@sanity/sdk 2.11.0 → 2.11.1

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@sanity/sdk",
-  "version": "2.11.0",
+  "version": "2.11.1",
   "private": false,
   "description": "Sanity SDK",
   "keywords": [
@@ -48,36 +48,36 @@
   "browserslist": "extends @sanity/browserslist-config",
   "prettier": "@sanity/prettier-config",
   "dependencies": {
-    "@sanity/bifur-client": "^0.4.1",
+    "@sanity/bifur-client": "^1.0.0",
     "@sanity/client": "^7.22.0",
-    "@sanity/comlink": "^3.1.1",
+    "@sanity/comlink": "^4.0.1",
     "@sanity/diff-match-patch": "^3.2.0",
     "@sanity/diff-patch": "^6.0.0",
     "@sanity/id-utils": "^1.0.0",
-    "@sanity/image-url": "^2.0.3",
+    "@sanity/image-url": "^2.1.1",
     "@sanity/json-match": "^1.0.5",
     "@sanity/message-protocol": "^0.23.0",
     "@sanity/mutate": "^0.16.1",
     "@sanity/telemetry": "^1.1.0",
-    "@sanity/types": "^5.2.0",
+    "@sanity/types": "^5.24.0",
     "groq": "3.88.1-typegen-experimental.0",
     "groq-js": "^1.30.1",
     "reselect": "^5.1.1",
     "rxjs": "^7.8.2",
-    "zustand": "^5.0.12"
+    "zustand": "^5.0.13"
   },
   "devDependencies": {
     "@sanity/browserslist-config": "^1.0.5",
     "@sanity/pkg-utils": "^8.1.29",
     "@sanity/prettier-config": "^1.0.6",
-    "@types/node": "^22.19.1",
+    "@types/node": "^24.12.3",
     "@vitest/coverage-v8": "4.1.5",
-    "eslint": "^9.22.0",
-    "prettier": "^3.7.3",
+    "eslint": "^9.39.4",
+    "prettier": "^3.8.3",
     "rollup-plugin-visualizer": "^5.14.0",
-    "typescript": "^5.8.3",
-    "vite": "^7.0.0",
-    "vitest": "^4.1.4",
+    "typescript": "^5.9.3",
+    "vite": "^7.3.3",
+    "vitest": "^4.1.5",
     "@repo/config-eslint": "0.0.0",
     "@repo/package.bundle": "3.82.0",
     "@repo/config-test": "0.0.1",

package/src/auth/refreshStampedToken.test.ts

@@ -59,8 +59,8 @@ describe('refreshStampedToken', () => {
       request: vi.fn(
         async (
           _name: string,
-          _options: LockOptions | LockGrantedCallback,
-          callback?: LockGrantedCallback,
+          _options: LockOptions | LockGrantedCallback<unknown>,
+          callback?: LockGrantedCallback<unknown>,
         ) => {
           const actualCallback = typeof _options === 'function' ? _options : callback
           if (!actualCallback) return false

package/src/auth/subscribeToStateAndFetchCurrentUser.test.ts

@@ -112,4 +112,120 @@ describe('subscribeToStateAndFetchCurrentUser', () => {
 
     subscription.unsubscribe()
   })
+
+  it('recovers from a fetch error when a new token is set', () => {
+    const error = new Error('Unauthorized')
+    const mockUser = {id: 'recovered-user'} as CurrentUser
+    const mockRequest = vi
+      .fn()
+      .mockReturnValueOnce(throwError(() => error))
+      .mockReturnValueOnce(of(mockUser))
+    const mockClient = {observable: {request: mockRequest}}
+    const clientFactory = vi.fn().mockReturnValue(mockClient)
+    const instance = createSanityInstance({projectId: 'p', dataset: 'd', auth: {clientFactory}})
+
+    const state = createStoreState(authStore.getInitialState(instance, null))
+    const subscription = subscribeToStateAndFetchCurrentUser({state, instance, key: null})
+
+    // First token causes a 401 — state should transition to ERROR
+    state.set('setLoggedIn', {
+      authState: {type: AuthStateType.LOGGED_IN, token: 'expired-token', currentUser: null},
+    })
+    expect(state.get()).toMatchObject({authState: {type: AuthStateType.ERROR, error}})
+
+    // Simulate comlink providing a fresh token (setAuthToken sets LOGGED_IN with new token)
+    state.set('setNewToken', {
+      authState: {type: AuthStateType.LOGGED_IN, token: 'fresh-token', currentUser: null},
+    })
+
+    // Subscription should still be alive — re-fetches /users/me with the new token
+    expect(state.get()).toMatchObject({
+      authState: {type: AuthStateType.LOGGED_IN, token: 'fresh-token', currentUser: mockUser},
+    })
+    expect(mockRequest).toHaveBeenCalledTimes(2)
+
+    subscription.unsubscribe()
+  })
+
+  it('recovers from multiple consecutive fetch errors', () => {
+    const error1 = new Error('Unauthorized')
+    const error2 = new Error('Unauthorized again')
+    const mockUser = {id: 'finally-recovered'} as CurrentUser
+    const mockRequest = vi
+      .fn()
+      .mockReturnValueOnce(throwError(() => error1))
+      .mockReturnValueOnce(throwError(() => error2))
+      .mockReturnValueOnce(of(mockUser))
+    const mockClient = {observable: {request: mockRequest}}
+    const clientFactory = vi.fn().mockReturnValue(mockClient)
+    const instance = createSanityInstance({projectId: 'p', dataset: 'd', auth: {clientFactory}})
+
+    const state = createStoreState(authStore.getInitialState(instance, null))
+    const subscription = subscribeToStateAndFetchCurrentUser({state, instance, key: null})
+
+    // First attempt fails
+    state.set('setLoggedIn', {
+      authState: {type: AuthStateType.LOGGED_IN, token: 'token-1', currentUser: null},
+    })
+    expect(state.get()).toMatchObject({authState: {type: AuthStateType.ERROR, error: error1}})
+
+    // Second attempt also fails
+    state.set('setNewToken', {
+      authState: {type: AuthStateType.LOGGED_IN, token: 'token-2', currentUser: null},
+    })
+    expect(state.get()).toMatchObject({authState: {type: AuthStateType.ERROR, error: error2}})
+
+    // Third attempt succeeds
+    state.set('setNewToken', {
+      authState: {type: AuthStateType.LOGGED_IN, token: 'token-3', currentUser: null},
+    })
+    expect(state.get()).toMatchObject({
+      authState: {type: AuthStateType.LOGGED_IN, token: 'token-3', currentUser: mockUser},
+    })
+    expect(mockRequest).toHaveBeenCalledTimes(3)
+
+    subscription.unsubscribe()
+  })
+
+  it('does not re-fetch with the same token but recovers with a different token', () => {
+    const error = new Error('Unauthorized')
+    const mockUser = {id: 'recovered-user'} as CurrentUser
+    const mockRequest = vi
+      .fn()
+      .mockReturnValueOnce(throwError(() => error))
+      .mockReturnValueOnce(of(mockUser))
+    const mockClient = {observable: {request: mockRequest}}
+    const clientFactory = vi.fn().mockReturnValue(mockClient)
+    const instance = createSanityInstance({projectId: 'p', dataset: 'd', auth: {clientFactory}})
+
+    const state = createStoreState(authStore.getInitialState(instance, null))
+    const subscription = subscribeToStateAndFetchCurrentUser({state, instance, key: null})
+
+    // First attempt fails
+    state.set('setLoggedIn', {
+      authState: {type: AuthStateType.LOGGED_IN, token: 'same-token', currentUser: null},
+    })
+    expect(state.get()).toMatchObject({authState: {type: AuthStateType.ERROR, error}})
+
+    // Same token should be blocked by distinctUntilChanged — no re-fetch
+    state.set('setNewToken', {
+      authState: {type: AuthStateType.LOGGED_IN, token: 'same-token', currentUser: null},
+    })
+    expect(mockRequest).toHaveBeenCalledTimes(1)
+
+    // A different token should pass distinctUntilChanged and trigger recovery
+    state.set('setNewToken', {
+      authState: {type: AuthStateType.LOGGED_IN, token: 'different-token', currentUser: null},
+    })
+    expect(state.get()).toMatchObject({
+      authState: {
+        type: AuthStateType.LOGGED_IN,
+        token: 'different-token',
+        currentUser: mockUser,
+      },
+    })
+    expect(mockRequest).toHaveBeenCalledTimes(2)
+
+    subscription.unsubscribe()
+  })
 })

package/src/auth/subscribeToStateAndFetchCurrentUser.ts

@@ -1,5 +1,13 @@
 import {type CurrentUser} from '@sanity/types'
-import {distinctUntilChanged, filter, map, type Subscription, switchMap} from 'rxjs'
+import {
+  catchError,
+  distinctUntilChanged,
+  EMPTY,
+  filter,
+  map,
+  type Subscription,
+  switchMap,
+} from 'rxjs'
 
 import {type StoreContext} from '../store/defineStore'
 import {DEFAULT_API_VERSION, REQUEST_TAG_PREFIX} from './authConstants'
@@ -60,11 +68,24 @@ export const subscribeToStateAndFetchCurrentUser = (
         }),
       ),
       switchMap((client) =>
-        client.observable.request<CurrentUser>({
-          uri: '/users/me',
-          method: 'GET',
-          tag: 'users.get-current',
-        }),
+        client.observable
+          .request<CurrentUser>({
+            uri: '/users/me',
+            method: 'GET',
+            tag: 'users.get-current',
+          })
+          .pipe(
+            /**
+             * Catch inside switchMap so the outer subscription survives.
+             * Without this, a 401 terminates the subscription permanently
+             * and subsequent token refreshes via comlink never re-fetch /users/me.
+             * @see SDK-1409
+             */
+            catchError((error) => {
+              state.set('setError', {authState: {type: AuthStateType.ERROR, error}})
+              return EMPTY
+            }),
+          ),
       ),
     )
 
@@ -77,8 +98,5 @@ export const subscribeToStateAndFetchCurrentUser = (
             : prev.authState,
       }))
     },
-    error: (error) => {
-      state.set('setError', {authState: {type: AuthStateType.ERROR, error}})
-    },
   })
 }

package/src/document/documentStore.ts

@@ -59,7 +59,7 @@ import {
   type DocumentPermissionsResult,
   type Grant,
 } from './permissions'
-import {ActionError} from './processActions'
+import {ActionError} from './processActions/processActions'
 import {
   type AppliedTransaction,
   applyFirstQueuedTransaction,

package/src/document/permissions.ts

@@ -7,7 +7,7 @@ import {isReleasePerspective} from '../releases/utils/isReleasePerspective'
 import {type SelectorContext} from '../store/createStateSourceAction'
 import {MultiKeyWeakMap} from '../utils/MultiKeyWeakMap'
 import {type DocumentAction} from './actions'
-import {ActionError, PermissionActionError, processActions} from './processActions'
+import {ActionError, PermissionActionError, processActions} from './processActions/processActions'
 import {type DocumentSet} from './processMutations'
 import {type SyncTransactionState} from './reducers'
 

package/src/document/processActions/create.ts

@@ -0,0 +1,135 @@
+import {DocumentId, getDraftId, getPublishedId, getVersionId} from '@sanity/id-utils'
+import {type Mutation, type SanityDocument} from '@sanity/types'
+
+import {isReleasePerspective} from '../../releases/utils/isReleasePerspective'
+import {type CreateDocumentAction} from '../actions'
+import {getId, processMutations} from '../processMutations'
+import {
+  ActionError,
+  type ActionHandlerContext,
+  type ActionHandlerResult,
+  checkGrant,
+  PermissionActionError,
+} from './shared'
+
+export function handleCreate(
+  action: CreateDocumentAction,
+  ctx: ActionHandlerContext,
+): ActionHandlerResult {
+  const {transactionId, timestamp, grants, outgoingActions, outgoingMutations} = ctx
+  let {base, working} = ctx
+
+  const documentId = getId(action.documentId)
+
+  if (action.liveEdit) {
+    if (working[documentId]) {
+      throw new ActionError({
+        documentId,
+        transactionId,
+        message: `This document already exists.`,
+      })
+    }
+
+    const newDocBase = {_type: action.documentType, _id: documentId, ...action.initialValue}
+    const newDocWorking = {
+      _type: action.documentType,
+      _id: documentId,
+      ...action.initialValue,
+    }
+    const mutations: Mutation[] = [{create: newDocWorking}]
+
+    base = processMutations({
+      documents: base,
+      transactionId,
+      mutations: [{create: newDocBase}],
+      timestamp,
+    })
+    working = processMutations({
+      documents: working,
+      transactionId,
+      mutations,
+      timestamp,
+    })
+
+    if (!checkGrant(grants.create, working[documentId] as SanityDocument)) {
+      throw new PermissionActionError({
+        documentId,
+        transactionId,
+        message: `You do not have permission to create document "${documentId}".`,
+      })
+    }
+
+    // liveEdit documents use the mutation endpoint directly -- we don't send actions
+    outgoingMutations.push(...mutations)
+    return {base, working}
+  }
+
+  // Standard draft/published/version logic
+  const versionId = isReleasePerspective(action.perspective)
+    ? getVersionId(DocumentId(documentId), action.perspective.releaseName)
+    : undefined
+  const draftId = getDraftId(DocumentId(documentId))
+  const publishedId = getPublishedId(DocumentId(documentId))
+
+  const alreadyHasVersion = versionId ? working[versionId] : working[draftId]
+
+  if (alreadyHasVersion) {
+    const errorDocType = versionId ? 'release version' : 'draft'
+    throw new ActionError({
+      documentId,
+      transactionId,
+      message: `A ${errorDocType} of this document already exists. Please use or discard the existing ${errorDocType} before creating a new one.`,
+    })
+  }
+
+  // Spread the (possibly undefined) draft or published version directly.
+  // (studio uses the draft version as a base if you are in a release perspective)
+  const newDocBase = {
+    ...(base[draftId] ?? base[publishedId]),
+    _type: action.documentType,
+    _id: versionId ?? draftId,
+    ...action.initialValue,
+  }
+  const newDocWorking = {
+    ...(working[draftId] ?? working[publishedId]),
+    _type: action.documentType,
+    _id: versionId ?? draftId,
+    ...action.initialValue,
+  }
+  const mutations: Mutation[] = [{create: newDocWorking}]
+
+  base = processMutations({
+    documents: base,
+    transactionId,
+    mutations: [{create: newDocBase}],
+    timestamp,
+  })
+  working = processMutations({
+    documents: working,
+    transactionId,
+    mutations,
+    timestamp,
+  })
+
+  if (versionId && !checkGrant(grants.create, working[versionId] as SanityDocument)) {
+    throw new PermissionActionError({
+      documentId,
+      transactionId,
+      message: `You do not have permission to create a release version for document "${documentId}".`,
+    })
+  } else if (!versionId && !checkGrant(grants.create, working[draftId] as SanityDocument)) {
+    throw new PermissionActionError({
+      documentId,
+      transactionId,
+      message: `You do not have permission to create a draft for document "${documentId}".`,
+    })
+  }
+
+  outgoingMutations.push(...mutations)
+  outgoingActions.push({
+    actionType: 'sanity.action.document.version.create',
+    publishedId,
+    attributes: newDocWorking,
+  })
+  return {base, working}
+}

package/src/document/processActions/delete.ts

@@ -0,0 +1,100 @@
+import {DocumentId, getDraftId, getPublishedId} from '@sanity/id-utils'
+import {type Mutation} from '@sanity/types'
+
+import {isReleasePerspective} from '../../releases/utils/isReleasePerspective'
+import {type DeleteDocumentAction} from '../actions'
+import {processMutations} from '../processMutations'
+import {
+  ActionError,
+  type ActionHandlerContext,
+  type ActionHandlerResult,
+  checkGrant,
+  PermissionActionError,
+} from './shared'
+
+export function handleDelete(
+  action: DeleteDocumentAction,
+  ctx: ActionHandlerContext,
+): ActionHandlerResult {
+  const {transactionId, timestamp, grants, outgoingActions, outgoingMutations} = ctx
+  let {base, working} = ctx
+
+  const documentId = action.documentId
+
+  if (isReleasePerspective(action.perspective)) {
+    throw new ActionError({
+      documentId,
+      transactionId,
+      message: `Cannot delete a version document. You may want to use the "unpublish" or "discard" actions instead.`,
+    })
+  }
+
+  if (action.liveEdit) {
+    if (!working[documentId]) {
+      throw new ActionError({
+        documentId,
+        transactionId,
+        message: 'The document you are trying to delete does not exist.',
+      })
+    }
+
+    if (!checkGrant(grants.update, working[documentId])) {
+      throw new PermissionActionError({
+        documentId,
+        transactionId,
+        message: `You do not have permission to delete this document.`,
+      })
+    }
+
+    const mutations: Mutation[] = [{delete: {id: documentId}}]
+
+    base = processMutations({documents: base, transactionId, mutations, timestamp})
+    working = processMutations({documents: working, transactionId, mutations, timestamp})
+
+    // although liveEdit documents can use the actions API for deletion,
+    // having this be an action while other operations are mutations creates an inconsistency
+    // (and a possible race condition in document store where mutations might get skipped)
+    outgoingMutations.push(...mutations)
+    return {base, working}
+  }
+
+  // Standard draft/published logic
+  const draftId = getDraftId(DocumentId(documentId))
+  const publishedId = getPublishedId(DocumentId(documentId))
+
+  if (!working[publishedId]) {
+    throw new ActionError({
+      documentId,
+      transactionId,
+      message: working[draftId]
+        ? 'Cannot delete a document without a published version.'
+        : 'The document you are trying to delete does not exist.',
+    })
+  }
+
+  const cantDeleteDraft = working[draftId] && !checkGrant(grants.update, working[draftId])
+  const cantDeletePublished =
+    working[publishedId] && !checkGrant(grants.update, working[publishedId])
+
+  if (cantDeleteDraft || cantDeletePublished) {
+    throw new PermissionActionError({
+      documentId,
+      transactionId,
+      message: `You do not have permission to delete this document.`,
+    })
+  }
+
+  const mutations: Mutation[] = [{delete: {id: publishedId}}, {delete: {id: draftId}}]
+  const includeDrafts = working[draftId] ? [draftId] : undefined
+
+  base = processMutations({documents: base, transactionId, mutations, timestamp})
+  working = processMutations({documents: working, transactionId, mutations, timestamp})
+
+  outgoingMutations.push(...mutations)
+  outgoingActions.push({
+    actionType: 'sanity.action.document.delete',
+    publishedId,
+    ...(includeDrafts ? {includeDrafts} : {}),
+  })
+  return {base, working}
+}

package/src/document/processActions/discard.ts

@@ -0,0 +1,63 @@
+import {DocumentId, getDraftId, getVersionId} from '@sanity/id-utils'
+import {type Mutation} from '@sanity/types'
+
+import {isReleasePerspective} from '../../releases/utils/isReleasePerspective'
+import {type DiscardDocumentAction} from '../actions'
+import {getId, processMutations} from '../processMutations'
+import {
+  ActionError,
+  type ActionHandlerContext,
+  type ActionHandlerResult,
+  checkGrant,
+  PermissionActionError,
+} from './shared'
+
+export function handleDiscard(
+  action: DiscardDocumentAction,
+  ctx: ActionHandlerContext,
+): ActionHandlerResult {
+  const {transactionId, timestamp, grants, outgoingActions, outgoingMutations} = ctx
+  let {base, working} = ctx
+
+  const documentId = getId(action.documentId)
+
+  if (action.liveEdit) {
+    throw new ActionError({
+      documentId,
+      transactionId,
+      message: `Cannot discard changes for liveEdit document "${documentId}". LiveEdit documents do not support drafts.`,
+    })
+  }
+
+  // draft/published or version logic
+  const versionId = isReleasePerspective(action.perspective)
+    ? getVersionId(DocumentId(documentId), action.perspective.releaseName)
+    : getDraftId(DocumentId(documentId))
+  const mutations: Mutation[] = [{delete: {id: versionId}}]
+
+  if (!working[versionId]) {
+    throw new ActionError({
+      documentId,
+      transactionId,
+      message: `There is no draft or version available to discard for document "${documentId}".`,
+    })
+  }
+
+  if (!checkGrant(grants.update, working[versionId])) {
+    throw new PermissionActionError({
+      documentId,
+      transactionId,
+      message: `You do not have permission to discard changes for document "${documentId}".`,
+    })
+  }
+
+  base = processMutations({documents: base, transactionId, mutations, timestamp})
+  working = processMutations({documents: working, transactionId, mutations, timestamp})
+
+  outgoingMutations.push(...mutations)
+  outgoingActions.push({
+    actionType: 'sanity.action.document.version.discard',
+    versionId,
+  })
+  return {base, working}
+}