@stackframe/stack 2.4.22 → 2.4.24

package/dist/esm/lib/stack-app.js

@@ -1,7 +1,7 @@
 // src/lib/stack-app.ts
 import React, { use, useCallback, useMemo } from "react";
 import { KnownError, KnownErrors, StackAdminInterface, StackClientInterface, StackServerInterface } from "@stackframe/stack-shared";
-import { getCookie, setOrDeleteCookie } from "./cookie";
+import { deleteCookie, getCookie, setOrDeleteCookie } from "./cookie";
 import { StackAssertionError, throwErr } from "@stackframe/stack-shared/dist/utils/errors";
 import { generateUuid } from "@stackframe/stack-shared/dist/utils/uuids";
 import { AsyncResult, Result } from "@stackframe/stack-shared/dist/utils/results";
@@ -12,7 +12,7 @@ import { isBrowserLike } from "@stackframe/stack-shared/dist/utils/env";
 import { addNewOAuthProviderOrScope, callOAuthCallback, signInWithOAuth } from "./auth";
 import * as NextNavigationUnscrambled from "next/navigation";
 import { constructRedirectUrl } from "../utils/url";
-import { deepPlainEquals, filterUndefined, omit } from "@stackframe/stack-shared/dist/utils/objects";
+import { deepPlainEquals, filterUndefined, omit, pick } from "@stackframe/stack-shared/dist/utils/objects";
 import { neverResolve, resolved, runAsynchronously, wait } from "@stackframe/stack-shared/dist/utils/promises";
 import { AsyncCache } from "@stackframe/stack-shared/dist/utils/caches";
 import { suspend } from "@stackframe/stack-shared/dist/utils/react";
@@ -21,9 +21,9 @@ import { isReactServer } from "@stackframe/stack-sc";
 import * as cookie from "cookie";
 import { InternalSession } from "@stackframe/stack-shared/dist/sessions";
 import { useTrigger } from "@stackframe/stack-shared/dist/hooks/use-trigger";
-import { mergeScopeStrings } from "@stackframe/stack-shared/src/utils/strings";
+import { mergeScopeStrings } from "@stackframe/stack-shared/dist/utils/strings";
 var NextNavigation = scrambleDuringCompileTime(NextNavigationUnscrambled);
-var clientVersion = "js @stackframe/stack@2.4.22";
+var clientVersion = "js @stackframe/stack@2.4.24";
 function permissionDefinitionScopeToType(scope) {
   return { "any-team": "team", "specific-team": "team", "global": "global" }[scope.type];
 }
@@ -201,7 +201,7 @@ var _StackClientAppImpl = class __StackClientAppImpl {
             errorRedirectUrl: this.urls.error,
             providerScope: mergeScopeStrings(scope || "", (this._oauthScopesOnSignIn[connectionId] ?? []).join(" "))
           },
-          this._getSession()
+          session
         );
         return await neverResolve();
       } else if (!hasConnection) {
@@ -247,12 +247,28 @@ var _StackClientAppImpl = class __StackClientAppImpl {
     }
     return this._uniqueIdentifier;
   }
+  async _checkFeatureSupport(featureName, options) {
+    return await this._interface.checkFeatureSupport({ ...options, featureName });
+  }
+  _useCheckFeatureSupport(featureName, options) {
+    runAsynchronously(this._checkFeatureSupport(featureName, options));
+    throw new StackAssertionError(`${featureName} is not currently supported. Please reach out to Stack support for more information.`);
+  }
   _memoryTokenStore = createEmptyTokenStore();
   _requestTokenStores = /* @__PURE__ */ new WeakMap();
   _storedCookieTokenStore = null;
   get _refreshTokenCookieName() {
     return `stack-refresh-${this.projectId}`;
   }
+  _getTokensFromCookies(cookies) {
+    const refreshToken = cookies.refreshTokenCookie;
+    const accessTokenObject = cookies.accessTokenCookie?.startsWith('["') ? JSON.parse(cookies.accessTokenCookie) : null;
+    const accessToken = accessTokenObject && refreshToken === accessTokenObject[0] ? accessTokenObject[1] : null;
+    return {
+      refreshToken,
+      accessToken
+    };
+  }
   get _accessTokenCookieName() {
     return `stack-access`;
   }
@@ -261,14 +277,17 @@ var _StackClientAppImpl = class __StackClientAppImpl {
       throw new Error("Cannot use cookie token store on the server!");
     }
     if (this._storedCookieTokenStore === null) {
-      const getCurrentValue = (old) => ({
-        refreshToken: getCookie(this._refreshTokenCookieName) ?? getCookie("stack-refresh"),
-        // keep old cookie name for backwards-compatibility
-        // if there is an access token in memory already, don't update the access token based on cookies (access token
-        // cookies may be set by another project on the same domain)
-        // see the comment in _accessTokenCookieName for more information
-        accessToken: old === null ? getCookie(this._accessTokenCookieName) : old.accessToken
-      });
+      const getCurrentValue = (old) => {
+        const tokens = this._getTokensFromCookies({
+          refreshTokenCookie: getCookie(this._refreshTokenCookieName) ?? getCookie("stack-refresh"),
+          // keep old cookie name for backwards-compatibility
+          accessTokenCookie: getCookie(this._accessTokenCookieName)
+        });
+        return {
+          refreshToken: tokens.refreshToken,
+          accessToken: tokens.accessToken ?? (old?.refreshToken === tokens.refreshToken ? old.accessToken : null)
+        };
+      };
       this._storedCookieTokenStore = new Store(getCurrentValue(null));
       let hasSucceededInWriting = true;
       setInterval(() => {
@@ -283,7 +302,8 @@ var _StackClientAppImpl = class __StackClientAppImpl {
       this._storedCookieTokenStore.onChange((value) => {
         try {
           setOrDeleteCookie(this._refreshTokenCookieName, value.refreshToken, { maxAge: 60 * 60 * 24 * 365 });
-          setOrDeleteCookie(this._accessTokenCookieName, value.accessToken, { maxAge: 60 * 60 * 24 });
+          setOrDeleteCookie(this._accessTokenCookieName, value.accessToken ? JSON.stringify([value.refreshToken, value.accessToken]) : null, { maxAge: 60 * 60 * 24 });
+          deleteCookie("stack-refresh");
           hasSucceededInWriting = true;
         } catch (e) {
           if (!isBrowserLike()) {
@@ -306,15 +326,16 @@ var _StackClientAppImpl = class __StackClientAppImpl {
         if (isBrowserLike()) {
           return this._getCookieTokenStore();
         } else {
-          const store = new Store({
-            refreshToken: getCookie(this._refreshTokenCookieName) ?? getCookie("stack-refresh"),
+          const tokens = this._getTokensFromCookies({
+            refreshTokenCookie: getCookie(this._refreshTokenCookieName) ?? getCookie("stack-refresh"),
             // keep old cookie name for backwards-compatibility
-            accessToken: getCookie(this._accessTokenCookieName)
+            accessTokenCookie: getCookie(this._accessTokenCookieName)
           });
+          const store = new Store(tokens);
           store.onChange((value) => {
             try {
               setOrDeleteCookie(this._refreshTokenCookieName, value.refreshToken, { maxAge: 60 * 60 * 24 * 365 });
-              setOrDeleteCookie(this._accessTokenCookieName, value.accessToken, { maxAge: 60 * 60 * 24 });
+              setOrDeleteCookie(this._accessTokenCookieName, value.accessToken ? JSON.stringify([value.refreshToken, value.accessToken]) : null, { maxAge: 60 * 60 * 24 });
             } catch (e) {
             }
           });
@@ -410,7 +431,9 @@ var _StackClientAppImpl = class __StackClientAppImpl {
   _useSession(overrideTokenStoreInit) {
     const tokenStore = this._getOrCreateTokenStore(overrideTokenStoreInit);
     const subscribe = useCallback((cb) => {
-      const { unsubscribe } = tokenStore.onChange(() => cb());
+      const { unsubscribe } = tokenStore.onChange(() => {
+        cb();
+      });
       return unsubscribe;
     }, [tokenStore]);
     const getSnapshot = useCallback(() => this._getSessionFromTokenStore(tokenStore), [tokenStore]);
@@ -461,16 +484,43 @@ var _StackClientAppImpl = class __StackClientAppImpl {
       }
     };
   }
-  _userFromJson(json) {
+  _teamMemberFromJson(json) {
+    if (json === null)
+      return null;
+    return {
+      teamId: json.teamId,
+      userId: json.userId,
+      displayName: json.displayName
+    };
+  }
+  _createAuth(session) {
     const app = this;
-    async function getConnection(id, options) {
-      const scopeString = options?.scopes?.join(" ");
-      return await app._currentUserOAuthConnectionCache.getOrWait([app._getSession(), id, scopeString || "", options?.or === "redirect"], "write-only");
-    }
-    function useConnection(id, options) {
-      const scopeString = options?.scopes?.join(" ");
-      return useAsyncCache(app._currentUserOAuthConnectionCache, [app._useSession(), id, scopeString || "", options?.or === "redirect"], "user.useConnection()");
-    }
+    return {
+      _internalSession: session,
+      currentSession: {
+        async getTokens() {
+          const tokens = await session.getPotentiallyExpiredTokens();
+          return {
+            accessToken: tokens?.accessToken.token ?? null,
+            refreshToken: tokens?.refreshToken?.token ?? null
+          };
+        }
+      },
+      async getAuthHeaders() {
+        return {
+          "x-stack-auth": JSON.stringify(await this.getAuthJson())
+        };
+      },
+      async getAuthJson() {
+        const tokens = await this.currentSession.getTokens();
+        return tokens;
+      },
+      signOut() {
+        return app._signOut(session);
+      }
+    };
+  }
+  _createBaseUser(json) {
     return {
       projectId: json.projectId,
       id: json.id,
@@ -480,18 +530,52 @@ var _StackClientAppImpl = class __StackClientAppImpl {
       profileImageUrl: json.profileImageUrl,
       signedUpAt: new Date(json.signedUpAtMillis),
       clientMetadata: json.clientMetadata,
-      authMethod: json.authMethod,
       hasPassword: json.hasPassword,
       authWithEmail: json.authWithEmail,
       oauthProviders: json.oauthProviders,
-      getConnection,
-      useConnection,
-      async getSelectedTeam() {
-        return await this.getTeam(json.selectedTeamId || "");
+      selectedTeam: json.selectedTeam && this._teamFromJson(json.selectedTeam),
+      toClientJson() {
+        return pick(json, [
+          "projectId",
+          "id",
+          "displayName",
+          "primaryEmail",
+          "primaryEmailVerified",
+          "profileImageUrl",
+          "signedUpAtMillis",
+          "clientMetadata",
+          "hasPassword",
+          "authMethod",
+          "authWithEmail",
+          "selectedTeamId",
+          "selectedTeam",
+          "oauthProviders"
+        ]);
+      }
+    };
+  }
+  _createUserExtra(json, session) {
+    const app = this;
+    async function getConnectedAccount(id, options) {
+      const scopeString = options?.scopes?.join(" ");
+      return await app._currentUserOAuthConnectionCache.getOrWait([session, id, scopeString || "", options?.or === "redirect"], "write-only");
+    }
+    function useConnectedAccount(id, options) {
+      const scopeString = options?.scopes?.join(" ");
+      return useAsyncCache(app._currentUserOAuthConnectionCache, [session, id, scopeString || "", options?.or === "redirect"], "user.useConnectedAccount()");
+    }
+    return {
+      setDisplayName(displayName) {
+        return this.update({ displayName });
+      },
+      setClientMetadata(metadata) {
+        return this.update({ clientMetadata: metadata });
       },
-      useSelectedTeam() {
-        return this.useTeam(json.selectedTeamId || "");
+      async setSelectedTeam(team) {
+        await this.update({ selectedTeamId: team?.id ?? null });
       },
+      getConnectedAccount,
+      useConnectedAccount,
       async getTeam(teamId) {
         const teams = await this.listTeams();
         return teams.find((t) => t.id === teamId) ?? null;
@@ -502,32 +586,20 @@ var _StackClientAppImpl = class __StackClientAppImpl {
           return teams.find((t) => t.id === teamId) ?? null;
         }, [teams, teamId]);
       },
-      onTeamChange(teamId, callback) {
-        return this.onTeamsChange((teams) => {
-          const team = teams.find((t) => t.id === teamId) ?? null;
-          callback(team);
-        });
-      },
       async listTeams() {
-        const teams = await app._currentUserTeamsCache.getOrWait([app._getSession()], "write-only");
+        const teams = await app._currentUserTeamsCache.getOrWait([session], "write-only");
         return teams.map((json2) => app._teamFromJson(json2));
       },
       useTeams() {
-        const session = app._useSession();
         const teams = useAsyncCache(app._currentUserTeamsCache, [session], "user.useTeams()");
         return useMemo(() => teams.map((json2) => app._teamFromJson(json2)), [teams]);
       },
-      onTeamsChange(callback) {
-        return app._currentUserTeamsCache.onChange([app._getSession()], (value, oldValue) => {
-          callback(value.map((json2) => app._teamFromJson(json2)), oldValue?.map((json2) => app._teamFromJson(json2)));
-        });
-      },
       async listPermissions(scope, options) {
-        const permissions = await app._currentUserPermissionsCache.getOrWait([app._getSession(), scope.id, "team", !!options?.direct], "write-only");
+        const permissions = await app._currentUserPermissionsCache.getOrWait([session, scope.id, "team", !!options?.direct], "write-only");
         return permissions.map((json2) => app._permissionFromJson(json2));
       },
       usePermissions(scope, options) {
-        const permissions = useAsyncCache(app._currentUserPermissionsCache, [app._getSession(), scope.id, "team", !!options?.direct], "user.usePermissions()");
+        const permissions = useAsyncCache(app._currentUserPermissionsCache, [session, scope.id, "team", !!options?.direct], "user.usePermissions()");
         return useMemo(() => permissions.map((json2) => app._permissionFromJson(json2)), [permissions]);
       },
       usePermission(scope, permissionId) {
@@ -541,49 +613,6 @@ var _StackClientAppImpl = class __StackClientAppImpl {
       async hasPermission(scope, permissionId) {
         return await this.getPermission(scope, permissionId) !== null;
       },
-      toJson() {
-        return json;
-      }
-    };
-  }
-  _teamMemberFromJson(json) {
-    if (json === null)
-      return null;
-    return {
-      teamId: json.teamId,
-      userId: json.userId,
-      displayName: json.displayName
-    };
-  }
-  _authFromJson(session) {
-    const app = this;
-    return {
-      _internalSession: session,
-      currentSession: {
-        async getTokens() {
-          const tokens = await session.getPotentiallyExpiredTokens();
-          return {
-            accessToken: tokens?.accessToken.token ?? null,
-            refreshToken: tokens?.refreshToken?.token ?? null
-          };
-        }
-      },
-      async getAuthHeaders() {
-        return {
-          "x-stack-auth": JSON.stringify(await this.getAuthJson())
-        };
-      },
-      async getAuthJson() {
-        const tokens = await this.currentSession.getTokens();
-        return tokens;
-      },
-      signOut() {
-        return app._signOut(session);
-      },
-      // TODO these should not actually be on Auth, instead on User
-      async updateSelectedTeam(team) {
-        await app._updateUser({ selectedTeamId: team?.id ?? null }, session);
-      },
       update(update) {
         return app._updateUser(update, session);
       },
@@ -595,36 +624,30 @@ var _StackClientAppImpl = class __StackClientAppImpl {
       }
     };
   }
-  _currentUserFromJson(json, session) {
-    if (json === null)
-      return null;
+  _createInternalUserExtra(session) {
     const app = this;
+    this._ensureInternalProject();
+    return {
+      createProject(newProject) {
+        return app._createProject(session, newProject);
+      },
+      listOwnedProjects() {
+        return app._listOwnedProjects(session);
+      },
+      useOwnedProjects() {
+        return app._useOwnedProjects(session);
+      }
+    };
+  }
+  _createCurrentUser(json, session) {
     const currentUser = {
-      ...this._userFromJson(json),
-      ...this._authFromJson(session)
+      ...this._createBaseUser(json),
+      ...this._createAuth(session),
+      ...this._createUserExtra(json, session),
+      ...this._isInternalProject() ? this._createInternalUserExtra(session) : {}
     };
-    if (this._isInternalProject()) {
-      const internalUser = {
-        ...currentUser,
-        createProject(newProject) {
-          return app._createProject(newProject);
-        },
-        listOwnedProjects() {
-          return app._listOwnedProjects();
-        },
-        useOwnedProjects() {
-          return app._useOwnedProjects();
-        },
-        onOwnedProjectsChange(callback) {
-          return app._onOwnedProjectsChange(callback);
-        }
-      };
-      Object.freeze(internalUser);
-      return internalUser;
-    } else {
-      Object.freeze(currentUser);
-      return currentUser;
-    }
+    Object.freeze(currentUser);
+    return currentUser;
   }
   _projectAdminFromJson(data, adminInterface, onRefresh) {
     if (data.id !== adminInterface.projectId) {
@@ -760,12 +783,12 @@ var _StackClientAppImpl = class __StackClientAppImpl {
         }
       }
     }
-    return this._currentUserFromJson(userJson, session);
+    return userJson && this._createCurrentUser(userJson, session);
   }
   useUser(options) {
     this._ensurePersistentTokenStore(options?.tokenStore);
     const router = NextNavigation.useRouter();
-    const session = this._getSession(options?.tokenStore);
+    const session = this._useSession(options?.tokenStore);
     const userJson = useAsyncCache(this._currentUserCache, [session], "useUser()");
     const triggerRedirectToSignIn = useTrigger(() => router.replace(this.urls.signIn));
     if (userJson === null) {
@@ -784,16 +807,9 @@ var _StackClientAppImpl = class __StackClientAppImpl {
       }
     }
     return useMemo(() => {
-      return this._currentUserFromJson(userJson, session);
+      return userJson && this._createCurrentUser(userJson, session);
     }, [userJson, session, options?.or]);
   }
-  onUserChange(callback) {
-    this._ensurePersistentTokenStore();
-    const session = this._getSession();
-    return this._currentUserCache.onChange([session], (userJson) => {
-      callback(this._currentUserFromJson(userJson, session));
-    });
-  }
   async _updateUser(update, session) {
     const res = await this._interface.setClientUserCustomizableData(update, session);
     await this._refreshUser(session);
@@ -892,12 +908,8 @@ var _StackClientAppImpl = class __StackClientAppImpl {
   useProject() {
     return useAsyncCache(this._currentProjectCache, [], "useProject()");
   }
-  onProjectChange(callback) {
-    return this._currentProjectCache.onChange([], callback);
-  }
-  async _listOwnedProjects() {
+  async _listOwnedProjects(session) {
     this._ensureInternalProject();
-    const session = this._getSession();
     const json = await this._ownedProjectsCache.getOrWait([session], "write-only");
     return json.map((j) => this._projectAdminFromJson(
       j,
@@ -905,9 +917,8 @@ var _StackClientAppImpl = class __StackClientAppImpl {
       () => this._refreshOwnedProjects(session)
     ));
   }
-  _useOwnedProjects() {
+  _useOwnedProjects(session) {
     this._ensureInternalProject();
-    const session = this._getSession();
     const json = useAsyncCache(this._ownedProjectsCache, [session], "useOwnedProjects()");
     return useMemo(() => json.map((j) => this._projectAdminFromJson(
       j,
@@ -915,20 +926,8 @@ var _StackClientAppImpl = class __StackClientAppImpl {
       () => this._refreshOwnedProjects(session)
     )), [json]);
   }
-  _onOwnedProjectsChange(callback) {
+  async _createProject(session, newProject) {
     this._ensureInternalProject();
-    const session = this._getSession();
-    return this._ownedProjectsCache.onChange([session], (projects) => {
-      callback(projects.map((j) => this._projectAdminFromJson(
-        j,
-        this._createAdminInterface(j.id, session),
-        () => this._refreshOwnedProjects(session)
-      )));
-    });
-  }
-  async _createProject(newProject) {
-    this._ensureInternalProject();
-    const session = this._getSession();
     const json = await this._interface.createProject(newProject, session);
     const res = this._projectAdminFromJson(
       json,
@@ -1042,37 +1041,45 @@ var _StackServerAppImpl = class extends _StackClientAppImpl {
       oauthScopesOnSignIn: options.oauthScopesOnSignIn ?? {}
     });
   }
-  _serverUserFromJson(json) {
-    if (json === null)
-      return null;
+  _createBaseUser(json) {
+    return {
+      ...super._createBaseUser(json),
+      ..."serverMetadata" in json ? {
+        serverMetadata: json.serverMetadata,
+        toServerJson() {
+          return {
+            ...this.toClientJson(),
+            ...pick(json, [
+              "serverMetadata"
+            ])
+          };
+        }
+      } : {}
+    };
+  }
+  _createUserExtra(json) {
     const app = this;
     return {
-      ...this._userFromJson(json),
-      serverMetadata: json.serverMetadata,
-      async delete() {
-        const res = await app._interface.deleteServerUser(this.id);
-        await app._refreshUsers();
-        return res;
+      async setDisplayName(displayName) {
+        return await this.update({ displayName });
       },
-      async update(update) {
-        const res = await app._interface.setServerUserCustomizableData(this.id, update);
-        await app._refreshUsers();
-        return res;
+      async setClientMetadata(metadata) {
+        return await this.update({ clientMetadata: metadata });
       },
-      getClientUser() {
-        return app._userFromJson(json);
+      async setServerMetadata(metadata) {
+        return await this.update({ serverMetadata: metadata });
       },
-      async grantPermission(scope, permissionId) {
-        await app._interface.grantTeamUserPermission(scope.id, json.id, permissionId, "team");
-        for (const direct of [true, false]) {
-          await app._serverTeamUserPermissionsCache.refresh([scope.id, json.id, "team", direct]);
-        }
+      async setSelectedTeam(team) {
+        return await this.update({ selectedTeamId: team?.id ?? null });
       },
-      async revokePermission(scope, permissionId) {
-        await app._interface.revokeTeamUserPermission(scope.id, json.id, permissionId, "team");
-        for (const direct of [true, false]) {
-          await app._serverTeamUserPermissionsCache.refresh([scope.id, json.id, "team", direct]);
-        }
+      async setPrimaryEmail(email, options) {
+        return await this.update({ primaryEmail: email });
+      },
+      getConnectedAccount: async () => {
+        return await app._checkFeatureSupport("getConnectedAccount() on ServerUser", {});
+      },
+      useConnectedAccount: () => {
+        return app._useCheckFeatureSupport("useConnectedAccount() on ServerUser", {});
       },
       async getTeam(teamId) {
         const teams = await this.listTeams();
@@ -1084,24 +1091,13 @@ var _StackServerAppImpl = class extends _StackClientAppImpl {
           return teams.find((t) => t.id === teamId) ?? null;
         }, [teams, teamId]);
       },
-      onTeamChange(teamId, callback) {
-        return this.onTeamsChange((teams) => {
-          const team = teams.find((t) => t.id === teamId) ?? null;
-          callback(team);
-        });
-      },
       async listTeams() {
-        const teams = await app._serverTeamsCache.getOrWait([app._getSession()], "write-only");
-        return teams.map((json2) => app._serverTeamFromJson(json2));
+        const teams = await app.listTeams();
+        const withMembers = await Promise.all(teams.map(async (t) => [t, await t.listMembers()]));
+        return withMembers.filter(([_, members]) => members.find((m) => m.userId === json.id)).map(([t]) => t);
       },
       useTeams() {
-        const teams = useAsyncCache(app._serverTeamsCache, [app._getSession()], "user.useTeams()");
-        return useMemo(() => teams.map((json2) => app._serverTeamFromJson(json2)), [teams]);
-      },
-      onTeamsChange(callback) {
-        return app._serverTeamsCache.onChange([app._getSession()], (value, oldValue) => {
-          callback(value.map((json2) => app._serverTeamFromJson(json2)), oldValue?.map((json2) => app._serverTeamFromJson(json2)));
-        });
+        return app._useCheckFeatureSupport("useTeams() on ServerUser", {});
       },
       async listPermissions(scope, options) {
         const permissions = await app._serverTeamUserPermissionsCache.getOrWait([scope.id, json.id, "team", !!options?.direct], "write-only");
@@ -1111,62 +1107,62 @@ var _StackServerAppImpl = class extends _StackClientAppImpl {
         const permissions = useAsyncCache(app._serverTeamUserPermissionsCache, [scope.id, json.id, "team", !!options?.direct], "user.usePermissions()");
         return useMemo(() => permissions.map((json2) => app._serverPermissionFromJson(json2)), [permissions]);
       },
-      usePermission(scope, permissionId) {
-        const permissions = this.usePermissions(scope);
-        return useMemo(() => permissions.find((p) => p.id === permissionId) ?? null, [permissions, permissionId]);
-      },
       async getPermission(scope, permissionId) {
         const permissions = await this.listPermissions(scope);
         return permissions.find((p) => p.id === permissionId) ?? null;
       },
+      usePermission(scope, permissionId) {
+        const permissions = this.usePermissions(scope);
+        return useMemo(() => permissions.find((p) => p.id === permissionId) ?? null, [permissions, permissionId]);
+      },
       async hasPermission(scope, permissionId) {
-        const permissions = await this.listPermissions(scope);
-        return permissions.some((p) => p.id === permissionId);
+        return await this.getPermission(scope, permissionId) !== null;
       },
-      toJson() {
-        return json;
+      async grantPermission(scope, permissionId) {
+        await app._interface.grantTeamUserPermission(scope.id, json.id, permissionId, "team");
+        for (const direct of [true, false]) {
+          await app._serverTeamUserPermissionsCache.refresh([scope.id, json.id, "team", direct]);
+        }
+      },
+      async revokePermission(scope, permissionId) {
+        await app._interface.revokeTeamUserPermission(scope.id, json.id, permissionId, "team");
+        for (const direct of [true, false]) {
+          await app._serverTeamUserPermissionsCache.refresh([scope.id, json.id, "team", direct]);
+        }
+      },
+      async delete() {
+        const res = await app._interface.deleteServerUser(json.id);
+        await app._refreshUsers();
+        return res;
+      },
+      async update(update) {
+        const res = await app._interface.setServerUserCustomizableData(json.id, update);
+        await app._refreshUsers();
+        return res;
+      },
+      async sendVerificationEmail() {
+        return await app._checkFeatureSupport("sendVerificationEmail() on ServerUser", {});
+      },
+      async updatePassword(options) {
+        return await app._checkFeatureSupport("updatePassword() on ServerUser", {});
       }
     };
   }
-  _currentServerUserFromJson(json, session) {
-    if (json === null)
-      return null;
+  _createUser(json) {
+    return {
+      ...this._createBaseUser(json),
+      ...this._createUserExtra(json)
+    };
+  }
+  _createCurrentUser(json, session) {
     const app = this;
-    const nonCurrentServerUser = this._serverUserFromJson(json);
     const currentUser = {
-      ...nonCurrentServerUser,
-      ...this._authFromJson(session),
-      async delete() {
-        const res = await nonCurrentServerUser.delete();
-        await app._refreshUser(session);
-        return res;
-      },
-      getClientUser() {
-        return app._currentUserFromJson(json, session);
-      }
+      ...this._createUser(json),
+      ...this._createAuth(session),
+      ...this._isInternalProject() ? this._createInternalUserExtra(session) : {}
     };
-    if (this._isInternalProject()) {
-      const internalUser = {
-        ...currentUser,
-        createProject(newProject) {
-          return app._createProject(newProject);
-        },
-        listOwnedProjects() {
-          return app._listOwnedProjects();
-        },
-        useOwnedProjects() {
-          return app._useOwnedProjects();
-        },
-        onOwnedProjectsChange(callback) {
-          return app._onOwnedProjectsChange(callback);
-        }
-      };
-      Object.freeze(internalUser);
-      return internalUser;
-    } else {
-      Object.freeze(currentUser);
-      return currentUser;
-    }
+    Object.freeze(currentUser);
+    return currentUser;
   }
   _serverTeamMemberFromJson(json) {
     if (json === null)
@@ -1174,12 +1170,7 @@ var _StackServerAppImpl = class extends _StackClientAppImpl {
     const app = this;
     return {
       ...app._teamMemberFromJson(json),
-      async getUser() {
-        const user = app._serverUserFromJson(await app._serverUserCache.getOrWait([json.userId], "write-only"));
-        if (!user)
-          throw new Error(`User ${json.userId} not found`);
-        return user;
-      }
+      user: app._createUser(json.user)
     };
   }
   _serverTeamFromJson(json) {
@@ -1222,49 +1213,75 @@ var _StackServerAppImpl = class extends _StackClientAppImpl {
       }
     };
   }
-  async getServerUser() {
-    this._ensurePersistentTokenStore();
-    const session = this._getSession();
+  async getUser(options) {
+    this._ensurePersistentTokenStore(options?.tokenStore);
+    const session = this._getSession(options?.tokenStore);
     const userJson = await this._currentServerUserCache.getOrWait([session], "write-only");
-    return this._currentServerUserFromJson(userJson, session);
+    if (userJson === null) {
+      switch (options?.or) {
+        case "redirect": {
+          await this.redirectToSignIn();
+          break;
+        }
+        case "throw": {
+          throw new Error("User is not signed in but getUser was called with { or: 'throw' }");
+        }
+        default: {
+          return null;
+        }
+      }
+    }
+    return userJson && this._createCurrentUser(userJson, session);
+  }
+  async getServerUser() {
+    console.warn("stackServerApp.getServerUser is deprecated; use stackServerApp.getUser instead");
+    return await this.getUser();
   }
   async getServerUserById(userId) {
     const json = await this._serverUserCache.getOrWait([userId], "write-only");
-    return this._serverUserFromJson(json);
+    return json && this._createUser(json);
   }
-  useServerUser(options) {
-    this._ensurePersistentTokenStore();
-    const session = this._getSession();
-    const userJson = useAsyncCache(this._currentServerUserCache, [session], "useServerUser()");
-    return useMemo(() => {
-      if (options?.required && userJson === null) {
-        use(this.redirectToSignIn());
+  useUser(options) {
+    this._ensurePersistentTokenStore(options?.tokenStore);
+    const router = NextNavigation.useRouter();
+    const session = this._getSession(options?.tokenStore);
+    const userJson = useAsyncCache(this._currentServerUserCache, [session], "useUser()");
+    const triggerRedirectToSignIn = useTrigger(() => router.replace(this.urls.signIn));
+    if (userJson === null) {
+      switch (options?.or) {
+        case "redirect": {
+          triggerRedirectToSignIn();
+          suspend();
+          throw new StackAssertionError("suspend should never return");
+        }
+        case "throw": {
+          throw new Error("User is not signed in but useUser was called with { or: 'throw' }");
+        }
+        case void 0:
+        case "return-null": {
+        }
       }
-      return this._currentServerUserFromJson(userJson, session);
-    }, [userJson, session, options?.required]);
+    }
+    return useMemo(() => {
+      return userJson && this._createCurrentUser(userJson, session);
+    }, [userJson, session, options?.or]);
   }
-  onServerUserChange(callback) {
-    this._ensurePersistentTokenStore();
-    const session = this._getSession();
-    return this._currentServerUserCache.onChange([session], (userJson) => {
-      callback(this._currentServerUserFromJson(userJson, session));
-    });
+  useUserById(userId) {
+    const json = useAsyncCache(this._serverUserCache, [userId], "useUserById()");
+    return useMemo(() => {
+      return json && this._createUser(json);
+    }, [json]);
   }
-  async listServerUsers() {
+  async listUsers() {
     const json = await this._serverUsersCache.getOrWait([], "write-only");
-    return json.map((j) => this._serverUserFromJson(j));
+    return json.map((j) => this._createUser(j));
   }
-  useServerUsers() {
+  useUsers() {
     const json = useAsyncCache(this._serverUsersCache, [], "useServerUsers()");
     return useMemo(() => {
-      return json.map((j) => this._serverUserFromJson(j));
+      return json.map((j) => this._createUser(j));
     }, [json]);
   }
-  onServerUsersChange(callback) {
-    return this._serverUsersCache.onChange([], (users) => {
-      callback(users.map((j) => this._serverUserFromJson(j)));
-    });
-  }
   async listPermissionDefinitions() {
     return await this._serverTeamPermissionDefinitionsCache.getOrWait([], "write-only");
   }
@@ -1426,15 +1443,6 @@ var _StackAdminAppImpl = class extends _StackServerAppImpl {
       () => this._refreshProject()
     ), [json]);
   }
-  onProjectAdminChange(callback) {
-    return this._adminProjectCache.onChange([], (project) => {
-      callback(this._projectAdminFromJson(
-        project,
-        this._interface,
-        () => this._refreshProject()
-      ));
-    });
-  }
   async listApiKeySets() {
     const json = await this._apiKeySetsCache.getOrWait([], "write-only");
     return json.map((j) => this._createApiKeySetFromJson(j));
@@ -1445,11 +1453,6 @@ var _StackAdminAppImpl = class extends _StackServerAppImpl {
       return json.map((j) => this._createApiKeySetFromJson(j));
     }, [json]);
   }
-  onApiKeySetsChange(callback) {
-    return this._apiKeySetsCache.onChange([], (apiKeySets) => {
-      callback(apiKeySets.map((j) => this._createApiKeySetFromJson(j)));
-    });
-  }
   async createApiKeySet(options) {
     const json = await this._interface.createApiKeySet(options);
     await this._refreshApiKeySets();