npm - @insforge/sdk - Versions diffs - 1.4.0 → 1.4.2 - Mend

@insforge/sdk 1.4.0 → 1.4.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (27) hide show

package/README.md +139 -10
package/SDK-REFERENCE.md +34 -20
package/dist/{client-CqfpCc8Z.d.mts → client-BR9o-WUm.d.ts} +53 -112
package/dist/{client-CqfpCc8Z.d.ts → client-C-qBRoea.d.mts} +53 -112
package/dist/index.d.mts +4 -2
package/dist/index.d.ts +4 -2
package/dist/index.js +124 -19
package/dist/index.js.map +1 -1
package/dist/index.mjs +121 -16
package/dist/index.mjs.map +1 -1
package/dist/middleware-K59XjpUX.d.mts +67 -0
package/dist/middleware-Tu_RlUAt.d.ts +67 -0
package/dist/ssr/middleware.d.mts +3 -0
package/dist/ssr/middleware.d.ts +3 -0
package/dist/ssr/middleware.js +461 -0
package/dist/ssr/middleware.js.map +1 -0
package/dist/ssr/middleware.mjs +428 -0
package/dist/ssr/middleware.mjs.map +1 -0
package/dist/ssr.d.mts +45 -66
package/dist/ssr.d.ts +45 -66
package/dist/ssr.js +234 -15
package/dist/ssr.js.map +1 -1
package/dist/ssr.mjs +233 -15
package/dist/ssr.mjs.map +1 -1
package/dist/types-Dk-44JJf.d.mts +130 -0
package/dist/types-Dk-44JJf.d.ts +130 -0
package/package.json +6 -1

package/dist/ssr.d.ts CHANGED Viewed

@@ -1,72 +1,27 @@
-import { a as InsForgeConfig, I as InsForgeClient, m as AuthRefreshResponse, e as InsForgeError } from './client-CqfpCc8Z.js';
+import { I as InsForgeClient } from './client-BR9o-WUm.js';
+import { I as InsForgeConfig, e as AuthRefreshResponse, d as InsForgeError } from './types-Dk-44JJf.js';
+import { A as AuthCookieSettings, C as CookieStore, a as CookieWriter } from './middleware-Tu_RlUAt.js';
+export { h as AuthCookieNames, i as AuthCookieOptions, j as CookieOptions, k as CookieReader, D as DEFAULT_ACCESS_TOKEN_COOKIE, c as DEFAULT_REFRESH_TOKEN_COOKIE, U as UpdateSessionOptions, b as UpdateSessionResult, d as accessTokenCookieOptions, e as clearAuthCookies, g as getAccessTokenCookieName, f as getRefreshTokenCookieName, r as refreshTokenCookieOptions, s as setAuthCookies, u as updateSession } from './middleware-Tu_RlUAt.js';
 import '@insforge/shared-schemas';
 import '@supabase/postgrest-js';
-declare const DEFAULT_ACCESS_TOKEN_COOKIE = "insforge_access_token";
-declare const DEFAULT_REFRESH_TOKEN_COOKIE = "insforge_refresh_token";
-interface AuthCookieNames {
-    accessToken?: string;
-    refreshToken?: string;
-}
-interface CookieOptions {
-    domain?: string;
-    path?: string;
-    expires?: Date;
-    maxAge?: number;
-    httpOnly?: boolean;
-    secure?: boolean;
-    sameSite?: 'lax' | 'strict' | 'none';
-}
-interface AuthCookieOptions {
-    accessToken?: CookieOptions;
-    refreshToken?: CookieOptions;
-}
-type CookieStoreValue = string | {
-    value?: string | null;
-} | undefined | null;
-interface CookieReader {
-    get(name: string): CookieStoreValue;
-}
-interface CookieWriter {
-    set?(name: string, value: string, options?: CookieOptions): unknown;
-    set?(options: {
-        name: string;
-        value: string;
-    } & CookieOptions): unknown;
-    delete?(name: string): unknown;
-    delete?(options: {
-        name: string;
-    } & CookieOptions): unknown;
-}
-interface CookieStore extends CookieReader, CookieWriter {
-}
-interface AuthCookieSettings {
-    names?: AuthCookieNames;
-    options?: AuthCookieOptions;
-}
-declare function getAccessTokenCookieName(names?: AuthCookieNames): string;
-declare function getRefreshTokenCookieName(names?: AuthCookieNames): string;
-declare function accessTokenCookieOptions(token: string, overrides?: CookieOptions): CookieOptions;
-declare function refreshTokenCookieOptions(token: string, overrides?: CookieOptions): CookieOptions;
-declare function setAuthCookies(cookies: CookieWriter | undefined, tokens: {
-    accessToken: string;
-    refreshToken?: string | null;
-}, settings?: AuthCookieSettings): void;
-declare function clearAuthCookies(cookies: CookieWriter | undefined, settings?: AuthCookieSettings): void;
-interface CreateBrowserClientOptions extends Omit<InsForgeConfig, 'edgeFunctionToken' | 'isServerMode' | 'auth'>, AuthCookieSettings {
+type BrowserAuth = Pick<InsForgeClient['auth'], 'getCurrentUser' | 'getProfile' | 'getPublicAuthConfig'>;
+type BrowserInsForgeClient = Omit<InsForgeClient, 'auth'> & {
+    readonly auth: BrowserAuth;
+};
+interface CreateBrowserClientOptions extends Omit<InsForgeConfig, 'accessToken' | 'edgeFunctionToken' | 'isServerMode' | 'auth'>, AuthCookieSettings {
     refreshUrl?: string;
     refreshLeewaySeconds?: number;
 }
-declare function createBrowserClient(options?: CreateBrowserClientOptions): InsForgeClient;
+declare function createBrowserClient(options?: CreateBrowserClientOptions): BrowserInsForgeClient;
-interface CreateServerClientOptions extends Omit<InsForgeConfig, 'edgeFunctionToken' | 'isServerMode' | 'auth'>, AuthCookieSettings {
+interface CreateServerClientOptions extends Omit<InsForgeConfig, 'accessToken' | 'edgeFunctionToken' | 'isServerMode' | 'auth'>, AuthCookieSettings {
     cookies?: Pick<CookieStore, 'get'>;
     accessToken?: string;
 }
 declare function createServerClient(options?: CreateServerClientOptions): InsForgeClient;
-interface RefreshAuthOptions extends Omit<InsForgeConfig, 'edgeFunctionToken' | 'isServerMode' | 'auth'>, AuthCookieSettings {
+interface RefreshAuthOptions extends Omit<InsForgeConfig, 'accessToken' | 'edgeFunctionToken' | 'isServerMode' | 'auth'>, AuthCookieSettings {
     request?: Request;
     cookies?: Pick<CookieStore, 'get'>;
     refreshToken?: string;
@@ -84,16 +39,40 @@ declare function createRefreshAuthRouter(options?: Omit<RefreshAuthOptions, 'req
     POST: RefreshAuthRouteHandler;
 };
-interface UpdateSessionOptions extends Omit<InsForgeConfig, 'edgeFunctionToken' | 'isServerMode' | 'auth'>, AuthCookieSettings {
-    requestCookies: CookieStore;
-    responseCookies: CookieStore;
-    refreshLeewaySeconds?: number;
+interface CreateAuthActionsOptions extends Omit<InsForgeConfig, 'accessToken' | 'edgeFunctionToken' | 'isServerMode' | 'auth'>, AuthCookieSettings {
+    /**
+     * Read/write cookie store. Use this in Next.js Server Actions:
+     * `createAuthActions({ cookies: await cookies() })`.
+     */
+    cookies?: CookieStore;
+    /**
+     * Request cookie reader. Use with `responseCookies` in Route Handlers where
+     * request and response cookies are separate objects.
+     */
+    requestCookies?: Pick<CookieStore, 'get'>;
+    /**
+     * Response cookie writer. Use with `requestCookies` in Route Handlers.
+     */
+    responseCookies?: CookieWriter;
 }
-interface UpdateSessionResult {
-    refreshed: boolean;
-    accessToken: string | null;
+type AuthTokenKeys = 'accessToken' | 'refreshToken' | 'csrfToken';
+type SafeAuthData<T> = Omit<NonNullable<T>, AuthTokenKeys>;
+type AuthResultData<TMethod extends (...args: any[]) => Promise<any>> = Awaited<ReturnType<TMethod>> extends {
+    data: infer TData;
+} ? TData : never;
+type SafeAuthAction<TMethod extends (...args: any[]) => Promise<any>> = (...args: Parameters<TMethod>) => Promise<{
+    data: SafeAuthData<AuthResultData<TMethod>> | null;
     error: InsForgeError | null;
+}>;
+interface AuthActions {
+    signUp: SafeAuthAction<InsForgeClient['auth']['signUp']>;
+    signInWithPassword: SafeAuthAction<InsForgeClient['auth']['signInWithPassword']>;
+    signInWithOAuth: InsForgeClient['auth']['signInWithOAuth'];
+    signInWithIdToken: SafeAuthAction<InsForgeClient['auth']['signInWithIdToken']>;
+    exchangeOAuthCode: SafeAuthAction<InsForgeClient['auth']['exchangeOAuthCode']>;
+    verifyEmail: SafeAuthAction<InsForgeClient['auth']['verifyEmail']>;
+    signOut: InsForgeClient['auth']['signOut'];
 }
-declare function updateSession(options: UpdateSessionOptions): Promise<UpdateSessionResult>;
+declare function createAuthActions(options?: CreateAuthActionsOptions): AuthActions;
-export { type AuthCookieNames, type AuthCookieOptions, type AuthCookieSettings, type CookieOptions, type CookieReader, type CookieStore, type CookieWriter, type CreateBrowserClientOptions, type CreateServerClientOptions, DEFAULT_ACCESS_TOKEN_COOKIE, DEFAULT_REFRESH_TOKEN_COOKIE, type RefreshAuthOptions, type RefreshAuthResult, type RefreshAuthRouteHandler, type UpdateSessionOptions, type UpdateSessionResult, accessTokenCookieOptions, clearAuthCookies, createBrowserClient, createRefreshAuthRouter, createServerClient, getAccessTokenCookieName, getRefreshTokenCookieName, refreshAuth, refreshTokenCookieOptions, setAuthCookies, updateSession };
+export { type AuthActions, AuthCookieSettings, CookieStore, CookieWriter, type CreateAuthActionsOptions, type CreateBrowserClientOptions, type CreateServerClientOptions, type RefreshAuthOptions, type RefreshAuthResult, type RefreshAuthRouteHandler, createAuthActions, createBrowserClient, createRefreshAuthRouter, createServerClient, refreshAuth };

package/dist/ssr.js CHANGED Viewed

@@ -34,6 +34,7 @@ __export(ssr_exports, {
   DEFAULT_REFRESH_TOKEN_COOKIE: () => DEFAULT_REFRESH_TOKEN_COOKIE,
   accessTokenCookieOptions: () => accessTokenCookieOptions,
   clearAuthCookies: () => clearAuthCookies,
+  createAuthActions: () => createAuthActions,
   createBrowserClient: () => createBrowserClient,
   createRefreshAuthRouter: () => createRefreshAuthRouter,
   createServerClient: () => createServerClient,
@@ -445,7 +446,7 @@ var HttpClient = class {
     return Math.round(jitter);
   }
   shouldRefreshAccessToken(statusCode, errorCode, authToken, options = {}) {
-    return statusCode === 401 && REFRESHABLE_AUTH_ERROR_CODES.has(errorCode ?? "") && !this.config.isServerMode && !this.config.edgeFunctionToken && !options.skipAuthRefresh && authToken !== null;
+    return statusCode === 401 && REFRESHABLE_AUTH_ERROR_CODES.has(errorCode ?? "") && !this.config.isServerMode && !this.config.accessToken && !this.config.edgeFunctionToken && !options.skipAuthRefresh && authToken !== null;
   }
   async fetchWithRetry(args) {
     const {
@@ -881,19 +882,32 @@ var HttpClient = class {
 // src/modules/auth/helpers.ts
 var PKCE_VERIFIER_KEY = "insforge_pkce_verifier";
+async function getWebCrypto() {
+  const webCrypto = globalThis.crypto;
+  if (typeof webCrypto?.getRandomValues === "function" && webCrypto.subtle) {
+    return webCrypto;
+  }
+  if (typeof process !== "undefined" && process.versions?.node) {
+    const { webcrypto } = await import("crypto");
+    return webcrypto;
+  }
+  throw new Error("Web Crypto API is not available in this environment");
+}
 function base64UrlEncode(buffer) {
   const base64 = btoa(String.fromCharCode(...buffer));
   return base64.replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
 }
-function generateCodeVerifier() {
+async function generateCodeVerifier() {
+  const webCrypto = await getWebCrypto();
   const array = new Uint8Array(32);
-  crypto.getRandomValues(array);
+  webCrypto.getRandomValues(array);
   return base64UrlEncode(array);
 }
 async function generateCodeChallenge(verifier) {
+  const webCrypto = await getWebCrypto();
   const encoder = new TextEncoder();
   const data = encoder.encode(verifier);
-  const hash = await crypto.subtle.digest("SHA-256", data);
+  const hash = await webCrypto.subtle.digest("SHA-256", data);
   return base64UrlEncode(new Uint8Array(hash));
 }
 function storePkceVerifier(verifier) {
@@ -940,7 +954,7 @@ var Auth = class {
     this.http = http;
     this.tokenManager = tokenManager;
     this.options = options;
-    this.authCallbackHandled = this.detectAuthCallback();
+    this.authCallbackHandled = options.detectOAuthCallback === false ? Promise.resolve() : this.detectAuthCallback();
   }
   isServerMode() {
     return !!this.options.isServerMode;
@@ -1086,7 +1100,7 @@ var Auth = class {
       }
       const { provider } = signInOptions;
       const providerKey = encodeURIComponent(provider.toLowerCase());
-      const codeVerifier = generateCodeVerifier();
+      const codeVerifier = await generateCodeVerifier();
       const codeChallenge = await generateCodeChallenge(codeVerifier);
       storePkceVerifier(codeVerifier);
       const params = {
@@ -1657,7 +1671,7 @@ var StorageBucket = class {
           size: file.size,
           mimeType: file.type || "application/octet-stream",
           uploadedAt: (/* @__PURE__ */ new Date()).toISOString(),
-          url: this.getPublicUrl(strategy.key)
+          url: this.getPublicUrl(strategy.key).data.publicUrl
         },
         error: null
       };
@@ -1729,11 +1743,101 @@ var StorageBucket = class {
     }
   }
   /**
-   * Get public URL for a file
+   * Get the public URL for an object in a public bucket.
+   *
+   * Pure string construction — no network call, no auth. The URL only resolves
+   * if the bucket is public; for private objects use {@link createSignedUrl}.
+   *
    * @param path - The object key/path
+   * @returns `{ data: { publicUrl }, error }` — matches the external SDK pattern,
+   *   so `const { data } = getPublicUrl(path)` then `data.publicUrl`.
    */
   getPublicUrl(path) {
-    return `${this.http.baseUrl}/api/storage/buckets/${this.bucketName}/objects/${encodeURIComponent(path)}`;
+    const publicUrl = `${this.http.baseUrl}/api/storage/buckets/${this.bucketName}/objects/${encodeURIComponent(path)}`;
+    return { data: { publicUrl }, error: null };
+  }
+  /**
+   * Resolve a download strategy (signed or direct URL) for an object with a
+   * caller-supplied TTL. Prefers the canonical GET route and falls back to the
+   * legacy POST alias so signed-URL creation still works against older backends
+   * that predate the GET route (they return 404/405 for it). A genuine
+   * "object not found" (STORAGE_NOT_FOUND) is not retried.
+   */
+  async requestDownloadStrategy(path, expiresIn) {
+    const encoded = encodeURIComponent(path);
+    try {
+      return await this.http.get(
+        `/api/storage/buckets/${this.bucketName}/download-strategy/objects/${encoded}`,
+        { params: { expiresIn: expiresIn.toString() } }
+      );
+    } catch (error) {
+      const status = error instanceof InsForgeError ? error.statusCode : void 0;
+      const isMissingRoute = (status === 404 || status === 405) && !(error instanceof InsForgeError && error.error === "STORAGE_NOT_FOUND");
+      if (!isMissingRoute) throw error;
+      return await this.http.post(
+        `/api/storage/buckets/${this.bucketName}/objects/${encoded}/download-strategy`,
+        { expiresIn }
+      );
+    }
+  }
+  /**
+   * Create a signed URL for an object.
+   *
+   * Returns a time-limited, credential-free URL that can be handed directly to
+   * a browser (`<img src>`), an email, or a third party — no SDK or session is
+   * needed to fetch it. Authorization is enforced when the URL is minted (the
+   * caller must be allowed to read the object), so the resulting link is a
+   * pre-authorized capability scoped to this one object until it expires.
+   *
+   * @param path - The object key/path
+   * @param expiresIn - Lifetime in seconds (default 3600 = 1h, max 604800 = 7d).
+   *   Honored for private buckets; public buckets return their long-lived URL.
+   */
+  async createSignedUrl(path, expiresIn = 3600) {
+    try {
+      const strategy = await this.requestDownloadStrategy(path, expiresIn);
+      return {
+        data: {
+          signedUrl: strategy.url,
+          expiresAt: strategy.expiresAt ? new Date(strategy.expiresAt).toISOString() : null
+        },
+        error: null
+      };
+    } catch (error) {
+      return {
+        data: null,
+        error: error instanceof InsForgeError ? error : new InsForgeError("Failed to create signed URL", 500, "STORAGE_ERROR")
+      };
+    }
+  }
+  /**
+   * Create signed URLs for multiple objects in a single call.
+   *
+   * Each entry resolves independently: a failure on one key (not found / not
+   * permitted) is reported on that entry's `error` without failing the rest.
+   *
+   * @param paths - The object keys/paths
+   * @param expiresIn - Lifetime in seconds (default 3600 = 1h, max 604800 = 7d)
+   */
+  async createSignedUrls(paths, expiresIn = 3600) {
+    try {
+      const data = await Promise.all(
+        paths.map(async (path) => {
+          const { data: signed, error } = await this.createSignedUrl(path, expiresIn);
+          return {
+            path,
+            signedUrl: signed?.signedUrl ?? null,
+            error: error ? error.message : null
+          };
+        })
+      );
+      return { data, error: null };
+    } catch (error) {
+      return {
+        data: null,
+        error: error instanceof InsForgeError ? error : new InsForgeError("Failed to create signed URLs", 500, "STORAGE_ERROR")
+      };
+    }
   }
   /**
    * List objects in the bucket
@@ -2712,12 +2816,14 @@ var InsForgeClient = class {
     const logger = new Logger(config.debug);
     this.tokenManager = new TokenManager();
     this.http = new HttpClient(config, this.tokenManager, logger);
-    if (config.edgeFunctionToken) {
-      this.http.setAuthToken(config.edgeFunctionToken);
-      this.tokenManager.setAccessToken(config.edgeFunctionToken);
+    const accessToken = config.accessToken ?? config.edgeFunctionToken;
+    if (accessToken) {
+      this.http.setAuthToken(accessToken);
+      this.tokenManager.setAccessToken(accessToken);
     }
     this.auth = new Auth(this.http, this.tokenManager, {
-      isServerMode: config.isServerMode ?? !!config.edgeFunctionToken
+      isServerMode: config.isServerMode ?? !!accessToken,
+      detectOAuthCallback: config.auth?.detectOAuthCallback
     });
     this.database = new Database(this.http);
     this.storage = new Storage(this.http);
@@ -3123,7 +3229,13 @@ function createBrowserClient(options = {}) {
     ...options,
     baseUrl,
     anonKey,
-    fetch: ssrFetch
+    fetch: ssrFetch,
+    // Browser clients manage tokens via the refresh route, not a static
+    // config token; shadow any untyped accessToken in the options spread.
+    accessToken: void 0,
+    auth: {
+      detectOAuthCallback: false
+    }
   });
   const setAccessToken = client.setAccessToken.bind(client);
   client.setAccessToken = (token) => {
@@ -3161,7 +3273,10 @@ function createServerClient(options = {}) {
     baseUrl,
     anonKey,
     isServerMode: true,
-    edgeFunctionToken: accessToken ?? void 0
+    accessToken: accessToken ?? void 0,
+    // The cookie/option token is the only credential source here; shadow any
+    // untyped edgeFunctionToken smuggled through the options spread.
+    edgeFunctionToken: void 0
   });
 }
@@ -3325,6 +3440,109 @@ function createRefreshAuthRouter(options = {}) {
   };
 }
+// src/ssr/auth-actions.ts
+function persistSessionCookies(cookies, data, settings) {
+  if (!data?.accessToken) return;
+  setAuthCookies(
+    cookies,
+    {
+      accessToken: data.accessToken,
+      refreshToken: data.refreshToken
+    },
+    settings
+  );
+}
+function sanitizeAuthData(data) {
+  if (!data) return null;
+  const {
+    accessToken: _accessToken,
+    refreshToken: _refreshToken,
+    csrfToken: _csrfToken,
+    ...safeData
+  } = data;
+  return safeData;
+}
+function toSafeAuthResult(result) {
+  return {
+    data: sanitizeAuthData(result.data),
+    error: result.error
+  };
+}
+function createAuthActions(options = {}) {
+  const {
+    cookies,
+    requestCookies,
+    responseCookies,
+    names,
+    options: cookieOptions,
+    ...clientOptions
+  } = options;
+  const readCookies = requestCookies ?? cookies;
+  const writeCookies = responseCookies ?? cookies;
+  if (!writeCookies?.set) {
+    throw new Error(
+      "createAuthActions() requires a writable cookie store. Pass cookies in Server Actions or responseCookies in Route Handlers."
+    );
+  }
+  const cookieSettings = {
+    names,
+    options: cookieOptions
+  };
+  const createClient = () => createServerClient({
+    ...clientOptions,
+    names,
+    options: cookieOptions,
+    cookies: readCookies
+  });
+  return {
+    signUp: async (request) => {
+      const result = await createClient().auth.signUp(request);
+      persistSessionCookies(writeCookies, result.data, cookieSettings);
+      return toSafeAuthResult(result);
+    },
+    signInWithPassword: async (request) => {
+      const result = await createClient().auth.signInWithPassword(request);
+      persistSessionCookies(writeCookies, result.data, cookieSettings);
+      return toSafeAuthResult(
+        result
+      );
+    },
+    signInWithOAuth: async (providerOrOptions, signInOptions) => {
+      return createClient().auth.signInWithOAuth(
+        providerOrOptions,
+        signInOptions
+      );
+    },
+    signInWithIdToken: async (credentials) => {
+      const result = await createClient().auth.signInWithIdToken(credentials);
+      persistSessionCookies(writeCookies, result.data, cookieSettings);
+      return toSafeAuthResult(
+        result
+      );
+    },
+    exchangeOAuthCode: async (code, codeVerifier) => {
+      const result = await createClient().auth.exchangeOAuthCode(
+        code,
+        codeVerifier
+      );
+      persistSessionCookies(writeCookies, result.data, cookieSettings);
+      return toSafeAuthResult(
+        result
+      );
+    },
+    verifyEmail: async (request) => {
+      const result = await createClient().auth.verifyEmail(request);
+      persistSessionCookies(writeCookies, result.data, cookieSettings);
+      return toSafeAuthResult(result);
+    },
+    signOut: async () => {
+      const result = await createClient().auth.signOut();
+      clearAuthCookies(writeCookies, cookieSettings);
+      return result;
+    }
+  };
+}
 // src/ssr/update-session.ts
 async function updateSession(options) {
   const accessCookieName = getAccessTokenCookieName(options.names);
@@ -3386,6 +3604,7 @@ async function updateSession(options) {
   DEFAULT_REFRESH_TOKEN_COOKIE,
   accessTokenCookieOptions,
   clearAuthCookies,
+  createAuthActions,
   createBrowserClient,
   createRefreshAuthRouter,
   createServerClient,