@supertokens-plugins/rownd-nodejs 0.3.0-beta.6 → 0.3.0-beta.7

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
package/README.md CHANGED
@@ -80,6 +80,62 @@ RowndMigrationPlugin.init({
80
80
  });
81
81
  ```
82
82
 
83
+ ### Passwordless Confirmation Bypass
84
+
85
+ Use `createMagicLinkWithConfirmationBypass` when your backend needs to create a passwordless magic link that can be opened on a different device without showing the SuperTokens cross-device confirmation prompt.
86
+ This is intended for trusted server-side flows only.
87
+
88
+ First, configure the exact post-login paths that may use the bypass:
89
+
90
+ ```typescript
91
+ const rowndPluginConfig = {
92
+ rowndAppKey: process.env.ROWND_APP_KEY,
93
+ rowndAppSecret: process.env.ROWND_APP_SECRET,
94
+ clientDomains: {
95
+ browser: "https://app.example.com",
96
+ },
97
+ crossDeviceConfirmationBypass: {
98
+ allowedRedirectPaths: ["/profile", "/settings/security"],
99
+ },
100
+ };
101
+
102
+ const superTokensConfig = {
103
+ // your app info and recipe list
104
+ experimental: {
105
+ plugins: [RowndMigrationPlugin.init(rowndPluginConfig)],
106
+ },
107
+ };
108
+
109
+ SuperTokens.init(superTokensConfig);
110
+ ```
111
+
112
+ Then call the helper from your backend:
113
+
114
+ ```typescript
115
+ import { createMagicLinkWithConfirmationBypass } from "@supertokens-plugins/rownd-nodejs";
116
+
117
+ const magicLink = await createMagicLinkWithConfirmationBypass({
118
+ email: "user@example.com",
119
+ clientDomain: "browser",
120
+ redirectToPath: "/profile",
121
+ displayContext: "browser",
122
+ });
123
+ ```
124
+
125
+ `redirectToPath` is required and must match `crossDeviceConfirmationBypass.allowedRedirectPaths` exactly after normalization. Absolute URLs are accepted only when their origin matches the resolved `clientDomain`; they are normalized back to a relative path before being added to the magic link.
126
+
127
+ `clientDomain` must be a configured `clientDomains` key, not a raw domain. Omit it to use the SuperTokens website domain.
128
+
129
+ Pass exactly one of `email` or `phoneNumber`. The helper returns the rewritten magic link with `bypassDeviceConfirmation=true`.
130
+
131
+ Before skipping the cross-device confirmation prompt, the frontend should validate the callback against the plugin:
132
+
133
+ - **POST** `/plugin/passwordless-cross-device-confirmation/validate`
134
+ - **Body**: `{ "clientDomain": "browser", "redirectToPath": "/profile", "appVariantId": "optional_variant" }`
135
+ - **Success response**: `{ "status": "OK", "bypass": true }`
136
+
137
+ If validation fails, the frontend should show the normal cross-device confirmation prompt.
138
+
83
139
  ## API Endpoint
84
140
 
85
141
  The plugin exposes a single endpoint:
@@ -91,8 +147,8 @@ The plugin exposes a single endpoint:
91
147
  ### Migrate
92
148
 
93
149
  - **POST** `/plugin/rownd/migrate`
94
- - **Headers**: `Authorization: Bearer <Rownd_JWT>`
95
- - **Description**: Validates the Rownd JWT, ensures the user is migrated to SuperTokens in the `public` tenant, syncs Rownd user data to SuperTokens UserMetadata, and then creates a new SuperTokens session for that user.
150
+ - **Headers**: `Authorization: Bearer <Rownd_JWT>`. Header-token clients should also send `rid: session`, `fdi-version: 1.18`, and `st-auth-mode: header`.
151
+ - **Description**: Validates the Rownd JWT, ensures the user is migrated to SuperTokens in the `public` tenant, syncs Rownd user data to SuperTokens UserMetadata, and then creates a new SuperTokens session for that user. Header-token clients must receive `st-access-token`, `st-refresh-token`, and `front-token` response headers.
96
152
 
97
153
  ## Debug Logging
98
154
 
@@ -41,6 +41,7 @@ var import_zod2 = require("zod");
41
41
 
42
42
  // src/rownd-compatibility.ts
43
43
  var import_supertokens_node = __toESM(require("supertokens-node"));
44
+ var import_usermetadata = __toESM(require("supertokens-node/recipe/usermetadata"));
44
45
 
45
46
  // src/constants.ts
46
47
  var GUEST_AUTH_METHOD_ID = "guest";
@@ -349,7 +349,10 @@ function convertRowndConfigToPluginConfig(rowndApp, creds) {
349
349
  } else if (key === "apple") {
350
350
  result.push({
351
351
  method: "apple",
352
- clientId: value.client_id
352
+ clientId: value.client_id,
353
+ webClientType: value.web_client_type,
354
+ iosClientType: value.ios_client_type,
355
+ androidClientType: value.android_client_type
353
356
  });
354
357
  instructions.push(
355
358
  `Apple sign-in was enabled. Please ensure you configure the "apple" provider in your SuperTokens ThirdParty recipe. You will need to manually provide the Apple 'clientSecret' (or private key) as Rownd cannot export it.`
package/dist/index.d.mts CHANGED
@@ -1,5 +1,6 @@
1
- import * as supertokens_node from 'supertokens-node';
1
+ import * as SuperTokens from 'supertokens-node';
2
2
  import { JSONObject, SuperTokensPlugin } from 'supertokens-node/types';
3
+ import { SessionContainerInterface } from 'supertokens-node/recipe/session/types';
3
4
 
4
5
  type RowndSignInMethod = {
5
6
  /**
@@ -24,6 +25,18 @@ type RowndSignInMethod = {
24
25
  * @default ""
25
26
  */
26
27
  clientId?: string;
28
+ /**
29
+ * SuperTokens provider clientType used for browser Apple redirect flows.
30
+ */
31
+ webClientType?: string;
32
+ /**
33
+ * SuperTokens provider clientType used for native iOS Apple auth code exchange.
34
+ */
35
+ iosClientType?: string;
36
+ /**
37
+ * SuperTokens provider clientType used for native Android Apple auth code exchange.
38
+ */
39
+ androidClientType?: string;
27
40
  } | {
28
41
  /**
29
42
  * Enables Sign in with Google.
@@ -661,6 +674,9 @@ interface RowndPluginConfig {
661
674
  rowndAppSecret: string;
662
675
  enableDebugLogs?: boolean;
663
676
  clientDomains?: RowndClientDomains;
677
+ crossDeviceConfirmationBypass?: {
678
+ allowedRedirectPaths: string[];
679
+ };
664
680
  telemetry?: RowndTelemetryConfig;
665
681
  schema?: RowndSchema;
666
682
  appConfig?: RowndAppConfigInput;
@@ -742,6 +758,9 @@ interface RowndPluginNormalisedConfig {
742
758
  rowndAppSecret: string;
743
759
  enableDebugLogs?: boolean;
744
760
  clientDomains?: RowndClientDomains;
761
+ crossDeviceConfirmationBypass?: {
762
+ allowedRedirectPaths: string[];
763
+ };
745
764
  telemetry?: RowndTelemetryConfig;
746
765
  schema?: RowndSchema;
747
766
  appConfig?: RowndAppConfigInput;
@@ -814,6 +833,7 @@ declare const ROWND_JWT_CLAIMS: {
814
833
  declare const DEFAULT_ROWND_SCHEMA: RowndSchema;
815
834
  declare const HUB_LOGIN_PAGE_PATH = "/account/login";
816
835
  declare const HUB_VERIFY_EMAIL_PAGE_PATH = "/account/verify-email";
836
+ declare const PASSWORDLESS_BYPASS_DEVICE_CONFIRMATION_PARAM = "bypassDeviceConfirmation";
817
837
 
818
838
  declare const ROWND_PLUGIN_ERROR_MESSAGES: {
819
839
  readonly MISSING_AUTHORIZATION_HEADER: "Missing authorization header";
@@ -825,11 +845,26 @@ declare class RowndPluginError extends Error {
825
845
  constructor(type: RowndPluginErrorType);
826
846
  }
827
847
 
848
+ type BypassDisplayContext = "browser" | "mobile_app" | "customer_web_view";
849
+ type CreateMagicLinkWithConfirmationBypassInput = {
850
+ email?: string;
851
+ phoneNumber?: string;
852
+ tenantId?: string;
853
+ request?: any;
854
+ session?: SessionContainerInterface;
855
+ userContext?: Record<string, any>;
856
+ redirectToPath?: string;
857
+ clientDomain?: string;
858
+ displayContext?: BypassDisplayContext;
859
+ appVariantId?: string;
860
+ };
861
+ declare function createMagicLinkWithConfirmationBypass(input: CreateMagicLinkWithConfirmationBypassInput): Promise<string>;
862
+
828
863
  declare function setRowndClient(client: IRowndClient): void;
829
864
  declare function getRowndClient(): IRowndClient;
830
865
 
831
866
  declare const _default: {
832
- init: (config: RowndPluginConfig) => supertokens_node.SuperTokensPlugin;
867
+ init: (config: RowndPluginConfig) => SuperTokens.SuperTokensPlugin;
833
868
  };
834
869
 
835
- export { DEFAULT_ROWND_SCHEMA, GUEST_AUTH_METHOD_ID, HANDLE_BASE_PATH, HUB_LOGIN_PAGE_PATH, HUB_VERIFY_EMAIL_PAGE_PATH, INSTANT_AUTH_METHOD_ID, type IRowndClient, type MigrationResponse, PLUGIN_ID, PLUGIN_SDK_VERSION, PLUGIN_VERSION, PUBLIC_TENANT_ID, ROWND_JWT_CLAIMS, ROWND_PLUGIN_ERROR_MESSAGES, type RowndAppConfigInput, type RowndAuthConfig, type RowndBranding, type RowndClientDomains, type RowndCustomContent, type RowndLegal, type RowndPluginConfig, RowndPluginError, type RowndPluginErrorType, type RowndPluginNormalisedConfig, type RowndProfileConfig, type RowndSchema, type RowndSchemaField, type RowndSignInMethod, type RowndSubBrandConfigInput, type RowndTelemetryClient, type RowndTelemetryConfig, type RowndTelemetryEvent, type RowndUser, type RowndUserMetadata, type SuperTokensUserImport, _default as default, getRowndClient, init, setRowndClient };
870
+ export { type CreateMagicLinkWithConfirmationBypassInput, DEFAULT_ROWND_SCHEMA, GUEST_AUTH_METHOD_ID, HANDLE_BASE_PATH, HUB_LOGIN_PAGE_PATH, HUB_VERIFY_EMAIL_PAGE_PATH, INSTANT_AUTH_METHOD_ID, type IRowndClient, type MigrationResponse, PASSWORDLESS_BYPASS_DEVICE_CONFIRMATION_PARAM, PLUGIN_ID, PLUGIN_SDK_VERSION, PLUGIN_VERSION, PUBLIC_TENANT_ID, ROWND_JWT_CLAIMS, ROWND_PLUGIN_ERROR_MESSAGES, type RowndAppConfigInput, type RowndAuthConfig, type RowndBranding, type RowndClientDomains, type RowndCustomContent, type RowndLegal, type RowndPluginConfig, RowndPluginError, type RowndPluginErrorType, type RowndPluginNormalisedConfig, type RowndProfileConfig, type RowndSchema, type RowndSchemaField, type RowndSignInMethod, type RowndSubBrandConfigInput, type RowndTelemetryClient, type RowndTelemetryConfig, type RowndTelemetryEvent, type RowndUser, type RowndUserMetadata, type SuperTokensUserImport, createMagicLinkWithConfirmationBypass, _default as default, getRowndClient, init, setRowndClient };
package/dist/index.d.ts CHANGED
@@ -1,5 +1,6 @@
1
- import * as supertokens_node from 'supertokens-node';
1
+ import * as SuperTokens from 'supertokens-node';
2
2
  import { JSONObject, SuperTokensPlugin } from 'supertokens-node/types';
3
+ import { SessionContainerInterface } from 'supertokens-node/recipe/session/types';
3
4
 
4
5
  type RowndSignInMethod = {
5
6
  /**
@@ -24,6 +25,18 @@ type RowndSignInMethod = {
24
25
  * @default ""
25
26
  */
26
27
  clientId?: string;
28
+ /**
29
+ * SuperTokens provider clientType used for browser Apple redirect flows.
30
+ */
31
+ webClientType?: string;
32
+ /**
33
+ * SuperTokens provider clientType used for native iOS Apple auth code exchange.
34
+ */
35
+ iosClientType?: string;
36
+ /**
37
+ * SuperTokens provider clientType used for native Android Apple auth code exchange.
38
+ */
39
+ androidClientType?: string;
27
40
  } | {
28
41
  /**
29
42
  * Enables Sign in with Google.
@@ -661,6 +674,9 @@ interface RowndPluginConfig {
661
674
  rowndAppSecret: string;
662
675
  enableDebugLogs?: boolean;
663
676
  clientDomains?: RowndClientDomains;
677
+ crossDeviceConfirmationBypass?: {
678
+ allowedRedirectPaths: string[];
679
+ };
664
680
  telemetry?: RowndTelemetryConfig;
665
681
  schema?: RowndSchema;
666
682
  appConfig?: RowndAppConfigInput;
@@ -742,6 +758,9 @@ interface RowndPluginNormalisedConfig {
742
758
  rowndAppSecret: string;
743
759
  enableDebugLogs?: boolean;
744
760
  clientDomains?: RowndClientDomains;
761
+ crossDeviceConfirmationBypass?: {
762
+ allowedRedirectPaths: string[];
763
+ };
745
764
  telemetry?: RowndTelemetryConfig;
746
765
  schema?: RowndSchema;
747
766
  appConfig?: RowndAppConfigInput;
@@ -814,6 +833,7 @@ declare const ROWND_JWT_CLAIMS: {
814
833
  declare const DEFAULT_ROWND_SCHEMA: RowndSchema;
815
834
  declare const HUB_LOGIN_PAGE_PATH = "/account/login";
816
835
  declare const HUB_VERIFY_EMAIL_PAGE_PATH = "/account/verify-email";
836
+ declare const PASSWORDLESS_BYPASS_DEVICE_CONFIRMATION_PARAM = "bypassDeviceConfirmation";
817
837
 
818
838
  declare const ROWND_PLUGIN_ERROR_MESSAGES: {
819
839
  readonly MISSING_AUTHORIZATION_HEADER: "Missing authorization header";
@@ -825,11 +845,26 @@ declare class RowndPluginError extends Error {
825
845
  constructor(type: RowndPluginErrorType);
826
846
  }
827
847
 
848
+ type BypassDisplayContext = "browser" | "mobile_app" | "customer_web_view";
849
+ type CreateMagicLinkWithConfirmationBypassInput = {
850
+ email?: string;
851
+ phoneNumber?: string;
852
+ tenantId?: string;
853
+ request?: any;
854
+ session?: SessionContainerInterface;
855
+ userContext?: Record<string, any>;
856
+ redirectToPath?: string;
857
+ clientDomain?: string;
858
+ displayContext?: BypassDisplayContext;
859
+ appVariantId?: string;
860
+ };
861
+ declare function createMagicLinkWithConfirmationBypass(input: CreateMagicLinkWithConfirmationBypassInput): Promise<string>;
862
+
828
863
  declare function setRowndClient(client: IRowndClient): void;
829
864
  declare function getRowndClient(): IRowndClient;
830
865
 
831
866
  declare const _default: {
832
- init: (config: RowndPluginConfig) => supertokens_node.SuperTokensPlugin;
867
+ init: (config: RowndPluginConfig) => SuperTokens.SuperTokensPlugin;
833
868
  };
834
869
 
835
- export { DEFAULT_ROWND_SCHEMA, GUEST_AUTH_METHOD_ID, HANDLE_BASE_PATH, HUB_LOGIN_PAGE_PATH, HUB_VERIFY_EMAIL_PAGE_PATH, INSTANT_AUTH_METHOD_ID, type IRowndClient, type MigrationResponse, PLUGIN_ID, PLUGIN_SDK_VERSION, PLUGIN_VERSION, PUBLIC_TENANT_ID, ROWND_JWT_CLAIMS, ROWND_PLUGIN_ERROR_MESSAGES, type RowndAppConfigInput, type RowndAuthConfig, type RowndBranding, type RowndClientDomains, type RowndCustomContent, type RowndLegal, type RowndPluginConfig, RowndPluginError, type RowndPluginErrorType, type RowndPluginNormalisedConfig, type RowndProfileConfig, type RowndSchema, type RowndSchemaField, type RowndSignInMethod, type RowndSubBrandConfigInput, type RowndTelemetryClient, type RowndTelemetryConfig, type RowndTelemetryEvent, type RowndUser, type RowndUserMetadata, type SuperTokensUserImport, _default as default, getRowndClient, init, setRowndClient };
870
+ export { type CreateMagicLinkWithConfirmationBypassInput, DEFAULT_ROWND_SCHEMA, GUEST_AUTH_METHOD_ID, HANDLE_BASE_PATH, HUB_LOGIN_PAGE_PATH, HUB_VERIFY_EMAIL_PAGE_PATH, INSTANT_AUTH_METHOD_ID, type IRowndClient, type MigrationResponse, PASSWORDLESS_BYPASS_DEVICE_CONFIRMATION_PARAM, PLUGIN_ID, PLUGIN_SDK_VERSION, PLUGIN_VERSION, PUBLIC_TENANT_ID, ROWND_JWT_CLAIMS, ROWND_PLUGIN_ERROR_MESSAGES, type RowndAppConfigInput, type RowndAuthConfig, type RowndBranding, type RowndClientDomains, type RowndCustomContent, type RowndLegal, type RowndPluginConfig, RowndPluginError, type RowndPluginErrorType, type RowndPluginNormalisedConfig, type RowndProfileConfig, type RowndSchema, type RowndSchemaField, type RowndSignInMethod, type RowndSubBrandConfigInput, type RowndTelemetryClient, type RowndTelemetryConfig, type RowndTelemetryEvent, type RowndUser, type RowndUserMetadata, type SuperTokensUserImport, createMagicLinkWithConfirmationBypass, _default as default, getRowndClient, init, setRowndClient };