@insforge/sdk 1.3.0-ssr.0 → 1.3.0-ssr.2

package/README.md

@@ -264,7 +264,7 @@ const insforge = createClient({
 ### SSR / Next.js
 
 Use `@insforge/sdk/ssr` for apps that need the same auth session in Server Components, Client Components, Storage, and Realtime.
-The helper reads `NEXT_PUBLIC_INSFORGE_URL` / `NEXT_PUBLIC_INSFORGE_ANON_KEY` in the browser and `INSFORGE_URL` / `INSFORGE_ANON_KEY` on the server, with public env fallbacks.
+The helper uses explicit `baseUrl` / `anonKey` when provided. Otherwise it reads `NEXT_PUBLIC_INSFORGE_URL` / `NEXT_PUBLIC_INSFORGE_ANON_KEY`. Missing config throws a clear error.
 
 By default, the SSR helpers use:
 
@@ -295,7 +295,19 @@ import { createRefreshAuthRouter } from "@insforge/sdk/ssr";
 export const { POST } = createRefreshAuthRouter();
 ```
 
-For server-owned refresh cookies, run sign-in in a Route Handler or Server Action and use `setAuthCookies()` from `@insforge/sdk/ssr` with the auth response.
+For server-owned refresh cookies, run sign-in in a Route Handler or Server Action and use `setAuthCookies()` from `@insforge/sdk/ssr` with the framework cookie writer. In Next.js Route Handlers, pass `response.cookies`:
+
+```typescript
+import { NextResponse } from "next/server";
+import { setAuthCookies } from "@insforge/sdk/ssr";
+
+const response = NextResponse.json({ user: data.user });
+setAuthCookies(response.cookies, {
+  accessToken: data.accessToken,
+  refreshToken: data.refreshToken,
+});
+return response;
+```
 
 If your refresh route needs custom side effects:
 

package/dist/ssr.d.mts

@@ -2,11 +2,6 @@ import { a as InsForgeConfig, I as InsForgeClient, l as AuthRefreshResponse, d a
 import '@insforge/shared-schemas';
 import '@supabase/postgrest-js';
 
-type SsrClientConfig = Omit<InsForgeConfig, 'baseUrl' | 'anonKey' | 'edgeFunctionToken' | 'isServerMode' | 'auth'> & {
-    baseUrl?: string;
-    anonKey?: string;
-};
-
 declare const DEFAULT_ACCESS_TOKEN_COOKIE = "insforge_access_token";
 declare const DEFAULT_REFRESH_TOKEN_COOKIE = "insforge_refresh_token";
 interface AuthCookieNames {
@@ -29,10 +24,21 @@ interface AuthCookieOptions {
 type CookieStoreValue = string | {
     value?: string | null;
 } | undefined | null;
-interface CookieStore {
+interface CookieReader {
     get(name: string): CookieStoreValue;
+}
+interface CookieWriter {
     set?(name: string, value: string, options?: CookieOptions): unknown;
-    delete?(name: string, options?: CookieOptions): unknown;
+    set?(options: {
+        name: string;
+        value: string;
+    } & CookieOptions): unknown;
+    delete?(name: string): unknown;
+    delete?(options: {
+        name: string;
+    } & CookieOptions): unknown;
+}
+interface CookieStore extends CookieReader, CookieWriter {
 }
 interface AuthCookieSettings {
     names?: AuthCookieNames;
@@ -42,25 +48,25 @@ declare function getAccessTokenCookieName(names?: AuthCookieNames): string;
 declare function getRefreshTokenCookieName(names?: AuthCookieNames): string;
 declare function accessTokenCookieOptions(token: string, overrides?: CookieOptions): CookieOptions;
 declare function refreshTokenCookieOptions(token: string, overrides?: CookieOptions): CookieOptions;
-declare function setAuthCookies(target: Headers | CookieStore | undefined, tokens: {
+declare function setAuthCookies(cookies: CookieWriter | undefined, tokens: {
     accessToken: string;
     refreshToken?: string | null;
 }, settings?: AuthCookieSettings): void;
-declare function clearAuthCookies(target: Headers | CookieStore | undefined, settings?: AuthCookieSettings): void;
+declare function clearAuthCookies(cookies: CookieWriter | undefined, settings?: AuthCookieSettings): void;
 
-interface CreateBrowserClientOptions extends SsrClientConfig, AuthCookieSettings {
+interface CreateBrowserClientOptions extends Omit<InsForgeConfig, 'edgeFunctionToken' | 'isServerMode' | 'auth'>, AuthCookieSettings {
     refreshUrl?: string;
     refreshLeewaySeconds?: number;
 }
 declare function createBrowserClient(options?: CreateBrowserClientOptions): InsForgeClient;
 
-interface CreateServerClientOptions extends SsrClientConfig, AuthCookieSettings {
+interface CreateServerClientOptions extends Omit<InsForgeConfig, 'edgeFunctionToken' | 'isServerMode' | 'auth'>, AuthCookieSettings {
     cookies?: Pick<CookieStore, 'get'>;
     accessToken?: string;
 }
 declare function createServerClient(options?: CreateServerClientOptions): InsForgeClient;
 
-interface RefreshAuthOptions extends SsrClientConfig, AuthCookieSettings {
+interface RefreshAuthOptions extends Omit<InsForgeConfig, 'edgeFunctionToken' | 'isServerMode' | 'auth'>, AuthCookieSettings {
     request?: Request;
     cookies?: Pick<CookieStore, 'get'>;
     refreshToken?: string;
@@ -78,7 +84,7 @@ declare function createRefreshAuthRouter(options?: Omit<RefreshAuthOptions, 'req
     POST: RefreshAuthRouteHandler;
 };
 
-interface UpdateSessionOptions extends SsrClientConfig, AuthCookieSettings {
+interface UpdateSessionOptions extends Omit<InsForgeConfig, 'edgeFunctionToken' | 'isServerMode' | 'auth'>, AuthCookieSettings {
     requestCookies: CookieStore;
     responseCookies: CookieStore;
     refreshLeewaySeconds?: number;
@@ -90,4 +96,4 @@ interface UpdateSessionResult {
 }
 declare function updateSession(options: UpdateSessionOptions): Promise<UpdateSessionResult>;
 
-export { type AuthCookieNames, type AuthCookieOptions, type AuthCookieSettings, type CookieOptions, type CookieStore, type CreateBrowserClientOptions, type CreateServerClientOptions, DEFAULT_ACCESS_TOKEN_COOKIE, DEFAULT_REFRESH_TOKEN_COOKIE, type RefreshAuthOptions, type RefreshAuthResult, type RefreshAuthRouteHandler, type UpdateSessionOptions, type UpdateSessionResult, accessTokenCookieOptions, clearAuthCookies, createBrowserClient, createRefreshAuthRouter, createServerClient, getAccessTokenCookieName, getRefreshTokenCookieName, refreshAuth, refreshTokenCookieOptions, setAuthCookies, updateSession };
+export { type AuthCookieNames, type AuthCookieOptions, type AuthCookieSettings, type CookieOptions, type CookieReader, type CookieStore, type CookieWriter, type CreateBrowserClientOptions, type CreateServerClientOptions, DEFAULT_ACCESS_TOKEN_COOKIE, DEFAULT_REFRESH_TOKEN_COOKIE, type RefreshAuthOptions, type RefreshAuthResult, type RefreshAuthRouteHandler, type UpdateSessionOptions, type UpdateSessionResult, accessTokenCookieOptions, clearAuthCookies, createBrowserClient, createRefreshAuthRouter, createServerClient, getAccessTokenCookieName, getRefreshTokenCookieName, refreshAuth, refreshTokenCookieOptions, setAuthCookies, updateSession };

package/dist/ssr.d.ts

@@ -2,11 +2,6 @@ import { a as InsForgeConfig, I as InsForgeClient, l as AuthRefreshResponse, d a
 import '@insforge/shared-schemas';
 import '@supabase/postgrest-js';
 
-type SsrClientConfig = Omit<InsForgeConfig, 'baseUrl' | 'anonKey' | 'edgeFunctionToken' | 'isServerMode' | 'auth'> & {
-    baseUrl?: string;
-    anonKey?: string;
-};
-
 declare const DEFAULT_ACCESS_TOKEN_COOKIE = "insforge_access_token";
 declare const DEFAULT_REFRESH_TOKEN_COOKIE = "insforge_refresh_token";
 interface AuthCookieNames {
@@ -29,10 +24,21 @@ interface AuthCookieOptions {
 type CookieStoreValue = string | {
     value?: string | null;
 } | undefined | null;
-interface CookieStore {
+interface CookieReader {
     get(name: string): CookieStoreValue;
+}
+interface CookieWriter {
     set?(name: string, value: string, options?: CookieOptions): unknown;
-    delete?(name: string, options?: CookieOptions): unknown;
+    set?(options: {
+        name: string;
+        value: string;
+    } & CookieOptions): unknown;
+    delete?(name: string): unknown;
+    delete?(options: {
+        name: string;
+    } & CookieOptions): unknown;
+}
+interface CookieStore extends CookieReader, CookieWriter {
 }
 interface AuthCookieSettings {
     names?: AuthCookieNames;
@@ -42,25 +48,25 @@ declare function getAccessTokenCookieName(names?: AuthCookieNames): string;
 declare function getRefreshTokenCookieName(names?: AuthCookieNames): string;
 declare function accessTokenCookieOptions(token: string, overrides?: CookieOptions): CookieOptions;
 declare function refreshTokenCookieOptions(token: string, overrides?: CookieOptions): CookieOptions;
-declare function setAuthCookies(target: Headers | CookieStore | undefined, tokens: {
+declare function setAuthCookies(cookies: CookieWriter | undefined, tokens: {
     accessToken: string;
     refreshToken?: string | null;
 }, settings?: AuthCookieSettings): void;
-declare function clearAuthCookies(target: Headers | CookieStore | undefined, settings?: AuthCookieSettings): void;
+declare function clearAuthCookies(cookies: CookieWriter | undefined, settings?: AuthCookieSettings): void;
 
-interface CreateBrowserClientOptions extends SsrClientConfig, AuthCookieSettings {
+interface CreateBrowserClientOptions extends Omit<InsForgeConfig, 'edgeFunctionToken' | 'isServerMode' | 'auth'>, AuthCookieSettings {
     refreshUrl?: string;
     refreshLeewaySeconds?: number;
 }
 declare function createBrowserClient(options?: CreateBrowserClientOptions): InsForgeClient;
 
-interface CreateServerClientOptions extends SsrClientConfig, AuthCookieSettings {
+interface CreateServerClientOptions extends Omit<InsForgeConfig, 'edgeFunctionToken' | 'isServerMode' | 'auth'>, AuthCookieSettings {
     cookies?: Pick<CookieStore, 'get'>;
     accessToken?: string;
 }
 declare function createServerClient(options?: CreateServerClientOptions): InsForgeClient;
 
-interface RefreshAuthOptions extends SsrClientConfig, AuthCookieSettings {
+interface RefreshAuthOptions extends Omit<InsForgeConfig, 'edgeFunctionToken' | 'isServerMode' | 'auth'>, AuthCookieSettings {
     request?: Request;
     cookies?: Pick<CookieStore, 'get'>;
     refreshToken?: string;
@@ -78,7 +84,7 @@ declare function createRefreshAuthRouter(options?: Omit<RefreshAuthOptions, 'req
     POST: RefreshAuthRouteHandler;
 };
 
-interface UpdateSessionOptions extends SsrClientConfig, AuthCookieSettings {
+interface UpdateSessionOptions extends Omit<InsForgeConfig, 'edgeFunctionToken' | 'isServerMode' | 'auth'>, AuthCookieSettings {
     requestCookies: CookieStore;
     responseCookies: CookieStore;
     refreshLeewaySeconds?: number;
@@ -90,4 +96,4 @@ interface UpdateSessionResult {
 }
 declare function updateSession(options: UpdateSessionOptions): Promise<UpdateSessionResult>;
 
-export { type AuthCookieNames, type AuthCookieOptions, type AuthCookieSettings, type CookieOptions, type CookieStore, type CreateBrowserClientOptions, type CreateServerClientOptions, DEFAULT_ACCESS_TOKEN_COOKIE, DEFAULT_REFRESH_TOKEN_COOKIE, type RefreshAuthOptions, type RefreshAuthResult, type RefreshAuthRouteHandler, type UpdateSessionOptions, type UpdateSessionResult, accessTokenCookieOptions, clearAuthCookies, createBrowserClient, createRefreshAuthRouter, createServerClient, getAccessTokenCookieName, getRefreshTokenCookieName, refreshAuth, refreshTokenCookieOptions, setAuthCookies, updateSession };
+export { type AuthCookieNames, type AuthCookieOptions, type AuthCookieSettings, type CookieOptions, type CookieReader, type CookieStore, type CookieWriter, type CreateBrowserClientOptions, type CreateServerClientOptions, DEFAULT_ACCESS_TOKEN_COOKIE, DEFAULT_REFRESH_TOKEN_COOKIE, type RefreshAuthOptions, type RefreshAuthResult, type RefreshAuthRouteHandler, type UpdateSessionOptions, type UpdateSessionResult, accessTokenCookieOptions, clearAuthCookies, createBrowserClient, createRefreshAuthRouter, createServerClient, getAccessTokenCookieName, getRefreshTokenCookieName, refreshAuth, refreshTokenCookieOptions, setAuthCookies, updateSession };

package/dist/ssr.js

@@ -2659,26 +2659,6 @@ function isJwtExpiredOrExpiring(token, leewaySeconds = 60) {
   return expires.getTime() <= Date.now() + leewaySeconds * 1e3;
 }
 
-// src/ssr/config.ts
-function env(name) {
-  if (typeof process === "undefined") return void 0;
-  return process.env[name];
-}
-function resolveBrowserConfig(config = {}) {
-  return {
-    ...config,
-    baseUrl: config.baseUrl ?? env("NEXT_PUBLIC_INSFORGE_URL"),
-    anonKey: config.anonKey ?? env("NEXT_PUBLIC_INSFORGE_ANON_KEY")
-  };
-}
-function resolveServerConfig(config = {}) {
-  return {
-    ...config,
-    baseUrl: config.baseUrl ?? env("INSFORGE_URL") ?? env("NEXT_PUBLIC_INSFORGE_URL"),
-    anonKey: config.anonKey ?? env("INSFORGE_ANON_KEY") ?? env("NEXT_PUBLIC_INSFORGE_ANON_KEY")
-  };
-}
-
 // src/ssr/browser-client.ts
 var import_shared_schemas2 = require("@insforge/shared-schemas");
 
@@ -2755,11 +2735,11 @@ function setCookie(cookies, name, value, options) {
 }
 function deleteCookie(cookies, name, options) {
   if (!cookies) return;
-  if (cookies.delete) {
-    cookies.delete(name, options);
+  if (cookies.set) {
+    cookies.set(name, "", expiredCookieOptions(options));
     return;
   }
-  cookies.set?.(name, "", expiredCookieOptions(options));
+  cookies.delete?.(name);
 }
 function serializeCookie(name, value, options = {}) {
   const parts = [`${encodeURIComponent(name)}=${encodeURIComponent(value)}`];
@@ -2778,32 +2758,17 @@ function serializeCookie(name, value, options = {}) {
 function appendSetCookie(headers, name, value, options) {
   headers.append("Set-Cookie", serializeCookie(name, value, options));
 }
-function setAuthCookies(target, tokens, settings = {}) {
+function setAuthCookies(cookies, tokens, settings = {}) {
   const accessName = getAccessTokenCookieName(settings.names);
   const refreshName = getRefreshTokenCookieName(settings.names);
   const accessOptions = accessTokenCookieOptions(
     tokens.accessToken,
     settings.options?.accessToken
   );
-  if (target instanceof Headers) {
-    appendSetCookie(target, accessName, tokens.accessToken, accessOptions);
-    if (tokens.refreshToken) {
-      appendSetCookie(
-        target,
-        refreshName,
-        tokens.refreshToken,
-        refreshTokenCookieOptions(
-          tokens.refreshToken,
-          settings.options?.refreshToken
-        )
-      );
-    }
-    return;
-  }
-  setCookie(target, accessName, tokens.accessToken, accessOptions);
+  setCookie(cookies, accessName, tokens.accessToken, accessOptions);
   if (tokens.refreshToken) {
     setCookie(
-      target,
+      cookies,
       refreshName,
       tokens.refreshToken,
       refreshTokenCookieOptions(
@@ -2813,18 +2778,48 @@ function setAuthCookies(target, tokens, settings = {}) {
     );
   }
 }
-function clearAuthCookies(target, settings = {}) {
+function clearAuthCookies(cookies, settings = {}) {
   const accessName = getAccessTokenCookieName(settings.names);
   const refreshName = getRefreshTokenCookieName(settings.names);
   const accessOptions = expiredCookieOptions(settings.options?.accessToken);
   const refreshOptions = expiredCookieOptions(settings.options?.refreshToken);
-  if (target instanceof Headers) {
-    appendSetCookie(target, accessName, "", accessOptions);
-    appendSetCookie(target, refreshName, "", refreshOptions);
-    return;
+  deleteCookie(cookies, accessName, accessOptions);
+  deleteCookie(cookies, refreshName, refreshOptions);
+}
+function setAuthCookieHeaders(headers, tokens, settings = {}) {
+  const accessName = getAccessTokenCookieName(settings.names);
+  const refreshName = getRefreshTokenCookieName(settings.names);
+  appendSetCookie(
+    headers,
+    accessName,
+    tokens.accessToken,
+    accessTokenCookieOptions(tokens.accessToken, settings.options?.accessToken)
+  );
+  if (tokens.refreshToken) {
+    appendSetCookie(
+      headers,
+      refreshName,
+      tokens.refreshToken,
+      refreshTokenCookieOptions(
+        tokens.refreshToken,
+        settings.options?.refreshToken
+      )
+    );
   }
-  deleteCookie(target, accessName, accessOptions);
-  deleteCookie(target, refreshName, refreshOptions);
+}
+function clearAuthCookieHeaders(headers, settings = {}) {
+  appendSetCookie(
+    headers,
+    getAccessTokenCookieName(settings.names),
+    "",
+    expiredCookieOptions(settings.options?.accessToken)
+  );
+  appendSetCookie(
+    headers,
+    getRefreshTokenCookieName(settings.names),
+    "",
+    expiredCookieOptions(settings.options?.refreshToken)
+  );
 }
 
 // src/ssr/browser-client.ts
@@ -2873,6 +2868,17 @@ function withAuthHeader(init, token) {
   };
 }
 function createBrowserClient(options = {}) {
+  let { baseUrl, anonKey } = options;
+  try {
+    baseUrl || (baseUrl = process.env.NEXT_PUBLIC_INSFORGE_URL);
+    anonKey || (anonKey = process.env.NEXT_PUBLIC_INSFORGE_ANON_KEY);
+  } catch {
+  }
+  if (!baseUrl || !anonKey) {
+    throw new Error(
+      "Missing InsForge baseUrl or anonKey. Pass baseUrl and anonKey to createBrowserClient() or set NEXT_PUBLIC_INSFORGE_URL and NEXT_PUBLIC_INSFORGE_ANON_KEY."
+    );
+  }
   let accessToken = getBrowserCookie(
     getAccessTokenCookieName(options.names)
   );
@@ -2949,7 +2955,9 @@ function createBrowserClient(options = {}) {
     return fetchImpl(input, withAuthHeader(init, refreshed.accessToken));
   };
   client = new InsForgeClient({
-    ...resolveBrowserConfig(options),
+    ...options,
+    baseUrl,
+    anonKey,
     fetch: ssrFetch
   });
   const setAccessToken = client.setAccessToken.bind(client);
@@ -2968,12 +2976,25 @@ function createBrowserClient(options = {}) {
 
 // src/ssr/server-client.ts
 function createServerClient(options = {}) {
+  let { baseUrl, anonKey } = options;
+  try {
+    baseUrl || (baseUrl = process.env.NEXT_PUBLIC_INSFORGE_URL);
+    anonKey || (anonKey = process.env.NEXT_PUBLIC_INSFORGE_ANON_KEY);
+  } catch {
+  }
+  if (!baseUrl || !anonKey) {
+    throw new Error(
+      "Missing InsForge baseUrl or anonKey. Pass baseUrl and anonKey to createServerClient() or set NEXT_PUBLIC_INSFORGE_URL and NEXT_PUBLIC_INSFORGE_ANON_KEY."
+    );
+  }
   const accessToken = options.accessToken ?? getCookieValue(
     options.cookies,
     getAccessTokenCookieName(options.names)
   );
   return new InsForgeClient({
-    ...resolveServerConfig(options),
+    ...options,
+    baseUrl,
+    anonKey,
     isServerMode: true,
     edgeFunctionToken: accessToken ?? void 0
   });
@@ -2990,12 +3011,25 @@ function jsonResponse(body, init = {}, headers = new Headers(init.headers)) {
 }
 function normalizeError(error) {
   if (error instanceof InsForgeError) return error;
+  if (error && typeof error === "object") {
+    const body = error;
+    return new InsForgeError(
+      typeof body.message === "string" ? body.message : "Failed to refresh auth session",
+      typeof body.statusCode === "number" ? body.statusCode : 500,
+      typeof body.error === "string" ? body.error : import_shared_schemas3.ERROR_CODES.UNKNOWN_ERROR
+    );
+  }
   return new InsForgeError(
     error instanceof Error ? error.message : "Failed to refresh auth session",
     500,
     import_shared_schemas3.ERROR_CODES.UNKNOWN_ERROR
   );
 }
+async function readJson(response) {
+  const contentType = response.headers.get("content-type");
+  if (!contentType?.includes("json")) return null;
+  return response.json();
+}
 function readRefreshToken(options) {
   if (options.refreshToken) return options.refreshToken;
   const refreshCookieName = getRefreshTokenCookieName(options.names);
@@ -3010,7 +3044,7 @@ async function refreshAuth(options = {}) {
   const headers = new Headers();
   const refreshToken = readRefreshToken(options);
   if (!refreshToken) {
-    clearAuthCookies(headers, options);
+    clearAuthCookieHeaders(headers, options);
     const error2 = new InsForgeError(
       "Refresh token cookie is missing",
       401,
@@ -3032,13 +3066,55 @@ async function refreshAuth(options = {}) {
       error: error2
     };
   }
-  const client = new InsForgeClient({
-    ...resolveServerConfig(options),
-    isServerMode: true
-  });
-  const { data, error } = await client.auth.refreshSession({ refreshToken });
+  let { baseUrl, anonKey } = options;
+  try {
+    baseUrl || (baseUrl = process.env.NEXT_PUBLIC_INSFORGE_URL);
+    anonKey || (anonKey = process.env.NEXT_PUBLIC_INSFORGE_ANON_KEY);
+  } catch {
+  }
+  if (!baseUrl || !anonKey) {
+    throw new Error(
+      "Missing InsForge baseUrl or anonKey. Pass baseUrl and anonKey to refreshAuth() or set NEXT_PUBLIC_INSFORGE_URL and NEXT_PUBLIC_INSFORGE_ANON_KEY."
+    );
+  }
+  const fetchImpl = options.fetch ?? (globalThis.fetch ? globalThis.fetch.bind(globalThis) : void 0);
+  if (!fetchImpl) {
+    throw new Error(
+      "Fetch is not available. Please provide a fetch implementation."
+    );
+  }
+  const requestHeaders = new Headers(options.headers);
+  requestHeaders.set("Authorization", `Bearer ${anonKey}`);
+  requestHeaders.set("Content-Type", "application/json");
+  requestHeaders.set("Accept", "application/json");
+  let data = null;
+  let error = null;
+  try {
+    const response = await fetchImpl(
+      new URL("/api/auth/refresh?client_type=mobile", baseUrl).toString(),
+      {
+        method: "POST",
+        headers: requestHeaders,
+        body: JSON.stringify({ refresh_token: refreshToken })
+      }
+    );
+    const body = await readJson(response);
+    if (!response.ok) {
+      error = normalizeError(
+        body ?? {
+          message: "Failed to refresh auth session",
+          statusCode: response.status,
+          error: import_shared_schemas3.ERROR_CODES.UNKNOWN_ERROR
+        }
+      );
+    } else {
+      data = body;
+    }
+  } catch (caught) {
+    error = normalizeError(caught);
+  }
   if (error || !data?.accessToken) {
-    clearAuthCookies(headers, options);
+    clearAuthCookieHeaders(headers, options);
     const normalized = normalizeError(error);
     return {
       response: jsonResponse(
@@ -3057,7 +3133,7 @@ async function refreshAuth(options = {}) {
     };
   }
   const nextRefreshToken = data.refreshToken ?? refreshToken;
-  setAuthCookies(
+  setAuthCookieHeaders(
     headers,
     {
       accessToken: data.accessToken,