@spidy092/auth-client 2.1.3 → 2.1.5
- package/core.js +9 -5
- package/package.json +1 -1
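--- a/package/core.js
+++ b/package/core.js
@@ -189,18 +189,22 @@ export function handleCallback() {
 if (accessToken) {
 setToken(accessToken);
 
-// ✅
-//
+// ✅ For HTTP development, store refresh token from URL
+// In HTTPS production, refresh token is in httpOnly cookie (more secure)
 const refreshTokenInUrl = params.get('refresh_token');
 if (refreshTokenInUrl) {
-
-
+const isHttpDev = typeof window !== 'undefined' && window.location?.protocol === 'http:';
+if (isHttpDev) {
+console.log('📦 HTTP dev mode: Storing refresh token from callback URL');
+setRefreshToken(refreshTokenInUrl);
+} else {
+console.log('🔒 HTTPS mode: Refresh token is in httpOnly cookie (ignoring URL param)');
+}
 }
 
 const url = new URL(window.location);
 url.searchParams.delete('access_token');
 url.searchParams.delete('refresh_token');
-url.searchParams.delete('refresh_token');
 url.searchParams.delete('state');
 url.searchParams.delete('error');
 url.searchParams.delete('error_description');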
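Review bot: The `isHttpDev` check on new line 196 treats every page loaded over `http:` as a development environment, so a production deployment reached over plain HTTP would still take the refresh token from the query string and hand it to `setRefreshToken`, which presumably keeps it somewhere script-readable (its storage is not visible here). Tie the dev path to a loopback host as well, e.g. `const isHttpDev = typeof window !== 'undefined' && window.location?.protocol === 'http:' && ['localhost', '127.0.0.1', '[::1]'].includes(window.location.hostname);`, or gate it behind an explicit client config flag. In the HTTPS branch the token is ignored but has already travelled in the callback URL, where it can reach browser history, Referer headers and server logs before the `searchParams.delete` calls run, so the issuer should stop appending `refresh_token` whenever the httpOnly cookie is in use. The two `console.log` calls ship in a library and run on every callback; consider putting them behind a debug option. `handleCallback` starts and ends outside this hunk.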