@instroc/auth 1.1.0 → 1.2.0

package/dist/{chunk-GV63J77S.js → chunk-E6J2FYDA.js}

@@ -27,10 +27,34 @@ function authErrorFromResponse(response, data, fallbackMessage) {
   return new AuthError(message, response.status, body.code);
 }
 
+// src/version.ts
+var SDK_NAME = "instroc-auth";
+var SDK_VERSION = true ? "1.2.0" : "0.0.0-dev";
+function withSdkHeader(init) {
+  const headers = new Headers(init?.headers ?? {});
+  headers.set("X-Instroc-SDK", `${SDK_NAME}/${SDK_VERSION}`);
+  return { ...init, headers };
+}
+
 // src/provider.tsx
 import { jsx } from "react/jsx-runtime";
 var AuthContext = createContext(null);
 var STORAGE_KEY = "instroc_auth_session";
+var WARNING_SESSION_KEY = "instroc_auth_sdk_warning_seen";
+function noteDeprecationWarning(response) {
+  const warning = response.headers?.get?.("X-Instroc-SDK-Warning");
+  if (!warning)
+    return;
+  if (typeof window === "undefined")
+    return;
+  try {
+    if (sessionStorage.getItem(WARNING_SESSION_KEY))
+      return;
+    sessionStorage.setItem(WARNING_SESSION_KEY, "1");
+  } catch {
+  }
+  console.warn(`[instroc-auth] ${warning}`);
+}
 function AuthProvider({
   children,
   projectId: initialProjectId,
@@ -57,10 +81,14 @@ function AuthProvider({
     },
     [projectId, baseUrl]
   );
-  const authFetch = useCallback(
-    (url, init) => fetch(url, { ...init, credentials: "include" }),
-    []
-  );
+  const authFetch = useCallback(async (url, init) => {
+    const response = await fetch(url, {
+      ...withSdkHeader(init),
+      credentials: "include"
+    });
+    noteDeprecationWarning(response);
+    return response;
+  }, []);
   const saveSession = useCallback(
     (sessionData) => {
       if (persistSession && typeof window !== "undefined") {
@@ -433,7 +461,11 @@ function AuthProvider({
     if (!projectId)
       return;
     try {
-      const response = await fetch(`${baseUrl}/${projectId}/auth/config`);
+      const response = await fetch(
+        `${baseUrl}/${projectId}/auth/config`,
+        withSdkHeader()
+      );
+      noteDeprecationWarning(response);
       if (response.ok) {
         const data = await response.json();
         setAuthConfig(data.config || null);
@@ -476,11 +508,14 @@ function AuthProvider({
     const params = new URLSearchParams(window.location.search);
     const verifyEmailToken = params.get("verify_email");
     if (verifyEmailToken && projectId) {
-      fetch(buildUrl("verify-email"), {
-        method: "POST",
-        headers: { "Content-Type": "application/json" },
-        body: JSON.stringify({ token: verifyEmailToken })
-      }).then((res) => res.json()).then(() => {
+      fetch(
+        buildUrl("verify-email"),
+        withSdkHeader({
+          method: "POST",
+          headers: { "Content-Type": "application/json" },
+          body: JSON.stringify({ token: verifyEmailToken })
+        })
+      ).then((res) => res.json()).then(() => {
         window.history.replaceState({}, "", window.location.pathname);
       }).catch(() => {
         window.history.replaceState({}, "", window.location.pathname);
@@ -561,6 +596,30 @@ function useAuthRequired() {
   }
   return { user, session, loading: false };
 }
+function useIsOwner() {
+  const { user, session, loading } = useAuthContext();
+  if (loading || !user || !session)
+    return false;
+  if (user.is_owner === true)
+    return true;
+  const claim = decodeIsOwnerClaim(session.access_token);
+  return claim === true;
+}
+function decodeIsOwnerClaim(accessToken) {
+  try {
+    const parts = accessToken.split(".");
+    if (parts.length !== 3)
+      return void 0;
+    const payload = parts[1];
+    const base64 = payload.replace(/-/g, "+").replace(/_/g, "/");
+    const padded = base64 + "=".repeat((4 - base64.length % 4) % 4);
+    const json = typeof atob !== "undefined" ? atob(padded) : Buffer.from(padded, "base64").toString("utf-8");
+    const decoded = JSON.parse(json);
+    return decoded.is_owner;
+  } catch {
+    return void 0;
+  }
+}
 
 // src/forms/use-form-action.ts
 function resolveErrorMessage(err, messages, fallback) {
@@ -927,6 +986,7 @@ export {
   useUser,
   useSession,
   useAuthRequired,
+  useIsOwner,
   useLoginForm,
   useSignupForm,
   useOtpForm,

package/dist/forms.d.ts

@@ -1 +1 @@
-export { M as MessageOverrides, O as OnErrorResult, m as UseForgotPasswordFormOptions, n as UseForgotPasswordFormReturn, U as UseLoginFormOptions, h as UseLoginFormReturn, k as UseOtpFormOptions, l as UseOtpFormReturn, o as UseResetPasswordFormOptions, p as UseResetPasswordFormReturn, i as UseSignupFormOptions, j as UseSignupFormReturn, f as useForgotPasswordForm, u as useLoginForm, e as useOtpForm, g as useResetPasswordForm, d as useSignupForm } from './index-D4rCSC9H.js';
+export { M as MessageOverrides, O as OnErrorResult, m as UseForgotPasswordFormOptions, n as UseForgotPasswordFormReturn, U as UseLoginFormOptions, h as UseLoginFormReturn, k as UseOtpFormOptions, l as UseOtpFormReturn, o as UseResetPasswordFormOptions, p as UseResetPasswordFormReturn, i as UseSignupFormOptions, j as UseSignupFormReturn, f as useForgotPasswordForm, u as useLoginForm, e as useOtpForm, g as useResetPasswordForm, d as useSignupForm } from './index-iglVgSQI.js';

package/dist/forms.js

@@ -4,7 +4,7 @@ import {
   useOtpForm,
   useResetPasswordForm,
   useSignupForm
-} from "./chunk-GV63J77S.js";
+} from "./chunk-E6J2FYDA.js";
 export {
   useForgotPasswordForm,
   useLoginForm,

package/dist/{index-D4rCSC9H.d.ts → index-iglVgSQI.d.ts}

@@ -6,6 +6,13 @@ interface AuthUser {
     avatar_url: string | null;
     metadata: Record<string, unknown>;
     created_at: string;
+    /**
+     * True for the project owner (first user or explicitly designated). Mirrors
+     * the `is_owner` JWT claim used for RLS bypass on the server. Templates
+     * gate admin UIs (/admin, /studio) on this field so only the owner sees
+     * CRUD controls in production.
+     */
+    is_owner?: boolean;
 }
 interface AuthSession {
     access_token: string;

package/dist/index.d.ts

@@ -1,5 +1,5 @@
-import { A as AuthProviderProps, a as AuthContextValue, b as AuthUser, c as AuthSession } from './index-D4rCSC9H.js';
-export { r as AuthConfig, w as AuthResponse, q as AuthState, L as LoginCredentials, M as MessageOverrides, s as OAuthProvider, O as OnErrorResult, R as RefreshResponse, S as SignupCredentials, t as SignupResult, v as UpdateProfileData, m as UseForgotPasswordFormOptions, n as UseForgotPasswordFormReturn, U as UseLoginFormOptions, h as UseLoginFormReturn, k as UseOtpFormOptions, l as UseOtpFormReturn, o as UseResetPasswordFormOptions, p as UseResetPasswordFormReturn, i as UseSignupFormOptions, j as UseSignupFormReturn, V as VisibilityConfig, f as useForgotPasswordForm, u as useLoginForm, e as useOtpForm, g as useResetPasswordForm, d as useSignupForm } from './index-D4rCSC9H.js';
+import { A as AuthProviderProps, a as AuthContextValue, b as AuthUser, c as AuthSession } from './index-iglVgSQI.js';
+export { r as AuthConfig, w as AuthResponse, q as AuthState, L as LoginCredentials, M as MessageOverrides, s as OAuthProvider, O as OnErrorResult, R as RefreshResponse, S as SignupCredentials, t as SignupResult, v as UpdateProfileData, m as UseForgotPasswordFormOptions, n as UseForgotPasswordFormReturn, U as UseLoginFormOptions, h as UseLoginFormReturn, k as UseOtpFormOptions, l as UseOtpFormReturn, o as UseResetPasswordFormOptions, p as UseResetPasswordFormReturn, i as UseSignupFormOptions, j as UseSignupFormReturn, V as VisibilityConfig, f as useForgotPasswordForm, u as useLoginForm, e as useOtpForm, g as useResetPasswordForm, d as useSignupForm } from './index-iglVgSQI.js';
 
 declare function AuthProvider({ children, projectId: initialProjectId, baseUrl, persistSession, onAuthStateChange, }: AuthProviderProps): JSX.Element;
 declare function useAuthContext(): AuthContextValue;
@@ -22,6 +22,18 @@ declare function useAuthRequired(): {
     session: AuthSession | null;
     loading: boolean;
 };
+/**
+ * Returns true if the current user is the project owner. Used by templates
+ * to gate admin/studio routes.
+ *
+ * Reads `user.is_owner` first (populated by the `/me` endpoint). Falls back
+ * to decoding the access token's `is_owner` claim so the check is accurate
+ * immediately after login (the login response doesn't echo is_owner — only
+ * `/me` does, and that only runs on mount).
+ *
+ * Returns `false` while loading or when unauthenticated.
+ */
+declare function useIsOwner(): boolean;
 
 /**
  * Typed error thrown by every `@instroc/auth` method when the server responds
@@ -54,4 +66,4 @@ declare class AuthError extends Error {
     constructor(message: string, status: number, code?: string);
 }
 
-export { AuthContextValue, AuthError, AuthProvider, AuthProviderProps, AuthSession, AuthUser, useAuth, useAuthContext, useAuthRequired, useSession, useUser };
+export { AuthContextValue, AuthError, AuthProvider, AuthProviderProps, AuthSession, AuthUser, useAuth, useAuthContext, useAuthRequired, useIsOwner, useSession, useUser };

package/dist/index.js

@@ -5,13 +5,14 @@ import {
   useAuthContext,
   useAuthRequired,
   useForgotPasswordForm,
+  useIsOwner,
   useLoginForm,
   useOtpForm,
   useResetPasswordForm,
   useSession,
   useSignupForm,
   useUser
-} from "./chunk-GV63J77S.js";
+} from "./chunk-E6J2FYDA.js";
 export {
   AuthError,
   AuthProvider,
@@ -19,6 +20,7 @@ export {
   useAuthContext,
   useAuthRequired,
   useForgotPasswordForm,
+  useIsOwner,
   useLoginForm,
   useOtpForm,
   useResetPasswordForm,

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@instroc/auth",
-  "version": "1.1.0",
+  "version": "1.2.0",
   "description": "Authentication hooks for Instroc Cloud — useAuth, useUser, AuthProvider, and headless form hooks",
   "type": "module",
   "main": "dist/index.js",
@@ -18,10 +18,6 @@
   "files": [
     "dist"
   ],
-  "scripts": {
-    "build": "tsup",
-    "dev": "tsup --watch"
-  },
   "peerDependencies": {
     "react": "^18.0.0"
   },
@@ -39,5 +35,9 @@
   },
   "publishConfig": {
     "access": "public"
+  },
+  "scripts": {
+    "build": "tsup",
+    "dev": "tsup --watch"
   }
-}
+}