@nhost/hasura-auth-js
Version:
Hasura-auth client
2 lines • 61.8 kB
JavaScript
"use strict";Object.defineProperty(exports,Symbol.toStringTag,{value:"Module"});const er=require("jwt-decode"),u=require("xstate"),W=require("js-cookie"),rr=require("fetch-ponyfill"),N="nhostRefreshToken",D="nhostRefreshTokenId",v="nhostRefreshTokenExpiresAt",ie=3,Y=60,F=5,J=0,ee=1,A=10,b=20;class O extends Error{constructor(e){super(e.message),Error.captureStackTrace&&Error.captureStackTrace(this,this.constructor),e instanceof Error?(this.name=e.name,this.error={error:e.name,status:ee,message:e.message}):(this.name=e.error,this.error=e)}}const k={status:A,error:"invalid-email",message:"Email is incorrectly formatted"},oe={status:A,error:"invalid-mfa-type",message:"MFA type is invalid"},ae={status:A,error:"invalid-mfa-code",message:"MFA code is invalid"},V={status:A,error:"invalid-password",message:"Password is incorrectly formatted"},j={status:A,error:"invalid-phone-number",message:"Phone number is incorrectly formatted"},ce={status:A,error:"invalid-mfa-ticket",message:"MFA ticket is invalid"},le={status:A,error:"no-mfa-ticket",message:"No MFA ticket has been provided"},ue={status:A,error:"no-refresh-token",message:"No refresh token has been provided"},de={status:b,error:"refresher-already-running",message:"The token refresher is already running. You must wait until is has finished before submitting a new token."},w={status:b,error:"already-signed-in",message:"User is already signed in"},he={status:b,error:"unauthenticated-user",message:"User is not authenticated"},sr={status:b,error:"user-not-anonymous",message:"User is not anonymous"},fe={status:b,error:"unverified-user",message:"Email needs verification"},Ee={status:A,error:"invalid-refresh-token",message:"Invalid or expired refresh token"},me={status:ee,error:"invalid-sign-in-method",message:"Invalid sign-in method"},U={user:null,mfa:null,accessToken:{value:null,expiresAt:null,expiresInSeconds:15},refreshTimer:{startedAt:null,attempts:0,lastAttempt:null},refreshToken:{value:null},importTokenAttempts:0,errors:{}};function nr(n){return new TextEncoder().encode(n)}function P(n){const e=new Uint8Array(n);let r="";for(const t of e)r+=String.fromCharCode(t);return btoa(r).replace(/\+/g,"-").replace(/\//g,"_").replace(/=/g,"")}function re(n){const e=n.replace(/-/g,"+").replace(/_/g,"/"),r=(4-e.length%4)%4,s=e.padEnd(e.length+r,"="),t=atob(s),i=new ArrayBuffer(t.length),l=new Uint8Array(i);for(let f=0;f<t.length;f++)l[f]=t.charCodeAt(f);return i}function ge(){return(window==null?void 0:window.PublicKeyCredential)!==void 0&&typeof window.PublicKeyCredential=="function"}function Te(n){const{id:e}=n;return{...n,id:re(e),transports:n.transports}}function pe(n){return n==="localhost"||/^([a-z0-9]+(-[a-z0-9]+)*\.)+[a-z]{2,}$/i.test(n)}class p extends Error{constructor({message:e,code:r,cause:s,name:t}){super(e,{cause:s}),this.name=t!=null?t:s.name,this.code=r}}function tr({error:n,options:e}){var s,t;const{publicKey:r}=e;if(!r)throw Error("options was missing required publicKey property");if(n.name==="AbortError"){if(e.signal instanceof AbortSignal)return new p({message:"Registration ceremony was sent an abort signal",code:"ERROR_CEREMONY_ABORTED",cause:n})}else if(n.name==="ConstraintError"){if(((s=r.authenticatorSelection)==null?void 0:s.requireResidentKey)===!0)return new p({message:"Discoverable credentials were required but no available authenticator supported it",code:"ERROR_AUTHENTICATOR_MISSING_DISCOVERABLE_CREDENTIAL_SUPPORT",cause:n});if(((t=r.authenticatorSelection)==null?void 0:t.userVerification)==="required")return new p({message:"User verification was required but no available authenticator supported it",code:"ERROR_AUTHENTICATOR_MISSING_USER_VERIFICATION_SUPPORT",cause:n})}else{if(n.name==="InvalidStateError")return new p({message:"The authenticator was previously registered",code:"ERROR_AUTHENTICATOR_PREVIOUSLY_REGISTERED",cause:n});if(n.name==="NotAllowedError")return new p({message:n.message,code:"ERROR_PASSTHROUGH_SEE_CAUSE_PROPERTY",cause:n});if(n.name==="NotSupportedError")return r.pubKeyCredParams.filter(l=>l.type==="public-key").length===0?new p({message:'No entry in pubKeyCredParams was of type "public-key"',code:"ERROR_MALFORMED_PUBKEYCREDPARAMS",cause:n}):new p({message:"No available authenticator supported any of the specified pubKeyCredParams algorithms",code:"ERROR_AUTHENTICATOR_NO_SUPPORTED_PUBKEYCREDPARAMS_ALG",cause:n});if(n.name==="SecurityError"){const i=window.location.hostname;if(pe(i)){if(r.rp.id!==i)return new p({message:`The RP ID "${r.rp.id}" is invalid for this domain`,code:"ERROR_INVALID_RP_ID",cause:n})}else return new p({message:`${window.location.hostname} is an invalid domain`,code:"ERROR_INVALID_DOMAIN",cause:n})}else if(n.name==="TypeError"){if(r.user.id.byteLength<1||r.user.id.byteLength>64)return new p({message:"User ID was not between 1 and 64 characters",code:"ERROR_INVALID_USER_ID_LENGTH",cause:n})}else if(n.name==="UnknownError")return new p({message:"The authenticator was unable to process the specified options, or could not create a new credential",code:"ERROR_AUTHENTICATOR_GENERAL_ERROR",cause:n})}return n}class ir{createNewAbortSignal(){if(this.controller){const r=new Error("Cancelling existing WebAuthn API call for new one");r.name="AbortError",this.controller.abort(r)}const e=new AbortController;return this.controller=e,e.signal}cancelCeremony(){if(this.controller){const e=new Error("Manually cancelling existing WebAuthn API call");e.name="AbortError",this.controller.abort(e),this.controller=void 0}}}const we=new ir,or=["cross-platform","platform"];function Ie(n){if(n&&!(or.indexOf(n)<0))return n}async function Se(n){var a;if(!ge())throw new Error("WebAuthn is not supported in this browser");const r={publicKey:{...n,challenge:re(n.challenge),user:{...n.user,id:nr(n.user.id)},excludeCredentials:(a=n.excludeCredentials)==null?void 0:a.map(Te)}};r.signal=we.createNewAbortSignal();let s;try{s=await navigator.credentials.create(r)}catch(o){throw tr({error:o,options:r})}if(!s)throw new Error("Registration was not completed");const{id:t,rawId:i,response:l,type:f}=s;let h;typeof l.getTransports=="function"&&(h=l.getTransports());let E;if(typeof l.getPublicKeyAlgorithm=="function")try{E=l.getPublicKeyAlgorithm()}catch(o){$("getPublicKeyAlgorithm()",o)}let g;if(typeof l.getPublicKey=="function")try{const o=l.getPublicKey();o!==null&&(g=P(o))}catch(o){$("getPublicKey()",o)}let T;if(typeof l.getAuthenticatorData=="function")try{T=P(l.getAuthenticatorData())}catch(o){$("getAuthenticatorData()",o)}return{id:t,rawId:P(i),response:{attestationObject:P(l.attestationObject),clientDataJSON:P(l.clientDataJSON),transports:h,publicKeyAlgorithm:E,publicKey:g,authenticatorData:T},type:f,clientExtensionResults:s.getClientExtensionResults(),authenticatorAttachment:Ie(s.authenticatorAttachment)}}function $(n,e){console.warn(`The browser extension that intercepted this WebAuthn API call incorrectly implemented ${n}. You should report this error to them.
`,e)}function ar(n){return new TextDecoder("utf-8").decode(n)}function cr(){const n=window.PublicKeyCredential;return n.isConditionalMediationAvailable===void 0?new Promise(e=>e(!1)):n.isConditionalMediationAvailable()}function lr({error:n,options:e}){const{publicKey:r}=e;if(!r)throw Error("options was missing required publicKey property");if(n.name==="AbortError"){if(e.signal instanceof AbortSignal)return new p({message:"Authentication ceremony was sent an abort signal",code:"ERROR_CEREMONY_ABORTED",cause:n})}else{if(n.name==="NotAllowedError")return new p({message:n.message,code:"ERROR_PASSTHROUGH_SEE_CAUSE_PROPERTY",cause:n});if(n.name==="SecurityError"){const s=window.location.hostname;if(pe(s)){if(r.rpId!==s)return new p({message:`The RP ID "${r.rpId}" is invalid for this domain`,code:"ERROR_INVALID_RP_ID",cause:n})}else return new p({message:`${window.location.hostname} is an invalid domain`,code:"ERROR_INVALID_DOMAIN",cause:n})}else if(n.name==="UnknownError")return new p({message:"The authenticator was unable to process the specified options, or could not create a new assertion signature",code:"ERROR_AUTHENTICATOR_GENERAL_ERROR",cause:n})}return n}async function q(n,e=!1){var T,a;if(!ge())throw new Error("WebAuthn is not supported in this browser");let r;((T=n.allowCredentials)==null?void 0:T.length)!==0&&(r=(a=n.allowCredentials)==null?void 0:a.map(Te));const s={...n,challenge:re(n.challenge),allowCredentials:r},t={};if(e){if(!await cr())throw Error("Browser does not support WebAuthn autofill");if(document.querySelectorAll("input[autocomplete$='webauthn']").length<1)throw Error('No <input> with "webauthn" as the only or last value in its `autocomplete` attribute was detected');t.mediation="conditional",s.allowCredentials=[]}t.publicKey=s,t.signal=we.createNewAbortSignal();let i;try{i=await navigator.credentials.get(t)}catch(o){throw lr({error:o,options:t})}if(!i)throw new Error("Authentication was not completed");const{id:l,rawId:f,response:h,type:E}=i;let g;return h.userHandle&&(g=ar(h.userHandle)),{id:l,rawId:P(f),response:{authenticatorData:P(h.authenticatorData),clientDataJSON:P(h.clientDataJSON),signature:P(h.signature),userHandle:g},type:E,clientExtensionResults:i.getClientExtensionResults(),authenticatorAttachment:Ie(i.authenticatorAttachment)}}const H=typeof window!="undefined",K=new Map,ur=n=>{var e;return H&&typeof localStorage!="undefined"?localStorage.getItem(n):(e=K.get(n))!=null?e:null},dr=(n,e)=>{H&&typeof localStorage!="undefined"?e?localStorage.setItem(n,e):localStorage.removeItem(n):e?K.set(n,e):K.has(n)&&K.delete(n)},Re=(n,e)=>{if(n==="localStorage"||n==="web")return ur;if(n==="cookie")return r=>{var s;return H&&(s=W.get(r))!=null?s:null};if(!e)throw Error(`clientStorageType is set to '${n}' but no clientStorage has been given`);if(n==="react-native")return r=>{var s;return(s=e.getItem)==null?void 0:s.call(e,r)};if(n==="capacitor")return r=>{var s;return(s=e.get)==null?void 0:s.call(e,{key:r})};if(n==="expo-secure-storage")return r=>{var s;return(s=e.getItemAsync)==null?void 0:s.call(e,r)};if(n==="custom"){if(e.getItem&&e.removeItem)return e.getItem;if(e.getItemAsync)return e.getItemAsync;throw Error(`clientStorageType is set to 'custom' but clientStorage is missing either "getItem" and "removeItem" properties or "getItemAsync" property`)}throw Error(`Unknown storage type: ${n}`)},_e=(n,e)=>{if(n==="localStorage"||n==="web")return dr;if(n==="cookie")return(r,s)=>{H&&(s?W.set(r,s,{expires:30,sameSite:"lax",httpOnly:!1}):W.remove(r))};if(!e)throw Error(`clientStorageType is set to '${n}' but no clienStorage has been given`);if(n==="react-native")return(r,s)=>{var t,i;return s?(t=e.setItem)==null?void 0:t.call(e,r,s):(i=e.removeItem)==null?void 0:i.call(e,r)};if(n==="capacitor")return(r,s)=>{var t,i;return s?(t=e.set)==null?void 0:t.call(e,{key:r,value:s}):(i=e.remove)==null?void 0:i.call(e,{key:r})};if(n==="expo-secure-storage")return async(r,s)=>{var t,i;return s?(t=e.setItemAsync)==null?void 0:t.call(e,r,s):(i=e.deleteItemAsync)==null?void 0:i.call(e,r)};if(n==="custom"){if(!e.removeItem)throw Error("clientStorageType is set to 'custom' but clientStorage is missing a removeItem property");if(e.setItem)return(r,s)=>{var t,i;return s?(t=e.setItem)==null?void 0:t.call(e,r,s):(i=e.removeItem)==null?void 0:i.call(e,r)};if(e.setItemAsync)return async(r,s)=>{var t,i;return s?(t=e.setItemAsync)==null?void 0:t.call(e,r,s):(i=e.removeItem)==null?void 0:i.call(e,r)};throw Error("clientStorageType is set to 'custom' but clientStorage is missing setItem or setItemAsync property")}throw Error(`Unknown storage type: ${n}`)},C=n=>!n||!n.accessToken.value||!n.accessToken.expiresAt||!n.user?null:{accessToken:n.accessToken.value,accessTokenExpiresIn:(n.accessToken.expiresAt.getTime()-Date.now())/1e3,refreshToken:n.refreshToken.value,user:n.user},_=({accessToken:n,refreshToken:e,isError:r,user:s,error:t})=>r?{session:null,error:t}:s&&n?{session:{accessToken:n,accessTokenExpiresIn:0,refreshToken:e,user:s},error:null}:{session:null,error:null},M=()=>typeof window!="undefined"&&typeof window.location!="undefined";let ke=globalThis.fetch;typeof EdgeRuntime!="string"&&(ke=rr().fetch);const ye=async(n,e,{token:r,body:s,extraHeaders:t}={})=>{const i={"Content-Type":"application/json",Accept:"*/*"};r&&(i.Authorization=`Bearer ${r}`);const l={...i,...t},f={method:e,headers:l};s&&(f.body=JSON.stringify(s));try{const h=await ke(n,f);if(!h.ok){const E=await h.json();return Promise.reject({error:E})}try{return{data:await h.json(),error:null}}catch{return console.warn(`Unexpected response: can't parse the response of the server at ${n}`),{data:"OK",error:null}}}catch{const E={message:"Network Error",status:J,error:"network"};return Promise.reject({error:E})}},I=async(n,e,r,s)=>ye(n,"POST",{token:r,body:e,extraHeaders:s}),Ae=(n,e)=>ye(n,"GET",{token:e}),L=(n,e)=>{const r=e&&Object.entries(e).map(([s,t])=>{const i=Array.isArray(t)?t.join(","):typeof t=="object"?JSON.stringify(t):t;return`${s}=${encodeURIComponent(i)}`}).join("&");return r?`${n}?${r}`:n},R=(n,e)=>{if(!(e!=null&&e.redirectTo))return e;const{redirectTo:r,...s}=e;if(!n)return r.startsWith("/")?s:e;const t=new URL(n),i=Object.fromEntries(new URLSearchParams(t.search)),l=new URL(r.startsWith("/")?t.origin+r:r),f=new URLSearchParams(l.search);let h=Object.fromEntries(f);r.startsWith("/")&&(h={...i,...h});let E=t.pathname;return l.pathname.length>1&&(E+=l.pathname.slice(1)),{...s,redirectTo:L(l.origin+E,h)}};function x(n,e){var t;if(!e){if(typeof window=="undefined")return;e=((t=window.location)==null?void 0:t.href)||""}n=n.replace(/[\[\]]/g,"\\$&");const r=new RegExp("[?&#]"+n+"(=([^&#]*)|&|#|$)"),s=r.exec(e);return s?s[2]?decodeURIComponent(s[2].replace(/\+/g," ")):"":null}function B(n){var r;if(typeof window=="undefined")return;const e=window==null?void 0:window.location;if(e&&e){const s=new URLSearchParams(e.search),t=new URLSearchParams((r=e.hash)==null?void 0:r.slice(1));s.delete(n),t.delete(n);let i=window.location.pathname;Array.from(s).length&&(i+=`?${s.toString()}`),Array.from(t).length&&(i+=`#${t.toString()}`),window.history.pushState({},"",i)}}const y=n=>!!n&&typeof n=="string"&&!!String(n).toLowerCase().match(/^(([^<>()[\]\\.,;:\s@"]+(\.[^<>()[\]\\.,;:\s@"]+)*)|(".+"))@((\[[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\])|(([a-zA-Z\-0-9]+\.)+[a-zA-Z]{2,}))$/),G=n=>!!n&&typeof n=="string"&&n.length>=ie,Q=n=>!!n&&typeof n=="string",Pe=n=>n&&typeof n=="string"&&n.match(/^mfaTotp:[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i),ve=({backendUrl:n,clientUrl:e,broadcastKey:r,clientStorageType:s="web",clientStorage:t,refreshIntervalTime:i,autoRefreshToken:l=!0,autoSignIn:f=!0})=>{const h=Re(s,t),E=_e(s,t),g=async(a,o,c,d)=>(await I(`${n}${a}`,o,c,d)).data;let T=null;if(typeof window!="undefined"&&r)try{T=new BroadcastChannel(r)}catch{}return u.createMachine({schema:{context:{},events:{},services:{}},tsTypes:{},context:U,predictableActionArguments:!0,id:"nhost",type:"parallel",states:{authentication:{initial:"starting",on:{SESSION_UPDATE:[{cond:"hasSession",actions:["saveSession","resetTimer","reportTokenChanged"],target:".signedIn"}]},states:{starting:{tags:["loading"],always:{cond:"isSignedIn",target:"signedIn"},invoke:{id:"importRefreshToken",src:"importRefreshToken",onDone:[{cond:"hasSession",actions:["saveSession","reportTokenChanged"],target:"signedIn"},{target:"signedOut"}],onError:[{cond:"shouldRetryImportToken",actions:"incrementTokenImportAttempts",target:"retryTokenImport"},{actions:["saveAuthenticationError"],target:"signedOut"}]}},retryTokenImport:{tags:["loading"],after:{RETRY_IMPORT_TOKEN_DELAY:"starting"}},signedOut:{initial:"noErrors",entry:"reportSignedOut",states:{noErrors:{},success:{},needsSmsOtp:{},needsMfa:{},failed:{},signingOut:{entry:["clearContextExceptTokens"],exit:["destroyAccessToken","destroyRefreshToken","reportTokenChanged"],invoke:{src:"signout",id:"signingOut",onDone:{target:"success"},onError:{target:"failed",actions:["saveAuthenticationError"]}}}},on:{SIGNIN_PASSWORD:"authenticating.password",SIGNIN_ANONYMOUS:"authenticating.anonymous",SIGNIN_SECURITY_KEY_EMAIL:"authenticating.securityKeyEmail",SIGNIN_SECURITY_KEY:"authenticating.securityKey",SIGNIN_MFA_TOTP:"authenticating.mfa.totp",SIGNIN_PAT:"authenticating.pat",SIGNIN_ID_TOKEN:"authenticating.idToken"}},authenticating:{entry:"resetErrors",states:{password:{invoke:{src:"signInPassword",id:"authenticateUserWithPassword",onDone:[{cond:"hasMfaTicket",actions:["saveMfaTicket"],target:"#nhost.authentication.signedOut.needsMfa"},{actions:["saveSession","reportTokenChanged"],target:"#nhost.authentication.signedIn"}],onError:[{cond:"unverified",target:["#nhost.authentication.signedOut","#nhost.registration.incomplete.needsEmailVerification"]},{actions:"saveAuthenticationError",target:"#nhost.authentication.signedOut.failed"}]}},pat:{invoke:{src:"signInPAT",id:"authenticateWithPAT",onDone:{actions:["savePATSession","reportTokenChanged"],target:"#nhost.authentication.signedIn"},onError:{actions:"saveAuthenticationError",target:"#nhost.authentication.signedOut.failed"}}},idToken:{invoke:{src:"signInIdToken",id:"authenticateWithIdToken",onDone:{actions:["saveSession","reportTokenChanged"],target:"#nhost.authentication.signedIn"},onError:{actions:"saveAuthenticationError",target:"#nhost.authentication.signedOut.failed"}}},anonymous:{invoke:{src:"signInAnonymous",id:"authenticateAnonymously",onDone:{actions:["saveSession","reportTokenChanged"],target:"#nhost.authentication.signedIn"},onError:{actions:"saveAuthenticationError",target:"#nhost.authentication.signedOut.failed"}}},mfa:{states:{totp:{invoke:{src:"signInMfaTotp",id:"signInMfaTotp",onDone:{actions:["saveSession","reportTokenChanged"],target:"#nhost.authentication.signedIn"},onError:{actions:["saveAuthenticationError"],target:"#nhost.authentication.signedOut.failed"}}}}},securityKeyEmail:{invoke:{src:"signInSecurityKeyEmail",id:"authenticateUserWithSecurityKey",onDone:{actions:["saveSession","reportTokenChanged"],target:"#nhost.authentication.signedIn"},onError:[{cond:"unverified",target:["#nhost.authentication.signedOut","#nhost.registration.incomplete.needsEmailVerification"]},{actions:"saveAuthenticationError",target:"#nhost.authentication.signedOut.failed"}]}},securityKey:{invoke:{src:"signInSecurityKey",id:"authenticateUserWithSecurityKey",onDone:{actions:["saveSession","reportTokenChanged"],target:"#nhost.authentication.signedIn"},onError:[{cond:"unverified",target:["#nhost.authentication.signedOut","#nhost.registration.incomplete.needsEmailVerification"]},{actions:"saveAuthenticationError",target:"#nhost.authentication.signedOut.failed"}]}}}},signedIn:{type:"parallel",entry:["reportSignedIn","cleanUrl","broadcastToken","resetErrors"],on:{SIGNOUT:"signedOut.signingOut"},states:{refreshTimer:{id:"timer",initial:"idle",states:{disabled:{type:"final"},stopped:{always:{cond:"noToken",target:"idle"}},idle:{always:[{cond:"isAutoRefreshDisabled",target:"disabled"},{cond:"isRefreshTokenPAT",target:"disabled"},{cond:"hasRefreshToken",target:"running"}]},running:{initial:"pending",entry:"resetTimer",states:{pending:{after:{1e3:{internal:!1,target:"pending"}},always:{cond:"refreshTimerShouldRefresh",target:"refreshing"}},refreshing:{invoke:{src:"refreshToken",id:"refreshToken",onDone:{actions:["saveSession","resetTimer","reportTokenChanged","broadcastToken"],target:"pending"},onError:[{cond:"isUnauthorizedError",target:"#nhost.authentication.signedOut"},{actions:"saveRefreshAttempt",target:"pending"}]}}}}}}}}}},token:{initial:"idle",states:{idle:{on:{TRY_TOKEN:"running"},initial:"noErrors",states:{noErrors:{},error:{}}},running:{invoke:{src:"refreshToken",id:"authenticateWithToken",onDone:{actions:["saveSession","reportTokenChanged","broadcastToken"],target:["#nhost.authentication.signedIn","idle.noErrors"]},onError:[{cond:"isSignedIn",target:"idle.error"},{actions:"saveAuthenticationError",target:["#nhost.authentication.signedOut.failed","idle.error"]}]}}}},registration:{initial:"incomplete",on:{SIGNED_IN:[{cond:"isAnonymous",target:".incomplete"},".complete"]},states:{incomplete:{on:{SIGNUP_EMAIL_PASSWORD:"emailPassword",SIGNUP_SECURITY_KEY:"securityKey",PASSWORDLESS_EMAIL:"passwordlessEmail",PASSWORDLESS_SMS:"passwordlessSms",PASSWORDLESS_SMS_OTP:"passwordlessSmsOtp",SIGNIN_EMAIL_OTP:"signInEmailOTP",VERIFY_EMAIL_OTP:"verifyEmailOTP"},initial:"noErrors",states:{noErrors:{},needsEmailVerification:{},needsOtp:{},failed:{}}},emailPassword:{entry:["resetErrors"],invoke:{src:"signUpEmailPassword",id:"signUpEmailPassword",onDone:[{cond:"hasSession",actions:["saveSession","reportTokenChanged"],target:"#nhost.authentication.signedIn"},{actions:"clearContext",target:["#nhost.authentication.signedOut","incomplete.needsEmailVerification"]}],onError:[{cond:"unverified",target:"incomplete.needsEmailVerification"},{actions:"saveRegistrationError",target:"incomplete.failed"}]}},securityKey:{entry:["resetErrors"],invoke:{src:"signUpSecurityKey",id:"signUpSecurityKey",onDone:[{cond:"hasSession",actions:["saveSession","reportTokenChanged"],target:"#nhost.authentication.signedIn"},{actions:"clearContext",target:["#nhost.authentication.signedOut","incomplete.needsEmailVerification"]}],onError:[{cond:"unverified",target:"incomplete.needsEmailVerification"},{actions:"saveRegistrationError",target:"incomplete.failed"}]}},passwordlessEmail:{entry:["resetErrors"],invoke:{src:"passwordlessEmail",id:"passwordlessEmail",onDone:{actions:"clearContext",target:["#nhost.authentication.signedOut","incomplete.needsEmailVerification"]},onError:{actions:"saveRegistrationError",target:"incomplete.failed"}}},passwordlessSms:{entry:["resetErrors"],invoke:{src:"passwordlessSms",id:"passwordlessSms",onDone:{actions:"clearContext",target:["#nhost.authentication.signedOut","incomplete.needsOtp"]},onError:{actions:"saveRegistrationError",target:"incomplete.failed"}}},passwordlessSmsOtp:{entry:["resetErrors"],invoke:{src:"passwordlessSmsOtp",id:"passwordlessSmsOtp",onDone:{actions:["saveSession","reportTokenChanged"],target:"#nhost.authentication.signedIn"},onError:{actions:"saveRegistrationError",target:"incomplete.failed"}}},signInEmailOTP:{entry:["resetErrors"],invoke:{src:"signInEmailOTP",id:"signInEmailOTP",onDone:{actions:"clearContext",target:["#nhost.authentication.signedOut","incomplete.needsOtp"]},onError:{actions:"saveRegistrationError",target:"incomplete.failed"}}},verifyEmailOTP:{entry:["resetErrors"],invoke:{src:"verifyEmailOTP",id:"verifyEmailOTP",onDone:{actions:["saveSession","reportTokenChanged"],target:"#nhost.authentication.signedIn"},onError:{actions:"saveRegistrationError",target:"incomplete.failed"}}},complete:{on:{SIGNED_OUT:"incomplete"}}}}}},{actions:{reportSignedIn:u.send("SIGNED_IN"),reportSignedOut:u.send("SIGNED_OUT"),reportTokenChanged:u.send("TOKEN_CHANGED"),incrementTokenImportAttempts:u.assign({importTokenAttempts:({importTokenAttempts:a})=>a+1}),clearContext:u.assign(()=>(E(v,null),E(N,null),E(D,null),{...U})),clearContextExceptTokens:u.assign(({accessToken:a,refreshToken:o})=>({...U,accessToken:a,refreshToken:o})),saveSession:u.assign({user:(a,{data:o})=>{var c;return((c=o==null?void 0:o.session)==null?void 0:c.user)||null},accessToken:(a,{data:o})=>{if(o.session){const{accessTokenExpiresIn:c,accessToken:d}=o.session,m=new Date(Date.now()+c*1e3);return E(v,m.toISOString()),{value:d,expiresAt:m,expiresInSeconds:c}}return E(v,null),{value:null,expiresAt:null,expiresInSeconds:null}},refreshToken:(a,{data:o})=>{var m,S;const c=((m=o.session)==null?void 0:m.refreshToken)||null,d=((S=o.session)==null?void 0:S.refreshTokenId)||null;return c&&E(N,c),d&&E(D,d),{value:c}}}),savePATSession:u.assign({user:(a,{data:o})=>{var c;return((c=o==null?void 0:o.session)==null?void 0:c.user)||null},accessToken:(a,{data:o})=>{if(o.session){const{accessTokenExpiresIn:c,accessToken:d}=o.session,m=new Date(Date.now()+c*1e3);return E(v,m.toISOString()),{value:d,expiresAt:m,expiresInSeconds:c}}return E(v,null),{value:null,expiresAt:null,expiresInSeconds:null}},refreshToken:(a,{data:o})=>{var m,S;const c=((m=o.session)==null?void 0:m.refreshToken)||null,d=((S=o.session)==null?void 0:S.refreshTokenId)||null;return c&&E(N,c),d&&E(D,d),{value:c,isPAT:!0}}}),saveMfaTicket:u.assign({mfa:(a,o)=>{var c;return(c=o.data)==null?void 0:c.mfa}}),resetTimer:u.assign({refreshTimer:a=>({startedAt:new Date,attempts:0,lastAttempt:null})}),saveRefreshAttempt:u.assign({refreshTimer:(a,o)=>({startedAt:a.refreshTimer.startedAt,attempts:a.refreshTimer.attempts+1,lastAttempt:new Date})}),saveAuthenticationError:u.assign({errors:({errors:a},{data:{error:o}})=>({...a,authentication:o})}),resetErrors:u.assign({errors:a=>({}),importTokenAttempts:a=>0}),saveRegistrationError:u.assign({errors:({errors:a},{data:{error:o}})=>({...a,registration:o})}),destroyRefreshToken:u.assign({refreshToken:a=>(E(N,null),E(D,null),{value:null})}),destroyAccessToken:u.assign({accessToken:a=>(E(v,null),{value:null,expiresAt:null,expiresInSeconds:null})}),cleanUrl:()=>{f&&x("refreshToken")&&(B("refreshToken"),B("type"))},broadcastToken:a=>{if(f&&r&&T)try{T.postMessage({type:"broadcast_session",payload:{token:a.refreshToken.value,accessToken:a.accessToken.value,user:a.user,expiresAt:a.accessToken.expiresAt?a.accessToken.expiresAt.toISOString():null,expiresInSeconds:a.accessToken.expiresInSeconds}})}catch{}}},guards:{isAnonymous:(a,o)=>{var c;return!!((c=a.user)!=null&&c.isAnonymous)},isSignedIn:a=>!!a.user&&!!a.accessToken.value,noToken:a=>!a.refreshToken.value,isRefreshTokenPAT:a=>{var o;return!!((o=a.refreshToken)!=null&&o.isPAT)},hasRefreshToken:a=>!!a.refreshToken.value,isAutoRefreshDisabled:()=>!l,refreshTimerShouldRefresh:a=>{const{expiresAt:o}=a.accessToken;if(!o)return!1;if(a.refreshTimer.lastAttempt)return a.refreshTimer.attempts>F?!1:Date.now()-a.refreshTimer.lastAttempt.getTime()>Math.pow(2,a.refreshTimer.attempts-1)*5e3;if(o.getTime()<Date.now()||i&&Date.now()-a.refreshTimer.startedAt.getTime()>i*1e3)return!0;if(!a.accessToken.expiresInSeconds)return!1;const d=o.getTime()-Date.now();return d<=Y*1e3/2||d<=Y*1e3&&Math.random()<.1},shouldRetryImportToken:(a,o)=>a.importTokenAttempts<F&&(o.data.error.status===J||o.data.error.status>=500),unverified:(a,{data:{error:o}})=>o.status===401&&(o.message==="Email is not verified"||o.error==="unverified-user"),hasSession:(a,o)=>{var c;return!!((c=o.data)!=null&&c.session)},hasMfaTicket:(a,o)=>{var c;return!!((c=o.data)!=null&&c.mfa)},isUnauthorizedError:(a,{data:{error:o}})=>o.status===401},services:{signInPassword:(a,{email:o,password:c})=>y(o)?G(c)?g("/signin/email-password",{email:o,password:c}):Promise.reject({error:V}):Promise.reject({error:k}),signInPAT:(a,{pat:o})=>g("/signin/pat",{personalAccessToken:o}),signInIdToken:(a,{provider:o,idToken:c,nonce:d})=>g("/signin/idtoken",{provider:o,idToken:c,...d&&{nonce:d}}),passwordlessSms:(a,{phoneNumber:o,options:c})=>{var d;return Q(o)?(d=a.user)!=null&&d.isAnonymous?(console.warn("Deanonymisation from a phone number is not yet implemented in hasura-auth"),g("/user/deanonymize",{signInMethod:"passwordless",connection:"sms",phoneNumber:o,options:R(e,c)},a.accessToken.value)):g("/signin/passwordless/sms",{phoneNumber:o,options:R(e,c)}):Promise.reject({error:j})},passwordlessSmsOtp:(a,{phoneNumber:o,otp:c})=>Q(o)?g("/signin/passwordless/sms/otp",{phoneNumber:o,otp:c}):Promise.reject({error:j}),signInEmailOTP:(a,{email:o,options:c})=>y(o)?g("/signin/otp/email",{email:o,options:R(e,c)}):Promise.reject({error:k}),verifyEmailOTP:(a,{email:o,otp:c})=>y(o)?g("/signin/otp/email/verify",{email:o,otp:c}):Promise.reject({error:k}),passwordlessEmail:(a,{email:o,options:c})=>{var d;return y(o)?(d=a.user)!=null&&d.isAnonymous?g("/user/deanonymize",{signInMethod:"passwordless",connection:"email",email:o,options:R(e,c)},a.accessToken.value):g("/signin/passwordless/email",{email:o,options:R(e,c)}):Promise.reject({error:k})},signInAnonymous:a=>g("/signin/anonymous"),signInMfaTotp:(a,o)=>{var d;const c=o.ticket||((d=a.mfa)==null?void 0:d.ticket);return c?Pe(c)?g("/signin/mfa/totp",{ticket:c,otp:o.otp}):Promise.reject({error:ce}):Promise.reject({error:le})},signInSecurityKeyEmail:async(a,{email:o})=>{if(!y(o))throw new O(k);const c=await g("/signin/webauthn",{email:o});let d;try{d=await q(c)}catch(m){throw new O(m)}return g("/signin/webauthn/verify",{email:o,credential:d})},refreshToken:async(a,o)=>{const c=o.type==="TRY_TOKEN"?o.token:a.refreshToken.value;return{session:await g("/token",{refreshToken:c}),error:null}},signInSecurityKey:async()=>{try{const a=await g("/signin/webauthn",{});let o;try{o=await q(a)}catch(c){throw new O(c)}return g("/signin/webauthn/verify",{credential:o})}catch(a){throw new O(a)}},signout:async(a,o)=>{const c=await g("/signout",{refreshToken:a.refreshToken.value,all:!!o.all},o.all?a.accessToken.value:void 0);if(r&&T)try{T.postMessage({type:"signout"})}catch{}return c},signUpEmailPassword:async(a,{email:o,password:c,options:d,requestOptions:m})=>{var S;return y(o)?G(c)?(S=a.user)!=null&&S.isAnonymous?g("/user/deanonymize",{signInMethod:"email-password",email:o,password:c,options:R(e,d)},a.accessToken.value,m==null?void 0:m.headers):g("/signup/email-password",{email:o,password:c,options:R(e,d)},null,m==null?void 0:m.headers):Promise.reject({error:V}):Promise.reject({error:k})},signUpSecurityKey:async(a,{email:o,options:c,requestOptions:d})=>{if(!y(o))return Promise.reject({error:k});const m=c==null?void 0:c.nickname;m&&delete c.nickname;const S=await g("/signup/webauthn",{email:o,options:c},null,d==null?void 0:d.headers);let ne;try{ne=await Se(S)}catch(Je){throw new O(Je)}return g("/signup/webauthn/verify",{credential:ne,options:{redirectTo:c==null?void 0:c.redirectTo,nickname:m,displayName:c==null?void 0:c.displayName,...(c==null?void 0:c.metadata)&&{metadata:c==null?void 0:c.metadata}}})},importRefreshToken:async a=>{if(a.user&&a.refreshToken.value&&a.accessToken.value&&a.accessToken.expiresAt)return{session:{accessToken:a.accessToken.value,accessTokenExpiresIn:a.accessToken.expiresAt.getTime()-Date.now(),refreshToken:a.refreshToken.value,user:a.user},error:null};let o=null;if(f){const d=x("refreshToken")||null;if(d)try{return{session:await g("/token",{refreshToken:d}),error:null}}catch(m){o=m.error}else{const m=x("error"),S=x("errorDescription");if(m&&S!=="social user already exists")return Promise.reject({session:null,error:{status:A,error:m,message:S||m}})}}const c=await h(N);if(c)try{return{session:await g("/token",{refreshToken:c}),error:null}}catch(d){o=d.error}return o?Promise.reject({error:o,session:null}):{error:null,session:null}}},delays:{RETRY_IMPORT_TOKEN_DELAY:({importTokenAttempts:a})=>Math.pow(2,a-1)*5e3}})},Oe=({backendUrl:n,clientUrl:e,interpreter:r})=>u.createMachine({schema:{context:{},events:{},services:{}},tsTypes:{},predictableActionArguments:!0,id:"changeEmail",initial:"idle",context:{error:null},states:{idle:{on:{REQUEST:[{cond:"invalidEmail",actions:"saveInvalidEmailError",target:".error"},{target:"requesting"}]},initial:"initial",states:{initial:{},success:{},error:{}}},requesting:{invoke:{src:"requestChange",id:"requestChange",onDone:{target:"idle.success",actions:"reportSuccess"},onError:{actions:["saveRequestError","reportError"],target:"idle.error"}}}}},{actions:{saveInvalidEmailError:u.assign({error:s=>k}),saveRequestError:u.assign({error:(s,{data:{error:t}})=>t}),reportError:u.send(s=>({type:"ERROR",error:s.error})),reportSuccess:u.send("SUCCESS")},guards:{invalidEmail:(s,{email:t})=>!y(t)},services:{requestChange:async(s,{email:t,options:i})=>(await I(`${n}/user/email/change`,{newEmail:t,options:R(e,i)},r==null?void 0:r.getSnapshot().context.accessToken.value)).data}}),Ne=({backendUrl:n,interpreter:e})=>u.createMachine({schema:{context:{},events:{},services:{}},tsTypes:{},predictableActionArguments:!0,id:"changePassword",initial:"idle",context:{error:null},states:{idle:{on:{REQUEST:[{cond:"invalidPassword",actions:"saveInvalidPasswordError",target:".error"},{target:"requesting"}]},initial:"initial",states:{initial:{},success:{},error:{}}},requesting:{invoke:{src:"requestChange",id:"requestChange",onDone:{target:"idle.success",actions:"reportSuccess"},onError:{actions:["saveRequestError","reportError"],target:"idle.error"}}}}},{actions:{saveInvalidPasswordError:u.assign({error:r=>V}),saveRequestError:u.assign({error:(r,{data:{error:s}})=>s}),reportError:u.send(r=>({type:"ERROR",error:r.error})),reportSuccess:u.send("SUCCESS")},guards:{invalidPassword:(r,{password:s})=>!G(s)},services:{requestChange:(r,{password:s,ticket:t})=>I(`${n}/user/password`,{newPassword:s,ticket:t},e==null?void 0:e.getSnapshot().context.accessToken.value)}}),hr=({backendUrl:n,interpreter:e})=>u.createMachine({schema:{context:{},events:{}},tsTypes:{},predictableActionArguments:!0,id:"enableMfa",initial:"idle",context:{error:null,imageUrl:null,secret:null},states:{idle:{initial:"initial",on:{GENERATE:"generating",DISABLE:"disabling"},states:{initial:{},error:{},disabled:{}}},generating:{invoke:{src:"generate",id:"generate",onDone:{target:"generated",actions:["reportGeneratedSuccess","saveGeneration"]},onError:{actions:["saveError","reportGeneratedError"],target:"idle.error"}}},generated:{initial:"idle",states:{idle:{initial:"idle",on:{ACTIVATE:[{cond:"invalidMfaType",actions:"saveInvalidMfaTypeError",target:".error"},{cond:"invalidMfaCode",actions:"saveInvalidMfaCodeError",target:".error"},{target:"activating"}],DISABLE:"#enableMfa.disabling"},states:{idle:{},error:{}}},activating:{invoke:{src:"activate",id:"activate",onDone:{target:"activated",actions:"reportSuccess"},onError:{actions:["saveError","reportError"],target:"idle.error"}}},activated:{type:"final"}}},disabling:{invoke:{src:"disable",id:"disable",onDone:{target:"idle.disabled",actions:"reportSuccess"},onError:{actions:["saveError","reportError"],target:"idle.error"}}}}},{actions:{saveInvalidMfaTypeError:u.assign({error:r=>oe}),saveInvalidMfaCodeError:u.assign({error:r=>ae}),saveError:u.assign({error:(r,{data:{error:s}})=>s}),saveGeneration:u.assign({imageUrl:(r,{data:{imageUrl:s}})=>s,secret:(r,{data:{totpSecret:s}})=>s}),reportError:u.send((r,s)=>({type:"ERROR",error:r.error})),reportSuccess:u.send("SUCCESS"),reportGeneratedSuccess:u.send("GENERATED"),reportGeneratedError:u.send(r=>({type:"GENERATED_ERROR",error:r.error}))},guards:{invalidMfaCode:(r,{code:s})=>!s,invalidMfaType:(r,{activeMfaType:s})=>!s||s!=="totp"},services:{generate:async r=>{const{data:s}=await Ae(`${n}/mfa/totp/generate`,e==null?void 0:e.getSnapshot().context.accessToken.value);return s},activate:(r,{code:s,activeMfaType:t})=>I(`${n}/user/mfa`,{code:s,activeMfaType:t},e==null?void 0:e.getSnapshot().context.accessToken.value),disable:(r,{code:s})=>I(`${n}/user/mfa`,{code:s,activeMfaType:""},e==null?void 0:e.getSnapshot().context.accessToken.value)}}),be=({backendUrl:n,clientUrl:e})=>u.createMachine({schema:{context:{},events:{},services:{}},tsTypes:{},predictableActionArguments:!0,id:"changePassword",initial:"idle",context:{error:null},states:{idle:{on:{REQUEST:[{cond:"invalidEmail",actions:"saveInvalidEmailError",target:".error"},{target:"requesting"}]},initial:"initial",states:{initial:{},success:{},error:{}}},requesting:{invoke:{src:"requestChange",id:"requestChange",onDone:{target:"idle.success",actions:"reportSuccess"},onError:{actions:["saveRequestError","reportError"],target:"idle.error"}}}}},{actions:{saveInvalidEmailError:u.assign({error:r=>k}),saveRequestError:u.assign({error:(r,{data:{error:s}})=>s}),reportError:u.send(r=>({type:"ERROR",error:r.error})),reportSuccess:u.send("SUCCESS")},guards:{invalidEmail:(r,{email:s})=>!y(s)},services:{requestChange:(r,{email:s,options:t})=>I(`${n}/user/password/reset`,{email:s,options:R(e,t)})}}),De=({backendUrl:n,clientUrl:e})=>u.createMachine({schema:{context:{},events:{},services:{}},tsTypes:{},predictableActionArguments:!0,id:"sendVerificationEmail",initial:"idle",context:{error:null},states:{idle:{on:{REQUEST:[{cond:"invalidEmail",actions:"saveInvalidEmailError",target:".error"},{target:"requesting"}]},initial:"initial",states:{initial:{},success:{},error:{}}},requesting:{invoke:{src:"request",id:"request",onDone:{target:"idle.success",actions:"reportSuccess"},onError:{actions:["saveRequestError","reportError"],target:"idle.error"}}}}},{actions:{saveInvalidEmailError:u.assign({error:r=>k}),saveRequestError:u.assign({error:(r,{data:{error:s}})=>s}),reportError:u.send(r=>({type:"ERROR",error:r.error})),reportSuccess:u.send("SUCCESS")},guards:{invalidEmail:(r,{email:s})=>!y(s)},services:{request:async(r,{email:s,options:t})=>(await I(`${n}/user/email/send-verification-email`,{email:s,options:R(e,t)})).data}});class se{constructor({clientStorageType:e="web",autoSignIn:r=!0,autoRefreshToken:s=!0,start:t=!0,backendUrl:i,clientUrl:l,broadcastKey:f,devTools:h,...E}){var g;if(this._started=!1,this._subscriptionsQueue=new Set,this._subscriptions=new Set,this.backendUrl=i,this.clientUrl=l,this._machine=ve({...E,backendUrl:i,clientUrl:l,broadcastKey:f,clientStorageType:e,autoSignIn:r,autoRefreshToken:s}),t&&this.start({devTools:h}),typeof window!="undefined"&&f)try{this._channel=new BroadcastChannel(f),r&&((g=this._channel)==null||g.addEventListener("message",T=>{var c;const{type:a,payload:o}=T.data;if(a==="broadcast_session"){const d=(c=this.interpreter)==null?void 0:c.getSnapshot().context,m=d==null?void 0:d.refreshToken.value;this.interpreter&&o.token&&o.token!==m&&this.interpreter.send("SESSION_UPDATE",{data:{session:{user:o.user,accessToken:o.accessToken,refreshToken:o.token,accessTokenExpiresIn:o.expiresInSeconds}}})}})),this._channel.addEventListener("message",T=>{const{type:a}=T.data;a==="signout"&&this.interpreter&&this.interpreter.send("SIGNOUT")})}catch{}}start({devTools:e=!1,initialSession:r,interpreter:s}={}){var l,f;const t={...this.machine.context,accessToken:{...this.machine.context.accessToken},refreshToken:{...this.machine.context.refreshToken}};r&&(t.user=r.user,t.refreshToken.value=(l=r.refreshToken)!=null?l:null,t.accessToken.value=(f=r.accessToken)!=null?f:null,t.accessToken.expiresAt=new Date(Date.now()+r.accessTokenExpiresIn*1e3));const i=this.machine.withContext(t);this._interpreter||(this._interpreter=s||u.interpret(i,{devTools:e})),(!this._started||typeof window=="undefined")&&(this._interpreter.initialized&&(this._interpreter.stop(),this._subscriptions.forEach(h=>h())),this._interpreter.start(i.initialState),this._subscriptionsQueue.forEach(h=>h(this))),this._started=!0}get machine(){return this._machine}get interpreter(){return this._interpreter}get started(){return this._started}subscribe(e){if(this.started){const r=e(this);return this._subscriptions.add(r),r}else return this._subscriptionsQueue.add(e),()=>{console.log("onTokenChanged was added before the interpreter started. Cannot unsubscribe listener.")}}}class Ce extends se{constructor({...e}){super({...e,autoSignIn:M()&&e.autoSignIn,autoRefreshToken:M()&&e.autoRefreshToken,clientStorageType:"cookie"})}}const fr=Ce,xe=async({backendUrl:n,interpreter:e},r)=>{try{const{data:s}=await I(`${n}/user/webauthn/add`,{},e==null?void 0:e.getSnapshot().context.accessToken.value);let t;try{t=await Se(s)}catch(l){throw new O(l)}const{data:i}=await I(`${n}/user/webauthn/verify`,{credential:t,nickname:r},e==null?void 0:e.getSnapshot().context.accessToken.value);return{key:i,isError:!1,error:null,isSuccess:!0}}catch(s){const{error:t}=s;return{isError:!0,error:t,isSuccess:!1}}},Me=async(n,e,r)=>new Promise(s=>{n.send("REQUEST",{email:e,options:r}),n.onTransition(t=>{t.matches({idle:"error"})?s({error:t.context.error,isError:!0,needsEmailVerification:!1}):t.matches({idle:"success"})&&s({error:null,isError:!1,needsEmailVerification:!0})})}),Ue=async(n,e,r)=>new Promise(s=>{n.send("REQUEST",{password:e,ticket:r}),n.onTransition(t=>{t.matches({idle:"error"})?s({error:t.context.error,isError:!0,isSuccess:!1}):t.matches({idle:"success"})&&s({error:null,isError:!1,isSuccess:!0})})}),Er=n=>new Promise(e=>{n.send("GENERATE"),n.onTransition(r=>{r.matches("generated")?e({error:null,isError:!1,isGenerated:!0,qrCodeDataUrl:r.context.imageUrl||"",totpSecret:r.context.secret}):r.matches({idle:"error"})&&e({error:r.context.error||null,isError:!0,isGenerated:!1,qrCodeDataUrl:"",totpSecret:r.context.secret})})}),mr=(n,e)=>new Promise(r=>{n.send("ACTIVATE",{activeMfaType:"totp",code:e}),n.onTransition(s=>{s.matches({generated:"activated"})?r({error:null,isActivated:!0,isError:!1}):s.matches({generated:{idle:"error"}})&&r({error:s.context.error,isActivated:!1,isError:!0})})}),gr=(n,e)=>new Promise(r=>{n.send("DISABLE",{code:e}),n.onTransition(s=>{s.matches({idle:"disabled"})?r({error:null,isDisabled:!0,isError:!1}):s.matches({idle:"error"})&&r({error:s.context.error,isDisabled:!1,isError:!0})})}),Ke=async(n,e,r)=>new Promise(s=>{n.send("REQUEST",{email:e,options:r}),n.onTransition(t=>{t.matches({idle:"error"})?s({error:t.context.error,isError:!0,isSent:!1}):t.matches({idle:"success"})&&s({error:null,isError:!1,isSent:!0})})}),Ve=(n,e,r)=>new Promise(s=>{n.send("REQUEST",{email:e,options:r}),n.onTransition(t=>{t.matches({idle:"error"})?s({error:t.context.error,isError:!0,isSent:!1}):t.matches({idle:"success"})&&s({error:null,isError:!1,isSent:!0})})}),Le=n=>new Promise(e=>{const{changed:r}=n.send("SIGNIN_ANONYMOUS");r||e({isSuccess:!1,isError:!0,error:w,user:null,accessToken:null,refreshToken:null}),n.onTransition(s=>{s.matches({authentication:"signedIn"})&&e({isSuccess:!0,isError:!1,error:null,user:s.context.user,accessToken:s.context.accessToken.value,refreshToken:s.context.refreshToken.value}),s.matches({authentication:{signedOut:"failed"}})&&e({isSuccess:!1,isError:!0,error:s.context.errors.authentication||null,user:null,accessToken:null,refreshToken:null})})}),Ge=(n,e,r)=>new Promise(s=>{const{changed:t,context:i}=n.send("SIGNIN_PASSWORD",{email:e,password:r});if(!t)return s({accessToken:i.accessToken.value,refreshToken:i.refreshToken.value,error:w,isError:!0,isSuccess:!1,needsEmailVerification:!1,needsMfaOtp:!1,mfa:null,user:i.user});n.onTransition(l=>{l.matches({authentication:{signedOut:"noErrors"},registration:{incomplete:"needsEmailVerification"}})?s({accessToken:null,refreshToken:null,error:null,isError:!1,isSuccess:!1,needsEmailVerification:!0,needsMfaOtp:!1,mfa:null,user:null}):l.matches({authentication:{signedOut:"needsMfa"}})?s({accessToken:null,refreshToken:null,error:null,isError:!1,isSuccess:!1,needsEmailVerification:!1,needsMfaOtp:!0,mfa:l.context.mfa,user:null}):l.matches({authentication:{signedOut:"failed"}})?s({accessToken:null,refreshToken:null,error:l.context.errors.authentication||null,isError:!0,isSuccess:!1,needsEmailVerification:!1,needsMfaOtp:!1,mfa:null,user:null}):l.matches({authentication:"signedIn"})&&s({accessToken:l.context.accessToken.value,refreshToken:l.context.refreshToken.value,error:null,isError:!1,isSuccess:!0,needsEmailVerification:!1,needsMfaOtp:!1,mfa:null,user:l.context.user})})}),z=(n,e,r)=>new Promise(s=>{const{changed:t}=n.send("PASSWORDLESS_EMAIL",{email:e,options:r});if(!t)return s({error:w,isError:!0,isSuccess:!1});n.onTransition(i=>{i.matches("registration.incomplete.failed")?s({error:i.context.errors.registration||null,isError:!0,isSuccess:!1}):i.matches({authentication:{signedOut:"noErrors"},registration:{incomplete:"needsEmailVerification"}})&&s({error:null,isError:!1,isSuccess:!0})})}),He=(n,e)=>new Promise(r=>{const{changed:s,context:t}=n.send({type:"SIGNIN_SECURITY_KEY_EMAIL",email:e});if(!s)return r({accessToken:t.accessToken.value,refreshToken:t.refreshToken.value,error:w,isError:!0,isSuccess:!1,needsEmailVerification:!1,user:t.user});n.onTransition(i=>{i.matches({authentication:{signedOut:"noErrors"},registration:{incomplete:"needsEmailVerification"}})?r({accessToken:null,refreshToken:null,error:null,isError:!1,isSuccess:!1,needsEmailVerification:!0,user:null}):i.matches({authentication:{signedOut:"failed"}})?r({accessToken:null,refreshToken:null,error:i.context.errors.authentication||null,isError:!0,isSuccess:!1,needsEmailVerification:!1,user:null}):i.matches({authentication:"signedIn"})&&r({accessToken:i.context.accessToken.value,refreshToken:i.context.refreshToken.value,error:null,isError:!1,isSuccess:!0,needsEmailVerification:!1,user:i.context.user})})});function te(n){return{error:n.message||"Something went wrong!",status:n.status||1,message:n.message||"Something went wrong!"}}const $e=async(n,e)=>{var l,f;const r=(l=n.interpreter)==null?void 0:l.getSnapshot(),s=r==null?void 0:r.context.accessToken.value;let t;try{t=(await I(`${n.backendUrl}/elevate/webauthn`,{email:e},s)).data}catch(h){return{error:te(h),isError:!0,isSuccess:!1,elevated:!1}}let i;try{i=await q(t)}catch(h){return{error:te(h),isError:!0,isSuccess:!1,elevated:!1}}try{const{data:{session:h},error:E}=await I(`${n.backendUrl}/elevate/webauthn/verify`,{email:e,credential:i},s);return h&&!E?((f=n.interpreter)==null||f.send({type:"SESSION_UPDATE",data:{session:h}}),{error:null,isError:!1,isSuccess:!0,elevated:!0}):{error:E,isError:!0,isSuccess:!1,elevated:!1}}catch(h){const{error:E}=h;return{error:E,isError:!0,isSuccess:!1,elevated:!1}}},We=(n,e,r)=>new Promise(s=>{const{changed:t,context:i}=n.send("SIGNIN_MFA_TOTP",{otp:e,ticket:r});if(!t)return s({accessToken:i.accessToken.value,refreshToken:i.refreshToken.value,error:w,isError:!0,isSuccess:!1,user:i.user});n.onTransition(l=>{l.matches({authentication:{signedOut:"failed"}})?s({accessToken:null,refreshToken:null,error:l.context.errors.authentication||null,isError:!0,isSuccess:!1,user:null}):l.matches({authentication:"signedIn"})&&s({accessToken:l.context.accessToken.value,refreshToken:l.context.refreshToken.value,error:null,isError:!1,isSuccess:!0,user:l.context.user})})}),Ye=(n,e)=>new Promise(r=>{const{changed:s}=n.send("SIGNIN_PAT",{pat:e});s||r({isSuccess:!1,isError:!0,error:w,user:null,accessToken:null,refreshToken:null}),n.onTransition(t=>{if(t.matches({authentication:{signedOut:"failed"}}))return r({accessToken:null,refreshToken:null,user:null,error:t.context.errors.authentication||null,isError:!0,isSuccess:!1});if(t.matches({authentication:"signedIn"}))return r({accessToken:t.context.accessToken.value,refreshToken:t.context.refreshToken.value,user:t.context.user,error:null,isError:!1,isSuccess:!0})})}),X=(n,e,r)=>new Promise(s=>{const{changed:t}=n.send("PASSWORDLESS_SMS",{phoneNumber:e,options:r});if(!t)return s({error:w,isError:!0,isSuccess:!1,needsOtp:!1});n.onTransition(i=>{i.matches("registration.incomplete.needsOtp")?s({error:null,isError:!1,isSuccess:!1,needsOtp:!0}):i.matches("registration.incomplete.failed")&&s({error:i.context.errors.authentication||null,isError:!0,isSuccess:!1,needsOtp:!1})})}),Fe=(n,e,r)=>new Promise(s=>{const{changed:t}=n.send({type:"PASSWORDLESS_SMS_OTP",phoneNumber:e,otp:r});if(!t)return s({error:w,isError:!0,isSuccess:!1,user:null,accessToken:null,refreshToken:null});n.onTransition(i=>{i.matches({authentication:"signedIn"})?s({error:null,isError:!1,isSuccess:!0,user:i.context.user,accessToken:i.context.accessToken.value,refreshToken:i.context.refreshToken.value}):i.matches({registration:{incomplete:"failed"}})&&s({error:i.context.errors.authentication||null,isError:!0,isSuccess:!1,user:null,accessToken:null,refreshToken:null})})}),je=async(n,e)=>new Promise(r=>{const{event:s}=n.send("SIGNOUT",{all:e});if(s.type!=="SIGNED_OUT")return r({isSuccess:!1,isError:!0,error:he});n.onTransition(t=>{t.matches({authentication:{signedOut:"success"}})?r({isSuccess:!0,isError:!1,error:null}):t.matches("authentication.signedOut.failed")&&r({isSuccess:!1,isError:!0,error:t.context.errors.signout||null})})}),Z=(n,e,r,s,t)=>new Promise(i=>{const{changed:l,context:f}=n.send("SIGNUP_EMAIL_PASSWORD",{email:e,password:r,options:s,requestOptions:t});if(!l)return i({error:w,accessToken:f.accessToken.value,refreshToken:f.refreshToken.value,isError:!0,isSuccess:!1,needsEmailVerification:!1,user:f.user});n.onTransition(h=>{h.matches("registration.incomplete.failed")?i({accessToken:null,refreshToken:null,error:h.context.errors.registration||null,isError:!0,isSuccess:!1,needsEmailVerification:!1,user:null}):h.matches({authentication:{signedOut:"noErrors"},registration:{incomplete:"needsEmailVerification"}})?i({accessToken:null,refreshToken:null,error:null,isError:!1,isSuccess:!1,needsEmailVerification:!0,user:null}):h.matches({authentication:"signedIn",registration:"complete"})&&i({accessToken:h.context.accessToken.value,refreshToken:h.context.refreshToken.value,error:null,isError:!1,isSuccess:!0,needsEmailVerification:!1,user:h.context.user})})}),qe=(n,e,r,s)=>new Promise(t=>{const{changed:i,context:l}=n.send("SIGNUP_SECURITY_KEY",{email:e,options:r,requestOptions:s});if(!i)return t({error:w,accessToken:l.accessToken.value,refreshToken:l.refreshToken.value,isError:!0,isSuccess:!1,needsEmailVerification:!1,user:l.user});n.onTransition(f=>{f.matches("registration.incomplete.failed")?t({accessToken:null,refreshToken:null,error:f.context.errors.registration||null,isError:!0,isSuccess:!1,needsEmailVerification:!1,user:null}):f.matches({authentication:{signedOut:"noErrors"},registration:{incomplete:"needsEmailVerification"}})?t({accessToken:null,refreshToken:null,error:null,isError:!1,isSuccess:!1,needsEmailVerification:!0,user:null}):f.matches({authentication:"signedIn",registration:"complete"})&&t({accessToken:f.context.accessToken.value,refreshToken:f.context.refreshToken.value,error:null,isError:!1,isSuccess:!0,needsEmailVerification:!1,user:f.context.user})})}),Be=(n,e,r)=>new Promise(s=>{const{changed:t}=n.send("SIGNIN_EMAIL_OTP",{email:e,options:r});if(!t)return s({error:w,isError:!0,isSuccess:!1,needsOtp:!1});n.onTransition(i=>{i.matches("registration.incomplete.needsOtp")?s({error:null,isError:!1,isSuccess:!0,needsOtp:!0}):i.matches("registration.incomplete.failed")&&s({error:i.context.errors.authentication||null,isError:!0,isSuccess:!1,needsOtp:!1})})}),Qe=(n,e,r)=>new Promise(s=>{const{changed:t}=n.send({type:"VERIFY_EMAIL_OTP",email:e,otp:r});if(!t)return s({error:w,is