@sparkvault/sdk 1.21.6 → 1.21.7

package/dist/identity/utils.d.ts

@@ -7,6 +7,15 @@
 export { CooldownTimer, ExpirationTimer } from './utils/cooldown-timer';
 export type { CooldownTimerConfig, ExpirationTimerConfig } from './utils/cooldown-timer';
 export { arrayBufferToBase64url, base64urlToArrayBuffer, base64urlToString, } from '../utils/base64url';
+/**
+ * Extract the root (registrable) domain from a hostname for cross-subdomain cookies.
+ * Returns the domain prefixed with a dot (e.g., ".client.com") or null when
+ * the domain attribute should not be set (localhost, IP addresses).
+ *
+ * @param hostname - The hostname to extract the root domain from
+ * @returns Root domain with leading dot, or null
+ */
+export declare function getRootDomain(hostname: string): string | null;
 /**
  * Get cookie value by name
  * @param name - Cookie name
@@ -14,7 +23,10 @@ export { arrayBufferToBase64url, base64urlToArrayBuffer, base64urlToString, } fr
  */
 export declare function getCookie(name: string): string | null;
 /**
- * Set cookie with expiration
+ * Set cookie with expiration on the root domain for cross-subdomain access.
+ * The domain is automatically extracted from the current hostname and prefixed
+ * with a dot (e.g., ".client.com") so the cookie is shared across all subdomains.
+ *
  * @param name - Cookie name
  * @param value - Cookie value
  * @param days - Days until expiration

package/dist/sparkvault.cjs.js

@@ -269,6 +269,7 @@ class HttpClient {
     }
     async parseResponse(response) {
         // Handle empty responses (204 No Content, etc.)
+        // Callers expecting no body should use <void> as the generic type parameter.
         const contentLength = response.headers.get('content-length');
         if (response.status === 204 || contentLength === '0') {
             return null;
@@ -543,6 +544,57 @@ function base64urlToString(base64url) {
  * Consolidates duplicated logic from renderer, api, and index.
  */
 // Re-export timer utilities
+/**
+ * Common multi-part public suffixes where the last two labels form the TLD.
+ * Domains under these suffixes need three labels for a valid registrable domain
+ * (e.g., "app.client.co.uk" → registrable domain is "client.co.uk").
+ */
+const MULTI_PART_TLDS = new Set([
+    'co.uk', 'co.jp', 'co.kr', 'co.nz', 'co.za', 'co.in', 'co.id', 'co.th',
+    'com.au', 'com.br', 'com.cn', 'com.mx', 'com.sg', 'com.tw', 'com.hk',
+    'com.ar', 'com.co', 'com.my', 'com.ph', 'com.pk', 'com.tr', 'com.ua',
+    'com.vn', 'com.ng', 'com.eg', 'com.sa', 'com.pe', 'com.ec',
+    'net.au', 'net.br', 'net.cn', 'net.nz',
+    'org.au', 'org.br', 'org.cn', 'org.nz', 'org.uk',
+    'ac.uk', 'gov.uk', 'ac.jp', 'ne.jp', 'or.jp',
+    'ac.kr', 'go.kr', 'or.kr',
+    'ac.nz', 'govt.nz',
+    'ac.za', 'gov.za',
+    'ac.in', 'gov.in', 'net.in', 'org.in',
+]);
+/**
+ * Extract the root (registrable) domain from a hostname for cross-subdomain cookies.
+ * Returns the domain prefixed with a dot (e.g., ".client.com") or null when
+ * the domain attribute should not be set (localhost, IP addresses).
+ *
+ * @param hostname - The hostname to extract the root domain from
+ * @returns Root domain with leading dot, or null
+ */
+function getRootDomain(hostname) {
+    // Localhost — browsers reject domain attribute for localhost
+    if (hostname === 'localhost' || hostname === '127.0.0.1')
+        return null;
+    // IPv4 addresses
+    if (/^\d{1,3}(\.\d{1,3}){3}$/.test(hostname))
+        return null;
+    // IPv6 addresses
+    if (hostname.includes(':'))
+        return null;
+    const parts = hostname.split('.');
+    // Single-label hostnames (no dots)
+    if (parts.length <= 1)
+        return null;
+    // Two-part domain (e.g., "client.com") — already the root
+    if (parts.length === 2)
+        return `.${hostname}`;
+    // Check for multi-part TLD (e.g., "co.uk" in "app.client.co.uk")
+    const lastTwo = parts.slice(-2).join('.');
+    if (MULTI_PART_TLDS.has(lastTwo) && parts.length >= 3) {
+        return `.${parts.slice(-3).join('.')}`;
+    }
+    // Standard TLD — root domain is last two parts (e.g., "app.client.com" → ".client.com")
+    return `.${lastTwo}`;
+}
 /**
  * Get cookie value by name
  * @param name - Cookie name
@@ -553,7 +605,10 @@ function getCookie(name) {
     return match ? match[2] : null;
 }
 /**
- * Set cookie with expiration
+ * Set cookie with expiration on the root domain for cross-subdomain access.
+ * The domain is automatically extracted from the current hostname and prefixed
+ * with a dot (e.g., ".client.com") so the cookie is shared across all subdomains.
+ *
  * @param name - Cookie name
  * @param value - Cookie value
  * @param days - Days until expiration
@@ -562,7 +617,9 @@ function setCookie(name, value, days) {
     const date = new Date();
     date.setTime(date.getTime() + days * 24 * 60 * 60 * 1000);
     const expires = `expires=${date.toUTCString()}`;
-    document.cookie = `${name}=${value}; ${expires}; path=/; SameSite=Lax`;
+    const domain = getRootDomain(window.location.hostname);
+    const domainAttr = domain ? `; domain=${domain}` : '';
+    document.cookie = `${name}=${value}; ${expires}; path=/${domainAttr}; SameSite=Lax`;
 }
 /**
  * Generate cryptographically secure random state string
@@ -614,9 +671,11 @@ class IdentityApi {
         }
         const url = `${this.baseUrl}${endpoint}`;
         const headers = {
-            'Content-Type': 'application/json',
             'Accept': 'application/json',
         };
+        if (body) {
+            headers['Content-Type'] = 'application/json';
+        }
         // Create abort controller for request timeout
         const timeoutController = new AbortController();
         const timeoutId = setTimeout(() => timeoutController.abort(), this.timeoutMs);