edmaxlabs-core 2.7.2 → 2.9.4

package/dist/index.cjs

@@ -32,42 +32,90 @@ module.exports = __toCommonJS(src_exports);
 
 // src/authentication/Credentials.ts
 var Credentials = class _Credentials {
-  constructor(uid, displayInfo, createdAt, updatedAt, lastLogged, logged) {
+  constructor(uid, displayInfo, data, verified, disabled, provider, createdAt, updatedAt, lastLogin) {
     this.uid = uid;
     this.displayInfo = displayInfo;
+    this.data = data;
+    this.verified = verified;
+    this.disabled = disabled;
+    this.provider = provider;
     this.createdAt = createdAt;
     this.updatedAt = updatedAt;
-    this.lastLogged = lastLogged;
-    this.logged = logged === true;
+    this.lastLogin = lastLogin;
   }
   static fromMap(map) {
-    const uid = map.id ?? map.uid ?? "";
-    const data = map.data ?? map;
-    const d_info = data.displayInfo;
-    const createdAt = data.createdAt;
-    const updatedAt = data.updatedAt;
-    const lastLogged = data.lastLogged;
-    const logged = data.logged;
-    const result = new _Credentials(
+    const uid = map.uid ?? map.id ?? map._id ?? null;
+    let displayInfo;
+    let data;
+    let createdAt;
+    let updatedAt;
+    let lastLogin;
+    let verified;
+    let disabled;
+    let provider;
+    const inner = map;
+    displayInfo = inner.displayInfo ?? {
+      firstname: "",
+      lastname: "",
+      surname: "",
+      profile: "",
+      email: "",
+      phone: ""
+    };
+    data = inner.data ?? {};
+    createdAt = inner.createdAt ?? map.createdAt ?? null;
+    updatedAt = inner.updatedAt ?? map.updatedAt ?? null;
+    lastLogin = inner.lastLogin ?? map.lastLogin ?? null;
+    verified = inner.verified ?? map.verified ?? false;
+    disabled = inner.disabled ?? map.disabled ?? false;
+    provider = inner.provider ?? map.provider ?? "EAuth";
+    const output = new _Credentials(
       uid,
-      d_info,
+      displayInfo,
+      data,
+      verified,
+      disabled,
+      provider,
       createdAt,
       updatedAt,
-      lastLogged,
-      logged
+      lastLogin
     );
-    return result;
+    return output;
   }
+  // toMap() produces the nested shape — used by:
+  //   - localStorage.setItem("eauth", JSON.stringify(creds.toMap()))
+  //   - authState snapshot listener: Credentials.fromMap(snapshot.toMap())
+  // Keep this stable so existing persisted sessions restore correctly.
   toMap() {
     return {
       uid: this.uid,
       displayInfo: this.displayInfo,
+      data: this.data,
+      verified: this.verified,
+      disabled: this.disabled,
+      provider: this.provider,
       createdAt: this.createdAt,
       updatedAt: this.updatedAt,
-      lastLogged: this.lastLogged,
-      logged: this.logged
+      lastLogin: this.lastLogin
     };
   }
+  // ── Convenience getters ───────────────────────────────────────────────────
+  // So callers don't have to drill into displayInfo everywhere.
+  get email() {
+    return this.displayInfo.email ?? "";
+  }
+  get firstname() {
+    return this.displayInfo.firstname ?? "";
+  }
+  get lastname() {
+    return this.displayInfo.lastname ?? "";
+  }
+  get displayName() {
+    return `${this.firstname} ${this.lastname}`.trim() || this.email;
+  }
+  get photoUrl() {
+    return this.displayInfo.profile ?? "";
+  }
 };
 
 // src/utils/HttpsRequest.ts
@@ -100,11 +148,7 @@ var HttpsRequest = class {
           headers: this.headers,
           body: formData
         });
-        if (!response2.ok) {
-          const errorText = await response2.text().catch(() => "Network error");
-          throw new Error(`HTTP ${response2.status}: ${errorText}`);
-        }
-        return await response2.json().catch(() => ({}));
+        return response2;
       }
       const response = await fetch(this.endpoint, {
         method: this.method,
@@ -114,11 +158,7 @@ var HttpsRequest = class {
         },
         body: this.method !== "GET" /* GET */ ? JSON.stringify(this.body) : void 0
       });
-      if (!response.ok) {
-        const errorText = await response.text().catch(() => "Network error");
-        throw new Error(`HTTP ${response.status}: ${errorText}`);
-      }
-      return await response.json().catch(() => ({}));
+      return response;
     } catch (error) {
       if (error.name === "TypeError" && error.message.includes("fetch")) {
         throw new Error("Network connection failed. Please check your internet connection.");
@@ -134,221 +174,292 @@ var HttpsRequest = class {
 // src/authentication/Authentication.ts
 var _Authentication = class _Authentication {
   constructor() {
+    // accessToken lives in MEMORY ONLY — never written to localStorage or logged.
+    // Reason: localStorage is readable by any JS on the page (XSS).
+    // On page reload it starts null; the first authenticated request that gets
+    // 401 "Access token expired" triggers _refreshAccessToken() automatically.
+    this.accessToken = null;
+    // The user SHAPE (no tokens, no passwordHash) is safe to persist.
+    // Used to restore who is signed in across page reloads without a network call.
+    this.eUser = null;
+    this.isRefreshing = false;
+    this.refreshQueue = [];
     this.eventListeners = /* @__PURE__ */ new Map();
-    this.eventWaiters = /* @__PURE__ */ new Map();
-    this.unsubscribers = /* @__PURE__ */ new Set();
-    this.isSameCredentials = (a, b) => {
-      if (!a && !b)
-        return true;
-      if (!a || !b)
-        return false;
-      return JSON.stringify(a.toMap()) === JSON.stringify(b.toMap());
-    };
-    this.createUserWithEmailAndPassword = async ({
-      email,
-      password
-    }) => {
-      this.eUser = void 0;
-      this.saveCredentials(null);
-      const app = this.app?.getDatabase;
-      const data = await app?.collection("authentication").query.where({
-        key: "email",
-        op: "===",
-        value: email
-      }).get();
-      if (data.length > 0) {
-        throw new Error("Email Already In Use.");
-      }
-      const userRef = await app?.collection("authentication").add({
-        email,
-        password,
-        logged: true,
-        lastLogged: Date.now(),
-        displayInfo: {
-          firstname: email.split("@")[0],
-          lastname: "",
-          surname: "",
-          profile: "./logo.png",
-          email,
-          phone: ""
-        }
-      });
-      if (!userRef?.id || userRef?.id === "") {
-        throw new Error("Something went wrong try Again.");
-      }
-      this.eUser = Credentials.fromMap(userRef);
-      this.saveCredentials(this.eUser);
-      return Credentials.fromMap(userRef.toMap());
-    };
-    this.signInWithEmailAndPassword = async ({
-      email,
-      password
-    }) => {
-      const app = this.app?.getDatabase;
-      const data = await app?.collection("authentication").query.where({
-        key: "email",
-        op: "===",
-        value: email
-      }).where({
-        key: "password",
-        op: "===",
-        value: password
-      }).get();
-      console.log("Auth Data:", data);
-      if (data === void 0) {
-        throw new Error("Auth Failed.");
-      }
-      if (data?.length === 0) {
-        throw new Error("User Not Found.");
+    // ─── Sign up ──────────────────────────────────────────────────────────────
+    this.createUserWithEmailAndPassword = async (data) => {
+      this._saveSession(null);
+      const r = await new HttpsRequest({
+        method: "POST" /* POST */,
+        endpoint: `${this.app?.getBaseUrl()}/auth/signup`,
+        // ← /auth/signup
+        headers: this.buildProjectHeaders(),
+        body: data
+      }).sendRequest();
+      const res = await r.json().catch(() => ({}));
+      const error = res?.error ?? null;
+      if (error) {
+        console.error(`[Authentication] Registration failed :`, error);
+        throw new Error(error);
       }
-      const _data = data[0];
-      await app?.collection("authentication").doc(_data.id).update({
-        logged: true,
-        lastLogged: Date.now()
-      });
-      this.eUser = Credentials.fromMap(_data);
-      this.saveCredentials(this.eUser);
-      return Credentials.fromMap(_data);
+      const creds = Credentials.fromMap(res.result);
+      this._saveSession(creds, res.accessToken ?? null);
+      return creds;
     };
-    this.deleteUser = async () => {
-      if (!this.eUser) {
-        throw new Error("No User Signed in");
-      }
-      const app = this.app?.getDatabase;
-      const userRef = await app?.collection("authentication").doc(this.eUser.uid).delete();
-      if (userRef) {
-        throw new Error("Something went wrong try Again.");
+    // ─── Sign in ──────────────────────────────────────────────────────────────
+    this.signInWithEmailAndPassword = async ({ email, password }) => {
+      const r = await new HttpsRequest({
+        method: "POST" /* POST */,
+        endpoint: `${this.app?.getBaseUrl()}/auth/login`,
+        headers: this.buildProjectHeaders(),
+        body: { email, password }
+      }).sendRequest();
+      const res = await r.json().catch(() => ({}));
+      const error = res?.error ?? null;
+      if (error) {
+        console.error(`[Authentication] Login failed :`, error);
+        throw new Error(error);
       }
-      this.eUser = void 0;
-      this.saveCredentials(null);
+      const creds = Credentials.fromMap(res.result);
+      this._saveSession(creds, res.accessToken ?? null);
+      return creds;
     };
+    // ─── Sign out ─────────────────────────────────────────────────────────────
+    //
+    // Server call bumps tokenVersion — instantly invalidates all existing
+    // access tokens for this user without waiting for the 1h expiry.
+    // Local state is always cleared even if the server call fails.
     this.signOut = async () => {
-      const app = this.app?.getDatabase;
-      const luid = this.currentUser();
-      this.eUser = void 0;
-      this.saveCredentials(null);
-      if (luid)
-        await app?.collection("authentication").doc(luid?.uid).update({
-          logged: false,
-          lastLogged: Date.now()
-        });
-      return;
-    };
-    this.resetPassword = async () => {
-      const app = this.app?.getDatabase;
-      const luid = this.currentUser();
-      const payload = {
-        uid: luid?.uid,
-        ttl: 3
-        //minutes
-      };
-      const id = await app?.collection("_auth_tokens").add(payload);
-      if (id) {
-        return `https://auth.edmaxlabs.com/reset/${id}`;
+      try {
+        await new HttpsRequest({
+          method: "POST" /* POST */,
+          endpoint: `${this.app?.getBaseUrl()}/auth/signout`,
+          headers: this.buildUserHeaders(),
+          body: {}
+        }).sendRequest();
+      } catch {
+      } finally {
+        this._saveSession(null);
       }
-      throw new Error("Failed to request reset tokens. Try Again");
     };
-    this.rules = async (path, context) => {
-      const res = await new HttpsRequest({
+    // ─── Delete user ──────────────────────────────────────────────────────────
+    this.deleteUser = async () => {
+      if (!this.eUser)
+        throw new Error("No user signed in");
+      const res = await this.makeRequest({
         method: "POST" /* POST */,
-        endpoint: this.client.getBaseUrl() + "/auth/rules/verify",
-        headers: {
-          authorization: this.client.getConfig().token,
-          project: this.client.getConfig().project
-        },
-        body: {
-          path,
-          context
-        }
+        endpoint: `${this.app?.getBaseUrl()}/auth/users/delete`,
+        body: { userId: this.eUser.uid }
+      });
+      if (!res.success)
+        throw new Error(res.error ?? "Delete failed");
+      this._saveSession(null);
+    };
+    // ─── Password reset ───────────────────────────────────────────────────────
+    //
+    // Takes email — NOT uid. Never expose uid in client-controlled reset flows.
+    // Server always responds with success regardless of whether the email exists
+    // (prevents email enumeration attacks).
+    this.resetPassword = async ({ email }) => {
+      await new HttpsRequest({
+        method: "POST" /* POST */,
+        endpoint: `${this.app?.getBaseUrl()}/auth/password/reset-request`,
+        headers: this.buildProjectHeaders(),
+        body: { email }
       }).sendRequest();
-      return res;
     };
     if (_Authentication.instance)
       return _Authentication.instance;
-    this.client = EdmaxLabs.instance;
-    this.app = new EdmaxLabs({
-      token: "auth",
-      project: "698457c2f7448550b9e166c4"
-    });
+    this.app = EdmaxLabs.instance;
     _Authentication.instance = this;
-    this.restoreSession();
-  }
-  restoreSession() {
-    const saved = this.currentUser();
-    if (saved) {
-      this.eUser = saved;
-      this.emitValue("creds", saved);
-    }
+    this._restoreSession();
   }
-  // Better singleton
   static getInstance() {
-    if (!_Authentication.instance) {
-      _Authentication.instance = new _Authentication();
-    }
+    if (!_Authentication.instance)
+      new _Authentication();
     return _Authentication.instance;
   }
-  emitValue(key, value) {
-    const listeners = this.eventListeners.get(key) || [];
-    listeners.forEach((l) => l(value));
-    const waiters = this.eventWaiters.get(key) || [];
-    waiters.forEach((resolve) => resolve(value));
-    this.eventWaiters.delete(key);
-  }
-  onValue(key, callback) {
-    const listeners = this.eventListeners.get(key) || [];
-    listeners.push(callback);
-    this.eventListeners.set(key, listeners);
-    return () => {
-      const filtered = listeners.filter((cb) => cb !== callback);
-      this.eventListeners.set(key, filtered);
+  // ─── Header builders ──────────────────────────────────────────────────────
+  buildProjectHeaders() {
+    return {
+      "Authorization": `${this.app?.getConfig().token ?? ""}`,
+      "X-Project": `${this.app?.getConfig().project ?? ""}`,
+      "Content-Type": "application/json"
     };
   }
-  currentUser() {
-    const data = localStorage.getItem("eauth");
-    if (!data)
-      return null;
+  buildUserHeaders() {
+    const headers = this.buildProjectHeaders();
+    const userToken = localStorage.getItem("user_token");
+    if (userToken) {
+      headers["X-User"] = `${userToken}`;
+    }
+    return headers;
+  }
+  /** Exposed so database/RequestHeaders.ts can read current headers */
+  getHeaders() {
+    return this.buildUserHeaders();
+  }
+  getUserToken() {
+    const userToken = localStorage.getItem("user_token");
+    if (userToken) {
+      return userToken;
+    }
+    return "";
+  }
+  // ─── Session persistence ──────────────────────────────────────────────────
+  //
+  // WHAT IS STORED:
+  //   localStorage["eauth"]  — Credentials shape (uid, email, displayName …)
+  //                            Safe to persist. No tokens. No secrets.
+  //
+  // WHAT IS NOT STORED:
+  //   accessToken            — memory only. Lost on page reload.
+  //                            Restored transparently via auto-refresh on first
+  //                            authenticated request.
+  //   refreshToken           — never touches JS at all. Lives in an httpOnly
+  //                            cookie the server sets. The browser sends it
+  //                            automatically on POST /auth/refresh.
+  /** Synchronous. Reads only from localStorage — no network call. */
+  _restoreSession() {
+    const raw = localStorage.getItem("eauth");
+    const userToken = localStorage.getItem("user_token");
+    if (userToken) {
+      this.accessToken = userToken;
+    }
+    if (!raw)
+      return;
     try {
-      return Credentials.fromMap(JSON.parse(data));
+      const creds = Credentials.fromMap(JSON.parse(raw));
+      this.eUser = creds;
+      this._emit("creds", creds);
     } catch {
       localStorage.removeItem("eauth");
-      return null;
     }
   }
-  saveCredentials(credentials) {
+  /**
+   * Persist the user shape and update the in-memory access token.
+   * Pass credentials=null to fully clear the session (sign out).
+   */
+  _saveSession(credentials, accessToken) {
     if (!credentials) {
       localStorage.removeItem("eauth");
+      localStorage.removeItem("user_token");
       this.eUser = null;
-      this.emitValue("creds", null);
+      this.accessToken = null;
+      this._emit("creds", null);
       return;
     }
     localStorage.setItem("eauth", JSON.stringify(credentials.toMap()));
     this.eUser = credentials;
-    this.emitValue("creds", credentials);
+    if (accessToken !== void 0) {
+      localStorage.setItem("user_token", accessToken ?? "");
+      this.accessToken = accessToken ?? null;
+    }
+    this._emit("creds", credentials);
+  }
+  /**
+   * Returns the locally cached user — no network call.
+   * Returns null if nobody is signed in.
+   */
+  currentUser() {
+    return this.eUser;
+  }
+  // ─── Auto-refresh ─────────────────────────────────────────────────────────
+  //
+  // When the access token expires (1h), the next request gets 401.
+  // makeRequest() catches this, calls _refreshAccessToken() once, then retries.
+  //
+  // The queue pattern prevents N parallel requests from triggering N refreshes.
+  // Only the first caller refreshes; the rest wait and get the same new token.
+  async _refreshAccessToken() {
+    if (this.isRefreshing) {
+      return new Promise((resolve) => this.refreshQueue.push(resolve));
+    }
+    this.isRefreshing = true;
+    try {
+      const r = await new HttpsRequest({
+        method: "POST" /* POST */,
+        endpoint: `${this.app?.getBaseUrl()}/auth/refresh`,
+        headers: this.buildProjectHeaders(),
+        body: {}
+      }).sendRequest();
+      const res = await r.json().catch(() => ({}));
+      if (!res.success || !res.accessToken) {
+        this._saveSession(null);
+        this._drainQueue(null);
+        return null;
+      }
+      this.accessToken = res.accessToken;
+      this._drainQueue(res.accessToken);
+      return res.accessToken;
+    } catch {
+      this._saveSession(null);
+      this._drainQueue(null);
+      return null;
+    } finally {
+      this.isRefreshing = false;
+    }
+  }
+  _drainQueue(token) {
+    this.refreshQueue.forEach((resolve) => resolve(token));
+    this.refreshQueue = [];
   }
-  // Main auth state listener - should be called ONCE at app root
+  /**
+   * Central request method — all auth HTTP calls go through here.
+   * Handles the access-token-expired → refresh → retry cycle automatically.
+   */
+  async makeRequest(options) {
+    const res = await new HttpsRequest({
+      method: options.method,
+      endpoint: options.endpoint,
+      headers: {
+        ...options.headers,
+        ...this.getHeaders()
+      },
+      body: options.body ?? {},
+      file: options.file,
+      isMultipart: options.isMultipart ?? !!options.file
+    }).sendRequest();
+    const body = await res.json().catch(() => ({}));
+    const error = body.error ?? "";
+    if (!options.isRetry && res.status === 401 && typeof error === "string" && (error.toLowerCase() === "access token expired" || error.toLowerCase() === "invalid access token")) {
+      const newToken = await this._refreshAccessToken();
+      if (!newToken)
+        throw new Error("Session expired. Please sign in again.");
+      console.log("[Auth] Retrying request with new access token");
+      return this.makeRequest({ ...options, headers: this.buildUserHeaders(), isRetry: true });
+    }
+    return body;
+  }
+  // ─── Auth state listener ──────────────────────────────────────────────────
+  //
+  // Synchronous setup — fires onChange immediately with the current user
+  // (from localStorage restore), then streams changes as they happen.
+  //
+  // Also subscribes to __users via onSnapshot — if the user is disabled
+  // server-side, the client signs out in real time without a page reload.
+  //
+  // Returns an unsubscribe function (no Promise — matches Firebase's API shape).
   authState({
     onChange,
     onSignOut,
     onDeleted
   }) {
-    let userDocUnsubscribe;
+    let userDocUnsub;
     const handleCredsChange = (creds) => {
-      if (userDocUnsubscribe) {
-        userDocUnsubscribe();
-        userDocUnsubscribe = void 0;
-      }
+      userDocUnsub?.();
+      userDocUnsub = void 0;
       if (!creds) {
         this.eUser = null;
         onSignOut?.();
         return;
       }
-      const userRef = this.app?.getDatabase.collection("authentication").doc(creds.uid);
+      const userRef = this.app?.getDatabase.collection("__users").doc(creds.uid);
       if (!userRef)
         return;
-      userDocUnsubscribe = userRef.onSnapshot(
+      userDocUnsub = userRef.onSnapshot(
         (snapshot, change) => {
           if (change === "delete") {
-            this.saveCredentials(null);
+            this._saveSession(null);
             onSignOut?.();
             onDeleted?.();
             return;
@@ -356,33 +467,49 @@ var _Authentication = class _Authentication {
           if (change === "insert" || change === "update") {
             if (!snapshot)
               return;
-            if (snapshot.data.logged === false || snapshot.data.logged === "false") {
-              this.saveCredentials(null);
+            if (snapshot.data.disabled === true) {
+              this._saveSession(null);
               onSignOut?.();
               return;
             }
             const newCreds = Credentials.fromMap(snapshot.toMap());
-            if (!this.isSameCredentials(this.eUser, newCreds)) {
+            if (JSON.stringify(newCreds.toMap()) !== JSON.stringify(this.eUser?.toMap())) {
               this.eUser = newCreds;
-              this.saveCredentials(newCreds);
+              this._saveSession(newCreds);
               onChange(newCreds);
             }
           }
         }
       );
     };
-    const initialUser = this.currentUser();
-    if (initialUser) {
-      this.eUser = initialUser;
-      onChange(initialUser);
-    }
-    handleCredsChange(initialUser);
+    const initial = this.currentUser();
+    if (initial)
+      onChange(initial);
+    handleCredsChange(initial);
     const credsUnsub = this.onValue("creds", handleCredsChange);
     return () => {
       credsUnsub();
-      userDocUnsubscribe?.();
+      userDocUnsub?.();
     };
   }
+  // ─── Event system ─────────────────────────────────────────────────────────
+  _emit(key, value) {
+    (this.eventListeners.get(key) ?? []).forEach((l) => l(value));
+  }
+  onValue(key, callback) {
+    const listeners = this.eventListeners.get(key) ?? [];
+    listeners.push(callback);
+    this.eventListeners.set(key, listeners);
+    return () => {
+      this.eventListeners.set(key, listeners.filter((cb) => cb !== callback));
+    };
+  }
+  // ─── Dispose ──────────────────────────────────────────────────────────────
+  dispose() {
+    this._saveSession(null);
+    this.eventListeners.clear();
+    _Authentication.instance = null;
+  }
 };
 _Authentication.instance = null;
 var Authentication = _Authentication;
@@ -394,7 +521,7 @@ var DocumentSnapshot = class _DocumentSnapshot {
     this.data = doc;
   }
   static fromMap(map) {
-    const id = map.id ?? map._id ?? "";
+    const id = map._id ?? map.id ?? null;
     const document2 = map.document ?? map.documents ?? map.data ?? map;
     return new _DocumentSnapshot(id, document2);
   }
@@ -456,16 +583,12 @@ var DocumentRef = class {
     try {
       validateDocumentData(data, "DocumentRef.update");
       if (!this.persistence) {
-        const res = await new HttpsRequest({
+        const res = await this.app.getAuthentication.makeRequest({
           method: "POST" /* POST */,
           endpoint: `${this.app.getBaseUrl()}/db/update`,
-          headers: {
-            authorization: this.app.getConfig().token,
-            "x-project": this.app.getConfig().project,
-            "x-user": JSON.stringify(this.app.getAuthentication.currentUser()?.toMap())
-          },
+          headers: {},
           body: { collection: this.collection, id: this.id, data }
-        }).sendRequest();
+        });
         return res?.success ? DocumentSnapshot.fromMap({ ...data, id: this.id }) : null;
       }
       const old = await this.persistence.getDoc(this.collection, this.id);
@@ -503,16 +626,12 @@ var DocumentRef = class {
   async set(data) {
     validateDocumentData(data, "DocumentRef.set");
     if (!this.persistence) {
-      const res = await new HttpsRequest({
+      const res = await this.app.getAuthentication.makeRequest({
         method: "POST" /* POST */,
         endpoint: `${this.app.getBaseUrl()}/db/create`,
-        headers: {
-          authorization: this.app.getConfig().token,
-          "x-project": this.app.getConfig().project,
-          "x-user": JSON.stringify(this.app.getAuthentication.currentUser()?.toMap())
-        },
+        headers: {},
         body: { collection: this.collection, data: { ...data, id: this.id } }
-      }).sendRequest();
+      });
       return res?.success ? DocumentSnapshot.fromMap({ ...data, id: this.id }) : null;
     }
     const existing = await this.persistence.getDoc(this.collection, this.id);
@@ -560,16 +679,12 @@ var DocumentRef = class {
       this.syncEngine?.flush().catch(console.error);
       return true;
     }
-    const res = await new HttpsRequest({
+    const res = await this.app.getAuthentication.makeRequest({
       method: "POST" /* POST */,
       endpoint: `${this.app.getBaseUrl()}/db/delete`,
-      headers: {
-        authorization: this.app.getConfig().token,
-        "x-project": this.app.getConfig().project,
-        "x-user": JSON.stringify(this.app.getAuthentication.currentUser()?.toMap())
-      },
+      headers: {},
       body: { collection: this.collection, id: this.id }
-    }).sendRequest();
+    });
     return !!res?.success;
   }
   onSnapshot(callback) {
@@ -594,20 +709,17 @@ var DocumentRef = class {
   }
   async fetchRemoteSnapshot() {
     try {
-      const res = await new HttpsRequest({
+      const res = await this.app.getAuthentication.makeRequest({
         method: "POST" /* POST */,
         endpoint: `${this.app.getBaseUrl()}/db/read`,
-        headers: {
-          authorization: this.app.getConfig().token,
-          "x-project": this.app.getConfig().project,
-          "x-user": JSON.stringify(this.app.getAuthentication.currentUser()?.toMap())
-        },
-        body: {
-          collection: this.collection,
-          id: this.id,
-          single: true
-        }
-      }).sendRequest();
+        headers: {},
+        body: { collection: this.collection, id: this.id, single: true }
+      });
+      const error = res?.error ?? null;
+      if (error) {
+        console.error(`[DocumentRef]:`, error);
+        return null;
+      }
       if (!res?.success || !res.document)
         return null;
       const snapshot = DocumentSnapshot.fromMap(res.document);
@@ -616,7 +728,7 @@ var DocumentRef = class {
       }
       return snapshot;
     } catch (error) {
-      console.error(`[DocumentRef] get(${this.collection}/${this.id}) failed:`, error);
+      console.error(`[DocumentRef]:`, error);
       return null;
     }
   }
@@ -718,9 +830,8 @@ var Query = class {
     const persistence = this.app.offline().persistence;
     if (this.filter.length > 0 && persistence) {
       const local = await this.getLocalFilteredSnapshots();
-      if (typeof navigator === "undefined" || !navigator.onLine) {
+      if (typeof navigator === "undefined" || !navigator.onLine)
         return local;
-      }
       return this.refreshFromRemote();
     }
     if (persistence) {
@@ -734,17 +845,12 @@ var Query = class {
     return this.refreshFromRemote();
   }
   async update(data) {
-    const genfilter = this.buildFilter();
-    return new HttpsRequest({
+    return await this.app.getAuthentication.makeRequest({
       method: "POST" /* POST */,
       endpoint: `${this.app.getBaseUrl()}/db/update`,
-      headers: { authorization: this.app.getConfig().token, "x-project": this.app.getConfig().project, "x-user": JSON.stringify(this.app.getAuthentication.currentUser()?.toMap()) },
-      body: {
-        collection: this.collection,
-        filter: genfilter,
-        data
-      }
-    }).sendRequest();
+      headers: {},
+      body: { collection: this.collection, filter: this.buildFilter(), data }
+    });
   }
   onSnapshot(callback) {
     const genfilter = this.buildFilter();
@@ -874,32 +980,22 @@ var Query = class {
   }
   async refreshFromRemote() {
     try {
-      const genfilter = this.buildFilter();
-      const res = await new HttpsRequest({
+      const res = await this.app.getAuthentication.makeRequest({
         method: "POST" /* POST */,
         endpoint: `${this.app.getBaseUrl()}/db/read`,
-        headers: {
-          authorization: this.app.getConfig().token,
-          "x-project": this.app.getConfig().project,
-          "x-user": JSON.stringify(this.app.getAuthentication.currentUser()?.toMap())
-        },
-        body: {
-          collection: this.collection,
-          filter: genfilter
-        }
-      }).sendRequest();
-      if (!res?.success || !Array.isArray(res.documents)) {
+        headers: {},
+        body: { collection: this.collection, filter: this.buildFilter() }
+      });
+      if (!res?.success || !Array.isArray(res.documents))
         return [];
-      }
       const snapshots = res.documents.map((d) => {
         d.id = d.id ?? d._id;
         delete d._id;
         return DocumentSnapshot.fromMap(d);
       });
       const persistence = this.app.offline().persistence;
-      if (!persistence) {
+      if (!persistence)
         return snapshots;
-      }
       for (const snapshot of snapshots) {
         await persistence.applyRemoteDoc(this.collection, snapshot.data);
       }
@@ -950,13 +1046,12 @@ var Query = class {
             newIndex: childChange.newIndex,
             previousDoc: childChange.previousDoc
           };
-          if (childChange.type === "added") {
+          if (childChange.type === "added")
             callbacks.onChildAdded?.(childChange.doc, context);
-          } else if (childChange.type === "modified") {
+          else if (childChange.type === "modified")
             callbacks.onChildUpdated?.(childChange.doc, context);
-          } else if (childChange.type === "removed") {
+          else if (childChange.type === "removed")
             callbacks.onChildRemoved?.(childChange.doc, context);
-          }
         });
       },
       this.buildFilter()
@@ -1033,19 +1128,12 @@ var CollectionRef = class {
       this.syncEngine?.flush().catch(console.error);
       return snap;
     }
-    const res = await new HttpsRequest({
+    const res = await this.app.getAuthentication.makeRequest({
       method: "POST" /* POST */,
       endpoint: `${this.app.getBaseUrl()}/db/create`,
-      headers: {
-        authorization: this.app.getConfig().token,
-        "x-project": this.app.getConfig().project,
-        user: JSON.stringify(this.authentication.currentUser()?.toMap())
-      },
-      body: {
-        collection: this.collection,
-        data: { ...data, id: "" }
-      }
-    }).sendRequest();
+      headers: {},
+      body: { collection: this.collection, data: { ...data } }
+    });
     if (!res?.success || !res.document)
       return null;
     return DocumentSnapshot.fromMap(res.document);
@@ -1094,23 +1182,19 @@ var CollectionRef = class {
   }
   async refreshFromRemote() {
     try {
-      const res = await new HttpsRequest({
+      const res = await this.app.getAuthentication.makeRequest({
         method: "POST" /* POST */,
         endpoint: `${serverURI}/db/read`,
-        headers: {
-          authorization: this.app.getConfig().token,
-          "x-project": this.app.getConfig().project,
-          user: JSON.stringify(this.authentication.currentUser()?.toMap()),
-          "x-user": JSON.stringify(this.authentication.currentUser()?.toMap())
-        },
-        body: {
-          collection: this.collection,
-          filter: {}
-        }
-      }).sendRequest();
-      if (!res?.success || !Array.isArray(res.documents)) {
+        headers: {},
+        body: { collection: this.collection, filter: {} }
+      });
+      const error = res?.error ?? null;
+      if (error) {
+        console.error(`[CollectionRef]:`, error);
         return [];
       }
+      if (!res?.success || !Array.isArray(res.documents))
+        return [];
       const normalized = res.documents.map((raw) => {
         const doc = { ...raw };
         doc.id = doc.id ?? doc._id;
@@ -1125,36 +1209,32 @@ var CollectionRef = class {
       }
       return normalized.map((doc) => DocumentSnapshot.fromMap(doc));
     } catch (error) {
-      console.error("[EdmaxLabs] refreshFromRemote failed:", error);
+      console.error(`[CollectionRef]:`, error);
       return [];
     }
   }
   async fetchRemoteSnapshots() {
     try {
-      const res = await new HttpsRequest({
+      const res = await this.app.getAuthentication.makeRequest({
         method: "POST" /* POST */,
         endpoint: `${serverURI}/db/read`,
-        headers: {
-          authorization: this.app.getConfig().token,
-          "x-project": this.app.getConfig().project,
-          user: JSON.stringify(this.authentication.currentUser()?.toMap()),
-          "x-user": JSON.stringify(this.app.getAuthentication.currentUser()?.toMap())
-        },
-        body: {
-          collection: this.collection,
-          filter: {}
-        }
-      }).sendRequest();
-      if (!res?.success || !Array.isArray(res.documents)) {
+        headers: {},
+        body: { collection: this.collection, filter: {} }
+      });
+      const error = res?.error ?? null;
+      if (error) {
+        console.error(`[CollectionRef]:`, error);
         return [];
       }
+      if (!res?.success || !Array.isArray(res.documents))
+        return [];
       return res.documents.map((d) => {
         d.id = d.id ?? d._id;
         delete d._id;
         return DocumentSnapshot.fromMap(d);
       });
     } catch (error) {
-      console.error("[EdmaxLabs] Collection get failed:", error);
+      console.error(`[CollectionRef]:`, error);
       return [];
     }
   }
@@ -1193,20 +1273,18 @@ var CollectionRef = class {
           newIndex: childChange.newIndex,
           previousDoc: childChange.previousDoc
         };
-        if (childChange.type === "added") {
+        if (childChange.type === "added")
           callbacks.onChildAdded?.(childChange.doc, context);
-        } else if (childChange.type === "modified") {
+        else if (childChange.type === "modified")
           callbacks.onChildUpdated?.(childChange.doc, context);
-        } else if (childChange.type === "removed") {
+        else if (childChange.type === "removed")
           callbacks.onChildRemoved?.(childChange.doc, context);
-        }
       });
     });
   }
   emitInitialChildEvents(snapshots, callbacks) {
-    const childChanges = diffSnapshots([], snapshots);
-    childChanges.forEach((change) => {
-      const context = {
+    diffSnapshots([], snapshots).forEach((change) => {
+      callbacks.onChildAdded?.(change.doc, {
         snapshots,
         source: "initial",
         changedDocId: change.doc.id,
@@ -1214,8 +1292,7 @@ var CollectionRef = class {
         oldIndex: change.oldIndex,
         newIndex: change.newIndex,
         previousDoc: change.previousDoc
-      };
-      callbacks.onChildAdded?.(change.doc, context);
+      });
     });
   }
 };
@@ -1227,38 +1304,19 @@ var Batch = class {
     this.app = app;
   }
   set(docRef, data) {
-    this.ops.push({
-      op: "set",
-      collection: docRef.collection,
-      id: docRef.id,
-      data
-    });
+    this.ops.push({ op: "set", collection: docRef.collection, id: docRef.id, data });
     return this;
   }
   create(docRef, data) {
-    this.ops.push({
-      op: "create",
-      collection: docRef.collection,
-      id: docRef.id,
-      data
-    });
+    this.ops.push({ op: "create", collection: docRef.collection, id: docRef.id, data });
     return this;
   }
   update(docRef, data) {
-    this.ops.push({
-      op: "update",
-      collection: docRef.collection,
-      id: docRef.id,
-      data
-    });
+    this.ops.push({ op: "update", collection: docRef.collection, id: docRef.id, data });
     return this;
   }
   delete(docRef) {
-    this.ops.push({
-      op: "delete",
-      collection: docRef.collection,
-      id: docRef.id
-    });
+    this.ops.push({ op: "delete", collection: docRef.collection, id: docRef.id });
     return this;
   }
   async commit() {
@@ -1307,16 +1365,12 @@ var Batch = class {
       syncEngine?.flush().catch(console.error);
       return { success: true, results };
     }
-    const res = await new HttpsRequest({
+    const res = await this.app.getAuthentication.makeRequest({
       method: "POST" /* POST */,
       endpoint: `${serverURI}/db/batch`,
-      headers: {
-        authorization: this.app.getConfig().token,
-        "x-project": this.app.getConfig().project,
-        "x-user": JSON.stringify(this.app.getAuthentication.currentUser()?.toMap())
-      },
+      headers: {},
       body: { ops: this.ops }
-    }).sendRequest();
+    });
     if (res?.error) {
       throw new Error(res.error.message || "Batch commit failed");
     }
@@ -1363,12 +1417,12 @@ var Database = class {
       }
     };
     await transactionFn(tx);
-    const res = await new HttpsRequest({
+    const res = await this.app.getAuthentication.makeRequest({
       method: "POST" /* POST */,
       endpoint: `${this.app.getBaseUrl()}/db/transaction`,
-      headers: { authorization: this.app.getConfig().token, "x-project": this.app.getConfig().project },
+      headers: {},
       body: { ops: tx.ops }
-    }).sendRequest();
+    });
     if (res?.error) {
       throw new Error(res.error.message || "Transaction failed");
     }
@@ -1395,6 +1449,14 @@ var Database = class {
   }
 };
 
+// src/core/RequestHeaders.ts
+function socketAuth(app) {
+  const base = {
+    ...app.getAuthentication.getHeaders()
+  };
+  return base;
+}
+
 // src/database/Realtime.ts
 var import_socket = require("socket.io-client");
 
@@ -1404,7 +1466,7 @@ function normalizePayload(payload) {
   if (!raw)
     return null;
   const doc = { ...raw };
-  doc.id = doc.id ?? raw?.id ?? raw?._id ?? payload?.id ?? payload?._id;
+  doc.id = raw?._id ?? doc.id ?? raw?.id ?? payload?._id ?? payload?.id;
   delete doc._id;
   return {
     change: payload?.change ?? raw?.change ?? null,
@@ -1429,11 +1491,7 @@ var Realtime = class {
     this.socket = (0, import_socket.io)(this.app.getSocketUrl(), {
       transports: ["websocket"],
       auth: {
-        token: this.app.getConfig().token,
-        "x-project": this.app.getConfig().project,
-        "x-user": JSON.stringify(this.app.getAuthentication.currentUser()?.toMap()),
-        user: this.app.getAuthentication.currentUser()
-        // Pass user info for personalized permissions
+        ...socketAuth(this.app)
       },
       autoConnect: true,
       reconnection: true,
@@ -1477,19 +1535,19 @@ var Realtime = class {
   /**
    * Low-level collection subscription (used by RealtimeBridge)
    */
+  // Realtime.ts - subscribeToCollectionRaw
   subscribeToCollectionRaw(collection, callback, filter = {}) {
     this.connect();
-    const lid = collection;
+    const lid = `${collection}_${Date.now()}_${Math.random().toString(36).slice(2)}`;
     const handlers = [];
-    this.socket.emit("subscribe", { collection, filter });
+    this.socket.emit("subscribe", { collection, filter, lid });
     this.events.forEach((event) => {
       const channel = `${lid}-${event}`;
       const fn = (payload) => {
         const normalized = normalizePayload(payload);
         if (!normalized) {
-          if (event === "delete") {
+          if (event === "delete")
             callback(payload, "delete");
-          }
           return;
         }
         callback(normalized.data, event);
@@ -1505,10 +1563,10 @@ var Realtime = class {
    */
   subscribeToDocumentRaw(collection, id, callback) {
     this.connect();
-    const lid = collection;
+    const lid = `${collection}_${id}_${Date.now()}_${Math.random().toString(36).slice(2)}`;
     const filter = { _id: id };
     const handlers = [];
-    this.socket.emit("subscribe", { collection, filter });
+    this.socket.emit("subscribe", { collection, filter, lid });
     this.events.forEach((event) => {
       const channel = `${lid}-${event}`;
       const fn = (payload) => {
@@ -1568,12 +1626,12 @@ var Functions = class {
   }
   async call(functionName, data) {
     try {
-      const res = await new HttpsRequest({
+      const res = await this.app.getAuthentication.makeRequest({
         method: "POST" /* POST */,
         endpoint: serverURI + "/functions/call/" + functionName,
-        headers: { authorization: this.app.getConfig().token, "x-project": this.app.getConfig().project, "user": JSON.stringify(this.app.getAuthentication.currentUser()?.toMap()), "x-user": JSON.stringify(this.app.getAuthentication.currentUser()?.toMap()) },
+        headers: {},
         body: data
-      }).sendRequest();
+      });
       return res;
     } catch (err) {
       throw {
@@ -1591,15 +1649,15 @@ var Hosting = class {
   }
   async createSubdomain(name) {
     try {
-      const res = await new HttpsRequest({
+      const res = await this.app.getAuthentication.makeRequest({
         method: "POST" /* POST */,
         endpoint: this.app.getBaseUrl() + "/hosting/register",
-        headers: { authorization: this.app.getConfig().token, "x-project": this.app.getConfig().project },
+        headers: {},
         body: {
           hostname: name,
           project: this.app.getConfig().project
         }
-      }).sendRequest();
+      });
       return res;
     } catch (err) {
       throw {
@@ -2445,6 +2503,7 @@ var SyncEngine = class {
   constructor(app, persistence, store, realtimeBridge) {
     this.realtimeBridge = null;
     this.syncing = false;
+    // Use ReturnType<typeof setTimeout> for cross-env timeout type (works in browser and Node)
     this.retryTimeout = null;
     this.MAX_RETRIES = 5;
     this.BASE_RETRY_DELAY = 2e3;
@@ -2457,6 +2516,7 @@ var SyncEngine = class {
     this.persistence = persistence;
     this.store = store;
     this.realtimeBridge = realtimeBridge || null;
+    this.authentication = app.getAuthentication;
     this.persistence.recoverSyncingMutations().catch(console.error);
     if (typeof window !== "undefined") {
       window.addEventListener("online", this.handleOnline);
@@ -2533,15 +2593,15 @@ var SyncEngine = class {
     }
   }
   async syncCreate(mutation) {
-    const res = await new HttpsRequest({
+    const res = await this.authentication.makeRequest({
       method: "POST" /* POST */,
       endpoint: `${this.app.getBaseUrl()}/db/create`,
-      headers: { authorization: this.app.getConfig().token, "x-project": this.app.getConfig().project, user: JSON.stringify(this.app.getAuthentication.currentUser()?.toMap()), "x-user": JSON.stringify(this.app.getAuthentication.currentUser()?.toMap()) },
+      headers: {},
       body: {
         collection: mutation.collection,
         data: mutation.payload
       }
-    }).sendRequest();
+    });
     if (!res?.success || !res.id)
       return false;
     const oldId = mutation.documentId;
@@ -2559,21 +2619,16 @@ var SyncEngine = class {
     return true;
   }
   async syncUpdate(mutation) {
-    const res = await new HttpsRequest({
+    const res = await this.authentication.makeRequest({
       method: "POST" /* POST */,
       endpoint: `${this.app.getBaseUrl()}/db/update`,
-      headers: {
-        authorization: this.app.getConfig().token,
-        "x-project": this.app.getConfig().project,
-        user: JSON.stringify(this.app.getAuthentication.currentUser()?.toMap()),
-        "x-user": JSON.stringify(this.app.getAuthentication.currentUser()?.toMap())
-      },
+      headers: {},
       body: {
         collection: mutation.collection,
         document: mutation.documentId,
         data: mutation.payload
       }
-    }).sendRequest();
+    });
     if (!res?.success)
       return false;
     const local = await this.persistence.upsertDoc({
@@ -2596,20 +2651,15 @@ var SyncEngine = class {
     return true;
   }
   async syncDelete(mutation) {
-    const res = await new HttpsRequest({
+    const res = await this.authentication.makeRequest({
       method: "POST" /* POST */,
       endpoint: `${this.app.getBaseUrl()}/db/delete`,
-      headers: {
-        authorization: this.app.getConfig().token,
-        "x-project": this.app.getConfig().project,
-        user: JSON.stringify(this.app.getAuthentication.currentUser()?.toMap()),
-        "x-user": JSON.stringify(this.app.getAuthentication.currentUser()?.toMap())
-      },
+      headers: {},
       body: {
         collection: mutation.collection,
         document: mutation.documentId
       }
-    }).sendRequest();
+    });
     if (!res?.success)
       return false;
     await this.persistence.markDeleted(mutation.collection, mutation.documentId, 0);
@@ -2708,13 +2758,11 @@ var StorageRef = class {
     this.app = app;
   }
   async get(id) {
-    const res = await new HttpsRequest({
+    const res = await this.app.getAuthentication.makeRequest({
       method: "GET" /* GET */,
       endpoint: serverURI + `/storage/${id}`,
-      headers: {
-        //authorization: this.app.getConfig.token,
-      }
-    }).sendRequest();
+      headers: {}
+    });
     if (res.success) {
       if (res.document === void 0)
         return void 0;
@@ -2725,13 +2773,11 @@ var StorageRef = class {
     }
   }
   async getMeta(id) {
-    const res = await new HttpsRequest({
+    const res = await this.app.getAuthentication.makeRequest({
       method: "GET" /* GET */,
       endpoint: serverURI + `/storage/${id}/info`,
-      headers: {
-        //authorization: this.app.getConfig.token,
-      }
-    }).sendRequest();
+      headers: {}
+    });
     if (res.success) {
       if (res.document === void 0)
         return void 0;
@@ -2745,13 +2791,13 @@ var StorageRef = class {
     if (!srcFile) {
       throw new Error("Invalid File");
     }
-    const res = await new HttpsRequest({
+    const res = await this.app.getAuthentication.makeRequest({
       method: "POST" /* POST */,
       endpoint: serverURI + "/storage/file/upload",
-      headers: { authorization: this.app.getConfig().token, "x-project": this.app.getConfig().project, "x-user": JSON.stringify(this.app.getAuthentication.currentUser()?.toMap()), "user": JSON.stringify(this.app.getAuthentication.currentUser()?.toMap()) },
+      headers: {},
       file: srcFile,
       isMultipart: true
-    }).sendRequest();
+    });
     if (res.success) {
       if (res.document === void 0)
         return void 0;
@@ -2762,14 +2808,14 @@ var StorageRef = class {
     }
   }
   async delete(id) {
-    const res = await new HttpsRequest({
+    const res = await this.app.getAuthentication.makeRequest({
       method: "POST" /* POST */,
       endpoint: serverURI + "/storage/file/delete",
-      headers: { authorization: this.app.getConfig().token, "x-project": this.app.getConfig().project, "x-user": JSON.stringify(this.app.getAuthentication.currentUser()?.toMap()), "user": JSON.stringify(this.app.getAuthentication.currentUser()?.toMap()) },
+      headers: {},
       body: {
         file_id: id
       }
-    }).sendRequest();
+    });
     return res;
   }
 };