@insforge/sdk 1.0.1-refresh.3 → 1.0.1-refresh.5

package/dist/index.mjs

@@ -85,11 +85,11 @@ var HttpClient = class {
       method,
       headers: requestHeaders,
       body: processedBody,
-      credentials: "include",
-      // Essential for httpOnly cookies (refresh token)
-      ...fetchOptions
+      ...fetchOptions,
+      credentials: "include"
     });
-    if (response.status === 401 && !isRetry && this.refreshCallback) {
+    const isRefreshEndpoint = path.includes("/api/auth/refresh") || path.includes("/api/auth/logout");
+    if (response.status === 401 && !isRetry && !isRefreshEndpoint && this.refreshCallback) {
       const newToken = await this.handleTokenRefresh();
       if (newToken) {
         this.setAuthToken(newToken);
@@ -139,7 +139,7 @@ var HttpClient = class {
     }
     this.isRefreshing = true;
     try {
-      const newToken = await this.refreshCallback();
+      const newToken = await this.refreshCallback?.();
       this.refreshQueue.forEach(({ resolve, reject }) => {
         if (newToken) {
           resolve(newToken);
@@ -148,7 +148,7 @@ var HttpClient = class {
         }
       });
       this.refreshQueue = [];
-      return newToken;
+      return newToken || null;
     } catch (error) {
       this.refreshQueue.forEach(({ reject }) => {
         reject(error instanceof Error ? error : new Error("Token refresh failed"));
@@ -200,10 +200,9 @@ var SecureSessionStorage = class {
   saveSession(session) {
     this.accessToken = session.accessToken;
     this.user = session.user;
-    this.setAuthFlag(true);
   }
   getSession() {
-    if (!this.accessToken) return null;
+    if (!this.accessToken || !this.user) return null;
     return {
       accessToken: this.accessToken,
       user: this.user
@@ -224,25 +223,17 @@ var SecureSessionStorage = class {
   clearSession() {
     this.accessToken = null;
     this.user = null;
-    this.setAuthFlag(false);
   }
   shouldAttemptRefresh() {
     if (this.accessToken) return false;
     return this.hasAuthFlag();
   }
-  // --- Private: Auth Flag Cookie Management ---
-  setAuthFlag(authenticated) {
-    if (typeof document === "undefined") return;
-    if (authenticated) {
-      const maxAge = 7 * 24 * 60 * 60;
-      document.cookie = `${AUTH_FLAG_COOKIE}=true; path=/; max-age=${maxAge}; SameSite=Lax`;
-    } else {
-      document.cookie = `${AUTH_FLAG_COOKIE}=; path=/; max-age=0`;
-    }
-  }
+  // --- Private: Auth Flag Cookie Detection (SDK-managed on frontend domain) ---
   hasAuthFlag() {
     if (typeof document === "undefined") return false;
-    return document.cookie.includes(`${AUTH_FLAG_COOKIE}=true`);
+    return document.cookie.split(";").some(
+      (c) => c.trim().startsWith(`${AUTH_FLAG_COOKIE}=`)
+    );
   }
 };
 var LocalSessionStorage = class {
@@ -388,41 +379,6 @@ var TokenManager = class {
   }
 };
 
-// src/lib/backend-config.ts
-var DEFAULT_CONFIG = {
-  secureSessionStorage: false,
-  refreshTokens: false
-};
-async function discoverBackendConfig(baseUrl, fetchImpl = globalThis.fetch) {
-  try {
-    const response = await fetchImpl(`${baseUrl}/api/health`, {
-      method: "GET",
-      headers: {
-        "Accept": "application/json"
-      }
-    });
-    if (!response.ok) {
-      return DEFAULT_CONFIG;
-    }
-    const health = await response.json();
-    if (health.config) {
-      return health.config;
-    }
-    return DEFAULT_CONFIG;
-  } catch {
-    return DEFAULT_CONFIG;
-  }
-}
-function createSessionStorage(config, storage) {
-  if (config.secureSessionStorage && config.refreshTokens) {
-    return new SecureSessionStorage();
-  }
-  return new LocalSessionStorage(storage);
-}
-function getDefaultBackendConfig() {
-  return { ...DEFAULT_CONFIG };
-}
-
 // src/modules/database-postgrest.ts
 import { PostgrestClient } from "@supabase/postgrest-js";
 function createInsForgePostgrestFetch(httpClient, tokenManager) {
@@ -529,99 +485,75 @@ function isHostedAuthEnvironment() {
   return false;
 }
 var Auth = class {
-  constructor(http, tokenManager, initializePromise) {
+  constructor(http, tokenManager) {
     this.http = http;
     this.tokenManager = tokenManager;
-    this.authStateListeners = /* @__PURE__ */ new Set();
     this.database = new Database(http, tokenManager);
-    this.initializePromise = initializePromise ?? Promise.resolve();
+    this.detectAuthCallback();
   }
   /**
-   * Subscribe to auth state changes
-   * 
-   * New subscribers will receive an INITIAL_SESSION event after initialization completes.
-   * This ensures no race condition where subscribers miss the initial state.
-   * 
-   * @param callback - Function called when auth state changes
-   * @returns Unsubscribe function
-   * 
-   * @example
-   * ```typescript
-   * const { data: { subscription } } = client.auth.onAuthStateChange((event, session) => {
-   *   if (event === 'SIGNED_IN') {
-   *     console.log('User signed in:', session?.user.email);
-   *   } else if (event === 'SIGNED_OUT') {
-   *     console.log('User signed out');
-   *   }
-   * });
-   * 
-   * // Later: unsubscribe
-   * subscription.unsubscribe();
-   * ```
+   * Set the isAuthenticated cookie flag on the frontend domain
+   * This is managed by SDK, not backend, to work in cross-origin scenarios
    */
-  onAuthStateChange(callback) {
-    this.authStateListeners.add(callback);
-    ;
-    (async () => {
-      await this.initializePromise;
-      if (this.authStateListeners.has(callback)) {
-        const session = this.tokenManager.getSession();
-        try {
-          callback("INITIAL_SESSION", session);
-        } catch (error) {
-          console.error("[Auth] Error in auth state change listener:", error);
-        }
-      }
-    })();
-    return {
-      data: {
-        subscription: {
-          unsubscribe: () => {
-            this.authStateListeners.delete(callback);
-          }
-        }
-      }
-    };
+  setAuthenticatedCookie() {
+    if (typeof document === "undefined") return;
+    const maxAge = 7 * 24 * 60 * 60;
+    document.cookie = `${AUTH_FLAG_COOKIE}=true; path=/; max-age=${maxAge}; SameSite=Lax`;
   }
   /**
-   * Emit auth state change to all listeners
+   * Clear the isAuthenticated cookie flag from the frontend domain
+   */
+  clearAuthenticatedCookie() {
+    if (typeof document === "undefined") return;
+    document.cookie = `${AUTH_FLAG_COOKIE}=; path=/; max-age=0; SameSite=Lax`;
+  }
+  /**
+   * Switch to SecureSessionStorage (cookie-based auth)
+   * Called when backend returns sessionMode: 'secure'
    * @internal
    */
-  _emitAuthStateChange(event, session) {
-    this.authStateListeners.forEach((callback) => {
-      try {
-        callback(event, session);
-      } catch (error) {
-        console.error("[Auth] Error in auth state change listener:", error);
-      }
-    });
+  _switchToSecureStorage() {
+    if (this.tokenManager.getStrategyId() === "secure") return;
+    const currentSession = this.tokenManager.getSession();
+    this.tokenManager.setStrategy(new SecureSessionStorage());
+    if (typeof localStorage !== "undefined") {
+      localStorage.removeItem(TOKEN_KEY);
+      localStorage.removeItem(USER_KEY);
+    }
+    this.setAuthenticatedCookie();
+    if (currentSession) {
+      this.tokenManager.saveSession(currentSession);
+    }
   }
   /**
-   * Check if an error represents an authentication failure
-   * Used to determine appropriate HTTP status code (401 vs 500)
+   * Switch to LocalSessionStorage (localStorage-based auth)
+   * Called when cookie-based auth fails (fallback)
+   * @internal
    */
-  isAuthenticationError(error) {
-    if (error instanceof Error) {
-      const message = error.message.toLowerCase();
-      const authKeywords = [
-        "unauthorized",
-        "invalid token",
-        "expired token",
-        "token expired",
-        "invalid refresh token",
-        "refresh token",
-        "authentication",
-        "not authenticated",
-        "session expired"
-      ];
-      return authKeywords.some((keyword) => message.includes(keyword));
+  _switchToLocalStorage() {
+    if (this.tokenManager.getStrategyId() === "local") return;
+    const currentSession = this.tokenManager.getSession();
+    this.tokenManager.setStrategy(new LocalSessionStorage());
+    this.clearAuthenticatedCookie();
+    if (currentSession) {
+      this.tokenManager.saveSession(currentSession);
     }
-    return false;
   }
   /**
-   * Detect and handle OAuth callback parameters in the URL.
-   * Called by client after initialization.
+   * Detect storage strategy based on backend response
+   * @param sessionMode - The sessionMode returned by backend ('secure' or undefined)
+   * @internal
    */
+  _detectStorageFromResponse(sessionMode) {
+    if (sessionMode === "secure") {
+      this._switchToSecureStorage();
+    }
+  }
+  /**
+  * Automatically detect and handle OAuth callback parameters in the URL
+  * This runs on initialization to seamlessly complete the OAuth flow
+  * Matches the backend's OAuth callback response (backend/src/api/routes/auth.ts:540-544)
+  */
   detectAuthCallback() {
     if (typeof window === "undefined") return;
     try {
@@ -630,7 +562,9 @@ var Auth = class {
       const userId = params.get("user_id");
       const email = params.get("email");
       const name = params.get("name");
+      const sessionMode = params.get("session_mode");
       if (accessToken && userId && email) {
+        this._detectStorageFromResponse(sessionMode || void 0);
         const session = {
           accessToken,
           user: {
@@ -651,13 +585,14 @@ var Auth = class {
         url.searchParams.delete("user_id");
         url.searchParams.delete("email");
         url.searchParams.delete("name");
+        url.searchParams.delete("session_mode");
         if (params.has("error")) {
           url.searchParams.delete("error");
         }
         window.history.replaceState({}, document.title, url.toString());
-        this._emitAuthStateChange("SIGNED_IN", session);
       }
-    } catch {
+    } catch (error) {
+      console.debug("OAuth callback detection skipped:", error);
     }
   }
   /**
@@ -666,6 +601,8 @@ var Auth = class {
   async signUp(request) {
     try {
       const response = await this.http.post("/api/auth/users", request);
+      const sessionMode = response.sessionMode;
+      this._detectStorageFromResponse(sessionMode);
       if (response.accessToken && response.user) {
         const session = {
           accessToken: response.accessToken,
@@ -675,7 +612,6 @@ var Auth = class {
           this.tokenManager.saveSession(session);
         }
         this.http.setAuthToken(response.accessToken);
-        this._emitAuthStateChange("SIGNED_IN", session);
       }
       return {
         data: response,
@@ -701,6 +637,8 @@ var Auth = class {
   async signInWithPassword(request) {
     try {
       const response = await this.http.post("/api/auth/sessions", request);
+      const sessionMode = response.sessionMode;
+      this._detectStorageFromResponse(sessionMode);
       const session = {
         accessToken: response.accessToken || "",
         user: response.user || {
@@ -716,7 +654,6 @@ var Auth = class {
         this.tokenManager.saveSession(session);
       }
       this.http.setAuthToken(response.accessToken || "");
-      this._emitAuthStateChange("SIGNED_IN", session);
       return {
         data: response,
         error: null
@@ -783,7 +720,7 @@ var Auth = class {
       }
       this.tokenManager.clearSession();
       this.http.setAuthToken(null);
-      this._emitAuthStateChange("SIGNED_OUT", null);
+      this.clearAuthenticatedCookie();
       return { error: null };
     } catch (error) {
       return {
@@ -807,13 +744,12 @@ var Auth = class {
         "/api/auth/refresh"
       );
       if (response.accessToken) {
+        this._detectStorageFromResponse(response.sessionMode);
         this.tokenManager.setAccessToken(response.accessToken);
         this.http.setAuthToken(response.accessToken);
         if (response.user) {
           this.tokenManager.setUser(response.user);
         }
-        const session = this.tokenManager.getSession();
-        this._emitAuthStateChange("TOKEN_REFRESHED", session);
         return response.accessToken;
       }
       throw new InsForgeError(
@@ -826,18 +762,13 @@ var Auth = class {
         if (error.statusCode === 401 || error.statusCode === 403) {
           this.tokenManager.clearSession();
           this.http.setAuthToken(null);
+          this.clearAuthenticatedCookie();
         }
         throw error;
       }
-      const errorMessage = error instanceof Error ? error.message : "Token refresh failed";
-      const isAuthError = this.isAuthenticationError(error);
-      if (isAuthError) {
-        this.tokenManager.clearSession();
-        this.http.setAuthToken(null);
-      }
       throw new InsForgeError(
-        errorMessage,
-        isAuthError ? 401 : 500,
+        "Token refresh failed",
+        500,
         "REFRESH_FAILED"
       );
     }
@@ -882,14 +813,27 @@ var Auth = class {
   /**
    * Get the current user with full profile information
    * Returns both auth info (id, email, role) and profile data (dynamic fields from users table)
+   * 
+   * In secure session mode (httpOnly cookie), this method will automatically attempt
+   * to refresh the session if no access token is available (e.g., after page reload).
    */
   async getCurrentUser() {
     try {
-      const session = this.tokenManager.getSession();
-      if (!session?.accessToken) {
+      let accessToken = this.tokenManager.getAccessToken();
+      if (!accessToken && this.tokenManager.shouldAttemptRefresh()) {
+        try {
+          accessToken = await this.refreshToken();
+        } catch (error) {
+          if (error instanceof InsForgeError && (error.statusCode === 401 || error.statusCode === 403)) {
+            return { data: null, error };
+          }
+          return { data: null, error: error instanceof InsForgeError ? error : new InsForgeError("Token refresh failed", 500, "REFRESH_FAILED") };
+        }
+      }
+      if (!accessToken) {
         return { data: null, error: null };
       }
-      this.http.setAuthToken(session.accessToken);
+      this.http.setAuthToken(accessToken);
       const authResponse = await this.http.get("/api/auth/sessions/current");
       const { data: profile, error: profileError } = await this.database.from("users").select("*").eq("id", authResponse.user.id).single();
       if (profileError && profileError.code !== "PGRST116") {
@@ -1152,6 +1096,8 @@ var Auth = class {
         "/api/auth/email/verify",
         request
       );
+      const sessionMode = response.sessionMode;
+      this._detectStorageFromResponse(sessionMode);
       if (response.accessToken) {
         const session = {
           accessToken: response.accessToken,
@@ -1159,7 +1105,6 @@ var Auth = class {
         };
         this.tokenManager.saveSession(session);
         this.http.setAuthToken(response.accessToken);
-        this._emitAuthStateChange("SIGNED_IN", session);
       }
       return {
         data: response,
@@ -1703,15 +1648,19 @@ var Functions = class {
 };
 
 // src/client.ts
+function hasAuthenticatedCookie() {
+  if (typeof document === "undefined") return false;
+  return document.cookie.split(";").some(
+    (c) => c.trim().startsWith(`${AUTH_FLAG_COOKIE}=`)
+  );
+}
 var InsForgeClient = class {
   constructor(config = {}) {
-    this.backendConfig = null;
-    this.initializePromise = new Promise((resolve) => {
-      this.initializeResolve = resolve;
-    });
     this.http = new HttpClient(config);
     this.tokenManager = new TokenManager(config.storage);
-    this.auth = new Auth(this.http, this.tokenManager, this.initializePromise);
+    if (hasAuthenticatedCookie()) {
+      this.tokenManager.setStrategy(new SecureSessionStorage());
+    }
     if (config.edgeFunctionToken) {
       this.http.setAuthToken(config.edgeFunctionToken);
       this.tokenManager.saveSession({
@@ -1724,82 +1673,55 @@ var InsForgeClient = class {
       try {
         return await this.auth.refreshToken();
       } catch {
+        if (this.tokenManager.getStrategyId() === "secure") {
+          this.auth._switchToLocalStorage();
+        }
         return null;
       }
     });
     const existingSession = this.tokenManager.getSession();
     if (existingSession?.accessToken) {
       this.http.setAuthToken(existingSession.accessToken);
+    } else if (this.tokenManager.getStrategyId() === "secure") {
     }
+    this.auth = new Auth(this.http, this.tokenManager);
     this.database = new Database(this.http, this.tokenManager);
     this.storage = new Storage(this.http);
     this.ai = new AI(this.http);
     this.functions = new Functions(this.http);
-    this._initializeAsync();
-  }
-  /**
-   * Internal async initialization - discovers backend config and recovers session.
-   * Emits INITIAL_SESSION event when complete.
-   * @internal
-   */
-  async _initializeAsync() {
-    try {
-      this.backendConfig = await discoverBackendConfig(
-        this.http.baseUrl,
-        this.http.fetch
-      );
-      const strategy = createSessionStorage(this.backendConfig);
-      this.tokenManager.setStrategy(strategy);
-      this.auth.detectAuthCallback();
-      let currentSession = this.tokenManager.getSession();
-      if (!currentSession?.accessToken && this.backendConfig.refreshTokens) {
-        if (this.tokenManager.shouldAttemptRefresh()) {
-          try {
-            await this.auth.refreshToken();
-            currentSession = this.tokenManager.getSession();
-          } catch {
-            this.tokenManager.clearSession();
-            this.http.setAuthToken(null);
-          }
-        }
-      }
-      this.initializeResolve();
-    } catch {
-      this.auth.detectAuthCallback();
-      this.initializeResolve();
-    }
-  }
-  /**
-   * Wait for client initialization to complete
-   * @returns Promise that resolves when initialization is done
-   */
-  async waitForInitialization() {
-    return this.initializePromise;
   }
   /**
    * Get the underlying HTTP client for custom requests
+   * 
+   * @example
+   * ```typescript
+   * const httpClient = client.getHttpClient();
+   * const customData = await httpClient.get('/api/custom-endpoint');
+   * ```
    */
   getHttpClient() {
     return this.http;
   }
-  /**
-   * Get the discovered backend configuration
-   */
-  getBackendConfig() {
-    return this.backendConfig;
-  }
   /**
    * Get the current storage strategy identifier
    */
   getStorageStrategy() {
     return this.tokenManager.getStrategyId();
   }
+  /**
+   * Future modules will be added here:
+   * - database: Database operations
+   * - storage: File storage operations
+   * - functions: Serverless functions
+   * - tables: Table management
+   * - metadata: Backend metadata
+   */
 };
-function createClient(config = {}) {
-  return new InsForgeClient(config);
-}
 
 // src/index.ts
+function createClient(config) {
+  return new InsForgeClient(config);
+}
 var index_default = InsForgeClient;
 export {
   AI,
@@ -1815,9 +1737,6 @@ export {
   StorageBucket,
   TokenManager,
   createClient,
-  createSessionStorage,
-  index_default as default,
-  discoverBackendConfig,
-  getDefaultBackendConfig
+  index_default as default
 };
 //# sourceMappingURL=index.mjs.map