@every-app/sdk 0.1.10 → 0.1.12

package/dist/tanstack/useEveryAppRouter.js

@@ -1,5 +1,6 @@
 import { useEffect } from "react";
 import { useRouter } from "@tanstack/react-router";
+import { parseMessagePayload } from "../shared/parseMessagePayload.js";
 export function useEveryAppRouter({ sessionManager }) {
     const router = useRouter();
     // Route synchronization effect
@@ -8,11 +9,15 @@ export function useEveryAppRouter({ sessionManager }) {
             return;
         // Listen for route sync messages from parent
         const handleMessage = (event) => {
-            if (event.origin !== sessionManager.parentOrigin)
+            // Validate origin based on environment
+            if (!sessionManager.isTrustedHostMessage(event))
                 return;
-            if (event.data.type === "ROUTE_CHANGE" &&
-                event.data.direction === "parent-to-child") {
-                const targetRoute = event.data.route;
+            const data = parseMessagePayload(event.data);
+            if (!data)
+                return;
+            if (data.type === "ROUTE_CHANGE" &&
+                data.direction === "parent-to-child") {
+                const targetRoute = typeof data.route === "string" ? data.route : null;
                 const currentRoute = window.location.pathname;
                 // Only navigate if the route is different from current location
                 if (targetRoute && targetRoute !== currentRoute) {
@@ -30,13 +35,17 @@ export function useEveryAppRouter({ sessionManager }) {
                 return;
             }
             lastReportedPath = currentPath;
-            if (window.parent !== window) {
-                window.parent.postMessage({
-                    type: "ROUTE_CHANGE",
-                    route: currentPath,
-                    appId: sessionManager.appId,
-                    direction: "child-to-parent",
-                }, sessionManager.parentOrigin);
+            const message = {
+                type: "ROUTE_CHANGE",
+                route: currentPath,
+                appId: sessionManager.appId,
+                direction: "child-to-parent",
+            };
+            try {
+                sessionManager.postToHost(message);
+            }
+            catch {
+                return;
             }
         };
         // Listen to popstate for browser back/forward

package/dist/tanstack/useSessionTokenClientMiddleware.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"useSessionTokenClientMiddleware.d.ts","sourceRoot":"","sources":["../../src/tanstack/useSessionTokenClientMiddleware.ts"],"names":[],"mappings":"AAGA,eAAO,MAAM,+BAA+B,6GA2B1C,CAAC"}
+{"version":3,"file":"useSessionTokenClientMiddleware.d.ts","sourceRoot":"","sources":["../../src/tanstack/useSessionTokenClientMiddleware.ts"],"names":[],"mappings":"AAOA,eAAO,MAAM,+BAA+B,6GAmC1C,CAAC"}

package/dist/tanstack/useSessionTokenClientMiddleware.js

@@ -1,7 +1,15 @@
 import { createMiddleware } from "@tanstack/react-start";
+import { BYPASS_GATEWAY_LOCAL_ONLY_TOKEN, isBypassGatewayLocalOnlyClient, } from "../shared/bypassGatewayLocalOnly.js";
 export const useSessionTokenClientMiddleware = createMiddleware({
     type: "function",
 }).client(async ({ next }) => {
+    if (isBypassGatewayLocalOnlyClient()) {
+        return next({
+            headers: {
+                Authorization: `Bearer ${BYPASS_GATEWAY_LOCAL_ONLY_TOKEN}`,
+            },
+        });
+    }
     // Get the global sessionManager - this MUST be available for embedded apps
     const sessionManager = window
         .__embeddedSessionManager;

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@every-app/sdk",
-  "version": "0.1.10",
+  "version": "0.1.12",
   "license": "MIT",
   "type": "module",
   "exports": {

package/src/cloudflare/server/gateway.test.ts

@@ -56,11 +56,46 @@ describe("gateway server helpers", () => {
     );
   });
 
-  it("fetches via service binding when available", async () => {
-    const bindingFetch = vi
-      .fn()
+  it("fetches via service binding when available in production", async () => {
+    // Service binding is only used when import.meta.env.PROD is true
+    const originalProd = import.meta.env.PROD;
+    import.meta.env.PROD = true;
+
+    try {
+      const bindingFetch = vi
+        .fn()
+        .mockResolvedValue(new Response("ok", { status: 200 }));
+
+      const env: TestEnv = {
+        GATEWAY_URL: "https://gateway.example.com",
+        EVERY_APP_GATEWAY: { fetch: bindingFetch },
+        GATEWAY_APP_API_TOKEN: "eat_test_token",
+      };
+
+      await fetchGateway({
+        env,
+        url: "/api/ai/openai/v1/chat/completions",
+        init: { method: "POST" },
+      });
+
+      expect(bindingFetch).toHaveBeenCalledTimes(1);
+      const [requestArg] = bindingFetch.mock.calls[0];
+      const request = requestArg as Request;
+      expect(request.url).toBe(
+        "http://localhost/api/ai/openai/v1/chat/completions",
+      );
+    } finally {
+      import.meta.env.PROD = originalProd;
+    }
+  });
+
+  it("skips service binding in development and uses HTTP fetch", async () => {
+    const fetchMock = vi
+      .spyOn(globalThis, "fetch")
       .mockResolvedValue(new Response("ok", { status: 200 }));
 
+    const bindingFetch = vi.fn();
+
     const env: TestEnv = {
       GATEWAY_URL: "https://gateway.example.com",
       EVERY_APP_GATEWAY: { fetch: bindingFetch },
@@ -73,12 +108,9 @@ describe("gateway server helpers", () => {
       init: { method: "POST" },
     });
 
-    expect(bindingFetch).toHaveBeenCalledTimes(1);
-    const [requestArg] = bindingFetch.mock.calls[0];
-    const request = requestArg as Request;
-    expect(request.url).toBe(
-      "http://localhost/api/ai/openai/v1/chat/completions",
-    );
+    // In dev, should use HTTP fetch, not service binding
+    expect(bindingFetch).not.toHaveBeenCalled();
+    expect(fetchMock).toHaveBeenCalledTimes(1);
   });
 
   it("always injects app token and strips Authorization header", async () => {

package/src/core/authenticatedFetch.ts

@@ -1,3 +1,8 @@
+import {
+  BYPASS_GATEWAY_LOCAL_ONLY_TOKEN,
+  isBypassGatewayLocalOnlyClient,
+} from "../shared/bypassGatewayLocalOnly.js";
+
 interface SessionManager {
   getToken(): Promise<string>;
 }
@@ -10,6 +15,10 @@ interface WindowWithSessionManager extends Window {
  * Gets the current session token from the embedded session manager
  */
 export async function getSessionToken(): Promise<string> {
+  if (isBypassGatewayLocalOnlyClient()) {
+    return BYPASS_GATEWAY_LOCAL_ONLY_TOKEN;
+  }
+
   const windowWithSession = window as WindowWithSessionManager;
   const sessionManager = windowWithSession.__embeddedSessionManager;
 

package/src/core/index.ts

@@ -1,4 +1,12 @@
-export { SessionManager, isRunningInIframe } from "./sessionManager.js";
-export type { SessionManagerConfig } from "./sessionManager.js";
+export {
+  SessionManager,
+  isRunningInIframe,
+  isRunningInReactNativeWebView,
+  detectEnvironment,
+} from "./sessionManager.js";
+export type {
+  SessionManagerConfig,
+  EmbeddedEnvironment,
+} from "./sessionManager.js";
 
 export { authenticatedFetch, getSessionToken } from "./authenticatedFetch.js";

package/src/core/sessionManager.test.ts

@@ -47,6 +47,21 @@ describe("SessionManager", () => {
     } as MessageEvent);
   }
 
+  function createJwtLikeToken(payload: Record<string, unknown>): string {
+    return `header.${btoa(JSON.stringify(payload))}.signature`;
+  }
+
+  function createBase64UrlJwtLikeToken(
+    payload: Record<string, unknown>,
+  ): string {
+    const encoded = btoa(JSON.stringify(payload))
+      .replace(/\+/g, "-")
+      .replace(/\//g, "_")
+      .replace(/=+$/g, "");
+
+    return `header.${encoded}.signature`;
+  }
+
   beforeEach(async () => {
     vi.resetModules();
     vi.stubEnv("VITE_GATEWAY_URL", "https://gateway.example.com");
@@ -552,6 +567,31 @@ describe("SessionManager", () => {
         email: "", // Defaults to empty string
       });
     });
+
+    it("extracts user info from base64url-encoded JWT payload", async () => {
+      const manager = new SessionManager({ appId: "test-app" });
+
+      const fakeToken = createBase64UrlJwtLikeToken({
+        sub: "user-123",
+        email: "test@example.com",
+      });
+
+      const tokenPromise = manager.requestNewToken();
+
+      simulateTokenResponse({
+        token: fakeToken,
+        expiresAt: new Date(Date.now() + 60000).toISOString(),
+      });
+
+      await tokenPromise;
+
+      const user = manager.getUser();
+
+      expect(user).toEqual({
+        userId: "user-123",
+        email: "test@example.com",
+      });
+    });
   });
 
   describe("default token lifetime", () => {
@@ -793,4 +833,107 @@ describe("SessionManager", () => {
       expect(token).toBe("success-token");
     });
   });
+
+  describe("react-native-webview token push", () => {
+    beforeEach(() => {
+      messageHandler = null;
+      addEventListenerSpy = vi.fn((event: string, handler: Function) => {
+        if (event === "message") {
+          messageHandler = handler as (event: MessageEvent) => void;
+        }
+      });
+
+      vi.stubGlobal("window", {
+        addEventListener: addEventListenerSpy,
+        removeEventListener: removeEventListenerSpy,
+        ReactNativeWebView: {
+          postMessage: vi.fn(),
+        },
+        parent: {
+          postMessage: mockPostMessage,
+        },
+      });
+    });
+
+    it("accepts pushed token only when appId and audience match", async () => {
+      const manager = new SessionManager({ appId: "todo-app" });
+      const tokenPromise = manager.requestNewToken();
+
+      const token = createJwtLikeToken({
+        sub: "user-1",
+        aud: "todo-app",
+      });
+
+      simulateMalformedMessage("react-native", {
+        type: "SESSION_TOKEN_UPDATE",
+        appId: "todo-app",
+        token,
+        expiresAt: new Date(Date.now() + 60000).toISOString(),
+      });
+
+      await expect(tokenPromise).resolves.toBe(token);
+    });
+
+    it("accepts stringified token update payload with null-like origin", async () => {
+      const manager = new SessionManager({ appId: "todo-app" });
+      const tokenPromise = manager.requestNewToken();
+
+      const token = createJwtLikeToken({
+        sub: "user-1",
+        aud: "todo-app",
+      });
+
+      simulateMalformedMessage(
+        "null",
+        JSON.stringify({
+          type: "SESSION_TOKEN_UPDATE",
+          appId: "todo-app",
+          token,
+          expiresAt: new Date(Date.now() + 60000).toISOString(),
+        }),
+      );
+
+      await expect(tokenPromise).resolves.toBe(token);
+    });
+
+    it("ignores malformed JSON token updates", async () => {
+      vi.useFakeTimers();
+
+      const manager = new SessionManager({ appId: "todo-app" });
+      const tokenPromise = manager.requestNewToken();
+
+      simulateMalformedMessage("react-native", "{not-json");
+
+      vi.advanceTimersByTime(10001);
+
+      await expect(tokenPromise).rejects.toThrow(
+        "Timed out waiting for token from React Native bridge",
+      );
+    });
+
+    it("rejects pushed token when audience does not match expected app", async () => {
+      vi.useFakeTimers();
+
+      const manager = new SessionManager({ appId: "todo-app" });
+      const tokenPromise = manager.requestNewToken();
+
+      const wrongAudienceToken = createJwtLikeToken({
+        sub: "user-1",
+        aud: "chef-app",
+      });
+
+      simulateMalformedMessage("react-native", {
+        type: "SESSION_TOKEN_UPDATE",
+        appId: "todo-app",
+        token: wrongAudienceToken,
+        expiresAt: new Date(Date.now() + 60000).toISOString(),
+      });
+
+      vi.advanceTimersByTime(10001);
+
+      await expect(tokenPromise).rejects.toThrow(
+        "Timed out waiting for token from React Native bridge",
+      );
+    });
+  });
 });