npm - @sylphx/sdk - Versions diffs - 0.10.5 → 0.10.6 - Mend

@sylphx/sdk 0.10.5 → 0.10.6

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (11) hide show

package/dist/nextjs/index.d.ts CHANGED Viewed

@@ -6,6 +6,7 @@ import { AuthTokensResponse } from '@sylphx/contract';
  *
  * ONE middleware function handles EVERYTHING:
  * - Auth routes (mounted automatically, zero manual API routes)
+ * - BaaS routes (same-origin proxy, no browser bearer-token exposure)
  * - Token refresh (automatic, every request)
  * - Route protection
  * - Cookie management
@@ -67,11 +68,28 @@ interface SylphxMiddlewareConfig {
      * - {prefix}/oauth-providers — enabled social login providers
      * - {prefix}/oauth/authorize — social login start handler
      * - {prefix}/callback — OAuth callback handler
+     * - {prefix}/passkey/options — passkey login challenge handler
+     * - {prefix}/passkey/authenticate — passkey login verification handler
+     * - {prefix}/forgot-password — password reset email handler
+     * - {prefix}/reset-password — password reset verification handler
      * - {prefix}/signout — Sign out handler
      *
      * @default '/auth'
      */
     authPrefix?: string;
+    /**
+     * Same-origin BaaS proxy prefix.
+     *
+     * Mounted routes are allowlisted SDK-owned BaaS surfaces such as
+     * `{prefix}/security/*` and `{prefix}/challenge/*`. The middleware converts
+     * the HttpOnly session cookie into an upstream bearer token, so browser code
+     * can use BaaS features without ever reading Platform access tokens.
+     *
+     * Set to `false` to disable the proxy.
+     *
+     * @default '/sylphx'
+     */
+    baasPrefix?: string | false;
     /**
      * Enable debug logging.
      * @default false

package/dist/nextjs/index.mjs CHANGED Viewed

@@ -455,6 +455,19 @@ function resolveNextjsSecretKey(options) {
 // src/nextjs/middleware.ts
 var OAUTH_PKCE_TTL_SECONDS = 10 * 60;
 var OAUTH_PKCE_TTL_MS = OAUTH_PKCE_TTL_SECONDS * 1e3;
+var DEFAULT_BAAS_PREFIX = "/sylphx";
+var BAAS_PROXY_AUTH_REQUIRED_PATHS = ["/challenge/", "/security/"];
+var BAAS_PROXY_PUBLIC_PATHS = ["/app"];
+var BODYLESS_METHODS = /* @__PURE__ */ new Set(["GET", "HEAD"]);
+var RESPONSE_HEADER_ALLOWLIST = [
+  "cache-control",
+  "content-language",
+  "content-type",
+  "etag",
+  "expires",
+  "last-modified",
+  "retry-after"
+];
 function isTokenResponse(data) {
   return typeof data === "object" && data !== null && "accessToken" in data && "refreshToken" in data && "user" in data && typeof data.accessToken === "string" && typeof data.refreshToken === "string";
 }
@@ -491,6 +504,46 @@ function matchesPattern(pathname, pattern) {
 function matchesAny(pathname, patterns) {
   return patterns.some((p) => matchesPattern(pathname, p));
 }
+function normalizeRoutePrefix(prefix) {
+  const normalized = prefix.trim().replace(/\/+$/u, "");
+  return normalized.startsWith("/") ? normalized : `/${normalized}`;
+}
+function stripRoutePrefix(pathname, prefix) {
+  if (pathname === prefix) return "/";
+  if (!pathname.startsWith(`${prefix}/`)) return null;
+  return pathname.slice(prefix.length);
+}
+function isPublicBaasProxyPath(pathname) {
+  return BAAS_PROXY_PUBLIC_PATHS.some((path) => pathname === path);
+}
+function isAuthenticatedBaasProxyPath(pathname) {
+  return BAAS_PROXY_AUTH_REQUIRED_PATHS.some((prefix) => pathname.startsWith(prefix));
+}
+function isAllowedBaasProxyPath(pathname) {
+  return isPublicBaasProxyPath(pathname) || isAuthenticatedBaasProxyPath(pathname);
+}
+function copyRequestHeader(source, target, name) {
+  const value = source.get(name);
+  if (value) target.set(name, value);
+}
+function buildUpstreamProxyHeaders(request, ctx, sessionToken) {
+  const headers = new Headers();
+  copyRequestHeader(request.headers, headers, "accept");
+  copyRequestHeader(request.headers, headers, "content-type");
+  copyRequestHeader(request.headers, headers, "user-agent");
+  copyRequestHeader(request.headers, headers, "x-correlation-id");
+  headers.set("x-app-secret", ctx.secretKey);
+  if (sessionToken) headers.set("authorization", `Bearer ${sessionToken}`);
+  return headers;
+}
+function copyResponseHeaders(source) {
+  const headers = new Headers();
+  for (const name of RESPONSE_HEADER_ALLOWLIST) {
+    const value = source.get(name);
+    if (value) headers.set(name, value);
+  }
+  return headers;
+}
 function requestPathWithSearch(request) {
   const { pathname, search } = request.nextUrl;
   return `${pathname}${search}`;
@@ -503,6 +556,22 @@ function resolveSafeRelativeRedirectPath(value, fallback) {
   if (isSafeRelativeRedirectPath(fallback)) return fallback;
   return "/";
 }
+function resolveSameOriginUrl(request, value, fallbackPath) {
+  if (!value) return new URL(fallbackPath, request.url).toString();
+  if (isSafeRelativeRedirectPath(value)) {
+    const url = new URL(value, request.url);
+    if (url.hash) return null;
+    return url.toString();
+  }
+  try {
+    const url = new URL(value);
+    if (url.origin !== new URL(request.url).origin) return null;
+    if (url.hash) return null;
+    return url.toString();
+  } catch {
+    return null;
+  }
+}
 function bytesToBase64Url(bytes) {
   let binary = "";
   for (const byte of bytes) binary += String.fromCharCode(byte);
@@ -648,6 +717,80 @@ async function handleOAuthAuthorize(request, ctx) {
   setOAuthPkceCookie(response, ctx, { verifier, createdAt: Date.now() });
   return response;
 }
+async function handlePasskeyOptions(request, ctx) {
+  if (request.method !== "POST") {
+    return NextResponse.json({ error: "Method not allowed" }, { status: 405 });
+  }
+  const body = await parseJsonObject(request);
+  const res = await fetch(`${ctx.platformUrl}/v1/auth/passkey/options`, {
+    method: "POST",
+    headers: headersForPlatformAuth(ctx),
+    body: JSON.stringify(body ?? {})
+  });
+  const data = await res.json().catch(() => ({}));
+  return NextResponse.json(data, { status: res.status });
+}
+async function handlePasskeyAuthenticate(request, ctx) {
+  if (request.method !== "POST") {
+    return NextResponse.json({ error: "Method not allowed" }, { status: 405 });
+  }
+  const body = await parseJsonObject(request);
+  const res = await fetch(`${ctx.platformUrl}/v1/auth/passkey/authenticate`, {
+    method: "POST",
+    headers: headersForPlatformAuth(ctx),
+    body: JSON.stringify(body ?? {})
+  });
+  const data = await res.json().catch(() => ({}));
+  if (!res.ok) {
+    return NextResponse.json(data, { status: res.status });
+  }
+  if (!isTokenResponse(data)) {
+    return NextResponse.json({ error: "invalid_response" }, { status: 502 });
+  }
+  const response = NextResponse.json({ success: true, user: data.user });
+  setAuthCookiesMiddleware(response, ctx.namespace, data);
+  return response;
+}
+async function handleForgotPassword(request, ctx) {
+  if (request.method !== "POST") {
+    return NextResponse.json({ error: "Method not allowed" }, { status: 405 });
+  }
+  const body = await parseJsonObject(request);
+  const email = typeof body?.email === "string" ? body.email : null;
+  const rawRedirect = typeof body?.redirectUrl === "string" ? body.redirectUrl : typeof body?.redirectTo === "string" ? body.redirectTo : null;
+  const redirectUrl = resolveSameOriginUrl(request, rawRedirect, "/reset-password");
+  if (!email) {
+    return NextResponse.json({ error: "email is required" }, { status: 400 });
+  }
+  if (!redirectUrl) {
+    return NextResponse.json({ error: "invalid_redirect_url" }, { status: 400 });
+  }
+  const res = await fetch(`${ctx.platformUrl}/v1/auth/forgot-password`, {
+    method: "POST",
+    headers: headersForPlatformAuth(ctx),
+    body: JSON.stringify({ email, redirectUrl })
+  });
+  const data = await res.json().catch(() => ({}));
+  return NextResponse.json(data, { status: res.status });
+}
+async function handleResetPassword(request, ctx) {
+  if (request.method !== "POST") {
+    return NextResponse.json({ error: "Method not allowed" }, { status: 405 });
+  }
+  const body = await parseJsonObject(request);
+  const token = typeof body?.token === "string" ? body.token : null;
+  const password = typeof body?.password === "string" ? body.password : typeof body?.newPassword === "string" ? body.newPassword : null;
+  if (!token || !password) {
+    return NextResponse.json({ error: "token and password are required" }, { status: 400 });
+  }
+  const res = await fetch(`${ctx.platformUrl}/v1/auth/reset-password`, {
+    method: "POST",
+    headers: headersForPlatformAuth(ctx),
+    body: JSON.stringify({ token, password })
+  });
+  const data = await res.json().catch(() => ({}));
+  return NextResponse.json(data, { status: res.status });
+}
 async function handleCallback(request, ctx) {
   const { searchParams } = request.nextUrl;
   const code = searchParams.get("code");
@@ -986,6 +1129,30 @@ async function handleSwitchOrg(request, ctx) {
     return NextResponse.json({ error: "internal_error" }, { status: 500 });
   }
 }
+async function handleBaasProxy(request, ctx, sessionToken) {
+  const prefix = ctx.config.baasPrefix;
+  if (!prefix) return NextResponse.json({ error: "Not found" }, { status: 404 });
+  const upstreamPath = stripRoutePrefix(request.nextUrl.pathname, prefix);
+  if (!upstreamPath || !isAllowedBaasProxyPath(upstreamPath)) {
+    return NextResponse.json({ error: "Not found" }, { status: 404 });
+  }
+  if (isAuthenticatedBaasProxyPath(upstreamPath) && !sessionToken) {
+    return NextResponse.json({ error: "Not authenticated" }, { status: 401 });
+  }
+  const upstreamUrl = new URL(`${ctx.platformUrl}/v1${upstreamPath}`);
+  upstreamUrl.search = request.nextUrl.search;
+  const method = request.method.toUpperCase();
+  const body = BODYLESS_METHODS.has(method) ? void 0 : await request.arrayBuffer();
+  const res = await fetch(upstreamUrl, {
+    method,
+    headers: buildUpstreamProxyHeaders(request, ctx, sessionToken),
+    body
+  });
+  return new NextResponse(res.body, {
+    status: res.status,
+    headers: copyResponseHeaders(res.headers)
+  });
+}
 async function refreshTokens(refreshToken, ctx) {
   ctx.log("Refreshing tokens");
   try {
@@ -1050,6 +1217,7 @@ function createSylphxMiddleware(userConfig = {}) {
     afterSignOutUrl: userConfig.afterSignOutUrl ?? "/",
     afterSignInUrl: userConfig.afterSignInUrl ?? "/dashboard",
     authPrefix: userConfig.authPrefix ?? "/auth",
+    baasPrefix: userConfig.baasPrefix === false ? null : normalizeRoutePrefix(userConfig.baasPrefix ?? DEFAULT_BAAS_PREFIX),
     debug: userConfig.debug ?? false,
     orgRequired: userConfig.orgRequired ?? false,
     orgSelectionUrl: userConfig.orgSelectionUrl ?? "/select-organization",
@@ -1065,7 +1233,8 @@ function createSylphxMiddleware(userConfig = {}) {
     ...config.publicRoutes,
     config.signInUrl,
     "/signup",
-    `${config.authPrefix}/*`
+    `${config.authPrefix}/*`,
+    ...config.baasPrefix ? [`${config.baasPrefix}/*`] : []
   ];
   const log = (msg, data) => {
     if (config.debug) {
@@ -1110,6 +1279,18 @@ function createSylphxMiddleware(userConfig = {}) {
     if (pathname === `${config.authPrefix}/oauth/authorize`) {
       return handleOAuthAuthorize(request, ctx);
     }
+    if (pathname === `${config.authPrefix}/passkey/options`) {
+      return handlePasskeyOptions(request, ctx);
+    }
+    if (pathname === `${config.authPrefix}/passkey/authenticate`) {
+      return handlePasskeyAuthenticate(request, ctx);
+    }
+    if (pathname === `${config.authPrefix}/forgot-password`) {
+      return handleForgotPassword(request, ctx);
+    }
+    if (pathname === `${config.authPrefix}/reset-password`) {
+      return handleResetPassword(request, ctx);
+    }
     if (pathname === `${config.authPrefix}/signout`) {
       return handleSignOut(request, ctx);
     }
@@ -1147,6 +1328,9 @@ function createSylphxMiddleware(userConfig = {}) {
         activeSessionToken = null;
       }
     }
+    if (config.baasPrefix && stripRoutePrefix(pathname, config.baasPrefix)) {
+      return handleBaasProxy(request, ctx, activeSessionToken);
+    }
     const isPublic = matchesAny(pathname, publicRoutes);
     if (!isPublic && !isAuthenticated) {
       log("Redirecting to sign-in");