@netlify/identity 0.1.1-alpha.0 → 0.1.1-alpha.10

package/dist/index.d.cts

@@ -30,6 +30,11 @@ interface User {
 /**
  * Returns the currently authenticated user, or `null` if not logged in.
  * Synchronous. Never throws.
+ *
+ * In the browser, checks gotrue-js localStorage first. If no localStorage
+ * session exists, falls back to decoding the `nf_jwt` cookie (set by
+ * server-side login). This gives immediate synchronous read access without
+ * waiting for async hydration via `hydrateSession()`.
  */
 declare const getUser: () => User | null;
 /**
@@ -59,11 +64,11 @@ type AuthCallback = (event: AuthEvent, user: User | null) => void;
  * Returns an unsubscribe function. No-op on the server.
  */
 declare const onAuthChange: (callback: AuthCallback) => (() => void);
-/** Logs in with email and password. Browser only. */
+/** Logs in with email and password. Works in both browser and server contexts. */
 declare const login: (email: string, password: string) => Promise<User>;
-/** Creates a new account. Emits 'login' if autoconfirm is enabled. Browser only. */
+/** Creates a new account. Emits 'login' if autoconfirm is enabled. Works in both browser and server contexts. */
 declare const signup: (email: string, password: string, data?: Record<string, unknown>) => Promise<User>;
-/** Logs out the current user and clears the session. Browser only. */
+/** Logs out the current user and clears the session. Works in both browser and server contexts. */
 declare const logout: () => Promise<void>;
 /** Redirects to an OAuth provider. Always throws (the page navigates away). Browser only. */
 declare const oauthLogin: (provider: string) => never;
@@ -100,9 +105,15 @@ declare const recoverPassword: (token: string, newPassword: string) => Promise<U
 declare const confirmEmail: (token: string) => Promise<User>;
 /** Accepts an invite token and sets a password for the new account. Logs the user in on success. */
 declare const acceptInvite: (token: string, password: string) => Promise<User>;
-/** Verifies an email change using the token from a verification email. */
+/**
+ * Verifies an email change using the token from a verification email.
+ * Auto-hydrates from auth cookies if no browser session exists.
+ */
 declare const verifyEmailChange: (token: string) => Promise<User>;
-/** Updates the current user's metadata or credentials. Requires an active session. */
+/**
+ * Updates the current user's metadata or credentials.
+ * Auto-hydrates from auth cookies if no browser session exists.
+ */
 declare const updateUser: (updates: Record<string, unknown>) => Promise<User>;
 
 export { type AppMetadata, type AuthCallback, AuthError, type AuthEvent, type AuthProvider, type CallbackResult, type IdentityConfig, MissingIdentityError, type Settings, type User, acceptInvite, confirmEmail, getIdentityConfig, getSettings, getUser, handleAuthCallback, isAuthenticated, login, logout, oauthLogin, onAuthChange, recoverPassword, requestPasswordRecovery, signup, updateUser, verifyEmailChange };

package/dist/index.d.ts

@@ -30,6 +30,11 @@ interface User {
 /**
  * Returns the currently authenticated user, or `null` if not logged in.
  * Synchronous. Never throws.
+ *
+ * In the browser, checks gotrue-js localStorage first. If no localStorage
+ * session exists, falls back to decoding the `nf_jwt` cookie (set by
+ * server-side login). This gives immediate synchronous read access without
+ * waiting for async hydration via `hydrateSession()`.
  */
 declare const getUser: () => User | null;
 /**
@@ -59,11 +64,11 @@ type AuthCallback = (event: AuthEvent, user: User | null) => void;
  * Returns an unsubscribe function. No-op on the server.
  */
 declare const onAuthChange: (callback: AuthCallback) => (() => void);
-/** Logs in with email and password. Browser only. */
+/** Logs in with email and password. Works in both browser and server contexts. */
 declare const login: (email: string, password: string) => Promise<User>;
-/** Creates a new account. Emits 'login' if autoconfirm is enabled. Browser only. */
+/** Creates a new account. Emits 'login' if autoconfirm is enabled. Works in both browser and server contexts. */
 declare const signup: (email: string, password: string, data?: Record<string, unknown>) => Promise<User>;
-/** Logs out the current user and clears the session. Browser only. */
+/** Logs out the current user and clears the session. Works in both browser and server contexts. */
 declare const logout: () => Promise<void>;
 /** Redirects to an OAuth provider. Always throws (the page navigates away). Browser only. */
 declare const oauthLogin: (provider: string) => never;
@@ -100,9 +105,15 @@ declare const recoverPassword: (token: string, newPassword: string) => Promise<U
 declare const confirmEmail: (token: string) => Promise<User>;
 /** Accepts an invite token and sets a password for the new account. Logs the user in on success. */
 declare const acceptInvite: (token: string, password: string) => Promise<User>;
-/** Verifies an email change using the token from a verification email. */
+/**
+ * Verifies an email change using the token from a verification email.
+ * Auto-hydrates from auth cookies if no browser session exists.
+ */
 declare const verifyEmailChange: (token: string) => Promise<User>;
-/** Updates the current user's metadata or credentials. Requires an active session. */
+/**
+ * Updates the current user's metadata or credentials.
+ * Auto-hydrates from auth cookies if no browser session exists.
+ */
 declare const updateUser: (updates: Record<string, unknown>) => Promise<User>;
 
 export { type AppMetadata, type AuthCallback, AuthError, type AuthEvent, type AuthProvider, type CallbackResult, type IdentityConfig, MissingIdentityError, type Settings, type User, acceptInvite, confirmEmail, getIdentityConfig, getSettings, getUser, handleAuthCallback, isAuthenticated, login, logout, oauthLogin, onAuthChange, recoverPassword, requestPasswordRecovery, signup, updateUser, verifyEmailChange };

package/dist/index.js

@@ -23,6 +23,7 @@ var MissingIdentityError = class extends Error {
 };
 
 // src/environment.ts
+var IDENTITY_PATH = "/.netlify/identity";
 var goTrueClient = null;
 var cachedApiUrl;
 var warnedMissingUrl = false;
@@ -30,13 +31,15 @@ var isBrowser = () => typeof window !== "undefined" && typeof window.location !=
 var discoverApiUrl = () => {
   if (cachedApiUrl !== void 0) return cachedApiUrl;
   if (isBrowser()) {
-    cachedApiUrl = `${window.location.origin}/.netlify/identity`;
+    cachedApiUrl = `${window.location.origin}${IDENTITY_PATH}`;
   } else {
     const identityContext = getIdentityContext();
     if (identityContext?.url) {
       cachedApiUrl = identityContext.url;
     } else if (globalThis.Netlify?.context?.url) {
-      cachedApiUrl = new URL("/.netlify/identity", globalThis.Netlify.context.url).href;
+      cachedApiUrl = new URL(IDENTITY_PATH, globalThis.Netlify.context.url).href;
+    } else if (process.env.URL) {
+      cachedApiUrl = new URL(IDENTITY_PATH, process.env.URL).href;
     }
   }
   return cachedApiUrl ?? null;
@@ -63,18 +66,64 @@ var getClient = () => {
 };
 var getIdentityContext = () => {
   const identityContext = globalThis.netlifyIdentityContext;
-  if (identityContext?.url && typeof identityContext.url === "string") {
+  if (identityContext?.url) {
     return {
       url: identityContext.url,
-      token: typeof identityContext.token === "string" ? identityContext.token : void 0
+      token: identityContext.token
     };
   }
   if (globalThis.Netlify?.context?.url) {
-    return { url: new URL("/.netlify/identity", globalThis.Netlify.context.url).href };
+    return { url: new URL(IDENTITY_PATH, globalThis.Netlify.context.url).href };
+  }
+  const siteUrl = process.env.URL;
+  if (siteUrl) {
+    return { url: new URL(IDENTITY_PATH, siteUrl).href };
   }
   return null;
 };
 
+// src/cookies.ts
+var NF_JWT_COOKIE = "nf_jwt";
+var NF_REFRESH_COOKIE = "nf_refresh";
+var getCookie = (name) => {
+  const match = document.cookie.match(new RegExp(`(?:^|; )${name.replace(/[.*+?^${}()|[\]\\]/g, "\\$&")}=([^;]*)`));
+  return match ? decodeURIComponent(match[1]) : null;
+};
+var setAuthCookies = (cookies, accessToken, refreshToken) => {
+  cookies.set({
+    name: NF_JWT_COOKIE,
+    value: accessToken,
+    httpOnly: false,
+    secure: true,
+    path: "/",
+    sameSite: "Lax"
+  });
+  if (refreshToken) {
+    cookies.set({
+      name: NF_REFRESH_COOKIE,
+      value: refreshToken,
+      httpOnly: false,
+      secure: true,
+      path: "/",
+      sameSite: "Lax"
+    });
+  }
+};
+var deleteAuthCookies = (cookies) => {
+  cookies.delete(NF_JWT_COOKIE);
+  cookies.delete(NF_REFRESH_COOKIE);
+};
+var setBrowserAuthCookies = (accessToken, refreshToken) => {
+  document.cookie = `${NF_JWT_COOKIE}=${encodeURIComponent(accessToken)}; path=/; secure; samesite=lax`;
+  if (refreshToken) {
+    document.cookie = `${NF_REFRESH_COOKIE}=${encodeURIComponent(refreshToken)}; path=/; secure; samesite=lax`;
+  }
+};
+var deleteBrowserAuthCookies = () => {
+  document.cookie = `${NF_JWT_COOKIE}=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT`;
+  document.cookie = `${NF_REFRESH_COOKIE}=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT`;
+};
+
 // src/user.ts
 var toAuthProvider = (value) => typeof value === "string" && AUTH_PROVIDERS.includes(value) ? value : void 0;
 var toUser = (userData) => {
@@ -100,32 +149,56 @@ var claimsToUser = (claims) => {
   const userMeta = claims.user_metadata ?? {};
   const name = userMeta.full_name || userMeta.name;
   return {
-    id: typeof claims.sub === "string" ? claims.sub : "",
-    email: typeof claims.email === "string" ? claims.email : void 0,
+    id: claims.sub ?? "",
+    email: claims.email,
     provider: toAuthProvider(appMeta.provider),
     name: typeof name === "string" ? name : void 0,
     metadata: userMeta
   };
 };
+var decodeJwtPayload = (token) => {
+  try {
+    const parts = token.split(".");
+    if (parts.length !== 3) return null;
+    const payload = atob(parts[1].replace(/-/g, "+").replace(/_/g, "/"));
+    return JSON.parse(payload);
+  } catch {
+    return null;
+  }
+};
 var getUser = () => {
   if (isBrowser()) {
     const client = getGoTrueClient();
     const currentUser = client?.currentUser() ?? null;
-    if (!currentUser) return null;
-    return toUser(currentUser);
+    if (currentUser) {
+      const jwt2 = getCookie(NF_JWT_COOKIE);
+      if (!jwt2) {
+        try {
+          currentUser.logout();
+        } catch {
+        }
+        return null;
+      }
+      return toUser(currentUser);
+    }
+    const jwt = getCookie(NF_JWT_COOKIE);
+    if (!jwt) return null;
+    const claims = decodeJwtPayload(jwt);
+    if (!claims) return null;
+    return claimsToUser(claims);
   }
   const identityContext = globalThis.netlifyIdentityContext;
-  if (!identityContext) return null;
-  const claims = identityContext.user ?? (identityContext.sub ? identityContext : null);
-  if (!claims) return null;
-  return claimsToUser(claims);
+  if (identityContext?.user) {
+    return claimsToUser(identityContext.user);
+  }
+  return null;
 };
 var isAuthenticated = () => getUser() !== null;
 
 // src/config.ts
 var getIdentityConfig = () => {
   if (isBrowser()) {
-    return { url: `${window.location.origin}/.netlify/identity` };
+    return { url: `${window.location.origin}${IDENTITY_PATH}` };
   }
   return getIdentityContext();
 };
@@ -153,6 +226,20 @@ var getSettings = async () => {
 };
 
 // src/auth.ts
+var getCookies = () => {
+  const cookies = globalThis.Netlify?.context?.cookies;
+  if (!cookies) {
+    throw new AuthError("Server-side auth requires Netlify Functions runtime");
+  }
+  return cookies;
+};
+var getServerIdentityUrl = () => {
+  const ctx = getIdentityContext();
+  if (!ctx?.url) {
+    throw new AuthError("Could not determine the Identity endpoint URL on the server");
+  }
+  return ctx.url;
+};
 var persistSession = true;
 var listeners = /* @__PURE__ */ new Set();
 var emitAuthEvent = (event, user) => {
@@ -187,9 +274,58 @@ var onAuthChange = (callback) => {
   };
 };
 var login = async (email, password) => {
+  if (!isBrowser()) {
+    const identityUrl = getServerIdentityUrl();
+    const cookies = getCookies();
+    const body = new URLSearchParams({
+      grant_type: "password",
+      username: email,
+      password
+    });
+    let res;
+    try {
+      res = await fetch(`${identityUrl}/token`, {
+        method: "POST",
+        headers: { "Content-Type": "application/x-www-form-urlencoded" },
+        body: body.toString()
+      });
+    } catch (error) {
+      throw new AuthError(error.message, void 0, { cause: error });
+    }
+    if (!res.ok) {
+      const errorBody = await res.json().catch(() => ({}));
+      throw new AuthError(
+        errorBody.msg || errorBody.error_description || `Login failed (${res.status})`,
+        res.status
+      );
+    }
+    const data = await res.json();
+    const accessToken = data.access_token;
+    let userRes;
+    try {
+      userRes = await fetch(`${identityUrl}/user`, {
+        headers: { Authorization: `Bearer ${accessToken}` }
+      });
+    } catch (error) {
+      throw new AuthError(error.message, void 0, { cause: error });
+    }
+    if (!userRes.ok) {
+      const errorBody = await userRes.json().catch(() => ({}));
+      throw new AuthError(
+        errorBody.msg || `Failed to fetch user data (${userRes.status})`,
+        userRes.status
+      );
+    }
+    const userData = await userRes.json();
+    const user = toUser(userData);
+    setAuthCookies(cookies, accessToken, data.refresh_token);
+    return user;
+  }
   const client = getClient();
   try {
     const gotrueUser = await client.login(email, password, persistSession);
+    const jwt = await gotrueUser.jwt();
+    setBrowserAuthCookies(jwt);
     const user = toUser(gotrueUser);
     emitAuthEvent("login", user);
     return user;
@@ -198,6 +334,34 @@ var login = async (email, password) => {
   }
 };
 var signup = async (email, password, data) => {
+  if (!isBrowser()) {
+    const identityUrl = getServerIdentityUrl();
+    const cookies = getCookies();
+    let res;
+    try {
+      res = await fetch(`${identityUrl}/signup`, {
+        method: "POST",
+        headers: { "Content-Type": "application/json" },
+        body: JSON.stringify({ email, password, data })
+      });
+    } catch (error) {
+      throw new AuthError(error.message, void 0, { cause: error });
+    }
+    if (!res.ok) {
+      const errorBody = await res.json().catch(() => ({}));
+      throw new AuthError(errorBody.msg || `Signup failed (${res.status})`, res.status);
+    }
+    const responseData = await res.json();
+    const user = toUser(responseData);
+    if (responseData.confirmed_at) {
+      const responseRecord = responseData;
+      const accessToken = responseRecord.access_token;
+      if (accessToken) {
+        setAuthCookies(cookies, accessToken, responseRecord.refresh_token);
+      }
+    }
+    return user;
+  }
   const client = getClient();
   try {
     const response = await client.signup(email, password, data);
@@ -211,12 +375,30 @@ var signup = async (email, password, data) => {
   }
 };
 var logout = async () => {
+  if (!isBrowser()) {
+    const identityUrl = getServerIdentityUrl();
+    const cookies = getCookies();
+    const jwt = cookies.get(NF_JWT_COOKIE);
+    if (jwt) {
+      try {
+        await fetch(`${identityUrl}/logout`, {
+          method: "POST",
+          headers: { Authorization: `Bearer ${jwt}` }
+        });
+      } catch (error) {
+        throw new AuthError(error.message, void 0, { cause: error });
+      }
+    }
+    deleteAuthCookies(cookies);
+    return;
+  }
   const client = getClient();
   try {
     const currentUser = client.currentUser();
     if (currentUser) {
       await currentUser.logout();
     }
+    deleteBrowserAuthCookies();
     emitAuthEvent("logout", null);
   } catch (error) {
     throw new AuthError(error.message, void 0, { cause: error });
@@ -239,16 +421,18 @@ var handleAuthCallback = async () => {
     const params = new URLSearchParams(hash);
     const accessToken = params.get("access_token");
     if (accessToken) {
+      const refreshToken = params.get("refresh_token") ?? "";
       const gotrueUser = await client.createUser(
         {
           access_token: accessToken,
           token_type: params.get("token_type") ?? "bearer",
           expires_in: Number(params.get("expires_in")),
           expires_at: Number(params.get("expires_at")),
-          refresh_token: params.get("refresh_token") ?? ""
+          refresh_token: refreshToken
         },
         persistSession
       );
+      setBrowserAuthCookies(accessToken, refreshToken || void 0);
       const user = toUser(gotrueUser);
       clearHash();
       emitAuthEvent("login", user);
@@ -257,6 +441,8 @@ var handleAuthCallback = async () => {
     const confirmationToken = params.get("confirmation_token");
     if (confirmationToken) {
       const gotrueUser = await client.confirm(confirmationToken, persistSession);
+      const jwt = await gotrueUser.jwt();
+      setBrowserAuthCookies(jwt);
       const user = toUser(gotrueUser);
       clearHash();
       emitAuthEvent("login", user);
@@ -265,6 +451,8 @@ var handleAuthCallback = async () => {
     const recoveryToken = params.get("recovery_token");
     if (recoveryToken) {
       const gotrueUser = await client.recover(recoveryToken, persistSession);
+      const jwt = await gotrueUser.jwt();
+      setBrowserAuthCookies(jwt);
       const user = toUser(gotrueUser);
       clearHash();
       emitAuthEvent("login", user);
@@ -277,8 +465,29 @@ var handleAuthCallback = async () => {
     }
     const emailChangeToken = params.get("email_change_token");
     if (emailChangeToken) {
-      const gotrueUser = await client.verify("email_change", emailChangeToken, persistSession);
-      const user = toUser(gotrueUser);
+      const currentUser = client.currentUser();
+      if (!currentUser) {
+        throw new AuthError("Email change verification requires an active browser session");
+      }
+      const jwt = await currentUser.jwt();
+      const identityUrl = `${window.location.origin}${IDENTITY_PATH}`;
+      const emailChangeRes = await fetch(`${identityUrl}/user`, {
+        method: "PUT",
+        headers: {
+          "Content-Type": "application/json",
+          Authorization: `Bearer ${jwt}`
+        },
+        body: JSON.stringify({ email_change_token: emailChangeToken })
+      });
+      if (!emailChangeRes.ok) {
+        const errorBody = await emailChangeRes.json().catch(() => ({}));
+        throw new AuthError(
+          errorBody.msg || `Email change verification failed (${emailChangeRes.status})`,
+          emailChangeRes.status
+        );
+      }
+      const emailChangeData = await emailChangeRes.json();
+      const user = toUser(emailChangeData);
       clearHash();
       emitAuthEvent("user_updated", user);
       return { type: "email_change", user };
@@ -291,8 +500,43 @@ var handleAuthCallback = async () => {
 var clearHash = () => {
   history.replaceState(null, "", window.location.pathname + window.location.search);
 };
+var hydrateSession = async () => {
+  if (!isBrowser()) return null;
+  const client = getClient();
+  const currentUser = client.currentUser();
+  if (currentUser) return toUser(currentUser);
+  const accessToken = getCookie(NF_JWT_COOKIE);
+  if (!accessToken) return null;
+  const refreshToken = getCookie(NF_REFRESH_COOKIE) ?? "";
+  const gotrueUser = await client.createUser(
+    {
+      access_token: accessToken,
+      token_type: "bearer",
+      expires_in: 3600,
+      expires_at: Math.floor(Date.now() / 1e3) + 3600,
+      refresh_token: refreshToken
+    },
+    persistSession
+  );
+  const user = toUser(gotrueUser);
+  emitAuthEvent("login", user);
+  return user;
+};
 
 // src/account.ts
+var ensureCurrentUser = async () => {
+  const client = getClient();
+  let currentUser = client.currentUser();
+  if (!currentUser && isBrowser()) {
+    try {
+      await hydrateSession();
+    } catch {
+    }
+    currentUser = client.currentUser();
+  }
+  if (!currentUser) throw new AuthError("No user is currently logged in");
+  return currentUser;
+};
 var requestPasswordRecovery = async (email) => {
   const client = getClient();
   try {
@@ -336,20 +580,37 @@ var acceptInvite = async (token, password) => {
   }
 };
 var verifyEmailChange = async (token) => {
-  const client = getClient();
+  if (!isBrowser()) throw new AuthError("verifyEmailChange() is only available in the browser");
+  const currentUser = await ensureCurrentUser();
+  const jwt = await currentUser.jwt();
+  const identityUrl = `${window.location.origin}${IDENTITY_PATH}`;
   try {
-    const gotrueUser = await client.verify("email_change", token, persistSession);
-    const user = toUser(gotrueUser);
+    const res = await fetch(`${identityUrl}/user`, {
+      method: "PUT",
+      headers: {
+        "Content-Type": "application/json",
+        Authorization: `Bearer ${jwt}`
+      },
+      body: JSON.stringify({ email_change_token: token })
+    });
+    if (!res.ok) {
+      const errorBody = await res.json().catch(() => ({}));
+      throw new AuthError(
+        errorBody.msg || `Email change verification failed (${res.status})`,
+        res.status
+      );
+    }
+    const userData = await res.json();
+    const user = toUser(userData);
     emitAuthEvent("user_updated", user);
     return user;
   } catch (error) {
+    if (error instanceof AuthError) throw error;
     throw new AuthError(error.message, void 0, { cause: error });
   }
 };
 var updateUser = async (updates) => {
-  const client = getClient();
-  const currentUser = client.currentUser();
-  if (!currentUser) throw new AuthError("No user is currently logged in");
+  const currentUser = await ensureCurrentUser();
   try {
     const updatedUser = await currentUser.update(updates);
     const user = toUser(updatedUser);