@insforge/sdk 1.4.0 → 1.4.2

package/dist/index.mjs

@@ -397,7 +397,7 @@ var HttpClient = class {
     return Math.round(jitter);
   }
   shouldRefreshAccessToken(statusCode, errorCode, authToken, options = {}) {
-    return statusCode === 401 && REFRESHABLE_AUTH_ERROR_CODES.has(errorCode ?? "") && !this.config.isServerMode && !this.config.edgeFunctionToken && !options.skipAuthRefresh && authToken !== null;
+    return statusCode === 401 && REFRESHABLE_AUTH_ERROR_CODES.has(errorCode ?? "") && !this.config.isServerMode && !this.config.accessToken && !this.config.edgeFunctionToken && !options.skipAuthRefresh && authToken !== null;
   }
   async fetchWithRetry(args) {
     const {
@@ -833,19 +833,32 @@ var HttpClient = class {
 
 // src/modules/auth/helpers.ts
 var PKCE_VERIFIER_KEY = "insforge_pkce_verifier";
+async function getWebCrypto() {
+  const webCrypto = globalThis.crypto;
+  if (typeof webCrypto?.getRandomValues === "function" && webCrypto.subtle) {
+    return webCrypto;
+  }
+  if (typeof process !== "undefined" && process.versions?.node) {
+    const { webcrypto } = await import("crypto");
+    return webcrypto;
+  }
+  throw new Error("Web Crypto API is not available in this environment");
+}
 function base64UrlEncode(buffer) {
   const base64 = btoa(String.fromCharCode(...buffer));
   return base64.replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
 }
-function generateCodeVerifier() {
+async function generateCodeVerifier() {
+  const webCrypto = await getWebCrypto();
   const array = new Uint8Array(32);
-  crypto.getRandomValues(array);
+  webCrypto.getRandomValues(array);
   return base64UrlEncode(array);
 }
 async function generateCodeChallenge(verifier) {
+  const webCrypto = await getWebCrypto();
   const encoder = new TextEncoder();
   const data = encoder.encode(verifier);
-  const hash = await crypto.subtle.digest("SHA-256", data);
+  const hash = await webCrypto.subtle.digest("SHA-256", data);
   return base64UrlEncode(new Uint8Array(hash));
 }
 function storePkceVerifier(verifier) {
@@ -892,7 +905,7 @@ var Auth = class {
     this.http = http;
     this.tokenManager = tokenManager;
     this.options = options;
-    this.authCallbackHandled = this.detectAuthCallback();
+    this.authCallbackHandled = options.detectOAuthCallback === false ? Promise.resolve() : this.detectAuthCallback();
   }
   isServerMode() {
     return !!this.options.isServerMode;
@@ -1038,7 +1051,7 @@ var Auth = class {
       }
       const { provider } = signInOptions;
       const providerKey = encodeURIComponent(provider.toLowerCase());
-      const codeVerifier = generateCodeVerifier();
+      const codeVerifier = await generateCodeVerifier();
       const codeChallenge = await generateCodeChallenge(codeVerifier);
       storePkceVerifier(codeVerifier);
       const params = {
@@ -1609,7 +1622,7 @@ var StorageBucket = class {
           size: file.size,
           mimeType: file.type || "application/octet-stream",
           uploadedAt: (/* @__PURE__ */ new Date()).toISOString(),
-          url: this.getPublicUrl(strategy.key)
+          url: this.getPublicUrl(strategy.key).data.publicUrl
         },
         error: null
       };
@@ -1681,11 +1694,101 @@ var StorageBucket = class {
     }
   }
   /**
-   * Get public URL for a file
+   * Get the public URL for an object in a public bucket.
+   *
+   * Pure string construction — no network call, no auth. The URL only resolves
+   * if the bucket is public; for private objects use {@link createSignedUrl}.
+   *
    * @param path - The object key/path
+   * @returns `{ data: { publicUrl }, error }` — matches the external SDK pattern,
+   *   so `const { data } = getPublicUrl(path)` then `data.publicUrl`.
    */
   getPublicUrl(path) {
-    return `${this.http.baseUrl}/api/storage/buckets/${this.bucketName}/objects/${encodeURIComponent(path)}`;
+    const publicUrl = `${this.http.baseUrl}/api/storage/buckets/${this.bucketName}/objects/${encodeURIComponent(path)}`;
+    return { data: { publicUrl }, error: null };
+  }
+  /**
+   * Resolve a download strategy (signed or direct URL) for an object with a
+   * caller-supplied TTL. Prefers the canonical GET route and falls back to the
+   * legacy POST alias so signed-URL creation still works against older backends
+   * that predate the GET route (they return 404/405 for it). A genuine
+   * "object not found" (STORAGE_NOT_FOUND) is not retried.
+   */
+  async requestDownloadStrategy(path, expiresIn) {
+    const encoded = encodeURIComponent(path);
+    try {
+      return await this.http.get(
+        `/api/storage/buckets/${this.bucketName}/download-strategy/objects/${encoded}`,
+        { params: { expiresIn: expiresIn.toString() } }
+      );
+    } catch (error) {
+      const status = error instanceof InsForgeError ? error.statusCode : void 0;
+      const isMissingRoute = (status === 404 || status === 405) && !(error instanceof InsForgeError && error.error === "STORAGE_NOT_FOUND");
+      if (!isMissingRoute) throw error;
+      return await this.http.post(
+        `/api/storage/buckets/${this.bucketName}/objects/${encoded}/download-strategy`,
+        { expiresIn }
+      );
+    }
+  }
+  /**
+   * Create a signed URL for an object.
+   *
+   * Returns a time-limited, credential-free URL that can be handed directly to
+   * a browser (`<img src>`), an email, or a third party — no SDK or session is
+   * needed to fetch it. Authorization is enforced when the URL is minted (the
+   * caller must be allowed to read the object), so the resulting link is a
+   * pre-authorized capability scoped to this one object until it expires.
+   *
+   * @param path - The object key/path
+   * @param expiresIn - Lifetime in seconds (default 3600 = 1h, max 604800 = 7d).
+   *   Honored for private buckets; public buckets return their long-lived URL.
+   */
+  async createSignedUrl(path, expiresIn = 3600) {
+    try {
+      const strategy = await this.requestDownloadStrategy(path, expiresIn);
+      return {
+        data: {
+          signedUrl: strategy.url,
+          expiresAt: strategy.expiresAt ? new Date(strategy.expiresAt).toISOString() : null
+        },
+        error: null
+      };
+    } catch (error) {
+      return {
+        data: null,
+        error: error instanceof InsForgeError ? error : new InsForgeError("Failed to create signed URL", 500, "STORAGE_ERROR")
+      };
+    }
+  }
+  /**
+   * Create signed URLs for multiple objects in a single call.
+   *
+   * Each entry resolves independently: a failure on one key (not found / not
+   * permitted) is reported on that entry's `error` without failing the rest.
+   *
+   * @param paths - The object keys/paths
+   * @param expiresIn - Lifetime in seconds (default 3600 = 1h, max 604800 = 7d)
+   */
+  async createSignedUrls(paths, expiresIn = 3600) {
+    try {
+      const data = await Promise.all(
+        paths.map(async (path) => {
+          const { data: signed, error } = await this.createSignedUrl(path, expiresIn);
+          return {
+            path,
+            signedUrl: signed?.signedUrl ?? null,
+            error: error ? error.message : null
+          };
+        })
+      );
+      return { data, error: null };
+    } catch (error) {
+      return {
+        data: null,
+        error: error instanceof InsForgeError ? error : new InsForgeError("Failed to create signed URLs", 500, "STORAGE_ERROR")
+      };
+    }
   }
   /**
    * List objects in the bucket
@@ -2664,12 +2767,14 @@ var InsForgeClient = class {
     const logger = new Logger(config.debug);
     this.tokenManager = new TokenManager();
     this.http = new HttpClient(config, this.tokenManager, logger);
-    if (config.edgeFunctionToken) {
-      this.http.setAuthToken(config.edgeFunctionToken);
-      this.tokenManager.setAccessToken(config.edgeFunctionToken);
+    const accessToken = config.accessToken ?? config.edgeFunctionToken;
+    if (accessToken) {
+      this.http.setAuthToken(accessToken);
+      this.tokenManager.setAccessToken(accessToken);
     }
     this.auth = new Auth(this.http, this.tokenManager, {
-      isServerMode: config.isServerMode ?? !!config.edgeFunctionToken
+      isServerMode: config.isServerMode ?? !!accessToken,
+      detectOAuthCallback: config.auth?.detectOAuthCallback
     });
     this.database = new Database(this.http);
     this.storage = new Storage(this.http);
@@ -2748,11 +2853,11 @@ function createAdminClient(config) {
   }
   return new InsForgeClient({
     ...clientConfig,
-    edgeFunctionToken: apiKey,
+    accessToken: apiKey,
     isServerMode: true
   });
 }
-var index_default = InsForgeClient;
+var src_default = InsForgeClient;
 export {
   AI,
   Auth,
@@ -2770,6 +2875,6 @@ export {
   TokenManager,
   createAdminClient,
   createClient,
-  index_default as default
+  src_default as default
 };
 //# sourceMappingURL=index.mjs.map