@every-app/sdk 0.1.12 → 0.1.13

package/dist/cloudflare/server/gateway.js

@@ -32,6 +32,11 @@ export async function fetchGateway({ env, url, init, }) {
     return fetch(authenticatedRequest);
 }
 function applyAppTokenAuth(request, env) {
+    const gatewayOrigin = new URL(getGatewayUrl(env)).origin;
+    const requestOrigin = new URL(request.url).origin;
+    if (requestOrigin !== gatewayOrigin) {
+        throw new Error(`Refusing to send gateway token to non-gateway origin: ${requestOrigin}`);
+    }
     const appToken = getGatewayAppApiToken(env);
     if (!appToken) {
         throw new Error("GATEWAY_APP_API_TOKEN is required. Run `npx everyapp app deploy` to provision one.");

package/dist/tanstack/server/authenticateRequest.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"authenticateRequest.d.ts","sourceRoot":"","sources":["../../../src/tanstack/server/authenticateRequest.ts"],"names":[],"mappings":"AAQA,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,YAAY,CAAC;AAQ7C;;;GAGG;AACH,UAAU,mBAAmB;IAC3B,8BAA8B;IAC9B,GAAG,EAAE,MAAM,CAAC;IACZ,iCAAiC;IACjC,GAAG,EAAE,MAAM,CAAC;IACZ,6DAA6D;IAC7D,GAAG,EAAE,MAAM,CAAC;IACZ,2BAA2B;IAC3B,GAAG,EAAE,MAAM,CAAC;IACZ,0BAA0B;IAC1B,GAAG,EAAE,MAAM,CAAC;IACZ,sDAAsD;IACtD,KAAK,CAAC,EAAE,MAAM,CAAC;CAChB;AAED,wBAAsB,mBAAmB,CACvC,UAAU,EAAE,UAAU,EACtB,eAAe,CAAC,EAAE,OAAO,GACxB,OAAO,CAAC,mBAAmB,GAAG,IAAI,CAAC,CA8CrC;AAyCD;;;;;GAKG;AACH,wBAAgB,kBAAkB,CAAC,UAAU,EAAE,MAAM,GAAG,IAAI,GAAG,MAAM,GAAG,IAAI,CAK3E"}
+{"version":3,"file":"authenticateRequest.d.ts","sourceRoot":"","sources":["../../../src/tanstack/server/authenticateRequest.ts"],"names":[],"mappings":"AAQA,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,YAAY,CAAC;AAQ7C;;;GAGG;AACH,UAAU,mBAAmB;IAC3B,8BAA8B;IAC9B,GAAG,EAAE,MAAM,CAAC;IACZ,iCAAiC;IACjC,GAAG,EAAE,MAAM,CAAC;IACZ,6DAA6D;IAC7D,GAAG,EAAE,MAAM,CAAC;IACZ,2BAA2B;IAC3B,GAAG,EAAE,MAAM,CAAC;IACZ,0BAA0B;IAC1B,GAAG,EAAE,MAAM,CAAC;IACZ,sDAAsD;IACtD,KAAK,CAAC,EAAE,MAAM,CAAC;CAChB;AAED,wBAAsB,mBAAmB,CACvC,UAAU,EAAE,UAAU,EACtB,eAAe,CAAC,EAAE,OAAO,GACxB,OAAO,CAAC,mBAAmB,GAAG,IAAI,CAAC,CAoDrC;AAyCD;;;;;GAKG;AACH,wBAAgB,kBAAkB,CAAC,UAAU,EAAE,MAAM,GAAG,IAAI,GAAG,MAAM,GAAG,IAAI,CAK3E"}

package/dist/tanstack/server/authenticateRequest.js

@@ -27,10 +27,15 @@ export async function authenticateRequest(authConfig, providedRequest) {
         return session;
     }
     catch (error) {
+        const isProd = import.meta.env.PROD === true;
         console.error(JSON.stringify({
             message: "Error verifying session token",
             error: error instanceof Error ? error.message : String(error),
-            stack: error instanceof Error ? error.stack : undefined,
+            stack: isProd === true
+                ? undefined
+                : error instanceof Error
+                    ? error.stack
+                    : undefined,
             errorType: error instanceof Error ? error.constructor.name : "Unknown",
             issuer: authConfig.issuer,
             audience: authConfig.audience,

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@every-app/sdk",
-  "version": "0.1.12",
+  "version": "0.1.13",
   "license": "MIT",
   "type": "module",
   "exports": {

package/src/cloudflare/server/gateway.test.ts

@@ -56,6 +56,53 @@ describe("gateway server helpers", () => {
     );
   });
 
+  it("throws when absolute URL points to non-gateway origin", async () => {
+    const fetchMock = vi
+      .spyOn(globalThis, "fetch")
+      .mockResolvedValue(new Response("ok", { status: 200 }));
+
+    const env: TestEnv = {
+      GATEWAY_URL: "https://gateway.example.com",
+      GATEWAY_APP_API_TOKEN: "eat_test_token",
+    };
+
+    await expect(
+      fetchGateway({
+        env,
+        url: "https://evil.example.com/api/ai/openai/v1/responses",
+        init: { method: "POST" },
+      }),
+    ).rejects.toThrow(
+      "Refusing to send gateway token to non-gateway origin: https://evil.example.com",
+    );
+
+    expect(fetchMock).not.toHaveBeenCalled();
+  });
+
+  it("allows absolute URL when it matches gateway origin", async () => {
+    const fetchMock = vi
+      .spyOn(globalThis, "fetch")
+      .mockResolvedValue(new Response("ok", { status: 200 }));
+
+    const env: TestEnv = {
+      GATEWAY_URL: "https://gateway.example.com",
+      GATEWAY_APP_API_TOKEN: "eat_test_token",
+    };
+
+    await fetchGateway({
+      env,
+      url: "https://gateway.example.com/api/ai/openai/v1/responses",
+      init: { method: "POST" },
+    });
+
+    expect(fetchMock).toHaveBeenCalledTimes(1);
+    const [requestArg] = fetchMock.mock.calls[0];
+    const request = requestArg as Request;
+    expect(request.url).toBe(
+      "https://gateway.example.com/api/ai/openai/v1/responses",
+    );
+  });
+
   it("fetches via service binding when available in production", async () => {
     // Service binding is only used when import.meta.env.PROD is true
     const originalProd = import.meta.env.PROD;

package/src/cloudflare/server/gateway.ts

@@ -61,6 +61,14 @@ export async function fetchGateway({
 }
 
 function applyAppTokenAuth(request: Request, env: GatewayEnv): Request {
+  const gatewayOrigin = new URL(getGatewayUrl(env)).origin;
+  const requestOrigin = new URL(request.url).origin;
+  if (requestOrigin !== gatewayOrigin) {
+    throw new Error(
+      `Refusing to send gateway token to non-gateway origin: ${requestOrigin}`,
+    );
+  }
+
   const appToken = getGatewayAppApiToken(env);
   if (!appToken) {
     throw new Error(

package/src/tanstack/server/authenticateRequest.test.ts

@@ -444,4 +444,39 @@ describe("authenticateRequest", () => {
       expect(result).toBeNull();
     });
   });
+
+  describe("error logging", () => {
+    it("omits stack details in production logs", async () => {
+      const originalProd = import.meta.env.PROD;
+      import.meta.env.PROD = true;
+
+      const consoleErrorSpy = vi
+        .spyOn(console, "error")
+        .mockImplementation(() => undefined);
+
+      try {
+        const request = createRequest("Bearer malformed.token");
+        const result = await authenticateRequest(authConfig, request);
+
+        expect(result).toBeNull();
+        expect(consoleErrorSpy).toHaveBeenCalledTimes(1);
+
+        const [payload] = consoleErrorSpy.mock.calls[0];
+        expect(typeof payload).toBe("string");
+
+        const parsed = JSON.parse(payload as string) as {
+          stack?: string;
+          message: string;
+          issuer: string;
+          audience: string;
+        };
+        expect(parsed.message).toBe("Error verifying session token");
+        expect(parsed.issuer).toBe(authConfig.issuer);
+        expect(parsed.audience).toBe(authConfig.audience);
+        expect(parsed.stack).toBeUndefined();
+      } finally {
+        import.meta.env.PROD = originalProd;
+      }
+    });
+  });
 });

package/src/tanstack/server/authenticateRequest.ts

@@ -70,11 +70,17 @@ export async function authenticateRequest(
     const session = await verifySessionToken(token, authConfig);
     return session;
   } catch (error) {
+    const isProd = import.meta.env.PROD === true;
     console.error(
       JSON.stringify({
         message: "Error verifying session token",
         error: error instanceof Error ? error.message : String(error),
-        stack: error instanceof Error ? error.stack : undefined,
+        stack:
+          isProd === true
+            ? undefined
+            : error instanceof Error
+              ? error.stack
+              : undefined,
         errorType: error instanceof Error ? error.constructor.name : "Unknown",
         issuer: authConfig.issuer,
         audience: authConfig.audience,