tijs.org
commits
The sealToken() method is needed for mobile OAuth flows where the app opens
a WebView for authentication. After OAuth completes, the callback redirects
to the app's URL scheme with a sealed token.
This does NOT restore unsealToken(), validateBearerToken(), or
refreshBearerToken() as those are genuinely unused - mobile apps use
cookie-based auth for API calls.
Breaking change: Removes mobile-specific methods that were unused by the
iOS app (which uses cookie-based auth instead):
- sealToken()
- unsealToken()
- validateBearerToken()
- refreshBearerToken()
Also removes MobileTokenData type and INVALID_TOKEN error type.
- Logger: Changed from (log, warn, error) to (debug, info, warn, error)
- SessionData renamed to CookieSessionData to avoid collision with oauth-client-deno
- SessionManager class for cookie and Bearer token sessions
- Iron Session encryption for secure cookie storage
- Mobile token seal/unseal support
- Full test coverage
The sealToken() method is needed for mobile OAuth flows where the app opens
a WebView for authentication. After OAuth completes, the callback redirects
to the app's URL scheme with a sealed token.
This does NOT restore unsealToken(), validateBearerToken(), or
refreshBearerToken() as those are genuinely unused - mobile apps use
cookie-based auth for API calls.