DanielRivers

Explain your changes

Removing redundant dependencies and cleaning up some bits.


coderabbitai bot commented Sep 1, 2025

Walkthrough

Updates CHANGELOG.md for v2.13.1/2.13.0, simplifies ESLint config, converts two client option interfaces to type aliases, adds error logging and state passthrough in OAuth2 flows, enhances token util error messages, converts sdk-version.js to ESM, adds ts-nocheck to a template, and tightens a test type assertion.

Changes

| Cohort / File(s) | Summary of changes |
| --- | --- |
| Documentation: `CHANGELOG.md` | Reorganized headers to 2.13.1 with a nested 2.13.0 section; documented dependency updates and two features; no code changes. |
| Linting config: `eslint.config.mjs` | Replaced granular per-file ESLint setup with recommended presets; added globalIgnores; set browser globals; removed Prettier config. |
| Client option types: `lib/sdk/clients/types.ts` | Converted PKCEClientOptions and CCClientOptions from empty interfaces extending other types to direct type aliases. |
| OAuth2 flows: `lib/sdk/oauth2-flows/AuthCodeAbstract.ts`, `lib/sdk/oauth2-flows/ClientCredentials.ts` | Added console.error logging in isAuthenticated catch blocks; ensured auth URL includes state by passing through authUrlParams.state. |
| Token utilities: `lib/sdk/utilities/token-utils.ts` | Improved error messages: include caught error message in commit failures; log error on isTokenExpired exceptions and continue returning true. |
| Build/tooling: `sdk-version.js` | Migrated from CommonJS to ES modules; imported package.json as JSON; updated __dirname derivation; preserved version replacement logic. |
| Templates: `templates/index.mustache` | Added // @ts-nocheck to generated index template. |
| Tests setup: `vitest.setup.ts` | Tightened typing by assigning global.crypto as Crypto instead of any. |

Sequence Diagram(s)

```mermaid
sequenceDiagram
  autonumber
  actor Dev as Consumer Code
  participant AC as AuthCodeAbstract
  participant URL as Authorization Server

  Note over Dev,AC: Generate authorization URL (state passthrough)
  Dev->>AC: generateAuthURLParams(options with authUrlParams.state?)
  AC->>AC: build searchParams incl. state if provided
  AC-->>Dev: URLSearchParams

  Note over Dev,AC: Authentication check with error logging
  Dev->>AC: isAuthenticated()
  AC->>AC: validate tokens/session
  alt validation fails (throws)
    AC->>AC: console.error(error.message)
    AC-->>Dev: false
  else valid
    AC-->>Dev: true
  end
```

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Suggested reviewers

  • coel
@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 6

🧹 Nitpick comments (7)
templates/index.mustache (1)

3-3: Avoid blanket TypeScript suppression on generated index

// @ts-nocheck hides real typing issues and can mask regressions. Prefer narrowing (e.g., exclude generated file from type-checking in tsconfig) or add a clear “generated” header to reduce confusion.

Suggested tweak to make intent explicit:

+// This file is generated. Do not edit.
 // @ts-nocheck
vitest.setup.ts (1)

7-7: Use globalThis for portability and safer mutation

Prefer globalThis over global to match the web platform and avoid Node-only globals. Define the property to avoid type/readonly issues.

-  global.crypto = webcrypto as Crypto;
+  // Prefer globalThis to align with the web platform
+  Object.defineProperty(globalThis as any, 'crypto', {
+    value: webcrypto as Crypto,
+    configurable: true,
+    writable: true,
+  });
lib/sdk/oauth2-flows/AuthCodeAbstract.ts (1)

171-173: Sanitize error logging to avoid leaking sensitive details

Catching and logging .message can inadvertently expose secrets if upstream errors include tokens. Log a generic message or a safe error code instead.

-      console.error(`Error checking if authenticated: ${(error as Error).message}`);
+      console.error('Error checking if authenticated.');

Please confirm upstream errors never embed raw tokens in messages after the token-utils fix below.

lib/sdk/oauth2-flows/ClientCredentials.ts (1)

108-110: Mirror sanitized logging here as well

Same concern as in AuthCodeAbstract: prefer not to log raw error messages.

-      console.error(`Error checking if authenticated: ${(error as Error).message}`);
+      console.error('Error checking if authenticated.');
lib/sdk/utilities/token-utils.ts (1)

186-188: Consider gating noisy error logs in hot path

isTokenExpired may run frequently; unconditional console.error can flood logs. Gate behind a debug flag or use a configurable logger.

sdk-version.js (1)

19-20: Replace all occurrences, not just the first

String.replace only updates the first match. Use replaceAll so clean/build toggles are idempotent even if the placeholder appears more than once.

-  const updatedContent = fileContent.replace(searchValue, replaceValue);
+  const updatedContent = fileContent.replaceAll(searchValue, replaceValue);
eslint.config.mjs (1)

9-10: Consider type-aware rules if desired

The current setup uses tseslint.configs.recommended (no type-checking). If you want type-aware linting, switch to recommendedTypeChecked and provide project tsconfig.

-  ...tseslint.configs.recommended,
+  ...tseslint.configs.recommendedTypeChecked,
+  {
+    languageOptions: {
+      parserOptions: { project: ['./tsconfig.json'] },
+    },
+  },
📜 Review details

📥 Commits

Reviewing files that changed from the base of the PR and between c39f1ef and b643245.

⛔ Files ignored due to path filters (3)
  • package.json is excluded by !**/*.json
  • pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml, !**/*.yaml
  • tsconfig.json is excluded by !**/*.json
📒 Files selected for processing (9)
  • CHANGELOG.md (2 hunks)
  • eslint.config.mjs (1 hunks)
  • lib/sdk/clients/types.ts (1 hunks)
  • lib/sdk/oauth2-flows/AuthCodeAbstract.ts (1 hunks)
  • lib/sdk/oauth2-flows/ClientCredentials.ts (1 hunks)
  • lib/sdk/utilities/token-utils.ts (2 hunks)
  • sdk-version.js (1 hunks)
  • templates/index.mustache (1 hunks)
  • vitest.setup.ts (1 hunks)
🧰 Additional context used
🧬 Code graph analysis (2)
lib/sdk/utilities/token-utils.ts (1)
lib/sdk/exceptions.ts (1)
  • KindeSDKError (6-15)
lib/sdk/clients/types.ts (1)
lib/sdk/oauth2-flows/types.ts (2)
  • AuthorizationCodeOptions (44-48)
  • ClientCredentialsOptions (50-54)
🪛 GitHub Actions: Build and test TypeScript SDK CI
eslint.config.mjs

[error] 1-1: ESLint failed: Cannot find package 'globals' imported from eslint.config.mjs. Did you mean to import [email protected]/node_modules/globals/index.js?

🔇 Additional comments (1)
sdk-version.js (1)

1-1: Verify Node version compatibility before changing JSON import
I couldn’t locate any CI workflow configs or an “engines.node” setting to confirm which Node versions you support, so please verify your build environment’s Node versions before replacing

import packageJson from './package.json' with { type: 'json' };

with either the assert { type: 'json' } import or the fs-based JSON load.

Generated by [`auto-changelog`](https://github.com/CookPete/auto-changelog).

#### [2.13.0](https://github.com/kinde-oss/kinde-typescript-sdk/compare/4.6.2...2.13.0)
#### [2.13.1](https://github.com/kinde-oss/kinde-typescript-sdk/compare/4.6.2...2.13.1)
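Review bot: the 2.13.0 header on the first line has the same defect as the 2.13.1 header below it: its range `4.6.2...2.13.0` uses a later 4.x tag as the base instead of the preceding release, while another section of this same file links the same version as `https://github.com/kinde-oss/kinde-typescript-sdk/compare/v2.12.0...v2.13.0`. Both headers also omit the `v` tag prefix that the other links in the file use, and they sit at `####` while the `4.6.2` release header further down is `###`. Suggest `#### [v2.13.0](https://github.com/kinde-oss/kinde-typescript-sdk/compare/v2.12.0...v2.13.0)` and `#### [v2.13.1](https://github.com/kinde-oss/kinde-typescript-sdk/compare/v2.13.0...v2.13.1)`, with the heading level matched to the rest of the file.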
⚠️ Potential issue

Incorrect compare link in 2.13.1 header

"compare/4.6.2...2.13.1" appears wrong; likely should compare v2.13.0...v2.13.1.

-#### [2.13.1](https://github.com/kinde-oss/kinde-typescript-sdk/compare/4.6.2...2.13.1)
+#### [v2.13.1](https://github.com/kinde-oss/kinde-typescript-sdk/compare/v2.13.0...v2.13.1)
🤖 Prompt for AI Agents
CHANGELOG.md around lines 7 to 7: the release header for 2.13.1 contains an
incorrect GitHub compare link "compare/4.6.2...2.13.1"; update the URL to
compare the previous tag to this tag (e.g., "compare/v2.13.0...v2.13.1" or the
repo's tag naming convention) so the link correctly shows changes between the
prior release and 2.13.1.

Comment on lines +51 to +83
### [4.6.2](https://github.com/kinde-oss/kinde-typescript-sdk/compare/v2.13.0...4.6.2)

> 24 January 2024
#### [v2.13.0](https://github.com/kinde-oss/kinde-typescript-sdk/compare/v2.12.0...v2.13.0)

> 31 August 2025
- chore(deps): update dependency @typescript-eslint/eslint-plugin to v8 [`#99`](https://github.com/kinde-oss/kinde-typescript-sdk/pull/99)
- chore(deps): update dependency prettier to v3.6.2 [`#94`](https://github.com/kinde-oss/kinde-typescript-sdk/pull/94)
- chore(deps): update dependency lint-staged to v16 [`#102`](https://github.com/kinde-oss/kinde-typescript-sdk/pull/102)
- chore(deps): update dependency husky to v9 [`#100`](https://github.com/kinde-oss/kinde-typescript-sdk/pull/100)
- chore(deps): update dependency @tsconfig/node18 to v18 [`#97`](https://github.com/kinde-oss/kinde-typescript-sdk/pull/97)
- chore(deps): update actions/setup-node action to v4 [`#96`](https://github.com/kinde-oss/kinde-typescript-sdk/pull/96)
- chore(deps): update actions/checkout action to v5 [`#95`](https://github.com/kinde-oss/kinde-typescript-sdk/pull/95)
- chore(deps): update dependency @types/node to v22 [`#98`](https://github.com/kinde-oss/kinde-typescript-sdk/pull/98)
- chore(deps): update dependency jose to v6.1.0 [`#93`](https://github.com/kinde-oss/kinde-typescript-sdk/pull/93)
- chore(deps): update dependency eslint-plugin-prettier to v5.5.4 [`#92`](https://github.com/kinde-oss/kinde-typescript-sdk/pull/92)
- chore(deps): update dependency eslint-plugin-n to v17.21.3 [`#91`](https://github.com/kinde-oss/kinde-typescript-sdk/pull/91)
- chore(deps): update dependency eslint-plugin-import to v2.32.0 [`#90`](https://github.com/kinde-oss/kinde-typescript-sdk/pull/90)
- chore(deps): update dependency eslint to v9.34.0 [`#89`](https://github.com/kinde-oss/kinde-typescript-sdk/pull/89)
- chore(deps): update dependency @types/node to v20.19.11 [`#88`](https://github.com/kinde-oss/kinde-typescript-sdk/pull/88)
- fix(deps): update dependency @kinde/js-utils to v0.23.0 [`#86`](https://github.com/kinde-oss/kinde-typescript-sdk/pull/86)
- fix(deps): update dependency @typescript-eslint/parser to v8.41.0 [`#87`](https://github.com/kinde-oss/kinde-typescript-sdk/pull/87)
- chore(deps): update dependency typescript to v5.9.2 [`#85`](https://github.com/kinde-oss/kinde-typescript-sdk/pull/85)
- chore(deps): update dependency @openapitools/openapi-generator-cli to v2.23.1 [`#83`](https://github.com/kinde-oss/kinde-typescript-sdk/pull/83)
- chore(deps): update dependency eslint-config-prettier to v10.1.8 [`#82`](https://github.com/kinde-oss/kinde-typescript-sdk/pull/82)
- [Snyk] Upgrade @kinde/js-utils from 0.19.0 to 0.20.1 [`#78`](https://github.com/kinde-oss/kinde-typescript-sdk/pull/78)
- chore: Configure Renovate [`#81`](https://github.com/kinde-oss/kinde-typescript-sdk/pull/81)
- chore: release v2.13.0 [`557836b`](https://github.com/kinde-oss/kinde-typescript-sdk/commit/557836bfa077bed72569babc052f5e73e6356263)
- Merge pull request #80 from kinde-oss/feat/session-persistence [`057e5c0`](https://github.com/kinde-oss/kinde-typescript-sdk/commit/057e5c0857f104f4f4f9c5f0a5f48deea0af0dce)
- feat: set sessionManager persistent property depending on accessToken flag [`7fe1a6c`](https://github.com/kinde-oss/kinde-typescript-sdk/commit/7fe1a6c61053d804ec1e688602880ec29ce730cb)
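Review bot: the `### [4.6.2]` header's compare range `v2.13.0...4.6.2` takes a tag dated 31 August 2025 as the base for a release dated 24 January 2024, so the link cannot show the changes that went into 4.6.2, and the `#### [v2.13.0]` block that follows the 2024 date line is a top-level release that belongs above 4.6.2. Since the file header says it is generated by auto-changelog, regenerate this region from tags in date order (v2.13.1, v2.13.0, then the 4.x releases, each compared against its own predecessor) rather than hand-editing the nested block out.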

💡 Verification agent

🧩 Analysis chain

Misordered/duplicated sections: v2.13.0 nested under 4.6.2

The "4.6.2" section precedes and embeds "v2.13.0" dated 31 August 2025, which is chronologically inconsistent and confusing.

Proposed cleanup (outline):

  • Keep v2.13.1 at top.
  • Follow with v2.13.0 (31 August 2025).
  • Move 4.6.2 back to its correct 2024 position.
  • Use consistent "v" prefix for tags.

If using auto-changelog, regenerate:


🏁 Script executed:

#!/bin/bash
npx auto-changelog -p -u --tag-prefix v

Length of output: 510


🏁 Script executed:

#!/bin/bash
echo "Searching for package.json..."
fd -t f package.json || echo "package.json not found"
echo "Searching for CHANGELOG.md..."
fd -t f CHANGELOG.md || echo "CHANGELOG.md not found"

Length of output: 196


🏁 Script executed:

sed -n '40,100p' CHANGELOG.md

Length of output: 5715


Reorder and dedupe CHANGELOG.md sections

  • Remove the nested #### [v2.13.0] under ### [4.6.2] (it’s already listed at the top).
  • Move ### [4.6.2] (24 January 2024) below the v2.12.0 block to restore chronological order.
  • Prefix all release headers consistently with v (e.g., ### [v4.6.2]).
  • Note: there’s no root package.json, so npx auto-changelog will fail—either add package.json or apply these edits manually.
🤖 Prompt for AI Agents
In CHANGELOG.md around lines 51-83, the v2.13.0 block is incorrectly nested
under the 4.6.2 entry and header formats/ordering are inconsistent; remove the
nested "#### [v2.13.0]" block from under "### [4.6.2]" (it already exists at the
top), move the entire "### [4.6.2] (24 January 2024)" section so it appears
chronologically below the v2.12.0 block, and update all release headers to
consistently use the "v" prefix (e.g., change "### [4.6.2]" to "### [v4.6.2]");
apply these edits directly in the file (manual change) since there is no root
package.json for auto-changelog.

Comment on lines +1 to +3
import globals from 'globals';
import pluginJs from '@eslint/js';
import tseslint from 'typescript-eslint';
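Review bot: `globals` is imported on line 1, but the CI log attached to this review reports `Cannot find package 'globals' imported from eslint.config.mjs`, and `package.json` and `pnpm-lock.yaml` are excluded from the review by path filters, so the dependency cannot be confirmed from the diff. Add `globals` to devDependencies and the lockfile in this PR (or replace the import with an inline globals object) so the lint job passes before merge.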
💡 Verification agent

🧩 Analysis chain

CI failing: missing 'globals' dependency; add it or avoid the import

Build pipeline error: "Cannot find package 'globals'". Add it to devDependencies (preferred) or drop the dependency and inline minimal globals.

Option A (add dependency):

--- a/package.json
+++ b/package.json
@@
   "devDependencies": {
+    "globals": "^15.0.0"
   }
 }

Option B (avoid dependency; inline minimal globals):

-import globals from 'globals';
+const browserGlobals = { window: 'readonly', document: 'readonly', navigator: 'readonly' };
@@
-export default defineConfig([
-  { languageOptions: { globals: globals.browser } },
+export default defineConfig([
+  { languageOptions: { globals: browserGlobals } },

Additionally, to fix Node globals for scripts (and remove no-undef comments), scope Node globals:

+  { files: ['sdk-version.js', 'scripts/**'], languageOptions: { globals: { process: 'readonly', __dirname: 'readonly', module: 'readonly', require: 'readonly' } } },

After applying, re-run ESLint locally/CI.

Also applies to: 7-11


🏁 Script executed:

#!/bin/bash
node -v
npm ls globals || echo "globals not installed"
npx eslint . -v

Length of output: 232


Add missing ‘globals’ package (or inline minimal globals) to fix ESLint CI
CI is failing: 'globals' is not installed (npm ls globals reports “globals not installed”).
Option A: add to devDependencies (preferred)

--- a/package.json
+++ b/package.json
@@ -...devDependencies
   "devDependencies": {
+    "globals": "^15.0.0"
   }

Option B: inline minimal browser globals in eslint.config.mjs

-import globals from 'globals';
+const browserGlobals = { window: 'readonly', document: 'readonly', navigator: 'readonly' };
@@
-export default defineConfig([
-  { languageOptions: { globals: globals.browser } },
+export default defineConfig([
+  { languageOptions: { globals: browserGlobals } },

Also scope Node globals for scripts:

+  { files: ['sdk-version.js', 'scripts/**'], languageOptions: { globals: { process: 'readonly', __dirname: 'readonly', module: 'readonly', require: 'readonly' } } },

Re-run ESLint locally/CI to confirm.

Committable suggestion skipped: line range outside the PR's diff.

🤖 Prompt for AI Agents
In eslint.config.mjs around lines 1-3, CI is failing because the 'globals'
package is not installed; fix by either (preferred) adding "globals" to
devDependencies (run npm/yarn add --dev globals and update package.json) and
re-run ESLint, or (alternative) remove the import and inline a minimal globals
object (e.g., declare needed browser globals and Node globals scoped to scripts)
directly in eslint.config.mjs so ESLint can resolve them; after applying either
change, run ESLint locally/CI to confirm the failure is resolved.

Comment on lines +18 to +19
export type PKCEClientOptions = AuthorizationCodeOptions;
export type CCClientOptions = ClientCredentialsOptions;
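Review bot: replacing `interface ... extends` with `type` aliases changes the public type surface (interfaces are open to declaration merging by consumers, aliases are not), while the PR description frames the change as dependency cleanup. Either keep `export interface PKCEClientOptions extends AuthorizationCodeOptions {}` (with a targeted disable if an empty-interface lint rule is what motivated the change) or record the change under the 2.13.1 entry in CHANGELOG.md so downstream users see it in the release notes.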
💡 Verification agent

🧩 Analysis chain

Changing interface to type alias may break declaration merging

External consumers can augment interfaces via declaration merging; type aliases cannot be merged. This can be a subtle semver break.

If any consumer augments PKCEClientOptions/CCClientOptions, keep them as interfaces. Otherwise, add a note to the changelog under "Potentially breaking (types only)". To verify in-repo usage:

If you want the newer style without risk, keep interfaces but export companion aliases:

export interface PKCEClientOptions extends AuthorizationCodeOptions {}
export type PKCEClientOptionsT = AuthorizationCodeOptions;

export interface CCClientOptions extends ClientCredentialsOptions {}
export type CCClientOptionsT = ClientCredentialsOptions;

🏁 Script executed:

#!/bin/bash
rg -nP '\b(interface|type)\s+PKCEClientOptions\b|extends\s+PKCEClientOptions\b|declare\s+module[^\n]*\{[^\}]*interface\s+PKCEClientOptions' -C2
rg -nP '\b(interface|type)\s+CCClientOptions\b|extends\s+CCClientOptions\b|declare\s+module[^\n]*\{[^\}]*interface\s+CCClientOptions' -C2

Length of output: 1612


Add changelog entry for potential type-breaking change
No internal declaration merges for PKCEClientOptions/CCClientOptions were found; both are now type aliases. Add a note under “Potentially breaking (types only)” in CHANGELOG.md. If you need to preserve declaration-merging compatibility for external consumers, revert these to interfaces or export companion aliases.

🤖 Prompt for AI Agents
In lib/sdk/clients/types.ts around lines 18-19, PKCEClientOptions and
CCClientOptions were changed to type aliases which can break external
declaration-merging; either add a note under “Potentially breaking (types only)”
in CHANGELOG.md describing this change and its impact, or restore
declaration-merging compatibility by reverting these to exported interfaces (or
add companion exported interface aliases) so external consumers relying on
declaration merging won’t break—update CHANGELOG.md if you keep the aliases, or
change the types back to interfaces and run a quick type-check to confirm no
regressions.

Comment on lines +43 to 47
} catch (error) {
throw new KindeSDKError(
KindeSDKErrorCode.INVALID_TOKEN_MEMORY_COMMIT,
`Attempting to commit invalid ${type} token "${token}" to memory`
`Attempting to commit invalid ${type} token "${token}" to memory: ${(error as Error).message}`
);
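Review bot: the new message on the last template line still interpolates the raw `${token}` value, and the walkthrough notes that `isAuthenticated` callers now log error messages, so a failed commit writes the full access or id token to the log. Drop the token from the message (the `type` and the appended `${(error as Error).message}` are enough to diagnose the failure), or substitute a short non-reversible fingerprint if correlation is needed, and attach the original error as `cause` if `KindeSDKError` supports it (its constructor is not visible in this hunk).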
💡 Verification agent

🧩 Analysis chain

Secret leakage: error message includes the raw token

Embedding the full access/id token in the thrown error is a high-severity issue. These errors are now logged by callers, which would leak tokens to logs.

Apply this to remove the token from the message (or replace with a minimal fingerprint if you need correlation):

-        `Attempting to commit invalid ${type} token "${token}" to memory: ${(error as Error).message}`
+        `Attempting to commit invalid ${type} token to memory: ${(error as Error).message}`

Please scan for any other error/log strings that include secrets (tokens, client secrets).


🏁 Script executed:

#!/bin/bash
set -e
# Search for any string interpolation including “token” (potential secret leakage)
rg -n --color=never '\$\{[^}]*token' -C2 .
# Search for console.log/error/warn usages including “token”
rg -n --color=never 'console\.(log|error|warn).*token' -C2 .
# Search for thrown errors that reference “token”
rg -n --color=never 'throw new .*token' -C2 .
# Search for any literal “secret” in error/log messages
rg -n --color=never 'secret' -C2 .

Length of output: 12689


Sanitize secret values in error messages

  • lib/sdk/utilities/token-utils.ts: remove raw ${token} from the KindeSDKError message (replace with a fingerprint or omit entirely)
    - `Attempting to commit invalid ${type} token "${token}" to memory: ${(error as Error).message}`
    + `Attempting to commit invalid ${type} token to memory: ${(error as Error).message}`
  • lib/sdk/oauth2-flows/ClientCredentials.ts (generateTokenURLParams): remove ${this.config.clientSecret} from the thrown Error
  • lib/sdk/oauth2-flows/AuthorizationCode.ts: remove ${this.clientSecret} from all thrown Errors

Scan the codebase for any other error/log strings that interpolate tokens or client secrets and mask or omit them.

🤖 Prompt for AI Agents
In lib/sdk/utilities/token-utils.ts around lines 43-47, remove the raw
`${token}` from the KindeSDKError message and either omit the token or replace
it with a non-reversible fingerprint (e.g., short hash or last 4 chars only) to
avoid leaking secrets; similarly, in lib/sdk/oauth2-flows/ClientCredentials.ts
(generateTokenURLParams) and lib/sdk/oauth2-flows/AuthorizationCode.ts remove
any interpolation of `${this.config.clientSecret}` / `${this.clientSecret}` from
thrown Errors and logs and replace with a masked placeholder or fingerprint.
Apply the same change across the codebase: search for error/log strings that
interpolate tokens, client secrets, or other credentials and replace them with
masked values or omit them entirely, ensuring no raw secrets are present in
exceptions or logging messages.
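The remediation discussed above, a commit error that keeps the caller's error message but never the credential, as an added example that is not the SDK's code: the function names, the SHA-256 fingerprint scheme, the leak check and the sample token are my own.

```typescript
import { createHash } from 'node:crypto';

// Constructed sample token for the demonstration, not a real credential.
// Shaped like a JWT (three dot-separated segments) so segment leaks are testable.
export const SAMPLE_TOKEN =
  'eyJhbGciOiJSUzI1NiJ9.eyJzdWIiOiJ1c2VyXzEyMyJ9.c2lnbmF0dXJlLWJ5dGVz';

/**
 * Non-reversible fingerprint for correlating a token across log lines without
 * exposing it: the first 8 hex characters of SHA-256. Collisions are tolerable
 * for correlation; the token itself cannot be recovered from 32 bits of digest.
 */
export function fingerprintToken(token: string): string {
  return createHash('sha256').update(token, 'utf8').digest('hex').slice(0, 8);
}

/** Normalise whatever was caught into a printable reason string. */
function reasonOf(cause: unknown): string {
  return cause instanceof Error ? cause.message : String(cause);
}

/**
 * The shape of the message as submitted in the PR: the raw token is embedded,
 * so any caller that logs error.message writes the credential to its logs.
 */
export function buildLeakyCommitErrorMessage(type: string, token: string, cause: unknown): string {
  return `Attempting to commit invalid ${type} token "${token}" to memory: ${reasonOf(cause)}`;
}

/**
 * Hardened form: same diagnostic content (token type, underlying reason) plus
 * a fingerprint for correlation, with no fragment of the token in the string.
 */
export function buildCommitErrorMessage(type: string, token: string, cause: unknown): string {
  return `Attempting to commit invalid ${type} token (fp=${fingerprintToken(token)}) to memory: ${reasonOf(cause)}`;
}

/**
 * Defensive check usable in a unit test or a log sink: true if the message
 * contains the token or any dot-separated segment of it that is long enough
 * to matter (a single JWT segment still discloses header or claims).
 */
export function messageLeaksToken(message: string, token: string): boolean {
  const segments = token.split('.').filter((s) => s.length >= 8);
  return message.includes(token) || segments.some((s) => message.includes(s));
}
```

Running `messageLeaksToken` over the two message builders with the sample token shows the submitted form leaking and the hardened form clean while both keep the caller's reason text.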

Comment on lines +13 to 14
// eslint-disable-next-line no-undef
const isCleanArg = process.argv[2] === 'clean';
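Review bot: the `eslint-disable-next-line no-undef` on the first line is only needed because the flat config registers browser globals, so `process` is unknown to the linter. Since this file was converted to ESM in the same PR, `import process from 'node:process';` at the top resolves the identifier explicitly and lets the disable comment go without touching ESLint config; the alternative is to scope `globals.node` to this file in eslint.config.mjs.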
🛠️ Refactor suggestion

Remove eslint-disable by scoping Node globals in ESLint

This file runs in Node; configure ESLint to know about process instead of disabling the rule.

In eslint.config.mjs add a file override:

 export default defineConfig([
-  { languageOptions: { globals: globals.browser } },
+  { languageOptions: { globals: { ...globals.browser } } },
+  { files: ['sdk-version.js', 'scripts/**'], languageOptions: { globals: { ...globals.node } } },
   globalIgnores(['dist', 'node_modules', 'coverage/**', 'dist-cjs']),
   pluginJs.configs.recommended,
   ...tseslint.configs.recommended,
 ]);
🤖 Prompt for AI Agents
In sdk-version.js around lines 13 to 14, the rule is disabled with an inline
eslint comment for the Node global "process"; instead configure ESLint to
recognize Node globals by adding a file override in eslint.config.mjs that
targets this file (or its pattern) and sets env: { node: true } (or declares the
needed globals), then remove the inline eslint-disable comment from
sdk-version.js so the file relies on the linter config.
