RESOLUTION_BASE_URL: Tenant resolution only.
421
- * - API_AUTH_BASE_URL: Token operations only (exchange, refresh, logout).
422
- * - AUTH_SERVER_URL: OpenID Connect authorization redirect only.
423
- */
424
- interface InternalConfig {
425
- API_TENANT_RESOLUTION_BASE_URL: string;
426
- API_AUTH_BASE_URL: string;
427
- AUTH_SERVER_URL: string;
428
- DEFAULT_DOMAIN: string;
429
- }
430
- /** Single source of truth: .env (VITE_CLIENT_ID, VITE_TENANT_ID, VITE_CLIENTCODE). */
431
- interface RuntimeConfig {
432
- CLIENT_ID: string;
433
- TENANT_ID: string;
434
- CLIENTCODE: string;
435
- }
436
- type ResolvedConfig = InternalConfig & RuntimeConfig;
437
- type SDKConfig = ResolvedConfig;
438
- interface RuntimeConfigOverrides {
439
- basePath?: string;
440
- redirectUri?: string;
441
- }
442
- type HostConfigOverride = Partial<RuntimeConfig> & Partial<RuntimeConfigOverrides>;
443
- /** Window __APP_CONFIG__ / __AUTH_CONFIG__ shape (clientId, tenantId, clientcode only). */
444
- interface HostRuntimeConfig {
445
- clientId?: string;
446
- tenantId?: string;
447
- clientcode?: string;
448
- }
449
- /** Full resolved config output (internal URLs + runtime + derived redirectUri, basePath). */
450
- interface ResolvedHostConfig {
451
- apiTenantResolutionBaseUrl: string;
452
- apiAuthBaseUrl: string;
453
- authServerUrl: string;
454
- defaultDomain: string;
455
- clientId: string;
456
- tenantId: string;
457
- clientCode: string;
458
- redirectUri: string;
459
- basePath: string;
460
- }
461
-
462
- /**
463
- * OAuth constants and storage keys. No config resolution — pure constants.
464
- */
465
- declare const OAUTH_CONSTANTS: {
466
- readonly SCOPES: "openid profile email";
467
- readonly RESPONSE_TYPE: "code";
468
- readonly CODE_CHALLENGE_METHOD: "S256";
469
- readonly TOKEN_GRANT_TYPE: "authorization_code";
470
- readonly REFRESH_GRANT_TYPE: "refresh_token";
471
- };
472
- declare const STORAGE_KEY_PREFIX = "tenneo_auth_";
473
- declare const STORAGE_KEYS: {
474
- readonly authServerUrl: "tenneo_auth_auth_server_url";
475
- readonly clientId: "tenneo_auth_client_id";
476
- readonly redirectUri: "tenneo_auth_redirect_uri";
477
- readonly tenantId: "tenneo_auth_tenant_id";
478
- readonly codeVerifier: "tenneo_auth_code_verifier";
479
- readonly state: "tenneo_auth_state";
480
- readonly accessToken: "tenneo_auth_access_token";
481
- readonly refreshToken: "tenneo_auth_refresh_token";
482
- readonly expiresAt: "tenneo_auth_expires_at";
483
- };
484
-
485
- /**
486
- * Config: resolver + public Config facade.
487
- * Resolution order: runtime overrides > window > env > defaults.
488
- * Single source of truth: .env (see .env.example).
489
- */
490
-
491
- declare global {
492
- interface Window {
493
- __APP_CONFIG__?: HostRuntimeConfig | {
494
- [key: string]: unknown;
495
- };
496
- __AUTH_CONFIG__?: HostRuntimeConfig | {
497
- [key: string]: unknown;
498
- };
499
- }
500
- }
501
- declare function resolveConfig(overrides?: HostConfigOverride): InternalConfig & RuntimeConfig;
502
- declare function getConfig(): InternalConfig & RuntimeConfig;
503
- declare function setConfig(overrides: HostConfigOverride): void;
504
- declare const Config: {
505
- readonly getApiTenantResolutionBaseUrl: () => string;
506
- readonly getApiAuthBaseUrl: () => string;
507
- readonly getAuthServerUrl: () => string;
508
- readonly getDefaultDomain: () => string;
509
- readonly getClientId: () => string;
510
- readonly getTenantId: () => string;
511
- readonly getClientCode: () => string;
512
- readonly getRedirectUri: () => string;
513
- readonly getBasePath: () => string;
514
- readonly hasRuntimeConfig: () => boolean;
515
- readonly getAll: () => ResolvedHostConfig;
516
- };
517
- declare function getEnvConfig(): Promise<EnvConfig | null>;
518
- declare function hasEnvFallback(): boolean;
519
-
520
494
  /**
521
495
  * Security and error utilities for authentication.
522
496
  * Domain layer: sanitized errors and HTTPS enforcement.
@@ -565,4 +539,4 @@ type AuthEventHandler = (payload?: AuthEventPayload) => void;
565
539
  declare function emitAuthEvent(event: AuthEventName, payload?: AuthEventPayload): void;
566
540
  declare function subscribeAuthEvent(event: AuthEventName | '*', handler: AuthEventHandler): () => void;
567
541
 
568
- export { AuthCallback, type AuthContextValue, type AuthEngine, type AuthEngineConfig, type AuthEngineState, type AuthEventHandler, type AuthEventName, AuthEventNames, type AuthEventPayload, AuthProvider, type AuthRuntime, type AuthState, type AuthStateListener, type AuthStrategy, type AuthTokens, Config, type ConfigProvider, type CookieClearer, type CurrentUrl, type EnvConfig, type HostConfigOverride, type InternalConfig, type Logger, OAUTH_CONSTANTS, ProtectedRoute, type ResolvedConfig, type RuntimeConfigOverrides, type SDKConfig, type RuntimeConfig as SDKRuntimeConfig, STORAGE_KEYS, STORAGE_KEY_PREFIX, SanitizedError, type StorageAdapter, type StorageNamespace, type TenantConfig, type TenantResolver, type TokenResponse, type TokenStorageAdapter, type Unsubscribe, type UrlProvider, bootstrap, buildStorageKey, createAuthEngine, createCookieStorageAdapter, createMemoryStorageAdapter, createOAuth2PkceStrategy, createSecureSessionStorageAdapter, emitAuthEvent, enforceHttps, ensureValidAccessToken, extractTenantKey, getAccessToken$1 as getAccessToken, getAuthRuntime, getConfig, getEnvConfig, getStorageAdapter, getStorageNamespace, getAccessToken as getStoredAccessToken, hasEnvFallback, isAccessTokenExpired, isCallbackUrl, logout, refreshAccessToken, resetCookieWatcher, resolveConfig, resolveTenant, sanitizeErrorMessage, setAuthRuntime, setConfig, setStorageContext, startCookieWatcher, stopCookieWatcher, subscribeAuthEvent, useAuth, useAuthContext, useAuthInit };
542
+ export { AuthCallback, type AuthContextValue, type AuthEngine, type AuthEngineConfig, type AuthEngineState, type AuthEventHandler, type AuthEventName, AuthEventNames, type AuthEventPayload, AuthProvider, type AuthRuntime, type AuthState, type AuthStateListener, type AuthStrategy, type AuthTokens, Config, type ConfigProvider, type CookieClearer, type CurrentUrl, type EnvConfig, type HostConfigOverride, type Logger, OAUTH_CONSTANTS, ProtectedRoute, type ResolvedConfig, type SDKConfig, STORAGE_KEYS, STORAGE_KEY_PREFIX, SanitizedError, type StorageAdapter, type StorageNamespace, type TenantConfig, type TenantResolver, type TokenResponse, type TokenStorageAdapter, type Unsubscribe, type UrlProvider, bootstrap, buildStorageKey, createAuthEngine, createCookieStorageAdapter, createMemoryStorageAdapter, createOAuth2PkceStrategy, createSecureSessionStorageAdapter, emitAuthEvent, enforceHttps, ensureValidAccessToken, extractTenantKey, getAccessToken$1 as getAccessToken, getAuthRuntime, getConfig, getStorageAdapter, getStorageNamespace, getAccessToken as getStoredAccessToken, isAccessTokenExpired, isCallbackUrl, logout, refreshAccessToken, resetCookieWatcher, resolveConfig, resolveTenant, sanitizeErrorMessage, setAuthRuntime, setConfig, setStorageContext, startCookieWatcher, stopCookieWatcher, subscribeAuthEvent, useAuth, useAuthContext, useAuthInit };