dexie-cloud-addon 4.4.3 → 4.4.4

package/dist/modern/DexieCloudAPI.d.ts

@@ -32,6 +32,19 @@ export interface LoginHints {
     oauthCode?: string;
     /** Optional redirect path (relative or absolute) to use for OAuth redirect URI. */
     redirectPath?: string;
+    /**
+     * Optional login intent hint.
+     *
+     * - `"login"`:    Only existing users are accepted. Unknown users always get
+     *                 USER_NOT_REGISTERED regardless of the database user policy.
+     * - `"register"`: New-user registration is intended. Unknown users that would
+     *                 normally get USER_NOT_REGISTERED will instead get
+     *                 USER_NOT_ACCEPTED (i.e. the policy blocked them, not the
+     *                 fact that registration isn't supported here).
+     * - `undefined`:  Default behaviour — the server returns whatever code the
+     *                 user policy dictates.
+     */
+    intent?: 'login' | 'register';
 }
 export interface DexieCloudAPI {
     version: string;

package/dist/modern/authentication/exchangeOAuthCode.d.ts

@@ -9,6 +9,8 @@ export interface ExchangeOAuthCodeOptions {
     publicKey: string;
     /** Requested scopes (defaults to ['ACCESS_DB']) */
     scopes?: string[];
+    /** Optional login intent — see LoginHints.intent for semantics. */
+    intent?: 'login' | 'register';
 }
 /**
  * Exchanges a Dexie Cloud authorization code for access and refresh tokens.

package/dist/modern/authentication/interactWithUser.d.ts

@@ -17,7 +17,7 @@ export declare function interactWithUser<T extends DXCUserInteractionRequest>(us
     [P in keyof T['fields']]: string;
 }>;
 export declare function alertUser(userInteraction: BehaviorSubject<DXCUserInteraction | undefined>, title: string, ...alerts: DXCAlert[]): Promise<{}>;
-export declare function promptForEmail(userInteraction: BehaviorSubject<DXCUserInteraction | undefined>, title: string, emailHint?: string): Promise<string>;
+export declare function promptForEmail(userInteraction: BehaviorSubject<DXCUserInteraction | undefined>, title: string, emailHint?: string, initialAlert?: DXCAlert): Promise<string>;
 export declare function promptForOTP(userInteraction: BehaviorSubject<DXCUserInteraction | undefined>, email: string, alert?: DXCAlert): Promise<string>;
 export declare function confirmLogout(userInteraction: BehaviorSubject<DXCUserInteraction | undefined>, currentUserId: string, numUnsyncedChanges: number): Promise<boolean>;
 /** Result from provider selection prompt */

package/dist/modern/dexie-cloud-addon.js

@@ -8,7 +8,7 @@
  *
  * ==========================================================================
  *
- * Version 4.4.3, Sat Mar 21 2026
+ * Version 4.4.4, Wed Mar 25 2026
  *
  * https://dexie.org
  *
@@ -1858,9 +1858,10 @@ function alertUser(userInteraction, title, ...alerts) {
         cancelLabel: null,
     });
 }
-function promptForEmail(userInteraction, title, emailHint) {
+function promptForEmail(userInteraction, title, emailHint, initialAlert) {
     return __awaiter(this, void 0, void 0, function* () {
         let email = emailHint || '';
+        let firstPrompt = true;
         // Regular expression for email validation
         // ^[\w-+.]+@([\w-]+\.)+[\w-]{2,10}(\sas\s[\w-+.]+@([\w-]+\.)+[\w-]{2,10})?$
         //
@@ -1883,19 +1884,21 @@ function promptForEmail(userInteraction, title, emailHint) {
         // and GLOBAL_WRITE permissions on the database. The email will be checked on the server before
         // allowing it and giving out a token for email2, using the OTP sent to email1.
         while (!email || !/^[\w-+.]+@([\w-]+\.)+[\w-]{2,10}(\sas\s[\w-+.]+@([\w-]+\.)+[\w-]{2,10})?$/.test(email)) {
+            const alerts = [];
+            if (firstPrompt && initialAlert)
+                alerts.push(initialAlert);
+            if (email)
+                alerts.push({
+                    type: 'error',
+                    messageCode: 'INVALID_EMAIL',
+                    message: 'Please enter a valid email address',
+                    messageParams: {},
+                });
+            firstPrompt = false;
             email = (yield interactWithUser(userInteraction, {
                 type: 'email',
                 title,
-                alerts: email
-                    ? [
-                        {
-                            type: 'error',
-                            messageCode: 'INVALID_EMAIL',
-                            message: 'Please enter a valid email address',
-                            messageParams: {},
-                        },
-                    ]
-                    : [],
+                alerts,
                 fields: {
                     email: {
                         type: 'email',
@@ -2038,6 +2041,29 @@ class OAuthRedirectError extends Error {
     }
 }
 
+/** Thrown when the server rejects a user due to a policy rule.
+ *
+ * Unlike a generic 403, this error carries a machine-readable `code` so that
+ * the addon can convert it into a DXCUserInteraction challenge rather than
+ * simply throwing.
+ */
+class PolicyRejectionError extends Error {
+    constructor(body) {
+        super(body.message);
+        this.code = body.code;
+    }
+    get name() {
+        return 'PolicyRejectionError';
+    }
+}
+/** Returns true when a plain fetch Response contains a structured PolicyError body. */
+function isPolicyErrorBody(value) {
+    return (typeof value === 'object' &&
+        value !== null &&
+        typeof value.code === 'string' &&
+        typeof value.message === 'string');
+}
+
 const SECONDS = 1000;
 const MINUTES = 60 * SECONDS;
 
@@ -2212,6 +2238,10 @@ function userAuthenticate(context, fetchToken, userInteraction, hints) {
             if (error instanceof OAuthRedirectError || (error === null || error === void 0 ? void 0 : error.name) === 'OAuthRedirectError') {
                 throw error; // Re-throw without logging
             }
+            // Policy rejections have already been shown to the user as a challenge
+            if (error instanceof PolicyRejectionError || (error === null || error === void 0 ? void 0 : error.name) === 'PolicyRejectionError') {
+                throw error;
+            }
             if (error instanceof TokenErrorResponseError) {
                 yield alertUser(userInteraction, error.title, {
                     type: 'error',
@@ -2410,13 +2440,8 @@ class OAuthError extends Error {
  */
 function exchangeOAuthCode(options) {
     return __awaiter(this, void 0, void 0, function* () {
-        const { databaseUrl, code, publicKey, scopes = ['ACCESS_DB'] } = options;
-        const tokenRequest = {
-            grant_type: 'authorization_code',
-            code,
-            public_key: publicKey,
-            scopes,
-        };
+        const { databaseUrl, code, publicKey, scopes = ['ACCESS_DB'], intent } = options;
+        const tokenRequest = Object.assign({ grant_type: 'authorization_code', code, public_key: publicKey, scopes }, (intent !== undefined ? { intent } : {}));
         try {
             const res = yield fetch(`${databaseUrl}/token`, {
                 method: 'POST',
@@ -2427,6 +2452,20 @@ function exchangeOAuthCode(options) {
             if (!res.ok) {
                 // Read body once as text to avoid stream consumption issues
                 const bodyText = yield res.text().catch(() => res.statusText);
+                // Check for structured policy rejection (403 with JSON body)
+                if (res.status === 403) {
+                    try {
+                        const body = JSON.parse(bodyText);
+                        if (isPolicyErrorBody(body)) {
+                            throw new PolicyRejectionError(body);
+                        }
+                    }
+                    catch (e) {
+                        if (e instanceof PolicyRejectionError)
+                            throw e;
+                        // Fall through to generic error
+                    }
+                }
                 if (res.status === 400 || res.status === 401) {
                     // Try to parse error response as JSON
                     try {
@@ -2562,32 +2601,59 @@ function startOAuthRedirect(options) {
 
 function otpFetchTokenCallback(db) {
     const { userInteraction } = db.cloud;
-    return function otpAuthenticate(_a) {
-        return __awaiter(this, arguments, void 0, function* ({ public_key, hints }) {
+    /**
+     * Core authentication function.
+     *
+     * @param public_key - RSA public key PEM for the session
+     * @param hints      - Optional login hints from the caller
+     * @param policyAlert - When set, a previous attempt was rejected by a server
+     *                      policy rule. The alert is injected into the first
+     *                      interactive prompt so the user sees why they were
+     *                      rejected without changing any other flow logic.
+     */
+    function otpAuthenticate(_a, policyAlert_1) {
+        return __awaiter(this, arguments, void 0, function* ({ public_key, hints }, policyAlert) {
             var _b, _c;
             let tokenRequest;
             const url = (_b = db.cloud.options) === null || _b === void 0 ? void 0 : _b.databaseUrl;
             if (!url)
                 throw new Error(`No database URL given.`);
+            const intent = hints === null || hints === void 0 ? void 0 : hints.intent;
+            // ── Non-interactive paths ──────────────────────────────────────────────
+            // These paths POST directly without prompting the user. If a policyAlert
+            // exists (from a previous rejected attempt), show it with a message-alert
+            // before proceeding so the user understands what happened.
             // Handle OAuth code exchange (from redirect/deep link flows)
             if ((hints === null || hints === void 0 ? void 0 : hints.oauthCode) && hints.provider) {
-                return yield exchangeOAuthCode({
-                    databaseUrl: url,
-                    code: hints.oauthCode,
-                    publicKey: public_key,
-                    scopes: ['ACCESS_DB'],
-                });
+                try {
+                    return yield exchangeOAuthCode({
+                        databaseUrl: url,
+                        code: hints.oauthCode,
+                        publicKey: public_key,
+                        scopes: ['ACCESS_DB'],
+                        intent,
+                    });
+                }
+                catch (err) {
+                    if (err instanceof PolicyRejectionError) {
+                        return yield otpAuthenticate({ public_key, hints: undefined }, toPolicyAlert(err));
+                    }
+                    throw err;
+                }
             }
-            // Handle OAuth provider login via redirect
+            // Handle OAuth provider login via redirect (programmatic, no interaction)
             if (hints === null || hints === void 0 ? void 0 : hints.provider) {
+                if (policyAlert) {
+                    // A previous OAuth attempt was rejected. Fall through to the
+                    // interactive flow — policyAlert will be shown inside the prompt.
+                    return yield otpAuthenticate({ public_key, hints: undefined }, policyAlert);
+                }
                 let resolvedRedirectUri = undefined;
                 if (hints.redirectPath) {
-                    // If redirectPath is absolute, use as is. If relative, resolve against current location
                     if (/^https?:\/\//i.test(hints.redirectPath)) {
                         resolvedRedirectUri = hints.redirectPath;
                     }
                     else if (typeof window !== 'undefined' && window.location) {
-                        // Use URL constructor to resolve relative path
                         resolvedRedirectUri = new URL(hints.redirectPath, window.location.href).toString();
                     }
                     else if (typeof location !== 'undefined' && location.href) {
@@ -2595,23 +2661,27 @@ function otpFetchTokenCallback(db) {
                     }
                 }
                 initiateOAuthRedirect(db, hints.provider, resolvedRedirectUri);
-                // This function never returns - page navigates away
                 throw new OAuthRedirectError(hints.provider);
             }
+            // ── Interactive paths ──────────────────────────────────────────────────
+            // policyAlert (if set) is injected into the first prompt so the user sees
+            // it alongside the normal auth UI — no separate error screen needed.
             if ((hints === null || hints === void 0 ? void 0 : hints.grant_type) === 'demo') {
-                const demo_user = yield promptForEmail(userInteraction, 'Enter a demo user email', (hints === null || hints === void 0 ? void 0 : hints.email) || (hints === null || hints === void 0 ? void 0 : hints.userId));
+                const demo_user = yield promptForEmail(userInteraction, 'Enter a demo user email', (hints === null || hints === void 0 ? void 0 : hints.email) || (hints === null || hints === void 0 ? void 0 : hints.userId), policyAlert);
                 tokenRequest = {
                     demo_user,
                     grant_type: 'demo',
                     scopes: ['ACCESS_DB'],
-                    public_key
+                    public_key,
                 };
             }
             else if ((hints === null || hints === void 0 ? void 0 : hints.otpId) && hints.otp) {
-                // User provided OTP ID and OTP code. This means that the OTP email
-                // has already gone out and the user may have clicked a magic link
-                // in the email with otp and otpId in query and the app has picked
-                // up those values and passed them to db.cloud.login().
+                // Magic-link flow: OTP already supplied by the caller (e.g. from email).
+                // No interaction — show alert as a plain message if there is one.
+                if (policyAlert) {
+                    yield alertUser(userInteraction, 'Access Denied', policyAlert);
+                    return yield otpAuthenticate({ public_key, hints: undefined }, policyAlert);
+                }
                 tokenRequest = {
                     grant_type: 'otp',
                     otp_id: hints.otpId,
@@ -2621,56 +2691,52 @@ function otpFetchTokenCallback(db) {
                 };
             }
             else if ((hints === null || hints === void 0 ? void 0 : hints.grant_type) === 'otp' || (hints === null || hints === void 0 ? void 0 : hints.email)) {
-                // User explicitly requested OTP flow - skip provider selection
-                const email = (hints === null || hints === void 0 ? void 0 : hints.email) || (yield promptForEmail(userInteraction, 'Enter email address'));
+                // Caller explicitly requested OTP — skip provider selection.
+                const email = (hints === null || hints === void 0 ? void 0 : hints.email) ||
+                    (yield promptForEmail(userInteraction, 'Enter email address', undefined, policyAlert));
                 if (/@demo.local$/.test(email)) {
                     tokenRequest = {
                         demo_user: email,
                         grant_type: 'demo',
                         scopes: ['ACCESS_DB'],
-                        public_key
+                        public_key,
                     };
                 }
                 else {
-                    tokenRequest = {
-                        email,
-                        grant_type: 'otp',
-                        scopes: ['ACCESS_DB'],
-                    };
+                    tokenRequest = Object.assign({ email, grant_type: 'otp', scopes: ['ACCESS_DB'] }, (intent !== undefined ? { intent } : {}));
                 }
             }
             else {
-                // Check for available auth providers (OAuth + OTP)
+                // Default path: check for OAuth providers, then fall back to OTP.
                 const socialAuthEnabled = ((_c = db.cloud.options) === null || _c === void 0 ? void 0 : _c.socialAuth) !== false;
                 const authProviders = yield fetchAuthProviders(url, socialAuthEnabled);
-                // If we have OAuth providers available, prompt for selection
                 if (authProviders.providers.length > 0) {
-                    const selection = yield promptForProvider(userInteraction, authProviders.providers, authProviders.otpEnabled, 'Sign in');
+                    const providerAlerts = policyAlert ? [policyAlert] : [];
+                    const selection = yield promptForProvider(userInteraction, authProviders.providers, authProviders.otpEnabled, 'Sign in', providerAlerts);
                     if (selection.type === 'provider') {
-                        // User selected an OAuth provider - initiate redirect
                         initiateOAuthRedirect(db, selection.provider);
-                        // This function never returns - page navigates away
                         throw new OAuthRedirectError(selection.provider);
                     }
-                    // User chose OTP - continue with email prompt below
+                    // User chose OTP — fall through to email prompt (no policyAlert here;
+                    // it was already shown in the provider prompt above).
                 }
-                const email = yield promptForEmail(userInteraction, 'Enter email address', hints === null || hints === void 0 ? void 0 : hints.email);
+                const email = yield promptForEmail(userInteraction, 'Enter email address', hints === null || hints === void 0 ? void 0 : hints.email, 
+                // Show policyAlert in email prompt only if there were no providers
+                // (otherwise it was already shown in the provider selection above).
+                authProviders.providers.length === 0 ? policyAlert : undefined);
                 if (/@demo.local$/.test(email)) {
                     tokenRequest = {
                         demo_user: email,
                         grant_type: 'demo',
                         scopes: ['ACCESS_DB'],
-                        public_key
+                        public_key,
                     };
                 }
                 else {
-                    tokenRequest = {
-                        email,
-                        grant_type: 'otp',
-                        scopes: ['ACCESS_DB'],
-                    };
+                    tokenRequest = Object.assign({ email, grant_type: 'otp', scopes: ['ACCESS_DB'] }, (intent !== undefined ? { intent } : {}));
                 }
             }
+            // ── POST /token (step 1) ───────────────────────────────────────────────
             const res1 = yield fetch(`${url}/token`, {
                 body: JSON.stringify(tokenRequest),
                 method: 'post',
@@ -2678,19 +2744,22 @@ function otpFetchTokenCallback(db) {
                 mode: 'cors',
             });
             if (res1.status !== 200) {
+                const alert = yield tryParsePolicyAlert(res1);
+                if (alert) {
+                    // Policy rejection — restart the flow with the error injected.
+                    return yield otpAuthenticate({ public_key, hints: undefined }, alert);
+                }
                 const errMsg = yield res1.text();
-                yield alertUser(userInteraction, "Token request failed", {
+                yield alertUser(userInteraction, 'Token request failed', {
                     type: 'error',
                     messageCode: 'GENERIC_ERROR',
                     message: errMsg,
-                    messageParams: {}
+                    messageParams: {},
                 }).catch(() => { });
                 throw new HttpError(res1, errMsg);
             }
             const response = yield res1.json();
             if (response.type === 'tokens' || response.type === 'error') {
-                // Demo user request can get a "tokens" response right away
-                // Error can also be returned right away.
                 return response;
             }
             else if (tokenRequest.grant_type === 'otp' && 'email' in tokenRequest) {
@@ -2698,6 +2767,7 @@ function otpFetchTokenCallback(db) {
                     throw new Error(`Unexpected response from ${url}/token`);
                 const otp = yield promptForOTP(userInteraction, tokenRequest.email);
                 const tokenRequest2 = Object.assign(Object.assign({}, tokenRequest), { otp: otp || '', otp_id: response.otp_id, public_key });
+                // ── POST /token (step 2: OTP verification) ─────────────────────────
                 let res2 = yield fetch(`${url}/token`, {
                     body: JSON.stringify(tokenRequest2),
                     method: 'post',
@@ -2710,7 +2780,7 @@ function otpFetchTokenCallback(db) {
                         type: 'error',
                         messageCode: 'INVALID_OTP',
                         message: errorText,
-                        messageParams: {}
+                        messageParams: {},
                     });
                     res2 = yield fetch(`${url}/token`, {
                         body: JSON.stringify(tokenRequest2),
@@ -2720,6 +2790,10 @@ function otpFetchTokenCallback(db) {
                     });
                 }
                 if (res2.status !== 200) {
+                    const alert = yield tryParsePolicyAlert(res2);
+                    if (alert) {
+                        return yield otpAuthenticate({ public_key, hints: undefined }, alert);
+                    }
                     const errMsg = yield res2.text();
                     throw new HttpError(res2, errMsg);
                 }
@@ -2730,14 +2804,11 @@ function otpFetchTokenCallback(db) {
                 throw new Error(`Unexpected response from ${url}/token`);
             }
         });
-    };
+    }
+    return ({ public_key, hints }) => otpAuthenticate({ public_key, hints });
 }
 /**
  * Initiates OAuth login via full page redirect.
- *
- * The page will navigate away to the OAuth provider. After authentication,
- * the user is redirected back with a dxc-auth query parameter that is
- * automatically detected by db.cloud.configure().
  */
 function initiateOAuthRedirect(db, provider, redirectUriOverride) {
     var _a, _b;
@@ -2747,17 +2818,44 @@ function initiateOAuthRedirect(db, provider, redirectUriOverride) {
     const redirectUri = redirectUriOverride ||
         ((_b = db.cloud.options) === null || _b === void 0 ? void 0 : _b.oauthRedirectUri) ||
         (typeof location !== 'undefined' ? location.href : undefined);
-    // CodeRabbit suggested to fail fast here, but the only situation where
-    // redirectUri would be undefined is in non-browser environments, and
-    // in those environments OAuth redirect does not make sense anyway
-    // and will fail fast in startOAuthRedirect().
-    // Start OAuth redirect flow - page navigates away
     startOAuthRedirect({
         databaseUrl: url,
         provider,
         redirectUri,
     });
 }
+/**
+ * Converts a PolicyRejectionError to a DXCAlert for injection into prompts.
+ */
+function toPolicyAlert(err) {
+    return {
+        type: 'error',
+        messageCode: err.code,
+        message: err.message,
+        messageParams: {},
+    };
+}
+/**
+ * Tries to parse a failed Response as a structured PolicyError body.
+ * Returns a DXCAlert if it is one, otherwise returns null.
+ * Safe to call: reads body via clone() so the original Response is untouched.
+ */
+function tryParsePolicyAlert(res) {
+    return __awaiter(this, void 0, void 0, function* () {
+        if (res.status !== 403)
+            return null;
+        try {
+            const body = yield res.clone().json();
+            if (isPolicyErrorBody(body)) {
+                return toPolicyAlert(new PolicyRejectionError(body));
+            }
+        }
+        catch (_a) {
+            // Not JSON
+        }
+        return null;
+    });
+}
 
 /** A way to log to console in production without terser stripping out
  * it from the release bundle.
@@ -6038,6 +6136,7 @@ function createBlobResolvingCursor(cursor, table, blobSavingQueue, db) {
                 return cursor.start(() => {
                     const rawValue = cursor.value;
                     if (!rawValue || !hasUnresolvedBlobRefs(rawValue)) {
+                        wrappedCursor.value = rawValue;
                         onNext();
                         return;
                     }
@@ -6046,6 +6145,7 @@ function createBlobResolvingCursor(cursor, table, blobSavingQueue, db) {
                         onNext();
                     }, err => {
                         console.error('Failed to resolve BlobRefs for cursor value:', err);
+                        wrappedCursor.value = rawValue;
                         onNext();
                     });
                 });
@@ -8273,7 +8373,7 @@ function dexieCloud(dexie) {
     const downloading$ = createDownloadingState();
     dexie.cloud = {
         // @ts-ignore
-        version: "4.4.3",
+        version: "4.4.4",
         options: Object.assign({}, DEFAULT_OPTIONS),
         schema: null,
         get currentUserId() {
@@ -8700,7 +8800,7 @@ function dexieCloud(dexie) {
     }
 }
 // @ts-ignore
-dexieCloud.version = "4.4.3";
+dexieCloud.version = "4.4.4";
 Dexie.Cloud = dexieCloud;
 
 export { dexieCloud as default, defineYDocTrigger, dexieCloud, getTiedObjectId, getTiedRealmId, resolveText };