@imtbl/auth 2.12.5-alpha.21 → 2.12.5-alpha.23

package/src/Auth.ts

@@ -779,21 +779,15 @@ export class Auth {
         try {
           const newOidcUser = await this.userManager.signinSilent();
           if (newOidcUser) {
-            const user = Auth.mapOidcUserToDomainModel(newOidcUser);
-            // Emit TOKEN_REFRESHED event so consumers (e.g., auth-next-client) can sync
-            // the new tokens to their session. This is critical for refresh token
-            // rotation - without this, the server-side session may have stale tokens.
-            this.eventEmitter.emit(AuthEvents.TOKEN_REFRESHED, user);
-            resolve(user);
+            resolve(Auth.mapOidcUserToDomainModel(newOidcUser));
             return;
           }
           resolve(null);
         } catch (err) {
           let passportErrorType = PassportErrorType.AUTHENTICATION_ERROR;
           let errorMessage = 'Failed to refresh token';
-          // Default to REMOVING user - safer to log out on unknown errors
-          // Only keep user logged in for explicitly known transient errors
           let removeUser = true;
+
           if (err instanceof ErrorTimeout) {
             passportErrorType = PassportErrorType.SILENT_LOGIN_ERROR;
             errorMessage = `${errorMessage}: ${err.message}`;
@@ -808,13 +802,6 @@ export class Auth {
           }
 
           if (removeUser) {
-            // Emit USER_REMOVED event BEFORE removing user so consumers can react
-            // (e.g., auth-next-client can clear the NextAuth session)
-            this.eventEmitter.emit(AuthEvents.USER_REMOVED, {
-              reason: 'refresh_failed',
-              error: errorMessage,
-            });
-
             try {
               await this.userManager.removeUser();
             } catch (removeUserError) {

package/src/index.ts

@@ -22,7 +22,6 @@ export type {
   IdTokenPayload,
   PKCEData,
   AuthEventMap,
-  UserRemovedReason,
 } from './types';
 export {
   isUserZkEvm,
@@ -41,17 +40,3 @@ export {
 } from './errors';
 
 export { decodeJwtPayload } from './utils/jwt';
-
-// ============================================================================
-// Standalone Login Functions (stateless, for use with NextAuth or similar)
-// ============================================================================
-
-export {
-  loginWithPopup,
-  loginWithEmbedded,
-  loginWithRedirect,
-  handleLoginCallback,
-  type LoginConfig,
-  type TokenResponse,
-  type StandaloneLoginOptions,
-} from './login/standalone';

package/src/types.ts

@@ -163,44 +163,12 @@ export type LoginOptions = {
 export enum AuthEvents {
   LOGGED_OUT = 'loggedOut',
   LOGGED_IN = 'loggedIn',
-  /**
-   * Emitted when tokens are refreshed via signinSilent().
-   * This is critical for refresh token rotation - when client-side refresh happens,
-   * the new tokens must be synced to server-side session to prevent race conditions.
-   */
-  TOKEN_REFRESHED = 'tokenRefreshed',
-  /**
-   * Emitted when the user is removed from local storage due to a permanent auth error.
-   * Only emitted for errors where the refresh token is truly invalid:
-   * - invalid_grant: refresh token expired, revoked, or already used
-   * - login_required: user must re-authenticate
-   * - consent_required / interaction_required: user must interact with auth server
-   *
-   * NOT emitted for transient errors (network, timeout, server errors) - user stays logged in.
-   * Consumers should sync this state by clearing their session (e.g., NextAuth signOut).
-   */
-  USER_REMOVED = 'userRemoved',
 }
 
-/**
- * Error reason for USER_REMOVED event.
- * Note: Network/timeout errors do NOT emit USER_REMOVED (user stays logged in),
- * so 'network_error' is not a valid reason.
- */
-export type UserRemovedReason =
-  // OAuth permanent errors (invalid_grant, login_required, etc.)
-  | 'refresh_token_invalid'
-  // Unknown non-OAuth errors
-  | 'refresh_failed'
-  // Fallback for truly unknown error types
-  | 'unknown';
-
 /**
  * Event map for typed event emitter
  */
 export interface AuthEventMap extends Record<string, any> {
   [AuthEvents.LOGGED_OUT]: [];
   [AuthEvents.LOGGED_IN]: [User];
-  [AuthEvents.TOKEN_REFRESHED]: [User];
-  [AuthEvents.USER_REMOVED]: [{ reason: UserRemovedReason; error?: string }];
 }

package/README.md

@@ -1,163 +0,0 @@
-# @imtbl/auth
-
-Authentication utilities for the Immutable SDK.
-
-## Installation
-
-```bash
-npm install @imtbl/auth
-```
-
-## Overview
-
-This package provides two ways to handle Immutable authentication:
-
-1. **Auth Class** - Full-featured authentication with session managed on client side.
-2. **Standalone Login Functions** - Stateless login functions for use with external session managers (e.g., NextAuth)
-
-## Standalone Login Functions
-
-For Next.js applications using NextAuth, use the standalone login functions. These handle OAuth flows and return tokens without managing session state.
-
-### loginWithPopup
-
-Opens a popup window for authentication and returns tokens when complete.
-
-```typescript
-import { loginWithPopup } from '@imtbl/auth';
-import { signIn } from 'next-auth/react';
-
-async function handleLogin() {
-  const tokens = await loginWithPopup({
-    clientId: process.env.NEXT_PUBLIC_IMMUTABLE_CLIENT_ID!,
-    redirectUri: `${window.location.origin}/callback`,
-  });
-  
-  // Sign in to NextAuth with the tokens
-  await signIn('immutable', {
-    tokens: JSON.stringify(tokens),
-    redirect: false,
-  });
-}
-```
-
-### loginWithRedirect
-
-Redirects the page to the authentication provider. Use `handleLoginCallback` on the callback page.
-
-```typescript
-import { loginWithRedirect } from '@imtbl/auth';
-
-function handleLogin() {
-  loginWithRedirect({
-    clientId: process.env.NEXT_PUBLIC_IMMUTABLE_CLIENT_ID!,
-    redirectUri: `${window.location.origin}/callback`,
-  });
-}
-```
-
-### handleLoginCallback
-
-Handles the OAuth callback and exchanges the authorization code for tokens.
-
-```typescript
-import { handleLoginCallback } from '@imtbl/auth';
-import { signIn } from 'next-auth/react';
-
-// In your callback page
-async function processCallback() {
-  const tokens = await handleLoginCallback({
-    clientId: process.env.NEXT_PUBLIC_IMMUTABLE_CLIENT_ID!,
-    redirectUri: `${window.location.origin}/callback`,
-  });
-  
-  if (tokens) {
-    await signIn('immutable', {
-      tokens: JSON.stringify(tokens),
-      redirect: false,
-    });
-    // Redirect to home or dashboard
-    window.location.href = '/';
-  }
-}
-```
-
-### LoginConfig
-
-Configuration options for standalone login functions:
-
-```typescript
-interface LoginConfig {
-  /** Your Immutable application client ID */
-  clientId: string;
-  /** The OAuth redirect URI for your application */
-  redirectUri: string;
-  /** Optional separate redirect URI for popup flows */
-  popupRedirectUri?: string;
-  /** OAuth audience (default: "platform_api") */
-  audience?: string;
-  /** OAuth scopes (default: "openid profile email offline_access transact") */
-  scope?: string;
-  /** Authentication domain (default: "https://auth.immutable.com") */
-  authenticationDomain?: string;
-}
-```
-
-### TokenResponse
-
-The token data returned from successful authentication:
-
-```typescript
-interface TokenResponse {
-  /** OAuth access token for API calls */
-  accessToken: string;
-  /** OAuth refresh token for token renewal */
-  refreshToken?: string;
-  /** OpenID Connect ID token */
-  idToken?: string;
-  /** Unix timestamp (ms) when the access token expires */
-  accessTokenExpires: number;
-  /** User profile information */
-  profile: {
-    sub: string;
-    email?: string;
-    nickname?: string;
-  };
-  /** zkEVM wallet information if available */
-  zkEvm?: {
-    ethAddress: string;
-    userAdminAddress: string;
-  };
-}
-```
-
-## Auth Class
-
-For applications that need full authentication management (like the Passport SDK), use the `Auth` class:
-
-```typescript
-import { Auth } from '@imtbl/auth';
-
-const auth = new Auth({
-  clientId: 'your-client-id',
-  redirectUri: 'https://your-app.com/callback',
-  scope: 'openid profile email offline_access transact',
-});
-
-// Login with popup
-const user = await auth.login();
-
-// Get current user
-const user = await auth.getUser();
-
-// Logout
-await auth.logout();
-```
-
-## Integration with NextAuth
-
-For a complete Next.js authentication setup, use this package with:
-- `@imtbl/auth-next-server` - Server-side NextAuth configuration
-- `@imtbl/auth-next-client` - Client-side components and hooks
-
-See those packages for full integration documentation.

package/dist/types/login/standalone.d.ts

@@ -1,144 +0,0 @@
-/**
- * Standalone login functions for stateless authentication flows.
- * These functions handle OAuth login without managing session state,
- * making them ideal for use with external session managers like NextAuth.
- */
-import type { DirectLoginOptions } from '../types';
-/**
- * Configuration for standalone login functions
- */
-export interface LoginConfig {
-    /** Your Immutable application client ID */
-    clientId: string;
-    /** The OAuth redirect URI for your application */
-    redirectUri: string;
-    /** Optional separate redirect URI for popup flows */
-    popupRedirectUri?: string;
-    /** OAuth audience (default: "platform_api") */
-    audience?: string;
-    /** OAuth scopes (default: "openid profile email offline_access transact") */
-    scope?: string;
-    /** Authentication domain (default: "https://auth.immutable.com") */
-    authenticationDomain?: string;
-}
-/**
- * Token response from successful authentication
- */
-export interface TokenResponse {
-    /** OAuth access token for API calls */
-    accessToken: string;
-    /** OAuth refresh token for token renewal */
-    refreshToken?: string;
-    /** OpenID Connect ID token */
-    idToken?: string;
-    /** Unix timestamp (ms) when the access token expires */
-    accessTokenExpires: number;
-    /** User profile information */
-    profile: {
-        sub: string;
-        email?: string;
-        nickname?: string;
-    };
-    /** zkEVM wallet information if available */
-    zkEvm?: {
-        ethAddress: string;
-        userAdminAddress: string;
-    };
-}
-/**
- * Extended login options for popup/redirect flows
- */
-export interface StandaloneLoginOptions {
-    /** Direct login options (social provider, email, etc.) */
-    directLoginOptions?: DirectLoginOptions;
-}
-/**
- * Login with a popup window.
- * Opens a popup for OAuth authentication and returns tokens when complete.
- *
- * @param config - Login configuration
- * @param options - Optional login options (direct login, etc.)
- * @returns Promise resolving to token response
- * @throws Error if popup is blocked or login fails
- *
- * @example
- * ```typescript
- * import { loginWithPopup } from '@imtbl/auth';
- *
- * const tokens = await loginWithPopup({
- *   clientId: 'your-client-id',
- *   redirectUri: 'https://your-app.com/callback',
- * });
- * console.log(tokens.accessToken);
- * ```
- */
-export declare function loginWithPopup(config: LoginConfig, options?: StandaloneLoginOptions): Promise<TokenResponse>;
-/**
- * Login with an embedded iframe modal.
- * First displays a modal for the user to select their login method (email, Google, etc.),
- * then opens a popup for OAuth authentication and returns tokens when complete.
- *
- * This provides a smoother user experience compared to loginWithPopup as the user
- * can choose their login method before the OAuth popup opens.
- *
- * @param config - Login configuration
- * @returns Promise resolving to token response
- * @throws Error if modal is closed or login fails
- *
- * @example
- * ```typescript
- * import { loginWithEmbedded } from '@imtbl/auth';
- *
- * const tokens = await loginWithEmbedded({
- *   clientId: 'your-client-id',
- *   redirectUri: 'https://your-app.com/callback',
- * });
- * console.log(tokens.accessToken);
- * ```
- */
-export declare function loginWithEmbedded(config: LoginConfig): Promise<TokenResponse>;
-/**
- * Login with redirect.
- * Redirects the current page to OAuth authentication.
- * After authentication, the user will be redirected back to your redirectUri.
- * Use `handleLoginCallback` to complete the flow.
- *
- * @param config - Login configuration
- * @param options - Optional login options (direct login, etc.)
- *
- * @example
- * ```typescript
- * import { loginWithRedirect } from '@imtbl/auth';
- *
- * // In your login button handler
- * loginWithRedirect({
- *   clientId: 'your-client-id',
- *   redirectUri: 'https://your-app.com/callback',
- * });
- * ```
- */
-export declare function loginWithRedirect(config: LoginConfig, options?: StandaloneLoginOptions): Promise<void>;
-/**
- * Handle the OAuth callback after redirect-based login.
- * Extracts the authorization code from the URL and exchanges it for tokens.
- *
- * @param config - Login configuration (must match what was used in loginWithRedirect)
- * @returns Promise resolving to token response, or undefined if not a valid callback
- *
- * @example
- * ```typescript
- * // In your callback page
- * import { handleLoginCallback } from '@imtbl/auth';
- *
- * const tokens = await handleLoginCallback({
- *   clientId: 'your-client-id',
- *   redirectUri: 'https://your-app.com/callback',
- * });
- *
- * if (tokens) {
- *   // Login successful, tokens contains accessToken, refreshToken, etc.
- *   await signIn('immutable', { tokens: JSON.stringify(tokens) });
- * }
- * ```
- */
-export declare function handleLoginCallback(config: LoginConfig): Promise<TokenResponse | undefined>;