Fixed build bug

dist/client-CTKWBZ26.d.mts

@@ -0,0 +1,185 @@
+/**
+ * Stuffle IAM SDK Types
+ */
+interface StuffleIAMConfig {
+    /** IAM server base URL (e.g., http://localhost:5000) */
+    issuer: string;
+    /** OAuth2 client ID */
+    clientId: string;
+    /** Redirect URI after login */
+    redirectUri: string;
+    /** Requested scopes (default: openid profile email) */
+    scopes?: string[];
+    /** Post-logout redirect URI */
+    postLogoutRedirectUri?: string;
+    /** Enable PKCE (default: true, recommended for SPAs) */
+    usePkce?: boolean;
+    /** Storage type for tokens (default: sessionStorage) */
+    storage?: 'localStorage' | 'sessionStorage' | 'memory';
+    /** Auto-refresh tokens before expiry (default: true) */
+    autoRefresh?: boolean;
+    /** Seconds before expiry to trigger refresh (default: 60) */
+    refreshThreshold?: number;
+}
+interface TokenResponse {
+    access_token: string;
+    token_type: string;
+    expires_in: number;
+    refresh_token?: string;
+    id_token?: string;
+    scope?: string;
+}
+interface User {
+    sub: string;
+    email?: string;
+    email_verified?: boolean;
+    name?: string;
+    given_name?: string;
+    family_name?: string;
+    picture?: string;
+    username?: string;
+    roles?: string[];
+    tenantId?: string;
+    [key: string]: unknown;
+}
+interface AuthState {
+    isAuthenticated: boolean;
+    isLoading: boolean;
+    user: User | null;
+    accessToken: string | null;
+    idToken: string | null;
+    error: Error | null;
+}
+interface LoginOptions {
+    /** Additional scopes to request */
+    scopes?: string[];
+    /** State parameter (auto-generated if not provided) */
+    state?: string;
+    /** Nonce for ID token validation */
+    nonce?: string;
+    /** Redirect to signup instead of login */
+    signup?: boolean;
+    /** Prompt parameter (none, login, consent, select_account) */
+    prompt?: 'none' | 'login' | 'consent' | 'select_account';
+    /** Login hint (email or username) */
+    loginHint?: string;
+}
+interface LogoutOptions {
+    /** Post-logout redirect URI */
+    returnTo?: string;
+    /** Include id_token_hint in logout request */
+    idTokenHint?: string;
+}
+interface CallbackResult {
+    success: boolean;
+    user?: User;
+    accessToken?: string;
+    idToken?: string;
+    refreshToken?: string;
+    error?: string;
+    errorDescription?: string;
+}
+interface OIDCDiscovery {
+    issuer: string;
+    authorization_endpoint: string;
+    token_endpoint: string;
+    userinfo_endpoint: string;
+    jwks_uri: string;
+    end_session_endpoint?: string;
+    registration_endpoint?: string;
+    scopes_supported: string[];
+    response_types_supported: string[];
+    grant_types_supported: string[];
+    token_endpoint_auth_methods_supported: string[];
+    code_challenge_methods_supported?: string[];
+}
+
+/**
+ * Stuffle IAM Client
+ *
+ * OIDC/OAuth2 client for browser-based applications.
+ * Supports authorization code flow with PKCE.
+ */
+
+declare class StuffleIAMClient {
+    private config;
+    private storage;
+    private discovery;
+    private refreshTimer;
+    private listeners;
+    constructor(config: StuffleIAMConfig);
+    /**
+     * Fetch OIDC discovery document
+     */
+    getDiscovery(): Promise<OIDCDiscovery>;
+    /**
+     * Start login flow - redirects to authorization endpoint
+     */
+    login(options?: LoginOptions): Promise<void>;
+    /**
+     * Alias for login({ signup: true })
+     */
+    signup(options?: Omit<LoginOptions, 'signup'>): Promise<void>;
+    /**
+     * Handle callback from authorization server
+     */
+    handleCallback(url?: string): Promise<CallbackResult>;
+    /**
+     * Exchange authorization code for tokens
+     */
+    private exchangeCode;
+    /**
+     * Refresh access token using refresh token
+     */
+    refreshToken(): Promise<TokenResponse | null>;
+    /**
+     * Logout - end session
+     */
+    logout(options?: LogoutOptions): Promise<void>;
+    /**
+     * Get current access token (refreshes if needed)
+     */
+    getAccessToken(): Promise<string | null>;
+    /**
+     * Get current user from stored ID token
+     */
+    getUser(): User | null;
+    /**
+     * Fetch user info from userinfo endpoint
+     */
+    fetchUserInfo(accessToken?: string): Promise<User | null>;
+    /**
+     * Check if user is authenticated
+     */
+    isAuthenticated(): boolean;
+    /**
+     * Get current auth state
+     */
+    getAuthState(): AuthState;
+    /**
+     * Subscribe to auth state changes
+     */
+    subscribe(listener: (state: AuthState) => void): () => void;
+    /**
+     * Store tokens in storage
+     */
+    private storeTokens;
+    /**
+     * Clear all stored tokens
+     */
+    private clearTokens;
+    /**
+     * Setup auto-refresh timer
+     */
+    private setupAutoRefresh;
+    /**
+     * Notify all listeners of state change
+     */
+    private notifyListeners;
+}
+/**
+ * Create a new Stuffle IAM client instance
+ */
+declare function createStuffleIAMClient(config: StuffleIAMConfig): StuffleIAMClient;
+
+export { type AuthState as A, type CallbackResult as C, type LoginOptions as L, type OIDCDiscovery as O, StuffleIAMClient as S, type TokenResponse as T, type User as U, type StuffleIAMConfig as a, type LogoutOptions as b, createStuffleIAMClient as c };

dist/client-CTKWBZ26.d.ts

@@ -0,0 +1,185 @@
+/**
+ * Stuffle IAM SDK Types
+ */
+interface StuffleIAMConfig {
+    /** IAM server base URL (e.g., http://localhost:5000) */
+    issuer: string;
+    /** OAuth2 client ID */
+    clientId: string;
+    /** Redirect URI after login */
+    redirectUri: string;
+    /** Requested scopes (default: openid profile email) */
+    scopes?: string[];
+    /** Post-logout redirect URI */
+    postLogoutRedirectUri?: string;
+    /** Enable PKCE (default: true, recommended for SPAs) */
+    usePkce?: boolean;
+    /** Storage type for tokens (default: sessionStorage) */
+    storage?: 'localStorage' | 'sessionStorage' | 'memory';
+    /** Auto-refresh tokens before expiry (default: true) */
+    autoRefresh?: boolean;
+    /** Seconds before expiry to trigger refresh (default: 60) */
+    refreshThreshold?: number;
+}
+interface TokenResponse {
+    access_token: string;
+    token_type: string;
+    expires_in: number;
+    refresh_token?: string;
+    id_token?: string;
+    scope?: string;
+}
+interface User {
+    sub: string;
+    email?: string;
+    email_verified?: boolean;
+    name?: string;
+    given_name?: string;
+    family_name?: string;
+    picture?: string;
+    username?: string;
+    roles?: string[];
+    tenantId?: string;
+    [key: string]: unknown;
+}
+interface AuthState {
+    isAuthenticated: boolean;
+    isLoading: boolean;
+    user: User | null;
+    accessToken: string | null;
+    idToken: string | null;
+    error: Error | null;
+}
+interface LoginOptions {
+    /** Additional scopes to request */
+    scopes?: string[];
+    /** State parameter (auto-generated if not provided) */
+    state?: string;
+    /** Nonce for ID token validation */
+    nonce?: string;
+    /** Redirect to signup instead of login */
+    signup?: boolean;
+    /** Prompt parameter (none, login, consent, select_account) */
+    prompt?: 'none' | 'login' | 'consent' | 'select_account';
+    /** Login hint (email or username) */
+    loginHint?: string;
+}
+interface LogoutOptions {
+    /** Post-logout redirect URI */
+    returnTo?: string;
+    /** Include id_token_hint in logout request */
+    idTokenHint?: string;
+}
+interface CallbackResult {
+    success: boolean;
+    user?: User;
+    accessToken?: string;
+    idToken?: string;
+    refreshToken?: string;
+    error?: string;
+    errorDescription?: string;
+}
+interface OIDCDiscovery {
+    issuer: string;
+    authorization_endpoint: string;
+    token_endpoint: string;
+    userinfo_endpoint: string;
+    jwks_uri: string;
+    end_session_endpoint?: string;
+    registration_endpoint?: string;
+    scopes_supported: string[];
+    response_types_supported: string[];
+    grant_types_supported: string[];
+    token_endpoint_auth_methods_supported: string[];
+    code_challenge_methods_supported?: string[];
+}
+
+/**
+ * Stuffle IAM Client
+ *
+ * OIDC/OAuth2 client for browser-based applications.
+ * Supports authorization code flow with PKCE.
+ */
+
+declare class StuffleIAMClient {
+    private config;
+    private storage;
+    private discovery;
+    private refreshTimer;
+    private listeners;
+    constructor(config: StuffleIAMConfig);
+    /**
+     * Fetch OIDC discovery document
+     */
+    getDiscovery(): Promise<OIDCDiscovery>;
+    /**
+     * Start login flow - redirects to authorization endpoint
+     */
+    login(options?: LoginOptions): Promise<void>;
+    /**
+     * Alias for login({ signup: true })
+     */
+    signup(options?: Omit<LoginOptions, 'signup'>): Promise<void>;
+    /**
+     * Handle callback from authorization server
+     */
+    handleCallback(url?: string): Promise<CallbackResult>;
+    /**
+     * Exchange authorization code for tokens
+     */
+    private exchangeCode;
+    /**
+     * Refresh access token using refresh token
+     */
+    refreshToken(): Promise<TokenResponse | null>;
+    /**
+     * Logout - end session
+     */
+    logout(options?: LogoutOptions): Promise<void>;
+    /**
+     * Get current access token (refreshes if needed)
+     */
+    getAccessToken(): Promise<string | null>;
+    /**
+     * Get current user from stored ID token
+     */
+    getUser(): User | null;
+    /**
+     * Fetch user info from userinfo endpoint
+     */
+    fetchUserInfo(accessToken?: string): Promise<User | null>;
+    /**
+     * Check if user is authenticated
+     */
+    isAuthenticated(): boolean;
+    /**
+     * Get current auth state
+     */
+    getAuthState(): AuthState;
+    /**
+     * Subscribe to auth state changes
+     */
+    subscribe(listener: (state: AuthState) => void): () => void;
+    /**
+     * Store tokens in storage
+     */
+    private storeTokens;
+    /**
+     * Clear all stored tokens
+     */
+    private clearTokens;
+    /**
+     * Setup auto-refresh timer
+     */
+    private setupAutoRefresh;
+    /**
+     * Notify all listeners of state change
+     */
+    private notifyListeners;
+}
+/**
+ * Create a new Stuffle IAM client instance
+ */
+declare function createStuffleIAMClient(config: StuffleIAMConfig): StuffleIAMClient;
+
+export { type AuthState as A, type CallbackResult as C, type LoginOptions as L, type OIDCDiscovery as O, StuffleIAMClient as S, type TokenResponse as T, type User as U, type StuffleIAMConfig as a, type LogoutOptions as b, createStuffleIAMClient as c };

dist/index.d.mts

@@ -0,0 +1,41 @@
+export { A as AuthState, C as CallbackResult, L as LoginOptions, b as LogoutOptions, O as OIDCDiscovery, S as StuffleIAMClient, a as StuffleIAMConfig, T as TokenResponse, U as User, c as createStuffleIAMClient } from './client-CTKWBZ26.mjs';
+
+/**
+ * Utility functions for PKCE and crypto operations
+ */
+/**
+ * Generate a random string for state/nonce
+ */
+declare function generateRandomString(length?: number): string;
+/**
+ * Generate PKCE code verifier (43-128 characters)
+ */
+declare function generateCodeVerifier(): string;
+/**
+ * Generate PKCE code challenge from verifier
+ */
+declare function generateCodeChallenge(verifier: string): Promise<string>;
+/**
+ * Decode JWT payload (without verification)
+ */
+declare function decodeJwtPayload<T = Record<string, unknown>>(token: string): T | null;
+/**
+ * Check if token is expired
+ */
+declare function isTokenExpired(token: string, thresholdSeconds?: number): boolean;
+
+/**
+ * Token storage abstraction
+ */
+interface TokenStorage {
+    get(key: string): string | null;
+    set(key: string, value: string): void;
+    remove(key: string): void;
+    clear(): void;
+}
+/**
+ * Get storage adapter based on type
+ */
+declare function getStorage(type: 'localStorage' | 'sessionStorage' | 'memory'): TokenStorage;
+
+export { type TokenStorage, decodeJwtPayload, generateCodeChallenge, generateCodeVerifier, generateRandomString, getStorage, isTokenExpired };

dist/index.d.ts

@@ -0,0 +1,41 @@
+export { A as AuthState, C as CallbackResult, L as LoginOptions, b as LogoutOptions, O as OIDCDiscovery, S as StuffleIAMClient, a as StuffleIAMConfig, T as TokenResponse, U as User, c as createStuffleIAMClient } from './client-CTKWBZ26.js';
+
+/**
+ * Utility functions for PKCE and crypto operations
+ */
+/**
+ * Generate a random string for state/nonce
+ */
+declare function generateRandomString(length?: number): string;
+/**
+ * Generate PKCE code verifier (43-128 characters)
+ */
+declare function generateCodeVerifier(): string;
+/**
+ * Generate PKCE code challenge from verifier
+ */
+declare function generateCodeChallenge(verifier: string): Promise<string>;
+/**
+ * Decode JWT payload (without verification)
+ */
+declare function decodeJwtPayload<T = Record<string, unknown>>(token: string): T | null;
+/**
+ * Check if token is expired
+ */
+declare function isTokenExpired(token: string, thresholdSeconds?: number): boolean;
+
+/**
+ * Token storage abstraction
+ */
+interface TokenStorage {
+    get(key: string): string | null;
+    set(key: string, value: string): void;
+    remove(key: string): void;
+    clear(): void;
+}
+/**
+ * Get storage adapter based on type
+ */
+declare function getStorage(type: 'localStorage' | 'sessionStorage' | 'memory'): TokenStorage;
+
+export { type TokenStorage, decodeJwtPayload, generateCodeChallenge, generateCodeVerifier, generateRandomString, getStorage, isTokenExpired };

dist/index.js

@@ -0,0 +1,545 @@
+"use strict";
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+
+// src/index.ts
+var src_exports = {};
+__export(src_exports, {
+  StuffleIAMClient: () => StuffleIAMClient,
+  createStuffleIAMClient: () => createStuffleIAMClient,
+  decodeJwtPayload: () => decodeJwtPayload,
+  generateCodeChallenge: () => generateCodeChallenge,
+  generateCodeVerifier: () => generateCodeVerifier,
+  generateRandomString: () => generateRandomString,
+  getStorage: () => getStorage,
+  isTokenExpired: () => isTokenExpired
+});
+module.exports = __toCommonJS(src_exports);
+
+// src/utils.ts
+function generateRandomString(length = 32) {
+  const array = new Uint8Array(length);
+  crypto.getRandomValues(array);
+  return Array.from(array, (byte) => byte.toString(16).padStart(2, "0")).join("");
+}
+function generateCodeVerifier() {
+  const array = new Uint8Array(32);
+  crypto.getRandomValues(array);
+  return base64UrlEncode(array);
+}
+async function generateCodeChallenge(verifier) {
+  const encoder = new TextEncoder();
+  const data = encoder.encode(verifier);
+  const digest = await crypto.subtle.digest("SHA-256", data);
+  return base64UrlEncode(new Uint8Array(digest));
+}
+function base64UrlEncode(buffer) {
+  let binary = "";
+  for (let i = 0; i < buffer.length; i++) {
+    binary += String.fromCharCode(buffer[i]);
+  }
+  return btoa(binary).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
+}
+function decodeJwtPayload(token) {
+  try {
+    const parts = token.split(".");
+    if (parts.length !== 3) return null;
+    const payload = parts[1];
+    const decoded = atob(payload.replace(/-/g, "+").replace(/_/g, "/"));
+    return JSON.parse(decoded);
+  } catch {
+    return null;
+  }
+}
+function isTokenExpired(token, thresholdSeconds = 0) {
+  const payload = decodeJwtPayload(token);
+  if (!payload?.exp) return true;
+  const now = Math.floor(Date.now() / 1e3);
+  return payload.exp - thresholdSeconds <= now;
+}
+function parseUrlParams(url) {
+  const params = {};
+  const hashIndex = url.indexOf("#");
+  const queryIndex = url.indexOf("?");
+  let paramString = "";
+  if (hashIndex !== -1) {
+    paramString = url.substring(hashIndex + 1);
+  } else if (queryIndex !== -1) {
+    paramString = url.substring(queryIndex + 1);
+  }
+  if (!paramString) return params;
+  const searchParams = new URLSearchParams(paramString);
+  searchParams.forEach((value, key) => {
+    params[key] = value;
+  });
+  return params;
+}
+function buildUrl(base, params) {
+  const url = new URL(base);
+  Object.entries(params).forEach(([key, value]) => {
+    if (value !== void 0 && value !== null) {
+      url.searchParams.append(key, value);
+    }
+  });
+  return url.toString();
+}
+
+// src/storage.ts
+var STORAGE_PREFIX = "stuffle_iam_";
+var LocalStorageAdapter = class {
+  get(key) {
+    try {
+      return localStorage.getItem(STORAGE_PREFIX + key);
+    } catch {
+      return null;
+    }
+  }
+  set(key, value) {
+    try {
+      localStorage.setItem(STORAGE_PREFIX + key, value);
+    } catch {
+      console.warn("LocalStorage not available");
+    }
+  }
+  remove(key) {
+    try {
+      localStorage.removeItem(STORAGE_PREFIX + key);
+    } catch {
+    }
+  }
+  clear() {
+    try {
+      Object.keys(localStorage).filter((k) => k.startsWith(STORAGE_PREFIX)).forEach((k) => localStorage.removeItem(k));
+    } catch {
+    }
+  }
+};
+var SessionStorageAdapter = class {
+  get(key) {
+    try {
+      return sessionStorage.getItem(STORAGE_PREFIX + key);
+    } catch {
+      return null;
+    }
+  }
+  set(key, value) {
+    try {
+      sessionStorage.setItem(STORAGE_PREFIX + key, value);
+    } catch {
+      console.warn("SessionStorage not available");
+    }
+  }
+  remove(key) {
+    try {
+      sessionStorage.removeItem(STORAGE_PREFIX + key);
+    } catch {
+    }
+  }
+  clear() {
+    try {
+      Object.keys(sessionStorage).filter((k) => k.startsWith(STORAGE_PREFIX)).forEach((k) => sessionStorage.removeItem(k));
+    } catch {
+    }
+  }
+};
+var MemoryStorageAdapter = class {
+  constructor() {
+    this.store = /* @__PURE__ */ new Map();
+  }
+  get(key) {
+    return this.store.get(key) ?? null;
+  }
+  set(key, value) {
+    this.store.set(key, value);
+  }
+  remove(key) {
+    this.store.delete(key);
+  }
+  clear() {
+    this.store.clear();
+  }
+};
+function getStorage(type) {
+  switch (type) {
+    case "localStorage":
+      return new LocalStorageAdapter();
+    case "sessionStorage":
+      return new SessionStorageAdapter();
+    case "memory":
+      return new MemoryStorageAdapter();
+    default:
+      return new SessionStorageAdapter();
+  }
+}
+
+// src/client.ts
+var STORAGE_KEYS = {
+  ACCESS_TOKEN: "access_token",
+  REFRESH_TOKEN: "refresh_token",
+  ID_TOKEN: "id_token",
+  CODE_VERIFIER: "code_verifier",
+  STATE: "state",
+  NONCE: "nonce",
+  USER: "user",
+  EXPIRES_AT: "expires_at"
+};
+var StuffleIAMClient = class {
+  constructor(config) {
+    this.discovery = null;
+    this.refreshTimer = null;
+    this.listeners = /* @__PURE__ */ new Set();
+    this.config = {
+      issuer: config.issuer.replace(/\/$/, ""),
+      // Remove trailing slash
+      clientId: config.clientId,
+      redirectUri: config.redirectUri,
+      scopes: config.scopes ?? ["openid", "profile", "email"],
+      postLogoutRedirectUri: config.postLogoutRedirectUri ?? config.redirectUri,
+      usePkce: config.usePkce ?? true,
+      storage: config.storage ?? "sessionStorage",
+      autoRefresh: config.autoRefresh ?? true,
+      refreshThreshold: config.refreshThreshold ?? 60
+    };
+    this.storage = getStorage(this.config.storage);
+  }
+  /**
+   * Fetch OIDC discovery document
+   */
+  async getDiscovery() {
+    if (this.discovery) return this.discovery;
+    const response = await fetch(
+      `${this.config.issuer}/.well-known/openid-configuration`
+    );
+    if (!response.ok) {
+      throw new Error(`Failed to fetch OIDC discovery: ${response.status}`);
+    }
+    this.discovery = await response.json();
+    return this.discovery;
+  }
+  /**
+   * Start login flow - redirects to authorization endpoint
+   */
+  async login(options = {}) {
+    const discovery = await this.getDiscovery();
+    const state = options.state ?? generateRandomString();
+    const nonce = options.nonce ?? generateRandomString();
+    const scopes = [...this.config.scopes, ...options.scopes ?? []];
+    this.storage.set(STORAGE_KEYS.STATE, state);
+    this.storage.set(STORAGE_KEYS.NONCE, nonce);
+    const params = {
+      client_id: this.config.clientId,
+      redirect_uri: this.config.redirectUri,
+      response_type: "code",
+      scope: scopes.join(" "),
+      state,
+      nonce,
+      prompt: options.prompt,
+      login_hint: options.loginHint
+    };
+    if (this.config.usePkce) {
+      const codeVerifier = generateCodeVerifier();
+      const codeChallenge = await generateCodeChallenge(codeVerifier);
+      this.storage.set(STORAGE_KEYS.CODE_VERIFIER, codeVerifier);
+      params.code_challenge = codeChallenge;
+      params.code_challenge_method = "S256";
+    }
+    const endpoint = options.signup ? discovery.authorization_endpoint.replace("/authorize", "/authorize/signup") : discovery.authorization_endpoint;
+    const authUrl = buildUrl(endpoint, params);
+    window.location.href = authUrl;
+  }
+  /**
+   * Alias for login({ signup: true })
+   */
+  async signup(options = {}) {
+    return this.login({ ...options, signup: true });
+  }
+  /**
+   * Handle callback from authorization server
+   */
+  async handleCallback(url) {
+    const callbackUrl = url ?? window.location.href;
+    const params = parseUrlParams(callbackUrl);
+    if (params.error) {
+      return {
+        success: false,
+        error: params.error,
+        errorDescription: params.error_description
+      };
+    }
+    const storedState = this.storage.get(STORAGE_KEYS.STATE);
+    if (!storedState || storedState !== params.state) {
+      return {
+        success: false,
+        error: "invalid_state",
+        errorDescription: "State mismatch - possible CSRF attack"
+      };
+    }
+    if (!params.code) {
+      return {
+        success: false,
+        error: "missing_code",
+        errorDescription: "No authorization code received"
+      };
+    }
+    try {
+      const tokens = await this.exchangeCode(params.code);
+      if (tokens.id_token) {
+        const payload = decodeJwtPayload(tokens.id_token);
+        const storedNonce = this.storage.get(STORAGE_KEYS.NONCE);
+        if (payload?.nonce !== storedNonce) {
+          return {
+            success: false,
+            error: "invalid_nonce",
+            errorDescription: "Nonce mismatch - possible replay attack"
+          };
+        }
+      }
+      this.storeTokens(tokens);
+      this.storage.remove(STORAGE_KEYS.STATE);
+      this.storage.remove(STORAGE_KEYS.NONCE);
+      this.storage.remove(STORAGE_KEYS.CODE_VERIFIER);
+      const user = await this.fetchUserInfo(tokens.access_token);
+      if (this.config.autoRefresh && tokens.refresh_token) {
+        this.setupAutoRefresh();
+      }
+      this.notifyListeners();
+      return {
+        success: true,
+        user: user || void 0,
+        accessToken: tokens.access_token,
+        idToken: tokens.id_token,
+        refreshToken: tokens.refresh_token
+      };
+    } catch (error) {
+      return {
+        success: false,
+        error: "token_exchange_failed",
+        errorDescription: error instanceof Error ? error.message : "Unknown error"
+      };
+    }
+  }
+  /**
+   * Exchange authorization code for tokens
+   */
+  async exchangeCode(code) {
+    const discovery = await this.getDiscovery();
+    const body = {
+      grant_type: "authorization_code",
+      client_id: this.config.clientId,
+      code,
+      redirect_uri: this.config.redirectUri
+    };
+    if (this.config.usePkce) {
+      const codeVerifier = this.storage.get(STORAGE_KEYS.CODE_VERIFIER);
+      if (codeVerifier) {
+        body.code_verifier = codeVerifier;
+      }
+    }
+    const response = await fetch(discovery.token_endpoint, {
+      method: "POST",
+      headers: {
+        "Content-Type": "application/x-www-form-urlencoded"
+      },
+      body: new URLSearchParams(body)
+    });
+    if (!response.ok) {
+      const error = await response.json().catch(() => ({}));
+      throw new Error(error.error_description || error.error || "Token exchange failed");
+    }
+    return response.json();
+  }
+  /**
+   * Refresh access token using refresh token
+   */
+  async refreshToken() {
+    const refreshToken = this.storage.get(STORAGE_KEYS.REFRESH_TOKEN);
+    if (!refreshToken) return null;
+    const discovery = await this.getDiscovery();
+    const response = await fetch(discovery.token_endpoint, {
+      method: "POST",
+      headers: {
+        "Content-Type": "application/x-www-form-urlencoded"
+      },
+      body: new URLSearchParams({
+        grant_type: "refresh_token",
+        client_id: this.config.clientId,
+        refresh_token: refreshToken
+      })
+    });
+    if (!response.ok) {
+      this.clearTokens();
+      this.notifyListeners();
+      return null;
+    }
+    const tokens = await response.json();
+    this.storeTokens(tokens);
+    this.notifyListeners();
+    return tokens;
+  }
+  /**
+   * Logout - end session
+   */
+  async logout(options = {}) {
+    const discovery = await this.getDiscovery();
+    const idToken = this.storage.get(STORAGE_KEYS.ID_TOKEN);
+    this.clearTokens();
+    this.notifyListeners();
+    if (discovery.end_session_endpoint) {
+      const params = {
+        post_logout_redirect_uri: options.returnTo ?? this.config.postLogoutRedirectUri,
+        id_token_hint: options.idTokenHint ?? idToken ?? void 0,
+        client_id: this.config.clientId
+      };
+      const logoutUrl = buildUrl(discovery.end_session_endpoint, params);
+      window.location.href = logoutUrl;
+    }
+  }
+  /**
+   * Get current access token (refreshes if needed)
+   */
+  async getAccessToken() {
+    const accessToken = this.storage.get(STORAGE_KEYS.ACCESS_TOKEN);
+    if (!accessToken) return null;
+    if (isTokenExpired(accessToken, this.config.refreshThreshold)) {
+      const tokens = await this.refreshToken();
+      return tokens?.access_token ?? null;
+    }
+    return accessToken;
+  }
+  /**
+   * Get current user from stored ID token
+   */
+  getUser() {
+    const idToken = this.storage.get(STORAGE_KEYS.ID_TOKEN);
+    if (!idToken) return null;
+    return decodeJwtPayload(idToken);
+  }
+  /**
+   * Fetch user info from userinfo endpoint
+   */
+  async fetchUserInfo(accessToken) {
+    const token = accessToken ?? await this.getAccessToken();
+    if (!token) return null;
+    const discovery = await this.getDiscovery();
+    const response = await fetch(discovery.userinfo_endpoint, {
+      headers: {
+        Authorization: `Bearer ${token}`
+      }
+    });
+    if (!response.ok) return null;
+    const user = await response.json();
+    this.storage.set(STORAGE_KEYS.USER, JSON.stringify(user));
+    return user;
+  }
+  /**
+   * Check if user is authenticated
+   */
+  isAuthenticated() {
+    const accessToken = this.storage.get(STORAGE_KEYS.ACCESS_TOKEN);
+    if (!accessToken) return false;
+    return !isTokenExpired(accessToken);
+  }
+  /**
+   * Get current auth state
+   */
+  getAuthState() {
+    const accessToken = this.storage.get(STORAGE_KEYS.ACCESS_TOKEN);
+    const idToken = this.storage.get(STORAGE_KEYS.ID_TOKEN);
+    const user = this.getUser();
+    return {
+      isAuthenticated: this.isAuthenticated(),
+      isLoading: false,
+      user,
+      accessToken,
+      idToken,
+      error: null
+    };
+  }
+  /**
+   * Subscribe to auth state changes
+   */
+  subscribe(listener) {
+    this.listeners.add(listener);
+    return () => this.listeners.delete(listener);
+  }
+  /**
+   * Store tokens in storage
+   */
+  storeTokens(tokens) {
+    this.storage.set(STORAGE_KEYS.ACCESS_TOKEN, tokens.access_token);
+    if (tokens.refresh_token) {
+      this.storage.set(STORAGE_KEYS.REFRESH_TOKEN, tokens.refresh_token);
+    }
+    if (tokens.id_token) {
+      this.storage.set(STORAGE_KEYS.ID_TOKEN, tokens.id_token);
+    }
+    const expiresAt = Date.now() + tokens.expires_in * 1e3;
+    this.storage.set(STORAGE_KEYS.EXPIRES_AT, expiresAt.toString());
+  }
+  /**
+   * Clear all stored tokens
+   */
+  clearTokens() {
+    if (this.refreshTimer) {
+      clearTimeout(this.refreshTimer);
+      this.refreshTimer = null;
+    }
+    this.storage.clear();
+  }
+  /**
+   * Setup auto-refresh timer
+   */
+  setupAutoRefresh() {
+    if (this.refreshTimer) {
+      clearTimeout(this.refreshTimer);
+    }
+    const expiresAt = this.storage.get(STORAGE_KEYS.EXPIRES_AT);
+    if (!expiresAt) return;
+    const expiresAtMs = parseInt(expiresAt, 10);
+    const refreshAt = expiresAtMs - this.config.refreshThreshold * 1e3;
+    const delay = refreshAt - Date.now();
+    if (delay > 0) {
+      this.refreshTimer = setTimeout(async () => {
+        await this.refreshToken();
+        this.setupAutoRefresh();
+      }, delay);
+    }
+  }
+  /**
+   * Notify all listeners of state change
+   */
+  notifyListeners() {
+    const state = this.getAuthState();
+    this.listeners.forEach((listener) => listener(state));
+  }
+};
+function createStuffleIAMClient(config) {
+  return new StuffleIAMClient(config);
+}
+// Annotate the CommonJS export names for ESM import in node:
+0 && (module.exports = {
+  StuffleIAMClient,
+  createStuffleIAMClient,
+  decodeJwtPayload,
+  generateCodeChallenge,
+  generateCodeVerifier,
+  generateRandomString,
+  getStorage,
+  isTokenExpired
+});
+//# sourceMappingURL=index.js.map

dist/index.mjs

@@ -0,0 +1,511 @@
+// src/utils.ts
+function generateRandomString(length = 32) {
+  const array = new Uint8Array(length);
+  crypto.getRandomValues(array);
+  return Array.from(array, (byte) => byte.toString(16).padStart(2, "0")).join("");
+}
+function generateCodeVerifier() {
+  const array = new Uint8Array(32);
+  crypto.getRandomValues(array);
+  return base64UrlEncode(array);
+}
+async function generateCodeChallenge(verifier) {
+  const encoder = new TextEncoder();
+  const data = encoder.encode(verifier);
+  const digest = await crypto.subtle.digest("SHA-256", data);
+  return base64UrlEncode(new Uint8Array(digest));
+}
+function base64UrlEncode(buffer) {
+  let binary = "";
+  for (let i = 0; i < buffer.length; i++) {
+    binary += String.fromCharCode(buffer[i]);
+  }
+  return btoa(binary).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
+}
+function decodeJwtPayload(token) {
+  try {
+    const parts = token.split(".");
+    if (parts.length !== 3) return null;
+    const payload = parts[1];
+    const decoded = atob(payload.replace(/-/g, "+").replace(/_/g, "/"));
+    return JSON.parse(decoded);
+  } catch {
+    return null;
+  }
+}
+function isTokenExpired(token, thresholdSeconds = 0) {
+  const payload = decodeJwtPayload(token);
+  if (!payload?.exp) return true;
+  const now = Math.floor(Date.now() / 1e3);
+  return payload.exp - thresholdSeconds <= now;
+}
+function parseUrlParams(url) {
+  const params = {};
+  const hashIndex = url.indexOf("#");
+  const queryIndex = url.indexOf("?");
+  let paramString = "";
+  if (hashIndex !== -1) {
+    paramString = url.substring(hashIndex + 1);
+  } else if (queryIndex !== -1) {
+    paramString = url.substring(queryIndex + 1);
+  }
+  if (!paramString) return params;
+  const searchParams = new URLSearchParams(paramString);
+  searchParams.forEach((value, key) => {
+    params[key] = value;
+  });
+  return params;
+}
+function buildUrl(base, params) {
+  const url = new URL(base);
+  Object.entries(params).forEach(([key, value]) => {
+    if (value !== void 0 && value !== null) {
+      url.searchParams.append(key, value);
+    }
+  });
+  return url.toString();
+}
+
+// src/storage.ts
+var STORAGE_PREFIX = "stuffle_iam_";
+var LocalStorageAdapter = class {
+  get(key) {
+    try {
+      return localStorage.getItem(STORAGE_PREFIX + key);
+    } catch {
+      return null;
+    }
+  }
+  set(key, value) {
+    try {
+      localStorage.setItem(STORAGE_PREFIX + key, value);
+    } catch {
+      console.warn("LocalStorage not available");
+    }
+  }
+  remove(key) {
+    try {
+      localStorage.removeItem(STORAGE_PREFIX + key);
+    } catch {
+    }
+  }
+  clear() {
+    try {
+      Object.keys(localStorage).filter((k) => k.startsWith(STORAGE_PREFIX)).forEach((k) => localStorage.removeItem(k));
+    } catch {
+    }
+  }
+};
+var SessionStorageAdapter = class {
+  get(key) {
+    try {
+      return sessionStorage.getItem(STORAGE_PREFIX + key);
+    } catch {
+      return null;
+    }
+  }
+  set(key, value) {
+    try {
+      sessionStorage.setItem(STORAGE_PREFIX + key, value);
+    } catch {
+      console.warn("SessionStorage not available");
+    }
+  }
+  remove(key) {
+    try {
+      sessionStorage.removeItem(STORAGE_PREFIX + key);
+    } catch {
+    }
+  }
+  clear() {
+    try {
+      Object.keys(sessionStorage).filter((k) => k.startsWith(STORAGE_PREFIX)).forEach((k) => sessionStorage.removeItem(k));
+    } catch {
+    }
+  }
+};
+var MemoryStorageAdapter = class {
+  constructor() {
+    this.store = /* @__PURE__ */ new Map();
+  }
+  get(key) {
+    return this.store.get(key) ?? null;
+  }
+  set(key, value) {
+    this.store.set(key, value);
+  }
+  remove(key) {
+    this.store.delete(key);
+  }
+  clear() {
+    this.store.clear();
+  }
+};
+function getStorage(type) {
+  switch (type) {
+    case "localStorage":
+      return new LocalStorageAdapter();
+    case "sessionStorage":
+      return new SessionStorageAdapter();
+    case "memory":
+      return new MemoryStorageAdapter();
+    default:
+      return new SessionStorageAdapter();
+  }
+}
+
+// src/client.ts
+var STORAGE_KEYS = {
+  ACCESS_TOKEN: "access_token",
+  REFRESH_TOKEN: "refresh_token",
+  ID_TOKEN: "id_token",
+  CODE_VERIFIER: "code_verifier",
+  STATE: "state",
+  NONCE: "nonce",
+  USER: "user",
+  EXPIRES_AT: "expires_at"
+};
+var StuffleIAMClient = class {
+  constructor(config) {
+    this.discovery = null;
+    this.refreshTimer = null;
+    this.listeners = /* @__PURE__ */ new Set();
+    this.config = {
+      issuer: config.issuer.replace(/\/$/, ""),
+      // Remove trailing slash
+      clientId: config.clientId,
+      redirectUri: config.redirectUri,
+      scopes: config.scopes ?? ["openid", "profile", "email"],
+      postLogoutRedirectUri: config.postLogoutRedirectUri ?? config.redirectUri,
+      usePkce: config.usePkce ?? true,
+      storage: config.storage ?? "sessionStorage",
+      autoRefresh: config.autoRefresh ?? true,
+      refreshThreshold: config.refreshThreshold ?? 60
+    };
+    this.storage = getStorage(this.config.storage);
+  }
+  /**
+   * Fetch OIDC discovery document
+   */
+  async getDiscovery() {
+    if (this.discovery) return this.discovery;
+    const response = await fetch(
+      `${this.config.issuer}/.well-known/openid-configuration`
+    );
+    if (!response.ok) {
+      throw new Error(`Failed to fetch OIDC discovery: ${response.status}`);
+    }
+    this.discovery = await response.json();
+    return this.discovery;
+  }
+  /**
+   * Start login flow - redirects to authorization endpoint
+   */
+  async login(options = {}) {
+    const discovery = await this.getDiscovery();
+    const state = options.state ?? generateRandomString();
+    const nonce = options.nonce ?? generateRandomString();
+    const scopes = [...this.config.scopes, ...options.scopes ?? []];
+    this.storage.set(STORAGE_KEYS.STATE, state);
+    this.storage.set(STORAGE_KEYS.NONCE, nonce);
+    const params = {
+      client_id: this.config.clientId,
+      redirect_uri: this.config.redirectUri,
+      response_type: "code",
+      scope: scopes.join(" "),
+      state,
+      nonce,
+      prompt: options.prompt,
+      login_hint: options.loginHint
+    };
+    if (this.config.usePkce) {
+      const codeVerifier = generateCodeVerifier();
+      const codeChallenge = await generateCodeChallenge(codeVerifier);
+      this.storage.set(STORAGE_KEYS.CODE_VERIFIER, codeVerifier);
+      params.code_challenge = codeChallenge;
+      params.code_challenge_method = "S256";
+    }
+    const endpoint = options.signup ? discovery.authorization_endpoint.replace("/authorize", "/authorize/signup") : discovery.authorization_endpoint;
+    const authUrl = buildUrl(endpoint, params);
+    window.location.href = authUrl;
+  }
+  /**
+   * Alias for login({ signup: true })
+   */
+  async signup(options = {}) {
+    return this.login({ ...options, signup: true });
+  }
+  /**
+   * Handle callback from authorization server
+   */
+  async handleCallback(url) {
+    const callbackUrl = url ?? window.location.href;
+    const params = parseUrlParams(callbackUrl);
+    if (params.error) {
+      return {
+        success: false,
+        error: params.error,
+        errorDescription: params.error_description
+      };
+    }
+    const storedState = this.storage.get(STORAGE_KEYS.STATE);
+    if (!storedState || storedState !== params.state) {
+      return {
+        success: false,
+        error: "invalid_state",
+        errorDescription: "State mismatch - possible CSRF attack"
+      };
+    }
+    if (!params.code) {
+      return {
+        success: false,
+        error: "missing_code",
+        errorDescription: "No authorization code received"
+      };
+    }
+    try {
+      const tokens = await this.exchangeCode(params.code);
+      if (tokens.id_token) {
+        const payload = decodeJwtPayload(tokens.id_token);
+        const storedNonce = this.storage.get(STORAGE_KEYS.NONCE);
+        if (payload?.nonce !== storedNonce) {
+          return {
+            success: false,
+            error: "invalid_nonce",
+            errorDescription: "Nonce mismatch - possible replay attack"
+          };
+        }
+      }
+      this.storeTokens(tokens);
+      this.storage.remove(STORAGE_KEYS.STATE);
+      this.storage.remove(STORAGE_KEYS.NONCE);
+      this.storage.remove(STORAGE_KEYS.CODE_VERIFIER);
+      const user = await this.fetchUserInfo(tokens.access_token);
+      if (this.config.autoRefresh && tokens.refresh_token) {
+        this.setupAutoRefresh();
+      }
+      this.notifyListeners();
+      return {
+        success: true,
+        user: user || void 0,
+        accessToken: tokens.access_token,
+        idToken: tokens.id_token,
+        refreshToken: tokens.refresh_token
+      };
+    } catch (error) {
+      return {
+        success: false,
+        error: "token_exchange_failed",
+        errorDescription: error instanceof Error ? error.message : "Unknown error"
+      };
+    }
+  }
+  /**
+   * Exchange authorization code for tokens
+   */
+  async exchangeCode(code) {
+    const discovery = await this.getDiscovery();
+    const body = {
+      grant_type: "authorization_code",
+      client_id: this.config.clientId,
+      code,
+      redirect_uri: this.config.redirectUri
+    };
+    if (this.config.usePkce) {
+      const codeVerifier = this.storage.get(STORAGE_KEYS.CODE_VERIFIER);
+      if (codeVerifier) {
+        body.code_verifier = codeVerifier;
+      }
+    }
+    const response = await fetch(discovery.token_endpoint, {
+      method: "POST",
+      headers: {
+        "Content-Type": "application/x-www-form-urlencoded"
+      },
+      body: new URLSearchParams(body)
+    });
+    if (!response.ok) {
+      const error = await response.json().catch(() => ({}));
+      throw new Error(error.error_description || error.error || "Token exchange failed");
+    }
+    return response.json();
+  }
+  /**
+   * Refresh access token using refresh token
+   */
+  async refreshToken() {
+    const refreshToken = this.storage.get(STORAGE_KEYS.REFRESH_TOKEN);
+    if (!refreshToken) return null;
+    const discovery = await this.getDiscovery();
+    const response = await fetch(discovery.token_endpoint, {
+      method: "POST",
+      headers: {
+        "Content-Type": "application/x-www-form-urlencoded"
+      },
+      body: new URLSearchParams({
+        grant_type: "refresh_token",
+        client_id: this.config.clientId,
+        refresh_token: refreshToken
+      })
+    });
+    if (!response.ok) {
+      this.clearTokens();
+      this.notifyListeners();
+      return null;
+    }
+    const tokens = await response.json();
+    this.storeTokens(tokens);
+    this.notifyListeners();
+    return tokens;
+  }
+  /**
+   * Logout - end session
+   */
+  async logout(options = {}) {
+    const discovery = await this.getDiscovery();
+    const idToken = this.storage.get(STORAGE_KEYS.ID_TOKEN);
+    this.clearTokens();
+    this.notifyListeners();
+    if (discovery.end_session_endpoint) {
+      const params = {
+        post_logout_redirect_uri: options.returnTo ?? this.config.postLogoutRedirectUri,
+        id_token_hint: options.idTokenHint ?? idToken ?? void 0,
+        client_id: this.config.clientId
+      };
+      const logoutUrl = buildUrl(discovery.end_session_endpoint, params);
+      window.location.href = logoutUrl;
+    }
+  }
+  /**
+   * Get current access token (refreshes if needed)
+   */
+  async getAccessToken() {
+    const accessToken = this.storage.get(STORAGE_KEYS.ACCESS_TOKEN);
+    if (!accessToken) return null;
+    if (isTokenExpired(accessToken, this.config.refreshThreshold)) {
+      const tokens = await this.refreshToken();
+      return tokens?.access_token ?? null;
+    }
+    return accessToken;
+  }
+  /**
+   * Get current user from stored ID token
+   */
+  getUser() {
+    const idToken = this.storage.get(STORAGE_KEYS.ID_TOKEN);
+    if (!idToken) return null;
+    return decodeJwtPayload(idToken);
+  }
+  /**
+   * Fetch user info from userinfo endpoint
+   */
+  async fetchUserInfo(accessToken) {
+    const token = accessToken ?? await this.getAccessToken();
+    if (!token) return null;
+    const discovery = await this.getDiscovery();
+    const response = await fetch(discovery.userinfo_endpoint, {
+      headers: {
+        Authorization: `Bearer ${token}`
+      }
+    });
+    if (!response.ok) return null;
+    const user = await response.json();
+    this.storage.set(STORAGE_KEYS.USER, JSON.stringify(user));
+    return user;
+  }
+  /**
+   * Check if user is authenticated
+   */
+  isAuthenticated() {
+    const accessToken = this.storage.get(STORAGE_KEYS.ACCESS_TOKEN);
+    if (!accessToken) return false;
+    return !isTokenExpired(accessToken);
+  }
+  /**
+   * Get current auth state
+   */
+  getAuthState() {
+    const accessToken = this.storage.get(STORAGE_KEYS.ACCESS_TOKEN);
+    const idToken = this.storage.get(STORAGE_KEYS.ID_TOKEN);
+    const user = this.getUser();
+    return {
+      isAuthenticated: this.isAuthenticated(),
+      isLoading: false,
+      user,
+      accessToken,
+      idToken,
+      error: null
+    };
+  }
+  /**
+   * Subscribe to auth state changes
+   */
+  subscribe(listener) {
+    this.listeners.add(listener);
+    return () => this.listeners.delete(listener);
+  }
+  /**
+   * Store tokens in storage
+   */
+  storeTokens(tokens) {
+    this.storage.set(STORAGE_KEYS.ACCESS_TOKEN, tokens.access_token);
+    if (tokens.refresh_token) {
+      this.storage.set(STORAGE_KEYS.REFRESH_TOKEN, tokens.refresh_token);
+    }
+    if (tokens.id_token) {
+      this.storage.set(STORAGE_KEYS.ID_TOKEN, tokens.id_token);
+    }
+    const expiresAt = Date.now() + tokens.expires_in * 1e3;
+    this.storage.set(STORAGE_KEYS.EXPIRES_AT, expiresAt.toString());
+  }
+  /**
+   * Clear all stored tokens
+   */
+  clearTokens() {
+    if (this.refreshTimer) {
+      clearTimeout(this.refreshTimer);
+      this.refreshTimer = null;
+    }
+    this.storage.clear();
+  }
+  /**
+   * Setup auto-refresh timer
+   */
+  setupAutoRefresh() {
+    if (this.refreshTimer) {
+      clearTimeout(this.refreshTimer);
+    }
+    const expiresAt = this.storage.get(STORAGE_KEYS.EXPIRES_AT);
+    if (!expiresAt) return;
+    const expiresAtMs = parseInt(expiresAt, 10);
+    const refreshAt = expiresAtMs - this.config.refreshThreshold * 1e3;
+    const delay = refreshAt - Date.now();
+    if (delay > 0) {
+      this.refreshTimer = setTimeout(async () => {
+        await this.refreshToken();
+        this.setupAutoRefresh();
+      }, delay);
+    }
+  }
+  /**
+   * Notify all listeners of state change
+   */
+  notifyListeners() {
+    const state = this.getAuthState();
+    this.listeners.forEach((listener) => listener(state));
+  }
+};
+function createStuffleIAMClient(config) {
+  return new StuffleIAMClient(config);
+}
+export {
+  StuffleIAMClient,
+  createStuffleIAMClient,
+  decodeJwtPayload,
+  generateCodeChallenge,
+  generateCodeVerifier,
+  generateRandomString,
+  getStorage,
+  isTokenExpired
+};
+//# sourceMappingURL=index.mjs.map

dist/react.d.mts

@@ -0,0 +1,61 @@
+import * as react_jsx_runtime from 'react/jsx-runtime';
+import { ReactNode } from 'react';
+import { a as StuffleIAMConfig, C as CallbackResult, S as StuffleIAMClient, U as User, L as LoginOptions, b as LogoutOptions } from './client-CTKWBZ26.mjs';
+export { A as AuthState } from './client-CTKWBZ26.mjs';
+
+interface StuffleIAMContextValue {
+    client: StuffleIAMClient;
+    isAuthenticated: boolean;
+    isLoading: boolean;
+    user: User | null;
+    accessToken: string | null;
+    error: Error | null;
+    login: (options?: LoginOptions) => Promise<void>;
+    signup: (options?: Omit<LoginOptions, 'signup'>) => Promise<void>;
+    logout: (options?: LogoutOptions) => Promise<void>;
+    handleCallback: (url?: string) => Promise<CallbackResult>;
+    getAccessToken: () => Promise<string | null>;
+}
+interface StuffleIAMProviderProps extends StuffleIAMConfig {
+    children: ReactNode;
+    /** Called after successful login callback */
+    onLoginSuccess?: (result: CallbackResult) => void;
+    /** Called on login error */
+    onLoginError?: (error: Error) => void;
+    /** Auto-handle callback on mount if URL has code/error */
+    autoHandleCallback?: boolean;
+}
+declare function StuffleIAMProvider({ children, onLoginSuccess, onLoginError, autoHandleCallback, ...config }: StuffleIAMProviderProps): react_jsx_runtime.JSX.Element;
+/**
+ * Hook to access auth state and methods
+ */
+declare function useAuth(): StuffleIAMContextValue;
+/**
+ * Hook to get current user
+ */
+declare function useUser(): User | null;
+/**
+ * Hook to check if user is authenticated
+ */
+declare function useIsAuthenticated(): boolean;
+/**
+ * Hook to get access token (refreshes if needed)
+ */
+declare function useAccessToken(): () => Promise<string | null>;
+/**
+ * Hook to check if user has specific role(s)
+ */
+declare function useHasRole(roles: string | string[]): boolean;
+/**
+ * Higher-order component for protected routes
+ */
+declare function withAuth<P extends object>(WrappedComponent: React.ComponentType<P>, options?: {
+    /** Component to show while loading */
+    LoadingComponent?: React.ComponentType;
+    /** Component to show if not authenticated */
+    UnauthorizedComponent?: React.ComponentType;
+    /** Required roles */
+    roles?: string[];
+}): (props: P) => react_jsx_runtime.JSX.Element | null;
+
+export { CallbackResult, LoginOptions, LogoutOptions, StuffleIAMConfig, StuffleIAMProvider, type StuffleIAMProviderProps, User, useAccessToken, useAuth, useHasRole, useIsAuthenticated, useUser, withAuth };

dist/react.d.ts

@@ -0,0 +1,61 @@
+import * as react_jsx_runtime from 'react/jsx-runtime';
+import { ReactNode } from 'react';
+import { a as StuffleIAMConfig, C as CallbackResult, S as StuffleIAMClient, U as User, L as LoginOptions, b as LogoutOptions } from './client-CTKWBZ26.js';
+export { A as AuthState } from './client-CTKWBZ26.js';
+
+interface StuffleIAMContextValue {
+    client: StuffleIAMClient;
+    isAuthenticated: boolean;
+    isLoading: boolean;
+    user: User | null;
+    accessToken: string | null;
+    error: Error | null;
+    login: (options?: LoginOptions) => Promise<void>;
+    signup: (options?: Omit<LoginOptions, 'signup'>) => Promise<void>;
+    logout: (options?: LogoutOptions) => Promise<void>;
+    handleCallback: (url?: string) => Promise<CallbackResult>;
+    getAccessToken: () => Promise<string | null>;
+}
+interface StuffleIAMProviderProps extends StuffleIAMConfig {
+    children: ReactNode;
+    /** Called after successful login callback */
+    onLoginSuccess?: (result: CallbackResult) => void;
+    /** Called on login error */
+    onLoginError?: (error: Error) => void;
+    /** Auto-handle callback on mount if URL has code/error */
+    autoHandleCallback?: boolean;
+}
+declare function StuffleIAMProvider({ children, onLoginSuccess, onLoginError, autoHandleCallback, ...config }: StuffleIAMProviderProps): react_jsx_runtime.JSX.Element;
+/**
+ * Hook to access auth state and methods
+ */
+declare function useAuth(): StuffleIAMContextValue;
+/**
+ * Hook to get current user
+ */
+declare function useUser(): User | null;
+/**
+ * Hook to check if user is authenticated
+ */
+declare function useIsAuthenticated(): boolean;
+/**
+ * Hook to get access token (refreshes if needed)
+ */
+declare function useAccessToken(): () => Promise<string | null>;
+/**
+ * Hook to check if user has specific role(s)
+ */
+declare function useHasRole(roles: string | string[]): boolean;
+/**
+ * Higher-order component for protected routes
+ */
+declare function withAuth<P extends object>(WrappedComponent: React.ComponentType<P>, options?: {
+    /** Component to show while loading */
+    LoadingComponent?: React.ComponentType;
+    /** Component to show if not authenticated */
+    UnauthorizedComponent?: React.ComponentType;
+    /** Required roles */
+    roles?: string[];
+}): (props: P) => react_jsx_runtime.JSX.Element | null;
+
+export { CallbackResult, LoginOptions, LogoutOptions, StuffleIAMConfig, StuffleIAMProvider, type StuffleIAMProviderProps, User, useAccessToken, useAuth, useHasRole, useIsAuthenticated, useUser, withAuth };

dist/react.js

@@ -0,0 +1,671 @@
+"use strict";
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+
+// src/react/index.tsx
+var react_exports = {};
+__export(react_exports, {
+  StuffleIAMProvider: () => StuffleIAMProvider,
+  useAccessToken: () => useAccessToken,
+  useAuth: () => useAuth,
+  useHasRole: () => useHasRole,
+  useIsAuthenticated: () => useIsAuthenticated,
+  useUser: () => useUser,
+  withAuth: () => withAuth
+});
+module.exports = __toCommonJS(react_exports);
+var import_react = require("react");
+
+// src/utils.ts
+function generateRandomString(length = 32) {
+  const array = new Uint8Array(length);
+  crypto.getRandomValues(array);
+  return Array.from(array, (byte) => byte.toString(16).padStart(2, "0")).join("");
+}
+function generateCodeVerifier() {
+  const array = new Uint8Array(32);
+  crypto.getRandomValues(array);
+  return base64UrlEncode(array);
+}
+async function generateCodeChallenge(verifier) {
+  const encoder = new TextEncoder();
+  const data = encoder.encode(verifier);
+  const digest = await crypto.subtle.digest("SHA-256", data);
+  return base64UrlEncode(new Uint8Array(digest));
+}
+function base64UrlEncode(buffer) {
+  let binary = "";
+  for (let i = 0; i < buffer.length; i++) {
+    binary += String.fromCharCode(buffer[i]);
+  }
+  return btoa(binary).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
+}
+function decodeJwtPayload(token) {
+  try {
+    const parts = token.split(".");
+    if (parts.length !== 3) return null;
+    const payload = parts[1];
+    const decoded = atob(payload.replace(/-/g, "+").replace(/_/g, "/"));
+    return JSON.parse(decoded);
+  } catch {
+    return null;
+  }
+}
+function isTokenExpired(token, thresholdSeconds = 0) {
+  const payload = decodeJwtPayload(token);
+  if (!payload?.exp) return true;
+  const now = Math.floor(Date.now() / 1e3);
+  return payload.exp - thresholdSeconds <= now;
+}
+function parseUrlParams(url) {
+  const params = {};
+  const hashIndex = url.indexOf("#");
+  const queryIndex = url.indexOf("?");
+  let paramString = "";
+  if (hashIndex !== -1) {
+    paramString = url.substring(hashIndex + 1);
+  } else if (queryIndex !== -1) {
+    paramString = url.substring(queryIndex + 1);
+  }
+  if (!paramString) return params;
+  const searchParams = new URLSearchParams(paramString);
+  searchParams.forEach((value, key) => {
+    params[key] = value;
+  });
+  return params;
+}
+function buildUrl(base, params) {
+  const url = new URL(base);
+  Object.entries(params).forEach(([key, value]) => {
+    if (value !== void 0 && value !== null) {
+      url.searchParams.append(key, value);
+    }
+  });
+  return url.toString();
+}
+
+// src/storage.ts
+var STORAGE_PREFIX = "stuffle_iam_";
+var LocalStorageAdapter = class {
+  get(key) {
+    try {
+      return localStorage.getItem(STORAGE_PREFIX + key);
+    } catch {
+      return null;
+    }
+  }
+  set(key, value) {
+    try {
+      localStorage.setItem(STORAGE_PREFIX + key, value);
+    } catch {
+      console.warn("LocalStorage not available");
+    }
+  }
+  remove(key) {
+    try {
+      localStorage.removeItem(STORAGE_PREFIX + key);
+    } catch {
+    }
+  }
+  clear() {
+    try {
+      Object.keys(localStorage).filter((k) => k.startsWith(STORAGE_PREFIX)).forEach((k) => localStorage.removeItem(k));
+    } catch {
+    }
+  }
+};
+var SessionStorageAdapter = class {
+  get(key) {
+    try {
+      return sessionStorage.getItem(STORAGE_PREFIX + key);
+    } catch {
+      return null;
+    }
+  }
+  set(key, value) {
+    try {
+      sessionStorage.setItem(STORAGE_PREFIX + key, value);
+    } catch {
+      console.warn("SessionStorage not available");
+    }
+  }
+  remove(key) {
+    try {
+      sessionStorage.removeItem(STORAGE_PREFIX + key);
+    } catch {
+    }
+  }
+  clear() {
+    try {
+      Object.keys(sessionStorage).filter((k) => k.startsWith(STORAGE_PREFIX)).forEach((k) => sessionStorage.removeItem(k));
+    } catch {
+    }
+  }
+};
+var MemoryStorageAdapter = class {
+  constructor() {
+    this.store = /* @__PURE__ */ new Map();
+  }
+  get(key) {
+    return this.store.get(key) ?? null;
+  }
+  set(key, value) {
+    this.store.set(key, value);
+  }
+  remove(key) {
+    this.store.delete(key);
+  }
+  clear() {
+    this.store.clear();
+  }
+};
+function getStorage(type) {
+  switch (type) {
+    case "localStorage":
+      return new LocalStorageAdapter();
+    case "sessionStorage":
+      return new SessionStorageAdapter();
+    case "memory":
+      return new MemoryStorageAdapter();
+    default:
+      return new SessionStorageAdapter();
+  }
+}
+
+// src/client.ts
+var STORAGE_KEYS = {
+  ACCESS_TOKEN: "access_token",
+  REFRESH_TOKEN: "refresh_token",
+  ID_TOKEN: "id_token",
+  CODE_VERIFIER: "code_verifier",
+  STATE: "state",
+  NONCE: "nonce",
+  USER: "user",
+  EXPIRES_AT: "expires_at"
+};
+var StuffleIAMClient = class {
+  constructor(config) {
+    this.discovery = null;
+    this.refreshTimer = null;
+    this.listeners = /* @__PURE__ */ new Set();
+    this.config = {
+      issuer: config.issuer.replace(/\/$/, ""),
+      // Remove trailing slash
+      clientId: config.clientId,
+      redirectUri: config.redirectUri,
+      scopes: config.scopes ?? ["openid", "profile", "email"],
+      postLogoutRedirectUri: config.postLogoutRedirectUri ?? config.redirectUri,
+      usePkce: config.usePkce ?? true,
+      storage: config.storage ?? "sessionStorage",
+      autoRefresh: config.autoRefresh ?? true,
+      refreshThreshold: config.refreshThreshold ?? 60
+    };
+    this.storage = getStorage(this.config.storage);
+  }
+  /**
+   * Fetch OIDC discovery document
+   */
+  async getDiscovery() {
+    if (this.discovery) return this.discovery;
+    const response = await fetch(
+      `${this.config.issuer}/.well-known/openid-configuration`
+    );
+    if (!response.ok) {
+      throw new Error(`Failed to fetch OIDC discovery: ${response.status}`);
+    }
+    this.discovery = await response.json();
+    return this.discovery;
+  }
+  /**
+   * Start login flow - redirects to authorization endpoint
+   */
+  async login(options = {}) {
+    const discovery = await this.getDiscovery();
+    const state = options.state ?? generateRandomString();
+    const nonce = options.nonce ?? generateRandomString();
+    const scopes = [...this.config.scopes, ...options.scopes ?? []];
+    this.storage.set(STORAGE_KEYS.STATE, state);
+    this.storage.set(STORAGE_KEYS.NONCE, nonce);
+    const params = {
+      client_id: this.config.clientId,
+      redirect_uri: this.config.redirectUri,
+      response_type: "code",
+      scope: scopes.join(" "),
+      state,
+      nonce,
+      prompt: options.prompt,
+      login_hint: options.loginHint
+    };
+    if (this.config.usePkce) {
+      const codeVerifier = generateCodeVerifier();
+      const codeChallenge = await generateCodeChallenge(codeVerifier);
+      this.storage.set(STORAGE_KEYS.CODE_VERIFIER, codeVerifier);
+      params.code_challenge = codeChallenge;
+      params.code_challenge_method = "S256";
+    }
+    const endpoint = options.signup ? discovery.authorization_endpoint.replace("/authorize", "/authorize/signup") : discovery.authorization_endpoint;
+    const authUrl = buildUrl(endpoint, params);
+    window.location.href = authUrl;
+  }
+  /**
+   * Alias for login({ signup: true })
+   */
+  async signup(options = {}) {
+    return this.login({ ...options, signup: true });
+  }
+  /**
+   * Handle callback from authorization server
+   */
+  async handleCallback(url) {
+    const callbackUrl = url ?? window.location.href;
+    const params = parseUrlParams(callbackUrl);
+    if (params.error) {
+      return {
+        success: false,
+        error: params.error,
+        errorDescription: params.error_description
+      };
+    }
+    const storedState = this.storage.get(STORAGE_KEYS.STATE);
+    if (!storedState || storedState !== params.state) {
+      return {
+        success: false,
+        error: "invalid_state",
+        errorDescription: "State mismatch - possible CSRF attack"
+      };
+    }
+    if (!params.code) {
+      return {
+        success: false,
+        error: "missing_code",
+        errorDescription: "No authorization code received"
+      };
+    }
+    try {
+      const tokens = await this.exchangeCode(params.code);
+      if (tokens.id_token) {
+        const payload = decodeJwtPayload(tokens.id_token);
+        const storedNonce = this.storage.get(STORAGE_KEYS.NONCE);
+        if (payload?.nonce !== storedNonce) {
+          return {
+            success: false,
+            error: "invalid_nonce",
+            errorDescription: "Nonce mismatch - possible replay attack"
+          };
+        }
+      }
+      this.storeTokens(tokens);
+      this.storage.remove(STORAGE_KEYS.STATE);
+      this.storage.remove(STORAGE_KEYS.NONCE);
+      this.storage.remove(STORAGE_KEYS.CODE_VERIFIER);
+      const user = await this.fetchUserInfo(tokens.access_token);
+      if (this.config.autoRefresh && tokens.refresh_token) {
+        this.setupAutoRefresh();
+      }
+      this.notifyListeners();
+      return {
+        success: true,
+        user: user || void 0,
+        accessToken: tokens.access_token,
+        idToken: tokens.id_token,
+        refreshToken: tokens.refresh_token
+      };
+    } catch (error) {
+      return {
+        success: false,
+        error: "token_exchange_failed",
+        errorDescription: error instanceof Error ? error.message : "Unknown error"
+      };
+    }
+  }
+  /**
+   * Exchange authorization code for tokens
+   */
+  async exchangeCode(code) {
+    const discovery = await this.getDiscovery();
+    const body = {
+      grant_type: "authorization_code",
+      client_id: this.config.clientId,
+      code,
+      redirect_uri: this.config.redirectUri
+    };
+    if (this.config.usePkce) {
+      const codeVerifier = this.storage.get(STORAGE_KEYS.CODE_VERIFIER);
+      if (codeVerifier) {
+        body.code_verifier = codeVerifier;
+      }
+    }
+    const response = await fetch(discovery.token_endpoint, {
+      method: "POST",
+      headers: {
+        "Content-Type": "application/x-www-form-urlencoded"
+      },
+      body: new URLSearchParams(body)
+    });
+    if (!response.ok) {
+      const error = await response.json().catch(() => ({}));
+      throw new Error(error.error_description || error.error || "Token exchange failed");
+    }
+    return response.json();
+  }
+  /**
+   * Refresh access token using refresh token
+   */
+  async refreshToken() {
+    const refreshToken = this.storage.get(STORAGE_KEYS.REFRESH_TOKEN);
+    if (!refreshToken) return null;
+    const discovery = await this.getDiscovery();
+    const response = await fetch(discovery.token_endpoint, {
+      method: "POST",
+      headers: {
+        "Content-Type": "application/x-www-form-urlencoded"
+      },
+      body: new URLSearchParams({
+        grant_type: "refresh_token",
+        client_id: this.config.clientId,
+        refresh_token: refreshToken
+      })
+    });
+    if (!response.ok) {
+      this.clearTokens();
+      this.notifyListeners();
+      return null;
+    }
+    const tokens = await response.json();
+    this.storeTokens(tokens);
+    this.notifyListeners();
+    return tokens;
+  }
+  /**
+   * Logout - end session
+   */
+  async logout(options = {}) {
+    const discovery = await this.getDiscovery();
+    const idToken = this.storage.get(STORAGE_KEYS.ID_TOKEN);
+    this.clearTokens();
+    this.notifyListeners();
+    if (discovery.end_session_endpoint) {
+      const params = {
+        post_logout_redirect_uri: options.returnTo ?? this.config.postLogoutRedirectUri,
+        id_token_hint: options.idTokenHint ?? idToken ?? void 0,
+        client_id: this.config.clientId
+      };
+      const logoutUrl = buildUrl(discovery.end_session_endpoint, params);
+      window.location.href = logoutUrl;
+    }
+  }
+  /**
+   * Get current access token (refreshes if needed)
+   */
+  async getAccessToken() {
+    const accessToken = this.storage.get(STORAGE_KEYS.ACCESS_TOKEN);
+    if (!accessToken) return null;
+    if (isTokenExpired(accessToken, this.config.refreshThreshold)) {
+      const tokens = await this.refreshToken();
+      return tokens?.access_token ?? null;
+    }
+    return accessToken;
+  }
+  /**
+   * Get current user from stored ID token
+   */
+  getUser() {
+    const idToken = this.storage.get(STORAGE_KEYS.ID_TOKEN);
+    if (!idToken) return null;
+    return decodeJwtPayload(idToken);
+  }
+  /**
+   * Fetch user info from userinfo endpoint
+   */
+  async fetchUserInfo(accessToken) {
+    const token = accessToken ?? await this.getAccessToken();
+    if (!token) return null;
+    const discovery = await this.getDiscovery();
+    const response = await fetch(discovery.userinfo_endpoint, {
+      headers: {
+        Authorization: `Bearer ${token}`
+      }
+    });
+    if (!response.ok) return null;
+    const user = await response.json();
+    this.storage.set(STORAGE_KEYS.USER, JSON.stringify(user));
+    return user;
+  }
+  /**
+   * Check if user is authenticated
+   */
+  isAuthenticated() {
+    const accessToken = this.storage.get(STORAGE_KEYS.ACCESS_TOKEN);
+    if (!accessToken) return false;
+    return !isTokenExpired(accessToken);
+  }
+  /**
+   * Get current auth state
+   */
+  getAuthState() {
+    const accessToken = this.storage.get(STORAGE_KEYS.ACCESS_TOKEN);
+    const idToken = this.storage.get(STORAGE_KEYS.ID_TOKEN);
+    const user = this.getUser();
+    return {
+      isAuthenticated: this.isAuthenticated(),
+      isLoading: false,
+      user,
+      accessToken,
+      idToken,
+      error: null
+    };
+  }
+  /**
+   * Subscribe to auth state changes
+   */
+  subscribe(listener) {
+    this.listeners.add(listener);
+    return () => this.listeners.delete(listener);
+  }
+  /**
+   * Store tokens in storage
+   */
+  storeTokens(tokens) {
+    this.storage.set(STORAGE_KEYS.ACCESS_TOKEN, tokens.access_token);
+    if (tokens.refresh_token) {
+      this.storage.set(STORAGE_KEYS.REFRESH_TOKEN, tokens.refresh_token);
+    }
+    if (tokens.id_token) {
+      this.storage.set(STORAGE_KEYS.ID_TOKEN, tokens.id_token);
+    }
+    const expiresAt = Date.now() + tokens.expires_in * 1e3;
+    this.storage.set(STORAGE_KEYS.EXPIRES_AT, expiresAt.toString());
+  }
+  /**
+   * Clear all stored tokens
+   */
+  clearTokens() {
+    if (this.refreshTimer) {
+      clearTimeout(this.refreshTimer);
+      this.refreshTimer = null;
+    }
+    this.storage.clear();
+  }
+  /**
+   * Setup auto-refresh timer
+   */
+  setupAutoRefresh() {
+    if (this.refreshTimer) {
+      clearTimeout(this.refreshTimer);
+    }
+    const expiresAt = this.storage.get(STORAGE_KEYS.EXPIRES_AT);
+    if (!expiresAt) return;
+    const expiresAtMs = parseInt(expiresAt, 10);
+    const refreshAt = expiresAtMs - this.config.refreshThreshold * 1e3;
+    const delay = refreshAt - Date.now();
+    if (delay > 0) {
+      this.refreshTimer = setTimeout(async () => {
+        await this.refreshToken();
+        this.setupAutoRefresh();
+      }, delay);
+    }
+  }
+  /**
+   * Notify all listeners of state change
+   */
+  notifyListeners() {
+    const state = this.getAuthState();
+    this.listeners.forEach((listener) => listener(state));
+  }
+};
+function createStuffleIAMClient(config) {
+  return new StuffleIAMClient(config);
+}
+
+// src/react/index.tsx
+var import_jsx_runtime = require("react/jsx-runtime");
+var StuffleIAMContext = (0, import_react.createContext)(null);
+function StuffleIAMProvider({
+  children,
+  onLoginSuccess,
+  onLoginError,
+  autoHandleCallback = true,
+  ...config
+}) {
+  const [client] = (0, import_react.useState)(() => createStuffleIAMClient(config));
+  const [state, setState] = (0, import_react.useState)(() => ({
+    isAuthenticated: false,
+    isLoading: true,
+    user: null,
+    accessToken: null,
+    idToken: null,
+    error: null
+  }));
+  (0, import_react.useEffect)(() => {
+    const unsubscribe = client.subscribe(setState);
+    const initialState = client.getAuthState();
+    setState({ ...initialState, isLoading: false });
+    return unsubscribe;
+  }, [client]);
+  (0, import_react.useEffect)(() => {
+    if (!autoHandleCallback) return;
+    const url = window.location.href;
+    const hasCode = url.includes("code=");
+    const hasError = url.includes("error=");
+    if (hasCode || hasError) {
+      setState((prev) => ({ ...prev, isLoading: true }));
+      client.handleCallback(url).then((result) => {
+        setState((prev) => ({ ...prev, isLoading: false }));
+        if (result.success) {
+          onLoginSuccess?.(result);
+          window.history.replaceState({}, "", window.location.pathname);
+        } else {
+          const error = new Error(result.errorDescription || result.error || "Login failed");
+          onLoginError?.(error);
+          setState((prev) => ({ ...prev, error }));
+        }
+      });
+    }
+  }, [client, autoHandleCallback, onLoginSuccess, onLoginError]);
+  const login = (0, import_react.useCallback)(
+    (options) => client.login(options),
+    [client]
+  );
+  const signup = (0, import_react.useCallback)(
+    (options) => client.signup(options),
+    [client]
+  );
+  const logout = (0, import_react.useCallback)(
+    (options) => client.logout(options),
+    [client]
+  );
+  const handleCallback = (0, import_react.useCallback)(
+    (url) => client.handleCallback(url),
+    [client]
+  );
+  const getAccessToken = (0, import_react.useCallback)(
+    () => client.getAccessToken(),
+    [client]
+  );
+  const value = (0, import_react.useMemo)(
+    () => ({
+      client,
+      isAuthenticated: state.isAuthenticated,
+      isLoading: state.isLoading,
+      user: state.user,
+      accessToken: state.accessToken,
+      error: state.error,
+      login,
+      signup,
+      logout,
+      handleCallback,
+      getAccessToken
+    }),
+    [client, state, login, signup, logout, handleCallback, getAccessToken]
+  );
+  return /* @__PURE__ */ (0, import_jsx_runtime.jsx)(StuffleIAMContext.Provider, { value, children });
+}
+function useAuth() {
+  const context = (0, import_react.useContext)(StuffleIAMContext);
+  if (!context) {
+    throw new Error("useAuth must be used within a StuffleIAMProvider");
+  }
+  return context;
+}
+function useUser() {
+  const { user } = useAuth();
+  return user;
+}
+function useIsAuthenticated() {
+  const { isAuthenticated } = useAuth();
+  return isAuthenticated;
+}
+function useAccessToken() {
+  const { getAccessToken } = useAuth();
+  return getAccessToken;
+}
+function useHasRole(roles) {
+  const { user } = useAuth();
+  if (!user?.roles) return false;
+  const requiredRoles = Array.isArray(roles) ? roles : [roles];
+  return requiredRoles.some((role) => user.roles?.includes(role));
+}
+function withAuth(WrappedComponent, options) {
+  return function AuthenticatedComponent(props) {
+    const { isAuthenticated, isLoading, user } = useAuth();
+    if (isLoading) {
+      return options?.LoadingComponent ? /* @__PURE__ */ (0, import_jsx_runtime.jsx)(options.LoadingComponent, {}) : null;
+    }
+    if (!isAuthenticated) {
+      return options?.UnauthorizedComponent ? /* @__PURE__ */ (0, import_jsx_runtime.jsx)(options.UnauthorizedComponent, {}) : null;
+    }
+    if (options?.roles && options.roles.length > 0) {
+      const hasRequiredRole = options.roles.some((role) => user?.roles?.includes(role));
+      if (!hasRequiredRole) {
+        return options?.UnauthorizedComponent ? /* @__PURE__ */ (0, import_jsx_runtime.jsx)(options.UnauthorizedComponent, {}) : null;
+      }
+    }
+    return /* @__PURE__ */ (0, import_jsx_runtime.jsx)(WrappedComponent, { ...props });
+  };
+}
+// Annotate the CommonJS export names for ESM import in node:
+0 && (module.exports = {
+  StuffleIAMProvider,
+  useAccessToken,
+  useAuth,
+  useHasRole,
+  useIsAuthenticated,
+  useUser,
+  withAuth
+});
+//# sourceMappingURL=react.js.map

dist/react.mjs

@@ -0,0 +1,647 @@
+// src/react/index.tsx
+import {
+  createContext,
+  useContext,
+  useState,
+  useEffect,
+  useCallback,
+  useMemo
+} from "react";
+
+// src/utils.ts
+function generateRandomString(length = 32) {
+  const array = new Uint8Array(length);
+  crypto.getRandomValues(array);
+  return Array.from(array, (byte) => byte.toString(16).padStart(2, "0")).join("");
+}
+function generateCodeVerifier() {
+  const array = new Uint8Array(32);
+  crypto.getRandomValues(array);
+  return base64UrlEncode(array);
+}
+async function generateCodeChallenge(verifier) {
+  const encoder = new TextEncoder();
+  const data = encoder.encode(verifier);
+  const digest = await crypto.subtle.digest("SHA-256", data);
+  return base64UrlEncode(new Uint8Array(digest));
+}
+function base64UrlEncode(buffer) {
+  let binary = "";
+  for (let i = 0; i < buffer.length; i++) {
+    binary += String.fromCharCode(buffer[i]);
+  }
+  return btoa(binary).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
+}
+function decodeJwtPayload(token) {
+  try {
+    const parts = token.split(".");
+    if (parts.length !== 3) return null;
+    const payload = parts[1];
+    const decoded = atob(payload.replace(/-/g, "+").replace(/_/g, "/"));
+    return JSON.parse(decoded);
+  } catch {
+    return null;
+  }
+}
+function isTokenExpired(token, thresholdSeconds = 0) {
+  const payload = decodeJwtPayload(token);
+  if (!payload?.exp) return true;
+  const now = Math.floor(Date.now() / 1e3);
+  return payload.exp - thresholdSeconds <= now;
+}
+function parseUrlParams(url) {
+  const params = {};
+  const hashIndex = url.indexOf("#");
+  const queryIndex = url.indexOf("?");
+  let paramString = "";
+  if (hashIndex !== -1) {
+    paramString = url.substring(hashIndex + 1);
+  } else if (queryIndex !== -1) {
+    paramString = url.substring(queryIndex + 1);
+  }
+  if (!paramString) return params;
+  const searchParams = new URLSearchParams(paramString);
+  searchParams.forEach((value, key) => {
+    params[key] = value;
+  });
+  return params;
+}
+function buildUrl(base, params) {
+  const url = new URL(base);
+  Object.entries(params).forEach(([key, value]) => {
+    if (value !== void 0 && value !== null) {
+      url.searchParams.append(key, value);
+    }
+  });
+  return url.toString();
+}
+
+// src/storage.ts
+var STORAGE_PREFIX = "stuffle_iam_";
+var LocalStorageAdapter = class {
+  get(key) {
+    try {
+      return localStorage.getItem(STORAGE_PREFIX + key);
+    } catch {
+      return null;
+    }
+  }
+  set(key, value) {
+    try {
+      localStorage.setItem(STORAGE_PREFIX + key, value);
+    } catch {
+      console.warn("LocalStorage not available");
+    }
+  }
+  remove(key) {
+    try {
+      localStorage.removeItem(STORAGE_PREFIX + key);
+    } catch {
+    }
+  }
+  clear() {
+    try {
+      Object.keys(localStorage).filter((k) => k.startsWith(STORAGE_PREFIX)).forEach((k) => localStorage.removeItem(k));
+    } catch {
+    }
+  }
+};
+var SessionStorageAdapter = class {
+  get(key) {
+    try {
+      return sessionStorage.getItem(STORAGE_PREFIX + key);
+    } catch {
+      return null;
+    }
+  }
+  set(key, value) {
+    try {
+      sessionStorage.setItem(STORAGE_PREFIX + key, value);
+    } catch {
+      console.warn("SessionStorage not available");
+    }
+  }
+  remove(key) {
+    try {
+      sessionStorage.removeItem(STORAGE_PREFIX + key);
+    } catch {
+    }
+  }
+  clear() {
+    try {
+      Object.keys(sessionStorage).filter((k) => k.startsWith(STORAGE_PREFIX)).forEach((k) => sessionStorage.removeItem(k));
+    } catch {
+    }
+  }
+};
+var MemoryStorageAdapter = class {
+  constructor() {
+    this.store = /* @__PURE__ */ new Map();
+  }
+  get(key) {
+    return this.store.get(key) ?? null;
+  }
+  set(key, value) {
+    this.store.set(key, value);
+  }
+  remove(key) {
+    this.store.delete(key);
+  }
+  clear() {
+    this.store.clear();
+  }
+};
+function getStorage(type) {
+  switch (type) {
+    case "localStorage":
+      return new LocalStorageAdapter();
+    case "sessionStorage":
+      return new SessionStorageAdapter();
+    case "memory":
+      return new MemoryStorageAdapter();
+    default:
+      return new SessionStorageAdapter();
+  }
+}
+
+// src/client.ts
+var STORAGE_KEYS = {
+  ACCESS_TOKEN: "access_token",
+  REFRESH_TOKEN: "refresh_token",
+  ID_TOKEN: "id_token",
+  CODE_VERIFIER: "code_verifier",
+  STATE: "state",
+  NONCE: "nonce",
+  USER: "user",
+  EXPIRES_AT: "expires_at"
+};
+var StuffleIAMClient = class {
+  constructor(config) {
+    this.discovery = null;
+    this.refreshTimer = null;
+    this.listeners = /* @__PURE__ */ new Set();
+    this.config = {
+      issuer: config.issuer.replace(/\/$/, ""),
+      // Remove trailing slash
+      clientId: config.clientId,
+      redirectUri: config.redirectUri,
+      scopes: config.scopes ?? ["openid", "profile", "email"],
+      postLogoutRedirectUri: config.postLogoutRedirectUri ?? config.redirectUri,
+      usePkce: config.usePkce ?? true,
+      storage: config.storage ?? "sessionStorage",
+      autoRefresh: config.autoRefresh ?? true,
+      refreshThreshold: config.refreshThreshold ?? 60
+    };
+    this.storage = getStorage(this.config.storage);
+  }
+  /**
+   * Fetch OIDC discovery document
+   */
+  async getDiscovery() {
+    if (this.discovery) return this.discovery;
+    const response = await fetch(
+      `${this.config.issuer}/.well-known/openid-configuration`
+    );
+    if (!response.ok) {
+      throw new Error(`Failed to fetch OIDC discovery: ${response.status}`);
+    }
+    this.discovery = await response.json();
+    return this.discovery;
+  }
+  /**
+   * Start login flow - redirects to authorization endpoint
+   */
+  async login(options = {}) {
+    const discovery = await this.getDiscovery();
+    const state = options.state ?? generateRandomString();
+    const nonce = options.nonce ?? generateRandomString();
+    const scopes = [...this.config.scopes, ...options.scopes ?? []];
+    this.storage.set(STORAGE_KEYS.STATE, state);
+    this.storage.set(STORAGE_KEYS.NONCE, nonce);
+    const params = {
+      client_id: this.config.clientId,
+      redirect_uri: this.config.redirectUri,
+      response_type: "code",
+      scope: scopes.join(" "),
+      state,
+      nonce,
+      prompt: options.prompt,
+      login_hint: options.loginHint
+    };
+    if (this.config.usePkce) {
+      const codeVerifier = generateCodeVerifier();
+      const codeChallenge = await generateCodeChallenge(codeVerifier);
+      this.storage.set(STORAGE_KEYS.CODE_VERIFIER, codeVerifier);
+      params.code_challenge = codeChallenge;
+      params.code_challenge_method = "S256";
+    }
+    const endpoint = options.signup ? discovery.authorization_endpoint.replace("/authorize", "/authorize/signup") : discovery.authorization_endpoint;
+    const authUrl = buildUrl(endpoint, params);
+    window.location.href = authUrl;
+  }
+  /**
+   * Alias for login({ signup: true })
+   */
+  async signup(options = {}) {
+    return this.login({ ...options, signup: true });
+  }
+  /**
+   * Handle callback from authorization server
+   */
+  async handleCallback(url) {
+    const callbackUrl = url ?? window.location.href;
+    const params = parseUrlParams(callbackUrl);
+    if (params.error) {
+      return {
+        success: false,
+        error: params.error,
+        errorDescription: params.error_description
+      };
+    }
+    const storedState = this.storage.get(STORAGE_KEYS.STATE);
+    if (!storedState || storedState !== params.state) {
+      return {
+        success: false,
+        error: "invalid_state",
+        errorDescription: "State mismatch - possible CSRF attack"
+      };
+    }
+    if (!params.code) {
+      return {
+        success: false,
+        error: "missing_code",
+        errorDescription: "No authorization code received"
+      };
+    }
+    try {
+      const tokens = await this.exchangeCode(params.code);
+      if (tokens.id_token) {
+        const payload = decodeJwtPayload(tokens.id_token);
+        const storedNonce = this.storage.get(STORAGE_KEYS.NONCE);
+        if (payload?.nonce !== storedNonce) {
+          return {
+            success: false,
+            error: "invalid_nonce",
+            errorDescription: "Nonce mismatch - possible replay attack"
+          };
+        }
+      }
+      this.storeTokens(tokens);
+      this.storage.remove(STORAGE_KEYS.STATE);
+      this.storage.remove(STORAGE_KEYS.NONCE);
+      this.storage.remove(STORAGE_KEYS.CODE_VERIFIER);
+      const user = await this.fetchUserInfo(tokens.access_token);
+      if (this.config.autoRefresh && tokens.refresh_token) {
+        this.setupAutoRefresh();
+      }
+      this.notifyListeners();
+      return {
+        success: true,
+        user: user || void 0,
+        accessToken: tokens.access_token,
+        idToken: tokens.id_token,
+        refreshToken: tokens.refresh_token
+      };
+    } catch (error) {
+      return {
+        success: false,
+        error: "token_exchange_failed",
+        errorDescription: error instanceof Error ? error.message : "Unknown error"
+      };
+    }
+  }
+  /**
+   * Exchange authorization code for tokens
+   */
+  async exchangeCode(code) {
+    const discovery = await this.getDiscovery();
+    const body = {
+      grant_type: "authorization_code",
+      client_id: this.config.clientId,
+      code,
+      redirect_uri: this.config.redirectUri
+    };
+    if (this.config.usePkce) {
+      const codeVerifier = this.storage.get(STORAGE_KEYS.CODE_VERIFIER);
+      if (codeVerifier) {
+        body.code_verifier = codeVerifier;
+      }
+    }
+    const response = await fetch(discovery.token_endpoint, {
+      method: "POST",
+      headers: {
+        "Content-Type": "application/x-www-form-urlencoded"
+      },
+      body: new URLSearchParams(body)
+    });
+    if (!response.ok) {
+      const error = await response.json().catch(() => ({}));
+      throw new Error(error.error_description || error.error || "Token exchange failed");
+    }
+    return response.json();
+  }
+  /**
+   * Refresh access token using refresh token
+   */
+  async refreshToken() {
+    const refreshToken = this.storage.get(STORAGE_KEYS.REFRESH_TOKEN);
+    if (!refreshToken) return null;
+    const discovery = await this.getDiscovery();
+    const response = await fetch(discovery.token_endpoint, {
+      method: "POST",
+      headers: {
+        "Content-Type": "application/x-www-form-urlencoded"
+      },
+      body: new URLSearchParams({
+        grant_type: "refresh_token",
+        client_id: this.config.clientId,
+        refresh_token: refreshToken
+      })
+    });
+    if (!response.ok) {
+      this.clearTokens();
+      this.notifyListeners();
+      return null;
+    }
+    const tokens = await response.json();
+    this.storeTokens(tokens);
+    this.notifyListeners();
+    return tokens;
+  }
+  /**
+   * Logout - end session
+   */
+  async logout(options = {}) {
+    const discovery = await this.getDiscovery();
+    const idToken = this.storage.get(STORAGE_KEYS.ID_TOKEN);
+    this.clearTokens();
+    this.notifyListeners();
+    if (discovery.end_session_endpoint) {
+      const params = {
+        post_logout_redirect_uri: options.returnTo ?? this.config.postLogoutRedirectUri,
+        id_token_hint: options.idTokenHint ?? idToken ?? void 0,
+        client_id: this.config.clientId
+      };
+      const logoutUrl = buildUrl(discovery.end_session_endpoint, params);
+      window.location.href = logoutUrl;
+    }
+  }
+  /**
+   * Get current access token (refreshes if needed)
+   */
+  async getAccessToken() {
+    const accessToken = this.storage.get(STORAGE_KEYS.ACCESS_TOKEN);
+    if (!accessToken) return null;
+    if (isTokenExpired(accessToken, this.config.refreshThreshold)) {
+      const tokens = await this.refreshToken();
+      return tokens?.access_token ?? null;
+    }
+    return accessToken;
+  }
+  /**
+   * Get current user from stored ID token
+   */
+  getUser() {
+    const idToken = this.storage.get(STORAGE_KEYS.ID_TOKEN);
+    if (!idToken) return null;
+    return decodeJwtPayload(idToken);
+  }
+  /**
+   * Fetch user info from userinfo endpoint
+   */
+  async fetchUserInfo(accessToken) {
+    const token = accessToken ?? await this.getAccessToken();
+    if (!token) return null;
+    const discovery = await this.getDiscovery();
+    const response = await fetch(discovery.userinfo_endpoint, {
+      headers: {
+        Authorization: `Bearer ${token}`
+      }
+    });
+    if (!response.ok) return null;
+    const user = await response.json();
+    this.storage.set(STORAGE_KEYS.USER, JSON.stringify(user));
+    return user;
+  }
+  /**
+   * Check if user is authenticated
+   */
+  isAuthenticated() {
+    const accessToken = this.storage.get(STORAGE_KEYS.ACCESS_TOKEN);
+    if (!accessToken) return false;
+    return !isTokenExpired(accessToken);
+  }
+  /**
+   * Get current auth state
+   */
+  getAuthState() {
+    const accessToken = this.storage.get(STORAGE_KEYS.ACCESS_TOKEN);
+    const idToken = this.storage.get(STORAGE_KEYS.ID_TOKEN);
+    const user = this.getUser();
+    return {
+      isAuthenticated: this.isAuthenticated(),
+      isLoading: false,
+      user,
+      accessToken,
+      idToken,
+      error: null
+    };
+  }
+  /**
+   * Subscribe to auth state changes
+   */
+  subscribe(listener) {
+    this.listeners.add(listener);
+    return () => this.listeners.delete(listener);
+  }
+  /**
+   * Store tokens in storage
+   */
+  storeTokens(tokens) {
+    this.storage.set(STORAGE_KEYS.ACCESS_TOKEN, tokens.access_token);
+    if (tokens.refresh_token) {
+      this.storage.set(STORAGE_KEYS.REFRESH_TOKEN, tokens.refresh_token);
+    }
+    if (tokens.id_token) {
+      this.storage.set(STORAGE_KEYS.ID_TOKEN, tokens.id_token);
+    }
+    const expiresAt = Date.now() + tokens.expires_in * 1e3;
+    this.storage.set(STORAGE_KEYS.EXPIRES_AT, expiresAt.toString());
+  }
+  /**
+   * Clear all stored tokens
+   */
+  clearTokens() {
+    if (this.refreshTimer) {
+      clearTimeout(this.refreshTimer);
+      this.refreshTimer = null;
+    }
+    this.storage.clear();
+  }
+  /**
+   * Setup auto-refresh timer
+   */
+  setupAutoRefresh() {
+    if (this.refreshTimer) {
+      clearTimeout(this.refreshTimer);
+    }
+    const expiresAt = this.storage.get(STORAGE_KEYS.EXPIRES_AT);
+    if (!expiresAt) return;
+    const expiresAtMs = parseInt(expiresAt, 10);
+    const refreshAt = expiresAtMs - this.config.refreshThreshold * 1e3;
+    const delay = refreshAt - Date.now();
+    if (delay > 0) {
+      this.refreshTimer = setTimeout(async () => {
+        await this.refreshToken();
+        this.setupAutoRefresh();
+      }, delay);
+    }
+  }
+  /**
+   * Notify all listeners of state change
+   */
+  notifyListeners() {
+    const state = this.getAuthState();
+    this.listeners.forEach((listener) => listener(state));
+  }
+};
+function createStuffleIAMClient(config) {
+  return new StuffleIAMClient(config);
+}
+
+// src/react/index.tsx
+import { jsx } from "react/jsx-runtime";
+var StuffleIAMContext = createContext(null);
+function StuffleIAMProvider({
+  children,
+  onLoginSuccess,
+  onLoginError,
+  autoHandleCallback = true,
+  ...config
+}) {
+  const [client] = useState(() => createStuffleIAMClient(config));
+  const [state, setState] = useState(() => ({
+    isAuthenticated: false,
+    isLoading: true,
+    user: null,
+    accessToken: null,
+    idToken: null,
+    error: null
+  }));
+  useEffect(() => {
+    const unsubscribe = client.subscribe(setState);
+    const initialState = client.getAuthState();
+    setState({ ...initialState, isLoading: false });
+    return unsubscribe;
+  }, [client]);
+  useEffect(() => {
+    if (!autoHandleCallback) return;
+    const url = window.location.href;
+    const hasCode = url.includes("code=");
+    const hasError = url.includes("error=");
+    if (hasCode || hasError) {
+      setState((prev) => ({ ...prev, isLoading: true }));
+      client.handleCallback(url).then((result) => {
+        setState((prev) => ({ ...prev, isLoading: false }));
+        if (result.success) {
+          onLoginSuccess?.(result);
+          window.history.replaceState({}, "", window.location.pathname);
+        } else {
+          const error = new Error(result.errorDescription || result.error || "Login failed");
+          onLoginError?.(error);
+          setState((prev) => ({ ...prev, error }));
+        }
+      });
+    }
+  }, [client, autoHandleCallback, onLoginSuccess, onLoginError]);
+  const login = useCallback(
+    (options) => client.login(options),
+    [client]
+  );
+  const signup = useCallback(
+    (options) => client.signup(options),
+    [client]
+  );
+  const logout = useCallback(
+    (options) => client.logout(options),
+    [client]
+  );
+  const handleCallback = useCallback(
+    (url) => client.handleCallback(url),
+    [client]
+  );
+  const getAccessToken = useCallback(
+    () => client.getAccessToken(),
+    [client]
+  );
+  const value = useMemo(
+    () => ({
+      client,
+      isAuthenticated: state.isAuthenticated,
+      isLoading: state.isLoading,
+      user: state.user,
+      accessToken: state.accessToken,
+      error: state.error,
+      login,
+      signup,
+      logout,
+      handleCallback,
+      getAccessToken
+    }),
+    [client, state, login, signup, logout, handleCallback, getAccessToken]
+  );
+  return /* @__PURE__ */ jsx(StuffleIAMContext.Provider, { value, children });
+}
+function useAuth() {
+  const context = useContext(StuffleIAMContext);
+  if (!context) {
+    throw new Error("useAuth must be used within a StuffleIAMProvider");
+  }
+  return context;
+}
+function useUser() {
+  const { user } = useAuth();
+  return user;
+}
+function useIsAuthenticated() {
+  const { isAuthenticated } = useAuth();
+  return isAuthenticated;
+}
+function useAccessToken() {
+  const { getAccessToken } = useAuth();
+  return getAccessToken;
+}
+function useHasRole(roles) {
+  const { user } = useAuth();
+  if (!user?.roles) return false;
+  const requiredRoles = Array.isArray(roles) ? roles : [roles];
+  return requiredRoles.some((role) => user.roles?.includes(role));
+}
+function withAuth(WrappedComponent, options) {
+  return function AuthenticatedComponent(props) {
+    const { isAuthenticated, isLoading, user } = useAuth();
+    if (isLoading) {
+      return options?.LoadingComponent ? /* @__PURE__ */ jsx(options.LoadingComponent, {}) : null;
+    }
+    if (!isAuthenticated) {
+      return options?.UnauthorizedComponent ? /* @__PURE__ */ jsx(options.UnauthorizedComponent, {}) : null;
+    }
+    if (options?.roles && options.roles.length > 0) {
+      const hasRequiredRole = options.roles.some((role) => user?.roles?.includes(role));
+      if (!hasRequiredRole) {
+        return options?.UnauthorizedComponent ? /* @__PURE__ */ jsx(options.UnauthorizedComponent, {}) : null;
+      }
+    }
+    return /* @__PURE__ */ jsx(WrappedComponent, { ...props });
+  };
+}
+export {
+  StuffleIAMProvider,
+  useAccessToken,
+  useAuth,
+  useHasRole,
+  useIsAuthenticated,
+  useUser,
+  withAuth
+};
+//# sourceMappingURL=react.mjs.map

src/react/index.tsx

@@ -108,7 +108,7 @@ export function StuffleIAMProvider({
   // Subscribe to auth state changes
   useEffect(() => {
     const unsubscribe = client.subscribe(setState);
-    
+
     // Initialize state
     const initialState = client.getAuthState();
     setState({ ...initialState, isLoading: false });
@@ -126,10 +126,10 @@ export function StuffleIAMProvider({
 
     if (hasCode || hasError) {
       setState(prev => ({ ...prev, isLoading: true }));
-      
+
       client.handleCallback(url).then(result => {
         setState(prev => ({ ...prev, isLoading: false }));
-        
+
         if (result.success) {
           onLoginSuccess?.(result);
           // Clean URL
@@ -238,7 +238,7 @@ export function useAccessToken(): () => Promise<string | null> {
 export function useHasRole(roles: string | string[]): boolean {
   const { user } = useAuth();
   if (!user?.roles) return false;
-  
+
   const requiredRoles = Array.isArray(roles) ? roles : [roles];
   return requiredRoles.some(role => user.roles?.includes(role));
 }
@@ -260,18 +260,21 @@ export function withAuth<P extends object>(
   return function AuthenticatedComponent(props: P) {
     const { isAuthenticated, isLoading, user } = useAuth();
 
+    const LoadingComp = options?.LoadingComponent;
+    const UnauthorizedComp = options?.UnauthorizedComponent;
+
     if (isLoading) {
-      return options?.LoadingComponent ? <options.LoadingComponent /> : null;
+      return LoadingComp ? <LoadingComp /> : null;
     }
 
     if (!isAuthenticated) {
-      return options?.UnauthorizedComponent ? <options.UnauthorizedComponent /> : null;
+      return UnauthorizedComp ? <UnauthorizedComp /> : null;
     }
 
     if (options?.roles && options.roles.length > 0) {
       const hasRequiredRole = options.roles.some(role => user?.roles?.includes(role));
       if (!hasRequiredRole) {
-        return options?.UnauthorizedComponent ? <options.UnauthorizedComponent /> : null;
+        return UnauthorizedComp ? <UnauthorizedComp /> : null;
       }
     }
 

tsup.config.ts

@@ -3,7 +3,7 @@ import { defineConfig } from 'tsup'
 export default defineConfig({
   entry: {
     index: 'src/index.ts',
-    react: 'src/react/index.ts',
+    react: 'src/react/index.tsx',
   },
   format: ['cjs', 'esm'],
   dts: true,
@@ -11,4 +11,7 @@ export default defineConfig({
   splitting: false,
   sourcemap: true,
   external: ['react'],
+  esbuildOptions(options) {
+    options.jsx = 'automatic'
+  },
 })