@kedaruma/revlm-client 1.0.60 → 1.0.63

package/README.md

@@ -17,8 +17,14 @@ The package ships both CJS and ESM bundles plus typings (`types` and `exports` a
 ```ts
 import { Revlm } from '@kedaruma/revlm-client';
 
-const revlm = new Revlm({ baseUrl: 'https://your-server.example.com' });
-const login = await revlm.login({ authId: 'user', password: 'secret' });
+const randomBytes = (length: number) => {
+  const out = new Uint8Array(length);
+  crypto.getRandomValues(out);
+  return out;
+};
+
+const revlm = new Revlm('https://your-server.example.com', { randomBytes });
+const login = await revlm.login('user', 'secret');
 const db = revlm.db('db_name');
 const coll = db.collection<any>('collection_name');
 const all = await coll.find({});

package/dist/{chunk-367MFQ4K.mjs → chunk-OBJS4AOD.mjs}

@@ -8,7 +8,7 @@ var require_package = __commonJS({
   "package.json"(exports, module) {
     module.exports = {
       name: "@kedaruma/revlm-client",
-      version: "1.0.60",
+      version: "1.0.63",
       private: false,
       description: "TypeScript client SDK for talking to the Revlm server replacement for MongoDB Realm.",
       keywords: [
@@ -69,7 +69,7 @@ var require_package = __commonJS({
         test: "NODE_OPTIONS=--experimental-vm-modules pnpm exec jest --config ../../jest.config.cjs packages/revlm-client/src/__tests__/ --runInBand --watchman=false --verbose"
       },
       dependencies: {
-        "@kedaruma/revlm-shared": "workspace:*",
+        "@kedaruma/revlm-shared": "latest",
         bson: "^6.10.4",
         dotenv: "^17.2.3"
       },
@@ -83,6 +83,7 @@ var require_package = __commonJS({
 // src/Revlm.ts
 import { EJSON } from "bson";
 import { AuthClient } from "@kedaruma/revlm-shared";
+import { initRandomBytes } from "@kedaruma/revlm-shared/random-bytes";
 
 // src/MdbCollection.ts
 var MdbCollection = class {
@@ -190,6 +191,36 @@ var LOG_LEVEL_RANK = {
   debug: 3
 };
 var SESSION_HEADER_NAME = "x-revlm-session-id";
+var STATE_STORE_KEYS = {
+  refreshSecret: "refreshSecret"
+};
+var randomBytesInitAttempted = false;
+function resolvePlatformRandomBytes() {
+  const cryptoLike = globalThis?.crypto;
+  if (cryptoLike && typeof cryptoLike.getRandomValues === "function") {
+    return (length) => {
+      const out = new Uint8Array(length);
+      cryptoLike.getRandomValues(out);
+      return out;
+    };
+  }
+  try {
+    const nodeCrypto = __require("crypto");
+    if (typeof nodeCrypto?.randomBytes === "function") {
+      return (length) => new Uint8Array(nodeCrypto.randomBytes(length));
+    }
+  } catch {
+  }
+  return void 0;
+}
+function ensureRandomBytesInitialized() {
+  if (randomBytesInitAttempted) return;
+  randomBytesInitAttempted = true;
+  const platformRandomBytes = resolvePlatformRandomBytes();
+  if (platformRandomBytes) {
+    initRandomBytes(platformRandomBytes);
+  }
+}
 function normalizeLogLevel(value) {
   if (!value) return "info";
   const lowered = value.toLowerCase();
@@ -234,6 +265,14 @@ function getRevlmClientVersion() {
   const globalVersion = globalThis?.REVLM_CLIENT_VERSION;
   return typeof globalVersion === "string" ? globalVersion : "unknown";
 }
+function resolveFetchImpl(fetchImpl) {
+  if (fetchImpl) return fetchImpl;
+  const globalFetch = globalThis?.fetch;
+  if (typeof globalFetch === "function") {
+    return globalFetch.bind(globalThis);
+  }
+  throw new Error("No fetch implementation available. Provide fetchImpl in options or run in Node 18+ with global fetch.");
+}
 var Revlm = class {
   baseUrl;
   fetchImpl;
@@ -249,11 +288,14 @@ var Revlm = class {
   refreshPromise;
   sessionId;
   sessionIdProvider;
-  cookieStore;
+  refreshSecret;
+  refreshMode = "unknown";
+  stateStore;
   constructor(baseUrl, opts = {}) {
     if (!baseUrl) throw new Error("baseUrl is required");
+    ensureRandomBytesInitialized();
     this.baseUrl = baseUrl.replace(/\/$/, "");
-    this.fetchImpl = opts.fetchImpl || (typeof fetch !== "undefined" ? fetch : void 0);
+    this.fetchImpl = resolveFetchImpl(opts.fetchImpl);
     this.defaultHeaders = opts.defaultHeaders || {};
     this.provisionalEnabled = opts.provisionalEnabled || false;
     this.provisionalAuthSecretMaster = opts.provisionalAuthSecretMaster || "";
@@ -263,10 +305,7 @@ var Revlm = class {
     this.logLevel = normalizeLogLevel(opts.logLevel);
     this.sessionId = opts.sessionId;
     this.sessionIdProvider = opts.sessionIdProvider;
-    this.cookieStore = opts.cookieStore;
-    if (!this.fetchImpl) {
-      throw new Error("No fetch implementation available. Provide fetchImpl in options or run in Node 18+ with global fetch.");
-    }
+    this.stateStore = opts.stateStore;
     this.logInfo("\u{1F680} Revlm Client Init", {
       version: getRevlmClientVersion(),
       baseUrl: this.baseUrl,
@@ -292,18 +331,33 @@ var Revlm = class {
     this.sessionId = generateSessionId();
     return this.sessionId;
   }
-  async applyCookieStore(headers, url) {
-    const existing = headers.cookie || headers.Cookie;
-    if (!this.cookieStore || existing) return;
-    const cookieHeader = await this.cookieStore.getCookieHeader(url);
-    if (cookieHeader) headers.cookie = cookieHeader;
+  normalizeCookieValue(value) {
+    if (!value) return void 0;
+    return value.replace(/^"+|"+$/g, "");
   }
-  async storeSetCookies(res, url) {
-    if (!this.cookieStore) return;
+  async updateRefreshSecretFromResponse(res) {
     const setCookies = getSetCookieHeaders(res);
     if (!setCookies.length) return;
     for (const setCookie of setCookies) {
-      await this.cookieStore.setCookie(url, setCookie);
+      const match = setCookie.match(/revlm_refresh=([^;]+)/);
+      if (match && match[1]) {
+        const normalized = this.normalizeCookieValue(match[1]);
+        this.refreshSecret = normalized;
+        if (this.stateStore && normalized) {
+          await this.stateStore.set(STATE_STORE_KEYS.refreshSecret, normalized);
+        }
+      }
+    }
+  }
+  async ensureRefreshSecretLoaded() {
+    if (this.refreshSecret || !this.stateStore) return;
+    const stored = await this.stateStore.get(STATE_STORE_KEYS.refreshSecret);
+    if (stored) this.refreshSecret = stored;
+  }
+  async clearRefreshSecret() {
+    this.refreshSecret = void 0;
+    if (this.stateStore) {
+      await this.stateStore.remove(STATE_STORE_KEYS.refreshSecret);
     }
   }
   canLog(level) {
@@ -326,11 +380,6 @@ var Revlm = class {
     if (value.length <= head + tail) return value;
     return `${value.slice(0, head)}***${value.slice(-tail)}`;
   }
-  extractRefreshSecret(cookieHeader) {
-    if (!cookieHeader) return void 0;
-    const match = cookieHeader.match(/(?:^|;\\s*)revlm_refresh=([^;]+)/);
-    return match?.[1];
-  }
   logRefreshFailureClient(params) {
     const recoverable = typeof params.code === "number" ? params.code >= 1e4 && params.code < 2e4 : params.status === 400 || params.status === 401;
     const line1 = `[refresh-token][${recoverable ? "debug" : "error"}][${recoverable ? "recoverable" : "fatal"}] cause=${params.cause}`;
@@ -461,7 +510,12 @@ var Revlm = class {
     const headers = this.makeHeaders(hasBody);
     const sessionId = await this.resolveSessionId();
     if (sessionId) headers[SESSION_HEADER_NAME] = sessionId;
-    await this.applyCookieStore(headers, url);
+    if (url.includes("/refresh-token") && this.refreshMode === "header") {
+      await this.ensureRefreshSecretLoaded();
+      if (this.refreshSecret) {
+        headers["x-revlm-refresh"] = this.refreshSecret;
+      }
+    }
     let serializedBody;
     if (hasBody) {
       serializedBody = EJSON.stringify(body);
@@ -471,9 +525,10 @@ var Revlm = class {
       const res = await this.fetchImpl(signedUrl, {
         method,
         headers: signedHeaders,
-        body: serializedBody
+        body: serializedBody,
+        credentials: url.includes("/refresh-token") && this.refreshMode === "header" ? "omit" : "include"
       });
-      await this.storeSetCookies(res, signedUrl);
+      await this.updateRefreshSecretFromResponse(res);
       const parsed = await this.parseResponse(res);
       const out = parsed && typeof parsed === "object" ? parsed : { ok: res.ok, result: parsed };
       out.status = res.status;
@@ -494,9 +549,7 @@ var Revlm = class {
             code: refreshRes.code
           };
           this.logDebug("### refresh failed:", refreshFailed, JSON.stringify(refreshFailed));
-          const refreshUrl = `${this.baseUrl}/refresh-token`;
-          const cookieHeader = await this.cookieStore?.getCookieHeader?.(refreshUrl);
-          const refreshSecret = this.extractRefreshSecret(cookieHeader);
+          const refreshSecret = this.refreshSecret;
           const refreshFailureLog = {
             cause: refreshRes.reason || "refresh_failed",
             reason: refreshFailed.reason,
@@ -507,6 +560,7 @@ var Revlm = class {
           if (refreshSecret) refreshFailureLog.refreshSecret = refreshSecret;
           this.logRefreshFailureClient(refreshFailureLog);
           if (refreshRes.reason === "no_refresh_secret") {
+            await this.clearRefreshSecret();
             const missingError = new Error("Refresh cookie missing. Provide a cookie-aware fetch implementation for Node/RN.");
             missingError.revlmReason = "no_refresh_secret";
             missingError.revlmCode = refreshRes.code;
@@ -519,12 +573,17 @@ var Revlm = class {
           const now = Math.floor(Date.now() / 1e3);
           const oldExp = beforePayload?.exp;
           const newExp = afterPayload?.exp;
+          const oldTtlSec = typeof oldExp === "number" ? oldExp - now : void 0;
+          const newTtlSec = typeof newExp === "number" ? newExp - now : void 0;
+          const oldExpDisplay = this.formatUnixSeconds(oldExp);
+          const newExpDisplay = this.formatUnixSeconds(newExp);
+          const ttlDisplay = this.formatTtlDetailed(newTtlSec);
           this.logDebug("### refresh success", {
             path,
-            oldExp,
-            newExp,
-            oldTtlSec: typeof oldExp === "number" ? oldExp - now : void 0,
-            newTtlSec: typeof newExp === "number" ? newExp - now : void 0
+            oldExp: oldExpDisplay ? `${oldExp} (${oldExpDisplay})` : oldExp,
+            newExp: newExpDisplay ? `${newExp} (${newExpDisplay})` : newExp,
+            oldTtlSec,
+            newTtlSec: typeof newTtlSec === "number" && ttlDisplay ? `${newTtlSec} (${ttlDisplay})` : newTtlSec
           });
           return this.requestWithRetry(path, method, body, { allowAuthRetry: false, retrying: true });
         }
@@ -553,7 +612,10 @@ var Revlm = class {
     }
     await this.ensureCookieSupport();
     if (!authId) throw new Error("authId is required");
-    const provisionalClient = new AuthClient({ secretMaster: this.provisionalAuthSecretMaster, authDomain: this.provisionalAuthDomain });
+    const provisionalClient = new AuthClient({
+      secretMaster: this.provisionalAuthSecretMaster,
+      authDomain: this.provisionalAuthDomain
+    });
     const provisionalPassword = await provisionalClient.producePassword(String(Date.now() * 1e3));
     const res = await this.request("/provisional-login", "POST", { authId, password: provisionalPassword });
     if (this.autoSetToken && res && res.ok && res.token) {
@@ -561,6 +623,22 @@ var Revlm = class {
     }
     return res;
   }
+  formatUnixSeconds(epochSeconds) {
+    if (typeof epochSeconds !== "number" || !Number.isFinite(epochSeconds)) return void 0;
+    const date = new Date(epochSeconds * 1e3);
+    const pad = (value) => String(value).padStart(2, "0");
+    return `${date.getFullYear()}-${pad(date.getMonth() + 1)}-${pad(date.getDate())} ${pad(date.getHours())}:${pad(date.getMinutes())}:${pad(date.getSeconds())}`;
+  }
+  formatTtlDetailed(seconds) {
+    if (typeof seconds !== "number" || !Number.isFinite(seconds)) return void 0;
+    const totalSeconds = Math.max(0, Math.floor(seconds));
+    const days = Math.floor(totalSeconds / 86400);
+    const hours = Math.floor(totalSeconds % 86400 / 3600);
+    const minutes = Math.floor(totalSeconds % 3600 / 60);
+    const secs = totalSeconds % 60;
+    const pad = (value) => String(value).padStart(2, "0");
+    return `${days} ${pad(hours)}:${pad(minutes)}:${pad(secs)}`;
+  }
   async registerUser(user, password) {
     if (!user) throw new Error("user is required");
     if (!password) throw new Error("password is required");
@@ -581,16 +659,22 @@ var Revlm = class {
   async ensureCookieSupport() {
     if (this.cookieCheckPromise) return this.cookieCheckPromise;
     this.cookieCheckPromise = (async () => {
-      const first = await this.requestWithRetry("/cookie-check", "POST", void 0, { allowAuthRetry: false, retrying: false });
-      this.logDebug("### cookie check", { step: "first", ok: first.ok, reason: first.reason, status: first.status });
-      if (first.ok) return;
-      if (first.reason !== "cookie_missing") {
-        throw new Error(`Cookie check failed: ${first.reason || first.error || "unknown_error"}`);
-      }
-      const second = await this.requestWithRetry("/cookie-check", "POST", void 0, { allowAuthRetry: false, retrying: false });
-      this.logDebug("### cookie check", { step: "second", ok: second.ok, reason: second.reason, status: second.status });
-      if (!second.ok) {
-        throw new Error("Cookie support missing. Provide a cookie-aware fetch implementation for Node/RN.");
+      try {
+        const first = await this.requestWithRetry("/cookie-check", "POST", void 0, { allowAuthRetry: false, retrying: false });
+        this.logDebug("### cookie check", { step: "first", ok: first.ok, reason: first.reason, status: first.status });
+        if (first.ok) {
+          this.refreshMode = "cookie";
+          return;
+        }
+        if (first.reason !== "cookie_missing") {
+          this.refreshMode = "header";
+          return;
+        }
+        const second = await this.requestWithRetry("/cookie-check", "POST", void 0, { allowAuthRetry: false, retrying: false });
+        this.logDebug("### cookie check", { step: "second", ok: second.ok, reason: second.reason, status: second.status });
+        this.refreshMode = second.ok ? "cookie" : "header";
+      } catch {
+        this.refreshMode = "header";
       }
     })();
     return this.cookieCheckPromise;

package/dist/index.d.mts

@@ -174,13 +174,10 @@ type UserInput = Omit<User, 'userType'> & {
     userType: User['userType'] | string;
 };
 type LogLevel = 'error' | 'warn' | 'info' | 'debug';
-type CookieStore = {
-    getCookieHeader: (url: string) => string | undefined | Promise<string | undefined>;
-    setCookie: (url: string, setCookieHeader: string) => void | Promise<void>;
-};
 type RevlmOptions = {
     fetchImpl?: typeof fetch;
     defaultHeaders?: Record<string, string>;
+    stateStore?: RevlmStateStore;
     provisionalEnabled?: boolean;
     provisionalAuthSecretMaster?: string;
     provisionalAuthDomain?: string;
@@ -189,7 +186,11 @@ type RevlmOptions = {
     logLevel?: LogLevel;
     sessionId?: string;
     sessionIdProvider?: () => string | Promise<string>;
-    cookieStore?: CookieStore;
+};
+type RevlmStateStore = {
+    get: (key: string) => Promise<string | undefined>;
+    set: (key: string, value: string) => Promise<void>;
+    remove: (key: string) => Promise<void>;
 };
 type RevlmResponse<T = any> = {
     ok: boolean;
@@ -214,18 +215,21 @@ declare class Revlm {
     private refreshPromise;
     private sessionId;
     private sessionIdProvider;
-    private cookieStore;
+    private refreshSecret;
+    private refreshMode;
+    private stateStore;
     constructor(baseUrl: string, opts?: RevlmOptions);
     private resolveSessionId;
-    private applyCookieStore;
-    private storeSetCookies;
+    private normalizeCookieValue;
+    private updateRefreshSecretFromResponse;
+    private ensureRefreshSecretLoaded;
+    private clearRefreshSecret;
     private canLog;
     logError(...args: any[]): void;
     logWarn(...args: any[]): void;
     logInfo(...args: any[]): void;
     logDebug(...args: any[]): void;
     private maskSecret;
-    private extractRefreshSecret;
     private logRefreshFailureClient;
     setToken(token: string): void;
     getToken(): string | undefined;
@@ -244,6 +248,8 @@ declare class Revlm {
     private requestWithRetry;
     login(authId: string, password: string): Promise<LoginResponse>;
     provisionalLogin(authId: string): Promise<ProvisionalLoginResponse>;
+    private formatUnixSeconds;
+    private formatTtlDetailed;
     registerUser(user: UserInput, password: string): Promise<RegisterUserResponse>;
     deleteUser(params: {
         _id?: any;
@@ -303,4 +309,4 @@ declare const BSON: typeof bson & {
     ObjectID: typeof bson.ObjectId;
 };
 
-export { type AggregatePipelineStage, App, BSON, type BaseChangeEvent, type ChangeEvent, type ChangeEventId, type CookieStore, type CountOptions, Credentials, type DeleteEvent, type DeleteResult, type DeleteUserResponse, type DeleteUserSuccess, type Document, type DocumentKey, type DocumentNamespace, type DropDatabaseEvent, type DropEvent, type Filter, type FindOneAndModifyOptions, type FindOneOptions, type FindOptions, type InsertEvent, type InsertManyResult, type InsertOneResult, type InvalidateEvent, type LoginResponse, type LoginSuccess, MdbCollection, MongoDBService, type NewDocument, ObjectID, ObjectId, type OperationType, type ProvisionalLoginResponse, type ProvisionalLoginSuccess, type RegisterUserResponse, type RegisterUserSuccess, type RenameEvent, type ReplaceEvent, Revlm, RevlmDBDatabase, type RevlmErrorResponse, type RevlmOptions, type RevlmResponse, RevlmUser, type Update, type UpdateDescription, type UpdateEvent, type UpdateOptions, type UpdateResult, type User, type UserBase, type WatchOptionsFilter, type WatchOptionsIds };
+export { type AggregatePipelineStage, App, BSON, type BaseChangeEvent, type ChangeEvent, type ChangeEventId, type CountOptions, Credentials, type DeleteEvent, type DeleteResult, type DeleteUserResponse, type DeleteUserSuccess, type Document, type DocumentKey, type DocumentNamespace, type DropDatabaseEvent, type DropEvent, type Filter, type FindOneAndModifyOptions, type FindOneOptions, type FindOptions, type InsertEvent, type InsertManyResult, type InsertOneResult, type InvalidateEvent, type LoginResponse, type LoginSuccess, MdbCollection, MongoDBService, type NewDocument, ObjectID, ObjectId, type OperationType, type ProvisionalLoginResponse, type ProvisionalLoginSuccess, type RegisterUserResponse, type RegisterUserSuccess, type RenameEvent, type ReplaceEvent, Revlm, RevlmDBDatabase, type RevlmErrorResponse, type RevlmOptions, type RevlmResponse, type RevlmStateStore, RevlmUser, type Update, type UpdateDescription, type UpdateEvent, type UpdateOptions, type UpdateResult, type User, type UserBase, type WatchOptionsFilter, type WatchOptionsIds };

package/dist/index.d.ts

@@ -174,13 +174,10 @@ type UserInput = Omit<User, 'userType'> & {
     userType: User['userType'] | string;
 };
 type LogLevel = 'error' | 'warn' | 'info' | 'debug';
-type CookieStore = {
-    getCookieHeader: (url: string) => string | undefined | Promise<string | undefined>;
-    setCookie: (url: string, setCookieHeader: string) => void | Promise<void>;
-};
 type RevlmOptions = {
     fetchImpl?: typeof fetch;
     defaultHeaders?: Record<string, string>;
+    stateStore?: RevlmStateStore;
     provisionalEnabled?: boolean;
     provisionalAuthSecretMaster?: string;
     provisionalAuthDomain?: string;
@@ -189,7 +186,11 @@ type RevlmOptions = {
     logLevel?: LogLevel;
     sessionId?: string;
     sessionIdProvider?: () => string | Promise<string>;
-    cookieStore?: CookieStore;
+};
+type RevlmStateStore = {
+    get: (key: string) => Promise<string | undefined>;
+    set: (key: string, value: string) => Promise<void>;
+    remove: (key: string) => Promise<void>;
 };
 type RevlmResponse<T = any> = {
     ok: boolean;
@@ -214,18 +215,21 @@ declare class Revlm {
     private refreshPromise;
     private sessionId;
     private sessionIdProvider;
-    private cookieStore;
+    private refreshSecret;
+    private refreshMode;
+    private stateStore;
     constructor(baseUrl: string, opts?: RevlmOptions);
     private resolveSessionId;
-    private applyCookieStore;
-    private storeSetCookies;
+    private normalizeCookieValue;
+    private updateRefreshSecretFromResponse;
+    private ensureRefreshSecretLoaded;
+    private clearRefreshSecret;
     private canLog;
     logError(...args: any[]): void;
     logWarn(...args: any[]): void;
     logInfo(...args: any[]): void;
     logDebug(...args: any[]): void;
     private maskSecret;
-    private extractRefreshSecret;
     private logRefreshFailureClient;
     setToken(token: string): void;
     getToken(): string | undefined;
@@ -244,6 +248,8 @@ declare class Revlm {
     private requestWithRetry;
     login(authId: string, password: string): Promise<LoginResponse>;
     provisionalLogin(authId: string): Promise<ProvisionalLoginResponse>;
+    private formatUnixSeconds;
+    private formatTtlDetailed;
     registerUser(user: UserInput, password: string): Promise<RegisterUserResponse>;
     deleteUser(params: {
         _id?: any;
@@ -303,4 +309,4 @@ declare const BSON: typeof bson & {
     ObjectID: typeof bson.ObjectId;
 };
 
-export { type AggregatePipelineStage, App, BSON, type BaseChangeEvent, type ChangeEvent, type ChangeEventId, type CookieStore, type CountOptions, Credentials, type DeleteEvent, type DeleteResult, type DeleteUserResponse, type DeleteUserSuccess, type Document, type DocumentKey, type DocumentNamespace, type DropDatabaseEvent, type DropEvent, type Filter, type FindOneAndModifyOptions, type FindOneOptions, type FindOptions, type InsertEvent, type InsertManyResult, type InsertOneResult, type InvalidateEvent, type LoginResponse, type LoginSuccess, MdbCollection, MongoDBService, type NewDocument, ObjectID, ObjectId, type OperationType, type ProvisionalLoginResponse, type ProvisionalLoginSuccess, type RegisterUserResponse, type RegisterUserSuccess, type RenameEvent, type ReplaceEvent, Revlm, RevlmDBDatabase, type RevlmErrorResponse, type RevlmOptions, type RevlmResponse, RevlmUser, type Update, type UpdateDescription, type UpdateEvent, type UpdateOptions, type UpdateResult, type User, type UserBase, type WatchOptionsFilter, type WatchOptionsIds };
+export { type AggregatePipelineStage, App, BSON, type BaseChangeEvent, type ChangeEvent, type ChangeEventId, type CountOptions, Credentials, type DeleteEvent, type DeleteResult, type DeleteUserResponse, type DeleteUserSuccess, type Document, type DocumentKey, type DocumentNamespace, type DropDatabaseEvent, type DropEvent, type Filter, type FindOneAndModifyOptions, type FindOneOptions, type FindOptions, type InsertEvent, type InsertManyResult, type InsertOneResult, type InvalidateEvent, type LoginResponse, type LoginSuccess, MdbCollection, MongoDBService, type NewDocument, ObjectID, ObjectId, type OperationType, type ProvisionalLoginResponse, type ProvisionalLoginSuccess, type RegisterUserResponse, type RegisterUserSuccess, type RenameEvent, type ReplaceEvent, Revlm, RevlmDBDatabase, type RevlmErrorResponse, type RevlmOptions, type RevlmResponse, type RevlmStateStore, RevlmUser, type Update, type UpdateDescription, type UpdateEvent, type UpdateOptions, type UpdateResult, type User, type UserBase, type WatchOptionsFilter, type WatchOptionsIds };

package/dist/index.js

@@ -35,7 +35,7 @@ var require_package = __commonJS({
   "package.json"(exports2, module2) {
     module2.exports = {
       name: "@kedaruma/revlm-client",
-      version: "1.0.60",
+      version: "1.0.63",
       private: false,
       description: "TypeScript client SDK for talking to the Revlm server replacement for MongoDB Realm.",
       keywords: [
@@ -96,7 +96,7 @@ var require_package = __commonJS({
         test: "NODE_OPTIONS=--experimental-vm-modules pnpm exec jest --config ../../jest.config.cjs packages/revlm-client/src/__tests__/ --runInBand --watchman=false --verbose"
       },
       dependencies: {
-        "@kedaruma/revlm-shared": "workspace:*",
+        "@kedaruma/revlm-shared": "latest",
         bson: "^6.10.4",
         dotenv: "^17.2.3"
       },
@@ -126,6 +126,7 @@ module.exports = __toCommonJS(index_exports);
 // src/Revlm.ts
 var import_bson = require("bson");
 var import_revlm_shared = require("@kedaruma/revlm-shared");
+var import_random_bytes = require("@kedaruma/revlm-shared/random-bytes");
 
 // src/MdbCollection.ts
 var MdbCollection = class {
@@ -233,6 +234,36 @@ var LOG_LEVEL_RANK = {
   debug: 3
 };
 var SESSION_HEADER_NAME = "x-revlm-session-id";
+var STATE_STORE_KEYS = {
+  refreshSecret: "refreshSecret"
+};
+var randomBytesInitAttempted = false;
+function resolvePlatformRandomBytes() {
+  const cryptoLike = globalThis?.crypto;
+  if (cryptoLike && typeof cryptoLike.getRandomValues === "function") {
+    return (length) => {
+      const out = new Uint8Array(length);
+      cryptoLike.getRandomValues(out);
+      return out;
+    };
+  }
+  try {
+    const nodeCrypto = require("crypto");
+    if (typeof nodeCrypto?.randomBytes === "function") {
+      return (length) => new Uint8Array(nodeCrypto.randomBytes(length));
+    }
+  } catch {
+  }
+  return void 0;
+}
+function ensureRandomBytesInitialized() {
+  if (randomBytesInitAttempted) return;
+  randomBytesInitAttempted = true;
+  const platformRandomBytes = resolvePlatformRandomBytes();
+  if (platformRandomBytes) {
+    (0, import_random_bytes.initRandomBytes)(platformRandomBytes);
+  }
+}
 function normalizeLogLevel(value) {
   if (!value) return "info";
   const lowered = value.toLowerCase();
@@ -277,6 +308,14 @@ function getRevlmClientVersion() {
   const globalVersion = globalThis?.REVLM_CLIENT_VERSION;
   return typeof globalVersion === "string" ? globalVersion : "unknown";
 }
+function resolveFetchImpl(fetchImpl) {
+  if (fetchImpl) return fetchImpl;
+  const globalFetch = globalThis?.fetch;
+  if (typeof globalFetch === "function") {
+    return globalFetch.bind(globalThis);
+  }
+  throw new Error("No fetch implementation available. Provide fetchImpl in options or run in Node 18+ with global fetch.");
+}
 var Revlm = class {
   baseUrl;
   fetchImpl;
@@ -292,11 +331,14 @@ var Revlm = class {
   refreshPromise;
   sessionId;
   sessionIdProvider;
-  cookieStore;
+  refreshSecret;
+  refreshMode = "unknown";
+  stateStore;
   constructor(baseUrl, opts = {}) {
     if (!baseUrl) throw new Error("baseUrl is required");
+    ensureRandomBytesInitialized();
     this.baseUrl = baseUrl.replace(/\/$/, "");
-    this.fetchImpl = opts.fetchImpl || (typeof fetch !== "undefined" ? fetch : void 0);
+    this.fetchImpl = resolveFetchImpl(opts.fetchImpl);
     this.defaultHeaders = opts.defaultHeaders || {};
     this.provisionalEnabled = opts.provisionalEnabled || false;
     this.provisionalAuthSecretMaster = opts.provisionalAuthSecretMaster || "";
@@ -306,10 +348,7 @@ var Revlm = class {
     this.logLevel = normalizeLogLevel(opts.logLevel);
     this.sessionId = opts.sessionId;
     this.sessionIdProvider = opts.sessionIdProvider;
-    this.cookieStore = opts.cookieStore;
-    if (!this.fetchImpl) {
-      throw new Error("No fetch implementation available. Provide fetchImpl in options or run in Node 18+ with global fetch.");
-    }
+    this.stateStore = opts.stateStore;
     this.logInfo("\u{1F680} Revlm Client Init", {
       version: getRevlmClientVersion(),
       baseUrl: this.baseUrl,
@@ -335,18 +374,33 @@ var Revlm = class {
     this.sessionId = generateSessionId();
     return this.sessionId;
   }
-  async applyCookieStore(headers, url) {
-    const existing = headers.cookie || headers.Cookie;
-    if (!this.cookieStore || existing) return;
-    const cookieHeader = await this.cookieStore.getCookieHeader(url);
-    if (cookieHeader) headers.cookie = cookieHeader;
+  normalizeCookieValue(value) {
+    if (!value) return void 0;
+    return value.replace(/^"+|"+$/g, "");
   }
-  async storeSetCookies(res, url) {
-    if (!this.cookieStore) return;
+  async updateRefreshSecretFromResponse(res) {
     const setCookies = getSetCookieHeaders(res);
     if (!setCookies.length) return;
     for (const setCookie of setCookies) {
-      await this.cookieStore.setCookie(url, setCookie);
+      const match = setCookie.match(/revlm_refresh=([^;]+)/);
+      if (match && match[1]) {
+        const normalized = this.normalizeCookieValue(match[1]);
+        this.refreshSecret = normalized;
+        if (this.stateStore && normalized) {
+          await this.stateStore.set(STATE_STORE_KEYS.refreshSecret, normalized);
+        }
+      }
+    }
+  }
+  async ensureRefreshSecretLoaded() {
+    if (this.refreshSecret || !this.stateStore) return;
+    const stored = await this.stateStore.get(STATE_STORE_KEYS.refreshSecret);
+    if (stored) this.refreshSecret = stored;
+  }
+  async clearRefreshSecret() {
+    this.refreshSecret = void 0;
+    if (this.stateStore) {
+      await this.stateStore.remove(STATE_STORE_KEYS.refreshSecret);
     }
   }
   canLog(level) {
@@ -369,11 +423,6 @@ var Revlm = class {
     if (value.length <= head + tail) return value;
     return `${value.slice(0, head)}***${value.slice(-tail)}`;
   }
-  extractRefreshSecret(cookieHeader) {
-    if (!cookieHeader) return void 0;
-    const match = cookieHeader.match(/(?:^|;\\s*)revlm_refresh=([^;]+)/);
-    return match?.[1];
-  }
   logRefreshFailureClient(params) {
     const recoverable = typeof params.code === "number" ? params.code >= 1e4 && params.code < 2e4 : params.status === 400 || params.status === 401;
     const line1 = `[refresh-token][${recoverable ? "debug" : "error"}][${recoverable ? "recoverable" : "fatal"}] cause=${params.cause}`;
@@ -504,7 +553,12 @@ var Revlm = class {
     const headers = this.makeHeaders(hasBody);
     const sessionId = await this.resolveSessionId();
     if (sessionId) headers[SESSION_HEADER_NAME] = sessionId;
-    await this.applyCookieStore(headers, url);
+    if (url.includes("/refresh-token") && this.refreshMode === "header") {
+      await this.ensureRefreshSecretLoaded();
+      if (this.refreshSecret) {
+        headers["x-revlm-refresh"] = this.refreshSecret;
+      }
+    }
     let serializedBody;
     if (hasBody) {
       serializedBody = import_bson.EJSON.stringify(body);
@@ -514,9 +568,10 @@ var Revlm = class {
       const res = await this.fetchImpl(signedUrl, {
         method,
         headers: signedHeaders,
-        body: serializedBody
+        body: serializedBody,
+        credentials: url.includes("/refresh-token") && this.refreshMode === "header" ? "omit" : "include"
       });
-      await this.storeSetCookies(res, signedUrl);
+      await this.updateRefreshSecretFromResponse(res);
       const parsed = await this.parseResponse(res);
       const out = parsed && typeof parsed === "object" ? parsed : { ok: res.ok, result: parsed };
       out.status = res.status;
@@ -537,9 +592,7 @@ var Revlm = class {
             code: refreshRes.code
           };
           this.logDebug("### refresh failed:", refreshFailed, JSON.stringify(refreshFailed));
-          const refreshUrl = `${this.baseUrl}/refresh-token`;
-          const cookieHeader = await this.cookieStore?.getCookieHeader?.(refreshUrl);
-          const refreshSecret = this.extractRefreshSecret(cookieHeader);
+          const refreshSecret = this.refreshSecret;
           const refreshFailureLog = {
             cause: refreshRes.reason || "refresh_failed",
             reason: refreshFailed.reason,
@@ -550,6 +603,7 @@ var Revlm = class {
           if (refreshSecret) refreshFailureLog.refreshSecret = refreshSecret;
           this.logRefreshFailureClient(refreshFailureLog);
           if (refreshRes.reason === "no_refresh_secret") {
+            await this.clearRefreshSecret();
             const missingError = new Error("Refresh cookie missing. Provide a cookie-aware fetch implementation for Node/RN.");
             missingError.revlmReason = "no_refresh_secret";
             missingError.revlmCode = refreshRes.code;
@@ -562,12 +616,17 @@ var Revlm = class {
           const now = Math.floor(Date.now() / 1e3);
           const oldExp = beforePayload?.exp;
           const newExp = afterPayload?.exp;
+          const oldTtlSec = typeof oldExp === "number" ? oldExp - now : void 0;
+          const newTtlSec = typeof newExp === "number" ? newExp - now : void 0;
+          const oldExpDisplay = this.formatUnixSeconds(oldExp);
+          const newExpDisplay = this.formatUnixSeconds(newExp);
+          const ttlDisplay = this.formatTtlDetailed(newTtlSec);
           this.logDebug("### refresh success", {
             path,
-            oldExp,
-            newExp,
-            oldTtlSec: typeof oldExp === "number" ? oldExp - now : void 0,
-            newTtlSec: typeof newExp === "number" ? newExp - now : void 0
+            oldExp: oldExpDisplay ? `${oldExp} (${oldExpDisplay})` : oldExp,
+            newExp: newExpDisplay ? `${newExp} (${newExpDisplay})` : newExp,
+            oldTtlSec,
+            newTtlSec: typeof newTtlSec === "number" && ttlDisplay ? `${newTtlSec} (${ttlDisplay})` : newTtlSec
           });
           return this.requestWithRetry(path, method, body, { allowAuthRetry: false, retrying: true });
         }
@@ -596,7 +655,10 @@ var Revlm = class {
     }
     await this.ensureCookieSupport();
     if (!authId) throw new Error("authId is required");
-    const provisionalClient = new import_revlm_shared.AuthClient({ secretMaster: this.provisionalAuthSecretMaster, authDomain: this.provisionalAuthDomain });
+    const provisionalClient = new import_revlm_shared.AuthClient({
+      secretMaster: this.provisionalAuthSecretMaster,
+      authDomain: this.provisionalAuthDomain
+    });
     const provisionalPassword = await provisionalClient.producePassword(String(Date.now() * 1e3));
     const res = await this.request("/provisional-login", "POST", { authId, password: provisionalPassword });
     if (this.autoSetToken && res && res.ok && res.token) {
@@ -604,6 +666,22 @@ var Revlm = class {
     }
     return res;
   }
+  formatUnixSeconds(epochSeconds) {
+    if (typeof epochSeconds !== "number" || !Number.isFinite(epochSeconds)) return void 0;
+    const date = new Date(epochSeconds * 1e3);
+    const pad = (value) => String(value).padStart(2, "0");
+    return `${date.getFullYear()}-${pad(date.getMonth() + 1)}-${pad(date.getDate())} ${pad(date.getHours())}:${pad(date.getMinutes())}:${pad(date.getSeconds())}`;
+  }
+  formatTtlDetailed(seconds) {
+    if (typeof seconds !== "number" || !Number.isFinite(seconds)) return void 0;
+    const totalSeconds = Math.max(0, Math.floor(seconds));
+    const days = Math.floor(totalSeconds / 86400);
+    const hours = Math.floor(totalSeconds % 86400 / 3600);
+    const minutes = Math.floor(totalSeconds % 3600 / 60);
+    const secs = totalSeconds % 60;
+    const pad = (value) => String(value).padStart(2, "0");
+    return `${days} ${pad(hours)}:${pad(minutes)}:${pad(secs)}`;
+  }
   async registerUser(user, password) {
     if (!user) throw new Error("user is required");
     if (!password) throw new Error("password is required");
@@ -624,16 +702,22 @@ var Revlm = class {
   async ensureCookieSupport() {
     if (this.cookieCheckPromise) return this.cookieCheckPromise;
     this.cookieCheckPromise = (async () => {
-      const first = await this.requestWithRetry("/cookie-check", "POST", void 0, { allowAuthRetry: false, retrying: false });
-      this.logDebug("### cookie check", { step: "first", ok: first.ok, reason: first.reason, status: first.status });
-      if (first.ok) return;
-      if (first.reason !== "cookie_missing") {
-        throw new Error(`Cookie check failed: ${first.reason || first.error || "unknown_error"}`);
-      }
-      const second = await this.requestWithRetry("/cookie-check", "POST", void 0, { allowAuthRetry: false, retrying: false });
-      this.logDebug("### cookie check", { step: "second", ok: second.ok, reason: second.reason, status: second.status });
-      if (!second.ok) {
-        throw new Error("Cookie support missing. Provide a cookie-aware fetch implementation for Node/RN.");
+      try {
+        const first = await this.requestWithRetry("/cookie-check", "POST", void 0, { allowAuthRetry: false, retrying: false });
+        this.logDebug("### cookie check", { step: "first", ok: first.ok, reason: first.reason, status: first.status });
+        if (first.ok) {
+          this.refreshMode = "cookie";
+          return;
+        }
+        if (first.reason !== "cookie_missing") {
+          this.refreshMode = "header";
+          return;
+        }
+        const second = await this.requestWithRetry("/cookie-check", "POST", void 0, { allowAuthRetry: false, retrying: false });
+        this.logDebug("### cookie check", { step: "second", ok: second.ok, reason: second.reason, status: second.status });
+        this.refreshMode = second.ok ? "cookie" : "header";
+      } catch {
+        this.refreshMode = "header";
       }
     })();
     return this.cookieCheckPromise;

package/dist/index.mjs

@@ -9,7 +9,7 @@ import {
   Revlm,
   RevlmDBDatabase,
   RevlmUser
-} from "./chunk-367MFQ4K.mjs";
+} from "./chunk-OBJS4AOD.mjs";
 import "./chunk-EBO3CZXG.mjs";
 export {
   App,

package/dist/revlm-compat.d.mts

@@ -1,5 +1,5 @@
 import { MdbCollection, Document, NewDocument, Filter, Update, AggregatePipelineStage, FindOneOptions, FindOptions, FindOneAndModifyOptions, CountOptions, UpdateOptions, InsertOneResult, InsertManyResult, DeleteResult, UpdateResult, ChangeEvent, UpdateDescription, WatchOptionsIds, WatchOptionsFilter } from './index.mjs';
-export { App, BSON, BaseChangeEvent, ChangeEventId, CookieStore, Credentials, DeleteEvent, DeleteUserResponse, DeleteUserSuccess, DocumentKey, DocumentNamespace, DropDatabaseEvent, DropEvent, InsertEvent, InvalidateEvent, LoginResponse, LoginSuccess, MongoDBService, ObjectID, ObjectId, OperationType, ProvisionalLoginResponse, ProvisionalLoginSuccess, RegisterUserResponse, RegisterUserSuccess, RenameEvent, ReplaceEvent, Revlm, RevlmErrorResponse, RevlmOptions, RevlmResponse, RevlmUser, UpdateEvent, User, UserBase } from './index.mjs';
+export { App, BSON, BaseChangeEvent, ChangeEventId, Credentials, DeleteEvent, DeleteUserResponse, DeleteUserSuccess, DocumentKey, DocumentNamespace, DropDatabaseEvent, DropEvent, InsertEvent, InvalidateEvent, LoginResponse, LoginSuccess, MongoDBService, ObjectID, ObjectId, OperationType, ProvisionalLoginResponse, ProvisionalLoginSuccess, RegisterUserResponse, RegisterUserSuccess, RenameEvent, ReplaceEvent, Revlm, RevlmErrorResponse, RevlmOptions, RevlmResponse, RevlmStateStore, RevlmUser, UpdateEvent, User, UserBase } from './index.mjs';
 import '@kedaruma/revlm-shared/models/mongo-doc-base-types';
 import 'bson';
 import '@kedaruma/revlm-shared/models/user-types';

package/dist/revlm-compat.d.ts

@@ -1,5 +1,5 @@
 import { MdbCollection, Document, NewDocument, Filter, Update, AggregatePipelineStage, FindOneOptions, FindOptions, FindOneAndModifyOptions, CountOptions, UpdateOptions, InsertOneResult, InsertManyResult, DeleteResult, UpdateResult, ChangeEvent, UpdateDescription, WatchOptionsIds, WatchOptionsFilter } from './index.js';
-export { App, BSON, BaseChangeEvent, ChangeEventId, CookieStore, Credentials, DeleteEvent, DeleteUserResponse, DeleteUserSuccess, DocumentKey, DocumentNamespace, DropDatabaseEvent, DropEvent, InsertEvent, InvalidateEvent, LoginResponse, LoginSuccess, MongoDBService, ObjectID, ObjectId, OperationType, ProvisionalLoginResponse, ProvisionalLoginSuccess, RegisterUserResponse, RegisterUserSuccess, RenameEvent, ReplaceEvent, Revlm, RevlmErrorResponse, RevlmOptions, RevlmResponse, RevlmUser, UpdateEvent, User, UserBase } from './index.js';
+export { App, BSON, BaseChangeEvent, ChangeEventId, Credentials, DeleteEvent, DeleteUserResponse, DeleteUserSuccess, DocumentKey, DocumentNamespace, DropDatabaseEvent, DropEvent, InsertEvent, InvalidateEvent, LoginResponse, LoginSuccess, MongoDBService, ObjectID, ObjectId, OperationType, ProvisionalLoginResponse, ProvisionalLoginSuccess, RegisterUserResponse, RegisterUserSuccess, RenameEvent, ReplaceEvent, Revlm, RevlmErrorResponse, RevlmOptions, RevlmResponse, RevlmStateStore, RevlmUser, UpdateEvent, User, UserBase } from './index.js';
 import '@kedaruma/revlm-shared/models/mongo-doc-base-types';
 import 'bson';
 import '@kedaruma/revlm-shared/models/user-types';

package/dist/revlm-compat.js

@@ -35,7 +35,7 @@ var require_package = __commonJS({
   "package.json"(exports2, module2) {
     module2.exports = {
       name: "@kedaruma/revlm-client",
-      version: "1.0.60",
+      version: "1.0.63",
       private: false,
       description: "TypeScript client SDK for talking to the Revlm server replacement for MongoDB Realm.",
       keywords: [
@@ -96,7 +96,7 @@ var require_package = __commonJS({
         test: "NODE_OPTIONS=--experimental-vm-modules pnpm exec jest --config ../../jest.config.cjs packages/revlm-client/src/__tests__/ --runInBand --watchman=false --verbose"
       },
       dependencies: {
-        "@kedaruma/revlm-shared": "workspace:*",
+        "@kedaruma/revlm-shared": "latest",
         bson: "^6.10.4",
         dotenv: "^17.2.3"
       },
@@ -124,6 +124,7 @@ module.exports = __toCommonJS(revlm_compat_exports);
 // src/Revlm.ts
 var import_bson = require("bson");
 var import_revlm_shared = require("@kedaruma/revlm-shared");
+var import_random_bytes = require("@kedaruma/revlm-shared/random-bytes");
 
 // src/MdbCollection.ts
 var MdbCollection = class {
@@ -231,6 +232,36 @@ var LOG_LEVEL_RANK = {
   debug: 3
 };
 var SESSION_HEADER_NAME = "x-revlm-session-id";
+var STATE_STORE_KEYS = {
+  refreshSecret: "refreshSecret"
+};
+var randomBytesInitAttempted = false;
+function resolvePlatformRandomBytes() {
+  const cryptoLike = globalThis?.crypto;
+  if (cryptoLike && typeof cryptoLike.getRandomValues === "function") {
+    return (length) => {
+      const out = new Uint8Array(length);
+      cryptoLike.getRandomValues(out);
+      return out;
+    };
+  }
+  try {
+    const nodeCrypto = require("crypto");
+    if (typeof nodeCrypto?.randomBytes === "function") {
+      return (length) => new Uint8Array(nodeCrypto.randomBytes(length));
+    }
+  } catch {
+  }
+  return void 0;
+}
+function ensureRandomBytesInitialized() {
+  if (randomBytesInitAttempted) return;
+  randomBytesInitAttempted = true;
+  const platformRandomBytes = resolvePlatformRandomBytes();
+  if (platformRandomBytes) {
+    (0, import_random_bytes.initRandomBytes)(platformRandomBytes);
+  }
+}
 function normalizeLogLevel(value) {
   if (!value) return "info";
   const lowered = value.toLowerCase();
@@ -275,6 +306,14 @@ function getRevlmClientVersion() {
   const globalVersion = globalThis?.REVLM_CLIENT_VERSION;
   return typeof globalVersion === "string" ? globalVersion : "unknown";
 }
+function resolveFetchImpl(fetchImpl) {
+  if (fetchImpl) return fetchImpl;
+  const globalFetch = globalThis?.fetch;
+  if (typeof globalFetch === "function") {
+    return globalFetch.bind(globalThis);
+  }
+  throw new Error("No fetch implementation available. Provide fetchImpl in options or run in Node 18+ with global fetch.");
+}
 var Revlm = class {
   baseUrl;
   fetchImpl;
@@ -290,11 +329,14 @@ var Revlm = class {
   refreshPromise;
   sessionId;
   sessionIdProvider;
-  cookieStore;
+  refreshSecret;
+  refreshMode = "unknown";
+  stateStore;
   constructor(baseUrl, opts = {}) {
     if (!baseUrl) throw new Error("baseUrl is required");
+    ensureRandomBytesInitialized();
     this.baseUrl = baseUrl.replace(/\/$/, "");
-    this.fetchImpl = opts.fetchImpl || (typeof fetch !== "undefined" ? fetch : void 0);
+    this.fetchImpl = resolveFetchImpl(opts.fetchImpl);
     this.defaultHeaders = opts.defaultHeaders || {};
     this.provisionalEnabled = opts.provisionalEnabled || false;
     this.provisionalAuthSecretMaster = opts.provisionalAuthSecretMaster || "";
@@ -304,10 +346,7 @@ var Revlm = class {
     this.logLevel = normalizeLogLevel(opts.logLevel);
     this.sessionId = opts.sessionId;
     this.sessionIdProvider = opts.sessionIdProvider;
-    this.cookieStore = opts.cookieStore;
-    if (!this.fetchImpl) {
-      throw new Error("No fetch implementation available. Provide fetchImpl in options or run in Node 18+ with global fetch.");
-    }
+    this.stateStore = opts.stateStore;
     this.logInfo("\u{1F680} Revlm Client Init", {
       version: getRevlmClientVersion(),
       baseUrl: this.baseUrl,
@@ -333,18 +372,33 @@ var Revlm = class {
     this.sessionId = generateSessionId();
     return this.sessionId;
   }
-  async applyCookieStore(headers, url) {
-    const existing = headers.cookie || headers.Cookie;
-    if (!this.cookieStore || existing) return;
-    const cookieHeader = await this.cookieStore.getCookieHeader(url);
-    if (cookieHeader) headers.cookie = cookieHeader;
+  normalizeCookieValue(value) {
+    if (!value) return void 0;
+    return value.replace(/^"+|"+$/g, "");
   }
-  async storeSetCookies(res, url) {
-    if (!this.cookieStore) return;
+  async updateRefreshSecretFromResponse(res) {
     const setCookies = getSetCookieHeaders(res);
     if (!setCookies.length) return;
     for (const setCookie of setCookies) {
-      await this.cookieStore.setCookie(url, setCookie);
+      const match = setCookie.match(/revlm_refresh=([^;]+)/);
+      if (match && match[1]) {
+        const normalized = this.normalizeCookieValue(match[1]);
+        this.refreshSecret = normalized;
+        if (this.stateStore && normalized) {
+          await this.stateStore.set(STATE_STORE_KEYS.refreshSecret, normalized);
+        }
+      }
+    }
+  }
+  async ensureRefreshSecretLoaded() {
+    if (this.refreshSecret || !this.stateStore) return;
+    const stored = await this.stateStore.get(STATE_STORE_KEYS.refreshSecret);
+    if (stored) this.refreshSecret = stored;
+  }
+  async clearRefreshSecret() {
+    this.refreshSecret = void 0;
+    if (this.stateStore) {
+      await this.stateStore.remove(STATE_STORE_KEYS.refreshSecret);
     }
   }
   canLog(level) {
@@ -367,11 +421,6 @@ var Revlm = class {
     if (value.length <= head + tail) return value;
     return `${value.slice(0, head)}***${value.slice(-tail)}`;
   }
-  extractRefreshSecret(cookieHeader) {
-    if (!cookieHeader) return void 0;
-    const match = cookieHeader.match(/(?:^|;\\s*)revlm_refresh=([^;]+)/);
-    return match?.[1];
-  }
   logRefreshFailureClient(params) {
     const recoverable = typeof params.code === "number" ? params.code >= 1e4 && params.code < 2e4 : params.status === 400 || params.status === 401;
     const line1 = `[refresh-token][${recoverable ? "debug" : "error"}][${recoverable ? "recoverable" : "fatal"}] cause=${params.cause}`;
@@ -502,7 +551,12 @@ var Revlm = class {
     const headers = this.makeHeaders(hasBody);
     const sessionId = await this.resolveSessionId();
     if (sessionId) headers[SESSION_HEADER_NAME] = sessionId;
-    await this.applyCookieStore(headers, url);
+    if (url.includes("/refresh-token") && this.refreshMode === "header") {
+      await this.ensureRefreshSecretLoaded();
+      if (this.refreshSecret) {
+        headers["x-revlm-refresh"] = this.refreshSecret;
+      }
+    }
     let serializedBody;
     if (hasBody) {
       serializedBody = import_bson.EJSON.stringify(body);
@@ -512,9 +566,10 @@ var Revlm = class {
       const res = await this.fetchImpl(signedUrl, {
         method,
         headers: signedHeaders,
-        body: serializedBody
+        body: serializedBody,
+        credentials: url.includes("/refresh-token") && this.refreshMode === "header" ? "omit" : "include"
       });
-      await this.storeSetCookies(res, signedUrl);
+      await this.updateRefreshSecretFromResponse(res);
       const parsed = await this.parseResponse(res);
       const out = parsed && typeof parsed === "object" ? parsed : { ok: res.ok, result: parsed };
       out.status = res.status;
@@ -535,9 +590,7 @@ var Revlm = class {
             code: refreshRes.code
           };
           this.logDebug("### refresh failed:", refreshFailed, JSON.stringify(refreshFailed));
-          const refreshUrl = `${this.baseUrl}/refresh-token`;
-          const cookieHeader = await this.cookieStore?.getCookieHeader?.(refreshUrl);
-          const refreshSecret = this.extractRefreshSecret(cookieHeader);
+          const refreshSecret = this.refreshSecret;
           const refreshFailureLog = {
             cause: refreshRes.reason || "refresh_failed",
             reason: refreshFailed.reason,
@@ -548,6 +601,7 @@ var Revlm = class {
           if (refreshSecret) refreshFailureLog.refreshSecret = refreshSecret;
           this.logRefreshFailureClient(refreshFailureLog);
           if (refreshRes.reason === "no_refresh_secret") {
+            await this.clearRefreshSecret();
             const missingError = new Error("Refresh cookie missing. Provide a cookie-aware fetch implementation for Node/RN.");
             missingError.revlmReason = "no_refresh_secret";
             missingError.revlmCode = refreshRes.code;
@@ -560,12 +614,17 @@ var Revlm = class {
           const now = Math.floor(Date.now() / 1e3);
           const oldExp = beforePayload?.exp;
           const newExp = afterPayload?.exp;
+          const oldTtlSec = typeof oldExp === "number" ? oldExp - now : void 0;
+          const newTtlSec = typeof newExp === "number" ? newExp - now : void 0;
+          const oldExpDisplay = this.formatUnixSeconds(oldExp);
+          const newExpDisplay = this.formatUnixSeconds(newExp);
+          const ttlDisplay = this.formatTtlDetailed(newTtlSec);
           this.logDebug("### refresh success", {
             path,
-            oldExp,
-            newExp,
-            oldTtlSec: typeof oldExp === "number" ? oldExp - now : void 0,
-            newTtlSec: typeof newExp === "number" ? newExp - now : void 0
+            oldExp: oldExpDisplay ? `${oldExp} (${oldExpDisplay})` : oldExp,
+            newExp: newExpDisplay ? `${newExp} (${newExpDisplay})` : newExp,
+            oldTtlSec,
+            newTtlSec: typeof newTtlSec === "number" && ttlDisplay ? `${newTtlSec} (${ttlDisplay})` : newTtlSec
           });
           return this.requestWithRetry(path, method, body, { allowAuthRetry: false, retrying: true });
         }
@@ -594,7 +653,10 @@ var Revlm = class {
     }
     await this.ensureCookieSupport();
     if (!authId) throw new Error("authId is required");
-    const provisionalClient = new import_revlm_shared.AuthClient({ secretMaster: this.provisionalAuthSecretMaster, authDomain: this.provisionalAuthDomain });
+    const provisionalClient = new import_revlm_shared.AuthClient({
+      secretMaster: this.provisionalAuthSecretMaster,
+      authDomain: this.provisionalAuthDomain
+    });
     const provisionalPassword = await provisionalClient.producePassword(String(Date.now() * 1e3));
     const res = await this.request("/provisional-login", "POST", { authId, password: provisionalPassword });
     if (this.autoSetToken && res && res.ok && res.token) {
@@ -602,6 +664,22 @@ var Revlm = class {
     }
     return res;
   }
+  formatUnixSeconds(epochSeconds) {
+    if (typeof epochSeconds !== "number" || !Number.isFinite(epochSeconds)) return void 0;
+    const date = new Date(epochSeconds * 1e3);
+    const pad = (value) => String(value).padStart(2, "0");
+    return `${date.getFullYear()}-${pad(date.getMonth() + 1)}-${pad(date.getDate())} ${pad(date.getHours())}:${pad(date.getMinutes())}:${pad(date.getSeconds())}`;
+  }
+  formatTtlDetailed(seconds) {
+    if (typeof seconds !== "number" || !Number.isFinite(seconds)) return void 0;
+    const totalSeconds = Math.max(0, Math.floor(seconds));
+    const days = Math.floor(totalSeconds / 86400);
+    const hours = Math.floor(totalSeconds % 86400 / 3600);
+    const minutes = Math.floor(totalSeconds % 3600 / 60);
+    const secs = totalSeconds % 60;
+    const pad = (value) => String(value).padStart(2, "0");
+    return `${days} ${pad(hours)}:${pad(minutes)}:${pad(secs)}`;
+  }
   async registerUser(user, password) {
     if (!user) throw new Error("user is required");
     if (!password) throw new Error("password is required");
@@ -622,16 +700,22 @@ var Revlm = class {
   async ensureCookieSupport() {
     if (this.cookieCheckPromise) return this.cookieCheckPromise;
     this.cookieCheckPromise = (async () => {
-      const first = await this.requestWithRetry("/cookie-check", "POST", void 0, { allowAuthRetry: false, retrying: false });
-      this.logDebug("### cookie check", { step: "first", ok: first.ok, reason: first.reason, status: first.status });
-      if (first.ok) return;
-      if (first.reason !== "cookie_missing") {
-        throw new Error(`Cookie check failed: ${first.reason || first.error || "unknown_error"}`);
-      }
-      const second = await this.requestWithRetry("/cookie-check", "POST", void 0, { allowAuthRetry: false, retrying: false });
-      this.logDebug("### cookie check", { step: "second", ok: second.ok, reason: second.reason, status: second.status });
-      if (!second.ok) {
-        throw new Error("Cookie support missing. Provide a cookie-aware fetch implementation for Node/RN.");
+      try {
+        const first = await this.requestWithRetry("/cookie-check", "POST", void 0, { allowAuthRetry: false, retrying: false });
+        this.logDebug("### cookie check", { step: "first", ok: first.ok, reason: first.reason, status: first.status });
+        if (first.ok) {
+          this.refreshMode = "cookie";
+          return;
+        }
+        if (first.reason !== "cookie_missing") {
+          this.refreshMode = "header";
+          return;
+        }
+        const second = await this.requestWithRetry("/cookie-check", "POST", void 0, { allowAuthRetry: false, retrying: false });
+        this.logDebug("### cookie check", { step: "second", ok: second.ok, reason: second.reason, status: second.status });
+        this.refreshMode = second.ok ? "cookie" : "header";
+      } catch {
+        this.refreshMode = "header";
       }
     })();
     return this.cookieCheckPromise;

package/dist/revlm-compat.mjs

@@ -7,7 +7,7 @@ import {
   ObjectId,
   Revlm,
   RevlmUser
-} from "./chunk-367MFQ4K.mjs";
+} from "./chunk-OBJS4AOD.mjs";
 import "./chunk-EBO3CZXG.mjs";
 export {
   App,

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@kedaruma/revlm-client",
-  "version": "1.0.60",
+  "version": "1.0.63",
   "private": false,
   "description": "TypeScript client SDK for talking to the Revlm server replacement for MongoDB Realm.",
   "keywords": [
@@ -56,9 +56,9 @@
     "access": "public"
   },
   "dependencies": {
+    "@kedaruma/revlm-shared": "latest",
     "bson": "^6.10.4",
-    "dotenv": "^17.2.3",
-    "@kedaruma/revlm-shared": "1.0.11"
+    "dotenv": "^17.2.3"
   },
   "devDependencies": {
     "tsup": "^8.5.1"