@persql/sdk 1.3.0 → 1.4.1

package/dist/cli.cjs

@@ -177,6 +177,96 @@ function runOne(db, sql, params) {
   };
 }
 
+// src/connect.ts
+async function createAuthorizeUrl(opts) {
+  const base = (opts.baseURL ?? "https://api.persql.com").replace(/\/$/, "");
+  const codeVerifier = opts.codeVerifier ?? randomUrlBytes(32);
+  const state = opts.state ?? randomUrlBytes(16);
+  const challenge = await sha256Base64Url(codeVerifier);
+  const params = new URLSearchParams({
+    response_type: "code",
+    client_id: opts.clientId,
+    redirect_uri: opts.redirectUri,
+    scope: opts.scope ?? "database",
+    code_challenge: challenge,
+    code_challenge_method: "S256",
+    state
+  });
+  return { url: `${base}/oauth/authorize?${params.toString()}`, codeVerifier, state };
+}
+async function exchangeAuthorizationCode(opts) {
+  const base = (opts.baseURL ?? "https://api.persql.com").replace(/\/$/, "");
+  const fetcher = opts.fetch ?? globalThis.fetch?.bind(globalThis);
+  if (!fetcher) throw new Error("PerSQL connect: no fetch available \u2014 pass { fetch }.");
+  const body = new URLSearchParams({
+    grant_type: "authorization_code",
+    code: opts.code,
+    client_id: opts.clientId,
+    redirect_uri: opts.redirectUri,
+    code_verifier: opts.codeVerifier
+  });
+  if (opts.clientSecret) body.set("client_secret", opts.clientSecret);
+  const res = await fetcher(`${base}/oauth/token`, {
+    method: "POST",
+    headers: { "Content-Type": "application/x-www-form-urlencoded" },
+    body: body.toString()
+  });
+  const json = await res.json().catch(() => null);
+  if (!res.ok || !json?.access_token || !json.database) {
+    throw new Error(
+      json?.error_description ?? json?.error ?? `PerSQL connect: token exchange failed (${res.status})`
+    );
+  }
+  return {
+    accessToken: json.access_token,
+    database: json.database,
+    apiUrl: json.api_url ?? base,
+    scope: json.scope ?? "",
+    idToken: json.id_token,
+    userEmail: json.user_email
+  };
+}
+function getCrypto() {
+  const c = globalThis.crypto;
+  if (!c?.getRandomValues) {
+    throw new Error(
+      'PerSQL connect: Web Crypto is unavailable. In bare React Native, import "react-native-get-random-values" and a Web Crypto SHA-256 polyfill, or exchange the code on your server.'
+    );
+  }
+  return c;
+}
+function randomUrlBytes(n) {
+  const bytes = new Uint8Array(n);
+  getCrypto().getRandomValues(bytes);
+  return base64url(bytes);
+}
+async function sha256Base64Url(input) {
+  const c = getCrypto();
+  if (!c.subtle) {
+    throw new Error(
+      "PerSQL connect: crypto.subtle is unavailable (needed for PKCE S256). Polyfill Web Crypto, or exchange the code on your server."
+    );
+  }
+  const digest = await c.subtle.digest("SHA-256", new TextEncoder().encode(input));
+  return base64url(new Uint8Array(digest));
+}
+var B64URL = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_";
+function base64url(bytes) {
+  let out = "";
+  for (let i = 0; i < bytes.length; i += 3) {
+    const b0 = bytes[i];
+    const b1 = bytes[i + 1];
+    const b2 = bytes[i + 2];
+    out += B64URL[b0 >> 2];
+    out += B64URL[(b0 & 3) << 4 | (b1 ?? 0) >> 4];
+    if (b1 === void 0) break;
+    out += B64URL[(b1 & 15) << 2 | (b2 ?? 0) >> 6];
+    if (b2 === void 0) break;
+    out += B64URL[b2 & 63];
+  }
+  return out;
+}
+
 // src/index.ts
 var PerSQLError = class extends Error {
   status;
@@ -286,6 +376,38 @@ var PerSQL = class _PerSQL {
     const client = new _PerSQL({ token: plaintext, baseURL, fetch: opts.fetch });
     return Object.assign(client, { handedOff });
   }
+  /**
+   * Step 1 of the `database`-scope sign-in (user-owned app databases):
+   * build the `/oauth/authorize` URL plus the PKCE verifier + state to
+   * keep. Open `url` in a browser / in-app browser / Expo AuthSession,
+   * then call {@link PerSQL.completeConnect} with the returned `code`.
+   *
+   *   const req = await PerSQL.beginConnect({
+   *     clientId, redirectUri, scope: "openid database",
+   *   });
+   *   // open req.url, capture { code, state }; verify state === req.state
+   */
+  static beginConnect(opts) {
+    return createAuthorizeUrl(opts);
+  }
+  /**
+   * Step 2: exchange the redirect's `code` for a scoped database token and
+   * get back a ready client. The granted database is on `.grant.database`.
+   *
+   *   const persql = await PerSQL.completeConnect({
+   *     clientId, redirectUri, code, codeVerifier: req.codeVerifier,
+   *   });
+   *   const db = persql.database(persql.grant.database);
+   */
+  static async completeConnect(opts) {
+    const grant = await exchangeAuthorizationCode(opts);
+    const client = new _PerSQL({
+      token: grant.accessToken,
+      baseURL: grant.apiUrl,
+      fetch: opts.fetch
+    });
+    return Object.assign(client, { grant });
+  }
   database(a, b) {
     if (b !== void 0) return new PerSQLDatabase(this, a, b);
     const [ns, slug] = a.split("/");
@@ -450,6 +572,16 @@ var PerSQLDatabases = class {
     }
     return { data: body.data ?? [], nextCursor: body.nextCursor ?? null };
   }
+  /** Delete a database by slug. Requires an admin-role unscoped token. */
+  async delete(slug) {
+    if (this.client.local) {
+      throw new Error("PerSQL: databases.delete() needs a server-mode token.");
+    }
+    return this.client.request(
+      "DELETE",
+      `/v1/databases/${encodeURIComponent(slug)}`
+    );
+  }
 };
 var PerSQLDatabase = class {
   constructor(client, namespace, slug) {