@iqauth/sdk 2.6.4 → 2.8.1

package/dist/express.mjs

@@ -1,27 +1,32 @@
 import {
-  handleCallback,
-  handleRefresh,
-  handleSignout
-} from "./chunk-6TDJJER7.mjs";
+  sanitizeReturnTo
+} from "./chunk-JRDVUWAL.mjs";
 import {
   DEFAULT_REFRESH_COOKIE,
   iqAuthMiddleware
-} from "./chunk-BVV54LPI.mjs";
+} from "./chunk-25SSYDIP.mjs";
+import {
+  handleCallback,
+  handleRefresh,
+  handleSignout,
+  handleUserinfo
+} from "./chunk-WSH4SW7F.mjs";
 import {
   assertPublishableKey
-} from "./chunk-WQWBJSSS.mjs";
+} from "./chunk-HVHNYPDC.mjs";
 import {
   IQAuthClient
-} from "./chunk-W3F4JYGP.mjs";
-import "./chunk-UNYDG2L4.mjs";
+} from "./chunk-ZLJPABB7.mjs";
+import "./chunk-NUO2I65G.mjs";
 import {
   ErrorCodes,
   IQAuthError
-} from "./chunk-6I6RM4MN.mjs";
+} from "./chunk-6PJRLRB4.mjs";
 import "./chunk-Y6FXYEAI.mjs";
 
 // src/express.ts
 var PKCE_COOKIE = "iqauth_pkce";
+var IDEMPOTENCY_HEADER = "x-iqauth-idempotency";
 function escapeHtml(s) {
   return s.replace(/[&<>"']/g, (c) => {
     switch (c) {
@@ -95,6 +100,17 @@ function defaultBrandedSpinner(args) {
 }
 function applyHandlerResponse(res, hr) {
   for (const c of hr.cookies) {
+    if (c.clear && typeof res.clearCookie === "function") {
+      const opts = {
+        httpOnly: c.httpOnly,
+        secure: c.secure,
+        sameSite: c.sameSite,
+        path: c.path
+      };
+      if (c.domain) opts.domain = c.domain;
+      res.clearCookie(c.name, opts);
+      continue;
+    }
     if (typeof res.cookie === "function") {
       const opts = {
         httpOnly: c.httpOnly,
@@ -104,11 +120,13 @@ function applyHandlerResponse(res, hr) {
         maxAge: c.maxAge * 1e3
       };
       if (c.domain) opts.domain = c.domain;
+      if (c.clear) opts.expires = /* @__PURE__ */ new Date(0);
       res.cookie(c.name, c.value, opts);
     } else {
       const existing = res.getHeader?.("Set-Cookie") || [];
       const list = Array.isArray(existing) ? existing : [existing];
       const parts = [`${c.name}=${encodeURIComponent(c.value)}`, `Path=${c.path}`, `Max-Age=${c.maxAge}`, `SameSite=${c.sameSite}`];
+      if (c.clear) parts.push("Expires=Thu, 01 Jan 1970 00:00:00 GMT");
       if (c.secure) parts.push("Secure");
       if (c.httpOnly) parts.push("HttpOnly");
       if (c.domain) parts.push(`Domain=${c.domain}`);
@@ -121,6 +139,11 @@ function applyHandlerResponse(res, hr) {
 function readBody(req) {
   return req.body && typeof req.body === "object" ? req.body : {};
 }
+function requestOriginOf(req) {
+  const proto = req.headers?.["x-forwarded-proto"]?.split(",")[0]?.trim() || (typeof req.protocol === "string" ? req.protocol : void 0) || "https";
+  const host = req.headers?.["x-forwarded-host"]?.split(",")[0]?.trim() || req.headers?.host || "";
+  return host ? `${proto}://${host}` : "";
+}
 function readCookieFromReq(req, name) {
   if (req.cookies && typeof req.cookies[name] === "string") return req.cookies[name];
   const header = req.headers?.cookie;
@@ -159,12 +182,19 @@ function iqAuth(options) {
   const inline = options.inlineCallback === true ? {} : options.inlineCallback && typeof options.inlineCallback === "object" ? options.inlineCallback : null;
   const inlineBranded = inline?.branded === true ? {} : inline?.branded && typeof inline.branded === "object" ? inline.branded : null;
   const attachHelpers = (app) => {
+    void client.prewarm();
     app.post(`${mount}/callback`, async (req, res) => {
       const body = readBody(req);
       const hr = await handleCallback(helperConfig, {
         code: body.code,
         codeVerifier: body.codeVerifier,
-        redirectUri: body.redirectUri
+        redirectUri: body.redirectUri,
+        // M-2: bind the callback to this browser. `state` is echoed back by the
+        // OAuth redirect (body); `expectedState` is the value the SDK published
+        // in a first-party cookie before redirect. handleCallback fails closed
+        // on mismatch/missing when requireOAuthState (default) is on.
+        state: body.state,
+        expectedState: readCookieFromReq(req, helperConfig.stateCookieName ?? "iqauth_state")
       });
       applyHandlerResponse(res, hr);
     });
@@ -213,21 +243,19 @@ function iqAuth(options) {
         });
         app.post(exchangePath, async (req, res) => {
           const body = readBody(req);
-          const stateFromBody = body.state || void 0;
-          const stateFromCookie = readCookieFromReq(req, stateCookie);
-          if (stateFromCookie && stateFromBody !== stateFromCookie) {
-            clearCookie(res, stateCookie);
-            res.status(400);
-            return res.json ? res.json({ success: false, error: { code: "STATE_MISMATCH", message: "OAuth state mismatch" } }) : res.end?.(JSON.stringify({ success: false, error: { code: "STATE_MISMATCH", message: "OAuth state mismatch" } }));
-          }
           const hr = await handleCallback(helperConfig, {
             code: body.code,
             codeVerifier: body.codeVerifier || readCookieFromReq(req, PKCE_COOKIE) || "",
-            redirectUri: body.redirectUri
+            redirectUri: body.redirectUri,
+            state: body.state,
+            expectedState: readCookieFromReq(req, stateCookie)
           });
           clearCookie(res, stateCookie);
           clearCookie(res, PKCE_COOKIE);
-          const returnTo = readCookieFromReq(req, returnToCookie) || hr.body?.returnTo || "/";
+          const returnTo = sanitizeReturnTo(
+            readCookieFromReq(req, returnToCookie) || hr.body?.returnTo,
+            { currentOrigin: requestOriginOf(req), fallback: "/" }
+          );
           if (hr.status < 400) clearCookie(res, returnToCookie);
           const enriched = {
             ...hr,
@@ -246,21 +274,17 @@ function iqAuth(options) {
               else res.end?.("Missing authorization code");
             });
           }
-          const stateFromQuery = q.state;
-          const stateFromCookie = readCookieFromReq(req, stateCookie);
-          if (stateFromCookie && stateFromQuery !== stateFromCookie) {
-            clearCookie(res, stateCookie);
-            return failPlain(res, "state_mismatch", () => {
-              res.status(400);
-              if (res.json) res.json({ success: false, error: { code: "STATE_MISMATCH", message: "OAuth state mismatch" } });
-              else res.end?.("OAuth state mismatch");
-            });
-          }
           const codeVerifier = readCookieFromReq(req, PKCE_COOKIE) || "";
           const proto = req.headers?.["x-forwarded-proto"] || req.protocol || "https";
           const host = req.headers?.["x-forwarded-host"] || req.headers?.host || "";
           const redirectUri = `${proto}://${host}${callbackPath}`;
-          const hr = await handleCallback(helperConfig, { code, codeVerifier, redirectUri });
+          const hr = await handleCallback(helperConfig, {
+            code,
+            codeVerifier,
+            redirectUri,
+            state: q.state,
+            expectedState: readCookieFromReq(req, stateCookie)
+          });
           for (const c of hr.cookies) {
             if (typeof res.cookie === "function") {
               const opts = {
@@ -277,14 +301,18 @@ function iqAuth(options) {
           clearCookie(res, stateCookie);
           clearCookie(res, PKCE_COOKIE);
           if (hr.status >= 400) {
-            const code2 = hr.body?.error?.code || "exchange_failed";
+            const rawCode = hr.body?.error?.code || "exchange_failed";
+            const code2 = rawCode === "STATE_MISMATCH" ? "state_mismatch" : rawCode;
             return failPlain(res, code2, () => {
               res.status(hr.status);
               if (res.json) res.json(hr.body);
               else res.end?.(JSON.stringify(hr.body));
             });
           }
-          const returnTo = readCookieFromReq(req, returnToCookie) || hr.body?.returnTo || "/";
+          const returnTo = sanitizeReturnTo(
+            readCookieFromReq(req, returnToCookie) || hr.body?.returnTo,
+            { currentOrigin: requestOriginOf(req), fallback: "/" }
+          );
           clearCookie(res, returnToCookie);
           if (typeof res.redirect === "function") return res.redirect(302, returnTo);
           res.status(302);
@@ -296,13 +324,23 @@ function iqAuth(options) {
     app.post(`${mount}/refresh`, async (req, res) => {
       const body = readBody(req);
       const refreshToken = body.refreshToken || readCookieFromReq(req, refreshCookie);
-      const hr = await handleRefresh(helperConfig, { refreshToken });
+      const idempotencyToken = req.headers?.[IDEMPOTENCY_HEADER] || body.idempotencyToken;
+      const hr = await handleRefresh(helperConfig, { refreshToken, idempotencyToken });
       applyHandlerResponse(res, hr);
     });
+    if (options.mountUserinfo && typeof app.get === "function") {
+      app.get(`${mount}/me`, async (req, res) => {
+        const accessToken = req.headers?.authorization?.replace(/^Bearer /i, "") || readCookieFromReq(req, accessCookie);
+        const hr = await handleUserinfo(helperConfig, { accessToken, req });
+        applyHandlerResponse(res, hr);
+      });
+    }
     app.post(`${mount}/signout`, async (req, res) => {
       const accessToken = req.headers?.authorization?.replace(/^Bearer /i, "") || readCookieFromReq(req, accessCookie);
+      const refreshToken = readCookieFromReq(req, refreshCookie);
       const ssoCookieHeader = req.headers?.cookie;
-      const hr = await handleSignout(helperConfig, { accessToken, ssoCookieHeader });
+      const idempotencyToken = req.headers?.[IDEMPOTENCY_HEADER];
+      const hr = await handleSignout(helperConfig, { accessToken, refreshToken, idempotencyToken, ssoCookieHeader });
       applyHandlerResponse(res, hr);
     });
   };
@@ -310,6 +348,7 @@ function iqAuth(options) {
   composed.middleware = middleware;
   composed.attachHelpers = attachHelpers;
   composed.client = client;
+  composed.prewarm = () => client.prewarm();
   return composed;
 }
 export {

package/dist/fastify.d.mts

@@ -1,4 +1,6 @@
 import { IQAuthHelperConfig } from './server/handlers.mjs';
+import './tokens-B06VtvUi.mjs';
+import './types-Bn8O-OEd.mjs';
 
 /**
  * @iqauth/sdk/fastify — Fastify adapter.
@@ -15,6 +17,14 @@ import { IQAuthHelperConfig } from './server/handlers.mjs';
 interface IQAuthFastifyOptions extends IQAuthHelperConfig {
     mountPath?: string;
     mountHelperRoutes?: boolean;
+    /**
+     * Cookie name the browser SDK publishes the post-login destination into
+     * before redirect. The callback handler reads it, surfaces it as `returnTo`
+     * in the JSON response body after a successful exchange, and clears it on
+     * success. Mirrors the express inline-callback adapter. Defaults to
+     * `iqauth_return_to`.
+     */
+    returnToCookieName?: string;
     /** Routes that bypass verification (e.g. health checks). */
     publicPaths?: string[] | ((path: string) => boolean);
     /** Override token verification options (issuer / audience / clock tolerance). */

package/dist/fastify.d.ts

@@ -1,4 +1,6 @@
 import { IQAuthHelperConfig } from './server/handlers.js';
+import './tokens-9F6ETrzk.js';
+import './types-Bn8O-OEd.js';
 
 /**
  * @iqauth/sdk/fastify — Fastify adapter.
@@ -15,6 +17,14 @@ import { IQAuthHelperConfig } from './server/handlers.js';
 interface IQAuthFastifyOptions extends IQAuthHelperConfig {
     mountPath?: string;
     mountHelperRoutes?: boolean;
+    /**
+     * Cookie name the browser SDK publishes the post-login destination into
+     * before redirect. The callback handler reads it, surfaces it as `returnTo`
+     * in the JSON response body after a successful exchange, and clears it on
+     * success. Mirrors the express inline-callback adapter. Defaults to
+     * `iqauth_return_to`.
+     */
+    returnToCookieName?: string;
     /** Routes that bypass verification (e.g. health checks). */
     publicPaths?: string[] | ((path: string) => boolean);
     /** Override token verification options (issuer / audience / clock tolerance). */