lemma-sdk 0.2.3 → 0.2.4

package/README.md

@@ -39,6 +39,35 @@ const supportAssistant = await client.assistants.get("support_assistant");
 - `client.request(method, path, options)` escape hatch for endpoints not yet modeled.
 - `client.resources` for generic file resource APIs (`conversation`, `assistant`, `task`, etc.).
 - Ergonomic type aliases exported at top level: `Agent`, `Assistant`, `Conversation`, `Task`, `TaskMessage`, `CreateAgentInput`, `CreateAssistantInput`, etc.
+- `client.withPod(podId)` returns a pod-scoped client that shares auth state with the parent client.
+
+## Auth Helpers
+
+```ts
+import { LemmaClient, buildAuthUrl, resolveSafeRedirectUri } from "lemma-sdk";
+
+const client = new LemmaClient({
+  apiUrl: "https://api-next.asur.work",
+  authUrl: "https://auth.asur.work/auth",
+});
+
+// Build auth URLs (server/client)
+const loginUrl = buildAuthUrl(client.authUrl, { redirectUri: "https://app.asur.work/" });
+const signupUrl = buildAuthUrl(client.authUrl, { mode: "signup", redirectUri: "https://app.asur.work/" });
+
+// Redirect safety helper for auth route handlers
+const safeRedirect = resolveSafeRedirectUri("/pod/123", {
+  siteOrigin: "https://app.asur.work",
+  fallback: "/",
+});
+
+// Browser helpers
+await client.auth.checkAuth();
+await client.auth.signOut();
+const token = await client.auth.getAccessToken();
+const refreshed = await client.auth.refreshAccessToken();
+client.auth.redirectToAuth({ mode: "signup", redirectUri: safeRedirect });
+```
 
 ## Assistants + Agent Runs
 

package/dist/auth.d.ts

@@ -28,6 +28,27 @@ export interface AuthState {
     user: UserInfo | null;
 }
 export type AuthListener = (state: AuthState) => void;
+export type AuthRedirectMode = "login" | "signup";
+export interface BuildAuthUrlOptions {
+    /** Optional auth path segment relative to authUrl pathname, e.g. "callback" -> /auth/callback. */
+    path?: string;
+    /** Adds signup mode query, preserving existing params. */
+    mode?: AuthRedirectMode;
+    /** Redirect URI passed to auth service. */
+    redirectUri?: string;
+    /** Additional query parameters appended to auth URL. */
+    params?: Record<string, string | number | boolean | Array<string | number | boolean> | null | undefined>;
+}
+export interface ResolveSafeRedirectUriOptions {
+    /** Origin for resolving relative paths. */
+    siteOrigin: string;
+    /** Fallback path or URL when input is empty/invalid/blocked. Defaults to "/". */
+    fallback?: string;
+    /** Local paths blocked as redirect targets to avoid auth loops. */
+    blockedPaths?: string[];
+}
+export declare function buildAuthUrl(authUrl: string, options?: BuildAuthUrlOptions): string;
+export declare function resolveSafeRedirectUri(rawValue: string | null | undefined, options: ResolveSafeRedirectUriOptions): string;
 export declare class AuthManager {
     private readonly apiUrl;
     private readonly authUrl;
@@ -47,6 +68,23 @@ export declare class AuthManager {
     subscribe(listener: AuthListener): () => void;
     private notify;
     private setState;
+    private assertBrowserContext;
+    private getCookie;
+    private clearInjectedToken;
+    private rawSignOutViaBackend;
+    /**
+     * Check whether a cookie-backed session is active without mutating auth state.
+     */
+    isAuthenticatedViaCookie(): Promise<boolean>;
+    /**
+     * Return a browser access token from the session layer.
+     * Throws if no token is available.
+     */
+    getAccessToken(): Promise<string>;
+    /**
+     * Force a refresh-token flow and return the new access token.
+     */
+    refreshAccessToken(): Promise<string>;
     /**
      * Build request headers for an API call.
      * Uses Bearer token if one was injected, otherwise omits Authorization
@@ -63,10 +101,21 @@ export declare class AuthManager {
      * Does NOT redirect — call redirectToAuth() explicitly if desired.
      */
     markUnauthenticated(): void;
+    /**
+     * Sign out the current user session.
+     * Returns true when the session is no longer active.
+     */
+    signOut(): Promise<boolean>;
+    /**
+     * Build auth URL for login/signup/custom auth sub-path.
+     */
+    getAuthUrl(options?: BuildAuthUrlOptions): string;
     /**
      * Redirect to the auth service, passing the current URL as redirect_uri.
      * After the user authenticates, the auth service should redirect back to
      * the original URL and set the session cookie.
      */
-    redirectToAuth(): void;
+    redirectToAuth(options?: Omit<BuildAuthUrlOptions, "redirectUri"> & {
+        redirectUri?: string;
+    }): void;
 }

package/dist/auth.js

@@ -16,7 +16,9 @@
  * Auth state is determined by calling GET /users/me (user.current.get).
  * 401 → unauthenticated. 200 → authenticated.
  */
+import Session from "supertokens-web-js/recipe/session";
 import { ensureCookieSessionSupport } from "./supertokens.js";
+const DEFAULT_BLOCKED_REDIRECT_PATHS = ["/login", "/signup", "/auth"];
 const LOCALSTORAGE_TOKEN_KEY = "lemma_token";
 const QUERY_PARAM_TOKEN_KEY = "lemma_token";
 function detectInjectedToken() {
@@ -51,6 +53,79 @@ function detectInjectedToken() {
     catch { /* ignore */ }
     return null;
 }
+function normalizePath(path) {
+    const trimmed = path.trim();
+    if (!trimmed)
+        return "/";
+    if (trimmed === "/")
+        return "/";
+    const withLeadingSlash = trimmed.startsWith("/") ? trimmed : `/${trimmed}`;
+    return withLeadingSlash.endsWith("/") ? withLeadingSlash.slice(0, -1) : withLeadingSlash;
+}
+function resolveAuthPath(basePath, path) {
+    const normalizedBase = normalizePath(basePath);
+    if (!path || !path.trim()) {
+        return normalizedBase;
+    }
+    const segment = path.trim().replace(/^\/+/, "");
+    if (!segment) {
+        return normalizedBase;
+    }
+    return `${normalizedBase}/${segment}`.replace(/\/{2,}/g, "/");
+}
+function isBlockedLocalPath(pathname, blockedPaths) {
+    const normalizedPathname = normalizePath(pathname);
+    return blockedPaths.some((rawBlockedPath) => {
+        const blockedPath = normalizePath(rawBlockedPath);
+        return normalizedPathname === blockedPath || normalizedPathname.startsWith(`${blockedPath}/`);
+    });
+}
+function normalizeOrigin(rawOrigin) {
+    const parsed = new URL(rawOrigin);
+    return parsed.origin;
+}
+export function buildAuthUrl(authUrl, options = {}) {
+    const url = new URL(authUrl);
+    url.pathname = resolveAuthPath(url.pathname, options.path);
+    for (const [key, value] of Object.entries(options.params ?? {})) {
+        if (value === null || value === undefined)
+            continue;
+        if (Array.isArray(value)) {
+            url.searchParams.delete(key);
+            for (const item of value) {
+                url.searchParams.append(key, String(item));
+            }
+            continue;
+        }
+        url.searchParams.set(key, String(value));
+    }
+    if (options.mode === "signup") {
+        url.searchParams.set("show", "signup");
+    }
+    if (options.redirectUri && options.redirectUri.trim()) {
+        url.searchParams.set("redirect_uri", options.redirectUri);
+    }
+    return url.toString();
+}
+export function resolveSafeRedirectUri(rawValue, options) {
+    const siteOrigin = normalizeOrigin(options.siteOrigin);
+    const blockedPaths = options.blockedPaths ?? DEFAULT_BLOCKED_REDIRECT_PATHS;
+    const fallbackTarget = options.fallback ?? "/";
+    const fallback = new URL(fallbackTarget, siteOrigin).toString();
+    if (!rawValue || !rawValue.trim()) {
+        return fallback;
+    }
+    try {
+        const parsed = new URL(rawValue, siteOrigin);
+        if (parsed.origin === siteOrigin && isBlockedLocalPath(parsed.pathname, blockedPaths)) {
+            return fallback;
+        }
+        return parsed.toString();
+    }
+    catch {
+        return fallback;
+    }
+}
 export class AuthManager {
     apiUrl;
     authUrl;
@@ -93,6 +168,109 @@ export class AuthManager {
         this.state = state;
         this.notify();
     }
+    assertBrowserContext() {
+        if (typeof window === "undefined") {
+            throw new Error("This auth method is only available in browser environments.");
+        }
+    }
+    getCookie(name) {
+        if (typeof document === "undefined")
+            return undefined;
+        const escaped = name.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
+        const match = document.cookie.match(new RegExp(`(?:^|; )${escaped}=([^;]*)`));
+        return match ? decodeURIComponent(match[1]) : undefined;
+    }
+    clearInjectedToken() {
+        this.injectedToken = null;
+        if (typeof window === "undefined")
+            return;
+        try {
+            sessionStorage.removeItem(LOCALSTORAGE_TOKEN_KEY);
+        }
+        catch {
+            // ignore storage errors
+        }
+        try {
+            localStorage.removeItem(LOCALSTORAGE_TOKEN_KEY);
+        }
+        catch {
+            // ignore storage errors
+        }
+    }
+    async rawSignOutViaBackend() {
+        const antiCsrf = this.getCookie("sAntiCsrf");
+        const headers = {
+            Accept: "application/json",
+            "Content-Type": "application/json",
+            rid: "anti-csrf",
+            "fdi-version": "4.2",
+            "st-auth-mode": "cookie",
+        };
+        if (antiCsrf) {
+            headers["anti-csrf"] = antiCsrf;
+        }
+        const separator = this.apiUrl.includes("?") ? "&" : "?";
+        const signOutUrl = `${this.apiUrl.replace(/\/$/, "")}/st/auth/signout${separator}superTokensDoNotDoInterception=true`;
+        await fetch(signOutUrl, {
+            method: "POST",
+            credentials: "include",
+            headers,
+        });
+    }
+    /**
+     * Check whether a cookie-backed session is active without mutating auth state.
+     */
+    async isAuthenticatedViaCookie() {
+        if (this.injectedToken) {
+            return this.isAuthenticated();
+        }
+        try {
+            const response = await fetch(`${this.apiUrl}/users/me`, {
+                method: "GET",
+                credentials: "include",
+                headers: { Accept: "application/json" },
+            });
+            return response.status !== 401;
+        }
+        catch {
+            return false;
+        }
+    }
+    /**
+     * Return a browser access token from the session layer.
+     * Throws if no token is available.
+     */
+    async getAccessToken() {
+        if (this.injectedToken) {
+            return this.injectedToken;
+        }
+        this.assertBrowserContext();
+        ensureCookieSessionSupport(this.apiUrl, () => this.markUnauthenticated());
+        const token = await Session.getAccessToken();
+        if (!token) {
+            throw new Error("Token unavailable");
+        }
+        return token;
+    }
+    /**
+     * Force a refresh-token flow and return the new access token.
+     */
+    async refreshAccessToken() {
+        if (this.injectedToken) {
+            return this.injectedToken;
+        }
+        this.assertBrowserContext();
+        ensureCookieSessionSupport(this.apiUrl, () => this.markUnauthenticated());
+        const refreshed = await Session.attemptRefreshingSession();
+        if (!refreshed) {
+            throw new Error("Session refresh failed");
+        }
+        const token = await Session.getAccessToken();
+        if (!token) {
+            throw new Error("Token unavailable");
+        }
+        return token;
+    }
     /**
      * Build request headers for an API call.
      * Uses Bearer token if one was injected, otherwise omits Authorization
@@ -151,16 +329,54 @@ export class AuthManager {
     markUnauthenticated() {
         this.setState({ status: "unauthenticated", user: null });
     }
+    /**
+     * Sign out the current user session.
+     * Returns true when the session is no longer active.
+     */
+    async signOut() {
+        if (this.injectedToken) {
+            this.clearInjectedToken();
+            this.markUnauthenticated();
+            return true;
+        }
+        this.assertBrowserContext();
+        ensureCookieSessionSupport(this.apiUrl, () => this.markUnauthenticated());
+        try {
+            await Session.signOut();
+        }
+        catch {
+            // continue with raw fallback
+        }
+        if (await this.isAuthenticatedViaCookie()) {
+            try {
+                await this.rawSignOutViaBackend();
+            }
+            catch {
+                // best effort fallback only
+            }
+        }
+        const isAuthenticated = await this.isAuthenticatedViaCookie();
+        if (!isAuthenticated) {
+            this.markUnauthenticated();
+        }
+        return !isAuthenticated;
+    }
+    /**
+     * Build auth URL for login/signup/custom auth sub-path.
+     */
+    getAuthUrl(options = {}) {
+        return buildAuthUrl(this.authUrl, options);
+    }
     /**
      * Redirect to the auth service, passing the current URL as redirect_uri.
      * After the user authenticates, the auth service should redirect back to
      * the original URL and set the session cookie.
      */
-    redirectToAuth() {
+    redirectToAuth(options = {}) {
         if (typeof window === "undefined") {
             return;
         }
-        const redirectUri = encodeURIComponent(window.location.href);
-        window.location.href = `${this.authUrl}?redirect_uri=${redirectUri}`;
+        const redirectUri = options.redirectUri ?? window.location.href;
+        window.location.href = this.getAuthUrl({ ...options, redirectUri });
     }
 }

package/dist/browser/lemma-client.js

@@ -3,7 +3,7 @@
 "./browser.js": function (module, exports, require) {
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.ApiError = exports.AuthManager = exports.LemmaClient = void 0;
+exports.ApiError = exports.resolveSafeRedirectUri = exports.buildAuthUrl = exports.AuthManager = exports.LemmaClient = void 0;
 /**
  * Browser bundle entry point.
  * Exposes LemmaClient as globalThis.LemmaClient.LemmaClient
@@ -18,6 +18,8 @@ var client_js_1 = require("./client.js");
 Object.defineProperty(exports, "LemmaClient", { enumerable: true, get: function () { return client_js_1.LemmaClient; } });
 var auth_js_1 = require("./auth.js");
 Object.defineProperty(exports, "AuthManager", { enumerable: true, get: function () { return auth_js_1.AuthManager; } });
+Object.defineProperty(exports, "buildAuthUrl", { enumerable: true, get: function () { return auth_js_1.buildAuthUrl; } });
+Object.defineProperty(exports, "resolveSafeRedirectUri", { enumerable: true, get: function () { return auth_js_1.resolveSafeRedirectUri; } });
 var http_js_1 = require("./http.js");
 Object.defineProperty(exports, "ApiError", { enumerable: true, get: function () { return http_js_1.ApiError; } });
 
@@ -50,11 +52,11 @@ const tasks_js_1 = require("./namespaces/tasks.js");
 const users_js_1 = require("./namespaces/users.js");
 const workflows_js_1 = require("./namespaces/workflows.js");
 class LemmaClient {
-    constructor(overrides = {}) {
+    constructor(overrides = {}, internalOptions = {}) {
         this._config = (0, config_js_1.resolveConfig)(overrides);
         this._currentPodId = this._config.podId;
         this._podId = this._config.podId;
-        this.auth = new auth_js_1.AuthManager(this._config.apiUrl, this._config.authUrl);
+        this.auth = internalOptions.authManager ?? new auth_js_1.AuthManager(this._config.apiUrl, this._config.authUrl);
         this._http = new http_js_1.HttpClient(this._config.apiUrl, this.auth);
         this._generated = new generated_js_1.GeneratedClientAdapter(this._config.apiUrl, this.auth);
         const podIdFn = () => {
@@ -89,7 +91,7 @@ class LemmaClient {
     }
     /** Return a new client scoped to a specific pod, sharing auth state. */
     withPod(podId) {
-        return new LemmaClient({ ...this._config, podId });
+        return new LemmaClient({ ...this._config, podId }, { authManager: this.auth });
     }
     get podId() {
         return this._currentPodId;
@@ -192,7 +194,11 @@ function resolveConfig(overrides = {}) {
  */
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.AuthManager = void 0;
+exports.buildAuthUrl = buildAuthUrl;
+exports.resolveSafeRedirectUri = resolveSafeRedirectUri;
+const session_1 = require("supertokens-web-js/recipe/session");
 const supertokens_js_1 = require("./supertokens.js");
+const DEFAULT_BLOCKED_REDIRECT_PATHS = ["/login", "/signup", "/auth"];
 const LOCALSTORAGE_TOKEN_KEY = "lemma_token";
 const QUERY_PARAM_TOKEN_KEY = "lemma_token";
 function detectInjectedToken() {
@@ -227,6 +233,79 @@ function detectInjectedToken() {
     catch { /* ignore */ }
     return null;
 }
+function normalizePath(path) {
+    const trimmed = path.trim();
+    if (!trimmed)
+        return "/";
+    if (trimmed === "/")
+        return "/";
+    const withLeadingSlash = trimmed.startsWith("/") ? trimmed : `/${trimmed}`;
+    return withLeadingSlash.endsWith("/") ? withLeadingSlash.slice(0, -1) : withLeadingSlash;
+}
+function resolveAuthPath(basePath, path) {
+    const normalizedBase = normalizePath(basePath);
+    if (!path || !path.trim()) {
+        return normalizedBase;
+    }
+    const segment = path.trim().replace(/^\/+/, "");
+    if (!segment) {
+        return normalizedBase;
+    }
+    return `${normalizedBase}/${segment}`.replace(/\/{2,}/g, "/");
+}
+function isBlockedLocalPath(pathname, blockedPaths) {
+    const normalizedPathname = normalizePath(pathname);
+    return blockedPaths.some((rawBlockedPath) => {
+        const blockedPath = normalizePath(rawBlockedPath);
+        return normalizedPathname === blockedPath || normalizedPathname.startsWith(`${blockedPath}/`);
+    });
+}
+function normalizeOrigin(rawOrigin) {
+    const parsed = new URL(rawOrigin);
+    return parsed.origin;
+}
+function buildAuthUrl(authUrl, options = {}) {
+    const url = new URL(authUrl);
+    url.pathname = resolveAuthPath(url.pathname, options.path);
+    for (const [key, value] of Object.entries(options.params ?? {})) {
+        if (value === null || value === undefined)
+            continue;
+        if (Array.isArray(value)) {
+            url.searchParams.delete(key);
+            for (const item of value) {
+                url.searchParams.append(key, String(item));
+            }
+            continue;
+        }
+        url.searchParams.set(key, String(value));
+    }
+    if (options.mode === "signup") {
+        url.searchParams.set("show", "signup");
+    }
+    if (options.redirectUri && options.redirectUri.trim()) {
+        url.searchParams.set("redirect_uri", options.redirectUri);
+    }
+    return url.toString();
+}
+function resolveSafeRedirectUri(rawValue, options) {
+    const siteOrigin = normalizeOrigin(options.siteOrigin);
+    const blockedPaths = options.blockedPaths ?? DEFAULT_BLOCKED_REDIRECT_PATHS;
+    const fallbackTarget = options.fallback ?? "/";
+    const fallback = new URL(fallbackTarget, siteOrigin).toString();
+    if (!rawValue || !rawValue.trim()) {
+        return fallback;
+    }
+    try {
+        const parsed = new URL(rawValue, siteOrigin);
+        if (parsed.origin === siteOrigin && isBlockedLocalPath(parsed.pathname, blockedPaths)) {
+            return fallback;
+        }
+        return parsed.toString();
+    }
+    catch {
+        return fallback;
+    }
+}
 class AuthManager {
     constructor(apiUrl, authUrl) {
         this.state = { status: "loading", user: null };
@@ -266,6 +345,109 @@ class AuthManager {
         this.state = state;
         this.notify();
     }
+    assertBrowserContext() {
+        if (typeof window === "undefined") {
+            throw new Error("This auth method is only available in browser environments.");
+        }
+    }
+    getCookie(name) {
+        if (typeof document === "undefined")
+            return undefined;
+        const escaped = name.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
+        const match = document.cookie.match(new RegExp(`(?:^|; )${escaped}=([^;]*)`));
+        return match ? decodeURIComponent(match[1]) : undefined;
+    }
+    clearInjectedToken() {
+        this.injectedToken = null;
+        if (typeof window === "undefined")
+            return;
+        try {
+            sessionStorage.removeItem(LOCALSTORAGE_TOKEN_KEY);
+        }
+        catch {
+            // ignore storage errors
+        }
+        try {
+            localStorage.removeItem(LOCALSTORAGE_TOKEN_KEY);
+        }
+        catch {
+            // ignore storage errors
+        }
+    }
+    async rawSignOutViaBackend() {
+        const antiCsrf = this.getCookie("sAntiCsrf");
+        const headers = {
+            Accept: "application/json",
+            "Content-Type": "application/json",
+            rid: "anti-csrf",
+            "fdi-version": "4.2",
+            "st-auth-mode": "cookie",
+        };
+        if (antiCsrf) {
+            headers["anti-csrf"] = antiCsrf;
+        }
+        const separator = this.apiUrl.includes("?") ? "&" : "?";
+        const signOutUrl = `${this.apiUrl.replace(/\/$/, "")}/st/auth/signout${separator}superTokensDoNotDoInterception=true`;
+        await fetch(signOutUrl, {
+            method: "POST",
+            credentials: "include",
+            headers,
+        });
+    }
+    /**
+     * Check whether a cookie-backed session is active without mutating auth state.
+     */
+    async isAuthenticatedViaCookie() {
+        if (this.injectedToken) {
+            return this.isAuthenticated();
+        }
+        try {
+            const response = await fetch(`${this.apiUrl}/users/me`, {
+                method: "GET",
+                credentials: "include",
+                headers: { Accept: "application/json" },
+            });
+            return response.status !== 401;
+        }
+        catch {
+            return false;
+        }
+    }
+    /**
+     * Return a browser access token from the session layer.
+     * Throws if no token is available.
+     */
+    async getAccessToken() {
+        if (this.injectedToken) {
+            return this.injectedToken;
+        }
+        this.assertBrowserContext();
+        (0, supertokens_js_1.ensureCookieSessionSupport)(this.apiUrl, () => this.markUnauthenticated());
+        const token = await session_1.default.getAccessToken();
+        if (!token) {
+            throw new Error("Token unavailable");
+        }
+        return token;
+    }
+    /**
+     * Force a refresh-token flow and return the new access token.
+     */
+    async refreshAccessToken() {
+        if (this.injectedToken) {
+            return this.injectedToken;
+        }
+        this.assertBrowserContext();
+        (0, supertokens_js_1.ensureCookieSessionSupport)(this.apiUrl, () => this.markUnauthenticated());
+        const refreshed = await session_1.default.attemptRefreshingSession();
+        if (!refreshed) {
+            throw new Error("Session refresh failed");
+        }
+        const token = await session_1.default.getAccessToken();
+        if (!token) {
+            throw new Error("Token unavailable");
+        }
+        return token;
+    }
     /**
      * Build request headers for an API call.
      * Uses Bearer token if one was injected, otherwise omits Authorization
@@ -324,17 +506,55 @@ class AuthManager {
     markUnauthenticated() {
         this.setState({ status: "unauthenticated", user: null });
     }
+    /**
+     * Sign out the current user session.
+     * Returns true when the session is no longer active.
+     */
+    async signOut() {
+        if (this.injectedToken) {
+            this.clearInjectedToken();
+            this.markUnauthenticated();
+            return true;
+        }
+        this.assertBrowserContext();
+        (0, supertokens_js_1.ensureCookieSessionSupport)(this.apiUrl, () => this.markUnauthenticated());
+        try {
+            await session_1.default.signOut();
+        }
+        catch {
+            // continue with raw fallback
+        }
+        if (await this.isAuthenticatedViaCookie()) {
+            try {
+                await this.rawSignOutViaBackend();
+            }
+            catch {
+                // best effort fallback only
+            }
+        }
+        const isAuthenticated = await this.isAuthenticatedViaCookie();
+        if (!isAuthenticated) {
+            this.markUnauthenticated();
+        }
+        return !isAuthenticated;
+    }
+    /**
+     * Build auth URL for login/signup/custom auth sub-path.
+     */
+    getAuthUrl(options = {}) {
+        return buildAuthUrl(this.authUrl, options);
+    }
     /**
      * Redirect to the auth service, passing the current URL as redirect_uri.
      * After the user authenticates, the auth service should redirect back to
      * the original URL and set the session cookie.
      */
-    redirectToAuth() {
+    redirectToAuth(options = {}) {
         if (typeof window === "undefined") {
             return;
         }
-        const redirectUri = encodeURIComponent(window.location.href);
-        window.location.href = `${this.authUrl}?redirect_uri=${redirectUri}`;
+        const redirectUri = options.redirectUri ?? window.location.href;
+        window.location.href = this.getAuthUrl({ ...options, redirectUri });
     }
 }
 exports.AuthManager = AuthManager;

package/dist/browser.d.ts

@@ -9,5 +9,5 @@
  *   </script>
  */
 export { LemmaClient } from "./client.js";
-export { AuthManager } from "./auth.js";
+export { AuthManager, buildAuthUrl, resolveSafeRedirectUri } from "./auth.js";
 export { ApiError } from "./http.js";

package/dist/browser.js

@@ -9,5 +9,5 @@
  *   </script>
  */
 export { LemmaClient } from "./client.js";
-export { AuthManager } from "./auth.js";
+export { AuthManager, buildAuthUrl, resolveSafeRedirectUri } from "./auth.js";
 export { ApiError } from "./http.js";

package/dist/client.d.ts

@@ -21,6 +21,9 @@ import { WorkflowsNamespace } from "./namespaces/workflows.js";
 export type { LemmaConfig };
 export { AuthManager };
 export type { AuthState, AuthListener };
+interface LemmaClientInternalOptions {
+    authManager?: AuthManager;
+}
 export declare class LemmaClient {
     private readonly _config;
     private readonly _podId;
@@ -48,7 +51,7 @@ export declare class LemmaClient {
     readonly podMembers: PodMembersNamespace;
     readonly organizations: OrganizationsNamespace;
     readonly podSurfaces: PodSurfacesNamespace;
-    constructor(overrides?: Partial<LemmaConfig>);
+    constructor(overrides?: Partial<LemmaConfig>, internalOptions?: LemmaClientInternalOptions);
     /** Change the active pod ID for subsequent calls. */
     setPodId(podId: string): void;
     /** Return a new client scoped to a specific pod, sharing auth state. */

package/dist/client.js

@@ -49,11 +49,11 @@ export class LemmaClient {
     podMembers;
     organizations;
     podSurfaces;
-    constructor(overrides = {}) {
+    constructor(overrides = {}, internalOptions = {}) {
         this._config = resolveConfig(overrides);
         this._currentPodId = this._config.podId;
         this._podId = this._config.podId;
-        this.auth = new AuthManager(this._config.apiUrl, this._config.authUrl);
+        this.auth = internalOptions.authManager ?? new AuthManager(this._config.apiUrl, this._config.authUrl);
         this._http = new HttpClient(this._config.apiUrl, this.auth);
         this._generated = new GeneratedClientAdapter(this._config.apiUrl, this.auth);
         const podIdFn = () => {
@@ -88,7 +88,7 @@ export class LemmaClient {
     }
     /** Return a new client scoped to a specific pod, sharing auth state. */
     withPod(podId) {
-        return new LemmaClient({ ...this._config, podId });
+        return new LemmaClient({ ...this._config, podId }, { authManager: this.auth });
     }
     get podId() {
         return this._currentPodId;

package/dist/index.d.ts

@@ -1,7 +1,7 @@
 export { LemmaClient } from "./client.js";
 export type { LemmaConfig } from "./client.js";
-export { AuthManager } from "./auth.js";
-export type { AuthState, AuthListener, AuthStatus, UserInfo } from "./auth.js";
+export { AuthManager, buildAuthUrl, resolveSafeRedirectUri } from "./auth.js";
+export type { AuthState, AuthListener, AuthStatus, UserInfo, AuthRedirectMode, BuildAuthUrlOptions, ResolveSafeRedirectUriOptions, } from "./auth.js";
 export { ApiError } from "./http.js";
 export * from "./types.js";
 export { readSSE, parseSSEJson } from "./streams.js";

package/dist/index.js

@@ -1,5 +1,5 @@
 export { LemmaClient } from "./client.js";
-export { AuthManager } from "./auth.js";
+export { AuthManager, buildAuthUrl, resolveSafeRedirectUri } from "./auth.js";
 export { ApiError } from "./http.js";
 export * from "./types.js";
 export { readSSE, parseSSEJson } from "./streams.js";

package/dist/react/useAuth.d.ts

@@ -1,11 +1,14 @@
 import type { LemmaClient } from "../client.js";
-import type { AuthState } from "../auth.js";
+import type { AuthState, BuildAuthUrlOptions } from "../auth.js";
+type RedirectToAuthOptions = Omit<BuildAuthUrlOptions, "redirectUri"> & {
+    redirectUri?: string;
+};
 export interface UseAuthResult {
     status: AuthState["status"];
     user: AuthState["user"];
     isLoading: boolean;
     isAuthenticated: boolean;
-    redirectToAuth: () => void;
+    redirectToAuth: (options?: RedirectToAuthOptions) => void;
 }
 /**
  * React hook for subscribing to Lemma auth state.
@@ -14,3 +17,4 @@ export interface UseAuthResult {
  *   const { isAuthenticated, isLoading, redirectToAuth } = useAuth(client);
  */
 export declare function useAuth(client: LemmaClient): UseAuthResult;
+export {};

package/dist/react/useAuth.js

@@ -24,6 +24,6 @@ export function useAuth(client) {
         user: state.user,
         isLoading: state.status === "loading",
         isAuthenticated: state.status === "authenticated",
-        redirectToAuth: () => client.auth.redirectToAuth(),
+        redirectToAuth: (options) => client.auth.redirectToAuth(options),
     };
 }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "lemma-sdk",
-  "version": "0.2.3",
+  "version": "0.2.4",
   "description": "Official TypeScript SDK for Lemma pod-scoped APIs",
   "type": "module",
   "main": "dist/index.js",