Merge pull request #480 from supabase/j0_merge_rc_into_mfa

fix: merge rc into mfa

Author: J0

Diff for: src/GoTrueClient.ts

@@ -17,6 +17,7 @@ import {
 } from './lib/errors'
 import { Fetch, _request, _sessionResponse, _userResponse } from './lib/fetch'
 import {
+  decodeBase64URL,
   Deferred,
   getItemAsync,
   getParameterByName,
@@ -348,6 +349,7 @@ export default class GoTrueClient {
           headers: this.headers,
           body: {
             email,
+            data: options?.data ?? {},
             create_user: options?.shouldCreateUser ?? true,
             gotrue_meta_security: { captcha_token: options?.captchaToken },
           },
@@ -361,6 +363,7 @@ export default class GoTrueClient {
           headers: this.headers,
           body: {
             phone,
+            data: options?.data ?? {},
             create_user: options?.shouldCreateUser ?? true,
             gotrue_meta_security: { captcha_token: options?.captchaToken },
           },
@@ -496,7 +499,7 @@ export default class GoTrueClient {
         }
 
         // Default to Authorization header if there is no existing session
-        jwt = data.session?.access_token ?? this.headers['Authorization']
+        jwt = data.session?.access_token ?? undefined
       }
 
       return await _request(this.fetch, 'GET', `${this.url}/user`, {
@@ -548,28 +551,59 @@ export default class GoTrueClient {
   }
 
   /**
-   * Sets the session data from refresh token and returns current session or an error if the refresh token is invalid.
-   * @param refresh_token A refresh token returned by supabase auth.
+   * Sets the session data from the current session. If the current session is expired, setSession will take care of refreshing it to obtain a new session.
+   * If the refresh token in the current session is invalid and the current session has expired, an error will be thrown.
+   * If the current session does not contain at expires_at field, setSession will use the exp claim defined in the access token.
+   * @param currentSession The current session that minimally contains an access token, refresh token and a user.
    */
-  async setSession(refresh_token: string): Promise<AuthResponse> {
+  async setSession(
+    currentSession: Pick<Session, 'access_token' | 'refresh_token'>
+  ): Promise<AuthResponse> {
     try {
-      if (!refresh_token) {
-        throw new AuthSessionMissingError()
-      }
-      const { data, error } = await this._refreshAccessToken(refresh_token)
-      if (error) {
-        return { data: { session: null, user: null }, error: error }
+      const timeNow = Date.now() / 1000
+      let expiresAt = timeNow
+      let hasExpired = true
+      let session: Session | null = null
+      if (currentSession.access_token && currentSession.access_token.split('.')[1]) {
+        const payload = JSON.parse(decodeBase64URL(currentSession.access_token.split('.')[1]))
+        if (payload.exp) {
+          expiresAt = payload.exp
+          hasExpired = expiresAt <= timeNow
+        }
       }
 
-      if (!data.session) {
-        return { data: { session: null, user: null }, error: null }
-      }
+      if (hasExpired) {
+        if (!currentSession.refresh_token) {
+          throw new AuthSessionMissingError()
+        }
+        const { data, error } = await this._refreshAccessToken(currentSession.refresh_token)
+        if (error) {
+          return { data: { session: null, user: null }, error: error }
+        }
 
-      await this._saveSession(data.session)
+        if (!data.session) {
+          return { data: { session: null, user: null }, error: null }
+        }
+        session = data.session
+      } else {
+        const { data, error } = await this.getUser(currentSession.access_token)
+        if (error) {
+          throw error
+        }
+        session = {
+          access_token: currentSession.access_token,
+          refresh_token: currentSession.refresh_token,
+          user: data.user,
+          token_type: 'bearer',
+          expires_in: expiresAt - timeNow,
+          expires_at: expiresAt,
+        }
+      }
 
-      this._notifyAllSubscribers('TOKEN_REFRESHED', data.session)
+      await this._saveSession(session)
+      this._notifyAllSubscribers('TOKEN_REFRESHED', session)
 
-      return { data, error: null }
+      return { data: { session, user: session.user }, error: null }
     } catch (error) {
       if (isAuthError(error)) {
         return { data: { session: null, user: null }, error }
@@ -606,6 +640,7 @@ export default class GoTrueClient {
       }
 
       const provider_token = getParameterByName('provider_token')
+      const provider_refresh_token = getParameterByName('provider_refresh_token')
       const access_token = getParameterByName('access_token')
       if (!access_token) throw new AuthImplicitGrantRedirectError('No access_token detected.')
       const expires_in = getParameterByName('expires_in')
@@ -623,6 +658,7 @@ export default class GoTrueClient {
       const user: User = data.user
       const session: Session = {
         provider_token,
+        provider_refresh_token,
         access_token,
         expires_in: parseInt(expires_in),
         expires_at,
@@ -893,7 +929,7 @@ export default class GoTrueClient {
       const timeNow = Math.round(Date.now() / 1000)
       const expiresIn = expiresAt - timeNow
       const refreshDurationBeforeExpires = expiresIn > EXPIRY_MARGIN ? EXPIRY_MARGIN : 0.5
-      this._startAutoRefreshToken((expiresIn - refreshDurationBeforeExpires) * 1000, session)
+      this._startAutoRefreshToken((expiresIn - refreshDurationBeforeExpires) * 1000)
     }
 
     if (this.persistSession && session.expires_at) {
@@ -922,22 +958,25 @@ export default class GoTrueClient {
    * @param value time intervals in milliseconds.
    * @param session The current session.
    */
-  private _startAutoRefreshToken(value: number, session: Session) {
+  private _startAutoRefreshToken(value: number) {
     if (this.refreshTokenTimer) clearTimeout(this.refreshTokenTimer)
     if (value <= 0 || !this.autoRefreshToken) return
 
     this.refreshTokenTimer = setTimeout(async () => {
       this.networkRetries++
-      const { error } = await this._callRefreshToken(session.refresh_token)
-      if (!error) this.networkRetries = 0
-      if (
-        error instanceof AuthRetryableFetchError &&
-        this.networkRetries < NETWORK_FAILURE.MAX_RETRIES
-      )
-        this._startAutoRefreshToken(
-          NETWORK_FAILURE.RETRY_INTERVAL ** this.networkRetries * 100,
-          session
-        ) // exponential backoff
+      const {
+        data: { session },
+        error: sessionError,
+      } = await this.getSession()
+      if (!sessionError && session) {
+        const { error } = await this._callRefreshToken(session.refresh_token)
+        if (!error) this.networkRetries = 0
+        if (
+          error instanceof AuthRetryableFetchError &&
+          this.networkRetries < NETWORK_FAILURE.MAX_RETRIES
+        )
+          this._startAutoRefreshToken(NETWORK_FAILURE.RETRY_INTERVAL ** this.networkRetries * 100) // exponential backoff
+      }
     }, value)
     if (typeof this.refreshTokenTimer.unref === 'function') this.refreshTokenTimer.unref()
   }

Diff for: src/lib/fetch.ts

@@ -27,9 +27,10 @@ const _getErrorMessage = (err: any): string =>
   err.msg || err.message || err.error_description || err.error || JSON.stringify(err)
 
 const handleError = async (error: unknown, reject: (reason?: any) => void) => {
+  const NETWORK_ERROR_CODES = [502, 503, 504]
   if (!looksLikeFetchResponse(error)) {
     reject(new AuthRetryableFetchError(_getErrorMessage(error), 0))
-  } else if (error.status >= 500 && error.status <= 599) {
+  } else if (NETWORK_ERROR_CODES.includes(error.status)) {
     // status in 500...599 range - server had an error, request might be retryed.
     reject(new AuthRetryableFetchError(_getErrorMessage(error), error.status))
   } else {

Diff for: src/lib/helpers.ts

@@ -78,6 +78,24 @@ export const removeItemAsync = async (storage: SupportedStorage, key: string): P
   await storage.removeItem(key)
 }
 
+export const decodeBase64URL = (value: string): string => {
+  try {
+    // atob is present in all browsers and nodejs >= 16
+    // but if it is not it will throw a ReferenceError in which case we can try to use Buffer
+    // replace are here to convert the Base64-URL into Base64 which is what atob supports
+    // replace with //g regex acts like replaceAll
+    return atob(value.replace(/[-]/g, '+').replace(/[_]/g, '/'))
+  } catch (e) {
+    if (e instanceof ReferenceError) {
+      // running on nodejs < 16
+      // Buffer supports Base64-URL transparently
+      return Buffer.from(value, 'base64').toString('utf-8')
+    } else {
+      throw e
+    }
+  }
+}
+
 /**
  * A deferred represents some asynchronous work that is not yet finished, which
  * may or may not culminate in a value.

Diff for: src/lib/types.ts

@@ -139,7 +139,15 @@ export type UserResponse =
     }
 
 export interface Session {
+  /**
+   * The oauth provider token. If present, this can be used to make external API requests to the oauth provider used.
+   */
   provider_token?: string | null
+  /**
+   * The oauth provider refresh token. If present, this can be used to refresh the provider_token via the oauth provider's API.
+   * Not all oauth providers return a provider refresh token. If the provider_refresh_token is missing, please refer to the oauth provider's documentation for information on how to obtain the provider refresh token.
+   */
+  provider_refresh_token?: string | null
   /**
    * The access token jwt. It is recommended to set the JWT_EXPIRY to a shorter expiry value.
    */
@@ -187,15 +195,19 @@ export interface Factor {
   factor_type: string
 }
 
+export interface UserAppMetadata {
+  provider?: string
+  [key: string]: any
+}
+
+export interface UserMetadata {
+  [key: string]: any
+}
+
 export interface User {
   id: string
-  app_metadata: {
-    provider?: string
-    [key: string]: any
-  }
-  user_metadata: {
-    [key: string]: any
-  }
+  app_metadata: UserAppMetadata
+  user_metadata: UserMetadata
   aud: string
   confirmation_sent_at?: string
   recovery_sent_at?: string
@@ -278,6 +290,18 @@ export interface AdminUserAttributes extends UserAttributes {
    * Only a service role can modify.
    */
   phone_confirm?: boolean
+
+  /**
+   * Determines how long a user is banned for.
+   *
+   * The format for the ban duration follows a strict sequence of decimal numbers with a unit suffix.
+   * Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h".
+   *
+   * For example, some possible durations include: '300ms', '2h45m'.
+   *
+   * Setting the ban duration to 'none' lifts the ban on the user.
+   */
+  ban_duration?: string | 'none'
 }
 
 export interface Subscription {
@@ -365,6 +389,12 @@ export type SignInWithPasswordlessCredentials =
         emailRedirectTo?: string
         /** If set to false, this method will not create a new user. Defaults to true. */
         shouldCreateUser?: boolean
+        /**
+         * A custom data object to store the user's metadata. This maps to the `auth.users.user_metadata` column.
+         *
+         * The `data` should be a JSON object that includes user-specific info, such as their first and last name.
+         */
+        data?: object
         /** Verification token received when the user completes the captcha on the site. */
         captchaToken?: string
       }
@@ -375,6 +405,12 @@ export type SignInWithPasswordlessCredentials =
       options?: {
         /** If set to false, this method will not create a new user. Defaults to true. */
         shouldCreateUser?: boolean
+        /**
+         * A custom data object to store the user's metadata. This maps to the `auth.users.user_metadata` column.
+         *
+         * The `data` should be a JSON object that includes user-specific info, such as their first and last name.
+         */
+        data?: object
         /** Verification token received when the user completes the captcha on the site. */
         captchaToken?: string
       }