@startsimpli/auth 0.4.13 → 0.4.15

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@startsimpli/auth",
-  "version": "0.4.13",
+  "version": "0.4.15",
   "description": "Shared authentication package for StartSimpli Next.js apps",
   "main": "./src/index.ts",
   "types": "./src/index.ts",

package/src/client/auth-client.ts

@@ -53,6 +53,8 @@ export class AuthClient {
       tokenRefreshInterval: 4 * 60 * 1000, // 4 minutes
       onSessionExpired: () => {},
       onUnauthorized: () => {},
+      loginPath: '',
+      callbackParam: 'callbackUrl',
       ...config,
     };
   }

package/src/client/auth-context.tsx

@@ -8,6 +8,7 @@ import {
   createContext,
   useContext,
   useEffect,
+  useRef,
   useState,
   useCallback,
   type ReactNode,
@@ -108,7 +109,20 @@ export function AuthProvider({
     };
   }, [authClient, initialSession]);
 
-  // Session expiration handler — covers both AuthClient timer and authFetch 401
+  // Keep refs current on every render so the stable handleExpired closure
+  // below always reads the latest config values without being in deps.
+  const loginPathRef = useRef(config.loginPath);
+  const callbackParamRef = useRef(config.callbackParam ?? 'callbackUrl');
+  const onSessionExpiredRef = useRef(config.onSessionExpired);
+  loginPathRef.current = config.loginPath;
+  callbackParamRef.current = config.callbackParam ?? 'callbackUrl';
+  onSessionExpiredRef.current = config.onSessionExpired;
+
+  // Session expiration handler — covers both AuthClient timer and authFetch 401.
+  // Depends only on authClient (a useState singleton that never changes after
+  // mount). config intentionally omitted: it's a new object literal on every
+  // render from the caller, so including it caused destroy() to fire and wipe
+  // the session on every re-render.
   useEffect(() => {
     const handleExpired = () => {
       setState({
@@ -116,18 +130,28 @@ export function AuthProvider({
         isLoading: false,
         isAuthenticated: false,
       });
-      config.onSessionExpired?.();
+      onSessionExpiredRef.current?.();
+
+      if (loginPathRef.current && typeof window !== 'undefined') {
+        const here = window.location.pathname + window.location.search;
+        const isOnLogin = window.location.pathname.startsWith(loginPathRef.current);
+        if (!isOnLogin) {
+          const callback = encodeURIComponent(here);
+          window.location.href = `${loginPathRef.current}?${callbackParamRef.current}=${callback}`;
+        }
+      }
     };
 
+    // Wire AuthClient's internal expiry calls and the functional API (FetchWrapper).
     config.onSessionExpired = handleExpired;
-    // Wire up the functional API's session expiration callback
     setOnSessionExpired(handleExpired);
 
     return () => {
       setOnSessionExpired(null);
       authClient.destroy();
     };
-  }, [authClient, config]);
+  // eslint-disable-next-line react-hooks/exhaustive-deps
+  }, [authClient]);
 
   const login = useCallback(
     async (email: string, password: string) => {

package/src/types/index.ts

@@ -111,6 +111,21 @@ export interface AuthConfig {
   tokenRefreshInterval?: number; // milliseconds, default 4 minutes
   onSessionExpired?: () => void;
   onUnauthorized?: () => void;
+  /**
+   * If set, AuthProvider redirects the browser here when the session is
+   * lost (refresh-token rejected, manual logout, etc.). The current path
+   * is appended as a query param so the login page can return the user.
+   * Same value the server-side middleware uses, e.g. `/auth/signin`.
+   * Without this set, session loss only resets React state and the user
+   * can be left on a page where every subsequent request silently 403s
+   * (raise-simpli-lxv).
+   */
+  loginPath?: string;
+  /**
+   * Query-param name appended to `loginPath` to carry the return URL.
+   * Defaults to `callbackUrl` to match the shared server middleware.
+   */
+  callbackParam?: string;
 }
 
 /**