@stackframe/stack-shared 2.6.30 → 2.6.32

package/CHANGELOG.md

@@ -1,5 +1,19 @@
 # @stackframe/stack-shared
 
+## 2.6.32
+
+### Patch Changes
+
+- Bugfixes
+  - @stackframe/stack-sc@2.6.32
+
+## 2.6.31
+
+### Patch Changes
+
+- Bugfixes
+  - @stackframe/stack-sc@2.6.31
+
 ## 2.6.30
 
 ### Patch Changes

package/dist/interface/adminInterface.js

@@ -30,7 +30,7 @@ export class StackAdminInterface extends StackServerInterface {
         return await response.json();
     }
     async createApiKey(options) {
-        const response = await this.sendServerRequest("/internal/api-keys", {
+        const response = await this.sendAdminRequest("/internal/api-keys", {
             method: "POST",
             headers: {
                 "content-type": "application/json",

package/dist/interface/clientInterface.d.ts

@@ -33,6 +33,7 @@ export declare class StackClientInterface {
         prodDashboard: string;
         prodBackend: string;
     }>;
+    protected _createNetworkError(cause: Error, session?: InternalSession | null, requestType?: "client" | "server" | "admin"): Promise<Error>;
     protected _networkRetry<T>(cb: () => Promise<Result<T, any>>, session?: InternalSession | null, requestType?: "client" | "server" | "admin"): Promise<T>;
     protected _networkRetryException<T>(cb: () => Promise<T>, session?: InternalSession | null, requestType?: "client" | "server" | "admin"): Promise<T>;
     fetchNewAccessToken(refreshToken: RefreshToken): Promise<AccessToken | null>;
@@ -186,6 +187,7 @@ export declare class StackClientInterface {
     createProject(project: InternalProjectsCrud['Client']['Create'], session: InternalSession): Promise<InternalProjectsCrud['Client']['Read']>;
     createProviderAccessToken(provider: string, scope: string, session: InternalSession): Promise<ConnectedAccountAccessTokenCrud['Client']['Read']>;
     createClientTeam(data: TeamsCrud['Client']['Create'], session: InternalSession): Promise<TeamsCrud['Client']['Read']>;
+    deleteTeam(teamId: string, session: InternalSession): Promise<void>;
     deleteCurrentUser(session: InternalSession): Promise<void>;
     createClientContactChannel(data: ContactChannelsCrud['Client']['Create'], session: InternalSession): Promise<ContactChannelsCrud['Client']['Read']>;
     updateClientContactChannel(id: string, data: ContactChannelsCrud['Client']['Update'], session: InternalSession): Promise<ContactChannelsCrud['Client']['Read']>;

package/dist/interface/clientInterface.js

@@ -5,7 +5,9 @@ import { AccessToken, InternalSession } from '../sessions';
 import { generateSecureRandomString } from '../utils/crypto';
 import { StackAssertionError, throwErr } from '../utils/errors';
 import { globalVar } from '../utils/globals';
+import { HTTP_METHODS } from '../utils/http';
 import { filterUndefined } from '../utils/objects';
+import { wait } from '../utils/promises';
 import { Result } from "../utils/results";
 import { deindent } from '../utils/strings';
 export class StackClientInterface {
@@ -68,6 +70,17 @@ export class StackClientInterface {
             prodBackend,
         };
     }
+    async _createNetworkError(cause, session, requestType) {
+        return new Error(deindent `
+      Stack Auth is unable to connect to the server. Please check your internet connection and try again.
+      
+      If the problem persists, please contact support and provide a screenshot of your entire browser console.
+
+      ${cause}
+      
+      ${JSON.stringify(await this.runNetworkDiagnostics(session, requestType), null, 2)}
+    `, { cause: cause });
+    }
     async _networkRetry(cb, session, requestType) {
         const retriedResult = await Result.retry(cb, 5, { exponentialDelayBase: 1000 });
         // try to diagnose the error for the user
@@ -75,15 +88,7 @@ export class StackClientInterface {
             if (globalVar.navigator && !globalVar.navigator.onLine) {
                 throw new Error("Failed to send Stack network request. It seems like you are offline. (window.navigator.onLine is falsy)", { cause: retriedResult.error });
             }
-            throw new Error(deindent `
-        Stack Auth is unable to connect to the server. Please check your internet connection and try again.
-        
-        If the problem persists, please contact support and provide a screenshot of your entire browser console.
-
-        ${retriedResult.error}
-        
-        ${JSON.stringify(await this.runNetworkDiagnostics(session, requestType), null, 2)}
-      `, { cause: retriedResult.error });
+            throw this._createNetworkError(retriedResult.error, session, requestType);
         }
         return retriedResult.data;
     }
@@ -220,8 +225,13 @@ export class StackClientInterface {
         }
         catch (e) {
             if (e instanceof TypeError) {
-                // Network error, retry
-                return Result.error(e);
+                // Likely to be a network error. Retry if the request is idempotent, throw network error otherwise.
+                if (HTTP_METHODS[(params.method ?? "GET")].idempotent) {
+                    return Result.error(e);
+                }
+                else {
+                    throw this._createNetworkError(e, session, requestType);
+                }
             }
             throw e;
         }
@@ -254,10 +264,25 @@ export class StackClientInterface {
         if (res.ok) {
             return Result.ok(res);
         }
+        else if (res.status === 429) {
+            // Rate limited, so retry if we can
+            const retryAfter = res.headers.get("Retry-After");
+            if (retryAfter !== null) {
+                await wait(Number(retryAfter) * 1000);
+                return Result.error(new Error(`Rate limited, retrying after ${retryAfter} seconds`));
+            }
+            return Result.error(new Error("Rate limited, no retry-after header received"));
+        }
         else {
             const error = await res.text();
+            const errorObj = new StackAssertionError(`Failed to send request to ${url}: ${res.status} ${error}`, { request: params, res });
+            if (res.status === 508 && error.includes("INFINITE_LOOP_DETECTED")) {
+                // Some Vercel deployments seem to have an odd infinite loop bug. In that case, retry.
+                // See: https://github.com/stack-auth/stack/issues/319
+                return Result.error(errorObj);
+            }
             // Do not retry, throw error instead of returning one
-            throw new StackAssertionError(`Failed to send request to ${url}: ${res.status} ${error}`, { request: params, res });
+            throw errorObj;
         }
     }
     async _processResponse(rawRes) {
@@ -812,6 +837,11 @@ export class StackClientInterface {
         }, session);
         return await response.json();
     }
+    async deleteTeam(teamId, session) {
+        await this.sendClientRequest(`/teams/${teamId}`, {
+            method: "DELETE",
+        }, session);
+    }
     async deleteCurrentUser(session) {
         await this.sendClientRequest("/users/me", {
             method: "DELETE",

package/dist/schema-fields.d.ts

@@ -20,6 +20,7 @@ export declare function yupMixed<A extends {}>(...args: Parameters<typeof yup.mi
 export declare function yupArray<A extends yup.Maybe<yup.AnyObject> = yup.AnyObject, B = any>(...args: Parameters<typeof yup.array<A, B>>): yup.ArraySchema<B[] | undefined, A, undefined, "">;
 export declare function yupTuple<T extends [unknown, ...unknown[]]>(...args: Parameters<typeof yup.tuple<T>>): yup.TupleSchema<T | undefined, yup.AnyObject, undefined, "">;
 export declare function yupObject<A extends yup.Maybe<yup.AnyObject>, B extends yup.ObjectShape>(...args: Parameters<typeof yup.object<A, B>>): yup.ObjectSchema<yup.TypeFromShape<B, yup.AnyObject> extends infer T ? T extends yup.TypeFromShape<B, yup.AnyObject> ? T extends {} ? { [k in keyof T]: T[k]; } : T : never : never, yup.AnyObject, yup.DefaultFromShape<B> extends infer T_1 ? T_1 extends yup.DefaultFromShape<B> ? T_1 extends {} ? { [k_1 in keyof T_1]: T_1[k_1]; } : T_1 : never : never, "">;
+export declare function yupNever(): yup.MixedSchema<never>;
 export declare function yupUnion<T extends yup.ISchema<any>[]>(...args: T): yup.MixedSchema<yup.InferType<T[number]>>;
 export declare const adaptSchema: yup.MixedSchema<typeof StackAdaptSentinel | undefined, yup.AnyObject, undefined, "">;
 /**

package/dist/schema-fields.js

@@ -123,6 +123,9 @@ export function yupObject(...args) {
     // we don't want to update the type of `object` to have a default flag
     return object.default(undefined);
 }
+export function yupNever() {
+    return yupMixed().test('never', 'This value should never be reached', () => false);
+}
 export function yupUnion(...args) {
     if (args.length === 0)
         throw new Error('yupUnion must have at least one schema');
@@ -171,7 +174,7 @@ export const urlSchema = yupString().test({
     },
 });
 export const jsonSchema = yupMixed().nullable().defined().transform((value) => JSON.parse(JSON.stringify(value)));
-export const jsonStringSchema = yupString().test("json", "Invalid JSON format", (value) => {
+export const jsonStringSchema = yupString().test("json", (params) => `${params.path} is not valid JSON`, (value) => {
     if (value == null)
         return true;
     try {
@@ -182,7 +185,7 @@ export const jsonStringSchema = yupString().test("json", "Invalid JSON format",
         return false;
     }
 });
-export const jsonStringOrEmptySchema = yupString().test("json", "Invalid JSON format", (value) => {
+export const jsonStringOrEmptySchema = yupString().test("json", (params) => `${params.path} is not valid JSON`, (value) => {
     if (!value)
         return true;
     try {
@@ -193,7 +196,7 @@ export const jsonStringOrEmptySchema = yupString().test("json", "Invalid JSON fo
         return false;
     }
 });
-export const base64Schema = yupString().test("is-base64", "Invalid base64 format", (value) => {
+export const base64Schema = yupString().test("is-base64", (params) => `${params.path} is not valid base64`, (value) => {
     if (value == null)
         return true;
     return isBase64(value);

package/dist/utils/bytes.d.ts

@@ -4,6 +4,7 @@ export declare function encodeBase64(input: Uint8Array): string;
 export declare function decodeBase64(input: string): Uint8Array;
 export declare function encodeBase64Url(input: Uint8Array): string;
 export declare function decodeBase64Url(input: string): Uint8Array;
+export declare function decodeBase64OrBase64Url(input: string): Uint8Array;
 export declare function isBase32(input: string): boolean;
 export declare function isBase64(input: string): boolean;
 export declare function isBase64Url(input: string): boolean;

package/dist/utils/bytes.js

@@ -82,6 +82,17 @@ export function decodeBase64Url(input) {
     }
     return decodeBase64(input.replace(/-/g, "+").replace(/_/g, "/") + "====".slice((input.length - 1) % 4 + 1));
 }
+export function decodeBase64OrBase64Url(input) {
+    if (isBase64Url(input)) {
+        return decodeBase64Url(input);
+    }
+    else if (isBase64(input)) {
+        return decodeBase64(input);
+    }
+    else {
+        throw new StackAssertionError("Invalid base64 or base64url string");
+    }
+}
 export function isBase32(input) {
     for (const char of input) {
         if (char === " ")

package/dist/utils/env.js

@@ -3,6 +3,10 @@ import { deindent } from "./strings";
 export function isBrowserLike() {
     return typeof window !== "undefined" && typeof document !== "undefined" && typeof document.createElement !== "undefined";
 }
+// newName: oldName
+const ENV_VAR_RENAME = {
+    NEXT_PUBLIC_STACK_API_URL: ['STACK_BASE_URL', 'NEXT_PUBLIC_STACK_URL'],
+};
 /**
  * Returns the environment variable with the given name, returning the default (if given) or throwing an error (otherwise) if it's undefined or the empty string.
  */
@@ -21,7 +25,30 @@ export function getEnvVariable(name, defaultValue) {
       Use getNextRuntime() instead.
     `);
     }
-    return ((process.env[name] || defaultValue) ?? throwErr(`Missing environment variable: ${name}`)) || (defaultValue ?? throwErr(`Empty environment variable: ${name}`));
+    // throw error if the old name is used as the retrieve key
+    for (const [newName, oldNames] of Object.entries(ENV_VAR_RENAME)) {
+        if (oldNames.includes(name)) {
+            throwErr(`Environment variable ${name} has been renamed to ${newName}. Please update your configuration to use the new name.`);
+        }
+    }
+    let value = process.env[name];
+    // check the key under the old name if the new name is not found
+    if (!value && ENV_VAR_RENAME[name]) {
+        for (const oldName of ENV_VAR_RENAME[name]) {
+            value = process.env[oldName];
+            if (value)
+                break;
+        }
+    }
+    if (value === undefined) {
+        if (defaultValue !== undefined) {
+            value = defaultValue;
+        }
+        else {
+            throwErr(`Missing environment variable: ${name}`);
+        }
+    }
+    return value;
 }
 export function getNextRuntime() {
     // This variable is compiled into the client bundle, so we can't use getEnvVariable here.

package/dist/utils/hashes.d.ts

@@ -1,3 +1,4 @@
+export declare function sha512(input: Uint8Array | string): Promise<string>;
 export declare function hashPassword(password: string): Promise<string>;
 export declare function comparePassword(password: string, hash: string): Promise<boolean>;
 export declare function isPasswordHashValid(hash: string): Promise<boolean>;

package/dist/utils/hashes.js

@@ -1,5 +1,11 @@
 import bcrypt from 'bcrypt';
 import { StackAssertionError } from './errors';
+export async function sha512(input) {
+    const bytes = typeof input === "string" ? new TextEncoder().encode(input) : input;
+    return await crypto.subtle.digest("SHA-512", bytes).then(buf => {
+        return Array.prototype.map.call(new Uint8Array(buf), x => (('00' + x.toString(16)).slice(-2))).join('');
+    });
+}
 export async function hashPassword(password) {
     const passwordBytes = new TextEncoder().encode(password);
     if (passwordBytes.length >= 72) {

package/dist/utils/http.d.ts

@@ -1,2 +1,39 @@
-export declare const HTTP_METHODS: readonly ["GET", "POST", "PUT", "DELETE", "PATCH", "OPTIONS", "HEAD", "TRACE", "CONNECT"];
-export type HttpMethod = typeof HTTP_METHODS[number];
+export declare const HTTP_METHODS: {
+    readonly GET: {
+        readonly safe: true;
+        readonly idempotent: true;
+    };
+    readonly POST: {
+        readonly safe: false;
+        readonly idempotent: false;
+    };
+    readonly PUT: {
+        readonly safe: false;
+        readonly idempotent: true;
+    };
+    readonly DELETE: {
+        readonly safe: false;
+        readonly idempotent: true;
+    };
+    readonly PATCH: {
+        readonly safe: false;
+        readonly idempotent: false;
+    };
+    readonly OPTIONS: {
+        readonly safe: true;
+        readonly idempotent: true;
+    };
+    readonly HEAD: {
+        readonly safe: true;
+        readonly idempotent: true;
+    };
+    readonly TRACE: {
+        readonly safe: true;
+        readonly idempotent: true;
+    };
+    readonly CONNECT: {
+        readonly safe: false;
+        readonly idempotent: false;
+    };
+};
+export type HttpMethod = keyof typeof HTTP_METHODS;

package/dist/utils/http.js

@@ -1 +1,38 @@
-export const HTTP_METHODS = ["GET", "POST", "PUT", "DELETE", "PATCH", "OPTIONS", "HEAD", "TRACE", "CONNECT"];
+export const HTTP_METHODS = {
+    "GET": {
+        safe: true,
+        idempotent: true,
+    },
+    "POST": {
+        safe: false,
+        idempotent: false,
+    },
+    "PUT": {
+        safe: false,
+        idempotent: true,
+    },
+    "DELETE": {
+        safe: false,
+        idempotent: true,
+    },
+    "PATCH": {
+        safe: false,
+        idempotent: false,
+    },
+    "OPTIONS": {
+        safe: true,
+        idempotent: true,
+    },
+    "HEAD": {
+        safe: true,
+        idempotent: true,
+    },
+    "TRACE": {
+        safe: true,
+        idempotent: true,
+    },
+    "CONNECT": {
+        safe: false,
+        idempotent: false,
+    },
+};

package/dist/utils/jwt.d.ts

@@ -11,21 +11,26 @@ export declare function verifyJWT(options: {
     issuer: string;
     jwt: string;
 }): Promise<jose.JWTPayload>;
-export declare function getPrivateJwk(secret: string): Promise<{
-    kty: string;
-    crv: string;
+export type PrivateJwk = {
+    kty: "EC";
+    alg: "ES256";
+    crv: "P-256";
+    kid: string;
     d: string;
     x: string;
     y: string;
-}>;
-export declare function getPublicJwkSet(secret: string): Promise<{
-    keys: {
-        kid: string;
-        x: string;
-        kty: string;
-        crv: string;
-        y: string;
-    }[];
+};
+export declare function getPrivateJwk(secret: string): Promise<PrivateJwk>;
+export type PublicJwk = {
+    kty: "EC";
+    alg: "ES256";
+    crv: "P-256";
+    kid: string;
+    x: string;
+    y: string;
+};
+export declare function getPublicJwkSet(secretOrPrivateJwk: string | PrivateJwk): Promise<{
+    keys: PublicJwk[];
 }>;
 export declare function getPerAudienceSecret(options: {
     audience: string;

package/dist/utils/jwt.js

@@ -1,12 +1,11 @@
+import crypto from "crypto";
 import elliptic from "elliptic";
 import * as jose from "jose";
+import { JOSEError } from "jose/errors";
 import { encodeBase64Url } from "./bytes";
-import { getEnvVariable } from "./env";
 import { globalVar } from "./globals";
 import { pick } from "./objects";
-import crypto from "crypto";
-import { JOSEError } from "jose/errors";
-const STACK_SERVER_SECRET = getEnvVariable("STACK_SERVER_SECRET");
+const STACK_SERVER_SECRET = process.env.STACK_SERVER_SECRET ?? "";
 try {
     jose.base64url.decode(STACK_SERVER_SECRET);
 }
@@ -60,21 +59,25 @@ export async function getPrivateJwk(secret) {
     return {
         kty: 'EC',
         crv: 'P-256',
+        alg: 'ES256',
+        kid: getKid({ secret }),
         d: encodeBase64Url(priv),
         x: encodeBase64Url(publicKey.getX().toBuffer()),
         y: encodeBase64Url(publicKey.getY().toBuffer()),
     };
 }
-export async function getPublicJwkSet(secret) {
-    const privateJwk = await getPrivateJwk(secret);
-    const jwk = pick(privateJwk, ["kty", "crv", "x", "y"]);
+export async function getPublicJwkSet(secretOrPrivateJwk) {
+    const privateJwk = typeof secretOrPrivateJwk === "string" ? await getPrivateJwk(secretOrPrivateJwk) : secretOrPrivateJwk;
+    const jwk = pick(privateJwk, ["kty", "alg", "crv", "x", "y", "kid"]);
     return {
-        keys: [{ ...jwk, kid: getKid({ secret }) }],
+        keys: [jwk],
     };
 }
 export function getPerAudienceSecret(options) {
     return jose.base64url.encode(crypto
         .createHash('sha256')
+        // TODO we should prefix a string like "stack-audience-secret" before we hash so you can't use `getKid(...)` to get the secret for eg. the "kid" audience if the same secret value is used
+        // Sadly doing this modification is a bit annoying as we need to leave the old keys to be valid for a little longer
         .update(JSON.stringify([options.secret, options.audience]))
         .digest());
 }
@@ -82,6 +85,6 @@ export function getPerAudienceSecret(options) {
 export function getKid(options) {
     return jose.base64url.encode(crypto
         .createHash('sha256')
-        .update(JSON.stringify([options.secret, "kid"]))
+        .update(JSON.stringify([options.secret, "kid"])) // TODO see above in getPerAudienceSecret
         .digest()).slice(0, 12);
 }

package/dist/utils/node-http.d.ts

@@ -0,0 +1,15 @@
+/// <reference types="node" />
+/// <reference types="node" />
+import { IncomingMessage, ServerResponse } from "http";
+declare class ServerResponseWithBodyChunks extends ServerResponse {
+    bodyChunks: Uint8Array[];
+    _send(data: string, encoding: BufferEncoding, callback?: (() => void) | null, byteLength?: number): void;
+}
+export declare function createNodeHttpServerDuplex(options: {
+    method: string;
+    originalUrl?: URL;
+    url: URL;
+    headers: Headers;
+    body: Uint8Array;
+}): Promise<[IncomingMessage, ServerResponseWithBodyChunks]>;
+export {};

package/dist/utils/node-http.js

@@ -0,0 +1,38 @@
+import { IncomingMessage, ServerResponse } from "http";
+import { getRelativePart } from "./urls";
+class ServerResponseWithBodyChunks extends ServerResponse {
+    constructor() {
+        super(...arguments);
+        this.bodyChunks = [];
+    }
+    // note: we actually override this, even though it's private in the parent
+    _send(data, encoding, callback, byteLength) {
+        if (typeof encoding === "function") {
+            callback = encoding;
+            encoding = "utf-8";
+        }
+        const encodedBuffer = new Uint8Array(Buffer.from(data, encoding));
+        this.bodyChunks.push(encodedBuffer);
+        callback?.();
+    }
+}
+export async function createNodeHttpServerDuplex(options) {
+    // See https://github.com/nodejs/node/blob/main/lib/_http_incoming.js
+    // and https://github.com/nodejs/node/blob/main/lib/_http_common.js (particularly the `parserXyz` functions)
+    const incomingMessage = new IncomingMessage({
+        encrypted: options.originalUrl?.protocol === "https:", // trick frameworks into believing this is an HTTPS request
+    });
+    incomingMessage.httpVersionMajor = 1;
+    incomingMessage.httpVersionMinor = 1;
+    incomingMessage.httpVersion = '1.1';
+    incomingMessage.method = options.method;
+    incomingMessage.url = getRelativePart(options.url);
+    incomingMessage.originalUrl = options.originalUrl && getRelativePart(options.originalUrl); // originalUrl is an extension used by some servers; for example, oidc-provider reads it to construct the paths for the .well-known/openid-configuration
+    const rawHeaders = [...options.headers.entries()].flat();
+    incomingMessage._addHeaderLines(rawHeaders, rawHeaders.length);
+    incomingMessage.push(Buffer.from(options.body));
+    incomingMessage.complete = true;
+    incomingMessage.push(null); // to emit end event, see: https://github.com/nodejs/node/blob/4cf6fabce20eb3050c5b543d249e931ea3d3cad5/lib/_http_common.js#L150
+    const serverResponse = new ServerResponseWithBodyChunks(incomingMessage);
+    return [incomingMessage, serverResponse];
+}

package/dist/utils/strings.js

@@ -210,6 +210,9 @@ export function nicify(value, options = {}) {
             if (value instanceof URL) {
                 return `URL(${JSON.stringify(value.toString())})`;
             }
+            if (ArrayBuffer.isView(value)) {
+                return `${value.constructor.name}([${value.toString()}])`;
+            }
             const constructorName = [null, Object.prototype].includes(Object.getPrototypeOf(value)) ? null : (nicifiableClassNameOverrides.get(value.constructor) ?? value.constructor.name);
             const constructorString = constructorName ? `${nicifyPropertyString(constructorName)} ` : "";
             const entries = getNicifiableEntries(value).filter(([k]) => !hideFields.includes(k));

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@stackframe/stack-shared",
-  "version": "2.6.30",
+  "version": "2.6.32",
   "main": "./dist/index.js",
   "types": "./dist/index.d.ts",
   "files": [
@@ -50,7 +50,7 @@
     "oauth4webapi": "^2.10.3",
     "semver": "^7.6.3",
     "uuid": "^9.0.1",
-    "@stackframe/stack-sc": "2.6.30"
+    "@stackframe/stack-sc": "2.6.32"
   },
   "devDependencies": {
     "@simplewebauthn/types": "^11.0.0",