@rebasepro/auth 0.0.1-canary.eae7889 → 0.1.0

package/dist/api.d.ts

@@ -20,9 +20,24 @@ export declare function register(email: string, password: string, displayName?:
  */
 export declare function login(email: string, password: string): Promise<AuthResponse>;
 /**
- * Login with Google ID token
+ * Google login payload — one of the three supported flows.
  */
-export declare function googleLogin(idToken: string): Promise<AuthResponse>;
+export type GoogleLoginPayload = {
+    idToken: string;
+} | {
+    accessToken: string;
+} | {
+    code: string;
+    redirectUri: string;
+};
+/**
+ * Login with Google.
+ *
+ * Overload 1 (legacy): `googleLogin("token", "idToken" | "accessToken")`
+ * Overload 2 (code flow): `googleLogin({ code, redirectUri })`
+ */
+export declare function googleLogin(payload: GoogleLoginPayload): Promise<AuthResponse>;
+export declare function googleLogin(token: string, tokenType?: "idToken" | "accessToken"): Promise<AuthResponse>;
 /**
  * Login with LinkedIn OAuth code
  */
@@ -126,7 +141,10 @@ export interface AuthConfigResponse {
 }
 /**
  * Fetch auth configuration / status from the backend
- * This is an unauthenticated endpoint used to detect bootstrap mode
+ * This is an unauthenticated endpoint used to detect bootstrap mode.
+ *
+ * Concurrent calls are deduplicated: only one network request is made
+ * and all callers share the same promise.
  */
 export declare function fetchAuthConfig(): Promise<AuthConfigResponse>;
 export { AuthApiError };

package/dist/components/RebaseLoginView.d.ts

@@ -49,3 +49,25 @@ export interface RebaseLoginViewProps {
  * Login view component for custom JWT authentication
  */
 export declare function RebaseLoginView({ logo, authController, noUserComponent, disableSignupScreen, disabled, notAllowedError, googleEnabled, googleClientId }: RebaseLoginViewProps): import("react/jsx-runtime").JSX.Element;
+/** Google Identity Services SDK — injected by the GIS <script> tag. */
+declare global {
+    interface Window {
+        google?: {
+            accounts: {
+                oauth2: {
+                    initCodeClient(config: {
+                        client_id: string;
+                        scope: string;
+                        ux_mode: "popup" | "redirect";
+                        callback: (response: {
+                            code?: string;
+                            error?: string;
+                        }) => void;
+                    }): {
+                        requestCode(): void;
+                    };
+                };
+            };
+        };
+    }
+}

package/dist/index.es.js

@@ -72,11 +72,12 @@ async function login(email, password) {
   });
   return handleResponse(response);
 }
-async function googleLogin(idToken) {
+async function googleLogin(tokenOrPayload, tokenType = "idToken") {
+  const body = typeof tokenOrPayload === "string" ? { [tokenType]: tokenOrPayload } : tokenOrPayload;
   const response = await fetchWithHandling(`${baseApiUrl}/api/auth/google`, {
     method: "POST",
     headers: { "Content-Type": "application/json" },
-    body: JSON.stringify({ idToken })
+    body: JSON.stringify(body)
   });
   return handleResponse(response);
 }
@@ -196,12 +197,23 @@ async function revokeAllSessions(accessToken) {
   });
   return handleResponse(response);
 }
+let authConfigInflight = null;
 async function fetchAuthConfig() {
-  const response = await fetchWithHandling(`${baseApiUrl}/api/auth/config`, {
-    method: "GET",
-    headers: { "Content-Type": "application/json" }
-  });
-  return handleResponse(response);
+  if (authConfigInflight) {
+    return authConfigInflight;
+  }
+  authConfigInflight = (async () => {
+    const response = await fetchWithHandling(`${baseApiUrl}/api/auth/config`, {
+      method: "GET",
+      headers: { "Content-Type": "application/json" }
+    });
+    return handleResponse(response);
+  })();
+  try {
+    return await authConfigInflight;
+  } finally {
+    authConfigInflight = null;
+  }
 }
 const STORAGE_KEY = "rebase_auth";
 const TOKEN_REFRESH_BUFFER_MS = 2 * 60 * 1e3;
@@ -412,6 +424,7 @@ function useRebaseAuthController(props = {}) {
     }
   }, [client, getAuthToken, refreshAccessToken$1, clearSessionAndSignOut]);
   const handleAuthSuccess = useCallback(async (userInfo, tokens) => {
+    console.log("[Auth] handleAuthSuccess called, user:", userInfo.email, "uid:", userInfo.uid);
     tokensRef.current = tokens;
     let convertedUser = convertToUser(userInfo);
     if (defineRolesFor) {
@@ -424,11 +437,13 @@ function useRebaseAuthController(props = {}) {
       }
     }
     saveAuthToStorage(tokens, userInfo);
+    console.log("[Auth] Calling setUser, roles:", convertedUser.roles);
     setUser(convertedUser);
     setAuthError(null);
     setAuthProviderError(null);
     setLoginSkipped(false);
     scheduleTokenRefresh(tokens);
+    console.log("[Auth] handleAuthSuccess completed");
   }, [scheduleTokenRefresh, defineRolesFor]);
   const emailPasswordLogin = useCallback(async (email, password) => {
     setAuthLoading(true);
@@ -456,11 +471,11 @@ function useRebaseAuthController(props = {}) {
       setAuthLoading(false);
     }
   }, [handleAuthSuccess]);
-  const googleLogin$1 = useCallback(async (idToken) => {
+  const googleLogin$1 = useCallback(async (tokenOrPayload, tokenType) => {
     setAuthLoading(true);
     setAuthProviderError(null);
     try {
-      const response = await googleLogin(idToken);
+      const response = typeof tokenOrPayload === "string" ? await googleLogin(tokenOrPayload, tokenType ?? "idToken") : await googleLogin(tokenOrPayload);
       await handleAuthSuccess(response.user, response.tokens);
     } catch (error) {
       setAuthProviderError(error);
@@ -795,6 +810,8 @@ function useBackendUserManagement(config) {
   const [loading, setLoading] = useState(true);
   const [usersError, setUsersError] = useState();
   const [rolesError, setRolesError] = useState();
+  const lastLoadedUidRef = useRef(null);
+  const apiRequestRef = useRef(null);
   const apiRequest = useCallback(async (endpoint, method = "GET", body, retryCount = 6, signal) => {
     let lastError = null;
     for (let attempt = 0; attempt < retryCount; attempt++) {
@@ -862,6 +879,7 @@ function useBackendUserManagement(config) {
     }
     throw lastError;
   }, [apiUrl, getAuthToken]);
+  apiRequestRef.current = apiRequest;
   useCallback(async (signal) => {
     try {
       const data = await apiRequest("/roles", "GET", void 0, 6, signal);
@@ -890,23 +908,43 @@ function useBackendUserManagement(config) {
       setLoading(false);
       return;
     }
+    if (lastLoadedUidRef.current === currentUser.uid) {
+      setLoading(false);
+      return;
+    }
     const abortController = new AbortController();
     const load = async () => {
       setLoading(true);
+      const request = apiRequestRef.current;
       try {
-        const data = await apiRequest("/roles", "GET", void 0, 6, abortController.signal);
+        const data = await request("/roles", "GET", void 0, 6, abortController.signal);
         setRoles(data.roles.map(convertRole));
         setRolesError(void 0);
       } catch (error) {
-        if (error instanceof Error && error.name !== "AbortError") {
-          console.error("Failed to load roles:", error);
-          setRolesError(error);
+        if (error instanceof Error && error.name === "AbortError") return;
+        console.error("Failed to load roles:", error);
+        setRolesError(error instanceof Error ? error : new Error(String(error)));
+        const status = error.status;
+        if (status === 403 || status === 401) {
+          setUsersError(error instanceof Error ? error : new Error(String(error)));
+          setLoading(false);
+          return;
         }
       }
       if (!abortController.signal.aborted) {
-        await loadUsers(abortController.signal);
+        try {
+          const data = await request("/users", "GET", void 0, 6, abortController.signal);
+          const allUsers = data.users.map((u) => convertUser(u));
+          setUsers(allUsers);
+          setUsersError(void 0);
+        } catch (error) {
+          if (error instanceof Error && error.name === "AbortError") return;
+          console.error("Failed to load users:", error);
+          setUsersError(error instanceof Error ? error : new Error(String(error)));
+        }
       }
       if (!abortController.signal.aborted) {
+        lastLoadedUidRef.current = currentUser.uid;
         setLoading(false);
       }
     };
@@ -914,7 +952,7 @@ function useBackendUserManagement(config) {
     return () => {
       abortController.abort();
     };
-  }, [currentUser, apiRequest, loadUsers]);
+  }, [currentUser?.uid]);
   const searchUsers = useCallback(async (options) => {
     const params = new URLSearchParams();
     if (options.limit !== void 0) params.set("limit", String(options.limit));
@@ -1115,7 +1153,7 @@ function RebaseLoginView({
     "div",
     {
       className: cls(
-        "relative flex items-center justify-center h-screen w-screen p-4 transition-opacity duration-500 bg-white dark:bg-surface-950",
+        "relative flex items-center justify-center h-screen w-screen p-4 transition-opacity duration-500 bg-white dark:bg-surface-900",
         fadeIn ? "opacity-100" : "opacity-0"
       ),
       children: [
@@ -1269,74 +1307,79 @@ function LoginButton({
     }
   );
 }
+const GoogleIcon = () => /* @__PURE__ */ jsxs("svg", { viewBox: "0 0 24 24", width: "20", height: "20", children: [
+  /* @__PURE__ */ jsx(
+    "path",
+    {
+      fill: "#4285F4",
+      d: "M22.56 12.25c0-.78-.07-1.53-.2-2.25H12v4.26h5.92c-.26 1.37-1.04 2.53-2.21 3.31v2.77h3.57c2.08-1.92 3.28-4.74 3.28-8.09z"
+    }
+  ),
+  /* @__PURE__ */ jsx(
+    "path",
+    {
+      fill: "#34A853",
+      d: "M12 23c2.97 0 5.46-.98 7.28-2.66l-3.57-2.77c-.98.66-2.23 1.06-3.71 1.06-2.86 0-5.29-1.93-6.16-4.53H2.18v2.84C3.99 20.53 7.7 23 12 23z"
+    }
+  ),
+  /* @__PURE__ */ jsx(
+    "path",
+    {
+      fill: "#FBBC05",
+      d: "M5.84 14.09c-.22-.66-.35-1.36-.35-2.09s.13-1.43.35-2.09V7.07H2.18C1.43 8.55 1 10.22 1 12s.43 3.45 1.18 4.93l2.85-2.22.81-.62z"
+    }
+  ),
+  /* @__PURE__ */ jsx(
+    "path",
+    {
+      fill: "#EA4335",
+      d: "M12 5.38c1.62 0 3.06.56 4.21 1.64l3.15-3.15C17.45 2.09 14.97 1 12 1 7.7 1 3.99 3.47 2.18 7.07l3.66 2.84c.87-2.6 3.3-4.53 6.16-4.53z"
+    }
+  )
+] });
 function GoogleLoginButton({
   disabled,
   googleClientId,
   authController
 }) {
-  const handleGoogleLogin = async () => {
-    try {
-      const google = window.google;
-      if (!google) {
-        console.error("Google Sign-In not loaded");
-        return;
-      }
-      google.accounts.id.initialize({
-        client_id: googleClientId,
-        callback: async (response) => {
-          try {
-            await authController.googleLogin(response.credential);
-          } catch (err) {
-            console.error("Google login error:", err);
-          }
+  const codeClientRef = useRef(null);
+  useEffect(() => {
+    const google = window.google;
+    if (!google || codeClientRef.current) return;
+    codeClientRef.current = google.accounts.oauth2.initCodeClient({
+      client_id: googleClientId,
+      scope: "openid email profile",
+      ux_mode: "popup",
+      callback: async (response) => {
+        if (response.error || !response.code) {
+          console.error("Google login error:", response.error);
+          return;
         }
-      });
-      google.accounts.id.prompt();
-    } catch (err) {
-      console.error("Google login error:", err);
+        try {
+          await authController.googleLogin({
+            code: response.code,
+            redirectUri: "postmessage"
+          });
+        } catch (err) {
+          console.error("Google login error:", err);
+        }
+      }
+    });
+  }, [googleClientId, authController]);
+  const handleClick = () => {
+    if (!codeClientRef.current) {
+      console.error("Google Sign-In not loaded");
+      return;
     }
+    codeClientRef.current.requestCode();
   };
   return /* @__PURE__ */ jsx(
-    Button,
+    LoginButton,
     {
       disabled,
-      className: "w-full",
-      variant: "outlined",
-      size: "large",
-      onClick: handleGoogleLogin,
-      children: /* @__PURE__ */ jsxs("div", { className: "flex items-center justify-center w-full gap-3 py-1", children: [
-        /* @__PURE__ */ jsxs("svg", { viewBox: "0 0 24 24", width: "20", height: "20", children: [
-          /* @__PURE__ */ jsx(
-            "path",
-            {
-              fill: "#4285F4",
-              d: "M22.56 12.25c0-.78-.07-1.53-.2-2.25H12v4.26h5.92c-.26 1.37-1.04 2.53-2.21 3.31v2.77h3.57c2.08-1.92 3.28-4.74 3.28-8.09z"
-            }
-          ),
-          /* @__PURE__ */ jsx(
-            "path",
-            {
-              fill: "#34A853",
-              d: "M12 23c2.97 0 5.46-.98 7.28-2.66l-3.57-2.77c-.98.66-2.23 1.06-3.71 1.06-2.86 0-5.29-1.93-6.16-4.53H2.18v2.84C3.99 20.53 7.7 23 12 23z"
-            }
-          ),
-          /* @__PURE__ */ jsx(
-            "path",
-            {
-              fill: "#FBBC05",
-              d: "M5.84 14.09c-.22-.66-.35-1.36-.35-2.09s.13-1.43.35-2.09V7.07H2.18C1.43 8.55 1 10.22 1 12s.43 3.45 1.18 4.93l2.85-2.22.81-.62z"
-            }
-          ),
-          /* @__PURE__ */ jsx(
-            "path",
-            {
-              fill: "#EA4335",
-              d: "M12 5.38c1.62 0 3.06.56 4.21 1.64l3.15-3.15C17.45 2.09 14.97 1 12 1 7.7 1 3.99 3.47 2.18 7.07l3.66 2.84c.87-2.6 3.3-4.53 6.16-4.53z"
-            }
-          )
-        ] }),
-        /* @__PURE__ */ jsx(Typography, { variant: "button", children: "Continue with Google" })
-      ] })
+      text: "Sign in with Google",
+      icon: /* @__PURE__ */ jsx(GoogleIcon, {}),
+      onClick: handleClick
     }
   );
 }
@@ -1457,6 +1500,7 @@ function LoginForm({
       {
         type: "submit",
         variant: "filled",
+        color: "primary",
         className: "w-full mt-1",
         size: "large",
         loading: authController.authLoading,
@@ -1578,6 +1622,7 @@ function ForgotPasswordForm({
       {
         type: "submit",
         variant: "filled",
+        color: "primary",
         className: "w-full",
         size: "large",
         loading: authController.authLoading,
@@ -1605,14 +1650,12 @@ function createUserManagementAdminViews({ userManagement, apiUrl, getAuthToken,
     {
       slug: "dev/users",
       name: "CMS Users",
-      group: "Admin",
       icon: "face",
       view: /* @__PURE__ */ jsx(UsersView, { userManagement, apiUrl, getAuthToken })
     },
     {
       slug: "dev/roles",
       name: "Roles",
-      group: "Admin",
       icon: "gpp_good",
       view: /* @__PURE__ */ jsx(RolesView, { userManagement, collections })
     }
@@ -1633,6 +1676,7 @@ function RoleChip({ role }) {
 }
 function UsersView({ userManagement, apiUrl, getAuthToken }) {
   const { users, roles, saveUser, deleteUser, loading } = userManagement;
+  const usersError = "usersError" in userManagement ? userManagement.usersError : void 0;
   const snackbarController = useSnackbarController();
   const { user: loggedInUser } = useAuthController();
   const [dialogOpen, setDialogOpen] = useState(false);
@@ -1752,7 +1796,10 @@ function UsersView({ userManagement, apiUrl, getAuthToken }) {
             return role ? /* @__PURE__ */ jsx(RoleChip, { role }, roleId) : /* @__PURE__ */ jsx("span", { children: roleId }, roleId);
           }) }) })
         ] }, user.uid)),
-        users.length === 0 && /* @__PURE__ */ jsx(TableRow, { children: /* @__PURE__ */ jsx(TableCell, { colspan: 4, children: /* @__PURE__ */ jsx(CenteredView, { className: "flex flex-col gap-4 my-8 items-center", children: /* @__PURE__ */ jsx(Typography, { variant: "label", children: "There are no users yet" }) }) }) })
+        users.length === 0 && /* @__PURE__ */ jsx(TableRow, { children: /* @__PURE__ */ jsx(TableCell, { colspan: 4, children: /* @__PURE__ */ jsxs(CenteredView, { className: "flex flex-col gap-4 my-8 items-center", children: [
+          /* @__PURE__ */ jsx(Typography, { variant: "label", children: usersError ? "You don't have permission to view users" : "There are no users yet" }),
+          usersError && /* @__PURE__ */ jsx(Typography, { variant: "caption", className: "text-surface-500", children: "Contact an administrator if you need access to this section." })
+        ] }) }) })
       ] })
     ] }) }),
     /* @__PURE__ */ jsx(
@@ -1909,6 +1956,7 @@ function UserDetailsForm({
 }
 function RolesView({ userManagement, collections = [] }) {
   const { roles, saveRole, deleteRole, loading, allowDefaultRolesCreation } = userManagement;
+  const rolesError = "rolesError" in userManagement ? userManagement.rolesError : void 0;
   const snackbarController = useSnackbarController();
   const [dialogOpen, setDialogOpen] = useState(false);
   const [selectedRole, setSelectedRole] = useState();
@@ -2001,8 +2049,9 @@ function RolesView({ userManagement, collections = [] }) {
           ] }, role.id);
         }),
         roles.length === 0 && /* @__PURE__ */ jsx(TableRow, { children: /* @__PURE__ */ jsx(TableCell, { colspan: 4, children: /* @__PURE__ */ jsxs(CenteredView, { className: "flex flex-col gap-4 my-8 items-center", children: [
-          /* @__PURE__ */ jsx(Typography, { variant: "label", children: "You don't have any roles yet." }),
-          allowDefaultRolesCreation && /* @__PURE__ */ jsx(Button, { onClick: createDefaultRoles, children: "Create default roles" })
+          /* @__PURE__ */ jsx(Typography, { variant: "label", children: rolesError ? "You don't have permission to view roles" : "You don&apos;t have any roles yet." }),
+          rolesError && /* @__PURE__ */ jsx(Typography, { variant: "caption", className: "text-surface-500", children: "Contact an administrator if you need access to this section." }),
+          !rolesError && allowDefaultRolesCreation && /* @__PURE__ */ jsx(Button, { onClick: createDefaultRoles, children: "Create default roles" })
         ] }) }) })
       ] })
     ] }) }),