@nauth-toolkit/client 0.1.18 → 0.1.22

package/dist/angular/index.mjs

@@ -193,12 +193,12 @@ var defaultEndpoints = {
   mfaPreferred: "/mfa/preferred-method",
   mfaBackupCodes: "/mfa/backup-codes/generate",
   mfaExemption: "/mfa/exemption",
-  socialAuthUrl: "/social/auth-url",
-  socialCallback: "/social/callback",
   socialLinked: "/social/linked",
   socialLink: "/social/link",
   socialUnlink: "/social/unlink",
   socialVerify: "/social/:provider/verify",
+  socialRedirectStart: "/social/:provider/redirect",
+  socialExchange: "/social/exchange",
   trustDevice: "/trust-device",
   isTrustedDevice: "/is-trusted-device",
   auditHistory: "/audit/history",
@@ -350,6 +350,9 @@ var _BrowserStorage = class _BrowserStorage {
   async removeItem(key) {
     this.storage.removeItem(key);
   }
+  async clear() {
+    this.storage.clear();
+  }
 };
 __name(_BrowserStorage, "BrowserStorage");
 var BrowserStorage = _BrowserStorage;
@@ -368,6 +371,9 @@ var _InMemoryStorage = class _InMemoryStorage {
   async removeItem(key) {
     this.store.delete(key);
   }
+  async clear() {
+    this.store.clear();
+  }
 };
 __name(_InMemoryStorage, "InMemoryStorage");
 var InMemoryStorage = _InMemoryStorage;
@@ -492,9 +498,9 @@ var _FetchAdapter = class _FetchAdapter {
     });
     if (!response.ok) {
       const errorData = typeof data === "object" && data !== null ? data : {};
-      const code = typeof errorData["code"] === "string" ? errorData.code : "INTERNAL_ERROR" /* INTERNAL_ERROR */;
-      const message = typeof errorData["message"] === "string" ? errorData.message : `Request failed with status ${status}`;
-      const timestamp = typeof errorData["timestamp"] === "string" ? errorData.timestamp : void 0;
+      const code = typeof errorData["code"] === "string" ? errorData["code"] : "INTERNAL_ERROR" /* INTERNAL_ERROR */;
+      const message = typeof errorData["message"] === "string" ? errorData["message"] : `Request failed with status ${status}`;
+      const timestamp = typeof errorData["timestamp"] === "string" ? errorData["timestamp"] : void 0;
       const details = errorData["details"];
       throw new NAuthClientError(code, message, {
         statusCode: status,
@@ -808,7 +814,9 @@ var _NAuthClient = class _NAuthClient {
    */
   async confirmForgotPassword(identifier, code, newPassword) {
     const payload = { identifier, code, newPassword };
-    return this.post(this.config.endpoints.confirmForgotPassword, payload);
+    const result = await this.post(this.config.endpoints.confirmForgotPassword, payload);
+    await this.clearAuthState(false);
+    return result;
   }
   /**
    * Request password change (must change on next login).
@@ -918,126 +926,57 @@ var _NAuthClient = class _NAuthClient {
   // Social Authentication
   // ============================================================================
   /**
-   * Start social OAuth flow with automatic state management.
+   * Start redirect-first social OAuth flow (web).
+   *
+   * This performs a browser navigation to:
+   * `GET {baseUrl}/social/:provider/redirect?returnTo=...&appState=...`
    *
-   * Generates a secure state token, stores OAuth context, and redirects to the OAuth provider.
-   * After OAuth callback, use `handleOAuthCallback()` to complete authentication.
+   * The backend:
+   * - generates and stores CSRF state (cluster-safe)
+   * - redirects the user to the provider
+   * - completes OAuth on callback and sets cookies (or issues an exchange token)
+   * - redirects back to `returnTo` with `appState` (and `exchangeToken` for json/hybrid)
    *
    * @param provider - OAuth provider ('google', 'apple', 'facebook')
-   * @param options - Optional configuration
+   * @param options - Optional redirect options
    *
    * @example
    * ```typescript
-   * // Simple usage
-   * await client.loginWithSocial('google');
-   *
-   * // With custom redirect URI
-   * await client.loginWithSocial('apple', {
-   *   redirectUri: 'https://example.com/auth/callback'
-   * });
+   * await client.loginWithSocial('google', { returnTo: '/auth/callback', appState: '12345' });
    * ```
    */
-  async loginWithSocial(provider, _options) {
+  async loginWithSocial(provider, options) {
     this.eventEmitter.emit({ type: "oauth:started", data: { provider }, timestamp: Date.now() });
-    const { url } = await this.getSocialAuthUrl({ provider });
     if (hasWindow()) {
-      window.location.href = url;
-    }
-  }
-  /**
-   * Auto-detect and handle OAuth callback.
-   *
-   * Call this on app initialization or in callback route.
-   * Returns null if not an OAuth callback (no provider/code params).
-   *
-   * The SDK validates the state token, completes authentication via backend,
-   * and emits appropriate events.
-   *
-   * @param urlOrParams - Optional URL string or URLSearchParams (auto-detects from window.location if not provided)
-   * @returns AuthResponse if OAuth callback detected, null otherwise
-   *
-   * @example
-   * ```typescript
-   * // Auto-detect on app init
-   * const response = await client.handleOAuthCallback();
-   * if (response) {
-   *   if (response.challengeName) {
-   *     router.navigate(['/challenge', response.challengeName]);
-   *   } else {
-   *     router.navigate(['/']); // Navigate to your app's home route
-   *   }
-   * }
-   *
-   * // In callback route
-   * const response = await client.handleOAuthCallback(window.location.search);
-   * ```
-   */
-  async handleOAuthCallback(urlOrParams) {
-    let params;
-    if (urlOrParams instanceof URLSearchParams) {
-      params = urlOrParams;
-    } else if (typeof urlOrParams === "string") {
-      params = new URLSearchParams(urlOrParams);
-    } else if (hasWindow()) {
-      params = new URLSearchParams(window.location.search);
-    } else {
-      return null;
-    }
-    const provider = params.get("provider");
-    const code = params.get("code");
-    const state = params.get("state");
-    const error = params.get("error");
-    if (!provider || !code && !error) {
-      return null;
-    }
-    this.eventEmitter.emit({ type: "oauth:callback", data: { provider }, timestamp: Date.now() });
-    try {
-      if (error) {
-        const authError = new NAuthClientError(
-          "SOCIAL_TOKEN_INVALID" /* SOCIAL_TOKEN_INVALID */,
-          params.get("error_description") || error,
-          { details: { error, provider } }
-        );
-        this.eventEmitter.emit({ type: "oauth:error", data: authError, timestamp: Date.now() });
-        throw authError;
+      const startPath = this.config.endpoints.socialRedirectStart.replace(":provider", provider);
+      const base = this.config.baseUrl.replace(/\/$/, "");
+      const startUrl = new URL(`${base}${startPath}`);
+      const returnTo = options?.returnTo ?? this.config.redirects?.success ?? "/";
+      startUrl.searchParams.set("returnTo", returnTo);
+      if (options?.action === "link") {
+        startUrl.searchParams.set("action", "link");
       }
-      if (!state) {
-        throw new NAuthClientError("CHALLENGE_INVALID" /* CHALLENGE_INVALID */, "Missing OAuth state parameter");
+      if (typeof options?.appState === "string" && options.appState.trim() !== "") {
+        startUrl.searchParams.set("appState", options.appState);
       }
-      const response = await this.handleSocialCallback({
-        provider,
-        code,
-        state
-      });
-      if (response.challengeName) {
-        this.eventEmitter.emit({ type: "auth:challenge", data: response, timestamp: Date.now() });
-      } else {
-        this.eventEmitter.emit({ type: "auth:success", data: response, timestamp: Date.now() });
-      }
-      this.eventEmitter.emit({ type: "oauth:completed", data: response, timestamp: Date.now() });
-      return response;
-    } catch (error2) {
-      const authError = error2 instanceof NAuthClientError ? error2 : new NAuthClientError(
-        "SOCIAL_TOKEN_INVALID" /* SOCIAL_TOKEN_INVALID */,
-        error2.message || "OAuth callback failed"
-      );
-      this.eventEmitter.emit({ type: "oauth:error", data: authError, timestamp: Date.now() });
-      throw authError;
+      window.location.href = startUrl.toString();
     }
   }
   /**
-   * Get social auth URL (low-level API).
+   * Exchange an `exchangeToken` (from redirect callback URL) into an AuthResponse.
    *
-   * For most cases, use `loginWithSocial()` which handles state management automatically.
-   */
-  async getSocialAuthUrl(request) {
-    return this.post(this.config.endpoints.socialAuthUrl, request);
-  }
-  /**
-   * Handle social callback.
+   * Used for `tokenDelivery: 'json'` or hybrid flows where the backend redirects back
+   * with `exchangeToken` instead of setting cookies.
+   *
+   * @param exchangeToken - One-time exchange token from the callback URL
+   * @returns AuthResponse
    */
-  async handleSocialCallback(request) {
-    const result = await this.post(this.config.endpoints.socialCallback, request);
+  async exchangeSocialRedirect(exchangeToken) {
+    const token = exchangeToken?.trim();
+    if (!token) {
+      throw new NAuthClientError("CHALLENGE_INVALID" /* CHALLENGE_INVALID */, "Missing exchangeToken");
+    }
+    const result = await this.post(this.config.endpoints.socialExchange, { exchangeToken: token });
     await this.handleAuthResponse(result);
     return result;
   }
@@ -1226,7 +1165,9 @@ var _NAuthClient = class _NAuthClient {
       await this.setDeviceToken(response.deviceToken);
     }
     if (response.user) {
-      await this.setUser(response.user);
+      const user = response.user;
+      user.sessionAuthMethod = response.authMethod ?? null;
+      await this.setUser(user);
     }
     await this.clearChallenge();
   }
@@ -1298,6 +1239,15 @@ var _NAuthClient = class _NAuthClient {
         headers["Authorization"] = `Bearer ${accessToken}`;
       }
     }
+    if (this.config.tokenDelivery === "json") {
+      try {
+        const deviceToken = await this.config.storage.getItem(this.config.deviceTrust.storageKey);
+        if (deviceToken) {
+          headers[this.config.deviceTrust.headerName] = deviceToken;
+        }
+      } catch {
+      }
+    }
     if (this.config.tokenDelivery === "cookies" && hasWindow()) {
       const csrfToken = this.getCsrfToken();
       if (csrfToken) {
@@ -1546,6 +1496,22 @@ var AuthService = class {
   refresh() {
     return from(this.client.refreshTokens());
   }
+  /**
+   * Refresh tokens (promise-based).
+   *
+   * Returns a promise instead of an Observable, matching the core NAuthClient API.
+   * Useful for async/await patterns in guards and interceptors.
+   *
+   * @returns Promise of TokenResponse
+   *
+   * @example
+   * ```typescript
+   * const tokens = await auth.refreshTokensPromise();
+   * ```
+   */
+  refreshTokensPromise() {
+    return this.client.refreshTokens();
+  }
   // ============================================================================
   // Account Recovery (Forgot Password)
   // ============================================================================
@@ -1561,6 +1527,95 @@ var AuthService = class {
   confirmForgotPassword(identifier, code, newPassword) {
     return from(this.client.confirmForgotPassword(identifier, code, newPassword));
   }
+  /**
+   * Change user password (requires current password).
+   *
+   * @param oldPassword - Current password
+   * @param newPassword - New password (must meet requirements)
+   * @returns Observable that completes when password is changed
+   *
+   * @example
+   * ```typescript
+   * this.auth.changePassword('oldPassword123', 'newSecurePassword456!').subscribe({
+   *   next: () => console.log('Password changed successfully'),
+   *   error: (err) => console.error('Failed to change password:', err)
+   * });
+   * ```
+   */
+  changePassword(oldPassword, newPassword) {
+    return from(this.client.changePassword(oldPassword, newPassword));
+  }
+  /**
+   * Request password change (must change on next login).
+   *
+   * @returns Observable that completes when request is sent
+   */
+  requestPasswordChange() {
+    return from(this.client.requestPasswordChange());
+  }
+  // ============================================================================
+  // Profile Management
+  // ============================================================================
+  /**
+   * Get current user profile.
+   *
+   * @returns Observable of current user profile
+   *
+   * @example
+   * ```typescript
+   * this.auth.getProfile().subscribe(user => {
+   *   console.log('User profile:', user);
+   * });
+   * ```
+   */
+  getProfile() {
+    return from(
+      this.client.getProfile().then((user) => {
+        this.currentUserSubject.next(user);
+        return user;
+      })
+    );
+  }
+  /**
+   * Get current user profile (promise-based).
+   *
+   * Returns a promise instead of an Observable, matching the core NAuthClient API.
+   * Useful for async/await patterns in guards and interceptors.
+   *
+   * @returns Promise of current user profile
+   *
+   * @example
+   * ```typescript
+   * const user = await auth.getProfilePromise();
+   * ```
+   */
+  getProfilePromise() {
+    return this.client.getProfile().then((user) => {
+      this.currentUserSubject.next(user);
+      return user;
+    });
+  }
+  /**
+   * Update user profile.
+   *
+   * @param updates - Profile fields to update
+   * @returns Observable of updated user profile
+   *
+   * @example
+   * ```typescript
+   * this.auth.updateProfile({ firstName: 'John', lastName: 'Doe' }).subscribe(user => {
+   *   console.log('Profile updated:', user);
+   * });
+   * ```
+   */
+  updateProfile(updates) {
+    return from(
+      this.client.updateProfile(updates).then((user) => {
+        this.currentUserSubject.next(user);
+        return user;
+      })
+    );
+  }
   // ============================================================================
   // Challenge Flow Methods (Essential for any auth flow)
   // ============================================================================
@@ -1617,26 +1672,189 @@ var AuthService = class {
   // ============================================================================
   /**
    * Initiate social OAuth login flow.
-   * Redirects to OAuth provider with automatic state management.
+   * Redirects the browser to backend `/auth/social/:provider/redirect`.
    */
   loginWithSocial(provider, options) {
     return this.client.loginWithSocial(provider, options);
   }
   /**
-   * Get social auth URL to redirect user for OAuth (low-level API).
+   * Exchange an exchangeToken (from redirect callback URL) into an AuthResponse.
+   *
+   * Used for `tokenDelivery: 'json'` or hybrid flows where the backend redirects back
+   * with `exchangeToken` instead of setting cookies.
+   *
+   * @param exchangeToken - One-time exchange token from the callback URL
+   * @returns Observable of AuthResponse
    */
-  getSocialAuthUrl(provider, redirectUri) {
-    return from(
-      this.client.getSocialAuthUrl({ provider, redirectUri })
-    );
+  exchangeSocialRedirect(exchangeToken) {
+    return from(this.client.exchangeSocialRedirect(exchangeToken).then((res) => this.updateChallengeState(res)));
   }
   /**
-   * Handle social auth callback (low-level API).
+   * Exchange an exchangeToken (from redirect callback URL) into an AuthResponse (promise-based).
+   *
+   * Returns a promise instead of an Observable, matching the core NAuthClient API.
+   * Useful for async/await patterns in guards and interceptors.
+   *
+   * @param exchangeToken - One-time exchange token from the callback URL
+   * @returns Promise of AuthResponse
+   *
+   * @example
+   * ```typescript
+   * const response = await auth.exchangeSocialRedirectPromise(exchangeToken);
+   * ```
    */
-  handleSocialCallback(provider, code, state) {
-    return from(
-      this.client.handleSocialCallback({ provider, code, state }).then((res) => this.updateChallengeState(res))
-    );
+  exchangeSocialRedirectPromise(exchangeToken) {
+    return this.client.exchangeSocialRedirect(exchangeToken).then((res) => this.updateChallengeState(res));
+  }
+  /**
+   * Verify native social token (mobile).
+   *
+   * @param request - Social verification request with provider and token
+   * @returns Observable of AuthResponse
+   */
+  verifyNativeSocial(request) {
+    return from(this.client.verifyNativeSocial(request).then((res) => this.updateChallengeState(res)));
+  }
+  /**
+   * Get linked social accounts.
+   *
+   * @returns Observable of linked accounts response
+   */
+  getLinkedAccounts() {
+    return from(this.client.getLinkedAccounts());
+  }
+  /**
+   * Link social account.
+   *
+   * @param provider - Social provider to link
+   * @param code - OAuth authorization code
+   * @param state - OAuth state parameter
+   * @returns Observable with success message
+   */
+  linkSocialAccount(provider, code, state) {
+    return from(this.client.linkSocialAccount(provider, code, state));
+  }
+  /**
+   * Unlink social account.
+   *
+   * @param provider - Social provider to unlink
+   * @returns Observable with success message
+   */
+  unlinkSocialAccount(provider) {
+    return from(this.client.unlinkSocialAccount(provider));
+  }
+  // ============================================================================
+  // MFA Management
+  // ============================================================================
+  /**
+   * Get MFA status for the current user.
+   *
+   * @returns Observable of MFA status
+   */
+  getMfaStatus() {
+    return from(this.client.getMfaStatus());
+  }
+  /**
+   * Get MFA devices for the current user.
+   *
+   * @returns Observable of MFA devices array
+   */
+  getMfaDevices() {
+    return from(this.client.getMfaDevices());
+  }
+  /**
+   * Setup MFA device (authenticated user).
+   *
+   * @param method - MFA method to set up
+   * @returns Observable of setup data
+   */
+  setupMfaDevice(method) {
+    return from(this.client.setupMfaDevice(method));
+  }
+  /**
+   * Verify MFA setup (authenticated user).
+   *
+   * @param method - MFA method
+   * @param setupData - Setup data from setupMfaDevice
+   * @param deviceName - Optional device name
+   * @returns Observable with device ID
+   */
+  verifyMfaSetup(method, setupData, deviceName) {
+    return from(this.client.verifyMfaSetup(method, setupData, deviceName));
+  }
+  /**
+   * Remove MFA device.
+   *
+   * @param method - MFA method to remove
+   * @returns Observable with success message
+   */
+  removeMfaDevice(method) {
+    return from(this.client.removeMfaDevice(method));
+  }
+  /**
+   * Set preferred MFA method.
+   *
+   * @param method - Device method to set as preferred ('totp', 'sms', 'email', or 'passkey')
+   * @returns Observable with success message
+   */
+  setPreferredMfaMethod(method) {
+    return from(this.client.setPreferredMfaMethod(method));
+  }
+  /**
+   * Generate backup codes.
+   *
+   * @returns Observable of backup codes array
+   */
+  generateBackupCodes() {
+    return from(this.client.generateBackupCodes());
+  }
+  /**
+   * Set MFA exemption (admin/test scenarios).
+   *
+   * @param exempt - Whether to exempt user from MFA
+   * @param reason - Optional reason for exemption
+   * @returns Observable that completes when exemption is set
+   */
+  setMfaExemption(exempt, reason) {
+    return from(this.client.setMfaExemption(exempt, reason));
+  }
+  // ============================================================================
+  // Device Trust
+  // ============================================================================
+  /**
+   * Trust current device.
+   *
+   * @returns Observable with device token
+   */
+  trustDevice() {
+    return from(this.client.trustDevice());
+  }
+  /**
+   * Check if the current device is trusted.
+   *
+   * @returns Observable with trusted status
+   */
+  isTrustedDevice() {
+    return from(this.client.isTrustedDevice());
+  }
+  // ============================================================================
+  // Audit History
+  // ============================================================================
+  /**
+   * Get paginated audit history for the current user.
+   *
+   * @param params - Query parameters for filtering and pagination
+   * @returns Observable of audit history response
+   *
+   * @example
+   * ```typescript
+   * this.auth.getAuditHistory({ page: 1, limit: 20, eventType: 'LOGIN_SUCCESS' }).subscribe(history => {
+   *   console.log('Audit history:', history);
+   * });
+   * ```
+   */
+  getAuditHistory(params) {
+    return from(this.client.getAuditHistory(params));
   }
   // ============================================================================
   // Escape Hatch
@@ -1644,20 +1862,19 @@ var AuthService = class {
   /**
    * Expose underlying NAuthClient for advanced scenarios.
    *
-   * Use this for operations not directly exposed by this service:
-   * - Profile management (getProfile, updateProfile)
-   * - MFA management (getMfaStatus, setupMfaDevice, etc.)
-   * - Social account linking (linkSocialAccount, unlinkSocialAccount)
-   * - Audit history (getAuditHistory)
-   * - Device trust (trustDevice)
+   * @deprecated All core functionality is now exposed directly on AuthService as Observables.
+   * Use the direct methods on AuthService instead (e.g., `auth.changePassword()` instead of `auth.getClient().changePassword()`).
+   * This method is kept for backward compatibility only and may be removed in a future version.
+   *
+   * @returns The underlying NAuthClient instance
    *
    * @example
    * ```typescript
-   * // Get MFA status
+   * // Deprecated - use direct methods instead
    * const status = await this.auth.getClient().getMfaStatus();
    *
-   * // Update profile
-   * const user = await this.auth.getClient().updateProfile({ firstName: 'John' });
+   * // Preferred - use Observable-based methods
+   * this.auth.getMfaStatus().subscribe(status => ...);
    * ```
    */
   getClient() {
@@ -1736,12 +1953,11 @@ var authInterceptor = /* @__PURE__ */ __name((req, next) => {
   const refreshPath = endpoints.refresh ?? "/refresh";
   const loginPath = endpoints.login ?? "/login";
   const signupPath = endpoints.signup ?? "/signup";
-  const socialAuthUrlPath = endpoints.socialAuthUrl ?? "/social/auth-url";
-  const socialCallbackPath = endpoints.socialCallback ?? "/social/callback";
+  const socialExchangePath = endpoints.socialExchange ?? "/social/exchange";
   const refreshUrl = `${baseUrl}${refreshPath}`;
   const isAuthApiRequest = req.url.includes(baseUrl);
   const isRefreshEndpoint = req.url.includes(refreshPath);
-  const isPublicEndpoint = req.url.includes(loginPath) || req.url.includes(signupPath) || req.url.includes(socialAuthUrlPath) || req.url.includes(socialCallbackPath);
+  const isPublicEndpoint = req.url.includes(loginPath) || req.url.includes(signupPath) || req.url.includes(socialExchangePath);
   let authReq = req;
   if (tokenDelivery === "cookies") {
     authReq = authReq.clone({ withCredentials: true });
@@ -1769,7 +1985,7 @@ var authInterceptor = /* @__PURE__ */ __name((req, next) => {
         if (config.debug) {
           console.warn("[nauth-interceptor] Starting refresh...");
         }
-        const refresh$ = tokenDelivery === "cookies" ? http.post(refreshUrl, {}, { withCredentials: true }) : from2(authService.getClient().refreshTokens());
+        const refresh$ = tokenDelivery === "cookies" ? http.post(refreshUrl, {}, { withCredentials: true }) : from2(authService.refreshTokensPromise());
         return refresh$.pipe(
           switchMap((response) => {
             if (config.debug) {
@@ -1876,10 +2092,10 @@ var _AuthGuard = class _AuthGuard {
 __name(_AuthGuard, "AuthGuard");
 var AuthGuard = _AuthGuard;
 
-// src/angular/oauth-callback.guard.ts
+// src/angular/social-redirect-callback.guard.ts
 import { inject as inject5, PLATFORM_ID as PLATFORM_ID2 } from "@angular/core";
 import { isPlatformBrowser as isPlatformBrowser2 } from "@angular/common";
-var oauthCallbackGuard = /* @__PURE__ */ __name(async () => {
+var socialRedirectCallbackGuard = /* @__PURE__ */ __name(async () => {
   const auth = inject5(AuthService);
   const config = inject5(NAUTH_CLIENT_CONFIG);
   const platformId = inject5(PLATFORM_ID2);
@@ -1887,38 +2103,37 @@ var oauthCallbackGuard = /* @__PURE__ */ __name(async () => {
   if (!isBrowser) {
     return false;
   }
-  try {
-    const response = await auth.getClient().handleOAuthCallback();
-    if (!response) {
-      const homeUrl = config.redirects?.success || "/";
-      window.location.replace(homeUrl);
-      return false;
-    }
-    if (response.challengeName) {
-      const challengeBase = config.redirects?.challengeBase || "/auth/challenge";
-      const challengeRoute = response.challengeName.toLowerCase().replace(/_/g, "-");
-      const challengePath = `${challengeBase}/${challengeRoute}`;
-      if (config.debug) {
-        console.warn("[oauth-callback-guard] Redirecting to challenge:", challengePath);
-      }
-      window.location.replace(challengePath);
-    } else {
-      const successUrl = config.redirects?.success || "/";
-      if (config.debug) {
-        console.warn("[oauth-callback-guard] Redirecting to success URL:", successUrl);
-      }
-      window.location.replace(successUrl);
-    }
-  } catch (error) {
-    console.error("[oauth-callback-guard] OAuth callback failed:", error);
+  const params = new URLSearchParams(window.location.search);
+  const error = params.get("error");
+  const exchangeToken = params.get("exchangeToken");
+  if (error) {
     const errorUrl = config.redirects?.oauthError || "/login";
-    if (config.debug) {
-      console.warn("[oauth-callback-guard] Redirecting to error URL:", errorUrl);
-    }
     window.location.replace(errorUrl);
+    return false;
+  }
+  if (!exchangeToken) {
+    try {
+      await auth.getProfilePromise();
+    } catch {
+      const errorUrl = config.redirects?.oauthError || "/login";
+      window.location.replace(errorUrl);
+      return false;
+    }
+    const successUrl2 = config.redirects?.success || "/";
+    window.location.replace(successUrl2);
+    return false;
+  }
+  const response = await auth.exchangeSocialRedirectPromise(exchangeToken);
+  if (response.challengeName) {
+    const challengeBase = config.redirects?.challengeBase || "/auth/challenge";
+    const challengeRoute = response.challengeName.toLowerCase().replace(/_/g, "-");
+    window.location.replace(`${challengeBase}/${challengeRoute}`);
+    return false;
   }
+  const successUrl = config.redirects?.success || "/";
+  window.location.replace(successUrl);
   return false;
-}, "oauthCallbackGuard");
+}, "socialRedirectCallbackGuard");
 
 // src/angular/auth.module.ts
 import { NgModule } from "@angular/core";
@@ -1952,6 +2167,6 @@ export {
   NAuthModule,
   authGuard,
   authInterceptor,
-  oauthCallbackGuard
+  socialRedirectCallbackGuard
 };
 //# sourceMappingURL=index.mjs.map