npm - @delopay/sdk - Versions diffs - 0.3.1 → 0.3.3 - Mend

@delopay/sdk 0.3.1 → 0.3.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (7) hide show

package/dist/index.d.cts CHANGED Viewed

@@ -2985,13 +2985,20 @@ declare class Users {
     rotatePassword(params: ResetPasswordRequest): Promise<UserResponse>;
     forgotPassword(params: ForgotPasswordRequest): Promise<Record<string, unknown>>;
     /**
-     * Reset a user's password using the single-purpose JWT delivered by the
-     * forgot-password email.
+     * Reset a user's password using the email link token.
      *
-     * The backend's `SinglePurposeJWTAuth` reads the token from the
-     * `Authorization: Bearer …` header, not from the request body, so the
-     * SDK lifts the `token` field out of `params` and sends it as the header.
-     * Callers still pass `{ password, token }` — the shape is unchanged.
+     * The email link delivers an `EmailToken`, but `/user/reset_password` is
+     * gated by `SinglePurposeJWTAuth` which expects a different JWT type
+     * (`SinglePurposeToken`). The SDK hides this two-step dance:
+     *
+     * 1. Exchange the EmailToken for a SinglePurposeToken at `/user/from_email`
+     *    (`crates/router/src/core/user.rs:2773`, no auth required).
+     * 2. Call `/user/reset_password` with the SinglePurposeToken as
+     *    `Authorization: Bearer` and the original EmailToken in the body —
+     *    the handler decodes body.token as an EmailToken to look up the user
+     *    (`crates/router/src/core/user.rs:687`).
+     *
+     * Callers just pass `{ password, token }` (the token from the URL).
      */
     resetPassword(params: ResetPasswordRequest): Promise<Record<string, unknown>>;
     verifyEmail(params: Record<string, unknown>): Promise<AuthResponse>;

package/dist/index.d.ts CHANGED Viewed

@@ -2985,13 +2985,20 @@ declare class Users {
     rotatePassword(params: ResetPasswordRequest): Promise<UserResponse>;
     forgotPassword(params: ForgotPasswordRequest): Promise<Record<string, unknown>>;
     /**
-     * Reset a user's password using the single-purpose JWT delivered by the
-     * forgot-password email.
+     * Reset a user's password using the email link token.
      *
-     * The backend's `SinglePurposeJWTAuth` reads the token from the
-     * `Authorization: Bearer …` header, not from the request body, so the
-     * SDK lifts the `token` field out of `params` and sends it as the header.
-     * Callers still pass `{ password, token }` — the shape is unchanged.
+     * The email link delivers an `EmailToken`, but `/user/reset_password` is
+     * gated by `SinglePurposeJWTAuth` which expects a different JWT type
+     * (`SinglePurposeToken`). The SDK hides this two-step dance:
+     *
+     * 1. Exchange the EmailToken for a SinglePurposeToken at `/user/from_email`
+     *    (`crates/router/src/core/user.rs:2773`, no auth required).
+     * 2. Call `/user/reset_password` with the SinglePurposeToken as
+     *    `Authorization: Bearer` and the original EmailToken in the body —
+     *    the handler decodes body.token as an EmailToken to look up the user
+     *    (`crates/router/src/core/user.rs:687`).
+     *
+     * Callers just pass `{ password, token }` (the token from the URL).
      */
     resetPassword(params: ResetPasswordRequest): Promise<Record<string, unknown>>;
     verifyEmail(params: Record<string, unknown>): Promise<AuthResponse>;

package/dist/index.js CHANGED Viewed

@@ -2030,19 +2030,30 @@ var Users = class {
     return this.request("POST", "/user/forgot_password", { body: params });
   }
   /**
-   * Reset a user's password using the single-purpose JWT delivered by the
-   * forgot-password email.
+   * Reset a user's password using the email link token.
    *
-   * The backend's `SinglePurposeJWTAuth` reads the token from the
-   * `Authorization: Bearer …` header, not from the request body, so the
-   * SDK lifts the `token` field out of `params` and sends it as the header.
-   * Callers still pass `{ password, token }` — the shape is unchanged.
+   * The email link delivers an `EmailToken`, but `/user/reset_password` is
+   * gated by `SinglePurposeJWTAuth` which expects a different JWT type
+   * (`SinglePurposeToken`). The SDK hides this two-step dance:
+   *
+   * 1. Exchange the EmailToken for a SinglePurposeToken at `/user/from_email`
+   *    (`crates/router/src/core/user.rs:2773`, no auth required).
+   * 2. Call `/user/reset_password` with the SinglePurposeToken as
+   *    `Authorization: Bearer` and the original EmailToken in the body —
+   *    the handler decodes body.token as an EmailToken to look up the user
+   *    (`crates/router/src/core/user.rs:687`).
+   *
+   * Callers just pass `{ password, token }` (the token from the URL).
    */
   async resetPassword(params) {
-    const { token, password } = params;
+    const exchange = await this.request(
+      "POST",
+      "/user/from_email",
+      { body: { token: params.token } }
+    );
     return this.request("POST", "/user/reset_password", {
-      body: { password },
-      headers: { Authorization: `Bearer ${token}` }
+      body: { token: params.token, password: params.password },
+      headers: { Authorization: `Bearer ${exchange.token}` }
     });
   }
   async verifyEmail(params) {