npm - @braintwopoint0/playback-commons - Versions diffs - 0.2.5 → 0.2.6 - Mend

@braintwopoint0/playback-commons 0.2.5 → 0.2.6

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (6) hide show

package/dist/api/index.d.ts ADDED Viewed

@@ -0,0 +1,34 @@
+type CorsOptions = {
+    /** Comma-separated method list. Default: 'POST, OPTIONS'. */
+    methods?: string;
+    /** Comma-separated header allowlist. Default: 'Content-Type'. */
+    headers?: string;
+    /** Preflight cache duration in seconds. Default: 86400 (24h). */
+    maxAge?: number;
+};
+/**
+ * Build CORS response headers.
+ *
+ * Always returns `Vary: Origin` so caches don't serve a CORS-allowed response
+ * to a different origin. Only emits `Access-Control-*` headers when the request
+ * Origin is in the allowlist — exact-match, no wildcards, so a typo'd subdomain
+ * or rogue preview URL can't post into a production endpoint.
+ *
+ * Same-origin requests have no Origin header on POST in some browsers and never
+ * preflight, so an absent or unknown origin returning the empty CORS set is the
+ * correct behavior.
+ */
+declare function corsHeaders(origin: string | null, allowed: ReadonlySet<string>, opts?: CorsOptions): Record<string, string>;
+/**
+ * Build a preflight (OPTIONS) Response. Use directly as the route's OPTIONS export:
+ *
+ *   export const OPTIONS = (req: NextRequest) => corsPreflight(req, ALLOWED_ORIGINS)
+ *
+ * Returns 204 No Content with the CORS headers built from the request's Origin
+ * against the allowlist. If the origin isn't allowed, the response still returns
+ * 204 but without the `Access-Control-Allow-*` headers — which is what the browser
+ * needs to see in order to block the subsequent real request.
+ */
+declare function corsPreflight(req: Request, allowed: ReadonlySet<string>, opts?: CorsOptions): Response;
+export { type CorsOptions, corsHeaders, corsPreflight };

package/dist/api/index.js ADDED Viewed

@@ -0,0 +1,26 @@
+// src/api/index.ts
+var DEFAULT_METHODS = "POST, OPTIONS";
+var DEFAULT_HEADERS = "Content-Type";
+var DEFAULT_MAX_AGE = 86400;
+function corsHeaders(origin, allowed, opts = {}) {
+  const headers = { Vary: "Origin" };
+  if (origin && allowed.has(origin)) {
+    headers["Access-Control-Allow-Origin"] = origin;
+    headers["Access-Control-Allow-Methods"] = opts.methods ?? DEFAULT_METHODS;
+    headers["Access-Control-Allow-Headers"] = opts.headers ?? DEFAULT_HEADERS;
+    headers["Access-Control-Max-Age"] = String(opts.maxAge ?? DEFAULT_MAX_AGE);
+  }
+  return headers;
+}
+function corsPreflight(req, allowed, opts) {
+  const origin = req.headers.get("origin");
+  return new Response(null, {
+    status: 204,
+    headers: corsHeaders(origin, allowed, opts)
+  });
+}
+export {
+  corsHeaders,
+  corsPreflight
+};
+//# sourceMappingURL=index.js.map

package/dist/api/index.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"sources":["../../src/api/index.ts"],"sourcesContent":["// CORS primitives for cross-origin API routes between PLAYBACK / PLAYHUB / future\n// PLAYBACK-suite apps.\n//\n// The mechanism (header construction, preflight response) lives here. The policy\n// — i.e. which origins are allowed to call a given endpoint — is intentionally\n// per-route, since \"who can hit my newsletter endpoint\" is a different decision\n// from \"who can hit my admin endpoint\".\n\nexport type CorsOptions = {\n /** Comma-separated method list. Default: 'POST, OPTIONS'. */\n methods?: string\n /** Comma-separated header allowlist. Default: 'Content-Type'. */\n headers?: string\n /** Preflight cache duration in seconds. Default: 86400 (24h). */\n maxAge?: number\n}\n\nconst DEFAULT_METHODS = 'POST, OPTIONS'\nconst DEFAULT_HEADERS = 'Content-Type'\nconst DEFAULT_MAX_AGE = 86400\n\n/**\n * Build CORS response headers.\n *\n * Always returns `Vary: Origin` so caches don't serve a CORS-allowed response\n * to a different origin. Only emits `Access-Control-*` headers when the request\n * Origin is in the allowlist — exact-match, no wildcards, so a typo'd subdomain\n * or rogue preview URL can't post into a production endpoint.\n *\n * Same-origin requests have no Origin header on POST in some browsers and never\n * preflight, so an absent or unknown origin returning the empty CORS set is the\n * correct behavior.\n */\nexport function corsHeaders(\n origin: string | null,\n allowed: ReadonlySet<string>,\n opts: CorsOptions = {}\n): Record<string, string> {\n const headers: Record<string, string> = { Vary: 'Origin' }\n if (origin && allowed.has(origin)) {\n headers['Access-Control-Allow-Origin'] = origin\n headers['Access-Control-Allow-Methods'] = opts.methods ?? DEFAULT_METHODS\n headers['Access-Control-Allow-Headers'] = opts.headers ?? DEFAULT_HEADERS\n headers['Access-Control-Max-Age'] = String(opts.maxAge ?? DEFAULT_MAX_AGE)\n }\n return headers\n}\n\n/**\n * Build a preflight (OPTIONS) Response. Use directly as the route's OPTIONS export:\n *\n * export const OPTIONS = (req: NextRequest) => corsPreflight(req, ALLOWED_ORIGINS)\n *\n * Returns 204 No Content with the CORS headers built from the request's Origin\n * against the allowlist. If the origin isn't allowed, the response still returns\n * 204 but without the `Access-Control-Allow-*` headers — which is what the browser\n * needs to see in order to block the subsequent real request.\n */\nexport function corsPreflight(\n req: Request,\n allowed: ReadonlySet<string>,\n opts?: CorsOptions\n): Response {\n const origin = req.headers.get('origin')\n return new Response(null, {\n status: 204,\n headers: corsHeaders(origin, allowed, opts),\n })\n}\n"],"mappings":";AAiBA,IAAM,kBAAkB;AACxB,IAAM,kBAAkB;AACxB,IAAM,kBAAkB;AAcjB,SAAS,YACd,QACA,SACA,OAAoB,CAAC,GACG;AACxB,QAAM,UAAkC,EAAE,MAAM,SAAS;AACzD,MAAI,UAAU,QAAQ,IAAI,MAAM,GAAG;AACjC,YAAQ,6BAA6B,IAAI;AACzC,YAAQ,8BAA8B,IAAI,KAAK,WAAW;AAC1D,YAAQ,8BAA8B,IAAI,KAAK,WAAW;AAC1D,YAAQ,wBAAwB,IAAI,OAAO,KAAK,UAAU,eAAe;AAAA,EAC3E;AACA,SAAO;AACT;AAYO,SAAS,cACd,KACA,SACA,MACU;AACV,QAAM,SAAS,IAAI,QAAQ,IAAI,QAAQ;AACvC,SAAO,IAAI,SAAS,MAAM;AAAA,IACxB,QAAQ;AAAA,IACR,SAAS,YAAY,QAAQ,SAAS,IAAI;AAAA,EAC5C,CAAC;AACH;","names":[]}

package/dist/ui/index.js CHANGED Viewed

@@ -2744,7 +2744,7 @@ function NewsletterForm2({
     const trimmed = email.trim();
     const ok = /^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(trimmed);
     if (!ok) {
-      setState("error");
+      setState("invalid_format");
       return;
     }
     inFlight.current = true;
@@ -2765,11 +2765,13 @@ function NewsletterForm2({
         setEmail("");
       } else if (res.status === 429) {
         setState("rate_limited");
+      } else if (res.status === 400) {
+        setState("invalid_format");
       } else {
-        setState("error");
+        setState("server_error");
       }
     } catch {
-      setState("error");
+      setState("server_error");
     } finally {
       inFlight.current = false;
     }
@@ -2820,16 +2822,17 @@ function NewsletterForm2({
               value: email,
               onChange: (e) => {
                 setEmail(e.target.value);
-                if (state === "error" || state === "rate_limited") setState("idle");
+                if (state === "invalid_format" || state === "server_error" || state === "rate_limited")
+                  setState("idle");
               },
               placeholder,
-              "aria-invalid": state === "error",
+              "aria-invalid": state === "invalid_format",
               "aria-describedby": feedbackId,
               className: cn(
                 "w-full sm:flex-1 h-12 sm:h-11 rounded-full bg-[var(--surface-1,#0f1512)] border px-5 text-[16px] sm:text-[14px] text-[var(--timberwolf)] placeholder:text-[rgba(214,213,201,0.44)]",
                 "focus:outline-none focus-visible:ring-2 focus-visible:ring-[var(--timberwolf)] focus-visible:ring-offset-2 focus-visible:ring-offset-[var(--night)]",
                 "disabled:opacity-60",
-                state === "error" ? "border-[rgba(237,106,106,0.5)]" : "border-[rgba(214,213,201,0.08)]"
+                state === "invalid_format" || state === "server_error" ? "border-[rgba(237,106,106,0.5)]" : "border-[rgba(214,213,201,0.08)]"
               )
             }
           ),
@@ -2851,13 +2854,14 @@ function NewsletterForm2({
             className: cn(
               "mt-2 -ml-0.5 text-[13px] min-h-[1.25rem]",
               state === "sent" && "text-[var(--timberwolf)]",
-              (state === "error" || state === "rate_limited") && "text-[rgb(237,106,106)]",
+              (state === "invalid_format" || state === "server_error" || state === "rate_limited") && "text-[rgb(237,106,106)]",
               (state === "idle" || state === "sending") && "text-[rgba(214,213,201,0.44)]"
             ),
-            role: state === "error" || state === "rate_limited" ? "alert" : void 0,
+            role: state === "invalid_format" || state === "server_error" || state === "rate_limited" ? "alert" : void 0,
             children: [
               state === "sent" && "Thanks \u2014 we\u2019ll be in touch.",
-              state === "error" && "Please enter a valid email address.",
+              state === "invalid_format" && "Please enter a valid email address.",
+              state === "server_error" && "Could not subscribe right now. Please try again in a moment.",
               state === "rate_limited" && "Too many attempts. Try again in a minute."
             ]
           }