stellar-drive 1.0.0

package/dist/supabase/auth.js

@@ -0,0 +1,459 @@
+/**
+ * @fileoverview Supabase Authentication Module
+ *
+ * Provides core authentication utilities on top of Supabase Auth for the
+ * single-user PIN/password gate system:
+ *
+ * - **Sign-out & teardown**: Full 10-step teardown sequence to ensure no stale
+ *   data leaks across sessions.
+ *
+ * - **Session management**: `getSession()` falls back to localStorage when the
+ *   device is offline, ensuring the app can still render authenticated views
+ *   with stale-but-usable session data.
+ *
+ * - **Profile CRUD**: Read and update user profile metadata on Supabase and
+ *   in the offline credential cache.
+ *
+ * - **Email confirmation & OTP**: Resend confirmation emails and verify OTP
+ *   token hashes from confirmation links.
+ *
+ * Security considerations:
+ *   - Corrupted sessions are detected and automatically cleared to prevent
+ *     infinite error loops.
+ *   - Sign-out follows a strict 10-step teardown sequence to ensure no stale
+ *     data leaks across user boundaries.
+ *
+ * Integration patterns:
+ *   - Used internally by single-user auth (`../auth/singleUser.ts`) and the
+ *     scaffolded confirm page (`../kit/confirm.ts`).
+ *   - Works in tandem with `./client.ts` (lazy Supabase singleton) and
+ *     `../engine.ts` (sync engine lifecycle).
+ *   - Offline credential helpers live in `../auth/offlineCredentials.ts`.
+ *
+ * @module supabase/auth
+ */
+import { supabase } from './client';
+import { clearOfflineCredentials, updateOfflineCredentialsProfile } from '../auth/offlineCredentials';
+import { clearOfflineSession } from '../auth/offlineSession';
+import { resetLoginGuard } from '../auth/loginGuard';
+import { debugWarn, debugError } from '../debug';
+import { getEngineConfig } from '../config';
+import { syncStatusStore } from '../stores/sync';
+import { authState } from '../stores/authState';
+import { isDemoMode } from '../demo';
+// =============================================================================
+// SECTION: Helpers
+// =============================================================================
+/**
+ * Get the email confirmation redirect URL.
+ *
+ * Points to the `/confirm` page (or the path configured via
+ * `auth.confirmRedirectPath`) which handles the token verification flow
+ * after a user clicks the link in their confirmation email.
+ *
+ * @returns The fully-qualified redirect URL, e.g. `https://app.example.com/confirm`.
+ *          Falls back to a relative `/confirm` path in SSR environments where
+ *          `window` is unavailable.
+ *
+ * @see {@link resendConfirmationEmail} — uses this URL
+ */
+function getConfirmRedirectUrl() {
+    if (typeof window !== 'undefined') {
+        const path = getEngineConfig().auth?.confirmRedirectPath || '/confirm';
+        return `${window.location.origin}${path}`;
+    }
+    // Fallback for SSR (shouldn't be called, but just in case)
+    return '/confirm';
+}
+// =============================================================================
+// SECTION: Sign Out
+// =============================================================================
+/**
+ * Sign the current user out and perform a full teardown of local state.
+ *
+ * The teardown follows a strict **10-step sequence** to ensure no stale data
+ * leaks between user sessions:
+ *
+ *   1. Stop the sync engine (dynamic import avoids circular deps).
+ *   2. Clear the pending sync queue (unless `preserveLocalData` is set).
+ *   3. Clear the local cache (unless `preserveLocalData` is set).
+ *   4. Clear the offline session token.
+ *   5. Clear offline credentials (only when online, to preserve offline re-login).
+ *   6. Call `supabase.auth.signOut()`.
+ *   7. Remove all `sb-*` keys from localStorage (Supabase internal storage).
+ *   8. Reset the login guard (brute-force counters).
+ *   9. Reset the sync status store.
+ *  10. Reset the auth state store.
+ *
+ * Each step is wrapped in its own try/catch so that a failure in one step
+ * does not prevent subsequent cleanup from running.
+ *
+ * @param options - Optional flags to control teardown behavior.
+ * @param options.preserveOfflineCredentials - When `true`, offline credentials
+ *        are kept so the user can re-authenticate without network access.
+ * @param options.preserveLocalData - When `true`, pending sync queue and local
+ *        cache are retained.
+ * @returns An object with an `error` field (`null` on success).
+ *
+ * @example
+ * ```ts
+ * await signOut(); // full teardown
+ * await signOut({ preserveLocalData: true }); // keep cached data
+ * ```
+ */
+export async function signOut(options) {
+    if (isDemoMode()) {
+        authState.reset();
+        syncStatusStore.reset();
+        return { error: null };
+    }
+    // 1. Stop sync engine (import dynamically to avoid circular deps)
+    try {
+        const { stopSyncEngine, clearLocalCache, clearPendingSyncQueue } = await import('../engine');
+        await stopSyncEngine();
+        if (!options?.preserveLocalData) {
+            // 2. Clear pending sync queue
+            await clearPendingSyncQueue();
+            // 3. Clear local cache
+            await clearLocalCache();
+        }
+    }
+    catch (e) {
+        debugError('[Auth] Failed to stop engine/clear data:', e);
+    }
+    // 4. Clear offline session
+    try {
+        await clearOfflineSession();
+    }
+    catch (e) {
+        debugError('[Auth] Failed to clear offline session:', e);
+    }
+    // 5. Clear offline credentials (only if online, for offline re-login preservation)
+    try {
+        if (!options?.preserveOfflineCredentials) {
+            /* Only clear when online — if the user is offline, we want to keep
+               the cached credentials so they can still sign back in without
+               network access. This is a deliberate security trade-off favouring
+               availability over strict credential erasure. */
+            const isOnline = typeof navigator !== 'undefined' && navigator.onLine;
+            if (isOnline) {
+                await clearOfflineCredentials();
+            }
+        }
+    }
+    catch (e) {
+        debugError('[Auth] Failed to clear offline credentials:', e);
+    }
+    // 6. Supabase auth signOut
+    const { error } = await supabase.auth.signOut();
+    // 7. Clear sb-* localStorage keys
+    try {
+        if (typeof localStorage !== 'undefined') {
+            const keys = Object.keys(localStorage).filter((k) => k.startsWith('sb-'));
+            keys.forEach((k) => localStorage.removeItem(k));
+        }
+    }
+    catch {
+        // Ignore storage errors
+    }
+    // 8. Reset login guard state
+    resetLoginGuard();
+    // 9. Reset sync status store
+    syncStatusStore.reset();
+    // 10. Reset auth state store
+    authState.reset();
+    return { error: error?.message || null };
+}
+// =============================================================================
+// SECTION: Session Management
+// =============================================================================
+/**
+ * Get the current Supabase session.
+ *
+ * When the device is **online**, this delegates to `supabase.auth.getSession()`
+ * which may trigger a token refresh if the access token is close to expiry.
+ *
+ * When the device is **offline**, or if the Supabase call fails with a
+ * corrupted-session error, this falls back to reading the session directly
+ * from localStorage via {@link getSessionFromStorage}. The returned session
+ * may be expired, but callers can use {@link isSessionExpired} to check and
+ * should handle offline mode appropriately (e.g. show cached data, queue
+ * mutations for later sync).
+ *
+ * @returns The current `Session` object, or `null` if no valid session exists.
+ *
+ * @example
+ * ```ts
+ * const session = await getSession();
+ * if (session && !isSessionExpired(session)) {
+ *   // Fully authenticated
+ * }
+ * ```
+ *
+ * @see {@link getSessionFromStorage} — direct localStorage fallback
+ * @see {@link isSessionExpired} — expiry check helper
+ * @see {@link getValidSession} — combined convenience wrapper
+ */
+export async function getSession() {
+    if (isDemoMode())
+        return null;
+    const isOffline = typeof navigator !== 'undefined' && !navigator.onLine;
+    try {
+        const { data, error } = await supabase.auth.getSession();
+        if (error) {
+            debugError('[Auth] getSession error:', error.message);
+            // If offline and we got an error, don't clear session - it might just be a network issue
+            if (isOffline) {
+                debugWarn('[Auth] Offline - keeping session despite error');
+                // Try to get session from localStorage directly
+                return getSessionFromStorage();
+            }
+            /* Detect corrupted session data (e.g. "can't access property 'hash'
+               of undefined") which can occur when localStorage is partially written.
+               Signing out clears the corrupt state so subsequent calls succeed. */
+            if (error.message?.includes('hash') || error.message?.includes('undefined')) {
+                debugWarn('[Auth] Detected corrupted session, attempting to clear');
+                await supabase.auth.signOut();
+            }
+            return null;
+        }
+        return data.session;
+    }
+    catch (e) {
+        debugError('[Auth] Unexpected error getting session:', e);
+        // If offline, don't clear anything - try to get from storage
+        if (isOffline) {
+            debugWarn('[Auth] Offline - attempting to get session from storage');
+            return getSessionFromStorage();
+        }
+        // Attempt to clear any corrupted state when online
+        try {
+            await supabase.auth.signOut();
+        }
+        catch {
+            // Ignore signOut errors
+        }
+        return null;
+    }
+}
+/**
+ * Read the session directly from localStorage, bypassing Supabase's
+ * built-in token refresh logic.
+ *
+ * This is used as a **fallback** when the device is offline and the normal
+ * `supabase.auth.getSession()` call fails. The returned session may be
+ * expired, but it still contains the user identity, which is sufficient for
+ * rendering cached offline views.
+ *
+ * Supabase stores its auth token in localStorage under a key matching the
+ * pattern `sb-{project-ref}-auth-token`. The internal structure has changed
+ * between Supabase versions, so we check for both `currentSession` (older)
+ * and `session` (newer) shapes.
+ *
+ * @returns The cached `Session`, or `null` if nothing usable is found.
+ */
+function getSessionFromStorage() {
+    try {
+        // Supabase stores session in localStorage with key pattern: sb-{project-ref}-auth-token
+        const keys = Object.keys(localStorage);
+        const sessionKey = keys.find((k) => k.includes('-auth-token'));
+        if (!sessionKey)
+            return null;
+        const stored = localStorage.getItem(sessionKey);
+        if (!stored)
+            return null;
+        const parsed = JSON.parse(stored);
+        if (parsed?.currentSession) {
+            return parsed.currentSession;
+        }
+        // Newer Supabase versions use different structure
+        if (parsed?.session) {
+            return parsed.session;
+        }
+        return null;
+    }
+    catch (e) {
+        debugError('[Auth] Failed to get session from storage:', e);
+        return null;
+    }
+}
+/**
+ * Check whether a session's access token has expired.
+ *
+ * The `expires_at` field on a Supabase session is a **Unix timestamp in
+ * seconds**. We compare it against `Date.now() / 1000` (which is in
+ * milliseconds, hence the division).
+ *
+ * @param session - The session to check, or `null`.
+ * @returns `true` if the session is `null`, missing `expires_at`, or past
+ *          its expiry time; `false` otherwise.
+ *
+ * @example
+ * ```ts
+ * if (isSessionExpired(session)) {
+ *   // Prompt re-authentication or attempt token refresh
+ * }
+ * ```
+ */
+export function isSessionExpired(session) {
+    if (!session)
+        return true;
+    // expires_at is in seconds
+    const expiresAt = session.expires_at;
+    if (!expiresAt)
+        return true;
+    return Date.now() / 1000 > expiresAt;
+}
+// =============================================================================
+// SECTION: User Profile
+// =============================================================================
+/**
+ * Extract the user's profile from their Supabase `user_metadata`.
+ *
+ * If the engine config provides a custom `auth.profileExtractor`, it is
+ * invoked to transform the raw metadata into the app's profile shape.
+ * Otherwise the raw `user_metadata` object is returned as-is.
+ *
+ * @param user - The Supabase `User` object (may be `null`).
+ * @returns A key-value record representing the user's profile fields.
+ *
+ * @example
+ * ```ts
+ * const profile = getUserProfile(session.user);
+ * console.log(profile.display_name);
+ * ```
+ */
+export function getUserProfile(user) {
+    const config = getEngineConfig();
+    if (config.auth?.profileExtractor && user) {
+        return config.auth.profileExtractor(user.user_metadata || {});
+    }
+    return user?.user_metadata || {};
+}
+/**
+ * Update the current user's profile metadata on Supabase.
+ *
+ * The profile data is transformed through `auth.profileToMetadata` (if
+ * configured) before being sent. On success the offline credential cache
+ * is also updated so that the profile stays consistent across online and
+ * offline modes.
+ *
+ * @param profile - The updated profile fields to persist.
+ * @returns An object with an `error` field (`null` on success).
+ *
+ * @example
+ * ```ts
+ * const { error } = await updateProfile({ display_name: 'New Name' });
+ * ```
+ *
+ * @see {@link updateOfflineCredentialsProfile} — keeps the offline cache in sync
+ */
+export async function updateProfile(profile) {
+    if (isDemoMode())
+        return { error: null };
+    const config = getEngineConfig();
+    const metadata = config.auth?.profileToMetadata
+        ? config.auth.profileToMetadata(profile)
+        : profile;
+    const { error } = await supabase.auth.updateUser({
+        data: metadata
+    });
+    if (!error) {
+        // Update offline cache
+        try {
+            await updateOfflineCredentialsProfile(profile);
+        }
+        catch (e) {
+            debugError('[Auth] Failed to update offline profile:', e);
+        }
+    }
+    return { error: error?.message || null };
+}
+// =============================================================================
+// SECTION: Email Confirmation & OTP
+// =============================================================================
+/**
+ * Resend the signup confirmation email for a given address.
+ *
+ * The caller should enforce a client-side cooldown (recommended: 30 seconds)
+ * to prevent abuse, since Supabase may not always rate-limit resends on its
+ * own.
+ *
+ * @param email - The email address that needs a new confirmation link.
+ * @returns An object with an `error` field (`null` on success).
+ *
+ * @example
+ * ```ts
+ * const { error } = await resendConfirmationEmail('user@example.com');
+ * ```
+ */
+export async function resendConfirmationEmail(email) {
+    if (isDemoMode())
+        return { error: null };
+    const { error } = await supabase.auth.resend({
+        type: 'signup',
+        email,
+        options: {
+            emailRedirectTo: getConfirmRedirectUrl()
+        }
+    });
+    return { error: error?.message || null };
+}
+/**
+ * Verify an OTP token hash received from a confirmation email link.
+ *
+ * This absorbs the direct Supabase call that would otherwise live in the
+ * confirm page component, keeping all auth logic centralised in this module.
+ *
+ * @param tokenHash - The `token_hash` query parameter from the confirmation URL.
+ * @param type      - The type of OTP: `'signup'`, `'email'`, or `'email_change'`.
+ * @returns An object with an `error` field (`null` on success).
+ *
+ * @example
+ * ```ts
+ * // On the /confirm page:
+ * const hash = new URL(location.href).searchParams.get('token_hash');
+ * const { error } = await verifyOtp(hash, 'signup');
+ * ```
+ */
+export async function verifyOtp(tokenHash, type) {
+    if (isDemoMode())
+        return { error: null };
+    const { error } = await supabase.auth.verifyOtp({
+        token_hash: tokenHash,
+        type
+    });
+    return { error: error?.message || null };
+}
+// =============================================================================
+// SECTION: Convenience Wrappers
+// =============================================================================
+/**
+ * Get a valid (non-expired) session, or `null`.
+ *
+ * This is a convenience wrapper that combines {@link getSession} and
+ * {@link isSessionExpired} into a single call, useful when the caller only
+ * cares about sessions that can still be used for API requests.
+ *
+ * @returns A non-expired `Session`, or `null`.
+ *
+ * @example
+ * ```ts
+ * const session = await getValidSession();
+ * if (!session) {
+ *   redirectToLogin();
+ * }
+ * ```
+ *
+ * @see {@link getSession}
+ * @see {@link isSessionExpired}
+ */
+export async function getValidSession() {
+    const session = await getSession();
+    if (!session)
+        return null;
+    if (isSessionExpired(session))
+        return null;
+    return session;
+}
+//# sourceMappingURL=auth.js.map

package/dist/supabase/auth.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"auth.js","sourceRoot":"","sources":["../../src/supabase/auth.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAiCG;AAEH,OAAO,EAAE,QAAQ,EAAE,MAAM,UAAU,CAAC;AAEpC,OAAO,EACL,uBAAuB,EACvB,+BAA+B,EAChC,MAAM,4BAA4B,CAAC;AACpC,OAAO,EAAE,mBAAmB,EAAE,MAAM,wBAAwB,CAAC;AAC7D,OAAO,EAAE,eAAe,EAAE,MAAM,oBAAoB,CAAC;AACrD,OAAO,EAAE,SAAS,EAAE,UAAU,EAAE,MAAM,UAAU,CAAC;AACjD,OAAO,EAAE,eAAe,EAAE,MAAM,WAAW,CAAC;AAC5C,OAAO,EAAE,eAAe,EAAE,MAAM,gBAAgB,CAAC;AACjD,OAAO,EAAE,SAAS,EAAE,MAAM,qBAAqB,CAAC;AAChD,OAAO,EAAE,UAAU,EAAE,MAAM,SAAS,CAAC;AAErC,gFAAgF;AAChF,mBAAmB;AACnB,gFAAgF;AAEhF;;;;;;;;;;;;GAYG;AACH,SAAS,qBAAqB;IAC5B,IAAI,OAAO,MAAM,KAAK,WAAW,EAAE,CAAC;QAClC,MAAM,IAAI,GAAG,eAAe,EAAE,CAAC,IAAI,EAAE,mBAAmB,IAAI,UAAU,CAAC;QACvE,OAAO,GAAG,MAAM,CAAC,QAAQ,CAAC,MAAM,GAAG,IAAI,EAAE,CAAC;IAC5C,CAAC;IACD,2DAA2D;IAC3D,OAAO,UAAU,CAAC;AACpB,CAAC;AAED,gFAAgF;AAChF,oBAAoB;AACpB,gFAAgF;AAEhF;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAgCG;AACH,MAAM,CAAC,KAAK,UAAU,OAAO,CAAC,OAG7B;IACC,IAAI,UAAU,EAAE,EAAE,CAAC;QACjB,SAAS,CAAC,KAAK,EAAE,CAAC;QAClB,eAAe,CAAC,KAAK,EAAE,CAAC;QACxB,OAAO,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC;IACzB,CAAC;IACD,kEAAkE;IAClE,IAAI,CAAC;QACH,MAAM,EAAE,cAAc,EAAE,eAAe,EAAE,qBAAqB,EAAE,GAAG,MAAM,MAAM,CAAC,WAAW,CAAC,CAAC;QAE7F,MAAM,cAAc,EAAE,CAAC;QAEvB,IAAI,CAAC,OAAO,EAAE,iBAAiB,EAAE,CAAC;YAChC,8BAA8B;YAC9B,MAAM,qBAAqB,EAAE,CAAC;YAE9B,uBAAuB;YACvB,MAAM,eAAe,EAAE,CAAC;QAC1B,CAAC;IACH,CAAC;IAAC,OAAO,CAAC,EAAE,CAAC;QACX,UAAU,CAAC,0CAA0C,EAAE,CAAC,CAAC,CAAC;IAC5D,CAAC;IAED,2BAA2B;IAC3B,IAAI,CAAC;QACH,MAAM,mBAAmB,EAAE,CAAC;IAC9B,CAAC;IAAC,OAAO,CAAC,EAAE,CAAC;QACX,UAAU,CAAC,yCAAyC,EAAE,CAAC,CAAC,CAAC;IAC3D,CAAC;IAED,mFAAmF;IACnF,IAAI,CAAC;QACH,IAAI,CAAC,OAAO,EAAE,0BAA0B,EAAE,CAAC;YACzC;;;8DAGkD;YAClD,MAAM,QAAQ,GAAG,OAAO,SAAS,KAAK,WAAW,IAAI,SAAS,CAAC,MAAM,CAAC;YACtE,IAAI,QAAQ,EAAE,CAAC;gBACb,MAAM,uBAAuB,EAAE,CAAC;YAClC,CAAC;QACH,CAAC;IACH,CAAC;IAAC,OAAO,CAAC,EAAE,CAAC;QACX,UAAU,CAAC,6CAA6C,EAAE,CAAC,CAAC,CAAC;IAC/D,CAAC;IAED,2BAA2B;IAC3B,MAAM,EAAE,KAAK,EAAE,GAAG,MAAM,QAAQ,CAAC,IAAI,CAAC,OAAO,EAAE,CAAC;IAEhD,kCAAkC;IAClC,IAAI,CAAC;QACH,IAAI,OAAO,YAAY,KAAK,WAAW,EAAE,CAAC;YACxC,MAAM,IAAI,GAAG,MAAM,CAAC,IAAI,CAAC,YAAY,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,UAAU,CAAC,KAAK,CAAC,CAAC,CAAC;YAC1E,IAAI,CAAC,OAAO,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,YAAY,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC,CAAC;QAClD,CAAC;IACH,CAAC;IAAC,MAAM,CAAC;QACP,wBAAwB;IAC1B,CAAC;IAED,6BAA6B;IAC7B,eAAe,EAAE,CAAC;IAElB,6BAA6B;IAC7B,eAAe,CAAC,KAAK,EAAE,CAAC;IAExB,6BAA6B;IAC7B,SAAS,CAAC,KAAK,EAAE,CAAC;IAElB,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,OAAO,IAAI,IAAI,EAAE,CAAC;AAC3C,CAAC;AAED,gFAAgF;AAChF,8BAA8B;AAC9B,gFAAgF;AAEhF;;;;;;;;;;;;;;;;;;;;;;;;;;GA0BG;AACH,MAAM,CAAC,KAAK,UAAU,UAAU;IAC9B,IAAI,UAAU,EAAE;QAAE,OAAO,IAAI,CAAC;IAC9B,MAAM,SAAS,GAAG,OAAO,SAAS,KAAK,WAAW,IAAI,CAAC,SAAS,CAAC,MAAM,CAAC;IAExE,IAAI,CAAC;QACH,MAAM,EAAE,IAAI,EAAE,KAAK,EAAE,GAAG,MAAM,QAAQ,CAAC,IAAI,CAAC,UAAU,EAAE,CAAC;QAEzD,IAAI,KAAK,EAAE,CAAC;YACV,UAAU,CAAC,0BAA0B,EAAE,KAAK,CAAC,OAAO,CAAC,CAAC;YAEtD,yFAAyF;YACzF,IAAI,SAAS,EAAE,CAAC;gBACd,SAAS,CAAC,gDAAgD,CAAC,CAAC;gBAC5D,gDAAgD;gBAChD,OAAO,qBAAqB,EAAE,CAAC;YACjC,CAAC;YAED;;mFAEuE;YACvE,IAAI,KAAK,CAAC,OAAO,EAAE,QAAQ,CAAC,MAAM,CAAC,IAAI,KAAK,CAAC,OAAO,EAAE,QAAQ,CAAC,WAAW,CAAC,EAAE,CAAC;gBAC5E,SAAS,CAAC,wDAAwD,CAAC,CAAC;gBACpE,MAAM,QAAQ,CAAC,IAAI,CAAC,OAAO,EAAE,CAAC;YAChC,CAAC;YACD,OAAO,IAAI,CAAC;QACd,CAAC;QAED,OAAO,IAAI,CAAC,OAAO,CAAC;IACtB,CAAC;IAAC,OAAO,CAAC,EAAE,CAAC;QACX,UAAU,CAAC,0CAA0C,EAAE,CAAC,CAAC,CAAC;QAE1D,6DAA6D;QAC7D,IAAI,SAAS,EAAE,CAAC;YACd,SAAS,CAAC,yDAAyD,CAAC,CAAC;YACrE,OAAO,qBAAqB,EAAE,CAAC;QACjC,CAAC;QAED,mDAAmD;QACnD,IAAI,CAAC;YACH,MAAM,QAAQ,CAAC,IAAI,CAAC,OAAO,EAAE,CAAC;QAChC,CAAC;QAAC,MAAM,CAAC;YACP,wBAAwB;QAC1B,CAAC;QACD,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC;AAED;;;;;;;;;;;;;;;GAeG;AACH,SAAS,qBAAqB;IAC5B,IAAI,CAAC;QACH,wFAAwF;QACxF,MAAM,IAAI,GAAG,MAAM,CAAC,IAAI,CAAC,YAAY,CAAC,CAAC;QACvC,MAAM,UAAU,GAAG,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,aAAa,CAAC,CAAC,CAAC;QAC/D,IAAI,CAAC,UAAU;YAAE,OAAO,IAAI,CAAC;QAE7B,MAAM,MAAM,GAAG,YAAY,CAAC,OAAO,CAAC,UAAU,CAAC,CAAC;QAChD,IAAI,CAAC,MAAM;YAAE,OAAO,IAAI,CAAC;QAEzB,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC;QAClC,IAAI,MAAM,EAAE,cAAc,EAAE,CAAC;YAC3B,OAAO,MAAM,CAAC,cAAyB,CAAC;QAC1C,CAAC;QACD,kDAAkD;QAClD,IAAI,MAAM,EAAE,OAAO,EAAE,CAAC;YACpB,OAAO,MAAM,CAAC,OAAkB,CAAC;QACnC,CAAC;QACD,OAAO,IAAI,CAAC;IACd,CAAC;IAAC,OAAO,CAAC,EAAE,CAAC;QACX,UAAU,CAAC,4CAA4C,EAAE,CAAC,CAAC,CAAC;QAC5D,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC;AAED;;;;;;;;;;;;;;;;;GAiBG;AACH,MAAM,UAAU,gBAAgB,CAAC,OAAuB;IACtD,IAAI,CAAC,OAAO;QAAE,OAAO,IAAI,CAAC;IAC1B,2BAA2B;IAC3B,MAAM,SAAS,GAAG,OAAO,CAAC,UAAU,CAAC;IACrC,IAAI,CAAC,SAAS;QAAE,OAAO,IAAI,CAAC;IAC5B,OAAO,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,GAAG,SAAS,CAAC;AACvC,CAAC;AAED,gFAAgF;AAChF,wBAAwB;AACxB,gFAAgF;AAEhF;;;;;;;;;;;;;;;GAeG;AACH,MAAM,UAAU,cAAc,CAAC,IAAiB;IAC9C,MAAM,MAAM,GAAG,eAAe,EAAE,CAAC;IACjC,IAAI,MAAM,CAAC,IAAI,EAAE,gBAAgB,IAAI,IAAI,EAAE,CAAC;QAC1C,OAAO,MAAM,CAAC,IAAI,CAAC,gBAAgB,CAAC,IAAI,CAAC,aAAa,IAAI,EAAE,CAAC,CAAC;IAChE,CAAC;IACD,OAAO,IAAI,EAAE,aAAa,IAAI,EAAE,CAAC;AACnC,CAAC;AAED;;;;;;;;;;;;;;;;;GAiBG;AACH,MAAM,CAAC,KAAK,UAAU,aAAa,CACjC,OAAgC;IAEhC,IAAI,UAAU,EAAE;QAAE,OAAO,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC;IACzC,MAAM,MAAM,GAAG,eAAe,EAAE,CAAC;IACjC,MAAM,QAAQ,GAAG,MAAM,CAAC,IAAI,EAAE,iBAAiB;QAC7C,CAAC,CAAC,MAAM,CAAC,IAAI,CAAC,iBAAiB,CAAC,OAAO,CAAC;QACxC,CAAC,CAAC,OAAO,CAAC;IAEZ,MAAM,EAAE,KAAK,EAAE,GAAG,MAAM,QAAQ,CAAC,IAAI,CAAC,UAAU,CAAC;QAC/C,IAAI,EAAE,QAAQ;KACf,CAAC,CAAC;IAEH,IAAI,CAAC,KAAK,EAAE,CAAC;QACX,uBAAuB;QACvB,IAAI,CAAC;YACH,MAAM,+BAA+B,CAAC,OAAO,CAAC,CAAC;QACjD,CAAC;QAAC,OAAO,CAAC,EAAE,CAAC;YACX,UAAU,CAAC,0CAA0C,EAAE,CAAC,CAAC,CAAC;QAC5D,CAAC;IACH,CAAC;IAED,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,OAAO,IAAI,IAAI,EAAE,CAAC;AAC3C,CAAC;AAED,gFAAgF;AAChF,oCAAoC;AACpC,gFAAgF;AAEhF;;;;;;;;;;;;;;GAcG;AACH,MAAM,CAAC,KAAK,UAAU,uBAAuB,CAAC,KAAa;IACzD,IAAI,UAAU,EAAE;QAAE,OAAO,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC;IACzC,MAAM,EAAE,KAAK,EAAE,GAAG,MAAM,QAAQ,CAAC,IAAI,CAAC,MAAM,CAAC;QAC3C,IAAI,EAAE,QAAQ;QACd,KAAK;QACL,OAAO,EAAE;YACP,eAAe,EAAE,qBAAqB,EAAE;SACzC;KACF,CAAC,CAAC;IAEH,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,OAAO,IAAI,IAAI,EAAE,CAAC;AAC3C,CAAC;AAED;;;;;;;;;;;;;;;;GAgBG;AACH,MAAM,CAAC,KAAK,UAAU,SAAS,CAC7B,SAAiB,EACjB,IAAyC;IAEzC,IAAI,UAAU,EAAE;QAAE,OAAO,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC;IACzC,MAAM,EAAE,KAAK,EAAE,GAAG,MAAM,QAAQ,CAAC,IAAI,CAAC,SAAS,CAAC;QAC9C,UAAU,EAAE,SAAS;QACrB,IAAI;KACL,CAAC,CAAC;IAEH,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,OAAO,IAAI,IAAI,EAAE,CAAC;AAC3C,CAAC;AAED,gFAAgF;AAChF,gCAAgC;AAChC,gFAAgF;AAEhF;;;;;;;;;;;;;;;;;;;GAmBG;AACH,MAAM,CAAC,KAAK,UAAU,eAAe;IACnC,MAAM,OAAO,GAAG,MAAM,UAAU,EAAE,CAAC;IACnC,IAAI,CAAC,OAAO;QAAE,OAAO,IAAI,CAAC;IAC1B,IAAI,gBAAgB,CAAC,OAAO,CAAC;QAAE,OAAO,IAAI,CAAC;IAC3C,OAAO,OAAO,CAAC;AACjB,CAAC"}

package/dist/supabase/client.d.ts

@@ -0,0 +1,88 @@
+/**
+ * @fileoverview Supabase Client — Lazy Initialization via ES Proxy
+ *
+ * This module exports a single `supabase` constant that looks and behaves
+ * exactly like a `SupabaseClient` instance, but is actually an ES `Proxy`
+ * that defers client creation until the **first property access**. This
+ * "lazy singleton" pattern solves a critical bootstrapping problem:
+ *
+ *   The Supabase URL and anon key are loaded at **runtime** (via
+ *   `getConfig()` from `../runtime/runtimeConfig`), not at build time.
+ *   Modules that `import { supabase }` at the top level would otherwise
+ *   crash because the config has not been initialized yet when the import
+ *   executes.
+ *
+ * How the Proxy pattern works:
+ *   1. `supabase` is exported as `new Proxy({} as SupabaseClient, handler)`.
+ *   2. The handler's `get` trap intercepts every property access (e.g.
+ *      `supabase.auth`, `supabase.from(...)`).
+ *   3. On first access, `getOrCreateClient()` reads the runtime config and
+ *      calls `createClient(url, key, options)` to build the real client.
+ *   4. The real client is cached in a module-level `realClient` variable;
+ *      subsequent accesses reuse it (standard singleton).
+ *   5. Function values are `.bind(client)` to preserve `this` context.
+ *
+ * Additional responsibilities:
+ *   - **Corrupted session cleanup**: Before the client is created, any
+ *     malformed `sb-*` entries in localStorage are detected and removed to
+ *     prevent "can't access property 'hash'" runtime errors.
+ *   - **Unhandled rejection handler**: A global listener catches Supabase
+ *     auth errors that escape normal error handling, clears storage, and
+ *     performs a single guarded page reload to recover.
+ *   - **iOS PWA detection**: The client sends a custom `x-client-info`
+ *     header indicating whether it is running as a standalone PWA on iOS,
+ *     which helps with server-side debugging of session eviction issues.
+ *
+ * Security considerations:
+ *   - The anon key is a **public** key (safe to include in client bundles).
+ *   - PKCE flow is used instead of the implicit flow for stronger OAuth
+ *     security and better compatibility with PWA environments.
+ *   - Session persistence uses localStorage; the module proactively scrubs
+ *     corrupted entries to prevent denial-of-service via bad local state.
+ *
+ * @module supabase/client
+ */
+import { type SupabaseClient } from '@supabase/supabase-js';
+/**
+ * Override the storage key prefix used by the Supabase client.
+ *
+ * Must be called **before** the first access to the `supabase` export,
+ * since the prefix is baked into the client options at creation time.
+ *
+ * @param prefix - The new prefix string (e.g. the app's name).
+ *
+ * @example
+ * ```ts
+ * _setClientPrefix('myapp');
+ * // Later accesses will use storageKey 'myapp-auth'
+ * ```
+ */
+export declare function _setClientPrefix(prefix: string): void;
+/**
+ * The public Supabase client — a Proxy-based lazy singleton.
+ *
+ * **Why a Proxy?**
+ * The Supabase URL and anon key are not available at import time (they come
+ * from a runtime config that is loaded asynchronously). A Proxy lets every
+ * module `import { supabase }` at the top level without worrying about
+ * initialization order. The real client is created transparently on first
+ * property access.
+ *
+ * **How it works:**
+ * - The `get` trap intercepts every property read (e.g. `supabase.auth`,
+ *   `supabase.from`).
+ * - It calls `getOrCreateClient()` to ensure the real client exists.
+ * - It forwards the property access via `Reflect.get`.
+ * - Function values are `.bind(client)` to keep `this` correct when the
+ *   caller destructures methods (e.g. `const { from } = supabase`).
+ *
+ * @example
+ * ```ts
+ * import { supabase } from './client';
+ *
+ * // Works immediately — the Proxy defers creation until this line runs:
+ * const { data } = await supabase.from('users').select('*');
+ * ```
+ */
+export declare const supabase: SupabaseClient;
+//# sourceMappingURL=client.d.ts.map

package/dist/supabase/client.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"client.d.ts","sourceRoot":"","sources":["../../src/supabase/client.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA2CG;AAEH,OAAO,EAAgB,KAAK,cAAc,EAAE,MAAM,uBAAuB,CAAC;AAgB1E;;;;;;;;;;;;;GAaG;AACH,wBAAgB,gBAAgB,CAAC,MAAM,EAAE,MAAM,QAE9C;AAqOD;;;;;;;;;;;;;;;;;;;;;;;;;GAyBG;AACH,eAAO,MAAM,QAAQ,EAAE,cASrB,CAAC"}