npm - jazz-tools - Versions diffs - 2.0.0-alpha.34 → 2.0.0-alpha.35 - Mend

jazz-tools 2.0.0-alpha.34 → 2.0.0-alpha.35

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (292) hide show

package/bin/docs-index.db +0 -0
package/bin/docs-index.txt +111 -59
package/bin/native/jazz-tools-darwin-arm64 +0 -0
package/bin/native/jazz-tools-darwin-x64 +0 -0
package/bin/native/jazz-tools-linux-arm64 +0 -0
package/bin/native/jazz-tools-linux-x64 +0 -0
package/dist/backend/create-jazz-context.d.ts +4 -0
package/dist/backend/create-jazz-context.d.ts.map +1 -1
package/dist/backend/create-jazz-context.js +6 -5
package/dist/backend/create-jazz-context.js.map +1 -1
package/dist/backend/create-jazz-context.test.js +49 -3
package/dist/backend/create-jazz-context.test.js.map +1 -1
package/dist/backend/index.d.ts +1 -1
package/dist/backend/index.d.ts.map +1 -1
package/dist/backend/index.js.map +1 -1
package/dist/backend/request-auth.d.ts +2 -0
package/dist/backend/request-auth.d.ts.map +1 -1
package/dist/backend/request-auth.js +96 -15
package/dist/backend/request-auth.js.map +1 -1
package/dist/backend/request-auth.test.js +34 -6
package/dist/backend/request-auth.test.js.map +1 -1
package/dist/cli.d.ts +4 -0
package/dist/cli.d.ts.map +1 -1
package/dist/cli.js +83 -39
package/dist/cli.js.map +1 -1
package/dist/cli.test.js +199 -76
package/dist/cli.test.js.map +1 -1
package/dist/codegen/schema-reader.d.ts.map +1 -1
package/dist/codegen/schema-reader.js +14 -0
package/dist/codegen/schema-reader.js.map +1 -1
package/dist/dev/dev-server.d.ts.map +1 -1
package/dist/dev/dev-server.js +3 -0
package/dist/dev/dev-server.js.map +1 -1
package/dist/dev/expo.test.js +1 -1
package/dist/dev/expo.test.js.map +1 -1
package/dist/dev/inspector-link.d.ts +2 -0
package/dist/dev/inspector-link.d.ts.map +1 -0
package/dist/dev/inspector-link.js +10 -0
package/dist/dev/inspector-link.js.map +1 -0
package/dist/dev/managed-runtime.d.ts.map +1 -1
package/dist/dev/managed-runtime.js +10 -1
package/dist/dev/managed-runtime.js.map +1 -1
package/dist/dev/next.d.ts.map +1 -1
package/dist/dev/next.js +6 -0
package/dist/dev/next.js.map +1 -1
package/dist/dev/next.test.js +3 -1
package/dist/dev/next.test.js.map +1 -1
package/dist/dev/sveltekit.d.ts +9 -0
package/dist/dev/sveltekit.d.ts.map +1 -1
package/dist/dev/sveltekit.js +6 -0
package/dist/dev/sveltekit.js.map +1 -1
package/dist/dev/sveltekit.test.js +15 -1
package/dist/dev/sveltekit.test.js.map +1 -1
package/dist/dev/vite.d.ts.map +1 -1
package/dist/dev/vite.js +2 -0
package/dist/dev/vite.js.map +1 -1
package/dist/dev/vite.test.js +4 -2
package/dist/dev/vite.test.js.map +1 -1
package/dist/dev-tools/extension-panel.d.ts.map +1 -1
package/dist/dev-tools/extension-panel.js.map +1 -1
package/dist/dev-tools/protocol.d.ts.map +1 -1
package/dist/dev-tools/protocol.js +0 -1
package/dist/dev-tools/protocol.js.map +1 -1
package/dist/drivers/types.d.ts +2 -0
package/dist/drivers/types.d.ts.map +1 -1
package/dist/dsl.d.ts +8 -1
package/dist/dsl.d.ts.map +1 -1
package/dist/dsl.js +54 -0
package/dist/dsl.js.map +1 -1
package/dist/dsl.test.js +73 -0
package/dist/dsl.test.js.map +1 -1
package/dist/expo/auth-secret-store.d.ts +2 -1
package/dist/expo/auth-secret-store.d.ts.map +1 -1
package/dist/expo/auth-secret-store.js +1 -0
package/dist/expo/auth-secret-store.js.map +1 -1
package/dist/expo/index.d.ts +3 -0
package/dist/expo/index.d.ts.map +1 -0
package/dist/expo/index.js +3 -0
package/dist/expo/index.js.map +1 -0
package/dist/expo/use-local-first-auth.d.ts +3 -0
package/dist/expo/use-local-first-auth.d.ts.map +1 -0
package/dist/expo/use-local-first-auth.js +4 -0
package/dist/expo/use-local-first-auth.js.map +1 -0
package/dist/index.d.ts +1 -1
package/dist/index.d.ts.map +1 -1
package/dist/index.js.map +1 -1
package/dist/mcp/build-index.test.js +1 -1
package/dist/mcp/build-index.test.js.map +1 -1
package/dist/permissions/index.d.ts +3 -0
package/dist/permissions/index.d.ts.map +1 -1
package/dist/permissions/index.js +2 -1
package/dist/permissions/index.js.map +1 -1
package/dist/permissions/type-inference.test.js +23 -2
package/dist/permissions/type-inference.test.js.map +1 -1
package/dist/react/create-jazz-client.integration.test.js +5 -2
package/dist/react/create-jazz-client.integration.test.js.map +1 -1
package/dist/react/create-jazz-client.test.js +6 -1
package/dist/react/create-jazz-client.test.js.map +1 -1
package/dist/react/index.d.ts +2 -0
package/dist/react/index.d.ts.map +1 -1
package/dist/react/index.js +2 -0
package/dist/react/index.js.map +1 -1
package/dist/react/provider.d.ts +2 -1
package/dist/react/provider.d.ts.map +1 -1
package/dist/react/provider.js +2 -2
package/dist/react/provider.js.map +1 -1
package/dist/react/use-local-first-auth.d.ts +3 -0
package/dist/react/use-local-first-auth.d.ts.map +1 -0
package/dist/react/use-local-first-auth.js +4 -0
package/dist/react/use-local-first-auth.js.map +1 -0
package/dist/react-core/index.d.ts +2 -0
package/dist/react-core/index.d.ts.map +1 -1
package/dist/react-core/index.js +2 -0
package/dist/react-core/index.js.map +1 -1
package/dist/react-core/provider.d.ts +7 -3
package/dist/react-core/provider.d.ts.map +1 -1
package/dist/react-core/provider.js +67 -51
package/dist/react-core/provider.js.map +1 -1
package/dist/react-core/provider.onjwtexpired.test.d.ts +2 -0
package/dist/react-core/provider.onjwtexpired.test.d.ts.map +1 -0
package/dist/react-core/provider.onjwtexpired.test.js +47 -0
package/dist/react-core/provider.onjwtexpired.test.js.map +1 -0
package/dist/react-core/test-utils.d.ts +20 -0
package/dist/react-core/test-utils.d.ts.map +1 -0
package/dist/react-core/test-utils.js +34 -0
package/dist/react-core/test-utils.js.map +1 -0
package/dist/react-core/use-auth-state.d.ts +10 -0
package/dist/react-core/use-auth-state.d.ts.map +1 -0
package/dist/react-core/use-auth-state.js +14 -0
package/dist/react-core/use-auth-state.js.map +1 -0
package/dist/react-core/use-auth-state.test.d.ts +2 -0
package/dist/react-core/use-auth-state.test.d.ts.map +1 -0
package/dist/react-core/use-auth-state.test.js +42 -0
package/dist/react-core/use-auth-state.test.js.map +1 -0
package/dist/react-core/use-local-first-auth.d.ts +9 -0
package/dist/react-core/use-local-first-auth.d.ts.map +1 -0
package/dist/react-core/use-local-first-auth.js +54 -0
package/dist/react-core/use-local-first-auth.js.map +1 -0
package/dist/react-core/use-local-first-auth.test.d.ts +2 -0
package/dist/react-core/use-local-first-auth.test.d.ts.map +1 -0
package/dist/react-core/use-local-first-auth.test.js +78 -0
package/dist/react-core/use-local-first-auth.test.js.map +1 -0
package/dist/react-native/create-jazz-client.test.js +4 -2
package/dist/react-native/create-jazz-client.test.js.map +1 -1
package/dist/react-native/create-jazz-rn-runtime.d.ts.map +1 -1
package/dist/react-native/create-jazz-rn-runtime.js.map +1 -1
package/dist/react-native/db.d.ts.map +1 -1
package/dist/react-native/db.js +3 -4
package/dist/react-native/db.js.map +1 -1
package/dist/react-native/db.test.js +3 -6
package/dist/react-native/db.test.js.map +1 -1
package/dist/react-native/jazz-rn-runtime-adapter.d.ts +11 -11
package/dist/react-native/jazz-rn-runtime-adapter.d.ts.map +1 -1
package/dist/react-native/jazz-rn-runtime-adapter.js +8 -35
package/dist/react-native/jazz-rn-runtime-adapter.js.map +1 -1
package/dist/react-native/jazz-rn-runtime-adapter.test.js +10 -27
package/dist/react-native/jazz-rn-runtime-adapter.test.js.map +1 -1
package/dist/runtime/anonymous-write-denied-error.d.ts +13 -0
package/dist/runtime/anonymous-write-denied-error.d.ts.map +1 -0
package/dist/runtime/anonymous-write-denied-error.js +58 -0
package/dist/runtime/anonymous-write-denied-error.js.map +1 -0
package/dist/runtime/anonymous-write-denied-error.test.d.ts +2 -0
package/dist/runtime/anonymous-write-denied-error.test.d.ts.map +1 -0
package/dist/runtime/anonymous-write-denied-error.test.js +56 -0
package/dist/runtime/anonymous-write-denied-error.test.js.map +1 -0
package/dist/runtime/auth-secret-store.d.ts +2 -1
package/dist/runtime/auth-secret-store.d.ts.map +1 -1
package/dist/runtime/auth-secret-store.js +1 -0
package/dist/runtime/auth-secret-store.js.map +1 -1
package/dist/runtime/auth-state.d.ts +5 -14
package/dist/runtime/auth-state.d.ts.map +1 -1
package/dist/runtime/auth-state.js +39 -35
package/dist/runtime/auth-state.js.map +1 -1
package/dist/runtime/auth-state.test.js +36 -5
package/dist/runtime/auth-state.test.js.map +1 -1
package/dist/runtime/client-session.d.ts +1 -1
package/dist/runtime/client-session.d.ts.map +1 -1
package/dist/runtime/client-session.js +15 -9
package/dist/runtime/client-session.js.map +1 -1
package/dist/runtime/client-session.test.js +31 -9
package/dist/runtime/client-session.test.js.map +1 -1
package/dist/runtime/client.d.ts +66 -29
package/dist/runtime/client.d.ts.map +1 -1
package/dist/runtime/client.for-request.test.js +122 -20
package/dist/runtime/client.for-request.test.js.map +1 -1
package/dist/runtime/client.js +186 -56
package/dist/runtime/client.js.map +1 -1
package/dist/runtime/client.mutations.test.js +50 -10
package/dist/runtime/client.mutations.test.js.map +1 -1
package/dist/runtime/client.test.js +2 -0
package/dist/runtime/client.test.js.map +1 -1
package/dist/runtime/context.d.ts +7 -3
package/dist/runtime/context.d.ts.map +1 -1
package/dist/runtime/db.anonymous.test.d.ts +2 -0
package/dist/runtime/db.anonymous.test.d.ts.map +1 -0
package/dist/runtime/db.anonymous.test.js +28 -0
package/dist/runtime/db.anonymous.test.js.map +1 -0
package/dist/runtime/db.auth-state.test.js +22 -25
package/dist/runtime/db.auth-state.test.js.map +1 -1
package/dist/runtime/db.browser-storage-scope.test.js +2 -5
package/dist/runtime/db.browser-storage-scope.test.js.map +1 -1
package/dist/runtime/db.d.ts +62 -19
package/dist/runtime/db.d.ts.map +1 -1
package/dist/runtime/db.js +173 -36
package/dist/runtime/db.js.map +1 -1
package/dist/runtime/db.local-first-auth.test.js +13 -3
package/dist/runtime/db.local-first-auth.test.js.map +1 -1
package/dist/runtime/db.persisted.test.js +1 -1
package/dist/runtime/db.persisted.test.js.map +1 -1
package/dist/runtime/db.schema-order.test.js +26 -9
package/dist/runtime/db.schema-order.test.js.map +1 -1
package/dist/runtime/db.transaction.test.js +106 -4
package/dist/runtime/db.transaction.test.js.map +1 -1
package/dist/runtime/db.transport.test.js +4 -5
package/dist/runtime/db.transport.test.js.map +1 -1
package/dist/runtime/file-storage.d.ts +2 -2
package/dist/runtime/file-storage.d.ts.map +1 -1
package/dist/runtime/file-storage.js +1 -1
package/dist/runtime/file-storage.js.map +1 -1
package/dist/runtime/file-storage.test.js +2 -1
package/dist/runtime/file-storage.test.js.map +1 -1
package/dist/runtime/index.d.ts +2 -2
package/dist/runtime/index.d.ts.map +1 -1
package/dist/runtime/index.js +1 -1
package/dist/runtime/index.js.map +1 -1
package/dist/runtime/introspection-fetch.d.ts +0 -1
package/dist/runtime/introspection-fetch.d.ts.map +1 -1
package/dist/runtime/introspection-fetch.js +2 -2
package/dist/runtime/introspection-fetch.js.map +1 -1
package/dist/runtime/napi.auth-failure.test.js +1 -1
package/dist/runtime/napi.auth-failure.test.js.map +1 -1
package/dist/runtime/napi.for-request.test.js +13 -3
package/dist/runtime/napi.for-request.test.js.map +1 -1
package/dist/runtime/napi.integration.test.js +5 -2
package/dist/runtime/napi.integration.test.js.map +1 -1
package/dist/runtime/permissions.repro.test.js +264 -5
package/dist/runtime/permissions.repro.test.js.map +1 -1
package/dist/runtime/recovery-phrase.integration.test.js +2 -2
package/dist/runtime/recovery-phrase.integration.test.js.map +1 -1
package/dist/runtime/runtime-config.d.ts.map +1 -1
package/dist/runtime/runtime-config.js +8 -1
package/dist/runtime/runtime-config.js.map +1 -1
package/dist/runtime/schema-fetch.d.ts +9 -8
package/dist/runtime/schema-fetch.d.ts.map +1 -1
package/dist/runtime/schema-fetch.js +9 -10
package/dist/runtime/schema-fetch.js.map +1 -1
package/dist/runtime/schema-fetch.test.js +11 -8
package/dist/runtime/schema-fetch.test.js.map +1 -1
package/dist/runtime/sync-transport.d.ts +0 -8
package/dist/runtime/sync-transport.d.ts.map +1 -1
package/dist/runtime/sync-transport.js +0 -19
package/dist/runtime/sync-transport.js.map +1 -1
package/dist/runtime/url.d.ts +13 -6
package/dist/runtime/url.d.ts.map +1 -1
package/dist/runtime/url.js +51 -22
package/dist/runtime/url.js.map +1 -1
package/dist/runtime/url.test.js +20 -16
package/dist/runtime/url.test.js.map +1 -1
package/dist/runtime/worker-bridge.d.ts +0 -1
package/dist/runtime/worker-bridge.d.ts.map +1 -1
package/dist/runtime/worker-bridge.js +0 -1
package/dist/runtime/worker-bridge.js.map +1 -1
package/dist/runtime/worker-bridge.test.js +7 -3
package/dist/runtime/worker-bridge.test.js.map +1 -1
package/dist/schema.d.ts +3 -0
package/dist/schema.d.ts.map +1 -1
package/dist/schema.js.map +1 -1
package/dist/subscriptions-orchestrator.integration.test.js +4 -4
package/dist/subscriptions-orchestrator.integration.test.js.map +1 -1
package/dist/subscriptions-orchestrator.test.js +4 -0
package/dist/subscriptions-orchestrator.test.js.map +1 -1
package/dist/svelte/create-jazz-client.test.js +2 -1
package/dist/svelte/index.d.ts +1 -0
package/dist/svelte/index.d.ts.map +1 -1
package/dist/svelte/index.js +1 -0
package/dist/testing/index.test.js +5 -5
package/dist/testing/index.test.js.map +1 -1
package/dist/vue/create-jazz-client.integration.test.js +4 -1
package/dist/vue/create-jazz-client.integration.test.js.map +1 -1
package/dist/vue/create-jazz-client.test.js +2 -1
package/dist/vue/create-jazz-client.test.js.map +1 -1
package/dist/worker/jazz-worker.d.ts +1 -2
package/dist/worker/jazz-worker.d.ts.map +1 -1
package/dist/worker/jazz-worker.js +3 -4
package/dist/worker/jazz-worker.js.map +1 -1
package/dist/worker/jazz-worker.test.d.ts +1 -1
package/dist/worker/jazz-worker.test.js +3 -3
package/dist/worker/jazz-worker.test.js.map +1 -1
package/dist/worker/jazz-worker.ts +3 -4
package/dist/worker/worker-protocol.d.ts +0 -1
package/dist/worker/worker-protocol.d.ts.map +1 -1
package/package.json +13 -11

package/bin/docs-index.db CHANGED Viewed

Binary file

package/bin/docs-index.txt CHANGED Viewed

@@ -2,13 +2,16 @@
 TITLE:Authentication
 DESCRIPTION:"How and when to use Jazz's auth modes, and how to manage JWT auth over the lifetime of a live client."
-Jazz has two auth modes: `local-first` and `external`. Local-first auth derives a stable identity from a device secret — no server needed. Most multi-user apps will also use `external` authentication for production accounts.
+Jazz has three auth modes: `anonymous`, `local-first`, and `external`. You pick the mode implicitly by what you pass in `DbConfig`: nothing for anonymous, `secret` for local-first, or `jwtToken` for external.
 | Mode          | What it does                                           | When to use it                                   |
 | ------------- | ------------------------------------------------------ | ------------------------------------------------ |
+| `anonymous`   | Ephemeral read-only identity, no secret, no server     | Public/marketing surfaces, try-before-anything   |
 | `local-first` | Stable identity from a device secret, no server needed | Production offline-first apps, try-before-signup |
 | `external`    | Validates a JWT from your auth provider via JWKS       | Production apps with real user accounts          |
+Anonymous sessions can subscribe to queries but are **structurally denied writes** — every insert, update, and delete path checks the session's auth mode before any policy evaluation runs, and surfaces an `AnonymousWriteDeniedError` to the client. Gate reads the same way you gate any other access, via the permissions DSL (`session.where({ authMode: "anonymous" })`).
 ## Local-first auth
 Local-first auth lets users start using your app without signing up. They can later upgrade to an external provider while keeping their identity. See [Local-first auth](/docs/auth/local-first-auth) for the full guide.
@@ -89,7 +92,9 @@ For sign-in and sign-out, recreate `JazzProvider` or `Db` with a new auth config
 ```tsx
 const [jwtToken, setJwtToken] = useState<string | null>(readStoredJwt());
-const secret = use(BrowserAuthSecretStore.getOrCreateSecret());
+const { secret, isLoading } = useLocalFirstAuth();
+if (!jwtToken && (isLoading || !secret)) return <p>Loading…</p>;
 const config = jwtToken
   ? {
@@ -100,7 +105,7 @@ const config = jwtToken
   : {
       appId: "my-app",
       serverUrl: "https://sync.example.com",
-      auth: { localFirstSecret: secret },
+      secret: secret!,
     };
 ;
@@ -120,14 +125,42 @@ recommended path for login, logout, and any principal change.
 ### Reacting to expiry and unauthenticated responses
-Jazz exposes first-class auth state on `Db`:
+Auth state is flat:
 ```ts
-const stop = db.onAuthChanged(async (state) => {
-  if (state.status !== "unauthenticated") return;
+interface AuthState {
+  authMode: "anonymous" | "local-first" | "external";
+  session: Session | null;
+  error?: "expired" | "missing" | "invalid" | "disabled";
+}
+```
-  console.log(state.reason);
-  // "expired" | "missing" | "invalid" | "disabled"
+Presence of `error` indicates trouble; `authMode` and the last-known `session` are always available.
+#### React: `onJWTExpired` prop
+For JWT refresh, pass `onJWTExpired` to `JazzProvider`. Jazz calls it when the sync server rejects
+the current token as expired, serialized so concurrent failed writes trigger a single refresh:
+```tsx
+ await fetchFreshJwt()}
+>
+```
+Read auth state from any component with `useAuthState()`:
+```ts
+const { authMode, userId, claims, error } = useAuthState();
+```
+#### TypeScript: `db.onAuthChanged`
+Outside React, subscribe to auth-state changes on `Db`:
+```ts
+const stop = db.onAuthChanged(async (state) => {
+  if (state.error !== "expired") return;
   const freshJwt = await getFreshJwtForCurrentUser().catch(() => null);
   if (freshJwt) {
@@ -140,22 +173,19 @@ const stop = db.onAuthChanged(async (state) => {
 });
 ```
-You can also read the current snapshot synchronously with `db.getAuthState()`.
+Read the current snapshot synchronously with `db.getAuthState()`.
 When Jazz receives a structured unauthenticated response from the sync server, it:
-- transitions the client to `status: "unauthenticated"`
+- sets `error` on the auth state
 - preserves the last known `session`
 - pauses authenticated sync and reconnects until the app either refreshes the same user's JWT with
   `db.updateAuthToken(...)` or recreates the client with a new auth config
-This means app code should treat `authState.status` as the source of truth for whether Jazz is
-currently authenticated.
-  `useSession()` and `db.getAuthState().session` can still return the last known session while the
-  auth state is unauthenticated. That's intentional: it keeps user-scoped UI and local authorship
-  stable while your app refreshes or replaces the JWT. For signed-in vs signed-out UI, check
-  `db.getAuthState().status` instead of only checking whether a session exists.
+  `useSession()` and `db.getAuthState().session` can still return the last known session while
+  `error` is set. That's intentional: it keeps user-scoped UI and local authorship stable while your
+  app refreshes or replaces the JWT. For signed-in vs signed-out UI, check whether `error` is set
+  (or the `authMode` you expect) instead of only whether a session exists.
 ### Server configuration
@@ -186,7 +216,7 @@ When the server receives a request, it tries each auth method in priority order
 Backend impersonation always takes precedence, so a backend service can reliably impersonate users even if the request also carries a JWT.
-On TypeScript backends, `await createJazzContext(...).forRequest(req)` follows the same rule set. Configure `jwksUrl` on the backend context to verify external JWTs there too.
+On TypeScript backends, `await createJazzContext(...).forRequest(req)` follows the same rule set. Configure `jwksUrl` or `jwtPublicKey` on the backend context to verify external JWTs there too, but not both.
 ### Upgrading to external auth
@@ -210,12 +240,14 @@ Local-first auth lets users start using your app immediately — no sign-up, no
 ## Client setup
-Use `BrowserAuthSecretStore` to persist the user's secret across sessions. On first load it generates a new identity; on subsequent loads it reuses the stored one.
+Use `useLocalFirstAuth()` to manage the user's secret. On first load it generates a new identity; on subsequent loads it reuses the stored one. It also exposes `login` and `signOut` for switching or clearing the local identity.
 ```tsx
 function App() {
-  const secret = use(BrowserAuthSecretStore.getOrCreateSecret());
+  const { secret, isLoading } = useLocalFirstAuth();
+  if (isLoading || !secret) return <p>Loading…</p>;
   return (
@@ -349,36 +381,54 @@ On the server, a BetterAuth middleware hook intercepts sign-up requests, verifie
 The app switches between local-first auth and external JWT based on whether the user has a BetterAuth session:
 ```tsx
-function App() {
-  const { data: authSession, isPending } = authClient.useSession();
-  const [config, setConfig] = useState(null);
+function useBetterAuthJWT() {
+  const { data, isPending } = authClient.useSession();
+  const [jwt, setJwt] = useState<string | null>(null);
+  const [isFetching, setIsFetching] = useState(false);
   useEffect(() => {
     if (isPending) return;
-    async function resolveConfig() {
-      const sharedConfig = {
-        appId: process.env.NEXT_PUBLIC_JAZZ_APP_ID!,
-        serverUrl: process.env.NEXT_PUBLIC_JAZZ_SERVER_URL!,
-      };
-      if (authSession?.session) {
-        // User is signed in with BetterAuth — use their JWT
-        const jwtToken = await getJwtFromBetterAuth();
-        setConfig({ ...sharedConfig, jwtToken: jwtToken! });
-      } else {
-        // No external session — use local-first auth
-        const secret = await BrowserAuthSecretStore.getOrCreateSecret();
-        setConfig({ ...sharedConfig, auth: { localFirstSecret: secret } });
-      }
+    if (!data?.session) {
+      setJwt(null);
+      return;
     }
+    setIsFetching(true);
+    void getJwtFromBetterAuth().then((token) => {
+      setJwt(token ?? null);
+      setIsFetching(false);
+    });
+  }, [isPending, data?.session?.id]);
-    void resolveConfig();
-  }, [isPending, authSession?.session]);
+  return {
+    isLoading: isPending || isFetching,
+    jwt,
+    getRefreshedJWT: () => getJwtFromBetterAuth(),
+  };
+}
-  if (isPending || !config) return null;
+function App() {
+  const betterAuth = useBetterAuthJWT();
+  const { secret: localFirstSecret, isLoading: localFirstLoading } = useLocalFirstAuth();
+  // Only mint a local-first secret when there's no BetterAuth session.
+  const secret = !betterAuth.jwt ? (localFirstSecret ?? undefined) : undefined;
+  const config = useMemo(
+    () => ({
+      appId: process.env.NEXT_PUBLIC_JAZZ_APP_ID!,
+      serverUrl: process.env.NEXT_PUBLIC_JAZZ_SERVER_URL!,
+      jwtToken: betterAuth.jwt ?? undefined,
+      secret,
+    }),
+    [betterAuth.jwt, secret],
+  );
+  if (betterAuth.isLoading || (!betterAuth.jwt && localFirstLoading)) return <p>Loading auth…</p>;
   return (
+     betterAuth.getRefreshedJWT()}
+      fallback={<p>Loading Jazz DB…</p>}
+    >
   );
 }
@@ -391,7 +441,7 @@ You can restrict what local-first users can do until they sign up. Define an `is
 ```ts
   const isLocalFirstAuthMode = session.where({
-    "claims.auth_mode": "local-first",
+    authMode: "local-first",
   });
   // Everyone can read
@@ -409,7 +459,7 @@ The BetterAuth example above uses a framework-specific middleware hook. With any
 1. Accepts `proofToken` alongside the sign-up credentials
 2. Verifies it with `verifyLocalFirstIdentityProof` from `jazz-napi`
 3. Stores the proven Jazz user ID linked to the new user account
-4. Issues JWTs with either `sub: jazzId` or `jazz_principal_id: jazzId`
+4. Issues JWTs with `sub: jazzId`
 ```ts title="server.ts"
@@ -427,8 +477,7 @@ app.post("/signup", async (req, res) => {
   );
   if (!ok) return res.status(400).json({ error });
-  // Store jazzUserId so you can include it in future JWTs as `sub`
-  // or, for managed providers with provider-owned `sub`, as `jazz_principal_id`
+  // Store jazzUserId so you can mint future JWTs with it as `sub`.
   const user = await db.users.create({ email, password, jazzId: jazzUserId });
   res.json({ token: issueJwt({ sub: user.jazzId /* ... */ }) });
@@ -437,7 +486,7 @@ app.post("/signup", async (req, res) => {
 The `audience` string on the client and server must match. `jazz-napi` normalizes it internally, so any consistent string works.
-If your provider lets you control the JWT subject, you can set `sub` directly to the Jazz ID. Many managed providers keep `sub` fixed to their own user ID. In that case, call a dedicated `/link-jazz-identity` endpoint immediately after sign-up, store the Jazz ID in provider metadata or your own database, and mint or refresh JWTs with `jazz_principal_id: <jazzId>`. Jazz uses `jazz_principal_id` as `session.user_id` when present and falls back to `sub` otherwise.
+Jazz uses the JWT `sub` claim as `session.user_id`. If your provider keeps `sub` fixed to its own user ID, add a `/link-jazz-identity` endpoint that stores the Jazz ID and mint the JWT with `sub: <jazzId>` yourself — either via a custom `getSubject` hook on your provider or by issuing the JWT directly.
 ## Under the hood
@@ -906,6 +955,7 @@ edit metadata. Use the attribution helpers for this:
   const syntheticSession = {
     user_id: "user_123",
+    authMode: "external" as const,
     claims: {},
   };
@@ -1516,6 +1566,7 @@ Every backend needs an app ID, typed schema, and usually a permissions bundle. I
     backendSecret,
     adminSecret,
     jwksUrl,
+    jwtPublicKey,
     allowLocalFirstAuth,
     env: "dev",
     userBranch: "main",
@@ -1551,7 +1602,7 @@ On the client side, queries automatically run as the logged-in user. On a server
 In TypeScript backends, create the context once with both `app` and `permissions`, then use `context.asBackend()` for server-owned work and `await context.forRequest(req)` when you need a bearer-JWT-scoped high-level `Db`.
-`forRequest` reads authentication from standard HTTP headers, so `req` can be any object that exposes them: Express, Hono, Fastify, or a Web Fetch API `Request` all work. Configure `jwksUrl` on `createJazzContext(...)` if those bearer tokens come from an external IdP. Without `jwksUrl`, backend `forRequest()` only accepts Jazz self-signed tokens; set `allowLocalFirstAuth: false` to disable those too.
+`forRequest` reads authentication from standard HTTP headers, so `req` can be any object that exposes them: Express, Hono, Fastify, or a Web Fetch API `Request` all work. Configure `jwksUrl` or `jwtPublicKey` on `createJazzContext(...)` if those bearer tokens come from an external IdP, but do not set both at once. Without either one, backend `forRequest()` only accepts Jazz self-signed tokens; set `allowLocalFirstAuth: false` to disable those too.
   For embedded or local-only runtime setups where your backend is not connected to a server, use
   `context.db()` to get an unscoped, unauthenticated handle. This allows read/write access to the
@@ -2313,6 +2364,7 @@ const context = createJazzContext({
   serverUrl: process.env.JAZZ_SERVER_URL,
   backendSecret: process.env.JAZZ_BACKEND_SECRET,
   jwksUrl: process.env.JAZZ_JWKS_URL,
+  jwtPublicKey: process.env.JAZZ_JWT_PUBLIC_KEY,
   allowLocalFirstAuth: process.env.JAZZ_ALLOW_LOCAL_FIRST_AUTH !== "false",
 });
@@ -2323,7 +2375,7 @@ const api = new Hono();
 - `app` is your typed schema export.
 - `permissions` is the server-side policy bundle.
 - `serverUrl` + `backendSecret` let request-scoped handles sync through a Jazz server.
-- `jwksUrl` verifies external JWTs inside `await context.forRequest(req)`. Without it, the backend only accepts Jazz self-signed tokens unless you set `allowLocalFirstAuth: false`.
+- `jwksUrl` or `jwtPublicKey` verifies external JWTs inside `await context.forRequest(req)`. Without either one, the backend only accepts Jazz self-signed tokens unless you set `allowLocalFirstAuth: false`.
 - `dataPath` controls where local server state persists.
 Each route handler awaits `context.forRequest(c.req)` to get a database handle with [permissions](/docs/auth/permissions) scoped to the request.
@@ -2435,8 +2487,8 @@ curl -X DELETE http://localhost:3000/api/todos/<id> \
   `forRequest` verifies the caller's bearer token inside the backend context. The token above is a
   Jazz self-signed dev token, which works because `allowLocalFirstAuth` defaults to `true`. If you
-  want to accept external JWTs from your auth provider, also set `jwksUrl` so the backend can verify
-  them via JWKS.
+  want to accept external JWTs from your auth provider, also set `jwksUrl` or `jwtPublicKey` so
+  the backend can verify them.
 ## Authentication
@@ -3103,7 +3155,7 @@ Jazz supports external JWT-based authentication for production use. This recipe
 1. The user signs in with your auth provider and gets a JWT.
 2. Your client passes that JWT to Jazz.
 3. The Jazz server validates the JWT signature against the provider's JWKS endpoint.
-4. On success, Jazz derives `session.user_id` from `jazz_principal_id` when present, otherwise from the JWT's `sub` claim.
+4. On success, Jazz uses the JWT's `sub` claim as `session.user_id`.
 If you're unfamiliar with JWTs and JWKS, see the [explainer on the Authentication page](/docs/auth/authentication#external-auth-for-production).
@@ -3250,7 +3302,7 @@ Any provider that issues JWTs and exposes a JWKS endpoint will work. The key pat
 | Auth0       | `https://<tenant>.auth0.com/.well-known/jwks.json`                                          | `auth0\|<id>`      |
 | Firebase    | `https://www.googleapis.com/service_accounts/v1/jwk/securetoken@system.gserviceaccount.com` | Firebase UID       |
-By default, the `sub` claim identifies the user. If your provider supports custom claims but keeps `sub` fixed to its own user ID, include `jazz_principal_id` in the JWT instead. Jazz uses `jazz_principal_id` as `session.user_id` when present and falls back to `sub` otherwise.
+Jazz uses the JWT `sub` claim as `session.user_id`. If your provider keeps `sub` fixed to its own user ID, mint the JWT with `sub` set to the Jazz user ID yourself — either via a custom `getSubject` hook on the provider or by issuing the JWT directly from your server.
 Full working examples: [Better Auth chat](https://github.com/garden-co/jazz/tree/main/examples/auth-betterauth-chat), [WorkOS chat](https://github.com/garden-co/jazz/tree/main/examples/auth-workos-chat).
@@ -3732,11 +3784,11 @@ See [Writing Data](/docs/writing/writing-data#write-durability-tiers) for detail
 Read durability controls when the **first result** of a query or subscription is delivered.
-| Option         | Values                               | Default        | What it does                                                                                                                                                                                                                                                                     |
-| -------------- | ------------------------------------ | -------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| Option         | Values                              | Default        | What it does                                                                                                                                                                                                                                                                     |
+| -------------- | ----------------------------------- | -------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
 | `tier`         | `"local"` \| `"edge"` \| `"global"` | Same as writes | How far the first result must come from before the query delivers.                                                                                                                                                                                                               |
-| `localUpdates` | `"immediate"` \| `"deferred"`        | `"immediate"`  | With `"immediate"`, your own local writes appear in the subscription while still waiting for the tier to confirm the initial snapshot. This only takes effect after the subscription has settled at least once. With `"deferred"`, all delivery is held until the tier confirms. |
-| `propagation`  | `"full"` \| `"local-only"`           | `"full"`       | With `"full"`, the subscription is sent to upstream servers, which push matching data back. With `"local-only"`, only local storage is queried&hairsp;—&hairsp;no server communication.                                                                                          |
+| `localUpdates` | `"immediate"` \| `"deferred"`       | `"immediate"`  | With `"immediate"`, your own local writes appear in the subscription while still waiting for the tier to confirm the initial snapshot. This only takes effect after the subscription has settled at least once. With `"deferred"`, all delivery is held until the tier confirms. |
+| `propagation`  | `"full"` \| `"local-only"`          | `"full"`       | With `"full"`, the subscription is sent to upstream servers, which push matching data back. With `"local-only"`, only local storage is queried&hairsp;—&hairsp;no server communication.                                                                                          |
 These options apply to:
@@ -5351,7 +5403,7 @@ When using `insertDurable`, `updateDurable`, or `deleteDurable`, you can pass a
 | Tier     | Resolves when                       | Default for    |
 | -------- | ----------------------------------- | -------------- |
-| `local` | Persisted to local OPFS             | Browser/client |
+| `local`  | Persisted to local OPFS             | Browser/client |
 | `edge`   | Acknowledged by nearest sync server | Backend/server |
 | `global` | Propagated to global core           | —              |
@@ -5445,4 +5497,4 @@ batch.update(app.todos, todoId, { done: true });
 console.log(batch.batchId());
 ```
-Both builders can also issue persisted writes, expose `localBatchRecord()` / `localBatchRecords()`, and let you acknowledge replayable rejections by batch id.
+Both builders can also issue persisted writes, expose `localBatchRecord()` / `localBatchRecords()`, and let you acknowledge replayable rejections by batch id.

package/bin/native/jazz-tools-darwin-arm64 CHANGED Viewed

Binary file

package/bin/native/jazz-tools-darwin-x64 CHANGED Viewed

Binary file

package/bin/native/jazz-tools-linux-arm64 CHANGED Viewed

Binary file

package/bin/native/jazz-tools-linux-x64 CHANGED Viewed

Binary file

package/dist/backend/create-jazz-context.d.ts CHANGED Viewed

@@ -1,3 +1,4 @@
+import type { JWK } from "jose";
 import type { WasmSchema } from "../drivers/types.js";
 import type { CompiledPermissions } from "../permissions/index.js";
 import { type RequestLike } from "../runtime/client.js";
@@ -10,6 +11,7 @@ export interface BackendQuerySchemaSource {
     _schema: WasmSchema;
 }
 export type BackendSchemaInput = WasmSchema | BackendSchemaSource | BackendQuerySchemaSource;
+export type BackendJwtPublicKey = JWK | string;
 export type BackendDriver = {
     type: "persistent";
     /** Path to the Fjall file used by the server runtime. */
@@ -33,6 +35,8 @@ export type BackendContextConfig = Omit<AppContext, "schema" | "driver" | "clien
     tier?: "local" | "edge" | "global";
     /** JWKS endpoint used to verify external bearer JWTs in `forRequest()`. */
     jwksUrl?: string;
+    /** Single JWK object or PEM/JWK string used to verify external bearer JWTs in `forRequest()`. */
+    jwtPublicKey?: BackendJwtPublicKey;
     /** Whether local-first bearer JWTs are accepted in `forRequest()`. Defaults to `true`. */
     allowLocalFirstAuth?: boolean;
 } & BackendContextSchemaConfig;

package/dist/backend/create-jazz-context.d.ts.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"create-jazz-context.d.ts","sourceRoot":"","sources":["../../src/backend/create-jazz-context.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,qBAAqB,CAAC;AAEtD,OAAO,KAAK,EAAE,mBAAmB,EAAE,MAAM,yBAAyB,CAAC;AACnE,OAAO,EAAc,KAAK,WAAW,EAAE,MAAM,sBAAsB,CAAC;AACpE,OAAO,KAAK,EAAE,UAAU,EAAE,OAAO,EAAE,MAAM,uBAAuB,CAAC;AACjE,OAAO,EAAsB,KAAK,EAAE,EAAiB,MAAM,kBAAkB,CAAC;AAI9E,MAAM,WAAW,mBAAmB;IAClC,UAAU,EAAE,UAAU,CAAC;CACxB;AAED,MAAM,WAAW,wBAAwB;IACvC,OAAO,EAAE,UAAU,CAAC;CACrB;AAED,MAAM,MAAM,kBAAkB,GAAG,UAAU,GAAG,mBAAmB,GAAG,wBAAwB,CAAC;~~AAE7F~~,MAAM,MAAM,aAAa,GACrB;IACE,IAAI,EAAE,YAAY,CAAC;IACnB,yDAAyD;IACzD,QAAQ,EAAE,MAAM,CAAC;CAClB,GACD;IACE,IAAI,EAAE,QAAQ,CAAC;CAChB,CAAC;AAEN,KAAK,0BAA0B,GAC3B;IACE,iDAAiD;IACjD,GAAG,EAAE,mBAAmB,CAAC;IACzB,iEAAiE;IACjE,WAAW,EAAE,mBAAmB,CAAC;CAClC,GACD;IACE,GAAG,CAAC,EAAE,SAAS,CAAC;IAChB,WAAW,CAAC,EAAE,SAAS,CAAC;CACzB,CAAC;AAEN,MAAM,MAAM,oBAAoB,GAAG,IAAI,CAAC,UAAU,EAAE,QAAQ,GAAG,QAAQ,GAAG,UAAU,GAAG,MAAM,CAAC,GAAG;IAC/F,uDAAuD;IACvD,MAAM,EAAE,aAAa,CAAC;IACtB,8CAA8C;IAC9C,IAAI,CAAC,EAAE,OAAO,GAAG,MAAM,GAAG,QAAQ,CAAC;IACnC,2EAA2E;IAC3E,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,0FAA0F;IAC1F,mBAAmB,CAAC,EAAE,OAAO,CAAC;CAC/B,GAAG,0BAA0B,CAAC;~~AA6C~~/B;;;;;;;GAOG;AACH,qBAAa,WAAW;IACtB,OAAO,CAAC,QAAQ,CAAC,MAAM,CAA+B;IACtD,OAAO,CAAC,QAAQ,CAAC,kBAAkB,CAAC,CAAqB;IACzD,OAAO,CAAC,qBAAqB,CAAC,CAAS;IACvC,OAAO,CAAC,OAAO,CAAC,CAAc;IAC9B,OAAO,CAAC,cAAc,CAAC,CAAa;gBAExB,MAAM,EAAE,oBAAoB;IASxC,OAAO,CAAC,aAAa;IAarB,OAAO,CAAC,YAAY;~~IA0DpB~~,OAAO,CAAC,aAAa;~~IAarB~~,OAAO,CAAC,MAAM;~~IAqBd~~;;OAEG;IACH,OAAO,CAAC,SAAS;IAmBjB;;OAEG;IACH,EAAE,CAAC,MAAM,CAAC,EAAE,kBAAkB,GAAG,EAAE;IAInC;;OAEG;IACH,SAAS,CAAC,MAAM,CAAC,EAAE,kBAAkB,GAAG,EAAE;IAI1C;;;OAGG;IACH,eAAe,CAAC,WAAW,EAAE,MAAM,EAAE,MAAM,CAAC,EAAE,kBAAkB,GAAG,EAAE;IAMrE;;;OAGG;IACH,OAAO,CAAC,6BAA6B;YAYvB,qBAAqB;~~IAQnC~~;;OAEG;IACG,UAAU,CAAC,OAAO,EAAE,WAAW,EAAE,MAAM,CAAC,EAAE,kBAAkB,GAAG,OAAO,CAAC,EAAE,CAAC;IAOhF;;;OAGG;IACH,yBAAyB,CAAC,OAAO,EAAE,OAAO,EAAE,MAAM,CAAC,EAAE,kBAAkB,GAAG,EAAE;IAM5E;;;OAGG;IACG,yBAAyB,CAAC,OAAO,EAAE,WAAW,EAAE,MAAM,CAAC,EAAE,kBAAkB,GAAG,OAAO,CAAC,EAAE,CAAC;IAI/F;;OAEG;IACH,UAAU,CAAC,OAAO,EAAE,OAAO,EAAE,MAAM,CAAC,EAAE,kBAAkB,GAAG,EAAE;IAM7D;;OAEG;IACH,KAAK,IAAI,IAAI;IAIb;;OAEG;IACG,QAAQ,IAAI,OAAO,CAAC,IAAI,CAAC;CAWhC;AAED,wBAAgB,iBAAiB,CAAC,MAAM,EAAE,oBAAoB,GAAG,WAAW,CAE3E"}
1	+ {"version":3,"file":"create-jazz-context.d.ts","sourceRoot":"","sources":["../../src/backend/create-jazz-context.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,GAAG,EAAE,MAAM,MAAM,CAAC;AAChC,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,qBAAqB,CAAC;AAEtD,OAAO,KAAK,EAAE,mBAAmB,EAAE,MAAM,yBAAyB,CAAC;AACnE,OAAO,EAAc,KAAK,WAAW,EAAE,MAAM,sBAAsB,CAAC;AACpE,OAAO,KAAK,EAAE,UAAU,EAAE,OAAO,EAAE,MAAM,uBAAuB,CAAC;AACjE,OAAO,EAAsB,KAAK,EAAE,EAAiB,MAAM,kBAAkB,CAAC;AAI9E,MAAM,WAAW,mBAAmB;IAClC,UAAU,EAAE,UAAU,CAAC;CACxB;AAED,MAAM,WAAW,wBAAwB;IACvC,OAAO,EAAE,UAAU,CAAC;CACrB;AAED,MAAM,MAAM,kBAAkB,GAAG,UAAU,GAAG,mBAAmB,GAAG,wBAAwB,CAAC;AAC7F,MAAM,MAAM,mBAAmB,GAAG,GAAG,GAAG,MAAM,CAAC;AAE/C,MAAM,MAAM,aAAa,GACrB;IACE,IAAI,EAAE,YAAY,CAAC;IACnB,yDAAyD;IACzD,QAAQ,EAAE,MAAM,CAAC;CAClB,GACD;IACE,IAAI,EAAE,QAAQ,CAAC;CAChB,CAAC;AAEN,KAAK,0BAA0B,GAC3B;IACE,iDAAiD;IACjD,GAAG,EAAE,mBAAmB,CAAC;IACzB,iEAAiE;IACjE,WAAW,EAAE,mBAAmB,CAAC;CAClC,GACD;IACE,GAAG,CAAC,EAAE,SAAS,CAAC;IAChB,WAAW,CAAC,EAAE,SAAS,CAAC;CACzB,CAAC;AAEN,MAAM,MAAM,oBAAoB,GAAG,IAAI,CAAC,UAAU,EAAE,QAAQ,GAAG,QAAQ,GAAG,UAAU,GAAG,MAAM,CAAC,GAAG;IAC/F,uDAAuD;IACvD,MAAM,EAAE,aAAa,CAAC;IACtB,8CAA8C;IAC9C,IAAI,CAAC,EAAE,OAAO,GAAG,MAAM,GAAG,QAAQ,CAAC;IACnC,2EAA2E;IAC3E,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,iGAAiG;IACjG,YAAY,CAAC,EAAE,mBAAmB,CAAC;IACnC,0FAA0F;IAC1F,mBAAmB,CAAC,EAAE,OAAO,CAAC;CAC/B,GAAG,0BAA0B,CAAC;AAmD/B;;;;;;;GAOG;AACH,qBAAa,WAAW;IACtB,OAAO,CAAC,QAAQ,CAAC,MAAM,CAA+B;IACtD,OAAO,CAAC,QAAQ,CAAC,kBAAkB,CAAC,CAAqB;IACzD,OAAO,CAAC,qBAAqB,CAAC,CAAS;IACvC,OAAO,CAAC,OAAO,CAAC,CAAc;IAC9B,OAAO,CAAC,cAAc,CAAC,CAAa;gBAExB,MAAM,EAAE,oBAAoB;IASxC,OAAO,CAAC,aAAa;IAarB,OAAO,CAAC,YAAY;IAqDpB,OAAO,CAAC,aAAa;IAYrB,OAAO,CAAC,MAAM;IAoBd;;OAEG;IACH,OAAO,CAAC,SAAS;IAmBjB;;OAEG;IACH,EAAE,CAAC,MAAM,CAAC,EAAE,kBAAkB,GAAG,EAAE;IAInC;;OAEG;IACH,SAAS,CAAC,MAAM,CAAC,EAAE,kBAAkB,GAAG,EAAE;IAI1C;;;OAGG;IACH,eAAe,CAAC,WAAW,EAAE,MAAM,EAAE,MAAM,CAAC,EAAE,kBAAkB,GAAG,EAAE;IAMrE;;;OAGG;IACH,OAAO,CAAC,6BAA6B;YAYvB,qBAAqB;IASnC;;OAEG;IACG,UAAU,CAAC,OAAO,EAAE,WAAW,EAAE,MAAM,CAAC,EAAE,kBAAkB,GAAG,OAAO,CAAC,EAAE,CAAC;IAOhF;;;OAGG;IACH,yBAAyB,CAAC,OAAO,EAAE,OAAO,EAAE,MAAM,CAAC,EAAE,kBAAkB,GAAG,EAAE;IAM5E;;;OAGG;IACG,yBAAyB,CAAC,OAAO,EAAE,WAAW,EAAE,MAAM,CAAC,EAAE,kBAAkB,GAAG,OAAO,CAAC,EAAE,CAAC;IAI/F;;OAEG;IACH,UAAU,CAAC,OAAO,EAAE,OAAO,EAAE,MAAM,CAAC,EAAE,kBAAkB,GAAG,EAAE;IAM7D;;OAEG;IACH,KAAK,IAAI,IAAI;IAIb;;OAEG;IACG,QAAQ,IAAI,OAAO,CAAC,IAAI,CAAC;CAWhC;AAED,wBAAgB,iBAAiB,CAAC,MAAM,EAAE,oBAAoB,GAAG,WAAW,CAE3E"}

package/dist/backend/create-jazz-context.js CHANGED Viewed

@@ -8,6 +8,9 @@ function assertValidBackendConfig(config) {
     if (config.driver.type === "memory" && !config.serverUrl) {
         throw new Error("driver.type='memory' requires serverUrl.");
     }
+    if (config.jwksUrl !== undefined && config.jwtPublicKey !== undefined) {
+        throw new Error("Backend auth config cannot set both jwksUrl and jwtPublicKey. Pick one external JWT verification mode.");
+    }
 }
 function isRecord(value) {
     return typeof value === "object" && value !== null;
@@ -81,7 +84,6 @@ export class JazzContext {
             appId: this.config.appId,
             schema,
             serverUrl: this.config.serverUrl,
-            serverPathPrefix: this.config.serverPathPrefix,
             env: this.config.env,
             userBranch: this.config.userBranch,
             jwtToken: this.config.jwtToken,
@@ -97,7 +99,7 @@ export class JazzContext {
                 backend_secret: this.config.backendSecret,
                 admin_secret: this.config.adminSecret,
                 jwt_token: this.config.jwtToken,
-            }, this.config.serverPathPrefix);
+            });
         }
         return this.clientInstance;
     }
@@ -106,7 +108,6 @@ export class JazzContext {
             appId: this.config.appId,
             driver: this.config.driver.type === "memory" ? { type: "memory" } : { type: "persistent" },
             serverUrl: this.config.serverUrl,
-            serverPathPrefix: this.config.serverPathPrefix,
             env: this.config.env,
             userBranch: this.config.userBranch,
             jwtToken: this.config.jwtToken,
@@ -116,8 +117,7 @@ export class JazzContext {
     wrapDb(client, session, attribution, backendScoped = false) {
         return createDbFromClient(this.buildDbConfig(), client, session, attribution, backendScoped
             ? {
-                status: "authenticated",
-                transport: "backend",
+                authMode: session?.authMode ?? "external",
                 session: session ?? null,
             }
             : undefined);
@@ -176,6 +176,7 @@ export class JazzContext {
         return await resolveRequestSession(request, {
             appId: this.config.appId,
             jwksUrl: this.config.jwksUrl,
+            jwtPublicKey: this.config.jwtPublicKey,
             allowLocalFirstAuth: this.config.allowLocalFirstAuth,
         });
     }

package/dist/backend/create-jazz-context.js.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"create-jazz-context.js","sourceRoot":"","sources":["../../src/backend/create-jazz-context.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,WAAW,EAAE,MAAM,WAAW,CAAC;~~AAExC~~,OAAO,EAAE,sBAAsB,EAAE,MAAM,2BAA2B,CAAC;AAEnE,OAAO,EAAE,UAAU,EAAoB,MAAM,sBAAsB,CAAC;AAEpE,OAAO,EAAE,kBAAkB,EAA0B,MAAM,kBAAkB,CAAC;AAC9E,OAAO,EAAE,8BAA8B,EAAE,MAAM,0BAA0B,CAAC;AAC1E,OAAO,EAAE,qBAAqB,EAAE,MAAM,mBAAmB,CAAC;~~AAiD1D~~,SAAS,wBAAwB,CAAC,MAA4B;IAC5D,IAAI,MAAM,CAAC,MAAM,CAAC,IAAI,KAAK,QAAQ,IAAI,CAAC,MAAM,CAAC,SAAS,EAAE,CAAC;QACzD,MAAM,IAAI,KAAK,CAAC,0CAA0C,CAAC,CAAC;IAC9D,CAAC;AACH,CAAC;AAED,SAAS,QAAQ,CAAC,KAAc;IAC9B,OAAO,OAAO,KAAK,KAAK,QAAQ,IAAI,KAAK,KAAK,IAAI,CAAC;AACrD,CAAC;AAED,SAAS,aAAa,CAAC,KAAc;IACnC,OAAO,QAAQ,CAAC,KAAK,CAAC,IAAI,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC;AACzD,CAAC;AAED,SAAS,YAAY,CAAC,KAAc;IAClC,OAAO,CACL,QAAQ,CAAC,KAAK,CAAC;QACf,CAAC,CAAC,SAAS,IAAI,KAAK,CAAC;QACrB,CAAC,CAAC,YAAY,IAAI,KAAK,CAAC;QACxB,MAAM,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,KAAK,CAAC,CAAC,KAAK,EAAE,EAAE,CAAC,aAAa,CAAC,KAAK,CAAC,CAAC,CAC5D,CAAC;AACJ,CAAC;AAED,SAAS,aAAa,CAAC,KAAyB;IAC9C,IAAI,YAAY,CAAC,KAAK,CAAC,EAAE,CAAC;QACxB,OAAO,KAAK,CAAC;IACf,CAAC;IACD,IAAI,QAAQ,CAAC,KAAK,CAAC,IAAI,SAAS,IAAI,KAAK,IAAI,YAAY,CAAC,KAAK,CAAC,OAAO,CAAC,EAAE,CAAC;QACzE,OAAO,KAAK,CAAC,OAAO,CAAC;IACvB,CAAC;IACD,IAAI,QAAQ,CAAC,KAAK,CAAC,IAAI,YAAY,IAAI,KAAK,IAAI,YAAY,CAAC,KAAK,CAAC,UAAU,CAAC,EAAE,CAAC;QAC/E,OAAO,KAAK,CAAC,UAAU,CAAC;IAC1B,CAAC;IAED,MAAM,IAAI,KAAK,CACb,sGAAsG,CACvG,CAAC;AACJ,CAAC;AAED;;;;;;;GAOG;AACH,MAAM,OAAO,WAAW;IACL,MAAM,CAA+B;IACrC,kBAAkB,CAAsB;IACjD,qBAAqB,CAAU;IAC/B,OAAO,CAAe;IACtB,cAAc,CAAc;IAEpC,YAAY,MAA4B;QACtC,wBAAwB,CAAC,MAAM,CAAC,CAAC;QACjC,IAAI,CAAC,MAAM,GAAG;YACZ,GAAG,MAAM;YACT,mBAAmB,EAAE,MAAM,CAAC,mBAAmB,IAAI,IAAI;SACxD,CAAC;QACF,IAAI,CAAC,kBAAkB,GAAG,MAAM,CAAC,GAAG,CAAC;IACvC,CAAC;IAEO,aAAa,CAAC,MAA2B;QAC/C,MAAM,QAAQ,GAAG,MAAM,IAAI,IAAI,CAAC,kBAAkB,CAAC;QACnD,IAAI,CAAC,QAAQ,EAAE,CAAC;YACd,MAAM,IAAI,KAAK,CACb,gJAAgJ,CACjJ,CAAC;QACJ,CAAC;QACD,MAAM,MAAM,GAAG,aAAa,CAAC,QAAQ,CAAC,CAAC;QACvC,OAAO,IAAI,CAAC,MAAM,CAAC,WAAW;YAC5B,CAAC,CAAC,8BAA8B,CAAC,MAAM,EAAE,IAAI,CAAC,MAAM,CAAC,WAAW,CAAC;YACjE,CAAC,CAAC,MAAM,CAAC;IACb,CAAC;IAEO,YAAY,CAAC,MAAkB;QACrC,MAAM,UAAU,GAAG,sBAAsB,CAAC,MAAM,EAAE;YAChD,kBAAkB,EAAE,IAAI,CAAC,MAAM,CAAC,WAAW,KAAK,SAAS;SAC1D,CAAC,CAAC;QACH,IAAI,CAAC,qBAAqB,GAAG,UAAU,CAAC;QACxC,MAAM,QAAQ,GAAG,IAAI,CAAC,MAAM,CAAC,IAAI,IAAI,MAAM,CAAC;QAE5C,IAAI,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC,IAAI,KAAK,YAAY,EAAE,CAAC;YAC7C,IAAI,CAAC,OAAO,GAAG,IAAI,WAAW,CAC5B,UAAU,EACV,IAAI,CAAC,MAAM,CAAC,KAAK,EACjB,IAAI,CAAC,MAAM,CAAC,GAAG,IAAI,KAAK,EACxB,IAAI,CAAC,MAAM,CAAC,UAAU,IAAI,MAAM,EAChC,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC,QAAQ,EAC3B,QAAQ,CACT,CAAC;QACJ,CAAC;aAAM,CAAC;YACN,IAAI,CAAC,OAAO,GAAG,WAAW,CAAC,QAAQ,CACjC,UAAU,EACV,IAAI,CAAC,MAAM,CAAC,KAAK,EACjB,IAAI,CAAC,MAAM,CAAC,GAAG,IAAI,KAAK,EACxB,IAAI,CAAC,MAAM,CAAC,UAAU,IAAI,MAAM,EAChC,QAAQ,CACT,CAAC;QACJ,CAAC;QAED,MAAM,OAAO,GAAe;YAC1B,KAAK,EAAE,IAAI,CAAC,MAAM,CAAC,KAAK;YACxB,MAAM;YACN,SAAS,EAAE,IAAI,CAAC,MAAM,CAAC,SAAS;YAChC,~~gBAAgB,EAAE,IAAI,CAAC,MAAM,CAAC,gBAAgB;YAC9C,~~GAAG,EAAE,IAAI,CAAC,MAAM,CAAC,GAAG;YACpB,UAAU,EAAE,IAAI,CAAC,MAAM,CAAC,UAAU;YAClC,QAAQ,EAAE,IAAI,CAAC,MAAM,CAAC,QAAQ;YAC9B,aAAa,EAAE,IAAI,CAAC,MAAM,CAAC,aAAa;YACxC,WAAW,EAAE,IAAI,CAAC,MAAM,CAAC,WAAW;YACpC,IAAI,EAAE,QAAQ;YACd,qBAAqB,EAAE,MAAM;SAC9B,CAAC;QAEF,IAAI,CAAC,cAAc,GAAG,UAAU,CAAC,kBAAkB,CAAC,IAAI,CAAC,OAAO,EAAE,OAAO,CAAC,CAAC;QAE3E,uEAAuE;QACvE,IAAI,IAAI,CAAC,MAAM,CAAC,SAAS,EAAE,CAAC;YAC1B,IAAI,CAAC,cAAc,CAAC,gBAAgB,~~CAClC~~,IAAI,CAAC,MAAM,CAAC,SAAS,~~EACrB~~;~~gBACE~~,cAAc,EAAE,IAAI,CAAC,MAAM,CAAC,aAAa;gBACzC,YAAY,EAAE,IAAI,CAAC,MAAM,CAAC,WAAW;gBACrC,SAAS,EAAE,IAAI,CAAC,MAAM,CAAC,QAAQ;aAChC,~~EACD,IAAI,~~CAAC,~~MAAM,~~CAAC~~,gBAAgB,CAC7B,CAAC~~;~~QACJ~~,CAAC;QAED,OAAO,IAAI,CAAC,cAAc,CAAC;IAC7B,CAAC;IAEO,aAAa;QACnB,OAAO;YACL,KAAK,EAAE,IAAI,CAAC,MAAM,CAAC,KAAK;YACxB,MAAM,EAAE,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC,IAAI,KAAK,QAAQ,CAAC,CAAC,CAAC,EAAE,IAAI,EAAE,QAAQ,EAAE,CAAC,CAAC,CAAC,EAAE,IAAI,EAAE,YAAY,EAAE;YAC1F,SAAS,EAAE,IAAI,CAAC,MAAM,CAAC,SAAS;YAChC,~~gBAAgB,EAAE,IAAI,CAAC,MAAM,CAAC,gBAAgB;YAC9C,~~GAAG,EAAE,IAAI,CAAC,MAAM,CAAC,GAAG;YACpB,UAAU,EAAE,IAAI,CAAC,MAAM,CAAC,UAAU;YAClC,QAAQ,EAAE,IAAI,CAAC,MAAM,CAAC,QAAQ;YAC9B,WAAW,EAAE,IAAI,CAAC,MAAM,CAAC,WAAW;SACrC,CAAC;IACJ,CAAC;IAEO,MAAM,CACZ,MAAkB,EAClB,OAAiB,EACjB,WAAoB,EACpB,aAAa,GAAG,KAAK;QAErB,OAAO,kBAAkB,CACvB,IAAI,CAAC,aAAa,EAAE,EACpB,MAAM,EACN,OAAO,EACP,WAAW,EACX,aAAa;YACX,CAAC,CAAC;gBACE,~~MAAM~~,EAAE,~~eAAe;gBACvB~~,~~SAAS,~~EAAE,~~SAAS~~;~~gBACpB~~,OAAO,EAAE,OAAO,IAAI,IAAI;aACzB;YACH,CAAC,CAAC,SAAS,CACd,CAAC;IACJ,CAAC;IAED;;OAEG;IACK,SAAS,CAAC,MAA2B;QAC3C,MAAM,MAAM,GAAG,IAAI,CAAC,aAAa,CAAC,MAAM,CAAC,CAAC;QAC1C,MAAM,UAAU,GAAG,sBAAsB,CAAC,MAAM,EAAE;YAChD,kBAAkB,EAAE,IAAI,CAAC,MAAM,CAAC,WAAW,KAAK,SAAS;SAC1D,CAAC,CAAC;QAEH,IAAI,CAAC,IAAI,CAAC,cAAc,EAAE,CAAC;YACzB,OAAO,IAAI,CAAC,YAAY,CAAC,MAAM,CAAC,CAAC;QACnC,CAAC;QAED,IAAI,IAAI,CAAC,qBAAqB,KAAK,UAAU,EAAE,CAAC;YAC9C,MAAM,IAAI,KAAK,CACb,4GAA4G,CAC7G,CAAC;QACJ,CAAC;QAED,OAAO,IAAI,CAAC,cAAc,CAAC;IAC7B,CAAC;IAED;;OAEG;IACH,EAAE,CAAC,MAA2B;QAC5B,OAAO,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,SAAS,CAAC,MAAM,CAAC,CAAC,CAAC;IAC7C,CAAC;IAED;;OAEG;IACH,SAAS,CAAC,MAA2B;QACnC,OAAO,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,SAAS,CAAC,MAAM,CAAC,CAAC,SAAS,EAAE,EAAE,SAAS,EAAE,SAAS,EAAE,IAAI,CAAC,CAAC;IACrF,CAAC;IAED;;;OAGG;IACH,eAAe,CAAC,WAAmB,EAAE,MAA2B;QAC9D,MAAM,MAAM,GAAG,IAAI,CAAC,SAAS,CAAC,MAAM,CAAC,CAAC;QACtC,IAAI,CAAC,6BAA6B,CAAC,MAAM,CAAC,CAAC;QAC3C,OAAO,IAAI,CAAC,MAAM,CAAC,MAAM,EAAE,SAAS,EAAE,WAAW,EAAE,IAAI,CAAC,CAAC;IAC3D,CAAC;IAED;;;OAGG;IACK,6BAA6B,CAAC,MAAkB;QACtD,IAAI,CAAC,IAAI,CAAC,MAAM,CAAC,SAAS,EAAE,CAAC;YAC3B,OAAO;QACT,CAAC;QACD,IAAI,CAAC,IAAI,CAAC,MAAM,CAAC,aAAa,EAAE,CAAC;YAC/B,MAAM,IAAI,KAAK,CACb,sFAAsF,CACvF,CAAC;QACJ,CAAC;QACD,MAAM,CAAC,SAAS,EAAE,CAAC;IACrB,CAAC;IAEO,KAAK,CAAC,qBAAqB,CAAC,OAAoB;QACtD,OAAO,MAAM,qBAAqB,CAAC,OAAO,EAAE;YAC1C,KAAK,EAAE,IAAI,CAAC,MAAM,CAAC,KAAK;YACxB,OAAO,EAAE,IAAI,CAAC,MAAM,CAAC,OAAO;YAC5B,mBAAmB,EAAE,IAAI,CAAC,MAAM,CAAC,mBAAmB;SACrD,CAAC,CAAC;IACL,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,UAAU,CAAC,OAAoB,EAAE,MAA2B;QAChE,MAAM,MAAM,GAAG,IAAI,CAAC,SAAS,CAAC,MAAM,CAAC,CAAC;QACtC,MAAM,OAAO,GAAG,MAAM,IAAI,CAAC,qBAAqB,CAAC,OAAO,CAAC,CAAC;QAC1D,IAAI,CAAC,6BAA6B,CAAC,MAAM,CAAC,CAAC;QAC3C,OAAO,IAAI,CAAC,MAAM,CAAC,MAAM,EAAE,OAAO,EAAE,SAAS,EAAE,IAAI,CAAC,CAAC;IACvD,CAAC;IAED;;;OAGG;IACH,yBAAyB,CAAC,OAAgB,EAAE,MAA2B;QACrE,MAAM,MAAM,GAAG,IAAI,CAAC,SAAS,CAAC,MAAM,CAAC,CAAC;QACtC,IAAI,CAAC,6BAA6B,CAAC,MAAM,CAAC,CAAC;QAC3C,OAAO,IAAI,CAAC,MAAM,CAAC,MAAM,EAAE,SAAS,EAAE,OAAO,CAAC,OAAO,EAAE,IAAI,CAAC,CAAC;IAC/D,CAAC;IAED;;;OAGG;IACH,KAAK,CAAC,yBAAyB,CAAC,OAAoB,EAAE,MAA2B;QAC/E,OAAO,IAAI,CAAC,yBAAyB,CAAC,MAAM,IAAI,CAAC,qBAAqB,CAAC,OAAO,CAAC,EAAE,MAAM,CAAC,CAAC;IAC3F,CAAC;IAED;;OAEG;IACH,UAAU,CAAC,OAAgB,EAAE,MAA2B;QACtD,MAAM,MAAM,GAAG,IAAI,CAAC,SAAS,CAAC,MAAM,CAAC,CAAC;QACtC,IAAI,CAAC,6BAA6B,CAAC,MAAM,CAAC,CAAC;QAC3C,OAAO,IAAI,CAAC,MAAM,CAAC,MAAM,EAAE,OAAO,EAAE,SAAS,EAAE,IAAI,CAAC,CAAC;IACvD,CAAC;IAED;;OAEG;IACH,KAAK;QACH,IAAI,CAAC,OAAO,EAAE,KAAK,EAAE,CAAC;IACxB,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,QAAQ;QACZ,MAAM,MAAM,GAAG,IAAI,CAAC,cAAc,CAAC;QAEnC,IAAI,CAAC,cAAc,GAAG,SAAS,CAAC;QAChC,IAAI,CAAC,OAAO,GAAG,SAAS,CAAC;QACzB,IAAI,CAAC,qBAAqB,GAAG,SAAS,CAAC;QAEvC,IAAI,MAAM,EAAE,CAAC;YACX,MAAM,MAAM,CAAC,QAAQ,EAAE,CAAC;QAC1B,CAAC;IACH,CAAC;CACF;AAED,MAAM,UAAU,iBAAiB,CAAC,MAA4B;IAC5D,OAAO,IAAI,WAAW,CAAC,MAAM,CAAC,CAAC;AACjC,CAAC"}
1	+ {"version":3,"file":"create-jazz-context.js","sourceRoot":"","sources":["../../src/backend/create-jazz-context.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,WAAW,EAAE,MAAM,WAAW,CAAC;AAGxC,OAAO,EAAE,sBAAsB,EAAE,MAAM,2BAA2B,CAAC;AAEnE,OAAO,EAAE,UAAU,EAAoB,MAAM,sBAAsB,CAAC;AAEpE,OAAO,EAAE,kBAAkB,EAA0B,MAAM,kBAAkB,CAAC;AAC9E,OAAO,EAAE,8BAA8B,EAAE,MAAM,0BAA0B,CAAC;AAC1E,OAAO,EAAE,qBAAqB,EAAE,MAAM,mBAAmB,CAAC;AAoD1D,SAAS,wBAAwB,CAAC,MAA4B;IAC5D,IAAI,MAAM,CAAC,MAAM,CAAC,IAAI,KAAK,QAAQ,IAAI,CAAC,MAAM,CAAC,SAAS,EAAE,CAAC;QACzD,MAAM,IAAI,KAAK,CAAC,0CAA0C,CAAC,CAAC;IAC9D,CAAC;IAED,IAAI,MAAM,CAAC,OAAO,KAAK,SAAS,IAAI,MAAM,CAAC,YAAY,KAAK,SAAS,EAAE,CAAC;QACtE,MAAM,IAAI,KAAK,CACb,wGAAwG,CACzG,CAAC;IACJ,CAAC;AACH,CAAC;AAED,SAAS,QAAQ,CAAC,KAAc;IAC9B,OAAO,OAAO,KAAK,KAAK,QAAQ,IAAI,KAAK,KAAK,IAAI,CAAC;AACrD,CAAC;AAED,SAAS,aAAa,CAAC,KAAc;IACnC,OAAO,QAAQ,CAAC,KAAK,CAAC,IAAI,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC;AACzD,CAAC;AAED,SAAS,YAAY,CAAC,KAAc;IAClC,OAAO,CACL,QAAQ,CAAC,KAAK,CAAC;QACf,CAAC,CAAC,SAAS,IAAI,KAAK,CAAC;QACrB,CAAC,CAAC,YAAY,IAAI,KAAK,CAAC;QACxB,MAAM,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,KAAK,CAAC,CAAC,KAAK,EAAE,EAAE,CAAC,aAAa,CAAC,KAAK,CAAC,CAAC,CAC5D,CAAC;AACJ,CAAC;AAED,SAAS,aAAa,CAAC,KAAyB;IAC9C,IAAI,YAAY,CAAC,KAAK,CAAC,EAAE,CAAC;QACxB,OAAO,KAAK,CAAC;IACf,CAAC;IACD,IAAI,QAAQ,CAAC,KAAK,CAAC,IAAI,SAAS,IAAI,KAAK,IAAI,YAAY,CAAC,KAAK,CAAC,OAAO,CAAC,EAAE,CAAC;QACzE,OAAO,KAAK,CAAC,OAAO,CAAC;IACvB,CAAC;IACD,IAAI,QAAQ,CAAC,KAAK,CAAC,IAAI,YAAY,IAAI,KAAK,IAAI,YAAY,CAAC,KAAK,CAAC,UAAU,CAAC,EAAE,CAAC;QAC/E,OAAO,KAAK,CAAC,UAAU,CAAC;IAC1B,CAAC;IAED,MAAM,IAAI,KAAK,CACb,sGAAsG,CACvG,CAAC;AACJ,CAAC;AAED;;;;;;;GAOG;AACH,MAAM,OAAO,WAAW;IACL,MAAM,CAA+B;IACrC,kBAAkB,CAAsB;IACjD,qBAAqB,CAAU;IAC/B,OAAO,CAAe;IACtB,cAAc,CAAc;IAEpC,YAAY,MAA4B;QACtC,wBAAwB,CAAC,MAAM,CAAC,CAAC;QACjC,IAAI,CAAC,MAAM,GAAG;YACZ,GAAG,MAAM;YACT,mBAAmB,EAAE,MAAM,CAAC,mBAAmB,IAAI,IAAI;SACxD,CAAC;QACF,IAAI,CAAC,kBAAkB,GAAG,MAAM,CAAC,GAAG,CAAC;IACvC,CAAC;IAEO,aAAa,CAAC,MAA2B;QAC/C,MAAM,QAAQ,GAAG,MAAM,IAAI,IAAI,CAAC,kBAAkB,CAAC;QACnD,IAAI,CAAC,QAAQ,EAAE,CAAC;YACd,MAAM,IAAI,KAAK,CACb,gJAAgJ,CACjJ,CAAC;QACJ,CAAC;QACD,MAAM,MAAM,GAAG,aAAa,CAAC,QAAQ,CAAC,CAAC;QACvC,OAAO,IAAI,CAAC,MAAM,CAAC,WAAW;YAC5B,CAAC,CAAC,8BAA8B,CAAC,MAAM,EAAE,IAAI,CAAC,MAAM,CAAC,WAAW,CAAC;YACjE,CAAC,CAAC,MAAM,CAAC;IACb,CAAC;IAEO,YAAY,CAAC,MAAkB;QACrC,MAAM,UAAU,GAAG,sBAAsB,CAAC,MAAM,EAAE;YAChD,kBAAkB,EAAE,IAAI,CAAC,MAAM,CAAC,WAAW,KAAK,SAAS;SAC1D,CAAC,CAAC;QACH,IAAI,CAAC,qBAAqB,GAAG,UAAU,CAAC;QACxC,MAAM,QAAQ,GAAG,IAAI,CAAC,MAAM,CAAC,IAAI,IAAI,MAAM,CAAC;QAE5C,IAAI,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC,IAAI,KAAK,YAAY,EAAE,CAAC;YAC7C,IAAI,CAAC,OAAO,GAAG,IAAI,WAAW,CAC5B,UAAU,EACV,IAAI,CAAC,MAAM,CAAC,KAAK,EACjB,IAAI,CAAC,MAAM,CAAC,GAAG,IAAI,KAAK,EACxB,IAAI,CAAC,MAAM,CAAC,UAAU,IAAI,MAAM,EAChC,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC,QAAQ,EAC3B,QAAQ,CACT,CAAC;QACJ,CAAC;aAAM,CAAC;YACN,IAAI,CAAC,OAAO,GAAG,WAAW,CAAC,QAAQ,CACjC,UAAU,EACV,IAAI,CAAC,MAAM,CAAC,KAAK,EACjB,IAAI,CAAC,MAAM,CAAC,GAAG,IAAI,KAAK,EACxB,IAAI,CAAC,MAAM,CAAC,UAAU,IAAI,MAAM,EAChC,QAAQ,CACT,CAAC;QACJ,CAAC;QAED,MAAM,OAAO,GAAe;YAC1B,KAAK,EAAE,IAAI,CAAC,MAAM,CAAC,KAAK;YACxB,MAAM;YACN,SAAS,EAAE,IAAI,CAAC,MAAM,CAAC,SAAS;YAChC,GAAG,EAAE,IAAI,CAAC,MAAM,CAAC,GAAG;YACpB,UAAU,EAAE,IAAI,CAAC,MAAM,CAAC,UAAU;YAClC,QAAQ,EAAE,IAAI,CAAC,MAAM,CAAC,QAAQ;YAC9B,aAAa,EAAE,IAAI,CAAC,MAAM,CAAC,aAAa;YACxC,WAAW,EAAE,IAAI,CAAC,MAAM,CAAC,WAAW;YACpC,IAAI,EAAE,QAAQ;YACd,qBAAqB,EAAE,MAAM;SAC9B,CAAC;QAEF,IAAI,CAAC,cAAc,GAAG,UAAU,CAAC,kBAAkB,CAAC,IAAI,CAAC,OAAO,EAAE,OAAO,CAAC,CAAC;QAE3E,uEAAuE;QACvE,IAAI,IAAI,CAAC,MAAM,CAAC,SAAS,EAAE,CAAC;YAC1B,IAAI,CAAC,cAAc,CAAC,gBAAgB,CAAC,IAAI,CAAC,MAAM,CAAC,SAAS,EAAE;gBAC1D,cAAc,EAAE,IAAI,CAAC,MAAM,CAAC,aAAa;gBACzC,YAAY,EAAE,IAAI,CAAC,MAAM,CAAC,WAAW;gBACrC,SAAS,EAAE,IAAI,CAAC,MAAM,CAAC,QAAQ;aAChC,CAAC,CAAC;QACL,CAAC;QAED,OAAO,IAAI,CAAC,cAAc,CAAC;IAC7B,CAAC;IAEO,aAAa;QACnB,OAAO;YACL,KAAK,EAAE,IAAI,CAAC,MAAM,CAAC,KAAK;YACxB,MAAM,EAAE,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC,IAAI,KAAK,QAAQ,CAAC,CAAC,CAAC,EAAE,IAAI,EAAE,QAAQ,EAAE,CAAC,CAAC,CAAC,EAAE,IAAI,EAAE,YAAY,EAAE;YAC1F,SAAS,EAAE,IAAI,CAAC,MAAM,CAAC,SAAS;YAChC,GAAG,EAAE,IAAI,CAAC,MAAM,CAAC,GAAG;YACpB,UAAU,EAAE,IAAI,CAAC,MAAM,CAAC,UAAU;YAClC,QAAQ,EAAE,IAAI,CAAC,MAAM,CAAC,QAAQ;YAC9B,WAAW,EAAE,IAAI,CAAC,MAAM,CAAC,WAAW;SACrC,CAAC;IACJ,CAAC;IAEO,MAAM,CACZ,MAAkB,EAClB,OAAiB,EACjB,WAAoB,EACpB,aAAa,GAAG,KAAK;QAErB,OAAO,kBAAkB,CACvB,IAAI,CAAC,aAAa,EAAE,EACpB,MAAM,EACN,OAAO,EACP,WAAW,EACX,aAAa;YACX,CAAC,CAAC;gBACE,QAAQ,EAAE,OAAO,EAAE,QAAQ,IAAI,UAAU;gBACzC,OAAO,EAAE,OAAO,IAAI,IAAI;aACzB;YACH,CAAC,CAAC,SAAS,CACd,CAAC;IACJ,CAAC;IAED;;OAEG;IACK,SAAS,CAAC,MAA2B;QAC3C,MAAM,MAAM,GAAG,IAAI,CAAC,aAAa,CAAC,MAAM,CAAC,CAAC;QAC1C,MAAM,UAAU,GAAG,sBAAsB,CAAC,MAAM,EAAE;YAChD,kBAAkB,EAAE,IAAI,CAAC,MAAM,CAAC,WAAW,KAAK,SAAS;SAC1D,CAAC,CAAC;QAEH,IAAI,CAAC,IAAI,CAAC,cAAc,EAAE,CAAC;YACzB,OAAO,IAAI,CAAC,YAAY,CAAC,MAAM,CAAC,CAAC;QACnC,CAAC;QAED,IAAI,IAAI,CAAC,qBAAqB,KAAK,UAAU,EAAE,CAAC;YAC9C,MAAM,IAAI,KAAK,CACb,4GAA4G,CAC7G,CAAC;QACJ,CAAC;QAED,OAAO,IAAI,CAAC,cAAc,CAAC;IAC7B,CAAC;IAED;;OAEG;IACH,EAAE,CAAC,MAA2B;QAC5B,OAAO,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,SAAS,CAAC,MAAM,CAAC,CAAC,CAAC;IAC7C,CAAC;IAED;;OAEG;IACH,SAAS,CAAC,MAA2B;QACnC,OAAO,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,SAAS,CAAC,MAAM,CAAC,CAAC,SAAS,EAAE,EAAE,SAAS,EAAE,SAAS,EAAE,IAAI,CAAC,CAAC;IACrF,CAAC;IAED;;;OAGG;IACH,eAAe,CAAC,WAAmB,EAAE,MAA2B;QAC9D,MAAM,MAAM,GAAG,IAAI,CAAC,SAAS,CAAC,MAAM,CAAC,CAAC;QACtC,IAAI,CAAC,6BAA6B,CAAC,MAAM,CAAC,CAAC;QAC3C,OAAO,IAAI,CAAC,MAAM,CAAC,MAAM,EAAE,SAAS,EAAE,WAAW,EAAE,IAAI,CAAC,CAAC;IAC3D,CAAC;IAED;;;OAGG;IACK,6BAA6B,CAAC,MAAkB;QACtD,IAAI,CAAC,IAAI,CAAC,MAAM,CAAC,SAAS,EAAE,CAAC;YAC3B,OAAO;QACT,CAAC;QACD,IAAI,CAAC,IAAI,CAAC,MAAM,CAAC,aAAa,EAAE,CAAC;YAC/B,MAAM,IAAI,KAAK,CACb,sFAAsF,CACvF,CAAC;QACJ,CAAC;QACD,MAAM,CAAC,SAAS,EAAE,CAAC;IACrB,CAAC;IAEO,KAAK,CAAC,qBAAqB,CAAC,OAAoB;QACtD,OAAO,MAAM,qBAAqB,CAAC,OAAO,EAAE;YAC1C,KAAK,EAAE,IAAI,CAAC,MAAM,CAAC,KAAK;YACxB,OAAO,EAAE,IAAI,CAAC,MAAM,CAAC,OAAO;YAC5B,YAAY,EAAE,IAAI,CAAC,MAAM,CAAC,YAAY;YACtC,mBAAmB,EAAE,IAAI,CAAC,MAAM,CAAC,mBAAmB;SACrD,CAAC,CAAC;IACL,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,UAAU,CAAC,OAAoB,EAAE,MAA2B;QAChE,MAAM,MAAM,GAAG,IAAI,CAAC,SAAS,CAAC,MAAM,CAAC,CAAC;QACtC,MAAM,OAAO,GAAG,MAAM,IAAI,CAAC,qBAAqB,CAAC,OAAO,CAAC,CAAC;QAC1D,IAAI,CAAC,6BAA6B,CAAC,MAAM,CAAC,CAAC;QAC3C,OAAO,IAAI,CAAC,MAAM,CAAC,MAAM,EAAE,OAAO,EAAE,SAAS,EAAE,IAAI,CAAC,CAAC;IACvD,CAAC;IAED;;;OAGG;IACH,yBAAyB,CAAC,OAAgB,EAAE,MAA2B;QACrE,MAAM,MAAM,GAAG,IAAI,CAAC,SAAS,CAAC,MAAM,CAAC,CAAC;QACtC,IAAI,CAAC,6BAA6B,CAAC,MAAM,CAAC,CAAC;QAC3C,OAAO,IAAI,CAAC,MAAM,CAAC,MAAM,EAAE,SAAS,EAAE,OAAO,CAAC,OAAO,EAAE,IAAI,CAAC,CAAC;IAC/D,CAAC;IAED;;;OAGG;IACH,KAAK,CAAC,yBAAyB,CAAC,OAAoB,EAAE,MAA2B;QAC/E,OAAO,IAAI,CAAC,yBAAyB,CAAC,MAAM,IAAI,CAAC,qBAAqB,CAAC,OAAO,CAAC,EAAE,MAAM,CAAC,CAAC;IAC3F,CAAC;IAED;;OAEG;IACH,UAAU,CAAC,OAAgB,EAAE,MAA2B;QACtD,MAAM,MAAM,GAAG,IAAI,CAAC,SAAS,CAAC,MAAM,CAAC,CAAC;QACtC,IAAI,CAAC,6BAA6B,CAAC,MAAM,CAAC,CAAC;QAC3C,OAAO,IAAI,CAAC,MAAM,CAAC,MAAM,EAAE,OAAO,EAAE,SAAS,EAAE,IAAI,CAAC,CAAC;IACvD,CAAC;IAED;;OAEG;IACH,KAAK;QACH,IAAI,CAAC,OAAO,EAAE,KAAK,EAAE,CAAC;IACxB,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,QAAQ;QACZ,MAAM,MAAM,GAAG,IAAI,CAAC,cAAc,CAAC;QAEnC,IAAI,CAAC,cAAc,GAAG,SAAS,CAAC;QAChC,IAAI,CAAC,OAAO,GAAG,SAAS,CAAC;QACzB,IAAI,CAAC,qBAAqB,GAAG,SAAS,CAAC;QAEvC,IAAI,MAAM,EAAE,CAAC;YACX,MAAM,MAAM,CAAC,QAAQ,EAAE,CAAC;QAC1B,CAAC;IACH,CAAC;CACF;AAED,MAAM,UAAU,iBAAiB,CAAC,MAA4B;IAC5D,OAAO,IAAI,WAAW,CAAC,MAAM,CAAC,CAAC;AACjC,CAAC"}

package/dist/backend/create-jazz-context.test.js CHANGED Viewed

@@ -150,6 +150,7 @@ describe("backend/create-jazz-context", () => {
         mocks.resolveRequestSession.mockResolvedValue({
             user_id: "u1",
             claims: {},
+            authMode: "external",
         });
     });
     it("BC-U01: lazily initializes runtime/client on first access", () => {
@@ -175,6 +176,21 @@ describe("backend/create-jazz-context", () => {
         });
         expect(mocks.runtimeCtor).toHaveBeenCalledWith(expect.any(String), "server-app", "dev", "main", "/tmp/jazz.db", "edge");
     });
+    it("BC-U01b: rejects configuring both jwksUrl and jwtPublicKey", () => {
+        expect(() => createJazzContext({
+            appId: "server-app",
+            app: { wasmSchema: SCHEMA_A },
+            permissions: {},
+            driver: { type: "persistent", dataPath: "/tmp/jazz.db" },
+            jwksUrl: "https://issuer.example/.well-known/jwks.json",
+            jwtPublicKey: {
+                kty: "oct",
+                kid: "static-kid",
+                alg: "HS256",
+                k: "c3RhdGljLXNlY3JldA",
+            },
+        })).toThrow(/jwksUrl.*jwtPublicKey|jwtPublicKey.*jwksUrl/i);
+    });
     it("BC-U02: supports high-level db/backend/request/session/attribution helpers", async () => {
         const context = createJazzContext({
             appId: "server-app",
@@ -187,7 +203,7 @@ describe("backend/create-jazz-context", () => {
         const req = {
             header: (name) => name === "authorization" ? `Bearer ${makeJwt({ sub: "u1" })}` : undefined,
         };
-        const session = { user_id: "u1", claims: {} };
+        const session = { user_id: "u1", claims: {}, authMode: "external" };
         const db = context.db();
         const backendDb = context.asBackend();
         const requestDb = await context.forRequest(req);
@@ -206,7 +222,7 @@ describe("backend/create-jazz-context", () => {
         expect(requestDb).toEqual({
             kind: "scoped-db",
             client: mocks.clients[0],
-            session: { user_id: "u1", claims: {} },
+            session: { user_id: "u1", claims: {}, authMode: "external" },
         });
         expect(sessionDb).toEqual({
             kind: "scoped-db",
@@ -253,7 +269,7 @@ describe("backend/create-jazz-context", () => {
         const req = {
             header: (name) => name === "authorization" ? `Bearer ${makeJwt({ sub: "u1" })}` : undefined,
         };
-        const session = { user_id: "u1", claims: {} };
+        const session = { user_id: "u1", claims: {}, authMode: "external" };
         await expect(context.forRequest(req)).resolves.toBeDefined();
         expect(() => context.forSession(session)).not.toThrow();
         expect(() => context.withAttribution("u2")).not.toThrow();
@@ -280,6 +296,36 @@ describe("backend/create-jazz-context", () => {
             allowLocalFirstAuth: false,
         });
     });
+    it("BC-U03c: forwards jwtPublicKey into request session resolution", async () => {
+        const context = createJazzContext({
+            appId: "server-app",
+            app: { wasmSchema: SCHEMA_A },
+            permissions: {},
+            driver: { type: "persistent", dataPath: "/tmp/jazz.db" },
+            jwtPublicKey: {
+                kty: "oct",
+                kid: "static-kid",
+                alg: "HS256",
+                k: "c3RhdGljLXNlY3JldA",
+            },
+            allowLocalFirstAuth: false,
+        });
+        const req = {
+            header: (name) => name === "authorization" ? `Bearer ${makeJwt({ sub: "u1" })}` : undefined,
+        };
+        await context.forRequest(req);
+        expect(mocks.resolveRequestSession).toHaveBeenCalledWith(req, {
+            appId: "server-app",
+            jwksUrl: undefined,
+            jwtPublicKey: {
+                kty: "oct",
+                kid: "static-kid",
+                alg: "HS256",
+                k: "c3RhdGljLXNlY3JldA",
+            },
+            allowLocalFirstAuth: false,
+        });
+    });
     it("BC-U04: merges compiled permissions into the runtime schema", () => {
         const context = createJazzContext({
             appId: "server-app",