npm - @pylonsync/sdk - Versions diffs - 0.3.78 → 0.3.83 - Mend

@pylonsync/sdk 0.3.78 → 0.3.83

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (2) hide show

package/package.json +1 -1
package/src/index.ts +14 -1

package/package.json CHANGED Viewed

@@ -3,7 +3,7 @@
   "publishConfig": {
     "access": "public"
   },
-  "version": "0.3.78",
+  "version": "0.3.83",
   "type": "module",
   "main": "src/index.ts",
   "types": "src/index.ts",

package/src/index.ts CHANGED Viewed

@@ -518,6 +518,12 @@ export function policiesToManifest(
  * (User entity named "User", strip `passwordHash`, 30-day sessions,
  * no cookie cache, trusted origins from `PYLON_TRUSTED_ORIGINS` env).
  *
+ * `trustedOrigins` is the unified source for **all three gates** —
+ * CORS, CSRF, and OAuth-redirect. Loopback origins
+ * (`http://localhost`, `127.0.0.1`, `[::1]`, any port) are always
+ * auto-trusted across all three gates so `pylon dev` works without
+ * any allowlist config.
+ *
  * @example
  * auth({
  *   user: {
@@ -590,7 +596,14 @@ export type AuthConfig = {
      */
     disabled?: boolean;
   };
-  /** Per-app trusted origins for OAuth `?callback=` validation. Merged with `PYLON_TRUSTED_ORIGINS` env. */
+  /**
+   * Per-app trusted origins. Single declarative source for the three
+   * browser-facing gates: CORS, CSRF, OAuth `?callback=` validation.
+   * Merged with `PYLON_TRUSTED_ORIGINS` (OAuth) / `PYLON_CORS_ORIGIN`
+   * (CORS) / `PYLON_CSRF_ORIGINS` (CSRF) env vars when ops need to
+   * split per-gate. Loopback (`http://localhost`, `127.0.0.1`, `[::1]`,
+   * any port) is always auto-trusted at every gate.
+   */
   trustedOrigins?: string[];
 };