Add additional parameter support #88

Merged
Fermionic-Lyu merged 3 commits into main from codex/oauth-additional-params on Jun 2, 2026
Conversation

Fermionic-Lyu (Member) commented Jun 2, 2026

Note

Add additionalParams support and provider-first signature to Auth.signInWithOAuth

  • Adds function overloading to signInWithOAuth in auth.ts: new preferred signature takes provider as the first argument and an options object { redirectTo, additionalParams, skipBrowserRedirect } as the second; the old object-wrapper signature is retained as deprecated.
  • Adds additionalParams to forward provider-specific OAuth hints in the init request; server-owned fields (redirect_uri, code_challenge) always override any colliding keys in additionalParams.
  • Adds runtime validation returning a 400 INVALID_INPUT error when options or redirectTo are missing.
  • Behavioral Change: redirectTo is now required for both signatures at runtime; callers omitting it will receive an error instead of proceeding silently.

Changes since #88 opened

  • Incremented version in package.json from 1.3.0 to 1.3.1 [4587eb8]

Macroscope summarized 595788a.

Summary by CodeRabbit

  • New Features

    • Added additionalParams option to support provider-specific OAuth configuration hints during sign-in requests, with built-in protection against overriding server-managed fields.
  • Documentation

    • Updated OAuth sign-in examples and SDK reference documentation with clarified method signatures and enhanced guidance on OAuth field management.
  • Chores

    • Package version bumped to 1.3.1 with dependency updates.

Summary by cubic

Adds a provider-first auth.signInWithOAuth(provider, options) with additionalParams for provider-specific OAuth hints. Enforces redirectTo, tightens runtime validation, and bumps @insforge/sdk to 1.3.1.

  • New Features

    • Merges additionalParams into the OAuth init request; blocks overrides to redirect_uri and code_challenge.
    • Returns a 400 INVALID_INPUT error when options are missing or redirectTo is not provided.
    • Bundles @insforge/shared-schemas for CJS and updates to ^1.1.55.
  • Migration

    • Replace signInWithOAuth({ provider, ... }) with signInWithOAuth("google", { redirectTo, ... }) (redirectTo is required).
    • Send provider-specific values via additionalParams; the legacy signature still works but is deprecated.

Written for commit 4587eb8. Summary will update on new commits.


coderabbitai (Bot) commented Jun 2, 2026

Caution: Review failed. The pull request is closed.

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 3ed6f0cf-ec8f-4b82-aa58-23c7211f29c7

📥 Commits

Reviewing files that changed from the base of the PR and between 3837e16 and 4587eb8.

⛔ Files ignored due to path filters (1)
  • package-lock.json is excluded by !**/package-lock.json
📒 Files selected for processing (1)
  • package.json

Walkthrough

The PR refactors Auth.signInWithOAuth from an object-based signature to accept the provider as the first positional argument, adds support for provider-specific additionalParams in OAuth requests, implements protections against override of protected OAuth fields, maintains backward compatibility with legacy syntax, and updates all integration tests, unit tests, and documentation accordingly. Package version and a dependency are bumped.

Changes

OAuth Sign-In API Refactoring

Layer: Type Definitions and Imports
File(s): src/modules/auth/auth.ts
Summary: Added OAuthInitRequest import and introduced OAuthSignInOptions and OAuthSignInLegacyOptions types to support both new (provider, options) and legacy ({ provider, ... }) call signatures.

Layer: Core OAuth Sign-In Implementation
File(s): src/modules/auth/auth.ts
Summary: Replaced single-object signInWithOAuth with overloads accepting (provider, options) or legacy object form; implementation normalizes inputs, validates redirectTo, generates/stores PKCE values, constructs OAuthInitRequest with redirect_uri and optional additionalParams while preventing overrides of protected fields, and conditionally performs browser redirect.

Layer: Unit Tests for OAuth Sign-In
File(s): src/modules/auth/__tests__/auth.test.ts
Summary: Comprehensive Vitest suite with mocked PKCE and Response helpers; covers new signature behavior, legacy object-shape compatibility, additionalParams inclusion in init requests, protection against overriding protected OAuth init fields, and negative-path validation that returns INVALID_INPUT without fetch calls when options are missing or redirectTo is invalid.

Layer: Integration Tests Update
File(s): integration-tests/auth.test.ts
Summary: Updated OAuth integration tests for built-in (google) and custom providers to call signInWithOAuth(provider, options) with redirectTo and skipBrowserRedirect inside the options object.

Layer: Documentation Updates
File(s): README.md, SDK-REFERENCE.md
Summary: Updated OAuth examples to use provider-first signature and document additionalParams for provider-specific hints; clarified that OAuth client fields (client_id, scope, redirect_uri, state) are server-managed and must not be provided via additionalParams.

Layer: Version and Dependency Bumps
File(s): package.json
Summary: Package version incremented from 1.3.0 to 1.3.1; @insforge/shared-schemas dependency updated from ^1.1.53 to ^1.1.55.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Possibly related PRs

  • InsForge/InsForge-sdk-js#69: Modifies the OAuth initialization request in signInWithOAuth to add skipAuthRefresh: true, touching the same core OAuth flow as this refactor.
  • InsForge/InsForge-sdk-js#70: Updates package.json version and dependency fields alongside this PR's version and dependency bumps.

Suggested reviewers

  • jwfing

Poem

🐰 A rabbit's tale of OAuth redesign,
From object nests to args that align—
Provider first, then options so fine,
Protected fields that stay in line,
Legacy calls still work divine! 🔐✨

🚥 Pre-merge checks: ✅ 3 passed | ❌ 2 failed

❌ Failed checks (1 warning, 1 inconclusive)

Docstring Coverage (⚠️ Warning): Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%. Resolution: Write docstrings for the functions missing them to satisfy the coverage threshold.
Title check (❓ Inconclusive): The title "Add additional parameter support" is vague and does not clearly convey the main change. While it references the new additionalParams feature, it omits the primary refactoring: the new provider-first signature for signInWithOAuth. Resolution: Consider a more specific title that highlights the provider-first signature refactoring, such as "Refactor signInWithOAuth to accept provider as first argument and add additionalParams support."

✅ Passed checks (3 passed)

Linked Issues check (✅ Passed): Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check (✅ Passed): Check skipped because no linked issues were found for this pull request.
Description Check (✅ Passed): Check skipped because CodeRabbit's high-level summary is enabled.


jwfing (Member) left a comment

Review — Add additional parameter support

Summary: Adds a new positional signInWithOAuth(provider, options) signature with provider-specific additionalParams, keeps the old object-form as a deprecated overload, and bumps @insforge/shared-schemas to pick up the OAuthInitRequest string-catchall that makes the passthrough params type-safe.

Requirements context

No matching spec/plan found under /docs/superpowers/ (the only documents there cover functions-in-process-dispatch, unrelated to OAuth). Assessed against the PR title/body and the existing code. PR body is empty — a one-line description of intent/backcompat would help future readers.

Verification performed in a clean checkout of the head commit: npx tsc --noEmit passes, and the new src/modules/auth/__tests__/auth.test.ts (3 tests) passes.

Findings

Critical

(none)

The most security-relevant aspect — whether caller-supplied additionalParams can override the PKCE code_challenge or redirect_uri — is handled correctly. In src/modules/auth/auth.ts:285-289 the spread is placed first so the explicit redirect_uri/code_challenge always win, and additionalParams values are appended via URLSearchParams (src/lib/http-client.ts:180-182), so they are URL-encoded and cannot inject extra parameters. This is directly covered by the "does not let additionalParams override OAuth init fields" test — good defensive test.

Suggestion

  • Functionality — redirectTo is now required; behavior change for callers that omitted it. src/modules/auth/auth.ts:285-289 always sets redirect_uri: signInOptions.redirectTo, whereas the previous code only set it when truthy (if (redirectTo) params.redirect_uri = redirectTo). The new OAuthSignInOptions.redirectTo (auth.ts:50) is a required string, so TS callers are protected, but a plain-JS caller using the deprecated form and omitting redirectTo would now send the literal redirect_uri=undefined (buildUrl appends the raw value). Since the server schema requires redirect_uri this is likely acceptable, but consider guarding (if (signInOptions.redirectTo)) to preserve the old behavior, or call out the breaking change explicitly.
  • Software engineering — no test for the missing-options error branch. The runtime branch at auth.ts:267-275 returns a structured INVALID_INPUT error when called with a bare provider and no options. The overload signature makes this unreachable for TS users, but it's reachable from JS and currently untested. A small test would lock in that contract.

Information

  • Functionality — null handling in overload dispatch. auth.ts:263 uses typeof providerOrOptions === 'object', so an accidental signInWithOAuth(null) is treated as legacy options, then const { provider } = signInOptions throws and is caught as a generic 500 UNEXPECTED_ERROR rather than the cleaner 400 INVALID_INPUT. Edge case only; fine to leave.
  • Documentation — reserved params. The README/SDK-REFERENCE describe additionalParams as "provider-specific OAuth params" but don't note that redirect_uri and code_challenge are reserved and cannot be overridden. A one-line note would set expectations.
  • Dependency bump. @insforge/shared-schemas ^1.1.53 → ^1.1.55 (first-party, caret range consistent with repo convention) is what introduces the z.string() catchall on oAuthInitRequestSchema, enabling the typed passthrough. Confirmed against the published 1.1.55 type definitions. Looks correct and intentional.

Performance

No performance-relevant changes — same single GET to the OAuth init endpoint; the only addition is a shallow object spread per call.

Verdict

approved (informational; no blocking issues). Clean, well-tested change with good backward compatibility via the deprecated overload. The suggestions above are non-blocking. The human approver still gives the explicit GitHub approval.
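Added example in TypeScript, not the SDK's own code, illustrating the points raised in the review above and in the PR description: the spread order that keeps redirect_uri and code_challenge out of reach of additionalParams, argument normalisation for both call signatures including the null edge case, and the URLSearchParams encoding that stops a value from smuggling in a second parameter. The names normalizeArgs, buildInitRequest, buildInitRequestUnsafe, toQuery and the sample input are assumptions made for this example.

```typescript
// Added example, not the SDK's own code: the merge order that keeps server-owned
// OAuth init fields out of reach of additionalParams, argument normalisation for
// both call signatures (including null), and the query-encoding step.
type OAuthSignInOptions = { redirectTo: string; additionalParams?: Record<string, string> };
type LegacyOptions = OAuthSignInOptions & { provider: string };
type SdkError = { statusCode: number; error: string; message: string };

const INVALID_INPUT: SdkError = {
  statusCode: 400, error: "INVALID_INPUT", message: "provider and redirectTo are required",
};

// Accepts (provider, options) or the deprecated ({ provider, ...options }) form.
// null is rejected up front: typeof null === "object" would otherwise send it down
// the legacy branch and surface later as a generic error instead of a 400.
function normalizeArgs(
  providerOrOptions: string | LegacyOptions | null | undefined,
  options?: OAuthSignInOptions,
): { provider: string; options: OAuthSignInOptions } | SdkError {
  if (providerOrOptions === null || providerOrOptions === undefined) return INVALID_INPUT;
  if (typeof providerOrOptions === "object") {
    const { provider, ...rest } = providerOrOptions;
    return provider && rest.redirectTo ? { provider, options: rest } : INVALID_INPUT;
  }
  return options && options.redirectTo ? { provider: providerOrOptions, options } : INVALID_INPUT;
}

// Safe order: spread caller params first, then set the protected fields, so
// redirect_uri and code_challenge always win on a key collision.
function buildInitRequest(opts: OAuthSignInOptions, codeChallenge: string): Record<string, string> {
  return { ...(opts.additionalParams ?? {}), redirect_uri: opts.redirectTo, code_challenge: codeChallenge };
}

// Reversed order, kept only for comparison: here additionalParams clobbers redirect_uri.
function buildInitRequestUnsafe(opts: OAuthSignInOptions, codeChallenge: string): Record<string, string> {
  return { redirect_uri: opts.redirectTo, code_challenge: codeChallenge, ...(opts.additionalParams ?? {}) };
}

// URLSearchParams percent-encodes every value, so "&" or "=" inside a value
// cannot introduce a second parameter into the init request.
function toQuery(req: Record<string, string>): string {
  return new URLSearchParams(req).toString();
}

// Constructed sample input: a caller tries to set redirect_uri through additionalParams.
const sampleOptions: OAuthSignInOptions = {
  redirectTo: "https://app.example/callback",
  additionalParams: { prompt: "consent", redirect_uri: "https://other.example/x&code_challenge=zzz" },
};
```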

coderabbitai (Bot) left a comment

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate.

Inline comments:

In `@src/modules/auth/__tests__/auth.test.ts`:

- Around line 6-20: The createJsonResponse helper currently sets clone: () => response which returns an inner object lacking its own clone, causing failures on repeated cloning; update createJsonResponse so the returned Response object is self-referential (the clone() implementation returns the outer object itself that includes clone/text/json/headers), i.e., ensure the object returned by createJsonResponse (not the inner `response` variable) is what clone() returns; verify the returned object exposes json(), text(), headers, status, ok, and clone() consistently.
- Around line 22-66: The test fails because signInWithOAuth() calls the PKCE helpers generateCodeVerifier() and generateCodeChallenge() (in src/modules/auth/helpers.ts called from src/modules/auth/auth.ts) which rely on Web Crypto globals (crypto.getRandomValues, crypto.subtle.digest), TextEncoder and btoa; CI may not provide these so the helpers throw and set a non-null error. Fix the test by stubbing or polyfilling the PKCE dependency before constructing Auth: either (A) mock/spy on generateCodeVerifier and generateCodeChallenge to return deterministic values, or (B) set global test shims for crypto.getRandomValues, crypto.subtle.digest, TextEncoder and btoa so the real helpers succeed; ensure the stubs are applied prior to new Auth(...) / auth.signInWithOAuth() calls so the HTTP mock receives the generated PKCE params.

📥 Commits

Reviewing files that changed from the base of the PR and between 178b871 and 9f36b5f.

⛔ Files ignored due to path filters (1)
  • package-lock.json is excluded by !**/package-lock.json
📒 Files selected for processing (6)
  • README.md
  • SDK-REFERENCE.md
  • integration-tests/auth.test.ts
  • package.json
  • src/modules/auth/__tests__/auth.test.ts
  • src/modules/auth/auth.ts


cubic-dev-ai (Bot) left a comment

1 issue found across 7 files


Fermionic-Lyu force-pushed the codex/oauth-additional-params branch from 3837e16 to 595788a on June 2, 2026 17:56
Fermionic-Lyu enabled auto-merge on June 2, 2026 18:00
jwfing (Member) left a comment

LGTM - approved.

Fermionic-Lyu merged commit 1ae5f40 into main on Jun 2, 2026 (7 of 8 checks passed)
Fermionic-Lyu deleted the codex/oauth-additional-params branch on June 2, 2026 18:00
cubic-dev-ai (Bot) left a comment

1 issue found across 2 files (changes from recent commits).

Prompt for AI agents (unresolved issues)

Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.


<file name="package.json">

<violation number="1" location="package.json:3">
P2: Version bumped as patch (1.3.1) but PR introduces new features — should be a minor bump (1.4.0) per semver and repository conventions</violation>
</file>


Comment thread package.json
{
"name": "@insforge/sdk",
"version": "1.3.0",
"version": "1.3.1",

P2: Version bumped as patch (1.3.1) but PR introduces new features — should be a minor bump (1.4.0) per semver and repository conventions

Prompt for AI agents
Check if this issue is valid — if so, understand the root cause and fix it. At package.json, line 3:

<comment>Version bumped as patch (1.3.1) but PR introduces new features — should be a minor bump (1.4.0) per semver and repository conventions</comment>

<file context>
@@ -1,6 +1,6 @@
 {
   "name": "@insforge/sdk",
-  "version": "1.3.0",
+  "version": "1.3.1",
   "description": "Official JavaScript/TypeScript client for InsForge Backend-as-a-Service platform",
   "main": "./dist/index.js",
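Review bot: The only change in this hunk is the version string, and a patch-level bump from 1.3.0 to 1.3.1 understates what the PR body itself describes: a new signInWithOAuth(provider, options) signature, a new additionalParams option, and an explicitly labelled behavioral change (redirectTo is now required at runtime, so callers that omitted it now get an error). Under semver, added features call for at least a minor bump, and a change that turns a previously silent path into an error for existing JavaScript callers is worth weighing as breaking before settling on the number. Suggest `"version": "1.4.0",` at minimum, and a short CHANGELOG or release-note line naming the redirectTo requirement so consumers are not surprised on upgrade.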
</file context>
Suggested change
"version": "1.3.1",
"version": "1.4.0",
