@netlify/identity 0.1.1-alpha.2 → 0.1.1-alpha.21

package/dist/index.cjs

@@ -38,11 +38,13 @@ __export(index_exports, {
   getSettings: () => getSettings,
   getUser: () => getUser,
   handleAuthCallback: () => handleAuthCallback,
+  hydrateSession: () => hydrateSession,
   isAuthenticated: () => isAuthenticated,
   login: () => login,
   logout: () => logout,
   oauthLogin: () => oauthLogin,
   onAuthChange: () => onAuthChange,
+  recoverPassword: () => recoverPassword,
   requestPasswordRecovery: () => requestPasswordRecovery,
   signup: () => signup,
   updateUser: () => updateUser,
@@ -68,13 +70,14 @@ var AuthError = class extends Error {
   }
 };
 var MissingIdentityError = class extends Error {
-  constructor(message = "Identity is not available in this environment") {
+  constructor(message = "Netlify Identity is not available. Enable Identity in your site dashboard and use `netlify dev` for local development.") {
     super(message);
     this.name = "MissingIdentityError";
   }
 };
 
 // src/environment.ts
+var IDENTITY_PATH = "/.netlify/identity";
 var goTrueClient = null;
 var cachedApiUrl;
 var warnedMissingUrl = false;
@@ -82,13 +85,15 @@ var isBrowser = () => typeof window !== "undefined" && typeof window.location !=
 var discoverApiUrl = () => {
   if (cachedApiUrl !== void 0) return cachedApiUrl;
   if (isBrowser()) {
-    cachedApiUrl = `${window.location.origin}/.netlify/identity`;
+    cachedApiUrl = `${window.location.origin}${IDENTITY_PATH}`;
   } else {
     const identityContext = getIdentityContext();
     if (identityContext?.url) {
       cachedApiUrl = identityContext.url;
     } else if (globalThis.Netlify?.context?.url) {
-      cachedApiUrl = new URL("/.netlify/identity", globalThis.Netlify.context.url).href;
+      cachedApiUrl = new URL(IDENTITY_PATH, globalThis.Netlify.context.url).href;
+    } else if (process.env.URL) {
+      cachedApiUrl = new URL(IDENTITY_PATH, process.env.URL).href;
     }
   }
   return cachedApiUrl ?? null;
@@ -105,7 +110,7 @@ var getGoTrueClient = () => {
     }
     return null;
   }
-  goTrueClient = new import_gotrue_js.default({ APIUrl: apiUrl, setCookie: isBrowser() });
+  goTrueClient = new import_gotrue_js.default({ APIUrl: apiUrl, setCookie: false });
   return goTrueClient;
 };
 var getClient = () => {
@@ -115,18 +120,97 @@ var getClient = () => {
 };
 var getIdentityContext = () => {
   const identityContext = globalThis.netlifyIdentityContext;
-  if (identityContext?.url && typeof identityContext.url === "string") {
+  if (identityContext?.url) {
     return {
       url: identityContext.url,
-      token: typeof identityContext.token === "string" ? identityContext.token : void 0
+      token: identityContext.token
     };
   }
   if (globalThis.Netlify?.context?.url) {
-    return { url: new URL("/.netlify/identity", globalThis.Netlify.context.url).href };
+    return { url: new URL(IDENTITY_PATH, globalThis.Netlify.context.url).href };
+  }
+  const siteUrl = process.env.URL;
+  if (siteUrl) {
+    return { url: new URL(IDENTITY_PATH, siteUrl).href };
   }
   return null;
 };
 
+// src/cookies.ts
+var NF_JWT_COOKIE = "nf_jwt";
+var NF_REFRESH_COOKIE = "nf_refresh";
+var getCookie = (name) => {
+  const match = document.cookie.match(new RegExp(`(?:^|; )${name.replace(/[.*+?^${}()|[\]\\]/g, "\\$&")}=([^;]*)`));
+  return match ? decodeURIComponent(match[1]) : null;
+};
+var setAuthCookies = (cookies, accessToken, refreshToken) => {
+  cookies.set({
+    name: NF_JWT_COOKIE,
+    value: accessToken,
+    httpOnly: false,
+    secure: true,
+    path: "/",
+    sameSite: "Lax"
+  });
+  if (refreshToken) {
+    cookies.set({
+      name: NF_REFRESH_COOKIE,
+      value: refreshToken,
+      httpOnly: false,
+      secure: true,
+      path: "/",
+      sameSite: "Lax"
+    });
+  }
+};
+var deleteAuthCookies = (cookies) => {
+  cookies.delete(NF_JWT_COOKIE);
+  cookies.delete(NF_REFRESH_COOKIE);
+};
+var setBrowserAuthCookies = (accessToken, refreshToken) => {
+  document.cookie = `${NF_JWT_COOKIE}=${encodeURIComponent(accessToken)}; path=/; secure; samesite=lax`;
+  if (refreshToken) {
+    document.cookie = `${NF_REFRESH_COOKIE}=${encodeURIComponent(refreshToken)}; path=/; secure; samesite=lax`;
+  }
+};
+var deleteBrowserAuthCookies = () => {
+  document.cookie = `${NF_JWT_COOKIE}=; path=/; secure; samesite=lax; expires=Thu, 01 Jan 1970 00:00:00 GMT`;
+  document.cookie = `${NF_REFRESH_COOKIE}=; path=/; secure; samesite=lax; expires=Thu, 01 Jan 1970 00:00:00 GMT`;
+};
+var getServerCookie = (name) => {
+  const cookies = globalThis.Netlify?.context?.cookies;
+  if (!cookies || typeof cookies.get !== "function") return null;
+  return cookies.get(name) ?? null;
+};
+
+// src/nextjs.ts
+var nextHeadersFn;
+var triggerNextjsDynamic = () => {
+  if (nextHeadersFn === null) return;
+  if (nextHeadersFn === void 0) {
+    try {
+      if (typeof require === "undefined") {
+        nextHeadersFn = null;
+        return;
+      }
+      const mod = require("next/headers");
+      nextHeadersFn = mod.headers;
+    } catch {
+      nextHeadersFn = null;
+      return;
+    }
+  }
+  const fn = nextHeadersFn;
+  if (!fn) return;
+  try {
+    fn();
+  } catch (e) {
+    if (e instanceof Error && ("digest" in e || /bail\s*out.*prerende/i.test(e.message))) {
+      throw e;
+    }
+  }
+};
+
 // src/user.ts
 var toAuthProvider = (value) => typeof value === "string" && AUTH_PROVIDERS.includes(value) ? value : void 0;
 var toUser = (userData) => {
@@ -152,32 +236,92 @@ var claimsToUser = (claims) => {
   const userMeta = claims.user_metadata ?? {};
   const name = userMeta.full_name || userMeta.name;
   return {
-    id: typeof claims.sub === "string" ? claims.sub : "",
-    email: typeof claims.email === "string" ? claims.email : void 0,
+    id: claims.sub ?? "",
+    email: claims.email,
     provider: toAuthProvider(appMeta.provider),
     name: typeof name === "string" ? name : void 0,
     metadata: userMeta
   };
 };
+var hydrating = false;
+var backgroundHydrate = (accessToken) => {
+  if (hydrating) return;
+  hydrating = true;
+  const refreshToken = getCookie(NF_REFRESH_COOKIE) ?? "";
+  const decoded = decodeJwtPayload(accessToken);
+  const expiresAt = decoded?.exp ?? Math.floor(Date.now() / 1e3) + 3600;
+  const expiresIn = Math.max(0, expiresAt - Math.floor(Date.now() / 1e3));
+  setTimeout(() => {
+    try {
+      const client = getClient();
+      client.createUser(
+        {
+          access_token: accessToken,
+          token_type: "bearer",
+          expires_in: expiresIn,
+          expires_at: expiresAt,
+          refresh_token: refreshToken
+        },
+        true
+      ).catch(() => {
+      }).finally(() => {
+        hydrating = false;
+      });
+    } catch {
+      hydrating = false;
+    }
+  }, 0);
+};
+var decodeJwtPayload = (token) => {
+  try {
+    const parts = token.split(".");
+    if (parts.length !== 3) return null;
+    const payload = atob(parts[1].replace(/-/g, "+").replace(/_/g, "/"));
+    return JSON.parse(payload);
+  } catch {
+    return null;
+  }
+};
 var getUser = () => {
   if (isBrowser()) {
     const client = getGoTrueClient();
     const currentUser = client?.currentUser() ?? null;
-    if (!currentUser) return null;
-    return toUser(currentUser);
+    if (currentUser) {
+      const jwt2 = getCookie(NF_JWT_COOKIE);
+      if (!jwt2) {
+        try {
+          currentUser.clearSession();
+        } catch {
+        }
+        return null;
+      }
+      return toUser(currentUser);
+    }
+    const jwt = getCookie(NF_JWT_COOKIE);
+    if (!jwt) return null;
+    const claims = decodeJwtPayload(jwt);
+    if (!claims) return null;
+    backgroundHydrate(jwt);
+    return claimsToUser(claims);
   }
+  triggerNextjsDynamic();
   const identityContext = globalThis.netlifyIdentityContext;
-  if (!identityContext) return null;
-  const claims = identityContext.user ?? (identityContext.sub ? identityContext : null);
-  if (!claims) return null;
-  return claimsToUser(claims);
+  if (identityContext?.user) {
+    return claimsToUser(identityContext.user);
+  }
+  const serverJwt = getServerCookie(NF_JWT_COOKIE);
+  if (serverJwt) {
+    const claims = decodeJwtPayload(serverJwt);
+    if (claims) return claimsToUser(claims);
+  }
+  return null;
 };
 var isAuthenticated = () => getUser() !== null;
 
 // src/config.ts
 var getIdentityConfig = () => {
   if (isBrowser()) {
-    return { url: `${window.location.origin}/.netlify/identity` };
+    return { url: `${window.location.origin}${IDENTITY_PATH}` };
   }
   return getIdentityContext();
 };
@@ -205,19 +349,37 @@ var getSettings = async () => {
 };
 
 // src/auth.ts
+var getCookies = () => {
+  const cookies = globalThis.Netlify?.context?.cookies;
+  if (!cookies) {
+    throw new AuthError("Server-side auth requires Netlify Functions runtime");
+  }
+  return cookies;
+};
+var getServerIdentityUrl = () => {
+  const ctx = getIdentityContext();
+  if (!ctx?.url) {
+    throw new AuthError("Could not determine the Identity endpoint URL on the server");
+  }
+  return ctx.url;
+};
 var persistSession = true;
 var listeners = /* @__PURE__ */ new Set();
 var emitAuthEvent = (event, user) => {
   for (const listener of listeners) {
-    listener(event, user);
+    try {
+      listener(event, user);
+    } catch {
+    }
   }
 };
+var GOTRUE_STORAGE_KEY = "gotrue.user";
 var storageListenerAttached = false;
 var attachStorageListener = () => {
   if (storageListenerAttached) return;
   storageListenerAttached = true;
   window.addEventListener("storage", (event) => {
-    if (event.key !== "gotrue.user") return;
+    if (event.key !== GOTRUE_STORAGE_KEY) return;
     if (event.newValue) {
       const client = getGoTrueClient();
       const currentUser = client?.currentUser();
@@ -239,9 +401,58 @@ var onAuthChange = (callback) => {
   };
 };
 var login = async (email, password) => {
+  if (!isBrowser()) {
+    const identityUrl = getServerIdentityUrl();
+    const cookies = getCookies();
+    const body = new URLSearchParams({
+      grant_type: "password",
+      username: email,
+      password
+    });
+    let res;
+    try {
+      res = await fetch(`${identityUrl}/token`, {
+        method: "POST",
+        headers: { "Content-Type": "application/x-www-form-urlencoded" },
+        body: body.toString()
+      });
+    } catch (error) {
+      throw new AuthError(error.message, void 0, { cause: error });
+    }
+    if (!res.ok) {
+      const errorBody = await res.json().catch(() => ({}));
+      throw new AuthError(
+        errorBody.msg || errorBody.error_description || `Login failed (${res.status})`,
+        res.status
+      );
+    }
+    const data = await res.json();
+    const accessToken = data.access_token;
+    let userRes;
+    try {
+      userRes = await fetch(`${identityUrl}/user`, {
+        headers: { Authorization: `Bearer ${accessToken}` }
+      });
+    } catch (error) {
+      throw new AuthError(error.message, void 0, { cause: error });
+    }
+    if (!userRes.ok) {
+      const errorBody = await userRes.json().catch(() => ({}));
+      throw new AuthError(
+        errorBody.msg || `Failed to fetch user data (${userRes.status})`,
+        userRes.status
+      );
+    }
+    const userData = await userRes.json();
+    const user = toUser(userData);
+    setAuthCookies(cookies, accessToken, data.refresh_token);
+    return user;
+  }
   const client = getClient();
   try {
     const gotrueUser = await client.login(email, password, persistSession);
+    const jwt = await gotrueUser.jwt();
+    setBrowserAuthCookies(jwt);
     const user = toUser(gotrueUser);
     emitAuthEvent("login", user);
     return user;
@@ -250,11 +461,43 @@ var login = async (email, password) => {
   }
 };
 var signup = async (email, password, data) => {
+  if (!isBrowser()) {
+    const identityUrl = getServerIdentityUrl();
+    const cookies = getCookies();
+    let res;
+    try {
+      res = await fetch(`${identityUrl}/signup`, {
+        method: "POST",
+        headers: { "Content-Type": "application/json" },
+        body: JSON.stringify({ email, password, data })
+      });
+    } catch (error) {
+      throw new AuthError(error.message, void 0, { cause: error });
+    }
+    if (!res.ok) {
+      const errorBody = await res.json().catch(() => ({}));
+      throw new AuthError(errorBody.msg || `Signup failed (${res.status})`, res.status);
+    }
+    const responseData = await res.json();
+    const user = toUser(responseData);
+    if (responseData.confirmed_at) {
+      const responseRecord = responseData;
+      const accessToken = responseRecord.access_token;
+      if (accessToken) {
+        setAuthCookies(cookies, accessToken, responseRecord.refresh_token);
+      }
+    }
+    return user;
+  }
   const client = getClient();
   try {
     const response = await client.signup(email, password, data);
     const user = toUser(response);
     if (response.confirmed_at) {
+      const jwt = await response.jwt?.();
+      if (jwt) {
+        setBrowserAuthCookies(jwt);
+      }
       emitAuthEvent("login", user);
     }
     return user;
@@ -263,12 +506,29 @@ var signup = async (email, password, data) => {
   }
 };
 var logout = async () => {
+  if (!isBrowser()) {
+    const identityUrl = getServerIdentityUrl();
+    const cookies = getCookies();
+    const jwt = cookies.get(NF_JWT_COOKIE);
+    if (jwt) {
+      try {
+        await fetch(`${identityUrl}/logout`, {
+          method: "POST",
+          headers: { Authorization: `Bearer ${jwt}` }
+        });
+      } catch {
+      }
+    }
+    deleteAuthCookies(cookies);
+    return;
+  }
   const client = getClient();
   try {
     const currentUser = client.currentUser();
     if (currentUser) {
       await currentUser.logout();
     }
+    deleteBrowserAuthCookies();
     emitAuthEvent("logout", null);
   } catch (error) {
     throw new AuthError(error.message, void 0, { cause: error });
@@ -276,11 +536,11 @@ var logout = async () => {
 };
 var oauthLogin = (provider) => {
   if (!isBrowser()) {
-    throw new Error("oauthLogin() is only available in the browser");
+    throw new AuthError("oauthLogin() is only available in the browser");
   }
   const client = getClient();
   window.location.href = client.loginExternalUrl(provider);
-  throw new Error("Redirecting to OAuth provider");
+  throw new AuthError("Redirecting to OAuth provider");
 };
 var handleAuthCallback = async () => {
   if (!isBrowser()) return null;
@@ -291,16 +551,18 @@ var handleAuthCallback = async () => {
     const params = new URLSearchParams(hash);
     const accessToken = params.get("access_token");
     if (accessToken) {
+      const refreshToken = params.get("refresh_token") ?? "";
       const gotrueUser = await client.createUser(
         {
           access_token: accessToken,
           token_type: params.get("token_type") ?? "bearer",
           expires_in: Number(params.get("expires_in")),
           expires_at: Number(params.get("expires_at")),
-          refresh_token: params.get("refresh_token") ?? ""
+          refresh_token: refreshToken
         },
         persistSession
       );
+      setBrowserAuthCookies(accessToken, refreshToken || void 0);
       const user = toUser(gotrueUser);
       clearHash();
       emitAuthEvent("login", user);
@@ -309,6 +571,8 @@ var handleAuthCallback = async () => {
     const confirmationToken = params.get("confirmation_token");
     if (confirmationToken) {
       const gotrueUser = await client.confirm(confirmationToken, persistSession);
+      const jwt = await gotrueUser.jwt();
+      setBrowserAuthCookies(jwt);
       const user = toUser(gotrueUser);
       clearHash();
       emitAuthEvent("login", user);
@@ -317,6 +581,8 @@ var handleAuthCallback = async () => {
     const recoveryToken = params.get("recovery_token");
     if (recoveryToken) {
       const gotrueUser = await client.recover(recoveryToken, persistSession);
+      const jwt = await gotrueUser.jwt();
+      setBrowserAuthCookies(jwt);
       const user = toUser(gotrueUser);
       clearHash();
       emitAuthEvent("login", user);
@@ -331,25 +597,80 @@ var handleAuthCallback = async () => {
     if (emailChangeToken) {
       const currentUser = client.currentUser();
       if (!currentUser) {
-        clearHash();
-        return { type: "email_change", user: null, token: emailChangeToken };
+        throw new AuthError("Email change verification requires an active browser session");
       }
-      const gotrueUser = await currentUser.update({ email_change_token: emailChangeToken });
-      const user = toUser(gotrueUser);
+      const jwt = await currentUser.jwt();
+      const identityUrl = `${window.location.origin}${IDENTITY_PATH}`;
+      const emailChangeRes = await fetch(`${identityUrl}/user`, {
+        method: "PUT",
+        headers: {
+          "Content-Type": "application/json",
+          Authorization: `Bearer ${jwt}`
+        },
+        body: JSON.stringify({ email_change_token: emailChangeToken })
+      });
+      if (!emailChangeRes.ok) {
+        const errorBody = await emailChangeRes.json().catch(() => ({}));
+        throw new AuthError(
+          errorBody.msg || `Email change verification failed (${emailChangeRes.status})`,
+          emailChangeRes.status
+        );
+      }
+      const emailChangeData = await emailChangeRes.json();
+      const user = toUser(emailChangeData);
       clearHash();
       emitAuthEvent("user_updated", user);
       return { type: "email_change", user };
     }
     return null;
   } catch (error) {
+    if (error instanceof AuthError) throw error;
     throw new AuthError(error.message, void 0, { cause: error });
   }
 };
 var clearHash = () => {
   history.replaceState(null, "", window.location.pathname + window.location.search);
 };
+var hydrateSession = async () => {
+  if (!isBrowser()) return null;
+  const client = getClient();
+  const currentUser = client.currentUser();
+  if (currentUser) return toUser(currentUser);
+  const accessToken = getCookie(NF_JWT_COOKIE);
+  if (!accessToken) return null;
+  const refreshToken = getCookie(NF_REFRESH_COOKIE) ?? "";
+  const decoded = decodeJwtPayload(accessToken);
+  const expiresAt = decoded?.exp ?? Math.floor(Date.now() / 1e3) + 3600;
+  const expiresIn = Math.max(0, expiresAt - Math.floor(Date.now() / 1e3));
+  const gotrueUser = await client.createUser(
+    {
+      access_token: accessToken,
+      token_type: "bearer",
+      expires_in: expiresIn,
+      expires_at: expiresAt,
+      refresh_token: refreshToken
+    },
+    persistSession
+  );
+  const user = toUser(gotrueUser);
+  emitAuthEvent("login", user);
+  return user;
+};
 
 // src/account.ts
+var ensureCurrentUser = async () => {
+  const client = getClient();
+  let currentUser = client.currentUser();
+  if (!currentUser && isBrowser()) {
+    try {
+      await hydrateSession();
+    } catch {
+    }
+    currentUser = client.currentUser();
+  }
+  if (!currentUser) throw new AuthError("No user is currently logged in");
+  return currentUser;
+};
 var requestPasswordRecovery = async (email) => {
   const client = getClient();
   try {
@@ -358,6 +679,18 @@ var requestPasswordRecovery = async (email) => {
     throw new AuthError(error.message, void 0, { cause: error });
   }
 };
+var recoverPassword = async (token, newPassword) => {
+  const client = getClient();
+  try {
+    const gotrueUser = await client.recover(token, persistSession);
+    const updatedUser = await gotrueUser.update({ password: newPassword });
+    const user = toUser(updatedUser);
+    emitAuthEvent("login", user);
+    return user;
+  } catch (error) {
+    throw new AuthError(error.message, void 0, { cause: error });
+  }
+};
 var confirmEmail = async (token) => {
   const client = getClient();
   try {
@@ -381,22 +714,37 @@ var acceptInvite = async (token, password) => {
   }
 };
 var verifyEmailChange = async (token) => {
-  const client = getClient();
-  const currentUser = client.currentUser();
-  if (!currentUser) throw new AuthError("No user is currently logged in");
+  if (!isBrowser()) throw new AuthError("verifyEmailChange() is only available in the browser");
+  const currentUser = await ensureCurrentUser();
+  const jwt = await currentUser.jwt();
+  const identityUrl = `${window.location.origin}${IDENTITY_PATH}`;
   try {
-    const gotrueUser = await currentUser.update({ email_change_token: token });
-    const user = toUser(gotrueUser);
+    const res = await fetch(`${identityUrl}/user`, {
+      method: "PUT",
+      headers: {
+        "Content-Type": "application/json",
+        Authorization: `Bearer ${jwt}`
+      },
+      body: JSON.stringify({ email_change_token: token })
+    });
+    if (!res.ok) {
+      const errorBody = await res.json().catch(() => ({}));
+      throw new AuthError(
+        errorBody.msg || `Email change verification failed (${res.status})`,
+        res.status
+      );
+    }
+    const userData = await res.json();
+    const user = toUser(userData);
     emitAuthEvent("user_updated", user);
     return user;
   } catch (error) {
+    if (error instanceof AuthError) throw error;
     throw new AuthError(error.message, void 0, { cause: error });
   }
 };
 var updateUser = async (updates) => {
-  const client = getClient();
-  const currentUser = client.currentUser();
-  if (!currentUser) throw new AuthError("No user is currently logged in");
+  const currentUser = await ensureCurrentUser();
   try {
     const updatedUser = await currentUser.update(updates);
     const user = toUser(updatedUser);
@@ -416,11 +764,13 @@ var updateUser = async (updates) => {
   getSettings,
   getUser,
   handleAuthCallback,
+  hydrateSession,
   isAuthenticated,
   login,
   logout,
   oauthLogin,
   onAuthChange,
+  recoverPassword,
   requestPasswordRecovery,
   signup,
   updateUser,