@nauth-toolkit/client 0.1.18 → 0.1.22

package/dist/index.mjs

@@ -126,12 +126,12 @@ var defaultEndpoints = {
   mfaPreferred: "/mfa/preferred-method",
   mfaBackupCodes: "/mfa/backup-codes/generate",
   mfaExemption: "/mfa/exemption",
-  socialAuthUrl: "/social/auth-url",
-  socialCallback: "/social/callback",
   socialLinked: "/social/linked",
   socialLink: "/social/link",
   socialUnlink: "/social/unlink",
   socialVerify: "/social/:provider/verify",
+  socialRedirectStart: "/social/:provider/redirect",
+  socialExchange: "/social/exchange",
   trustDevice: "/trust-device",
   isTrustedDevice: "/is-trusted-device",
   auditHistory: "/audit/history",
@@ -367,6 +367,9 @@ var BrowserStorage = class {
   async removeItem(key) {
     this.storage.removeItem(key);
   }
+  async clear() {
+    this.storage.clear();
+  }
 };
 
 // src/storage/memory.ts
@@ -383,6 +386,9 @@ var InMemoryStorage = class {
   async removeItem(key) {
     this.store.delete(key);
   }
+  async clear() {
+    this.store.clear();
+  }
 };
 
 // src/core/events.ts
@@ -503,9 +509,9 @@ var FetchAdapter = class {
     });
     if (!response.ok) {
       const errorData = typeof data === "object" && data !== null ? data : {};
-      const code = typeof errorData["code"] === "string" ? errorData.code : "INTERNAL_ERROR" /* INTERNAL_ERROR */;
-      const message = typeof errorData["message"] === "string" ? errorData.message : `Request failed with status ${status}`;
-      const timestamp = typeof errorData["timestamp"] === "string" ? errorData.timestamp : void 0;
+      const code = typeof errorData["code"] === "string" ? errorData["code"] : "INTERNAL_ERROR" /* INTERNAL_ERROR */;
+      const message = typeof errorData["message"] === "string" ? errorData["message"] : `Request failed with status ${status}`;
+      const timestamp = typeof errorData["timestamp"] === "string" ? errorData["timestamp"] : void 0;
       const details = errorData["details"];
       throw new NAuthClientError(code, message, {
         statusCode: status,
@@ -817,7 +823,9 @@ var NAuthClient = class {
    */
   async confirmForgotPassword(identifier, code, newPassword) {
     const payload = { identifier, code, newPassword };
-    return this.post(this.config.endpoints.confirmForgotPassword, payload);
+    const result = await this.post(this.config.endpoints.confirmForgotPassword, payload);
+    await this.clearAuthState(false);
+    return result;
   }
   /**
    * Request password change (must change on next login).
@@ -927,126 +935,57 @@ var NAuthClient = class {
   // Social Authentication
   // ============================================================================
   /**
-   * Start social OAuth flow with automatic state management.
+   * Start redirect-first social OAuth flow (web).
    *
-   * Generates a secure state token, stores OAuth context, and redirects to the OAuth provider.
-   * After OAuth callback, use `handleOAuthCallback()` to complete authentication.
+   * This performs a browser navigation to:
+   * `GET {baseUrl}/social/:provider/redirect?returnTo=...&appState=...`
+   *
+   * The backend:
+   * - generates and stores CSRF state (cluster-safe)
+   * - redirects the user to the provider
+   * - completes OAuth on callback and sets cookies (or issues an exchange token)
+   * - redirects back to `returnTo` with `appState` (and `exchangeToken` for json/hybrid)
    *
    * @param provider - OAuth provider ('google', 'apple', 'facebook')
-   * @param options - Optional configuration
+   * @param options - Optional redirect options
    *
    * @example
    * ```typescript
-   * // Simple usage
-   * await client.loginWithSocial('google');
-   *
-   * // With custom redirect URI
-   * await client.loginWithSocial('apple', {
-   *   redirectUri: 'https://example.com/auth/callback'
-   * });
+   * await client.loginWithSocial('google', { returnTo: '/auth/callback', appState: '12345' });
    * ```
    */
-  async loginWithSocial(provider, _options) {
+  async loginWithSocial(provider, options) {
     this.eventEmitter.emit({ type: "oauth:started", data: { provider }, timestamp: Date.now() });
-    const { url } = await this.getSocialAuthUrl({ provider });
     if (hasWindow()) {
-      window.location.href = url;
-    }
-  }
-  /**
-   * Auto-detect and handle OAuth callback.
-   *
-   * Call this on app initialization or in callback route.
-   * Returns null if not an OAuth callback (no provider/code params).
-   *
-   * The SDK validates the state token, completes authentication via backend,
-   * and emits appropriate events.
-   *
-   * @param urlOrParams - Optional URL string or URLSearchParams (auto-detects from window.location if not provided)
-   * @returns AuthResponse if OAuth callback detected, null otherwise
-   *
-   * @example
-   * ```typescript
-   * // Auto-detect on app init
-   * const response = await client.handleOAuthCallback();
-   * if (response) {
-   *   if (response.challengeName) {
-   *     router.navigate(['/challenge', response.challengeName]);
-   *   } else {
-   *     router.navigate(['/']); // Navigate to your app's home route
-   *   }
-   * }
-   *
-   * // In callback route
-   * const response = await client.handleOAuthCallback(window.location.search);
-   * ```
-   */
-  async handleOAuthCallback(urlOrParams) {
-    let params;
-    if (urlOrParams instanceof URLSearchParams) {
-      params = urlOrParams;
-    } else if (typeof urlOrParams === "string") {
-      params = new URLSearchParams(urlOrParams);
-    } else if (hasWindow()) {
-      params = new URLSearchParams(window.location.search);
-    } else {
-      return null;
-    }
-    const provider = params.get("provider");
-    const code = params.get("code");
-    const state = params.get("state");
-    const error = params.get("error");
-    if (!provider || !code && !error) {
-      return null;
-    }
-    this.eventEmitter.emit({ type: "oauth:callback", data: { provider }, timestamp: Date.now() });
-    try {
-      if (error) {
-        const authError = new NAuthClientError(
-          "SOCIAL_TOKEN_INVALID" /* SOCIAL_TOKEN_INVALID */,
-          params.get("error_description") || error,
-          { details: { error, provider } }
-        );
-        this.eventEmitter.emit({ type: "oauth:error", data: authError, timestamp: Date.now() });
-        throw authError;
+      const startPath = this.config.endpoints.socialRedirectStart.replace(":provider", provider);
+      const base = this.config.baseUrl.replace(/\/$/, "");
+      const startUrl = new URL(`${base}${startPath}`);
+      const returnTo = options?.returnTo ?? this.config.redirects?.success ?? "/";
+      startUrl.searchParams.set("returnTo", returnTo);
+      if (options?.action === "link") {
+        startUrl.searchParams.set("action", "link");
       }
-      if (!state) {
-        throw new NAuthClientError("CHALLENGE_INVALID" /* CHALLENGE_INVALID */, "Missing OAuth state parameter");
+      if (typeof options?.appState === "string" && options.appState.trim() !== "") {
+        startUrl.searchParams.set("appState", options.appState);
       }
-      const response = await this.handleSocialCallback({
-        provider,
-        code,
-        state
-      });
-      if (response.challengeName) {
-        this.eventEmitter.emit({ type: "auth:challenge", data: response, timestamp: Date.now() });
-      } else {
-        this.eventEmitter.emit({ type: "auth:success", data: response, timestamp: Date.now() });
-      }
-      this.eventEmitter.emit({ type: "oauth:completed", data: response, timestamp: Date.now() });
-      return response;
-    } catch (error2) {
-      const authError = error2 instanceof NAuthClientError ? error2 : new NAuthClientError(
-        "SOCIAL_TOKEN_INVALID" /* SOCIAL_TOKEN_INVALID */,
-        error2.message || "OAuth callback failed"
-      );
-      this.eventEmitter.emit({ type: "oauth:error", data: authError, timestamp: Date.now() });
-      throw authError;
+      window.location.href = startUrl.toString();
     }
   }
   /**
-   * Get social auth URL (low-level API).
+   * Exchange an `exchangeToken` (from redirect callback URL) into an AuthResponse.
    *
-   * For most cases, use `loginWithSocial()` which handles state management automatically.
-   */
-  async getSocialAuthUrl(request) {
-    return this.post(this.config.endpoints.socialAuthUrl, request);
-  }
-  /**
-   * Handle social callback.
+   * Used for `tokenDelivery: 'json'` or hybrid flows where the backend redirects back
+   * with `exchangeToken` instead of setting cookies.
+   *
+   * @param exchangeToken - One-time exchange token from the callback URL
+   * @returns AuthResponse
    */
-  async handleSocialCallback(request) {
-    const result = await this.post(this.config.endpoints.socialCallback, request);
+  async exchangeSocialRedirect(exchangeToken) {
+    const token = exchangeToken?.trim();
+    if (!token) {
+      throw new NAuthClientError("CHALLENGE_INVALID" /* CHALLENGE_INVALID */, "Missing exchangeToken");
+    }
+    const result = await this.post(this.config.endpoints.socialExchange, { exchangeToken: token });
     await this.handleAuthResponse(result);
     return result;
   }
@@ -1235,7 +1174,9 @@ var NAuthClient = class {
       await this.setDeviceToken(response.deviceToken);
     }
     if (response.user) {
-      await this.setUser(response.user);
+      const user = response.user;
+      user.sessionAuthMethod = response.authMethod ?? null;
+      await this.setUser(user);
     }
     await this.clearChallenge();
   }
@@ -1307,6 +1248,15 @@ var NAuthClient = class {
         headers["Authorization"] = `Bearer ${accessToken}`;
       }
     }
+    if (this.config.tokenDelivery === "json") {
+      try {
+        const deviceToken = await this.config.storage.getItem(this.config.deviceTrust.storageKey);
+        if (deviceToken) {
+          headers[this.config.deviceTrust.headerName] = deviceToken;
+        }
+      } catch {
+      }
+    }
     if (this.config.tokenDelivery === "cookies" && hasWindow()) {
       const csrfToken = this.getCsrfToken();
       if (csrfToken) {