@bunbase-ae/js 2.4.1-next.161.79fd318 → 2.4.1-next.162.9c38140

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@bunbase-ae/js",
-  "version": "2.4.1-next.161.79fd318",
+  "version": "2.4.1-next.162.9c38140",
   "type": "module",
   "description": "TypeScript/JavaScript SDK for BunBase",
   "license": "UNLICENSED",

package/src/auth.ts

@@ -181,6 +181,41 @@ export class AuthClient {
     return result;
   }
 
+  // Redeem an OAuth handoff code for the token pair.
+  //
+  // The OAuth callback redirects to `{APP_URL}/auth/callback?handoff=<code>`.
+  // Tokens no longer travel through the URL query string (which would leak
+  // them into browser history, proxy logs, and third-party Referer headers);
+  // instead, the frontend reads the `handoff` param and posts it here.
+  //
+  // Single-use — a second call with the same code returns 404.
+  async exchangeHandoff(code: string): Promise<{
+    access_token: string;
+    refresh_token: string;
+    expires_in: number;
+  }> {
+    const result = await this.http.request<{
+      access_token: string;
+      refresh_token: string;
+      expires_in: number;
+    }>("POST", "/api/v1/auth/oauth/handoff", {
+      body: { handoff: code },
+      skipAuth: true,
+    });
+    this.http.setTokens(result.access_token, result.refresh_token);
+    // Populate the reactive snapshot so useAuth() lights up without the caller
+    // having to issue a separate me() round-trip. Swallow errors here — the
+    // token store is already primed; any auth-dependent view can retry.
+    try {
+      const user = await this.me();
+      this.cachedUser = user;
+      this.patchSnapshot({ user });
+    } catch {
+      // Caller can retry via auth.me() — tokens are already stored.
+    }
+    return result;
+  }
+
   async refresh(): Promise<AuthResult> {
     const refreshToken = this.http.getRefreshToken();
     if (!refreshToken) throw new Error("No refresh token stored. Call login() first.");