@depup/supabase__auth-js 2.99.2-depup.0

package/src/lib/errors.ts

@@ -0,0 +1,324 @@
+import { WeakPasswordReasons } from './types'
+import { ErrorCode } from './error-codes'
+
+/**
+ * Base error thrown by Supabase Auth helpers.
+ *
+ * @example
+ * ```ts
+ * import { AuthError } from '@supabase/auth-js'
+ *
+ * throw new AuthError('Unexpected auth error', 500, 'unexpected')
+ * ```
+ */
+export class AuthError extends Error {
+  /**
+   * Error code associated with the error. Most errors coming from
+   * HTTP responses will have a code, though some errors that occur
+   * before a response is received will not have one present. In that
+   * case {@link #status} will also be undefined.
+   */
+  code: ErrorCode | (string & {}) | undefined
+
+  /** HTTP status code that caused the error. */
+  status: number | undefined
+
+  protected __isAuthError = true
+
+  constructor(message: string, status?: number, code?: string) {
+    super(message)
+    this.name = 'AuthError'
+    this.status = status
+    this.code = code
+  }
+}
+
+export function isAuthError(error: unknown): error is AuthError {
+  return typeof error === 'object' && error !== null && '__isAuthError' in error
+}
+
+/**
+ * Error returned directly from the GoTrue REST API.
+ *
+ * @example
+ * ```ts
+ * import { AuthApiError } from '@supabase/auth-js'
+ *
+ * throw new AuthApiError('Invalid credentials', 400, 'invalid_credentials')
+ * ```
+ */
+export class AuthApiError extends AuthError {
+  status: number
+
+  constructor(message: string, status: number, code: string | undefined) {
+    super(message, status, code)
+    this.name = 'AuthApiError'
+    this.status = status
+    this.code = code
+  }
+}
+
+export function isAuthApiError(error: unknown): error is AuthApiError {
+  return isAuthError(error) && error.name === 'AuthApiError'
+}
+
+/**
+ * Wraps non-standard errors so callers can inspect the root cause.
+ *
+ * @example
+ * ```ts
+ * import { AuthUnknownError } from '@supabase/auth-js'
+ *
+ * try {
+ *   await someAuthCall()
+ * } catch (err) {
+ *   throw new AuthUnknownError('Auth failed', err)
+ * }
+ * ```
+ */
+export class AuthUnknownError extends AuthError {
+  originalError: unknown
+
+  constructor(message: string, originalError: unknown) {
+    super(message)
+    this.name = 'AuthUnknownError'
+    this.originalError = originalError
+  }
+}
+
+/**
+ * Flexible error class used to create named auth errors at runtime.
+ *
+ * @example
+ * ```ts
+ * import { CustomAuthError } from '@supabase/auth-js'
+ *
+ * throw new CustomAuthError('My custom auth error', 'MyAuthError', 400, 'custom_code')
+ * ```
+ */
+export class CustomAuthError extends AuthError {
+  name: string
+  status: number
+
+  constructor(message: string, name: string, status: number, code: string | undefined) {
+    super(message, status, code)
+    this.name = name
+    this.status = status
+  }
+}
+
+/**
+ * Error thrown when an operation requires a session but none is present.
+ *
+ * @example
+ * ```ts
+ * import { AuthSessionMissingError } from '@supabase/auth-js'
+ *
+ * throw new AuthSessionMissingError()
+ * ```
+ */
+export class AuthSessionMissingError extends CustomAuthError {
+  constructor() {
+    super('Auth session missing!', 'AuthSessionMissingError', 400, undefined)
+  }
+}
+
+export function isAuthSessionMissingError(error: any): error is AuthSessionMissingError {
+  return isAuthError(error) && error.name === 'AuthSessionMissingError'
+}
+
+/**
+ * Error thrown when the token response is malformed.
+ *
+ * @example
+ * ```ts
+ * import { AuthInvalidTokenResponseError } from '@supabase/auth-js'
+ *
+ * throw new AuthInvalidTokenResponseError()
+ * ```
+ */
+export class AuthInvalidTokenResponseError extends CustomAuthError {
+  constructor() {
+    super('Auth session or user missing', 'AuthInvalidTokenResponseError', 500, undefined)
+  }
+}
+
+/**
+ * Error thrown when email/password credentials are invalid.
+ *
+ * @example
+ * ```ts
+ * import { AuthInvalidCredentialsError } from '@supabase/auth-js'
+ *
+ * throw new AuthInvalidCredentialsError('Email or password is incorrect')
+ * ```
+ */
+export class AuthInvalidCredentialsError extends CustomAuthError {
+  constructor(message: string) {
+    super(message, 'AuthInvalidCredentialsError', 400, undefined)
+  }
+}
+
+/**
+ * Error thrown when implicit grant redirects contain an error.
+ *
+ * @example
+ * ```ts
+ * import { AuthImplicitGrantRedirectError } from '@supabase/auth-js'
+ *
+ * throw new AuthImplicitGrantRedirectError('OAuth redirect failed', {
+ *   error: 'access_denied',
+ *   code: 'oauth_error',
+ * })
+ * ```
+ */
+export class AuthImplicitGrantRedirectError extends CustomAuthError {
+  details: { error: string; code: string } | null = null
+  constructor(message: string, details: { error: string; code: string } | null = null) {
+    super(message, 'AuthImplicitGrantRedirectError', 500, undefined)
+    this.details = details
+  }
+
+  toJSON() {
+    return {
+      name: this.name,
+      message: this.message,
+      status: this.status,
+      details: this.details,
+    }
+  }
+}
+
+export function isAuthImplicitGrantRedirectError(
+  error: any
+): error is AuthImplicitGrantRedirectError {
+  return isAuthError(error) && error.name === 'AuthImplicitGrantRedirectError'
+}
+
+/**
+ * Error thrown during PKCE code exchanges.
+ *
+ * @example
+ * ```ts
+ * import { AuthPKCEGrantCodeExchangeError } from '@supabase/auth-js'
+ *
+ * throw new AuthPKCEGrantCodeExchangeError('PKCE exchange failed')
+ * ```
+ */
+export class AuthPKCEGrantCodeExchangeError extends CustomAuthError {
+  details: { error: string; code: string } | null = null
+
+  constructor(message: string, details: { error: string; code: string } | null = null) {
+    super(message, 'AuthPKCEGrantCodeExchangeError', 500, undefined)
+    this.details = details
+  }
+
+  toJSON() {
+    return {
+      name: this.name,
+      message: this.message,
+      status: this.status,
+      details: this.details,
+    }
+  }
+}
+
+/**
+ * Error thrown when the PKCE code verifier is not found in storage.
+ * This typically happens when the auth flow was initiated in a different
+ * browser, device, or the storage was cleared.
+ *
+ * @example
+ * ```ts
+ * import { AuthPKCECodeVerifierMissingError } from '@supabase/auth-js'
+ *
+ * throw new AuthPKCECodeVerifierMissingError()
+ * ```
+ */
+export class AuthPKCECodeVerifierMissingError extends CustomAuthError {
+  constructor() {
+    super(
+      'PKCE code verifier not found in storage. ' +
+        'This can happen if the auth flow was initiated in a different browser or device, ' +
+        'or if the storage was cleared. For SSR frameworks (Next.js, SvelteKit, etc.), ' +
+        'use @supabase/ssr on both the server and client to store the code verifier in cookies.',
+      'AuthPKCECodeVerifierMissingError',
+      400,
+      'pkce_code_verifier_not_found'
+    )
+  }
+}
+
+export function isAuthPKCECodeVerifierMissingError(
+  error: unknown
+): error is AuthPKCECodeVerifierMissingError {
+  return isAuthError(error) && error.name === 'AuthPKCECodeVerifierMissingError'
+}
+
+/**
+ * Error thrown when a transient fetch issue occurs.
+ *
+ * @example
+ * ```ts
+ * import { AuthRetryableFetchError } from '@supabase/auth-js'
+ *
+ * throw new AuthRetryableFetchError('Service temporarily unavailable', 503)
+ * ```
+ */
+export class AuthRetryableFetchError extends CustomAuthError {
+  constructor(message: string, status: number) {
+    super(message, 'AuthRetryableFetchError', status, undefined)
+  }
+}
+
+export function isAuthRetryableFetchError(error: unknown): error is AuthRetryableFetchError {
+  return isAuthError(error) && error.name === 'AuthRetryableFetchError'
+}
+
+/**
+ * This error is thrown on certain methods when the password used is deemed
+ * weak. Inspect the reasons to identify what password strength rules are
+ * inadequate.
+ */
+/**
+ * Error thrown when a supplied password is considered weak.
+ *
+ * @example
+ * ```ts
+ * import { AuthWeakPasswordError } from '@supabase/auth-js'
+ *
+ * throw new AuthWeakPasswordError('Password too short', 400, ['min_length'])
+ * ```
+ */
+export class AuthWeakPasswordError extends CustomAuthError {
+  /**
+   * Reasons why the password is deemed weak.
+   */
+  reasons: WeakPasswordReasons[]
+
+  constructor(message: string, status: number, reasons: WeakPasswordReasons[]) {
+    super(message, 'AuthWeakPasswordError', status, 'weak_password')
+
+    this.reasons = reasons
+  }
+}
+
+export function isAuthWeakPasswordError(error: unknown): error is AuthWeakPasswordError {
+  return isAuthError(error) && error.name === 'AuthWeakPasswordError'
+}
+
+/**
+ * Error thrown when a JWT cannot be verified or parsed.
+ *
+ * @example
+ * ```ts
+ * import { AuthInvalidJwtError } from '@supabase/auth-js'
+ *
+ * throw new AuthInvalidJwtError('Token signature is invalid')
+ * ```
+ */
+export class AuthInvalidJwtError extends CustomAuthError {
+  constructor(message: string) {
+    super(message, 'AuthInvalidJwtError', 400, 'invalid_jwt')
+  }
+}

package/src/lib/fetch.ts

@@ -0,0 +1,283 @@
+import { API_VERSIONS, API_VERSION_HEADER_NAME } from './constants'
+import { expiresAt, looksLikeFetchResponse, parseResponseAPIVersion } from './helpers'
+import {
+  AuthResponse,
+  AuthResponsePassword,
+  SSOResponse,
+  GenerateLinkProperties,
+  GenerateLinkResponse,
+  User,
+  UserResponse,
+} from './types'
+import {
+  AuthApiError,
+  AuthRetryableFetchError,
+  AuthWeakPasswordError,
+  AuthUnknownError,
+  AuthSessionMissingError,
+} from './errors'
+
+export type Fetch = typeof fetch
+
+export interface FetchOptions {
+  headers?: {
+    [key: string]: string
+  }
+  noResolveJson?: boolean
+}
+
+export interface FetchParameters {
+  signal?: AbortSignal
+}
+
+export type RequestMethodType = 'GET' | 'POST' | 'PUT' | 'DELETE'
+
+const _getErrorMessage = (err: any): string =>
+  err.msg || err.message || err.error_description || err.error || JSON.stringify(err)
+
+const NETWORK_ERROR_CODES = [502, 503, 504]
+
+export async function handleError(error: unknown) {
+  if (!looksLikeFetchResponse(error)) {
+    throw new AuthRetryableFetchError(_getErrorMessage(error), 0)
+  }
+
+  if (NETWORK_ERROR_CODES.includes(error.status)) {
+    // status in 500...599 range - server had an error, request might be retryed.
+    throw new AuthRetryableFetchError(_getErrorMessage(error), error.status)
+  }
+
+  let data: any
+  try {
+    data = await error.json()
+  } catch (e: any) {
+    throw new AuthUnknownError(_getErrorMessage(e), e)
+  }
+
+  let errorCode: string | undefined = undefined
+
+  const responseAPIVersion = parseResponseAPIVersion(error)
+  if (
+    responseAPIVersion &&
+    responseAPIVersion.getTime() >= API_VERSIONS['2024-01-01'].timestamp &&
+    typeof data === 'object' &&
+    data &&
+    typeof data.code === 'string'
+  ) {
+    errorCode = data.code
+  } else if (typeof data === 'object' && data && typeof data.error_code === 'string') {
+    errorCode = data.error_code
+  }
+
+  if (!errorCode) {
+    // Legacy support for weak password errors, when there were no error codes
+    if (
+      typeof data === 'object' &&
+      data &&
+      typeof data.weak_password === 'object' &&
+      data.weak_password &&
+      Array.isArray(data.weak_password.reasons) &&
+      data.weak_password.reasons.length &&
+      data.weak_password.reasons.reduce((a: boolean, i: any) => a && typeof i === 'string', true)
+    ) {
+      throw new AuthWeakPasswordError(
+        _getErrorMessage(data),
+        error.status,
+        data.weak_password.reasons
+      )
+    }
+  } else if (errorCode === 'weak_password') {
+    throw new AuthWeakPasswordError(
+      _getErrorMessage(data),
+      error.status,
+      data.weak_password?.reasons || []
+    )
+  } else if (errorCode === 'session_not_found') {
+    // The `session_id` inside the JWT does not correspond to a row in the
+    // `sessions` table. This usually means the user has signed out, has been
+    // deleted, or their session has somehow been terminated.
+    throw new AuthSessionMissingError()
+  }
+
+  throw new AuthApiError(_getErrorMessage(data), error.status || 500, errorCode)
+}
+
+const _getRequestParams = (
+  method: RequestMethodType,
+  options?: FetchOptions,
+  parameters?: FetchParameters,
+  body?: object
+) => {
+  const params: { [k: string]: any } = { method, headers: options?.headers || {} }
+
+  if (method === 'GET') {
+    return params
+  }
+
+  params.headers = { 'Content-Type': 'application/json;charset=UTF-8', ...options?.headers }
+  params.body = JSON.stringify(body)
+  return { ...params, ...parameters }
+}
+
+interface GotrueRequestOptions extends FetchOptions {
+  jwt?: string
+  redirectTo?: string
+  body?: object
+  query?: { [key: string]: string }
+  /**
+   * Function that transforms api response from gotrue into a desirable / standardised format
+   */
+  xform?: (data: any) => any
+}
+
+export async function _request(
+  fetcher: Fetch,
+  method: RequestMethodType,
+  url: string,
+  options?: GotrueRequestOptions
+) {
+  const headers = {
+    ...options?.headers,
+  }
+
+  if (!headers[API_VERSION_HEADER_NAME]) {
+    headers[API_VERSION_HEADER_NAME] = API_VERSIONS['2024-01-01'].name
+  }
+
+  if (options?.jwt) {
+    headers['Authorization'] = `Bearer ${options.jwt}`
+  }
+
+  const qs = options?.query ?? {}
+  if (options?.redirectTo) {
+    qs['redirect_to'] = options.redirectTo
+  }
+
+  const queryString = Object.keys(qs).length ? '?' + new URLSearchParams(qs).toString() : ''
+  const data = await _handleRequest(
+    fetcher,
+    method,
+    url + queryString,
+    {
+      headers,
+      noResolveJson: options?.noResolveJson,
+    },
+    {},
+    options?.body
+  )
+  return options?.xform ? options?.xform(data) : { data: { ...data }, error: null }
+}
+
+async function _handleRequest(
+  fetcher: Fetch,
+  method: RequestMethodType,
+  url: string,
+  options?: FetchOptions,
+  parameters?: FetchParameters,
+  body?: object
+): Promise<any> {
+  const requestParams = _getRequestParams(method, options, parameters, body)
+
+  let result: any
+
+  try {
+    result = await fetcher(url, {
+      ...requestParams,
+    })
+  } catch (e) {
+    console.error(e)
+
+    // fetch failed, likely due to a network or CORS error
+    throw new AuthRetryableFetchError(_getErrorMessage(e), 0)
+  }
+
+  if (!result.ok) {
+    await handleError(result)
+  }
+
+  if (options?.noResolveJson) {
+    return result
+  }
+
+  try {
+    return await result.json()
+  } catch (e: any) {
+    await handleError(e)
+  }
+}
+
+export function _sessionResponse(data: any): AuthResponse {
+  let session = null
+  if (hasSession(data)) {
+    session = { ...data }
+
+    if (!data.expires_at) {
+      session.expires_at = expiresAt(data.expires_in)
+    }
+  }
+
+  const user: User = data.user ?? (data as User)
+  return { data: { session, user }, error: null }
+}
+
+export function _sessionResponsePassword(data: any): AuthResponsePassword {
+  const response = _sessionResponse(data) as AuthResponsePassword
+
+  if (
+    !response.error &&
+    data.weak_password &&
+    typeof data.weak_password === 'object' &&
+    Array.isArray(data.weak_password.reasons) &&
+    data.weak_password.reasons.length &&
+    data.weak_password.message &&
+    typeof data.weak_password.message === 'string' &&
+    data.weak_password.reasons.reduce((a: boolean, i: any) => a && typeof i === 'string', true)
+  ) {
+    response.data.weak_password = data.weak_password
+  }
+
+  return response
+}
+
+export function _userResponse(data: any): UserResponse {
+  const user: User = data.user ?? (data as User)
+  return { data: { user }, error: null }
+}
+
+export function _ssoResponse(data: any): SSOResponse {
+  return { data, error: null }
+}
+
+export function _generateLinkResponse(data: any): GenerateLinkResponse {
+  const { action_link, email_otp, hashed_token, redirect_to, verification_type, ...rest } = data
+
+  const properties: GenerateLinkProperties = {
+    action_link,
+    email_otp,
+    hashed_token,
+    redirect_to,
+    verification_type,
+  }
+
+  const user: User = { ...rest }
+  return {
+    data: {
+      properties,
+      user,
+    },
+    error: null,
+  }
+}
+
+export function _noResolveJsonResponse(data: any): Response {
+  return data
+}
+
+/**
+ * hasSession checks if the response object contains a valid session
+ * @param data A response object
+ * @returns true if a session is in the response
+ */
+function hasSession(data: any): boolean {
+  return data.access_token && data.refresh_token && data.expires_in
+}