@aithos/sdk 0.1.0-alpha.10 → 0.1.0-alpha.12
- package/dist/src/auth.d.ts +24 -0
- package/dist/src/auth.js +20 -1
- package/package.json +1 -1
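--- a/package/dist/src/auth.d.ts
+++ b/package/dist/src/auth.d.ts
@@ -64,7 +64,31 @@ export interface DelegateInfo {
 readonly label?: string;
 }
 export interface SignInWithGoogleOptions {
+/**
+* Opaque state the consumer app wants to recover after the OAuth
+* round-trip (e.g. a deep-link to resume on). Echoed back as
+* `?app_state=` on the final redirect.
+*/
 readonly appState?: string;
+/**
+* App id registered in the Aithos `aithos-auth-apps` table. When set
+* together with {@link returnTo}, the auth backend redirects the
+* browser to {@link returnTo} (post Google + Aithos sign-in) instead
+* of the legacy hard-coded `app.aithos.be/auth/callback`.
+*
+* The pair is required together: the backend rejects half-presence
+* with `sso_app_redirect_pair_required`. Use it for any consumer app
+* other than the canonical `app.aithos.be` (typically your own
+* domain in prod, `http://localhost:<port>/auth/callback` in dev).
+*/
+readonly appId?: string;
+/**
+* Where the auth backend should 302 the browser back to after a
+* successful Google sign-in. MUST be on the app's
+* `allowed_redirect_uris` allowlist (registered with Aithos out of
+* band; see {@link appId}). Exact-match — wildcards rejected.
+*/
+readonly returnTo?: string;
 }
 export interface SignInInput {
 readonly email: string;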
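Review bot: The `appState` doc comment does not tell consumers that the value echoed back as `?app_state=` is untrusted input. The comment itself suggests using it as a deep-link to resume on, so an app that navigates to the returned value without checking it against its own routes would turn its callback page into an open redirect; whether the backend integrity-protects the value is not visible here. I would add a line such as `* Treat the echoed value as untrusted: accept only same-origin paths you recognise before navigating.` The comment could also state the 1024-character limit that the `opts.appState.length > 1024` check in auth.js appears to enforce.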
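--- a/package/dist/src/auth.js
+++ b/package/dist/src/auth.js
@@ -445,6 +445,13 @@ export class AithosAuth {
 if (!this.#win) {
 throw new AithosSDKError("auth_no_window", "AithosAuth.signInWithGoogle requires a browser window");
 }
+// appId + returnTo must come together — the backend rejects
+// half-presence at /sso/google/start. Surface that as a clean SDK
+// error before the network round-trip rather than letting the user
+// bounce to Google and back for nothing.
+if ((opts?.appId && !opts?.returnTo) || (!opts?.appId && opts?.returnTo)) {
+throw new AithosSDKError("auth_sso_app_redirect_pair_required", "appId and returnTo must be provided together (or both omitted to use the legacy redirect)");
+}
 const url = new URL(`${this.authBaseUrl}/auth/sso/google/start`);
 if (opts?.appState) {
 if (opts.appState.length > 1024) {
@@ -452,6 +459,10 @@ export class AithosAuth {
 }
 url.searchParams.set("app_state", opts.appState);
 }
+if (opts?.appId && opts?.returnTo) {
+url.searchParams.set("app_id", opts.appId);
+url.searchParams.set("redirect_uri", opts.returnTo);
+}
 this.#win.location.assign(url.toString());
 throw new AithosSDKError("auth_redirecting", "redirecting to google");
 }
@@ -468,8 +479,16 @@ export class AithosAuth {
 }
 if (!code)
 return null;
-
+// Strip the aithos_code from the URL SYNCHRONOUSLY, before any
+// await. React StrictMode (dev) invokes effects twice — without
+// this, the first call awaits exchange (microtask, code still in
+// the URL), the second invocation reads the same code and POSTs
+// again, hitting `auth_code_consumed: aithos_code expired or
+// already used`. Cleaning before the await makes the second
+// invocation read a clean URL and return null without a network
+// round-trip.
 cleanCallbackParams(this.#win, here);
+const session = await this.exchange(code);
 // Hydrate signers if the SSO response carried an enc_key (Google flow
 // gives us the AES-GCM key in plaintext, encrypted only in transit
 // by TLS — see auth.aithos.be design doc).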
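Review bot: In the third hunk, a second concurrent caller now returns `null` while the first caller's `await this.exchange(code)` is still pending, and a consumer can read that `null` as "no callback, not signed in" and send the user back to the login page mid-exchange. Stripping the one-time code before the await is sound, and it also shortens the time the code sits in the address bar and history, but the duplicate call should share the in-flight result rather than report nothing. Keeping the pending promise in a private field (a proposed name would be `#pendingCallback`) and returning it to later callers until it settles would do that. A rejected `exchange` also leaves no code in the URL to retry with, so the method's doc comment should say the caller has to restart sign-in on error. The enclosing method starts and ends outside the hunk, so how callers use the return value is inferred.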
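--- a/package/package.json
+++ b/package/package.json
@@ -1,6 +1,6 @@
 {
 "name": "@aithos/sdk",
-"version": "0.1.0-alpha.
+"version": "0.1.0-alpha.12",
 "description": "Aithos SDK — high-level TypeScript developer kit for building agentic apps on the Aithos protocol. Wraps @aithos/protocol-client and exposes the Aithos compute proxy and wallet (Stripe top-up) endpoints.",
 "keywords": [
 "aithos",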