@habityzer/nuxt-symfony-kinde-layer 2.1.2 → 2.1.4

package/.github/workflows/publish.yml

@@ -0,0 +1,52 @@
+name: Publish to npm
+
+on:
+  push:
+    branches:
+      - main
+      - master
+
+jobs:
+  release:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: write
+      issues: write
+      pull-requests: write
+      id-token: write
+    
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+          persist-credentials: false
+      
+      - name: Setup pnpm
+        uses: pnpm/action-setup@v4
+        with:
+          version: 9
+      
+      - name: Setup Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version: '20'
+          cache: 'pnpm'
+          registry-url: 'https://registry.npmjs.org'
+      
+      - name: Install dependencies
+        run: pnpm install --frozen-lockfile
+      
+      - name: Prepare Nuxt
+        run: pnpm nuxt prepare
+      
+      - name: Run linter
+        run: pnpm lint
+      
+      - name: Release
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
+          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
+        run: pnpm release
+

package/.releaserc.json

@@ -23,7 +23,7 @@
       "changelogFile": "CHANGELOG.md"
     }],
     ["@semantic-release/npm", {
-      "npmPublish": false
+      "npmPublish": true
     }],
     ["@semantic-release/git", {
       "assets": ["package.json", "CHANGELOG.md"],

package/CHANGELOG.md

@@ -1,3 +1,18 @@
+## [2.1.4](https://github.com/Habityzer/nuxt-symfony-kinde-layer/compare/v2.1.3...v2.1.4) (2026-01-01)
+
+
+### Bug Fixes
+
+* Add Nuxt prepare step to CI and correct ESLint config import path ([07471f5](https://github.com/Habityzer/nuxt-symfony-kinde-layer/commit/07471f5234e1322a2ccfe5709cb8109badededda))
+* Remove invalid pnpm-workspace.yaml for single package ([7e7d6a1](https://github.com/Habityzer/nuxt-symfony-kinde-layer/commit/7e7d6a19ffd2edccfee80b944c947c364b6b2863))
+
+## [2.1.3](https://github.com/Habityzer/nuxt-symfony-kinde-layer/compare/v2.1.2...v2.1.3) (2026-01-01)
+
+
+### Bug Fixes
+
+* Update Kinde configuration to use environment variables and enhance Symfony proxy request handling ([3e0d0bd](https://github.com/Habityzer/nuxt-symfony-kinde-layer/commit/3e0d0bd09ea26a21940f0a0d16cc9aaf5a327be8))
+
 ## [2.1.2](https://github.com/Habityzer/nuxt-symfony-kinde-layer/compare/v2.1.1...v2.1.2) (2025-12-26)
 
 

package/README.md

@@ -324,3 +324,4 @@ MIT
 ## Contributing
 
 This is a private layer for Habityzer projects. For issues or improvements, contact the team.
+

package/SETUP_NPM_PUBLISH.md

@@ -0,0 +1,134 @@
+# Setting Up Automated NPM Publishing
+
+This project uses GitHub Actions with semantic-release to automatically publish to npm when you push to the `master` branch.
+
+## Setup Instructions
+
+### 1. Create NPM Access Token
+
+> **Important**: As of December 9, 2025, npm classic tokens have been permanently revoked. You must use **granular access tokens** for CI/CD workflows.
+
+**Option A: Using npm CLI (recommended):**
+```bash
+npm token create --type automation --scope @habityzer
+```
+
+**Option B: Using the web interface:**
+1. Go to [npmjs.com/settings/~/tokens](https://www.npmjs.com/settings/~/tokens) and log in
+2. Click **Generate New Token** → **Granular Access Token**
+3. Configure your token:
+   - **Token name**: `github-actions-publish` (or any descriptive name)
+   - **Expiration**: Up to 90 days (maximum for publish tokens)
+   - **Packages and scopes**: Select your package or `@habityzer` scope
+   - **Permissions**: Select **Read and write**
+   - ✅ **Enable "Bypass 2FA"** for automated workflows
+4. Click **Generate Token**
+5. Copy the token (starts with `npm_...`)
+
+> **Note**: Granular tokens for publishing expire after a maximum of 90 days. Set a reminder to regenerate the token before expiration, or consider using [OIDC trusted publishing](https://docs.npmjs.com/generating-provenance-statements) for a more secure, token-free approach.
+
+### 2. Add NPM Token to GitHub
+
+1. Go to your GitHub repository
+2. Navigate to **Settings** → **Secrets and variables** → **Actions**
+3. Click **New repository secret**
+4. Name: `NPM_TOKEN`
+5. Value: Paste your npm token from step 1
+6. Click **Add secret**
+
+### 3. Configure GitHub Actions in NPM
+
+When setting up your package on npmjs.com for automated publishing:
+
+1. Go to your package page on npmjs.com
+2. Navigate to **Settings** → **Publishing Access**
+3. Under **GitHub Actions**, you'll be asked for:
+   - **Workflow filename**: Enter `publish.yml`
+   - This tells npm which workflow file in `.github/workflows/` will publish your package
+
+### 4. How It Works
+
+The workflow (`.github/workflows/publish.yml`) will:
+
+1. **Trigger**: Automatically runs when you push to the `master` branch
+2. **Analyze**: Semantic-release reads your commit messages (following conventional commits)
+3. **Version**: Automatically bumps the version based on your commits:
+   - `feat:` → minor version (1.0.0 → 1.1.0)
+   - `fix:` → patch version (1.0.0 → 1.0.1)
+   - `BREAKING CHANGE:` → major version (1.0.0 → 2.0.0)
+4. **Changelog**: Updates `CHANGELOG.md`
+5. **Git Tag**: Creates a git tag for the new version
+6. **Publish**: Publishes to npm
+7. **Commit**: Commits the changelog and version bump back to your repo
+
+### 5. Commit Message Format
+
+Use conventional commits for automatic versioning:
+
+```bash
+# Patch release (1.0.0 → 1.0.1)
+git commit -m "fix: resolve authentication bug"
+
+# Minor release (1.0.0 → 1.1.0)
+git commit -m "feat: add new login method"
+
+# Major release (1.0.0 → 2.0.0)
+git commit -m "feat: redesign API
+
+BREAKING CHANGE: API structure has changed"
+
+# No release (documentation, etc.)
+git commit -m "docs: update README"
+git commit -m "chore: update dependencies"
+```
+
+### 6. Manual Release (Optional)
+
+If you prefer to release manually:
+
+```bash
+pnpm release
+```
+
+This runs semantic-release locally. Make sure you have:
+- `NPM_TOKEN` environment variable set
+- Committed all your changes
+- Pushed to the master branch
+
+## Troubleshooting
+
+### "No NPM_TOKEN found"
+- Make sure you've added `NPM_TOKEN` as a GitHub secret
+- Check that the secret name is exactly `NPM_TOKEN` (case-sensitive)
+
+### "No release published"
+- Check your commit messages follow conventional commits format
+- Semantic-release only publishes if there are releasable commits
+- View the GitHub Actions logs for details
+
+### "Permission denied" or "Invalid npm token"
+- Ensure you're using a **granular access token** (not classic token)
+- Check that the token has **Read and write** permissions
+- Ensure **"Bypass 2FA"** is enabled for CI/CD workflows
+- Check that your npm account has publish access to the `@habityzer` scope
+- Verify the token hasn't expired (granular tokens expire after max 90 days)
+
+### "Package already published"
+- Semantic-release automatically handles versions
+- If you manually published the same version, semantic-release will skip it
+
+## Current Configuration
+
+- **Branch**: `master` (configured in `.releaserc.json`)
+- **Package**: `@habityzer/nuxt-symfony-kinde-layer`
+- **Workflow**: `.github/workflows/publish.yml`
+- **NPM Publish**: Enabled (set in `.releaserc.json`)
+
+## Additional Resources
+
+- [npm Granular Access Tokens Documentation](https://docs.npmjs.com/about-access-tokens#granular-access-tokens)
+- [GitHub Blog: npm Classic Tokens Revoked (Dec 2025)](https://github.blog/changelog/2025-12-09-npm-classic-tokens-revoked-session-based-auth-and-cli-token-management-now-available/)
+- [Semantic Release Documentation](https://semantic-release.gitbook.io/)
+- [Conventional Commits](https://www.conventionalcommits.org/)
+- [OIDC Trusted Publishing for npm](https://docs.npmjs.com/generating-provenance-statements)
+

package/eslint.config.mjs

@@ -1,5 +1,5 @@
 // @ts-check
-import withNuxt from './node_modules/.cache/nuxt/.nuxt/eslint.config.mjs'
+import withNuxt from './.nuxt/eslint.config.mjs'
 
 export default withNuxt(
   // Your custom configs here

package/nuxt.config.ts

@@ -48,11 +48,11 @@ export default defineNuxtConfig({
 
   // Default Kinde configuration (projects MUST override with their credentials)
   kindeAuth: {
-    authDomain: '', // Project must provide
-    clientId: '', // Project must provide
-    clientSecret: '', // Project must provide
-    redirectURL: '', // Project must provide
-    logoutRedirectURL: '', // Project must provide
+    authDomain: process.env.KINDE_AUTH_DOMAIN || 'https://dummy.kinde.com', // Project must provide, dummy for build
+    clientId: process.env.KINDE_CLIENT_ID || 'dummy-client-id', // Project must provide, dummy for build
+    clientSecret: process.env.KINDE_CLIENT_SECRET || 'dummy-secret', // Project must provide, dummy for build
+    redirectURL: process.env.KINDE_REDIRECT_URL || 'http://localhost:3000/api/auth/kinde_callback', // Project must provide, dummy for build
+    logoutRedirectURL: process.env.KINDE_LOGOUT_REDIRECT_URL || 'http://localhost:3000', // Project must provide, dummy for build
     postLoginRedirectURL: '/dashboard', // Default, can be overridden
     cookie: {
       prefix: 'app_', // Projects MUST override this

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@habityzer/nuxt-symfony-kinde-layer",
-  "version": "2.1.2",
+  "version": "2.1.4",
   "description": "Shared Nuxt layer for Symfony + Kinde authentication integration",
   "type": "module",
   "main": "./nuxt.config.ts",

package/server/api/symfony/[...].ts

@@ -13,95 +13,95 @@
  */
 
 // Auth constants (defined inline to avoid import issues during Nitro bundling)
-const E2E_TOKEN_COOKIE_NAME = "kinde_token";
-const APP_TOKEN_PREFIX = "app_";
-const KINDE_ID_TOKEN_COOKIE_NAME = "id_token";
+const E2E_TOKEN_COOKIE_NAME = 'kinde_token'
+const APP_TOKEN_PREFIX = 'app_'
+const KINDE_ID_TOKEN_COOKIE_NAME = 'id_token'
 
 export default defineEventHandler(async (event) => {
-  const config = useRuntimeConfig();
+  const config = useRuntimeConfig()
 
   // Get the path (remove /api/symfony prefix)
-  let path =
-    event.context.params?.path || event.path.replace("/api/symfony", "");
+  let path
+    = event.context.params?.path || event.path.replace('/api/symfony', '')
 
   // Ensure path starts with / (for catch-all routes it might not)
-  if (!path.startsWith("/")) {
-    path = `/${path}`;
+  if (!path.startsWith('/')) {
+    path = `/${path}`
   }
 
   // Check if this is a public API route (no auth required)
-  const publicApiRoutes =
-    config.public.kindeAuth?.middleware?.publicApiRoutes || [];
+  const publicApiRoutes
+    = config.public.kindeAuth?.middleware?.publicApiRoutes || []
   const isPublicRoute = publicApiRoutes.some((route: string) => {
-    if (route.endsWith("/**")) {
-      const prefix = route.slice(0, -3);
-      return path.startsWith(prefix);
+    if (route.endsWith('/**')) {
+      const prefix = route.slice(0, -3)
+      return path.startsWith(prefix)
     }
-    return path === route;
-  });
+    return path === route
+  })
 
-  let token: string | undefined;
+  let token: string | undefined
 
   // Skip authentication for public routes
   if (isPublicRoute) {
-    console.log("🔓 [SYMFONY PROXY] Public route, skipping auth:", path);
+    console.log('🔓 [SYMFONY PROXY] Public route, skipping auth:', path)
     // Set token to empty to skip auth headers
-    token = "";
+    token = ''
   } else {
     // Check for E2E test token first (from cookie)
     // Only use E2E token if it's a valid app token (starts with APP_TOKEN_PREFIX)
-    const e2eToken = getCookie(event, E2E_TOKEN_COOKIE_NAME);
+    const e2eToken = getCookie(event, E2E_TOKEN_COOKIE_NAME)
     if (e2eToken && e2eToken.startsWith(APP_TOKEN_PREFIX)) {
-      token = e2eToken;
+      token = e2eToken
     } else {
       // Use Kinde authentication from the module
-      const kinde = event.context.kinde;
+      const kinde = event.context.kinde
 
       if (!kinde?.client || !kinde?.sessionManager) {
         throw createError({
           statusCode: 500,
           statusMessage:
-            "Kinde authentication not initialized. Module may not be loaded correctly.",
-        });
+            'Kinde authentication not initialized. Module may not be loaded correctly.'
+        })
       }
 
-      const { client, sessionManager } = kinde;
+      const { client, sessionManager } = kinde
 
       try {
         // Try to get access token first
-        let accessToken: string | null = null;
+        let accessToken: string | null = null
         try {
-          accessToken = await client.getToken(sessionManager);
+          accessToken = await client.getToken(sessionManager)
         } catch {
           // Silent - will try id_token fallback
         }
 
         // If access token is not available, try id_token as fallback
-        if (!accessToken || accessToken.trim() === "") {
+        if (!accessToken || accessToken.trim() === '') {
           const idToken = (await sessionManager.getSessionItem(
             KINDE_ID_TOKEN_COOKIE_NAME
-          )) as string | undefined;
+          )) as string | undefined
 
           if (idToken) {
-            token = idToken;
+            token = idToken
           }
         } else {
-          token = accessToken;
+          token = accessToken
         }
 
-        if (!token || token.trim() === "") {
+        if (!token || token.trim() === '') {
           throw createError({
             statusCode: 401,
-            statusMessage: "Unauthorized - Please log in",
-          });
+            statusMessage: 'Unauthorized - Please log in'
+          })
         }
       } catch (error) {
-        console.error("❌ [SYMFONY PROXY] Auth error:", error);
+        console.error('❌ [SYMFONY PROXY] Auth error:', error)
         throw createError({
           statusCode: 401,
           statusMessage:
-            error instanceof Error ? error.message : "Authentication failed",
-        });
+            error instanceof Error ? error.message : 'Authentication failed'
+        })
       }
     }
   }
@@ -109,53 +109,66 @@ export default defineEventHandler(async (event) => {
   if (!token && !isPublicRoute) {
     throw createError({
       statusCode: 401,
-      statusMessage: "No authentication token available",
-    });
+      statusMessage: 'No authentication token available'
+    })
   }
 
   try {
-    // Get request method and body
-    const method = event.method;
-    const body =
-      method !== "GET" && method !== "HEAD" ? await readBody(event) : undefined;
+    // Get request method
+    const method = event.method
+
+    // Get Content-Type to determine how to handle body
+    const contentType = getHeader(event, 'content-type') || ''
+
+    let body: string | undefined
+
+    // Handle multipart/form-data specially (preserve binary data and MIME types)
+    if (contentType.includes('multipart/form-data')) {
+      // For multipart/form-data, read the raw body without parsing
+      // This preserves the boundary and binary data including MIME types
+      body = await readRawBody(event, false)
+    } else if (method !== 'GET' && method !== 'HEAD') {
+      // For other content types (JSON, etc.), read and parse the body
+      body = await readBody(event)
+    }
 
     // Get query parameters from original request
-    const query = getQuery(event);
+    const query = getQuery(event)
 
     // Prepare headers for Symfony
     // IMPORTANT: Forward Content-Type and Accept headers for proper API negotiation
-    const headers: Record<string, string> = {};
+    const headers: Record<string, string> = {}
 
     // Only add Authorization header if we have a token (not public route)
-    if (token && token !== "") {
-      headers.Authorization = `Bearer kinde_${token}`;
+    if (token && token !== '') {
+      headers.Authorization = `Bearer kinde_${token}`
     }
 
-    // Forward Content-Type header
-    const contentType = getHeader(event, "content-type");
+    // Forward Content-Type header (CRITICAL for multipart/form-data with boundary)
     if (contentType) {
-      headers["Content-Type"] = contentType;
+      headers['Content-Type'] = contentType
     }
 
     // Forward Accept header (CRITICAL for content negotiation)
     // Without this, backend returns default format instead of requested format (e.g., JSON vs Hydra)
-    const accept = getHeader(event, "accept");
+    const accept = getHeader(event, 'accept')
     if (accept) {
-      headers["Accept"] = accept;
+      headers['Accept'] = accept
     }
 
     // Log the request to backend
-    const backendUrl = `${config.apiBaseUrl}${path}`;
-    console.log("🔵 [SYMFONY PROXY] Request to backend:", {
+    const backendUrl = `${config.apiBaseUrl}${path}`
+    console.log('🔵 [SYMFONY PROXY] Request to backend:', {
       url: backendUrl,
       method,
       headers: {
         ...headers,
-        Authorization: `Bearer kinde_${token.substring(0, 10)}...`, // Only log first 10 chars of token
+        Authorization: token && token !== '' ? `Bearer kinde_${token.substring(0, 10)}...` : 'none'
       },
       query,
       hasBody: !!body,
-    });
+      isMultipart: contentType.includes('multipart/form-data')
+    })
 
     // Forward request to Symfony with Kinde token
     const response = await $fetch(path, {
@@ -163,46 +176,47 @@ export default defineEventHandler(async (event) => {
       method,
       headers,
       body,
-      retry: false, // Disable automatic retries
       query,
-    });
+      retry: false, // Disable automatic retries
+      timeout: 30000 // 30 second timeout
+    })
 
-    console.log("✅ [SYMFONY PROXY] Backend response received:", {
+    console.log('✅ [SYMFONY PROXY] Backend response received:', {
       url: backendUrl,
       method,
-      status: "success",
-    });
+      status: 'success'
+    })
 
-    return response;
+    return response
   } catch (error) {
-    console.error("❌ [SYMFONY PROXY] Symfony API error:", {
+    console.error('❌ [SYMFONY PROXY] Symfony API error:', {
       path,
       statusCode:
-        error && typeof error === "object" && "statusCode" in error
+        error && typeof error === 'object' && 'statusCode' in error
           ? error.statusCode
-          : "unknown",
-      message: error instanceof Error ? error.message : "unknown",
-    });
+          : 'unknown',
+      message: error instanceof Error ? error.message : 'unknown'
+    })
     // Handle Symfony API errors
-    const statusCode =
-      error && typeof error === "object" && "statusCode" in error
+    const statusCode
+      = error && typeof error === 'object' && 'statusCode' in error
         ? (error.statusCode as number)
-        : 500;
-    const statusMessage =
-      error && typeof error === "object" && "statusMessage" in error
+        : 500
+    const statusMessage
+      = error && typeof error === 'object' && 'statusMessage' in error
         ? (error.statusMessage as string)
         : error instanceof Error
-        ? error.message
-        : "Symfony API error";
-    const data =
-      error && typeof error === "object" && "data" in error
+          ? error.message
+          : 'Symfony API error'
+    const data
+      = error && typeof error === 'object' && 'data' in error
         ? error.data
-        : undefined;
+        : undefined
 
     throw createError({
       statusCode,
       statusMessage,
-      data,
-    });
+      data
+    })
   }
-});
+})

package/pnpm-workspace.yaml

@@ -1,5 +0,0 @@
-onlyBuiltDependencies:
-  - '@tailwindcss/oxide'
-  - sharp
-  - unrs-resolver
-  - vue-demi