@netlify/identity 0.1.1 → 0.3.0-alpha.1

package/dist/index.cjs

@@ -30,12 +30,27 @@ var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: tru
 // src/index.ts
 var index_exports = {};
 __export(index_exports, {
+  AUTH_EVENTS: () => AUTH_EVENTS,
   AuthError: () => AuthError,
   MissingIdentityError: () => MissingIdentityError,
+  acceptInvite: () => acceptInvite,
+  admin: () => admin,
+  confirmEmail: () => confirmEmail,
   getIdentityConfig: () => getIdentityConfig,
   getSettings: () => getSettings,
   getUser: () => getUser,
-  isAuthenticated: () => isAuthenticated
+  handleAuthCallback: () => handleAuthCallback,
+  hydrateSession: () => hydrateSession,
+  isAuthenticated: () => isAuthenticated,
+  login: () => login,
+  logout: () => logout,
+  oauthLogin: () => oauthLogin,
+  onAuthChange: () => onAuthChange,
+  recoverPassword: () => recoverPassword,
+  requestPasswordRecovery: () => requestPasswordRecovery,
+  signup: () => signup,
+  updateUser: () => updateUser,
+  verifyEmailChange: () => verifyEmailChange
 });
 module.exports = __toCommonJS(index_exports);
 
@@ -44,6 +59,26 @@ var AUTH_PROVIDERS = ["google", "github", "gitlab", "bitbucket", "facebook", "sa
 
 // src/environment.ts
 var import_gotrue_js = __toESM(require("gotrue-js"), 1);
+
+// src/errors.ts
+var AuthError = class extends Error {
+  constructor(message, status, options) {
+    super(message);
+    this.name = "AuthError";
+    this.status = status;
+    if (options && "cause" in options) {
+      this.cause = options.cause;
+    }
+  }
+};
+var MissingIdentityError = class extends Error {
+  constructor(message = "Netlify Identity is not available.") {
+    super(message);
+    this.name = "MissingIdentityError";
+  }
+};
+
+// src/environment.ts
 var IDENTITY_PATH = "/.netlify/identity";
 var goTrueClient = null;
 var cachedApiUrl;
@@ -59,6 +94,8 @@ var discoverApiUrl = () => {
       cachedApiUrl = identityContext.url;
     } else if (globalThis.Netlify?.context?.url) {
       cachedApiUrl = new URL(IDENTITY_PATH, globalThis.Netlify.context.url).href;
+    } else if (process.env.URL) {
+      cachedApiUrl = new URL(IDENTITY_PATH, process.env.URL).href;
     }
   }
   return cachedApiUrl ?? null;
@@ -75,9 +112,14 @@ var getGoTrueClient = () => {
     }
     return null;
   }
-  goTrueClient = new import_gotrue_js.default({ APIUrl: apiUrl, setCookie: isBrowser() });
+  goTrueClient = new import_gotrue_js.default({ APIUrl: apiUrl, setCookie: false });
   return goTrueClient;
 };
+var getClient = () => {
+  const client = getGoTrueClient();
+  if (!client) throw new MissingIdentityError();
+  return client;
+};
 var getIdentityContext = () => {
   const identityContext = globalThis.netlifyIdentityContext;
   if (identityContext?.url) {
@@ -89,9 +131,88 @@ var getIdentityContext = () => {
   if (globalThis.Netlify?.context?.url) {
     return { url: new URL(IDENTITY_PATH, globalThis.Netlify.context.url).href };
   }
+  const siteUrl = process.env.URL;
+  if (siteUrl) {
+    return { url: new URL(IDENTITY_PATH, siteUrl).href };
+  }
   return null;
 };
 
+// src/cookies.ts
+var NF_JWT_COOKIE = "nf_jwt";
+var NF_REFRESH_COOKIE = "nf_refresh";
+var getCookie = (name) => {
+  const match = document.cookie.match(new RegExp(`(?:^|; )${name.replace(/[.*+?^${}()|[\]\\]/g, "\\$&")}=([^;]*)`));
+  return match ? decodeURIComponent(match[1]) : null;
+};
+var setAuthCookies = (cookies, accessToken, refreshToken) => {
+  cookies.set({
+    name: NF_JWT_COOKIE,
+    value: accessToken,
+    httpOnly: false,
+    secure: true,
+    path: "/",
+    sameSite: "Lax"
+  });
+  if (refreshToken) {
+    cookies.set({
+      name: NF_REFRESH_COOKIE,
+      value: refreshToken,
+      httpOnly: false,
+      secure: true,
+      path: "/",
+      sameSite: "Lax"
+    });
+  }
+};
+var deleteAuthCookies = (cookies) => {
+  cookies.delete(NF_JWT_COOKIE);
+  cookies.delete(NF_REFRESH_COOKIE);
+};
+var setBrowserAuthCookies = (accessToken, refreshToken) => {
+  document.cookie = `${NF_JWT_COOKIE}=${encodeURIComponent(accessToken)}; path=/; secure; samesite=lax`;
+  if (refreshToken) {
+    document.cookie = `${NF_REFRESH_COOKIE}=${encodeURIComponent(refreshToken)}; path=/; secure; samesite=lax`;
+  }
+};
+var deleteBrowserAuthCookies = () => {
+  document.cookie = `${NF_JWT_COOKIE}=; path=/; secure; samesite=lax; expires=Thu, 01 Jan 1970 00:00:00 GMT`;
+  document.cookie = `${NF_REFRESH_COOKIE}=; path=/; secure; samesite=lax; expires=Thu, 01 Jan 1970 00:00:00 GMT`;
+};
+var getServerCookie = (name) => {
+  const cookies = globalThis.Netlify?.context?.cookies;
+  if (!cookies || typeof cookies.get !== "function") return null;
+  return cookies.get(name) ?? null;
+};
+
+// src/nextjs.ts
+var nextHeadersFn;
+var triggerNextjsDynamic = () => {
+  if (nextHeadersFn === null) return;
+  if (nextHeadersFn === void 0) {
+    try {
+      if (typeof require === "undefined") {
+        nextHeadersFn = null;
+        return;
+      }
+      const mod = require("next/headers");
+      nextHeadersFn = mod.headers;
+    } catch {
+      nextHeadersFn = null;
+      return;
+    }
+  }
+  const fn = nextHeadersFn;
+  if (!fn) return;
+  try {
+    fn();
+  } catch (e) {
+    if (e instanceof Error && ("digest" in e || /bail\s*out.*prerende/i.test(e.message))) {
+      throw e;
+    }
+  }
+};
+
 // src/user.ts
 var toAuthProvider = (value) => typeof value === "string" && AUTH_PROVIDERS.includes(value) ? value : void 0;
 var toUser = (userData) => {
@@ -124,36 +245,80 @@ var claimsToUser = (claims) => {
     metadata: userMeta
   };
 };
+var hydrating = false;
+var backgroundHydrate = (accessToken) => {
+  if (hydrating) return;
+  hydrating = true;
+  const refreshToken = getCookie(NF_REFRESH_COOKIE) ?? "";
+  const decoded = decodeJwtPayload(accessToken);
+  const expiresAt = decoded?.exp ?? Math.floor(Date.now() / 1e3) + 3600;
+  const expiresIn = Math.max(0, expiresAt - Math.floor(Date.now() / 1e3));
+  setTimeout(() => {
+    try {
+      const client = getClient();
+      client.createUser(
+        {
+          access_token: accessToken,
+          token_type: "bearer",
+          expires_in: expiresIn,
+          expires_at: expiresAt,
+          refresh_token: refreshToken
+        },
+        true
+      ).catch(() => {
+      }).finally(() => {
+        hydrating = false;
+      });
+    } catch {
+      hydrating = false;
+    }
+  }, 0);
+};
+var decodeJwtPayload = (token) => {
+  try {
+    const parts = token.split(".");
+    if (parts.length !== 3) return null;
+    const payload = atob(parts[1].replace(/-/g, "+").replace(/_/g, "/"));
+    return JSON.parse(payload);
+  } catch {
+    return null;
+  }
+};
 var getUser = () => {
   if (isBrowser()) {
     const client = getGoTrueClient();
     const currentUser = client?.currentUser() ?? null;
-    if (!currentUser) return null;
-    return toUser(currentUser);
+    if (currentUser) {
+      const jwt2 = getCookie(NF_JWT_COOKIE);
+      if (!jwt2) {
+        try {
+          currentUser.clearSession();
+        } catch {
+        }
+        return null;
+      }
+      return toUser(currentUser);
+    }
+    const jwt = getCookie(NF_JWT_COOKIE);
+    if (!jwt) return null;
+    const claims = decodeJwtPayload(jwt);
+    if (!claims) return null;
+    backgroundHydrate(jwt);
+    return claimsToUser(claims);
   }
+  triggerNextjsDynamic();
   const identityContext = globalThis.netlifyIdentityContext;
-  if (!identityContext?.user) return null;
-  return claimsToUser(identityContext.user);
-};
-var isAuthenticated = () => getUser() !== null;
-
-// src/errors.ts
-var AuthError = class extends Error {
-  constructor(message, status, options) {
-    super(message);
-    this.name = "AuthError";
-    this.status = status;
-    if (options && "cause" in options) {
-      this.cause = options.cause;
-    }
+  if (identityContext?.user) {
+    return claimsToUser(identityContext.user);
   }
-};
-var MissingIdentityError = class extends Error {
-  constructor(message = "Identity is not available in this environment") {
-    super(message);
-    this.name = "MissingIdentityError";
+  const serverJwt = getServerCookie(NF_JWT_COOKIE);
+  if (serverJwt) {
+    const claims = decodeJwtPayload(serverJwt);
+    if (claims) return claimsToUser(claims);
   }
+  return null;
 };
+var isAuthenticated = () => getUser() !== null;
 
 // src/config.ts
 var getIdentityConfig = () => {
@@ -163,8 +328,7 @@ var getIdentityConfig = () => {
   return getIdentityContext();
 };
 var getSettings = async () => {
-  const client = getGoTrueClient();
-  if (!client) throw new MissingIdentityError();
+  const client = getClient();
   try {
     const raw = await client.settings();
     const external = raw.external ?? {};
@@ -185,13 +349,573 @@ var getSettings = async () => {
     throw new AuthError(err instanceof Error ? err.message : "Failed to fetch identity settings", 502, { cause: err });
   }
 };
+
+// src/events.ts
+var AUTH_EVENTS = {
+  LOGIN: "login",
+  LOGOUT: "logout",
+  TOKEN_REFRESH: "token_refresh",
+  USER_UPDATED: "user_updated",
+  RECOVERY: "recovery"
+};
+var GOTRUE_STORAGE_KEY = "gotrue.user";
+var listeners = /* @__PURE__ */ new Set();
+var emitAuthEvent = (event, user) => {
+  for (const listener of listeners) {
+    try {
+      listener(event, user);
+    } catch {
+    }
+  }
+};
+var storageListenerAttached = false;
+var attachStorageListener = () => {
+  if (storageListenerAttached || !isBrowser()) return;
+  storageListenerAttached = true;
+  window.addEventListener("storage", (event) => {
+    if (event.key !== GOTRUE_STORAGE_KEY) return;
+    if (event.newValue) {
+      const client = getGoTrueClient();
+      const currentUser = client?.currentUser();
+      emitAuthEvent(AUTH_EVENTS.LOGIN, currentUser ? toUser(currentUser) : null);
+    } else {
+      emitAuthEvent(AUTH_EVENTS.LOGOUT, null);
+    }
+  });
+};
+var onAuthChange = (callback) => {
+  if (!isBrowser()) {
+    return () => {
+    };
+  }
+  listeners.add(callback);
+  attachStorageListener();
+  return () => {
+    listeners.delete(callback);
+  };
+};
+
+// src/auth.ts
+var getCookies = () => {
+  const cookies = globalThis.Netlify?.context?.cookies;
+  if (!cookies) {
+    throw new AuthError("Server-side auth requires Netlify Functions runtime");
+  }
+  return cookies;
+};
+var getServerIdentityUrl = () => {
+  const ctx = getIdentityContext();
+  if (!ctx?.url) {
+    throw new AuthError("Could not determine the Identity endpoint URL on the server");
+  }
+  return ctx.url;
+};
+var persistSession = true;
+var login = async (email, password) => {
+  if (!isBrowser()) {
+    const identityUrl = getServerIdentityUrl();
+    const cookies = getCookies();
+    const body = new URLSearchParams({
+      grant_type: "password",
+      username: email,
+      password
+    });
+    let res;
+    try {
+      res = await fetch(`${identityUrl}/token`, {
+        method: "POST",
+        headers: { "Content-Type": "application/x-www-form-urlencoded" },
+        body: body.toString()
+      });
+    } catch (error) {
+      throw new AuthError(error.message, void 0, { cause: error });
+    }
+    if (!res.ok) {
+      const errorBody = await res.json().catch(() => ({}));
+      throw new AuthError(errorBody.msg || errorBody.error_description || `Login failed (${res.status})`, res.status);
+    }
+    const data = await res.json();
+    const accessToken = data.access_token;
+    let userRes;
+    try {
+      userRes = await fetch(`${identityUrl}/user`, {
+        headers: { Authorization: `Bearer ${accessToken}` }
+      });
+    } catch (error) {
+      throw new AuthError(error.message, void 0, { cause: error });
+    }
+    if (!userRes.ok) {
+      const errorBody = await userRes.json().catch(() => ({}));
+      throw new AuthError(errorBody.msg || `Failed to fetch user data (${userRes.status})`, userRes.status);
+    }
+    const userData = await userRes.json();
+    const user = toUser(userData);
+    setAuthCookies(cookies, accessToken, data.refresh_token);
+    return user;
+  }
+  const client = getClient();
+  try {
+    const gotrueUser = await client.login(email, password, persistSession);
+    const jwt = await gotrueUser.jwt();
+    setBrowserAuthCookies(jwt);
+    const user = toUser(gotrueUser);
+    emitAuthEvent(AUTH_EVENTS.LOGIN, user);
+    return user;
+  } catch (error) {
+    throw new AuthError(error.message, void 0, { cause: error });
+  }
+};
+var signup = async (email, password, data) => {
+  if (!isBrowser()) {
+    const identityUrl = getServerIdentityUrl();
+    const cookies = getCookies();
+    let res;
+    try {
+      res = await fetch(`${identityUrl}/signup`, {
+        method: "POST",
+        headers: { "Content-Type": "application/json" },
+        body: JSON.stringify({ email, password, data })
+      });
+    } catch (error) {
+      throw new AuthError(error.message, void 0, { cause: error });
+    }
+    if (!res.ok) {
+      const errorBody = await res.json().catch(() => ({}));
+      throw new AuthError(errorBody.msg || `Signup failed (${res.status})`, res.status);
+    }
+    const responseData = await res.json();
+    const user = toUser(responseData);
+    if (responseData.confirmed_at) {
+      const accessToken = responseData.access_token;
+      if (accessToken) {
+        setAuthCookies(cookies, accessToken, responseData.refresh_token);
+      }
+    }
+    return user;
+  }
+  const client = getClient();
+  try {
+    const response = await client.signup(email, password, data);
+    const user = toUser(response);
+    if (response.confirmed_at) {
+      const jwt = await response.jwt?.();
+      if (jwt) {
+        setBrowserAuthCookies(jwt);
+      }
+      emitAuthEvent(AUTH_EVENTS.LOGIN, user);
+    }
+    return user;
+  } catch (error) {
+    throw new AuthError(error.message, void 0, { cause: error });
+  }
+};
+var logout = async () => {
+  if (!isBrowser()) {
+    const identityUrl = getServerIdentityUrl();
+    const cookies = getCookies();
+    const jwt = cookies.get(NF_JWT_COOKIE);
+    if (jwt) {
+      try {
+        await fetch(`${identityUrl}/logout`, {
+          method: "POST",
+          headers: { Authorization: `Bearer ${jwt}` }
+        });
+      } catch {
+      }
+    }
+    deleteAuthCookies(cookies);
+    return;
+  }
+  const client = getClient();
+  try {
+    const currentUser = client.currentUser();
+    if (currentUser) {
+      await currentUser.logout();
+    }
+    deleteBrowserAuthCookies();
+    emitAuthEvent(AUTH_EVENTS.LOGOUT, null);
+  } catch (error) {
+    throw new AuthError(error.message, void 0, { cause: error });
+  }
+};
+var oauthLogin = (provider) => {
+  if (!isBrowser()) {
+    throw new AuthError("oauthLogin() is only available in the browser");
+  }
+  const client = getClient();
+  window.location.href = client.loginExternalUrl(provider);
+  throw new AuthError("Redirecting to OAuth provider");
+};
+var handleAuthCallback = async () => {
+  if (!isBrowser()) return null;
+  const hash = window.location.hash.substring(1);
+  if (!hash) return null;
+  const client = getClient();
+  const params = new URLSearchParams(hash);
+  try {
+    const accessToken = params.get("access_token");
+    if (accessToken) return await handleOAuthCallback(client, params, accessToken);
+    const confirmationToken = params.get("confirmation_token");
+    if (confirmationToken) return await handleConfirmationCallback(client, confirmationToken);
+    const recoveryToken = params.get("recovery_token");
+    if (recoveryToken) return await handleRecoveryCallback(client, recoveryToken);
+    const inviteToken = params.get("invite_token");
+    if (inviteToken) return handleInviteCallback(inviteToken);
+    const emailChangeToken = params.get("email_change_token");
+    if (emailChangeToken) return await handleEmailChangeCallback(client, emailChangeToken);
+    return null;
+  } catch (error) {
+    if (error instanceof AuthError) throw error;
+    throw new AuthError(error.message, void 0, { cause: error });
+  }
+};
+var handleOAuthCallback = async (client, params, accessToken) => {
+  const refreshToken = params.get("refresh_token") ?? "";
+  const gotrueUser = await client.createUser(
+    {
+      access_token: accessToken,
+      token_type: params.get("token_type") ?? "bearer",
+      expires_in: Number(params.get("expires_in")),
+      expires_at: Number(params.get("expires_at")),
+      refresh_token: refreshToken
+    },
+    persistSession
+  );
+  setBrowserAuthCookies(accessToken, refreshToken || void 0);
+  const user = toUser(gotrueUser);
+  clearHash();
+  emitAuthEvent(AUTH_EVENTS.LOGIN, user);
+  return { type: "oauth", user };
+};
+var handleConfirmationCallback = async (client, token) => {
+  const gotrueUser = await client.confirm(token, persistSession);
+  const jwt = await gotrueUser.jwt();
+  setBrowserAuthCookies(jwt);
+  const user = toUser(gotrueUser);
+  clearHash();
+  emitAuthEvent(AUTH_EVENTS.LOGIN, user);
+  return { type: "confirmation", user };
+};
+var handleRecoveryCallback = async (client, token) => {
+  const gotrueUser = await client.recover(token, persistSession);
+  const jwt = await gotrueUser.jwt();
+  setBrowserAuthCookies(jwt);
+  const user = toUser(gotrueUser);
+  clearHash();
+  emitAuthEvent(AUTH_EVENTS.RECOVERY, user);
+  return { type: "recovery", user };
+};
+var handleInviteCallback = (token) => {
+  clearHash();
+  return { type: "invite", user: null, token };
+};
+var handleEmailChangeCallback = async (client, emailChangeToken) => {
+  const currentUser = client.currentUser();
+  if (!currentUser) {
+    throw new AuthError("Email change verification requires an active browser session");
+  }
+  const jwt = await currentUser.jwt();
+  const identityUrl = `${window.location.origin}${IDENTITY_PATH}`;
+  const emailChangeRes = await fetch(`${identityUrl}/user`, {
+    method: "PUT",
+    headers: {
+      "Content-Type": "application/json",
+      Authorization: `Bearer ${jwt}`
+    },
+    body: JSON.stringify({ email_change_token: emailChangeToken })
+  });
+  if (!emailChangeRes.ok) {
+    const errorBody = await emailChangeRes.json().catch(() => ({}));
+    throw new AuthError(
+      errorBody.msg || `Email change verification failed (${emailChangeRes.status})`,
+      emailChangeRes.status
+    );
+  }
+  const emailChangeData = await emailChangeRes.json();
+  const user = toUser(emailChangeData);
+  clearHash();
+  emitAuthEvent(AUTH_EVENTS.USER_UPDATED, user);
+  return { type: "email_change", user };
+};
+var clearHash = () => {
+  history.replaceState(null, "", window.location.pathname + window.location.search);
+};
+var hydrateSession = async () => {
+  if (!isBrowser()) return null;
+  const client = getClient();
+  const currentUser = client.currentUser();
+  if (currentUser) return toUser(currentUser);
+  const accessToken = getCookie(NF_JWT_COOKIE);
+  if (!accessToken) return null;
+  const refreshToken = getCookie(NF_REFRESH_COOKIE) ?? "";
+  const decoded = decodeJwtPayload(accessToken);
+  const expiresAt = decoded?.exp ?? Math.floor(Date.now() / 1e3) + 3600;
+  const expiresIn = Math.max(0, expiresAt - Math.floor(Date.now() / 1e3));
+  const gotrueUser = await client.createUser(
+    {
+      access_token: accessToken,
+      token_type: "bearer",
+      expires_in: expiresIn,
+      expires_at: expiresAt,
+      refresh_token: refreshToken
+    },
+    persistSession
+  );
+  const user = toUser(gotrueUser);
+  emitAuthEvent(AUTH_EVENTS.LOGIN, user);
+  return user;
+};
+
+// src/account.ts
+var resolveCurrentUser = async () => {
+  const client = getClient();
+  let currentUser = client.currentUser();
+  if (!currentUser && isBrowser()) {
+    try {
+      await hydrateSession();
+    } catch {
+    }
+    currentUser = client.currentUser();
+  }
+  if (!currentUser) throw new AuthError("No user is currently logged in");
+  return currentUser;
+};
+var requestPasswordRecovery = async (email) => {
+  const client = getClient();
+  try {
+    await client.requestPasswordRecovery(email);
+  } catch (error) {
+    throw new AuthError(error.message, void 0, { cause: error });
+  }
+};
+var recoverPassword = async (token, newPassword) => {
+  const client = getClient();
+  try {
+    const gotrueUser = await client.recover(token, persistSession);
+    const updatedUser = await gotrueUser.update({ password: newPassword });
+    const user = toUser(updatedUser);
+    emitAuthEvent(AUTH_EVENTS.LOGIN, user);
+    return user;
+  } catch (error) {
+    throw new AuthError(error.message, void 0, { cause: error });
+  }
+};
+var confirmEmail = async (token) => {
+  const client = getClient();
+  try {
+    const gotrueUser = await client.confirm(token, persistSession);
+    const user = toUser(gotrueUser);
+    emitAuthEvent(AUTH_EVENTS.LOGIN, user);
+    return user;
+  } catch (error) {
+    throw new AuthError(error.message, void 0, { cause: error });
+  }
+};
+var acceptInvite = async (token, password) => {
+  const client = getClient();
+  try {
+    const gotrueUser = await client.acceptInvite(token, password, persistSession);
+    const user = toUser(gotrueUser);
+    emitAuthEvent(AUTH_EVENTS.LOGIN, user);
+    return user;
+  } catch (error) {
+    throw new AuthError(error.message, void 0, { cause: error });
+  }
+};
+var verifyEmailChange = async (token) => {
+  if (!isBrowser()) throw new AuthError("verifyEmailChange() is only available in the browser");
+  const currentUser = await resolveCurrentUser();
+  const jwt = await currentUser.jwt();
+  const identityUrl = `${window.location.origin}${IDENTITY_PATH}`;
+  try {
+    const res = await fetch(`${identityUrl}/user`, {
+      method: "PUT",
+      headers: {
+        "Content-Type": "application/json",
+        Authorization: `Bearer ${jwt}`
+      },
+      body: JSON.stringify({ email_change_token: token })
+    });
+    if (!res.ok) {
+      const errorBody = await res.json().catch(() => ({}));
+      throw new AuthError(errorBody.msg || `Email change verification failed (${res.status})`, res.status);
+    }
+    const userData = await res.json();
+    const user = toUser(userData);
+    emitAuthEvent(AUTH_EVENTS.USER_UPDATED, user);
+    return user;
+  } catch (error) {
+    if (error instanceof AuthError) throw error;
+    throw new AuthError(error.message, void 0, { cause: error });
+  }
+};
+var updateUser = async (updates) => {
+  const currentUser = await resolveCurrentUser();
+  try {
+    const updatedUser = await currentUser.update(updates);
+    const user = toUser(updatedUser);
+    emitAuthEvent(AUTH_EVENTS.USER_UPDATED, user);
+    return user;
+  } catch (error) {
+    throw new AuthError(error.message, void 0, { cause: error });
+  }
+};
+
+// src/admin.ts
+var getAdminAuth = () => {
+  const ctx = getIdentityContext();
+  if (!ctx?.url) {
+    throw new AuthError("Could not determine the Identity endpoint URL on the server");
+  }
+  if (!ctx.token) {
+    throw new AuthError("Admin operations require an operator token (only available in Netlify Functions)");
+  }
+  return { url: ctx.url, token: ctx.token };
+};
+var adminFetch = async (path, options = {}) => {
+  const { url, token } = getAdminAuth();
+  let res;
+  try {
+    res = await fetch(`${url}${path}`, {
+      ...options,
+      headers: {
+        ...options.headers,
+        Authorization: `Bearer ${token}`,
+        "Content-Type": "application/json"
+      }
+    });
+  } catch (error) {
+    throw new AuthError(error.message, void 0, { cause: error });
+  }
+  if (!res.ok) {
+    const errorBody = await res.json().catch(() => ({}));
+    throw new AuthError(errorBody.msg || `Admin request failed (${res.status})`, res.status);
+  }
+  return res;
+};
+var getAdminUser = () => {
+  const client = getClient();
+  const user = client.currentUser();
+  if (!user) {
+    throw new AuthError("Admin operations require a logged-in user with admin role");
+  }
+  return user;
+};
+var listUsers = async (options) => {
+  if (!isBrowser()) {
+    const params = new URLSearchParams();
+    if (options?.page != null) params.set("page", String(options.page));
+    if (options?.perPage != null) params.set("per_page", String(options.perPage));
+    const query = params.toString();
+    const path = `/admin/users${query ? `?${query}` : ""}`;
+    const res = await adminFetch(path);
+    const body = await res.json();
+    return body.users.map(toUser);
+  }
+  try {
+    const user = getAdminUser();
+    const users = await user.admin.listUsers("");
+    return users.map(toUser);
+  } catch (error) {
+    if (error instanceof AuthError) throw error;
+    throw new AuthError(error.message, void 0, { cause: error });
+  }
+};
+var getUser2 = async (userId) => {
+  if (!isBrowser()) {
+    const res = await adminFetch(`/admin/users/${userId}`);
+    const userData = await res.json();
+    return toUser(userData);
+  }
+  try {
+    const user = getAdminUser();
+    const userData = await user.admin.getUser({ id: userId });
+    return toUser(userData);
+  } catch (error) {
+    if (error instanceof AuthError) throw error;
+    throw new AuthError(error.message, void 0, { cause: error });
+  }
+};
+var createUser = async (params) => {
+  if (!isBrowser()) {
+    const res = await adminFetch("/admin/users", {
+      method: "POST",
+      body: JSON.stringify({
+        email: params.email,
+        password: params.password,
+        ...params.data,
+        confirm: true
+      })
+    });
+    const userData = await res.json();
+    return toUser(userData);
+  }
+  try {
+    const user = getAdminUser();
+    const userData = await user.admin.createUser(params.email, params.password, {
+      ...params.data,
+      confirm: true
+    });
+    return toUser(userData);
+  } catch (error) {
+    if (error instanceof AuthError) throw error;
+    throw new AuthError(error.message, void 0, { cause: error });
+  }
+};
+var updateUser2 = async (userId, attributes) => {
+  if (!isBrowser()) {
+    const res = await adminFetch(`/admin/users/${userId}`, {
+      method: "PUT",
+      body: JSON.stringify(attributes)
+    });
+    const userData = await res.json();
+    return toUser(userData);
+  }
+  try {
+    const user = getAdminUser();
+    const userData = await user.admin.updateUser({ id: userId }, attributes);
+    return toUser(userData);
+  } catch (error) {
+    if (error instanceof AuthError) throw error;
+    throw new AuthError(error.message, void 0, { cause: error });
+  }
+};
+var deleteUser = async (userId) => {
+  if (!isBrowser()) {
+    await adminFetch(`/admin/users/${userId}`, { method: "DELETE" });
+    return;
+  }
+  try {
+    const user = getAdminUser();
+    await user.admin.deleteUser({ id: userId });
+  } catch (error) {
+    if (error instanceof AuthError) throw error;
+    throw new AuthError(error.message, void 0, { cause: error });
+  }
+};
+var admin = { listUsers, getUser: getUser2, createUser, updateUser: updateUser2, deleteUser };
 // Annotate the CommonJS export names for ESM import in node:
 0 && (module.exports = {
+  AUTH_EVENTS,
   AuthError,
   MissingIdentityError,
+  acceptInvite,
+  admin,
+  confirmEmail,
   getIdentityConfig,
   getSettings,
   getUser,
-  isAuthenticated
+  handleAuthCallback,
+  hydrateSession,
+  isAuthenticated,
+  login,
+  logout,
+  oauthLogin,
+  onAuthChange,
+  recoverPassword,
+  requestPasswordRecovery,
+  signup,
+  updateUser,
+  verifyEmailChange
 });
 //# sourceMappingURL=index.cjs.map