@sylphx/sdk 0.10.3 → 0.10.5

package/dist/nextjs/index.d.ts

@@ -63,6 +63,9 @@ interface SylphxMiddlewareConfig {
     afterSignInUrl?: string;
     /**
      * Auth routes prefix. Routes are mounted at:
+     * - {prefix}/login — credentials login handler
+     * - {prefix}/oauth-providers — enabled social login providers
+     * - {prefix}/oauth/authorize — social login start handler
      * - {prefix}/callback — OAuth callback handler
      * - {prefix}/signout — Sign out handler
      *
@@ -126,6 +129,42 @@ interface SylphxMiddlewareConfig {
      * @default '/select-organization'
      */
     orgSelectionUrl?: string;
+    /**
+     * Active organization context behaviour.
+     *
+     * Enabled by default so Next.js apps get durable org-scoped sessions without
+     * writing their own refresh/switch orchestration:
+     * - `/auth/switch-org` records the selected org in SDK-owned HttpOnly cookies
+     * - token refresh restores that org-scoped JWT when possible
+     * - single-org users are auto-scoped after refresh
+     *
+     * Apps migrating from pre-SDK org cookies can list additional cookie names
+     * for read compatibility. The SDK still writes only its own names.
+     */
+    organizationContext?: SylphxOrganizationContextConfig;
+}
+interface SylphxOrganizationContextConfig {
+    /**
+     * Preserve active organization context through refresh.
+     * @default true
+     */
+    enabled?: boolean;
+    /**
+     * When no active org preference exists and the user has exactly one org,
+     * automatically restore an org-scoped session token after refresh.
+     * @default true
+     */
+    autoSelectSingleOrganization?: boolean;
+    /**
+     * Additional org-id cookie names to read during migration from existing apps.
+     * The SDK-owned `__{namespace}_active_org_id` cookie is always read first.
+     */
+    additionalOrgIdCookies?: readonly string[];
+    /**
+     * Additional org-slug cookie names to read during migration from existing apps.
+     * The SDK-owned `__{namespace}_active_org_slug` cookie is always read first.
+     */
+    additionalOrgSlugCookies?: readonly string[];
 }
 /**
  * Create Sylphx middleware — State of the Art
@@ -485,6 +524,10 @@ declare function getCookieNames(namespace: string): {
     REFRESH: string;
     /** JS-readable user data for client hydration (5 min) */
     USER: string;
+    /** HttpOnly active organization ID used to preserve org-scoped sessions */
+    ACTIVE_ORG_ID: string;
+    /** HttpOnly active organization slug used to preserve org-scoped sessions */
+    ACTIVE_ORG_SLUG: string;
 };
 /**
  * Session token lifetime (5 minutes like Clerk)
@@ -494,6 +537,13 @@ declare const SESSION_TOKEN_LIFETIME: number;
  * Refresh token lifetime (30 days)
  */
 declare const REFRESH_TOKEN_LIFETIME: number;
+/**
+ * Active organization context lifetime (30 days).
+ *
+ * This matches refresh-token lifetime: the org preference is session-scoped
+ * state, not a permanent user preference. Clearing auth clears this too.
+ */
+declare const ACTIVE_ORG_LIFETIME: number;
 /**
  * Cookie options for HttpOnly tokens (session, refresh)
  *
@@ -521,6 +571,20 @@ declare const USER_COOKIE_OPTIONS: {
     sameSite: "lax";
     path: string;
 };
+/**
+ * Cookie options for active organization context.
+ *
+ * Active org is not a secret, but it controls which org-scoped JWT the SDK
+ * restores after refresh. Keep it HttpOnly so browser JavaScript cannot
+ * silently steer server-side auth context outside the official switch-org
+ * route.
+ */
+declare const ACTIVE_ORG_COOKIE_OPTIONS: {
+    httpOnly: boolean;
+    secure: boolean;
+    sameSite: "lax";
+    path: string;
+};
 /**
  * Auth cookies data returned by getAuthCookies
  */
@@ -588,4 +652,4 @@ declare function clearAuthCookiesMiddleware(response: NextResponse, namespace: s
  */
 declare function parseUserCookie(value: string): UserCookieData | null;
 
-export { type AuthCookiesData, type AuthResult, REFRESH_TOKEN_LIFETIME, SECURE_COOKIE_OPTIONS, SESSION_TOKEN_LIFETIME, SESSION_TOKEN_LIFETIME_MS, type SylphxMiddlewareConfig, TOKEN_EXPIRY_BUFFER_MS, USER_COOKIE_OPTIONS, type UserCookieData, auth, clearAuthCookies, clearAuthCookiesMiddleware, configureServer, createMatcher, createSylphxMiddleware, currentUser, currentUserId, decodeUserId, encodeUserId, getAuthCookies, getAuthorizationUrl, getCookieNames, getNamespace, getSessionToken, handleCallback, hasRefreshToken, isSessionExpired, parseUserCookie, setAuthCookies, setAuthCookiesMiddleware, signOut, sylphxMiddleware, syncAuthToCookies };
+export { ACTIVE_ORG_COOKIE_OPTIONS, ACTIVE_ORG_LIFETIME, type AuthCookiesData, type AuthResult, REFRESH_TOKEN_LIFETIME, SECURE_COOKIE_OPTIONS, SESSION_TOKEN_LIFETIME, SESSION_TOKEN_LIFETIME_MS, type SylphxMiddlewareConfig, type SylphxOrganizationContextConfig, TOKEN_EXPIRY_BUFFER_MS, USER_COOKIE_OPTIONS, type UserCookieData, auth, clearAuthCookies, clearAuthCookiesMiddleware, configureServer, createMatcher, createSylphxMiddleware, currentUser, currentUserId, decodeUserId, encodeUserId, getAuthCookies, getAuthorizationUrl, getCookieNames, getNamespace, getSessionToken, handleCallback, hasRefreshToken, isSessionExpired, parseUserCookie, setAuthCookies, setAuthCookiesMiddleware, signOut, sylphxMiddleware, syncAuthToCookies };

package/dist/nextjs/index.mjs

@@ -189,11 +189,16 @@ function getCookieNames(namespace) {
     /** HttpOnly refresh token (30 days) */
     REFRESH: `__${namespace}_refresh`,
     /** JS-readable user data for client hydration (5 min) */
-    USER: `__${namespace}_user`
+    USER: `__${namespace}_user`,
+    /** HttpOnly active organization ID used to preserve org-scoped sessions */
+    ACTIVE_ORG_ID: `__${namespace}_active_org_id`,
+    /** HttpOnly active organization slug used to preserve org-scoped sessions */
+    ACTIVE_ORG_SLUG: `__${namespace}_active_org_slug`
   };
 }
 var SESSION_TOKEN_LIFETIME = SESSION_TOKEN_LIFETIME_SECONDS;
 var REFRESH_TOKEN_LIFETIME = REFRESH_TOKEN_LIFETIME_SECONDS;
+var ACTIVE_ORG_LIFETIME = REFRESH_TOKEN_LIFETIME_SECONDS;
 var SECURE_COOKIE_OPTIONS = {
   httpOnly: true,
   secure: process.env.NODE_ENV === "production",
@@ -207,6 +212,10 @@ var USER_COOKIE_OPTIONS = {
   sameSite: "lax",
   path: "/"
 };
+var ACTIVE_ORG_COOKIE_OPTIONS = {
+  ...SECURE_COOKIE_OPTIONS,
+  httpOnly: true
+};
 async function getAuthCookies(namespace) {
   const cookieStore = await cookies();
   const names = getCookieNames(namespace);
@@ -255,6 +264,8 @@ async function clearAuthCookies(namespace) {
   cookieStore.delete(names.SESSION);
   cookieStore.delete(names.REFRESH);
   cookieStore.delete(names.USER);
+  cookieStore.delete(names.ACTIVE_ORG_ID);
+  cookieStore.delete(names.ACTIVE_ORG_SLUG);
 }
 async function isSessionExpired(namespace) {
   const { expiresAt } = await getAuthCookies(namespace);
@@ -290,6 +301,8 @@ function clearAuthCookiesMiddleware(response, namespace) {
   response.cookies.delete(names.SESSION);
   response.cookies.delete(names.REFRESH);
   response.cookies.delete(names.USER);
+  response.cookies.delete(names.ACTIVE_ORG_ID);
+  response.cookies.delete(names.ACTIVE_ORG_SLUG);
 }
 function parseUserCookie(value) {
   try {
@@ -440,6 +453,8 @@ function resolveNextjsSecretKey(options) {
 }
 
 // src/nextjs/middleware.ts
+var OAUTH_PKCE_TTL_SECONDS = 10 * 60;
+var OAUTH_PKCE_TTL_MS = OAUTH_PKCE_TTL_SECONDS * 1e3;
 function isTokenResponse(data) {
   return typeof data === "object" && data !== null && "accessToken" in data && "refreshToken" in data && "user" in data && typeof data.accessToken === "string" && typeof data.refreshToken === "string";
 }
@@ -476,6 +491,163 @@ function matchesPattern(pathname, pattern) {
 function matchesAny(pathname, patterns) {
   return patterns.some((p) => matchesPattern(pathname, p));
 }
+function requestPathWithSearch(request) {
+  const { pathname, search } = request.nextUrl;
+  return `${pathname}${search}`;
+}
+function isSafeRelativeRedirectPath(value) {
+  return typeof value === "string" && value.startsWith("/") && !value.startsWith("//");
+}
+function resolveSafeRelativeRedirectPath(value, fallback) {
+  if (isSafeRelativeRedirectPath(value)) return value;
+  if (isSafeRelativeRedirectPath(fallback)) return fallback;
+  return "/";
+}
+function bytesToBase64Url(bytes) {
+  let binary = "";
+  for (const byte of bytes) binary += String.fromCharCode(byte);
+  return btoa(binary).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/u, "");
+}
+function randomBase64Url(byteLength) {
+  const bytes = new Uint8Array(byteLength);
+  crypto.getRandomValues(bytes);
+  return bytesToBase64Url(bytes);
+}
+async function sha256Base64Url(value) {
+  const digest = await crypto.subtle.digest("SHA-256", new TextEncoder().encode(value));
+  return bytesToBase64Url(new Uint8Array(digest));
+}
+async function parseJsonObject(request) {
+  try {
+    const body = await request.json();
+    if (typeof body === "object" && body !== null && !Array.isArray(body)) return body;
+    return null;
+  } catch {
+    return null;
+  }
+}
+function getOAuthPkceCookieName(ctx) {
+  return `__${ctx.namespace}_oauth_pkce`;
+}
+function encodeOAuthPkceCookie(value) {
+  return encodeURIComponent(JSON.stringify(value));
+}
+function readOAuthPkceVerifier(request, ctx) {
+  const raw = request.cookies.get(getOAuthPkceCookieName(ctx))?.value;
+  if (!raw) return null;
+  try {
+    const parsed = JSON.parse(decodeURIComponent(raw));
+    if (typeof parsed.verifier !== "string" || parsed.verifier.length < 43) return null;
+    if (typeof parsed.createdAt !== "number") return null;
+    if (Date.now() - parsed.createdAt > OAUTH_PKCE_TTL_MS) return null;
+    return parsed.verifier;
+  } catch {
+    return null;
+  }
+}
+function setOAuthPkceCookie(response, ctx, value) {
+  response.cookies.set(getOAuthPkceCookieName(ctx), encodeOAuthPkceCookie(value), {
+    ...SECURE_COOKIE_OPTIONS,
+    maxAge: OAUTH_PKCE_TTL_SECONDS,
+    path: ctx.config.authPrefix
+  });
+}
+function clearOAuthPkceCookie(response, ctx) {
+  response.cookies.set(getOAuthPkceCookieName(ctx), "", {
+    ...SECURE_COOKIE_OPTIONS,
+    maxAge: 0,
+    path: ctx.config.authPrefix
+  });
+}
+function isTwoFactorLoginResponse(data) {
+  return typeof data === "object" && data !== null && data.requiresTwoFactor === true && typeof data.userId === "string";
+}
+function isOAuthAuthorizeResponse(data) {
+  return typeof data === "object" && data !== null && typeof data.authorization_url === "string";
+}
+function headersForPlatformAuth(ctx) {
+  return {
+    "Content-Type": "application/json",
+    "x-app-secret": ctx.secretKey
+  };
+}
+async function handleLogin(request, ctx) {
+  if (request.method !== "POST") {
+    return NextResponse.json({ error: "Method not allowed" }, { status: 405 });
+  }
+  const body = await parseJsonObject(request);
+  const email = typeof body?.email === "string" ? body.email : null;
+  const password = typeof body?.password === "string" ? body.password : null;
+  if (!email || !password) {
+    return NextResponse.json({ error: "email and password are required" }, { status: 400 });
+  }
+  const res = await fetch(`${ctx.platformUrl}/v1/auth/login`, {
+    method: "POST",
+    headers: headersForPlatformAuth(ctx),
+    body: JSON.stringify({ email, password })
+  });
+  const data = await res.json().catch(() => ({}));
+  if (!res.ok) {
+    return NextResponse.json(data, { status: res.status });
+  }
+  if (isTwoFactorLoginResponse(data)) {
+    return NextResponse.json(data);
+  }
+  if (!isTokenResponse(data)) {
+    return NextResponse.json({ error: "invalid_response" }, { status: 502 });
+  }
+  const response = NextResponse.json({ success: true, user: data.user });
+  setAuthCookiesMiddleware(response, ctx.namespace, data);
+  return response;
+}
+async function handleOAuthProviders(ctx) {
+  const res = await fetch(`${ctx.platformUrl}/v1/auth/oauth-providers`, {
+    method: "GET",
+    headers: headersForPlatformAuth(ctx)
+  });
+  const data = await res.json().catch(() => ({}));
+  return NextResponse.json(data, { status: res.status });
+}
+async function handleOAuthAuthorize(request, ctx) {
+  if (request.method !== "GET" && request.method !== "POST") {
+    return NextResponse.json({ error: "Method not allowed" }, { status: 405 });
+  }
+  const body = request.method === "POST" ? await parseJsonObject(request) : null;
+  const provider = typeof body?.provider === "string" ? body.provider : request.nextUrl.searchParams.get("provider");
+  const rawRedirectTo = typeof body?.redirectTo === "string" ? body.redirectTo : request.nextUrl.searchParams.get("redirect_to") ?? request.nextUrl.searchParams.get("callbackUrl");
+  if (!provider) {
+    return NextResponse.json({ error: "provider is required" }, { status: 400 });
+  }
+  const redirectTo = resolveSafeRelativeRedirectPath(rawRedirectTo, ctx.config.afterSignInUrl);
+  const redirectUri = new URL(`${ctx.config.authPrefix}/callback`, request.url);
+  redirectUri.searchParams.set("redirect_to", redirectTo);
+  const verifier = randomBase64Url(32);
+  const challenge = await sha256Base64Url(verifier);
+  const scopes = Array.isArray(body?.scopes) ? body.scopes.filter((scope) => typeof scope === "string") : void 0;
+  const res = await fetch(`${ctx.platformUrl}/v1/oauth/authorize`, {
+    method: "POST",
+    headers: headersForPlatformAuth(ctx),
+    body: JSON.stringify({
+      provider,
+      redirect_uri: redirectUri.toString(),
+      code_challenge: challenge,
+      code_challenge_method: "S256",
+      ...scopes && scopes.length > 0 ? { scopes } : {}
+    })
+  });
+  const data = await res.json().catch(() => ({}));
+  if (!res.ok || !isOAuthAuthorizeResponse(data)) {
+    return NextResponse.json(res.ok ? { error: "invalid_response" } : data, {
+      status: res.ok ? 502 : res.status
+    });
+  }
+  const response = request.method === "GET" ? NextResponse.redirect(data.authorization_url) : NextResponse.json({
+    authorization_url: data.authorization_url,
+    authorizationUrl: data.authorization_url
+  });
+  setOAuthPkceCookie(response, ctx, { verifier, createdAt: Date.now() });
+  return response;
+}
 async function handleCallback(request, ctx) {
   const { searchParams } = request.nextUrl;
   const code = searchParams.get("code");
@@ -495,30 +667,37 @@ async function handleCallback(request, ctx) {
     return NextResponse.redirect(url);
   }
   try {
+    const codeVerifier = readOAuthPkceVerifier(request, ctx);
     const res = await fetch(`${ctx.platformUrl}/v1/auth/token`, {
       method: "POST",
       headers: { "Content-Type": "application/json" },
       body: JSON.stringify({
         grant_type: "authorization_code",
         code,
-        client_secret: ctx.secretKey
+        client_secret: ctx.secretKey,
+        ...codeVerifier ? { code_verifier: codeVerifier } : {}
       })
     });
     if (!res.ok) {
       const data2 = await res.json().catch(() => ({}));
       const url = new URL(ctx.config.signInUrl, request.url);
       url.searchParams.set("error", data2.error || "token_exchange_failed");
-      return NextResponse.redirect(url);
+      const response2 = NextResponse.redirect(url);
+      clearOAuthPkceCookie(response2, ctx);
+      return response2;
     }
     const data = await res.json();
     if (!isTokenResponse(data)) {
       const url = new URL(ctx.config.signInUrl, request.url);
       url.searchParams.set("error", "invalid_response");
-      return NextResponse.redirect(url);
+      const response2 = NextResponse.redirect(url);
+      clearOAuthPkceCookie(response2, ctx);
+      return response2;
     }
     const successUrl = new URL(redirectTo, request.url);
     const response = NextResponse.redirect(successUrl);
     setAuthCookiesMiddleware(response, ctx.namespace, data);
+    clearOAuthPkceCookie(response, ctx);
     ctx.log("Callback success", { redirectTo });
     return response;
   } catch (err) {
@@ -569,6 +748,16 @@ function resolveOrgScopedTokenExpiresIn(data) {
   if (typeof data.expires_in === "number") return data.expires_in;
   return SESSION_TOKEN_LIFETIME;
 }
+function resolveOrgScopedAccessToken(data) {
+  if (data.accessToken) return data.accessToken;
+  if (data.access_token) return data.access_token;
+  return null;
+}
+function resolveOrgScopedRefreshToken(data, fallbackRefreshToken) {
+  if (data.refreshToken) return data.refreshToken;
+  if (data.refresh_token) return data.refresh_token;
+  return fallbackRefreshToken;
+}
 function resolveOrgScopedTokenType(data) {
   if (data.tokenType) return data.tokenType;
   if (data.token_type) return data.token_type;
@@ -577,11 +766,149 @@ function resolveOrgScopedTokenType(data) {
 function parseUserCookie2(value) {
   if (!value) return null;
   try {
-    return JSON.parse(value);
+    return JSON.parse(decodeCookieValue(value));
+  } catch {
+    return null;
+  }
+}
+function decodeCookieValue(value) {
+  try {
+    return decodeURIComponent(value);
   } catch {
+    return value;
+  }
+}
+function readFirstCookieValue(request, names) {
+  for (const name of names) {
+    const value = request.cookies.get(name)?.value;
+    if (value) return decodeCookieValue(value);
+  }
+  return null;
+}
+function uniqueCookieNames(names) {
+  return [...new Set(names.filter((name) => Boolean(name)))];
+}
+function readActiveOrganizationContext(request, ctx, sessionToken) {
+  const orgIdCookieNames = uniqueCookieNames([
+    ctx.cookieNames.ACTIVE_ORG_ID,
+    ...ctx.config.organizationContext.additionalOrgIdCookies
+  ]);
+  const orgSlugCookieNames = uniqueCookieNames([
+    ctx.cookieNames.ACTIVE_ORG_SLUG,
+    ...ctx.config.organizationContext.additionalOrgSlugCookies
+  ]);
+  const fromCookie = {
+    id: readFirstCookieValue(request, orgIdCookieNames),
+    slug: readFirstCookieValue(request, orgSlugCookieNames)
+  };
+  if (fromCookie.id || fromCookie.slug) return fromCookie;
+  const payload = sessionToken ? decodeJwtPayload(sessionToken) : null;
+  return {
+    id: payload?.org_id ?? null,
+    slug: payload?.org_slug ?? null
+  };
+}
+function setActiveOrganizationCookies(response, ctx, org) {
+  if (org.id) {
+    response.cookies.set(ctx.cookieNames.ACTIVE_ORG_ID, org.id, {
+      ...ACTIVE_ORG_COOKIE_OPTIONS,
+      maxAge: ACTIVE_ORG_LIFETIME
+    });
+  }
+  if (org.slug) {
+    response.cookies.set(ctx.cookieNames.ACTIVE_ORG_SLUG, org.slug, {
+      ...ACTIVE_ORG_COOKIE_OPTIONS,
+      maxAge: ACTIVE_ORG_LIFETIME
+    });
+  }
+}
+async function getUserOrganizations(accessToken, ctx) {
+  try {
+    const res = await fetch(`${ctx.platformUrl}/v1/orgs/memberships`, {
+      method: "GET",
+      headers: {
+        "Content-Type": "application/json",
+        "x-app-secret": ctx.secretKey,
+        Authorization: `Bearer ${accessToken}`
+      }
+    });
+    if (!res.ok) {
+      ctx.log("Organization memberships fetch failed", res.status);
+      return null;
+    }
+    const data = await res.json().catch(() => ({}));
+    return Array.isArray(data.organizations) ? data.organizations : null;
+  } catch (err) {
+    ctx.log("Organization memberships fetch error", err);
     return null;
   }
 }
+async function getOrgScopedTokens(accessToken, orgId, ctx) {
+  try {
+    const res = await fetch(`${ctx.platformUrl}/v1/auth/switch-org`, {
+      method: "POST",
+      headers: {
+        "Content-Type": "application/json",
+        "x-app-secret": ctx.secretKey,
+        Authorization: `Bearer ${accessToken}`
+      },
+      body: JSON.stringify({ orgId })
+    });
+    const data = await res.json().catch(() => ({}));
+    if (!res.ok) {
+      ctx.log("Org scope restore failed", data.error || data.message || res.status);
+      return { status: res.status, data };
+    }
+    return { status: res.status, data };
+  } catch (err) {
+    ctx.log("Org scope restore error", err);
+    return null;
+  }
+}
+async function restoreOrganizationScopeAfterRefresh(request, ctx, refreshedTokens, previousSessionToken) {
+  if (!ctx.config.organizationContext.enabled) {
+    return { tokens: refreshedTokens, activeOrganization: null };
+  }
+  const activeOrg = readActiveOrganizationContext(request, ctx, previousSessionToken);
+  let targetOrgId = activeOrg.id;
+  let targetOrgSlug = activeOrg.slug;
+  let organizations = null;
+  if (!targetOrgId && targetOrgSlug) {
+    organizations = await getUserOrganizations(refreshedTokens.accessToken, ctx);
+    targetOrgId = organizations?.find((org) => org.slug === targetOrgSlug)?.id ?? null;
+  }
+  if (!targetOrgId && !targetOrgSlug && ctx.config.organizationContext.autoSelectSingleOrganization) {
+    organizations = organizations ?? await getUserOrganizations(refreshedTokens.accessToken, ctx);
+    const onlyOrg = organizations?.length === 1 ? organizations[0] : null;
+    targetOrgId = onlyOrg?.id ?? null;
+    targetOrgSlug = onlyOrg?.slug ?? null;
+  }
+  if (!targetOrgId) {
+    return { tokens: refreshedTokens, activeOrganization: null };
+  }
+  const scoped = await getOrgScopedTokens(refreshedTokens.accessToken, targetOrgId, ctx);
+  const scopedData = scoped?.data;
+  const accessToken = scopedData ? resolveOrgScopedAccessToken(scopedData) : null;
+  if (!scoped || scoped.status >= 400 || !scopedData || !accessToken) {
+    return { tokens: refreshedTokens, activeOrganization: null };
+  }
+  const payload = decodeJwtPayload(accessToken);
+  const resolvedOrg = {
+    id: payload?.org_id ?? targetOrgId,
+    slug: payload?.org_slug ?? targetOrgSlug
+  };
+  return {
+    tokens: {
+      ...refreshedTokens,
+      accessToken,
+      refreshToken: resolveOrgScopedRefreshToken(scopedData, refreshedTokens.refreshToken),
+      expiresIn: resolveOrgScopedTokenExpiresIn(scopedData),
+      tokenType: resolveOrgScopedTokenType(scopedData),
+      user: scopedData.user ?? refreshedTokens.user
+    },
+    activeOrganization: resolvedOrg
+  };
+}
 async function handleSwitchOrg(request, ctx) {
   ctx.log("Switch org request");
   if (request.method !== "POST") {
@@ -592,9 +919,11 @@ async function handleSwitchOrg(request, ctx) {
     return NextResponse.json({ error: "Not authenticated", accessToken: null }, { status: 401 });
   }
   let orgId = null;
+  let requestedOrgSlug = null;
   try {
     const body = await request.json();
     orgId = typeof body.orgId === "string" && body.orgId.trim() ? body.orgId.trim() : null;
+    requestedOrgSlug = typeof body.orgSlug === "string" && body.orgSlug.trim() ? body.orgSlug.trim() : null;
   } catch {
     return NextResponse.json({ error: "Invalid request body" }, { status: 400 });
   }
@@ -602,25 +931,20 @@ async function handleSwitchOrg(request, ctx) {
     return NextResponse.json({ error: "orgId is required" }, { status: 400 });
   }
   try {
-    const res = await fetch(`${ctx.platformUrl}/v1/auth/switch-org`, {
-      method: "POST",
-      headers: {
-        "Content-Type": "application/json",
-        "x-app-secret": ctx.secretKey,
-        Authorization: `Bearer ${sessionToken}`
-      },
-      body: JSON.stringify({ orgId })
-    });
-    const data = await res.json().catch(() => ({}));
-    if (!res.ok) {
+    const scoped = await getOrgScopedTokens(sessionToken, orgId, ctx);
+    const data = scoped?.data;
+    if (!scoped || scoped.status >= 400 || !data) {
       return NextResponse.json(
-        { error: data.error || data.message || "switch_org_failed" },
-        { status: res.status }
+        { error: data?.error || data?.message || "switch_org_failed" },
+        { status: scoped?.status ?? 502 }
       );
     }
-    const accessToken = data.accessToken ?? data.access_token;
+    const accessToken = resolveOrgScopedAccessToken(data);
     if (!accessToken) {
-      return NextResponse.json({ error: "invalid_response" }, { status: 502 });
+      return NextResponse.json(
+        { error: data.error || data.message || "invalid_response" },
+        { status: 502 }
+      );
     }
     const expiresIn = resolveOrgScopedTokenExpiresIn(data);
     const expiresAt = Date.now() + expiresIn * 1e3;
@@ -650,6 +974,11 @@ async function handleSwitchOrg(request, ctx) {
         }
       );
     }
+    const payload = decodeJwtPayload(accessToken);
+    setActiveOrganizationCookies(response, ctx, {
+      id: payload?.org_id ?? orgId,
+      slug: payload?.org_slug ?? requestedOrgSlug
+    });
     ctx.log("Switch org success", { orgId });
     return response;
   } catch (err) {
@@ -724,6 +1053,12 @@ function createSylphxMiddleware(userConfig = {}) {
     debug: userConfig.debug ?? false,
     orgRequired: userConfig.orgRequired ?? false,
     orgSelectionUrl: userConfig.orgSelectionUrl ?? "/select-organization",
+    organizationContext: {
+      enabled: userConfig.organizationContext?.enabled ?? true,
+      autoSelectSingleOrganization: userConfig.organizationContext?.autoSelectSingleOrganization ?? true,
+      additionalOrgIdCookies: userConfig.organizationContext?.additionalOrgIdCookies ?? [],
+      additionalOrgSlugCookies: userConfig.organizationContext?.additionalOrgSlugCookies ?? []
+    },
     onResponse: userConfig.onResponse
   };
   const publicRoutes = [
@@ -766,6 +1101,15 @@ function createSylphxMiddleware(userConfig = {}) {
     if (pathname === `${config.authPrefix}/callback`) {
       return handleCallback(request, ctx);
     }
+    if (pathname === `${config.authPrefix}/login`) {
+      return handleLogin(request, ctx);
+    }
+    if (pathname === `${config.authPrefix}/oauth-providers`) {
+      return handleOAuthProviders(ctx);
+    }
+    if (pathname === `${config.authPrefix}/oauth/authorize`) {
+      return handleOAuthAuthorize(request, ctx);
+    }
     if (pathname === `${config.authPrefix}/signout`) {
       return handleSignOut(request, ctx);
     }
@@ -778,16 +1122,25 @@ function createSylphxMiddleware(userConfig = {}) {
     const sessionToken = request.cookies.get(cookieNames.SESSION)?.value;
     const refreshToken = request.cookies.get(cookieNames.REFRESH)?.value;
     const hasValidSession = sessionToken && !isTokenExpired(sessionToken);
-    const response = NextResponse.next();
+    const response = NextResponse.next({ request: { headers: request.headers } });
     let isAuthenticated = hasValidSession;
     let activeSessionToken = hasValidSession ? sessionToken : null;
     if (!hasValidSession && refreshToken) {
       log("Session expired, refreshing");
       const tokens = await refreshTokens(refreshToken, ctx);
       if (tokens) {
-        setAuthCookiesMiddleware(response, namespace, tokens);
+        const restored = await restoreOrganizationScopeAfterRefresh(
+          request,
+          ctx,
+          tokens,
+          sessionToken
+        );
+        setAuthCookiesMiddleware(response, namespace, restored.tokens);
+        if (restored.activeOrganization) {
+          setActiveOrganizationCookies(response, ctx, restored.activeOrganization);
+        }
         isAuthenticated = true;
-        activeSessionToken = tokens.accessToken;
+        activeSessionToken = restored.tokens.accessToken;
       } else {
         clearAuthCookiesMiddleware(response, namespace);
         isAuthenticated = false;
@@ -798,19 +1151,23 @@ function createSylphxMiddleware(userConfig = {}) {
     if (!isPublic && !isAuthenticated) {
       log("Redirecting to sign-in");
       const url = new URL(config.signInUrl, request.url);
-      url.searchParams.set("redirect_to", pathname);
+      url.searchParams.set("callbackUrl", requestPathWithSearch(request));
       return NextResponse.redirect(url);
     }
     if (isAuthenticated && pathname === config.signInUrl) {
-      log("Redirecting from sign-in to dashboard");
-      return NextResponse.redirect(new URL(config.afterSignInUrl, request.url));
+      const callbackUrl = resolveSafeRelativeRedirectPath(
+        request.nextUrl.searchParams.get("callbackUrl"),
+        config.afterSignInUrl
+      );
+      log("Redirecting from sign-in", { callbackUrl });
+      return NextResponse.redirect(new URL(callbackUrl, request.url));
     }
     if (config.orgRequired && !isPublic && isAuthenticated && activeSessionToken && !matchesPattern(pathname, config.orgSelectionUrl)) {
       const payload = decodeJwtPayload(activeSessionToken);
       if (!payload?.org_id) {
         log("Redirecting to organization selection");
         const url = new URL(config.orgSelectionUrl, request.url);
-        url.searchParams.set("redirect_to", pathname);
+        url.searchParams.set("redirect_to", requestPathWithSearch(request));
         return NextResponse.redirect(url);
       }
     }
@@ -2263,6 +2620,8 @@ async function getSessionToken() {
   return sessionToken;
 }
 export {
+  ACTIVE_ORG_COOKIE_OPTIONS,
+  ACTIVE_ORG_LIFETIME,
   REFRESH_TOKEN_LIFETIME,
   SECURE_COOKIE_OPTIONS,
   SESSION_TOKEN_LIFETIME,