@stackframe/stack 2.8.47 → 2.8.49

package/dist/esm/lib/stack-app/apps/implementations/client-app-impl.js

@@ -2,6 +2,7 @@
 import { WebAuthnError, startAuthentication, startRegistration } from "@simplewebauthn/browser";
 import { KnownErrors, StackClientInterface } from "@stackframe/stack-shared";
 import { InternalSession } from "@stackframe/stack-shared/dist/sessions";
+import { encodeBase32 } from "@stackframe/stack-shared/dist/utils/bytes";
 import { scrambleDuringCompileTime } from "@stackframe/stack-shared/dist/utils/compile-time";
 import { isBrowserLike } from "@stackframe/stack-shared/dist/utils/env";
 import { StackAssertionError, captureError, throwErr } from "@stackframe/stack-shared/dist/utils/errors";
@@ -19,7 +20,7 @@ import * as NextNavigationUnscrambled from "next/navigation";
 import React, { useCallback, useMemo } from "react";
 import { constructRedirectUrl } from "../../../../utils/url.js";
 import { addNewOAuthProviderOrScope, callOAuthCallback, signInWithOAuth } from "../../../auth.js";
-import { createBrowserCookieHelper, createCookieHelper, createPlaceholderCookieHelper, deleteCookieClient, getCookieClient, setOrDeleteCookie, setOrDeleteCookieClient } from "../../../cookie.js";
+import { createBrowserCookieHelper, createCookieHelper, createPlaceholderCookieHelper, deleteCookieClient, isSecure as isSecureCookieContext, setOrDeleteCookie, setOrDeleteCookieClient } from "../../../cookie.js";
 import { apiKeyCreationOptionsToCrud } from "../../api-keys/index.js";
 import { stackAppInternalsSymbol } from "../../common.js";
 import { contactChannelCreateOptionsToCrud, contactChannelUpdateOptionsToCrud } from "../../contact-channels/index.js";
@@ -27,6 +28,7 @@ import { adminProjectCreateOptionsToCrud } from "../../projects/index.js";
 import { teamCreateOptionsToCrud, teamUpdateOptionsToCrud } from "../../teams/index.js";
 import { attachUserDestructureGuard, userUpdateOptionsToCrud } from "../../users/index.js";
 import { clientVersion, createCache, createCacheBySession, createEmptyTokenStore, getBaseUrl, getDefaultExtraRequestHeaders, getDefaultProjectId, getDefaultPublishableClientKey, getUrls, resolveConstructorOptions } from "./common.js";
+import { parseJson } from "@stackframe/stack-shared/dist/utils/json";
 import { useAsyncCache } from "./common.js";
 import * as sc from "@stackframe/stack-sc";
 import { cookies } from "@stackframe/stack-sc";
@@ -180,11 +182,15 @@ var __StackClientAppImplIncomplete = class __StackClientAppImplIncomplete {
     this._convexPartialUserCache = createCache(
       async ([ctx]) => await this._getPartialUserFromConvex(ctx)
     );
+    this._trustedParentDomainCache = createCache(
+      async ([domain]) => await this._getTrustedParentDomain(domain)
+    );
     this._anonymousSignUpInProgress = null;
     this._memoryTokenStore = createEmptyTokenStore();
     this._nextServerCookiesTokenStores = /* @__PURE__ */ new WeakMap();
     this._requestTokenStores = /* @__PURE__ */ new WeakMap();
     this._storedBrowserCookieTokenStore = null;
+    this._mostRecentQueuedCookieRefreshIndex = 0;
     /**
      * A map from token stores and session keys to sessions.
      *
@@ -309,13 +315,90 @@ var __StackClientAppImplIncomplete = class __StackClientAppImplIncomplete {
     runAsynchronously(this._checkFeatureSupport(name, options));
     throw new StackAssertionError(`${name} is not currently supported. Please reach out to Stack support for more information.`);
   }
+  get _legacyRefreshTokenCookieName() {
+    return `stack-refresh-${this.projectId}`;
+  }
   get _refreshTokenCookieName() {
     return `stack-refresh-${this.projectId}`;
   }
+  _getRefreshTokenDefaultCookieNameForSecure(secure) {
+    return `${secure ? "__Host-" : ""}${this._refreshTokenCookieName}--default`;
+  }
+  _getCustomRefreshCookieName(domain) {
+    const encoded = encodeBase32(new TextEncoder().encode(domain.toLowerCase()));
+    return `${this._refreshTokenCookieName}--custom-${encoded}`;
+  }
+  _formatRefreshCookieValue(refreshToken, updatedAt) {
+    return JSON.stringify({
+      refresh_token: refreshToken,
+      updated_at_millis: updatedAt
+    });
+  }
+  _formatAccessCookieValue(refreshToken, accessToken) {
+    return refreshToken && accessToken ? JSON.stringify([refreshToken, accessToken]) : null;
+  }
+  _parseStructuredRefreshCookie(value) {
+    if (!value) {
+      return null;
+    }
+    const parsed = parseJson(value);
+    if (parsed.status !== "ok" || typeof parsed.data !== "object" || parsed.data === null) {
+      console.warn("Failed to parse structured refresh cookie");
+      return null;
+    }
+    const data = parsed.data;
+    const refreshToken = "refresh_token" in data && typeof data.refresh_token === "string" ? data.refresh_token : null;
+    const updatedAt = "updated_at_millis" in data && typeof data.updated_at_millis === "number" ? data.updated_at_millis : null;
+    if (!refreshToken) {
+      console.warn("Refresh token not found in structured refresh cookie");
+      return null;
+    }
+    return {
+      refreshToken,
+      updatedAt
+    };
+  }
+  _extractRefreshTokenFromCookieMap(cookies2) {
+    const { legacyNames, structuredPrefixes } = this._getRefreshTokenCookieNamePatterns();
+    for (const name of legacyNames) {
+      const value = cookies2[name];
+      if (value) {
+        return { refreshToken: value, updatedAt: null };
+      }
+    }
+    let selected = null;
+    for (const [name, value] of Object.entries(cookies2)) {
+      if (!structuredPrefixes.some((prefix) => name.startsWith(prefix))) continue;
+      const parsed = this._parseStructuredRefreshCookie(value);
+      if (!parsed) continue;
+      const candidateUpdatedAt = parsed.updatedAt ?? Number.NEGATIVE_INFINITY;
+      const selectedUpdatedAt = selected?.updatedAt ?? Number.NEGATIVE_INFINITY;
+      if (!selected || candidateUpdatedAt > selectedUpdatedAt) {
+        selected = parsed;
+      }
+    }
+    if (!selected) {
+      return { refreshToken: null, updatedAt: null };
+    }
+    return {
+      refreshToken: selected.refreshToken,
+      updatedAt: selected.updatedAt ?? null
+    };
+  }
   _getTokensFromCookies(cookies2) {
-    const refreshToken = cookies2.refreshTokenCookie;
-    const accessTokenObject = cookies2.accessTokenCookie?.startsWith('["') ? JSON.parse(cookies2.accessTokenCookie) : null;
-    const accessToken = accessTokenObject && refreshToken === accessTokenObject[0] ? accessTokenObject[1] : null;
+    const { refreshToken } = this._extractRefreshTokenFromCookieMap(cookies2);
+    const accessTokenCookie = cookies2[this._accessTokenCookieName] ?? null;
+    let accessToken = null;
+    if (accessTokenCookie && accessTokenCookie.startsWith('["')) {
+      const parsed = parseJson(accessTokenCookie);
+      if (parsed.status === "ok" && typeof parsed.data === "object" && parsed.data !== null && Array.isArray(parsed.data) && parsed.data.length === 2 && typeof parsed.data[0] === "string" && typeof parsed.data[1] === "string") {
+        if (parsed.data[0] === refreshToken) {
+          accessToken = parsed.data[1];
+        }
+      } else {
+        console.warn("Access token cookie has invalid format");
+      }
+    }
     return {
       refreshToken,
       accessToken
@@ -324,17 +407,98 @@ var __StackClientAppImplIncomplete = class __StackClientAppImplIncomplete {
   get _accessTokenCookieName() {
     return `stack-access`;
   }
+  _getAllBrowserCookies() {
+    if (!isBrowserLike()) {
+      throw new StackAssertionError("Cannot get browser cookies on the server!");
+    }
+    return cookie.parse(document.cookie || "");
+  }
+  _getRefreshTokenCookieNamePatterns() {
+    return {
+      legacyNames: [this._legacyRefreshTokenCookieName, "stack-refresh"],
+      structuredPrefixes: [
+        `${this._refreshTokenCookieName}--`,
+        `__Host-${this._refreshTokenCookieName}--`
+      ]
+    };
+  }
+  _collectRefreshTokenCookieNames(cookies2) {
+    const { legacyNames, structuredPrefixes } = this._getRefreshTokenCookieNamePatterns();
+    const names = /* @__PURE__ */ new Set();
+    for (const name of legacyNames) {
+      if (cookies2[name]) {
+        names.add(name);
+      }
+    }
+    for (const name of Object.keys(cookies2)) {
+      if (structuredPrefixes.some((prefix) => name.startsWith(prefix))) {
+        names.add(name);
+      }
+    }
+    return names;
+  }
+  _prepareRefreshCookieUpdate(existingCookies, refreshToken, accessToken, defaultCookieName) {
+    const cookieNames = this._collectRefreshTokenCookieNames(existingCookies);
+    cookieNames.delete(defaultCookieName);
+    const updatedAt = refreshToken ? Date.now() : null;
+    const refreshCookieValue = refreshToken && updatedAt !== null ? this._formatRefreshCookieValue(refreshToken, updatedAt) : null;
+    const accessTokenPayload = this._formatAccessCookieValue(refreshToken, accessToken);
+    return {
+      updatedAt,
+      refreshCookieValue,
+      accessTokenPayload,
+      cookieNamesToDelete: [...cookieNames]
+    };
+  }
+  _queueCustomRefreshCookieUpdate(refreshToken, updatedAt, context) {
+    runAsynchronously(async () => {
+      this._mostRecentQueuedCookieRefreshIndex++;
+      const updateIndex = this._mostRecentQueuedCookieRefreshIndex;
+      let hostname;
+      if (isBrowserLike()) {
+        hostname = window.location.hostname;
+      }
+      hostname = (await sc.headers?.())?.get("host");
+      if (!hostname) {
+        return;
+      }
+      const domain = await this._trustedParentDomainCache.getOrWait([hostname], "read-write");
+      const setCookie = async (targetDomain, value2) => {
+        const name = this._getCustomRefreshCookieName(targetDomain);
+        const options = { maxAge: 60 * 60 * 24 * 365, domain: targetDomain, noOpIfServerComponent: true };
+        if (context === "browser") {
+          setOrDeleteCookieClient(name, value2, options);
+        } else {
+          await setOrDeleteCookie(name, value2, options);
+        }
+      };
+      if (domain.status === "error" || !domain.data || updateIndex !== this._mostRecentQueuedCookieRefreshIndex) {
+        return;
+      }
+      const value = refreshToken && updatedAt ? this._formatRefreshCookieValue(refreshToken, updatedAt) : null;
+      await setCookie(domain.data, value);
+    });
+  }
+  async _getTrustedParentDomain(currentDomain) {
+    const project = Result.orThrow(await this._interface.getClientProject());
+    const domains = project.config.domains.map((d) => d.domain.trim().replace(/^https?:\/\//, "").split("/")[0]?.toLowerCase());
+    const trustedWildcards = domains.filter((d) => d.startsWith("**."));
+    const parts = currentDomain.split(".");
+    for (let i = parts.length - 2; i >= 0; i--) {
+      const parentDomain = parts.slice(i).join(".");
+      if (domains.includes(parentDomain) && trustedWildcards.includes("**." + parentDomain)) {
+        return parentDomain;
+      }
+    }
+    return null;
+  }
   _getBrowserCookieTokenStore() {
     if (!isBrowserLike()) {
       throw new Error("Cannot use cookie token store on the server!");
     }
     if (this._storedBrowserCookieTokenStore === null) {
       const getCurrentValue = (old) => {
-        const tokens = this._getTokensFromCookies({
-          refreshTokenCookie: getCookieClient(this._refreshTokenCookieName) ?? getCookieClient("stack-refresh"),
-          // keep old cookie name for backwards-compatibility
-          accessTokenCookie: getCookieClient(this._accessTokenCookieName)
-        });
+        const tokens = this._getTokensFromCookies(this._getAllBrowserCookies());
         return {
           refreshToken: tokens.refreshToken,
           accessToken: tokens.accessToken ?? (old?.refreshToken === tokens.refreshToken ? old.accessToken : null)
@@ -353,9 +517,19 @@ var __StackClientAppImplIncomplete = class __StackClientAppImplIncomplete {
       }, 100);
       this._storedBrowserCookieTokenStore.onChange((value) => {
         try {
-          setOrDeleteCookieClient(this._refreshTokenCookieName, value.refreshToken, { maxAge: 60 * 60 * 24 * 365 });
-          setOrDeleteCookieClient(this._accessTokenCookieName, value.accessToken ? JSON.stringify([value.refreshToken, value.accessToken]) : null, { maxAge: 60 * 60 * 24 });
-          deleteCookieClient("stack-refresh");
+          const refreshToken = value.refreshToken;
+          const secure = window.location.protocol === "https:";
+          const defaultName = this._getRefreshTokenDefaultCookieNameForSecure(secure);
+          const { updatedAt, refreshCookieValue, accessTokenPayload, cookieNamesToDelete } = this._prepareRefreshCookieUpdate(
+            this._getAllBrowserCookies(),
+            refreshToken,
+            value.accessToken ?? null,
+            defaultName
+          );
+          setOrDeleteCookieClient(defaultName, refreshCookieValue, { maxAge: 60 * 60 * 24 * 365, secure });
+          setOrDeleteCookieClient(this._accessTokenCookieName, accessTokenPayload, { maxAge: 60 * 60 * 24 });
+          cookieNamesToDelete.forEach((name) => deleteCookieClient(name));
+          this._queueCustomRefreshCookieUpdate(refreshToken, updatedAt, "browser");
           hasSucceededInWriting = true;
         } catch (e) {
           if (!isBrowserLike()) {
@@ -378,18 +552,31 @@ var __StackClientAppImplIncomplete = class __StackClientAppImplIncomplete {
         if (isBrowserLike()) {
           return this._getBrowserCookieTokenStore();
         } else {
-          const tokens = this._getTokensFromCookies({
-            refreshTokenCookie: cookieHelper.get(this._refreshTokenCookieName) ?? cookieHelper.get("stack-refresh"),
-            // keep old cookie name for backwards-compatibility
-            accessTokenCookie: cookieHelper.get(this._accessTokenCookieName)
-          });
+          const tokens = this._getTokensFromCookies(cookieHelper.getAll());
           const store = new Store(tokens);
           store.onChange((value) => {
             runAsynchronously(async () => {
+              const refreshToken = value.refreshToken;
+              const secure = await isSecureCookieContext();
+              const defaultName = this._getRefreshTokenDefaultCookieNameForSecure(secure);
+              const { updatedAt, refreshCookieValue, accessTokenPayload, cookieNamesToDelete } = this._prepareRefreshCookieUpdate(
+                cookieHelper.getAll(),
+                refreshToken,
+                value.accessToken ?? null,
+                defaultName
+              );
               await Promise.all([
-                setOrDeleteCookie(this._refreshTokenCookieName, value.refreshToken, { maxAge: 60 * 60 * 24 * 365, noOpIfServerComponent: true }),
-                setOrDeleteCookie(this._accessTokenCookieName, value.accessToken ? JSON.stringify([value.refreshToken, value.accessToken]) : null, { maxAge: 60 * 60 * 24, noOpIfServerComponent: true })
+                setOrDeleteCookie(defaultName, refreshCookieValue, { maxAge: 60 * 60 * 24 * 365, noOpIfServerComponent: true }),
+                setOrDeleteCookie(this._accessTokenCookieName, accessTokenPayload, { maxAge: 60 * 60 * 24, noOpIfServerComponent: true })
               ]);
+              if (cookieNamesToDelete.length > 0) {
+                await Promise.all(
+                  cookieNamesToDelete.map(
+                    (name) => setOrDeleteCookie(name, null, { noOpIfServerComponent: true })
+                  )
+                );
+              }
+              this._queueCustomRefreshCookieUpdate(refreshToken, updatedAt, "server");
             });
           });
           return store;
@@ -420,11 +607,7 @@ var __StackClientAppImplIncomplete = class __StackClientAppImplIncomplete {
           }
           const cookieHeader = tokenStoreInit.headers.get("cookie");
           const parsed = cookie.parse(cookieHeader || "");
-          const res = new Store({
-            refreshToken: parsed[this._refreshTokenCookieName] || parsed["stack-refresh"] || null,
-            // keep old cookie name for backwards-compatibility
-            accessToken: parsed[this._accessTokenCookieName] || null
-          });
+          const res = new Store(this._getTokensFromCookies(parsed));
           this._requestTokenStores.set(tokenStoreInit, res);
           return res;
         } else if ("accessToken" in tokenStoreInit || "refreshToken" in tokenStoreInit) {
@@ -1552,15 +1735,28 @@ var __StackClientAppImplIncomplete = class __StackClientAppImplIncomplete {
     }
   }
   async signUpWithCredential(options) {
+    if (options.noVerificationCallback && options.verificationCallbackUrl) {
+      throw new StackAssertionError("verificationCallbackUrl is not allowed when noVerificationCallback is true");
+    }
     this._ensurePersistentTokenStore();
     const session = await this._getSession();
-    const emailVerificationRedirectUrl = options.verificationCallbackUrl ?? constructRedirectUrl(this.urls.emailVerification, "verificationCallbackUrl");
-    const result = await this._interface.signUpWithCredential(
+    const emailVerificationRedirectUrl = options.noVerificationCallback ? void 0 : options.verificationCallbackUrl ?? constructRedirectUrl(this.urls.emailVerification, "verificationCallbackUrl");
+    let result = await this._interface.signUpWithCredential(
       options.email,
       options.password,
       emailVerificationRedirectUrl,
       session
     );
+    if (result.status === "error" && result.error instanceof KnownErrors.RedirectUrlNotWhitelisted && !options.noVerificationCallback && emailVerificationRedirectUrl !== void 0) {
+      console.error("Warning: The verification callback URL is not trusted. Proceeding with signup without email verification. Please add your domain to the trusted domains list in your Stack Auth dashboard.", { url: emailVerificationRedirectUrl });
+      result = await this._interface.signUpWithCredential(
+        options.email,
+        options.password,
+        void 0,
+        // No email verification
+        session
+      );
+    }
     if (result.status === "ok") {
       await this._signInToAccountWithTokens(result.data);
       if (!options.noRedirect) {