trustflows-client 0.1.0-alpha.0

package/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2026 SolidLab
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

package/README.md

@@ -0,0 +1,115 @@
+# trustflows-client
+
+Trustflows client helpers for Solid applications. This package provides a lightweight browser-first auth helper plus 
+UMA utilities for Trustflows-compatible services.
+
+## Install
+
+```bash
+npm install trustflows-client
+```
+
+## Auth basics
+
+Make sure a dereferenceable Client ID exists for this application. Make sure the resource server can get this JSON-LD
+file, and that client_id is the same as the URL where this file is hosted.
+
+```json
+{
+  "@context": "https://www.w3.org/ns/solid/oidc-context.jsonld",
+  "client_id": "http://localhost:8080/app/client-id.jsonld",
+  "client_name": "App Name",
+  "redirect_uris": [ "http://localhost:8080/app/logged-in-screen" ],
+  "post_logout_redirect_uris": [ "http://localhost:8080/app/logged-out-screen" ]
+}
+```
+
+This client ID file can then be used to log in a user, make sure to use the same redirect URI as in the file.
+
+```ts
+import {
+  getDefaultAuth,
+  configureDefaultAuth
+} from "trustflows-client";
+
+configureDefaultAuth({
+  persistTokens: false,
+});
+const auth = getDefaultAuth();
+await auth.login(
+  "https://idp.example",
+  "http://localhost:8080/app/client-id.jsonld",
+  "http://localhost:8080/app/logged-in-screen"
+);
+
+```
+
+`configureDefaultAuth()` and the `Auth` constructor accept these options:
+
+- `fetch`: custom `fetch` implementation (useful for tests or custom networking).
+- `storage`: storage provider (defaults to `sessionStorage` in the browser).
+- `claimResolvers`: add or override UMA claim resolvers.
+- `persistTokens`: whether to persist OIDC tokens in storage. Defaults to `true`.
+
+Notes:
+- `configureDefaultAuth()` must be called **before** `getDefaultAuth()`; after the default instance is created,
+  calling `configureDefaultAuth()` will throw.
+- Token persistence stores an `oidc_tokens` JSON blob in `storage` and hydrates it on startup. Set
+  `persistTokens: false` to opt out.
+
+After redirecting back to your application, you can handle the incoming redirect and create an authenticated fetch
+function.
+
+```ts
+import {
+  getDefaultAuth,
+  configureDefaultAuth
+} from "trustflows-client";
+
+configureDefaultAuth({
+  persistTokens: false,
+});
+
+const auth = getDefaultAuth();
+
+await auth.handleIncomingRedirect();
+
+const authFetch = auth.createAuthFetch();
+
+const loggedIn = await auth.isLoggedIn();
+```
+
+## Custom UMA claim resolvers
+
+You can add custom UMA claim resolvers in your application without modifying this package.
+
+```ts
+import {
+  Auth,
+  type ClaimResolverDefinition,
+} from "trustflows-client";
+
+const myResolver: ClaimResolverDefinition = {
+  id: "custom-claim",
+  match: {
+    claim_type: "my-custom-claim",
+    issuer: "https://idp.example",
+  },
+  priority: 10,
+  resolve: async (requiredClaim, auth) => {
+    // Custom logic to resolve the claim
+    return {
+      claim_token: "custom-token",
+      claim_token_format: "custom-format",
+    };
+  },
+};
+
+auth.addClaimResolver(myResolver);
+```
+
+The `id` field must be unique among all registered claim resolvers and is used for logging and debugging purposes. 
+`match` can use any of: `claim_token_format`, `claim_type`, `issuer`, `name`, `friendly_name`. Each field can be a
+string, RegExp, or a predicate function. The `priority` field is used to determine the order in which resolvers are
+tried (higher priority first). The `resolve` function is called when the resolver matches a claim request. It receives
+the required claim and the auth entry that can be used to create the claim.

package/dist/auth.d.ts

@@ -0,0 +1,69 @@
+import type { ClaimResolver, ClaimResolverDefinition, ClaimResolverRegistry } from './uma/claims/types';
+export interface AuthOptions {
+    fetch?: typeof fetch;
+    storage?: Storage;
+    claimResolvers?: ClaimResolverRegistry;
+    persistTokens?: boolean;
+}
+interface OidcConfiguration {
+    authorization_endpoint?: string;
+    token_endpoint?: string;
+    end_session_endpoint?: string;
+    [key: string]: unknown;
+}
+interface UmaTokenCacheEntry {
+    token_type: string;
+    access_token: string;
+    expires_at?: number;
+}
+export declare class Auth {
+    oidcAccessToken?: string;
+    oidcToken?: string;
+    oidcRefreshToken?: string;
+    oidcTokenExpiry?: number;
+    webId?: string;
+    umaPermissionTokens: Map<string, UmaTokenCacheEntry>;
+    private readonly fetchFn;
+    private readonly storage?;
+    private readonly claimResolvers;
+    private readonly persistTokens;
+    private oidcIssuer?;
+    constructor(options?: AuthOptions);
+    addClaimResolver(format: string | ClaimResolverDefinition, resolver?: ClaimResolver): void;
+    get accessToken(): string | undefined;
+    set accessToken(value: string | undefined);
+    login(issuer: string, clientId: string, redirectUri: string, scope?: string): Promise<void>;
+    logout(postLogoutRedirectUri: string): Promise<void>;
+    handleIncomingRedirect(): Promise<boolean>;
+    isLoggedIn(): Promise<boolean>;
+    refreshTokens(tokenEndpoint: string, clientId: string): Promise<void>;
+    ensureValidToken(): Promise<void>;
+    getOidcConfig(issuer: string): Promise<OidcConfiguration>;
+    generateRandomString(bytes?: number): string;
+    pkceChallenge(verifier: string): Promise<string>;
+    createClaimToken(): Promise<string>;
+    createAuthFetch(): (input: RequestInfo | URL, init?: RequestInit) => Promise<Response>;
+    clearUmaCache(): void;
+    clearOidcTokens(): void;
+    clearCache(): void;
+    extractWebId(idToken: string): string | undefined;
+    private buildUmaTokenKey;
+    private hydrateOidcTokens;
+    private persistOidcTokens;
+    private hydrateUmaTokens;
+    private persistUmaTokens;
+    getStoredUmaToken(resourceUrl: string, method?: string): UmaTokenCacheEntry | undefined;
+    storeUmaToken(resourceUrl: string, method: string, token: {
+        token_type: string;
+        access_token: string;
+        expires_in?: number;
+    }): void;
+    getClaimResolvers(): ClaimResolverRegistry;
+    getFetch(): typeof fetch;
+    private getStorage;
+    private getCrypto;
+}
+export declare function configureDefaultAuth(options: AuthOptions): void;
+export declare function getDefaultAuth(): Auth;
+export {};
+//# sourceMappingURL=auth.d.ts.map

package/dist/auth.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"auth.d.ts","sourceRoot":"","sources":["../src/auth.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EACV,aAAa,EACb,uBAAuB,EACvB,qBAAqB,EACtB,MAAM,oBAAoB,CAAC;AAO5B,MAAM,WAAW,WAAW;IAC1B,KAAK,CAAC,EAAE,OAAO,KAAK,CAAC;IACrB,OAAO,CAAC,EAAE,OAAO,CAAC;IAClB,cAAc,CAAC,EAAE,qBAAqB,CAAC;IACvC,aAAa,CAAC,EAAE,OAAO,CAAC;CACzB;AAED,UAAU,iBAAiB;IACzB,sBAAsB,CAAC,EAAE,MAAM,CAAC;IAChC,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB,oBAAoB,CAAC,EAAE,MAAM,CAAC;IAC9B,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC;CACxB;AAED,UAAU,kBAAkB;IAC1B,UAAU,EAAE,MAAM,CAAC;IACnB,YAAY,EAAE,MAAM,CAAC;IACrB,UAAU,CAAC,EAAE,MAAM,CAAC;CACrB;AAED,qBAAa,IAAI;IACR,eAAe,CAAC,EAAE,MAAM,CAAC;IACzB,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,gBAAgB,CAAC,EAAE,MAAM,CAAC;IAC1B,eAAe,CAAC,EAAE,MAAM,CAAC;IACzB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,mBAAmB,kCAAyC;IAEnE,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAe;IACvC,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAU;IACnC,OAAO,CAAC,QAAQ,CAAC,cAAc,CAAwB;IACvD,OAAO,CAAC,QAAQ,CAAC,aAAa,CAAU;IACxC,OAAO,CAAC,UAAU,CAAC,CAAS;gBAET,OAAO,GAAE,WAAgB;IAcrC,gBAAgB,CACrB,MAAM,EAAE,MAAM,GAAG,uBAAuB,EACxC,QAAQ,CAAC,EAAE,aAAa,GACvB,IAAI;IAeP,IAAW,WAAW,IAAI,MAAM,GAAG,SAAS,CAE3C;IAED,IAAW,WAAW,CAAC,KAAK,EAAE,MAAM,GAAG,SAAS,EAE/C;IAEY,KAAK,CAChB,MAAM,EAAE,MAAM,EACd,QAAQ,EAAE,MAAM,EAChB,WAAW,EAAE,MAAM,EACnB,KAAK,SAAgC,GACpC,OAAO,CAAC,IAAI,CAAC;IAiCH,MAAM,CAAC,qBAAqB,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAkCpD,sBAAsB,IAAI,OAAO,CAAC,OAAO,CAAC;IAsE1C,UAAU,IAAI,OAAO,CAAC,OAAO,CAAC;IAS9B,aAAa,CAAC,aAAa,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAuCrE,gBAAgB,IAAI,OAAO,CAAC,IAAI,CAAC;IAsBjC,aAAa,CAAC,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,iBAAiB,CAAC;IAS/D,oBAAoB,CAAC,KAAK,SAAK,GAAG,MAAM;IASlC,aAAa,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC;IAQhD,gBAAgB,IAAI,OAAO,CAAC,MAAM,CAAC;IAQzC,eAAe,IAAI,CACxB,KAAK,EAAE,WAAW,GAAG,GAAG,EACxB,IAAI,CAAC,EAAE,WAAW,KACf,OAAO,CAAC,QAAQ,CAAC;IAiDf,aAAa,IAAI,IAAI;IASrB,eAAe,IAAI,IAAI;IAwBvB,UAAU,IAAI,IAAI;IAKlB,YAAY,CAAC,OAAO,EAAE,MAAM,GAAG,MAAM,GAAG,SAAS;IAexD,OAAO,CAAC,gBAAgB;IAIxB,OAAO,CAAC,iBAAiB;IA2BzB,OAAO,CAAC,iBAAiB;IAkBzB,OAAO,CAAC,gBAAgB;IAuBxB,OAAO,CAAC,gBAAgB;IAYjB,iBAAiB,CACtB,WAAW,EAAE,MAAM,EACnB,MAAM,SAAQ,GACb,kBAAkB,GAAG,SAAS;IAc1B,aAAa,CAClB,WAAW,EAAE,MAAM,EACnB,MAAM,EAAE,MAAM,EACd,KAAK,EAAE;QAAE,UAAU,EAAE,MAAM,CAAC;QAAC,YAAY,EAAE,MAAM,CAAC;QAAC,UAAU,CAAC,EAAE,MAAM,CAAA;KAAE,GACvE,IAAI;IAaA,iBAAiB,IAAI,qBAAqB;IAI1C,QAAQ,IAAI,OAAO,KAAK;IAI/B,OAAO,CAAC,UAAU;IAOlB,OAAO,CAAC,SAAS;CAMlB;AAMD,wBAAgB,oBAAoB,CAAC,OAAO,EAAE,WAAW,GAAG,IAAI,CAK/D;AAED,wBAAgB,cAAc,IAAI,IAAI,CAKrC"}

package/dist/auth.js

@@ -0,0 +1,467 @@
+import { createDefaultClaimResolvers } from './uma/claims/registry';
+import { fetchWithUma, parseUmaAuthenticateHeader, } from './uma/utils';
+export class Auth {
+    oidcAccessToken;
+    oidcToken;
+    oidcRefreshToken;
+    oidcTokenExpiry;
+    webId;
+    umaPermissionTokens = new Map();
+    fetchFn;
+    storage;
+    claimResolvers;
+    persistTokens;
+    oidcIssuer;
+    constructor(options = {}) {
+        this.fetchFn = options.fetch ?? fetch;
+        this.storage =
+            options.storage ??
+                (typeof sessionStorage === 'undefined' ? undefined : sessionStorage);
+        this.persistTokens = options.persistTokens ?? true;
+        this.claimResolvers = [
+            ...createDefaultClaimResolvers(),
+            ...options.claimResolvers ?? [],
+        ];
+        this.hydrateOidcTokens();
+        this.hydrateUmaTokens();
+    }
+    addClaimResolver(format, resolver) {
+        if (typeof format === 'string') {
+            if (!resolver) {
+                throw new Error('Claim resolver function is required.');
+            }
+            this.claimResolvers.push({
+                id: `custom:${format}`,
+                match: { claim_token_format: format },
+                resolve: resolver,
+            });
+            return;
+        }
+        this.claimResolvers.push(format);
+    }
+    get accessToken() {
+        return this.oidcAccessToken;
+    }
+    set accessToken(value) {
+        this.oidcAccessToken = value;
+    }
+    async login(issuer, clientId, redirectUri, scope = 'openid webid offline_access') {
+        const config = await this.getOidcConfig(issuer);
+        if (!config.authorization_endpoint) {
+            throw new Error('Missing authorization_endpoint in OIDC configuration');
+        }
+        const state = this.generateRandomString();
+        const codeVerifier = this.generateRandomString();
+        const codeChallenge = await this.pkceChallenge(codeVerifier);
+        const storage = this.getStorage();
+        storage.setItem('oidc_state', state);
+        storage.setItem('oidc_code_verifier', codeVerifier);
+        storage.setItem('oidc_issuer', issuer);
+        storage.setItem('oidc_client_id', clientId);
+        storage.setItem('oidc_redirect_uri', redirectUri);
+        this.oidcIssuer = issuer;
+        const params = new URLSearchParams({
+            response_type: 'code',
+            client_id: clientId,
+            redirect_uri: redirectUri,
+            scope,
+            state,
+            code_challenge: codeChallenge,
+            code_challenge_method: 'S256',
+            prompt: 'consent',
+            response_mode: 'query',
+        });
+        window.location.href = `${config.authorization_endpoint}?${params.toString()}`;
+    }
+    async logout(postLogoutRedirectUri) {
+        const resolvedIssuer = this.oidcIssuer ?? this.storage?.getItem('oidc_issuer') ?? undefined;
+        const idTokenHint = this.oidcToken;
+        this.clearCache();
+        if (!resolvedIssuer) {
+            return;
+        }
+        let config;
+        try {
+            config = await this.getOidcConfig(resolvedIssuer);
+        }
+        catch {
+            return;
+        }
+        if (!config.end_session_endpoint) {
+            return;
+        }
+        const params = new URLSearchParams();
+        if (idTokenHint) {
+            params.set('id_token_hint', idTokenHint);
+        }
+        params.set('post_logout_redirect_uri', postLogoutRedirectUri);
+        const logoutUrl = params.toString() ?
+            `${config.end_session_endpoint}?${params.toString()}` :
+            config.end_session_endpoint;
+        window.location.href = logoutUrl;
+    }
+    async handleIncomingRedirect() {
+        const url = new URL(window.location.href);
+        const code = url.searchParams.get('code');
+        const state = url.searchParams.get('state');
+        if (!code) {
+            return false;
+        }
+        const storage = this.getStorage();
+        const storedState = storage.getItem('oidc_state');
+        if (!state || state !== storedState) {
+            throw new Error('OIDC state mismatch');
+        }
+        const issuer = storage.getItem('oidc_issuer');
+        const clientId = storage.getItem('oidc_client_id');
+        const redirectUri = storage.getItem('oidc_redirect_uri');
+        const codeVerifier = storage.getItem('oidc_code_verifier');
+        if (!issuer || !clientId || !redirectUri || !codeVerifier) {
+            throw new Error('Missing stored OIDC parameters');
+        }
+        this.oidcIssuer = issuer;
+        const config = await this.getOidcConfig(issuer);
+        if (!config.token_endpoint) {
+            throw new Error('Missing token_endpoint in OIDC configuration');
+        }
+        const bodyParams = new URLSearchParams({
+            grant_type: 'authorization_code',
+            code,
+            redirect_uri: redirectUri,
+            client_id: clientId,
+            code_verifier: codeVerifier,
+        });
+        const tokenResp = await this.fetchFn(config.token_endpoint, {
+            method: 'POST',
+            headers: {
+                'content-type': 'application/x-www-form-urlencoded',
+            },
+            body: bodyParams.toString(),
+        });
+        if (!tokenResp.ok) {
+            throw new Error(`Token endpoint error ${tokenResp.status}`);
+        }
+        const tokenJson = (await tokenResp.json());
+        this.oidcAccessToken = tokenJson.access_token;
+        this.oidcToken = tokenJson.id_token;
+        this.oidcRefreshToken = tokenJson.refresh_token;
+        if (tokenJson.expires_in) {
+            this.oidcTokenExpiry = Date.now() + tokenJson.expires_in * 1000;
+        }
+        if (tokenJson.id_token) {
+            this.webId = this.extractWebId(tokenJson.id_token);
+        }
+        this.persistOidcTokens();
+        window.history.replaceState({}, document.title, redirectUri);
+        return true;
+    }
+    async isLoggedIn() {
+        try {
+            await this.ensureValidToken();
+        }
+        catch {
+            return false;
+        }
+        return Boolean(this.oidcAccessToken ?? this.oidcToken);
+    }
+    async refreshTokens(tokenEndpoint, clientId) {
+        if (!this.oidcRefreshToken) {
+            return;
+        }
+        const bodyParams = new URLSearchParams({
+            grant_type: 'refresh_token',
+            refresh_token: this.oidcRefreshToken,
+            client_id: clientId,
+        });
+        const resp = await this.fetchFn(tokenEndpoint, {
+            method: 'POST',
+            headers: { 'content-type': 'application/x-www-form-urlencoded' },
+            body: bodyParams.toString(),
+        });
+        if (!resp.ok) {
+            throw new Error(`Refresh token endpoint error ${resp.status}`);
+        }
+        const json = (await resp.json());
+        if (json.access_token) {
+            this.oidcAccessToken = json.access_token;
+        }
+        if (json.id_token) {
+            this.oidcToken = json.id_token;
+            this.webId = this.extractWebId(json.id_token);
+        }
+        if (json.refresh_token) {
+            this.oidcRefreshToken = json.refresh_token;
+        }
+        if (json.expires_in) {
+            this.oidcTokenExpiry = Date.now() + json.expires_in * 1000;
+        }
+        this.persistOidcTokens();
+    }
+    async ensureValidToken() {
+        if (!this.oidcTokenExpiry || !this.oidcRefreshToken) {
+            return;
+        }
+        if (Date.now() < this.oidcTokenExpiry - 60_000) {
+            return;
+        }
+        const storage = this.getStorage();
+        const issuer = storage.getItem('oidc_issuer');
+        const clientId = storage.getItem('oidc_client_id');
+        if (!issuer || !clientId) {
+            return;
+        }
+        const config = await this.getOidcConfig(issuer);
+        if (!config.token_endpoint) {
+            return;
+        }
+        await this.refreshTokens(config.token_endpoint, clientId);
+    }
+    async getOidcConfig(issuer) {
+        const url = `${issuer.replace(/\/$/u, '')}/.well-known/openid-configuration`;
+        const res = await this.fetchFn(url);
+        if (!res.ok) {
+            throw new Error('Failed fetching OIDC configuration');
+        }
+        return (await res.json());
+    }
+    generateRandomString(bytes = 64) {
+        const cryptoObj = this.getCrypto();
+        const arr = new Uint8Array(bytes);
+        cryptoObj.getRandomValues(arr);
+        return [...arr]
+            .map((b) => `0${b.toString(16)}`.slice(-2))
+            .join('');
+    }
+    async pkceChallenge(verifier) {
+        const data = new TextEncoder().encode(verifier);
+        const digest = await this.getCrypto().subtle.digest('SHA-256', data);
+        const arr = new Uint8Array(digest);
+        const base64 = btoa(String.fromCodePoint(...arr));
+        return base64.replaceAll('+', '-').replaceAll('/', '_').replace(/=+$/u, '');
+    }
+    async createClaimToken() {
+        await this.ensureValidToken();
+        if (!this.oidcToken) {
+            throw new Error('No OIDC ID token available for UMA claims.');
+        }
+        return this.oidcToken;
+    }
+    createAuthFetch() {
+        return async (input, init = {}) => {
+            const noTokenResponse = await this.fetchFn(input, init);
+            if (noTokenResponse.ok) {
+                return noTokenResponse;
+            }
+            if (noTokenResponse.status !== 401) {
+                return noTokenResponse;
+            }
+            const wwwAuthenticateHeader = noTokenResponse.headers.get('WWW-Authenticate');
+            const isUmaChallenge = wwwAuthenticateHeader
+                ?.trim()
+                .toLowerCase()
+                .startsWith('uma');
+            if (isUmaChallenge) {
+                const challenge = parseUmaAuthenticateHeader(noTokenResponse.headers);
+                if (!challenge) {
+                    return noTokenResponse;
+                }
+                return fetchWithUma(input, init, {
+                    auth: this,
+                    challenge,
+                });
+            }
+            await this.ensureValidToken();
+            if (!this.oidcAccessToken) {
+                return noTokenResponse;
+            }
+            const headers = new Headers(init.headers);
+            headers.set('Authorization', `Bearer ${this.oidcAccessToken}`);
+            return this.fetchFn(input, { ...init, headers });
+        };
+    }
+    clearUmaCache() {
+        try {
+            this.umaPermissionTokens.clear();
+            this.storage?.removeItem('uma_permission_tokens');
+        }
+        catch {
+            /* Ignore */
+        }
+    }
+    clearOidcTokens() {
+        try {
+            this.oidcAccessToken = undefined;
+            this.oidcToken = undefined;
+            this.oidcRefreshToken = undefined;
+            this.oidcTokenExpiry = undefined;
+            this.webId = undefined;
+            this.oidcIssuer = undefined;
+        }
+        catch {
+            /* Ignore */
+        }
+        try {
+            const storage = this.storage;
+            storage?.removeItem('oidc_state');
+            storage?.removeItem('oidc_code_verifier');
+            storage?.removeItem('oidc_issuer');
+            storage?.removeItem('oidc_client_id');
+            storage?.removeItem('oidc_redirect_uri');
+            storage?.removeItem('oidc_tokens');
+        }
+        catch {
+            /* Ignore */
+        }
+    }
+    clearCache() {
+        this.clearUmaCache();
+        this.clearOidcTokens();
+    }
+    extractWebId(idToken) {
+        try {
+            const [, payload] = idToken.split('.');
+            if (!payload) {
+                return undefined;
+            }
+            const decoded = JSON.parse(atob(payload.replaceAll('-', '+').replaceAll('_', '/')));
+            return decoded.webid ?? decoded.sub;
+        }
+        catch {
+            return undefined;
+        }
+    }
+    buildUmaTokenKey(resourceUrl, method = 'GET') {
+        return `${method.toUpperCase()} ${resourceUrl}`;
+    }
+    hydrateOidcTokens() {
+        if (!this.persistTokens || !this.storage) {
+            return;
+        }
+        try {
+            const raw = this.storage.getItem('oidc_tokens');
+            if (!raw) {
+                return;
+            }
+            const data = JSON.parse(raw);
+            this.oidcAccessToken = data.access_token;
+            this.oidcToken = data.id_token;
+            this.oidcRefreshToken = data.refresh_token;
+            this.oidcTokenExpiry = data.expires_at;
+            this.webId = data.web_id ?? (data.id_token ? this.extractWebId(data.id_token) : undefined);
+            this.oidcIssuer = this.storage.getItem('oidc_issuer') ?? undefined;
+        }
+        catch {
+            /* Ignore */
+        }
+    }
+    persistOidcTokens() {
+        if (!this.persistTokens || !this.storage) {
+            return;
+        }
+        try {
+            const payload = {
+                access_token: this.oidcAccessToken,
+                id_token: this.oidcToken,
+                refresh_token: this.oidcRefreshToken,
+                expires_at: this.oidcTokenExpiry,
+                web_id: this.webId,
+            };
+            this.storage.setItem('oidc_tokens', JSON.stringify(payload));
+        }
+        catch {
+            /* Ignore */
+        }
+    }
+    hydrateUmaTokens() {
+        try {
+            const raw = this.storage?.getItem('uma_permission_tokens');
+            if (!raw) {
+                return;
+            }
+            const parsed = JSON.parse(raw);
+            const now = Date.now();
+            for (const [key, entry] of Object.entries(parsed)) {
+                if (!entry?.access_token) {
+                    continue;
+                }
+                if (entry.expires_at && now > entry.expires_at) {
+                    continue;
+                }
+                this.umaPermissionTokens.set(key, entry);
+            }
+            this.persistUmaTokens();
+        }
+        catch {
+            /* Ignore */
+        }
+    }
+    persistUmaTokens() {
+        const obj = {};
+        for (const [key, entry] of this.umaPermissionTokens.entries()) {
+            obj[key] = entry;
+        }
+        try {
+            this.storage?.setItem('uma_permission_tokens', JSON.stringify(obj));
+        }
+        catch {
+            /* Ignore */
+        }
+    }
+    getStoredUmaToken(resourceUrl, method = 'GET') {
+        const key = this.buildUmaTokenKey(resourceUrl, method);
+        const entry = this.umaPermissionTokens.get(key);
+        if (!entry) {
+            return undefined;
+        }
+        if (entry.expires_at && Date.now() > entry.expires_at) {
+            this.umaPermissionTokens.delete(key);
+            this.persistUmaTokens();
+            return undefined;
+        }
+        return entry;
+    }
+    storeUmaToken(resourceUrl, method, token) {
+        const key = this.buildUmaTokenKey(resourceUrl, method);
+        const expires_at = token.expires_in ?
+            Date.now() + token.expires_in * 1000 :
+            undefined;
+        this.umaPermissionTokens.set(key, {
+            token_type: token.token_type,
+            access_token: token.access_token,
+            expires_at,
+        });
+        this.persistUmaTokens();
+    }
+    getClaimResolvers() {
+        return [...this.claimResolvers];
+    }
+    getFetch() {
+        return this.fetchFn;
+    }
+    getStorage() {
+        if (!this.storage) {
+            throw new Error('Session storage is not available in this environment.');
+        }
+        return this.storage;
+    }
+    getCrypto() {
+        if (!globalThis.crypto) {
+            throw new Error('Web Crypto is not available in this environment.');
+        }
+        return globalThis.crypto;
+    }
+}
+let defaultAuth;
+let defaultAuthOptions;
+export function configureDefaultAuth(options) {
+    if (defaultAuth) {
+        throw new Error('Default Auth has already been created.');
+    }
+    defaultAuthOptions = options;
+}
+export function getDefaultAuth() {
+    if (!defaultAuth) {
+        defaultAuth = new Auth(defaultAuthOptions);
+    }
+    return defaultAuth;
+}

package/dist/index.d.ts

@@ -0,0 +1,10 @@
+export * from './auth';
+export * from './types';
+export * from './utils';
+export * from './uma/claims/accessToken';
+export * from './uma/claims/idToken';
+export * from './uma/claims/registry';
+export * from './uma/claims/types';
+export * from './uma/types';
+export * from './uma/utils';
+//# sourceMappingURL=index.d.ts.map

package/dist/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,cAAc,QAAQ,CAAC;AACvB,cAAc,SAAS,CAAC;AACxB,cAAc,SAAS,CAAC;AAExB,cAAc,0BAA0B,CAAC;AACzC,cAAc,sBAAsB,CAAC;AACrC,cAAc,uBAAuB,CAAC;AACtC,cAAc,oBAAoB,CAAC;AACnC,cAAc,aAAa,CAAC;AAC5B,cAAc,aAAa,CAAC"}