@stackframe/stack-shared 2.6.34 → 2.6.36

package/CHANGELOG.md

@@ -1,5 +1,19 @@
 # @stackframe/stack-shared
 
+## 2.6.36
+
+### Patch Changes
+
+- Various updates
+  - @stackframe/stack-sc@2.6.36
+
+## 2.6.35
+
+### Patch Changes
+
+- Bugfixes
+  - @stackframe/stack-sc@2.6.35
+
 ## 2.6.34
 
 ### Patch Changes

package/dist/helpers/production-mode.js

@@ -1,4 +1,4 @@
-import { StackAssertionError } from "../utils/errors";
+import { StackAssertionError, captureError } from "../utils/errors";
 import { isLocalhost } from "../utils/urls";
 export function getProductionModeErrors(project) {
     const errors = [];
@@ -15,10 +15,15 @@ export function getProductionModeErrors(project) {
             url = new URL(domain);
         }
         catch (e) {
-            throw new StackAssertionError("Domain was somehow not a valid URL; we should've caught this when setting the domain in the first place", {
+            captureError("production-mode-domain-not-valid", new StackAssertionError("Domain was somehow not a valid URL; we should've caught this when setting the domain in the first place", {
                 domain,
                 projectId: project
+            }));
+            errors.push({
+                message: "Trusted domain is not a valid URL: " + domain,
+                relativeFixUrl: domainsFixUrl,
             });
+            continue;
         }
         if (isLocalhost(url)) {
             errors.push({

package/dist/interface/clientInterface.js

@@ -230,7 +230,7 @@ export class StackClientInterface {
                     return Result.error(e);
                 }
                 else {
-                    throw this._createNetworkError(e, session, requestType);
+                    throw await this._createNetworkError(e, session, requestType);
                 }
             }
             throw e;

package/dist/known-errors.js

@@ -149,7 +149,7 @@ const AccessTypeWithoutProjectId = createKnownErrorConstructor(InvalidProjectAut
     deindent `
       The x-stack-access-type header was '${accessType}', but the x-stack-project-id header was not provided.
       
-      For more information, see the docs on REST API authentication: https://docs.stack-auth.com/rest-api/auth#authentication
+      For more information, see the docs on REST API authentication: https://docs.stack-auth.com/rest-api/overview#authentication
     `,
     {
         request_type: accessType,
@@ -160,7 +160,7 @@ const AccessTypeRequired = createKnownErrorConstructor(InvalidProjectAuthenticat
     deindent `
       You must specify an access level for this Stack project. Make sure project API keys are provided (eg. x-stack-publishable-client-key) and you set the x-stack-access-type header to 'client', 'server', or 'admin'.
       
-      For more information, see the docs on REST API authentication: https://docs.stack-auth.com/rest-api/auth#authentication
+      For more information, see the docs on REST API authentication: https://docs.stack-auth.com/rest-api/overview#authentication
     `,
 ], () => []);
 const InsufficientAccessType = createKnownErrorConstructor(InvalidProjectAuthentication, "INSUFFICIENT_ACCESS_TYPE", (actualAccessType, allowedAccessTypes) => [

package/dist/schema-fields.d.ts

@@ -33,16 +33,17 @@ export declare const jsonStringOrEmptySchema: yup.StringSchema<string | undefine
 export declare const base64Schema: yup.StringSchema<string | undefined, yup.AnyObject, undefined, "">;
 export declare const passwordSchema: yup.StringSchema<string | undefined, yup.AnyObject, undefined, "">;
 /**
- * A stricter email schema that does some additional checks for UX input.
+ * A stricter email schema that does some additional checks for UX input. (Some emails are allowed by the spec, for
+ * example `test@localhost` or `abc@gmail`, but almost certainly a user input error.)
  *
  * Note that some users in the DB have an email that doesn't match this regex, so most of the time you should use
  * `emailSchema` instead until we do the DB migration.
  */
 export declare const strictEmailSchema: (message: string | undefined) => yup.StringSchema<string | undefined, yup.AnyObject, undefined, "">;
 export declare const emailSchema: yup.StringSchema<string | undefined, yup.AnyObject, undefined, "">;
-export declare const clientOrHigherAuthTypeSchema: yup.StringSchema<"client" | "server" | "admin" | undefined, yup.AnyObject, undefined, "">;
-export declare const serverOrHigherAuthTypeSchema: yup.StringSchema<"server" | "admin" | undefined, yup.AnyObject, undefined, "">;
-export declare const adminAuthTypeSchema: yup.StringSchema<"admin" | undefined, yup.AnyObject, undefined, "">;
+export declare const clientOrHigherAuthTypeSchema: yup.StringSchema<"client" | "server" | "admin", yup.AnyObject, undefined, "">;
+export declare const serverOrHigherAuthTypeSchema: yup.StringSchema<"server" | "admin", yup.AnyObject, undefined, "">;
+export declare const adminAuthTypeSchema: yup.StringSchema<"admin", yup.AnyObject, undefined, "">;
 export declare const projectIdSchema: yup.StringSchema<string | undefined, yup.AnyObject, undefined, "">;
 export declare const projectDisplayNameSchema: yup.StringSchema<string | undefined, yup.AnyObject, undefined, "">;
 export declare const projectDescriptionSchema: yup.StringSchema<string | null | undefined, yup.AnyObject, undefined, "">;

package/dist/schema-fields.js

@@ -195,19 +195,20 @@ export const base64Schema = yupString().test("is-base64", (params) => `${params.
 });
 export const passwordSchema = yupString().max(70);
 /**
- * A stricter email schema that does some additional checks for UX input.
+ * A stricter email schema that does some additional checks for UX input. (Some emails are allowed by the spec, for
+ * example `test@localhost` or `abc@gmail`, but almost certainly a user input error.)
  *
  * Note that some users in the DB have an email that doesn't match this regex, so most of the time you should use
  * `emailSchema` instead until we do the DB migration.
  */
 // eslint-disable-next-line no-restricted-syntax
-export const strictEmailSchema = (message) => yupString().email(message).matches(/^.*@.*\..*$/, message);
+export const strictEmailSchema = (message) => yupString().email(message).matches(/^.*@.*\.[^.][^.]+$/, message);
 // eslint-disable-next-line no-restricted-syntax
 export const emailSchema = yupString().email();
 // Request auth
-export const clientOrHigherAuthTypeSchema = yupString().oneOf(['client', 'server', 'admin']);
-export const serverOrHigherAuthTypeSchema = yupString().oneOf(['server', 'admin']);
-export const adminAuthTypeSchema = yupString().oneOf(['admin']);
+export const clientOrHigherAuthTypeSchema = yupString().oneOf(['client', 'server', 'admin']).defined();
+export const serverOrHigherAuthTypeSchema = yupString().oneOf(['server', 'admin']).defined();
+export const adminAuthTypeSchema = yupString().oneOf(['admin']).defined();
 // Projects
 export const projectIdSchema = yupString().test((v) => v === undefined || v === "internal" || isUuid(v)).meta({ openapiField: { description: _idDescription('project'), exampleValue: 'e0b52f4d-dece-408c-af49-d23061bb0f8d' } });
 export const projectDisplayNameSchema = yupString().meta({ openapiField: { description: _displayNameDescription('project'), exampleValue: 'MyMusic' } });

package/dist/sessions.d.ts

@@ -27,9 +27,12 @@ export declare class InternalSession {
     private _accessToken;
     private readonly _refreshToken;
     /**
-     * Whether the session as a whole is known to be invalid. Used as a cache to avoid making multiple requests to the server (sessions never go back to being valid after being invalidated).
+     * Whether the session as a whole is known to be invalid (ie. both access and refresh tokens are invalid). Used as a cache to avoid making multiple requests to the server (sessions never go back to being valid after being invalidated).
      *
-     * Applies to both the access token and the refresh token (it is possible for the access token to be invalid but the refresh token to be valid, in which case the session is still valid).
+     * It is possible for the access token to be invalid but the refresh token to be valid, in which case the session is
+     * still valid (just needs a refresh). It is also possible for the access token to be valid but the refresh token to
+     * be invalid, in which case the session is also valid (eg. if the refresh token is null because the user only passed
+     * in an access token, eg. in a server-side request handler).
      */
     private _knownToBeInvalid;
     private _refreshPromise;

package/dist/sessions.js

@@ -25,14 +25,21 @@ export class InternalSession {
     constructor(_options) {
         this._options = _options;
         /**
-         * Whether the session as a whole is known to be invalid. Used as a cache to avoid making multiple requests to the server (sessions never go back to being valid after being invalidated).
+         * Whether the session as a whole is known to be invalid (ie. both access and refresh tokens are invalid). Used as a cache to avoid making multiple requests to the server (sessions never go back to being valid after being invalidated).
          *
-         * Applies to both the access token and the refresh token (it is possible for the access token to be invalid but the refresh token to be valid, in which case the session is still valid).
+         * It is possible for the access token to be invalid but the refresh token to be valid, in which case the session is
+         * still valid (just needs a refresh). It is also possible for the access token to be valid but the refresh token to
+         * be invalid, in which case the session is also valid (eg. if the refresh token is null because the user only passed
+         * in an access token, eg. in a server-side request handler).
          */
         this._knownToBeInvalid = new Store(false);
         this._refreshPromise = null;
         this._accessToken = new Store(_options.accessToken ? new AccessToken(_options.accessToken) : null);
         this._refreshToken = _options.refreshToken ? new RefreshToken(_options.refreshToken) : null;
+        if (_options.accessToken === null && _options.refreshToken === null) {
+            // this session is already invalid
+            this._knownToBeInvalid.set(true);
+        }
         this.sessionKey = InternalSession.calculateSessionKey({ accessToken: _options.accessToken ?? null, refreshToken: _options.refreshToken });
     }
     static calculateSessionKey(ofTokens) {

package/dist/utils/browser-compat.d.ts

@@ -0,0 +1,6 @@
+export declare function getBrowserCompatibilityReport(): {
+    optionalChaining: string | boolean;
+    nullishCoalescing: string | boolean;
+    weakRef: string | boolean;
+    cryptoUuid: string | boolean;
+};

package/dist/utils/browser-compat.js

@@ -0,0 +1,17 @@
+export function getBrowserCompatibilityReport() {
+    const test = (snippet) => {
+        try {
+            (0, eval)(snippet);
+            return true;
+        }
+        catch (e) {
+            return `FAILED: ${e}`;
+        }
+    };
+    return {
+        optionalChaining: test("({})?.b?.c"),
+        nullishCoalescing: test("0 ?? 1"),
+        weakRef: test("new WeakRef({})"),
+        cryptoUuid: test("crypto.randomUUID()"),
+    };
+}

package/dist/utils/errors.d.ts

@@ -3,11 +3,11 @@ export declare function throwErr(errorMessage: string, extraData?: any): never;
 export declare function throwErr(error: Error): never;
 export declare function throwErr(...args: StatusErrorConstructorParameters): never;
 /**
- * Concatenates the stacktraces of the given errors onto the first.
+ * Concatenates the (original) stacktraces of the given errors onto the first.
  *
  * Useful when you invoke an async function to receive a promise without awaiting it immediately. Browsers are smart
  * enough to keep track of the call stack in async function calls when you invoke `.then` within the same async tick,
- * but if you don't,
+ * but if you don't, the stacktrace will be lost.
  *
  * Here's an example of the unwanted behavior:
  *
@@ -24,16 +24,10 @@ export declare function throwErr(...args: StatusErrorConstructorParameters): nev
  * ```
  */
 export declare function concatStacktraces(first: Error, ...errors: Error[]): void;
-export declare class StackAssertionError extends Error implements ErrorWithCustomCapture {
-    readonly extraData?: Record<string, any> | undefined;
-    constructor(message: string, extraData?: Record<string, any> | undefined, options?: ErrorOptions);
-    customCaptureExtraArgs: {
-        cause?: {} | undefined;
-    }[];
+export declare class StackAssertionError extends Error {
+    readonly extraData?: (Record<string, any> & ErrorOptions) | undefined;
+    constructor(message: string, extraData?: (Record<string, any> & ErrorOptions) | undefined);
 }
-export type ErrorWithCustomCapture = {
-    customCaptureExtraArgs: any[];
-};
 export declare function registerErrorSink(sink: (location: string, error: unknown) => void): void;
 export declare function captureError(location: string, error: unknown): void;
 type Status = {

package/dist/utils/errors.js

@@ -1,4 +1,5 @@
 import { globalVar } from "./globals";
+import { pick } from "./objects";
 export function throwErr(...args) {
     if (typeof args[0] === "string") {
         throw new StackAssertionError(args[0], args[1]);
@@ -17,11 +18,11 @@ function removeStacktraceNameLine(stack) {
     return stack.split("\n").slice(addsNameLine ? 1 : 0).join("\n");
 }
 /**
- * Concatenates the stacktraces of the given errors onto the first.
+ * Concatenates the (original) stacktraces of the given errors onto the first.
  *
  * Useful when you invoke an async function to receive a promise without awaiting it immediately. Browsers are smart
  * enough to keep track of the call stack in async function calls when you invoke `.then` within the same async tick,
- * but if you don't,
+ * but if you don't, the stacktrace will be lost.
  *
  * Here's an example of the unwanted behavior:
  *
@@ -50,16 +51,16 @@ export function concatStacktraces(first, ...errors) {
     }
 }
 export class StackAssertionError extends Error {
-    constructor(message, extraData, options) {
+    constructor(message, extraData) {
         const disclaimer = `\n\nThis is likely an error in Stack. Please make sure you are running the newest version and report it.`;
-        super(`${message}${message.endsWith(disclaimer) ? "" : disclaimer}`, options);
+        super(`${message}${message.endsWith(disclaimer) ? "" : disclaimer}`, pick(extraData ?? {}, ["cause"]));
         this.extraData = extraData;
-        this.customCaptureExtraArgs = [
-            {
-                ...this.extraData,
-                ...this.cause ? { cause: this.cause } : {},
+        Object.defineProperty(this, "customCaptureExtraArgs", {
+            get() {
+                return [this.extraData];
             },
-        ];
+            enumerable: false,
+        });
     }
 }
 StackAssertionError.prototype.name = "StackAssertionError";
@@ -92,7 +93,7 @@ export class StatusError extends Error {
         this.name = "StatusError";
         this.statusCode = status;
         if (!message) {
-            throw new StackAssertionError("StatusError always requires a message unless a Status object is passed", {}, { cause: this });
+            throw new StackAssertionError("StatusError always requires a message unless a Status object is passed", { cause: this });
         }
     }
     isClientError() {

package/dist/utils/jwt.js

@@ -3,6 +3,7 @@ import elliptic from "elliptic";
 import * as jose from "jose";
 import { JOSEError } from "jose/errors";
 import { encodeBase64Url } from "./bytes";
+import { StackAssertionError } from "./errors";
 import { globalVar } from "./globals";
 import { pick } from "./objects";
 const STACK_SERVER_SECRET = process.env.STACK_SERVER_SECRET ?? "";
@@ -74,6 +75,9 @@ export async function getPublicJwkSet(secretOrPrivateJwk) {
     };
 }
 export function getPerAudienceSecret(options) {
+    if (options.audience === "kid") {
+        throw new StackAssertionError("You cannot use the 'kid' audience for a per-audience secret, see comment below in jwt.tsx");
+    }
     return jose.base64url.encode(crypto
         .createHash('sha256')
         // TODO we should prefix a string like "stack-audience-secret" before we hash so you can't use `getKid(...)` to get the secret for eg. the "kid" audience if the same secret value is used

package/dist/utils/results.d.ts

@@ -69,7 +69,7 @@ declare class RetryError extends AggregateError {
     constructor(errors: unknown[]);
     get retries(): number;
 }
-declare function retry<T>(fn: () => Result<T> | Promise<Result<T>>, retries: number, { exponentialDelayBase }: {
+declare function retry<T>(fn: (attempt: number) => Result<T> | Promise<Result<T>>, retries: number, { exponentialDelayBase }?: {
     exponentialDelayBase?: number | undefined;
 }): Promise<Result<T, RetryError>>;
 export {};

package/dist/utils/results.js

@@ -116,17 +116,17 @@ class RetryError extends AggregateError {
     }
 }
 RetryError.prototype.name = "RetryError";
-async function retry(fn, retries, { exponentialDelayBase = 2000 }) {
+async function retry(fn, retries, { exponentialDelayBase = 1000 } = {}) {
     const errors = [];
     for (let i = 0; i < retries; i++) {
-        const res = await fn();
+        const res = await fn(i);
         if (res.status === "ok") {
             return Result.ok(res.data);
         }
         else {
             errors.push(res.error);
             if (i < retries - 1) {
-                await wait(Math.random() * exponentialDelayBase * 2 ** i);
+                await wait((Math.random() + 0.5) * exponentialDelayBase * (2 ** i));
             }
         }
     }

package/dist/utils/sentry.d.ts

@@ -0,0 +1,2 @@
+import * as Sentry from "@sentry/nextjs";
+export declare const sentryBaseConfig: Sentry.BrowserOptions & Sentry.NodeOptions & Sentry.VercelEdgeOptions;

package/dist/utils/sentry.js

@@ -0,0 +1,15 @@
+export const sentryBaseConfig = {
+    ignoreErrors: [
+        // React throws these errors when used with some browser extensions (eg. Google Translate)
+        "NotFoundError: Failed to execute 'removeChild' on 'Node': The node to be removed is not a child of this node.",
+        "NotFoundError: Failed to execute 'insertBefore' on 'Node': The node before which the new node is to be inserted is not a child of this node.",
+    ],
+    normalizeDepth: 5,
+    maxValueLength: 5000,
+    // Adjust this value in production, or use tracesSampler for greater control
+    tracesSampleRate: 1.0,
+    // Setting this option to true will print useful information to the console while you're setting up Sentry.
+    debug: false,
+    replaysOnErrorSampleRate: 1.0,
+    replaysSessionSampleRate: 1.0,
+};

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@stackframe/stack-shared",
-  "version": "2.6.34",
+  "version": "2.6.36",
   "main": "./dist/index.js",
   "types": "./dist/index.d.ts",
   "files": [
@@ -50,7 +50,7 @@
     "oauth4webapi": "^2.10.3",
     "semver": "^7.6.3",
     "uuid": "^9.0.1",
-    "@stackframe/stack-sc": "2.6.34"
+    "@stackframe/stack-sc": "2.6.36"
   },
   "devDependencies": {
     "@simplewebauthn/types": "^11.0.0",
@@ -61,7 +61,8 @@
     "rimraf": "^5.0.5",
     "react": "^18.2",
     "react-dom": "^18.2",
-    "next": "^14.1.0"
+    "next": "^14.1.0",
+    "@sentry/nextjs": "^8.40.0"
   },
   "scripts": {
     "build": "tsc",