Refresh token impl

[infomiho]

Closes #2124

What was done

• Moved init of OAuth clients (google, github, discord and keycloak) to the SDK so users can also import them and use them
  • These clients are needed to refresh auth tokens
• Move some of the OAuth helpers to SDK - because they are only used in the SDK or could be useful for users
  • The env helpers are only used in the SDK
  • The redirect and one-time token helpers can be useful if users implement some OAuth client themselves
• Updated the OAuth tokens that we provide in auth hooks: we now provide all the data we get and not just the access token
  • We forward the data we receive so users will get the refresh token if we receive it

Left to do

• Update docs
• Fix provider name types

[sodic]

Nice work, just took a look at the docs for now to familiarize myself with the feature.

I'm now going for the code.

[sodic]

Nice work!

Left some suggestions, don't think I found anything major.

Please remember to change the public API table if you're changing the new API 😬

[sodic]

Should be public though, right? According to the "public types" rule from Effective TypeScript.

[infomiho]

Didn't we want to hide parts in the top level exports so the users don't get autocomplete suggestions that are not really used by them? Based on that I put "private API" since ideally, users wouldn't need to see this when using the SDK.

[sodic]

Oh, you're refering to what we did with OnBeforeSignupHookParams and friends?

Ok, if you think this is one of those cases, we can keep it private, just add a note like we did there.

FWIW, I'm not sure this is one of thouse cases though.

The fact that we export many symbols isn't a problem by iteself - users will type up what they need and choose a quick action to import it. It only becomes a problem when the IDE suggests a niche export before a common one.

In the hooks params case, the parameter types had the same prefix as the function types. Since people are likely to use function types and unlikely to use params types, we decided to keep the params private to avoid these frustrating autocomplete/autoimport errors. But I don't think that's the case here.

[infomiho]

This should be a public API since the users can access it anyways through other types, yes? I'll make it public then 👍 It doesn't make sense to hide it and your other arguments make sense as well.

[sodic]

Any chance of avoiding a singleton module here?

[infomiho]

We need the one time tokens to allow the client to exchange one time codes for session IDs. If the server and client were on the same domain, it would be possible. This is not the case right now, so we need this kind of a singleton that keeps track of the tokens. This is not introduced in this PR btw. so I wouldn't change it in this PR irregardless.

At some point in the future, we'll need to figure out the cookies story so we can avoid this.

[sodic]

We need the one time tokens to allow the client to exchange one time codes for session IDs. If the server and client were on the same domain, it would be possible.

Oh, I understand we need the single instance that keeps the tokens. What I meant was "Can we not use a singleton pattern for it?"

This is not introduced in this PR btw. so I wouldn't change it in this PR irregardless.

It's perfectly fine not to do it now. FYI, here are two good posts I have bookmarked that will help us avoid singletons in the future (although I admit I sometimes break this rule myself):

• https://softwareengineering.stackexchange.com/questions/40373/so-singletons-are-bad-then-what
• https://stackoverflow.com/questions/1300655/whats-alternative-to-singleton

Good thing we're not testing anything so the singletons aren't causing any problems 🥲

Feel free to resolve.

[infomiho]

It's not a singleton in a sense that there can only exist only one instance of the object. It's true that we create a single instance that we have to use in both places where it's needed. In the case of unit tests, we could make the token store a param of the which ever fn we wanted to unit test.

[sodic]

Ok, resolved most of the stuff.

I left several more comments with suggestions I'd like, but it can definitely go out as is!

[sodic]

Oh, you're refering to what we did with OnBeforeSignupHookParams and friends?

Ok, if you think this is one of those cases, we can keep it private, just add a note like we did there.

FWIW, I'm not sure this is one of thouse cases though.

The fact that we export many symbols isn't a problem by iteself - users will type up what they need and choose a quick action to import it. It only becomes a problem when the IDE suggests a niche export before a common one.

In the hooks params case, the parameter types had the same prefix as the function types. Since people are likely to use function types and unlikely to use params types, we decided to keep the params private to avoid these frustrating autocomplete/autoimport errors. But I don't think that's the case here.

[sodic]

#1851 (comment)

[sodic]

We need the one time tokens to allow the client to exchange one time codes for session IDs. If the server and client were on the same domain, it would be possible.

Oh, I understand we need the single instance that keeps the tokens. What I meant was "Can we not use a singleton pattern for it?"

This is not introduced in this PR btw. so I wouldn't change it in this PR irregardless.

It's perfectly fine not to do it now. FYI, here are two good posts I have bookmarked that will help us avoid singletons in the future (although I admit I sometimes break this rule myself):

• https://softwareengineering.stackexchange.com/questions/40373/so-singletons-are-bad-then-what
• https://stackoverflow.com/questions/1300655/whats-alternative-to-singleton

Good thing we're not testing anything so the singletons aren't causing any problems 🥲

Feel free to resolve.

[sodic]

Missing empty lines in some of these files.

Working without the linter on these templates really is a pain. It's all trivial stuff, but very annoying (for example, once you notice how inconsistent we are with the semicolons, you can't unsee it).

[sodic]

Another great change with scoping the providers flags under enabledProviders