@hexclave/tanstack-start 1.0.5 → 1.0.6

package/dist/esm/lib/hexclave-app/apps/implementations/client-app-impl.js

@@ -4,9 +4,9 @@ import React, { useCallback, useMemo } from "react";
 import { HexclaveClientInterface, KnownErrors } from "@hexclave/shared";
 import { suspend, suspendIfSsr, use } from "@hexclave/shared/dist/utils/react";
 import { deepPlainEquals, omit } from "@hexclave/shared/dist/utils/objects";
-import { createUrlIfValid, isRelative } from "@hexclave/shared/dist/utils/urls";
-import { deindent, mergeScopeStrings } from "@hexclave/shared/dist/utils/strings";
+import { createUrlIfValid, getRelativePart, isRelative } from "@hexclave/shared/dist/utils/urls";
 import { Result } from "@hexclave/shared/dist/utils/results";
+import { deindent, mergeScopeStrings } from "@hexclave/shared/dist/utils/strings";
 import { isBrowserLike } from "@hexclave/shared/dist/utils/env";
 import * as tanstackStartServerContext from "@hexclave/tanstack-start/tanstack-start-server-context";
 import { clientVersion, createCache, createCacheBySession, createEmptyTokenStore, getAnalyticsBaseUrl, getDefaultExtraRequestHeaders, getDefaultProjectId, getDefaultPublishableClientKey, getUrls, resolveApiUrls, resolveConstructorOptions, useAsyncCache } from "./common.js";
@@ -14,11 +14,11 @@ import { getTrustedParentDomain, validateRedirectUrl } from "@hexclave/shared/di
 import { decodeBase32, decodeBase64, encodeBase32, encodeBase64 } from "@hexclave/shared/dist/utils/bytes";
 import { hexclaveAppInternalsSymbol } from "../../common.js";
 import { adminProjectCreateOptionsToCrud } from "../../projects/index.js";
-import { WebAuthnError, startAuthentication, startRegistration } from "@simplewebauthn/browser";
 import { InternalSession } from "@hexclave/shared/dist/sessions";
+import { Store, storeLock } from "@hexclave/shared/dist/utils/stores";
+import { WebAuthnError, startAuthentication, startRegistration } from "@simplewebauthn/browser";
 import { parseJson } from "@hexclave/shared/dist/utils/json";
 import { DependenciesMap } from "@hexclave/shared/dist/utils/maps";
-import { Store, storeLock } from "@hexclave/shared/dist/utils/stores";
 import { BotChallengeExecutionFailedError, BotChallengeUserCancelledError, withBotChallengeFlow } from "@hexclave/shared/dist/utils/turnstile-flow";
 import { generateUuid } from "@hexclave/shared/dist/utils/uuids";
 import * as TanStackRouter from "@tanstack/react-router";
@@ -26,7 +26,7 @@ import * as cookie from "cookie";
 import { constructRedirectUrl } from "../../../../utils/url.js";
 import { callOAuthCallback, getNewOAuthProviderOrScopeUrl } from "../../../auth.js";
 import { createBrowserCookieHelper, createCookieHelper, createPlaceholderCookieHelper, deleteCookie, deleteCookieClient, getCookieClient, isSecure, saveVerifierAndState, setOrDeleteCookie, setOrDeleteCookieClient } from "../../../cookie.js";
-import { envVars } from "../../../env.js";
+import { envVars } from "../../../../generated/env.js";
 import { apiKeyCreationOptionsToCrud } from "../../api-keys/index.js";
 import { contactChannelCreateOptionsToCrud, contactChannelUpdateOptionsToCrud } from "../../contact-channels/index.js";
 import { teamCreateOptionsToCrud, teamUpdateOptionsToCrud } from "../../teams/index.js";
@@ -503,15 +503,15 @@ var _HexclaveClientAppImplIncomplete = class _HexclaveClientAppImplIncomplete {
 		for (const param of oauthCallbackResponseQueryParams) currentUrl.searchParams.delete(param);
 		return currentUrl.toString();
 	}
-	async _getCurrentRefreshTokenIdIfSignedIn(options) {
-		const tokens = await (await this._getSession(options?.overrideTokenStoreInit, options)).getOrFetchLikelyValidTokens(0, null);
+	async _fetchCurrentRefreshTokenIdIfSignedIn(options) {
+		const tokens = await (await this._getSession(options?.overrideTokenStoreInit, options)).fetchNewTokens();
 		if (tokens?.refreshToken == null) return null;
 		return tokens.accessToken.payload.refresh_token_id;
 	}
 	async _addNestedCrossDomainAuthParamsToRedirectUrl(options) {
 		const targetUrl = new URL(options.url, options.currentUrl);
 		if (targetUrl.origin === options.currentUrl.origin) return options.url;
-		const refreshTokenId = await this._getCurrentRefreshTokenIdIfSignedIn({
+		const refreshTokenId = await this._fetchCurrentRefreshTokenIdIfSignedIn({
 			awaitPendingAuthResolutions: options.awaitPendingAuthResolutions,
 			overrideTokenStoreInit: options.overrideTokenStoreInit
 		});
@@ -542,7 +542,7 @@ var _HexclaveClientAppImplIncomplete = class _HexclaveClientAppImplIncomplete {
 			const afterCallbackRedirectUrlString = currentUrl.searchParams.get(nestedCrossDomainAuthQueryParams.afterCallbackRedirectUrl);
 			const afterCallbackRedirectUrl = afterCallbackRedirectUrlString == null ? redirectUriUrl : new URL(afterCallbackRedirectUrlString, redirectUriUrl);
 			if (!await this._isTrusted(afterCallbackRedirectUrl.toString())) throw new Error(`Nested cross-domain auth after-callback redirect URL ${afterCallbackRedirectUrlString} is not trusted.`);
-			if (await this._getCurrentRefreshTokenIdIfSignedIn({ awaitPendingAuthResolutions: false }) !== refreshTokenId) throw new Error("Nested cross-domain auth source session does not match the requested refresh token ID.");
+			if (await this._fetchCurrentRefreshTokenIdIfSignedIn({ awaitPendingAuthResolutions: false }) !== refreshTokenId) throw new Error("Nested cross-domain auth source session does not match the requested refresh token ID.");
 			await this._redirectTo({
 				url: await this._createCrossDomainAuthRedirectUrl({
 					redirectUri: redirectUriUrl.toString(),
@@ -555,7 +555,9 @@ var _HexclaveClientAppImplIncomplete = class _HexclaveClientAppImplIncomplete {
 			});
 			return true;
 		}
-		if (await this._getCurrentRefreshTokenIdIfSignedIn({ awaitPendingAuthResolutions: false }) === refreshTokenId) return false;
+		const currentRefreshTokenId = await this._fetchCurrentRefreshTokenIdIfSignedIn({ awaitPendingAuthResolutions: false });
+		if (currentRefreshTokenId === refreshTokenId) return false;
+		if (currentRefreshTokenId != null) (await this._getSession(void 0, { awaitPendingAuthResolutions: false })).markInvalid();
 		const callbackUrlString = currentUrl.searchParams.get(nestedCrossDomainAuthQueryParams.callbackUrl);
 		if (callbackUrlString == null) throw new HexclaveAssertionError("Nested cross-domain auth URL is missing callback URL");
 		if (isRelative(callbackUrlString)) throw new Error("Nested cross-domain auth callback URL must be absolute.");
@@ -708,6 +710,13 @@ var _HexclaveClientAppImplIncomplete = class _HexclaveClientAppImplIncomplete {
 			accessToken
 		};
 	}
+	_getCurrentBrowserCookieTokenStoreValue(old) {
+		const tokens = this._getTokensFromCookies(this._getAllBrowserCookies());
+		return {
+			refreshToken: tokens.refreshToken,
+			accessToken: tokens.accessToken ?? (old?.refreshToken === tokens.refreshToken ? old.accessToken : null)
+		};
+	}
 	get _accessTokenCookieName() {
 		return `hexclave-access`;
 	}
@@ -812,19 +821,12 @@ var _HexclaveClientAppImplIncomplete = class _HexclaveClientAppImplIncomplete {
 	_getBrowserCookieTokenStore() {
 		if (!isBrowserLike()) throw new Error("Cannot use cookie token store on the server!");
 		if (this._storedBrowserCookieTokenStore === null) {
-			const getCurrentValue = (old) => {
-				const tokens = this._getTokensFromCookies(this._getAllBrowserCookies());
-				return {
-					refreshToken: tokens.refreshToken,
-					accessToken: tokens.accessToken ?? (old?.refreshToken === tokens.refreshToken ? old.accessToken : null)
-				};
-			};
-			this._storedBrowserCookieTokenStore = new Store(getCurrentValue(null));
+			this._storedBrowserCookieTokenStore = new Store(this._getCurrentBrowserCookieTokenStoreValue(null));
 			let hasSucceededInWriting = true;
 			setInterval(() => {
 				if (hasSucceededInWriting) {
 					const oldValue = this._storedBrowserCookieTokenStore.get();
-					const currentValue = getCurrentValue(oldValue);
+					const currentValue = this._getCurrentBrowserCookieTokenStoreValue(oldValue);
 					if (!deepPlainEquals(currentValue, oldValue)) this._storedBrowserCookieTokenStore.set(currentValue);
 				}
 			}, 100);
@@ -850,6 +852,10 @@ var _HexclaveClientAppImplIncomplete = class _HexclaveClientAppImplIncomplete {
 					else throw e;
 				}
 			});
+		} else {
+			const oldValue = this._storedBrowserCookieTokenStore.get();
+			const currentValue = this._getCurrentBrowserCookieTokenStoreValue(oldValue);
+			if (!deepPlainEquals(currentValue, oldValue)) this._storedBrowserCookieTokenStore.set(currentValue);
 		}
 		return this._storedBrowserCookieTokenStore;
 	}
@@ -947,17 +953,17 @@ var _HexclaveClientAppImplIncomplete = class _HexclaveClientAppImplIncomplete {
 			accessToken: tokenObj.accessToken
 		});
 		session.onAccessTokenChange((newAccessToken) => {
-			tokenStore.update((old) => ({
+			tokenStore.update((old) => InternalSession.calculateSessionKey(old) === sessionKey ? {
 				...old,
 				accessToken: newAccessToken?.token ?? null
-			}));
+			} : old);
 		});
 		session.onInvalidate(() => {
-			tokenStore.update((old) => ({
+			tokenStore.update((old) => InternalSession.calculateSessionKey(old) === sessionKey ? {
 				...old,
 				accessToken: null,
 				refreshToken: null
-			}));
+			} : old);
 		});
 		let sessionsBySessionKey = this._sessionsByTokenStoreAndSessionKey.get(tokenStore) ?? /* @__PURE__ */ new Map();
 		this._sessionsByTokenStoreAndSessionKey.set(tokenStore, sessionsBySessionKey);
@@ -1906,17 +1912,17 @@ var _HexclaveClientAppImplIncomplete = class _HexclaveClientAppImplIncomplete {
 	}
 	_getBotChallengeSiteKeys() {
 		if (!isBrowserLike()) return null;
-		const visibleSiteKey = envVars.NEXT_PUBLIC_STACK_BOT_CHALLENGE_SITE_KEY;
+		const visibleSiteKey = envVars.HEXCLAVE_BOT_CHALLENGE_SITE_KEY;
 		if (!visibleSiteKey) {
 			if (!this._botChallengeSiteKeysWarned) {
 				this._botChallengeSiteKeysWarned = true;
-				console.warn("[stack-auth] NEXT_PUBLIC_STACK_BOT_CHALLENGE_SITE_KEY is not set — bot challenge fraud protection is disabled. Set the env variable to enable it.");
+				console.warn("[stack-auth] HEXCLAVE_BOT_CHALLENGE_SITE_KEY is not set — bot challenge fraud protection is disabled. Set the env variable to enable it.");
 			}
 			return null;
 		}
 		return {
 			visibleSiteKey,
-			invisibleSiteKey: envVars.NEXT_PUBLIC_STACK_BOT_CHALLENGE_INVISIBLE_SITE_KEY ?? visibleSiteKey
+			invisibleSiteKey: envVars.HEXCLAVE_BOT_CHALLENGE_INVISIBLE_SITE_KEY ?? visibleSiteKey
 		};
 	}
 	_getBotChallengeFlowFailure(error) {
@@ -2038,6 +2044,7 @@ var _HexclaveClientAppImplIncomplete = class _HexclaveClientAppImplIncomplete {
 	}
 	async _createCrossDomainAuthRedirectUrl(options) {
 		const session = await this._getSession(options.overrideTokenStoreInit, { awaitPendingAuthResolutions: options.awaitPendingAuthResolutions });
+		await session.fetchNewTokens();
 		const response = await this._interface.sendClientRequest("/auth/oauth/cross-domain/authorize", {
 			method: "POST",
 			headers: { "Content-Type": "application/json" },
@@ -2147,6 +2154,8 @@ var _HexclaveClientAppImplIncomplete = class _HexclaveClientAppImplIncomplete {
 		return await this._redirectToHandler("signUp", options);
 	}
 	async redirectToSignOut(options) {
+		const configuredSignOutTarget = this._urlOptions.signOut ?? this._urlOptions.default;
+		if (typeof configuredSignOutTarget !== "string" && configuredSignOutTarget?.type === "hosted") return await this.signOut();
 		return await this._redirectToHandler("signOut", options);
 	}
 	async redirectToEmailVerification(options) {
@@ -2684,9 +2693,27 @@ var _HexclaveClientAppImplIncomplete = class _HexclaveClientAppImplIncomplete {
 				url: options.redirectUrl,
 				replace: true
 			});
-			else await this.redirectToAfterSignOut();
+			else await this._redirectToDefaultAfterSignOut();
 		});
 	}
+	async _redirectToDefaultAfterSignOut() {
+		if (this._urlOptions.afterSignOut != null) {
+			await this.redirectToAfterSignOut({ replace: true });
+			return;
+		}
+		if (this._urlOptions.home != null) {
+			await this.redirectToHome({ replace: true });
+			return;
+		}
+		if (this._urlOptions.default?.type === "hosted" && typeof window !== "undefined") {
+			await this._redirectTo({
+				url: getRelativePart(new URL(window.location.href)),
+				replace: true
+			});
+			return;
+		}
+		await this.redirectToAfterSignOut({ replace: true });
+	}
 	async signOut(options) {
 		const user = await this.getUser({ tokenStore: options?.tokenStore ?? void 0 });
 		if (user) await user.signOut({ redirectUrl: options?.redirectUrl });