@tenxyte/core 0.9.3 → 0.9.4

package/README.md

@@ -88,6 +88,10 @@ const tx = new TenxyteClient({
 
     // Optional — override auto-detected device info
     deviceInfoOverride: { app_name: 'MyApp', app_version: '2.0.0' },
+
+    // Optional — cookie-based refresh token transport (default: false)
+    // Enable when backend has TENXYTE_REFRESH_TOKEN_COOKIE_ENABLED=True
+    cookieMode: false,
 });
 ```
 
@@ -128,9 +132,16 @@ const tokens = await tx.auth.verifyMagicLink(urlToken);
 
 // Social OAuth2
 const tokens = await tx.auth.loginWithSocial('google', { id_token: 'jwt...' });
-const tokens = await tx.auth.handleSocialCallback('github', 'auth_code', 'https://myapp.com/cb');
 
-// Session management
+// Social OAuth2 with PKCE (RFC 7636)
+const tokens = await tx.auth.loginWithSocial('google', {
+    code: 'auth_code',
+    redirect_uri: 'https://myapp.com/cb',
+    code_verifier: 'pkce_verifier_string',
+});
+const tokens = await tx.auth.handleSocialCallback('github', 'auth_code', 'https://myapp.com/cb', 'pkce_verifier');
+
+// Session management (refreshToken param is optional in cookie mode)
 await tx.auth.logout('refresh_token_value');
 await tx.auth.logoutAll();
 await tx.auth.refreshToken('refresh_token_value');
@@ -384,6 +395,39 @@ const state = await tx.getState();
 
 ---
 
+## Migration Guide: v0.9 → v0.10
+
+### New Features in v0.10
+
+- **Cookie-based refresh tokens** — New `cookieMode` config option. When enabled, the SDK uses `credentials: 'include'` for refresh/logout requests and does not require a stored refresh token for silent refresh.
+- **PKCE support** — `code_verifier` parameter added to `SocialLoginRequest` and `handleSocialCallback()` for RFC 7636 compliance.
+- **Expanded error codes** — `TenxyteErrorCode` now includes all backend error codes: `MISSING_REFRESH_TOKEN`, `INVALID_REDIRECT_URI`, `PASSWORD_BREACHED`, `PASSWORD_REUSED`, `WEBAUTHN_*`, `LINK_EXPIRED`, `2FA_ALREADY_ENABLED`, and more.
+- **Optional refresh token in responses** — `TokenPair.refresh_token` is now optional (absent when cookie mode is enabled on the backend).
+
+### Breaking Changes
+
+1. **`TokenPair.refresh_token` is now optional** — If you access `tokens.refresh_token` without a null check, add one:
+   ```typescript
+   if (tokens.refresh_token) {
+       // Store or use the refresh token
+   }
+   ```
+
+2. **`logout()` and `refreshToken()` parameters are now optional** — In cookie mode, you can call them without arguments:
+   ```typescript
+   // Cookie mode (refresh token is in HttpOnly cookie)
+   await tx.auth.logout();
+   await tx.auth.refreshToken();
+
+   // Classic mode (still works)
+   await tx.auth.logout('refresh_token_value');
+   await tx.auth.refreshToken('refresh_token_value');
+   ```
+
+3. **`handleSocialCallback()` now accepts an optional 4th parameter** (`codeVerifier`).
+
+---
+
 ## Migration Guide: v0.8 → v0.9
 
 ### Breaking Changes
@@ -436,6 +480,7 @@ const state = await tx.getState();
 - High-level helpers (`isAuthenticated`, `getCurrentUser`, `isTokenExpired`)
 - `getState()` for framework wrapper integration
 - EventEmitter for reactive state (`session:expired`, `token:refreshed`, etc.)
+- WebAuthn / Passkeys (FIDO2) support
 
 ---
 

package/dist/index.cjs

@@ -174,7 +174,8 @@ function resolveConfig(config) {
     logger: config.logger ?? NOOP_LOGGER,
     logLevel: config.logLevel ?? "silent",
     deviceInfoOverride: config.deviceInfoOverride,
-    retryConfig: config.retryConfig
+    retryConfig: config.retryConfig,
+    cookieMode: config.cookieMode ?? false
   };
 }
 
@@ -396,7 +397,7 @@ function createAuthInterceptor(storage, context) {
     return { ...request, headers };
   };
 }
-function createRefreshInterceptor(client, storage, onSessionExpired, onTokenRefreshed) {
+function createRefreshInterceptor(client, storage, onSessionExpired, onTokenRefreshed, cookieMode = false) {
   let isRefreshing = false;
   let refreshQueue = [];
   const processQueue = (error, token = null) => {
@@ -406,7 +407,7 @@ function createRefreshInterceptor(client, storage, onSessionExpired, onTokenRefr
   return async (response, request) => {
     if (response.status === 401 && !request.url.includes("/auth/refresh") && !request.url.includes("/auth/login")) {
       const refreshToken = await storage.getItem("tx_refresh");
-      if (!refreshToken) {
+      if (!refreshToken && !cookieMode) {
         onSessionExpired();
         return response;
       }
@@ -424,10 +425,15 @@ function createRefreshInterceptor(client, storage, onSessionExpired, onTokenRefr
       }
       isRefreshing = true;
       try {
+        const refreshBody = {};
+        if (refreshToken) {
+          refreshBody.refresh_token = refreshToken;
+        }
         const refreshResponse = await fetch(`${client["baseUrl"]}/auth/refresh/`, {
           method: "POST",
           headers: { "Content-Type": "application/json" },
-          body: JSON.stringify({ refresh_token: refreshToken })
+          body: JSON.stringify(refreshBody),
+          ...cookieMode ? { credentials: "include" } : {}
         });
         if (!refreshResponse.ok) {
           throw new Error("Refresh failed");
@@ -585,10 +591,16 @@ var AuthModule = class {
   /**
    * Logout from the current session.
    * Informs the backend to immediately revoke the specified refresh token.
-   * @param refreshToken - The refresh token to revoke.
+   * When cookie mode is enabled, the refresh token parameter is optional —
+   * the server reads it from the HttpOnly cookie and clears it via Set-Cookie.
+   * @param refreshToken - The refresh token to revoke (optional in cookie mode).
    */
   async logout(refreshToken) {
-    await this.client.post("/api/v1/auth/logout/", { refresh_token: refreshToken });
+    const body = {};
+    if (refreshToken) {
+      body.refresh_token = refreshToken;
+    }
+    await this.client.post("/api/v1/auth/logout/", body);
     await this.clearTokens();
   }
   /**
@@ -602,11 +614,17 @@ var AuthModule = class {
   /**
    * Manually refresh the access token using a valid refresh token.
    * The refresh token is automatically rotated for improved security.
-   * @param refreshToken - The current refresh token.
+   * When cookie mode is enabled, the refresh token parameter is optional —
+   * the server reads it from the HttpOnly cookie.
+   * @param refreshToken - The current refresh token (optional in cookie mode).
    * @returns A new token pair (access + rotated refresh).
    */
   async refreshToken(refreshToken) {
-    const tokens = await this.client.post("/api/v1/auth/refresh/", { refresh_token: refreshToken });
+    const body = {};
+    if (refreshToken) {
+      body.refresh_token = refreshToken;
+    }
+    const tokens = await this.client.post("/api/v1/auth/refresh/", body);
     return this.persistTokens(tokens);
   }
   /**
@@ -641,11 +659,16 @@ var AuthModule = class {
    * @param provider - The OAuth provider ('google', 'github', etc.)
    * @param code - The authorization code retrieved from the query string parameters.
    * @param redirectUri - The original redirect URI that was requested.
+   * @param codeVerifier - Optional PKCE code verifier (RFC 7636).
    * @returns An active session token pair after successful code exchange.
    */
-  async handleSocialCallback(provider, code, redirectUri) {
+  async handleSocialCallback(provider, code, redirectUri, codeVerifier) {
+    const params = { code, redirect_uri: redirectUri };
+    if (codeVerifier) {
+      params.code_verifier = codeVerifier;
+    }
     const tokens = await this.client.get(`/api/v1/auth/social/${provider}/callback/`, {
-      params: { code, redirect_uri: redirectUri }
+      params
     });
     return this.persistTokens(tokens);
   }
@@ -1748,7 +1771,8 @@ var TenxyteClient = class {
             this.rbac.setToken(accessToken);
             this.emit("token:refreshed", { accessToken });
             this.emit("token:stored", { accessToken, refreshToken });
-          }
+          },
+          this.config.cookieMode
         )
       );
     }