@supabase/auth-js 3.0.0-next.1 → 3.0.0-next.10

package/dist/module/GoTrueClient.js

@@ -2,14 +2,14 @@ import GoTrueAdminApi from './GoTrueAdminApi';
 import { AUTO_REFRESH_TICK_DURATION_MS, AUTO_REFRESH_TICK_THRESHOLD, DEFAULT_HEADERS, EXPIRY_MARGIN_MS, GOTRUE_URL, JWKS_TTL, STORAGE_KEY, } from './lib/constants';
 import { AuthImplicitGrantRedirectError, AuthInvalidCredentialsError, AuthInvalidJwtError, AuthInvalidTokenResponseError, AuthPKCECodeVerifierMissingError, AuthPKCEGrantCodeExchangeError, AuthSessionMissingError, AuthUnknownError, isAuthApiError, isAuthError, isAuthImplicitGrantRedirectError, isAuthRetryableFetchError, isAuthSessionMissingError, } from './lib/errors';
 import { _request, _sessionResponse, _sessionResponsePassword, _ssoResponse, _userResponse, } from './lib/fetch';
-import { decodeJWT, deepClone, Deferred, generateCallbackId, getAlgorithm, getCodeChallengeAndMethod, getItemAsync, insecureUserWarningProxy, isBrowser, parseParametersFromURL, removeItemAsync, resolveFetch, retryable, setItemAsync, sleep, supportsLocalStorage, userNotAvailableProxy, validateExp, } from './lib/helpers';
+import { assertPasskeyExperimentalEnabled, decodeJWT, deepClone, Deferred, generateCallbackId, getAlgorithm, getCodeChallengeAndMethod, getItemAsync, insecureUserWarningProxy, isBrowser, parseParametersFromURL, removeItemAsync, resolveFetch, retryable, setItemAsync, sleep, supportsLocalStorage, userNotAvailableProxy, validateExp, } from './lib/helpers';
 import { memoryLocalStorageAdapter } from './lib/local-storage';
 import { LockAcquireTimeoutError, navigatorLock } from './lib/locks';
 import { polyfillGlobalThis } from './lib/polyfills';
 import { version } from './lib/version';
 import { bytesToBase64URL, stringToUint8Array } from './lib/base64url';
 import { createSiweMessage, fromHex, getAddress, toHex, } from './lib/web3/ethereum';
-import { deserializeCredentialCreationOptions, deserializeCredentialRequestOptions, serializeCredentialCreationResponse, serializeCredentialRequestResponse, WebAuthnApi, } from './lib/webauthn';
+import { createCredential, deserializeCredentialCreationOptions, deserializeCredentialRequestOptions, getCredential, serializeCredentialCreationResponse, serializeCredentialRequestResponse, browserSupportsWebAuthn, webAuthnAbortService, WebAuthnApi, } from './lib/webauthn';
 polyfillGlobalThis(); // Make "globalThis" available
 const DEFAULT_OPTIONS = {
     url: GOTRUE_URL,
@@ -24,6 +24,7 @@ const DEFAULT_OPTIONS = {
     throwOnError: false,
     lockAcquireTimeout: 5000, // 5 seconds
     skipAutoInitialize: false,
+    experimental: {},
 };
 async function lockNoOp(name, acquireTimeout, fn) {
     return await fn();
@@ -62,7 +63,7 @@ class GoTrueClient {
      * ```ts
      * import { createClient } from '@supabase/supabase-js'
      *
-     * const supabase = createClient('https://xyzcompany.supabase.co', 'publishable-or-anon-key')
+     * const supabase = createClient('https://xyzcompany.supabase.co', 'your-publishable-key')
      * const { data, error } = await supabase.auth.getUser()
      * ```
      *
@@ -72,13 +73,13 @@ class GoTrueClient {
      *
      * const auth = new GoTrueClient({
      *   url: 'https://xyzcompany.supabase.co/auth/v1',
-     *   headers: { apikey: 'publishable-or-anon-key' },
+     *   headers: { apikey: 'your-publishable-key' },
      *   storageKey: 'supabase-auth',
      * })
      * ```
      */
     constructor(options) {
-        var _a, _b, _c;
+        var _a, _b, _c, _d;
         /**
          * @experimental
          */
@@ -123,10 +124,12 @@ class GoTrueClient {
         }
         this.persistSession = settings.persistSession;
         this.autoRefreshToken = settings.autoRefreshToken;
+        this.experimental = (_b = settings.experimental) !== null && _b !== void 0 ? _b : {};
         this.admin = new GoTrueAdminApi({
             url: settings.url,
             headers: settings.headers,
             fetch: settings.fetch,
+            experimental: this.experimental,
         });
         this.url = settings.url;
         this.headers = settings.headers;
@@ -140,7 +143,7 @@ class GoTrueClient {
         if (settings.lock) {
             this.lock = settings.lock;
         }
-        else if (this.persistSession && isBrowser() && ((_b = globalThis === null || globalThis === void 0 ? void 0 : globalThis.navigator) === null || _b === void 0 ? void 0 : _b.locks)) {
+        else if (this.persistSession && isBrowser() && ((_c = globalThis === null || globalThis === void 0 ? void 0 : globalThis.navigator) === null || _c === void 0 ? void 0 : _c.locks)) {
             this.lock = navigatorLock;
         }
         else {
@@ -167,6 +170,15 @@ class GoTrueClient {
             listGrants: this._listOAuthGrants.bind(this),
             revokeGrant: this._revokeOAuthGrant.bind(this),
         };
+        this.passkey = {
+            startRegistration: this._startPasskeyRegistration.bind(this),
+            verifyRegistration: this._verifyPasskeyRegistration.bind(this),
+            startAuthentication: this._startPasskeyAuthentication.bind(this),
+            verifyAuthentication: this._verifyPasskeyAuthentication.bind(this),
+            list: this._listPasskeys.bind(this),
+            update: this._updatePasskey.bind(this),
+            delete: this._deletePasskey.bind(this),
+        };
         if (this.persistSession) {
             if (settings.storage) {
                 this.storage = settings.storage;
@@ -195,7 +207,7 @@ class GoTrueClient {
             catch (e) {
                 console.error('Failed to create a new BroadcastChannel, multi-tab state changes will not be available', e);
             }
-            (_c = this.broadcastChannel) === null || _c === void 0 ? void 0 : _c.addEventListener('message', async (event) => {
+            (_d = this.broadcastChannel) === null || _d === void 0 ? void 0 : _d.addEventListener('message', async (event) => {
                 this._debug('received broadcast notification from other tab or client', event);
                 try {
                     await this._notifyAllSubscribers(event.data.event, event.data.session, false); // broadcast = false so we don't get an endless loop of messages
@@ -1478,7 +1490,7 @@ class GoTrueClient {
             }
             if (data.session) {
                 await this._saveSession(data.session);
-                await this._notifyAllSubscribers('SIGNED_IN', data.session);
+                await this._notifyAllSubscribers(redirectType === 'recovery' ? 'PASSWORD_RECOVERY' : 'SIGNED_IN', data.session);
             }
             return this._returnResult({ data: Object.assign(Object.assign({}, data), { redirectType: redirectType !== null && redirectType !== void 0 ? redirectType : null }), error });
         }
@@ -3007,6 +3019,7 @@ class GoTrueClient {
      * Gets the session data from a URL string
      */
     async _getSessionFromURL(params, callbackUrlType) {
+        var _a;
         try {
             if (!isBrowser())
                 throw new AuthImplicitGrantRedirectError('No browser detected.');
@@ -3045,7 +3058,10 @@ class GoTrueClient {
                 const url = new URL(window.location.href);
                 url.searchParams.delete('code');
                 window.history.replaceState(window.history.state, '', url.toString());
-                return { data: { session: data.session, redirectType: null }, error: null };
+                return {
+                    data: { session: data.session, redirectType: (_a = data.redirectType) !== null && _a !== void 0 ? _a : null },
+                    error: null,
+                };
             }
             const { provider_token, provider_refresh_token, access_token, refresh_token, expires_in, expires_at, token_type, } = params;
             if (!access_token || !expires_in || !refresh_token || !token_type) {
@@ -4852,6 +4868,331 @@ class GoTrueClient {
             throw error;
         }
     }
+    // --- Passkey Methods ---
+    /**
+     * Sign in with a passkey. Handles the full WebAuthn ceremony:
+     * 1. Fetches authentication challenge from server
+     * 2. Prompts user via navigator.credentials.get()
+     * 3. Verifies credential with server and creates session
+     *
+     * Requires `auth.experimental.passkey: true`.
+     */
+    async signInWithPasskey(credentials) {
+        var _a, _b, _c;
+        assertPasskeyExperimentalEnabled(this.experimental);
+        try {
+            if (!browserSupportsWebAuthn()) {
+                return this._returnResult({
+                    data: null,
+                    error: new AuthUnknownError('Browser does not support WebAuthn', null),
+                });
+            }
+            // 1. Get challenge options from server
+            const { data: options, error: optionsError } = await this._startPasskeyAuthentication({
+                options: { captchaToken: (_a = credentials === null || credentials === void 0 ? void 0 : credentials.options) === null || _a === void 0 ? void 0 : _a.captchaToken },
+            });
+            if (optionsError || !options) {
+                return this._returnResult({ data: null, error: optionsError });
+            }
+            // 2. Deserialize and prompt user via browser WebAuthn API
+            const publicKeyOptions = deserializeCredentialRequestOptions(options.options);
+            const signal = (_c = (_b = credentials === null || credentials === void 0 ? void 0 : credentials.options) === null || _b === void 0 ? void 0 : _b.signal) !== null && _c !== void 0 ? _c : webAuthnAbortService.createNewAbortSignal();
+            const { data: credential, error: credentialError } = await getCredential({
+                publicKey: publicKeyOptions,
+                signal,
+            });
+            if (credentialError || !credential) {
+                return this._returnResult({
+                    data: null,
+                    error: credentialError !== null && credentialError !== void 0 ? credentialError : new AuthUnknownError('WebAuthn ceremony failed', null),
+                });
+            }
+            // 3. Serialize and verify with server
+            const serialized = serializeCredentialRequestResponse(credential);
+            return this._verifyPasskeyAuthentication({
+                challengeId: options.challenge_id,
+                credential: serialized,
+            });
+        }
+        catch (error) {
+            if (isAuthError(error)) {
+                return this._returnResult({ data: null, error });
+            }
+            throw error;
+        }
+    }
+    /**
+     * Register a passkey for the current authenticated user. Handles the full WebAuthn ceremony:
+     * 1. Fetches registration challenge from server
+     * 2. Prompts user via navigator.credentials.create()
+     * 3. Verifies credential with server
+     *
+     * Requires an active session. Requires `auth.experimental.passkey: true`.
+     */
+    async registerPasskey(credentials) {
+        var _a, _b;
+        assertPasskeyExperimentalEnabled(this.experimental);
+        try {
+            if (!browserSupportsWebAuthn()) {
+                return this._returnResult({
+                    data: null,
+                    error: new AuthUnknownError('Browser does not support WebAuthn', null),
+                });
+            }
+            // 1. Get challenge options from server
+            const { data: options, error: optionsError } = await this._startPasskeyRegistration();
+            if (optionsError || !options) {
+                return this._returnResult({ data: null, error: optionsError });
+            }
+            // 2. Deserialize and prompt user via browser WebAuthn API
+            const publicKeyOptions = deserializeCredentialCreationOptions(options.options);
+            const signal = (_b = (_a = credentials === null || credentials === void 0 ? void 0 : credentials.options) === null || _a === void 0 ? void 0 : _a.signal) !== null && _b !== void 0 ? _b : webAuthnAbortService.createNewAbortSignal();
+            const { data: credential, error: credentialError } = await createCredential({
+                publicKey: publicKeyOptions,
+                signal,
+            });
+            if (credentialError || !credential) {
+                return this._returnResult({
+                    data: null,
+                    error: credentialError !== null && credentialError !== void 0 ? credentialError : new AuthUnknownError('WebAuthn ceremony failed', null),
+                });
+            }
+            // 3. Serialize and verify with server
+            const serialized = serializeCredentialCreationResponse(credential);
+            return this._verifyPasskeyRegistration({
+                challengeId: options.challenge_id,
+                credential: serialized,
+            });
+        }
+        catch (error) {
+            if (isAuthError(error)) {
+                return this._returnResult({ data: null, error });
+            }
+            throw error;
+        }
+    }
+    /**
+     * Start passkey registration for the current authenticated user.
+     * Returns WebAuthn credential creation options to pass to navigator.credentials.create().
+     */
+    async _startPasskeyRegistration() {
+        assertPasskeyExperimentalEnabled(this.experimental);
+        try {
+            return await this._useSession(async (result) => {
+                const { data: { session }, error: sessionError, } = result;
+                if (sessionError) {
+                    return this._returnResult({ data: null, error: sessionError });
+                }
+                if (!session) {
+                    return this._returnResult({ data: null, error: new AuthSessionMissingError() });
+                }
+                const { data, error } = await _request(this.fetch, 'POST', `${this.url}/passkeys/registration/options`, {
+                    headers: this.headers,
+                    jwt: session.access_token,
+                    body: {},
+                });
+                if (error) {
+                    return this._returnResult({ data: null, error });
+                }
+                return this._returnResult({ data, error: null });
+            });
+        }
+        catch (error) {
+            if (isAuthError(error)) {
+                return this._returnResult({ data: null, error });
+            }
+            throw error;
+        }
+    }
+    /**
+     * Verify passkey registration with the credential response.
+     * The credentialResponse should be the serialized output of navigator.credentials.create().
+     */
+    async _verifyPasskeyRegistration(params) {
+        assertPasskeyExperimentalEnabled(this.experimental);
+        try {
+            return await this._useSession(async (result) => {
+                const { data: { session }, error: sessionError, } = result;
+                if (sessionError) {
+                    return this._returnResult({ data: null, error: sessionError });
+                }
+                if (!session) {
+                    return this._returnResult({ data: null, error: new AuthSessionMissingError() });
+                }
+                const { data, error } = await _request(this.fetch, 'POST', `${this.url}/passkeys/registration/verify`, {
+                    headers: this.headers,
+                    jwt: session.access_token,
+                    body: {
+                        challenge_id: params.challengeId,
+                        credential: params.credential,
+                    },
+                });
+                if (error) {
+                    return this._returnResult({ data: null, error });
+                }
+                return this._returnResult({ data, error: null });
+            });
+        }
+        catch (error) {
+            if (isAuthError(error)) {
+                return this._returnResult({ data: null, error });
+            }
+            throw error;
+        }
+    }
+    /**
+     * Start passkey authentication.
+     * Returns WebAuthn credential request options to pass to navigator.credentials.get().
+     */
+    async _startPasskeyAuthentication(params) {
+        var _a;
+        assertPasskeyExperimentalEnabled(this.experimental);
+        try {
+            const { data, error } = await _request(this.fetch, 'POST', `${this.url}/passkeys/authentication/options`, {
+                headers: this.headers,
+                body: {
+                    gotrue_meta_security: { captcha_token: (_a = params === null || params === void 0 ? void 0 : params.options) === null || _a === void 0 ? void 0 : _a.captchaToken },
+                },
+            });
+            if (error) {
+                return this._returnResult({ data: null, error });
+            }
+            return this._returnResult({ data, error: null });
+        }
+        catch (error) {
+            if (isAuthError(error)) {
+                return this._returnResult({ data: null, error });
+            }
+            throw error;
+        }
+    }
+    /**
+     * Verify passkey authentication and create a session.
+     * The credential should be the serialized output of navigator.credentials.get().
+     */
+    async _verifyPasskeyAuthentication(params) {
+        assertPasskeyExperimentalEnabled(this.experimental);
+        try {
+            const { data, error } = await _request(this.fetch, 'POST', `${this.url}/passkeys/authentication/verify`, {
+                headers: this.headers,
+                body: {
+                    challenge_id: params.challengeId,
+                    credential: params.credential,
+                },
+                xform: _sessionResponse,
+            });
+            if (error) {
+                return this._returnResult({ data: null, error });
+            }
+            if (data.session) {
+                await this._saveSession(data.session);
+                await this._notifyAllSubscribers('SIGNED_IN', data.session);
+            }
+            return this._returnResult({ data, error: null });
+        }
+        catch (error) {
+            if (isAuthError(error)) {
+                return this._returnResult({ data: null, error });
+            }
+            throw error;
+        }
+    }
+    /**
+     * List all passkeys for the current user.
+     */
+    async _listPasskeys() {
+        assertPasskeyExperimentalEnabled(this.experimental);
+        try {
+            return await this._useSession(async (result) => {
+                const { data: { session }, error: sessionError, } = result;
+                if (sessionError) {
+                    return this._returnResult({ data: null, error: sessionError });
+                }
+                if (!session) {
+                    return this._returnResult({ data: null, error: new AuthSessionMissingError() });
+                }
+                const { data, error } = await _request(this.fetch, 'GET', `${this.url}/passkeys`, {
+                    headers: this.headers,
+                    jwt: session.access_token,
+                    xform: (data) => ({ data, error: null }),
+                });
+                if (error) {
+                    return this._returnResult({ data: null, error });
+                }
+                return this._returnResult({ data, error: null });
+            });
+        }
+        catch (error) {
+            if (isAuthError(error)) {
+                return this._returnResult({ data: null, error });
+            }
+            throw error;
+        }
+    }
+    /**
+     * Update a passkey.
+     */
+    async _updatePasskey(params) {
+        assertPasskeyExperimentalEnabled(this.experimental);
+        try {
+            return await this._useSession(async (result) => {
+                const { data: { session }, error: sessionError, } = result;
+                if (sessionError) {
+                    return this._returnResult({ data: null, error: sessionError });
+                }
+                if (!session) {
+                    return this._returnResult({ data: null, error: new AuthSessionMissingError() });
+                }
+                const { data, error } = await _request(this.fetch, 'PATCH', `${this.url}/passkeys/${params.passkeyId}`, {
+                    headers: this.headers,
+                    jwt: session.access_token,
+                    body: { friendly_name: params.friendlyName },
+                });
+                if (error) {
+                    return this._returnResult({ data: null, error });
+                }
+                return this._returnResult({ data, error: null });
+            });
+        }
+        catch (error) {
+            if (isAuthError(error)) {
+                return this._returnResult({ data: null, error });
+            }
+            throw error;
+        }
+    }
+    /**
+     * Delete a passkey.
+     */
+    async _deletePasskey(params) {
+        assertPasskeyExperimentalEnabled(this.experimental);
+        try {
+            return await this._useSession(async (result) => {
+                const { data: { session }, error: sessionError, } = result;
+                if (sessionError) {
+                    return this._returnResult({ data: null, error: sessionError });
+                }
+                if (!session) {
+                    return this._returnResult({ data: null, error: new AuthSessionMissingError() });
+                }
+                const { error } = await _request(this.fetch, 'DELETE', `${this.url}/passkeys/${params.passkeyId}`, {
+                    headers: this.headers,
+                    jwt: session.access_token,
+                    noResolveJson: true,
+                });
+                if (error) {
+                    return this._returnResult({ data: null, error });
+                }
+                return this._returnResult({ data: null, error: null });
+            });
+        }
+        catch (error) {
+            if (isAuthError(error)) {
+                return this._returnResult({ data: null, error });
+            }
+            throw error;
+        }
+    }
 }
 GoTrueClient.nextInstanceID = {};
 export default GoTrueClient;