@giaeulate/baas-sdk 1.2.0 → 1.3.0

package/dist/index.cjs

@@ -30,14 +30,28 @@ module.exports = __toCommonJS(index_exports);
 var HttpClient = class {
   url;
   apiKey = "";
+  keyType;
   token = null;
   environment = "prod";
   _onForceLogout = null;
-  constructor(url, apiKey) {
+  constructor(url, apiKey, options) {
     let baseUrl = url || (typeof window !== "undefined" ? window.location.origin : "http://localhost:8080");
     this.url = baseUrl.endsWith("/") ? baseUrl.slice(0, -1) : baseUrl;
     if (apiKey) this.apiKey = apiKey;
-    this.token = this.cleanValue(localStorage.getItem("baas_token"));
+    this.keyType = options?.keyType ?? "service_role";
+    this.warnIfUnsafeKey();
+    this.token = typeof localStorage !== "undefined" ? this.cleanValue(localStorage.getItem("baas_token")) : null;
+  }
+  /** SECURITY: a service_role key bypasses RLS and grants admin over every
+   *  tenant. If it ends up in a browser bundle, anyone can extract it. Warn
+   *  loudly when a non-anon key is constructed in a browser context. */
+  warnIfUnsafeKey() {
+    const inBrowser = typeof window !== "undefined" && typeof document !== "undefined";
+    if (inBrowser && this.apiKey && this.keyType !== "anon") {
+      console.warn(
+        '[baas-sdk] SECURITY WARNING: a non-anon (service_role) key is running in a browser. It bypasses Row-Level Security and grants admin over ALL tenants, and is extractable from the bundle. Mint an anon key in the dashboard and construct the client with { keyType: "anon" }.'
+      );
+    }
   }
   /**
    * Set the auth token manually (e.g. restoring from SecureStore in React Native).
@@ -114,7 +128,14 @@ var HttpClient = class {
       if (res.status === 403 && data?.error === "ip_not_allowed") {
         this.handleIPBlocked(data.ip);
       }
-      return { error: data?.error || `Request failed: ${res.status}`, ...data };
+      const rateLimited = res.status === 429;
+      const retryHint = res.headers.get("retry-after") || res.headers.get("x-ratelimit-reset");
+      return {
+        error: data?.error || `Request failed: ${res.status}`,
+        status: res.status,
+        ...rateLimited ? { rateLimited: true, retryAfter: retryHint ? parseInt(retryHint, 10) : void 0 } : {},
+        ...data
+      };
     }
     return data;
   }
@@ -231,10 +252,49 @@ var QueryBuilder = class {
     this.queryParams.set(column, `not.${operator}.${value}`);
     return this;
   }
+  /** Array/jsonb/range contains (@>). Arrays become a `{a,b}` literal. */
+  contains(column, values) {
+    this.queryParams.set(column, `cs.${this.arrayLiteral(values)}`);
+    return this;
+  }
+  /** Array/jsonb/range contained-by (<@). */
+  containedBy(column, values) {
+    this.queryParams.set(column, `cd.${this.arrayLiteral(values)}`);
+    return this;
+  }
+  /** Array/range overlap (&&). */
+  overlaps(column, values) {
+    this.queryParams.set(column, `ov.${this.arrayLiteral(values)}`);
+    return this;
+  }
+  /** Full-text search (@@). type: fts|plfts|phfts|wfts (tsquery flavour). */
+  textSearch(column, query, type = "fts") {
+    this.queryParams.set(column, `${type}.${query}`);
+    return this;
+  }
+  arrayLiteral(values) {
+    return Array.isArray(values) ? `{${values.join(",")}}` : `${values}`;
+  }
+  /** OR group: `or=(c1,c2)`. Members are dotted `col.op.value` strings. */
   or(filters) {
     this.queryParams.set("or", `(${filters})`);
     return this;
   }
+  /** AND group: `and=(c1,c2)` — e.g. a range `qty.gt.5,qty.lt.20`. */
+  and(filters) {
+    this.queryParams.set("and", `(${filters})`);
+    return this;
+  }
+  /** Negated AND group: `not.and=(...)`. */
+  notAnd(filters) {
+    this.queryParams.set("not.and", `(${filters})`);
+    return this;
+  }
+  /** Negated OR group: `not.or=(...)`. */
+  notOr(filters) {
+    this.queryParams.set("not.or", `(${filters})`);
+    return this;
+  }
   order(column, { ascending = true } = {}) {
     this.queryParams.set("order", `${column}.${ascending ? "asc" : "desc"}`);
     return this;
@@ -278,6 +338,34 @@ var QueryBuilder = class {
     if (res.status === 204) return { success: true };
     return await this.handleResponse(res);
   }
+  /** Insert-or-update on conflict. [onConflict] is the conflict-target column(s). */
+  async upsert(data, onConflict) {
+    const res = await fetch(`${this.url}/api/v1/data/${this.table}/upsert`, {
+      method: "POST",
+      headers: this.getHeaders(),
+      body: JSON.stringify({ ...data, on_conflict: onConflict })
+    });
+    return await this.handleResponse(res);
+  }
+  /**
+   * Count rows matching the current filters (PostgREST parity). Sends
+   * `Prefer: count=exact` and parses the total from the `Content-Range`
+   * response header. Returns `{ count, error, status }`.
+   */
+  async count() {
+    const res = await fetch(`${this.url}/api/v1/data/${this.table}?${this.queryParams.toString()}`, {
+      headers: { ...this.getHeaders(), Prefer: "count=exact", "Cache-Control": "no-cache" },
+      cache: "no-store"
+    });
+    if (!res.ok) {
+      if (res.status === 401) this.client.forceLogout();
+      const body = await res.json().catch(() => null);
+      return { count: 0, error: body?.error || "Request failed", status: res.status };
+    }
+    const cr = res.headers.get("content-range");
+    const total = cr && cr.includes("/") ? parseInt(cr.split("/").pop() || "", 10) : NaN;
+    return { count: Number.isNaN(total) ? 0 : total, error: null, status: res.status };
+  }
   getHeaders() {
     return this.client.getHeaders();
   }
@@ -333,6 +421,43 @@ function createAuthModule(client) {
         localStorage.removeItem("baas_token");
       }
     },
+    // Anonymous sign-in (Supabase parity). Response carries access_token (+ a
+    // back-compat `token`); store whichever is present.
+    async signInAnonymous() {
+      const data = await post("/api/auth/anonymous");
+      const tok = data?.access_token || data?.token;
+      if (tok) {
+        client.token = tok;
+        localStorage.setItem("baas_token", tok);
+      }
+      return data;
+    },
+    // Passwordless: request a magic link + 6-digit email OTP. Always resolves on
+    // a well-formed request (no account enumeration).
+    async requestOtp(email, createUser = true) {
+      return post("/api/auth/otp", { email, create_user: createUser });
+    },
+    // Verify a passwordless OTP/magic-link and complete sign-in.
+    async verifyOtp(type, email, token) {
+      const data = await post("/api/auth/verify", { type, email, token });
+      const tok = data?.access_token || data?.token;
+      if (tok) {
+        client.token = tok;
+        localStorage.setItem("baas_token", tok);
+      }
+      return data;
+    },
+    // Upgrade the current anonymous guest to a real account (preserves user id).
+    // Requires the anonymous Bearer to be set (call after signInAnonymous).
+    async upgradeAnonymous(email, password) {
+      const data = await post("/api/auth/upgrade", { email, password });
+      const tok = data?.access_token || data?.token;
+      if (tok) {
+        client.token = tok;
+        localStorage.setItem("baas_token", tok);
+      }
+      return data;
+    },
     async verifyMFA(mfaToken, code) {
       const data = await post("/api/mfa/finalize", { mfa_token: mfaToken, code });
       if (data.token) {
@@ -530,6 +655,7 @@ function createDatabaseModule(client) {
 function createStorageModule(client) {
   const get = (endpoint) => client.get(endpoint);
   const post = (endpoint, body) => client.post(endpoint, body);
+  const put = (endpoint, body) => client.put(endpoint, body);
   const del = (endpoint) => client.delete(endpoint);
   async function uploadFile(fileOrTable, fileOrBucketId) {
     let file;
@@ -564,8 +690,15 @@ function createStorageModule(client) {
     async listFiles() {
       return get("/api/storage/files");
     },
-    async getFile(fileId) {
-      return get(`/api/storage/files/${fileId}`);
+    async getFile(fileId, expiresIn) {
+      const q = expiresIn && expiresIn > 0 ? `?expiresIn=${expiresIn}` : "";
+      return get(`/api/storage/files/${fileId}${q}`);
+    },
+    async createSignedUrl(fileId, expiresIn) {
+      const res = await get(
+        `/api/storage/files/${fileId}${expiresIn && expiresIn > 0 ? `?expiresIn=${expiresIn}` : ""}`
+      );
+      return { signedUrl: res?.url };
     },
     async deleteFile(fileId) {
       return del(`/api/storage/files/${fileId}`);
@@ -573,6 +706,9 @@ function createStorageModule(client) {
     async createBucket(name, isPublic = false) {
       return post("/api/storage/buckets", { name, is_public: isPublic });
     },
+    async updateBucket(bucketId, opts) {
+      return put(`/api/storage/buckets/${bucketId}`, { is_public: opts.isPublic });
+    },
     async listBuckets() {
       return get("/api/storage/buckets");
     },
@@ -584,6 +720,17 @@ function createStorageModule(client) {
     },
     async listBucketFiles(bucketId) {
       return get(`/api/storage/buckets/${bucketId}/files`);
+    },
+    async download(fileId) {
+      const res = await fetch(`${client.url}/api/storage/files/${fileId}/download`, {
+        headers: client.getHeaders("")
+      });
+      if (!res.ok) {
+        if (res.status === 401) client.forceLogout();
+        const err = await res.json().catch(() => ({ error: `Download failed: ${res.status}` }));
+        throw new Error(err.error ?? `Download failed: ${res.status}`);
+      }
+      return res.blob();
     }
   };
 }
@@ -684,7 +831,9 @@ function createFunctionsModule(client) {
       return del(`/api/functions/${id}`);
     },
     async update(id, code, options) {
-      return put(`/api/functions/${id}`, { code, ...options });
+      const current = await get(`/api/functions/${id}`);
+      const name = current?.name ?? current?.data?.name;
+      return post("/api/functions", { name, code, ...options });
     },
     async executeCode(code, options) {
       return post("/api/functions/execute", { code, ...options });
@@ -830,7 +979,9 @@ function createGraphQLModule(client) {
       return post("/api/graphql", { query, variables });
     },
     async getSchema() {
-      return get("/api/graphql/schema");
+      return post("/api/graphql", {
+        query: "{ __schema { queryType { name } mutationType { name } types { name kind } } }"
+      });
     },
     getPlaygroundUrl() {
       return `${client.url}/api/graphql/playground`;
@@ -876,6 +1027,7 @@ function createMetricsModule(client) {
 // src/modules/audit.ts
 function createAuditModule(client) {
   const get = (endpoint) => client.get(endpoint);
+  const del = (endpoint) => client.delete(endpoint);
   return {
     async list(options) {
       const params = new URLSearchParams();
@@ -892,6 +1044,40 @@ function createAuditModule(client) {
     },
     async getActions() {
       return get("/api/audit/actions");
+    },
+    async exportLogs(format, options) {
+      const params = new URLSearchParams();
+      params.set("format", format);
+      if (options?.action) params.set("action", options.action);
+      if (options?.method) params.set("method", options.method);
+      if (options?.path) params.set("path", options.path);
+      if (options?.status_code) params.set("status_code", options.status_code.toString());
+      if (options?.start_date) params.set("start_date", options.start_date);
+      if (options?.end_date) params.set("end_date", options.end_date);
+      const res = await fetch(`${client.url}/api/audit/export?${params.toString()}`, {
+        headers: client.getHeaders(),
+        credentials: "include"
+      });
+      if (!res.ok) {
+        const data = await res.json();
+        return { error: data.error || `Export failed: ${res.status}` };
+      }
+      const blob = await res.blob();
+      const url = window.URL.createObjectURL(blob);
+      const a = document.createElement("a");
+      a.href = url;
+      a.download = `audit_logs_${(/* @__PURE__ */ new Date()).toISOString().split("T")[0]}.${format}`;
+      document.body.appendChild(a);
+      a.click();
+      window.URL.revokeObjectURL(url);
+      document.body.removeChild(a);
+      return { success: true };
+    },
+    async purgePreview(olderThanDays) {
+      return get(`/api/audit/purge/preview?older_than_days=${olderThanDays}`);
+    },
+    async purge(olderThanDays) {
+      return del(`/api/audit/purge?older_than_days=${olderThanDays}`);
     }
   };
 }
@@ -1017,6 +1203,9 @@ var RealtimeService = class {
       socket.onopen = () => {
         console.log("BaaS Realtime: Connected");
         this.reconnectAttempts = 0;
+        for (const table of this.subscribers.keys()) {
+          this.sendSub("subscribe", table);
+        }
         resolve();
       };
       socket.onmessage = (event) => {
@@ -1054,11 +1243,15 @@ var RealtimeService = class {
    */
   async subscribe(table, action, callback) {
     await this.connect();
-    if (!this.subscribers.has(table)) {
+    const isNewTable = !this.subscribers.has(table);
+    if (isNewTable) {
       this.subscribers.set(table, /* @__PURE__ */ new Set());
     }
     const sub = { action, callback };
     this.subscribers.get(table).add(sub);
+    if (isNewTable && table !== "*") {
+      this.sendSub("subscribe", table);
+    }
     return {
       unsubscribe: () => {
         const tableSubs = this.subscribers.get(table);
@@ -1066,11 +1259,18 @@ var RealtimeService = class {
           tableSubs.delete(sub);
           if (tableSubs.size === 0) {
             this.subscribers.delete(table);
+            if (table !== "*") this.sendSub("unsubscribe", table);
           }
         }
       }
     };
   }
+  /** Send a subscribe/unsubscribe control frame to the server. */
+  sendSub(event, table) {
+    if (this.socket?.readyState === WebSocket.OPEN) {
+      this.socket.send(JSON.stringify({ event, table }));
+    }
+  }
   /**
    * Handle incoming CDC events from the server
    */
@@ -1242,6 +1442,44 @@ function createIPWhitelistModule(client) {
   };
 }
 
+// src/modules/cache.ts
+function createCacheModule(client) {
+  const get = (endpoint) => client.get(endpoint);
+  const post = (endpoint, body) => client.post(endpoint, body);
+  const patch = (endpoint, body) => client.patch(endpoint, body);
+  const del = (endpoint) => client.delete(endpoint);
+  return {
+    async getStatus() {
+      return get("/api/cache/status");
+    },
+    async getStats() {
+      return get("/api/cache/stats");
+    },
+    async listPolicies() {
+      return get("/api/cache/policies");
+    },
+    async updatePolicy(namespace, body) {
+      return patch(`/api/cache/policies/${encodeURIComponent(namespace)}`, body);
+    },
+    async removePolicy(namespace) {
+      return del(`/api/cache/policies/${encodeURIComponent(namespace)}`);
+    },
+    async invalidateNamespace(namespace) {
+      return post(`/api/cache/invalidate/${encodeURIComponent(namespace)}`);
+    },
+    async invalidateAll() {
+      return post("/api/cache/invalidate-all");
+    },
+    async listKeys(prefix, cursor = 0, count = 100) {
+      const params = new URLSearchParams({ prefix, cursor: String(cursor), count: String(count) });
+      return get(`/api/cache/keys?${params}`);
+    },
+    async inspectKey(key) {
+      return get(`/api/cache/keys/inspect?key=${encodeURIComponent(key)}`);
+    }
+  };
+}
+
 // src/client.ts
 var BaasClient = class extends HttpClient {
   // Feature modules
@@ -1268,8 +1506,9 @@ var BaasClient = class extends HttpClient {
   corsOrigins;
   policies;
   ipWhitelist;
-  constructor(url, apiKey) {
-    super(url, apiKey);
+  cache;
+  constructor(url, apiKey, options) {
+    super(url, apiKey, options);
     this.auth = createAuthModule(this);
     this.users = createUsersModule(this);
     this.database = createDatabaseModule(this);
@@ -1293,6 +1532,7 @@ var BaasClient = class extends HttpClient {
     this.corsOrigins = createCorsOriginsModule(this);
     this.policies = createPoliciesModule(this);
     this.ipWhitelist = createIPWhitelistModule(this);
+    this.cache = createCacheModule(this);
   }
   /**
    * Create a query builder for fluent data queries
@@ -1300,6 +1540,18 @@ var BaasClient = class extends HttpClient {
   from(table) {
     return new QueryBuilder(table, this.url, this);
   }
+  /**
+   * Invoke a PL/pgSQL function (PostgREST `.rpc()` parity). Runs under the
+   * caller's RLS context; args bind by name and are $N-safe. Pass [params] for
+   * POST (named args in the body) or set `opts.get = true` for the GET variant.
+   */
+  async rpc(fn, params, opts) {
+    if (opts?.get) {
+      const qs = params ? "?" + new URLSearchParams(Object.entries(params).map(([k, v]) => [k, String(v)])).toString() : "";
+      return this.get(`/api/v1/rpc/${fn}${qs}`);
+    }
+    return this.post(`/api/v1/rpc/${fn}`, params ?? {});
+  }
   // ============================================
   // BACKWARD COMPATIBILITY METHODS
   // These delegate to the appropriate modules
@@ -1667,6 +1919,15 @@ var BaasClient = class extends HttpClient {
   async getAuditActions() {
     return this.audit.getActions();
   }
+  async exportAuditLogs(format, options) {
+    return this.audit.exportLogs(format, options);
+  }
+  async previewPurgeAuditLogs(olderThanDays) {
+    return this.audit.purgePreview(olderThanDays);
+  }
+  async purgeAuditLogs(olderThanDays) {
+    return this.audit.purge(olderThanDays);
+  }
   // Realtime shortcuts
   subscribe(table, action, callback) {
     return this.realtime.subscribe(table, action, callback);
@@ -1721,3 +1982,4 @@ var BaasClient = class extends HttpClient {
   HttpClient,
   QueryBuilder
 });
+//# sourceMappingURL=index.cjs.map