@howone/sdk 0.1.9 → 0.1.11

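--- a/package/dist/index.d.mts
+++ b/package/dist/index.d.mts
@@ -366,6 +366,9 @@ declare function createClient(opts?: {
  tokenInjection?: {
  allowedOrigins?: string[];
  waitMs?: number;
+ clearUrlParamsAfterInjectionMs?: number;
+ clearAllUrlParams?: boolean;
+ sensitiveParams?: string[];
  };
  };
  requestInstance?: Request;
@@ -395,6 +398,10 @@ declare function createClient(opts?: {
  login: (redirect?: string) => void;
  logout: () => void;
  };
+ sanitizeUrl: (o?: {
+ clearAll?: boolean;
+ sensitiveParams?: string[];
+ }) => void;
  };
 
  interface LoginFormProps {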
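Review bot: The three new `tokenInjection` options and `sanitizeUrl` are declared without doc comments, and two of their behaviours cannot be guessed from the types alone. In the bundled implementation (`removeSensitiveParamsFromUrl` in `package/dist/index.js`), a non-empty `sensitiveParams` replaces the built-in list (`token`, `access_token`, `auth`, `auth_token`) rather than extending it, so a caller who passes only a custom name stops stripping the defaults. `clearUrlParamsAfterInjectionMs` falls back to 50 when unset. I would add TSDoc on each field stating this, for example `/** Replaces the default list; repeat the defaults here if they should still be stripped. */` on `sensitiveParams`. The identical hunks in `package/dist/index.d.ts` need the same comments, and the `createClient` declaration starts and ends outside these hunks.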
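--- a/package/dist/index.d.ts
+++ b/package/dist/index.d.ts
@@ -366,6 +366,9 @@ declare function createClient(opts?: {
  tokenInjection?: {
  allowedOrigins?: string[];
  waitMs?: number;
+ clearUrlParamsAfterInjectionMs?: number;
+ clearAllUrlParams?: boolean;
+ sensitiveParams?: string[];
  };
  };
  requestInstance?: Request;
@@ -395,6 +398,10 @@ declare function createClient(opts?: {
  login: (redirect?: string) => void;
  logout: () => void;
  };
+ sanitizeUrl: (o?: {
+ clearAll?: boolean;
+ sensitiveParams?: string[];
+ }) => void;
  };
 
  interface LoginFormProps {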
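--- a/package/dist/index.js
+++ b/package/dist/index.js
@@ -293,14 +293,14 @@ var FloatingButton = ({
  fontWeight: "bold",
  bottom: "28px"
  },
- children: /* @__PURE__ */ (0, import_jsx_runtime.jsxs)("div", { className: "flex items-center gap-2", children: [
+ children: /* @__PURE__ */ (0, import_jsx_runtime.jsxs)("div", { className: "flex items-center gap-2", style: { cursor: "pointer" }, children: [
  /* @__PURE__ */ (0, import_jsx_runtime.jsx)("img", { width: 20, className: "pointer-events-auto", src: "https://sxwxqoixnnklnpeutjrj.supabase.co/storage/v1/object/public/create-x/logo/logo-sm.svg", alt: "" }),
  text,
  /* @__PURE__ */ (0, import_jsx_runtime.jsx)(import_iconify.Icon, { icon: "mdi:close", onClick: (e) => {
  e.stopPropagation();
  const btn = document.getElementById("floating-howone-btn");
  if (btn) btn.style.display = "none";
- }, className: "w-5 h-5 font-bold pointer-events-auto", style: { cursor: "pointer" } })
+ }, className: "w-5 h-5 font-bold pointer-events-auto" })
  ] })
  }
  );
@@ -962,6 +962,91 @@ init_auth();
  init_config();
  init_config();
  init_auth();
+
+ // src/utils/urlSanitizer.ts
+ var DEFAULT_SENSITIVE = ["token", "access_token", "auth", "auth_token"];
+ function removeSensitiveParamsFromUrl(opts) {
+ if (typeof window === "undefined") return;
+ try {
+ const { clearAll, sensitiveParams, includeHash = true, onChanged } = opts || {};
+ const sens = (sensitiveParams && sensitiveParams.length > 0 ? sensitiveParams : DEFAULT_SENSITIVE).map((s) => s.toLowerCase());
+ const before = window.location.href;
+ const url = new URL(before);
+ if (clearAll) {
+ url.search = "";
+ } else if (url.search) {
+ let changed = false;
+ for (const [k] of url.searchParams) {
+ if (sens.includes(k.toLowerCase())) {
+ url.searchParams.delete(k);
+ changed = true;
+ }
+ }
+ if (changed) {
+ const qs = url.searchParams.toString();
+ url.search = qs ? `?${qs}` : "";
+ }
+ }
+ if (includeHash && url.hash) {
+ const raw = url.hash.slice(1);
+ if (raw.includes("=")) {
+ const hp = new URLSearchParams(raw);
+ let changed = false;
+ for (const [k] of hp) {
+ if (clearAll || sens.includes(k.toLowerCase())) {
+ hp.delete(k);
+ changed = true;
+ }
+ }
+ if (changed) {
+ const hs = hp.toString();
+ url.hash = hs ? `#${hs}` : "";
+ }
+ } else {
+ if (!clearAll && sens.some((p) => raw.toLowerCase().startsWith(p))) {
+ url.hash = "";
+ } else if (clearAll) {
+ url.hash = "";
+ }
+ }
+ }
+ const next = url.pathname + url.search + url.hash;
+ if (next !== window.location.pathname + window.location.search + window.location.hash) {
+ window.history.replaceState(window.history.state, document.title, next);
+ onChanged && onChanged(next);
+ }
+ } catch (e) {
+ console.warn("[howone][urlSanitizer] failed", e);
+ }
+ }
+ function setupClearUrlTokenListener(opts) {
+ if (typeof window === "undefined") return;
+ if (window.__howone_url_sanitize_registered) return;
+ window.__howone_url_sanitize_registered = true;
+ const allowed = opts?.allowedOrigins || [];
+ function handler(ev) {
+ try {
+ if (!ev.data || typeof ev.data !== "object") return;
+ if (ev.data.type !== "CLEAR_URL_TOKEN") return;
+ if (allowed.length > 0 && !allowed.includes(ev.origin)) return;
+ removeSensitiveParamsFromUrl({
+ clearAll: opts?.clearAll || !!ev.data.clearAll,
+ sensitiveParams: opts?.sensitiveParams
+ });
+ try {
+ ev.source?.postMessage({ type: "CLEAR_URL_TOKEN_ACK" }, ev.origin);
+ } catch {
+ }
+ } catch {
+ }
+ }
+ window.addEventListener("message", handler);
+ if (typeof opts?.autoRunMs === "number") {
+ setTimeout(() => removeSensitiveParamsFromUrl({ clearAll: opts.clearAll, sensitiveParams: opts.sensitiveParams }), opts.autoRunMs);
+ }
+ }
+
+ // src/services/index.ts
  var request = new request_default({
  baseURL: "https://create-x-backend.fly.dev/api",
  timeout: 6e4,
@@ -1034,8 +1119,24 @@ function wrapRequestWithProjectPrefix(biz, projectId) {
  return wrapped;
  }
  function createClient(opts) {
- const biz = opts?.requestInstance || request;
- const ai = opts?.aiRequestInstance || aiRequest;
+ function makeRequestFromBase(base) {
+ if (!base) return void 0;
+ return new request_default({
+ baseURL: base,
+ timeout: 6e4,
+ interceptors: {
+ requestInterceptor: (config) => {
+ config.headers = config.headers || {};
+ return config;
+ },
+ requestInterceptorCatch: (err) => Promise.reject(err),
+ responseInterceptor: (res) => res,
+ responseInterceptorCatch: (err) => Promise.reject(err)
+ }
+ });
+ }
+ const biz = opts?.requestInstance || makeRequestFromBase(opts?.baseUrl) || request;
+ const ai = opts?.aiRequestInstance || makeRequestFromBase(opts?.aiBaseUrl) || aiRequest;
  const bizWrapped = wrapRequestWithProjectPrefix(biz, opts?.projectId);
  let token = null;
  try {
@@ -1112,6 +1213,19 @@ function createClient(opts) {
  if (tokenFromPostMessage) {
  token = tokenFromPostMessage;
  applyToken(token);
+ try {
+ const cfg = opts?.auth?.tokenInjection;
+ if (cfg && typeof window !== "undefined") {
+ const delay = cfg.clearUrlParamsAfterInjectionMs ?? 50;
+ setTimeout(() => {
+ removeSensitiveParamsFromUrl({
+ clearAll: cfg.clearAllUrlParams,
+ sensitiveParams: cfg.sensitiveParams
+ });
+ }, delay);
+ }
+ } catch {
+ }
  return;
  }
  }
@@ -1119,6 +1233,14 @@ function createClient(opts) {
  try {
  if (typeof window !== "undefined") {
  void initToken();
+ if (runtimeMode === "embedded" && opts?.auth?.tokenInjection) {
+ setupClearUrlTokenListener({
+ allowedOrigins: opts.auth.tokenInjection.allowedOrigins,
+ clearAll: opts.auth.tokenInjection.clearAllUrlParams,
+ sensitiveParams: opts.auth.tokenInjection.sensitiveParams,
+ autoRunMs: void 0
+ });
+ }
  }
  } catch (_e) {
  }
@@ -1168,6 +1290,13 @@ function createClient(opts) {
  token = null;
  applyToken(null);
  }
+ },
+ sanitizeUrl: (o) => {
+ if (typeof window === "undefined") return;
+ removeSensitiveParamsFromUrl({
+ clearAll: o?.clearAll,
+ sensitiveParams: o?.sensitiveParams
+ });
  }
  };
  }
@@ -1466,7 +1595,7 @@ var AuthProvider = ({ children, autoRedirect = true, showFloatingButton = true,
  setIsLoading(false);
  if (autoRedirect && !state.user) {
  try {
- const root = getAuthRoot() || "http://localhost:3000";
+ const root = getAuthRoot();
  const authUrl = new URL("/auth", String(root));
  authUrl.searchParams.set("redirect_uri", window.location.href);
  const pid = getDefaultProjectId();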
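Review bot: In `removeSensitiveParamsFromUrl` both stripping loops delete from the collection they are iterating (`for (const [k] of url.searchParams)` and `for (const [k] of hp)`), and `URLSearchParams` iteration is live, so the entry right after a deleted one is skipped. With a URL such as `?token=a&access_token=b` the second credential would be expected to stay in the address bar. Iterating over a snapshot of the keys avoids this: `for (const k of [...url.searchParams.keys()])` and `for (const k of [...hp.keys()])`. Separately, the `CLEAR_URL_TOKEN` handler checks the sender only when an allow-list was supplied (`allowed.length > 0 && !allowed.includes(ev.origin)`), so with no `allowedOrigins` any window that can post a message may trigger the rewrite and receive the ACK. Failing closed with `if (!allowed.includes(ev.origin)) return;` (or defaulting the list to `window.location.origin`) would be safer, and the empty `catch {}` blocks around the handler and the injection timer should at least `console.warn` so a failed cleanup is visible.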