@hexclave/tanstack-start 1.0.21 → 1.0.23

package/src/lib/auth.ts

@@ -2,7 +2,7 @@
 //===========================================
 // THIS FILE IS AUTO-GENERATED FROM TEMPLATE. DO NOT EDIT IT DIRECTLY UNLESS YOU ALSO EDIT THE CORRESPONDING FILE IN packages/template
 //===========================================
-import { KnownError, HexclaveClientInterface } from "@hexclave/shared";
+import { KnownError, KnownErrors, HexclaveClientInterface } from "@hexclave/shared";
 import { InternalSession } from "@hexclave/shared/dist/sessions";
 import { HexclaveAssertionError, throwErr } from "@hexclave/shared/dist/utils/errors";
 import { Result } from "@hexclave/shared/dist/utils/results";
@@ -50,10 +50,39 @@ type OAuthCallbackConsumptionResult =
     error: KnownError,
   };
 
+const oauthErrorParams = ["error", "error_description", "errorCode", "message", "details"] as const;
+
+function removeOAuthErrorParamsFromHistory(originalUrl: URL): void {
+  const newUrl = new URL(originalUrl);
+  for (const param of oauthErrorParams) {
+    newUrl.searchParams.delete(param);
+  }
+  window.history.replaceState({}, "", newUrl.toString());
+}
+
+function getProviderOAuthErrorFromUrl(originalUrl: URL): KnownError | null {
+  const providerError = originalUrl.searchParams.get("error");
+  const providerErrorDescription = originalUrl.searchParams.get("error_description");
+  if (providerError == null && providerErrorDescription == null) {
+    return null;
+  }
+
+  switch (providerError) {
+    case "access_denied":
+    case "consent_required": {
+      return new KnownErrors.OAuthProviderAccessDenied();
+    }
+    case "server_error":
+    case "temporarily_unavailable":
+    default: {
+      return new KnownErrors.OAuthProviderTemporarilyUnavailable();
+    }
+  }
+}
+
 function consumeOAuthCallbackQueryParams(options?: {
   dontWarnAboutMissingQueryParams?: boolean,
 }): OAuthCallbackConsumptionResult | null {
-  const oauthErrorParams = ["error", "error_description", "errorCode", "message", "details"] as const;
   const requiredParams = ["code", "state"];
   const originalUrl = new URL(window.location.href);
   const knownErrorCode = originalUrl.searchParams.get("errorCode");
@@ -72,11 +101,7 @@ function consumeOAuthCallbackQueryParams(options?: {
       }
     }
 
-    const newUrl = new URL(originalUrl);
-    for (const param of oauthErrorParams) {
-      newUrl.searchParams.delete(param);
-    }
-    window.history.replaceState({}, "", newUrl.toString());
+    removeOAuthErrorParamsFromHistory(originalUrl);
 
     return {
       type: "known-error",
@@ -88,6 +113,15 @@ function consumeOAuthCallbackQueryParams(options?: {
     };
   }
 
+  const providerOAuthError = getProviderOAuthErrorFromUrl(originalUrl);
+  if (providerOAuthError != null && !requiredParams.every(param => originalUrl.searchParams.has(param))) {
+    removeOAuthErrorParamsFromHistory(originalUrl);
+    return {
+      type: "known-error",
+      error: providerOAuthError,
+    };
+  }
+
   for (const param of requiredParams) {
     if (!originalUrl.searchParams.has(param)) {
       if (!options?.dontWarnAboutMissingQueryParams) {

package/src/lib/hexclave-app/apps/implementations/admin-app-impl.ts

@@ -1092,10 +1092,11 @@ export class _HexclaveAdminAppImplIncomplete<HasTokenStore extends boolean, Proj
     return result as AdminEmailOutbox;
   }
 
-  async listOutboxEmails(options?: { status?: string, simpleStatus?: string, limit?: number, cursor?: string }): Promise<{ items: AdminEmailOutbox[], nextCursor: string | null }> {
+  async listOutboxEmails(options?: { status?: string, simpleStatus?: string, userId?: string, limit?: number, cursor?: string }): Promise<{ items: AdminEmailOutbox[], nextCursor: string | null }> {
     const response = await this._interface.listOutboxEmails({
       status: options?.status,
       simple_status: options?.simpleStatus,
+      user_id: options?.userId,
       limit: options?.limit,
       cursor: options?.cursor,
     });

package/src/lib/hexclave-app/apps/implementations/client-app-impl.cross-domain.test.ts

@@ -439,6 +439,72 @@ describe("StackClientApp cross-domain auth", () => {
     }
   });
 
+  it("redirects hosted current-page OAuth callback errors to the hosted error handler during startup", async () => {
+    const projectId = "00000000-0000-4000-8000-000000000010";
+    const previousWindow = globalThis.window;
+    const previousDocument = globalThis.document;
+    const callbackUrl = new URL("https://demo.stack-auth.com/dashboard");
+    callbackUrl.searchParams.set("errorCode", "SIGN_UP_REJECTED");
+    callbackUrl.searchParams.set("message", "Your sign up was rejected by an administrator's sign-up rule.");
+    callbackUrl.searchParams.set("details", JSON.stringify({
+      message: "Your sign up was rejected by an administrator's sign-up rule.",
+    }));
+    let currentHref = callbackUrl.toString();
+    let redirectedUrl = "";
+    const redirectSpy = vi.spyOn(StackClientApp.prototype as any, "_redirectTo").mockImplementation(async (...args: unknown[]) => {
+      const options = args[0] as { url: string | URL };
+      redirectedUrl = options.url.toString();
+    });
+
+    globalThis.document = createMockDocument();
+    globalThis.window = {
+      location: {
+        get href() {
+          return currentHref;
+        },
+        set href(value: string) {
+          currentHref = value;
+        },
+        origin: callbackUrl.origin,
+      },
+      history: {
+        replaceState: (_state: unknown, _title: string, url: string) => {
+          currentHref = new URL(url, currentHref).toString();
+        },
+      },
+      addEventListener: () => {},
+      removeEventListener: () => {},
+    } as any;
+
+    try {
+      new StackClientApp({
+        baseUrl: "http://localhost:12345",
+        projectId,
+        publishableClientKey: "stack-pk-test",
+        tokenStore: "memory",
+        redirectMethod: "window",
+        urls: {
+          default: { type: "hosted" },
+        },
+        noAutomaticPrefetch: true,
+      });
+
+      await new Promise((resolve) => setTimeout(resolve, 0));
+      await new Promise((resolve) => setTimeout(resolve, 0));
+    } finally {
+      redirectSpy.mockRestore();
+      globalThis.window = previousWindow;
+      globalThis.document = previousDocument;
+    }
+
+    const errorUrl = new URL(redirectedUrl);
+    expect(errorUrl.origin).toBe(`https://${projectId}.built-with-stack-auth.com`);
+    expect(errorUrl.pathname).toBe("/handler/error");
+    expect(errorUrl.searchParams.get("errorCode")).toBe("SIGN_UP_REJECTED");
+    expect(errorUrl.searchParams.get("message")).toBe("Your sign up was rejected by an administrator's sign-up rule.");
+    expect(new URL(currentHref).searchParams.has("errorCode")).toBe(false);
+  });
+
   it("uses direct sign-out instead of hosted sign-out redirects when code execution is available", async () => {
     const clientApp = new StackClientApp({
       baseUrl: "http://localhost:12345",

package/src/lib/hexclave-app/apps/implementations/client-app-impl.ts

@@ -3,7 +3,7 @@
 // THIS FILE IS AUTO-GENERATED FROM TEMPLATE. DO NOT EDIT IT DIRECTLY UNLESS YOU ALSO EDIT THE CORRESPONDING FILE IN packages/template
 //===========================================
 import { WebAuthnError, startAuthentication, startRegistration } from "@simplewebauthn/browser";
-import { KnownErrors, HexclaveClientInterface } from "@hexclave/shared";
+import { KnownError, KnownErrors, HexclaveClientInterface } from "@hexclave/shared";
 import type { RequestListener } from "@hexclave/shared/dist/interface/client-interface";
 import { ContactChannelsCrud } from "@hexclave/shared/dist/interface/crud/contact-channels";
 import { CurrentUserCrud } from "@hexclave/shared/dist/interface/crud/current-user";
@@ -715,11 +715,11 @@ export class _HexclaveClientAppImplIncomplete<HasTokenStore extends boolean, Pro
     if (
       isBrowserLike()
       && (this._isOAuthCallbackUrlHosted() || this._currentUrlLooksLikeNestedCrossDomainOAuthCallback())
-      && this._currentUrlLooksLikeHexclaveOAuthCallback()
+      && (this._currentUrlLooksLikeHexclaveOAuthCallback() || this._currentUrlLooksLikeOAuthCallbackError())
     ) {
       this._trackPendingAuthResolution(async () => {
         if (isBrowserLike()) {
-          await this.callOAuthCallback({ dontWarnAboutMissingQueryParams: true });
+          await this._handleHostedOAuthCallbackDuringStartup();
         }
       });
     }
@@ -735,7 +735,7 @@ export class _HexclaveClientAppImplIncomplete<HasTokenStore extends boolean, Pro
     }
 
     if (isBrowserLike() && resolvedOptions.devTool !== false) {
-      mountDevTool(this as any);
+      mountDevTool(this as any, resolvedOptions.devTool);
     }
     if (isBrowserLike()) {
       // Independent of the dev tool: the clickmap overlay only ever renders
@@ -819,6 +819,22 @@ export class _HexclaveClientAppImplIncomplete<HasTokenStore extends boolean, Pro
       currentUrl.searchParams.has("code") && currentUrl.searchParams.has("state")
     ) || (
       currentUrl.searchParams.has("errorCode") && currentUrl.searchParams.has("message")
+    ) || (
+      this._currentUrlLooksLikeOAuthCallbackError()
+    );
+  }
+
+  protected _currentUrlLooksLikeOAuthCallbackError(): boolean {
+    if (typeof window === "undefined") {
+      return false;
+    }
+    const currentUrl = new URL(window.location.href);
+    if (currentUrl.searchParams.has("errorCode") && currentUrl.searchParams.has("message")) {
+      return true;
+    }
+    return (
+      (currentUrl.searchParams.has("error") || currentUrl.searchParams.has("error_description"))
+      && !(currentUrl.searchParams.has("code") && currentUrl.searchParams.has("state"))
     );
   }
 
@@ -860,6 +876,26 @@ export class _HexclaveClientAppImplIncomplete<HasTokenStore extends boolean, Pro
     return currentUrl.toString();
   }
 
+  protected async _redirectToOAuthCallbackError(error: KnownError): Promise<void> {
+    const errorUrl = new URL(this._getUrls().error, window.location.href);
+    errorUrl.searchParams.set("errorCode", error.errorCode);
+    errorUrl.searchParams.set("message", error.message);
+    errorUrl.searchParams.set("details", JSON.stringify(error.details ?? {}));
+    await this._redirectIfTrusted(errorUrl.toString(), { replace: true });
+  }
+
+  protected async _handleHostedOAuthCallbackDuringStartup(): Promise<void> {
+    try {
+      await this.callOAuthCallback({ dontWarnAboutMissingQueryParams: true });
+    } catch (error) {
+      if (KnownError.isKnownError(error)) {
+        await this._redirectToOAuthCallbackError(error);
+        return;
+      }
+      throw error;
+    }
+  }
+
   protected async _fetchCurrentRefreshTokenIdIfSignedIn(options?: {
     awaitPendingAuthResolutions?: boolean,
     overrideTokenStoreInit?: TokenStoreInit,

package/src/lib/hexclave-app/apps/interfaces/admin-app.ts

@@ -20,6 +20,7 @@ import { StackServerApp, StackServerAppConstructorOptions } from "./server-app";
 export type EmailOutboxListOptions = {
   status?: string,
   simpleStatus?: string,
+  userId?: string,
   limit?: number,
   cursor?: string,
 };

package/src/lib/hexclave-app/apps/interfaces/client-app.ts

@@ -26,11 +26,13 @@ export type StackClientAppConstructorOptions<HasTokenStore extends boolean, Proj
   inheritsFrom?: StackClientApp<any, any>,
 
   /**
-   * Whether to show the Hexclave dev tool indicator in browser-like development environments.
+   * Whether to show the Hexclave dev tool indicator in browser-like environments.
    *
-   * Defaults to true.
+   * - `true`: always show
+   * - `false`: never show
+   * - `"auto"` (default): show based on NODE_ENV or origin heuristics
    */
-  devTool?: boolean,
+  devTool?: boolean | "auto",
 
   /**
    * By default, the Stack app will automatically prefetch some data from Stack's server when this app is first