@startsimpli/auth 0.4.15 → 0.4.17

package/src/client/__tests__/session-storage.test.ts

@@ -0,0 +1,118 @@
+import { describe, it, expect, beforeEach } from 'vitest';
+import {
+  createMemorySessionStorage,
+  createWebSessionStorage,
+  createRememberAwareSessionStorage,
+  SESSION_STORAGE_KEY,
+} from '../session-storage';
+import type { Session } from '../../types';
+
+const session: Session = {
+  user: {
+    id: 'u1',
+    email: 'a@x.test',
+    firstName: 'A',
+    lastName: 'B',
+    isEmailVerified: true,
+    createdAt: '',
+    updatedAt: '',
+  },
+  accessToken: 'tok',
+  expiresAt: Date.now() + 1e6,
+};
+
+describe('createMemorySessionStorage', () => {
+  it('round-trips and clears', async () => {
+    const s = createMemorySessionStorage();
+    expect(await s.load()).toBeNull();
+    await s.save(session);
+    expect((await s.load())?.user.email).toBe('a@x.test');
+    await s.clear();
+    expect(await s.load()).toBeNull();
+  });
+});
+
+describe('createWebSessionStorage', () => {
+  beforeEach(() => localStorage.clear());
+
+  it('persists to localStorage and reads it back', async () => {
+    const s = createWebSessionStorage();
+    await s.save(session);
+    expect(localStorage.getItem(SESSION_STORAGE_KEY)).toBeTruthy();
+    expect((await s.load())?.accessToken).toBe('tok');
+  });
+
+  it('honors a custom key and an injected Storage', async () => {
+    const backing = createMemoryStorage();
+    const s = createWebSessionStorage({ key: 'k2', storage: backing });
+    await s.save(session);
+    expect(backing.getItem('k2')).toBeTruthy();
+    expect((await s.load())?.user.id).toBe('u1');
+    await s.clear();
+    expect(backing.getItem('k2')).toBeNull();
+  });
+
+  it('returns null on malformed JSON rather than throwing', async () => {
+    localStorage.setItem(SESSION_STORAGE_KEY, '{not json');
+    const s = createWebSessionStorage();
+    expect(await s.load()).toBeNull();
+  });
+
+  it('returns null when the stored value is not a Session shape', async () => {
+    localStorage.setItem(SESSION_STORAGE_KEY, JSON.stringify({ nope: true }));
+    const s = createWebSessionStorage();
+    expect(await s.load()).toBeNull();
+  });
+});
+
+describe('createRememberAwareSessionStorage', () => {
+  it('persists to the persistent store when remembering', async () => {
+    const persistent = createMemorySessionStorage();
+    const s = createRememberAwareSessionStorage(persistent, () => true);
+    await s.save(session);
+    expect((await persistent.load())?.accessToken).toBe('tok');
+    expect((await s.load())?.accessToken).toBe('tok');
+  });
+
+  it('does NOT persist (and clears) when not remembering', async () => {
+    const persistent = createMemorySessionStorage();
+    const s = createRememberAwareSessionStorage(persistent, () => false);
+    await s.save(session);
+    expect(await persistent.load()).toBeNull();
+    expect(await s.load()).toBeNull();
+  });
+
+  it('clears the persistent store when switching from remember to not', async () => {
+    const persistent = createMemorySessionStorage();
+    let remember = true;
+    const s = createRememberAwareSessionStorage(persistent, () => remember);
+    await s.save(session);
+    expect(await s.load()).not.toBeNull();
+    remember = false;
+    await s.save(session);
+    expect(await persistent.load()).toBeNull();
+  });
+
+  it('clear() wipes both stores', async () => {
+    const persistent = createMemorySessionStorage();
+    const s = createRememberAwareSessionStorage(persistent, () => true);
+    await s.save(session);
+    await s.clear();
+    expect(await s.load()).toBeNull();
+  });
+});
+
+// Minimal Storage impl for the injected-storage test.
+function createMemoryStorage(): Storage {
+  const map = new Map<string, string>();
+  return {
+    get length() {
+      return map.size;
+    },
+    clear: () => map.clear(),
+    getItem: (k: string) => (map.has(k) ? map.get(k)! : null),
+    key: (i: number) => Array.from(map.keys())[i] ?? null,
+    removeItem: (k: string) => void map.delete(k),
+    setItem: (k: string, v: string) => void map.set(k, String(v)),
+  } as Storage;
+}

package/src/client/__tests__/token-auth-core.test.ts

@@ -0,0 +1,190 @@
+import { describe, it, expect, beforeEach, vi } from 'vitest';
+import {
+  TokenAuthClient,
+  InMemoryTokenStorage,
+  type TokenStorage,
+} from '../token-auth-core';
+
+// Build a fake (unsigned) JWT with a real `exp` so getTokenExpiresAt works.
+function makeToken(secondsFromNow = 3600): string {
+  const exp = Math.floor(Date.now() / 1000) + secondsFromNow;
+  const header = btoa(JSON.stringify({ alg: 'HS256', typ: 'JWT' }));
+  const body = btoa(JSON.stringify({ tokenType: 'access', exp, iat: exp - 3600, jti: 'x', userId: '1' }));
+  return `${header}.${body}.sig`;
+}
+
+const ACCESS = makeToken();
+const ACCESS2 = makeToken(7200);
+
+// Minimal fetch-mock helper returning a Response-like object.
+function jsonResponse(body: unknown, ok = true, status = 200) {
+  return { ok, status, json: async () => body } as Response;
+}
+
+function makeClient(storage: TokenStorage = new InMemoryTokenStorage()) {
+  const fetchMock = vi.fn<typeof fetch>();
+  const client = new TokenAuthClient({
+    apiBaseUrl: 'http://localhost:8001',
+    storage,
+    fetch: fetchMock,
+  });
+  return { client, fetchMock, storage };
+}
+
+// Pull [url, init] out of the Nth fetch call for assertions.
+function call(fetchMock: ReturnType<typeof vi.fn>, n = 0): [string, RequestInit] {
+  const [url, init] = fetchMock.mock.calls[n];
+  return [String(url), (init ?? {}) as RequestInit];
+}
+
+describe('TokenAuthClient.login', () => {
+  beforeEach(() => vi.restoreAllMocks());
+
+  it('opts into token mode (X-Auth-Mode), stores the refresh token, returns a session', async () => {
+    const { client, fetchMock, storage } = makeClient();
+    fetchMock.mockResolvedValueOnce(
+      jsonResponse({ access: ACCESS, refresh: 'refresh-1', user: { id: 'u1', email: 'a@b.co' } })
+    );
+
+    const session = await client.login('a@b.co', 'pw');
+
+    const [url, init] = call(fetchMock);
+    expect(url).toBe('http://localhost:8001/api/v1/auth/token/');
+    expect(init.method).toBe('POST');
+    expect((init.headers as Record<string, string>)['X-Auth-Mode']).toBe('token');
+    expect(JSON.parse(init.body as string)).toEqual({ email: 'a@b.co', password: 'pw' });
+
+    expect(session.accessToken).toBe(ACCESS);
+    expect(session.expiresAt).toBeGreaterThan(Date.now());
+    expect(session.user.id).toBe('u1');
+    expect(client.getAccessToken()).toBe(ACCESS);
+    expect(await storage.getRefreshToken()).toBe('refresh-1');
+  });
+
+  it('fetches /me/ when the login response omits the user', async () => {
+    const { client, fetchMock } = makeClient();
+    fetchMock
+      .mockResolvedValueOnce(jsonResponse({ access: ACCESS, refresh: 'r' })) // login, no user
+      .mockResolvedValueOnce(
+        jsonResponse({ user: { id: 'u9', email: 'me@x.co', first_name: 'Me', last_name: 'X' } })
+      ); // /me/
+
+    const session = await client.login('me@x.co', 'pw');
+
+    expect(fetchMock).toHaveBeenCalledTimes(2);
+    expect(call(fetchMock, 1)[0]).toBe('http://localhost:8001/api/v1/auth/me/');
+    expect(session.user.id).toBe('u9');
+    expect(session.user.firstName).toBe('Me');
+  });
+
+  it('throws the extracted API error on failure and stores nothing', async () => {
+    const { client, fetchMock, storage } = makeClient();
+    fetchMock.mockResolvedValueOnce(
+      jsonResponse({ error: 'No active account found' }, false, 401)
+    );
+
+    await expect(client.login('a@b.co', 'bad')).rejects.toThrow('No active account found');
+    expect(await storage.getRefreshToken()).toBeNull();
+    expect(client.getAccessToken()).toBeNull();
+  });
+});
+
+describe('TokenAuthClient.refreshToken', () => {
+  beforeEach(() => vi.restoreAllMocks());
+
+  it('sends the stored refresh token in the body and rotates it', async () => {
+    const storage = new InMemoryTokenStorage();
+    await storage.setRefreshToken('refresh-old');
+    const { client, fetchMock } = makeClient(storage);
+    fetchMock.mockResolvedValueOnce(jsonResponse({ access: ACCESS2, refresh: 'refresh-new' }));
+
+    const access = await client.refreshToken();
+
+    const [url, init] = call(fetchMock);
+    expect(url).toBe('http://localhost:8001/api/v1/auth/token/refresh/');
+    expect(JSON.parse(init.body as string)).toEqual({ refresh: 'refresh-old' });
+    expect(access).toBe(ACCESS2);
+    expect(client.getAccessToken()).toBe(ACCESS2);
+    expect(await storage.getRefreshToken()).toBe('refresh-new'); // rotated
+  });
+
+  it('throws when there is no stored refresh token', async () => {
+    const { client, fetchMock } = makeClient();
+    await expect(client.refreshToken()).rejects.toThrow();
+    expect(fetchMock).not.toHaveBeenCalled();
+  });
+
+  it('clears storage when the refresh is rejected', async () => {
+    const storage = new InMemoryTokenStorage();
+    await storage.setRefreshToken('refresh-old');
+    const { client, fetchMock } = makeClient(storage);
+    fetchMock.mockResolvedValueOnce(jsonResponse({ detail: 'expired' }, false, 401));
+
+    await expect(client.refreshToken()).rejects.toThrow();
+    expect(await storage.getRefreshToken()).toBeNull();
+  });
+});
+
+describe('TokenAuthClient.logout', () => {
+  beforeEach(() => vi.restoreAllMocks());
+
+  it('sends Bearer access + refresh in the body and clears storage', async () => {
+    const storage = new InMemoryTokenStorage();
+    await storage.setRefreshToken('refresh-1');
+    const { client, fetchMock } = makeClient(storage);
+    // seed an access token via a login
+    fetchMock.mockResolvedValueOnce(jsonResponse({ access: ACCESS, refresh: 'refresh-1', user: { id: 'u', email: 'e@e.co' } }));
+    await client.login('e@e.co', 'pw');
+    fetchMock.mockResolvedValueOnce(jsonResponse({}, true, 205));
+
+    await client.logout();
+
+    const [url, init] = call(fetchMock, 1);
+    expect(url).toBe('http://localhost:8001/api/v1/auth/logout/');
+    expect((init.headers as Record<string, string>)['Authorization']).toBe(`Bearer ${ACCESS}`);
+    expect(JSON.parse(init.body as string)).toEqual({ refresh: 'refresh-1' });
+    expect(await storage.getRefreshToken()).toBeNull();
+    expect(client.getAccessToken()).toBeNull();
+  });
+
+  it('clears storage even if the network call fails', async () => {
+    const storage = new InMemoryTokenStorage();
+    await storage.setRefreshToken('refresh-1');
+    const { client, fetchMock } = makeClient(storage);
+    fetchMock.mockRejectedValueOnce(new Error('network down'));
+
+    await client.logout();
+    expect(await storage.getRefreshToken()).toBeNull();
+  });
+});
+
+describe('TokenAuthClient.getCurrentUser', () => {
+  beforeEach(() => vi.restoreAllMocks());
+
+  it('sends Bearer and normalizes the snake_case {user} envelope', async () => {
+    const { client, fetchMock } = makeClient();
+    fetchMock.mockResolvedValueOnce(
+      jsonResponse({
+        user: {
+          id: 'abc',
+          email: 't@x.co',
+          first_name: 'Test',
+          last_name: 'User',
+          is_email_verified: true,
+          created_at: '2026-01-01T00:00:00Z',
+          updated_at: '2026-01-02T00:00:00Z',
+        },
+      })
+    );
+
+    const user = await client.getCurrentUser(ACCESS);
+
+    const [url, init] = call(fetchMock);
+    expect(url).toBe('http://localhost:8001/api/v1/auth/me/');
+    expect((init.headers as Record<string, string>)['Authorization']).toBe(`Bearer ${ACCESS}`);
+    expect(user.id).toBe('abc');
+    expect(user.firstName).toBe('Test');
+    expect(user.lastName).toBe('User');
+    expect(user.isEmailVerified).toBe(true);
+  });
+});

package/src/client/auth-client.ts

@@ -13,6 +13,7 @@ import type {
 import { isTokenExpired, getTokenExpiresAt, shouldRefreshToken } from '../utils';
 import { extractApiError, setAccessToken as setModuleAccessToken } from './functions';
 import { deleteCookie } from '../utils/cookies';
+import type { AuthBackend, RegisterPayload } from './backend';
 
 /**
  * sessionStorage key set by logout to suppress any subsequent
@@ -41,7 +42,7 @@ function hasLoggedOutFlag(): boolean {
   }
 }
 
-export class AuthClient {
+export class AuthClient implements AuthBackend {
   private config: Required<AuthConfig>;
   private session: Session | null = null;
   private refreshTimer: NodeJS.Timeout | null = null;
@@ -118,14 +119,7 @@ export class AuthClient {
    * backend returns a user in the response, use it directly; otherwise fall
    * back to /me/ (same pattern as login).
    */
-  async register(payload: {
-    email: string;
-    password: string;
-    passwordConfirm: string;
-    name?: string;
-    firstName?: string;
-    lastName?: string;
-  }): Promise<Session> {
+  async register(payload: RegisterPayload): Promise<Session> {
     // Derive first/last from `name` if the caller used it.
     const rawName = payload.name?.trim() ?? '';
     const [firstFromName, ...rest] = rawName ? rawName.split(/\s+/) : [];
@@ -138,7 +132,6 @@ export class AuthClient {
       body: JSON.stringify({
         email: payload.email,
         password: payload.password,
-        password_confirm: payload.passwordConfirm,
         name: payload.name,
         first_name: payload.firstName ?? firstFromName ?? undefined,
         last_name: payload.lastName ?? lastFromName ?? undefined,
@@ -197,8 +190,66 @@ export class AuthClient {
    * Complete a Google OAuth callback: exchange the code + state for a session.
    */
   async completeGoogleCallback(code: string, state: string): Promise<Session> {
+    return this.completeOAuthCallback('google', code, state);
+  }
+
+  /**
+   * Kick off Microsoft OAuth (Azure AD / Entra ID). Mirrors the Google flow;
+   * the backend returns `{ authorization_url }`.
+   */
+  async signInWithMicrosoft(redirectTo?: string): Promise<string> {
+    const defaultRedirect =
+      typeof window !== 'undefined'
+        ? `${window.location.origin}/oauth/microsoft/callback`
+        : '';
+    const redirectUri = redirectTo ?? defaultRedirect;
+
+    const response = await fetch(
+      `${this.config.apiBaseUrl}/api/v1/auth/oauth/microsoft/initiate/`,
+      {
+        method: 'POST',
+        headers: { 'Content-Type': 'application/json' },
+        credentials: 'include',
+        body: JSON.stringify({ redirect_uri: redirectUri }),
+      }
+    );
+
+    const data = await response.json().catch(() => ({} as Record<string, unknown>));
+
+    if (!response.ok) {
+      throw new Error(
+        extractApiError(data as Record<string, unknown>, 'Failed to initiate Microsoft OAuth')
+      );
+    }
+
+    // Microsoft backend returns `authorization_url`; fall back to other casings.
+    const obj = data as { authorization_url?: string; auth_url?: string; authUrl?: string };
+    const url = obj.authorization_url ?? obj.auth_url ?? obj.authUrl;
+    if (!url) {
+      throw new Error('OAuth initiation succeeded but no authorization_url was returned');
+    }
+    return url;
+  }
+
+  /**
+   * Complete a Microsoft OAuth callback: exchange the code + state for a session.
+   */
+  async completeMicrosoftCallback(code: string, state: string): Promise<Session> {
+    return this.completeOAuthCallback('microsoft', code, state);
+  }
+
+  /**
+   * Provider-agnostic OAuth callback completion. Both Google and Microsoft
+   * speak the same `GET /api/v1/auth/oauth/<provider>/callback/?code=&state=`
+   * shape, so we share the implementation and just swap the path segment.
+   */
+  private async completeOAuthCallback(
+    provider: 'google' | 'microsoft',
+    code: string,
+    state: string,
+  ): Promise<Session> {
     const url = new URL(
-      `${this.config.apiBaseUrl}/api/v1/auth/oauth/google/callback/`
+      `${this.config.apiBaseUrl}/api/v1/auth/oauth/${provider}/callback/`
     );
     url.searchParams.set('code', code);
     url.searchParams.set('state', state);
@@ -508,6 +559,15 @@ export class AuthClient {
     }
   }
 
+  /**
+   * AuthBackend contract: restore a persisted session on mount. For the
+   * Django client this is the refresh-token-cookie bootstrap; aliased so the
+   * provider can call a backend-neutral name.
+   */
+  restoreSession(): Promise<Session | null> {
+    return this.bootstrapFromCookies();
+  }
+
   /**
    * Get current session
    */

package/src/client/auth-context.tsx

@@ -15,6 +15,7 @@ import {
 } from 'react';
 import { AuthClient } from './auth-client';
 import { setOnSessionExpired } from './functions';
+import type { AuthBackend } from './backend';
 import type { AuthConfig, AuthState, Session, AuthUser } from '../types';
 
 interface AuthContextValue extends AuthState {
@@ -25,13 +26,14 @@ interface AuthContextValue extends AuthState {
   register: (payload: {
     email: string;
     password: string;
-    passwordConfirm: string;
     name?: string;
     firstName?: string;
     lastName?: string;
   }) => Promise<void>;
   signInWithGoogle: (redirectTo?: string) => Promise<string>;
   completeGoogleCallback: (code: string, state: string) => Promise<void>;
+  signInWithMicrosoft: (redirectTo?: string) => Promise<string>;
+  completeMicrosoftCallback: (code: string, state: string) => Promise<void>;
   /**
    * Hydrate the provider with an externally-acquired session. Used by OAuth
    * callback flows that run the token exchange via a component (OAuthCallback)
@@ -45,16 +47,33 @@ const AuthContext = createContext<AuthContextValue | undefined>(undefined);
 
 interface AuthProviderProps {
   children: ReactNode;
-  config: AuthConfig;
+  /**
+   * Django/JWT configuration. Used to construct the default {@link AuthClient}.
+   * Optional when an explicit `backend` is supplied instead.
+   */
+  config?: AuthConfig;
+  /**
+   * An explicit {@link AuthBackend} to drive auth state. When provided, the
+   * provider uses it directly and ignores `config` (no AuthClient is created).
+   * This is how backendless apps inject a mock/offline backend.
+   */
+  backend?: AuthBackend;
   initialSession?: Session | null;
 }
 
 export function AuthProvider({
   children,
   config,
+  backend,
   initialSession,
 }: AuthProviderProps) {
-  const [authClient] = useState(() => new AuthClient(config));
+  const [authClient] = useState<AuthBackend>(() => {
+    if (backend) return backend;
+    if (!config) {
+      throw new Error('AuthProvider requires either a `config` or a `backend` prop');
+    }
+    return new AuthClient(config);
+  });
   const [state, setState] = useState<AuthState>(() => ({
     session: initialSession || null,
     isLoading: !initialSession,
@@ -90,7 +109,7 @@ export function AuthProvider({
     }
 
     authClient
-      .bootstrapFromCookies()
+      .restoreSession()
       .then((session) => {
         if (cancelled) return;
         setState({
@@ -111,12 +130,12 @@ export function AuthProvider({
 
   // Keep refs current on every render so the stable handleExpired closure
   // below always reads the latest config values without being in deps.
-  const loginPathRef = useRef(config.loginPath);
-  const callbackParamRef = useRef(config.callbackParam ?? 'callbackUrl');
-  const onSessionExpiredRef = useRef(config.onSessionExpired);
-  loginPathRef.current = config.loginPath;
-  callbackParamRef.current = config.callbackParam ?? 'callbackUrl';
-  onSessionExpiredRef.current = config.onSessionExpired;
+  const loginPathRef = useRef(config?.loginPath);
+  const callbackParamRef = useRef(config?.callbackParam ?? 'callbackUrl');
+  const onSessionExpiredRef = useRef(config?.onSessionExpired);
+  loginPathRef.current = config?.loginPath;
+  callbackParamRef.current = config?.callbackParam ?? 'callbackUrl';
+  onSessionExpiredRef.current = config?.onSessionExpired;
 
   // Session expiration handler — covers both AuthClient timer and authFetch 401.
   // Depends only on authClient (a useState singleton that never changes after
@@ -133,21 +152,51 @@ export function AuthProvider({
       onSessionExpiredRef.current?.();
 
       if (loginPathRef.current && typeof window !== 'undefined') {
-        const here = window.location.pathname + window.location.search;
-        const isOnLogin = window.location.pathname.startsWith(loginPathRef.current);
-        if (!isOnLogin) {
-          const callback = encodeURIComponent(here);
-          window.location.href = `${loginPathRef.current}?${callbackParamRef.current}=${callback}`;
+        const loginPath = loginPathRef.current;
+        const callbackParam = callbackParamRef.current;
+        const here = window.location.href;
+        const isAbsolute = /^https?:\/\//i.test(loginPath);
+
+        if (isAbsolute) {
+          // Full-URL loginPath (e.g. central auth host at
+          // https://auth.startsimpli.com/signin?app=vault). Avoid bouncing if
+          // we're already on that host+pathname, and preserve any pre-existing
+          // query params on the loginPath (e.g. ?app=vault) by appending the
+          // callback via URL/searchParams instead of naive string concat.
+          try {
+            const target = new URL(loginPath);
+            const current = new URL(window.location.href);
+            const isOnLogin =
+              current.host === target.host && current.pathname === target.pathname;
+            if (!isOnLogin) {
+              target.searchParams.set(callbackParam, here);
+              window.location.href = target.toString();
+            }
+          } catch {
+            // Malformed loginPath — fall through to no-op rather than crash.
+          }
+        } else {
+          const path = window.location.pathname + window.location.search;
+          const isOnLogin = window.location.pathname.startsWith(loginPath);
+          if (!isOnLogin) {
+            const callback = encodeURIComponent(path);
+            const sep = loginPath.includes('?') ? '&' : '?';
+            window.location.href = `${loginPath}${sep}${callbackParam}=${callback}`;
+          }
         }
       }
     };
 
     // Wire AuthClient's internal expiry calls and the functional API (FetchWrapper).
-    config.onSessionExpired = handleExpired;
+    // The Django client reads expiry via config; non-config backends (e.g. mock)
+    // accept the handler through the optional setOnSessionExpired method.
+    if (config) config.onSessionExpired = handleExpired;
+    authClient.setOnSessionExpired?.(handleExpired);
     setOnSessionExpired(handleExpired);
 
     return () => {
       setOnSessionExpired(null);
+      authClient.setOnSessionExpired?.(null);
       authClient.destroy();
     };
   // eslint-disable-next-line react-hooks/exhaustive-deps
@@ -208,7 +257,6 @@ export function AuthProvider({
     async (payload: {
       email: string;
       password: string;
-      passwordConfirm: string;
       name?: string;
       firstName?: string;
       lastName?: string;
@@ -247,6 +295,33 @@ export function AuthProvider({
     [authClient]
   );
 
+  const signInWithMicrosoft = useCallback(
+    async (redirectTo?: string) => {
+      if (!authClient.signInWithMicrosoft) {
+        throw new Error('signInWithMicrosoft is not supported by this auth backend');
+      }
+      return authClient.signInWithMicrosoft(redirectTo);
+    },
+    [authClient]
+  );
+
+  const completeMicrosoftCallback = useCallback(
+    async (code: string, state: string) => {
+      if (!authClient.completeMicrosoftCallback) {
+        throw new Error('completeMicrosoftCallback is not supported by this auth backend');
+      }
+      setState((prev) => ({ ...prev, isLoading: true }));
+      try {
+        const session = await authClient.completeMicrosoftCallback(code, state);
+        setState({ session, isLoading: false, isAuthenticated: true });
+      } catch (error) {
+        setState((prev) => ({ ...prev, isLoading: false }));
+        throw error;
+      }
+    },
+    [authClient]
+  );
+
   const hydrateSession = useCallback(
     (session: Session) => {
       authClient.setSession(session);
@@ -264,6 +339,8 @@ export function AuthProvider({
     register,
     signInWithGoogle,
     completeGoogleCallback,
+    signInWithMicrosoft,
+    completeMicrosoftCallback,
     hydrateSession,
   };