@stackframe/stack 2.8.48 → 2.8.51

package/dist/esm/lib/stack-app/apps/implementations/client-app-impl.js

@@ -2,6 +2,7 @@
 import { WebAuthnError, startAuthentication, startRegistration } from "@simplewebauthn/browser";
 import { KnownErrors, StackClientInterface } from "@stackframe/stack-shared";
 import { InternalSession } from "@stackframe/stack-shared/dist/sessions";
+import { encodeBase32 } from "@stackframe/stack-shared/dist/utils/bytes";
 import { scrambleDuringCompileTime } from "@stackframe/stack-shared/dist/utils/compile-time";
 import { isBrowserLike } from "@stackframe/stack-shared/dist/utils/env";
 import { StackAssertionError, captureError, throwErr } from "@stackframe/stack-shared/dist/utils/errors";
@@ -19,7 +20,7 @@ import * as NextNavigationUnscrambled from "next/navigation";
 import React, { useCallback, useMemo } from "react";
 import { constructRedirectUrl } from "../../../../utils/url.js";
 import { addNewOAuthProviderOrScope, callOAuthCallback, signInWithOAuth } from "../../../auth.js";
-import { createBrowserCookieHelper, createCookieHelper, createPlaceholderCookieHelper, deleteCookieClient, getCookieClient, setOrDeleteCookie, setOrDeleteCookieClient } from "../../../cookie.js";
+import { createBrowserCookieHelper, createCookieHelper, createPlaceholderCookieHelper, deleteCookieClient, isSecure as isSecureCookieContext, setOrDeleteCookie, setOrDeleteCookieClient } from "../../../cookie.js";
 import { apiKeyCreationOptionsToCrud } from "../../api-keys/index.js";
 import { stackAppInternalsSymbol } from "../../common.js";
 import { contactChannelCreateOptionsToCrud, contactChannelUpdateOptionsToCrud } from "../../contact-channels/index.js";
@@ -27,6 +28,7 @@ import { adminProjectCreateOptionsToCrud } from "../../projects/index.js";
 import { teamCreateOptionsToCrud, teamUpdateOptionsToCrud } from "../../teams/index.js";
 import { attachUserDestructureGuard, userUpdateOptionsToCrud } from "../../users/index.js";
 import { clientVersion, createCache, createCacheBySession, createEmptyTokenStore, getBaseUrl, getDefaultExtraRequestHeaders, getDefaultProjectId, getDefaultPublishableClientKey, getUrls, resolveConstructorOptions } from "./common.js";
+import { parseJson } from "@stackframe/stack-shared/dist/utils/json";
 import { useAsyncCache } from "./common.js";
 import * as sc from "@stackframe/stack-sc";
 import { cookies } from "@stackframe/stack-sc";
@@ -180,11 +182,15 @@ var __StackClientAppImplIncomplete = class __StackClientAppImplIncomplete {
     this._convexPartialUserCache = createCache(
       async ([ctx]) => await this._getPartialUserFromConvex(ctx)
     );
+    this._trustedParentDomainCache = createCache(
+      async ([domain]) => await this._getTrustedParentDomain(domain)
+    );
     this._anonymousSignUpInProgress = null;
     this._memoryTokenStore = createEmptyTokenStore();
     this._nextServerCookiesTokenStores = /* @__PURE__ */ new WeakMap();
     this._requestTokenStores = /* @__PURE__ */ new WeakMap();
     this._storedBrowserCookieTokenStore = null;
+    this._mostRecentQueuedCookieRefreshIndex = 0;
     /**
      * A map from token stores and session keys to sessions.
      *
@@ -200,13 +206,17 @@ var __StackClientAppImplIncomplete = class __StackClientAppImplIncomplete {
     }
     this._options = resolvedOptions;
     this._extraOptions = extraOptions;
+    const projectId = resolvedOptions.projectId ?? getDefaultProjectId();
+    if (projectId !== "internal" && !projectId.match(/^[0-9a-f]{8}-[0-9a-f]{4}-[1-8][0-9a-f]{3}-[089ab][0-9a-f]{3}-[0-9a-f]{12}$/i)) {
+      throw new Error(`Invalid project ID: ${projectId}. Project IDs must be UUIDs. Please check your environment variables and/or your StackApp.`);
+    }
     if (extraOptions && extraOptions.interface) {
       this._interface = extraOptions.interface;
     } else {
       this._interface = new StackClientInterface({
         getBaseUrl: () => getBaseUrl(resolvedOptions.baseUrl),
         extraRequestHeaders: resolvedOptions.extraRequestHeaders ?? getDefaultExtraRequestHeaders(),
-        projectId: resolvedOptions.projectId ?? getDefaultProjectId(),
+        projectId,
         clientVersion,
         publishableClientKey: resolvedOptions.publishableClientKey ?? getDefaultPublishableClientKey(),
         prepareRequest: async () => {
@@ -309,13 +319,90 @@ var __StackClientAppImplIncomplete = class __StackClientAppImplIncomplete {
     runAsynchronously(this._checkFeatureSupport(name, options));
     throw new StackAssertionError(`${name} is not currently supported. Please reach out to Stack support for more information.`);
   }
+  get _legacyRefreshTokenCookieName() {
+    return `stack-refresh-${this.projectId}`;
+  }
   get _refreshTokenCookieName() {
     return `stack-refresh-${this.projectId}`;
   }
+  _getRefreshTokenDefaultCookieNameForSecure(secure) {
+    return `${secure ? "__Host-" : ""}${this._refreshTokenCookieName}--default`;
+  }
+  _getCustomRefreshCookieName(domain) {
+    const encoded = encodeBase32(new TextEncoder().encode(domain.toLowerCase()));
+    return `${this._refreshTokenCookieName}--custom-${encoded}`;
+  }
+  _formatRefreshCookieValue(refreshToken, updatedAt) {
+    return JSON.stringify({
+      refresh_token: refreshToken,
+      updated_at_millis: updatedAt
+    });
+  }
+  _formatAccessCookieValue(refreshToken, accessToken) {
+    return refreshToken && accessToken ? JSON.stringify([refreshToken, accessToken]) : null;
+  }
+  _parseStructuredRefreshCookie(value) {
+    if (!value) {
+      return null;
+    }
+    const parsed = parseJson(value);
+    if (parsed.status !== "ok" || typeof parsed.data !== "object" || parsed.data === null) {
+      console.warn("Failed to parse structured refresh cookie");
+      return null;
+    }
+    const data = parsed.data;
+    const refreshToken = "refresh_token" in data && typeof data.refresh_token === "string" ? data.refresh_token : null;
+    const updatedAt = "updated_at_millis" in data && typeof data.updated_at_millis === "number" ? data.updated_at_millis : null;
+    if (!refreshToken) {
+      console.warn("Refresh token not found in structured refresh cookie");
+      return null;
+    }
+    return {
+      refreshToken,
+      updatedAt
+    };
+  }
+  _extractRefreshTokenFromCookieMap(cookies2) {
+    const { legacyNames, structuredPrefixes } = this._getRefreshTokenCookieNamePatterns();
+    for (const name of legacyNames) {
+      const value = cookies2[name];
+      if (value) {
+        return { refreshToken: value, updatedAt: null };
+      }
+    }
+    let selected = null;
+    for (const [name, value] of Object.entries(cookies2)) {
+      if (!structuredPrefixes.some((prefix) => name.startsWith(prefix))) continue;
+      const parsed = this._parseStructuredRefreshCookie(value);
+      if (!parsed) continue;
+      const candidateUpdatedAt = parsed.updatedAt ?? Number.NEGATIVE_INFINITY;
+      const selectedUpdatedAt = selected?.updatedAt ?? Number.NEGATIVE_INFINITY;
+      if (!selected || candidateUpdatedAt > selectedUpdatedAt) {
+        selected = parsed;
+      }
+    }
+    if (!selected) {
+      return { refreshToken: null, updatedAt: null };
+    }
+    return {
+      refreshToken: selected.refreshToken,
+      updatedAt: selected.updatedAt ?? null
+    };
+  }
   _getTokensFromCookies(cookies2) {
-    const refreshToken = cookies2.refreshTokenCookie;
-    const accessTokenObject = cookies2.accessTokenCookie?.startsWith('["') ? JSON.parse(cookies2.accessTokenCookie) : null;
-    const accessToken = accessTokenObject && refreshToken === accessTokenObject[0] ? accessTokenObject[1] : null;
+    const { refreshToken } = this._extractRefreshTokenFromCookieMap(cookies2);
+    const accessTokenCookie = cookies2[this._accessTokenCookieName] ?? null;
+    let accessToken = null;
+    if (accessTokenCookie && accessTokenCookie.startsWith('["')) {
+      const parsed = parseJson(accessTokenCookie);
+      if (parsed.status === "ok" && typeof parsed.data === "object" && parsed.data !== null && Array.isArray(parsed.data) && parsed.data.length === 2 && typeof parsed.data[0] === "string" && typeof parsed.data[1] === "string") {
+        if (parsed.data[0] === refreshToken) {
+          accessToken = parsed.data[1];
+        }
+      } else {
+        console.warn("Access token cookie has invalid format");
+      }
+    }
     return {
       refreshToken,
       accessToken
@@ -324,17 +411,100 @@ var __StackClientAppImplIncomplete = class __StackClientAppImplIncomplete {
   get _accessTokenCookieName() {
     return `stack-access`;
   }
+  _getAllBrowserCookies() {
+    if (!isBrowserLike()) {
+      throw new StackAssertionError("Cannot get browser cookies on the server!");
+    }
+    return cookie.parse(document.cookie || "");
+  }
+  _getRefreshTokenCookieNamePatterns() {
+    return {
+      legacyNames: [this._legacyRefreshTokenCookieName, "stack-refresh"],
+      structuredPrefixes: [
+        `${this._refreshTokenCookieName}--`,
+        `__Host-${this._refreshTokenCookieName}--`
+      ]
+    };
+  }
+  _collectRefreshTokenCookieNames(cookies2) {
+    const { legacyNames, structuredPrefixes } = this._getRefreshTokenCookieNamePatterns();
+    const names = /* @__PURE__ */ new Set();
+    for (const name of legacyNames) {
+      if (cookies2[name]) {
+        names.add(name);
+      }
+    }
+    for (const name of Object.keys(cookies2)) {
+      if (structuredPrefixes.some((prefix) => name.startsWith(prefix))) {
+        names.add(name);
+      }
+    }
+    return names;
+  }
+  _prepareRefreshCookieUpdate(existingCookies, refreshToken, accessToken, defaultCookieName) {
+    const cookieNames = this._collectRefreshTokenCookieNames(existingCookies);
+    cookieNames.delete(defaultCookieName);
+    const updatedAt = refreshToken ? Date.now() : null;
+    const refreshCookieValue = refreshToken && updatedAt !== null ? this._formatRefreshCookieValue(refreshToken, updatedAt) : null;
+    const accessTokenPayload = this._formatAccessCookieValue(refreshToken, accessToken);
+    return {
+      updatedAt,
+      refreshCookieValue,
+      accessTokenPayload,
+      cookieNamesToDelete: [...cookieNames]
+    };
+  }
+  _queueCustomRefreshCookieUpdate(refreshToken, updatedAt, context) {
+    runAsynchronously(async () => {
+      this._mostRecentQueuedCookieRefreshIndex++;
+      const updateIndex = this._mostRecentQueuedCookieRefreshIndex;
+      let hostname;
+      if (isBrowserLike()) {
+        hostname = window.location.hostname;
+      } else {
+        hostname = (await sc.headers?.())?.get("host");
+      }
+      if (!hostname) {
+        console.warn("No hostname found when queueing custom refresh cookie update");
+        return;
+      }
+      const domain = await this._trustedParentDomainCache.getOrWait([hostname], "read-write");
+      const setCookie = async (targetDomain, value2) => {
+        const name = this._getCustomRefreshCookieName(targetDomain);
+        const options = { maxAge: 60 * 60 * 24 * 365, domain: targetDomain, noOpIfServerComponent: true };
+        if (context === "browser") {
+          setOrDeleteCookieClient(name, value2, options);
+        } else {
+          await setOrDeleteCookie(name, value2, options);
+        }
+      };
+      if (domain.status === "error" || !domain.data || updateIndex !== this._mostRecentQueuedCookieRefreshIndex) {
+        return;
+      }
+      const value = refreshToken && updatedAt ? this._formatRefreshCookieValue(refreshToken, updatedAt) : null;
+      await setCookie(domain.data, value);
+    });
+  }
+  async _getTrustedParentDomain(currentDomain) {
+    const project = Result.orThrow(await this._interface.getClientProject());
+    const domains = project.config.domains.map((d) => d.domain.trim().replace(/^https?:\/\//, "").split("/")[0]?.toLowerCase());
+    const trustedWildcards = domains.filter((d) => d.startsWith("**."));
+    const parts = currentDomain.split(".");
+    for (let i = parts.length - 2; i >= 0; i--) {
+      const parentDomain = parts.slice(i).join(".");
+      if (domains.includes(parentDomain) && trustedWildcards.includes("**." + parentDomain)) {
+        return parentDomain;
+      }
+    }
+    return null;
+  }
   _getBrowserCookieTokenStore() {
     if (!isBrowserLike()) {
       throw new Error("Cannot use cookie token store on the server!");
     }
     if (this._storedBrowserCookieTokenStore === null) {
       const getCurrentValue = (old) => {
-        const tokens = this._getTokensFromCookies({
-          refreshTokenCookie: getCookieClient(this._refreshTokenCookieName) ?? getCookieClient("stack-refresh"),
-          // keep old cookie name for backwards-compatibility
-          accessTokenCookie: getCookieClient(this._accessTokenCookieName)
-        });
+        const tokens = this._getTokensFromCookies(this._getAllBrowserCookies());
         return {
           refreshToken: tokens.refreshToken,
           accessToken: tokens.accessToken ?? (old?.refreshToken === tokens.refreshToken ? old.accessToken : null)
@@ -353,9 +523,19 @@ var __StackClientAppImplIncomplete = class __StackClientAppImplIncomplete {
       }, 100);
       this._storedBrowserCookieTokenStore.onChange((value) => {
         try {
-          setOrDeleteCookieClient(this._refreshTokenCookieName, value.refreshToken, { maxAge: 60 * 60 * 24 * 365 });
-          setOrDeleteCookieClient(this._accessTokenCookieName, value.accessToken ? JSON.stringify([value.refreshToken, value.accessToken]) : null, { maxAge: 60 * 60 * 24 });
-          deleteCookieClient("stack-refresh");
+          const refreshToken = value.refreshToken;
+          const secure = window.location.protocol === "https:";
+          const defaultName = this._getRefreshTokenDefaultCookieNameForSecure(secure);
+          const { updatedAt, refreshCookieValue, accessTokenPayload, cookieNamesToDelete } = this._prepareRefreshCookieUpdate(
+            this._getAllBrowserCookies(),
+            refreshToken,
+            value.accessToken ?? null,
+            defaultName
+          );
+          setOrDeleteCookieClient(defaultName, refreshCookieValue, { maxAge: 60 * 60 * 24 * 365, secure });
+          setOrDeleteCookieClient(this._accessTokenCookieName, accessTokenPayload, { maxAge: 60 * 60 * 24 });
+          cookieNamesToDelete.forEach((name) => deleteCookieClient(name));
+          this._queueCustomRefreshCookieUpdate(refreshToken, updatedAt, "browser");
           hasSucceededInWriting = true;
         } catch (e) {
           if (!isBrowserLike()) {
@@ -378,18 +558,31 @@ var __StackClientAppImplIncomplete = class __StackClientAppImplIncomplete {
         if (isBrowserLike()) {
           return this._getBrowserCookieTokenStore();
         } else {
-          const tokens = this._getTokensFromCookies({
-            refreshTokenCookie: cookieHelper.get(this._refreshTokenCookieName) ?? cookieHelper.get("stack-refresh"),
-            // keep old cookie name for backwards-compatibility
-            accessTokenCookie: cookieHelper.get(this._accessTokenCookieName)
-          });
+          const tokens = this._getTokensFromCookies(cookieHelper.getAll());
           const store = new Store(tokens);
           store.onChange((value) => {
             runAsynchronously(async () => {
+              const refreshToken = value.refreshToken;
+              const secure = await isSecureCookieContext();
+              const defaultName = this._getRefreshTokenDefaultCookieNameForSecure(secure);
+              const { updatedAt, refreshCookieValue, accessTokenPayload, cookieNamesToDelete } = this._prepareRefreshCookieUpdate(
+                cookieHelper.getAll(),
+                refreshToken,
+                value.accessToken ?? null,
+                defaultName
+              );
               await Promise.all([
-                setOrDeleteCookie(this._refreshTokenCookieName, value.refreshToken, { maxAge: 60 * 60 * 24 * 365, noOpIfServerComponent: true }),
-                setOrDeleteCookie(this._accessTokenCookieName, value.accessToken ? JSON.stringify([value.refreshToken, value.accessToken]) : null, { maxAge: 60 * 60 * 24, noOpIfServerComponent: true })
+                setOrDeleteCookie(defaultName, refreshCookieValue, { maxAge: 60 * 60 * 24 * 365, noOpIfServerComponent: true }),
+                setOrDeleteCookie(this._accessTokenCookieName, accessTokenPayload, { maxAge: 60 * 60 * 24, noOpIfServerComponent: true })
               ]);
+              if (cookieNamesToDelete.length > 0) {
+                await Promise.all(
+                  cookieNamesToDelete.map(
+                    (name) => setOrDeleteCookie(name, null, { noOpIfServerComponent: true })
+                  )
+                );
+              }
+              this._queueCustomRefreshCookieUpdate(refreshToken, updatedAt, "server");
             });
           });
           return store;
@@ -420,11 +613,7 @@ var __StackClientAppImplIncomplete = class __StackClientAppImplIncomplete {
           }
           const cookieHeader = tokenStoreInit.headers.get("cookie");
           const parsed = cookie.parse(cookieHeader || "");
-          const res = new Store({
-            refreshToken: parsed[this._refreshTokenCookieName] || parsed["stack-refresh"] || null,
-            // keep old cookie name for backwards-compatibility
-            accessToken: parsed[this._accessTokenCookieName] || null
-          });
+          const res = new Store(this._getTokensFromCookies(parsed));
           this._requestTokenStores.set(tokenStoreInit, res);
           return res;
         } else if ("accessToken" in tokenStoreInit || "refreshToken" in tokenStoreInit) {
@@ -770,35 +959,6 @@ var __StackClientAppImplIncomplete = class __StackClientAppImplIncomplete {
         const tokens = await this.currentSession.getTokens();
         return tokens;
       },
-      async registerPasskey(options) {
-        const hostname = (await app._getCurrentUrl())?.hostname;
-        if (!hostname) {
-          throw new StackAssertionError("hostname must be provided if the Stack App does not have a redirect method");
-        }
-        const initiationResult = await app._interface.initiatePasskeyRegistration({}, session);
-        if (initiationResult.status !== "ok") {
-          return Result.error(new KnownErrors.PasskeyRegistrationFailed("Failed to get initiation options for passkey registration"));
-        }
-        const { options_json, code } = initiationResult.data;
-        if (options_json.rp.id !== "THIS_VALUE_WILL_BE_REPLACED.example.com") {
-          throw new StackAssertionError(`Expected returned RP ID from server to equal sentinel, but found ${options_json.rp.id}`);
-        }
-        options_json.rp.id = hostname;
-        let attResp;
-        try {
-          attResp = await startRegistration({ optionsJSON: options_json });
-        } catch (error) {
-          if (error instanceof WebAuthnError) {
-            return Result.error(new KnownErrors.PasskeyWebAuthnError(error.message, error.name));
-          } else {
-            captureError("passkey-registration-failed", error);
-            return Result.error(new KnownErrors.PasskeyRegistrationFailed("Failed to start passkey registration due to unknown error"));
-          }
-        }
-        const registrationResult = await app._interface.registerPasskey({ credential: attResp, code }, session);
-        await app._refreshUser(session);
-        return registrationResult;
-      },
       signOut(options) {
         return app._signOut(session, options);
       }
@@ -1047,6 +1207,35 @@ var __StackClientAppImplIncomplete = class __StackClientAppImplIncomplete {
       async getOAuthProvider(id) {
         const providers = await this.listOAuthProviders();
         return providers.find((p) => p.id === id) ?? null;
+      },
+      async registerPasskey(options) {
+        const hostname = (await app._getCurrentUrl())?.hostname;
+        if (!hostname) {
+          throw new StackAssertionError("hostname must be provided if the Stack App does not have a redirect method");
+        }
+        const initiationResult = await app._interface.initiatePasskeyRegistration({}, session);
+        if (initiationResult.status !== "ok") {
+          return Result.error(new KnownErrors.PasskeyRegistrationFailed("Failed to get initiation options for passkey registration"));
+        }
+        const { options_json, code } = initiationResult.data;
+        if (options_json.rp.id !== "THIS_VALUE_WILL_BE_REPLACED.example.com") {
+          throw new StackAssertionError(`Expected returned RP ID from server to equal sentinel, but found ${options_json.rp.id}`);
+        }
+        options_json.rp.id = hostname;
+        let attResp;
+        try {
+          attResp = await startRegistration({ optionsJSON: options_json });
+        } catch (error) {
+          if (error instanceof WebAuthnError) {
+            return Result.error(new KnownErrors.PasskeyWebAuthnError(error.message, error.name));
+          } else {
+            captureError("passkey-registration-failed", error);
+            return Result.error(new KnownErrors.PasskeyRegistrationFailed("Failed to start passkey registration due to unknown error"));
+          }
+        }
+        const registrationResult = await app._interface.registerPasskey({ credential: attResp, code }, session);
+        await app._refreshUser(session);
+        return registrationResult;
       }
     };
   }
@@ -1820,10 +2009,22 @@ ${url}`);
     });
   }
   async signOut(options) {
-    const user = await this.getUser();
+    const user = await this.getUser({ tokenStore: options?.tokenStore ?? void 0 });
+    if (user) {
+      await user.signOut({ redirectUrl: options?.redirectUrl });
+    }
+  }
+  async getAuthHeaders(options) {
+    return {
+      "x-stack-auth": JSON.stringify(await this.getAuthJson(options))
+    };
+  }
+  async getAuthJson(options) {
+    const user = await this.getUser({ tokenStore: options?.tokenStore ?? void 0 });
     if (user) {
-      await user.signOut(options);
+      return await user.getAuthJson();
     }
+    return { accessToken: null, refreshToken: null };
   }
   async getProject() {
     const crud = Result.orThrow(await this._currentProjectCache.getOrWait([], "write-only"));