@snackbase/sdk 0.1.1 → 0.3.0

package/dist/index.mjs

@@ -36,8 +36,11 @@ var SnackBaseError = class SnackBaseError extends Error {
 	details;
 	field;
 	retryable;
-	constructor(message, code, status, details, retryable = false, field) {
+	constructor(message, code, status, details, retryable = false, field, redirectUrl, authProvider, providerName) {
 		super(message);
+		this.redirectUrl = redirectUrl;
+		this.authProvider = authProvider;
+		this.providerName = providerName;
 		this.name = this.constructor.name;
 		this.code = code;
 		this.status = status;
@@ -66,6 +69,30 @@ var AuthorizationError = class AuthorizationError extends SnackBaseError {
 	}
 };
 /**
+* Thrown when an API key is restricted to superadmin users (403).
+*/
+var ApiKeyRestrictedError = class ApiKeyRestrictedError extends SnackBaseError {
+	constructor(message, details) {
+		super(message || "API keys are restricted to superadmin users. Please use JWT authentication.", "API_KEY_RESTRICTED", 403, details || {
+			suggestion: "Remove apiKey config and use login() instead",
+			documentation: "https://docs.snackbase.com/authentication/api-keys"
+		}, false);
+		Object.setPrototypeOf(this, ApiKeyRestrictedError.prototype);
+	}
+};
+/**
+* Thrown when email verification is required (401).
+*/
+var EmailVerificationRequiredError = class EmailVerificationRequiredError extends SnackBaseError {
+	constructor(message, details) {
+		super(message || "Please check your email inbox to verify your account before logging in.", "EMAIL_VERIFICATION_REQUIRED", 401, details || {
+			suggestion: "Click the verification link sent to your email address",
+			canResend: true
+		}, false);
+		Object.setPrototypeOf(this, EmailVerificationRequiredError.prototype);
+	}
+};
+/**
 * Thrown when a resource is not found (404).
 */
 var NotFoundError = class NotFoundError extends SnackBaseError {
@@ -319,9 +346,9 @@ var Logger = class {
 	constructor(level = LogLevel.NONE) {
 		this.level = level;
 		this.handlers.push((entry) => {
-			const { level: level$1, message, data } = entry;
+			const { level, message, data } = entry;
 			const args = data ? [message, data] : [message];
-			switch (level$1) {
+			switch (level) {
 				case LogLevel.ERROR:
 					console.error("[SnackBase]", ...args);
 					break;
@@ -389,7 +416,9 @@ const contentTypeInterceptor = (request) => {
 const createAuthInterceptor = (getToken, apiKey) => {
 	return (request) => {
 		const isUserSpecific = request.url.includes("/auth/oauth/") || request.url.includes("/auth/saml/");
-		if (apiKey && !isUserSpecific) request.headers["X-API-Key"] = apiKey;
+		if (apiKey && !isUserSpecific) {
+			if (!(request.url.includes("/auth/login") || request.url.includes("/auth/register"))) request.headers["X-API-Key"] = apiKey;
+		}
 		const token = getToken();
 		if (token) request.headers["Authorization"] = `Bearer ${token}`;
 		return request;
@@ -433,6 +462,51 @@ function createErrorFromResponse(response) {
 			return new SnackBaseError(message, "UNKNOWN_ERROR", status, data, false);
 	}
 }
+/**
+* Enhanced error interceptor to handle 403 API key errors and preserve redirects.
+*/
+const createAuthErrorInterceptor = (onAuthError) => {
+	return (error) => {
+		if (error.status === 403 && error.details) {
+			const detail = error.details.detail || error.details.message || "";
+			if (detail.includes("superadmin") || detail.includes("restricted")) {
+				const restrictedError = new ApiKeyRestrictedError(detail, error.details);
+				if (onAuthError) onAuthError(restrictedError);
+				throw restrictedError;
+			}
+		}
+		if (error.status === 403 && error.details?.redirect_url) {
+			error.redirectUrl = error.details.redirect_url;
+			error.authProvider = error.details.auth_provider;
+			error.providerName = error.details.provider_name;
+		}
+		if (error.status === 401 && error.details) {
+			const detail = error.details.detail || error.details.message || "";
+			if (detail.includes("verify") || detail.includes("email")) {
+				const verificationError = new EmailVerificationRequiredError(detail, error.details);
+				if (onAuthError) onAuthError(verificationError);
+				throw verificationError;
+			}
+		}
+		if (error.status === 401 || error.status === 403) {
+			if (onAuthError) onAuthError(error);
+		}
+		throw error;
+	};
+};
+
+//#endregion
+//#region src/types/auth.ts
+/**
+* Token type enum matching backend TokenType
+*/
+let TokenType = /* @__PURE__ */ function(TokenType) {
+	TokenType["JWT"] = "jwt";
+	TokenType["API_KEY"] = "api_key";
+	TokenType["PERSONAL_TOKEN"] = "personal_token";
+	TokenType["OAUTH"] = "oauth";
+	return TokenType;
+}({});
 
 //#endregion
 //#region src/core/events.ts
@@ -453,6 +527,74 @@ var AuthEventEmitter = class {
 	}
 };
 
+//#endregion
+//#region src/core/constants.ts
+/**
+* System account ID for superadmin detection
+* Nil UUID format used by backend
+* @see https://github.com/snackbase/snackbase/blob/main/src/snackbase/infrastructure/api/middleware/authorization.py
+*/
+const SYSTEM_ACCOUNT_ID = "00000000-0000-0000-0000-000000000000";
+/**
+* Token type prefixes matching backend TokenCodec
+*/
+const TOKEN_PREFIXES = {
+	JWT: "sb_jwt",
+	API_KEY: "sb_ak",
+	PERSONAL_TOKEN: "sb_pt",
+	OAUTH: "sb_ot"
+};
+/**
+* Valid token prefixes for validation
+*/
+const VALID_TOKEN_PREFIXES = new Set(Object.values(TOKEN_PREFIXES));
+/**
+* API key endpoint path
+*/
+const API_KEY_BASE_PATH = "/api/v1/admin/api-keys";
+
+//#endregion
+//#region src/utils/token-utils.ts
+/**
+* Detect token type from token string
+* @param token - The token to analyze
+* @returns Detected token type or undefined
+*/
+function detectTokenType(token) {
+	if (!token) return void 0;
+	switch (token.split(".")[0]) {
+		case TOKEN_PREFIXES.API_KEY: return TokenType.API_KEY;
+		case TOKEN_PREFIXES.PERSONAL_TOKEN: return TokenType.PERSONAL_TOKEN;
+		case TOKEN_PREFIXES.OAUTH: return TokenType.OAUTH;
+		case TOKEN_PREFIXES.JWT: return TokenType.JWT;
+		default: return token.startsWith("ey") ? TokenType.JWT : void 0;
+	}
+}
+/**
+* Check if user is a superadmin
+* @param user - User object to check
+* @returns true if user is superadmin
+*/
+function isSuperadmin(user) {
+	if (!user) return false;
+	return user.account_id === SYSTEM_ACCOUNT_ID;
+}
+/**
+* Format masked API key for display
+* @param key - The full or masked key
+* @returns Formatted masked key
+*/
+function formatMaskedKey(key) {
+	if (!key) return "";
+	if (key.includes("...")) return key;
+	const parts = key.split(".");
+	if (parts.length === 3) {
+		const [, payload, signature] = parts;
+		return `${parts[0]}.${payload.slice(0, 4)}...${signature.slice(-4)}`;
+	}
+	return key;
+}
+
 //#endregion
 //#region src/core/auth.ts
 const DEFAULT_AUTH_STATE = {
@@ -461,7 +603,8 @@ const DEFAULT_AUTH_STATE = {
 	token: null,
 	refreshToken: null,
 	isAuthenticated: false,
-	expiresAt: null
+	expiresAt: null,
+	tokenType: TokenType.JWT
 };
 var AuthManager = class {
 	state = { ...DEFAULT_AUTH_STATE };
@@ -495,6 +638,76 @@ var AuthManager = class {
 	get isAuthenticated() {
 		return this.state.isAuthenticated;
 	}
+	get tokenType() {
+		return this.state.tokenType;
+	}
+	/**
+	* Update auth state (enhanced to extract token_type)
+	*/
+	async updateState(data) {
+		const user = data.user || (data.user_id ? {
+			id: data.user_id,
+			email: data.email || "",
+			role: data.role || "user",
+			account_id: data.account_id || "",
+			groups: [],
+			is_active: true,
+			created_at: "",
+			last_login: null,
+			token_type: TokenType.JWT
+		} : null);
+		const token = data.token || null;
+		const refreshToken = data.refresh_token || data.refreshToken || null;
+		let tokenType = TokenType.JWT;
+		if (token) tokenType = detectTokenType(token) || TokenType.JWT;
+		else if (user?.token_type) tokenType = user.token_type;
+		this.state = {
+			...this.state,
+			user,
+			account: data.account || (data.account_id ? {
+				id: data.account_id,
+				slug: "",
+				name: "",
+				created_at: ""
+			} : this.state.account),
+			token: token || this.state.token,
+			refreshToken: refreshToken || this.state.refreshToken,
+			isAuthenticated: !!((token || this.state.token) && user),
+			expiresAt: this.calculateExpiry(data) || this.state.expiresAt,
+			tokenType
+		};
+		await this.persist();
+		if (token || user) this.events.emit("auth:login", this.state);
+	}
+	/**
+	* Check if current user is superadmin
+	*/
+	isSuperadmin() {
+		return isSuperadmin(this.state.user);
+	}
+	/**
+	* Check if current session uses API key authentication
+	*/
+	isApiKeySession() {
+		return this.state.tokenType === TokenType.API_KEY;
+	}
+	/**
+	* Check if current session uses personal token authentication
+	*/
+	isPersonalTokenSession() {
+		return this.state.tokenType === TokenType.PERSONAL_TOKEN;
+	}
+	/**
+	* Check if current session uses OAuth authentication
+	*/
+	isOAuthSession() {
+		return this.state.tokenType === TokenType.OAUTH;
+	}
+	calculateExpiry(data) {
+		if (data.expiresAt) return data.expiresAt;
+		if (data.expires_in) return new Date(Date.now() + data.expires_in * 1e3).toISOString();
+		return null;
+	}
 	async setState(newState) {
 		this.state = {
 			...this.state,
@@ -568,13 +781,8 @@ var AuthService = class {
 		const data = { ...credentials };
 		if (!data.account && this.defaultAccount) data.account = this.defaultAccount;
 		const authData = (await this.http.post("/api/v1/auth/login", data)).data;
-		await this.auth.setState({
-			user: authData.user,
-			account: authData.account,
-			token: authData.token,
-			refreshToken: authData.refreshToken,
-			expiresAt: authData.expiresAt
-		});
+		console.log("Login Response:", JSON.stringify(authData, null, 2));
+		await this.auth.updateState(authData);
 		return authData;
 	}
 	/**
@@ -582,7 +790,7 @@ var AuthService = class {
 	*/
 	async register(data) {
 		const payload = { ...data };
-		if (!payload.accountName && this.defaultAccount) payload.accountName = this.defaultAccount;
+		if (!payload.account_name && this.defaultAccount) payload.account_name = this.defaultAccount;
 		return (await this.http.post("/api/v1/auth/register", payload)).data;
 	}
 	/**
@@ -591,14 +799,8 @@ var AuthService = class {
 	async refreshToken() {
 		const refreshToken = this.auth.refreshToken;
 		if (!refreshToken) throw new Error("No refresh token available");
-		const authData = (await this.http.post("/api/v1/auth/refresh", { refreshToken })).data;
-		await this.auth.setState({
-			user: authData.user,
-			account: authData.account,
-			token: authData.token,
-			refreshToken: authData.refreshToken,
-			expiresAt: authData.expiresAt
-		});
+		const authData = (await this.http.post("/api/v1/auth/refresh", { refresh_token: refreshToken })).data;
+		await this.auth.updateState(authData);
 		return authData;
 	}
 	/**
@@ -617,10 +819,8 @@ var AuthService = class {
 	*/
 	async getCurrentUser() {
 		const authData = (await this.http.get("/api/v1/auth/me")).data;
-		await this.auth.setState({
-			user: authData.user,
-			account: authData.account
-		});
+		console.log("GetMe Response:", JSON.stringify(authData, null, 2));
+		await this.auth.updateState(authData);
 		return authData;
 	}
 	/**
@@ -694,13 +894,7 @@ var AuthService = class {
 			redirectUri,
 			state
 		})).data;
-		await this.auth.setState({
-			user: authData.user,
-			account: authData.account,
-			token: authData.token,
-			refreshToken: authData.refreshToken,
-			expiresAt: authData.expiresAt
-		});
+		await this.auth.updateState(authData);
 		return authData;
 	}
 	/**
@@ -719,13 +913,7 @@ var AuthService = class {
 	*/
 	async handleSAMLCallback(params) {
 		const authData = (await this.http.post("/api/v1/auth/saml/acs", params)).data;
-		await this.auth.setState({
-			user: authData.user,
-			account: authData.account,
-			token: authData.token,
-			refreshToken: authData.refreshToken,
-			expiresAt: authData.expiresAt
-		});
+		await this.auth.updateState(authData);
 		return authData;
 	}
 	/**
@@ -907,6 +1095,62 @@ var CollectionService = class {
 		await this.http.delete(`/api/v1/collections/${collectionId}`);
 		return { success: true };
 	}
+	/**
+	* Export collections to JSON format.
+	* Returns collection schemas and rules for backup or migration.
+	*
+	* @param params Optional filter by collection IDs
+	* @returns Complete export data structure with collections, schemas, and rules
+	* @throws {AuthorizationError} If user is not a superadmin
+	*
+	* @example
+	* // Export all collections
+	* const exportData = await client.collections.export();
+	*
+	* @example
+	* // Export specific collections
+	* const exportData = await client.collections.export({
+	*   collection_ids: ['col-123', 'col-456']
+	* });
+	*/
+	async export(params) {
+		const queryParams = {};
+		if (params?.collection_ids && params.collection_ids.length > 0) queryParams.collection_ids = params.collection_ids.join(",");
+		return (await this.http.get("/api/v1/collections/export", { params: queryParams })).data;
+	}
+	/**
+	* Import collections from JSON export.
+	*
+	* @param request Import request with data and conflict strategy
+	* @returns Import result with per-collection status and migration IDs
+	* @throws {ValidationError} If import data is invalid
+	* @throws {ConflictError} If collection exists and strategy is 'error'
+	* @throws {AuthorizationError} If user is not a superadmin
+	*
+	* @example
+	* // Import with error strategy (fail on conflicts)
+	* const result = await client.collections.import({
+	*   data: exportData,
+	*   strategy: 'error'
+	* });
+	*
+	* @example
+	* // Import with skip strategy (skip existing collections)
+	* const result = await client.collections.import({
+	*   data: exportData,
+	*   strategy: 'skip'
+	* });
+	*
+	* @example
+	* // Import with update strategy (update existing collections)
+	* const result = await client.collections.import({
+	*   data: exportData,
+	*   strategy: 'update'
+	* });
+	*/
+	async import(request) {
+		return (await this.http.post("/api/v1/collections/import", request)).data;
+	}
 };
 
 //#endregion
@@ -1090,7 +1334,14 @@ var RecordService = class {
 			if (params.sort !== void 0) formattedParams.sort = params.sort;
 			if (params.fields) formattedParams.fields = Array.isArray(params.fields) ? params.fields.join(",") : params.fields;
 			if (params.expand) formattedParams.expand = Array.isArray(params.expand) ? params.expand.join(",") : params.expand;
-			if (params.filter) formattedParams.filter = typeof params.filter === "string" ? params.filter : JSON.stringify(params.filter);
+			if (params.filter) {
+				const filterStr = typeof params.filter === "string" ? params.filter : JSON.stringify(params.filter);
+				const match = filterStr.match(/^\(?\s*(\w+)\s*=\s*(["']?)([^"'\)]+)\2\s*\)?$/);
+				if (match) {
+					const [, key, , value] = match;
+					formattedParams[key] = value;
+				} else formattedParams.filter = filterStr;
+			}
 		}
 		return (await this.http.get(`/api/v1/records/${collection}`, { params: formattedParams })).data;
 	}
@@ -1276,33 +1527,34 @@ var ApiKeyService = class {
 		this.http = http;
 	}
 	/**
-	* List all API keys for the current user.
-	* Keys are masked except for the last 4 characters.
+	* List all API keys
+	* GET /api/v1/admin/api-keys
 	*/
-	async list() {
-		return (await this.http.get("/api/v1/admin/api-keys")).data;
+	async list(params) {
+		return (await this.http.get(API_KEY_BASE_PATH, { params })).data;
 	}
 	/**
-	* Get details for a specific API key.
-	* The key itself is masked.
+	* Get specific API key
+	* GET /api/v1/admin/api-keys/{id}
 	*/
 	async get(keyId) {
-		return (await this.http.get(`/api/v1/admin/api-keys/${keyId}`)).data;
+		return (await this.http.get(`${API_KEY_BASE_PATH}/${encodeURIComponent(keyId)}`)).data;
 	}
 	/**
-	* Create a new API key.
-	* The response includes the full key, which is shown only once.
+	* Create a new API key
+	* POST /api/v1/admin/api-keys
 	*/
 	async create(data) {
-		return (await this.http.post("/api/v1/admin/api-keys", data)).data;
+		const apiKey = (await this.http.post(API_KEY_BASE_PATH, data)).data;
+		if (apiKey.key && !apiKey.masked_key) apiKey.masked_key = formatMaskedKey(apiKey.key);
+		return apiKey;
 	}
 	/**
-	* Revoke an existing API key.
-	* Once revoked, the key can no longer be used.
+	* Revoke an API key
+	* DELETE /api/v1/admin/api-keys/{id}
 	*/
 	async revoke(keyId) {
-		await this.http.delete(`/api/v1/admin/api-keys/${keyId}`);
-		return { success: true };
+		return (await this.http.delete(`${API_KEY_BASE_PATH}/${encodeURIComponent(keyId)}`)).data;
 	}
 };
 
@@ -1325,7 +1577,25 @@ var AuditLogService = class {
 		return (await this.httpClient.get(`/api/v1/audit-logs/${logId}`)).data;
 	}
 	/**
-	* Exports audit logs in the specified format.
+	* Exports audit logs in the specified format (JSON, CSV, or PDF).
+	*
+	* @param params Optional filters (account_id, table_name, operation, date range, etc.)
+	* @param format Export format: 'json', 'csv', or 'pdf' (default: 'json')
+	* @returns Exported data as string (base64-encoded for PDF format)
+	* @throws {AuthorizationError} If user is not a superadmin
+	*
+	* @example
+	* // Export as JSON
+	* const jsonData = await client.auditLogs.export({ table_name: 'users' }, 'json');
+	*
+	* @example
+	* // Export as CSV
+	* const csvData = await client.auditLogs.export({ table_name: 'users' }, 'csv');
+	*
+	* @example
+	* // Export as PDF
+	* const pdfBase64 = await client.auditLogs.export({ table_name: 'users' }, 'pdf');
+	* // pdfBase64 is a base64-encoded PDF string
 	*/
 	async export(params, format = "json") {
 		return (await this.httpClient.get("/api/v1/audit-logs/export", { params: {
@@ -2278,6 +2548,7 @@ var SnackBaseClient = class {
 		this.http.addRequestInterceptor(contentTypeInterceptor);
 		this.http.addRequestInterceptor(createAuthInterceptor(() => this.authManager.token || void 0, this.config.apiKey));
 		this.http.addResponseInterceptor(errorNormalizationInterceptor);
+		this.http.addErrorInterceptor(createAuthErrorInterceptor(this.config.onAuthError));
 		this.http.addErrorInterceptor(errorInterceptor);
 	}
 	/**
@@ -2299,6 +2570,36 @@ var SnackBaseClient = class {
 		return this.authManager.isAuthenticated;
 	}
 	/**
+	* Check if current user is superadmin.
+	*/
+	get isSuperadmin() {
+		return this.authManager.isSuperadmin();
+	}
+	/**
+	* Check if current session uses API key authentication.
+	*/
+	get isApiKeySession() {
+		return this.authManager.isApiKeySession();
+	}
+	/**
+	* Check if current session uses personal token authentication.
+	*/
+	get isPersonalTokenSession() {
+		return this.authManager.isPersonalTokenSession();
+	}
+	/**
+	* Check if current session uses OAuth authentication.
+	*/
+	get isOAuthSession() {
+		return this.authManager.isOAuthSession();
+	}
+	/**
+	* Returns the current token type.
+	*/
+	get tokenType() {
+		return this.authManager.tokenType;
+	}
+	/**
 	* Access to authentication methods.
 	*/
 	get auth() {
@@ -2513,4 +2814,4 @@ var SnackBaseClient = class {
 };
 
 //#endregion
-export { DEFAULT_CONFIG, QueryBuilder, SnackBaseClient, getAutoDetectedStorage };
+export { ApiKeyRestrictedError, AuthenticationError, AuthorizationError, ConflictError, DEFAULT_CONFIG, EmailVerificationRequiredError, NetworkError, NotFoundError, QueryBuilder, RateLimitError, ServerError, SnackBaseClient, SnackBaseError, TimeoutError, TokenType, ValidationError, getAutoDetectedStorage };

package/package.json

@@ -1,48 +1,43 @@
 {
   "name": "@snackbase/sdk",
-  "version": "0.1.1",
-  "description": "JavaScript/TypeScript SDK for SnackBase",
+  "version": "0.3.0",
+  "description": "Core SDK for SnackBase",
+  "main": "./dist/index.cjs",
+  "module": "./dist/index.mjs",
+  "types": "./dist/index.d.cts",
   "exports": {
     ".": {
-      "import": "./dist/index.mjs",
-      "require": "./dist/index.js",
-      "types": "./dist/index.d.ts"
-    },
-    "./react": {
-      "import": "./dist/react/index.mjs",
-      "require": "./dist/react/index.js",
-      "types": "./dist/react/index.d.ts"
+      "import": {
+        "types": "./dist/index.d.mts",
+        "default": "./dist/index.mjs"
+      },
+      "require": {
+        "types": "./dist/index.d.cts",
+        "default": "./dist/index.cjs"
+      }
     }
   },
+  "files": [
+    "dist"
+  ],
+  "keywords": [
+    "snackbase",
+    "sdk",
+    "database"
+  ],
+  "author": "SnackBase Team",
+  "license": "MIT",
+  "publishConfig": {
+    "access": "public"
+  },
+  "devDependencies": {
+    "@snackbase/tsconfig": "0.1.0"
+  },
   "scripts": {
-    "dev": "tsdown src/index.ts src/react/index.ts --watch",
-    "build": "tsdown src/index.ts src/react/index.ts",
+    "dev": "tsdown src/index.ts --format esm,cjs --watch",
+    "build": "tsdown src/index.ts --format esm,cjs --dts",
     "test": "vitest run",
-    "test:watch": "vitest",
-    "test:integration": "vitest run --config vitest.integration.config.ts",
-    "test:coverage": "vitest run --coverage",
     "typecheck": "tsc --noEmit",
-    "lint": "eslint src --ext .ts,.tsx",
-    "prepublishOnly": "npm run build && npm run test"
-  },
-  "peerDependencies": {
-    "react": "^18.0.0 || ^19.0.0"
-  },
-  "peerDependenciesMeta": {
-    "react": {
-      "optional": true
-    }
-  },
-  "devDependencies": {
-    "@testing-library/jest-dom": "^6.9.1",
-    "@testing-library/react": "^16.3.2",
-    "@vitejs/plugin-react": "^5.1.2",
-    "jsdom": "^27.4.0",
-    "react": "^18.2.0",
-    "react-dom": "^18.2.0",
-    "tsdown": "^0.20.0-beta.4",
-    "typescript": "^5.3.3",
-    "vite": "^7.3.1",
-    "vitest": "^1.2.1"
+    "clean": "rm -rf dist"
   }
-}
+}