@sanity/client 7.22.0 → 7.22.1

package/dist/stega.browser.d.cts

@@ -1134,9 +1134,9 @@ declare interface ContentSourceMapValueMapping_2 {
 
 /** @public */
 export declare class CorsOriginError extends Error {
-  projectId: string
+  projectId?: string
   addOriginUrl?: URL
-  constructor({projectId}: {projectId: string})
+  constructor({projectId, credentials}?: {projectId?: string; credentials?: boolean})
 }
 
 /**

package/dist/stega.browser.d.ts

@@ -1134,9 +1134,9 @@ declare interface ContentSourceMapValueMapping_2 {
 
 /** @public */
 export declare class CorsOriginError extends Error {
-  projectId: string
+  projectId?: string
   addOriginUrl?: URL
-  constructor({projectId}: {projectId: string})
+  constructor({projectId, credentials}?: {projectId?: string; credentials?: boolean})
 }
 
 /**

package/dist/stega.d.cts

@@ -1134,9 +1134,9 @@ declare interface ContentSourceMapValueMapping_2 {
 
 /** @public */
 export declare class CorsOriginError extends Error {
-  projectId: string
+  projectId?: string
   addOriginUrl?: URL
-  constructor({projectId}: {projectId: string})
+  constructor({projectId, credentials}?: {projectId?: string; credentials?: boolean})
 }
 
 /**

package/dist/stega.d.ts

@@ -1134,9 +1134,9 @@ declare interface ContentSourceMapValueMapping_2 {
 
 /** @public */
 export declare class CorsOriginError extends Error {
-  projectId: string
+  projectId?: string
   addOriginUrl?: URL
-  constructor({projectId}: {projectId: string})
+  constructor({projectId, credentials}?: {projectId?: string; credentials?: boolean})
 }
 
 /**

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@sanity/client",
-  "version": "7.22.0",
+  "version": "7.22.1",
   "description": "Client for retrieving, creating and patching data from Sanity.io",
   "keywords": [
     "sanity",

package/src/data/live.ts

@@ -1,4 +1,4 @@
-import {catchError, mergeMap, Observable, of} from 'rxjs'
+import {catchError, mergeMap, Observable, of, throwError} from 'rxjs'
 import {finalize, map} from 'rxjs/operators'
 
 import {CorsOriginError} from '../http/errors'
@@ -122,16 +122,10 @@ export class LiveClient {
       'goaway',
     ])
 
-    const checkCors = fetchObservable(url, {
-      method: 'OPTIONS',
-      mode: 'cors',
-      credentials: esOptions.withCredentials ? 'include' : 'omit',
-      headers: esOptions.headers,
-    }).pipe(
-      catchError(() => {
-        // If the request fails, then we assume it was due to CORS, and we rethrow a special error that allows special handling in userland
-        throw new CorsOriginError({projectId: projectId!})
-      }),
+    const checkCors = checkCorsObservable(
+      new URL(this.#client.getUrl('/check/cors', false)),
+      projectId,
+      esOptions.withCredentials === true,
     )
 
     const observable = events
@@ -145,6 +139,12 @@ export class LiveClient {
           return of(event)
         }),
         catchError((err) => {
+          // If a prior `reconnect` already ran the CORS probe and produced a
+          // `CorsOriginError`, just rethrow it instead of calling `/check/cors`
+          // a second time only to get the same answer.
+          if (err instanceof CorsOriginError) {
+            return throwError(() => err)
+          }
           return checkCors.pipe(
             mergeMap(() => {
               // rethrow the original error if checkCors passed
@@ -172,21 +172,92 @@ export class LiveClient {
   }
 }
 
-function fetchObservable(url: URL, init: RequestInit) {
-  return new Observable((observer) => {
+/**
+ * Probes the `/check/cors` endpoint to confirm whether the current origin is
+ * allowed by the project's CORS configuration. EventSource failures are opaque,
+ * so we use this side-channel purely to tell "the server actively rejected our
+ * origin" apart from every other class of failure.
+ *
+ * Errors with `CorsOriginError` when either:
+ *
+ * - `requireCredentials` is `true` (the EventSource was about to send
+ *   credentials) and `/check/cors` reports `result.withCredentials === false`.
+ *   The credentialed request would fail due to a missing
+ *   `access-control-allow-credentials` header. The resulting error carries
+ *   `credentials: true` so its `addOriginUrl` deep-link pre-selects the
+ *   "Allow credentials" toggle in the Sanity management form.
+ * - `/check/cors` reports `result.allowed === false` (origin is not on the
+ *   project's CORS allow-list). The error carries `credentials: requireCredentials`
+ *   so the deep-link still pre-selects credentials when the caller needed them.
+ *
+ * Every other outcome is intentionally treated as "we don't know": the
+ * observable emits a single `void` value and then completes, so downstream
+ * `mergeMap(() => ...)` consumers can continue. No error is surfaced for any
+ * of these cases:
+ *
+ * - `allowed: true` (with credentials satisfied if required) or an
+ *   unrecognised body shape: the server did not confirm a CORS rejection.
+ * - Non-2xx HTTP response from `/check/cors`: same - no signal either way, and
+ *   a 5xx on the probe shouldn't poison the EventSource's original error.
+ * - `fetch` / network / JSON parse failures: indistinguishable from ordinary
+ *   connectivity hiccups (offline, DNS, certs, transient outages). Reporting
+ *   those as CORS errors is exactly the false-positive class this helper
+ *   exists to prevent.
+ * - The subscription was aborted: nothing to emit and nothing to complete.
+ *
+ * In all of those cases the caller's original underlying error from the
+ * EventSource is allowed to propagate unchanged.
+ */
+function checkCorsObservable(
+  url: URL,
+  projectId: string | undefined,
+  requireCredentials: boolean,
+): Observable<void> {
+  return new Observable<void>((observer) => {
     const controller = new AbortController()
-    const signal = controller.signal
-    fetch(url, {...init, signal: controller.signal}).then(
-      (response) => {
-        observer.next(response)
-        observer.complete()
-      },
-      (err) => {
-        if (!signal.aborted) {
-          observer.error(err)
+    const {signal} = controller
+    fetch(url, {method: 'GET', mode: 'cors', credentials: 'omit', signal})
+      .then((response) => {
+        // Aborted or non-2xx: not a confirmed CORS rejection. Fall through with
+        // an undefined body so the next step takes the silent-completion path.
+        if (signal.aborted || !response.ok) return
+        return response.json() as Promise<{
+          result?: {allowed?: boolean; withCredentials?: boolean}
+        }>
+      })
+      .then((body) => {
+        if (signal.aborted) return
+        // Check the credentialed case first: if the EventSource was about to
+        // send credentials but the project's CORS config doesn't permit them,
+        // the credentialed request would fail with a missing
+        // `access-control-allow-credentials` header. Surface this as a CORS
+        // rejection with `credentials: true` so the deep-link pre-selects the
+        // "Allow credentials" toggle.
+        if (requireCredentials && body?.result?.withCredentials === false) {
+          observer.error(new CorsOriginError({projectId, credentials: true}))
+          return
         }
-      },
-    )
+        // Generic case: the server actively rejected this origin. Propagate
+        // `credentials: requireCredentials` so the deep-link still pre-selects
+        // credentials when the caller needed them.
+        if (body?.result?.allowed === false) {
+          observer.error(new CorsOriginError({projectId, credentials: requireCredentials}))
+          return
+        }
+        // Anything else (allowed + credentials satisfied, unrecognised body)
+        // is treated as "not a confirmed CORS rejection" - let the caller's
+        // original error surface instead.
+        observer.next()
+        observer.complete()
+      })
+      // Fetch/network/JSON parse errors are intentionally ignored - see the
+      // helper's docblock for the rationale. We still need to settle the
+      // observer so downstream `mergeMap(checkCors, ...)` consumers can proceed.
+      .catch(() => {
+        if (signal.aborted || observer.closed) return
+        observer.next()
+        observer.complete()
+      })
     return () => controller.abort()
   })
 }

package/src/http/errors.ts

@@ -256,23 +256,33 @@ function sliceWithEllipsis(str: string, max: number) {
 
 /** @public */
 export class CorsOriginError extends Error {
-  projectId: string
+  projectId?: string
   addOriginUrl?: URL
 
-  constructor({projectId}: {projectId: string}) {
+  constructor({projectId, credentials}: {projectId?: string; credentials?: boolean} = {}) {
     super('CorsOriginError')
     this.name = 'CorsOriginError'
     this.projectId = projectId
 
-    const url = new URL(`https://sanity.io/manage/project/${projectId}/api`)
-    if (typeof location !== 'undefined') {
+    // Only build a deep-link when we know which project the user needs to
+    // configure - without `projectId` the management URL can't actually route
+    // them anywhere useful.
+    if (projectId && typeof location !== 'undefined') {
+      const url = new URL(`https://sanity.io/manage/project/${projectId}/api`)
       const {origin} = location
       url.searchParams.set('cors', 'add')
       url.searchParams.set('origin', origin)
+      if (credentials) {
+        // Pre-selects the "Allow credentials (token-based auth)" toggle in
+        // the Sanity management CORS form.
+        url.searchParams.set('credentials', '')
+      }
       this.addOriginUrl = url
       this.message = `The current origin is not allowed to connect to the Live Content API. Add it here: ${url}`
+    } else if (projectId) {
+      this.message = `The current origin is not allowed to connect to the Live Content API. Change your configuration here: https://sanity.io/manage/project/${projectId}/api`
     } else {
-      this.message = `The current origin is not allowed to connect to the Live Content API. Change your configuration here: ${url}`
+      this.message = `The current origin is not allowed to connect to the Live Content API.`
     }
   }
 }

package/umd/sanityClient.js

@@ -2148,14 +2148,11 @@ ${codeFrame(query, { start, end }, description)}${withTag}${withTraceId}`;
   class CorsOriginError extends Error {
     projectId;
     addOriginUrl;
-    constructor({ projectId: projectId2 }) {
-      super("CorsOriginError"), this.name = "CorsOriginError", this.projectId = projectId2;
-      const url = new URL(`https://sanity.io/manage/project/${projectId2}/api`);
-      if (typeof location < "u") {
-        const { origin } = location;
-        url.searchParams.set("cors", "add"), url.searchParams.set("origin", origin), this.addOriginUrl = url, this.message = `The current origin is not allowed to connect to the Live Content API. Add it here: ${url}`;
-      } else
-        this.message = `The current origin is not allowed to connect to the Live Content API. Change your configuration here: ${url}`;
+    constructor({ projectId: projectId2, credentials } = {}) {
+      if (super("CorsOriginError"), this.name = "CorsOriginError", this.projectId = projectId2, projectId2 && typeof location < "u") {
+        const url = new URL(`https://sanity.io/manage/project/${projectId2}/api`), { origin } = location;
+        url.searchParams.set("cors", "add"), url.searchParams.set("origin", origin), credentials && url.searchParams.set("credentials", ""), this.addOriginUrl = url, this.message = `The current origin is not allowed to connect to the Live Content API. Add it here: ${url}`;
+      } else projectId2 ? this.message = `The current origin is not allowed to connect to the Live Content API. Change your configuration here: https://sanity.io/manage/project/${projectId2}/api` : this.message = "The current origin is not allowed to connect to the Live Content API.";
     }
   }
   const httpError = {
@@ -3472,19 +3469,14 @@ ${selectionOpts}`);
         "welcome",
         "reconnect",
         "goaway"
-      ]), checkCors = fetchObservable(url, {
-        method: "OPTIONS",
-        mode: "cors",
-        credentials: esOptions.withCredentials ? "include" : "omit",
-        headers: esOptions.headers
-      }).pipe(
-        catchError(() => {
-          throw new CorsOriginError({ projectId: projectId2 });
-        })
+      ]), checkCors = checkCorsObservable(
+        new URL(this.#client.getUrl("/check/cors", false)),
+        projectId2,
+        esOptions.withCredentials === true
       ), observable2 = events.pipe(
         reconnectOnConnectionFailure(),
         mergeMap((event) => event.type === "reconnect" ? checkCors.pipe(mergeMap(() => of(event))) : of(event)),
-        catchError((err) => checkCors.pipe(
+        catchError((err) => err instanceof CorsOriginError ? throwError(() => err) : checkCors.pipe(
           mergeMap(() => {
             throw err;
           })
@@ -3505,17 +3497,27 @@ ${selectionOpts}`);
       return eventsCache.set(key, observable2), observable2;
     }
   }
-  function fetchObservable(url, init) {
+  function checkCorsObservable(url, projectId2, requireCredentials) {
     return new Observable((observer) => {
-      const controller = new AbortController(), signal = controller.signal;
-      return fetch(url, { ...init, signal: controller.signal }).then(
-        (response) => {
-          observer.next(response), observer.complete();
-        },
-        (err) => {
-          signal.aborted || observer.error(err);
+      const controller = new AbortController(), { signal } = controller;
+      return fetch(url, { method: "GET", mode: "cors", credentials: "omit", signal }).then((response) => {
+        if (!(signal.aborted || !response.ok))
+          return response.json();
+      }).then((body) => {
+        if (!signal.aborted) {
+          if (requireCredentials && body?.result?.withCredentials === false) {
+            observer.error(new CorsOriginError({ projectId: projectId2, credentials: true }));
+            return;
+          }
+          if (body?.result?.allowed === false) {
+            observer.error(new CorsOriginError({ projectId: projectId2, credentials: requireCredentials }));
+            return;
+          }
+          observer.next(), observer.complete();
         }
-      ), () => controller.abort();
+      }).catch(() => {
+        signal.aborted || observer.closed || (observer.next(), observer.complete());
+      }), () => controller.abort();
     });
   }
   const eventsCache = /* @__PURE__ */ new Map();