@instroc/auth 1.1.1 → 1.3.0

package/dist/{chunk-T7NGX4DQ.js → chunk-WPSPVFVM.js}

@@ -1,5 +1,8 @@
 // src/forms/use-login-form.ts
-import { useState as useState2, useCallback as useCallback2, useRef as useRef2, useEffect as useEffect2 } from "react";
+import { useState as useState3, useCallback as useCallback2, useRef as useRef2, useEffect as useEffect3 } from "react";
+
+// src/use-auth.ts
+import { useEffect as useEffect2, useState as useState2 } from "react";
 
 // src/provider.tsx
 import {
@@ -29,7 +32,7 @@ function authErrorFromResponse(response, data, fallbackMessage) {
 
 // src/version.ts
 var SDK_NAME = "instroc-auth";
-var SDK_VERSION = true ? "1.1.1" : "0.0.0-dev";
+var SDK_VERSION = true ? "1.3.0" : "0.0.0-dev";
 function withSdkHeader(init) {
   const headers = new Headers(init?.headers ?? {});
   headers.set("X-Instroc-SDK", `${SDK_NAME}/${SDK_VERSION}`);
@@ -42,7 +45,7 @@ var AuthContext = createContext(null);
 var STORAGE_KEY = "instroc_auth_session";
 var WARNING_SESSION_KEY = "instroc_auth_sdk_warning_seen";
 function noteDeprecationWarning(response) {
-  const warning = response.headers.get("X-Instroc-SDK-Warning");
+  const warning = response.headers?.get?.("X-Instroc-SDK-Warning");
   if (!warning)
     return;
   if (typeof window === "undefined")
@@ -596,6 +599,67 @@ function useAuthRequired() {
   }
   return { user, session, loading: false };
 }
+function useIsOwner() {
+  const { user, session, loading } = useAuthContext();
+  if (loading || !user || !session)
+    return false;
+  if (user.is_owner === true)
+    return true;
+  const claim = decodeIsOwnerClaim(session.access_token);
+  return claim === true;
+}
+function useIsWorkspaceMember() {
+  const [isMember, setIsMember] = useState2(() => isDevHost());
+  useEffect2(() => {
+    if (typeof window === "undefined")
+      return;
+    let cancelled = false;
+    (async () => {
+      try {
+        const res = await fetch("/__instroc/workspace-status", {
+          credentials: "include",
+          cache: "no-store"
+        });
+        if (cancelled)
+          return;
+        if (!res.ok) {
+          setIsMember(isDevHost());
+          return;
+        }
+        const data = await res.json();
+        setIsMember(data.isWorkspaceMember === true);
+      } catch {
+        if (!cancelled)
+          setIsMember(isDevHost());
+      }
+    })();
+    return () => {
+      cancelled = true;
+    };
+  }, []);
+  return isMember;
+}
+function isDevHost() {
+  if (typeof window === "undefined")
+    return false;
+  const h = window.location.hostname;
+  return h === "localhost" || h === "127.0.0.1" || h.endsWith(".fly.dev") || h.endsWith(".workers.dev");
+}
+function decodeIsOwnerClaim(accessToken) {
+  try {
+    const parts = accessToken.split(".");
+    if (parts.length !== 3)
+      return void 0;
+    const payload = parts[1];
+    const base64 = payload.replace(/-/g, "+").replace(/_/g, "/");
+    const padded = base64 + "=".repeat((4 - base64.length % 4) % 4);
+    const json = typeof atob !== "undefined" ? atob(padded) : Buffer.from(padded, "base64").toString("utf-8");
+    const decoded = JSON.parse(json);
+    return decoded.is_owner;
+  } catch {
+    return void 0;
+  }
+}
 
 // src/forms/use-form-action.ts
 function resolveErrorMessage(err, messages, fallback) {
@@ -623,10 +687,10 @@ function applyErrorResult(err, onError, messages, fallback, setError) {
 function useLoginForm(options = {}) {
   const { login, user } = useAuth();
   const { onSuccess, onNeedsVerification, onError, messages } = options;
-  const [loading, setLoading] = useState2(false);
-  const [error, setError] = useState2(null);
+  const [loading, setLoading] = useState3(false);
+  const [error, setError] = useState3(null);
   const mountedRef = useRef2(true);
-  useEffect2(() => {
+  useEffect3(() => {
     mountedRef.current = true;
     return () => {
       mountedRef.current = false;
@@ -678,14 +742,14 @@ function useLoginForm(options = {}) {
 }
 
 // src/forms/use-signup-form.ts
-import { useState as useState3, useCallback as useCallback3, useRef as useRef3, useEffect as useEffect3 } from "react";
+import { useState as useState4, useCallback as useCallback3, useRef as useRef3, useEffect as useEffect4 } from "react";
 function useSignupForm(options = {}) {
   const { signup } = useAuth();
   const { onSuccess, onNeedsVerification, onNeedsApproval, onError, messages } = options;
-  const [loading, setLoading] = useState3(false);
-  const [error, setError] = useState3(null);
+  const [loading, setLoading] = useState4(false);
+  const [error, setError] = useState4(null);
   const mountedRef = useRef3(true);
-  useEffect3(() => {
+  useEffect4(() => {
     mountedRef.current = true;
     return () => {
       mountedRef.current = false;
@@ -742,7 +806,7 @@ function useSignupForm(options = {}) {
 }
 
 // src/forms/use-otp-form.ts
-import { useState as useState4, useCallback as useCallback4, useRef as useRef4, useEffect as useEffect4 } from "react";
+import { useState as useState5, useCallback as useCallback4, useRef as useRef4, useEffect as useEffect5 } from "react";
 function useOtpForm(options) {
   const { verifyOTP, resendOTP } = useAuth();
   const {
@@ -753,18 +817,18 @@ function useOtpForm(options) {
     messages,
     resendCooldownSeconds = 60
   } = options;
-  const [loading, setLoading] = useState4(false);
-  const [resending, setResending] = useState4(false);
-  const [resendCooldown, setResendCooldown] = useState4(0);
-  const [error, setError] = useState4(null);
+  const [loading, setLoading] = useState5(false);
+  const [resending, setResending] = useState5(false);
+  const [resendCooldown, setResendCooldown] = useState5(0);
+  const [error, setError] = useState5(null);
   const mountedRef = useRef4(true);
-  useEffect4(() => {
+  useEffect5(() => {
     mountedRef.current = true;
     return () => {
       mountedRef.current = false;
     };
   }, []);
-  useEffect4(() => {
+  useEffect5(() => {
     if (resendCooldown <= 0)
       return;
     const id = setTimeout(() => setResendCooldown((s) => s - 1), 1e3);
@@ -846,15 +910,15 @@ function useOtpForm(options) {
 }
 
 // src/forms/use-forgot-password-form.ts
-import { useState as useState5, useCallback as useCallback5, useRef as useRef5, useEffect as useEffect5 } from "react";
+import { useState as useState6, useCallback as useCallback5, useRef as useRef5, useEffect as useEffect6 } from "react";
 function useForgotPasswordForm(options = {}) {
   const { forgotPassword } = useAuth();
   const { onSuccess, onError, messages } = options;
-  const [loading, setLoading] = useState5(false);
-  const [submitted, setSubmitted] = useState5(false);
-  const [error, setError] = useState5(null);
+  const [loading, setLoading] = useState6(false);
+  const [submitted, setSubmitted] = useState6(false);
+  const [error, setError] = useState6(null);
   const mountedRef = useRef5(true);
-  useEffect5(() => {
+  useEffect6(() => {
     mountedRef.current = true;
     return () => {
       mountedRef.current = false;
@@ -909,14 +973,14 @@ function useForgotPasswordForm(options = {}) {
 }
 
 // src/forms/use-reset-password-form.ts
-import { useState as useState6, useCallback as useCallback6, useRef as useRef6, useEffect as useEffect6 } from "react";
+import { useState as useState7, useCallback as useCallback6, useRef as useRef6, useEffect as useEffect7 } from "react";
 function useResetPasswordForm(options) {
   const { resetPassword } = useAuth();
   const { token, onSuccess, onError, messages } = options;
-  const [loading, setLoading] = useState6(false);
-  const [error, setError] = useState6(null);
+  const [loading, setLoading] = useState7(false);
+  const [error, setError] = useState7(null);
   const mountedRef = useRef6(true);
-  useEffect6(() => {
+  useEffect7(() => {
     mountedRef.current = true;
     return () => {
       mountedRef.current = false;
@@ -962,6 +1026,8 @@ export {
   useUser,
   useSession,
   useAuthRequired,
+  useIsOwner,
+  useIsWorkspaceMember,
   useLoginForm,
   useSignupForm,
   useOtpForm,

package/dist/forms.d.ts

@@ -1 +1 @@
-export { M as MessageOverrides, O as OnErrorResult, m as UseForgotPasswordFormOptions, n as UseForgotPasswordFormReturn, U as UseLoginFormOptions, h as UseLoginFormReturn, k as UseOtpFormOptions, l as UseOtpFormReturn, o as UseResetPasswordFormOptions, p as UseResetPasswordFormReturn, i as UseSignupFormOptions, j as UseSignupFormReturn, f as useForgotPasswordForm, u as useLoginForm, e as useOtpForm, g as useResetPasswordForm, d as useSignupForm } from './index-D4rCSC9H.js';
+export { M as MessageOverrides, O as OnErrorResult, m as UseForgotPasswordFormOptions, n as UseForgotPasswordFormReturn, U as UseLoginFormOptions, h as UseLoginFormReturn, k as UseOtpFormOptions, l as UseOtpFormReturn, o as UseResetPasswordFormOptions, p as UseResetPasswordFormReturn, i as UseSignupFormOptions, j as UseSignupFormReturn, f as useForgotPasswordForm, u as useLoginForm, e as useOtpForm, g as useResetPasswordForm, d as useSignupForm } from './index-iglVgSQI.js';

package/dist/forms.js

@@ -4,7 +4,7 @@ import {
   useOtpForm,
   useResetPasswordForm,
   useSignupForm
-} from "./chunk-T7NGX4DQ.js";
+} from "./chunk-WPSPVFVM.js";
 export {
   useForgotPasswordForm,
   useLoginForm,

package/dist/{index-D4rCSC9H.d.ts → index-iglVgSQI.d.ts}

@@ -6,6 +6,13 @@ interface AuthUser {
     avatar_url: string | null;
     metadata: Record<string, unknown>;
     created_at: string;
+    /**
+     * True for the project owner (first user or explicitly designated). Mirrors
+     * the `is_owner` JWT claim used for RLS bypass on the server. Templates
+     * gate admin UIs (/admin, /studio) on this field so only the owner sees
+     * CRUD controls in production.
+     */
+    is_owner?: boolean;
 }
 interface AuthSession {
     access_token: string;

package/dist/index.d.ts

@@ -1,5 +1,5 @@
-import { A as AuthProviderProps, a as AuthContextValue, b as AuthUser, c as AuthSession } from './index-D4rCSC9H.js';
-export { r as AuthConfig, w as AuthResponse, q as AuthState, L as LoginCredentials, M as MessageOverrides, s as OAuthProvider, O as OnErrorResult, R as RefreshResponse, S as SignupCredentials, t as SignupResult, v as UpdateProfileData, m as UseForgotPasswordFormOptions, n as UseForgotPasswordFormReturn, U as UseLoginFormOptions, h as UseLoginFormReturn, k as UseOtpFormOptions, l as UseOtpFormReturn, o as UseResetPasswordFormOptions, p as UseResetPasswordFormReturn, i as UseSignupFormOptions, j as UseSignupFormReturn, V as VisibilityConfig, f as useForgotPasswordForm, u as useLoginForm, e as useOtpForm, g as useResetPasswordForm, d as useSignupForm } from './index-D4rCSC9H.js';
+import { A as AuthProviderProps, a as AuthContextValue, b as AuthUser, c as AuthSession } from './index-iglVgSQI.js';
+export { r as AuthConfig, w as AuthResponse, q as AuthState, L as LoginCredentials, M as MessageOverrides, s as OAuthProvider, O as OnErrorResult, R as RefreshResponse, S as SignupCredentials, t as SignupResult, v as UpdateProfileData, m as UseForgotPasswordFormOptions, n as UseForgotPasswordFormReturn, U as UseLoginFormOptions, h as UseLoginFormReturn, k as UseOtpFormOptions, l as UseOtpFormReturn, o as UseResetPasswordFormOptions, p as UseResetPasswordFormReturn, i as UseSignupFormOptions, j as UseSignupFormReturn, V as VisibilityConfig, f as useForgotPasswordForm, u as useLoginForm, e as useOtpForm, g as useResetPasswordForm, d as useSignupForm } from './index-iglVgSQI.js';
 
 declare function AuthProvider({ children, projectId: initialProjectId, baseUrl, persistSession, onAuthStateChange, }: AuthProviderProps): JSX.Element;
 declare function useAuthContext(): AuthContextValue;
@@ -22,6 +22,47 @@ declare function useAuthRequired(): {
     session: AuthSession | null;
     loading: boolean;
 };
+/**
+ * Returns true if the current user is the project owner. Used by templates
+ * to gate admin/studio routes.
+ *
+ * Reads `user.is_owner` first (populated by the `/me` endpoint). Falls back
+ * to decoding the access token's `is_owner` claim so the check is accurate
+ * immediately after login (the login response doesn't echo is_owner — only
+ * `/me` does, and that only runs on mount).
+ *
+ * Returns `false` while loading or when unauthenticated.
+ */
+declare function useIsOwner(): boolean;
+/**
+ * Minimal JWT payload decoder — no signature check (the server already
+ * verified it). Returns undefined if the token is malformed. We only read
+ * the `is_owner` boolean claim, which the BaaS auth signer sets from
+ * `_users.is_owner`.
+ */
+/**
+ * Returns true if the current visitor is a member of the Instroc workspace
+ * that owns this published app. Used by premium templates to gate owner-only
+ * UI such as `/admin` or `/studio` routes.
+ *
+ * This is distinct from {@link useIsOwner} — workspace members are the humans
+ * who built the project (via Instroc), whereas app users (BaaS `_users`) are
+ * the end users of the published app. The two populations never overlap, so
+ * `useIsOwner` always returns `false` for regular app visitors. Admin UI on
+ * premium templates should gate on this hook instead.
+ *
+ * Implementation: calls `GET /__instroc/workspace-status` on the subdomain
+ * router, which validates the `instroc_wa` cookie (HttpOnly, set after
+ * Instroc workspace login) against the project's `workspaceId`. The same
+ * cookie is what the privacy gate uses to allow workspace members into
+ * private apps.
+ *
+ * Dev/preview note: when running on `localhost`, `*.fly.dev`, or
+ * `*.workers.dev` (dev-session HMR, editor preview), the hook returns `true`
+ * so template authors can see admin UI while building. In production
+ * (`*.instroc.app` and custom domains) the server answer is authoritative.
+ */
+declare function useIsWorkspaceMember(): boolean;
 
 /**
  * Typed error thrown by every `@instroc/auth` method when the server responds
@@ -54,4 +95,4 @@ declare class AuthError extends Error {
     constructor(message: string, status: number, code?: string);
 }
 
-export { AuthContextValue, AuthError, AuthProvider, AuthProviderProps, AuthSession, AuthUser, useAuth, useAuthContext, useAuthRequired, useSession, useUser };
+export { AuthContextValue, AuthError, AuthProvider, AuthProviderProps, AuthSession, AuthUser, useAuth, useAuthContext, useAuthRequired, useIsOwner, useIsWorkspaceMember, useSession, useUser };

package/dist/index.js

@@ -5,13 +5,15 @@ import {
   useAuthContext,
   useAuthRequired,
   useForgotPasswordForm,
+  useIsOwner,
+  useIsWorkspaceMember,
   useLoginForm,
   useOtpForm,
   useResetPasswordForm,
   useSession,
   useSignupForm,
   useUser
-} from "./chunk-T7NGX4DQ.js";
+} from "./chunk-WPSPVFVM.js";
 export {
   AuthError,
   AuthProvider,
@@ -19,6 +21,8 @@ export {
   useAuthContext,
   useAuthRequired,
   useForgotPasswordForm,
+  useIsOwner,
+  useIsWorkspaceMember,
   useLoginForm,
   useOtpForm,
   useResetPasswordForm,

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@instroc/auth",
-  "version": "1.1.1",
+  "version": "1.3.0",
   "description": "Authentication hooks for Instroc Cloud — useAuth, useUser, AuthProvider, and headless form hooks",
   "type": "module",
   "main": "dist/index.js",