AuthModule
Defined in: auth-client/src/core/modules/auth.module.ts:21
Constructors
Constructor
new AuthModule(ctx): AuthModule
Defined in: auth-client/src/core/modules/auth.module.ts:22
Parameters
ctx
Returns
AuthModule
Methods
completeSso()
completeSso(params): Promise<AuthResponse>
Defined in: auth-client/src/core/modules/auth.module.ts:51
Complete an SSO sign-in. Pass the code and state that the provider
redirected back with. The SDK exchanges them with the auth-server,
handles the PKCE auth_code redemption automatically, and emits
“authenticated” on success.
Parameters
params
params.code: string
params.provider?: string
params.state: string
Returns
Promise<AuthResponse>
getAccessToken()
getAccessToken(): Promise<string | null>
Defined in: auth-client/src/core/modules/auth.module.ts:162
Current access token, if any. Returns null when logged out. The Transport already attaches this automatically; consumers calling other HTTP clients (axios, etc.) can use this to attach manually.
Returns
Promise<string | null>
getClaims()
getClaims(): DecodedAccessToken | null
Defined in: auth-client/src/core/modules/auth.module.ts:174
Decoded claims of the current access token. Null when logged out or token is malformed. Synchronous — reads the cached value.
Returns
DecodedAccessToken | null
getCurrentUser()
getCurrentUser(): { email: string; id: string; } | null
Defined in: auth-client/src/core/modules/auth.module.ts:180
Convenience: current user reconstructed from the decoded token. For a server-authoritative snapshot, call whoami().
Returns
{ email: string; id: string; } | null
getRegistrationPolicy()
getRegistrationPolicy(appCode?): Promise<RegistrationPolicy>
Defined in: auth-client/src/core/modules/auth.module.ts:92
Fetch the public registration policy for an app. Anonymous —
no token required. Useful for rendering the login / register UI
BEFORE the user submits: pre-filter SSO buttons against
allowed_auth_methods, show a domain hint from
allowed_email_domains. Server still enforces on the actual
register/login call. Migration 013.
If appCode is omitted, defaults to the AuthClient’s configured
appCode (set on construction). Throws if neither is set.
Parameters
appCode?: string
Returns
Promise<RegistrationPolicy>
isAuthenticated()
isAuthenticated(): boolean
Defined in: auth-client/src/core/modules/auth.module.ts:168
Are we currently authenticated? Synchronous; reflects cached state. In offline mode this is always false.
Returns
boolean
isImpersonating()
isImpersonating(): boolean
Defined in: auth-client/src/core/modules/auth.module.ts:186
True if the current session is an impersonation (AUDIT C7). UIs can use this to render an “Acting as X” banner.
Returns
boolean
login()
login(params): Promise<AuthResponse>
Defined in: auth-client/src/core/modules/auth.module.ts:27
Password login. On success, persists tokens + emits “authenticated”. On 2FA challenge, returns {requires_2fa: true} without throwing. On hard failure (bad password, locked account, etc.), throws.
Parameters
params
Returns
Promise<AuthResponse>
logout()
logout(): Promise<void>
Defined in: auth-client/src/core/modules/auth.module.ts:98
Logout the current session — revokes the refresh token server-side, clears local state, emits “logged_out”.
Returns
Promise<void>
logoutAll()
logoutAll(): Promise<void>
Defined in: auth-client/src/core/modules/auth.module.ts:105
Revoke every refresh token for the current user AND bump the server’s per-user token-version so any outstanding access token is immediately invalid cross-replica. AUDIT 1.10.
Returns
Promise<void>
refresh()
refresh(context?): Promise<TokenPair>
Defined in: auth-client/src/core/modules/auth.module.ts:123
Refresh the access token using the stored refresh token. Coalesced — concurrent calls share one in-flight request.
Optional context switches the issued token’s org and/or app
scope. The server honors either or both:
organizationId: re-scope to a different org the user belongs to. Membership is re-verified each refresh.
appCode: re-scope to a different consuming app.
For the common “switch org” case prefer switchOrg(orgId) —
it’s a thinner shorthand that also emits the org_switched
event so subscribers can react.
Parameters
context?
context.appCode?: string
context.organizationId?: string
Returns
Promise<TokenPair>
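The coalescing behaviour described for refresh(), sketched as an added example; this is not the SDK's own code. CoalescingRefresher, the TokenPair fields and the fake exchange are hypothetical, and queuing a differently scoped call behind the in-flight one (rather than sharing its result) is this example's choice, not documented SDK behaviour.

```typescript
// Illustrative shapes; the SDK's real TokenPair fields are not shown on this page.
type TokenPair = { accessToken: string; refreshToken: string };
type RefreshContext = { organizationId?: string; appCode?: string };
type Exchange = (ctx: RefreshContext) => Promise<TokenPair>;

class CoalescingRefresher {
  private exchange: Exchange;
  private current: { key: string; promise: Promise<TokenPair> } | null = null;

  constructor(exchange: Exchange) {
    this.exchange = exchange;
  }

  refresh(ctx: RefreshContext = {}): Promise<TokenPair> {
    const key = JSON.stringify([ctx.organizationId ?? null, ctx.appCode ?? null]);
    const running = this.current;
    // Same scope already being fetched: hand every caller the same promise.
    if (running && running.key === key) return running.promise;
    // Different scope: wait for the running request (whatever its outcome) so
    // the stored refresh token is never presented twice in parallel and a
    // caller never receives a token scoped to the wrong org or app.
    const promise = running
      ? running.promise.then(() => this.exchange(ctx), () => this.exchange(ctx))
      : this.exchange(ctx);
    const entry = { key, promise };
    this.current = entry;
    const clear = () => { if (this.current === entry) this.current = null; };
    promise.then(clear, clear); // release the slot on success or failure
    return promise;
  }
}

// Constructed demo: a fake exchange that counts how often the "server" is hit.
function demoCoalescing() {
  let calls = 0;
  const fake: Exchange = async (ctx) => {
    calls += 1;
    return { accessToken: `at-${ctx.organizationId ?? "default"}-${calls}`, refreshToken: "rt" };
  };
  const r = new CoalescingRefresher(fake);
  const a = r.refresh();
  const b = r.refresh();                            // concurrent, same scope
  const c = r.refresh({ organizationId: "org-2" }); // concurrent, other scope
  return { shared: a === b, separate: a !== c, callsSoFar: calls };
}
```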
register()
register(params): Promise<AuthResponse>
Defined in: auth-client/src/core/modules/auth.module.ts:35
Register a new user. The mode field on the server lets registration also act as login when the email is already known (see auth-server RegistrationMode); the SDK exposes this via the explicit register_or_login parameter.
Parameters
params
Returns
Promise<AuthResponse>
requestMagicLink()
requestMagicLink(appCode?): Promise<void>
Defined in: auth-client/src/core/modules/auth.module.ts:63
Request a magic-link email. Anonymous flow; server is silent on whether the email is registered.
appCode defaults to the AuthClient’s configured app code so the
resulting token-pair scopes correctly. Pass an explicit code to
override.
Parameters
string
appCode?: string
Returns
Promise<void>
startSso()
startSso(params): Promise<SsoStartResult>
Defined in: auth-client/src/core/modules/auth.module.ts:42
Begin an SSO sign-in. The SDK auto-generates a PKCE pair, persists the verifier (so a subsequent /sso/callback POST can redeem it), and returns the provider’s auth URL for the caller to navigate to.
Parameters
params
Returns
Promise<SsoStartResult>
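The PKCE pair that startSso() generates and that the completeSso() exchange later redeems, sketched as an added example; this is not the SDK's or the auth-server's code. It assumes the S256 method from RFC 7636, and newPkcePair, challengeFor and redeem are hypothetical names.

```typescript
import { createHash, randomBytes, timingSafeEqual } from "node:crypto";

// RFC 7636 S256: challenge = BASE64URL(SHA-256(ASCII(verifier))), no padding.
function challengeFor(verifier: string): string {
  return createHash("sha256").update(verifier, "ascii").digest("base64url");
}

// Client side (what a startSso-style call would do): 32 random bytes give a
// 43-character verifier, the minimum length RFC 7636 allows. The verifier is
// kept locally; only the challenge travels in the authorization request.
function newPkcePair(): { verifier: string; challenge: string } {
  const verifier = randomBytes(32).toString("base64url");
  return { verifier, challenge: challengeFor(verifier) };
}

// Server side (assumed redemption check): the challenge stored when the flow
// started must match the hash of the verifier presented at the callback.
function redeem(storedChallenge: string, presentedVerifier: string): boolean {
  // Reject anything outside the RFC 7636 verifier alphabet and length range.
  if (!/^[A-Za-z0-9._~-]{43,128}$/.test(presentedVerifier)) return false;
  const expected = Buffer.from(storedChallenge);
  const actual = Buffer.from(challengeFor(presentedVerifier));
  // timingSafeEqual throws on unequal lengths, so compare lengths first.
  return expected.length === actual.length && timingSafeEqual(expected, actual);
}
```

An authorization code intercepted on the redirect is useless without the verifier, which is why the verifier has to be persisted on the client between the two calls.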
switchOrg()
switchOrg(organizationId): Promise<TokenPair>
Defined in: auth-client/src/core/modules/auth.module.ts:142
Switch the active organization context. Refreshes the token
with the new organization_id, persists the new token-pair,
and emits org_switched (in addition to the usual
token_refreshed).
Requires the user to be a member of the target org; the server
403s otherwise and the call throws. Membership is verified
server-side on every switch, so a stale MyOrgRecord from
getMyOrgs() won’t sneak the caller into an org they were
removed from.
Pair with <OrgSwitcher> for a drop-in UI affordance, or call
directly from your own selector.
Parameters
organizationId: string
Returns
Promise<TokenPair>
verifyMagicLink()
verifyMagicLink(token): Promise<AuthResponse>
Defined in: auth-client/src/core/modules/auth.module.ts:77
Verify a magic-link token. On success, persists the returned
tokens AND emits the authenticated event — the AuthClient’s
snapshot transitions exactly as if the user had logged in via
password. Caller’s UI can subsequently navigate away.
Throws on any error shape; the typical failure is TokenInvalid (unknown / expired / consumed token — all collapsed for anti-enumeration).
Parameters
token: string
Returns
Promise<AuthResponse>
whoami()
whoami(): Promise<User>
Defined in: auth-client/src/core/modules/auth.module.ts:155
Hit /auth/me — the source of truth for the current user. Use this after a permission grant on the server side to refresh local state.
The server returns the identity fields flat at the top level
(user_id, email, first_name, roles, permissions, …), not
wrapped under a user key. Earlier versions of this method did
resp.body.user and got undefined — every consumer crashed on
.display_name or similar. We now reshape into a User-compatible
object so callers can rely on the typed return value.
Returns
Promise<User>