@insforge/sdk 1.1.2-pkce.0 → 1.1.2-pkce.1

package/dist/index.mjs

@@ -304,21 +304,12 @@ var TokenManager = class {
   }
 };
 
-// src/modules/auth.ts
-function isHostedAuthEnvironment() {
-  if (typeof window === "undefined") {
-    return false;
-  }
-  const { hostname, port, protocol } = window.location;
-  if (hostname === "localhost" && port === "7130") {
-    return true;
-  }
-  if (protocol === "https:" && hostname.endsWith(".insforge.app")) {
-    return true;
-  }
-  return false;
-}
+// src/modules/auth/helpers.ts
 var PKCE_VERIFIER_KEY = "insforge_pkce_verifier";
+function base64UrlEncode(buffer) {
+  const base64 = btoa(String.fromCharCode(...buffer));
+  return base64.replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
+}
 function generateCodeVerifier() {
   const array = new Uint8Array(32);
   crypto.getRandomValues(array);
@@ -330,10 +321,6 @@ async function generateCodeChallenge(verifier) {
   const hash = await crypto.subtle.digest("SHA-256", data);
   return base64UrlEncode(new Uint8Array(hash));
 }
-function base64UrlEncode(buffer) {
-  const base64 = btoa(String.fromCharCode(...buffer));
-  return base64.replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
-}
 function storePkceVerifier(verifier) {
   if (typeof sessionStorage !== "undefined") {
     sessionStorage.setItem(PKCE_VERIFIER_KEY, verifier);
@@ -349,6 +336,42 @@ function retrievePkceVerifier() {
   }
   return verifier;
 }
+function isHostedAuthEnvironment() {
+  if (typeof window === "undefined") {
+    return false;
+  }
+  const { hostname, port, protocol } = window.location;
+  if (hostname === "localhost" && port === "7130") {
+    return true;
+  }
+  if (protocol === "https:" && hostname.endsWith(".insforge.app")) {
+    return true;
+  }
+  return false;
+}
+function wrapError(error, fallbackMessage) {
+  if (error instanceof InsForgeError) {
+    return { data: null, error };
+  }
+  return {
+    data: null,
+    error: new InsForgeError(
+      error instanceof Error ? error.message : fallbackMessage,
+      500,
+      "UNEXPECTED_ERROR"
+    )
+  };
+}
+function cleanUrlParams(...params) {
+  if (typeof window === "undefined") {
+    return;
+  }
+  const url = new URL(window.location.href);
+  params.forEach((p) => url.searchParams.delete(p));
+  window.history.replaceState({}, document.title, url.toString());
+}
+
+// src/modules/auth/auth.ts
 var Auth = class {
   constructor(http, tokenManager) {
     this.http = http;
@@ -356,12 +379,31 @@ var Auth = class {
     this.authCallbackHandled = this.detectAuthCallback();
   }
   /**
-   * Automatically detect and handle OAuth callback parameters in the URL
-   * This runs after initialization to seamlessly complete the OAuth flow
-   *
-   * Supports two flows:
-   * - PKCE flow (new): Backend returns `insforge_code` param, exchanged for tokens
-   * - Legacy flow: Backend returns tokens directly in URL (backward compatible)
+   * Save session from API response
+   * Handles token storage, CSRF token, and HTTP client auth header
+   */
+  saveSessionFromResponse(response) {
+    if (isHostedAuthEnvironment() || !response.accessToken || !response.user) {
+      return false;
+    }
+    const session = {
+      accessToken: response.accessToken,
+      user: response.user
+    };
+    if (response.csrfToken) {
+      this.tokenManager.setMemoryMode();
+      setCsrfToken(response.csrfToken);
+    }
+    this.tokenManager.saveSession(session);
+    this.http.setAuthToken(response.accessToken);
+    return true;
+  }
+  // ============================================================================
+  // OAuth Callback Detection (runs on initialization)
+  // ============================================================================
+  /**
+   * Detect and handle OAuth callback parameters in URL
+   * Supports PKCE flow (insforge_code) and legacy flow (access_token in URL)
    */
   async detectAuthCallback() {
     if (typeof window === "undefined") return;
@@ -369,17 +411,13 @@ var Auth = class {
       const params = new URLSearchParams(window.location.search);
       const error = params.get("error");
       if (error) {
-        const url = new URL(window.location.href);
-        url.searchParams.delete("error");
-        window.history.replaceState({}, document.title, url.toString());
+        cleanUrlParams("error");
         console.debug("OAuth callback error:", error);
         return;
       }
       const code = params.get("insforge_code");
       if (code) {
-        const url = new URL(window.location.href);
-        url.searchParams.delete("insforge_code");
-        window.history.replaceState({}, document.title, url.toString());
+        cleanUrlParams("insforge_code");
         const { error: exchangeError } = await this.exchangeOAuthCode(code);
         if (exchangeError) {
           console.debug("OAuth code exchange failed:", exchangeError.message);
@@ -389,9 +427,9 @@ var Auth = class {
       const accessToken = params.get("access_token");
       const userId = params.get("user_id");
       const email = params.get("email");
-      const name = params.get("name");
-      const csrfToken = params.get("csrf_token");
       if (accessToken && userId && email) {
+        const csrfToken = params.get("csrf_token");
+        const name = params.get("name");
         if (csrfToken) {
           this.tokenManager.setMemoryMode();
           setCsrfToken(csrfToken);
@@ -410,93 +448,62 @@ var Auth = class {
         };
         this.tokenManager.saveSession(session);
         this.http.setAuthToken(accessToken);
-        const url = new URL(window.location.href);
-        url.searchParams.delete("access_token");
-        url.searchParams.delete("user_id");
-        url.searchParams.delete("email");
-        url.searchParams.delete("name");
-        url.searchParams.delete("csrf_token");
-        window.history.replaceState({}, document.title, url.toString());
+        cleanUrlParams("access_token", "user_id", "email", "name", "csrf_token");
       }
     } catch (error) {
       console.debug("OAuth callback detection skipped:", error);
     }
   }
-  /**
-   * Sign up a new user
-   */
+  // ============================================================================
+  // Sign Up / Sign In / Sign Out
+  // ============================================================================
   async signUp(request) {
     try {
-      const response = await this.http.post("/api/auth/users", request, { credentials: "include" });
-      if (response.accessToken && response.user && !isHostedAuthEnvironment()) {
-        const session = {
-          accessToken: response.accessToken,
-          user: response.user
-        };
-        if (response.csrfToken) {
-          this.tokenManager.setMemoryMode();
-          setCsrfToken(response.csrfToken);
-        }
-        this.tokenManager.saveSession(session);
-        this.http.setAuthToken(response.accessToken);
+      const response = await this.http.post(
+        "/api/auth/users",
+        request,
+        { credentials: "include" }
+      );
+      if (response.accessToken && response.user) {
+        this.saveSessionFromResponse(response);
       }
-      return {
-        data: response,
-        error: null
-      };
+      return { data: response, error: null };
     } catch (error) {
-      if (error instanceof InsForgeError) {
-        return { data: null, error };
-      }
-      return {
-        data: null,
-        error: new InsForgeError(
-          error instanceof Error ? error.message : "An unexpected error occurred during sign up",
-          500,
-          "UNEXPECTED_ERROR"
-        )
-      };
+      return wrapError(error, "An unexpected error occurred during sign up");
     }
   }
-  /**
-   * Sign in with email and password
-   */
   async signInWithPassword(request) {
     try {
-      const response = await this.http.post("/api/auth/sessions", request, { credentials: "include" });
-      if (!isHostedAuthEnvironment()) {
-        const session = {
-          accessToken: response.accessToken,
-          user: response.user
-        };
-        if (response.csrfToken) {
-          this.tokenManager.setMemoryMode();
-          setCsrfToken(response.csrfToken);
-        }
-        this.tokenManager.saveSession(session);
-        this.http.setAuthToken(response.accessToken);
-      }
-      return {
-        data: response,
-        error: null
-      };
+      const response = await this.http.post(
+        "/api/auth/sessions",
+        request,
+        { credentials: "include" }
+      );
+      this.saveSessionFromResponse(response);
+      return { data: response, error: null };
     } catch (error) {
-      if (error instanceof InsForgeError) {
-        return { data: null, error };
+      return wrapError(error, "An unexpected error occurred during sign in");
+    }
+  }
+  async signOut() {
+    try {
+      try {
+        await this.http.post("/api/auth/logout", void 0, { credentials: "include" });
+      } catch {
       }
-      return {
-        data: null,
-        error: new InsForgeError(
-          "An unexpected error occurred during sign in",
-          500,
-          "UNEXPECTED_ERROR"
-        )
-      };
+      this.tokenManager.clearSession();
+      this.http.setAuthToken(null);
+      clearCsrfToken();
+      return { error: null };
+    } catch {
+      return { error: new InsForgeError("Failed to sign out", 500, "SIGNOUT_ERROR") };
     }
   }
+  // ============================================================================
+  // OAuth Authentication
+  // ============================================================================
   /**
-   * Sign in with OAuth provider
-   * Uses PKCE (Proof Key for Code Exchange) for enhanced security
+   * Sign in with OAuth provider using PKCE flow
    */
   async signInWithOAuth(options) {
     try {
@@ -504,25 +511,18 @@ var Auth = class {
       const codeVerifier = generateCodeVerifier();
       const codeChallenge = await generateCodeChallenge(codeVerifier);
       storePkceVerifier(codeVerifier);
-      const params = {
-        code_challenge: codeChallenge
-      };
-      if (redirectTo) {
-        params.redirect_uri = redirectTo;
-      }
-      const endpoint = `/api/auth/oauth/${provider}`;
-      const response = await this.http.get(endpoint, { params });
+      const params = { code_challenge: codeChallenge };
+      if (redirectTo) params.redirect_uri = redirectTo;
+      const response = await this.http.get(
+        `/api/auth/oauth/${provider}`,
+        { params }
+      );
       if (typeof window !== "undefined" && !skipBrowserRedirect) {
         window.location.href = response.authUrl;
         return { data: {}, error: null };
       }
       return {
-        data: {
-          url: response.authUrl,
-          provider,
-          codeVerifier
-          // Return verifier for manual flow (skipBrowserRedirect)
-        },
+        data: { url: response.authUrl, provider, codeVerifier },
         error: null
       };
     } catch (error) {
@@ -541,30 +541,7 @@ var Auth = class {
   }
   /**
    * Exchange OAuth authorization code for tokens (PKCE flow)
-   *
-   * After OAuth callback redirects with an `insforge_code` parameter, call this method
-   * to exchange it for access tokens. The code verifier is automatically
-   * retrieved from sessionStorage if available.
-   *
-   * Note: This is called automatically by the SDK on initialization. You typically
-   * don't need to call this directly unless using `skipBrowserRedirect: true`.
-   *
-   * @param code - The authorization code from OAuth callback URL
-   * @param codeVerifier - Optional code verifier (auto-retrieved from sessionStorage if not provided)
-   * @returns Session data with access token and user info
-   *
-   * @example
-   * ```ts
-   * // Automatic verifier retrieval (recommended for browser)
-   * const params = new URLSearchParams(window.location.search);
-   * const code = params.get('insforge_code');
-   * if (code) {
-   *   const { data, error } = await insforge.auth.exchangeOAuthCode(code);
-   * }
-   *
-   * // Manual verifier (for custom flows)
-   * const { data, error } = await insforge.auth.exchangeOAuthCode(code, codeVerifier);
-   * ```
+   * Called automatically on initialization when insforge_code is in URL
    */
   async exchangeOAuthCode(code, codeVerifier) {
     try {
@@ -579,23 +556,9 @@ var Auth = class {
           )
         };
       }
-      const request = {
-        code,
-        code_verifier: verifier
-      };
+      const request = { code, code_verifier: verifier };
       const response = await this.http.post("/api/auth/oauth/exchange", request, { credentials: "include" });
-      if (!isHostedAuthEnvironment()) {
-        const session = {
-          accessToken: response.accessToken,
-          user: response.user
-        };
-        if (response.csrfToken) {
-          this.tokenManager.setMemoryMode();
-          setCsrfToken(response.csrfToken);
-        }
-        this.tokenManager.saveSession(session);
-        this.http.setAuthToken(response.accessToken);
-      }
+      this.saveSessionFromResponse(response);
       return {
         data: {
           accessToken: response.accessToken,
@@ -605,108 +568,14 @@ var Auth = class {
         error: null
       };
     } catch (error) {
-      if (error instanceof InsForgeError) {
-        return { data: null, error };
-      }
-      return {
-        data: null,
-        error: new InsForgeError(
-          "An unexpected error occurred during OAuth code exchange",
-          500,
-          "UNEXPECTED_ERROR"
-        )
-      };
+      return wrapError(error, "An unexpected error occurred during OAuth code exchange");
     }
   }
+  // ============================================================================
+  // Session Management
+  // ============================================================================
   /**
-   * Sign out the current user
-   */
-  async signOut() {
-    try {
-      try {
-        await this.http.post("/api/auth/logout", void 0, { credentials: "include" });
-      } catch {
-      }
-      this.tokenManager.clearSession();
-      this.http.setAuthToken(null);
-      clearCsrfToken();
-      return { error: null };
-    } catch (error) {
-      return {
-        error: new InsForgeError(
-          "Failed to sign out",
-          500,
-          "SIGNOUT_ERROR"
-        )
-      };
-    }
-  }
-  /**
-   * Get all public authentication configuration (OAuth + Email)
-   * Returns both OAuth providers and email authentication settings in one request
-   * This is a public endpoint that doesn't require authentication
-   * 
-   * @returns Complete public authentication configuration including OAuth providers and email auth settings
-   * 
-   * @example
-   * ```ts
-   * const { data, error } = await insforge.auth.getPublicAuthConfig();
-   * if (data) {
-   *   console.log(`OAuth providers: ${data.oauth.data.length}`);
-   *   console.log(`Password min length: ${data.email.passwordMinLength}`);
-   * }
-   * ```
-   */
-  async getPublicAuthConfig() {
-    try {
-      const response = await this.http.get("/api/auth/public-config");
-      return {
-        data: response,
-        error: null
-      };
-    } catch (error) {
-      if (error instanceof InsForgeError) {
-        return { data: null, error };
-      }
-      return {
-        data: null,
-        error: new InsForgeError(
-          "An unexpected error occurred while fetching public authentication configuration",
-          500,
-          "UNEXPECTED_ERROR"
-        )
-      };
-    }
-  }
-  /**
-   * Get any user's profile by ID
-   * Returns profile information from the users table
-   */
-  async getProfile(userId) {
-    try {
-      const response = await this.http.get(`/api/auth/profiles/${userId}`);
-      return {
-        data: response,
-        error: null
-      };
-    } catch (error) {
-      if (error instanceof InsForgeError) {
-        return { data: null, error };
-      }
-      return {
-        data: null,
-        error: new InsForgeError(
-          "An unexpected error occurred while fetching user profile",
-          500,
-          "UNEXPECTED_ERROR"
-        )
-      };
-    }
-  }
-  /**
-   * Get the current session (only session data, no API call)
-   * Returns the stored JWT token and basic user info from local storage
-   * Automatically waits for any pending OAuth callback to complete first
+   * Get current session, automatically waits for pending OAuth callback
    */
   async getCurrentSession() {
     await this.authCallbackHandled;
@@ -722,38 +591,24 @@ var Auth = class {
       if (typeof window !== "undefined") {
         try {
           const csrfToken = getCsrfToken();
-          const response = await this.http.post(
-            "/api/auth/refresh",
-            void 0,
-            {
-              headers: csrfToken ? { "X-CSRF-Token": csrfToken } : {},
-              credentials: "include"
-            }
-          );
+          const response = await this.http.post("/api/auth/refresh", void 0, {
+            headers: csrfToken ? { "X-CSRF-Token": csrfToken } : {},
+            credentials: "include"
+          });
           if (response.accessToken) {
             this.tokenManager.setMemoryMode();
             this.tokenManager.setAccessToken(response.accessToken);
             this.http.setAuthToken(response.accessToken);
-            if (response.user) {
-              this.tokenManager.setUser(response.user);
-            }
-            if (response.csrfToken) {
-              setCsrfToken(response.csrfToken);
-            }
-            return {
-              data: { session: this.tokenManager.getSession() },
-              error: null
-            };
+            if (response.user) this.tokenManager.setUser(response.user);
+            if (response.csrfToken) setCsrfToken(response.csrfToken);
+            return { data: { session: this.tokenManager.getSession() }, error: null };
           }
         } catch (error) {
           if (error instanceof InsForgeError) {
             if (error.statusCode === 404) {
               this.tokenManager.setStorageMode();
               const session2 = this.tokenManager.getSession();
-              if (session2) {
-                return { data: { session: session2 }, error: null };
-              }
-              return { data: { session: null }, error: null };
+              return { data: { session: session2 }, error: null };
             }
             return { data: { session: null }, error };
           }
@@ -774,11 +629,17 @@ var Auth = class {
       };
     }
   }
-  /**
-   * Set/Update the current user's profile
-   * Updates profile information in the users table (supports any dynamic fields)
-   * Requires authentication
-   */
+  // ============================================================================
+  // Profile Management
+  // ============================================================================
+  async getProfile(userId) {
+    try {
+      const response = await this.http.get(`/api/auth/profiles/${userId}`);
+      return { data: response, error: null };
+    } catch (error) {
+      return wrapError(error, "An unexpected error occurred while fetching user profile");
+    }
+  }
   async setProfile(profile) {
     try {
       const response = await this.http.patch(
@@ -787,217 +648,89 @@ var Auth = class {
       );
       const currentUser = this.tokenManager.getUser();
       if (currentUser && response.profile !== void 0) {
-        this.tokenManager.setUser({
-          ...currentUser,
-          profile: response.profile
-        });
+        this.tokenManager.setUser({ ...currentUser, profile: response.profile });
       }
-      return {
-        data: response,
-        error: null
-      };
+      return { data: response, error: null };
     } catch (error) {
-      if (error instanceof InsForgeError) {
-        return { data: null, error };
-      }
-      return {
-        data: null,
-        error: new InsForgeError(
-          "An unexpected error occurred while updating user profile",
-          500,
-          "UNEXPECTED_ERROR"
-        )
-      };
+      return wrapError(error, "An unexpected error occurred while updating user profile");
     }
   }
-  /**
-   * Resend email verification (code or link based on config)
-   *
-   * Resend email verification when the previous OTP has expired or was not received.
-   * Uses the method configured in auth settings (verifyEmailMethod).
-   * When method is 'code', sends a 6-digit numeric code. When method is 'link', sends a magic link.
-   * Prevents user enumeration by returning success even if email doesn't exist.
-   */
+  // ============================================================================
+  // Email Verification
+  // ============================================================================
   async resendVerificationEmail(request) {
     try {
       const response = await this.http.post(
         "/api/auth/email/send-verification",
         request
       );
-      return {
-        data: response,
-        error: null
-      };
+      return { data: response, error: null };
     } catch (error) {
-      if (error instanceof InsForgeError) {
-        return { data: null, error };
-      }
-      return {
-        data: null,
-        error: new InsForgeError(
-          "An unexpected error occurred while sending verification code",
-          500,
-          "UNEXPECTED_ERROR"
-        )
-      };
+      return wrapError(error, "An unexpected error occurred while sending verification code");
     }
   }
-  /**
-   * @deprecated Use `resendVerificationEmail` instead. This method will be removed in a future version.
-   */
+  /** @deprecated Use `resendVerificationEmail` instead */
   async sendVerificationEmail(request) {
     return this.resendVerificationEmail(request);
   }
-  /**
-   * Send password reset (code or link based on config)
-   *
-   * Send password reset email using the method configured in auth settings (resetPasswordMethod).
-   * When method is 'code', sends a 6-digit numeric code for two-step flow.
-   * When method is 'link', sends a magic link.
-   * Prevents user enumeration by returning success even if email doesn't exist.
-   */
+  async verifyEmail(request) {
+    try {
+      const response = await this.http.post(
+        "/api/auth/email/verify",
+        request,
+        { credentials: "include" }
+      );
+      this.saveSessionFromResponse(response);
+      return { data: response, error: null };
+    } catch (error) {
+      return wrapError(error, "An unexpected error occurred while verifying email");
+    }
+  }
+  // ============================================================================
+  // Password Reset
+  // ============================================================================
   async sendResetPasswordEmail(request) {
     try {
       const response = await this.http.post(
         "/api/auth/email/send-reset-password",
         request
       );
-      return {
-        data: response,
-        error: null
-      };
+      return { data: response, error: null };
     } catch (error) {
-      if (error instanceof InsForgeError) {
-        return { data: null, error };
-      }
-      return {
-        data: null,
-        error: new InsForgeError(
-          "An unexpected error occurred while sending password reset code",
-          500,
-          "UNEXPECTED_ERROR"
-        )
-      };
+      return wrapError(error, "An unexpected error occurred while sending password reset code");
     }
   }
-  /**
-   * Exchange reset password code for reset token
-   *
-   * Step 1 of two-step password reset flow (only used when resetPasswordMethod is 'code'):
-   * 1. Verify the 6-digit code sent to user's email
-   * 2. Return a reset token that can be used to actually reset the password
-   *
-   * This endpoint is not used when resetPasswordMethod is 'link' (magic link flow is direct).
-   */
   async exchangeResetPasswordToken(request) {
     try {
       const response = await this.http.post(
         "/api/auth/email/exchange-reset-password-token",
         request
       );
-      return {
-        data: response,
-        error: null
-      };
+      return { data: response, error: null };
     } catch (error) {
-      if (error instanceof InsForgeError) {
-        return { data: null, error };
-      }
-      return {
-        data: null,
-        error: new InsForgeError(
-          "An unexpected error occurred while verifying reset code",
-          500,
-          "UNEXPECTED_ERROR"
-        )
-      };
+      return wrapError(error, "An unexpected error occurred while verifying reset code");
     }
   }
-  /**
-   * Reset password with token
-   *
-   * Reset user password with a token. The token can be:
-   * - Magic link token (64-character hex token from send-reset-password when method is 'link')
-   * - Reset token (from exchange-reset-password-token after code verification when method is 'code')
-   *
-   * Both token types use RESET_PASSWORD purpose and are verified the same way.
-   *
-   * Flow summary:
-   * - Code method: send-reset-password → exchange-reset-password-token → reset-password (with resetToken)
-   * - Link method: send-reset-password → reset-password (with link token directly)
-   */
   async resetPassword(request) {
     try {
       const response = await this.http.post(
         "/api/auth/email/reset-password",
         request
       );
-      return {
-        data: response,
-        error: null
-      };
+      return { data: response, error: null };
     } catch (error) {
-      if (error instanceof InsForgeError) {
-        return { data: null, error };
-      }
-      return {
-        data: null,
-        error: new InsForgeError(
-          "An unexpected error occurred while resetting password",
-          500,
-          "UNEXPECTED_ERROR"
-        )
-      };
+      return wrapError(error, "An unexpected error occurred while resetting password");
     }
   }
-  /**
-   * Verify email with code or link
-   *
-   * Verify email address using the method configured in auth settings (verifyEmailMethod):
-   * - Code verification: Provide both `email` and `otp` (6-digit numeric code)
-   * - Link verification: Provide only `otp` (64-character hex token from magic link)
-   *
-   * Successfully verified users will receive a session token.
-   *
-   * The email verification link sent to users always points to the backend API endpoint.
-   * If `verifyEmailRedirectTo` is configured, the backend will redirect to that URL after successful verification.
-   * Otherwise, a default success page is displayed.
-   */
-  async verifyEmail(request) {
+  // ============================================================================
+  // Configuration
+  // ============================================================================
+  async getPublicAuthConfig() {
     try {
-      const response = await this.http.post(
-        "/api/auth/email/verify",
-        request,
-        { credentials: "include" }
-      );
-      if (!isHostedAuthEnvironment()) {
-        const session = {
-          accessToken: response.accessToken,
-          user: response.user
-        };
-        if (response.csrfToken) {
-          this.tokenManager.setMemoryMode();
-          setCsrfToken(response.csrfToken);
-        }
-        this.tokenManager.saveSession(session);
-        this.http.setAuthToken(response.accessToken);
-      }
-      return {
-        data: response,
-        error: null
-      };
+      const response = await this.http.get("/api/auth/public-config");
+      return { data: response, error: null };
     } catch (error) {
-      if (error instanceof InsForgeError) {
-        return { data: null, error };
-      }
-      return {
-        data: null,
-        error: new InsForgeError(
-          "An unexpected error occurred while verifying email",
-          500,
-          "UNEXPECTED_ERROR"
-        )
-      };
+      return wrapError(error, "An unexpected error occurred while fetching auth configuration");
     }
   }
 };