@supabase/auth-js 2.73.0-rc.6 → 2.73.1-canary.4

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@supabase/auth-js",
-  "version": "2.73.0-rc.6",
+  "version": "2.73.1-canary.4",
   "private": false,
   "description": "Official client library for Supabase Auth",
   "keywords": [
@@ -9,8 +9,8 @@
     "auth",
     "authentication"
   ],
-  "homepage": "https://github.com/supabase/auth-js",
-  "bugs": "https://github.com/supabase/auth-js/issues",
+  "homepage": "https://github.com/supabase/supabase-js/tree/master/packages/core/auth-js",
+  "bugs": "https://github.com/supabase/supabase-js/issues",
   "license": "MIT",
   "author": "Supabase",
   "files": [
@@ -20,16 +20,19 @@
   "main": "dist/main/index.js",
   "module": "dist/module/index.js",
   "types": "dist/module/index.d.ts",
-  "repository": "github:supabase/auth-js",
+  "repository": {
+    "type": "git",
+    "url": "https://github.com/supabase/supabase-js.git",
+    "directory": "packages/core/auth-js"
+  },
   "scripts": {
     "clean": "rimraf dist docs",
     "coverage": "echo \"run npm test\"",
-    "format": "prettier --write \"{src,test}/**/*.ts\"",
-    "build": "genversion src/lib/version.ts --es6 && run-s clean format build:* && run-s lint",
+    "build:node18": "npm run clean && npm run build:main && npm run build:module",
+    "build": "npm run clean && npx nx build:main auth-js && npx nx build:module auth-js",
     "build:main": "tsc -p tsconfig.json",
     "build:module": "tsc -p tsconfig.module.json",
-    "lint": "eslint ./src/**/* test/**/*.test.ts",
-    "test": "run-s test:clean test:infra test:suite test:clean",
+    "test:auth": "npm run test:clean && npm run test:infra && npm run test:suite && npm run test:clean",
     "test:suite": "npm --prefix ./test run test",
     "test:infra": "cd infra && docker compose down && docker compose pull && docker compose up -d && sleep 30",
     "test:clean": "cd infra && docker compose down",
@@ -37,34 +40,10 @@
     "docs:json": "typedoc --json docs/v2/spec.json --excludeExternals --excludePrivate --excludeProtected src/index.ts"
   },
   "dependencies": {
-    "@supabase/node-fetch": "^2.6.14"
+    "@supabase/node-fetch": "2.6.15"
   },
   "devDependencies": {
-    "@types/faker": "^5.1.6",
-    "@types/jest": "^28.1.6",
-    "@types/jsonwebtoken": "^8.5.6",
-    "@types/node": "^18.16.19",
-    "@types/node-fetch": "^2.6.4",
-    "@typescript-eslint/eslint-plugin": "^5.30.7",
-    "@typescript-eslint/parser": "^5.30.7",
-    "eslint": "^8.20.0",
-    "eslint-config-prettier": "^8.5.0",
-    "eslint-config-standard": "^17.0.0",
-    "eslint-plugin-import": "^2.26.0",
-    "eslint-plugin-node": "^11.1.0",
-    "eslint-plugin-promise": "^6.0.0",
-    "faker": "^5.3.1",
-    "genversion": "^3.1.1",
     "jest": "^28.1.3",
-    "jest-environment-jsdom": "^28.1.3",
-    "jest-mock-server": "^0.1.0",
-    "jsonwebtoken": "^9.0.0",
-    "npm-run-all": "^4.1.5",
-    "prettier": "2.7.1",
-    "rimraf": "^3.0.2",
-    "semantic-release-plugin-update-version-in-files": "^1.1.0",
-    "ts-jest": "^28.0.7",
-    "typedoc": "^0.23.28",
-    "typescript": "^4.7.4"
+    "ts-jest": "^28.0.7"
   }
 }

package/src/GoTrueAdminApi.ts

@@ -21,6 +21,10 @@ import {
   PageParams,
   SIGN_OUT_SCOPES,
   SignOutScope,
+  GoTrueAdminOAuthApi,
+  CreateOAuthClientParams,
+  OAuthClientResponse,
+  OAuthClientListResponse,
 } from './lib/types'
 import { AuthError, isAuthError } from './lib/errors'
 
@@ -28,6 +32,12 @@ export default class GoTrueAdminApi {
   /** Contains all MFA administration methods. */
   mfa: GoTrueAdminMFAApi
 
+  /**
+   * Contains all OAuth client administration methods.
+   * Only relevant when the OAuth 2.1 server is enabled in Supabase Auth.
+   */
+  oauth: GoTrueAdminOAuthApi
+
   protected url: string
   protected headers: {
     [key: string]: string
@@ -52,6 +62,13 @@ export default class GoTrueAdminApi {
       listFactors: this._listFactors.bind(this),
       deleteFactor: this._deleteFactor.bind(this),
     }
+    this.oauth = {
+      listClients: this._listOAuthClients.bind(this),
+      createClient: this._createOAuthClient.bind(this),
+      getClient: this._getOAuthClient.bind(this),
+      deleteClient: this._deleteOAuthClient.bind(this),
+      regenerateClientSecret: this._regenerateOAuthClientSecret.bind(this),
+    }
   }
 
   /**
@@ -349,4 +366,150 @@ export default class GoTrueAdminApi {
       throw error
     }
   }
+
+  /**
+   * Lists all OAuth clients with optional pagination.
+   * Only relevant when the OAuth 2.1 server is enabled in Supabase Auth.
+   *
+   * This function should only be called on a server. Never expose your `service_role` key in the browser.
+   */
+  private async _listOAuthClients(params?: PageParams): Promise<OAuthClientListResponse> {
+    try {
+      const pagination: Pagination = { nextPage: null, lastPage: 0, total: 0 }
+      const response = await _request(this.fetch, 'GET', `${this.url}/admin/oauth/clients`, {
+        headers: this.headers,
+        noResolveJson: true,
+        query: {
+          page: params?.page?.toString() ?? '',
+          per_page: params?.perPage?.toString() ?? '',
+        },
+        xform: _noResolveJsonResponse,
+      })
+      if (response.error) throw response.error
+
+      const clients = await response.json()
+      const total = response.headers.get('x-total-count') ?? 0
+      const links = response.headers.get('link')?.split(',') ?? []
+      if (links.length > 0) {
+        links.forEach((link: string) => {
+          const page = parseInt(link.split(';')[0].split('=')[1].substring(0, 1))
+          const rel = JSON.parse(link.split(';')[1].split('=')[1])
+          pagination[`${rel}Page`] = page
+        })
+
+        pagination.total = parseInt(total)
+      }
+      return { data: { ...clients, ...pagination }, error: null }
+    } catch (error) {
+      if (isAuthError(error)) {
+        return { data: { clients: [] }, error }
+      }
+      throw error
+    }
+  }
+
+  /**
+   * Creates a new OAuth client.
+   * Only relevant when the OAuth 2.1 server is enabled in Supabase Auth.
+   *
+   * This function should only be called on a server. Never expose your `service_role` key in the browser.
+   */
+  private async _createOAuthClient(
+    params: CreateOAuthClientParams
+  ): Promise<OAuthClientResponse> {
+    try {
+      return await _request(this.fetch, 'POST', `${this.url}/admin/oauth/clients`, {
+        body: params,
+        headers: this.headers,
+        xform: (client: any) => {
+          return { data: client, error: null }
+        },
+      })
+    } catch (error) {
+      if (isAuthError(error)) {
+        return { data: null, error }
+      }
+
+      throw error
+    }
+  }
+
+  /**
+   * Gets details of a specific OAuth client.
+   * Only relevant when the OAuth 2.1 server is enabled in Supabase Auth.
+   *
+   * This function should only be called on a server. Never expose your `service_role` key in the browser.
+   */
+  private async _getOAuthClient(clientId: string): Promise<OAuthClientResponse> {
+    try {
+      return await _request(this.fetch, 'GET', `${this.url}/admin/oauth/clients/${clientId}`, {
+        headers: this.headers,
+        xform: (client: any) => {
+          return { data: client, error: null }
+        },
+      })
+    } catch (error) {
+      if (isAuthError(error)) {
+        return { data: null, error }
+      }
+
+      throw error
+    }
+  }
+
+  /**
+   * Deletes an OAuth client.
+   * Only relevant when the OAuth 2.1 server is enabled in Supabase Auth.
+   *
+   * This function should only be called on a server. Never expose your `service_role` key in the browser.
+   */
+  private async _deleteOAuthClient(clientId: string): Promise<OAuthClientResponse> {
+    try {
+      return await _request(
+        this.fetch,
+        'DELETE',
+        `${this.url}/admin/oauth/clients/${clientId}`,
+        {
+          headers: this.headers,
+          xform: (client: any) => {
+            return { data: client, error: null }
+          },
+        }
+      )
+    } catch (error) {
+      if (isAuthError(error)) {
+        return { data: null, error }
+      }
+
+      throw error
+    }
+  }
+
+  /**
+   * Regenerates the secret for an OAuth client.
+   * Only relevant when the OAuth 2.1 server is enabled in Supabase Auth.
+   *
+   * This function should only be called on a server. Never expose your `service_role` key in the browser.
+   */
+  private async _regenerateOAuthClientSecret(clientId: string): Promise<OAuthClientResponse> {
+    try {
+      return await _request(
+        this.fetch,
+        'POST',
+        `${this.url}/admin/oauth/clients/${clientId}/regenerate_secret`,
+        {
+          headers: this.headers,
+          xform: (client: any) => {
+            return { data: client, error: null }
+          },
+        }
+      )
+    } catch (error) {
+      if (isAuthError(error)) {
+        return { data: null, error }
+      }
+
+      throw error
+    }
+  }
 }

package/src/GoTrueClient.ts

@@ -2078,8 +2078,30 @@ export default class GoTrueClient {
 
   /**
    * Receive a notification every time an auth event happens.
+   * Safe to use without an async function as callback.
+   *
    * @param callback A callback function to be invoked when an auth event happens.
    */
+  onAuthStateChange(callback: (event: AuthChangeEvent, session: Session | null) => void): {
+    data: { subscription: Subscription }
+  }
+
+  /**
+   * Avoid using an async function inside `onAuthStateChange` as you might end
+   * up with a deadlock. The callback function runs inside an exclusive lock,
+   * so calling other Supabase Client APIs that also try to acquire the
+   * exclusive lock, might cause a deadlock. This behavior is observable across
+   * tabs. In the next major library version, this behavior will not be supported.
+   *
+   * Receive a notification every time an auth event happens.
+   *
+   * @param callback A callback function to be invoked when an auth event happens.
+   * @deprecated Due to the possibility of deadlocks with async functions as callbacks, use the version without an async function.
+   */
+  onAuthStateChange(callback: (event: AuthChangeEvent, session: Session | null) => Promise<void>): {
+    data: { subscription: Subscription }
+  }
+
   onAuthStateChange(
     callback: (event: AuthChangeEvent, session: Session | null) => void | Promise<void>
   ): {
@@ -3022,8 +3044,8 @@ export default class GoTrueClient {
           ...(params.factorType === 'phone'
             ? { phone: params.phone }
             : params.factorType === 'totp'
-            ? { issuer: params.issuer }
-            : {}),
+              ? { issuer: params.issuer }
+              : {}),
         }
 
         const { data, error } = (await _request(this.fetch, 'POST', `${this.url}/factors`, {
@@ -3072,12 +3094,9 @@ export default class GoTrueClient {
             | Prettify<
                 StrictOmit<MFAVerifyWebauthnParams, 'webauthn'> & {
                   webauthn: Prettify<
-                    | StrictOmit<
-                        MFAVerifyWebauthnParamFields['webauthn'],
-                        'credential_response'
-                      > & {
-                        credential_response: PublicKeyCredentialJSON
-                      }
+                    StrictOmit<MFAVerifyWebauthnParamFields['webauthn'], 'credential_response'> & {
+                      credential_response: PublicKeyCredentialJSON
+                    }
                   >
                 }
               >,
@@ -3271,7 +3290,7 @@ export default class GoTrueClient {
     for (const factor of user?.factors ?? []) {
       data.all.push(factor)
       if (factor.status === 'verified') {
-        ;(data[factor.factor_type] as typeof factor[]).push(factor)
+        ;(data[factor.factor_type] as (typeof factor)[]).push(factor)
       }
     }
 

package/src/lib/types.ts

@@ -111,7 +111,7 @@ export type GoTrueClientOptions = {
 
 const WeakPasswordReasons = ['length', 'characters', 'pwned'] as const
 
-export type WeakPasswordReasons = typeof WeakPasswordReasons[number]
+export type WeakPasswordReasons = (typeof WeakPasswordReasons)[number]
 export type WeakPassword = {
   reasons: WeakPasswordReasons[]
   message: string
@@ -266,7 +266,7 @@ const AMRMethods = [
   'web3',
 ] as const
 
-export type AMRMethod = typeof AMRMethods[number] | (string & {})
+export type AMRMethod = (typeof AMRMethods)[number] | (string & {})
 
 /**
  * An authentication methord reference (AMR) entry.
@@ -305,14 +305,14 @@ const FactorTypes = ['totp', 'phone', 'webauthn'] as const
 /**
  * Type of factor. `totp` and `phone` supported with this version
  */
-export type FactorType = typeof FactorTypes[number]
+export type FactorType = (typeof FactorTypes)[number]
 
 const FactorVerificationStatuses = ['verified', 'unverified'] as const
 
 /**
  * The verification status of the factor, default is `unverified` after `.enroll()`, then `verified` after the user verifies it with `.verify()`
  */
-type FactorVerificationStatus = typeof FactorVerificationStatuses[number]
+type FactorVerificationStatus = (typeof FactorVerificationStatuses)[number]
 
 /**
  * A MFA factor.
@@ -323,7 +323,7 @@ type FactorVerificationStatus = typeof FactorVerificationStatuses[number]
  */
 export type Factor<
   Type extends FactorType = FactorType,
-  Status extends FactorVerificationStatus = typeof FactorVerificationStatuses[number]
+  Status extends FactorVerificationStatus = (typeof FactorVerificationStatuses)[number],
 > = {
   /** ID of the factor. */
   id: string
@@ -938,7 +938,7 @@ type MFAChallengeParamsBase = {
 }
 
 const MFATOTPChannels = ['sms', 'whatsapp'] as const
-export type MFATOTPChannel = typeof MFATOTPChannels[number]
+export type MFATOTPChannel = (typeof MFATOTPChannels)[number]
 
 export type MFAChallengeTOTPParams = Prettify<MFAChallengeParamsBase>
 
@@ -1447,4 +1447,146 @@ export interface JWK {
 }
 
 export const SIGN_OUT_SCOPES = ['global', 'local', 'others'] as const
-export type SignOutScope = typeof SIGN_OUT_SCOPES[number]
+export type SignOutScope = (typeof SIGN_OUT_SCOPES)[number]
+
+/**
+ * OAuth client grant types supported by the OAuth 2.1 server.
+ * Only relevant when the OAuth 2.1 server is enabled in Supabase Auth.
+ */
+export type OAuthClientGrantType = 'authorization_code' | 'refresh_token'
+
+/**
+ * OAuth client response types supported by the OAuth 2.1 server.
+ * Only relevant when the OAuth 2.1 server is enabled in Supabase Auth.
+ */
+export type OAuthClientResponseType = 'code'
+
+/**
+ * OAuth client type indicating whether the client can keep credentials confidential.
+ * Only relevant when the OAuth 2.1 server is enabled in Supabase Auth.
+ */
+export type OAuthClientType = 'public' | 'confidential'
+
+/**
+ * OAuth client registration type.
+ * Only relevant when the OAuth 2.1 server is enabled in Supabase Auth.
+ */
+export type OAuthClientRegistrationType = 'dynamic' | 'manual'
+
+/**
+ * OAuth client object returned from the OAuth 2.1 server.
+ * Only relevant when the OAuth 2.1 server is enabled in Supabase Auth.
+ */
+export type OAuthClient = {
+  /** Unique identifier for the OAuth client */
+  client_id: string
+  /** Human-readable name of the OAuth client */
+  client_name: string
+  /** Client secret (only returned on registration and regeneration) */
+  client_secret?: string
+  /** Type of OAuth client */
+  client_type: OAuthClientType
+  /** Token endpoint authentication method */
+  token_endpoint_auth_method: string
+  /** Registration type of the client */
+  registration_type: OAuthClientRegistrationType
+  /** URI of the OAuth client */
+  client_uri?: string
+  /** Array of allowed redirect URIs */
+  redirect_uris: string[]
+  /** Array of allowed grant types */
+  grant_types: OAuthClientGrantType[]
+  /** Array of allowed response types */
+  response_types: OAuthClientResponseType[]
+  /** Scope of the OAuth client */
+  scope?: string
+  /** Timestamp when the client was created */
+  created_at: string
+  /** Timestamp when the client was last updated */
+  updated_at: string
+}
+
+/**
+ * Parameters for creating a new OAuth client.
+ * Only relevant when the OAuth 2.1 server is enabled in Supabase Auth.
+ */
+export type CreateOAuthClientParams = {
+  /** Human-readable name of the OAuth client */
+  client_name: string
+  /** URI of the OAuth client */
+  client_uri?: string
+  /** Array of allowed redirect URIs */
+  redirect_uris: string[]
+  /** Array of allowed grant types (optional, defaults to authorization_code and refresh_token) */
+  grant_types?: OAuthClientGrantType[]
+  /** Array of allowed response types (optional, defaults to code) */
+  response_types?: OAuthClientResponseType[]
+  /** Scope of the OAuth client */
+  scope?: string
+}
+
+/**
+ * Response type for OAuth client operations.
+ * Only relevant when the OAuth 2.1 server is enabled in Supabase Auth.
+ */
+export type OAuthClientResponse = RequestResult<OAuthClient>
+
+/**
+ * Response type for listing OAuth clients.
+ * Only relevant when the OAuth 2.1 server is enabled in Supabase Auth.
+ */
+export type OAuthClientListResponse =
+  | {
+      data: { clients: OAuthClient[]; aud: string } & Pagination
+      error: null
+    }
+  | {
+      data: { clients: [] }
+      error: AuthError
+    }
+
+/**
+ * Contains all OAuth client administration methods.
+ * Only relevant when the OAuth 2.1 server is enabled in Supabase Auth.
+ */
+export interface GoTrueAdminOAuthApi {
+  /**
+   * Lists all OAuth clients with optional pagination.
+   * Only relevant when the OAuth 2.1 server is enabled in Supabase Auth.
+   *
+   * This function should only be called on a server. Never expose your `service_role` key in the browser.
+   */
+  listClients(params?: PageParams): Promise<OAuthClientListResponse>
+
+  /**
+   * Creates a new OAuth client.
+   * Only relevant when the OAuth 2.1 server is enabled in Supabase Auth.
+   *
+   * This function should only be called on a server. Never expose your `service_role` key in the browser.
+   */
+  createClient(params: CreateOAuthClientParams): Promise<OAuthClientResponse>
+
+  /**
+   * Gets details of a specific OAuth client.
+   * Only relevant when the OAuth 2.1 server is enabled in Supabase Auth.
+   *
+   * This function should only be called on a server. Never expose your `service_role` key in the browser.
+   */
+  getClient(clientId: string): Promise<OAuthClientResponse>
+
+  /**
+   * Deletes an OAuth client.
+   * Only relevant when the OAuth 2.1 server is enabled in Supabase Auth.
+   *
+   * This function should only be called on a server. Never expose your `service_role` key in the browser.
+   */
+  deleteClient(clientId: string): Promise<OAuthClientResponse>
+
+  /**
+   * Regenerates the secret for an OAuth client.
+   * Only relevant when the OAuth 2.1 server is enabled in Supabase Auth.
+   *
+   * This function should only be called on a server. Never expose your `service_role` key in the browser.
+   */
+  regenerateClientSecret(clientId: string): Promise<OAuthClientResponse>
+}

package/src/lib/version.ts

@@ -1 +1,7 @@
-export const version = '2.73.0-rc.6'
+// Generated automatically during releases by scripts/update-version-files.ts
+// This file provides runtime access to the package version for:
+// - HTTP request headers (e.g., X-Client-Info header for API requests)
+// - Debugging and support (identifying which version is running)
+// - Telemetry and logging (version reporting in errors/analytics)
+// - Ensuring build artifacts match the published package version
+export const version = '2.73.1-canary.4'

package/src/lib/webauthn.dom.ts

@@ -535,7 +535,7 @@ export type PublicKeyCredentialJSON = RegistrationResponseJSON | AuthenticationR
  * @see {@link https://developer.mozilla.org/en-US/docs/Web/API/PublicKeyCredential MDN - PublicKeyCredential}
  */
 export interface PublicKeyCredentialFuture<
-  T extends PublicKeyCredentialJSON = PublicKeyCredentialJSON
+  T extends PublicKeyCredentialJSON = PublicKeyCredentialJSON,
 > extends PublicKeyCredential {
   /**
    * The type of the credential (always "public-key").