npm - @zuzjs/flare - Versions diffs - 0.2.12 → 0.2.13 - Mend

@zuzjs/flare 0.2.12 → 0.2.13

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (5) hide show

package/dist/index.d.cts CHANGED Viewed

@@ -1,4 +1,4 @@
-import { AuthToken, AuthGuard, ProviderId } from '@zuzjs/auth';
+import { AuthToken } from '@zuzjs/auth';
 export { Anonymous, Apple, AuthGuard, AuthToken, CreateUserWithEmailAndPasswordInput, Credentials, Dropbox, Facebook, GitHub, Google, NormalizedProfile, OAuthProvider, ProviderId, Providers, SignInAnonymouslyInput, SignInWithEmailAndPasswordInput, Twitter, setupProvider } from '@zuzjs/auth';
 /**
@@ -29,6 +29,12 @@ interface FlareConfig {
      * Defaults to OAuth-compatible form encoding.
      */
     authRequestContentType?: "application/x-www-form-urlencoded" | "application/json";
+    /**
+     * Controls how onAuthStateChanged initializes auth in browser runtime.
+     * - `refresh` (default): attempt /auth/refresh once in httpBase mode.
+     * - `none`: skip automatic refresh bootstrap; listeners receive current in-memory state only.
+     */
+    authBootstrapMode?: "refresh" | "none";
     /** Public key for the application. */
     publicKey?: string;
     /** Whether to automatically reconnect on connection loss. */
@@ -97,6 +103,23 @@ interface FlareAuthUser {
     email_verified: string;
     [x: string]: any;
 }
+interface FlareAuthHydrationInput {
+    uid?: string | null;
+    id?: string | null;
+    accessToken?: string | null;
+    refreshToken?: string | null;
+    ticket?: string | null;
+    provider?: string;
+    email?: string | null;
+    emailVerified?: boolean;
+    email_verified?: boolean;
+    profile?: Partial<FlareAuthUser> | null;
+}
+interface FlareAuthHydrationOptions {
+    source?: string;
+    markBootstrapAttempted?: boolean;
+    syncSocket?: boolean;
+}
 interface RegisterPushTokenInput {
     token: string;
     platform?: string;
@@ -979,62 +1002,42 @@ declare class FlareBase<TPresetMap extends QueryPresetMap = {}> {
     protected handleIncoming(msg: any): void;
 }
-/**
- * FlareAuth extends FlareBase with all authentication and CSRF logic.
- *
- * CSRF strategy
- * ─────────────
- * The server sets an HttpOnly cookie on /auth/config responses. The raw
- * cookie value is NOT readable by JS (HttpOnly), but the server also echoes
- * the token in the `x-flare-csrf` response header so the client can send
- * it back as `x-flare-csrf` on every mutating request.
- *
- * Two environments are supported:
- *   1. Browser  – header is read from the /auth/config fetch; stored in
- *                 `this.csrfToken` (in-memory only, never written to a
- *                 readable cookie by the client).
- *   2. Next.js SSR – use the standalone `createCsrfProxy()` handler
- *                 (see Client/proxy.ts) which captures the Set-Cookie header
- *                 from Flare server and sets it on the client domain too, so
- *                 the browser owns two HttpOnly cookies: one from the Flare
- *                 domain and one from the Next.js domain.
- */
 declare class FlareAuth<TPresetMap extends QueryPresetMap = {}> extends FlareBase<TPresetMap> {
     static AUTH_TRACE_STORAGE_KEY: string;
-    protected authToken?: string;
+    protected pushServiceWorkerInitPromise?: Promise<ServiceWorkerRegistration | null>;
+    /** Current authentication configuration */
     protected userId?: string;
-    protected authGuard?: AuthGuard;
+    protected authToken?: string;
+    protected authTicket?: string;
     protected authConfig?: FlareAuthConfig;
-    /** In-memory CSRF token extracted from the `x-flare-csrf` response header */
-    protected csrfToken?: string;
-    protected csrfInitPromise?: Promise<void>;
-    protected csrfBootstrapAttempted: boolean;
-    protected socketAuthSyncPromise?: Promise<void>;
-    protected pushServiceWorkerInitPromise?: Promise<ServiceWorkerRegistration | null>;
-    protected authSession: FlareAuthSession | null;
-    protected authBootstrapPromise?: Promise<void>;
-    protected authBootstrapAttempted: boolean;
     protected authStateListeners: AuthStateListener[];
     protected authConfigListeners: AuthConfigListener[];
+    protected authSession: FlareAuthSession | null;
     protected currentProfile: FlareAuthUser | undefined;
+    protected authBootstrapAttempted: boolean;
+    protected authBootstrapPromise?: Promise<void>;
+    protected socketAuthSyncPromise?: Promise<void>;
+    /** In-memory CSRF token extracted from the `x-flare-csrf` response header */
+    protected csrfToken?: string;
+    protected csrfBootstrapAttempted: boolean;
+    protected csrfInitPromise?: Promise<void>;
     protected isAuthTraceEnabled(): boolean;
-    setAuthTrace(enabled: boolean, persist?: boolean): void;
     protected traceAuth(event: string, details?: Record<string, unknown>): void;
-    private getAuthRequestContentType;
-    private buildAuthRequestBody;
+    setAuthTrace(enabled: boolean, persist?: boolean): void;
+    protected fetchAuthMe(token?: string): Promise<{
+        id?: string;
+        email?: string | null;
+        email_verified?: boolean;
+    }>;
+    isBootstrapAttempted(): boolean;
+    hydrateAuthState(input: FlareAuthHydrationInput | null, options?: FlareAuthHydrationOptions): Promise<void>;
+    loadAuthConfig(): Promise<FlareAuthConfig>;
+    onAuthConfigLoaded(listener: AuthConfigListener): () => void;
+    onAuthStateChanged(listener: AuthStateListener): () => void;
+    getCurrentUser(): FlareAuthUser | undefined;
+    getAuthTicket(): string | undefined;
+    consumeAuthTicket(): string | undefined;
     private getDefaultCsrfCookieName;
-    getCsrfCookieName(): string;
-    /**
-     * Read the CSRF token from a browser-readable cookie (set by the server as
-     * a non-HttpOnly fallback) or fall back to the in-memory value captured
-     * from the response header.
-     *
-     * Priority:
-     *   1. Non-HttpOnly cookie on the current domain (browser only)
-     *   2. In-memory value from `x-flare-csrf` response header
-     */
-    getCsrfToken(): string | null;
-    private getCookieValue;
     /**
      * Extract CSRF token from a server response.
      * The server now sends it ONLY as the `x-flare-csrf` response header
@@ -1047,35 +1050,71 @@ declare class FlareAuth<TPresetMap extends QueryPresetMap = {}> extends FlareBas
         };
     }): string | undefined;
     getCsrfHeaders(): Record<string, string>;
+    getCsrfCookieName(): string;
     /**
-     * Inject CSRF token directly (used by SSR middleware).
-     * This allows the server to bootstrap CSRF once and inject it into the client,
-     * preventing redundant /auth/config calls.
+     * Read the CSRF token from a browser-readable cookie (set by the server as
+     * a non-HttpOnly fallback) or fall back to the in-memory value captured
+     * from the response header.
      *
-     * @example
-     * // In Next.js middleware
-     * const csrf = extractCsrfFromRequest(request, appId);
-     * if (csrf) {
-     *   flareClient.setCsrfToken(csrf);
-     * }
+     * Priority:
+     *   1. Non-HttpOnly cookie on the current domain (browser only)
+     *   2. In-memory value from `x-flare-csrf` response header
      */
-    setCsrfToken(token: string): void;
+    getCsrfToken(): string | null;
     ensureCsrfProtection(): Promise<void>;
-    loadAuthConfig(): Promise<FlareAuthConfig>;
-    protected fetchAuthConfig(): Promise<FlareAuthConfig>;
-    onAuthConfigLoaded(listener: AuthConfigListener): () => void;
-    protected setProfile(profile: FlareAuthUser): void;
     protected setAuthSession(session: FlareAuthSession | null, source?: string): void;
-    onAuthStateChanged(listener: AuthStateListener): () => void;
-    onAuthStateChange(listener: AuthStateListener): () => void;
-    get currentUser(): FlareAuthUser | undefined;
-    getCurrentUser(): FlareAuthUser | undefined;
-    protected syncSocketAuth(accessToken?: string | null): Promise<void>;
+    protected emitAuthState(): void;
+    protected setProfile(profile: FlareAuthUser): void;
+    protected ensureSessionForSocketAuth(reason: string): Promise<boolean>;
+    refreshAuthSession(refresh_token?: string): Promise<FlareAuthSession | null>;
     protected updateSocketIdentity(uid?: string, forceReplay?: boolean): Promise<void>;
+    protected waitUntilConnected(): Promise<void>;
+    protected syncSocketAuth(accessToken?: string | null): Promise<void>;
     protected beforeActivateSubscription(_entry: any): Promise<void>;
+    /**
+     * Fetch a fresh one-time WebSocket ticket from the server.
+     * Called on reconnect when neither an access token nor a cached ticket exists.
+     * Requires `config.ticketRefreshUrl` to be configured.
+     */
+    protected fetchFreshTicket(): Promise<string | null>;
     protected onConnected(): void;
-    protected handleIncoming(msg: any): void;
+    private toUint8ArrayFromBase64Url;
+    private encodePushTokenFromSubscription;
+    private fetchPushSetupConfig;
+    setupPushServiceWorker(): Promise<ServiceWorkerRegistration | null>;
+    requestPushPermission(): Promise<NotificationPermission>;
+    acquireBrowserPushToken(options?: BrowserPushTokenOptions): Promise<{
+        token: string;
+        subscription: PushSubscription;
+    }>;
+    enableBrowserPush(options?: BrowserPushRegistrationOptions): Promise<{
+        registered: boolean;
+        appId: string;
+        uid: string;
+        token: string;
+        platform?: string;
+        subscription: PushSubscription;
+    }>;
+    registerPushToken(input: RegisterPushTokenInput): Promise<{
+        registered: boolean;
+        appId: string;
+        uid: string;
+        token: string;
+        platform?: string;
+    }>;
+    unregisterPushToken(token: string, authAppId?: string): Promise<{
+        unregistered: boolean;
+        appId: string;
+        token: string;
+        removed: boolean;
+    }>;
+    sendPushNotification(input: SendPushNotificationInput): Promise<PushSendResult>;
     auth(token: string): Promise<AuthResult>;
+    private getAuthRequestContentType;
+    private buildAuthRequestBody;
+    protected requestEmailPasswordToken(email: string, password: string, scope?: string[]): Promise<AuthToken & {
+        kind: string;
+    }>;
     signInWithEmailAndPassword(email: string, password: string, options?: {
         scope?: string[];
         createIfMissing?: boolean;
@@ -1241,96 +1280,12 @@ declare class FlareAuth<TPresetMap extends QueryPresetMap = {}> extends FlareBas
         email: string;
         sessionsRevoked?: number;
     }>;
-    private toUint8ArrayFromBase64Url;
-    private encodePushTokenFromSubscription;
-    private fetchPushSetupConfig;
-    setupPushServiceWorker(): Promise<ServiceWorkerRegistration | null>;
-    requestPushPermission(): Promise<NotificationPermission>;
-    acquireBrowserPushToken(options?: BrowserPushTokenOptions): Promise<{
-        token: string;
-        subscription: PushSubscription;
-    }>;
-    enableBrowserPush(options?: BrowserPushRegistrationOptions): Promise<{
-        registered: boolean;
-        appId: string;
-        uid: string;
-        token: string;
-        platform?: string;
-        subscription: PushSubscription;
-    }>;
-    registerPushToken(input: RegisterPushTokenInput): Promise<{
-        registered: boolean;
-        appId: string;
-        uid: string;
-        token: string;
-        platform?: string;
-    }>;
-    unregisterPushToken(token: string, authAppId?: string): Promise<{
-        unregistered: boolean;
-        appId: string;
-        token: string;
-        removed: boolean;
-    }>;
-    sendPushNotification(input: SendPushNotificationInput): Promise<PushSendResult>;
-    sendEmail(input: SendEmailInput): Promise<EmailSendResult>;
-    verifyEmailLink(input: VerifyEmailLinkInput): Promise<EmailLinkVerifyResult>;
-    signIn(providerId: ProviderId, options?: {
-        returnTo?: string;
-        metaTag?: string;
-    }): Promise<any>;
-    signIn(authGuard: Pick<AuthGuard, 'signIn'>, providerId: ProviderId, options?: {
-        returnTo?: string;
-        metaTag?: string;
-    }): Promise<any>;
-    signInWithGoogle(options?: {
-        returnTo?: string;
-        metaTag?: string;
-    }): Promise<any>;
-    signInWithGitHub(options?: {
-        returnTo?: string;
-        metaTag?: string;
-    }): Promise<any>;
-    signInWithFacebook(options?: {
-        returnTo?: string;
-        metaTag?: string;
-    }): Promise<any>;
-    signInWithDropbox(options?: {
-        returnTo?: string;
-        metaTag?: string;
-    }): Promise<any>;
-    handleSignInRedirect(autoRedirect?: boolean): Promise<(AuthResult & {
-        authToken: AuthToken;
-        provider?: ProviderId;
-    }) | null>;
-    handleSignInRedirect(authGuard: Pick<AuthGuard, 'handleRedirect'>, autoRedirect?: boolean): Promise<(AuthResult & {
-        authToken: AuthToken;
-        provider?: ProviderId;
-    }) | null>;
-    private exchangeProviderToken;
-    protected getAuthGuard(): Promise<AuthGuard>;
-    refreshAuthSession(refresh_token?: string): Promise<FlareAuthSession | null>;
-    issueSsrToken(ttlSeconds?: number): Promise<{
-        token: string;
-        token_type: string;
-        expires_in: number;
-        uid: string;
-        role: string;
-        email?: string;
-    }>;
     signOut(): Promise<void>;
     protected registerWithEmail(email: string, password: string, options?: {
         scope?: string[];
         additionalParams?: Record<string, string>;
         signInIfAllowed?: boolean;
     }): Promise<Record<string, any>>;
-    protected requestEmailPasswordToken(email: string, password: string, scope?: string[]): Promise<AuthToken & {
-        kind: string;
-    }>;
-    protected fetchAuthMe(token?: string): Promise<{
-        id?: string;
-        email?: string | null;
-        email_verified?: boolean;
-    }>;
 }
 /**
@@ -1553,4 +1508,4 @@ declare const getFlare: () => FlareClient | null;
  */
 declare const disconnectFlare: () => void;
-export { type AggregateFunction, type AggregateSpec, type AndFilter, type AnyFilter, type AuthConfigListener, type AuthConfigResponse, type AuthResult, type AuthStateListener, type AuthWithPendingVerificationResult, type AuthWithTokenResult, type BaseMessage, type BrowserPushRegistrationOptions, type BrowserPushTokenOptions, type ChangeEvent, type ChangeOperation, type CollectionExternalStore, type CollectionPresetMethods, type CollectionQuery, CollectionReference, type CollectionStream, type CollectionStreamListener, type CollectionStreamMeta, type CollectionStreamOptions, type ConnectionState, type CsrfProxyConfig, type CursorValue, type DataMapperFn, type DataMapperRegistry, type DocAddedCallback, type DocChangedCallback, type DocDeletedCallback, type DocUpdatedCallback, DocumentQueryBuilder, DocumentReference, type DocumentSnapshot, type EmailLinkVerifyResult, type EmailSendResult, FlareAction, type FlareAuthConfig, type FlareAuthProviderId, type FlareAuthProviderPublicConfig, type FlareAuthSession, type FlareAuthUser, FlareClient, type FlareConfig, FlareError, FlareErrors, FlareEvent, FlareResponseCodes, type FlareRule, type GroupByClause, type HavingClause, type JoinClause, type JoinQueryPattern, type NestedJoinClause, type OfflineOperation, type OrFilter, type OrderByClause, type PresenceCallback, type PresenceJoinCallback, type PresenceLeaveCallback, type PresenceMember, type PushSendResult, type QueryConfig, type QueryOperator, type QueryPresetMap, type QueryPresetParams, type QueryPresetRow, type QueryPresetSpec, type QuerySnapshot, type RegisterPushTokenInput, type RulePermission, type SecurityRuleEntry, type SecurityRulesMap, type SendEmailInput, type SendPushNotificationInput, type SnapshotEvent, type StreamFlushReason, type StructuredJoinClause, type StructuredQuery, type SubscribeMessage, type SubscribeOptions, type SubscriptionCallback, type SubscriptionData, type SubscriptionError, type SubscriptionErrorCallback, type SubscriptionHandle, type VectorFieldConfig, type VectorSearchClause, type VerifyEmailLinkInput, type WhereCondition, buildFlareHeaders, connectApp, createCsrfProxy, createCsrfProxyHandler, disconnectFlare, extractCsrfFromRequest, flareRulesToSecurityMap, getFlare, parseValue, parseWhereCondition, securityMapToFlareRules };
+export { type AggregateFunction, type AggregateSpec, type AndFilter, type AnyFilter, type AuthConfigListener, type AuthConfigResponse, type AuthResult, type AuthStateListener, type AuthWithPendingVerificationResult, type AuthWithTokenResult, type BaseMessage, type BrowserPushRegistrationOptions, type BrowserPushTokenOptions, type ChangeEvent, type ChangeOperation, type CollectionExternalStore, type CollectionPresetMethods, type CollectionQuery, CollectionReference, type CollectionStream, type CollectionStreamListener, type CollectionStreamMeta, type CollectionStreamOptions, type ConnectionState, type CsrfProxyConfig, type CursorValue, type DataMapperFn, type DataMapperRegistry, type DocAddedCallback, type DocChangedCallback, type DocDeletedCallback, type DocUpdatedCallback, DocumentQueryBuilder, DocumentReference, type DocumentSnapshot, type EmailLinkVerifyResult, type EmailSendResult, FlareAction, type FlareAuthConfig, type FlareAuthHydrationInput, type FlareAuthHydrationOptions, type FlareAuthProviderId, type FlareAuthProviderPublicConfig, type FlareAuthSession, type FlareAuthUser, FlareClient, type FlareConfig, FlareError, FlareErrors, FlareEvent, FlareResponseCodes, type FlareRule, type GroupByClause, type HavingClause, type JoinClause, type JoinQueryPattern, type NestedJoinClause, type OfflineOperation, type OrFilter, type OrderByClause, type PresenceCallback, type PresenceJoinCallback, type PresenceLeaveCallback, type PresenceMember, type PushSendResult, type QueryConfig, type QueryOperator, type QueryPresetMap, type QueryPresetParams, type QueryPresetRow, type QueryPresetSpec, type QuerySnapshot, type RegisterPushTokenInput, type RulePermission, type SecurityRuleEntry, type SecurityRulesMap, type SendEmailInput, type SendPushNotificationInput, type SnapshotEvent, type StreamFlushReason, type StructuredJoinClause, type StructuredQuery, type SubscribeMessage, type SubscribeOptions, type SubscriptionCallback, type SubscriptionData, type SubscriptionError, type SubscriptionErrorCallback, type SubscriptionHandle, type VectorFieldConfig, type VectorSearchClause, type VerifyEmailLinkInput, type WhereCondition, buildFlareHeaders, connectApp, createCsrfProxy, createCsrfProxyHandler, disconnectFlare, extractCsrfFromRequest, flareRulesToSecurityMap, getFlare, parseValue, parseWhereCondition, securityMapToFlareRules };

package/dist/index.d.ts CHANGED Viewed

@@ -1,4 +1,4 @@
-import { AuthToken, AuthGuard, ProviderId } from '@zuzjs/auth';
+import { AuthToken } from '@zuzjs/auth';
 export { Anonymous, Apple, AuthGuard, AuthToken, CreateUserWithEmailAndPasswordInput, Credentials, Dropbox, Facebook, GitHub, Google, NormalizedProfile, OAuthProvider, ProviderId, Providers, SignInAnonymouslyInput, SignInWithEmailAndPasswordInput, Twitter, setupProvider } from '@zuzjs/auth';
 /**
@@ -29,6 +29,12 @@ interface FlareConfig {
      * Defaults to OAuth-compatible form encoding.
      */
     authRequestContentType?: "application/x-www-form-urlencoded" | "application/json";
+    /**
+     * Controls how onAuthStateChanged initializes auth in browser runtime.
+     * - `refresh` (default): attempt /auth/refresh once in httpBase mode.
+     * - `none`: skip automatic refresh bootstrap; listeners receive current in-memory state only.
+     */
+    authBootstrapMode?: "refresh" | "none";
     /** Public key for the application. */
     publicKey?: string;
     /** Whether to automatically reconnect on connection loss. */
@@ -97,6 +103,23 @@ interface FlareAuthUser {
     email_verified: string;
     [x: string]: any;
 }
+interface FlareAuthHydrationInput {
+    uid?: string | null;
+    id?: string | null;
+    accessToken?: string | null;
+    refreshToken?: string | null;
+    ticket?: string | null;
+    provider?: string;
+    email?: string | null;
+    emailVerified?: boolean;
+    email_verified?: boolean;
+    profile?: Partial<FlareAuthUser> | null;
+}
+interface FlareAuthHydrationOptions {
+    source?: string;
+    markBootstrapAttempted?: boolean;
+    syncSocket?: boolean;
+}
 interface RegisterPushTokenInput {
     token: string;
     platform?: string;
@@ -979,62 +1002,42 @@ declare class FlareBase<TPresetMap extends QueryPresetMap = {}> {
     protected handleIncoming(msg: any): void;
 }
-/**
- * FlareAuth extends FlareBase with all authentication and CSRF logic.
- *
- * CSRF strategy
- * ─────────────
- * The server sets an HttpOnly cookie on /auth/config responses. The raw
- * cookie value is NOT readable by JS (HttpOnly), but the server also echoes
- * the token in the `x-flare-csrf` response header so the client can send
- * it back as `x-flare-csrf` on every mutating request.
- *
- * Two environments are supported:
- *   1. Browser  – header is read from the /auth/config fetch; stored in
- *                 `this.csrfToken` (in-memory only, never written to a
- *                 readable cookie by the client).
- *   2. Next.js SSR – use the standalone `createCsrfProxy()` handler
- *                 (see Client/proxy.ts) which captures the Set-Cookie header
- *                 from Flare server and sets it on the client domain too, so
- *                 the browser owns two HttpOnly cookies: one from the Flare
- *                 domain and one from the Next.js domain.
- */
 declare class FlareAuth<TPresetMap extends QueryPresetMap = {}> extends FlareBase<TPresetMap> {
     static AUTH_TRACE_STORAGE_KEY: string;
-    protected authToken?: string;
+    protected pushServiceWorkerInitPromise?: Promise<ServiceWorkerRegistration | null>;
+    /** Current authentication configuration */
     protected userId?: string;
-    protected authGuard?: AuthGuard;
+    protected authToken?: string;
+    protected authTicket?: string;
     protected authConfig?: FlareAuthConfig;
-    /** In-memory CSRF token extracted from the `x-flare-csrf` response header */
-    protected csrfToken?: string;
-    protected csrfInitPromise?: Promise<void>;
-    protected csrfBootstrapAttempted: boolean;
-    protected socketAuthSyncPromise?: Promise<void>;
-    protected pushServiceWorkerInitPromise?: Promise<ServiceWorkerRegistration | null>;
-    protected authSession: FlareAuthSession | null;
-    protected authBootstrapPromise?: Promise<void>;
-    protected authBootstrapAttempted: boolean;
     protected authStateListeners: AuthStateListener[];
     protected authConfigListeners: AuthConfigListener[];
+    protected authSession: FlareAuthSession | null;
     protected currentProfile: FlareAuthUser | undefined;
+    protected authBootstrapAttempted: boolean;
+    protected authBootstrapPromise?: Promise<void>;
+    protected socketAuthSyncPromise?: Promise<void>;
+    /** In-memory CSRF token extracted from the `x-flare-csrf` response header */
+    protected csrfToken?: string;
+    protected csrfBootstrapAttempted: boolean;
+    protected csrfInitPromise?: Promise<void>;
     protected isAuthTraceEnabled(): boolean;
-    setAuthTrace(enabled: boolean, persist?: boolean): void;
     protected traceAuth(event: string, details?: Record<string, unknown>): void;
-    private getAuthRequestContentType;
-    private buildAuthRequestBody;
+    setAuthTrace(enabled: boolean, persist?: boolean): void;
+    protected fetchAuthMe(token?: string): Promise<{
+        id?: string;
+        email?: string | null;
+        email_verified?: boolean;
+    }>;
+    isBootstrapAttempted(): boolean;
+    hydrateAuthState(input: FlareAuthHydrationInput | null, options?: FlareAuthHydrationOptions): Promise<void>;
+    loadAuthConfig(): Promise<FlareAuthConfig>;
+    onAuthConfigLoaded(listener: AuthConfigListener): () => void;
+    onAuthStateChanged(listener: AuthStateListener): () => void;
+    getCurrentUser(): FlareAuthUser | undefined;
+    getAuthTicket(): string | undefined;
+    consumeAuthTicket(): string | undefined;
     private getDefaultCsrfCookieName;
-    getCsrfCookieName(): string;
-    /**
-     * Read the CSRF token from a browser-readable cookie (set by the server as
-     * a non-HttpOnly fallback) or fall back to the in-memory value captured
-     * from the response header.
-     *
-     * Priority:
-     *   1. Non-HttpOnly cookie on the current domain (browser only)
-     *   2. In-memory value from `x-flare-csrf` response header
-     */
-    getCsrfToken(): string | null;
-    private getCookieValue;
     /**
      * Extract CSRF token from a server response.
      * The server now sends it ONLY as the `x-flare-csrf` response header
@@ -1047,35 +1050,71 @@ declare class FlareAuth<TPresetMap extends QueryPresetMap = {}> extends FlareBas
         };
     }): string | undefined;
     getCsrfHeaders(): Record<string, string>;
+    getCsrfCookieName(): string;
     /**
-     * Inject CSRF token directly (used by SSR middleware).
-     * This allows the server to bootstrap CSRF once and inject it into the client,
-     * preventing redundant /auth/config calls.
+     * Read the CSRF token from a browser-readable cookie (set by the server as
+     * a non-HttpOnly fallback) or fall back to the in-memory value captured
+     * from the response header.
      *
-     * @example
-     * // In Next.js middleware
-     * const csrf = extractCsrfFromRequest(request, appId);
-     * if (csrf) {
-     *   flareClient.setCsrfToken(csrf);
-     * }
+     * Priority:
+     *   1. Non-HttpOnly cookie on the current domain (browser only)
+     *   2. In-memory value from `x-flare-csrf` response header
      */
-    setCsrfToken(token: string): void;
+    getCsrfToken(): string | null;
     ensureCsrfProtection(): Promise<void>;
-    loadAuthConfig(): Promise<FlareAuthConfig>;
-    protected fetchAuthConfig(): Promise<FlareAuthConfig>;
-    onAuthConfigLoaded(listener: AuthConfigListener): () => void;
-    protected setProfile(profile: FlareAuthUser): void;
     protected setAuthSession(session: FlareAuthSession | null, source?: string): void;
-    onAuthStateChanged(listener: AuthStateListener): () => void;
-    onAuthStateChange(listener: AuthStateListener): () => void;
-    get currentUser(): FlareAuthUser | undefined;
-    getCurrentUser(): FlareAuthUser | undefined;
-    protected syncSocketAuth(accessToken?: string | null): Promise<void>;
+    protected emitAuthState(): void;
+    protected setProfile(profile: FlareAuthUser): void;
+    protected ensureSessionForSocketAuth(reason: string): Promise<boolean>;
+    refreshAuthSession(refresh_token?: string): Promise<FlareAuthSession | null>;
     protected updateSocketIdentity(uid?: string, forceReplay?: boolean): Promise<void>;
+    protected waitUntilConnected(): Promise<void>;
+    protected syncSocketAuth(accessToken?: string | null): Promise<void>;
     protected beforeActivateSubscription(_entry: any): Promise<void>;
+    /**
+     * Fetch a fresh one-time WebSocket ticket from the server.
+     * Called on reconnect when neither an access token nor a cached ticket exists.
+     * Requires `config.ticketRefreshUrl` to be configured.
+     */
+    protected fetchFreshTicket(): Promise<string | null>;
     protected onConnected(): void;
-    protected handleIncoming(msg: any): void;
+    private toUint8ArrayFromBase64Url;
+    private encodePushTokenFromSubscription;
+    private fetchPushSetupConfig;
+    setupPushServiceWorker(): Promise<ServiceWorkerRegistration | null>;
+    requestPushPermission(): Promise<NotificationPermission>;
+    acquireBrowserPushToken(options?: BrowserPushTokenOptions): Promise<{
+        token: string;
+        subscription: PushSubscription;
+    }>;
+    enableBrowserPush(options?: BrowserPushRegistrationOptions): Promise<{
+        registered: boolean;
+        appId: string;
+        uid: string;
+        token: string;
+        platform?: string;
+        subscription: PushSubscription;
+    }>;
+    registerPushToken(input: RegisterPushTokenInput): Promise<{
+        registered: boolean;
+        appId: string;
+        uid: string;
+        token: string;
+        platform?: string;
+    }>;
+    unregisterPushToken(token: string, authAppId?: string): Promise<{
+        unregistered: boolean;
+        appId: string;
+        token: string;
+        removed: boolean;
+    }>;
+    sendPushNotification(input: SendPushNotificationInput): Promise<PushSendResult>;
     auth(token: string): Promise<AuthResult>;
+    private getAuthRequestContentType;
+    private buildAuthRequestBody;
+    protected requestEmailPasswordToken(email: string, password: string, scope?: string[]): Promise<AuthToken & {
+        kind: string;
+    }>;
     signInWithEmailAndPassword(email: string, password: string, options?: {
         scope?: string[];
         createIfMissing?: boolean;
@@ -1241,96 +1280,12 @@ declare class FlareAuth<TPresetMap extends QueryPresetMap = {}> extends FlareBas
         email: string;
         sessionsRevoked?: number;
     }>;
-    private toUint8ArrayFromBase64Url;
-    private encodePushTokenFromSubscription;
-    private fetchPushSetupConfig;
-    setupPushServiceWorker(): Promise<ServiceWorkerRegistration | null>;
-    requestPushPermission(): Promise<NotificationPermission>;
-    acquireBrowserPushToken(options?: BrowserPushTokenOptions): Promise<{
-        token: string;
-        subscription: PushSubscription;
-    }>;
-    enableBrowserPush(options?: BrowserPushRegistrationOptions): Promise<{
-        registered: boolean;
-        appId: string;
-        uid: string;
-        token: string;
-        platform?: string;
-        subscription: PushSubscription;
-    }>;
-    registerPushToken(input: RegisterPushTokenInput): Promise<{
-        registered: boolean;
-        appId: string;
-        uid: string;
-        token: string;
-        platform?: string;
-    }>;
-    unregisterPushToken(token: string, authAppId?: string): Promise<{
-        unregistered: boolean;
-        appId: string;
-        token: string;
-        removed: boolean;
-    }>;
-    sendPushNotification(input: SendPushNotificationInput): Promise<PushSendResult>;
-    sendEmail(input: SendEmailInput): Promise<EmailSendResult>;
-    verifyEmailLink(input: VerifyEmailLinkInput): Promise<EmailLinkVerifyResult>;
-    signIn(providerId: ProviderId, options?: {
-        returnTo?: string;
-        metaTag?: string;
-    }): Promise<any>;
-    signIn(authGuard: Pick<AuthGuard, 'signIn'>, providerId: ProviderId, options?: {
-        returnTo?: string;
-        metaTag?: string;
-    }): Promise<any>;
-    signInWithGoogle(options?: {
-        returnTo?: string;
-        metaTag?: string;
-    }): Promise<any>;
-    signInWithGitHub(options?: {
-        returnTo?: string;
-        metaTag?: string;
-    }): Promise<any>;
-    signInWithFacebook(options?: {
-        returnTo?: string;
-        metaTag?: string;
-    }): Promise<any>;
-    signInWithDropbox(options?: {
-        returnTo?: string;
-        metaTag?: string;
-    }): Promise<any>;
-    handleSignInRedirect(autoRedirect?: boolean): Promise<(AuthResult & {
-        authToken: AuthToken;
-        provider?: ProviderId;
-    }) | null>;
-    handleSignInRedirect(authGuard: Pick<AuthGuard, 'handleRedirect'>, autoRedirect?: boolean): Promise<(AuthResult & {
-        authToken: AuthToken;
-        provider?: ProviderId;
-    }) | null>;
-    private exchangeProviderToken;
-    protected getAuthGuard(): Promise<AuthGuard>;
-    refreshAuthSession(refresh_token?: string): Promise<FlareAuthSession | null>;
-    issueSsrToken(ttlSeconds?: number): Promise<{
-        token: string;
-        token_type: string;
-        expires_in: number;
-        uid: string;
-        role: string;
-        email?: string;
-    }>;
     signOut(): Promise<void>;
     protected registerWithEmail(email: string, password: string, options?: {
         scope?: string[];
         additionalParams?: Record<string, string>;
         signInIfAllowed?: boolean;
     }): Promise<Record<string, any>>;
-    protected requestEmailPasswordToken(email: string, password: string, scope?: string[]): Promise<AuthToken & {
-        kind: string;
-    }>;
-    protected fetchAuthMe(token?: string): Promise<{
-        id?: string;
-        email?: string | null;
-        email_verified?: boolean;
-    }>;
 }
 /**
@@ -1553,4 +1508,4 @@ declare const getFlare: () => FlareClient | null;
  */
 declare const disconnectFlare: () => void;
-export { type AggregateFunction, type AggregateSpec, type AndFilter, type AnyFilter, type AuthConfigListener, type AuthConfigResponse, type AuthResult, type AuthStateListener, type AuthWithPendingVerificationResult, type AuthWithTokenResult, type BaseMessage, type BrowserPushRegistrationOptions, type BrowserPushTokenOptions, type ChangeEvent, type ChangeOperation, type CollectionExternalStore, type CollectionPresetMethods, type CollectionQuery, CollectionReference, type CollectionStream, type CollectionStreamListener, type CollectionStreamMeta, type CollectionStreamOptions, type ConnectionState, type CsrfProxyConfig, type CursorValue, type DataMapperFn, type DataMapperRegistry, type DocAddedCallback, type DocChangedCallback, type DocDeletedCallback, type DocUpdatedCallback, DocumentQueryBuilder, DocumentReference, type DocumentSnapshot, type EmailLinkVerifyResult, type EmailSendResult, FlareAction, type FlareAuthConfig, type FlareAuthProviderId, type FlareAuthProviderPublicConfig, type FlareAuthSession, type FlareAuthUser, FlareClient, type FlareConfig, FlareError, FlareErrors, FlareEvent, FlareResponseCodes, type FlareRule, type GroupByClause, type HavingClause, type JoinClause, type JoinQueryPattern, type NestedJoinClause, type OfflineOperation, type OrFilter, type OrderByClause, type PresenceCallback, type PresenceJoinCallback, type PresenceLeaveCallback, type PresenceMember, type PushSendResult, type QueryConfig, type QueryOperator, type QueryPresetMap, type QueryPresetParams, type QueryPresetRow, type QueryPresetSpec, type QuerySnapshot, type RegisterPushTokenInput, type RulePermission, type SecurityRuleEntry, type SecurityRulesMap, type SendEmailInput, type SendPushNotificationInput, type SnapshotEvent, type StreamFlushReason, type StructuredJoinClause, type StructuredQuery, type SubscribeMessage, type SubscribeOptions, type SubscriptionCallback, type SubscriptionData, type SubscriptionError, type SubscriptionErrorCallback, type SubscriptionHandle, type VectorFieldConfig, type VectorSearchClause, type VerifyEmailLinkInput, type WhereCondition, buildFlareHeaders, connectApp, createCsrfProxy, createCsrfProxyHandler, disconnectFlare, extractCsrfFromRequest, flareRulesToSecurityMap, getFlare, parseValue, parseWhereCondition, securityMapToFlareRules };
+export { type AggregateFunction, type AggregateSpec, type AndFilter, type AnyFilter, type AuthConfigListener, type AuthConfigResponse, type AuthResult, type AuthStateListener, type AuthWithPendingVerificationResult, type AuthWithTokenResult, type BaseMessage, type BrowserPushRegistrationOptions, type BrowserPushTokenOptions, type ChangeEvent, type ChangeOperation, type CollectionExternalStore, type CollectionPresetMethods, type CollectionQuery, CollectionReference, type CollectionStream, type CollectionStreamListener, type CollectionStreamMeta, type CollectionStreamOptions, type ConnectionState, type CsrfProxyConfig, type CursorValue, type DataMapperFn, type DataMapperRegistry, type DocAddedCallback, type DocChangedCallback, type DocDeletedCallback, type DocUpdatedCallback, DocumentQueryBuilder, DocumentReference, type DocumentSnapshot, type EmailLinkVerifyResult, type EmailSendResult, FlareAction, type FlareAuthConfig, type FlareAuthHydrationInput, type FlareAuthHydrationOptions, type FlareAuthProviderId, type FlareAuthProviderPublicConfig, type FlareAuthSession, type FlareAuthUser, FlareClient, type FlareConfig, FlareError, FlareErrors, FlareEvent, FlareResponseCodes, type FlareRule, type GroupByClause, type HavingClause, type JoinClause, type JoinQueryPattern, type NestedJoinClause, type OfflineOperation, type OrFilter, type OrderByClause, type PresenceCallback, type PresenceJoinCallback, type PresenceLeaveCallback, type PresenceMember, type PushSendResult, type QueryConfig, type QueryOperator, type QueryPresetMap, type QueryPresetParams, type QueryPresetRow, type QueryPresetSpec, type QuerySnapshot, type RegisterPushTokenInput, type RulePermission, type SecurityRuleEntry, type SecurityRulesMap, type SendEmailInput, type SendPushNotificationInput, type SnapshotEvent, type StreamFlushReason, type StructuredJoinClause, type StructuredQuery, type SubscribeMessage, type SubscribeOptions, type SubscriptionCallback, type SubscriptionData, type SubscriptionError, type SubscriptionErrorCallback, type SubscriptionHandle, type VectorFieldConfig, type VectorSearchClause, type VerifyEmailLinkInput, type WhereCondition, buildFlareHeaders, connectApp, createCsrfProxy, createCsrfProxyHandler, disconnectFlare, extractCsrfFromRequest, flareRulesToSecurityMap, getFlare, parseValue, parseWhereCondition, securityMapToFlareRules };