feat(auth): add missing auth admin methods (#715)

* feat(auth): add missing auth admin methods

* add tests for admin features

* make ids an uuid

* deprecate deleteUser with id string

* remove renamed

* remove CodingKeys

* wip

* decode GenerateLinkResponse

* comment generate link related code

* rollback AnyJSON encoder and decoder

Author: grdsdev

Examples/UserManagement/ProfileView.swift

@@ -185,7 +185,7 @@ struct ProfileView: View {
       do {
         let currentUserId = try await supabase.auth.session.user.id
         try await supabase.auth.admin.deleteUser(
-          id: currentUserId.uuidString,
+          id: currentUserId,
           shouldSoftDelete: true
         )
       } catch {

Sources/Auth/AuthAdmin.swift

@@ -6,8 +6,8 @@
 //
 
 import Foundation
-import Helpers
 import HTTPTypes
+import Helpers
 
 public struct AuthAdmin: Sendable {
   let clientID: AuthClientID
@@ -16,14 +16,97 @@ public struct AuthAdmin: Sendable {
   var api: APIClient { Dependencies[clientID].api }
   var encoder: JSONEncoder { Dependencies[clientID].encoder }
 
+  /// Get user by id.
+  /// - Parameter uid: The user's unique identifier.
+  /// - Note: This function should only be called on a server. Never expose your `service_role` key in the browser.
+  public func getUserById(_ uid: UUID) async throws -> User {
+    try await api.execute(
+      HTTPRequest(
+        url: configuration.url.appendingPathComponent("admin/users/\(uid)"),
+        method: .get
+      )
+    ).decoded(decoder: configuration.decoder)
+  }
+
+  /// Updates the user data.
+  /// - Parameters:
+  ///   - uid: The user id you want to update.
+  ///   - attributes: The data you want to update.
+  @discardableResult
+  public func updateUserById(_ uid: UUID, attributes: AdminUserAttributes) async throws -> User {
+    try await api.execute(
+      HTTPRequest(
+        url: configuration.url.appendingPathComponent("admin/users/\(uid)"),
+        method: .put,
+        body: configuration.encoder.encode(attributes)
+      )
+    ).decoded(decoder: configuration.decoder)
+  }
+
+  /// Creates a new user.
+  ///
+  /// - To confirm the user's email address or phone number, set ``AdminUserAttributes/emailConfirm`` or ``AdminUserAttributes/phoneConfirm`` to `true`. Both arguments default to `false`.
+  /// - ``createUser(attributes:)`` will not send a confirmation email to the user. You can use ``inviteUserByEmail(_:data:redirectTo:)`` if you want to send them an email invite instead.
+  /// - If you are sure that the created user's email or phone number is legitimate and verified, you can set the ``AdminUserAttributes/emailConfirm`` or ``AdminUserAttributes/phoneConfirm`` param to true.
+  /// - Warning: Never expose your `service_role` key on the client.
+  @discardableResult
+  public func createUser(attributes: AdminUserAttributes) async throws -> User {
+    try await api.execute(
+      HTTPRequest(
+        url: configuration.url.appendingPathComponent("admin/users"),
+        method: .post,
+        body: encoder.encode(attributes)
+      )
+    )
+    .decoded(decoder: configuration.decoder)
+  }
+
+  /// Sends an invite link to an email address.
+  ///
+  /// - Sends an invite link to the user's email address.
+  /// - The ``inviteUserByEmail(_:data:redirectTo:)`` method is typically used by administrators to invite users to join the application.
+  /// - Parameters:
+  ///   - email: The email address of the user.
+  ///   - data: A custom data object to store additional metadata about the user. This maps to the `auth.users.user_metadata` column.
+  ///   - redirectTo: The URL which will be appended to the email link sent to the user's email address. Once clicked the user will end up on this URL.
+  /// - Note: that PKCE is not supported when using ``inviteUserByEmail(_:data:redirectTo:)``. This is because the browser initiating the invite is often different from the browser accepting the invite which makes it difficult to provide the security guarantees required of the PKCE flow.
+  @discardableResult
+  public func inviteUserByEmail(
+    _ email: String,
+    data: [String: AnyJSON]? = nil,
+    redirectTo: URL? = nil
+  ) async throws -> User {
+    try await api.execute(
+      HTTPRequest(
+        url: configuration.url.appendingPathComponent("admin/invite"),
+        method: .post,
+        query: [
+          (redirectTo ?? configuration.redirectToURL).map {
+            URLQueryItem(
+              name: "redirect_to",
+              value: $0.absoluteString
+            )
+          }
+        ].compactMap { $0 },
+        body: encoder.encode(
+          [
+            "email": .string(email),
+            "data": data.map({ AnyJSON.object($0) }) ?? .null,
+          ]
+        )
+      )
+    )
+    .decoded(decoder: configuration.decoder)
+  }
+
   /// Delete a user. Requires `service_role` key.
   /// - Parameter id: The id of the user you want to delete.
   /// - Parameter shouldSoftDelete: If true, then the user will be soft-deleted (setting
   /// `deleted_at` to the current timestamp and disabling their account while preserving their data)
   /// from the auth schema.
   ///
   /// - Warning: Never expose your `service_role` key on the client.
-  public func deleteUser(id: String, shouldSoftDelete: Bool = false) async throws {
+  public func deleteUser(id: UUID, shouldSoftDelete: Bool = false) async throws {
     _ = try await api.execute(
       HTTPRequest(
         url: configuration.url.appendingPathComponent("admin/users/\(id)"),
@@ -69,7 +152,9 @@ public struct AuthAdmin: Sendable {
     let links = httpResponse.headers[.link]?.components(separatedBy: ",") ?? []
     if !links.isEmpty {
       for link in links {
-        let page = link.components(separatedBy: ";")[0].components(separatedBy: "=")[1].prefix(while: \.isNumber)
+        let page = link.components(separatedBy: ";")[0].components(separatedBy: "=")[1].prefix(
+          while: \.isNumber
+        )
         let rel = link.components(separatedBy: ";")[1].components(separatedBy: "=")[1]
 
         if rel == "\"last\"", let lastPage = Int(page) {
@@ -82,6 +167,35 @@ public struct AuthAdmin: Sendable {
 
     return pagination
   }
+
+  /*
+   Generate link is commented out temporarily due issues with they Auth's decoding is configured.
+   Will revisit it later.
+
+  /// Generates email links and OTPs to be sent via a custom email provider.
+  ///
+  /// - Parameter params: The parameters for the link generation.
+  /// - Throws: An error if the link generation fails.
+  /// - Returns: The generated link.
+  public func generateLink(params: GenerateLinkParams) async throws -> GenerateLinkResponse {
+    try await api.execute(
+      HTTPRequest(
+        url: configuration.url.appendingPathComponent("admin/generate_link").appendingQueryItems(
+          [
+            (params.redirectTo ?? configuration.redirectToURL).map {
+              URLQueryItem(
+                name: "redirect_to",
+                value: $0.absoluteString
+              )
+            }
+          ].compactMap { $0 }
+        ),
+        method: .post,
+        body: encoder.encode(params.body)
+      )
+    ).decoded(decoder: configuration.decoder)
+  }
+   */
 }
 
 extension HTTPField.Name {

Sources/Auth/Deprecated.swift

@@ -32,7 +32,8 @@ extension JSONEncoder {
     *,
     deprecated,
     renamed: "AuthClient.Configuration.jsonEncoder",
-    message: "Access to the default JSONEncoder instance moved to AuthClient.Configuration.jsonEncoder"
+    message:
+      "Access to the default JSONEncoder instance moved to AuthClient.Configuration.jsonEncoder"
   )
   public static var goTrue: JSONEncoder {
     AuthClient.Configuration.jsonEncoder
@@ -44,7 +45,8 @@ extension JSONDecoder {
     *,
     deprecated,
     renamed: "AuthClient.Configuration.jsonDecoder",
-    message: "Access to the default JSONDecoder instance moved to AuthClient.Configuration.jsonDecoder"
+    message:
+      "Access to the default JSONDecoder instance moved to AuthClient.Configuration.jsonDecoder"
   )
   public static var goTrue: JSONDecoder {
     AuthClient.Configuration.jsonDecoder
@@ -65,7 +67,8 @@ extension AuthClient.Configuration {
   @available(
     *,
     deprecated,
-    message: "Replace usages of this initializer with new init(url:headers:flowType:localStorage:logger:encoder:decoder:fetch)"
+    message:
+      "Replace usages of this initializer with new init(url:headers:flowType:localStorage:logger:encoder:decoder:fetch)"
   )
   public init(
     url: URL,
@@ -103,7 +106,8 @@ extension AuthClient {
   @available(
     *,
     deprecated,
-    message: "Replace usages of this initializer with new init(url:headers:flowType:localStorage:logger:encoder:decoder:fetch)"
+    message:
+      "Replace usages of this initializer with new init(url:headers:flowType:localStorage:logger:encoder:decoder:fetch)"
   )
   public init(
     url: URL,
@@ -129,3 +133,18 @@ extension AuthClient {
 
 @available(*, deprecated, message: "Use MFATotpEnrollParams or MFAPhoneEnrollParams instead.")
 public typealias MFAEnrollParams = MFATotpEnrollParams
+
+extension AuthAdmin {
+  @available(
+    *,
+    deprecated,
+    message: "Use deleteUser with UUID instead of string."
+  )
+  public func deleteUser(id: String, shouldSoftDelete: Bool = false) async throws {
+    guard let id = UUID(uuidString: id) else {
+      fatalError("id should be a valid UUID")
+    }
+
+    try await self.deleteUser(id: id, shouldSoftDelete: shouldSoftDelete)
+  }
+}

Sources/Auth/Internal/APIClient.swift

@@ -1,6 +1,6 @@
 import Foundation
-import Helpers
 import HTTPTypes
+import Helpers
 
 extension HTTPClient {
   init(configuration: AuthClient.Configuration) {
@@ -12,7 +12,7 @@ extension HTTPClient {
     interceptors.append(
       RetryRequestInterceptor(
         retryableHTTPMethods: RetryRequestInterceptor.defaultRetryableHTTPMethods.union(
-          [.post] // Add POST method so refresh token are also retried.
+          [.post]  // Add POST method so refresh token are also retried.
         )
       )
     )
@@ -42,7 +42,7 @@ struct APIClient: Sendable {
 
     let response = try await http.send(request)
 
-    guard 200 ..< 300 ~= response.statusCode else {
+    guard 200..<300 ~= response.statusCode else {
       throw handleError(response: response)
     }
 
@@ -64,10 +64,12 @@ struct APIClient: Sendable {
   }
 
   func handleError(response: Helpers.HTTPResponse) -> AuthError {
-    guard let error = try? response.decoded(
-      as: _RawAPIErrorResponse.self,
-      decoder: configuration.decoder
-    ) else {
+    guard
+      let error = try? response.decoded(
+        as: _RawAPIErrorResponse.self,
+        decoder: configuration.decoder
+      )
+    else {
       return .api(
         message: "Unexpected error",
         errorCode: .unexpectedFailure,
@@ -78,11 +80,14 @@ struct APIClient: Sendable {
 
     let responseAPIVersion = parseResponseAPIVersion(response)
 
-    let errorCode: ErrorCode? = if let responseAPIVersion, responseAPIVersion >= apiVersions[._20240101]!.timestamp, let code = error.code {
-      ErrorCode(code)
-    } else {
-      error.errorCode
-    }
+    let errorCode: ErrorCode? =
+      if let responseAPIVersion, responseAPIVersion >= apiVersions[._20240101]!.timestamp,
+        let code = error.code
+      {
+        ErrorCode(code)
+      } else {
+        error.errorCode
+      }
 
     if errorCode == nil, let weakPassword = error.weakPassword {
       return .weakPassword(