@insforge/sdk 1.1.0 → 1.1.2-edge.0

package/dist/index.d.mts

@@ -53,7 +53,7 @@ interface TokenStorage {
     removeItem(key: string): void | Promise<void>;
 }
 interface AuthSession {
-    user: UserSchema;
+    user: UserSchema | null;
     accessToken: string;
     expiresAt?: Date;
 }
@@ -166,11 +166,19 @@ declare class TokenManager {
 declare class Auth {
     private http;
     private tokenManager;
+    /**
+     * Promise that resolves when OAuth callback handling is complete.
+     * Resolves immediately if no OAuth callback is detected in the URL.
+     */
+    private authCallbackHandled;
     constructor(http: HttpClient, tokenManager: TokenManager);
     /**
      * Automatically detect and handle OAuth callback parameters in the URL
      * This runs after initialization to seamlessly complete the OAuth flow
-     * Matches the backend's OAuth callback response (backend/src/api/routes/auth.ts:540-544)
+     *
+     * Supports two flows:
+     * - PKCE flow (new): Backend returns `insforge_code` param, exchanged for tokens
+     * - Legacy flow: Backend returns tokens directly in URL (backward compatible)
      */
     private detectAuthCallback;
     /**
@@ -189,6 +197,7 @@ declare class Auth {
     }>;
     /**
      * Sign in with OAuth provider
+     * Uses PKCE (Proof Key for Code Exchange) for enhanced security
      */
     signInWithOAuth(options: {
         provider: OAuthProvidersSchema;
@@ -198,9 +207,45 @@ declare class Auth {
         data: {
             url?: string;
             provider?: string;
+            codeVerifier?: string;
         };
         error: InsForgeError | null;
     }>;
+    /**
+     * Exchange OAuth authorization code for tokens (PKCE flow)
+     *
+     * After OAuth callback redirects with an `insforge_code` parameter, call this method
+     * to exchange it for access tokens. The code verifier is automatically
+     * retrieved from sessionStorage if available.
+     *
+     * Note: This is called automatically by the SDK on initialization. You typically
+     * don't need to call this directly unless using `skipBrowserRedirect: true`.
+     *
+     * @param code - The authorization code from OAuth callback URL
+     * @param codeVerifier - Optional code verifier (auto-retrieved from sessionStorage if not provided)
+     * @returns Session data with access token and user info
+     *
+     * @example
+     * ```ts
+     * // Automatic verifier retrieval (recommended for browser)
+     * const params = new URLSearchParams(window.location.search);
+     * const code = params.get('insforge_code');
+     * if (code) {
+     *   const { data, error } = await insforge.auth.exchangeOAuthCode(code);
+     * }
+     *
+     * // Manual verifier (for custom flows)
+     * const { data, error } = await insforge.auth.exchangeOAuthCode(code, codeVerifier);
+     * ```
+     */
+    exchangeOAuthCode(code: string, codeVerifier?: string): Promise<{
+        data: {
+            accessToken: string;
+            user: UserSchema;
+            redirectTo?: string;
+        } | null;
+        error: InsForgeError | null;
+    }>;
     /**
      * Sign out the current user
      */
@@ -238,6 +283,7 @@ declare class Auth {
     /**
      * Get the current session (only session data, no API call)
      * Returns the stored JWT token and basic user info from local storage
+     * Automatically waits for any pending OAuth callback to complete first
      */
     getCurrentSession(): Promise<{
         data: {
@@ -395,6 +441,27 @@ declare class Database {
      * - Upserts
      */
     from(table: string): _supabase_postgrest_js.PostgrestQueryBuilder<any, any, any, string, unknown>;
+    /**
+     * Call a PostgreSQL function (RPC)
+     *
+     * @example
+     * // Call a function with parameters
+     * const { data, error } = await client.database
+     *   .rpc('get_user_stats', { user_id: 123 });
+     *
+     * // Call a function with no parameters
+     * const { data, error } = await client.database
+     *   .rpc('get_all_active_users');
+     *
+     * // With options (head, count, get)
+     * const { data, count } = await client.database
+     *   .rpc('search_posts', { query: 'hello' }, { count: 'exact' });
+     */
+    rpc(fn: string, args?: Record<string, unknown>, options?: {
+        head?: boolean;
+        get?: boolean;
+        count?: 'exact' | 'planned' | 'estimated';
+    }): _supabase_postgrest_js.PostgrestFilterBuilder<any, any, any, any, string, null, "RPC">;
 }
 
 /**

package/dist/index.d.ts

@@ -53,7 +53,7 @@ interface TokenStorage {
     removeItem(key: string): void | Promise<void>;
 }
 interface AuthSession {
-    user: UserSchema;
+    user: UserSchema | null;
     accessToken: string;
     expiresAt?: Date;
 }
@@ -166,11 +166,19 @@ declare class TokenManager {
 declare class Auth {
     private http;
     private tokenManager;
+    /**
+     * Promise that resolves when OAuth callback handling is complete.
+     * Resolves immediately if no OAuth callback is detected in the URL.
+     */
+    private authCallbackHandled;
     constructor(http: HttpClient, tokenManager: TokenManager);
     /**
      * Automatically detect and handle OAuth callback parameters in the URL
      * This runs after initialization to seamlessly complete the OAuth flow
-     * Matches the backend's OAuth callback response (backend/src/api/routes/auth.ts:540-544)
+     *
+     * Supports two flows:
+     * - PKCE flow (new): Backend returns `insforge_code` param, exchanged for tokens
+     * - Legacy flow: Backend returns tokens directly in URL (backward compatible)
      */
     private detectAuthCallback;
     /**
@@ -189,6 +197,7 @@ declare class Auth {
     }>;
     /**
      * Sign in with OAuth provider
+     * Uses PKCE (Proof Key for Code Exchange) for enhanced security
      */
     signInWithOAuth(options: {
         provider: OAuthProvidersSchema;
@@ -198,9 +207,45 @@ declare class Auth {
         data: {
             url?: string;
             provider?: string;
+            codeVerifier?: string;
         };
         error: InsForgeError | null;
     }>;
+    /**
+     * Exchange OAuth authorization code for tokens (PKCE flow)
+     *
+     * After OAuth callback redirects with an `insforge_code` parameter, call this method
+     * to exchange it for access tokens. The code verifier is automatically
+     * retrieved from sessionStorage if available.
+     *
+     * Note: This is called automatically by the SDK on initialization. You typically
+     * don't need to call this directly unless using `skipBrowserRedirect: true`.
+     *
+     * @param code - The authorization code from OAuth callback URL
+     * @param codeVerifier - Optional code verifier (auto-retrieved from sessionStorage if not provided)
+     * @returns Session data with access token and user info
+     *
+     * @example
+     * ```ts
+     * // Automatic verifier retrieval (recommended for browser)
+     * const params = new URLSearchParams(window.location.search);
+     * const code = params.get('insforge_code');
+     * if (code) {
+     *   const { data, error } = await insforge.auth.exchangeOAuthCode(code);
+     * }
+     *
+     * // Manual verifier (for custom flows)
+     * const { data, error } = await insforge.auth.exchangeOAuthCode(code, codeVerifier);
+     * ```
+     */
+    exchangeOAuthCode(code: string, codeVerifier?: string): Promise<{
+        data: {
+            accessToken: string;
+            user: UserSchema;
+            redirectTo?: string;
+        } | null;
+        error: InsForgeError | null;
+    }>;
     /**
      * Sign out the current user
      */
@@ -238,6 +283,7 @@ declare class Auth {
     /**
      * Get the current session (only session data, no API call)
      * Returns the stored JWT token and basic user info from local storage
+     * Automatically waits for any pending OAuth callback to complete first
      */
     getCurrentSession(): Promise<{
         data: {
@@ -395,6 +441,27 @@ declare class Database {
      * - Upserts
      */
     from(table: string): _supabase_postgrest_js.PostgrestQueryBuilder<any, any, any, string, unknown>;
+    /**
+     * Call a PostgreSQL function (RPC)
+     *
+     * @example
+     * // Call a function with parameters
+     * const { data, error } = await client.database
+     *   .rpc('get_user_stats', { user_id: 123 });
+     *
+     * // Call a function with no parameters
+     * const { data, error } = await client.database
+     *   .rpc('get_all_active_users');
+     *
+     * // With options (head, count, get)
+     * const { data, count } = await client.database
+     *   .rpc('search_posts', { query: 'hello' }, { count: 'exact' });
+     */
+    rpc(fn: string, args?: Record<string, unknown>, options?: {
+        head?: boolean;
+        get?: boolean;
+        count?: 'exact' | 'planned' | 'estimated';
+    }): _supabase_postgrest_js.PostgrestFilterBuilder<any, any, any, any, string, null, "RPC">;
 }
 
 /**

package/dist/index.js

@@ -357,21 +357,74 @@ function isHostedAuthEnvironment() {
   }
   return false;
 }
+var PKCE_VERIFIER_KEY = "insforge_pkce_verifier";
+function generateCodeVerifier() {
+  const array = new Uint8Array(32);
+  crypto.getRandomValues(array);
+  return base64UrlEncode(array);
+}
+async function generateCodeChallenge(verifier) {
+  const encoder = new TextEncoder();
+  const data = encoder.encode(verifier);
+  const hash = await crypto.subtle.digest("SHA-256", data);
+  return base64UrlEncode(new Uint8Array(hash));
+}
+function base64UrlEncode(buffer) {
+  const base64 = btoa(String.fromCharCode(...buffer));
+  return base64.replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
+}
+function storePkceVerifier(verifier) {
+  if (typeof sessionStorage !== "undefined") {
+    sessionStorage.setItem(PKCE_VERIFIER_KEY, verifier);
+  }
+}
+function retrievePkceVerifier() {
+  if (typeof sessionStorage === "undefined") {
+    return null;
+  }
+  const verifier = sessionStorage.getItem(PKCE_VERIFIER_KEY);
+  if (verifier) {
+    sessionStorage.removeItem(PKCE_VERIFIER_KEY);
+  }
+  return verifier;
+}
 var Auth = class {
   constructor(http, tokenManager) {
     this.http = http;
     this.tokenManager = tokenManager;
-    this.detectAuthCallback();
+    this.authCallbackHandled = this.detectAuthCallback();
   }
   /**
    * Automatically detect and handle OAuth callback parameters in the URL
    * This runs after initialization to seamlessly complete the OAuth flow
-   * Matches the backend's OAuth callback response (backend/src/api/routes/auth.ts:540-544)
+   *
+   * Supports two flows:
+   * - PKCE flow (new): Backend returns `insforge_code` param, exchanged for tokens
+   * - Legacy flow: Backend returns tokens directly in URL (backward compatible)
    */
-  detectAuthCallback() {
+  async detectAuthCallback() {
     if (typeof window === "undefined") return;
     try {
       const params = new URLSearchParams(window.location.search);
+      const error = params.get("error");
+      if (error) {
+        const url = new URL(window.location.href);
+        url.searchParams.delete("error");
+        window.history.replaceState({}, document.title, url.toString());
+        console.debug("OAuth callback error:", error);
+        return;
+      }
+      const code = params.get("insforge_code");
+      if (code) {
+        const url = new URL(window.location.href);
+        url.searchParams.delete("insforge_code");
+        window.history.replaceState({}, document.title, url.toString());
+        const { error: exchangeError } = await this.exchangeOAuthCode(code);
+        if (exchangeError) {
+          console.debug("OAuth code exchange failed:", exchangeError.message);
+        }
+        return;
+      }
       const accessToken = params.get("access_token");
       const userId = params.get("user_id");
       const email = params.get("email");
@@ -389,8 +442,6 @@ var Auth = class {
             email,
             profile: { name: name || "" },
             metadata: null,
-            // These fields are not provided by backend OAuth callback
-            // They'll be populated when calling getCurrentUser()
             emailVerified: false,
             createdAt: (/* @__PURE__ */ new Date()).toISOString(),
             updatedAt: (/* @__PURE__ */ new Date()).toISOString()
@@ -404,9 +455,6 @@ var Auth = class {
         url.searchParams.delete("email");
         url.searchParams.delete("name");
         url.searchParams.delete("csrf_token");
-        if (params.has("error")) {
-          url.searchParams.delete("error");
-        }
         window.history.replaceState({}, document.title, url.toString());
       }
     } catch (error) {
@@ -487,11 +535,20 @@ var Auth = class {
   }
   /**
    * Sign in with OAuth provider
+   * Uses PKCE (Proof Key for Code Exchange) for enhanced security
    */
   async signInWithOAuth(options) {
     try {
       const { provider, redirectTo, skipBrowserRedirect } = options;
-      const params = redirectTo ? { redirect_uri: redirectTo } : void 0;
+      const codeVerifier = generateCodeVerifier();
+      const codeChallenge = await generateCodeChallenge(codeVerifier);
+      storePkceVerifier(codeVerifier);
+      const params = {
+        code_challenge: codeChallenge
+      };
+      if (redirectTo) {
+        params.redirect_uri = redirectTo;
+      }
       const endpoint = `/api/auth/oauth/${provider}`;
       const response = await this.http.get(endpoint, { params });
       if (typeof window !== "undefined" && !skipBrowserRedirect) {
@@ -501,7 +558,9 @@ var Auth = class {
       return {
         data: {
           url: response.authUrl,
-          provider
+          provider,
+          codeVerifier
+          // Return verifier for manual flow (skipBrowserRedirect)
         },
         error: null
       };
@@ -519,6 +578,85 @@ var Auth = class {
       };
     }
   }
+  /**
+   * Exchange OAuth authorization code for tokens (PKCE flow)
+   *
+   * After OAuth callback redirects with an `insforge_code` parameter, call this method
+   * to exchange it for access tokens. The code verifier is automatically
+   * retrieved from sessionStorage if available.
+   *
+   * Note: This is called automatically by the SDK on initialization. You typically
+   * don't need to call this directly unless using `skipBrowserRedirect: true`.
+   *
+   * @param code - The authorization code from OAuth callback URL
+   * @param codeVerifier - Optional code verifier (auto-retrieved from sessionStorage if not provided)
+   * @returns Session data with access token and user info
+   *
+   * @example
+   * ```ts
+   * // Automatic verifier retrieval (recommended for browser)
+   * const params = new URLSearchParams(window.location.search);
+   * const code = params.get('insforge_code');
+   * if (code) {
+   *   const { data, error } = await insforge.auth.exchangeOAuthCode(code);
+   * }
+   *
+   * // Manual verifier (for custom flows)
+   * const { data, error } = await insforge.auth.exchangeOAuthCode(code, codeVerifier);
+   * ```
+   */
+  async exchangeOAuthCode(code, codeVerifier) {
+    try {
+      const verifier = codeVerifier ?? retrievePkceVerifier();
+      if (!verifier) {
+        return {
+          data: null,
+          error: new InsForgeError(
+            "PKCE code verifier not found. Ensure signInWithOAuth was called in the same browser session.",
+            400,
+            "PKCE_VERIFIER_MISSING"
+          )
+        };
+      }
+      const request = {
+        code,
+        code_verifier: verifier
+      };
+      const response = await this.http.post("/api/auth/oauth/exchange", request, { credentials: "include" });
+      if (!isHostedAuthEnvironment()) {
+        const session = {
+          accessToken: response.accessToken,
+          user: response.user
+        };
+        if (response.csrfToken) {
+          this.tokenManager.setMemoryMode();
+          setCsrfToken(response.csrfToken);
+        }
+        this.tokenManager.saveSession(session);
+        this.http.setAuthToken(response.accessToken);
+      }
+      return {
+        data: {
+          accessToken: response.accessToken,
+          user: response.user,
+          redirectTo: response.redirectTo
+        },
+        error: null
+      };
+    } catch (error) {
+      if (error instanceof InsForgeError) {
+        return { data: null, error };
+      }
+      return {
+        data: null,
+        error: new InsForgeError(
+          "An unexpected error occurred during OAuth code exchange",
+          500,
+          "UNEXPECTED_ERROR"
+        )
+      };
+    }
+  }
   /**
    * Sign out the current user
    */
@@ -607,8 +745,10 @@ var Auth = class {
   /**
    * Get the current session (only session data, no API call)
    * Returns the stored JWT token and basic user info from local storage
+   * Automatically waits for any pending OAuth callback to complete first
    */
   async getCurrentSession() {
+    await this.authCallbackHandled;
     if (isHostedAuthEnvironment()) {
       return { data: { session: null }, error: null };
     }
@@ -616,6 +756,11 @@ var Auth = class {
       const session = this.tokenManager.getSession();
       if (session) {
         this.http.setAuthToken(session.accessToken);
+        if (!session.user) {
+          const authResponse = await this.http.get("/api/auth/sessions/current", { credentials: "include" });
+          session.user = authResponse.user;
+          this.tokenManager.setUser(session.user);
+        }
         return { data: { session }, error: null };
       }
       if (typeof window !== "undefined") {
@@ -907,8 +1052,10 @@ function createInsForgePostgrestFetch(httpClient, tokenManager) {
   return async (input, init) => {
     const url = typeof input === "string" ? input : input.toString();
     const urlObj = new URL(url);
-    const tableName = urlObj.pathname.slice(1);
-    const insforgeUrl = `${httpClient.baseUrl}/api/database/records/${tableName}${urlObj.search}`;
+    const pathname = urlObj.pathname.slice(1);
+    const rpcMatch = pathname.match(/^rpc\/(.+)$/);
+    const endpoint = rpcMatch ? `/api/database/rpc/${rpcMatch[1]}` : `/api/database/records/${pathname}`;
+    const insforgeUrl = `${httpClient.baseUrl}${endpoint}${urlObj.search}`;
     const token = tokenManager.getAccessToken();
     const httpHeaders = httpClient.getHeaders();
     const authToken = token || httpHeaders["Authorization"]?.replace("Bearer ", "");
@@ -968,6 +1115,25 @@ var Database = class {
   from(table) {
     return this.postgrest.from(table);
   }
+  /**
+   * Call a PostgreSQL function (RPC)
+   *
+   * @example
+   * // Call a function with parameters
+   * const { data, error } = await client.database
+   *   .rpc('get_user_stats', { user_id: 123 });
+   *
+   * // Call a function with no parameters
+   * const { data, error } = await client.database
+   *   .rpc('get_all_active_users');
+   *
+   * // With options (head, count, get)
+   * const { data, count } = await client.database
+   *   .rpc('search_posts', { query: 'hello' }, { count: 'exact' });
+   */
+  rpc(fn, args, options) {
+    return this.postgrest.rpc(fn, args, options);
+  }
 };
 
 // src/modules/storage.ts
@@ -1773,8 +1939,7 @@ var InsForgeClient = class {
       this.http.setAuthToken(config.edgeFunctionToken);
       this.tokenManager.saveSession({
         accessToken: config.edgeFunctionToken,
-        user: {}
-        // Will be populated by getCurrentUser()
+        user: null
       });
     }
     const existingSession = this.tokenManager.getSession();