npm - @sylphx/sdk - Versions diffs - 0.10.4 → 0.10.5 - Mend

@sylphx/sdk 0.10.4 → 0.10.5

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (11) hide show

package/dist/health/index.d.ts +681 -0
package/dist/index.d.ts +17 -17
package/dist/index.mjs +6 -6
package/dist/index.mjs.map +1 -1
package/dist/nextjs/index.d.ts +3 -0
package/dist/nextjs/index.mjs +166 -3
package/dist/nextjs/index.mjs.map +1 -1
package/dist/react/index.mjs.map +1 -1
package/dist/server/index.mjs.map +1 -1
package/dist/web-analytics.mjs.map +1 -1
package/package.json +1 -1

package/dist/nextjs/index.d.ts CHANGED Viewed

@@ -63,6 +63,9 @@ interface SylphxMiddlewareConfig {
     afterSignInUrl?: string;
     /**
      * Auth routes prefix. Routes are mounted at:
+     * - {prefix}/login — credentials login handler
+     * - {prefix}/oauth-providers — enabled social login providers
+     * - {prefix}/oauth/authorize — social login start handler
      * - {prefix}/callback — OAuth callback handler
      * - {prefix}/signout — Sign out handler
      *

package/dist/nextjs/index.mjs CHANGED Viewed

@@ -453,6 +453,8 @@ function resolveNextjsSecretKey(options) {
 }
 // src/nextjs/middleware.ts
+var OAUTH_PKCE_TTL_SECONDS = 10 * 60;
+var OAUTH_PKCE_TTL_MS = OAUTH_PKCE_TTL_SECONDS * 1e3;
 function isTokenResponse(data) {
   return typeof data === "object" && data !== null && "accessToken" in data && "refreshToken" in data && "user" in data && typeof data.accessToken === "string" && typeof data.refreshToken === "string";
 }
@@ -501,6 +503,151 @@ function resolveSafeRelativeRedirectPath(value, fallback) {
   if (isSafeRelativeRedirectPath(fallback)) return fallback;
   return "/";
 }
+function bytesToBase64Url(bytes) {
+  let binary = "";
+  for (const byte of bytes) binary += String.fromCharCode(byte);
+  return btoa(binary).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/u, "");
+}
+function randomBase64Url(byteLength) {
+  const bytes = new Uint8Array(byteLength);
+  crypto.getRandomValues(bytes);
+  return bytesToBase64Url(bytes);
+}
+async function sha256Base64Url(value) {
+  const digest = await crypto.subtle.digest("SHA-256", new TextEncoder().encode(value));
+  return bytesToBase64Url(new Uint8Array(digest));
+}
+async function parseJsonObject(request) {
+  try {
+    const body = await request.json();
+    if (typeof body === "object" && body !== null && !Array.isArray(body)) return body;
+    return null;
+  } catch {
+    return null;
+  }
+}
+function getOAuthPkceCookieName(ctx) {
+  return `__${ctx.namespace}_oauth_pkce`;
+}
+function encodeOAuthPkceCookie(value) {
+  return encodeURIComponent(JSON.stringify(value));
+}
+function readOAuthPkceVerifier(request, ctx) {
+  const raw = request.cookies.get(getOAuthPkceCookieName(ctx))?.value;
+  if (!raw) return null;
+  try {
+    const parsed = JSON.parse(decodeURIComponent(raw));
+    if (typeof parsed.verifier !== "string" || parsed.verifier.length < 43) return null;
+    if (typeof parsed.createdAt !== "number") return null;
+    if (Date.now() - parsed.createdAt > OAUTH_PKCE_TTL_MS) return null;
+    return parsed.verifier;
+  } catch {
+    return null;
+  }
+}
+function setOAuthPkceCookie(response, ctx, value) {
+  response.cookies.set(getOAuthPkceCookieName(ctx), encodeOAuthPkceCookie(value), {
+    ...SECURE_COOKIE_OPTIONS,
+    maxAge: OAUTH_PKCE_TTL_SECONDS,
+    path: ctx.config.authPrefix
+  });
+}
+function clearOAuthPkceCookie(response, ctx) {
+  response.cookies.set(getOAuthPkceCookieName(ctx), "", {
+    ...SECURE_COOKIE_OPTIONS,
+    maxAge: 0,
+    path: ctx.config.authPrefix
+  });
+}
+function isTwoFactorLoginResponse(data) {
+  return typeof data === "object" && data !== null && data.requiresTwoFactor === true && typeof data.userId === "string";
+}
+function isOAuthAuthorizeResponse(data) {
+  return typeof data === "object" && data !== null && typeof data.authorization_url === "string";
+}
+function headersForPlatformAuth(ctx) {
+  return {
+    "Content-Type": "application/json",
+    "x-app-secret": ctx.secretKey
+  };
+}
+async function handleLogin(request, ctx) {
+  if (request.method !== "POST") {
+    return NextResponse.json({ error: "Method not allowed" }, { status: 405 });
+  }
+  const body = await parseJsonObject(request);
+  const email = typeof body?.email === "string" ? body.email : null;
+  const password = typeof body?.password === "string" ? body.password : null;
+  if (!email || !password) {
+    return NextResponse.json({ error: "email and password are required" }, { status: 400 });
+  }
+  const res = await fetch(`${ctx.platformUrl}/v1/auth/login`, {
+    method: "POST",
+    headers: headersForPlatformAuth(ctx),
+    body: JSON.stringify({ email, password })
+  });
+  const data = await res.json().catch(() => ({}));
+  if (!res.ok) {
+    return NextResponse.json(data, { status: res.status });
+  }
+  if (isTwoFactorLoginResponse(data)) {
+    return NextResponse.json(data);
+  }
+  if (!isTokenResponse(data)) {
+    return NextResponse.json({ error: "invalid_response" }, { status: 502 });
+  }
+  const response = NextResponse.json({ success: true, user: data.user });
+  setAuthCookiesMiddleware(response, ctx.namespace, data);
+  return response;
+}
+async function handleOAuthProviders(ctx) {
+  const res = await fetch(`${ctx.platformUrl}/v1/auth/oauth-providers`, {
+    method: "GET",
+    headers: headersForPlatformAuth(ctx)
+  });
+  const data = await res.json().catch(() => ({}));
+  return NextResponse.json(data, { status: res.status });
+}
+async function handleOAuthAuthorize(request, ctx) {
+  if (request.method !== "GET" && request.method !== "POST") {
+    return NextResponse.json({ error: "Method not allowed" }, { status: 405 });
+  }
+  const body = request.method === "POST" ? await parseJsonObject(request) : null;
+  const provider = typeof body?.provider === "string" ? body.provider : request.nextUrl.searchParams.get("provider");
+  const rawRedirectTo = typeof body?.redirectTo === "string" ? body.redirectTo : request.nextUrl.searchParams.get("redirect_to") ?? request.nextUrl.searchParams.get("callbackUrl");
+  if (!provider) {
+    return NextResponse.json({ error: "provider is required" }, { status: 400 });
+  }
+  const redirectTo = resolveSafeRelativeRedirectPath(rawRedirectTo, ctx.config.afterSignInUrl);
+  const redirectUri = new URL(`${ctx.config.authPrefix}/callback`, request.url);
+  redirectUri.searchParams.set("redirect_to", redirectTo);
+  const verifier = randomBase64Url(32);
+  const challenge = await sha256Base64Url(verifier);
+  const scopes = Array.isArray(body?.scopes) ? body.scopes.filter((scope) => typeof scope === "string") : void 0;
+  const res = await fetch(`${ctx.platformUrl}/v1/oauth/authorize`, {
+    method: "POST",
+    headers: headersForPlatformAuth(ctx),
+    body: JSON.stringify({
+      provider,
+      redirect_uri: redirectUri.toString(),
+      code_challenge: challenge,
+      code_challenge_method: "S256",
+      ...scopes && scopes.length > 0 ? { scopes } : {}
+    })
+  });
+  const data = await res.json().catch(() => ({}));
+  if (!res.ok || !isOAuthAuthorizeResponse(data)) {
+    return NextResponse.json(res.ok ? { error: "invalid_response" } : data, {
+      status: res.ok ? 502 : res.status
+    });
+  }
+  const response = request.method === "GET" ? NextResponse.redirect(data.authorization_url) : NextResponse.json({
+    authorization_url: data.authorization_url,
+    authorizationUrl: data.authorization_url
+  });
+  setOAuthPkceCookie(response, ctx, { verifier, createdAt: Date.now() });
+  return response;
+}
 async function handleCallback(request, ctx) {
   const { searchParams } = request.nextUrl;
   const code = searchParams.get("code");
@@ -520,30 +667,37 @@ async function handleCallback(request, ctx) {
     return NextResponse.redirect(url);
   }
   try {
+    const codeVerifier = readOAuthPkceVerifier(request, ctx);
     const res = await fetch(`${ctx.platformUrl}/v1/auth/token`, {
       method: "POST",
       headers: { "Content-Type": "application/json" },
       body: JSON.stringify({
         grant_type: "authorization_code",
         code,
-        client_secret: ctx.secretKey
+        client_secret: ctx.secretKey,
+        ...codeVerifier ? { code_verifier: codeVerifier } : {}
       })
     });
     if (!res.ok) {
       const data2 = await res.json().catch(() => ({}));
       const url = new URL(ctx.config.signInUrl, request.url);
       url.searchParams.set("error", data2.error || "token_exchange_failed");
-      return NextResponse.redirect(url);
+      const response2 = NextResponse.redirect(url);
+      clearOAuthPkceCookie(response2, ctx);
+      return response2;
     }
     const data = await res.json();
     if (!isTokenResponse(data)) {
       const url = new URL(ctx.config.signInUrl, request.url);
       url.searchParams.set("error", "invalid_response");
-      return NextResponse.redirect(url);
+      const response2 = NextResponse.redirect(url);
+      clearOAuthPkceCookie(response2, ctx);
+      return response2;
     }
     const successUrl = new URL(redirectTo, request.url);
     const response = NextResponse.redirect(successUrl);
     setAuthCookiesMiddleware(response, ctx.namespace, data);
+    clearOAuthPkceCookie(response, ctx);
     ctx.log("Callback success", { redirectTo });
     return response;
   } catch (err) {
@@ -947,6 +1101,15 @@ function createSylphxMiddleware(userConfig = {}) {
     if (pathname === `${config.authPrefix}/callback`) {
       return handleCallback(request, ctx);
     }
+    if (pathname === `${config.authPrefix}/login`) {
+      return handleLogin(request, ctx);
+    }
+    if (pathname === `${config.authPrefix}/oauth-providers`) {
+      return handleOAuthProviders(ctx);
+    }
+    if (pathname === `${config.authPrefix}/oauth/authorize`) {
+      return handleOAuthAuthorize(request, ctx);
+    }
     if (pathname === `${config.authPrefix}/signout`) {
       return handleSignOut(request, ctx);
     }