@stackframe/stack 2.8.56 → 2.8.59

package/dist/lib/cookie.js.map

@@ -1 +1 @@
-{"version":3,"sources":["../../src/lib/cookie.ts"],"sourcesContent":["\n//===========================================\n// THIS FILE IS AUTO-GENERATED FROM TEMPLATE. DO NOT EDIT IT DIRECTLY\n//===========================================\nimport { cookies as rscCookies, headers as rscHeaders } from '@stackframe/stack-sc/force-react-server'; // THIS_LINE_PLATFORM next\nimport { isBrowserLike } from '@stackframe/stack-shared/dist/utils/env';\nimport { StackAssertionError } from '@stackframe/stack-shared/dist/utils/errors';\nimport Cookies from \"js-cookie\";\nimport { calculatePKCECodeChallenge, generateRandomCodeVerifier, generateRandomState } from \"oauth4webapi\";\n\n\n// INFO: This file is used to manage cookies. It also sets some cookie flags automatically, see this description.\n//\n// It provides asynchronous setCookie, getCookie, deleteCookie, etc. functions that can be used in various environments\n// (browser + Next.js for now). Under the hood, they just get a CookieHelper object and then set the cookies there.\n//\n// The CookieHelper object is a simple object that lets you set, get and delete cookies synchronously. Acquiring one\n// is asynchronous (except for browser environments, where they can be acquired synchronously), but once you have it,\n// you can use it synchronously. This function is useful if you cannot await in the calling code, but otherwise you\n// should prefer to await the functions directly.\n//\n// Some cookie flags are set automatically by the CookieHelper (and hence also the <xyz>Cookie functions).\n// In particular:\n//  - SameSite is set to `Lax` by default, which is already true in Chromium-based browsers, so this creates\n//    compatibility with other browsers that use either Strict or None (particularly Safari and Firefox, and older\n//    versions of Chrome). If Partitioned is automatically set (as described below), then this value is set to `None`\n//    instead.\n//  - Secure is set depending on whether we could successfully determine that the client is on HTTPS. For this, we use a\n//    set of heuristics:\n//     - In a browser environment, we check window.location.protocol which is always accurate\n//     - In a Next.js server environment:\n//        - First we check the `stack-is-https` cookie, which is set in various places on the\n//          client with a Secure attribute. If that one is passed on to the server, we know that the client is on HTTPS\n//          and we can set the Secure flag on the cookie. TODO: Should we also do this with a second cookie with a\n//          __Host- prefix, so a malicious subdomain of the current domain cannot forcibly enable HTTPS mode and\n//          therefore prevent new cookies from being set?\n//        - Otherwise, we check the X-Forwarded-Proto header. If that one is `https`, we know that the client is\n//          (pretending to be) on HTTPS and we can set the Secure flag on the cookie. Note that this header is\n//          spoofable by malicious clients (so is the cookie actually), but since setting this value can only *increase*\n//          security (and therefore prevent setting of a cookie), and requires a malicious client, this is still safe.\n//        - If neither of the above is true, we don't set the Secure flag on the cookie.\n//  - Partitioned is set depending on whether it is needed & supported. Unfortunately, the fact that Partitioned\n//    cookies require SameSite=None, browsers that don't support it will still set them as normal third-party cookies,\n//    which are fundamentally unsafe. Therefore, we need to take extra care that we only ever set Partitioned cookies\n//    if we know for sure that the browser supports it.\n//    - In a browser environment, we check:\n//       - Whether `Secure` is set. If it's not, we don't set Partitioned.\n//       - Whether we can set & retrieve cookies without Partitioned being set. If this is the case, we are likely in a\n//         top-level context or a browser that partitions cookies by default (eg. Firefox). In this case, we don't need\n//         Partitioned and can just proceed as normal.\n//       - Whether CHIPS is supported. To prevent the case where CHIPS is not supported but third-party cookies are (in\n//         which we would accidentally set SameSite=None without Partitioned as the latter requires the former), we\n//         check this by running a simple test with document.cookie.\n//       - Whether the browser supports Partitioned cookies. If yes, set Partitioned. Otherwise, don't set Partitioned.\n//         Since there's no easy cross-compat way to do this (CookieStore and document.cookie do not return whether a\n//         cookie is partitioned on some/all versions of Safari and Firefox), we use a heuristic; we run this test by\n//         creating two cookies with the same name: One with Partitioned and one without. If there are two resulting\n//         cookies, that means they were put into different jars, implying that the browser supports Partitioned cookies\n//         (but doesn't partition cookies by default). If they result in just one cookie, that could mean that the\n//         browser doesn't support Partitioned cookies, or that the browser doesn't put partitioned cookies into\n//         different jars by default, in which case we still don't know. This heuristic works on Chrome, but may\n//         incorrectly conclude that some other browsers don't support Partitioned. But from a security perspective,\n//         that is better than accidentally setting SameSite=None without Partitioned. TODO: Find a better heuristic to\n//         to determine whether the browser supports Partitioned cookies or not.\n//    - In a Next.js server environment, right now we do nothing because of the complexity involved :( TODO: In the\n//      future, we could improve this for example by setting hint cookies from the client, but we need to make sure that\n//      no malicious actor (eg. on a malicious subdomain) can forcefully enable Partitioned cookies on a browser that\n//      does not support it.\n\n\ntype SetCookieOptions = { maxAge: number | \"session\", noOpIfServerComponent?: boolean, domain?: string, secure?: boolean };\ntype DeleteCookieOptions = { noOpIfServerComponent?: boolean, domain?: string };\n\nfunction ensureClient() {\n  if (!isBrowserLike()) {\n    throw new Error(\"cookieClient functions can only be called in a browser environment, yet window is undefined\");\n  }\n}\n\nexport type CookieHelper = {\n  get: (name: string) => string | null,\n  getAll: () => Record<string, string>,\n  set: (name: string, value: string, options: SetCookieOptions) => void,\n  setOrDelete: (name: string, value: string | null, options: SetCookieOptions & DeleteCookieOptions) => void,\n  delete: (name: string, options: DeleteCookieOptions) => void,\n};\n\nconst placeholderCookieHelperIdentity = { \"placeholder cookie helper identity\": true };\nexport async function createPlaceholderCookieHelper(): Promise<CookieHelper> {\n  function throwError(): never {\n    throw new StackAssertionError(\"Throwing cookie helper is just a placeholder. This should never be called\");\n  }\n  return {\n    get: throwError,\n    getAll: throwError,\n    set: throwError,\n    setOrDelete: throwError,\n    delete: throwError,\n  };\n}\n\nexport async function createCookieHelper(): Promise<CookieHelper> {\n  if (isBrowserLike()) {\n    return createBrowserCookieHelper();\n  } else {\n    return createNextCookieHelper(\n      await rscCookies(),\n      await rscHeaders(),\n    );\n  }\n}\n\nexport function createBrowserCookieHelper(): CookieHelper {\n  return {\n    get: getCookieClient,\n    getAll: getAllCookiesClient,\n    set: setCookieClient,\n    setOrDelete: setOrDeleteCookieClient,\n    delete: deleteCookieClient,\n  };\n}\n\nfunction handleCookieError(e: unknown, options: DeleteCookieOptions | SetCookieOptions) {\n  if (e instanceof Error && e.message.includes(\"Cookies can only be modified in\")) {\n    if (options.noOpIfServerComponent) {\n      // ignore\n    } else {\n      throw new StackAssertionError(\"Attempted to set cookie in server component. Pass { noOpIfServerComponent: true } in the options of Stack's cookie functions if this is intentional and you want to ignore this error. Read more: https://nextjs.org/docs/app/api-reference/functions/cookies#options\");\n    }\n  } else {\n    throw e;\n  }\n}\n\nfunction createNextCookieHelper(\n  rscCookiesAwaited: Awaited<ReturnType<typeof rscCookies>>,\n  rscHeadersAwaited: Awaited<ReturnType<typeof rscHeaders>>,\n): CookieHelper {\n  const cookieHelper = {\n    get: (name: string) => {\n      const all = cookieHelper.getAll();\n      return all[name] ?? null;\n    },\n    getAll: () => {\n      // set a helper cookie, see comment in `NextCookieHelper.set` below\n      try {\n        rscCookiesAwaited.set(\"stack-is-https\", \"true\", { secure: true, expires: new Date(Date.now() + 1000 * 60 * 60 * 24 * 365) });\n      } catch (e) {\n        if (\n          typeof e === 'object'\n          && e !== null\n          && 'message' in e\n          && typeof e.message === 'string'\n          && e.message.includes('Cookies can only be modified in a Server Action or Route Handler')\n        ) {\n          // ignore\n        } else {\n          throw e;\n        }\n      }\n      const all = rscCookiesAwaited.getAll();\n      return all.reduce((acc, entry) => {\n        acc[entry.name] = entry.value;\n        return acc;\n      }, {} as Record<string, string>);\n    },\n    set: (name: string, value: string, options: SetCookieOptions) => {\n      // Whenever the client is on HTTPS, we want to set the Secure flag on the cookie.\n      //\n      // This is not easy to find out on a Next.js server, so see the algorithm at the top of this file.\n      //\n      // Note that malicious clients could theoretically manipulate the `stack-is-https` cookie or\n      // the `X-Forwarded-Proto` header; that wouldn't cause any trouble except for themselves,\n      // though.\n      const isSecureCookie = determineSecureFromServerContext(rscCookiesAwaited, rscHeadersAwaited);\n\n      try {\n        rscCookiesAwaited.set(name, value, {\n          secure: isSecureCookie,\n          maxAge: options.maxAge === \"session\" ? undefined : options.maxAge,\n          domain: options.domain,\n          sameSite: \"lax\",\n        });\n      } catch (e) {\n        handleCookieError(e, options);\n      }\n    },\n    setOrDelete(name: string, value: string | null, options: SetCookieOptions & DeleteCookieOptions) {\n      if (value === null) {\n        this.delete(name, options);\n      } else {\n        this.set(name, value, options);\n      }\n    },\n    delete(name: string, options: DeleteCookieOptions) {\n      try {\n        if (options.domain !== undefined) {\n          rscCookiesAwaited.delete({ name, domain: options.domain });\n        } else {\n          rscCookiesAwaited.delete(name);\n        }\n      } catch (e) {\n        handleCookieError(e, options);\n      }\n    },\n  };\n  return cookieHelper;\n}\n\nexport function getCookieClient(name: string): string | null {\n  const all = getAllCookiesClient();\n  return all[name] ?? null;\n}\n\nexport function getAllCookiesClient(): Record<string, string> {\n  ensureClient();\n  // set a helper cookie, see comment in `NextCookieHelper.set` above\n  Cookies.set(\"stack-is-https\", \"true\", { secure: true, expires: new Date(Date.now() + 1000 * 60 * 60 * 24 * 365) });\n  return Cookies.get();\n}\n\nexport async function getCookie(name: string): Promise<string | null> {\n  const cookieHelper = await createCookieHelper();\n  return cookieHelper.get(name);\n}\n\nexport async function isSecure(): Promise<boolean> {\n  if (isBrowserLike()) {\n    return determineSecureFromClientContext();\n  }\n  return determineSecureFromServerContext(await rscCookies(), await rscHeaders());\n  return false;\n}\n\nfunction determineSecureFromClientContext(): boolean {\n  return typeof window !== \"undefined\" && window.location.protocol === \"https:\";\n}\nfunction determineSecureFromServerContext(\n  cookies: Awaited<ReturnType<typeof rscCookies>>,\n  headers: Awaited<ReturnType<typeof rscHeaders>>,\n): boolean {\n  // see the algorithm at the top of this file\n  // TODO: We should probably also check that the stack-is-https cookie has a Secure attribute itself,\n  // TODO: We should consider adding another cookie __Host-stack-is-https, see the comment in the algorithm at the top of this file\n  return cookies.has(\"stack-is-https\") || headers.get(\"x-forwarded-proto\") === \"https\";\n}\n\n\nlet _shouldSetPartitionedClientCache: boolean | undefined = undefined;\nfunction shouldSetPartitionedClient() {\n  return _shouldSetPartitionedClientCache ??= _internalShouldSetPartitionedClient();\n}\nfunction _internalShouldSetPartitionedClient() {\n  ensureClient();\n\n  if (!(determineSecureFromClientContext())) {\n    return false;\n  }\n\n  // check whether we can set & retrieve normal cookies (either because we're on a top-level/same-origin context or the browser partitions cookies by default)\n  const cookie1Name = \"__Host-stack-temporary-chips-test-\" + Math.random().toString(36).substring(2, 15);\n  document.cookie = `${cookie1Name}=value1; Secure; path=/`;\n  const cookies1 = document.cookie.split(\"; \");\n  document.cookie = `${cookie1Name}=delete1; Secure; path=/; expires=Thu, 01 Jan 1970 00:00:00 UTC;`;\n  if (cookies1.some((c) => c.startsWith(cookie1Name + \"=\"))) {\n    return false;\n  }\n\n\n  // check whether Partitioned cookies are supported by the browser\n  // TODO: See comment at the top. Feels like we should find a better way to do this\n  const cookie2Name = \"__Host-stack-temporary-chips-test-\" + Math.random().toString(36).substring(2, 15);\n\n  // just to be safe, delete the cookie first to avoid weird RNG-prediction attacks\n  // I don't know what they look like (since this is a host cookie) but better safe than sorry\n  // (this function should be 100% bulletproof so we don't accidentally fall back to non-partitioned third party cookies on unsupported browsers)\n  document.cookie = `${cookie2Name}=delete1; Secure; SameSite=None; Partitioned; expires=Thu, 01 Jan 1970 00:00:00 UTC; path=/`;\n  document.cookie = `${cookie2Name}=delete2; Secure; SameSite=None; expires=Thu, 01 Jan 1970 00:00:00 UTC; path=/`;\n\n  // set the cookie, once partitioned and once not partitioned\n  document.cookie = `${cookie2Name}=set1; Secure; SameSite=None; Partitioned; path=/`;\n  document.cookie = `${cookie2Name}=set2; Secure; SameSite=None; path=/`;\n\n  // check if there are two cookies\n  const cookies2 = document.cookie.split(\"; \");\n  const numberOfCookiesWithThisName = cookies2.filter((c) => c.startsWith(cookie2Name + \"=\")).length;\n\n  // clean up\n  document.cookie = `${cookie2Name}=delete3; Secure; SameSite=None; Partitioned; expires=Thu, 01 Jan 1970 00:00:00 UTC; path=/`;\n  document.cookie = `${cookie2Name}=delete4; Secure; SameSite=None; expires=Thu, 01 Jan 1970 00:00:00 UTC; path=/`;\n\n  return numberOfCookiesWithThisName === 2;\n}\n\nfunction setCookieClientInternal(name: string, value: string, options: SetCookieOptions) {\n  const secure = options.secure ?? determineSecureFromClientContext();\n  const partitioned = shouldSetPartitionedClient();\n  Cookies.set(name, value, {\n    expires: options.maxAge === \"session\" ? undefined : new Date(Date.now() + (options.maxAge) * 1000),\n    domain: options.domain,\n    secure,\n    sameSite: \"Lax\",\n    ...(partitioned ? {\n      partitioned,\n      sameSite: \"None\",\n    } : {}),\n  });\n}\n\nfunction deleteCookieClientInternal(name: string, options: DeleteCookieOptions) {\n  for (const partitioned of [true, false]) {\n    if (options.domain !== undefined) {\n      Cookies.remove(name, { domain: options.domain, secure: determineSecureFromClientContext(), partitioned });\n    }\n    Cookies.remove(name, { secure: determineSecureFromClientContext(), partitioned });\n  }\n}\n\nexport function setOrDeleteCookieClient(name: string, value: string | null, options: SetCookieOptions & DeleteCookieOptions) {\n  ensureClient();\n  if (value === null) {\n    deleteCookieClientInternal(name, options);\n  } else {\n    setCookieClientInternal(name, value, options);\n  }\n}\n\nexport async function setOrDeleteCookie(name: string, value: string | null, options: SetCookieOptions & DeleteCookieOptions) {\n  const cookieHelper = await createCookieHelper();\n  cookieHelper.setOrDelete(name, value, options);\n}\n\nexport function deleteCookieClient(name: string, options: DeleteCookieOptions) {\n  ensureClient();\n  deleteCookieClientInternal(name, options);\n}\n\nexport async function deleteCookie(name: string, options: DeleteCookieOptions) {\n  const cookieHelper = await createCookieHelper();\n  cookieHelper.delete(name, options);\n}\n\nexport function setCookieClient(name: string, value: string, options: SetCookieOptions) {\n  ensureClient();\n  setCookieClientInternal(name, value, options);\n}\n\nexport async function setCookie(name: string, value: string, options: SetCookieOptions) {\n  const cookieHelper = await createCookieHelper();\n  cookieHelper.set(name, value, options);\n}\n\nexport async function saveVerifierAndState() {\n  const codeVerifier = generateRandomCodeVerifier();\n  const codeChallenge = await calculatePKCECodeChallenge(codeVerifier);\n  const state = generateRandomState();\n\n  await setCookie(\"stack-oauth-outer-\" + state, codeVerifier, { maxAge: 60 * 60 });\n\n  return {\n    codeChallenge,\n    state,\n  };\n}\n\nexport function consumeVerifierAndStateCookie(state: string) {\n  ensureClient();\n  const cookieName = \"stack-oauth-outer-\" + state;\n  const codeVerifier = getCookieClient(cookieName);\n  if (!codeVerifier) {\n    return null;\n  }\n  deleteCookieClient(cookieName, {});\n  return {\n    codeVerifier,\n  };\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAIA,gCAA6D;AAC7D,iBAA8B;AAC9B,oBAAoC;AACpC,uBAAoB;AACpB,0BAA4F;AAiE5F,SAAS,eAAe;AACtB,MAAI,KAAC,0BAAc,GAAG;AACpB,UAAM,IAAI,MAAM,6FAA6F;AAAA,EAC/G;AACF;AAWA,eAAsB,gCAAuD;AAC3E,WAAS,aAAoB;AAC3B,UAAM,IAAI,kCAAoB,2EAA2E;AAAA,EAC3G;AACA,SAAO;AAAA,IACL,KAAK;AAAA,IACL,QAAQ;AAAA,IACR,KAAK;AAAA,IACL,aAAa;AAAA,IACb,QAAQ;AAAA,EACV;AACF;AAEA,eAAsB,qBAA4C;AAChE,UAAI,0BAAc,GAAG;AACnB,WAAO,0BAA0B;AAAA,EACnC,OAAO;AACL,WAAO;AAAA,MACL,UAAM,0BAAAA,SAAW;AAAA,MACjB,UAAM,0BAAAC,SAAW;AAAA,IACnB;AAAA,EACF;AACF;AAEO,SAAS,4BAA0C;AACxD,SAAO;AAAA,IACL,KAAK;AAAA,IACL,QAAQ;AAAA,IACR,KAAK;AAAA,IACL,aAAa;AAAA,IACb,QAAQ;AAAA,EACV;AACF;AAEA,SAAS,kBAAkB,GAAY,SAAiD;AACtF,MAAI,aAAa,SAAS,EAAE,QAAQ,SAAS,iCAAiC,GAAG;AAC/E,QAAI,QAAQ,uBAAuB;AAAA,IAEnC,OAAO;AACL,YAAM,IAAI,kCAAoB,uQAAuQ;AAAA,IACvS;AAAA,EACF,OAAO;AACL,UAAM;AAAA,EACR;AACF;AAEA,SAAS,uBACP,mBACA,mBACc;AACd,QAAM,eAAe;AAAA,IACnB,KAAK,CAAC,SAAiB;AACrB,YAAM,MAAM,aAAa,OAAO;AAChC,aAAO,IAAI,IAAI,KAAK;AAAA,IACtB;AAAA,IACA,QAAQ,MAAM;AAEZ,UAAI;AACF,0BAAkB,IAAI,kBAAkB,QAAQ,EAAE,QAAQ,MAAM,SAAS,IAAI,KAAK,KAAK,IAAI,IAAI,MAAO,KAAK,KAAK,KAAK,GAAG,EAAE,CAAC;AAAA,MAC7H,SAAS,GAAG;AACV,YACE,OAAO,MAAM,YACV,MAAM,QACN,aAAa,KACb,OAAO,EAAE,YAAY,YACrB,EAAE,QAAQ,SAAS,kEAAkE,GACxF;AAAA,QAEF,OAAO;AACL,gBAAM;AAAA,QACR;AAAA,MACF;AACA,YAAM,MAAM,kBAAkB,OAAO;AACrC,aAAO,IAAI,OAAO,CAAC,KAAK,UAAU;AAChC,YAAI,MAAM,IAAI,IAAI,MAAM;AACxB,eAAO;AAAA,MACT,GAAG,CAAC,CAA2B;AAAA,IACjC;AAAA,IACA,KAAK,CAAC,MAAc,OAAe,YAA8B;AAQ/D,YAAM,iBAAiB,iCAAiC,mBAAmB,iBAAiB;AAE5F,UAAI;AACF,0BAAkB,IAAI,MAAM,OAAO;AAAA,UACjC,QAAQ;AAAA,UACR,QAAQ,QAAQ,WAAW,YAAY,SAAY,QAAQ;AAAA,UAC3D,QAAQ,QAAQ;AAAA,UAChB,UAAU;AAAA,QACZ,CAAC;AAAA,MACH,SAAS,GAAG;AACV,0BAAkB,GAAG,OAAO;AAAA,MAC9B;AAAA,IACF;AAAA,IACA,YAAY,MAAc,OAAsB,SAAiD;AAC/F,UAAI,UAAU,MAAM;AAClB,aAAK,OAAO,MAAM,OAAO;AAAA,MAC3B,OAAO;AACL,aAAK,IAAI,MAAM,OAAO,OAAO;AAAA,MAC/B;AAAA,IACF;AAAA,IACA,OAAO,MAAc,SAA8B;AACjD,UAAI;AACF,YAAI,QAAQ,WAAW,QAAW;AAChC,4BAAkB,OAAO,EAAE,MAAM,QAAQ,QAAQ,OAAO,CAAC;AAAA,QAC3D,OAAO;AACL,4BAAkB,OAAO,IAAI;AAAA,QAC/B;AAAA,MACF,SAAS,GAAG;AACV,0BAAkB,GAAG,OAAO;AAAA,MAC9B;AAAA,IACF;AAAA,EACF;AACA,SAAO;AACT;AAEO,SAAS,gBAAgB,MAA6B;AAC3D,QAAM,MAAM,oBAAoB;AAChC,SAAO,IAAI,IAAI,KAAK;AACtB;AAEO,SAAS,sBAA8C;AAC5D,eAAa;AAEb,mBAAAC,QAAQ,IAAI,kBAAkB,QAAQ,EAAE,QAAQ,MAAM,SAAS,IAAI,KAAK,KAAK,IAAI,IAAI,MAAO,KAAK,KAAK,KAAK,GAAG,EAAE,CAAC;AACjH,SAAO,iBAAAA,QAAQ,IAAI;AACrB;AAEA,eAAsB,UAAU,MAAsC;AACpE,QAAM,eAAe,MAAM,mBAAmB;AAC9C,SAAO,aAAa,IAAI,IAAI;AAC9B;AAEA,eAAsB,WAA6B;AACjD,UAAI,0BAAc,GAAG;AACnB,WAAO,iCAAiC;AAAA,EAC1C;AACA,SAAO,iCAAiC,UAAM,0BAAAF,SAAW,GAAG,UAAM,0BAAAC,SAAW,CAAC;AAC9E,SAAO;AACT;AAEA,SAAS,mCAA4C;AACnD,SAAO,OAAO,WAAW,eAAe,OAAO,SAAS,aAAa;AACvE;AACA,SAAS,iCACP,SACA,SACS;AAIT,SAAO,QAAQ,IAAI,gBAAgB,KAAK,QAAQ,IAAI,mBAAmB,MAAM;AAC/E;AAGA,IAAI,mCAAwD;AAC5D,SAAS,6BAA6B;AACpC,SAAO,qCAAqC,oCAAoC;AAClF;AACA,SAAS,sCAAsC;AAC7C,eAAa;AAEb,MAAI,CAAE,iCAAiC,GAAI;AACzC,WAAO;AAAA,EACT;AAGA,QAAM,cAAc,uCAAuC,KAAK,OAAO,EAAE,SAAS,EAAE,EAAE,UAAU,GAAG,EAAE;AACrG,WAAS,SAAS,GAAG,WAAW;AAChC,QAAM,WAAW,SAAS,OAAO,MAAM,IAAI;AAC3C,WAAS,SAAS,GAAG,WAAW;AAChC,MAAI,SAAS,KAAK,CAAC,MAAM,EAAE,WAAW,cAAc,GAAG,CAAC,GAAG;AACzD,WAAO;AAAA,EACT;AAKA,QAAM,cAAc,uCAAuC,KAAK,OAAO,EAAE,SAAS,EAAE,EAAE,UAAU,GAAG,EAAE;AAKrG,WAAS,SAAS,GAAG,WAAW;AAChC,WAAS,SAAS,GAAG,WAAW;AAGhC,WAAS,SAAS,GAAG,WAAW;AAChC,WAAS,SAAS,GAAG,WAAW;AAGhC,QAAM,WAAW,SAAS,OAAO,MAAM,IAAI;AAC3C,QAAM,8BAA8B,SAAS,OAAO,CAAC,MAAM,EAAE,WAAW,cAAc,GAAG,CAAC,EAAE;AAG5F,WAAS,SAAS,GAAG,WAAW;AAChC,WAAS,SAAS,GAAG,WAAW;AAEhC,SAAO,gCAAgC;AACzC;AAEA,SAAS,wBAAwB,MAAc,OAAe,SAA2B;AACvF,QAAM,SAAS,QAAQ,UAAU,iCAAiC;AAClE,QAAM,cAAc,2BAA2B;AAC/C,mBAAAC,QAAQ,IAAI,MAAM,OAAO;AAAA,IACvB,SAAS,QAAQ,WAAW,YAAY,SAAY,IAAI,KAAK,KAAK,IAAI,IAAK,QAAQ,SAAU,GAAI;AAAA,IACjG,QAAQ,QAAQ;AAAA,IAChB;AAAA,IACA,UAAU;AAAA,IACV,GAAI,cAAc;AAAA,MAChB;AAAA,MACA,UAAU;AAAA,IACZ,IAAI,CAAC;AAAA,EACP,CAAC;AACH;AAEA,SAAS,2BAA2B,MAAc,SAA8B;AAC9E,aAAW,eAAe,CAAC,MAAM,KAAK,GAAG;AACvC,QAAI,QAAQ,WAAW,QAAW;AAChC,uBAAAA,QAAQ,OAAO,MAAM,EAAE,QAAQ,QAAQ,QAAQ,QAAQ,iCAAiC,GAAG,YAAY,CAAC;AAAA,IAC1G;AACA,qBAAAA,QAAQ,OAAO,MAAM,EAAE,QAAQ,iCAAiC,GAAG,YAAY,CAAC;AAAA,EAClF;AACF;AAEO,SAAS,wBAAwB,MAAc,OAAsB,SAAiD;AAC3H,eAAa;AACb,MAAI,UAAU,MAAM;AAClB,+BAA2B,MAAM,OAAO;AAAA,EAC1C,OAAO;AACL,4BAAwB,MAAM,OAAO,OAAO;AAAA,EAC9C;AACF;AAEA,eAAsB,kBAAkB,MAAc,OAAsB,SAAiD;AAC3H,QAAM,eAAe,MAAM,mBAAmB;AAC9C,eAAa,YAAY,MAAM,OAAO,OAAO;AAC/C;AAEO,SAAS,mBAAmB,MAAc,SAA8B;AAC7E,eAAa;AACb,6BAA2B,MAAM,OAAO;AAC1C;AAEA,eAAsB,aAAa,MAAc,SAA8B;AAC7E,QAAM,eAAe,MAAM,mBAAmB;AAC9C,eAAa,OAAO,MAAM,OAAO;AACnC;AAEO,SAAS,gBAAgB,MAAc,OAAe,SAA2B;AACtF,eAAa;AACb,0BAAwB,MAAM,OAAO,OAAO;AAC9C;AAEA,eAAsB,UAAU,MAAc,OAAe,SAA2B;AACtF,QAAM,eAAe,MAAM,mBAAmB;AAC9C,eAAa,IAAI,MAAM,OAAO,OAAO;AACvC;AAEA,eAAsB,uBAAuB;AAC3C,QAAM,mBAAe,gDAA2B;AAChD,QAAM,gBAAgB,UAAM,gDAA2B,YAAY;AACnE,QAAM,YAAQ,yCAAoB;AAElC,QAAM,UAAU,uBAAuB,OAAO,cAAc,EAAE,QAAQ,KAAK,GAAG,CAAC;AAE/E,SAAO;AAAA,IACL;AAAA,IACA;AAAA,EACF;AACF;AAEO,SAAS,8BAA8B,OAAe;AAC3D,eAAa;AACb,QAAM,aAAa,uBAAuB;AAC1C,QAAM,eAAe,gBAAgB,UAAU;AAC/C,MAAI,CAAC,cAAc;AACjB,WAAO;AAAA,EACT;AACA,qBAAmB,YAAY,CAAC,CAAC;AACjC,SAAO;AAAA,IACL;AAAA,EACF;AACF;","names":["rscCookies","rscHeaders","Cookies"]}
+{"version":3,"sources":["../../src/lib/cookie.ts"],"sourcesContent":["\n//===========================================\n// THIS FILE IS AUTO-GENERATED FROM TEMPLATE. DO NOT EDIT IT DIRECTLY, INSTEAD EDIT THE CORRESPONDING FILE IN packages/template\n//===========================================\nimport { cookies as rscCookies, headers as rscHeaders } from '@stackframe/stack-sc/force-react-server'; // THIS_LINE_PLATFORM next\nimport { isBrowserLike } from '@stackframe/stack-shared/dist/utils/env';\nimport { StackAssertionError } from '@stackframe/stack-shared/dist/utils/errors';\nimport Cookies from \"js-cookie\";\nimport { calculatePKCECodeChallenge, generateRandomCodeVerifier, generateRandomState } from \"oauth4webapi\";\n\n\n// INFO: This file is used to manage cookies. It also sets some cookie flags automatically, see this description.\n//\n// It provides asynchronous setCookie, getCookie, deleteCookie, etc. functions that can be used in various environments\n// (browser + Next.js for now). Under the hood, they just get a CookieHelper object and then set the cookies there.\n//\n// The CookieHelper object is a simple object that lets you set, get and delete cookies synchronously. Acquiring one\n// is asynchronous (except for browser environments, where they can be acquired synchronously), but once you have it,\n// you can use it synchronously. This function is useful if you cannot await in the calling code, but otherwise you\n// should prefer to await the functions directly.\n//\n// Some cookie flags are set automatically by the CookieHelper (and hence also the <xyz>Cookie functions).\n// In particular:\n//  - SameSite is set to `Lax` by default, which is already true in Chromium-based browsers, so this creates\n//    compatibility with other browsers that use either Strict or None (particularly Safari and Firefox, and older\n//    versions of Chrome). If Partitioned is automatically set (as described below), then this value is set to `None`\n//    instead.\n//  - Secure is set depending on whether we could successfully determine that the client is on HTTPS. For this, we use a\n//    set of heuristics:\n//     - In a browser environment, we check window.location.protocol which is always accurate\n//     - In a Next.js server environment:\n//        - First we check the `stack-is-https` cookie, which is set in various places on the\n//          client with a Secure attribute. If that one is passed on to the server, we know that the client is on HTTPS\n//          and we can set the Secure flag on the cookie. TODO: Should we also do this with a second cookie with a\n//          __Host- prefix, so a malicious subdomain of the current domain cannot forcibly enable HTTPS mode and\n//          therefore prevent new cookies from being set?\n//        - Otherwise, we check the X-Forwarded-Proto header. If that one is `https`, we know that the client is\n//          (pretending to be) on HTTPS and we can set the Secure flag on the cookie. Note that this header is\n//          spoofable by malicious clients (so is the cookie actually), but since setting this value can only *increase*\n//          security (and therefore prevent setting of a cookie), and requires a malicious client, this is still safe.\n//        - If neither of the above is true, we don't set the Secure flag on the cookie.\n//  - Partitioned is set depending on whether it is needed & supported. Unfortunately, the fact that Partitioned\n//    cookies require SameSite=None, browsers that don't support it will still set them as normal third-party cookies,\n//    which are fundamentally unsafe. Therefore, we need to take extra care that we only ever set Partitioned cookies\n//    if we know for sure that the browser supports it.\n//    - In a browser environment, we check:\n//       - Whether `Secure` is set. If it's not, we don't set Partitioned.\n//       - Whether we can set & retrieve cookies without Partitioned being set. If this is the case, we are likely in a\n//         top-level context or a browser that partitions cookies by default (eg. Firefox). In this case, we don't need\n//         Partitioned and can just proceed as normal.\n//       - Whether CHIPS is supported. To prevent the case where CHIPS is not supported but third-party cookies are (in\n//         which we would accidentally set SameSite=None without Partitioned as the latter requires the former), we\n//         check this by running a simple test with document.cookie.\n//       - Whether the browser supports Partitioned cookies. If yes, set Partitioned. Otherwise, don't set Partitioned.\n//         Since there's no easy cross-compat way to do this (CookieStore and document.cookie do not return whether a\n//         cookie is partitioned on some/all versions of Safari and Firefox), we use a heuristic; we run this test by\n//         creating two cookies with the same name: One with Partitioned and one without. If there are two resulting\n//         cookies, that means they were put into different jars, implying that the browser supports Partitioned cookies\n//         (but doesn't partition cookies by default). If they result in just one cookie, that could mean that the\n//         browser doesn't support Partitioned cookies, or that the browser doesn't put partitioned cookies into\n//         different jars by default, in which case we still don't know. This heuristic works on Chrome, but may\n//         incorrectly conclude that some other browsers don't support Partitioned. But from a security perspective,\n//         that is better than accidentally setting SameSite=None without Partitioned. TODO: Find a better heuristic to\n//         to determine whether the browser supports Partitioned cookies or not.\n//    - In a Next.js server environment, right now we do nothing because of the complexity involved :( TODO: In the\n//      future, we could improve this for example by setting hint cookies from the client, but we need to make sure that\n//      no malicious actor (eg. on a malicious subdomain) can forcefully enable Partitioned cookies on a browser that\n//      does not support it.\n\n\ntype SetCookieOptions = { maxAge: number | \"session\", noOpIfServerComponent?: boolean, domain?: string, secure?: boolean };\ntype DeleteCookieOptions = { noOpIfServerComponent?: boolean, domain?: string };\n\nfunction ensureClient() {\n  if (!isBrowserLike()) {\n    throw new Error(\"cookieClient functions can only be called in a browser environment, yet window is undefined\");\n  }\n}\n\nexport type CookieHelper = {\n  get: (name: string) => string | null,\n  getAll: () => Record<string, string>,\n  set: (name: string, value: string, options: SetCookieOptions) => void,\n  setOrDelete: (name: string, value: string | null, options: SetCookieOptions & DeleteCookieOptions) => void,\n  delete: (name: string, options: DeleteCookieOptions) => void,\n};\n\nconst placeholderCookieHelperIdentity = { \"placeholder cookie helper identity\": true };\nexport async function createPlaceholderCookieHelper(): Promise<CookieHelper> {\n  function throwError(): never {\n    throw new StackAssertionError(\"Throwing cookie helper is just a placeholder. This should never be called\");\n  }\n  return {\n    get: throwError,\n    getAll: throwError,\n    set: throwError,\n    setOrDelete: throwError,\n    delete: throwError,\n  };\n}\n\nexport async function createCookieHelper(): Promise<CookieHelper> {\n  if (isBrowserLike()) {\n    return createBrowserCookieHelper();\n  } else {\n    return createNextCookieHelper(\n      await rscCookies(),\n      await rscHeaders(),\n    );\n  }\n}\n\nexport function createBrowserCookieHelper(): CookieHelper {\n  return {\n    get: getCookieClient,\n    getAll: getAllCookiesClient,\n    set: setCookieClient,\n    setOrDelete: setOrDeleteCookieClient,\n    delete: deleteCookieClient,\n  };\n}\n\nfunction handleCookieError(e: unknown, options: DeleteCookieOptions | SetCookieOptions) {\n  if (e instanceof Error && e.message.includes(\"Cookies can only be modified in\")) {\n    if (options.noOpIfServerComponent) {\n      // ignore\n    } else {\n      throw new StackAssertionError(\"Attempted to set cookie in server component. Pass { noOpIfServerComponent: true } in the options of Stack's cookie functions if this is intentional and you want to ignore this error. Read more: https://nextjs.org/docs/app/api-reference/functions/cookies#options\");\n    }\n  } else {\n    throw e;\n  }\n}\n\nfunction createNextCookieHelper(\n  rscCookiesAwaited: Awaited<ReturnType<typeof rscCookies>>,\n  rscHeadersAwaited: Awaited<ReturnType<typeof rscHeaders>>,\n): CookieHelper {\n  const cookieHelper = {\n    get: (name: string) => {\n      const all = cookieHelper.getAll();\n      return all[name] ?? null;\n    },\n    getAll: () => {\n      // set a helper cookie, see comment in `NextCookieHelper.set` below\n      try {\n        rscCookiesAwaited.set(\"stack-is-https\", \"true\", { secure: true, expires: new Date(Date.now() + 1000 * 60 * 60 * 24 * 365) });\n      } catch (e) {\n        if (\n          typeof e === 'object'\n          && e !== null\n          && 'message' in e\n          && typeof e.message === 'string'\n          && e.message.includes('Cookies can only be modified in a Server Action or Route Handler')\n        ) {\n          // ignore\n        } else {\n          throw e;\n        }\n      }\n      const all = rscCookiesAwaited.getAll();\n      return all.reduce((acc, entry) => {\n        acc[entry.name] = entry.value;\n        return acc;\n      }, {} as Record<string, string>);\n    },\n    set: (name: string, value: string, options: SetCookieOptions) => {\n      // Whenever the client is on HTTPS, we want to set the Secure flag on the cookie.\n      //\n      // This is not easy to find out on a Next.js server, so see the algorithm at the top of this file.\n      //\n      // Note that malicious clients could theoretically manipulate the `stack-is-https` cookie or\n      // the `X-Forwarded-Proto` header; that wouldn't cause any trouble except for themselves,\n      // though.\n      const isSecureCookie = determineSecureFromServerContext(rscCookiesAwaited, rscHeadersAwaited);\n\n      try {\n        rscCookiesAwaited.set(name, value, {\n          secure: isSecureCookie,\n          maxAge: options.maxAge === \"session\" ? undefined : options.maxAge,\n          domain: options.domain,\n          sameSite: \"lax\",\n        });\n      } catch (e) {\n        handleCookieError(e, options);\n      }\n    },\n    setOrDelete(name: string, value: string | null, options: SetCookieOptions & DeleteCookieOptions) {\n      if (value === null) {\n        this.delete(name, options);\n      } else {\n        this.set(name, value, options);\n      }\n    },\n    delete(name: string, options: DeleteCookieOptions) {\n      try {\n        if (options.domain !== undefined) {\n          rscCookiesAwaited.delete({ name, domain: options.domain });\n        } else {\n          rscCookiesAwaited.delete(name);\n        }\n      } catch (e) {\n        handleCookieError(e, options);\n      }\n    },\n  };\n  return cookieHelper;\n}\n\nexport function getCookieClient(name: string): string | null {\n  const all = getAllCookiesClient();\n  return all[name] ?? null;\n}\n\nexport function getAllCookiesClient(): Record<string, string> {\n  ensureClient();\n  // set a helper cookie, see comment in `NextCookieHelper.set` above\n  Cookies.set(\"stack-is-https\", \"true\", { secure: true, expires: new Date(Date.now() + 1000 * 60 * 60 * 24 * 365) });\n  return Cookies.get();\n}\n\nexport async function getCookie(name: string): Promise<string | null> {\n  const cookieHelper = await createCookieHelper();\n  return cookieHelper.get(name);\n}\n\nexport async function isSecure(): Promise<boolean> {\n  if (isBrowserLike()) {\n    return determineSecureFromClientContext();\n  }\n  return determineSecureFromServerContext(await rscCookies(), await rscHeaders());\n  return false;\n}\n\nfunction determineSecureFromClientContext(): boolean {\n  return typeof window !== \"undefined\" && window.location.protocol === \"https:\";\n}\nfunction determineSecureFromServerContext(\n  cookies: Awaited<ReturnType<typeof rscCookies>>,\n  headers: Awaited<ReturnType<typeof rscHeaders>>,\n): boolean {\n  // see the algorithm at the top of this file\n  // TODO: We should probably also check that the stack-is-https cookie has a Secure attribute itself,\n  // TODO: We should consider adding another cookie __Host-stack-is-https, see the comment in the algorithm at the top of this file\n  return cookies.has(\"stack-is-https\") || headers.get(\"x-forwarded-proto\") === \"https\";\n}\n\n\nlet _shouldSetPartitionedClientCache: boolean | undefined = undefined;\nfunction shouldSetPartitionedClient() {\n  return _shouldSetPartitionedClientCache ??= _internalShouldSetPartitionedClient();\n}\nfunction _internalShouldSetPartitionedClient() {\n  ensureClient();\n\n  if (!(determineSecureFromClientContext())) {\n    return false;\n  }\n\n  // check whether we can set & retrieve normal cookies (either because we're on a top-level/same-origin context or the browser partitions cookies by default)\n  const cookie1Name = \"__Host-stack-temporary-chips-test-\" + Math.random().toString(36).substring(2, 15);\n  document.cookie = `${cookie1Name}=value1; Secure; path=/`;\n  const cookies1 = document.cookie.split(\"; \");\n  document.cookie = `${cookie1Name}=delete1; Secure; path=/; expires=Thu, 01 Jan 1970 00:00:00 UTC;`;\n  if (cookies1.some((c) => c.startsWith(cookie1Name + \"=\"))) {\n    return false;\n  }\n\n\n  // check whether Partitioned cookies are supported by the browser\n  // TODO: See comment at the top. Feels like we should find a better way to do this\n  const cookie2Name = \"__Host-stack-temporary-chips-test-\" + Math.random().toString(36).substring(2, 15);\n\n  // just to be safe, delete the cookie first to avoid weird RNG-prediction attacks\n  // I don't know what they look like (since this is a host cookie) but better safe than sorry\n  // (this function should be 100% bulletproof so we don't accidentally fall back to non-partitioned third party cookies on unsupported browsers)\n  document.cookie = `${cookie2Name}=delete1; Secure; SameSite=None; Partitioned; expires=Thu, 01 Jan 1970 00:00:00 UTC; path=/`;\n  document.cookie = `${cookie2Name}=delete2; Secure; SameSite=None; expires=Thu, 01 Jan 1970 00:00:00 UTC; path=/`;\n\n  // set the cookie, once partitioned and once not partitioned\n  document.cookie = `${cookie2Name}=set1; Secure; SameSite=None; Partitioned; path=/`;\n  document.cookie = `${cookie2Name}=set2; Secure; SameSite=None; path=/`;\n\n  // check if there are two cookies\n  const cookies2 = document.cookie.split(\"; \");\n  const numberOfCookiesWithThisName = cookies2.filter((c) => c.startsWith(cookie2Name + \"=\")).length;\n\n  // clean up\n  document.cookie = `${cookie2Name}=delete3; Secure; SameSite=None; Partitioned; expires=Thu, 01 Jan 1970 00:00:00 UTC; path=/`;\n  document.cookie = `${cookie2Name}=delete4; Secure; SameSite=None; expires=Thu, 01 Jan 1970 00:00:00 UTC; path=/`;\n\n  return numberOfCookiesWithThisName === 2;\n}\n\nfunction setCookieClientInternal(name: string, value: string, options: SetCookieOptions) {\n  const secure = options.secure ?? determineSecureFromClientContext();\n  const partitioned = shouldSetPartitionedClient();\n  Cookies.set(name, value, {\n    expires: options.maxAge === \"session\" ? undefined : new Date(Date.now() + (options.maxAge) * 1000),\n    domain: options.domain,\n    secure,\n    sameSite: \"Lax\",\n    ...(partitioned ? {\n      partitioned,\n      sameSite: \"None\",\n    } : {}),\n  });\n}\n\nfunction deleteCookieClientInternal(name: string, options: DeleteCookieOptions) {\n  for (const partitioned of [true, false]) {\n    if (options.domain !== undefined) {\n      Cookies.remove(name, { domain: options.domain, secure: determineSecureFromClientContext(), partitioned });\n    }\n    Cookies.remove(name, { secure: determineSecureFromClientContext(), partitioned });\n  }\n}\n\nexport function setOrDeleteCookieClient(name: string, value: string | null, options: SetCookieOptions & DeleteCookieOptions) {\n  ensureClient();\n  if (value === null) {\n    deleteCookieClientInternal(name, options);\n  } else {\n    setCookieClientInternal(name, value, options);\n  }\n}\n\nexport async function setOrDeleteCookie(name: string, value: string | null, options: SetCookieOptions & DeleteCookieOptions) {\n  const cookieHelper = await createCookieHelper();\n  cookieHelper.setOrDelete(name, value, options);\n}\n\nexport function deleteCookieClient(name: string, options: DeleteCookieOptions) {\n  ensureClient();\n  deleteCookieClientInternal(name, options);\n}\n\nexport async function deleteCookie(name: string, options: DeleteCookieOptions) {\n  const cookieHelper = await createCookieHelper();\n  cookieHelper.delete(name, options);\n}\n\nexport function setCookieClient(name: string, value: string, options: SetCookieOptions) {\n  ensureClient();\n  setCookieClientInternal(name, value, options);\n}\n\nexport async function setCookie(name: string, value: string, options: SetCookieOptions) {\n  const cookieHelper = await createCookieHelper();\n  cookieHelper.set(name, value, options);\n}\n\nexport async function saveVerifierAndState() {\n  const codeVerifier = generateRandomCodeVerifier();\n  const codeChallenge = await calculatePKCECodeChallenge(codeVerifier);\n  const state = generateRandomState();\n\n  await setCookie(\"stack-oauth-outer-\" + state, codeVerifier, { maxAge: 60 * 60 });\n\n  return {\n    codeChallenge,\n    state,\n  };\n}\n\nexport function consumeVerifierAndStateCookie(state: string) {\n  ensureClient();\n  const cookieName = \"stack-oauth-outer-\" + state;\n  const codeVerifier = getCookieClient(cookieName);\n  if (!codeVerifier) {\n    return null;\n  }\n  deleteCookieClient(cookieName, {});\n  return {\n    codeVerifier,\n  };\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAIA,gCAA6D;AAC7D,iBAA8B;AAC9B,oBAAoC;AACpC,uBAAoB;AACpB,0BAA4F;AAiE5F,SAAS,eAAe;AACtB,MAAI,KAAC,0BAAc,GAAG;AACpB,UAAM,IAAI,MAAM,6FAA6F;AAAA,EAC/G;AACF;AAWA,eAAsB,gCAAuD;AAC3E,WAAS,aAAoB;AAC3B,UAAM,IAAI,kCAAoB,2EAA2E;AAAA,EAC3G;AACA,SAAO;AAAA,IACL,KAAK;AAAA,IACL,QAAQ;AAAA,IACR,KAAK;AAAA,IACL,aAAa;AAAA,IACb,QAAQ;AAAA,EACV;AACF;AAEA,eAAsB,qBAA4C;AAChE,UAAI,0BAAc,GAAG;AACnB,WAAO,0BAA0B;AAAA,EACnC,OAAO;AACL,WAAO;AAAA,MACL,UAAM,0BAAAA,SAAW;AAAA,MACjB,UAAM,0BAAAC,SAAW;AAAA,IACnB;AAAA,EACF;AACF;AAEO,SAAS,4BAA0C;AACxD,SAAO;AAAA,IACL,KAAK;AAAA,IACL,QAAQ;AAAA,IACR,KAAK;AAAA,IACL,aAAa;AAAA,IACb,QAAQ;AAAA,EACV;AACF;AAEA,SAAS,kBAAkB,GAAY,SAAiD;AACtF,MAAI,aAAa,SAAS,EAAE,QAAQ,SAAS,iCAAiC,GAAG;AAC/E,QAAI,QAAQ,uBAAuB;AAAA,IAEnC,OAAO;AACL,YAAM,IAAI,kCAAoB,uQAAuQ;AAAA,IACvS;AAAA,EACF,OAAO;AACL,UAAM;AAAA,EACR;AACF;AAEA,SAAS,uBACP,mBACA,mBACc;AACd,QAAM,eAAe;AAAA,IACnB,KAAK,CAAC,SAAiB;AACrB,YAAM,MAAM,aAAa,OAAO;AAChC,aAAO,IAAI,IAAI,KAAK;AAAA,IACtB;AAAA,IACA,QAAQ,MAAM;AAEZ,UAAI;AACF,0BAAkB,IAAI,kBAAkB,QAAQ,EAAE,QAAQ,MAAM,SAAS,IAAI,KAAK,KAAK,IAAI,IAAI,MAAO,KAAK,KAAK,KAAK,GAAG,EAAE,CAAC;AAAA,MAC7H,SAAS,GAAG;AACV,YACE,OAAO,MAAM,YACV,MAAM,QACN,aAAa,KACb,OAAO,EAAE,YAAY,YACrB,EAAE,QAAQ,SAAS,kEAAkE,GACxF;AAAA,QAEF,OAAO;AACL,gBAAM;AAAA,QACR;AAAA,MACF;AACA,YAAM,MAAM,kBAAkB,OAAO;AACrC,aAAO,IAAI,OAAO,CAAC,KAAK,UAAU;AAChC,YAAI,MAAM,IAAI,IAAI,MAAM;AACxB,eAAO;AAAA,MACT,GAAG,CAAC,CAA2B;AAAA,IACjC;AAAA,IACA,KAAK,CAAC,MAAc,OAAe,YAA8B;AAQ/D,YAAM,iBAAiB,iCAAiC,mBAAmB,iBAAiB;AAE5F,UAAI;AACF,0BAAkB,IAAI,MAAM,OAAO;AAAA,UACjC,QAAQ;AAAA,UACR,QAAQ,QAAQ,WAAW,YAAY,SAAY,QAAQ;AAAA,UAC3D,QAAQ,QAAQ;AAAA,UAChB,UAAU;AAAA,QACZ,CAAC;AAAA,MACH,SAAS,GAAG;AACV,0BAAkB,GAAG,OAAO;AAAA,MAC9B;AAAA,IACF;AAAA,IACA,YAAY,MAAc,OAAsB,SAAiD;AAC/F,UAAI,UAAU,MAAM;AAClB,aAAK,OAAO,MAAM,OAAO;AAAA,MAC3B,OAAO;AACL,aAAK,IAAI,MAAM,OAAO,OAAO;AAAA,MAC/B;AAAA,IACF;AAAA,IACA,OAAO,MAAc,SAA8B;AACjD,UAAI;AACF,YAAI,QAAQ,WAAW,QAAW;AAChC,4BAAkB,OAAO,EAAE,MAAM,QAAQ,QAAQ,OAAO,CAAC;AAAA,QAC3D,OAAO;AACL,4BAAkB,OAAO,IAAI;AAAA,QAC/B;AAAA,MACF,SAAS,GAAG;AACV,0BAAkB,GAAG,OAAO;AAAA,MAC9B;AAAA,IACF;AAAA,EACF;AACA,SAAO;AACT;AAEO,SAAS,gBAAgB,MAA6B;AAC3D,QAAM,MAAM,oBAAoB;AAChC,SAAO,IAAI,IAAI,KAAK;AACtB;AAEO,SAAS,sBAA8C;AAC5D,eAAa;AAEb,mBAAAC,QAAQ,IAAI,kBAAkB,QAAQ,EAAE,QAAQ,MAAM,SAAS,IAAI,KAAK,KAAK,IAAI,IAAI,MAAO,KAAK,KAAK,KAAK,GAAG,EAAE,CAAC;AACjH,SAAO,iBAAAA,QAAQ,IAAI;AACrB;AAEA,eAAsB,UAAU,MAAsC;AACpE,QAAM,eAAe,MAAM,mBAAmB;AAC9C,SAAO,aAAa,IAAI,IAAI;AAC9B;AAEA,eAAsB,WAA6B;AACjD,UAAI,0BAAc,GAAG;AACnB,WAAO,iCAAiC;AAAA,EAC1C;AACA,SAAO,iCAAiC,UAAM,0BAAAF,SAAW,GAAG,UAAM,0BAAAC,SAAW,CAAC;AAC9E,SAAO;AACT;AAEA,SAAS,mCAA4C;AACnD,SAAO,OAAO,WAAW,eAAe,OAAO,SAAS,aAAa;AACvE;AACA,SAAS,iCACP,SACA,SACS;AAIT,SAAO,QAAQ,IAAI,gBAAgB,KAAK,QAAQ,IAAI,mBAAmB,MAAM;AAC/E;AAGA,IAAI,mCAAwD;AAC5D,SAAS,6BAA6B;AACpC,SAAO,qCAAqC,oCAAoC;AAClF;AACA,SAAS,sCAAsC;AAC7C,eAAa;AAEb,MAAI,CAAE,iCAAiC,GAAI;AACzC,WAAO;AAAA,EACT;AAGA,QAAM,cAAc,uCAAuC,KAAK,OAAO,EAAE,SAAS,EAAE,EAAE,UAAU,GAAG,EAAE;AACrG,WAAS,SAAS,GAAG,WAAW;AAChC,QAAM,WAAW,SAAS,OAAO,MAAM,IAAI;AAC3C,WAAS,SAAS,GAAG,WAAW;AAChC,MAAI,SAAS,KAAK,CAAC,MAAM,EAAE,WAAW,cAAc,GAAG,CAAC,GAAG;AACzD,WAAO;AAAA,EACT;AAKA,QAAM,cAAc,uCAAuC,KAAK,OAAO,EAAE,SAAS,EAAE,EAAE,UAAU,GAAG,EAAE;AAKrG,WAAS,SAAS,GAAG,WAAW;AAChC,WAAS,SAAS,GAAG,WAAW;AAGhC,WAAS,SAAS,GAAG,WAAW;AAChC,WAAS,SAAS,GAAG,WAAW;AAGhC,QAAM,WAAW,SAAS,OAAO,MAAM,IAAI;AAC3C,QAAM,8BAA8B,SAAS,OAAO,CAAC,MAAM,EAAE,WAAW,cAAc,GAAG,CAAC,EAAE;AAG5F,WAAS,SAAS,GAAG,WAAW;AAChC,WAAS,SAAS,GAAG,WAAW;AAEhC,SAAO,gCAAgC;AACzC;AAEA,SAAS,wBAAwB,MAAc,OAAe,SAA2B;AACvF,QAAM,SAAS,QAAQ,UAAU,iCAAiC;AAClE,QAAM,cAAc,2BAA2B;AAC/C,mBAAAC,QAAQ,IAAI,MAAM,OAAO;AAAA,IACvB,SAAS,QAAQ,WAAW,YAAY,SAAY,IAAI,KAAK,KAAK,IAAI,IAAK,QAAQ,SAAU,GAAI;AAAA,IACjG,QAAQ,QAAQ;AAAA,IAChB;AAAA,IACA,UAAU;AAAA,IACV,GAAI,cAAc;AAAA,MAChB;AAAA,MACA,UAAU;AAAA,IACZ,IAAI,CAAC;AAAA,EACP,CAAC;AACH;AAEA,SAAS,2BAA2B,MAAc,SAA8B;AAC9E,aAAW,eAAe,CAAC,MAAM,KAAK,GAAG;AACvC,QAAI,QAAQ,WAAW,QAAW;AAChC,uBAAAA,QAAQ,OAAO,MAAM,EAAE,QAAQ,QAAQ,QAAQ,QAAQ,iCAAiC,GAAG,YAAY,CAAC;AAAA,IAC1G;AACA,qBAAAA,QAAQ,OAAO,MAAM,EAAE,QAAQ,iCAAiC,GAAG,YAAY,CAAC;AAAA,EAClF;AACF;AAEO,SAAS,wBAAwB,MAAc,OAAsB,SAAiD;AAC3H,eAAa;AACb,MAAI,UAAU,MAAM;AAClB,+BAA2B,MAAM,OAAO;AAAA,EAC1C,OAAO;AACL,4BAAwB,MAAM,OAAO,OAAO;AAAA,EAC9C;AACF;AAEA,eAAsB,kBAAkB,MAAc,OAAsB,SAAiD;AAC3H,QAAM,eAAe,MAAM,mBAAmB;AAC9C,eAAa,YAAY,MAAM,OAAO,OAAO;AAC/C;AAEO,SAAS,mBAAmB,MAAc,SAA8B;AAC7E,eAAa;AACb,6BAA2B,MAAM,OAAO;AAC1C;AAEA,eAAsB,aAAa,MAAc,SAA8B;AAC7E,QAAM,eAAe,MAAM,mBAAmB;AAC9C,eAAa,OAAO,MAAM,OAAO;AACnC;AAEO,SAAS,gBAAgB,MAAc,OAAe,SAA2B;AACtF,eAAa;AACb,0BAAwB,MAAM,OAAO,OAAO;AAC9C;AAEA,eAAsB,UAAU,MAAc,OAAe,SAA2B;AACtF,QAAM,eAAe,MAAM,mBAAmB;AAC9C,eAAa,IAAI,MAAM,OAAO,OAAO;AACvC;AAEA,eAAsB,uBAAuB;AAC3C,QAAM,mBAAe,gDAA2B;AAChD,QAAM,gBAAgB,UAAM,gDAA2B,YAAY;AACnE,QAAM,YAAQ,yCAAoB;AAElC,QAAM,UAAU,uBAAuB,OAAO,cAAc,EAAE,QAAQ,KAAK,GAAG,CAAC;AAE/E,SAAO;AAAA,IACL;AAAA,IACA;AAAA,EACF;AACF;AAEO,SAAS,8BAA8B,OAAe;AAC3D,eAAa;AACb,QAAM,aAAa,uBAAuB;AAC1C,QAAM,eAAe,gBAAgB,UAAU;AAC/C,MAAI,CAAC,cAAc;AACjB,WAAO;AAAA,EACT;AACA,qBAAmB,YAAY,CAAC,CAAC;AACjC,SAAO;AAAA,IACL;AAAA,EACF;AACF;","names":["rscCookies","rscHeaders","Cookies"]}

package/dist/lib/hooks.js.map

@@ -1 +1 @@
-{"version":3,"sources":["../../src/lib/hooks.tsx"],"sourcesContent":["\n//===========================================\n// THIS FILE IS AUTO-GENERATED FROM TEMPLATE. DO NOT EDIT IT DIRECTLY\n//===========================================\nimport { useContext } from \"react\";\nimport { StackContext } from \"../providers/stack-provider-client\";\nimport { GetUserOptions as AppGetUserOptions, CurrentInternalUser, CurrentUser, StackClientApp } from \"./stack-app\";\n\ntype GetUserOptions = AppGetUserOptions<true> & {\n  projectIdMustMatch?: string,\n};\n\n/**\n * Returns the current user object. Equivalent to `useStackApp().useUser()`.\n *\n * @returns the current user\n */\nexport function useUser(options: GetUserOptions & { or: 'redirect' | 'throw', projectIdMustMatch: \"internal\" }): CurrentInternalUser;\nexport function useUser(options: GetUserOptions & { or: 'redirect' | 'throw' }): CurrentUser;\nexport function useUser(options: GetUserOptions & { projectIdMustMatch: \"internal\" }): CurrentInternalUser | null;\nexport function useUser(options?: GetUserOptions): CurrentUser | CurrentInternalUser | null;\nexport function useUser(options: GetUserOptions = {}): CurrentUser | CurrentInternalUser | null {\n  const stackApp = useStackApp(options);\n  if (options.projectIdMustMatch && stackApp.projectId !== options.projectIdMustMatch) {\n    throw new Error(\"Unexpected project ID in useStackApp: \" + stackApp.projectId);\n  }\n  if (options.projectIdMustMatch === \"internal\") {\n    return stackApp.useUser(options) as CurrentInternalUser;\n  } else {\n    return stackApp.useUser(options) as CurrentUser;\n  }\n}\n\n/**\n * Returns the current Stack app associated with the StackProvider.\n *\n * @returns the current Stack app\n */\nexport function useStackApp<ProjectId extends string>(options: { projectIdMustMatch?: ProjectId } = {}): StackClientApp<true, ProjectId> {\n  if (typeof useContext !== \"function\") {\n    throw new Error(\"useStackApp() can only be used in a React Client Component. Make sure you're not calling it from a Server Component, or any other environment.\");\n  }\n  const context = useContext(StackContext);\n  if (context === null) {\n    throw new Error(\"useStackApp must be used within a StackProvider\");\n  }\n  const stackApp = context.app;\n  if (options.projectIdMustMatch && stackApp.projectId !== options.projectIdMustMatch) {\n    throw new Error(\"Unexpected project ID in useStackApp: \" + stackApp.projectId);\n  }\n  return stackApp as StackClientApp<true, ProjectId>;\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAIA,mBAA2B;AAC3B,mCAA6B;AAgBtB,SAAS,QAAQ,UAA0B,CAAC,GAA6C;AAC9F,QAAM,WAAW,YAAY,OAAO;AACpC,MAAI,QAAQ,sBAAsB,SAAS,cAAc,QAAQ,oBAAoB;AACnF,UAAM,IAAI,MAAM,2CAA2C,SAAS,SAAS;AAAA,EAC/E;AACA,MAAI,QAAQ,uBAAuB,YAAY;AAC7C,WAAO,SAAS,QAAQ,OAAO;AAAA,EACjC,OAAO;AACL,WAAO,SAAS,QAAQ,OAAO;AAAA,EACjC;AACF;AAOO,SAAS,YAAsC,UAA8C,CAAC,GAAoC;AACvI,MAAI,OAAO,4BAAe,YAAY;AACpC,UAAM,IAAI,MAAM,gJAAgJ;AAAA,EAClK;AACA,QAAM,cAAU,yBAAW,yCAAY;AACvC,MAAI,YAAY,MAAM;AACpB,UAAM,IAAI,MAAM,iDAAiD;AAAA,EACnE;AACA,QAAM,WAAW,QAAQ;AACzB,MAAI,QAAQ,sBAAsB,SAAS,cAAc,QAAQ,oBAAoB;AACnF,UAAM,IAAI,MAAM,2CAA2C,SAAS,SAAS;AAAA,EAC/E;AACA,SAAO;AACT;","names":[]}
+{"version":3,"sources":["../../src/lib/hooks.tsx"],"sourcesContent":["\n//===========================================\n// THIS FILE IS AUTO-GENERATED FROM TEMPLATE. DO NOT EDIT IT DIRECTLY, INSTEAD EDIT THE CORRESPONDING FILE IN packages/template\n//===========================================\nimport { useContext } from \"react\";\nimport { StackContext } from \"../providers/stack-provider-client\";\nimport { GetUserOptions as AppGetUserOptions, CurrentInternalUser, CurrentUser, StackClientApp } from \"./stack-app\";\n\ntype GetUserOptions = AppGetUserOptions<true> & {\n  projectIdMustMatch?: string,\n};\n\n/**\n * Returns the current user object. Equivalent to `useStackApp().useUser()`.\n *\n * @returns the current user\n */\nexport function useUser(options: GetUserOptions & { or: 'redirect' | 'throw', projectIdMustMatch: \"internal\" }): CurrentInternalUser;\nexport function useUser(options: GetUserOptions & { or: 'redirect' | 'throw' }): CurrentUser;\nexport function useUser(options: GetUserOptions & { projectIdMustMatch: \"internal\" }): CurrentInternalUser | null;\nexport function useUser(options?: GetUserOptions): CurrentUser | CurrentInternalUser | null;\nexport function useUser(options: GetUserOptions = {}): CurrentUser | CurrentInternalUser | null {\n  const stackApp = useStackApp(options);\n  if (options.projectIdMustMatch && stackApp.projectId !== options.projectIdMustMatch) {\n    throw new Error(\"Unexpected project ID in useStackApp: \" + stackApp.projectId);\n  }\n  if (options.projectIdMustMatch === \"internal\") {\n    return stackApp.useUser(options) as CurrentInternalUser;\n  } else {\n    return stackApp.useUser(options) as CurrentUser;\n  }\n}\n\n/**\n * Returns the current Stack app associated with the StackProvider.\n *\n * @returns the current Stack app\n */\nexport function useStackApp<ProjectId extends string>(options: { projectIdMustMatch?: ProjectId } = {}): StackClientApp<true, ProjectId> {\n  if (typeof useContext !== \"function\") {\n    throw new Error(\"useStackApp() can only be used in a React Client Component. Make sure you're not calling it from a Server Component, or any other environment.\");\n  }\n  const context = useContext(StackContext);\n  if (context === null) {\n    throw new Error(\"useStackApp must be used within a StackProvider\");\n  }\n  const stackApp = context.app;\n  if (options.projectIdMustMatch && stackApp.projectId !== options.projectIdMustMatch) {\n    throw new Error(\"Unexpected project ID in useStackApp: \" + stackApp.projectId);\n  }\n  return stackApp as StackClientApp<true, ProjectId>;\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAIA,mBAA2B;AAC3B,mCAA6B;AAgBtB,SAAS,QAAQ,UAA0B,CAAC,GAA6C;AAC9F,QAAM,WAAW,YAAY,OAAO;AACpC,MAAI,QAAQ,sBAAsB,SAAS,cAAc,QAAQ,oBAAoB;AACnF,UAAM,IAAI,MAAM,2CAA2C,SAAS,SAAS;AAAA,EAC/E;AACA,MAAI,QAAQ,uBAAuB,YAAY;AAC7C,WAAO,SAAS,QAAQ,OAAO;AAAA,EACjC,OAAO;AACL,WAAO,SAAS,QAAQ,OAAO;AAAA,EACjC;AACF;AAOO,SAAS,YAAsC,UAA8C,CAAC,GAAoC;AACvI,MAAI,OAAO,4BAAe,YAAY;AACpC,UAAM,IAAI,MAAM,gJAAgJ;AAAA,EAClK;AACA,QAAM,cAAU,yBAAW,yCAAY;AACvC,MAAI,YAAY,MAAM;AACpB,UAAM,IAAI,MAAM,iDAAiD;AAAA,EACnE;AACA,QAAM,WAAW,QAAQ;AACzB,MAAI,QAAQ,sBAAsB,SAAS,cAAc,QAAQ,oBAAoB;AACnF,UAAM,IAAI,MAAM,2CAA2C,SAAS,SAAS;AAAA,EAC/E;AACA,SAAO;AACT;","names":[]}

package/dist/lib/stack-app/api-keys/index.js.map

@@ -1 +1 @@
-{"version":3,"sources":["../../../../src/lib/stack-app/api-keys/index.ts"],"sourcesContent":["\n//===========================================\n// THIS FILE IS AUTO-GENERATED FROM TEMPLATE. DO NOT EDIT IT DIRECTLY\n//===========================================\nimport { TeamApiKeysCrud, UserApiKeysCrud, teamApiKeysCreateInputSchema, userApiKeysCreateInputSchema } from \"@stackframe/stack-shared/dist/interface/crud/project-api-keys\";\nimport { filterUndefined } from \"@stackframe/stack-shared/dist/utils/objects\";\nimport { IfAndOnlyIf, PrettifyType } from \"@stackframe/stack-shared/dist/utils/types\";\nimport type * as yup from \"yup\";\n\nexport type ApiKeyType = \"user\" | \"team\";\n\nexport type ApiKey<Type extends ApiKeyType = ApiKeyType, IsFirstView extends boolean = false> =\n  & {\n      id: string,\n      description: string,\n      expiresAt?: Date,\n      manuallyRevokedAt?: Date | null,\n      createdAt: Date,\n      value: IfAndOnlyIf<IsFirstView, true, string, { lastFour: string }>,\n      update(options: ApiKeyUpdateOptions<Type>): Promise<void>,\n      revoke: () => Promise<void>,\n      isValid: () => boolean,\n      whyInvalid: () => \"manually-revoked\" | \"expired\" | null,\n    }\n  & (\n    | (\"user\" extends Type ? { type: \"user\", userId: string } : never)\n    | (\"team\" extends Type ? { type: \"team\", teamId: string } : never)\n  );\n\nexport type UserApiKeyFirstView = PrettifyType<ApiKey<\"user\", true>>;\nexport type UserApiKey = PrettifyType<ApiKey<\"user\", false>>;\n\nexport type TeamApiKeyFirstView = PrettifyType<ApiKey<\"team\", true>>;\nexport type TeamApiKey = PrettifyType<ApiKey<\"team\", false>>;\n\nexport type ApiKeyCreationOptions<Type extends ApiKeyType = ApiKeyType> =\n  & {\n    description: string,\n    expiresAt: Date | null,\n    /**\n     * Whether the API key should be considered public. A public API key will not be detected by the secret scanner, which\n     * automatically revokes API keys when it detects that they may have been exposed to the public.\n     */\n    isPublic?: boolean,\n  };\nexport function apiKeyCreationOptionsToCrud(type: \"user\", userId: string, options: ApiKeyCreationOptions<\"user\">): Promise<yup.InferType<typeof userApiKeysCreateInputSchema>>;\nexport function apiKeyCreationOptionsToCrud(type: \"team\", teamId: string, options: ApiKeyCreationOptions<\"team\">): Promise<yup.InferType<typeof teamApiKeysCreateInputSchema>>;\nexport function apiKeyCreationOptionsToCrud(type: ApiKeyType, userIdOrTeamId: string, options: ApiKeyCreationOptions): Promise<yup.InferType<typeof userApiKeysCreateInputSchema> | yup.InferType<typeof teamApiKeysCreateInputSchema>>;\nexport async function apiKeyCreationOptionsToCrud(type: ApiKeyType, userIdOrTeamId: string, options: ApiKeyCreationOptions): Promise<yup.InferType<typeof userApiKeysCreateInputSchema> | yup.InferType<typeof teamApiKeysCreateInputSchema>> {\n  return {\n    description: options.description,\n    expires_at_millis: options.expiresAt == null ? options.expiresAt : options.expiresAt.getTime(),\n    is_public: options.isPublic,\n    ...(type === \"user\" ? { user_id: userIdOrTeamId } : { team_id: userIdOrTeamId }),\n  };\n}\n\n\nexport type ApiKeyUpdateOptions<Type extends ApiKeyType = ApiKeyType> = {\n  description?: string,\n  expiresAt?: Date | null,\n  revoked?: boolean,\n};\nexport function apiKeyUpdateOptionsToCrud(type: \"user\", options: ApiKeyUpdateOptions<\"user\">): Promise<UserApiKeysCrud[\"Client\"][\"Update\"]>;\nexport function apiKeyUpdateOptionsToCrud(type: \"team\", options: ApiKeyUpdateOptions<\"team\">): Promise<TeamApiKeysCrud[\"Client\"][\"Update\"]>;\nexport function apiKeyUpdateOptionsToCrud(type: ApiKeyType, options: ApiKeyUpdateOptions): Promise<UserApiKeysCrud[\"Client\"][\"Update\"] | TeamApiKeysCrud[\"Client\"][\"Update\"]>;\nexport async function apiKeyUpdateOptionsToCrud(type: ApiKeyType, options: ApiKeyUpdateOptions): Promise<UserApiKeysCrud[\"Client\"][\"Update\"] | TeamApiKeysCrud[\"Client\"][\"Update\"]> {\n  return filterUndefined({\n    description: options.description,\n    expires_at_millis: options.expiresAt == null ? options.expiresAt : options.expiresAt.getTime(),\n    revoked: options.revoked,\n  });\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAKA,qBAAgC;AA2ChC,eAAsB,4BAA4B,MAAkB,gBAAwB,SAAkJ;AAC5O,SAAO;AAAA,IACL,aAAa,QAAQ;AAAA,IACrB,mBAAmB,QAAQ,aAAa,OAAO,QAAQ,YAAY,QAAQ,UAAU,QAAQ;AAAA,IAC7F,WAAW,QAAQ;AAAA,IACnB,GAAI,SAAS,SAAS,EAAE,SAAS,eAAe,IAAI,EAAE,SAAS,eAAe;AAAA,EAChF;AACF;AAWA,eAAsB,0BAA0B,MAAkB,SAAkH;AAClL,aAAO,gCAAgB;AAAA,IACrB,aAAa,QAAQ;AAAA,IACrB,mBAAmB,QAAQ,aAAa,OAAO,QAAQ,YAAY,QAAQ,UAAU,QAAQ;AAAA,IAC7F,SAAS,QAAQ;AAAA,EACnB,CAAC;AACH;","names":[]}
+{"version":3,"sources":["../../../../src/lib/stack-app/api-keys/index.ts"],"sourcesContent":["\n//===========================================\n// THIS FILE IS AUTO-GENERATED FROM TEMPLATE. DO NOT EDIT IT DIRECTLY, INSTEAD EDIT THE CORRESPONDING FILE IN packages/template\n//===========================================\nimport { TeamApiKeysCrud, UserApiKeysCrud, teamApiKeysCreateInputSchema, userApiKeysCreateInputSchema } from \"@stackframe/stack-shared/dist/interface/crud/project-api-keys\";\nimport { filterUndefined } from \"@stackframe/stack-shared/dist/utils/objects\";\nimport { IfAndOnlyIf, PrettifyType } from \"@stackframe/stack-shared/dist/utils/types\";\nimport type * as yup from \"yup\";\n\nexport type ApiKeyType = \"user\" | \"team\";\n\nexport type ApiKey<Type extends ApiKeyType = ApiKeyType, IsFirstView extends boolean = false> =\n  & {\n      id: string,\n      description: string,\n      expiresAt?: Date,\n      manuallyRevokedAt?: Date | null,\n      createdAt: Date,\n      value: IfAndOnlyIf<IsFirstView, true, string, { lastFour: string }>,\n      update(options: ApiKeyUpdateOptions<Type>): Promise<void>,\n      revoke: () => Promise<void>,\n      isValid: () => boolean,\n      whyInvalid: () => \"manually-revoked\" | \"expired\" | null,\n    }\n  & (\n    | (\"user\" extends Type ? { type: \"user\", userId: string } : never)\n    | (\"team\" extends Type ? { type: \"team\", teamId: string } : never)\n  );\n\nexport type UserApiKeyFirstView = PrettifyType<ApiKey<\"user\", true>>;\nexport type UserApiKey = PrettifyType<ApiKey<\"user\", false>>;\n\nexport type TeamApiKeyFirstView = PrettifyType<ApiKey<\"team\", true>>;\nexport type TeamApiKey = PrettifyType<ApiKey<\"team\", false>>;\n\nexport type ApiKeyCreationOptions<Type extends ApiKeyType = ApiKeyType> =\n  & {\n    description: string,\n    expiresAt: Date | null,\n    /**\n     * Whether the API key should be considered public. A public API key will not be detected by the secret scanner, which\n     * automatically revokes API keys when it detects that they may have been exposed to the public.\n     */\n    isPublic?: boolean,\n  };\nexport function apiKeyCreationOptionsToCrud(type: \"user\", userId: string, options: ApiKeyCreationOptions<\"user\">): Promise<yup.InferType<typeof userApiKeysCreateInputSchema>>;\nexport function apiKeyCreationOptionsToCrud(type: \"team\", teamId: string, options: ApiKeyCreationOptions<\"team\">): Promise<yup.InferType<typeof teamApiKeysCreateInputSchema>>;\nexport function apiKeyCreationOptionsToCrud(type: ApiKeyType, userIdOrTeamId: string, options: ApiKeyCreationOptions): Promise<yup.InferType<typeof userApiKeysCreateInputSchema> | yup.InferType<typeof teamApiKeysCreateInputSchema>>;\nexport async function apiKeyCreationOptionsToCrud(type: ApiKeyType, userIdOrTeamId: string, options: ApiKeyCreationOptions): Promise<yup.InferType<typeof userApiKeysCreateInputSchema> | yup.InferType<typeof teamApiKeysCreateInputSchema>> {\n  return {\n    description: options.description,\n    expires_at_millis: options.expiresAt == null ? options.expiresAt : options.expiresAt.getTime(),\n    is_public: options.isPublic,\n    ...(type === \"user\" ? { user_id: userIdOrTeamId } : { team_id: userIdOrTeamId }),\n  };\n}\n\n\nexport type ApiKeyUpdateOptions<Type extends ApiKeyType = ApiKeyType> = {\n  description?: string,\n  expiresAt?: Date | null,\n  revoked?: boolean,\n};\nexport function apiKeyUpdateOptionsToCrud(type: \"user\", options: ApiKeyUpdateOptions<\"user\">): Promise<UserApiKeysCrud[\"Client\"][\"Update\"]>;\nexport function apiKeyUpdateOptionsToCrud(type: \"team\", options: ApiKeyUpdateOptions<\"team\">): Promise<TeamApiKeysCrud[\"Client\"][\"Update\"]>;\nexport function apiKeyUpdateOptionsToCrud(type: ApiKeyType, options: ApiKeyUpdateOptions): Promise<UserApiKeysCrud[\"Client\"][\"Update\"] | TeamApiKeysCrud[\"Client\"][\"Update\"]>;\nexport async function apiKeyUpdateOptionsToCrud(type: ApiKeyType, options: ApiKeyUpdateOptions): Promise<UserApiKeysCrud[\"Client\"][\"Update\"] | TeamApiKeysCrud[\"Client\"][\"Update\"]> {\n  return filterUndefined({\n    description: options.description,\n    expires_at_millis: options.expiresAt == null ? options.expiresAt : options.expiresAt.getTime(),\n    revoked: options.revoked,\n  });\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAKA,qBAAgC;AA2ChC,eAAsB,4BAA4B,MAAkB,gBAAwB,SAAkJ;AAC5O,SAAO;AAAA,IACL,aAAa,QAAQ;AAAA,IACrB,mBAAmB,QAAQ,aAAa,OAAO,QAAQ,YAAY,QAAQ,UAAU,QAAQ;AAAA,IAC7F,WAAW,QAAQ;AAAA,IACnB,GAAI,SAAS,SAAS,EAAE,SAAS,eAAe,IAAI,EAAE,SAAS,eAAe;AAAA,EAChF;AACF;AAWA,eAAsB,0BAA0B,MAAkB,SAAkH;AAClL,aAAO,gCAAgB;AAAA,IACrB,aAAa,QAAQ;AAAA,IACrB,mBAAmB,QAAQ,aAAa,OAAO,QAAQ,YAAY,QAAQ,UAAU,QAAQ;AAAA,IAC7F,SAAS,QAAQ;AAAA,EACnB,CAAC;AACH;","names":[]}

package/dist/lib/stack-app/apps/implementations/admin-app-impl.js

@@ -533,6 +533,226 @@ var _StackAdminAppImplIncomplete = class extends import_server_app_impl._StackSe
     const crud = import_results.Result.orThrow(await this._transactionsCache.getOrWait([params.cursor, params.limit, params.type, params.customerType], "write-only"));
     return crud;
   }
+  // Email Outbox methods
+  // eslint-disable-next-line @typescript-eslint/no-explicit-any -- Complex discriminated union conversion from API response
+  _emailOutboxCrudToAdmin(crud) {
+    const recipient = crud.to;
+    let to;
+    if (recipient.type === "user-primary-email") {
+      to = { type: "user-primary-email", userId: recipient.user_id };
+    } else if (recipient.type === "user-custom-emails") {
+      to = { type: "user-custom-emails", userId: recipient.user_id, emails: recipient.emails };
+    } else {
+      to = { type: "custom-emails", emails: recipient.emails };
+    }
+    const base = {
+      id: crud.id,
+      createdAt: new Date(crud.created_at_millis),
+      updatedAt: new Date(crud.updated_at_millis),
+      to,
+      scheduledAt: new Date(crud.scheduled_at_millis),
+      isPaused: false,
+      hasRendered: false,
+      hasDelivered: false
+    };
+    const rendered = crud.has_rendered ? {
+      ...base,
+      startedRenderingAt: new Date(crud.started_rendering_at_millis),
+      renderedAt: new Date(crud.rendered_at_millis),
+      subject: crud.subject,
+      html: crud.html,
+      text: crud.text,
+      isTransactional: crud.is_transactional,
+      isHighPriority: crud.is_high_priority,
+      notificationCategoryId: crud.notification_category_id,
+      hasRendered: true
+    } : null;
+    const startedSending = rendered && crud.started_sending_at_millis ? {
+      ...rendered,
+      startedSendingAt: new Date(crud.started_sending_at_millis)
+    } : null;
+    const finishedDelivering = startedSending && crud.has_delivered ? {
+      ...startedSending,
+      deliveredAt: new Date(crud.delivered_at_millis),
+      hasDelivered: true
+    } : null;
+    const result = (() => {
+      switch (crud.status) {
+        case "paused": {
+          return {
+            ...base,
+            status: "paused",
+            simpleStatus: "in-progress",
+            isPaused: true
+          };
+        }
+        case "preparing": {
+          return {
+            ...base,
+            status: "preparing",
+            simpleStatus: "in-progress"
+          };
+        }
+        case "rendering": {
+          return {
+            ...base,
+            status: "rendering",
+            simpleStatus: "in-progress",
+            startedRenderingAt: new Date(crud.started_rendering_at_millis)
+          };
+        }
+        case "render-error": {
+          return {
+            ...base,
+            status: "render-error",
+            simpleStatus: "error",
+            startedRenderingAt: new Date(crud.started_rendering_at_millis),
+            renderedAt: new Date(crud.rendered_at_millis),
+            renderError: crud.render_error
+          };
+        }
+        case "scheduled": {
+          return {
+            ...rendered,
+            status: "scheduled",
+            simpleStatus: "in-progress"
+          };
+        }
+        case "queued": {
+          return {
+            ...rendered,
+            status: "queued",
+            simpleStatus: "in-progress"
+          };
+        }
+        case "sending": {
+          return {
+            ...startedSending,
+            status: "sending",
+            simpleStatus: "in-progress"
+          };
+        }
+        case "server-error": {
+          return {
+            ...startedSending,
+            status: "server-error",
+            simpleStatus: "error",
+            errorAt: new Date(crud.error_at_millis),
+            serverError: crud.server_error
+          };
+        }
+        case "skipped": {
+          return {
+            ...base,
+            status: "skipped",
+            simpleStatus: "ok",
+            skippedAt: new Date(crud.skipped_at_millis),
+            skippedReason: crud.skipped_reason,
+            skippedDetails: crud.skipped_details ?? {},
+            hasRendered: crud.has_rendered,
+            // Optional fields
+            startedRenderingAt: crud.started_rendering_at_millis ? new Date(crud.started_rendering_at_millis) : void 0,
+            renderedAt: crud.rendered_at_millis ? new Date(crud.rendered_at_millis) : void 0,
+            subject: crud.subject,
+            html: crud.html,
+            text: crud.text,
+            isTransactional: crud.is_transactional,
+            isHighPriority: crud.is_high_priority,
+            notificationCategoryId: crud.notification_category_id,
+            startedSendingAt: crud.started_sending_at_millis ? new Date(crud.started_sending_at_millis) : void 0
+          };
+        }
+        case "bounced": {
+          return {
+            ...startedSending,
+            status: "bounced",
+            simpleStatus: "error",
+            bouncedAt: new Date(crud.bounced_at_millis)
+          };
+        }
+        case "delivery-delayed": {
+          return {
+            ...startedSending,
+            status: "delivery-delayed",
+            simpleStatus: "ok",
+            deliveryDelayedAt: new Date(crud.delivery_delayed_at_millis)
+          };
+        }
+        case "sent": {
+          return {
+            ...finishedDelivering,
+            status: "sent",
+            simpleStatus: "ok",
+            canHaveDeliveryInfo: crud.can_have_delivery_info
+          };
+        }
+        case "opened": {
+          return {
+            ...finishedDelivering,
+            status: "opened",
+            simpleStatus: "ok",
+            openedAt: new Date(crud.opened_at_millis),
+            canHaveDeliveryInfo: true
+          };
+        }
+        case "clicked": {
+          return {
+            ...finishedDelivering,
+            status: "clicked",
+            simpleStatus: "ok",
+            clickedAt: new Date(crud.clicked_at_millis),
+            canHaveDeliveryInfo: true
+          };
+        }
+        case "marked-as-spam": {
+          return {
+            ...finishedDelivering,
+            status: "marked-as-spam",
+            simpleStatus: "ok",
+            markedAsSpamAt: new Date(crud.marked_as_spam_at_millis),
+            canHaveDeliveryInfo: true
+          };
+        }
+        default: {
+          throw new import_errors.StackAssertionError(`Unknown email outbox status: ${crud.status}`, { status: crud.status });
+        }
+      }
+    })();
+    return result;
+  }
+  async listOutboxEmails(options) {
+    const response = await this._interface.listOutboxEmails({
+      status: options?.status,
+      simple_status: options?.simpleStatus,
+      limit: options?.limit,
+      cursor: options?.cursor
+    });
+    return {
+      items: response.items.map((item) => this._emailOutboxCrudToAdmin(item)),
+      nextCursor: response.pagination?.next_cursor ?? null
+    };
+  }
+  async getOutboxEmail(id) {
+    const response = await this._interface.getOutboxEmail(id);
+    return this._emailOutboxCrudToAdmin(response);
+  }
+  async updateOutboxEmail(id, options) {
+    const response = await this._interface.updateOutboxEmail(id, {
+      is_paused: options.isPaused,
+      scheduled_at_millis: options.scheduledAtMillis,
+      cancel: options.cancel
+    });
+    return this._emailOutboxCrudToAdmin(response);
+  }
+  async pauseOutboxEmail(id) {
+    return await this.updateOutboxEmail(id, { isPaused: true });
+  }
+  async unpauseOutboxEmail(id) {
+    return await this.updateOutboxEmail(id, { isPaused: false });
+  }
+  async cancelOutboxEmail(id) {
+    return await this.updateOutboxEmail(id, { cancel: true });
+  }
   useTransactions(params) {
     const data = (0, import_common3.useAsyncCache)(this._transactionsCache, [params.cursor, params.limit, params.type, params.customerType], "adminApp.useTransactions()");
     return data;
@@ -544,6 +764,21 @@ var _StackAdminAppImplIncomplete = class extends import_server_app_impl._StackSe
     const data = (0, import_common3.useAsyncCache)(this._stripeAccountInfoCache, [], "adminApp.useStripeAccountInfo()");
     return data;
   }
+  async previewAffectedUsersByOnboardingChange(onboarding, limit) {
+    const result = await this._interface.previewAffectedUsersByOnboardingChange(
+      { require_email_verification: onboarding.requireEmailVerification },
+      limit
+    );
+    return {
+      affectedUsers: result.affected_users.map((u) => ({
+        id: u.id,
+        displayName: u.display_name,
+        primaryEmail: u.primary_email,
+        restrictedReason: u.restricted_reason
+      })),
+      totalAffectedCount: result.total_affected_count
+    };
+  }
 };
 // Annotate the CommonJS export names for ESM import in node:
 0 && (module.exports = {