@byline/host-tanstack-start 2.3.1 → 2.3.3

package/dist/admin-shell/chrome/sign-in-page.d.ts

@@ -13,6 +13,11 @@ interface SignInPageProps {
  * layout (no app bar, breadcrumbs, or menu drawer). Wraps the
  * `SignInForm` from `@byline/ui` in the admin services provider so
  * the form can call `signIn` via the typed contract.
+ *
+ * Threads the configured `serverURL` into the `SignInForm` as `homeUrl` so
+ * the form's action row can render a plain "Home" link beside the submit
+ * button. After admin sign-out users land back here; the link is what lets
+ * them get back to the public site without typing the URL.
  */
 export declare function SignInPage({ callbackUrl }: SignInPageProps): import("react").JSX.Element;
 export {};

package/dist/admin-shell/chrome/sign-in-page.js

@@ -1,9 +1,11 @@
 import { jsx } from "react/jsx-runtime";
+import { getClientConfig } from "@byline/core";
 import { BylineAdminServicesProvider, SignInForm } from "@byline/ui/react";
 import classnames from "classnames";
 import { bylineAdminServices } from "../../integrations/byline-admin-services.js";
 import sign_in_page_module from "./sign-in-page.module.js";
 function SignInPage({ callbackUrl }) {
+    const { serverURL } = getClientConfig();
     return /*#__PURE__*/ jsx(BylineAdminServicesProvider, {
         services: bylineAdminServices,
         children: /*#__PURE__*/ jsx("main", {
@@ -11,7 +13,8 @@ function SignInPage({ callbackUrl }) {
             children: /*#__PURE__*/ jsx("div", {
                 className: classnames('byline-sign-in-page-inner', sign_in_page_module.inner),
                 children: /*#__PURE__*/ jsx(SignInForm, {
-                    callbackUrl: callbackUrl
+                    callbackUrl: callbackUrl,
+                    homeUrl: serverURL
                 })
             })
         })

package/dist/auth/auth-context.js

@@ -20,7 +20,7 @@ async function getAdminRequestContext() {
     } catch  {}
     const refreshToken = readRefreshTokenCookie();
     if (!refreshToken) {
-        clearSessionCookies();
+        if (accessToken) clearSessionCookies();
         throw ERR_UNAUTHENTICATED({
             message: 'no admin session'
         });

package/dist/server-fns/auth/sign-out.js

@@ -1,6 +1,7 @@
 import { createServerFn } from "@tanstack/react-start";
 import { getServerConfig } from "@byline/core";
 import { clearSessionCookies, readRefreshTokenCookie } from "../../auth/auth-cookies.js";
+import { clearPreviewCookie } from "../../auth/preview-cookies.js";
 const adminSignOut = createServerFn({
     method: 'POST'
 }).handler(async ()=>{
@@ -10,6 +11,7 @@ const adminSignOut = createServerFn({
         await provider.revokeSession(refreshToken);
     } catch  {}
     clearSessionCookies();
+    clearPreviewCookie();
     return {
         status: 'ok'
     };

package/package.json

@@ -3,7 +3,7 @@
   "private": false,
   "type": "module",
   "license": "MPL-2.0",
-  "version": "2.3.1",
+  "version": "2.3.3",
   "engines": {
     "node": ">=20.9.0"
   },
@@ -107,12 +107,12 @@
     "react-swipeable": "^7.0.2",
     "uuid": "^14.0.0",
     "zod": "^4.4.3",
-    "@byline/ai": "2.3.1",
-    "@byline/client": "2.3.1",
-    "@byline/core": "2.3.1",
-    "@byline/admin": "2.3.1",
-    "@byline/auth": "2.3.1",
-    "@byline/ui": "2.3.1"
+    "@byline/admin": "2.3.3",
+    "@byline/client": "2.3.3",
+    "@byline/auth": "2.3.3",
+    "@byline/core": "2.3.3",
+    "@byline/ai": "2.3.3",
+    "@byline/ui": "2.3.3"
   },
   "peerDependencies": {
     "@tanstack/react-router": "^1.167.0",
@@ -124,8 +124,8 @@
     "@biomejs/biome": "2.4.15",
     "@rsbuild/plugin-react": "^2.0.0",
     "@rslib/core": "^0.21.5",
-    "@tanstack/react-router": "^1.170.6",
-    "@tanstack/react-start": "^1.168.9",
+    "@tanstack/react-router": "^1.170.7",
+    "@tanstack/react-start": "^1.168.10",
     "@types/node": "^25.9.1",
     "@types/react": "19.2.15",
     "@types/react-dom": "19.2.3",

package/src/admin-shell/chrome/sign-in-page.module.css

@@ -2,8 +2,11 @@
  * SignInPage — outer wrapper for the sign-in form.
  *
  * Override handles:
- *   .byline-sign-in-page    — outer <main>
+ *   .byline-sign-in-page       — outer <main>
  *   .byline-sign-in-page-inner — vertically-centred card container
+ *
+ * The Home link itself lives inside `SignInForm`'s action row — see
+ * `@byline/ui` `sign-in-form.module.css` for `.byline-sign-in-home-link`.
  */
 
 .main,

package/src/admin-shell/chrome/sign-in-page.tsx

@@ -6,6 +6,7 @@
  * Copyright (c) Infonomic Company Limited
  */
 
+import { getClientConfig } from '@byline/core'
 import { BylineAdminServicesProvider, SignInForm } from '@byline/ui/react'
 import cx from 'classnames'
 
@@ -21,13 +22,19 @@ interface SignInPageProps {
  * layout (no app bar, breadcrumbs, or menu drawer). Wraps the
  * `SignInForm` from `@byline/ui` in the admin services provider so
  * the form can call `signIn` via the typed contract.
+ *
+ * Threads the configured `serverURL` into the `SignInForm` as `homeUrl` so
+ * the form's action row can render a plain "Home" link beside the submit
+ * button. After admin sign-out users land back here; the link is what lets
+ * them get back to the public site without typing the URL.
  */
 export function SignInPage({ callbackUrl }: SignInPageProps) {
+  const { serverURL } = getClientConfig()
   return (
     <BylineAdminServicesProvider services={bylineAdminServices}>
       <main className={cx('byline-sign-in-page', styles.main)}>
         <div className={cx('byline-sign-in-page-inner', styles.inner)}>
-          <SignInForm callbackUrl={callbackUrl} />
+          <SignInForm callbackUrl={callbackUrl} homeUrl={serverURL} />
         </div>
       </main>
     </BylineAdminServicesProvider>

package/src/auth/auth-context.test.node.ts

@@ -137,7 +137,7 @@ describe('getAdminRequestContext', () => {
     expect(verifyAccessToken).toHaveBeenCalledWith('fresh-access')
   })
 
-  it('throws ERR_UNAUTHENTICATED and clears cookies when no session exists', async () => {
+  it('throws ERR_UNAUTHENTICATED without emitting Set-Cookie when no cookies are sent', async () => {
     cookiesReturn({})
 
     try {
@@ -147,7 +147,22 @@ describe('getAdminRequestContext', () => {
       expect(err).toBeInstanceOf(AuthError)
       expect((err as AuthError).code).toBe(AuthErrorCodes.UNAUTHENTICATED)
     }
-    // Cookie clear = setCookie with empty value and maxAge 0 for both names.
+    // Anonymous visitors must produce zero Set-Cookie headers so shared
+    // caches (Cloudflare) can cache public pages — a Set-Cookie on the
+    // response is a hard bypass signal for CDNs.
+    expect(setCookie).not.toHaveBeenCalled()
+  })
+
+  it('clears the stale access cookie when only an access token was sent', async () => {
+    cookiesReturn({ byline_access_token: 'stale' })
+    verifyAccessToken.mockRejectedValueOnce(new Error('expired'))
+
+    try {
+      await getAdminRequestContext()
+      expect.fail('expected ERR_UNAUTHENTICATED')
+    } catch (err) {
+      expect((err as AuthError).code).toBe(AuthErrorCodes.UNAUTHENTICATED)
+    }
     const clears = setCookie.mock.calls.filter((c) => c[2]?.maxAge === 0)
     const clearedNames = new Set(clears.map((c) => c[0]))
     expect(clearedNames.has('byline_access_token')).toBe(true)

package/src/auth/auth-context.ts

@@ -80,8 +80,13 @@ export async function getAdminRequestContext(): Promise<RequestContext> {
   // Refresh path: swap the refresh cookie for a fresh token pair.
   const refreshToken = readRefreshTokenCookie()
   if (!refreshToken) {
-    // No session at all — clear anything stale and reject.
-    clearSessionCookies()
+    // Only emit cookie clears when the browser actually sent a stale access
+    // cookie — otherwise the response carries no Set-Cookie at all, which
+    // lets shared caches (Cloudflare) cache public pages for anonymous
+    // visitors. Set-Cookie on the response is a hard bypass signal for CDNs.
+    if (accessToken) {
+      clearSessionCookies()
+    }
     throw ERR_UNAUTHENTICATED({ message: 'no admin session' })
   }
 

package/src/server-fns/auth/sign-out.ts

@@ -9,10 +9,16 @@
 /**
  * Admin sign-out server function.
  *
- * Revokes the current refresh token (so a stolen copy cannot be reused)
- * and clears both session cookies. Idempotent — if the caller already
- * lacks a refresh cookie, we still clear whatever's there and return
- * successfully.
+ * Revokes the current refresh token (so a stolen copy cannot be reused),
+ * clears both session cookies, and clears the preview-mode cookie.
+ * Idempotent — if the caller already lacks a refresh cookie, we still
+ * clear whatever's there and return successfully.
+ *
+ * Note: clearing `byline_preview` here is hygiene, not a security
+ * requirement. The CDN cache-bypass middleware keys off the session
+ * cookies, not the preview cookie, so a stale preview cookie left in the
+ * browser does not affect cacheability of subsequent anonymous responses.
+ * Clearing it simply means the next sign-in starts in non-preview mode.
  */
 
 import { createServerFn } from '@tanstack/react-start'
@@ -20,6 +26,7 @@ import { createServerFn } from '@tanstack/react-start'
 import { getServerConfig } from '@byline/core'
 
 import { clearSessionCookies, readRefreshTokenCookie } from '../../auth/auth-cookies.js'
+import { clearPreviewCookie } from '../../auth/preview-cookies.js'
 
 export const adminSignOut = createServerFn({ method: 'POST' }).handler(async () => {
   const provider = getServerConfig().sessionProvider
@@ -38,5 +45,6 @@ export const adminSignOut = createServerFn({ method: 'POST' }).handler(async ()
   }
 
   clearSessionCookies()
+  clearPreviewCookie()
   return { status: 'ok' as const }
 })