kasy-cli 1.19.3 → 1.20.1

package/lib/scaffold/backends/supabase/deploy.js

@@ -197,6 +197,51 @@ async function enableGoogleSignIn(projectRef, webClientId, clientSecret) {
   }
 }
 
+/**
+ * Enable Apple Sign-In on the Supabase project via Management API.
+ *
+ * For native iOS sign-in (signInWithIdToken) Supabase validates the ID token's
+ * audience against external_apple_client_id, a comma-separated list of allowed
+ * client IDs. For a native iOS app that audience is the app's bundle ID, so we
+ * set it there. No secret is required for native sign-in; external_apple_secret
+ * is only needed for the web OAuth flow (Sign in with Apple JS), which requires
+ * an Apple Developer Service ID and is configured manually later.
+ *
+ * Note: external_apple_additional_client_ids is NOT used here. The Management API
+ * only appends it onto external_apple_client_id on write and always returns it as
+ * null on read, which makes the configured value impossible to verify.
+ *
+ * @param {string} projectRef
+ * @param {string} bundleId - iOS bundle identifier (e.g. com.acme.app)
+ */
+async function enableAppleSignIn(projectRef, bundleId) {
+  if (!bundleId) return { ok: false, error: 'bundleId is required' };
+  const token = await getSupabaseAccessToken();
+  if (!token) return { ok: false, error: 'Could not retrieve Supabase access token' };
+  const payload = JSON.stringify({
+    external_apple_enabled: true,
+    external_apple_client_id: bundleId,
+  });
+  const result = await run(
+    `curl -s -X PATCH "https://api.supabase.com/v1/projects/${projectRef}/config/auth" ` +
+    `-H "Authorization: Bearer ${token}" ` +
+    `-H "Content-Type: application/json" ` +
+    `-d '${payload}'`,
+    process.cwd()
+  );
+  if (!result.ok) return { ok: false, error: result.error };
+  try {
+    const data = JSON.parse(result.stdout);
+    const allowedIds = String(data.external_apple_client_id || '')
+      .split(',')
+      .map((s) => s.trim());
+    if (data.external_apple_enabled === true && allowedIds.includes(bundleId)) return { ok: true };
+    return { ok: false, error: data.message || JSON.stringify(data) };
+  } catch {
+    return { ok: false, error: 'Could not parse Management API response' };
+  }
+}
+
 /**
  * Configure auth settings via Supabase Management API:
  *  - Enable anonymous sign-in
@@ -386,12 +431,13 @@ async function createProjectAndGetKeys(projectName, dbPassword, region = 'sa-eas
 
 /**
  * Setup linked project: init, link, db push, anonymous sign-in, Google Sign-In,
- * functions deploy, secrets.
+ * Apple Sign-In, functions deploy, secrets.
  * Run AFTER generate.
  * @param {object} secrets - { rcWebhookKey, metaAccessToken, metaDatasetId, firebaseProjectId }
- * @param {object} google  - { webClientId, clientSecret } — optional, configures Google OAuth
+ * @param {object} google  - { webClientId, clientSecret } - optional, configures Google OAuth
+ * @param {object} apple   - { bundleId } - optional, enables native iOS Apple Sign-In
  */
-async function setupLinkedProject(projectDir, projectRef, dbPassword, secrets = {}, google = {}) {
+async function setupLinkedProject(projectDir, projectRef, dbPassword, secrets = {}, google = {}, apple = {}) {
   const steps = [];
 
   const init = await ensureSupabaseInit(projectDir);
@@ -413,6 +459,12 @@ async function setupLinkedProject(projectDir, projectRef, dbPassword, secrets =
     steps.push({ name: 'google sign-in', ok: googleResult.ok, detail: googleResult.error });
   }
 
+  // Enable native iOS Apple Sign-In if a bundle ID was provided (no secret needed).
+  if (apple.bundleId) {
+    const appleResult = await enableAppleSignIn(projectRef, apple.bundleId);
+    steps.push({ name: 'apple sign-in', ok: appleResult.ok, detail: appleResult.error });
+  }
+
   // Always deploy all edge functions (send-push-notification, revenuecat-webhook, etc.)
   const fnResult = await deployFunctions(projectDir);
   if (Array.isArray(fnResult)) {
@@ -473,6 +525,7 @@ module.exports = {
   setupLinkedProject,
   enableAnonymousSignIn,
   enableGoogleSignIn,
+  enableAppleSignIn,
   checkLoggedIn,
   getOrgsList,
   getProjectsByOrg,

package/lib/scaffold/backends/supabase/patch/lib/core/data/api/storage_api.dart

@@ -11,24 +11,18 @@ final storageApiProvider = Provider<StorageApi>(
   ),
 );
 
-class StorageApi {
-  StorageApi();
-
-  /// upload a file to firebase storage
-  /// and return a stream of the upload progress
+abstract class StorageApi {
+  /// upload a file to storage and return a stream of the upload progress
   Stream<UploadResult> uploadData(
     Uint8List data,
     String folder,
     String filename, {
     String? mimeType, // ex 'image/jpg'
     bool isPublic = true,
-  }) async* {
-    throw UnimplementedError();
-  }
+  });
 
-  Future<void> deleteFile(String? imagePath) {
-    throw UnimplementedError();
-  }
+  /// request to delete a file from path
+  Future<void> deleteFile(String? path);
 }
 
 class SupabaseStorageApi implements StorageApi {

package/lib/scaffold/backends/supabase/patch/lib/core/data/entities/user_entity.dart

@@ -29,7 +29,7 @@ class Credentials {
   final String id;
   // session access token — used internally for session tracking
   // Supabase manages token refresh automatically via SupabaseClient
-  final String token;
+  final String? token;
 
   Credentials({
     required this.id,
@@ -42,7 +42,7 @@ class Credentials {
     }
     return Credentials(
       id: json['id']! as String,
-      token: json['token'] as String? ?? '',
+      token: json['token'] as String?,
     );
   }
 }

package/lib/scaffold/backends/supabase/patch/lib/features/notifications/api/device_api.dart

@@ -99,12 +99,18 @@ class FirebaseDeviceApi implements DeviceApi {
         }
       }
       final token = await _messaging.getToken();
+      if (token == null) {
+        throw ApiError(
+          code: 0,
+          message: 'FCM token is null — check Firebase setup and notification permissions',
+        );
+      }
       final os = Platform.isAndroid
           ? OperatingSystem.android //
           : OperatingSystem.ios;
       return DeviceEntity(
         installationId: installationId,
-        token: token!,
+        token: token,
         operatingSystem: os,
         creationDate: DateTime.now(),
         lastUpdateDate: DateTime.now(),
@@ -289,6 +295,7 @@ class FirebaseDeviceApi implements DeviceApi {
   }
 
   Future<String?> getIpAddress() async {
+    if (kIsWeb) return null;
     try {
       // First, try to find a public IP in network interfaces
       final interfaces = await io.NetworkInterface.list();
@@ -333,6 +340,29 @@ class FirebaseDeviceApi implements DeviceApi {
   /// Returns a map with all device information
   @override
   Future<Map<String, String>> fetchDeviceProperties() async {
+    // On web there is no native device layer (no NetworkInterface, no Platform):
+    // return static values so the app works as a PWA without throwing at runtime.
+    if (kIsWeb) {
+      final webLocale = PlatformDispatcher.instance.locale.toLanguageTag().replaceAll('-', '_');
+      return {
+        'appLongVersion': '',
+        'osVersion': 'web',
+        'deviceModel': 'browser',
+        'deviceLocale': webLocale,
+        'timezone': '',
+        'carrier': '',
+        'screenWidth': '',
+        'screenHeight': '',
+        'screenDensity': '',
+        'cpuCores': '',
+        'storageSize': '',
+        'freeStorage': '',
+        'deviceTimezone': '',
+        'mobileAdvertiserId': '',
+        'anonymousFbId': '',
+        'clientIpAddress': '',
+      };
+    }
     try {
       final deviceInfo = DeviceInfoPlugin();
       final packageInfo = await PackageInfo.fromPlatform();

package/lib/scaffold/backends/supabase/patch/lib/features/onboarding/api/entities/user_info_entity.dart

@@ -18,7 +18,7 @@ sealed class UserInfoEntity with _$UserInfoEntity {
     @JsonKey(name: 'user_id') required String userId,
     @JsonKey(name: 'info_key') required String key,
     @JsonKey(name: 'info_value') required String value,
-  }) = SubscriptionEntityData;
+  }) = UserInfoEntityData;
 
   factory UserInfoEntity.fromJson(Map<String, Object?> json) =>
       _$UserInfoEntityFromJson(json);

package/lib/scaffold/backends/supabase/patch/lib/features/subscription/api/entities/subscription_entity.dart

@@ -21,7 +21,7 @@ sealed class SubscriptionEntity with _$SubscriptionEntity {
   const factory SubscriptionEntity({
     @JsonKey(includeIfNull: false) String? id,
     @JsonKey(name: 'user_id') String? userId,
-    @JsonKey(name: 'offer_id') required String offerId,
+    @JsonKey(name: 'offer_id') String? offerId,
     @JsonKey(name: 'sku_id') required String skuId,
     @JsonKey(name: 'creation_date') DateTime? creationDate,
     @JsonKey(name: 'last_update_date') DateTime? lastUpdateDate,

package/lib/scaffold/backends/supabase/pubspec.yaml.tpl

@@ -52,6 +52,7 @@ dependencies:
   intl: ^0.20.2
   jiffy: ^6.4.4
   json_annotation: ^4.9.0
+  local_auth: ^3.0.1
   logger: ^2.6.2
   lucide_icons_flutter: ^3.1.10
   mixpanel_flutter: ^2.5.0
@@ -73,6 +74,7 @@ dependencies:
   universal_html: ^2.3.0
   universal_io: ^2.3.1
   url_launcher: ^6.3.2
+  web: ^1.1.1
 
 dev_dependencies:
   build_runner: ^2.11.1

package/lib/scaffold/catalog.js

@@ -50,12 +50,12 @@ const FEATURE_CATALOG = [
   { id: 'revenuecat',          displayName: 'RevenueCat',             status: 'public',   availableIn: ['firebase', 'supabase', 'api'], defaultInPresets: ['saas', 'full'], enhances: 'subscription' },
   // features
   { id: 'onboarding',          displayName: 'Onboarding',             status: 'public',   availableIn: ['firebase', 'supabase', 'api'], defaultInPresets: ['starter', 'saas', 'content', 'full'] },
-  { id: 'web',                 displayName: 'Web Support (PWA)',      status: 'public',   availableIn: ['firebase'],                    defaultInPresets: [], tag: 'firebaseOnly' },
+  { id: 'web',                 displayName: 'Web Support (PWA)',      status: 'public',   availableIn: ['firebase', 'supabase', 'api'], defaultInPresets: ['full'] },
   { id: 'widget',              displayName: 'Home Widget',            status: 'public',   availableIn: ['firebase', 'supabase', 'api'], defaultInPresets: ['full'] },
   { id: 'llm_chat',            displayName: 'AI Chat',                status: 'public',   availableIn: ['firebase', 'supabase', 'api'], defaultInPresets: ['content', 'full'] },
   { id: 'local_notifications', displayName: 'Local Reminders',        status: 'public',   availableIn: ['firebase', 'supabase', 'api'], defaultInPresets: [] },
   // feedback (Firebase/Supabase only)
-  { id: 'feedback',            displayName: 'Feature Requests',       status: 'public',   availableIn: ['firebase', 'supabase'],        defaultInPresets: ['saas', 'full'], tag: 'requiresDb' },
+  { id: 'feedback',            displayName: 'Feature Requests',       status: 'public',   availableIn: ['firebase', 'supabase', 'api'], defaultInPresets: ['saas', 'full'], tag: 'requiresDb' },
   // ci/cd
   { id: 'ci',                  displayName: 'CI/CD',                  status: 'public',   availableIn: ['firebase', 'supabase', 'api'], defaultInPresets: ['full'] },
 ];

package/lib/scaffold/engine.js

@@ -41,6 +41,11 @@ const ALWAYS_EXCLUDE_BASENAMES = new Set([
   'google-services.json',   // Firebase Android config — client must generate their own
   'GoogleService-Info.plist', // Firebase iOS config — client must generate their own
   'firebase_options_dev.dart', // Dev Firebase options — internal only
+  'firebase_options.dart',  // Kit's own Firebase options — dead code in generated
+                            // projects (main.dart imports firebase_options_dev.dart,
+                            // which flutterfire regenerates per-user). Shipping it
+                            // would leak the kit's project id (fir-kit-8e56b) into
+                            // every generated app. Never copy it.
 ]);
 
 // File extensions that may contain generated Dart code — skip these

package/lib/scaffold/generate.js

@@ -48,6 +48,7 @@ const {
   writeEnvExample,
   writeEnvFileIfMissing,
   writeFirebaserc,
+  cleanFirebaseJsonKitRefs,
   writeFeaturesConfig,
   writeKitSetup,
   writeMakefile,
@@ -57,6 +58,7 @@ const {
   removeFacebookSigninFromAuthPages,
   removeAndroidFacebookMetadata,
   writeNoOpAdminHomeWidgets,
+  patchLanguageSwitcherNoWidget,
   writeNoOpFeatureRequestRepository,
   writeNoOpSubscriptionStubs,
   writeNoOpSentryUsages,
@@ -66,7 +68,7 @@ const {
   removeDevelopmentTeam,
   localizeReleaseDocs,
 } = require('./shared/generator-utils');
-const { pubGet, slangGenerate, buildRunner, dartFix, flutterfireConfigure, writeGoogleAuthOptions, writeGoogleIosUrlScheme, patchFirebaseServiceWorker } = require('./shared/post-build');
+const { pubGet, slangGenerate, buildRunner, dartFix, flutterfireConfigure, writeGoogleAuthOptions, writeGoogleIosUrlScheme, patchFirebaseServiceWorker, deployFirestoreRules } = require('./shared/post-build');
 const { FIREBASE_SOURCE_DIR } = require('./shared/backend-config');
 
 /**
@@ -263,6 +265,9 @@ async function generateProject(targetDir, backend, options, hooks = {}) {
     // (imports home_widget_mywidget_service which only exists when widget is selected)
     if (!modules.includes('widget')) {
       await writeNoOpAdminHomeWidgets(targetDir);
+      // The language switcher pushes locale changes to the home widget — strip
+      // that hook so it doesn't reference the (now absent) widget provider.
+      await patchLanguageSwitcherNoWidget(targetDir);
       // Remove Android native widget files and unregister the receiver from the manifest
       // so the widget does not appear in the Android widget picker when not selected
       await removeAndroidWidgetArtifacts(targetDir, bundleId);
@@ -340,8 +345,10 @@ async function generateProject(targetDir, backend, options, hooks = {}) {
       });
     }
 
-    // iOS: register REVERSED_CLIENT_ID as a URL scheme in ios/Runner/Info.plist
-    if (!deferGoogleAuthPatches) {
+    // iOS: register REVERSED_CLIENT_ID as a URL scheme in ios/Runner/Info.plist.
+    // Skip for Supabase — REVERSED_CLIENT_ID isn't present until Google Sign-In is
+    // enabled later in new.js; that flow calls writeGoogleIosUrlSchemeFromClientId instead.
+    if (backend !== 'supabase' && !deferGoogleAuthPatches) {
       const iosSchemeResult = await writeGoogleIosUrlScheme(targetDir);
       steps.push({
         name: 'google-ios-url-scheme',
@@ -362,6 +369,19 @@ async function generateProject(targetDir, backend, options, hooks = {}) {
   }
 
   await writeFirebaserc(targetDir, firebaseProjectId);
+  // Drop the stale firebase.json entry that still points at the kit project
+  // (the dead lib/firebase_options.dart we no longer ship).
+  await cleanFirebaseJsonKitRefs(targetDir);
+
+  // Deploy Firestore security rules so the app works immediately after
+  // `kasy new` without needing `kasy deploy` first. Fast (<30s), billing-free.
+  // Without this the project gets Firebase's default deny-all rules, causing
+  // every Firestore read to throw permission-denied and the app to log the user out.
+  if (firebaseProjectId) {
+    onProgress('firestore-rules');
+    const rulesResult = await deployFirestoreRules(targetDir, firebaseProjectId);
+    steps.push({ name: 'firestore-rules', ok: rulesResult.ok, detail: rulesResult.ok ? null : rulesResult.error });
+  }
 
   // ── 3. Post-build específico do backend ────────────────────────────────────
   if (postBuild) {