@stackframe/stack-shared 2.4.21 → 2.4.22

package/CHANGELOG.md

@@ -1,5 +1,13 @@
 # @stackframe/stack-shared
 
+## 2.4.22
+
+### Patch Changes
+
+- OAuth scopes
+- Updated dependencies
+  - @stackframe/stack-sc@2.4.22
+
 ## 2.4.21
 
 ### Patch Changes

package/dist/interface/adminInterface.d.ts

@@ -15,7 +15,6 @@ export type OAuthProviderUpdateOptions = {
     type: StandardProvider;
     clientId: string;
     clientSecret: string;
-    tenantId?: string;
 });
 export type ProjectUpdateOptions = {
     displayName?: string;

package/dist/interface/clientInterface.d.ts

@@ -78,7 +78,6 @@ export type OAuthProviderConfigJson = {
     type: StandardProvider;
     clientId: string;
     clientSecret: string;
-    tenantId?: string;
 });
 export type EmailConfigJson = ({
     type: "standard";
@@ -173,9 +172,29 @@ export declare class StackClientInterface {
         accessToken: string;
         refreshToken: string;
     }>;
-    getOAuthUrl(provider: string, redirectUrl: string, codeChallenge: string, state: string): Promise<string>;
-    callOAuthCallback(oauthParams: URLSearchParams, redirectUri: string, codeVerifier: string, state: string): Promise<{
+    getOAuthUrl(options: {
+        provider: string;
+        redirectUrl: string;
+        errorRedirectUrl: string;
+        afterCallbackRedirectUrl?: string;
+        codeChallenge: string;
+        state: string;
+        type: "authenticate" | "link";
+        providerScope?: string;
+    } & ({
+        type: "authenticate";
+    } | {
+        type: "link";
+        session: InternalSession;
+    })): Promise<string>;
+    callOAuthCallback(options: {
+        oauthParams: URLSearchParams;
+        redirectUri: string;
+        codeVerifier: string;
+        state: string;
+    }): Promise<{
         newUser: boolean;
+        afterCallbackRedirectUrl?: string;
         accessToken: string;
         refreshToken: string;
     }>;
@@ -193,6 +212,9 @@ export declare class StackClientInterface {
     createProject(project: ProjectUpdateOptions & {
         displayName: string;
     }, session: InternalSession): Promise<ProjectJson>;
+    getAccessToken(provider: string, scope: string, session: InternalSession): Promise<{
+        accessToken: string;
+    }>;
 }
 export declare function getProductionModeErrors(project: ProjectJson): ProductionModeError[];
 export {};

package/dist/interface/clientInterface.js

@@ -66,11 +66,6 @@ export class StackClientInterface {
             const body = await response.data.text();
             throw new Error(`Failed to send refresh token request: ${response.status} ${body}`);
         }
-        let challenges;
-        if ((challenges = oauth.parseWwwAuthenticateChallenges(response.data))) {
-            // TODO Handle WWW-Authenticate Challenges as needed
-            throw new StackAssertionError("OAuth WWW-Authenticate challenge not implemented", { challenges });
-        }
         const result = await oauth.processRefreshTokenResponse(as, client, response.data);
         if (oauth.isOAuth2Error(result)) {
             // TODO Handle OAuth 2.0 response body error
@@ -128,28 +123,28 @@ export class StackClientInterface {
              * However, Cloudflare Workers don't actually support `credentials`, so we only set it
              * if Cloudflare-exclusive globals are not detected. https://github.com/cloudflare/workers-sdk/issues/2514
              */
-            ..."WebSocketPair" in globalVar ? {} : {
+            ...("WebSocketPair" in globalVar ? {} : {
                 credentials: "omit",
-            },
+            }),
             ...options,
             headers: {
                 "X-Stack-Override-Error-Status": "true",
                 "X-Stack-Project-Id": this.projectId,
                 "X-Stack-Request-Type": requestType,
                 "X-Stack-Client-Version": this.options.clientVersion,
-                ...tokenObj ? {
+                ...(tokenObj ? {
                     "Authorization": "StackSession " + tokenObj.accessToken.token,
                     "X-Stack-Access-Token": tokenObj.accessToken.token,
-                } : {},
-                ...tokenObj?.refreshToken ? {
+                } : {}),
+                ...(tokenObj?.refreshToken ? {
                     "X-Stack-Refresh-Token": tokenObj.refreshToken.token,
-                } : {},
-                ...'publishableClientKey' in this.options ? {
+                } : {}),
+                ...('publishableClientKey' in this.options ? {
                     "X-Stack-Publishable-Client-Key": this.options.publishableClientKey,
-                } : {},
-                ...adminTokenObj ? {
+                } : {}),
+                ...(adminTokenObj ? {
                     "X-Stack-Admin-Access-Token": adminTokenObj.accessToken.token,
-                } : {},
+                } : {}),
                 /**
                  * Next.js until v15 would cache fetch requests by default, and forcefully disabling it was nearly impossible.
                  *
@@ -164,9 +159,9 @@ export class StackClientInterface {
             /**
              * Cloudflare Workers does not support cache, so don't pass it there
              */
-            ..."WebSocketPair" in globalVar ? {} : {
+            ...("WebSocketPair" in globalVar ? {} : {
                 cache: "no-store",
-            },
+            }),
         };
         let rawRes;
         try {
@@ -386,8 +381,8 @@ export class StackClientInterface {
             newUser: result.newUser,
         };
     }
-    async getOAuthUrl(provider, redirectUrl, codeChallenge, state) {
-        const updatedRedirectUrl = new URL(redirectUrl);
+    async getOAuthUrl(options) {
+        const updatedRedirectUrl = new URL(options.redirectUrl);
         for (const key of ["code", "state"]) {
             if (updatedRedirectUrl.searchParams.has(key)) {
                 console.warn("Redirect URL already contains " + key + " parameter, removing it as it will be overwritten by the OAuth callback");
@@ -398,19 +393,31 @@ export class StackClientInterface {
             // TODO fix
             throw new Error("Admin session token is currently not supported for OAuth");
         }
-        const url = new URL(this.getApiUrl() + "/auth/authorize/" + provider.toLowerCase());
+        const url = new URL(this.getApiUrl() + "/auth/authorize/" + options.provider.toLowerCase());
         url.searchParams.set("client_id", this.projectId);
         url.searchParams.set("client_secret", this.options.publishableClientKey);
         url.searchParams.set("redirect_uri", updatedRedirectUrl.toString());
         url.searchParams.set("scope", "openid");
-        url.searchParams.set("state", state);
+        url.searchParams.set("state", options.state);
         url.searchParams.set("grant_type", "authorization_code");
-        url.searchParams.set("code_challenge", codeChallenge);
+        url.searchParams.set("code_challenge", options.codeChallenge);
         url.searchParams.set("code_challenge_method", "S256");
         url.searchParams.set("response_type", "code");
+        url.searchParams.set("type", options.type);
+        url.searchParams.set("errorRedirectUrl", options.errorRedirectUrl);
+        if (options.afterCallbackRedirectUrl) {
+            url.searchParams.set("afterCallbackRedirectUrl", options.afterCallbackRedirectUrl);
+        }
+        if (options.type === "link") {
+            const tokens = await options.session.getPotentiallyExpiredTokens();
+            url.searchParams.set("token", tokens?.accessToken.token || "");
+            if (options.providerScope) {
+                url.searchParams.set("providerScope", options.providerScope);
+            }
+        }
         return url.toString();
     }
-    async callOAuthCallback(oauthParams, redirectUri, codeVerifier, state) {
+    async callOAuthCallback(options) {
         if (!('publishableClientKey' in this.options)) {
             // TODO fix
             throw new Error("Admin session token is currently not supported for OAuth");
@@ -425,16 +432,11 @@ export class StackClientInterface {
             client_secret: this.options.publishableClientKey,
             token_endpoint_auth_method: 'client_secret_basic',
         };
-        const params = oauth.validateAuthResponse(as, client, oauthParams, state);
+        const params = oauth.validateAuthResponse(as, client, options.oauthParams, options.state);
         if (oauth.isOAuth2Error(params)) {
             throw new StackAssertionError("Error validating outer OAuth response", { params }); // Handle OAuth 2.0 redirect error
         }
-        const response = await oauth.authorizationCodeGrantRequest(as, client, params, redirectUri, codeVerifier);
-        let challenges;
-        if ((challenges = oauth.parseWwwAuthenticateChallenges(response))) {
-            // TODO Handle WWW-Authenticate Challenges as needed
-            throw new StackAssertionError("Outer OAuth WWW-Authenticate challenge not implemented", { challenges });
-        }
+        const response = await oauth.authorizationCodeGrantRequest(as, client, params, options.redirectUri, options.codeVerifier);
         const result = await oauth.processAuthorizationCodeOAuth2Response(as, client, response);
         if (oauth.isOAuth2Error(result)) {
             // TODO Handle OAuth 2.0 response body error
@@ -442,6 +444,7 @@ export class StackClientInterface {
         }
         return {
             newUser: result.newUser,
+            afterCallbackRedirectUrl: result.afterCallbackRedirectUrl,
             accessToken: result.access_token,
             refreshToken: result.refresh_token ?? throwErr("Refresh token not found in outer OAuth response"),
         };
@@ -523,6 +526,19 @@ export class StackClientInterface {
         const json = await fetchResponse.json();
         return json;
     }
+    async getAccessToken(provider, scope, session) {
+        const response = await this.sendClientRequest(`/auth/access-token/${provider}`, {
+            method: "POST",
+            headers: {
+                "content-type": "application/json",
+            },
+            body: JSON.stringify({ scope }),
+        }, session);
+        const json = await response.json();
+        return {
+            accessToken: json.accessToken,
+        };
+    }
 }
 export function getProductionModeErrors(project) {
     const errors = [];

package/dist/interface/crud/oauth.d.ts

@@ -0,0 +1,61 @@
+import { CrudTypeOf } from "../../crud";
+import * as yup from "yup";
+export declare const accessTokenReadSchema: yup.ObjectSchema<{
+    accessToken: string;
+}, yup.AnyObject, {
+    accessToken: undefined;
+}, "">;
+export declare const accessTokenCreateSchema: yup.ObjectSchema<{
+    scope: string | undefined;
+}, yup.AnyObject, {
+    scope: undefined;
+}, "">;
+export declare const accessTokenCrud: {
+    client: {
+        createSchema: yup.ObjectSchema<{
+            scope: string | undefined;
+        }, yup.AnyObject, {
+            scope: undefined;
+        }, "">;
+        readSchema: yup.ObjectSchema<{
+            accessToken: string;
+        }, yup.AnyObject, {
+            accessToken: undefined;
+        }, "">;
+        updateSchema: undefined;
+        deleteSchema: undefined;
+    };
+    server: {
+        createSchema: yup.ObjectSchema<{
+            scope: string | undefined;
+        }, yup.AnyObject, {
+            scope: undefined;
+        }, "">;
+        readSchema: yup.ObjectSchema<{
+            accessToken: string;
+        }, yup.AnyObject, {
+            accessToken: undefined;
+        }, "">;
+        updateSchema: undefined;
+        deleteSchema: undefined;
+    };
+    admin: {
+        createSchema: yup.ObjectSchema<{
+            scope: string | undefined;
+        }, yup.AnyObject, {
+            scope: undefined;
+        }, "">;
+        readSchema: yup.ObjectSchema<{
+            accessToken: string;
+        }, yup.AnyObject, {
+            accessToken: undefined;
+        }, "">;
+        updateSchema: undefined;
+        deleteSchema: undefined;
+    };
+    hasCreate: boolean;
+    hasRead: boolean;
+    hasUpdate: boolean;
+    hasDelete: boolean;
+};
+export type AccessTokenCrud = CrudTypeOf<typeof accessTokenCrud>;

package/dist/interface/crud/oauth.js

@@ -0,0 +1,12 @@
+import { createCrud } from "../../crud";
+import * as yup from "yup";
+export const accessTokenReadSchema = yup.object({
+    accessToken: yup.string().required(),
+}).required();
+export const accessTokenCreateSchema = yup.object({
+    scope: yup.string().optional(),
+}).required();
+export const accessTokenCrud = createCrud({
+    clientReadSchema: accessTokenReadSchema,
+    clientCreateSchema: accessTokenCreateSchema,
+});

package/dist/known-errors.d.ts

@@ -236,11 +236,32 @@ export declare const KnownErrors: {
     PermissionScopeMismatch: KnownErrorConstructor<KnownError & KnownErrorBrand<"PERMISSION_SCOPE_MISMATCH">, [permissionId: string, permissionScope: PermissionDefinitionScopeJson, testScope: PermissionDefinitionScopeJson]> & {
         errorCode: "PERMISSION_SCOPE_MISMATCH";
     };
+    UserNotInTeam: KnownErrorConstructor<KnownError & KnownErrorBrand<"USER_NOT_IN_TEAM">, [userId: string, teamId: string]> & {
+        errorCode: "USER_NOT_IN_TEAM";
+    };
     TeamNotFound: KnownErrorConstructor<KnownError & KnownErrorBrand<"TEAM_NOT_FOUND">, [teamId: string]> & {
         errorCode: "TEAM_NOT_FOUND";
     };
     EmailTemplateAlreadyExists: KnownErrorConstructor<KnownError & KnownErrorBrand<"EMAIL_TEMPLATE_ALREADY_EXISTS">, []> & {
         errorCode: "EMAIL_TEMPLATE_ALREADY_EXISTS";
     };
+    OAuthConnectionNotConnectedToUser: KnownErrorConstructor<KnownError & KnownErrorBrand<"OAUTH_CONNECTION_NOT_CONNECTED_TO_USER">, []> & {
+        errorCode: "OAUTH_CONNECTION_NOT_CONNECTED_TO_USER";
+    };
+    OAuthConnectionAlreadyConnectedToAnotherUser: KnownErrorConstructor<KnownError & KnownErrorBrand<"OAUTH_CONNECTION_ALREADY_CONNECTED_TO_ANOTHER_USER">, []> & {
+        errorCode: "OAUTH_CONNECTION_ALREADY_CONNECTED_TO_ANOTHER_USER";
+    };
+    OAuthConnectionDoesNotHaveRequiredScope: KnownErrorConstructor<KnownError & KnownErrorBrand<"OAUTH_CONNECTION_DOES_NOT_HAVE_REQUIRED_SCOPE">, []> & {
+        errorCode: "OAUTH_CONNECTION_DOES_NOT_HAVE_REQUIRED_SCOPE";
+    };
+    OAuthExtraScopeNotAvailableWithSharedOAuthKeys: KnownErrorConstructor<KnownError & KnownErrorBrand<"OAUTH_EXTRA_SCOPE_NOT_AVAILABLE_WITH_SHARED_OAUTH_KEYS">, []> & {
+        errorCode: "OAUTH_EXTRA_SCOPE_NOT_AVAILABLE_WITH_SHARED_OAUTH_KEYS";
+    };
+    OAuthAccessTokenNotAvailableWithSharedOAuthKeys: KnownErrorConstructor<KnownError & KnownErrorBrand<"OAUTH_ACCESS_TOKEN_NOT_AVAILABLE_WITH_SHARED_OAUTH_KEYS">, []> & {
+        errorCode: "OAUTH_ACCESS_TOKEN_NOT_AVAILABLE_WITH_SHARED_OAUTH_KEYS";
+    };
+    UserAlreadyConnectedToAnotherOAuthConnection: KnownErrorConstructor<KnownError & KnownErrorBrand<"USER_ALREADY_CONNECTED_TO_ANOTHER_OAUTH_CONNECTION">, []> & {
+        errorCode: "USER_ALREADY_CONNECTED_TO_ANOTHER_OAUTH_CONNECTION";
+    };
 };
 export {};

package/dist/known-errors.js

@@ -341,6 +341,30 @@ const EmailTemplateAlreadyExists = createKnownErrorConstructor(KnownError, "EMAI
     400,
     "Email template already exists.",
 ], () => []);
+const OAuthConnectionNotConnectedToUser = createKnownErrorConstructor(KnownError, "OAUTH_CONNECTION_NOT_CONNECTED_TO_USER", () => [
+    400,
+    "The OAuth connection is not connected to any user.",
+], () => []);
+const OAuthConnectionAlreadyConnectedToAnotherUser = createKnownErrorConstructor(KnownError, "OAUTH_CONNECTION_ALREADY_CONNECTED_TO_ANOTHER_USER", () => [
+    400,
+    "The OAuth connection is already connected to another user.",
+], () => []);
+const OAuthConnectionDoesNotHaveRequiredScope = createKnownErrorConstructor(KnownError, "OAUTH_CONNECTION_DOES_NOT_HAVE_REQUIRED_SCOPE", () => [
+    400,
+    "The OAuth connection does not have the required scope.",
+], () => []);
+const OAuthExtraScopeNotAvailableWithSharedOAuthKeys = createKnownErrorConstructor(KnownError, "OAUTH_EXTRA_SCOPE_NOT_AVAILABLE_WITH_SHARED_OAUTH_KEYS", () => [
+    400,
+    "Extra scopes are not available with shared OAuth keys. Please add your own OAuth keys on the Stack dashboard to use extra scopes.",
+], () => []);
+const OAuthAccessTokenNotAvailableWithSharedOAuthKeys = createKnownErrorConstructor(KnownError, "OAUTH_ACCESS_TOKEN_NOT_AVAILABLE_WITH_SHARED_OAUTH_KEYS", () => [
+    400,
+    "Access tokens are not available with shared OAuth keys. Please add your own OAuth keys on the Stack dashboard to use access tokens.",
+], () => []);
+const UserAlreadyConnectedToAnotherOAuthConnection = createKnownErrorConstructor(KnownError, "USER_ALREADY_CONNECTED_TO_ANOTHER_OAUTH_CONNECTION", () => [
+    400,
+    "The user is already connected to another OAuth account. Did you maybe selected the wrong account?",
+], () => []);
 export const KnownErrors = {
     UnsupportedError,
     BodyParsingError,
@@ -406,8 +430,15 @@ export const KnownErrors = {
     EmailAlreadyVerified,
     PermissionNotFound,
     PermissionScopeMismatch,
+    UserNotInTeam,
     TeamNotFound,
     EmailTemplateAlreadyExists,
+    OAuthConnectionNotConnectedToUser,
+    OAuthConnectionAlreadyConnectedToAnotherUser,
+    OAuthConnectionDoesNotHaveRequiredScope,
+    OAuthExtraScopeNotAvailableWithSharedOAuthKeys,
+    OAuthAccessTokenNotAvailableWithSharedOAuthKeys,
+    UserAlreadyConnectedToAnotherOAuthConnection,
 };
 // ensure that all known error codes are unique
 const knownErrorCodes = new Set();

package/dist/utils/react.js

@@ -32,7 +32,25 @@ export function suspend() {
 export function suspendIfSsr(caller) {
     if (!isBrowserLike()) {
         const error = Object.assign(new Error(deindent `
-        ${caller ?? "This code path"} attempted to display a loading indicator during SSR by falling back to the nearest Suspense boundary. If you see this error, it means no Suspense boundary was found, and no loading indicator could be displayed. Make sure you are not catching this error with try-catch, and that the component is rendered inside a Suspense boundary, for example by adding a \`loading.tsx\` file in your app directory.
+        ${caller ?? "This code path"} attempted to display a loading indicator during SSR by falling back to the nearest Suspense boundary. If you see this error, it means no Suspense boundary was found, and no loading indicator could be displayed.
+        
+        This usually has one of three causes:
+        
+        1. You are missing a loading.tsx file in your app directory. Fix it by adding a loading.tsx file in your app directory.
+
+        2. The component is rendered in the root (outermost) layout.tsx or template.tsx file. Next.js does not wrap those files in a Suspense boundary, even if there is a loading.tsx file in the same folder. To fix it, wrap your layout inside a route group like this:
+
+          - app
+            - layout.tsx  // contains <html> and <body>, alongside providers and other components that don't need ${caller ?? "this code path"}
+            - loading.tsx  // required for suspense
+            - (main)
+              - layout.tsx  // contains the main layout of your app, like a sidebar or a header, and can use ${caller ?? "this code path"}
+              - route.tsx  // your actual main page
+              - the rest of your app
+
+          For more information on this approach, see Next's documentation on route groups: https://nextjs.org/docs/app/building-your-application/routing/route-groups
+        
+        3. You caught this error with try-catch or a custom error boundary. Fix this by rethrowing the error or not catching it in the first place.
 
         See: https://nextjs.org/docs/messages/missing-suspense-with-csr-bailout
 

package/dist/utils/strings.d.ts

@@ -39,6 +39,8 @@ export declare function trimLines(s: string): string;
 export declare function templateIdentity(strings: TemplateStringsArray | readonly string[], ...values: any[]): string;
 export declare function deindent(code: string): string;
 export declare function deindent(strings: TemplateStringsArray | readonly string[], ...values: any[]): string;
+export declare function extractScopes(scope: string, removeDuplicates?: boolean): string[];
+export declare function mergeScopeStrings(...scopes: string[]): string;
 export declare function nicify(value: unknown, { depth }?: {
     depth?: number | undefined;
 }): string;

package/dist/utils/strings.js

@@ -92,6 +92,16 @@ export function deindent(strings, ...values) {
     });
     return templateIdentity(deindentedStrings, ...indentedValues);
 }
+export function extractScopes(scope, removeDuplicates = true) {
+    const trimmedString = scope.trim();
+    const scopesArray = trimmedString.split(/\s+/);
+    const filtered = scopesArray.filter(scope => scope.length > 0);
+    return removeDuplicates ? [...new Set(filtered)] : filtered;
+}
+export function mergeScopeStrings(...scopes) {
+    const allScope = scopes.map((s) => extractScopes(s)).flat().join(" ");
+    return extractScopes(allScope).join(" ");
+}
 export function nicify(value, { depth = 5 } = {}) {
     switch (typeof value) {
         case "string":

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@stackframe/stack-shared",
-  "version": "2.4.21",
+  "version": "2.4.22",
   "main": "./dist/index.js",
   "types": "./dist/index.d.ts",
   "files": [
@@ -26,7 +26,7 @@
     "jose": "^5.2.2",
     "oauth4webapi": "^2.10.3",
     "uuid": "^9.0.1",
-    "@stackframe/stack-sc": "2.4.21"
+    "@stackframe/stack-sc": "2.4.22"
   },
   "devDependencies": {
     "rimraf": "^5.0.5",