@stackframe/stack-shared 2.6.26 → 2.6.27

package/CHANGELOG.md

@@ -1,5 +1,12 @@
 # @stackframe/stack-shared
 
+## 2.6.27
+
+### Patch Changes
+
+- Bugfixes
+  - @stackframe/stack-sc@2.6.27
+
 ## 2.6.26
 
 ### Patch Changes

package/dist/interface/crud/current-user.d.ts

@@ -135,6 +135,7 @@ export declare const currentUserCrud: import("../../crud").CrudSchemaFromOptions
         primary_email_auth_enabled: undefined;
         passkey_auth_enabled: undefined;
         password: undefined;
+        password_hash: undefined;
         otp_auth_enabled: undefined;
         totp_secret_base64: undefined;
         selected_team_id: undefined;
@@ -150,6 +151,7 @@ export declare const currentUserCrud: import("../../crud").CrudSchemaFromOptions
         primary_email_auth_enabled: boolean | undefined;
         passkey_auth_enabled: boolean | undefined;
         password: string | null | undefined;
+        password_hash: string | undefined;
         otp_auth_enabled: boolean | undefined;
         totp_secret_base64: string | null | undefined;
         selected_team_id: string | null | undefined;
@@ -164,6 +166,7 @@ export declare const currentUserCrud: import("../../crud").CrudSchemaFromOptions
         primary_email_auth_enabled: undefined;
         passkey_auth_enabled: undefined;
         password: undefined;
+        password_hash: undefined;
         otp_auth_enabled: undefined;
         totp_secret_base64: undefined;
         selected_team_id: undefined;

package/dist/interface/crud/users.d.ts

@@ -10,6 +10,7 @@ export declare const usersCrudServerUpdateSchema: import("yup").ObjectSchema<{
     primary_email_auth_enabled: boolean | undefined;
     passkey_auth_enabled: boolean | undefined;
     password: string | null | undefined;
+    password_hash: string | undefined;
     otp_auth_enabled: boolean | undefined;
     totp_secret_base64: string | null | undefined;
     selected_team_id: string | null | undefined;
@@ -24,6 +25,7 @@ export declare const usersCrudServerUpdateSchema: import("yup").ObjectSchema<{
     primary_email_auth_enabled: undefined;
     passkey_auth_enabled: undefined;
     password: undefined;
+    password_hash: undefined;
     otp_auth_enabled: undefined;
     totp_secret_base64: undefined;
     selected_team_id: undefined;
@@ -100,6 +102,7 @@ export declare const usersCrudServerCreateSchema: import("yup").ObjectSchema<{
     primary_email_verified: boolean | undefined;
     primary_email_auth_enabled: boolean | undefined;
     passkey_auth_enabled: boolean | undefined;
+    password_hash: string | undefined;
     otp_auth_enabled: boolean | undefined;
     totp_secret_base64: string | null | undefined;
 } & {
@@ -119,6 +122,7 @@ export declare const usersCrudServerCreateSchema: import("yup").ObjectSchema<{
     primary_email_auth_enabled: undefined;
     passkey_auth_enabled: undefined;
     password: undefined;
+    password_hash: undefined;
     otp_auth_enabled: undefined;
     totp_secret_base64: undefined;
     selected_team_id: undefined;
@@ -198,6 +202,7 @@ export declare const usersCrud: import("../../crud").CrudSchemaFromOptions<{
         primary_email_auth_enabled: boolean | undefined;
         passkey_auth_enabled: boolean | undefined;
         password: string | null | undefined;
+        password_hash: string | undefined;
         otp_auth_enabled: boolean | undefined;
         totp_secret_base64: string | null | undefined;
         selected_team_id: string | null | undefined;
@@ -212,6 +217,7 @@ export declare const usersCrud: import("../../crud").CrudSchemaFromOptions<{
         primary_email_auth_enabled: undefined;
         passkey_auth_enabled: undefined;
         password: undefined;
+        password_hash: undefined;
         otp_auth_enabled: undefined;
         totp_secret_base64: undefined;
         selected_team_id: undefined;
@@ -227,6 +233,7 @@ export declare const usersCrud: import("../../crud").CrudSchemaFromOptions<{
         primary_email_verified: boolean | undefined;
         primary_email_auth_enabled: boolean | undefined;
         passkey_auth_enabled: boolean | undefined;
+        password_hash: string | undefined;
         otp_auth_enabled: boolean | undefined;
         totp_secret_base64: string | null | undefined;
     } & {
@@ -246,6 +253,7 @@ export declare const usersCrud: import("../../crud").CrudSchemaFromOptions<{
         primary_email_auth_enabled: undefined;
         passkey_auth_enabled: undefined;
         password: undefined;
+        password_hash: undefined;
         otp_auth_enabled: undefined;
         totp_secret_base64: undefined;
         selected_team_id: undefined;

package/dist/interface/crud/users.js

@@ -12,6 +12,7 @@ export const usersCrudServerUpdateSchema = fieldSchema.yupObject({
     primary_email_auth_enabled: fieldSchema.primaryEmailAuthEnabledSchema.optional(),
     passkey_auth_enabled: fieldSchema.userOtpAuthEnabledSchema.optional(),
     password: fieldSchema.userPasswordMutationSchema.optional(),
+    password_hash: fieldSchema.userPasswordHashMutationSchema.optional(),
     otp_auth_enabled: fieldSchema.userOtpAuthEnabledMutationSchema.optional(),
     totp_secret_base64: fieldSchema.userTotpSecretMutationSchema.optional(),
     selected_team_id: fieldSchema.selectedTeamIdSchema.nullable().optional(),

package/dist/schema-fields.d.ts

@@ -20,10 +20,7 @@ export declare function yupMixed<A extends {}>(...args: Parameters<typeof yup.mi
 export declare function yupArray<A extends yup.Maybe<yup.AnyObject> = yup.AnyObject, B = any>(...args: Parameters<typeof yup.array<A, B>>): yup.ArraySchema<B[] | undefined, A, undefined, "">;
 export declare function yupTuple<T extends [unknown, ...unknown[]]>(...args: Parameters<typeof yup.tuple<T>>): yup.TupleSchema<T | undefined, yup.AnyObject, undefined, "">;
 export declare function yupObject<A extends yup.Maybe<yup.AnyObject>, B extends yup.ObjectShape>(...args: Parameters<typeof yup.object<A, B>>): yup.ObjectSchema<yup.TypeFromShape<B, yup.AnyObject> extends infer T ? T extends yup.TypeFromShape<B, yup.AnyObject> ? T extends {} ? { [k in keyof T]: T[k]; } : T : never : never, yup.AnyObject, yup.DefaultFromShape<B> extends infer T_1 ? T_1 extends yup.DefaultFromShape<B> ? T_1 extends {} ? { [k_1 in keyof T_1]: T_1[k_1]; } : T_1 : never : never, "">;
-/**
- * Note that the .defined() on unions is implicit.
- */
-export declare function yupUnion<T extends yup.ISchema<any>[]>(...args: T): yup.ISchema<yup.InferType<T[number]>>;
+export declare function yupUnion<T extends yup.ISchema<any>[]>(...args: T): yup.MixedSchema<yup.InferType<T[number]>>;
 export declare const adaptSchema: yup.MixedSchema<typeof StackAdaptSentinel | undefined, yup.AnyObject, undefined, "">;
 /**
  * Yup's URL schema does not recognize some URLs (including `http://localhost`) as a valid URL. This schema is a workaround for that.
@@ -32,8 +29,16 @@ export declare const urlSchema: yup.StringSchema<string | undefined, yup.AnyObje
 export declare const jsonSchema: yup.MixedSchema<{} | null, yup.AnyObject, undefined, "">;
 export declare const jsonStringSchema: yup.StringSchema<string | undefined, yup.AnyObject, undefined, "">;
 export declare const jsonStringOrEmptySchema: yup.StringSchema<string | undefined, yup.AnyObject, undefined, "">;
-export declare const emailSchema: yup.StringSchema<string | undefined, yup.AnyObject, undefined, "">;
 export declare const base64Schema: yup.StringSchema<string | undefined, yup.AnyObject, undefined, "">;
+export declare const passwordSchema: yup.StringSchema<string | undefined, yup.AnyObject, undefined, "">;
+/**
+ * A stricter email schema that does some additional checks for UX input.
+ *
+ * Note that some users in the DB have an email that doesn't match this regex, so most of the time you should use
+ * `emailSchema` instead until we do the DB migration.
+ */
+export declare const strictEmailSchema: (message: string | undefined) => yup.StringSchema<string | undefined, yup.AnyObject, undefined, "">;
+export declare const emailSchema: yup.StringSchema<string | undefined, yup.AnyObject, undefined, "">;
 export declare const clientOrHigherAuthTypeSchema: yup.StringSchema<"client" | "server" | "admin" | undefined, yup.AnyObject, undefined, "">;
 export declare const serverOrHigherAuthTypeSchema: yup.StringSchema<"server" | "admin" | undefined, yup.AnyObject, undefined, "">;
 export declare const adminAuthTypeSchema: yup.StringSchema<"admin" | undefined, yup.AnyObject, undefined, "">;
@@ -97,6 +102,7 @@ export declare const userOtpAuthEnabledSchema: yup.BooleanSchema<boolean | undef
 export declare const userOtpAuthEnabledMutationSchema: yup.BooleanSchema<boolean | undefined, yup.AnyObject, undefined, "">;
 export declare const userHasPasswordSchema: yup.BooleanSchema<boolean | undefined, yup.AnyObject, undefined, "">;
 export declare const userPasswordMutationSchema: yup.StringSchema<string | null | undefined, yup.AnyObject, undefined, "">;
+export declare const userPasswordHashMutationSchema: yup.StringSchema<string | undefined, yup.AnyObject, undefined, "">;
 export declare const userTotpSecretMutationSchema: yup.StringSchema<string | null | undefined, yup.AnyObject, undefined, "">;
 export declare const signInEmailSchema: yup.StringSchema<string | undefined, yup.AnyObject, undefined, "">;
 export declare const emailOtpSignInCallbackUrlSchema: yup.StringSchema<string | undefined, yup.AnyObject, undefined, "">;

package/dist/schema-fields.js

@@ -123,9 +123,6 @@ export function yupObject(...args) {
     // we don't want to update the type of `object` to have a default flag
     return object.default(undefined);
 }
-/**
- * Note that the .defined() on unions is implicit.
- */
 export function yupUnion(...args) {
     if (args.length === 0)
         throw new Error('yupUnion must have at least one schema');
@@ -136,7 +133,7 @@ export function yupUnion(...args) {
         if (desc.type !== firstDesc.type)
             throw new StackAssertionError(`yupUnion must have schemas of the same type (got: ${firstDesc.type} and ${desc.type})`, { first, schema, firstDesc, desc });
     }
-    return yupMixed().defined().test('is-one-of', 'Invalid value', async (value, context) => {
+    return yupMixed().test('is-one-of', 'Invalid value', async (value, context) => {
         const errors = [];
         for (const schema of args) {
             try {
@@ -196,12 +193,22 @@ export const jsonStringOrEmptySchema = yupString().test("json", "Invalid JSON fo
         return false;
     }
 });
-export const emailSchema = yupString().email();
 export const base64Schema = yupString().test("is-base64", "Invalid base64 format", (value) => {
     if (value == null)
         return true;
     return isBase64(value);
 });
+export const passwordSchema = yupString().max(70);
+/**
+ * A stricter email schema that does some additional checks for UX input.
+ *
+ * Note that some users in the DB have an email that doesn't match this regex, so most of the time you should use
+ * `emailSchema` instead until we do the DB migration.
+ */
+// eslint-disable-next-line no-restricted-syntax
+export const strictEmailSchema = (message) => yupString().email(message).matches(/^.*@.*\..*$/, message);
+// eslint-disable-next-line no-restricted-syntax
+export const emailSchema = yupString().email();
 // Request auth
 export const clientOrHigherAuthTypeSchema = yupString().oneOf(['client', 'server', 'admin']);
 export const serverOrHigherAuthTypeSchema = yupString().oneOf(['server', 'admin']);
@@ -236,7 +243,7 @@ export const emailHostSchema = yupString().meta({ openapiField: { description: '
 export const emailPortSchema = yupNumber().meta({ openapiField: { description: 'Email port. Needs to be specified when using type="standard"', exampleValue: 587 } });
 export const emailUsernameSchema = yupString().meta({ openapiField: { description: 'Email username. Needs to be specified when using type="standard"', exampleValue: 'smtp-email' } });
 export const emailSenderEmailSchema = emailSchema.meta({ openapiField: { description: 'Email sender email. Needs to be specified when using type="standard"', exampleValue: 'example@your-domain.com' } });
-export const emailPasswordSchema = yupString().meta({ openapiField: { description: 'Email password. Needs to be specified when using type="standard"', exampleValue: 'your-email-password' } });
+export const emailPasswordSchema = passwordSchema.meta({ openapiField: { description: 'Email password. Needs to be specified when using type="standard"', exampleValue: 'your-email-password' } });
 // Project domain config
 export const projectTrustedDomainSchema = yupString().test('is-https', 'Trusted domain must start with https://', (value) => value?.startsWith('https://')).meta({ openapiField: { description: 'Your domain URL. Make sure you own and trust this domain. Needs to start with https://', exampleValue: 'https://example.com' } });
 export const handlerPathSchema = yupString().test('is-handler-path', 'Handler path must start with /', (value) => value?.startsWith('/')).meta({ openapiField: { description: 'Handler path. If you did not setup a custom handler path, it should be "/handler" by default. It needs to start with /', exampleValue: '/handler' } });
@@ -283,7 +290,10 @@ export const userPasskeyAuthEnabledSchema = yupBoolean().meta({ openapiField: {
 export const userOtpAuthEnabledSchema = yupBoolean().meta({ openapiField: { hidden: true, description: 'Whether the user has OTP/magic link enabled. ', exampleValue: true } });
 export const userOtpAuthEnabledMutationSchema = yupBoolean().meta({ openapiField: { hidden: true, description: 'Whether the user has OTP/magic link enabled. Note that only accounts with verified emails can sign-in with OTP.', exampleValue: true } });
 export const userHasPasswordSchema = yupBoolean().meta({ openapiField: { hidden: true, description: 'Whether the user has a password set. If the user does not have a password set, they will not be able to sign in with email/password.', exampleValue: true } });
-export const userPasswordMutationSchema = yupString().nullable().meta({ openapiField: { description: 'Sets the user\'s password. Doing so revokes all current sessions.', exampleValue: 'my-new-password' } });
+export const userPasswordMutationSchema = passwordSchema.nullable().meta({ openapiField: { description: 'Sets the user\'s password. Doing so revokes all current sessions.', exampleValue: 'my-new-password' } }).max(70);
+export const userPasswordHashMutationSchema = yupString()
+    .nonEmpty()
+    .meta({ openapiField: { description: 'If `password` is not given, sets the user\'s password hash to the given string in Modular Crypt Format (ex.: `$2a$10$VIhIOofSMqGdGlL4wzE//e.77dAQGqNtF/1dT7bqCrVtQuInWy2qi`). Doing so revokes all current sessions.' } }); // we don't set an exampleValue here because it's exclusive with the password field and having both would break the generated example
 export const userTotpSecretMutationSchema = base64Schema.nullable().meta({ openapiField: { description: 'Enables 2FA and sets a TOTP secret for the user. Set to null to disable 2FA.', exampleValue: 'dG90cC1zZWNyZXQ=' } });
 // Auth
 export const signInEmailSchema = emailSchema.meta({ openapiField: { description: 'The email to sign in with.', exampleValue: 'johndoe@example.com' } });

package/dist/utils/errors.d.ts

@@ -2,6 +2,27 @@ import { Json } from "./json";
 export declare function throwErr(errorMessage: string, extraData?: any): never;
 export declare function throwErr(error: Error): never;
 export declare function throwErr(...args: StatusErrorConstructorParameters): never;
+/**
+ * Concatenates the stacktraces of the given errors onto the first.
+ *
+ * Useful when you invoke an async function to receive a promise without awaiting it immediately. Browsers are smart
+ * enough to keep track of the call stack in async function calls when you invoke `.then` within the same async tick,
+ * but if you don't,
+ *
+ * Here's an example of the unwanted behavior:
+ *
+ * ```tsx
+ * async function log() {
+ *   await wait(0);  // simulate an put the task on the event loop
+ *   console.log(new Error().stack);
+ * }
+ *
+ * async function main() {
+ *   await log();  // good; prints both "log" and "main" on the stacktrace
+ *   log();  // bad; prints only "log" on the stacktrace
+ * }
+ * ```
+ */
 export declare function concatStacktraces(first: Error, ...errors: Error[]): void;
 export declare class StackAssertionError extends Error implements ErrorWithCustomCapture {
     readonly extraData?: Record<string, any> | undefined;

package/dist/utils/errors.js

@@ -16,6 +16,27 @@ function removeStacktraceNameLine(stack) {
     const addsNameLine = new Error().stack?.startsWith("Error\n");
     return stack.split("\n").slice(addsNameLine ? 1 : 0).join("\n");
 }
+/**
+ * Concatenates the stacktraces of the given errors onto the first.
+ *
+ * Useful when you invoke an async function to receive a promise without awaiting it immediately. Browsers are smart
+ * enough to keep track of the call stack in async function calls when you invoke `.then` within the same async tick,
+ * but if you don't,
+ *
+ * Here's an example of the unwanted behavior:
+ *
+ * ```tsx
+ * async function log() {
+ *   await wait(0);  // simulate an put the task on the event loop
+ *   console.log(new Error().stack);
+ * }
+ *
+ * async function main() {
+ *   await log();  // good; prints both "log" and "main" on the stacktrace
+ *   log();  // bad; prints only "log" on the stacktrace
+ * }
+ * ```
+ */
 export function concatStacktraces(first, ...errors) {
     // some browsers (eg. Firefox) add an extra empty line at the end
     const addsEmptyLineAtEnd = first.stack?.endsWith("\n");

package/dist/utils/hashes.d.ts

@@ -0,0 +1,4 @@
+export declare function hashPassword(password: string): Promise<string>;
+export declare function comparePassword(password: string, hash: string): Promise<boolean>;
+export declare function isPasswordHashValid(hash: string): Promise<boolean>;
+export declare function getPasswordHashAlgorithm(hash: string): Promise<"bcrypt" | undefined>;

package/dist/utils/hashes.js

@@ -0,0 +1,44 @@
+import bcrypt from 'bcrypt';
+import { StackAssertionError } from './errors';
+export async function hashPassword(password) {
+    const passwordBytes = new TextEncoder().encode(password);
+    if (passwordBytes.length >= 72) {
+        throw new StackAssertionError(`Password is too long for bcrypt`, { len: passwordBytes.length });
+    }
+    const salt = await bcrypt.genSalt(10);
+    return await bcrypt.hash(password, salt);
+}
+export async function comparePassword(password, hash) {
+    switch (await getPasswordHashAlgorithm(hash)) {
+        case "bcrypt": {
+            return await bcrypt.compare(password, hash);
+        }
+        default: {
+            return false;
+        }
+    }
+}
+export async function isPasswordHashValid(hash) {
+    return !!(await getPasswordHashAlgorithm(hash));
+}
+export async function getPasswordHashAlgorithm(hash) {
+    if (typeof hash !== "string") {
+        throw new StackAssertionError(`Passed non-string value to getPasswordHashAlgorithm`, { hash });
+    }
+    if (hash.match(/^\$2[ayb]\$.{56}$/)) {
+        try {
+            if (bcrypt.getRounds(hash) > 16) {
+                return undefined;
+            }
+            await bcrypt.compare("any string", hash);
+            return "bcrypt";
+        }
+        catch (e) {
+            console.warn(`Error while checking bcrypt password hash. Assuming the hash is invalid`, e);
+            return undefined;
+        }
+    }
+    else {
+        return undefined;
+    }
+}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@stackframe/stack-shared",
-  "version": "2.6.26",
+  "version": "2.6.27",
   "main": "./dist/index.js",
   "types": "./dist/index.d.ts",
   "files": [
@@ -50,7 +50,7 @@
     "oauth4webapi": "^2.10.3",
     "semver": "^7.6.3",
     "uuid": "^9.0.1",
-    "@stackframe/stack-sc": "2.6.26"
+    "@stackframe/stack-sc": "2.6.27"
   },
   "devDependencies": {
     "@simplewebauthn/types": "^11.0.0",

package/dist/utils/password.d.ts

@@ -1,2 +0,0 @@
-export declare function hashPassword(password: string): Promise<string>;
-export declare function comparePassword(password: string, hash: string): Promise<boolean>;

package/dist/utils/password.js

@@ -1,8 +0,0 @@
-import bcrypt from 'bcrypt';
-export async function hashPassword(password) {
-    const salt = await bcrypt.genSalt(10);
-    return await bcrypt.hash(password, salt);
-}
-export async function comparePassword(password, hash) {
-    return await bcrypt.compare(password, hash);
-}