@every-app/sdk 0.1.11 → 0.1.12

package/src/core/index.ts

@@ -1,4 +1,12 @@
-export { SessionManager, isRunningInIframe } from "./sessionManager.js";
-export type { SessionManagerConfig } from "./sessionManager.js";
+export {
+  SessionManager,
+  isRunningInIframe,
+  isRunningInReactNativeWebView,
+  detectEnvironment,
+} from "./sessionManager.js";
+export type {
+  SessionManagerConfig,
+  EmbeddedEnvironment,
+} from "./sessionManager.js";
 
 export { authenticatedFetch, getSessionToken } from "./authenticatedFetch.js";

package/src/core/sessionManager.test.ts

@@ -47,6 +47,21 @@ describe("SessionManager", () => {
     } as MessageEvent);
   }
 
+  function createJwtLikeToken(payload: Record<string, unknown>): string {
+    return `header.${btoa(JSON.stringify(payload))}.signature`;
+  }
+
+  function createBase64UrlJwtLikeToken(
+    payload: Record<string, unknown>,
+  ): string {
+    const encoded = btoa(JSON.stringify(payload))
+      .replace(/\+/g, "-")
+      .replace(/\//g, "_")
+      .replace(/=+$/g, "");
+
+    return `header.${encoded}.signature`;
+  }
+
   beforeEach(async () => {
     vi.resetModules();
     vi.stubEnv("VITE_GATEWAY_URL", "https://gateway.example.com");
@@ -552,6 +567,31 @@ describe("SessionManager", () => {
         email: "", // Defaults to empty string
       });
     });
+
+    it("extracts user info from base64url-encoded JWT payload", async () => {
+      const manager = new SessionManager({ appId: "test-app" });
+
+      const fakeToken = createBase64UrlJwtLikeToken({
+        sub: "user-123",
+        email: "test@example.com",
+      });
+
+      const tokenPromise = manager.requestNewToken();
+
+      simulateTokenResponse({
+        token: fakeToken,
+        expiresAt: new Date(Date.now() + 60000).toISOString(),
+      });
+
+      await tokenPromise;
+
+      const user = manager.getUser();
+
+      expect(user).toEqual({
+        userId: "user-123",
+        email: "test@example.com",
+      });
+    });
   });
 
   describe("default token lifetime", () => {
@@ -793,4 +833,107 @@ describe("SessionManager", () => {
       expect(token).toBe("success-token");
     });
   });
+
+  describe("react-native-webview token push", () => {
+    beforeEach(() => {
+      messageHandler = null;
+      addEventListenerSpy = vi.fn((event: string, handler: Function) => {
+        if (event === "message") {
+          messageHandler = handler as (event: MessageEvent) => void;
+        }
+      });
+
+      vi.stubGlobal("window", {
+        addEventListener: addEventListenerSpy,
+        removeEventListener: removeEventListenerSpy,
+        ReactNativeWebView: {
+          postMessage: vi.fn(),
+        },
+        parent: {
+          postMessage: mockPostMessage,
+        },
+      });
+    });
+
+    it("accepts pushed token only when appId and audience match", async () => {
+      const manager = new SessionManager({ appId: "todo-app" });
+      const tokenPromise = manager.requestNewToken();
+
+      const token = createJwtLikeToken({
+        sub: "user-1",
+        aud: "todo-app",
+      });
+
+      simulateMalformedMessage("react-native", {
+        type: "SESSION_TOKEN_UPDATE",
+        appId: "todo-app",
+        token,
+        expiresAt: new Date(Date.now() + 60000).toISOString(),
+      });
+
+      await expect(tokenPromise).resolves.toBe(token);
+    });
+
+    it("accepts stringified token update payload with null-like origin", async () => {
+      const manager = new SessionManager({ appId: "todo-app" });
+      const tokenPromise = manager.requestNewToken();
+
+      const token = createJwtLikeToken({
+        sub: "user-1",
+        aud: "todo-app",
+      });
+
+      simulateMalformedMessage(
+        "null",
+        JSON.stringify({
+          type: "SESSION_TOKEN_UPDATE",
+          appId: "todo-app",
+          token,
+          expiresAt: new Date(Date.now() + 60000).toISOString(),
+        }),
+      );
+
+      await expect(tokenPromise).resolves.toBe(token);
+    });
+
+    it("ignores malformed JSON token updates", async () => {
+      vi.useFakeTimers();
+
+      const manager = new SessionManager({ appId: "todo-app" });
+      const tokenPromise = manager.requestNewToken();
+
+      simulateMalformedMessage("react-native", "{not-json");
+
+      vi.advanceTimersByTime(10001);
+
+      await expect(tokenPromise).rejects.toThrow(
+        "Timed out waiting for token from React Native bridge",
+      );
+    });
+
+    it("rejects pushed token when audience does not match expected app", async () => {
+      vi.useFakeTimers();
+
+      const manager = new SessionManager({ appId: "todo-app" });
+      const tokenPromise = manager.requestNewToken();
+
+      const wrongAudienceToken = createJwtLikeToken({
+        sub: "user-1",
+        aud: "chef-app",
+      });
+
+      simulateMalformedMessage("react-native", {
+        type: "SESSION_TOKEN_UPDATE",
+        appId: "todo-app",
+        token: wrongAudienceToken,
+        expiresAt: new Date(Date.now() + 60000).toISOString(),
+      });
+
+      vi.advanceTimersByTime(10001);
+
+      await expect(tokenPromise).rejects.toThrow(
+        "Timed out waiting for token from React Native bridge",
+      );
+    });
+  });
 });

package/src/core/sessionManager.ts

@@ -4,6 +4,7 @@ import {
   BYPASS_GATEWAY_LOCAL_ONLY_USER_ID,
   isBypassGatewayLocalOnlyClient,
 } from "../shared/bypassGatewayLocalOnly.js";
+import { parseMessagePayload } from "../shared/parseMessagePayload.js";
 
 interface SessionToken {
   token: string;
@@ -16,6 +17,52 @@ interface TokenResponse {
   error?: string;
 }
 
+interface TokenUpdateMessage {
+  type: "SESSION_TOKEN_UPDATE";
+  token?: string;
+  expiresAt?: string;
+  appId?: string;
+}
+
+function isTokenUpdateMessage(data: unknown): data is TokenUpdateMessage {
+  if (!data || typeof data !== "object" || Array.isArray(data)) {
+    return false;
+  }
+
+  return (data as { type?: unknown }).type === "SESSION_TOKEN_UPDATE";
+}
+
+function decodeJwtPayload(token: string): Record<string, unknown> | null {
+  try {
+    const parts = token.split(".");
+    if (parts.length !== 3) {
+      return null;
+    }
+
+    const base64 = parts[1].replace(/-/g, "+").replace(/_/g, "/");
+    const padded = base64 + "=".repeat((4 - (base64.length % 4)) % 4);
+    return JSON.parse(atob(padded)) as Record<string, unknown>;
+  } catch {
+    return null;
+  }
+}
+
+function tokenAudienceMatchesApp(
+  payload: Record<string, unknown>,
+  appId: string,
+): boolean {
+  const aud = payload.aud;
+  if (typeof aud === "string") {
+    return aud === appId;
+  }
+
+  if (Array.isArray(aud)) {
+    return aud.some((value) => value === appId);
+  }
+
+  return false;
+}
+
 export interface SessionManagerConfig {
   appId: string;
 }
@@ -23,12 +70,25 @@ export interface SessionManagerConfig {
 const MESSAGE_TIMEOUT_MS = 5000;
 const TOKEN_EXPIRY_BUFFER_MS = 10000;
 const DEFAULT_TOKEN_LIFETIME_MS = 60000;
+const REACT_NATIVE_TOKEN_WAIT_TIMEOUT_MS = 10000;
+
+/**
+ * Environment detection types
+ */
+export type EmbeddedEnvironment =
+  | "iframe"
+  | "react-native-webview"
+  | "standalone";
 
 /**
  * Detects whether the current window is running inside an iframe.
  * Returns true if in an iframe, false if running as top-level window.
  */
 export function isRunningInIframe(): boolean {
+  if (typeof window === "undefined") {
+    return false;
+  }
+
   try {
     return window.self !== window.top;
   } catch {
@@ -38,16 +98,52 @@ export function isRunningInIframe(): boolean {
   }
 }
 
+/**
+ * Detects whether the current window is running inside a React Native WebView.
+ * Returns true if window.ReactNativeWebView is available.
+ */
+export function isRunningInReactNativeWebView(): boolean {
+  if (typeof window === "undefined") {
+    return false;
+  }
+
+  return (
+    typeof (window as any).ReactNativeWebView?.postMessage === "function" ||
+    (window as any).isReactNativeWebView === true
+  );
+}
+
+/**
+ * Detects the current embedded environment.
+ * Priority: React Native WebView > iframe > standalone
+ */
+export function detectEnvironment(): EmbeddedEnvironment {
+  const isRNWebView = isRunningInReactNativeWebView();
+  const isIframe = isRunningInIframe();
+
+  if (isRNWebView) {
+    return "react-native-webview";
+  }
+  if (isIframe) {
+    return "iframe";
+  }
+  return "standalone";
+}
+
 export class SessionManager {
   readonly parentOrigin: string;
   readonly appId: string;
   readonly isInIframe: boolean;
+  readonly environment: EmbeddedEnvironment;
   readonly isBypassGatewayLocalOnly: boolean;
-  /** @deprecated Use isBypassGatewayLocalOnly instead. */
-  readonly isDemoModeLocalOnly: boolean;
 
   private token: SessionToken | null = null;
   private refreshPromise: Promise<string> | null = null;
+  private tokenWaiters: Array<{
+    resolve: (token: string) => void;
+    reject: (error: Error) => void;
+    timeout: ReturnType<typeof setTimeout>;
+  }> = [];
 
   constructor(config: SessionManagerConfig) {
     if (!config.appId) {
@@ -55,7 +151,6 @@ export class SessionManager {
     }
 
     this.isBypassGatewayLocalOnly = isBypassGatewayLocalOnlyClient();
-    this.isDemoModeLocalOnly = this.isBypassGatewayLocalOnly;
 
     const gatewayUrl = import.meta.env.VITE_GATEWAY_URL;
     if (!this.isBypassGatewayLocalOnly) {
@@ -76,8 +171,13 @@ export class SessionManager {
     this.parentOrigin = this.isBypassGatewayLocalOnly
       ? window.location.origin
       : gatewayUrl;
+    this.environment = detectEnvironment();
     this.isInIframe = isRunningInIframe();
 
+    if (this.environment === "react-native-webview") {
+      this.setupReactNativeTokenListener();
+    }
+
     if (this.isBypassGatewayLocalOnly) {
       this.token = {
         token: BYPASS_GATEWAY_LOCAL_ONLY_TOKEN,
@@ -86,6 +186,45 @@ export class SessionManager {
     }
   }
 
+  /**
+   * Check if running in an embedded environment (iframe or React Native WebView)
+   */
+  isEmbedded(): boolean {
+    return this.environment !== "standalone";
+  }
+
+  isTrustedHostMessage(event: MessageEvent): boolean {
+    if (this.environment === "react-native-webview") {
+      const origin = (event as MessageEvent & { origin?: string | null })
+        .origin;
+      return (
+        origin === "react-native" ||
+        origin === "null" ||
+        origin === "" ||
+        origin == null
+      );
+    }
+
+    return event.origin === this.parentOrigin;
+  }
+
+  postToHost(message: object): void {
+    if (this.environment === "react-native-webview") {
+      const postMessage = (window as any).ReactNativeWebView?.postMessage;
+      if (typeof postMessage !== "function") {
+        throw new Error("React Native WebView bridge is unavailable");
+      }
+
+      postMessage.call(
+        (window as any).ReactNativeWebView,
+        JSON.stringify(message),
+      );
+      return;
+    }
+
+    window.parent.postMessage(message, this.parentOrigin);
+  }
+
   private isTokenExpiringSoon(
     bufferMs: number = TOKEN_EXPIRY_BUFFER_MS,
   ): boolean {
@@ -105,19 +244,17 @@ export class SessionManager {
       };
 
       const handler = (event: MessageEvent) => {
-        // Security: reject messages from wrong origin (including null from sandboxed iframes)
-        if (event.origin !== this.parentOrigin) return;
-        // Safety: ignore malformed messages that could crash the handler
-        if (!event.data || typeof event.data !== "object") return;
-        if (
-          event.data.type === responseType &&
-          event.data.requestId === requestId
-        ) {
+        // Security: validate message origin based on environment
+        if (!this.isTrustedHostMessage(event)) return;
+        const data = parseMessagePayload(event.data);
+        if (!data) return;
+
+        if (data.type === responseType && data.requestId === requestId) {
           cleanup();
-          if (event.data.error) {
-            reject(new Error(event.data.error));
+          if (typeof data.error === "string" && data.error) {
+            reject(new Error(data.error));
           } else {
-            resolve(event.data as T);
+            resolve(data as T);
           }
         }
       };
@@ -128,7 +265,100 @@ export class SessionManager {
       }, MESSAGE_TIMEOUT_MS);
 
       window.addEventListener("message", handler);
-      window.parent.postMessage(request, this.parentOrigin);
+
+      try {
+        this.postToHost(request);
+      } catch (error) {
+        cleanup();
+        reject(
+          error instanceof Error
+            ? error
+            : new Error("Failed to post message to host"),
+        );
+      }
+    });
+  }
+
+  private setupReactNativeTokenListener(): void {
+    window.addEventListener("message", (event: MessageEvent) => {
+      if (!this.isTrustedHostMessage(event)) {
+        return;
+      }
+
+      const data = parseMessagePayload(event.data);
+      if (!data) {
+        return;
+      }
+
+      if (!isTokenUpdateMessage(data)) {
+        return;
+      }
+
+      const message = data;
+
+      if (!message.token || typeof message.token !== "string") {
+        return;
+      }
+
+      if (typeof message.appId !== "string" || message.appId !== this.appId) {
+        return;
+      }
+
+      if (
+        message.expiresAt !== undefined &&
+        typeof message.expiresAt !== "string"
+      ) {
+        return;
+      }
+
+      const payload = decodeJwtPayload(message.token);
+      if (!payload || !tokenAudienceMatchesApp(payload, this.appId)) {
+        return;
+      }
+
+      // Native controls token minting and pushes updates into the embedded app.
+      // We only consume pushed tokens in React Native WebView mode.
+      let expiresAt = Date.now() + DEFAULT_TOKEN_LIFETIME_MS;
+      if (message.expiresAt) {
+        const parsed = new Date(message.expiresAt).getTime();
+        if (!Number.isNaN(parsed)) {
+          expiresAt = parsed;
+        }
+      }
+
+      this.token = {
+        token: message.token,
+        expiresAt,
+      };
+
+      if (this.tokenWaiters.length > 0) {
+        const waiters = this.tokenWaiters;
+        this.tokenWaiters = [];
+
+        for (const waiter of waiters) {
+          clearTimeout(waiter.timeout);
+          waiter.resolve(message.token);
+        }
+      }
+    });
+  }
+
+  private waitForReactNativeTokenPush(): Promise<string> {
+    if (this.token && !this.isTokenExpiringSoon()) {
+      return Promise.resolve(this.token.token);
+    }
+
+    return new Promise((resolve, reject) => {
+      const timeout = setTimeout(() => {
+        this.tokenWaiters = this.tokenWaiters.filter(
+          (w) => w.timeout !== timeout,
+        );
+        reject(
+          new Error("Timed out waiting for token from React Native bridge"),
+        );
+      }, REACT_NATIVE_TOKEN_WAIT_TIMEOUT_MS);
+
+      this.tokenWaiters.push({ resolve, reject, timeout });
     });
   }
 
@@ -145,6 +375,16 @@ export class SessionManager {
       return this.refreshPromise;
     }
 
+    if (this.environment === "react-native-webview") {
+      this.refreshPromise = this.waitForReactNativeTokenPush();
+
+      try {
+        return await this.refreshPromise;
+      } finally {
+        this.refreshPromise = null;
+      }
+    }
+
     this.refreshPromise = (async () => {
       const requestId = crypto.randomUUID();
 
@@ -235,23 +475,18 @@ export class SessionManager {
       return null;
     }
 
-    try {
-      const parts = this.token.token.split(".");
-      if (parts.length !== 3) {
-        return null;
-      }
-
-      const payload = JSON.parse(atob(parts[1]));
-      if (!payload.sub) {
-        return null;
-      }
+    const payload = decodeJwtPayload(this.token.token);
+    if (!payload) {
+      return null;
+    }
 
-      return {
-        userId: payload.sub,
-        email: payload.email ?? "",
-      };
-    } catch {
+    if (typeof payload.sub !== "string") {
       return null;
     }
+
+    return {
+      userId: payload.sub,
+      email: typeof payload.email === "string" ? payload.email : "",
+    };
   }
 }

package/src/shared/parseMessagePayload.ts

@@ -0,0 +1,22 @@
+export type MessagePayload = Record<string, unknown>;
+
+export function parseMessagePayload(data: unknown): MessagePayload | null {
+  if (data && typeof data === "object" && !Array.isArray(data)) {
+    return data as MessagePayload;
+  }
+
+  if (typeof data !== "string") {
+    return null;
+  }
+
+  try {
+    const parsed = JSON.parse(data);
+    if (parsed && typeof parsed === "object" && !Array.isArray(parsed)) {
+      return parsed as MessagePayload;
+    }
+  } catch {
+    return null;
+  }
+
+  return null;
+}

package/src/tanstack/EmbeddedAppProvider.tsx

@@ -30,8 +30,11 @@ export function EmbeddedAppProvider({
 
   if (!sessionManager) return null;
 
-  // Check if the app is running outside of the Gateway iframe (skip in demo mode)
-  if (!sessionManager.isInIframe && !sessionManager.isBypassGatewayLocalOnly) {
+  // Check if the app is running outside of the Gateway (iframe or React Native WebView)
+  if (
+    !sessionManager.isEmbedded() &&
+    !sessionManager.isBypassGatewayLocalOnly
+  ) {
     return (
       <GatewayRequiredError
         gatewayOrigin={sessionManager.parentOrigin}

package/src/tanstack/_internal/useEveryAppSession.test.ts

@@ -0,0 +1,40 @@
+import { describe, expect, it } from "vitest";
+import { shouldBootstrapSession } from "./useEveryAppSession";
+
+describe("shouldBootstrapSession", () => {
+  it("returns false for standalone apps without bypass", () => {
+    expect(
+      shouldBootstrapSession({
+        isEmbedded: () => false,
+        isBypassGatewayLocalOnly: false,
+      }),
+    ).toBe(false);
+  });
+
+  it("returns true for embedded apps", () => {
+    expect(
+      shouldBootstrapSession({
+        isEmbedded: () => true,
+        isBypassGatewayLocalOnly: false,
+      }),
+    ).toBe(true);
+  });
+
+  it("returns true for local bypass mode", () => {
+    expect(
+      shouldBootstrapSession({
+        isEmbedded: () => false,
+        isBypassGatewayLocalOnly: true,
+      }),
+    ).toBe(true);
+  });
+
+  it("does not depend on iframe detection for RN webviews", () => {
+    expect(
+      shouldBootstrapSession({
+        isEmbedded: () => true,
+        isBypassGatewayLocalOnly: false,
+      }),
+    ).toBe(true);
+  });
+});

package/src/tanstack/_internal/useEveryAppSession.tsx

@@ -9,6 +9,20 @@ interface UseEveryAppSessionParams {
   sessionManagerConfig: SessionManagerConfig;
 }
 
+type SessionBootstrapGate = Pick<
+  SessionManager,
+  "isEmbedded" | "isBypassGatewayLocalOnly"
+>;
+
+export function shouldBootstrapSession(
+  sessionManager: SessionBootstrapGate,
+): boolean {
+  // Bootstrapping should happen whenever the app is hosted by a trusted container.
+  // This intentionally keys off embedded environment semantics (iframe OR RN WebView),
+  // not iframe-only detection, so RN can initialize auth from pushed tokens.
+  return sessionManager.isEmbedded() || sessionManager.isBypassGatewayLocalOnly;
+}
+
 export function useEveryAppSession({
   sessionManagerConfig,
 }: UseEveryAppSessionParams) {
@@ -28,9 +42,8 @@ export function useEveryAppSession({
 
   useEffect(() => {
     if (!sessionManager) return;
-    // Skip token requests when not in iframe (unless in demo mode) - the app will show GatewayRequiredError instead
-    if (!sessionManager.isInIframe && !sessionManager.isBypassGatewayLocalOnly)
-      return;
+    // Skip token bootstrap when not embedded (unless in demo mode) - the app will show GatewayRequiredError instead
+    if (!shouldBootstrapSession(sessionManager)) return;
 
     const interval = setInterval(() => {
       setSessionTokenState(sessionManager.getTokenState());