@insforge/sdk 1.4.0 → 1.4.2

package/dist/ssr.mjs

@@ -397,7 +397,7 @@ var HttpClient = class {
     return Math.round(jitter);
   }
   shouldRefreshAccessToken(statusCode, errorCode, authToken, options = {}) {
-    return statusCode === 401 && REFRESHABLE_AUTH_ERROR_CODES.has(errorCode ?? "") && !this.config.isServerMode && !this.config.edgeFunctionToken && !options.skipAuthRefresh && authToken !== null;
+    return statusCode === 401 && REFRESHABLE_AUTH_ERROR_CODES.has(errorCode ?? "") && !this.config.isServerMode && !this.config.accessToken && !this.config.edgeFunctionToken && !options.skipAuthRefresh && authToken !== null;
   }
   async fetchWithRetry(args) {
     const {
@@ -833,19 +833,32 @@ var HttpClient = class {
 
 // src/modules/auth/helpers.ts
 var PKCE_VERIFIER_KEY = "insforge_pkce_verifier";
+async function getWebCrypto() {
+  const webCrypto = globalThis.crypto;
+  if (typeof webCrypto?.getRandomValues === "function" && webCrypto.subtle) {
+    return webCrypto;
+  }
+  if (typeof process !== "undefined" && process.versions?.node) {
+    const { webcrypto } = await import("crypto");
+    return webcrypto;
+  }
+  throw new Error("Web Crypto API is not available in this environment");
+}
 function base64UrlEncode(buffer) {
   const base64 = btoa(String.fromCharCode(...buffer));
   return base64.replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
 }
-function generateCodeVerifier() {
+async function generateCodeVerifier() {
+  const webCrypto = await getWebCrypto();
   const array = new Uint8Array(32);
-  crypto.getRandomValues(array);
+  webCrypto.getRandomValues(array);
   return base64UrlEncode(array);
 }
 async function generateCodeChallenge(verifier) {
+  const webCrypto = await getWebCrypto();
   const encoder = new TextEncoder();
   const data = encoder.encode(verifier);
-  const hash = await crypto.subtle.digest("SHA-256", data);
+  const hash = await webCrypto.subtle.digest("SHA-256", data);
   return base64UrlEncode(new Uint8Array(hash));
 }
 function storePkceVerifier(verifier) {
@@ -892,7 +905,7 @@ var Auth = class {
     this.http = http;
     this.tokenManager = tokenManager;
     this.options = options;
-    this.authCallbackHandled = this.detectAuthCallback();
+    this.authCallbackHandled = options.detectOAuthCallback === false ? Promise.resolve() : this.detectAuthCallback();
   }
   isServerMode() {
     return !!this.options.isServerMode;
@@ -1038,7 +1051,7 @@ var Auth = class {
       }
       const { provider } = signInOptions;
       const providerKey = encodeURIComponent(provider.toLowerCase());
-      const codeVerifier = generateCodeVerifier();
+      const codeVerifier = await generateCodeVerifier();
       const codeChallenge = await generateCodeChallenge(codeVerifier);
       storePkceVerifier(codeVerifier);
       const params = {
@@ -1609,7 +1622,7 @@ var StorageBucket = class {
           size: file.size,
           mimeType: file.type || "application/octet-stream",
           uploadedAt: (/* @__PURE__ */ new Date()).toISOString(),
-          url: this.getPublicUrl(strategy.key)
+          url: this.getPublicUrl(strategy.key).data.publicUrl
         },
         error: null
       };
@@ -1681,11 +1694,101 @@ var StorageBucket = class {
     }
   }
   /**
-   * Get public URL for a file
+   * Get the public URL for an object in a public bucket.
+   *
+   * Pure string construction — no network call, no auth. The URL only resolves
+   * if the bucket is public; for private objects use {@link createSignedUrl}.
+   *
    * @param path - The object key/path
+   * @returns `{ data: { publicUrl }, error }` — matches the external SDK pattern,
+   *   so `const { data } = getPublicUrl(path)` then `data.publicUrl`.
    */
   getPublicUrl(path) {
-    return `${this.http.baseUrl}/api/storage/buckets/${this.bucketName}/objects/${encodeURIComponent(path)}`;
+    const publicUrl = `${this.http.baseUrl}/api/storage/buckets/${this.bucketName}/objects/${encodeURIComponent(path)}`;
+    return { data: { publicUrl }, error: null };
+  }
+  /**
+   * Resolve a download strategy (signed or direct URL) for an object with a
+   * caller-supplied TTL. Prefers the canonical GET route and falls back to the
+   * legacy POST alias so signed-URL creation still works against older backends
+   * that predate the GET route (they return 404/405 for it). A genuine
+   * "object not found" (STORAGE_NOT_FOUND) is not retried.
+   */
+  async requestDownloadStrategy(path, expiresIn) {
+    const encoded = encodeURIComponent(path);
+    try {
+      return await this.http.get(
+        `/api/storage/buckets/${this.bucketName}/download-strategy/objects/${encoded}`,
+        { params: { expiresIn: expiresIn.toString() } }
+      );
+    } catch (error) {
+      const status = error instanceof InsForgeError ? error.statusCode : void 0;
+      const isMissingRoute = (status === 404 || status === 405) && !(error instanceof InsForgeError && error.error === "STORAGE_NOT_FOUND");
+      if (!isMissingRoute) throw error;
+      return await this.http.post(
+        `/api/storage/buckets/${this.bucketName}/objects/${encoded}/download-strategy`,
+        { expiresIn }
+      );
+    }
+  }
+  /**
+   * Create a signed URL for an object.
+   *
+   * Returns a time-limited, credential-free URL that can be handed directly to
+   * a browser (`<img src>`), an email, or a third party — no SDK or session is
+   * needed to fetch it. Authorization is enforced when the URL is minted (the
+   * caller must be allowed to read the object), so the resulting link is a
+   * pre-authorized capability scoped to this one object until it expires.
+   *
+   * @param path - The object key/path
+   * @param expiresIn - Lifetime in seconds (default 3600 = 1h, max 604800 = 7d).
+   *   Honored for private buckets; public buckets return their long-lived URL.
+   */
+  async createSignedUrl(path, expiresIn = 3600) {
+    try {
+      const strategy = await this.requestDownloadStrategy(path, expiresIn);
+      return {
+        data: {
+          signedUrl: strategy.url,
+          expiresAt: strategy.expiresAt ? new Date(strategy.expiresAt).toISOString() : null
+        },
+        error: null
+      };
+    } catch (error) {
+      return {
+        data: null,
+        error: error instanceof InsForgeError ? error : new InsForgeError("Failed to create signed URL", 500, "STORAGE_ERROR")
+      };
+    }
+  }
+  /**
+   * Create signed URLs for multiple objects in a single call.
+   *
+   * Each entry resolves independently: a failure on one key (not found / not
+   * permitted) is reported on that entry's `error` without failing the rest.
+   *
+   * @param paths - The object keys/paths
+   * @param expiresIn - Lifetime in seconds (default 3600 = 1h, max 604800 = 7d)
+   */
+  async createSignedUrls(paths, expiresIn = 3600) {
+    try {
+      const data = await Promise.all(
+        paths.map(async (path) => {
+          const { data: signed, error } = await this.createSignedUrl(path, expiresIn);
+          return {
+            path,
+            signedUrl: signed?.signedUrl ?? null,
+            error: error ? error.message : null
+          };
+        })
+      );
+      return { data, error: null };
+    } catch (error) {
+      return {
+        data: null,
+        error: error instanceof InsForgeError ? error : new InsForgeError("Failed to create signed URLs", 500, "STORAGE_ERROR")
+      };
+    }
   }
   /**
    * List objects in the bucket
@@ -2664,12 +2767,14 @@ var InsForgeClient = class {
     const logger = new Logger(config.debug);
     this.tokenManager = new TokenManager();
     this.http = new HttpClient(config, this.tokenManager, logger);
-    if (config.edgeFunctionToken) {
-      this.http.setAuthToken(config.edgeFunctionToken);
-      this.tokenManager.setAccessToken(config.edgeFunctionToken);
+    const accessToken = config.accessToken ?? config.edgeFunctionToken;
+    if (accessToken) {
+      this.http.setAuthToken(accessToken);
+      this.tokenManager.setAccessToken(accessToken);
     }
     this.auth = new Auth(this.http, this.tokenManager, {
-      isServerMode: config.isServerMode ?? !!config.edgeFunctionToken
+      isServerMode: config.isServerMode ?? !!accessToken,
+      detectOAuthCallback: config.auth?.detectOAuthCallback
     });
     this.database = new Database(this.http);
     this.storage = new Storage(this.http);
@@ -3075,7 +3180,13 @@ function createBrowserClient(options = {}) {
     ...options,
     baseUrl,
     anonKey,
-    fetch: ssrFetch
+    fetch: ssrFetch,
+    // Browser clients manage tokens via the refresh route, not a static
+    // config token; shadow any untyped accessToken in the options spread.
+    accessToken: void 0,
+    auth: {
+      detectOAuthCallback: false
+    }
   });
   const setAccessToken = client.setAccessToken.bind(client);
   client.setAccessToken = (token) => {
@@ -3113,7 +3224,10 @@ function createServerClient(options = {}) {
     baseUrl,
     anonKey,
     isServerMode: true,
-    edgeFunctionToken: accessToken ?? void 0
+    accessToken: accessToken ?? void 0,
+    // The cookie/option token is the only credential source here; shadow any
+    // untyped edgeFunctionToken smuggled through the options spread.
+    edgeFunctionToken: void 0
   });
 }
 
@@ -3277,6 +3391,109 @@ function createRefreshAuthRouter(options = {}) {
   };
 }
 
+// src/ssr/auth-actions.ts
+function persistSessionCookies(cookies, data, settings) {
+  if (!data?.accessToken) return;
+  setAuthCookies(
+    cookies,
+    {
+      accessToken: data.accessToken,
+      refreshToken: data.refreshToken
+    },
+    settings
+  );
+}
+function sanitizeAuthData(data) {
+  if (!data) return null;
+  const {
+    accessToken: _accessToken,
+    refreshToken: _refreshToken,
+    csrfToken: _csrfToken,
+    ...safeData
+  } = data;
+  return safeData;
+}
+function toSafeAuthResult(result) {
+  return {
+    data: sanitizeAuthData(result.data),
+    error: result.error
+  };
+}
+function createAuthActions(options = {}) {
+  const {
+    cookies,
+    requestCookies,
+    responseCookies,
+    names,
+    options: cookieOptions,
+    ...clientOptions
+  } = options;
+  const readCookies = requestCookies ?? cookies;
+  const writeCookies = responseCookies ?? cookies;
+  if (!writeCookies?.set) {
+    throw new Error(
+      "createAuthActions() requires a writable cookie store. Pass cookies in Server Actions or responseCookies in Route Handlers."
+    );
+  }
+  const cookieSettings = {
+    names,
+    options: cookieOptions
+  };
+  const createClient = () => createServerClient({
+    ...clientOptions,
+    names,
+    options: cookieOptions,
+    cookies: readCookies
+  });
+  return {
+    signUp: async (request) => {
+      const result = await createClient().auth.signUp(request);
+      persistSessionCookies(writeCookies, result.data, cookieSettings);
+      return toSafeAuthResult(result);
+    },
+    signInWithPassword: async (request) => {
+      const result = await createClient().auth.signInWithPassword(request);
+      persistSessionCookies(writeCookies, result.data, cookieSettings);
+      return toSafeAuthResult(
+        result
+      );
+    },
+    signInWithOAuth: async (providerOrOptions, signInOptions) => {
+      return createClient().auth.signInWithOAuth(
+        providerOrOptions,
+        signInOptions
+      );
+    },
+    signInWithIdToken: async (credentials) => {
+      const result = await createClient().auth.signInWithIdToken(credentials);
+      persistSessionCookies(writeCookies, result.data, cookieSettings);
+      return toSafeAuthResult(
+        result
+      );
+    },
+    exchangeOAuthCode: async (code, codeVerifier) => {
+      const result = await createClient().auth.exchangeOAuthCode(
+        code,
+        codeVerifier
+      );
+      persistSessionCookies(writeCookies, result.data, cookieSettings);
+      return toSafeAuthResult(
+        result
+      );
+    },
+    verifyEmail: async (request) => {
+      const result = await createClient().auth.verifyEmail(request);
+      persistSessionCookies(writeCookies, result.data, cookieSettings);
+      return toSafeAuthResult(result);
+    },
+    signOut: async () => {
+      const result = await createClient().auth.signOut();
+      clearAuthCookies(writeCookies, cookieSettings);
+      return result;
+    }
+  };
+}
+
 // src/ssr/update-session.ts
 async function updateSession(options) {
   const accessCookieName = getAccessTokenCookieName(options.names);
@@ -3337,6 +3554,7 @@ export {
   DEFAULT_REFRESH_TOKEN_COOKIE,
   accessTokenCookieOptions,
   clearAuthCookies,
+  createAuthActions,
   createBrowserClient,
   createRefreshAuthRouter,
   createServerClient,