@stackframe/stack 2.5.35 → 2.6.0

package/dist/esm/lib/auth.js

@@ -2,6 +2,7 @@
 import { KnownError } from "@stackframe/stack-shared";
 import { StackAssertionError, captureError, throwErr } from "@stackframe/stack-shared/dist/utils/errors";
 import { neverResolve } from "@stackframe/stack-shared/dist/utils/promises";
+import { Result } from "@stackframe/stack-shared/dist/utils/results";
 import { deindent } from "@stackframe/stack-shared/dist/utils/strings";
 import { constructRedirectUrl } from "../utils/url";
 import { consumeVerifierAndStateCookie, saveVerifierAndState } from "./cookie";
@@ -71,14 +72,14 @@ function consumeOAuthCallbackQueryParams() {
 }
 async function callOAuthCallback(iface, redirectUrl) {
   const consumed = consumeOAuthCallbackQueryParams();
-  if (!consumed) return null;
+  if (!consumed) return Result.ok(void 0);
   try {
-    return await iface.callOAuthCallback({
+    return Result.ok(await iface.callOAuthCallback({
       oauthParams: consumed.originalUrl.searchParams,
       redirectUri: constructRedirectUrl(redirectUrl),
       codeVerifier: consumed.codeVerifier,
       state: consumed.state
-    });
+    }));
   } catch (e) {
     if (e instanceof KnownError) {
       throw e;

package/dist/esm/lib/auth.js.map

@@ -1 +1 @@
-{"version":3,"sources":["../../../src/lib/auth.ts"],"sourcesContent":["import { KnownError, StackClientInterface } from \"@stackframe/stack-shared\";\nimport { InternalSession } from \"@stackframe/stack-shared/dist/sessions\";\nimport { StackAssertionError, captureError, throwErr } from \"@stackframe/stack-shared/dist/utils/errors\";\nimport { neverResolve } from \"@stackframe/stack-shared/dist/utils/promises\";\nimport { deindent } from \"@stackframe/stack-shared/dist/utils/strings\";\nimport { constructRedirectUrl } from \"../utils/url\";\nimport { consumeVerifierAndStateCookie, saveVerifierAndState } from \"./cookie\";\n\nexport async function signInWithOAuth(\n  iface: StackClientInterface,\n  options: {\n    provider: string,\n    redirectUrl: string,\n    errorRedirectUrl: string,\n    providerScope?: string,\n  }\n) {\n  const { codeChallenge, state } = await saveVerifierAndState();\n  const location = await iface.getOAuthUrl({\n    provider: options.provider,\n    redirectUrl: constructRedirectUrl(options.redirectUrl),\n    errorRedirectUrl: constructRedirectUrl(options.errorRedirectUrl),\n    codeChallenge,\n    state,\n    type: \"authenticate\",\n    providerScope: options.providerScope,\n  });\n  window.location.assign(location);\n  await neverResolve();\n}\n\nexport async function addNewOAuthProviderOrScope(\n  iface: StackClientInterface,\n  options: {\n    provider: string,\n    redirectUrl: string,\n    errorRedirectUrl: string,\n    providerScope?: string,\n  },\n  session: InternalSession,\n) {\n  const { codeChallenge, state } = await saveVerifierAndState();\n  const location = await iface.getOAuthUrl({\n    provider: options.provider,\n    redirectUrl: constructRedirectUrl(options.redirectUrl),\n    errorRedirectUrl: constructRedirectUrl(options.errorRedirectUrl),\n    afterCallbackRedirectUrl: constructRedirectUrl(window.location.href),\n    codeChallenge,\n    state,\n    type: \"link\",\n    session,\n    providerScope: options.providerScope,\n  });\n  window.location.assign(location);\n  await neverResolve();\n}\n\n/**\n * Checks if the current URL has the query parameters for an OAuth callback, and if so, removes them.\n *\n * Must be synchronous for the logic in callOAuthCallback to work without race conditions.\n */\nfunction consumeOAuthCallbackQueryParams() {\n  const requiredParams = [\"code\", \"state\"];\n  const originalUrl = new URL(window.location.href);\n  for (const param of requiredParams) {\n    if (!originalUrl.searchParams.has(param)) {\n      captureError(\"consumeOAuthCallbackQueryParams\", new Error(`Missing required query parameter on OAuth callback: ${param}`));\n      return null;\n    }\n  }\n\n  const expectedState = originalUrl.searchParams.get(\"state\") ?? throwErr(\"This should never happen; isn't state required above?\");\n  const cookieResult = consumeVerifierAndStateCookie(expectedState);\n\n  if (!cookieResult) {\n    // If the state can't be found in the cookies, then the callback wasn't meant for us.\n    // Maybe the website uses another OAuth library?\n    captureError(\"consumeOAuthCallbackQueryParams\", new Error(deindent`\n      Stack found an outer OAuth callback state in the query parameters, but not in cookies.\n      \n      This could have multiple reasons:\n        - The cookie expired, because the OAuth flow took too long.\n        - The user's browser deleted the cookie, either manually or because of a very strict cookie policy.\n        - The cookie was already consumed by this page, and the user already logged in.\n        - You are using another OAuth client library with the same callback URL as Stack.\n    `));\n    return null;\n  }\n\n\n  const newUrl = new URL(originalUrl);\n  for (const param of requiredParams) {\n    newUrl.searchParams.delete(param);\n  }\n\n  // let's get rid of the authorization code in the history as we\n  // don't redirect to `redirectUrl` if there's a validation error\n  // (as the redirectUrl might be malicious!).\n  //\n  // We use history.replaceState instead of location.assign(...) to\n  // prevent an unnecessary reload\n  window.history.replaceState({}, \"\", newUrl.toString());\n\n  return {\n    originalUrl,\n    codeVerifier: cookieResult.codeVerifier,\n    state: expectedState,\n  };\n}\n\nexport async function callOAuthCallback(\n  iface: StackClientInterface,\n  redirectUrl: string,\n) {\n  // note: this part of the function (until the return) needs\n  // to be synchronous, to prevent race conditions when\n  // callOAuthCallback is called multiple times in parallel\n  const consumed = consumeOAuthCallbackQueryParams();\n  if (!consumed) return null;\n\n  // the rest can be asynchronous (we now know that we are the\n  // intended recipient of the callback, and the only instance\n  // of callOAuthCallback that's running)\n  try {\n    return await iface.callOAuthCallback({\n      oauthParams: consumed.originalUrl.searchParams,\n      redirectUri: constructRedirectUrl(redirectUrl),\n      codeVerifier: consumed.codeVerifier,\n      state: consumed.state,\n    });\n  } catch (e) {\n    if (e instanceof KnownError) {\n      throw e;\n    }\n    throw new StackAssertionError(\"Error signing in during OAuth callback. Please try again.\", { cause: e });\n  }\n}\n"],"mappings":";AAAA,SAAS,kBAAwC;AAEjD,SAAS,qBAAqB,cAAc,gBAAgB;AAC5D,SAAS,oBAAoB;AAC7B,SAAS,gBAAgB;AACzB,SAAS,4BAA4B;AACrC,SAAS,+BAA+B,4BAA4B;AAEpE,eAAsB,gBACpB,OACA,SAMA;AACA,QAAM,EAAE,eAAe,MAAM,IAAI,MAAM,qBAAqB;AAC5D,QAAM,WAAW,MAAM,MAAM,YAAY;AAAA,IACvC,UAAU,QAAQ;AAAA,IAClB,aAAa,qBAAqB,QAAQ,WAAW;AAAA,IACrD,kBAAkB,qBAAqB,QAAQ,gBAAgB;AAAA,IAC/D;AAAA,IACA;AAAA,IACA,MAAM;AAAA,IACN,eAAe,QAAQ;AAAA,EACzB,CAAC;AACD,SAAO,SAAS,OAAO,QAAQ;AAC/B,QAAM,aAAa;AACrB;AAEA,eAAsB,2BACpB,OACA,SAMA,SACA;AACA,QAAM,EAAE,eAAe,MAAM,IAAI,MAAM,qBAAqB;AAC5D,QAAM,WAAW,MAAM,MAAM,YAAY;AAAA,IACvC,UAAU,QAAQ;AAAA,IAClB,aAAa,qBAAqB,QAAQ,WAAW;AAAA,IACrD,kBAAkB,qBAAqB,QAAQ,gBAAgB;AAAA,IAC/D,0BAA0B,qBAAqB,OAAO,SAAS,IAAI;AAAA,IACnE;AAAA,IACA;AAAA,IACA,MAAM;AAAA,IACN;AAAA,IACA,eAAe,QAAQ;AAAA,EACzB,CAAC;AACD,SAAO,SAAS,OAAO,QAAQ;AAC/B,QAAM,aAAa;AACrB;AAOA,SAAS,kCAAkC;AACzC,QAAM,iBAAiB,CAAC,QAAQ,OAAO;AACvC,QAAM,cAAc,IAAI,IAAI,OAAO,SAAS,IAAI;AAChD,aAAW,SAAS,gBAAgB;AAClC,QAAI,CAAC,YAAY,aAAa,IAAI,KAAK,GAAG;AACxC,mBAAa,mCAAmC,IAAI,MAAM,uDAAuD,KAAK,EAAE,CAAC;AACzH,aAAO;AAAA,IACT;AAAA,EACF;AAEA,QAAM,gBAAgB,YAAY,aAAa,IAAI,OAAO,KAAK,SAAS,uDAAuD;AAC/H,QAAM,eAAe,8BAA8B,aAAa;AAEhE,MAAI,CAAC,cAAc;AAGjB,iBAAa,mCAAmC,IAAI,MAAM;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,KAQzD,CAAC;AACF,WAAO;AAAA,EACT;AAGA,QAAM,SAAS,IAAI,IAAI,WAAW;AAClC,aAAW,SAAS,gBAAgB;AAClC,WAAO,aAAa,OAAO,KAAK;AAAA,EAClC;AAQA,SAAO,QAAQ,aAAa,CAAC,GAAG,IAAI,OAAO,SAAS,CAAC;AAErD,SAAO;AAAA,IACL;AAAA,IACA,cAAc,aAAa;AAAA,IAC3B,OAAO;AAAA,EACT;AACF;AAEA,eAAsB,kBACpB,OACA,aACA;AAIA,QAAM,WAAW,gCAAgC;AACjD,MAAI,CAAC,SAAU,QAAO;AAKtB,MAAI;AACF,WAAO,MAAM,MAAM,kBAAkB;AAAA,MACnC,aAAa,SAAS,YAAY;AAAA,MAClC,aAAa,qBAAqB,WAAW;AAAA,MAC7C,cAAc,SAAS;AAAA,MACvB,OAAO,SAAS;AAAA,IAClB,CAAC;AAAA,EACH,SAAS,GAAG;AACV,QAAI,aAAa,YAAY;AAC3B,YAAM;AAAA,IACR;AACA,UAAM,IAAI,oBAAoB,6DAA6D,EAAE,OAAO,EAAE,CAAC;AAAA,EACzG;AACF;","names":[]}
+{"version":3,"sources":["../../../src/lib/auth.ts"],"sourcesContent":["import { KnownError, StackClientInterface } from \"@stackframe/stack-shared\";\nimport { InternalSession } from \"@stackframe/stack-shared/dist/sessions\";\nimport { StackAssertionError, captureError, throwErr } from \"@stackframe/stack-shared/dist/utils/errors\";\nimport { neverResolve } from \"@stackframe/stack-shared/dist/utils/promises\";\nimport { Result } from \"@stackframe/stack-shared/dist/utils/results\";\nimport { deindent } from \"@stackframe/stack-shared/dist/utils/strings\";\nimport { constructRedirectUrl } from \"../utils/url\";\nimport { consumeVerifierAndStateCookie, saveVerifierAndState } from \"./cookie\";\n\nexport async function signInWithOAuth(\n  iface: StackClientInterface,\n  options: {\n    provider: string,\n    redirectUrl: string,\n    errorRedirectUrl: string,\n    providerScope?: string,\n  }\n) {\n  const { codeChallenge, state } = await saveVerifierAndState();\n  const location = await iface.getOAuthUrl({\n    provider: options.provider,\n    redirectUrl: constructRedirectUrl(options.redirectUrl),\n    errorRedirectUrl: constructRedirectUrl(options.errorRedirectUrl),\n    codeChallenge,\n    state,\n    type: \"authenticate\",\n    providerScope: options.providerScope,\n  });\n  window.location.assign(location);\n  await neverResolve();\n}\n\nexport async function addNewOAuthProviderOrScope(\n  iface: StackClientInterface,\n  options: {\n    provider: string,\n    redirectUrl: string,\n    errorRedirectUrl: string,\n    providerScope?: string,\n  },\n  session: InternalSession,\n) {\n  const { codeChallenge, state } = await saveVerifierAndState();\n  const location = await iface.getOAuthUrl({\n    provider: options.provider,\n    redirectUrl: constructRedirectUrl(options.redirectUrl),\n    errorRedirectUrl: constructRedirectUrl(options.errorRedirectUrl),\n    afterCallbackRedirectUrl: constructRedirectUrl(window.location.href),\n    codeChallenge,\n    state,\n    type: \"link\",\n    session,\n    providerScope: options.providerScope,\n  });\n  window.location.assign(location);\n  await neverResolve();\n}\n\n/**\n * Checks if the current URL has the query parameters for an OAuth callback, and if so, removes them.\n *\n * Must be synchronous for the logic in callOAuthCallback to work without race conditions.\n */\nfunction consumeOAuthCallbackQueryParams() {\n  const requiredParams = [\"code\", \"state\"];\n  const originalUrl = new URL(window.location.href);\n  for (const param of requiredParams) {\n    if (!originalUrl.searchParams.has(param)) {\n      captureError(\"consumeOAuthCallbackQueryParams\", new Error(`Missing required query parameter on OAuth callback: ${param}`));\n      return null;\n    }\n  }\n\n  const expectedState = originalUrl.searchParams.get(\"state\") ?? throwErr(\"This should never happen; isn't state required above?\");\n  const cookieResult = consumeVerifierAndStateCookie(expectedState);\n\n  if (!cookieResult) {\n    // If the state can't be found in the cookies, then the callback wasn't meant for us.\n    // Maybe the website uses another OAuth library?\n    captureError(\"consumeOAuthCallbackQueryParams\", new Error(deindent`\n      Stack found an outer OAuth callback state in the query parameters, but not in cookies.\n      \n      This could have multiple reasons:\n        - The cookie expired, because the OAuth flow took too long.\n        - The user's browser deleted the cookie, either manually or because of a very strict cookie policy.\n        - The cookie was already consumed by this page, and the user already logged in.\n        - You are using another OAuth client library with the same callback URL as Stack.\n    `));\n    return null;\n  }\n\n\n  const newUrl = new URL(originalUrl);\n  for (const param of requiredParams) {\n    newUrl.searchParams.delete(param);\n  }\n\n  // let's get rid of the authorization code in the history as we\n  // don't redirect to `redirectUrl` if there's a validation error\n  // (as the redirectUrl might be malicious!).\n  //\n  // We use history.replaceState instead of location.assign(...) to\n  // prevent an unnecessary reload\n  window.history.replaceState({}, \"\", newUrl.toString());\n\n  return {\n    originalUrl,\n    codeVerifier: cookieResult.codeVerifier,\n    state: expectedState,\n  };\n}\n\nexport async function callOAuthCallback(\n  iface: StackClientInterface,\n  redirectUrl: string,\n) {\n  // note: this part of the function (until the return) needs\n  // to be synchronous, to prevent race conditions when\n  // callOAuthCallback is called multiple times in parallel\n  const consumed = consumeOAuthCallbackQueryParams();\n  if (!consumed) return Result.ok(undefined);\n\n  // the rest can be asynchronous (we now know that we are the\n  // intended recipient of the callback, and the only instance\n  // of callOAuthCallback that's running)\n  try {\n    return Result.ok(await iface.callOAuthCallback({\n      oauthParams: consumed.originalUrl.searchParams,\n      redirectUri: constructRedirectUrl(redirectUrl),\n      codeVerifier: consumed.codeVerifier,\n      state: consumed.state,\n    }));\n  } catch (e) {\n    if (e instanceof KnownError) {\n      throw e;\n    }\n    throw new StackAssertionError(\"Error signing in during OAuth callback. Please try again.\", { cause: e });\n  }\n}\n"],"mappings":";AAAA,SAAS,kBAAwC;AAEjD,SAAS,qBAAqB,cAAc,gBAAgB;AAC5D,SAAS,oBAAoB;AAC7B,SAAS,cAAc;AACvB,SAAS,gBAAgB;AACzB,SAAS,4BAA4B;AACrC,SAAS,+BAA+B,4BAA4B;AAEpE,eAAsB,gBACpB,OACA,SAMA;AACA,QAAM,EAAE,eAAe,MAAM,IAAI,MAAM,qBAAqB;AAC5D,QAAM,WAAW,MAAM,MAAM,YAAY;AAAA,IACvC,UAAU,QAAQ;AAAA,IAClB,aAAa,qBAAqB,QAAQ,WAAW;AAAA,IACrD,kBAAkB,qBAAqB,QAAQ,gBAAgB;AAAA,IAC/D;AAAA,IACA;AAAA,IACA,MAAM;AAAA,IACN,eAAe,QAAQ;AAAA,EACzB,CAAC;AACD,SAAO,SAAS,OAAO,QAAQ;AAC/B,QAAM,aAAa;AACrB;AAEA,eAAsB,2BACpB,OACA,SAMA,SACA;AACA,QAAM,EAAE,eAAe,MAAM,IAAI,MAAM,qBAAqB;AAC5D,QAAM,WAAW,MAAM,MAAM,YAAY;AAAA,IACvC,UAAU,QAAQ;AAAA,IAClB,aAAa,qBAAqB,QAAQ,WAAW;AAAA,IACrD,kBAAkB,qBAAqB,QAAQ,gBAAgB;AAAA,IAC/D,0BAA0B,qBAAqB,OAAO,SAAS,IAAI;AAAA,IACnE;AAAA,IACA;AAAA,IACA,MAAM;AAAA,IACN;AAAA,IACA,eAAe,QAAQ;AAAA,EACzB,CAAC;AACD,SAAO,SAAS,OAAO,QAAQ;AAC/B,QAAM,aAAa;AACrB;AAOA,SAAS,kCAAkC;AACzC,QAAM,iBAAiB,CAAC,QAAQ,OAAO;AACvC,QAAM,cAAc,IAAI,IAAI,OAAO,SAAS,IAAI;AAChD,aAAW,SAAS,gBAAgB;AAClC,QAAI,CAAC,YAAY,aAAa,IAAI,KAAK,GAAG;AACxC,mBAAa,mCAAmC,IAAI,MAAM,uDAAuD,KAAK,EAAE,CAAC;AACzH,aAAO;AAAA,IACT;AAAA,EACF;AAEA,QAAM,gBAAgB,YAAY,aAAa,IAAI,OAAO,KAAK,SAAS,uDAAuD;AAC/H,QAAM,eAAe,8BAA8B,aAAa;AAEhE,MAAI,CAAC,cAAc;AAGjB,iBAAa,mCAAmC,IAAI,MAAM;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,KAQzD,CAAC;AACF,WAAO;AAAA,EACT;AAGA,QAAM,SAAS,IAAI,IAAI,WAAW;AAClC,aAAW,SAAS,gBAAgB;AAClC,WAAO,aAAa,OAAO,KAAK;AAAA,EAClC;AAQA,SAAO,QAAQ,aAAa,CAAC,GAAG,IAAI,OAAO,SAAS,CAAC;AAErD,SAAO;AAAA,IACL;AAAA,IACA,cAAc,aAAa;AAAA,IAC3B,OAAO;AAAA,EACT;AACF;AAEA,eAAsB,kBACpB,OACA,aACA;AAIA,QAAM,WAAW,gCAAgC;AACjD,MAAI,CAAC,SAAU,QAAO,OAAO,GAAG,MAAS;AAKzC,MAAI;AACF,WAAO,OAAO,GAAG,MAAM,MAAM,kBAAkB;AAAA,MAC7C,aAAa,SAAS,YAAY;AAAA,MAClC,aAAa,qBAAqB,WAAW;AAAA,MAC7C,cAAc,SAAS;AAAA,MACvB,OAAO,SAAS;AAAA,IAClB,CAAC,CAAC;AAAA,EACJ,SAAS,GAAG;AACV,QAAI,aAAa,YAAY;AAC3B,YAAM;AAAA,IACR;AACA,UAAM,IAAI,oBAAoB,6DAA6D,EAAE,OAAO,EAAE,CAAC;AAAA,EACzG;AACF;","names":[]}

package/dist/esm/lib/stack-app.js

@@ -1,6 +1,6 @@
 // src/lib/stack-app.ts
 import { isReactServer } from "@stackframe/stack-sc";
-import { KnownError, KnownErrors, StackAdminInterface, StackClientInterface, StackServerInterface } from "@stackframe/stack-shared";
+import { KnownErrors, StackAdminInterface, StackClientInterface, StackServerInterface } from "@stackframe/stack-shared";
 import { getProductionModeErrors } from "@stackframe/stack-shared/dist/helpers/production-mode";
 import { InternalSession } from "@stackframe/stack-shared/dist/sessions";
 import { encodeBase64 } from "@stackframe/stack-shared/dist/utils/bytes";
@@ -24,7 +24,7 @@ import { constructRedirectUrl } from "../utils/url";
 import { addNewOAuthProviderOrScope, callOAuthCallback, signInWithOAuth } from "./auth";
 import { deleteCookie, getCookie, setOrDeleteCookie } from "./cookie";
 var NextNavigation = scrambleDuringCompileTime(NextNavigationUnscrambled);
-var clientVersion = "js @stackframe/stack@2.5.35";
+var clientVersion = "js @stackframe/stack@2.6.0";
 function getUrls(partial) {
   const handler = partial.handler ?? "/handler";
   const home = partial.home ?? "/";
@@ -499,6 +499,7 @@ var _StackClientAppImpl = class __StackClientAppImpl {
         credentialEnabled: crud.config.credential_enabled,
         magicLinkEnabled: crud.config.magic_link_enabled,
         clientTeamCreationEnabled: crud.config.client_team_creation_enabled,
+        clientUserDeletionEnabled: crud.config.client_user_deletion_enabled,
         oauthProviders: crud.config.enabled_oauth_providers.map((p) => ({
           id: p.id
         }))
@@ -525,6 +526,8 @@ var _StackClientAppImpl = class __StackClientAppImpl {
       id: crud.id,
       displayName: crud.display_name,
       profileImageUrl: crud.profile_image_url,
+      clientMetadata: crud.client_metadata,
+      clientReadOnlyMetadata: crud.client_read_only_metadata,
       async inviteUser(options) {
         return await app._interface.sendTeamInvitation({
           teamId: crud.id,
@@ -703,6 +706,10 @@ var _StackClientAppImpl = class __StackClientAppImpl {
       useTeamProfile(team) {
         const result = useAsyncCache(app._currentUserTeamProfileCache, [session, team.id], "user.useTeamProfile()");
         return app._editableTeamProfileFromCrud(result);
+      },
+      async delete() {
+        await app._interface.deleteCurrentUser(session);
+        session.markInvalid();
       }
     };
   }
@@ -841,32 +848,24 @@ var _StackClientAppImpl = class __StackClientAppImpl {
   }
   async sendForgotPasswordEmail(email) {
     const redirectUrl = constructRedirectUrl(this.urls.passwordReset);
-    const error = await this._interface.sendForgotPasswordEmail(email, redirectUrl);
-    return error;
+    return await this._interface.sendForgotPasswordEmail(email, redirectUrl);
   }
   async sendMagicLinkEmail(email) {
     const magicLinkRedirectUrl = constructRedirectUrl(this.urls.magicLinkCallback);
-    const error = await this._interface.sendMagicLinkEmail(email, magicLinkRedirectUrl);
-    return error;
+    return await this._interface.sendMagicLinkEmail(email, magicLinkRedirectUrl);
   }
   async resetPassword(options) {
-    const error = await this._interface.resetPassword(options);
-    return error;
+    return await this._interface.resetPassword(options);
   }
   async verifyPasswordResetCode(code) {
     return await this._interface.verifyPasswordResetCode(code);
   }
   async verifyTeamInvitationCode(code) {
-    const result = await this._interface.acceptTeamInvitation({
+    return await this._interface.acceptTeamInvitation({
       type: "check",
       code,
       session: this._getSession()
     });
-    if (result.status === "ok") {
-      return Result.ok(void 0);
-    } else {
-      return Result.error(result.error);
-    }
   }
   async acceptTeamInvitation(code) {
     const result = await this._interface.acceptTeamInvitation({
@@ -980,7 +979,7 @@ var _StackClientAppImpl = class __StackClientAppImpl {
       return await callback();
     } catch (e) {
       if (e instanceof KnownErrors.MultiFactorAuthenticationRequired) {
-        return await this._experimentalMfa(e, this._getSession());
+        return Result.ok(await this._experimentalMfa(e, this._getSession()));
       }
       throw e;
     }
@@ -995,19 +994,19 @@ var _StackClientAppImpl = class __StackClientAppImpl {
       });
     } catch (e) {
       if (e instanceof KnownErrors.InvalidTotpCode) {
-        return e;
+        return Result.error(e);
       }
       throw e;
     }
-    if (!(result instanceof KnownError)) {
-      await this._signInToAccountWithTokens(result);
+    if (result.status === "ok") {
+      await this._signInToAccountWithTokens(result.data);
       if (!options.noRedirect) {
-        return await this.redirectToAfterSignIn({ replace: true });
-      } else {
-        return;
+        await this.redirectToAfterSignIn({ replace: true });
       }
+      return Result.ok(void 0);
+    } else {
+      return Result.error(result.error);
     }
-    return result;
   }
   async signUpWithCredential(options) {
     this._ensurePersistentTokenStore();
@@ -1019,15 +1018,15 @@ var _StackClientAppImpl = class __StackClientAppImpl {
       emailVerificationRedirectUrl,
       session
     );
-    if (!(result instanceof KnownError)) {
-      await this._signInToAccountWithTokens(result);
+    if (result.status === "ok") {
+      await this._signInToAccountWithTokens(result.data);
       if (!options.noRedirect) {
-        return await this.redirectToAfterSignUp({ replace: true });
-      } else {
-        return;
+        await this.redirectToAfterSignUp({ replace: true });
       }
+      return Result.ok(void 0);
+    } else {
+      return Result.error(result.error);
     }
-    return result;
   }
   async signInWithMagicLink(code) {
     this._ensurePersistentTokenStore();
@@ -1038,18 +1037,20 @@ var _StackClientAppImpl = class __StackClientAppImpl {
       });
     } catch (e) {
       if (e instanceof KnownErrors.InvalidTotpCode) {
-        return e;
+        return Result.error(e);
       }
       throw e;
     }
-    if (result instanceof KnownError) {
-      return result;
-    }
-    await this._signInToAccountWithTokens(result);
-    if (result.newUser) {
-      await this.redirectToAfterSignUp({ replace: true });
+    if (result.status === "ok") {
+      await this._signInToAccountWithTokens(result.data);
+      if (result.data.newUser) {
+        await this.redirectToAfterSignUp({ replace: true });
+      } else {
+        await this.redirectToAfterSignIn({ replace: true });
+      }
+      return Result.ok(void 0);
     } else {
-      await this.redirectToAfterSignIn({ replace: true });
+      return Result.error(result.error);
     }
   }
   async callOAuthCallback() {
@@ -1065,13 +1066,12 @@ var _StackClientAppImpl = class __StackClientAppImpl {
       }
       throw e;
     }
-    if (result) {
-      console.log("OAuth callback result", result);
-      await this._signInToAccountWithTokens(result);
-      if ("afterCallbackRedirectUrl" in result && result.afterCallbackRedirectUrl) {
-        await _redirectTo(result.afterCallbackRedirectUrl, { replace: true });
+    if (result.status === "ok" && result.data) {
+      await this._signInToAccountWithTokens(result.data);
+      if ("afterCallbackRedirectUrl" in result.data && result.data.afterCallbackRedirectUrl) {
+        await _redirectTo(result.data.afterCallbackRedirectUrl, { replace: true });
         return true;
-      } else if (result.newUser) {
+      } else if (result.data.newUser) {
         await this.redirectToAfterSignUp({ replace: true });
         return true;
       } else {
@@ -1391,7 +1391,7 @@ var _StackServerAppImpl = class extends _StackClientAppImpl {
         return await app._checkFeatureSupport("sendVerificationEmail() on ServerUser", {});
       },
       async updatePassword(options) {
-        return await app._checkFeatureSupport("updatePassword() on ServerUser", {});
+        return await this.update({ password: options.newPassword });
       },
       async getTeamProfile(team) {
         const result = await app._serverUserTeamProfileCache.getOrWait([team.id, crud.id], "write-only");
@@ -1429,6 +1429,9 @@ var _StackServerAppImpl = class extends _StackClientAppImpl {
       displayName: crud.display_name,
       profileImageUrl: crud.profile_image_url,
       createdAt: new Date(crud.created_at_millis),
+      clientMetadata: crud.client_metadata,
+      clientReadOnlyMetadata: crud.client_read_only_metadata,
+      serverMetadata: crud.server_metadata,
       async update(update) {
         await app._interface.updateServerTeam(crud.id, serverTeamUpdateOptionsToCrud(update));
         await app._serverTeamsCache.refresh([void 0]);
@@ -1665,6 +1668,7 @@ var _StackAdminAppImpl = class extends _StackServerAppImpl {
         credentialEnabled: data.config.credential_enabled,
         magicLinkEnabled: data.config.magic_link_enabled,
         clientTeamCreationEnabled: data.config.client_team_creation_enabled,
+        clientUserDeletionEnabled: data.config.client_user_deletion_enabled,
         allowLocalhost: data.config.allow_localhost,
         oauthProviders: data.config.oauth_providers.map((p) => p.type === "shared" ? {
           id: p.id,
@@ -1914,6 +1918,7 @@ function adminProjectUpdateOptionsToCrud(options) {
       allow_localhost: options.config?.allowLocalhost,
       create_team_on_sign_up: options.config?.createTeamOnSignUp,
       client_team_creation_enabled: options.config?.clientTeamCreationEnabled,
+      client_user_deletion_enabled: options.config?.clientUserDeletionEnabled,
       team_creator_default_permissions: options.config?.teamCreatorDefaultPermissions,
       team_member_default_permissions: options.config?.teamMemberDefaultPermissions
     }
@@ -1937,7 +1942,8 @@ function apiKeyCreateOptionsToCrud(options) {
 function teamUpdateOptionsToCrud(options) {
   return {
     display_name: options.displayName,
-    profile_image_url: options.profileImageUrl
+    profile_image_url: options.profileImageUrl,
+    client_metadata: options.clientMetadata
   };
 }
 function teamCreateOptionsToCrud(options) {
@@ -1952,7 +1958,10 @@ function serverTeamCreateOptionsToCrud(options) {
 function serverTeamUpdateOptionsToCrud(options) {
   return {
     display_name: options.displayName,
-    profile_image_url: options.profileImageUrl
+    profile_image_url: options.profileImageUrl,
+    client_metadata: options.clientMetadata,
+    client_read_only_metadata: options.clientReadOnlyMetadata,
+    server_metadata: options.serverMetadata
   };
 }
 function serverTeamPermissionDefinitionCreateOptionsToCrud(options) {