Skip to main content
Deno 2 is finally here 🎉️
Learn more
Module

x/deco/deps.ts>supabase.GoTrueClient

Open-Source web editor based on Preact, Tailwind and TypeScript. The other side of code.
Go to Latest
class supabase.GoTrueClient
Re-export
import { supabase } from "https://deno.land/x/deco@1.59.1/deps.ts";
const { GoTrueClient } = supabase;

Constructors

new
GoTrueClient(options: GoTrueClientOptions)

Create a new client for use in the browser.

Properties

private
__loadSession

NEVER USE DIRECTLY!

Always use #_useSession.

private
_acquireLock

Acquires a global lock based on the storage key.

private
_autoRefreshTokenTick

Runs the auto refresh token tick.

private
_callRefreshToken
private
_challenge

{@see GoTrueMFAApi#challenge}

private
_challengeAndVerify

{@see GoTrueMFAApi#challengeAndVerify}

private
_debug
private
_decodeJWT

Decodes a JWT (without performing any validation).

private
_emitInitialSession
private
_enroll

{@see GoTrueMFAApi#enroll}

private
_exchangeCodeForSession
private
_getAuthenticatorAssuranceLevel

{@see GoTrueMFAApi#getAuthenticatorAssuranceLevel}

private
_getSessionFromURL

Gets the session data from a URL string

private
_getUrlForProvider

Generates the relevant login URL for a third-party provider.

private
_getUser
private
_handleProviderSignIn
private
_handleVisibilityChange

Registers callbacks on the browser / platform, which in-turn run algorithms when the browser window/tab are in foreground. On non-browser platforms it assumes always foreground.

private
_initialize

IMPORTANT:

  1. Never throw in this method, as it is called from the constructor
  2. Never return a session from this method as it would be cached over the whole lifetime of the client
private
_isImplicitGrantFlow

Checks if the current URL contains parameters given by an implicit oauth grant flow (https://www.rfc-editor.org/rfc/rfc6749.html#section-4.2)

private
_isPKCEFlow

Checks if the current URL and backing storage contain parameters given by a PKCE flow

private
_isValidSession
private
_listFactors

{@see GoTrueMFAApi#listFactors}

private
_notifyAllSubscribers
private
_onVisibilityChanged

Callback registered with window.addEventListener('visibilitychange').

private
_persistSession
private
_reauthenticate
private
_recoverAndRefresh

Recovers the session from LocalStorage and refreshes Note: this method is async to accommodate for AsyncStorage e.g. in React native.

private
_refreshAccessToken

Generates a new JWT.

private
_removeSession
private
_removeVisibilityChangedCallback

Removes any registered visibilitychange callback.

{@see #startAutoRefresh} {@see #stopAutoRefresh}

private
_saveSession

set currentSession and currentUser process to _startAutoRefreshToken if possible

private
_startAutoRefresh

This is the private implementation of #startAutoRefresh. Use this within the library.

private
_stopAutoRefresh

This is the private implementation of #stopAutoRefresh. Use this within the library.

private
_unenroll
private
_useSession

Use instead of #getSession inside the library. It is semantically usually what you want, as getting a session involves some processing afterwards that requires only one client operating on the session at once across multiple tabs or processes.

private
_verify

{@see GoTrueMFAApi#verify}

private
instanceID
protected
autoRefreshTicker: ReturnType<setInterval> | null
protected
autoRefreshToken: boolean
protected
broadcastChannel: BroadcastChannel | null

Used to broadcast state change events to other tabs listening.

protected
detectSessionInUrl: boolean
protected
fetch: Fetch
protected
flowType: AuthFlowType
protected
headers: { [key: string]: string; }
protected
initializePromise: Promise<InitializeResult> | null

Keeps track of the async client initialization. When null or not yet resolved the auth state is unknown Once resolved the the auth state is known and it's save to call any further client methods. Keep extra care to never reject or throw uncaught errors

protected
lock: LockFunc
protected
lockAcquired: boolean
protected
logDebugMessages: boolean
protected
logger: (message: string, ...args: any[]) => void
protected
memoryStorage: { [key: string]: string; } | null
protected
pendingInLock: Promise<any>[]
protected
persistSession: boolean
protected
refreshingDeferred: Deferred<CallRefreshTokenResult> | null
protected
stateChangeEmitters: Map<string, Subscription>
protected
storage: SupportedStorage
protected
storageKey: string

The storage key used to identify the values saved in localStorage

protected
url: string
protected
visibilityChangedCallback: (() => Promise<any>) | null

Namespace for the GoTrue admin methods. These methods should only be used in a trusted server-side environment.

Namespace for the MFA methods.

Methods

protected
_refreshSession(currentSession?: { refresh_token: string; }): Promise<AuthResponse>
protected
_setSession(currentSession: { access_token: string; refresh_token: string; }): Promise<AuthResponse>
protected
_signOut(unnamed 0?: SignOut): Promise<{ error: AuthError | null; }>
protected
_updateUser(attributes: UserAttributes, options?: { emailRedirectTo?: string | undefined; }): Promise<UserResponse>
exchangeCodeForSession(authCode: string): Promise<AuthTokenResponse>

Log in an existing user by exchanging an Auth Code issued during the PKCE flow.

getSession(): Promise<{ data: { session: Session; }; error: null; } | { data: { session: null; }; error: AuthError; } | { data: { session: null; }; error: null; }>

Returns the session, refreshing it if necessary. The session returned can be null if the session is not detected which can happen in the event a user is not signed-in or has logged out.

getUser(jwt?: string): Promise<UserResponse>

Gets the current user details if there is an existing session.

Initializes the client session either from the url or from storage. This method is automatically called when instantiating the client, but should also be called manually when checking for an error from an auth redirect (oauth, magiclink, password recovery, etc).

onAuthStateChange(callback: (event: AuthChangeEvent, session: Session | null) => void | Promise<void>): { data: { subscription: Subscription; }; }

Receive a notification every time an auth event happens.

Sends a reauthentication OTP to the user's email or phone number. Requires the user to be signed-in.

refreshSession(currentSession?: { refresh_token: string; }): Promise<AuthResponse>

Returns a new session, regardless of expiry status. Takes in an optional current session. If not passed in, then refreshSession() will attempt to retrieve it from getSession(). If the current session's refresh token is invalid, an error will be thrown.

resend(credentials: ResendParams): Promise<AuthOtpResponse>

Resends an existing signup confirmation email, email change email, SMS OTP or phone change OTP.

resetPasswordForEmail(email: string, options?: { redirectTo?: string; captchaToken?: string; }): Promise<{ data: { }; error: null; } | { data: null; error: AuthError; }>

Sends a password reset request to an email address. This method supports the PKCE flow.

setSession(currentSession: { access_token: string; refresh_token: string; }): Promise<AuthResponse>

Sets the session data from the current session. If the current session is expired, setSession will take care of refreshing it to obtain a new session. If the refresh token or access token in the current session is invalid, an error will be thrown.

Allows signing in with an OIDC ID token. The authentication provider used should be enabled and configured.

Log in an existing user via a third-party provider. This method supports the PKCE flow.

Log in a user using magiclink or a one-time password (OTP).

If the {{ .ConfirmationURL }} variable is specified in the email template, a magiclink will be sent. If the {{ .Token }} variable is specified in the email template, an OTP will be sent. If you're using phone sign-ins, only an OTP will be sent. You won't be able to send a magiclink for phone sign-ins.

Be aware that you may get back an error message that will not distinguish between the cases where the account does not exist or, that the account can only be accessed via social login.

Do note that you will need to configure a Whatsapp sender on Twilio if you are using phone sign in with the 'whatsapp' channel. The whatsapp channel is not supported on other providers at this time. This method supports PKCE when an email is passed.

Log in an existing user with an email and password or phone and password.

Be aware that you may get back an error message that will not distinguish between the cases where the account does not exist or that the email/phone and password combination is wrong or that the account can only be accessed via social login.

Attempts a single-sign on using an enterprise Identity Provider. A successful SSO attempt will redirect the current page to the identity provider authorization page. The redirect URL is implementation and SSO protocol specific.

You can use it by providing a SSO domain. Typically you can extract this domain by asking users for their email address. If this domain is registered on the Auth instance the redirect will use that organization's currently active SSO Identity Provider for the login.

If you have built an organization-specific login page, you can use the organization's SSO Identity Provider UUID directly instead.

signOut(options?: SignOut): Promise<{ error: AuthError | null; }>

Inside a browser context, signOut() will remove the logged in user from the browser session and log them out - removing all items from localstorage and then trigger a "SIGNED_OUT" event.

For server-side management, you can revoke all refresh tokens for a user by passing a user's JWT through to auth.api.signOut(JWT: string). There is no way to revoke a user's access token jwt until it expires. It is recommended to set a shorter expiry on the jwt for this reason.

If using others scope, no SIGNED_OUT event is fired!

Creates a new user.

Be aware that if a user account exists in the system you may get back an error message that attempts to hide this information from the user. This method has support for PKCE via email signups. The PKCE flow cannot be used when autoconfirm is enabled.

startAutoRefresh(): Promise<void>

Starts an auto-refresh process in the background. The session is checked every few seconds. Close to the time of expiration a process is started to refresh the session. If refreshing fails it will be retried for as long as necessary.

If you set the GoTrueClientOptions#autoRefreshToken you don't need to call this function, it will be called for you.

On browsers the refresh process works only when the tab/window is in the foreground to conserve resources as well as prevent race conditions and flooding auth with requests. If you call this method any managed visibility change callback will be removed and you must manage visibility changes on your own.

On non-browser platforms the refresh process works continuously in the background, which may not be desirable. You should hook into your platform's foreground indication mechanism and call these methods appropriately to conserve resources.

{@see #stopAutoRefresh}

stopAutoRefresh(): Promise<void>

Stops an active auto refresh process running in the background (if any).

If you call this method any managed visibility change callback will be removed and you must manage visibility changes on your own.

See #startAutoRefresh for more details.

updateUser(attributes: UserAttributes, options?: { emailRedirectTo?: string | undefined; }): Promise<UserResponse>

Updates user data for a logged in user.

Log in a user given a User supplied OTP or TokenHash received through mobile or email.

Static Properties

private
nextInstanceID