@startsimpli/auth 0.4.16 → 0.4.17

package/src/utils/central-auth.ts

@@ -0,0 +1,91 @@
+/**
+ * Helpers for redirecting to the central StartSimpli auth host
+ * (auth.startsimpli.com, see startsim-ul0).
+ *
+ * Per-app auth pages have been replaced by a single host that owns
+ * /signin, /signup, /forgot-password, /reset-password, /verify-email,
+ * /oauth/google/callback, /oauth/microsoft/callback, /completion, /error.
+ *
+ * Apps consume this helper to:
+ *   1. Build "Sign in" / "Create account" links with the `app` + `return_to`
+ *      query params preserved.
+ *   2. Configure AuthProvider's `loginPath` so session-expired bounces hit the
+ *      same host.
+ *
+ * Defaults to https://auth.startsimpli.com but can be overridden via the
+ * `NEXT_PUBLIC_AUTH_HOST` env var for staging / local dev.
+ */
+
+export const DEFAULT_CENTRAL_AUTH_HOST = 'https://auth.startsimpli.com';
+
+/** Flows owned by the central auth host. */
+export type CentralAuthFlow =
+  | 'signin'
+  | 'signup'
+  | 'forgot-password'
+  | 'reset-password'
+  | 'verify-email'
+  | 'completion'
+  | 'error';
+
+/**
+ * Resolve the central auth host. Reads `NEXT_PUBLIC_AUTH_HOST` when present
+ * so apps can point at a staging deploy without rebuilding the package.
+ */
+export function resolveCentralAuthHost(): string {
+  if (typeof process !== 'undefined' && process.env?.NEXT_PUBLIC_AUTH_HOST) {
+    return process.env.NEXT_PUBLIC_AUTH_HOST;
+  }
+  return DEFAULT_CENTRAL_AUTH_HOST;
+}
+
+export interface BuildCentralAuthUrlOptions {
+  /** Slug identifying the calling app (e.g. `vault`, `raise`, `market`). */
+  app: string;
+  /** Absolute URL the user should be returned to after the flow completes. */
+  returnTo?: string;
+  /** Override the host (otherwise resolved from env). */
+  host?: string;
+  /** Extra query params to tack on. */
+  extraParams?: Record<string, string>;
+}
+
+/**
+ * Build a URL into the central auth host, preserving `?app=` and
+ * `?return_to=` consistently. Use this for hand-rolled links AND for
+ * AuthProvider's `loginPath` config.
+ *
+ * Example:
+ *   buildCentralAuthUrl('signin', { app: 'vault', returnTo: 'https://vault.startsimpli.com/environments' })
+ *   // => 'https://auth.startsimpli.com/signin?app=vault&return_to=https%3A%2F%2F...'
+ */
+export function buildCentralAuthUrl(
+  flow: CentralAuthFlow,
+  options: BuildCentralAuthUrlOptions,
+): string {
+  const host = options.host ?? resolveCentralAuthHost();
+  const url = new URL(`/${flow}`, host);
+  url.searchParams.set('app', options.app);
+  if (options.returnTo) {
+    url.searchParams.set('return_to', options.returnTo);
+  }
+  if (options.extraParams) {
+    for (const [key, value] of Object.entries(options.extraParams)) {
+      url.searchParams.set(key, value);
+    }
+  }
+  return url.toString();
+}
+
+/**
+ * Convenience: redirect the browser to the central auth host's signin flow,
+ * preserving the current URL as `return_to`. Safe to call from client code.
+ */
+export function redirectToCentralSignin(app: string): void {
+  if (typeof window === 'undefined') return;
+  const url = buildCentralAuthUrl('signin', {
+    app,
+    returnTo: window.location.href,
+  });
+  window.location.href = url;
+}

package/src/utils/index.ts

@@ -1,3 +1,4 @@
 export * from './token';
 export * from './cookies';
+export * from './central-auth';
 export * from '../validation';

package/src/utils/validation.ts

@@ -54,18 +54,13 @@ export const passwordSchema = z
   );
 
 /**
- * Password confirmation schema
- * Validates password and confirmation match
+ * Password schema (alias retained for back-compat — passwordConfirm dropped
+ * from create-account/reset/change flows since browsers + password managers
+ * make the second field pure friction). startsim-nbq.
  */
-export const passwordConfirmSchema = z
-  .object({
-    password: passwordSchema,
-    passwordConfirm: z.string(),
-  })
-  .refine((data) => data.password === data.passwordConfirm, {
-    message: PasswordErrorCode.MISMATCH,
-    path: ['passwordConfirm'],
-  });
+export const passwordConfirmSchema = z.object({
+  password: passwordSchema,
+});
 
 /**
  * Password reset request schema
@@ -78,16 +73,10 @@ export const passwordResetRequestSchema = z.object({
 /**
  * Password reset confirm schema
  */
-export const passwordResetConfirmSchema = z
-  .object({
-    token: z.string().min(1, { message: 'Token is required' }),
-    password: passwordSchema,
-    passwordConfirm: z.string(),
-  })
-  .refine((data) => data.password === data.passwordConfirm, {
-    message: PasswordErrorCode.MISMATCH,
-    path: ['passwordConfirm'] as const,
-  });
+export const passwordResetConfirmSchema = z.object({
+  token: z.string().min(1, { message: 'Token is required' }),
+  password: passwordSchema,
+});
 
 /**
  * Email verification request schema