@ejazullah/smart-browser-automation
Version:
A smart AI-driven browser automation library and REST API server using MCP (Model Context Protocol) and LangChain for multi-step task execution. Includes both programmatic library usage and HTTP API server for remote automation.
1,034 lines • 111 kB
JavaScript
import GoTrueAdminApi from './GoTrueAdminApi';
import { DEFAULT_HEADERS, EXPIRY_MARGIN_MS, AUTO_REFRESH_TICK_DURATION_MS, AUTO_REFRESH_TICK_THRESHOLD, GOTRUE_URL, STORAGE_KEY, JWKS_TTL, } from './lib/constants';
import { AuthImplicitGrantRedirectError, AuthPKCEGrantCodeExchangeError, AuthInvalidCredentialsError, AuthSessionMissingError, AuthInvalidTokenResponseError, AuthUnknownError, isAuthApiError, isAuthError, isAuthRetryableFetchError, isAuthSessionMissingError, isAuthImplicitGrantRedirectError, AuthInvalidJwtError, } from './lib/errors';
import { _request, _sessionResponse, _sessionResponsePassword, _userResponse, _ssoResponse, } from './lib/fetch';
import { Deferred, getItemAsync, isBrowser, removeItemAsync, resolveFetch, setItemAsync, uuid, retryable, sleep, parseParametersFromURL, getCodeChallengeAndMethod, getAlgorithm, validateExp, decodeJWT, userNotAvailableProxy, supportsLocalStorage, } from './lib/helpers';
import { memoryLocalStorageAdapter } from './lib/local-storage';
import { polyfillGlobalThis } from './lib/polyfills';
import { version } from './lib/version';
import { LockAcquireTimeoutError, navigatorLock } from './lib/locks';
import { stringToUint8Array, bytesToBase64URL } from './lib/base64url';
import { deepClone } from './lib/helpers';
polyfillGlobalThis(); // Make "globalThis" available
const DEFAULT_OPTIONS = {
url: GOTRUE_URL,
storageKey: STORAGE_KEY,
autoRefreshToken: true,
persistSession: true,
detectSessionInUrl: true,
headers: DEFAULT_HEADERS,
flowType: 'implicit',
debug: false,
hasCustomAuthorizationHeader: false,
};
async function lockNoOp(name, acquireTimeout, fn) {
return await fn();
}
/**
* Caches JWKS values for all clients created in the same environment. This is
* especially useful for shared-memory execution environments such as Vercel's
* Fluid Compute, AWS Lambda or Supabase's Edge Functions. Regardless of how
* many clients are created, if they share the same storage key they will use
* the same JWKS cache, significantly speeding up getClaims() with asymmetric
* JWTs.
*/
const GLOBAL_JWKS = {};
export default class GoTrueClient {
/**
* Create a new client for use in the browser.
*/
constructor(options) {
var _a, _b;
/**
* @experimental
*/
this.userStorage = null;
this.memoryStorage = null;
this.stateChangeEmitters = new Map();
this.autoRefreshTicker = null;
this.visibilityChangedCallback = null;
this.refreshingDeferred = null;
/**
* Keeps track of the async client initialization.
* When null or not yet resolved the auth state is `unknown`
* Once resolved the the auth state is known and it's save to call any further client methods.
* Keep extra care to never reject or throw uncaught errors
*/
this.initializePromise = null;
this.detectSessionInUrl = true;
this.hasCustomAuthorizationHeader = false;
this.suppressGetSessionWarning = false;
this.lockAcquired = false;
this.pendingInLock = [];
/**
* Used to broadcast state change events to other tabs listening.
*/
this.broadcastChannel = null;
this.logger = console.log;
this.instanceID = GoTrueClient.nextInstanceID;
GoTrueClient.nextInstanceID += 1;
if (this.instanceID > 0 && isBrowser()) {
console.warn('Multiple GoTrueClient instances detected in the same browser context. It is not an error, but this should be avoided as it may produce undefined behavior when used concurrently under the same storage key.');
}
const settings = Object.assign(Object.assign({}, DEFAULT_OPTIONS), options);
this.logDebugMessages = !!settings.debug;
if (typeof settings.debug === 'function') {
this.logger = settings.debug;
}
this.persistSession = settings.persistSession;
this.storageKey = settings.storageKey;
this.autoRefreshToken = settings.autoRefreshToken;
this.admin = new GoTrueAdminApi({
url: settings.url,
headers: settings.headers,
fetch: settings.fetch,
});
this.url = settings.url;
this.headers = settings.headers;
this.fetch = resolveFetch(settings.fetch);
this.lock = settings.lock || lockNoOp;
this.detectSessionInUrl = settings.detectSessionInUrl;
this.flowType = settings.flowType;
this.hasCustomAuthorizationHeader = settings.hasCustomAuthorizationHeader;
if (settings.lock) {
this.lock = settings.lock;
}
else if (isBrowser() && ((_a = globalThis === null || globalThis === void 0 ? void 0 : globalThis.navigator) === null || _a === void 0 ? void 0 : _a.locks)) {
this.lock = navigatorLock;
}
else {
this.lock = lockNoOp;
}
if (!this.jwks) {
this.jwks = { keys: [] };
this.jwks_cached_at = Number.MIN_SAFE_INTEGER;
}
this.mfa = {
verify: this._verify.bind(this),
enroll: this._enroll.bind(this),
unenroll: this._unenroll.bind(this),
challenge: this._challenge.bind(this),
listFactors: this._listFactors.bind(this),
challengeAndVerify: this._challengeAndVerify.bind(this),
getAuthenticatorAssuranceLevel: this._getAuthenticatorAssuranceLevel.bind(this),
};
if (this.persistSession) {
if (settings.storage) {
this.storage = settings.storage;
}
else {
if (supportsLocalStorage()) {
this.storage = globalThis.localStorage;
}
else {
this.memoryStorage = {};
this.storage = memoryLocalStorageAdapter(this.memoryStorage);
}
}
if (settings.userStorage) {
this.userStorage = settings.userStorage;
}
}
else {
this.memoryStorage = {};
this.storage = memoryLocalStorageAdapter(this.memoryStorage);
}
if (isBrowser() && globalThis.BroadcastChannel && this.persistSession && this.storageKey) {
try {
this.broadcastChannel = new globalThis.BroadcastChannel(this.storageKey);
}
catch (e) {
console.error('Failed to create a new BroadcastChannel, multi-tab state changes will not be available', e);
}
(_b = this.broadcastChannel) === null || _b === void 0 ? void 0 : _b.addEventListener('message', async (event) => {
this._debug('received broadcast notification from other tab or client', event);
await this._notifyAllSubscribers(event.data.event, event.data.session, false); // broadcast = false so we don't get an endless loop of messages
});
}
this.initialize();
}
/**
* The JWKS used for verifying asymmetric JWTs
*/
get jwks() {
var _a, _b;
return (_b = (_a = GLOBAL_JWKS[this.storageKey]) === null || _a === void 0 ? void 0 : _a.jwks) !== null && _b !== void 0 ? _b : { keys: [] };
}
set jwks(value) {
GLOBAL_JWKS[this.storageKey] = Object.assign(Object.assign({}, GLOBAL_JWKS[this.storageKey]), { jwks: value });
}
get jwks_cached_at() {
var _a, _b;
return (_b = (_a = GLOBAL_JWKS[this.storageKey]) === null || _a === void 0 ? void 0 : _a.cachedAt) !== null && _b !== void 0 ? _b : Number.MIN_SAFE_INTEGER;
}
set jwks_cached_at(value) {
GLOBAL_JWKS[this.storageKey] = Object.assign(Object.assign({}, GLOBAL_JWKS[this.storageKey]), { cachedAt: value });
}
_debug(...args) {
if (this.logDebugMessages) {
this.logger(`GoTrueClient@${this.instanceID} (${version}) ${new Date().toISOString()}`, ...args);
}
return this;
}
/**
* Initializes the client session either from the url or from storage.
* This method is automatically called when instantiating the client, but should also be called
* manually when checking for an error from an auth redirect (oauth, magiclink, password recovery, etc).
*/
async initialize() {
if (this.initializePromise) {
return await this.initializePromise;
}
this.initializePromise = (async () => {
return await this._acquireLock(-1, async () => {
return await this._initialize();
});
})();
return await this.initializePromise;
}
/**
* IMPORTANT:
* 1. Never throw in this method, as it is called from the constructor
* 2. Never return a session from this method as it would be cached over
* the whole lifetime of the client
*/
async _initialize() {
var _a;
try {
const params = parseParametersFromURL(window.location.href);
let callbackUrlType = 'none';
if (this._isImplicitGrantCallback(params)) {
callbackUrlType = 'implicit';
}
else if (await this._isPKCECallback(params)) {
callbackUrlType = 'pkce';
}
/**
* Attempt to get the session from the URL only if these conditions are fulfilled
*
* Note: If the URL isn't one of the callback url types (implicit or pkce),
* then there could be an existing session so we don't want to prematurely remove it
*/
if (isBrowser() && this.detectSessionInUrl && callbackUrlType !== 'none') {
const { data, error } = await this._getSessionFromURL(params, callbackUrlType);
if (error) {
this._debug('#_initialize()', 'error detecting session from URL', error);
if (isAuthImplicitGrantRedirectError(error)) {
const errorCode = (_a = error.details) === null || _a === void 0 ? void 0 : _a.code;
if (errorCode === 'identity_already_exists' ||
errorCode === 'identity_not_found' ||
errorCode === 'single_identity_not_deletable') {
return { error };
}
}
// failed login attempt via url,
// remove old session as in verifyOtp, signUp and signInWith*
await this._removeSession();
return { error };
}
const { session, redirectType } = data;
this._debug('#_initialize()', 'detected session in URL', session, 'redirect type', redirectType);
await this._saveSession(session);
setTimeout(async () => {
if (redirectType === 'recovery') {
await this._notifyAllSubscribers('PASSWORD_RECOVERY', session);
}
else {
await this._notifyAllSubscribers('SIGNED_IN', session);
}
}, 0);
return { error: null };
}
// no login attempt via callback url try to recover session from storage
await this._recoverAndRefresh();
return { error: null };
}
catch (error) {
if (isAuthError(error)) {
return { error };
}
return {
error: new AuthUnknownError('Unexpected error during initialization', error),
};
}
finally {
await this._handleVisibilityChange();
this._debug('#_initialize()', 'end');
}
}
/**
* Creates a new anonymous user.
*
* @returns A session where the is_anonymous claim in the access token JWT set to true
*/
async signInAnonymously(credentials) {
var _a, _b, _c;
try {
const res = await _request(this.fetch, 'POST', `${this.url}/signup`, {
headers: this.headers,
body: {
data: (_b = (_a = credentials === null || credentials === void 0 ? void 0 : credentials.options) === null || _a === void 0 ? void 0 : _a.data) !== null && _b !== void 0 ? _b : {},
gotrue_meta_security: { captcha_token: (_c = credentials === null || credentials === void 0 ? void 0 : credentials.options) === null || _c === void 0 ? void 0 : _c.captchaToken },
},
xform: _sessionResponse,
});
const { data, error } = res;
if (error || !data) {
return { data: { user: null, session: null }, error: error };
}
const session = data.session;
const user = data.user;
if (data.session) {
await this._saveSession(data.session);
await this._notifyAllSubscribers('SIGNED_IN', session);
}
return { data: { user, session }, error: null };
}
catch (error) {
if (isAuthError(error)) {
return { data: { user: null, session: null }, error };
}
throw error;
}
}
/**
* Creates a new user.
*
* Be aware that if a user account exists in the system you may get back an
* error message that attempts to hide this information from the user.
* This method has support for PKCE via email signups. The PKCE flow cannot be used when autoconfirm is enabled.
*
* @returns A logged-in session if the server has "autoconfirm" ON
* @returns A user if the server has "autoconfirm" OFF
*/
async signUp(credentials) {
var _a, _b, _c;
try {
let res;
if ('email' in credentials) {
const { email, password, options } = credentials;
let codeChallenge = null;
let codeChallengeMethod = null;
if (this.flowType === 'pkce') {
;
[codeChallenge, codeChallengeMethod] = await getCodeChallengeAndMethod(this.storage, this.storageKey);
}
res = await _request(this.fetch, 'POST', `${this.url}/signup`, {
headers: this.headers,
redirectTo: options === null || options === void 0 ? void 0 : options.emailRedirectTo,
body: {
email,
password,
data: (_a = options === null || options === void 0 ? void 0 : options.data) !== null && _a !== void 0 ? _a : {},
gotrue_meta_security: { captcha_token: options === null || options === void 0 ? void 0 : options.captchaToken },
code_challenge: codeChallenge,
code_challenge_method: codeChallengeMethod,
},
xform: _sessionResponse,
});
}
else if ('phone' in credentials) {
const { phone, password, options } = credentials;
res = await _request(this.fetch, 'POST', `${this.url}/signup`, {
headers: this.headers,
body: {
phone,
password,
data: (_b = options === null || options === void 0 ? void 0 : options.data) !== null && _b !== void 0 ? _b : {},
channel: (_c = options === null || options === void 0 ? void 0 : options.channel) !== null && _c !== void 0 ? _c : 'sms',
gotrue_meta_security: { captcha_token: options === null || options === void 0 ? void 0 : options.captchaToken },
},
xform: _sessionResponse,
});
}
else {
throw new AuthInvalidCredentialsError('You must provide either an email or phone number and a password');
}
const { data, error } = res;
if (error || !data) {
return { data: { user: null, session: null }, error: error };
}
const session = data.session;
const user = data.user;
if (data.session) {
await this._saveSession(data.session);
await this._notifyAllSubscribers('SIGNED_IN', session);
}
return { data: { user, session }, error: null };
}
catch (error) {
if (isAuthError(error)) {
return { data: { user: null, session: null }, error };
}
throw error;
}
}
/**
* Log in an existing user with an email and password or phone and password.
*
* Be aware that you may get back an error message that will not distinguish
* between the cases where the account does not exist or that the
* email/phone and password combination is wrong or that the account can only
* be accessed via social login.
*/
async signInWithPassword(credentials) {
try {
let res;
if ('email' in credentials) {
const { email, password, options } = credentials;
res = await _request(this.fetch, 'POST', `${this.url}/token?grant_type=password`, {
headers: this.headers,
body: {
email,
password,
gotrue_meta_security: { captcha_token: options === null || options === void 0 ? void 0 : options.captchaToken },
},
xform: _sessionResponsePassword,
});
}
else if ('phone' in credentials) {
const { phone, password, options } = credentials;
res = await _request(this.fetch, 'POST', `${this.url}/token?grant_type=password`, {
headers: this.headers,
body: {
phone,
password,
gotrue_meta_security: { captcha_token: options === null || options === void 0 ? void 0 : options.captchaToken },
},
xform: _sessionResponsePassword,
});
}
else {
throw new AuthInvalidCredentialsError('You must provide either an email or phone number and a password');
}
const { data, error } = res;
if (error) {
return { data: { user: null, session: null }, error };
}
else if (!data || !data.session || !data.user) {
return { data: { user: null, session: null }, error: new AuthInvalidTokenResponseError() };
}
if (data.session) {
await this._saveSession(data.session);
await this._notifyAllSubscribers('SIGNED_IN', data.session);
}
return {
data: Object.assign({ user: data.user, session: data.session }, (data.weak_password ? { weakPassword: data.weak_password } : null)),
error,
};
}
catch (error) {
if (isAuthError(error)) {
return { data: { user: null, session: null }, error };
}
throw error;
}
}
/**
* Log in an existing user via a third-party provider.
* This method supports the PKCE flow.
*/
async signInWithOAuth(credentials) {
var _a, _b, _c, _d;
return await this._handleProviderSignIn(credentials.provider, {
redirectTo: (_a = credentials.options) === null || _a === void 0 ? void 0 : _a.redirectTo,
scopes: (_b = credentials.options) === null || _b === void 0 ? void 0 : _b.scopes,
queryParams: (_c = credentials.options) === null || _c === void 0 ? void 0 : _c.queryParams,
skipBrowserRedirect: (_d = credentials.options) === null || _d === void 0 ? void 0 : _d.skipBrowserRedirect,
});
}
/**
* Log in an existing user by exchanging an Auth Code issued during the PKCE flow.
*/
async exchangeCodeForSession(authCode) {
await this.initializePromise;
return this._acquireLock(-1, async () => {
return this._exchangeCodeForSession(authCode);
});
}
/**
* Signs in a user by verifying a message signed by the user's private key.
* Only Solana supported at this time, using the Sign in with Solana standard.
*/
async signInWithWeb3(credentials) {
const { chain } = credentials;
if (chain === 'solana') {
return await this.signInWithSolana(credentials);
}
throw new Error(`@supabase/auth-js: Unsupported chain "${chain}"`);
}
async signInWithSolana(credentials) {
var _a, _b, _c, _d, _e, _f, _g, _h, _j, _k, _l, _m;
let message;
let signature;
if ('message' in credentials) {
message = credentials.message;
signature = credentials.signature;
}
else {
const { chain, wallet, statement, options } = credentials;
let resolvedWallet;
if (!isBrowser()) {
if (typeof wallet !== 'object' || !(options === null || options === void 0 ? void 0 : options.url)) {
throw new Error('@supabase/auth-js: Both wallet and url must be specified in non-browser environments.');
}
resolvedWallet = wallet;
}
else if (typeof wallet === 'object') {
resolvedWallet = wallet;
}
else {
const windowAny = window;
if ('solana' in windowAny &&
typeof windowAny.solana === 'object' &&
(('signIn' in windowAny.solana && typeof windowAny.solana.signIn === 'function') ||
('signMessage' in windowAny.solana &&
typeof windowAny.solana.signMessage === 'function'))) {
resolvedWallet = windowAny.solana;
}
else {
throw new Error(`@supabase/auth-js: No compatible Solana wallet interface on the window object (window.solana) detected. Make sure the user already has a wallet installed and connected for this app. Prefer passing the wallet interface object directly to signInWithWeb3({ chain: 'solana', wallet: resolvedUserWallet }) instead.`);
}
}
const url = new URL((_a = options === null || options === void 0 ? void 0 : options.url) !== null && _a !== void 0 ? _a : window.location.href);
if ('signIn' in resolvedWallet && resolvedWallet.signIn) {
const output = await resolvedWallet.signIn(Object.assign(Object.assign(Object.assign({ issuedAt: new Date().toISOString() }, options === null || options === void 0 ? void 0 : options.signInWithSolana), {
// non-overridable properties
version: '1', domain: url.host, uri: url.href }), (statement ? { statement } : null)));
let outputToProcess;
if (Array.isArray(output) && output[0] && typeof output[0] === 'object') {
outputToProcess = output[0];
}
else if (output &&
typeof output === 'object' &&
'signedMessage' in output &&
'signature' in output) {
outputToProcess = output;
}
else {
throw new Error('@supabase/auth-js: Wallet method signIn() returned unrecognized value');
}
if ('signedMessage' in outputToProcess &&
'signature' in outputToProcess &&
(typeof outputToProcess.signedMessage === 'string' ||
outputToProcess.signedMessage instanceof Uint8Array) &&
outputToProcess.signature instanceof Uint8Array) {
message =
typeof outputToProcess.signedMessage === 'string'
? outputToProcess.signedMessage
: new TextDecoder().decode(outputToProcess.signedMessage);
signature = outputToProcess.signature;
}
else {
throw new Error('@supabase/auth-js: Wallet method signIn() API returned object without signedMessage and signature fields');
}
}
else {
if (!('signMessage' in resolvedWallet) ||
typeof resolvedWallet.signMessage !== 'function' ||
!('publicKey' in resolvedWallet) ||
typeof resolvedWallet !== 'object' ||
!resolvedWallet.publicKey ||
!('toBase58' in resolvedWallet.publicKey) ||
typeof resolvedWallet.publicKey.toBase58 !== 'function') {
throw new Error('@supabase/auth-js: Wallet does not have a compatible signMessage() and publicKey.toBase58() API');
}
message = [
`${url.host} wants you to sign in with your Solana account:`,
resolvedWallet.publicKey.toBase58(),
...(statement ? ['', statement, ''] : ['']),
'Version: 1',
`URI: ${url.href}`,
`Issued At: ${(_c = (_b = options === null || options === void 0 ? void 0 : options.signInWithSolana) === null || _b === void 0 ? void 0 : _b.issuedAt) !== null && _c !== void 0 ? _c : new Date().toISOString()}`,
...(((_d = options === null || options === void 0 ? void 0 : options.signInWithSolana) === null || _d === void 0 ? void 0 : _d.notBefore)
? [`Not Before: ${options.signInWithSolana.notBefore}`]
: []),
...(((_e = options === null || options === void 0 ? void 0 : options.signInWithSolana) === null || _e === void 0 ? void 0 : _e.expirationTime)
? [`Expiration Time: ${options.signInWithSolana.expirationTime}`]
: []),
...(((_f = options === null || options === void 0 ? void 0 : options.signInWithSolana) === null || _f === void 0 ? void 0 : _f.chainId)
? [`Chain ID: ${options.signInWithSolana.chainId}`]
: []),
...(((_g = options === null || options === void 0 ? void 0 : options.signInWithSolana) === null || _g === void 0 ? void 0 : _g.nonce) ? [`Nonce: ${options.signInWithSolana.nonce}`] : []),
...(((_h = options === null || options === void 0 ? void 0 : options.signInWithSolana) === null || _h === void 0 ? void 0 : _h.requestId)
? [`Request ID: ${options.signInWithSolana.requestId}`]
: []),
...(((_k = (_j = options === null || options === void 0 ? void 0 : options.signInWithSolana) === null || _j === void 0 ? void 0 : _j.resources) === null || _k === void 0 ? void 0 : _k.length)
? [
'Resources',
...options.signInWithSolana.resources.map((resource) => `- ${resource}`),
]
: []),
].join('\n');
const maybeSignature = await resolvedWallet.signMessage(new TextEncoder().encode(message), 'utf8');
if (!maybeSignature || !(maybeSignature instanceof Uint8Array)) {
throw new Error('@supabase/auth-js: Wallet signMessage() API returned an recognized value');
}
signature = maybeSignature;
}
}
try {
const { data, error } = await _request(this.fetch, 'POST', `${this.url}/token?grant_type=web3`, {
headers: this.headers,
body: Object.assign({ chain: 'solana', message, signature: bytesToBase64URL(signature) }, (((_l = credentials.options) === null || _l === void 0 ? void 0 : _l.captchaToken)
? { gotrue_meta_security: { captcha_token: (_m = credentials.options) === null || _m === void 0 ? void 0 : _m.captchaToken } }
: null)),
xform: _sessionResponse,
});
if (error) {
throw error;
}
if (!data || !data.session || !data.user) {
return {
data: { user: null, session: null },
error: new AuthInvalidTokenResponseError(),
};
}
if (data.session) {
await this._saveSession(data.session);
await this._notifyAllSubscribers('SIGNED_IN', data.session);
}
return { data: Object.assign({}, data), error };
}
catch (error) {
if (isAuthError(error)) {
return { data: { user: null, session: null }, error };
}
throw error;
}
}
async _exchangeCodeForSession(authCode) {
const storageItem = await getItemAsync(this.storage, `${this.storageKey}-code-verifier`);
const [codeVerifier, redirectType] = (storageItem !== null && storageItem !== void 0 ? storageItem : '').split('/');
try {
const { data, error } = await _request(this.fetch, 'POST', `${this.url}/token?grant_type=pkce`, {
headers: this.headers,
body: {
auth_code: authCode,
code_verifier: codeVerifier,
},
xform: _sessionResponse,
});
await removeItemAsync(this.storage, `${this.storageKey}-code-verifier`);
if (error) {
throw error;
}
if (!data || !data.session || !data.user) {
return {
data: { user: null, session: null, redirectType: null },
error: new AuthInvalidTokenResponseError(),
};
}
if (data.session) {
await this._saveSession(data.session);
await this._notifyAllSubscribers('SIGNED_IN', data.session);
}
return { data: Object.assign(Object.assign({}, data), { redirectType: redirectType !== null && redirectType !== void 0 ? redirectType : null }), error };
}
catch (error) {
if (isAuthError(error)) {
return { data: { user: null, session: null, redirectType: null }, error };
}
throw error;
}
}
/**
* Allows signing in with an OIDC ID token. The authentication provider used
* should be enabled and configured.
*/
async signInWithIdToken(credentials) {
try {
const { options, provider, token, access_token, nonce } = credentials;
const res = await _request(this.fetch, 'POST', `${this.url}/token?grant_type=id_token`, {
headers: this.headers,
body: {
provider,
id_token: token,
access_token,
nonce,
gotrue_meta_security: { captcha_token: options === null || options === void 0 ? void 0 : options.captchaToken },
},
xform: _sessionResponse,
});
const { data, error } = res;
if (error) {
return { data: { user: null, session: null }, error };
}
else if (!data || !data.session || !data.user) {
return {
data: { user: null, session: null },
error: new AuthInvalidTokenResponseError(),
};
}
if (data.session) {
await this._saveSession(data.session);
await this._notifyAllSubscribers('SIGNED_IN', data.session);
}
return { data, error };
}
catch (error) {
if (isAuthError(error)) {
return { data: { user: null, session: null }, error };
}
throw error;
}
}
/**
* Log in a user using magiclink or a one-time password (OTP).
*
* If the `{{ .ConfirmationURL }}` variable is specified in the email template, a magiclink will be sent.
* If the `{{ .Token }}` variable is specified in the email template, an OTP will be sent.
* If you're using phone sign-ins, only an OTP will be sent. You won't be able to send a magiclink for phone sign-ins.
*
* Be aware that you may get back an error message that will not distinguish
* between the cases where the account does not exist or, that the account
* can only be accessed via social login.
*
* Do note that you will need to configure a Whatsapp sender on Twilio
* if you are using phone sign in with the 'whatsapp' channel. The whatsapp
* channel is not supported on other providers
* at this time.
* This method supports PKCE when an email is passed.
*/
async signInWithOtp(credentials) {
var _a, _b, _c, _d, _e;
try {
if ('email' in credentials) {
const { email, options } = credentials;
let codeChallenge = null;
let codeChallengeMethod = null;
if (this.flowType === 'pkce') {
;
[codeChallenge, codeChallengeMethod] = await getCodeChallengeAndMethod(this.storage, this.storageKey);
}
const { error } = await _request(this.fetch, 'POST', `${this.url}/otp`, {
headers: this.headers,
body: {
email,
data: (_a = options === null || options === void 0 ? void 0 : options.data) !== null && _a !== void 0 ? _a : {},
create_user: (_b = options === null || options === void 0 ? void 0 : options.shouldCreateUser) !== null && _b !== void 0 ? _b : true,
gotrue_meta_security: { captcha_token: options === null || options === void 0 ? void 0 : options.captchaToken },
code_challenge: codeChallenge,
code_challenge_method: codeChallengeMethod,
},
redirectTo: options === null || options === void 0 ? void 0 : options.emailRedirectTo,
});
return { data: { user: null, session: null }, error };
}
if ('phone' in credentials) {
const { phone, options } = credentials;
const { data, error } = await _request(this.fetch, 'POST', `${this.url}/otp`, {
headers: this.headers,
body: {
phone,
data: (_c = options === null || options === void 0 ? void 0 : options.data) !== null && _c !== void 0 ? _c : {},
create_user: (_d = options === null || options === void 0 ? void 0 : options.shouldCreateUser) !== null && _d !== void 0 ? _d : true,
gotrue_meta_security: { captcha_token: options === null || options === void 0 ? void 0 : options.captchaToken },
channel: (_e = options === null || options === void 0 ? void 0 : options.channel) !== null && _e !== void 0 ? _e : 'sms',
},
});
return { data: { user: null, session: null, messageId: data === null || data === void 0 ? void 0 : data.message_id }, error };
}
throw new AuthInvalidCredentialsError('You must provide either an email or phone number.');
}
catch (error) {
if (isAuthError(error)) {
return { data: { user: null, session: null }, error };
}
throw error;
}
}
/**
* Log in a user given a User supplied OTP or TokenHash received through mobile or email.
*/
async verifyOtp(params) {
var _a, _b;
try {
let redirectTo = undefined;
let captchaToken = undefined;
if ('options' in params) {
redirectTo = (_a = params.options) === null || _a === void 0 ? void 0 : _a.redirectTo;
captchaToken = (_b = params.options) === null || _b === void 0 ? void 0 : _b.captchaToken;
}
const { data, error } = await _request(this.fetch, 'POST', `${this.url}/verify`, {
headers: this.headers,
body: Object.assign(Object.assign({}, params), { gotrue_meta_security: { captcha_token: captchaToken } }),
redirectTo,
xform: _sessionResponse,
});
if (error) {
throw error;
}
if (!data) {
throw new Error('An error occurred on token verification.');
}
const session = data.session;
const user = data.user;
if (session === null || session === void 0 ? void 0 : session.access_token) {
await this._saveSession(session);
await this._notifyAllSubscribers(params.type == 'recovery' ? 'PASSWORD_RECOVERY' : 'SIGNED_IN', session);
}
return { data: { user, session }, error: null };
}
catch (error) {
if (isAuthError(error)) {
return { data: { user: null, session: null }, error };
}
throw error;
}
}
/**
* Attempts a single-sign on using an enterprise Identity Provider. A
* successful SSO attempt will redirect the current page to the identity
* provider authorization page. The redirect URL is implementation and SSO
* protocol specific.
*
* You can use it by providing a SSO domain. Typically you can extract this
* domain by asking users for their email address. If this domain is
* registered on the Auth instance the redirect will use that organization's
* currently active SSO Identity Provider for the login.
*
* If you have built an organization-specific login page, you can use the
* organization's SSO Identity Provider UUID directly instead.
*/
async signInWithSSO(params) {
var _a, _b, _c;
try {
let codeChallenge = null;
let codeChallengeMethod = null;
if (this.flowType === 'pkce') {
;
[codeChallenge, codeChallengeMethod] = await getCodeChallengeAndMethod(this.storage, this.storageKey);
}
return await _request(this.fetch, 'POST', `${this.url}/sso`, {
body: Object.assign(Object.assign(Object.assign(Object.assign(Object.assign({}, ('providerId' in params ? { provider_id: params.providerId } : null)), ('domain' in params ? { domain: params.domain } : null)), { redirect_to: (_b = (_a = params.options) === null || _a === void 0 ? void 0 : _a.redirectTo) !== null && _b !== void 0 ? _b : undefined }), (((_c = params === null || params === void 0 ? void 0 : params.options) === null || _c === void 0 ? void 0 : _c.captchaToken)
? { gotrue_meta_security: { captcha_token: params.options.captchaToken } }
: null)), { skip_http_redirect: true, code_challenge: codeChallenge, code_challenge_method: codeChallengeMethod }),
headers: this.headers,
xform: _ssoResponse,
});
}
catch (error) {
if (isAuthError(error)) {
return { data: null, error };
}
throw error;
}
}
/**
* Sends a reauthentication OTP to the user's email or phone number.
* Requires the user to be signed-in.
*/
async reauthenticate() {
await this.initializePromise;
return await this._acquireLock(-1, async () => {
return await this._reauthenticate();
});
}
async _reauthenticate() {
try {
return await this._useSession(async (result) => {
const { data: { session }, error: sessionError, } = result;
if (sessionError)
throw sessionError;
if (!session)
throw new AuthSessionMissingError();
const { error } = await _request(this.fetch, 'GET', `${this.url}/reauthenticate`, {
headers: this.headers,
jwt: session.access_token,
});
return { data: { user: null, session: null }, error };
});
}
catch (error) {
if (isAuthError(error)) {
return { data: { user: null, session: null }, error };
}
throw error;
}
}
/**
* Resends an existing signup confirmation email, email change email, SMS OTP or phone change OTP.
*/
async resend(credentials) {
try {
const endpoint = `${this.url}/resend`;
if ('email' in credentials) {
const { email, type, options } = credentials;
const { error } = await _request(this.fetch, 'POST', endpoint, {
headers: this.headers,
body: {
email,
type,
gotrue_meta_security: { captcha_token: options === null || options === void 0 ? void 0 : options.captchaToken },
},
redirectTo: options === null || options === void 0 ? void 0 : options.emailRedirectTo,
});
return { data: { user: null, session: null }, error };
}
else if ('phone' in credentials) {
const { phone, type, options } = credentials;
const { data, error } = await _request(this.fetch, 'POST', endpoint, {
headers: this.headers,
body: {
phone,
type,
gotrue_meta_security: { captcha_token: options === null || options === void 0 ? void 0 : options.captchaToken },
},
});
return { data: { user: null, session: null, messageId: data === null || data === void 0 ? void 0 : data.message_id }, error };
}
throw new AuthInvalidCredentialsError('You must provide either an email or phone number and a type');
}
catch (error) {
if (isAuthError(error)) {
return { data: { user: null, session: null }, error };
}
throw error;
}
}
/**
* Returns the session, refreshing it if necessary.
*
* The session returned can be null if the session is not detected which can happen in the event a user is not signed-in or has logged out.
*
* **IMPORTANT:** This method loads values directly from the storage attached
* to the client. If that storage is based on request cookies for example,
* the values in it may not be authentic and therefore it's strongly advised
* against using this method and its results in such circumstances. A warning
* will be emitted if this is detected. Use {@link #getUser()} instead.
*/
async getSession() {
await this.initializePromise;
const result = await this._acquireLock(-1, async () => {
return this._useSession(async (result) => {
return result;
});
});
return result;
}
/**
* Acquires a global lock based on the storage key.
*/
async _acquireLock(acquireTimeout, fn) {
this._debug('#_acquireLock', 'begin', acquireTimeout);
try {
if (this.lockAcquired) {
const last = this.pendingInLock.length
? this.pendingInLock[this.pendingInLock.length - 1]
: Promise.resolve();
const result = (async () => {
await last;
return await fn();
})();
this.pendingInLock.push((async () => {
try {
await result;
}
catch (e) {
// we just care if it finished
}
})());
return result;
}
return await this.lock(`lock:${this.storageKey}`, acquireTimeout, async () => {
this._debug('#_acquireLock', 'lock acquired for storage key', this.storageKey);
try {
this.lockAcquired = true;
const result = fn();
this.pendingInLock.push((async () => {
try {
await result;
}
catch (e) {
// we just care if it finished
}
})());
await result;
// keep draining the queue until there's nothing to wait on
while (this.pendingInLock.length) {
const waitOn = [...this.pendingInLock];
await Promise.all(waitOn);
this.pendingInLock.splice(0, waitOn.length);
}
return await result;
}
finally {
this._debug('#_acquireLock', 'lock released for storage key', this.storageKey);
this.lockAcquired = false;
}
});
}
finally {
this._debug('#_acquireLock', 'end');
}
}
/**
* Use instead of {@link #getSession} inside the library. It is
* semantically usually what you want, as getting a session involves some
* processing afterwards that requires only one client operating on the
* session at once across multiple tabs or processes.
*/
async _useSession(fn) {
this._debug('#_useSession', 'begin');
try {
// the use of __loadSession here is the only correct use of the function!
const result = await this.__loadSession();
return await fn(result);
}
finally {
this._debug('#_useSession', 'end');
}
}
/**
* NEVER USE DIRECTLY!
*
* Always use {@link #_useSession}.
*/
async __loadSession() {
this._debug('#__loadSession()', 'begin');
if (!this.lockAcquired) {
this._debug('#__loadSession()', 'used outside of an acquired lock!', new Error().stack);
}
try {
let currentSession = null;
const maybeSession = await getItemAsync(this.storage, this.storageKey);
this._debug('#getSession()', 'session from storage', maybeSession);
if (maybeSession !== null) {
if (this._isValidSession(maybeSession)) {
currentSession = maybeSession;
}
else {
this._debug('#getSession()', 'session from storage is not valid');
await this._removeSession();
}
}
if (!currentSession) {
return { data: { session: null }, error: null };
}
// A session is considered expired before the access token _actually_
// expires. When the autoRefreshToken option is off (or when the tab is
// in the background), very eager users of getSession() -- like
// realtime-js -- might send a valid JWT which will expire by the time it
// reaches the server.
const hasExpired = currentSession.expires_at
? currentSession.expires_at * 1000 - Date.now() < EXPIRY_MARGIN_MS
: false;
this._debug('#__loadSession()', `session has${hasExpired ? '' : ' not'} expired`, 'expires_at', currentSession.expires_at);
if (!hasExpired) {
if (this.userStorage) {
const maybeUser = (await getItemAsync(this.userStorage, this.storageKey + '-user'));
if (maybeUser === null || maybeUser === void 0 ? void 0 : maybeUser.user) {
currentSession.user = maybeUser.user;
}
else {
currentSession.user = userNotAvailableProxy();
}
}
if (this.storage.isServer && currentSession.user) {
let suppressWarning = this.suppressGetSessionWarning;
const proxySession = new Proxy(currentSession, {
get: (target, prop, receiver) => {
if (!suppressWarning && prop === 'user') {
// only show warning when the user object is being accessed from the server
console.warn('Using the user object as returned from supabase.auth.getSession() or from some supabase.auth.onAuthStateChange() events could be insecure! This value comes directly from the storage medium (usually cookies on the server) and may not be authentic. Use supabase.auth.getUser() instead w