@pylonsync/next 0.3.6 → 0.3.8
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/package.json +1 -1
- package/src/auth.ts +24 -3
- package/src/server.ts +33 -15
package/package.json
CHANGED
package/src/auth.ts
CHANGED
|
@@ -67,12 +67,33 @@ export async function listOAuthProviders(): Promise<OAuthProvider[]> {
|
|
|
67
67
|
/**
|
|
68
68
|
* Kick off an OAuth login. Browser navigates to Pylon's GET login
|
|
69
69
|
* route, which 302s to the provider, which 302s back to Pylon's GET
|
|
70
|
-
* callback (Set-Cookie + 302 to
|
|
70
|
+
* callback (Set-Cookie + 302 to the success URL). The OAuth code
|
|
71
71
|
* never enters JS, so XSS in the dashboard can't intercept the
|
|
72
72
|
* handshake.
|
|
73
|
+
*
|
|
74
|
+
* `successUrl` and `errorUrl` MUST have origins listed in the
|
|
75
|
+
* server's PYLON_TRUSTED_ORIGINS — otherwise pylon's start endpoint
|
|
76
|
+
* 403s with UNTRUSTED_REDIRECT. Defaults are sensible for typical
|
|
77
|
+
* Next.js layouts (current origin's `/dashboard` and `/login`); pass
|
|
78
|
+
* explicit values for apps that route auth elsewhere.
|
|
73
79
|
*/
|
|
74
|
-
export
|
|
75
|
-
|
|
80
|
+
export type StartOAuthLoginOptions = {
|
|
81
|
+
successUrl?: string;
|
|
82
|
+
errorUrl?: string;
|
|
83
|
+
};
|
|
84
|
+
export function startOAuthLogin(
|
|
85
|
+
provider: OAuthProvider["provider"],
|
|
86
|
+
opts: StartOAuthLoginOptions = {},
|
|
87
|
+
): void {
|
|
88
|
+
const origin = window.location.origin;
|
|
89
|
+
const successUrl = opts.successUrl ?? `${origin}/dashboard`;
|
|
90
|
+
const errorUrl = opts.errorUrl ?? `${origin}/login`;
|
|
91
|
+
const params = new URLSearchParams({
|
|
92
|
+
redirect: "1",
|
|
93
|
+
callback: successUrl,
|
|
94
|
+
error_callback: errorUrl,
|
|
95
|
+
});
|
|
96
|
+
window.location.href = `/api/auth/login/${provider}?${params.toString()}`;
|
|
76
97
|
}
|
|
77
98
|
|
|
78
99
|
export async function sendVerificationEmail(): Promise<{
|
package/src/server.ts
CHANGED
|
@@ -206,21 +206,39 @@ export function createPylonServer(config: PylonServerConfig): PylonServer {
|
|
|
206
206
|
auth: PylonAuth;
|
|
207
207
|
user: U;
|
|
208
208
|
} | null> {
|
|
209
|
-
|
|
210
|
-
|
|
211
|
-
|
|
212
|
-
|
|
213
|
-
|
|
214
|
-
|
|
215
|
-
|
|
216
|
-
|
|
217
|
-
|
|
218
|
-
|
|
219
|
-
}
|
|
220
|
-
|
|
221
|
-
|
|
222
|
-
|
|
223
|
-
|
|
209
|
+
// Single round-trip to /api/auth/session — pylon returns
|
|
210
|
+
// `{ session, user }` where `user` is the User row projected
|
|
211
|
+
// to safe fields (passwordHash + framework-internal columns
|
|
212
|
+
// stripped). This replaces the older two-step
|
|
213
|
+
// /api/auth/me + /api/fn/getMe dance.
|
|
214
|
+
const session = await readSession();
|
|
215
|
+
if (!session) return null;
|
|
216
|
+
const resp = await fetch(`${target()}/api/auth/session`, {
|
|
217
|
+
headers: { cookie: session.header },
|
|
218
|
+
cache: "no-store",
|
|
219
|
+
})
|
|
220
|
+
.then(
|
|
221
|
+
(r) =>
|
|
222
|
+
r.json() as Promise<{
|
|
223
|
+
session?: {
|
|
224
|
+
user_id?: string;
|
|
225
|
+
tenant_id?: string | null;
|
|
226
|
+
is_admin?: boolean;
|
|
227
|
+
};
|
|
228
|
+
user?: U | null;
|
|
229
|
+
}>,
|
|
230
|
+
)
|
|
231
|
+
.catch(() => ({}) as { session?: undefined; user?: undefined });
|
|
232
|
+
if (!resp.session?.user_id || !resp.user) return null;
|
|
233
|
+
return {
|
|
234
|
+
auth: {
|
|
235
|
+
userId: resp.session.user_id,
|
|
236
|
+
tenantId: resp.session.tenant_id ?? null,
|
|
237
|
+
isAdmin: resp.session.is_admin ?? false,
|
|
238
|
+
cookieHeader: session.header,
|
|
239
|
+
},
|
|
240
|
+
user: resp.user,
|
|
241
|
+
};
|
|
224
242
|
}
|
|
225
243
|
|
|
226
244
|
async function requireMe<U = Record<string, unknown>>(): Promise<{
|