@stackframe/tanstack-start 2.8.93 → 2.8.94

package/dist/lib/stack-app/apps/implementations/client-app-impl.js

@@ -21,6 +21,7 @@ let _simplewebauthn_browser = require("@simplewebauthn/browser");
 let _stackframe_stack_shared_dist_sessions = require("@stackframe/stack-shared/dist/sessions");
 let _stackframe_stack_shared_dist_utils_json = require("@stackframe/stack-shared/dist/utils/json");
 let _stackframe_stack_shared_dist_utils_maps = require("@stackframe/stack-shared/dist/utils/maps");
+let _stackframe_stack_shared_dist_utils_redirect_urls = require("@stackframe/stack-shared/dist/utils/redirect-urls");
 let _stackframe_stack_shared_dist_utils_stores = require("@stackframe/stack-shared/dist/utils/stores");
 let _stackframe_stack_shared_dist_utils_turnstile_flow = require("@stackframe/stack-shared/dist/utils/turnstile-flow");
 let _stackframe_stack_shared_dist_utils_uuids = require("@stackframe/stack-shared/dist/utils/uuids");
@@ -45,6 +46,24 @@ let ____________dev_tool_index_js = require("../../../../dev-tool/index.js");
 
 //#region src/lib/stack-app/apps/implementations/client-app-impl.ts
 const prefetchedCrossDomainHandoffTtlMs = 3300 * 1e3;
+const nestedCrossDomainAuthQueryParams = {
+	refreshTokenId: "stack_nested_cross_domain_auth_refresh_token_id",
+	callbackUrl: "stack_nested_cross_domain_auth_callback_url",
+	redirectUri: "redirect_uri",
+	state: "state",
+	codeChallenge: "code_challenge",
+	codeChallengeMethod: "code_challenge_method",
+	afterCallbackRedirectUrl: "after_callback_redirect_url"
+};
+const oauthCallbackResponseQueryParams = [
+	"code",
+	"state",
+	"error",
+	"error_description",
+	"errorCode",
+	"message",
+	"details"
+];
 const allClientApps = /* @__PURE__ */ new Map();
 const STACK_AUTHORIZATION_VALUE_PREFIX = "stackauth_";
 function getAuthorizationHeaderValueFromAuthJson(authJson) {
@@ -112,7 +131,7 @@ var _StackClientAppImplIncomplete = class _StackClientAppImplIncomplete {
         `);
 			const location = await (0, _________auth_js.getNewOAuthProviderOrScopeUrl)(this._interface, {
 				provider: options.providerId,
-				redirectUrl: this.urls.oauthCallback,
+				redirectUrl: this._getOAuthCallbackRedirectUri(),
 				errorRedirectUrl: this.urls.error,
 				providerScope: (0, _stackframe_stack_shared_dist_utils_strings.mergeScopeStrings)(options.scope || "", (this._oauthScopesOnSignIn[options.providerId] ?? []).join(" "))
 			}, options.session);
@@ -247,7 +266,7 @@ var _StackClientAppImplIncomplete = class _StackClientAppImplIncomplete {
 			for (const account of matchingAccounts) if ((await account.getAccessToken({ scopes })).status === "ok") return account;
 			const location = await (0, _________auth_js.getNewOAuthProviderOrScopeUrl)(this._interface, {
 				provider,
-				redirectUrl: this.urls.oauthCallback,
+				redirectUrl: this._getOAuthCallbackRedirectUri(),
 				errorRedirectUrl: this.urls.error,
 				providerScope: (0, _stackframe_stack_shared_dist_utils_strings.mergeScopeStrings)(scopeString, (this._oauthScopesOnSignIn[provider] ?? []).join(" "))
 			}, session);
@@ -351,6 +370,7 @@ var _StackClientAppImplIncomplete = class _StackClientAppImplIncomplete {
 		this._prefetchedCrossDomainHandoffParams = null;
 		this._prefetchedCrossDomainHandoffParamsFetchedAt = 0;
 		this._isPrefetchingCrossDomainHandoffParams = false;
+		this._pendingAuthResolutionPromises = [];
 		this._memoryTokenStore = (0, __common_js.createEmptyTokenStore)();
 		this._nextServerCookiesTokenStores = /* @__PURE__ */ new WeakMap();
 		this._requestTokenStores = /* @__PURE__ */ new WeakMap();
@@ -420,6 +440,12 @@ var _StackClientAppImplIncomplete = class _StackClientAppImplIncomplete {
 			});
 			this._eventTracker.start();
 		}
+		if ((0, _stackframe_stack_shared_dist_utils_env.isBrowserLike)() && this._isOAuthCallbackUrlHosted() && this._currentUrlLooksLikeStackOAuthCallback()) this._trackPendingAuthResolution(async () => {
+			if ((0, _stackframe_stack_shared_dist_utils_env.isBrowserLike)()) await this.callOAuthCallback({ dontWarnAboutMissingQueryParams: true });
+		});
+		if ((0, _stackframe_stack_shared_dist_utils_env.isBrowserLike)()) this._trackPendingAuthResolution(async () => {
+			await this._maybeHandleNestedCrossDomainAuth();
+		});
 		if ((0, _stackframe_stack_shared_dist_utils_env.isBrowserLike)() && resolvedOptions.devTool !== false) (0, ____________dev_tool_index_js.mountDevTool)(this);
 	}
 	_initUniqueIdentifier() {
@@ -427,6 +453,126 @@ var _StackClientAppImplIncomplete = class _StackClientAppImplIncomplete {
 		if (allClientApps.has(this._uniqueIdentifier)) throw new _stackframe_stack_shared_dist_utils_errors.StackAssertionError("A Stack client app with the same unique identifier already exists");
 		allClientApps.set(this._uniqueIdentifier, [this._extraOptions?.checkString ?? void 0, this]);
 	}
+	_trackPendingAuthResolution(callback) {
+		const promise = (async () => {
+			await Promise.resolve();
+			try {
+				await callback();
+			} catch (error) {
+				(0, _stackframe_stack_shared_dist_utils_errors.captureError)("pending-auth-resolution-failed", error);
+			}
+		})();
+		this._pendingAuthResolutionPromises.push(promise);
+		(0, _stackframe_stack_shared_dist_utils_promises.runAsynchronously)(async () => {
+			try {
+				await promise;
+			} finally {
+				this._pendingAuthResolutionPromises = this._pendingAuthResolutionPromises.filter((p) => p !== promise);
+			}
+		});
+	}
+	async _awaitPendingAuthResolutions(overrideTokenStoreInit, options) {
+		if (options?.awaitPendingAuthResolutions === false || overrideTokenStoreInit !== void 0 || !this._hasPersistentTokenStore() || this._pendingAuthResolutionPromises.length === 0) return;
+		await Promise.all(this._pendingAuthResolutionPromises);
+	}
+	_usePendingAuthResolutions(overrideTokenStoreInit) {
+		if (overrideTokenStoreInit !== void 0 || !this._hasPersistentTokenStore() || this._pendingAuthResolutionPromises.length === 0) return;
+		(0, _stackframe_stack_shared_dist_utils_react.use)(Promise.all(this._pendingAuthResolutionPromises));
+	}
+	_isOAuthCallbackUrlHosted() {
+		const oauthCallbackTarget = this._urlOptions.oauthCallback ?? this._urlOptions.default;
+		return typeof oauthCallbackTarget !== "string" && oauthCallbackTarget?.type === "hosted";
+	}
+	_currentUrlLooksLikeOAuthCallback() {
+		if (typeof window === "undefined") return false;
+		const currentUrl = new URL(window.location.href);
+		return currentUrl.searchParams.has("code") && currentUrl.searchParams.has("state") || currentUrl.searchParams.has("errorCode") && currentUrl.searchParams.has("message");
+	}
+	_currentUrlLooksLikeStackOAuthCallback() {
+		if (typeof window === "undefined") return false;
+		const currentUrl = new URL(window.location.href);
+		const state = currentUrl.searchParams.get("state");
+		if (!currentUrl.searchParams.has("code") || state == null) return false;
+		return (0, _________cookie_js.getCookieClient)(`stack-oauth-outer-${state}`) != null;
+	}
+	_getOAuthCallbackRedirectUri() {
+		if (!this._isOAuthCallbackUrlHosted()) return this.urls.oauthCallback;
+		if (typeof window === "undefined") throw new _stackframe_stack_shared_dist_utils_errors.StackAssertionError("Hosted OAuth callback URLs require a browser environment to use the current URL as the redirect URI");
+		const currentUrl = new URL(window.location.href);
+		for (const param of oauthCallbackResponseQueryParams) currentUrl.searchParams.delete(param);
+		return currentUrl.toString();
+	}
+	async _getCurrentRefreshTokenIdIfSignedIn(options) {
+		const tokens = await (await this._getSession(void 0, options)).getOrFetchLikelyValidTokens(0, null);
+		if (tokens?.refreshToken == null) return null;
+		return tokens.accessToken.payload.refresh_token_id;
+	}
+	async _addNestedCrossDomainAuthParamsToRedirectUrl(options) {
+		const targetUrl = new URL(options.url, options.currentUrl);
+		if (targetUrl.origin === options.currentUrl.origin) return options.url;
+		const refreshTokenId = await this._getCurrentRefreshTokenIdIfSignedIn({ awaitPendingAuthResolutions: options.awaitPendingAuthResolutions });
+		if (refreshTokenId == null) return options.url;
+		targetUrl.searchParams.set(nestedCrossDomainAuthQueryParams.refreshTokenId, refreshTokenId);
+		targetUrl.searchParams.set(nestedCrossDomainAuthQueryParams.callbackUrl, new URL(this._getOAuthCallbackRedirectUri(), options.currentUrl).toString());
+		return targetUrl.toString();
+	}
+	async _maybeHandleNestedCrossDomainAuth() {
+		if (typeof window === "undefined") return false;
+		const currentUrl = new URL(window.location.href);
+		if (currentUrl.searchParams.has("code") && currentUrl.searchParams.has("state")) return false;
+		const refreshTokenId = currentUrl.searchParams.get(nestedCrossDomainAuthQueryParams.refreshTokenId);
+		if (refreshTokenId == null) return false;
+		const redirectUri = currentUrl.searchParams.get(nestedCrossDomainAuthQueryParams.redirectUri);
+		const state = currentUrl.searchParams.get(nestedCrossDomainAuthQueryParams.state);
+		const codeChallenge = currentUrl.searchParams.get(nestedCrossDomainAuthQueryParams.codeChallenge);
+		if (redirectUri != null || state != null || codeChallenge != null) {
+			if (redirectUri == null || state == null || codeChallenge == null) throw new _stackframe_stack_shared_dist_utils_errors.StackAssertionError("Nested cross-domain auth callback URL is missing OAuth request parameters", {
+				redirectUri,
+				state,
+				codeChallenge
+			});
+			if ((currentUrl.searchParams.get(nestedCrossDomainAuthQueryParams.codeChallengeMethod) ?? "S256") !== "S256") throw new _stackframe_stack_shared_dist_utils_errors.StackAssertionError("Nested cross-domain auth only supports S256 PKCE");
+			if ((0, _stackframe_stack_shared_dist_utils_urls.isRelative)(redirectUri)) throw new Error("Nested cross-domain auth redirect URI must be absolute.");
+			const redirectUriUrl = new URL(redirectUri);
+			if (!await this._isTrusted(redirectUriUrl.toString())) throw new Error(`Nested cross-domain auth redirect URI ${redirectUri} is not trusted.`);
+			const afterCallbackRedirectUrlString = currentUrl.searchParams.get(nestedCrossDomainAuthQueryParams.afterCallbackRedirectUrl);
+			const afterCallbackRedirectUrl = afterCallbackRedirectUrlString == null ? redirectUriUrl : new URL(afterCallbackRedirectUrlString, redirectUriUrl);
+			if (!await this._isTrusted(afterCallbackRedirectUrl.toString())) throw new Error(`Nested cross-domain auth after-callback redirect URL ${afterCallbackRedirectUrlString} is not trusted.`);
+			if (await this._getCurrentRefreshTokenIdIfSignedIn({ awaitPendingAuthResolutions: false }) !== refreshTokenId) throw new Error("Nested cross-domain auth source session does not match the requested refresh token ID.");
+			await this._redirectTo({
+				url: await this._createCrossDomainAuthRedirectUrl({
+					redirectUri: redirectUriUrl.toString(),
+					state,
+					codeChallenge,
+					afterCallbackRedirectUrl: afterCallbackRedirectUrl.toString(),
+					awaitPendingAuthResolutions: false
+				}),
+				replace: true
+			});
+			return true;
+		}
+		if (await this._getCurrentRefreshTokenIdIfSignedIn({ awaitPendingAuthResolutions: false }) === refreshTokenId) return false;
+		const callbackUrlString = currentUrl.searchParams.get(nestedCrossDomainAuthQueryParams.callbackUrl);
+		if (callbackUrlString == null) throw new _stackframe_stack_shared_dist_utils_errors.StackAssertionError("Nested cross-domain auth URL is missing callback URL");
+		if ((0, _stackframe_stack_shared_dist_utils_urls.isRelative)(callbackUrlString)) throw new Error("Nested cross-domain auth callback URL must be absolute.");
+		const callbackUrl = new URL(callbackUrlString);
+		if (!await this._isTrusted(callbackUrl.toString())) throw new Error(`Nested cross-domain auth callback URL ${callbackUrlString} is not trusted.`);
+		const afterCallbackRedirectUrl = new URL(currentUrl);
+		afterCallbackRedirectUrl.searchParams.delete(nestedCrossDomainAuthQueryParams.refreshTokenId);
+		afterCallbackRedirectUrl.searchParams.delete(nestedCrossDomainAuthQueryParams.callbackUrl);
+		const { state: newState, codeChallenge: newCodeChallenge } = await this._getCrossDomainHandoffParamsForRedirect(currentUrl);
+		callbackUrl.searchParams.set(nestedCrossDomainAuthQueryParams.refreshTokenId, refreshTokenId);
+		callbackUrl.searchParams.set(nestedCrossDomainAuthQueryParams.redirectUri, new URL(this._getOAuthCallbackRedirectUri(), currentUrl).toString());
+		callbackUrl.searchParams.set(nestedCrossDomainAuthQueryParams.state, newState);
+		callbackUrl.searchParams.set(nestedCrossDomainAuthQueryParams.codeChallenge, newCodeChallenge);
+		callbackUrl.searchParams.set(nestedCrossDomainAuthQueryParams.codeChallengeMethod, "S256");
+		callbackUrl.searchParams.set(nestedCrossDomainAuthQueryParams.afterCallbackRedirectUrl, afterCallbackRedirectUrl.toString());
+		await this._redirectTo({
+			url: callbackUrl,
+			replace: true
+		});
+		return true;
+	}
 	/**
 	* Cloudflare workers does not allow use of randomness on the global scope (on which the Stack app is probably
 	* initialized). For that reason, we generate the unique identifier lazily when it is first needed instead of in the
@@ -619,15 +765,15 @@ var _StackClientAppImplIncomplete = class _StackClientAppImplIncomplete {
 			await (0, _________cookie_js.setOrDeleteCookie)(this._getRefreshTokenDefaultCookieNameForSecure(isSecure), null, cookieOptions);
 		});
 	}
+	async _getTrustedRedirectConfig() {
+		const project = _stackframe_stack_shared_dist_utils_results.Result.orThrow(await this._currentProjectCache.getOrWait([], "write-only"));
+		return {
+			allowLocalhost: project.config.allow_localhost,
+			trustedDomains: project.config.domains.map((d) => d.domain)
+		};
+	}
 	async _getTrustedParentDomain(currentDomain) {
-		const domains = _stackframe_stack_shared_dist_utils_results.Result.orThrow(await this._interface.getClientProject()).config.domains.map((d) => d.domain.trim().replace(/^https?:\/\//, "").split("/")[0]?.toLowerCase());
-		const trustedWildcards = domains.filter((d) => d.startsWith("**."));
-		const parts = currentDomain.split(".");
-		for (let i = parts.length - 2; i >= 0; i--) {
-			const parentDomain = parts.slice(i).join(".");
-			if (domains.includes(parentDomain) && trustedWildcards.includes("**." + parentDomain)) return parentDomain;
-		}
-		return null;
+		return (0, _stackframe_stack_shared_dist_utils_redirect_urls.getTrustedParentDomain)(currentDomain, (await this._getTrustedRedirectConfig()).trustedDomains);
 	}
 	_getBrowserCookieTokenStore() {
 		if (!(0, _stackframe_stack_shared_dist_utils_env.isBrowserLike)()) throw new Error("Cannot use cookie token store on the server!");
@@ -784,11 +930,13 @@ var _StackClientAppImplIncomplete = class _StackClientAppImplIncomplete {
 		sessionsBySessionKey.set(sessionKey, session);
 		return session;
 	}
-	async _getSession(overrideTokenStoreInit) {
+	async _getSession(overrideTokenStoreInit, options) {
+		await this._awaitPendingAuthResolutions(overrideTokenStoreInit, options);
 		const tokenStore = this._getOrCreateTokenStore(await this._createCookieHelper(overrideTokenStoreInit), overrideTokenStoreInit);
 		return this._getSessionFromTokenStore(tokenStore);
 	}
 	_useSession(overrideTokenStoreInit) {
+		this._usePendingAuthResolutions(overrideTokenStoreInit);
 		const tokenStore = this._useTokenStore(overrideTokenStoreInit);
 		const subscribe = (0, react.useCallback)((cb) => {
 			return (0, __session_refresh_subscription_js.subscribeSessionRefresh)({
@@ -1244,7 +1392,7 @@ var _StackClientAppImplIncomplete = class _StackClientAppImplIncomplete {
 				const scopeString = options?.scopes?.join(" ") ?? "";
 				const location = await (0, _________auth_js.getNewOAuthProviderOrScopeUrl)(app._interface, {
 					provider,
-					redirectUrl: app.urls.oauthCallback,
+					redirectUrl: app._getOAuthCallbackRedirectUri(),
 					errorRedirectUrl: app.urls.error,
 					providerScope: (0, _stackframe_stack_shared_dist_utils_strings.mergeScopeStrings)(scopeString, (app._oauthScopesOnSignIn[provider] ?? []).join(" "))
 				}, session);
@@ -1778,10 +1926,17 @@ var _StackClientAppImplIncomplete = class _StackClientAppImplIncomplete {
 	}
 	async _isTrusted(url) {
 		if ((0, _stackframe_stack_shared_dist_utils_urls.isRelative)(url)) return true;
-		if (typeof window !== "undefined" && window.location.origin === new URL(url).origin) return true;
-		return (0, ______url_targets_js.isHostedHandlerUrlForProject)({
+		const parsedUrl = (0, _stackframe_stack_shared_dist_utils_urls.createUrlIfValid)(url);
+		if (parsedUrl == null) return false;
+		if (typeof window !== "undefined" && window.location.origin === parsedUrl.origin) return true;
+		if ((0, ______url_targets_js.isHostedHandlerUrlForProject)({
 			url,
 			projectId: this.projectId
+		})) return true;
+		const trustedRedirectConfig = await this._getTrustedRedirectConfig();
+		return (0, _stackframe_stack_shared_dist_utils_redirect_urls.validateRedirectUrl)(parsedUrl, {
+			allowLocalhost: trustedRedirectConfig.allowLocalhost,
+			trustedDomains: trustedRedirectConfig.trustedDomains
 		});
 	}
 	get urls() {
@@ -1830,6 +1985,7 @@ var _StackClientAppImplIncomplete = class _StackClientAppImplIncomplete {
 		};
 	}
 	_getLocalOAuthCallbackHandlerUrl() {
+		if (this._isOAuthCallbackUrlHosted()) return this._getOAuthCallbackRedirectUri();
 		return (0, ______url_targets_js.resolveHandlerUrls)({
 			urls: {
 				...this._urlOptions,
@@ -1840,7 +1996,7 @@ var _StackClientAppImplIncomplete = class _StackClientAppImplIncomplete {
 		}).oauthCallback;
 	}
 	async _createCrossDomainAuthRedirectUrl(options) {
-		const session = await this._getSession();
+		const session = await this._getSession(void 0, { awaitPendingAuthResolutions: options.awaitPendingAuthResolutions });
 		const response = await this._interface.sendClientRequest("/auth/oauth/cross-domain/authorize", {
 			method: "POST",
 			headers: { "Content-Type": "application/json" },
@@ -1894,7 +2050,7 @@ var _StackClientAppImplIncomplete = class _StackClientAppImplIncomplete {
 			...options
 		});
 	}
-	async _redirectToHandler(handlerName, options) {
+	async _redirectToHandler(handlerName, options, internalOptions) {
 		const rawHandlerUrl = (0, __common_js.getUrls)(this._urlOptions, { projectId: this.projectId })[handlerName];
 		if (!rawHandlerUrl) throw new Error(`No URL for handler name ${handlerName}`);
 		const currentUrl = typeof window === "undefined" ? null : new URL(window.location.href);
@@ -1911,7 +2067,8 @@ var _StackClientAppImplIncomplete = class _StackClientAppImplIncomplete {
 				redirectUri: plan.redirectUri,
 				state: plan.state,
 				codeChallenge: plan.codeChallenge,
-				afterCallbackRedirectUrl: plan.afterCallbackRedirectUrl
+				afterCallbackRedirectUrl: plan.afterCallbackRedirectUrl,
+				awaitPendingAuthResolutions: internalOptions?.awaitPendingAuthResolutions
 			});
 			await this._redirectTo({
 				url: crossDomainRedirectUrl,
@@ -1919,7 +2076,12 @@ var _StackClientAppImplIncomplete = class _StackClientAppImplIncomplete {
 			});
 			return;
 		}
-		await this._redirectIfTrusted(plan.url, options);
+		const redirectUrl = currentUrl != null && handlerName !== "signOut" && handlerName !== "afterSignOut" && handlerName !== "oauthCallback" ? await this._addNestedCrossDomainAuthParamsToRedirectUrl({
+			url: plan.url,
+			currentUrl,
+			awaitPendingAuthResolutions: internalOptions?.awaitPendingAuthResolutions
+		}) : plan.url;
+		await this._redirectIfTrusted(redirectUrl, options);
 	}
 	_redirectToHandlerDuringRender(handlerName, options) {
 		if (this._redirectMethod === "tanstack-start" && !(0, _stackframe_stack_shared_dist_utils_env.isBrowserLike)()) {
@@ -2176,7 +2338,7 @@ var _StackClientAppImplIncomplete = class _StackClientAppImplIncomplete {
 		const executeOAuth = async (challenge) => {
 			return await this._interface.authorizeOAuth({
 				provider,
-				redirectUrl: (0, ____________utils_url_js.constructRedirectUrl)(this.urls.oauthCallback, "redirectUrl"),
+				redirectUrl: (0, ____________utils_url_js.constructRedirectUrl)(this._getOAuthCallbackRedirectUri(), "redirectUrl"),
 				errorRedirectUrl: (0, ____________utils_url_js.constructRedirectUrl)(this.urls.error, "errorRedirectUrl"),
 				afterCallbackRedirectUrl,
 				type: "authenticate",
@@ -2224,7 +2386,7 @@ var _StackClientAppImplIncomplete = class _StackClientAppImplIncomplete {
 		try {
 			return await callback();
 		} catch (e) {
-			if (_stackframe_stack_shared.KnownErrors.MultiFactorAuthenticationRequired.isInstance(e)) return _stackframe_stack_shared_dist_utils_results.Result.ok(await this._experimentalMfa(e, await this._getSession()));
+			if (_stackframe_stack_shared.KnownErrors.MultiFactorAuthenticationRequired.isInstance(e)) return _stackframe_stack_shared_dist_utils_results.Result.ok(await this._experimentalMfa(e, await this._getSession(void 0, { awaitPendingAuthResolutions: false })));
 			throw e;
 		}
 	}
@@ -2299,8 +2461,8 @@ var _StackClientAppImplIncomplete = class _StackClientAppImplIncomplete {
 		}
 		if (result.status === "ok") {
 			await this._signInToAccountWithTokens(result.data);
-			if (!options?.noRedirect) if (result.data.newUser) await this.redirectToAfterSignUp({ replace: true });
-			else await this.redirectToAfterSignIn({ replace: true });
+			if (!options?.noRedirect) if (result.data.newUser) await this._redirectToHandler("afterSignUp", { replace: true }, { awaitPendingAuthResolutions: false });
+			else await this._redirectToHandler("afterSignIn", { replace: true }, { awaitPendingAuthResolutions: false });
 			return _stackframe_stack_shared_dist_utils_results.Result.ok(void 0);
 		} else return _stackframe_stack_shared_dist_utils_results.Result.error(result.error);
 	}
@@ -2415,10 +2577,10 @@ var _StackClientAppImplIncomplete = class _StackClientAppImplIncomplete {
 			return _stackframe_stack_shared_dist_utils_results.Result.ok(void 0);
 		} else return _stackframe_stack_shared_dist_utils_results.Result.error(result.error);
 	}
-	async callOAuthCallback() {
+	async callOAuthCallback(options) {
 		if (typeof window === "undefined") throw new Error("callOAuthCallback can currently only be called in a browser environment");
-		this._ensurePersistentTokenStore();
-		let oauthCallbackRedirectUri = this.urls.oauthCallback;
+		if (this._currentUrlLooksLikeOAuthCallback()) this._ensurePersistentTokenStore();
+		let oauthCallbackRedirectUri = this._getOAuthCallbackRedirectUri();
 		const currentUrl = new URL(window.location.href);
 		if (currentUrl.searchParams.get(__redirect_page_urls_js.crossDomainAuthQueryParams.marker) === "1") {
 			currentUrl.searchParams.delete("code");
@@ -2428,7 +2590,7 @@ var _StackClientAppImplIncomplete = class _StackClientAppImplIncomplete {
 		let result;
 		try {
 			result = await this._catchMfaRequiredError(async () => {
-				return await (0, _________auth_js.callOAuthCallback)(this._interface, oauthCallbackRedirectUri);
+				return await (0, _________auth_js.callOAuthCallback)(this._interface, oauthCallbackRedirectUri, options);
 			});
 		} catch (e) {
 			if (_stackframe_stack_shared.KnownErrors.InvalidTotpCode.isInstance(e)) {
@@ -2437,6 +2599,7 @@ var _StackClientAppImplIncomplete = class _StackClientAppImplIncomplete {
 			} else throw e;
 		}
 		if (result.status === "ok" && result.data) {
+			this._ensurePersistentTokenStore();
 			await this._signInToAccountWithTokens(result.data);
 			if ("afterCallbackRedirectUrl" in result.data && result.data.afterCallbackRedirectUrl) {
 				await this._redirectTo({
@@ -2445,10 +2608,10 @@ var _StackClientAppImplIncomplete = class _StackClientAppImplIncomplete {
 				});
 				return true;
 			} else if (result.data.newUser) {
-				await this.redirectToAfterSignUp({ replace: true });
+				await this._redirectToHandler("afterSignUp", { replace: true }, { awaitPendingAuthResolutions: false });
 				return true;
 			} else {
-				await this.redirectToAfterSignIn({ replace: true });
+				await this._redirectToHandler("afterSignIn", { replace: true }, { awaitPendingAuthResolutions: false });
 				return true;
 			}
 		}