@supabase/auth-js 2.58.1-canary.0

package/src/index.ts

@@ -0,0 +1,13 @@
+import GoTrueAdminApi from './GoTrueAdminApi'
+import GoTrueClient from './GoTrueClient'
+import AuthAdminApi from './AuthAdminApi'
+import AuthClient from './AuthClient'
+export { GoTrueAdminApi, GoTrueClient, AuthAdminApi, AuthClient }
+export * from './lib/types'
+export * from './lib/errors'
+export {
+  navigatorLock,
+  NavigatorLockAcquireTimeoutError,
+  internals as lockInternals,
+  processLock,
+} from './lib/locks'

package/src/lib/base64url.ts

@@ -0,0 +1,308 @@
+/**
+ * Avoid modifying this file. It's part of
+ * https://github.com/supabase-community/base64url-js.  Submit all fixes on
+ * that repo!
+ */
+
+import { Uint8Array_ } from './webauthn.dom'
+
+/**
+ * An array of characters that encode 6 bits into a Base64-URL alphabet
+ * character.
+ */
+const TO_BASE64URL = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_'.split('')
+
+/**
+ * An array of characters that can appear in a Base64-URL encoded string but
+ * should be ignored.
+ */
+const IGNORE_BASE64URL = ' \t\n\r='.split('')
+
+/**
+ * An array of 128 numbers that map a Base64-URL character to 6 bits, or if -2
+ * used to skip the character, or if -1 used to error out.
+ */
+const FROM_BASE64URL = (() => {
+  const charMap: number[] = new Array(128)
+
+  for (let i = 0; i < charMap.length; i += 1) {
+    charMap[i] = -1
+  }
+
+  for (let i = 0; i < IGNORE_BASE64URL.length; i += 1) {
+    charMap[IGNORE_BASE64URL[i].charCodeAt(0)] = -2
+  }
+
+  for (let i = 0; i < TO_BASE64URL.length; i += 1) {
+    charMap[TO_BASE64URL[i].charCodeAt(0)] = i
+  }
+
+  return charMap
+})()
+
+/**
+ * Converts a byte to a Base64-URL string.
+ *
+ * @param byte The byte to convert, or null to flush at the end of the byte sequence.
+ * @param state The Base64 conversion state. Pass an initial value of `{ queue: 0, queuedBits: 0 }`.
+ * @param emit A function called with the next Base64 character when ready.
+ */
+export function byteToBase64URL(
+  byte: number | null,
+  state: { queue: number; queuedBits: number },
+  emit: (char: string) => void
+) {
+  if (byte !== null) {
+    state.queue = (state.queue << 8) | byte
+    state.queuedBits += 8
+
+    while (state.queuedBits >= 6) {
+      const pos = (state.queue >> (state.queuedBits - 6)) & 63
+      emit(TO_BASE64URL[pos])
+      state.queuedBits -= 6
+    }
+  } else if (state.queuedBits > 0) {
+    state.queue = state.queue << (6 - state.queuedBits)
+    state.queuedBits = 6
+
+    while (state.queuedBits >= 6) {
+      const pos = (state.queue >> (state.queuedBits - 6)) & 63
+      emit(TO_BASE64URL[pos])
+      state.queuedBits -= 6
+    }
+  }
+}
+
+/**
+ * Converts a String char code (extracted using `string.charCodeAt(position)`) to a sequence of Base64-URL characters.
+ *
+ * @param charCode The char code of the JavaScript string.
+ * @param state The Base64 state. Pass an initial value of `{ queue: 0, queuedBits: 0 }`.
+ * @param emit A function called with the next byte.
+ */
+export function byteFromBase64URL(
+  charCode: number,
+  state: { queue: number; queuedBits: number },
+  emit: (byte: number) => void
+) {
+  const bits = FROM_BASE64URL[charCode]
+
+  if (bits > -1) {
+    // valid Base64-URL character
+    state.queue = (state.queue << 6) | bits
+    state.queuedBits += 6
+
+    while (state.queuedBits >= 8) {
+      emit((state.queue >> (state.queuedBits - 8)) & 0xff)
+      state.queuedBits -= 8
+    }
+  } else if (bits === -2) {
+    // ignore spaces, tabs, newlines, =
+    return
+  } else {
+    throw new Error(`Invalid Base64-URL character "${String.fromCharCode(charCode)}"`)
+  }
+}
+
+/**
+ * Converts a JavaScript string (which may include any valid character) into a
+ * Base64-URL encoded string. The string is first encoded in UTF-8 which is
+ * then encoded as Base64-URL.
+ *
+ * @param str The string to convert.
+ */
+export function stringToBase64URL(str: string) {
+  const base64: string[] = []
+
+  const emitter = (char: string) => {
+    base64.push(char)
+  }
+
+  const state = { queue: 0, queuedBits: 0 }
+
+  stringToUTF8(str, (byte: number) => {
+    byteToBase64URL(byte, state, emitter)
+  })
+
+  byteToBase64URL(null, state, emitter)
+
+  return base64.join('')
+}
+
+/**
+ * Converts a Base64-URL encoded string into a JavaScript string. It is assumed
+ * that the underlying string has been encoded as UTF-8.
+ *
+ * @param str The Base64-URL encoded string.
+ */
+export function stringFromBase64URL(str: string) {
+  const conv: string[] = []
+
+  const utf8Emit = (codepoint: number) => {
+    conv.push(String.fromCodePoint(codepoint))
+  }
+
+  const utf8State = {
+    utf8seq: 0,
+    codepoint: 0,
+  }
+
+  const b64State = { queue: 0, queuedBits: 0 }
+
+  const byteEmit = (byte: number) => {
+    stringFromUTF8(byte, utf8State, utf8Emit)
+  }
+
+  for (let i = 0; i < str.length; i += 1) {
+    byteFromBase64URL(str.charCodeAt(i), b64State, byteEmit)
+  }
+
+  return conv.join('')
+}
+
+/**
+ * Converts a Unicode codepoint to a multi-byte UTF-8 sequence.
+ *
+ * @param codepoint The Unicode codepoint.
+ * @param emit      Function which will be called for each UTF-8 byte that represents the codepoint.
+ */
+export function codepointToUTF8(codepoint: number, emit: (byte: number) => void) {
+  if (codepoint <= 0x7f) {
+    emit(codepoint)
+    return
+  } else if (codepoint <= 0x7ff) {
+    emit(0xc0 | (codepoint >> 6))
+    emit(0x80 | (codepoint & 0x3f))
+    return
+  } else if (codepoint <= 0xffff) {
+    emit(0xe0 | (codepoint >> 12))
+    emit(0x80 | ((codepoint >> 6) & 0x3f))
+    emit(0x80 | (codepoint & 0x3f))
+    return
+  } else if (codepoint <= 0x10ffff) {
+    emit(0xf0 | (codepoint >> 18))
+    emit(0x80 | ((codepoint >> 12) & 0x3f))
+    emit(0x80 | ((codepoint >> 6) & 0x3f))
+    emit(0x80 | (codepoint & 0x3f))
+    return
+  }
+
+  throw new Error(`Unrecognized Unicode codepoint: ${codepoint.toString(16)}`)
+}
+
+/**
+ * Converts a JavaScript string to a sequence of UTF-8 bytes.
+ *
+ * @param str  The string to convert to UTF-8.
+ * @param emit Function which will be called for each UTF-8 byte of the string.
+ */
+export function stringToUTF8(str: string, emit: (byte: number) => void) {
+  for (let i = 0; i < str.length; i += 1) {
+    let codepoint = str.charCodeAt(i)
+
+    if (codepoint > 0xd7ff && codepoint <= 0xdbff) {
+      // most UTF-16 codepoints are Unicode codepoints, except values in this
+      // range where the next UTF-16 codepoint needs to be combined with the
+      // current one to get the Unicode codepoint
+      const highSurrogate = ((codepoint - 0xd800) * 0x400) & 0xffff
+      const lowSurrogate = (str.charCodeAt(i + 1) - 0xdc00) & 0xffff
+      codepoint = (lowSurrogate | highSurrogate) + 0x10000
+      i += 1
+    }
+
+    codepointToUTF8(codepoint, emit)
+  }
+}
+
+/**
+ * Converts a UTF-8 byte to a Unicode codepoint.
+ *
+ * @param byte  The UTF-8 byte next in the sequence.
+ * @param state The shared state between consecutive UTF-8 bytes in the
+ *              sequence, an object with the shape `{ utf8seq: 0, codepoint: 0 }`.
+ * @param emit  Function which will be called for each codepoint.
+ */
+export function stringFromUTF8(
+  byte: number,
+  state: { utf8seq: number; codepoint: number },
+  emit: (codepoint: number) => void
+) {
+  if (state.utf8seq === 0) {
+    if (byte <= 0x7f) {
+      emit(byte)
+      return
+    }
+
+    // count the number of 1 leading bits until you reach 0
+    for (let leadingBit = 1; leadingBit < 6; leadingBit += 1) {
+      if (((byte >> (7 - leadingBit)) & 1) === 0) {
+        state.utf8seq = leadingBit
+        break
+      }
+    }
+
+    if (state.utf8seq === 2) {
+      state.codepoint = byte & 31
+    } else if (state.utf8seq === 3) {
+      state.codepoint = byte & 15
+    } else if (state.utf8seq === 4) {
+      state.codepoint = byte & 7
+    } else {
+      throw new Error('Invalid UTF-8 sequence')
+    }
+
+    state.utf8seq -= 1
+  } else if (state.utf8seq > 0) {
+    if (byte <= 0x7f) {
+      throw new Error('Invalid UTF-8 sequence')
+    }
+
+    state.codepoint = (state.codepoint << 6) | (byte & 63)
+    state.utf8seq -= 1
+
+    if (state.utf8seq === 0) {
+      emit(state.codepoint)
+    }
+  }
+}
+
+/**
+ * Helper functions to convert different types of strings to Uint8Array
+ */
+
+export function base64UrlToUint8Array(str: string): Uint8Array_ {
+  const result: number[] = []
+  const state = { queue: 0, queuedBits: 0 }
+
+  const onByte = (byte: number) => {
+    result.push(byte)
+  }
+
+  for (let i = 0; i < str.length; i += 1) {
+    byteFromBase64URL(str.charCodeAt(i), state, onByte)
+  }
+
+  return new Uint8Array(result)
+}
+
+export function stringToUint8Array(str: string): Uint8Array_ {
+  const result: number[] = []
+  stringToUTF8(str, (byte: number) => result.push(byte))
+  return new Uint8Array(result)
+}
+
+export function bytesToBase64URL(bytes: Uint8Array) {
+  const result: string[] = []
+  const state = { queue: 0, queuedBits: 0 }
+
+  const onChar = (char: string) => {
+    result.push(char)
+  }
+
+  bytes.forEach((byte) => byteToBase64URL(byte, state, onChar))
+
+  // always call with `null` after processing all bytes
+  byteToBase64URL(null, state, onChar)
+
+  return result.join('')
+}

package/src/lib/constants.ts

@@ -0,0 +1,34 @@
+import { version } from './version'
+
+/** Current session will be checked for refresh at this interval. */
+export const AUTO_REFRESH_TICK_DURATION_MS = 30 * 1000
+
+/**
+ * A token refresh will be attempted this many ticks before the current session expires. */
+export const AUTO_REFRESH_TICK_THRESHOLD = 3
+
+/*
+ * Earliest time before an access token expires that the session should be refreshed.
+ */
+export const EXPIRY_MARGIN_MS = AUTO_REFRESH_TICK_THRESHOLD * AUTO_REFRESH_TICK_DURATION_MS
+
+export const GOTRUE_URL = 'http://localhost:9999'
+export const STORAGE_KEY = 'supabase.auth.token'
+export const AUDIENCE = ''
+export const DEFAULT_HEADERS = { 'X-Client-Info': `gotrue-js/${version}` }
+export const NETWORK_FAILURE = {
+  MAX_RETRIES: 10,
+  RETRY_INTERVAL: 2, // in deciseconds
+}
+
+export const API_VERSION_HEADER_NAME = 'X-Supabase-Api-Version'
+export const API_VERSIONS = {
+  '2024-01-01': {
+    timestamp: Date.parse('2024-01-01T00:00:00.0Z'),
+    name: '2024-01-01',
+  },
+}
+
+export const BASE64URL_REGEX = /^([a-z0-9_-]{4})*($|[a-z0-9_-]{3}$|[a-z0-9_-]{2}$)$/i
+
+export const JWKS_TTL = 10 * 60 * 1000 // 10 minutes

package/src/lib/error-codes.ts

@@ -0,0 +1,90 @@
+/**
+ * Known error codes. Note that the server may also return other error codes
+ * not included in this list (if the client library is older than the version
+ * on the server).
+ */
+export type ErrorCode =
+  | 'unexpected_failure'
+  | 'validation_failed'
+  | 'bad_json'
+  | 'email_exists'
+  | 'phone_exists'
+  | 'bad_jwt'
+  | 'not_admin'
+  | 'no_authorization'
+  | 'user_not_found'
+  | 'session_not_found'
+  | 'session_expired'
+  | 'refresh_token_not_found'
+  | 'refresh_token_already_used'
+  | 'flow_state_not_found'
+  | 'flow_state_expired'
+  | 'signup_disabled'
+  | 'user_banned'
+  | 'provider_email_needs_verification'
+  | 'invite_not_found'
+  | 'bad_oauth_state'
+  | 'bad_oauth_callback'
+  | 'oauth_provider_not_supported'
+  | 'unexpected_audience'
+  | 'single_identity_not_deletable'
+  | 'email_conflict_identity_not_deletable'
+  | 'identity_already_exists'
+  | 'email_provider_disabled'
+  | 'phone_provider_disabled'
+  | 'too_many_enrolled_mfa_factors'
+  | 'mfa_factor_name_conflict'
+  | 'mfa_factor_not_found'
+  | 'mfa_ip_address_mismatch'
+  | 'mfa_challenge_expired'
+  | 'mfa_verification_failed'
+  | 'mfa_verification_rejected'
+  | 'insufficient_aal'
+  | 'captcha_failed'
+  | 'saml_provider_disabled'
+  | 'manual_linking_disabled'
+  | 'sms_send_failed'
+  | 'email_not_confirmed'
+  | 'phone_not_confirmed'
+  | 'reauth_nonce_missing'
+  | 'saml_relay_state_not_found'
+  | 'saml_relay_state_expired'
+  | 'saml_idp_not_found'
+  | 'saml_assertion_no_user_id'
+  | 'saml_assertion_no_email'
+  | 'user_already_exists'
+  | 'sso_provider_not_found'
+  | 'saml_metadata_fetch_failed'
+  | 'saml_idp_already_exists'
+  | 'sso_domain_already_exists'
+  | 'saml_entity_id_mismatch'
+  | 'conflict'
+  | 'provider_disabled'
+  | 'user_sso_managed'
+  | 'reauthentication_needed'
+  | 'same_password'
+  | 'reauthentication_not_valid'
+  | 'otp_expired'
+  | 'otp_disabled'
+  | 'identity_not_found'
+  | 'weak_password'
+  | 'over_request_rate_limit'
+  | 'over_email_send_rate_limit'
+  | 'over_sms_send_rate_limit'
+  | 'bad_code_verifier'
+  | 'anonymous_provider_disabled'
+  | 'hook_timeout'
+  | 'hook_timeout_after_retry'
+  | 'hook_payload_over_size_limit'
+  | 'hook_payload_invalid_content_type'
+  | 'request_timeout'
+  | 'mfa_phone_enroll_not_enabled'
+  | 'mfa_phone_verify_not_enabled'
+  | 'mfa_totp_enroll_not_enabled'
+  | 'mfa_totp_verify_not_enabled'
+  | 'mfa_webauthn_enroll_not_enabled'
+  | 'mfa_webauthn_verify_not_enabled'
+  | 'mfa_verified_factor_exists'
+  | 'invalid_credentials'
+  | 'email_address_not_authorized'
+  | 'email_address_invalid'

package/src/lib/errors.ts

@@ -0,0 +1,165 @@
+import { WeakPasswordReasons } from './types'
+import { ErrorCode } from './error-codes'
+
+export class AuthError extends Error {
+  /**
+   * Error code associated with the error. Most errors coming from
+   * HTTP responses will have a code, though some errors that occur
+   * before a response is received will not have one present. In that
+   * case {@link #status} will also be undefined.
+   */
+  code: ErrorCode | (string & {}) | undefined
+
+  /** HTTP status code that caused the error. */
+  status: number | undefined
+
+  protected __isAuthError = true
+
+  constructor(message: string, status?: number, code?: string) {
+    super(message)
+    this.name = 'AuthError'
+    this.status = status
+    this.code = code
+  }
+}
+
+export function isAuthError(error: unknown): error is AuthError {
+  return typeof error === 'object' && error !== null && '__isAuthError' in error
+}
+
+export class AuthApiError extends AuthError {
+  status: number
+
+  constructor(message: string, status: number, code: string | undefined) {
+    super(message, status, code)
+    this.name = 'AuthApiError'
+    this.status = status
+    this.code = code
+  }
+}
+
+export function isAuthApiError(error: unknown): error is AuthApiError {
+  return isAuthError(error) && error.name === 'AuthApiError'
+}
+
+export class AuthUnknownError extends AuthError {
+  originalError: unknown
+
+  constructor(message: string, originalError: unknown) {
+    super(message)
+    this.name = 'AuthUnknownError'
+    this.originalError = originalError
+  }
+}
+
+export class CustomAuthError extends AuthError {
+  name: string
+  status: number
+
+  constructor(message: string, name: string, status: number, code: string | undefined) {
+    super(message, status, code)
+    this.name = name
+    this.status = status
+  }
+}
+
+export class AuthSessionMissingError extends CustomAuthError {
+  constructor() {
+    super('Auth session missing!', 'AuthSessionMissingError', 400, undefined)
+  }
+}
+
+export function isAuthSessionMissingError(error: any): error is AuthSessionMissingError {
+  return isAuthError(error) && error.name === 'AuthSessionMissingError'
+}
+
+export class AuthInvalidTokenResponseError extends CustomAuthError {
+  constructor() {
+    super('Auth session or user missing', 'AuthInvalidTokenResponseError', 500, undefined)
+  }
+}
+
+export class AuthInvalidCredentialsError extends CustomAuthError {
+  constructor(message: string) {
+    super(message, 'AuthInvalidCredentialsError', 400, undefined)
+  }
+}
+
+export class AuthImplicitGrantRedirectError extends CustomAuthError {
+  details: { error: string; code: string } | null = null
+  constructor(message: string, details: { error: string; code: string } | null = null) {
+    super(message, 'AuthImplicitGrantRedirectError', 500, undefined)
+    this.details = details
+  }
+
+  toJSON() {
+    return {
+      name: this.name,
+      message: this.message,
+      status: this.status,
+      details: this.details,
+    }
+  }
+}
+
+export function isAuthImplicitGrantRedirectError(
+  error: any
+): error is AuthImplicitGrantRedirectError {
+  return isAuthError(error) && error.name === 'AuthImplicitGrantRedirectError'
+}
+
+export class AuthPKCEGrantCodeExchangeError extends CustomAuthError {
+  details: { error: string; code: string } | null = null
+
+  constructor(message: string, details: { error: string; code: string } | null = null) {
+    super(message, 'AuthPKCEGrantCodeExchangeError', 500, undefined)
+    this.details = details
+  }
+
+  toJSON() {
+    return {
+      name: this.name,
+      message: this.message,
+      status: this.status,
+      details: this.details,
+    }
+  }
+}
+
+export class AuthRetryableFetchError extends CustomAuthError {
+  constructor(message: string, status: number) {
+    super(message, 'AuthRetryableFetchError', status, undefined)
+  }
+}
+
+export function isAuthRetryableFetchError(error: unknown): error is AuthRetryableFetchError {
+  return isAuthError(error) && error.name === 'AuthRetryableFetchError'
+}
+
+/**
+ * This error is thrown on certain methods when the password used is deemed
+ * weak. Inspect the reasons to identify what password strength rules are
+ * inadequate.
+ */
+export class AuthWeakPasswordError extends CustomAuthError {
+  /**
+   * Reasons why the password is deemed weak.
+   */
+  reasons: WeakPasswordReasons[]
+
+  constructor(message: string, status: number, reasons: WeakPasswordReasons[]) {
+    super(message, 'AuthWeakPasswordError', status, 'weak_password')
+
+    this.reasons = reasons
+  }
+}
+
+export function isAuthWeakPasswordError(error: unknown): error is AuthWeakPasswordError {
+  return isAuthError(error) && error.name === 'AuthWeakPasswordError'
+}
+
+export class AuthInvalidJwtError extends CustomAuthError {
+  constructor(message: string) {
+    super(message, 'AuthInvalidJwtError', 400, 'invalid_jwt')
+  }
+}