@stackframe/react 2.7.20

package/dist/esm/lib/stack-app.js

@@ -0,0 +1,2398 @@
+// src/lib/stack-app.ts
+import { WebAuthnError, startAuthentication, startRegistration } from "@simplewebauthn/browser";
+import { KnownErrors, StackAdminInterface, StackClientInterface, StackServerInterface } from "@stackframe/stack-shared";
+import { getProductionModeErrors } from "@stackframe/stack-shared/dist/helpers/production-mode";
+import { InternalSession } from "@stackframe/stack-shared/dist/sessions";
+import { encodeBase64 } from "@stackframe/stack-shared/dist/utils/bytes";
+import { AsyncCache } from "@stackframe/stack-shared/dist/utils/caches";
+import { isBrowserLike } from "@stackframe/stack-shared/dist/utils/env";
+import { StackAssertionError, concatStacktraces, throwErr } from "@stackframe/stack-shared/dist/utils/errors";
+import { DependenciesMap } from "@stackframe/stack-shared/dist/utils/maps";
+import { deepPlainEquals, filterUndefined, omit, pick } from "@stackframe/stack-shared/dist/utils/objects";
+import { neverResolve, runAsynchronously, wait } from "@stackframe/stack-shared/dist/utils/promises";
+import { suspend, suspendIfSsr } from "@stackframe/stack-shared/dist/utils/react";
+import { Result } from "@stackframe/stack-shared/dist/utils/results";
+import { Store, storeLock } from "@stackframe/stack-shared/dist/utils/stores";
+import { mergeScopeStrings } from "@stackframe/stack-shared/dist/utils/strings";
+import { getRelativePart, isRelative } from "@stackframe/stack-shared/dist/utils/urls";
+import { generateUuid } from "@stackframe/stack-shared/dist/utils/uuids";
+import * as cookie from "cookie";
+import React, { useCallback, useMemo } from "react";
+import { constructRedirectUrl } from "../utils/url";
+import { addNewOAuthProviderOrScope, callOAuthCallback, signInWithOAuth } from "./auth";
+import { createBrowserCookieHelper, createCookieHelper, createEmptyCookieHelper, deleteCookieClient, getCookieClient, setOrDeleteCookie, setOrDeleteCookieClient } from "./cookie";
+var isReactServer = false;
+var clientVersion = "js @stackframe/react@2.7.20";
+if (clientVersion.startsWith("STACK_COMPILE_TIME")) {
+  throw new StackAssertionError("Client version was not replaced. Something went wrong during build!");
+}
+var process = globalThis.process ?? { env: {} };
+function getUrls(partial) {
+  const handler = partial.handler ?? "/handler";
+  const home = partial.home ?? "/";
+  const afterSignIn = partial.afterSignIn ?? home;
+  return {
+    handler,
+    signIn: `${handler}/sign-in`,
+    afterSignIn: home,
+    signUp: `${handler}/sign-up`,
+    afterSignUp: afterSignIn,
+    signOut: `${handler}/sign-out`,
+    afterSignOut: home,
+    emailVerification: `${handler}/email-verification`,
+    passwordReset: `${handler}/password-reset`,
+    forgotPassword: `${handler}/forgot-password`,
+    oauthCallback: `${handler}/oauth-callback`,
+    magicLinkCallback: `${handler}/magic-link-callback`,
+    home,
+    accountSettings: `${handler}/account-settings`,
+    error: `${handler}/error`,
+    teamInvitation: `${handler}/team-invitation`,
+    ...filterUndefined(partial)
+  };
+}
+function getDefaultProjectId() {
+  return process.env.NEXT_PUBLIC_STACK_PROJECT_ID || throwErr(new Error("Welcome to Stack Auth! It seems that you haven't provided a project ID. Please create a project on the Stack dashboard at https://app.stack-auth.com and put it in the NEXT_PUBLIC_STACK_PROJECT_ID environment variable."));
+}
+function getDefaultPublishableClientKey() {
+  return process.env.NEXT_PUBLIC_STACK_PUBLISHABLE_CLIENT_KEY || throwErr(new Error("Welcome to Stack Auth! It seems that you haven't provided a publishable client key. Please create an API key for your project on the Stack dashboard at https://app.stack-auth.com and copy your publishable client key into the NEXT_PUBLIC_STACK_PUBLISHABLE_CLIENT_KEY environment variable."));
+}
+function getDefaultSecretServerKey() {
+  return process.env.STACK_SECRET_SERVER_KEY || throwErr(new Error("No secret server key provided. Please copy your key from the Stack dashboard and put your it in the STACK_SECRET_SERVER_KEY environment variable."));
+}
+function getDefaultSuperSecretAdminKey() {
+  return process.env.STACK_SUPER_SECRET_ADMIN_KEY || throwErr(new Error("No super secret admin key provided. Please copy your key from the Stack dashboard and put it in the STACK_SUPER_SECRET_ADMIN_KEY environment variable."));
+}
+function getBaseUrl(userSpecifiedBaseUrl) {
+  let url;
+  if (userSpecifiedBaseUrl) {
+    if (typeof userSpecifiedBaseUrl === "string") {
+      url = userSpecifiedBaseUrl;
+    } else {
+      if (isBrowserLike()) {
+        url = userSpecifiedBaseUrl.browser;
+      } else {
+        url = userSpecifiedBaseUrl.server;
+      }
+    }
+  } else {
+    if (isBrowserLike()) {
+      url = process.env.NEXT_PUBLIC_BROWSER_STACK_API_URL;
+    } else {
+      url = process.env.NEXT_PUBLIC_SERVER_STACK_API_URL;
+    }
+    url = url || process.env.NEXT_PUBLIC_STACK_API_URL || process.env.NEXT_PUBLIC_STACK_URL || defaultBaseUrl;
+  }
+  return url.endsWith("/") ? url.slice(0, -1) : url;
+}
+var defaultBaseUrl = "https://api.stack-auth.com";
+function createEmptyTokenStore() {
+  return new Store({
+    refreshToken: null,
+    accessToken: null
+  });
+}
+var cachePromiseByComponentId = /* @__PURE__ */ new Map();
+function useAsyncCache(cache, dependencies, caller) {
+  suspendIfSsr(caller);
+  const id = React.useId();
+  const subscribe = useCallback((cb) => {
+    const { unsubscribe } = cache.onStateChange(dependencies, () => {
+      cachePromiseByComponentId.delete(id);
+      cb();
+    });
+    return unsubscribe;
+  }, [cache, ...dependencies]);
+  const getSnapshot = useCallback(() => {
+    if (!cachePromiseByComponentId.has(id)) {
+      cachePromiseByComponentId.set(id, cache.getOrWait(dependencies, "read-write"));
+    }
+    return cachePromiseByComponentId.get(id);
+  }, [cache, ...dependencies]);
+  const promise = React.useSyncExternalStore(
+    subscribe,
+    getSnapshot,
+    () => throwErr(new Error("getServerSnapshot should never be called in useAsyncCache because we restrict to CSR earlier"))
+  );
+  const result = React.use(promise);
+  if (result.status === "error") {
+    const error = result.error;
+    if (error instanceof Error && !error.__stackHasConcatenatedStacktraces) {
+      concatStacktraces(error, new Error());
+      error.__stackHasConcatenatedStacktraces = true;
+    }
+    throw error;
+  }
+  return result.data;
+}
+var stackAppInternalsSymbol = Symbol.for("StackAuth--DO-NOT-USE-OR-YOU-WILL-BE-FIRED--StackAppInternals");
+var allClientApps = /* @__PURE__ */ new Map();
+var createCache = (fetcher) => {
+  return new AsyncCache(
+    async (dependencies) => await Result.fromThrowingAsync(async () => await fetcher(dependencies)),
+    {}
+  );
+};
+var createCacheBySession = (fetcher) => {
+  return new AsyncCache(
+    async ([session, ...extraDependencies]) => await Result.fromThrowingAsync(async () => await fetcher(session, extraDependencies)),
+    {
+      onSubscribe: ([session], refresh) => {
+        const handler = session.onInvalidate(() => refresh());
+        return () => handler.unsubscribe();
+      }
+    }
+  );
+};
+var numberOfAppsCreated = 0;
+var _StackClientAppImpl = class __StackClientAppImpl {
+  constructor(_options) {
+    this._options = _options;
+    this._uniqueIdentifier = void 0;
+    this.__DEMO_ENABLE_SLIGHT_FETCH_DELAY = false;
+    this._ownedAdminApps = new DependenciesMap();
+    this._currentUserCache = createCacheBySession(async (session) => {
+      if (this.__DEMO_ENABLE_SLIGHT_FETCH_DELAY) {
+        await wait(2e3);
+      }
+      if (session.isKnownToBeInvalid()) {
+        return null;
+      }
+      return await this._interface.getClientUserByToken(session);
+    });
+    this._currentProjectCache = createCache(async () => {
+      return Result.orThrow(await this._interface.getClientProject());
+    });
+    this._ownedProjectsCache = createCacheBySession(async (session) => {
+      return await this._interface.listProjects(session);
+    });
+    this._currentUserPermissionsCache = createCacheBySession(async (session, [teamId, recursive]) => {
+      return await this._interface.listCurrentUserTeamPermissions({ teamId, recursive }, session);
+    });
+    this._currentUserTeamsCache = createCacheBySession(async (session) => {
+      return await this._interface.listCurrentUserTeams(session);
+    });
+    this._currentUserOAuthConnectionAccessTokensCache = createCacheBySession(
+      async (session, [providerId, scope]) => {
+        try {
+          const result = await this._interface.createProviderAccessToken(providerId, scope || "", session);
+          return { accessToken: result.access_token };
+        } catch (err) {
+          if (!(err instanceof KnownErrors.OAuthConnectionDoesNotHaveRequiredScope || err instanceof KnownErrors.OAuthConnectionNotConnectedToUser)) {
+            throw err;
+          }
+        }
+        return null;
+      }
+    );
+    this._currentUserOAuthConnectionCache = createCacheBySession(
+      async (session, [providerId, scope, redirect]) => {
+        return await this._getUserOAuthConnectionCacheFn({
+          getUser: async () => Result.orThrow(await this._currentUserCache.getOrWait([session], "write-only")),
+          getOrWaitOAuthToken: async () => Result.orThrow(await this._currentUserOAuthConnectionAccessTokensCache.getOrWait([session, providerId, scope || ""], "write-only")),
+          useOAuthToken: () => useAsyncCache(this._currentUserOAuthConnectionAccessTokensCache, [session, providerId, scope || ""], "useOAuthToken"),
+          providerId,
+          scope,
+          redirect,
+          session
+        });
+      }
+    );
+    this._teamMemberProfilesCache = createCacheBySession(
+      async (session, [teamId]) => {
+        return await this._interface.listTeamMemberProfiles({ teamId }, session);
+      }
+    );
+    this._teamInvitationsCache = createCacheBySession(
+      async (session, [teamId]) => {
+        return await this._interface.listTeamInvitations({ teamId }, session);
+      }
+    );
+    this._currentUserTeamProfileCache = createCacheBySession(
+      async (session, [teamId]) => {
+        return await this._interface.getTeamMemberProfile({ teamId, userId: "me" }, session);
+      }
+    );
+    this._clientContactChannelsCache = createCacheBySession(
+      async (session) => {
+        return await this._interface.listClientContactChannels(session);
+      }
+    );
+    this._memoryTokenStore = createEmptyTokenStore();
+    this._requestTokenStores = /* @__PURE__ */ new WeakMap();
+    this._storedBrowserCookieTokenStore = null;
+    /**
+     * A map from token stores and session keys to sessions.
+     *
+     * This isn't just a map from session keys to sessions for two reasons:
+     *
+     * - So we can garbage-collect Session objects when the token store is garbage-collected
+     * - So different token stores are separated and don't leak information between each other, eg. if the same user sends two requests to the same server they should get a different session object
+     */
+    this._sessionsByTokenStoreAndSessionKey = /* @__PURE__ */ new WeakMap();
+    if ("interface" in _options) {
+      this._interface = _options.interface;
+    } else {
+      this._interface = new StackClientInterface({
+        getBaseUrl: () => getBaseUrl(_options.baseUrl),
+        projectId: _options.projectId ?? getDefaultProjectId(),
+        clientVersion,
+        publishableClientKey: _options.publishableClientKey ?? getDefaultPublishableClientKey(),
+        prepareRequest: async () => {
+        }
+      });
+    }
+    this._tokenStoreInit = _options.tokenStore;
+    this._redirectMethod = _options.redirectMethod || "none";
+    this._urlOptions = _options.urls ?? {};
+    this._oauthScopesOnSignIn = _options.oauthScopesOnSignIn ?? {};
+    if (_options.uniqueIdentifier) {
+      this._uniqueIdentifier = _options.uniqueIdentifier;
+      this._initUniqueIdentifier();
+    }
+    if (!_options.noAutomaticPrefetch) {
+      numberOfAppsCreated++;
+      if (numberOfAppsCreated > 10) {
+        (process.env.NODE_ENV === "development" ? console.log : console.warn)(`You have created more than 10 Stack apps with automatic pre-fetch enabled (${numberOfAppsCreated}). This is usually a sign of a memory leak, but can sometimes be caused by hot reload of your tech stack. If you are getting this error and it is not caused by hot reload, make sure to minimize the number of Stack apps per page (usually, one per project). (If it is caused by hot reload and does not occur in production, you can safely ignore it.)`);
+      }
+    }
+  }
+  async _createCookieHelper() {
+    if (this._tokenStoreInit === "nextjs-cookie" || this._tokenStoreInit === "cookie") {
+      return await createCookieHelper();
+    } else {
+      return await createEmptyCookieHelper();
+    }
+  }
+  async _getUserOAuthConnectionCacheFn(options) {
+    const user = await options.getUser();
+    let hasConnection = true;
+    if (!user || !user.oauth_providers.find((p) => p.id === options.providerId)) {
+      hasConnection = false;
+    }
+    const token = await options.getOrWaitOAuthToken();
+    if (!token) {
+      hasConnection = false;
+    }
+    if (!hasConnection && options.redirect) {
+      if (!options.session) {
+        throw new Error("No session found. You might be calling getConnectedAccount with redirect without having a user session.");
+      }
+      await addNewOAuthProviderOrScope(
+        this._interface,
+        {
+          provider: options.providerId,
+          redirectUrl: this.urls.oauthCallback,
+          errorRedirectUrl: this.urls.error,
+          providerScope: mergeScopeStrings(options.scope || "", (this._oauthScopesOnSignIn[options.providerId] ?? []).join(" "))
+        },
+        options.session
+      );
+      return await neverResolve();
+    } else if (!hasConnection) {
+      return null;
+    }
+    const app = this;
+    return {
+      id: options.providerId,
+      async getAccessToken() {
+        const result = await options.getOrWaitOAuthToken();
+        if (!result) {
+          throw new StackAssertionError("No access token available");
+        }
+        return result;
+      },
+      useAccessToken() {
+        const result = options.useOAuthToken();
+        if (!result) {
+          throw new StackAssertionError("No access token available");
+        }
+        return result;
+      }
+    };
+  }
+  _initUniqueIdentifier() {
+    if (!this._uniqueIdentifier) {
+      throw new StackAssertionError("Unique identifier not initialized");
+    }
+    if (allClientApps.has(this._uniqueIdentifier)) {
+      throw new StackAssertionError("A Stack client app with the same unique identifier already exists");
+    }
+    allClientApps.set(this._uniqueIdentifier, [this._options.checkString ?? "default check string", this]);
+  }
+  /**
+   * Cloudflare workers does not allow use of randomness on the global scope (on which the Stack app is probably
+   * initialized). For that reason, we generate the unique identifier lazily when it is first needed instead of in the
+   * constructor.
+   */
+  _getUniqueIdentifier() {
+    if (!this._uniqueIdentifier) {
+      this._uniqueIdentifier = generateUuid();
+      this._initUniqueIdentifier();
+    }
+    return this._uniqueIdentifier;
+  }
+  async _checkFeatureSupport(name, options) {
+    return await this._interface.checkFeatureSupport({ ...options, name });
+  }
+  _useCheckFeatureSupport(name, options) {
+    runAsynchronously(this._checkFeatureSupport(name, options));
+    throw new StackAssertionError(`${name} is not currently supported. Please reach out to Stack support for more information.`);
+  }
+  get _refreshTokenCookieName() {
+    return `stack-refresh-${this.projectId}`;
+  }
+  _getTokensFromCookies(cookies) {
+    const refreshToken = cookies.refreshTokenCookie;
+    const accessTokenObject = cookies.accessTokenCookie?.startsWith('["') ? JSON.parse(cookies.accessTokenCookie) : null;
+    const accessToken = accessTokenObject && refreshToken === accessTokenObject[0] ? accessTokenObject[1] : null;
+    return {
+      refreshToken,
+      accessToken
+    };
+  }
+  get _accessTokenCookieName() {
+    return `stack-access`;
+  }
+  _getBrowserCookieTokenStore() {
+    if (!isBrowserLike()) {
+      throw new Error("Cannot use cookie token store on the server!");
+    }
+    if (this._storedBrowserCookieTokenStore === null) {
+      const getCurrentValue = (old) => {
+        const tokens = this._getTokensFromCookies({
+          refreshTokenCookie: getCookieClient(this._refreshTokenCookieName) ?? getCookieClient("stack-refresh"),
+          // keep old cookie name for backwards-compatibility
+          accessTokenCookie: getCookieClient(this._accessTokenCookieName)
+        });
+        return {
+          refreshToken: tokens.refreshToken,
+          accessToken: tokens.accessToken ?? (old?.refreshToken === tokens.refreshToken ? old.accessToken : null)
+        };
+      };
+      this._storedBrowserCookieTokenStore = new Store(getCurrentValue(null));
+      let hasSucceededInWriting = true;
+      setInterval(() => {
+        if (hasSucceededInWriting) {
+          const oldValue = this._storedBrowserCookieTokenStore.get();
+          const currentValue = getCurrentValue(oldValue);
+          if (!deepPlainEquals(currentValue, oldValue)) {
+            this._storedBrowserCookieTokenStore.set(currentValue);
+          }
+        }
+      }, 100);
+      this._storedBrowserCookieTokenStore.onChange((value) => {
+        try {
+          setOrDeleteCookieClient(this._refreshTokenCookieName, value.refreshToken, { maxAge: 60 * 60 * 24 * 365 });
+          setOrDeleteCookieClient(this._accessTokenCookieName, value.accessToken ? JSON.stringify([value.refreshToken, value.accessToken]) : null, { maxAge: 60 * 60 * 24 });
+          deleteCookieClient("stack-refresh");
+          hasSucceededInWriting = true;
+        } catch (e) {
+          if (!isBrowserLike()) {
+            hasSucceededInWriting = false;
+          } else {
+            throw e;
+          }
+        }
+      });
+    }
+    return this._storedBrowserCookieTokenStore;
+  }
+  _getOrCreateTokenStore(cookieHelper, overrideTokenStoreInit) {
+    const tokenStoreInit = overrideTokenStoreInit === void 0 ? this._tokenStoreInit : overrideTokenStoreInit;
+    switch (tokenStoreInit) {
+      case "cookie": {
+        return this._getBrowserCookieTokenStore();
+      }
+      case "nextjs-cookie": {
+        if (isBrowserLike()) {
+          return this._getBrowserCookieTokenStore();
+        } else {
+          const tokens = this._getTokensFromCookies({
+            refreshTokenCookie: cookieHelper.get(this._refreshTokenCookieName) ?? cookieHelper.get("stack-refresh"),
+            // keep old cookie name for backwards-compatibility
+            accessTokenCookie: cookieHelper.get(this._accessTokenCookieName)
+          });
+          const store = new Store(tokens);
+          store.onChange((value) => {
+            runAsynchronously(async () => {
+              await Promise.all([
+                setOrDeleteCookie(this._refreshTokenCookieName, value.refreshToken, { maxAge: 60 * 60 * 24 * 365, noOpIfServerComponent: true }),
+                setOrDeleteCookie(this._accessTokenCookieName, value.accessToken ? JSON.stringify([value.refreshToken, value.accessToken]) : null, { maxAge: 60 * 60 * 24, noOpIfServerComponent: true })
+              ]);
+            });
+          });
+          return store;
+        }
+      }
+      case "memory": {
+        return this._memoryTokenStore;
+      }
+      default: {
+        if (tokenStoreInit === null) {
+          return createEmptyTokenStore();
+        } else if (typeof tokenStoreInit === "object" && "headers" in tokenStoreInit) {
+          if (this._requestTokenStores.has(tokenStoreInit)) return this._requestTokenStores.get(tokenStoreInit);
+          const stackAuthHeader = tokenStoreInit.headers.get("x-stack-auth");
+          if (stackAuthHeader) {
+            let parsed2;
+            try {
+              parsed2 = JSON.parse(stackAuthHeader);
+              if (typeof parsed2 !== "object") throw new Error("x-stack-auth header must be a JSON object");
+              if (parsed2 === null) throw new Error("x-stack-auth header must not be null");
+            } catch (e) {
+              throw new Error(`Invalid x-stack-auth header: ${stackAuthHeader}`, { cause: e });
+            }
+            return this._getOrCreateTokenStore(cookieHelper, {
+              accessToken: parsed2.accessToken ?? null,
+              refreshToken: parsed2.refreshToken ?? null
+            });
+          }
+          const cookieHeader = tokenStoreInit.headers.get("cookie");
+          const parsed = cookie.parse(cookieHeader || "");
+          const res = new Store({
+            refreshToken: parsed[this._refreshTokenCookieName] || parsed["stack-refresh"] || null,
+            // keep old cookie name for backwards-compatibility
+            accessToken: parsed[this._accessTokenCookieName] || null
+          });
+          this._requestTokenStores.set(tokenStoreInit, res);
+          return res;
+        } else if ("accessToken" in tokenStoreInit || "refreshToken" in tokenStoreInit) {
+          return new Store({
+            refreshToken: tokenStoreInit.refreshToken,
+            accessToken: tokenStoreInit.accessToken
+          });
+        }
+        throw new Error(`Invalid token store ${tokenStoreInit}`);
+      }
+    }
+  }
+  _useTokenStore(overrideTokenStoreInit) {
+    suspendIfSsr();
+    const cookieHelper = createBrowserCookieHelper();
+    const tokenStore = this._getOrCreateTokenStore(cookieHelper, overrideTokenStoreInit);
+    return tokenStore;
+  }
+  _getSessionFromTokenStore(tokenStore) {
+    const tokenObj = tokenStore.get();
+    const sessionKey = InternalSession.calculateSessionKey(tokenObj);
+    const existing = sessionKey ? this._sessionsByTokenStoreAndSessionKey.get(tokenStore)?.get(sessionKey) : null;
+    if (existing) return existing;
+    const session = this._interface.createSession({
+      refreshToken: tokenObj.refreshToken,
+      accessToken: tokenObj.accessToken
+    });
+    session.onAccessTokenChange((newAccessToken) => {
+      tokenStore.update((old) => ({
+        ...old,
+        accessToken: newAccessToken?.token ?? null
+      }));
+    });
+    session.onInvalidate(() => {
+      tokenStore.update((old) => ({
+        ...old,
+        accessToken: null,
+        refreshToken: null
+      }));
+    });
+    let sessionsBySessionKey = this._sessionsByTokenStoreAndSessionKey.get(tokenStore) ?? /* @__PURE__ */ new Map();
+    this._sessionsByTokenStoreAndSessionKey.set(tokenStore, sessionsBySessionKey);
+    sessionsBySessionKey.set(sessionKey, session);
+    return session;
+  }
+  async _getSession(overrideTokenStoreInit) {
+    const tokenStore = this._getOrCreateTokenStore(await this._createCookieHelper(), overrideTokenStoreInit);
+    return this._getSessionFromTokenStore(tokenStore);
+  }
+  _useSession(overrideTokenStoreInit) {
+    const tokenStore = this._useTokenStore(overrideTokenStoreInit);
+    const subscribe = useCallback((cb) => {
+      const { unsubscribe } = tokenStore.onChange(() => {
+        cb();
+      });
+      return unsubscribe;
+    }, [tokenStore]);
+    const getSnapshot = useCallback(() => this._getSessionFromTokenStore(tokenStore), [tokenStore]);
+    return React.useSyncExternalStore(subscribe, getSnapshot, getSnapshot);
+  }
+  async _signInToAccountWithTokens(tokens) {
+    if (!("accessToken" in tokens) || !("refreshToken" in tokens)) {
+      throw new StackAssertionError("Invalid tokens object; can't sign in with this", { tokens });
+    }
+    const tokenStore = this._getOrCreateTokenStore(await this._createCookieHelper());
+    tokenStore.set(tokens);
+  }
+  _hasPersistentTokenStore(overrideTokenStoreInit) {
+    return (overrideTokenStoreInit !== void 0 ? overrideTokenStoreInit : this._tokenStoreInit) !== null;
+  }
+  _ensurePersistentTokenStore(overrideTokenStoreInit) {
+    if (!this._hasPersistentTokenStore(overrideTokenStoreInit)) {
+      throw new Error("Cannot call this function on a Stack app without a persistent token store. Make sure the tokenStore option on the constructor is set to a non-null value when initializing Stack.\n\nStack uses token stores to access access tokens of the current user. For example, on web frontends it is commonly the string value 'cookies' for cookie storage.");
+    }
+  }
+  _isInternalProject() {
+    return this.projectId === "internal";
+  }
+  _ensureInternalProject() {
+    if (!this._isInternalProject()) {
+      throw new Error("Cannot call this function on a Stack app with a project ID other than 'internal'.");
+    }
+  }
+  _clientProjectFromCrud(crud) {
+    return {
+      id: crud.id,
+      displayName: crud.display_name,
+      config: {
+        signUpEnabled: crud.config.sign_up_enabled,
+        credentialEnabled: crud.config.credential_enabled,
+        magicLinkEnabled: crud.config.magic_link_enabled,
+        passkeyEnabled: crud.config.passkey_enabled,
+        clientTeamCreationEnabled: crud.config.client_team_creation_enabled,
+        clientUserDeletionEnabled: crud.config.client_user_deletion_enabled,
+        oauthProviders: crud.config.enabled_oauth_providers.map((p) => ({
+          id: p.id
+        }))
+      }
+    };
+  }
+  _clientTeamPermissionFromCrud(crud) {
+    return {
+      id: crud.id
+    };
+  }
+  _clientTeamUserFromCrud(crud) {
+    return {
+      id: crud.user_id,
+      teamProfile: {
+        displayName: crud.display_name,
+        profileImageUrl: crud.profile_image_url
+      }
+    };
+  }
+  _clientTeamInvitationFromCrud(session, crud) {
+    return {
+      id: crud.id,
+      recipientEmail: crud.recipient_email,
+      expiresAt: new Date(crud.expires_at_millis),
+      revoke: async () => {
+        await this._interface.revokeTeamInvitation(crud.id, crud.team_id, session);
+        await this._teamInvitationsCache.refresh([session, crud.team_id]);
+      }
+    };
+  }
+  _clientTeamFromCrud(crud, session) {
+    const app = this;
+    return {
+      id: crud.id,
+      displayName: crud.display_name,
+      profileImageUrl: crud.profile_image_url,
+      clientMetadata: crud.client_metadata,
+      clientReadOnlyMetadata: crud.client_read_only_metadata,
+      async inviteUser(options) {
+        if (!options.callbackUrl && !await app._getCurrentUrl()) {
+          throw new Error("Cannot invite user without a callback URL from the server or without a redirect method. Make sure you pass the `callbackUrl` option: `inviteUser({ email, callbackUrl: ... })`");
+        }
+        await app._interface.sendTeamInvitation({
+          teamId: crud.id,
+          email: options.email,
+          session,
+          callbackUrl: options.callbackUrl ?? constructRedirectUrl(app.urls.teamInvitation)
+        });
+        await app._teamInvitationsCache.refresh([session, crud.id]);
+      },
+      async listUsers() {
+        const result = Result.orThrow(await app._teamMemberProfilesCache.getOrWait([session, crud.id], "write-only"));
+        return result.map((crud2) => app._clientTeamUserFromCrud(crud2));
+      },
+      useUsers() {
+        const result = useAsyncCache(app._teamMemberProfilesCache, [session, crud.id], "team.useUsers()");
+        return result.map((crud2) => app._clientTeamUserFromCrud(crud2));
+      },
+      async listInvitations() {
+        const result = Result.orThrow(await app._teamInvitationsCache.getOrWait([session, crud.id], "write-only"));
+        return result.map((crud2) => app._clientTeamInvitationFromCrud(session, crud2));
+      },
+      useInvitations() {
+        const result = useAsyncCache(app._teamInvitationsCache, [session, crud.id], "team.useInvitations()");
+        return result.map((crud2) => app._clientTeamInvitationFromCrud(session, crud2));
+      },
+      async update(data) {
+        await app._interface.updateTeam({ data: teamUpdateOptionsToCrud(data), teamId: crud.id }, session);
+        await app._currentUserTeamsCache.refresh([session]);
+      },
+      async delete() {
+        await app._interface.deleteTeam(crud.id, session);
+        await app._currentUserTeamsCache.refresh([session]);
+      }
+    };
+  }
+  _clientContactChannelFromCrud(crud, session) {
+    const app = this;
+    return {
+      id: crud.id,
+      value: crud.value,
+      type: crud.type,
+      isVerified: crud.is_verified,
+      isPrimary: crud.is_primary,
+      usedForAuth: crud.used_for_auth,
+      async sendVerificationEmail() {
+        await app._interface.sendCurrentUserContactChannelVerificationEmail(crud.id, constructRedirectUrl(app.urls.emailVerification), session);
+      },
+      async update(data) {
+        await app._interface.updateClientContactChannel(crud.id, contactChannelUpdateOptionsToCrud(data), session);
+        await app._clientContactChannelsCache.refresh([session]);
+      },
+      async delete() {
+        await app._interface.deleteClientContactChannel(crud.id, session);
+        await app._clientContactChannelsCache.refresh([session]);
+      }
+    };
+  }
+  _createAuth(session) {
+    const app = this;
+    return {
+      _internalSession: session,
+      currentSession: {
+        async getTokens() {
+          const tokens = await session.getOrFetchLikelyValidTokens(2e4);
+          return {
+            accessToken: tokens?.accessToken.token ?? null,
+            refreshToken: tokens?.refreshToken?.token ?? null
+          };
+        }
+      },
+      async getAuthHeaders() {
+        return {
+          "x-stack-auth": JSON.stringify(await this.getAuthJson())
+        };
+      },
+      async getAuthJson() {
+        const tokens = await this.currentSession.getTokens();
+        return tokens;
+      },
+      async registerPasskey(options) {
+        const hostname = (await app._getCurrentUrl())?.hostname;
+        if (!hostname) {
+          throw new StackAssertionError("hostname must be provided if the Stack App does not have a redirect method");
+        }
+        const initiationResult = await app._interface.initiatePasskeyRegistration({}, session);
+        if (initiationResult.status !== "ok") {
+          return Result.error(new KnownErrors.PasskeyRegistrationFailed("Failed to get initiation options for passkey registration"));
+        }
+        const { options_json, code } = initiationResult.data;
+        if (options_json.rp.id !== "THIS_VALUE_WILL_BE_REPLACED.example.com") {
+          throw new StackAssertionError(`Expected returned RP ID from server to equal sentinel, but found ${options_json.rp.id}`);
+        }
+        options_json.rp.id = hostname;
+        let attResp;
+        try {
+          attResp = await startRegistration({ optionsJSON: options_json });
+          debugger;
+        } catch (error) {
+          if (error instanceof WebAuthnError) {
+            return Result.error(new KnownErrors.PasskeyWebAuthnError(error.message, error.name));
+          } else {
+            return Result.error(new KnownErrors.PasskeyRegistrationFailed("Failed to start passkey registration"));
+          }
+        }
+        const registrationResult = await app._interface.registerPasskey({ credential: attResp, code }, session);
+        await app._refreshUser(session);
+        return registrationResult;
+      },
+      signOut(options) {
+        return app._signOut(session, options);
+      }
+    };
+  }
+  _editableTeamProfileFromCrud(crud, session) {
+    const app = this;
+    return {
+      displayName: crud.display_name,
+      profileImageUrl: crud.profile_image_url,
+      async update(update) {
+        await app._interface.updateTeamMemberProfile({
+          teamId: crud.team_id,
+          userId: crud.user_id,
+          profile: {
+            display_name: update.displayName,
+            profile_image_url: update.profileImageUrl
+          }
+        }, session);
+        await app._currentUserTeamProfileCache.refresh([session, crud.team_id]);
+      }
+    };
+  }
+  _createBaseUser(crud) {
+    return {
+      id: crud.id,
+      displayName: crud.display_name,
+      primaryEmail: crud.primary_email,
+      primaryEmailVerified: crud.primary_email_verified,
+      profileImageUrl: crud.profile_image_url,
+      signedUpAt: new Date(crud.signed_up_at_millis),
+      clientMetadata: crud.client_metadata,
+      clientReadOnlyMetadata: crud.client_read_only_metadata,
+      hasPassword: crud.has_password,
+      emailAuthEnabled: crud.auth_with_email,
+      otpAuthEnabled: crud.otp_auth_enabled,
+      oauthProviders: crud.oauth_providers,
+      passkeyAuthEnabled: crud.passkey_auth_enabled,
+      isMultiFactorRequired: crud.requires_totp_mfa,
+      toClientJson() {
+        return crud;
+      }
+    };
+  }
+  _createUserExtraFromCurrent(crud, session) {
+    const app = this;
+    async function getConnectedAccount(id, options) {
+      const scopeString = options?.scopes?.join(" ");
+      return Result.orThrow(await app._currentUserOAuthConnectionCache.getOrWait([session, id, scopeString || "", options?.or === "redirect"], "write-only"));
+    }
+    function useConnectedAccount(id, options) {
+      const scopeString = options?.scopes?.join(" ");
+      return useAsyncCache(app._currentUserOAuthConnectionCache, [session, id, scopeString || "", options?.or === "redirect"], "user.useConnectedAccount()");
+    }
+    return {
+      setDisplayName(displayName) {
+        return this.update({ displayName });
+      },
+      setClientMetadata(metadata) {
+        return this.update({ clientMetadata: metadata });
+      },
+      async setSelectedTeam(team) {
+        await this.update({ selectedTeamId: team?.id ?? null });
+      },
+      getConnectedAccount,
+      useConnectedAccount,
+      async getTeam(teamId) {
+        const teams = await this.listTeams();
+        return teams.find((t) => t.id === teamId) ?? null;
+      },
+      useTeam(teamId) {
+        const teams = this.useTeams();
+        return useMemo(() => {
+          return teams.find((t) => t.id === teamId) ?? null;
+        }, [teams, teamId]);
+      },
+      async listTeams() {
+        const teams = Result.orThrow(await app._currentUserTeamsCache.getOrWait([session], "write-only"));
+        return teams.map((crud2) => app._clientTeamFromCrud(crud2, session));
+      },
+      useTeams() {
+        const teams = useAsyncCache(app._currentUserTeamsCache, [session], "user.useTeams()");
+        return useMemo(() => teams.map((crud2) => app._clientTeamFromCrud(crud2, session)), [teams]);
+      },
+      async createTeam(data) {
+        const crud2 = await app._interface.createClientTeam(teamCreateOptionsToCrud(data, "me"), session);
+        await app._currentUserTeamsCache.refresh([session]);
+        return app._clientTeamFromCrud(crud2, session);
+      },
+      async leaveTeam(team) {
+        await app._interface.leaveTeam(team.id, session);
+      },
+      async listPermissions(scope, options) {
+        const recursive = options?.recursive ?? true;
+        const permissions = Result.orThrow(await app._currentUserPermissionsCache.getOrWait([session, scope.id, recursive], "write-only"));
+        return permissions.map((crud2) => app._clientTeamPermissionFromCrud(crud2));
+      },
+      usePermissions(scope, options) {
+        const recursive = options?.recursive ?? true;
+        const permissions = useAsyncCache(app._currentUserPermissionsCache, [session, scope.id, recursive], "user.usePermissions()");
+        return useMemo(() => permissions.map((crud2) => app._clientTeamPermissionFromCrud(crud2)), [permissions]);
+      },
+      usePermission(scope, permissionId) {
+        const permissions = this.usePermissions(scope);
+        return useMemo(() => permissions.find((p) => p.id === permissionId) ?? null, [permissions, permissionId]);
+      },
+      async getPermission(scope, permissionId) {
+        const permissions = await this.listPermissions(scope);
+        return permissions.find((p) => p.id === permissionId) ?? null;
+      },
+      async hasPermission(scope, permissionId) {
+        return await this.getPermission(scope, permissionId) !== null;
+      },
+      async update(update) {
+        return await app._updateClientUser(update, session);
+      },
+      async sendVerificationEmail(options) {
+        if (!crud.primary_email) {
+          throw new StackAssertionError("User does not have a primary email");
+        }
+        if (!options?.callbackUrl && !await app._getCurrentUrl()) {
+          throw new Error("Cannot send verification email without a callback URL from the server or without a redirect method. Make sure you pass the `callbackUrl` option: `sendVerificationEmail({ callbackUrl: ... })`");
+        }
+        return await app._interface.sendVerificationEmail(crud.primary_email, options?.callbackUrl ?? constructRedirectUrl(app.urls.emailVerification), session);
+      },
+      async updatePassword(options) {
+        const result = await app._interface.updatePassword(options, session);
+        await app._currentUserCache.refresh([session]);
+        return result;
+      },
+      async setPassword(options) {
+        const result = await app._interface.setPassword(options, session);
+        await app._currentUserCache.refresh([session]);
+        return result;
+      },
+      selectedTeam: crud.selected_team && this._clientTeamFromCrud(crud.selected_team, session),
+      async getTeamProfile(team) {
+        const result = Result.orThrow(await app._currentUserTeamProfileCache.getOrWait([session, team.id], "write-only"));
+        return app._editableTeamProfileFromCrud(result, session);
+      },
+      useTeamProfile(team) {
+        const result = useAsyncCache(app._currentUserTeamProfileCache, [session, team.id], "user.useTeamProfile()");
+        return app._editableTeamProfileFromCrud(result, session);
+      },
+      async delete() {
+        await app._interface.deleteCurrentUser(session);
+        session.markInvalid();
+      },
+      async listContactChannels() {
+        const result = Result.orThrow(await app._clientContactChannelsCache.getOrWait([session], "write-only"));
+        return result.map((crud2) => app._clientContactChannelFromCrud(crud2, session));
+      },
+      useContactChannels() {
+        const result = useAsyncCache(app._clientContactChannelsCache, [session], "user.useContactChannels()");
+        return result.map((crud2) => app._clientContactChannelFromCrud(crud2, session));
+      },
+      async createContactChannel(data) {
+        const crud2 = await app._interface.createClientContactChannel(contactChannelCreateOptionsToCrud("me", data), session);
+        await app._clientContactChannelsCache.refresh([session]);
+        return app._clientContactChannelFromCrud(crud2, session);
+      }
+    };
+  }
+  _createInternalUserExtra(session) {
+    const app = this;
+    this._ensureInternalProject();
+    return {
+      createProject(newProject) {
+        return app._createProject(session, newProject);
+      },
+      listOwnedProjects() {
+        return app._listOwnedProjects(session);
+      },
+      useOwnedProjects() {
+        return app._useOwnedProjects(session);
+      }
+    };
+  }
+  _currentUserFromCrud(crud, session) {
+    const currentUser = {
+      ...this._createBaseUser(crud),
+      ...this._createAuth(session),
+      ...this._createUserExtraFromCurrent(crud, session),
+      ...this._isInternalProject() ? this._createInternalUserExtra(session) : {}
+    };
+    Object.freeze(currentUser);
+    return currentUser;
+  }
+  _getOwnedAdminApp(forProjectId, session) {
+    if (!this._ownedAdminApps.has([session, forProjectId])) {
+      this._ownedAdminApps.set([session, forProjectId], new _StackAdminAppImpl({
+        baseUrl: this._interface.options.getBaseUrl(),
+        projectId: forProjectId,
+        tokenStore: null,
+        projectOwnerSession: session,
+        noAutomaticPrefetch: true
+      }));
+    }
+    return this._ownedAdminApps.get([session, forProjectId]);
+  }
+  get projectId() {
+    return this._interface.projectId;
+  }
+  async _isTrusted(url) {
+    return isRelative(url);
+  }
+  get urls() {
+    return getUrls(this._urlOptions);
+  }
+  async _getCurrentUrl() {
+    if (this._redirectMethod === "none") {
+      return null;
+    }
+    return new URL(window.location.href);
+  }
+  async _redirectTo(options) {
+    if (this._redirectMethod === "none") {
+      return;
+    } else if (typeof this._redirectMethod === "object" && this._redirectMethod.navigate) {
+      this._redirectMethod.navigate(options.url.toString());
+    } else {
+      if (options.replace) {
+        window.location.replace(options.url);
+      } else {
+        window.location.assign(options.url);
+      }
+    }
+    await wait(2e3);
+  }
+  useNavigate() {
+    if (typeof this._redirectMethod === "object") {
+      return this._redirectMethod.useNavigate();
+    } else if (this._redirectMethod === "window") {
+      return () => window.location.assign;
+    } else {
+      return (to) => {
+      };
+    }
+  }
+  async _redirectIfTrusted(url, options) {
+    if (!await this._isTrusted(url)) {
+      throw new Error(`Redirect URL ${url} is not trusted; should be relative.`);
+    }
+    return await this._redirectTo({ url, ...options });
+  }
+  async _redirectToHandler(handlerName, options) {
+    let url = this.urls[handlerName];
+    if (!url) {
+      throw new Error(`No URL for handler name ${handlerName}`);
+    }
+    if (!options?.noRedirectBack) {
+      if (handlerName === "afterSignIn" || handlerName === "afterSignUp") {
+        if (isReactServer || typeof window === "undefined") {
+          try {
+            await this._checkFeatureSupport("rsc-handler-" + handlerName, {});
+          } catch (e) {
+          }
+        } else {
+          const queryParams = new URLSearchParams(window.location.search);
+          url = queryParams.get("after_auth_return_to") || url;
+        }
+      } else if (handlerName === "signIn" || handlerName === "signUp") {
+        if (isReactServer || typeof window === "undefined") {
+          try {
+            await this._checkFeatureSupport("rsc-handler-" + handlerName, {});
+          } catch (e) {
+          }
+        } else {
+          const currentUrl = new URL(window.location.href);
+          const nextUrl = new URL(url, currentUrl);
+          if (currentUrl.searchParams.has("after_auth_return_to")) {
+            nextUrl.searchParams.set("after_auth_return_to", currentUrl.searchParams.get("after_auth_return_to"));
+          } else if (currentUrl.protocol === nextUrl.protocol && currentUrl.host === nextUrl.host) {
+            nextUrl.searchParams.set("after_auth_return_to", getRelativePart(currentUrl));
+          }
+          url = getRelativePart(nextUrl);
+        }
+      }
+    }
+    await this._redirectIfTrusted(url, options);
+  }
+  async redirectToSignIn(options) {
+    return await this._redirectToHandler("signIn", options);
+  }
+  async redirectToSignUp(options) {
+    return await this._redirectToHandler("signUp", options);
+  }
+  async redirectToSignOut(options) {
+    return await this._redirectToHandler("signOut", options);
+  }
+  async redirectToEmailVerification(options) {
+    return await this._redirectToHandler("emailVerification", options);
+  }
+  async redirectToPasswordReset(options) {
+    return await this._redirectToHandler("passwordReset", options);
+  }
+  async redirectToForgotPassword(options) {
+    return await this._redirectToHandler("forgotPassword", options);
+  }
+  async redirectToHome(options) {
+    return await this._redirectToHandler("home", options);
+  }
+  async redirectToOAuthCallback(options) {
+    return await this._redirectToHandler("oauthCallback", options);
+  }
+  async redirectToMagicLinkCallback(options) {
+    return await this._redirectToHandler("magicLinkCallback", options);
+  }
+  async redirectToAfterSignIn(options) {
+    return await this._redirectToHandler("afterSignIn", options);
+  }
+  async redirectToAfterSignUp(options) {
+    return await this._redirectToHandler("afterSignUp", options);
+  }
+  async redirectToAfterSignOut(options) {
+    return await this._redirectToHandler("afterSignOut", options);
+  }
+  async redirectToAccountSettings(options) {
+    return await this._redirectToHandler("accountSettings", options);
+  }
+  async redirectToError(options) {
+    return await this._redirectToHandler("error", options);
+  }
+  async redirectToTeamInvitation(options) {
+    return await this._redirectToHandler("teamInvitation", options);
+  }
+  async sendForgotPasswordEmail(email, options) {
+    if (!options?.callbackUrl && !await this._getCurrentUrl()) {
+      throw new Error("Cannot send forgot password email without a callback URL from the server or without a redirect method. Make sure you pass the `callbackUrl` option: `sendForgotPasswordEmail({ email, callbackUrl: ... })`");
+    }
+    return await this._interface.sendForgotPasswordEmail(email, options?.callbackUrl ?? constructRedirectUrl(this.urls.passwordReset));
+  }
+  async sendMagicLinkEmail(email, options) {
+    if (!options?.callbackUrl && !await this._getCurrentUrl()) {
+      throw new Error("Cannot send magic link email without a callback URL from the server or without a redirect method. Make sure you pass the `callbackUrl` option: `sendMagicLinkEmail({ email, callbackUrl: ... })`");
+    }
+    return await this._interface.sendMagicLinkEmail(email, options?.callbackUrl ?? constructRedirectUrl(this.urls.magicLinkCallback));
+  }
+  async resetPassword(options) {
+    return await this._interface.resetPassword(options);
+  }
+  async verifyPasswordResetCode(code) {
+    return await this._interface.verifyPasswordResetCode(code);
+  }
+  async verifyTeamInvitationCode(code) {
+    return await this._interface.acceptTeamInvitation({
+      type: "check",
+      code,
+      session: await this._getSession()
+    });
+  }
+  async acceptTeamInvitation(code) {
+    const result = await this._interface.acceptTeamInvitation({
+      type: "use",
+      code,
+      session: await this._getSession()
+    });
+    if (result.status === "ok") {
+      return Result.ok(void 0);
+    } else {
+      return Result.error(result.error);
+    }
+  }
+  async getTeamInvitationDetails(code) {
+    const result = await this._interface.acceptTeamInvitation({
+      type: "details",
+      code,
+      session: await this._getSession()
+    });
+    if (result.status === "ok") {
+      return Result.ok({ teamDisplayName: result.data.team_display_name });
+    } else {
+      return Result.error(result.error);
+    }
+  }
+  async verifyEmail(code) {
+    const result = await this._interface.verifyEmail(code);
+    await this._currentUserCache.refresh([await this._getSession()]);
+    await this._clientContactChannelsCache.refresh([await this._getSession()]);
+    return result;
+  }
+  async getUser(options) {
+    this._ensurePersistentTokenStore(options?.tokenStore);
+    const session = await this._getSession(options?.tokenStore);
+    const crud = Result.orThrow(await this._currentUserCache.getOrWait([session], "write-only"));
+    if (crud === null) {
+      switch (options?.or) {
+        case "redirect": {
+          await this.redirectToSignIn({ replace: true });
+          break;
+        }
+        case "throw": {
+          throw new Error("User is not signed in but getUser was called with { or: 'throw' }");
+        }
+        default: {
+          return null;
+        }
+      }
+    }
+    return crud && this._currentUserFromCrud(crud, session);
+  }
+  useUser(options) {
+    this._ensurePersistentTokenStore(options?.tokenStore);
+    const session = this._useSession(options?.tokenStore);
+    const crud = useAsyncCache(this._currentUserCache, [session], "useUser()");
+    if (crud === null) {
+      switch (options?.or) {
+        case "redirect": {
+          runAsynchronously(this.redirectToSignIn({ replace: true }));
+          suspend();
+          throw new StackAssertionError("suspend should never return");
+        }
+        case "throw": {
+          throw new Error("User is not signed in but useUser was called with { or: 'throw' }");
+        }
+        case void 0:
+        case "return-null": {
+        }
+      }
+    }
+    return useMemo(() => {
+      return crud && this._currentUserFromCrud(crud, session);
+    }, [crud, session, options?.or]);
+  }
+  async _updateClientUser(update, session) {
+    const res = await this._interface.updateClientUser(userUpdateOptionsToCrud(update), session);
+    await this._refreshUser(session);
+    return res;
+  }
+  async signInWithOAuth(provider) {
+    if (typeof window === "undefined") {
+      throw new Error("signInWithOAuth can currently only be called in a browser environment");
+    }
+    this._ensurePersistentTokenStore();
+    await signInWithOAuth(
+      this._interface,
+      {
+        provider,
+        redirectUrl: this.urls.oauthCallback,
+        errorRedirectUrl: this.urls.error,
+        providerScope: this._oauthScopesOnSignIn[provider]?.join(" ")
+      }
+    );
+  }
+  /**
+   * @deprecated
+   * TODO remove
+   */
+  async _experimentalMfa(error, session) {
+    const otp = prompt("Please enter the six-digit TOTP code from your authenticator app.");
+    if (!otp) {
+      throw new KnownErrors.InvalidTotpCode();
+    }
+    return await this._interface.totpMfa(
+      error.details?.attempt_code ?? throwErr("attempt code missing"),
+      otp,
+      session
+    );
+  }
+  /**
+   * @deprecated
+   * TODO remove
+   */
+  async _catchMfaRequiredError(callback) {
+    try {
+      return await callback();
+    } catch (e) {
+      if (e instanceof KnownErrors.MultiFactorAuthenticationRequired) {
+        return Result.ok(await this._experimentalMfa(e, await this._getSession()));
+      }
+      throw e;
+    }
+  }
+  async signInWithCredential(options) {
+    this._ensurePersistentTokenStore();
+    const session = await this._getSession();
+    let result;
+    try {
+      result = await this._catchMfaRequiredError(async () => {
+        return await this._interface.signInWithCredential(options.email, options.password, session);
+      });
+    } catch (e) {
+      if (e instanceof KnownErrors.InvalidTotpCode) {
+        return Result.error(e);
+      }
+      throw e;
+    }
+    if (result.status === "ok") {
+      await this._signInToAccountWithTokens(result.data);
+      if (!options.noRedirect) {
+        await this.redirectToAfterSignIn({ replace: true });
+      }
+      return Result.ok(void 0);
+    } else {
+      return Result.error(result.error);
+    }
+  }
+  async signUpWithCredential(options) {
+    this._ensurePersistentTokenStore();
+    const session = await this._getSession();
+    const emailVerificationRedirectUrl = constructRedirectUrl(this.urls.emailVerification);
+    const result = await this._interface.signUpWithCredential(
+      options.email,
+      options.password,
+      emailVerificationRedirectUrl,
+      session
+    );
+    if (result.status === "ok") {
+      await this._signInToAccountWithTokens(result.data);
+      if (!options.noRedirect) {
+        await this.redirectToAfterSignUp({ replace: true });
+      }
+      return Result.ok(void 0);
+    } else {
+      return Result.error(result.error);
+    }
+  }
+  async signInWithMagicLink(code) {
+    this._ensurePersistentTokenStore();
+    let result;
+    try {
+      result = await this._catchMfaRequiredError(async () => {
+        return await this._interface.signInWithMagicLink(code);
+      });
+    } catch (e) {
+      if (e instanceof KnownErrors.InvalidTotpCode) {
+        return Result.error(e);
+      }
+      throw e;
+    }
+    if (result.status === "ok") {
+      await this._signInToAccountWithTokens(result.data);
+      if (result.data.newUser) {
+        await this.redirectToAfterSignUp({ replace: true });
+      } else {
+        await this.redirectToAfterSignIn({ replace: true });
+      }
+      return Result.ok(void 0);
+    } else {
+      return Result.error(result.error);
+    }
+  }
+  async signInWithPasskey() {
+    this._ensurePersistentTokenStore();
+    const session = await this._getSession();
+    let result;
+    try {
+      result = await this._catchMfaRequiredError(async () => {
+        const initiationResult = await this._interface.initiatePasskeyAuthentication({}, session);
+        if (initiationResult.status !== "ok") {
+          return Result.error(new KnownErrors.PasskeyAuthenticationFailed("Failed to get initiation options for passkey authentication"));
+        }
+        const { options_json, code } = initiationResult.data;
+        if (options_json.rpId !== "THIS_VALUE_WILL_BE_REPLACED.example.com") {
+          throw new StackAssertionError(`Expected returned RP ID from server to equal sentinel, but found ${options_json.rpId}`);
+        }
+        options_json.rpId = window.location.hostname;
+        const authentication_response = await startAuthentication({ optionsJSON: options_json });
+        return await this._interface.signInWithPasskey({ authentication_response, code });
+      });
+    } catch (error) {
+      if (error instanceof WebAuthnError) {
+        return Result.error(new KnownErrors.PasskeyWebAuthnError(error.message, error.name));
+      } else {
+        return Result.error(new KnownErrors.PasskeyAuthenticationFailed("Failed to sign in with passkey"));
+      }
+    }
+    if (result.status === "ok") {
+      await this._signInToAccountWithTokens(result.data);
+      await this.redirectToAfterSignIn({ replace: true });
+      return Result.ok(void 0);
+    } else {
+      return Result.error(result.error);
+    }
+  }
+  async callOAuthCallback() {
+    if (typeof window === "undefined") {
+      throw new Error("callOAuthCallback can currently only be called in a browser environment");
+    }
+    this._ensurePersistentTokenStore();
+    let result;
+    try {
+      result = await this._catchMfaRequiredError(async () => {
+        return await callOAuthCallback(this._interface, this.urls.oauthCallback);
+      });
+    } catch (e) {
+      if (e instanceof KnownErrors.InvalidTotpCode) {
+        alert("Invalid TOTP code. Please try signing in again.");
+        return false;
+      } else {
+        throw e;
+      }
+    }
+    if (result.status === "ok" && result.data) {
+      await this._signInToAccountWithTokens(result.data);
+      if ("afterCallbackRedirectUrl" in result.data && result.data.afterCallbackRedirectUrl) {
+        await this._redirectTo({ url: result.data.afterCallbackRedirectUrl, replace: true });
+        return true;
+      } else if (result.data.newUser) {
+        await this.redirectToAfterSignUp({ replace: true });
+        return true;
+      } else {
+        await this.redirectToAfterSignIn({ replace: true });
+        return true;
+      }
+    }
+    return false;
+  }
+  async _signOut(session, options) {
+    await storeLock.withWriteLock(async () => {
+      await this._interface.signOut(session);
+      if (options?.redirectUrl) {
+        await this._redirectTo({ url: options.redirectUrl, replace: true });
+      } else {
+        await this.redirectToAfterSignOut();
+      }
+    });
+  }
+  async signOut(options) {
+    const user = await this.getUser();
+    if (user) {
+      await user.signOut(options);
+    }
+  }
+  async getProject() {
+    const crud = Result.orThrow(await this._currentProjectCache.getOrWait([], "write-only"));
+    return this._clientProjectFromCrud(crud);
+  }
+  useProject() {
+    const crud = useAsyncCache(this._currentProjectCache, [], "useProject()");
+    return useMemo(() => this._clientProjectFromCrud(crud), [crud]);
+  }
+  async _listOwnedProjects(session) {
+    this._ensureInternalProject();
+    const crud = Result.orThrow(await this._ownedProjectsCache.getOrWait([session], "write-only"));
+    return crud.map((j) => this._getOwnedAdminApp(j.id, session)._adminOwnedProjectFromCrud(
+      j,
+      () => this._refreshOwnedProjects(session)
+    ));
+  }
+  _useOwnedProjects(session) {
+    this._ensureInternalProject();
+    const projects = useAsyncCache(this._ownedProjectsCache, [session], "useOwnedProjects()");
+    return useMemo(() => projects.map((j) => this._getOwnedAdminApp(j.id, session)._adminOwnedProjectFromCrud(
+      j,
+      () => this._refreshOwnedProjects(session)
+    )), [projects]);
+  }
+  async _createProject(session, newProject) {
+    this._ensureInternalProject();
+    const crud = await this._interface.createProject(adminProjectCreateOptionsToCrud(newProject), session);
+    const res = this._getOwnedAdminApp(crud.id, session)._adminOwnedProjectFromCrud(
+      crud,
+      () => this._refreshOwnedProjects(session)
+    );
+    await this._refreshOwnedProjects(session);
+    return res;
+  }
+  async _refreshUser(session) {
+    await this._refreshSession(session);
+  }
+  async _refreshSession(session) {
+    await this._currentUserCache.refresh([session]);
+  }
+  async _refreshUsers() {
+  }
+  async _refreshProject() {
+    await this._currentProjectCache.refresh([]);
+  }
+  async _refreshOwnedProjects(session) {
+    await this._ownedProjectsCache.refresh([session]);
+  }
+  static get [stackAppInternalsSymbol]() {
+    return {
+      fromClientJson: (json) => {
+        const providedCheckString = JSON.stringify(omit(json, [
+          /* none currently */
+        ]));
+        const existing = allClientApps.get(json.uniqueIdentifier);
+        if (existing) {
+          const [existingCheckString, clientApp] = existing;
+          if (existingCheckString !== providedCheckString) {
+            throw new StackAssertionError("The provided app JSON does not match the configuration of the existing client app with the same unique identifier", { providedObj: json, existingString: existingCheckString });
+          }
+          return clientApp;
+        }
+        return new __StackClientAppImpl({
+          ...json,
+          checkString: providedCheckString
+        });
+      }
+    };
+  }
+  get [stackAppInternalsSymbol]() {
+    return {
+      toClientJson: () => {
+        if (!("publishableClientKey" in this._interface.options)) {
+          throw new StackAssertionError("Cannot serialize to JSON from an application without a publishable client key");
+        }
+        if (typeof this._redirectMethod !== "string") {
+          throw new StackAssertionError("Cannot serialize to JSON from an application with a non-string redirect method");
+        }
+        return {
+          baseUrl: this._options.baseUrl,
+          projectId: this.projectId,
+          publishableClientKey: this._interface.options.publishableClientKey,
+          tokenStore: this._tokenStoreInit,
+          urls: this._urlOptions,
+          oauthScopesOnSignIn: this._oauthScopesOnSignIn,
+          uniqueIdentifier: this._getUniqueIdentifier(),
+          redirectMethod: this._redirectMethod
+        };
+      },
+      setCurrentUser: (userJsonPromise) => {
+        runAsynchronously(async () => {
+          await this._currentUserCache.forceSetCachedValueAsync([await this._getSession()], Result.fromPromise(userJsonPromise));
+        });
+      },
+      sendRequest: async (path, requestOptions, requestType = "client") => {
+        return await this._interface.sendClientRequest(path, requestOptions, await this._getSession(), requestType);
+      }
+    };
+  }
+};
+var _StackServerAppImpl = class extends _StackClientAppImpl {
+  constructor(options) {
+    super("interface" in options ? {
+      interface: options.interface,
+      tokenStore: options.tokenStore,
+      urls: options.urls,
+      oauthScopesOnSignIn: options.oauthScopesOnSignIn
+    } : {
+      interface: new StackServerInterface({
+        getBaseUrl: () => getBaseUrl(options.baseUrl),
+        projectId: options.projectId ?? getDefaultProjectId(),
+        clientVersion,
+        publishableClientKey: options.publishableClientKey ?? getDefaultPublishableClientKey(),
+        secretServerKey: options.secretServerKey ?? getDefaultSecretServerKey()
+      }),
+      baseUrl: options.baseUrl,
+      projectId: options.projectId,
+      publishableClientKey: options.publishableClientKey,
+      tokenStore: options.tokenStore,
+      urls: options.urls ?? {},
+      oauthScopesOnSignIn: options.oauthScopesOnSignIn ?? {},
+      redirectMethod: options.redirectMethod
+    });
+    // TODO override the client user cache to use the server user cache, so we save some requests
+    this._currentServerUserCache = createCacheBySession(async (session) => {
+      if (session.isKnownToBeInvalid()) {
+        return null;
+      }
+      return await this._interface.getServerUserByToken(session);
+    });
+    this._serverUsersCache = createCache(async ([cursor, limit, orderBy, desc, query]) => {
+      return await this._interface.listServerUsers({ cursor, limit, orderBy, desc, query });
+    });
+    this._serverUserCache = createCache(async ([userId]) => {
+      const user = await this._interface.getServerUserById(userId);
+      return Result.or(user, null);
+    });
+    this._serverTeamsCache = createCache(async ([userId]) => {
+      return await this._interface.listServerTeams({ userId });
+    });
+    this._serverTeamUserPermissionsCache = createCache(async ([teamId, userId, recursive]) => {
+      return await this._interface.listServerTeamPermissions({ teamId, userId, recursive }, null);
+    });
+    this._serverUserOAuthConnectionAccessTokensCache = createCache(
+      async ([userId, providerId, scope]) => {
+        try {
+          const result = await this._interface.createServerProviderAccessToken(userId, providerId, scope || "");
+          return { accessToken: result.access_token };
+        } catch (err) {
+          if (!(err instanceof KnownErrors.OAuthConnectionDoesNotHaveRequiredScope || err instanceof KnownErrors.OAuthConnectionNotConnectedToUser)) {
+            throw err;
+          }
+        }
+        return null;
+      }
+    );
+    this._serverUserOAuthConnectionCache = createCache(
+      async ([userId, providerId, scope, redirect]) => {
+        return await this._getUserOAuthConnectionCacheFn({
+          getUser: async () => Result.orThrow(await this._serverUserCache.getOrWait([userId], "write-only")),
+          getOrWaitOAuthToken: async () => Result.orThrow(await this._serverUserOAuthConnectionAccessTokensCache.getOrWait([userId, providerId, scope || ""], "write-only")),
+          useOAuthToken: () => useAsyncCache(this._serverUserOAuthConnectionAccessTokensCache, [userId, providerId, scope || ""], "user.useConnectedAccount()"),
+          providerId,
+          scope,
+          redirect,
+          session: null
+        });
+      }
+    );
+    this._serverTeamMemberProfilesCache = createCache(
+      async ([teamId]) => {
+        return await this._interface.listServerTeamMemberProfiles({ teamId });
+      }
+    );
+    this._serverTeamInvitationsCache = createCache(
+      async ([teamId]) => {
+        return await this._interface.listServerTeamInvitations({ teamId });
+      }
+    );
+    this._serverUserTeamProfileCache = createCache(
+      async ([teamId, userId]) => {
+        return await this._interface.getServerTeamMemberProfile({ teamId, userId });
+      }
+    );
+    this._serverContactChannelsCache = createCache(
+      async ([userId]) => {
+        return await this._interface.listServerContactChannels(userId);
+      }
+    );
+  }
+  async _updateServerUser(userId, update) {
+    const result = await this._interface.updateServerUser(userId, serverUserUpdateOptionsToCrud(update));
+    await this._refreshUsers();
+    return result;
+  }
+  _serverEditableTeamProfileFromCrud(crud) {
+    const app = this;
+    return {
+      displayName: crud.display_name,
+      profileImageUrl: crud.profile_image_url,
+      async update(update) {
+        await app._interface.updateServerTeamMemberProfile({
+          teamId: crud.team_id,
+          userId: crud.user_id,
+          profile: {
+            display_name: update.displayName,
+            profile_image_url: update.profileImageUrl
+          }
+        });
+        await app._serverUserTeamProfileCache.refresh([crud.team_id, crud.user_id]);
+      }
+    };
+  }
+  _serverContactChannelFromCrud(userId, crud) {
+    const app = this;
+    return {
+      id: crud.id,
+      value: crud.value,
+      type: crud.type,
+      isVerified: crud.is_verified,
+      isPrimary: crud.is_primary,
+      usedForAuth: crud.used_for_auth,
+      async sendVerificationEmail(options) {
+        if (!options?.callbackUrl && !await app._getCurrentUrl()) {
+          throw new Error("Cannot send verification email without a callback URL from the server or without a redirect method. Make sure you pass the `callbackUrl` option: `sendVerificationEmail({ callbackUrl: ... })`");
+        }
+        await app._interface.sendServerContactChannelVerificationEmail(userId, crud.id, options?.callbackUrl ?? constructRedirectUrl(app.urls.emailVerification));
+      },
+      async update(data) {
+        await app._interface.updateServerContactChannel(userId, crud.id, serverContactChannelUpdateOptionsToCrud(data));
+      },
+      async delete() {
+        await app._interface.deleteServerContactChannel(userId, crud.id);
+      }
+    };
+  }
+  _serverUserFromCrud(crud) {
+    const app = this;
+    async function getConnectedAccount(id, options) {
+      const scopeString = options?.scopes?.join(" ");
+      return Result.orThrow(await app._serverUserOAuthConnectionCache.getOrWait([crud.id, id, scopeString || "", options?.or === "redirect"], "write-only"));
+    }
+    function useConnectedAccount(id, options) {
+      const scopeString = options?.scopes?.join(" ");
+      return useAsyncCache(app._serverUserOAuthConnectionCache, [crud.id, id, scopeString || "", options?.or === "redirect"], "user.useConnectedAccount()");
+    }
+    return {
+      ...super._createBaseUser(crud),
+      lastActiveAt: new Date(crud.last_active_at_millis),
+      serverMetadata: crud.server_metadata,
+      async setPrimaryEmail(email, options) {
+        await app._updateServerUser(crud.id, { primaryEmail: email, primaryEmailVerified: options?.verified });
+      },
+      async grantPermission(scope, permissionId) {
+        await app._interface.grantServerTeamUserPermission(scope.id, crud.id, permissionId);
+        for (const recursive of [true, false]) {
+          await app._serverTeamUserPermissionsCache.refresh([scope.id, crud.id, recursive]);
+        }
+      },
+      async revokePermission(scope, permissionId) {
+        await app._interface.revokeServerTeamUserPermission(scope.id, crud.id, permissionId);
+        for (const recursive of [true, false]) {
+          await app._serverTeamUserPermissionsCache.refresh([scope.id, crud.id, recursive]);
+        }
+      },
+      async delete() {
+        const res = await app._interface.deleteServerServerUser(crud.id);
+        await app._refreshUsers();
+        return res;
+      },
+      async createSession(options) {
+        const tokens = await app._interface.createServerUserSession(crud.id, options.expiresInMillis ?? 1e3 * 60 * 60 * 24 * 365);
+        return {
+          async getTokens() {
+            return tokens;
+          }
+        };
+      },
+      async setDisplayName(displayName) {
+        return await this.update({ displayName });
+      },
+      async setClientMetadata(metadata) {
+        return await this.update({ clientMetadata: metadata });
+      },
+      async setClientReadOnlyMetadata(metadata) {
+        return await this.update({ clientReadOnlyMetadata: metadata });
+      },
+      async setServerMetadata(metadata) {
+        return await this.update({ serverMetadata: metadata });
+      },
+      async setSelectedTeam(team) {
+        return await this.update({ selectedTeamId: team?.id ?? null });
+      },
+      getConnectedAccount,
+      useConnectedAccount,
+      selectedTeam: crud.selected_team ? app._serverTeamFromCrud(crud.selected_team) : null,
+      async getTeam(teamId) {
+        const teams = await this.listTeams();
+        return teams.find((t) => t.id === teamId) ?? null;
+      },
+      useTeam(teamId) {
+        const teams = this.useTeams();
+        return useMemo(() => {
+          return teams.find((t) => t.id === teamId) ?? null;
+        }, [teams, teamId]);
+      },
+      async listTeams() {
+        const teams = Result.orThrow(await app._serverTeamsCache.getOrWait([crud.id], "write-only"));
+        return teams.map((t) => app._serverTeamFromCrud(t));
+      },
+      useTeams() {
+        const teams = useAsyncCache(app._serverTeamsCache, [crud.id], "user.useTeams()");
+        return useMemo(() => teams.map((t) => app._serverTeamFromCrud(t)), [teams]);
+      },
+      createTeam: async (data) => {
+        const team = await app._interface.createServerTeam(serverTeamCreateOptionsToCrud({
+          creatorUserId: crud.id,
+          ...data
+        }));
+        await app._serverTeamsCache.refresh([void 0]);
+        return app._serverTeamFromCrud(team);
+      },
+      leaveTeam: async (team) => {
+        await app._interface.leaveServerTeam({ teamId: team.id, userId: crud.id });
+      },
+      async listPermissions(scope, options) {
+        const recursive = options?.recursive ?? true;
+        const permissions = Result.orThrow(await app._serverTeamUserPermissionsCache.getOrWait([scope.id, crud.id, recursive], "write-only"));
+        return permissions.map((crud2) => app._serverPermissionFromCrud(crud2));
+      },
+      usePermissions(scope, options) {
+        const recursive = options?.recursive ?? true;
+        const permissions = useAsyncCache(app._serverTeamUserPermissionsCache, [scope.id, crud.id, recursive], "user.usePermissions()");
+        return useMemo(() => permissions.map((crud2) => app._serverPermissionFromCrud(crud2)), [permissions]);
+      },
+      async getPermission(scope, permissionId) {
+        const permissions = await this.listPermissions(scope);
+        return permissions.find((p) => p.id === permissionId) ?? null;
+      },
+      usePermission(scope, permissionId) {
+        const permissions = this.usePermissions(scope);
+        return useMemo(() => permissions.find((p) => p.id === permissionId) ?? null, [permissions, permissionId]);
+      },
+      async hasPermission(scope, permissionId) {
+        return await this.getPermission(scope, permissionId) !== null;
+      },
+      async update(update) {
+        await app._updateServerUser(crud.id, update);
+      },
+      async sendVerificationEmail() {
+        return await app._checkFeatureSupport("sendVerificationEmail() on ServerUser", {});
+      },
+      async updatePassword(options) {
+        const result = await this.update({ password: options.newPassword });
+        await app._serverUserCache.refresh([crud.id]);
+        return result;
+      },
+      async setPassword(options) {
+        const result = await this.update(options);
+        await app._serverUserCache.refresh([crud.id]);
+        return result;
+      },
+      async getTeamProfile(team) {
+        const result = Result.orThrow(await app._serverUserTeamProfileCache.getOrWait([team.id, crud.id], "write-only"));
+        return app._serverEditableTeamProfileFromCrud(result);
+      },
+      useTeamProfile(team) {
+        const result = useAsyncCache(app._serverUserTeamProfileCache, [team.id, crud.id], "user.useTeamProfile()");
+        return useMemo(() => app._serverEditableTeamProfileFromCrud(result), [result]);
+      },
+      async listContactChannels() {
+        const result = Result.orThrow(await app._serverContactChannelsCache.getOrWait([crud.id], "write-only"));
+        return result.map((data) => app._serverContactChannelFromCrud(crud.id, data));
+      },
+      useContactChannels() {
+        const result = useAsyncCache(app._serverContactChannelsCache, [crud.id], "user.useContactChannels()");
+        return useMemo(() => result.map((data) => app._serverContactChannelFromCrud(crud.id, data)), [result]);
+      },
+      createContactChannel: async (data) => {
+        const contactChannel = await app._interface.createServerContactChannel(serverContactChannelCreateOptionsToCrud(crud.id, data));
+        await app._serverContactChannelsCache.refresh([crud.id]);
+        return app._serverContactChannelFromCrud(crud.id, contactChannel);
+      }
+    };
+  }
+  _serverTeamUserFromCrud(crud) {
+    return {
+      ...this._serverUserFromCrud(crud.user),
+      teamProfile: {
+        displayName: crud.display_name,
+        profileImageUrl: crud.profile_image_url
+      }
+    };
+  }
+  _serverTeamInvitationFromCrud(crud) {
+    return {
+      id: crud.id,
+      recipientEmail: crud.recipient_email,
+      expiresAt: new Date(crud.expires_at_millis),
+      revoke: async () => {
+        await this._interface.revokeServerTeamInvitation(crud.id, crud.team_id);
+      }
+    };
+  }
+  _currentUserFromCrud(crud, session) {
+    const app = this;
+    const currentUser = {
+      ...this._serverUserFromCrud(crud),
+      ...this._createAuth(session),
+      ...this._isInternalProject() ? this._createInternalUserExtra(session) : {}
+    };
+    Object.freeze(currentUser);
+    return currentUser;
+  }
+  _serverTeamFromCrud(crud) {
+    const app = this;
+    return {
+      id: crud.id,
+      displayName: crud.display_name,
+      profileImageUrl: crud.profile_image_url,
+      createdAt: new Date(crud.created_at_millis),
+      clientMetadata: crud.client_metadata,
+      clientReadOnlyMetadata: crud.client_read_only_metadata,
+      serverMetadata: crud.server_metadata,
+      async update(update) {
+        await app._interface.updateServerTeam(crud.id, serverTeamUpdateOptionsToCrud(update));
+        await app._serverTeamsCache.refresh([void 0]);
+      },
+      async delete() {
+        await app._interface.deleteServerTeam(crud.id);
+        await app._serverTeamsCache.refresh([void 0]);
+      },
+      async listUsers() {
+        const result = Result.orThrow(await app._serverTeamMemberProfilesCache.getOrWait([crud.id], "write-only"));
+        return result.map((u) => app._serverTeamUserFromCrud(u));
+      },
+      useUsers() {
+        const result = useAsyncCache(app._serverTeamMemberProfilesCache, [crud.id], "team.useUsers()");
+        return useMemo(() => result.map((u) => app._serverTeamUserFromCrud(u)), [result]);
+      },
+      async addUser(userId) {
+        await app._interface.addServerUserToTeam({
+          teamId: crud.id,
+          userId
+        });
+        await app._serverTeamMemberProfilesCache.refresh([crud.id]);
+      },
+      async removeUser(userId) {
+        await app._interface.removeServerUserFromTeam({
+          teamId: crud.id,
+          userId
+        });
+        await app._serverTeamMemberProfilesCache.refresh([crud.id]);
+      },
+      async inviteUser(options) {
+        if (!options.callbackUrl && !await app._getCurrentUrl()) {
+          throw new Error("Cannot invite user without a callback URL from the server or without a redirect method. Make sure you pass the `callbackUrl` option: `inviteUser({ email, callbackUrl: ... })`");
+        }
+        await app._interface.sendServerTeamInvitation({
+          teamId: crud.id,
+          email: options.email,
+          callbackUrl: options.callbackUrl ?? constructRedirectUrl(app.urls.teamInvitation)
+        });
+        await app._serverTeamInvitationsCache.refresh([crud.id]);
+      },
+      async listInvitations() {
+        const result = Result.orThrow(await app._serverTeamInvitationsCache.getOrWait([crud.id], "write-only"));
+        return result.map((crud2) => app._serverTeamInvitationFromCrud(crud2));
+      },
+      useInvitations() {
+        const result = useAsyncCache(app._serverTeamInvitationsCache, [crud.id], "team.useInvitations()");
+        return useMemo(() => result.map((crud2) => app._serverTeamInvitationFromCrud(crud2)), [result]);
+      }
+    };
+  }
+  async createUser(options) {
+    const crud = await this._interface.createServerUser(serverUserCreateOptionsToCrud(options));
+    await this._refreshUsers();
+    return this._serverUserFromCrud(crud);
+  }
+  async getUser(options) {
+    if (typeof options === "string") {
+      return await this.getServerUserById(options);
+    } else {
+      this._ensurePersistentTokenStore(options?.tokenStore);
+      const session = await this._getSession(options?.tokenStore);
+      const crud = Result.orThrow(await this._currentServerUserCache.getOrWait([session], "write-only"));
+      if (crud === null) {
+        switch (options?.or) {
+          case "redirect": {
+            await this.redirectToSignIn({ replace: true });
+            break;
+          }
+          case "throw": {
+            throw new Error("User is not signed in but getUser was called with { or: 'throw' }");
+          }
+          default: {
+            return null;
+          }
+        }
+      }
+      return crud && this._currentUserFromCrud(crud, session);
+    }
+  }
+  async getServerUser() {
+    console.warn("stackServerApp.getServerUser is deprecated; use stackServerApp.getUser instead");
+    return await this.getUser();
+  }
+  async getServerUserById(userId) {
+    const crud = Result.orThrow(await this._serverUserCache.getOrWait([userId], "write-only"));
+    return crud && this._serverUserFromCrud(crud);
+  }
+  useUser(options) {
+    if (typeof options === "string") {
+      return this.useUserById(options);
+    } else {
+      this._ensurePersistentTokenStore(options?.tokenStore);
+      const session = this._useSession(options?.tokenStore);
+      const crud = useAsyncCache(this._currentServerUserCache, [session], "useUser()");
+      if (crud === null) {
+        switch (options?.or) {
+          case "redirect": {
+            runAsynchronously(this.redirectToSignIn({ replace: true }));
+            suspend();
+            throw new StackAssertionError("suspend should never return");
+          }
+          case "throw": {
+            throw new Error("User is not signed in but useUser was called with { or: 'throw' }");
+          }
+          case void 0:
+          case "return-null": {
+          }
+        }
+      }
+      return useMemo(() => {
+        return crud && this._currentUserFromCrud(crud, session);
+      }, [crud, session, options?.or]);
+    }
+  }
+  useUserById(userId) {
+    const crud = useAsyncCache(this._serverUserCache, [userId], "useUserById()");
+    return useMemo(() => {
+      return crud && this._serverUserFromCrud(crud);
+    }, [crud]);
+  }
+  async listUsers(options) {
+    const crud = Result.orThrow(await this._serverUsersCache.getOrWait([options?.cursor, options?.limit, options?.orderBy, options?.desc, options?.query], "write-only"));
+    const result = crud.items.map((j) => this._serverUserFromCrud(j));
+    result.nextCursor = crud.pagination?.next_cursor ?? null;
+    return result;
+  }
+  useUsers(options) {
+    const crud = useAsyncCache(this._serverUsersCache, [options?.cursor, options?.limit, options?.orderBy, options?.desc, options?.query], "useServerUsers()");
+    const result = crud.items.map((j) => this._serverUserFromCrud(j));
+    result.nextCursor = crud.pagination?.next_cursor ?? null;
+    return result;
+  }
+  _serverPermissionFromCrud(crud) {
+    return {
+      id: crud.id
+    };
+  }
+  _serverTeamPermissionDefinitionFromCrud(crud) {
+    return {
+      id: crud.id,
+      description: crud.description,
+      containedPermissionIds: crud.contained_permission_ids
+    };
+  }
+  async listTeams() {
+    const teams = Result.orThrow(await this._serverTeamsCache.getOrWait([void 0], "write-only"));
+    return teams.map((t) => this._serverTeamFromCrud(t));
+  }
+  async createTeam(data) {
+    const team = await this._interface.createServerTeam(serverTeamCreateOptionsToCrud(data));
+    await this._serverTeamsCache.refresh([void 0]);
+    return this._serverTeamFromCrud(team);
+  }
+  useTeams() {
+    const teams = useAsyncCache(this._serverTeamsCache, [void 0], "useServerTeams()");
+    return useMemo(() => {
+      return teams.map((t) => this._serverTeamFromCrud(t));
+    }, [teams]);
+  }
+  async getTeam(teamId) {
+    const teams = await this.listTeams();
+    return teams.find((t) => t.id === teamId) ?? null;
+  }
+  useTeam(teamId) {
+    const teams = this.useTeams();
+    return useMemo(() => {
+      return teams.find((t) => t.id === teamId) ?? null;
+    }, [teams, teamId]);
+  }
+  async _refreshSession(session) {
+    await Promise.all([
+      super._refreshUser(session),
+      this._currentServerUserCache.refresh([session])
+    ]);
+  }
+  async _refreshUsers() {
+    await Promise.all([
+      super._refreshUsers(),
+      this._serverUserCache.refreshWhere(() => true),
+      this._serverUsersCache.refreshWhere(() => true),
+      this._serverContactChannelsCache.refreshWhere(() => true)
+    ]);
+  }
+};
+var _StackAdminAppImpl = class extends _StackServerAppImpl {
+  constructor(options) {
+    super({
+      interface: new StackAdminInterface({
+        getBaseUrl: () => getBaseUrl(options.baseUrl),
+        projectId: options.projectId ?? getDefaultProjectId(),
+        clientVersion,
+        ..."projectOwnerSession" in options ? {
+          projectOwnerSession: options.projectOwnerSession
+        } : {
+          publishableClientKey: options.publishableClientKey ?? getDefaultPublishableClientKey(),
+          secretServerKey: options.secretServerKey ?? getDefaultSecretServerKey(),
+          superSecretAdminKey: options.superSecretAdminKey ?? getDefaultSuperSecretAdminKey()
+        }
+      }),
+      baseUrl: options.baseUrl,
+      projectId: options.projectId,
+      tokenStore: options.tokenStore,
+      urls: options.urls,
+      oauthScopesOnSignIn: options.oauthScopesOnSignIn,
+      redirectMethod: options.redirectMethod
+    });
+    this._adminProjectCache = createCache(async () => {
+      return await this._interface.getProject();
+    });
+    this._apiKeysCache = createCache(async () => {
+      return await this._interface.listApiKeys();
+    });
+    this._adminEmailTemplatesCache = createCache(async () => {
+      return await this._interface.listEmailTemplates();
+    });
+    this._adminTeamPermissionDefinitionsCache = createCache(async () => {
+      return await this._interface.listPermissionDefinitions();
+    });
+    this._svixTokenCache = createCache(async () => {
+      return await this._interface.getSvixToken();
+    });
+    this._metricsCache = createCache(async () => {
+      return await this._interface.getMetrics();
+    });
+  }
+  _adminOwnedProjectFromCrud(data, onRefresh) {
+    if (this._tokenStoreInit !== null) {
+      throw new StackAssertionError("Owned apps must always have tokenStore === null \u2014 did you not create this project with app._createOwnedApp()?");
+      ;
+    }
+    return {
+      ...this._adminProjectFromCrud(data, onRefresh),
+      app: this
+    };
+  }
+  _adminProjectFromCrud(data, onRefresh) {
+    if (data.id !== this.projectId) {
+      throw new StackAssertionError(`The project ID of the provided project JSON (${data.id}) does not match the project ID of the app (${this.projectId})!`);
+    }
+    const app = this;
+    return {
+      id: data.id,
+      displayName: data.display_name,
+      description: data.description,
+      createdAt: new Date(data.created_at_millis),
+      userCount: data.user_count,
+      isProductionMode: data.is_production_mode,
+      config: {
+        id: data.config.id,
+        signUpEnabled: data.config.sign_up_enabled,
+        credentialEnabled: data.config.credential_enabled,
+        magicLinkEnabled: data.config.magic_link_enabled,
+        passkeyEnabled: data.config.passkey_enabled,
+        clientTeamCreationEnabled: data.config.client_team_creation_enabled,
+        clientUserDeletionEnabled: data.config.client_user_deletion_enabled,
+        allowLocalhost: data.config.allow_localhost,
+        oauthProviders: data.config.oauth_providers.map((p) => p.type === "shared" ? {
+          id: p.id,
+          enabled: p.enabled,
+          type: "shared"
+        } : {
+          id: p.id,
+          enabled: p.enabled,
+          type: "standard",
+          clientId: p.client_id ?? throwErr("Client ID is missing"),
+          clientSecret: p.client_secret ?? throwErr("Client secret is missing"),
+          facebookConfigId: p.facebook_config_id,
+          microsoftTenantId: p.microsoft_tenant_id
+        }),
+        emailConfig: data.config.email_config.type === "shared" ? {
+          type: "shared"
+        } : {
+          type: "standard",
+          host: data.config.email_config.host ?? throwErr("Email host is missing"),
+          port: data.config.email_config.port ?? throwErr("Email port is missing"),
+          username: data.config.email_config.username ?? throwErr("Email username is missing"),
+          password: data.config.email_config.password ?? throwErr("Email password is missing"),
+          senderName: data.config.email_config.sender_name ?? throwErr("Email sender name is missing"),
+          senderEmail: data.config.email_config.sender_email ?? throwErr("Email sender email is missing")
+        },
+        domains: data.config.domains.map((d) => ({
+          domain: d.domain,
+          handlerPath: d.handler_path
+        })),
+        createTeamOnSignUp: data.config.create_team_on_sign_up,
+        teamCreatorDefaultPermissions: data.config.team_creator_default_permissions,
+        teamMemberDefaultPermissions: data.config.team_member_default_permissions
+      },
+      async update(update) {
+        await app._interface.updateProject(adminProjectUpdateOptionsToCrud(update));
+        await onRefresh();
+      },
+      async delete() {
+        await app._interface.deleteProject();
+      },
+      async getProductionModeErrors() {
+        return getProductionModeErrors(data);
+      },
+      useProductionModeErrors() {
+        return getProductionModeErrors(data);
+      }
+    };
+  }
+  _adminEmailTemplateFromCrud(data) {
+    return {
+      type: data.type,
+      subject: data.subject,
+      content: data.content,
+      isDefault: data.is_default
+    };
+  }
+  async getProject() {
+    return this._adminProjectFromCrud(
+      Result.orThrow(await this._adminProjectCache.getOrWait([], "write-only")),
+      () => this._refreshProject()
+    );
+  }
+  useProject() {
+    const crud = useAsyncCache(this._adminProjectCache, [], "useProjectAdmin()");
+    return useMemo(() => this._adminProjectFromCrud(
+      crud,
+      () => this._refreshProject()
+    ), [crud]);
+  }
+  _createApiKeyBaseFromCrud(data) {
+    const app = this;
+    return {
+      id: data.id,
+      description: data.description,
+      expiresAt: new Date(data.expires_at_millis),
+      manuallyRevokedAt: data.manually_revoked_at_millis ? new Date(data.manually_revoked_at_millis) : null,
+      createdAt: new Date(data.created_at_millis),
+      isValid() {
+        return this.whyInvalid() === null;
+      },
+      whyInvalid() {
+        if (this.expiresAt.getTime() < Date.now()) return "expired";
+        if (this.manuallyRevokedAt) return "manually-revoked";
+        return null;
+      },
+      async revoke() {
+        const res = await app._interface.revokeApiKeyById(data.id);
+        await app._refreshApiKeys();
+        return res;
+      }
+    };
+  }
+  _createApiKeyFromCrud(data) {
+    return {
+      ...this._createApiKeyBaseFromCrud(data),
+      publishableClientKey: data.publishable_client_key ? { lastFour: data.publishable_client_key.last_four } : null,
+      secretServerKey: data.secret_server_key ? { lastFour: data.secret_server_key.last_four } : null,
+      superSecretAdminKey: data.super_secret_admin_key ? { lastFour: data.super_secret_admin_key.last_four } : null
+    };
+  }
+  _createApiKeyFirstViewFromCrud(data) {
+    return {
+      ...this._createApiKeyBaseFromCrud(data),
+      publishableClientKey: data.publishable_client_key,
+      secretServerKey: data.secret_server_key,
+      superSecretAdminKey: data.super_secret_admin_key
+    };
+  }
+  async listApiKeys() {
+    const crud = Result.orThrow(await this._apiKeysCache.getOrWait([], "write-only"));
+    return crud.map((j) => this._createApiKeyFromCrud(j));
+  }
+  useApiKeys() {
+    const crud = useAsyncCache(this._apiKeysCache, [], "useApiKeys()");
+    return useMemo(() => {
+      return crud.map((j) => this._createApiKeyFromCrud(j));
+    }, [crud]);
+  }
+  async createApiKey(options) {
+    const crud = await this._interface.createApiKey(apiKeyCreateOptionsToCrud(options));
+    await this._refreshApiKeys();
+    return this._createApiKeyFirstViewFromCrud(crud);
+  }
+  useEmailTemplates() {
+    const crud = useAsyncCache(this._adminEmailTemplatesCache, [], "useEmailTemplates()");
+    return useMemo(() => {
+      return crud.map((j) => this._adminEmailTemplateFromCrud(j));
+    }, [crud]);
+  }
+  async listEmailTemplates() {
+    const crud = Result.orThrow(await this._adminEmailTemplatesCache.getOrWait([], "write-only"));
+    return crud.map((j) => this._adminEmailTemplateFromCrud(j));
+  }
+  async updateEmailTemplate(type, data) {
+    await this._interface.updateEmailTemplate(type, adminEmailTemplateUpdateOptionsToCrud(data));
+    await this._adminEmailTemplatesCache.refresh([]);
+  }
+  async resetEmailTemplate(type) {
+    await this._interface.resetEmailTemplate(type);
+    await this._adminEmailTemplatesCache.refresh([]);
+  }
+  async createTeamPermissionDefinition(data) {
+    const crud = await this._interface.createPermissionDefinition(serverTeamPermissionDefinitionCreateOptionsToCrud(data));
+    await this._adminTeamPermissionDefinitionsCache.refresh([]);
+    return this._serverTeamPermissionDefinitionFromCrud(crud);
+  }
+  async updateTeamPermissionDefinition(permissionId, data) {
+    await this._interface.updatePermissionDefinition(permissionId, serverTeamPermissionDefinitionUpdateOptionsToCrud(data));
+    await this._adminTeamPermissionDefinitionsCache.refresh([]);
+  }
+  async deleteTeamPermissionDefinition(permissionId) {
+    await this._interface.deletePermissionDefinition(permissionId);
+    await this._adminTeamPermissionDefinitionsCache.refresh([]);
+  }
+  async listTeamPermissionDefinitions() {
+    const crud = Result.orThrow(await this._adminTeamPermissionDefinitionsCache.getOrWait([], "write-only"));
+    return crud.map((p) => this._serverTeamPermissionDefinitionFromCrud(p));
+  }
+  useTeamPermissionDefinitions() {
+    const crud = useAsyncCache(this._adminTeamPermissionDefinitionsCache, [], "usePermissions()");
+    return useMemo(() => {
+      return crud.map((p) => this._serverTeamPermissionDefinitionFromCrud(p));
+    }, [crud]);
+  }
+  useSvixToken() {
+    const crud = useAsyncCache(this._svixTokenCache, [], "useSvixToken()");
+    return crud.token;
+  }
+  async _refreshProject() {
+    await Promise.all([
+      super._refreshProject(),
+      this._adminProjectCache.refresh([])
+    ]);
+  }
+  async _refreshApiKeys() {
+    await this._apiKeysCache.refresh([]);
+  }
+  get [stackAppInternalsSymbol]() {
+    return {
+      ...super[stackAppInternalsSymbol],
+      useMetrics: () => {
+        return useAsyncCache(this._metricsCache, [], "useMetrics()");
+      }
+    };
+  }
+  async sendTestEmail(options) {
+    const response = await this._interface.sendTestEmail({
+      recipient_email: options.recipientEmail,
+      email_config: {
+        ...pick(options.emailConfig, ["host", "port", "username", "password"]),
+        sender_email: options.emailConfig.senderEmail,
+        sender_name: options.emailConfig.senderName
+      }
+    });
+    if (response.success) {
+      return Result.ok(void 0);
+    } else {
+      return Result.error({ errorMessage: response.error_message ?? throwErr("Email test error not specified") });
+    }
+  }
+};
+function contactChannelCreateOptionsToCrud(userId, options) {
+  return {
+    value: options.value,
+    type: options.type,
+    used_for_auth: options.usedForAuth,
+    user_id: userId
+  };
+}
+function contactChannelUpdateOptionsToCrud(options) {
+  return {
+    value: options.value,
+    used_for_auth: options.usedForAuth,
+    is_primary: options.isPrimary
+  };
+}
+function serverContactChannelUpdateOptionsToCrud(options) {
+  return {
+    value: options.value,
+    is_verified: options.isVerified,
+    used_for_auth: options.usedForAuth
+  };
+}
+function serverContactChannelCreateOptionsToCrud(userId, options) {
+  return {
+    type: options.type,
+    value: options.value,
+    is_verified: options.isVerified,
+    user_id: userId,
+    used_for_auth: options.usedForAuth
+  };
+}
+function userUpdateOptionsToCrud(options) {
+  return {
+    display_name: options.displayName,
+    client_metadata: options.clientMetadata,
+    selected_team_id: options.selectedTeamId,
+    totp_secret_base64: options.totpMultiFactorSecret != null ? encodeBase64(options.totpMultiFactorSecret) : options.totpMultiFactorSecret,
+    profile_image_url: options.profileImageUrl,
+    otp_auth_enabled: options.otpAuthEnabled,
+    passkey_auth_enabled: options.passkeyAuthEnabled
+  };
+}
+function serverUserUpdateOptionsToCrud(options) {
+  return {
+    display_name: options.displayName,
+    primary_email: options.primaryEmail,
+    client_metadata: options.clientMetadata,
+    client_read_only_metadata: options.clientReadOnlyMetadata,
+    server_metadata: options.serverMetadata,
+    selected_team_id: options.selectedTeamId,
+    primary_email_auth_enabled: options.primaryEmailAuthEnabled,
+    primary_email_verified: options.primaryEmailVerified,
+    password: options.password,
+    profile_image_url: options.profileImageUrl,
+    totp_secret_base64: options.totpMultiFactorSecret != null ? encodeBase64(options.totpMultiFactorSecret) : options.totpMultiFactorSecret
+  };
+}
+function serverUserCreateOptionsToCrud(options) {
+  return {
+    primary_email: options.primaryEmail,
+    password: options.password,
+    otp_auth_enabled: options.otpAuthEnabled,
+    primary_email_auth_enabled: options.primaryEmailAuthEnabled,
+    display_name: options.displayName,
+    primary_email_verified: options.primaryEmailVerified,
+    client_metadata: options.clientMetadata,
+    client_read_only_metadata: options.clientReadOnlyMetadata,
+    server_metadata: options.serverMetadata
+  };
+}
+function adminProjectUpdateOptionsToCrud(options) {
+  return {
+    display_name: options.displayName,
+    description: options.description,
+    is_production_mode: options.isProductionMode,
+    config: {
+      domains: options.config?.domains?.map((d) => ({
+        domain: d.domain,
+        handler_path: d.handlerPath
+      })),
+      oauth_providers: options.config?.oauthProviders?.map((p) => ({
+        id: p.id,
+        enabled: p.enabled,
+        type: p.type,
+        ...p.type === "standard" && {
+          client_id: p.clientId,
+          client_secret: p.clientSecret,
+          facebook_config_id: p.facebookConfigId,
+          microsoft_tenant_id: p.microsoftTenantId
+        }
+      })),
+      email_config: options.config?.emailConfig && (options.config.emailConfig.type === "shared" ? {
+        type: "shared"
+      } : {
+        type: "standard",
+        host: options.config.emailConfig.host,
+        port: options.config.emailConfig.port,
+        username: options.config.emailConfig.username,
+        password: options.config.emailConfig.password,
+        sender_name: options.config.emailConfig.senderName,
+        sender_email: options.config.emailConfig.senderEmail
+      }),
+      sign_up_enabled: options.config?.signUpEnabled,
+      credential_enabled: options.config?.credentialEnabled,
+      magic_link_enabled: options.config?.magicLinkEnabled,
+      passkey_enabled: options.config?.passkeyEnabled,
+      allow_localhost: options.config?.allowLocalhost,
+      create_team_on_sign_up: options.config?.createTeamOnSignUp,
+      client_team_creation_enabled: options.config?.clientTeamCreationEnabled,
+      client_user_deletion_enabled: options.config?.clientUserDeletionEnabled,
+      team_creator_default_permissions: options.config?.teamCreatorDefaultPermissions,
+      team_member_default_permissions: options.config?.teamMemberDefaultPermissions
+    }
+  };
+}
+function adminProjectCreateOptionsToCrud(options) {
+  return {
+    ...adminProjectUpdateOptionsToCrud(options),
+    display_name: options.displayName
+  };
+}
+function apiKeyCreateOptionsToCrud(options) {
+  return {
+    description: options.description,
+    expires_at_millis: options.expiresAt.getTime(),
+    has_publishable_client_key: options.hasPublishableClientKey,
+    has_secret_server_key: options.hasSecretServerKey,
+    has_super_secret_admin_key: options.hasSuperSecretAdminKey
+  };
+}
+function teamUpdateOptionsToCrud(options) {
+  return {
+    display_name: options.displayName,
+    profile_image_url: options.profileImageUrl,
+    client_metadata: options.clientMetadata
+  };
+}
+function teamCreateOptionsToCrud(options, creatorUserId) {
+  return {
+    display_name: options.displayName,
+    profile_image_url: options.profileImageUrl,
+    creator_user_id: creatorUserId
+  };
+}
+function serverTeamCreateOptionsToCrud(options) {
+  return {
+    display_name: options.displayName,
+    profile_image_url: options.profileImageUrl,
+    creator_user_id: options.creatorUserId
+  };
+}
+function serverTeamUpdateOptionsToCrud(options) {
+  return {
+    display_name: options.displayName,
+    profile_image_url: options.profileImageUrl,
+    client_metadata: options.clientMetadata,
+    client_read_only_metadata: options.clientReadOnlyMetadata,
+    server_metadata: options.serverMetadata
+  };
+}
+function serverTeamPermissionDefinitionCreateOptionsToCrud(options) {
+  return {
+    id: options.id,
+    description: options.description,
+    contained_permission_ids: options.containedPermissionIds
+  };
+}
+function serverTeamPermissionDefinitionUpdateOptionsToCrud(options) {
+  return {
+    id: options.id,
+    description: options.description,
+    contained_permission_ids: options.containedPermissionIds
+  };
+}
+var StackClientApp = _StackClientAppImpl;
+var StackServerApp = _StackServerAppImpl;
+var StackAdminApp = _StackAdminAppImpl;
+function adminEmailTemplateUpdateOptionsToCrud(options) {
+  return {
+    subject: options.subject,
+    content: options.content
+  };
+}
+export {
+  StackAdminApp,
+  StackClientApp,
+  StackServerApp,
+  serverTeamPermissionDefinitionCreateOptionsToCrud,
+  serverTeamPermissionDefinitionUpdateOptionsToCrud,
+  stackAppInternalsSymbol
+};
+//# sourceMappingURL=stack-app.js.map