@sylphx/sdk 0.10.6 → 0.11.0

package/dist/nextjs/index.d.ts

@@ -64,14 +64,18 @@ interface SylphxMiddlewareConfig {
     afterSignInUrl?: string;
     /**
      * Auth routes prefix. Routes are mounted at:
+     * - {prefix}/register — email/password registration handler
      * - {prefix}/login — credentials login handler
+     * - {prefix}/verify-email — email verification handler
      * - {prefix}/oauth-providers — enabled social login providers
      * - {prefix}/oauth/authorize — social login start handler
      * - {prefix}/callback — OAuth callback handler
      * - {prefix}/passkey/options — passkey login challenge handler
      * - {prefix}/passkey/authenticate — passkey login verification handler
+     * - {prefix}/verify-2fa — TOTP/backup-code verification handler
      * - {prefix}/forgot-password — password reset email handler
      * - {prefix}/reset-password — password reset verification handler
+     * - {prefix}/session — safe session metadata handler
      * - {prefix}/signout — Sign out handler
      *
      * @default '/auth'
@@ -112,6 +116,25 @@ interface SylphxMiddlewareConfig {
      * @default process.env.SYLPHX_SECRET_URL
      */
     secretUrl?: string;
+    /**
+     * Publishable key for browser-safe auth routes.
+     *
+     * Public auth handlers (`/auth/login`, `/auth/oauth-providers`,
+     * `/auth/oauth/authorize`, password reset, passkeys) call runtime routes
+     * guarded by projectAuth, which accepts pk_* only.
+     *
+     * @default credential parsed from process.env.SYLPHX_URL or
+     * process.env.NEXT_PUBLIC_SYLPHX_URL
+     */
+    publishableKey?: string;
+    /**
+     * Public connection URL for browser-safe auth routes.
+     *
+     * Format: sylphx://pk_<env>_<hex>@<tenant>.api.sylphx.com
+     *
+     * @default process.env.SYLPHX_URL or process.env.NEXT_PUBLIC_SYLPHX_URL
+     */
+    publicUrl?: string;
     /**
      * Platform URL for API calls.
      * Override for self-hosted or same-origin deployments.

package/dist/nextjs/index.mjs

@@ -3,6 +3,7 @@ import { NextResponse } from "next/server";
 
 // src/constants.ts
 var ENV_URL = "SYLPHX_URL";
+var ENV_PUBLIC_URL = "NEXT_PUBLIC_SYLPHX_URL";
 var ENV_SECRET_URL = "SYLPHX_SECRET_URL";
 var DEFAULT_SDK_API_HOST = "api.sylphx.com";
 var SDK_PLATFORM = typeof window !== "undefined" ? "browser" : typeof process !== "undefined" && process.versions?.node ? "node" : "unknown";
@@ -127,6 +128,12 @@ function validateKeyForType(key, keyType, pattern, envVarName) {
 function validatePublicKey(key) {
   return validateKeyForType(key, "publicKey", PUBLIC_KEY_PATTERN, "publishable credential");
 }
+function validateAndSanitizePublicKey(key) {
+  const result = validatePublicKey(key);
+  if (!result.valid) throw new Error(result.error);
+  if (result.warning) console.warn(result.warning);
+  return result.sanitizedKey;
+}
 function validateAppId(key) {
   return validateKeyForType(key, "appId", APP_ID_PATTERN, "NEXT_PUBLIC_SYLPHX_APP_ID");
 }
@@ -427,6 +434,11 @@ function secretKeyFromConnectionUrl(value) {
   if (!parsed || parsed.credentialType !== "sk") return null;
   return parsed.credential;
 }
+function publishableKeyFromConnectionUrl(value) {
+  const parsed = parseConnection(value);
+  if (!parsed || parsed.credentialType !== "pk") return null;
+  return parsed.credential;
+}
 function resolveNextjsPlatformUrl(options) {
   if (options.explicitPlatformUrl) return normalizePlatformUrl(options.explicitPlatformUrl);
   const fromExplicitSecretUrl = platformUrlFromConnectionUrl(options.secretUrl);
@@ -451,6 +463,16 @@ function resolveNextjsSecretKey(options) {
   if (fromGenericUrl) return fromGenericUrl;
   return null;
 }
+function resolveNextjsPublishableKey(options) {
+  if (options.explicitPublishableKey?.trim()) return options.explicitPublishableKey.trim();
+  const fromExplicitPublicUrl = publishableKeyFromConnectionUrl(options.explicitPublicUrl);
+  if (fromExplicitPublicUrl) return fromExplicitPublicUrl;
+  const fromPublicUrl = publishableKeyFromConnectionUrl(process.env[ENV_URL]);
+  if (fromPublicUrl) return fromPublicUrl;
+  const fromNextPublicUrl = publishableKeyFromConnectionUrl(process.env[ENV_PUBLIC_URL]);
+  if (fromNextPublicUrl) return fromNextPublicUrl;
+  return null;
+}
 
 // src/nextjs/middleware.ts
 var OAUTH_PKCE_TTL_SECONDS = 10 * 60;
@@ -634,12 +656,30 @@ function isTwoFactorLoginResponse(data) {
 function isOAuthAuthorizeResponse(data) {
   return typeof data === "object" && data !== null && typeof data.authorization_url === "string";
 }
-function headersForPlatformAuth(ctx) {
+function authCookieJsonResponse(ctx, data) {
+  const response = NextResponse.json({ success: true, user: data.user });
+  setAuthCookiesMiddleware(response, ctx.namespace, data);
+  return response;
+}
+function headersForProjectAuth(ctx) {
   return {
     "Content-Type": "application/json",
-    "x-app-secret": ctx.secretKey
+    "x-app-secret": ctx.publishableKey
   };
 }
+async function handleRegister(request, ctx) {
+  if (request.method !== "POST") {
+    return NextResponse.json({ error: "Method not allowed" }, { status: 405 });
+  }
+  const body = await parseJsonObject(request);
+  const res = await fetch(`${ctx.platformUrl}/v1/auth/register`, {
+    method: "POST",
+    headers: headersForProjectAuth(ctx),
+    body: JSON.stringify(body ?? {})
+  });
+  const data = await res.json().catch(() => ({}));
+  return NextResponse.json(data, { status: res.status });
+}
 async function handleLogin(request, ctx) {
   if (request.method !== "POST") {
     return NextResponse.json({ error: "Method not allowed" }, { status: 405 });
@@ -652,7 +692,7 @@ async function handleLogin(request, ctx) {
   }
   const res = await fetch(`${ctx.platformUrl}/v1/auth/login`, {
     method: "POST",
-    headers: headersForPlatformAuth(ctx),
+    headers: headersForProjectAuth(ctx),
     body: JSON.stringify({ email, password })
   });
   const data = await res.json().catch(() => ({}));
@@ -665,14 +705,83 @@ async function handleLogin(request, ctx) {
   if (!isTokenResponse(data)) {
     return NextResponse.json({ error: "invalid_response" }, { status: 502 });
   }
-  const response = NextResponse.json({ success: true, user: data.user });
-  setAuthCookiesMiddleware(response, ctx.namespace, data);
-  return response;
+  return authCookieJsonResponse(ctx, data);
+}
+async function handleVerifyEmail(request, ctx) {
+  if (request.method !== "POST") {
+    return NextResponse.json({ error: "Method not allowed" }, { status: 405 });
+  }
+  const body = await parseJsonObject(request);
+  const token = typeof body?.token === "string" ? body.token : null;
+  if (!token) {
+    return NextResponse.json({ error: "token is required" }, { status: 400 });
+  }
+  const res = await fetch(`${ctx.platformUrl}/v1/auth/verify-email`, {
+    method: "POST",
+    headers: headersForProjectAuth(ctx),
+    body: JSON.stringify({ token })
+  });
+  const data = await res.json().catch(() => ({}));
+  return NextResponse.json(data, { status: res.status });
+}
+async function handleVerifyTwoFactor(request, ctx) {
+  if (request.method !== "POST") {
+    return NextResponse.json({ error: "Method not allowed" }, { status: 405 });
+  }
+  const body = await parseJsonObject(request);
+  const userId = typeof body?.userId === "string" ? body.userId : null;
+  const code = typeof body?.code === "string" ? body.code : null;
+  if (!userId || !code) {
+    return NextResponse.json({ error: "userId and code are required" }, { status: 400 });
+  }
+  const res = await fetch(`${ctx.platformUrl}/v1/auth/verify-2fa`, {
+    method: "POST",
+    headers: headersForProjectAuth(ctx),
+    body: JSON.stringify({ userId, code })
+  });
+  const data = await res.json().catch(() => ({}));
+  if (!res.ok) {
+    return NextResponse.json(data, { status: res.status });
+  }
+  if (!isTokenResponse(data)) {
+    return NextResponse.json({ error: "invalid_response" }, { status: 502 });
+  }
+  return authCookieJsonResponse(ctx, data);
+}
+function handleSession(request, ctx) {
+  if (request.method !== "GET") {
+    return NextResponse.json({ error: "Method not allowed" }, { status: 405 });
+  }
+  const sessionToken = request.cookies.get(ctx.cookieNames.SESSION)?.value;
+  const userCookieValue = request.cookies.get(ctx.cookieNames.USER)?.value;
+  let userCookie = userCookieValue ? parseUserCookie2(userCookieValue) : null;
+  if (!userCookie && userCookieValue) {
+    try {
+      userCookie = parseUserCookie2(decodeURIComponent(userCookieValue));
+    } catch {
+      userCookie = null;
+    }
+  }
+  if (!sessionToken || isTokenExpired(sessionToken) || !userCookie?.user) {
+    return NextResponse.json({ success: true, session: null, user: null });
+  }
+  const payload = decodeJwtPayload(sessionToken);
+  const userId = payload?.sub ?? userCookie.user.id;
+  const expiresAt = typeof payload?.exp === "number" ? new Date(payload.exp * 1e3).toISOString() : new Date(userCookie.expiresAt).toISOString();
+  return NextResponse.json({
+    success: true,
+    session: {
+      id: `platform:${userId}`,
+      userId,
+      expiresAt
+    },
+    user: userCookie.user
+  });
 }
 async function handleOAuthProviders(ctx) {
   const res = await fetch(`${ctx.platformUrl}/v1/auth/oauth-providers`, {
     method: "GET",
-    headers: headersForPlatformAuth(ctx)
+    headers: headersForProjectAuth(ctx)
   });
   const data = await res.json().catch(() => ({}));
   return NextResponse.json(data, { status: res.status });
@@ -695,7 +804,7 @@ async function handleOAuthAuthorize(request, ctx) {
   const scopes = Array.isArray(body?.scopes) ? body.scopes.filter((scope) => typeof scope === "string") : void 0;
   const res = await fetch(`${ctx.platformUrl}/v1/oauth/authorize`, {
     method: "POST",
-    headers: headersForPlatformAuth(ctx),
+    headers: headersForProjectAuth(ctx),
     body: JSON.stringify({
       provider,
       redirect_uri: redirectUri.toString(),
@@ -724,7 +833,7 @@ async function handlePasskeyOptions(request, ctx) {
   const body = await parseJsonObject(request);
   const res = await fetch(`${ctx.platformUrl}/v1/auth/passkey/options`, {
     method: "POST",
-    headers: headersForPlatformAuth(ctx),
+    headers: headersForProjectAuth(ctx),
     body: JSON.stringify(body ?? {})
   });
   const data = await res.json().catch(() => ({}));
@@ -737,7 +846,7 @@ async function handlePasskeyAuthenticate(request, ctx) {
   const body = await parseJsonObject(request);
   const res = await fetch(`${ctx.platformUrl}/v1/auth/passkey/authenticate`, {
     method: "POST",
-    headers: headersForPlatformAuth(ctx),
+    headers: headersForProjectAuth(ctx),
     body: JSON.stringify(body ?? {})
   });
   const data = await res.json().catch(() => ({}));
@@ -747,9 +856,7 @@ async function handlePasskeyAuthenticate(request, ctx) {
   if (!isTokenResponse(data)) {
     return NextResponse.json({ error: "invalid_response" }, { status: 502 });
   }
-  const response = NextResponse.json({ success: true, user: data.user });
-  setAuthCookiesMiddleware(response, ctx.namespace, data);
-  return response;
+  return authCookieJsonResponse(ctx, data);
 }
 async function handleForgotPassword(request, ctx) {
   if (request.method !== "POST") {
@@ -767,7 +874,7 @@ async function handleForgotPassword(request, ctx) {
   }
   const res = await fetch(`${ctx.platformUrl}/v1/auth/forgot-password`, {
     method: "POST",
-    headers: headersForPlatformAuth(ctx),
+    headers: headersForProjectAuth(ctx),
     body: JSON.stringify({ email, redirectUrl })
   });
   const data = await res.json().catch(() => ({}));
@@ -785,7 +892,7 @@ async function handleResetPassword(request, ctx) {
   }
   const res = await fetch(`${ctx.platformUrl}/v1/auth/reset-password`, {
     method: "POST",
-    headers: headersForPlatformAuth(ctx),
+    headers: headersForProjectAuth(ctx),
     body: JSON.stringify({ token, password })
   });
   const data = await res.json().catch(() => ({}));
@@ -1091,12 +1198,15 @@ async function handleSwitchOrg(request, ctx) {
     }
     const expiresIn = resolveOrgScopedTokenExpiresIn(data);
     const expiresAt = Date.now() + expiresIn * 1e3;
+    const payload = decodeJwtPayload(accessToken);
+    const activeOrganization = {
+      id: payload?.org_id ?? orgId,
+      slug: payload?.org_slug ?? requestedOrgSlug
+    };
     const response = NextResponse.json({
-      accessToken,
-      token: accessToken,
-      expiresIn,
-      tokenType: resolveOrgScopedTokenType(data),
-      user: data.user ?? null
+      success: true,
+      user: data.user ?? null,
+      organization: activeOrganization
     });
     response.cookies.set(ctx.cookieNames.SESSION, accessToken, {
       ...SECURE_COOKIE_OPTIONS,
@@ -1117,11 +1227,7 @@ async function handleSwitchOrg(request, ctx) {
         }
       );
     }
-    const payload = decodeJwtPayload(accessToken);
-    setActiveOrganizationCookies(response, ctx, {
-      id: payload?.org_id ?? orgId,
-      slug: payload?.org_slug ?? requestedOrgSlug
-    });
+    setActiveOrganizationCookies(response, ctx, activeOrganization);
     ctx.log("Switch org success", { orgId });
     return response;
   } catch (err) {
@@ -1197,6 +1303,21 @@ function createSylphxMiddleware(userConfig = {}) {
     secretKey = validateAndSanitizeSecretKey(rawSecretKey);
     return secretKey;
   }
+  let publishableKey = null;
+  function resolvePublishableKey() {
+    if (publishableKey) return publishableKey;
+    const rawPublishableKey = resolveNextjsPublishableKey({
+      explicitPublishableKey: userConfig.publishableKey,
+      explicitPublicUrl: userConfig.publicUrl
+    });
+    if (!rawPublishableKey) {
+      throw new Error(
+        "[Sylphx] Publishable connection URL is required for public auth routes.\nEither pass publicUrl/publishableKey in config or set SYLPHX_URL/NEXT_PUBLIC_SYLPHX_URL."
+      );
+    }
+    publishableKey = validateAndSanitizePublicKey(rawPublishableKey);
+    return publishableKey;
+  }
   let platformUrl;
   let namespace;
   let cookieNames;
@@ -1244,6 +1365,9 @@ function createSylphxMiddleware(userConfig = {}) {
     get secretKey() {
       return secretKey;
     },
+    get publishableKey() {
+      return resolvePublishableKey();
+    },
     get platformUrl() {
       return platformUrl;
     },
@@ -1267,12 +1391,18 @@ function createSylphxMiddleware(userConfig = {}) {
     if (pathname.includes(".") || pathname.startsWith("/_next")) {
       return NextResponse.next();
     }
+    if (pathname === `${config.authPrefix}/register`) {
+      return handleRegister(request, ctx);
+    }
     if (pathname === `${config.authPrefix}/callback`) {
       return handleCallback(request, ctx);
     }
     if (pathname === `${config.authPrefix}/login`) {
       return handleLogin(request, ctx);
     }
+    if (pathname === `${config.authPrefix}/verify-email`) {
+      return handleVerifyEmail(request, ctx);
+    }
     if (pathname === `${config.authPrefix}/oauth-providers`) {
       return handleOAuthProviders(ctx);
     }
@@ -1285,12 +1415,18 @@ function createSylphxMiddleware(userConfig = {}) {
     if (pathname === `${config.authPrefix}/passkey/authenticate`) {
       return handlePasskeyAuthenticate(request, ctx);
     }
+    if (pathname === `${config.authPrefix}/verify-2fa`) {
+      return handleVerifyTwoFactor(request, ctx);
+    }
     if (pathname === `${config.authPrefix}/forgot-password`) {
       return handleForgotPassword(request, ctx);
     }
     if (pathname === `${config.authPrefix}/reset-password`) {
       return handleResetPassword(request, ctx);
     }
+    if (pathname === `${config.authPrefix}/session`) {
+      return handleSession(request, ctx);
+    }
     if (pathname === `${config.authPrefix}/signout`) {
       return handleSignOut(request, ctx);
     }