@iqauth/sdk 2.6.1 → 2.6.2

package/README.md

@@ -17,6 +17,7 @@ The canonical TypeScript SDK for **IQAuthService** — DispositionIQ's multi-ten
 - [Install](#install)
 - [Five-line integration](#five-line-integration)
 - [Pick your environment](#pick-your-environment)
+- [What's new in 2.6.2](#whats-new-in-262)
 - [What's new in 2.6.1](#whats-new-in-261)
 - [What's new in 2.0.3](#whats-new-in-203)
 - [Browser apps with a backend (recommended)](#browser-apps-with-a-backend-recommended)
@@ -173,6 +174,25 @@ The SDK is not "one auth model for every environment". The safe pattern depends
 
 ---
 
+## What's new in 2.6.2
+
+### Card grows responsively on desktop (no more phone-sized form)
+
+`.iqauth-sdk-card` used to cap at `max-width: 460px` at every viewport,
+which meant a desktop user staring at a 1440px monitor saw a thin mobile
+column floating inside a 720px-wide pane. The cap is now responsive:
+
+- mobile (default): **480px**
+- tablet / desktop (`@container ≥ 768px`): **540px**
+- extra-wide (`@container ≥ 1280px`): **580px**
+
+Inner header/body padding and the title size also bump up at the desktop
+breakpoint so the form actually fills its half of the split layout. No
+opt-in required — the change applies to every consumer of `<SignIn/>` and
+`<SignUp/>` after upgrading.
+
+---
+
 ## What's new in 2.6.1
 
 ### 1. Silent SSO is now opt-in (default off)
@@ -604,6 +624,54 @@ Common codes you'll handle:
 | Cross-origin call to a sister IQAuth-protected app gets CORS-blocked | Add the caller's origin to the target app's `app_allowed_origins`. Allow up to 60s for the cache to refresh. |
 | `req.auth` is undefined under Passport | Verify you're reading `req.auth`, not `req.user`. The SDK deliberately uses `req.auth` to avoid Passport collision. |
 | Hosted sign-in page won't accept your `return_to` | The origin isn't in this app's allowlist. Add it in the admin dashboard. |
+| Server logs `[AUTH-MW] Missing auth credentials` on `GET /api/v1/auth/me` at app boot — **once**, immediately followed by a successful `[OIDC] SSO resume issued code` AND the next `/auth/me` returns 200 | **Benign.** SDK's `bootstrap()` probe. See ["Why does the server log `Missing auth credentials` at startup?"](#why-does-the-server-log-missing-auth-credentials-at-startup) below. |
+| `[AUTH-MW] Missing auth credentials` repeats in a **loop** (warn → resume → token → warn → resume → token …), user can't actually finish login | **NOT benign.** The SDK's callback handler on YOUR app's domain isn't completing the token exchange, so no cookie ever gets set. See ["When the bootstrap loop never ends"](#when-the-bootstrap-loop-never-ends) below — almost always a middleware-ordering bug on the consumer app. |
+| Same `Missing auth credentials` warning on `/api/v1/auth/me` but **no** subsequent `SSO resume issued code` or `/oidc/token` for the same user within ~1s | Real problem — your fetch is dropping cookies. Check `credentials: "include"`, CORS `Access-Control-Allow-Credentials: true`, `SameSite`/`COOKIE_DOMAIN`. |
+
+### Why does the server log `Missing auth credentials` at startup?
+
+When `<IQAuthProvider>` mounts, the SDK's `bootstrap()` runs `GET /api/v1/auth/me` once to ask the issuer "do I already have a session on this app?" That call is *defined* to be anonymous when the user has never signed in here yet — there is no `iqauth_at` cookie scoped to your origin yet to send.
+
+So the very first request you'll see for a returning user is:
+
+```
+WARN  [AUTH-MW] Missing auth credentials  GET /api/v1/auth/me  origin=https://your-app.com
+INFO  [OIDC]    SSO resume issued code     userId=…  clientId=iq_…
+INFO  [AuthMetrics] /oidc/token latency
+```
+
+That sequence is the **happy path** for silent SSO: probe → no session here → resume from the issuer's `iq_sso` cookie → exchange code for tokens → cookie now set on your origin → subsequent requests succeed against the cookie. The warning was misleading log severity for a defined-anonymous endpoint, and as of the next IQAuth server release the bootstrap probe on `/auth/me` and `/auth/refresh` is logged at **`debug`** rather than `warn`. Other routes still log at `warn` — so seeing this message on, say, `GET /api/v1/users` remains a real signal that cookies aren't traveling.
+
+**If you're on an older IQAuth server and want to silence the noise without an upgrade,** add a server-side log filter on the `[AUTH-MW] Missing auth credentials` line where `route` matches `/api/v1/auth/(me|refresh)`. Don't blanket-mute the message — you'll lose visibility on real CORS/cookie failures.
+
+### When the bootstrap loop never ends
+
+If you see `Missing auth credentials` → `SSO resume issued code` → `/oidc/token` happen **on repeat** and the user never actually gets signed in, the issuer side is doing its job perfectly — the failure is on **your** server. The SDK's callback helper at `/api/iqauth/callback` is responsible for taking the `?code=` from the OAuth redirect, POSTing it to `/oidc/token`, and setting the `iqauth_at` cookie on your app's domain. If that handler doesn't run (or returns an error), no cookie ever gets set and the SDK's next bootstrap probe is anonymous again — forever.
+
+The single most common cause: **your own auth middleware is intercepting `/api/iqauth/callback` before `attachHelpers()` can handle it.** The OAuth return trip is a fresh GET from the issuer with no `Authorization` header (correctly so — that's the whole point of the callback), so an `app.use(requireAuth)` mounted globally will reject it as 401.
+
+Confirm with these signals — if you see *any* of them, this is your bug:
+
+- Browser: `GET https://your-app.com/api/iqauth/callback?code=…` returns **401** (or any 4xx other than 302)
+- Browser DevTools → Application → Cookies for your app's domain: **no `iqauth_at` cookie present** after a sign-in attempt
+- Your app's server log shows your **own** auth middleware rejecting `path=/iqauth/callback` or `/api/iqauth/callback` with "missing authorization header"
+
+**Fix — pick one:**
+
+```ts
+// ✅ Option 1 (recommended) — mount SDK helpers BEFORE your auth middleware.
+const auth = iqAuth({ publishableKey, secretKey });
+auth.attachHelpers(app);          // public: /api/iqauth/{callback,refresh,signout}
+app.use(yourAuthMiddleware);      // anything below here requires a session
+
+// ✅ Option 2 — exempt /api/iqauth/* from your own auth gate.
+app.use((req, res, next) => {
+  if (req.path.startsWith("/api/iqauth/")) return next();
+  return yourAuthMiddleware(req, res, next);
+});
+```
+
+After the fix you should see `/api/iqauth/callback` return **302**, a `Set-Cookie: iqauth_at=…` header on the response, the cookie appearing under your app's domain in DevTools, and the next `/api/v1/auth/me` returning 200. The `Missing auth credentials` warning drops to the one harmless boot probe per fresh visitor.
 
 ---
 

package/dist/react.js

@@ -2432,7 +2432,7 @@ var SHELL_CSS = `
   box-sizing: border-box;
 }
 .iqauth-sdk-card {
-  width: 100%; max-width: 460px;
+  width: 100%; max-width: 480px;
   background: var(--brand-surface, #ffffff);
   border: 1px solid rgba(15,23,42,0.08);
   border-radius: var(--brand-radius, 16px);
@@ -2479,6 +2479,13 @@ var SHELL_CSS = `
   /* 2.6.1 \u2014 Restore 100vh ONLY for the wide side-by-side layout where
      hero+pane need height parity. Embedded narrow uses keep natural height. */
   .iqauth-sdk-pane { padding: 48px 24px; min-height: 100vh; }
+  /* 2.6.2 \u2014 Let the card breathe on desktop. The 480px mobile cap looks
+     phone-sized on a 720px+ pane; bump to 540px and grow the inner padding
+     so the form fills its half of the split layout. */
+  .iqauth-sdk-card { max-width: 540px; }
+  .iqauth-sdk-card-header { padding: 40px 44px 0; }
+  .iqauth-sdk-card-body { padding: 32px 44px 32px; }
+  .iqauth-sdk-card-header h1 { font-size: 26px; }
   .iqauth-sdk-hero {
     display: flex; flex-direction: column; justify-content: space-between;
     padding: clamp(32px, 4vw, 56px); color: #ffffff;
@@ -2500,6 +2507,9 @@ var SHELL_CSS = `
 }
 @container iqauth-sdk (min-width: 1280px) {
   .iqauth-sdk-shell:not([data-layout="centered_card"]):not([data-layout="full_bleed"]) { grid-template-columns: minmax(0, 5fr) minmax(0, 6fr); }
+  /* 2.6.2 \u2014 Extra-wide screens: card grows once more so the form keeps
+     pace with the hero pane on 1440px+ monitors. */
+  .iqauth-sdk-card { max-width: 580px; }
 }
 `;
 var sdkShellStylesInjected = false;

package/dist/react.mjs

@@ -687,7 +687,7 @@ var SHELL_CSS = `
   box-sizing: border-box;
 }
 .iqauth-sdk-card {
-  width: 100%; max-width: 460px;
+  width: 100%; max-width: 480px;
   background: var(--brand-surface, #ffffff);
   border: 1px solid rgba(15,23,42,0.08);
   border-radius: var(--brand-radius, 16px);
@@ -734,6 +734,13 @@ var SHELL_CSS = `
   /* 2.6.1 \u2014 Restore 100vh ONLY for the wide side-by-side layout where
      hero+pane need height parity. Embedded narrow uses keep natural height. */
   .iqauth-sdk-pane { padding: 48px 24px; min-height: 100vh; }
+  /* 2.6.2 \u2014 Let the card breathe on desktop. The 480px mobile cap looks
+     phone-sized on a 720px+ pane; bump to 540px and grow the inner padding
+     so the form fills its half of the split layout. */
+  .iqauth-sdk-card { max-width: 540px; }
+  .iqauth-sdk-card-header { padding: 40px 44px 0; }
+  .iqauth-sdk-card-body { padding: 32px 44px 32px; }
+  .iqauth-sdk-card-header h1 { font-size: 26px; }
   .iqauth-sdk-hero {
     display: flex; flex-direction: column; justify-content: space-between;
     padding: clamp(32px, 4vw, 56px); color: #ffffff;
@@ -755,6 +762,9 @@ var SHELL_CSS = `
 }
 @container iqauth-sdk (min-width: 1280px) {
   .iqauth-sdk-shell:not([data-layout="centered_card"]):not([data-layout="full_bleed"]) { grid-template-columns: minmax(0, 5fr) minmax(0, 6fr); }
+  /* 2.6.2 \u2014 Extra-wide screens: card grows once more so the form keeps
+     pace with the hero pane on 1440px+ monitors. */
+  .iqauth-sdk-card { max-width: 580px; }
 }
 `;
 var sdkShellStylesInjected = false;

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@iqauth/sdk",
-  "version": "2.6.1",
+  "version": "2.6.2",
   "description": "TypeScript SDK for IQAuth — the canonical way for all IQ projects to integrate with IQAuthService",
   "main": "dist/index.js",
   "module": "dist/index.mjs",