@sanity/sdk 2.13.0 → 2.14.1

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@sanity/sdk",
-  "version": "2.13.0",
+  "version": "2.14.1",
   "private": false,
   "description": "Sanity SDK",
   "keywords": [
@@ -57,9 +57,9 @@
     "@sanity/image-url": "^2.1.1",
     "@sanity/json-match": "^1.0.5",
     "@sanity/message-protocol": "^0.23.0",
-    "@sanity/mutate": "^0.18.0",
+    "@sanity/mutate": "^0.18.1",
     "@sanity/telemetry": "^1.1.0",
-    "@sanity/types": "^5.26.0",
+    "@sanity/types": "^6.0.0",
     "groq": "3.88.1-typegen-experimental.0",
     "groq-js": "^1.30.2",
     "reselect": "^5.1.1",
@@ -68,21 +68,21 @@
   },
   "devDependencies": {
     "@sanity/browserslist-config": "^1.0.5",
-    "@sanity/pkg-utils": "^9.2.3",
-    "@sanity/prettier-config": "^1.0.6",
+    "@sanity/pkg-utils": "^10.5.5",
+    "@sanity/prettier-config": "^3.0.0",
     "@types/node": "^24.12.4",
     "@vitest/coverage-v8": "^4.1.8",
     "eslint": "^9.39.4",
-    "prettier": "^3.8.3",
-    "rollup-plugin-visualizer": "^5.14.0",
+    "prettier": "^3.8.4",
+    "rollup-plugin-visualizer": "^6.0.11",
     "typescript": "^5.9.3",
     "vite": "^7.3.5",
     "vitest": "^4.1.8",
+    "@repo/config-eslint": "0.0.0",
     "@repo/config-test": "0.0.1",
     "@repo/package.config": "0.0.1",
-    "@repo/config-eslint": "0.0.0",
-    "@repo/package.bundle": "3.82.0",
-    "@repo/tsconfig": "0.0.1"
+    "@repo/tsconfig": "0.0.1",
+    "@repo/package.bundle": "3.82.0"
   },
   "publishConfig": {
     "access": "public"

package/src/auth/authLogger.ts

@@ -0,0 +1,30 @@
+import {type SanityInstance} from '../store/createSanityInstance'
+import {createLogger, type Logger} from '../utils/logger'
+
+const loggers = new WeakMap<SanityInstance, Logger>()
+
+/**
+ * Returns the auth logger for a Sanity instance, creating it on first use.
+ *
+ * The logger is cached per instance so repeated action calls (logout,
+ * setAuthToken, handleAuthCallback) reuse the same logger instead of
+ * rebuilding it. The instance details are nested under `instanceContext`,
+ * which is what the logger's formatter reads to render the
+ * `[project:x] [dataset:y] [instance:z]` prefix.
+ *
+ * @internal
+ */
+export function getAuthLogger(instance: SanityInstance): Logger {
+  let logger = loggers.get(instance)
+  if (!logger) {
+    logger = createLogger('auth', {
+      instanceContext: {
+        instanceId: instance.instanceId,
+        projectId: instance.config.projectId,
+        dataset: instance.config.dataset,
+      },
+    })
+    loggers.set(instance, logger)
+  }
+  return logger
+}

package/src/auth/authStore.test.ts

@@ -1,7 +1,7 @@
 import {type ClientConfig, createClient, type SanityClient} from '@sanity/client'
 import {type CurrentUser} from '@sanity/types'
 import {NEVER, type Subscription} from 'rxjs'
-import {afterEach, beforeEach, describe, it, vi} from 'vitest'
+import {afterEach, beforeEach, describe, expect, it, vi} from 'vitest'
 
 import {createSanityInstance} from '../store/createSanityInstance'
 import {AuthStateType} from './authStateType'
@@ -46,6 +46,24 @@ vi.mock('./studioModeAuth', async (importOriginal) => {
 
 vi.mock('./subscribeToStateAndFetchCurrentUser')
 vi.mock('./subscribeToStorageEventsAndSetToken')
+// Mock logger to prevent actual logging during tests
+vi.mock('../utils/logger', async (importOriginal) => {
+  const original = await importOriginal<typeof import('../utils/logger')>()
+  return {
+    ...original,
+    createLogger: vi.fn(() => ({
+      info: vi.fn(),
+      debug: vi.fn(),
+      warn: vi.fn(),
+      error: vi.fn(),
+      trace: vi.fn(),
+    })),
+  }
+})
+
+// Import createLogger after mocking
+// eslint-disable-next-line import/first
+import {createLogger} from '../utils/logger'
 
 describe('authStore', () => {
   // Global beforeEach and afterEach for all tests
@@ -321,6 +339,54 @@ describe('authStore', () => {
       expect(options.authMethod).toBe('localstorage')
     })
 
+    it('logs auth initialized in logged out state when no token available', () => {
+      instance = createSanityInstance({
+        projectId: 'p',
+        dataset: 'd',
+      })
+
+      vi.mocked(getAuthCode).mockReturnValue(null)
+      vi.mocked(getTokenFromStorage).mockReturnValue(null)
+      vi.mocked(getTokenFromLocation).mockReturnValue(null)
+
+      const {authState} = authStore.getInitialState(instance, null)
+      expect(authState.type).toBe(AuthStateType.LOGGED_OUT)
+      // Logger should have been called
+      expect(createLogger).toHaveBeenCalled()
+    })
+
+    it('logs when auth initialized with storage token', () => {
+      const storageToken = 'storage-token'
+      instance = createSanityInstance({
+        projectId: 'p',
+        dataset: 'd',
+      })
+
+      vi.mocked(getAuthCode).mockReturnValue(null)
+      vi.mocked(getTokenFromStorage).mockReturnValue(storageToken)
+      vi.mocked(getTokenFromLocation).mockReturnValue(null)
+
+      const {authState} = authStore.getInitialState(instance, null)
+      expect(authState).toMatchObject({type: AuthStateType.LOGGED_IN, token: storageToken})
+      // Logger should have been called
+      expect(createLogger).toHaveBeenCalled()
+    })
+
+    it('logs when auth initialized with logging in state', () => {
+      instance = createSanityInstance({
+        projectId: 'p',
+        dataset: 'd',
+      })
+
+      vi.mocked(getAuthCode).mockReturnValue('test-code')
+      vi.mocked(getTokenFromLocation).mockReturnValue(null)
+
+      const {authState} = authStore.getInitialState(instance, null)
+      expect(authState.type).toBe(AuthStateType.LOGGING_IN)
+      // Logger should have been called
+      expect(createLogger).toHaveBeenCalled()
+    })
+
     it('checks for cookie auth during initialize when studio config is provided and no studio token exists', () => {
       const projectId = 'studio-project'
       const studioStorageKey = `__studio_auth_token_${projectId}`
@@ -574,6 +640,35 @@ describe('authStore', () => {
       expect(stateUnsubscribe).toHaveBeenCalled()
       expect(storageEventsUnsubscribe).not.toHaveBeenCalled()
     })
+
+    it('logs when checking for cookie auth in studio mode', async () => {
+      const projectId = 'studio-project'
+      const mockStorage = {
+        getItem: vi.fn(),
+        setItem: vi.fn(),
+        removeItem: vi.fn(),
+      } as unknown as Storage
+      vi.mocked(getStudioTokenFromLocalStorage).mockReturnValue(null)
+      vi.mocked(checkForCookieAuth).mockResolvedValue(true)
+
+      instance = createSanityInstance({
+        projectId,
+        dataset: 'd',
+        studioMode: {enabled: true},
+        auth: {storageArea: mockStorage},
+      })
+
+      // Trigger store initialization
+      getAuthState(instance)
+
+      // Wait for async cookie check
+      await vi.waitFor(() => {
+        expect(checkForCookieAuth).toHaveBeenCalledWith(projectId, expect.any(Function))
+      })
+
+      // Logger should have been called during initialization
+      expect(createLogger).toHaveBeenCalled()
+    })
   })
 
   describe('getCurrentUserState', () => {

package/src/auth/authStore.ts

@@ -6,6 +6,7 @@ import {bindActionGlobally} from '../store/createActionBinder'
 import {createStateSourceAction} from '../store/createStateSourceAction'
 import {defineStore} from '../store/defineStore'
 import {getStagingApiHost} from '../utils/getStagingApiHost'
+import {getAuthLogger} from './authLogger'
 import {resolveAuthMode} from './authMode'
 import {AuthStateType} from './authStateType'
 import {type AuthStrategyOptions} from './authStrategy'
@@ -102,6 +103,16 @@ export const authStore = defineStore<AuthStoreState>({
   name: 'Auth',
 
   getInitialState(instance) {
+    const logger = getAuthLogger(instance)
+
+    logger.debug('Initializing auth store', {
+      hasProvidedToken: !!instance.config.auth?.token,
+      hasCustomProviders: !!(
+        instance.config.auth?.providers && instance.config.auth.providers.length > 0
+      ),
+      studioMode: instance.config.studioMode?.enabled ?? false,
+    })
+
     const {
       apiHost: configApiHost,
       callbackUrl,
@@ -153,6 +164,12 @@ export const authStore = defineStore<AuthStoreState>({
         break
     }
 
+    logger.debug('Auth state initialized', {
+      authStateType: result.authState.type,
+      mode,
+      authMethod: result.authMethod,
+    })
+
     return {
       authState: result.authState,
       dashboardContext: result.dashboardContext,
@@ -172,10 +189,14 @@ export const authStore = defineStore<AuthStoreState>({
   },
 
   initialize(context) {
+    const logger = getAuthLogger(context.instance)
+
     const initialLocationHref =
       context.state.get().options?.initialLocationHref ?? getDefaultLocation()
     const mode = resolveAuthMode(context.instance.config, initialLocationHref)
 
+    logger.debug('Setting up auth subscriptions', {mode})
+
     let initResult
     switch (mode) {
       case 'studio':
@@ -193,7 +214,10 @@ export const authStore = defineStore<AuthStoreState>({
       tokenRefresherRunning = true
     }
 
-    return initResult.dispose
+    return () => {
+      logger.debug('Cleaning up auth subscriptions')
+      initResult.dispose()
+    }
   },
 })
 
@@ -271,27 +295,34 @@ export const getIsInDashboardState = bindActionGlobally(
  * Used internally by the Comlink token refresh.
  * @internal
  */
-export const setAuthToken = bindActionGlobally(authStore, ({state}, token: string | null) => {
-  const currentAuthState = state.get().authState
-  if (token) {
-    // Update state only if the new token is different or currently logged out
-    if (currentAuthState.type !== AuthStateType.LOGGED_IN || currentAuthState.token !== token) {
-      const currentUser =
-        currentAuthState.type === AuthStateType.LOGGED_IN ? currentAuthState.currentUser : null
-      const preservedLastTokenRefresh =
-        currentAuthState.type === AuthStateType.LOGGED_IN
-          ? currentAuthState.lastTokenRefresh
-          : undefined
-      state.set('setToken', {
-        authState: createLoggedInAuthState(token, currentUser, preservedLastTokenRefresh),
-      })
-    }
-  } else {
-    // Handle setting token to null (logging out)
-    if (currentAuthState.type !== AuthStateType.LOGGED_OUT) {
-      state.set('setToken', {
-        authState: {type: AuthStateType.LOGGED_OUT, isDestroyingSession: false},
-      })
+export const setAuthToken = bindActionGlobally(
+  authStore,
+  ({state, instance}, token: string | null) => {
+    const logger = getAuthLogger(instance)
+
+    const currentAuthState = state.get().authState
+    if (token) {
+      // Update state only if the new token is different or currently logged out
+      if (currentAuthState.type !== AuthStateType.LOGGED_IN || currentAuthState.token !== token) {
+        logger.info('Setting auth token')
+        const currentUser =
+          currentAuthState.type === AuthStateType.LOGGED_IN ? currentAuthState.currentUser : null
+        const preservedLastTokenRefresh =
+          currentAuthState.type === AuthStateType.LOGGED_IN
+            ? currentAuthState.lastTokenRefresh
+            : undefined
+        state.set('setToken', {
+          authState: createLoggedInAuthState(token, currentUser, preservedLastTokenRefresh),
+        })
+      }
+    } else {
+      // Handle setting token to null (logging out)
+      if (currentAuthState.type !== AuthStateType.LOGGED_OUT) {
+        logger.info('Clearing auth token')
+        state.set('setToken', {
+          authState: {type: AuthStateType.LOGGED_OUT, isDestroyingSession: false},
+        })
+      }
     }
-  }
-})
+  },
+)

package/src/auth/handleAuthCallback.test.ts

@@ -1,5 +1,5 @@
 import {NEVER} from 'rxjs'
-import {beforeEach, describe, it} from 'vitest'
+import {beforeEach, describe, expect, it, vi} from 'vitest'
 
 import {createSanityInstance, type SanityInstance} from '../store/createSanityInstance'
 import {AuthStateType} from './authStateType'
@@ -22,6 +22,25 @@ vi.mock('./utils', async (importOriginal) => {
 vi.mock('./subscribeToStateAndFetchCurrentUser')
 vi.mock('./subscribeToStorageEventsAndSetToken')
 
+// Mock logger to prevent actual logging during tests
+vi.mock('../utils/logger', async (importOriginal) => {
+  const original = await importOriginal<typeof import('../utils/logger')>()
+  return {
+    ...original,
+    createLogger: vi.fn(() => ({
+      info: vi.fn(),
+      debug: vi.fn(),
+      warn: vi.fn(),
+      error: vi.fn(),
+      trace: vi.fn(),
+    })),
+  }
+})
+
+// Import createLogger after mocking
+// eslint-disable-next-line import/first
+import {createLogger} from '../utils/logger'
+
 let instance: SanityInstance | undefined
 
 describe('handleCallback', () => {
@@ -254,5 +273,8 @@ describe('handleCallback', () => {
     })
     expect(clientFactory).not.toHaveBeenCalled()
     expect(setItem).not.toHaveBeenCalled()
+
+    // Verify logger was called
+    expect(createLogger).toHaveBeenCalled()
   })
 })

package/src/auth/handleAuthCallback.ts

@@ -1,5 +1,6 @@
 import {bindActionGlobally} from '../store/createActionBinder'
 import {DEFAULT_API_VERSION, REQUEST_TAG_PREFIX} from './authConstants'
+import {getAuthLogger} from './authLogger'
 import {AuthStateType} from './authStateType'
 import {authStore, type AuthStoreState, type DashboardContext} from './authStore'
 import {
@@ -15,16 +16,24 @@ import {
  */
 export const handleAuthCallback = bindActionGlobally(
   authStore,
-  async ({state}, locationHref: string = getDefaultLocation()) => {
+  async ({state, instance}, locationHref: string = getDefaultLocation()) => {
+    const logger = getAuthLogger(instance)
+
     const {providedToken, callbackUrl, clientFactory, apiHost, storageArea, storageKey} =
       state.get().options
 
     // If a token is provided, no need to handle callback
-    if (providedToken) return false
+    if (providedToken) {
+      logger.debug('Skipping auth callback - token already provided')
+      return false
+    }
 
     // Don't handle the callback if already in flight.
     const {authState} = state.get()
-    if (authState.type === AuthStateType.LOGGING_IN && authState.isExchangingToken) return false
+    if (authState.type === AuthStateType.LOGGING_IN && authState.isExchangingToken) {
+      logger.debug('Skipping auth callback - token exchange already in progress')
+      return false
+    }
 
     // Prepare the cleaned-up URL early. It will be returned on both success and error if an authCode/token was processed.
     const cleanedUrl = getCleanedUrl(locationHref)
@@ -32,6 +41,7 @@ export const handleAuthCallback = bindActionGlobally(
     // Check if there is a token in the is in the Dashboard iframe url hash
     const tokenFromUrl = getTokenFromLocation(locationHref)
     if (tokenFromUrl) {
+      logger.info('Auth token found in URL, logging in')
       state.set('setTokenFromUrl', {
         authState: createLoggedInAuthState(tokenFromUrl, null),
       })
@@ -40,7 +50,10 @@ export const handleAuthCallback = bindActionGlobally(
 
     // If there is no matching `authCode` then we can't handle the callback
     const authCode = getAuthCode(callbackUrl, locationHref)
-    if (!authCode) return false
+    if (!authCode) {
+      logger.debug('No auth code found in callback URL')
+      return false
+    }
 
     // Get the SanityOS dashboard context from the url
     const parsedUrl = new URL(locationHref)
@@ -52,15 +65,18 @@ export const handleAuthCallback = bindActionGlobally(
         if (parsedContext && typeof parsedContext === 'object') {
           delete parsedContext.sid
           dashboardContext = parsedContext
+          logger.debug('Dashboard context parsed from callback URL', {
+            hasDashboardContext: true,
+          })
         }
       }
     } catch (err) {
       // If JSON parsing fails, use empty context
-      // eslint-disable-next-line no-console
-      console.error('Failed to parse dashboard context:', err)
+      logger.warn('Failed to parse dashboard context from callback URL', {error: err})
     }
 
     // Otherwise, start the exchange
+    logger.info('Exchanging auth code for token')
     state.set('exchangeSessionForToken', {
       authState: {type: AuthStateType.LOGGING_IN, isExchangingToken: true},
       dashboardContext,
@@ -75,6 +91,7 @@ export const handleAuthCallback = bindActionGlobally(
         ...(apiHost && {apiHost}),
       })
 
+      logger.debug('Fetching token from auth endpoint')
       const {token} = await client.request<{token: string; label: string}>({
         method: 'GET',
         uri: '/auth/fetch',
@@ -82,11 +99,13 @@ export const handleAuthCallback = bindActionGlobally(
         tag: 'fetch-token',
       })
 
+      logger.info('Auth token obtained successfully, user logged in')
       storageArea?.setItem(storageKey, JSON.stringify({token}))
       state.set('setToken', {authState: createLoggedInAuthState(token, null)})
 
       return cleanedUrl
     } catch (error) {
+      logger.error('Failed to exchange auth code for token', {error})
       state.set('exchangeSessionForTokenError', {authState: {type: AuthStateType.ERROR, error}})
       return cleanedUrl
     }

package/src/auth/logout.test.ts

@@ -1,5 +1,5 @@
 import {NEVER} from 'rxjs'
-import {describe, it} from 'vitest'
+import {describe, expect, it, vi} from 'vitest'
 
 import {createSanityInstance, type SanityInstance} from '../store/createSanityInstance'
 import {AuthStateType} from './authStateType'
@@ -17,9 +17,25 @@ vi.mock('./utils', async (importOriginal) => {
 vi.mock('./subscribeToStateAndFetchCurrentUser')
 vi.mock('./subscribeToStorageEventsAndSetToken')
 
+// Mock logger to prevent actual logging during tests
+vi.mock('../utils/logger', async (importOriginal) => {
+  const original = await importOriginal<typeof import('../utils/logger')>()
+  return {
+    ...original,
+    createLogger: vi.fn(() => ({
+      info: vi.fn(),
+      debug: vi.fn(),
+      warn: vi.fn(),
+      error: vi.fn(),
+      trace: vi.fn(),
+    })),
+  }
+})
+
 let instance: SanityInstance | undefined
 
 beforeEach(() => {
+  vi.clearAllMocks()
   vi.mocked(subscribeToStateAndFetchCurrentUser).mockImplementation(() => NEVER.subscribe())
   vi.mocked(subscribeToStorageEventsAndSetToken).mockImplementation(() => NEVER.subscribe())
 })
@@ -121,4 +137,55 @@ describe('logout', () => {
     await originalLogout
     expect(removeItem).toHaveBeenCalledTimes(2)
   })
+
+  it('handles logout when already logged out', async () => {
+    vi.mocked(getTokenFromStorage).mockReturnValue(null)
+    const mockRequest = vi.fn()
+    const clientFactory = vi.fn().mockReturnValue({request: mockRequest})
+    const removeItem = vi.fn() as Storage['removeItem']
+
+    instance = createSanityInstance({
+      projectId: 'p',
+      dataset: 'd',
+      auth: {
+        clientFactory,
+        storageArea: {removeItem} as Storage,
+      },
+    })
+
+    const authState = getAuthState(instance)
+    expect(authState.getCurrent()).toMatchObject({type: AuthStateType.LOGGED_OUT})
+
+    await logout(instance)
+
+    // Should not make API call when already logged out
+    expect(clientFactory).not.toHaveBeenCalled()
+    expect(mockRequest).not.toHaveBeenCalled()
+
+    // Should still clean up storage
+    expect(removeItem).toHaveBeenCalledWith('__sanity_auth_token')
+  })
+
+  it('cleans up storage even if logout request fails', async () => {
+    vi.mocked(getTokenFromStorage).mockReturnValue('token')
+    const error = new Error('Logout request failed')
+    const mockRequest = vi.fn().mockRejectedValue(error)
+    const clientFactory = vi.fn().mockReturnValue({request: mockRequest})
+    const removeItem = vi.fn() as Storage['removeItem']
+
+    instance = createSanityInstance({
+      projectId: 'p',
+      dataset: 'd',
+      auth: {
+        clientFactory,
+        storageArea: {removeItem} as Storage,
+      },
+    })
+
+    // logout rejects when the request fails, matching the pre-logging behavior
+    await expect(logout(instance)).rejects.toThrow('Logout request failed')
+
+    // Should still clean up storage even on error
+    expect(removeItem).toHaveBeenCalledWith('__sanity_auth_token')
+  })
 })

package/src/auth/logout.ts

@@ -1,25 +1,35 @@
 import {bindActionGlobally} from '../store/createActionBinder'
 import {DEFAULT_API_VERSION, REQUEST_TAG_PREFIX} from './authConstants'
+import {getAuthLogger} from './authLogger'
 import {AuthStateType} from './authStateType'
 import {authStore} from './authStore'
 
 /**
  * @public
  */
-export const logout = bindActionGlobally(authStore, async ({state}) => {
+export const logout = bindActionGlobally(authStore, async ({state, instance}) => {
+  const logger = getAuthLogger(instance)
+
   const {clientFactory, apiHost, providedToken, storageArea, storageKey} = state.get().options
 
   // If a token is statically provided, logout does nothing
-  if (providedToken) return
+  if (providedToken) {
+    logger.debug('Skipping logout - token is statically provided')
+    return
+  }
 
   const {authState} = state.get()
 
   // If we already have an inflight request, no-op
-  if (authState.type === AuthStateType.LOGGED_OUT && authState.isDestroyingSession) return
+  if (authState.type === AuthStateType.LOGGED_OUT && authState.isDestroyingSession) {
+    logger.debug('Skipping logout - already in progress')
+    return
+  }
   const token = authState.type === AuthStateType.LOGGED_IN && authState.token
 
   try {
     if (token) {
+      logger.info('Logging out user')
       state.set('loggingOut', {
         authState: {type: AuthStateType.LOGGED_OUT, isDestroyingSession: true},
       })
@@ -33,9 +43,18 @@ export const logout = bindActionGlobally(authStore, async ({state}) => {
         useCdn: false,
       })
 
+      logger.debug('Calling logout endpoint')
       await client.request<void>({uri: '/auth/logout', method: 'POST', tag: 'logout'})
+    } else {
+      logger.debug('No token to logout - already logged out')
     }
+  } catch (error) {
+    // Re-throw to preserve the existing contract: logout rejects when the
+    // request fails. Local state is still cleared in the finally block.
+    logger.error('Logout request failed', {error})
+    throw error
   } finally {
+    logger.info('User logged out, clearing stored tokens')
     state.set('logoutSuccess', {
       authState: {type: AuthStateType.LOGGED_OUT, isDestroyingSession: false},
     })

package/src/auth/refreshStampedToken.test.ts

@@ -15,6 +15,21 @@ import {
 } from './refreshStampedToken'
 import {createLoggedInAuthState} from './utils'
 
+// Mock logger to prevent actual logging during tests
+vi.mock('../utils/logger', async (importOriginal) => {
+  const original = await importOriginal<typeof import('../utils/logger')>()
+  return {
+    ...original,
+    createLogger: vi.fn(() => ({
+      info: vi.fn(),
+      debug: vi.fn(),
+      warn: vi.fn(),
+      error: vi.fn(),
+      trace: vi.fn(),
+    })),
+  }
+})
+
 // Type definitions for Web Locks (can be kept if needed for context)
 // ... (Lock, LockOptions, LockGrantedCallback types)