@stackframe/stack-shared 2.5.2 → 2.5.4

package/dist/interface/clientInterface.js

@@ -1,11 +1,11 @@
 import * as oauth from 'oauth4webapi';
-import { Result } from "../utils/results";
-import { KnownError, KnownErrors } from '../known-errors';
-import { StackAssertionError, captureError, throwErr } from '../utils/errors';
 import { cookies } from '@stackframe/stack-sc';
-import { generateSecureRandomString } from '../utils/crypto';
+import { KnownError, KnownErrors } from '../known-errors';
 import { AccessToken, InternalSession } from '../sessions';
+import { generateSecureRandomString } from '../utils/crypto';
+import { StackAssertionError, throwErr } from '../utils/errors';
 import { globalVar } from '../utils/globals';
+import { Result } from "../utils/results";
 export const sharedProviders = [
     "shared-github",
     "shared-google",
@@ -27,7 +27,6 @@ export function toSharedProvider(provider) {
     return "shared-" + provider;
 }
 export class StackClientInterface {
-    options;
     constructor(options) {
         this.options = options;
         // nothing here
@@ -46,12 +45,12 @@ export class StackClientInterface {
         const as = {
             issuer: this.options.baseUrl,
             algorithm: 'oauth2',
-            token_endpoint: this.getApiUrl() + '/auth/token',
+            token_endpoint: this.getApiUrl() + '/auth/oauth/token',
         };
         const client = {
             client_id: this.projectId,
             client_secret: this.options.publishableClientKey,
-            token_endpoint_auth_method: 'client_secret_basic',
+            token_endpoint_auth_method: 'client_secret_post',
         };
         const rawResponse = await oauth.refreshTokenGrantRequest(as, client, refreshToken.token);
         const response = await this._processResponse(rawResponse);
@@ -115,7 +114,7 @@ export class StackClientInterface {
         const params = {
             /**
              * This fetch may be cross-origin, in which case we don't want to send cookies of the
-             * original origin (this is the default behaviour of `credentials`).
+             * original origin (this is the default behavior of `credentials`).
              *
              * To help debugging, also omit cookies on same-origin, so we don't accidentally
              * implement reliance on cookies anywhere.
@@ -130,10 +129,9 @@ export class StackClientInterface {
             headers: {
                 "X-Stack-Override-Error-Status": "true",
                 "X-Stack-Project-Id": this.projectId,
-                "X-Stack-Request-Type": requestType,
+                "X-Stack-Access-Type": requestType,
                 "X-Stack-Client-Version": this.options.clientVersion,
                 ...(tokenObj ? {
-                    "Authorization": "StackSession " + tokenObj.accessToken.token,
                     "X-Stack-Access-Token": tokenObj.accessToken.token,
                 } : {}),
                 ...(tokenObj?.refreshToken ? {
@@ -241,15 +239,15 @@ export class StackClientInterface {
         }, null);
         throw new StackAssertionError(await res.text());
     }
-    async sendForgotPasswordEmail(email, redirectUrl) {
-        const res = await this.sendClientRequestAndCatchKnownError("/auth/forgot-password", {
+    async sendForgotPasswordEmail(email, callbackUrl) {
+        const res = await this.sendClientRequestAndCatchKnownError("/auth/password/send-reset-code", {
             method: "POST",
             headers: {
                 "Content-Type": "application/json"
             },
             body: JSON.stringify({
                 email,
-                redirectUrl,
+                callback_url: callbackUrl,
             }),
         }, null, [KnownErrors.UserNotFound]);
         if (res.status === "error") {
@@ -257,7 +255,7 @@ export class StackClientInterface {
         }
     }
     async sendVerificationEmail(emailVerificationRedirectUrl, session) {
-        const res = await this.sendClientRequestAndCatchKnownError("/auth/send-verification-email", {
+        const res = await this.sendClientRequestAndCatchKnownError("/contact-channels/send-verification-code", {
             method: "POST",
             headers: {
                 "Content-Type": "application/json"
@@ -270,15 +268,15 @@ export class StackClientInterface {
             return res.error;
         }
     }
-    async sendMagicLinkEmail(email, redirectUrl) {
-        const res = await this.sendClientRequestAndCatchKnownError("/auth/send-magic-link", {
+    async sendMagicLinkEmail(email, callbackUrl) {
+        const res = await this.sendClientRequestAndCatchKnownError("/auth/otp/send-sign-in-code", {
             method: "POST",
             headers: {
                 "Content-Type": "application/json"
             },
             body: JSON.stringify({
                 email,
-                redirectUrl,
+                callback_url: callbackUrl,
             }),
         }, null, [KnownErrors.RedirectUrlNotWhitelisted]);
         if (res.status === "error") {
@@ -286,7 +284,7 @@ export class StackClientInterface {
         }
     }
     async resetPassword(options) {
-        const res = await this.sendClientRequestAndCatchKnownError("/auth/password-reset", {
+        const res = await this.sendClientRequestAndCatchKnownError("/auth/password/reset", {
             method: "POST",
             headers: {
                 "Content-Type": "application/json"
@@ -298,13 +296,16 @@ export class StackClientInterface {
         }
     }
     async updatePassword(options, session) {
-        const res = await this.sendClientRequestAndCatchKnownError("/auth/update-password", {
+        const res = await this.sendClientRequestAndCatchKnownError("/auth/password/update", {
             method: "POST",
             headers: {
                 "Content-Type": "application/json"
             },
-            body: JSON.stringify(options),
-        }, session, [KnownErrors.PasswordMismatch, KnownErrors.PasswordRequirementsNotMet]);
+            body: JSON.stringify({
+                old_password: options.oldPassword,
+                new_password: options.newPassword,
+            }),
+        }, session, [KnownErrors.PasswordConfirmationMismatch, KnownErrors.PasswordRequirementsNotMet]);
         if (res.status === "error") {
             return res.error;
         }
@@ -317,7 +318,7 @@ export class StackClientInterface {
         return res;
     }
     async verifyEmail(code) {
-        const res = await this.sendClientRequestAndCatchKnownError("/auth/email-verification", {
+        const res = await this.sendClientRequestAndCatchKnownError("/contact-channels/verify", {
             method: "POST",
             headers: {
                 "Content-Type": "application/json"
@@ -331,7 +332,7 @@ export class StackClientInterface {
         }
     }
     async signInWithCredential(email, password, session) {
-        const res = await this.sendClientRequestAndCatchKnownError("/auth/signin", {
+        const res = await this.sendClientRequestAndCatchKnownError("/auth/password/sign-in", {
             method: "POST",
             headers: {
                 "Content-Type": "application/json"
@@ -346,12 +347,12 @@ export class StackClientInterface {
         }
         const result = await res.data.json();
         return {
-            accessToken: result.accessToken,
-            refreshToken: result.refreshToken,
+            accessToken: result.access_token,
+            refreshToken: result.refresh_token,
         };
     }
     async signUpWithCredential(email, password, emailVerificationRedirectUrl, session) {
-        const res = await this.sendClientRequestAndCatchKnownError("/auth/signup", {
+        const res = await this.sendClientRequestAndCatchKnownError("/auth/password/sign-up", {
             headers: {
                 "Content-Type": "application/json"
             },
@@ -359,7 +360,7 @@ export class StackClientInterface {
             body: JSON.stringify({
                 email,
                 password,
-                emailVerificationRedirectUrl,
+                verification_callback_url: emailVerificationRedirectUrl,
             }),
         }, session, [KnownErrors.UserEmailAlreadyExists, KnownErrors.PasswordRequirementsNotMet]);
         if (res.status === "error") {
@@ -367,12 +368,12 @@ export class StackClientInterface {
         }
         const result = await res.data.json();
         return {
-            accessToken: result.accessToken,
-            refreshToken: result.refreshToken,
+            accessToken: result.access_token,
+            refreshToken: result.refresh_token,
         };
     }
-    async signInWithMagicLink(code, session) {
-        const res = await this.sendClientRequestAndCatchKnownError("/auth/magic-link-verification", {
+    async signInWithMagicLink(code) {
+        const res = await this.sendClientRequestAndCatchKnownError("/auth/otp/sign-in", {
             method: "POST",
             headers: {
                 "Content-Type": "application/json"
@@ -386,9 +387,9 @@ export class StackClientInterface {
         }
         const result = await res.data.json();
         return {
-            accessToken: result.accessToken,
-            refreshToken: result.refreshToken,
-            newUser: result.newUser,
+            accessToken: result.access_token,
+            refreshToken: result.refresh_token,
+            newUser: result.new_user,
         };
     }
     async getOAuthUrl(options) {
@@ -403,26 +404,26 @@ export class StackClientInterface {
             // TODO fix
             throw new Error("Admin session token is currently not supported for OAuth");
         }
-        const url = new URL(this.getApiUrl() + "/auth/authorize/" + options.provider.toLowerCase());
+        const url = new URL(this.getApiUrl() + "/auth/oauth/authorize/" + options.provider.toLowerCase());
         url.searchParams.set("client_id", this.projectId);
         url.searchParams.set("client_secret", this.options.publishableClientKey);
         url.searchParams.set("redirect_uri", updatedRedirectUrl.toString());
-        url.searchParams.set("scope", "openid");
+        url.searchParams.set("scope", "legacy");
         url.searchParams.set("state", options.state);
         url.searchParams.set("grant_type", "authorization_code");
         url.searchParams.set("code_challenge", options.codeChallenge);
         url.searchParams.set("code_challenge_method", "S256");
         url.searchParams.set("response_type", "code");
         url.searchParams.set("type", options.type);
-        url.searchParams.set("errorRedirectUrl", options.errorRedirectUrl);
+        url.searchParams.set("error_redirect_url", options.errorRedirectUrl);
         if (options.afterCallbackRedirectUrl) {
-            url.searchParams.set("afterCallbackRedirectUrl", options.afterCallbackRedirectUrl);
+            url.searchParams.set("after_callback_redirect_rrl", options.afterCallbackRedirectUrl);
         }
         if (options.type === "link") {
             const tokens = await options.session.getPotentiallyExpiredTokens();
             url.searchParams.set("token", tokens?.accessToken.token || "");
             if (options.providerScope) {
-                url.searchParams.set("providerScope", options.providerScope);
+                url.searchParams.set("provider_scope", options.providerScope);
             }
         }
         return url.toString();
@@ -435,12 +436,12 @@ export class StackClientInterface {
         const as = {
             issuer: this.options.baseUrl,
             algorithm: 'oauth2',
-            token_endpoint: this.getApiUrl() + '/auth/token',
+            token_endpoint: this.getApiUrl() + '/auth/oauth/token',
         };
         const client = {
             client_id: this.projectId,
             client_secret: this.options.publishableClientKey,
-            token_endpoint_auth_method: 'client_secret_basic',
+            token_endpoint_auth_method: 'client_secret_post',
         };
         const params = oauth.validateAuthResponse(as, client, options.oauthParams, options.state);
         if (oauth.isOAuth2Error(params)) {
@@ -462,52 +463,66 @@ export class StackClientInterface {
     async signOut(session) {
         const tokenObj = await session.getPotentiallyExpiredTokens();
         if (tokenObj) {
-            if (!tokenObj.refreshToken) {
-                // TODO implement this
-                captureError("clientInterface.signOut()", new StackAssertionError("Signing out a user without access to the refresh token does not invalidate the session on the server. Please open an issue in the Stack repository if you see this error"));
+            const resOrError = await this.sendClientRequestAndCatchKnownError("/auth/sessions/current", {
+                method: "DELETE",
+                headers: {
+                    "Content-Type": "application/json"
+                },
+                body: JSON.stringify({}),
+            }, session, [KnownErrors.RefreshTokenError]);
+            if (resOrError.status === "error") {
+                if (resOrError.error instanceof KnownErrors.RefreshTokenError) {
+                    // refresh token was already invalid, just continue like nothing happened
+                }
+                else {
+                    // this should never happen
+                    throw new StackAssertionError("Unexpected error", { error: resOrError.error });
+                }
             }
             else {
-                const res = await this.sendClientRequest("/auth/signout", {
-                    method: "POST",
-                    headers: {
-                        "Content-Type": "application/json"
-                    },
-                    body: JSON.stringify({
-                        refreshToken: tokenObj.refreshToken.token,
-                    }),
-                }, session);
-                await res.json();
+                // user was signed out successfully, all good
             }
         }
         session.markInvalid();
     }
-    async getClientUserByToken(tokenStore) {
-        const response = await this.sendClientRequest("/current-user", {}, tokenStore);
+    async getClientUserByToken(session) {
+        const responseOrError = await this.sendClientRequestAndCatchKnownError("/users/me", {}, session, [KnownErrors.CannotGetOwnUserWithoutUser]);
+        if (responseOrError.status === "error") {
+            if (responseOrError.error instanceof KnownErrors.CannotGetOwnUserWithoutUser) {
+                return null;
+            }
+            else {
+                throw new StackAssertionError("Unexpected uncaught error", { cause: responseOrError.error });
+            }
+        }
+        const response = responseOrError.data;
         const user = await response.json();
         if (!user)
-            return Result.error(new Error("Failed to get user"));
-        return Result.ok(user);
+            throw new StackAssertionError("User endpoint returned null; this should never happen");
+        return user;
     }
-    async listClientUserTeamPermissions(options, session) {
-        const response = await this.sendClientRequest(`/current-user/teams/${options.teamId}/permissions?type=${options.type}&direct=${options.direct}`, {}, session);
-        const permissions = await response.json();
-        return permissions;
+    async listCurrentUserTeamPermissions(options, session) {
+        const response = await this.sendClientRequest(`/team-permissions?team_id=${options.teamId}?user_id=me&recursive=${options.recursive}`, {}, session);
+        const result = await response.json();
+        return result.items;
     }
-    async listClientUserTeams(session) {
-        const response = await this.sendClientRequest("/current-user/teams", {}, session);
-        const teams = await response.json();
-        return teams;
+    async listCurrentUserTeams(session) {
+        const response = await this.sendClientRequest("/teams?user_id=me", {}, session);
+        const result = await response.json();
+        return result.items;
     }
     async getClientProject() {
-        const response = await this.sendClientRequest("/projects/" + this.options.projectId, {}, null);
+        const responseOrError = await this.sendClientRequestAndCatchKnownError("/projects/current", {}, null, [KnownErrors.ProjectNotFound]);
+        if (responseOrError.status === "error") {
+            return Result.error(responseOrError.error);
+        }
+        const response = responseOrError.data;
         const project = await response.json();
-        if (!project)
-            return Result.error(new Error("Failed to get project"));
         return Result.ok(project);
     }
-    async setClientUserCustomizableData(update, session) {
-        await this.sendClientRequest("/current-user", {
-            method: "PUT",
+    async updateClientUser(update, session) {
+        await this.sendClientRequest("/users/me", {
+            method: "PATCH",
             headers: {
                 "content-type": "application/json",
             },
@@ -515,15 +530,15 @@ export class StackClientInterface {
         }, session);
     }
     async listProjects(session) {
-        const response = await this.sendClientRequest("/projects", {}, session);
+        const response = await this.sendClientRequest("/internal/projects", {}, session);
         if (!response.ok) {
             throw new Error("Failed to list projects: " + response.status + " " + (await response.text()));
         }
         const json = await response.json();
-        return json;
+        return json.items;
     }
     async createProject(project, session) {
-        const fetchResponse = await this.sendClientRequest("/projects", {
+        const fetchResponse = await this.sendClientRequest("/internal/projects", {
             method: "POST",
             headers: {
                 "content-type": "application/json",
@@ -537,7 +552,7 @@ export class StackClientInterface {
         return json;
     }
     async getAccessToken(provider, scope, session) {
-        const response = await this.sendClientRequest(`/auth/access-token/${provider}`, {
+        const response = await this.sendClientRequest(`/auth/oauth/connected-account/${provider}/access-token`, {
             method: "POST",
             headers: {
                 "content-type": "application/json",
@@ -550,7 +565,7 @@ export class StackClientInterface {
         };
     }
     async createTeamForCurrentUser(data, session) {
-        const response = await this.sendClientRequest("/current-user/teams?server=false", {
+        const response = await this.sendClientRequest("/teams?add_current_user=true", {
             method: "POST",
             headers: {
                 "content-type": "application/json",
@@ -560,45 +575,3 @@ export class StackClientInterface {
         return await response.json();
     }
 }
-export function getProductionModeErrors(project) {
-    const errors = [];
-    const fixUrlRelative = `/projects/${project.id}/domains`;
-    if (project.evaluatedConfig.allowLocalhost) {
-        errors.push({
-            errorMessage: "Localhost is not allowed in production mode, turn off 'Allow localhost' in project settings",
-            fixUrlRelative,
-        });
-    }
-    for (const { domain } of project.evaluatedConfig.domains) {
-        let url;
-        try {
-            url = new URL(domain);
-        }
-        catch (e) {
-            errors.push({
-                errorMessage: "Domain should be a valid URL: " + domain,
-                fixUrlRelative,
-            });
-            continue;
-        }
-        if (url.hostname === "localhost") {
-            errors.push({
-                errorMessage: "Domain should not be localhost: " + domain,
-                fixUrlRelative,
-            });
-        }
-        else if (!url.hostname.includes(".") || url.hostname.match(/\d+(\.\d+)*/)) {
-            errors.push({
-                errorMessage: "Not a valid domain" + domain,
-                fixUrlRelative,
-            });
-        }
-        else if (url.protocol !== "https:") {
-            errors.push({
-                errorMessage: "Domain should be HTTPS: " + domain,
-                fixUrlRelative,
-            });
-        }
-    }
-    return errors;
-}

package/dist/interface/crud/api-keys.d.ts

@@ -0,0 +1,134 @@
+import { CrudTypeOf } from "../../crud";
+export declare const apiKeysCreateInputSchema: import("yup").ObjectSchema<{
+    description: string;
+    expires_at_millis: number;
+    has_publishable_client_key: NonNullable<boolean | undefined>;
+    has_secret_server_key: NonNullable<boolean | undefined>;
+    has_super_secret_admin_key: NonNullable<boolean | undefined>;
+}, import("yup").AnyObject, {
+    description: undefined;
+    expires_at_millis: undefined;
+    has_publishable_client_key: undefined;
+    has_secret_server_key: undefined;
+    has_super_secret_admin_key: undefined;
+}, "">;
+export declare const apiKeysCreateOutputSchema: import("yup").ObjectSchema<{
+    id: string;
+    description: string;
+    expires_at_millis: number;
+    manually_revoked_at_millis: number | undefined;
+    created_at_millis: number;
+} & {
+    publishable_client_key: string | undefined;
+    secret_server_key: string | undefined;
+    super_secret_admin_key: string | undefined;
+}, import("yup").AnyObject, {
+    id: undefined;
+    description: undefined;
+    expires_at_millis: undefined;
+    manually_revoked_at_millis: undefined;
+    created_at_millis: undefined;
+    publishable_client_key: undefined;
+    secret_server_key: undefined;
+    super_secret_admin_key: undefined;
+}, "">;
+export declare const apiKeysCrudAdminObfuscatedReadSchema: import("yup").ObjectSchema<{
+    id: string;
+    description: string;
+    expires_at_millis: number;
+    manually_revoked_at_millis: number | undefined;
+    created_at_millis: number;
+} & {
+    publishable_client_key: {
+        last_four: string;
+    } | undefined;
+    secret_server_key: {
+        last_four: string;
+    } | undefined;
+    super_secret_admin_key: {
+        last_four: string;
+    } | undefined;
+}, import("yup").AnyObject, {
+    id: undefined;
+    description: undefined;
+    expires_at_millis: undefined;
+    manually_revoked_at_millis: undefined;
+    created_at_millis: undefined;
+    publishable_client_key: {
+        last_four: undefined;
+    };
+    secret_server_key: {
+        last_four: undefined;
+    };
+    super_secret_admin_key: {
+        last_four: undefined;
+    };
+}, "">;
+export declare const apiKeysCrudAdminUpdateSchema: import("yup").ObjectSchema<{
+    description: string | undefined;
+    revoked: boolean | undefined;
+}, import("yup").AnyObject, {
+    description: undefined;
+    revoked: undefined;
+}, "">;
+export declare const apiKeysCrudAdminDeleteSchema: import("yup").MixedSchema<{} | undefined, import("yup").AnyObject, undefined, "">;
+export declare const apiKeysCrud: import("../../crud").CrudSchemaFromOptions<{
+    adminReadSchema: import("yup").ObjectSchema<{
+        id: string;
+        description: string;
+        expires_at_millis: number;
+        manually_revoked_at_millis: number | undefined;
+        created_at_millis: number;
+    } & {
+        publishable_client_key: {
+            last_four: string;
+        } | undefined;
+        secret_server_key: {
+            last_four: string;
+        } | undefined;
+        super_secret_admin_key: {
+            last_four: string;
+        } | undefined;
+    }, import("yup").AnyObject, {
+        id: undefined;
+        description: undefined;
+        expires_at_millis: undefined;
+        manually_revoked_at_millis: undefined;
+        created_at_millis: undefined;
+        publishable_client_key: {
+            last_four: undefined;
+        };
+        secret_server_key: {
+            last_four: undefined;
+        };
+        super_secret_admin_key: {
+            last_four: undefined;
+        };
+    }, "">;
+    adminUpdateSchema: import("yup").ObjectSchema<{
+        description: string | undefined;
+        revoked: boolean | undefined;
+    }, import("yup").AnyObject, {
+        description: undefined;
+        revoked: undefined;
+    }, "">;
+    adminDeleteSchema: import("yup").MixedSchema<{} | undefined, import("yup").AnyObject, undefined, "">;
+    docs: {
+        adminList: {
+            hidden: true;
+        };
+        adminRead: {
+            hidden: true;
+        };
+        adminCreate: {
+            hidden: true;
+        };
+        adminUpdate: {
+            hidden: true;
+        };
+        adminDelete: {
+            hidden: true;
+        };
+    };
+}>;
+export type ApiKeysCrud = CrudTypeOf<typeof apiKeysCrud>;

package/dist/interface/crud/api-keys.js

@@ -0,0 +1,61 @@
+import { createCrud } from "../../crud";
+import { yupBoolean, yupMixed, yupNumber, yupObject, yupString } from "../../schema-fields";
+const baseApiKeysReadSchema = yupObject({
+    id: yupString().required(),
+    description: yupString().required(),
+    expires_at_millis: yupNumber().required(),
+    manually_revoked_at_millis: yupNumber().optional(),
+    created_at_millis: yupNumber().required(),
+});
+// Used for the result of the create endpoint
+export const apiKeysCreateInputSchema = yupObject({
+    description: yupString().required(),
+    expires_at_millis: yupNumber().required(),
+    has_publishable_client_key: yupBoolean().required(),
+    has_secret_server_key: yupBoolean().required(),
+    has_super_secret_admin_key: yupBoolean().required(),
+});
+export const apiKeysCreateOutputSchema = baseApiKeysReadSchema.concat(yupObject({
+    publishable_client_key: yupString().optional(),
+    secret_server_key: yupString().optional(),
+    super_secret_admin_key: yupString().optional(),
+}).required());
+// Used for list, read and update endpoints after the initial creation
+export const apiKeysCrudAdminObfuscatedReadSchema = baseApiKeysReadSchema.concat(yupObject({
+    publishable_client_key: yupObject({
+        last_four: yupString().required(),
+    }).optional(),
+    secret_server_key: yupObject({
+        last_four: yupString().required(),
+    }).optional(),
+    super_secret_admin_key: yupObject({
+        last_four: yupString().required(),
+    }).optional(),
+}));
+export const apiKeysCrudAdminUpdateSchema = yupObject({
+    description: yupString().optional(),
+    revoked: yupBoolean().oneOf([true]).optional(),
+}).required();
+export const apiKeysCrudAdminDeleteSchema = yupMixed();
+export const apiKeysCrud = createCrud({
+    adminReadSchema: apiKeysCrudAdminObfuscatedReadSchema,
+    adminUpdateSchema: apiKeysCrudAdminUpdateSchema,
+    adminDeleteSchema: apiKeysCrudAdminDeleteSchema,
+    docs: {
+        adminList: {
+            hidden: true,
+        },
+        adminRead: {
+            hidden: true,
+        },
+        adminCreate: {
+            hidden: true,
+        },
+        adminUpdate: {
+            hidden: true,
+        },
+        adminDelete: {
+            hidden: true,
+        },
+    },
+});