@sylphx/sdk 0.10.5 → 0.10.7

package/dist/nextjs/index.d.ts

@@ -6,6 +6,7 @@ import { AuthTokensResponse } from '@sylphx/contract';
  *
  * ONE middleware function handles EVERYTHING:
  * - Auth routes (mounted automatically, zero manual API routes)
+ * - BaaS routes (same-origin proxy, no browser bearer-token exposure)
  * - Token refresh (automatic, every request)
  * - Route protection
  * - Cookie management
@@ -63,15 +64,36 @@ interface SylphxMiddlewareConfig {
     afterSignInUrl?: string;
     /**
      * Auth routes prefix. Routes are mounted at:
+     * - {prefix}/register — email/password registration handler
      * - {prefix}/login — credentials login handler
+     * - {prefix}/verify-email — email verification handler
      * - {prefix}/oauth-providers — enabled social login providers
      * - {prefix}/oauth/authorize — social login start handler
      * - {prefix}/callback — OAuth callback handler
+     * - {prefix}/passkey/options — passkey login challenge handler
+     * - {prefix}/passkey/authenticate — passkey login verification handler
+     * - {prefix}/verify-2fa — TOTP/backup-code verification handler
+     * - {prefix}/forgot-password — password reset email handler
+     * - {prefix}/reset-password — password reset verification handler
+     * - {prefix}/session — safe session metadata handler
      * - {prefix}/signout — Sign out handler
      *
      * @default '/auth'
      */
     authPrefix?: string;
+    /**
+     * Same-origin BaaS proxy prefix.
+     *
+     * Mounted routes are allowlisted SDK-owned BaaS surfaces such as
+     * `{prefix}/security/*` and `{prefix}/challenge/*`. The middleware converts
+     * the HttpOnly session cookie into an upstream bearer token, so browser code
+     * can use BaaS features without ever reading Platform access tokens.
+     *
+     * Set to `false` to disable the proxy.
+     *
+     * @default '/sylphx'
+     */
+    baasPrefix?: string | false;
     /**
      * Enable debug logging.
      * @default false

package/dist/nextjs/index.mjs

@@ -455,6 +455,19 @@ function resolveNextjsSecretKey(options) {
 // src/nextjs/middleware.ts
 var OAUTH_PKCE_TTL_SECONDS = 10 * 60;
 var OAUTH_PKCE_TTL_MS = OAUTH_PKCE_TTL_SECONDS * 1e3;
+var DEFAULT_BAAS_PREFIX = "/sylphx";
+var BAAS_PROXY_AUTH_REQUIRED_PATHS = ["/challenge/", "/security/"];
+var BAAS_PROXY_PUBLIC_PATHS = ["/app"];
+var BODYLESS_METHODS = /* @__PURE__ */ new Set(["GET", "HEAD"]);
+var RESPONSE_HEADER_ALLOWLIST = [
+  "cache-control",
+  "content-language",
+  "content-type",
+  "etag",
+  "expires",
+  "last-modified",
+  "retry-after"
+];
 function isTokenResponse(data) {
   return typeof data === "object" && data !== null && "accessToken" in data && "refreshToken" in data && "user" in data && typeof data.accessToken === "string" && typeof data.refreshToken === "string";
 }
@@ -491,6 +504,46 @@ function matchesPattern(pathname, pattern) {
 function matchesAny(pathname, patterns) {
   return patterns.some((p) => matchesPattern(pathname, p));
 }
+function normalizeRoutePrefix(prefix) {
+  const normalized = prefix.trim().replace(/\/+$/u, "");
+  return normalized.startsWith("/") ? normalized : `/${normalized}`;
+}
+function stripRoutePrefix(pathname, prefix) {
+  if (pathname === prefix) return "/";
+  if (!pathname.startsWith(`${prefix}/`)) return null;
+  return pathname.slice(prefix.length);
+}
+function isPublicBaasProxyPath(pathname) {
+  return BAAS_PROXY_PUBLIC_PATHS.some((path) => pathname === path);
+}
+function isAuthenticatedBaasProxyPath(pathname) {
+  return BAAS_PROXY_AUTH_REQUIRED_PATHS.some((prefix) => pathname.startsWith(prefix));
+}
+function isAllowedBaasProxyPath(pathname) {
+  return isPublicBaasProxyPath(pathname) || isAuthenticatedBaasProxyPath(pathname);
+}
+function copyRequestHeader(source, target, name) {
+  const value = source.get(name);
+  if (value) target.set(name, value);
+}
+function buildUpstreamProxyHeaders(request, ctx, sessionToken) {
+  const headers = new Headers();
+  copyRequestHeader(request.headers, headers, "accept");
+  copyRequestHeader(request.headers, headers, "content-type");
+  copyRequestHeader(request.headers, headers, "user-agent");
+  copyRequestHeader(request.headers, headers, "x-correlation-id");
+  headers.set("x-app-secret", ctx.secretKey);
+  if (sessionToken) headers.set("authorization", `Bearer ${sessionToken}`);
+  return headers;
+}
+function copyResponseHeaders(source) {
+  const headers = new Headers();
+  for (const name of RESPONSE_HEADER_ALLOWLIST) {
+    const value = source.get(name);
+    if (value) headers.set(name, value);
+  }
+  return headers;
+}
 function requestPathWithSearch(request) {
   const { pathname, search } = request.nextUrl;
   return `${pathname}${search}`;
@@ -503,6 +556,22 @@ function resolveSafeRelativeRedirectPath(value, fallback) {
   if (isSafeRelativeRedirectPath(fallback)) return fallback;
   return "/";
 }
+function resolveSameOriginUrl(request, value, fallbackPath) {
+  if (!value) return new URL(fallbackPath, request.url).toString();
+  if (isSafeRelativeRedirectPath(value)) {
+    const url = new URL(value, request.url);
+    if (url.hash) return null;
+    return url.toString();
+  }
+  try {
+    const url = new URL(value);
+    if (url.origin !== new URL(request.url).origin) return null;
+    if (url.hash) return null;
+    return url.toString();
+  } catch {
+    return null;
+  }
+}
 function bytesToBase64Url(bytes) {
   let binary = "";
   for (const byte of bytes) binary += String.fromCharCode(byte);
@@ -565,12 +634,30 @@ function isTwoFactorLoginResponse(data) {
 function isOAuthAuthorizeResponse(data) {
   return typeof data === "object" && data !== null && typeof data.authorization_url === "string";
 }
+function authCookieJsonResponse(ctx, data) {
+  const response = NextResponse.json({ success: true, user: data.user });
+  setAuthCookiesMiddleware(response, ctx.namespace, data);
+  return response;
+}
 function headersForPlatformAuth(ctx) {
   return {
     "Content-Type": "application/json",
     "x-app-secret": ctx.secretKey
   };
 }
+async function handleRegister(request, ctx) {
+  if (request.method !== "POST") {
+    return NextResponse.json({ error: "Method not allowed" }, { status: 405 });
+  }
+  const body = await parseJsonObject(request);
+  const res = await fetch(`${ctx.platformUrl}/v1/auth/register`, {
+    method: "POST",
+    headers: headersForPlatformAuth(ctx),
+    body: JSON.stringify(body ?? {})
+  });
+  const data = await res.json().catch(() => ({}));
+  return NextResponse.json(data, { status: res.status });
+}
 async function handleLogin(request, ctx) {
   if (request.method !== "POST") {
     return NextResponse.json({ error: "Method not allowed" }, { status: 405 });
@@ -596,9 +683,78 @@ async function handleLogin(request, ctx) {
   if (!isTokenResponse(data)) {
     return NextResponse.json({ error: "invalid_response" }, { status: 502 });
   }
-  const response = NextResponse.json({ success: true, user: data.user });
-  setAuthCookiesMiddleware(response, ctx.namespace, data);
-  return response;
+  return authCookieJsonResponse(ctx, data);
+}
+async function handleVerifyEmail(request, ctx) {
+  if (request.method !== "POST") {
+    return NextResponse.json({ error: "Method not allowed" }, { status: 405 });
+  }
+  const body = await parseJsonObject(request);
+  const token = typeof body?.token === "string" ? body.token : null;
+  if (!token) {
+    return NextResponse.json({ error: "token is required" }, { status: 400 });
+  }
+  const res = await fetch(`${ctx.platformUrl}/v1/auth/verify-email`, {
+    method: "POST",
+    headers: headersForPlatformAuth(ctx),
+    body: JSON.stringify({ token })
+  });
+  const data = await res.json().catch(() => ({}));
+  return NextResponse.json(data, { status: res.status });
+}
+async function handleVerifyTwoFactor(request, ctx) {
+  if (request.method !== "POST") {
+    return NextResponse.json({ error: "Method not allowed" }, { status: 405 });
+  }
+  const body = await parseJsonObject(request);
+  const userId = typeof body?.userId === "string" ? body.userId : null;
+  const code = typeof body?.code === "string" ? body.code : null;
+  if (!userId || !code) {
+    return NextResponse.json({ error: "userId and code are required" }, { status: 400 });
+  }
+  const res = await fetch(`${ctx.platformUrl}/v1/auth/verify-2fa`, {
+    method: "POST",
+    headers: headersForPlatformAuth(ctx),
+    body: JSON.stringify({ userId, code })
+  });
+  const data = await res.json().catch(() => ({}));
+  if (!res.ok) {
+    return NextResponse.json(data, { status: res.status });
+  }
+  if (!isTokenResponse(data)) {
+    return NextResponse.json({ error: "invalid_response" }, { status: 502 });
+  }
+  return authCookieJsonResponse(ctx, data);
+}
+function handleSession(request, ctx) {
+  if (request.method !== "GET") {
+    return NextResponse.json({ error: "Method not allowed" }, { status: 405 });
+  }
+  const sessionToken = request.cookies.get(ctx.cookieNames.SESSION)?.value;
+  const userCookieValue = request.cookies.get(ctx.cookieNames.USER)?.value;
+  let userCookie = userCookieValue ? parseUserCookie2(userCookieValue) : null;
+  if (!userCookie && userCookieValue) {
+    try {
+      userCookie = parseUserCookie2(decodeURIComponent(userCookieValue));
+    } catch {
+      userCookie = null;
+    }
+  }
+  if (!sessionToken || isTokenExpired(sessionToken) || !userCookie?.user) {
+    return NextResponse.json({ success: true, session: null, user: null });
+  }
+  const payload = decodeJwtPayload(sessionToken);
+  const userId = payload?.sub ?? userCookie.user.id;
+  const expiresAt = typeof payload?.exp === "number" ? new Date(payload.exp * 1e3).toISOString() : new Date(userCookie.expiresAt).toISOString();
+  return NextResponse.json({
+    success: true,
+    session: {
+      id: `platform:${userId}`,
+      userId,
+      expiresAt
+    },
+    user: userCookie.user
+  });
 }
 async function handleOAuthProviders(ctx) {
   const res = await fetch(`${ctx.platformUrl}/v1/auth/oauth-providers`, {
@@ -648,6 +804,78 @@ async function handleOAuthAuthorize(request, ctx) {
   setOAuthPkceCookie(response, ctx, { verifier, createdAt: Date.now() });
   return response;
 }
+async function handlePasskeyOptions(request, ctx) {
+  if (request.method !== "POST") {
+    return NextResponse.json({ error: "Method not allowed" }, { status: 405 });
+  }
+  const body = await parseJsonObject(request);
+  const res = await fetch(`${ctx.platformUrl}/v1/auth/passkey/options`, {
+    method: "POST",
+    headers: headersForPlatformAuth(ctx),
+    body: JSON.stringify(body ?? {})
+  });
+  const data = await res.json().catch(() => ({}));
+  return NextResponse.json(data, { status: res.status });
+}
+async function handlePasskeyAuthenticate(request, ctx) {
+  if (request.method !== "POST") {
+    return NextResponse.json({ error: "Method not allowed" }, { status: 405 });
+  }
+  const body = await parseJsonObject(request);
+  const res = await fetch(`${ctx.platformUrl}/v1/auth/passkey/authenticate`, {
+    method: "POST",
+    headers: headersForPlatformAuth(ctx),
+    body: JSON.stringify(body ?? {})
+  });
+  const data = await res.json().catch(() => ({}));
+  if (!res.ok) {
+    return NextResponse.json(data, { status: res.status });
+  }
+  if (!isTokenResponse(data)) {
+    return NextResponse.json({ error: "invalid_response" }, { status: 502 });
+  }
+  return authCookieJsonResponse(ctx, data);
+}
+async function handleForgotPassword(request, ctx) {
+  if (request.method !== "POST") {
+    return NextResponse.json({ error: "Method not allowed" }, { status: 405 });
+  }
+  const body = await parseJsonObject(request);
+  const email = typeof body?.email === "string" ? body.email : null;
+  const rawRedirect = typeof body?.redirectUrl === "string" ? body.redirectUrl : typeof body?.redirectTo === "string" ? body.redirectTo : null;
+  const redirectUrl = resolveSameOriginUrl(request, rawRedirect, "/reset-password");
+  if (!email) {
+    return NextResponse.json({ error: "email is required" }, { status: 400 });
+  }
+  if (!redirectUrl) {
+    return NextResponse.json({ error: "invalid_redirect_url" }, { status: 400 });
+  }
+  const res = await fetch(`${ctx.platformUrl}/v1/auth/forgot-password`, {
+    method: "POST",
+    headers: headersForPlatformAuth(ctx),
+    body: JSON.stringify({ email, redirectUrl })
+  });
+  const data = await res.json().catch(() => ({}));
+  return NextResponse.json(data, { status: res.status });
+}
+async function handleResetPassword(request, ctx) {
+  if (request.method !== "POST") {
+    return NextResponse.json({ error: "Method not allowed" }, { status: 405 });
+  }
+  const body = await parseJsonObject(request);
+  const token = typeof body?.token === "string" ? body.token : null;
+  const password = typeof body?.password === "string" ? body.password : typeof body?.newPassword === "string" ? body.newPassword : null;
+  if (!token || !password) {
+    return NextResponse.json({ error: "token and password are required" }, { status: 400 });
+  }
+  const res = await fetch(`${ctx.platformUrl}/v1/auth/reset-password`, {
+    method: "POST",
+    headers: headersForPlatformAuth(ctx),
+    body: JSON.stringify({ token, password })
+  });
+  const data = await res.json().catch(() => ({}));
+  return NextResponse.json(data, { status: res.status });
+}
 async function handleCallback(request, ctx) {
   const { searchParams } = request.nextUrl;
   const code = searchParams.get("code");
@@ -948,12 +1176,15 @@ async function handleSwitchOrg(request, ctx) {
     }
     const expiresIn = resolveOrgScopedTokenExpiresIn(data);
     const expiresAt = Date.now() + expiresIn * 1e3;
+    const payload = decodeJwtPayload(accessToken);
+    const activeOrganization = {
+      id: payload?.org_id ?? orgId,
+      slug: payload?.org_slug ?? requestedOrgSlug
+    };
     const response = NextResponse.json({
-      accessToken,
-      token: accessToken,
-      expiresIn,
-      tokenType: resolveOrgScopedTokenType(data),
-      user: data.user ?? null
+      success: true,
+      user: data.user ?? null,
+      organization: activeOrganization
     });
     response.cookies.set(ctx.cookieNames.SESSION, accessToken, {
       ...SECURE_COOKIE_OPTIONS,
@@ -974,11 +1205,7 @@ async function handleSwitchOrg(request, ctx) {
         }
       );
     }
-    const payload = decodeJwtPayload(accessToken);
-    setActiveOrganizationCookies(response, ctx, {
-      id: payload?.org_id ?? orgId,
-      slug: payload?.org_slug ?? requestedOrgSlug
-    });
+    setActiveOrganizationCookies(response, ctx, activeOrganization);
     ctx.log("Switch org success", { orgId });
     return response;
   } catch (err) {
@@ -986,6 +1213,30 @@ async function handleSwitchOrg(request, ctx) {
     return NextResponse.json({ error: "internal_error" }, { status: 500 });
   }
 }
+async function handleBaasProxy(request, ctx, sessionToken) {
+  const prefix = ctx.config.baasPrefix;
+  if (!prefix) return NextResponse.json({ error: "Not found" }, { status: 404 });
+  const upstreamPath = stripRoutePrefix(request.nextUrl.pathname, prefix);
+  if (!upstreamPath || !isAllowedBaasProxyPath(upstreamPath)) {
+    return NextResponse.json({ error: "Not found" }, { status: 404 });
+  }
+  if (isAuthenticatedBaasProxyPath(upstreamPath) && !sessionToken) {
+    return NextResponse.json({ error: "Not authenticated" }, { status: 401 });
+  }
+  const upstreamUrl = new URL(`${ctx.platformUrl}/v1${upstreamPath}`);
+  upstreamUrl.search = request.nextUrl.search;
+  const method = request.method.toUpperCase();
+  const body = BODYLESS_METHODS.has(method) ? void 0 : await request.arrayBuffer();
+  const res = await fetch(upstreamUrl, {
+    method,
+    headers: buildUpstreamProxyHeaders(request, ctx, sessionToken),
+    body
+  });
+  return new NextResponse(res.body, {
+    status: res.status,
+    headers: copyResponseHeaders(res.headers)
+  });
+}
 async function refreshTokens(refreshToken, ctx) {
   ctx.log("Refreshing tokens");
   try {
@@ -1050,6 +1301,7 @@ function createSylphxMiddleware(userConfig = {}) {
     afterSignOutUrl: userConfig.afterSignOutUrl ?? "/",
     afterSignInUrl: userConfig.afterSignInUrl ?? "/dashboard",
     authPrefix: userConfig.authPrefix ?? "/auth",
+    baasPrefix: userConfig.baasPrefix === false ? null : normalizeRoutePrefix(userConfig.baasPrefix ?? DEFAULT_BAAS_PREFIX),
     debug: userConfig.debug ?? false,
     orgRequired: userConfig.orgRequired ?? false,
     orgSelectionUrl: userConfig.orgSelectionUrl ?? "/select-organization",
@@ -1065,7 +1317,8 @@ function createSylphxMiddleware(userConfig = {}) {
     ...config.publicRoutes,
     config.signInUrl,
     "/signup",
-    `${config.authPrefix}/*`
+    `${config.authPrefix}/*`,
+    ...config.baasPrefix ? [`${config.baasPrefix}/*`] : []
   ];
   const log = (msg, data) => {
     if (config.debug) {
@@ -1098,18 +1351,42 @@ function createSylphxMiddleware(userConfig = {}) {
     if (pathname.includes(".") || pathname.startsWith("/_next")) {
       return NextResponse.next();
     }
+    if (pathname === `${config.authPrefix}/register`) {
+      return handleRegister(request, ctx);
+    }
     if (pathname === `${config.authPrefix}/callback`) {
       return handleCallback(request, ctx);
     }
     if (pathname === `${config.authPrefix}/login`) {
       return handleLogin(request, ctx);
     }
+    if (pathname === `${config.authPrefix}/verify-email`) {
+      return handleVerifyEmail(request, ctx);
+    }
     if (pathname === `${config.authPrefix}/oauth-providers`) {
       return handleOAuthProviders(ctx);
     }
     if (pathname === `${config.authPrefix}/oauth/authorize`) {
       return handleOAuthAuthorize(request, ctx);
     }
+    if (pathname === `${config.authPrefix}/passkey/options`) {
+      return handlePasskeyOptions(request, ctx);
+    }
+    if (pathname === `${config.authPrefix}/passkey/authenticate`) {
+      return handlePasskeyAuthenticate(request, ctx);
+    }
+    if (pathname === `${config.authPrefix}/verify-2fa`) {
+      return handleVerifyTwoFactor(request, ctx);
+    }
+    if (pathname === `${config.authPrefix}/forgot-password`) {
+      return handleForgotPassword(request, ctx);
+    }
+    if (pathname === `${config.authPrefix}/reset-password`) {
+      return handleResetPassword(request, ctx);
+    }
+    if (pathname === `${config.authPrefix}/session`) {
+      return handleSession(request, ctx);
+    }
     if (pathname === `${config.authPrefix}/signout`) {
       return handleSignOut(request, ctx);
     }
@@ -1147,6 +1424,9 @@ function createSylphxMiddleware(userConfig = {}) {
         activeSessionToken = null;
       }
     }
+    if (config.baasPrefix && stripRoutePrefix(pathname, config.baasPrefix)) {
+      return handleBaasProxy(request, ctx, activeSessionToken);
+    }
     const isPublic = matchesAny(pathname, publicRoutes);
     if (!isPublic && !isAuthenticated) {
       log("Redirecting to sign-in");