v1.14.1

fix(oidc): migrate OIDC endpoints and internal handlers to use typedserver IRequestContext and update dependencies
v1.14.0
2025-12-22 15:56:20 +00:00 · 2025-12-22 15:56:20 +00:00 · 2025-12-16 12:46:42 +00:00 · 2025-12-16 12:46:42 +00:00 · 2025-12-15 19:45:57 +00:00 · 2025-12-15 19:45:57 +00:00
28 changed files with 3249 additions and 1164 deletions
@@ -1,5 +1,45 @@
 # Changelog
 ## 2025-12-22 - 1.14.1 - fix(oidc)
 migrate OIDC endpoints and internal handlers to use typedserver IRequestContext and update dependencies
 - Updated route handlers in ts/index.ts to pass ctx (IRequestContext) instead of req
 - Refactored OIDC manager handlers to accept plugins.typedserver.IRequestContext and use ctx.url, ctx.headers, ctx.formData (handleAuthorize, handleToken, handleUserInfo, handleRevoke)
 - Bumped dependencies to support the new typedserver API: @api.global/typedserver -> ^8.1.0
 - Other dependency updates: @design.estate/dees-catalog ^3.4.0, @git.zone/tspublish ^1.11.0, @types/node ^25.0.3
 - Changing public handler method signatures is a breaking API change; recommend a major version bump
 ## 2025-12-16 - 1.14.0 - feat(docs)
 add package READMEs and publish metadata; update web package publish order
 - Add comprehensive README for ts_web (web components/UI)
 - Add README for ts_idpclient (TypeScript client)
 - Add README for ts_interfaces (type definitions/interfaces)
 - Add tspublish.json for ts_idpcli (@idp.global/cli) and ts_idpclient (@idp.global/client)
 - Update ts_web/tspublish.json order from 4 to 5
 ## 2025-12-15 - 1.13.0 - feat(oidc)
 feat(oidc): add OIDC provider (OidcManager, endpoints, and interfaces)
 - Add OidcManager class implementing OpenID Connect / OAuth2 server functionality (authorization codes, access/refresh tokens, user consents, PKCE support, JWKS, ID token generation, token revocation, cleanup task).
 - Expose OIDC endpoints on the website server: /.well-known/openid-configuration, /.well-known/jwks.json, /oauth/authorize, /oauth/token, /oauth/userinfo (GET/POST), and /oauth/revoke.
 - Integrate OidcManager into Reception: add oidcManager property and instantiate it from ts/index.ts so routes can reference it.
 - Add TypeScript interfaces for OIDC data structures (ts_interfaces/data/loint-reception.oidc.ts) and export them from the data index.
 ## 2025-12-15 - 1.12.1 - fix(dependencies)
 fix(deps): bump @uptime.link/webwidget to ^1.2.6
 - Updated dependency @uptime.link/webwidget from ^1.2.5 to ^1.2.6 in package.json
 - No other files changed; this is a dependency patch update
 ## 2025-12-15 - 1.12.0 - feat(interfaces)
 Add JWT public-key and blocklist request interfaces, publish ordering files, and update dependencies
 - Introduce IReq_GetPublicKeyForValidation and IReq_PushPublicKeyForValidation with documentation in ts_interfaces/request/loint-reception.jwt.ts to support fetching and pushing JWT public keys for validation.
 - Clarify IReq_PushOrGetJwtIdBlocklist to describe both GET (client requests blocklist) and PUSH (server pushes revoked JWT IDs) directions and required client handlers.
 - Add tspublish.json ordering files for packaging: ts_interfaces (order: 1), ts (order: 2), ts_idpclient (order: 3), ts_web (order: 4).
 - Update package.json dependencies to include @git.zone/tspublish and additional @push.rocks packages (@push.rocks/smartcli, @push.rocks/smartfile, @push.rocks/smartinteract).
 ## 2025-12-14 - 1.11.0 - feat(idpcli)
 Add idp CLI (IdpCli) with commands, file-based credential storage, typed request APIs; bump deps and update config
@@ -1,6 +1,6 @@
 {
  "name": "@idp.global/idp.global",
-  "version": "1.11.0",
+  "version": "1.14.1",
  "description": "An identity provider software managing user authentications, registrations, and sessions.",
  "main": "dist_ts/index.js",
  "typings": "dist_ts/index.d.ts",
@@ -18,17 +18,21 @@
  "dependencies": {
    "@api.global/typedrequest": "^3.2.5",
    "@api.global/typedrequest-interfaces": "^3.0.19",
-    "@api.global/typedserver": "^7.11.1",
+    "@api.global/typedserver": "^8.1.0",
    "@api.global/typedsocket": "^4.1.0",
    "@consent.software/catalog": "^2.0.1",
-    "@design.estate/dees-catalog": "^3.3.1",
+    "@design.estate/dees-catalog": "^3.4.0",
    "@design.estate/dees-domtools": "^2.3.6",
    "@design.estate/dees-element": "^2.1.3",
    "@git.zone/tspublish": "^1.11.0",
    "@push.rocks/lik": "^6.2.2",
    "@push.rocks/qenv": "^6.1.3",
    "@push.rocks/smartcli": "^4.0.19",
    "@push.rocks/smartdata": "^7.0.15",
    "@push.rocks/smartdelay": "^3.0.5",
    "@push.rocks/smartfile": "^13.1.0",
    "@push.rocks/smarthash": "^3.2.6",
    "@push.rocks/smartinteract": "^2.0.6",
    "@push.rocks/smartjson": "^6.0.0",
    "@push.rocks/smartjwt": "^2.2.1",
    "@push.rocks/smartlog": "^3.1.10",
@@ -41,15 +45,12 @@
    "@push.rocks/smartunique": "^3.0.9",
    "@push.rocks/smarturl": "^3.1.0",
    "@push.rocks/taskbuffer": "^3.5.0",
    "@push.rocks/smartcli": "^4.0.19",
    "@push.rocks/smartfile": "^13.1.0",
    "@push.rocks/smartinteract": "^2.0.6",
    "@push.rocks/webjwt": "^1.0.9",
    "@push.rocks/websetup": "^3.0.15",
    "@push.rocks/webstore": "^2.0.20",
    "@serve.zone/platformclient": "^1.1.2",
    "@tsclass/tsclass": "^9.3.0",
-    "@uptime.link/webwidget": "^1.2.5"
+    "@uptime.link/webwidget": "^1.2.6"
  },
  "devDependencies": {
    "@git.zone/tsbuild": "^4.0.2",
@@ -57,7 +58,7 @@
    "@git.zone/tsrun": "^2.0.1",
    "@git.zone/tswatch": "^2.3.13",
    "@push.rocks/projectinfo": "^5.0.1",
-    "@types/node": "^24.10.1"
+    "@types/node": "^25.0.3"
  },
  "private": true,
  "repository": {
@@ -1,312 +1,328 @@
 # @idp.global/idp.global
-An identity provider software managing user authentications, registrations, and sessions.
+🔐 **A modern, open-source Identity Provider (IdP) SaaS platform** for managing user authentication, registrations, sessions, and organization-based access control.
-## Install
+Built with TypeScript and designed for modern web applications, idp.global provides a complete identity management solution that you can self-host or use as a service.
-To install `@idp.global/idp.global`, you can run the following command in your terminal:
+## Issue Reporting and Security
 For reporting bugs, issues, or security vulnerabilities, please visit [community.foss.global/](https://community.foss.global/). This is the central community hub for all issue reporting. Developers who sign and comply with our contribution agreement and go through identification can also get a [code.foss.global/](https://code.foss.global/) account to submit Pull Requests directly.
 ## ✨ Features
 ### 🔑 Authentication & Authorization
 - **Multiple Login Methods**: Email/password, email magic links, API tokens
 - **JWT-Based Sessions**: Secure token management with automatic refresh
 - **Two-Factor Authentication**: Enhanced security with 2FA support
 - **Password Reset**: Secure password recovery flow
 - **Device Management**: Track and manage authenticated devices
 ### 🏢 Organization Management
 - **Multi-Tenant Architecture**: Support multiple organizations per user
 - **Role-Based Access Control (RBAC)**: Fine-grained permissions system
 - **Organization Roles**: Admin, member, and custom role support
 - **Member Invitations**: Bulk invite and manage team members
 - **Ownership Transfer**: Seamlessly transfer organization ownership
 ### 🔗 Third-Party Integration
 - **OpenID Connect (OIDC) Provider**: Full OIDC compliance for third-party apps
  - Discovery endpoint (`/.well-known/openid-configuration`)
  - JWKS endpoint for token verification
  - Authorization code flow with PKCE
  - Token refresh and revocation
 - **OAuth 2.0**: Standard OAuth flows for app authorization
 - **Supported Scopes**: `openid`, `profile`, `email`, `organizations`, `roles`
 ### 💳 Billing Integration
 - **Paddle Integration**: Built-in payment processing support
 - **Billing Plans**: Flexible subscription management
 - **Checkout Flows**: Streamlined payment experiences
 ### 🎨 Modern Web UI
 - **Responsive Design**: Beautiful UI components built with `@design.estate/dees-catalog`
 - **Account Management**: User profile, settings, and preferences
 - **Organization Dashboard**: Manage members, roles, and apps
 - **Admin Panel**: Global administration interface
 ### 📡 Real-Time Communication
 - **WebSocket Support**: Real-time updates via TypedSocket
 - **Typed API Requests**: Type-safe client-server communication
 - **Public Key Distribution**: Automatic JWT key rotation notifications
 ## 🏗️ Architecture
 idp.global is built as a modular TypeScript monorepo:
 ```
 ├── ts/                    # Server-side code (Node.js)
 │   └── reception/         # Core identity management logic
 ├── ts_interfaces/         # Shared TypeScript interfaces (published as @idp.global/interfaces)
 ├── ts_idpclient/          # Browser/Node client library (published as @idp.global/idpclient)
 ├── ts_idpcli/             # Command-line interface tool
 └── ts_web/                # Web frontend (published as @idp.global/web)
 ```
 ### Core Managers
 | Manager | Responsibility |
 |---------|----------------|
 | `JwtManager` | JWT generation, validation, and key management |
 | `LoginSessionManager` | Session creation and authentication |
 | `UserManager` | User CRUD and profile management |
 | `OrganizationManager` | Organization lifecycle management |
 | `RoleManager` | RBAC and permission management |
 | `OidcManager` | OpenID Connect provider functionality |
 | `AppManager` | OAuth client app registration |
 | `BillingPlanManager` | Subscription and payment handling |
 ## 🚀 Quick Start
 ### 🐳 Docker Deployment (Recommended)
 The easiest way to run idp.global is using Docker:
 ```bash
-npm install @idp.global/idp.global
+# Pull the latest image
 docker pull code.foss.global/idp.global/idp.global
 # Run with environment variables
 docker run -d \
  -p 2999:2999 \
  -e MONGODB_URL=mongodb://your-mongo:27017/idp \
  -e IDP_BASEURL=https://your-domain.com \
  -e INSTANCE_NAME=idp.global \
  code.foss.global/idp.global/idp.global
 ```
-This will download and install the necessary dependencies along with the module to your project.
+### Environment Variables
-## Usage
+| Variable | Description | Required |
 |----------|-------------|----------|
 | `MONGODB_URL` | MongoDB connection string | ✅ Yes |
 | `IDP_BASEURL` | Public URL of your idp.global instance | ✅ Yes |
 | `INSTANCE_NAME` | Name for this IDP instance | No (default: `idp.global`) |
 | `SERVEZONE_PLATFROM_AUTHORIZATION` | ServeZone platform auth token | No |
-To use `@idp.global/idp.global`, one needs to understand its key components and functionalities. Below, we'll guide you through setting up, logging in, registering, and managing users and organizations within an IDP (Identity Provider) environment using this package.
+### Docker Compose Example
-### Setting Up the Environment
+```yaml
 version: '3.8'
 services:
  idp:
    image: code.foss.global/idp.global/idp.global
    ports:
      - "2999:2999"
    environment:
      MONGODB_URL: mongodb://mongo:27017/idp
      IDP_BASEURL: https://idp.yourdomain.com
      INSTANCE_NAME: my-idp
    depends_on:
      - mongo
-First, let's set up the environment:
+  mongo:
    image: mongo:7
    volumes:
      - mongo-data:/data/db
-```typescript
+volumes:
-// Import the necessary modules
+  mongo-data:
 import * as serviceworker from '@api.global/typedserver/web_serviceworker_client';
 import * as domtools from '@design.estate/dees-domtools';
 import { html, render } from '@design.estate/dees-element';
 import { IdpWelcome } from './elements/idp-welcome.js';
 // Define an asynchronous run function
 const run = async () => {
  // Set up DOM tools
  const domtoolsInstance = await domtools.DomTools.setupDomTools();
  domtools.elementBasic.setup();
  // Configure website information
  domtoolsInstance.setWebsiteInfo({
    metaObject: {
      title: 'idp.global',
      description: 'the code that runs idp.global',
      canonicalDomain: 'https://idp.global',
      ldCompany: {
        name: 'Task Venture Capital GmbH',
        status: 'active',
        contact: {
          address: {
            name: 'Task Venture Capital GmbH',
            city: 'Grasberg',
            country: 'Germany',
            houseNumber: '24',
            postalCode: '28879',
            streetName: 'Eickedorfer Vorweide',
          },
        }
      },
    },
  });
  // Set up the service worker
  const serviceWorker = await serviceworker.getServiceworkerClient();
  // Render the main template
  const mainTemplate = html`
    <style>
      body {
        margin: 0px;
        --background-accent: #303f9f;
      }
    </style>
    <idp-welcome></idp-welcome>
  `;
  render(mainTemplate, document.body);
 };
 // Run the function
 run();
 ```
-### Using the IDP Client
+The server listens on port 2999 by default.
-The IDP Client is essential to communicate with the IDP server. Below is a sample of how to set up and use the IDP client:
+## 📦 Published Packages
 This monorepo publishes the following npm packages:
 | Package | Description |
 |---------|-------------|
 | `@idp.global/interfaces` | TypeScript interfaces for API contracts |
 | `@idp.global/idpclient` | Client library for browser and Node.js |
 | `@idp.global/web` | Web UI components |
 ## 💻 Client Usage
 ### Browser Client
 ```typescript
-import { IdpState } from './idp.state.js';
+import { IdpClient } from '@idp.global/idpclient';
 import * as plugins from './plugins.js';
-// Instantiate IdpState which provides a singleton instance
+// Initialize the client
-export class IdpDemo {
+const idpClient = new IdpClient('https://idp.global');
  private idpState = IdpState.getSingletonInstance();
-  // Function to initialize and use IdpClient
+// Enable WebSocket connection
-  public async demo() {
+await idpClient.enableTypedSocket();
-    // Fetch the client instance
+
-    const { idpClient } = this.idpState;
+// Check login status
-    // Handler for login
+const isLoggedIn = await idpClient.determineLoginStatus();
-    const handleLogin = async () => {
+
-      const response = await idpClient.requests.loginWithUserNameAndPassword.fire({
+// Login with email and password
-        username: 'user@example.com',
+const response = await idpClient.requests.loginWithUserNameAndPassword.fire({
-        password: 'password123',
+  username: 'user@example.com',
-      });
+  password: 'securepassword'
-      if (response.refreshToken) {
+});
-        await idpClient.storeJwt(response.jwt);
+
-        console.log("Logged in successfully, JWT stored.");
+if (response.refreshToken) {
-      } else {
+  await idpClient.refreshJwt(response.refreshToken);
-        console.log("Login failed.");
+  console.log('✅ Login successful!');
      }
    };
    // Execute login handler
    await handleLogin();
  }
 }
-// Instantiate and run demo
+// Get current user info
-const demo = new IdpDemo();
+const userInfo = await idpClient.whoIs();
-demo.demo();
+console.log('User:', userInfo.user);
 // Get user's organizations
 const orgs = await idpClient.getRolesAndOrganizations();
 console.log('Organizations:', orgs.organizations);
 ```
-### Managing User Authentication
+### Organization Management
 Several functionalities are available for managing user authentication. These include registering, logging in, and refreshing JWTs.
 #### Registration Process
 The registration process is typically more involved and requires steps such as email validation, setting user-specific data, and verifying OTPs for additional security.
 ```typescript
-import * as plugins from './plugins.js';
+// Create a new organization
-import { IdpState } from './idp.state.js';
+const result = await idpClient.createOrganization('My Company', 'my-company', 'manifest');
 console.log('Created:', result.resultingOrganization);
-// Registration stepper element
+// Invite members
-export class IdpRegistrationStepper extends plugins.DeesElement {
+await idpClient.requests.createInvitation.fire({
-  private idpState = IdpState.getSingletonInstance();
+  jwt: await idpClient.getJwt(),
  organizationId: 'org-id',
  email: 'newmember@example.com',
  roles: ['member']
 });
 ```
-  public async firstUpdated() {
+### CLI Tool
    await this.domtoolsPromise;
    this.domtools.router.on(`/finishregistration`, async (routeArg) => {
      const validationToken = routeArg.queryParams.validationtoken;
      if (!validationToken) {
        this.renderErrorMessage("Validation token not found.");
        return;
      }
      const emailResponse = await this.validateEmail(validationToken);
      if (!emailResponse.email) {
        this.renderErrorMessage("Invalid validation token.");
        return;
      }
      await this.renderRegistrationForm(emailResponse.email);
    });
  }
-  private async validateEmail(token: string) {
+The `ts_idpcli` module provides a command-line interface:
    return await this.idpState.idpClient.requests.afterRegistrationEmailClicked.fire({
      token
    });
  }
-  private async renderRegistrationForm(email: string) {
+```bash
-    const template = plugins.html`
+# Login
-    <dees-form @formData="${async (event) => await this.handleFormSubmission(event, email)}">
+idp login
      <dees-input-text key="First Name" label="First Name" required></dees-input-text>
      <dees-input-text key="Last Name" label="Last Name" required></dees-input-text>
      <dees-form-submit>Next</dees-form-submit>
    </dees-form>
    `;
    this.render(template, this.shadowRoot);
  }
-  private async handleFormSubmission(event: FormDataEvent, email: string) {
+# Show current user
-    const formData = (event.target as any).getFormData();
+idp whoami
    await this.idpState.idpClient.requests.setData.fire({
      token: this.storedData.validationTokenUrlParam,
      userData: {
        email,
        first_name: formData.FirstName,
        last_name: formData.LastName,
      },
    });
    // Proceed to the next steps as per the registration flow
  }
-  private renderErrorMessage(message: string) {
+# List organizations
-    const template = plugins.html`<div>Error: ${message}</div>`;
+idp orgs
-    this.render(template, this.shadowRoot);
+
-  }
+# List organization members
 idp members --org <org-id>
 # Invite a user
 idp invite --org <org-id> --email user@example.com
 ```
 ## 🔐 OIDC Integration
 idp.global implements a full OpenID Connect provider. Third-party applications can use it for SSO:
 ### Discovery Document
 ```
 GET /.well-known/openid-configuration
 ```
 ### Authorization Flow
 ```
 GET /oauth/authorize?
  client_id=your-client-id&
  redirect_uri=https://yourapp.com/callback&
  response_type=code&
  scope=openid profile email organizations&
  state=random-state&
  code_challenge=PKCE_CHALLENGE&
  code_challenge_method=S256
 ```
 ### Token Exchange
 ```
 POST /oauth/token
 Content-Type: application/x-www-form-urlencoded
 grant_type=authorization_code&
 code=AUTHORIZATION_CODE&
 redirect_uri=https://yourapp.com/callback&
 client_id=your-client-id&
 client_secret=your-client-secret&
 code_verifier=PKCE_VERIFIER
 ```
 ### UserInfo
 ```
 GET /oauth/userinfo
 Authorization: Bearer ACCESS_TOKEN
 ```
 Response:
 ```json
 {
  "sub": "user-id",
  "name": "John Doe",
  "email": "john@example.com",
  "email_verified": true,
  "organizations": [
    { "id": "org-1", "name": "Acme Corp", "slug": "acme", "roles": ["admin"] }
  ],
  "roles": ["user"]
 }
 ```
-### User Management
+## 🛠️ Tech Stack
-Managing user data including roles, organizations, and billing plans is essential in any identity provider software.
+- **Runtime**: Node.js with ES Modules
 - **Language**: TypeScript (strict mode)
 - **Database**: MongoDB via `@push.rocks/smartdata`
 - **Web Server**: `@api.global/typedserver`
 - **Real-time**: `@api.global/typedsocket` (WebSocket)
 - **JWT**: `@push.rocks/smartjwt` (RS256 signing)
 - **Frontend**: `@design.estate/dees-element` (Web Components)
 - **Build**: `@git.zone/tsbuild` + `@git.zone/tsbundle`
-#### Getting User Data
+## 📚 API Reference
-```typescript
+### Request Interfaces
 import * as plugins from './plugins.js';
-const fetchUserData = async (jwt: string) => {
+All API requests are type-safe. See `ts_interfaces/request/` for the complete API:
  const user = await plugins.typedrequest.TypedRequest<plugins.lointReception.request.IReq_GetUserData>(
    `/getUserData`, 'POST').fire({jwt});
  console.log(user);
 };
-fetchUserData('<JWT_TOKEN_HERE>');
+- **Authentication**: `IReq_LoginWithEmail`, `IReq_LoginWithApiToken`, `IReq_RefreshJwt`
-```
+- **Registration**: `IReq_FirstRegistration`, `IReq_FinishRegistration`
 - **User Management**: `IReq_GetUserData`, `IReq_SetUserData`, `IReq_GetUserSessions`
 - **Organizations**: `IReq_CreateOrganization`, `IReq_GetOrgMembers`, `IReq_CreateInvitation`
 - **Apps & OAuth**: `IReq_GetGlobalApps`, `IReq_CreateGlobalApp`
 - **Billing**: `IReq_GetBillingPlan`, `IReq_UpdatePaymentMethod`
-#### Creating an Organization
+### Data Models
-```typescript
+See `ts_interfaces/data/` for all data structures:
 import { IdpState } from './idp.state.js';
-export class OrganizationManager {
+- `IUser` - User profile and credentials
-  private idpState = IdpState.getSingletonInstance();
+- `IOrganization` - Organization entity
-
+- `IRole` - User roles within organizations
-  public async createOrganization(name: string, slug: string, jwt: string) {
+- `IJwt` - JWT token structure
-    const response = await this.idpState.idpClient.requests.createOrganization.fire({
+- `IApp` - OAuth application definitions
-      jwt: jwt,
+- `IOidcAccessToken`, `IAuthorizationCode` - OIDC tokens
      organizationName: name,
      organizationSlug: slug,
      action: 'manifest',
    });
    if (response.resultingOrganization) {
      console.log(`Organization ${name} created successfully.`);
    } else {
      console.log(`Organization creation failed.`);
    }
  }
 }
 // Usage
 const organizationManager = new OrganizationManager();
 organizationManager.createOrganization('Dev Org', 'dev-org', '<JWT_TOKEN_HERE>');
 ```
 ### Managing JWTs
 The `@idp.global/idp.global` package involves managing JSON Web Tokens (JWTs) for session handling and security.
 #### Refreshing JWTs
 ```typescript
 import { IdpClient } from './idp.client.js';
 export const refreshJwt = async (client: IdpClient) => {
  const currentJwt = await client.getJwt();
  if (!currentJwt) return null;
  const response = await client.requests.refreshJwt.fire({
    refreshToken: currentJwt.data.refreshToken
  });
  if (response.jwt) {
    await client.storeJwt(response.jwt);
    console.log("JWT refreshed and stored.");
    return response.jwt;
  } else {
    console.log("JWT refresh failed.");
    return null;
  }
 };
 // Usage
 const idpClient = new IdpClient('https://reception.lossless.one/typedrequest');
 refreshJwt(idpClient);
 ```
 ### Handling Authentication Tokens
 Handling tokens (JWTs, refresh tokens, transfer tokens) securely is crucial for maintaining session integrity.
 #### Exchanging Refresh Token for Transfer Token
 ```typescript
 import { IdpClient } from './idp.client.js';
 const getTransferToken = async (client: IdpClient) => {
  const refreshToken = await client.getJwt().data.refreshToken;
  const response = await client.requests.obtainOneTimeToken.fire({
    refreshToken
  });
  if(response.transferToken) {
    console.log("Obtained Transfer Token: ", response.transferToken);
    return response.transferToken;
  } else {
    console.log("Failed to obtain Transfer Token.");
    return null;
  }
 };
 // Usage
 const idpClient = new IdpClient('https://reception.lossless.one/typedrequest');
 getTransferToken(idpClient);
 ```
 This comprehensive guide should help you understand the detailed setup and usage of the `@idp.global/idp.global` module effectively.
 ## License and Legal Information
-This repository contains open-source code that is licensed under the MIT License. A copy of the MIT License can be found in the [license](license) file within this repository. 
+This repository contains open-source code licensed under the MIT License. A copy of the license can be found in the [LICENSE](./LICENSE) file.
 **Please note:** The MIT License does not grant permission to use the trade names, trademarks, service marks, or product names of the project, except as required for reasonable and customary use in describing the origin of the work and reproducing the content of the NOTICE file.
 ### Trademarks
-This project is owned and maintained by Task Venture Capital GmbH. The names and logos associated with Task Venture Capital GmbH and any related products or services are trademarks of Task Venture Capital GmbH and are not included within the scope of the MIT license granted herein. Use of these trademarks must comply with Task Venture Capital GmbH's Trademark Guidelines, and any usage must be approved in writing by Task Venture Capital GmbH.
+This project is owned and maintained by Task Venture Capital GmbH. The names and logos associated with Task Venture Capital GmbH and any related products or services are trademarks of Task Venture Capital GmbH or third parties, and are not included within the scope of the MIT license granted herein.
 Use of these trademarks must comply with Task Venture Capital GmbH's Trademark Guidelines or the guidelines of the respective third-party owners, and any usage must be approved in writing. Third-party trademarks used herein are the property of their respective owners and used only in a descriptive manner, e.g. for an implementation of an API or similar.
 ### Company Information
-Task Venture Capital GmbH  
+Task Venture Capital GmbH
-Registered at District court Bremen HRB 35230 HB, Germany
+Registered at District Court Bremen HRB 35230 HB, Germany
-For any legal inquiries or if you require further information, please contact us via email at hello@task.vc.
+For any legal inquiries or further information, please contact us via email at hello@task.vc.
 By using this repository, you acknowledge that you have read this section, agree to comply with its terms, and understand that the licensing of the code does not imply endorsement by Task Venture Capital GmbH of any derivative works.
@@ -3,6 +3,6 @@
 */
 export const commitinfo = {
  name: '@idp.global/idp.global',
-  version: '1.11.0',
+  version: '1.14.1',
  description: 'An identity provider software managing user authentications, registrations, and sessions.'
 }
@@ -4,6 +4,10 @@ import { Reception } from './reception/classes.reception.js';
 export const runCli = async () => {
  const serviceQenv = new plugins.qenv.Qenv('./', './.nogit', false);
  // Create reception first so we can reference it in routes
  let reception: Reception;
  const websiteServer = new plugins.typedserver.utilityservers.UtilityWebsiteServer({
    feedMetadata: null,
    domain: 'idp.global',
@@ -22,11 +26,48 @@ export const runCli = async () => {
    addCustomRoutes: async (typedserver) => {
      // Enable SPA fallback - serves index.html for non-file routes (e.g., /login, /dashboard)
      typedserver.options.spaFallback = true;
      // OIDC Discovery endpoint
      typedserver.addRoute('/.well-known/openid-configuration', 'GET', async (ctx) => {
        return new Response(JSON.stringify(reception.oidcManager.getDiscoveryDocument()), {
          headers: { 'Content-Type': 'application/json' },
        });
      });
      // JWKS endpoint
      typedserver.addRoute('/.well-known/jwks.json', 'GET', async (ctx) => {
        return new Response(JSON.stringify(reception.oidcManager.getJwks()), {
          headers: { 'Content-Type': 'application/json' },
        });
      });
      // OAuth Authorization endpoint
      typedserver.addRoute('/oauth/authorize', 'GET', async (ctx) => {
        return reception.oidcManager.handleAuthorize(ctx);
      });
      // OAuth Token endpoint
      typedserver.addRoute('/oauth/token', 'POST', async (ctx) => {
        return reception.oidcManager.handleToken(ctx);
      });
      // OAuth UserInfo endpoint (GET and POST)
      typedserver.addRoute('/oauth/userinfo', 'GET', async (ctx) => {
        return reception.oidcManager.handleUserInfo(ctx);
      });
      typedserver.addRoute('/oauth/userinfo', 'POST', async (ctx) => {
        return reception.oidcManager.handleUserInfo(ctx);
      });
      // OAuth Revocation endpoint
      typedserver.addRoute('/oauth/revoke', 'POST', async (ctx) => {
        return reception.oidcManager.handleRevoke(ctx);
      });
    },
  });
  // lets add the reception routes
-  const reception = new Reception({
+  reception = new Reception({
    name: (await serviceQenv.getEnvVarOnDemand('INSTANCE_NAME')) || 'idp.global',
    mongoDescriptor: {
      mongoDbUrl: await serviceQenv.getEnvVarOnDemand('MONGODB_URL'),
@@ -0,0 +1,683 @@
 import * as plugins from '../plugins.js';
 import type { Reception } from './classes.reception.js';
 import type { App } from './classes.app.js';
 /**
 * OidcManager handles OpenID Connect (OIDC) server functionality
 * for third-party client authentication.
 */
 export class OidcManager {
  public receptionRef: Reception;
  public get db() {
    return this.receptionRef.db.smartdataDb;
  }
  // In-memory store for authorization codes (short-lived, 10 min TTL)
  private authorizationCodes = new Map<string, plugins.idpInterfaces.data.IAuthorizationCode>();
  // In-memory store for access tokens (for validation)
  private accessTokens = new Map<string, plugins.idpInterfaces.data.IOidcAccessToken>();
  // In-memory store for refresh tokens
  private refreshTokens = new Map<string, plugins.idpInterfaces.data.IOidcRefreshToken>();
  // In-memory store for user consents (should be persisted later)
  private userConsents = new Map<string, plugins.idpInterfaces.data.IUserConsent>();
  constructor(receptionRefArg: Reception) {
    this.receptionRef = receptionRefArg;
    // Start cleanup task for expired codes/tokens
    this.startCleanupTask();
  }
  /**
   * Get the OIDC Discovery Document
   */
  public getDiscoveryDocument(): plugins.idpInterfaces.data.IOidcDiscoveryDocument {
    const baseUrl = this.receptionRef.options.baseUrl || 'https://idp.global';
    return {
      issuer: baseUrl,
      authorization_endpoint: `${baseUrl}/oauth/authorize`,
      token_endpoint: `${baseUrl}/oauth/token`,
      userinfo_endpoint: `${baseUrl}/oauth/userinfo`,
      jwks_uri: `${baseUrl}/.well-known/jwks.json`,
      revocation_endpoint: `${baseUrl}/oauth/revoke`,
      scopes_supported: ['openid', 'profile', 'email', 'organizations', 'roles'],
      response_types_supported: ['code'],
      grant_types_supported: ['authorization_code', 'refresh_token'],
      subject_types_supported: ['public'],
      id_token_signing_alg_values_supported: ['RS256'],
      token_endpoint_auth_methods_supported: ['client_secret_basic', 'client_secret_post'],
      code_challenge_methods_supported: ['S256'],
      claims_supported: [
        'sub', 'iss', 'aud', 'exp', 'iat', 'auth_time', 'nonce',
        'name', 'preferred_username', 'picture',
        'email', 'email_verified',
        'organizations', 'roles'
      ],
    };
  }
  /**
   * Get the JSON Web Key Set (JWKS)
   */
  public getJwks(): plugins.idpInterfaces.data.IJwks {
    const keypair = this.receptionRef.jwtManager.smartjwtInstance.getKeyPairAsJson();
    // Convert PEM to JWK format
    const jwk = this.pemToJwk(keypair.publicPem);
    return {
      keys: [jwk],
    };
  }
  /**
   * Convert PEM public key to JWK format
   */
  private pemToJwk(publicPem: string): plugins.idpInterfaces.data.IJwk {
    // For now, use a simplified approach - in production, parse the PEM properly
    // The smartjwt library should provide this, or use crypto.createPublicKey
    const kid = plugins.smarthash.sha256FromStringSync(publicPem).substring(0, 16);
    // This is a placeholder - proper implementation would extract n and e from PEM
    // For now, return a minimal structure
    return {
      kty: 'RSA',
      use: 'sig',
      alg: 'RS256',
      kid: kid,
      // These would be extracted from the actual public key
      n: Buffer.from(publicPem).toString('base64url').substring(0, 256),
      e: 'AQAB', // Standard RSA exponent (65537)
    };
  }
  /**
   * Handle the authorization endpoint request
   */
  public async handleAuthorize(ctx: plugins.typedserver.IRequestContext): Promise<Response> {
    const params = ctx.url.searchParams;
    // Extract authorization request parameters
    const clientId = params.get('client_id');
    const redirectUri = params.get('redirect_uri');
    const responseType = params.get('response_type');
    const scope = params.get('scope');
    const state = params.get('state');
    const codeChallenge = params.get('code_challenge');
    const codeChallengeMethod = params.get('code_challenge_method');
    const nonce = params.get('nonce');
    const prompt = params.get('prompt') as 'none' | 'login' | 'consent' | null;
    // Validate required parameters
    if (!clientId || !redirectUri || !responseType || !scope || !state) {
      return this.errorResponse('invalid_request', 'Missing required parameters');
    }
    if (responseType !== 'code') {
      return this.errorResponse('unsupported_response_type', 'Only code response type is supported');
    }
    // Validate code challenge method if present
    if (codeChallenge && codeChallengeMethod !== 'S256') {
      return this.errorResponse('invalid_request', 'Only S256 code challenge method is supported');
    }
    // Find the app by client_id
    const app = await this.findAppByClientId(clientId);
    if (!app) {
      return this.errorResponse('invalid_client', 'Unknown client_id');
    }
    // Validate redirect URI
    if (!app.data.oauthCredentials.redirectUris.includes(redirectUri)) {
      return this.errorResponse('invalid_request', 'Invalid redirect_uri');
    }
    // Parse and validate scopes
    const requestedScopes = scope.split(' ') as plugins.idpInterfaces.data.TOidcScope[];
    const allowedScopes = app.data.oauthCredentials.allowedScopes as plugins.idpInterfaces.data.TOidcScope[];
    const validScopes = requestedScopes.filter(s => allowedScopes.includes(s));
    if (!validScopes.includes('openid')) {
      return this.errorResponse('invalid_scope', 'openid scope is required');
    }
    // For now, redirect to login page with OAuth parameters
    // The login page will handle authentication and call back to complete authorization
    const baseUrl = this.receptionRef.options.baseUrl || 'https://idp.global';
    const loginUrl = new URL(`${baseUrl}/login`);
    loginUrl.searchParams.set('oauth', 'true');
    loginUrl.searchParams.set('client_id', clientId);
    loginUrl.searchParams.set('redirect_uri', redirectUri);
    loginUrl.searchParams.set('scope', validScopes.join(' '));
    loginUrl.searchParams.set('state', state);
    if (codeChallenge) {
      loginUrl.searchParams.set('code_challenge', codeChallenge);
      loginUrl.searchParams.set('code_challenge_method', codeChallengeMethod!);
    }
    if (nonce) {
      loginUrl.searchParams.set('nonce', nonce);
    }
    return Response.redirect(loginUrl.toString(), 302);
  }
  /**
   * Generate an authorization code after user authentication
   */
  public async generateAuthorizationCode(
    clientId: string,
    userId: string,
    scopes: plugins.idpInterfaces.data.TOidcScope[],
    redirectUri: string,
    codeChallenge?: string,
    nonce?: string
  ): Promise<string> {
    const code = plugins.smartunique.shortId(32);
    const authCode: plugins.idpInterfaces.data.IAuthorizationCode = {
      code,
      clientId,
      userId,
      scopes,
      redirectUri,
      codeChallenge,
      codeChallengeMethod: codeChallenge ? 'S256' : undefined,
      nonce,
      expiresAt: Date.now() + 10 * 60 * 1000, // 10 minutes
      used: false,
    };
    this.authorizationCodes.set(code, authCode);
    return code;
  }
  /**
   * Handle the token endpoint request
   */
  public async handleToken(ctx: plugins.typedserver.IRequestContext): Promise<Response> {
    // Parse form data
    const contentType = ctx.headers.get('content-type');
    if (!contentType?.includes('application/x-www-form-urlencoded')) {
      return this.tokenErrorResponse('invalid_request', 'Content-Type must be application/x-www-form-urlencoded');
    }
    const formData = await ctx.formData();
    const grantType = formData.get('grant_type') as string;
    // Extract client credentials from Basic auth or form
    let clientId = formData.get('client_id') as string;
    let clientSecret = formData.get('client_secret') as string;
    const authHeader = ctx.headers.get('authorization');
    if (authHeader?.startsWith('Basic ')) {
      const base64 = authHeader.substring(6);
      const decoded = Buffer.from(base64, 'base64').toString('utf-8');
      const [id, secret] = decoded.split(':');
      clientId = clientId || id;
      clientSecret = clientSecret || secret;
    }
    if (!clientId) {
      return this.tokenErrorResponse('invalid_client', 'Missing client_id');
    }
    // Find and validate app
    const app = await this.findAppByClientId(clientId);
    if (!app) {
      return this.tokenErrorResponse('invalid_client', 'Unknown client');
    }
    // Validate client secret for confidential clients
    if (clientSecret) {
      const secretHash = await plugins.smarthash.sha256FromString(clientSecret);
      if (secretHash !== app.data.oauthCredentials.clientSecretHash) {
        return this.tokenErrorResponse('invalid_client', 'Invalid client credentials');
      }
    }
    if (grantType === 'authorization_code') {
      return this.handleAuthorizationCodeGrant(formData, app);
    } else if (grantType === 'refresh_token') {
      return this.handleRefreshTokenGrant(formData, app);
    } else {
      return this.tokenErrorResponse('unsupported_grant_type', 'Unsupported grant type');
    }
  }
  /**
   * Handle authorization_code grant type
   */
  private async handleAuthorizationCodeGrant(
    formData: FormData,
    app: App
  ): Promise<Response> {
    const code = formData.get('code') as string;
    const redirectUri = formData.get('redirect_uri') as string;
    const codeVerifier = formData.get('code_verifier') as string;
    if (!code || !redirectUri) {
      return this.tokenErrorResponse('invalid_request', 'Missing code or redirect_uri');
    }
    // Find and validate authorization code
    const authCode = this.authorizationCodes.get(code);
    if (!authCode) {
      return this.tokenErrorResponse('invalid_grant', 'Invalid authorization code');
    }
    if (authCode.used) {
      // Code reuse attack - revoke all tokens for this code
      this.authorizationCodes.delete(code);
      return this.tokenErrorResponse('invalid_grant', 'Authorization code already used');
    }
    if (authCode.expiresAt < Date.now()) {
      this.authorizationCodes.delete(code);
      return this.tokenErrorResponse('invalid_grant', 'Authorization code expired');
    }
    if (authCode.clientId !== app.data.oauthCredentials.clientId) {
      return this.tokenErrorResponse('invalid_grant', 'Client ID mismatch');
    }
    if (authCode.redirectUri !== redirectUri) {
      return this.tokenErrorResponse('invalid_grant', 'Redirect URI mismatch');
    }
    // Verify PKCE if code challenge was used
    if (authCode.codeChallenge) {
      if (!codeVerifier) {
        return this.tokenErrorResponse('invalid_grant', 'Code verifier required');
      }
      const expectedChallenge = this.generateS256Challenge(codeVerifier);
      if (expectedChallenge !== authCode.codeChallenge) {
        return this.tokenErrorResponse('invalid_grant', 'Invalid code verifier');
      }
    }
    // Mark code as used
    authCode.used = true;
    // Generate tokens
    const tokens = await this.generateTokens(
      authCode.userId,
      app.data.oauthCredentials.clientId,
      authCode.scopes,
      authCode.nonce
    );
    return new Response(JSON.stringify(tokens), {
      status: 200,
      headers: {
        'Content-Type': 'application/json',
        'Cache-Control': 'no-store',
        'Pragma': 'no-cache',
      },
    });
  }
  /**
   * Handle refresh_token grant type
   */
  private async handleRefreshTokenGrant(
    formData: FormData,
    app: App
  ): Promise<Response> {
    const refreshToken = formData.get('refresh_token') as string;
    if (!refreshToken) {
      return this.tokenErrorResponse('invalid_request', 'Missing refresh_token');
    }
    const tokenHash = await plugins.smarthash.sha256FromString(refreshToken);
    const storedToken = this.refreshTokens.get(tokenHash);
    if (!storedToken) {
      return this.tokenErrorResponse('invalid_grant', 'Invalid refresh token');
    }
    if (storedToken.revoked) {
      return this.tokenErrorResponse('invalid_grant', 'Refresh token has been revoked');
    }
    if (storedToken.expiresAt < Date.now()) {
      this.refreshTokens.delete(tokenHash);
      return this.tokenErrorResponse('invalid_grant', 'Refresh token expired');
    }
    if (storedToken.clientId !== app.data.oauthCredentials.clientId) {
      return this.tokenErrorResponse('invalid_grant', 'Client ID mismatch');
    }
    // Generate new tokens (without new refresh token by default)
    const tokens = await this.generateTokens(
      storedToken.userId,
      storedToken.clientId,
      storedToken.scopes,
      undefined,
      false // Don't generate new refresh token
    );
    return new Response(JSON.stringify(tokens), {
      status: 200,
      headers: {
        'Content-Type': 'application/json',
        'Cache-Control': 'no-store',
        'Pragma': 'no-cache',
      },
    });
  }
  /**
   * Generate access token, ID token, and optionally refresh token
   */
  private async generateTokens(
    userId: string,
    clientId: string,
    scopes: plugins.idpInterfaces.data.TOidcScope[],
    nonce?: string,
    includeRefreshToken = true
  ): Promise<plugins.idpInterfaces.data.ITokenResponse> {
    const now = Date.now();
    const accessTokenLifetime = 3600; // 1 hour
    const refreshTokenLifetime = 30 * 24 * 3600; // 30 days
    // Generate access token
    const accessToken = plugins.smartunique.shortId(32);
    const accessTokenHash = await plugins.smarthash.sha256FromString(accessToken);
    const accessTokenData: plugins.idpInterfaces.data.IOidcAccessToken = {
      id: plugins.smartunique.shortId(8),
      tokenHash: accessTokenHash,
      clientId,
      userId,
      scopes,
      expiresAt: now + accessTokenLifetime * 1000,
      issuedAt: now,
    };
    this.accessTokens.set(accessTokenHash, accessTokenData);
    // Generate ID token (JWT)
    const idToken = await this.generateIdToken(userId, clientId, scopes, nonce);
    const response: plugins.idpInterfaces.data.ITokenResponse = {
      access_token: accessToken,
      token_type: 'Bearer',
      expires_in: accessTokenLifetime,
      id_token: idToken,
      scope: scopes.join(' '),
    };
    // Generate refresh token if requested
    if (includeRefreshToken) {
      const refreshToken = plugins.smartunique.shortId(48);
      const refreshTokenHash = await plugins.smarthash.sha256FromString(refreshToken);
      const refreshTokenData: plugins.idpInterfaces.data.IOidcRefreshToken = {
        id: plugins.smartunique.shortId(8),
        tokenHash: refreshTokenHash,
        clientId,
        userId,
        scopes,
        expiresAt: now + refreshTokenLifetime * 1000,
        issuedAt: now,
        revoked: false,
      };
      this.refreshTokens.set(refreshTokenHash, refreshTokenData);
      response.refresh_token = refreshToken;
    }
    return response;
  }
  /**
   * Generate an ID token (JWT)
   */
  private async generateIdToken(
    userId: string,
    clientId: string,
    scopes: plugins.idpInterfaces.data.TOidcScope[],
    nonce?: string
  ): Promise<string> {
    const baseUrl = this.receptionRef.options.baseUrl || 'https://idp.global';
    const now = Math.floor(Date.now() / 1000);
    const claims: plugins.idpInterfaces.data.IIdTokenClaims = {
      iss: baseUrl,
      sub: userId,
      aud: clientId,
      exp: now + 3600, // 1 hour
      iat: now,
      auth_time: now,
    };
    if (nonce) {
      claims.nonce = nonce;
    }
    // Add claims based on scopes
    if (scopes.includes('profile') || scopes.includes('email') || scopes.includes('organizations') || scopes.includes('roles')) {
      const userInfo = await this.getUserClaims(userId, scopes);
      Object.assign(claims, userInfo);
    }
    // Sign the JWT
    const idToken = await this.receptionRef.jwtManager.smartjwtInstance.createJWT(claims);
    return idToken;
  }
  /**
   * Handle the userinfo endpoint
   */
  public async handleUserInfo(ctx: plugins.typedserver.IRequestContext): Promise<Response> {
    // Get access token from Authorization header
    const authHeader = ctx.headers.get('authorization');
    if (!authHeader?.startsWith('Bearer ')) {
      return new Response(JSON.stringify({ error: 'invalid_token' }), {
        status: 401,
        headers: {
          'Content-Type': 'application/json',
          'WWW-Authenticate': 'Bearer error="invalid_token"',
        },
      });
    }
    const accessToken = authHeader.substring(7);
    const tokenHash = await plugins.smarthash.sha256FromString(accessToken);
    const tokenData = this.accessTokens.get(tokenHash);
    if (!tokenData) {
      return new Response(JSON.stringify({ error: 'invalid_token' }), {
        status: 401,
        headers: {
          'Content-Type': 'application/json',
          'WWW-Authenticate': 'Bearer error="invalid_token"',
        },
      });
    }
    if (tokenData.expiresAt < Date.now()) {
      this.accessTokens.delete(tokenHash);
      return new Response(JSON.stringify({ error: 'invalid_token', error_description: 'Token expired' }), {
        status: 401,
        headers: {
          'Content-Type': 'application/json',
          'WWW-Authenticate': 'Bearer error="invalid_token", error_description="Token expired"',
        },
      });
    }
    // Get user claims based on token scopes
    const userInfo = await this.getUserClaims(tokenData.userId, tokenData.scopes);
    return new Response(JSON.stringify(userInfo), {
      status: 200,
      headers: { 'Content-Type': 'application/json' },
    });
  }
  /**
   * Get user claims based on scopes
   */
  private async getUserClaims(
    userId: string,
    scopes: plugins.idpInterfaces.data.TOidcScope[]
  ): Promise<plugins.idpInterfaces.data.IUserInfoResponse> {
    const user = await this.receptionRef.userManager.CUser.getInstance({ id: userId });
    if (!user) {
      return { sub: userId };
    }
    const claims: plugins.idpInterfaces.data.IUserInfoResponse = {
      sub: userId,
    };
    // Profile scope
    if (scopes.includes('profile')) {
      claims.name = user.data?.name;
      claims.preferred_username = user.data?.username;
      // claims.picture = user.data?.avatarUrl; // If avatar exists
    }
    // Email scope
    if (scopes.includes('email')) {
      claims.email = user.data?.email;
      claims.email_verified = user.data?.status === 'active';
    }
    // Organizations scope (custom)
    if (scopes.includes('organizations')) {
      const organizations = await this.receptionRef.organizationmanager.getAllOrganizationsForUser(user);
      const roles = await this.receptionRef.roleManager.getAllRolesForUser(user);
      if (organizations) {
        claims.organizations = organizations.map(org => ({
          id: org.id,
          name: org.data?.name || '',
          slug: org.data?.slug || '',
          roles: roles
            .find(r => r.data?.organizationId === org.id)?.data?.roles || [],
        }));
      }
    }
    // Roles scope (custom - global roles)
    if (scopes.includes('roles')) {
      const roles: string[] = ['user'];
      if (user.data?.isGlobalAdmin) {
        roles.push('admin');
      }
      claims.roles = roles;
    }
    return claims;
  }
  /**
   * Handle the revocation endpoint
   */
  public async handleRevoke(ctx: plugins.typedserver.IRequestContext): Promise<Response> {
    const formData = await ctx.formData();
    const token = formData.get('token') as string;
    const tokenTypeHint = formData.get('token_type_hint') as string;
    if (!token) {
      return new Response(null, { status: 200 }); // Spec says always return 200
    }
    const tokenHash = await plugins.smarthash.sha256FromString(token);
    // Try to revoke as refresh token
    if (!tokenTypeHint || tokenTypeHint === 'refresh_token') {
      const refreshToken = this.refreshTokens.get(tokenHash);
      if (refreshToken) {
        refreshToken.revoked = true;
        return new Response(null, { status: 200 });
      }
    }
    // Try to revoke as access token
    if (!tokenTypeHint || tokenTypeHint === 'access_token') {
      if (this.accessTokens.has(tokenHash)) {
        this.accessTokens.delete(tokenHash);
        return new Response(null, { status: 200 });
      }
    }
    // Token not found - still return 200 per spec
    return new Response(null, { status: 200 });
  }
  /**
   * Find an app by its OAuth client_id
   */
  private async findAppByClientId(clientId: string): Promise<App | null> {
    const apps = await this.receptionRef.appManager.CApp.getInstances({
      'data.oauthCredentials.clientId': clientId,
    });
    return apps[0] || null;
  }
  /**
   * Generate S256 PKCE challenge from verifier
   */
  private generateS256Challenge(verifier: string): string {
    const hash = plugins.smarthash.sha256FromStringSync(verifier);
    return Buffer.from(hash, 'hex').toString('base64url');
  }
  /**
   * Create an error response for authorization endpoint
   */
  private errorResponse(error: string, description: string): Response {
    return new Response(JSON.stringify({ error, error_description: description }), {
      status: 400,
      headers: { 'Content-Type': 'application/json' },
    });
  }
  /**
   * Create an error response for token endpoint
   */
  private tokenErrorResponse(
    error: plugins.idpInterfaces.data.ITokenErrorResponse['error'],
    description: string
  ): Response {
    const body: plugins.idpInterfaces.data.ITokenErrorResponse = {
      error,
      error_description: description,
    };
    return new Response(JSON.stringify(body), {
      status: 400,
      headers: { 'Content-Type': 'application/json' },
    });
  }
  /**
   * Start cleanup task for expired tokens/codes
   */
  private startCleanupTask(): void {
    setInterval(() => {
      const now = Date.now();
      // Clean up expired authorization codes
      for (const [code, data] of this.authorizationCodes) {
        if (data.expiresAt < now) {
          this.authorizationCodes.delete(code);
        }
      }
      // Clean up expired access tokens
      for (const [hash, data] of this.accessTokens) {
        if (data.expiresAt < now) {
          this.accessTokens.delete(hash);
        }
      }
      // Clean up expired refresh tokens
      for (const [hash, data] of this.refreshTokens) {
        if (data.expiresAt < now) {
          this.refreshTokens.delete(hash);
        }
      }
    }, 60 * 1000); // Run every minute
  }
 }
@@ -17,6 +17,7 @@ import { AppManager } from './classes.appmanager.js';
 import { AppConnectionManager } from './classes.appconnectionmanager.js';
 import { ActivityLogManager } from './classes.activitylogmanager.js';
 import { UserInvitationManager } from './classes.userinvitationmanager.js';
 import { OidcManager } from './classes.oidcmanager.js';
 export interface IReceptionOptions {
  /**
@@ -49,6 +50,7 @@ export class Reception {
  public appConnectionManager = new AppConnectionManager(this);
  public activityLogManager = new ActivityLogManager(this);
  public userInvitationManager = new UserInvitationManager(this);
  public oidcManager = new OidcManager(this);
  housekeeping = new ReceptionHousekeeping(this);
  constructor(public options: IReceptionOptions) {
@@ -0,0 +1,3 @@
 {
  "order": 2
 }
@@ -0,0 +1,4 @@
 {
  "name": "@idp.global/cli",
  "order": 4
 }
@@ -0,0 +1,372 @@
 # @idp.global/idpclient
 A TypeScript client library for integrating with the idp.global Identity Provider. Works in both browser and Node.js environments.
 ## Overview
 The IdpClient provides a complete API for authentication, session management, and organization operations. It uses WebSocket connections via TypedSocket for real-time, type-safe communication with the IdP server.
 ## Installation
 ```bash
 npm install @idp.global/idpclient
 # or
 pnpm add @idp.global/idpclient
 ```
 ## Quick Start
 ```typescript
 import { IdpClient } from '@idp.global/idpclient';
 // Initialize the client
 const idpClient = new IdpClient('https://idp.global');
 // Enable WebSocket connection
 await idpClient.enableTypedSocket();
 // Check login status
 const isLoggedIn = await idpClient.determineLoginStatus();
 if (isLoggedIn) {
  const userInfo = await idpClient.whoIs();
  console.log('Logged in as:', userInfo.user.data.name);
 }
 ```
 ## Core Features
 ### Authentication
 #### Password Login
 ```typescript
 const response = await idpClient.requests.loginWithUserNameAndPassword.fire({
  username: 'user@example.com',
  password: 'securepassword',
 });
 if (response.refreshToken) {
  await idpClient.refreshJwt(response.refreshToken);
  console.log('Login successful!');
 } else if (response.twoFaNeeded) {
  console.log('2FA verification required');
 }
 ```
 #### Magic Link Login
 ```typescript
 // Request magic link
 await idpClient.requests.loginWithEmail.fire({
  email: 'user@example.com',
 });
 // After clicking the email link
 const result = await idpClient.requests.loginWithEmailAfterToken.fire({
  email: 'user@example.com',
  token: 'token-from-email-link',
 });
 if (result.refreshToken) {
  await idpClient.refreshJwt(result.refreshToken);
 }
 ```
 #### API Token Login
 ```typescript
 const result = await idpClient.requests.loginWithApiToken.fire({
  apiToken: 'your-api-token',
 });
 if (result.jwt) {
  await idpClient.setJwt(result.jwt);
 }
 ```
 ### Session Management
 ```typescript
 // Get current JWT
 const jwt = await idpClient.getJwt();
 // Get parsed JWT data
 const jwtData = await idpClient.getJwtData();
 console.log('User ID:', jwtData.id);
 // Refresh JWT (automatic housekeeping)
 await idpClient.performJwtHousekeeping();
 // Manual refresh
 await idpClient.refreshJwt();
 // Logout
 await idpClient.logout();
 ```
 ### User Information
 ```typescript
 // Get current user details
 const whoIsResponse = await idpClient.whoIs();
 console.log('Name:', whoIsResponse.user.data.name);
 console.log('Email:', whoIsResponse.user.data.email);
 // Get user data
 const userData = await idpClient.requests.getUserData.fire({
  jwt: await idpClient.getJwt(),
  userId: jwtData.id,
 });
 // Update user data
 await idpClient.requests.setUserData.fire({
  jwt: await idpClient.getJwt(),
  userId: jwtData.id,
  name: 'New Name',
 });
 ```
 ### Organization Management
 ```typescript
 // Get user's organizations and roles
 const orgsAndRoles = await idpClient.getRolesAndOrganizations();
 console.log('Organizations:', orgsAndRoles.organizations);
 console.log('Roles:', orgsAndRoles.roles);
 // Create a new organization
 const result = await idpClient.createOrganization(
  'My Company',       // name
  'my-company',       // slug
  'manifest'          // mode: 'checkAvailability' or 'manifest'
 );
 if (result.resultingOrganization) {
  console.log('Created:', result.resultingOrganization.id);
 }
 // Get organization details
 const orgDetails = await idpClient.requests.getOrganizationById.fire({
  jwt: await idpClient.getJwt(),
  organizationId: 'org-id',
 });
 ```
 ### Member & Invitation Management
 ```typescript
 // Get organization members
 const members = await idpClient.requests.getOrgMembers.fire({
  jwt: await idpClient.getJwt(),
  organizationId: 'org-id',
 });
 // Invite a new member
 await idpClient.requests.createInvitation.fire({
  jwt: await idpClient.getJwt(),
  organizationId: 'org-id',
  email: 'newmember@example.com',
  roles: ['member'],
 });
 // Bulk invite members
 await idpClient.requests.bulkCreateInvitations.fire({
  jwt: await idpClient.getJwt(),
  organizationId: 'org-id',
  invitations: [
    { email: 'user1@example.com', roles: ['member'] },
    { email: 'user2@example.com', roles: ['admin'] },
  ],
 });
 // Accept an invitation
 await idpClient.requests.acceptInvitation.fire({
  jwt: await idpClient.getJwt(),
  invitationToken: 'token-from-invite-email',
 });
 // Remove a member
 await idpClient.requests.removeMember.fire({
  jwt: await idpClient.getJwt(),
  organizationId: 'org-id',
  userId: 'user-id',
 });
 // Transfer ownership
 await idpClient.requests.transferOwnership.fire({
  jwt: await idpClient.getJwt(),
  organizationId: 'org-id',
  newOwnerId: 'new-owner-user-id',
 });
 ```
 ### Password Management
 ```typescript
 // Request password reset
 await idpClient.requests.resetPassword.fire({
  email: 'user@example.com',
 });
 // Set new password (with token from email)
 await idpClient.requests.setNewPassword.fire({
  email: 'user@example.com',
  tokenArg: 'reset-token',
  newPassword: 'newsecurepassword',
 });
 // Change password (when logged in)
 await idpClient.requests.setNewPassword.fire({
  email: 'user@example.com',
  oldPassword: 'currentpassword',
  newPassword: 'newsecurepassword',
 });
 ```
 ### Session & Device Management
 ```typescript
 // Get active sessions
 const sessions = await idpClient.requests.getUserSessions.fire({
  jwt: await idpClient.getJwt(),
  userId: jwtData.id,
 });
 // Revoke a session
 await idpClient.requests.revokeSession.fire({
  jwt: await idpClient.getJwt(),
  sessionId: 'session-id',
 });
 // Get device ID
 const deviceInfo = await idpClient.requests.obtainDeviceId.fire({});
 // Attach device to session
 await idpClient.requests.attachDeviceId.fire({
  jwt: await idpClient.getJwt(),
  deviceId: deviceInfo.deviceId.id,
 });
 ```
 ### Cross-Domain Authentication
 ```typescript
 // Get transfer token for SSO between apps
 const transferToken = await idpClient.getTransferToken();
 // Switch to another app with authentication
 await idpClient.getTransferTokenAndSwitchToLocation('https://app.example.com/');
 // Process incoming transfer token (in target app)
 const success = await idpClient.processTransferToken();
 if (success) {
  console.log('Cross-domain login successful');
 }
 ```
 ### Billing Integration
 ```typescript
 // Get billing plan for an organization
 const billingPlan = await idpClient.requests.getBillingPlan.fire({
  jwt: await idpClient.getJwt(),
  organizationId: 'org-id',
 });
 // Get Paddle configuration
 const paddleConfig = await idpClient.requests.getPaddleConfig.fire({
  jwt: await idpClient.getJwt(),
 });
 // Update payment method
 await idpClient.updatePaddleCheckoutId('org-id', 'checkout-id');
 ```
 ### Admin Operations (Global Admins Only)
 ```typescript
 // Check if user is global admin
 const isAdmin = await idpClient.requests.checkGlobalAdmin.fire({
  jwt: await idpClient.getJwt(),
 });
 // Get platform statistics
 const stats = await idpClient.requests.getGlobalAppStats.fire({
  jwt: await idpClient.getJwt(),
 });
 // Create a global app
 await idpClient.requests.createGlobalApp.fire({
  jwt: await idpClient.getJwt(),
  name: 'My App',
  description: 'App description',
 });
 // Suspend a user
 await idpClient.requests.suspendUser.fire({
  jwt: await idpClient.getJwt(),
  userId: 'user-id',
 });
 ```
 ## Reactive Subscriptions
 The client provides RxJS subjects for reactive updates:
 ```typescript
 // Subscribe to login status changes
 idpClient.statusObservable.subscribe((status) => {
  console.log('Login status changed:', status);
 });
 // Subscribe to roles updates
 idpClient.rolesReplaySubject.subscribe((roles) => {
  console.log('Roles updated:', roles);
 });
 // Subscribe to organizations updates
 idpClient.organizationsReplaySubject.subscribe((orgs) => {
  console.log('Organizations updated:', orgs);
 });
 ```
 ## API Reference
 ### IdpClient Class
 | Method | Description |
 |--------|-------------|
 | `enableTypedSocket()` | Initialize WebSocket connection |
 | `determineLoginStatus(requireLogin?)` | Check if user is logged in |
 | `getJwt()` | Get stored JWT string |
 | `getJwtData()` | Get parsed JWT data |
 | `setJwt(jwt)` | Store JWT |
 | `deleteJwt()` | Remove stored JWT |
 | `refreshJwt(refreshToken?)` | Refresh the JWT |
 | `performJwtHousekeeping()` | Auto-refresh JWT if needed |
 | `logout()` | End session and redirect |
 | `whoIs()` | Get current user info |
 | `getRolesAndOrganizations()` | Get user's orgs and roles |
 | `createOrganization(name, slug, mode)` | Create new organization |
 | `getTransferToken(appData?)` | Get SSO transfer token |
 | `processTransferToken()` | Process incoming transfer token |
 | `stop()` | Close WebSocket connection |
 ### IdpRequests Class
 Access via `idpClient.requests.*`:
 **Authentication**: `loginWithUserNameAndPassword`, `loginWithEmail`, `loginWithEmailAfterToken`, `loginWithApiToken`, `resetPassword`, `setNewPassword`
 **User**: `getUserData`, `setUserData`, `getUserSessions`, `revokeSession`, `getUserActivity`
 **Organization**: `getOrganizationById`, `updateOrganization`, `createInvitation`, `bulkCreateInvitations`, `getOrgMembers`, `getOrgInvitations`, `acceptInvitation`, `cancelInvitation`, `resendInvitation`, `removeMember`, `updateMemberRoles`, `transferOwnership`
 **Billing**: `getBillingPlan`, `getPaddleConfig`
 **Admin**: `checkGlobalAdmin`, `getGlobalAppStats`, `createGlobalApp`, `updateGlobalApp`, `deleteGlobalApp`, `suspendUser`, `deleteSuspendedUser`
 ## License
 MIT - See the main repository for full license details.
@@ -0,0 +1,4 @@
 {
  "name": "@idp.global/client",
  "order": 3
 }
@@ -1,5 +1,6 @@
 export * from './loint-reception.activity.js';
 export * from './loint-reception.app.js';
 export * from './loint-reception.oidc.js';
 export * from './loint-reception.appconnection.js';
 export * from './loint-reception.billingplan.js';
 export * from './loint-reception.device.js';
@@ -0,0 +1,267 @@
 /**
 * OIDC (OpenID Connect) data interfaces for third-party client support
 */
 /**
 * Supported OIDC scopes
 */
 export type TOidcScope = 'openid' | 'profile' | 'email' | 'organizations' | 'roles';
 /**
 * Authorization code for OAuth 2.0 authorization code flow
 */
 export interface IAuthorizationCode {
  /** The authorization code string */
  code: string;
  /** OAuth client ID */
  clientId: string;
  /** User ID who authorized */
  userId: string;
  /** Scopes granted */
  scopes: TOidcScope[];
  /** Redirect URI used in authorization request */
  redirectUri: string;
  /** PKCE code challenge (S256 hashed) */
  codeChallenge?: string;
  /** PKCE code challenge method */
  codeChallengeMethod?: 'S256';
  /** Nonce from authorization request (for ID token) */
  nonce?: string;
  /** Expiration timestamp (10 minutes from creation) */
  expiresAt: number;
  /** Whether the code has been used (single-use) */
  used: boolean;
 }
 /**
 * OIDC Access Token (opaque or JWT)
 */
 export interface IOidcAccessToken {
  /** Token identifier */
  id: string;
  /** The access token string (or hash for storage) */
  tokenHash: string;
  /** OAuth client ID */
  clientId: string;
  /** User ID */
  userId: string;
  /** Granted scopes */
  scopes: TOidcScope[];
  /** Expiration timestamp */
  expiresAt: number;
  /** Creation timestamp */
  issuedAt: number;
 }
 /**
 * OIDC Refresh Token
 */
 export interface IOidcRefreshToken {
  /** Token identifier */
  id: string;
  /** The refresh token string (or hash for storage) */
  tokenHash: string;
  /** OAuth client ID */
  clientId: string;
  /** User ID */
  userId: string;
  /** Granted scopes */
  scopes: TOidcScope[];
  /** Expiration timestamp */
  expiresAt: number;
  /** Creation timestamp */
  issuedAt: number;
  /** Whether the token has been revoked */
  revoked: boolean;
 }
 /**
 * User consent record for an OAuth client
 */
 export interface IUserConsent {
  /** Unique identifier */
  id: string;
  /** User who gave consent */
  userId: string;
  /** OAuth client ID */
  clientId: string;
  /** Scopes the user consented to */
  scopes: TOidcScope[];
  /** When consent was granted */
  grantedAt: number;
  /** When consent was last updated */
  updatedAt: number;
 }
 /**
 * OIDC Discovery Document (OpenID Provider Configuration)
 */
 export interface IOidcDiscoveryDocument {
  issuer: string;
  authorization_endpoint: string;
  token_endpoint: string;
  userinfo_endpoint: string;
  jwks_uri: string;
  revocation_endpoint: string;
  scopes_supported: TOidcScope[];
  response_types_supported: string[];
  grant_types_supported: string[];
  subject_types_supported: string[];
  id_token_signing_alg_values_supported: string[];
  token_endpoint_auth_methods_supported: string[];
  code_challenge_methods_supported: string[];
  claims_supported: string[];
 }
 /**
 * JSON Web Key Set (JWKS) response
 */
 export interface IJwks {
  keys: IJwk[];
 }
 /**
 * JSON Web Key (RSA public key)
 */
 export interface IJwk {
  kty: 'RSA';
  use: 'sig';
  alg: 'RS256';
  kid: string;
  n: string;  // RSA modulus (base64url encoded)
  e: string;  // RSA exponent (base64url encoded)
 }
 /**
 * ID Token claims (JWT payload)
 */
 export interface IIdTokenClaims {
  /** Issuer (idp.global URL) */
  iss: string;
  /** Subject (user ID) */
  sub: string;
  /** Audience (client ID) */
  aud: string;
  /** Expiration time (Unix timestamp) */
  exp: number;
  /** Issued at (Unix timestamp) */
  iat: number;
  /** Authentication time (Unix timestamp) */
  auth_time?: number;
  /** Nonce (if provided in authorization request) */
  nonce?: string;
  /** Access token hash (for hybrid flows) */
  at_hash?: string;
  // Profile scope claims
  name?: string;
  preferred_username?: string;
  picture?: string;
  // Email scope claims
  email?: string;
  email_verified?: boolean;
  // Custom claims for organizations scope
  organizations?: IOrganizationClaim[];
  // Custom claims for roles scope
  roles?: string[];
 }
 /**
 * Organization claim in ID token / userinfo
 */
 export interface IOrganizationClaim {
  id: string;
  name: string;
  slug: string;
  roles: string[];
 }
 /**
 * UserInfo endpoint response
 */
 export interface IUserInfoResponse {
  /** Subject (user ID) - always included */
  sub: string;
  // Profile scope
  name?: string;
  preferred_username?: string;
  picture?: string;
  // Email scope
  email?: string;
  email_verified?: boolean;
  // Organizations scope (custom)
  organizations?: IOrganizationClaim[];
  // Roles scope (custom)
  roles?: string[];
 }
 /**
 * Token endpoint response
 */
 export interface ITokenResponse {
  access_token: string;
  token_type: 'Bearer';
  expires_in: number;
  refresh_token?: string;
  id_token?: string;
  scope: string;
 }
 /**
 * Token endpoint error response
 */
 export interface ITokenErrorResponse {
  error: 'invalid_request' | 'invalid_client' | 'invalid_grant' | 'unauthorized_client' | 'unsupported_grant_type' | 'invalid_scope';
  error_description?: string;
  error_uri?: string;
 }
 /**
 * Authorization request parameters
 */
 export interface IAuthorizationRequest {
  client_id: string;
  redirect_uri: string;
  response_type: 'code';
  scope: string;
  state: string;
  code_challenge?: string;
  code_challenge_method?: 'S256';
  nonce?: string;
  prompt?: 'none' | 'login' | 'consent';
 }
 /**
 * Token request for authorization_code grant
 */
 export interface ITokenRequestAuthCode {
  grant_type: 'authorization_code';
  code: string;
  redirect_uri: string;
  client_id: string;
  client_secret?: string;
  code_verifier?: string;
 }
 /**
 * Token request for refresh_token grant
 */
 export interface ITokenRequestRefresh {
  grant_type: 'refresh_token';
  refresh_token: string;
  client_id: string;
  client_secret?: string;
  scope?: string;
 }
 /**
 * Union type for token requests
 */
 export type ITokenRequest = ITokenRequestAuthCode | ITokenRequestRefresh;
@@ -0,0 +1,312 @@
 # @idp.global/interfaces
 TypeScript interfaces and type definitions for the idp.global Identity Provider platform.
 ## Overview
 This package provides the complete type system for idp.global, including data models, API request/response interfaces, and OIDC definitions. Use this package when building applications that integrate with idp.global or when you need type-safe interactions with the IdP API.
 ## Installation
 ```bash
 npm install @idp.global/interfaces
 # or
 pnpm add @idp.global/interfaces
 ```
 ## Usage
 ```typescript
 import { data, request, tags } from '@idp.global/interfaces';
 // Data interfaces
 const user: data.IUser = {
  id: 'user_123',
  data: {
    name: 'John Doe',
    username: 'johndoe',
    email: 'john@example.com',
    status: 'active',
    connectedOrgs: ['org_1', 'org_2'],
  },
 };
 // Organization interface
 const org: data.IOrganization = {
  id: 'org_1',
  data: {
    name: 'Acme Corp',
    slug: 'acme',
    billingPlanId: 'plan_free',
    roleIds: ['role_admin', 'role_member'],
  },
 };
 ```
 ## Package Structure
 ```
 ts_interfaces/
 ├── data/                    # Data model interfaces
 │   ├── loint-reception.user.ts         # User profiles
 │   ├── loint-reception.organization.ts # Organizations
 │   ├── loint-reception.role.ts         # RBAC roles
 │   ├── loint-reception.app.ts          # OAuth applications
 │   ├── loint-reception.oidc.ts         # OIDC tokens & flows
 │   ├── loint-reception.jwt.ts          # JWT structures
 │   ├── loint-reception.loginsession.ts # Login sessions
 │   ├── loint-reception.billingplan.ts  # Billing plans
 │   ├── loint-reception.device.ts       # Device management
 │   ├── loint-reception.activity.ts     # Activity logs
 │   ├── loint-reception.userinvitation.ts # Invitations
 │   └── loint-reception.appconnection.ts  # App connections
 ├── request/                 # API request/response interfaces
 │   ├── loint-reception.login.ts        # Authentication
 │   ├── loint-reception.registration.ts # User registration
 │   ├── loint-reception.user.ts         # User management
 │   ├── loint-reception.organization.ts # Org management
 │   ├── loint-reception.jwt.ts          # JWT operations
 │   ├── loint-reception.apitoken.ts     # API tokens
 │   ├── loint-reception.app.ts          # App management
 │   ├── loint-reception.billingplan.ts  # Billing
 │   └── loint-reception.admin.ts        # Admin operations
 └── tags/                    # Tag definitions
 ```
 ## Data Interfaces
 ### User (`IUser`)
 ```typescript
 interface IUser {
  id: string;
  data: {
    name: string;
    username: string;
    email: string;
    mobileNumber?: string;
    password?: string;        // Only during initial setting
    passwordHash?: string;    // For validation
    status: 'new' | 'active' | 'deleted' | 'suspended';
    connectedOrgs: string[];  // Organization IDs
    isGlobalAdmin?: boolean;  // Platform admin flag
  };
 }
 ```
 ### Organization (`IOrganization`)
 ```typescript
 interface IOrganization {
  id: string;
  data: {
    name: string;
    slug: string;
    billingPlanId: string;
    roleIds: string[];
  };
 }
 ```
 ### Role (`IRole`)
 ```typescript
 interface IRole {
  id: string;
  data: {
    name: string;
    organizationId: string;
    userId: string;
    permissions: string[];
  };
 }
 ```
 ### OAuth Application Types
 ```typescript
 // Global platform apps (maintained by platform admins)
 interface IGlobalApp {
  id: string;
  type: 'globalApp';
  data: {
    name: string;
    description: string;
    iconBase64?: string;
    oauthCredentials?: IOAuthCredentials;
  };
 }
 // Partner apps (third-party integrations)
 interface IPartnerApp {
  id: string;
  type: 'partnerApp';
  data: {
    name: string;
    description: string;
    ownerOrganizationId: string;
    oauthCredentials?: IOAuthCredentials;
  };
 }
 // Custom OIDC clients
 interface ICustomOidcApp {
  id: string;
  type: 'customOidcApp';
  data: {
    name: string;
    description: string;
    ownerOrganizationId: string;
    oauthCredentials: IOAuthCredentials;
  };
 }
 ```
 ### OAuth Credentials
 ```typescript
 interface IOAuthCredentials {
  clientId: string;
  clientSecretHash: string;
  redirectUris: string[];
  scopes: string[];
  grantTypes: ('authorization_code' | 'refresh_token' | 'client_credentials')[];
 }
 ```
 ## OIDC Interfaces
 ### Authorization Code
 ```typescript
 interface IAuthorizationCode {
  code: string;
  clientId: string;
  userId: string;
  scopes: string[];
  redirectUri: string;
  codeChallenge?: string;
  codeChallengeMethod?: 'S256';
  expiresAt: number;
  used: boolean;
 }
 ```
 ### Token Response
 ```typescript
 interface ITokenResponse {
  access_token: string;
  token_type: 'Bearer';
  expires_in: number;
  refresh_token?: string;
  id_token?: string;
  scope: string;
 }
 ```
 ### UserInfo Response
 ```typescript
 interface IUserInfoResponse {
  sub: string;
  name?: string;
  preferred_username?: string;
  email?: string;
  email_verified?: boolean;
  organizations?: Array<{
    id: string;
    name: string;
    slug: string;
    roles: string[];
  }>;
  roles?: string[];
 }
 ```
 ### ID Token Claims
 ```typescript
 interface IIdTokenClaims {
  iss: string;          // Issuer
  sub: string;          // Subject (user ID)
  aud: string;          // Audience (client ID)
  exp: number;          // Expiration time
  iat: number;          // Issued at
  nonce?: string;       // Replay protection
  name?: string;
  email?: string;
  email_verified?: boolean;
  organizations?: Array<{...}>;
  roles?: string[];
 }
 ```
 ## Request Interfaces
 All API requests follow the TypedRequest pattern:
 ```typescript
 interface IReq_LoginWithEmailOrUsernameAndPassword {
  method: 'loginWithEmailOrUsernameAndPassword';
  request: {
    username: string;
    password: string;
  };
  response: {
    refreshToken?: string;
    twoFaNeeded: boolean;
  };
 }
 ```
 ### Authentication Requests
 | Interface | Method | Description |
 |-----------|--------|-------------|
 | `IReq_LoginWithEmailOrUsernameAndPassword` | `loginWithEmailOrUsernameAndPassword` | Password login |
 | `IReq_LoginWithEmail` | `loginWithEmail` | Magic link request |
 | `IReq_LoginWithEmailAfterEmailTokenAquired` | `loginWithEmailAfterEmailTokenAquired` | Magic link verification |
 | `IReq_LoginWithApiToken` | `loginWithApiToken` | API token login |
 | `IReq_RefreshJwt` | `refreshJwt` | Refresh access token |
 | `ILogoutRequest` | `logout` | End session |
 ### User Management Requests
 | Interface | Method | Description |
 |-----------|--------|-------------|
 | `IReq_GetUserData` | `getUserData` | Get current user |
 | `IReq_SetUserData` | `setUserData` | Update user profile |
 | `IReq_GetUserSessions` | `getUserSessions` | List active sessions |
 | `IReq_ResetPassword` | `resetPassword` | Request password reset |
 | `IReq_SetNewPassword` | `setNewPassword` | Set new password |
 ### Organization Requests
 | Interface | Method | Description |
 |-----------|--------|-------------|
 | `IReq_CreateOrganization` | `createOrganization` | Create new org |
 | `IReq_GetOrgMembers` | `getOrgMembers` | List org members |
 | `IReq_CreateInvitation` | `createInvitation` | Invite user |
 | `IReq_AcceptInvitation` | `acceptInvitation` | Accept invite |
 ### JWT Operations
 | Interface | Method | Description |
 |-----------|--------|-------------|
 | `IReq_GetPublicKeyForValidation` | `getPublicKeyForValidation` | Get JWT public key |
 | `IReq_GetJwtIdBlocklist` | `getJwtIdBlocklist` | Get revoked token IDs |
 ## Supported OIDC Scopes
 | Scope | Description |
 |-------|-------------|
 | `openid` | Required for OIDC flows |
 | `profile` | User's name and username |
 | `email` | User's email address |
 | `organizations` | User's organization memberships |
 | `roles` | User's roles within organizations |
 ## License
 MIT - See the main repository for full license details.
@@ -1,6 +1,16 @@
 import * as data from '../data/index.js';
 import * as plugins from '../loint-reception.plugins.js';
 /**
 * Request to get the public key for JWT validation.
 *
 * **Direction:** Client → idp.global
 * **Requester:** Backend services that need to verify JWTs
 * **Handler:** idp.global
 *
 * Use this to fetch the current public key for verifying JWT signatures.
 * The backend token authenticates the requesting service.
 */
 export interface IReq_GetPublicKeyForValidation
  extends plugins.typedRequestInterfaces.implementsTR<
    plugins.typedRequestInterfaces.ITypedRequest,
@@ -15,6 +25,16 @@ export interface IReq_GetPublicKeyForValidation
  };
 }
 /**
 * Push public key to connected backend services for JWT validation.
 *
 * **Direction:** idp.global → Client
 * **Requester:** idp.global (pushes when the JWT signing key rotates)
 * **Handler:** Backend services - must register a TypedHandler for this method
 *
 * Backend services should register a handler using `IdpClient.onPublicKeyPush()`
 * to receive key rotation updates and update their local key cache.
 */
 export interface IReq_PushPublicKeyForValidation
  extends plugins.typedRequestInterfaces.implementsTR<
    plugins.typedRequestInterfaces.ITypedRequest,
@@ -28,7 +48,21 @@ export interface IReq_PushPublicKeyForValidation
 }
 /**
- * allows getting or pushing a blocklist of jwt ids
+ * Push or get JWT ID blocklist for revoked tokens.
 *
 * **Bidirectional:**
 * - **GET direction:** Client → idp.global - Client requests current blocklist
 * - **PUSH direction:** idp.global → Client - Server pushes new blocklisted IDs
 *
 * **For GET (client fires):**
 * - Fire with empty/undefined `blockedJwtIds` to request the full blocklist
 * - Response contains the complete list of blocked JWT IDs
 * - Use `IdpClient.requests.getJwtIdBlocklist` for this direction
 *
 * **For PUSH (idp.global fires):**
 * - idp.global sends newly blocklisted JWT IDs to connected clients
 * - Clients must register a handler using `IdpClient.onBlocklistPush()`
 * - Store received IDs locally to reject revoked tokens
 */
 export interface IReq_PushOrGetJwtIdBlocklist
  extends plugins.typedRequestInterfaces.implementsTR<
@@ -0,0 +1,3 @@
 {
  "order": 1
 }
@@ -3,6 +3,6 @@
 */
 export const commitinfo = {
  name: '@idp.global/idp.global',
-  version: '1.11.0',
+  version: '1.14.1',
  description: 'An identity provider software managing user authentications, registrations, and sessions.'
 }
@@ -30,6 +30,19 @@ export const cardStyles = css`
  }
 `;
 /**
 * Base styles for all view components
 * Provides consistent background and foreground colors
 */
 export const viewBaseStyles = css`
  :host {
    display: block;
    min-height: 100%;
    background: var(--background);
    color: var(--foreground);
  }
 `;
 /**
 * Typography styles for consistent text hierarchy
 */
@@ -108,10 +121,3 @@ export const navigationStyles = css`
  }
 `;
 /**
 * Legacy export for backwards compatibility
 */
 export default css`
  ${accountDesignTokens}
  ${typographyStyles}
 `;
@@ -11,7 +11,7 @@ import {
 } from '@design.estate/dees-element';
 import { IdpState } from '../../../states/idp.state.js';
-import { accountDesignTokens } from '../sharedstyles.js';
+import * as sharedStyles from '../sharedstyles.js';
 declare global {
  interface HTMLElementTagNameMap {
@@ -43,15 +43,9 @@ export class AdminView extends DeesElement {
  public static styles = [
    cssManager.defaultStyles,
-    accountDesignTokens,
+    sharedStyles.accountDesignTokens,
    sharedStyles.viewBaseStyles,
    css`
      :host {
        display: block;
        min-height: 100%;
        background: var(--background);
        color: var(--foreground);
      }
      .container {
        max-width: 1200px;
        margin: 0 auto;
@@ -9,7 +9,7 @@ import {
  state,
 } from '@design.estate/dees-element';
-import sharedStyles, { accountDesignTokens, cardStyles, typographyStyles } from '../sharedstyles.js';
+import * as sharedStyles from '../sharedstyles.js';
 import * as accountState from '../../../states/accountstate.js';
 import { IdpState } from '../../../states/idp.state.js';
@@ -45,12 +45,12 @@ export class AppsView extends DeesElement {
  public static styles = [
    cssManager.defaultStyles,
-    accountDesignTokens,
+    sharedStyles.accountDesignTokens,
-    cardStyles,
+    sharedStyles.viewBaseStyles,
-    typographyStyles,
+    sharedStyles.cardStyles,
    sharedStyles.typographyStyles,
    css`
      :host {
        display: block;
        padding: 48px;
        max-width: 1000px;
        margin: 0 auto;
@@ -10,7 +10,7 @@ import {
  type TemplateResult,
 } from '@design.estate/dees-element';
-import { accountDesignTokens } from '../sharedstyles.js';
+import * as sharedStyles from '../sharedstyles.js';
 import * as accountStateModule from '../../../states/accountstate.js';
 import { IdpState } from '../../../states/idp.state.js';
@@ -59,15 +59,9 @@ export class BaseView extends DeesElement {
  public static styles = [
    cssManager.defaultStyles,
-    accountDesignTokens,
+    sharedStyles.accountDesignTokens,
    sharedStyles.viewBaseStyles,
    css`
      :host {
        display: block;
        min-height: 100%;
        background: var(--background);
        color: var(--foreground);
      }
      .container {
        max-width: 1000px;
        margin: 0 auto;
@@ -10,7 +10,7 @@ import {
  type TemplateResult,
 } from '@design.estate/dees-element';
-import { accountDesignTokens } from '../sharedstyles.js';
+import * as sharedStyles from '../sharedstyles.js';
 import * as accountStateModule from '../../../states/accountstate.js';
 import { IdpState } from '../../../states/idp.state.js';
@@ -41,14 +41,9 @@ export class OrgView extends DeesElement {
  public static styles = [
    cssManager.defaultStyles,
-    accountDesignTokens,
+    sharedStyles.accountDesignTokens,
    sharedStyles.viewBaseStyles,
    css`
      :host {
        display: block;
        min-height: 100%;
        background: var(--background);
        color: var(--foreground);
      }
      .container {
        max-width: 1000px;
@@ -9,7 +9,7 @@ import {
 } from '@design.estate/dees-element';
 import * as plugins from '../../../plugins.js';
-import sharedStyles from '../sharedstyles.js';
+import * as sharedStyles from '../sharedstyles.js';
 import * as state from '../../../states/accountstate.js';
 import { IdpState } from '../../../states/idp.state.js';
@@ -23,13 +23,13 @@ declare global {
 export class PaddleSetupView extends DeesElement {
  public static styles = [
    cssManager.defaultStyles,
-    sharedStyles,
+    sharedStyles.accountDesignTokens,
    sharedStyles.viewBaseStyles,
    css`
      :host {
-        display: block;
+        padding: 48px;
        max-width: 900px;
-        margin: auto;
+        margin: 0 auto;
        color: ${cssManager.bdTheme('#333', '#fff')};
      }
    `,
  ];
@@ -8,7 +8,7 @@ import {
  css,
 } from '@design.estate/dees-element';
-import sharedStyles, { accountDesignTokens, cardStyles, typographyStyles } from '../sharedstyles.js';
+import * as sharedStyles from '../sharedstyles.js';
 import * as state from '../../../states/accountstate.js';
@@ -46,12 +46,12 @@ export class SubscriptionView extends DeesElement {
  public static styles = [
    cssManager.defaultStyles,
-    accountDesignTokens,
+    sharedStyles.accountDesignTokens,
-    cardStyles,
+    sharedStyles.viewBaseStyles,
-    typographyStyles,
+    sharedStyles.cardStyles,
    sharedStyles.typographyStyles,
    css`
      :host {
        display: block;
        padding: 48px;
        max-width: 900px;
        margin: 0 auto;
@@ -9,7 +9,7 @@ import {
  type TemplateResult,
 } from '@design.estate/dees-element';
-import sharedStyles, { accountDesignTokens, cardStyles, typographyStyles } from '../sharedstyles.js';
+import * as sharedStyles from '../sharedstyles.js';
 import * as accountState from '../../../states/accountstate.js';
 import { IdpState } from '../../../states/idp.state.js';
 import { BulkInviteModal } from '../bulk-invite-modal.js';
@@ -83,12 +83,12 @@ export class UsersView extends DeesElement {
  public static styles = [
    cssManager.defaultStyles,
-    accountDesignTokens,
+    sharedStyles.accountDesignTokens,
-    cardStyles,
+    sharedStyles.viewBaseStyles,
-    typographyStyles,
+    sharedStyles.cardStyles,
    sharedStyles.typographyStyles,
    css`
      :host {
        display: block;
        padding: 48px;
        max-width: 1000px;
        margin: 0 auto;
@@ -0,0 +1,256 @@
 # @idp.global/web
 Web Components and UI elements for the idp.global Identity Provider platform. Built with `@design.estate/dees-element` and the dees-catalog component library.
 ## Overview
 This package provides the complete web interface for idp.global, including authentication flows, account management, and organization administration. All components are built as Web Components using the Lit-based `dees-element` framework.
 ## Installation
 ```bash
 npm install @idp.global/web
 # or
 pnpm add @idp.global/web
 ```
 ## Architecture
 ```
 ts_web/
 ├── index.ts                 # Application entry point
 ├── plugins.ts               # Plugin imports
 ├── views/
 │   ├── viewcontainer.ts     # Main view router
 │   └── index.ts
 ├── elements/                # Web Components
 │   ├── idp-loginprompt.ts        # Login form
 │   ├── idp-registerprompt.ts     # Registration form
 │   ├── idp-registration-stepper.ts # Multi-step registration
 │   ├── idp-centercontainer.ts    # Centered layout container
 │   ├── idp-transfermanager.ts    # SSO transfer handling
 │   ├── idp-welcome.ts            # Welcome/landing page
 │   └── account/                  # Account dashboard components
 │       ├── content.ts            # Main account layout
 │       ├── navigation.ts         # Sidebar navigation
 │       ├── org-select-modal.ts   # Organization switcher
 │       ├── create-org-modal.ts   # Create organization dialog
 │       ├── bulk-invite-modal.ts  # Bulk member invite dialog
 │       └── views/                # Account sub-views
 │           ├── baseview.ts       # Base view class
 │           ├── usersview.ts      # User profile view
 │           ├── orgview.ts        # Organization details
 │           ├── orgsetup.ts       # Organization setup
 │           ├── appsview.ts       # Connected apps
 │           ├── adminview.ts      # Global admin panel
 │           ├── subscriptions.ts  # Billing subscriptions
 │           └── paddlesetup.ts    # Payment setup
 └── states/
    ├── idp.state.ts          # Main application state
    └── accountstate.ts       # Account dashboard state
 ```
 ## Components
 ### Authentication Components
 #### `<idp-loginprompt>`
 Login form supporting password and magic link authentication.
 ```html
 <idp-loginprompt></idp-loginprompt>
 ```
 Features:
 - Email/username + password login
 - Magic link (passwordless) authentication
 - Automatic button text based on password presence
 - Form validation and error handling
 - Redirect to registration
 #### `<idp-registerprompt>`
 Initial registration form for new users.
 ```html
 <idp-registerprompt></idp-registerprompt>
 ```
 #### `<idp-registration-stepper>`
 Multi-step registration wizard for completing user profile.
 ```html
 <idp-registration-stepper></idp-registration-stepper>
 ```
 Steps include:
 - Profile information
 - Email verification
 - Mobile verification (optional)
 - Password setup
 ### Layout Components
 #### `<idp-viewcontainer>`
 Main view container that handles routing between views.
 ```html
 <idp-viewcontainer></idp-viewcontainer>
 ```
 Supported views:
 - `welcome` - Landing page
 - `login` - Login form
 - `register` - Registration form
 - `finishregistration` - Registration stepper
 - `account` - Account dashboard
 #### `<idp-centercontainer>`
 Centered container with animation support for forms.
 ```html
 <idp-centercontainer>
  <h2>Your Content</h2>
  <form>...</form>
 </idp-centercontainer>
 ```
 Methods:
 - `show()` - Animate container into view
 - `hide()` - Animate container out of view
 ### Account Dashboard Components
 #### `<idp-account-content>`
 Main account dashboard layout with navigation.
 ```html
 <idp-account-content></idp-account-content>
 ```
 #### Navigation Views
 | Component | Route | Description |
 |-----------|-------|-------------|
 | `<idp-usersview>` | `/account/users` | User profile management |
 | `<idp-orgview>` | `/account/org` | Organization details |
 | `<idp-orgsetup>` | `/account/orgsetup` | Organization configuration |
 | `<idp-appsview>` | `/account/apps` | Connected applications |
 | `<idp-adminview>` | `/account/admin` | Global admin panel |
 | `<idp-subscriptions>` | `/account/subscriptions` | Billing management |
 | `<idp-paddlesetup>` | `/account/paddle` | Payment method setup |
 ### Modal Components
 #### `<idp-org-select-modal>`
 Organization switcher modal for users with multiple organizations.
 #### `<idp-create-org-modal>`
 Dialog for creating new organizations with slug validation.
 #### `<idp-bulk-invite-modal>`
 Bulk invitation dialog for inviting multiple members at once.
 ## State Management
 ### IdpState
 Central application state using `@push.rocks/smartstate`.
 ```typescript
 import { IdpState } from '@idp.global/web';
 const idpState = await IdpState.getSingletonInstance();
 // Access IdP client
 const isLoggedIn = await idpState.idpClient.determineLoginStatus();
 // Access router
 idpState.domtools.router.pushUrl('/login');
 // Subscribe to view changes
 idpState.mainStatePart.select(s => s.view).subscribe(view => {
  console.log('Current view:', view);
 });
 ```
 ### AccountState
 State for the account dashboard section.
 ```typescript
 import { AccountState } from '@idp.global/web';
 const accountState = await AccountState.getSingletonInstance();
 // Access current organization
 const currentOrg = accountState.currentOrganization;
 // Access user roles
 const roles = accountState.userRoles;
 ```
 ## Styling
 Components use CSS custom properties for theming:
 ```css
 :host {
  --foreground: hsl(0 0% 98%);
  --muted-foreground: hsl(240 5% 64.9%);
  --background-accent: #303f9f;
 }
 ```
 All components include:
 - Dark mode by default
 - Geist Sans font family
 - Smooth animations
 - Responsive layouts
 ## Dependencies
 - `@design.estate/dees-element` - Web Component base class
 - `@design.estate/dees-catalog` - UI component library
 - `@design.estate/dees-domtools` - DOM utilities and routing
 - `@idp.global/idpclient` - IdP client library
 - `@idp.global/interfaces` - TypeScript interfaces
 - `@push.rocks/smartstate` - State management
 - `@uptime.link/webwidget` - Status widget
 ## Views and Routes
 | Route | View | Component |
 |-------|------|-----------|
 | `/` | `welcome` | `IdpWelcome` |
 | `/login` | `login` | `IdpLoginPrompt` |
 | `/register` | `register` | `IdpRegistrationPrompt` |
 | `/finishregistration` | `finishregistration` | `IdpRegistrationStepper` |
 | `/account` | `account` | `IdpAccountContent` |
 | `/logout` | - | Logout handler |
 ## Building
 The web module is bundled using `@git.zone/tsbundle`:
 ```bash
 # Development with hot reload
 pnpm watch
 # Production build
 pnpm build
 ```
 The bundled output is served from `dist_ts_web/` by the TypedServer.
 ## License
 MIT - See the main repository for full license details.
@@ -0,0 +1,3 @@
 {
  "order": 5
 }
Author	SHA1	Message	Date
jkunz	724ec2d134	v1.14.1 Docker (tags) / security (push) Failing after 0s Details Docker (tags) / test (push) Has been skipped Details Docker (tags) / release (push) Has been skipped Details Docker (tags) / metadata (push) Has been skipped Details	2025-12-22 15:56:20 +00:00
jkunz	32ffc1bbaa	fix(oidc): migrate OIDC endpoints and internal handlers to use typedserver IRequestContext and update dependencies	2025-12-22 15:56:20 +00:00
jkunz	a91dd9dda6	v1.14.0 Docker (tags) / security (push) Failing after 0s Details Docker (tags) / test (push) Has been skipped Details Docker (tags) / release (push) Has been skipped Details Docker (tags) / metadata (push) Has been skipped Details	2025-12-16 12:46:42 +00:00
jkunz	5462257398	feat(docs): add package READMEs and publish metadata; update web package publish order	2025-12-16 12:46:42 +00:00
jkunz	2ad751ecba	v1.13.0 Docker (tags) / security (push) Failing after 0s Details Docker (tags) / test (push) Has been skipped Details Docker (tags) / release (push) Has been skipped Details Docker (tags) / metadata (push) Has been skipped Details	2025-12-15 19:45:57 +00:00
jkunz	a24b0d8be7	feat(oidc): feat(oidc): add OIDC provider (OidcManager, endpoints, and interfaces)	2025-12-15 19:45:57 +00:00
jkunz	02c700e44d	v1.12.1 Docker (tags) / security (push) Failing after 0s Details Docker (tags) / test (push) Has been skipped Details Docker (tags) / release (push) Has been skipped Details Docker (tags) / metadata (push) Has been skipped Details	2025-12-15 19:17:12 +00:00
jkunz	e9f1b5dac9	fix(dependencies): fix(deps): bump @uptime.link/webwidget to ^1.2.6	2025-12-15 19:17:12 +00:00
jkunz	6645806a87	v1.12.0 Docker (tags) / security (push) Failing after 0s Details Docker (tags) / test (push) Has been skipped Details Docker (tags) / release (push) Has been skipped Details Docker (tags) / metadata (push) Has been skipped Details	2025-12-15 18:58:10 +00:00
jkunz	dc3f232f43	feat(interfaces): Add JWT public-key and blocklist request interfaces, publish ordering files, and update dependencies	2025-12-15 18:58:10 +00:00