@neetru/sdk 3.1.4 → 3.1.6

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (47) hide show
  1. package/CHANGELOG.md +9 -0
  2. package/README.md +8 -4
  3. package/dist/auth.cjs +35 -9
  4. package/dist/auth.cjs.map +1 -1
  5. package/dist/auth.d.cts +1 -1
  6. package/dist/auth.d.ts +1 -1
  7. package/dist/auth.mjs +35 -9
  8. package/dist/auth.mjs.map +1 -1
  9. package/dist/catalog.d.cts +1 -1
  10. package/dist/catalog.d.ts +1 -1
  11. package/dist/checkout.d.cts +1 -1
  12. package/dist/checkout.d.ts +1 -1
  13. package/dist/db-react.d.cts +1 -1
  14. package/dist/db-react.d.ts +1 -1
  15. package/dist/db.d.cts +1 -1
  16. package/dist/db.d.ts +1 -1
  17. package/dist/entitlements.d.cts +1 -1
  18. package/dist/entitlements.d.ts +1 -1
  19. package/dist/firestore-compat.d.cts +1 -1
  20. package/dist/firestore-compat.d.ts +1 -1
  21. package/dist/index.cjs +36 -10
  22. package/dist/index.cjs.map +1 -1
  23. package/dist/index.d.cts +3 -3
  24. package/dist/index.d.ts +3 -3
  25. package/dist/index.mjs +36 -10
  26. package/dist/index.mjs.map +1 -1
  27. package/dist/mocks.cjs +26 -7
  28. package/dist/mocks.cjs.map +1 -1
  29. package/dist/mocks.d.cts +24 -7
  30. package/dist/mocks.d.ts +24 -7
  31. package/dist/mocks.mjs +26 -7
  32. package/dist/mocks.mjs.map +1 -1
  33. package/dist/notifications.d.cts +1 -1
  34. package/dist/notifications.d.ts +1 -1
  35. package/dist/react.d.cts +1 -1
  36. package/dist/react.d.ts +1 -1
  37. package/dist/support.d.cts +1 -1
  38. package/dist/support.d.ts +1 -1
  39. package/dist/telemetry.d.cts +1 -1
  40. package/dist/telemetry.d.ts +1 -1
  41. package/dist/{types-DvMdYbfV.d.cts → types-BXvGHppn.d.cts} +8 -0
  42. package/dist/{types-CRIIjqzC.d.ts → types-CQVak2a3.d.ts} +8 -0
  43. package/dist/usage.d.cts +1 -1
  44. package/dist/usage.d.ts +1 -1
  45. package/dist/webhooks.d.cts +1 -1
  46. package/dist/webhooks.d.ts +1 -1
  47. package/package.json +1 -1
package/dist/auth.d.cts CHANGED
@@ -1,4 +1,4 @@
1
- import { G as NeetruClientConfig, B as NeetruClient } from './types-DvMdYbfV.cjs';
1
+ import { G as NeetruClientConfig, B as NeetruClient } from './types-BXvGHppn.cjs';
2
2
  import 'drizzle-orm/node-postgres';
3
3
  import './errors.cjs';
4
4
 
package/dist/auth.d.ts CHANGED
@@ -1,4 +1,4 @@
1
- import { G as NeetruClientConfig, B as NeetruClient } from './types-CRIIjqzC.js';
1
+ import { G as NeetruClientConfig, B as NeetruClient } from './types-CQVak2a3.js';
2
2
  import 'drizzle-orm/node-postgres';
3
3
  import './errors.js';
4
4
 
package/dist/auth.mjs CHANGED
@@ -5467,9 +5467,19 @@ var DEV_FIXTURE_USER = Object.freeze({
5467
5467
  var MockAuth = class {
5468
5468
  _user;
5469
5469
  _listeners;
5470
- constructor(initialUser = null) {
5470
+ _allowUnsignedDecode;
5471
+ constructor(initialUser = null, options) {
5471
5472
  this._user = initialUser;
5472
5473
  this._listeners = /* @__PURE__ */ new Set();
5474
+ this._allowUnsignedDecode = options?.allowUnsignedDecode ?? false;
5475
+ if (this._allowUnsignedDecode) {
5476
+ const isTestEnv = typeof process !== "undefined" && (process.env?.NODE_ENV === "test" || process.env?.VITEST === "true" || process.env?.VITEST != null);
5477
+ if (!isTestEnv && typeof console !== "undefined") {
5478
+ console.warn(
5479
+ "[neetru-sdk] MockAuth.verifyToken est\xE1 em modo allowUnsignedDecode=true: tokens N\xC3O t\xEAm assinatura verificada. Este modo \xE9 exclusivo para testes \u2014 NUNCA use como security boundary em c\xF3digo deployado."
5480
+ );
5481
+ }
5482
+ }
5473
5483
  }
5474
5484
  async signIn(_options) {
5475
5485
  if (!this._user) this._user = { ...DEV_FIXTURE_USER };
@@ -5494,18 +5504,27 @@ var MockAuth = class {
5494
5504
  };
5495
5505
  }
5496
5506
  /**
5497
- * Mock de `verifyToken` — decodifica o JWT sem verificar assinatura (pra testes).
5498
- * Em dev, retorna o user atual do mock se já estiver logado. Aceita qualquer token
5499
- * não-vazio sem chamar rede.
5507
+ * Mock de `verifyToken` — por default lança `unauthorized` pra prevenir uso
5508
+ * acidental como security boundary em código deployado.
5509
+ *
5510
+ * Para decodificar JWTs sem verificar assinatura em testes, crie a instância
5511
+ * com `new MockAuth(user, { allowUnsignedDecode: true })`. Isso é um opt-in
5512
+ * explícito — nunca acontece silenciosamente.
5500
5513
  *
5501
- * Para simular falhas em testes, use `MockAuth.__mockVerifyToken(fn)`.
5514
+ * Para simular falhas ou resultados customizados, use `__mockVerifyToken(fn)`.
5502
5515
  */
5503
5516
  async verifyToken(token) {
5504
5517
  if (this._verifyTokenOverride) {
5505
5518
  return this._verifyTokenOverride(token);
5506
5519
  }
5507
5520
  if (!token) {
5508
- throw Object.assign(new Error("Token inv\xE1lido"), { code: "token_invalid_signature" });
5521
+ throw new NeetruError("token_invalid_signature", "Token inv\xE1lido: string vazia");
5522
+ }
5523
+ if (!this._allowUnsignedDecode) {
5524
+ throw new NeetruError(
5525
+ "unauthorized",
5526
+ "MockAuth.verifyToken n\xE3o verifica assinaturas JWT e N\xC3O deve ser usado como security boundary em c\xF3digo deployado. Em testes, use new MockAuth(user, { allowUnsignedDecode: true }) para habilitar decodifica\xE7\xE3o sem assinatura, ou __mockVerifyToken(fn) para injetar resultado customizado."
5527
+ );
5509
5528
  }
5510
5529
  try {
5511
5530
  const parts = token.split(".");
@@ -5532,7 +5551,7 @@ var MockAuth = class {
5532
5551
  } catch {
5533
5552
  }
5534
5553
  if (this._user) return this._user;
5535
- throw Object.assign(new Error("Nenhum user mock dispon\xEDvel"), { code: "token_invalid_signature" });
5554
+ throw new NeetruError("token_invalid_signature", "Nenhum user mock dispon\xEDvel e JWT sem sub v\xE1lido");
5536
5555
  }
5537
5556
  /**
5538
5557
  * Mock de `handleRedirectCallback` (Bug 2 / 3.1.3) — não há redirect real no
@@ -6092,13 +6111,20 @@ function createOidcAuthNamespace(config) {
6092
6111
  const issuer = idpOrigin;
6093
6112
  const jwksUrl = `${idpOrigin}/api/v1/oauth/.well-known/jwks.json`;
6094
6113
  const cacheTtlMs = options?.jwksCacheTtlMs ?? DEFAULT_JWKS_TTL_MS;
6114
+ const audienceFromOptions = options?.audience;
6095
6115
  const parsedKey = tryParseApiKey(config.apiKey);
6096
- const audience = parsedKey?.keyId;
6116
+ const audience = audienceFromOptions ?? parsedKey?.keyId;
6117
+ if (!audience) {
6118
+ throw new NeetruError(
6119
+ "invalid_config",
6120
+ "verifyToken requires an audience: provide apiKey on the client or pass options.audience. Calling jwtVerify without an audience allows tokens issued for other OIDC clients to pass."
6121
+ );
6122
+ }
6097
6123
  const jwks = _getJwks(jwksUrl, cacheTtlMs);
6098
6124
  try {
6099
6125
  const { payload } = await jwtVerify(token, jwks, {
6100
6126
  issuer,
6101
- ...audience ? { audience } : {},
6127
+ audience,
6102
6128
  algorithms: ["RS256"]
6103
6129
  });
6104
6130
  return _jwtPayloadToUser(payload);