@supabase/auth-js 3.0.0-next.2 → 3.0.0-next.20

package/src/lib/fetch.ts

@@ -3,11 +3,13 @@ import { expiresAt, looksLikeFetchResponse, parseResponseAPIVersion } from './he
 import {
   AuthResponse,
   AuthResponsePassword,
+  Session,
   SSOResponse,
   GenerateLinkProperties,
   GenerateLinkResponse,
   User,
   UserResponse,
+  WeakPassword,
 } from './types'
 import {
   AuthApiError,
@@ -19,6 +21,30 @@ import {
 
 export type Fetch = typeof fetch
 
+/** Raw session data from GoTrue server response. */
+interface GoTrueSessionData {
+  access_token?: string
+  refresh_token?: string
+  expires_in?: number
+  expires_at?: number
+  user?: User
+  [key: string]: any // server returns additional fields (token_type, provider_token, etc.) copied into Session
+}
+
+/** Raw session data that includes weak password info (password sign-in endpoints). */
+interface GoTrueSessionPasswordData extends GoTrueSessionData {
+  weak_password?: WeakPassword
+}
+
+/** Raw user data — either `{ user: User }` or the User object itself. */
+interface GoTrueUserData {
+  user?: User
+  [key: string]: any // data may BE the User directly (fallback path)
+}
+
+/** Raw generate-link data — link properties + User fields flattened into one object. */
+type GoTrueGenerateLinkData = GenerateLinkProperties & Record<string, any>
+
 export interface FetchOptions {
   headers?: {
     [key: string]: string
@@ -30,10 +56,18 @@ export interface FetchParameters {
   signal?: AbortSignal
 }
 
-export type RequestMethodType = 'GET' | 'POST' | 'PUT' | 'DELETE'
+export type RequestMethodType = 'GET' | 'POST' | 'PUT' | 'PATCH' | 'DELETE'
 
-const _getErrorMessage = (err: any): string =>
-  err.msg || err.message || err.error_description || err.error || JSON.stringify(err)
+const _getErrorMessage = (err: unknown): string => {
+  if (typeof err === 'object' && err !== null) {
+    const e = err as Record<string, unknown>
+    if (typeof e.msg === 'string') return e.msg
+    if (typeof e.message === 'string') return e.message
+    if (typeof e.error_description === 'string') return e.error_description
+    if (typeof e.error === 'string') return e.error
+  }
+  return JSON.stringify(err)
+}
 
 // 502, 503, 504: Standard server/gateway errors
 // 520-524, 530: Cloudflare-specific error codes (web server down, connection timed out, etc.)
@@ -53,7 +87,7 @@ export async function handleError(error: unknown) {
   let data: any
   try {
     data = await error.json()
-  } catch (e: any) {
+  } catch (e) {
     throw new AuthUnknownError(_getErrorMessage(e), e)
   }
 
@@ -181,7 +215,7 @@ async function _handleRequest(
 ): Promise<any> {
   const requestParams = _getRequestParams(method, options, parameters, body)
 
-  let result: any
+  let result: Response
 
   try {
     result = await fetcher(url, {
@@ -204,18 +238,18 @@ async function _handleRequest(
 
   try {
     return await result.json()
-  } catch (e: any) {
+  } catch (e) {
     await handleError(e)
   }
 }
 
-export function _sessionResponse(data: any): AuthResponse {
+export function _sessionResponse(data: GoTrueSessionData): AuthResponse {
   let session = null
   if (hasSession(data)) {
-    session = { ...data }
+    session = { ...data } as Session
 
     if (!data.expires_at) {
-      session.expires_at = expiresAt(data.expires_in)
+      session.expires_at = expiresAt(data.expires_in!)
     }
   }
 
@@ -223,7 +257,7 @@ export function _sessionResponse(data: any): AuthResponse {
   return { data: { session, user }, error: null }
 }
 
-export function _sessionResponsePassword(data: any): AuthResponsePassword {
+export function _sessionResponsePassword(data: GoTrueSessionPasswordData): AuthResponsePassword {
   const response = _sessionResponse(data) as AuthResponsePassword
 
   if (
@@ -234,7 +268,7 @@ export function _sessionResponsePassword(data: any): AuthResponsePassword {
     data.weak_password.reasons.length &&
     data.weak_password.message &&
     typeof data.weak_password.message === 'string' &&
-    data.weak_password.reasons.reduce((a: boolean, i: any) => a && typeof i === 'string', true)
+    data.weak_password.reasons.reduce((a: boolean, i: unknown) => a && typeof i === 'string', true)
   ) {
     response.data.weak_password = data.weak_password
   }
@@ -242,16 +276,16 @@ export function _sessionResponsePassword(data: any): AuthResponsePassword {
   return response
 }
 
-export function _userResponse(data: any): UserResponse {
+export function _userResponse(data: GoTrueUserData): UserResponse {
   const user: User = data.user ?? (data as User)
   return { data: { user }, error: null }
 }
 
-export function _ssoResponse(data: any): SSOResponse {
-  return { data, error: null }
+export function _ssoResponse(data: Record<string, any>): SSOResponse {
+  return { data, error: null } as SSOResponse
 }
 
-export function _generateLinkResponse(data: any): GenerateLinkResponse {
+export function _generateLinkResponse(data: GoTrueGenerateLinkData): GenerateLinkResponse {
   const { action_link, email_otp, hashed_token, redirect_to, verification_type, ...rest } = data
 
   const properties: GenerateLinkProperties = {
@@ -262,7 +296,7 @@ export function _generateLinkResponse(data: any): GenerateLinkResponse {
     verification_type,
   }
 
-  const user: User = { ...rest }
+  const user = { ...rest } as User
   return {
     data: {
       properties,
@@ -272,7 +306,7 @@ export function _generateLinkResponse(data: any): GenerateLinkResponse {
   }
 }
 
-export function _noResolveJsonResponse(data: any): Response {
+export function _noResolveJsonResponse(data: Response): Response {
   return data
 }
 
@@ -281,6 +315,6 @@ export function _noResolveJsonResponse(data: any): Response {
  * @param data A response object
  * @returns true if a session is in the response
  */
-function hasSession(data: any): boolean {
-  return data.access_token && data.refresh_token && data.expires_in
+function hasSession(data: GoTrueSessionData): boolean {
+  return !!data.access_token && !!data.refresh_token && !!data.expires_in
 }

package/src/lib/helpers.ts

@@ -87,7 +87,7 @@ export function parseParametersFromURL(href: string) {
       hashSearchParams.forEach((value, key) => {
         result[key] = value
       })
-    } catch (e: any) {
+    } catch (_e) {
       // hash is not a query string
     }
   }
@@ -235,7 +235,7 @@ export function retryable<T>(
             accept(result)
             return
           }
-        } catch (e: any) {
+        } catch (e) {
           if (!isRetryable(attempt, e)) {
             reject(e)
             return
@@ -304,7 +304,7 @@ export async function getCodeChallengeAndMethod(
   const codeVerifier = generatePKCEVerifier()
   let storedCodeVerifier = codeVerifier
   if (isPasswordRecovery) {
-    storedCodeVerifier += '/PASSWORD_RECOVERY'
+    storedCodeVerifier += '/recovery'
   }
   await setItemAsync(storage, `${storageKey}-code-verifier`, storedCodeVerifier)
   const codeChallenge = await generatePKCEChallenge(codeVerifier)
@@ -329,7 +329,7 @@ export function parseResponseAPIVersion(response: Response) {
   try {
     const date = new Date(`${apiVersion}T00:00:00.0Z`)
     return date
-  } catch (e: any) {
+  } catch (_e) {
     return null
   }
 }
@@ -345,7 +345,7 @@ export function validateExp(exp: number) {
 }
 
 export function getAlgorithm(
-  alg: 'HS256' | 'RS256' | 'ES256'
+  alg: 'HS256' | 'RS256' | 'ES256' | (string & {})
 ): RsaHashedImportParams | EcKeyImportParams {
   switch (alg) {
     case 'RS256':
@@ -372,6 +372,14 @@ export function validateUUID(str: string) {
   }
 }
 
+export function assertPasskeyExperimentalEnabled(experimental: { passkey?: boolean }): void {
+  if (!experimental.passkey) {
+    throw new Error(
+      '@supabase/auth-js: the passkey API is experimental and disabled by default. Enable it by passing `auth: { experimental: { passkey: true } }` to createClient (or to the GoTrueClient constructor).'
+    )
+  }
+}
+
 export function userNotAvailableProxy(): User {
   const proxyTarget = {} as User
 

package/src/lib/locks.ts

@@ -176,7 +176,7 @@ export async function navigatorLock<R>(
                   '@supabase/gotrue-js: Navigator LockManager state',
                   JSON.stringify(result, null, '  ')
                 )
-              } catch (e: any) {
+              } catch (e) {
                 console.warn(
                   '@supabase/gotrue-js: Error when querying Navigator LockManager state',
                   e
@@ -198,14 +198,21 @@ export async function navigatorLock<R>(
         }
       }
     )
-  } catch (e: any) {
+  } catch (e) {
     // Always clear the acquire timeout once the request settles, so it cannot
     // fire later and incorrectly abort/log after a rejection.
     if (acquireTimeout > 0) {
       clearTimeout(acquireTimeoutTimer)
     }
 
-    if (e?.name === 'AbortError' && acquireTimeout > 0) {
+    // DOMException does not extend Error in Node.js, so use structural check
+    if (
+      e !== null &&
+      typeof e === 'object' &&
+      'name' in e &&
+      e.name === 'AbortError' &&
+      acquireTimeout > 0
+    ) {
       if (abortController.signal.aborted) {
         // OUR timeout fired — the lock is genuinely orphaned. Steal it.
         //
@@ -370,14 +377,14 @@ export async function processLock<R>(
       if (timeoutId !== null) {
         clearTimeout(timeoutId)
       }
-    } catch (e: any) {
+    } catch (e) {
       // Clear the timeout on error path as well
       if (timeoutId !== null) {
         clearTimeout(timeoutId)
       }
 
       // Re-throw timeout errors, ignore others
-      if (e && e.isAcquireTimeout) {
+      if (e instanceof LockAcquireTimeoutError) {
         throw e
       }
       // Fall through to run fn() - previous operation finished with error
@@ -391,8 +398,8 @@ export async function processLock<R>(
   PROCESS_LOCKS[name] = (async () => {
     try {
       return await currentOperation
-    } catch (e: any) {
-      if (e && e.isAcquireTimeout) {
+    } catch (e) {
+      if (e instanceof LockAcquireTimeoutError) {
         // if the current operation timed out, it doesn't mean that the previous
         // operation finished, so we need continue waiting for it to finish
         try {

package/src/lib/types.ts

@@ -6,6 +6,12 @@ import {
   ServerCredentialCreationOptions,
   ServerCredentialRequestOptions,
   WebAuthnApi,
+  WebAuthnError,
+} from './webauthn'
+import type {
+  RegistrationResponseJSON,
+  AuthenticationResponseJSON,
+  ServerCredentialResponse,
 } from './webauthn'
 import {
   AuthenticationCredential,
@@ -174,6 +180,27 @@ export type GoTrueClientOptions = {
    * @default false
    */
   skipAutoInitialize?: boolean
+
+  /**
+   * Opt-in flags for experimental features. These APIs may change without
+   * notice and are disabled by default.
+   *
+   * @experimental
+   */
+  experimental?: ExperimentalFeatureFlags
+}
+
+export type ExperimentalFeatureFlags = {
+  /**
+   * Enables passkey support:
+   *   - `auth.signInWithPasskey()`, `auth.registerPasskey()`
+   *   - `auth.passkey.*`
+   *   - `auth.admin.passkey.*`
+   *
+   * Defaults to `false`. Calling any passkey method while this flag is
+   * disabled throws a descriptive error at call time.
+   */
+  passkey?: boolean
 }
 
 const WeakPasswordReasons = ['length', 'characters', 'pwned'] as const
@@ -666,7 +693,7 @@ export type SignInWithPasswordlessCredentials =
       }
     }
 
-export type AuthFlowType = 'implicit' | 'pkce'
+export type AuthFlowType = 'implicit' | 'pkce' | (string & {})
 export type SignInWithOAuthCredentials = {
   /** One of the providers supported by GoTrue. */
   provider: Provider
@@ -831,8 +858,15 @@ export interface VerifyTokenHashParams {
   type: EmailOtpType
 }
 
-export type MobileOtpType = 'sms' | 'phone_change'
-export type EmailOtpType = 'signup' | 'invite' | 'magiclink' | 'recovery' | 'email_change' | 'email'
+export type MobileOtpType = 'sms' | 'phone_change' | (string & {})
+export type EmailOtpType =
+  | 'signup'
+  | 'invite'
+  | 'magiclink'
+  | 'recovery'
+  | 'email_change'
+  | 'email'
+  | (string & {})
 
 export type ResendParams =
   | {
@@ -1211,7 +1245,7 @@ export type AuthMFAListFactorsResponse<T extends typeof FactorTypes = typeof Fac
     }
   >
 
-export type AuthenticatorAssuranceLevels = 'aal1' | 'aal2'
+export type AuthenticatorAssuranceLevels = 'aal1' | 'aal2' | (string & {})
 
 export type AuthMFAGetAuthenticatorAssuranceLevelResponse = RequestResult<{
   /** Current AAL level of the session. */
@@ -1905,7 +1939,7 @@ export type AuthMFAEnrollWebauthnResponse = RequestResult<
 >
 
 export type JwtHeader = {
-  alg: 'RS256' | 'ES256' | 'HS256'
+  alg: 'RS256' | 'ES256' | 'HS256' | (string & {})
   kid: string
   typ: string
 }
@@ -1956,7 +1990,7 @@ export interface JwtPayload extends RequiredClaims {
 }
 
 export interface JWK {
-  kty: 'RSA' | 'EC' | 'oct'
+  kty: 'RSA' | 'EC' | 'oct' | (string & {})
   key_ops: string[]
   alg?: string
   kid?: string
@@ -1970,7 +2004,7 @@ export type SignOutScope = (typeof SIGN_OUT_SCOPES)[number]
  * OAuth client grant types supported by the OAuth 2.1 server.
  * Only relevant when the OAuth 2.1 server is enabled in Supabase Auth.
  */
-export type OAuthClientGrantType = 'authorization_code' | 'refresh_token'
+export type OAuthClientGrantType = 'authorization_code' | 'refresh_token' | (string & {})
 
 /**
  * OAuth client response types supported by the OAuth 2.1 server.
@@ -1982,13 +2016,13 @@ export type OAuthClientResponseType = 'code'
  * OAuth client type indicating whether the client can keep credentials confidential.
  * Only relevant when the OAuth 2.1 server is enabled in Supabase Auth.
  */
-export type OAuthClientType = 'public' | 'confidential'
+export type OAuthClientType = 'public' | 'confidential' | (string & {})
 
 /**
  * OAuth client registration type.
  * Only relevant when the OAuth 2.1 server is enabled in Supabase Auth.
  */
-export type OAuthClientRegistrationType = 'dynamic' | 'manual'
+export type OAuthClientRegistrationType = 'dynamic' | 'manual' | (string & {})
 
 /**
  * OAuth client token endpoint authentication method.
@@ -2164,7 +2198,7 @@ export interface GoTrueAdminOAuthApi {
 /**
  * Type of custom identity provider.
  */
-export type CustomProviderType = 'oauth2' | 'oidc'
+export type CustomProviderType = 'oauth2' | 'oidc' | (string & {})
 
 /**
  * OIDC discovery document fields.
@@ -2624,3 +2658,154 @@ export interface AuthOAuthServerApi {
    */
   revokeGrant(options: { clientId: string }): Promise<AuthOAuthRevokeGrantResponse>
 }
+
+// --- Passkey Types ---
+
+/** Response from POST /passkeys/registration/options */
+export type PasskeyRegistrationOptionsResponse = {
+  challenge_id: string
+  options: ServerCredentialCreationOptions
+  expires_at: number
+}
+
+/** Request body for POST /passkeys/registration/verify */
+export type PasskeyRegistrationVerifyParams = {
+  challenge_id: string
+  credential: RegistrationResponseJSON
+}
+
+/** Response from POST /passkeys/registration/verify */
+export type PasskeyMetadata = {
+  id: string
+  friendly_name?: string
+  created_at: string
+}
+
+/** Response from POST /passkeys/authentication/options */
+export type PasskeyAuthenticationOptionsResponse = {
+  challenge_id: string
+  options: ServerCredentialRequestOptions
+  expires_at: number
+}
+
+/** Request body for POST /passkeys/authentication/verify */
+export type PasskeyAuthenticationVerifyParams = {
+  challenge_id: string
+  credential: AuthenticationResponseJSON
+}
+
+/** Item in the passkeys list (GET /passkeys/ and admin list) */
+export type PasskeyListItem = {
+  id: string
+  friendly_name?: string
+  created_at: string
+  last_used_at?: string
+}
+
+// --- Passkey SDK Method Parameter/Response Types ---
+
+export type SignInWithPasskeyCredentials = {
+  options?: {
+    captchaToken?: string
+    signal?: AbortSignal
+  }
+}
+
+export type RegisterPasskeyCredentials = {
+  options?: {
+    signal?: AbortSignal
+  }
+}
+
+export type VerifyPasskeyRegistrationParams = {
+  /** Challenge ID from startRegistration */
+  challengeId: string
+  /** Serialized credential from navigator.credentials.create() */
+  credential: ServerCredentialResponse
+}
+
+export type StartPasskeyAuthenticationParams = {
+  options?: {
+    captchaToken?: string
+  }
+}
+
+export type VerifyPasskeyAuthenticationParams = {
+  /** Challenge ID from startAuthentication */
+  challengeId: string
+  /** Serialized credential from navigator.credentials.get() */
+  credential: ServerCredentialResponse
+}
+
+export type PasskeyUpdateParams = {
+  /** UUID of the passkey to update */
+  passkeyId: string
+  /** New friendly name (max 120 chars) */
+  friendlyName: string
+}
+
+export type PasskeyDeleteParams = {
+  /** UUID of the passkey to delete */
+  passkeyId: string
+}
+
+// --- Passkey Response Types ---
+
+export type AuthPasskeyRegistrationOptionsResponse =
+  RequestResult<PasskeyRegistrationOptionsResponse>
+export type AuthPasskeyRegistrationVerifyResponse = RequestResult<
+  PasskeyMetadata,
+  WebAuthnError | AuthError
+>
+export type AuthPasskeyAuthenticationOptionsResponse =
+  RequestResult<PasskeyAuthenticationOptionsResponse>
+export type AuthPasskeyAuthenticationVerifyResponse = RequestResult<
+  { session: Session | null; user: User | null },
+  WebAuthnError | AuthError
+>
+export type AuthPasskeyListResponse = RequestResult<PasskeyListItem[]>
+export type AuthPasskeyUpdateResponse = RequestResult<PasskeyListItem>
+export type AuthPasskeyDeleteResponse = RequestResult<null>
+
+// --- Passkey Admin Types ---
+
+export type AuthPasskeyAdminListParams = {
+  userId: string
+}
+
+export type AuthPasskeyAdminDeleteParams = {
+  userId: string
+  passkeyId: string
+}
+
+// --- Passkey Namespace Interfaces ---
+
+/**
+ * Lower-level two-step API and management methods for passkeys.
+ * Access via `supabase.auth.passkey`.
+ */
+export interface AuthPasskeyApi {
+  // Two-step registration
+  startRegistration(): Promise<AuthPasskeyRegistrationOptionsResponse>
+  verifyRegistration(
+    params: VerifyPasskeyRegistrationParams
+  ): Promise<AuthPasskeyRegistrationVerifyResponse>
+
+  // Two-step authentication
+  startAuthentication(
+    params?: StartPasskeyAuthenticationParams
+  ): Promise<AuthPasskeyAuthenticationOptionsResponse>
+  verifyAuthentication(
+    params: VerifyPasskeyAuthenticationParams
+  ): Promise<AuthPasskeyAuthenticationVerifyResponse>
+
+  // Management
+  list(): Promise<AuthPasskeyListResponse>
+  update(params: PasskeyUpdateParams): Promise<AuthPasskeyUpdateResponse>
+  delete(params: PasskeyDeleteParams): Promise<AuthPasskeyDeleteResponse>
+}
+
+export interface GoTrueAdminPasskeyApi {
+  listPasskeys(params: AuthPasskeyAdminListParams): Promise<AuthPasskeyListResponse>
+  deletePasskey(params: AuthPasskeyAdminDeleteParams): Promise<AuthPasskeyDeleteResponse>
+}

package/src/lib/version.ts

@@ -4,4 +4,4 @@
 // - Debugging and support (identifying which version is running)
 // - Telemetry and logging (version reporting in errors/analytics)
 // - Ensuring build artifacts match the published package version
-export const version = '3.0.0-next.2'
+export const version = '3.0.0-next.20'

package/src/lib/webauthn.dom.ts

@@ -575,7 +575,7 @@ export interface PublicKeyCredentialFuture<
  *
  * @see {@link https://w3c.github.io/webauthn/#sctn-authenticator-data W3C WebAuthn Spec - Authenticator Data}
  */
-export type CredentialDeviceType = 'singleDevice' | 'multiDevice'
+export type CredentialDeviceType = 'singleDevice' | 'multiDevice' | (string & {})
 
 /**
  * Categories of authenticators that Relying Parties can pass along to browsers during
@@ -591,7 +591,7 @@ export type CredentialDeviceType = 'singleDevice' | 'multiDevice'
  * @see {@link https://w3c.github.io/webauthn/#enumdef-publickeycredentialhint W3C WebAuthn Spec - PublicKeyCredentialHint}
  * @see {@link https://developer.mozilla.org/en-US/docs/Web/API/PublicKeyCredentialCreationOptions#hints MDN - hints}
  */
-export type PublicKeyCredentialHint = 'hybrid' | 'security-key' | 'client-device'
+export type PublicKeyCredentialHint = 'hybrid' | 'security-key' | 'client-device' | (string & {})
 
 /**
  * Values for an attestation object's `fmt`.
@@ -633,4 +633,4 @@ export type Uint8Array_ = ReturnType<Uint8Array['slice']>
  * @see {@link https://w3c.github.io/webauthn/#enum-attachment W3C WebAuthn Spec - AuthenticatorAttachment}
  * @see {@link https://developer.mozilla.org/en-US/docs/Web/API/PublicKeyCredentialCreationOptions/authenticatorSelection#authenticatorattachment MDN - authenticatorAttachment}
  */
-export type AuthenticatorAttachment = 'cross-platform' | 'platform'
+export type AuthenticatorAttachment = 'cross-platform' | 'platform' | (string & {})

package/src/lib/webauthn.errors.ts

@@ -45,6 +45,18 @@ export class WebAuthnError extends Error {
     this.name = name ?? (cause instanceof Error ? cause.name : undefined) ?? 'Unknown Error'
     this.code = code
   }
+
+  toJSON(): {
+    name: string
+    message: string
+    code: WebAuthnErrorCode
+  } {
+    return {
+      name: this.name,
+      message: this.message,
+      code: this.code,
+    }
+  }
 }
 
 /**

package/src/lib/webauthn.ts

@@ -356,7 +356,7 @@ export function isValidDomain(hostname: string): boolean {
  * @returns {boolean} True if browser supports WebAuthn
  * @see {@link https://developer.mozilla.org/en-US/docs/Web/API/PublicKeyCredential#browser_compatibility MDN - PublicKeyCredential Browser Compatibility}
  */
-function browserSupportsWebAuthn(): boolean {
+export function browserSupportsWebAuthn(): boolean {
   return !!(
     isBrowser() &&
     'PublicKeyCredential' in window &&