@startsimpli/auth 0.4.18 → 0.4.21

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@startsimpli/auth",
-  "version": "0.4.18",
+  "version": "0.4.21",
   "description": "Shared authentication package for StartSimpli Next.js apps",
   "main": "./src/index.ts",
   "types": "./src/index.ts",

package/src/__tests__/central-auth.test.ts

@@ -0,0 +1,25 @@
+import { describe, it, expect } from 'vitest';
+import { resolveAppHomeUrl, buildCentralAuthUrl } from '../utils/central-auth';
+
+describe('resolveAppHomeUrl', () => {
+  it('maps known app slugs to their home URL', () => {
+    expect(resolveAppHomeUrl('present')).toBe('https://present.startsimpli.com');
+    expect(resolveAppHomeUrl('market')).toBe('https://market.startsimpli.com');
+    expect(resolveAppHomeUrl('raise')).toBe('https://app.raisesimpli.com');
+    expect(resolveAppHomeUrl('crochet')).toBe('https://crochets.site');
+  });
+  it('defaults unknown slugs to a startsimpli.com subdomain (never off-platform)', () => {
+    expect(resolveAppHomeUrl('whatever')).toBe('https://whatever.startsimpli.com');
+    expect(resolveAppHomeUrl('EVIL')).toBe('https://evil.startsimpli.com');
+  });
+  it('returns null for empty input', () => {
+    expect(resolveAppHomeUrl(null)).toBeNull();
+    expect(resolveAppHomeUrl(undefined)).toBeNull();
+    expect(resolveAppHomeUrl('  ')).toBeNull();
+  });
+  it('buildCentralAuthUrl still preserves app + return_to', () => {
+    const u = buildCentralAuthUrl('signin', { app: 'present', returnTo: 'https://present.startsimpli.com/x' });
+    expect(u).toContain('app=present');
+    expect(u).toContain('return_to=');
+  });
+});

package/src/__tests__/token-storage.test.ts

@@ -3,7 +3,12 @@
  * Regression for fund-your-startup-fe28 (access token was in module-level global).
  */
 import { describe, it, expect, beforeEach, vi } from 'vitest';
-import { getAccessToken, setAccessToken, setRememberMe } from '../client/functions';
+import {
+  getAccessToken,
+  setAccessToken,
+  setRememberMe,
+  hydrateSharedSession,
+} from '../client/functions';
 
 describe('Token storage (sessionStorage — default)', () => {
   beforeEach(() => {
@@ -100,3 +105,34 @@ describe('Token storage (localStorage — remember me)', () => {
     expect(getAccessToken()).toBe('session-tok');
   });
 });
+
+describe('hydrateSharedSession — cross-subdomain SSO bootstrap', () => {
+  beforeEach(() => {
+    sessionStorage.clear();
+    localStorage.clear();
+    setRememberMe(false);
+    setAccessToken(null); // also clears the auth_session cookie
+  });
+
+  it('seeds the token store from the shared auth_session cookie when empty', () => {
+    document.cookie = 'auth_session=shared-tok; path=/';
+    expect(getAccessToken()).toBeNull();
+
+    const result = hydrateSharedSession();
+
+    expect(result).toBe('shared-tok');
+    expect(getAccessToken()).toBe('shared-tok');
+  });
+
+  it('is a no-op when this origin already has a local token', () => {
+    setAccessToken('local-tok'); // also writes the cookie = local-tok
+    const result = hydrateSharedSession();
+    expect(result).toBeNull();
+    expect(getAccessToken()).toBe('local-tok');
+  });
+
+  it('returns null when there is no shared cookie', () => {
+    expect(hydrateSharedSession()).toBeNull();
+    expect(getAccessToken()).toBeNull();
+  });
+});

package/src/client/auth-context.tsx

@@ -14,7 +14,7 @@ import {
   type ReactNode,
 } from 'react';
 import { AuthClient } from './auth-client';
-import { setOnSessionExpired } from './functions';
+import { setOnSessionExpired, hydrateSharedSession } from './functions';
 import type { AuthBackend } from './backend';
 import type { AuthConfig, AuthState, Session, AuthUser } from '../types';
 
@@ -88,6 +88,12 @@ export function AuthProvider({
   useEffect(() => {
     let cancelled = false;
 
+    // Cross-subdomain SSO fast-path: if we arrived from a central-auth login on
+    // another *.startsimpli.com host, seed this origin's empty token store from
+    // the shared `auth_session` cookie so restoreSession() finds a session
+    // immediately. Guarded no-op when a local session already exists.
+    hydrateSharedSession();
+
     if (initialSession) {
       authClient.setSession(initialSession);
       setState({

package/src/client/functions.ts

@@ -11,7 +11,7 @@
  * endpoint was flaky).
  */
 
-import { deleteCookie } from '../utils/cookies';
+import { deleteCookie, getCookie } from '../utils/cookies';
 // Local binding for internal use; also re-exported below to preserve this
 // module's public surface.
 import { extractApiError } from '../utils/api-error';
@@ -160,6 +160,34 @@ export function getAccessToken(): string | null {
   return _memToken;
 }
 
+/**
+ * Cross-subdomain SSO bootstrap. Call ONCE on app init (e.g. from AuthProvider).
+ * After a login on auth.startsimpli.com the access token is shared via the
+ * `auth_session` cookie scoped to Domain=.startsimpli.com. On any other
+ * subdomain (market/trade/present/vault) the per-origin token stores start
+ * empty, so the app would treat the user as logged out even though the session
+ * cookie is present. This hydrates the per-origin store from that cookie.
+ *
+ * Returns the bootstrapped token, or null if there was already a local token
+ * (no-op) or no shared cookie. Kept explicit (not folded into getAccessToken)
+ * so the hot path stays pure and logout/clear semantics are unaffected.
+ */
+export function hydrateSharedSession(): string | null {
+  if (typeof document === 'undefined') return null;
+  // Don't override an existing local session on this origin.
+  if (
+    _resolveStorage('sessionStorage')?.getItem(TOKEN_STORAGE_KEY) ||
+    _resolveStorage('localStorage')?.getItem(TOKEN_STORAGE_KEY) ||
+    _memToken
+  ) {
+    return null;
+  }
+  const cookieToken = getCookie(AUTH_COOKIE_NAME);
+  if (!cookieToken) return null;
+  setAccessToken(cookieToken);
+  return cookieToken;
+}
+
 export function setAccessToken(token: string | null): void {
   const storage = _getStorage();
   if (storage) {
@@ -180,16 +208,37 @@ export function setAccessToken(token: string | null): void {
   _memToken = token;
 }
 
+const AUTH_COOKIE_NAME = 'auth_session';
+
+/**
+ * Cross-subdomain cookie Domain for central-auth SSO. On *.startsimpli.com (and
+ * the apex) the session cookie is shared across every subdomain so a login on
+ * auth.startsimpli.com is seen by market/trade/present/vault. Localhost and
+ * other single-host deployments stay host-only. Override with
+ * NEXT_PUBLIC_AUTH_COOKIE_DOMAIN.
+ */
+function _authCookieDomain(): string | null {
+  const override =
+    (typeof process !== 'undefined' && process.env?.NEXT_PUBLIC_AUTH_COOKIE_DOMAIN) || '';
+  if (override) return override;
+  if (typeof window === 'undefined') return null;
+  const host = window.location.hostname.toLowerCase();
+  if (host === 'startsimpli.com' || host.endsWith('.startsimpli.com')) return '.startsimpli.com';
+  return null;
+}
+
 /** Clear every cookie the middleware checks so it won't redirect back to the app. */
 function _clearAllAuthCookies(): void {
   if (typeof document === 'undefined') return;
+  const domain = _authCookieDomain();
+  const domainAttr = domain ? `; Domain=${domain}` : '';
   for (const name of ['auth_session', 'access_token', 'refresh_token']) {
     document.cookie = `${name}=; path=/; max-age=0`;
+    // A host-only delete won't evict a Domain-scoped cookie — clear both variants.
+    if (domainAttr) document.cookie = `${name}=; path=/; max-age=0${domainAttr}`;
   }
 }
 
-const AUTH_COOKIE_NAME = 'auth_session';
-
 /** Derive cookie max-age from JWT exp claim instead of hardcoding. */
 function _getTokenMaxAge(token: string): number {
   const payload = decodeToken(token);
@@ -202,12 +251,14 @@ function _getTokenMaxAge(token: string): number {
 
 function _syncAuthCookie(token: string | null): void {
   if (typeof document === 'undefined') return;
+  const domain = _authCookieDomain();
+  const domainAttr = domain ? `; Domain=${domain}` : '';
   if (token) {
     const maxAge = _getTokenMaxAge(token);
     const secure = window.location.protocol === 'https:' ? '; Secure' : '';
-    document.cookie = `${AUTH_COOKIE_NAME}=${token}; path=/; max-age=${maxAge}; SameSite=Lax${secure}`;
+    document.cookie = `${AUTH_COOKIE_NAME}=${token}; path=/; max-age=${maxAge}; SameSite=Lax${secure}${domainAttr}`;
   } else {
-    document.cookie = `${AUTH_COOKIE_NAME}=; path=/; max-age=0`;
+    document.cookie = `${AUTH_COOKIE_NAME}=; path=/; max-age=0${domainAttr}`;
   }
 }
 

package/src/utils/central-auth.ts

@@ -39,6 +39,35 @@ export function resolveCentralAuthHost(): string {
   return DEFAULT_CENTRAL_AUTH_HOST;
 }
 
+/**
+ * Known app slug → production home URL. Most apps live at
+ * `<slug>.startsimpli.com`; the exceptions (different registrable domains) are
+ * listed explicitly. Used to bounce a user to the right app after an auth flow
+ * when no explicit `return_to` was supplied (e.g. `/signin?app=present`).
+ */
+const APP_HOME_URLS: Record<string, string> = {
+  market: 'https://market.startsimpli.com',
+  trade: 'https://trade.startsimpli.com',
+  present: 'https://present.startsimpli.com',
+  vault: 'https://vault.startsimpli.com',
+  raise: 'https://app.raisesimpli.com',
+  recipe: 'https://recipesimpli.com',
+  crochet: 'https://crochets.site',
+};
+
+/**
+ * Resolve an app slug to its production home URL. Falls back to
+ * `https://<slug>.startsimpli.com` for any unregistered slug — always a
+ * startsimpli.com subdomain, so a bad `?app=` value can't redirect off-platform.
+ * Returns null for empty input.
+ */
+export function resolveAppHomeUrl(app: string | null | undefined): string | null {
+  if (!app) return null;
+  const slug = app.trim().toLowerCase();
+  if (!slug) return null;
+  return APP_HOME_URLS[slug] ?? `https://${slug}.startsimpli.com`;
+}
+
 export interface BuildCentralAuthUrlOptions {
   /** Slug identifying the calling app (e.g. `vault`, `raise`, `market`). */
   app: string;