@insforge/sdk 1.0.2-dev.0 → 1.0.3-dev.0

package/dist/index.mjs

@@ -138,8 +138,31 @@ var HttpClient = class {
 // src/lib/token-manager.ts
 var TOKEN_KEY = "insforge-auth-token";
 var USER_KEY = "insforge-auth-user";
+var CSRF_TOKEN_COOKIE = "insforge_csrf_token";
+function getCsrfToken() {
+  if (typeof document === "undefined") return null;
+  const match = document.cookie.split(";").find((c) => c.trim().startsWith(`${CSRF_TOKEN_COOKIE}=`));
+  if (!match) return null;
+  return match.split("=")[1] || null;
+}
+function setCsrfToken(token) {
+  if (typeof document === "undefined") return;
+  const maxAge = 7 * 24 * 60 * 60;
+  const secure = typeof window !== "undefined" && window.location.protocol === "https:" ? "; Secure" : "";
+  document.cookie = `${CSRF_TOKEN_COOKIE}=${encodeURIComponent(token)}; path=/; max-age=${maxAge}; SameSite=Lax${secure}`;
+}
+function clearCsrfToken() {
+  if (typeof document === "undefined") return;
+  const secure = typeof window !== "undefined" && window.location.protocol === "https:" ? "; Secure" : "";
+  document.cookie = `${CSRF_TOKEN_COOKIE}=; path=/; max-age=0; SameSite=Lax${secure}`;
+}
 var TokenManager = class {
   constructor(storage) {
+    // In-memory storage
+    this.accessToken = null;
+    this.user = null;
+    // Mode: 'memory' (new backend) or 'storage' (legacy backend, default)
+    this._mode = "storage";
     if (storage) {
       this.storage = storage;
     } else if (typeof window !== "undefined" && window.localStorage) {
@@ -157,126 +180,117 @@ var TokenManager = class {
       };
     }
   }
-  saveSession(session) {
-    this.storage.setItem(TOKEN_KEY, session.accessToken);
-    this.storage.setItem(USER_KEY, JSON.stringify(session.user));
+  /**
+   * Get current mode
+   */
+  get mode() {
+    return this._mode;
   }
-  getSession() {
+  /**
+   * Set mode to memory (new backend with cookies + memory)
+   */
+  setMemoryMode() {
+    if (this._mode === "storage") {
+      this.storage.removeItem(TOKEN_KEY);
+      this.storage.removeItem(USER_KEY);
+    }
+    this._mode = "memory";
+  }
+  /**
+   * Set mode to storage (legacy backend with localStorage)
+   * Also loads existing session from localStorage
+   */
+  setStorageMode() {
+    this._mode = "storage";
+    this.loadFromStorage();
+  }
+  /**
+   * Load session from localStorage
+   */
+  loadFromStorage() {
     const token = this.storage.getItem(TOKEN_KEY);
     const userStr = this.storage.getItem(USER_KEY);
-    if (!token || !userStr) {
-      return null;
+    if (token && userStr) {
+      try {
+        this.accessToken = token;
+        this.user = JSON.parse(userStr);
+      } catch {
+        this.clearSession();
+      }
     }
-    try {
-      const user = JSON.parse(userStr);
-      return { accessToken: token, user };
-    } catch {
-      this.clearSession();
-      return null;
+  }
+  /**
+   * Save session (memory always, localStorage only in storage mode)
+   */
+  saveSession(session) {
+    this.accessToken = session.accessToken;
+    this.user = session.user;
+    if (this._mode === "storage") {
+      this.storage.setItem(TOKEN_KEY, session.accessToken);
+      this.storage.setItem(USER_KEY, JSON.stringify(session.user));
     }
   }
+  /**
+   * Get current session
+   */
+  getSession() {
+    this.loadFromStorage();
+    if (!this.accessToken || !this.user) return null;
+    return {
+      accessToken: this.accessToken,
+      user: this.user
+    };
+  }
+  /**
+   * Get access token
+   */
   getAccessToken() {
-    const token = this.storage.getItem(TOKEN_KEY);
-    return typeof token === "string" ? token : null;
+    this.loadFromStorage();
+    return this.accessToken;
   }
+  /**
+   * Set access token
+   */
+  setAccessToken(token) {
+    this.accessToken = token;
+    if (this._mode === "storage") {
+      this.storage.setItem(TOKEN_KEY, token);
+    }
+  }
+  /**
+   * Get user
+   */
+  getUser() {
+    return this.user;
+  }
+  /**
+   * Set user
+   */
+  setUser(user) {
+    this.user = user;
+    if (this._mode === "storage") {
+      this.storage.setItem(USER_KEY, JSON.stringify(user));
+    }
+  }
+  /**
+   * Clear session (both memory and localStorage)
+   */
   clearSession() {
+    this.accessToken = null;
+    this.user = null;
     this.storage.removeItem(TOKEN_KEY);
     this.storage.removeItem(USER_KEY);
   }
-};
-
-// src/modules/database-postgrest.ts
-import { PostgrestClient } from "@supabase/postgrest-js";
-function createInsForgePostgrestFetch(httpClient, tokenManager) {
-  return async (input, init) => {
-    const url = typeof input === "string" ? input : input.toString();
-    const urlObj = new URL(url);
-    const tableName = urlObj.pathname.slice(1);
-    const insforgeUrl = `${httpClient.baseUrl}/api/database/records/${tableName}${urlObj.search}`;
-    const token = tokenManager.getAccessToken();
-    const httpHeaders = httpClient.getHeaders();
-    const authToken = token || httpHeaders["Authorization"]?.replace("Bearer ", "");
-    const headers = new Headers(init?.headers);
-    if (authToken && !headers.has("Authorization")) {
-      headers.set("Authorization", `Bearer ${authToken}`);
-    }
-    const response = await fetch(insforgeUrl, {
-      ...init,
-      headers
-    });
-    return response;
-  };
-}
-var Database = class {
-  constructor(httpClient, tokenManager) {
-    this.postgrest = new PostgrestClient("http://dummy", {
-      fetch: createInsForgePostgrestFetch(httpClient, tokenManager),
-      headers: {}
-    });
-  }
   /**
-   * Create a query builder for a table
-   * 
-   * @example
-   * // Basic query
-   * const { data, error } = await client.database
-   *   .from('posts')
-   *   .select('*')
-   *   .eq('user_id', userId);
-   * 
-   * // With count (Supabase style!)
-   * const { data, error, count } = await client.database
-   *   .from('posts')
-   *   .select('*', { count: 'exact' })
-   *   .range(0, 9);
-   * 
-   * // Just get count, no data
-   * const { count } = await client.database
-   *   .from('posts')
-   *   .select('*', { count: 'exact', head: true });
-   * 
-   * // Complex queries with OR
-   * const { data } = await client.database
-   *   .from('posts')
-   *   .select('*, users!inner(*)')
-   *   .or('status.eq.active,status.eq.pending');
-   * 
-   * // All features work:
-   * - Nested selects
-   * - Foreign key expansion  
-   * - OR/AND/NOT conditions
-   * - Count with head
-   * - Range pagination
-   * - Upserts
+   * Check if there's a session in localStorage (for legacy detection)
    */
-  from(table) {
-    return this.postgrest.from(table);
+  hasStoredSession() {
+    const token = this.storage.getItem(TOKEN_KEY);
+    return !!token;
   }
 };
 
 // src/modules/auth.ts
-function convertDbProfileToCamelCase(dbProfile) {
-  const result = {
-    id: dbProfile.id
-  };
-  Object.keys(dbProfile).forEach((key) => {
-    result[key] = dbProfile[key];
-    if (key.includes("_")) {
-      const camelKey = key.replace(/_([a-z])/g, (_, letter) => letter.toUpperCase());
-      result[camelKey] = dbProfile[key];
-    }
-  });
-  return result;
-}
-function convertCamelCaseToDbProfile(profile) {
-  const dbProfile = {};
-  Object.keys(profile).forEach((key) => {
-    if (profile[key] === void 0) return;
-    const snakeKey = key.replace(/[A-Z]/g, (letter) => `_${letter.toLowerCase()}`);
-    dbProfile[snakeKey] = profile[key];
-  });
-  return dbProfile;
-}
 function isHostedAuthEnvironment() {
   if (typeof window === "undefined") {
     return false;
@@ -294,15 +308,14 @@ var Auth = class {
   constructor(http, tokenManager) {
     this.http = http;
     this.tokenManager = tokenManager;
-    this.database = new Database(http, tokenManager);
     this.detectAuthCallback();
   }
   /**
    * Automatically detect and handle OAuth callback parameters in the URL
-   * This runs on initialization to seamlessly complete the OAuth flow
+   * This runs after initialization to seamlessly complete the OAuth flow
    * Matches the backend's OAuth callback response (backend/src/api/routes/auth.ts:540-544)
    */
-  detectAuthCallback() {
+  async detectAuthCallback() {
     if (typeof window === "undefined") return;
     try {
       const params = new URLSearchParams(window.location.search);
@@ -310,13 +323,20 @@ var Auth = class {
       const userId = params.get("user_id");
       const email = params.get("email");
       const name = params.get("name");
+      const csrfToken = params.get("csrf_token");
       if (accessToken && userId && email) {
+        if (csrfToken) {
+          this.tokenManager.setMemoryMode();
+          setCsrfToken(csrfToken);
+        }
+        const { data: profileData } = await this.getProfile(userId);
         const session = {
           accessToken,
           user: {
             id: userId,
             email,
-            name: name || "",
+            profile: profileData?.profile || { name: name || "" },
+            metadata: null,
             // These fields are not provided by backend OAuth callback
             // They'll be populated when calling getCurrentUser()
             emailVerified: false,
@@ -331,6 +351,7 @@ var Auth = class {
         url.searchParams.delete("user_id");
         url.searchParams.delete("email");
         url.searchParams.delete("name");
+        url.searchParams.delete("csrf_token");
         if (params.has("error")) {
           url.searchParams.delete("error");
         }
@@ -346,15 +367,16 @@ var Auth = class {
   async signUp(request) {
     try {
       const response = await this.http.post("/api/auth/users", request);
-      if (response.accessToken && response.user) {
+      if (response.accessToken && response.user && !isHostedAuthEnvironment()) {
         const session = {
           accessToken: response.accessToken,
           user: response.user
         };
-        if (!isHostedAuthEnvironment()) {
-          this.tokenManager.saveSession(session);
-        }
+        this.tokenManager.saveSession(session);
         this.http.setAuthToken(response.accessToken);
+        if (response.csrfToken) {
+          setCsrfToken(response.csrfToken);
+        }
       }
       return {
         data: response,
@@ -380,21 +402,17 @@ var Auth = class {
   async signInWithPassword(request) {
     try {
       const response = await this.http.post("/api/auth/sessions", request);
-      const session = {
-        accessToken: response.accessToken || "",
-        user: response.user || {
-          id: "",
-          email: "",
-          name: "",
-          emailVerified: false,
-          createdAt: "",
-          updatedAt: ""
-        }
-      };
       if (!isHostedAuthEnvironment()) {
+        const session = {
+          accessToken: response.accessToken,
+          user: response.user
+        };
         this.tokenManager.saveSession(session);
+        this.http.setAuthToken(response.accessToken);
+        if (response.csrfToken) {
+          setCsrfToken(response.csrfToken);
+        }
       }
-      this.http.setAuthToken(response.accessToken || "");
       return {
         data: response,
         error: null
@@ -452,8 +470,13 @@ var Auth = class {
    */
   async signOut() {
     try {
+      try {
+        await this.http.post("/api/auth/logout", void 0, { credentials: "include" });
+      } catch {
+      }
       this.tokenManager.clearSession();
       this.http.setAuthToken(null);
+      clearCsrfToken();
       return { error: null };
     } catch (error) {
       return {
@@ -514,14 +537,9 @@ var Auth = class {
       }
       this.http.setAuthToken(session.accessToken);
       const authResponse = await this.http.get("/api/auth/sessions/current");
-      const { data: profile, error: profileError } = await this.database.from("users").select("*").eq("id", authResponse.user.id).single();
-      if (profileError && profileError.code !== "PGRST116") {
-        return { data: null, error: profileError };
-      }
       return {
         data: {
-          user: authResponse.user,
-          profile: profile ? convertDbProfileToCamelCase(profile) : null
+          user: authResponse.user
         },
         error: null
       };
@@ -545,29 +563,80 @@ var Auth = class {
   }
   /**
    * Get any user's profile by ID
-   * Returns profile information from the users table (dynamic fields)
+   * Returns profile information from the users table
    */
   async getProfile(userId) {
-    const { data, error } = await this.database.from("users").select("*").eq("id", userId).single();
-    if (error && error.code === "PGRST116") {
-      return { data: null, error: null };
-    }
-    if (data) {
-      return { data: convertDbProfileToCamelCase(data), error: null };
+    try {
+      const response = await this.http.get(`/api/auth/profiles/${userId}`);
+      return {
+        data: response,
+        error: null
+      };
+    } catch (error) {
+      if (error instanceof InsForgeError) {
+        return { data: null, error };
+      }
+      return {
+        data: null,
+        error: new InsForgeError(
+          "An unexpected error occurred while fetching user profile",
+          500,
+          "UNEXPECTED_ERROR"
+        )
+      };
     }
-    return { data: null, error };
   }
   /**
    * Get the current session (only session data, no API call)
    * Returns the stored JWT token and basic user info from local storage
    */
-  getCurrentSession() {
+  async getCurrentSession() {
     try {
       const session = this.tokenManager.getSession();
-      if (session?.accessToken) {
+      if (session) {
         this.http.setAuthToken(session.accessToken);
         return { data: { session }, error: null };
       }
+      if (typeof window !== "undefined") {
+        try {
+          const csrfToken = getCsrfToken();
+          const response = await this.http.post(
+            "/api/auth/refresh",
+            void 0,
+            {
+              headers: csrfToken ? { "X-CSRF-Token": csrfToken } : {},
+              credentials: "include"
+            }
+          );
+          if (response.accessToken) {
+            this.tokenManager.setMemoryMode();
+            this.tokenManager.setAccessToken(response.accessToken);
+            this.http.setAuthToken(response.accessToken);
+            if (response.user) {
+              this.tokenManager.setUser(response.user);
+            }
+            if (response.csrfToken) {
+              setCsrfToken(response.csrfToken);
+            }
+            return {
+              data: { session: this.tokenManager.getSession() },
+              error: null
+            };
+          }
+        } catch (error) {
+          if (error instanceof InsForgeError) {
+            if (error.statusCode === 404) {
+              this.tokenManager.setStorageMode();
+              const session2 = this.tokenManager.getSession();
+              if (session2) {
+                return { data: { session: session2 }, error: null };
+              }
+              return { data: { session: null }, error: null };
+            }
+            return { data: { session: null }, error };
+          }
+        }
+      }
       return { data: { session: null }, error: null };
     } catch (error) {
       if (error instanceof InsForgeError) {
@@ -586,42 +655,31 @@ var Auth = class {
   /**
    * Set/Update the current user's profile
    * Updates profile information in the users table (supports any dynamic fields)
+   * Requires authentication
    */
   async setProfile(profile) {
-    const session = this.tokenManager.getSession();
-    if (!session?.accessToken) {
+    try {
+      const response = await this.http.patch(
+        "/api/auth/profiles/current",
+        { profile }
+      );
+      return {
+        data: response,
+        error: null
+      };
+    } catch (error) {
+      if (error instanceof InsForgeError) {
+        return { data: null, error };
+      }
       return {
         data: null,
         error: new InsForgeError(
-          "No authenticated user found",
-          401,
-          "UNAUTHENTICATED"
+          "An unexpected error occurred while updating user profile",
+          500,
+          "UNEXPECTED_ERROR"
         )
       };
     }
-    if (!session.user?.id) {
-      const { data: data2, error: error2 } = await this.getCurrentUser();
-      if (error2) {
-        return { data: null, error: error2 };
-      }
-      if (data2?.user) {
-        session.user = {
-          id: data2.user.id,
-          email: data2.user.email,
-          name: "",
-          emailVerified: false,
-          createdAt: (/* @__PURE__ */ new Date()).toISOString(),
-          updatedAt: (/* @__PURE__ */ new Date()).toISOString()
-        };
-        this.tokenManager.saveSession(session);
-      }
-    }
-    const dbProfile = convertCamelCaseToDbProfile(profile);
-    const { data, error } = await this.database.from("users").update(dbProfile).eq("id", session.user.id).select().single();
-    if (data) {
-      return { data: convertDbProfileToCamelCase(data), error: null };
-    }
-    return { data: null, error };
   }
   /**
    * Send email verification (code or link based on config)
@@ -775,13 +833,16 @@ var Auth = class {
         "/api/auth/email/verify",
         request
       );
-      if (response.accessToken) {
+      if (!isHostedAuthEnvironment()) {
         const session = {
           accessToken: response.accessToken,
-          user: response.user || {}
+          user: response.user
         };
         this.tokenManager.saveSession(session);
         this.http.setAuthToken(response.accessToken);
+        if (response.csrfToken) {
+          setCsrfToken(response.csrfToken);
+        }
       }
       return {
         data: response,
@@ -803,6 +864,75 @@ var Auth = class {
   }
 };
 
+// src/modules/database-postgrest.ts
+import { PostgrestClient } from "@supabase/postgrest-js";
+function createInsForgePostgrestFetch(httpClient, tokenManager) {
+  return async (input, init) => {
+    const url = typeof input === "string" ? input : input.toString();
+    const urlObj = new URL(url);
+    const tableName = urlObj.pathname.slice(1);
+    const insforgeUrl = `${httpClient.baseUrl}/api/database/records/${tableName}${urlObj.search}`;
+    const token = tokenManager.getAccessToken();
+    const httpHeaders = httpClient.getHeaders();
+    const authToken = token || httpHeaders["Authorization"]?.replace("Bearer ", "");
+    const headers = new Headers(init?.headers);
+    if (authToken && !headers.has("Authorization")) {
+      headers.set("Authorization", `Bearer ${authToken}`);
+    }
+    const response = await fetch(insforgeUrl, {
+      ...init,
+      headers
+    });
+    return response;
+  };
+}
+var Database = class {
+  constructor(httpClient, tokenManager) {
+    this.postgrest = new PostgrestClient("http://dummy", {
+      fetch: createInsForgePostgrestFetch(httpClient, tokenManager),
+      headers: {}
+    });
+  }
+  /**
+   * Create a query builder for a table
+   * 
+   * @example
+   * // Basic query
+   * const { data, error } = await client.database
+   *   .from('posts')
+   *   .select('*')
+   *   .eq('user_id', userId);
+   * 
+   * // With count (Supabase style!)
+   * const { data, error, count } = await client.database
+   *   .from('posts')
+   *   .select('*', { count: 'exact' })
+   *   .range(0, 9);
+   * 
+   * // Just get count, no data
+   * const { count } = await client.database
+   *   .from('posts')
+   *   .select('*', { count: 'exact', head: true });
+   * 
+   * // Complex queries with OR
+   * const { data } = await client.database
+   *   .from('posts')
+   *   .select('*, users!inner(*)')
+   *   .or('status.eq.active,status.eq.pending');
+   * 
+   * // All features work:
+   * - Nested selects
+   * - Foreign key expansion  
+   * - OR/AND/NOT conditions
+   * - Count with head
+   * - Range pagination
+   * - Upserts
+   */
+  from(table) {
+    return this.postgrest.from(table);
+  }
+};
+
 // src/modules/storage.ts
 var StorageBucket = class {
   constructor(bucketName, http) {
@@ -1597,10 +1727,7 @@ var InsForgeClient = class {
     if (existingSession?.accessToken) {
       this.http.setAuthToken(existingSession.accessToken);
     }
-    this.auth = new Auth(
-      this.http,
-      this.tokenManager
-    );
+    this.auth = new Auth(this.http, this.tokenManager);
     this.database = new Database(this.http, this.tokenManager);
     this.storage = new Storage(this.http);
     this.ai = new AI(this.http);