@sylphx/sdk 0.10.4 → 0.10.6

package/dist/nextjs/index.d.ts

@@ -6,6 +6,7 @@ import { AuthTokensResponse } from '@sylphx/contract';
  *
  * ONE middleware function handles EVERYTHING:
  * - Auth routes (mounted automatically, zero manual API routes)
+ * - BaaS routes (same-origin proxy, no browser bearer-token exposure)
  * - Token refresh (automatic, every request)
  * - Route protection
  * - Cookie management
@@ -63,12 +64,32 @@ interface SylphxMiddlewareConfig {
     afterSignInUrl?: string;
     /**
      * Auth routes prefix. Routes are mounted at:
+     * - {prefix}/login — credentials login handler
+     * - {prefix}/oauth-providers — enabled social login providers
+     * - {prefix}/oauth/authorize — social login start handler
      * - {prefix}/callback — OAuth callback handler
+     * - {prefix}/passkey/options — passkey login challenge handler
+     * - {prefix}/passkey/authenticate — passkey login verification handler
+     * - {prefix}/forgot-password — password reset email handler
+     * - {prefix}/reset-password — password reset verification handler
      * - {prefix}/signout — Sign out handler
      *
      * @default '/auth'
      */
     authPrefix?: string;
+    /**
+     * Same-origin BaaS proxy prefix.
+     *
+     * Mounted routes are allowlisted SDK-owned BaaS surfaces such as
+     * `{prefix}/security/*` and `{prefix}/challenge/*`. The middleware converts
+     * the HttpOnly session cookie into an upstream bearer token, so browser code
+     * can use BaaS features without ever reading Platform access tokens.
+     *
+     * Set to `false` to disable the proxy.
+     *
+     * @default '/sylphx'
+     */
+    baasPrefix?: string | false;
     /**
      * Enable debug logging.
      * @default false

package/dist/nextjs/index.mjs

@@ -453,6 +453,21 @@ function resolveNextjsSecretKey(options) {
 }
 
 // src/nextjs/middleware.ts
+var OAUTH_PKCE_TTL_SECONDS = 10 * 60;
+var OAUTH_PKCE_TTL_MS = OAUTH_PKCE_TTL_SECONDS * 1e3;
+var DEFAULT_BAAS_PREFIX = "/sylphx";
+var BAAS_PROXY_AUTH_REQUIRED_PATHS = ["/challenge/", "/security/"];
+var BAAS_PROXY_PUBLIC_PATHS = ["/app"];
+var BODYLESS_METHODS = /* @__PURE__ */ new Set(["GET", "HEAD"]);
+var RESPONSE_HEADER_ALLOWLIST = [
+  "cache-control",
+  "content-language",
+  "content-type",
+  "etag",
+  "expires",
+  "last-modified",
+  "retry-after"
+];
 function isTokenResponse(data) {
   return typeof data === "object" && data !== null && "accessToken" in data && "refreshToken" in data && "user" in data && typeof data.accessToken === "string" && typeof data.refreshToken === "string";
 }
@@ -489,6 +504,46 @@ function matchesPattern(pathname, pattern) {
 function matchesAny(pathname, patterns) {
   return patterns.some((p) => matchesPattern(pathname, p));
 }
+function normalizeRoutePrefix(prefix) {
+  const normalized = prefix.trim().replace(/\/+$/u, "");
+  return normalized.startsWith("/") ? normalized : `/${normalized}`;
+}
+function stripRoutePrefix(pathname, prefix) {
+  if (pathname === prefix) return "/";
+  if (!pathname.startsWith(`${prefix}/`)) return null;
+  return pathname.slice(prefix.length);
+}
+function isPublicBaasProxyPath(pathname) {
+  return BAAS_PROXY_PUBLIC_PATHS.some((path) => pathname === path);
+}
+function isAuthenticatedBaasProxyPath(pathname) {
+  return BAAS_PROXY_AUTH_REQUIRED_PATHS.some((prefix) => pathname.startsWith(prefix));
+}
+function isAllowedBaasProxyPath(pathname) {
+  return isPublicBaasProxyPath(pathname) || isAuthenticatedBaasProxyPath(pathname);
+}
+function copyRequestHeader(source, target, name) {
+  const value = source.get(name);
+  if (value) target.set(name, value);
+}
+function buildUpstreamProxyHeaders(request, ctx, sessionToken) {
+  const headers = new Headers();
+  copyRequestHeader(request.headers, headers, "accept");
+  copyRequestHeader(request.headers, headers, "content-type");
+  copyRequestHeader(request.headers, headers, "user-agent");
+  copyRequestHeader(request.headers, headers, "x-correlation-id");
+  headers.set("x-app-secret", ctx.secretKey);
+  if (sessionToken) headers.set("authorization", `Bearer ${sessionToken}`);
+  return headers;
+}
+function copyResponseHeaders(source) {
+  const headers = new Headers();
+  for (const name of RESPONSE_HEADER_ALLOWLIST) {
+    const value = source.get(name);
+    if (value) headers.set(name, value);
+  }
+  return headers;
+}
 function requestPathWithSearch(request) {
   const { pathname, search } = request.nextUrl;
   return `${pathname}${search}`;
@@ -501,6 +556,241 @@ function resolveSafeRelativeRedirectPath(value, fallback) {
   if (isSafeRelativeRedirectPath(fallback)) return fallback;
   return "/";
 }
+function resolveSameOriginUrl(request, value, fallbackPath) {
+  if (!value) return new URL(fallbackPath, request.url).toString();
+  if (isSafeRelativeRedirectPath(value)) {
+    const url = new URL(value, request.url);
+    if (url.hash) return null;
+    return url.toString();
+  }
+  try {
+    const url = new URL(value);
+    if (url.origin !== new URL(request.url).origin) return null;
+    if (url.hash) return null;
+    return url.toString();
+  } catch {
+    return null;
+  }
+}
+function bytesToBase64Url(bytes) {
+  let binary = "";
+  for (const byte of bytes) binary += String.fromCharCode(byte);
+  return btoa(binary).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/u, "");
+}
+function randomBase64Url(byteLength) {
+  const bytes = new Uint8Array(byteLength);
+  crypto.getRandomValues(bytes);
+  return bytesToBase64Url(bytes);
+}
+async function sha256Base64Url(value) {
+  const digest = await crypto.subtle.digest("SHA-256", new TextEncoder().encode(value));
+  return bytesToBase64Url(new Uint8Array(digest));
+}
+async function parseJsonObject(request) {
+  try {
+    const body = await request.json();
+    if (typeof body === "object" && body !== null && !Array.isArray(body)) return body;
+    return null;
+  } catch {
+    return null;
+  }
+}
+function getOAuthPkceCookieName(ctx) {
+  return `__${ctx.namespace}_oauth_pkce`;
+}
+function encodeOAuthPkceCookie(value) {
+  return encodeURIComponent(JSON.stringify(value));
+}
+function readOAuthPkceVerifier(request, ctx) {
+  const raw = request.cookies.get(getOAuthPkceCookieName(ctx))?.value;
+  if (!raw) return null;
+  try {
+    const parsed = JSON.parse(decodeURIComponent(raw));
+    if (typeof parsed.verifier !== "string" || parsed.verifier.length < 43) return null;
+    if (typeof parsed.createdAt !== "number") return null;
+    if (Date.now() - parsed.createdAt > OAUTH_PKCE_TTL_MS) return null;
+    return parsed.verifier;
+  } catch {
+    return null;
+  }
+}
+function setOAuthPkceCookie(response, ctx, value) {
+  response.cookies.set(getOAuthPkceCookieName(ctx), encodeOAuthPkceCookie(value), {
+    ...SECURE_COOKIE_OPTIONS,
+    maxAge: OAUTH_PKCE_TTL_SECONDS,
+    path: ctx.config.authPrefix
+  });
+}
+function clearOAuthPkceCookie(response, ctx) {
+  response.cookies.set(getOAuthPkceCookieName(ctx), "", {
+    ...SECURE_COOKIE_OPTIONS,
+    maxAge: 0,
+    path: ctx.config.authPrefix
+  });
+}
+function isTwoFactorLoginResponse(data) {
+  return typeof data === "object" && data !== null && data.requiresTwoFactor === true && typeof data.userId === "string";
+}
+function isOAuthAuthorizeResponse(data) {
+  return typeof data === "object" && data !== null && typeof data.authorization_url === "string";
+}
+function headersForPlatformAuth(ctx) {
+  return {
+    "Content-Type": "application/json",
+    "x-app-secret": ctx.secretKey
+  };
+}
+async function handleLogin(request, ctx) {
+  if (request.method !== "POST") {
+    return NextResponse.json({ error: "Method not allowed" }, { status: 405 });
+  }
+  const body = await parseJsonObject(request);
+  const email = typeof body?.email === "string" ? body.email : null;
+  const password = typeof body?.password === "string" ? body.password : null;
+  if (!email || !password) {
+    return NextResponse.json({ error: "email and password are required" }, { status: 400 });
+  }
+  const res = await fetch(`${ctx.platformUrl}/v1/auth/login`, {
+    method: "POST",
+    headers: headersForPlatformAuth(ctx),
+    body: JSON.stringify({ email, password })
+  });
+  const data = await res.json().catch(() => ({}));
+  if (!res.ok) {
+    return NextResponse.json(data, { status: res.status });
+  }
+  if (isTwoFactorLoginResponse(data)) {
+    return NextResponse.json(data);
+  }
+  if (!isTokenResponse(data)) {
+    return NextResponse.json({ error: "invalid_response" }, { status: 502 });
+  }
+  const response = NextResponse.json({ success: true, user: data.user });
+  setAuthCookiesMiddleware(response, ctx.namespace, data);
+  return response;
+}
+async function handleOAuthProviders(ctx) {
+  const res = await fetch(`${ctx.platformUrl}/v1/auth/oauth-providers`, {
+    method: "GET",
+    headers: headersForPlatformAuth(ctx)
+  });
+  const data = await res.json().catch(() => ({}));
+  return NextResponse.json(data, { status: res.status });
+}
+async function handleOAuthAuthorize(request, ctx) {
+  if (request.method !== "GET" && request.method !== "POST") {
+    return NextResponse.json({ error: "Method not allowed" }, { status: 405 });
+  }
+  const body = request.method === "POST" ? await parseJsonObject(request) : null;
+  const provider = typeof body?.provider === "string" ? body.provider : request.nextUrl.searchParams.get("provider");
+  const rawRedirectTo = typeof body?.redirectTo === "string" ? body.redirectTo : request.nextUrl.searchParams.get("redirect_to") ?? request.nextUrl.searchParams.get("callbackUrl");
+  if (!provider) {
+    return NextResponse.json({ error: "provider is required" }, { status: 400 });
+  }
+  const redirectTo = resolveSafeRelativeRedirectPath(rawRedirectTo, ctx.config.afterSignInUrl);
+  const redirectUri = new URL(`${ctx.config.authPrefix}/callback`, request.url);
+  redirectUri.searchParams.set("redirect_to", redirectTo);
+  const verifier = randomBase64Url(32);
+  const challenge = await sha256Base64Url(verifier);
+  const scopes = Array.isArray(body?.scopes) ? body.scopes.filter((scope) => typeof scope === "string") : void 0;
+  const res = await fetch(`${ctx.platformUrl}/v1/oauth/authorize`, {
+    method: "POST",
+    headers: headersForPlatformAuth(ctx),
+    body: JSON.stringify({
+      provider,
+      redirect_uri: redirectUri.toString(),
+      code_challenge: challenge,
+      code_challenge_method: "S256",
+      ...scopes && scopes.length > 0 ? { scopes } : {}
+    })
+  });
+  const data = await res.json().catch(() => ({}));
+  if (!res.ok || !isOAuthAuthorizeResponse(data)) {
+    return NextResponse.json(res.ok ? { error: "invalid_response" } : data, {
+      status: res.ok ? 502 : res.status
+    });
+  }
+  const response = request.method === "GET" ? NextResponse.redirect(data.authorization_url) : NextResponse.json({
+    authorization_url: data.authorization_url,
+    authorizationUrl: data.authorization_url
+  });
+  setOAuthPkceCookie(response, ctx, { verifier, createdAt: Date.now() });
+  return response;
+}
+async function handlePasskeyOptions(request, ctx) {
+  if (request.method !== "POST") {
+    return NextResponse.json({ error: "Method not allowed" }, { status: 405 });
+  }
+  const body = await parseJsonObject(request);
+  const res = await fetch(`${ctx.platformUrl}/v1/auth/passkey/options`, {
+    method: "POST",
+    headers: headersForPlatformAuth(ctx),
+    body: JSON.stringify(body ?? {})
+  });
+  const data = await res.json().catch(() => ({}));
+  return NextResponse.json(data, { status: res.status });
+}
+async function handlePasskeyAuthenticate(request, ctx) {
+  if (request.method !== "POST") {
+    return NextResponse.json({ error: "Method not allowed" }, { status: 405 });
+  }
+  const body = await parseJsonObject(request);
+  const res = await fetch(`${ctx.platformUrl}/v1/auth/passkey/authenticate`, {
+    method: "POST",
+    headers: headersForPlatformAuth(ctx),
+    body: JSON.stringify(body ?? {})
+  });
+  const data = await res.json().catch(() => ({}));
+  if (!res.ok) {
+    return NextResponse.json(data, { status: res.status });
+  }
+  if (!isTokenResponse(data)) {
+    return NextResponse.json({ error: "invalid_response" }, { status: 502 });
+  }
+  const response = NextResponse.json({ success: true, user: data.user });
+  setAuthCookiesMiddleware(response, ctx.namespace, data);
+  return response;
+}
+async function handleForgotPassword(request, ctx) {
+  if (request.method !== "POST") {
+    return NextResponse.json({ error: "Method not allowed" }, { status: 405 });
+  }
+  const body = await parseJsonObject(request);
+  const email = typeof body?.email === "string" ? body.email : null;
+  const rawRedirect = typeof body?.redirectUrl === "string" ? body.redirectUrl : typeof body?.redirectTo === "string" ? body.redirectTo : null;
+  const redirectUrl = resolveSameOriginUrl(request, rawRedirect, "/reset-password");
+  if (!email) {
+    return NextResponse.json({ error: "email is required" }, { status: 400 });
+  }
+  if (!redirectUrl) {
+    return NextResponse.json({ error: "invalid_redirect_url" }, { status: 400 });
+  }
+  const res = await fetch(`${ctx.platformUrl}/v1/auth/forgot-password`, {
+    method: "POST",
+    headers: headersForPlatformAuth(ctx),
+    body: JSON.stringify({ email, redirectUrl })
+  });
+  const data = await res.json().catch(() => ({}));
+  return NextResponse.json(data, { status: res.status });
+}
+async function handleResetPassword(request, ctx) {
+  if (request.method !== "POST") {
+    return NextResponse.json({ error: "Method not allowed" }, { status: 405 });
+  }
+  const body = await parseJsonObject(request);
+  const token = typeof body?.token === "string" ? body.token : null;
+  const password = typeof body?.password === "string" ? body.password : typeof body?.newPassword === "string" ? body.newPassword : null;
+  if (!token || !password) {
+    return NextResponse.json({ error: "token and password are required" }, { status: 400 });
+  }
+  const res = await fetch(`${ctx.platformUrl}/v1/auth/reset-password`, {
+    method: "POST",
+    headers: headersForPlatformAuth(ctx),
+    body: JSON.stringify({ token, password })
+  });
+  const data = await res.json().catch(() => ({}));
+  return NextResponse.json(data, { status: res.status });
+}
 async function handleCallback(request, ctx) {
   const { searchParams } = request.nextUrl;
   const code = searchParams.get("code");
@@ -520,30 +810,37 @@ async function handleCallback(request, ctx) {
     return NextResponse.redirect(url);
   }
   try {
+    const codeVerifier = readOAuthPkceVerifier(request, ctx);
     const res = await fetch(`${ctx.platformUrl}/v1/auth/token`, {
       method: "POST",
       headers: { "Content-Type": "application/json" },
       body: JSON.stringify({
         grant_type: "authorization_code",
         code,
-        client_secret: ctx.secretKey
+        client_secret: ctx.secretKey,
+        ...codeVerifier ? { code_verifier: codeVerifier } : {}
       })
     });
     if (!res.ok) {
       const data2 = await res.json().catch(() => ({}));
       const url = new URL(ctx.config.signInUrl, request.url);
       url.searchParams.set("error", data2.error || "token_exchange_failed");
-      return NextResponse.redirect(url);
+      const response2 = NextResponse.redirect(url);
+      clearOAuthPkceCookie(response2, ctx);
+      return response2;
     }
     const data = await res.json();
     if (!isTokenResponse(data)) {
       const url = new URL(ctx.config.signInUrl, request.url);
       url.searchParams.set("error", "invalid_response");
-      return NextResponse.redirect(url);
+      const response2 = NextResponse.redirect(url);
+      clearOAuthPkceCookie(response2, ctx);
+      return response2;
     }
     const successUrl = new URL(redirectTo, request.url);
     const response = NextResponse.redirect(successUrl);
     setAuthCookiesMiddleware(response, ctx.namespace, data);
+    clearOAuthPkceCookie(response, ctx);
     ctx.log("Callback success", { redirectTo });
     return response;
   } catch (err) {
@@ -832,6 +1129,30 @@ async function handleSwitchOrg(request, ctx) {
     return NextResponse.json({ error: "internal_error" }, { status: 500 });
   }
 }
+async function handleBaasProxy(request, ctx, sessionToken) {
+  const prefix = ctx.config.baasPrefix;
+  if (!prefix) return NextResponse.json({ error: "Not found" }, { status: 404 });
+  const upstreamPath = stripRoutePrefix(request.nextUrl.pathname, prefix);
+  if (!upstreamPath || !isAllowedBaasProxyPath(upstreamPath)) {
+    return NextResponse.json({ error: "Not found" }, { status: 404 });
+  }
+  if (isAuthenticatedBaasProxyPath(upstreamPath) && !sessionToken) {
+    return NextResponse.json({ error: "Not authenticated" }, { status: 401 });
+  }
+  const upstreamUrl = new URL(`${ctx.platformUrl}/v1${upstreamPath}`);
+  upstreamUrl.search = request.nextUrl.search;
+  const method = request.method.toUpperCase();
+  const body = BODYLESS_METHODS.has(method) ? void 0 : await request.arrayBuffer();
+  const res = await fetch(upstreamUrl, {
+    method,
+    headers: buildUpstreamProxyHeaders(request, ctx, sessionToken),
+    body
+  });
+  return new NextResponse(res.body, {
+    status: res.status,
+    headers: copyResponseHeaders(res.headers)
+  });
+}
 async function refreshTokens(refreshToken, ctx) {
   ctx.log("Refreshing tokens");
   try {
@@ -896,6 +1217,7 @@ function createSylphxMiddleware(userConfig = {}) {
     afterSignOutUrl: userConfig.afterSignOutUrl ?? "/",
     afterSignInUrl: userConfig.afterSignInUrl ?? "/dashboard",
     authPrefix: userConfig.authPrefix ?? "/auth",
+    baasPrefix: userConfig.baasPrefix === false ? null : normalizeRoutePrefix(userConfig.baasPrefix ?? DEFAULT_BAAS_PREFIX),
     debug: userConfig.debug ?? false,
     orgRequired: userConfig.orgRequired ?? false,
     orgSelectionUrl: userConfig.orgSelectionUrl ?? "/select-organization",
@@ -911,7 +1233,8 @@ function createSylphxMiddleware(userConfig = {}) {
     ...config.publicRoutes,
     config.signInUrl,
     "/signup",
-    `${config.authPrefix}/*`
+    `${config.authPrefix}/*`,
+    ...config.baasPrefix ? [`${config.baasPrefix}/*`] : []
   ];
   const log = (msg, data) => {
     if (config.debug) {
@@ -947,6 +1270,27 @@ function createSylphxMiddleware(userConfig = {}) {
     if (pathname === `${config.authPrefix}/callback`) {
       return handleCallback(request, ctx);
     }
+    if (pathname === `${config.authPrefix}/login`) {
+      return handleLogin(request, ctx);
+    }
+    if (pathname === `${config.authPrefix}/oauth-providers`) {
+      return handleOAuthProviders(ctx);
+    }
+    if (pathname === `${config.authPrefix}/oauth/authorize`) {
+      return handleOAuthAuthorize(request, ctx);
+    }
+    if (pathname === `${config.authPrefix}/passkey/options`) {
+      return handlePasskeyOptions(request, ctx);
+    }
+    if (pathname === `${config.authPrefix}/passkey/authenticate`) {
+      return handlePasskeyAuthenticate(request, ctx);
+    }
+    if (pathname === `${config.authPrefix}/forgot-password`) {
+      return handleForgotPassword(request, ctx);
+    }
+    if (pathname === `${config.authPrefix}/reset-password`) {
+      return handleResetPassword(request, ctx);
+    }
     if (pathname === `${config.authPrefix}/signout`) {
       return handleSignOut(request, ctx);
     }
@@ -984,6 +1328,9 @@ function createSylphxMiddleware(userConfig = {}) {
         activeSessionToken = null;
       }
     }
+    if (config.baasPrefix && stripRoutePrefix(pathname, config.baasPrefix)) {
+      return handleBaasProxy(request, ctx, activeSessionToken);
+    }
     const isPublic = matchesAny(pathname, publicRoutes);
     if (!isPublic && !isAuthenticated) {
       log("Redirecting to sign-in");