@pylonsync/sync 0.3.140 → 0.3.144

package/package.json

@@ -3,7 +3,7 @@
   "publishConfig": {
     "access": "public"
   },
-  "version": "0.3.140",
+  "version": "0.3.144",
   "type": "module",
   "main": "src/index.ts",
   "types": "src/index.ts",

package/src/index.ts

@@ -1113,6 +1113,19 @@ export class SyncEngine {
           return;
         }
 
+        // Session mutated server-side. Fires for select-org / clear-org
+        // / session revoke — every tab connected as this user gets the
+        // envelope (cross-machine too via the cluster bus). Trigger
+        // a fresh /api/auth/me read which updates the cached session
+        // AND, on tenant flip, resets the replica so stale rows from
+        // the previous tenant disappear. App code calling
+        // /api/auth/select-org via raw fetch no longer needs the
+        // manual `notifySessionChanged()` step.
+        if (msg.type === "session-changed") {
+          void this.refreshResolvedSession();
+          return;
+        }
+
         // Reactive query push: the server-side ReactiveRegistry re-ran
         // a subscribed handler and the result hash changed. Route to
         // the handler registered by `subscribeReactive` so the React
@@ -1679,15 +1692,109 @@ export class SyncEngine {
   }
 
   /**
-   * Public alias for `refreshResolvedSession`. Call after anything that
-   * mutates the server session (sign-in, sign-out, `/api/auth/select-org`)
-   * so the cached session and React subscribers pick up the change without
-   * waiting for the next pull.
+   * Public alias for `refreshResolvedSession`. Almost never needed by
+   * app code today — the server pushes a `session-changed` envelope
+   * over WS whenever the session is mutated (select-org, clear-org,
+   * session revoke, even from other tabs / admin tools / server
+   * actions), and the engine's WS handler refreshes automatically.
+   *
+   * Kept as an escape hatch for the rare case where you mutated the
+   * session via a path that doesn't go through the framework's auth
+   * surface (e.g. directly writing to the SessionStore from a Rust
+   * plugin that bypassed `notify_session_changed`).
+   *
+   * The `selectOrg` / `clearOrg` / `signOut` helpers below remain as
+   * convenience wrappers that combine the HTTP call with an immediate
+   * local refresh — useful when the same tab needs the new state
+   * before the WS round-trip lands.
    */
   notifySessionChanged(): Promise<void> {
     return this.refreshResolvedSession();
   }
 
+  /**
+   * Switch the caller's active tenant (organization) and refresh the
+   * resolved session in one shot. Membership is verified server-side
+   * (POST /api/auth/select-org throws 403 if the user isn't a member
+   * of the target org), and the engine's local replica resets so
+   * `db.useQuery` stops returning the previous tenant's rows.
+   *
+   * Throws on any non-2xx response. The error carries the
+   * server-issued JSON error body when available, so callers can
+   * branch on `err.code === "NOT_A_MEMBER"` etc.
+   */
+  async selectOrg(orgId: string): Promise<void> {
+    await this.authMutate("/api/auth/select-org", { orgId });
+    await this.refreshResolvedSession();
+  }
+
+  /**
+   * Drop the caller's active tenant — back to the "no active org"
+   * state typical of a login-lobby route. Refreshes the resolved
+   * session so React subscribers re-render with `tenantId: null`.
+   */
+  async clearOrg(): Promise<void> {
+    await this.authMutate("/api/auth/select-org", { orgId: null });
+    await this.refreshResolvedSession();
+  }
+
+  /**
+   * Revoke the current session server-side (DELETE /api/auth/session)
+   * and refresh — leaves the caller anonymous. Local sync stops on
+   * the next pull cycle; replica content stays in IndexedDB so a
+   * subsequent sign-in as the same user is instant.
+   */
+  async signOut(): Promise<void> {
+    await this.authMutate("/api/auth/session", undefined, "DELETE");
+    await this.refreshResolvedSession();
+  }
+
+  /** Shared transport for the auth helpers above. Same bearer/cookie
+   *  policy as `request()` — keeps the auth flows on the same
+   *  authentication footing as data sync. */
+  private async authMutate(
+    path: string,
+    body?: unknown,
+    method = "POST",
+  ): Promise<unknown> {
+    const headers: Record<string, string> = {};
+    if (body !== undefined) headers["Content-Type"] = "application/json";
+    const token =
+      this.config.token ??
+      this.storage.get(this.tokenStorageKey()) ??
+      undefined;
+    if (token) headers["Authorization"] = `Bearer ${token}`;
+    const res = await fetch(`${this.config.baseUrl}${path}`, {
+      method,
+      headers,
+      credentials: "include",
+      body: body !== undefined ? JSON.stringify(body) : undefined,
+    });
+    const text = await res.text();
+    let parsed: unknown = null;
+    if (text) {
+      try {
+        parsed = JSON.parse(text);
+      } catch {
+        // Server returned non-JSON (HTML error page from a proxy,
+        // empty 204, etc.) — fall through; the !res.ok branch will
+        // synthesise a useful Error from the status.
+      }
+    }
+    if (!res.ok) {
+      const err = new Error(
+        (parsed as { error?: { message?: string } } | null)?.error?.message ??
+          `${method} ${path} failed: ${res.status}`,
+      ) as Error & { status?: number; code?: string };
+      err.status = res.status;
+      const code = (parsed as { error?: { code?: string } } | null)?.error
+        ?.code;
+      if (code) err.code = code;
+      throw err;
+    }
+    return parsed;
+  }
+
   /**
    * In-flight push promise. Used as a mutex so a slow push can't be restarted
    * by the poll timer or a user mutation, which would resend the same batch