npm - @sylphx/sdk - Versions diffs - 0.15.1 → 0.15.3 - Mend

@sylphx/sdk 0.15.1 → 0.15.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (10) hide show

package/dist/index.d.ts +7 -0
package/dist/index.mjs.map +1 -1
package/dist/nextjs/index.d.ts +278 -264
package/dist/nextjs/index.mjs +247 -215
package/dist/nextjs/index.mjs.map +1 -1
package/dist/react/index.d.ts +11 -5
package/dist/react/index.mjs.map +1 -1
package/dist/server/index.d.ts +12 -0
package/dist/server/index.mjs.map +1 -1
package/package.json +2 -2

package/dist/nextjs/index.mjs CHANGED Viewed

@@ -1,45 +1,6 @@
 // src/nextjs/middleware.ts
 import { NextResponse } from "next/server";
-// src/constants.ts
-var ENV_URL = "SYLPHX_URL";
-var ENV_PUBLIC_URL = "NEXT_PUBLIC_SYLPHX_URL";
-var ENV_SECRET_URL = "SYLPHX_SECRET_URL";
-var SDK_API_PATH = `/v1`;
-var DEFAULT_SDK_API_HOST = "api.sylphx.com";
-function detectSdkPlatform() {
-  if (typeof window !== "undefined") return "browser";
-  const runtimeGlobal = globalThis;
-  if (typeof runtimeGlobal.EdgeRuntime !== "undefined") return "edge";
-  return "node";
-}
-var SDK_PLATFORM = detectSdkPlatform();
-var TOKEN_EXPIRY_BUFFER_MS = 3e4;
-var SESSION_TOKEN_LIFETIME_SECONDS = 5 * 60;
-var SESSION_TOKEN_LIFETIME_MS = SESSION_TOKEN_LIFETIME_SECONDS * 1e3;
-var REFRESH_TOKEN_LIFETIME_SECONDS = 30 * 24 * 60 * 60;
-var FLAGS_CACHE_TTL_MS = 5 * 60 * 1e3;
-var FLAGS_STALE_WHILE_REVALIDATE_MS = 60 * 1e3;
-var ANALYTICS_SESSION_TIMEOUT_MS = 30 * 60 * 1e3;
-var WEBHOOK_MAX_AGE_MS = 5 * 60 * 1e3;
-var WEBHOOK_CLOCK_SKEW_MS = 30 * 1e3;
-var PKCE_CODE_TTL_MS = 10 * 60 * 1e3;
-var JOBS_DLQ_MAX_AGE_MS = 7 * 24 * 60 * 60 * 1e3;
-var SESSION_REPLAY_MAX_DURATION_MS = 60 * 60 * 1e3;
-var FLAGS_EXPOSURE_DEDUPE_WINDOW_MS = 60 * 60 * 1e3;
-var CLICK_ID_EXPIRY_MS = 90 * 24 * 60 * 60 * 1e3;
-var STALE_TIME_FREQUENT_MS = 60 * 1e3;
-var STALE_TIME_MODERATE_MS = 2 * 60 * 1e3;
-var STALE_TIME_STABLE_MS = 5 * 60 * 1e3;
-var STALE_TIME_STATS_MS = 30 * 1e3;
-var NEW_USER_THRESHOLD_MS = 60 * 1e3;
-var STORAGE_MULTIPART_THRESHOLD_BYTES = 5 * 1024 * 1024;
-var STORAGE_DEFAULT_MAX_SIZE_BYTES = 5 * 1024 * 1024;
-var STORAGE_AVATAR_MAX_SIZE_BYTES = 2 * 1024 * 1024;
-var STORAGE_LARGE_MAX_SIZE_BYTES = 10 * 1024 * 1024;
-var JWK_CACHE_TTL_MS = 60 * 60 * 1e3;
-var ETAG_CACHE_TTL_MS = 5 * 60 * 1e3;
 // src/key-validation.ts
 var PUBLIC_KEY_PATTERN = /^pk_(dev|stg|prod|prev)(?:_[a-z0-9]{12})?_[a-f0-9]{32}$/;
 var APP_ID_PATTERN = /^(app|pk)_(dev|stg|prod|prev)_[a-z0-9_-]+$/;
@@ -196,6 +157,47 @@ function getCookieNamespace(secretKey) {
 // src/nextjs/cookies.ts
 import { cookies } from "next/headers";
+// src/constants.ts
+var ENV_URL = "SYLPHX_URL";
+var ENV_PUBLIC_URL = "NEXT_PUBLIC_SYLPHX_URL";
+var ENV_SECRET_URL = "SYLPHX_SECRET_URL";
+var SDK_API_PATH = `/v1`;
+var DEFAULT_SDK_API_HOST = "api.sylphx.com";
+function detectSdkPlatform() {
+  if (typeof window !== "undefined") return "browser";
+  const runtimeGlobal = globalThis;
+  if (typeof runtimeGlobal.EdgeRuntime !== "undefined") return "edge";
+  return "node";
+}
+var SDK_PLATFORM = detectSdkPlatform();
+var TOKEN_EXPIRY_BUFFER_MS = 3e4;
+var SESSION_TOKEN_LIFETIME_SECONDS = 5 * 60;
+var SESSION_TOKEN_LIFETIME_MS = SESSION_TOKEN_LIFETIME_SECONDS * 1e3;
+var REFRESH_TOKEN_LIFETIME_SECONDS = 30 * 24 * 60 * 60;
+var FLAGS_CACHE_TTL_MS = 5 * 60 * 1e3;
+var FLAGS_STALE_WHILE_REVALIDATE_MS = 60 * 1e3;
+var ANALYTICS_SESSION_TIMEOUT_MS = 30 * 60 * 1e3;
+var WEBHOOK_MAX_AGE_MS = 5 * 60 * 1e3;
+var WEBHOOK_CLOCK_SKEW_MS = 30 * 1e3;
+var PKCE_CODE_TTL_MS = 10 * 60 * 1e3;
+var JOBS_DLQ_MAX_AGE_MS = 7 * 24 * 60 * 60 * 1e3;
+var SESSION_REPLAY_MAX_DURATION_MS = 60 * 60 * 1e3;
+var FLAGS_EXPOSURE_DEDUPE_WINDOW_MS = 60 * 60 * 1e3;
+var CLICK_ID_EXPIRY_MS = 90 * 24 * 60 * 60 * 1e3;
+var STALE_TIME_FREQUENT_MS = 60 * 1e3;
+var STALE_TIME_MODERATE_MS = 2 * 60 * 1e3;
+var STALE_TIME_STABLE_MS = 5 * 60 * 1e3;
+var STALE_TIME_STATS_MS = 30 * 1e3;
+var NEW_USER_THRESHOLD_MS = 60 * 1e3;
+var STORAGE_MULTIPART_THRESHOLD_BYTES = 5 * 1024 * 1024;
+var STORAGE_DEFAULT_MAX_SIZE_BYTES = 5 * 1024 * 1024;
+var STORAGE_AVATAR_MAX_SIZE_BYTES = 2 * 1024 * 1024;
+var STORAGE_LARGE_MAX_SIZE_BYTES = 10 * 1024 * 1024;
+var JWK_CACHE_TTL_MS = 60 * 60 * 1e3;
+var ETAG_CACHE_TTL_MS = 5 * 60 * 1e3;
+// src/nextjs/cookies.ts
 function getCookieNames(namespace) {
   return {
     /** HttpOnly JWT access token (5 min) */
@@ -230,6 +232,26 @@ var ACTIVE_ORG_COOKIE_OPTIONS = {
   ...SECURE_COOKIE_OPTIONS,
   httpOnly: true
 };
+function decodeCookieValue(value) {
+  try {
+    return decodeURIComponent(value);
+  } catch {
+    return value;
+  }
+}
+function readCookieValueFromHeader(cookieHeader, name) {
+  if (!cookieHeader) return null;
+  let value = null;
+  for (const cookie of cookieHeader.split(";")) {
+    const trimmed = cookie.trim();
+    const eq = trimmed.indexOf("=");
+    if (eq === -1) continue;
+    if (trimmed.slice(0, eq) === name) {
+      value = decodeCookieValue(trimmed.slice(eq + 1));
+    }
+  }
+  return value;
+}
 async function getAuthCookies(namespace) {
   const cookieStore = await cookies();
   const names = getCookieNames(namespace);
@@ -326,6 +348,163 @@ function parseUserCookie(value) {
   }
 }
+// src/nextjs/middleware-helpers.ts
+var OAUTH_PKCE_TTL_SECONDS = 10 * 60;
+var OAUTH_PKCE_TTL_MS = OAUTH_PKCE_TTL_SECONDS * 1e3;
+var DEFAULT_BAAS_PREFIX = "/sylphx";
+var BAAS_PROXY_AUTH_REQUIRED_PATHS = ["/challenge/", "/security/"];
+var BAAS_PROXY_PUBLIC_PATHS = ["/app"];
+var BODYLESS_METHODS = /* @__PURE__ */ new Set(["GET", "HEAD"]);
+var RESPONSE_HEADER_ALLOWLIST = [
+  "cache-control",
+  "content-language",
+  "content-type",
+  "etag",
+  "expires",
+  "last-modified",
+  "retry-after"
+];
+function isTokenResponse(data) {
+  return typeof data === "object" && data !== null && "accessToken" in data && "refreshToken" in data && "user" in data && typeof data.accessToken === "string" && typeof data.refreshToken === "string";
+}
+function decodeJwtPayload(token) {
+  try {
+    const parts = token.split(".");
+    if (parts.length !== 3) return null;
+    const payload = parts[1];
+    const base64 = payload.replace(/-/g, "+").replace(/_/g, "/");
+    const padded = base64.padEnd(base64.length + (4 - base64.length % 4) % 4, "=");
+    const jsonPayload = atob(padded);
+    return JSON.parse(jsonPayload);
+  } catch {
+    return null;
+  }
+}
+function isTokenExpired(token) {
+  const payload = decodeJwtPayload(token);
+  if (!payload?.exp) return true;
+  return payload.exp * 1e3 < Date.now() + TOKEN_EXPIRY_BUFFER_MS;
+}
+function matchesPattern(pathname, pattern) {
+  if (pattern === pathname) return true;
+  if (pattern.endsWith("/*")) {
+    const base = pattern.slice(0, -2);
+    return pathname === base || pathname.startsWith(`${base}/`);
+  }
+  if (pattern.endsWith("/**")) {
+    const base = pattern.slice(0, -3);
+    return pathname === base || pathname.startsWith(`${base}/`);
+  }
+  return false;
+}
+function matchesAny(pathname, patterns) {
+  return patterns.some((p) => matchesPattern(pathname, p));
+}
+function normalizeRoutePrefix(prefix) {
+  const normalized = prefix.trim().replace(/\/+$/u, "");
+  return normalized.startsWith("/") ? normalized : `/${normalized}`;
+}
+function stripRoutePrefix(pathname, prefix) {
+  if (pathname === prefix) return "/";
+  if (!pathname.startsWith(`${prefix}/`)) return null;
+  return pathname.slice(prefix.length);
+}
+function isPublicBaasProxyPath(pathname) {
+  return BAAS_PROXY_PUBLIC_PATHS.some((path) => pathname === path);
+}
+function isAuthenticatedBaasProxyPath(pathname) {
+  return BAAS_PROXY_AUTH_REQUIRED_PATHS.some((prefix) => pathname.startsWith(prefix));
+}
+function isAllowedBaasProxyPath(pathname) {
+  return isPublicBaasProxyPath(pathname) || isAuthenticatedBaasProxyPath(pathname);
+}
+function copyRequestHeader(source, target, name) {
+  const value = source.get(name);
+  if (value) target.set(name, value);
+}
+function buildUpstreamProxyHeaders(request, ctx, sessionToken) {
+  const headers = new Headers();
+  copyRequestHeader(request.headers, headers, "accept");
+  copyRequestHeader(request.headers, headers, "content-type");
+  copyRequestHeader(request.headers, headers, "user-agent");
+  copyRequestHeader(request.headers, headers, "x-correlation-id");
+  headers.set("x-app-secret", ctx.secretKey);
+  if (sessionToken) headers.set("authorization", `Bearer ${sessionToken}`);
+  return headers;
+}
+function copyResponseHeaders(source) {
+  const headers = new Headers();
+  for (const name of RESPONSE_HEADER_ALLOWLIST) {
+    const value = source.get(name);
+    if (value) headers.set(name, value);
+  }
+  return headers;
+}
+function requestPathWithSearch(request) {
+  const { pathname, search } = request.nextUrl;
+  return `${pathname}${search}`;
+}
+function isSafeRelativeRedirectPath(value) {
+  return typeof value === "string" && value.startsWith("/") && !value.startsWith("//");
+}
+function resolveSafeRelativeRedirectPath(value, fallback) {
+  if (isSafeRelativeRedirectPath(value)) return value;
+  if (isSafeRelativeRedirectPath(fallback)) return fallback;
+  return "/";
+}
+function resolveSameOriginUrl(request, value, fallbackPath) {
+  if (!value) return new URL(fallbackPath, request.url).toString();
+  if (isSafeRelativeRedirectPath(value)) {
+    const url = new URL(value, request.url);
+    if (url.hash) return null;
+    return url.toString();
+  }
+  try {
+    const url = new URL(value);
+    if (url.origin !== new URL(request.url).origin) return null;
+    if (url.hash) return null;
+    return url.toString();
+  } catch {
+    return null;
+  }
+}
+function normalizeAppUrl(value) {
+  if (!value?.trim()) return null;
+  try {
+    const url = new URL(value);
+    return url.origin;
+  } catch {
+    return null;
+  }
+}
+function resolveOAuthCallbackUrl(request, ctx) {
+  const origin = ctx.config.appUrl ?? new URL(request.url).origin;
+  return new URL(`${ctx.config.authPrefix}/callback`, origin);
+}
+function bytesToBase64Url(bytes) {
+  let binary = "";
+  for (const byte of bytes) binary += String.fromCharCode(byte);
+  return btoa(binary).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/u, "");
+}
+function randomBase64Url(byteLength) {
+  const bytes = new Uint8Array(byteLength);
+  crypto.getRandomValues(bytes);
+  return bytesToBase64Url(bytes);
+}
+async function sha256Base64Url(value) {
+  const digest = await crypto.subtle.digest("SHA-256", new TextEncoder().encode(value));
+  return bytesToBase64Url(new Uint8Array(digest));
+}
+async function parseJsonObject(request) {
+  try {
+    const body = await request.json();
+    if (typeof body === "object" && body !== null && !Array.isArray(body)) return body;
+    return null;
+  } catch {
+    return null;
+  }
+}
 // src/connection-url.ts
 var SYLPHX_PROTOCOL = "sylphx:";
 var DEFAULT_VERSION = "v1";
@@ -482,161 +661,6 @@ function resolveNextjsPublishableKey(options) {
 }
 // src/nextjs/middleware.ts
-var OAUTH_PKCE_TTL_SECONDS = 10 * 60;
-var OAUTH_PKCE_TTL_MS = OAUTH_PKCE_TTL_SECONDS * 1e3;
-var DEFAULT_BAAS_PREFIX = "/sylphx";
-var BAAS_PROXY_AUTH_REQUIRED_PATHS = ["/challenge/", "/security/"];
-var BAAS_PROXY_PUBLIC_PATHS = ["/app"];
-var BODYLESS_METHODS = /* @__PURE__ */ new Set(["GET", "HEAD"]);
-var RESPONSE_HEADER_ALLOWLIST = [
-  "cache-control",
-  "content-language",
-  "content-type",
-  "etag",
-  "expires",
-  "last-modified",
-  "retry-after"
-];
-function isTokenResponse(data) {
-  return typeof data === "object" && data !== null && "accessToken" in data && "refreshToken" in data && "user" in data && typeof data.accessToken === "string" && typeof data.refreshToken === "string";
-}
-function decodeJwtPayload(token) {
-  try {
-    const parts = token.split(".");
-    if (parts.length !== 3) return null;
-    const payload = parts[1];
-    const base64 = payload.replace(/-/g, "+").replace(/_/g, "/");
-    const padded = base64.padEnd(base64.length + (4 - base64.length % 4) % 4, "=");
-    const jsonPayload = atob(padded);
-    return JSON.parse(jsonPayload);
-  } catch {
-    return null;
-  }
-}
-function isTokenExpired(token) {
-  const payload = decodeJwtPayload(token);
-  if (!payload?.exp) return true;
-  return payload.exp * 1e3 < Date.now() + TOKEN_EXPIRY_BUFFER_MS;
-}
-function matchesPattern(pathname, pattern) {
-  if (pattern === pathname) return true;
-  if (pattern.endsWith("/*")) {
-    const base = pattern.slice(0, -2);
-    return pathname === base || pathname.startsWith(`${base}/`);
-  }
-  if (pattern.endsWith("/**")) {
-    const base = pattern.slice(0, -3);
-    return pathname === base || pathname.startsWith(`${base}/`);
-  }
-  return false;
-}
-function matchesAny(pathname, patterns) {
-  return patterns.some((p) => matchesPattern(pathname, p));
-}
-function normalizeRoutePrefix(prefix) {
-  const normalized = prefix.trim().replace(/\/+$/u, "");
-  return normalized.startsWith("/") ? normalized : `/${normalized}`;
-}
-function stripRoutePrefix(pathname, prefix) {
-  if (pathname === prefix) return "/";
-  if (!pathname.startsWith(`${prefix}/`)) return null;
-  return pathname.slice(prefix.length);
-}
-function isPublicBaasProxyPath(pathname) {
-  return BAAS_PROXY_PUBLIC_PATHS.some((path) => pathname === path);
-}
-function isAuthenticatedBaasProxyPath(pathname) {
-  return BAAS_PROXY_AUTH_REQUIRED_PATHS.some((prefix) => pathname.startsWith(prefix));
-}
-function isAllowedBaasProxyPath(pathname) {
-  return isPublicBaasProxyPath(pathname) || isAuthenticatedBaasProxyPath(pathname);
-}
-function copyRequestHeader(source, target, name) {
-  const value = source.get(name);
-  if (value) target.set(name, value);
-}
-function buildUpstreamProxyHeaders(request, ctx, sessionToken) {
-  const headers = new Headers();
-  copyRequestHeader(request.headers, headers, "accept");
-  copyRequestHeader(request.headers, headers, "content-type");
-  copyRequestHeader(request.headers, headers, "user-agent");
-  copyRequestHeader(request.headers, headers, "x-correlation-id");
-  headers.set("x-app-secret", ctx.secretKey);
-  if (sessionToken) headers.set("authorization", `Bearer ${sessionToken}`);
-  return headers;
-}
-function copyResponseHeaders(source) {
-  const headers = new Headers();
-  for (const name of RESPONSE_HEADER_ALLOWLIST) {
-    const value = source.get(name);
-    if (value) headers.set(name, value);
-  }
-  return headers;
-}
-function requestPathWithSearch(request) {
-  const { pathname, search } = request.nextUrl;
-  return `${pathname}${search}`;
-}
-function isSafeRelativeRedirectPath(value) {
-  return typeof value === "string" && value.startsWith("/") && !value.startsWith("//");
-}
-function resolveSafeRelativeRedirectPath(value, fallback) {
-  if (isSafeRelativeRedirectPath(value)) return value;
-  if (isSafeRelativeRedirectPath(fallback)) return fallback;
-  return "/";
-}
-function resolveSameOriginUrl(request, value, fallbackPath) {
-  if (!value) return new URL(fallbackPath, request.url).toString();
-  if (isSafeRelativeRedirectPath(value)) {
-    const url = new URL(value, request.url);
-    if (url.hash) return null;
-    return url.toString();
-  }
-  try {
-    const url = new URL(value);
-    if (url.origin !== new URL(request.url).origin) return null;
-    if (url.hash) return null;
-    return url.toString();
-  } catch {
-    return null;
-  }
-}
-function normalizeAppUrl(value) {
-  if (!value?.trim()) return null;
-  try {
-    const url = new URL(value);
-    return url.origin;
-  } catch {
-    return null;
-  }
-}
-function resolveOAuthCallbackUrl(request, ctx) {
-  const origin = ctx.config.appUrl ?? new URL(request.url).origin;
-  return new URL(`${ctx.config.authPrefix}/callback`, origin);
-}
-function bytesToBase64Url(bytes) {
-  let binary = "";
-  for (const byte of bytes) binary += String.fromCharCode(byte);
-  return btoa(binary).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/u, "");
-}
-function randomBase64Url(byteLength) {
-  const bytes = new Uint8Array(byteLength);
-  crypto.getRandomValues(bytes);
-  return bytesToBase64Url(bytes);
-}
-async function sha256Base64Url(value) {
-  const digest = await crypto.subtle.digest("SHA-256", new TextEncoder().encode(value));
-  return bytesToBase64Url(new Uint8Array(digest));
-}
-async function parseJsonObject(request) {
-  try {
-    const body = await request.json();
-    if (typeof body === "object" && body !== null && !Array.isArray(body)) return body;
-    return null;
-  } catch {
-    return null;
-  }
-}
 function getOAuthPkceCookieName(ctx) {
   return `__${ctx.namespace}_oauth_pkce`;
 }
@@ -670,6 +694,19 @@ function clearOAuthPkceCookie(response, ctx) {
     path: ctx.config.authPrefix
   });
 }
+function readRequestCookieValue(request, name) {
+  const values = request.cookies.getAll(name);
+  if (values.length > 0) {
+    const value = values[values.length - 1]?.value;
+    return value === void 0 ? void 0 : decodeCookieValue(value);
+  }
+  const cookie = request.cookies.get(name);
+  if (cookie) return decodeCookieValue(cookie.value);
+  return readCookieValueFromHeader(request.headers.get("cookie"), name) ?? void 0;
+}
+function hasRequestCookie(request, name) {
+  return readRequestCookieValue(request, name) !== void 0;
+}
 function isTwoFactorLoginResponse(data) {
   return typeof data === "object" && data !== null && data.requiresTwoFactor === true && typeof data.userId === "string";
 }
@@ -702,7 +739,7 @@ function setRestoredSessionCookies(response, ctx, restored) {
   }
 }
 async function refreshSessionFromCookie(request, ctx, previousSessionToken) {
-  const refreshToken = request.cookies.get(ctx.cookieNames.REFRESH)?.value;
+  const refreshToken = readRequestCookieValue(request, ctx.cookieNames.REFRESH);
   if (!refreshToken) return null;
   const refreshedTokens = await refreshTokens(refreshToken, ctx);
   if (!refreshedTokens) return null;
@@ -799,8 +836,8 @@ async function handleSession(request, ctx) {
   if (request.method !== "GET") {
     return NextResponse.json({ error: "Method not allowed" }, { status: 405 });
   }
-  const sessionToken = request.cookies.get(ctx.cookieNames.SESSION)?.value;
-  const userCookie = parseUserCookie2(request.cookies.get(ctx.cookieNames.USER)?.value);
+  const sessionToken = readRequestCookieValue(request, ctx.cookieNames.SESSION);
+  const userCookie = parseUserCookie2(readRequestCookieValue(request, ctx.cookieNames.USER));
   if (sessionToken && !isTokenExpired(sessionToken) && userCookie?.user) {
     return NextResponse.json(sessionMetadataBody(sessionToken, userCookie.user));
   }
@@ -813,7 +850,7 @@ async function handleSession(request, ctx) {
     return response2;
   }
   const response = NextResponse.json({ success: true, session: null, user: null });
-  if (sessionToken || request.cookies.has(ctx.cookieNames.REFRESH) || userCookie) {
+  if (sessionToken || hasRequestCookie(request, ctx.cookieNames.REFRESH) || userCookie) {
     clearAuthCookiesMiddleware(response, ctx.namespace);
   }
   return response;
@@ -999,7 +1036,7 @@ async function handleCallback(request, ctx) {
 }
 async function handleSignOut(request, ctx) {
   ctx.log("Signout");
-  const refreshToken = request.cookies.get(ctx.cookieNames.REFRESH)?.value;
+  const refreshToken = readRequestCookieValue(request, ctx.cookieNames.REFRESH);
   if (refreshToken) {
     try {
       await fetch(`${ctx.platformUrl}/v1/auth/revoke`, {
@@ -1021,7 +1058,7 @@ async function handleSignOut(request, ctx) {
 }
 async function handleToken(request, ctx) {
   ctx.log("Token request");
-  const sessionToken = request.cookies.get(ctx.cookieNames.SESSION)?.value;
+  const sessionToken = readRequestCookieValue(request, ctx.cookieNames.SESSION);
   if (sessionToken && !isTokenExpired(sessionToken)) {
     ctx.log("Token returned");
     return NextResponse.json({ accessToken: sessionToken });
@@ -1038,7 +1075,7 @@ async function handleToken(request, ctx) {
     { error: sessionToken ? "Session expired" : "Not authenticated", accessToken: null },
     { status: 401 }
   );
-  if (sessionToken || request.cookies.has(ctx.cookieNames.REFRESH)) {
+  if (sessionToken || hasRequestCookie(request, ctx.cookieNames.REFRESH)) {
     clearAuthCookiesMiddleware(response, ctx.namespace);
   }
   return response;
@@ -1071,17 +1108,10 @@ function parseUserCookie2(value) {
     return null;
   }
 }
-function decodeCookieValue(value) {
-  try {
-    return decodeURIComponent(value);
-  } catch {
-    return value;
-  }
-}
 function readFirstCookieValue(request, names) {
   for (const name of names) {
-    const value = request.cookies.get(name)?.value;
-    if (value) return decodeCookieValue(value);
+    const value = readRequestCookieValue(request, name);
+    if (value) return value;
   }
   return null;
 }
@@ -1214,7 +1244,7 @@ async function handleSwitchOrg(request, ctx) {
   if (request.method !== "POST") {
     return NextResponse.json({ error: "Method not allowed" }, { status: 405 });
   }
-  const currentSessionToken = request.cookies.get(ctx.cookieNames.SESSION)?.value;
+  const currentSessionToken = readRequestCookieValue(request, ctx.cookieNames.SESSION);
   let sessionToken = currentSessionToken && !isTokenExpired(currentSessionToken) ? currentSessionToken : null;
   let restoredBaseSession = null;
   if (!sessionToken) {
@@ -1226,7 +1256,7 @@ async function handleSwitchOrg(request, ctx) {
       { error: "Not authenticated", accessToken: null },
       { status: 401 }
     );
-    if (currentSessionToken || request.cookies.has(ctx.cookieNames.REFRESH)) {
+    if (currentSessionToken || hasRequestCookie(request, ctx.cookieNames.REFRESH)) {
       clearAuthCookiesMiddleware(response, ctx.namespace);
     }
     return response;
@@ -1281,7 +1311,7 @@ async function handleSwitchOrg(request, ctx) {
       ...SECURE_COOKIE_OPTIONS,
       maxAge: expiresIn
     });
-    const existingUser = parseUserCookie2(request.cookies.get(ctx.cookieNames.USER)?.value);
+    const existingUser = parseUserCookie2(readRequestCookieValue(request, ctx.cookieNames.USER));
     const user = data.user ?? existingUser?.user;
     if (user) {
       response.cookies.set(
@@ -1506,8 +1536,8 @@ function createSylphxMiddleware(userConfig = {}) {
     if (pathname === `${config.authPrefix}/switch-org`) {
       return handleSwitchOrg(request, ctx);
     }
-    const sessionToken = request.cookies.get(cookieNames.SESSION)?.value;
-    const refreshToken = request.cookies.get(cookieNames.REFRESH)?.value;
+    const sessionToken = readRequestCookieValue(request, cookieNames.SESSION);
+    const refreshToken = readRequestCookieValue(request, cookieNames.REFRESH);
     const hasValidSession = sessionToken && !isTokenExpired(sessionToken);
     const response = NextResponse.next({ request: { headers: request.headers } });
     let isAuthenticated = hasValidSession;
@@ -3028,6 +3058,7 @@ export {
   createSylphxMiddleware,
   currentUser,
   currentUserId,
+  decodeCookieValue,
   decodeUserId,
   encodeUserId,
   getAuthCookies,
@@ -3039,6 +3070,7 @@ export {
   hasRefreshToken,
   isSessionExpired,
   parseUserCookie,
+  readCookieValueFromHeader,
   setAuthCookies,
   setAuthCookiesMiddleware,
   signOut,