@iqauth/sdk 2.6.3 → 2.6.4

package/dist/browser.mjs

@@ -20,21 +20,23 @@ import {
   signInWithPasskey,
   unlinkProvider,
   verifyMagicLink
-} from "./chunk-76W5TLQQ.mjs";
+} from "./chunk-XAWYUPMO.mjs";
 import {
   REFRESH_COOKIE,
   buildSignInUrl,
   clearCookie,
-  createPkcePair,
   getCookie,
   handleAuthCallback,
-  randomUrlSafe,
   redirectToSignIn,
-  s256Challenge,
   setCookie,
   signIn,
   signOut
-} from "./chunk-TKZTCPEK.mjs";
+} from "./chunk-DJIBN2N7.mjs";
+import {
+  createPkcePair,
+  randomUrlSafe,
+  s256Challenge
+} from "./chunk-C2ZTBOAC.mjs";
 import {
   encodePublishableKey,
   isPublishableKey,

package/dist/chunk-C2ZTBOAC.mjs

@@ -0,0 +1,36 @@
+// src/browser/pkce.ts
+function getCrypto() {
+  if (typeof globalThis !== "undefined" && globalThis.crypto) {
+    return globalThis.crypto;
+  }
+  throw new Error("WebCrypto is not available in this environment");
+}
+function base64UrlEncode(bytes) {
+  let bin = "";
+  for (let i = 0; i < bytes.length; i++) bin += String.fromCharCode(bytes[i]);
+  const b64 = typeof btoa === "function" ? btoa(bin) : Buffer.from(bin, "binary").toString("base64");
+  return b64.replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/g, "");
+}
+function randomUrlSafe(byteLength = 32) {
+  const bytes = new Uint8Array(byteLength);
+  getCrypto().getRandomValues(bytes);
+  return base64UrlEncode(bytes);
+}
+async function s256Challenge(verifier) {
+  const data = new TextEncoder().encode(verifier);
+  const digest = await getCrypto().subtle.digest("SHA-256", data);
+  return base64UrlEncode(new Uint8Array(digest));
+}
+async function createPkcePair() {
+  const codeVerifier = randomUrlSafe(32);
+  const codeChallenge = await s256Challenge(codeVerifier);
+  const state = randomUrlSafe(16);
+  const nonce = randomUrlSafe(16);
+  return { codeVerifier, codeChallenge, state, nonce };
+}
+
+export {
+  randomUrlSafe,
+  s256Challenge,
+  createPkcePair
+};

package/dist/{chunk-TKZTCPEK.mjs → chunk-DJIBN2N7.mjs}

@@ -1,33 +1,6 @@
-// src/browser/pkce.ts
-function getCrypto() {
-  if (typeof globalThis !== "undefined" && globalThis.crypto) {
-    return globalThis.crypto;
-  }
-  throw new Error("WebCrypto is not available in this environment");
-}
-function base64UrlEncode(bytes) {
-  let bin = "";
-  for (let i = 0; i < bytes.length; i++) bin += String.fromCharCode(bytes[i]);
-  const b64 = typeof btoa === "function" ? btoa(bin) : Buffer.from(bin, "binary").toString("base64");
-  return b64.replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/g, "");
-}
-function randomUrlSafe(byteLength = 32) {
-  const bytes = new Uint8Array(byteLength);
-  getCrypto().getRandomValues(bytes);
-  return base64UrlEncode(bytes);
-}
-async function s256Challenge(verifier) {
-  const data = new TextEncoder().encode(verifier);
-  const digest = await getCrypto().subtle.digest("SHA-256", data);
-  return base64UrlEncode(new Uint8Array(digest));
-}
-async function createPkcePair() {
-  const codeVerifier = randomUrlSafe(32);
-  const codeChallenge = await s256Challenge(codeVerifier);
-  const state = randomUrlSafe(16);
-  const nonce = randomUrlSafe(16);
-  return { codeVerifier, codeChallenge, state, nonce };
-}
+import {
+  createPkcePair
+} from "./chunk-C2ZTBOAC.mjs";
 
 // src/browser/storage.ts
 var REFRESH_COOKIE = "iqauth_rt";
@@ -221,9 +194,6 @@ export {
   setCookie,
   getCookie,
   clearCookie,
-  randomUrlSafe,
-  s256Challenge,
-  createPkcePair,
   buildSignInUrl,
   redirectToSignIn,
   signIn,

package/dist/{chunk-76W5TLQQ.mjs → chunk-XAWYUPMO.mjs}

@@ -3,7 +3,7 @@ import {
   clearCookie,
   getCookie,
   setCookie
-} from "./chunk-TKZTCPEK.mjs";
+} from "./chunk-DJIBN2N7.mjs";
 import {
   assertPublishableKey
 } from "./chunk-WQWBJSSS.mjs";

package/dist/pkce-7WKV4OIN.mjs

@@ -0,0 +1,11 @@
+import {
+  createPkcePair,
+  randomUrlSafe,
+  s256Challenge
+} from "./chunk-C2ZTBOAC.mjs";
+import "./chunk-Y6FXYEAI.mjs";
+export {
+  createPkcePair,
+  randomUrlSafe,
+  s256Challenge
+};

package/dist/react.js

@@ -104,6 +104,12 @@ var init_storage = __esm({
 });
 
 // src/browser/pkce.ts
+var pkce_exports = {};
+__export(pkce_exports, {
+  createPkcePair: () => createPkcePair,
+  randomUrlSafe: () => randomUrlSafe,
+  s256Challenge: () => s256Challenge
+});
 function getCrypto() {
   if (typeof globalThis !== "undefined" && globalThis.crypto) {
     return globalThis.crypto;
@@ -2934,13 +2940,34 @@ function SignIn(props) {
     if (!handlePayload(payload)) setFormError(localizeError(localeBundle, { code: payload.error, message: payload.error_description }));
     setSubmitting(false);
   };
-  const startGoogleLogin = () => {
+  const startGoogleLogin = async () => {
     if (!ctx?.app.defaultClientId) {
       setFormError("Application is not configured for hosted sign-in.");
       return;
     }
-    const bridgeUrl = window.location.href;
-    const url2 = `${iqAuthBaseUrl.replace(/\/$/, "")}/api/v1/auth/google?redirect_uri=${encodeURIComponent(bridgeUrl)}&client_id=${encodeURIComponent(ctx.app.defaultClientId)}`;
+    let pkce;
+    try {
+      const mod = await Promise.resolve().then(() => (init_pkce(), pkce_exports));
+      pkce = await mod.createPkcePair();
+    } catch (err) {
+      setFormError(err.message || "Unable to initialize Google sign-in");
+      return;
+    }
+    if (typeof document !== "undefined") {
+      const cookieAttrs = "; path=/; SameSite=Lax" + (window.location.protocol === "https:" ? "; Secure" : "");
+      document.cookie = `iqauth_pkce=${pkce.codeVerifier}${cookieAttrs}`;
+      document.cookie = `iqauth_state=${pkce.state}${cookieAttrs}`;
+    }
+    const params = new URLSearchParams({
+      redirect_uri: returnTo,
+      client_id: ctx.app.defaultClientId,
+      state: pkce.state,
+      nonce: pkce.nonce,
+      code_challenge: pkce.codeChallenge,
+      code_challenge_method: "S256",
+      scope: "openid profile email"
+    });
+    const url2 = `${iqAuthBaseUrl.replace(/\/$/, "")}/api/v1/auth/google?${params.toString()}`;
     window.location.href = url2;
   };
   (0, import_react.useEffect)(() => {

package/dist/react.mjs

@@ -9,13 +9,14 @@ import {
   requestMagicLink,
   signInWithPasskey,
   unlinkProvider
-} from "./chunk-76W5TLQQ.mjs";
+} from "./chunk-XAWYUPMO.mjs";
 import {
   handleAuthCallback,
   redirectToSignIn,
   signIn,
   signOut
-} from "./chunk-TKZTCPEK.mjs";
+} from "./chunk-DJIBN2N7.mjs";
+import "./chunk-C2ZTBOAC.mjs";
 import "./chunk-WQWBJSSS.mjs";
 import {
   defaultBundle,
@@ -1189,13 +1190,34 @@ function SignIn(props) {
     if (!handlePayload(payload)) setFormError(localizeError(localeBundle, { code: payload.error, message: payload.error_description }));
     setSubmitting(false);
   };
-  const startGoogleLogin = () => {
+  const startGoogleLogin = async () => {
     if (!ctx?.app.defaultClientId) {
       setFormError("Application is not configured for hosted sign-in.");
       return;
     }
-    const bridgeUrl = window.location.href;
-    const url = `${iqAuthBaseUrl.replace(/\/$/, "")}/api/v1/auth/google?redirect_uri=${encodeURIComponent(bridgeUrl)}&client_id=${encodeURIComponent(ctx.app.defaultClientId)}`;
+    let pkce;
+    try {
+      const mod = await import("./pkce-7WKV4OIN.mjs");
+      pkce = await mod.createPkcePair();
+    } catch (err) {
+      setFormError(err.message || "Unable to initialize Google sign-in");
+      return;
+    }
+    if (typeof document !== "undefined") {
+      const cookieAttrs = "; path=/; SameSite=Lax" + (window.location.protocol === "https:" ? "; Secure" : "");
+      document.cookie = `iqauth_pkce=${pkce.codeVerifier}${cookieAttrs}`;
+      document.cookie = `iqauth_state=${pkce.state}${cookieAttrs}`;
+    }
+    const params = new URLSearchParams({
+      redirect_uri: returnTo,
+      client_id: ctx.app.defaultClientId,
+      state: pkce.state,
+      nonce: pkce.nonce,
+      code_challenge: pkce.codeChallenge,
+      code_challenge_method: "S256",
+      scope: "openid profile email"
+    });
+    const url = `${iqAuthBaseUrl.replace(/\/$/, "")}/api/v1/auth/google?${params.toString()}`;
     window.location.href = url;
   };
   useEffect(() => {
@@ -1708,7 +1730,7 @@ function ImpersonationBanner({ render, onExit, className, style } = {}) {
     const { exitImpersonation } = await import("./reverify-4UEJXUS6.mjs");
     const restored = exitImpersonation(manager);
     if (restored) return;
-    const { signOut: signOut2 } = await import("./signIn-CCY4JE5G.mjs");
+    const { signOut: signOut2 } = await import("./signIn-4OKLDEIH.mjs");
     await signOut2(manager);
   }, [manager, onExit]);
   if (!info.isImpersonating) return null;

package/dist/{signIn-CCY4JE5G.mjs → signIn-4OKLDEIH.mjs}

@@ -4,7 +4,8 @@ import {
   redirectToSignIn,
   signIn,
   signOut
-} from "./chunk-TKZTCPEK.mjs";
+} from "./chunk-DJIBN2N7.mjs";
+import "./chunk-C2ZTBOAC.mjs";
 import "./chunk-Y6FXYEAI.mjs";
 export {
   buildSignInUrl,

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@iqauth/sdk",
-  "version": "2.6.3",
+  "version": "2.6.4",
   "description": "TypeScript SDK for IQAuth — the canonical way for all IQ projects to integrate with IQAuthService",
   "main": "dist/index.js",
   "module": "dist/index.mjs",