@doswiftly/storefront-sdk 4.7.2 → 7.0.0

package/dist/react/hooks/use-auth.js

@@ -27,7 +27,7 @@ export function useAuth(options = {}) {
     const authStore = useAuthStoreApi();
     const [isLoggingIn, setIsLoggingIn] = useState(false);
     const [isLoggingOut, setIsLoggingOut] = useState(false);
-    const [isRenewingToken, setIsRenewingToken] = useState(false);
+    const [isRefreshingToken, setIsRenewingToken] = useState(false);
     const [error, setError] = useState(null);
     const login = useCallback(async (email, password) => {
         setError(null);
@@ -40,7 +40,7 @@ export function useAuth(options = {}) {
             }
             // Fetch customer data and set store
             try {
-                const customer = await authClient.getCustomer(result.accessToken);
+                const customer = await authClient.getCustomer();
                 if (customer) {
                     setAuth({
                         id: customer.id,
@@ -87,10 +87,8 @@ export function useAuth(options = {}) {
         setError(null);
         setIsLoggingOut(true);
         try {
-            const token = authStore.getState().accessToken;
-            if (token) {
-                await authClient.logout(token);
-            }
+            // Auth context resolved server-side from cookie/Bearer — no token arg needed
+            await authClient.logout();
             // Clear httpOnly cookie
             if (options.onClearToken) {
                 await options.onClearToken();
@@ -109,18 +107,13 @@ export function useAuth(options = {}) {
             setIsLoggingOut(false);
         }
     }, [authClient, clearAuth, options, authStore]);
-    const renewToken = useCallback(async () => {
+    const refreshToken = useCallback(async () => {
         setError(null);
         setIsRenewingToken(true);
         try {
-            const token = authStore.getState().accessToken;
-            if (!token) {
-                return {
-                    success: false,
-                    userErrors: [{ message: 'No token to renew' }],
-                };
-            }
-            const result = await authClient.renewToken(token);
+            // Auth context resolved server-side from cookie/Bearer — no token arg needed.
+            // If no active session, backend will return 401 and refreshToken throws.
+            const result = await authClient.refreshToken();
             // Update httpOnly cookie
             if (options.onSetToken) {
                 await options.onSetToken(result.accessToken);
@@ -158,11 +151,11 @@ export function useAuth(options = {}) {
     return {
         login,
         logout,
-        renewToken,
+        refreshToken,
         isLoggingIn,
         isLoggingOut,
-        isRenewingToken,
-        isLoading: isLoggingIn || isLoggingOut || isRenewingToken,
+        isRefreshingToken,
+        isLoading: isLoggingIn || isLoggingOut || isRefreshingToken,
         error,
     };
 }

package/dist/react/hooks/use-cart-manager.d.ts

@@ -9,7 +9,7 @@
  * ```tsx
  * const { addItem, updateQuantity, removeItem, isLoading } = useCartManager();
  *
- * await addItem([{ merchandiseId: 'variant-123', quantity: 1 }]);
+ * await addItem([{ variantId: 'variant-123', quantity: 1 }]);
  * ```
  */
 import type { Cart, CartLineInput, CartLineUpdateInput } from '../../core/cart/types';

package/dist/react/hooks/use-cart-manager.js

@@ -9,7 +9,7 @@
  * ```tsx
  * const { addItem, updateQuantity, removeItem, isLoading } = useCartManager();
  *
- * await addItem([{ merchandiseId: 'variant-123', quantity: 1 }]);
+ * await addItem([{ variantId: 'variant-123', quantity: 1 }]);
  * ```
  */
 'use client';

package/dist/react/index.d.ts

@@ -15,7 +15,7 @@ export { StorefrontProvider, type StorefrontProviderProps } from './providers/st
 export { StorefrontClientProvider, type StorefrontClientProviderProps } from './providers/storefront-client-provider';
 export { CurrencyProvider, type CurrencyProviderProps } from './providers/currency-provider';
 export { LanguageProvider, type LanguageProviderProps } from './providers/language-provider';
-export { useAuth, type UseAuthOptions, type LoginResult, type LogoutResult, type TokenRenewResult } from './hooks/use-auth';
+export { useAuth, type UseAuthOptions, type LoginResult, type LogoutResult, type TokenRefreshResult } from './hooks/use-auth';
 export { useCartManager } from './hooks/use-cart-manager';
 export { useStorefrontClient } from './hooks/use-storefront-client';
 export { useCurrency } from './hooks/use-currency';

package/dist/react/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/react/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AAGH,OAAO,EAAE,kBAAkB,EAAE,KAAK,uBAAuB,EAAE,MAAM,iCAAiC,CAAC;AACnG,OAAO,EAAE,wBAAwB,EAAE,KAAK,6BAA6B,EAAE,MAAM,wCAAwC,CAAC;AACtH,OAAO,EAAE,gBAAgB,EAAE,KAAK,qBAAqB,EAAE,MAAM,+BAA+B,CAAC;AAC7F,OAAO,EAAE,gBAAgB,EAAE,KAAK,qBAAqB,EAAE,MAAM,+BAA+B,CAAC;AAG7F,OAAO,EAAE,OAAO,EAAE,KAAK,cAAc,EAAE,KAAK,WAAW,EAAE,KAAK,YAAY,EAAE,KAAK,gBAAgB,EAAE,MAAM,kBAAkB,CAAC;AAC5H,OAAO,EAAE,cAAc,EAAE,MAAM,0BAA0B,CAAC;AAC1D,OAAO,EAAE,mBAAmB,EAAE,MAAM,+BAA+B,CAAC;AACpE,OAAO,EAAE,WAAW,EAAE,MAAM,sBAAsB,CAAC;AAGnD,OAAO,EAAE,YAAY,EAAE,eAAe,EAAE,eAAe,EAAE,MAAM,wBAAwB,CAAC;AACxF,OAAO,EAAE,gBAAgB,EAAE,mBAAmB,EAAE,MAAM,wBAAwB,CAAC;AAC/E,OAAO,EAAE,gBAAgB,EAAE,mBAAmB,EAAE,MAAM,wBAAwB,CAAC;AAG/E,YAAY,EAAE,SAAS,EAAE,YAAY,EAAE,MAAM,qBAAqB,CAAC;AACnE,YAAY,EAAE,aAAa,EAAE,gBAAgB,EAAE,MAAM,yBAAyB,CAAC;AAC/E,YAAY,EAAE,aAAa,EAAE,MAAM,yBAAyB,CAAC;AAC7D,YAAY,EAAE,UAAU,EAAE,MAAM,qBAAqB,CAAC;AAGtD,OAAO,EAAE,cAAc,EAAE,kBAAkB,EAAE,yBAAyB,EAAE,cAAc,EAAE,MAAM,yBAAyB,CAAC;AACxH,OAAO,EAAE,cAAc,EAAE,qBAAqB,EAAE,wBAAwB,EAAE,sBAAsB,EAAE,MAAM,yBAAyB,CAAC;AAGlI,OAAO,EAAE,SAAS,EAAE,SAAS,EAAE,YAAY,EAAE,0BAA0B,EAAE,wBAAwB,EAAE,MAAM,WAAW,CAAC;AAGrH,OAAO,EAAE,gBAAgB,EAAE,MAAM,4BAA4B,CAAC;AAG9D,OAAO,EAAE,WAAW,EAAE,MAAM,sBAAsB,CAAC;AACnD,OAAO,EAAE,iBAAiB,EAAE,MAAM,6BAA6B,CAAC;AAGhE,OAAO,EACL,eAAe,EACf,YAAY,EACZ,gBAAgB,EAChB,mBAAmB,GACpB,MAAM,qBAAqB,CAAC;AAC7B,YAAY,EACV,SAAS,EACT,eAAe,EACf,WAAW,EACX,QAAQ,EACR,kBAAkB,EAClB,aAAa,EACb,mBAAmB,GACpB,MAAM,qBAAqB,CAAC;AAC7B,OAAO,EAAE,YAAY,EAAE,YAAY,EAAE,eAAe,EAAE,MAAM,uBAAuB,CAAC;AAGpF,OAAO,EAAE,kBAAkB,EAAE,MAAM,gCAAgC,CAAC"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/react/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AAGH,OAAO,EAAE,kBAAkB,EAAE,KAAK,uBAAuB,EAAE,MAAM,iCAAiC,CAAC;AACnG,OAAO,EAAE,wBAAwB,EAAE,KAAK,6BAA6B,EAAE,MAAM,wCAAwC,CAAC;AACtH,OAAO,EAAE,gBAAgB,EAAE,KAAK,qBAAqB,EAAE,MAAM,+BAA+B,CAAC;AAC7F,OAAO,EAAE,gBAAgB,EAAE,KAAK,qBAAqB,EAAE,MAAM,+BAA+B,CAAC;AAG7F,OAAO,EAAE,OAAO,EAAE,KAAK,cAAc,EAAE,KAAK,WAAW,EAAE,KAAK,YAAY,EAAE,KAAK,kBAAkB,EAAE,MAAM,kBAAkB,CAAC;AAC9H,OAAO,EAAE,cAAc,EAAE,MAAM,0BAA0B,CAAC;AAC1D,OAAO,EAAE,mBAAmB,EAAE,MAAM,+BAA+B,CAAC;AACpE,OAAO,EAAE,WAAW,EAAE,MAAM,sBAAsB,CAAC;AAGnD,OAAO,EAAE,YAAY,EAAE,eAAe,EAAE,eAAe,EAAE,MAAM,wBAAwB,CAAC;AACxF,OAAO,EAAE,gBAAgB,EAAE,mBAAmB,EAAE,MAAM,wBAAwB,CAAC;AAC/E,OAAO,EAAE,gBAAgB,EAAE,mBAAmB,EAAE,MAAM,wBAAwB,CAAC;AAG/E,YAAY,EAAE,SAAS,EAAE,YAAY,EAAE,MAAM,qBAAqB,CAAC;AACnE,YAAY,EAAE,aAAa,EAAE,gBAAgB,EAAE,MAAM,yBAAyB,CAAC;AAC/E,YAAY,EAAE,aAAa,EAAE,MAAM,yBAAyB,CAAC;AAC7D,YAAY,EAAE,UAAU,EAAE,MAAM,qBAAqB,CAAC;AAGtD,OAAO,EAAE,cAAc,EAAE,kBAAkB,EAAE,yBAAyB,EAAE,cAAc,EAAE,MAAM,yBAAyB,CAAC;AACxH,OAAO,EAAE,cAAc,EAAE,qBAAqB,EAAE,wBAAwB,EAAE,sBAAsB,EAAE,MAAM,yBAAyB,CAAC;AAGlI,OAAO,EAAE,SAAS,EAAE,SAAS,EAAE,YAAY,EAAE,0BAA0B,EAAE,wBAAwB,EAAE,MAAM,WAAW,CAAC;AAGrH,OAAO,EAAE,gBAAgB,EAAE,MAAM,4BAA4B,CAAC;AAG9D,OAAO,EAAE,WAAW,EAAE,MAAM,sBAAsB,CAAC;AACnD,OAAO,EAAE,iBAAiB,EAAE,MAAM,6BAA6B,CAAC;AAGhE,OAAO,EACL,eAAe,EACf,YAAY,EACZ,gBAAgB,EAChB,mBAAmB,GACpB,MAAM,qBAAqB,CAAC;AAC7B,YAAY,EACV,SAAS,EACT,eAAe,EACf,WAAW,EACX,QAAQ,EACR,kBAAkB,EAClB,aAAa,EACb,mBAAmB,GACpB,MAAM,qBAAqB,CAAC;AAC7B,OAAO,EAAE,YAAY,EAAE,YAAY,EAAE,eAAe,EAAE,MAAM,uBAAuB,CAAC;AAGpF,OAAO,EAAE,kBAAkB,EAAE,MAAM,gCAAgC,CAAC"}

package/dist/react/stores/auth.store.d.ts

@@ -30,7 +30,6 @@ export declare const createAuthStore: (initialIsAuthenticated?: boolean) => Omit
     persist: {
         setOptions: (options: Partial<import("zustand/middleware").PersistOptions<AuthStore, {
             customer: CustomerInfo | null;
-            accessToken: string | null;
             isAuthenticated: boolean;
         }, unknown>>) => void;
         clearStorage: () => void;
@@ -40,7 +39,6 @@ export declare const createAuthStore: (initialIsAuthenticated?: boolean) => Omit
         onFinishHydration: (fn: (state: AuthStore) => void) => () => void;
         getOptions: () => Partial<import("zustand/middleware").PersistOptions<AuthStore, {
             customer: CustomerInfo | null;
-            accessToken: string | null;
             isAuthenticated: boolean;
         }, unknown>>;
     };

package/dist/react/stores/auth.store.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"auth.store.d.ts","sourceRoot":"","sources":["../../../src/react/stores/auth.store.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAKH,MAAM,WAAW,YAAY;IAC3B,EAAE,EAAE,MAAM,CAAC;IACX,KAAK,EAAE,MAAM,CAAC;IACd,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,KAAK,CAAC,EAAE,MAAM,CAAC;CAChB;AAED,MAAM,WAAW,SAAS;IAExB,QAAQ,EAAE,YAAY,GAAG,IAAI,CAAC;IAC9B,WAAW,EAAE,MAAM,GAAG,IAAI,CAAC;IAC3B,eAAe,EAAE,OAAO,CAAC;IACzB,SAAS,EAAE,OAAO,CAAC;IAGnB,OAAO,EAAE,CAAC,QAAQ,EAAE,YAAY,EAAE,WAAW,EAAE,MAAM,KAAK,IAAI,CAAC;IAC/D,SAAS,EAAE,MAAM,IAAI,CAAC;IACtB,cAAc,EAAE,CAAC,OAAO,EAAE,OAAO,CAAC,YAAY,CAAC,KAAK,IAAI,CAAC;IACzD,UAAU,EAAE,CAAC,SAAS,EAAE,OAAO,KAAK,IAAI,CAAC;CAC1C;AAED,eAAO,MAAM,eAAe,GAAI,gCAA8B;;;;;sBA+DtC,YAAY,GAAG,IAAI;yBAChB,MAAM,GAAG,IAAI;6BACT,OAAO;;;;;;;;sBAFd,YAAY,GAAG,IAAI;yBAChB,MAAM,GAAG,IAAI;6BACT,OAAO;;;CAWnC,CAAC"}
+{"version":3,"file":"auth.store.d.ts","sourceRoot":"","sources":["../../../src/react/stores/auth.store.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAKH,MAAM,WAAW,YAAY;IAC3B,EAAE,EAAE,MAAM,CAAC;IACX,KAAK,EAAE,MAAM,CAAC;IACd,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,KAAK,CAAC,EAAE,MAAM,CAAC;CAChB;AAED,MAAM,WAAW,SAAS;IAExB,QAAQ,EAAE,YAAY,GAAG,IAAI,CAAC;IAC9B,WAAW,EAAE,MAAM,GAAG,IAAI,CAAC;IAC3B,eAAe,EAAE,OAAO,CAAC;IACzB,SAAS,EAAE,OAAO,CAAC;IAGnB,OAAO,EAAE,CAAC,QAAQ,EAAE,YAAY,EAAE,WAAW,EAAE,MAAM,KAAK,IAAI,CAAC;IAC/D,SAAS,EAAE,MAAM,IAAI,CAAC;IACtB,cAAc,EAAE,CAAC,OAAO,EAAE,OAAO,CAAC,YAAY,CAAC,KAAK,IAAI,CAAC;IACzD,UAAU,EAAE,CAAC,SAAS,EAAE,OAAO,KAAK,IAAI,CAAC;CAC1C;AAED,eAAO,MAAM,eAAe,GAAI,gCAA8B;;;;;sBAkEtC,YAAY,GAAG,IAAI;6BACZ,OAAO;;;;;;;;sBADd,YAAY,GAAG,IAAI;6BACZ,OAAO;;;CAUnC,CAAC"}

package/dist/react/stores/auth.store.js

@@ -32,10 +32,12 @@ export const createAuthStore = (initialIsAuthenticated = false) => createStore()
     setLoading: (isLoading) => set({ isLoading }),
 }), {
     name: 'auth-storage',
-    version: 2, // Invalidate stale data from old module-level store era
+    version: 3, // v3 (Iteracja 2 — XSS fix): accessToken DROP'owany z localStorage
+    // persistence. Token żyje tylko w-memory + httpOnly cookie (browser auto-sent).
+    // Non-browser klienci (mobile native, server-to-server) ustawiają token explicit
+    // przez setAuth() — nigdy nie persistowany w localStorage SDK.
     partialize: (state) => ({
         customer: state.customer,
-        accessToken: state.accessToken,
         isAuthenticated: state.isAuthenticated,
     }),
     /**
@@ -51,16 +53,17 @@ export const createAuthStore = (initialIsAuthenticated = false) => createStore()
         return {
             ...currentState,
             customer: persisted.customer ?? currentState.customer,
-            accessToken: persisted.accessToken ?? currentState.accessToken,
+            // accessToken NIE persistowany — initialize zawsze na null (in-memory only)
             // Server cookie is the authority — never let stale localStorage override it
             isAuthenticated: currentState.isAuthenticated,
         };
     },
     migrate: (persistedState, version) => {
-        if (version < 2) {
-            // Data from old module-level store may be unreliable (Turbopack duplication)
-            // Clear it — user will re-authenticate via cookie or login
-            return { customer: null, accessToken: null, isAuthenticated: false };
+        if (version < 3) {
+            // v1→v2: Turbopack duplication cleanup; v2→v3: XSS fix — accessToken usunięty
+            // z localStorage. Po migracji store start fresh, użytkownik re-auth przez
+            // cookie hydration (BFF /api/auth/whoami) lub login flow.
+            return { customer: null, isAuthenticated: false };
         }
         return persistedState;
     },

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@doswiftly/storefront-sdk",
-  "version": "4.7.2",
+  "version": "7.0.0",
   "description": "Storefront runtime SDK for DoSwiftly Commerce — layered transport, middleware pipeline, React providers, Zustand stores, cache strategies. 0 runtime dependencies in core.",
   "type": "module",
   "files": [
@@ -35,8 +35,7 @@
     "graphql",
     "react",
     "zustand",
-    "middleware",
-    "hydrogen"
+    "middleware"
   ],
   "author": "DoSwiftly Team",
   "license": "MIT",