@rebasepro/auth 0.2.1 → 0.2.4

package/src/hooks/useBackendUserManagement.ts

@@ -7,6 +7,7 @@ import { Role, User } from "@rebasepro/types";
  */
 export interface UserManagement<USER extends User = User> {
     loading: boolean;
+    hasAdminUsers?: boolean;
 
     users: USER[];
     saveUser: (user: USER) => Promise<USER>;
@@ -28,7 +29,6 @@ export interface UserManagement<USER extends User = User> {
 
     isAdmin?: boolean;
     allowDefaultRolesCreation?: boolean;
-    includeCollectionConfigPermissions?: boolean;
     defineRolesFor: (user: User) => Promise<Role[] | undefined> | Role[] | undefined;
     getUser: (uid: string) => User | null;
 
@@ -55,7 +55,7 @@ export interface BackendUserManagementConfig {
     /**
      * The Rebase Client instance
      */
-    client?: any;
+    client?: { baseUrl?: string; resolveToken?: () => Promise<string | null> };
 
     /**
      * Base API URL for the backend (optional, extracted from client if not provided)
@@ -87,13 +87,17 @@ interface ApiRole {
     id: string;
     name: string;
     isAdmin?: boolean;
-    config?: Record<string, any>;
 }
 
+/** Response shapes from the admin API */
+interface ApiRolesResponse { roles: ApiRole[] }
+interface ApiUsersResponse { users: ApiUser[]; total: number }
+interface ApiUserResponse { user: ApiUser; invitationSent?: boolean; temporaryPassword?: string }
+interface ApiRoleResponse { role: ApiRole }
+
 /**
  * Convert API user to Rebase User
  * @param apiUser - The API user object
- * @param availableRoles - Optional array of available roles to look up names
  */
 function convertUser(apiUser: ApiUser): User {
     return {
@@ -115,8 +119,7 @@ function convertRole(apiRole: ApiRole): Role {
     return {
         id: apiRole.id,
         name: apiRole.name,
-        isAdmin: apiRole.isAdmin ?? false,
-        config: apiRole.config ?? undefined
+        isAdmin: apiRole.isAdmin ?? false
     };
 }
 
@@ -127,11 +130,19 @@ function convertRole(apiRole: ApiRole): Role {
 export function useBackendUserManagement(config: BackendUserManagementConfig): UserManagement {
     const { client, apiUrl, getAuthToken, currentUser } = config;
 
-    // We no longer load ALL users into memory.
-    // `users` now only holds admin/role-bearing users for getUser/defineRolesFor lookups.
-    const [users, setUsers] = useState<User[]>([]);
+    // Lazy user cache — populated on demand from search results, saves, and
+    // individual API lookups.  We never load ALL users into memory.
+    const [userCache, setUserCache] = useState<Map<string, User>>(new Map());
+    const [hasAdminUsers, setHasAdminUsers] = useState(false);
     const [roles, setRoles] = useState<Role[]>([]);
-    const [loading, setLoading] = useState(true);
+    const userRoles = currentUser?.roles ?? [];
+    const isUserAdmin = userRoles.some(r => r === "admin" || r === "schema-admin");
+
+    const [loading, setLoading] = useState(() => {
+        if (!currentUser) return false;
+        if (!isUserAdmin) return false;
+        return true;
+    });
     const [usersError, setUsersError] = useState<Error | undefined>();
     const [rolesError, setRolesError] = useState<Error | undefined>();
 
@@ -139,6 +150,19 @@ export function useBackendUserManagement(config: BackendUserManagementConfig): U
     // Prevents redundant refetches on React StrictMode double-mounts.
     const lastLoadedUidRef = useRef<string | null>(null);
 
+    const effectiveLoading = loading || !!(currentUser && isUserAdmin && lastLoadedUidRef.current !== currentUser.uid);
+
+    /** Merge one or more users into the cache without replacing the whole Map. */
+    const mergeIntoCache = useCallback((incoming: User[]) => {
+        setUserCache(prev => {
+            const next = new Map(prev);
+            for (const u of incoming) {
+                next.set(u.uid, u);
+            }
+            return next;
+        });
+    }, []);
+
     // Ref to hold the latest apiRequest so the initial-load effect doesn't
     // re-trigger every time the callback identity changes.
     const apiRequestRef = useRef<typeof apiRequest | null>(null);
@@ -146,13 +170,13 @@ export function useBackendUserManagement(config: BackendUserManagementConfig): U
     /**
      * Make authenticated API request
      */
-    const apiRequest = useCallback(async (
+    const apiRequest = useCallback(async <T = Record<string, unknown>>(
         endpoint: string,
         method = "GET",
         body?: Record<string, unknown>,
         retryCount = 6,
         signal?: AbortSignal
-    ): Promise<any> => {
+    ): Promise<T> => {
         let lastError: Error | null = null;
         for (let attempt = 0; attempt < retryCount; attempt++) {
             if (signal?.aborted) {
@@ -163,7 +187,7 @@ export function useBackendUserManagement(config: BackendUserManagementConfig): U
 
             try {
                 // Determine token provider
-                const token = getAuthToken ? await getAuthToken() : (client ? await client.resolveToken() : null);
+                const token = getAuthToken ? await getAuthToken() : (client?.resolveToken ? await client.resolveToken() : null);
                 const baseUrl = apiUrl || (client?.baseUrl ? client.baseUrl : "");
 
                 // Use /api/admin prefix for admin endpoints
@@ -242,7 +266,7 @@ export function useBackendUserManagement(config: BackendUserManagementConfig): U
      */
     const loadRoles = useCallback(async (signal?: AbortSignal) => {
         try {
-            const data = await apiRequest("/roles", "GET", undefined, 6, signal);
+            const data = await apiRequest<ApiRolesResponse>("/roles", "GET", undefined, 6, signal);
             setRoles(data.roles.map(convertRole));
             setRolesError(undefined);
         } catch (error: unknown) {
@@ -253,21 +277,25 @@ export function useBackendUserManagement(config: BackendUserManagementConfig): U
     }, [apiRequest]);
 
     /**
-     * Load users for getUser/defineRolesFor lookups and for UserSelect dropdowns.
+     * Lightweight admin-existence check: fetch a single admin user.
+     * Used by the BootstrapAdminBanner to decide whether to show.
      */
-    const loadUsers = useCallback(async (signal?: AbortSignal) => {
+    const checkAdminExists = useCallback(async (signal?: AbortSignal) => {
         try {
-            // Load all users to satisfy Rebase CMS UserSelect field bindings
-            const data = await apiRequest("/users", "GET", undefined, 6, signal);
-            const allUsers: User[] = data.users.map((u: ApiUser) => convertUser(u));
-            setUsers(allUsers);
+            const data = await apiRequest<ApiUsersResponse>("/users?role=admin&limit=1", "GET", undefined, 6, signal);
+            const adminUsers: User[] = data.users.map((u: ApiUser) => convertUser(u));
+            setHasAdminUsers(adminUsers.length > 0);
+            // Also cache these admin users for getUser lookups
+            if (adminUsers.length > 0) {
+                mergeIntoCache(adminUsers);
+            }
             setUsersError(undefined);
         } catch (error: unknown) {
             if (error instanceof Error && error.name === "AbortError") return;
-            console.error("Failed to load users:", error);
+            console.error("Failed to check admin users:", error);
             setUsersError(error instanceof Error ? error : new Error(String(error)));
         }
-    }, [apiRequest]);
+    }, [apiRequest, mergeIntoCache]);
 
     /**
      * Initial data load - only when user is logged in
@@ -308,7 +336,7 @@ export function useBackendUserManagement(config: BackendUserManagementConfig): U
 
             // Load roles first
             try {
-                const data = await request("/roles", "GET", undefined, 6, abortController.signal);
+                const data = await request<ApiRolesResponse>("/roles", "GET", undefined, 6, abortController.signal);
                 setRoles(data.roles.map(convertRole));
                 setRolesError(undefined);
             } catch (error: unknown) {
@@ -316,9 +344,9 @@ export function useBackendUserManagement(config: BackendUserManagementConfig): U
                 console.error("Failed to load roles:", error);
                 setRolesError(error instanceof Error ? error : new Error(String(error)));
 
-                // If the error is a permission issue (e.g. 403), skip loading
-                // users — they will fail with the same error and we'd show a
-                // duplicate snackbar / error message.
+                // If the error is a permission issue (e.g. 403), skip the
+                // admin check — it will fail with the same error and we'd
+                // show a duplicate snackbar / error message.
                 const status = (error as { status?: number }).status;
                 if (status === 403 || status === 401) {
                     setUsersError(error instanceof Error ? error : new Error(String(error)));
@@ -327,16 +355,19 @@ export function useBackendUserManagement(config: BackendUserManagementConfig): U
                 }
             }
 
-            // Then load all users if not aborted
+            // Lightweight admin-existence check (NOT loading all users)
             if (!abortController.signal.aborted) {
                 try {
-                    const data = await request("/users", "GET", undefined, 6, abortController.signal);
-                    const allUsers: User[] = data.users.map((u: ApiUser) => convertUser(u));
-                    setUsers(allUsers);
+                    const data = await request<ApiUsersResponse>("/users?role=admin&limit=1", "GET", undefined, 6, abortController.signal);
+                    const adminUsers: User[] = data.users.map((u: ApiUser) => convertUser(u));
+                    setHasAdminUsers(adminUsers.length > 0);
+                    if (adminUsers.length > 0) {
+                        mergeIntoCache(adminUsers);
+                    }
                     setUsersError(undefined);
                 } catch (error: unknown) {
                     if (error instanceof Error && error.name === "AbortError") return;
-                    console.error("Failed to load users:", error);
+                    console.error("Failed to check admin users:", error);
                     setUsersError(error instanceof Error ? error : new Error(String(error)));
                 }
             }
@@ -357,6 +388,7 @@ export function useBackendUserManagement(config: BackendUserManagementConfig): U
     /**
      * Search users with server-side pagination.
      * This is the primary method used by the UsersView table.
+     * Results are also merged into the cache for getUser lookups.
      */
     const searchUsers = useCallback(async (options: {
         search?: string;
@@ -375,44 +407,31 @@ export function useBackendUserManagement(config: BackendUserManagementConfig): U
         if (options.roleId) params.set("role", options.roleId);
         const qs = params.toString();
 
-        const data = await apiRequest("/users" + (qs ? "?" + qs : ""), "GET");
+        const data = await apiRequest<ApiUsersResponse>("/users" + (qs ? "?" + qs : ""), "GET");
+        const converted = data.users.map((u: ApiUser) => convertUser(u));
+        // Feed search results into cache for getUser/defineRolesFor
+        mergeIntoCache(converted);
         return {
-            users: data.users.map((u: ApiUser) => convertUser(u)),
+            users: converted,
             total: data.total
         };
-    }, [apiRequest]);
+    }, [apiRequest, mergeIntoCache]);
 
     /**
-     * Save user (create or update)
+     * Save user (update existing user)
      */
     const saveUser = useCallback(async (user: User): Promise<User> => {
         const roleIds = user.roles ?? [];
 
-        // Check if user exists
-        const existingUser = users.find(u => u.uid === user.uid);
-
-        if (existingUser) {
-            // Update
-            const data = await apiRequest(`/users/${user.uid}`, "PUT", {
-                email: user.email,
-                displayName: user.displayName,
-                roles: roleIds
-            });
-            const updated = convertUser(data.user);
-            setUsers(prev => prev.map(u => u.uid === updated.uid ? updated : u));
-            return updated;
-        } else {
-            // Create
-            const data = await apiRequest("/users", "POST", {
-                email: user.email,
-                displayName: user.displayName,
-                roles: roleIds
-            });
-            const created = convertUser(data.user);
-            setUsers(prev => [...prev, created]);
-            return created;
-        }
-    }, [apiRequest, users, roles]);
+        const data = await apiRequest<ApiUserResponse>(`/users/${user.uid}`, "PUT", {
+            email: user.email,
+            displayName: user.displayName,
+            roles: roleIds
+        });
+        const updated = convertUser(data.user);
+        mergeIntoCache([updated]);
+        return updated;
+    }, [apiRequest, mergeIntoCache]);
 
     /**
      * Create a new user with invitation/password generation support.
@@ -425,20 +444,19 @@ export function useBackendUserManagement(config: BackendUserManagementConfig): U
     }> => {
         const roleIds = user.roles ?? [];
 
-        const data = await apiRequest("/users", "POST", {
+        const data = await apiRequest<ApiUserResponse>("/users", "POST", {
             email: user.email,
             displayName: user.displayName,
             roles: roleIds
         });
         const created = convertUser(data.user);
-        // Add to users cache
-        setUsers(prev => [...prev, created]);
+        mergeIntoCache([created]);
         return {
             user: created,
             invitationSent: data.invitationSent ?? false,
             temporaryPassword: data.temporaryPassword
         };
-    }, [apiRequest, roles]);
+    }, [apiRequest, mergeIntoCache]);
 
     /**
      * Reset the password for an existing user
@@ -448,22 +466,26 @@ export function useBackendUserManagement(config: BackendUserManagementConfig): U
         invitationSent: boolean;
         temporaryPassword?: string;
     }> => {
-        const data = await apiRequest(`/users/${user.uid}/reset-password`, "POST");
+        const data = await apiRequest<ApiUserResponse>(`/users/${user.uid}/reset-password`, "POST");
         const updatedUser = convertUser(data.user);
-        setUsers(prev => prev.map(u => u.uid === updatedUser.uid ? updatedUser : u));
+        mergeIntoCache([updatedUser]);
         return {
             user: updatedUser,
             invitationSent: data.invitationSent ?? false,
             temporaryPassword: data.temporaryPassword
         };
-    }, [apiRequest]);
+    }, [apiRequest, mergeIntoCache]);
 
     /**
      * Delete user
      */
     const deleteUser = useCallback(async (user: User): Promise<void> => {
         await apiRequest(`/users/${user.uid}`, "DELETE");
-        setUsers(prev => prev.filter(u => u.uid !== user.uid));
+        setUserCache(prev => {
+            const next = new Map(prev);
+            next.delete(user.uid);
+            return next;
+        });
     }, [apiRequest]);
 
     /**
@@ -475,20 +497,18 @@ export function useBackendUserManagement(config: BackendUserManagementConfig): U
 
         if (existingRole) {
             // Update
-            const data = await apiRequest(`/roles/${role.id}`, "PUT", {
+            const data = await apiRequest<ApiRoleResponse>(`/roles/${role.id}`, "PUT", {
                 name: role.name,
-                isAdmin: role.isAdmin,
-                config: role.config
+                isAdmin: role.isAdmin
             });
             const updated = convertRole(data.role);
             setRoles(prev => prev.map(r => r.id === updated.id ? updated : r));
         } else {
             // Create
-            const data = await apiRequest("/roles", "POST", {
+            const data = await apiRequest<ApiRoleResponse>("/roles", "POST", {
                 id: role.id,
                 name: role.name,
-                isAdmin: role.isAdmin ?? false,
-                config: role.config
+                isAdmin: role.isAdmin ?? false
             });
             const created = convertRole(data.role);
             setRoles(prev => [...prev, created]);
@@ -507,21 +527,32 @@ export function useBackendUserManagement(config: BackendUserManagementConfig): U
      * Get user by uid
      */
     const getUser = useCallback((uid: string): User | null => {
-        return users.find(u => u.uid === uid) ?? null;
-    }, [users]);
+        return userCache.get(uid) ?? null;
+    }, [userCache]);
 
     /**
      * Define roles for a given user (for authController)
      */
     const defineRolesFor = useCallback(async (user: User): Promise<Role[] | undefined> => {
-        // Find the user in our list
-        const existingUser = users.find(u => u.uid === user.uid || u.email === user.email);
-        if (!existingUser) return undefined;
+        // Check cache first
+        let existingUser = userCache.get(user.uid)
+            ?? Array.from(userCache.values()).find(u => u.email === user.email);
+
+        // If not cached, fetch from API
+        if (!existingUser) {
+            try {
+                const data = await apiRequest<ApiUserResponse>(`/users/${user.uid}`, "GET");
+                existingUser = convertUser(data.user);
+                mergeIntoCache([existingUser]);
+            } catch {
+                return undefined;
+            }
+        }
 
         // Return roles from our cached role data (string IDs → full Role objects)
         const userRoleIds = existingUser.roles ?? [];
         return roles.filter(r => userRoleIds.includes(r.id));
-    }, [users, roles]);
+    }, [userCache, roles, apiRequest, mergeIntoCache]);
 
     /**
      * Check if current user is admin
@@ -535,20 +566,25 @@ export function useBackendUserManagement(config: BackendUserManagementConfig): U
     const bootstrapAdmin = useCallback(async (): Promise<void> => {
         try {
             await apiRequest("/bootstrap", "POST");
-            // Reload users and roles after successful bootstrap
-            const data = await apiRequest("/roles");
+            // Reload roles and re-check admin existence after successful bootstrap
+            const data = await apiRequest<ApiRolesResponse>("/roles");
             const loadedRoles = data.roles.map(convertRole);
             setRoles(loadedRoles);
-            await loadUsers();
+            await checkAdminExists();
         } catch (error) {
             console.error("Failed to bootstrap admin:", error);
             throw error;
         }
-    }, [apiRequest, loadUsers]);
+    }, [apiRequest, checkAdminExists]);
+
+    // Expose cached users as an array for backward compat (BootstrapAdminBanner,
+    // UsersView fallback).  This is NOT the full user list — just the cache.
+    const users = Array.from(userCache.values());
 
     return {
-        loading,
+        loading: effectiveLoading,
         users,
+        hasAdminUsers,
         saveUser,
         createUser,
         resetPassword,
@@ -558,7 +594,6 @@ export function useBackendUserManagement(config: BackendUserManagementConfig): U
         deleteRole,
         isAdmin,
         allowDefaultRolesCreation: isAdmin,
-        includeCollectionConfigPermissions: true,
         defineRolesFor,
         getUser,
         searchUsers,

package/src/hooks/useRebaseAuthController.ts

@@ -9,7 +9,7 @@ import {
     UserInfo
 } from "../types";
 
-const STORAGE_KEY = "rebase_auth";
+const STORAGE_KEY = "rebase_react_auth";
 
 // Buffer time before expiry to trigger refresh (2 minutes)
 const TOKEN_REFRESH_BUFFER_MS = 2 * 60 * 1000;
@@ -25,7 +25,8 @@ function convertToUser(userInfo: UserInfo): User {
         photoURL: userInfo.photoURL || null,
         providerId: "custom",
         isAnonymous: false,
-        roles: userInfo.roles || []
+        roles: userInfo.roles || [],
+        metadata: userInfo.metadata
     };
 }
 
@@ -112,12 +113,11 @@ export function useRebaseAuthController(
 
     // Configure API URL on mount
     useEffect(() => {
-        if (client) {
-            authApi.setApiUrl(client.baseUrl);
-        } else if (apiUrl) {
-            authApi.setApiUrl(apiUrl);
+        const url = client?.baseUrl || apiUrl;
+        if (url) {
+            authApi.setApiUrl(url);
         }
-    }, [client, apiUrl]);
+    }, [client, client?.baseUrl, apiUrl]);
 
     const clearError = useCallback(() => {
         setAuthProviderError(null);
@@ -280,7 +280,7 @@ export function useRebaseAuthController(
     // Install token getter onto client
     useEffect(() => {
         if (client) {
-            client.setAuthTokenGetter(async () => {
+            client.setAuthTokenGetter?.(async () => {
                 try { return await getAuthToken(); } catch { return null; }
             });
             if (client.setOnUnauthorized) {
@@ -624,6 +624,10 @@ roles: customRoles.map(r => r.id) };
                     }
                 } catch (meError: unknown) {
                     if (!isMountedRef.current) return;
+                    if (meError instanceof authApi.AuthApiError && (meError.code === "NOT_FOUND" || meError.code === "UNAUTHORIZED")) {
+                        clearSessionAndSignOut();
+                        return;
+                    }
                     userToSet = convertToUser(stored.user);
                 }
 
@@ -743,10 +747,10 @@ roles: customRoles.map(r => r.id) };
             emailPasswordLogin: true,
             googleLogin: !!(props.googleClientId),
             registration: authConfig?.registrationEnabled ?? false,
-            passwordReset: true,
+            passwordReset: authConfig?.passwordReset ?? false,
             sessionManagement: true,
             profileUpdate: true,
-            emailVerification: false,
+            emailVerification: authConfig?.emailVerification ?? false,
             enabledProviders: authConfig?.enabledProviders ?? []
         }
     };

package/src/index.ts

@@ -22,5 +22,5 @@ export { useBackendUserManagement } from "./hooks/useBackendUserManagement";
 export type { BackendUserManagementConfig, UserManagement } from "./hooks/useBackendUserManagement";
 
 // API utilities
-export { setApiUrl, getApiUrl, fetchAuthConfig, clearAuthConfigCache, AuthApiError } from "./api";
+export { setApiUrl, getApiUrl, fetchAuthConfig, AuthApiError } from "./api";
 export type { AuthConfigResponse } from "./api";

package/src/types.ts

@@ -50,7 +50,13 @@ export type RebaseAuthController = AuthController & {
  */
 export interface RebaseAuthControllerProps {
     /** The Rebase Client instance */
-    client?: any;
+    client?: {
+        baseUrl?: string;
+        resolveToken?: () => Promise<string | null>;
+        setAuthTokenGetter?: (getter: () => Promise<string | null>) => void;
+        setOnUnauthorized?: (handler: () => Promise<boolean>) => void;
+        ws?: { setAuthTokenGetter: (getter: () => Promise<string>) => void };
+    };
     /** Base URL of the backend API */
     apiUrl?: string;
     /** Google OAuth client ID (optional, enables Google login) */
@@ -81,6 +87,7 @@ export interface UserInfo {
     photoURL?: string | null;
     emailVerified?: boolean;
     roles?: string[];
+    metadata?: Record<string, unknown>;
 }
 
 /**