rw3iss Auth

AuthModule

Defined in: auth-client/src/core/modules/auth.module.ts:21

Constructors

Constructor

new AuthModule(ctx): AuthModule

Defined in: auth-client/src/core/modules/auth.module.ts:22

Parameters

ctx

ModuleContext

Returns

AuthModule

Methods

completeSso()

completeSso(params): Promise<AuthResponse>

Defined in: auth-client/src/core/modules/auth.module.ts:51

Complete an SSO sign-in. Pass the code and state that the provider redirected back with. The SDK exchanges them with the auth-server, handles the PKCE auth_code redemption automatically, and emits “authenticated” on success.

Parameters

params.code

string

params.provider?

string

params.state

string

Returns

Promise<AuthResponse>


getAccessToken()

getAccessToken(): Promise<string | null>

Defined in: auth-client/src/core/modules/auth.module.ts:162

Current access token, if any. Returns null when logged out. The Transport already attaches this automatically; consumers calling other HTTP clients (axios, etc.) can use this to attach manually.

Returns

Promise<string | null>


getClaims()

getClaims(): DecodedAccessToken | null

Defined in: auth-client/src/core/modules/auth.module.ts:174

Decoded claims of the current access token. Null when logged out or when the token is malformed. Synchronous: reads the cached value.

Returns

DecodedAccessToken | null


getCurrentUser()

getCurrentUser(): { email: string; id: string; } | null

Defined in: auth-client/src/core/modules/auth.module.ts:180

Convenience: current user reconstructed from the decoded token. For a server-authoritative snapshot, call whoami().

Returns

{ email: string; id: string; } | null


getRegistrationPolicy()

getRegistrationPolicy(appCode?): Promise<RegistrationPolicy>

Defined in: auth-client/src/core/modules/auth.module.ts:92

Fetch the public registration policy for an app. Anonymous: no token required. Useful for rendering the login / register UI BEFORE the user submits: pre-filter SSO buttons against allowed_auth_methods, or show a domain hint from allowed_email_domains. The server still enforces the policy on the actual register/login call. Migration 013.

If appCode is omitted, defaults to the AuthClient’s configured appCode (set on construction). Throws if neither is set.

Parameters

appCode?

string

Returns

Promise<RegistrationPolicy>


isAuthenticated()

isAuthenticated(): boolean

Defined in: auth-client/src/core/modules/auth.module.ts:168

Are we currently authenticated? Synchronous; reflects cached state. In offline mode this is always false.

Returns

boolean


isImpersonating()

isImpersonating(): boolean

Defined in: auth-client/src/core/modules/auth.module.ts:186

True if the current session is an impersonation (AUDIT C7). UIs can use this to render an “Acting as X” banner.

Returns

boolean


login()

login(params): Promise<AuthResponse>

Defined in: auth-client/src/core/modules/auth.module.ts:27

Password login. On success, persists tokens + emits “authenticated”. On 2FA challenge, returns {requires_2fa: true} without throwing. On hard failure (bad password, locked account, etc.), throws.

Parameters

params

LoginParams

Returns

Promise<AuthResponse>


logout()

logout(): Promise<void>

Defined in: auth-client/src/core/modules/auth.module.ts:98

Log out the current session: revokes the refresh token server-side, clears local state, and emits “logged_out”.

Returns

Promise<void>


logoutAll()

logoutAll(): Promise<void>

Defined in: auth-client/src/core/modules/auth.module.ts:105

Revoke every refresh token for the current user AND bump the server’s per-user token-version so any outstanding access token is immediately invalid cross-replica. AUDIT 1.10.

Returns

Promise<void>
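Why the token-version bump matters, as an added sketch that is not the auth-server's code: revoking refresh tokens alone leaves already-issued access tokens valid until they expire, while a shared per-user version rejects them at once. The `tv` claim, `VersionStore` and all function names are assumptions.

```typescript
// Added illustration of per-user token versioning; not the auth-server's code.
// The `tv` claim, VersionStore and the function names are assumptions.
interface AccessClaims { sub: string; tv: number; exp: number }

// Stands in for state shared by every replica (a database row, a cache key).
class VersionStore {
  private versions = new Map<string, number>();
  current(userId: string): number { return this.versions.get(userId) ?? 0; }
  bump(userId: string): number {
    const next = this.current(userId) + 1;
    this.versions.set(userId, next);
    return next;
  }
}

function issueAccess(userId: string, store: VersionStore, nowSec: number): AccessClaims {
  return { sub: userId, tv: store.current(userId), exp: nowSec + 900 };
}

// Check made by any replica after signature validation (not shown here).
function acceptAccess(claims: AccessClaims, store: VersionStore, nowSec: number): boolean {
  if (claims.exp <= nowSec) return false;          // ordinary expiry
  return claims.tv === store.current(claims.sub);  // stale version: revoked
}

// refreshTokens maps refresh token -> owning user id (constructed sample data).
function logoutAll(userId: string, store: VersionStore,
                   refreshTokens: Map<string, string>): number {
  let revoked = 0;
  refreshTokens.forEach((owner, token) => {
    if (owner === userId) { refreshTokens.delete(token); revoked++; }
  });
  store.bump(userId); // without this, issued access tokens live until exp
  return revoked;
}
```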


refresh()

refresh(context?): Promise<TokenPair>

Defined in: auth-client/src/core/modules/auth.module.ts:123

Refresh the access token using the stored refresh token. Coalesced — concurrent calls share one in-flight request.

Optional context switches the issued token’s org and/or app scope. The server honors either or both:

  • organizationId — re-scope to a different org the user belongs to. Membership is re-verified each refresh.
  • appCode — re-scope to a different consuming app.

For the common “switch org” case prefer switchOrg(orgId) — it’s a thinner shorthand that also emits the org_switched event so subscribers can react.

Parameters

context?.appCode?

string

context?.organizationId?

string

Returns

Promise<TokenPair>
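The coalescing described for refresh(), as an added sketch that is not the SDK's code: concurrent callers share one promise, so a stored refresh token is presented once. `Refresher`, the `TokenPair` fields and the constructed rotating server (which treats a repeated refresh token as reuse) are assumptions.

```typescript
// Added illustration of request coalescing ("single-flight"); not the SDK's code.
// TokenPair's fields, Refresher and makeRotatingServer are assumptions.
interface TokenPair { accessToken: string; refreshToken: string }
type Exchange = (refreshToken: string) => Promise<TokenPair>;

class Refresher {
  private inFlight: Promise<TokenPair> | null = null;
  networkCalls = 0;

  constructor(private exchange: Exchange, private stored: TokenPair,
              private coalesce = true) {}

  // Not `async` on purpose: concurrent callers must get the SAME promise
  // object, so the stored refresh token is presented to the server once.
  refresh(): Promise<TokenPair> {
    if (this.coalesce && this.inFlight) return this.inFlight;
    this.networkCalls++;
    const p = this.exchange(this.stored.refreshToken)
      .then((pair) => { this.stored = pair; return pair; })
      // Clear on success and on failure so a failed refresh can be retried.
      .finally(() => { if (this.inFlight === p) this.inFlight = null; });
    this.inFlight = p;
    return p;
  }
}

// Constructed stand-in for a server that rotates refresh tokens and records
// any attempt to present one that has already been used.
function makeRotatingServer(): { exchange: Exchange; reuse: string[] } {
  let valid = "rt-0";
  let n = 0;
  const reuse: string[] = [];
  const exchange: Exchange = (rt) => {
    if (rt !== valid) {
      reuse.push(rt);
      return Promise.reject(new Error("refresh token reuse"));
    }
    n++;
    valid = `rt-${n}`;
    return Promise.resolve({ accessToken: `at-${n}`, refreshToken: valid });
  };
  return { exchange, reuse };
}
```

With `coalesce` set to false, the second concurrent call presents the already-rotated token and the constructed server records it as reuse.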


register()

register(params): Promise<AuthResponse>

Defined in: auth-client/src/core/modules/auth.module.ts:35

Register a new user. The mode field on the server lets registration also act as login when the email is already known (see auth-server RegistrationMode); the SDK exposes this via the explicit register_or_login parameter.

Parameters

params

RegisterParams

Returns

Promise<AuthResponse>


requestMagicLink()

requestMagicLink(email, appCode?): Promise<void>

Defined in: auth-client/src/core/modules/auth.module.ts:63

Request a magic-link email. Anonymous flow; server is silent on whether the email is registered.

appCode defaults to the AuthClient’s configured app code so the resulting token-pair scopes correctly. Pass an explicit code to override.

Parameters

email

string

appCode?

string

Returns

Promise<void>


startSso()

startSso(params): Promise<SsoStartResult>

Defined in: auth-client/src/core/modules/auth.module.ts:42

Begin an SSO sign-in. The SDK auto-generates a PKCE pair, persists the verifier (so a subsequent /sso/callback POST can redeem it), and returns the provider’s auth URL for the caller to navigate to.

Parameters

params

SsoStartParams

Returns

Promise<SsoStartResult>
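What a PKCE pair is and how it is redeemed, for startSso() and completeSso(), as an added sketch following RFC 7636 (S256) rather than the SDK's source. All names are hypothetical, and the client-side state comparison is an assumption of this sketch, not documented SDK behaviour.

```typescript
import { createHash, randomBytes } from "node:crypto";

// Added illustration of RFC 7636 PKCE (S256) plus a state check.
// Not the SDK's source; every name below is hypothetical.
const b64url = (buf: Buffer): string => buf.toString("base64url");

// RFC 7636 section 4.2: challenge = BASE64URL(SHA256(ASCII(verifier)))
function challengeFor(verifier: string): string {
  return b64url(createHash("sha256").update(verifier, "ascii").digest());
}

interface PendingSso { state: string; verifier: string }

// Start: create state and verifier, keep both locally, and send only the
// state and the derived challenge along with the authorization request.
function beginSso(): { pending: PendingSso; challenge: string } {
  const verifier = b64url(randomBytes(32)); // 43 chars (allowed: 43 to 128)
  const state = b64url(randomBytes(16));
  return { pending: { state, verifier }, challenge: challengeFor(verifier) };
}

// Complete: refuse a callback whose state is not the one stored at start,
// then release the verifier so the code can be redeemed.
function verifierForCallback(pending: PendingSso | null, returnedState: string): string {
  if (!pending || pending.state !== returnedState) {
    throw new Error("SSO state mismatch");
  }
  return pending.verifier;
}

// Server side of the redemption: recompute the challenge from the verifier.
function serverAccepts(storedChallenge: string, presentedVerifier: string): boolean {
  return challengeFor(presentedVerifier) === storedChallenge;
}
```

An authorization code intercepted on the redirect is useless without the verifier, which never leaves the client until redemption.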


switchOrg()

switchOrg(organizationId): Promise<TokenPair>

Defined in: auth-client/src/core/modules/auth.module.ts:142

Switch the active organization context. Refreshes the token with the new organization_id, persists the new token-pair, and emits org_switched (in addition to the usual token_refreshed).

Requires the user to be a member of the target org; the server 403s otherwise and the call throws. Membership is verified server-side on every switch, so a stale MyOrgRecord from getMyOrgs() won’t sneak the caller into an org they were removed from.

Pair with <OrgSwitcher> for a drop-in UI affordance, or call directly from your own selector.

Parameters

organizationId

string

Returns

Promise<TokenPair>


verifyMagicLink()

verifyMagicLink(token): Promise<AuthResponse>

Defined in: auth-client/src/core/modules/auth.module.ts:77

Verify a magic-link token. On success, persists the returned tokens AND emits the authenticated event — the AuthClient’s snapshot transitions exactly as if the user had logged in via password. Caller’s UI can subsequently navigate away.

Throws on any error shape; the typical failure is TokenInvalid (unknown / expired / consumed token — all collapsed for anti-enumeration).

Parameters

token

string

Returns

Promise<AuthResponse>
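How unknown, expired and consumed tokens can collapse into one TokenInvalid, as an added server-side sketch that is not the auth-server's code. `MagicLinks`, the hashed storage and the 15-minute lifetime are assumptions.

```typescript
import { createHash, randomBytes } from "node:crypto";

// Added illustration of single-use magic-link verification with collapsed
// errors; not the auth-server's code. Names and the TTL are assumptions.
class TokenInvalid extends Error {
  constructor() { super("TokenInvalid"); this.name = "TokenInvalid"; }
}

interface LinkRecord { email: string; expiresAt: number; consumed: boolean }

class MagicLinks {
  private byHash = new Map<string, LinkRecord>();

  private static hash(token: string): string {
    return createHash("sha256").update(token).digest("hex");
  }

  // Only the hash is stored, so a leaked table cannot be replayed as links.
  issue(email: string, nowMs: number, ttlMs = 15 * 60 * 1000): string {
    const token = randomBytes(32).toString("base64url");
    this.byHash.set(MagicLinks.hash(token),
      { email, expiresAt: nowMs + ttlMs, consumed: false });
    return token;
  }

  // Unknown, expired and already-consumed tokens all fail identically, so the
  // response does not reveal which tokens ever existed.
  verify(token: string, nowMs: number): string {
    const rec = this.byHash.get(MagicLinks.hash(token));
    if (!rec || rec.consumed || nowMs >= rec.expiresAt) throw new TokenInvalid();
    rec.consumed = true; // single use: a second redemption fails
    return rec.email;
  }
}

// Helper for comparing failures: returns the error text, or "ok" on success.
function failureOf(links: MagicLinks, token: string, nowMs: number): string {
  try { links.verify(token, nowMs); return "ok"; }
  catch (e) { return (e as Error).message; }
}
```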


whoami()

whoami(): Promise<User>

Defined in: auth-client/src/core/modules/auth.module.ts:155

Hit /auth/me — the source of truth for the current user. Use this after a permission grant on the server side to refresh local state.

The server returns the identity fields flat at the top level (user_id, email, first_name, roles, permissions, …), not wrapped under a user key. Earlier versions of this method did resp.body.user and got undefined — every consumer crashed on .display_name or similar. We now reshape into a User-compatible object so callers can rely on the typed return value.

Returns

Promise<User>