@fluxbase/sdk 0.0.1-rc.116 → 0.0.1-rc.117

package/dist/index.cjs

@@ -333,6 +333,7 @@ async function wrapAsyncVoid(operation) {
 
 // src/auth.ts
 var AUTH_STORAGE_KEY = "fluxbase.auth.session";
+var OAUTH_PROVIDER_KEY = "fluxbase.auth.oauth_provider";
 var AUTO_REFRESH_TICK_THRESHOLD = 10;
 var AUTO_REFRESH_TICK_MINIMUM = 1e3;
 var MAX_REFRESH_RETRIES = 3;
@@ -910,13 +911,24 @@ var FluxbaseAuth = class {
    * Exchange OAuth authorization code for session
    * This is typically called in your OAuth callback handler
    * @param code - Authorization code from OAuth callback
+   * @param state - State parameter from OAuth callback (for CSRF protection)
    */
-  async exchangeCodeForSession(code) {
+  async exchangeCodeForSession(code, state) {
     return wrapAsync(async () => {
-      const response = await this.fetch.post(
-        "/api/v1/auth/oauth/callback",
-        { code }
+      const provider = this.storage?.getItem(OAUTH_PROVIDER_KEY);
+      if (!provider) {
+        throw new Error(
+          "No OAuth provider found. Call signInWithOAuth first."
+        );
+      }
+      const params = new URLSearchParams({ code });
+      if (state) {
+        params.append("state", state);
+      }
+      const response = await this.fetch.get(
+        `/api/v1/auth/oauth/${provider}/callback?${params.toString()}`
       );
+      this.storage?.removeItem(OAUTH_PROVIDER_KEY);
       const session = {
         ...response,
         expires_at: Date.now() + response.expires_in * 1e3
@@ -939,6 +951,7 @@ var FluxbaseAuth = class {
       }
       const url = result.data.url;
       if (typeof window !== "undefined") {
+        this.storage?.setItem(OAUTH_PROVIDER_KEY, provider);
         window.location.href = url;
       } else {
         throw new Error(