@spree/docs 0.1.99 → 0.1.101

@@ -1,5 +1,5 @@
1
1
  ---
2
- title: "Monetary Amounts"
2
+ title: "Monetary amounts in the Admin API: prices, costs, formats"
3
3
  sidebarTitle: "Monetary Amounts"
4
4
  description: "How the Admin API represents money as decimal strings, why JSON numbers are avoided, and how to send prices, costs, and amounts safely in requests."
5
5
  ---
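Review bot: the new `+ title:` line agrees with the unchanged `description:` (decimal strings, prices, costs) and leaves `sidebarTitle` short, so the change itself is fine; what needs checking is that the hunks that follow in this region (`module MyApp`, `def authenticate`, JWKS loading, `POST /auth/login`) belong to an authentication guide, not to a monetary-amounts page, so the rendered diff appears to have dropped its per-file headers. Please confirm the title edit landed only in the monetary amounts page and the auth hunks are a separate file.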
@@ -76,7 +76,7 @@ module MyApp
76
76
 
77
77
  def authenticate
78
78
  token = params[:token] || extract_bearer
79
- return failure(I18n.t('spree.api.unauthorized')) if token.blank?
79
+ return failure(Spree.t('api.unauthorized')) if token.blank?
80
80
 
81
81
  payload = verify_with_jwks(token)
82
82
 
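Review bot: replacing `I18n.t('spree.api.unauthorized')` with `Spree.t('api.unauthorized')` on the `token.blank?` line is behaviour-preserving, since `Spree.t` resolves the key under the `spree` scope, and it keeps this early return on the same message as the rescue branch later in the file. One thing to verify: `MyApp` is application code, so `Spree.t` must be reachable there; it is a module method on `Spree` from spree_core rather than a controller helper, so this holds as long as the host app depends on spree_core.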
@@ -92,13 +92,13 @@ module MyApp
92
92
 
93
93
  success(user)
94
94
  rescue JWT::DecodeError, JWT::ExpiredSignature, JWT::InvalidIssuerError, JWT::InvalidAudError, KeyError => e
95
- failure(e.message)
95
+ failure(Spree.t('api.unauthorized'))
96
96
  end
97
97
 
98
98
  private
99
99
 
100
100
  def verify_with_jwks(token)
101
- jwks_loader = ->(opts) { jwks(force: opts[:invalidate]) }
101
+ jwks_loader = ->(opts) { jwks(force: opts[:kid_not_found]) }
102
102
 
103
103
  JWT.decode(
104
104
  token, nil, true,
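Review bot: replacing `failure(e.message)` with `failure(Spree.t('api.unauthorized'))` in the rescue branch closes an information leak: the messages of `JWT::DecodeError`, `JWT::ExpiredSignature`, `JWT::InvalidIssuerError` and `JWT::InvalidAudError` tell the caller which check failed (expired, wrong issuer, wrong audience, bad signature), which a client probing tokens should not learn. Since that detail is now discarded, consider logging `e.class` and `e.message` server-side before returning the generic failure so that a misconfigured IdP can still be diagnosed. On the loader line, `opts[:kid_not_found]` is the option name the ruby-jwt README's `jwks_loader` example checks when a `kid` is not in the cached set, so this matches the documented contract; but because an unrecognized `kid` now calls `jwks(force: true)`, make sure `jwks` throttles forced refetches (the README example only invalidates its cache when it is older than a few minutes), otherwise tokens carrying arbitrary `kid` values can drive repeated fetches of the IdP's JWKS endpoint. The per-IP limit on `POST /auth/login` mentioned later in the file bounds this per source but not across many sources.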
@@ -318,7 +318,7 @@ This revokes the Spree refresh token. The Spree JWT itself remains valid until i
318
318
  A few things worth getting right:
319
319
 
320
320
  - **Don't try to pass the third-party JWT through to protected endpoints.** Spree's `JwtAuthentication` concern verifies `iss: 'spree'` and the expected audience (`store_api` or `admin_api`) with HS256 against the Spree secret — a foreign RS256 token will never validate, and you don't want it to. The exchange-at-login model is the right one.
321
- - **JWKS caching and rotation.** Cache the JWKS (the example uses a 1-hour TTL) but make sure your loader honors the `invalidate: true` option so that an unrecognized `kid` triggers a refetch. Otherwise key rotation at the IdP locks users out for up to the TTL.
321
+ - **JWKS caching and rotation.** Cache the JWKS (the example uses a 1-hour TTL) but make sure your loader honors the `kid_not_found: true` option so that an unrecognized `kid` triggers a refetch. Otherwise key rotation at the IdP locks users out for up to the TTL.
322
322
  - **Validate `iss` and `aud` claims.** Always. The example passes `verify_iss: true, verify_aud: true` to `JWT.decode` — don't drop those.
323
323
  - **Algorithm pinning.** Hard-code `algorithms: ['RS256']` (or whatever your IdP uses). Never let the token's own `alg` header decide — the classic `alg: none` and HS-as-RS confusion attacks both exploit lax algorithm selection.
324
324
  - **Rate limiting.** `POST /auth/login` is rate-limited per IP via `Spree::Api::Config[:rate_limit_login]`. Tune it in your app config if needed — the same limit applies to email/password and provider-dispatched logins.
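Review bot: the `kid_not_found: true` wording in the changed bullet now matches the loader code, which is the right fix; the same bullet could add that a refetch triggered by an unrecognized `kid` should itself be rate-limited, since the bullet's own rationale (not locking users out for the full TTL after rotation) needs one refetch per rotation, not one per unknown-`kid` request. The "Rate limiting" bullet below covers only `POST /auth/login`, so the point is not made elsewhere in this list.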
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "@spree/docs",
3
- "version": "0.1.99",
3
+ "version": "0.1.101",
4
4
  "description": "Spree Commerce developer documentation for AI agents and local reference",
5
5
  "type": "module",
6
6
  "license": "CC-BY-4.0",