@netlify/identity 1.0.0 → 1.2.0

package/dist/{index.cjs → main.cjs}

@@ -27,9 +27,9 @@ var __toESM = (mod, isNodeMode, target) => (target = mod != null ? __create(__ge
 ));
 var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
 
-// src/index.ts
-var index_exports = {};
-__export(index_exports, {
+// src/main.ts
+var main_exports = {};
+__export(main_exports, {
   AUTH_EVENTS: () => AUTH_EVENTS,
   AuthError: () => AuthError,
   MissingIdentityError: () => MissingIdentityError,
@@ -51,9 +51,10 @@ __export(index_exports, {
   requestPasswordRecovery: () => requestPasswordRecovery,
   signup: () => signup,
   updateUser: () => updateUser,
-  verifyEmailChange: () => verifyEmailChange
+  verifyEmailChange: () => verifyEmailChange,
+  verifyRequestOrigin: () => verifyRequestOrigin
 });
-module.exports = __toCommonJS(index_exports);
+module.exports = __toCommonJS(main_exports);
 
 // src/types.ts
 var AUTH_PROVIDERS = ["google", "github", "gitlab", "bitbucket", "facebook", "email"];
@@ -149,7 +150,7 @@ var NF_JWT_COOKIE = "nf_jwt";
 var NF_REFRESH_COOKIE = "nf_refresh";
 var getCookie = (name) => {
   if (typeof document === "undefined") return null;
-  const match = document.cookie.match(new RegExp(`(?:^|; )${name.replace(/[.*+?^${}()|[\]\\]/g, "\\$&")}=([^;]*)`));
+  const match = new RegExp(`(?:^|; )${name.replace(/[.*+?^${}()|[\]\\]/g, "\\$&")}=([^;]*)`).exec(document.cookie);
   if (!match) return null;
   try {
     return decodeURIComponent(match[1]);
@@ -231,13 +232,15 @@ var triggerNextjsDynamic = () => {
 var DEFAULT_TIMEOUT_MS = 5e3;
 var fetchWithTimeout = async (url, options = {}, timeoutMs = DEFAULT_TIMEOUT_MS) => {
   const controller = new AbortController();
-  const timer = setTimeout(() => controller.abort(), timeoutMs);
+  const timer = setTimeout(() => {
+    controller.abort();
+  }, timeoutMs);
   try {
     return await fetch(url, { ...options, signal: controller.signal });
   } catch (error) {
     if (error instanceof Error && error.name === "AbortError") {
       const pathname = new URL(url).pathname;
-      throw new AuthError(`Identity request to ${pathname} timed out after ${timeoutMs}ms`);
+      throw new AuthError(`Identity request to ${pathname} timed out after ${String(timeoutMs)}ms`);
     }
     throw error;
   } finally {
@@ -304,16 +307,18 @@ var startTokenRefresh = () => {
   const nowS = Math.floor(Date.now() / 1e3);
   const expiresAtS = typeof token.expires_at === "number" && token.expires_at > 1e12 ? Math.floor(token.expires_at / 1e3) : token.expires_at;
   const delayMs = Math.max(0, expiresAtS - nowS - REFRESH_MARGIN_S) * 1e3;
-  refreshTimer = setTimeout(async () => {
-    try {
-      const freshJwt = await user.jwt(true);
-      const freshDetails = user.tokenDetails();
-      setBrowserAuthCookies(freshJwt, freshDetails?.refresh_token);
-      emitAuthEvent(AUTH_EVENTS.TOKEN_REFRESH, toUser(user));
-      startTokenRefresh();
-    } catch {
-      stopTokenRefresh();
-    }
+  refreshTimer = setTimeout(() => {
+    void (async () => {
+      try {
+        const freshJwt = await user.jwt(true);
+        const freshDetails = user.tokenDetails();
+        setBrowserAuthCookies(freshJwt, freshDetails?.refresh_token);
+        emitAuthEvent(AUTH_EVENTS.TOKEN_REFRESH, toUser(user));
+        startTokenRefresh();
+      } catch {
+        stopTokenRefresh();
+      }
+    })();
   }, delayMs);
 };
 var stopTokenRefresh = () => {
@@ -379,7 +384,7 @@ var refreshSession = async () => {
       }
       return null;
     }
-    throw new AuthError(errorBody.msg || `Token refresh failed (${res.status})`, res.status);
+    throw new AuthError(errorBody.msg ?? `Token refresh failed (${String(res.status)})`, res.status);
   }
   const data = await res.json();
   const cookies = globalThis.Netlify?.context?.cookies;
@@ -426,7 +431,10 @@ var login = async (email, password) => {
     }
     if (!res.ok) {
       const errorBody = await res.json().catch(() => ({}));
-      throw new AuthError(errorBody.msg || errorBody.error_description || `Login failed (${res.status})`, res.status);
+      throw new AuthError(
+        errorBody.msg ?? errorBody.error_description ?? `Login failed (${String(res.status)})`,
+        res.status
+      );
     }
     const data = await res.json();
     const accessToken = data.access_token;
@@ -440,7 +448,7 @@ var login = async (email, password) => {
     }
     if (!userRes.ok) {
       const errorBody = await userRes.json().catch(() => ({}));
-      throw new AuthError(errorBody.msg || `Failed to fetch user data (${userRes.status})`, userRes.status);
+      throw new AuthError(errorBody.msg ?? `Failed to fetch user data (${String(userRes.status)})`, userRes.status);
     }
     const userData = await userRes.json();
     const user = toUser(userData);
@@ -476,7 +484,7 @@ var signup = async (email, password, data) => {
     }
     if (!res.ok) {
       const errorBody = await res.json().catch(() => ({}));
-      throw new AuthError(errorBody.msg || `Signup failed (${res.status})`, res.status);
+      throw new AuthError(errorBody.msg ?? `Signup failed (${String(res.status)})`, res.status);
     }
     const responseData = await res.json();
     const user = toUser(responseData);
@@ -630,7 +638,7 @@ var handleEmailChangeCallback = async (client, emailChangeToken) => {
   if (!emailChangeRes.ok) {
     const errorBody = await emailChangeRes.json().catch(() => ({}));
     throw new AuthError(
-      errorBody.msg || `Email change verification failed (${emailChangeRes.status})`,
+      errorBody.msg ?? `Email change verification failed (${String(emailChangeRes.status)})`,
       emailChangeRes.status
     );
   }
@@ -692,7 +700,7 @@ var toRoles = (appMeta) => {
 var toUser = (userData) => {
   const userMeta = userData.user_metadata ?? {};
   const appMeta = userData.app_metadata ?? {};
-  const name = userMeta.full_name || userMeta.name;
+  const name = userMeta.full_name ?? userMeta.name;
   const pictureUrl = userMeta.avatar_url;
   return {
     id: userData.id,
@@ -718,7 +726,7 @@ var toUser = (userData) => {
 var claimsToUser = (claims) => {
   const appMeta = claims.app_metadata ?? {};
   const userMeta = claims.user_metadata ?? {};
-  const name = userMeta.full_name || userMeta.name;
+  const name = userMeta.full_name ?? userMeta.name;
   const pictureUrl = userMeta.avatar_url;
   return {
     id: claims.sub ?? "",
@@ -790,7 +798,7 @@ var getUser = async () => {
   }
   triggerNextjsDynamic();
   const identityContext = globalThis.netlifyIdentityContext;
-  const serverJwt = identityContext?.token || getServerCookie(NF_JWT_COOKIE);
+  const serverJwt = identityContext?.token ?? getServerCookie(NF_JWT_COOKIE);
   if (serverJwt) {
     const identityUrl = resolveIdentityUrl();
     if (identityUrl) {
@@ -832,6 +840,18 @@ var getSettings = async () => {
   }
 };
 
+// src/csrf.ts
+var verifyRequestOrigin = (request, options) => {
+  const origin = request.headers.get("origin");
+  if (!origin) {
+    throw new AuthError("Cross-origin request refused: missing Origin header.", 403);
+  }
+  const allowed = options?.allowedOrigins ?? [new URL(request.url).origin];
+  if (!allowed.includes(origin)) {
+    throw new AuthError(`Cross-origin request refused: Origin ${origin} did not match an allowed origin.`, 403);
+  }
+};
+
 // src/account.ts
 var resolveCurrentUser = async () => {
   const client = getClient();
@@ -907,7 +927,7 @@ var verifyEmailChange = async (token) => {
     });
     if (!res.ok) {
       const errorBody = await res.json().catch(() => ({}));
-      throw new AuthError(errorBody.msg || `Email change verification failed (${res.status})`, res.status);
+      throw new AuthError(errorBody.msg ?? `Email change verification failed (${String(res.status)})`, res.status);
     }
     const userData = await res.json();
     const user = toUser(userData);
@@ -971,7 +991,10 @@ var adminFetch = async (path, options = {}) => {
   }
   if (!res.ok) {
     const errorBody = await res.json().catch(() => ({}));
-    throw new AuthError(errorBody.msg || `Admin request failed (${res.status})`, res.status);
+    throw new AuthError(
+      errorBody.msg ?? `Admin request failed (${String(res.status)})`,
+      res.status
+    );
   }
   return res;
 };
@@ -1061,6 +1084,6 @@ var admin = { listUsers, getUser: getUser2, createUser, updateUser: updateUser2,
   requestPasswordRecovery,
   signup,
   updateUser,
-  verifyEmailChange
+  verifyEmailChange,
+  verifyRequestOrigin
 });
-//# sourceMappingURL=index.cjs.map

package/dist/{index.d.ts → main.d.cts}

@@ -278,6 +278,10 @@ declare const onAuthChange: (callback: AuthCallback) => (() => void);
  * try/catch. Next.js implements `redirect()` by throwing a special error; wrapping it in
  * try/catch will swallow the redirect.
  *
+ * **Server-side CSRF:** When called from a server endpoint, the endpoint must have CSRF
+ * protection. If your framework does not check the request's `Origin` by default, call
+ * {@link verifyRequestOrigin} at the start of the handler before invoking `login()`.
+ *
  * @example
  * ```ts
  * // Next.js server action
@@ -295,6 +299,11 @@ declare const login: (email: string, password: string) => Promise<User>;
  * In that case, no cookies are set and no auth event is emitted.
  *
  * @throws {AuthError} On duplicate email, validation failure, network error, or missing Netlify runtime.
+ *
+ * @remarks
+ * **Server-side CSRF:** When called from a server endpoint, the endpoint must have CSRF
+ * protection. If your framework does not check the request's `Origin` by default, call
+ * {@link verifyRequestOrigin} at the start of the handler before invoking `signup()`.
  */
 declare const signup: (email: string, password: string, data?: SignupData) => Promise<User>;
 /**
@@ -304,6 +313,11 @@ declare const signup: (email: string, password: string, data?: SignupData) => Pr
  * invalidation request fails. In the browser, emits a `'logout'` event via {@link onAuthChange}.
  *
  * @throws {AuthError} On missing Netlify runtime (server) or logout failure (browser).
+ *
+ * @remarks
+ * **Server-side CSRF:** When called from a server endpoint, the endpoint must have CSRF
+ * protection. If your framework does not check the request's `Origin` by default, call
+ * {@link verifyRequestOrigin} at the start of the handler before invoking `logout()`.
  */
 declare const logout: () => Promise<void>;
 /**
@@ -443,6 +457,63 @@ declare class MissingIdentityError extends Error {
     constructor(message?: string);
 }
 
+/**
+ * Options for {@link verifyRequestOrigin}.
+ */
+interface VerifyRequestOriginOptions {
+    /**
+     * Origins that are allowed to make state-changing requests to this endpoint.
+     *
+     * If omitted, the request is only accepted from its own origin (the origin of `request.url`),
+     * which is the right default for sites whose login form and login endpoint live on the same origin.
+     *
+     * Pass an explicit list when you trust additional origins (for example, a separate frontend domain
+     * posting to an API on another domain). The list replaces the default, so it must include every
+     * origin you want to allow, including the request's own origin if applicable.
+     *
+     * Each value should be a full origin string with scheme and host: `'https://example.com'`.
+     */
+    allowedOrigins?: string[];
+}
+/**
+ * Same-origin check for state-changing requests, can be used to defend against Cross-Site Request
+ * Forgery (CSRF) on server-side endpoints that call {@link login}, {@link signup}, or {@link logout}.
+ *
+ * Compares the incoming request's `Origin` header against the request's own origin (or an explicit
+ * allowlist via `options.allowedOrigins`) and throws if they don't match. Call this at the start of
+ * any server-side handler that performs an auth mutation, before invoking the auth function.
+ *
+ * The check runs unconditionally on every call: any HTTP method, with or without an `Origin` header.
+ * If you don't want the check to apply to a given method or path, simply don't call the helper there.
+ *
+ * @throws {AuthError} with status `403` when the request has no `Origin` header.
+ * @throws {AuthError} with status `403` when the request's `Origin` is not in the allowed origins.
+ *
+ * @example
+ * ```ts
+ * // Netlify Function
+ * import { login, verifyRequestOrigin } from '@netlify/identity'
+ * import type { Context } from '@netlify/functions'
+ *
+ * export default async (req: Request, context: Context) => {
+ *   verifyRequestOrigin(req)
+ *   const { email, password } = await req.json()
+ *   await login(email, password)
+ *   return new Response(null, { status: 302, headers: { Location: '/dashboard' } })
+ * }
+ * ```
+ *
+ * @example
+ * ```ts
+ * // Allow a separate trusted origin (e.g. a marketing site posting to an app domain).
+ * // The list replaces the default, so include the request's own origin if you still want it allowed.
+ * verifyRequestOrigin(request, {
+ *   allowedOrigins: ['https://app.example.com', 'https://www.example.com'],
+ * })
+ * ```
+ */
+declare const verifyRequestOrigin: (request: Request, options?: VerifyRequestOriginOptions) => void;
+
 /**
  * The admin namespace for privileged user management operations.
  * All methods are server-only and require the operator token
@@ -546,4 +617,4 @@ declare const verifyEmailChange: (token: string) => Promise<User>;
  */
 declare const updateUser: (updates: UserUpdates) => Promise<User>;
 
-export { AUTH_EVENTS, type Admin, type AdminUserUpdates, type AppMetadata, type AuthCallback, AuthError, type AuthEvent, type AuthProvider, type CallbackResult, type CreateUserParams, type IdentityConfig, type ListUsersOptions, MissingIdentityError, type Settings, type SignupData, type User, type UserUpdates, acceptInvite, admin, confirmEmail, getIdentityConfig, getSettings, getUser, handleAuthCallback, hydrateSession, isAuthenticated, login, logout, oauthLogin, onAuthChange, recoverPassword, refreshSession, requestPasswordRecovery, signup, updateUser, verifyEmailChange };
+export { AUTH_EVENTS, type Admin, type AdminUserUpdates, type AppMetadata, type AuthCallback, AuthError, type AuthEvent, type AuthProvider, type CallbackResult, type CreateUserParams, type IdentityConfig, type ListUsersOptions, MissingIdentityError, type Settings, type SignupData, type User, type UserUpdates, type VerifyRequestOriginOptions, acceptInvite, admin, confirmEmail, getIdentityConfig, getSettings, getUser, handleAuthCallback, hydrateSession, isAuthenticated, login, logout, oauthLogin, onAuthChange, recoverPassword, refreshSession, requestPasswordRecovery, signup, updateUser, verifyEmailChange, verifyRequestOrigin };

package/dist/{index.d.cts → main.d.ts}

@@ -278,6 +278,10 @@ declare const onAuthChange: (callback: AuthCallback) => (() => void);
  * try/catch. Next.js implements `redirect()` by throwing a special error; wrapping it in
  * try/catch will swallow the redirect.
  *
+ * **Server-side CSRF:** When called from a server endpoint, the endpoint must have CSRF
+ * protection. If your framework does not check the request's `Origin` by default, call
+ * {@link verifyRequestOrigin} at the start of the handler before invoking `login()`.
+ *
  * @example
  * ```ts
  * // Next.js server action
@@ -295,6 +299,11 @@ declare const login: (email: string, password: string) => Promise<User>;
  * In that case, no cookies are set and no auth event is emitted.
  *
  * @throws {AuthError} On duplicate email, validation failure, network error, or missing Netlify runtime.
+ *
+ * @remarks
+ * **Server-side CSRF:** When called from a server endpoint, the endpoint must have CSRF
+ * protection. If your framework does not check the request's `Origin` by default, call
+ * {@link verifyRequestOrigin} at the start of the handler before invoking `signup()`.
  */
 declare const signup: (email: string, password: string, data?: SignupData) => Promise<User>;
 /**
@@ -304,6 +313,11 @@ declare const signup: (email: string, password: string, data?: SignupData) => Pr
  * invalidation request fails. In the browser, emits a `'logout'` event via {@link onAuthChange}.
  *
  * @throws {AuthError} On missing Netlify runtime (server) or logout failure (browser).
+ *
+ * @remarks
+ * **Server-side CSRF:** When called from a server endpoint, the endpoint must have CSRF
+ * protection. If your framework does not check the request's `Origin` by default, call
+ * {@link verifyRequestOrigin} at the start of the handler before invoking `logout()`.
  */
 declare const logout: () => Promise<void>;
 /**
@@ -443,6 +457,63 @@ declare class MissingIdentityError extends Error {
     constructor(message?: string);
 }
 
+/**
+ * Options for {@link verifyRequestOrigin}.
+ */
+interface VerifyRequestOriginOptions {
+    /**
+     * Origins that are allowed to make state-changing requests to this endpoint.
+     *
+     * If omitted, the request is only accepted from its own origin (the origin of `request.url`),
+     * which is the right default for sites whose login form and login endpoint live on the same origin.
+     *
+     * Pass an explicit list when you trust additional origins (for example, a separate frontend domain
+     * posting to an API on another domain). The list replaces the default, so it must include every
+     * origin you want to allow, including the request's own origin if applicable.
+     *
+     * Each value should be a full origin string with scheme and host: `'https://example.com'`.
+     */
+    allowedOrigins?: string[];
+}
+/**
+ * Same-origin check for state-changing requests, can be used to defend against Cross-Site Request
+ * Forgery (CSRF) on server-side endpoints that call {@link login}, {@link signup}, or {@link logout}.
+ *
+ * Compares the incoming request's `Origin` header against the request's own origin (or an explicit
+ * allowlist via `options.allowedOrigins`) and throws if they don't match. Call this at the start of
+ * any server-side handler that performs an auth mutation, before invoking the auth function.
+ *
+ * The check runs unconditionally on every call: any HTTP method, with or without an `Origin` header.
+ * If you don't want the check to apply to a given method or path, simply don't call the helper there.
+ *
+ * @throws {AuthError} with status `403` when the request has no `Origin` header.
+ * @throws {AuthError} with status `403` when the request's `Origin` is not in the allowed origins.
+ *
+ * @example
+ * ```ts
+ * // Netlify Function
+ * import { login, verifyRequestOrigin } from '@netlify/identity'
+ * import type { Context } from '@netlify/functions'
+ *
+ * export default async (req: Request, context: Context) => {
+ *   verifyRequestOrigin(req)
+ *   const { email, password } = await req.json()
+ *   await login(email, password)
+ *   return new Response(null, { status: 302, headers: { Location: '/dashboard' } })
+ * }
+ * ```
+ *
+ * @example
+ * ```ts
+ * // Allow a separate trusted origin (e.g. a marketing site posting to an app domain).
+ * // The list replaces the default, so include the request's own origin if you still want it allowed.
+ * verifyRequestOrigin(request, {
+ *   allowedOrigins: ['https://app.example.com', 'https://www.example.com'],
+ * })
+ * ```
+ */
+declare const verifyRequestOrigin: (request: Request, options?: VerifyRequestOriginOptions) => void;
+
 /**
  * The admin namespace for privileged user management operations.
  * All methods are server-only and require the operator token
@@ -546,4 +617,4 @@ declare const verifyEmailChange: (token: string) => Promise<User>;
  */
 declare const updateUser: (updates: UserUpdates) => Promise<User>;
 
-export { AUTH_EVENTS, type Admin, type AdminUserUpdates, type AppMetadata, type AuthCallback, AuthError, type AuthEvent, type AuthProvider, type CallbackResult, type CreateUserParams, type IdentityConfig, type ListUsersOptions, MissingIdentityError, type Settings, type SignupData, type User, type UserUpdates, acceptInvite, admin, confirmEmail, getIdentityConfig, getSettings, getUser, handleAuthCallback, hydrateSession, isAuthenticated, login, logout, oauthLogin, onAuthChange, recoverPassword, refreshSession, requestPasswordRecovery, signup, updateUser, verifyEmailChange };
+export { AUTH_EVENTS, type Admin, type AdminUserUpdates, type AppMetadata, type AuthCallback, AuthError, type AuthEvent, type AuthProvider, type CallbackResult, type CreateUserParams, type IdentityConfig, type ListUsersOptions, MissingIdentityError, type Settings, type SignupData, type User, type UserUpdates, type VerifyRequestOriginOptions, acceptInvite, admin, confirmEmail, getIdentityConfig, getSettings, getUser, handleAuthCallback, hydrateSession, isAuthenticated, login, logout, oauthLogin, onAuthChange, recoverPassword, refreshSession, requestPasswordRecovery, signup, updateUser, verifyEmailChange, verifyRequestOrigin };

package/dist/{index.js → main.js}

@@ -99,7 +99,7 @@ var NF_JWT_COOKIE = "nf_jwt";
 var NF_REFRESH_COOKIE = "nf_refresh";
 var getCookie = (name) => {
   if (typeof document === "undefined") return null;
-  const match = document.cookie.match(new RegExp(`(?:^|; )${name.replace(/[.*+?^${}()|[\]\\]/g, "\\$&")}=([^;]*)`));
+  const match = new RegExp(`(?:^|; )${name.replace(/[.*+?^${}()|[\]\\]/g, "\\$&")}=([^;]*)`).exec(document.cookie);
   if (!match) return null;
   try {
     return decodeURIComponent(match[1]);
@@ -181,13 +181,15 @@ var triggerNextjsDynamic = () => {
 var DEFAULT_TIMEOUT_MS = 5e3;
 var fetchWithTimeout = async (url, options = {}, timeoutMs = DEFAULT_TIMEOUT_MS) => {
   const controller = new AbortController();
-  const timer = setTimeout(() => controller.abort(), timeoutMs);
+  const timer = setTimeout(() => {
+    controller.abort();
+  }, timeoutMs);
   try {
     return await fetch(url, { ...options, signal: controller.signal });
   } catch (error) {
     if (error instanceof Error && error.name === "AbortError") {
       const pathname = new URL(url).pathname;
-      throw new AuthError(`Identity request to ${pathname} timed out after ${timeoutMs}ms`);
+      throw new AuthError(`Identity request to ${pathname} timed out after ${String(timeoutMs)}ms`);
     }
     throw error;
   } finally {
@@ -254,16 +256,18 @@ var startTokenRefresh = () => {
   const nowS = Math.floor(Date.now() / 1e3);
   const expiresAtS = typeof token.expires_at === "number" && token.expires_at > 1e12 ? Math.floor(token.expires_at / 1e3) : token.expires_at;
   const delayMs = Math.max(0, expiresAtS - nowS - REFRESH_MARGIN_S) * 1e3;
-  refreshTimer = setTimeout(async () => {
-    try {
-      const freshJwt = await user.jwt(true);
-      const freshDetails = user.tokenDetails();
-      setBrowserAuthCookies(freshJwt, freshDetails?.refresh_token);
-      emitAuthEvent(AUTH_EVENTS.TOKEN_REFRESH, toUser(user));
-      startTokenRefresh();
-    } catch {
-      stopTokenRefresh();
-    }
+  refreshTimer = setTimeout(() => {
+    void (async () => {
+      try {
+        const freshJwt = await user.jwt(true);
+        const freshDetails = user.tokenDetails();
+        setBrowserAuthCookies(freshJwt, freshDetails?.refresh_token);
+        emitAuthEvent(AUTH_EVENTS.TOKEN_REFRESH, toUser(user));
+        startTokenRefresh();
+      } catch {
+        stopTokenRefresh();
+      }
+    })();
   }, delayMs);
 };
 var stopTokenRefresh = () => {
@@ -329,7 +333,7 @@ var refreshSession = async () => {
       }
       return null;
     }
-    throw new AuthError(errorBody.msg || `Token refresh failed (${res.status})`, res.status);
+    throw new AuthError(errorBody.msg ?? `Token refresh failed (${String(res.status)})`, res.status);
   }
   const data = await res.json();
   const cookies = globalThis.Netlify?.context?.cookies;
@@ -376,7 +380,10 @@ var login = async (email, password) => {
     }
     if (!res.ok) {
       const errorBody = await res.json().catch(() => ({}));
-      throw new AuthError(errorBody.msg || errorBody.error_description || `Login failed (${res.status})`, res.status);
+      throw new AuthError(
+        errorBody.msg ?? errorBody.error_description ?? `Login failed (${String(res.status)})`,
+        res.status
+      );
     }
     const data = await res.json();
     const accessToken = data.access_token;
@@ -390,7 +397,7 @@ var login = async (email, password) => {
     }
     if (!userRes.ok) {
       const errorBody = await userRes.json().catch(() => ({}));
-      throw new AuthError(errorBody.msg || `Failed to fetch user data (${userRes.status})`, userRes.status);
+      throw new AuthError(errorBody.msg ?? `Failed to fetch user data (${String(userRes.status)})`, userRes.status);
     }
     const userData = await userRes.json();
     const user = toUser(userData);
@@ -426,7 +433,7 @@ var signup = async (email, password, data) => {
     }
     if (!res.ok) {
       const errorBody = await res.json().catch(() => ({}));
-      throw new AuthError(errorBody.msg || `Signup failed (${res.status})`, res.status);
+      throw new AuthError(errorBody.msg ?? `Signup failed (${String(res.status)})`, res.status);
     }
     const responseData = await res.json();
     const user = toUser(responseData);
@@ -580,7 +587,7 @@ var handleEmailChangeCallback = async (client, emailChangeToken) => {
   if (!emailChangeRes.ok) {
     const errorBody = await emailChangeRes.json().catch(() => ({}));
     throw new AuthError(
-      errorBody.msg || `Email change verification failed (${emailChangeRes.status})`,
+      errorBody.msg ?? `Email change verification failed (${String(emailChangeRes.status)})`,
       emailChangeRes.status
     );
   }
@@ -642,7 +649,7 @@ var toRoles = (appMeta) => {
 var toUser = (userData) => {
   const userMeta = userData.user_metadata ?? {};
   const appMeta = userData.app_metadata ?? {};
-  const name = userMeta.full_name || userMeta.name;
+  const name = userMeta.full_name ?? userMeta.name;
   const pictureUrl = userMeta.avatar_url;
   return {
     id: userData.id,
@@ -668,7 +675,7 @@ var toUser = (userData) => {
 var claimsToUser = (claims) => {
   const appMeta = claims.app_metadata ?? {};
   const userMeta = claims.user_metadata ?? {};
-  const name = userMeta.full_name || userMeta.name;
+  const name = userMeta.full_name ?? userMeta.name;
   const pictureUrl = userMeta.avatar_url;
   return {
     id: claims.sub ?? "",
@@ -740,7 +747,7 @@ var getUser = async () => {
   }
   triggerNextjsDynamic();
   const identityContext = globalThis.netlifyIdentityContext;
-  const serverJwt = identityContext?.token || getServerCookie(NF_JWT_COOKIE);
+  const serverJwt = identityContext?.token ?? getServerCookie(NF_JWT_COOKIE);
   if (serverJwt) {
     const identityUrl = resolveIdentityUrl();
     if (identityUrl) {
@@ -782,6 +789,18 @@ var getSettings = async () => {
   }
 };
 
+// src/csrf.ts
+var verifyRequestOrigin = (request, options) => {
+  const origin = request.headers.get("origin");
+  if (!origin) {
+    throw new AuthError("Cross-origin request refused: missing Origin header.", 403);
+  }
+  const allowed = options?.allowedOrigins ?? [new URL(request.url).origin];
+  if (!allowed.includes(origin)) {
+    throw new AuthError(`Cross-origin request refused: Origin ${origin} did not match an allowed origin.`, 403);
+  }
+};
+
 // src/account.ts
 var resolveCurrentUser = async () => {
   const client = getClient();
@@ -857,7 +876,7 @@ var verifyEmailChange = async (token) => {
     });
     if (!res.ok) {
       const errorBody = await res.json().catch(() => ({}));
-      throw new AuthError(errorBody.msg || `Email change verification failed (${res.status})`, res.status);
+      throw new AuthError(errorBody.msg ?? `Email change verification failed (${String(res.status)})`, res.status);
     }
     const userData = await res.json();
     const user = toUser(userData);
@@ -921,7 +940,10 @@ var adminFetch = async (path, options = {}) => {
   }
   if (!res.ok) {
     const errorBody = await res.json().catch(() => ({}));
-    throw new AuthError(errorBody.msg || `Admin request failed (${res.status})`, res.status);
+    throw new AuthError(
+      errorBody.msg ?? `Admin request failed (${String(res.status)})`,
+      res.status
+    );
   }
   return res;
 };
@@ -1010,6 +1032,6 @@ export {
   requestPasswordRecovery,
   signup,
   updateUser,
-  verifyEmailChange
+  verifyEmailChange,
+  verifyRequestOrigin
 };
-//# sourceMappingURL=index.js.map