@playcademy/sdk 0.0.6 → 0.0.8

package/dist/index.d.ts

@@ -3,24 +3,6 @@ import * as drizzle_orm_pg_core from 'drizzle-orm/pg-core';
 import * as drizzle_zod from 'drizzle-zod';
 import { z } from 'zod';
 
-/**
- * SDK Constants
- * These are re-exported from @playcademy/data but defined here
- * to avoid bundling issues with API Extractor
- */
-declare const CURRENCIES: {
-    readonly PRIMARY: "PLAYCADEMY_CREDITS";
-    readonly XP: "PLAYCADEMY_XP";
-};
-declare const BADGES: {
-    readonly FOUNDING_MEMBER: "FOUNDING_MEMBER_BADGE";
-    readonly EARLY_ADOPTER: "EARLY_ADOPTER_BADGE";
-    readonly FIRST_GAME: "FIRST_GAME_BADGE";
-};
-declare const AuthProvider: {
-    readonly TIMEBACK: "TIMEBACK";
-};
-
 declare const users: drizzle_orm_pg_core.PgTableWithColumns<{
     name: "user";
     schema: undefined;
@@ -2343,6 +2325,25 @@ type AuthenticatedUser = User & {
  * Types that combine data from multiple domains
  */
 type ManifestV1 = z.infer<typeof ManifestV1Schema>;
+/**
+ * Basic user information in the shape of the claims from identity providers
+ */
+interface UserInfo {
+    /** Unique user identifier (sub claim from JWT) */
+    sub: string;
+    /** User's email address */
+    email: string;
+    /** User's display name */
+    name: string;
+    /** Whether the email has been verified */
+    email_verified: boolean;
+    /** Optional given name (first name) */
+    given_name?: string;
+    /** Optional family name (last name) */
+    family_name?: string;
+    /** Additional user attributes from the identity provider */
+    [key: string]: unknown;
+}
 /**
  * Character-related Composite Types
  * Types that combine character component data with sprite sheet information
@@ -2583,6 +2584,24 @@ interface AchievementProgressResponse {
     createdAt: string;
 }
 
+/**
+ * SDK Constants
+ * These are re-exported from @playcademy/data but defined here
+ * to avoid bundling issues with API Extractor
+ */
+declare const CURRENCIES: {
+    readonly PRIMARY: "PLAYCADEMY_CREDITS";
+    readonly XP: "PLAYCADEMY_XP";
+};
+declare const BADGES: {
+    readonly FOUNDING_MEMBER: "FOUNDING_MEMBER_BADGE";
+    readonly EARLY_ADOPTER: "EARLY_ADOPTER_BADGE";
+    readonly FIRST_GAME: "FIRST_GAME_BADGE";
+};
+declare const AuthProvider: {
+    readonly TIMEBACK: "TIMEBACK";
+};
+
 interface ClientConfig {
     baseUrl: string;
     token?: string;
@@ -2629,26 +2648,6 @@ interface AuthResult {
     /** Error if authentication failed */
     error?: Error;
 }
-/**
- * Standard OAuth/OIDC user claims returned from identity providers
- * This is what external identity providers (like Timeback) return
- */
-interface UserInfo {
-    /** Unique user identifier (sub claim from JWT) */
-    sub: string;
-    /** User's email address */
-    email: string;
-    /** User's display name */
-    name: string;
-    /** Whether the email has been verified */
-    email_verified: boolean;
-    /** Optional given name (first name) */
-    given_name?: string;
-    /** Optional family name (last name) */
-    family_name?: string;
-    /** Additional user attributes from the identity provider */
-    [key: string]: unknown;
-}
 /**
  * Authentication state change event payload.
  * Used when authentication state changes in the application.
@@ -2874,16 +2873,24 @@ interface UserScore {
  * - Sets up event listeners for token refresh
  * - Exposes the client for debugging in development mode
  *
+ * @param options - Optional configuration overrides
+ * @param options.baseUrl - Override the base URL for API requests
  * @returns Promise resolving to a fully initialized PlaycademyClient
  * @throws Error if not running in a browser context
  *
  * @example
  * ```typescript
+ * // Default initialization
  * const client = await PlaycademyClient.init()
- * const user = await client.users.me()
+ *
+ * // With custom base URL
+ * const client = await PlaycademyClient.init({ baseUrl: 'https://custom.api.com' })
  * ```
  */
-declare function init(): Promise<PlaycademyClient>;
+declare function init(options?: {
+    baseUrl?: string;
+    allowedParentOrigins?: string[];
+}): Promise<PlaycademyClient>;
 
 /**
  * Authenticates a user with email and password.
@@ -2965,6 +2972,22 @@ declare class PlaycademyClient {
      * @param token - The authentication token, or null to clear
      */
     setToken(token: string | null): void;
+    /**
+     * Gets the current authentication token.
+     *
+     * @returns The current token or null if not authenticated
+     *
+     * @example
+     * ```typescript
+     * // Send token to your backend for verification
+     * const token = client.getToken()
+     * const response = await fetch('/api/auth/playcademy', {
+     *     method: 'POST',
+     *     body: JSON.stringify({ gameToken: token })
+     * })
+     * ```
+     */
+    getToken(): string | null;
     /**
      * Checks if the client has a valid API token for making Playcademy API requests.
      *
@@ -3059,14 +3082,6 @@ declare class PlaycademyClient {
     };
     /** Identity provider connection methods (connect external accounts) */
     identity: {
-        readonly user: {
-            sub: string;
-            email: string;
-            name: string;
-            email_verified: true;
-            given_name: undefined;
-            family_name: undefined;
-        } | null;
         connect: (options: AuthOptions) => Promise<AuthResult>;
         _getContext: () => {
             isInIframe: boolean;
@@ -3114,7 +3129,7 @@ declare class PlaycademyClient {
         };
         leaderboard: {
             get: (gameId: string, options?: {
-                limit?: number;
+                limit? /** Runtime methods (getGameToken, exit) */: number;
                 offset?: number;
             }) => Promise<LeaderboardEntry[]>;
         };

package/dist/index.js

@@ -398,18 +398,13 @@ async function login(client, options) {
   try {
     let stateData = options.stateData;
     if (!stateData) {
-      const currentUser = client["initPayload"]?.user;
-      if (currentUser?.id) {
-        stateData = { playcademy_user_id: currentUser.id };
-      } else {
-        try {
-          const currentUser2 = await client.users.me();
-          if (currentUser2?.id) {
-            stateData = { playcademy_user_id: currentUser2.id };
-          }
-        } catch {
-          log.debug("[Playcademy SDK] No current user available for state data");
+      try {
+        const currentUser = await client.users.me();
+        if (currentUser?.id) {
+          stateData = { playcademy_user_id: currentUser.id };
         }
+      } catch {
+        log.debug("[Playcademy SDK] No current user available for state data");
       }
     }
     log.debug("[Playcademy SDK] Starting OAuth login", {
@@ -446,20 +441,6 @@ var init_login = __esm(() => {
 // src/core/namespaces/identity.ts
 function createIdentityNamespace(client) {
   return {
-    get user() {
-      const gameUser = client["initPayload"]?.user;
-      if (!gameUser)
-        return null;
-      const name = gameUser.name || gameUser.username || "";
-      return {
-        sub: gameUser.id,
-        email: gameUser.email || "",
-        name,
-        email_verified: true,
-        given_name: undefined,
-        family_name: undefined
-      };
-    },
     connect: (options) => login(client, options),
     _getContext: () => ({
       isInIframe: client["authContext"]?.isInIframe ?? false
@@ -2594,29 +2575,61 @@ var init_namespaces = __esm(() => {
 });
 
 // src/core/static/init.ts
-async function getPlaycademyConfig() {
+async function getPlaycademyConfig(allowedParentOrigins) {
   const preloaded = window.PLAYCADEMY;
   if (preloaded?.token) {
     return preloaded;
   }
   if (window.self !== window.top) {
-    return await waitForPlaycademyInit();
+    return await waitForPlaycademyInit(allowedParentOrigins);
   } else {
     return createStandaloneConfig();
   }
 }
-async function waitForPlaycademyInit() {
+function getReferrerOrigin() {
+  try {
+    return document.referrer ? new URL(document.referrer).origin : null;
+  } catch {
+    return null;
+  }
+}
+function buildAllowedOrigins(explicit) {
+  if (Array.isArray(explicit) && explicit.length > 0)
+    return explicit;
+  const ref = getReferrerOrigin();
+  return ref ? [ref] : [];
+}
+function isOriginAllowed(origin, allowlist) {
+  if (!allowlist || allowlist.length === 0) {
+    console.error("[Playcademy SDK] No allowed origins configured. Consider passing allowedParentOrigins explicitly to init().");
+    return false;
+  }
+  return allowlist.includes(origin);
+}
+async function waitForPlaycademyInit(allowedParentOrigins) {
   return new Promise((resolve, reject) => {
     let contextReceived = false;
     const timeoutDuration = 5000;
+    const allowlist = buildAllowedOrigins(allowedParentOrigins);
+    let hasWarnedAboutUntrustedOrigin = false;
+    function warnAboutUntrustedOrigin(origin) {
+      if (hasWarnedAboutUntrustedOrigin)
+        return;
+      hasWarnedAboutUntrustedOrigin = true;
+      console.warn("[Playcademy SDK] Ignoring INIT from untrusted origin:", origin);
+    }
     const handleMessage = (event) => {
-      if (event.data?.type === "PLAYCADEMY_INIT" /* INIT */) {
-        contextReceived = true;
-        window.removeEventListener("message", handleMessage);
-        clearTimeout(timeoutId);
-        window.PLAYCADEMY = event.data.payload;
-        resolve(event.data.payload);
+      if (event.data?.type !== "PLAYCADEMY_INIT" /* INIT */)
+        return;
+      if (!isOriginAllowed(event.origin, allowlist)) {
+        warnAboutUntrustedOrigin(event.origin);
+        return;
       }
+      contextReceived = true;
+      window.removeEventListener("message", handleMessage);
+      clearTimeout(timeoutId);
+      window.PLAYCADEMY = event.data.payload;
+      resolve(event.data.payload);
     };
     window.addEventListener("message", handleMessage);
     const timeoutId = setTimeout(() => {
@@ -2628,22 +2641,25 @@ async function waitForPlaycademyInit() {
   });
 }
 function createStandaloneConfig() {
+  console.warn("[Playcademy SDK] Standalone mode detected, creating mock context for local development");
   const mockConfig = {
     baseUrl: "/api",
     token: "mock-game-token-for-local-dev",
     gameId: "mock-game-id-from-template",
-    realtimeUrl: undefined,
-    user: undefined
+    realtimeUrl: undefined
   };
   window.PLAYCADEMY = mockConfig;
   return mockConfig;
 }
-async function init() {
+async function init(options) {
   const { PlaycademyClient } = await Promise.resolve().then(() => (init_client(), exports_client));
   if (typeof window === "undefined") {
     throw new Error("Playcademy SDK must run in a browser context");
   }
-  const config = await getPlaycademyConfig();
+  const config = await getPlaycademyConfig(options?.allowedParentOrigins);
+  if (options?.baseUrl) {
+    config.baseUrl = options.baseUrl;
+  }
   const client = new PlaycademyClient({
     baseUrl: config.baseUrl,
     token: config.token,
@@ -2756,6 +2772,9 @@ var init_client = __esm(() => {
       this.token = token ?? undefined;
       this.emit("authChange", { token: this.token ?? null });
     }
+    getToken() {
+      return this.token ?? null;
+    }
     isAuthenticated() {
       return !!this.token;
     }

package/dist/server.d.ts

@@ -0,0 +1,53 @@
+/**
+ * Basic user information in the shape of the claims from identity providers
+ */
+interface UserInfo {
+    /** Unique user identifier (sub claim from JWT) */
+    sub: string;
+    /** User's email address */
+    email: string;
+    /** User's display name */
+    name: string;
+    /** Whether the email has been verified */
+    email_verified: boolean;
+    /** Optional given name (first name) */
+    given_name?: string;
+    /** Optional family name (last name) */
+    family_name?: string;
+    /** Additional user attributes from the identity provider */
+    [key: string]: unknown;
+}
+
+/**
+ * Server-only utilities for Playcademy.
+ *
+ * NOTE: This module is intended for backend/server runtimes. It should not be
+ * bundled into browser code. The API intentionally avoids requiring a
+ * PlaycademyClient instance, offering stateless helpers for auth flows.
+ */
+
+/**
+ * Verifies a short-lived Playcademy Game Token and returns verified identity claims.
+ *
+ * This calls the Playcademy API to cryptographically verify the token and
+ * returns the verified user information and claims.
+ *
+ * @param gameToken - The game JWT token to verify
+ * @param options - Optional configuration (reserved for future use)
+ * @returns Promise containing verified claims, gameId, and user information
+ * @throws Error if token is invalid or verification fails
+ */
+declare function verifyGameToken(gameToken: string, options?: {
+    baseUrl?: string;
+}): Promise<{
+    claims: Record<string, unknown>;
+    gameId: string;
+    user: UserInfo;
+}>;
+declare const PlaycademyServer: {
+    auth: {
+        verifyGameToken: typeof verifyGameToken;
+    };
+};
+
+export { PlaycademyServer, verifyGameToken };

package/dist/server.js

@@ -0,0 +1,50 @@
+var __defProp = Object.defineProperty;
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, {
+      get: all[name],
+      enumerable: true,
+      configurable: true,
+      set: (newValue) => all[name] = () => newValue
+    });
+};
+var __esm = (fn, res) => () => (fn && (res = fn(fn = 0)), res);
+
+// src/server.ts
+async function verifyGameToken(gameToken, options) {
+  if (!gameToken || typeof gameToken !== "string") {
+    throw new Error("[Playcademy SDK] gameToken must be a non-empty string");
+  }
+  const baseUrl = options?.baseUrl || process.env.PLAYCADEMY_BASE_URL || process.env.PUBLIC_PLAYCADEMY_BASE_URL || process.env.NEXT_PUBLIC_PLAYCADEMY_BASE_URL;
+  if (!baseUrl) {
+    throw new Error(`[Playcademy SDK] PLAYCADEMY_BASE_URL is not set
+Please set the PLAYCADEMY_BASE_URL environment variable`);
+  }
+  try {
+    const response = await fetch(`${baseUrl}/api/games/verify`, {
+      method: "POST",
+      headers: {
+        "Content-Type": "application/json"
+      },
+      body: JSON.stringify({ token: gameToken })
+    });
+    if (!response.ok) {
+      const errorText = await response.text().catch(() => "Unknown error");
+      throw new Error(`[Playcademy SDK] Token verification failed: ${response.status} ${errorText}`);
+    }
+    const result = await response.json();
+    return result;
+  } catch (error) {
+    if (error instanceof Error) {
+      throw error;
+    }
+    throw new Error("[Playcademy SDK] Token verification failed: Network error");
+  }
+}
+var PlaycademyServer = {
+  auth: { verifyGameToken }
+};
+export {
+  verifyGameToken,
+  PlaycademyServer
+};

package/dist/types.d.ts

@@ -3,10 +3,6 @@ import * as drizzle_zod from 'drizzle-zod';
 import { z } from 'zod';
 import * as _playcademy_realtime_server_types from '@playcademy/realtime/server/types';
 
-declare const AuthProvider: {
-    readonly TIMEBACK: "TIMEBACK";
-};
-
 declare const userRoleEnum: drizzle_orm_pg_core.PgEnum<["admin", "player", "developer"]>;
 declare const users: drizzle_orm_pg_core.PgTableWithColumns<{
     name: "user";
@@ -3095,6 +3091,25 @@ type AuthenticatedUser = User & {
  * Types that combine data from multiple domains
  */
 type ManifestV1 = z.infer<typeof ManifestV1Schema>;
+/**
+ * Basic user information in the shape of the claims from identity providers
+ */
+interface UserInfo {
+    /** Unique user identifier (sub claim from JWT) */
+    sub: string;
+    /** User's email address */
+    email: string;
+    /** User's display name */
+    name: string;
+    /** Whether the email has been verified */
+    email_verified: boolean;
+    /** Optional given name (first name) */
+    given_name?: string;
+    /** Optional family name (last name) */
+    family_name?: string;
+    /** Additional user attributes from the identity provider */
+    [key: string]: unknown;
+}
 /**
  * Character-related Composite Types
  * Types that combine character component data with sprite sheet information
@@ -3350,6 +3365,10 @@ interface AchievementProgressResponse {
     createdAt: string;
 }
 
+declare const AuthProvider: {
+    readonly TIMEBACK: "TIMEBACK";
+};
+
 /**
  * OAuth 2.0 implementation for the Playcademy SDK
  */
@@ -3585,16 +3604,24 @@ declare enum MessageEvents {
  * - Sets up event listeners for token refresh
  * - Exposes the client for debugging in development mode
  *
+ * @param options - Optional configuration overrides
+ * @param options.baseUrl - Override the base URL for API requests
  * @returns Promise resolving to a fully initialized PlaycademyClient
  * @throws Error if not running in a browser context
  *
  * @example
  * ```typescript
+ * // Default initialization
  * const client = await PlaycademyClient.init()
- * const user = await client.users.me()
+ *
+ * // With custom base URL
+ * const client = await PlaycademyClient.init({ baseUrl: 'https://custom.api.com' })
  * ```
  */
-declare function init(): Promise<PlaycademyClient>;
+declare function init(options?: {
+    baseUrl?: string;
+    allowedParentOrigins?: string[];
+}): Promise<PlaycademyClient>;
 
 /**
  * Authenticates a user with email and password.
@@ -3676,6 +3703,22 @@ declare class PlaycademyClient {
      * @param token - The authentication token, or null to clear
      */
     setToken(token: string | null): void;
+    /**
+     * Gets the current authentication token.
+     *
+     * @returns The current token or null if not authenticated
+     *
+     * @example
+     * ```typescript
+     * // Send token to your backend for verification
+     * const token = client.getToken()
+     * const response = await fetch('/api/auth/playcademy', {
+     *     method: 'POST',
+     *     body: JSON.stringify({ gameToken: token })
+     * })
+     * ```
+     */
+    getToken(): string | null;
     /**
      * Checks if the client has a valid API token for making Playcademy API requests.
      *
@@ -3770,14 +3813,6 @@ declare class PlaycademyClient {
     };
     /** Identity provider connection methods (connect external accounts) */
     identity: {
-        readonly user: {
-            sub: string;
-            email: string;
-            name: string;
-            email_verified: true;
-            given_name: undefined;
-            family_name: undefined;
-        } | null;
         connect: (options: AuthOptions) => Promise<AuthResult>;
         _getContext: () => {
             isInIframe: boolean;
@@ -3825,7 +3860,7 @@ declare class PlaycademyClient {
         };
         leaderboard: {
             get: (gameId: string, options?: {
-                limit?: number;
+                limit? /** Runtime methods (getGameToken, exit) */: number;
                 offset?: number;
             }) => Promise<LeaderboardEntry[]>;
         };
@@ -4175,7 +4210,6 @@ interface InitPayload {
     token: string;
     gameId: string;
     realtimeUrl?: string;
-    user?: GameUser;
 }
 type AuthProviderType = (typeof AuthProvider)[keyof typeof AuthProvider];
 interface AuthOptions {
@@ -4217,26 +4251,6 @@ interface AuthResult {
     /** Error if authentication failed */
     error?: Error;
 }
-/**
- * Standard OAuth/OIDC user claims returned from identity providers
- * This is what external identity providers (like Timeback) return
- */
-interface UserInfo {
-    /** Unique user identifier (sub claim from JWT) */
-    sub: string;
-    /** User's email address */
-    email: string;
-    /** User's display name */
-    name: string;
-    /** Whether the email has been verified */
-    email_verified: boolean;
-    /** Optional given name (first name) */
-    given_name?: string;
-    /** Optional family name (last name) */
-    family_name?: string;
-    /** Additional user attributes from the identity provider */
-    [key: string]: unknown;
-}
 /**
  * Simplified user data passed to games via InitPayload
  * This is a subset of AuthenticatedUser suitable for external game consumption

package/package.json

@@ -1,6 +1,6 @@
 {
     "name": "@playcademy/sdk",
-    "version": "0.0.6",
+    "version": "0.0.8",
     "type": "module",
     "exports": {
         ".": {
@@ -8,6 +8,11 @@
             "require": "./dist/index.js",
             "types": "./dist/index.d.ts"
         },
+        "./server": {
+            "import": "./dist/server.js",
+            "require": "./dist/server.js",
+            "types": "./dist/server.d.ts"
+        },
         "./types": {
             "import": "./dist/types.js",
             "require": "./dist/types.js",