npm - auth-vir - Versions diffs - 5.0.1 → 5.0.3 - Mend

auth-vir 5.0.1 → 5.0.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (6) hide show

package/dist/auth-client/backend-auth.client.js +7 -2
package/dist/auth.d.ts +8 -1
package/dist/auth.js +6 -2
package/package.json +1 -1
package/src/auth-client/backend-auth.client.ts +8 -0
package/src/auth.ts +13 -1

package/dist/auth-client/backend-auth.client.js CHANGED Viewed

@@ -265,17 +265,22 @@ export class BackendAuthClient {
     }
     /** Use these headers to log out the user. */
     async createLogoutHeaders(params) {
+        const clearingAllCookies = !!params.allCookies;
         const signUpCookieHeaders = params.allCookies || params.isSignUpCookie
             ? generateLogoutHeaders(await this.getCookieParams({
                 isSignUpCookie: true,
                 requestHeaders: undefined,
-            }))
+            }), {
+                preserveCsrf: !clearingAllCookies,
+            })
             : undefined;
         const authCookieHeaders = params.allCookies || !params.isSignUpCookie
             ? generateLogoutHeaders(await this.getCookieParams({
                 isSignUpCookie: false,
                 requestHeaders: undefined,
-            }))
+            }), {
+                preserveCsrf: !clearingAllCookies,
+            })
             : undefined;
         return {
             'set-cookie': mergeHeaderValues(signUpCookieHeaders?.['set-cookie'], authCookieHeaders?.['set-cookie']),

package/dist/auth.d.ts CHANGED Viewed

@@ -71,4 +71,11 @@ sessionStartedAt?: number | undefined): Promise<Record<string, string[]>>;
 export declare function generateLogoutHeaders(cookieConfig: Readonly<SelectFrom<CookieParams, {
     hostOrigin: true;
     isDev: true;
-}>>): Record<string, string[]>;
+}>>, options?: Readonly<{
+    /**
+     * When `true`, the CSRF cookie is preserved (not cleared). Use this when clearing only one
+     * cookie type (e.g., the auth cookie) while keeping the other active session (e.g.,
+     * sign-up) that still needs its CSRF token.
+     */
+    preserveCsrf?: boolean | undefined;
+}>): Record<string, string[]>;

package/dist/auth.js CHANGED Viewed

@@ -118,11 +118,15 @@ sessionStartedAt) {
  *
  * @category Auth : Host
  */
-export function generateLogoutHeaders(cookieConfig) {
+export function generateLogoutHeaders(cookieConfig, options) {
     return {
         'set-cookie': [
             clearAuthCookie(cookieConfig),
-            clearCsrfCookie(cookieConfig),
+            ...(options?.preserveCsrf
+                ? []
+                : [
+                    clearCsrfCookie(cookieConfig),
+                ]),
         ],
     };
 }

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
     "name": "auth-vir",
-    "version": "5.0.1",
+    "version": "5.0.3",
     "description": "Auth made easy and secure via JWT cookies, CSRF tokens, and password hashing helpers.",
     "keywords": [
         "auth",

package/src/auth-client/backend-auth.client.ts CHANGED Viewed

@@ -578,6 +578,8 @@ export class BackendAuthClient<
             'set-cookie': string[];
         }
     > {
+        const clearingAllCookies = !!params.allCookies;
         const signUpCookieHeaders =
             params.allCookies || params.isSignUpCookie
                 ? generateLogoutHeaders(
@@ -585,6 +587,9 @@ export class BackendAuthClient<
                           isSignUpCookie: true,
                           requestHeaders: undefined,
                       }),
+                      {
+                          preserveCsrf: !clearingAllCookies,
+                      },
                   )
                 : undefined;
         const authCookieHeaders =
@@ -594,6 +599,9 @@ export class BackendAuthClient<
                           isSignUpCookie: false,
                           requestHeaders: undefined,
                       }),
+                      {
+                          preserveCsrf: !clearingAllCookies,
+                      },
                   )
                 : undefined;

package/src/auth.ts CHANGED Viewed

@@ -189,11 +189,23 @@ export async function generateSuccessfulLoginHeaders(
  */
 export function generateLogoutHeaders(
     cookieConfig: Readonly<SelectFrom<CookieParams, {hostOrigin: true; isDev: true}>>,
+    options?: Readonly<{
+        /**
+         * When `true`, the CSRF cookie is preserved (not cleared). Use this when clearing only one
+         * cookie type (e.g., the auth cookie) while keeping the other active session (e.g.,
+         * sign-up) that still needs its CSRF token.
+         */
+        preserveCsrf?: boolean | undefined;
+    }>,
 ): Record<string, string[]> {
     return {
         'set-cookie': [
             clearAuthCookie(cookieConfig),
-            clearCsrfCookie(cookieConfig),
+            ...(options?.preserveCsrf
+                ? []
+                : [
+                      clearCsrfCookie(cookieConfig),
+                  ]),
         ],
     };
 }