@adventurelabs/scout-core 1.4.74 → 1.4.76

package/dist/providers/ScoutRefreshProvider.js

@@ -1,47 +1,202 @@
 "use client";
 import { jsx as _jsx } from "react/jsx-runtime";
 import { useScoutRefresh, } from "../hooks/useScoutRefresh";
-import { createContext, useContext, useMemo, useRef } from "react";
+import { createContext, useCallback, useContext, useEffect, useMemo, useRef, useState, } from "react";
 import { createBrowserClient } from "@supabase/ssr";
-// Create context for the Supabase client
-const SupabaseContext = createContext(null);
-const ConnectionStatusContext = createContext(null);
-// Hook to use the Supabase client
-export function useSupabase() {
-    const supabase = useContext(SupabaseContext);
-    if (!supabase) {
-        throw new Error("useSupabase must be used within a SupabaseProvider");
+import { CLIENT_ABILITIES_TOKEN_TTL_SEC, } from "../types/client_abilities_token";
+import { EnumWebResponse } from "../types/requests";
+import { get_client_abilities_jwt_public_keys, mint_client_abilities_token, verify_client_abilities_token, } from "../helpers/client_abilities_token";
+import { scoutCache } from "../helpers/cache";
+import { get_pubsub_jwt_public_keys, mint_pubsub_token, verify_pubsub_token, } from "../helpers/pubsub_token";
+import { PUBSUB_TOKEN_TTL_SEC } from "../types/pubsub_token";
+import { derive_jwt_mint_status, } from "../types/jwt_mint";
+const ScoutRefreshContext = createContext(null);
+const DEFAULT_REFRESH_BEFORE_EXPIRY_SEC = 120;
+const DEFAULT_PUBLIC_KEYS_CACHE_MS = 10 * 60 * 1000;
+function mintExpiresAt(mint, ttlSec) {
+    if (mint.exp > mint.iat) {
+        return mint.exp;
     }
-    return supabase;
+    return mint.iat + ttlSec;
 }
-// Hook to use connection status
-export function useConnectionStatus() {
-    const connectionStatus = useContext(ConnectionStatusContext);
-    if (!connectionStatus) {
-        throw new Error("useConnectionStatus must be used within a ScoutRefreshProvider");
+function useScoutRefreshContext() {
+    const ctx = useContext(ScoutRefreshContext);
+    if (!ctx) {
+        throw new Error("Scout refresh hooks must be used within ScoutRefreshProvider");
     }
-    return connectionStatus;
+    return ctx;
+}
+export function useSupabase() {
+    return useScoutRefreshContext().supabase;
+}
+export function useClientAbilitiesMint() {
+    return useScoutRefreshContext().abilities;
+}
+export function usePubsubTokenMint() {
+    return useScoutRefreshContext().pubsub;
+}
+function resolveAbilityParams(abilityParams) {
+    return {
+        mintClientAbilitiesToken: abilityParams?.mintClientAbilitiesToken ?? true,
+        mintPubsubToken: abilityParams?.mintPubsubToken ?? false,
+        clientAbilitiesTokenTtlSec: abilityParams?.clientAbilitiesTokenTtlSec ??
+            CLIENT_ABILITIES_TOKEN_TTL_SEC,
+        pubsubTokenTtlSec: abilityParams?.pubsubTokenTtlSec ?? PUBSUB_TOKEN_TTL_SEC,
+        refreshBeforeExpirySec: abilityParams?.refreshBeforeExpirySec ??
+            DEFAULT_REFRESH_BEFORE_EXPIRY_SEC,
+        publicKeysCacheTtlMs: abilityParams?.publicKeysCacheTtlMs ?? DEFAULT_PUBLIC_KEYS_CACHE_MS,
+    };
+}
+function useCachedPublicKeys(supabase, publicKeysCacheTtlMs, fetchKeys) {
+    const keysRef = useRef(null);
+    const keysAtRef = useRef(0);
+    return useCallback(async (force = false) => {
+        const now = Date.now();
+        if (!force &&
+            keysRef.current?.length &&
+            now - keysAtRef.current < publicKeysCacheTtlMs) {
+            return keysRef.current;
+        }
+        const { status, data, msg } = await fetchKeys(supabase);
+        if (status !== EnumWebResponse.SUCCESS || !data?.length) {
+            throw new Error(msg ?? "jwt public keys RPC returned no keys");
+        }
+        keysRef.current = data;
+        keysAtRef.current = now;
+        return data;
+    }, [supabase, publicKeysCacheTtlMs, fetchKeys]);
+}
+function useJwtMintLifecycle({ enabled, supabase, cacheKey, ttlSec, refreshBeforeExpirySec, loadPublicKeys, mintToken, verifyToken, }) {
+    const [mint, setMint] = useState(null);
+    const [inFlight, setInFlight] = useState(false);
+    const [error, setError] = useState(null);
+    const inFlightRef = useRef(false);
+    const status = useMemo(() => derive_jwt_mint_status(enabled, mint, inFlight, error), [enabled, mint, inFlight, error]);
+    const refreshMint = useCallback(async () => {
+        if (!enabled || inFlightRef.current) {
+            return;
+        }
+        inFlightRef.current = true;
+        setInFlight(true);
+        setError(null);
+        try {
+            const { data: { session }, } = await supabase.auth.getSession();
+            if (!session) {
+                setMint(null);
+                await scoutCache.clearJwtMint(cacheKey);
+                return;
+            }
+            const mintResponse = await mintToken(supabase);
+            if (mintResponse.status !== EnumWebResponse.SUCCESS ||
+                !mintResponse.data) {
+                setError(mintResponse.msg ?? "mint failed");
+                return;
+            }
+            let keys = await loadPublicKeys();
+            let verified;
+            try {
+                verified = await verifyToken(mintResponse.data, keys);
+            }
+            catch {
+                keys = await loadPublicKeys(true);
+                verified = await verifyToken(mintResponse.data, keys);
+            }
+            setMint(verified);
+            try {
+                await scoutCache.setJwtMint(cacheKey, verified);
+            }
+            catch (cacheError) {
+                console.warn(`[ScoutRefreshProvider] ${cacheKey} cache save failed:`, cacheError);
+            }
+        }
+        catch (e) {
+            setError(e instanceof Error ? e.message : "mint failed");
+        }
+        finally {
+            inFlightRef.current = false;
+            setInFlight(false);
+        }
+    }, [enabled, supabase, cacheKey, loadPublicKeys, mintToken, verifyToken]);
+    useEffect(() => {
+        if (!enabled) {
+            setMint(null);
+            setError(null);
+            return;
+        }
+        let cancelled = false;
+        void scoutCache.getJwtMint(cacheKey).then((cached) => {
+            if (!cancelled && cached.data) {
+                setMint(cached.data);
+            }
+        });
+        void refreshMint();
+        const { data: { subscription }, } = supabase.auth.onAuthStateChange((event) => {
+            if (event === "SIGNED_OUT") {
+                setMint(null);
+                setError(null);
+                void scoutCache.clearJwtMint(cacheKey);
+                return;
+            }
+            if (event === "SIGNED_IN" || event === "TOKEN_REFRESHED") {
+                void refreshMint();
+            }
+        });
+        return () => {
+            cancelled = true;
+            subscription.unsubscribe();
+        };
+    }, [enabled, supabase, cacheKey, refreshMint]);
+    useEffect(() => {
+        if (!enabled || !mint) {
+            return;
+        }
+        const nowSec = Math.floor(Date.now() / 1000);
+        const expSec = mintExpiresAt(mint, ttlSec);
+        const refreshAtSec = Math.max(expSec - refreshBeforeExpirySec, mint.iat + 1);
+        const delayMs = Math.max((refreshAtSec - nowSec) * 1000, 1000);
+        const timer = setTimeout(() => {
+            void refreshMint();
+        }, delayMs);
+        return () => clearTimeout(timer);
+    }, [enabled, mint, ttlSec, refreshBeforeExpirySec, refreshMint]);
+    return useMemo(() => ({ mint, status, error, refreshMint }), [mint, status, error, refreshMint]);
+}
+function useClientAbilitiesMintLifecycle(supabase, config) {
+    const { mintClientAbilitiesToken: enabled, clientAbilitiesTokenTtlSec: ttlSec, refreshBeforeExpirySec, publicKeysCacheTtlMs, } = config;
+    const loadPublicKeys = useCachedPublicKeys(supabase, publicKeysCacheTtlMs, get_client_abilities_jwt_public_keys);
+    return useJwtMintLifecycle({
+        enabled,
+        supabase,
+        cacheKey: "client_abilities",
+        ttlSec,
+        refreshBeforeExpirySec,
+        loadPublicKeys,
+        mintToken: mint_client_abilities_token,
+        verifyToken: verify_client_abilities_token,
+    });
+}
+function usePubsubTokenMintLifecycle(supabase, config) {
+    const { mintPubsubToken: enabled, pubsubTokenTtlSec: ttlSec, refreshBeforeExpirySec, publicKeysCacheTtlMs, } = config;
+    const loadPublicKeys = useCachedPublicKeys(supabase, publicKeysCacheTtlMs, get_pubsub_jwt_public_keys);
+    return useJwtMintLifecycle({
+        enabled,
+        supabase,
+        cacheKey: "pubsub",
+        ttlSec,
+        refreshBeforeExpirySec,
+        loadPublicKeys,
+        mintToken: mint_pubsub_token,
+        verifyToken: verify_pubsub_token,
+    });
 }
-export function ScoutRefreshProvider({ children, ...refreshOptions }) {
-    // Use refs to store the URL and key to prevent unnecessary recreations
-    // Assumes Next.js environment variables (NEXT_PUBLIC_*)
+export function ScoutRefreshProvider({ children, abilityParams, ...refreshOptions }) {
     const urlRef = useRef(process.env.NEXT_PUBLIC_SUPABASE_URL || "");
     const anonKeyRef = useRef(process.env.NEXT_PUBLIC_SUPABASE_ANON_KEY || "");
-    // Create a single Supabase client instance that only runs once
-    const supabaseClient = useMemo(() => {
-        console.log("[ScoutRefreshProvider] Creating Supabase client");
-        return createBrowserClient(urlRef.current, anonKeyRef.current);
-    }, []); // Empty dependency array ensures this only runs once
-    useScoutRefresh({ ...refreshOptions, supabase: supabaseClient });
-    // // Log connection status changes for debugging
-    // if (connectionStatus.lastError) {
-    //   console.warn(
-    //     "[ScoutRefreshProvider] DB Listener error:",
-    //     connectionStatus.lastError
-    //   );
-    // }
-    // if (connectionStatus.isConnected) {
-    //   console.log("[ScoutRefreshProvider] ✅ DB Listener connected");
-    // }
-    return (_jsx(SupabaseContext.Provider, { value: supabaseClient, children: children }));
+    const supabase = useMemo(() => createBrowserClient(urlRef.current, anonKeyRef.current), []);
+    const abilitiesConfig = useMemo(() => resolveAbilityParams(abilityParams), [abilityParams]);
+    useScoutRefresh({ ...refreshOptions, supabase });
+    const abilities = useClientAbilitiesMintLifecycle(supabase, abilitiesConfig);
+    const pubsub = usePubsubTokenMintLifecycle(supabase, abilitiesConfig);
+    const value = useMemo(() => ({ supabase, abilities, pubsub }), [supabase, abilities, pubsub]);
+    return (_jsx(ScoutRefreshContext.Provider, { value: value, children: children }));
 }

package/dist/types/client_abilities_token.d.ts

@@ -0,0 +1,19 @@
+export interface IClientAbilitiesHerdClaim {
+    herd_id: number;
+    slug: string;
+    abilities: string[];
+}
+export interface IClientAbilitiesTokenMint {
+    token: string;
+    platform_superadmin: boolean;
+    herds: IClientAbilitiesHerdClaim[];
+    iat: number;
+    exp: number;
+}
+export interface IClientAbilitiesJwtPublicKeyEntry {
+    kid: string;
+    jwk: Record<string, unknown>;
+}
+export declare const CLIENT_ABILITIES_JWT_AUDIENCE = "scout-client";
+export declare const CLIENT_ABILITIES_TOKEN_TTL_SEC = 3600;
+export declare function can_herd_ability(mint: IClientAbilitiesTokenMint | null | undefined, herd_id: number, ability: string, require_valid_expiry?: boolean): boolean;

package/dist/types/client_abilities_token.js

@@ -0,0 +1,16 @@
+export const CLIENT_ABILITIES_JWT_AUDIENCE = "scout-client";
+export const CLIENT_ABILITIES_TOKEN_TTL_SEC = 3600;
+export function can_herd_ability(mint, herd_id, ability, require_valid_expiry = true) {
+    if (!mint?.token) {
+        return false;
+    }
+    if (require_valid_expiry &&
+        mint.exp <= Math.floor(Date.now() / 1000)) {
+        return false;
+    }
+    if (mint.platform_superadmin) {
+        return true;
+    }
+    const herd = mint.herds.find((h) => h.herd_id === herd_id);
+    return herd?.abilities.includes(ability) ?? false;
+}

package/dist/types/db.d.ts

@@ -1,7 +1,6 @@
 import { SupabaseClient, User } from "@supabase/supabase-js";
 import { Database } from "./supabase";
 export type ScoutDatabaseClient = SupabaseClient<Database, "public">;
-export type Role = Database["public"]["Enums"]["role"];
 export type DeviceType = Database["public"]["Enums"]["device_type"];
 export type MediaType = Database["public"]["Enums"]["media_type"];
 export type TagObservationType = Database["public"]["Enums"]["tag_observation_type"];
@@ -27,6 +26,15 @@ export type ILayer = Database["public"]["Tables"]["layers"]["Row"];
 export type IAction = Database["public"]["Tables"]["actions"]["Row"];
 export type IZone = Database["public"]["Tables"]["zones"]["Row"];
 export type IUserRolePerHerd = Database["public"]["Tables"]["users_roles_per_herd"]["Row"];
+export type IAbility = Database["public"]["Tables"]["abilities"]["Row"];
+export type IHerdRole = Database["public"]["Tables"]["herd_roles"]["Row"];
+export type IHerdRoleAbilityRow = Database["public"]["Tables"]["herd_role_abilities"]["Row"];
+export type IHerdRoleWithAbilities = IHerdRole & {
+    abilities: IAbility[];
+    ability_ids: number[];
+};
+/** Stable machine id on `herd_roles` (e.g. admin, editor, viewer). Not `herds.slug`. */
+export type HerdRoleSystemName = string;
 export type IHerdInvitation = Database["public"]["Tables"]["herd_invitations"]["Row"];
 export type IHerdInvitationWithHerdSlug = Database["public"]["CompositeTypes"]["herd_invitation_with_herd_slug"];
 export type IHerdAllowedDomain = Database["public"]["Tables"]["herd_allowed_domains"]["Row"];
@@ -141,7 +149,8 @@ export interface IEventWithSession extends IEvent {
 }
 export type IUserAndRole = {
     user: IUserProfileRow | null;
-    role: Role;
+    herd_role_id: number;
+    herd_role: IHerdRole | null;
 };
 export interface IApiKeyScout {
     id: string;

package/dist/types/jwt_mint.d.ts

@@ -0,0 +1,10 @@
+export declare enum EnumJwtMintStatus {
+    IDLE = "idle",
+    LOADING = "loading",
+    REFRESHING = "refreshing",
+    READY = "ready",
+    ERROR = "error"
+}
+export declare function derive_jwt_mint_status(enabled: boolean, mint: {
+    token: string;
+} | null | undefined, inFlight: boolean, error: string | null): EnumJwtMintStatus;

package/dist/types/jwt_mint.js

@@ -0,0 +1,26 @@
+export var EnumJwtMintStatus;
+(function (EnumJwtMintStatus) {
+    EnumJwtMintStatus["IDLE"] = "idle";
+    EnumJwtMintStatus["LOADING"] = "loading";
+    EnumJwtMintStatus["REFRESHING"] = "refreshing";
+    EnumJwtMintStatus["READY"] = "ready";
+    EnumJwtMintStatus["ERROR"] = "error";
+})(EnumJwtMintStatus || (EnumJwtMintStatus = {}));
+export function derive_jwt_mint_status(enabled, mint, inFlight, error) {
+    if (!enabled) {
+        return EnumJwtMintStatus.IDLE;
+    }
+    if (inFlight && !mint?.token) {
+        return EnumJwtMintStatus.LOADING;
+    }
+    if (inFlight && mint?.token) {
+        return EnumJwtMintStatus.REFRESHING;
+    }
+    if (error) {
+        return EnumJwtMintStatus.ERROR;
+    }
+    if (mint?.token) {
+        return EnumJwtMintStatus.READY;
+    }
+    return EnumJwtMintStatus.LOADING;
+}

package/dist/types/pubsub_token.d.ts

@@ -5,3 +5,8 @@ export interface IPubsubTokenMint {
     iat: number;
     exp: number;
 }
+export interface IPubsubJwtPublicKeyEntry {
+    kid: string;
+    jwk: Record<string, unknown>;
+}
+export declare const PUBSUB_TOKEN_TTL_SEC = 3600;

package/dist/types/pubsub_token.js

@@ -1 +1 @@
-export {};
+export const PUBSUB_TOKEN_TTL_SEC = 3600;