@sylphx/sdk 0.10.3 → 0.10.4

package/dist/nextjs/index.d.ts

@@ -126,6 +126,42 @@ interface SylphxMiddlewareConfig {
      * @default '/select-organization'
      */
     orgSelectionUrl?: string;
+    /**
+     * Active organization context behaviour.
+     *
+     * Enabled by default so Next.js apps get durable org-scoped sessions without
+     * writing their own refresh/switch orchestration:
+     * - `/auth/switch-org` records the selected org in SDK-owned HttpOnly cookies
+     * - token refresh restores that org-scoped JWT when possible
+     * - single-org users are auto-scoped after refresh
+     *
+     * Apps migrating from pre-SDK org cookies can list additional cookie names
+     * for read compatibility. The SDK still writes only its own names.
+     */
+    organizationContext?: SylphxOrganizationContextConfig;
+}
+interface SylphxOrganizationContextConfig {
+    /**
+     * Preserve active organization context through refresh.
+     * @default true
+     */
+    enabled?: boolean;
+    /**
+     * When no active org preference exists and the user has exactly one org,
+     * automatically restore an org-scoped session token after refresh.
+     * @default true
+     */
+    autoSelectSingleOrganization?: boolean;
+    /**
+     * Additional org-id cookie names to read during migration from existing apps.
+     * The SDK-owned `__{namespace}_active_org_id` cookie is always read first.
+     */
+    additionalOrgIdCookies?: readonly string[];
+    /**
+     * Additional org-slug cookie names to read during migration from existing apps.
+     * The SDK-owned `__{namespace}_active_org_slug` cookie is always read first.
+     */
+    additionalOrgSlugCookies?: readonly string[];
 }
 /**
  * Create Sylphx middleware — State of the Art
@@ -485,6 +521,10 @@ declare function getCookieNames(namespace: string): {
     REFRESH: string;
     /** JS-readable user data for client hydration (5 min) */
     USER: string;
+    /** HttpOnly active organization ID used to preserve org-scoped sessions */
+    ACTIVE_ORG_ID: string;
+    /** HttpOnly active organization slug used to preserve org-scoped sessions */
+    ACTIVE_ORG_SLUG: string;
 };
 /**
  * Session token lifetime (5 minutes like Clerk)
@@ -494,6 +534,13 @@ declare const SESSION_TOKEN_LIFETIME: number;
  * Refresh token lifetime (30 days)
  */
 declare const REFRESH_TOKEN_LIFETIME: number;
+/**
+ * Active organization context lifetime (30 days).
+ *
+ * This matches refresh-token lifetime: the org preference is session-scoped
+ * state, not a permanent user preference. Clearing auth clears this too.
+ */
+declare const ACTIVE_ORG_LIFETIME: number;
 /**
  * Cookie options for HttpOnly tokens (session, refresh)
  *
@@ -521,6 +568,20 @@ declare const USER_COOKIE_OPTIONS: {
     sameSite: "lax";
     path: string;
 };
+/**
+ * Cookie options for active organization context.
+ *
+ * Active org is not a secret, but it controls which org-scoped JWT the SDK
+ * restores after refresh. Keep it HttpOnly so browser JavaScript cannot
+ * silently steer server-side auth context outside the official switch-org
+ * route.
+ */
+declare const ACTIVE_ORG_COOKIE_OPTIONS: {
+    httpOnly: boolean;
+    secure: boolean;
+    sameSite: "lax";
+    path: string;
+};
 /**
  * Auth cookies data returned by getAuthCookies
  */
@@ -588,4 +649,4 @@ declare function clearAuthCookiesMiddleware(response: NextResponse, namespace: s
  */
 declare function parseUserCookie(value: string): UserCookieData | null;
 
-export { type AuthCookiesData, type AuthResult, REFRESH_TOKEN_LIFETIME, SECURE_COOKIE_OPTIONS, SESSION_TOKEN_LIFETIME, SESSION_TOKEN_LIFETIME_MS, type SylphxMiddlewareConfig, TOKEN_EXPIRY_BUFFER_MS, USER_COOKIE_OPTIONS, type UserCookieData, auth, clearAuthCookies, clearAuthCookiesMiddleware, configureServer, createMatcher, createSylphxMiddleware, currentUser, currentUserId, decodeUserId, encodeUserId, getAuthCookies, getAuthorizationUrl, getCookieNames, getNamespace, getSessionToken, handleCallback, hasRefreshToken, isSessionExpired, parseUserCookie, setAuthCookies, setAuthCookiesMiddleware, signOut, sylphxMiddleware, syncAuthToCookies };
+export { ACTIVE_ORG_COOKIE_OPTIONS, ACTIVE_ORG_LIFETIME, type AuthCookiesData, type AuthResult, REFRESH_TOKEN_LIFETIME, SECURE_COOKIE_OPTIONS, SESSION_TOKEN_LIFETIME, SESSION_TOKEN_LIFETIME_MS, type SylphxMiddlewareConfig, type SylphxOrganizationContextConfig, TOKEN_EXPIRY_BUFFER_MS, USER_COOKIE_OPTIONS, type UserCookieData, auth, clearAuthCookies, clearAuthCookiesMiddleware, configureServer, createMatcher, createSylphxMiddleware, currentUser, currentUserId, decodeUserId, encodeUserId, getAuthCookies, getAuthorizationUrl, getCookieNames, getNamespace, getSessionToken, handleCallback, hasRefreshToken, isSessionExpired, parseUserCookie, setAuthCookies, setAuthCookiesMiddleware, signOut, sylphxMiddleware, syncAuthToCookies };

package/dist/nextjs/index.mjs

@@ -189,11 +189,16 @@ function getCookieNames(namespace) {
     /** HttpOnly refresh token (30 days) */
     REFRESH: `__${namespace}_refresh`,
     /** JS-readable user data for client hydration (5 min) */
-    USER: `__${namespace}_user`
+    USER: `__${namespace}_user`,
+    /** HttpOnly active organization ID used to preserve org-scoped sessions */
+    ACTIVE_ORG_ID: `__${namespace}_active_org_id`,
+    /** HttpOnly active organization slug used to preserve org-scoped sessions */
+    ACTIVE_ORG_SLUG: `__${namespace}_active_org_slug`
   };
 }
 var SESSION_TOKEN_LIFETIME = SESSION_TOKEN_LIFETIME_SECONDS;
 var REFRESH_TOKEN_LIFETIME = REFRESH_TOKEN_LIFETIME_SECONDS;
+var ACTIVE_ORG_LIFETIME = REFRESH_TOKEN_LIFETIME_SECONDS;
 var SECURE_COOKIE_OPTIONS = {
   httpOnly: true,
   secure: process.env.NODE_ENV === "production",
@@ -207,6 +212,10 @@ var USER_COOKIE_OPTIONS = {
   sameSite: "lax",
   path: "/"
 };
+var ACTIVE_ORG_COOKIE_OPTIONS = {
+  ...SECURE_COOKIE_OPTIONS,
+  httpOnly: true
+};
 async function getAuthCookies(namespace) {
   const cookieStore = await cookies();
   const names = getCookieNames(namespace);
@@ -255,6 +264,8 @@ async function clearAuthCookies(namespace) {
   cookieStore.delete(names.SESSION);
   cookieStore.delete(names.REFRESH);
   cookieStore.delete(names.USER);
+  cookieStore.delete(names.ACTIVE_ORG_ID);
+  cookieStore.delete(names.ACTIVE_ORG_SLUG);
 }
 async function isSessionExpired(namespace) {
   const { expiresAt } = await getAuthCookies(namespace);
@@ -290,6 +301,8 @@ function clearAuthCookiesMiddleware(response, namespace) {
   response.cookies.delete(names.SESSION);
   response.cookies.delete(names.REFRESH);
   response.cookies.delete(names.USER);
+  response.cookies.delete(names.ACTIVE_ORG_ID);
+  response.cookies.delete(names.ACTIVE_ORG_SLUG);
 }
 function parseUserCookie(value) {
   try {
@@ -476,6 +489,18 @@ function matchesPattern(pathname, pattern) {
 function matchesAny(pathname, patterns) {
   return patterns.some((p) => matchesPattern(pathname, p));
 }
+function requestPathWithSearch(request) {
+  const { pathname, search } = request.nextUrl;
+  return `${pathname}${search}`;
+}
+function isSafeRelativeRedirectPath(value) {
+  return typeof value === "string" && value.startsWith("/") && !value.startsWith("//");
+}
+function resolveSafeRelativeRedirectPath(value, fallback) {
+  if (isSafeRelativeRedirectPath(value)) return value;
+  if (isSafeRelativeRedirectPath(fallback)) return fallback;
+  return "/";
+}
 async function handleCallback(request, ctx) {
   const { searchParams } = request.nextUrl;
   const code = searchParams.get("code");
@@ -569,6 +594,16 @@ function resolveOrgScopedTokenExpiresIn(data) {
   if (typeof data.expires_in === "number") return data.expires_in;
   return SESSION_TOKEN_LIFETIME;
 }
+function resolveOrgScopedAccessToken(data) {
+  if (data.accessToken) return data.accessToken;
+  if (data.access_token) return data.access_token;
+  return null;
+}
+function resolveOrgScopedRefreshToken(data, fallbackRefreshToken) {
+  if (data.refreshToken) return data.refreshToken;
+  if (data.refresh_token) return data.refresh_token;
+  return fallbackRefreshToken;
+}
 function resolveOrgScopedTokenType(data) {
   if (data.tokenType) return data.tokenType;
   if (data.token_type) return data.token_type;
@@ -577,11 +612,149 @@ function resolveOrgScopedTokenType(data) {
 function parseUserCookie2(value) {
   if (!value) return null;
   try {
-    return JSON.parse(value);
+    return JSON.parse(decodeCookieValue(value));
   } catch {
     return null;
   }
 }
+function decodeCookieValue(value) {
+  try {
+    return decodeURIComponent(value);
+  } catch {
+    return value;
+  }
+}
+function readFirstCookieValue(request, names) {
+  for (const name of names) {
+    const value = request.cookies.get(name)?.value;
+    if (value) return decodeCookieValue(value);
+  }
+  return null;
+}
+function uniqueCookieNames(names) {
+  return [...new Set(names.filter((name) => Boolean(name)))];
+}
+function readActiveOrganizationContext(request, ctx, sessionToken) {
+  const orgIdCookieNames = uniqueCookieNames([
+    ctx.cookieNames.ACTIVE_ORG_ID,
+    ...ctx.config.organizationContext.additionalOrgIdCookies
+  ]);
+  const orgSlugCookieNames = uniqueCookieNames([
+    ctx.cookieNames.ACTIVE_ORG_SLUG,
+    ...ctx.config.organizationContext.additionalOrgSlugCookies
+  ]);
+  const fromCookie = {
+    id: readFirstCookieValue(request, orgIdCookieNames),
+    slug: readFirstCookieValue(request, orgSlugCookieNames)
+  };
+  if (fromCookie.id || fromCookie.slug) return fromCookie;
+  const payload = sessionToken ? decodeJwtPayload(sessionToken) : null;
+  return {
+    id: payload?.org_id ?? null,
+    slug: payload?.org_slug ?? null
+  };
+}
+function setActiveOrganizationCookies(response, ctx, org) {
+  if (org.id) {
+    response.cookies.set(ctx.cookieNames.ACTIVE_ORG_ID, org.id, {
+      ...ACTIVE_ORG_COOKIE_OPTIONS,
+      maxAge: ACTIVE_ORG_LIFETIME
+    });
+  }
+  if (org.slug) {
+    response.cookies.set(ctx.cookieNames.ACTIVE_ORG_SLUG, org.slug, {
+      ...ACTIVE_ORG_COOKIE_OPTIONS,
+      maxAge: ACTIVE_ORG_LIFETIME
+    });
+  }
+}
+async function getUserOrganizations(accessToken, ctx) {
+  try {
+    const res = await fetch(`${ctx.platformUrl}/v1/orgs/memberships`, {
+      method: "GET",
+      headers: {
+        "Content-Type": "application/json",
+        "x-app-secret": ctx.secretKey,
+        Authorization: `Bearer ${accessToken}`
+      }
+    });
+    if (!res.ok) {
+      ctx.log("Organization memberships fetch failed", res.status);
+      return null;
+    }
+    const data = await res.json().catch(() => ({}));
+    return Array.isArray(data.organizations) ? data.organizations : null;
+  } catch (err) {
+    ctx.log("Organization memberships fetch error", err);
+    return null;
+  }
+}
+async function getOrgScopedTokens(accessToken, orgId, ctx) {
+  try {
+    const res = await fetch(`${ctx.platformUrl}/v1/auth/switch-org`, {
+      method: "POST",
+      headers: {
+        "Content-Type": "application/json",
+        "x-app-secret": ctx.secretKey,
+        Authorization: `Bearer ${accessToken}`
+      },
+      body: JSON.stringify({ orgId })
+    });
+    const data = await res.json().catch(() => ({}));
+    if (!res.ok) {
+      ctx.log("Org scope restore failed", data.error || data.message || res.status);
+      return { status: res.status, data };
+    }
+    return { status: res.status, data };
+  } catch (err) {
+    ctx.log("Org scope restore error", err);
+    return null;
+  }
+}
+async function restoreOrganizationScopeAfterRefresh(request, ctx, refreshedTokens, previousSessionToken) {
+  if (!ctx.config.organizationContext.enabled) {
+    return { tokens: refreshedTokens, activeOrganization: null };
+  }
+  const activeOrg = readActiveOrganizationContext(request, ctx, previousSessionToken);
+  let targetOrgId = activeOrg.id;
+  let targetOrgSlug = activeOrg.slug;
+  let organizations = null;
+  if (!targetOrgId && targetOrgSlug) {
+    organizations = await getUserOrganizations(refreshedTokens.accessToken, ctx);
+    targetOrgId = organizations?.find((org) => org.slug === targetOrgSlug)?.id ?? null;
+  }
+  if (!targetOrgId && !targetOrgSlug && ctx.config.organizationContext.autoSelectSingleOrganization) {
+    organizations = organizations ?? await getUserOrganizations(refreshedTokens.accessToken, ctx);
+    const onlyOrg = organizations?.length === 1 ? organizations[0] : null;
+    targetOrgId = onlyOrg?.id ?? null;
+    targetOrgSlug = onlyOrg?.slug ?? null;
+  }
+  if (!targetOrgId) {
+    return { tokens: refreshedTokens, activeOrganization: null };
+  }
+  const scoped = await getOrgScopedTokens(refreshedTokens.accessToken, targetOrgId, ctx);
+  const scopedData = scoped?.data;
+  const accessToken = scopedData ? resolveOrgScopedAccessToken(scopedData) : null;
+  if (!scoped || scoped.status >= 400 || !scopedData || !accessToken) {
+    return { tokens: refreshedTokens, activeOrganization: null };
+  }
+  const payload = decodeJwtPayload(accessToken);
+  const resolvedOrg = {
+    id: payload?.org_id ?? targetOrgId,
+    slug: payload?.org_slug ?? targetOrgSlug
+  };
+  return {
+    tokens: {
+      ...refreshedTokens,
+      accessToken,
+      refreshToken: resolveOrgScopedRefreshToken(scopedData, refreshedTokens.refreshToken),
+      expiresIn: resolveOrgScopedTokenExpiresIn(scopedData),
+      tokenType: resolveOrgScopedTokenType(scopedData),
+      user: scopedData.user ?? refreshedTokens.user
+    },
+    activeOrganization: resolvedOrg
+  };
+}
 async function handleSwitchOrg(request, ctx) {
   ctx.log("Switch org request");
   if (request.method !== "POST") {
@@ -592,9 +765,11 @@ async function handleSwitchOrg(request, ctx) {
     return NextResponse.json({ error: "Not authenticated", accessToken: null }, { status: 401 });
   }
   let orgId = null;
+  let requestedOrgSlug = null;
   try {
     const body = await request.json();
     orgId = typeof body.orgId === "string" && body.orgId.trim() ? body.orgId.trim() : null;
+    requestedOrgSlug = typeof body.orgSlug === "string" && body.orgSlug.trim() ? body.orgSlug.trim() : null;
   } catch {
     return NextResponse.json({ error: "Invalid request body" }, { status: 400 });
   }
@@ -602,25 +777,20 @@ async function handleSwitchOrg(request, ctx) {
     return NextResponse.json({ error: "orgId is required" }, { status: 400 });
   }
   try {
-    const res = await fetch(`${ctx.platformUrl}/v1/auth/switch-org`, {
-      method: "POST",
-      headers: {
-        "Content-Type": "application/json",
-        "x-app-secret": ctx.secretKey,
-        Authorization: `Bearer ${sessionToken}`
-      },
-      body: JSON.stringify({ orgId })
-    });
-    const data = await res.json().catch(() => ({}));
-    if (!res.ok) {
+    const scoped = await getOrgScopedTokens(sessionToken, orgId, ctx);
+    const data = scoped?.data;
+    if (!scoped || scoped.status >= 400 || !data) {
       return NextResponse.json(
-        { error: data.error || data.message || "switch_org_failed" },
-        { status: res.status }
+        { error: data?.error || data?.message || "switch_org_failed" },
+        { status: scoped?.status ?? 502 }
       );
     }
-    const accessToken = data.accessToken ?? data.access_token;
+    const accessToken = resolveOrgScopedAccessToken(data);
     if (!accessToken) {
-      return NextResponse.json({ error: "invalid_response" }, { status: 502 });
+      return NextResponse.json(
+        { error: data.error || data.message || "invalid_response" },
+        { status: 502 }
+      );
     }
     const expiresIn = resolveOrgScopedTokenExpiresIn(data);
     const expiresAt = Date.now() + expiresIn * 1e3;
@@ -650,6 +820,11 @@ async function handleSwitchOrg(request, ctx) {
         }
       );
     }
+    const payload = decodeJwtPayload(accessToken);
+    setActiveOrganizationCookies(response, ctx, {
+      id: payload?.org_id ?? orgId,
+      slug: payload?.org_slug ?? requestedOrgSlug
+    });
     ctx.log("Switch org success", { orgId });
     return response;
   } catch (err) {
@@ -724,6 +899,12 @@ function createSylphxMiddleware(userConfig = {}) {
     debug: userConfig.debug ?? false,
     orgRequired: userConfig.orgRequired ?? false,
     orgSelectionUrl: userConfig.orgSelectionUrl ?? "/select-organization",
+    organizationContext: {
+      enabled: userConfig.organizationContext?.enabled ?? true,
+      autoSelectSingleOrganization: userConfig.organizationContext?.autoSelectSingleOrganization ?? true,
+      additionalOrgIdCookies: userConfig.organizationContext?.additionalOrgIdCookies ?? [],
+      additionalOrgSlugCookies: userConfig.organizationContext?.additionalOrgSlugCookies ?? []
+    },
     onResponse: userConfig.onResponse
   };
   const publicRoutes = [
@@ -778,16 +959,25 @@ function createSylphxMiddleware(userConfig = {}) {
     const sessionToken = request.cookies.get(cookieNames.SESSION)?.value;
     const refreshToken = request.cookies.get(cookieNames.REFRESH)?.value;
     const hasValidSession = sessionToken && !isTokenExpired(sessionToken);
-    const response = NextResponse.next();
+    const response = NextResponse.next({ request: { headers: request.headers } });
     let isAuthenticated = hasValidSession;
     let activeSessionToken = hasValidSession ? sessionToken : null;
     if (!hasValidSession && refreshToken) {
       log("Session expired, refreshing");
       const tokens = await refreshTokens(refreshToken, ctx);
       if (tokens) {
-        setAuthCookiesMiddleware(response, namespace, tokens);
+        const restored = await restoreOrganizationScopeAfterRefresh(
+          request,
+          ctx,
+          tokens,
+          sessionToken
+        );
+        setAuthCookiesMiddleware(response, namespace, restored.tokens);
+        if (restored.activeOrganization) {
+          setActiveOrganizationCookies(response, ctx, restored.activeOrganization);
+        }
         isAuthenticated = true;
-        activeSessionToken = tokens.accessToken;
+        activeSessionToken = restored.tokens.accessToken;
       } else {
         clearAuthCookiesMiddleware(response, namespace);
         isAuthenticated = false;
@@ -798,19 +988,23 @@ function createSylphxMiddleware(userConfig = {}) {
     if (!isPublic && !isAuthenticated) {
       log("Redirecting to sign-in");
       const url = new URL(config.signInUrl, request.url);
-      url.searchParams.set("redirect_to", pathname);
+      url.searchParams.set("callbackUrl", requestPathWithSearch(request));
       return NextResponse.redirect(url);
     }
     if (isAuthenticated && pathname === config.signInUrl) {
-      log("Redirecting from sign-in to dashboard");
-      return NextResponse.redirect(new URL(config.afterSignInUrl, request.url));
+      const callbackUrl = resolveSafeRelativeRedirectPath(
+        request.nextUrl.searchParams.get("callbackUrl"),
+        config.afterSignInUrl
+      );
+      log("Redirecting from sign-in", { callbackUrl });
+      return NextResponse.redirect(new URL(callbackUrl, request.url));
     }
     if (config.orgRequired && !isPublic && isAuthenticated && activeSessionToken && !matchesPattern(pathname, config.orgSelectionUrl)) {
       const payload = decodeJwtPayload(activeSessionToken);
       if (!payload?.org_id) {
         log("Redirecting to organization selection");
         const url = new URL(config.orgSelectionUrl, request.url);
-        url.searchParams.set("redirect_to", pathname);
+        url.searchParams.set("redirect_to", requestPathWithSearch(request));
         return NextResponse.redirect(url);
       }
     }
@@ -2263,6 +2457,8 @@ async function getSessionToken() {
   return sessionToken;
 }
 export {
+  ACTIVE_ORG_COOKIE_OPTIONS,
+  ACTIVE_ORG_LIFETIME,
   REFRESH_TOKEN_LIFETIME,
   SECURE_COOKIE_OPTIONS,
   SESSION_TOKEN_LIFETIME,