npm - kasy-cli - Versions diffs - 1.32.0 → 1.35.0 - Mend

kasy-cli 1.32.0 → 1.35.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (169) hide show

package/lib/scaffold/backends/api/patch/lib/features/authentication/api/authentication_api_interface.dart CHANGED Viewed

@@ -73,6 +73,21 @@ abstract class AuthenticationApi implements OnStartService {
   /// Returns the display name of the current user, or null.
   Future<String?> getCurrentUserDisplayName();
+  /// Returns the photo URL of the current user, or null.
+  Future<String?> getCurrentUserPhotoUrl();
+  /// Returns all sign-in providers linked to the current account.
+  Future<List<String>> getLinkedProviders();
+  /// Sets or updates an email/password credential for the current user.
+  Future<void> setPassword(String password);
+  /// Social providers the current user can still link to their account.
+  Future<List<String>> linkableSocialProviders();
+  /// Links a social provider to the current account.
+  Future<void> linkSocialProvider(String provider);
 }
 class PhoneAlreadyLinkedException implements Exception {

package/lib/scaffold/backends/api/patch/lib/features/authentication/repositories/authentication_repository.dart CHANGED Viewed

@@ -99,6 +99,18 @@ abstract class AuthenticationRepository {
   /// Returns the display name of the current user, or null.
   Future<String?> getCurrentUserDisplayName();
+  /// Returns the photo URL of the current user, or null.
+  Future<String?> getCurrentUserPhotoUrl();
+  /// Returns the sign-in provider used ('google'|'apple'|'facebook'|'email'|'phone'), or null.
+  Future<List<String>> getLinkedProviders();
+  Future<void> setPassword(String password);
+  Future<List<String>> linkableSocialProviders();
+  Future<void> linkSocialProvider(String provider);
 }
 /// this is an example on how to create an authentication repository using firebase
@@ -403,4 +415,19 @@ class HttpAuthenticationRepository implements AuthenticationRepository {
   @override
   Future<String?> getCurrentUserDisplayName() => _authenticationApi.getCurrentUserDisplayName();
+  @override
+  Future<String?> getCurrentUserPhotoUrl() => _authenticationApi.getCurrentUserPhotoUrl();
+  @override
+  Future<List<String>> getLinkedProviders() => _authenticationApi.getLinkedProviders();
+  @override
+  Future<void> setPassword(String password) => _authenticationApi.setPassword(password);
+  @override
+  Future<List<String>> linkableSocialProviders() => _authenticationApi.linkableSocialProviders();
+  @override
+  Future<void> linkSocialProvider(String provider) => _authenticationApi.linkSocialProvider(provider);
 }

package/lib/scaffold/backends/api/patch/lib/features/subscriptions/api/entities/subscription_entity.dart CHANGED Viewed

@@ -36,6 +36,7 @@ sealed class SubscriptionEntity with _$SubscriptionEntity {
     @JsonKey(name: 'creation_date') DateTime? creationDate,
     @JsonKey(name: 'last_update_date') DateTime? lastUpdateDate,
     @JsonKey(name: 'period_end_date') DateTime? periodEndDate,
+    @JsonKey(name: 'trial_end') DateTime? trialEnd,
     @JsonKey(name: 'status') required SubscriptionStatus status,
     @JsonKey(name: 'store', unknownEnumValue: SubscriptionStore.unknown)
     SubscriptionStore? store,

package/lib/scaffold/backends/firebase/setup-from-scratch.js CHANGED Viewed

@@ -710,37 +710,51 @@ async function checkBillingEnabled(projectId) {
  * with only [localhost] would wipe firebaseapp.com / web.app. Idempotent: it's a
  * no-op when both entries are already present.
  *
+ * Right after a project's auth config is initialized, the Admin v2 config endpoint
+ * can briefly answer 403/404/409 before it settles (and a PATCH can 409 on a
+ * concurrent edit). Those are retried — re-reading each round so the merge stays
+ * correct; 400 and other client errors are treated as fatal. Best-effort: returns
+ * { ok: false } after exhausting retries instead of throwing.
+ *
+ * @param {string} projectId
+ * @param {string} token
+ * @param {{ maxRetries?: number, retryDelayMs?: number }} [opts]
  * @returns {{ ok: boolean, added?: string[], error?: string }}
  */
-async function ensureLocalhostAuthorizedDomains(projectId, token) {
+async function ensureLocalhostAuthorizedDomains(projectId, token, { maxRetries = 4, retryDelayMs = 4000 } = {}) {
   const base = `https://identitytoolkit.googleapis.com/admin/v2/projects/${projectId}/config`;
   const headers = {
     Authorization: `Bearer ${token}`,
     'Content-Type': 'application/json',
     'X-Goog-User-Project': projectId,
   };
-  // 1. Read the current authorized domains.
-  const getRes = await fetch(base, { headers });
-  if (!getRes.ok) {
-    const text = await getRes.text();
-    return { ok: false, error: `${getRes.status}: ${text}` };
-  }
-  const config = await getRes.json();
-  const current = Array.isArray(config.authorizedDomains) ? config.authorizedDomains : [];
   const required = ['localhost', '127.0.0.1'];
-  const missing = required.filter((d) => !current.includes(d));
-  if (missing.length === 0) return { ok: true, added: [] };
-  // 2. Merge and write back, keeping every domain that was already there.
-  const patchRes = await fetch(`${base}?updateMask=authorizedDomains`, {
-    method: 'PATCH',
-    headers,
-    body: JSON.stringify({ authorizedDomains: [...current, ...missing] }),
-  });
-  if (!patchRes.ok) {
-    const text = await patchRes.text();
-    return { ok: false, error: `${patchRes.status}: ${text}` };
+  const TRANSIENT = new Set([403, 404, 409, 429, 500, 503]);
+  let lastError = 'unknown';
+  for (let attempt = 1; attempt <= maxRetries; attempt++) {
+    // 1. Read the current authorized domains.
+    const getRes = await fetch(base, { headers });
+    if (!getRes.ok) {
+      lastError = `GET ${getRes.status}: ${await getRes.text()}`;
+      if (attempt < maxRetries && TRANSIENT.has(getRes.status)) { await sleep(retryDelayMs); continue; }
+      return { ok: false, error: lastError };
+    }
+    const config = await getRes.json();
+    const current = Array.isArray(config.authorizedDomains) ? config.authorizedDomains : [];
+    const missing = required.filter((d) => !current.includes(d));
+    if (missing.length === 0) return { ok: true, added: [] };
+    // 2. Merge and write back, keeping every domain that was already there.
+    const patchRes = await fetch(`${base}?updateMask=authorizedDomains`, {
+      method: 'PATCH',
+      headers,
+      body: JSON.stringify({ authorizedDomains: [...current, ...missing] }),
+    });
+    if (patchRes.ok) return { ok: true, added: missing };
+    lastError = `PATCH ${patchRes.status}: ${await patchRes.text()}`;
+    if (attempt < maxRetries && TRANSIENT.has(patchRes.status)) { await sleep(retryDelayMs); continue; }
+    return { ok: false, error: lastError };
   }
-  return { ok: true, added: missing };
+  return { ok: false, error: lastError };
 }
 /**
@@ -764,6 +778,168 @@ async function authorizeLocalhostForProject(projectId) {
   return ensureLocalhostAuthorizedDomains(projectId, token);
 }
+/**
+ * Configure Apple Sign-In on Firebase for the WEB (and the OAuth code flow) by
+ * writing the Apple provider's codeFlowConfig (Service ID + Team ID + Key ID +
+ * `.p8`) via the Identity Toolkit Admin v2 API. Once stored, Firebase re-signs the
+ * short-lived client secret itself, so it never expires.
+ *
+ * Existing bundleIds (used by the native iOS flow) are preserved and the project's
+ * own bundleId is merged in, so configuring web never breaks native.
+ *
+ * @param {object} opts
+ * @param {string} opts.projectId
+ * @param {string} opts.serviceId  - Apple Service ID (becomes the provider clientId)
+ * @param {string} opts.teamId
+ * @param {string} opts.keyId
+ * @param {string} opts.privateKey - PEM contents of the .p8
+ * @param {string} [opts.bundleId] - app bundle id to keep allowed for native sign-in
+ * @returns {{ ok: boolean, error?: string }}
+ */
+async function configureFirebaseAppleWeb({ projectId, serviceId, teamId, keyId, privateKey, bundleId }) {
+  if (!serviceId || !teamId || !keyId || !privateKey) {
+    return { ok: false, error: 'serviceId, teamId, keyId and privateKey are required' };
+  }
+  let token;
+  try {
+    token = await getAccessToken();
+  } catch (_) {
+    return { ok: false, error: 'Could not get access token' };
+  }
+  const headers = {
+    Authorization: `Bearer ${token}`,
+    'Content-Type': 'application/json',
+    'X-Goog-User-Project': projectId,
+  };
+  const base = `https://identitytoolkit.googleapis.com/admin/v2/projects/${projectId}/defaultSupportedIdpConfigs`;
+  // Read the current Apple config (if any) so we preserve the native bundleIds.
+  let existing = null;
+  try {
+    const getRes = await fetch(`${base}/apple.com`, { headers });
+    if (getRes.ok) existing = await getRes.json();
+  } catch (_) {
+    // No existing config (or transient) — we'll create it below.
+  }
+  const bundleIds = Array.from(
+    new Set([...(existing?.appleSignInConfig?.bundleIds || []), bundleId].filter(Boolean)),
+  );
+  const body = {
+    name: `projects/${projectId}/defaultSupportedIdpConfigs/apple.com`,
+    enabled: true,
+    clientId: serviceId,
+    appleSignInConfig: {
+      codeFlowConfig: { teamId, keyId, privateKey },
+      ...(bundleIds.length ? { bundleIds } : {}),
+    },
+  };
+  try {
+    if (existing) {
+      const res = await fetch(`${base}/apple.com?updateMask=enabled,clientId,appleSignInConfig`, {
+        method: 'PATCH',
+        headers,
+        body: JSON.stringify(body),
+      });
+      if (!res.ok) {
+        const text = await res.text();
+        return { ok: false, error: `PATCH failed (${res.status}): ${text.slice(0, 200)}` };
+      }
+    } else {
+      const res = await fetch(`${base}?idpId=apple.com`, {
+        method: 'POST',
+        headers,
+        body: JSON.stringify(body),
+      });
+      if (!res.ok) {
+        const text = await res.text();
+        // Raced with another writer — fall back to PATCH.
+        if (res.status === 409 || text.includes('ALREADY_EXISTS')) {
+          const patchRes = await fetch(`${base}/apple.com?updateMask=enabled,clientId,appleSignInConfig`, {
+            method: 'PATCH',
+            headers,
+            body: JSON.stringify(body),
+          });
+          if (!patchRes.ok) {
+            const t2 = await patchRes.text();
+            return { ok: false, error: `PATCH failed (${patchRes.status}): ${t2.slice(0, 200)}` };
+          }
+        } else {
+          return { ok: false, error: `POST failed (${res.status}): ${text.slice(0, 200)}` };
+        }
+      }
+    }
+  } catch (err) {
+    return { ok: false, error: `Network error: ${err.message}` };
+  }
+  return { ok: true };
+}
+/**
+ * Enable the Facebook provider on Firebase via the Identity Toolkit Admin v2 API.
+ * Needs the Meta App ID (clientId) + App Secret (clientSecret). The native App ID /
+ * Client Token live in Info.plist / strings.xml and are written separately.
+ *
+ * @param {object} opts - { projectId, appId, appSecret }
+ * @returns {{ ok: boolean, error?: string }}
+ */
+async function configureFirebaseFacebook({ projectId, appId, appSecret }) {
+  if (!appId || !appSecret) {
+    return { ok: false, error: 'appId and appSecret are required' };
+  }
+  let token;
+  try {
+    token = await getAccessToken();
+  } catch (_) {
+    return { ok: false, error: 'Could not get access token' };
+  }
+  const headers = {
+    Authorization: `Bearer ${token}`,
+    'Content-Type': 'application/json',
+    'X-Goog-User-Project': projectId,
+  };
+  const base = `https://identitytoolkit.googleapis.com/admin/v2/projects/${projectId}/defaultSupportedIdpConfigs`;
+  const body = {
+    name: `projects/${projectId}/defaultSupportedIdpConfigs/facebook.com`,
+    enabled: true,
+    clientId: appId,
+    clientSecret: appSecret,
+  };
+  try {
+    let res = await fetch(`${base}?idpId=facebook.com`, {
+      method: 'POST',
+      headers,
+      body: JSON.stringify(body),
+    });
+    if (!res.ok) {
+      const text = await res.text();
+      if (res.status === 409 || text.includes('ALREADY_EXISTS')) {
+        res = await fetch(`${base}/facebook.com?updateMask=enabled,clientId,clientSecret`, {
+          method: 'PATCH',
+          headers,
+          body: JSON.stringify(body),
+        });
+        if (!res.ok) {
+          const t2 = await res.text();
+          return { ok: false, error: `PATCH failed (${res.status}): ${t2.slice(0, 200)}` };
+        }
+      } else {
+        return { ok: false, error: `POST failed (${res.status}): ${text.slice(0, 200)}` };
+      }
+    }
+  } catch (err) {
+    return { ok: false, error: `Network error: ${err.message}` };
+  }
+  return { ok: true };
+}
 /**
  * Initialize Firebase Auth (Identity Platform) for a project. Brand-new projects
  * have no auth config, so any Admin v2 operation (PATCH /config, or the Firebase
@@ -1299,6 +1475,8 @@ module.exports = {
   ensureFirebaseAuthInitialized,
   ensureLocalhostAuthorizedDomains,
   authorizeLocalhostForProject,
+  configureFirebaseAppleWeb,
+  configureFirebaseFacebook,
   listBillingAccounts,
   listGcpOrganizations,
   checkGcloudAuth,

package/lib/scaffold/backends/patch-base-hashes.json ADDED Viewed

@@ -0,0 +1,66 @@
+{
+  "api/android/app/src/main/AndroidManifest.xml": "0579c57068ee50d43837ef9c7bee884b6232e92975301c8305ce389282f68291",
+  "api/ios/Runner/AppDelegate.swift": "9f1027a03ad1fef2dab45464fbd7e98364b6a9cb6d2a6abe770ee9c45fa19122",
+  "api/lib/core/data/api/storage_api.dart": "d77fecc6923ea9544b6ec20571dcab5c8f3d38be81ec618b0cf4f1b08be7bbae",
+  "api/lib/core/data/api/user_api.dart": "06f491ebf4548b87431e2d6983148f4082e120ec7d6a928108cba954d16d8c56",
+  "api/lib/core/data/entities/json_converters.dart": "92a5efd595a03a862fa03e77ab3ca3d556523d0c9e0daca6e296e35d24b760a8",
+  "api/lib/core/data/entities/user_entity.dart": "5c1e56e4be3ba2ed95cdcd276112a02b526f2a3fa7ee5bba08a3ec2b51153688",
+  "api/lib/environments.dart": "c41f0843a4d627b717579eec5607b7ff5c16369bdd4b2a82e081058a20ffb7a5",
+  "api/lib/features/ai_chat/api/ai_chat_api.dart": "749047d30390e8d624c5a17d421096b05651e28b34a42071a9b73efc71d0a5f7",
+  "api/lib/features/ai_chat/api/ai_chat_conversation_entity.dart": "1c4e4223e802d7fe8e93d9e7a09fcc6be81a41792d722e8b7e697837cde4737f",
+  "api/lib/features/ai_chat/api/ai_chat_message_entity.dart": "5aca4fdb5b1c38df04c9d377c6e6eeb6930ef85b2a32689fe6403e7cc7645373",
+  "api/lib/features/ai_chat/providers/ai_chat_notifier.dart": "f16ea3f3266e63a5591ceff9bc1900845f0b96e9bbbc5463ec6ab894f878eae3",
+  "api/lib/features/authentication/api/authentication_api_interface.dart": "ef9219237babd73e4b3ac148a24ebbbdf39ab98166d21f578c359074b528e5da",
+  "api/lib/features/authentication/api/authentication_api.dart": "8b460722bb3bee7eee015f34aaa39c1c97cb264df1024b2855060dac232c620a",
+  "api/lib/features/authentication/repositories/authentication_repository.dart": "8e98ca0d39df3aac1dab159e6bdfe8d2bbb8e43931459984eb4ecfb676698ca2",
+  "api/lib/features/feedbacks/api/entities/feature_request_entity.dart": "e72c683c7321bf1f3c19fc1c6d54c6964bd99970e87c9ff31d8918efa93f0090",
+  "api/lib/features/feedbacks/api/entities/feature_vote_entity.dart": "a13ccfc493d8f5277beffc8e28f77ec322ab0c0a56358c3669353206b7c6756b",
+  "api/lib/features/feedbacks/api/feature_request_api.dart": "a741395509b95e8cae135bc8bdcca1ba0d48785b1e1b201732219659d271346b",
+  "api/lib/features/feedbacks/api/feature_vote_api.dart": "89dcaeea29460a7f219c2ede3759707b45066272fe6837c29a40f3d79fade4e9",
+  "api/lib/features/notifications/api/device_api.dart": "0d6bccb6813cceec29c54220daac9d0cd35687c4fa9f10ffde07dad88b204ed3",
+  "api/lib/features/notifications/api/entities/device_entity.dart": "54fce6274c5fe60ba663d8693e0c9d88fd6cd6fcd9ec906e021621a2e51176b7",
+  "api/lib/features/notifications/api/entities/notifications_entity.dart": "f9ee62111a6f122657e105df317f1f5f803e3a525a96686c0a2728ff02cd8964",
+  "api/lib/features/notifications/api/notifications_api.dart": "30cdb1bc52c3249b2cda6b1c7eb7fb6a977db5744da5a9c2980784f41e75d9e7",
+  "api/lib/features/onboarding/api/entities/user_info_entity.dart": "cd5aabc68310025f3ab9676cab126e1f755431f9e8752f868ee9fcd6f5892ce2",
+  "api/lib/features/onboarding/api/user_infos_api.dart": "cf728bcef364259912ee1e87151c4f791faee0c0d49232c9af260bb5681bd429",
+  "api/lib/features/onboarding/models/user_info.dart": "946fd34a33b630a34a3b6248594cbca717f4fab9d23f669510145b9032bd1321",
+  "api/lib/features/onboarding/repositories/user_infos_repository.dart": "487a5177dcaed7f87e613b2b4f04329c4995274e6a52809d4917c037cb3c3c55",
+  "api/lib/features/settings/ui/components/admin/admin_users_api.dart": "0ffb232ffb193154c0366d6f7da0ca499b3e06fed4fd71af572b8dc53ecd844e",
+  "api/lib/features/settings/ui/widgets/avatar_utils.dart": "bb9126409bbbb245f2dec613bd096ac53c208a56bd55f3d2ab2599e43534904f",
+  "api/lib/features/subscriptions/api/entities/subscription_entity.dart": "20c1d75ed9d88acb96e94a592dcb4de0f63c792302ea07df53cebbdeb6d0cf7e",
+  "api/lib/features/subscriptions/api/stripe_backend_api.dart": "e370bd05211462f2fc94c69af1749eb5330f997e9ec5e73e5c4e119999bf666f",
+  "api/lib/features/subscriptions/api/subscription_api.dart": "c7484c9301d16245748025a3d420a89397e9e956b2211b7ed001c073ff2e4449",
+  "api/README.md": "1f30fc1ebf8fe02df6f3ee2f94c17f4bb4952abd5b125312d2c43eb6374eb354",
+  "supabase/android/app/src/main/AndroidManifest.xml": "0579c57068ee50d43837ef9c7bee884b6232e92975301c8305ce389282f68291",
+  "supabase/ios/Runner/AppDelegate.swift": "9f1027a03ad1fef2dab45464fbd7e98364b6a9cb6d2a6abe770ee9c45fa19122",
+  "supabase/lib/core/data/api/storage_api.dart": "d77fecc6923ea9544b6ec20571dcab5c8f3d38be81ec618b0cf4f1b08be7bbae",
+  "supabase/lib/core/data/api/user_api.dart": "06f491ebf4548b87431e2d6983148f4082e120ec7d6a928108cba954d16d8c56",
+  "supabase/lib/core/data/entities/json_converters.dart": "92a5efd595a03a862fa03e77ab3ca3d556523d0c9e0daca6e296e35d24b760a8",
+  "supabase/lib/core/data/entities/user_entity.dart": "5c1e56e4be3ba2ed95cdcd276112a02b526f2a3fa7ee5bba08a3ec2b51153688",
+  "supabase/lib/environments.dart": "c41f0843a4d627b717579eec5607b7ff5c16369bdd4b2a82e081058a20ffb7a5",
+  "supabase/lib/features/ai_chat/api/ai_chat_api.dart": "749047d30390e8d624c5a17d421096b05651e28b34a42071a9b73efc71d0a5f7",
+  "supabase/lib/features/ai_chat/api/ai_chat_conversation_entity.dart": "1c4e4223e802d7fe8e93d9e7a09fcc6be81a41792d722e8b7e697837cde4737f",
+  "supabase/lib/features/ai_chat/api/ai_chat_message_entity.dart": "5aca4fdb5b1c38df04c9d377c6e6eeb6930ef85b2a32689fe6403e7cc7645373",
+  "supabase/lib/features/ai_chat/providers/ai_chat_notifier.dart": "f16ea3f3266e63a5591ceff9bc1900845f0b96e9bbbc5463ec6ab894f878eae3",
+  "supabase/lib/features/authentication/api/authentication_api.dart": "8b460722bb3bee7eee015f34aaa39c1c97cb264df1024b2855060dac232c620a",
+  "supabase/lib/features/authentication/repositories/authentication_repository.dart": "8e98ca0d39df3aac1dab159e6bdfe8d2bbb8e43931459984eb4ecfb676698ca2",
+  "supabase/lib/features/feedbacks/api/entities/feature_request_entity.dart": "e72c683c7321bf1f3c19fc1c6d54c6964bd99970e87c9ff31d8918efa93f0090",
+  "supabase/lib/features/feedbacks/api/entities/feature_vote_entity.dart": "a13ccfc493d8f5277beffc8e28f77ec322ab0c0a56358c3669353206b7c6756b",
+  "supabase/lib/features/feedbacks/api/feature_request_api.dart": "a741395509b95e8cae135bc8bdcca1ba0d48785b1e1b201732219659d271346b",
+  "supabase/lib/features/feedbacks/api/feature_vote_api.dart": "89dcaeea29460a7f219c2ede3759707b45066272fe6837c29a40f3d79fade4e9",
+  "supabase/lib/features/notifications/api/device_api.dart": "0d6bccb6813cceec29c54220daac9d0cd35687c4fa9f10ffde07dad88b204ed3",
+  "supabase/lib/features/notifications/api/entities/device_entity.dart": "54fce6274c5fe60ba663d8693e0c9d88fd6cd6fcd9ec906e021621a2e51176b7",
+  "supabase/lib/features/notifications/api/entities/notifications_entity.dart": "f9ee62111a6f122657e105df317f1f5f803e3a525a96686c0a2728ff02cd8964",
+  "supabase/lib/features/notifications/api/notifications_api.dart": "30cdb1bc52c3249b2cda6b1c7eb7fb6a977db5744da5a9c2980784f41e75d9e7",
+  "supabase/lib/features/onboarding/api/entities/user_info_entity.dart": "cd5aabc68310025f3ab9676cab126e1f755431f9e8752f868ee9fcd6f5892ce2",
+  "supabase/lib/features/onboarding/api/user_infos_api.dart": "cf728bcef364259912ee1e87151c4f791faee0c0d49232c9af260bb5681bd429",
+  "supabase/lib/features/onboarding/models/user_info.dart": "946fd34a33b630a34a3b6248594cbca717f4fab9d23f669510145b9032bd1321",
+  "supabase/lib/features/onboarding/repositories/user_infos_repository.dart": "487a5177dcaed7f87e613b2b4f04329c4995274e6a52809d4917c037cb3c3c55",
+  "supabase/lib/features/settings/ui/components/admin/admin_users_api.dart": "0ffb232ffb193154c0366d6f7da0ca499b3e06fed4fd71af572b8dc53ecd844e",
+  "supabase/lib/features/settings/ui/widgets/avatar_utils.dart": "bb9126409bbbb245f2dec613bd096ac53c208a56bd55f3d2ab2599e43534904f",
+  "supabase/lib/features/subscriptions/api/entities/subscription_entity.dart": "20c1d75ed9d88acb96e94a592dcb4de0f63c792302ea07df53cebbdeb6d0cf7e",
+  "supabase/lib/features/subscriptions/api/stripe_backend_api.dart": "e370bd05211462f2fc94c69af1749eb5330f997e9ec5e73e5c4e119999bf666f",
+  "supabase/lib/features/subscriptions/api/subscription_api.dart": "c7484c9301d16245748025a3d420a89397e9e956b2211b7ed001c073ff2e4449",
+  "supabase/lib/google_auth_options.dart": "9d3ab9be5928f3100b9b217864d916edd1223d186e60ed130c35628812cace66",
+  "supabase/README.md": "1f30fc1ebf8fe02df6f3ee2f94c17f4bb4952abd5b125312d2c43eb6374eb354"
+}

package/lib/scaffold/backends/supabase/deploy.js CHANGED Viewed

@@ -15,6 +15,7 @@ const path = require('node:path');
 const os = require('node:os');
 const fs = require('fs-extra');
 const { augmentedEnv } = require('../../../utils/env-tools');
+const { signAppleClientSecret } = require('../../../utils/apple-web');
 const execAsync = promisify(exec);
@@ -407,6 +408,95 @@ async function enableAppleSignIn(projectRef, bundleId) {
   return { ok: false, error: result.data.message || JSON.stringify(result.data) };
 }
+/**
+ * GET the current Supabase auth config (read-only). Used to merge values we must
+ * not clobber (e.g. the native bundle id already in external_apple_client_id).
+ */
+async function getSupabaseAuthConfig(projectRef, token) {
+  try {
+    const res = await fetch(`https://api.supabase.com/v1/projects/${projectRef}/config/auth`, {
+      headers: { Authorization: `Bearer ${token}` },
+    });
+    if (!res.ok) return null;
+    return await res.json();
+  } catch {
+    return null;
+  }
+}
+/**
+ * Enable Apple Sign-In on the WEB for Supabase.
+ *
+ * Unlike Firebase (which stores the .p8 and re-signs), Supabase stores a static,
+ * pre-signed client secret JWT that expires every ~6 months. We sign it here with
+ * the developer's `.p8` and write it as external_apple_secret. The Service ID is
+ * added to external_apple_client_id (the audience list) alongside the native bundle
+ * id, so both native iOS and the web OAuth flow validate.
+ *
+ * @param {string} projectRef
+ * @param {object} opts - { serviceId, teamId, keyId, privateKey, bundleId? }
+ * @returns {{ ok: boolean, error?: string, expiresAt?: number }}
+ */
+async function enableAppleWebSignIn(projectRef, { serviceId, teamId, keyId, privateKey, bundleId } = {}) {
+  if (!serviceId || !teamId || !keyId || !privateKey) {
+    return { ok: false, error: 'serviceId, teamId, keyId and privateKey are required' };
+  }
+  const token = await getSupabaseAccessToken();
+  if (!token) return { ok: false, error: 'Could not retrieve Supabase access token' };
+  let secret;
+  let expiresAt;
+  try {
+    ({ token: secret, expiresAt } = signAppleClientSecret({ serviceId, teamId, keyId, privateKey }));
+  } catch (err) {
+    return { ok: false, error: err.message };
+  }
+  // Merge the Service ID into the existing audience list without dropping the
+  // native bundle id the CLI set at creation.
+  const current = await getSupabaseAuthConfig(projectRef, token);
+  const existingIds = String(current?.external_apple_client_id || '')
+    .split(',')
+    .map((s) => s.trim())
+    .filter(Boolean);
+  const clientIds = Array.from(new Set([...existingIds, bundleId, serviceId].filter(Boolean))).join(',');
+  const result = await patchAuthConfig(projectRef, token, {
+    external_apple_enabled: true,
+    external_apple_client_id: clientIds,
+    external_apple_secret: secret,
+  });
+  if (!result.ok) return { ok: false, error: result.error };
+  if (result.data.external_apple_enabled === true) return { ok: true, expiresAt };
+  return { ok: false, error: result.data.message || JSON.stringify(result.data) };
+}
+/**
+ * Enable the Facebook provider on Supabase via the Management API.
+ * Needs the Meta App ID (client_id) + App Secret (secret). The native App ID /
+ * Client Token live in Info.plist / strings.xml and are written separately.
+ *
+ * @param {string} projectRef
+ * @param {object} opts - { appId, appSecret }
+ * @returns {{ ok: boolean, error?: string }}
+ */
+async function enableFacebookSignIn(projectRef, { appId, appSecret } = {}) {
+  if (!appId || !appSecret) {
+    return { ok: false, error: 'appId and appSecret are required' };
+  }
+  const token = await getSupabaseAccessToken();
+  if (!token) return { ok: false, error: 'Could not retrieve Supabase access token' };
+  const result = await patchAuthConfig(projectRef, token, {
+    external_facebook_enabled: true,
+    external_facebook_client_id: appId,
+    external_facebook_secret: appSecret,
+  });
+  if (!result.ok) return { ok: false, error: result.error };
+  if (result.data.external_facebook_enabled === true) return { ok: true };
+  return { ok: false, error: result.data.message || JSON.stringify(result.data) };
+}
 /**
  * Configure auth settings via Supabase Management API:
  *  - Enable anonymous sign-in
@@ -717,6 +807,8 @@ module.exports = {
   enableAnonymousSignIn,
   enableGoogleSignIn,
   enableAppleSignIn,
+  enableAppleWebSignIn,
+  enableFacebookSignIn,
   checkLoggedIn,
   getOrgsList,
   getProjectsByOrg,

package/lib/scaffold/backends/supabase/edge-functions/stripe-webhook/index.ts CHANGED Viewed

@@ -101,11 +101,13 @@ Deno.serve(async (req: Request) => {
     const item = sub.items?.data?.[0];
     const priceId = item?.price?.id ?? "";
     const ms = periodEndMs(sub);
+    const trialMs = sub.trial_end ? sub.trial_end * 1000 : null;
     const now = new Date().toISOString();
     const payload = {
       status: statusFromStripe(sub),
       last_update_date: now,
       period_end_date: ms ? new Date(ms).toISOString() : null,
+      trial_end: trialMs ? new Date(trialMs).toISOString() : null,
       sku_id: priceId,
       offer_id: priceId,
       store: "STRIPE",

package/lib/scaffold/backends/supabase/migrations/20240101000007_welcome_notification.sql CHANGED Viewed

@@ -1,35 +1,36 @@
--- Send a welcome notification when the user's first device is registered.
+-- Send a welcome notification ONCE per account when a device is registered.
 --
 -- Why on device registration and not on user creation?
--- At user creation time no device token exists yet. By firing on the first
--- INSERT into `devices` we guarantee the locale is set and the notification
--- can be localised accurately.
+-- At user creation time no device token exists yet. By firing on INSERT into
+-- `devices` we guarantee the locale is set and the notification can be localised
+-- accurately.
 --
--- notify_user = false: the user is already inside the app at registration
--- time, so no push is needed — the notification is saved to the DB only.
+-- Why a `welcome_sent` flag and not a device count?
+-- Logout removes the device row and login re-creates it, so a device count
+-- ("is this the first device?") sees a brand-new first device on every
+-- re-login and re-sent the welcome each time. A one-shot flag on the user,
+-- claimed atomically, sends it exactly once for the life of the account.
 --
--- Anonymous users (no email in public.users) are skipped.
--- The message is localised using the `locale` field of public.users.
+-- notify_user = false: the user is already inside the app at registration time,
+-- so no push is needed — the notification is saved to the DB only.
+--
+-- Anonymous users (no email in public.users) are skipped until they have one.
+-- One-time welcome guard (idempotent so re-running the migration is safe).
+ALTER TABLE public.users
+  ADD COLUMN IF NOT EXISTS welcome_sent boolean NOT NULL DEFAULT false;
 CREATE OR REPLACE FUNCTION public.trigger_welcome_notification()
 RETURNS TRIGGER AS $$
 DECLARE
-  v_email  text;
-  v_locale text;
-  v_count  int;
-  v_title  text;
-  v_body   text;
+  v_email   text;
+  v_locale  text;
+  v_claimed int;
+  v_title   text;
+  v_body    text;
 BEGIN
-  -- Only fire for the very first device of this user.
-  SELECT COUNT(*) INTO v_count
-  FROM public.devices
-  WHERE user_id = NEW.user_id AND id != NEW.id;
-  IF v_count > 0 THEN
-    RETURN NEW;
-  END IF;
-  -- Skip anonymous users (no email set yet).
+  -- Skip anonymous users (no email yet); they get welcomed once they have one,
+  -- WITHOUT consuming the one-time claim below.
   SELECT email, locale INTO v_email, v_locale
   FROM public.users
   WHERE id = NEW.user_id;
@@ -38,6 +39,18 @@ BEGIN
     RETURN NEW;
   END IF;
+  -- Atomically claim the one-time welcome: flip welcome_sent to true only if it
+  -- isn't already. ROW_COUNT is 1 for the very first claim, 0 for any later
+  -- device registration — including one re-created after a logout/login cycle.
+  UPDATE public.users
+  SET welcome_sent = true
+  WHERE id = NEW.user_id AND welcome_sent = false;
+  GET DIAGNOSTICS v_claimed = ROW_COUNT;
+  IF v_claimed = 0 THEN
+    RETURN NEW;
+  END IF;
   -- Localised welcome message (falls back to English).
   IF v_locale = 'pt' THEN
     v_title := 'Bem-vindo!';

package/lib/scaffold/backends/supabase/migrations/20240101000014_subscription_trial_end.sql ADDED Viewed

@@ -0,0 +1,6 @@
+-- Adds trial_end to subscriptions so trial periods are persisted and the app
+-- can detect an active trial. Mirrors the Firebase backend, where the Stripe
+-- webhook writes trial_end (RevenueCat trials are read from the SDK, not the DB).
+-- Idempotent: safe to run on a fresh project or an already-deployed database.
+ALTER TABLE public.subscriptions
+  ADD COLUMN IF NOT EXISTS trial_end TIMESTAMPTZ;