@startsimpli/auth 0.4.9 → 0.4.11

Files changed (2) hide show
  1. package/package.json +1 -1
  2. package/src/utils/token.ts +14 -2
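--- a/package/package.json
+++ b/package/package.json
@@ -1,6 +1,6 @@
  {
  "name": "@startsimpli/auth",
- "version": "0.4.9",
+ "version": "0.4.11",
  "description": "Shared authentication package for StartSimpli Next.js apps",
  "main": "./src/index.ts",
  "types": "./src/index.ts",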
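--- a/package/src/utils/token.ts
+++ b/package/src/utils/token.ts
@@ -4,6 +4,18 @@
 
  import type { TokenPayload, DecodedToken } from '../types';
 
+ // JWT payloads are base64url-encoded. Browser atob() only accepts standard
+ // base64, so we have to translate `-`/`_` → `+`/`/` and restore padding before
+ // decoding. Without this, any token whose payload contains a url-safe char
+ // (common once claims grow beyond a few short ASCII fields) throws in atob
+ // and decodeToken silently returns null — which causes login to reject a
+ // valid server-issued token with "Invalid token received" and never stores it.
+ function _base64UrlDecode(input: string): string {
+ const base64 = input.replace(/-/g, '+').replace(/_/g, '/');
+ const padded = base64 + '='.repeat((4 - (base64.length % 4)) % 4);
+ return atob(padded);
+ }
+
  /**
  * Decode JWT token payload (does NOT verify signature)
  */
@@ -15,7 +27,7 @@ export function decodeToken(token: string): TokenPayload | null {
  }
 
  const payload = parts[1];
- const decoded = JSON.parse(atob(payload));
+ const decoded = JSON.parse(_base64UrlDecode(payload));
  return decoded as TokenPayload;
  } catch (error) {
  console.error('Failed to decode token:', error);
@@ -60,7 +72,7 @@ export function getTokenPayload(token: string): DecodedToken | null {
  }
 
  const payload = parts[1];
- const decoded = JSON.parse(atob(payload));
+ const decoded = JSON.parse(_base64UrlDecode(payload));
 
  if (typeof decoded !== 'object' || decoded === null) {
  return null;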
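Review bot: `_base64UrlDecode` returns the raw output of `atob(padded)`, a binary string with one character per byte, so a payload carrying non-ASCII claims (UTF-8 encoded, for example an accented name) reaches `JSON.parse` in both `decodeToken` and `getTokenPayload` as mis-decoded text instead of failing. Decoding the bytes as UTF-8 closes that gap: `return new TextDecoder().decode(Uint8Array.from(atob(padded), (c) => c.charCodeAt(0)));`. Separately, `decodeToken` still returns `decoded as TokenPayload` with no shape check, while `getTokenPayload` at least rejects non-objects. Since neither path verifies the signature, the helper's comment could also carry `// Output is unverified, caller-controllable data; never base an authorization decision on it.` Both function bodies start and end outside the hunks shown.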