@every-app/sdk 0.1.11 → 0.1.13

package/src/core/sessionManager.ts

@@ -4,6 +4,7 @@ import {
   BYPASS_GATEWAY_LOCAL_ONLY_USER_ID,
   isBypassGatewayLocalOnlyClient,
 } from "../shared/bypassGatewayLocalOnly.js";
+import { parseMessagePayload } from "../shared/parseMessagePayload.js";
 
 interface SessionToken {
   token: string;
@@ -16,6 +17,52 @@ interface TokenResponse {
   error?: string;
 }
 
+interface TokenUpdateMessage {
+  type: "SESSION_TOKEN_UPDATE";
+  token?: string;
+  expiresAt?: string;
+  appId?: string;
+}
+
+function isTokenUpdateMessage(data: unknown): data is TokenUpdateMessage {
+  if (!data || typeof data !== "object" || Array.isArray(data)) {
+    return false;
+  }
+
+  return (data as { type?: unknown }).type === "SESSION_TOKEN_UPDATE";
+}
+
+function decodeJwtPayload(token: string): Record<string, unknown> | null {
+  try {
+    const parts = token.split(".");
+    if (parts.length !== 3) {
+      return null;
+    }
+
+    const base64 = parts[1].replace(/-/g, "+").replace(/_/g, "/");
+    const padded = base64 + "=".repeat((4 - (base64.length % 4)) % 4);
+    return JSON.parse(atob(padded)) as Record<string, unknown>;
+  } catch {
+    return null;
+  }
+}
+
+function tokenAudienceMatchesApp(
+  payload: Record<string, unknown>,
+  appId: string,
+): boolean {
+  const aud = payload.aud;
+  if (typeof aud === "string") {
+    return aud === appId;
+  }
+
+  if (Array.isArray(aud)) {
+    return aud.some((value) => value === appId);
+  }
+
+  return false;
+}
+
 export interface SessionManagerConfig {
   appId: string;
 }
@@ -23,12 +70,25 @@ export interface SessionManagerConfig {
 const MESSAGE_TIMEOUT_MS = 5000;
 const TOKEN_EXPIRY_BUFFER_MS = 10000;
 const DEFAULT_TOKEN_LIFETIME_MS = 60000;
+const REACT_NATIVE_TOKEN_WAIT_TIMEOUT_MS = 10000;
+
+/**
+ * Environment detection types
+ */
+export type EmbeddedEnvironment =
+  | "iframe"
+  | "react-native-webview"
+  | "standalone";
 
 /**
  * Detects whether the current window is running inside an iframe.
  * Returns true if in an iframe, false if running as top-level window.
  */
 export function isRunningInIframe(): boolean {
+  if (typeof window === "undefined") {
+    return false;
+  }
+
   try {
     return window.self !== window.top;
   } catch {
@@ -38,16 +98,52 @@ export function isRunningInIframe(): boolean {
   }
 }
 
+/**
+ * Detects whether the current window is running inside a React Native WebView.
+ * Returns true if window.ReactNativeWebView is available.
+ */
+export function isRunningInReactNativeWebView(): boolean {
+  if (typeof window === "undefined") {
+    return false;
+  }
+
+  return (
+    typeof (window as any).ReactNativeWebView?.postMessage === "function" ||
+    (window as any).isReactNativeWebView === true
+  );
+}
+
+/**
+ * Detects the current embedded environment.
+ * Priority: React Native WebView > iframe > standalone
+ */
+export function detectEnvironment(): EmbeddedEnvironment {
+  const isRNWebView = isRunningInReactNativeWebView();
+  const isIframe = isRunningInIframe();
+
+  if (isRNWebView) {
+    return "react-native-webview";
+  }
+  if (isIframe) {
+    return "iframe";
+  }
+  return "standalone";
+}
+
 export class SessionManager {
   readonly parentOrigin: string;
   readonly appId: string;
   readonly isInIframe: boolean;
+  readonly environment: EmbeddedEnvironment;
   readonly isBypassGatewayLocalOnly: boolean;
-  /** @deprecated Use isBypassGatewayLocalOnly instead. */
-  readonly isDemoModeLocalOnly: boolean;
 
   private token: SessionToken | null = null;
   private refreshPromise: Promise<string> | null = null;
+  private tokenWaiters: Array<{
+    resolve: (token: string) => void;
+    reject: (error: Error) => void;
+    timeout: ReturnType<typeof setTimeout>;
+  }> = [];
 
   constructor(config: SessionManagerConfig) {
     if (!config.appId) {
@@ -55,7 +151,6 @@ export class SessionManager {
     }
 
     this.isBypassGatewayLocalOnly = isBypassGatewayLocalOnlyClient();
-    this.isDemoModeLocalOnly = this.isBypassGatewayLocalOnly;
 
     const gatewayUrl = import.meta.env.VITE_GATEWAY_URL;
     if (!this.isBypassGatewayLocalOnly) {
@@ -76,8 +171,13 @@ export class SessionManager {
     this.parentOrigin = this.isBypassGatewayLocalOnly
       ? window.location.origin
       : gatewayUrl;
+    this.environment = detectEnvironment();
     this.isInIframe = isRunningInIframe();
 
+    if (this.environment === "react-native-webview") {
+      this.setupReactNativeTokenListener();
+    }
+
     if (this.isBypassGatewayLocalOnly) {
       this.token = {
         token: BYPASS_GATEWAY_LOCAL_ONLY_TOKEN,
@@ -86,6 +186,45 @@ export class SessionManager {
     }
   }
 
+  /**
+   * Check if running in an embedded environment (iframe or React Native WebView)
+   */
+  isEmbedded(): boolean {
+    return this.environment !== "standalone";
+  }
+
+  isTrustedHostMessage(event: MessageEvent): boolean {
+    if (this.environment === "react-native-webview") {
+      const origin = (event as MessageEvent & { origin?: string | null })
+        .origin;
+      return (
+        origin === "react-native" ||
+        origin === "null" ||
+        origin === "" ||
+        origin == null
+      );
+    }
+
+    return event.origin === this.parentOrigin;
+  }
+
+  postToHost(message: object): void {
+    if (this.environment === "react-native-webview") {
+      const postMessage = (window as any).ReactNativeWebView?.postMessage;
+      if (typeof postMessage !== "function") {
+        throw new Error("React Native WebView bridge is unavailable");
+      }
+
+      postMessage.call(
+        (window as any).ReactNativeWebView,
+        JSON.stringify(message),
+      );
+      return;
+    }
+
+    window.parent.postMessage(message, this.parentOrigin);
+  }
+
   private isTokenExpiringSoon(
     bufferMs: number = TOKEN_EXPIRY_BUFFER_MS,
   ): boolean {
@@ -105,19 +244,17 @@ export class SessionManager {
       };
 
       const handler = (event: MessageEvent) => {
-        // Security: reject messages from wrong origin (including null from sandboxed iframes)
-        if (event.origin !== this.parentOrigin) return;
-        // Safety: ignore malformed messages that could crash the handler
-        if (!event.data || typeof event.data !== "object") return;
-        if (
-          event.data.type === responseType &&
-          event.data.requestId === requestId
-        ) {
+        // Security: validate message origin based on environment
+        if (!this.isTrustedHostMessage(event)) return;
+        const data = parseMessagePayload(event.data);
+        if (!data) return;
+
+        if (data.type === responseType && data.requestId === requestId) {
           cleanup();
-          if (event.data.error) {
-            reject(new Error(event.data.error));
+          if (typeof data.error === "string" && data.error) {
+            reject(new Error(data.error));
           } else {
-            resolve(event.data as T);
+            resolve(data as T);
           }
         }
       };
@@ -128,7 +265,100 @@ export class SessionManager {
       }, MESSAGE_TIMEOUT_MS);
 
       window.addEventListener("message", handler);
-      window.parent.postMessage(request, this.parentOrigin);
+
+      try {
+        this.postToHost(request);
+      } catch (error) {
+        cleanup();
+        reject(
+          error instanceof Error
+            ? error
+            : new Error("Failed to post message to host"),
+        );
+      }
+    });
+  }
+
+  private setupReactNativeTokenListener(): void {
+    window.addEventListener("message", (event: MessageEvent) => {
+      if (!this.isTrustedHostMessage(event)) {
+        return;
+      }
+
+      const data = parseMessagePayload(event.data);
+      if (!data) {
+        return;
+      }
+
+      if (!isTokenUpdateMessage(data)) {
+        return;
+      }
+
+      const message = data;
+
+      if (!message.token || typeof message.token !== "string") {
+        return;
+      }
+
+      if (typeof message.appId !== "string" || message.appId !== this.appId) {
+        return;
+      }
+
+      if (
+        message.expiresAt !== undefined &&
+        typeof message.expiresAt !== "string"
+      ) {
+        return;
+      }
+
+      const payload = decodeJwtPayload(message.token);
+      if (!payload || !tokenAudienceMatchesApp(payload, this.appId)) {
+        return;
+      }
+
+      // Native controls token minting and pushes updates into the embedded app.
+      // We only consume pushed tokens in React Native WebView mode.
+      let expiresAt = Date.now() + DEFAULT_TOKEN_LIFETIME_MS;
+      if (message.expiresAt) {
+        const parsed = new Date(message.expiresAt).getTime();
+        if (!Number.isNaN(parsed)) {
+          expiresAt = parsed;
+        }
+      }
+
+      this.token = {
+        token: message.token,
+        expiresAt,
+      };
+
+      if (this.tokenWaiters.length > 0) {
+        const waiters = this.tokenWaiters;
+        this.tokenWaiters = [];
+
+        for (const waiter of waiters) {
+          clearTimeout(waiter.timeout);
+          waiter.resolve(message.token);
+        }
+      }
+    });
+  }
+
+  private waitForReactNativeTokenPush(): Promise<string> {
+    if (this.token && !this.isTokenExpiringSoon()) {
+      return Promise.resolve(this.token.token);
+    }
+
+    return new Promise((resolve, reject) => {
+      const timeout = setTimeout(() => {
+        this.tokenWaiters = this.tokenWaiters.filter(
+          (w) => w.timeout !== timeout,
+        );
+        reject(
+          new Error("Timed out waiting for token from React Native bridge"),
+        );
+      }, REACT_NATIVE_TOKEN_WAIT_TIMEOUT_MS);
+
+      this.tokenWaiters.push({ resolve, reject, timeout });
     });
   }
 
@@ -145,6 +375,16 @@ export class SessionManager {
       return this.refreshPromise;
     }
 
+    if (this.environment === "react-native-webview") {
+      this.refreshPromise = this.waitForReactNativeTokenPush();
+
+      try {
+        return await this.refreshPromise;
+      } finally {
+        this.refreshPromise = null;
+      }
+    }
+
     this.refreshPromise = (async () => {
       const requestId = crypto.randomUUID();
 
@@ -235,23 +475,18 @@ export class SessionManager {
       return null;
     }
 
-    try {
-      const parts = this.token.token.split(".");
-      if (parts.length !== 3) {
-        return null;
-      }
-
-      const payload = JSON.parse(atob(parts[1]));
-      if (!payload.sub) {
-        return null;
-      }
+    const payload = decodeJwtPayload(this.token.token);
+    if (!payload) {
+      return null;
+    }
 
-      return {
-        userId: payload.sub,
-        email: payload.email ?? "",
-      };
-    } catch {
+    if (typeof payload.sub !== "string") {
       return null;
     }
+
+    return {
+      userId: payload.sub,
+      email: typeof payload.email === "string" ? payload.email : "",
+    };
   }
 }

package/src/shared/parseMessagePayload.ts

@@ -0,0 +1,22 @@
+export type MessagePayload = Record<string, unknown>;
+
+export function parseMessagePayload(data: unknown): MessagePayload | null {
+  if (data && typeof data === "object" && !Array.isArray(data)) {
+    return data as MessagePayload;
+  }
+
+  if (typeof data !== "string") {
+    return null;
+  }
+
+  try {
+    const parsed = JSON.parse(data);
+    if (parsed && typeof parsed === "object" && !Array.isArray(parsed)) {
+      return parsed as MessagePayload;
+    }
+  } catch {
+    return null;
+  }
+
+  return null;
+}

package/src/tanstack/EmbeddedAppProvider.tsx

@@ -30,8 +30,11 @@ export function EmbeddedAppProvider({
 
   if (!sessionManager) return null;
 
-  // Check if the app is running outside of the Gateway iframe (skip in demo mode)
-  if (!sessionManager.isInIframe && !sessionManager.isBypassGatewayLocalOnly) {
+  // Check if the app is running outside of the Gateway (iframe or React Native WebView)
+  if (
+    !sessionManager.isEmbedded() &&
+    !sessionManager.isBypassGatewayLocalOnly
+  ) {
     return (
       <GatewayRequiredError
         gatewayOrigin={sessionManager.parentOrigin}

package/src/tanstack/_internal/useEveryAppSession.test.ts

@@ -0,0 +1,40 @@
+import { describe, expect, it } from "vitest";
+import { shouldBootstrapSession } from "./useEveryAppSession";
+
+describe("shouldBootstrapSession", () => {
+  it("returns false for standalone apps without bypass", () => {
+    expect(
+      shouldBootstrapSession({
+        isEmbedded: () => false,
+        isBypassGatewayLocalOnly: false,
+      }),
+    ).toBe(false);
+  });
+
+  it("returns true for embedded apps", () => {
+    expect(
+      shouldBootstrapSession({
+        isEmbedded: () => true,
+        isBypassGatewayLocalOnly: false,
+      }),
+    ).toBe(true);
+  });
+
+  it("returns true for local bypass mode", () => {
+    expect(
+      shouldBootstrapSession({
+        isEmbedded: () => false,
+        isBypassGatewayLocalOnly: true,
+      }),
+    ).toBe(true);
+  });
+
+  it("does not depend on iframe detection for RN webviews", () => {
+    expect(
+      shouldBootstrapSession({
+        isEmbedded: () => true,
+        isBypassGatewayLocalOnly: false,
+      }),
+    ).toBe(true);
+  });
+});

package/src/tanstack/_internal/useEveryAppSession.tsx

@@ -9,6 +9,20 @@ interface UseEveryAppSessionParams {
   sessionManagerConfig: SessionManagerConfig;
 }
 
+type SessionBootstrapGate = Pick<
+  SessionManager,
+  "isEmbedded" | "isBypassGatewayLocalOnly"
+>;
+
+export function shouldBootstrapSession(
+  sessionManager: SessionBootstrapGate,
+): boolean {
+  // Bootstrapping should happen whenever the app is hosted by a trusted container.
+  // This intentionally keys off embedded environment semantics (iframe OR RN WebView),
+  // not iframe-only detection, so RN can initialize auth from pushed tokens.
+  return sessionManager.isEmbedded() || sessionManager.isBypassGatewayLocalOnly;
+}
+
 export function useEveryAppSession({
   sessionManagerConfig,
 }: UseEveryAppSessionParams) {
@@ -28,9 +42,8 @@ export function useEveryAppSession({
 
   useEffect(() => {
     if (!sessionManager) return;
-    // Skip token requests when not in iframe (unless in demo mode) - the app will show GatewayRequiredError instead
-    if (!sessionManager.isInIframe && !sessionManager.isBypassGatewayLocalOnly)
-      return;
+    // Skip token bootstrap when not embedded (unless in demo mode) - the app will show GatewayRequiredError instead
+    if (!shouldBootstrapSession(sessionManager)) return;
 
     const interval = setInterval(() => {
       setSessionTokenState(sessionManager.getTokenState());

package/src/tanstack/server/authenticateRequest.test.ts

@@ -444,4 +444,39 @@ describe("authenticateRequest", () => {
       expect(result).toBeNull();
     });
   });
+
+  describe("error logging", () => {
+    it("omits stack details in production logs", async () => {
+      const originalProd = import.meta.env.PROD;
+      import.meta.env.PROD = true;
+
+      const consoleErrorSpy = vi
+        .spyOn(console, "error")
+        .mockImplementation(() => undefined);
+
+      try {
+        const request = createRequest("Bearer malformed.token");
+        const result = await authenticateRequest(authConfig, request);
+
+        expect(result).toBeNull();
+        expect(consoleErrorSpy).toHaveBeenCalledTimes(1);
+
+        const [payload] = consoleErrorSpy.mock.calls[0];
+        expect(typeof payload).toBe("string");
+
+        const parsed = JSON.parse(payload as string) as {
+          stack?: string;
+          message: string;
+          issuer: string;
+          audience: string;
+        };
+        expect(parsed.message).toBe("Error verifying session token");
+        expect(parsed.issuer).toBe(authConfig.issuer);
+        expect(parsed.audience).toBe(authConfig.audience);
+        expect(parsed.stack).toBeUndefined();
+      } finally {
+        import.meta.env.PROD = originalProd;
+      }
+    });
+  });
 });

package/src/tanstack/server/authenticateRequest.ts

@@ -70,11 +70,17 @@ export async function authenticateRequest(
     const session = await verifySessionToken(token, authConfig);
     return session;
   } catch (error) {
+    const isProd = import.meta.env.PROD === true;
     console.error(
       JSON.stringify({
         message: "Error verifying session token",
         error: error instanceof Error ? error.message : String(error),
-        stack: error instanceof Error ? error.stack : undefined,
+        stack:
+          isProd === true
+            ? undefined
+            : error instanceof Error
+              ? error.stack
+              : undefined,
         errorType: error instanceof Error ? error.constructor.name : "Unknown",
         issuer: authConfig.issuer,
         audience: authConfig.audience,

package/src/tanstack/useEveryAppRouter.tsx

@@ -1,6 +1,7 @@
 import { useEffect } from "react";
 import { SessionManager } from "../core/sessionManager.js";
 import { useRouter } from "@tanstack/react-router";
+import { parseMessagePayload } from "../shared/parseMessagePayload.js";
 
 interface UseEveryAppRouterParams {
   sessionManager: SessionManager | null;
@@ -11,15 +12,20 @@ export function useEveryAppRouter({ sessionManager }: UseEveryAppRouterParams) {
   // Route synchronization effect
   useEffect(() => {
     if (!sessionManager) return;
+
     // Listen for route sync messages from parent
     const handleMessage = (event: MessageEvent) => {
-      if (event.origin !== sessionManager.parentOrigin) return;
+      // Validate origin based on environment
+      if (!sessionManager.isTrustedHostMessage(event)) return;
+
+      const data = parseMessagePayload(event.data);
+      if (!data) return;
 
       if (
-        event.data.type === "ROUTE_CHANGE" &&
-        event.data.direction === "parent-to-child"
+        data.type === "ROUTE_CHANGE" &&
+        data.direction === "parent-to-child"
       ) {
-        const targetRoute = event.data.route;
+        const targetRoute = typeof data.route === "string" ? data.route : null;
         const currentRoute = window.location.pathname;
 
         // Only navigate if the route is different from current location
@@ -44,16 +50,17 @@ export function useEveryAppRouter({ sessionManager }: UseEveryAppRouterParams) {
 
       lastReportedPath = currentPath;
 
-      if (window.parent !== window) {
-        window.parent.postMessage(
-          {
-            type: "ROUTE_CHANGE",
-            route: currentPath,
-            appId: sessionManager.appId,
-            direction: "child-to-parent",
-          },
-          sessionManager.parentOrigin,
-        );
+      const message = {
+        type: "ROUTE_CHANGE",
+        route: currentPath,
+        appId: sessionManager.appId,
+        direction: "child-to-parent",
+      };
+
+      try {
+        sessionManager.postToHost(message);
+      } catch {
+        return;
       }
     };
     // Listen to popstate for browser back/forward