npm - @stackframe/js - Versions diffs - 2.8.48 → 2.8.51 - Mend

@stackframe/js 2.8.48 → 2.8.51

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (32) hide show

package/dist/esm/lib/stack-app/apps/implementations/client-app-impl.js CHANGED Viewed

@@ -2,6 +2,7 @@
 import { WebAuthnError, startAuthentication, startRegistration } from "@simplewebauthn/browser";
 import { KnownErrors, StackClientInterface } from "@stackframe/stack-shared";
 import { InternalSession } from "@stackframe/stack-shared/dist/sessions";
+import { encodeBase32 } from "@stackframe/stack-shared/dist/utils/bytes";
 import { isBrowserLike } from "@stackframe/stack-shared/dist/utils/env";
 import { StackAssertionError, captureError, throwErr } from "@stackframe/stack-shared/dist/utils/errors";
 import { DependenciesMap } from "@stackframe/stack-shared/dist/utils/maps";
@@ -15,7 +16,7 @@ import { generateUuid } from "@stackframe/stack-shared/dist/utils/uuids";
 import * as cookie from "cookie";
 import { constructRedirectUrl } from "../../../../utils/url.js";
 import { addNewOAuthProviderOrScope, callOAuthCallback, signInWithOAuth } from "../../../auth.js";
-import { createCookieHelper, createPlaceholderCookieHelper, deleteCookieClient, getCookieClient, setOrDeleteCookie, setOrDeleteCookieClient } from "../../../cookie.js";
+import { createCookieHelper, createPlaceholderCookieHelper, deleteCookieClient, isSecure as isSecureCookieContext, setOrDeleteCookie, setOrDeleteCookieClient } from "../../../cookie.js";
 import { apiKeyCreationOptionsToCrud } from "../../api-keys/index.js";
 import { stackAppInternalsSymbol } from "../../common.js";
 import { contactChannelCreateOptionsToCrud, contactChannelUpdateOptionsToCrud } from "../../contact-channels/index.js";
@@ -23,6 +24,7 @@ import { adminProjectCreateOptionsToCrud } from "../../projects/index.js";
 import { teamCreateOptionsToCrud, teamUpdateOptionsToCrud } from "../../teams/index.js";
 import { attachUserDestructureGuard, userUpdateOptionsToCrud } from "../../users/index.js";
 import { clientVersion, createCache, createCacheBySession, createEmptyTokenStore, getBaseUrl, getDefaultExtraRequestHeaders, getDefaultProjectId, getDefaultPublishableClientKey, getUrls, resolveConstructorOptions } from "./common.js";
+import { parseJson } from "@stackframe/stack-shared/dist/utils/json";
 var isReactServer = false;
 var process = globalThis.process ?? { env: {} };
 var allClientApps = /* @__PURE__ */ new Map();
@@ -171,11 +173,15 @@ var __StackClientAppImplIncomplete = class __StackClientAppImplIncomplete {
     this._convexPartialUserCache = createCache(
       async ([ctx]) => await this._getPartialUserFromConvex(ctx)
     );
+    this._trustedParentDomainCache = createCache(
+      async ([domain]) => await this._getTrustedParentDomain(domain)
+    );
     this._anonymousSignUpInProgress = null;
     this._memoryTokenStore = createEmptyTokenStore();
     this._nextServerCookiesTokenStores = /* @__PURE__ */ new WeakMap();
     this._requestTokenStores = /* @__PURE__ */ new WeakMap();
     this._storedBrowserCookieTokenStore = null;
+    this._mostRecentQueuedCookieRefreshIndex = 0;
     /**
      * A map from token stores and session keys to sessions.
      *
@@ -191,13 +197,17 @@ var __StackClientAppImplIncomplete = class __StackClientAppImplIncomplete {
     }
     this._options = resolvedOptions;
     this._extraOptions = extraOptions;
+    const projectId = resolvedOptions.projectId ?? getDefaultProjectId();
+    if (projectId !== "internal" && !projectId.match(/^[0-9a-f]{8}-[0-9a-f]{4}-[1-8][0-9a-f]{3}-[089ab][0-9a-f]{3}-[0-9a-f]{12}$/i)) {
+      throw new Error(`Invalid project ID: ${projectId}. Project IDs must be UUIDs. Please check your environment variables and/or your StackApp.`);
+    }
     if (extraOptions && extraOptions.interface) {
       this._interface = extraOptions.interface;
     } else {
       this._interface = new StackClientInterface({
         getBaseUrl: () => getBaseUrl(resolvedOptions.baseUrl),
         extraRequestHeaders: resolvedOptions.extraRequestHeaders ?? getDefaultExtraRequestHeaders(),
-        projectId: resolvedOptions.projectId ?? getDefaultProjectId(),
+        projectId,
         clientVersion,
         publishableClientKey: resolvedOptions.publishableClientKey ?? getDefaultPublishableClientKey(),
         prepareRequest: async () => {
@@ -291,13 +301,90 @@ var __StackClientAppImplIncomplete = class __StackClientAppImplIncomplete {
     runAsynchronously(this._checkFeatureSupport(name, options));
     throw new StackAssertionError(`${name} is not currently supported. Please reach out to Stack support for more information.`);
   }
+  get _legacyRefreshTokenCookieName() {
+    return `stack-refresh-${this.projectId}`;
+  }
   get _refreshTokenCookieName() {
     return `stack-refresh-${this.projectId}`;
   }
+  _getRefreshTokenDefaultCookieNameForSecure(secure) {
+    return `${secure ? "__Host-" : ""}${this._refreshTokenCookieName}--default`;
+  }
+  _getCustomRefreshCookieName(domain) {
+    const encoded = encodeBase32(new TextEncoder().encode(domain.toLowerCase()));
+    return `${this._refreshTokenCookieName}--custom-${encoded}`;
+  }
+  _formatRefreshCookieValue(refreshToken, updatedAt) {
+    return JSON.stringify({
+      refresh_token: refreshToken,
+      updated_at_millis: updatedAt
+    });
+  }
+  _formatAccessCookieValue(refreshToken, accessToken) {
+    return refreshToken && accessToken ? JSON.stringify([refreshToken, accessToken]) : null;
+  }
+  _parseStructuredRefreshCookie(value) {
+    if (!value) {
+      return null;
+    }
+    const parsed = parseJson(value);
+    if (parsed.status !== "ok" || typeof parsed.data !== "object" || parsed.data === null) {
+      console.warn("Failed to parse structured refresh cookie");
+      return null;
+    }
+    const data = parsed.data;
+    const refreshToken = "refresh_token" in data && typeof data.refresh_token === "string" ? data.refresh_token : null;
+    const updatedAt = "updated_at_millis" in data && typeof data.updated_at_millis === "number" ? data.updated_at_millis : null;
+    if (!refreshToken) {
+      console.warn("Refresh token not found in structured refresh cookie");
+      return null;
+    }
+    return {
+      refreshToken,
+      updatedAt
+    };
+  }
+  _extractRefreshTokenFromCookieMap(cookies) {
+    const { legacyNames, structuredPrefixes } = this._getRefreshTokenCookieNamePatterns();
+    for (const name of legacyNames) {
+      const value = cookies[name];
+      if (value) {
+        return { refreshToken: value, updatedAt: null };
+      }
+    }
+    let selected = null;
+    for (const [name, value] of Object.entries(cookies)) {
+      if (!structuredPrefixes.some((prefix) => name.startsWith(prefix))) continue;
+      const parsed = this._parseStructuredRefreshCookie(value);
+      if (!parsed) continue;
+      const candidateUpdatedAt = parsed.updatedAt ?? Number.NEGATIVE_INFINITY;
+      const selectedUpdatedAt = selected?.updatedAt ?? Number.NEGATIVE_INFINITY;
+      if (!selected || candidateUpdatedAt > selectedUpdatedAt) {
+        selected = parsed;
+      }
+    }
+    if (!selected) {
+      return { refreshToken: null, updatedAt: null };
+    }
+    return {
+      refreshToken: selected.refreshToken,
+      updatedAt: selected.updatedAt ?? null
+    };
+  }
   _getTokensFromCookies(cookies) {
-    const refreshToken = cookies.refreshTokenCookie;
-    const accessTokenObject = cookies.accessTokenCookie?.startsWith('["') ? JSON.parse(cookies.accessTokenCookie) : null;
-    const accessToken = accessTokenObject && refreshToken === accessTokenObject[0] ? accessTokenObject[1] : null;
+    const { refreshToken } = this._extractRefreshTokenFromCookieMap(cookies);
+    const accessTokenCookie = cookies[this._accessTokenCookieName] ?? null;
+    let accessToken = null;
+    if (accessTokenCookie && accessTokenCookie.startsWith('["')) {
+      const parsed = parseJson(accessTokenCookie);
+      if (parsed.status === "ok" && typeof parsed.data === "object" && parsed.data !== null && Array.isArray(parsed.data) && parsed.data.length === 2 && typeof parsed.data[0] === "string" && typeof parsed.data[1] === "string") {
+        if (parsed.data[0] === refreshToken) {
+          accessToken = parsed.data[1];
+        }
+      } else {
+        console.warn("Access token cookie has invalid format");
+      }
+    }
     return {
       refreshToken,
       accessToken
@@ -306,17 +393,98 @@ var __StackClientAppImplIncomplete = class __StackClientAppImplIncomplete {
   get _accessTokenCookieName() {
     return `stack-access`;
   }
+  _getAllBrowserCookies() {
+    if (!isBrowserLike()) {
+      throw new StackAssertionError("Cannot get browser cookies on the server!");
+    }
+    return cookie.parse(document.cookie || "");
+  }
+  _getRefreshTokenCookieNamePatterns() {
+    return {
+      legacyNames: [this._legacyRefreshTokenCookieName, "stack-refresh"],
+      structuredPrefixes: [
+        `${this._refreshTokenCookieName}--`,
+        `__Host-${this._refreshTokenCookieName}--`
+      ]
+    };
+  }
+  _collectRefreshTokenCookieNames(cookies) {
+    const { legacyNames, structuredPrefixes } = this._getRefreshTokenCookieNamePatterns();
+    const names = /* @__PURE__ */ new Set();
+    for (const name of legacyNames) {
+      if (cookies[name]) {
+        names.add(name);
+      }
+    }
+    for (const name of Object.keys(cookies)) {
+      if (structuredPrefixes.some((prefix) => name.startsWith(prefix))) {
+        names.add(name);
+      }
+    }
+    return names;
+  }
+  _prepareRefreshCookieUpdate(existingCookies, refreshToken, accessToken, defaultCookieName) {
+    const cookieNames = this._collectRefreshTokenCookieNames(existingCookies);
+    cookieNames.delete(defaultCookieName);
+    const updatedAt = refreshToken ? Date.now() : null;
+    const refreshCookieValue = refreshToken && updatedAt !== null ? this._formatRefreshCookieValue(refreshToken, updatedAt) : null;
+    const accessTokenPayload = this._formatAccessCookieValue(refreshToken, accessToken);
+    return {
+      updatedAt,
+      refreshCookieValue,
+      accessTokenPayload,
+      cookieNamesToDelete: [...cookieNames]
+    };
+  }
+  _queueCustomRefreshCookieUpdate(refreshToken, updatedAt, context) {
+    runAsynchronously(async () => {
+      this._mostRecentQueuedCookieRefreshIndex++;
+      const updateIndex = this._mostRecentQueuedCookieRefreshIndex;
+      let hostname;
+      if (isBrowserLike()) {
+        hostname = window.location.hostname;
+      }
+      if (!hostname) {
+        console.warn("No hostname found when queueing custom refresh cookie update");
+        return;
+      }
+      const domain = await this._trustedParentDomainCache.getOrWait([hostname], "read-write");
+      const setCookie = async (targetDomain, value2) => {
+        const name = this._getCustomRefreshCookieName(targetDomain);
+        const options = { maxAge: 60 * 60 * 24 * 365, domain: targetDomain, noOpIfServerComponent: true };
+        if (context === "browser") {
+          setOrDeleteCookieClient(name, value2, options);
+        } else {
+          await setOrDeleteCookie(name, value2, options);
+        }
+      };
+      if (domain.status === "error" || !domain.data || updateIndex !== this._mostRecentQueuedCookieRefreshIndex) {
+        return;
+      }
+      const value = refreshToken && updatedAt ? this._formatRefreshCookieValue(refreshToken, updatedAt) : null;
+      await setCookie(domain.data, value);
+    });
+  }
+  async _getTrustedParentDomain(currentDomain) {
+    const project = Result.orThrow(await this._interface.getClientProject());
+    const domains = project.config.domains.map((d) => d.domain.trim().replace(/^https?:\/\//, "").split("/")[0]?.toLowerCase());
+    const trustedWildcards = domains.filter((d) => d.startsWith("**."));
+    const parts = currentDomain.split(".");
+    for (let i = parts.length - 2; i >= 0; i--) {
+      const parentDomain = parts.slice(i).join(".");
+      if (domains.includes(parentDomain) && trustedWildcards.includes("**." + parentDomain)) {
+        return parentDomain;
+      }
+    }
+    return null;
+  }
   _getBrowserCookieTokenStore() {
     if (!isBrowserLike()) {
       throw new Error("Cannot use cookie token store on the server!");
     }
     if (this._storedBrowserCookieTokenStore === null) {
       const getCurrentValue = (old) => {
-        const tokens = this._getTokensFromCookies({
-          refreshTokenCookie: getCookieClient(this._refreshTokenCookieName) ?? getCookieClient("stack-refresh"),
-          // keep old cookie name for backwards-compatibility
-          accessTokenCookie: getCookieClient(this._accessTokenCookieName)
-        });
+        const tokens = this._getTokensFromCookies(this._getAllBrowserCookies());
         return {
           refreshToken: tokens.refreshToken,
           accessToken: tokens.accessToken ?? (old?.refreshToken === tokens.refreshToken ? old.accessToken : null)
@@ -335,9 +503,19 @@ var __StackClientAppImplIncomplete = class __StackClientAppImplIncomplete {
       }, 100);
       this._storedBrowserCookieTokenStore.onChange((value) => {
         try {
-          setOrDeleteCookieClient(this._refreshTokenCookieName, value.refreshToken, { maxAge: 60 * 60 * 24 * 365 });
-          setOrDeleteCookieClient(this._accessTokenCookieName, value.accessToken ? JSON.stringify([value.refreshToken, value.accessToken]) : null, { maxAge: 60 * 60 * 24 });
-          deleteCookieClient("stack-refresh");
+          const refreshToken = value.refreshToken;
+          const secure = window.location.protocol === "https:";
+          const defaultName = this._getRefreshTokenDefaultCookieNameForSecure(secure);
+          const { updatedAt, refreshCookieValue, accessTokenPayload, cookieNamesToDelete } = this._prepareRefreshCookieUpdate(
+            this._getAllBrowserCookies(),
+            refreshToken,
+            value.accessToken ?? null,
+            defaultName
+          );
+          setOrDeleteCookieClient(defaultName, refreshCookieValue, { maxAge: 60 * 60 * 24 * 365, secure });
+          setOrDeleteCookieClient(this._accessTokenCookieName, accessTokenPayload, { maxAge: 60 * 60 * 24 });
+          cookieNamesToDelete.forEach((name) => deleteCookieClient(name));
+          this._queueCustomRefreshCookieUpdate(refreshToken, updatedAt, "browser");
           hasSucceededInWriting = true;
         } catch (e) {
           if (!isBrowserLike()) {
@@ -360,18 +538,31 @@ var __StackClientAppImplIncomplete = class __StackClientAppImplIncomplete {
         if (isBrowserLike()) {
           return this._getBrowserCookieTokenStore();
         } else {
-          const tokens = this._getTokensFromCookies({
-            refreshTokenCookie: cookieHelper.get(this._refreshTokenCookieName) ?? cookieHelper.get("stack-refresh"),
-            // keep old cookie name for backwards-compatibility
-            accessTokenCookie: cookieHelper.get(this._accessTokenCookieName)
-          });
+          const tokens = this._getTokensFromCookies(cookieHelper.getAll());
           const store = new Store(tokens);
           store.onChange((value) => {
             runAsynchronously(async () => {
+              const refreshToken = value.refreshToken;
+              const secure = await isSecureCookieContext();
+              const defaultName = this._getRefreshTokenDefaultCookieNameForSecure(secure);
+              const { updatedAt, refreshCookieValue, accessTokenPayload, cookieNamesToDelete } = this._prepareRefreshCookieUpdate(
+                cookieHelper.getAll(),
+                refreshToken,
+                value.accessToken ?? null,
+                defaultName
+              );
               await Promise.all([
-                setOrDeleteCookie(this._refreshTokenCookieName, value.refreshToken, { maxAge: 60 * 60 * 24 * 365, noOpIfServerComponent: true }),
-                setOrDeleteCookie(this._accessTokenCookieName, value.accessToken ? JSON.stringify([value.refreshToken, value.accessToken]) : null, { maxAge: 60 * 60 * 24, noOpIfServerComponent: true })
+                setOrDeleteCookie(defaultName, refreshCookieValue, { maxAge: 60 * 60 * 24 * 365, noOpIfServerComponent: true }),
+                setOrDeleteCookie(this._accessTokenCookieName, accessTokenPayload, { maxAge: 60 * 60 * 24, noOpIfServerComponent: true })
               ]);
+              if (cookieNamesToDelete.length > 0) {
+                await Promise.all(
+                  cookieNamesToDelete.map(
+                    (name) => setOrDeleteCookie(name, null, { noOpIfServerComponent: true })
+                  )
+                );
+              }
+              this._queueCustomRefreshCookieUpdate(refreshToken, updatedAt, "server");
             });
           });
           return store;
@@ -402,11 +593,7 @@ var __StackClientAppImplIncomplete = class __StackClientAppImplIncomplete {
           }
           const cookieHeader = tokenStoreInit.headers.get("cookie");
           const parsed = cookie.parse(cookieHeader || "");
-          const res = new Store({
-            refreshToken: parsed[this._refreshTokenCookieName] || parsed["stack-refresh"] || null,
-            // keep old cookie name for backwards-compatibility
-            accessToken: parsed[this._accessTokenCookieName] || null
-          });
+          const res = new Store(this._getTokensFromCookies(parsed));
           this._requestTokenStores.set(tokenStoreInit, res);
           return res;
         } else if ("accessToken" in tokenStoreInit || "refreshToken" in tokenStoreInit) {
@@ -723,35 +910,6 @@ var __StackClientAppImplIncomplete = class __StackClientAppImplIncomplete {
         const tokens = await this.currentSession.getTokens();
         return tokens;
       },
-      async registerPasskey(options) {
-        const hostname = (await app._getCurrentUrl())?.hostname;
-        if (!hostname) {
-          throw new StackAssertionError("hostname must be provided if the Stack App does not have a redirect method");
-        }
-        const initiationResult = await app._interface.initiatePasskeyRegistration({}, session);
-        if (initiationResult.status !== "ok") {
-          return Result.error(new KnownErrors.PasskeyRegistrationFailed("Failed to get initiation options for passkey registration"));
-        }
-        const { options_json, code } = initiationResult.data;
-        if (options_json.rp.id !== "THIS_VALUE_WILL_BE_REPLACED.example.com") {
-          throw new StackAssertionError(`Expected returned RP ID from server to equal sentinel, but found ${options_json.rp.id}`);
-        }
-        options_json.rp.id = hostname;
-        let attResp;
-        try {
-          attResp = await startRegistration({ optionsJSON: options_json });
-        } catch (error) {
-          if (error instanceof WebAuthnError) {
-            return Result.error(new KnownErrors.PasskeyWebAuthnError(error.message, error.name));
-          } else {
-            captureError("passkey-registration-failed", error);
-            return Result.error(new KnownErrors.PasskeyRegistrationFailed("Failed to start passkey registration due to unknown error"));
-          }
-        }
-        const registrationResult = await app._interface.registerPasskey({ credential: attResp, code }, session);
-        await app._refreshUser(session);
-        return registrationResult;
-      },
       signOut(options) {
         return app._signOut(session, options);
       }
@@ -936,6 +1094,35 @@ var __StackClientAppImplIncomplete = class __StackClientAppImplIncomplete {
       async getOAuthProvider(id) {
         const providers = await this.listOAuthProviders();
         return providers.find((p) => p.id === id) ?? null;
+      },
+      async registerPasskey(options) {
+        const hostname = (await app._getCurrentUrl())?.hostname;
+        if (!hostname) {
+          throw new StackAssertionError("hostname must be provided if the Stack App does not have a redirect method");
+        }
+        const initiationResult = await app._interface.initiatePasskeyRegistration({}, session);
+        if (initiationResult.status !== "ok") {
+          return Result.error(new KnownErrors.PasskeyRegistrationFailed("Failed to get initiation options for passkey registration"));
+        }
+        const { options_json, code } = initiationResult.data;
+        if (options_json.rp.id !== "THIS_VALUE_WILL_BE_REPLACED.example.com") {
+          throw new StackAssertionError(`Expected returned RP ID from server to equal sentinel, but found ${options_json.rp.id}`);
+        }
+        options_json.rp.id = hostname;
+        let attResp;
+        try {
+          attResp = await startRegistration({ optionsJSON: options_json });
+        } catch (error) {
+          if (error instanceof WebAuthnError) {
+            return Result.error(new KnownErrors.PasskeyWebAuthnError(error.message, error.name));
+          } else {
+            captureError("passkey-registration-failed", error);
+            return Result.error(new KnownErrors.PasskeyRegistrationFailed("Failed to start passkey registration due to unknown error"));
+          }
+        }
+        const registrationResult = await app._interface.registerPasskey({ credential: attResp, code }, session);
+        await app._refreshUser(session);
+        return registrationResult;
       }
     };
   }
@@ -1618,10 +1805,22 @@ ${url}`);
     });
   }
   async signOut(options) {
-    const user = await this.getUser();
+    const user = await this.getUser({ tokenStore: options?.tokenStore ?? void 0 });
+    if (user) {
+      await user.signOut({ redirectUrl: options?.redirectUrl });
+    }
+  }
+  async getAuthHeaders(options) {
+    return {
+      "x-stack-auth": JSON.stringify(await this.getAuthJson(options))
+    };
+  }
+  async getAuthJson(options) {
+    const user = await this.getUser({ tokenStore: options?.tokenStore ?? void 0 });
     if (user) {
-      await user.signOut(options);
+      return await user.getAuthJson();
     }
+    return { accessToken: null, refreshToken: null };
   }
   async getProject() {
     const crud = Result.orThrow(await this._currentProjectCache.getOrWait([], "write-only"));