@superbuilders/primer-tives 3.6.0 → 3.7.0

package/README.md

@@ -17,7 +17,7 @@ bun add @superbuilders/primer-tives
 
 ## Version
 
-The current SDK version is `3.6.0`.
+The current SDK version is `3.7.0`.
 
 ## Entrypoints
 

package/dist/client/auth/browser.d.ts

@@ -11,10 +11,7 @@ declare function browserStorage(options: HostedAuthOptions | undefined, logger:
 declare function currentUrl(options: HostedAuthOptions | undefined, logger: PrimerLogger): URL;
 declare function redirectUri(options: HostedAuthOptions | undefined, url: URL, logger: PrimerLogger): string;
 declare function randomClientState(logger: PrimerLogger): string;
-declare function clearCallbackHash(options: HostedAuthOptions | undefined, url: URL): void;
 declare function openAuthPopup(url: string, options: HostedAuthOptions | undefined, logger: PrimerLogger): Window;
-declare function readablePopupUrl(popup: Window): string | null;
-declare function sleep(ms: number): Promise<void>;
-export { browserStorage, clearCallbackHash, currentUrl, openAuthPopup, randomClientState, readablePopupUrl, redirectUri, sleep };
+export { browserStorage, currentUrl, openAuthPopup, randomClientState, redirectUri };
 export type { HostedAuthOptions };
 //# sourceMappingURL=browser.d.ts.map

package/dist/client/auth/browser.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"browser.d.ts","sourceRoot":"","sources":["../../../src/client/auth/browser.ts"],"names":[],"mappings":"AAMA,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,oCAAoC,CAAA;AAEtE,KAAK,iBAAiB,GAAG;IACxB,QAAQ,CAAC,WAAW,CAAC,EAAE,MAAM,CAAA;IAC7B,QAAQ,CAAC,OAAO,CAAC,EAAE,OAAO,CAAA;IAC1B,QAAQ,CAAC,UAAU,CAAC,EAAE,MAAM,CAAA;IAC5B,QAAQ,CAAC,WAAW,CAAC,EAAE,MAAM,CAAA;IAC7B,QAAQ,CAAC,aAAa,CAAC,EAAE,MAAM,CAAA;IAC/B,QAAQ,CAAC,cAAc,CAAC,EAAE,MAAM,CAAA;CAChC,CAAA;AAED,iBAAS,cAAc,CAAC,OAAO,EAAE,iBAAiB,GAAG,SAAS,EAAE,MAAM,EAAE,YAAY,GAAG,OAAO,CAS7F;AAED,iBAAS,UAAU,CAAC,OAAO,EAAE,iBAAiB,GAAG,SAAS,EAAE,MAAM,EAAE,YAAY,GAAG,GAAG,CAarF;AAED,iBAAS,WAAW,CACnB,OAAO,EAAE,iBAAiB,GAAG,SAAS,EACtC,GAAG,EAAE,GAAG,EACR,MAAM,EAAE,YAAY,GAClB,MAAM,CASR;AAED,iBAAS,iBAAiB,CAAC,MAAM,EAAE,YAAY,GAAG,MAAM,CAYvD;AAED,iBAAS,iBAAiB,CAAC,OAAO,EAAE,iBAAiB,GAAG,SAAS,EAAE,GAAG,EAAE,GAAG,GAAG,IAAI,CASjF;AAED,iBAAS,aAAa,CACrB,GAAG,EAAE,MAAM,EACX,OAAO,EAAE,iBAAiB,GAAG,SAAS,EACtC,MAAM,EAAE,YAAY,GAClB,MAAM,CAmBR;AAED,iBAAS,gBAAgB,CAAC,KAAK,EAAE,MAAM,GAAG,MAAM,GAAG,IAAI,CAQtD;AAED,iBAAS,KAAK,CAAC,EAAE,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAIxC;AAED,OAAO,EACN,cAAc,EACd,iBAAiB,EACjB,UAAU,EACV,aAAa,EACb,iBAAiB,EACjB,gBAAgB,EAChB,WAAW,EACX,KAAK,EACL,CAAA;AACD,YAAY,EAAE,iBAAiB,EAAE,CAAA"}
+{"version":3,"file":"browser.d.ts","sourceRoot":"","sources":["../../../src/client/auth/browser.ts"],"names":[],"mappings":"AAKA,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,oCAAoC,CAAA;AAEtE,KAAK,iBAAiB,GAAG;IACxB,QAAQ,CAAC,WAAW,CAAC,EAAE,MAAM,CAAA;IAC7B,QAAQ,CAAC,OAAO,CAAC,EAAE,OAAO,CAAA;IAC1B,QAAQ,CAAC,UAAU,CAAC,EAAE,MAAM,CAAA;IAC5B,QAAQ,CAAC,WAAW,CAAC,EAAE,MAAM,CAAA;IAC7B,QAAQ,CAAC,aAAa,CAAC,EAAE,MAAM,CAAA;IAC/B,QAAQ,CAAC,cAAc,CAAC,EAAE,MAAM,CAAA;CAChC,CAAA;AAED,iBAAS,cAAc,CAAC,OAAO,EAAE,iBAAiB,GAAG,SAAS,EAAE,MAAM,EAAE,YAAY,GAAG,OAAO,CAS7F;AAED,iBAAS,UAAU,CAAC,OAAO,EAAE,iBAAiB,GAAG,SAAS,EAAE,MAAM,EAAE,YAAY,GAAG,GAAG,CAarF;AAED,iBAAS,WAAW,CACnB,OAAO,EAAE,iBAAiB,GAAG,SAAS,EACtC,GAAG,EAAE,GAAG,EACR,MAAM,EAAE,YAAY,GAClB,MAAM,CASR;AAED,iBAAS,iBAAiB,CAAC,MAAM,EAAE,YAAY,GAAG,MAAM,CAYvD;AAED,iBAAS,aAAa,CACrB,GAAG,EAAE,MAAM,EACX,OAAO,EAAE,iBAAiB,GAAG,SAAS,EACtC,MAAM,EAAE,YAAY,GAClB,MAAM,CAmBR;AAED,OAAO,EAAE,cAAc,EAAE,UAAU,EAAE,aAAa,EAAE,iBAAiB,EAAE,WAAW,EAAE,CAAA;AACpF,YAAY,EAAE,iBAAiB,EAAE,CAAA"}

package/dist/client/auth/hosted-popup.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"hosted-popup.d.ts","sourceRoot":"","sources":["../../../src/client/auth/hosted-popup.ts"],"names":[],"mappings":"AAMA,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,oCAAoC,CAAA;AACtE,OAAO,EAKN,KAAK,iBAAiB,EACtB,MAAM,iDAAiD,CAAA;AAMxD,KAAK,iBAAiB,GAAG;IACxB,QAAQ,CAAC,MAAM,EAAE,MAAM,CAAA;IACvB,QAAQ,CAAC,cAAc,EAAE,MAAM,CAAA;IAC/B,QAAQ,CAAC,UAAU,EAAE,GAAG,CAAA;IACxB,QAAQ,CAAC,WAAW,EAAE,MAAM,CAAA;IAC5B,QAAQ,CAAC,OAAO,CAAC,EAAE,iBAAiB,CAAA;IACpC,QAAQ,CAAC,MAAM,EAAE,YAAY,CAAA;CAC7B,CAAA;AA6CD,iBAAe,gBAAgB,CAAC,MAAM,EAAE,iBAAiB,GAAG,OAAO,CAAC,MAAM,CAAC,CA8B1E;AAED,OAAO,EAAE,gBAAgB,EAAE,CAAA;AAC3B,YAAY,EAAE,iBAAiB,EAAE,CAAA"}
+{"version":3,"file":"hosted-popup.d.ts","sourceRoot":"","sources":["../../../src/client/auth/hosted-popup.ts"],"names":[],"mappings":"AAKA,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,oCAAoC,CAAA;AACtE,OAAO,EAGN,KAAK,iBAAiB,EACtB,MAAM,iDAAiD,CAAA;AAOxD,KAAK,iBAAiB,GAAG;IACxB,QAAQ,CAAC,MAAM,EAAE,MAAM,CAAA;IACvB,QAAQ,CAAC,cAAc,EAAE,MAAM,CAAA;IAC/B,QAAQ,CAAC,UAAU,EAAE,GAAG,CAAA;IACxB,QAAQ,CAAC,WAAW,EAAE,MAAM,CAAA;IAC5B,QAAQ,CAAC,OAAO,CAAC,EAAE,iBAAiB,CAAA;IACpC,QAAQ,CAAC,MAAM,EAAE,YAAY,CAAA;CAC7B,CAAA;AAwJD,iBAAe,gBAAgB,CAAC,MAAM,EAAE,iBAAiB,GAAG,OAAO,CAAC,MAAM,CAAC,CAU1E;AAED,OAAO,EAAE,gBAAgB,EAAE,CAAA;AAC3B,YAAY,EAAE,iBAAiB,EAAE,CAAA"}

package/dist/client/auth/provider.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"provider.d.ts","sourceRoot":"","sources":["../../../src/client/auth/provider.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,oCAAoC,CAAA;AACtE,OAAO,EAKN,KAAK,iBAAiB,EACtB,MAAM,iDAAiD,CAAA;AAMxD,OAAO,EAEN,KAAK,mBAAmB,EACxB,MAAM,sDAAsD,CAAA;AAU7D,KAAK,0BAA0B,GAAG;IACjC,QAAQ,CAAC,MAAM,EAAE,MAAM,CAAA;IACvB,QAAQ,CAAC,cAAc,EAAE,MAAM,CAAA;IAC/B,QAAQ,CAAC,WAAW,CAAC,EAAE,MAAM,CAAA;IAC7B,QAAQ,CAAC,UAAU,CAAC,EAAE,iBAAiB,CAAA;IACvC,QAAQ,CAAC,MAAM,EAAE,YAAY,CAAA;CAC7B,CAAA;AAED,KAAK,yBAAyB,GAAG;IAChC,QAAQ,CAAC,IAAI,EAAE,UAAU,CAAA;IACzB,QAAQ,CAAC,WAAW,EAAE,mBAAmB,CAAA;CACzC,CAAA;AAED,KAAK,gCAAgC,GAAG;IACvC,QAAQ,CAAC,IAAI,EAAE,iBAAiB,CAAA;IAChC,QAAQ,CAAC,KAAK,EAAE,KAAK,GAAG,IAAI,CAAA;CAC5B,CAAA;AAED,KAAK,sBAAsB,GAAG;IAC7B,QAAQ,CAAC,IAAI,EAAE,OAAO,CAAA;IACtB,QAAQ,CAAC,KAAK,EAAE,KAAK,CAAA;CACrB,CAAA;AAED,KAAK,yBAAyB,GAC3B,yBAAyB,GACzB,gCAAgC,GAChC,sBAAsB,CAAA;AAEzB,KAAK,iBAAiB,GAAG,yBAAyB,GAAG,gCAAgC,CAAA;AAkGrF,iBAAS,0BAA0B,CAClC,OAAO,EAAE,0BAA0B,GACjC,yBAAyB,CAqB3B;AAED,iBAAe,gBAAgB,CAAC,OAAO,EAAE,0BAA0B,GAAG,OAAO,CAAC,iBAAiB,CAAC,CAqC/F;AAED,OAAO,EAAE,gBAAgB,EAAE,0BAA0B,EAAE,CAAA;AACvD,YAAY,EAAE,0BAA0B,EAAE,yBAAyB,EAAE,iBAAiB,EAAE,CAAA"}
+{"version":3,"file":"provider.d.ts","sourceRoot":"","sources":["../../../src/client/auth/provider.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,oCAAoC,CAAA;AACtE,OAAO,EAIN,KAAK,iBAAiB,EACtB,MAAM,iDAAiD,CAAA;AAExD,OAAO,EAEN,KAAK,mBAAmB,EACxB,MAAM,sDAAsD,CAAA;AAS7D,KAAK,0BAA0B,GAAG;IACjC,QAAQ,CAAC,MAAM,EAAE,MAAM,CAAA;IACvB,QAAQ,CAAC,cAAc,EAAE,MAAM,CAAA;IAC/B,QAAQ,CAAC,WAAW,CAAC,EAAE,MAAM,CAAA;IAC7B,QAAQ,CAAC,UAAU,CAAC,EAAE,iBAAiB,CAAA;IACvC,QAAQ,CAAC,MAAM,EAAE,YAAY,CAAA;CAC7B,CAAA;AAED,KAAK,yBAAyB,GAAG;IAChC,QAAQ,CAAC,IAAI,EAAE,UAAU,CAAA;IACzB,QAAQ,CAAC,WAAW,EAAE,mBAAmB,CAAA;CACzC,CAAA;AAED,KAAK,gCAAgC,GAAG;IACvC,QAAQ,CAAC,IAAI,EAAE,iBAAiB,CAAA;IAChC,QAAQ,CAAC,KAAK,EAAE,KAAK,GAAG,IAAI,CAAA;CAC5B,CAAA;AAED,KAAK,sBAAsB,GAAG;IAC7B,QAAQ,CAAC,IAAI,EAAE,OAAO,CAAA;IACtB,QAAQ,CAAC,KAAK,EAAE,KAAK,CAAA;CACrB,CAAA;AAED,KAAK,yBAAyB,GAC3B,yBAAyB,GACzB,gCAAgC,GAChC,sBAAsB,CAAA;AAEzB,KAAK,iBAAiB,GAAG,yBAAyB,GAAG,gCAAgC,CAAA;AA4DrF,iBAAS,0BAA0B,CAClC,OAAO,EAAE,0BAA0B,GACjC,yBAAyB,CAe3B;AAED,iBAAe,gBAAgB,CAAC,OAAO,EAAE,0BAA0B,GAAG,OAAO,CAAC,iBAAiB,CAAC,CAqC/F;AAED,OAAO,EAAE,gBAAgB,EAAE,0BAA0B,EAAE,CAAA;AACvD,YAAY,EAAE,0BAA0B,EAAE,yBAAyB,EAAE,iBAAiB,EAAE,CAAA"}

package/dist/client/index.js

@@ -1,3 +1,41 @@
+var __dispose = Symbol.dispose || /* @__PURE__ */ Symbol.for("Symbol.dispose");
+var __asyncDispose = Symbol.asyncDispose || /* @__PURE__ */ Symbol.for("Symbol.asyncDispose");
+var __using = (stack, value, async) => {
+  if (value != null) {
+    if (typeof value !== "object" && typeof value !== "function")
+      throw TypeError('Object expected to be assigned to "using" declaration');
+    var dispose;
+    if (async)
+      dispose = value[__asyncDispose];
+    if (dispose === undefined)
+      dispose = value[__dispose];
+    if (typeof dispose !== "function")
+      throw TypeError("Object not disposable");
+    stack.push([async, dispose, value]);
+  } else if (async) {
+    stack.push([async]);
+  }
+  return value;
+};
+var __callDispose = (stack, error, hasError) => {
+  var E = typeof SuppressedError === "function" ? SuppressedError : function(e, s, m, _) {
+    return _ = Error(m), _.name = "SuppressedError", _.error = e, _.suppressed = s, _;
+  }, fail = (e) => error = hasError ? new E(e, error, "An error was suppressed during disposal") : (hasError = true, e), next = (it) => {
+    while (it = stack.pop()) {
+      try {
+        var result = it[1] && it[1].call(it[2]);
+        if (it[0])
+          return Promise.resolve(result).then(next, (e) => (fail(e), next()));
+      } catch (e) {
+        fail(e);
+      }
+    }
+    if (hasError)
+      throw error;
+  };
+  return next();
+};
+
 // src/errors.ts
 import * as errors from "@superbuilders/errors";
 var ErrNetwork = errors.new("network");
@@ -341,7 +379,7 @@ function submissionValidationMessage(result) {
 import * as errors2 from "@superbuilders/errors";
 
 // src/version.ts
-var SDK_VERSION = "3.6.0";
+var SDK_VERSION = "3.7.0";
 var NPM_PACKAGE_URL = "https://www.npmjs.com/package/@superbuilders/primer-tives";
 
 // src/client/transport.ts
@@ -1134,10 +1172,9 @@ function makeSession(sc) {
 }
 
 // src/client/auth/provider.ts
-import * as errors13 from "@superbuilders/errors";
+import * as errors11 from "@superbuilders/errors";
 
 // src/client/auth/browser.ts
-import * as errors10 from "@superbuilders/errors";
 function browserStorage(options, logger) {
   if (options !== undefined && options.storage !== undefined) {
     return options.storage;
@@ -1185,16 +1222,6 @@ function randomClientState(logger) {
   }
   return result;
 }
-function clearCallbackHash(options, url) {
-  if (options !== undefined && options.currentUrl !== undefined) {
-    return;
-  }
-  if (typeof globalThis.history === "undefined") {
-    return;
-  }
-  const cleanUrl = `${url.pathname}${url.search}`;
-  globalThis.history.replaceState(globalThis.history.state, "", cleanUrl);
-}
 function openAuthPopup(url, options, logger) {
   if (typeof globalThis.open === "undefined") {
     logger.error("auth popup api unavailable");
@@ -1215,67 +1242,12 @@ function openAuthPopup(url, options, logger) {
   }
   return popup;
 }
-function readablePopupUrl(popup) {
-  const result = errors10.trySync(function readLocation() {
-    return popup.location.href;
-  });
-  if (result.error) {
-    return null;
-  }
-  return result.data;
-}
-function sleep(ms) {
-  return new Promise(function resolveLater(resolve) {
-    setTimeout(resolve, ms);
-  });
-}
-
-// src/client/auth/callback.ts
-var ACCESS_TOKEN_HASH_PARAM = "primer_access_token";
-var AUTH_STATUS_HASH_PARAM = "primer_auth";
-var AUTH_STATE_HASH_PARAM = "primer_state";
-var AUTH_SUCCESS = "success";
-var AUTH_ERROR = "error";
-function readAuthCallback(url, logger) {
-  if (url.hash.length === 0) {
-    return null;
-  }
-  const hash = new URLSearchParams(url.hash.slice(1));
-  const authStatus = hash.get(AUTH_STATUS_HASH_PARAM);
-  if (authStatus === null) {
-    return null;
-  }
-  if (authStatus === AUTH_ERROR) {
-    logger.error("auth callback returned error");
-    throw ErrAuthCallbackInvalid;
-  }
-  if (authStatus !== AUTH_SUCCESS) {
-    logger.error("auth callback status invalid", { authStatus });
-    throw ErrAuthCallbackInvalid;
-  }
-  const accessToken = hash.get(ACCESS_TOKEN_HASH_PARAM);
-  const state = hash.get(AUTH_STATE_HASH_PARAM);
-  if (accessToken === null || accessToken.length === 0 || state === null || state.length === 0) {
-    logger.error("auth callback missing token or state");
-    throw ErrAuthCallbackInvalid;
-  }
-  return { accessToken, state };
-}
-function requireMatchingCallbackState(callback, expectedState, logger) {
-  if (expectedState === null) {
-    logger.error("auth callback expected state missing");
-    throw ErrAuthCallbackInvalid;
-  }
-  if (callback.state !== expectedState) {
-    logger.error("auth callback state mismatch");
-    throw ErrAuthStateMismatch;
-  }
-}
 
 // src/client/auth/hosted-popup.ts
-import * as errors11 from "@superbuilders/errors";
 var DEFAULT_POPUP_TIMEOUT_MS = 10 * 60 * 1000;
 var POPUP_POLL_MS = 250;
+var AUTH_MESSAGE_TYPE = "primer-tives.auth.result.v1";
+var AUTH_RESPONSE_MODE = "web_message";
 function hostedAuthUrl(config) {
   const logger = config.logger;
   if (!URL.canParse(config.origin)) {
@@ -1286,6 +1258,7 @@ function hostedAuthUrl(config) {
   authUrl.searchParams.set("publishableKey", config.publishableKey);
   authUrl.searchParams.set("redirectUri", redirectUri(config.options, config.currentUrl, logger));
   authUrl.searchParams.set("state", config.clientState);
+  authUrl.searchParams.set("responseMode", AUTH_RESPONSE_MODE);
   return authUrl.toString();
 }
 function popupTimeoutMs(options) {
@@ -1294,62 +1267,132 @@ function popupTimeoutMs(options) {
   }
   return DEFAULT_POPUP_TIMEOUT_MS;
 }
-function readPopupCallback(href, config) {
-  const logger = config.logger;
-  if (!URL.canParse(href)) {
+function isRecord(value) {
+  return typeof value === "object" && value !== null;
+}
+function stringField(value, key) {
+  const field = value[key];
+  if (typeof field !== "string" || field.length === 0) {
     return null;
   }
-  const callbackResult = errors11.trySync(function readCallback() {
-    return readAuthCallback(new URL(href), logger);
-  });
-  if (callbackResult.error) {
-    logger.error("hosted auth popup callback invalid", { error: callbackResult.error });
-    throw callbackResult.error;
+  return field;
+}
+function readPopupMessage(event, popup, config, expectedOrigin) {
+  if (event.source !== popup) {
+    return { kind: "ignore" };
   }
-  const callback = callbackResult.data;
-  if (callback === null) {
-    return null;
+  if (event.origin !== expectedOrigin) {
+    return { kind: "ignore" };
+  }
+  const data = event.data;
+  if (!isRecord(data)) {
+    return { kind: "ignore" };
+  }
+  const messageType = stringField(data, "type");
+  if (messageType !== AUTH_MESSAGE_TYPE) {
+    return { kind: "ignore" };
+  }
+  const state = stringField(data, "state");
+  if (state === null) {
+    return { kind: "error", error: ErrAuthCallbackInvalid };
+  }
+  if (state !== config.clientState) {
+    return { kind: "error", error: ErrAuthStateMismatch };
   }
-  if (callback.state !== config.clientState) {
-    logger.error("hosted auth popup state mismatch");
-    throw ErrAuthStateMismatch;
+  const status = stringField(data, "status");
+  if (status === "error") {
+    return { kind: "error", error: ErrAuthCallbackInvalid };
   }
-  return callback.accessToken;
+  if (status !== "success") {
+    return { kind: "error", error: ErrAuthCallbackInvalid };
+  }
+  const accessToken = stringField(data, "accessToken");
+  if (accessToken === null) {
+    return { kind: "error", error: ErrAuthCallbackInvalid };
+  }
+  return { kind: "success", accessToken };
 }
-async function beginHostedPopup(config) {
-  const logger = config.logger;
-  const popup = openAuthPopup(hostedAuthUrl(config), config.options, logger);
-  const expiresAt = Date.now() + popupTimeoutMs(config.options);
-  while (Date.now() < expiresAt) {
-    if (popup.closed) {
-      logger.error("hosted auth popup closed");
-      throw ErrAuthCancelled;
-    }
-    const href = readablePopupUrl(popup);
-    if (href !== null) {
-      const accessTokenResult = errors11.trySync(function readAccessToken() {
-        return readPopupCallback(href, config);
-      });
-      if (accessTokenResult.error) {
-        popup.close();
-        logger.error("hosted auth popup failed", { error: accessTokenResult.error });
-        throw accessTokenResult.error;
+async function waitForPopupMessage(popup, config, expectedOrigin) {
+  let __stack = [];
+  try {
+    const logger = config.logger;
+    const stack = __using(__stack, new AsyncDisposableStack, 1);
+    stack.defer(function closePopup() {
+      popup.close();
+    });
+    const result = await new Promise(function waitForMessage(resolve, reject) {
+      let settled = false;
+      function finishWithError(error) {
+        if (settled) {
+          return;
+        }
+        settled = true;
+        reject(error);
       }
-      if (accessTokenResult.data !== null) {
-        popup.close();
+      function finishWithToken(token) {
+        if (settled) {
+          return;
+        }
+        settled = true;
         logger.debug("hosted auth popup completed");
-        return accessTokenResult.data;
+        resolve(token);
       }
-    }
-    await sleep(POPUP_POLL_MS);
+      const timeoutId = globalThis.setTimeout(function timeout() {
+        logger.error("hosted auth popup timed out");
+        finishWithError(ErrAuthCancelled);
+      }, popupTimeoutMs(config.options));
+      stack.defer(function clearPopupTimeout() {
+        globalThis.clearTimeout(timeoutId);
+      });
+      const closedPollId = globalThis.setInterval(function checkClosed() {
+        if (!popup.closed) {
+          return;
+        }
+        logger.error("hosted auth popup closed");
+        finishWithError(ErrAuthCancelled);
+      }, POPUP_POLL_MS);
+      stack.defer(function clearClosedPoll() {
+        globalThis.clearInterval(closedPollId);
+      });
+      function handleMessage(event) {
+        const result2 = readPopupMessage(event, popup, config, expectedOrigin);
+        if (result2.kind === "ignore") {
+          return;
+        }
+        if (result2.kind === "error") {
+          logger.error("hosted auth popup failed", { error: result2.error });
+          finishWithError(result2.error);
+          return;
+        }
+        finishWithToken(result2.accessToken);
+      }
+      globalThis.addEventListener("message", handleMessage);
+      stack.defer(function removeMessageListener() {
+        globalThis.removeEventListener("message", handleMessage);
+      });
+    });
+    return result;
+  } catch (_catch) {
+    var _err = _catch, _hasErr = 1;
+  } finally {
+    var _promise = __callDispose(__stack, _err, _hasErr);
+    _promise && await _promise;
+  }
+}
+async function beginHostedPopup(config) {
+  const logger = config.logger;
+  const url = hostedAuthUrl(config);
+  if (!URL.canParse(config.origin)) {
+    logger.error("hosted auth origin invalid", { origin: config.origin });
+    throw ErrAuthCallbackInvalid;
   }
-  popup.close();
-  logger.error("hosted auth popup timed out");
-  throw ErrAuthCancelled;
+  const expectedOrigin = new URL(config.origin).origin;
+  const popup = openAuthPopup(url, config.options, logger);
+  return waitForPopupMessage(popup, config, expectedOrigin);
 }
 
 // src/client/auth/access-token.ts
-import * as errors12 from "@superbuilders/errors";
+import * as errors10 from "@superbuilders/errors";
 var ACCESS_TOKEN_PREFIX = "eyJ";
 var resolvedAccessTokenBrand = Symbol("primer resolved access token");
 function isMalformedJws(token) {
@@ -1362,7 +1405,7 @@ function isMalformedJws(token) {
 function resolveAccessToken(token, logger) {
   if (isMalformedJws(token)) {
     logger.error("malformed access token", { prefix: ACCESS_TOKEN_PREFIX });
-    throw errors12.wrap(ErrMalformedAccessToken, `token must start with '${ACCESS_TOKEN_PREFIX}' and contain two dots`);
+    throw errors10.wrap(ErrMalformedAccessToken, `token must start with '${ACCESS_TOKEN_PREFIX}' and contain two dots`);
   }
   return { value: token, [resolvedAccessTokenBrand]: true };
 }
@@ -1389,13 +1432,6 @@ function storeAccessToken(storage, publishableKey, accessToken) {
 function clearStoredAccessToken(storage, publishableKey) {
   storage.removeItem(accessTokenStorageKey(publishableKey));
 }
-function loadAuthState(storage, publishableKey) {
-  const state = storage.getItem(authStateStorageKey(publishableKey));
-  if (state === null || state.length === 0) {
-    return null;
-  }
-  return state;
-}
 function storeAuthState(storage, publishableKey, state) {
   storage.setItem(authStateStorageKey(publishableKey), state);
 }
@@ -1405,7 +1441,7 @@ function clearAuthState(storage, publishableKey) {
 
 // src/client/auth/provider.ts
 function resolveProvidedAccessToken(token, logger) {
-  const result = errors13.trySync(function resolveProvidedToken() {
+  const result = errors11.trySync(function resolveProvidedToken() {
     return resolveAccessToken(token, logger);
   });
   if (result.error) {
@@ -1414,7 +1450,7 @@ function resolveProvidedAccessToken(token, logger) {
   return { kind: "resolved", accessToken: result.data };
 }
 function resolveManagedAccessToken(token, logger) {
-  const result = errors13.trySync(function resolveManagedToken() {
+  const result = errors11.trySync(function resolveManagedToken() {
     return resolveAccessToken(token, logger);
   });
   if (result.error) {
@@ -1424,7 +1460,7 @@ function resolveManagedAccessToken(token, logger) {
 }
 function readBrowserAuthContext(options) {
   const logger = options.logger;
-  const contextResult = errors13.trySync(function readContext() {
+  const contextResult = errors11.trySync(function readContext() {
     const storage = browserStorage(options.hostedAuth, logger);
     const url = currentUrl(options.hostedAuth, logger);
     return { storage, url };
@@ -1434,36 +1470,6 @@ function readBrowserAuthContext(options) {
   }
   return contextResult.data;
 }
-function resolveCallbackAccessToken(context, options) {
-  const logger = options.logger;
-  const callbackResult = errors13.trySync(function readCallback() {
-    return readAuthCallback(context.url, logger);
-  });
-  if (callbackResult.error) {
-    clearAuthState(context.storage, options.publishableKey);
-    return { kind: "unauthenticated", error: callbackResult.error };
-  }
-  const callback = callbackResult.data;
-  if (callback === null) {
-    return null;
-  }
-  const stateResult = errors13.trySync(function requireState() {
-    requireMatchingCallbackState(callback, loadAuthState(context.storage, options.publishableKey), logger);
-  });
-  if (stateResult.error) {
-    clearAuthState(context.storage, options.publishableKey);
-    return { kind: "unauthenticated", error: stateResult.error };
-  }
-  const resolved = resolveManagedAccessToken(callback.accessToken, logger);
-  if (resolved.kind === "unauthenticated") {
-    clearAuthState(context.storage, options.publishableKey);
-    return resolved;
-  }
-  storeAccessToken(context.storage, options.publishableKey, callback.accessToken);
-  clearAuthState(context.storage, options.publishableKey);
-  clearCallbackHash(options.hostedAuth, context.url);
-  return resolved;
-}
 function resolveStoredAccessToken(context, options) {
   const stored = loadStoredAccessToken(context.storage, options.publishableKey);
   if (stored === null) {
@@ -1483,10 +1489,6 @@ function resolveExistingAccessToken(options) {
   if ("kind" in context) {
     return context;
   }
-  const callback = resolveCallbackAccessToken(context, options);
-  if (callback !== null) {
-    return callback;
-  }
   const stored = resolveStoredAccessToken(context, options);
   if (stored !== null) {
     return stored;
@@ -1499,7 +1501,7 @@ async function beginHostedLogin(options) {
   if ("kind" in context) {
     return context;
   }
-  const clientStateResult = errors13.trySync(function prepareHostedLogin() {
+  const clientStateResult = errors11.trySync(function prepareHostedLogin() {
     const clientState2 = randomClientState(logger);
     storeAuthState(context.storage, options.publishableKey, clientState2);
     return clientState2;
@@ -1508,7 +1510,7 @@ async function beginHostedLogin(options) {
     return { kind: "unauthenticated", error: clientStateResult.error };
   }
   const clientState = clientStateResult.data;
-  const accessTokenResult = await errors13.try(beginHostedPopup({
+  const accessTokenResult = await errors11.try(beginHostedPopup({
     origin: options.origin,
     publishableKey: options.publishableKey,
     currentUrl: context.url,
@@ -1635,4 +1637,4 @@ export {
   start
 };
 
-//# debugId=94171F205AFFEEE264756E2164756E21
+//# debugId=9A3E7149C52454D064756E2164756E21