npm - kasy-cli - Versions diffs - 1.31.14 → 1.34.0 - Mend

kasy-cli 1.31.14 → 1.34.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (127) hide show

package/lib/commands/new.js CHANGED Viewed

@@ -44,8 +44,10 @@ const { generateApiProject } = require('../scaffold/backends/api/generator');
 const { createProjectAndGetKeys, setupLinkedProject, checkLoggedIn, getOrgsList, getProjectsByOrg, getProjectKeys, classifyCreateError } = require('../scaffold/backends/supabase/deploy');
 const { writeSupabaseGoogleAuthOptions, readSupabaseGoogleCredentials, getGoogleClientSecretViaGcloud, flutterfireConfigure, writeGoogleAuthOptions, ensureGoogleServiceInfoPlist, writeGoogleIosUrlScheme, writeGoogleIosUrlSchemeFromClientId } = require('../scaffold/shared/post-build');
 const { toPackageName } = require('../scaffold/backends/firebase/tokens');
-const { setupFromScratch, setupExistingProject, listBillingAccounts, listGcpOrganizations, checkGcloudAuth, getFirebaseAccount, getGcloudInstallInstructions, enableAuthProviders, ensureFirebaseAuthInitialized, registerDebugSha1 } = require('../scaffold/backends/firebase/setup-from-scratch');
+const { setupFromScratch, setupExistingProject, listBillingAccounts, listGcpOrganizations, checkGcloudAuth, getFirebaseAccount, getGcloudInstallInstructions, enableAuthProviders, ensureFirebaseAuthInitialized, authorizeLocalhostForProject, registerDebugSha1 } = require('../scaffold/backends/firebase/setup-from-scratch');
 const { enableAuthViaFirebaseCli } = require('../scaffold/backends/firebase/enable-auth-via-cli');
+const { autoApplyAppleWebIfCached } = require('./apple-web');
+const { autoApplyFacebookIfCached } = require('./facebook');
 const { createFcmServiceAccountKey } = require('../scaffold/shared/fcm-service-account');
 // Default region for creating Supabase projects via the API.
@@ -481,7 +483,7 @@ function printCreateFromScratchStatus(result, tr) {
   }
 }
-function printSuccessCard(tr, answers, targetDir) {
+function printSuccessCard(tr, answers, targetDir, appleWebStatus = null, facebookStatus = null) {
   const folderName = path.basename(targetDir);
   const lines = [];
@@ -509,6 +511,27 @@ function printSuccessCard(tr, answers, targetDir) {
     }
   }
+  if (appleWebStatus === 'configured') {
+    lines.push(paintLime(`✓ ${tr('new.success.appleWeb.configured')}`));
+    lines.push('');
+  } else if (appleWebStatus === 'pending') {
+    lines.push(kleur.yellow(`! ${tr('new.success.appleWeb.pending')}`));
+    lines.push('');
+  }
+  if (facebookStatus === 'configured') {
+    lines.push(paintLime(`✓ ${tr('new.success.facebook.configured')}`));
+    lines.push('');
+  } else if (facebookStatus === 'pending') {
+    lines.push(kleur.yellow(`! ${tr('new.success.facebook.pending')}`));
+    lines.push('');
+  }
+  if (answers.backend === 'api') {
+    lines.push(kleur.yellow(`! ${tr('new.success.api.serverContracts')}`));
+    lines.push('');
+  }
   lines.push(kleur.bold(tr('new.success.nextSteps')));
   lines.push('');
@@ -1827,6 +1850,15 @@ async function runNew(directory, { language: langHint = null, backend: backendHi
       // Supabase setup runs in fcmOnly mode, which intentionally leaves Firebase
       // Auth untouched, so initialize it here (idempotent) before the deploy.
       await ensureFirebaseAuthInitialized(answers.firebaseProjectId);
+      // Web Google sign-in on Supabase brokers the Google ID token through the
+      // Firebase popup (signInWithPopup), which only runs from an authorized
+      // domain. fcmOnly setup skips the authorizedDomains step, so localhost is
+      // missing here and the web popup dies with [firebase_auth/unauthorized-domain].
+      // Add it best-effort now that auth is initialized. Native (mobile) is unaffected.
+      const localhostDomains = await authorizeLocalhostForProject(answers.firebaseProjectId);
+      if (!localhostDomains.ok) {
+        ui.log.warn(tr('new.google.localhostDomainWarn'));
+      }
       const cliResult = await enableAuthViaFirebaseCli({
         projectDir: targetDir,
         projectId: answers.firebaseProjectId,
@@ -2104,7 +2136,37 @@ async function runNew(directory, { language: langHint = null, backend: backendHi
   // APNs key (iOS push) is intentionally not mentioned here — it only becomes
   // relevant when shipping to iOS, and the docs at kasy.dev/docs/apns explain it.
-  printSuccessCard(tr, answers, targetDir);
+  // Apple web: auto-configure if the developer saved credentials on a previous
+  // project; otherwise it stays pending and the success card points to the command.
+  let appleWebStatus = null;
+  try {
+    const aw = await autoApplyAppleWebIfCached(targetDir);
+    if (aw.applied) {
+      appleWebStatus = 'configured';
+      ui.log.success(tr('new.appleWeb.autoConfigured'));
+    } else if (aw.pending) {
+      appleWebStatus = 'pending';
+    }
+  } catch (_) {
+    // Non-fatal: web Apple is optional and can be configured later.
+  }
+  // Facebook: auto-configure if it's enabled in the project and credentials were
+  // saved on a previous project; otherwise pending and the card points to the command.
+  let facebookStatus = null;
+  try {
+    const fb = await autoApplyFacebookIfCached(targetDir);
+    if (fb.applied) {
+      facebookStatus = 'configured';
+      ui.log.success(tr('new.facebook.autoConfigured'));
+    } else if (fb.pending) {
+      facebookStatus = 'pending';
+    }
+  } catch (_) {
+    // Non-fatal: Facebook is optional and can be configured later.
+  }
+  printSuccessCard(tr, answers, targetDir, appleWebStatus, facebookStatus);
   ui.outro(kleur.bold(tr('new.success.title')));
 }

package/lib/scaffold/CHANGELOG.json CHANGED Viewed

@@ -1,4 +1,31 @@
 {
+  "1.34.0": {
+    "modules": {
+      "core": {
+        "pt": "Login com Facebook automatizado + Facebook na web (Firebase): novo comando `kasy facebook` guia os passos na Meta (abre o link), grava App ID + Client Token no iOS/Android e habilita o provedor no Firebase (Identity Toolkit) ou Supabase. No Firebase, o Facebook passa a funcionar na WEB (signInWithPopup) e o botão só aparece quando configurado (flag withFacebookWebSignin). Apple/Facebook na web no Supabase ficam como native-only (roadmap). Corrigido: o `kasy apple-web` agora liga o Apple web só no Firebase (não cria mais botão morto no Supabase). Credenciais ficam salvas e o `kasy new` aplica sozinho.",
+        "en": "Facebook Login automated + Facebook on web (Firebase): new `kasy facebook` command guides the Meta steps (opens the link), writes App ID + Client Token into iOS/Android and enables the provider on Firebase (Identity Toolkit) or Supabase. On Firebase, Facebook now works on the WEB (signInWithPopup) and the button only shows once configured (withFacebookWebSignin flag). Apple/Facebook on web for Supabase stay native-only (roadmap). Fixed: `kasy apple-web` now enables Apple web on Firebase only (no more dead button on Supabase). Credentials are cached and `kasy new` applies them automatically.",
+        "es": "Inicio de sesión con Facebook automatizado + Facebook en la web (Firebase): nuevo comando `kasy facebook` guía los pasos en Meta (abre el enlace), escribe App ID + Client Token en iOS/Android y habilita el proveedor en Firebase (Identity Toolkit) o Supabase. En Firebase, Facebook ahora funciona en la WEB (signInWithPopup) y el botón solo aparece cuando está configurado (flag withFacebookWebSignin). Apple/Facebook en la web para Supabase quedan como native-only (roadmap). Corregido: `kasy apple-web` ahora activa Apple web solo en Firebase (sin botón muerto en Supabase). Las credenciales se guardan y `kasy new` las aplica automáticamente."
+      }
+    }
+  },
+  "1.33.0": {
+    "modules": {
+      "core": {
+        "pt": "Login com Apple na WEB agora é automatizável (backend Firebase): novo comando `kasy apple-web` grava o codeFlowConfig (Service ID + Team ID + Key ID + .p8) no provedor Apple do Firebase, que re-assina o secret sozinho (não expira), reaproveitando suas credenciais salvas. Projetos Firebase novos já nascem com Apple web se você já configurou antes. O botão Apple na web só aparece quando funciona de verdade (sem botão morto); `kasy doctor` mostra se falta configurar. No Supabase, Apple na web é roadmap.",
+        "en": "Apple Sign-In on the WEB is now automatable (Firebase backend): new `kasy apple-web` command writes the codeFlowConfig (Service ID + Team ID + Key ID + .p8) into the Firebase Apple provider, which re-signs the secret itself (never expires), reusing your saved credentials. New Firebase projects ship web Apple ready if you configured it before. The web Apple button only shows when it actually works (no dead button); `kasy doctor` reports if it's pending. On Supabase, Apple on web is roadmap.",
+        "es": "El inicio de sesión con Apple en la WEB ahora es automatizable (backend Firebase): nuevo comando `kasy apple-web` escribe el codeFlowConfig (Service ID + Team ID + Key ID + .p8) en el proveedor Apple de Firebase, que vuelve a firmar el secret solo (no expira), reutilizando tus credenciales guardadas. Los proyectos Firebase nuevos vienen con Apple web listo si ya lo configuraste antes. El botón de Apple en la web solo aparece cuando funciona de verdad (sin botón muerto); `kasy doctor` indica si falta configurar. En Supabase, Apple en la web es roadmap."
+      }
+    }
+  },
+  "1.32.0": {
+    "modules": {
+      "core": {
+        "pt": "Proporção da web agora se adapta à largura real da janela: telas com escala alta do sistema (Windows em 125/150/175%) não ficam mais cortadas (sidebar/header), e o Mac continua igual. Ajuste só na web, nativo intocado.",
+        "en": "Web proportion now adapts to the real window width: high system-scale displays (Windows at 125/150/175%) no longer look cropped (sidebar/header), and Mac stays the same. Web-only, native untouched.",
+        "es": "La proporción en web ahora se adapta al ancho real de la ventana: pantallas con escala alta del sistema (Windows al 125/150/175%) ya no se ven recortadas (sidebar/header), y Mac queda igual. Solo en web, nativo intacto."
+      }
+    }
+  },
   "1.31.12": {
     "modules": {
       "core": {

package/lib/scaffold/backends/api/patch/README.md CHANGED Viewed

@@ -37,6 +37,7 @@ Ficam no `.vscode/launch.json` como variáveis de ambiente de build (`--dart-def
 | `RC_ANDROID_PROD_KEY` | RevenueCat | Dashboard RevenueCat → Apps → Google Play (chave `goog_`, usada automaticamente em Android físico) |
 | `SENTRY_DSN` | Sentry | Dashboard Sentry → Projeto → DSN |
 | `MIXPANEL_TOKEN` | Mixpanel | Dashboard Mixpanel → Configurações → Token |
+| `AI_CHAT_ENDPOINT` | IA Chat | URL do seu endpoint SSE de chat (ex.: `https://sua-api/ai-chat`) |
 Para atualizar, edite o `.vscode/launch.json`.
@@ -157,8 +158,92 @@ Formato de uma conversa (o "última mensagem" é desnormalizado para a lista fic
 ```
 Ao salvar uma mensagem, o servidor deve atualizar `updated_at`, `last_message_role` e
-`last_message_content` da conversa. O streaming da resposta da IA continua no endpoint
-`AI_CHAT_ENDPOINT` (SSE) — ele só recebe `message` + `history`, não persiste nada.
+`last_message_content` da conversa.
+### Endpoint: AI Chat (resposta em streaming)
+A resposta da IA é transmitida palavra a palavra via SSE por um endpoint separado,
+cuja URL vem do `--dart-define=AI_CHAT_ENDPOINT=...` (quadro de credenciais acima).
+Este endpoint **não persiste nada** — só faz o proxy para o provedor (OpenAI/Gemini)
+e devolve o texto em stream. A chave do provedor fica **só no servidor**.
+```
+POST {AI_CHAT_ENDPOINT}
+  Auth: Authorization: Bearer <token>   (enviado automaticamente pelo app)
+  Content-Type: application/json
+  body:
+  {
+    "message": "última mensagem do usuário",
+    "history": [ { "role": "user" | "assistant", "content": "..." } ]
+  }
+  200 OK  (text/event-stream)
+  → devolva o texto da resposta em chunks (stream); o app concatena e renderiza
+    em tempo real. Mantenha a chave da IA (OPENAI/GEMINI) apenas no servidor.
+```
+Se `AI_CHAT_ENDPOINT` não estiver definido, o chat mostra o estado "não configurado"
+(o app não quebra). Referência pronta: a Edge Function `ai-chat` do backend Supabase.
+---
+## Excluir conta
+O app chama um endpoint para o usuário excluir a própria conta. **É obrigatório
+para publicar na App Store e na Play Store**, então o seu backend precisa implementá-lo.
+```
+DELETE /users/me
+  Auth: Authorization: Bearer <token>   (identifica o usuário; enviado pelo app)
+  O servidor DEVE:
+   1. Apagar o usuário do sistema de auth para que aquele login nunca mais entre.
+   2. Apagar em cascata TODOS os dados do usuário: perfil, devices/tokens de push,
+      conversas + mensagens de IA, votos de feature requests, assinaturas, avatar.
+  → responda 2xx em caso de sucesso.
+```
+Sem esse endpoint, a exclusão de conta falha silenciosamente (404/405) num projeto
+API novo.
+---
+## Notificações push (FCM)
+Push **nativo (Android/iOS)** depende do seu servidor: o app registra o token do
+device e o seu backend envia via **FCM HTTP v1**. Na **web**, push é no-op de propósito
+(o app não registra token e não tenta enviar — só mostra as notificações que já existem).
+A chave de Service Account do Firebase foi salva pelo `kasy new` em
+`.kasy/fcm-service-account.json`. Carregue-a no servidor (ex.: variável
+`FIREBASE_SERVICE_ACCOUNT_JSON`) e use-a para chamar a FCM HTTP v1. Referência pronta
+de implementação: a Edge Function `send-push-notification` do backend Supabase.
+### Endpoints: devices (tokens de push)
+```
+POST   /users/{userId}/devices                          → registra/atualiza um device (body com token, platform, etc.)
+PUT    /devices/{deviceId}                               → atualiza um device existente
+DELETE /devices/{deviceId}                               → remove um device
+PATCH  /users/{userId}/devices/{installationId}/touch    → marca o device como ativo agora (last-seen)
+POST   /users/{userId}/devices/cleanup-stale             → remove devices antigos/inválidos
+DELETE /users/{userId}/devices                           → remove todos os devices do usuário (ex.: no logout)
+```
+### Endpoints: notifications
+```
+GET    /users/{userId}/notifications?page=&pageSize=     → lista paginada, mais recente primeiro
+PUT    /users/{userId}/notifications/{id}                → marca como lida
+DELETE /users/{userId}/notifications/{id}                → apaga uma notificação
+GET    /users/{userId}/notifications/unread              → SSE: stream da contagem de não-lidas (alimenta a "bolinha")
+POST   /users/{userId}/notifications                     → cria/envia para UM usuário (body: title, body, image_url?, data.route?, type)
+POST   /notifications/broadcast                          → envia para TODOS (mesmo body)
+```
+Todas exigem `Authorization: Bearer <token>` (enviado automaticamente). Ao criar uma
+notificação, o servidor persiste o registro **e** dispara o push via FCM para os devices
+do destinatário.
 ---

package/lib/scaffold/backends/api/patch/lib/features/authentication/api/authentication_api.dart CHANGED Viewed

@@ -3,6 +3,7 @@ import 'package:kasy_kit/core/data/api/http_client.dart';
 import 'package:kasy_kit/core/data/entities/user_entity.dart';
 import 'package:kasy_kit/features/authentication/api/authentication_api_interface.dart';
 import 'package:kasy_kit/features/authentication/repositories/exceptions/authentication_exceptions.dart';
+import 'package:flutter/foundation.dart' show kIsWeb;
 import 'package:flutter/services.dart' show PlatformException;
 import 'package:dio/dio.dart';
 import 'package:flutter_facebook_auth/flutter_facebook_auth.dart';
@@ -119,6 +120,15 @@ class HttpAuthenticationApi implements AuthenticationApi {
   @override
   Future<Credentials> signinWithGoogle() async {
+    // google_sign_in v7 authenticate() is unsupported on web (throws). The API
+    // backend is wire-it-yourself, so fail clearly instead of an opaque crash.
+    if (kIsWeb) {
+      throw UnimplementedError(
+        'Google sign-in on web is not wired for the API backend. Use '
+        'google_sign_in_web (renderButton) or a backend OAuth redirect, then '
+        'exchange the token with your API.',
+      );
+    }
     final googleSignIn = GoogleSignIn.instance;
     await googleSignIn.initialize(
       clientId: const String.fromEnvironment('GOOGLE_CLIENT_ID'),
@@ -153,6 +163,15 @@ class HttpAuthenticationApi implements AuthenticationApi {
   @override
   Future<Credentials> signinWithApple() async {
+    // Apple on web needs a paid Apple Service ID + secret and a backend token
+    // exchange; getAppleIDCredential crashes on web. The UI hides the Apple button
+    // on web; guard here too so a programmatic call fails clearly.
+    if (kIsWeb) {
+      throw UnimplementedError(
+        'Apple sign-in on web needs a paid Apple Service ID + secret and a backend '
+        'token exchange; it is not wired for the API backend.',
+      );
+    }
     late final AuthorizationCredentialAppleID credential;
     try {
       credential = await SignInWithApple.getAppleIDCredential(
@@ -212,6 +231,14 @@ class HttpAuthenticationApi implements AuthenticationApi {
   ///        POST /auth/link-google  {id_token, access_token}  → Credentials
   @override
   Future<Credentials> signupFromAnonymousWithGoogle() async {
+    // See signinWithGoogle: authenticate() is unsupported on web.
+    if (kIsWeb) {
+      throw UnimplementedError(
+        'Google sign-in on web is not wired for the API backend. Use '
+        'google_sign_in_web (renderButton) or a backend OAuth redirect, then '
+        'exchange the token with your API.',
+      );
+    }
     final googleSignIn = GoogleSignIn.instance;
     await googleSignIn.initialize(
       clientId: const String.fromEnvironment('GOOGLE_CLIENT_ID'),
@@ -242,6 +269,13 @@ class HttpAuthenticationApi implements AuthenticationApi {
   ///   POST /auth/link-apple  {identity_token, authorization_code}  → Credentials
   @override
   Future<Credentials> signupFromAnonymousWithApple() async {
+    // See signinWithApple: Apple on web is not wired for the API backend.
+    if (kIsWeb) {
+      throw UnimplementedError(
+        'Apple sign-in on web needs a paid Apple Service ID + secret and a backend '
+        'token exchange; it is not wired for the API backend.',
+      );
+    }
     late final AuthorizationCredentialAppleID credential;
     try {
       credential = await SignInWithApple.getAppleIDCredential(

package/lib/scaffold/backends/api/patch/lib/features/subscriptions/api/stripe_backend_api.dart CHANGED Viewed

@@ -38,6 +38,7 @@ class StripeBackendApi {
     String? successUrl,
     String? cancelUrl,
     String? locale,
+    bool? allowPromoCodes,
   }) async {
     final Response res = await _client.post(
       '/stripe/checkout-session',
@@ -46,16 +47,25 @@ class StripeBackendApi {
         if (successUrl != null) 'successUrl': successUrl,
         if (cancelUrl != null) 'cancelUrl': cancelUrl,
         if (locale != null) 'locale': locale,
+        if (allowPromoCodes != null) 'allowPromoCodes': allowPromoCodes,
       },
     );
     return (res.data as Map)['url'] as String;
   }
   /// Create a Customer Portal session (manage / cancel) and return its URL.
-  Future<String> createPortalSession({String? returnUrl}) async {
+  /// Pass [planSwitching] = true to auto-configure the portal with
+  /// upgrade/downgrade support (no manual Stripe dashboard setup needed).
+  Future<String> createPortalSession({
+    String? returnUrl,
+    bool? planSwitching,
+  }) async {
     final Response res = await _client.post(
       '/stripe/portal-session',
-      data: {if (returnUrl != null) 'returnUrl': returnUrl},
+      data: {
+        if (returnUrl != null) 'returnUrl': returnUrl,
+        if (planSwitching != null) 'planSwitching': planSwitching,
+      },
     );
     return (res.data as Map)['url'] as String;
   }

package/lib/scaffold/backends/firebase/setup-from-scratch.js CHANGED Viewed

@@ -743,6 +743,189 @@ async function ensureLocalhostAuthorizedDomains(projectId, token) {
   return { ok: true, added: missing };
 }
+/**
+ * Authorize localhost (and 127.0.0.1) on a project's Firebase Auth config,
+ * fetching the gcloud access token internally. Exported so callers that don't
+ * run the full setup (e.g. the Supabase backend, which sets up Firebase in
+ * fcmOnly mode and never reaches enableAuthProviders) can still authorize the
+ * domains the web Google popup needs. Best-effort: returns { ok, error } and
+ * never throws.
+ *
+ * @param {string} projectId
+ * @returns {{ ok: boolean, added?: string[], error?: string }}
+ */
+async function authorizeLocalhostForProject(projectId) {
+  let token;
+  try {
+    token = await getAccessToken();
+  } catch (_) {
+    return { ok: false, error: 'Could not get access token' };
+  }
+  return ensureLocalhostAuthorizedDomains(projectId, token);
+}
+/**
+ * Configure Apple Sign-In on Firebase for the WEB (and the OAuth code flow) by
+ * writing the Apple provider's codeFlowConfig (Service ID + Team ID + Key ID +
+ * `.p8`) via the Identity Toolkit Admin v2 API. Once stored, Firebase re-signs the
+ * short-lived client secret itself, so it never expires.
+ *
+ * Existing bundleIds (used by the native iOS flow) are preserved and the project's
+ * own bundleId is merged in, so configuring web never breaks native.
+ *
+ * @param {object} opts
+ * @param {string} opts.projectId
+ * @param {string} opts.serviceId  - Apple Service ID (becomes the provider clientId)
+ * @param {string} opts.teamId
+ * @param {string} opts.keyId
+ * @param {string} opts.privateKey - PEM contents of the .p8
+ * @param {string} [opts.bundleId] - app bundle id to keep allowed for native sign-in
+ * @returns {{ ok: boolean, error?: string }}
+ */
+async function configureFirebaseAppleWeb({ projectId, serviceId, teamId, keyId, privateKey, bundleId }) {
+  if (!serviceId || !teamId || !keyId || !privateKey) {
+    return { ok: false, error: 'serviceId, teamId, keyId and privateKey are required' };
+  }
+  let token;
+  try {
+    token = await getAccessToken();
+  } catch (_) {
+    return { ok: false, error: 'Could not get access token' };
+  }
+  const headers = {
+    Authorization: `Bearer ${token}`,
+    'Content-Type': 'application/json',
+    'X-Goog-User-Project': projectId,
+  };
+  const base = `https://identitytoolkit.googleapis.com/admin/v2/projects/${projectId}/defaultSupportedIdpConfigs`;
+  // Read the current Apple config (if any) so we preserve the native bundleIds.
+  let existing = null;
+  try {
+    const getRes = await fetch(`${base}/apple.com`, { headers });
+    if (getRes.ok) existing = await getRes.json();
+  } catch (_) {
+    // No existing config (or transient) — we'll create it below.
+  }
+  const bundleIds = Array.from(
+    new Set([...(existing?.appleSignInConfig?.bundleIds || []), bundleId].filter(Boolean)),
+  );
+  const body = {
+    name: `projects/${projectId}/defaultSupportedIdpConfigs/apple.com`,
+    enabled: true,
+    clientId: serviceId,
+    appleSignInConfig: {
+      codeFlowConfig: { teamId, keyId, privateKey },
+      ...(bundleIds.length ? { bundleIds } : {}),
+    },
+  };
+  try {
+    if (existing) {
+      const res = await fetch(`${base}/apple.com?updateMask=enabled,clientId,appleSignInConfig`, {
+        method: 'PATCH',
+        headers,
+        body: JSON.stringify(body),
+      });
+      if (!res.ok) {
+        const text = await res.text();
+        return { ok: false, error: `PATCH failed (${res.status}): ${text.slice(0, 200)}` };
+      }
+    } else {
+      const res = await fetch(`${base}?idpId=apple.com`, {
+        method: 'POST',
+        headers,
+        body: JSON.stringify(body),
+      });
+      if (!res.ok) {
+        const text = await res.text();
+        // Raced with another writer — fall back to PATCH.
+        if (res.status === 409 || text.includes('ALREADY_EXISTS')) {
+          const patchRes = await fetch(`${base}/apple.com?updateMask=enabled,clientId,appleSignInConfig`, {
+            method: 'PATCH',
+            headers,
+            body: JSON.stringify(body),
+          });
+          if (!patchRes.ok) {
+            const t2 = await patchRes.text();
+            return { ok: false, error: `PATCH failed (${patchRes.status}): ${t2.slice(0, 200)}` };
+          }
+        } else {
+          return { ok: false, error: `POST failed (${res.status}): ${text.slice(0, 200)}` };
+        }
+      }
+    }
+  } catch (err) {
+    return { ok: false, error: `Network error: ${err.message}` };
+  }
+  return { ok: true };
+}
+/**
+ * Enable the Facebook provider on Firebase via the Identity Toolkit Admin v2 API.
+ * Needs the Meta App ID (clientId) + App Secret (clientSecret). The native App ID /
+ * Client Token live in Info.plist / strings.xml and are written separately.
+ *
+ * @param {object} opts - { projectId, appId, appSecret }
+ * @returns {{ ok: boolean, error?: string }}
+ */
+async function configureFirebaseFacebook({ projectId, appId, appSecret }) {
+  if (!appId || !appSecret) {
+    return { ok: false, error: 'appId and appSecret are required' };
+  }
+  let token;
+  try {
+    token = await getAccessToken();
+  } catch (_) {
+    return { ok: false, error: 'Could not get access token' };
+  }
+  const headers = {
+    Authorization: `Bearer ${token}`,
+    'Content-Type': 'application/json',
+    'X-Goog-User-Project': projectId,
+  };
+  const base = `https://identitytoolkit.googleapis.com/admin/v2/projects/${projectId}/defaultSupportedIdpConfigs`;
+  const body = {
+    name: `projects/${projectId}/defaultSupportedIdpConfigs/facebook.com`,
+    enabled: true,
+    clientId: appId,
+    clientSecret: appSecret,
+  };
+  try {
+    let res = await fetch(`${base}?idpId=facebook.com`, {
+      method: 'POST',
+      headers,
+      body: JSON.stringify(body),
+    });
+    if (!res.ok) {
+      const text = await res.text();
+      if (res.status === 409 || text.includes('ALREADY_EXISTS')) {
+        res = await fetch(`${base}/facebook.com?updateMask=enabled,clientId,clientSecret`, {
+          method: 'PATCH',
+          headers,
+          body: JSON.stringify(body),
+        });
+        if (!res.ok) {
+          const t2 = await res.text();
+          return { ok: false, error: `PATCH failed (${res.status}): ${t2.slice(0, 200)}` };
+        }
+      } else {
+        return { ok: false, error: `POST failed (${res.status}): ${text.slice(0, 200)}` };
+      }
+    }
+  } catch (err) {
+    return { ok: false, error: `Network error: ${err.message}` };
+  }
+  return { ok: true };
+}
 /**
  * Initialize Firebase Auth (Identity Platform) for a project. Brand-new projects
  * have no auth config, so any Admin v2 operation (PATCH /config, or the Firebase
@@ -1277,6 +1460,9 @@ module.exports = {
   enableAuthProviders,
   ensureFirebaseAuthInitialized,
   ensureLocalhostAuthorizedDomains,
+  authorizeLocalhostForProject,
+  configureFirebaseAppleWeb,
+  configureFirebaseFacebook,
   listBillingAccounts,
   listGcpOrganizations,
   checkGcloudAuth,

package/lib/scaffold/backends/supabase/deploy.js CHANGED Viewed

@@ -15,6 +15,7 @@ const path = require('node:path');
 const os = require('node:os');
 const fs = require('fs-extra');
 const { augmentedEnv } = require('../../../utils/env-tools');
+const { signAppleClientSecret } = require('../../../utils/apple-web');
 const execAsync = promisify(exec);
@@ -407,6 +408,95 @@ async function enableAppleSignIn(projectRef, bundleId) {
   return { ok: false, error: result.data.message || JSON.stringify(result.data) };
 }
+/**
+ * GET the current Supabase auth config (read-only). Used to merge values we must
+ * not clobber (e.g. the native bundle id already in external_apple_client_id).
+ */
+async function getSupabaseAuthConfig(projectRef, token) {
+  try {
+    const res = await fetch(`https://api.supabase.com/v1/projects/${projectRef}/config/auth`, {
+      headers: { Authorization: `Bearer ${token}` },
+    });
+    if (!res.ok) return null;
+    return await res.json();
+  } catch {
+    return null;
+  }
+}
+/**
+ * Enable Apple Sign-In on the WEB for Supabase.
+ *
+ * Unlike Firebase (which stores the .p8 and re-signs), Supabase stores a static,
+ * pre-signed client secret JWT that expires every ~6 months. We sign it here with
+ * the developer's `.p8` and write it as external_apple_secret. The Service ID is
+ * added to external_apple_client_id (the audience list) alongside the native bundle
+ * id, so both native iOS and the web OAuth flow validate.
+ *
+ * @param {string} projectRef
+ * @param {object} opts - { serviceId, teamId, keyId, privateKey, bundleId? }
+ * @returns {{ ok: boolean, error?: string, expiresAt?: number }}
+ */
+async function enableAppleWebSignIn(projectRef, { serviceId, teamId, keyId, privateKey, bundleId } = {}) {
+  if (!serviceId || !teamId || !keyId || !privateKey) {
+    return { ok: false, error: 'serviceId, teamId, keyId and privateKey are required' };
+  }
+  const token = await getSupabaseAccessToken();
+  if (!token) return { ok: false, error: 'Could not retrieve Supabase access token' };
+  let secret;
+  let expiresAt;
+  try {
+    ({ token: secret, expiresAt } = signAppleClientSecret({ serviceId, teamId, keyId, privateKey }));
+  } catch (err) {
+    return { ok: false, error: err.message };
+  }
+  // Merge the Service ID into the existing audience list without dropping the
+  // native bundle id the CLI set at creation.
+  const current = await getSupabaseAuthConfig(projectRef, token);
+  const existingIds = String(current?.external_apple_client_id || '')
+    .split(',')
+    .map((s) => s.trim())
+    .filter(Boolean);
+  const clientIds = Array.from(new Set([...existingIds, bundleId, serviceId].filter(Boolean))).join(',');
+  const result = await patchAuthConfig(projectRef, token, {
+    external_apple_enabled: true,
+    external_apple_client_id: clientIds,
+    external_apple_secret: secret,
+  });
+  if (!result.ok) return { ok: false, error: result.error };
+  if (result.data.external_apple_enabled === true) return { ok: true, expiresAt };
+  return { ok: false, error: result.data.message || JSON.stringify(result.data) };
+}
+/**
+ * Enable the Facebook provider on Supabase via the Management API.
+ * Needs the Meta App ID (client_id) + App Secret (secret). The native App ID /
+ * Client Token live in Info.plist / strings.xml and are written separately.
+ *
+ * @param {string} projectRef
+ * @param {object} opts - { appId, appSecret }
+ * @returns {{ ok: boolean, error?: string }}
+ */
+async function enableFacebookSignIn(projectRef, { appId, appSecret } = {}) {
+  if (!appId || !appSecret) {
+    return { ok: false, error: 'appId and appSecret are required' };
+  }
+  const token = await getSupabaseAccessToken();
+  if (!token) return { ok: false, error: 'Could not retrieve Supabase access token' };
+  const result = await patchAuthConfig(projectRef, token, {
+    external_facebook_enabled: true,
+    external_facebook_client_id: appId,
+    external_facebook_secret: appSecret,
+  });
+  if (!result.ok) return { ok: false, error: result.error };
+  if (result.data.external_facebook_enabled === true) return { ok: true };
+  return { ok: false, error: result.data.message || JSON.stringify(result.data) };
+}
 /**
  * Configure auth settings via Supabase Management API:
  *  - Enable anonymous sign-in
@@ -717,6 +807,8 @@ module.exports = {
   enableAnonymousSignIn,
   enableGoogleSignIn,
   enableAppleSignIn,
+  enableAppleWebSignIn,
+  enableFacebookSignIn,
   checkLoggedIn,
   getOrgsList,
   getProjectsByOrg,