@stackframe/js 2.8.56 → 2.8.59

Files changed (72)
  1. package/dist/esm/index.js.map +1 -1
  2. package/dist/esm/integrations/convex/component/convex.config.js.map +1 -1
  3. package/dist/esm/integrations/convex.js.map +1 -1
  4. package/dist/esm/lib/auth.js.map +1 -1
  5. package/dist/esm/lib/cookie.js.map +1 -1
  6. package/dist/esm/lib/stack-app/api-keys/index.js.map +1 -1
  7. package/dist/esm/lib/stack-app/apps/implementations/admin-app-impl.js +235 -0
  8. package/dist/esm/lib/stack-app/apps/implementations/admin-app-impl.js.map +1 -1
  9. package/dist/esm/lib/stack-app/apps/implementations/client-app-impl.js +133 -23
  10. package/dist/esm/lib/stack-app/apps/implementations/client-app-impl.js.map +1 -1
  11. package/dist/esm/lib/stack-app/apps/implementations/common.js +2 -1
  12. package/dist/esm/lib/stack-app/apps/implementations/common.js.map +1 -1
  13. package/dist/esm/lib/stack-app/apps/implementations/index.js.map +1 -1
  14. package/dist/esm/lib/stack-app/apps/implementations/server-app-impl.js +31 -23
  15. package/dist/esm/lib/stack-app/apps/implementations/server-app-impl.js.map +1 -1
  16. package/dist/esm/lib/stack-app/apps/index.js.map +1 -1
  17. package/dist/esm/lib/stack-app/apps/interfaces/admin-app.js.map +1 -1
  18. package/dist/esm/lib/stack-app/apps/interfaces/client-app.js.map +1 -1
  19. package/dist/esm/lib/stack-app/apps/interfaces/server-app.js.map +1 -1
  20. package/dist/esm/lib/stack-app/common.js.map +1 -1
  21. package/dist/esm/lib/stack-app/contact-channels/index.js.map +1 -1
  22. package/dist/esm/lib/stack-app/email-templates/index.js.map +1 -1
  23. package/dist/esm/lib/stack-app/index.js.map +1 -1
  24. package/dist/esm/lib/stack-app/internal-api-keys/index.js.map +1 -1
  25. package/dist/esm/lib/stack-app/permissions/index.js.map +1 -1
  26. package/dist/esm/lib/stack-app/projects/index.js +4 -0
  27. package/dist/esm/lib/stack-app/projects/index.js.map +1 -1
  28. package/dist/esm/lib/stack-app/teams/index.js.map +1 -1
  29. package/dist/esm/lib/stack-app/users/index.js +13 -12
  30. package/dist/esm/lib/stack-app/users/index.js.map +1 -1
  31. package/dist/esm/utils/url.js.map +1 -1
  32. package/dist/index.d.mts +285 -17
  33. package/dist/index.d.ts +285 -17
  34. package/dist/index.js.map +1 -1
  35. package/dist/integrations/convex/component/convex.config.js.map +1 -1
  36. package/dist/integrations/convex.js.map +1 -1
  37. package/dist/lib/auth.js.map +1 -1
  38. package/dist/lib/cookie.js.map +1 -1
  39. package/dist/lib/stack-app/api-keys/index.js.map +1 -1
  40. package/dist/lib/stack-app/apps/implementations/admin-app-impl.js +235 -0
  41. package/dist/lib/stack-app/apps/implementations/admin-app-impl.js.map +1 -1
  42. package/dist/lib/stack-app/apps/implementations/client-app-impl.js +132 -22
  43. package/dist/lib/stack-app/apps/implementations/client-app-impl.js.map +1 -1
  44. package/dist/lib/stack-app/apps/implementations/common.js +2 -1
  45. package/dist/lib/stack-app/apps/implementations/common.js.map +1 -1
  46. package/dist/lib/stack-app/apps/implementations/index.js.map +1 -1
  47. package/dist/lib/stack-app/apps/implementations/server-app-impl.js +29 -21
  48. package/dist/lib/stack-app/apps/implementations/server-app-impl.js.map +1 -1
  49. package/dist/lib/stack-app/apps/index.js.map +1 -1
  50. package/dist/lib/stack-app/apps/interfaces/admin-app.js.map +1 -1
  51. package/dist/lib/stack-app/apps/interfaces/client-app.js.map +1 -1
  52. package/dist/lib/stack-app/apps/interfaces/server-app.js.map +1 -1
  53. package/dist/lib/stack-app/common.js.map +1 -1
  54. package/dist/lib/stack-app/connected-accounts/index.js.map +1 -1
  55. package/dist/lib/stack-app/contact-channels/index.js.map +1 -1
  56. package/dist/lib/stack-app/customers/index.js.map +1 -1
  57. package/dist/lib/stack-app/data-vault/index.js.map +1 -1
  58. package/dist/lib/stack-app/email/index.js.map +1 -1
  59. package/dist/lib/stack-app/email-templates/index.js.map +1 -1
  60. package/dist/lib/stack-app/index.js.map +1 -1
  61. package/dist/lib/stack-app/internal-api-keys/index.js.map +1 -1
  62. package/dist/lib/stack-app/notification-categories/index.js.map +1 -1
  63. package/dist/lib/stack-app/permissions/index.js.map +1 -1
  64. package/dist/lib/stack-app/project-configs/index.js.map +1 -1
  65. package/dist/lib/stack-app/projects/index.js +4 -0
  66. package/dist/lib/stack-app/projects/index.js.map +1 -1
  67. package/dist/lib/stack-app/teams/index.js.map +1 -1
  68. package/dist/lib/stack-app/users/index.js +15 -14
  69. package/dist/lib/stack-app/users/index.js.map +1 -1
  70. package/dist/utils/url.js.map +1 -1
  71. package/package.json +14 -13
  72. package/CHANGELOG.md +0 -2072
@@ -1 +1 @@
1
- {"version":3,"sources":["../../src/index.ts"],"sourcesContent":["\n//===========================================\n// THIS FILE IS AUTO-GENERATED FROM TEMPLATE. DO NOT EDIT IT DIRECTLY\n//===========================================\nexport * from './lib/stack-app';\n\nexport { getConvexProvidersConfig } from \"./integrations/convex\";\n\n"],"mappings":";AAIA,cAAc;AAEd,SAAS,gCAAgC;","names":[]}
1
+ {"version":3,"sources":["../../src/index.ts"],"sourcesContent":["\n//===========================================\n// THIS FILE IS AUTO-GENERATED FROM TEMPLATE. DO NOT EDIT IT DIRECTLY, INSTEAD EDIT THE CORRESPONDING FILE IN packages/template\n//===========================================\nexport * from './lib/stack-app';\n\nexport { getConvexProvidersConfig } from \"./integrations/convex\";\n\n"],"mappings":";AAIA,cAAc;AAEd,SAAS,gCAAgC;","names":[]}
@@ -1 +1 @@
1
- {"version":3,"sources":["../../../../../src/integrations/convex/component/convex.config.ts"],"sourcesContent":["\n//===========================================\n// THIS FILE IS AUTO-GENERATED FROM TEMPLATE. DO NOT EDIT IT DIRECTLY\n//===========================================\nimport { defineComponent } from \"convex/server\";\n\nconst component = defineComponent(\"stack_auth\");\n\nexport default component;\n"],"mappings":";AAIA,SAAS,uBAAuB;AAEhC,IAAM,YAAY,gBAAgB,YAAY;AAE9C,IAAO,wBAAQ;","names":[]}
1
+ {"version":3,"sources":["../../../../../src/integrations/convex/component/convex.config.ts"],"sourcesContent":["\n//===========================================\n// THIS FILE IS AUTO-GENERATED FROM TEMPLATE. DO NOT EDIT IT DIRECTLY, INSTEAD EDIT THE CORRESPONDING FILE IN packages/template\n//===========================================\nimport { defineComponent } from \"convex/server\";\n\nconst component = defineComponent(\"stack_auth\");\n\nexport default component;\n"],"mappings":";AAIA,SAAS,uBAAuB;AAEhC,IAAM,YAAY,gBAAgB,YAAY;AAE9C,IAAO,wBAAQ;","names":[]}
@@ -1 +1 @@
1
- {"version":3,"sources":["../../../src/integrations/convex.ts"],"sourcesContent":["\n//===========================================\n// THIS FILE IS AUTO-GENERATED FROM TEMPLATE. DO NOT EDIT IT DIRECTLY\n//===========================================\nimport { urlString } from \"@stackframe/stack-shared/dist/utils/urls\";\nimport { defaultBaseUrl } from \"../lib/stack-app/apps/implementations/common\";\n\nexport function getConvexProvidersConfig(options: {\n baseUrl?: string,\n projectId: string,\n}) {\n const baseUrl = options.baseUrl || defaultBaseUrl;\n const projectId = options.projectId;\n return [\n {\n type: \"customJwt\",\n issuer: new URL(urlString`/api/v1/projects/${projectId}`, baseUrl),\n jwks: new URL(urlString`/api/v1/projects/${projectId}/.well-known/jwks.json`, baseUrl),\n algorithm: \"ES256\",\n },\n {\n type: \"customJwt\",\n issuer: new URL(urlString`/api/v1/projects-anonymous-users/${projectId}`, baseUrl),\n jwks: new URL(urlString`/api/v1/projects/${projectId}/.well-known/jwks.json?include_anonymous=true`, baseUrl),\n algorithm: \"ES256\",\n },\n ];\n}\n"],"mappings":";AAIA,SAAS,iBAAiB;AAC1B,SAAS,sBAAsB;AAExB,SAAS,yBAAyB,SAGtC;AACD,QAAM,UAAU,QAAQ,WAAW;AACnC,QAAM,YAAY,QAAQ;AAC1B,SAAO;AAAA,IACL;AAAA,MACE,MAAM;AAAA,MACN,QAAQ,IAAI,IAAI,6BAA6B,SAAS,IAAI,OAAO;AAAA,MACjE,MAAM,IAAI,IAAI,6BAA6B,SAAS,0BAA0B,OAAO;AAAA,MACrF,WAAW;AAAA,IACb;AAAA,IACA;AAAA,MACE,MAAM;AAAA,MACN,QAAQ,IAAI,IAAI,6CAA6C,SAAS,IAAI,OAAO;AAAA,MACjF,MAAM,IAAI,IAAI,6BAA6B,SAAS,iDAAiD,OAAO;AAAA,MAC5G,WAAW;AAAA,IACb;AAAA,EACF;AACF;","names":[]}
1
+ {"version":3,"sources":["../../../src/integrations/convex.ts"],"sourcesContent":["\n//===========================================\n// THIS FILE IS AUTO-GENERATED FROM TEMPLATE. DO NOT EDIT IT DIRECTLY, INSTEAD EDIT THE CORRESPONDING FILE IN packages/template\n//===========================================\nimport { urlString } from \"@stackframe/stack-shared/dist/utils/urls\";\nimport { defaultBaseUrl } from \"../lib/stack-app/apps/implementations/common\";\n\nexport function getConvexProvidersConfig(options: {\n baseUrl?: string,\n projectId: string,\n}) {\n const baseUrl = options.baseUrl || defaultBaseUrl;\n const projectId = options.projectId;\n return [\n {\n type: \"customJwt\",\n issuer: new URL(urlString`/api/v1/projects/${projectId}`, baseUrl),\n jwks: new URL(urlString`/api/v1/projects/${projectId}/.well-known/jwks.json`, baseUrl),\n algorithm: \"ES256\",\n },\n {\n type: \"customJwt\",\n issuer: new URL(urlString`/api/v1/projects-anonymous-users/${projectId}`, baseUrl),\n jwks: new URL(urlString`/api/v1/projects/${projectId}/.well-known/jwks.json?include_anonymous=true`, baseUrl),\n algorithm: \"ES256\",\n },\n ];\n}\n"],"mappings":";AAIA,SAAS,iBAAiB;AAC1B,SAAS,sBAAsB;AAExB,SAAS,yBAAyB,SAGtC;AACD,QAAM,UAAU,QAAQ,WAAW;AACnC,QAAM,YAAY,QAAQ;AAC1B,SAAO;AAAA,IACL;AAAA,MACE,MAAM;AAAA,MACN,QAAQ,IAAI,IAAI,6BAA6B,SAAS,IAAI,OAAO;AAAA,MACjE,MAAM,IAAI,IAAI,6BAA6B,SAAS,0BAA0B,OAAO;AAAA,MACrF,WAAW;AAAA,IACb;AAAA,IACA;AAAA,MACE,MAAM;AAAA,MACN,QAAQ,IAAI,IAAI,6CAA6C,SAAS,IAAI,OAAO;AAAA,MACjF,MAAM,IAAI,IAAI,6BAA6B,SAAS,iDAAiD,OAAO;AAAA,MAC5G,WAAW;AAAA,IACb;AAAA,EACF;AACF;","names":[]}
@@ -1 +1 @@
1
- {"version":3,"sources":["../../../src/lib/auth.ts"],"sourcesContent":["\n//===========================================\n// THIS FILE IS AUTO-GENERATED FROM TEMPLATE. DO NOT EDIT IT DIRECTLY\n//===========================================\nimport { KnownError, StackClientInterface } from \"@stackframe/stack-shared\";\nimport { InternalSession } from \"@stackframe/stack-shared/dist/sessions\";\nimport { StackAssertionError, throwErr } from \"@stackframe/stack-shared/dist/utils/errors\";\nimport { neverResolve } from \"@stackframe/stack-shared/dist/utils/promises\";\nimport { Result } from \"@stackframe/stack-shared/dist/utils/results\";\nimport { deindent } from \"@stackframe/stack-shared/dist/utils/strings\";\nimport { constructRedirectUrl } from \"../utils/url\";\nimport { consumeVerifierAndStateCookie, saveVerifierAndState } from \"./cookie\";\n\nexport async function signInWithOAuth(\n iface: StackClientInterface,\n options: {\n provider: string,\n redirectUrl: string,\n errorRedirectUrl: string,\n providerScope?: string,\n },\n session: InternalSession,\n) {\n const { codeChallenge, state } = await saveVerifierAndState();\n const location = await iface.getOAuthUrl({\n provider: options.provider,\n redirectUrl: constructRedirectUrl(options.redirectUrl, \"redirectUrl\"),\n errorRedirectUrl: constructRedirectUrl(options.errorRedirectUrl, \"errorRedirectUrl\"),\n codeChallenge,\n state,\n type: \"authenticate\",\n providerScope: options.providerScope,\n session,\n });\n window.location.assign(location);\n await neverResolve();\n}\n\nexport async function addNewOAuthProviderOrScope(\n iface: StackClientInterface,\n options: {\n provider: string,\n redirectUrl: string,\n errorRedirectUrl: string,\n providerScope?: string,\n },\n session: InternalSession,\n) {\n const { codeChallenge, state } = await saveVerifierAndState();\n const location = await iface.getOAuthUrl({\n provider: options.provider,\n redirectUrl: constructRedirectUrl(options.redirectUrl, 
\"redirectUrl\"),\n errorRedirectUrl: constructRedirectUrl(options.errorRedirectUrl, \"errorRedirectUrl\"),\n afterCallbackRedirectUrl: constructRedirectUrl(window.location.href, \"afterCallbackRedirectUrl\"),\n codeChallenge,\n state,\n type: \"link\",\n session,\n providerScope: options.providerScope,\n });\n window.location.assign(location);\n await neverResolve();\n}\n\n/**\n * Checks if the current URL has the query parameters for an OAuth callback, and if so, removes them.\n *\n * Must be synchronous for the logic in callOAuthCallback to work without race conditions.\n */\nfunction consumeOAuthCallbackQueryParams() {\n const requiredParams = [\"code\", \"state\"];\n const originalUrl = new URL(window.location.href);\n for (const param of requiredParams) {\n if (!originalUrl.searchParams.has(param)) {\n console.warn(new Error(`Missing required query parameter on OAuth callback: ${param}. Maybe you opened or reloaded the oauth-callback page from your history?`));\n return null;\n }\n }\n\n const expectedState = originalUrl.searchParams.get(\"state\") ?? 
throwErr(\"This should never happen; isn't state required above?\");\n const cookieResult = consumeVerifierAndStateCookie(expectedState);\n\n if (!cookieResult) {\n // If the state can't be found in the cookies, then the callback wasn't meant for us.\n // Maybe the website uses another OAuth library?\n console.warn(deindent`\n Stack found an outer OAuth callback state in the query parameters, but not in cookies.\n \n This could have multiple reasons:\n - The cookie expired, because the OAuth flow took too long.\n - The user's browser deleted the cookie, either manually or because of a very strict cookie policy.\n - The cookie was already consumed by this page, and the user already logged in.\n - You are using another OAuth client library with the same callback URL as Stack.\n - The user opened the OAuth callback page from their history.\n\n Either way, it is probably safe to ignore this warning unless you are debugging an OAuth issue.\n `);\n return null;\n }\n\n\n const newUrl = new URL(originalUrl);\n for (const param of requiredParams) {\n newUrl.searchParams.delete(param);\n }\n\n // let's get rid of the authorization code in the history as we\n // don't redirect to `redirectUrl` if there's a validation error\n // (as the redirectUrl might be malicious!).\n //\n // We use history.replaceState instead of location.assign(...) 
to\n // prevent an unnecessary reload\n window.history.replaceState({}, \"\", newUrl.toString());\n\n return {\n originalUrl,\n codeVerifier: cookieResult.codeVerifier,\n state: expectedState,\n };\n}\n\nexport async function callOAuthCallback(\n iface: StackClientInterface,\n redirectUrl: string,\n) {\n // note: this part of the function (until the return) needs\n // to be synchronous, to prevent race conditions when\n // callOAuthCallback is called multiple times in parallel\n const consumed = consumeOAuthCallbackQueryParams();\n if (!consumed) return Result.ok(undefined);\n\n // the rest can be asynchronous (we now know that we are the\n // intended recipient of the callback, and the only instance\n // of callOAuthCallback that's running)\n try {\n return Result.ok(await iface.callOAuthCallback({\n oauthParams: consumed.originalUrl.searchParams,\n redirectUri: constructRedirectUrl(redirectUrl, \"redirectUri\"),\n codeVerifier: consumed.codeVerifier,\n state: consumed.state,\n }));\n } catch (e) {\n if (KnownError.isKnownError(e)) {\n throw e;\n }\n throw new StackAssertionError(\"Error signing in during OAuth callback. 
Please try again.\", { cause: e });\n }\n}\n"],"mappings":";AAIA,SAAS,kBAAwC;AAEjD,SAAS,qBAAqB,gBAAgB;AAC9C,SAAS,oBAAoB;AAC7B,SAAS,cAAc;AACvB,SAAS,gBAAgB;AACzB,SAAS,4BAA4B;AACrC,SAAS,+BAA+B,4BAA4B;AAEpE,eAAsB,gBACpB,OACA,SAMA,SACA;AACA,QAAM,EAAE,eAAe,MAAM,IAAI,MAAM,qBAAqB;AAC5D,QAAM,WAAW,MAAM,MAAM,YAAY;AAAA,IACvC,UAAU,QAAQ;AAAA,IAClB,aAAa,qBAAqB,QAAQ,aAAa,aAAa;AAAA,IACpE,kBAAkB,qBAAqB,QAAQ,kBAAkB,kBAAkB;AAAA,IACnF;AAAA,IACA;AAAA,IACA,MAAM;AAAA,IACN,eAAe,QAAQ;AAAA,IACvB;AAAA,EACF,CAAC;AACD,SAAO,SAAS,OAAO,QAAQ;AAC/B,QAAM,aAAa;AACrB;AAEA,eAAsB,2BACpB,OACA,SAMA,SACA;AACA,QAAM,EAAE,eAAe,MAAM,IAAI,MAAM,qBAAqB;AAC5D,QAAM,WAAW,MAAM,MAAM,YAAY;AAAA,IACvC,UAAU,QAAQ;AAAA,IAClB,aAAa,qBAAqB,QAAQ,aAAa,aAAa;AAAA,IACpE,kBAAkB,qBAAqB,QAAQ,kBAAkB,kBAAkB;AAAA,IACnF,0BAA0B,qBAAqB,OAAO,SAAS,MAAM,0BAA0B;AAAA,IAC/F;AAAA,IACA;AAAA,IACA,MAAM;AAAA,IACN;AAAA,IACA,eAAe,QAAQ;AAAA,EACzB,CAAC;AACD,SAAO,SAAS,OAAO,QAAQ;AAC/B,QAAM,aAAa;AACrB;AAOA,SAAS,kCAAkC;AACzC,QAAM,iBAAiB,CAAC,QAAQ,OAAO;AACvC,QAAM,cAAc,IAAI,IAAI,OAAO,SAAS,IAAI;AAChD,aAAW,SAAS,gBAAgB;AAClC,QAAI,CAAC,YAAY,aAAa,IAAI,KAAK,GAAG;AACxC,cAAQ,KAAK,IAAI,MAAM,uDAAuD,KAAK,2EAA2E,CAAC;AAC/J,aAAO;AAAA,IACT;AAAA,EACF;AAEA,QAAM,gBAAgB,YAAY,aAAa,IAAI,OAAO,KAAK,SAAS,uDAAuD;AAC/H,QAAM,eAAe,8BAA8B,aAAa;AAEhE,MAAI,CAAC,cAAc;AAGjB,YAAQ,KAAK;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,KAWZ;AACD,WAAO;AAAA,EACT;AAGA,QAAM,SAAS,IAAI,IAAI,WAAW;AAClC,aAAW,SAAS,gBAAgB;AAClC,WAAO,aAAa,OAAO,KAAK;AAAA,EAClC;AAQA,SAAO,QAAQ,aAAa,CAAC,GAAG,IAAI,OAAO,SAAS,CAAC;AAErD,SAAO;AAAA,IACL;AAAA,IACA,cAAc,aAAa;AAAA,IAC3B,OAAO;AAAA,EACT;AACF;AAEA,eAAsB,kBACpB,OACA,aACA;AAIA,QAAM,WAAW,gCAAgC;AACjD,MAAI,CAAC,SAAU,QAAO,OAAO,GAAG,MAAS;AAKzC,MAAI;AACF,WAAO,OAAO,GAAG,MAAM,MAAM,kBAAkB;AAAA,MAC7C,aAAa,SAAS,YAAY;AAAA,MAClC,aAAa,qBAAqB,aAAa,aAAa;AAAA,MAC5D,cAAc,SAAS;AAAA,MACvB,OAAO,SAAS;AAAA,IAClB,CAAC,CAAC;AAAA,EACJ,SAAS,GAAG;AACV,QAAI,WAAW,aAAa,CAAC,GAAG;AAC9B,YAAM;AAAA,IACR;AACA,UAAM,IAAI,oBAAoB,6DAA6D,EAAE,OAAO,EAAE,CAAC;AAAA,EACzG;AACF;","names":[]}
1
+ {"version":3,"sources":["../../../src/lib/auth.ts"],"sourcesContent":["\n//===========================================\n// THIS FILE IS AUTO-GENERATED FROM TEMPLATE. DO NOT EDIT IT DIRECTLY, INSTEAD EDIT THE CORRESPONDING FILE IN packages/template\n//===========================================\nimport { KnownError, StackClientInterface } from \"@stackframe/stack-shared\";\nimport { InternalSession } from \"@stackframe/stack-shared/dist/sessions\";\nimport { StackAssertionError, throwErr } from \"@stackframe/stack-shared/dist/utils/errors\";\nimport { neverResolve } from \"@stackframe/stack-shared/dist/utils/promises\";\nimport { Result } from \"@stackframe/stack-shared/dist/utils/results\";\nimport { deindent } from \"@stackframe/stack-shared/dist/utils/strings\";\nimport { constructRedirectUrl } from \"../utils/url\";\nimport { consumeVerifierAndStateCookie, saveVerifierAndState } from \"./cookie\";\n\nexport async function signInWithOAuth(\n iface: StackClientInterface,\n options: {\n provider: string,\n redirectUrl: string,\n errorRedirectUrl: string,\n providerScope?: string,\n },\n session: InternalSession,\n) {\n const { codeChallenge, state } = await saveVerifierAndState();\n const location = await iface.getOAuthUrl({\n provider: options.provider,\n redirectUrl: constructRedirectUrl(options.redirectUrl, \"redirectUrl\"),\n errorRedirectUrl: constructRedirectUrl(options.errorRedirectUrl, \"errorRedirectUrl\"),\n codeChallenge,\n state,\n type: \"authenticate\",\n providerScope: options.providerScope,\n session,\n });\n window.location.assign(location);\n await neverResolve();\n}\n\nexport async function addNewOAuthProviderOrScope(\n iface: StackClientInterface,\n options: {\n provider: string,\n redirectUrl: string,\n errorRedirectUrl: string,\n providerScope?: string,\n },\n session: InternalSession,\n) {\n const { codeChallenge, state } = await saveVerifierAndState();\n const location = await iface.getOAuthUrl({\n provider: options.provider,\n 
redirectUrl: constructRedirectUrl(options.redirectUrl, \"redirectUrl\"),\n errorRedirectUrl: constructRedirectUrl(options.errorRedirectUrl, \"errorRedirectUrl\"),\n afterCallbackRedirectUrl: constructRedirectUrl(window.location.href, \"afterCallbackRedirectUrl\"),\n codeChallenge,\n state,\n type: \"link\",\n session,\n providerScope: options.providerScope,\n });\n window.location.assign(location);\n await neverResolve();\n}\n\n/**\n * Checks if the current URL has the query parameters for an OAuth callback, and if so, removes them.\n *\n * Must be synchronous for the logic in callOAuthCallback to work without race conditions.\n */\nfunction consumeOAuthCallbackQueryParams() {\n const requiredParams = [\"code\", \"state\"];\n const originalUrl = new URL(window.location.href);\n for (const param of requiredParams) {\n if (!originalUrl.searchParams.has(param)) {\n console.warn(new Error(`Missing required query parameter on OAuth callback: ${param}. Maybe you opened or reloaded the oauth-callback page from your history?`));\n return null;\n }\n }\n\n const expectedState = originalUrl.searchParams.get(\"state\") ?? 
throwErr(\"This should never happen; isn't state required above?\");\n const cookieResult = consumeVerifierAndStateCookie(expectedState);\n\n if (!cookieResult) {\n // If the state can't be found in the cookies, then the callback wasn't meant for us.\n // Maybe the website uses another OAuth library?\n console.warn(deindent`\n Stack found an outer OAuth callback state in the query parameters, but not in cookies.\n \n This could have multiple reasons:\n - The cookie expired, because the OAuth flow took too long.\n - The user's browser deleted the cookie, either manually or because of a very strict cookie policy.\n - The cookie was already consumed by this page, and the user already logged in.\n - You are using another OAuth client library with the same callback URL as Stack.\n - The user opened the OAuth callback page from their history.\n\n Either way, it is probably safe to ignore this warning unless you are debugging an OAuth issue.\n `);\n return null;\n }\n\n\n const newUrl = new URL(originalUrl);\n for (const param of requiredParams) {\n newUrl.searchParams.delete(param);\n }\n\n // let's get rid of the authorization code in the history as we\n // don't redirect to `redirectUrl` if there's a validation error\n // (as the redirectUrl might be malicious!).\n //\n // We use history.replaceState instead of location.assign(...) 
to\n // prevent an unnecessary reload\n window.history.replaceState({}, \"\", newUrl.toString());\n\n return {\n originalUrl,\n codeVerifier: cookieResult.codeVerifier,\n state: expectedState,\n };\n}\n\nexport async function callOAuthCallback(\n iface: StackClientInterface,\n redirectUrl: string,\n) {\n // note: this part of the function (until the return) needs\n // to be synchronous, to prevent race conditions when\n // callOAuthCallback is called multiple times in parallel\n const consumed = consumeOAuthCallbackQueryParams();\n if (!consumed) return Result.ok(undefined);\n\n // the rest can be asynchronous (we now know that we are the\n // intended recipient of the callback, and the only instance\n // of callOAuthCallback that's running)\n try {\n return Result.ok(await iface.callOAuthCallback({\n oauthParams: consumed.originalUrl.searchParams,\n redirectUri: constructRedirectUrl(redirectUrl, \"redirectUri\"),\n codeVerifier: consumed.codeVerifier,\n state: consumed.state,\n }));\n } catch (e) {\n if (KnownError.isKnownError(e)) {\n throw e;\n }\n throw new StackAssertionError(\"Error signing in during OAuth callback. 
Please try again.\", { cause: e });\n }\n}\n"],"mappings":";AAIA,SAAS,kBAAwC;AAEjD,SAAS,qBAAqB,gBAAgB;AAC9C,SAAS,oBAAoB;AAC7B,SAAS,cAAc;AACvB,SAAS,gBAAgB;AACzB,SAAS,4BAA4B;AACrC,SAAS,+BAA+B,4BAA4B;AAEpE,eAAsB,gBACpB,OACA,SAMA,SACA;AACA,QAAM,EAAE,eAAe,MAAM,IAAI,MAAM,qBAAqB;AAC5D,QAAM,WAAW,MAAM,MAAM,YAAY;AAAA,IACvC,UAAU,QAAQ;AAAA,IAClB,aAAa,qBAAqB,QAAQ,aAAa,aAAa;AAAA,IACpE,kBAAkB,qBAAqB,QAAQ,kBAAkB,kBAAkB;AAAA,IACnF;AAAA,IACA;AAAA,IACA,MAAM;AAAA,IACN,eAAe,QAAQ;AAAA,IACvB;AAAA,EACF,CAAC;AACD,SAAO,SAAS,OAAO,QAAQ;AAC/B,QAAM,aAAa;AACrB;AAEA,eAAsB,2BACpB,OACA,SAMA,SACA;AACA,QAAM,EAAE,eAAe,MAAM,IAAI,MAAM,qBAAqB;AAC5D,QAAM,WAAW,MAAM,MAAM,YAAY;AAAA,IACvC,UAAU,QAAQ;AAAA,IAClB,aAAa,qBAAqB,QAAQ,aAAa,aAAa;AAAA,IACpE,kBAAkB,qBAAqB,QAAQ,kBAAkB,kBAAkB;AAAA,IACnF,0BAA0B,qBAAqB,OAAO,SAAS,MAAM,0BAA0B;AAAA,IAC/F;AAAA,IACA;AAAA,IACA,MAAM;AAAA,IACN;AAAA,IACA,eAAe,QAAQ;AAAA,EACzB,CAAC;AACD,SAAO,SAAS,OAAO,QAAQ;AAC/B,QAAM,aAAa;AACrB;AAOA,SAAS,kCAAkC;AACzC,QAAM,iBAAiB,CAAC,QAAQ,OAAO;AACvC,QAAM,cAAc,IAAI,IAAI,OAAO,SAAS,IAAI;AAChD,aAAW,SAAS,gBAAgB;AAClC,QAAI,CAAC,YAAY,aAAa,IAAI,KAAK,GAAG;AACxC,cAAQ,KAAK,IAAI,MAAM,uDAAuD,KAAK,2EAA2E,CAAC;AAC/J,aAAO;AAAA,IACT;AAAA,EACF;AAEA,QAAM,gBAAgB,YAAY,aAAa,IAAI,OAAO,KAAK,SAAS,uDAAuD;AAC/H,QAAM,eAAe,8BAA8B,aAAa;AAEhE,MAAI,CAAC,cAAc;AAGjB,YAAQ,KAAK;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,KAWZ;AACD,WAAO;AAAA,EACT;AAGA,QAAM,SAAS,IAAI,IAAI,WAAW;AAClC,aAAW,SAAS,gBAAgB;AAClC,WAAO,aAAa,OAAO,KAAK;AAAA,EAClC;AAQA,SAAO,QAAQ,aAAa,CAAC,GAAG,IAAI,OAAO,SAAS,CAAC;AAErD,SAAO;AAAA,IACL;AAAA,IACA,cAAc,aAAa;AAAA,IAC3B,OAAO;AAAA,EACT;AACF;AAEA,eAAsB,kBACpB,OACA,aACA;AAIA,QAAM,WAAW,gCAAgC;AACjD,MAAI,CAAC,SAAU,QAAO,OAAO,GAAG,MAAS;AAKzC,MAAI;AACF,WAAO,OAAO,GAAG,MAAM,MAAM,kBAAkB;AAAA,MAC7C,aAAa,SAAS,YAAY;AAAA,MAClC,aAAa,qBAAqB,aAAa,aAAa;AAAA,MAC5D,cAAc,SAAS;AAAA,MACvB,OAAO,SAAS;AAAA,IAClB,CAAC,CAAC;AAAA,EACJ,SAAS,GAAG;AACV,QAAI,WAAW,aAAa,CAAC,GAAG;AAC9B,YAAM;AAAA,IACR;AACA,UAAM,IAAI,oBAAoB,6DAA6D,EAAE,OAAO,EAAE,CAAC;AAAA,EACzG;AACF;","names":[]}
@@ -1 +1 @@
1
- {"version":3,"sources":["../../../src/lib/cookie.ts"],"sourcesContent":["\n//===========================================\n// THIS FILE IS AUTO-GENERATED FROM TEMPLATE. DO NOT EDIT IT DIRECTLY\n//===========================================\nimport { isBrowserLike } from '@stackframe/stack-shared/dist/utils/env';\nimport { StackAssertionError } from '@stackframe/stack-shared/dist/utils/errors';\nimport Cookies from \"js-cookie\";\nimport { calculatePKCECodeChallenge, generateRandomCodeVerifier, generateRandomState } from \"oauth4webapi\";\n\n\n// INFO: This file is used to manage cookies. It also sets some cookie flags automatically, see this description.\n//\n// It provides asynchronous setCookie, getCookie, deleteCookie, etc. functions that can be used in various environments\n// (browser + Next.js for now). Under the hood, they just get a CookieHelper object and then set the cookies there.\n//\n// The CookieHelper object is a simple object that lets you set, get and delete cookies synchronously. Acquiring one\n// is asynchronous (except for browser environments, where they can be acquired synchronously), but once you have it,\n// you can use it synchronously. This function is useful if you cannot await in the calling code, but otherwise you\n// should prefer to await the functions directly.\n//\n// Some cookie flags are set automatically by the CookieHelper (and hence also the <xyz>Cookie functions).\n// In particular:\n// - SameSite is set to `Lax` by default, which is already true in Chromium-based browsers, so this creates\n// compatibility with other browsers that use either Strict or None (particularly Safari and Firefox, and older\n// versions of Chrome). If Partitioned is automatically set (as described below), then this value is set to `None`\n// instead.\n// - Secure is set depending on whether we could successfully determine that the client is on HTTPS. 
For this, we use a\n// set of heuristics:\n// - In a browser environment, we check window.location.protocol which is always accurate\n// - In a Next.js server environment:\n// - First we check the `stack-is-https` cookie, which is set in various places on the\n// client with a Secure attribute. If that one is passed on to the server, we know that the client is on HTTPS\n// and we can set the Secure flag on the cookie. TODO: Should we also do this with a second cookie with a\n// __Host- prefix, so a malicious subdomain of the current domain cannot forcibly enable HTTPS mode and\n// therefore prevent new cookies from being set?\n// - Otherwise, we check the X-Forwarded-Proto header. If that one is `https`, we know that the client is\n// (pretending to be) on HTTPS and we can set the Secure flag on the cookie. Note that this header is\n// spoofable by malicious clients (so is the cookie actually), but since setting this value can only *increase*\n// security (and therefore prevent setting of a cookie), and requires a malicious client, this is still safe.\n// - If neither of the above is true, we don't set the Secure flag on the cookie.\n// - Partitioned is set depending on whether it is needed & supported. Unfortunately, the fact that Partitioned\n// cookies require SameSite=None, browsers that don't support it will still set them as normal third-party cookies,\n// which are fundamentally unsafe. Therefore, we need to take extra care that we only ever set Partitioned cookies\n// if we know for sure that the browser supports it.\n// - In a browser environment, we check:\n// - Whether `Secure` is set. If it's not, we don't set Partitioned.\n// - Whether we can set & retrieve cookies without Partitioned being set. If this is the case, we are likely in a\n// top-level context or a browser that partitions cookies by default (eg. Firefox). In this case, we don't need\n// Partitioned and can just proceed as normal.\n// - Whether CHIPS is supported. 
To prevent the case where CHIPS is not supported but third-party cookies are (in\n// which we would accidentally set SameSite=None without Partitioned as the latter requires the former), we\n// check this by running a simple test with document.cookie.\n// - Whether the browser supports Partitioned cookies. If yes, set Partitioned. Otherwise, don't set Partitioned.\n// Since there's no easy cross-compat way to do this (CookieStore and document.cookie do not return whether a\n// cookie is partitioned on some/all versions of Safari and Firefox), we use a heuristic; we run this test by\n// creating two cookies with the same name: One with Partitioned and one without. If there are two resulting\n// cookies, that means they were put into different jars, implying that the browser supports Partitioned cookies\n// (but doesn't partition cookies by default). If they result in just one cookie, that could mean that the\n// browser doesn't support Partitioned cookies, or that the browser doesn't put partitioned cookies into\n// different jars by default, in which case we still don't know. This heuristic works on Chrome, but may\n// incorrectly conclude that some other browsers don't support Partitioned. But from a security perspective,\n// that is better than accidentally setting SameSite=None without Partitioned. TODO: Find a better heuristic to\n// to determine whether the browser supports Partitioned cookies or not.\n// - In a Next.js server environment, right now we do nothing because of the complexity involved :( TODO: In the\n// future, we could improve this for example by setting hint cookies from the client, but we need to make sure that\n// no malicious actor (eg. 
on a malicious subdomain) can forcefully enable Partitioned cookies on a browser that\n// does not support it.\n\n\ntype SetCookieOptions = { maxAge: number | \"session\", noOpIfServerComponent?: boolean, domain?: string, secure?: boolean };\ntype DeleteCookieOptions = { noOpIfServerComponent?: boolean, domain?: string };\n\nfunction ensureClient() {\n if (!isBrowserLike()) {\n throw new Error(\"cookieClient functions can only be called in a browser environment, yet window is undefined\");\n }\n}\n\nexport type CookieHelper = {\n get: (name: string) => string | null,\n getAll: () => Record<string, string>,\n set: (name: string, value: string, options: SetCookieOptions) => void,\n setOrDelete: (name: string, value: string | null, options: SetCookieOptions & DeleteCookieOptions) => void,\n delete: (name: string, options: DeleteCookieOptions) => void,\n};\n\nconst placeholderCookieHelperIdentity = { \"placeholder cookie helper identity\": true };\nexport async function createPlaceholderCookieHelper(): Promise<CookieHelper> {\n function throwError(): never {\n throw new StackAssertionError(\"Throwing cookie helper is just a placeholder. 
This should never be called\");\n }\n return {\n get: throwError,\n getAll: throwError,\n set: throwError,\n setOrDelete: throwError,\n delete: throwError,\n };\n}\n\nexport async function createCookieHelper(): Promise<CookieHelper> {\n if (isBrowserLike()) {\n return createBrowserCookieHelper();\n } else {\n return await createPlaceholderCookieHelper();\n }\n}\n\nexport function createBrowserCookieHelper(): CookieHelper {\n return {\n get: getCookieClient,\n getAll: getAllCookiesClient,\n set: setCookieClient,\n setOrDelete: setOrDeleteCookieClient,\n delete: deleteCookieClient,\n };\n}\n\nfunction handleCookieError(e: unknown, options: DeleteCookieOptions | SetCookieOptions) {\n if (e instanceof Error && e.message.includes(\"Cookies can only be modified in\")) {\n if (options.noOpIfServerComponent) {\n // ignore\n } else {\n throw new StackAssertionError(\"Attempted to set cookie in server component. Pass { noOpIfServerComponent: true } in the options of Stack's cookie functions if this is intentional and you want to ignore this error. Read more: https://nextjs.org/docs/app/api-reference/functions/cookies#options\");\n }\n } else {\n throw e;\n }\n}\n\n\nexport function getCookieClient(name: string): string | null {\n const all = getAllCookiesClient();\n return all[name] ?? 
null;\n}\n\nexport function getAllCookiesClient(): Record<string, string> {\n ensureClient();\n // set a helper cookie, see comment in `NextCookieHelper.set` above\n Cookies.set(\"stack-is-https\", \"true\", { secure: true, expires: new Date(Date.now() + 1000 * 60 * 60 * 24 * 365) });\n return Cookies.get();\n}\n\nexport async function getCookie(name: string): Promise<string | null> {\n const cookieHelper = await createCookieHelper();\n return cookieHelper.get(name);\n}\n\nexport async function isSecure(): Promise<boolean> {\n if (isBrowserLike()) {\n return determineSecureFromClientContext();\n }\n return false;\n}\n\nfunction determineSecureFromClientContext(): boolean {\n return typeof window !== \"undefined\" && window.location.protocol === \"https:\";\n}\n\n\nlet _shouldSetPartitionedClientCache: boolean | undefined = undefined;\nfunction shouldSetPartitionedClient() {\n return _shouldSetPartitionedClientCache ??= _internalShouldSetPartitionedClient();\n}\nfunction _internalShouldSetPartitionedClient() {\n ensureClient();\n\n if (!(determineSecureFromClientContext())) {\n return false;\n }\n\n // check whether we can set & retrieve normal cookies (either because we're on a top-level/same-origin context or the browser partitions cookies by default)\n const cookie1Name = \"__Host-stack-temporary-chips-test-\" + Math.random().toString(36).substring(2, 15);\n document.cookie = `${cookie1Name}=value1; Secure; path=/`;\n const cookies1 = document.cookie.split(\"; \");\n document.cookie = `${cookie1Name}=delete1; Secure; path=/; expires=Thu, 01 Jan 1970 00:00:00 UTC;`;\n if (cookies1.some((c) => c.startsWith(cookie1Name + \"=\"))) {\n return false;\n }\n\n\n // check whether Partitioned cookies are supported by the browser\n // TODO: See comment at the top. 
Feels like we should find a better way to do this\n const cookie2Name = \"__Host-stack-temporary-chips-test-\" + Math.random().toString(36).substring(2, 15);\n\n // just to be safe, delete the cookie first to avoid weird RNG-prediction attacks\n // I don't know what they look like (since this is a host cookie) but better safe than sorry\n // (this function should be 100% bulletproof so we don't accidentally fall back to non-partitioned third party cookies on unsupported browsers)\n document.cookie = `${cookie2Name}=delete1; Secure; SameSite=None; Partitioned; expires=Thu, 01 Jan 1970 00:00:00 UTC; path=/`;\n document.cookie = `${cookie2Name}=delete2; Secure; SameSite=None; expires=Thu, 01 Jan 1970 00:00:00 UTC; path=/`;\n\n // set the cookie, once partitioned and once not partitioned\n document.cookie = `${cookie2Name}=set1; Secure; SameSite=None; Partitioned; path=/`;\n document.cookie = `${cookie2Name}=set2; Secure; SameSite=None; path=/`;\n\n // check if there are two cookies\n const cookies2 = document.cookie.split(\"; \");\n const numberOfCookiesWithThisName = cookies2.filter((c) => c.startsWith(cookie2Name + \"=\")).length;\n\n // clean up\n document.cookie = `${cookie2Name}=delete3; Secure; SameSite=None; Partitioned; expires=Thu, 01 Jan 1970 00:00:00 UTC; path=/`;\n document.cookie = `${cookie2Name}=delete4; Secure; SameSite=None; expires=Thu, 01 Jan 1970 00:00:00 UTC; path=/`;\n\n return numberOfCookiesWithThisName === 2;\n}\n\nfunction setCookieClientInternal(name: string, value: string, options: SetCookieOptions) {\n const secure = options.secure ?? determineSecureFromClientContext();\n const partitioned = shouldSetPartitionedClient();\n Cookies.set(name, value, {\n expires: options.maxAge === \"session\" ? undefined : new Date(Date.now() + (options.maxAge) * 1000),\n domain: options.domain,\n secure,\n sameSite: \"Lax\",\n ...(partitioned ? 
{\n partitioned,\n sameSite: \"None\",\n } : {}),\n });\n}\n\nfunction deleteCookieClientInternal(name: string, options: DeleteCookieOptions) {\n for (const partitioned of [true, false]) {\n if (options.domain !== undefined) {\n Cookies.remove(name, { domain: options.domain, secure: determineSecureFromClientContext(), partitioned });\n }\n Cookies.remove(name, { secure: determineSecureFromClientContext(), partitioned });\n }\n}\n\nexport function setOrDeleteCookieClient(name: string, value: string | null, options: SetCookieOptions & DeleteCookieOptions) {\n ensureClient();\n if (value === null) {\n deleteCookieClientInternal(name, options);\n } else {\n setCookieClientInternal(name, value, options);\n }\n}\n\nexport async function setOrDeleteCookie(name: string, value: string | null, options: SetCookieOptions & DeleteCookieOptions) {\n const cookieHelper = await createCookieHelper();\n cookieHelper.setOrDelete(name, value, options);\n}\n\nexport function deleteCookieClient(name: string, options: DeleteCookieOptions) {\n ensureClient();\n deleteCookieClientInternal(name, options);\n}\n\nexport async function deleteCookie(name: string, options: DeleteCookieOptions) {\n const cookieHelper = await createCookieHelper();\n cookieHelper.delete(name, options);\n}\n\nexport function setCookieClient(name: string, value: string, options: SetCookieOptions) {\n ensureClient();\n setCookieClientInternal(name, value, options);\n}\n\nexport async function setCookie(name: string, value: string, options: SetCookieOptions) {\n const cookieHelper = await createCookieHelper();\n cookieHelper.set(name, value, options);\n}\n\nexport async function saveVerifierAndState() {\n const codeVerifier = generateRandomCodeVerifier();\n const codeChallenge = await calculatePKCECodeChallenge(codeVerifier);\n const state = generateRandomState();\n\n await setCookie(\"stack-oauth-outer-\" + state, codeVerifier, { maxAge: 60 * 60 });\n\n return {\n codeChallenge,\n state,\n };\n}\n\nexport function 
consumeVerifierAndStateCookie(state: string) {\n ensureClient();\n const cookieName = \"stack-oauth-outer-\" + state;\n const codeVerifier = getCookieClient(cookieName);\n if (!codeVerifier) {\n return null;\n }\n deleteCookieClient(cookieName, {});\n return {\n codeVerifier,\n };\n}\n"],"mappings":";AAIA,SAAS,qBAAqB;AAC9B,SAAS,2BAA2B;AACpC,OAAO,aAAa;AACpB,SAAS,4BAA4B,4BAA4B,2BAA2B;AAiE5F,SAAS,eAAe;AACtB,MAAI,CAAC,cAAc,GAAG;AACpB,UAAM,IAAI,MAAM,6FAA6F;AAAA,EAC/G;AACF;AAWA,eAAsB,gCAAuD;AAC3E,WAAS,aAAoB;AAC3B,UAAM,IAAI,oBAAoB,2EAA2E;AAAA,EAC3G;AACA,SAAO;AAAA,IACL,KAAK;AAAA,IACL,QAAQ;AAAA,IACR,KAAK;AAAA,IACL,aAAa;AAAA,IACb,QAAQ;AAAA,EACV;AACF;AAEA,eAAsB,qBAA4C;AAChE,MAAI,cAAc,GAAG;AACnB,WAAO,0BAA0B;AAAA,EACnC,OAAO;AACL,WAAO,MAAM,8BAA8B;AAAA,EAC7C;AACF;AAEO,SAAS,4BAA0C;AACxD,SAAO;AAAA,IACL,KAAK;AAAA,IACL,QAAQ;AAAA,IACR,KAAK;AAAA,IACL,aAAa;AAAA,IACb,QAAQ;AAAA,EACV;AACF;AAeO,SAAS,gBAAgB,MAA6B;AAC3D,QAAM,MAAM,oBAAoB;AAChC,SAAO,IAAI,IAAI,KAAK;AACtB;AAEO,SAAS,sBAA8C;AAC5D,eAAa;AAEb,UAAQ,IAAI,kBAAkB,QAAQ,EAAE,QAAQ,MAAM,SAAS,IAAI,KAAK,KAAK,IAAI,IAAI,MAAO,KAAK,KAAK,KAAK,GAAG,EAAE,CAAC;AACjH,SAAO,QAAQ,IAAI;AACrB;AAEA,eAAsB,UAAU,MAAsC;AACpE,QAAM,eAAe,MAAM,mBAAmB;AAC9C,SAAO,aAAa,IAAI,IAAI;AAC9B;AAEA,eAAsB,WAA6B;AACjD,MAAI,cAAc,GAAG;AACnB,WAAO,iCAAiC;AAAA,EAC1C;AACA,SAAO;AACT;AAEA,SAAS,mCAA4C;AACnD,SAAO,OAAO,WAAW,eAAe,OAAO,SAAS,aAAa;AACvE;AAGA,IAAI,mCAAwD;AAC5D,SAAS,6BAA6B;AACpC,SAAO,qCAAqC,oCAAoC;AAClF;AACA,SAAS,sCAAsC;AAC7C,eAAa;AAEb,MAAI,CAAE,iCAAiC,GAAI;AACzC,WAAO;AAAA,EACT;AAGA,QAAM,cAAc,uCAAuC,KAAK,OAAO,EAAE,SAAS,EAAE,EAAE,UAAU,GAAG,EAAE;AACrG,WAAS,SAAS,GAAG,WAAW;AAChC,QAAM,WAAW,SAAS,OAAO,MAAM,IAAI;AAC3C,WAAS,SAAS,GAAG,WAAW;AAChC,MAAI,SAAS,KAAK,CAAC,MAAM,EAAE,WAAW,cAAc,GAAG,CAAC,GAAG;AACzD,WAAO;AAAA,EACT;AAKA,QAAM,cAAc,uCAAuC,KAAK,OAAO,EAAE,SAAS,EAAE,EAAE,UAAU,GAAG,EAAE;AAKrG,WAAS,SAAS,GAAG,WAAW;AAChC,WAAS,SAAS,GAAG,WAAW;AAGhC,WAAS,SAAS,GAAG,WAAW;AAChC,WAAS,SAAS,GAAG,WAAW;AAGhC,QAAM,WAAW,SAAS,OAAO,MAAM,IAAI;AAC3C,QAAM,8BAA8B,SAAS,OAAO,CAAC,MAAM,EAAE,WAAW,cAAc,GAAG,CAAC,EAAE;A
AG5F,WAAS,SAAS,GAAG,WAAW;AAChC,WAAS,SAAS,GAAG,WAAW;AAEhC,SAAO,gCAAgC;AACzC;AAEA,SAAS,wBAAwB,MAAc,OAAe,SAA2B;AACvF,QAAM,SAAS,QAAQ,UAAU,iCAAiC;AAClE,QAAM,cAAc,2BAA2B;AAC/C,UAAQ,IAAI,MAAM,OAAO;AAAA,IACvB,SAAS,QAAQ,WAAW,YAAY,SAAY,IAAI,KAAK,KAAK,IAAI,IAAK,QAAQ,SAAU,GAAI;AAAA,IACjG,QAAQ,QAAQ;AAAA,IAChB;AAAA,IACA,UAAU;AAAA,IACV,GAAI,cAAc;AAAA,MAChB;AAAA,MACA,UAAU;AAAA,IACZ,IAAI,CAAC;AAAA,EACP,CAAC;AACH;AAEA,SAAS,2BAA2B,MAAc,SAA8B;AAC9E,aAAW,eAAe,CAAC,MAAM,KAAK,GAAG;AACvC,QAAI,QAAQ,WAAW,QAAW;AAChC,cAAQ,OAAO,MAAM,EAAE,QAAQ,QAAQ,QAAQ,QAAQ,iCAAiC,GAAG,YAAY,CAAC;AAAA,IAC1G;AACA,YAAQ,OAAO,MAAM,EAAE,QAAQ,iCAAiC,GAAG,YAAY,CAAC;AAAA,EAClF;AACF;AAEO,SAAS,wBAAwB,MAAc,OAAsB,SAAiD;AAC3H,eAAa;AACb,MAAI,UAAU,MAAM;AAClB,+BAA2B,MAAM,OAAO;AAAA,EAC1C,OAAO;AACL,4BAAwB,MAAM,OAAO,OAAO;AAAA,EAC9C;AACF;AAEA,eAAsB,kBAAkB,MAAc,OAAsB,SAAiD;AAC3H,QAAM,eAAe,MAAM,mBAAmB;AAC9C,eAAa,YAAY,MAAM,OAAO,OAAO;AAC/C;AAEO,SAAS,mBAAmB,MAAc,SAA8B;AAC7E,eAAa;AACb,6BAA2B,MAAM,OAAO;AAC1C;AAEA,eAAsB,aAAa,MAAc,SAA8B;AAC7E,QAAM,eAAe,MAAM,mBAAmB;AAC9C,eAAa,OAAO,MAAM,OAAO;AACnC;AAEO,SAAS,gBAAgB,MAAc,OAAe,SAA2B;AACtF,eAAa;AACb,0BAAwB,MAAM,OAAO,OAAO;AAC9C;AAEA,eAAsB,UAAU,MAAc,OAAe,SAA2B;AACtF,QAAM,eAAe,MAAM,mBAAmB;AAC9C,eAAa,IAAI,MAAM,OAAO,OAAO;AACvC;AAEA,eAAsB,uBAAuB;AAC3C,QAAM,eAAe,2BAA2B;AAChD,QAAM,gBAAgB,MAAM,2BAA2B,YAAY;AACnE,QAAM,QAAQ,oBAAoB;AAElC,QAAM,UAAU,uBAAuB,OAAO,cAAc,EAAE,QAAQ,KAAK,GAAG,CAAC;AAE/E,SAAO;AAAA,IACL;AAAA,IACA;AAAA,EACF;AACF;AAEO,SAAS,8BAA8B,OAAe;AAC3D,eAAa;AACb,QAAM,aAAa,uBAAuB;AAC1C,QAAM,eAAe,gBAAgB,UAAU;AAC/C,MAAI,CAAC,cAAc;AACjB,WAAO;AAAA,EACT;AACA,qBAAmB,YAAY,CAAC,CAAC;AACjC,SAAO;AAAA,IACL;AAAA,EACF;AACF;","names":[]}
1
+ {"version":3,"sources":["../../../src/lib/cookie.ts"],"sourcesContent":["\n//===========================================\n// THIS FILE IS AUTO-GENERATED FROM TEMPLATE. DO NOT EDIT IT DIRECTLY, INSTEAD EDIT THE CORRESPONDING FILE IN packages/template\n//===========================================\nimport { isBrowserLike } from '@stackframe/stack-shared/dist/utils/env';\nimport { StackAssertionError } from '@stackframe/stack-shared/dist/utils/errors';\nimport Cookies from \"js-cookie\";\nimport { calculatePKCECodeChallenge, generateRandomCodeVerifier, generateRandomState } from \"oauth4webapi\";\n\n\n// INFO: This file is used to manage cookies. It also sets some cookie flags automatically, see this description.\n//\n// It provides asynchronous setCookie, getCookie, deleteCookie, etc. functions that can be used in various environments\n// (browser + Next.js for now). Under the hood, they just get a CookieHelper object and then set the cookies there.\n//\n// The CookieHelper object is a simple object that lets you set, get and delete cookies synchronously. Acquiring one\n// is asynchronous (except for browser environments, where they can be acquired synchronously), but once you have it,\n// you can use it synchronously. This function is useful if you cannot await in the calling code, but otherwise you\n// should prefer to await the functions directly.\n//\n// Some cookie flags are set automatically by the CookieHelper (and hence also the <xyz>Cookie functions).\n// In particular:\n// - SameSite is set to `Lax` by default, which is already true in Chromium-based browsers, so this creates\n// compatibility with other browsers that use either Strict or None (particularly Safari and Firefox, and older\n// versions of Chrome). If Partitioned is automatically set (as described below), then this value is set to `None`\n// instead.\n// - Secure is set depending on whether we could successfully determine that the client is on HTTPS. 
For this, we use a\n// set of heuristics:\n// - In a browser environment, we check window.location.protocol which is always accurate\n// - In a Next.js server environment:\n// - First we check the `stack-is-https` cookie, which is set in various places on the\n// client with a Secure attribute. If that one is passed on to the server, we know that the client is on HTTPS\n// and we can set the Secure flag on the cookie. TODO: Should we also do this with a second cookie with a\n// __Host- prefix, so a malicious subdomain of the current domain cannot forcibly enable HTTPS mode and\n// therefore prevent new cookies from being set?\n// - Otherwise, we check the X-Forwarded-Proto header. If that one is `https`, we know that the client is\n// (pretending to be) on HTTPS and we can set the Secure flag on the cookie. Note that this header is\n// spoofable by malicious clients (so is the cookie actually), but since setting this value can only *increase*\n// security (and therefore prevent setting of a cookie), and requires a malicious client, this is still safe.\n// - If neither of the above is true, we don't set the Secure flag on the cookie.\n// - Partitioned is set depending on whether it is needed & supported. Unfortunately, the fact that Partitioned\n// cookies require SameSite=None, browsers that don't support it will still set them as normal third-party cookies,\n// which are fundamentally unsafe. Therefore, we need to take extra care that we only ever set Partitioned cookies\n// if we know for sure that the browser supports it.\n// - In a browser environment, we check:\n// - Whether `Secure` is set. If it's not, we don't set Partitioned.\n// - Whether we can set & retrieve cookies without Partitioned being set. If this is the case, we are likely in a\n// top-level context or a browser that partitions cookies by default (eg. Firefox). In this case, we don't need\n// Partitioned and can just proceed as normal.\n// - Whether CHIPS is supported. 
To prevent the case where CHIPS is not supported but third-party cookies are (in\n// which we would accidentally set SameSite=None without Partitioned as the latter requires the former), we\n// check this by running a simple test with document.cookie.\n// - Whether the browser supports Partitioned cookies. If yes, set Partitioned. Otherwise, don't set Partitioned.\n// Since there's no easy cross-compat way to do this (CookieStore and document.cookie do not return whether a\n// cookie is partitioned on some/all versions of Safari and Firefox), we use a heuristic; we run this test by\n// creating two cookies with the same name: One with Partitioned and one without. If there are two resulting\n// cookies, that means they were put into different jars, implying that the browser supports Partitioned cookies\n// (but doesn't partition cookies by default). If they result in just one cookie, that could mean that the\n// browser doesn't support Partitioned cookies, or that the browser doesn't put partitioned cookies into\n// different jars by default, in which case we still don't know. This heuristic works on Chrome, but may\n// incorrectly conclude that some other browsers don't support Partitioned. But from a security perspective,\n// that is better than accidentally setting SameSite=None without Partitioned. TODO: Find a better heuristic to\n// to determine whether the browser supports Partitioned cookies or not.\n// - In a Next.js server environment, right now we do nothing because of the complexity involved :( TODO: In the\n// future, we could improve this for example by setting hint cookies from the client, but we need to make sure that\n// no malicious actor (eg. 
on a malicious subdomain) can forcefully enable Partitioned cookies on a browser that\n// does not support it.\n\n\ntype SetCookieOptions = { maxAge: number | \"session\", noOpIfServerComponent?: boolean, domain?: string, secure?: boolean };\ntype DeleteCookieOptions = { noOpIfServerComponent?: boolean, domain?: string };\n\nfunction ensureClient() {\n if (!isBrowserLike()) {\n throw new Error(\"cookieClient functions can only be called in a browser environment, yet window is undefined\");\n }\n}\n\nexport type CookieHelper = {\n get: (name: string) => string | null,\n getAll: () => Record<string, string>,\n set: (name: string, value: string, options: SetCookieOptions) => void,\n setOrDelete: (name: string, value: string | null, options: SetCookieOptions & DeleteCookieOptions) => void,\n delete: (name: string, options: DeleteCookieOptions) => void,\n};\n\nconst placeholderCookieHelperIdentity = { \"placeholder cookie helper identity\": true };\nexport async function createPlaceholderCookieHelper(): Promise<CookieHelper> {\n function throwError(): never {\n throw new StackAssertionError(\"Throwing cookie helper is just a placeholder. 
This should never be called\");\n }\n return {\n get: throwError,\n getAll: throwError,\n set: throwError,\n setOrDelete: throwError,\n delete: throwError,\n };\n}\n\nexport async function createCookieHelper(): Promise<CookieHelper> {\n if (isBrowserLike()) {\n return createBrowserCookieHelper();\n } else {\n return await createPlaceholderCookieHelper();\n }\n}\n\nexport function createBrowserCookieHelper(): CookieHelper {\n return {\n get: getCookieClient,\n getAll: getAllCookiesClient,\n set: setCookieClient,\n setOrDelete: setOrDeleteCookieClient,\n delete: deleteCookieClient,\n };\n}\n\nfunction handleCookieError(e: unknown, options: DeleteCookieOptions | SetCookieOptions) {\n if (e instanceof Error && e.message.includes(\"Cookies can only be modified in\")) {\n if (options.noOpIfServerComponent) {\n // ignore\n } else {\n throw new StackAssertionError(\"Attempted to set cookie in server component. Pass { noOpIfServerComponent: true } in the options of Stack's cookie functions if this is intentional and you want to ignore this error. Read more: https://nextjs.org/docs/app/api-reference/functions/cookies#options\");\n }\n } else {\n throw e;\n }\n}\n\n\nexport function getCookieClient(name: string): string | null {\n const all = getAllCookiesClient();\n return all[name] ?? 
null;\n}\n\nexport function getAllCookiesClient(): Record<string, string> {\n ensureClient();\n // set a helper cookie, see comment in `NextCookieHelper.set` above\n Cookies.set(\"stack-is-https\", \"true\", { secure: true, expires: new Date(Date.now() + 1000 * 60 * 60 * 24 * 365) });\n return Cookies.get();\n}\n\nexport async function getCookie(name: string): Promise<string | null> {\n const cookieHelper = await createCookieHelper();\n return cookieHelper.get(name);\n}\n\nexport async function isSecure(): Promise<boolean> {\n if (isBrowserLike()) {\n return determineSecureFromClientContext();\n }\n return false;\n}\n\nfunction determineSecureFromClientContext(): boolean {\n return typeof window !== \"undefined\" && window.location.protocol === \"https:\";\n}\n\n\nlet _shouldSetPartitionedClientCache: boolean | undefined = undefined;\nfunction shouldSetPartitionedClient() {\n return _shouldSetPartitionedClientCache ??= _internalShouldSetPartitionedClient();\n}\nfunction _internalShouldSetPartitionedClient() {\n ensureClient();\n\n if (!(determineSecureFromClientContext())) {\n return false;\n }\n\n // check whether we can set & retrieve normal cookies (either because we're on a top-level/same-origin context or the browser partitions cookies by default)\n const cookie1Name = \"__Host-stack-temporary-chips-test-\" + Math.random().toString(36).substring(2, 15);\n document.cookie = `${cookie1Name}=value1; Secure; path=/`;\n const cookies1 = document.cookie.split(\"; \");\n document.cookie = `${cookie1Name}=delete1; Secure; path=/; expires=Thu, 01 Jan 1970 00:00:00 UTC;`;\n if (cookies1.some((c) => c.startsWith(cookie1Name + \"=\"))) {\n return false;\n }\n\n\n // check whether Partitioned cookies are supported by the browser\n // TODO: See comment at the top. 
Feels like we should find a better way to do this\n const cookie2Name = \"__Host-stack-temporary-chips-test-\" + Math.random().toString(36).substring(2, 15);\n\n // just to be safe, delete the cookie first to avoid weird RNG-prediction attacks\n // I don't know what they look like (since this is a host cookie) but better safe than sorry\n // (this function should be 100% bulletproof so we don't accidentally fall back to non-partitioned third party cookies on unsupported browsers)\n document.cookie = `${cookie2Name}=delete1; Secure; SameSite=None; Partitioned; expires=Thu, 01 Jan 1970 00:00:00 UTC; path=/`;\n document.cookie = `${cookie2Name}=delete2; Secure; SameSite=None; expires=Thu, 01 Jan 1970 00:00:00 UTC; path=/`;\n\n // set the cookie, once partitioned and once not partitioned\n document.cookie = `${cookie2Name}=set1; Secure; SameSite=None; Partitioned; path=/`;\n document.cookie = `${cookie2Name}=set2; Secure; SameSite=None; path=/`;\n\n // check if there are two cookies\n const cookies2 = document.cookie.split(\"; \");\n const numberOfCookiesWithThisName = cookies2.filter((c) => c.startsWith(cookie2Name + \"=\")).length;\n\n // clean up\n document.cookie = `${cookie2Name}=delete3; Secure; SameSite=None; Partitioned; expires=Thu, 01 Jan 1970 00:00:00 UTC; path=/`;\n document.cookie = `${cookie2Name}=delete4; Secure; SameSite=None; expires=Thu, 01 Jan 1970 00:00:00 UTC; path=/`;\n\n return numberOfCookiesWithThisName === 2;\n}\n\nfunction setCookieClientInternal(name: string, value: string, options: SetCookieOptions) {\n const secure = options.secure ?? determineSecureFromClientContext();\n const partitioned = shouldSetPartitionedClient();\n Cookies.set(name, value, {\n expires: options.maxAge === \"session\" ? undefined : new Date(Date.now() + (options.maxAge) * 1000),\n domain: options.domain,\n secure,\n sameSite: \"Lax\",\n ...(partitioned ? 
{\n partitioned,\n sameSite: \"None\",\n } : {}),\n });\n}\n\nfunction deleteCookieClientInternal(name: string, options: DeleteCookieOptions) {\n for (const partitioned of [true, false]) {\n if (options.domain !== undefined) {\n Cookies.remove(name, { domain: options.domain, secure: determineSecureFromClientContext(), partitioned });\n }\n Cookies.remove(name, { secure: determineSecureFromClientContext(), partitioned });\n }\n}\n\nexport function setOrDeleteCookieClient(name: string, value: string | null, options: SetCookieOptions & DeleteCookieOptions) {\n ensureClient();\n if (value === null) {\n deleteCookieClientInternal(name, options);\n } else {\n setCookieClientInternal(name, value, options);\n }\n}\n\nexport async function setOrDeleteCookie(name: string, value: string | null, options: SetCookieOptions & DeleteCookieOptions) {\n const cookieHelper = await createCookieHelper();\n cookieHelper.setOrDelete(name, value, options);\n}\n\nexport function deleteCookieClient(name: string, options: DeleteCookieOptions) {\n ensureClient();\n deleteCookieClientInternal(name, options);\n}\n\nexport async function deleteCookie(name: string, options: DeleteCookieOptions) {\n const cookieHelper = await createCookieHelper();\n cookieHelper.delete(name, options);\n}\n\nexport function setCookieClient(name: string, value: string, options: SetCookieOptions) {\n ensureClient();\n setCookieClientInternal(name, value, options);\n}\n\nexport async function setCookie(name: string, value: string, options: SetCookieOptions) {\n const cookieHelper = await createCookieHelper();\n cookieHelper.set(name, value, options);\n}\n\nexport async function saveVerifierAndState() {\n const codeVerifier = generateRandomCodeVerifier();\n const codeChallenge = await calculatePKCECodeChallenge(codeVerifier);\n const state = generateRandomState();\n\n await setCookie(\"stack-oauth-outer-\" + state, codeVerifier, { maxAge: 60 * 60 });\n\n return {\n codeChallenge,\n state,\n };\n}\n\nexport function 
consumeVerifierAndStateCookie(state: string) {\n ensureClient();\n const cookieName = \"stack-oauth-outer-\" + state;\n const codeVerifier = getCookieClient(cookieName);\n if (!codeVerifier) {\n return null;\n }\n deleteCookieClient(cookieName, {});\n return {\n codeVerifier,\n };\n}\n"],"mappings":";AAIA,SAAS,qBAAqB;AAC9B,SAAS,2BAA2B;AACpC,OAAO,aAAa;AACpB,SAAS,4BAA4B,4BAA4B,2BAA2B;AAiE5F,SAAS,eAAe;AACtB,MAAI,CAAC,cAAc,GAAG;AACpB,UAAM,IAAI,MAAM,6FAA6F;AAAA,EAC/G;AACF;AAWA,eAAsB,gCAAuD;AAC3E,WAAS,aAAoB;AAC3B,UAAM,IAAI,oBAAoB,2EAA2E;AAAA,EAC3G;AACA,SAAO;AAAA,IACL,KAAK;AAAA,IACL,QAAQ;AAAA,IACR,KAAK;AAAA,IACL,aAAa;AAAA,IACb,QAAQ;AAAA,EACV;AACF;AAEA,eAAsB,qBAA4C;AAChE,MAAI,cAAc,GAAG;AACnB,WAAO,0BAA0B;AAAA,EACnC,OAAO;AACL,WAAO,MAAM,8BAA8B;AAAA,EAC7C;AACF;AAEO,SAAS,4BAA0C;AACxD,SAAO;AAAA,IACL,KAAK;AAAA,IACL,QAAQ;AAAA,IACR,KAAK;AAAA,IACL,aAAa;AAAA,IACb,QAAQ;AAAA,EACV;AACF;AAeO,SAAS,gBAAgB,MAA6B;AAC3D,QAAM,MAAM,oBAAoB;AAChC,SAAO,IAAI,IAAI,KAAK;AACtB;AAEO,SAAS,sBAA8C;AAC5D,eAAa;AAEb,UAAQ,IAAI,kBAAkB,QAAQ,EAAE,QAAQ,MAAM,SAAS,IAAI,KAAK,KAAK,IAAI,IAAI,MAAO,KAAK,KAAK,KAAK,GAAG,EAAE,CAAC;AACjH,SAAO,QAAQ,IAAI;AACrB;AAEA,eAAsB,UAAU,MAAsC;AACpE,QAAM,eAAe,MAAM,mBAAmB;AAC9C,SAAO,aAAa,IAAI,IAAI;AAC9B;AAEA,eAAsB,WAA6B;AACjD,MAAI,cAAc,GAAG;AACnB,WAAO,iCAAiC;AAAA,EAC1C;AACA,SAAO;AACT;AAEA,SAAS,mCAA4C;AACnD,SAAO,OAAO,WAAW,eAAe,OAAO,SAAS,aAAa;AACvE;AAGA,IAAI,mCAAwD;AAC5D,SAAS,6BAA6B;AACpC,SAAO,qCAAqC,oCAAoC;AAClF;AACA,SAAS,sCAAsC;AAC7C,eAAa;AAEb,MAAI,CAAE,iCAAiC,GAAI;AACzC,WAAO;AAAA,EACT;AAGA,QAAM,cAAc,uCAAuC,KAAK,OAAO,EAAE,SAAS,EAAE,EAAE,UAAU,GAAG,EAAE;AACrG,WAAS,SAAS,GAAG,WAAW;AAChC,QAAM,WAAW,SAAS,OAAO,MAAM,IAAI;AAC3C,WAAS,SAAS,GAAG,WAAW;AAChC,MAAI,SAAS,KAAK,CAAC,MAAM,EAAE,WAAW,cAAc,GAAG,CAAC,GAAG;AACzD,WAAO;AAAA,EACT;AAKA,QAAM,cAAc,uCAAuC,KAAK,OAAO,EAAE,SAAS,EAAE,EAAE,UAAU,GAAG,EAAE;AAKrG,WAAS,SAAS,GAAG,WAAW;AAChC,WAAS,SAAS,GAAG,WAAW;AAGhC,WAAS,SAAS,GAAG,WAAW;AAChC,WAAS,SAAS,GAAG,WAAW;AAGhC,QAAM,WAAW,SAAS,OAAO,MAAM,IAAI;AAC3C,QAAM,8BAA8B,SAAS,OAAO,CAAC,MAAM,EAAE,WAAW,cAAc,GAAG,CAAC,EAAE;A
AG5F,WAAS,SAAS,GAAG,WAAW;AAChC,WAAS,SAAS,GAAG,WAAW;AAEhC,SAAO,gCAAgC;AACzC;AAEA,SAAS,wBAAwB,MAAc,OAAe,SAA2B;AACvF,QAAM,SAAS,QAAQ,UAAU,iCAAiC;AAClE,QAAM,cAAc,2BAA2B;AAC/C,UAAQ,IAAI,MAAM,OAAO;AAAA,IACvB,SAAS,QAAQ,WAAW,YAAY,SAAY,IAAI,KAAK,KAAK,IAAI,IAAK,QAAQ,SAAU,GAAI;AAAA,IACjG,QAAQ,QAAQ;AAAA,IAChB;AAAA,IACA,UAAU;AAAA,IACV,GAAI,cAAc;AAAA,MAChB;AAAA,MACA,UAAU;AAAA,IACZ,IAAI,CAAC;AAAA,EACP,CAAC;AACH;AAEA,SAAS,2BAA2B,MAAc,SAA8B;AAC9E,aAAW,eAAe,CAAC,MAAM,KAAK,GAAG;AACvC,QAAI,QAAQ,WAAW,QAAW;AAChC,cAAQ,OAAO,MAAM,EAAE,QAAQ,QAAQ,QAAQ,QAAQ,iCAAiC,GAAG,YAAY,CAAC;AAAA,IAC1G;AACA,YAAQ,OAAO,MAAM,EAAE,QAAQ,iCAAiC,GAAG,YAAY,CAAC;AAAA,EAClF;AACF;AAEO,SAAS,wBAAwB,MAAc,OAAsB,SAAiD;AAC3H,eAAa;AACb,MAAI,UAAU,MAAM;AAClB,+BAA2B,MAAM,OAAO;AAAA,EAC1C,OAAO;AACL,4BAAwB,MAAM,OAAO,OAAO;AAAA,EAC9C;AACF;AAEA,eAAsB,kBAAkB,MAAc,OAAsB,SAAiD;AAC3H,QAAM,eAAe,MAAM,mBAAmB;AAC9C,eAAa,YAAY,MAAM,OAAO,OAAO;AAC/C;AAEO,SAAS,mBAAmB,MAAc,SAA8B;AAC7E,eAAa;AACb,6BAA2B,MAAM,OAAO;AAC1C;AAEA,eAAsB,aAAa,MAAc,SAA8B;AAC7E,QAAM,eAAe,MAAM,mBAAmB;AAC9C,eAAa,OAAO,MAAM,OAAO;AACnC;AAEO,SAAS,gBAAgB,MAAc,OAAe,SAA2B;AACtF,eAAa;AACb,0BAAwB,MAAM,OAAO,OAAO;AAC9C;AAEA,eAAsB,UAAU,MAAc,OAAe,SAA2B;AACtF,QAAM,eAAe,MAAM,mBAAmB;AAC9C,eAAa,IAAI,MAAM,OAAO,OAAO;AACvC;AAEA,eAAsB,uBAAuB;AAC3C,QAAM,eAAe,2BAA2B;AAChD,QAAM,gBAAgB,MAAM,2BAA2B,YAAY;AACnE,QAAM,QAAQ,oBAAoB;AAElC,QAAM,UAAU,uBAAuB,OAAO,cAAc,EAAE,QAAQ,KAAK,GAAG,CAAC;AAE/E,SAAO;AAAA,IACL;AAAA,IACA;AAAA,EACF;AACF;AAEO,SAAS,8BAA8B,OAAe;AAC3D,eAAa;AACb,QAAM,aAAa,uBAAuB;AAC1C,QAAM,eAAe,gBAAgB,UAAU;AAC/C,MAAI,CAAC,cAAc;AACjB,WAAO;AAAA,EACT;AACA,qBAAmB,YAAY,CAAC,CAAC;AACjC,SAAO;AAAA,IACL;AAAA,EACF;AACF;","names":[]}
@@ -1 +1 @@
1
- {"version":3,"sources":["../../../../../src/lib/stack-app/api-keys/index.ts"],"sourcesContent":["\n//===========================================\n// THIS FILE IS AUTO-GENERATED FROM TEMPLATE. DO NOT EDIT IT DIRECTLY\n//===========================================\nimport { TeamApiKeysCrud, UserApiKeysCrud, teamApiKeysCreateInputSchema, userApiKeysCreateInputSchema } from \"@stackframe/stack-shared/dist/interface/crud/project-api-keys\";\nimport { filterUndefined } from \"@stackframe/stack-shared/dist/utils/objects\";\nimport { IfAndOnlyIf, PrettifyType } from \"@stackframe/stack-shared/dist/utils/types\";\nimport type * as yup from \"yup\";\n\nexport type ApiKeyType = \"user\" | \"team\";\n\nexport type ApiKey<Type extends ApiKeyType = ApiKeyType, IsFirstView extends boolean = false> =\n & {\n id: string,\n description: string,\n expiresAt?: Date,\n manuallyRevokedAt?: Date | null,\n createdAt: Date,\n value: IfAndOnlyIf<IsFirstView, true, string, { lastFour: string }>,\n update(options: ApiKeyUpdateOptions<Type>): Promise<void>,\n revoke: () => Promise<void>,\n isValid: () => boolean,\n whyInvalid: () => \"manually-revoked\" | \"expired\" | null,\n }\n & (\n | (\"user\" extends Type ? { type: \"user\", userId: string } : never)\n | (\"team\" extends Type ? { type: \"team\", teamId: string } : never)\n );\n\nexport type UserApiKeyFirstView = PrettifyType<ApiKey<\"user\", true>>;\nexport type UserApiKey = PrettifyType<ApiKey<\"user\", false>>;\n\nexport type TeamApiKeyFirstView = PrettifyType<ApiKey<\"team\", true>>;\nexport type TeamApiKey = PrettifyType<ApiKey<\"team\", false>>;\n\nexport type ApiKeyCreationOptions<Type extends ApiKeyType = ApiKeyType> =\n & {\n description: string,\n expiresAt: Date | null,\n /**\n * Whether the API key should be considered public. 
A public API key will not be detected by the secret scanner, which\n * automatically revokes API keys when it detects that they may have been exposed to the public.\n */\n isPublic?: boolean,\n };\nexport function apiKeyCreationOptionsToCrud(type: \"user\", userId: string, options: ApiKeyCreationOptions<\"user\">): Promise<yup.InferType<typeof userApiKeysCreateInputSchema>>;\nexport function apiKeyCreationOptionsToCrud(type: \"team\", teamId: string, options: ApiKeyCreationOptions<\"team\">): Promise<yup.InferType<typeof teamApiKeysCreateInputSchema>>;\nexport function apiKeyCreationOptionsToCrud(type: ApiKeyType, userIdOrTeamId: string, options: ApiKeyCreationOptions): Promise<yup.InferType<typeof userApiKeysCreateInputSchema> | yup.InferType<typeof teamApiKeysCreateInputSchema>>;\nexport async function apiKeyCreationOptionsToCrud(type: ApiKeyType, userIdOrTeamId: string, options: ApiKeyCreationOptions): Promise<yup.InferType<typeof userApiKeysCreateInputSchema> | yup.InferType<typeof teamApiKeysCreateInputSchema>> {\n return {\n description: options.description,\n expires_at_millis: options.expiresAt == null ? options.expiresAt : options.expiresAt.getTime(),\n is_public: options.isPublic,\n ...(type === \"user\" ? 
{ user_id: userIdOrTeamId } : { team_id: userIdOrTeamId }),\n };\n}\n\n\nexport type ApiKeyUpdateOptions<Type extends ApiKeyType = ApiKeyType> = {\n description?: string,\n expiresAt?: Date | null,\n revoked?: boolean,\n};\nexport function apiKeyUpdateOptionsToCrud(type: \"user\", options: ApiKeyUpdateOptions<\"user\">): Promise<UserApiKeysCrud[\"Client\"][\"Update\"]>;\nexport function apiKeyUpdateOptionsToCrud(type: \"team\", options: ApiKeyUpdateOptions<\"team\">): Promise<TeamApiKeysCrud[\"Client\"][\"Update\"]>;\nexport function apiKeyUpdateOptionsToCrud(type: ApiKeyType, options: ApiKeyUpdateOptions): Promise<UserApiKeysCrud[\"Client\"][\"Update\"] | TeamApiKeysCrud[\"Client\"][\"Update\"]>;\nexport async function apiKeyUpdateOptionsToCrud(type: ApiKeyType, options: ApiKeyUpdateOptions): Promise<UserApiKeysCrud[\"Client\"][\"Update\"] | TeamApiKeysCrud[\"Client\"][\"Update\"]> {\n return filterUndefined({\n description: options.description,\n expires_at_millis: options.expiresAt == null ? options.expiresAt : options.expiresAt.getTime(),\n revoked: options.revoked,\n });\n}\n"],"mappings":";AAKA,SAAS,uBAAuB;AA2ChC,eAAsB,4BAA4B,MAAkB,gBAAwB,SAAkJ;AAC5O,SAAO;AAAA,IACL,aAAa,QAAQ;AAAA,IACrB,mBAAmB,QAAQ,aAAa,OAAO,QAAQ,YAAY,QAAQ,UAAU,QAAQ;AAAA,IAC7F,WAAW,QAAQ;AAAA,IACnB,GAAI,SAAS,SAAS,EAAE,SAAS,eAAe,IAAI,EAAE,SAAS,eAAe;AAAA,EAChF;AACF;AAWA,eAAsB,0BAA0B,MAAkB,SAAkH;AAClL,SAAO,gBAAgB;AAAA,IACrB,aAAa,QAAQ;AAAA,IACrB,mBAAmB,QAAQ,aAAa,OAAO,QAAQ,YAAY,QAAQ,UAAU,QAAQ;AAAA,IAC7F,SAAS,QAAQ;AAAA,EACnB,CAAC;AACH;","names":[]}
1
+ {"version":3,"sources":["../../../../../src/lib/stack-app/api-keys/index.ts"],"sourcesContent":["\n//===========================================\n// THIS FILE IS AUTO-GENERATED FROM TEMPLATE. DO NOT EDIT IT DIRECTLY, INSTEAD EDIT THE CORRESPONDING FILE IN packages/template\n//===========================================\nimport { TeamApiKeysCrud, UserApiKeysCrud, teamApiKeysCreateInputSchema, userApiKeysCreateInputSchema } from \"@stackframe/stack-shared/dist/interface/crud/project-api-keys\";\nimport { filterUndefined } from \"@stackframe/stack-shared/dist/utils/objects\";\nimport { IfAndOnlyIf, PrettifyType } from \"@stackframe/stack-shared/dist/utils/types\";\nimport type * as yup from \"yup\";\n\nexport type ApiKeyType = \"user\" | \"team\";\n\nexport type ApiKey<Type extends ApiKeyType = ApiKeyType, IsFirstView extends boolean = false> =\n & {\n id: string,\n description: string,\n expiresAt?: Date,\n manuallyRevokedAt?: Date | null,\n createdAt: Date,\n value: IfAndOnlyIf<IsFirstView, true, string, { lastFour: string }>,\n update(options: ApiKeyUpdateOptions<Type>): Promise<void>,\n revoke: () => Promise<void>,\n isValid: () => boolean,\n whyInvalid: () => \"manually-revoked\" | \"expired\" | null,\n }\n & (\n | (\"user\" extends Type ? { type: \"user\", userId: string } : never)\n | (\"team\" extends Type ? { type: \"team\", teamId: string } : never)\n );\n\nexport type UserApiKeyFirstView = PrettifyType<ApiKey<\"user\", true>>;\nexport type UserApiKey = PrettifyType<ApiKey<\"user\", false>>;\n\nexport type TeamApiKeyFirstView = PrettifyType<ApiKey<\"team\", true>>;\nexport type TeamApiKey = PrettifyType<ApiKey<\"team\", false>>;\n\nexport type ApiKeyCreationOptions<Type extends ApiKeyType = ApiKeyType> =\n & {\n description: string,\n expiresAt: Date | null,\n /**\n * Whether the API key should be considered public. 
A public API key will not be detected by the secret scanner, which\n * automatically revokes API keys when it detects that they may have been exposed to the public.\n */\n isPublic?: boolean,\n };\nexport function apiKeyCreationOptionsToCrud(type: \"user\", userId: string, options: ApiKeyCreationOptions<\"user\">): Promise<yup.InferType<typeof userApiKeysCreateInputSchema>>;\nexport function apiKeyCreationOptionsToCrud(type: \"team\", teamId: string, options: ApiKeyCreationOptions<\"team\">): Promise<yup.InferType<typeof teamApiKeysCreateInputSchema>>;\nexport function apiKeyCreationOptionsToCrud(type: ApiKeyType, userIdOrTeamId: string, options: ApiKeyCreationOptions): Promise<yup.InferType<typeof userApiKeysCreateInputSchema> | yup.InferType<typeof teamApiKeysCreateInputSchema>>;\nexport async function apiKeyCreationOptionsToCrud(type: ApiKeyType, userIdOrTeamId: string, options: ApiKeyCreationOptions): Promise<yup.InferType<typeof userApiKeysCreateInputSchema> | yup.InferType<typeof teamApiKeysCreateInputSchema>> {\n return {\n description: options.description,\n expires_at_millis: options.expiresAt == null ? options.expiresAt : options.expiresAt.getTime(),\n is_public: options.isPublic,\n ...(type === \"user\" ? 
{ user_id: userIdOrTeamId } : { team_id: userIdOrTeamId }),\n };\n}\n\n\nexport type ApiKeyUpdateOptions<Type extends ApiKeyType = ApiKeyType> = {\n description?: string,\n expiresAt?: Date | null,\n revoked?: boolean,\n};\nexport function apiKeyUpdateOptionsToCrud(type: \"user\", options: ApiKeyUpdateOptions<\"user\">): Promise<UserApiKeysCrud[\"Client\"][\"Update\"]>;\nexport function apiKeyUpdateOptionsToCrud(type: \"team\", options: ApiKeyUpdateOptions<\"team\">): Promise<TeamApiKeysCrud[\"Client\"][\"Update\"]>;\nexport function apiKeyUpdateOptionsToCrud(type: ApiKeyType, options: ApiKeyUpdateOptions): Promise<UserApiKeysCrud[\"Client\"][\"Update\"] | TeamApiKeysCrud[\"Client\"][\"Update\"]>;\nexport async function apiKeyUpdateOptionsToCrud(type: ApiKeyType, options: ApiKeyUpdateOptions): Promise<UserApiKeysCrud[\"Client\"][\"Update\"] | TeamApiKeysCrud[\"Client\"][\"Update\"]> {\n return filterUndefined({\n description: options.description,\n expires_at_millis: options.expiresAt == null ? options.expiresAt : options.expiresAt.getTime(),\n revoked: options.revoked,\n });\n}\n"],"mappings":";AAKA,SAAS,uBAAuB;AA2ChC,eAAsB,4BAA4B,MAAkB,gBAAwB,SAAkJ;AAC5O,SAAO;AAAA,IACL,aAAa,QAAQ;AAAA,IACrB,mBAAmB,QAAQ,aAAa,OAAO,QAAQ,YAAY,QAAQ,UAAU,QAAQ;AAAA,IAC7F,WAAW,QAAQ;AAAA,IACnB,GAAI,SAAS,SAAS,EAAE,SAAS,eAAe,IAAI,EAAE,SAAS,eAAe;AAAA,EAChF;AACF;AAWA,eAAsB,0BAA0B,MAAkB,SAAkH;AAClL,SAAO,gBAAgB;AAAA,IACrB,aAAa,QAAQ;AAAA,IACrB,mBAAmB,QAAQ,aAAa,OAAO,QAAQ,YAAY,QAAQ,UAAU,QAAQ;AAAA,IAC7F,SAAS,QAAQ;AAAA,EACnB,CAAC;AACH;","names":[]}
@@ -425,9 +425,244 @@ var _StackAdminAppImplIncomplete = class extends _StackServerAppImplIncomplete {
425
425
  const crud = Result.orThrow(await this._transactionsCache.getOrWait([params.cursor, params.limit, params.type, params.customerType], "write-only"));
426
426
  return crud;
427
427
  }
428
+ // Email Outbox methods
429
+ // eslint-disable-next-line @typescript-eslint/no-explicit-any -- Complex discriminated union conversion from API response
430
+ _emailOutboxCrudToAdmin(crud) {
431
+ const recipient = crud.to;
432
+ let to;
433
+ if (recipient.type === "user-primary-email") {
434
+ to = { type: "user-primary-email", userId: recipient.user_id };
435
+ } else if (recipient.type === "user-custom-emails") {
436
+ to = { type: "user-custom-emails", userId: recipient.user_id, emails: recipient.emails };
437
+ } else {
438
+ to = { type: "custom-emails", emails: recipient.emails };
439
+ }
440
+ const base = {
441
+ id: crud.id,
442
+ createdAt: new Date(crud.created_at_millis),
443
+ updatedAt: new Date(crud.updated_at_millis),
444
+ to,
445
+ scheduledAt: new Date(crud.scheduled_at_millis),
446
+ isPaused: false,
447
+ hasRendered: false,
448
+ hasDelivered: false
449
+ };
450
+ const rendered = crud.has_rendered ? {
451
+ ...base,
452
+ startedRenderingAt: new Date(crud.started_rendering_at_millis),
453
+ renderedAt: new Date(crud.rendered_at_millis),
454
+ subject: crud.subject,
455
+ html: crud.html,
456
+ text: crud.text,
457
+ isTransactional: crud.is_transactional,
458
+ isHighPriority: crud.is_high_priority,
459
+ notificationCategoryId: crud.notification_category_id,
460
+ hasRendered: true
461
+ } : null;
462
+ const startedSending = rendered && crud.started_sending_at_millis ? {
463
+ ...rendered,
464
+ startedSendingAt: new Date(crud.started_sending_at_millis)
465
+ } : null;
466
+ const finishedDelivering = startedSending && crud.has_delivered ? {
467
+ ...startedSending,
468
+ deliveredAt: new Date(crud.delivered_at_millis),
469
+ hasDelivered: true
470
+ } : null;
471
+ const result = (() => {
472
+ switch (crud.status) {
473
+ case "paused": {
474
+ return {
475
+ ...base,
476
+ status: "paused",
477
+ simpleStatus: "in-progress",
478
+ isPaused: true
479
+ };
480
+ }
481
+ case "preparing": {
482
+ return {
483
+ ...base,
484
+ status: "preparing",
485
+ simpleStatus: "in-progress"
486
+ };
487
+ }
488
+ case "rendering": {
489
+ return {
490
+ ...base,
491
+ status: "rendering",
492
+ simpleStatus: "in-progress",
493
+ startedRenderingAt: new Date(crud.started_rendering_at_millis)
494
+ };
495
+ }
496
+ case "render-error": {
497
+ return {
498
+ ...base,
499
+ status: "render-error",
500
+ simpleStatus: "error",
501
+ startedRenderingAt: new Date(crud.started_rendering_at_millis),
502
+ renderedAt: new Date(crud.rendered_at_millis),
503
+ renderError: crud.render_error
504
+ };
505
+ }
506
+ case "scheduled": {
507
+ return {
508
+ ...rendered,
509
+ status: "scheduled",
510
+ simpleStatus: "in-progress"
511
+ };
512
+ }
513
+ case "queued": {
514
+ return {
515
+ ...rendered,
516
+ status: "queued",
517
+ simpleStatus: "in-progress"
518
+ };
519
+ }
520
+ case "sending": {
521
+ return {
522
+ ...startedSending,
523
+ status: "sending",
524
+ simpleStatus: "in-progress"
525
+ };
526
+ }
527
+ case "server-error": {
528
+ return {
529
+ ...startedSending,
530
+ status: "server-error",
531
+ simpleStatus: "error",
532
+ errorAt: new Date(crud.error_at_millis),
533
+ serverError: crud.server_error
534
+ };
535
+ }
536
+ case "skipped": {
537
+ return {
538
+ ...base,
539
+ status: "skipped",
540
+ simpleStatus: "ok",
541
+ skippedAt: new Date(crud.skipped_at_millis),
542
+ skippedReason: crud.skipped_reason,
543
+ skippedDetails: crud.skipped_details ?? {},
544
+ hasRendered: crud.has_rendered,
545
+ // Optional fields
546
+ startedRenderingAt: crud.started_rendering_at_millis ? new Date(crud.started_rendering_at_millis) : void 0,
547
+ renderedAt: crud.rendered_at_millis ? new Date(crud.rendered_at_millis) : void 0,
548
+ subject: crud.subject,
549
+ html: crud.html,
550
+ text: crud.text,
551
+ isTransactional: crud.is_transactional,
552
+ isHighPriority: crud.is_high_priority,
553
+ notificationCategoryId: crud.notification_category_id,
554
+ startedSendingAt: crud.started_sending_at_millis ? new Date(crud.started_sending_at_millis) : void 0
555
+ };
556
+ }
557
+ case "bounced": {
558
+ return {
559
+ ...startedSending,
560
+ status: "bounced",
561
+ simpleStatus: "error",
562
+ bouncedAt: new Date(crud.bounced_at_millis)
563
+ };
564
+ }
565
+ case "delivery-delayed": {
566
+ return {
567
+ ...startedSending,
568
+ status: "delivery-delayed",
569
+ simpleStatus: "ok",
570
+ deliveryDelayedAt: new Date(crud.delivery_delayed_at_millis)
571
+ };
572
+ }
573
+ case "sent": {
574
+ return {
575
+ ...finishedDelivering,
576
+ status: "sent",
577
+ simpleStatus: "ok",
578
+ canHaveDeliveryInfo: crud.can_have_delivery_info
579
+ };
580
+ }
581
+ case "opened": {
582
+ return {
583
+ ...finishedDelivering,
584
+ status: "opened",
585
+ simpleStatus: "ok",
586
+ openedAt: new Date(crud.opened_at_millis),
587
+ canHaveDeliveryInfo: true
588
+ };
589
+ }
590
+ case "clicked": {
591
+ return {
592
+ ...finishedDelivering,
593
+ status: "clicked",
594
+ simpleStatus: "ok",
595
+ clickedAt: new Date(crud.clicked_at_millis),
596
+ canHaveDeliveryInfo: true
597
+ };
598
+ }
599
+ case "marked-as-spam": {
600
+ return {
601
+ ...finishedDelivering,
602
+ status: "marked-as-spam",
603
+ simpleStatus: "ok",
604
+ markedAsSpamAt: new Date(crud.marked_as_spam_at_millis),
605
+ canHaveDeliveryInfo: true
606
+ };
607
+ }
608
+ default: {
609
+ throw new StackAssertionError(`Unknown email outbox status: ${crud.status}`, { status: crud.status });
610
+ }
611
+ }
612
+ })();
613
+ return result;
614
+ }
615
+ async listOutboxEmails(options) {
616
+ const response = await this._interface.listOutboxEmails({
617
+ status: options?.status,
618
+ simple_status: options?.simpleStatus,
619
+ limit: options?.limit,
620
+ cursor: options?.cursor
621
+ });
622
+ return {
623
+ items: response.items.map((item) => this._emailOutboxCrudToAdmin(item)),
624
+ nextCursor: response.pagination?.next_cursor ?? null
625
+ };
626
+ }
627
+ async getOutboxEmail(id) {
628
+ const response = await this._interface.getOutboxEmail(id);
629
+ return this._emailOutboxCrudToAdmin(response);
630
+ }
631
+ async updateOutboxEmail(id, options) {
632
+ const response = await this._interface.updateOutboxEmail(id, {
633
+ is_paused: options.isPaused,
634
+ scheduled_at_millis: options.scheduledAtMillis,
635
+ cancel: options.cancel
636
+ });
637
+ return this._emailOutboxCrudToAdmin(response);
638
+ }
639
+ async pauseOutboxEmail(id) {
640
+ return await this.updateOutboxEmail(id, { isPaused: true });
641
+ }
642
+ async unpauseOutboxEmail(id) {
643
+ return await this.updateOutboxEmail(id, { isPaused: false });
644
+ }
645
+ async cancelOutboxEmail(id) {
646
+ return await this.updateOutboxEmail(id, { cancel: true });
647
+ }
428
648
  async getStripeAccountInfo() {
429
649
  return await this._interface.getStripeAccountInfo();
430
650
  }
651
+ async previewAffectedUsersByOnboardingChange(onboarding, limit) {
652
+ const result = await this._interface.previewAffectedUsersByOnboardingChange(
653
+ { require_email_verification: onboarding.requireEmailVerification },
654
+ limit
655
+ );
656
+ return {
657
+ affectedUsers: result.affected_users.map((u) => ({
658
+ id: u.id,
659
+ displayName: u.display_name,
660
+ primaryEmail: u.primary_email,
661
+ restrictedReason: u.restricted_reason
662
+ })),
663
+ totalAffectedCount: result.total_affected_count
664
+ };
665
+ }
431
666
  };
432
667
  export {
433
668
  _StackAdminAppImplIncomplete
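Review bot: In `_emailOutboxCrudToAdmin`, every case from `scheduled` through `marked-as-spam` except `skipped` spreads `rendered`, `startedSending` or `finishedDelivering`, and each of those is `null` whenever `crud.has_rendered`, `crud.started_sending_at_millis` or `crud.has_delivered` (or an earlier stage) is falsy. Spreading `null` adds no properties, so a response whose `status` disagrees with those flags produces an object holding only `status`, `simpleStatus` and the case-specific fields, without `id`, `to` or the timestamps, instead of an error. The `default` branch already fails closed on an unknown status, and these cases should do the same, for example `if (!rendered) throw new StackAssertionError("Email outbox status requires a rendered email", { status: crud.status });` ahead of the spread, with the equivalent guard for `startedSending` and `finishedDelivering`. The same cases also pass missing `*_at_millis` values straight to `new Date(...)`, which yields an Invalid Date rather than a failure. The enclosing class starts outside this hunk.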