474 lines
19 KiB
TypeScript
474 lines
19 KiB
TypeScript
import GoTrueAdminApi from './GoTrueAdminApi';
|
|
import { AuthError } from './lib/errors';
|
|
import { Fetch } from './lib/fetch';
|
|
import { Deferred } from './lib/helpers';
|
|
import type { AuthChangeEvent, AuthResponse, AuthTokenResponse, AuthTokenResponsePassword, AuthOtpResponse, CallRefreshTokenResult, GoTrueClientOptions, InitializeResult, OAuthResponse, SSOResponse, Session, SignInWithIdTokenCredentials, SignInWithOAuthCredentials, SignInWithPasswordCredentials, SignInWithPasswordlessCredentials, SignUpWithPasswordCredentials, SignInWithSSO, SignOut, Subscription, SupportedStorage, UserAttributes, UserResponse, VerifyOtpParams, GoTrueMFAApi, ResendParams, AuthFlowType, LockFunc, UserIdentity, SignInAnonymouslyCredentials, JWK, JwtPayload, JwtHeader } from './lib/types';
|
|
export default class GoTrueClient {
|
|
private static nextInstanceID;
|
|
private instanceID;
|
|
/**
|
|
* Namespace for the GoTrue admin methods.
|
|
* These methods should only be used in a trusted server-side environment.
|
|
*/
|
|
admin: GoTrueAdminApi;
|
|
/**
|
|
* Namespace for the MFA methods.
|
|
*/
|
|
mfa: GoTrueMFAApi;
|
|
/**
|
|
* The storage key used to identify the values saved in localStorage
|
|
*/
|
|
protected storageKey: string;
|
|
protected flowType: AuthFlowType;
|
|
/**
|
|
* The JWKS used for verifying asymmetric JWTs
|
|
*/
|
|
protected jwks: {
|
|
keys: JWK[];
|
|
};
|
|
protected jwks_cached_at: number;
|
|
protected autoRefreshToken: boolean;
|
|
protected persistSession: boolean;
|
|
protected storage: SupportedStorage;
|
|
protected memoryStorage: {
|
|
[key: string]: string;
|
|
} | null;
|
|
protected stateChangeEmitters: Map<string, Subscription>;
|
|
protected autoRefreshTicker: ReturnType<typeof setInterval> | null;
|
|
protected visibilityChangedCallback: (() => Promise<any>) | null;
|
|
protected refreshingDeferred: Deferred<CallRefreshTokenResult> | null;
|
|
/**
|
|
* Keeps track of the async client initialization.
|
|
* When null or not yet resolved the auth state is `unknown`
|
|
* Once resolved the the auth state is known and it's save to call any further client methods.
|
|
* Keep extra care to never reject or throw uncaught errors
|
|
*/
|
|
protected initializePromise: Promise<InitializeResult> | null;
|
|
protected detectSessionInUrl: boolean;
|
|
protected url: string;
|
|
protected headers: {
|
|
[key: string]: string;
|
|
};
|
|
protected hasCustomAuthorizationHeader: boolean;
|
|
protected suppressGetSessionWarning: boolean;
|
|
protected fetch: Fetch;
|
|
protected lock: LockFunc;
|
|
protected lockAcquired: boolean;
|
|
protected pendingInLock: Promise<any>[];
|
|
/**
|
|
* Used to broadcast state change events to other tabs listening.
|
|
*/
|
|
protected broadcastChannel: BroadcastChannel | null;
|
|
protected logDebugMessages: boolean;
|
|
protected logger: (message: string, ...args: any[]) => void;
|
|
/**
|
|
* Create a new client for use in the browser.
|
|
*/
|
|
constructor(options: GoTrueClientOptions);
|
|
private _debug;
|
|
/**
|
|
* Initializes the client session either from the url or from storage.
|
|
* This method is automatically called when instantiating the client, but should also be called
|
|
* manually when checking for an error from an auth redirect (oauth, magiclink, password recovery, etc).
|
|
*/
|
|
initialize(): Promise<InitializeResult>;
|
|
/**
|
|
* IMPORTANT:
|
|
* 1. Never throw in this method, as it is called from the constructor
|
|
* 2. Never return a session from this method as it would be cached over
|
|
* the whole lifetime of the client
|
|
*/
|
|
private _initialize;
|
|
/**
|
|
* Creates a new anonymous user.
|
|
*
|
|
* @returns A session where the is_anonymous claim in the access token JWT set to true
|
|
*/
|
|
signInAnonymously(credentials?: SignInAnonymouslyCredentials): Promise<AuthResponse>;
|
|
/**
|
|
* Creates a new user.
|
|
*
|
|
* Be aware that if a user account exists in the system you may get back an
|
|
* error message that attempts to hide this information from the user.
|
|
* This method has support for PKCE via email signups. The PKCE flow cannot be used when autoconfirm is enabled.
|
|
*
|
|
* @returns A logged-in session if the server has "autoconfirm" ON
|
|
* @returns A user if the server has "autoconfirm" OFF
|
|
*/
|
|
signUp(credentials: SignUpWithPasswordCredentials): Promise<AuthResponse>;
|
|
/**
|
|
* Log in an existing user with an email and password or phone and password.
|
|
*
|
|
* Be aware that you may get back an error message that will not distinguish
|
|
* between the cases where the account does not exist or that the
|
|
* email/phone and password combination is wrong or that the account can only
|
|
* be accessed via social login.
|
|
*/
|
|
signInWithPassword(credentials: SignInWithPasswordCredentials): Promise<AuthTokenResponsePassword>;
|
|
/**
|
|
* Log in an existing user via a third-party provider.
|
|
* This method supports the PKCE flow.
|
|
*/
|
|
signInWithOAuth(credentials: SignInWithOAuthCredentials): Promise<OAuthResponse>;
|
|
/**
|
|
* Log in an existing user by exchanging an Auth Code issued during the PKCE flow.
|
|
*/
|
|
exchangeCodeForSession(authCode: string): Promise<AuthTokenResponse>;
|
|
private _exchangeCodeForSession;
|
|
/**
|
|
* Allows signing in with an OIDC ID token. The authentication provider used
|
|
* should be enabled and configured.
|
|
*/
|
|
signInWithIdToken(credentials: SignInWithIdTokenCredentials): Promise<AuthTokenResponse>;
|
|
/**
|
|
* Log in a user using magiclink or a one-time password (OTP).
|
|
*
|
|
* If the `{{ .ConfirmationURL }}` variable is specified in the email template, a magiclink will be sent.
|
|
* If the `{{ .Token }}` variable is specified in the email template, an OTP will be sent.
|
|
* If you're using phone sign-ins, only an OTP will be sent. You won't be able to send a magiclink for phone sign-ins.
|
|
*
|
|
* Be aware that you may get back an error message that will not distinguish
|
|
* between the cases where the account does not exist or, that the account
|
|
* can only be accessed via social login.
|
|
*
|
|
* Do note that you will need to configure a Whatsapp sender on Twilio
|
|
* if you are using phone sign in with the 'whatsapp' channel. The whatsapp
|
|
* channel is not supported on other providers
|
|
* at this time.
|
|
* This method supports PKCE when an email is passed.
|
|
*/
|
|
signInWithOtp(credentials: SignInWithPasswordlessCredentials): Promise<AuthOtpResponse>;
|
|
/**
|
|
* Log in a user given a User supplied OTP or TokenHash received through mobile or email.
|
|
*/
|
|
verifyOtp(params: VerifyOtpParams): Promise<AuthResponse>;
|
|
/**
|
|
* Attempts a single-sign on using an enterprise Identity Provider. A
|
|
* successful SSO attempt will redirect the current page to the identity
|
|
* provider authorization page. The redirect URL is implementation and SSO
|
|
* protocol specific.
|
|
*
|
|
* You can use it by providing a SSO domain. Typically you can extract this
|
|
* domain by asking users for their email address. If this domain is
|
|
* registered on the Auth instance the redirect will use that organization's
|
|
* currently active SSO Identity Provider for the login.
|
|
*
|
|
* If you have built an organization-specific login page, you can use the
|
|
* organization's SSO Identity Provider UUID directly instead.
|
|
*/
|
|
signInWithSSO(params: SignInWithSSO): Promise<SSOResponse>;
|
|
/**
|
|
* Sends a reauthentication OTP to the user's email or phone number.
|
|
* Requires the user to be signed-in.
|
|
*/
|
|
reauthenticate(): Promise<AuthResponse>;
|
|
private _reauthenticate;
|
|
/**
|
|
* Resends an existing signup confirmation email, email change email, SMS OTP or phone change OTP.
|
|
*/
|
|
resend(credentials: ResendParams): Promise<AuthOtpResponse>;
|
|
/**
|
|
* Returns the session, refreshing it if necessary.
|
|
*
|
|
* The session returned can be null if the session is not detected which can happen in the event a user is not signed-in or has logged out.
|
|
*
|
|
* **IMPORTANT:** This method loads values directly from the storage attached
|
|
* to the client. If that storage is based on request cookies for example,
|
|
* the values in it may not be authentic and therefore it's strongly advised
|
|
* against using this method and its results in such circumstances. A warning
|
|
* will be emitted if this is detected. Use {@link #getUser()} instead.
|
|
*/
|
|
getSession(): Promise<{
|
|
data: {
|
|
session: Session;
|
|
};
|
|
error: null;
|
|
} | {
|
|
data: {
|
|
session: null;
|
|
};
|
|
error: AuthError;
|
|
} | {
|
|
data: {
|
|
session: null;
|
|
};
|
|
error: null;
|
|
}>;
|
|
/**
|
|
* Acquires a global lock based on the storage key.
|
|
*/
|
|
private _acquireLock;
|
|
/**
|
|
* Use instead of {@link #getSession} inside the library. It is
|
|
* semantically usually what you want, as getting a session involves some
|
|
* processing afterwards that requires only one client operating on the
|
|
* session at once across multiple tabs or processes.
|
|
*/
|
|
private _useSession;
|
|
/**
|
|
* NEVER USE DIRECTLY!
|
|
*
|
|
* Always use {@link #_useSession}.
|
|
*/
|
|
private __loadSession;
|
|
/**
|
|
* Gets the current user details if there is an existing session. This method
|
|
* performs a network request to the Supabase Auth server, so the returned
|
|
* value is authentic and can be used to base authorization rules on.
|
|
*
|
|
* @param jwt Takes in an optional access token JWT. If no JWT is provided, the JWT from the current session is used.
|
|
*/
|
|
getUser(jwt?: string): Promise<UserResponse>;
|
|
private _getUser;
|
|
/**
|
|
* Updates user data for a logged in user.
|
|
*/
|
|
updateUser(attributes: UserAttributes, options?: {
|
|
emailRedirectTo?: string | undefined;
|
|
}): Promise<UserResponse>;
|
|
protected _updateUser(attributes: UserAttributes, options?: {
|
|
emailRedirectTo?: string | undefined;
|
|
}): Promise<UserResponse>;
|
|
/**
|
|
* Sets the session data from the current session. If the current session is expired, setSession will take care of refreshing it to obtain a new session.
|
|
* If the refresh token or access token in the current session is invalid, an error will be thrown.
|
|
* @param currentSession The current session that minimally contains an access token and refresh token.
|
|
*/
|
|
setSession(currentSession: {
|
|
access_token: string;
|
|
refresh_token: string;
|
|
}): Promise<AuthResponse>;
|
|
protected _setSession(currentSession: {
|
|
access_token: string;
|
|
refresh_token: string;
|
|
}): Promise<AuthResponse>;
|
|
/**
|
|
* Returns a new session, regardless of expiry status.
|
|
* Takes in an optional current session. If not passed in, then refreshSession() will attempt to retrieve it from getSession().
|
|
* If the current session's refresh token is invalid, an error will be thrown.
|
|
* @param currentSession The current session. If passed in, it must contain a refresh token.
|
|
*/
|
|
refreshSession(currentSession?: {
|
|
refresh_token: string;
|
|
}): Promise<AuthResponse>;
|
|
protected _refreshSession(currentSession?: {
|
|
refresh_token: string;
|
|
}): Promise<AuthResponse>;
|
|
/**
|
|
* Gets the session data from a URL string
|
|
*/
|
|
private _getSessionFromURL;
|
|
/**
|
|
* Checks if the current URL contains parameters given by an implicit oauth grant flow (https://www.rfc-editor.org/rfc/rfc6749.html#section-4.2)
|
|
*/
|
|
private _isImplicitGrantCallback;
|
|
/**
|
|
* Checks if the current URL and backing storage contain parameters given by a PKCE flow
|
|
*/
|
|
private _isPKCECallback;
|
|
/**
|
|
* Inside a browser context, `signOut()` will remove the logged in user from the browser session and log them out - removing all items from localstorage and then trigger a `"SIGNED_OUT"` event.
|
|
*
|
|
* For server-side management, you can revoke all refresh tokens for a user by passing a user's JWT through to `auth.api.signOut(JWT: string)`.
|
|
* There is no way to revoke a user's access token jwt until it expires. It is recommended to set a shorter expiry on the jwt for this reason.
|
|
*
|
|
* If using `others` scope, no `SIGNED_OUT` event is fired!
|
|
*/
|
|
signOut(options?: SignOut): Promise<{
|
|
error: AuthError | null;
|
|
}>;
|
|
protected _signOut({ scope }?: SignOut): Promise<{
|
|
error: AuthError | null;
|
|
}>;
|
|
/**
|
|
* Receive a notification every time an auth event happens.
|
|
* @param callback A callback function to be invoked when an auth event happens.
|
|
*/
|
|
onAuthStateChange(callback: (event: AuthChangeEvent, session: Session | null) => void | Promise<void>): {
|
|
data: {
|
|
subscription: Subscription;
|
|
};
|
|
};
|
|
private _emitInitialSession;
|
|
/**
|
|
* Sends a password reset request to an email address. This method supports the PKCE flow.
|
|
*
|
|
* @param email The email address of the user.
|
|
* @param options.redirectTo The URL to send the user to after they click the password reset link.
|
|
* @param options.captchaToken Verification token received when the user completes the captcha on the site.
|
|
*/
|
|
resetPasswordForEmail(email: string, options?: {
|
|
redirectTo?: string;
|
|
captchaToken?: string;
|
|
}): Promise<{
|
|
data: {};
|
|
error: null;
|
|
} | {
|
|
data: null;
|
|
error: AuthError;
|
|
}>;
|
|
/**
|
|
* Gets all the identities linked to a user.
|
|
*/
|
|
getUserIdentities(): Promise<{
|
|
data: {
|
|
identities: UserIdentity[];
|
|
};
|
|
error: null;
|
|
} | {
|
|
data: null;
|
|
error: AuthError;
|
|
}>;
|
|
/**
|
|
* Links an oauth identity to an existing user.
|
|
* This method supports the PKCE flow.
|
|
*/
|
|
linkIdentity(credentials: SignInWithOAuthCredentials): Promise<OAuthResponse>;
|
|
/**
|
|
* Unlinks an identity from a user by deleting it. The user will no longer be able to sign in with that identity once it's unlinked.
|
|
*/
|
|
unlinkIdentity(identity: UserIdentity): Promise<{
|
|
data: {};
|
|
error: null;
|
|
} | {
|
|
data: null;
|
|
error: AuthError;
|
|
}>;
|
|
/**
|
|
* Generates a new JWT.
|
|
* @param refreshToken A valid refresh token that was returned on login.
|
|
*/
|
|
private _refreshAccessToken;
|
|
private _isValidSession;
|
|
private _handleProviderSignIn;
|
|
/**
|
|
* Recovers the session from LocalStorage and refreshes the token
|
|
* Note: this method is async to accommodate for AsyncStorage e.g. in React native.
|
|
*/
|
|
private _recoverAndRefresh;
|
|
private _callRefreshToken;
|
|
private _notifyAllSubscribers;
|
|
/**
|
|
* set currentSession and currentUser
|
|
* process to _startAutoRefreshToken if possible
|
|
*/
|
|
private _saveSession;
|
|
private _removeSession;
|
|
/**
|
|
* Removes any registered visibilitychange callback.
|
|
*
|
|
* {@see #startAutoRefresh}
|
|
* {@see #stopAutoRefresh}
|
|
*/
|
|
private _removeVisibilityChangedCallback;
|
|
/**
|
|
* This is the private implementation of {@link #startAutoRefresh}. Use this
|
|
* within the library.
|
|
*/
|
|
private _startAutoRefresh;
|
|
/**
|
|
* This is the private implementation of {@link #stopAutoRefresh}. Use this
|
|
* within the library.
|
|
*/
|
|
private _stopAutoRefresh;
|
|
/**
|
|
* Starts an auto-refresh process in the background. The session is checked
|
|
* every few seconds. Close to the time of expiration a process is started to
|
|
* refresh the session. If refreshing fails it will be retried for as long as
|
|
* necessary.
|
|
*
|
|
* If you set the {@link GoTrueClientOptions#autoRefreshToken} you don't need
|
|
* to call this function, it will be called for you.
|
|
*
|
|
* On browsers the refresh process works only when the tab/window is in the
|
|
* foreground to conserve resources as well as prevent race conditions and
|
|
* flooding auth with requests. If you call this method any managed
|
|
* visibility change callback will be removed and you must manage visibility
|
|
* changes on your own.
|
|
*
|
|
* On non-browser platforms the refresh process works *continuously* in the
|
|
* background, which may not be desirable. You should hook into your
|
|
* platform's foreground indication mechanism and call these methods
|
|
* appropriately to conserve resources.
|
|
*
|
|
* {@see #stopAutoRefresh}
|
|
*/
|
|
startAutoRefresh(): Promise<void>;
|
|
/**
|
|
* Stops an active auto refresh process running in the background (if any).
|
|
*
|
|
* If you call this method any managed visibility change callback will be
|
|
* removed and you must manage visibility changes on your own.
|
|
*
|
|
* See {@link #startAutoRefresh} for more details.
|
|
*/
|
|
stopAutoRefresh(): Promise<void>;
|
|
/**
|
|
* Runs the auto refresh token tick.
|
|
*/
|
|
private _autoRefreshTokenTick;
|
|
/**
|
|
* Registers callbacks on the browser / platform, which in-turn run
|
|
* algorithms when the browser window/tab are in foreground. On non-browser
|
|
* platforms it assumes always foreground.
|
|
*/
|
|
private _handleVisibilityChange;
|
|
/**
|
|
* Callback registered with `window.addEventListener('visibilitychange')`.
|
|
*/
|
|
private _onVisibilityChanged;
|
|
/**
|
|
* Generates the relevant login URL for a third-party provider.
|
|
* @param options.redirectTo A URL or mobile address to send the user to after they are confirmed.
|
|
* @param options.scopes A space-separated list of scopes granted to the OAuth application.
|
|
* @param options.queryParams An object of key-value pairs containing query parameters granted to the OAuth application.
|
|
*/
|
|
private _getUrlForProvider;
|
|
private _unenroll;
|
|
/**
|
|
* {@see GoTrueMFAApi#enroll}
|
|
*/
|
|
private _enroll;
|
|
/**
|
|
* {@see GoTrueMFAApi#verify}
|
|
*/
|
|
private _verify;
|
|
/**
|
|
* {@see GoTrueMFAApi#challenge}
|
|
*/
|
|
private _challenge;
|
|
/**
|
|
* {@see GoTrueMFAApi#challengeAndVerify}
|
|
*/
|
|
private _challengeAndVerify;
|
|
/**
|
|
* {@see GoTrueMFAApi#listFactors}
|
|
*/
|
|
private _listFactors;
|
|
/**
|
|
* {@see GoTrueMFAApi#getAuthenticatorAssuranceLevel}
|
|
*/
|
|
private _getAuthenticatorAssuranceLevel;
|
|
private fetchJwk;
|
|
/**
|
|
* @experimental This method may change in future versions.
|
|
* @description Gets the claims from a JWT. If the JWT is symmetric JWTs, it will call getUser() to verify against the server. If the JWT is asymmetric, it will be verified against the JWKS using the WebCrypto API.
|
|
*/
|
|
getClaims(jwt?: string, jwks?: {
|
|
keys: JWK[];
|
|
}): Promise<{
|
|
data: {
|
|
claims: JwtPayload;
|
|
header: JwtHeader;
|
|
signature: Uint8Array;
|
|
};
|
|
error: null;
|
|
} | {
|
|
data: null;
|
|
error: AuthError;
|
|
} | {
|
|
data: null;
|
|
error: null;
|
|
}>;
|
|
}
|
|
//# sourceMappingURL=GoTrueClient.d.ts.map
|