fix: align getUser with specs to throw, chore: spec indentation

Author: nams1570

sdks/implementations/swift/Sources/StackAuth/StackClientApp.swift

@@ -605,30 +605,29 @@ public actor StackClientApp {
 
             // Check if we should return this user
             if await user.isAnonymous && !includeAnonymous {
-                return handleNoUser(or: or)
+                return try handleNoUser(or: or)
             }
 
             if await user.isRestricted && !effectiveIncludeRestricted {
-                return handleNoUser(or: or)
+                return try handleNoUser(or: or)
             }
 
             return user
 
         } catch {
-            return handleNoUser(or: or)
+            return try handleNoUser(or: or)
         }
     }
 
-    private func handleNoUser(or: GetUserOr) -> CurrentUser? {
+    private func handleNoUser(or: GetUserOr) throws -> CurrentUser? {
         switch or {
         case .returnNull, .anonymous:
             return nil
         case .redirect:
             // Can't redirect in Swift
             return nil
         case .throw:
-            // Already thrown
-            return nil
+            throw UserNotSignedInError()
         }
     }
 

sdks/spec/src/_utilities.spec.md

@@ -10,7 +10,7 @@ All API requests follow this pattern. This section describes the complete reques
 ### Base URL
 
 Construct API URL: `{baseUrl}/api/v1{path}`
-  - baseUrl defaults to "https://api.stack-auth.com"
+  - baseUrl defaults to `https://api.stack-auth.com`
   - Remove trailing slash from final URL
   - Example: `https://api.stack-auth.com/api/v1/users/me`
 
@@ -44,6 +44,7 @@ On 401 response with code="invalid_access_token":
 2. Fetch new access token using refresh token (see Token Refresh below)
 3. Retry the request with the new token
 4. If still 401 after retry: treat as unauthenticated
+
 ### [server-only] - Server Key Required
 
 Include header: x-stack-secret-server-key: <secretServerKey>

sdks/spec/src/apps/client-app.spec.md

@@ -127,7 +127,7 @@ Configuration requirements:
 - Note: The "Client ID" field in the dashboard is for web OAuth (Services ID), not native apps
 
 Implementation notes:
-- The identityToken is a JWT that can be verified using Apple's JWKS (https://appleid.apple.com/auth/keys)
+- The identityToken is a JWT that can be verified using Apple's JWKS (`https://appleid.apple.com/auth/keys`)
 - The JWT's audience claim must match the configured Bundle ID
 - User's name and email are only provided on the FIRST authorization; cache if needed
 - The native flow does NOT use redirect URLs - tokens are returned directly