@blinkdotnew/sdk 0.19.1 → 0.19.4

package/dist/index.d.mts

@@ -118,6 +118,11 @@ type AuthProvider = 'email' | 'google' | 'github' | 'apple' | 'microsoft' | 'twi
 interface AuthOptions {
     redirectUrl?: string;
     metadata?: Record<string, any>;
+    /**
+     * Force redirect flow instead of popup (useful for Safari or when popups are blocked)
+     * When true, always uses redirect flow regardless of browser detection
+     */
+    forceRedirect?: boolean;
 }
 interface SignUpData {
     email: string;
@@ -1008,8 +1013,14 @@ declare class BlinkAuth {
      * Sign in with Microsoft (headless mode)
      */
     signInWithMicrosoft(options?: AuthOptions): Promise<BlinkUser>;
+    /**
+     * Check if current browser is Safari (desktop, iPhone, iPad)
+     * Safari has strict popup blocking, so we must use redirect flow
+     */
+    private isSafari;
     /**
      * Generic provider sign-in method (headless mode)
+     * Uses redirect flow for Safari, popup flow for other browsers
      */
     signInWithProvider(provider: AuthProvider, options?: AuthOptions): Promise<BlinkUser>;
     /**
@@ -1114,6 +1125,11 @@ declare class BlinkAuth {
     private setTokens;
     private clearTokens;
     private getStoredTokens;
+    /**
+     * Extract URL parameters from both search params and hash fragments
+     * Safari OAuth redirects often use hash fragments instead of query params
+     */
+    private extractUrlParams;
     private extractTokensFromUrl;
     private clearUrlTokens;
     private redirectToAuth;

package/dist/index.d.ts

@@ -118,6 +118,11 @@ type AuthProvider = 'email' | 'google' | 'github' | 'apple' | 'microsoft' | 'twi
 interface AuthOptions {
     redirectUrl?: string;
     metadata?: Record<string, any>;
+    /**
+     * Force redirect flow instead of popup (useful for Safari or when popups are blocked)
+     * When true, always uses redirect flow regardless of browser detection
+     */
+    forceRedirect?: boolean;
 }
 interface SignUpData {
     email: string;
@@ -1008,8 +1013,14 @@ declare class BlinkAuth {
      * Sign in with Microsoft (headless mode)
      */
     signInWithMicrosoft(options?: AuthOptions): Promise<BlinkUser>;
+    /**
+     * Check if current browser is Safari (desktop, iPhone, iPad)
+     * Safari has strict popup blocking, so we must use redirect flow
+     */
+    private isSafari;
     /**
      * Generic provider sign-in method (headless mode)
+     * Uses redirect flow for Safari, popup flow for other browsers
      */
     signInWithProvider(provider: AuthProvider, options?: AuthOptions): Promise<BlinkUser>;
     /**
@@ -1114,6 +1125,11 @@ declare class BlinkAuth {
     private setTokens;
     private clearTokens;
     private getStoredTokens;
+    /**
+     * Extract URL parameters from both search params and hash fragments
+     * Safari OAuth redirects often use hash fragments instead of query params
+     */
+    private extractUrlParams;
     private extractTokensFromUrl;
     private clearUrlTokens;
     private redirectToAuth;

package/dist/index.js

@@ -1144,6 +1144,36 @@ var BlinkAuth = class {
           return;
         }
       }
+      try {
+        if (typeof window !== "undefined") {
+          console.log("\u{1F50D} Checking URL for errors/tokens:", {
+            href: window.location.href,
+            search: window.location.search,
+            hash: window.location.hash
+          });
+          const urlParams = this.extractUrlParams();
+          const errorParam = urlParams.get("error");
+          if (errorParam) {
+            const errorCode = this.mapErrorCodeFromResponse(errorParam);
+            const errorMessage = urlParams.get("error_description") || "Authentication failed";
+            const error = new BlinkAuthError(errorCode, errorMessage);
+            console.error("\u274C Auth error in URL:", {
+              error: errorParam,
+              errorMessage,
+              allParams: Object.fromEntries(urlParams.entries())
+            });
+            if (typeof window !== "undefined") {
+              window.dispatchEvent(new CustomEvent("blink:auth:error", {
+                detail: { error, errorMessage }
+              }));
+            }
+            this.clearUrlTokens();
+            return;
+          }
+        }
+      } catch (error) {
+        console.error("Error handling failed redirect:", error);
+      }
       const tokensFromUrl = this.extractTokensFromUrl();
       if (tokensFromUrl) {
         console.log("\u{1F4E5} Found tokens in URL, setting them...");
@@ -1151,6 +1181,31 @@ var BlinkAuth = class {
         this.clearUrlTokens();
         console.log("\u2705 Auth initialization complete (from URL)");
         return;
+      } else {
+        console.log("\u26A0\uFE0F No tokens found in URL after redirect - checking if this was a redirect callback");
+        if (typeof window !== "undefined") {
+          const urlParams = this.extractUrlParams();
+          const state = urlParams.get("state");
+          if (state) {
+            console.log("\u26A0\uFE0F State found in URL but no tokens - redirect may have failed silently");
+            try {
+              const expectedState = sessionStorage.getItem("blink_oauth_state");
+              if (expectedState === state) {
+                console.error("\u274C Redirect callback received but no tokens - authentication may have failed");
+                const errorMessage = "Authentication failed. Please try again.";
+                if (typeof window !== "undefined") {
+                  window.dispatchEvent(new CustomEvent("blink:auth:error", {
+                    detail: { error: new BlinkAuthError("NETWORK_ERROR" /* NETWORK_ERROR */, errorMessage), errorMessage }
+                  }));
+                }
+                this.clearUrlTokens();
+                return;
+              }
+            } catch (e) {
+              console.error("Error checking sessionStorage:", e);
+            }
+          }
+        }
       }
       const storedTokens = await this.getStoredTokens();
       if (storedTokens) {
@@ -1504,37 +1559,145 @@ var BlinkAuth = class {
     }
     return this.signInWithProvider("microsoft", options);
   }
+  /**
+   * Check if current browser is Safari (desktop, iPhone, iPad)
+   * Safari has strict popup blocking, so we must use redirect flow
+   */
+  isSafari() {
+    if (typeof window === "undefined") return false;
+    const ua = navigator.userAgent.toLowerCase();
+    const hasSafariUA = /safari/i.test(ua) && !/chrome|chromium|android|edg|firefox|opera/i.test(ua);
+    const isSafariVendor = typeof navigator !== "undefined" && !!navigator.vendor && /apple/i.test(navigator.vendor);
+    const isIOSSafari = /safari/i.test(ua) && /iphone|ipad|ipod/i.test(ua);
+    const hasSafariProperties = typeof window !== "undefined" && ("safari" in window || window.safari !== void 0) && !("chrome" in window);
+    const isMacSafari = /macintosh/i.test(ua) && isSafariVendor && !/chrome|chromium|firefox|edg/i.test(ua);
+    const isSafari = !!(hasSafariUA || isSafariVendor || isIOSSafari || hasSafariProperties || isMacSafari);
+    if (isSafari) {
+      console.log("\u{1F34E} Safari browser detected - will use redirect flow", {
+        hasSafariUA,
+        isSafariVendor,
+        isIOSSafari,
+        hasSafariProperties,
+        isMacSafari,
+        userAgent: ua.substring(0, 100),
+        vendor: navigator.vendor
+      });
+    } else {
+      console.log("\u{1F50D} Not detected as Safari:", {
+        hasSafariUA,
+        isSafariVendor,
+        isIOSSafari,
+        hasSafariProperties,
+        isMacSafari,
+        userAgent: ua.substring(0, 100),
+        vendor: navigator.vendor
+      });
+    }
+    return isSafari;
+  }
   /**
    * Generic provider sign-in method (headless mode)
+   * Uses redirect flow for Safari, popup flow for other browsers
    */
   async signInWithProvider(provider, options) {
     if (this.authConfig.mode !== "headless") {
       throw new BlinkAuthError("INVALID_CREDENTIALS" /* INVALID_CREDENTIALS */, "signInWithProvider is only available in headless mode");
     }
-    return new Promise((resolve, reject) => {
-      const state = this.generateState();
-      try {
-        if (typeof window !== "undefined") {
-          sessionStorage.setItem("blink_oauth_state", state);
-        }
-      } catch {
+    const state = this.generateState();
+    let redirectUrl = options?.redirectUrl || "";
+    if (!redirectUrl && typeof window !== "undefined") {
+      if (window.location.href.startsWith("http")) {
+        redirectUrl = window.location.href;
+      } else {
+        redirectUrl = `${window.location.protocol}//${window.location.host}${window.location.pathname}${window.location.search}${window.location.hash}`;
       }
-      const redirectUrl = options?.redirectUrl || window.location.origin;
+    }
+    try {
+      const redirectUrlObj = new URL(redirectUrl);
+      redirectUrlObj.searchParams.delete("access_token");
+      redirectUrlObj.searchParams.delete("refresh_token");
+      redirectUrlObj.searchParams.delete("state");
+      redirectUrlObj.searchParams.delete("error");
+      redirectUrlObj.searchParams.delete("error_description");
+      redirectUrlObj.hash = "";
+      redirectUrl = redirectUrlObj.toString();
+    } catch (e) {
+      console.warn("Failed to clean redirect URL:", e);
+    }
+    try {
+      if (typeof window !== "undefined") {
+        sessionStorage.setItem("blink_oauth_state", state);
+        sessionStorage.setItem("blink_oauth_redirect_url", redirectUrl);
+        console.log("\u{1F4BE} Stored OAuth state:", { state, redirectUrl });
+      }
+    } catch (e) {
+      console.warn("Failed to store OAuth state in sessionStorage:", e);
+    }
+    const isSafari = this.isSafari();
+    const forceRedirect = options?.forceRedirect === true;
+    if ((isSafari || forceRedirect) && typeof window !== "undefined") {
+      console.log("\u{1F310} Using redirect flow (no popup)", {
+        provider,
+        projectId: this.config.projectId,
+        state,
+        redirectUrl,
+        authUrl: this.authUrl,
+        reason: isSafari ? "Safari detected" : "forceRedirect option set"
+      });
+      const authRedirectUrl = new URL("/auth", this.authUrl);
+      authRedirectUrl.searchParams.set("provider", provider);
+      authRedirectUrl.searchParams.set("project_id", this.config.projectId);
+      authRedirectUrl.searchParams.set("state", state);
+      authRedirectUrl.searchParams.set("mode", "redirect");
+      authRedirectUrl.searchParams.set("redirect_url", redirectUrl);
+      console.log("\u{1F504} Redirecting to:", authRedirectUrl.toString());
+      window.location.href = authRedirectUrl.toString();
+      return new Promise(() => {
+      });
+    }
+    return new Promise((resolve, reject) => {
       const popupUrl = new URL("/auth", this.authUrl);
       popupUrl.searchParams.set("provider", provider);
       popupUrl.searchParams.set("project_id", this.config.projectId);
       popupUrl.searchParams.set("state", state);
       popupUrl.searchParams.set("mode", "popup");
       popupUrl.searchParams.set("redirect_url", redirectUrl);
+      if (typeof window !== "undefined") {
+        popupUrl.searchParams.set("opener_origin", window.location.origin);
+      }
       const popup = window.open(
         popupUrl.toString(),
         "blink-auth",
         "width=500,height=600,scrollbars=yes,resizable=yes"
       );
       if (!popup) {
-        reject(new BlinkAuthError("POPUP_CANCELED" /* POPUP_CANCELED */, "Popup was blocked"));
+        console.warn("\u26A0\uFE0F Popup was blocked, falling back to redirect flow");
+        const authRedirectUrl = new URL("/auth", this.authUrl);
+        authRedirectUrl.searchParams.set("provider", provider);
+        authRedirectUrl.searchParams.set("project_id", this.config.projectId);
+        authRedirectUrl.searchParams.set("state", state);
+        authRedirectUrl.searchParams.set("mode", "redirect");
+        authRedirectUrl.searchParams.set("redirect_url", redirectUrl);
+        console.log("\u{1F504} Falling back to redirect:", authRedirectUrl.toString());
+        window.location.href = authRedirectUrl.toString();
         return;
       }
+      try {
+        if (popup.closed || !popup.window) {
+          console.warn("\u26A0\uFE0F Popup appears to be blocked (closed immediately), falling back to redirect flow");
+          const authRedirectUrl = new URL("/auth", this.authUrl);
+          authRedirectUrl.searchParams.set("provider", provider);
+          authRedirectUrl.searchParams.set("project_id", this.config.projectId);
+          authRedirectUrl.searchParams.set("state", state);
+          authRedirectUrl.searchParams.set("mode", "redirect");
+          authRedirectUrl.searchParams.set("redirect_url", redirectUrl);
+          console.log("\u{1F504} Falling back to redirect:", authRedirectUrl.toString());
+          window.location.href = authRedirectUrl.toString();
+          return;
+        }
+      } catch (e) {
+        console.log("\u26A0\uFE0F Could not verify popup state, assuming it opened successfully");
+      }
       let timeoutId;
       const messageListener = (event) => {
         let allowed = false;
@@ -1544,7 +1707,12 @@ var BlinkAuth = class {
         } catch {
         }
         if (event.origin === "http://localhost:3000" || event.origin === "http://localhost:3001") allowed = true;
-        if (!allowed) return;
+        if (typeof window !== "undefined" && event.origin === window.location.origin) allowed = true;
+        if (!allowed) {
+          console.log("\u{1F6AB} Blocked postMessage from untrusted origin:", event.origin);
+          return;
+        }
+        console.log("\u2705 Accepted postMessage from origin:", event.origin);
         if (event.data?.type === "BLINK_AUTH_TOKENS") {
           const { access_token, refresh_token, token_type, expires_in, refresh_expires_in, projectId, state: returnedState } = event.data;
           try {
@@ -2304,17 +2472,50 @@ var BlinkAuth = class {
       return null;
     }
   }
+  /**
+   * Extract URL parameters from both search params and hash fragments
+   * Safari OAuth redirects often use hash fragments instead of query params
+   */
+  extractUrlParams() {
+    const params = new URLSearchParams();
+    if (typeof window !== "undefined" && window.location.search) {
+      const searchParams = new URLSearchParams(window.location.search);
+      for (const [key, value] of searchParams.entries()) {
+        params.set(key, value);
+      }
+    }
+    if (typeof window !== "undefined" && window.location.hash) {
+      const hash = window.location.hash.substring(1);
+      const hashParams = new URLSearchParams(hash);
+      for (const [key, value] of hashParams.entries()) {
+        if (!params.has(key)) {
+          params.set(key, value);
+        }
+      }
+    }
+    return params;
+  }
   extractTokensFromUrl() {
     if (typeof window === "undefined") return null;
-    const params = new URLSearchParams(window.location.search);
+    const params = this.extractUrlParams();
     const accessToken = params.get("access_token");
     const refreshToken = params.get("refresh_token");
+    const state = params.get("state");
+    const error = params.get("error");
     console.log("\u{1F50D} Extracting tokens from URL:", {
       url: window.location.href,
+      search: window.location.search,
+      hash: window.location.hash,
       accessToken: accessToken ? `${accessToken.substring(0, 20)}...` : null,
       refreshToken: refreshToken ? `${refreshToken.substring(0, 20)}...` : null,
+      state: state ? `${state.substring(0, 10)}...` : null,
+      error: error || null,
       allParams: Object.fromEntries(params.entries())
     });
+    if (error) {
+      console.log("\u274C Error parameter found in URL, not extracting tokens");
+      return null;
+    }
     if (accessToken) {
       const tokens = {
         access_token: accessToken,
@@ -2329,7 +2530,8 @@ var BlinkAuth = class {
       };
       console.log("\u2705 Tokens extracted successfully:", {
         hasAccessToken: !!tokens.access_token,
-        hasRefreshToken: !!tokens.refresh_token
+        hasRefreshToken: !!tokens.refresh_token,
+        state: state || "no state"
       });
       return tokens;
     }
@@ -2349,8 +2551,9 @@ var BlinkAuth = class {
     url.searchParams.delete("code");
     url.searchParams.delete("error");
     url.searchParams.delete("error_description");
+    url.hash = "";
     window.history.replaceState({}, "", url.toString());
-    console.log("\u{1F9F9} URL cleaned up, removed auth parameters");
+    console.log("\u{1F9F9} URL cleaned up, removed auth parameters from both search and hash");
   }
   redirectToAuth() {
     if (typeof window !== "undefined") {

package/dist/index.mjs

@@ -1142,6 +1142,36 @@ var BlinkAuth = class {
           return;
         }
       }
+      try {
+        if (typeof window !== "undefined") {
+          console.log("\u{1F50D} Checking URL for errors/tokens:", {
+            href: window.location.href,
+            search: window.location.search,
+            hash: window.location.hash
+          });
+          const urlParams = this.extractUrlParams();
+          const errorParam = urlParams.get("error");
+          if (errorParam) {
+            const errorCode = this.mapErrorCodeFromResponse(errorParam);
+            const errorMessage = urlParams.get("error_description") || "Authentication failed";
+            const error = new BlinkAuthError(errorCode, errorMessage);
+            console.error("\u274C Auth error in URL:", {
+              error: errorParam,
+              errorMessage,
+              allParams: Object.fromEntries(urlParams.entries())
+            });
+            if (typeof window !== "undefined") {
+              window.dispatchEvent(new CustomEvent("blink:auth:error", {
+                detail: { error, errorMessage }
+              }));
+            }
+            this.clearUrlTokens();
+            return;
+          }
+        }
+      } catch (error) {
+        console.error("Error handling failed redirect:", error);
+      }
       const tokensFromUrl = this.extractTokensFromUrl();
       if (tokensFromUrl) {
         console.log("\u{1F4E5} Found tokens in URL, setting them...");
@@ -1149,6 +1179,31 @@ var BlinkAuth = class {
         this.clearUrlTokens();
         console.log("\u2705 Auth initialization complete (from URL)");
         return;
+      } else {
+        console.log("\u26A0\uFE0F No tokens found in URL after redirect - checking if this was a redirect callback");
+        if (typeof window !== "undefined") {
+          const urlParams = this.extractUrlParams();
+          const state = urlParams.get("state");
+          if (state) {
+            console.log("\u26A0\uFE0F State found in URL but no tokens - redirect may have failed silently");
+            try {
+              const expectedState = sessionStorage.getItem("blink_oauth_state");
+              if (expectedState === state) {
+                console.error("\u274C Redirect callback received but no tokens - authentication may have failed");
+                const errorMessage = "Authentication failed. Please try again.";
+                if (typeof window !== "undefined") {
+                  window.dispatchEvent(new CustomEvent("blink:auth:error", {
+                    detail: { error: new BlinkAuthError("NETWORK_ERROR" /* NETWORK_ERROR */, errorMessage), errorMessage }
+                  }));
+                }
+                this.clearUrlTokens();
+                return;
+              }
+            } catch (e) {
+              console.error("Error checking sessionStorage:", e);
+            }
+          }
+        }
       }
       const storedTokens = await this.getStoredTokens();
       if (storedTokens) {
@@ -1502,37 +1557,145 @@ var BlinkAuth = class {
     }
     return this.signInWithProvider("microsoft", options);
   }
+  /**
+   * Check if current browser is Safari (desktop, iPhone, iPad)
+   * Safari has strict popup blocking, so we must use redirect flow
+   */
+  isSafari() {
+    if (typeof window === "undefined") return false;
+    const ua = navigator.userAgent.toLowerCase();
+    const hasSafariUA = /safari/i.test(ua) && !/chrome|chromium|android|edg|firefox|opera/i.test(ua);
+    const isSafariVendor = typeof navigator !== "undefined" && !!navigator.vendor && /apple/i.test(navigator.vendor);
+    const isIOSSafari = /safari/i.test(ua) && /iphone|ipad|ipod/i.test(ua);
+    const hasSafariProperties = typeof window !== "undefined" && ("safari" in window || window.safari !== void 0) && !("chrome" in window);
+    const isMacSafari = /macintosh/i.test(ua) && isSafariVendor && !/chrome|chromium|firefox|edg/i.test(ua);
+    const isSafari = !!(hasSafariUA || isSafariVendor || isIOSSafari || hasSafariProperties || isMacSafari);
+    if (isSafari) {
+      console.log("\u{1F34E} Safari browser detected - will use redirect flow", {
+        hasSafariUA,
+        isSafariVendor,
+        isIOSSafari,
+        hasSafariProperties,
+        isMacSafari,
+        userAgent: ua.substring(0, 100),
+        vendor: navigator.vendor
+      });
+    } else {
+      console.log("\u{1F50D} Not detected as Safari:", {
+        hasSafariUA,
+        isSafariVendor,
+        isIOSSafari,
+        hasSafariProperties,
+        isMacSafari,
+        userAgent: ua.substring(0, 100),
+        vendor: navigator.vendor
+      });
+    }
+    return isSafari;
+  }
   /**
    * Generic provider sign-in method (headless mode)
+   * Uses redirect flow for Safari, popup flow for other browsers
    */
   async signInWithProvider(provider, options) {
     if (this.authConfig.mode !== "headless") {
       throw new BlinkAuthError("INVALID_CREDENTIALS" /* INVALID_CREDENTIALS */, "signInWithProvider is only available in headless mode");
     }
-    return new Promise((resolve, reject) => {
-      const state = this.generateState();
-      try {
-        if (typeof window !== "undefined") {
-          sessionStorage.setItem("blink_oauth_state", state);
-        }
-      } catch {
+    const state = this.generateState();
+    let redirectUrl = options?.redirectUrl || "";
+    if (!redirectUrl && typeof window !== "undefined") {
+      if (window.location.href.startsWith("http")) {
+        redirectUrl = window.location.href;
+      } else {
+        redirectUrl = `${window.location.protocol}//${window.location.host}${window.location.pathname}${window.location.search}${window.location.hash}`;
       }
-      const redirectUrl = options?.redirectUrl || window.location.origin;
+    }
+    try {
+      const redirectUrlObj = new URL(redirectUrl);
+      redirectUrlObj.searchParams.delete("access_token");
+      redirectUrlObj.searchParams.delete("refresh_token");
+      redirectUrlObj.searchParams.delete("state");
+      redirectUrlObj.searchParams.delete("error");
+      redirectUrlObj.searchParams.delete("error_description");
+      redirectUrlObj.hash = "";
+      redirectUrl = redirectUrlObj.toString();
+    } catch (e) {
+      console.warn("Failed to clean redirect URL:", e);
+    }
+    try {
+      if (typeof window !== "undefined") {
+        sessionStorage.setItem("blink_oauth_state", state);
+        sessionStorage.setItem("blink_oauth_redirect_url", redirectUrl);
+        console.log("\u{1F4BE} Stored OAuth state:", { state, redirectUrl });
+      }
+    } catch (e) {
+      console.warn("Failed to store OAuth state in sessionStorage:", e);
+    }
+    const isSafari = this.isSafari();
+    const forceRedirect = options?.forceRedirect === true;
+    if ((isSafari || forceRedirect) && typeof window !== "undefined") {
+      console.log("\u{1F310} Using redirect flow (no popup)", {
+        provider,
+        projectId: this.config.projectId,
+        state,
+        redirectUrl,
+        authUrl: this.authUrl,
+        reason: isSafari ? "Safari detected" : "forceRedirect option set"
+      });
+      const authRedirectUrl = new URL("/auth", this.authUrl);
+      authRedirectUrl.searchParams.set("provider", provider);
+      authRedirectUrl.searchParams.set("project_id", this.config.projectId);
+      authRedirectUrl.searchParams.set("state", state);
+      authRedirectUrl.searchParams.set("mode", "redirect");
+      authRedirectUrl.searchParams.set("redirect_url", redirectUrl);
+      console.log("\u{1F504} Redirecting to:", authRedirectUrl.toString());
+      window.location.href = authRedirectUrl.toString();
+      return new Promise(() => {
+      });
+    }
+    return new Promise((resolve, reject) => {
       const popupUrl = new URL("/auth", this.authUrl);
       popupUrl.searchParams.set("provider", provider);
       popupUrl.searchParams.set("project_id", this.config.projectId);
       popupUrl.searchParams.set("state", state);
       popupUrl.searchParams.set("mode", "popup");
       popupUrl.searchParams.set("redirect_url", redirectUrl);
+      if (typeof window !== "undefined") {
+        popupUrl.searchParams.set("opener_origin", window.location.origin);
+      }
       const popup = window.open(
         popupUrl.toString(),
         "blink-auth",
         "width=500,height=600,scrollbars=yes,resizable=yes"
       );
       if (!popup) {
-        reject(new BlinkAuthError("POPUP_CANCELED" /* POPUP_CANCELED */, "Popup was blocked"));
+        console.warn("\u26A0\uFE0F Popup was blocked, falling back to redirect flow");
+        const authRedirectUrl = new URL("/auth", this.authUrl);
+        authRedirectUrl.searchParams.set("provider", provider);
+        authRedirectUrl.searchParams.set("project_id", this.config.projectId);
+        authRedirectUrl.searchParams.set("state", state);
+        authRedirectUrl.searchParams.set("mode", "redirect");
+        authRedirectUrl.searchParams.set("redirect_url", redirectUrl);
+        console.log("\u{1F504} Falling back to redirect:", authRedirectUrl.toString());
+        window.location.href = authRedirectUrl.toString();
         return;
       }
+      try {
+        if (popup.closed || !popup.window) {
+          console.warn("\u26A0\uFE0F Popup appears to be blocked (closed immediately), falling back to redirect flow");
+          const authRedirectUrl = new URL("/auth", this.authUrl);
+          authRedirectUrl.searchParams.set("provider", provider);
+          authRedirectUrl.searchParams.set("project_id", this.config.projectId);
+          authRedirectUrl.searchParams.set("state", state);
+          authRedirectUrl.searchParams.set("mode", "redirect");
+          authRedirectUrl.searchParams.set("redirect_url", redirectUrl);
+          console.log("\u{1F504} Falling back to redirect:", authRedirectUrl.toString());
+          window.location.href = authRedirectUrl.toString();
+          return;
+        }
+      } catch (e) {
+        console.log("\u26A0\uFE0F Could not verify popup state, assuming it opened successfully");
+      }
       let timeoutId;
       const messageListener = (event) => {
         let allowed = false;
@@ -1542,7 +1705,12 @@ var BlinkAuth = class {
         } catch {
         }
         if (event.origin === "http://localhost:3000" || event.origin === "http://localhost:3001") allowed = true;
-        if (!allowed) return;
+        if (typeof window !== "undefined" && event.origin === window.location.origin) allowed = true;
+        if (!allowed) {
+          console.log("\u{1F6AB} Blocked postMessage from untrusted origin:", event.origin);
+          return;
+        }
+        console.log("\u2705 Accepted postMessage from origin:", event.origin);
         if (event.data?.type === "BLINK_AUTH_TOKENS") {
           const { access_token, refresh_token, token_type, expires_in, refresh_expires_in, projectId, state: returnedState } = event.data;
           try {
@@ -2302,17 +2470,50 @@ var BlinkAuth = class {
       return null;
     }
   }
+  /**
+   * Extract URL parameters from both search params and hash fragments
+   * Safari OAuth redirects often use hash fragments instead of query params
+   */
+  extractUrlParams() {
+    const params = new URLSearchParams();
+    if (typeof window !== "undefined" && window.location.search) {
+      const searchParams = new URLSearchParams(window.location.search);
+      for (const [key, value] of searchParams.entries()) {
+        params.set(key, value);
+      }
+    }
+    if (typeof window !== "undefined" && window.location.hash) {
+      const hash = window.location.hash.substring(1);
+      const hashParams = new URLSearchParams(hash);
+      for (const [key, value] of hashParams.entries()) {
+        if (!params.has(key)) {
+          params.set(key, value);
+        }
+      }
+    }
+    return params;
+  }
   extractTokensFromUrl() {
     if (typeof window === "undefined") return null;
-    const params = new URLSearchParams(window.location.search);
+    const params = this.extractUrlParams();
     const accessToken = params.get("access_token");
     const refreshToken = params.get("refresh_token");
+    const state = params.get("state");
+    const error = params.get("error");
     console.log("\u{1F50D} Extracting tokens from URL:", {
       url: window.location.href,
+      search: window.location.search,
+      hash: window.location.hash,
       accessToken: accessToken ? `${accessToken.substring(0, 20)}...` : null,
       refreshToken: refreshToken ? `${refreshToken.substring(0, 20)}...` : null,
+      state: state ? `${state.substring(0, 10)}...` : null,
+      error: error || null,
       allParams: Object.fromEntries(params.entries())
     });
+    if (error) {
+      console.log("\u274C Error parameter found in URL, not extracting tokens");
+      return null;
+    }
     if (accessToken) {
       const tokens = {
         access_token: accessToken,
@@ -2327,7 +2528,8 @@ var BlinkAuth = class {
       };
       console.log("\u2705 Tokens extracted successfully:", {
         hasAccessToken: !!tokens.access_token,
-        hasRefreshToken: !!tokens.refresh_token
+        hasRefreshToken: !!tokens.refresh_token,
+        state: state || "no state"
       });
       return tokens;
     }
@@ -2347,8 +2549,9 @@ var BlinkAuth = class {
     url.searchParams.delete("code");
     url.searchParams.delete("error");
     url.searchParams.delete("error_description");
+    url.hash = "";
     window.history.replaceState({}, "", url.toString());
-    console.log("\u{1F9F9} URL cleaned up, removed auth parameters");
+    console.log("\u{1F9F9} URL cleaned up, removed auth parameters from both search and hash");
   }
   redirectToAuth() {
     if (typeof window !== "undefined") {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@blinkdotnew/sdk",
-  "version": "0.19.1",
+  "version": "0.19.4",
   "description": "Blink TypeScript SDK for client-side applications - Zero-boilerplate CRUD + auth + AI + analytics + notifications for modern SaaS/AI apps",
   "keywords": [
     "blink",