@sparkvault/sdk 1.23.2 → 1.23.4

package/dist/sparkvault.esm.js

@@ -1963,6 +1963,21 @@ function getStyles(options) {
       text-align: left;
       padding: 12px 14px;
       margin-bottom: 8px;
+      /* Inset 2px on either side so the focus outline (drawn outside the
+         border-box) has room to render without clipping against the
+         dialog's container edges. width:auto pairs with this to prevent
+         the row from forcing horizontal overflow. */
+      margin-left: 2px;
+      margin-right: 2px;
+      width: calc(100% - 4px);
+    }
+
+    /* The shared .sv-btn focus rule sets outline-offset:2px which sits
+       outside the row's edges and gets clipped by the parent. Method
+       rows are full-width by design, so render the focus indicator
+       flush against the border instead. */
+    .sv-btn-method:focus-visible {
+      outline-offset: 0;
     }
 
     .sv-btn-method:hover:not(:disabled) {
@@ -5446,14 +5461,9 @@ class IdentityRenderer {
         const currentMethod = this.verificationState.totp.method ?? 'email';
         const result = await this.totpHandler.verify(code);
         if (result.success && result.result) {
-            // Handle redirect for OIDC/simple mode flows
-            if (result.result.redirect) {
-                this.close();
-                window.location.href = result.result.redirect;
-                return;
-            }
-            // Check if we should prompt for passkey registration
-            if (await this.shouldShowPasskeyPrompt()) {
+            // Passkey upsell only when there's no redirect target — with one,
+            // we head to the destination immediately.
+            if (!result.result.redirect && await this.shouldShowPasskeyPrompt()) {
                 this.setState({
                     view: 'passkey-prompt',
                     email: this.recipient,
@@ -5462,7 +5472,18 @@ class IdentityRenderer {
                 return;
             }
             this.close();
-            this.callbacks.onSuccess(result.result);
+            // Hand the full result (including redirect) to the host first so the
+            // page-level handler can act before we navigate away.
+            try {
+                this.callbacks.onSuccess(result.result);
+            }
+            catch (err) {
+                // eslint-disable-next-line no-console
+                console.warn('[SparkVault SDK] onSuccess threw, continuing to redirect', err);
+            }
+            if (typeof result.result.redirect === 'string' && result.result.redirect) {
+                window.location.href = result.result.redirect;
+            }
         }
         else {
             // Check if error is expiry - auto-resend if so
@@ -5525,14 +5546,17 @@ class IdentityRenderer {
             ? await this.passkeyHandler.register()
             : await this.passkeyHandler.verify();
         if (result.success && result.result) {
-            // Handle redirect for OIDC/simple mode flows
-            if (result.result.redirect) {
-                this.close();
+            this.close();
+            try {
+                this.callbacks.onSuccess(result.result);
+            }
+            catch (err) {
+                // eslint-disable-next-line no-console
+                console.warn('[SparkVault SDK] onSuccess threw, continuing to redirect', err);
+            }
+            if (typeof result.result.redirect === 'string' && result.result.redirect) {
                 window.location.href = result.result.redirect;
-                return;
             }
-            this.close();
-            this.callbacks.onSuccess(result.result);
         }
         else {
             // Handle different error types
@@ -5570,14 +5594,17 @@ class IdentityRenderer {
         const pendingResult = this.verificationState.passkey.pendingResult;
         if (pendingResult) {
             this.verificationState.setPendingResult(null);
-            // Handle redirect for OIDC/simple mode flows
-            if (pendingResult.redirect) {
-                this.close();
+            this.close();
+            try {
+                this.callbacks.onSuccess(pendingResult);
+            }
+            catch (err) {
+                // eslint-disable-next-line no-console
+                console.warn('[SparkVault SDK] onSuccess threw, continuing to redirect', err);
+            }
+            if (typeof pendingResult.redirect === 'string' && pendingResult.redirect) {
                 window.location.href = pendingResult.redirect;
-                return;
             }
-            this.close();
-            this.callbacks.onSuccess(pendingResult);
         }
     }
     handleSocialLogin(provider) {
@@ -5659,15 +5686,18 @@ class IdentityRenderer {
         // Directly trigger passkey registration
         const result = await this.passkeyHandler.register();
         if (result.success && result.result) {
-            // Handle redirect for OIDC/simple mode flows
-            if (result.result.redirect) {
-                this.close();
-                window.location.href = result.result.redirect;
-                return;
-            }
             // Passkey created successfully - use the new token
             this.close();
-            this.callbacks.onSuccess(result.result);
+            try {
+                this.callbacks.onSuccess(result.result);
+            }
+            catch (err) {
+                // eslint-disable-next-line no-console
+                console.warn('[SparkVault SDK] onSuccess threw, continuing to redirect', err);
+            }
+            if (typeof result.result.redirect === 'string' && result.result.redirect) {
+                window.location.href = result.result.redirect;
+            }
         }
         else if (result.errorType === 'cancelled') {
             // User cancelled browser dialog - go back to prompt so they can skip or try again
@@ -5694,15 +5724,18 @@ class IdentityRenderer {
     handlePasskeyPromptSkip(pendingResult) {
         // Set 30-day cookie to suppress future prompts
         this.verificationState.dismissPasskeyPrompt();
-        // Handle redirect for OIDC/simple mode flows
-        if (pendingResult.redirect) {
-            this.close();
-            window.location.href = pendingResult.redirect;
-            return;
-        }
         // Complete the verification
         this.close();
-        this.callbacks.onSuccess(pendingResult);
+        try {
+            this.callbacks.onSuccess(pendingResult);
+        }
+        catch (err) {
+            // eslint-disable-next-line no-console
+            console.warn('[SparkVault SDK] onSuccess threw, continuing to redirect', err);
+        }
+        if (typeof pendingResult.redirect === 'string' && pendingResult.redirect) {
+            window.location.href = pendingResult.redirect;
+        }
     }
     /**
      * Open a WebSocket connection and return the connectionId.
@@ -5804,6 +5837,19 @@ class IdentityRenderer {
             catch {
                 return;
             }
+            // Diagnostic: dump the parsed message so we can see on the client
+            // EXACTLY what arrives. Keys + redirect prefix tell us whether the
+            // field made it across API Gateway. Remove once we've confirmed.
+            // eslint-disable-next-line no-console
+            console.info('[SparkVault SDK] sparklink WS message', {
+                type: data.type,
+                keys: Object.keys(data),
+                hasRedirect: typeof data.redirect === 'string',
+                redirectPrefix: typeof data.redirect === 'string'
+                    ? data.redirect.slice(0, 80)
+                    : null,
+                rawLength: event.data.length,
+            });
             switch (data.type) {
                 case 'sparklink_verified':
                     this.handleSparkLinkVerified({
@@ -5842,17 +5888,18 @@ class IdentityRenderer {
     }
     /**
      * Handle successful SparkLink verification via WebSocket push.
+     *
+     * Always invokes the host callback with the full result (including any
+     * redirect URL) before attempting top-level navigation. The host page
+     * is the source of truth for what should happen after verification:
+     * the SDK's window.location.href call is a fallback for hosts that
+     * delegate navigation entirely to the SDK.
      */
     async handleSparkLinkVerified(result) {
         this.cleanupSparkLink();
-        // Handle redirect for OIDC/simple mode flows
-        if (result.redirect) {
-            this.close();
-            window.location.href = result.redirect;
-            return;
-        }
-        // Check if we should prompt for passkey registration
-        if (await this.shouldShowPasskeyPrompt()) {
+        // Passkey upsell only when there's no redirect target — once we have
+        // a destination we go there immediately, no upsell.
+        if (!result.redirect && await this.shouldShowPasskeyPrompt()) {
             this.setState({
                 view: 'passkey-prompt',
                 email: this.recipient,
@@ -5861,7 +5908,22 @@ class IdentityRenderer {
             return;
         }
         this.close();
-        this.callbacks.onSuccess(result);
+        // Hand the full result (including redirect) to the host first so the
+        // page-level handler can do app-specific work (logging, navigation,
+        // etc.) before we steal the browsing context with a navigation.
+        try {
+            this.callbacks.onSuccess(result);
+        }
+        catch (err) {
+            // eslint-disable-next-line no-console
+            console.warn('[SparkVault SDK] onSuccess threw, continuing to redirect', err);
+        }
+        // SDK-side fallback navigation. If the host already navigated this is
+        // a no-op (the document is already unloading); if not, this rescues
+        // simple-mode flows whose host forgot to act on result.redirect.
+        if (typeof result.redirect === 'string' && result.redirect) {
+            window.location.href = result.redirect;
+        }
     }
     /**
      * Clean up SparkLink WebSocket connection.