@stackframe/stack 2.8.48 → 2.8.51

package/dist/lib/stack-app/apps/implementations/client-app-impl.js

@@ -36,6 +36,7 @@ module.exports = __toCommonJS(client_app_impl_exports);
 var import_browser = require("@simplewebauthn/browser");
 var import_stack_shared = require("@stackframe/stack-shared");
 var import_sessions = require("@stackframe/stack-shared/dist/sessions");
+var import_bytes = require("@stackframe/stack-shared/dist/utils/bytes");
 var import_compile_time = require("@stackframe/stack-shared/dist/utils/compile-time");
 var import_env = require("@stackframe/stack-shared/dist/utils/env");
 var import_errors = require("@stackframe/stack-shared/dist/utils/errors");
@@ -61,6 +62,7 @@ var import_projects = require("../../projects/index.js");
 var import_teams = require("../../teams/index.js");
 var import_users = require("../../users/index.js");
 var import_common2 = require("./common.js");
+var import_json = require("@stackframe/stack-shared/dist/utils/json");
 var import_common3 = require("./common.js");
 var sc = __toESM(require("@stackframe/stack-sc"));
 var import_stack_sc = require("@stackframe/stack-sc");
@@ -214,11 +216,15 @@ var __StackClientAppImplIncomplete = class __StackClientAppImplIncomplete {
     this._convexPartialUserCache = (0, import_common2.createCache)(
       async ([ctx]) => await this._getPartialUserFromConvex(ctx)
     );
+    this._trustedParentDomainCache = (0, import_common2.createCache)(
+      async ([domain]) => await this._getTrustedParentDomain(domain)
+    );
     this._anonymousSignUpInProgress = null;
     this._memoryTokenStore = (0, import_common2.createEmptyTokenStore)();
     this._nextServerCookiesTokenStores = /* @__PURE__ */ new WeakMap();
     this._requestTokenStores = /* @__PURE__ */ new WeakMap();
     this._storedBrowserCookieTokenStore = null;
+    this._mostRecentQueuedCookieRefreshIndex = 0;
     /**
      * A map from token stores and session keys to sessions.
      *
@@ -234,13 +240,17 @@ var __StackClientAppImplIncomplete = class __StackClientAppImplIncomplete {
     }
     this._options = resolvedOptions;
     this._extraOptions = extraOptions;
+    const projectId = resolvedOptions.projectId ?? (0, import_common2.getDefaultProjectId)();
+    if (projectId !== "internal" && !projectId.match(/^[0-9a-f]{8}-[0-9a-f]{4}-[1-8][0-9a-f]{3}-[089ab][0-9a-f]{3}-[0-9a-f]{12}$/i)) {
+      throw new Error(`Invalid project ID: ${projectId}. Project IDs must be UUIDs. Please check your environment variables and/or your StackApp.`);
+    }
     if (extraOptions && extraOptions.interface) {
       this._interface = extraOptions.interface;
     } else {
       this._interface = new import_stack_shared.StackClientInterface({
         getBaseUrl: () => (0, import_common2.getBaseUrl)(resolvedOptions.baseUrl),
         extraRequestHeaders: resolvedOptions.extraRequestHeaders ?? (0, import_common2.getDefaultExtraRequestHeaders)(),
-        projectId: resolvedOptions.projectId ?? (0, import_common2.getDefaultProjectId)(),
+        projectId,
         clientVersion: import_common2.clientVersion,
         publishableClientKey: resolvedOptions.publishableClientKey ?? (0, import_common2.getDefaultPublishableClientKey)(),
         prepareRequest: async () => {
@@ -343,13 +353,90 @@ var __StackClientAppImplIncomplete = class __StackClientAppImplIncomplete {
     (0, import_promises.runAsynchronously)(this._checkFeatureSupport(name, options));
     throw new import_errors.StackAssertionError(`${name} is not currently supported. Please reach out to Stack support for more information.`);
   }
+  get _legacyRefreshTokenCookieName() {
+    return `stack-refresh-${this.projectId}`;
+  }
   get _refreshTokenCookieName() {
     return `stack-refresh-${this.projectId}`;
   }
+  _getRefreshTokenDefaultCookieNameForSecure(secure) {
+    return `${secure ? "__Host-" : ""}${this._refreshTokenCookieName}--default`;
+  }
+  _getCustomRefreshCookieName(domain) {
+    const encoded = (0, import_bytes.encodeBase32)(new TextEncoder().encode(domain.toLowerCase()));
+    return `${this._refreshTokenCookieName}--custom-${encoded}`;
+  }
+  _formatRefreshCookieValue(refreshToken, updatedAt) {
+    return JSON.stringify({
+      refresh_token: refreshToken,
+      updated_at_millis: updatedAt
+    });
+  }
+  _formatAccessCookieValue(refreshToken, accessToken) {
+    return refreshToken && accessToken ? JSON.stringify([refreshToken, accessToken]) : null;
+  }
+  _parseStructuredRefreshCookie(value) {
+    if (!value) {
+      return null;
+    }
+    const parsed = (0, import_json.parseJson)(value);
+    if (parsed.status !== "ok" || typeof parsed.data !== "object" || parsed.data === null) {
+      console.warn("Failed to parse structured refresh cookie");
+      return null;
+    }
+    const data = parsed.data;
+    const refreshToken = "refresh_token" in data && typeof data.refresh_token === "string" ? data.refresh_token : null;
+    const updatedAt = "updated_at_millis" in data && typeof data.updated_at_millis === "number" ? data.updated_at_millis : null;
+    if (!refreshToken) {
+      console.warn("Refresh token not found in structured refresh cookie");
+      return null;
+    }
+    return {
+      refreshToken,
+      updatedAt
+    };
+  }
+  _extractRefreshTokenFromCookieMap(cookies2) {
+    const { legacyNames, structuredPrefixes } = this._getRefreshTokenCookieNamePatterns();
+    for (const name of legacyNames) {
+      const value = cookies2[name];
+      if (value) {
+        return { refreshToken: value, updatedAt: null };
+      }
+    }
+    let selected = null;
+    for (const [name, value] of Object.entries(cookies2)) {
+      if (!structuredPrefixes.some((prefix) => name.startsWith(prefix))) continue;
+      const parsed = this._parseStructuredRefreshCookie(value);
+      if (!parsed) continue;
+      const candidateUpdatedAt = parsed.updatedAt ?? Number.NEGATIVE_INFINITY;
+      const selectedUpdatedAt = selected?.updatedAt ?? Number.NEGATIVE_INFINITY;
+      if (!selected || candidateUpdatedAt > selectedUpdatedAt) {
+        selected = parsed;
+      }
+    }
+    if (!selected) {
+      return { refreshToken: null, updatedAt: null };
+    }
+    return {
+      refreshToken: selected.refreshToken,
+      updatedAt: selected.updatedAt ?? null
+    };
+  }
   _getTokensFromCookies(cookies2) {
-    const refreshToken = cookies2.refreshTokenCookie;
-    const accessTokenObject = cookies2.accessTokenCookie?.startsWith('["') ? JSON.parse(cookies2.accessTokenCookie) : null;
-    const accessToken = accessTokenObject && refreshToken === accessTokenObject[0] ? accessTokenObject[1] : null;
+    const { refreshToken } = this._extractRefreshTokenFromCookieMap(cookies2);
+    const accessTokenCookie = cookies2[this._accessTokenCookieName] ?? null;
+    let accessToken = null;
+    if (accessTokenCookie && accessTokenCookie.startsWith('["')) {
+      const parsed = (0, import_json.parseJson)(accessTokenCookie);
+      if (parsed.status === "ok" && typeof parsed.data === "object" && parsed.data !== null && Array.isArray(parsed.data) && parsed.data.length === 2 && typeof parsed.data[0] === "string" && typeof parsed.data[1] === "string") {
+        if (parsed.data[0] === refreshToken) {
+          accessToken = parsed.data[1];
+        }
+      } else {
+        console.warn("Access token cookie has invalid format");
+      }
+    }
     return {
       refreshToken,
       accessToken
@@ -358,17 +445,100 @@ var __StackClientAppImplIncomplete = class __StackClientAppImplIncomplete {
   get _accessTokenCookieName() {
     return `stack-access`;
   }
+  _getAllBrowserCookies() {
+    if (!(0, import_env.isBrowserLike)()) {
+      throw new import_errors.StackAssertionError("Cannot get browser cookies on the server!");
+    }
+    return cookie.parse(document.cookie || "");
+  }
+  _getRefreshTokenCookieNamePatterns() {
+    return {
+      legacyNames: [this._legacyRefreshTokenCookieName, "stack-refresh"],
+      structuredPrefixes: [
+        `${this._refreshTokenCookieName}--`,
+        `__Host-${this._refreshTokenCookieName}--`
+      ]
+    };
+  }
+  _collectRefreshTokenCookieNames(cookies2) {
+    const { legacyNames, structuredPrefixes } = this._getRefreshTokenCookieNamePatterns();
+    const names = /* @__PURE__ */ new Set();
+    for (const name of legacyNames) {
+      if (cookies2[name]) {
+        names.add(name);
+      }
+    }
+    for (const name of Object.keys(cookies2)) {
+      if (structuredPrefixes.some((prefix) => name.startsWith(prefix))) {
+        names.add(name);
+      }
+    }
+    return names;
+  }
+  _prepareRefreshCookieUpdate(existingCookies, refreshToken, accessToken, defaultCookieName) {
+    const cookieNames = this._collectRefreshTokenCookieNames(existingCookies);
+    cookieNames.delete(defaultCookieName);
+    const updatedAt = refreshToken ? Date.now() : null;
+    const refreshCookieValue = refreshToken && updatedAt !== null ? this._formatRefreshCookieValue(refreshToken, updatedAt) : null;
+    const accessTokenPayload = this._formatAccessCookieValue(refreshToken, accessToken);
+    return {
+      updatedAt,
+      refreshCookieValue,
+      accessTokenPayload,
+      cookieNamesToDelete: [...cookieNames]
+    };
+  }
+  _queueCustomRefreshCookieUpdate(refreshToken, updatedAt, context) {
+    (0, import_promises.runAsynchronously)(async () => {
+      this._mostRecentQueuedCookieRefreshIndex++;
+      const updateIndex = this._mostRecentQueuedCookieRefreshIndex;
+      let hostname;
+      if ((0, import_env.isBrowserLike)()) {
+        hostname = window.location.hostname;
+      } else {
+        hostname = (await sc.headers?.())?.get("host");
+      }
+      if (!hostname) {
+        console.warn("No hostname found when queueing custom refresh cookie update");
+        return;
+      }
+      const domain = await this._trustedParentDomainCache.getOrWait([hostname], "read-write");
+      const setCookie = async (targetDomain, value2) => {
+        const name = this._getCustomRefreshCookieName(targetDomain);
+        const options = { maxAge: 60 * 60 * 24 * 365, domain: targetDomain, noOpIfServerComponent: true };
+        if (context === "browser") {
+          (0, import_cookie.setOrDeleteCookieClient)(name, value2, options);
+        } else {
+          await (0, import_cookie.setOrDeleteCookie)(name, value2, options);
+        }
+      };
+      if (domain.status === "error" || !domain.data || updateIndex !== this._mostRecentQueuedCookieRefreshIndex) {
+        return;
+      }
+      const value = refreshToken && updatedAt ? this._formatRefreshCookieValue(refreshToken, updatedAt) : null;
+      await setCookie(domain.data, value);
+    });
+  }
+  async _getTrustedParentDomain(currentDomain) {
+    const project = import_results.Result.orThrow(await this._interface.getClientProject());
+    const domains = project.config.domains.map((d) => d.domain.trim().replace(/^https?:\/\//, "").split("/")[0]?.toLowerCase());
+    const trustedWildcards = domains.filter((d) => d.startsWith("**."));
+    const parts = currentDomain.split(".");
+    for (let i = parts.length - 2; i >= 0; i--) {
+      const parentDomain = parts.slice(i).join(".");
+      if (domains.includes(parentDomain) && trustedWildcards.includes("**." + parentDomain)) {
+        return parentDomain;
+      }
+    }
+    return null;
+  }
   _getBrowserCookieTokenStore() {
     if (!(0, import_env.isBrowserLike)()) {
       throw new Error("Cannot use cookie token store on the server!");
     }
     if (this._storedBrowserCookieTokenStore === null) {
       const getCurrentValue = (old) => {
-        const tokens = this._getTokensFromCookies({
-          refreshTokenCookie: (0, import_cookie.getCookieClient)(this._refreshTokenCookieName) ?? (0, import_cookie.getCookieClient)("stack-refresh"),
-          // keep old cookie name for backwards-compatibility
-          accessTokenCookie: (0, import_cookie.getCookieClient)(this._accessTokenCookieName)
-        });
+        const tokens = this._getTokensFromCookies(this._getAllBrowserCookies());
         return {
           refreshToken: tokens.refreshToken,
           accessToken: tokens.accessToken ?? (old?.refreshToken === tokens.refreshToken ? old.accessToken : null)
@@ -387,9 +557,19 @@ var __StackClientAppImplIncomplete = class __StackClientAppImplIncomplete {
       }, 100);
       this._storedBrowserCookieTokenStore.onChange((value) => {
         try {
-          (0, import_cookie.setOrDeleteCookieClient)(this._refreshTokenCookieName, value.refreshToken, { maxAge: 60 * 60 * 24 * 365 });
-          (0, import_cookie.setOrDeleteCookieClient)(this._accessTokenCookieName, value.accessToken ? JSON.stringify([value.refreshToken, value.accessToken]) : null, { maxAge: 60 * 60 * 24 });
-          (0, import_cookie.deleteCookieClient)("stack-refresh");
+          const refreshToken = value.refreshToken;
+          const secure = window.location.protocol === "https:";
+          const defaultName = this._getRefreshTokenDefaultCookieNameForSecure(secure);
+          const { updatedAt, refreshCookieValue, accessTokenPayload, cookieNamesToDelete } = this._prepareRefreshCookieUpdate(
+            this._getAllBrowserCookies(),
+            refreshToken,
+            value.accessToken ?? null,
+            defaultName
+          );
+          (0, import_cookie.setOrDeleteCookieClient)(defaultName, refreshCookieValue, { maxAge: 60 * 60 * 24 * 365, secure });
+          (0, import_cookie.setOrDeleteCookieClient)(this._accessTokenCookieName, accessTokenPayload, { maxAge: 60 * 60 * 24 });
+          cookieNamesToDelete.forEach((name) => (0, import_cookie.deleteCookieClient)(name));
+          this._queueCustomRefreshCookieUpdate(refreshToken, updatedAt, "browser");
           hasSucceededInWriting = true;
         } catch (e) {
           if (!(0, import_env.isBrowserLike)()) {
@@ -412,18 +592,31 @@ var __StackClientAppImplIncomplete = class __StackClientAppImplIncomplete {
         if ((0, import_env.isBrowserLike)()) {
           return this._getBrowserCookieTokenStore();
         } else {
-          const tokens = this._getTokensFromCookies({
-            refreshTokenCookie: cookieHelper.get(this._refreshTokenCookieName) ?? cookieHelper.get("stack-refresh"),
-            // keep old cookie name for backwards-compatibility
-            accessTokenCookie: cookieHelper.get(this._accessTokenCookieName)
-          });
+          const tokens = this._getTokensFromCookies(cookieHelper.getAll());
           const store = new import_stores.Store(tokens);
           store.onChange((value) => {
             (0, import_promises.runAsynchronously)(async () => {
+              const refreshToken = value.refreshToken;
+              const secure = await (0, import_cookie.isSecure)();
+              const defaultName = this._getRefreshTokenDefaultCookieNameForSecure(secure);
+              const { updatedAt, refreshCookieValue, accessTokenPayload, cookieNamesToDelete } = this._prepareRefreshCookieUpdate(
+                cookieHelper.getAll(),
+                refreshToken,
+                value.accessToken ?? null,
+                defaultName
+              );
               await Promise.all([
-                (0, import_cookie.setOrDeleteCookie)(this._refreshTokenCookieName, value.refreshToken, { maxAge: 60 * 60 * 24 * 365, noOpIfServerComponent: true }),
-                (0, import_cookie.setOrDeleteCookie)(this._accessTokenCookieName, value.accessToken ? JSON.stringify([value.refreshToken, value.accessToken]) : null, { maxAge: 60 * 60 * 24, noOpIfServerComponent: true })
+                (0, import_cookie.setOrDeleteCookie)(defaultName, refreshCookieValue, { maxAge: 60 * 60 * 24 * 365, noOpIfServerComponent: true }),
+                (0, import_cookie.setOrDeleteCookie)(this._accessTokenCookieName, accessTokenPayload, { maxAge: 60 * 60 * 24, noOpIfServerComponent: true })
               ]);
+              if (cookieNamesToDelete.length > 0) {
+                await Promise.all(
+                  cookieNamesToDelete.map(
+                    (name) => (0, import_cookie.setOrDeleteCookie)(name, null, { noOpIfServerComponent: true })
+                  )
+                );
+              }
+              this._queueCustomRefreshCookieUpdate(refreshToken, updatedAt, "server");
             });
           });
           return store;
@@ -454,11 +647,7 @@ var __StackClientAppImplIncomplete = class __StackClientAppImplIncomplete {
           }
           const cookieHeader = tokenStoreInit.headers.get("cookie");
           const parsed = cookie.parse(cookieHeader || "");
-          const res = new import_stores.Store({
-            refreshToken: parsed[this._refreshTokenCookieName] || parsed["stack-refresh"] || null,
-            // keep old cookie name for backwards-compatibility
-            accessToken: parsed[this._accessTokenCookieName] || null
-          });
+          const res = new import_stores.Store(this._getTokensFromCookies(parsed));
           this._requestTokenStores.set(tokenStoreInit, res);
           return res;
         } else if ("accessToken" in tokenStoreInit || "refreshToken" in tokenStoreInit) {
@@ -804,35 +993,6 @@ var __StackClientAppImplIncomplete = class __StackClientAppImplIncomplete {
         const tokens = await this.currentSession.getTokens();
         return tokens;
       },
-      async registerPasskey(options) {
-        const hostname = (await app._getCurrentUrl())?.hostname;
-        if (!hostname) {
-          throw new import_errors.StackAssertionError("hostname must be provided if the Stack App does not have a redirect method");
-        }
-        const initiationResult = await app._interface.initiatePasskeyRegistration({}, session);
-        if (initiationResult.status !== "ok") {
-          return import_results.Result.error(new import_stack_shared.KnownErrors.PasskeyRegistrationFailed("Failed to get initiation options for passkey registration"));
-        }
-        const { options_json, code } = initiationResult.data;
-        if (options_json.rp.id !== "THIS_VALUE_WILL_BE_REPLACED.example.com") {
-          throw new import_errors.StackAssertionError(`Expected returned RP ID from server to equal sentinel, but found ${options_json.rp.id}`);
-        }
-        options_json.rp.id = hostname;
-        let attResp;
-        try {
-          attResp = await (0, import_browser.startRegistration)({ optionsJSON: options_json });
-        } catch (error) {
-          if (error instanceof import_browser.WebAuthnError) {
-            return import_results.Result.error(new import_stack_shared.KnownErrors.PasskeyWebAuthnError(error.message, error.name));
-          } else {
-            (0, import_errors.captureError)("passkey-registration-failed", error);
-            return import_results.Result.error(new import_stack_shared.KnownErrors.PasskeyRegistrationFailed("Failed to start passkey registration due to unknown error"));
-          }
-        }
-        const registrationResult = await app._interface.registerPasskey({ credential: attResp, code }, session);
-        await app._refreshUser(session);
-        return registrationResult;
-      },
       signOut(options) {
         return app._signOut(session, options);
       }
@@ -1081,6 +1241,35 @@ var __StackClientAppImplIncomplete = class __StackClientAppImplIncomplete {
       async getOAuthProvider(id) {
         const providers = await this.listOAuthProviders();
         return providers.find((p) => p.id === id) ?? null;
+      },
+      async registerPasskey(options) {
+        const hostname = (await app._getCurrentUrl())?.hostname;
+        if (!hostname) {
+          throw new import_errors.StackAssertionError("hostname must be provided if the Stack App does not have a redirect method");
+        }
+        const initiationResult = await app._interface.initiatePasskeyRegistration({}, session);
+        if (initiationResult.status !== "ok") {
+          return import_results.Result.error(new import_stack_shared.KnownErrors.PasskeyRegistrationFailed("Failed to get initiation options for passkey registration"));
+        }
+        const { options_json, code } = initiationResult.data;
+        if (options_json.rp.id !== "THIS_VALUE_WILL_BE_REPLACED.example.com") {
+          throw new import_errors.StackAssertionError(`Expected returned RP ID from server to equal sentinel, but found ${options_json.rp.id}`);
+        }
+        options_json.rp.id = hostname;
+        let attResp;
+        try {
+          attResp = await (0, import_browser.startRegistration)({ optionsJSON: options_json });
+        } catch (error) {
+          if (error instanceof import_browser.WebAuthnError) {
+            return import_results.Result.error(new import_stack_shared.KnownErrors.PasskeyWebAuthnError(error.message, error.name));
+          } else {
+            (0, import_errors.captureError)("passkey-registration-failed", error);
+            return import_results.Result.error(new import_stack_shared.KnownErrors.PasskeyRegistrationFailed("Failed to start passkey registration due to unknown error"));
+          }
+        }
+        const registrationResult = await app._interface.registerPasskey({ credential: attResp, code }, session);
+        await app._refreshUser(session);
+        return registrationResult;
       }
     };
   }
@@ -1854,10 +2043,22 @@ ${url}`);
     });
   }
   async signOut(options) {
-    const user = await this.getUser();
+    const user = await this.getUser({ tokenStore: options?.tokenStore ?? void 0 });
+    if (user) {
+      await user.signOut({ redirectUrl: options?.redirectUrl });
+    }
+  }
+  async getAuthHeaders(options) {
+    return {
+      "x-stack-auth": JSON.stringify(await this.getAuthJson(options))
+    };
+  }
+  async getAuthJson(options) {
+    const user = await this.getUser({ tokenStore: options?.tokenStore ?? void 0 });
     if (user) {
-      await user.signOut(options);
+      return await user.getAuthJson();
     }
+    return { accessToken: null, refreshToken: null };
   }
   async getProject() {
     const crud = import_results.Result.orThrow(await this._currentProjectCache.getOrWait([], "write-only"));