@stackframe/tanstack-start 2.8.93 → 2.8.95

package/dist/esm/lib/stack-app/apps/implementations/client-app-impl.js

@@ -4,12 +4,13 @@ import React, { useCallback, useMemo } from "react";
 import { KnownErrors, StackClientInterface } from "@stackframe/stack-shared";
 import { suspend, suspendIfSsr, use } from "@stackframe/stack-shared/dist/utils/react";
 import { deepPlainEquals, omit } from "@stackframe/stack-shared/dist/utils/objects";
-import { isRelative } from "@stackframe/stack-shared/dist/utils/urls";
+import { createUrlIfValid, isRelative } from "@stackframe/stack-shared/dist/utils/urls";
 import { Result } from "@stackframe/stack-shared/dist/utils/results";
 import { deindent, mergeScopeStrings } from "@stackframe/stack-shared/dist/utils/strings";
 import { isBrowserLike } from "@stackframe/stack-shared/dist/utils/env";
 import * as tanstackStartServerContext from "@stackframe/tanstack-start/tanstack-start-server-context";
 import { clientVersion, createCache, createCacheBySession, createEmptyTokenStore, getAnalyticsBaseUrl, getDefaultExtraRequestHeaders, getDefaultProjectId, getDefaultPublishableClientKey, getUrls, resolveApiUrls, resolveConstructorOptions, useAsyncCache } from "./common.js";
+import { getTrustedParentDomain, validateRedirectUrl } from "@stackframe/stack-shared/dist/utils/redirect-urls";
 import { decodeBase32, decodeBase64, encodeBase32, encodeBase64 } from "@stackframe/stack-shared/dist/utils/bytes";
 import { stackAppInternalsSymbol } from "../../common.js";
 import { adminProjectCreateOptionsToCrud } from "../../projects/index.js";
@@ -24,12 +25,12 @@ import * as TanStackRouter from "@tanstack/react-router";
 import * as cookie from "cookie";
 import { constructRedirectUrl } from "../../../../utils/url.js";
 import { callOAuthCallback, getNewOAuthProviderOrScopeUrl } from "../../../auth.js";
-import { createBrowserCookieHelper, createCookieHelper, createPlaceholderCookieHelper, deleteCookie, deleteCookieClient, isSecure, saveVerifierAndState, setOrDeleteCookie, setOrDeleteCookieClient } from "../../../cookie.js";
+import { createBrowserCookieHelper, createCookieHelper, createPlaceholderCookieHelper, deleteCookie, deleteCookieClient, getCookieClient, isSecure, saveVerifierAndState, setOrDeleteCookie, setOrDeleteCookieClient } from "../../../cookie.js";
 import { envVars } from "../../../env.js";
 import { apiKeyCreationOptionsToCrud } from "../../api-keys/index.js";
 import { contactChannelCreateOptionsToCrud, contactChannelUpdateOptionsToCrud } from "../../contact-channels/index.js";
 import { teamCreateOptionsToCrud, teamUpdateOptionsToCrud } from "../../teams/index.js";
-import { buildCliAuthConfirmUrl, isHostedHandlerUrlForProject, resolveHandlerUrls } from "../../url-targets.js";
+import { buildCliAuthConfirmUrl, getHostedHandlerUrl, isHostedHandlerUrlForProject, resolveHandlerUrls } from "../../url-targets.js";
 import { userUpdateOptionsToCrud, withUserDestructureGuard } from "../../users/index.js";
 import { EventTracker } from "./event-tracker.js";
 import { crossDomainAuthQueryParams, getCrossDomainHandoffParamsFromCurrentUrl, planRedirectToHandler } from "./redirect-page-urls.js";
@@ -39,6 +40,24 @@ import { mountDevTool } from "../../../../dev-tool/index.js";
 
 //#region src/lib/stack-app/apps/implementations/client-app-impl.ts
 const prefetchedCrossDomainHandoffTtlMs = 3300 * 1e3;
+const nestedCrossDomainAuthQueryParams = {
+	refreshTokenId: "stack_nested_cross_domain_auth_refresh_token_id",
+	callbackUrl: "stack_nested_cross_domain_auth_callback_url",
+	redirectUri: "redirect_uri",
+	state: "state",
+	codeChallenge: "code_challenge",
+	codeChallengeMethod: "code_challenge_method",
+	afterCallbackRedirectUrl: "after_callback_redirect_url"
+};
+const oauthCallbackResponseQueryParams = [
+	"code",
+	"state",
+	"error",
+	"error_description",
+	"errorCode",
+	"message",
+	"details"
+];
 const allClientApps = /* @__PURE__ */ new Map();
 const STACK_AUTHORIZATION_VALUE_PREFIX = "stackauth_";
 function getAuthorizationHeaderValueFromAuthJson(authJson) {
@@ -106,7 +125,7 @@ var _StackClientAppImplIncomplete = class _StackClientAppImplIncomplete {
         `);
 			const location = await getNewOAuthProviderOrScopeUrl(this._interface, {
 				provider: options.providerId,
-				redirectUrl: this.urls.oauthCallback,
+				redirectUrl: this._getOAuthCallbackRedirectUri(),
 				errorRedirectUrl: this.urls.error,
 				providerScope: mergeScopeStrings(options.scope || "", (this._oauthScopesOnSignIn[options.providerId] ?? []).join(" "))
 			}, options.session);
@@ -241,7 +260,7 @@ var _StackClientAppImplIncomplete = class _StackClientAppImplIncomplete {
 			for (const account of matchingAccounts) if ((await account.getAccessToken({ scopes })).status === "ok") return account;
 			const location = await getNewOAuthProviderOrScopeUrl(this._interface, {
 				provider,
-				redirectUrl: this.urls.oauthCallback,
+				redirectUrl: this._getOAuthCallbackRedirectUri(),
 				errorRedirectUrl: this.urls.error,
 				providerScope: mergeScopeStrings(scopeString, (this._oauthScopesOnSignIn[provider] ?? []).join(" "))
 			}, session);
@@ -345,6 +364,7 @@ var _StackClientAppImplIncomplete = class _StackClientAppImplIncomplete {
 		this._prefetchedCrossDomainHandoffParams = null;
 		this._prefetchedCrossDomainHandoffParamsFetchedAt = 0;
 		this._isPrefetchingCrossDomainHandoffParams = false;
+		this._pendingAuthResolutionPromises = [];
 		this._memoryTokenStore = createEmptyTokenStore();
 		this._nextServerCookiesTokenStores = /* @__PURE__ */ new WeakMap();
 		this._requestTokenStores = /* @__PURE__ */ new WeakMap();
@@ -414,6 +434,12 @@ var _StackClientAppImplIncomplete = class _StackClientAppImplIncomplete {
 			});
 			this._eventTracker.start();
 		}
+		if (isBrowserLike() && this._isOAuthCallbackUrlHosted() && this._currentUrlLooksLikeStackOAuthCallback()) this._trackPendingAuthResolution(async () => {
+			if (isBrowserLike()) await this.callOAuthCallback({ dontWarnAboutMissingQueryParams: true });
+		});
+		if (isBrowserLike()) this._trackPendingAuthResolution(async () => {
+			await this._maybeHandleNestedCrossDomainAuth();
+		});
 		if (isBrowserLike() && resolvedOptions.devTool !== false) mountDevTool(this);
 	}
 	_initUniqueIdentifier() {
@@ -421,6 +447,126 @@ var _StackClientAppImplIncomplete = class _StackClientAppImplIncomplete {
 		if (allClientApps.has(this._uniqueIdentifier)) throw new StackAssertionError("A Stack client app with the same unique identifier already exists");
 		allClientApps.set(this._uniqueIdentifier, [this._extraOptions?.checkString ?? void 0, this]);
 	}
+	_trackPendingAuthResolution(callback) {
+		const promise = (async () => {
+			await Promise.resolve();
+			try {
+				await callback();
+			} catch (error) {
+				captureError("pending-auth-resolution-failed", error);
+			}
+		})();
+		this._pendingAuthResolutionPromises.push(promise);
+		runAsynchronously(async () => {
+			try {
+				await promise;
+			} finally {
+				this._pendingAuthResolutionPromises = this._pendingAuthResolutionPromises.filter((p) => p !== promise);
+			}
+		});
+	}
+	async _awaitPendingAuthResolutions(overrideTokenStoreInit, options) {
+		if (options?.awaitPendingAuthResolutions === false || overrideTokenStoreInit !== void 0 || !this._hasPersistentTokenStore() || this._pendingAuthResolutionPromises.length === 0) return;
+		await Promise.all(this._pendingAuthResolutionPromises);
+	}
+	_usePendingAuthResolutions(overrideTokenStoreInit) {
+		if (overrideTokenStoreInit !== void 0 || !this._hasPersistentTokenStore() || this._pendingAuthResolutionPromises.length === 0) return;
+		use(Promise.all(this._pendingAuthResolutionPromises));
+	}
+	_isOAuthCallbackUrlHosted() {
+		const oauthCallbackTarget = this._urlOptions.oauthCallback ?? this._urlOptions.default;
+		return typeof oauthCallbackTarget !== "string" && oauthCallbackTarget?.type === "hosted";
+	}
+	_currentUrlLooksLikeOAuthCallback() {
+		if (typeof window === "undefined") return false;
+		const currentUrl = new URL(window.location.href);
+		return currentUrl.searchParams.has("code") && currentUrl.searchParams.has("state") || currentUrl.searchParams.has("errorCode") && currentUrl.searchParams.has("message");
+	}
+	_currentUrlLooksLikeStackOAuthCallback() {
+		if (typeof window === "undefined") return false;
+		const currentUrl = new URL(window.location.href);
+		const state = currentUrl.searchParams.get("state");
+		if (!currentUrl.searchParams.has("code") || state == null) return false;
+		return getCookieClient(`stack-oauth-outer-${state}`) != null;
+	}
+	_getOAuthCallbackRedirectUri() {
+		if (!this._isOAuthCallbackUrlHosted()) return this.urls.oauthCallback;
+		if (typeof window === "undefined") throw new StackAssertionError("Hosted OAuth callback URLs require a browser environment to use the current URL as the redirect URI");
+		const currentUrl = new URL(window.location.href);
+		for (const param of oauthCallbackResponseQueryParams) currentUrl.searchParams.delete(param);
+		return currentUrl.toString();
+	}
+	async _getCurrentRefreshTokenIdIfSignedIn(options) {
+		const tokens = await (await this._getSession(void 0, options)).getOrFetchLikelyValidTokens(0, null);
+		if (tokens?.refreshToken == null) return null;
+		return tokens.accessToken.payload.refresh_token_id;
+	}
+	async _addNestedCrossDomainAuthParamsToRedirectUrl(options) {
+		const targetUrl = new URL(options.url, options.currentUrl);
+		if (targetUrl.origin === options.currentUrl.origin) return options.url;
+		const refreshTokenId = await this._getCurrentRefreshTokenIdIfSignedIn({ awaitPendingAuthResolutions: options.awaitPendingAuthResolutions });
+		if (refreshTokenId == null) return options.url;
+		targetUrl.searchParams.set(nestedCrossDomainAuthQueryParams.refreshTokenId, refreshTokenId);
+		targetUrl.searchParams.set(nestedCrossDomainAuthQueryParams.callbackUrl, new URL(this._getOAuthCallbackRedirectUri(), options.currentUrl).toString());
+		return targetUrl.toString();
+	}
+	async _maybeHandleNestedCrossDomainAuth() {
+		if (typeof window === "undefined") return false;
+		const currentUrl = new URL(window.location.href);
+		if (currentUrl.searchParams.has("code") && currentUrl.searchParams.has("state")) return false;
+		const refreshTokenId = currentUrl.searchParams.get(nestedCrossDomainAuthQueryParams.refreshTokenId);
+		if (refreshTokenId == null) return false;
+		const redirectUri = currentUrl.searchParams.get(nestedCrossDomainAuthQueryParams.redirectUri);
+		const state = currentUrl.searchParams.get(nestedCrossDomainAuthQueryParams.state);
+		const codeChallenge = currentUrl.searchParams.get(nestedCrossDomainAuthQueryParams.codeChallenge);
+		if (redirectUri != null || state != null || codeChallenge != null) {
+			if (redirectUri == null || state == null || codeChallenge == null) throw new StackAssertionError("Nested cross-domain auth callback URL is missing OAuth request parameters", {
+				redirectUri,
+				state,
+				codeChallenge
+			});
+			if ((currentUrl.searchParams.get(nestedCrossDomainAuthQueryParams.codeChallengeMethod) ?? "S256") !== "S256") throw new StackAssertionError("Nested cross-domain auth only supports S256 PKCE");
+			if (isRelative(redirectUri)) throw new Error("Nested cross-domain auth redirect URI must be absolute.");
+			const redirectUriUrl = new URL(redirectUri);
+			if (!await this._isTrusted(redirectUriUrl.toString())) throw new Error(`Nested cross-domain auth redirect URI ${redirectUri} is not trusted.`);
+			const afterCallbackRedirectUrlString = currentUrl.searchParams.get(nestedCrossDomainAuthQueryParams.afterCallbackRedirectUrl);
+			const afterCallbackRedirectUrl = afterCallbackRedirectUrlString == null ? redirectUriUrl : new URL(afterCallbackRedirectUrlString, redirectUriUrl);
+			if (!await this._isTrusted(afterCallbackRedirectUrl.toString())) throw new Error(`Nested cross-domain auth after-callback redirect URL ${afterCallbackRedirectUrlString} is not trusted.`);
+			if (await this._getCurrentRefreshTokenIdIfSignedIn({ awaitPendingAuthResolutions: false }) !== refreshTokenId) throw new Error("Nested cross-domain auth source session does not match the requested refresh token ID.");
+			await this._redirectTo({
+				url: await this._createCrossDomainAuthRedirectUrl({
+					redirectUri: redirectUriUrl.toString(),
+					state,
+					codeChallenge,
+					afterCallbackRedirectUrl: afterCallbackRedirectUrl.toString(),
+					awaitPendingAuthResolutions: false
+				}),
+				replace: true
+			});
+			return true;
+		}
+		if (await this._getCurrentRefreshTokenIdIfSignedIn({ awaitPendingAuthResolutions: false }) === refreshTokenId) return false;
+		const callbackUrlString = currentUrl.searchParams.get(nestedCrossDomainAuthQueryParams.callbackUrl);
+		if (callbackUrlString == null) throw new StackAssertionError("Nested cross-domain auth URL is missing callback URL");
+		if (isRelative(callbackUrlString)) throw new Error("Nested cross-domain auth callback URL must be absolute.");
+		const callbackUrl = new URL(callbackUrlString);
+		if (!await this._isTrusted(callbackUrl.toString())) throw new Error(`Nested cross-domain auth callback URL ${callbackUrlString} is not trusted.`);
+		const afterCallbackRedirectUrl = new URL(currentUrl);
+		afterCallbackRedirectUrl.searchParams.delete(nestedCrossDomainAuthQueryParams.refreshTokenId);
+		afterCallbackRedirectUrl.searchParams.delete(nestedCrossDomainAuthQueryParams.callbackUrl);
+		const { state: newState, codeChallenge: newCodeChallenge } = await this._getCrossDomainHandoffParamsForRedirect(currentUrl);
+		callbackUrl.searchParams.set(nestedCrossDomainAuthQueryParams.refreshTokenId, refreshTokenId);
+		callbackUrl.searchParams.set(nestedCrossDomainAuthQueryParams.redirectUri, new URL(this._getOAuthCallbackRedirectUri(), currentUrl).toString());
+		callbackUrl.searchParams.set(nestedCrossDomainAuthQueryParams.state, newState);
+		callbackUrl.searchParams.set(nestedCrossDomainAuthQueryParams.codeChallenge, newCodeChallenge);
+		callbackUrl.searchParams.set(nestedCrossDomainAuthQueryParams.codeChallengeMethod, "S256");
+		callbackUrl.searchParams.set(nestedCrossDomainAuthQueryParams.afterCallbackRedirectUrl, afterCallbackRedirectUrl.toString());
+		await this._redirectTo({
+			url: callbackUrl,
+			replace: true
+		});
+		return true;
+	}
 	/**
 	* Cloudflare workers does not allow use of randomness on the global scope (on which the Stack app is probably
 	* initialized). For that reason, we generate the unique identifier lazily when it is first needed instead of in the
@@ -613,15 +759,18 @@ var _StackClientAppImplIncomplete = class _StackClientAppImplIncomplete {
 			await setOrDeleteCookie(this._getRefreshTokenDefaultCookieNameForSecure(isSecure$1), null, cookieOptions);
 		});
 	}
+	async _getTrustedRedirectConfig() {
+		const project = Result.orThrow(await this._currentProjectCache.getOrWait([], "write-only"));
+		return {
+			allowLocalhost: project.config.allow_localhost,
+			trustedDomains: [...project.config.domains.map((d) => d.domain), new URL(getHostedHandlerUrl({
+				projectId: this.projectId,
+				pagePath: ""
+			})).origin]
+		};
+	}
 	async _getTrustedParentDomain(currentDomain) {
-		const domains = Result.orThrow(await this._interface.getClientProject()).config.domains.map((d) => d.domain.trim().replace(/^https?:\/\//, "").split("/")[0]?.toLowerCase());
-		const trustedWildcards = domains.filter((d) => d.startsWith("**."));
-		const parts = currentDomain.split(".");
-		for (let i = parts.length - 2; i >= 0; i--) {
-			const parentDomain = parts.slice(i).join(".");
-			if (domains.includes(parentDomain) && trustedWildcards.includes("**." + parentDomain)) return parentDomain;
-		}
-		return null;
+		return getTrustedParentDomain(currentDomain, (await this._getTrustedRedirectConfig()).trustedDomains);
 	}
 	_getBrowserCookieTokenStore() {
 		if (!isBrowserLike()) throw new Error("Cannot use cookie token store on the server!");
@@ -778,11 +927,13 @@ var _StackClientAppImplIncomplete = class _StackClientAppImplIncomplete {
 		sessionsBySessionKey.set(sessionKey, session);
 		return session;
 	}
-	async _getSession(overrideTokenStoreInit) {
+	async _getSession(overrideTokenStoreInit, options) {
+		await this._awaitPendingAuthResolutions(overrideTokenStoreInit, options);
 		const tokenStore = this._getOrCreateTokenStore(await this._createCookieHelper(overrideTokenStoreInit), overrideTokenStoreInit);
 		return this._getSessionFromTokenStore(tokenStore);
 	}
 	_useSession(overrideTokenStoreInit) {
+		this._usePendingAuthResolutions(overrideTokenStoreInit);
 		const tokenStore = this._useTokenStore(overrideTokenStoreInit);
 		const subscribe = useCallback((cb) => {
 			return subscribeSessionRefresh({
@@ -1238,7 +1389,7 @@ var _StackClientAppImplIncomplete = class _StackClientAppImplIncomplete {
 				const scopeString = options?.scopes?.join(" ") ?? "";
 				const location = await getNewOAuthProviderOrScopeUrl(app._interface, {
 					provider,
-					redirectUrl: app.urls.oauthCallback,
+					redirectUrl: app._getOAuthCallbackRedirectUri(),
 					errorRedirectUrl: app.urls.error,
 					providerScope: mergeScopeStrings(scopeString, (app._oauthScopesOnSignIn[provider] ?? []).join(" "))
 				}, session);
@@ -1772,10 +1923,17 @@ var _StackClientAppImplIncomplete = class _StackClientAppImplIncomplete {
 	}
 	async _isTrusted(url) {
 		if (isRelative(url)) return true;
-		if (typeof window !== "undefined" && window.location.origin === new URL(url).origin) return true;
-		return isHostedHandlerUrlForProject({
+		const parsedUrl = createUrlIfValid(url);
+		if (parsedUrl == null) return false;
+		if (typeof window !== "undefined" && window.location.origin === parsedUrl.origin) return true;
+		if (isHostedHandlerUrlForProject({
 			url,
 			projectId: this.projectId
+		})) return true;
+		const trustedRedirectConfig = await this._getTrustedRedirectConfig();
+		return validateRedirectUrl(parsedUrl, {
+			allowLocalhost: trustedRedirectConfig.allowLocalhost,
+			trustedDomains: trustedRedirectConfig.trustedDomains
 		});
 	}
 	get urls() {
@@ -1824,6 +1982,7 @@ var _StackClientAppImplIncomplete = class _StackClientAppImplIncomplete {
 		};
 	}
 	_getLocalOAuthCallbackHandlerUrl() {
+		if (this._isOAuthCallbackUrlHosted()) return this._getOAuthCallbackRedirectUri();
 		return resolveHandlerUrls({
 			urls: {
 				...this._urlOptions,
@@ -1834,7 +1993,7 @@ var _StackClientAppImplIncomplete = class _StackClientAppImplIncomplete {
 		}).oauthCallback;
 	}
 	async _createCrossDomainAuthRedirectUrl(options) {
-		const session = await this._getSession();
+		const session = await this._getSession(void 0, { awaitPendingAuthResolutions: options.awaitPendingAuthResolutions });
 		const response = await this._interface.sendClientRequest("/auth/oauth/cross-domain/authorize", {
 			method: "POST",
 			headers: { "Content-Type": "application/json" },
@@ -1888,7 +2047,7 @@ var _StackClientAppImplIncomplete = class _StackClientAppImplIncomplete {
 			...options
 		});
 	}
-	async _redirectToHandler(handlerName, options) {
+	async _redirectToHandler(handlerName, options, internalOptions) {
 		const rawHandlerUrl = getUrls(this._urlOptions, { projectId: this.projectId })[handlerName];
 		if (!rawHandlerUrl) throw new Error(`No URL for handler name ${handlerName}`);
 		const currentUrl = typeof window === "undefined" ? null : new URL(window.location.href);
@@ -1905,7 +2064,8 @@ var _StackClientAppImplIncomplete = class _StackClientAppImplIncomplete {
 				redirectUri: plan.redirectUri,
 				state: plan.state,
 				codeChallenge: plan.codeChallenge,
-				afterCallbackRedirectUrl: plan.afterCallbackRedirectUrl
+				afterCallbackRedirectUrl: plan.afterCallbackRedirectUrl,
+				awaitPendingAuthResolutions: internalOptions?.awaitPendingAuthResolutions
 			});
 			await this._redirectTo({
 				url: crossDomainRedirectUrl,
@@ -1913,7 +2073,12 @@ var _StackClientAppImplIncomplete = class _StackClientAppImplIncomplete {
 			});
 			return;
 		}
-		await this._redirectIfTrusted(plan.url, options);
+		const redirectUrl = currentUrl != null && handlerName !== "signOut" && handlerName !== "afterSignOut" && handlerName !== "oauthCallback" ? await this._addNestedCrossDomainAuthParamsToRedirectUrl({
+			url: plan.url,
+			currentUrl,
+			awaitPendingAuthResolutions: internalOptions?.awaitPendingAuthResolutions
+		}) : plan.url;
+		await this._redirectIfTrusted(redirectUrl, options);
 	}
 	_redirectToHandlerDuringRender(handlerName, options) {
 		if (this._redirectMethod === "tanstack-start" && !isBrowserLike()) {
@@ -2170,7 +2335,7 @@ var _StackClientAppImplIncomplete = class _StackClientAppImplIncomplete {
 		const executeOAuth = async (challenge) => {
 			return await this._interface.authorizeOAuth({
 				provider,
-				redirectUrl: constructRedirectUrl(this.urls.oauthCallback, "redirectUrl"),
+				redirectUrl: constructRedirectUrl(this._getOAuthCallbackRedirectUri(), "redirectUrl"),
 				errorRedirectUrl: constructRedirectUrl(this.urls.error, "errorRedirectUrl"),
 				afterCallbackRedirectUrl,
 				type: "authenticate",
@@ -2218,7 +2383,7 @@ var _StackClientAppImplIncomplete = class _StackClientAppImplIncomplete {
 		try {
 			return await callback();
 		} catch (e) {
-			if (KnownErrors.MultiFactorAuthenticationRequired.isInstance(e)) return Result.ok(await this._experimentalMfa(e, await this._getSession()));
+			if (KnownErrors.MultiFactorAuthenticationRequired.isInstance(e)) return Result.ok(await this._experimentalMfa(e, await this._getSession(void 0, { awaitPendingAuthResolutions: false })));
 			throw e;
 		}
 	}
@@ -2293,8 +2458,8 @@ var _StackClientAppImplIncomplete = class _StackClientAppImplIncomplete {
 		}
 		if (result.status === "ok") {
 			await this._signInToAccountWithTokens(result.data);
-			if (!options?.noRedirect) if (result.data.newUser) await this.redirectToAfterSignUp({ replace: true });
-			else await this.redirectToAfterSignIn({ replace: true });
+			if (!options?.noRedirect) if (result.data.newUser) await this._redirectToHandler("afterSignUp", { replace: true }, { awaitPendingAuthResolutions: false });
+			else await this._redirectToHandler("afterSignIn", { replace: true }, { awaitPendingAuthResolutions: false });
 			return Result.ok(void 0);
 		} else return Result.error(result.error);
 	}
@@ -2409,10 +2574,10 @@ var _StackClientAppImplIncomplete = class _StackClientAppImplIncomplete {
 			return Result.ok(void 0);
 		} else return Result.error(result.error);
 	}
-	async callOAuthCallback() {
+	async callOAuthCallback(options) {
 		if (typeof window === "undefined") throw new Error("callOAuthCallback can currently only be called in a browser environment");
-		this._ensurePersistentTokenStore();
-		let oauthCallbackRedirectUri = this.urls.oauthCallback;
+		if (this._currentUrlLooksLikeOAuthCallback()) this._ensurePersistentTokenStore();
+		let oauthCallbackRedirectUri = this._getOAuthCallbackRedirectUri();
 		const currentUrl = new URL(window.location.href);
 		if (currentUrl.searchParams.get(crossDomainAuthQueryParams.marker) === "1") {
 			currentUrl.searchParams.delete("code");
@@ -2422,7 +2587,7 @@ var _StackClientAppImplIncomplete = class _StackClientAppImplIncomplete {
 		let result;
 		try {
 			result = await this._catchMfaRequiredError(async () => {
-				return await callOAuthCallback(this._interface, oauthCallbackRedirectUri);
+				return await callOAuthCallback(this._interface, oauthCallbackRedirectUri, options);
 			});
 		} catch (e) {
 			if (KnownErrors.InvalidTotpCode.isInstance(e)) {
@@ -2431,6 +2596,7 @@ var _StackClientAppImplIncomplete = class _StackClientAppImplIncomplete {
 			} else throw e;
 		}
 		if (result.status === "ok" && result.data) {
+			this._ensurePersistentTokenStore();
 			await this._signInToAccountWithTokens(result.data);
 			if ("afterCallbackRedirectUrl" in result.data && result.data.afterCallbackRedirectUrl) {
 				await this._redirectTo({
@@ -2439,10 +2605,10 @@ var _StackClientAppImplIncomplete = class _StackClientAppImplIncomplete {
 				});
 				return true;
 			} else if (result.data.newUser) {
-				await this.redirectToAfterSignUp({ replace: true });
+				await this._redirectToHandler("afterSignUp", { replace: true }, { awaitPendingAuthResolutions: false });
 				return true;
 			} else {
-				await this.redirectToAfterSignIn({ replace: true });
+				await this._redirectToHandler("afterSignIn", { replace: true }, { awaitPendingAuthResolutions: false });
 				return true;
 			}
 		}