@netlify/identity 0.3.0-alpha.6 → 0.3.0

package/dist/index.js

@@ -22,6 +22,7 @@ var AuthError = class _AuthError extends Error {
     }
   }
   static from(error) {
+    if (error instanceof _AuthError) return error;
     const message = error instanceof Error ? error.message : String(error);
     return new _AuthError(message, void 0, { cause: error });
   }
@@ -97,6 +98,7 @@ var getIdentityContext = () => {
 var NF_JWT_COOKIE = "nf_jwt";
 var NF_REFRESH_COOKIE = "nf_refresh";
 var getCookie = (name) => {
+  if (typeof document === "undefined") return null;
   const match = document.cookie.match(new RegExp(`(?:^|; )${name.replace(/[.*+?^${}()|[\]\\]/g, "\\$&")}=([^;]*)`));
   if (!match) return null;
   try {
@@ -130,12 +132,14 @@ var deleteAuthCookies = (cookies) => {
   cookies.delete(NF_REFRESH_COOKIE);
 };
 var setBrowserAuthCookies = (accessToken, refreshToken) => {
+  if (typeof document === "undefined") return;
   document.cookie = `${NF_JWT_COOKIE}=${encodeURIComponent(accessToken)}; path=/; secure; samesite=lax`;
   if (refreshToken) {
     document.cookie = `${NF_REFRESH_COOKIE}=${encodeURIComponent(refreshToken)}; path=/; secure; samesite=lax`;
   }
 };
 var deleteBrowserAuthCookies = () => {
+  if (typeof document === "undefined") return;
   document.cookie = `${NF_JWT_COOKIE}=; path=/; secure; samesite=lax; expires=Thu, 01 Jan 1970 00:00:00 GMT`;
   document.cookie = `${NF_REFRESH_COOKIE}=; path=/; secure; samesite=lax; expires=Thu, 01 Jan 1970 00:00:00 GMT`;
 };
@@ -218,6 +222,105 @@ var onAuthChange = (callback) => {
   };
 };
 
+// src/refresh.ts
+var REFRESH_MARGIN_S = 60;
+var refreshTimer = null;
+var startTokenRefresh = () => {
+  if (!isBrowser()) return;
+  stopTokenRefresh();
+  const client = getGoTrueClient();
+  const user = client?.currentUser();
+  if (!user) return;
+  const token = user.tokenDetails();
+  if (!token?.expires_at) return;
+  const nowS = Math.floor(Date.now() / 1e3);
+  const expiresAtS = typeof token.expires_at === "number" && token.expires_at > 1e12 ? Math.floor(token.expires_at / 1e3) : token.expires_at;
+  const delayMs = Math.max(0, expiresAtS - nowS - REFRESH_MARGIN_S) * 1e3;
+  refreshTimer = setTimeout(async () => {
+    try {
+      const freshJwt = await user.jwt(true);
+      const freshDetails = user.tokenDetails();
+      setBrowserAuthCookies(freshJwt, freshDetails?.refresh_token);
+      emitAuthEvent(AUTH_EVENTS.TOKEN_REFRESH, toUser(user));
+      startTokenRefresh();
+    } catch {
+      stopTokenRefresh();
+    }
+  }, delayMs);
+};
+var stopTokenRefresh = () => {
+  if (refreshTimer !== null) {
+    clearTimeout(refreshTimer);
+    refreshTimer = null;
+  }
+};
+var refreshSession = async () => {
+  if (isBrowser()) {
+    const client = getGoTrueClient();
+    const user = client?.currentUser();
+    if (!user) return null;
+    const details = user.tokenDetails();
+    if (details?.expires_at) {
+      const nowS2 = Math.floor(Date.now() / 1e3);
+      const expiresAtS = typeof details.expires_at === "number" && details.expires_at > 1e12 ? Math.floor(details.expires_at / 1e3) : details.expires_at;
+      if (expiresAtS - nowS2 > REFRESH_MARGIN_S) {
+        return null;
+      }
+    }
+    try {
+      const jwt = await user.jwt(true);
+      setBrowserAuthCookies(jwt, user.tokenDetails()?.refresh_token);
+      emitAuthEvent(AUTH_EVENTS.TOKEN_REFRESH, toUser(user));
+      startTokenRefresh();
+      return jwt;
+    } catch {
+      stopTokenRefresh();
+      return null;
+    }
+  }
+  const accessToken = getServerCookie(NF_JWT_COOKIE);
+  const refreshToken = getServerCookie(NF_REFRESH_COOKIE);
+  if (!accessToken || !refreshToken) return null;
+  const decoded = decodeJwtPayload(accessToken);
+  if (!decoded?.exp) return null;
+  const nowS = Math.floor(Date.now() / 1e3);
+  if (decoded.exp - nowS > REFRESH_MARGIN_S) {
+    return null;
+  }
+  const ctx = getIdentityContext();
+  const identityUrl = ctx?.url ?? (globalThis.Netlify?.context?.url ? new URL(IDENTITY_PATH, globalThis.Netlify.context.url).href : null);
+  if (!identityUrl) {
+    throw new AuthError("Could not determine the Identity endpoint URL for token refresh");
+  }
+  let res;
+  try {
+    res = await fetch(`${identityUrl}/token`, {
+      method: "POST",
+      headers: { "Content-Type": "application/x-www-form-urlencoded" },
+      body: new URLSearchParams({ grant_type: "refresh_token", refresh_token: refreshToken }).toString()
+    });
+  } catch (error) {
+    throw AuthError.from(error);
+  }
+  if (!res.ok) {
+    const errorBody = await res.json().catch(() => ({}));
+    if (res.status === 401 || res.status === 400) {
+      const cookies2 = globalThis.Netlify?.context?.cookies;
+      if (cookies2) {
+        deleteAuthCookies(cookies2);
+      }
+      return null;
+    }
+    throw new AuthError(errorBody.msg || `Token refresh failed (${res.status})`, res.status);
+  }
+  const data = await res.json();
+  const cookies = globalThis.Netlify?.context?.cookies;
+  if (cookies) {
+    setAuthCookies(cookies, data.access_token, data.refresh_token);
+  }
+  return data.access_token;
+};
+
 // src/auth.ts
 var getCookies = () => {
   const cookies = globalThis.Netlify?.context?.cookies;
@@ -282,6 +385,7 @@ var login = async (email, password) => {
     const jwt = await gotrueUser.jwt();
     setBrowserAuthCookies(jwt, gotrueUser.tokenDetails()?.refresh_token);
     const user = toUser(gotrueUser);
+    startTokenRefresh();
     emitAuthEvent(AUTH_EVENTS.LOGIN, user);
     return user;
   } catch (error) {
@@ -326,6 +430,7 @@ var signup = async (email, password, data) => {
         const refreshToken = response.tokenDetails?.()?.refresh_token;
         setBrowserAuthCookies(jwt, refreshToken);
       }
+      startTokenRefresh();
       emitAuthEvent(AUTH_EVENTS.LOGIN, user);
     }
     return user;
@@ -357,6 +462,7 @@ var logout = async () => {
       await currentUser.logout();
     }
     deleteBrowserAuthCookies();
+    stopTokenRefresh();
     emitAuthEvent(AUTH_EVENTS.LOGOUT, null);
   } catch (error) {
     throw AuthError.from(error);
@@ -409,6 +515,7 @@ var handleOAuthCallback = async (client, params, accessToken) => {
   );
   setBrowserAuthCookies(accessToken, refreshToken || void 0);
   const user = toUser(gotrueUser);
+  startTokenRefresh();
   clearHash();
   emitAuthEvent(AUTH_EVENTS.LOGIN, user);
   return { type: "oauth", user };
@@ -418,6 +525,7 @@ var handleConfirmationCallback = async (client, token) => {
   const jwt = await gotrueUser.jwt();
   setBrowserAuthCookies(jwt, gotrueUser.tokenDetails()?.refresh_token);
   const user = toUser(gotrueUser);
+  startTokenRefresh();
   clearHash();
   emitAuthEvent(AUTH_EVENTS.LOGIN, user);
   return { type: "confirmation", user };
@@ -427,6 +535,7 @@ var handleRecoveryCallback = async (client, token) => {
   const jwt = await gotrueUser.jwt();
   setBrowserAuthCookies(jwt, gotrueUser.tokenDetails()?.refresh_token);
   const user = toUser(gotrueUser);
+  startTokenRefresh();
   clearHash();
   emitAuthEvent(AUTH_EVENTS.RECOVERY, user);
   return { type: "recovery", user };
@@ -470,7 +579,10 @@ var hydrateSession = async () => {
   if (!isBrowser()) return null;
   const client = getClient();
   const currentUser = client.currentUser();
-  if (currentUser) return toUser(currentUser);
+  if (currentUser) {
+    startTokenRefresh();
+    return toUser(currentUser);
+  }
   const accessToken = getCookie(NF_JWT_COOKIE);
   if (!accessToken) return null;
   const refreshToken = getCookie(NF_REFRESH_COOKIE) ?? "";
@@ -494,6 +606,7 @@ var hydrateSession = async () => {
     return null;
   }
   const user = toUser(gotrueUser);
+  startTokenRefresh();
   emitAuthEvent(AUTH_EVENTS.LOGIN, user);
   return user;
 };
@@ -588,6 +701,7 @@ var getUser = async () => {
         }
         return null;
       }
+      startTokenRefresh();
       return toUser(currentUser);
     }
     const jwt = getCookie(NF_JWT_COOKIE);
@@ -595,8 +709,7 @@ var getUser = async () => {
     const claims2 = decodeJwtPayload(jwt);
     if (!claims2) return null;
     const hydrated = await hydrateSession();
-    if (hydrated) return hydrated;
-    return claimsToUser(claims2);
+    return hydrated ?? null;
   }
   triggerNextjsDynamic();
   const identityContext = globalThis.netlifyIdentityContext;
@@ -608,7 +721,7 @@ var getUser = async () => {
       if (fullUser) return fullUser;
     }
   }
-  const claims = identityContext?.user ?? (serverJwt ? decodeJwtPayload(serverJwt) : null);
+  const claims = identityContext?.user ?? null;
   return claims ? claimsToUser(claims) : null;
 };
 var isAuthenticated = async () => await getUser() !== null;
@@ -671,6 +784,7 @@ var recoverPassword = async (token, newPassword) => {
     const gotrueUser = await client.recover(token, persistSession);
     const updatedUser = await gotrueUser.update({ password: newPassword });
     const user = toUser(updatedUser);
+    startTokenRefresh();
     emitAuthEvent(AUTH_EVENTS.LOGIN, user);
     return user;
   } catch (error) {
@@ -682,6 +796,7 @@ var confirmEmail = async (token) => {
   try {
     const gotrueUser = await client.confirm(token, persistSession);
     const user = toUser(gotrueUser);
+    startTokenRefresh();
     emitAuthEvent(AUTH_EVENTS.LOGIN, user);
     return user;
   } catch (error) {
@@ -693,6 +808,7 @@ var acceptInvite = async (token, password) => {
   try {
     const gotrueUser = await client.acceptInvite(token, password, persistSession);
     const user = toUser(gotrueUser);
+    startTokenRefresh();
     emitAuthEvent(AUTH_EVENTS.LOGIN, user);
     return user;
   } catch (error) {
@@ -889,6 +1005,7 @@ export {
   oauthLogin,
   onAuthChange,
   recoverPassword,
+  refreshSession,
   requestPasswordRecovery,
   signup,
   updateUser,