"use strict";
var __defProp = Object.defineProperty;
var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
var __getOwnPropNames = Object.getOwnPropertyNames;
var __hasOwnProp = Object.prototype.hasOwnProperty;
var __export = (target, all) => {
  for (var name in all)
    __defProp(target, name, { get: all[name], enumerable: true });
};
var __copyProps = (to, from, except, desc) => {
  if (from && typeof from === "object" || typeof from === "function") {
    for (let key of __getOwnPropNames(from))
      if (!__hasOwnProp.call(to, key) && key !== except)
        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
  }
  return to;
};
var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);

// src/adapters/angular.ts
var angular_exports = {};
__export(angular_exports, {
  provideZitadelAuth: () => provideZitadelAuth,
  zitadelGuard: () => zitadelGuard
});
module.exports = __toCommonJS(angular_exports);

// src/client.ts
var import_oidc_client_ts = require("oidc-client-ts");

// src/guards.ts
var RedirectGuard = class {
  constructor(maxRedirects, windowSeconds, prefix) {
    this.maxRedirects = maxRedirects;
    this.windowSeconds = windowSeconds;
    this.countKey = `${prefix}redirect_count`;
    this.tsKey = `${prefix}redirect_ts`;
  }
  isLooping() {
    const count = parseInt(sessionStorage.getItem(this.countKey) ?? "0", 10);
    const ts = parseInt(sessionStorage.getItem(this.tsKey) ?? "0", 10);
    if (ts > 0 && Date.now() - ts > this.windowSeconds * 1e3) {
      this.clear();
      return false;
    }
    return count > this.maxRedirects;
  }
  recordRedirect() {
    const count = parseInt(sessionStorage.getItem(this.countKey) ?? "0", 10);
    if (count === 0) {
      sessionStorage.setItem(this.tsKey, String(Date.now()));
    }
    sessionStorage.setItem(this.countKey, String(count + 1));
  }
  clear() {
    sessionStorage.removeItem(this.countKey);
    sessionStorage.removeItem(this.tsKey);
  }
};

// src/client.ts
var ZitadelAuth = class {
  constructor(config) {
    this.currentUser = null;
    this._isLoading = true;
    this._error = null;
    this.listeners = /* @__PURE__ */ new Set();
    this.prefix = config.storagePrefix ?? "kuns_auth_";
    this.redirectGuard = new RedirectGuard(
      config.maxRedirects ?? 3,
      config.redirectWindowSeconds ?? 30,
      this.prefix
    );
    this.manager = new import_oidc_client_ts.UserManager({
      authority: config.issuer ?? "https://auth.kuns.dev",
      client_id: config.clientId,
      redirect_uri: config.redirectUri ?? `${window.location.origin}/auth/callback`,
      post_logout_redirect_uri: config.postLogoutUri ?? window.location.origin,
      scope: (config.scopes ?? ["openid", "profile", "email"]).join(" "),
      automaticSilentRenew: config.silentRenew ?? true,
      userStore: new import_oidc_client_ts.WebStorageStateStore({ store: window.localStorage })
    });
    this.manager.events.addUserLoaded((user) => {
      this.currentUser = user;
      this.notify();
    });
    this.manager.events.addUserUnloaded(() => {
      this.currentUser = null;
      this.notify();
    });
    this.manager.events.addSilentRenewError(() => {
    });
  }
  get isAuthenticated() {
    return this.currentUser != null && !this.currentUser.expired;
  }
  get isLoading() {
    return this._isLoading;
  }
  get user() {
    if (!this.currentUser) return null;
    return {
      sub: this.currentUser.profile.sub,
      name: this.currentUser.profile.name ?? "",
      email: this.currentUser.profile.email ?? ""
    };
  }
  get accessToken() {
    if (!this.currentUser || this.currentUser.expired) return null;
    return this.currentUser.access_token;
  }
  get error() {
    return this._error;
  }
  async init() {
    this._isLoading = true;
    this.notify();
    try {
      if (window.location.pathname.endsWith("/auth/callback")) {
        const user = await this.manager.signinRedirectCallback();
        this.currentUser = user;
        this.redirectGuard.clear();
        const returnUrl = sessionStorage.getItem(`${this.prefix}return_url`) ?? "/";
        sessionStorage.removeItem(`${this.prefix}return_url`);
        window.history.replaceState({}, "", returnUrl);
      } else {
        const user = await this.manager.getUser();
        if (user?.expired) {
          await this.manager.removeUser();
          this.currentUser = null;
        } else {
          this.currentUser = user;
        }
      }
    } catch (e) {
      this._error = `Auth initialization failed: ${e instanceof Error ? e.message : String(e)}`;
      await this.manager.removeUser().catch(() => {
      });
      this.currentUser = null;
      if (window.location.pathname.endsWith("/auth/callback")) {
        window.history.replaceState({}, "", "/");
      }
    } finally {
      this._isLoading = false;
      this.notify();
    }
  }
  login() {
    if (this.redirectGuard.isLooping()) {
      this._error = "Redirect loop detected. Please clear your browser cache and cookies, then try again.";
      this.notify();
      return;
    }
    this.redirectGuard.recordRedirect();
    sessionStorage.setItem(
      `${this.prefix}return_url`,
      window.location.pathname + window.location.search
    );
    this.manager.signinRedirect();
  }
  async logout() {
    this.redirectGuard.clear();
    await this.manager.signoutRedirect();
  }
  requireAuth() {
    if (this._isLoading) return false;
    if (!this.isAuthenticated) {
      this.login();
      return false;
    }
    return true;
  }
  async fetch(url, init) {
    const token = this.accessToken;
    if (!token) {
      this.login();
      return new Response(null, { status: 401 });
    }
    const headers = new Headers(init?.headers);
    headers.set("Authorization", `Bearer ${token}`);
    return window.fetch(url, { ...init, headers });
  }
  onAuthChange(cb) {
    this.listeners.add(cb);
    return () => this.listeners.delete(cb);
  }
  notify() {
    const state = {
      isAuthenticated: this.isAuthenticated,
      isLoading: this._isLoading,
      user: this.user,
      error: this._error
    };
    this.listeners.forEach((cb) => cb(state));
  }
};

// src/adapters/angular.ts
var AUTH_INSTANCE_KEY = "__kuns_zitadel_auth__";
function provideZitadelAuth(config) {
  const auth = new ZitadelAuth(config);
  globalThis[AUTH_INSTANCE_KEY] = auth;
  return {
    provide: "KUNS_ZITADEL_AUTH",
    useValue: auth
  };
}
function getAuthInstance() {
  const auth = globalThis[AUTH_INSTANCE_KEY];
  if (!auth) throw new Error("Call provideZitadelAuth() before using zitadelGuard()");
  return auth;
}
function zitadelGuard() {
  let initPromise = null;
  return async () => {
    const auth = getAuthInstance();
    if (!initPromise) {
      initPromise = auth.init();
    }
    await initPromise;
    if (auth.isAuthenticated) return true;
    auth.login();
    return false;
  };
}
// Annotate the CommonJS export names for ESM import in node:
0 && (module.exports = {
  provideZitadelAuth,
  zitadelGuard
});