@supabase/server 0.1.1-rc.25 → 0.1.1-rc.26

package/dist/core/index.d.cts

@@ -1,3 +1,195 @@
-import "../types-CnKoFCMX.cjs";
-import { a as extractCredentials, i as verifyCredentials, n as createContextClient, o as resolveEnv, r as verifyAuth, t as createAdminClient } from "../create-admin-client-Cp7FxI6O.cjs";
+import { i as Credentials, n as AllowWithKey, r as AuthResult, s as SupabaseEnv } from "../types-CnKoFCMX.cjs";
+import { n as EnvError, t as AuthError } from "../errors-BmSsOAvx.cjs";
+import { SupabaseClient } from "@supabase/supabase-js";
+
+//#region src/core/resolve-env.d.ts
+/**
+ * Resolves Supabase environment configuration from runtime environment variables.
+ *
+ * Reads `SUPABASE_URL`, keys (`SUPABASE_PUBLISHABLE_KEYS` / `SUPABASE_SECRET_KEYS`),
+ * and `SUPABASE_JWKS`. Works across Deno, Node.js, and Bun. For Cloudflare Workers,
+ * use `overrides` or enable node-compat.
+ *
+ * @param overrides - Partial values that take precedence over env vars.
+ * @returns `{ data: SupabaseEnv, error: null }` on success, `{ data: null, error: EnvError }` on failure.
+ *
+ * @example
+ * ```ts
+ * const { data: env, error } = resolveEnv()
+ * if (error) throw error
+ *
+ * // Override for tests
+ * const { data: env } = resolveEnv({ url: 'http://localhost:54321' })
+ * ```
+ */
+declare function resolveEnv(overrides?: Partial<SupabaseEnv>): {
+  data: SupabaseEnv;
+  error: null;
+} | {
+  data: null;
+  error: EnvError;
+};
+//#endregion
+//#region src/core/extract-credentials.d.ts
+/**
+ * Extracts authentication credentials from an incoming HTTP request.
+ *
+ * Reads two headers:
+ * - `Authorization: Bearer <token>` → extracted as `token`
+ * - `apikey: <key>` → extracted as `apikey`
+ *
+ * This is a pure extraction step — no validation or verification is performed.
+ * Pass the result to {@link verifyCredentials} to validate against allowed auth modes.
+ *
+ * @param request - The incoming HTTP request.
+ * @returns The extracted {@link Credentials}. Fields are `null` when the corresponding header is absent.
+ *
+ * @example
+ * ```ts
+ * import { extractCredentials } from '@supabase/server/core'
+ *
+ * const creds = extractCredentials(request)
+ * console.log(creds.token)  // "eyJhbGci..." or null
+ * console.log(creds.apikey) // "sb-abc123-publishable-..." or null
+ * ```
+ */
+declare function extractCredentials(request: Request): Credentials;
+//#endregion
+//#region src/core/verify-credentials.d.ts
+/**
+ * Options for {@link verifyCredentials}.
+ */
+interface VerifyCredentialsOptions {
+  /**
+   * Auth mode(s) to try. Modes are attempted in order — the first match wins.
+   *
+   * @see {@link AllowWithKey} for the full syntax including named keys.
+   */
+  allow: AllowWithKey | AllowWithKey[];
+  /** Optional environment overrides (passed through to {@link resolveEnv}). */
+  env?: Partial<SupabaseEnv>;
+}
+/**
+ * Verifies pre-extracted credentials against one or more allowed auth modes.
+ *
+ * Tries each mode in order — first match wins. Use {@link verifyAuth} to extract
+ * and verify in a single call.
+ *
+ * @param credentials - The credentials to verify (from {@link extractCredentials}).
+ * @param options - Allowed auth modes and optional env overrides.
+ * @returns `{ data: AuthResult, error: null }` on success, `{ data: null, error: AuthError }` on failure.
+ *
+ * @example
+ * ```ts
+ * const credentials = extractCredentials(request)
+ * const { data: auth, error } = await verifyCredentials(credentials, {
+ *   allow: ['user', 'public'],
+ * })
+ * if (error) {
+ *   return Response.json({ error: error.message }, { status: error.status })
+ * }
+ * ```
+ */
+declare function verifyCredentials(credentials: Credentials, options: VerifyCredentialsOptions): Promise<{
+  data: AuthResult;
+  error: null;
+} | {
+  data: null;
+  error: AuthError;
+}>;
+//#endregion
+//#region src/core/verify-auth.d.ts
+/**
+ * Options for {@link verifyAuth}.
+ */
+interface VerifyAuthOptions {
+  /**
+   * Auth mode(s) to try. Modes are attempted in order — the first match wins.
+   *
+   * @see {@link AllowWithKey} for the full syntax including named keys.
+   */
+  allow: AllowWithKey | AllowWithKey[];
+  /** Optional environment overrides (passed through to {@link resolveEnv}). */
+  env?: Partial<SupabaseEnv>;
+}
+/**
+ * Extracts credentials from a request and verifies them in a single step.
+ *
+ * This is a convenience function that combines {@link extractCredentials} and
+ * {@link verifyCredentials}. Use it when you want the full auth flow without
+ * needing to inspect the raw credentials.
+ *
+ * @param request - The incoming HTTP request.
+ * @param options - Auth modes to accept and optional environment overrides.
+ *
+ * @returns A result tuple: `{ data, error }`.
+ *   - On success: `{ data: AuthResult, error: null }`
+ *   - On failure: `{ data: null, error: AuthError }`
+ *
+ * @example
+ * ```ts
+ * import { verifyAuth } from '@supabase/server/core'
+ *
+ * const { data: auth, error } = await verifyAuth(request, {
+ *   allow: 'user',
+ * })
+ *
+ * if (error) {
+ *   return Response.json({ error: error.message }, { status: error.status })
+ * }
+ *
+ * console.log(auth.userClaims!.id) // "d0f1a2b3-..."
+ * ```
+ */
+declare function verifyAuth(request: Request, options: VerifyAuthOptions): Promise<{
+  data: AuthResult;
+  error: null;
+} | {
+  data: null;
+  error: AuthError;
+}>;
+//#endregion
+//#region src/core/create-context-client.d.ts
+/**
+ * Creates a Supabase client scoped to the caller's context.
+ *
+ * Configured with a publishable key and (optionally) the caller's JWT,
+ * so Row-Level Security policies apply. Session persistence is disabled
+ * (stateless, one client per request).
+ *
+ * @param token - The caller's JWT, or `null` for anonymous access.
+ * @param env - Optional environment overrides (passed through to {@link resolveEnv}).
+ * @param keyName - Name of the publishable key to use. Falls back to `"default"`, then first available.
+ * @returns A configured {@link SupabaseClient} with RLS enforced.
+ * @throws {@link EnvError} If `SUPABASE_URL` is missing or the specified publishable key is not found.
+ *
+ * @example
+ * ```ts
+ * const { data: auth } = await verifyAuth(request, { allow: 'user' })
+ * const supabase = createContextClient(auth.token)
+ * const { data } = await supabase.rpc('get_my_items')
+ * ```
+ */
+declare function createContextClient<Database = unknown>(token?: string | null, env?: Partial<SupabaseEnv>, keyName?: string | null): SupabaseClient<Database>;
+//#endregion
+//#region src/core/create-admin-client.d.ts
+/**
+ * Creates an admin Supabase client that bypasses Row-Level Security.
+ *
+ * Uses a secret key for authentication, giving full access to all data.
+ * Session persistence is disabled (stateless, one client per request).
+ *
+ * @param env - Optional environment overrides (passed through to {@link resolveEnv}).
+ * @param keyName - Name of the secret key to use. Falls back to `"default"`, then first available.
+ * @returns A configured {@link SupabaseClient} with admin (service-role) privileges.
+ * @throws {@link EnvError} If `SUPABASE_URL` is missing or the specified secret key is not found.
+ *
+ * @example
+ * ```ts
+ * const supabaseAdmin = createAdminClient()
+ * const { data } = await supabaseAdmin.from('audit_log').insert({ action: 'user_login' })
+ * ```
+ */
+declare function createAdminClient<Database = unknown>(env?: Partial<SupabaseEnv>, keyName?: string | null): SupabaseClient<Database>;
+//#endregion
 export { createAdminClient, createContextClient, extractCredentials, resolveEnv, verifyAuth, verifyCredentials };

package/dist/core/index.d.mts

@@ -1,3 +1,195 @@
-import "../types-ClmJ8pi8.mjs";
-import { a as extractCredentials, i as verifyCredentials, n as createContextClient, o as resolveEnv, r as verifyAuth, t as createAdminClient } from "../create-admin-client-ZTnl1zMe.mjs";
+import { i as Credentials, n as AllowWithKey, r as AuthResult, s as SupabaseEnv } from "../types-ClmJ8pi8.mjs";
+import { n as EnvError, t as AuthError } from "../errors-5ivL23qo.mjs";
+import { SupabaseClient } from "@supabase/supabase-js";
+
+//#region src/core/resolve-env.d.ts
+/**
+ * Resolves Supabase environment configuration from runtime environment variables.
+ *
+ * Reads `SUPABASE_URL`, keys (`SUPABASE_PUBLISHABLE_KEYS` / `SUPABASE_SECRET_KEYS`),
+ * and `SUPABASE_JWKS`. Works across Deno, Node.js, and Bun. For Cloudflare Workers,
+ * use `overrides` or enable node-compat.
+ *
+ * @param overrides - Partial values that take precedence over env vars.
+ * @returns `{ data: SupabaseEnv, error: null }` on success, `{ data: null, error: EnvError }` on failure.
+ *
+ * @example
+ * ```ts
+ * const { data: env, error } = resolveEnv()
+ * if (error) throw error
+ *
+ * // Override for tests
+ * const { data: env } = resolveEnv({ url: 'http://localhost:54321' })
+ * ```
+ */
+declare function resolveEnv(overrides?: Partial<SupabaseEnv>): {
+  data: SupabaseEnv;
+  error: null;
+} | {
+  data: null;
+  error: EnvError;
+};
+//#endregion
+//#region src/core/extract-credentials.d.ts
+/**
+ * Extracts authentication credentials from an incoming HTTP request.
+ *
+ * Reads two headers:
+ * - `Authorization: Bearer <token>` → extracted as `token`
+ * - `apikey: <key>` → extracted as `apikey`
+ *
+ * This is a pure extraction step — no validation or verification is performed.
+ * Pass the result to {@link verifyCredentials} to validate against allowed auth modes.
+ *
+ * @param request - The incoming HTTP request.
+ * @returns The extracted {@link Credentials}. Fields are `null` when the corresponding header is absent.
+ *
+ * @example
+ * ```ts
+ * import { extractCredentials } from '@supabase/server/core'
+ *
+ * const creds = extractCredentials(request)
+ * console.log(creds.token)  // "eyJhbGci..." or null
+ * console.log(creds.apikey) // "sb-abc123-publishable-..." or null
+ * ```
+ */
+declare function extractCredentials(request: Request): Credentials;
+//#endregion
+//#region src/core/verify-credentials.d.ts
+/**
+ * Options for {@link verifyCredentials}.
+ */
+interface VerifyCredentialsOptions {
+  /**
+   * Auth mode(s) to try. Modes are attempted in order — the first match wins.
+   *
+   * @see {@link AllowWithKey} for the full syntax including named keys.
+   */
+  allow: AllowWithKey | AllowWithKey[];
+  /** Optional environment overrides (passed through to {@link resolveEnv}). */
+  env?: Partial<SupabaseEnv>;
+}
+/**
+ * Verifies pre-extracted credentials against one or more allowed auth modes.
+ *
+ * Tries each mode in order — first match wins. Use {@link verifyAuth} to extract
+ * and verify in a single call.
+ *
+ * @param credentials - The credentials to verify (from {@link extractCredentials}).
+ * @param options - Allowed auth modes and optional env overrides.
+ * @returns `{ data: AuthResult, error: null }` on success, `{ data: null, error: AuthError }` on failure.
+ *
+ * @example
+ * ```ts
+ * const credentials = extractCredentials(request)
+ * const { data: auth, error } = await verifyCredentials(credentials, {
+ *   allow: ['user', 'public'],
+ * })
+ * if (error) {
+ *   return Response.json({ error: error.message }, { status: error.status })
+ * }
+ * ```
+ */
+declare function verifyCredentials(credentials: Credentials, options: VerifyCredentialsOptions): Promise<{
+  data: AuthResult;
+  error: null;
+} | {
+  data: null;
+  error: AuthError;
+}>;
+//#endregion
+//#region src/core/verify-auth.d.ts
+/**
+ * Options for {@link verifyAuth}.
+ */
+interface VerifyAuthOptions {
+  /**
+   * Auth mode(s) to try. Modes are attempted in order — the first match wins.
+   *
+   * @see {@link AllowWithKey} for the full syntax including named keys.
+   */
+  allow: AllowWithKey | AllowWithKey[];
+  /** Optional environment overrides (passed through to {@link resolveEnv}). */
+  env?: Partial<SupabaseEnv>;
+}
+/**
+ * Extracts credentials from a request and verifies them in a single step.
+ *
+ * This is a convenience function that combines {@link extractCredentials} and
+ * {@link verifyCredentials}. Use it when you want the full auth flow without
+ * needing to inspect the raw credentials.
+ *
+ * @param request - The incoming HTTP request.
+ * @param options - Auth modes to accept and optional environment overrides.
+ *
+ * @returns A result tuple: `{ data, error }`.
+ *   - On success: `{ data: AuthResult, error: null }`
+ *   - On failure: `{ data: null, error: AuthError }`
+ *
+ * @example
+ * ```ts
+ * import { verifyAuth } from '@supabase/server/core'
+ *
+ * const { data: auth, error } = await verifyAuth(request, {
+ *   allow: 'user',
+ * })
+ *
+ * if (error) {
+ *   return Response.json({ error: error.message }, { status: error.status })
+ * }
+ *
+ * console.log(auth.userClaims!.id) // "d0f1a2b3-..."
+ * ```
+ */
+declare function verifyAuth(request: Request, options: VerifyAuthOptions): Promise<{
+  data: AuthResult;
+  error: null;
+} | {
+  data: null;
+  error: AuthError;
+}>;
+//#endregion
+//#region src/core/create-context-client.d.ts
+/**
+ * Creates a Supabase client scoped to the caller's context.
+ *
+ * Configured with a publishable key and (optionally) the caller's JWT,
+ * so Row-Level Security policies apply. Session persistence is disabled
+ * (stateless, one client per request).
+ *
+ * @param token - The caller's JWT, or `null` for anonymous access.
+ * @param env - Optional environment overrides (passed through to {@link resolveEnv}).
+ * @param keyName - Name of the publishable key to use. Falls back to `"default"`, then first available.
+ * @returns A configured {@link SupabaseClient} with RLS enforced.
+ * @throws {@link EnvError} If `SUPABASE_URL` is missing or the specified publishable key is not found.
+ *
+ * @example
+ * ```ts
+ * const { data: auth } = await verifyAuth(request, { allow: 'user' })
+ * const supabase = createContextClient(auth.token)
+ * const { data } = await supabase.rpc('get_my_items')
+ * ```
+ */
+declare function createContextClient<Database = unknown>(token?: string | null, env?: Partial<SupabaseEnv>, keyName?: string | null): SupabaseClient<Database>;
+//#endregion
+//#region src/core/create-admin-client.d.ts
+/**
+ * Creates an admin Supabase client that bypasses Row-Level Security.
+ *
+ * Uses a secret key for authentication, giving full access to all data.
+ * Session persistence is disabled (stateless, one client per request).
+ *
+ * @param env - Optional environment overrides (passed through to {@link resolveEnv}).
+ * @param keyName - Name of the secret key to use. Falls back to `"default"`, then first available.
+ * @returns A configured {@link SupabaseClient} with admin (service-role) privileges.
+ * @throws {@link EnvError} If `SUPABASE_URL` is missing or the specified secret key is not found.
+ *
+ * @example
+ * ```ts
+ * const supabaseAdmin = createAdminClient()
+ * const { data } = await supabaseAdmin.from('audit_log').insert({ action: 'user_login' })
+ * ```
+ */
+declare function createAdminClient<Database = unknown>(env?: Partial<SupabaseEnv>, keyName?: string | null): SupabaseClient<Database>;
+//#endregion
 export { createAdminClient, createContextClient, extractCredentials, resolveEnv, verifyAuth, verifyCredentials };

package/dist/errors-5ivL23qo.d.mts

@@ -0,0 +1,78 @@
+//#region src/errors.d.ts
+/**
+ * Thrown when a required environment variable is missing or malformed.
+ *
+ * Has a fixed `status` of `500` since environment errors are server-side
+ * configuration issues, not client errors.
+ *
+ * @example
+ * ```ts
+ * import { EnvError } from '@supabase/server'
+ *
+ * try {
+ *   const client = createAdminClient()
+ * } catch (e) {
+ *   if (e instanceof EnvError) {
+ *     console.error(`Config issue [${e.code}]: ${e.message}`)
+ *     // → "Config issue [MISSING_SUPABASE_URL]: SUPABASE_URL is required but not set"
+ *   }
+ * }
+ * ```
+ */
+declare class EnvError extends Error {
+  /** Always `500` — environment errors are server-side issues. */
+  readonly status = 500;
+  /**
+   * Machine-readable error code.
+   *
+   * Known codes:
+   * - `"MISSING_SUPABASE_URL"` — `SUPABASE_URL` not set
+   * - `"MISSING_PUBLISHABLE_KEY"` — No publishable key found
+   * - `"MISSING_SECRET_KEY"` — No secret key found
+   * - `"ENV_ERROR"` — Generic environment error
+   */
+  readonly code: string;
+  constructor(message: string, code?: string);
+}
+/**
+ * Thrown when authentication or authorization fails.
+ *
+ * Carries an HTTP `status` code suitable for returning directly in a response
+ * (typically `401` for invalid credentials, `500` for server-side auth failures).
+ *
+ * @example
+ * ```ts
+ * import { AuthError, createSupabaseContext } from '@supabase/server'
+ *
+ * const { data: ctx, error } = await createSupabaseContext(request, { allow: 'user' })
+ * if (error) {
+ *   // error is an AuthError
+ *   return Response.json(
+ *     { error: error.message, code: error.code },
+ *     { status: error.status },
+ *   )
+ * }
+ * ```
+ */
+declare class AuthError extends Error {
+  /**
+   * HTTP status code.
+   *
+   * - `401` — Invalid or missing credentials
+   * - `500` — Server-side auth failure (e.g., missing JWKS, env misconfiguration)
+   */
+  readonly status: number;
+  /**
+   * Machine-readable error code.
+   *
+   * Known codes:
+   * - `"INVALID_CREDENTIALS"` — No credential matched any allowed auth mode
+   * - `"CLIENT_ERROR"` — Failed to create a Supabase client after auth succeeded
+   * - `"AUTH_ERROR"` — Generic authentication error
+   * - Any `EnvError` code (propagated when env resolution fails during auth)
+   */
+  readonly code: string;
+  constructor(message: string, code?: string, status?: number);
+}
+//#endregion
+export { EnvError as n, AuthError as t };

package/dist/errors-BmSsOAvx.d.cts

@@ -0,0 +1,78 @@
+//#region src/errors.d.ts
+/**
+ * Thrown when a required environment variable is missing or malformed.
+ *
+ * Has a fixed `status` of `500` since environment errors are server-side
+ * configuration issues, not client errors.
+ *
+ * @example
+ * ```ts
+ * import { EnvError } from '@supabase/server'
+ *
+ * try {
+ *   const client = createAdminClient()
+ * } catch (e) {
+ *   if (e instanceof EnvError) {
+ *     console.error(`Config issue [${e.code}]: ${e.message}`)
+ *     // → "Config issue [MISSING_SUPABASE_URL]: SUPABASE_URL is required but not set"
+ *   }
+ * }
+ * ```
+ */
+declare class EnvError extends Error {
+  /** Always `500` — environment errors are server-side issues. */
+  readonly status = 500;
+  /**
+   * Machine-readable error code.
+   *
+   * Known codes:
+   * - `"MISSING_SUPABASE_URL"` — `SUPABASE_URL` not set
+   * - `"MISSING_PUBLISHABLE_KEY"` — No publishable key found
+   * - `"MISSING_SECRET_KEY"` — No secret key found
+   * - `"ENV_ERROR"` — Generic environment error
+   */
+  readonly code: string;
+  constructor(message: string, code?: string);
+}
+/**
+ * Thrown when authentication or authorization fails.
+ *
+ * Carries an HTTP `status` code suitable for returning directly in a response
+ * (typically `401` for invalid credentials, `500` for server-side auth failures).
+ *
+ * @example
+ * ```ts
+ * import { AuthError, createSupabaseContext } from '@supabase/server'
+ *
+ * const { data: ctx, error } = await createSupabaseContext(request, { allow: 'user' })
+ * if (error) {
+ *   // error is an AuthError
+ *   return Response.json(
+ *     { error: error.message, code: error.code },
+ *     { status: error.status },
+ *   )
+ * }
+ * ```
+ */
+declare class AuthError extends Error {
+  /**
+   * HTTP status code.
+   *
+   * - `401` — Invalid or missing credentials
+   * - `500` — Server-side auth failure (e.g., missing JWKS, env misconfiguration)
+   */
+  readonly status: number;
+  /**
+   * Machine-readable error code.
+   *
+   * Known codes:
+   * - `"INVALID_CREDENTIALS"` — No credential matched any allowed auth mode
+   * - `"CLIENT_ERROR"` — Failed to create a Supabase client after auth succeeded
+   * - `"AUTH_ERROR"` — Generic authentication error
+   * - Any `EnvError` code (propagated when env resolution fails during auth)
+   */
+  readonly code: string;
+  constructor(message: string, code?: string, status?: number);
+}
+//#endregion
+export { EnvError as n, AuthError as t };

package/dist/index.cjs

@@ -85,11 +85,5 @@ function withSupabase(config, handler) {
 //#endregion
 exports.AuthError = require_verify_auth.AuthError;
 exports.EnvError = require_verify_auth.EnvError;
-exports.createAdminClient = require_verify_auth.createAdminClient;
-exports.createContextClient = require_verify_auth.createContextClient;
 exports.createSupabaseContext = require_create_supabase_context.createSupabaseContext;
-exports.extractCredentials = require_verify_auth.extractCredentials;
-exports.resolveEnv = require_verify_auth.resolveEnv;
-exports.verifyAuth = require_verify_auth.verifyAuth;
-exports.verifyCredentials = require_verify_auth.verifyCredentials;
 exports.withSupabase = withSupabase;

package/dist/index.d.cts

@@ -1,5 +1,5 @@
 import { a as JWTClaims, c as UserClaims, i as Credentials, l as WithSupabaseConfig, n as AllowWithKey, o as SupabaseContext, r as AuthResult, s as SupabaseEnv, t as Allow } from "./types-CnKoFCMX.cjs";
-import { a as extractCredentials, c as EnvError, i as verifyCredentials, n as createContextClient, o as resolveEnv, r as verifyAuth, s as AuthError, t as createAdminClient } from "./create-admin-client-Cp7FxI6O.cjs";
+import { n as EnvError, t as AuthError } from "./errors-BmSsOAvx.cjs";
 
 //#region src/with-supabase.d.ts
 /**
@@ -56,4 +56,4 @@ declare function createSupabaseContext<Database = unknown>(request: Request, opt
   error: AuthError;
 }>;
 //#endregion
-export { type Allow, type AllowWithKey, AuthError, type AuthResult, type Credentials, EnvError, type JWTClaims, type SupabaseContext, type SupabaseEnv, type UserClaims, type WithSupabaseConfig, createAdminClient, createContextClient, createSupabaseContext, extractCredentials, resolveEnv, verifyAuth, verifyCredentials, withSupabase };
+export { type Allow, type AllowWithKey, AuthError, type AuthResult, type Credentials, EnvError, type JWTClaims, type SupabaseContext, type SupabaseEnv, type UserClaims, type WithSupabaseConfig, createSupabaseContext, withSupabase };

package/dist/index.d.mts

@@ -1,5 +1,5 @@
 import { a as JWTClaims, c as UserClaims, i as Credentials, l as WithSupabaseConfig, n as AllowWithKey, o as SupabaseContext, r as AuthResult, s as SupabaseEnv, t as Allow } from "./types-ClmJ8pi8.mjs";
-import { a as extractCredentials, c as EnvError, i as verifyCredentials, n as createContextClient, o as resolveEnv, r as verifyAuth, s as AuthError, t as createAdminClient } from "./create-admin-client-ZTnl1zMe.mjs";
+import { n as EnvError, t as AuthError } from "./errors-5ivL23qo.mjs";
 
 //#region src/with-supabase.d.ts
 /**
@@ -56,4 +56,4 @@ declare function createSupabaseContext<Database = unknown>(request: Request, opt
   error: AuthError;
 }>;
 //#endregion
-export { type Allow, type AllowWithKey, AuthError, type AuthResult, type Credentials, EnvError, type JWTClaims, type SupabaseContext, type SupabaseEnv, type UserClaims, type WithSupabaseConfig, createAdminClient, createContextClient, createSupabaseContext, extractCredentials, resolveEnv, verifyAuth, verifyCredentials, withSupabase };
+export { type Allow, type AllowWithKey, AuthError, type AuthResult, type Credentials, EnvError, type JWTClaims, type SupabaseContext, type SupabaseEnv, type UserClaims, type WithSupabaseConfig, createSupabaseContext, withSupabase };

package/dist/index.mjs

@@ -1,4 +1,4 @@
-import { a as createAdminClient, c as EnvError, i as createContextClient, n as verifyCredentials, o as resolveEnv, r as extractCredentials, s as AuthError, t as verifyAuth } from "./verify-auth-2S7zFfR-.mjs";
+import { c as EnvError, s as AuthError } from "./verify-auth-2S7zFfR-.mjs";
 import { t as createSupabaseContext } from "./create-supabase-context-CmWaH3s6.mjs";
 import { corsHeaders } from "@supabase/supabase-js/cors";
 
@@ -82,4 +82,4 @@ function withSupabase(config, handler) {
 }
 
 //#endregion
-export { AuthError, EnvError, createAdminClient, createContextClient, createSupabaseContext, extractCredentials, resolveEnv, verifyAuth, verifyCredentials, withSupabase };
+export { AuthError, EnvError, createSupabaseContext, withSupabase };

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@supabase/server",
-  "version": "0.1.1-rc.25",
+  "version": "0.1.1-rc.26",
   "description": "Server-side utilities for Supabase. Handles auth, client creation, and context injection so you write business logic, not boilerplate.",
   "keywords": [
     "edge",

package/dist/create-admin-client-Cp7FxI6O.d.cts

@@ -1,271 +0,0 @@
-import { i as Credentials, n as AllowWithKey, r as AuthResult, s as SupabaseEnv } from "./types-CnKoFCMX.cjs";
-import { SupabaseClient } from "@supabase/supabase-js";
-
-//#region src/errors.d.ts
-/**
- * Thrown when a required environment variable is missing or malformed.
- *
- * Has a fixed `status` of `500` since environment errors are server-side
- * configuration issues, not client errors.
- *
- * @example
- * ```ts
- * import { EnvError } from '@supabase/server'
- *
- * try {
- *   const client = createAdminClient()
- * } catch (e) {
- *   if (e instanceof EnvError) {
- *     console.error(`Config issue [${e.code}]: ${e.message}`)
- *     // → "Config issue [MISSING_SUPABASE_URL]: SUPABASE_URL is required but not set"
- *   }
- * }
- * ```
- */
-declare class EnvError extends Error {
-  /** Always `500` — environment errors are server-side issues. */
-  readonly status = 500;
-  /**
-   * Machine-readable error code.
-   *
-   * Known codes:
-   * - `"MISSING_SUPABASE_URL"` — `SUPABASE_URL` not set
-   * - `"MISSING_PUBLISHABLE_KEY"` — No publishable key found
-   * - `"MISSING_SECRET_KEY"` — No secret key found
-   * - `"ENV_ERROR"` — Generic environment error
-   */
-  readonly code: string;
-  constructor(message: string, code?: string);
-}
-/**
- * Thrown when authentication or authorization fails.
- *
- * Carries an HTTP `status` code suitable for returning directly in a response
- * (typically `401` for invalid credentials, `500` for server-side auth failures).
- *
- * @example
- * ```ts
- * import { AuthError, createSupabaseContext } from '@supabase/server'
- *
- * const { data: ctx, error } = await createSupabaseContext(request, { allow: 'user' })
- * if (error) {
- *   // error is an AuthError
- *   return Response.json(
- *     { error: error.message, code: error.code },
- *     { status: error.status },
- *   )
- * }
- * ```
- */
-declare class AuthError extends Error {
-  /**
-   * HTTP status code.
-   *
-   * - `401` — Invalid or missing credentials
-   * - `500` — Server-side auth failure (e.g., missing JWKS, env misconfiguration)
-   */
-  readonly status: number;
-  /**
-   * Machine-readable error code.
-   *
-   * Known codes:
-   * - `"INVALID_CREDENTIALS"` — No credential matched any allowed auth mode
-   * - `"CLIENT_ERROR"` — Failed to create a Supabase client after auth succeeded
-   * - `"AUTH_ERROR"` — Generic authentication error
-   * - Any `EnvError` code (propagated when env resolution fails during auth)
-   */
-  readonly code: string;
-  constructor(message: string, code?: string, status?: number);
-}
-//#endregion
-//#region src/core/resolve-env.d.ts
-/**
- * Resolves Supabase environment configuration from runtime environment variables.
- *
- * Reads `SUPABASE_URL`, keys (`SUPABASE_PUBLISHABLE_KEYS` / `SUPABASE_SECRET_KEYS`),
- * and `SUPABASE_JWKS`. Works across Deno, Node.js, and Bun. For Cloudflare Workers,
- * use `overrides` or enable node-compat.
- *
- * @param overrides - Partial values that take precedence over env vars.
- * @returns `{ data: SupabaseEnv, error: null }` on success, `{ data: null, error: EnvError }` on failure.
- *
- * @example
- * ```ts
- * const { data: env, error } = resolveEnv()
- * if (error) throw error
- *
- * // Override for tests
- * const { data: env } = resolveEnv({ url: 'http://localhost:54321' })
- * ```
- */
-declare function resolveEnv(overrides?: Partial<SupabaseEnv>): {
-  data: SupabaseEnv;
-  error: null;
-} | {
-  data: null;
-  error: EnvError;
-};
-//#endregion
-//#region src/core/extract-credentials.d.ts
-/**
- * Extracts authentication credentials from an incoming HTTP request.
- *
- * Reads two headers:
- * - `Authorization: Bearer <token>` → extracted as `token`
- * - `apikey: <key>` → extracted as `apikey`
- *
- * This is a pure extraction step — no validation or verification is performed.
- * Pass the result to {@link verifyCredentials} to validate against allowed auth modes.
- *
- * @param request - The incoming HTTP request.
- * @returns The extracted {@link Credentials}. Fields are `null` when the corresponding header is absent.
- *
- * @example
- * ```ts
- * import { extractCredentials } from '@supabase/server/core'
- *
- * const creds = extractCredentials(request)
- * console.log(creds.token)  // "eyJhbGci..." or null
- * console.log(creds.apikey) // "sb-abc123-publishable-..." or null
- * ```
- */
-declare function extractCredentials(request: Request): Credentials;
-//#endregion
-//#region src/core/verify-credentials.d.ts
-/**
- * Options for {@link verifyCredentials}.
- */
-interface VerifyCredentialsOptions {
-  /**
-   * Auth mode(s) to try. Modes are attempted in order — the first match wins.
-   *
-   * @see {@link AllowWithKey} for the full syntax including named keys.
-   */
-  allow: AllowWithKey | AllowWithKey[];
-  /** Optional environment overrides (passed through to {@link resolveEnv}). */
-  env?: Partial<SupabaseEnv>;
-}
-/**
- * Verifies pre-extracted credentials against one or more allowed auth modes.
- *
- * Tries each mode in order — first match wins. Use {@link verifyAuth} to extract
- * and verify in a single call.
- *
- * @param credentials - The credentials to verify (from {@link extractCredentials}).
- * @param options - Allowed auth modes and optional env overrides.
- * @returns `{ data: AuthResult, error: null }` on success, `{ data: null, error: AuthError }` on failure.
- *
- * @example
- * ```ts
- * const credentials = extractCredentials(request)
- * const { data: auth, error } = await verifyCredentials(credentials, {
- *   allow: ['user', 'public'],
- * })
- * if (error) {
- *   return Response.json({ error: error.message }, { status: error.status })
- * }
- * ```
- */
-declare function verifyCredentials(credentials: Credentials, options: VerifyCredentialsOptions): Promise<{
-  data: AuthResult;
-  error: null;
-} | {
-  data: null;
-  error: AuthError;
-}>;
-//#endregion
-//#region src/core/verify-auth.d.ts
-/**
- * Options for {@link verifyAuth}.
- */
-interface VerifyAuthOptions {
-  /**
-   * Auth mode(s) to try. Modes are attempted in order — the first match wins.
-   *
-   * @see {@link AllowWithKey} for the full syntax including named keys.
-   */
-  allow: AllowWithKey | AllowWithKey[];
-  /** Optional environment overrides (passed through to {@link resolveEnv}). */
-  env?: Partial<SupabaseEnv>;
-}
-/**
- * Extracts credentials from a request and verifies them in a single step.
- *
- * This is a convenience function that combines {@link extractCredentials} and
- * {@link verifyCredentials}. Use it when you want the full auth flow without
- * needing to inspect the raw credentials.
- *
- * @param request - The incoming HTTP request.
- * @param options - Auth modes to accept and optional environment overrides.
- *
- * @returns A result tuple: `{ data, error }`.
- *   - On success: `{ data: AuthResult, error: null }`
- *   - On failure: `{ data: null, error: AuthError }`
- *
- * @example
- * ```ts
- * import { verifyAuth } from '@supabase/server/core'
- *
- * const { data: auth, error } = await verifyAuth(request, {
- *   allow: 'user',
- * })
- *
- * if (error) {
- *   return Response.json({ error: error.message }, { status: error.status })
- * }
- *
- * console.log(auth.userClaims!.id) // "d0f1a2b3-..."
- * ```
- */
-declare function verifyAuth(request: Request, options: VerifyAuthOptions): Promise<{
-  data: AuthResult;
-  error: null;
-} | {
-  data: null;
-  error: AuthError;
-}>;
-//#endregion
-//#region src/core/create-context-client.d.ts
-/**
- * Creates a Supabase client scoped to the caller's context.
- *
- * Configured with a publishable key and (optionally) the caller's JWT,
- * so Row-Level Security policies apply. Session persistence is disabled
- * (stateless, one client per request).
- *
- * @param token - The caller's JWT, or `null` for anonymous access.
- * @param env - Optional environment overrides (passed through to {@link resolveEnv}).
- * @param keyName - Name of the publishable key to use. Falls back to `"default"`, then first available.
- * @returns A configured {@link SupabaseClient} with RLS enforced.
- * @throws {@link EnvError} If `SUPABASE_URL` is missing or the specified publishable key is not found.
- *
- * @example
- * ```ts
- * const { data: auth } = await verifyAuth(request, { allow: 'user' })
- * const supabase = createContextClient(auth.token)
- * const { data } = await supabase.rpc('get_my_items')
- * ```
- */
-declare function createContextClient<Database = unknown>(token?: string | null, env?: Partial<SupabaseEnv>, keyName?: string | null): SupabaseClient<Database>;
-//#endregion
-//#region src/core/create-admin-client.d.ts
-/**
- * Creates an admin Supabase client that bypasses Row-Level Security.
- *
- * Uses a secret key for authentication, giving full access to all data.
- * Session persistence is disabled (stateless, one client per request).
- *
- * @param env - Optional environment overrides (passed through to {@link resolveEnv}).
- * @param keyName - Name of the secret key to use. Falls back to `"default"`, then first available.
- * @returns A configured {@link SupabaseClient} with admin (service-role) privileges.
- * @throws {@link EnvError} If `SUPABASE_URL` is missing or the specified secret key is not found.
- *
- * @example
- * ```ts
- * const supabaseAdmin = createAdminClient()
- * const { data } = await supabaseAdmin.from('audit_log').insert({ action: 'user_login' })
- * ```
- */
-declare function createAdminClient<Database = unknown>(env?: Partial<SupabaseEnv>, keyName?: string | null): SupabaseClient<Database>;
-//#endregion
-export { extractCredentials as a, EnvError as c, verifyCredentials as i, createContextClient as n, resolveEnv as o, verifyAuth as r, AuthError as s, createAdminClient as t };

package/dist/create-admin-client-ZTnl1zMe.d.mts

@@ -1,271 +0,0 @@
-import { i as Credentials, n as AllowWithKey, r as AuthResult, s as SupabaseEnv } from "./types-ClmJ8pi8.mjs";
-import { SupabaseClient } from "@supabase/supabase-js";
-
-//#region src/errors.d.ts
-/**
- * Thrown when a required environment variable is missing or malformed.
- *
- * Has a fixed `status` of `500` since environment errors are server-side
- * configuration issues, not client errors.
- *
- * @example
- * ```ts
- * import { EnvError } from '@supabase/server'
- *
- * try {
- *   const client = createAdminClient()
- * } catch (e) {
- *   if (e instanceof EnvError) {
- *     console.error(`Config issue [${e.code}]: ${e.message}`)
- *     // → "Config issue [MISSING_SUPABASE_URL]: SUPABASE_URL is required but not set"
- *   }
- * }
- * ```
- */
-declare class EnvError extends Error {
-  /** Always `500` — environment errors are server-side issues. */
-  readonly status = 500;
-  /**
-   * Machine-readable error code.
-   *
-   * Known codes:
-   * - `"MISSING_SUPABASE_URL"` — `SUPABASE_URL` not set
-   * - `"MISSING_PUBLISHABLE_KEY"` — No publishable key found
-   * - `"MISSING_SECRET_KEY"` — No secret key found
-   * - `"ENV_ERROR"` — Generic environment error
-   */
-  readonly code: string;
-  constructor(message: string, code?: string);
-}
-/**
- * Thrown when authentication or authorization fails.
- *
- * Carries an HTTP `status` code suitable for returning directly in a response
- * (typically `401` for invalid credentials, `500` for server-side auth failures).
- *
- * @example
- * ```ts
- * import { AuthError, createSupabaseContext } from '@supabase/server'
- *
- * const { data: ctx, error } = await createSupabaseContext(request, { allow: 'user' })
- * if (error) {
- *   // error is an AuthError
- *   return Response.json(
- *     { error: error.message, code: error.code },
- *     { status: error.status },
- *   )
- * }
- * ```
- */
-declare class AuthError extends Error {
-  /**
-   * HTTP status code.
-   *
-   * - `401` — Invalid or missing credentials
-   * - `500` — Server-side auth failure (e.g., missing JWKS, env misconfiguration)
-   */
-  readonly status: number;
-  /**
-   * Machine-readable error code.
-   *
-   * Known codes:
-   * - `"INVALID_CREDENTIALS"` — No credential matched any allowed auth mode
-   * - `"CLIENT_ERROR"` — Failed to create a Supabase client after auth succeeded
-   * - `"AUTH_ERROR"` — Generic authentication error
-   * - Any `EnvError` code (propagated when env resolution fails during auth)
-   */
-  readonly code: string;
-  constructor(message: string, code?: string, status?: number);
-}
-//#endregion
-//#region src/core/resolve-env.d.ts
-/**
- * Resolves Supabase environment configuration from runtime environment variables.
- *
- * Reads `SUPABASE_URL`, keys (`SUPABASE_PUBLISHABLE_KEYS` / `SUPABASE_SECRET_KEYS`),
- * and `SUPABASE_JWKS`. Works across Deno, Node.js, and Bun. For Cloudflare Workers,
- * use `overrides` or enable node-compat.
- *
- * @param overrides - Partial values that take precedence over env vars.
- * @returns `{ data: SupabaseEnv, error: null }` on success, `{ data: null, error: EnvError }` on failure.
- *
- * @example
- * ```ts
- * const { data: env, error } = resolveEnv()
- * if (error) throw error
- *
- * // Override for tests
- * const { data: env } = resolveEnv({ url: 'http://localhost:54321' })
- * ```
- */
-declare function resolveEnv(overrides?: Partial<SupabaseEnv>): {
-  data: SupabaseEnv;
-  error: null;
-} | {
-  data: null;
-  error: EnvError;
-};
-//#endregion
-//#region src/core/extract-credentials.d.ts
-/**
- * Extracts authentication credentials from an incoming HTTP request.
- *
- * Reads two headers:
- * - `Authorization: Bearer <token>` → extracted as `token`
- * - `apikey: <key>` → extracted as `apikey`
- *
- * This is a pure extraction step — no validation or verification is performed.
- * Pass the result to {@link verifyCredentials} to validate against allowed auth modes.
- *
- * @param request - The incoming HTTP request.
- * @returns The extracted {@link Credentials}. Fields are `null` when the corresponding header is absent.
- *
- * @example
- * ```ts
- * import { extractCredentials } from '@supabase/server/core'
- *
- * const creds = extractCredentials(request)
- * console.log(creds.token)  // "eyJhbGci..." or null
- * console.log(creds.apikey) // "sb-abc123-publishable-..." or null
- * ```
- */
-declare function extractCredentials(request: Request): Credentials;
-//#endregion
-//#region src/core/verify-credentials.d.ts
-/**
- * Options for {@link verifyCredentials}.
- */
-interface VerifyCredentialsOptions {
-  /**
-   * Auth mode(s) to try. Modes are attempted in order — the first match wins.
-   *
-   * @see {@link AllowWithKey} for the full syntax including named keys.
-   */
-  allow: AllowWithKey | AllowWithKey[];
-  /** Optional environment overrides (passed through to {@link resolveEnv}). */
-  env?: Partial<SupabaseEnv>;
-}
-/**
- * Verifies pre-extracted credentials against one or more allowed auth modes.
- *
- * Tries each mode in order — first match wins. Use {@link verifyAuth} to extract
- * and verify in a single call.
- *
- * @param credentials - The credentials to verify (from {@link extractCredentials}).
- * @param options - Allowed auth modes and optional env overrides.
- * @returns `{ data: AuthResult, error: null }` on success, `{ data: null, error: AuthError }` on failure.
- *
- * @example
- * ```ts
- * const credentials = extractCredentials(request)
- * const { data: auth, error } = await verifyCredentials(credentials, {
- *   allow: ['user', 'public'],
- * })
- * if (error) {
- *   return Response.json({ error: error.message }, { status: error.status })
- * }
- * ```
- */
-declare function verifyCredentials(credentials: Credentials, options: VerifyCredentialsOptions): Promise<{
-  data: AuthResult;
-  error: null;
-} | {
-  data: null;
-  error: AuthError;
-}>;
-//#endregion
-//#region src/core/verify-auth.d.ts
-/**
- * Options for {@link verifyAuth}.
- */
-interface VerifyAuthOptions {
-  /**
-   * Auth mode(s) to try. Modes are attempted in order — the first match wins.
-   *
-   * @see {@link AllowWithKey} for the full syntax including named keys.
-   */
-  allow: AllowWithKey | AllowWithKey[];
-  /** Optional environment overrides (passed through to {@link resolveEnv}). */
-  env?: Partial<SupabaseEnv>;
-}
-/**
- * Extracts credentials from a request and verifies them in a single step.
- *
- * This is a convenience function that combines {@link extractCredentials} and
- * {@link verifyCredentials}. Use it when you want the full auth flow without
- * needing to inspect the raw credentials.
- *
- * @param request - The incoming HTTP request.
- * @param options - Auth modes to accept and optional environment overrides.
- *
- * @returns A result tuple: `{ data, error }`.
- *   - On success: `{ data: AuthResult, error: null }`
- *   - On failure: `{ data: null, error: AuthError }`
- *
- * @example
- * ```ts
- * import { verifyAuth } from '@supabase/server/core'
- *
- * const { data: auth, error } = await verifyAuth(request, {
- *   allow: 'user',
- * })
- *
- * if (error) {
- *   return Response.json({ error: error.message }, { status: error.status })
- * }
- *
- * console.log(auth.userClaims!.id) // "d0f1a2b3-..."
- * ```
- */
-declare function verifyAuth(request: Request, options: VerifyAuthOptions): Promise<{
-  data: AuthResult;
-  error: null;
-} | {
-  data: null;
-  error: AuthError;
-}>;
-//#endregion
-//#region src/core/create-context-client.d.ts
-/**
- * Creates a Supabase client scoped to the caller's context.
- *
- * Configured with a publishable key and (optionally) the caller's JWT,
- * so Row-Level Security policies apply. Session persistence is disabled
- * (stateless, one client per request).
- *
- * @param token - The caller's JWT, or `null` for anonymous access.
- * @param env - Optional environment overrides (passed through to {@link resolveEnv}).
- * @param keyName - Name of the publishable key to use. Falls back to `"default"`, then first available.
- * @returns A configured {@link SupabaseClient} with RLS enforced.
- * @throws {@link EnvError} If `SUPABASE_URL` is missing or the specified publishable key is not found.
- *
- * @example
- * ```ts
- * const { data: auth } = await verifyAuth(request, { allow: 'user' })
- * const supabase = createContextClient(auth.token)
- * const { data } = await supabase.rpc('get_my_items')
- * ```
- */
-declare function createContextClient<Database = unknown>(token?: string | null, env?: Partial<SupabaseEnv>, keyName?: string | null): SupabaseClient<Database>;
-//#endregion
-//#region src/core/create-admin-client.d.ts
-/**
- * Creates an admin Supabase client that bypasses Row-Level Security.
- *
- * Uses a secret key for authentication, giving full access to all data.
- * Session persistence is disabled (stateless, one client per request).
- *
- * @param env - Optional environment overrides (passed through to {@link resolveEnv}).
- * @param keyName - Name of the secret key to use. Falls back to `"default"`, then first available.
- * @returns A configured {@link SupabaseClient} with admin (service-role) privileges.
- * @throws {@link EnvError} If `SUPABASE_URL` is missing or the specified secret key is not found.
- *
- * @example
- * ```ts
- * const supabaseAdmin = createAdminClient()
- * const { data } = await supabaseAdmin.from('audit_log').insert({ action: 'user_login' })
- * ```
- */
-declare function createAdminClient<Database = unknown>(env?: Partial<SupabaseEnv>, keyName?: string | null): SupabaseClient<Database>;
-//#endregion
-export { extractCredentials as a, EnvError as c, verifyCredentials as i, createContextClient as n, resolveEnv as o, verifyAuth as r, AuthError as s, createAdminClient as t };