@darkauth/client 1.7.1 → 1.8.1

package/README.md

@@ -10,9 +10,9 @@ The client supports both:
 
 - **Zero-Knowledge Authentication**: Secure OAuth2/OIDC flow with PKCE and ephemeral key exchange
 - **Client-Side Encryption**: Built-in cryptographic functions for data encryption/decryption
-- **Token Management**: Automatic token storage, validation, and refresh
+- **Token Management**: First-party cookie refresh by default, with optional legacy token storage
 - **Data Encryption Keys (DEK)**: Support for deriving and managing data encryption keys
-- **Session Persistence**: Secure session storage with key obfuscation
+- **DRK Custody**: Memory-only DRK handling by default for hosted web zero-knowledge apps
 - **TypeScript Support**: Full TypeScript definitions included
 
 ## Installation
@@ -42,10 +42,10 @@ await initiateLogin();
 // Handle OAuth callback (on your callback page)
 const session = await handleCallback();
 if (session) {
-  console.log('Logged in!', session.idToken);
+  console.log('Logged in!', session.accessToken);
 }
 
-// Get existing session
+// Get existing in-memory session
 const existingSession = getStoredSession();
 if (existingSession && isTokenValid(existingSession.idToken)) {
   // User is authenticated
@@ -65,7 +65,13 @@ setConfig({
   issuer: 'https://auth.example.com',     // DarkAuth server URL
   clientId: 'your-client-id',              // Your application's client ID
   redirectUri: 'https://app.example.com/callback', // OAuth callback URL
-  zk: true                                 // Optional. Default true. Set false for non-ZK flows.
+  scope: 'openid profile email',           // Optional OAuth scopes
+  zk: true,                                // Optional. Default true. Set false for non-ZK flows.
+  firstParty: true,                        // Optional. Default true. Uses cookie refresh and memory storage.
+  tokenStorage: 'memory',                  // Optional. Default 'memory'. Use 'localStorage' only for legacy flows.
+  drkStorage: 'memory',                    // Optional. Default 'memory'. Use 'localStorage' only for explicit convenience mode.
+  refreshMode: 'cookie',                   // Optional. Default 'cookie'. Use 'token' only for legacy refresh-token clients.
+  credentials: 'include'                   // Optional. Default 'include' for cookie refresh.
 });
 ```
 
@@ -84,24 +90,30 @@ Starts the OAuth2/OIDC login flow with PKCE. Redirects the user to the DarkAuth
 
 Processes the OAuth callback after successful authentication. Returns an `AuthSession` object containing:
 - `idToken`: JWT ID token
+- `accessToken?`: OAuth access token for API authorization
 - `drk`: Derived Root Key for encryption operations. In non-ZK flows this is an empty `Uint8Array`.
 - `refreshToken?`: Optional refresh token
 
 Behavior:
+- OAuth `state` is validated before exchanging the authorization code.
 - If ZK artifacts are present in the callback/token response, ZK validation and DRK decryption are enforced.
 - If no ZK artifacts are present, callback still succeeds as a standard OIDC flow.
+- In default first-party mode, tokens and DRK are kept in memory and refresh uses `HttpOnly` cookies set by DarkAuth.
+- Legacy `localStorage` token or DRK persistence is available only when explicitly configured.
 
 #### `logout(): void`
 
-Clears all authentication data from storage.
+Clears the in-memory session, callback state, PKCE verifier, ephemeral ZK key, and any explicitly configured legacy storage.
 
 #### `getStoredSession(): AuthSession | null`
 
-Retrieves the current session from storage if valid. For non-ZK sessions, returns `drk` as an empty `Uint8Array`.
+Retrieves the current in-memory session if valid. For non-ZK sessions, returns `drk` as an empty `Uint8Array`.
+
+If `tokenStorage: 'localStorage'` or `drkStorage: 'localStorage'` is configured for a legacy app, this function can also restore those explicitly persisted values.
 
 #### `refreshSession(): Promise<AuthSession | null>`
 
-Refreshes the current session using the stored refresh token. For non-ZK sessions, returns `drk` as an empty `Uint8Array`.
+Refreshes the current session. In default first-party mode, the browser sends the DarkAuth refresh cookie and no JavaScript-readable refresh token is required. For non-ZK sessions, returns `drk` as an empty `Uint8Array`.
 
 ### User Information
 
@@ -181,6 +193,7 @@ setHooks({
 ```typescript
 interface AuthSession {
   idToken: string;
+  accessToken?: string;
   drk: Uint8Array;
   refreshToken?: string;
 }
@@ -205,6 +218,11 @@ type Config = {
   clientId: string;
   redirectUri: string;
   zk?: boolean;
+  firstParty?: boolean;
+  tokenStorage?: 'memory' | 'localStorage';
+  drkStorage?: 'memory' | 'localStorage';
+  refreshMode?: 'cookie' | 'token';
+  credentials?: RequestCredentials;
 }
 ```
 
@@ -220,16 +238,26 @@ type ClientHooks = {
 
 - **PKCE (Proof Key for Code Exchange)**: Protects against authorization code interception
 - **Zero-Knowledge Mode**: Ephemeral key exchange for enhanced privacy
-- **Key Obfuscation**: DRK is obfuscated in storage for additional protection
-- **Secure Storage**: Uses sessionStorage for tokens and localStorage for persistent data
+- **State Validation**: Verifies OAuth state before token exchange
+- **First-Party Cookie Refresh**: Supports `HttpOnly` refresh cookies instead of JavaScript-readable refresh tokens
+- **Memory-Only DRK Default**: Keeps the DRK out of persistent browser storage unless explicitly configured otherwise
 - **AEAD Encryption**: AES-GCM with additional authenticated data for all encryption operations
 
+## Custody Model
+
+Auth and session tokens are not the same as the DRK.
+
+In the default first-party hosted-web profile, DarkAuth protects refresh credentials with `HttpOnly` cookies and the SDK keeps the active ID/access token view in memory. The DRK is returned to the app because the app's browser code needs it to decrypt user data. That DRK is also memory-only by default. A page reload loses it and the app should start a fresh authorization request with a new ephemeral `zk_pub`.
+
+This model supports the hosted-web zero-knowledge claim for honest operation: the DarkAuth backend and app backend do not receive the user's password, OPAQUE export key, plaintext DRK, or plaintext app data. It still requires trusting the browser, the user's device, and the JavaScript served by the trusted origins.
+
 ## Browser Compatibility
 
 This library requires a modern browser with support for:
 - Web Crypto API
 - ES2015+ features
-- SessionStorage and LocalStorage
+- SessionStorage
+- LocalStorage only when explicitly using legacy persistence options
 
 ## Development
 

package/dist/index.d.ts

@@ -5,10 +5,20 @@ type Config = {
     issuer: string;
     clientId: string;
     redirectUri: string;
+    scope?: string;
     zk?: boolean;
+    authorizationEndpoint?: string;
+    tokenEndpoint?: string;
+    discovery?: boolean;
+    firstParty?: boolean;
+    tokenStorage?: "memory" | "localStorage";
+    drkStorage?: "memory" | "localStorage";
+    refreshMode?: "cookie" | "token";
+    credentials?: RequestCredentials;
 };
 export interface AuthSession {
     idToken: string;
+    accessToken?: string;
     drk: Uint8Array;
     refreshToken?: string;
 }

package/dist/index.js

@@ -13,6 +13,8 @@ function viteEnvGet(key) {
 }
 let callbackInFlight = null;
 let callbackInFlightCode = null;
+let endpointsInFlight = null;
+let endpointsCacheKey = null;
 let cfg = {
     issuer: (typeof window !== "undefined" && window.__APP_CONFIG__?.issuer) ||
         viteEnvGet("VITE_DARKAUTH_ISSUER") ||
@@ -32,8 +34,16 @@ let cfg = {
 const OBFUSCATION_KEY = "DarkAuth-Storage-Protection-2025";
 const EMPTY_DRK = new Uint8Array(0);
 const ID_TOKEN_KEY = "id_token";
+const ACCESS_TOKEN_KEY = "access_token";
+const REFRESH_TOKEN_KEY = "refresh_token";
+const DRK_STORAGE_KEY = "drk_protected";
+const OAUTH_STATE_KEY = "oauth_state";
+let memorySession = null;
+let memoryRefreshToken = null;
 export function setConfig(next) {
     cfg = { ...cfg, ...next };
+    endpointsInFlight = null;
+    endpointsCacheKey = null;
 }
 function setStoredIdToken(token) {
     localStorage.setItem(ID_TOKEN_KEY, token);
@@ -44,6 +54,73 @@ function getStoredIdToken() {
 function clearStoredIdToken() {
     localStorage.removeItem(ID_TOKEN_KEY);
 }
+function setStoredAccessToken(token) {
+    localStorage.setItem(ACCESS_TOKEN_KEY, token);
+}
+function getStoredAccessToken() {
+    return localStorage.getItem(ACCESS_TOKEN_KEY);
+}
+function clearStoredAccessToken() {
+    localStorage.removeItem(ACCESS_TOKEN_KEY);
+}
+function tokenStorageMode() {
+    return cfg.tokenStorage || (cfg.firstParty === false ? "localStorage" : "memory");
+}
+function drkStorageMode() {
+    return cfg.drkStorage || (cfg.firstParty === false ? "localStorage" : "memory");
+}
+function refreshMode() {
+    return cfg.refreshMode || (cfg.firstParty === false ? "token" : "cookie");
+}
+function fetchCredentials() {
+    return cfg.credentials || "include";
+}
+function rootEndpoint(path) {
+    return new URL(path, cfg.issuer).toString();
+}
+async function resolveEndpoints() {
+    const cacheKey = [
+        cfg.issuer,
+        cfg.scope || "",
+        cfg.authorizationEndpoint || "",
+        cfg.tokenEndpoint || "",
+        cfg.discovery === false ? "0" : "1",
+    ].join("|");
+    if (endpointsInFlight && endpointsCacheKey === cacheKey)
+        return endpointsInFlight;
+    endpointsCacheKey = cacheKey;
+    endpointsInFlight = (async () => {
+        const fallback = {
+            authorizationEndpoint: cfg.authorizationEndpoint || rootEndpoint("/authorize"),
+            tokenEndpoint: cfg.tokenEndpoint || rootEndpoint("/token"),
+        };
+        if (cfg.authorizationEndpoint && cfg.tokenEndpoint)
+            return fallback;
+        if (cfg.discovery === false || typeof fetch !== "function")
+            return fallback;
+        try {
+            const discoveryUrl = new URL("/.well-known/openid-configuration", cfg.issuer);
+            const response = await fetch(discoveryUrl.toString());
+            if (!response.ok)
+                return fallback;
+            const metadata = (await response.json());
+            return {
+                authorizationEndpoint: cfg.authorizationEndpoint ||
+                    (typeof metadata.authorization_endpoint === "string"
+                        ? metadata.authorization_endpoint
+                        : fallback.authorizationEndpoint),
+                tokenEndpoint: cfg.tokenEndpoint ||
+                    (typeof metadata.token_endpoint === "string"
+                        ? metadata.token_endpoint
+                        : fallback.tokenEndpoint),
+            };
+        }
+        catch {
+            return fallback;
+        }
+    })();
+    return endpointsInFlight;
+}
 function bytesToBase64Url(bytes) {
     let s = "";
     for (const b of bytes)
@@ -86,6 +163,91 @@ function obfuscateKey(drk) {
 function deobfuscateKey(obfuscated) {
     return obfuscateKey(obfuscated);
 }
+function clearStoredDrk() {
+    localStorage.removeItem(DRK_STORAGE_KEY);
+}
+function getStoredDrk() {
+    if (drkStorageMode() !== "localStorage") {
+        clearStoredDrk();
+        return null;
+    }
+    const obfuscatedDrkBase64 = localStorage.getItem(DRK_STORAGE_KEY);
+    if (!obfuscatedDrkBase64)
+        return null;
+    try {
+        const obfuscatedDrk = base64UrlToBytes(obfuscatedDrkBase64);
+        return deobfuscateKey(obfuscatedDrk);
+    }
+    catch {
+        clearStoredDrk();
+        return null;
+    }
+}
+function storeSession(session) {
+    const tokenMode = tokenStorageMode();
+    const drkMode = drkStorageMode();
+    const currentRefreshMode = refreshMode();
+    const storedSession = {
+        idToken: session.idToken,
+        accessToken: session.accessToken,
+        drk: session.drk,
+        refreshToken: currentRefreshMode === "token" ? session.refreshToken : undefined,
+    };
+    memorySession = storedSession;
+    if (tokenMode === "localStorage") {
+        setStoredIdToken(session.idToken);
+        if (session.accessToken)
+            setStoredAccessToken(session.accessToken);
+        else
+            clearStoredAccessToken();
+    }
+    else {
+        clearStoredIdToken();
+        clearStoredAccessToken();
+    }
+    if (drkMode === "localStorage" && session.drk.length > 0) {
+        const obfuscatedDrk = obfuscateKey(session.drk);
+        localStorage.setItem(DRK_STORAGE_KEY, bytesToBase64Url(obfuscatedDrk));
+    }
+    else {
+        clearStoredDrk();
+    }
+    if (currentRefreshMode === "token") {
+        memoryRefreshToken = session.refreshToken || memoryRefreshToken;
+        if (tokenMode === "localStorage" && session.refreshToken) {
+            localStorage.setItem(REFRESH_TOKEN_KEY, session.refreshToken);
+        }
+    }
+    else {
+        memoryRefreshToken = null;
+        localStorage.removeItem(REFRESH_TOKEN_KEY);
+    }
+    return storedSession;
+}
+function clearCallbackStorage() {
+    sessionStorage.removeItem("zk_eph_priv_jwk");
+    sessionStorage.removeItem(OAUTH_STATE_KEY);
+    sessionStorage.removeItem("pkce_verifier");
+}
+function stripDrkJweFragment() {
+    if (!location.hash.includes("drk_jwe="))
+        return;
+    const hash = location.hash.startsWith("#") ? location.hash.slice(1) : location.hash;
+    const params = new URLSearchParams(hash);
+    params.delete("drk_jwe");
+    const nextHash = params.toString();
+    const nextUrl = `${location.origin}${location.pathname}${location.search || ""}${nextHash ? `#${nextHash}` : ""}`;
+    try {
+        history.replaceState(null, "", nextUrl);
+    }
+    catch { }
+}
+function clearCallbackUrl() {
+    try {
+        history.replaceState(null, "", location.origin + location.pathname);
+    }
+    catch { }
+}
 export function parseJwt(token) {
     try {
         const parts = token.split(".");
@@ -120,13 +282,15 @@ export async function initiateLogin() {
     }
     const state = crypto.randomUUID();
     const verifier = bytesToBase64Url(crypto.getRandomValues(new Uint8Array(32)));
+    sessionStorage.setItem(OAUTH_STATE_KEY, state);
     sessionStorage.setItem("pkce_verifier", verifier);
     const challenge = bytesToBase64Url(await sha256(new TextEncoder().encode(verifier)));
-    const authUrl = new URL("/authorize", cfg.issuer);
+    const endpoints = await resolveEndpoints();
+    const authUrl = new URL(endpoints.authorizationEndpoint);
     authUrl.searchParams.set("client_id", cfg.clientId);
     authUrl.searchParams.set("redirect_uri", cfg.redirectUri);
     authUrl.searchParams.set("response_type", "code");
-    authUrl.searchParams.set("scope", "openid profile");
+    authUrl.searchParams.set("scope", cfg.scope || "openid profile");
     authUrl.searchParams.set("state", state);
     authUrl.searchParams.set("code_challenge", challenge);
     authUrl.searchParams.set("code_challenge_method", "S256");
@@ -141,69 +305,76 @@ export async function handleCallback() {
     const code = params.get("code");
     if (!code)
         return null;
+    const fragmentParams = parseFragmentParams(location.hash || "");
+    const drkJwe = fragmentParams.drk_jwe;
+    if (drkJwe)
+        stripDrkJweFragment();
+    const expectedState = sessionStorage.getItem(OAUTH_STATE_KEY);
+    const returnedState = params.get("state");
+    if (!expectedState)
+        throw new Error("Missing OAuth state");
+    if (!returnedState || returnedState !== expectedState)
+        throw new Error("Invalid OAuth state");
     if (callbackInFlight && callbackInFlightCode === code) {
         return callbackInFlight;
     }
     const exchangePromise = (async () => {
-        const tokenUrl = new URL("/token", cfg.issuer);
-        const verifier = sessionStorage.getItem("pkce_verifier") || "";
-        const response = await fetch(tokenUrl.toString(), {
-            method: "POST",
-            headers: { "content-type": "application/x-www-form-urlencoded" },
-            body: new URLSearchParams({
-                grant_type: "authorization_code",
-                code,
-                client_id: cfg.clientId,
-                redirect_uri: cfg.redirectUri,
-                code_verifier: verifier,
-            }),
-        });
-        if (!response.ok) {
-            throw new Error("Token exchange failed");
-        }
-        const tokenResponse = await response.json();
-        const fragmentParams = parseFragmentParams(location.hash || "");
-        const drkJwe = fragmentParams.drk_jwe;
-        const zkDrkHash = typeof tokenResponse.zk_drk_hash === "string" ? tokenResponse.zk_drk_hash : null;
-        const idToken = tokenResponse.id_token;
-        const refreshToken = tokenResponse.refresh_token;
-        const hasZkArtifacts = !!drkJwe || !!zkDrkHash;
-        if (!hasZkArtifacts) {
-            sessionStorage.removeItem("zk_eph_priv_jwk");
-            try {
-                history.replaceState(null, "", location.origin + location.pathname);
+        try {
+            const endpoints = await resolveEndpoints();
+            const tokenUrl = new URL(endpoints.tokenEndpoint);
+            const verifier = sessionStorage.getItem("pkce_verifier") || "";
+            const response = await fetch(tokenUrl.toString(), {
+                method: "POST",
+                headers: { "content-type": "application/x-www-form-urlencoded" },
+                body: new URLSearchParams({
+                    grant_type: "authorization_code",
+                    code,
+                    client_id: cfg.clientId,
+                    redirect_uri: cfg.redirectUri,
+                    code_verifier: verifier,
+                }),
+                credentials: fetchCredentials(),
+            });
+            if (!response.ok) {
+                throw new Error("Token exchange failed");
             }
-            catch { }
-            setStoredIdToken(idToken);
-            localStorage.removeItem("drk_protected");
-            if (refreshToken)
-                localStorage.setItem("refresh_token", refreshToken);
-            return { idToken, drk: EMPTY_DRK, refreshToken };
-        }
-        if (!drkJwe || typeof drkJwe !== "string")
-            throw new Error("Missing DRK JWE from URL fragment");
-        if (zkDrkHash) {
-            const hash = bytesToBase64Url(await sha256(new TextEncoder().encode(drkJwe)));
-            if (zkDrkHash !== hash)
-                throw new Error("DRK hash mismatch");
+            const tokenResponse = await response.json();
+            const zkDrkHash = typeof tokenResponse.zk_drk_hash === "string"
+                ? tokenResponse.zk_drk_hash
+                : null;
+            const idToken = tokenResponse.id_token;
+            const accessToken = typeof tokenResponse.access_token === "string"
+                ? tokenResponse.access_token
+                : undefined;
+            const tokenRefreshMode = refreshMode();
+            const refreshToken = tokenRefreshMode === "token"
+                ? tokenResponse.refresh_token
+                : undefined;
+            const hasZkArtifacts = !!drkJwe || !!zkDrkHash;
+            if (!hasZkArtifacts) {
+                clearCallbackUrl();
+                return storeSession({ idToken, accessToken, drk: EMPTY_DRK, refreshToken });
+            }
+            if (!drkJwe || typeof drkJwe !== "string")
+                throw new Error("Missing DRK JWE from URL fragment");
+            if (zkDrkHash) {
+                const hash = bytesToBase64Url(await sha256(new TextEncoder().encode(drkJwe)));
+                if (zkDrkHash !== hash)
+                    throw new Error("DRK hash mismatch");
+            }
+            const privateJwkString = sessionStorage.getItem("zk_eph_priv_jwk");
+            if (!privateJwkString)
+                throw new Error("Missing ZK private key for callback");
+            sessionStorage.removeItem("zk_eph_priv_jwk");
+            const privateKey = await crypto.subtle.importKey("jwk", JSON.parse(privateJwkString), { name: "ECDH", namedCurve: "P-256" }, true, ["deriveBits", "deriveKey"]);
+            const { plaintext } = await compactDecrypt(drkJwe, privateKey);
+            const drk = new Uint8Array(plaintext);
+            clearCallbackUrl();
+            return storeSession({ idToken, accessToken, drk, refreshToken });
         }
-        const privateJwkString = sessionStorage.getItem("zk_eph_priv_jwk");
-        if (!privateJwkString)
-            throw new Error("Missing ZK private key for callback");
-        sessionStorage.removeItem("zk_eph_priv_jwk");
-        const privateKey = await crypto.subtle.importKey("jwk", JSON.parse(privateJwkString), { name: "ECDH", namedCurve: "P-256" }, true, ["deriveBits", "deriveKey"]);
-        const { plaintext } = await compactDecrypt(drkJwe, privateKey);
-        const drk = new Uint8Array(plaintext);
-        try {
-            history.replaceState(null, "", location.origin + location.pathname);
+        finally {
+            clearCallbackStorage();
         }
-        catch { }
-        setStoredIdToken(idToken);
-        const obfuscatedDrk = obfuscateKey(drk);
-        localStorage.setItem("drk_protected", bytesToBase64Url(obfuscatedDrk));
-        if (refreshToken)
-            localStorage.setItem("refresh_token", refreshToken);
-        return { idToken, drk, refreshToken };
     })();
     callbackInFlight = exchangePromise;
     callbackInFlightCode = code;
@@ -218,69 +389,99 @@ export async function handleCallback() {
     }
 }
 export function getStoredSession() {
+    if (memorySession) {
+        if (isTokenValid(memorySession.idToken))
+            return memorySession;
+        memorySession = null;
+    }
+    if (tokenStorageMode() !== "localStorage") {
+        clearStoredIdToken();
+        clearStoredAccessToken();
+        clearStoredDrk();
+        localStorage.removeItem(REFRESH_TOKEN_KEY);
+        return null;
+    }
     const idToken = getStoredIdToken();
-    const obfuscatedDrkBase64 = localStorage.getItem("drk_protected");
+    const accessToken = getStoredAccessToken() || undefined;
     if (!idToken)
         return null;
     if (!isTokenValid(idToken))
         return null;
-    if (!obfuscatedDrkBase64)
-        return { idToken, drk: EMPTY_DRK };
-    try {
-        const obfuscatedDrk = base64UrlToBytes(obfuscatedDrkBase64);
-        const drk = deobfuscateKey(obfuscatedDrk);
-        return { idToken, drk };
-    }
-    catch {
-        localStorage.removeItem("drk_protected");
-        return null;
-    }
+    return {
+        idToken,
+        accessToken,
+        drk: getStoredDrk() || EMPTY_DRK,
+        refreshToken: refreshMode() === "token" ? localStorage.getItem(REFRESH_TOKEN_KEY) || undefined : undefined,
+    };
 }
 export async function refreshSession() {
-    const refreshToken = localStorage.getItem("refresh_token");
-    if (!refreshToken)
+    const currentRefreshMode = refreshMode();
+    const refreshToken = currentRefreshMode === "token"
+        ? memoryRefreshToken || localStorage.getItem(REFRESH_TOKEN_KEY)
+        : null;
+    if (currentRefreshMode === "token" && !refreshToken)
         return null;
-    const tokenUrl = new URL("/token", cfg.issuer);
+    const endpoints = await resolveEndpoints();
+    const tokenUrl = new URL(endpoints.tokenEndpoint);
+    const body = new URLSearchParams({
+        grant_type: "refresh_token",
+        client_id: cfg.clientId,
+    });
+    if (currentRefreshMode === "token" && refreshToken) {
+        body.set("refresh_token", refreshToken);
+    }
     const response = await fetch(tokenUrl.toString(), {
         method: "POST",
         headers: { "content-type": "application/x-www-form-urlencoded" },
-        body: new URLSearchParams({
-            grant_type: "refresh_token",
-            refresh_token: refreshToken,
-            client_id: cfg.clientId,
-        }),
+        body,
+        credentials: fetchCredentials(),
     });
     if (!response.ok) {
         if (response.status === 401) {
-            const latestRefreshToken = localStorage.getItem("refresh_token");
-            if (latestRefreshToken === refreshToken) {
-                localStorage.removeItem("refresh_token");
+            if (currentRefreshMode === "token") {
+                const latestRefreshToken = localStorage.getItem(REFRESH_TOKEN_KEY);
+                if (latestRefreshToken === refreshToken) {
+                    localStorage.removeItem(REFRESH_TOKEN_KEY);
+                }
+                if (memoryRefreshToken === refreshToken) {
+                    memoryRefreshToken = null;
+                }
             }
+            memorySession = null;
         }
         return null;
     }
     const tokenResponse = await response.json();
     const idToken = tokenResponse.id_token;
-    const newRefreshToken = tokenResponse.refresh_token;
-    setStoredIdToken(idToken);
-    if (newRefreshToken)
-        localStorage.setItem("refresh_token", newRefreshToken);
-    const obfuscatedDrkBase64 = localStorage.getItem("drk_protected");
-    if (!obfuscatedDrkBase64)
-        return { idToken, drk: EMPTY_DRK, refreshToken: newRefreshToken || refreshToken };
-    const obfuscatedDrk = base64UrlToBytes(obfuscatedDrkBase64);
-    const drk = deobfuscateKey(obfuscatedDrk);
-    return { idToken, drk, refreshToken: newRefreshToken || refreshToken };
+    const accessToken = typeof tokenResponse.access_token === "string"
+        ? tokenResponse.access_token
+        : undefined;
+    const newRefreshToken = currentRefreshMode === "token"
+        ? tokenResponse.refresh_token
+        : undefined;
+    const drk = memorySession?.drk && memorySession.drk.length > 0
+        ? memorySession.drk
+        : getStoredDrk() || EMPTY_DRK;
+    return storeSession({
+        idToken,
+        accessToken,
+        drk,
+        refreshToken: currentRefreshMode === "token" ? newRefreshToken || refreshToken || undefined : undefined,
+    });
 }
 export function logout() {
+    memorySession = null;
+    memoryRefreshToken = null;
     clearStoredIdToken();
-    localStorage.removeItem("drk_protected");
+    clearStoredAccessToken();
+    clearStoredDrk();
     sessionStorage.removeItem("zk_eph_priv_jwk");
     sessionStorage.removeItem("pkce_verifier");
-    localStorage.removeItem("refresh_token");
+    sessionStorage.removeItem(OAUTH_STATE_KEY);
+    localStorage.removeItem(REFRESH_TOKEN_KEY);
 }
 export function getCurrentUser() {
-    const idToken = getStoredIdToken();
+    const idToken = memorySession?.idToken || (tokenStorageMode() === "localStorage" ? getStoredIdToken() : null);
     if (!idToken)
         return null;
     return parseJwt(idToken);

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@darkauth/client",
-  "version": "1.7.1",
+  "version": "1.8.1",
   "license": "MIT",
   "repository": {
     "directory": "packages/darkauth-client",