@tenxyte/core 0.9.3 → 0.9.4

package/dist/index.d.cts

@@ -146,7 +146,7 @@ declare function createAuthInterceptor(storage: TenxyteStorage, context: Tenxyte
     params?: Record<string, string | number | boolean>;
     url: string;
 }>;
-declare function createRefreshInterceptor(client: TenxyteHttpClient, storage: TenxyteStorage, onSessionExpired: () => void, onTokenRefreshed?: (accessToken: string, refreshToken?: string) => void): (response: Response, request: {
+declare function createRefreshInterceptor(client: TenxyteHttpClient, storage: TenxyteStorage, onSessionExpired: () => void, onTokenRefreshed?: (accessToken: string, refreshToken?: string) => void, cookieMode?: boolean): (response: Response, request: {
     url: string;
     config: RequestConfig;
 }) => Promise<Response>;
@@ -289,6 +289,15 @@ interface TenxyteClientConfig {
      * with exponential backoff. Pass `{}` for sensible defaults.
      */
     retryConfig?: RetryConfig;
+    /**
+     * When true, the SDK assumes the backend is configured with
+     * `TENXYTE_REFRESH_TOKEN_COOKIE_ENABLED=True`. In this mode:
+     * - `refresh_token` is omitted from JSON response bodies (delivered via HttpOnly cookie).
+     * - `credentials: 'include'` is added to refresh/logout requests so the browser sends cookies.
+     * - The SDK does not require a stored refresh token to attempt a silent refresh.
+     * Defaults to false.
+     */
+    cookieMode?: boolean;
 }
 /**
  * Fully resolved configuration where every optional field has been
@@ -307,6 +316,7 @@ interface ResolvedTenxyteConfig {
     logLevel: LogLevel;
     deviceInfoOverride: CustomDeviceInfo | undefined;
     retryConfig: RetryConfig | undefined;
+    cookieMode: boolean;
 }
 /** Silent no-op logger used when the consumer does not provide one. */
 declare const NOOP_LOGGER: TenxyteLogger;
@@ -1233,7 +1243,7 @@ interface TenxyteUser {
  */
 interface TokenPair {
     access_token: string;
-    refresh_token: string;
+    refresh_token?: string;
     token_type: 'Bearer';
     expires_in: number;
     device_summary: string | null;
@@ -1247,7 +1257,7 @@ interface TenxyteError {
     details?: Record<string, string[]> | string;
     retry_after?: number;
 }
-type TenxyteErrorCode = 'LOGIN_FAILED' | 'INVALID_CREDENTIALS' | 'ACCOUNT_LOCKED' | 'ACCOUNT_BANNED' | '2FA_REQUIRED' | 'ADMIN_2FA_SETUP_REQUIRED' | 'TOKEN_EXPIRED' | 'TOKEN_BLACKLISTED' | 'REFRESH_FAILED' | 'PERMISSION_DENIED' | 'SESSION_LIMIT_EXCEEDED' | 'DEVICE_LIMIT_EXCEEDED' | 'RATE_LIMITED' | 'INVALID_OTP' | 'OTP_EXPIRED' | 'INVALID_PROVIDER' | 'SOCIAL_AUTH_FAILED' | 'VALIDATION_URL_REQUIRED' | 'INVALID_TOKEN' | 'CONFIRMATION_REQUIRED' | 'PASSWORD_REQUIRED' | 'INVALID_PASSWORD' | 'INVALID_DEVICE_INFO' | 'ORG_NOT_FOUND' | 'NOT_ORG_MEMBER' | 'NOT_OWNER' | 'ALREADY_MEMBER' | 'MEMBER_LIMIT_EXCEEDED' | 'HAS_CHILDREN' | 'CIRCULAR_HIERARCHY' | 'LAST_OWNER_REQUIRED' | 'INVITATION_EXISTS' | 'INVALID_ROLE' | 'AGENT_NOT_FOUND' | 'AGENT_SUSPENDED' | 'AGENT_REVOKED' | 'AGENT_EXPIRED' | 'BUDGET_EXCEEDED' | 'RATE_LIMIT_EXCEEDED' | 'HEARTBEAT_MISSING' | 'AIRS_DISABLED' | 'TIMEOUT' | 'NETWORK_ERROR';
+type TenxyteErrorCode = 'LOGIN_FAILED' | 'INVALID_CREDENTIALS' | 'ACCOUNT_LOCKED' | 'ACCOUNT_BANNED' | '2FA_REQUIRED' | 'ADMIN_2FA_SETUP_REQUIRED' | 'TOKEN_EXPIRED' | 'TOKEN_BLACKLISTED' | 'REFRESH_FAILED' | 'PERMISSION_DENIED' | 'SESSION_LIMIT_EXCEEDED' | 'DEVICE_LIMIT_EXCEEDED' | 'RATE_LIMITED' | 'INVALID_OTP' | 'OTP_EXPIRED' | 'MAX_ATTEMPTS_REACHED' | 'RESET_FAILED' | 'INVALID_PROVIDER' | 'SOCIAL_AUTH_FAILED' | 'VALIDATION_URL_REQUIRED' | 'INVALID_TOKEN' | 'MISSING_REFRESH_TOKEN' | 'APP_AUTH_REQUIRED' | 'REGISTRATION_FAILED' | 'INVALID_2FA_CODE' | 'REDIRECT_URI_REQUIRED' | 'REDIRECT_URI_NOT_ALLOWED' | 'INVALID_REDIRECT_URI' | 'MISSING_REDIRECT_URI' | 'MISSING_CREDENTIALS' | 'MISSING_CODE' | 'PROVIDER_NOT_SUPPORTED' | 'PROVIDER_AUTH_FAILED' | 'CODE_EXCHANGE_FAILED' | 'CALLBACK_ERROR' | 'CONFIRMATION_REQUIRED' | 'PASSWORD_REQUIRED' | 'INVALID_PASSWORD' | 'PASSWORD_BREACHED' | 'PASSWORD_REUSED' | 'INVALID_DEVICE_INFO' | 'ORG_NOT_FOUND' | 'NOT_ORG_MEMBER' | 'NOT_OWNER' | 'ALREADY_MEMBER' | 'MEMBER_LIMIT_EXCEEDED' | 'HAS_CHILDREN' | 'CIRCULAR_HIERARCHY' | 'LAST_OWNER_REQUIRED' | 'INVITATION_EXISTS' | 'INVALID_ROLE' | 'AGENT_NOT_FOUND' | 'AGENT_SUSPENDED' | 'AGENT_REVOKED' | 'AGENT_EXPIRED' | 'BUDGET_EXCEEDED' | 'RATE_LIMIT_EXCEEDED' | 'HEARTBEAT_MISSING' | 'AIRS_DISABLED' | 'TOKEN_REQUIRED' | 'MAGIC_LINK_INVALID' | 'LINK_EXPIRED' | 'LINK_ALREADY_USED' | '2FA_ALREADY_ENABLED' | 'INVALID_CODE' | 'CODE_REQUIRED' | 'WEBAUTHN_DISABLED' | 'WEBAUTHN_ERROR' | 'WEBAUTHN_AUTH_FAILED' | 'CREDENTIAL_EXISTS' | 'CREDENTIAL_NOT_FOUND' | 'REPLAY_ATTACK' | 'TIMEOUT' | 'NETWORK_ERROR';
 /**
  * Organization Structure defining a B2B tenant or hierarchical unit.
  */
@@ -1346,6 +1356,12 @@ interface SocialLoginRequest {
     access_token?: string;
     authorization_code?: string;
     id_token?: string;
+    /** Authorization code for the code exchange flow. */
+    code?: string;
+    /** Redirect URI matching the one used in the authorization request. */
+    redirect_uri?: string;
+    /** PKCE code verifier (RFC 7636). Required if the authorization request included a code_challenge. */
+    code_verifier?: string;
 }
 /** Response from the registration endpoint (may include tokens if `login: true`). */
 interface RegisterResponse {
@@ -1393,9 +1409,11 @@ declare class AuthModule {
     /**
      * Logout from the current session.
      * Informs the backend to immediately revoke the specified refresh token.
-     * @param refreshToken - The refresh token to revoke.
+     * When cookie mode is enabled, the refresh token parameter is optional —
+     * the server reads it from the HttpOnly cookie and clears it via Set-Cookie.
+     * @param refreshToken - The refresh token to revoke (optional in cookie mode).
      */
-    logout(refreshToken: string): Promise<void>;
+    logout(refreshToken?: string): Promise<void>;
     /**
      * Logout from all sessions across all devices.
      * Revokes all refresh tokens currently assigned to the user.
@@ -1404,10 +1422,12 @@ declare class AuthModule {
     /**
      * Manually refresh the access token using a valid refresh token.
      * The refresh token is automatically rotated for improved security.
-     * @param refreshToken - The current refresh token.
+     * When cookie mode is enabled, the refresh token parameter is optional —
+     * the server reads it from the HttpOnly cookie.
+     * @param refreshToken - The current refresh token (optional in cookie mode).
      * @returns A new token pair (access + rotated refresh).
      */
-    refreshToken(refreshToken: string): Promise<TokenPair>;
+    refreshToken(refreshToken?: string): Promise<TokenPair>;
     /**
      * Request a Magic Link for passwordless sign-in.
      * @param data - The email to send the logic link to.
@@ -1432,9 +1452,10 @@ declare class AuthModule {
      * @param provider - The OAuth provider ('google', 'github', etc.)
      * @param code - The authorization code retrieved from the query string parameters.
      * @param redirectUri - The original redirect URI that was requested.
+     * @param codeVerifier - Optional PKCE code verifier (RFC 7636).
      * @returns An active session token pair after successful code exchange.
      */
-    handleSocialCallback(provider: 'google' | 'github' | 'microsoft' | 'facebook', code: string, redirectUri: string): Promise<TokenPair>;
+    handleSocialCallback(provider: 'google' | 'github' | 'microsoft' | 'facebook', code: string, redirectUri: string, codeVerifier?: string): Promise<TokenPair>;
 }
 
 declare class SecurityModule {

package/dist/index.d.ts

@@ -146,7 +146,7 @@ declare function createAuthInterceptor(storage: TenxyteStorage, context: Tenxyte
     params?: Record<string, string | number | boolean>;
     url: string;
 }>;
-declare function createRefreshInterceptor(client: TenxyteHttpClient, storage: TenxyteStorage, onSessionExpired: () => void, onTokenRefreshed?: (accessToken: string, refreshToken?: string) => void): (response: Response, request: {
+declare function createRefreshInterceptor(client: TenxyteHttpClient, storage: TenxyteStorage, onSessionExpired: () => void, onTokenRefreshed?: (accessToken: string, refreshToken?: string) => void, cookieMode?: boolean): (response: Response, request: {
     url: string;
     config: RequestConfig;
 }) => Promise<Response>;
@@ -289,6 +289,15 @@ interface TenxyteClientConfig {
      * with exponential backoff. Pass `{}` for sensible defaults.
      */
     retryConfig?: RetryConfig;
+    /**
+     * When true, the SDK assumes the backend is configured with
+     * `TENXYTE_REFRESH_TOKEN_COOKIE_ENABLED=True`. In this mode:
+     * - `refresh_token` is omitted from JSON response bodies (delivered via HttpOnly cookie).
+     * - `credentials: 'include'` is added to refresh/logout requests so the browser sends cookies.
+     * - The SDK does not require a stored refresh token to attempt a silent refresh.
+     * Defaults to false.
+     */
+    cookieMode?: boolean;
 }
 /**
  * Fully resolved configuration where every optional field has been
@@ -307,6 +316,7 @@ interface ResolvedTenxyteConfig {
     logLevel: LogLevel;
     deviceInfoOverride: CustomDeviceInfo | undefined;
     retryConfig: RetryConfig | undefined;
+    cookieMode: boolean;
 }
 /** Silent no-op logger used when the consumer does not provide one. */
 declare const NOOP_LOGGER: TenxyteLogger;
@@ -1233,7 +1243,7 @@ interface TenxyteUser {
  */
 interface TokenPair {
     access_token: string;
-    refresh_token: string;
+    refresh_token?: string;
     token_type: 'Bearer';
     expires_in: number;
     device_summary: string | null;
@@ -1247,7 +1257,7 @@ interface TenxyteError {
     details?: Record<string, string[]> | string;
     retry_after?: number;
 }
-type TenxyteErrorCode = 'LOGIN_FAILED' | 'INVALID_CREDENTIALS' | 'ACCOUNT_LOCKED' | 'ACCOUNT_BANNED' | '2FA_REQUIRED' | 'ADMIN_2FA_SETUP_REQUIRED' | 'TOKEN_EXPIRED' | 'TOKEN_BLACKLISTED' | 'REFRESH_FAILED' | 'PERMISSION_DENIED' | 'SESSION_LIMIT_EXCEEDED' | 'DEVICE_LIMIT_EXCEEDED' | 'RATE_LIMITED' | 'INVALID_OTP' | 'OTP_EXPIRED' | 'INVALID_PROVIDER' | 'SOCIAL_AUTH_FAILED' | 'VALIDATION_URL_REQUIRED' | 'INVALID_TOKEN' | 'CONFIRMATION_REQUIRED' | 'PASSWORD_REQUIRED' | 'INVALID_PASSWORD' | 'INVALID_DEVICE_INFO' | 'ORG_NOT_FOUND' | 'NOT_ORG_MEMBER' | 'NOT_OWNER' | 'ALREADY_MEMBER' | 'MEMBER_LIMIT_EXCEEDED' | 'HAS_CHILDREN' | 'CIRCULAR_HIERARCHY' | 'LAST_OWNER_REQUIRED' | 'INVITATION_EXISTS' | 'INVALID_ROLE' | 'AGENT_NOT_FOUND' | 'AGENT_SUSPENDED' | 'AGENT_REVOKED' | 'AGENT_EXPIRED' | 'BUDGET_EXCEEDED' | 'RATE_LIMIT_EXCEEDED' | 'HEARTBEAT_MISSING' | 'AIRS_DISABLED' | 'TIMEOUT' | 'NETWORK_ERROR';
+type TenxyteErrorCode = 'LOGIN_FAILED' | 'INVALID_CREDENTIALS' | 'ACCOUNT_LOCKED' | 'ACCOUNT_BANNED' | '2FA_REQUIRED' | 'ADMIN_2FA_SETUP_REQUIRED' | 'TOKEN_EXPIRED' | 'TOKEN_BLACKLISTED' | 'REFRESH_FAILED' | 'PERMISSION_DENIED' | 'SESSION_LIMIT_EXCEEDED' | 'DEVICE_LIMIT_EXCEEDED' | 'RATE_LIMITED' | 'INVALID_OTP' | 'OTP_EXPIRED' | 'MAX_ATTEMPTS_REACHED' | 'RESET_FAILED' | 'INVALID_PROVIDER' | 'SOCIAL_AUTH_FAILED' | 'VALIDATION_URL_REQUIRED' | 'INVALID_TOKEN' | 'MISSING_REFRESH_TOKEN' | 'APP_AUTH_REQUIRED' | 'REGISTRATION_FAILED' | 'INVALID_2FA_CODE' | 'REDIRECT_URI_REQUIRED' | 'REDIRECT_URI_NOT_ALLOWED' | 'INVALID_REDIRECT_URI' | 'MISSING_REDIRECT_URI' | 'MISSING_CREDENTIALS' | 'MISSING_CODE' | 'PROVIDER_NOT_SUPPORTED' | 'PROVIDER_AUTH_FAILED' | 'CODE_EXCHANGE_FAILED' | 'CALLBACK_ERROR' | 'CONFIRMATION_REQUIRED' | 'PASSWORD_REQUIRED' | 'INVALID_PASSWORD' | 'PASSWORD_BREACHED' | 'PASSWORD_REUSED' | 'INVALID_DEVICE_INFO' | 'ORG_NOT_FOUND' | 'NOT_ORG_MEMBER' | 'NOT_OWNER' | 'ALREADY_MEMBER' | 'MEMBER_LIMIT_EXCEEDED' | 'HAS_CHILDREN' | 'CIRCULAR_HIERARCHY' | 'LAST_OWNER_REQUIRED' | 'INVITATION_EXISTS' | 'INVALID_ROLE' | 'AGENT_NOT_FOUND' | 'AGENT_SUSPENDED' | 'AGENT_REVOKED' | 'AGENT_EXPIRED' | 'BUDGET_EXCEEDED' | 'RATE_LIMIT_EXCEEDED' | 'HEARTBEAT_MISSING' | 'AIRS_DISABLED' | 'TOKEN_REQUIRED' | 'MAGIC_LINK_INVALID' | 'LINK_EXPIRED' | 'LINK_ALREADY_USED' | '2FA_ALREADY_ENABLED' | 'INVALID_CODE' | 'CODE_REQUIRED' | 'WEBAUTHN_DISABLED' | 'WEBAUTHN_ERROR' | 'WEBAUTHN_AUTH_FAILED' | 'CREDENTIAL_EXISTS' | 'CREDENTIAL_NOT_FOUND' | 'REPLAY_ATTACK' | 'TIMEOUT' | 'NETWORK_ERROR';
 /**
  * Organization Structure defining a B2B tenant or hierarchical unit.
  */
@@ -1346,6 +1356,12 @@ interface SocialLoginRequest {
     access_token?: string;
     authorization_code?: string;
     id_token?: string;
+    /** Authorization code for the code exchange flow. */
+    code?: string;
+    /** Redirect URI matching the one used in the authorization request. */
+    redirect_uri?: string;
+    /** PKCE code verifier (RFC 7636). Required if the authorization request included a code_challenge. */
+    code_verifier?: string;
 }
 /** Response from the registration endpoint (may include tokens if `login: true`). */
 interface RegisterResponse {
@@ -1393,9 +1409,11 @@ declare class AuthModule {
     /**
      * Logout from the current session.
      * Informs the backend to immediately revoke the specified refresh token.
-     * @param refreshToken - The refresh token to revoke.
+     * When cookie mode is enabled, the refresh token parameter is optional —
+     * the server reads it from the HttpOnly cookie and clears it via Set-Cookie.
+     * @param refreshToken - The refresh token to revoke (optional in cookie mode).
      */
-    logout(refreshToken: string): Promise<void>;
+    logout(refreshToken?: string): Promise<void>;
     /**
      * Logout from all sessions across all devices.
      * Revokes all refresh tokens currently assigned to the user.
@@ -1404,10 +1422,12 @@ declare class AuthModule {
     /**
      * Manually refresh the access token using a valid refresh token.
      * The refresh token is automatically rotated for improved security.
-     * @param refreshToken - The current refresh token.
+     * When cookie mode is enabled, the refresh token parameter is optional —
+     * the server reads it from the HttpOnly cookie.
+     * @param refreshToken - The current refresh token (optional in cookie mode).
      * @returns A new token pair (access + rotated refresh).
      */
-    refreshToken(refreshToken: string): Promise<TokenPair>;
+    refreshToken(refreshToken?: string): Promise<TokenPair>;
     /**
      * Request a Magic Link for passwordless sign-in.
      * @param data - The email to send the logic link to.
@@ -1432,9 +1452,10 @@ declare class AuthModule {
      * @param provider - The OAuth provider ('google', 'github', etc.)
      * @param code - The authorization code retrieved from the query string parameters.
      * @param redirectUri - The original redirect URI that was requested.
+     * @param codeVerifier - Optional PKCE code verifier (RFC 7636).
      * @returns An active session token pair after successful code exchange.
      */
-    handleSocialCallback(provider: 'google' | 'github' | 'microsoft' | 'facebook', code: string, redirectUri: string): Promise<TokenPair>;
+    handleSocialCallback(provider: 'google' | 'github' | 'microsoft' | 'facebook', code: string, redirectUri: string, codeVerifier?: string): Promise<TokenPair>;
 }
 
 declare class SecurityModule {

package/dist/index.js

@@ -124,7 +124,8 @@ function resolveConfig(config) {
     logger: config.logger ?? NOOP_LOGGER,
     logLevel: config.logLevel ?? "silent",
     deviceInfoOverride: config.deviceInfoOverride,
-    retryConfig: config.retryConfig
+    retryConfig: config.retryConfig,
+    cookieMode: config.cookieMode ?? false
   };
 }
 
@@ -346,7 +347,7 @@ function createAuthInterceptor(storage, context) {
     return { ...request, headers };
   };
 }
-function createRefreshInterceptor(client, storage, onSessionExpired, onTokenRefreshed) {
+function createRefreshInterceptor(client, storage, onSessionExpired, onTokenRefreshed, cookieMode = false) {
   let isRefreshing = false;
   let refreshQueue = [];
   const processQueue = (error, token = null) => {
@@ -356,7 +357,7 @@ function createRefreshInterceptor(client, storage, onSessionExpired, onTokenRefr
   return async (response, request) => {
     if (response.status === 401 && !request.url.includes("/auth/refresh") && !request.url.includes("/auth/login")) {
       const refreshToken = await storage.getItem("tx_refresh");
-      if (!refreshToken) {
+      if (!refreshToken && !cookieMode) {
         onSessionExpired();
         return response;
       }
@@ -374,10 +375,15 @@ function createRefreshInterceptor(client, storage, onSessionExpired, onTokenRefr
       }
       isRefreshing = true;
       try {
+        const refreshBody = {};
+        if (refreshToken) {
+          refreshBody.refresh_token = refreshToken;
+        }
         const refreshResponse = await fetch(`${client["baseUrl"]}/auth/refresh/`, {
           method: "POST",
           headers: { "Content-Type": "application/json" },
-          body: JSON.stringify({ refresh_token: refreshToken })
+          body: JSON.stringify(refreshBody),
+          ...cookieMode ? { credentials: "include" } : {}
         });
         if (!refreshResponse.ok) {
           throw new Error("Refresh failed");
@@ -535,10 +541,16 @@ var AuthModule = class {
   /**
    * Logout from the current session.
    * Informs the backend to immediately revoke the specified refresh token.
-   * @param refreshToken - The refresh token to revoke.
+   * When cookie mode is enabled, the refresh token parameter is optional —
+   * the server reads it from the HttpOnly cookie and clears it via Set-Cookie.
+   * @param refreshToken - The refresh token to revoke (optional in cookie mode).
    */
   async logout(refreshToken) {
-    await this.client.post("/api/v1/auth/logout/", { refresh_token: refreshToken });
+    const body = {};
+    if (refreshToken) {
+      body.refresh_token = refreshToken;
+    }
+    await this.client.post("/api/v1/auth/logout/", body);
     await this.clearTokens();
   }
   /**
@@ -552,11 +564,17 @@ var AuthModule = class {
   /**
    * Manually refresh the access token using a valid refresh token.
    * The refresh token is automatically rotated for improved security.
-   * @param refreshToken - The current refresh token.
+   * When cookie mode is enabled, the refresh token parameter is optional —
+   * the server reads it from the HttpOnly cookie.
+   * @param refreshToken - The current refresh token (optional in cookie mode).
    * @returns A new token pair (access + rotated refresh).
    */
   async refreshToken(refreshToken) {
-    const tokens = await this.client.post("/api/v1/auth/refresh/", { refresh_token: refreshToken });
+    const body = {};
+    if (refreshToken) {
+      body.refresh_token = refreshToken;
+    }
+    const tokens = await this.client.post("/api/v1/auth/refresh/", body);
     return this.persistTokens(tokens);
   }
   /**
@@ -591,11 +609,16 @@ var AuthModule = class {
    * @param provider - The OAuth provider ('google', 'github', etc.)
    * @param code - The authorization code retrieved from the query string parameters.
    * @param redirectUri - The original redirect URI that was requested.
+   * @param codeVerifier - Optional PKCE code verifier (RFC 7636).
    * @returns An active session token pair after successful code exchange.
    */
-  async handleSocialCallback(provider, code, redirectUri) {
+  async handleSocialCallback(provider, code, redirectUri, codeVerifier) {
+    const params = { code, redirect_uri: redirectUri };
+    if (codeVerifier) {
+      params.code_verifier = codeVerifier;
+    }
     const tokens = await this.client.get(`/api/v1/auth/social/${provider}/callback/`, {
-      params: { code, redirect_uri: redirectUri }
+      params
     });
     return this.persistTokens(tokens);
   }
@@ -1698,7 +1721,8 @@ var TenxyteClient = class {
             this.rbac.setToken(accessToken);
             this.emit("token:refreshed", { accessToken });
             this.emit("token:stored", { accessToken, refreshToken });
-          }
+          },
+          this.config.cookieMode
         )
       );
     }