@startsimpli/auth 0.4.27 → 0.4.29

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@startsimpli/auth",
-  "version": "0.4.27",
+  "version": "0.4.29",
   "description": "Shared authentication package for StartSimpli Next.js apps",
   "main": "./src/index.ts",
   "types": "./src/index.ts",

package/src/__tests__/auth-functions.test.ts

@@ -119,6 +119,54 @@ describe('CSRF not required for signin/register (endpoints are @csrf_exempt)', (
     expect(headers['X-CSRFToken']).toBeUndefined();
   });
 
+  it('signInWithCredentials threads the login target (app) into the body when provided (qxv2.5)', async () => {
+    mockFetch.mockImplementation(() =>
+      Promise.resolve({
+        ok: true,
+        status: 200,
+        json: async () => ({ access: VALID_TOKEN, user: { id: '1', email: 'a@b.com' } }),
+      }),
+    );
+
+    await signInWithCredentials('test@test.com', 'password', 'foundry');
+
+    const tokenCall = mockFetch.mock.calls.find(
+      (c: unknown[]) =>
+        typeof c[0] === 'string' &&
+        (c[0] as string).includes('/auth/token/') &&
+        !(c[0] as string).includes('refresh'),
+    );
+    expect(tokenCall).toBeDefined();
+    expect(JSON.parse(tokenCall![1]!.body as string)).toEqual({
+      email: 'test@test.com',
+      password: 'password',
+      app: 'foundry',
+    });
+  });
+
+  it('signInWithCredentials omits app from the body when not provided (qxv2.5)', async () => {
+    mockFetch.mockImplementation(() =>
+      Promise.resolve({
+        ok: true,
+        status: 200,
+        json: async () => ({ access: VALID_TOKEN, user: { id: '1', email: 'a@b.com' } }),
+      }),
+    );
+
+    await signInWithCredentials('test@test.com', 'password');
+
+    const tokenCall = mockFetch.mock.calls.find(
+      (c: unknown[]) =>
+        typeof c[0] === 'string' &&
+        (c[0] as string).includes('/auth/token/') &&
+        !(c[0] as string).includes('refresh'),
+    );
+    expect(JSON.parse(tokenCall![1]!.body as string)).toEqual({
+      email: 'test@test.com',
+      password: 'password',
+    });
+  });
+
   it('registerAccount does not fetch or send CSRF token', async () => {
     mockFetch.mockImplementation(() => {
       return Promise.resolve({

package/src/__tests__/login-app-hint.test.ts

@@ -0,0 +1,35 @@
+/**
+ * loginAppHint() reads the signin target (?app=<slug>) from the URL so the
+ * login token POST can carry it — central auth scopes the minted token's
+ * audience by it (startsim-qxv2.5).
+ */
+import { describe, it, expect, afterEach } from 'vitest';
+import { loginAppHint } from '../client/functions';
+
+function setUrl(search: string) {
+  window.history.pushState({}, '', `/signin${search}`);
+}
+
+describe('loginAppHint', () => {
+  afterEach(() => setUrl(''));
+
+  it('returns the app slug from ?app=', () => {
+    setUrl('?app=foundry&return_to=https%3A%2F%2Ffoundry.startsimpli.com%2F');
+    expect(loginAppHint()).toBe('foundry');
+  });
+
+  it('returns the tenant slug for a tenant-app signin', () => {
+    setUrl('?app=mcr');
+    expect(loginAppHint()).toBe('mcr');
+  });
+
+  it('returns undefined when no app param is present', () => {
+    setUrl('?return_to=https%3A%2F%2Fexample.com');
+    expect(loginAppHint()).toBeUndefined();
+  });
+
+  it('treats a blank app as absent', () => {
+    setUrl('?app=');
+    expect(loginAppHint()).toBeUndefined();
+  });
+});

package/src/client/auth-client.ts

@@ -11,7 +11,7 @@ import type {
   AuthUser,
 } from '../types';
 import { isTokenExpired, getTokenExpiresAt, shouldRefreshToken } from '../utils';
-import { extractApiError, setAccessToken as setModuleAccessToken } from './functions';
+import { extractApiError, loginAppHint, setAccessToken as setModuleAccessToken } from './functions';
 import { deleteCookie } from '../utils/cookies';
 import type { AuthBackend, RegisterPayload } from './backend';
 
@@ -68,11 +68,12 @@ export class AuthClient implements AuthBackend {
    * Login with email and password
    */
   async login(email: string, password: string): Promise<Session> {
+    const app = loginAppHint(); // scope the token audience to the login target (qxv2.5)
     const response = await fetch(`${this.config.apiBaseUrl}/api/v1/auth/token/`, {
       method: 'POST',
       headers: { 'Content-Type': 'application/json' },
       credentials: 'include', // Include cookies for refresh token
-      body: JSON.stringify({ email, password }),
+      body: JSON.stringify({ email, password, ...(app ? { app } : {}) }),
     });
 
     if (!response.ok) {

package/src/client/functions.ts

@@ -59,6 +59,19 @@ export function notifySessionExpired(): void {
   _onSessionExpired();
 }
 
+/**
+ * The app/target the user is signing in FOR, read from the signin URL
+ * (?app=<slug>). Central auth uses it to scope the minted token's audience:
+ * a central/platform login (app=foundry) yields a first-party token; a tenant
+ * login (app=<tenant>) yields the tenant audience. Browser-only (undefined
+ * off-browser, e.g. SSR). (startsim-qxv2.5)
+ */
+export function loginAppHint(): string | undefined {
+  if (typeof window === 'undefined') return undefined;
+  const app = new URLSearchParams(window.location.search).get('app');
+  return app?.trim() || undefined;
+}
+
 // --- Endpoint paths (Django backend defaults) ---
 
 const API_BASE = '/api/v1';
@@ -317,7 +330,10 @@ function parseAuthResponse(data: unknown): { access?: string; user?: AuthUser }
 
 // --- Auth functions ---
 
-export async function signInWithCredentials(email: string, password: string) {
+export async function signInWithCredentials(email: string, password: string, app?: string) {
+  // `app` is the login target (qxv2.5): the central mint scopes the token's
+  // audience to it (control plane => first-party for a foundry owner; tenant =>
+  // tenant aud). Server-validated; omitted => current home-org behavior.
   // No CSRF needed — Django's /auth/token/ is @csrf_exempt (JWT endpoint)
   const response = await fetchWithTimeout(resolveAuthUrl(AUTH_PATHS.TOKEN), {
     method: 'POST',
@@ -325,7 +341,7 @@ export async function signInWithCredentials(email: string, password: string) {
       'Content-Type': 'application/json',
     },
     credentials: 'include',
-    body: JSON.stringify({ email, password }),
+    body: JSON.stringify(app ? { email, password, app } : { email, password }),
   });
 
   const data = await response.json().catch(() => ({}));

package/src/client/token-auth-core.ts

@@ -20,6 +20,7 @@
 import type { AuthUser, Session } from '../types';
 import { getTokenExpiresAt } from '../utils/token';
 import { extractApiError } from '../utils/api-error';
+import { loginAppHint } from './functions';
 
 /** Persistence for the refresh token. Web uses cookies (and never needs this);
  *  native provides a SecureStore-backed implementation. */
@@ -89,10 +90,11 @@ export class TokenAuthClient {
   }
 
   async login(email: string, password: string): Promise<Session> {
+    const app = loginAppHint(); // scope the token audience to the login target (qxv2.5)
     const response = await this.fetchImpl(`${this.apiBaseUrl}/api/v1/auth/token/`, {
       method: 'POST',
       headers: { 'Content-Type': 'application/json', 'X-Auth-Mode': 'token' },
-      body: JSON.stringify({ email, password }),
+      body: JSON.stringify({ email, password, ...(app ? { app } : {}) }),
     });
 
     if (!response.ok) {