clefbase 2.0.2 → 2.0.4

package/dist/auth/index.d.ts

@@ -1,163 +1,107 @@
 import { HttpClient } from "../http";
-import type { AuthUser, AuthResult } from "../types";
-/**
- * Options for `auth.signInWithGateway()`.
- */
+import type { AuthUser, AuthResult, AuthOptions } from "../types";
 export interface GatewaySignInOptions {
     /**
-     * The URL the gateway should redirect back to after authentication.
-     * Defaults to `window.location.origin` (your app's root).
-     * Must be registered as an allowed redirect for your project in the gateway.
+     * Where the gateway should redirect after sign-in.
+     * Defaults to `window.location.origin`.
+     * Must be registered as an allowed redirect for your project.
      */
     redirectUrl?: string;
 }
+export interface OpenAuthUIOptions {
+    /**
+     * How to display the auth UI.
+     * - `"modal"` (default) — overlay on top of the current page
+     * - `"redirect"` — full-page redirect to auth.cleforyx.com
+     */
+    mode?: "modal" | "redirect";
+    /** Called when the user successfully signs in. */
+    onSuccess?: (result: AuthResult) => void;
+    /** Called when the modal is dismissed without signing in. */
+    onDismiss?: () => void;
+    /** Where to redirect after sign-in (redirect mode only). Defaults to current page. */
+    redirectUrl?: string;
+}
 type AuthStateCallback = (user: AuthUser | null) => void;
-/**
- * Authentication service. Obtain via `getAuth(app)`.
- *
- * @example
- * const auth = getAuth(app);
- *
- * // Email / password
- * const { user } = await auth.signIn("alice@example.com", "pass");
- *
- * // Google — redirect to gateway, come back signed in
- * await auth.signInWithGateway("google");
- *
- * // On every page load, handle the gateway callback:
- * const result = await auth.handleGatewayCallback();
- * if (result) console.log("Signed in via gateway:", result.user.email);
- */
 export declare class Auth {
     private readonly http;
     private readonly store;
     private listeners;
-    /** The base URL of the Cleforyx auth gateway (e.g. https://auth.cleforyx.com) */
     private readonly gatewayUrl;
-    /** The project ID — used as the `?project=` param when redirecting to the gateway */
     private readonly projectId;
-    constructor(http: HttpClient, gatewayUrl: string, projectId: string);
+    private _modalCleanup;
+    private readonly apiEndpoint;
+    private readonly dbId?;
+    constructor(http: HttpClient, gatewayUrl: string, projectId: string, options?: AuthOptions);
+    /**
+     * Get the appropriate endpoint base path for API calls.
+     * - "public": /auth/public (for client-side flows)
+     * - "external": /auth (for server-side flows with API key)
+     * @internal
+     */
+    private getEndpointPath;
     private notify;
     private handleResult;
     /** @internal — used by Storage to attach the bearer token to upload requests */
     getAuthHeaders(): Record<string, string>;
-    /** The currently signed-in user, or null. */
     get currentUser(): AuthUser | null;
-    /** The raw bearer token for the active session, or null. */
     get currentToken(): string | null;
-    /**
-     * Create a new account with email + password.
-     *
-     * @example
-     * const { user } = await auth.signUp("alice@example.com", "pass123", {
-     *   displayName: "Alice",
-     *   metadata: { role: "admin" },
-     * });
-     */
     signUp(email: string, password: string, profile?: {
         displayName?: string;
         photoUrl?: string;
         metadata?: Record<string, unknown>;
     }): Promise<AuthResult>;
-    /**
-     * Sign in with email + password.
-     *
-     * @example
-     * const { user, token } = await auth.signIn("alice@example.com", "pass");
-     */
     signIn(email: string, password: string): Promise<AuthResult>;
     /**
-     * Redirect the user to the Cleforyx auth gateway to sign in with an
-     * OAuth provider (currently `"google"`).
-     *
-     * The gateway handles the OAuth flow and redirects back to your app with
-     * `?cfx_token=<token>&cfx_project=<projectId>` in the URL.
-     * Call `auth.handleGatewayCallback()` on page load to complete sign-in.
+     * Open the Cleforyx hosted auth UI as a modal overlay on top of your page.
+     * Handles sign-in via email/password, Google, and magic link seamlessly.
      *
-     * **This method never returns** — it calls `window.location.href`.
+     * The modal closes automatically on successful sign-in and fires `onSuccess`.
      *
      * @example
-     * // On button click:
-     * await auth.signInWithGateway("google");
-     *
-     * // With a custom return URL:
-     * await auth.signInWithGateway("google", {
-     *   redirectUrl: "https://myapp.cleforyx.com/dashboard",
+     * auth.openAuthUI({
+     *   onSuccess: (result) => {
+     *     console.log("Signed in:", result.user.email);
+     *     navigate("/dashboard");
+     *   },
      * });
      */
-    signInWithGateway(provider: "google", options?: GatewaySignInOptions): Promise<never>;
+    openAuthUI(options?: OpenAuthUIOptions): void;
+    /** Close the auth modal programmatically if open. */
+    closeAuthUI(): void;
     /**
-     * Check if the current URL contains a gateway callback (`?cfx_token=`).
-     * Useful for rendering a "Finishing sign-in…" loading state before calling
-     * `handleGatewayCallback()`.
+     * Redirect to the Cleforyx auth gateway for OAuth sign-in.
+     * Use `openAuthUI()` for a modal experience instead.
      *
      * @example
-     * if (auth.isGatewayCallbackPending()) {
-     *   showLoadingSpinner();
-     * }
+     * await auth.signInWithGateway("google");
      */
+    signInWithGateway(provider: "google", options?: GatewaySignInOptions): Promise<never>;
     isGatewayCallbackPending(): boolean;
     /**
-     * Call this on every page load (ideally before rendering your app).
-     * If the URL contains `?cfx_token=`, the token is validated against
-     * the server, the session is saved, and the signed-in `AuthResult` is
-     * returned. The query params are cleaned from the URL automatically.
-     *
-     * Returns `null` if there is no pending callback.
+     * Call on every page load to handle the gateway redirect callback.
+     * Detects `?cfx_token=` in the URL, validates it, and returns the signed-in user.
      *
      * @example
-     * // In your app's root component or entry point:
      * useEffect(() => {
      *   auth.handleGatewayCallback().then(result => {
-     *     if (result) {
-     *       console.log("Signed in:", result.user.email);
-     *       navigate("/dashboard");
-     *     }
+     *     if (result) navigate("/dashboard");
      *   });
      * }, []);
-     *
-     * // Or outside React:
-     * const result = await auth.handleGatewayCallback();
-     * if (result) showDashboard(result.user);
      */
     handleGatewayCallback(): Promise<AuthResult | null>;
-    /** Sign out and clear the local session. */
     signOut(): Promise<void>;
-    /** Re-fetch the current user's profile from the server and update the cache. */
     refreshCurrentUser(): Promise<AuthUser | null>;
-    /**
-     * Update the signed-in user's profile.
-     *
-     * @example
-     * await auth.updateProfile({ displayName: "Bob", metadata: { theme: "dark" } });
-     */
     updateProfile(updates: {
         displayName?: string;
         photoUrl?: string;
         metadata?: Record<string, unknown>;
     }): Promise<AuthUser>;
-    /** Change password. All other sessions are invalidated server-side. */
     changePassword(currentPassword: string, newPassword: string): Promise<void>;
-    /** Request a password-reset email. Safe to call even for unregistered addresses. */
     sendPasswordResetEmail(email: string): Promise<void>;
-    /** Complete a password reset with the token from the reset email. */
     confirmPasswordReset(resetToken: string, newPassword: string): Promise<void>;
-    /** Send an email verification code to the currently signed-in user. */
     sendEmailVerification(): Promise<void>;
-    /** Verify email with the code the user received. */
     verifyEmail(code: string): Promise<AuthUser>;
-    /**
-     * Subscribe to auth state changes.
-     * Fires immediately with the current user, then on every sign-in or sign-out.
-     * Returns an unsubscribe function.
-     *
-     * @example
-     * const unsubscribe = auth.onAuthStateChanged(user => {
-     *   if (user) console.log("signed in:", user.email);
-     *   else console.log("signed out");
-     * });
-     * unsubscribe();
-     */
     onAuthStateChanged(callback: AuthStateCallback): () => void;
 }
 export {};

package/dist/auth/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/auth/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,UAAU,EAAE,MAAM,SAAS,CAAC;AACrC,OAAO,KAAK,EAAE,QAAQ,EAAE,UAAU,EAAE,MAAM,UAAU,CAAC;AAkDrD;;GAEG;AACH,MAAM,WAAW,oBAAoB;IACnC;;;;OAIG;IACH,WAAW,CAAC,EAAE,MAAM,CAAC;CACtB;AAID,KAAK,iBAAiB,GAAG,CAAC,IAAI,EAAE,QAAQ,GAAG,IAAI,KAAK,IAAI,CAAC;AAEzD;;;;;;;;;;;;;;;GAeG;AACH,qBAAa,IAAI;IAWb,OAAO,CAAC,QAAQ,CAAC,IAAI;IAVvB,OAAO,CAAC,QAAQ,CAAC,KAAK,CAAsB;IAC5C,OAAO,CAAC,SAAS,CAA2B;IAE5C,iFAAiF;IACjF,OAAO,CAAC,QAAQ,CAAC,UAAU,CAAS;IAEpC,qFAAqF;IACrF,OAAO,CAAC,QAAQ,CAAC,SAAS,CAAS;gBAGhB,IAAI,EAAE,UAAU,EACjC,UAAU,EAAE,MAAM,EAClB,SAAS,EAAE,MAAM;IASnB,OAAO,CAAC,MAAM;IAMd,OAAO,CAAC,YAAY;IAUpB,gFAAgF;IAChF,cAAc,IAAI,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC;IAOxC,6CAA6C;IAC7C,IAAI,WAAW,IAAI,QAAQ,GAAG,IAAI,CAA4C;IAE9E,4DAA4D;IAC5D,IAAI,YAAY,IAAI,MAAM,GAAG,IAAI,CAA6C;IAI9E;;;;;;;;OAQG;IACG,MAAM,CACV,KAAK,EAAE,MAAM,EACb,QAAQ,EAAE,MAAM,EAChB,OAAO,CAAC,EAAE;QACR,WAAW,CAAC,EAAE,MAAM,CAAC;QACrB,QAAQ,CAAC,EAAE,MAAM,CAAC;QAClB,QAAQ,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;KACpC,GACA,OAAO,CAAC,UAAU,CAAC;IAKtB;;;;;OAKG;IACG,MAAM,CAAC,KAAK,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,UAAU,CAAC;IAOlE;;;;;;;;;;;;;;;;;;OAkBG;IACG,iBAAiB,CACrB,QAAQ,EAAE,QAAQ,EAClB,OAAO,CAAC,EAAE,oBAAoB,GAC7B,OAAO,CAAC,KAAK,CAAC;IAqBjB;;;;;;;;;OASG;IACH,wBAAwB,IAAI,OAAO;IAKnC;;;;;;;;;;;;;;;;;;;;;;OAsBG;IACG,qBAAqB,IAAI,OAAO,CAAC,UAAU,GAAG,IAAI,CAAC;IA0CzD,4CAA4C;IACtC,OAAO,IAAI,OAAO,CAAC,IAAI,CAAC;IAW9B,gFAAgF;IAC1E,kBAAkB,IAAI,OAAO,CAAC,QAAQ,GAAG,IAAI,CAAC;IAYpD;;;;;OAKG;IACG,aAAa,CAAC,OAAO,EAAE;QAC3B,WAAW,CAAC,EAAE,MAAM,CAAC;QACrB,QAAQ,CAAC,EAAE,MAAM,CAAC;QAClB,QAAQ,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;KACpC,GAAG,OAAO,CAAC,QAAQ,CAAC;IAYrB,uEAAuE;IACjE,cAAc,CAAC,eAAe,EAAE,MAAM,EAAE,WAAW,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAUjF,oFAAoF;IAC9E,sBAAsB,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAI1D,qEAAqE;IAC/D,oBAAoB,CAAC,UAAU,EAAE,MAAM,EAAE,WAAW,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAIlF,uEAAuE;IACjE,qBAAqB,IAAI,OAAO,CAAC,IAAI,CAAC;IAM5C,oDAAoD;IAC9C,WAAW,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO,CAAC,QAAQ,CAAC;IAIlD;;;;;;;;;;;OAWG;IACH,kBAAkB,CAAC,QAAQ,EAAE,iBAAiB,GAAG,MAAM,IAAI;CAO5D"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/auth/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,UAAU,EAAE,MAAM,SAAS,CAAC;AACrC,OAAO,KAAK,EAAE,QAAQ,EAAE,UAAU,EAAE,WAAW,EAAE,MAAM,UAAU,CAAC;AAkDlE,MAAM,WAAW,oBAAoB;IACnC;;;;OAIG;IACH,WAAW,CAAC,EAAE,MAAM,CAAC;CACtB;AAED,MAAM,WAAW,iBAAiB;IAChC;;;;OAIG;IACH,IAAI,CAAC,EAAE,OAAO,GAAG,UAAU,CAAC;IAC5B,kDAAkD;IAClD,SAAS,CAAC,EAAE,CAAC,MAAM,EAAE,UAAU,KAAK,IAAI,CAAC;IACzC,6DAA6D;IAC7D,SAAS,CAAC,EAAE,MAAM,IAAI,CAAC;IACvB,sFAAsF;IACtF,WAAW,CAAC,EAAE,MAAM,CAAC;CACtB;AAID,KAAK,iBAAiB,GAAG,CAAC,IAAI,EAAE,QAAQ,GAAG,IAAI,KAAK,IAAI,CAAC;AAEzD,qBAAa,IAAI;IAUb,OAAO,CAAC,QAAQ,CAAC,IAAI;IATvB,OAAO,CAAC,QAAQ,CAAC,KAAK,CAAsB;IAC5C,OAAO,CAAC,SAAS,CAA2B;IAC5C,OAAO,CAAC,QAAQ,CAAC,UAAU,CAAS;IACpC,OAAO,CAAC,QAAQ,CAAC,SAAS,CAAS;IACnC,OAAO,CAAC,aAAa,CAA6B;IAClD,OAAO,CAAC,QAAQ,CAAC,WAAW,CAAwB;IACpD,OAAO,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAS;gBAGZ,IAAI,EAAE,UAAU,EACjC,UAAU,EAAE,MAAM,EAClB,SAAS,EAAE,MAAM,EACjB,OAAO,CAAC,EAAE,WAAW;IASvB;;;;;OAKG;IACH,OAAO,CAAC,eAAe;IAevB,OAAO,CAAC,MAAM;IAMd,OAAO,CAAC,YAAY;IAUpB,gFAAgF;IAChF,cAAc,IAAI,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC;IAOxC,IAAI,WAAW,IAAI,QAAQ,GAAG,IAAI,CAA4C;IAC9E,IAAI,YAAY,IAAI,MAAM,GAAG,IAAI,CAA8C;IAIzE,MAAM,CACV,KAAK,EAAE,MAAM,EACb,QAAQ,EAAE,MAAM,EAChB,OAAO,CAAC,EAAE;QAAE,WAAW,CAAC,EAAE,MAAM,CAAC;QAAC,QAAQ,CAAC,EAAE,MAAM,CAAC;QAAC,QAAQ,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAA;KAAE,GACxF,OAAO,CAAC,UAAU,CAAC;IAKhB,MAAM,CAAC,KAAK,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,UAAU,CAAC;IAOlE;;;;;;;;;;;;;OAaG;IACH,UAAU,CAAC,OAAO,GAAE,iBAAsB,GAAG,IAAI;IAmIjD,qDAAqD;IACrD,WAAW,IAAI,IAAI;IAMnB;;;;;;OAMG;IACG,iBAAiB,CACrB,QAAQ,EAAE,QAAQ,EAClB,OAAO,CAAC,EAAE,oBAAoB,GAC7B,OAAO,CAAC,KAAK,CAAC;IAUjB,wBAAwB,IAAI,OAAO;IAKnC;;;;;;;;;;OAUG;IACG,qBAAqB,IAAI,OAAO,CAAC,UAAU,GAAG,IAAI,CAAC;IAqCnD,OAAO,IAAI,OAAO,CAAC,IAAI,CAAC;IAWxB,kBAAkB,IAAI,OAAO,CAAC,QAAQ,GAAG,IAAI,CAAC;IAY9C,aAAa,CAAC,OAAO,EAAE;QAC3B,WAAW,CAAC,EAAE,MAAM,CAAC;QACrB,QAAQ,CAAC,EAAE,MAAM,CAAC;QAClB,QAAQ,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;KACpC,GAAG,OAAO,CAAC,QAAQ,CAAC;IAUf,cAAc,CAAC,eAAe,EAAE,MAAM,EAAE,WAAW,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAM3E,sBAAsB,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAIpD,oBAAoB,CAAC,UAAU,EAAE,MAAM,EAAE,WAAW,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAI5E,qBAAqB,IAAI,OAAO,CAAC,IAAI,CAAC;IAMtC,WAAW,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO,CAAC,QAAQ,CAAC;IAIlD,kBAAkB,CAAC,QAAQ,EAAE,iBAAiB,GAAG,MAAM,IAAI;CAK5D"}

package/dist/auth/index.js

@@ -47,31 +47,34 @@ class SessionStore {
         catch { /* ignore */ }
     }
 }
-/**
- * Authentication service. Obtain via `getAuth(app)`.
- *
- * @example
- * const auth = getAuth(app);
- *
- * // Email / password
- * const { user } = await auth.signIn("alice@example.com", "pass");
- *
- * // Google — redirect to gateway, come back signed in
- * await auth.signInWithGateway("google");
- *
- * // On every page load, handle the gateway callback:
- * const result = await auth.handleGatewayCallback();
- * if (result) console.log("Signed in via gateway:", result.user.email);
- */
 class Auth {
-    constructor(http, gatewayUrl, projectId) {
+    constructor(http, gatewayUrl, projectId, options) {
         this.http = http;
         this.store = new SessionStore();
         this.listeners = [];
+        this._modalCleanup = null;
         this.gatewayUrl = gatewayUrl.replace(/\/+$/, "");
         this.projectId = projectId;
+        this.apiEndpoint = options?.apiEndpoint ?? "external";
+        this.dbId = options?.dbId;
         this.store.load();
     }
+    /**
+     * Get the appropriate endpoint base path for API calls.
+     * - "public": /auth/public (for client-side flows)
+     * - "external": /auth (for server-side flows with API key)
+     * @internal
+     */
+    getEndpointPath(operation) {
+        if (this.apiEndpoint === "public") {
+            if (!this.dbId) {
+                throw new Error(`dbId is required for public routes. Pass it when initializing Auth with apiEndpoint: "public".`);
+            }
+            // For public routes, append dbId as query param and operation path
+            return `/public${operation}?dbId=${encodeURIComponent(this.dbId)}`;
+        }
+        return operation;
+    }
     // ── Internals ─────────────────────────────────────────────────────────────
     notify(user) {
         for (const cb of this.listeners) {
@@ -96,104 +99,185 @@ class Auth {
         return s ? { Authorization: `Bearer ${s.token}` } : {};
     }
     // ── Public API ────────────────────────────────────────────────────────────
-    /** The currently signed-in user, or null. */
     get currentUser() { return this.store.load()?.user ?? null; }
-    /** The raw bearer token for the active session, or null. */
     get currentToken() { return this.store.load()?.token ?? null; }
     // ── Email / password ──────────────────────────────────────────────────────
-    /**
-     * Create a new account with email + password.
-     *
-     * @example
-     * const { user } = await auth.signUp("alice@example.com", "pass123", {
-     *   displayName: "Alice",
-     *   metadata: { role: "admin" },
-     * });
-     */
     async signUp(email, password, profile) {
         const result = await this.http.post("/signup", { email, password, ...profile });
         return this.handleResult(result);
     }
-    /**
-     * Sign in with email + password.
-     *
-     * @example
-     * const { user, token } = await auth.signIn("alice@example.com", "pass");
-     */
     async signIn(email, password) {
         const result = await this.http.post("/signin", { email, password });
         return this.handleResult(result);
     }
-    // ── Gateway OAuth (redirect flow) ─────────────────────────────────────────
+    // ── Auth UI modal ─────────────────────────────────────────────────────────
     /**
-     * Redirect the user to the Cleforyx auth gateway to sign in with an
-     * OAuth provider (currently `"google"`).
+     * Open the Cleforyx hosted auth UI as a modal overlay on top of your page.
+     * Handles sign-in via email/password, Google, and magic link seamlessly.
      *
-     * The gateway handles the OAuth flow and redirects back to your app with
-     * `?cfx_token=<token>&cfx_project=<projectId>` in the URL.
-     * Call `auth.handleGatewayCallback()` on page load to complete sign-in.
-     *
-     * **This method never returns** — it calls `window.location.href`.
+     * The modal closes automatically on successful sign-in and fires `onSuccess`.
      *
      * @example
-     * // On button click:
-     * await auth.signInWithGateway("google");
-     *
-     * // With a custom return URL:
-     * await auth.signInWithGateway("google", {
-     *   redirectUrl: "https://myapp.cleforyx.com/dashboard",
+     * auth.openAuthUI({
+     *   onSuccess: (result) => {
+     *     console.log("Signed in:", result.user.email);
+     *     navigate("/dashboard");
+     *   },
      * });
      */
-    async signInWithGateway(provider, options) {
+    openAuthUI(options = {}) {
         if (typeof window === "undefined") {
-            throw new types_1.ClefbaseError("signInWithGateway() requires a browser environment.", "UNSUPPORTED_ENVIRONMENT");
+            throw new types_1.ClefbaseError("openAuthUI() requires a browser environment.", "UNSUPPORTED_ENVIRONMENT");
         }
-        const redirectUrl = options?.redirectUrl ?? window.location.origin;
+        const { mode = "modal", onSuccess, onDismiss, redirectUrl } = options;
+        const currentUrl = window.location.href;
+        const returnUrl = redirectUrl ?? currentUrl;
         const params = new URLSearchParams({
             project: this.projectId,
-            redirect: redirectUrl,
+            redirect: returnUrl,
+            embed: "popup",
         });
-        window.location.href = `${this.gatewayUrl}/${provider}?${params.toString()}`;
-        // This line is unreachable but TypeScript needs it for `never` return type
-        return new Promise(() => { });
+        const authUrl = `${this.gatewayUrl}/login?${params}`;
+        if (mode === "redirect") {
+            window.location.href = authUrl;
+            return;
+        }
+        // ── Modal mode ──────────────────────────────────────────────────────────
+        // Inject styles once
+        if (!document.getElementById("cfx-modal-styles")) {
+            const style = document.createElement("style");
+            style.id = "cfx-modal-styles";
+            style.textContent = `
+        @keyframes cfxFadeIn  { from { opacity: 0 } to { opacity: 1 } }
+        @keyframes cfxSlideUp { from { transform: translateY(20px); opacity: 0 } to { transform: none; opacity: 1 } }
+        #cfx-auth-overlay {
+          position: fixed; inset: 0; z-index: 999999;
+          background: rgba(15,23,42,0.6); backdrop-filter: blur(4px);
+          display: flex; align-items: center; justify-content: center;
+          animation: cfxFadeIn 0.18s ease;
+          padding: 16px; box-sizing: border-box;
+        }
+        #cfx-auth-card {
+          background: white; border-radius: 20px;
+          box-shadow: 0 24px 64px rgba(0,0,0,0.2);
+          overflow: hidden; width: 100%; max-width: 460px;
+          animation: cfxSlideUp 0.22s ease; position: relative;
+        }
+        #cfx-auth-frame {
+          width: 100%; height: 560px; border: none; display: block;
+        }
+        #cfx-auth-close {
+          position: absolute; top: 14px; right: 16px;
+          background: rgba(0,0,0,0.06); border: none;
+          width: 28px; height: 28px; border-radius: 50%;
+          font-size: 16px; line-height: 1; cursor: pointer;
+          display: flex; align-items: center; justify-content: center;
+          color: #64748b; z-index: 1; transition: background 0.15s;
+        }
+        #cfx-auth-close:hover { background: rgba(0,0,0,0.12); }
+      `;
+            document.head.appendChild(style);
+        }
+        // Create overlay
+        const overlay = document.createElement("div");
+        overlay.id = "cfx-auth-overlay";
+        const card = document.createElement("div");
+        card.id = "cfx-auth-card";
+        const closeBtn = document.createElement("button");
+        closeBtn.id = "cfx-auth-close";
+        closeBtn.innerHTML = "&#x2715;";
+        closeBtn.setAttribute("aria-label", "Close");
+        const iframe = document.createElement("iframe");
+        iframe.id = "cfx-auth-frame";
+        iframe.src = authUrl;
+        iframe.setAttribute("allow", "identity-credentials-get");
+        card.appendChild(closeBtn);
+        card.appendChild(iframe);
+        overlay.appendChild(card);
+        document.body.appendChild(overlay);
+        // Prevent body scroll
+        const prevOverflow = document.body.style.overflow;
+        document.body.style.overflow = "hidden";
+        const cleanup = () => {
+            overlay.remove();
+            document.body.style.overflow = prevOverflow;
+            window.removeEventListener("message", messageHandler);
+            this._modalCleanup = null;
+        };
+        const messageHandler = async (e) => {
+            if (e.data?.source !== "cleforyx-auth" || e.data?.type !== "auth_success")
+                return;
+            const { token, user: rawUser } = e.data;
+            if (!token)
+                return;
+            cleanup();
+            // Build a full AuthResult — fetch fresh user data to get expiresAt
+            // Use the public /me endpoint (no API key needed, just dbId + bearer)
+            try {
+                const serverUrl = this.http.getBaseUrl().replace(/\/auth$/, "");
+                const res = await fetch(`${serverUrl}/auth/public/me?dbId=${encodeURIComponent(this.projectId)}`, {
+                    headers: { Authorization: `Bearer ${token}` },
+                });
+                const user = res.ok ? await res.json() : rawUser;
+                const expiresAt = new Date(Date.now() + 30 * 24 * 60 * 60 * 1000).toISOString();
+                const result = { user, token, session: { token, expiresAt } };
+                this.handleResult(result);
+                onSuccess?.(result);
+            }
+            catch {
+                // Fallback: use the user data from postMessage directly
+                const expiresAt = new Date(Date.now() + 30 * 24 * 60 * 60 * 1000).toISOString();
+                const result = { user: rawUser, token, session: { token, expiresAt } };
+                this.handleResult(result);
+                onSuccess?.(result);
+            }
+        };
+        closeBtn.onclick = () => { cleanup(); onDismiss?.(); };
+        overlay.addEventListener("click", (e) => {
+            if (e.target === overlay) {
+                cleanup();
+                onDismiss?.();
+            }
+        });
+        window.addEventListener("message", messageHandler);
+        this._modalCleanup = cleanup;
+    }
+    /** Close the auth modal programmatically if open. */
+    closeAuthUI() {
+        this._modalCleanup?.();
     }
+    // ── Gateway redirect flow ─────────────────────────────────────────────────
     /**
-     * Check if the current URL contains a gateway callback (`?cfx_token=`).
-     * Useful for rendering a "Finishing sign-in…" loading state before calling
-     * `handleGatewayCallback()`.
+     * Redirect to the Cleforyx auth gateway for OAuth sign-in.
+     * Use `openAuthUI()` for a modal experience instead.
      *
      * @example
-     * if (auth.isGatewayCallbackPending()) {
-     *   showLoadingSpinner();
-     * }
+     * await auth.signInWithGateway("google");
      */
+    async signInWithGateway(provider, options) {
+        if (typeof window === "undefined") {
+            throw new types_1.ClefbaseError("signInWithGateway() requires a browser environment.", "UNSUPPORTED_ENVIRONMENT");
+        }
+        const redirectUrl = options?.redirectUrl ?? window.location.href;
+        const params = new URLSearchParams({ project: this.projectId, redirect: redirectUrl });
+        window.location.href = `${this.gatewayUrl}/google?${params}`;
+        return new Promise(() => { });
+    }
     isGatewayCallbackPending() {
         if (typeof window === "undefined")
             return false;
         return new URLSearchParams(window.location.search).has("cfx_token");
     }
     /**
-     * Call this on every page load (ideally before rendering your app).
-     * If the URL contains `?cfx_token=`, the token is validated against
-     * the server, the session is saved, and the signed-in `AuthResult` is
-     * returned. The query params are cleaned from the URL automatically.
-     *
-     * Returns `null` if there is no pending callback.
+     * Call on every page load to handle the gateway redirect callback.
+     * Detects `?cfx_token=` in the URL, validates it, and returns the signed-in user.
      *
      * @example
-     * // In your app's root component or entry point:
      * useEffect(() => {
      *   auth.handleGatewayCallback().then(result => {
-     *     if (result) {
-     *       console.log("Signed in:", result.user.email);
-     *       navigate("/dashboard");
-     *     }
+     *     if (result) navigate("/dashboard");
      *   });
      * }, []);
-     *
-     * // Or outside React:
-     * const result = await auth.handleGatewayCallback();
-     * if (result) showDashboard(result.user);
      */
     async handleGatewayCallback() {
         if (typeof window === "undefined")
@@ -202,33 +286,25 @@ class Auth {
         const token = params.get("cfx_token");
         if (!token)
             return null;
-        // Clean the token + project params from the URL immediately so they
-        // aren't reprocessed on refresh or shared in links
+        // Clean URL
         params.delete("cfx_token");
         params.delete("cfx_project");
-        const cleanSearch = params.toString();
-        const cleanUrl = window.location.pathname + (cleanSearch ? `?${cleanSearch}` : "");
-        window.history.replaceState({}, "", cleanUrl);
-        // Validate the token against the server and fetch the full user object
+        window.history.replaceState({}, "", window.location.pathname + (params.toString() ? `?${params}` : ""));
+        // Use /auth/public/me — no API key needed, just dbId + bearer
+        const serverUrl = this.http.getBaseUrl().replace(/\/auth$/, "");
         try {
-            const user = await this.http.get("/me", { Authorization: `Bearer ${token}` });
-            // We don't have an expiresAt from the URL — fetch it from /me is enough
-            // for the session; use a generous 30-day default matching server config
+            const res = await fetch(`${serverUrl}/auth/public/me?dbId=${encodeURIComponent(this.projectId)}`, { headers: { Authorization: `Bearer ${token}` } });
+            if (!res.ok)
+                throw new Error(`${res.status} ${res.statusText}`);
+            const user = await res.json();
             const expiresAt = new Date(Date.now() + 30 * 24 * 60 * 60 * 1000).toISOString();
-            const result = {
-                user,
-                token,
-                session: { token, expiresAt },
-            };
-            return this.handleResult(result);
+            return this.handleResult({ user, token, session: { token, expiresAt } });
         }
         catch (err) {
-            // Token was invalid or expired — don't sign in
             throw new types_1.ClefbaseError(`Gateway callback failed: ${err.message}`, "GATEWAY_CALLBACK_ERROR");
         }
     }
     // ── Session management ────────────────────────────────────────────────────
-    /** Sign out and clear the local session. */
     async signOut() {
         const token = this.currentToken;
         if (token) {
@@ -240,7 +316,6 @@ class Auth {
         this.store.clear();
         this.notify(null);
     }
-    /** Re-fetch the current user's profile from the server and update the cache. */
     async refreshCurrentUser() {
         const token = this.currentToken;
         if (!token)
@@ -257,72 +332,45 @@ class Auth {
             return null;
         }
     }
-    /**
-     * Update the signed-in user's profile.
-     *
-     * @example
-     * await auth.updateProfile({ displayName: "Bob", metadata: { theme: "dark" } });
-     */
     async updateProfile(updates) {
         const token = this.currentToken;
         if (!token)
             throw new Error("No user is currently signed in.");
-        const user = await this.http.patch("/me", updates, {
-            Authorization: `Bearer ${token}`,
-        });
+        const user = await this.http.patch("/me", updates, { Authorization: `Bearer ${token}` });
         const session = this.store.load();
         if (session)
             this.store.save({ ...session, user });
         this.notify(user);
         return user;
     }
-    /** Change password. All other sessions are invalidated server-side. */
     async changePassword(currentPassword, newPassword) {
         const token = this.currentToken;
         if (!token)
             throw new Error("No user is currently signed in.");
         await this.http.post("/change-password", { currentPassword, newPassword }, { Authorization: `Bearer ${token}` });
     }
-    /** Request a password-reset email. Safe to call even for unregistered addresses. */
     async sendPasswordResetEmail(email) {
         await this.http.post("/forgot-password", { email });
     }
-    /** Complete a password reset with the token from the reset email. */
     async confirmPasswordReset(resetToken, newPassword) {
         await this.http.post("/reset-password", { token: resetToken, newPassword });
     }
-    /** Send an email verification code to the currently signed-in user. */
     async sendEmailVerification() {
         const token = this.currentToken;
         if (!token)
             throw new Error("No user is currently signed in.");
         await this.http.post("/send-verification", undefined, { Authorization: `Bearer ${token}` });
     }
-    /** Verify email with the code the user received. */
     async verifyEmail(code) {
         return this.http.post("/verify-email", { code });
     }
-    /**
-     * Subscribe to auth state changes.
-     * Fires immediately with the current user, then on every sign-in or sign-out.
-     * Returns an unsubscribe function.
-     *
-     * @example
-     * const unsubscribe = auth.onAuthStateChanged(user => {
-     *   if (user) console.log("signed in:", user.email);
-     *   else console.log("signed out");
-     * });
-     * unsubscribe();
-     */
     onAuthStateChanged(callback) {
         this.listeners.push(callback);
         try {
             callback(this.currentUser);
         }
         catch { /* ignore */ }
-        return () => {
-            this.listeners = this.listeners.filter(cb => cb !== callback);
-        };
+        return () => { this.listeners = this.listeners.filter(cb => cb !== callback); };
     }
 }
 exports.Auth = Auth;