@mostajs/auth-lite 0.2.0 → 0.3.0

package/dist/index.d.ts

@@ -27,4 +27,13 @@ export interface AuthLiteConfig {
     loginErrorPath?: string;
     /** Redirect on signup error (default "/signup?error=<kind>"). */
     signupErrorPath?: (kind: 'invalid' | 'exists') => string;
+    /**
+     * Embedding in a **cross-site iframe** (ex. CodeSandbox preview `*.csb.app`) :
+     * un cookie `sameSite:'lax'` n'est PAS renvoyé → session perdue. Mettre `true`
+     * pour utiliser `sameSite:'none'; secure:true` **quand la requête est en
+     * https** (détecté via `x-forwarded-proto`), et retomber sur `lax` en http
+     * (localhost dev). Défaut `false` (lax). ⚠️ `none` réduit la protection CSRF —
+     * à n'activer que pour des previews embarquées, pas pour une vraie prod hors-iframe.
+     */
+    crossSiteCookie?: boolean;
 }

package/dist/next.js

@@ -38,12 +38,35 @@ export function createAuthHandlers(config) {
     const afterLogout = config.afterLogout ?? '/';
     const loginError = config.loginErrorPath ?? '/login?error=invalid';
     const signupError = config.signupErrorPath ?? ((k) => `/signup?error=${k}`);
-    async function openSession(sessions, userId) {
+    const crossSite = config.crossSiteCookie ?? false;
+    /** La requête arrive-t-elle en https (proxy forwarde `x-forwarded-proto`, ou URL https) ? */
+    function isHttps(req) {
+        if (req.headers.get('x-forwarded-proto') === 'https')
+            return true;
+        try {
+            return new URL(req.url).protocol === 'https:';
+        }
+        catch {
+            return false;
+        }
+    }
+    /**
+     * Attributs du cookie de session. `crossSiteCookie` + https → `sameSite:'none'`
+     * + `secure` (cookie renvoyé en iframe cross-site, ex. CodeSandbox). Sinon
+     * `sameSite:'lax'` (et pas de `secure`, pour que localhost http garde la session).
+     */
+    function cookieOpts(req, expires) {
+        if (crossSite && isHttps(req)) {
+            return { httpOnly: true, sameSite: 'none', secure: true, path: '/', expires };
+        }
+        return { httpOnly: true, sameSite: 'lax', path: '/', expires };
+    }
+    async function openSession(req, sessions, userId) {
         const token = randomBytes(32).toString('hex');
         const expiresAt = new Date(Date.now() + ttlMs);
         await sessions.create({ token, user: userId, expiresAt });
         const res = see(afterAuth);
-        res.cookies.set(cookie, token, { httpOnly: true, sameSite: 'lax', path: '/', expires: expiresAt });
+        res.cookies.set(cookie, token, cookieOpts(req, expiresAt));
         return res;
     }
     /** POST handler — verify credentials, start a session. */
@@ -56,7 +79,7 @@ export function createAuthHandlers(config) {
         if (!user || !verifyPassword(password, user.passwordHash)) {
             return see(loginError);
         }
-        return openSession(sessions, user.id);
+        return openSession(req, sessions, user.id);
     }
     /** POST handler — create the account, start a session. */
     async function signup(req) {
@@ -72,7 +95,7 @@ export function createAuthHandlers(config) {
             return see(signupError('exists'));
         }
         const user = await users.create({ email, name, passwordHash: hashPassword(password) });
-        return openSession(sessions, user.id);
+        return openSession(req, sessions, user.id);
     }
     /** POST handler — destroy the session (DB + cookie). */
     async function logout(req) {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@mostajs/auth-lite",
-  "version": "0.2.0",
+  "version": "0.3.0",
   "description": "Minimal email/password + session auth for Next.js on @mostajs/orm. No native addon — boots in Bolt.new / StackBlitz / edge.",
   "license": "AGPL-3.0-or-later",
   "author": "Dr Hamid MADANI <drmdh@msn.com>",