@sylphx/sdk 0.10.7 → 0.11.0

package/dist/nextjs/index.d.ts

@@ -116,6 +116,25 @@ interface SylphxMiddlewareConfig {
      * @default process.env.SYLPHX_SECRET_URL
      */
     secretUrl?: string;
+    /**
+     * Publishable key for browser-safe auth routes.
+     *
+     * Public auth handlers (`/auth/login`, `/auth/oauth-providers`,
+     * `/auth/oauth/authorize`, password reset, passkeys) call runtime routes
+     * guarded by projectAuth, which accepts pk_* only.
+     *
+     * @default credential parsed from process.env.SYLPHX_URL or
+     * process.env.NEXT_PUBLIC_SYLPHX_URL
+     */
+    publishableKey?: string;
+    /**
+     * Public connection URL for browser-safe auth routes.
+     *
+     * Format: sylphx://pk_<env>_<hex>@<tenant>.api.sylphx.com
+     *
+     * @default process.env.SYLPHX_URL or process.env.NEXT_PUBLIC_SYLPHX_URL
+     */
+    publicUrl?: string;
     /**
      * Platform URL for API calls.
      * Override for self-hosted or same-origin deployments.

package/dist/nextjs/index.mjs

@@ -3,6 +3,7 @@ import { NextResponse } from "next/server";
 
 // src/constants.ts
 var ENV_URL = "SYLPHX_URL";
+var ENV_PUBLIC_URL = "NEXT_PUBLIC_SYLPHX_URL";
 var ENV_SECRET_URL = "SYLPHX_SECRET_URL";
 var DEFAULT_SDK_API_HOST = "api.sylphx.com";
 var SDK_PLATFORM = typeof window !== "undefined" ? "browser" : typeof process !== "undefined" && process.versions?.node ? "node" : "unknown";
@@ -127,6 +128,12 @@ function validateKeyForType(key, keyType, pattern, envVarName) {
 function validatePublicKey(key) {
   return validateKeyForType(key, "publicKey", PUBLIC_KEY_PATTERN, "publishable credential");
 }
+function validateAndSanitizePublicKey(key) {
+  const result = validatePublicKey(key);
+  if (!result.valid) throw new Error(result.error);
+  if (result.warning) console.warn(result.warning);
+  return result.sanitizedKey;
+}
 function validateAppId(key) {
   return validateKeyForType(key, "appId", APP_ID_PATTERN, "NEXT_PUBLIC_SYLPHX_APP_ID");
 }
@@ -427,6 +434,11 @@ function secretKeyFromConnectionUrl(value) {
   if (!parsed || parsed.credentialType !== "sk") return null;
   return parsed.credential;
 }
+function publishableKeyFromConnectionUrl(value) {
+  const parsed = parseConnection(value);
+  if (!parsed || parsed.credentialType !== "pk") return null;
+  return parsed.credential;
+}
 function resolveNextjsPlatformUrl(options) {
   if (options.explicitPlatformUrl) return normalizePlatformUrl(options.explicitPlatformUrl);
   const fromExplicitSecretUrl = platformUrlFromConnectionUrl(options.secretUrl);
@@ -451,6 +463,16 @@ function resolveNextjsSecretKey(options) {
   if (fromGenericUrl) return fromGenericUrl;
   return null;
 }
+function resolveNextjsPublishableKey(options) {
+  if (options.explicitPublishableKey?.trim()) return options.explicitPublishableKey.trim();
+  const fromExplicitPublicUrl = publishableKeyFromConnectionUrl(options.explicitPublicUrl);
+  if (fromExplicitPublicUrl) return fromExplicitPublicUrl;
+  const fromPublicUrl = publishableKeyFromConnectionUrl(process.env[ENV_URL]);
+  if (fromPublicUrl) return fromPublicUrl;
+  const fromNextPublicUrl = publishableKeyFromConnectionUrl(process.env[ENV_PUBLIC_URL]);
+  if (fromNextPublicUrl) return fromNextPublicUrl;
+  return null;
+}
 
 // src/nextjs/middleware.ts
 var OAUTH_PKCE_TTL_SECONDS = 10 * 60;
@@ -639,10 +661,10 @@ function authCookieJsonResponse(ctx, data) {
   setAuthCookiesMiddleware(response, ctx.namespace, data);
   return response;
 }
-function headersForPlatformAuth(ctx) {
+function headersForProjectAuth(ctx) {
   return {
     "Content-Type": "application/json",
-    "x-app-secret": ctx.secretKey
+    "x-app-secret": ctx.publishableKey
   };
 }
 async function handleRegister(request, ctx) {
@@ -652,7 +674,7 @@ async function handleRegister(request, ctx) {
   const body = await parseJsonObject(request);
   const res = await fetch(`${ctx.platformUrl}/v1/auth/register`, {
     method: "POST",
-    headers: headersForPlatformAuth(ctx),
+    headers: headersForProjectAuth(ctx),
     body: JSON.stringify(body ?? {})
   });
   const data = await res.json().catch(() => ({}));
@@ -670,7 +692,7 @@ async function handleLogin(request, ctx) {
   }
   const res = await fetch(`${ctx.platformUrl}/v1/auth/login`, {
     method: "POST",
-    headers: headersForPlatformAuth(ctx),
+    headers: headersForProjectAuth(ctx),
     body: JSON.stringify({ email, password })
   });
   const data = await res.json().catch(() => ({}));
@@ -696,7 +718,7 @@ async function handleVerifyEmail(request, ctx) {
   }
   const res = await fetch(`${ctx.platformUrl}/v1/auth/verify-email`, {
     method: "POST",
-    headers: headersForPlatformAuth(ctx),
+    headers: headersForProjectAuth(ctx),
     body: JSON.stringify({ token })
   });
   const data = await res.json().catch(() => ({}));
@@ -714,7 +736,7 @@ async function handleVerifyTwoFactor(request, ctx) {
   }
   const res = await fetch(`${ctx.platformUrl}/v1/auth/verify-2fa`, {
     method: "POST",
-    headers: headersForPlatformAuth(ctx),
+    headers: headersForProjectAuth(ctx),
     body: JSON.stringify({ userId, code })
   });
   const data = await res.json().catch(() => ({}));
@@ -759,7 +781,7 @@ function handleSession(request, ctx) {
 async function handleOAuthProviders(ctx) {
   const res = await fetch(`${ctx.platformUrl}/v1/auth/oauth-providers`, {
     method: "GET",
-    headers: headersForPlatformAuth(ctx)
+    headers: headersForProjectAuth(ctx)
   });
   const data = await res.json().catch(() => ({}));
   return NextResponse.json(data, { status: res.status });
@@ -782,7 +804,7 @@ async function handleOAuthAuthorize(request, ctx) {
   const scopes = Array.isArray(body?.scopes) ? body.scopes.filter((scope) => typeof scope === "string") : void 0;
   const res = await fetch(`${ctx.platformUrl}/v1/oauth/authorize`, {
     method: "POST",
-    headers: headersForPlatformAuth(ctx),
+    headers: headersForProjectAuth(ctx),
     body: JSON.stringify({
       provider,
       redirect_uri: redirectUri.toString(),
@@ -811,7 +833,7 @@ async function handlePasskeyOptions(request, ctx) {
   const body = await parseJsonObject(request);
   const res = await fetch(`${ctx.platformUrl}/v1/auth/passkey/options`, {
     method: "POST",
-    headers: headersForPlatformAuth(ctx),
+    headers: headersForProjectAuth(ctx),
     body: JSON.stringify(body ?? {})
   });
   const data = await res.json().catch(() => ({}));
@@ -824,7 +846,7 @@ async function handlePasskeyAuthenticate(request, ctx) {
   const body = await parseJsonObject(request);
   const res = await fetch(`${ctx.platformUrl}/v1/auth/passkey/authenticate`, {
     method: "POST",
-    headers: headersForPlatformAuth(ctx),
+    headers: headersForProjectAuth(ctx),
     body: JSON.stringify(body ?? {})
   });
   const data = await res.json().catch(() => ({}));
@@ -852,7 +874,7 @@ async function handleForgotPassword(request, ctx) {
   }
   const res = await fetch(`${ctx.platformUrl}/v1/auth/forgot-password`, {
     method: "POST",
-    headers: headersForPlatformAuth(ctx),
+    headers: headersForProjectAuth(ctx),
     body: JSON.stringify({ email, redirectUrl })
   });
   const data = await res.json().catch(() => ({}));
@@ -870,7 +892,7 @@ async function handleResetPassword(request, ctx) {
   }
   const res = await fetch(`${ctx.platformUrl}/v1/auth/reset-password`, {
     method: "POST",
-    headers: headersForPlatformAuth(ctx),
+    headers: headersForProjectAuth(ctx),
     body: JSON.stringify({ token, password })
   });
   const data = await res.json().catch(() => ({}));
@@ -1281,6 +1303,21 @@ function createSylphxMiddleware(userConfig = {}) {
     secretKey = validateAndSanitizeSecretKey(rawSecretKey);
     return secretKey;
   }
+  let publishableKey = null;
+  function resolvePublishableKey() {
+    if (publishableKey) return publishableKey;
+    const rawPublishableKey = resolveNextjsPublishableKey({
+      explicitPublishableKey: userConfig.publishableKey,
+      explicitPublicUrl: userConfig.publicUrl
+    });
+    if (!rawPublishableKey) {
+      throw new Error(
+        "[Sylphx] Publishable connection URL is required for public auth routes.\nEither pass publicUrl/publishableKey in config or set SYLPHX_URL/NEXT_PUBLIC_SYLPHX_URL."
+      );
+    }
+    publishableKey = validateAndSanitizePublicKey(rawPublishableKey);
+    return publishableKey;
+  }
   let platformUrl;
   let namespace;
   let cookieNames;
@@ -1328,6 +1365,9 @@ function createSylphxMiddleware(userConfig = {}) {
     get secretKey() {
       return secretKey;
     },
+    get publishableKey() {
+      return resolvePublishableKey();
+    },
     get platformUrl() {
       return platformUrl;
     },