@insforge/sdk 1.0.1-refresh.7 → 1.0.1-refresh.9

package/dist/index.js

@@ -27,8 +27,6 @@ __export(index_exports, {
   HttpClient: () => HttpClient,
   InsForgeClient: () => InsForgeClient,
   InsForgeError: () => InsForgeError,
-  LocalSessionStorage: () => LocalSessionStorage,
-  SecureSessionStorage: () => SecureSessionStorage,
   Storage: () => Storage,
   StorageBucket: () => StorageBucket,
   TokenManager: () => TokenManager,
@@ -60,8 +58,6 @@ var InsForgeError = class _InsForgeError extends Error {
 var HttpClient = class {
   constructor(config) {
     this.userToken = null;
-    this.isRefreshing = false;
-    this.refreshQueue = [];
     this.baseUrl = config.baseUrl || "http://localhost:7130";
     this.fetch = config.fetch || (globalThis.fetch ? globalThis.fetch.bind(globalThis) : void 0);
     this.anonKey = config.anonKey;
@@ -74,12 +70,6 @@ var HttpClient = class {
       );
     }
   }
-  /**
-   * Set the refresh callback for automatic token refresh on 401
-   */
-  setRefreshCallback(callback) {
-    this.refreshCallback = callback;
-  }
   buildUrl(path, params) {
     const url = new URL(path, this.baseUrl);
     if (params) {
@@ -96,9 +86,6 @@ var HttpClient = class {
     return url.toString();
   }
   async request(method, path, options = {}) {
-    return this.performRequest(method, path, options, false);
-  }
-  async performRequest(method, path, options = {}, isRetry = false) {
     const { params, headers = {}, body, ...fetchOptions } = options;
     const url = this.buildUrl(path, params);
     const requestHeaders = {
@@ -124,17 +111,9 @@ var HttpClient = class {
       method,
       headers: requestHeaders,
       body: processedBody,
-      ...fetchOptions,
-      credentials: "include"
+      credentials: "include",
+      ...fetchOptions
     });
-    const isRefreshEndpoint = path.includes("/api/auth/refresh") || path.includes("/api/auth/logout");
-    if (response.status === 401 && !isRetry && !isRefreshEndpoint && this.refreshCallback) {
-      const newToken = await this.handleTokenRefresh();
-      if (newToken) {
-        this.setAuthToken(newToken);
-        return this.performRequest(method, path, options, true);
-      }
-    }
     if (response.status === 204) {
       return void 0;
     }
@@ -166,38 +145,6 @@ var HttpClient = class {
     }
     return data;
   }
-  /**
-   * Handle token refresh with queue to prevent duplicate refreshes
-   * Multiple concurrent 401s will wait for a single refresh to complete
-   */
-  async handleTokenRefresh() {
-    if (this.isRefreshing) {
-      return new Promise((resolve, reject) => {
-        this.refreshQueue.push({ resolve, reject });
-      });
-    }
-    this.isRefreshing = true;
-    try {
-      const newToken = await this.refreshCallback?.();
-      this.refreshQueue.forEach(({ resolve, reject }) => {
-        if (newToken) {
-          resolve(newToken);
-        } else {
-          reject(new Error("Token refresh failed"));
-        }
-      });
-      this.refreshQueue = [];
-      return newToken || null;
-    } catch (error) {
-      this.refreshQueue.forEach(({ reject }) => {
-        reject(error instanceof Error ? error : new Error("Token refresh failed"));
-      });
-      this.refreshQueue = [];
-      return null;
-    } finally {
-      this.isRefreshing = false;
-    }
-  }
   get(path, options) {
     return this.request("GET", path, options);
   }
@@ -226,58 +173,48 @@ var HttpClient = class {
   }
 };
 
-// src/lib/session-storage.ts
+// src/lib/token-manager.ts
 var TOKEN_KEY = "insforge-auth-token";
 var USER_KEY = "insforge-auth-user";
 var AUTH_FLAG_COOKIE = "isAuthenticated";
-var SecureSessionStorage = class {
-  constructor() {
-    this.strategyId = "secure";
-    this.accessToken = null;
-    this.user = null;
-  }
-  saveSession(session) {
-    this.accessToken = session.accessToken;
-    this.user = session.user;
-  }
-  getSession() {
-    if (!this.accessToken || !this.user) return null;
-    return {
-      accessToken: this.accessToken,
-      user: this.user
-    };
-  }
-  getAccessToken() {
-    return this.accessToken;
-  }
-  setAccessToken(token) {
-    this.accessToken = token;
-  }
-  getUser() {
-    return this.user;
-  }
-  setUser(user) {
-    this.user = user;
-  }
-  clearSession() {
+var CSRF_TOKEN_COOKIE = "insforge_csrf_token";
+function hasAuthCookie() {
+  if (typeof document === "undefined") return false;
+  return document.cookie.split(";").some(
+    (c) => c.trim().startsWith(`${AUTH_FLAG_COOKIE}=`)
+  );
+}
+function setAuthCookie() {
+  if (typeof document === "undefined") return;
+  const maxAge = 7 * 24 * 60 * 60;
+  document.cookie = `${AUTH_FLAG_COOKIE}=true; path=/; max-age=${maxAge}; SameSite=Lax`;
+}
+function clearAuthCookie() {
+  if (typeof document === "undefined") return;
+  document.cookie = `${AUTH_FLAG_COOKIE}=; path=/; max-age=0; SameSite=Lax`;
+}
+function getCsrfToken() {
+  if (typeof document === "undefined") return null;
+  const match = document.cookie.split(";").find((c) => c.trim().startsWith(`${CSRF_TOKEN_COOKIE}=`));
+  if (!match) return null;
+  return match.split("=")[1] || null;
+}
+function setCsrfToken(token) {
+  if (typeof document === "undefined") return;
+  const maxAge = 7 * 24 * 60 * 60;
+  document.cookie = `${CSRF_TOKEN_COOKIE}=${token}; path=/; max-age=${maxAge}; SameSite=Lax`;
+}
+function clearCsrfToken() {
+  if (typeof document === "undefined") return;
+  document.cookie = `${CSRF_TOKEN_COOKIE}=; path=/; max-age=0; SameSite=Lax`;
+}
+var TokenManager = class {
+  constructor(storage) {
+    // In-memory storage
     this.accessToken = null;
     this.user = null;
-  }
-  shouldAttemptRefresh() {
-    if (this.accessToken) return false;
-    return this.hasAuthFlag();
-  }
-  // --- Private: Auth Flag Cookie Detection (SDK-managed on frontend domain) ---
-  hasAuthFlag() {
-    if (typeof document === "undefined") return false;
-    return document.cookie.split(";").some(
-      (c) => c.trim().startsWith(`${AUTH_FLAG_COOKIE}=`)
-    );
-  }
-};
-var LocalSessionStorage = class {
-  constructor(storage) {
-    this.strategyId = "local";
+    // Mode: 'memory' (new backend) or 'storage' (legacy backend, default)
+    this._mode = "storage";
     if (storage) {
       this.storage = storage;
     } else if (typeof window !== "undefined" && window.localStorage) {
@@ -295,126 +232,111 @@ var LocalSessionStorage = class {
       };
     }
   }
-  saveSession(session) {
-    this.storage.setItem(TOKEN_KEY, session.accessToken);
-    this.storage.setItem(USER_KEY, JSON.stringify(session.user));
-  }
-  getSession() {
-    const token = this.storage.getItem(TOKEN_KEY);
-    const userStr = this.storage.getItem(USER_KEY);
-    if (!token || !userStr) return null;
-    try {
-      const user = JSON.parse(userStr);
-      return { accessToken: token, user };
-    } catch {
-      this.clearSession();
-      return null;
-    }
-  }
-  getAccessToken() {
-    const token = this.storage.getItem(TOKEN_KEY);
-    return typeof token === "string" ? token : null;
-  }
-  setAccessToken(token) {
-    this.storage.setItem(TOKEN_KEY, token);
-  }
-  getUser() {
-    const userStr = this.storage.getItem(USER_KEY);
-    if (!userStr) return null;
-    try {
-      return JSON.parse(userStr);
-    } catch {
-      return null;
-    }
-  }
-  setUser(user) {
-    this.storage.setItem(USER_KEY, JSON.stringify(user));
-  }
-  clearSession() {
-    this.storage.removeItem(TOKEN_KEY);
-    this.storage.removeItem(USER_KEY);
-  }
-  shouldAttemptRefresh() {
-    return false;
-  }
-};
-
-// src/lib/token-manager.ts
-var TokenManager = class {
   /**
-   * Create a new TokenManager
-   * @param storage - Optional custom storage adapter (used for initial LocalSessionStorage)
+   * Get current mode
    */
-  constructor(storage) {
-    this.strategy = new LocalSessionStorage(storage);
+  get mode() {
+    return this._mode;
   }
   /**
-   * Set the storage strategy
-   * Called after capability discovery to switch to the appropriate strategy
+   * Set mode to memory (new backend with cookies + memory)
    */
-  setStrategy(strategy) {
-    const existingSession = this.strategy.getSession();
-    const previousId = this.strategy.strategyId;
-    this.strategy = strategy;
-    if (existingSession && previousId !== strategy.strategyId) {
-      strategy.saveSession(existingSession);
+  setMemoryMode() {
+    if (this._mode === "storage") {
+      this.storage.removeItem(TOKEN_KEY);
+      this.storage.removeItem(USER_KEY);
     }
+    this._mode = "memory";
   }
   /**
-   * Get the current strategy identifier
+   * Set mode to storage (legacy backend with localStorage)
+   * Also loads existing session from localStorage
    */
-  getStrategyId() {
-    return this.strategy.strategyId;
+  setStorageMode() {
+    this._mode = "storage";
+    this.loadFromStorage();
   }
-  // --- Delegated Methods ---
   /**
-   * Save session data
+   * Load session from localStorage
+   */
+  loadFromStorage() {
+    const token = this.storage.getItem(TOKEN_KEY);
+    const userStr = this.storage.getItem(USER_KEY);
+    if (token && userStr) {
+      try {
+        this.accessToken = token;
+        this.user = JSON.parse(userStr);
+      } catch {
+        this.clearSession();
+      }
+    }
+  }
+  /**
+   * Save session (memory always, localStorage only in storage mode)
    */
   saveSession(session) {
-    this.strategy.saveSession(session);
+    this.accessToken = session.accessToken;
+    this.user = session.user;
+    if (this._mode === "storage") {
+      this.storage.setItem(TOKEN_KEY, session.accessToken);
+      this.storage.setItem(USER_KEY, JSON.stringify(session.user));
+    }
   }
   /**
    * Get current session
    */
   getSession() {
-    return this.strategy.getSession();
+    if (!this.accessToken || !this.user) return null;
+    return {
+      accessToken: this.accessToken,
+      user: this.user
+    };
   }
   /**
    * Get access token
    */
   getAccessToken() {
-    return this.strategy.getAccessToken();
+    return this.accessToken;
   }
   /**
-   * Update access token (e.g., after refresh)
+   * Set access token
    */
   setAccessToken(token) {
-    this.strategy.setAccessToken(token);
+    this.accessToken = token;
+    if (this._mode === "storage") {
+      this.storage.setItem(TOKEN_KEY, token);
+    }
   }
   /**
-   * Get user data
+   * Get user
    */
   getUser() {
-    return this.strategy.getUser();
+    return this.user;
   }
   /**
-   * Update user data
+   * Set user
    */
   setUser(user) {
-    this.strategy.setUser(user);
+    this.user = user;
+    if (this._mode === "storage") {
+      this.storage.setItem(USER_KEY, JSON.stringify(user));
+    }
   }
   /**
-   * Clear all session data
+   * Clear session (both memory and localStorage)
    */
   clearSession() {
-    this.strategy.clearSession();
+    this.accessToken = null;
+    this.user = null;
+    this.storage.removeItem(TOKEN_KEY);
+    this.storage.removeItem(USER_KEY);
   }
   /**
-   * Check if token refresh should be attempted
-   * (e.g., on page reload in secure mode)
+   * Check if there's a session in localStorage (for legacy detection)
    */
-  shouldAttemptRefresh() {
-    return this.strategy.shouldAttemptRefresh();
+  hasStoredSession() {
+    const token = this.storage.getItem(TOKEN_KEY);
+    return !!token;
   }
 };
 
@@ -531,77 +453,83 @@ var Auth = class {
     this.detectAuthCallback();
   }
   /**
-   * Set the isAuthenticated cookie flag on the frontend domain
-   * This is managed by SDK, not backend, to work in cross-origin scenarios
-   */
-  setAuthenticatedCookie() {
-    if (typeof document === "undefined") return;
-    const maxAge = 7 * 24 * 60 * 60;
-    document.cookie = `${AUTH_FLAG_COOKIE}=true; path=/; max-age=${maxAge}; SameSite=Lax`;
-  }
-  /**
-   * Clear the isAuthenticated cookie flag from the frontend domain
-   */
-  clearAuthenticatedCookie() {
-    if (typeof document === "undefined") return;
-    document.cookie = `${AUTH_FLAG_COOKIE}=; path=/; max-age=0; SameSite=Lax`;
-  }
-  /**
-   * Switch to SecureSessionStorage (cookie-based auth)
-   * Called when backend returns sessionMode: 'secure'
-   * @internal
-   */
-  _switchToSecureStorage() {
-    console.log("[InsForge:Auth] _switchToSecureStorage() called, current strategy:", this.tokenManager.getStrategyId());
-    if (this.tokenManager.getStrategyId() === "secure") {
-      console.log("[InsForge:Auth] _switchToSecureStorage() - already in secure mode, skipping");
-      return;
+  * Restore session on app initialization
+  * 
+  * @returns Object with isLoggedIn status
+  * 
+  * @example
+  * ```typescript
+  * const client = new InsForgeClient({ baseUrl: '...' });
+  * const { isLoggedIn } = await client.auth.restoreSession();
+  * 
+  * if (isLoggedIn) {
+  *   const { data } = await client.auth.getCurrentUser();
+  * }
+  * ```
+  */
+  async restoreSession() {
+    if (typeof window === "undefined") {
+      return { isLoggedIn: false };
     }
-    const currentSession = this.tokenManager.getSession();
-    this.tokenManager.setStrategy(new SecureSessionStorage());
-    if (typeof localStorage !== "undefined") {
-      console.log("[InsForge:Auth] _switchToSecureStorage() - clearing localStorage");
-      localStorage.removeItem(TOKEN_KEY);
-      localStorage.removeItem(USER_KEY);
+    if (this.tokenManager.getAccessToken()) {
+      return { isLoggedIn: true };
     }
-    console.log("[InsForge:Auth] _switchToSecureStorage() - setting isAuthenticated cookie");
-    this.setAuthenticatedCookie();
-    if (currentSession) {
-      this.tokenManager.saveSession(currentSession);
+    if (hasAuthCookie()) {
+      try {
+        const csrfToken = getCsrfToken();
+        const response = await this.http.post(
+          "/api/auth/refresh",
+          {
+            headers: csrfToken ? { "X-CSRF-Token": csrfToken } : {}
+          }
+        );
+        if (response.accessToken) {
+          this.tokenManager.setMemoryMode();
+          this.tokenManager.setAccessToken(response.accessToken);
+          this.http.setAuthToken(response.accessToken);
+          if (response.user) {
+            this.tokenManager.setUser(response.user);
+          }
+          if (response.csrfToken) {
+            setCsrfToken(response.csrfToken);
+          }
+          return { isLoggedIn: true };
+        }
+      } catch (error) {
+        if (error instanceof InsForgeError) {
+          if (error.statusCode === 404) {
+            this.tokenManager.setStorageMode();
+            const token = this.tokenManager.getAccessToken();
+            if (token) {
+              this.http.setAuthToken(token);
+              return { isLoggedIn: true };
+            }
+            return { isLoggedIn: false };
+          }
+          if (error.statusCode === 401 || error.statusCode === 403) {
+            clearAuthCookie();
+            clearCsrfToken();
+            return { isLoggedIn: false };
+          }
+        }
+        return { isLoggedIn: false };
+      }
     }
-  }
-  /**
-   * Switch to LocalSessionStorage (localStorage-based auth)
-   * Called when cookie-based auth fails (fallback)
-   * @internal
-   */
-  _switchToLocalStorage() {
-    if (this.tokenManager.getStrategyId() === "local") return;
-    const currentSession = this.tokenManager.getSession();
-    this.tokenManager.setStrategy(new LocalSessionStorage());
-    this.clearAuthenticatedCookie();
-    if (currentSession) {
-      this.tokenManager.saveSession(currentSession);
+    if (this.tokenManager.hasStoredSession()) {
+      this.tokenManager.setStorageMode();
+      const token = this.tokenManager.getAccessToken();
+      if (token) {
+        this.http.setAuthToken(token);
+        return { isLoggedIn: true };
+      }
     }
+    return { isLoggedIn: false };
   }
   /**
-   * Detect storage strategy based on backend response
-   * @param sessionMode - The sessionMode returned by backend ('secure' or undefined)
-   * @internal
+   * Automatically detect and handle OAuth callback parameters in the URL
+   * This runs on initialization to seamlessly complete the OAuth flow
+   * Matches the backend's OAuth callback response (backend/src/api/routes/auth.ts:540-544)
    */
-  _detectStorageFromResponse(sessionMode) {
-    console.log("[InsForge:Auth] _detectStorageFromResponse() - sessionMode:", sessionMode);
-    if (sessionMode === "secure") {
-      this._switchToSecureStorage();
-    } else {
-      this._switchToLocalStorage();
-    }
-  }
-  /**
-  * Automatically detect and handle OAuth callback parameters in the URL
-  * This runs on initialization to seamlessly complete the OAuth flow
-  * Matches the backend's OAuth callback response (backend/src/api/routes/auth.ts:540-544)
-  */
   detectAuthCallback() {
     if (typeof window === "undefined") return;
     try {
@@ -610,9 +538,8 @@ var Auth = class {
       const userId = params.get("user_id");
       const email = params.get("email");
       const name = params.get("name");
-      const sessionMode = params.get("session_mode");
+      const csrfToken = params.get("csrf_token");
       if (accessToken && userId && email) {
-        this._detectStorageFromResponse(sessionMode || void 0);
         const session = {
           accessToken,
           user: {
@@ -626,14 +553,18 @@ var Auth = class {
             updatedAt: (/* @__PURE__ */ new Date()).toISOString()
           }
         };
-        this.tokenManager.saveSession(session);
         this.http.setAuthToken(accessToken);
+        this.tokenManager.saveSession(session);
+        setAuthCookie();
+        if (csrfToken) {
+          setCsrfToken(csrfToken);
+        }
         const url = new URL(window.location.href);
         url.searchParams.delete("access_token");
         url.searchParams.delete("user_id");
         url.searchParams.delete("email");
         url.searchParams.delete("name");
-        url.searchParams.delete("session_mode");
+        url.searchParams.delete("csrf_token");
         if (params.has("error")) {
           url.searchParams.delete("error");
         }
@@ -649,17 +580,17 @@ var Auth = class {
   async signUp(request) {
     try {
       const response = await this.http.post("/api/auth/users", request);
-      const sessionMode = response.sessionMode;
-      this._detectStorageFromResponse(sessionMode);
-      if (response.accessToken && response.user) {
+      if (response.accessToken && response.user && !isHostedAuthEnvironment()) {
         const session = {
           accessToken: response.accessToken,
           user: response.user
         };
-        if (!isHostedAuthEnvironment()) {
-          this.tokenManager.saveSession(session);
-        }
+        this.tokenManager.saveSession(session);
+        setAuthCookie();
         this.http.setAuthToken(response.accessToken);
+        if (response.csrfToken) {
+          setCsrfToken(response.csrfToken);
+        }
       }
       return {
         data: response,
@@ -685,23 +616,18 @@ var Auth = class {
   async signInWithPassword(request) {
     try {
       const response = await this.http.post("/api/auth/sessions", request);
-      const sessionMode = response.sessionMode;
-      this._detectStorageFromResponse(sessionMode);
-      const session = {
-        accessToken: response.accessToken || "",
-        user: response.user || {
-          id: "",
-          email: "",
-          name: "",
-          emailVerified: false,
-          createdAt: "",
-          updatedAt: ""
-        }
-      };
-      if (!isHostedAuthEnvironment()) {
+      if (response.accessToken && response.user && !isHostedAuthEnvironment()) {
+        const session = {
+          accessToken: response.accessToken,
+          user: response.user
+        };
         this.tokenManager.saveSession(session);
+        setAuthCookie();
+        this.http.setAuthToken(response.accessToken);
+        if (response.csrfToken) {
+          setCsrfToken(response.csrfToken);
+        }
       }
-      this.http.setAuthToken(response.accessToken || "");
       return {
         data: response,
         error: null
@@ -756,28 +682,19 @@ var Auth = class {
   }
   /**
    * Sign out the current user
-   * In modern mode, also calls backend to clear the refresh token cookie
    */
   async signOut() {
-    console.log("[InsForge:Auth] signOut() called");
-    console.log("[InsForge:Auth] signOut() stack trace:", new Error().stack);
     try {
-      if (this.tokenManager.getStrategyId() === "secure") {
-        console.log("[InsForge:Auth] signOut() - calling backend /api/auth/logout");
-        try {
-          await this.http.post("/api/auth/logout");
-          console.log("[InsForge:Auth] signOut() - backend logout successful");
-        } catch (e) {
-          console.log("[InsForge:Auth] signOut() - backend logout failed (ignored):", e);
-        }
+      try {
+        await this.http.post("/api/auth/logout");
+      } catch {
       }
       this.tokenManager.clearSession();
       this.http.setAuthToken(null);
-      this.clearAuthenticatedCookie();
-      console.log("[InsForge:Auth] signOut() - completed");
+      clearAuthCookie();
+      clearCsrfToken();
       return { error: null };
     } catch (error) {
-      console.error("[InsForge:Auth] signOut() - error:", error);
       return {
         error: new InsForgeError(
           "Failed to sign out",
@@ -787,58 +704,6 @@ var Auth = class {
       };
     }
   }
-  /**
-   * Refresh the access token using the httpOnly refresh token cookie
-   * Only works when backend supports secure session storage (httpOnly cookies)
-   * 
-   * @returns New access token or throws an error
-   */
-  async refreshToken() {
-    console.log("[InsForge:Auth] refreshToken() called");
-    try {
-      const response = await this.http.post(
-        "/api/auth/refresh"
-      );
-      console.log("[InsForge:Auth] refreshToken() - response received, hasAccessToken:", !!response.accessToken);
-      if (response.accessToken) {
-        this._detectStorageFromResponse(response.sessionMode);
-        this.tokenManager.setAccessToken(response.accessToken);
-        this.http.setAuthToken(response.accessToken);
-        if (response.user) {
-          this.tokenManager.setUser(response.user);
-        }
-        console.log("[InsForge:Auth] refreshToken() - success");
-        return response.accessToken;
-      }
-      throw new InsForgeError(
-        "No access token in refresh response",
-        500,
-        "REFRESH_FAILED"
-      );
-    } catch (error) {
-      console.error("[InsForge:Auth] refreshToken() - error:", error);
-      if (error instanceof InsForgeError) {
-        if (error.statusCode === 404) {
-          console.log("[InsForge:Auth] refreshToken() - 404 detected, backend does not support refresh endpoint");
-          console.log("[InsForge:Auth] refreshToken() - switching to LocalSessionStorage for backward compatibility");
-          this._switchToLocalStorage();
-          this.clearAuthenticatedCookie();
-        }
-        if (error.statusCode === 401 || error.statusCode === 403) {
-          console.log("[InsForge:Auth] refreshToken() - clearing session due to 401/403");
-          this.tokenManager.clearSession();
-          this.http.setAuthToken(null);
-          this.clearAuthenticatedCookie();
-        }
-        throw error;
-      }
-      throw new InsForgeError(
-        "Token refresh failed",
-        500,
-        "REFRESH_FAILED"
-      );
-    }
-  }
   /**
    * Get all public authentication configuration (OAuth + Email)
    * Returns both OAuth providers and email authentication settings in one request
@@ -879,40 +744,19 @@ var Auth = class {
   /**
    * Get the current user with full profile information
    * Returns both auth info (id, email, role) and profile data (dynamic fields from users table)
-   * 
-   * In secure session mode (httpOnly cookie), this method will automatically attempt
-   * to refresh the session if no access token is available (e.g., after page reload).
    */
   async getCurrentUser() {
-    console.log("[InsForge:Auth] getCurrentUser() called");
     try {
-      let accessToken = this.tokenManager.getAccessToken();
-      const shouldRefresh = this.tokenManager.shouldAttemptRefresh();
-      console.log("[InsForge:Auth] getCurrentUser() - hasAccessToken:", !!accessToken, "shouldAttemptRefresh:", shouldRefresh);
-      if (!accessToken && shouldRefresh) {
-        console.log("[InsForge:Auth] getCurrentUser() - attempting refresh");
-        try {
-          accessToken = await this.refreshToken();
-        } catch (error) {
-          console.log("[InsForge:Auth] getCurrentUser() - refresh failed:", error);
-          if (error instanceof InsForgeError && (error.statusCode === 401 || error.statusCode === 403)) {
-            return { data: null, error };
-          }
-          return { data: null, error: error instanceof InsForgeError ? error : new InsForgeError("Token refresh failed", 500, "REFRESH_FAILED") };
-        }
-      }
-      if (!accessToken) {
-        console.log("[InsForge:Auth] getCurrentUser() - no access token, returning null");
+      const session = this.tokenManager.getSession();
+      if (!session?.accessToken) {
         return { data: null, error: null };
       }
-      this.http.setAuthToken(accessToken);
-      console.log("[InsForge:Auth] getCurrentUser() - fetching user from API");
+      this.http.setAuthToken(session.accessToken);
       const authResponse = await this.http.get("/api/auth/sessions/current");
       const { data: profile, error: profileError } = await this.database.from("users").select("*").eq("id", authResponse.user.id).single();
       if (profileError && profileError.code !== "PGRST116") {
         return { data: null, error: profileError };
       }
-      console.log("[InsForge:Auth] getCurrentUser() - success");
       return {
         data: {
           user: authResponse.user,
@@ -921,12 +765,8 @@ var Auth = class {
         error: null
       };
     } catch (error) {
-      console.error("[InsForge:Auth] getCurrentUser() - catch error:", error);
       if (error instanceof InsForgeError && error.statusCode === 401) {
-        console.log("[InsForge:Auth] getCurrentUser() - 401 error, clearing local session only (NOT calling signOut)");
-        this.tokenManager.clearSession();
-        this.http.setAuthToken(null);
-        this.clearAuthenticatedCookie();
+        await this.signOut();
         return { data: null, error: null };
       }
       if (error instanceof InsForgeError) {
@@ -1174,15 +1014,17 @@ var Auth = class {
         "/api/auth/email/verify",
         request
       );
-      const sessionMode = response.sessionMode;
-      this._detectStorageFromResponse(sessionMode);
-      if (response.accessToken) {
+      if (response.accessToken && !isHostedAuthEnvironment()) {
         const session = {
           accessToken: response.accessToken,
           user: response.user || {}
         };
         this.tokenManager.saveSession(session);
         this.http.setAuthToken(response.accessToken);
+        setAuthCookie();
+        if (response.csrfToken) {
+          setCsrfToken(response.csrfToken);
+        }
       }
       return {
         data: response,
@@ -1726,24 +1568,10 @@ var Functions = class {
 };
 
 // src/client.ts
-function hasAuthenticatedCookie() {
-  if (typeof document === "undefined") return false;
-  return document.cookie.split(";").some(
-    (c) => c.trim().startsWith(`${AUTH_FLAG_COOKIE}=`)
-  );
-}
 var InsForgeClient = class {
   constructor(config = {}) {
-    console.log("[InsForge:Client] Initializing SDK");
     this.http = new HttpClient(config);
     this.tokenManager = new TokenManager(config.storage);
-    const hasAuthCookie = hasAuthenticatedCookie();
-    console.log("[InsForge:Client] hasAuthenticatedCookie:", hasAuthCookie);
-    console.log("[InsForge:Client] document.cookie:", typeof document !== "undefined" ? document.cookie : "N/A (SSR)");
-    if (hasAuthCookie) {
-      console.log("[InsForge:Client] Switching to SecureSessionStorage");
-      this.tokenManager.setStrategy(new SecureSessionStorage());
-    }
     if (config.edgeFunctionToken) {
       this.http.setAuthToken(config.edgeFunctionToken);
       this.tokenManager.saveSession({
@@ -1752,32 +1580,15 @@ var InsForgeClient = class {
         // Will be populated by getCurrentUser()
       });
     }
-    this.http.setRefreshCallback(async () => {
-      console.log("[InsForge:Client] HTTP 401 refresh callback triggered");
-      try {
-        return await this.auth.refreshToken();
-      } catch (e) {
-        console.log("[InsForge:Client] Refresh callback failed:", e);
-        if (this.tokenManager.getStrategyId() === "secure") {
-          console.log("[InsForge:Client] Falling back to LocalSessionStorage");
-          this.auth._switchToLocalStorage();
-        }
-        return null;
-      }
-    });
     const existingSession = this.tokenManager.getSession();
-    console.log("[InsForge:Client] existingSession:", !!existingSession, "strategyId:", this.tokenManager.getStrategyId());
     if (existingSession?.accessToken) {
       this.http.setAuthToken(existingSession.accessToken);
-    } else if (this.tokenManager.getStrategyId() === "secure") {
-      console.log("[InsForge:Client] Secure mode, no session in memory - will refresh on first API call");
     }
     this.auth = new Auth(this.http, this.tokenManager);
     this.database = new Database(this.http, this.tokenManager);
     this.storage = new Storage(this.http);
     this.ai = new AI(this.http);
     this.functions = new Functions(this.http);
-    console.log("[InsForge:Client] SDK initialized");
   }
   /**
    * Get the underlying HTTP client for custom requests
@@ -1791,12 +1602,6 @@ var InsForgeClient = class {
   getHttpClient() {
     return this.http;
   }
-  /**
-   * Get the current storage strategy identifier
-   */
-  getStorageStrategy() {
-    return this.tokenManager.getStrategyId();
-  }
   /**
    * Future modules will be added here:
    * - database: Database operations
@@ -1821,8 +1626,6 @@ var index_default = InsForgeClient;
   HttpClient,
   InsForgeClient,
   InsForgeError,
-  LocalSessionStorage,
-  SecureSessionStorage,
   Storage,
   StorageBucket,
   TokenManager,