@stackframe/stack 2.4.20 → 2.4.22

package/dist/lib/stack-app.d.ts

@@ -1,5 +1,5 @@
 import { ServerUserJson, OAuthProviderConfigJson, KnownErrors } from '@stackframe/stack-shared';
-import { UserJson, UserUpdateJson, ProjectJson, ProductionModeError, TeamJson, EmailConfigJson, DomainConfigJson, ClientProjectJson } from '@stackframe/stack-shared/dist/interface/clientInterface';
+import { StandardProvider, UserJson, UserUpdateJson, ProjectJson, ProductionModeError, TeamJson, EmailConfigJson, DomainConfigJson, ClientProjectJson } from '@stackframe/stack-shared/dist/interface/clientInterface';
 import { ReadonlyJson } from '@stackframe/stack-shared/dist/utils/json';
 import { ProjectUpdateOptions, ApiKeySetCreateOptions } from '@stackframe/stack-shared/dist/interface/adminInterface';
 import { ServerUserUpdateJson, ServerTeamCustomizableJson, ServerPermissionDefinitionCustomizableJson, ServerPermissionDefinitionJson, EmailTemplateType } from '@stackframe/stack-shared/dist/interface/serverInterface';
@@ -30,6 +30,10 @@ type HandlerUrls = {
     oauthCallback: string;
     magicLinkCallback: string;
     accountSettings: string;
+    error: string;
+};
+type OAuthScopesOnSignIn = {
+    [key in StandardProvider]: string[];
 };
 type ProjectCurrentUser<ProjectId> = ProjectId extends "internal" ? CurrentInternalUser : CurrentUser;
 type StackClientAppConstructorOptions<HasTokenStore extends boolean, ProjectId extends string> = {
@@ -37,6 +41,7 @@ type StackClientAppConstructorOptions<HasTokenStore extends boolean, ProjectId e
     projectId?: ProjectId;
     publishableClientKey?: string;
     urls?: Partial<HandlerUrls>;
+    oauthScopesOnSignIn?: Partial<OAuthScopesOnSignIn>;
     tokenStore: TokenStoreInit<HasTokenStore>;
 };
 type StackServerAppConstructorOptions<HasTokenStore extends boolean, ProjectId extends string> = StackClientAppConstructorOptions<HasTokenStore, ProjectId> & {
@@ -67,6 +72,77 @@ type Auth<T, C> = {
     readonly _internalSession: InternalSession;
     readonly currentSession: Session;
     signOut(this: T): Promise<void>;
+    /**
+     * Returns headers for sending authenticated HTTP requests to external servers. Most commonly used in cross-origin
+     * requests. Similar to `getAuthJson`, but specifically for HTTP requests.
+     *
+     * If you are using `tokenStore: "cookie"`, you don't need this for same-origin requests. However, most
+     * browsers now disable third-party cookies by default, so we must pass authentication tokens by header instead
+     * if the client and server are on different hostnames.
+     *
+     * This function returns a header object that can be used with `fetch` or other HTTP request libraries to send
+     * authenticated requests.
+     *
+     * On the server, you can then pass in the `Request` object to the `tokenStore` option
+     * of your Stack app. Please note that CORS does not allow most headers by default, so you
+     * must include `x-stack-auth` in the [`Access-Control-Allow-Headers` header](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Headers)
+     * of the CORS preflight response.
+     *
+     * If you are not using HTTP (and hence cannot set headers), you will need to use the `getAuthJson()` function
+     * instead.
+     *
+     * Example:
+     *
+     * ```ts
+     * // client
+     * const res = await fetch("https://api.example.com", {
+     *   headers: {
+     *     ...await stackApp.getAuthHeaders()
+     *     // you can also add your own headers here
+     *   },
+     * });
+     *
+     * // server
+     * function handleRequest(req: Request) {
+     *   const user = await stackServerApp.getUser({ tokenStore: req });
+     *   return new Response("Welcome, " + user.displayName);
+     * }
+     * ```
+     */
+    getAuthHeaders(): Promise<{
+        "x-stack-auth": string;
+    }>;
+    /**
+     * Creates a JSON-serializable object containing the information to authenticate a user on an external server.
+     * Similar to `getAuthHeaders`, but returns an object that can be sent over any protocol instead of just
+     * HTTP headers.
+     *
+     * While `getAuthHeaders` is the recommended way to send authentication tokens over HTTP, your app may use
+     * a different protocol, for example WebSockets or gRPC. This function returns a token object that can be JSON-serialized and sent to the server in any way you like.
+     *
+     * On the server, you can pass in this token object into the `tokenStore` option to fetch user details.
+     *
+     * Example:
+     *
+     * ```ts
+     * // client
+     * const res = await rpcCall(rpcEndpoint, {
+     *   data: {
+     *     auth: await stackApp.getAuthJson(),
+     *   },
+     * });
+     *
+     * // server
+     * function handleRequest(data) {
+     *   const user = await stackServerApp.getUser({ tokenStore: data.auth });
+     *   return new Response("Welcome, " + user.displayName);
+     * }
+     * ```
+     */
+    getAuthJson(): Promise<{
+        accessToken: string | null;
+        refreshToken: string | null;
+    }>;
     update(this: T, user: C): Promise<void>;
     updateSelectedTeam(this: T, team: Team | null): Promise<void>;
     sendVerificationEmail(this: T): Promise<KnownErrors["EmailAlreadyVerified"] | void>;
@@ -104,6 +180,28 @@ type User = ({
     hasPermission(this: CurrentUser, scope: Team, permissionId: string): Promise<boolean>;
     getSelectedTeam(this: CurrentUser): Promise<Team | null>;
     useSelectedTeam(this: CurrentUser): Team | null;
+    getConnection(id: StandardProvider, options?: {
+        scopes?: string[];
+    }): Promise<OAuthConnection | null>;
+    getConnection(id: StandardProvider, options: {
+        or: 'redirect';
+        scopes?: string[];
+    }): Promise<OAuthConnection>;
+    getConnection(id: StandardProvider, options?: {
+        or?: 'redirect';
+        scopes?: string[];
+    }): Promise<OAuthConnection | null>;
+    useConnection(id: StandardProvider, options?: {
+        scopes?: string[];
+    }): OAuthConnection | null;
+    useConnection(id: StandardProvider, options: {
+        or: 'redirect';
+        scopes?: string[];
+    }): OAuthConnection;
+    useConnection(id: StandardProvider, options?: {
+        or?: 'redirect';
+        scopes?: string[];
+    }): OAuthConnection | null;
     toJson(this: CurrentUser): UserJson;
 } & AsyncStoreProperty<"team", [id: string], Team | null, false> & AsyncStoreProperty<"teams", [], Team[], true> & Omit<AsyncStoreProperty<"permission", [scope: Team, permissionId: string, options?: {
     direct?: boolean;
@@ -193,6 +291,17 @@ type ServerPermission = Permission & {
     readonly description?: string;
     readonly containPermissionIds: string[];
 };
+type Connection = {
+    id: string;
+};
+type OAuthConnection = Connection & {
+    getAccessToken(): Promise<{
+        accessToken: string;
+    }>;
+    useAccessToken(): {
+        accessToken: string;
+    };
+};
 type ApiKeySetBase = {
     id: string;
     description: string;
@@ -262,69 +371,6 @@ type StackClientApp<HasTokenStore extends boolean = boolean, ProjectId extends s
     verifyPasswordResetCode(code: string): Promise<KnownErrors["PasswordResetCodeError"] | void>;
     verifyEmail(code: string): Promise<KnownErrors["EmailVerificationError"] | void>;
     signInWithMagicLink(code: string): Promise<KnownErrors["MagicLinkError"] | void>;
-    /**
-     * With most browsers now disabling third-party cookies by default, the best way to send authenticated requests
-     * across different origins is to pass the tokens in a header.
-     *
-     * This function returns a header object that can be used with `fetch` or other HTTP request libraries to send
-     * authenticated requests.
-     *
-     * On the server, you can then pass in the `Request` object to the `tokenStore` option
-     * on your Stack app to fetch user details. Please note that CORS by default does not allow custom headers, so you
-     * must set the [`Access-Control-Allow-Headers` header](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Headers)
-     * to include `x-stack-auth` in the CORS preflight response.
-     *
-     * Example:
-     *
-     * ```ts
-     * // client
-     * const res = await fetch("https://api.example.com", {
-     *   headers: {
-     *     ...await stackApp.getCrossOriginHeaders()
-     *     // you can also add your own headers here
-     *   },
-     * });
-     *
-     * // server
-     * function handleRequest(req: Request) {
-     *   const user = await stackServerApp.getUser({ tokenStore: req });
-     *   return new Response("Welcome, " + user.displayName);
-     * }
-     * ```
-     */
-    getCrossOriginHeaders(): Promise<{
-        "x-stack-auth": string;
-    }>;
-    /**
-     * With most browsers now disabling third-party cookies by default, there need to be new ways to send authenticated
-     * requests across different origins. While `getCrossOriginHeaders` is the recommended way to do this, there
-     * are some cases where you might want to send the tokens differently, for example when you are using WebSockets
-     * or non-HTTP protocols.
-     *
-     * This function returns a token object that can be JSON-serialized and sent to the server in any way you like.
-     * There, you can use the `tokenStore` option on your Stack app to fetch user details.
-     *
-     * Example:
-     *
-     * ```ts
-     * // client
-     * const res = await rpcCall(rpcEndpoint, {
-     *   data: {
-     *     auth: await stackApp.getCrossOriginTokenObject(),
-     *   },
-     * });
-     *
-     * // server
-     * function handleRequest(data) {
-     *   const user = await stackServerApp.getUser({ tokenStore: data.auth });
-     *   return new Response("Welcome, " + user.displayName);
-     * }
-     * ```
-     */
-    getCrossOriginTokenObject(): Promise<{
-        accessToken: string | null;
-        refreshToken: string | null;
-    }>;
     [stackAppInternalsSymbol]: {
         toClientJson(): StackClientAppJson<HasTokenStore, ProjectId>;
         setCurrentUser(userJsonPromise: Promise<UserJson | null>): void;
@@ -376,4 +422,4 @@ type StackAdminApp<HasTokenStore extends boolean = boolean, ProjectId extends st
 });
 declare const StackAdminApp: StackAdminAppConstructor;
 
-export { type ApiKeySet, type ApiKeySetBase, type ApiKeySetFirstView, type CurrentInternalServerUser, type CurrentInternalUser, type CurrentServerUser, type CurrentUser, type DomainConfig, type EmailConfig, type GetUserOptions, type HandlerUrls, type OAuthProviderConfig, type Permission, type Project, type ServerPermission, type ServerTeam, type ServerTeamMember, type ServerUser, StackAdminApp, type StackAdminAppConstructorOptions, StackClientApp, type StackClientAppConstructorOptions, type StackClientAppJson, StackServerApp, type StackServerAppConstructorOptions, type Team, type TeamMember, type TokenStoreInit, type User, stackAppInternalsSymbol };
+export { type ApiKeySet, type ApiKeySetBase, type ApiKeySetFirstView, type Connection, type CurrentInternalServerUser, type CurrentInternalUser, type CurrentServerUser, type CurrentUser, type DomainConfig, type EmailConfig, type GetUserOptions, type HandlerUrls, type OAuthConnection, type OAuthProviderConfig, type OAuthScopesOnSignIn, type Permission, type Project, type ServerPermission, type ServerTeam, type ServerTeamMember, type ServerUser, StackAdminApp, type StackAdminAppConstructorOptions, StackClientApp, type StackClientAppConstructorOptions, type StackClientAppJson, StackServerApp, type StackServerAppConstructorOptions, type Team, type TeamMember, type TokenStoreInit, type User, stackAppInternalsSymbol };

package/dist/lib/stack-app.js

@@ -45,7 +45,7 @@ var import_results = require("@stackframe/stack-shared/dist/utils/results");
 var import_react2 = require("@stackframe/stack-shared/dist/utils/react");
 var import_stores = require("@stackframe/stack-shared/dist/utils/stores");
 var import_clientInterface = require("@stackframe/stack-shared/dist/interface/clientInterface");
-var import_env = require("@stackframe/stack-shared/src/utils/env");
+var import_env = require("@stackframe/stack-shared/dist/utils/env");
 var import_auth = require("./auth");
 var NextNavigationUnscrambled = __toESM(require("next/navigation"));
 var import_url = require("../utils/url");
@@ -58,8 +58,9 @@ var import_stack_sc = require("@stackframe/stack-sc");
 var cookie = __toESM(require("cookie"));
 var import_sessions = require("@stackframe/stack-shared/dist/sessions");
 var import_use_trigger = require("@stackframe/stack-shared/dist/hooks/use-trigger");
+var import_strings = require("@stackframe/stack-shared/src/utils/strings");
 var NextNavigation = (0, import_compile_time.scrambleDuringCompileTime)(NextNavigationUnscrambled);
-var clientVersion = "js @stackframe/stack@2.4.20";
+var clientVersion = "js @stackframe/stack@2.4.22";
 function permissionDefinitionScopeToType(scope) {
   return { "any-team": "team", "specific-team": "team", "global": "global" }[scope.type];
 }
@@ -80,9 +81,22 @@ function getUrls(partial) {
     magicLinkCallback: `${handler}/magic-link-callback`,
     home: "/",
     accountSettings: `${handler}/account-settings`,
+    error: `${handler}/error`,
     ...(0, import_objects.filterUndefined)(partial)
   };
 }
+async function _redirectTo(url, options) {
+  if (import_stack_sc.isReactServer) {
+    NextNavigation.redirect(url, options?.replace ? NextNavigation.RedirectType.replace : NextNavigation.RedirectType.push);
+  } else {
+    if (options?.replace) {
+      window.location.replace(url);
+    } else {
+      window.location.assign(url);
+    }
+    await (0, import_promises.wait)(2e3);
+  }
+}
 function getDefaultProjectId() {
   return process.env.NEXT_PUBLIC_STACK_PROJECT_ID || (0, import_errors.throwErr)(new Error("Welcome to Stack! It seems that you haven't provided a project ID. Please create a project on the Stack dashboard at https://app.stack-auth.com and put it in the NEXT_PUBLIC_STACK_PROJECT_ID environment variable."));
 }
@@ -157,6 +171,7 @@ var _StackClientAppImpl = class __StackClientAppImpl {
     }
     this._tokenStoreInit = _options.tokenStore;
     this._urlOptions = _options.urls ?? {};
+    this._oauthScopesOnSignIn = _options.oauthScopesOnSignIn ?? {};
     if (_options.uniqueIdentifier) {
       this._uniqueIdentifier = _options.uniqueIdentifier;
       this._initUniqueIdentifier();
@@ -170,6 +185,7 @@ var _StackClientAppImpl = class __StackClientAppImpl {
   _interface;
   _tokenStoreInit;
   _urlOptions;
+  _oauthScopesOnSignIn;
   __DEMO_ENABLE_SLIGHT_FETCH_DELAY = false;
   _currentUserCache = createCacheBySession(async (session) => {
     if (this.__DEMO_ENABLE_SLIGHT_FETCH_DELAY) {
@@ -190,6 +206,64 @@ var _StackClientAppImpl = class __StackClientAppImpl {
   _currentUserTeamsCache = createCacheBySession(async (session) => {
     return await this._interface.listClientUserTeams(session);
   });
+  _currentUserOAuthConnectionAccessTokensCache = createCacheBySession(
+    async (session, [accountId, scope]) => {
+      try {
+        return await this._interface.getAccessToken(accountId, scope || "", session);
+      } catch (err) {
+        if (!(err instanceof import_stack_shared.KnownErrors.OAuthConnectionDoesNotHaveRequiredScope || err instanceof import_stack_shared.KnownErrors.OAuthConnectionNotConnectedToUser)) {
+          throw err;
+        }
+      }
+      return null;
+    }
+  );
+  _currentUserOAuthConnectionCache = createCacheBySession(
+    async (session, [connectionId, scope, redirect]) => {
+      const user = await this._currentUserCache.getOrWait([session], "write-only");
+      let hasConnection = true;
+      if (!user || !user.oauthProviders.find((p) => p === connectionId)) {
+        hasConnection = false;
+      }
+      const token = await this._currentUserOAuthConnectionAccessTokensCache.getOrWait([session, connectionId, scope || ""], "write-only");
+      if (!token) {
+        hasConnection = false;
+      }
+      if (!hasConnection && redirect) {
+        await (0, import_auth.addNewOAuthProviderOrScope)(
+          this._interface,
+          {
+            provider: connectionId,
+            redirectUrl: this.urls.oauthCallback,
+            errorRedirectUrl: this.urls.error,
+            providerScope: (0, import_strings.mergeScopeStrings)(scope || "", (this._oauthScopesOnSignIn[connectionId] ?? []).join(" "))
+          },
+          this._getSession()
+        );
+        return await (0, import_promises.neverResolve)();
+      } else if (!hasConnection) {
+        return null;
+      }
+      const app = this;
+      return {
+        id: connectionId,
+        async getAccessToken() {
+          const result = await app._currentUserOAuthConnectionAccessTokensCache.getOrWait([session, connectionId, scope || ""], "write-only");
+          if (!result) {
+            throw new import_errors.StackAssertionError("No access token available");
+          }
+          return result;
+        },
+        useAccessToken() {
+          const result = useAsyncCache(app._currentUserOAuthConnectionAccessTokensCache, [session, connectionId, scope || ""], "oauthAccount.useAccessToken()");
+          if (!result) {
+            throw new import_errors.StackAssertionError("No access token available");
+          }
+          return result;
+        }
+      };
+    }
+  );
   _initUniqueIdentifier() {
     if (!this._uniqueIdentifier) {
       throw new import_errors.StackAssertionError("Unique identifier not initialized");
@@ -426,6 +500,14 @@ var _StackClientAppImpl = class __StackClientAppImpl {
   }
   _userFromJson(json) {
     const app = this;
+    async function getConnection(id, options) {
+      const scopeString = options?.scopes?.join(" ");
+      return await app._currentUserOAuthConnectionCache.getOrWait([app._getSession(), id, scopeString || "", options?.or === "redirect"], "write-only");
+    }
+    function useConnection(id, options) {
+      const scopeString = options?.scopes?.join(" ");
+      return useAsyncCache(app._currentUserOAuthConnectionCache, [app._useSession(), id, scopeString || "", options?.or === "redirect"], "user.useConnection()");
+    }
     return {
       projectId: json.projectId,
       id: json.id,
@@ -439,6 +521,8 @@ var _StackClientAppImpl = class __StackClientAppImpl {
       hasPassword: json.hasPassword,
       authWithEmail: json.authWithEmail,
       oauthProviders: json.oauthProviders,
+      getConnection,
+      useConnection,
       async getSelectedTeam() {
         return await this.getTeam(json.selectedTeamId || "");
       },
@@ -508,12 +592,9 @@ var _StackClientAppImpl = class __StackClientAppImpl {
       displayName: json.displayName
     };
   }
-  _currentUserFromJson(json, session) {
-    if (json === null)
-      return null;
+  _authFromJson(session) {
     const app = this;
-    const currentUser = {
-      ...this._userFromJson(json),
+    return {
       _internalSession: session,
       currentSession: {
         async getTokens() {
@@ -524,15 +605,25 @@ var _StackClientAppImpl = class __StackClientAppImpl {
           };
         }
       },
+      async getAuthHeaders() {
+        return {
+          "x-stack-auth": JSON.stringify(await this.getAuthJson())
+        };
+      },
+      async getAuthJson() {
+        const tokens = await this.currentSession.getTokens();
+        return tokens;
+      },
+      signOut() {
+        return app._signOut(session);
+      },
+      // TODO these should not actually be on Auth, instead on User
       async updateSelectedTeam(team) {
         await app._updateUser({ selectedTeamId: team?.id ?? null }, session);
       },
       update(update) {
         return app._updateUser(update, session);
       },
-      signOut() {
-        return app._signOut(session);
-      },
       sendVerificationEmail() {
         return app._sendVerificationEmail(session);
       },
@@ -540,6 +631,15 @@ var _StackClientAppImpl = class __StackClientAppImpl {
         return app._updatePassword(options, session);
       }
     };
+  }
+  _currentUserFromJson(json, session) {
+    if (json === null)
+      return null;
+    const app = this;
+    const currentUser = {
+      ...this._userFromJson(json),
+      ...this._authFromJson(session)
+    };
     if (this._isInternalProject()) {
       const internalUser = {
         ...currentUser,
@@ -610,33 +710,12 @@ var _StackClientAppImpl = class __StackClientAppImpl {
   get urls() {
     return getUrls(this._urlOptions);
   }
-  async getCrossOriginHeaders() {
-    return {
-      "x-stack-auth": JSON.stringify(await this.getCrossOriginTokenObject())
-    };
-  }
-  async getCrossOriginTokenObject() {
-    const user = await this.getUser();
-    if (!user)
-      return { accessToken: null, refreshToken: null };
-    const tokens = await user.currentSession.getTokens();
-    return tokens;
-  }
   async _redirectTo(handlerName, options) {
     const url = this.urls[handlerName];
     if (!url) {
       throw new Error(`No URL for handler name ${handlerName}`);
     }
-    if (import_stack_sc.isReactServer) {
-      NextNavigation.redirect(url, options?.replace ? NextNavigation.RedirectType.replace : NextNavigation.RedirectType.push);
-    } else {
-      if (options?.replace) {
-        window.location.replace(url);
-      } else {
-        window.location.assign(url);
-      }
-      await (0, import_promises.wait)(2e3);
-    }
+    await _redirectTo(url, options);
   }
   async redirectToSignIn() {
     return await this._redirectTo("signIn");
@@ -677,6 +756,9 @@ var _StackClientAppImpl = class __StackClientAppImpl {
   async redirectToAccountSettings() {
     return await this._redirectTo("accountSettings");
   }
+  async redirectToError() {
+    return await this._redirectTo("error");
+  }
   async sendForgotPasswordEmail(email) {
     const redirectUrl = (0, import_url.constructRedirectUrl)(this.urls.passwordReset);
     const error = await this._interface.sendForgotPasswordEmail(email, redirectUrl);
@@ -756,7 +838,15 @@ var _StackClientAppImpl = class __StackClientAppImpl {
   }
   async signInWithOAuth(provider) {
     this._ensurePersistentTokenStore();
-    await (0, import_auth.signInWithOAuth)(this._interface, { provider, redirectUrl: this.urls.oauthCallback });
+    await (0, import_auth.signInWithOAuth)(
+      this._interface,
+      {
+        provider,
+        redirectUrl: this.urls.oauthCallback,
+        errorRedirectUrl: this.urls.error,
+        providerScope: this._oauthScopesOnSignIn[provider]?.join(" ")
+      }
+    );
   }
   async signInWithCredential(options) {
     this._ensurePersistentTokenStore();
@@ -803,7 +893,10 @@ var _StackClientAppImpl = class __StackClientAppImpl {
     const result = await (0, import_auth.callOAuthCallback)(this._interface, this.urls.oauthCallback);
     if (result) {
       await this._signInToAccountWithTokens(result);
-      if (result.newUser) {
+      if (result.afterCallbackRedirectUrl) {
+        await _redirectTo(result.afterCallbackRedirectUrl, { replace: true });
+        return true;
+      } else if (result.newUser) {
         await this.redirectToAfterSignUp({ replace: true });
         return true;
       } else {
@@ -883,6 +976,9 @@ var _StackClientAppImpl = class __StackClientAppImpl {
     return res;
   }
   async _refreshUser(session) {
+    await this._refreshSession(session);
+  }
+  async _refreshSession(session) {
     await this._currentUserCache.refresh([session]);
   }
   async _refreshUsers() {
@@ -926,6 +1022,7 @@ var _StackClientAppImpl = class __StackClientAppImpl {
           publishableClientKey: this._interface.options.publishableClientKey,
           tokenStore: this._tokenStoreInit,
           urls: this._urlOptions,
+          oauthScopesOnSignIn: this._oauthScopesOnSignIn,
           uniqueIdentifier: this._getUniqueIdentifier()
         };
       },
@@ -967,7 +1064,8 @@ var _StackServerAppImpl = class extends _StackClientAppImpl {
     super("interface" in options ? {
       interface: options.interface,
       tokenStore: options.tokenStore,
-      urls: options.urls
+      urls: options.urls,
+      oauthScopesOnSignIn: options.oauthScopesOnSignIn
     } : {
       interface: new import_stack_shared.StackServerInterface({
         baseUrl: options.baseUrl ?? getDefaultBaseUrl(),
@@ -977,7 +1075,8 @@ var _StackServerAppImpl = class extends _StackClientAppImpl {
         secretServerKey: options.secretServerKey ?? getDefaultSecretServerKey()
       }),
       tokenStore: options.tokenStore,
-      urls: options.urls ?? {}
+      urls: options.urls ?? {},
+      oauthScopesOnSignIn: options.oauthScopesOnSignIn ?? {}
     });
   }
   _serverUserFromJson(json) {
@@ -1073,40 +1172,14 @@ var _StackServerAppImpl = class extends _StackClientAppImpl {
     const nonCurrentServerUser = this._serverUserFromJson(json);
     const currentUser = {
       ...nonCurrentServerUser,
-      _internalSession: session,
-      currentSession: {
-        async getTokens() {
-          const tokens = await session.getPotentiallyExpiredTokens();
-          return {
-            accessToken: tokens?.accessToken.token ?? null,
-            refreshToken: tokens?.refreshToken?.token ?? null
-          };
-        }
-      },
+      ...this._authFromJson(session),
       async delete() {
         const res = await nonCurrentServerUser.delete();
         await app._refreshUser(session);
         return res;
       },
-      async updateSelectedTeam(team) {
-        await this.update({ selectedTeamId: team?.id ?? null });
-      },
-      async update(update) {
-        const res = await nonCurrentServerUser.update(update);
-        await app._refreshUser(session);
-        return res;
-      },
-      signOut() {
-        return app._signOut(session);
-      },
       getClientUser() {
         return app._currentUserFromJson(json, session);
-      },
-      sendVerificationEmail() {
-        return app._sendVerificationEmail(session);
-      },
-      updatePassword(options) {
-        return app._updatePassword(options, session);
       }
     };
     if (this._isInternalProject()) {
@@ -1281,7 +1354,7 @@ var _StackServerAppImpl = class extends _StackClientAppImpl {
       return teams.find((t) => t.id === teamId) ?? null;
     }, [teams, teamId]);
   }
-  async _refreshUser(session) {
+  async _refreshSession(session) {
     await Promise.all([
       super._refreshUser(session),
       this._currentServerUserCache.refresh([session])
@@ -1330,7 +1403,8 @@ var _StackAdminAppImpl = class extends _StackServerAppImpl {
         }
       }),
       tokenStore: options.tokenStore,
-      urls: options.urls
+      urls: options.urls,
+      oauthScopesOnSignIn: options.oauthScopesOnSignIn
     });
   }
   _createApiKeySetBaseFromJson(data) {