@every-app/sdk 0.1.11 → 0.1.13

package/src/cloudflare/server/gateway.test.ts

@@ -56,31 +56,110 @@ describe("gateway server helpers", () => {
     );
   });
 
-  it("fetches via service binding when available", async () => {
-    const bindingFetch = vi
-      .fn()
+  it("throws when absolute URL points to non-gateway origin", async () => {
+    const fetchMock = vi
+      .spyOn(globalThis, "fetch")
+      .mockResolvedValue(new Response("ok", { status: 200 }));
+
+    const env: TestEnv = {
+      GATEWAY_URL: "https://gateway.example.com",
+      GATEWAY_APP_API_TOKEN: "eat_test_token",
+    };
+
+    await expect(
+      fetchGateway({
+        env,
+        url: "https://evil.example.com/api/ai/openai/v1/responses",
+        init: { method: "POST" },
+      }),
+    ).rejects.toThrow(
+      "Refusing to send gateway token to non-gateway origin: https://evil.example.com",
+    );
+
+    expect(fetchMock).not.toHaveBeenCalled();
+  });
+
+  it("allows absolute URL when it matches gateway origin", async () => {
+    const fetchMock = vi
+      .spyOn(globalThis, "fetch")
       .mockResolvedValue(new Response("ok", { status: 200 }));
 
     const env: TestEnv = {
       GATEWAY_URL: "https://gateway.example.com",
-      EVERY_APP_GATEWAY: { fetch: bindingFetch },
       GATEWAY_APP_API_TOKEN: "eat_test_token",
     };
 
     await fetchGateway({
       env,
-      url: "/api/ai/openai/v1/chat/completions",
+      url: "https://gateway.example.com/api/ai/openai/v1/responses",
       init: { method: "POST" },
     });
 
-    expect(bindingFetch).toHaveBeenCalledTimes(1);
-    const [requestArg] = bindingFetch.mock.calls[0];
+    expect(fetchMock).toHaveBeenCalledTimes(1);
+    const [requestArg] = fetchMock.mock.calls[0];
     const request = requestArg as Request;
     expect(request.url).toBe(
-      "http://localhost/api/ai/openai/v1/chat/completions",
+      "https://gateway.example.com/api/ai/openai/v1/responses",
     );
   });
 
+  it("fetches via service binding when available in production", async () => {
+    // Service binding is only used when import.meta.env.PROD is true
+    const originalProd = import.meta.env.PROD;
+    import.meta.env.PROD = true;
+
+    try {
+      const bindingFetch = vi
+        .fn()
+        .mockResolvedValue(new Response("ok", { status: 200 }));
+
+      const env: TestEnv = {
+        GATEWAY_URL: "https://gateway.example.com",
+        EVERY_APP_GATEWAY: { fetch: bindingFetch },
+        GATEWAY_APP_API_TOKEN: "eat_test_token",
+      };
+
+      await fetchGateway({
+        env,
+        url: "/api/ai/openai/v1/chat/completions",
+        init: { method: "POST" },
+      });
+
+      expect(bindingFetch).toHaveBeenCalledTimes(1);
+      const [requestArg] = bindingFetch.mock.calls[0];
+      const request = requestArg as Request;
+      expect(request.url).toBe(
+        "http://localhost/api/ai/openai/v1/chat/completions",
+      );
+    } finally {
+      import.meta.env.PROD = originalProd;
+    }
+  });
+
+  it("skips service binding in development and uses HTTP fetch", async () => {
+    const fetchMock = vi
+      .spyOn(globalThis, "fetch")
+      .mockResolvedValue(new Response("ok", { status: 200 }));
+
+    const bindingFetch = vi.fn();
+
+    const env: TestEnv = {
+      GATEWAY_URL: "https://gateway.example.com",
+      EVERY_APP_GATEWAY: { fetch: bindingFetch },
+      GATEWAY_APP_API_TOKEN: "eat_test_token",
+    };
+
+    await fetchGateway({
+      env,
+      url: "/api/ai/openai/v1/chat/completions",
+      init: { method: "POST" },
+    });
+
+    // In dev, should use HTTP fetch, not service binding
+    expect(bindingFetch).not.toHaveBeenCalled();
+    expect(fetchMock).toHaveBeenCalledTimes(1);
+  });
+
   it("always injects app token and strips Authorization header", async () => {
     const fetchMock = vi
       .spyOn(globalThis, "fetch")

package/src/cloudflare/server/gateway.ts

@@ -46,20 +46,29 @@ export async function fetchGateway({
   const resolvedRequest = toRequest(url, init, gatewayBaseUrl);
   const authenticatedRequest = applyAppTokenAuth(resolvedRequest, env);
 
-  // Use service binding when available for zero-latency internal routing
-  // (available in production Workers, not in local dev)
-  if (env.EVERY_APP_GATEWAY) {
+  // Use service binding in production for zero-latency internal routing.
+  // In local dev wrangler still exposes the binding object, but the target
+  // service usually isn't running locally, so we skip it and use HTTP fetch.
+  if (import.meta.env.PROD && env.EVERY_APP_GATEWAY) {
     const url = new URL(authenticatedRequest.url);
     const bindingUrl = `${SERVICE_BINDING_ORIGIN}${url.pathname}${url.search}`;
     const bindingRequest = new Request(bindingUrl, authenticatedRequest);
     return env.EVERY_APP_GATEWAY.fetch(bindingRequest);
   }
 
-  // Fall back to HTTP fetch for local dev
+  // HTTP fetch – used in local dev, or as a fallback when no binding exists
   return fetch(authenticatedRequest);
 }
 
 function applyAppTokenAuth(request: Request, env: GatewayEnv): Request {
+  const gatewayOrigin = new URL(getGatewayUrl(env)).origin;
+  const requestOrigin = new URL(request.url).origin;
+  if (requestOrigin !== gatewayOrigin) {
+    throw new Error(
+      `Refusing to send gateway token to non-gateway origin: ${requestOrigin}`,
+    );
+  }
+
   const appToken = getGatewayAppApiToken(env);
   if (!appToken) {
     throw new Error(

package/src/core/index.ts

@@ -1,4 +1,12 @@
-export { SessionManager, isRunningInIframe } from "./sessionManager.js";
-export type { SessionManagerConfig } from "./sessionManager.js";
+export {
+  SessionManager,
+  isRunningInIframe,
+  isRunningInReactNativeWebView,
+  detectEnvironment,
+} from "./sessionManager.js";
+export type {
+  SessionManagerConfig,
+  EmbeddedEnvironment,
+} from "./sessionManager.js";
 
 export { authenticatedFetch, getSessionToken } from "./authenticatedFetch.js";

package/src/core/sessionManager.test.ts

@@ -47,6 +47,21 @@ describe("SessionManager", () => {
     } as MessageEvent);
   }
 
+  function createJwtLikeToken(payload: Record<string, unknown>): string {
+    return `header.${btoa(JSON.stringify(payload))}.signature`;
+  }
+
+  function createBase64UrlJwtLikeToken(
+    payload: Record<string, unknown>,
+  ): string {
+    const encoded = btoa(JSON.stringify(payload))
+      .replace(/\+/g, "-")
+      .replace(/\//g, "_")
+      .replace(/=+$/g, "");
+
+    return `header.${encoded}.signature`;
+  }
+
   beforeEach(async () => {
     vi.resetModules();
     vi.stubEnv("VITE_GATEWAY_URL", "https://gateway.example.com");
@@ -552,6 +567,31 @@ describe("SessionManager", () => {
         email: "", // Defaults to empty string
       });
     });
+
+    it("extracts user info from base64url-encoded JWT payload", async () => {
+      const manager = new SessionManager({ appId: "test-app" });
+
+      const fakeToken = createBase64UrlJwtLikeToken({
+        sub: "user-123",
+        email: "test@example.com",
+      });
+
+      const tokenPromise = manager.requestNewToken();
+
+      simulateTokenResponse({
+        token: fakeToken,
+        expiresAt: new Date(Date.now() + 60000).toISOString(),
+      });
+
+      await tokenPromise;
+
+      const user = manager.getUser();
+
+      expect(user).toEqual({
+        userId: "user-123",
+        email: "test@example.com",
+      });
+    });
   });
 
   describe("default token lifetime", () => {
@@ -793,4 +833,107 @@ describe("SessionManager", () => {
       expect(token).toBe("success-token");
     });
   });
+
+  describe("react-native-webview token push", () => {
+    beforeEach(() => {
+      messageHandler = null;
+      addEventListenerSpy = vi.fn((event: string, handler: Function) => {
+        if (event === "message") {
+          messageHandler = handler as (event: MessageEvent) => void;
+        }
+      });
+
+      vi.stubGlobal("window", {
+        addEventListener: addEventListenerSpy,
+        removeEventListener: removeEventListenerSpy,
+        ReactNativeWebView: {
+          postMessage: vi.fn(),
+        },
+        parent: {
+          postMessage: mockPostMessage,
+        },
+      });
+    });
+
+    it("accepts pushed token only when appId and audience match", async () => {
+      const manager = new SessionManager({ appId: "todo-app" });
+      const tokenPromise = manager.requestNewToken();
+
+      const token = createJwtLikeToken({
+        sub: "user-1",
+        aud: "todo-app",
+      });
+
+      simulateMalformedMessage("react-native", {
+        type: "SESSION_TOKEN_UPDATE",
+        appId: "todo-app",
+        token,
+        expiresAt: new Date(Date.now() + 60000).toISOString(),
+      });
+
+      await expect(tokenPromise).resolves.toBe(token);
+    });
+
+    it("accepts stringified token update payload with null-like origin", async () => {
+      const manager = new SessionManager({ appId: "todo-app" });
+      const tokenPromise = manager.requestNewToken();
+
+      const token = createJwtLikeToken({
+        sub: "user-1",
+        aud: "todo-app",
+      });
+
+      simulateMalformedMessage(
+        "null",
+        JSON.stringify({
+          type: "SESSION_TOKEN_UPDATE",
+          appId: "todo-app",
+          token,
+          expiresAt: new Date(Date.now() + 60000).toISOString(),
+        }),
+      );
+
+      await expect(tokenPromise).resolves.toBe(token);
+    });
+
+    it("ignores malformed JSON token updates", async () => {
+      vi.useFakeTimers();
+
+      const manager = new SessionManager({ appId: "todo-app" });
+      const tokenPromise = manager.requestNewToken();
+
+      simulateMalformedMessage("react-native", "{not-json");
+
+      vi.advanceTimersByTime(10001);
+
+      await expect(tokenPromise).rejects.toThrow(
+        "Timed out waiting for token from React Native bridge",
+      );
+    });
+
+    it("rejects pushed token when audience does not match expected app", async () => {
+      vi.useFakeTimers();
+
+      const manager = new SessionManager({ appId: "todo-app" });
+      const tokenPromise = manager.requestNewToken();
+
+      const wrongAudienceToken = createJwtLikeToken({
+        sub: "user-1",
+        aud: "chef-app",
+      });
+
+      simulateMalformedMessage("react-native", {
+        type: "SESSION_TOKEN_UPDATE",
+        appId: "todo-app",
+        token: wrongAudienceToken,
+        expiresAt: new Date(Date.now() + 60000).toISOString(),
+      });
+
+      vi.advanceTimersByTime(10001);
+
+      await expect(tokenPromise).rejects.toThrow(
+        "Timed out waiting for token from React Native bridge",
+      );
+    });
+  });
 });