@capgo/capacitor-social-login 8.1.1 → 8.2.1

package/dist/esm/definitions.d.ts

@@ -1,4 +1,84 @@
+/**
+ * Configuration for a single OAuth2 provider instance
+ */
+export interface OAuth2ProviderConfig {
+    /**
+     * The OAuth 2.0 client identifier (App ID / Client ID)
+     * @example 'your-client-id'
+     */
+    appId: string;
+    /**
+     * The base URL of the authorization endpoint
+     * @example 'https://accounts.example.com/oauth2/authorize'
+     */
+    authorizationBaseUrl: string;
+    /**
+     * The URL to exchange the authorization code for tokens
+     * Required for authorization code flow
+     * @example 'https://accounts.example.com/oauth2/token'
+     */
+    accessTokenEndpoint?: string;
+    /**
+     * Redirect URL that receives the OAuth callback
+     * @example 'myapp://oauth/callback'
+     */
+    redirectUrl: string;
+    /**
+     * Optional URL to fetch user profile/resource data after authentication
+     * The access token will be sent as Bearer token in the Authorization header
+     * @example 'https://api.example.com/userinfo'
+     */
+    resourceUrl?: string;
+    /**
+     * The OAuth response type
+     * - 'code': Authorization Code flow (recommended, requires accessTokenEndpoint)
+     * - 'token': Implicit flow (less secure, tokens returned directly)
+     * @default 'code'
+     */
+    responseType?: 'code' | 'token';
+    /**
+     * Enable PKCE (Proof Key for Code Exchange)
+     * Strongly recommended for public clients (mobile/web apps)
+     * @default true
+     */
+    pkceEnabled?: boolean;
+    /**
+     * Default scopes to request during authorization
+     * @example 'openid profile email'
+     */
+    scope?: string;
+    /**
+     * Additional parameters to include in the authorization request
+     * @example { prompt: 'consent', login_hint: 'user@example.com' }
+     */
+    additionalParameters?: Record<string, string>;
+    /**
+     * Additional headers to include when fetching the resource URL
+     * @example { 'X-Custom-Header': 'value' }
+     */
+    additionalResourceHeaders?: Record<string, string>;
+    /**
+     * Custom logout URL for ending the session
+     * @example 'https://accounts.example.com/logout'
+     */
+    logoutUrl?: string;
+    /**
+     * Enable debug logging
+     * @default false
+     */
+    logsEnabled?: boolean;
+}
 export interface InitializeOptions {
+    /**
+     * OAuth2 provider configurations.
+     * Supports multiple providers by using a Record with provider IDs as keys.
+     * @example
+     * {
+     *   github: { appId: '...', authorizationBaseUrl: 'https://github.com/login/oauth/authorize', ... },
+     *   azure: { appId: '...', authorizationBaseUrl: 'https://login.microsoftonline.com/.../oauth2/v2.0/authorize', ... }
+     * }
+     */
+    oauth2?: Record<string, OAuth2ProviderConfig>;
     twitter?: {
         /**
          * The OAuth 2.0 client identifier issued by X (Twitter) Developer Portal
@@ -221,6 +301,72 @@ export interface TwitterLoginOptions {
      */
     forceLogin?: boolean;
 }
+export interface OAuth2LoginOptions {
+    /**
+     * The provider ID as configured in initialize()
+     * This is required to identify which OAuth2 provider to use
+     * @example 'github', 'azure', 'keycloak'
+     */
+    providerId: string;
+    /**
+     * Override the scopes for this login request
+     * If not provided, uses the scopes from initialization
+     */
+    scope?: string;
+    /**
+     * Custom state parameter for CSRF protection
+     * If not provided, a random value is generated
+     */
+    state?: string;
+    /**
+     * Override PKCE code verifier (for testing purposes)
+     * If not provided, a secure random verifier is generated
+     */
+    codeVerifier?: string;
+    /**
+     * Override redirect URL for this login request
+     */
+    redirectUrl?: string;
+    /**
+     * Additional parameters to add to the authorization URL
+     */
+    additionalParameters?: Record<string, string>;
+}
+export interface OAuth2LoginResponse {
+    /**
+     * The provider ID that was used for this login
+     */
+    providerId: string;
+    /**
+     * The access token received from the OAuth provider
+     */
+    accessToken: AccessToken | null;
+    /**
+     * The ID token (JWT) if provided by the OAuth server (e.g., OpenID Connect)
+     */
+    idToken: string | null;
+    /**
+     * The refresh token if provided (requires appropriate scope like offline_access)
+     */
+    refreshToken: string | null;
+    /**
+     * Resource data fetched from resourceUrl if configured
+     * Contains the raw JSON response from the resource endpoint
+     */
+    resourceData: Record<string, unknown> | null;
+    /**
+     * The scopes that were granted
+     */
+    scope: string[];
+    /**
+     * Token type (usually 'bearer')
+     */
+    tokenType: string;
+    /**
+     * Token expiration time in seconds
+     */
+    expiresIn: number | null;
+}
 export interface GoogleLoginOptions {
     /**
      * Specifies the scopes required for accessing Google APIs
@@ -391,6 +537,9 @@ export type LoginOptions = {
 } | {
     provider: 'twitter';
     options: TwitterLoginOptions;
+} | {
+    provider: 'oauth2';
+    options: OAuth2LoginOptions;
 };
 export type LoginResult = {
     provider: 'facebook';
@@ -404,6 +553,9 @@ export type LoginResult = {
 } | {
     provider: 'twitter';
     result: TwitterLoginResponse;
+} | {
+    provider: 'oauth2';
+    result: OAuth2LoginResponse;
 };
 export interface AccessToken {
     applicationId?: string;
@@ -476,14 +628,24 @@ export interface AuthorizationCodeOptions {
      * Provider
      * @description Provider for the authorization code
      */
-    provider: 'apple' | 'google' | 'facebook' | 'twitter';
+    provider: 'apple' | 'google' | 'facebook' | 'twitter' | 'oauth2';
+    /**
+     * Provider ID for OAuth2 providers (required when provider is 'oauth2')
+     * @description The ID used when configuring the OAuth2 provider in initialize()
+     */
+    providerId?: string;
 }
 export interface isLoggedInOptions {
     /**
      * Provider
      * @description Provider for the isLoggedIn
      */
-    provider: 'apple' | 'google' | 'facebook' | 'twitter';
+    provider: 'apple' | 'google' | 'facebook' | 'twitter' | 'oauth2';
+    /**
+     * Provider ID for OAuth2 providers (required when provider is 'oauth2')
+     * @description The ID used when configuring the OAuth2 provider in initialize()
+     */
+    providerId?: string;
 }
 export type ProviderSpecificCall = 'facebook#getProfile' | 'facebook#requestTracking';
 export interface FacebookGetProfileOptions {
@@ -534,6 +696,7 @@ export type ProviderResponseMap = {
     google: GoogleLoginResponse;
     apple: AppleProviderResponse;
     twitter: TwitterLoginResponse;
+    oauth2: OAuth2LoginResponse;
 };
 export interface SocialLoginPlugin {
     /**
@@ -562,7 +725,8 @@ export interface SocialLoginPlugin {
      * @throws Error if Google provider is in offline mode
      */
     logout(options: {
-        provider: 'apple' | 'google' | 'facebook' | 'twitter';
+        provider: 'apple' | 'google' | 'facebook' | 'twitter' | 'oauth2';
+        providerId?: string;
     }): Promise<void>;
     /**
      * IsLoggedIn

package/dist/esm/definitions.js.map

@@ -1 +1 @@
-{"version":3,"file":"definitions.js","sourceRoot":"","sources":["../../src/definitions.ts"],"names":[],"mappings":"","sourcesContent":["export interface InitializeOptions {\n  twitter?: {\n    /**\n     * The OAuth 2.0 client identifier issued by X (Twitter) Developer Portal\n     * @example 'Y2xpZW50SWQ'\n     */\n    clientId: string;\n    /**\n     * Redirect URL that is registered inside the X Developer Portal.\n     * The plugin uses this URL on every platform to receive the authorization code.\n     * @example 'myapp://auth/x'\n     */\n    redirectUrl: string;\n    /**\n     * Default scopes appended to every login request when no custom scopes are provided.\n     * @description Defaults to the minimum required scopes for Log in with X.\n     * @default ['tweet.read','users.read']\n     */\n    defaultScopes?: string[];\n    /**\n     * Force the consent screen to show on every login attempt.\n     * Mirrors X's `force_login=true` flag.\n     * @default false\n     */\n    forceLogin?: boolean;\n    /**\n     * Optional audience value when your application has been approved for multi-tenant access.\n     */\n    audience?: string;\n  };\n  facebook?: {\n    /**\n     * Facebook App ID, provided by Facebook for web, in mobile it's set in the native files\n     */\n    appId: string;\n    /**\n     * Facebook Client Token, provided by Facebook for web, in mobile it's set in the native files\n     */\n    clientToken?: string;\n    /**\n     * Locale\n     * @description The locale to use for the Facebook SDK (e.g., 'en_US', 'fr_FR', 'es_ES')\n     * @default 'en_US'\n     * @example 'fr_FR'\n     */\n    locale?: string;\n  };\n\n  google?: {\n    /**\n     * The app's client ID, found and created in the Google Developers Console.\n     * Required for iOS platform.\n     * @example xxxxxx-xxxxxxxxxxxxxxxxxx.apps.googleusercontent.com\n     * @since 3.1.0\n     */\n    iOSClientId?: string;\n    /**\n     * The app's server client ID, required for offline mode on iOS.\n     * Should be the same value as webClientId.\n     * Found and created in the Google Developers Console.\n     * @example xxxxxx-xxxxxxxxxxxxxxxxxx.apps.googleusercontent.com\n     * @since 3.1.0\n     */\n    iOSServerClientId?: string;\n    /**\n     * The app's web client ID, found and created in the Google Developers Console.\n     * Required for Android and Web platforms.\n     * @example xxxxxx-xxxxxxxxxxxxxxxxxx.apps.googleusercontent.com\n     * @since 3.1.0\n     */\n    webClientId?: string;\n    /**\n     * The login mode, can be online or offline.\n     *\n     * **Online mode (default):**\n     * - Returns user profile data and access tokens\n     * - Supports all methods: login, logout, isLoggedIn, getAuthorizationCode\n     *\n     * **Offline mode:**\n     * - Returns only serverAuthCode for backend authentication\n     * - No user profile data available\n     * - **Limitations:** The following methods are NOT supported in offline mode:\n     *   - `logout()` - Will reject with \"not implemented when using offline mode\"\n     *   - `isLoggedIn()` - Will reject with \"not implemented when using offline mode\"\n     *   - `getAuthorizationCode()` - Will reject with \"not implemented when using offline mode\"\n     * - Only `login()` method works in offline mode, returning serverAuthCode only\n     * - Requires `iOSServerClientId` to be set on iOS\n     *\n     * @example 'offline'\n     * @default 'online'\n     * @since 3.1.0\n     */\n    mode?: 'online' | 'offline';\n    /**\n     * Filter visible accounts by hosted domain\n     * @description filter visible accounts by hosted domain\n     */\n    hostedDomain?: string;\n    /**\n     * Google Redirect URL, should be your backend url that is configured in your google app\n     */\n    redirectUrl?: string;\n  };\n  apple?: {\n    /**\n     * Apple Client ID, provided by Apple for web and Android\n     */\n    clientId?: string;\n    /**\n     * Apple Redirect URL, should be your backend url that is configured in your apple app\n     *\n     * **Note**: Use empty string `''` for iOS to prevent redirect.\n     * **Note**: Not required when using Broadcast Channel mode on Android.\n     */\n    redirectUrl?: string;\n    /**\n     * Use proper token exchange for Apple Sign-In\n     * @description Controls how Apple Sign-In tokens are handled and what gets returned:\n     *\n     * **When `true` (Recommended for new implementations):**\n     * - Exchanges authorization code for proper access tokens via Apple's token endpoint\n     * - `idToken`: JWT containing user identity information (email, name, user ID)\n     * - `accessToken.token`: Proper access token from Apple (short-lived, ~1 hour)\n     * - `authorizationCode`: Raw authorization code for backend token exchange\n     *\n     * **When `false` (Default - Legacy mode):**\n     * - Uses authorization code directly as access token for backward compatibility\n     * - `idToken`: JWT containing user identity information (email, name, user ID)\n     * - `accessToken.token`: The authorization code itself (not a real access token)\n     * - `authorizationCode`: undefined\n     *\n     * @default false\n     * @example\n     * // Enable proper token exchange (recommended)\n     * useProperTokenExchange: true\n     * // Result: idToken=JWT, accessToken=real_token, authorizationCode=present\n     *\n     * // Legacy mode (backward compatibility)\n     * useProperTokenExchange: false\n     * // Result: idToken=JWT, accessToken=auth_code, authorizationCode=undefined\n     */\n    useProperTokenExchange?: boolean;\n    /**\n     * Use Broadcast Channel for Android Apple Sign-In (Recommended)\n     * @description When enabled, Android uses Broadcast Channel API instead of URL redirects.\n     * This eliminates the need for redirect URL configuration and server-side setup.\n     *\n     * **Benefits:**\n     * - No redirect URL configuration required\n     * - No backend server needed for Android\n     * - Simpler setup and more reliable communication\n     * - Direct client-server communication via Broadcast Channel\n     *\n     * **When `true`:**\n     * - Uses Broadcast Channel for authentication flow\n     * - `redirectUrl` is ignored\n     * - Requires Broadcast Channel compatible backend or direct token handling\n     *\n     * **When `false` (Default - Legacy mode):**\n     * - Uses traditional URL redirect flow\n     * - Requires `redirectUrl` configuration\n     * - Requires backend server for token exchange\n     *\n     * @default false\n     * @since 7.10.0\n     * @example\n     * // Enable Broadcast Channel mode (recommended for new Android implementations)\n     * useBroadcastChannel: true\n     * // Result: Simplified setup, no redirect URL needed\n     *\n     * // Legacy mode (backward compatibility)\n     * useBroadcastChannel: false\n     * // Result: Traditional URL redirect flow with server-side setup\n     */\n    useBroadcastChannel?: boolean;\n  };\n}\n\nexport interface FacebookLoginOptions {\n  /**\n   * Permissions\n   * @description select permissions to login with\n   */\n  permissions: string[];\n  /**\n   * Is Limited Login\n   * @description use limited login for Facebook iOS only. Important: This is iOS-only and doesn't affect Android.\n   * Even if set to false, Facebook will automatically force it to true if App Tracking Transparency (ATT) permission is not granted.\n   * Developers should always be prepared to handle both limited and full login scenarios.\n   * @default false\n   */\n  limitedLogin?: boolean;\n  /**\n   * Nonce\n   * @description A custom nonce to use for the login request\n   */\n  nonce?: string;\n}\n\nexport interface TwitterLoginOptions {\n  /**\n   * Additional scopes to request during login.\n   * If omitted the plugin falls back to the default scopes configured during initialization.\n   * @example ['tweet.read','users.read','offline.access']\n   */\n  scopes?: string[];\n  /**\n   * Provide a custom OAuth state value.\n   * When not provided the plugin generates a cryptographically random value.\n   */\n  state?: string;\n  /**\n   * Provide a pre-computed PKCE code verifier (mostly used for testing).\n   * When omitted the plugin generates a secure verifier automatically.\n   */\n  codeVerifier?: string;\n  /**\n   * Override the redirect URI for a single login call.\n   * Useful when the same app supports multiple callback URLs per platform.\n   */\n  redirectUrl?: string;\n  /**\n   * Force the consent screen on every attempt, maps to `force_login=true`.\n   */\n  forceLogin?: boolean;\n}\n\nexport interface GoogleLoginOptions {\n  /**\n   * Specifies the scopes required for accessing Google APIs\n   * The default is defined in the configuration.\n   * @example [\"profile\", \"email\"]\n   * @see [Google OAuth2 Scopes](https://developers.google.com/identity/protocols/oauth2/scopes)\n   */\n  scopes?: string[];\n  /**\n   * Nonce\n   * @description nonce\n   */\n  nonce?: string;\n  /**\n   * Force refresh token (only for Android)\n   * @description force refresh token\n   * @default false\n   * @note On Android, the OS caches access tokens, and if a token is invalid (e.g., user revoked app access), the plugin might return an invalid accessToken. Using getAuthorizationCode() is recommended to ensure the token is valid.\n   */\n  forceRefreshToken?: boolean;\n  /**\n   * Force account selection prompt (iOS)\n   * @description forces the account selection prompt to appear on iOS\n   * @default false\n   */\n  forcePrompt?: boolean;\n  /**\n   * Style\n   * @description style\n   * @default 'standard'\n   */\n  style?: 'bottom' | 'standard';\n  /**\n   * Filter by authorized accounts (Android only)\n   * @description Only show accounts that have previously been used to sign in to the app.\n   * This option is only available for the 'bottom' style.\n   * Note: For Family Link supervised accounts, this should be set to false.\n   * @default true\n   */\n  filterByAuthorizedAccounts?: boolean;\n  /**\n   * Auto select enabled (Android only)\n   * @description Automatically select the account if only one Google account is available.\n   * This option is only available for the 'bottom' style.\n   * @default false\n   */\n  autoSelectEnabled?: boolean;\n  /**\n   * Prompt parameter for Google OAuth (Web only)\n   * @description A space-delimited, case-sensitive list of prompts to present the user.\n   * If you don't specify this parameter, the user will be prompted only the first time your project requests access.\n   *\n   * **Possible values:**\n   * - `none`: Don't display any authentication or consent screens. Must not be specified with other values.\n   * - `consent`: Prompt the user for consent.\n   * - `select_account`: Prompt the user to select an account.\n   *\n   * **Examples:**\n   * - `prompt: 'consent'` - Always show consent screen\n   * - `prompt: 'select_account'` - Always show account selection\n   * - `prompt: 'consent select_account'` - Show both consent and account selection\n   *\n   * **Note:** This parameter only affects web platform behavior. Mobile platforms use their own native prompts.\n   *\n   * @example 'consent'\n   * @example 'select_account'\n   * @example 'consent select_account'\n   * @see [Google OAuth2 Prompt Parameter](https://developers.google.com/identity/protocols/oauth2/openid-connect#prompt)\n   * @since 7.12.0\n   */\n  prompt?: 'none' | 'consent' | 'select_account' | 'consent select_account' | 'select_account consent';\n}\n\nexport interface GoogleLoginResponseOnline {\n  accessToken: AccessToken | null;\n  idToken: string | null;\n  profile: {\n    email: string | null;\n    familyName: string | null;\n    givenName: string | null;\n    id: string | null;\n    name: string | null;\n    imageUrl: string | null;\n  };\n  responseType: 'online';\n}\n\nexport interface GoogleLoginResponseOffline {\n  serverAuthCode: string;\n  responseType: 'offline';\n}\n\nexport type GoogleLoginResponse = GoogleLoginResponseOnline | GoogleLoginResponseOffline;\n\nexport interface AppleProviderOptions {\n  /**\n   * Scopes\n   * @description An array of scopes to request during login\n   * @example [\"name\", \"email\"]\n   * default: [\"name\", \"email\"]\n   */\n  scopes?: string[];\n  /**\n   * Nonce\n   * @description nonce\n   */\n  nonce?: string;\n  /**\n   * State\n   * @description state\n   */\n  state?: string;\n  /**\n   * Use Broadcast Channel for authentication flow\n   * @description When enabled, uses Broadcast Channel API for communication instead of URL redirects.\n   * Only applicable on platforms that support Broadcast Channel (Android).\n   * @default false\n   */\n  useBroadcastChannel?: boolean;\n}\n\nexport interface AppleProviderResponse {\n  /**\n   * Access token from Apple\n   * @description Content depends on `useProperTokenExchange` setting:\n   * - When `useProperTokenExchange: true`: Real access token from Apple (~1 hour validity)\n   * - When `useProperTokenExchange: false`: Contains authorization code as token (legacy mode)\n   * Use `idToken` for user authentication, `accessToken` for API calls when properly exchanged.\n   */\n  accessToken: AccessToken | null;\n\n  /**\n   * Identity token (JWT) from Apple\n   * @description Always contains the JWT with user identity information including:\n   * - User ID (sub claim)\n   * - Email (if user granted permission)\n   * - Name components (if user granted permission)\n   * - Email verification status\n   * This is the primary token for user authentication and should be verified on your backend.\n   */\n  idToken: string | null;\n\n  /**\n   * User profile information\n   * @description Basic user profile data extracted from the identity token and Apple response:\n   * - `user`: Apple's user identifier (sub claim from idToken)\n   * - `email`: User's email address (if permission granted)\n   * - `givenName`: User's first name (if permission granted)\n   * - `familyName`: User's last name (if permission granted)\n   */\n  profile: {\n    user: string;\n    email: string | null;\n    givenName: string | null;\n    familyName: string | null;\n  };\n\n  /**\n   * Authorization code for proper token exchange (when useProperTokenExchange is enabled)\n   * @description Only present when `useProperTokenExchange` is `true`. This code should be exchanged\n   * for proper access tokens on your backend using Apple's token endpoint. Use this for secure\n   * server-side token validation and to obtain refresh tokens.\n   * @see https://developer.apple.com/documentation/sign_in_with_apple/tokenresponse\n   */\n  authorizationCode?: string;\n}\n\nexport type LoginOptions =\n  | {\n      provider: 'facebook';\n      options: FacebookLoginOptions;\n    }\n  | {\n      provider: 'google';\n      options: GoogleLoginOptions;\n    }\n  | {\n      provider: 'apple';\n      options: AppleProviderOptions;\n    }\n  | {\n      provider: 'twitter';\n      options: TwitterLoginOptions;\n    };\n\nexport type LoginResult =\n  | {\n      provider: 'facebook';\n      result: FacebookLoginResponse;\n    }\n  | {\n      provider: 'google';\n      result: GoogleLoginResponse;\n    }\n  | {\n      provider: 'apple';\n      result: AppleProviderResponse;\n    }\n  | {\n      provider: 'twitter';\n      result: TwitterLoginResponse;\n    };\n\nexport interface AccessToken {\n  applicationId?: string;\n  declinedPermissions?: string[];\n  expires?: string;\n  isExpired?: boolean;\n  lastRefresh?: string;\n  permissions?: string[];\n  token: string;\n  tokenType?: string;\n  refreshToken?: string;\n  userId?: string;\n}\n\nexport interface FacebookLoginResponse {\n  accessToken: AccessToken | null;\n  idToken: string | null;\n  profile: {\n    userID: string;\n    email: string | null;\n    friendIDs: string[];\n    birthday: string | null;\n    ageRange: { min?: number; max?: number } | null;\n    gender: string | null;\n    location: { id: string; name: string } | null;\n    hometown: { id: string; name: string } | null;\n    profileURL: string | null;\n    name: string | null;\n    imageURL: string | null;\n  };\n}\n\nexport interface TwitterProfile {\n  id: string;\n  username: string;\n  name: string | null;\n  profileImageUrl: string | null;\n  verified: boolean;\n  email?: string | null;\n}\n\nexport interface TwitterLoginResponse {\n  accessToken: AccessToken | null;\n  refreshToken?: string | null;\n  scope: string[];\n  tokenType: 'bearer';\n  expiresIn?: number | null;\n  profile: TwitterProfile;\n}\n\nexport interface AuthorizationCode {\n  /**\n   * Jwt\n   * @description A JSON web token\n   */\n  jwt?: string;\n  /**\n   * Access Token\n   * @description An access token\n   */\n  accessToken?: string;\n}\n\nexport interface AuthorizationCodeOptions {\n  /**\n   * Provider\n   * @description Provider for the authorization code\n   */\n  provider: 'apple' | 'google' | 'facebook' | 'twitter';\n}\n\nexport interface isLoggedInOptions {\n  /**\n   * Provider\n   * @description Provider for the isLoggedIn\n   */\n  provider: 'apple' | 'google' | 'facebook' | 'twitter';\n}\n\n// Define the provider-specific call types\nexport type ProviderSpecificCall = 'facebook#getProfile' | 'facebook#requestTracking';\n\n// Define the options and response types for each specific call\nexport interface FacebookGetProfileOptions {\n  /**\n   * Fields to retrieve from Facebook profile\n   * @example [\"id\", \"name\", \"email\", \"picture\"]\n   */\n  fields?: string[];\n}\n\nexport interface FacebookGetProfileResponse {\n  /**\n   * Facebook profile data\n   */\n  profile: {\n    id: string | null;\n    name: string | null;\n    email: string | null;\n    first_name: string | null;\n    last_name: string | null;\n    picture?: {\n      data: {\n        height: number | null;\n        is_silhouette: boolean | null;\n        url: string | null;\n        width: number | null;\n      };\n    } | null;\n    [key: string]: any; // For additional fields that might be requested\n  };\n}\n\nexport type FacebookRequestTrackingOptions = Record<string, never>;\n\nexport interface FacebookRequestTrackingResponse {\n  /**\n   * App tracking authorization status\n   */\n  status: 'authorized' | 'denied' | 'notDetermined' | 'restricted';\n}\n\n// Map call strings to their options and response types\nexport type ProviderSpecificCallOptionsMap = {\n  'facebook#getProfile': FacebookGetProfileOptions;\n  'facebook#requestTracking': FacebookRequestTrackingOptions;\n};\n\nexport type ProviderSpecificCallResponseMap = {\n  'facebook#getProfile': FacebookGetProfileResponse;\n  'facebook#requestTracking': FacebookRequestTrackingResponse;\n};\n\n// Add a helper type to map providers to their response types\nexport type ProviderResponseMap = {\n  facebook: FacebookLoginResponse;\n  google: GoogleLoginResponse;\n  apple: AppleProviderResponse;\n  twitter: TwitterLoginResponse;\n};\n\nexport interface SocialLoginPlugin {\n  /**\n   * Initialize the plugin\n   * @description initialize the plugin with the required options\n   */\n  initialize(options: InitializeOptions): Promise<void>;\n  /**\n   * Login with the selected provider\n   * @description login with the selected provider\n   */\n  login<T extends LoginOptions['provider']>(\n    options: Extract<LoginOptions, { provider: T }>,\n  ): Promise<{ provider: T; result: ProviderResponseMap[T] }>;\n  /**\n   * Logout\n   * @description Logout the user from the specified provider\n   *\n   * **Google Offline Mode Limitation:**\n   * This method is NOT supported when Google is initialized with `mode: 'offline'`.\n   * It will reject with error: \"logout is not implemented when using offline mode\"\n   *\n   * @throws Error if Google provider is in offline mode\n   */\n  logout(options: { provider: 'apple' | 'google' | 'facebook' | 'twitter' }): Promise<void>;\n  /**\n   * IsLoggedIn\n   * @description Check if the user is currently logged in with the specified provider\n   *\n   * **Google Offline Mode Limitation:**\n   * This method is NOT supported when Google is initialized with `mode: 'offline'`.\n   * It will reject with error: \"isLoggedIn is not implemented when using offline mode\"\n   *\n   * @throws Error if Google provider is in offline mode\n   */\n  isLoggedIn(options: isLoggedInOptions): Promise<{ isLoggedIn: boolean }>;\n\n  /**\n   * Get the current authorization code\n   * @description Get the authorization code for server-side authentication\n   *\n   * **Google Offline Mode Limitation:**\n   * This method is NOT supported when Google is initialized with `mode: 'offline'`.\n   * It will reject with error: \"getAuthorizationCode is not implemented when using offline mode\"\n   *\n   * In offline mode, the authorization code (serverAuthCode) is already returned by the `login()` method.\n   *\n   * @throws Error if Google provider is in offline mode\n   */\n  getAuthorizationCode(options: AuthorizationCodeOptions): Promise<AuthorizationCode>;\n  /**\n   * Refresh the access token\n   * @description refresh the access token\n   */\n  refresh(options: LoginOptions): Promise<void>;\n\n  /**\n   * Execute provider-specific calls\n   * @description Execute a provider-specific functionality\n   */\n  providerSpecificCall<T extends ProviderSpecificCall>(options: {\n    call: T;\n    options: ProviderSpecificCallOptionsMap[T];\n  }): Promise<ProviderSpecificCallResponseMap[T]>;\n\n  /**\n   * Get the native Capacitor plugin version\n   *\n   * @returns {Promise<{ id: string }>} an Promise with version for this device\n   * @throws An error if the something went wrong\n   */\n  getPluginVersion(): Promise<{ version: string }>;\n}\n"]}
+{"version":3,"file":"definitions.js","sourceRoot":"","sources":["../../src/definitions.ts"],"names":[],"mappings":"","sourcesContent":["/**\n * Configuration for a single OAuth2 provider instance\n */\nexport interface OAuth2ProviderConfig {\n  /**\n   * The OAuth 2.0 client identifier (App ID / Client ID)\n   * @example 'your-client-id'\n   */\n  appId: string;\n  /**\n   * The base URL of the authorization endpoint\n   * @example 'https://accounts.example.com/oauth2/authorize'\n   */\n  authorizationBaseUrl: string;\n  /**\n   * The URL to exchange the authorization code for tokens\n   * Required for authorization code flow\n   * @example 'https://accounts.example.com/oauth2/token'\n   */\n  accessTokenEndpoint?: string;\n  /**\n   * Redirect URL that receives the OAuth callback\n   * @example 'myapp://oauth/callback'\n   */\n  redirectUrl: string;\n  /**\n   * Optional URL to fetch user profile/resource data after authentication\n   * The access token will be sent as Bearer token in the Authorization header\n   * @example 'https://api.example.com/userinfo'\n   */\n  resourceUrl?: string;\n  /**\n   * The OAuth response type\n   * - 'code': Authorization Code flow (recommended, requires accessTokenEndpoint)\n   * - 'token': Implicit flow (less secure, tokens returned directly)\n   * @default 'code'\n   */\n  responseType?: 'code' | 'token';\n  /**\n   * Enable PKCE (Proof Key for Code Exchange)\n   * Strongly recommended for public clients (mobile/web apps)\n   * @default true\n   */\n  pkceEnabled?: boolean;\n  /**\n   * Default scopes to request during authorization\n   * @example 'openid profile email'\n   */\n  scope?: string;\n  /**\n   * Additional parameters to include in the authorization request\n   * @example { prompt: 'consent', login_hint: 'user@example.com' }\n   */\n  additionalParameters?: Record<string, string>;\n  /**\n   * Additional headers to include when fetching the resource URL\n   * @example { 'X-Custom-Header': 'value' }\n   */\n  additionalResourceHeaders?: Record<string, string>;\n  /**\n   * Custom logout URL for ending the session\n   * @example 'https://accounts.example.com/logout'\n   */\n  logoutUrl?: string;\n  /**\n   * Enable debug logging\n   * @default false\n   */\n  logsEnabled?: boolean;\n}\n\nexport interface InitializeOptions {\n  /**\n   * OAuth2 provider configurations.\n   * Supports multiple providers by using a Record with provider IDs as keys.\n   * @example\n   * {\n   *   github: { appId: '...', authorizationBaseUrl: 'https://github.com/login/oauth/authorize', ... },\n   *   azure: { appId: '...', authorizationBaseUrl: 'https://login.microsoftonline.com/.../oauth2/v2.0/authorize', ... }\n   * }\n   */\n  oauth2?: Record<string, OAuth2ProviderConfig>;\n  twitter?: {\n    /**\n     * The OAuth 2.0 client identifier issued by X (Twitter) Developer Portal\n     * @example 'Y2xpZW50SWQ'\n     */\n    clientId: string;\n    /**\n     * Redirect URL that is registered inside the X Developer Portal.\n     * The plugin uses this URL on every platform to receive the authorization code.\n     * @example 'myapp://auth/x'\n     */\n    redirectUrl: string;\n    /**\n     * Default scopes appended to every login request when no custom scopes are provided.\n     * @description Defaults to the minimum required scopes for Log in with X.\n     * @default ['tweet.read','users.read']\n     */\n    defaultScopes?: string[];\n    /**\n     * Force the consent screen to show on every login attempt.\n     * Mirrors X's `force_login=true` flag.\n     * @default false\n     */\n    forceLogin?: boolean;\n    /**\n     * Optional audience value when your application has been approved for multi-tenant access.\n     */\n    audience?: string;\n  };\n  facebook?: {\n    /**\n     * Facebook App ID, provided by Facebook for web, in mobile it's set in the native files\n     */\n    appId: string;\n    /**\n     * Facebook Client Token, provided by Facebook for web, in mobile it's set in the native files\n     */\n    clientToken?: string;\n    /**\n     * Locale\n     * @description The locale to use for the Facebook SDK (e.g., 'en_US', 'fr_FR', 'es_ES')\n     * @default 'en_US'\n     * @example 'fr_FR'\n     */\n    locale?: string;\n  };\n\n  google?: {\n    /**\n     * The app's client ID, found and created in the Google Developers Console.\n     * Required for iOS platform.\n     * @example xxxxxx-xxxxxxxxxxxxxxxxxx.apps.googleusercontent.com\n     * @since 3.1.0\n     */\n    iOSClientId?: string;\n    /**\n     * The app's server client ID, required for offline mode on iOS.\n     * Should be the same value as webClientId.\n     * Found and created in the Google Developers Console.\n     * @example xxxxxx-xxxxxxxxxxxxxxxxxx.apps.googleusercontent.com\n     * @since 3.1.0\n     */\n    iOSServerClientId?: string;\n    /**\n     * The app's web client ID, found and created in the Google Developers Console.\n     * Required for Android and Web platforms.\n     * @example xxxxxx-xxxxxxxxxxxxxxxxxx.apps.googleusercontent.com\n     * @since 3.1.0\n     */\n    webClientId?: string;\n    /**\n     * The login mode, can be online or offline.\n     *\n     * **Online mode (default):**\n     * - Returns user profile data and access tokens\n     * - Supports all methods: login, logout, isLoggedIn, getAuthorizationCode\n     *\n     * **Offline mode:**\n     * - Returns only serverAuthCode for backend authentication\n     * - No user profile data available\n     * - **Limitations:** The following methods are NOT supported in offline mode:\n     *   - `logout()` - Will reject with \"not implemented when using offline mode\"\n     *   - `isLoggedIn()` - Will reject with \"not implemented when using offline mode\"\n     *   - `getAuthorizationCode()` - Will reject with \"not implemented when using offline mode\"\n     * - Only `login()` method works in offline mode, returning serverAuthCode only\n     * - Requires `iOSServerClientId` to be set on iOS\n     *\n     * @example 'offline'\n     * @default 'online'\n     * @since 3.1.0\n     */\n    mode?: 'online' | 'offline';\n    /**\n     * Filter visible accounts by hosted domain\n     * @description filter visible accounts by hosted domain\n     */\n    hostedDomain?: string;\n    /**\n     * Google Redirect URL, should be your backend url that is configured in your google app\n     */\n    redirectUrl?: string;\n  };\n  apple?: {\n    /**\n     * Apple Client ID, provided by Apple for web and Android\n     */\n    clientId?: string;\n    /**\n     * Apple Redirect URL, should be your backend url that is configured in your apple app\n     *\n     * **Note**: Use empty string `''` for iOS to prevent redirect.\n     * **Note**: Not required when using Broadcast Channel mode on Android.\n     */\n    redirectUrl?: string;\n    /**\n     * Use proper token exchange for Apple Sign-In\n     * @description Controls how Apple Sign-In tokens are handled and what gets returned:\n     *\n     * **When `true` (Recommended for new implementations):**\n     * - Exchanges authorization code for proper access tokens via Apple's token endpoint\n     * - `idToken`: JWT containing user identity information (email, name, user ID)\n     * - `accessToken.token`: Proper access token from Apple (short-lived, ~1 hour)\n     * - `authorizationCode`: Raw authorization code for backend token exchange\n     *\n     * **When `false` (Default - Legacy mode):**\n     * - Uses authorization code directly as access token for backward compatibility\n     * - `idToken`: JWT containing user identity information (email, name, user ID)\n     * - `accessToken.token`: The authorization code itself (not a real access token)\n     * - `authorizationCode`: undefined\n     *\n     * @default false\n     * @example\n     * // Enable proper token exchange (recommended)\n     * useProperTokenExchange: true\n     * // Result: idToken=JWT, accessToken=real_token, authorizationCode=present\n     *\n     * // Legacy mode (backward compatibility)\n     * useProperTokenExchange: false\n     * // Result: idToken=JWT, accessToken=auth_code, authorizationCode=undefined\n     */\n    useProperTokenExchange?: boolean;\n    /**\n     * Use Broadcast Channel for Android Apple Sign-In (Recommended)\n     * @description When enabled, Android uses Broadcast Channel API instead of URL redirects.\n     * This eliminates the need for redirect URL configuration and server-side setup.\n     *\n     * **Benefits:**\n     * - No redirect URL configuration required\n     * - No backend server needed for Android\n     * - Simpler setup and more reliable communication\n     * - Direct client-server communication via Broadcast Channel\n     *\n     * **When `true`:**\n     * - Uses Broadcast Channel for authentication flow\n     * - `redirectUrl` is ignored\n     * - Requires Broadcast Channel compatible backend or direct token handling\n     *\n     * **When `false` (Default - Legacy mode):**\n     * - Uses traditional URL redirect flow\n     * - Requires `redirectUrl` configuration\n     * - Requires backend server for token exchange\n     *\n     * @default false\n     * @since 7.10.0\n     * @example\n     * // Enable Broadcast Channel mode (recommended for new Android implementations)\n     * useBroadcastChannel: true\n     * // Result: Simplified setup, no redirect URL needed\n     *\n     * // Legacy mode (backward compatibility)\n     * useBroadcastChannel: false\n     * // Result: Traditional URL redirect flow with server-side setup\n     */\n    useBroadcastChannel?: boolean;\n  };\n}\n\nexport interface FacebookLoginOptions {\n  /**\n   * Permissions\n   * @description select permissions to login with\n   */\n  permissions: string[];\n  /**\n   * Is Limited Login\n   * @description use limited login for Facebook iOS only. Important: This is iOS-only and doesn't affect Android.\n   * Even if set to false, Facebook will automatically force it to true if App Tracking Transparency (ATT) permission is not granted.\n   * Developers should always be prepared to handle both limited and full login scenarios.\n   * @default false\n   */\n  limitedLogin?: boolean;\n  /**\n   * Nonce\n   * @description A custom nonce to use for the login request\n   */\n  nonce?: string;\n}\n\nexport interface TwitterLoginOptions {\n  /**\n   * Additional scopes to request during login.\n   * If omitted the plugin falls back to the default scopes configured during initialization.\n   * @example ['tweet.read','users.read','offline.access']\n   */\n  scopes?: string[];\n  /**\n   * Provide a custom OAuth state value.\n   * When not provided the plugin generates a cryptographically random value.\n   */\n  state?: string;\n  /**\n   * Provide a pre-computed PKCE code verifier (mostly used for testing).\n   * When omitted the plugin generates a secure verifier automatically.\n   */\n  codeVerifier?: string;\n  /**\n   * Override the redirect URI for a single login call.\n   * Useful when the same app supports multiple callback URLs per platform.\n   */\n  redirectUrl?: string;\n  /**\n   * Force the consent screen on every attempt, maps to `force_login=true`.\n   */\n  forceLogin?: boolean;\n}\n\nexport interface OAuth2LoginOptions {\n  /**\n   * The provider ID as configured in initialize()\n   * This is required to identify which OAuth2 provider to use\n   * @example 'github', 'azure', 'keycloak'\n   */\n  providerId: string;\n  /**\n   * Override the scopes for this login request\n   * If not provided, uses the scopes from initialization\n   */\n  scope?: string;\n  /**\n   * Custom state parameter for CSRF protection\n   * If not provided, a random value is generated\n   */\n  state?: string;\n  /**\n   * Override PKCE code verifier (for testing purposes)\n   * If not provided, a secure random verifier is generated\n   */\n  codeVerifier?: string;\n  /**\n   * Override redirect URL for this login request\n   */\n  redirectUrl?: string;\n  /**\n   * Additional parameters to add to the authorization URL\n   */\n  additionalParameters?: Record<string, string>;\n}\n\nexport interface OAuth2LoginResponse {\n  /**\n   * The provider ID that was used for this login\n   */\n  providerId: string;\n  /**\n   * The access token received from the OAuth provider\n   */\n  accessToken: AccessToken | null;\n  /**\n   * The ID token (JWT) if provided by the OAuth server (e.g., OpenID Connect)\n   */\n  idToken: string | null;\n  /**\n   * The refresh token if provided (requires appropriate scope like offline_access)\n   */\n  refreshToken: string | null;\n  /**\n   * Resource data fetched from resourceUrl if configured\n   * Contains the raw JSON response from the resource endpoint\n   */\n  resourceData: Record<string, unknown> | null;\n  /**\n   * The scopes that were granted\n   */\n  scope: string[];\n  /**\n   * Token type (usually 'bearer')\n   */\n  tokenType: string;\n  /**\n   * Token expiration time in seconds\n   */\n  expiresIn: number | null;\n}\n\nexport interface GoogleLoginOptions {\n  /**\n   * Specifies the scopes required for accessing Google APIs\n   * The default is defined in the configuration.\n   * @example [\"profile\", \"email\"]\n   * @see [Google OAuth2 Scopes](https://developers.google.com/identity/protocols/oauth2/scopes)\n   */\n  scopes?: string[];\n  /**\n   * Nonce\n   * @description nonce\n   */\n  nonce?: string;\n  /**\n   * Force refresh token (only for Android)\n   * @description force refresh token\n   * @default false\n   * @note On Android, the OS caches access tokens, and if a token is invalid (e.g., user revoked app access), the plugin might return an invalid accessToken. Using getAuthorizationCode() is recommended to ensure the token is valid.\n   */\n  forceRefreshToken?: boolean;\n  /**\n   * Force account selection prompt (iOS)\n   * @description forces the account selection prompt to appear on iOS\n   * @default false\n   */\n  forcePrompt?: boolean;\n  /**\n   * Style\n   * @description style\n   * @default 'standard'\n   */\n  style?: 'bottom' | 'standard';\n  /**\n   * Filter by authorized accounts (Android only)\n   * @description Only show accounts that have previously been used to sign in to the app.\n   * This option is only available for the 'bottom' style.\n   * Note: For Family Link supervised accounts, this should be set to false.\n   * @default true\n   */\n  filterByAuthorizedAccounts?: boolean;\n  /**\n   * Auto select enabled (Android only)\n   * @description Automatically select the account if only one Google account is available.\n   * This option is only available for the 'bottom' style.\n   * @default false\n   */\n  autoSelectEnabled?: boolean;\n  /**\n   * Prompt parameter for Google OAuth (Web only)\n   * @description A space-delimited, case-sensitive list of prompts to present the user.\n   * If you don't specify this parameter, the user will be prompted only the first time your project requests access.\n   *\n   * **Possible values:**\n   * - `none`: Don't display any authentication or consent screens. Must not be specified with other values.\n   * - `consent`: Prompt the user for consent.\n   * - `select_account`: Prompt the user to select an account.\n   *\n   * **Examples:**\n   * - `prompt: 'consent'` - Always show consent screen\n   * - `prompt: 'select_account'` - Always show account selection\n   * - `prompt: 'consent select_account'` - Show both consent and account selection\n   *\n   * **Note:** This parameter only affects web platform behavior. Mobile platforms use their own native prompts.\n   *\n   * @example 'consent'\n   * @example 'select_account'\n   * @example 'consent select_account'\n   * @see [Google OAuth2 Prompt Parameter](https://developers.google.com/identity/protocols/oauth2/openid-connect#prompt)\n   * @since 7.12.0\n   */\n  prompt?: 'none' | 'consent' | 'select_account' | 'consent select_account' | 'select_account consent';\n}\n\nexport interface GoogleLoginResponseOnline {\n  accessToken: AccessToken | null;\n  idToken: string | null;\n  profile: {\n    email: string | null;\n    familyName: string | null;\n    givenName: string | null;\n    id: string | null;\n    name: string | null;\n    imageUrl: string | null;\n  };\n  responseType: 'online';\n}\n\nexport interface GoogleLoginResponseOffline {\n  serverAuthCode: string;\n  responseType: 'offline';\n}\n\nexport type GoogleLoginResponse = GoogleLoginResponseOnline | GoogleLoginResponseOffline;\n\nexport interface AppleProviderOptions {\n  /**\n   * Scopes\n   * @description An array of scopes to request during login\n   * @example [\"name\", \"email\"]\n   * default: [\"name\", \"email\"]\n   */\n  scopes?: string[];\n  /**\n   * Nonce\n   * @description nonce\n   */\n  nonce?: string;\n  /**\n   * State\n   * @description state\n   */\n  state?: string;\n  /**\n   * Use Broadcast Channel for authentication flow\n   * @description When enabled, uses Broadcast Channel API for communication instead of URL redirects.\n   * Only applicable on platforms that support Broadcast Channel (Android).\n   * @default false\n   */\n  useBroadcastChannel?: boolean;\n}\n\nexport interface AppleProviderResponse {\n  /**\n   * Access token from Apple\n   * @description Content depends on `useProperTokenExchange` setting:\n   * - When `useProperTokenExchange: true`: Real access token from Apple (~1 hour validity)\n   * - When `useProperTokenExchange: false`: Contains authorization code as token (legacy mode)\n   * Use `idToken` for user authentication, `accessToken` for API calls when properly exchanged.\n   */\n  accessToken: AccessToken | null;\n\n  /**\n   * Identity token (JWT) from Apple\n   * @description Always contains the JWT with user identity information including:\n   * - User ID (sub claim)\n   * - Email (if user granted permission)\n   * - Name components (if user granted permission)\n   * - Email verification status\n   * This is the primary token for user authentication and should be verified on your backend.\n   */\n  idToken: string | null;\n\n  /**\n   * User profile information\n   * @description Basic user profile data extracted from the identity token and Apple response:\n   * - `user`: Apple's user identifier (sub claim from idToken)\n   * - `email`: User's email address (if permission granted)\n   * - `givenName`: User's first name (if permission granted)\n   * - `familyName`: User's last name (if permission granted)\n   */\n  profile: {\n    user: string;\n    email: string | null;\n    givenName: string | null;\n    familyName: string | null;\n  };\n\n  /**\n   * Authorization code for proper token exchange (when useProperTokenExchange is enabled)\n   * @description Only present when `useProperTokenExchange` is `true`. This code should be exchanged\n   * for proper access tokens on your backend using Apple's token endpoint. Use this for secure\n   * server-side token validation and to obtain refresh tokens.\n   * @see https://developer.apple.com/documentation/sign_in_with_apple/tokenresponse\n   */\n  authorizationCode?: string;\n}\n\nexport type LoginOptions =\n  | {\n      provider: 'facebook';\n      options: FacebookLoginOptions;\n    }\n  | {\n      provider: 'google';\n      options: GoogleLoginOptions;\n    }\n  | {\n      provider: 'apple';\n      options: AppleProviderOptions;\n    }\n  | {\n      provider: 'twitter';\n      options: TwitterLoginOptions;\n    }\n  | {\n      provider: 'oauth2';\n      options: OAuth2LoginOptions;\n    };\n\nexport type LoginResult =\n  | {\n      provider: 'facebook';\n      result: FacebookLoginResponse;\n    }\n  | {\n      provider: 'google';\n      result: GoogleLoginResponse;\n    }\n  | {\n      provider: 'apple';\n      result: AppleProviderResponse;\n    }\n  | {\n      provider: 'twitter';\n      result: TwitterLoginResponse;\n    }\n  | {\n      provider: 'oauth2';\n      result: OAuth2LoginResponse;\n    };\n\nexport interface AccessToken {\n  applicationId?: string;\n  declinedPermissions?: string[];\n  expires?: string;\n  isExpired?: boolean;\n  lastRefresh?: string;\n  permissions?: string[];\n  token: string;\n  tokenType?: string;\n  refreshToken?: string;\n  userId?: string;\n}\n\nexport interface FacebookLoginResponse {\n  accessToken: AccessToken | null;\n  idToken: string | null;\n  profile: {\n    userID: string;\n    email: string | null;\n    friendIDs: string[];\n    birthday: string | null;\n    ageRange: { min?: number; max?: number } | null;\n    gender: string | null;\n    location: { id: string; name: string } | null;\n    hometown: { id: string; name: string } | null;\n    profileURL: string | null;\n    name: string | null;\n    imageURL: string | null;\n  };\n}\n\nexport interface TwitterProfile {\n  id: string;\n  username: string;\n  name: string | null;\n  profileImageUrl: string | null;\n  verified: boolean;\n  email?: string | null;\n}\n\nexport interface TwitterLoginResponse {\n  accessToken: AccessToken | null;\n  refreshToken?: string | null;\n  scope: string[];\n  tokenType: 'bearer';\n  expiresIn?: number | null;\n  profile: TwitterProfile;\n}\n\nexport interface AuthorizationCode {\n  /**\n   * Jwt\n   * @description A JSON web token\n   */\n  jwt?: string;\n  /**\n   * Access Token\n   * @description An access token\n   */\n  accessToken?: string;\n}\n\nexport interface AuthorizationCodeOptions {\n  /**\n   * Provider\n   * @description Provider for the authorization code\n   */\n  provider: 'apple' | 'google' | 'facebook' | 'twitter' | 'oauth2';\n  /**\n   * Provider ID for OAuth2 providers (required when provider is 'oauth2')\n   * @description The ID used when configuring the OAuth2 provider in initialize()\n   */\n  providerId?: string;\n}\n\nexport interface isLoggedInOptions {\n  /**\n   * Provider\n   * @description Provider for the isLoggedIn\n   */\n  provider: 'apple' | 'google' | 'facebook' | 'twitter' | 'oauth2';\n  /**\n   * Provider ID for OAuth2 providers (required when provider is 'oauth2')\n   * @description The ID used when configuring the OAuth2 provider in initialize()\n   */\n  providerId?: string;\n}\n\n// Define the provider-specific call types\nexport type ProviderSpecificCall = 'facebook#getProfile' | 'facebook#requestTracking';\n\n// Define the options and response types for each specific call\nexport interface FacebookGetProfileOptions {\n  /**\n   * Fields to retrieve from Facebook profile\n   * @example [\"id\", \"name\", \"email\", \"picture\"]\n   */\n  fields?: string[];\n}\n\nexport interface FacebookGetProfileResponse {\n  /**\n   * Facebook profile data\n   */\n  profile: {\n    id: string | null;\n    name: string | null;\n    email: string | null;\n    first_name: string | null;\n    last_name: string | null;\n    picture?: {\n      data: {\n        height: number | null;\n        is_silhouette: boolean | null;\n        url: string | null;\n        width: number | null;\n      };\n    } | null;\n    [key: string]: any; // For additional fields that might be requested\n  };\n}\n\nexport type FacebookRequestTrackingOptions = Record<string, never>;\n\nexport interface FacebookRequestTrackingResponse {\n  /**\n   * App tracking authorization status\n   */\n  status: 'authorized' | 'denied' | 'notDetermined' | 'restricted';\n}\n\n// Map call strings to their options and response types\nexport type ProviderSpecificCallOptionsMap = {\n  'facebook#getProfile': FacebookGetProfileOptions;\n  'facebook#requestTracking': FacebookRequestTrackingOptions;\n};\n\nexport type ProviderSpecificCallResponseMap = {\n  'facebook#getProfile': FacebookGetProfileResponse;\n  'facebook#requestTracking': FacebookRequestTrackingResponse;\n};\n\n// Add a helper type to map providers to their response types\nexport type ProviderResponseMap = {\n  facebook: FacebookLoginResponse;\n  google: GoogleLoginResponse;\n  apple: AppleProviderResponse;\n  twitter: TwitterLoginResponse;\n  oauth2: OAuth2LoginResponse;\n};\n\nexport interface SocialLoginPlugin {\n  /**\n   * Initialize the plugin\n   * @description initialize the plugin with the required options\n   */\n  initialize(options: InitializeOptions): Promise<void>;\n  /**\n   * Login with the selected provider\n   * @description login with the selected provider\n   */\n  login<T extends LoginOptions['provider']>(\n    options: Extract<LoginOptions, { provider: T }>,\n  ): Promise<{ provider: T; result: ProviderResponseMap[T] }>;\n  /**\n   * Logout\n   * @description Logout the user from the specified provider\n   *\n   * **Google Offline Mode Limitation:**\n   * This method is NOT supported when Google is initialized with `mode: 'offline'`.\n   * It will reject with error: \"logout is not implemented when using offline mode\"\n   *\n   * @throws Error if Google provider is in offline mode\n   */\n  logout(options: {\n    provider: 'apple' | 'google' | 'facebook' | 'twitter' | 'oauth2';\n    providerId?: string;\n  }): Promise<void>;\n  /**\n   * IsLoggedIn\n   * @description Check if the user is currently logged in with the specified provider\n   *\n   * **Google Offline Mode Limitation:**\n   * This method is NOT supported when Google is initialized with `mode: 'offline'`.\n   * It will reject with error: \"isLoggedIn is not implemented when using offline mode\"\n   *\n   * @throws Error if Google provider is in offline mode\n   */\n  isLoggedIn(options: isLoggedInOptions): Promise<{ isLoggedIn: boolean }>;\n\n  /**\n   * Get the current authorization code\n   * @description Get the authorization code for server-side authentication\n   *\n   * **Google Offline Mode Limitation:**\n   * This method is NOT supported when Google is initialized with `mode: 'offline'`.\n   * It will reject with error: \"getAuthorizationCode is not implemented when using offline mode\"\n   *\n   * In offline mode, the authorization code (serverAuthCode) is already returned by the `login()` method.\n   *\n   * @throws Error if Google provider is in offline mode\n   */\n  getAuthorizationCode(options: AuthorizationCodeOptions): Promise<AuthorizationCode>;\n  /**\n   * Refresh the access token\n   * @description refresh the access token\n   */\n  refresh(options: LoginOptions): Promise<void>;\n\n  /**\n   * Execute provider-specific calls\n   * @description Execute a provider-specific functionality\n   */\n  providerSpecificCall<T extends ProviderSpecificCall>(options: {\n    call: T;\n    options: ProviderSpecificCallOptionsMap[T];\n  }): Promise<ProviderSpecificCallResponseMap[T]>;\n\n  /**\n   * Get the native Capacitor plugin version\n   *\n   * @returns {Promise<{ id: string }>} an Promise with version for this device\n   * @throws An error if the something went wrong\n   */\n  getPluginVersion(): Promise<{ version: string }>;\n}\n"]}

package/dist/esm/oauth2-provider.d.ts

@@ -0,0 +1,41 @@
+import { BaseSocialLogin } from './base';
+import type { AuthorizationCode, LoginResult, OAuth2LoginOptions, OAuth2ProviderConfig, ProviderResponseMap } from './definitions';
+/**
+ * OAuth2 Social Login Manager
+ * Supports multiple OAuth2 provider configurations
+ */
+export declare class OAuth2SocialLogin extends BaseSocialLogin {
+    private providers;
+    private readonly TOKENS_KEY_PREFIX;
+    private readonly STATE_PREFIX;
+    /**
+     * Initialize multiple OAuth2 providers
+     */
+    initializeProviders(configs: Record<string, OAuth2ProviderConfig>): Promise<void>;
+    private getProvider;
+    private getTokensKey;
+    login<T extends 'oauth2'>(options: OAuth2LoginOptions): Promise<{
+        provider: T;
+        result: ProviderResponseMap[T];
+    }>;
+    logout(providerId: string): Promise<void>;
+    isLoggedIn(providerId: string): Promise<{
+        isLoggedIn: boolean;
+    }>;
+    getAuthorizationCode(providerId: string): Promise<AuthorizationCode>;
+    refresh(providerId: string): Promise<void>;
+    handleOAuthRedirect(url: URL, expectedState?: string): Promise<LoginResult | {
+        error: string;
+    } | null>;
+    private exchangeAuthorizationCode;
+    private refreshWithRefreshToken;
+    private fetchResource;
+    private persistTokens;
+    private getStoredTokens;
+    private persistPendingLogin;
+    private consumePendingLogin;
+    private generateState;
+    private generateCodeVerifier;
+    private generateCodeChallenge;
+    private base64UrlEncode;
+}