@stackframe/stack 2.8.47 → 2.8.49

package/dist/lib/stack-app/apps/implementations/client-app-impl.js

@@ -36,6 +36,7 @@ module.exports = __toCommonJS(client_app_impl_exports);
 var import_browser = require("@simplewebauthn/browser");
 var import_stack_shared = require("@stackframe/stack-shared");
 var import_sessions = require("@stackframe/stack-shared/dist/sessions");
+var import_bytes = require("@stackframe/stack-shared/dist/utils/bytes");
 var import_compile_time = require("@stackframe/stack-shared/dist/utils/compile-time");
 var import_env = require("@stackframe/stack-shared/dist/utils/env");
 var import_errors = require("@stackframe/stack-shared/dist/utils/errors");
@@ -61,6 +62,7 @@ var import_projects = require("../../projects/index.js");
 var import_teams = require("../../teams/index.js");
 var import_users = require("../../users/index.js");
 var import_common2 = require("./common.js");
+var import_json = require("@stackframe/stack-shared/dist/utils/json");
 var import_common3 = require("./common.js");
 var sc = __toESM(require("@stackframe/stack-sc"));
 var import_stack_sc = require("@stackframe/stack-sc");
@@ -214,11 +216,15 @@ var __StackClientAppImplIncomplete = class __StackClientAppImplIncomplete {
     this._convexPartialUserCache = (0, import_common2.createCache)(
       async ([ctx]) => await this._getPartialUserFromConvex(ctx)
     );
+    this._trustedParentDomainCache = (0, import_common2.createCache)(
+      async ([domain]) => await this._getTrustedParentDomain(domain)
+    );
     this._anonymousSignUpInProgress = null;
     this._memoryTokenStore = (0, import_common2.createEmptyTokenStore)();
     this._nextServerCookiesTokenStores = /* @__PURE__ */ new WeakMap();
     this._requestTokenStores = /* @__PURE__ */ new WeakMap();
     this._storedBrowserCookieTokenStore = null;
+    this._mostRecentQueuedCookieRefreshIndex = 0;
     /**
      * A map from token stores and session keys to sessions.
      *
@@ -343,13 +349,90 @@ var __StackClientAppImplIncomplete = class __StackClientAppImplIncomplete {
     (0, import_promises.runAsynchronously)(this._checkFeatureSupport(name, options));
     throw new import_errors.StackAssertionError(`${name} is not currently supported. Please reach out to Stack support for more information.`);
   }
+  get _legacyRefreshTokenCookieName() {
+    return `stack-refresh-${this.projectId}`;
+  }
   get _refreshTokenCookieName() {
     return `stack-refresh-${this.projectId}`;
   }
+  _getRefreshTokenDefaultCookieNameForSecure(secure) {
+    return `${secure ? "__Host-" : ""}${this._refreshTokenCookieName}--default`;
+  }
+  _getCustomRefreshCookieName(domain) {
+    const encoded = (0, import_bytes.encodeBase32)(new TextEncoder().encode(domain.toLowerCase()));
+    return `${this._refreshTokenCookieName}--custom-${encoded}`;
+  }
+  _formatRefreshCookieValue(refreshToken, updatedAt) {
+    return JSON.stringify({
+      refresh_token: refreshToken,
+      updated_at_millis: updatedAt
+    });
+  }
+  _formatAccessCookieValue(refreshToken, accessToken) {
+    return refreshToken && accessToken ? JSON.stringify([refreshToken, accessToken]) : null;
+  }
+  _parseStructuredRefreshCookie(value) {
+    if (!value) {
+      return null;
+    }
+    const parsed = (0, import_json.parseJson)(value);
+    if (parsed.status !== "ok" || typeof parsed.data !== "object" || parsed.data === null) {
+      console.warn("Failed to parse structured refresh cookie");
+      return null;
+    }
+    const data = parsed.data;
+    const refreshToken = "refresh_token" in data && typeof data.refresh_token === "string" ? data.refresh_token : null;
+    const updatedAt = "updated_at_millis" in data && typeof data.updated_at_millis === "number" ? data.updated_at_millis : null;
+    if (!refreshToken) {
+      console.warn("Refresh token not found in structured refresh cookie");
+      return null;
+    }
+    return {
+      refreshToken,
+      updatedAt
+    };
+  }
+  _extractRefreshTokenFromCookieMap(cookies2) {
+    const { legacyNames, structuredPrefixes } = this._getRefreshTokenCookieNamePatterns();
+    for (const name of legacyNames) {
+      const value = cookies2[name];
+      if (value) {
+        return { refreshToken: value, updatedAt: null };
+      }
+    }
+    let selected = null;
+    for (const [name, value] of Object.entries(cookies2)) {
+      if (!structuredPrefixes.some((prefix) => name.startsWith(prefix))) continue;
+      const parsed = this._parseStructuredRefreshCookie(value);
+      if (!parsed) continue;
+      const candidateUpdatedAt = parsed.updatedAt ?? Number.NEGATIVE_INFINITY;
+      const selectedUpdatedAt = selected?.updatedAt ?? Number.NEGATIVE_INFINITY;
+      if (!selected || candidateUpdatedAt > selectedUpdatedAt) {
+        selected = parsed;
+      }
+    }
+    if (!selected) {
+      return { refreshToken: null, updatedAt: null };
+    }
+    return {
+      refreshToken: selected.refreshToken,
+      updatedAt: selected.updatedAt ?? null
+    };
+  }
   _getTokensFromCookies(cookies2) {
-    const refreshToken = cookies2.refreshTokenCookie;
-    const accessTokenObject = cookies2.accessTokenCookie?.startsWith('["') ? JSON.parse(cookies2.accessTokenCookie) : null;
-    const accessToken = accessTokenObject && refreshToken === accessTokenObject[0] ? accessTokenObject[1] : null;
+    const { refreshToken } = this._extractRefreshTokenFromCookieMap(cookies2);
+    const accessTokenCookie = cookies2[this._accessTokenCookieName] ?? null;
+    let accessToken = null;
+    if (accessTokenCookie && accessTokenCookie.startsWith('["')) {
+      const parsed = (0, import_json.parseJson)(accessTokenCookie);
+      if (parsed.status === "ok" && typeof parsed.data === "object" && parsed.data !== null && Array.isArray(parsed.data) && parsed.data.length === 2 && typeof parsed.data[0] === "string" && typeof parsed.data[1] === "string") {
+        if (parsed.data[0] === refreshToken) {
+          accessToken = parsed.data[1];
+        }
+      } else {
+        console.warn("Access token cookie has invalid format");
+      }
+    }
     return {
       refreshToken,
       accessToken
@@ -358,17 +441,98 @@ var __StackClientAppImplIncomplete = class __StackClientAppImplIncomplete {
   get _accessTokenCookieName() {
     return `stack-access`;
   }
+  _getAllBrowserCookies() {
+    if (!(0, import_env.isBrowserLike)()) {
+      throw new import_errors.StackAssertionError("Cannot get browser cookies on the server!");
+    }
+    return cookie.parse(document.cookie || "");
+  }
+  _getRefreshTokenCookieNamePatterns() {
+    return {
+      legacyNames: [this._legacyRefreshTokenCookieName, "stack-refresh"],
+      structuredPrefixes: [
+        `${this._refreshTokenCookieName}--`,
+        `__Host-${this._refreshTokenCookieName}--`
+      ]
+    };
+  }
+  _collectRefreshTokenCookieNames(cookies2) {
+    const { legacyNames, structuredPrefixes } = this._getRefreshTokenCookieNamePatterns();
+    const names = /* @__PURE__ */ new Set();
+    for (const name of legacyNames) {
+      if (cookies2[name]) {
+        names.add(name);
+      }
+    }
+    for (const name of Object.keys(cookies2)) {
+      if (structuredPrefixes.some((prefix) => name.startsWith(prefix))) {
+        names.add(name);
+      }
+    }
+    return names;
+  }
+  _prepareRefreshCookieUpdate(existingCookies, refreshToken, accessToken, defaultCookieName) {
+    const cookieNames = this._collectRefreshTokenCookieNames(existingCookies);
+    cookieNames.delete(defaultCookieName);
+    const updatedAt = refreshToken ? Date.now() : null;
+    const refreshCookieValue = refreshToken && updatedAt !== null ? this._formatRefreshCookieValue(refreshToken, updatedAt) : null;
+    const accessTokenPayload = this._formatAccessCookieValue(refreshToken, accessToken);
+    return {
+      updatedAt,
+      refreshCookieValue,
+      accessTokenPayload,
+      cookieNamesToDelete: [...cookieNames]
+    };
+  }
+  _queueCustomRefreshCookieUpdate(refreshToken, updatedAt, context) {
+    (0, import_promises.runAsynchronously)(async () => {
+      this._mostRecentQueuedCookieRefreshIndex++;
+      const updateIndex = this._mostRecentQueuedCookieRefreshIndex;
+      let hostname;
+      if ((0, import_env.isBrowserLike)()) {
+        hostname = window.location.hostname;
+      }
+      hostname = (await sc.headers?.())?.get("host");
+      if (!hostname) {
+        return;
+      }
+      const domain = await this._trustedParentDomainCache.getOrWait([hostname], "read-write");
+      const setCookie = async (targetDomain, value2) => {
+        const name = this._getCustomRefreshCookieName(targetDomain);
+        const options = { maxAge: 60 * 60 * 24 * 365, domain: targetDomain, noOpIfServerComponent: true };
+        if (context === "browser") {
+          (0, import_cookie.setOrDeleteCookieClient)(name, value2, options);
+        } else {
+          await (0, import_cookie.setOrDeleteCookie)(name, value2, options);
+        }
+      };
+      if (domain.status === "error" || !domain.data || updateIndex !== this._mostRecentQueuedCookieRefreshIndex) {
+        return;
+      }
+      const value = refreshToken && updatedAt ? this._formatRefreshCookieValue(refreshToken, updatedAt) : null;
+      await setCookie(domain.data, value);
+    });
+  }
+  async _getTrustedParentDomain(currentDomain) {
+    const project = import_results.Result.orThrow(await this._interface.getClientProject());
+    const domains = project.config.domains.map((d) => d.domain.trim().replace(/^https?:\/\//, "").split("/")[0]?.toLowerCase());
+    const trustedWildcards = domains.filter((d) => d.startsWith("**."));
+    const parts = currentDomain.split(".");
+    for (let i = parts.length - 2; i >= 0; i--) {
+      const parentDomain = parts.slice(i).join(".");
+      if (domains.includes(parentDomain) && trustedWildcards.includes("**." + parentDomain)) {
+        return parentDomain;
+      }
+    }
+    return null;
+  }
   _getBrowserCookieTokenStore() {
     if (!(0, import_env.isBrowserLike)()) {
       throw new Error("Cannot use cookie token store on the server!");
     }
     if (this._storedBrowserCookieTokenStore === null) {
       const getCurrentValue = (old) => {
-        const tokens = this._getTokensFromCookies({
-          refreshTokenCookie: (0, import_cookie.getCookieClient)(this._refreshTokenCookieName) ?? (0, import_cookie.getCookieClient)("stack-refresh"),
-          // keep old cookie name for backwards-compatibility
-          accessTokenCookie: (0, import_cookie.getCookieClient)(this._accessTokenCookieName)
-        });
+        const tokens = this._getTokensFromCookies(this._getAllBrowserCookies());
         return {
           refreshToken: tokens.refreshToken,
           accessToken: tokens.accessToken ?? (old?.refreshToken === tokens.refreshToken ? old.accessToken : null)
@@ -387,9 +551,19 @@ var __StackClientAppImplIncomplete = class __StackClientAppImplIncomplete {
       }, 100);
       this._storedBrowserCookieTokenStore.onChange((value) => {
         try {
-          (0, import_cookie.setOrDeleteCookieClient)(this._refreshTokenCookieName, value.refreshToken, { maxAge: 60 * 60 * 24 * 365 });
-          (0, import_cookie.setOrDeleteCookieClient)(this._accessTokenCookieName, value.accessToken ? JSON.stringify([value.refreshToken, value.accessToken]) : null, { maxAge: 60 * 60 * 24 });
-          (0, import_cookie.deleteCookieClient)("stack-refresh");
+          const refreshToken = value.refreshToken;
+          const secure = window.location.protocol === "https:";
+          const defaultName = this._getRefreshTokenDefaultCookieNameForSecure(secure);
+          const { updatedAt, refreshCookieValue, accessTokenPayload, cookieNamesToDelete } = this._prepareRefreshCookieUpdate(
+            this._getAllBrowserCookies(),
+            refreshToken,
+            value.accessToken ?? null,
+            defaultName
+          );
+          (0, import_cookie.setOrDeleteCookieClient)(defaultName, refreshCookieValue, { maxAge: 60 * 60 * 24 * 365, secure });
+          (0, import_cookie.setOrDeleteCookieClient)(this._accessTokenCookieName, accessTokenPayload, { maxAge: 60 * 60 * 24 });
+          cookieNamesToDelete.forEach((name) => (0, import_cookie.deleteCookieClient)(name));
+          this._queueCustomRefreshCookieUpdate(refreshToken, updatedAt, "browser");
           hasSucceededInWriting = true;
         } catch (e) {
           if (!(0, import_env.isBrowserLike)()) {
@@ -412,18 +586,31 @@ var __StackClientAppImplIncomplete = class __StackClientAppImplIncomplete {
         if ((0, import_env.isBrowserLike)()) {
           return this._getBrowserCookieTokenStore();
         } else {
-          const tokens = this._getTokensFromCookies({
-            refreshTokenCookie: cookieHelper.get(this._refreshTokenCookieName) ?? cookieHelper.get("stack-refresh"),
-            // keep old cookie name for backwards-compatibility
-            accessTokenCookie: cookieHelper.get(this._accessTokenCookieName)
-          });
+          const tokens = this._getTokensFromCookies(cookieHelper.getAll());
           const store = new import_stores.Store(tokens);
           store.onChange((value) => {
             (0, import_promises.runAsynchronously)(async () => {
+              const refreshToken = value.refreshToken;
+              const secure = await (0, import_cookie.isSecure)();
+              const defaultName = this._getRefreshTokenDefaultCookieNameForSecure(secure);
+              const { updatedAt, refreshCookieValue, accessTokenPayload, cookieNamesToDelete } = this._prepareRefreshCookieUpdate(
+                cookieHelper.getAll(),
+                refreshToken,
+                value.accessToken ?? null,
+                defaultName
+              );
               await Promise.all([
-                (0, import_cookie.setOrDeleteCookie)(this._refreshTokenCookieName, value.refreshToken, { maxAge: 60 * 60 * 24 * 365, noOpIfServerComponent: true }),
-                (0, import_cookie.setOrDeleteCookie)(this._accessTokenCookieName, value.accessToken ? JSON.stringify([value.refreshToken, value.accessToken]) : null, { maxAge: 60 * 60 * 24, noOpIfServerComponent: true })
+                (0, import_cookie.setOrDeleteCookie)(defaultName, refreshCookieValue, { maxAge: 60 * 60 * 24 * 365, noOpIfServerComponent: true }),
+                (0, import_cookie.setOrDeleteCookie)(this._accessTokenCookieName, accessTokenPayload, { maxAge: 60 * 60 * 24, noOpIfServerComponent: true })
               ]);
+              if (cookieNamesToDelete.length > 0) {
+                await Promise.all(
+                  cookieNamesToDelete.map(
+                    (name) => (0, import_cookie.setOrDeleteCookie)(name, null, { noOpIfServerComponent: true })
+                  )
+                );
+              }
+              this._queueCustomRefreshCookieUpdate(refreshToken, updatedAt, "server");
             });
           });
           return store;
@@ -454,11 +641,7 @@ var __StackClientAppImplIncomplete = class __StackClientAppImplIncomplete {
           }
           const cookieHeader = tokenStoreInit.headers.get("cookie");
           const parsed = cookie.parse(cookieHeader || "");
-          const res = new import_stores.Store({
-            refreshToken: parsed[this._refreshTokenCookieName] || parsed["stack-refresh"] || null,
-            // keep old cookie name for backwards-compatibility
-            accessToken: parsed[this._accessTokenCookieName] || null
-          });
+          const res = new import_stores.Store(this._getTokensFromCookies(parsed));
           this._requestTokenStores.set(tokenStoreInit, res);
           return res;
         } else if ("accessToken" in tokenStoreInit || "refreshToken" in tokenStoreInit) {
@@ -1586,15 +1769,28 @@ var __StackClientAppImplIncomplete = class __StackClientAppImplIncomplete {
     }
   }
   async signUpWithCredential(options) {
+    if (options.noVerificationCallback && options.verificationCallbackUrl) {
+      throw new import_errors.StackAssertionError("verificationCallbackUrl is not allowed when noVerificationCallback is true");
+    }
     this._ensurePersistentTokenStore();
     const session = await this._getSession();
-    const emailVerificationRedirectUrl = options.verificationCallbackUrl ?? (0, import_url.constructRedirectUrl)(this.urls.emailVerification, "verificationCallbackUrl");
-    const result = await this._interface.signUpWithCredential(
+    const emailVerificationRedirectUrl = options.noVerificationCallback ? void 0 : options.verificationCallbackUrl ?? (0, import_url.constructRedirectUrl)(this.urls.emailVerification, "verificationCallbackUrl");
+    let result = await this._interface.signUpWithCredential(
       options.email,
       options.password,
       emailVerificationRedirectUrl,
       session
     );
+    if (result.status === "error" && result.error instanceof import_stack_shared.KnownErrors.RedirectUrlNotWhitelisted && !options.noVerificationCallback && emailVerificationRedirectUrl !== void 0) {
+      console.error("Warning: The verification callback URL is not trusted. Proceeding with signup without email verification. Please add your domain to the trusted domains list in your Stack Auth dashboard.", { url: emailVerificationRedirectUrl });
+      result = await this._interface.signUpWithCredential(
+        options.email,
+        options.password,
+        void 0,
+        // No email verification
+        session
+      );
+    }
     if (result.status === "ok") {
       await this._signInToAccountWithTokens(result.data);
       if (!options.noRedirect) {