npm - @tenxyte/core - Versions diffs - 0.9.2 → 0.9.4 - Mend

@tenxyte/core 0.9.2 → 0.9.4

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (9) hide show

package/LICENSE ADDED Viewed

@@ -0,0 +1,21 @@
+MIT License
+Copyright (c) 2026 Tenxyte
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

package/README.md CHANGED Viewed

@@ -88,6 +88,10 @@ const tx = new TenxyteClient({
     // Optional — override auto-detected device info
     deviceInfoOverride: { app_name: 'MyApp', app_version: '2.0.0' },
+    // Optional — cookie-based refresh token transport (default: false)
+    // Enable when backend has TENXYTE_REFRESH_TOKEN_COOKIE_ENABLED=True
+    cookieMode: false,
 });
 ```
@@ -128,9 +132,16 @@ const tokens = await tx.auth.verifyMagicLink(urlToken);
 // Social OAuth2
 const tokens = await tx.auth.loginWithSocial('google', { id_token: 'jwt...' });
-const tokens = await tx.auth.handleSocialCallback('github', 'auth_code', 'https://myapp.com/cb');
-// Session management
+// Social OAuth2 with PKCE (RFC 7636)
+const tokens = await tx.auth.loginWithSocial('google', {
+    code: 'auth_code',
+    redirect_uri: 'https://myapp.com/cb',
+    code_verifier: 'pkce_verifier_string',
+});
+const tokens = await tx.auth.handleSocialCallback('github', 'auth_code', 'https://myapp.com/cb', 'pkce_verifier');
+// Session management (refreshToken param is optional in cookie mode)
 await tx.auth.logout('refresh_token_value');
 await tx.auth.logoutAll();
 await tx.auth.refreshToken('refresh_token_value');
@@ -384,16 +395,49 @@ const state = await tx.getState();
 ---
-## Migration Guide: v0.9 → v1.0
+## Migration Guide: v0.9 → v0.10
+### New Features in v0.10
+- **Cookie-based refresh tokens** — New `cookieMode` config option. When enabled, the SDK uses `credentials: 'include'` for refresh/logout requests and does not require a stored refresh token for silent refresh.
+- **PKCE support** — `code_verifier` parameter added to `SocialLoginRequest` and `handleSocialCallback()` for RFC 7636 compliance.
+- **Expanded error codes** — `TenxyteErrorCode` now includes all backend error codes: `MISSING_REFRESH_TOKEN`, `INVALID_REDIRECT_URI`, `PASSWORD_BREACHED`, `PASSWORD_REUSED`, `WEBAUTHN_*`, `LINK_EXPIRED`, `2FA_ALREADY_ENABLED`, and more.
+- **Optional refresh token in responses** — `TokenPair.refresh_token` is now optional (absent when cookie mode is enabled on the backend).
+### Breaking Changes
+1. **`TokenPair.refresh_token` is now optional** — If you access `tokens.refresh_token` without a null check, add one:
+   ```typescript
+   if (tokens.refresh_token) {
+       // Store or use the refresh token
+   }
+   ```
+2. **`logout()` and `refreshToken()` parameters are now optional** — In cookie mode, you can call them without arguments:
+   ```typescript
+   // Cookie mode (refresh token is in HttpOnly cookie)
+   await tx.auth.logout();
+   await tx.auth.refreshToken();
+   // Classic mode (still works)
+   await tx.auth.logout('refresh_token_value');
+   await tx.auth.refreshToken('refresh_token_value');
+   ```
+3. **`handleSocialCallback()` now accepts an optional 4th parameter** (`codeVerifier`).
+---
+## Migration Guide: v0.8 → v0.9
 ### Breaking Changes
 1. **Constructor signature changed** — The client now accepts a `TenxyteClientConfig` object:
    ```typescript
-   // Before (v0.9)
+   // Before (v0.8)
    const tx = new TenxyteClient({ baseUrl: '...', headers: { ... } });
-   // After (v1.0) — same, but new options available
+   // After (v0.9) — same, but new options available
    const tx = new TenxyteClient({
        baseUrl: '...',
        headers: { ... },
@@ -405,10 +449,10 @@ const state = await tx.getState();
 2. **`loginWithEmail` now requires `device_info`**:
    ```typescript
-   // Before (v0.9)
+   // Before (v0.8)
    await tx.auth.loginWithEmail({ email, password });
-   // After (v1.0)
+   // After (v0.9)
    await tx.auth.loginWithEmail({ email, password, device_info: '' });
    ```
@@ -427,7 +471,7 @@ const state = await tx.getState();
 6. **`register()` return type changed** — Now returns `RegisterResponse` (may include tokens if auto-login is enabled).
-### New Features in v1.0
+### New Features in v0.9
 - Auto-refresh interceptor (silent 401 → refresh → retry)
 - Configurable retry with exponential backoff (429/5xx)
@@ -436,6 +480,7 @@ const state = await tx.getState();
 - High-level helpers (`isAuthenticated`, `getCurrentUser`, `isTokenExpired`)
 - `getState()` for framework wrapper integration
 - EventEmitter for reactive state (`session:expired`, `token:refreshed`, etc.)
+- WebAuthn / Passkeys (FIDO2) support
 ---

package/dist/index.cjs CHANGED Viewed

@@ -174,7 +174,8 @@ function resolveConfig(config) {
     logger: config.logger ?? NOOP_LOGGER,
     logLevel: config.logLevel ?? "silent",
     deviceInfoOverride: config.deviceInfoOverride,
-    retryConfig: config.retryConfig
+    retryConfig: config.retryConfig,
+    cookieMode: config.cookieMode ?? false
   };
 }
@@ -396,7 +397,7 @@ function createAuthInterceptor(storage, context) {
     return { ...request, headers };
   };
 }
-function createRefreshInterceptor(client, storage, onSessionExpired, onTokenRefreshed) {
+function createRefreshInterceptor(client, storage, onSessionExpired, onTokenRefreshed, cookieMode = false) {
   let isRefreshing = false;
   let refreshQueue = [];
   const processQueue = (error, token = null) => {
@@ -406,7 +407,7 @@ function createRefreshInterceptor(client, storage, onSessionExpired, onTokenRefr
   return async (response, request) => {
     if (response.status === 401 && !request.url.includes("/auth/refresh") && !request.url.includes("/auth/login")) {
       const refreshToken = await storage.getItem("tx_refresh");
-      if (!refreshToken) {
+      if (!refreshToken && !cookieMode) {
         onSessionExpired();
         return response;
       }
@@ -424,10 +425,15 @@ function createRefreshInterceptor(client, storage, onSessionExpired, onTokenRefr
       }
       isRefreshing = true;
       try {
+        const refreshBody = {};
+        if (refreshToken) {
+          refreshBody.refresh_token = refreshToken;
+        }
         const refreshResponse = await fetch(`${client["baseUrl"]}/auth/refresh/`, {
           method: "POST",
           headers: { "Content-Type": "application/json" },
-          body: JSON.stringify({ refresh_token: refreshToken })
+          body: JSON.stringify(refreshBody),
+          ...cookieMode ? { credentials: "include" } : {}
         });
         if (!refreshResponse.ok) {
           throw new Error("Refresh failed");
@@ -585,10 +591,16 @@ var AuthModule = class {
   /**
    * Logout from the current session.
    * Informs the backend to immediately revoke the specified refresh token.
-   * @param refreshToken - The refresh token to revoke.
+   * When cookie mode is enabled, the refresh token parameter is optional —
+   * the server reads it from the HttpOnly cookie and clears it via Set-Cookie.
+   * @param refreshToken - The refresh token to revoke (optional in cookie mode).
    */
   async logout(refreshToken) {
-    await this.client.post("/api/v1/auth/logout/", { refresh_token: refreshToken });
+    const body = {};
+    if (refreshToken) {
+      body.refresh_token = refreshToken;
+    }
+    await this.client.post("/api/v1/auth/logout/", body);
     await this.clearTokens();
   }
   /**
@@ -602,11 +614,17 @@ var AuthModule = class {
   /**
    * Manually refresh the access token using a valid refresh token.
    * The refresh token is automatically rotated for improved security.
-   * @param refreshToken - The current refresh token.
+   * When cookie mode is enabled, the refresh token parameter is optional —
+   * the server reads it from the HttpOnly cookie.
+   * @param refreshToken - The current refresh token (optional in cookie mode).
    * @returns A new token pair (access + rotated refresh).
    */
   async refreshToken(refreshToken) {
-    const tokens = await this.client.post("/api/v1/auth/refresh/", { refresh_token: refreshToken });
+    const body = {};
+    if (refreshToken) {
+      body.refresh_token = refreshToken;
+    }
+    const tokens = await this.client.post("/api/v1/auth/refresh/", body);
     return this.persistTokens(tokens);
   }
   /**
@@ -641,11 +659,16 @@ var AuthModule = class {
    * @param provider - The OAuth provider ('google', 'github', etc.)
    * @param code - The authorization code retrieved from the query string parameters.
    * @param redirectUri - The original redirect URI that was requested.
+   * @param codeVerifier - Optional PKCE code verifier (RFC 7636).
    * @returns An active session token pair after successful code exchange.
    */
-  async handleSocialCallback(provider, code, redirectUri) {
+  async handleSocialCallback(provider, code, redirectUri, codeVerifier) {
+    const params = { code, redirect_uri: redirectUri };
+    if (codeVerifier) {
+      params.code_verifier = codeVerifier;
+    }
     const tokens = await this.client.get(`/api/v1/auth/social/${provider}/callback/`, {
-      params: { code, redirect_uri: redirectUri }
+      params
     });
     return this.persistTokens(tokens);
   }
@@ -1748,7 +1771,8 @@ var TenxyteClient = class {
             this.rbac.setToken(accessToken);
             this.emit("token:refreshed", { accessToken });
             this.emit("token:stored", { accessToken, refreshToken });
-          }
+          },
+          this.config.cookieMode
         )
       );
     }