feat: Isomorphic SDKs#1511
Closed
ChiragAgg5k wants to merge 41 commits intomasterfrom
Closed
Conversation
Adds a ServerClient sibling class to the web SDK alongside the existing Client. Service classes are generic over `Client | ServerClient` when they have any client-tier methods, with TypeScript `this`-types gating admin methods (e.g. `Databases.createCollection` requires `Databases<ServerClient>`). Services with no client-tier methods (Health, Tokens, Sites, Users) are non-generic and require a ServerClient at construction. Tier detection is driven entirely off existing `x-appwrite.platforms` spec tags. The existing Client surface is unchanged — purely additive for current `appwrite` web users; sets up the path to consolidate `appwrite` + `node-appwrite` into a single isomorphic package. - Filter `Key` out of Client header iterations so Client cannot setKey - Add server-client.ts.twig (setKey/setJWT/setLocale + HTTP plumbing, no realtime, no session/devkey/impersonate) - Type-gate service methods via `this: Service<ServerClient>` (or `<Client>` for the few client-only methods like webAuth/location) - Re-export ServerClient from index.ts - Register the new template in Web.php getFiles() Verified on regenerated examples/web/: tsc --noEmit passes; negative tests confirm `new Health(browserClient)` and admin calls on a Client-bound service fail to type-check; djlint passes.
- Rename fromApiKey -> fromAPIKey for naming consistency - Make all setters private; expose only static factory methods - Guard window access with typeof window !== 'undefined' in realtime - Gate fromAPIKey behind server/console platform builds only - Normalize ClientRuntime to 'client' | 'server'; remove 'browser' - Add withJWT and withForwardedUserAgent builder methods - Fix clearTimeout misuse on interval handles
Moves the service-level auth tier detection and per-method this-gate construction from template.ts.twig set blocks into PHP helpers exposed as Twig filters (webServiceAuth, webMethodThisGate). This makes the template easier to read while keeping generated output identical.
- Rename ClientRuntime -> SDKPlatform and field runtime -> sdkPlatform - Remove ConsoleAuth type; merge cookie auth into ServerAuth (covers both console and SSR cookie-forwarding use cases) - Emit fromCookie on all platforms instead of console-only - Default mode: 'admin' in fromCookie on console builds so the wire request authenticates as admin without requiring callers to remember the X-Appwrite-Mode header - Add Prettify utility type and wrap factory params so IDE hover shows the full parameter shape instead of an opaque alias name - Simplify Web.php helpers (webServiceAuth, webMethodThisGate) by removing the platform argument now that ServerAuth covers all server-tier cases
- Wrap fromJWT in a platform guard mirroring fromAPIKey. JWT auth lives in ServerAuth, so emitting fromJWT on client builds produced a dead factory: the returned Client<'jwt'> could not satisfy any service generated from the client spec (which only carry ClientAuth). - Add selfSigned?: boolean to BaseClientParams and apply it inside applyBase so every factory gets a public migration path. Previously setSelfSigned was the only way to set the flag and was made private by the factory refactor, leaving callers without a public hook.
Replaces the hardcoded config block and ten manually-written auth setters with a single spec.global.headers loop, matching the pattern every other SDK template uses (Python, Dart, Kotlin, etc.). Setters become primitive: header write + config write + return this. The redundant sdkPlatform / x-sdk-platform writes are removed because applyBase already sets both before the setter runs, and the setters are private — only callable from inside factories. Dropping the duplication also lets the typed Client<'apiKey'> etc. flow through chained calls without `as unknown as Client<...>` casts. Each platform spec carries a different subset of securityDefinitions, so a Web.php Twig filter (webClientHeaders) augments the parsed list with auth headers the unified client needs but the loaded spec omits (e.g. Session/DevKey on console, Cookie on client). The filter has a TODO pointing at appwrite/appwrite#12211, which moves the union into each platform spec's securityDefinitions directly. Once that ships and specs regenerate, the filter and its registration can be deleted in a follow-up. Verified against console, client, and server builds plus an end-to-end smoke test calling Account.get() through fromCookie on Appwrite Cloud.
The server platform spec includes ForwardedUserAgent in securityDefinitions, so the new spec.global.headers loop generates a config field and setForwardedUserAgent setter for it on server builds. That collided with the manual versions left over in the template, producing TS2300/TS1117/TS2393 duplicate-identifier errors when running tsc --declaration in the web (server) CI job. Add ForwardedUserAgent to webClientHeaders so it is universally present across all platform builds (the unified web client always exposes withForwardedUserAgent for chained user-agent forwarding) and remove the manual config field and setter from the template. The loop now owns it on every build target. Verified npm run build:types passes for web (server), web (console), and web (client) on a clean examples/web tree.
…-server-client # Conflicts: # templates/web/src/client.ts.twig
Greptile SummaryThis PR introduces a typed factory pattern (
Confidence Score: 5/5The change is additive and backwards-compatible — existing Client() setter chains continue to compile alongside the new factory methods. No regressions were found in the core factory logic, auth header propagation, or service construction. The design notes around endpoint fatalError and the Flutter Realtime runtime type check are pre-existing patterns or intentional guards rather than new defects introduced by this PR. templates/apple/Sources/Client.swift.twig — endpoint and realtime URL validation still uses fatalError even though fromImpersonation was updated to throw; worth aligning them if the factory surface is meant to be fully throwable for invalid inputs. Important Files Changed
Reviews (3): Last reviewed commit: "Merge Flutter isomorphic SDK changes" | Re-trigger Greptile |
![greptile-apps[bot]](https://avatars.githubusercontent.com/in/867647?s=60&v=4){kind=small}
Member
Author
|
Superseded by #1512, which uses the clearer branch for the consolidated isomorphic SDK changes. |
This was referenced May 7, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Implements the isomorphic SDK client pattern across the generated Web, Flutter, and Apple SDKs. Each SDK now exposes explicit auth factory methods for the recommended setup path while preserving the existing
Client()constructor and setter style for backwards compatibility.This consolidates the work from #1481, #1510, and #1511 into one PR.
Web SDK
The generated Web SDK now uses one typed generic
Clientacross browser, server, and console output. Static factories describe both runtime and auth capability, and generated services narrow their available methods from the client auth type.Available Web factories include
fromBrowser,fromSession,fromDevKey,fromImpersonation,fromAPIKey,fromJWT, andfromCookie, with server-only factories omitted from client-platform output.Flutter SDK
The generated Flutter client SDK now exposes a
ClientAuthinterface returned by factory-created clients. Services and Realtime acceptClientAuth, so the construction syntax stays the same while legacy setters are hidden from factory-created clients.Available Flutter factories are
fromBrowser,fromSession,fromDevKey, andfromImpersonation. This is intentionally scoped to Flutter client output and does not add server auth factories to Flutter.Apple SDK
The generated Apple SDK now exposes a
ClientAuthprotocol returned by factory-created clients. Generated services and Realtime acceptClientAuth, and services read auth values throughgetConfig(key:)instead of exposing the raw config dictionary.Available Apple factories are
fromBrowser,fromSession,fromDevKey, and throwingfromImpersonation. All factories accept optional endpoint, realtime endpoint, locale, self-signed, and compression values.fromImpersonationthrows anAppwriteErrorwhen callers pass zero or multiple impersonation targets.Backwards Compatibility
Existing constructor/setter setup remains supported in all three SDKs:
Those legacy setters are marked deprecated and remain available from direct
Client()instances. Factory-created clients intentionally expose the narrower auth surface.Implementation Notes
.clientinternals from the public generated service surface.Validation
Ran on the consolidated branch: