Class: AuthClient

Class: AuthClient

Defined in: auth-server-ts/src/auth-client.ts:63

Top-level façade for @vendidit/auth-server-ts.

Composes the ports (TokenValidator, HttpTransport, SessionStore, Clock, RevocationCache) into a small surface for app code. Mirrors PHP’s Vendidit\AuthServer\AuthClient in intent and method names.

Typical use:

const auth = new AuthClient({ authServerUrl: ‘https://new-auth.vendidit.com’, accessSecret: process.env.JWT_ACCESS_SECRET!, appCode: ‘my-app’, }); const principal = await auth.validateBearer(req.headers.authorization); const session = await auth.login({ email, password }); const me = await auth.me(); const flows = auth.flows();

Constructors

Constructor

new AuthClient(options, deps?): AuthClient

Defined in: auth-server-ts/src/auth-client.ts:74

Parameters

options

AuthClientOptions

deps?

AuthClientDependencies = {}

Returns

AuthClient

Properties

clock

readonly clock: Clock

Defined in: auth-server-ts/src/auth-client.ts:68

---

config

readonly config: ResolvedConfig

Defined in: auth-server-ts/src/auth-client.ts:64

---

logger

readonly logger: LoggerPort

Defined in: auth-server-ts/src/auth-client.ts:69

---

session

readonly session: SessionStore

Defined in: auth-server-ts/src/auth-client.ts:67

---

transport

readonly transport: HttpTransportContract

Defined in: auth-server-ts/src/auth-client.ts:65

---

validator

readonly validator: TokenValidatorContract

Defined in: auth-server-ts/src/auth-client.ts:66

Methods

authenticatedRequest()

authenticatedRequest<T>(method, path, body?, headers?): Promise<T>

Defined in: auth-server-ts/src/auth-client.ts:287

Authenticated request helper. Issues the call with the current access token; on 401 (expired / invalid), attempts ONE refresh + ONE retry. Returns the decoded body.

Type Parameters

T

T = Record<string, unknown>

Parameters

method

string

path

string

body?

Record<string, unknown> | null

headers?

Record<string, string> = {}

Returns

Promise<T>

---

currentPrincipal()

currentPrincipal(): AuthPrincipal | null

Defined in: auth-server-ts/src/auth-client.ts:142

Returns

AuthPrincipal | null

---

currentUser()

currentUser(): AuthenticatedUser | null

Defined in: auth-server-ts/src/auth-client.ts:343

Returns

AuthenticatedUser | null

---

flows()

flows(): Flows

Defined in: auth-server-ts/src/auth-client.ts:357

Returns

Flows

---

isAuthenticated()

isAuthenticated(): Promise<boolean>

Defined in: auth-server-ts/src/auth-client.ts:330

Returns

Promise<boolean>

---

login()

login(opts): Promise<AuthResponse>

Defined in: auth-server-ts/src/auth-client.ts:159

Password login. Returns the AuthResponse. When the server requires 2FA, requires_2fa is true and tokens is null — the caller prompts for the TOTP code and re-calls with twoFactorCode set.

Parameters

opts

appCode?

string

email

string

organizationId?

string

password

string

rememberMe?

boolean

twoFactorCode?

string

Returns

Promise<AuthResponse>

---

logout()

logout(): Promise<void>

Defined in: auth-server-ts/src/auth-client.ts:222

Logout the current session. Best-effort: clears the local SessionStore even if the server call fails — the access token reaches natural expiry regardless. Authenticated endpoint (auth-server AUDIT 1.23) so the access token is attached.

Returns

Promise<void>

---

logoutAll()

logoutAll(): Promise<void>

Defined in: auth-server-ts/src/auth-client.ts:249

Logout-all: revoke every refresh token + bump per-user token-version. After this call, every outstanding access token for the user is invalid cross-replica within ~one cache TTL.

Returns

Promise<void>

---

me()

me(accessToken?): Promise<Record<string, unknown>>

Defined in: auth-server-ts/src/auth-client.ts:263

GET /auth/me — current user payload (server-authoritative).

Parameters

accessToken?

string

Returns

Promise<Record<string, unknown>>

---

refresh()

refresh(refreshToken?, opts?): Promise<AuthResponse>

Defined in: auth-server-ts/src/auth-client.ts:198

Refresh access + refresh tokens. Returns the new AuthResponse. Optional context fields switch the active org / app without forcing a password re-login.

Parameters

refreshToken?

string

opts?

appCode?

string

organizationId?

string

Returns

Promise<AuthResponse>

---

register()

register(payload): Promise<AuthResponse>

Defined in: auth-server-ts/src/auth-client.ts:271

POST /auth/register — create a new user.

Parameters

payload

Record<string, unknown>

Returns

Promise<AuthResponse>

---

rememberTokens()

rememberTokens(tokens): void | Promise<void>

Defined in: auth-server-ts/src/auth-client.ts:349

Stash a token-pair into the SessionStore.

Parameters

tokens

TokenPair

Returns

void | Promise<void>

---

setCurrentPrincipal()

setCurrentPrincipal(p): void

Defined in: auth-server-ts/src/auth-client.ts:146

Parameters

p

AuthPrincipal | null

Returns

void

---

validateBearer()

validateBearer(headerValue): Promise<AuthPrincipal | null>

Defined in: auth-server-ts/src/auth-client.ts:132

Validate an Authorization: Bearer … header. Returns null when the header is absent / empty (lets the caller decide whether to 401).

Parameters

headerValue

string | null | undefined

Returns

Promise<AuthPrincipal | null>

---

validateToken()

validateToken(jwtToken): Promise<AuthPrincipal>

Defined in: auth-server-ts/src/auth-client.ts:122

Validate an access (or service) token locally. Returns a typed AuthPrincipal. Throws TokenExpiredException / TokenInvalidException / TokenRevokedException (all sub-classes of VenAuthException).

Parameters

jwtToken

string

Returns

Promise<AuthPrincipal>