@sylphx/sdk 0.9.0 → 0.10.1

package/dist/nextjs/index.d.ts

@@ -80,8 +80,7 @@ interface SylphxMiddlewareConfig {
      *
      * Use case: Platform Console uses dynamically generated keys.
      *
-     * @default credential parsed from process.env.SYLPHX_SECRET_URL, falling back
-     * to process.env.SYLPHX_SECRET_KEY for legacy apps
+     * @default credential parsed from process.env.SYLPHX_SECRET_URL
      */
     secretKey?: string;
     /**
@@ -96,7 +95,7 @@ interface SylphxMiddlewareConfig {
      * Platform URL for API calls.
      * Override for self-hosted or same-origin deployments.
      *
-     * @default resolved from SYLPHX_URL, then legacy 4-part key routing
+     * @default resolved from SYLPHX_SECRET_URL, SYLPHX_URL, SYLPHX_BAAS_URL, or SYLPHX_RUNTIME_URL
      */
     platformUrl?: string;
     /**
@@ -113,6 +112,20 @@ interface SylphxMiddlewareConfig {
      * ```
      */
     onResponse?: (response: NextResponse, request: NextRequest) => void | Promise<void>;
+    /**
+     * Require authenticated requests to carry an active organization context.
+     * When true, protected routes without an `org_id` JWT claim redirect to
+     * `orgSelectionUrl`.
+     *
+     * @default false
+     */
+    orgRequired?: boolean;
+    /**
+     * URL for selecting an active organization when `orgRequired` is enabled.
+     *
+     * @default '/select-organization'
+     */
+    orgSelectionUrl?: string;
 }
 /**
  * Create Sylphx middleware — State of the Art
@@ -138,6 +151,7 @@ interface SylphxMiddlewareConfig {
  * ```
  */
 declare function createSylphxMiddleware(userConfig?: SylphxMiddlewareConfig): (request: NextRequest) => Promise<NextResponse>;
+declare const sylphxMiddleware: typeof createSylphxMiddleware;
 /**
  * Create recommended matcher config
  */
@@ -225,8 +239,7 @@ interface UserCookieData {
  * Configure the SDK for server-side usage
  *
  * NOTE: This is optional! The SDK auto-configures from environment variables:
- * - SYLPHX_SECRET_URL (recommended)
- * - SYLPHX_SECRET_KEY (legacy fallback)
+ * - SYLPHX_SECRET_URL
  *
  * Use this only if you need to override the default configuration.
  *
@@ -575,4 +588,4 @@ declare function clearAuthCookiesMiddleware(response: NextResponse, namespace: s
  */
 declare function parseUserCookie(value: string): UserCookieData | null;
 
-export { type AuthCookiesData, type AuthResult, REFRESH_TOKEN_LIFETIME, SECURE_COOKIE_OPTIONS, SESSION_TOKEN_LIFETIME, SESSION_TOKEN_LIFETIME_MS, type SylphxMiddlewareConfig, TOKEN_EXPIRY_BUFFER_MS, USER_COOKIE_OPTIONS, type UserCookieData, auth, clearAuthCookies, clearAuthCookiesMiddleware, configureServer, createMatcher, createSylphxMiddleware, currentUser, currentUserId, decodeUserId, encodeUserId, getAuthCookies, getAuthorizationUrl, getCookieNames, getNamespace, getSessionToken, handleCallback, hasRefreshToken, isSessionExpired, parseUserCookie, setAuthCookies, setAuthCookiesMiddleware, signOut, syncAuthToCookies };
+export { type AuthCookiesData, type AuthResult, REFRESH_TOKEN_LIFETIME, SECURE_COOKIE_OPTIONS, SESSION_TOKEN_LIFETIME, SESSION_TOKEN_LIFETIME_MS, type SylphxMiddlewareConfig, TOKEN_EXPIRY_BUFFER_MS, USER_COOKIE_OPTIONS, type UserCookieData, auth, clearAuthCookies, clearAuthCookiesMiddleware, configureServer, createMatcher, createSylphxMiddleware, currentUser, currentUserId, decodeUserId, encodeUserId, getAuthCookies, getAuthorizationUrl, getCookieNames, getNamespace, getSessionToken, handleCallback, hasRefreshToken, isSessionExpired, parseUserCookie, setAuthCookies, setAuthCookiesMiddleware, signOut, sylphxMiddleware, syncAuthToCookies };

package/dist/nextjs/index.mjs

@@ -4,7 +4,6 @@ import { NextResponse } from "next/server";
 // src/constants.ts
 var ENV_URL = "SYLPHX_URL";
 var ENV_SECRET_URL = "SYLPHX_SECRET_URL";
-var ENV_SECRET_KEY = "SYLPHX_SECRET_KEY";
 var DEFAULT_SDK_API_HOST = "api.sylphx.com";
 var SDK_PLATFORM = typeof window !== "undefined" ? "browser" : typeof process !== "undefined" && process.versions?.node ? "node" : "unknown";
 var TOKEN_EXPIRY_BUFFER_MS = 3e4;
@@ -34,13 +33,14 @@ var JWK_CACHE_TTL_MS = 60 * 60 * 1e3;
 var ETAG_CACHE_TTL_MS = 5 * 60 * 1e3;
 
 // src/key-validation.ts
-var PUBLIC_KEY_PATTERN = /^pk_(dev|stg|prod)_[a-z0-9]{12}_[a-f0-9]{32}$/;
+var PUBLIC_KEY_PATTERN = /^pk_(dev|stg|prod|prev)(?:_[a-z0-9]{12})?_[a-f0-9]{32}$/;
 var APP_ID_PATTERN = /^(app|pk)_(dev|stg|prod|prev)_[a-z0-9_-]+$/;
-var SECRET_KEY_PATTERN = /^sk_(dev|stg|prod)_[a-z0-9_-]+$/;
+var SECRET_KEY_PATTERN = /^sk_(dev|stg|prod|prev)_[a-z0-9_-]+$/;
 var ENV_PREFIX_MAP = {
   dev: "development",
   stg: "staging",
-  prod: "production"
+  prod: "production",
+  prev: "preview"
 };
 function detectKeyIssues(key) {
   const issues = [];
@@ -65,7 +65,7 @@ The SDK will automatically sanitize the key, but fixing the source is recommende
 }
 function createInvalidKeyError(keyType, key, envVarName) {
   const maskedKey = key.length > 20 ? `${key.slice(0, 20)}...` : key;
-  const formatHint = keyType === "appId" ? "pk_(dev|stg|prod)_{ref}_{hex} or app_(dev|stg|prod)_[id]" : "sk_(dev|stg|prod)_{ref}_{hex}";
+  const formatHint = keyType === "appId" ? "pk_(dev|stg|prod|prev)_{ref}_{hex} or app_(dev|stg|prod|prev)_[id]" : "sk_(dev|stg|prod|prev)_{ref}_{hex}";
   const keyTypeName = keyType === "appId" ? "App ID" : "Secret Key";
   return `[Sylphx] Invalid ${keyTypeName} format.
 
@@ -78,7 +78,7 @@ You can find your keys in the Sylphx Console \u2192 API Keys.
 Common issues:
 \u2022 Key has uppercase characters (must be lowercase)
 \u2022 Key has wrong prefix (App ID: pk_ or app_, Secret Key: sk_)
-\u2022 Key has invalid environment (must be dev, stg, or prod)
+\u2022 Key has invalid environment (must be dev, stg, prod, or prev)
 \u2022 Key was copied with extra whitespace`;
 }
 function extractEnvironment(key) {
@@ -125,7 +125,7 @@ function validateKeyForType(key, keyType, pattern, envVarName) {
   };
 }
 function validatePublicKey(key) {
-  return validateKeyForType(key, "publicKey", PUBLIC_KEY_PATTERN, "NEXT_PUBLIC_SYLPHX_KEY");
+  return validateKeyForType(key, "publicKey", PUBLIC_KEY_PATTERN, "publishable credential");
 }
 function validateAppId(key) {
   return validateKeyForType(key, "appId", APP_ID_PATTERN, "NEXT_PUBLIC_SYLPHX_APP_ID");
@@ -141,7 +141,7 @@ function validateAndSanitizeAppId(key) {
   return result.sanitizedKey;
 }
 function validateSecretKey(key) {
-  return validateKeyForType(key, "secret", SECRET_KEY_PATTERN, "SYLPHX_SECRET_KEY");
+  return validateKeyForType(key, "secret", SECRET_KEY_PATTERN, "secret credential");
 }
 function validateAndSanitizeSecretKey(key) {
   const result = validateSecretKey(key);
@@ -176,7 +176,7 @@ function detectEnvironment(key) {
 }
 function getCookieNamespace(secretKey) {
   const env = detectEnvironment(secretKey);
-  const shortEnv = env === "development" ? "dev" : env === "staging" ? "stg" : "prod";
+  const shortEnv = env === "development" ? "dev" : env === "staging" ? "stg" : env === "preview" ? "prev" : "prod";
   return `sylphx_${shortEnv}`;
 }
 
@@ -302,7 +302,7 @@ function parseUserCookie(value) {
 // src/connection-url.ts
 var SYLPHX_PROTOCOL = "sylphx:";
 var DEFAULT_VERSION = "v1";
-var CREDENTIAL_REGEX = /^(pk|sk)_(dev|stg|prod|prev)_[a-f0-9]{32,64}$/;
+var CREDENTIAL_REGEX = /^(pk|sk)_(dev|stg|prod|prev)(?:_[a-z0-9]{12})?_[a-f0-9]{32,64}$/;
 var VERSION_REGEX = /^v[0-9]+$/;
 var SLUG_REGEX = /^[a-z0-9]([a-z0-9-]*[a-z0-9])?$/;
 var InvalidConnectionUrlError = class _InvalidConnectionUrlError extends Error {
@@ -319,7 +319,7 @@ function fail(reason) {
 function parseCredential(raw) {
   const match = CREDENTIAL_REGEX.exec(raw);
   if (!match) {
-    fail(`credential must match (pk|sk)_(dev|stg|prod|prev)_[a-f0-9]{32,64}, got "${raw}"`);
+    fail(`credential must match (pk|sk)_(dev|stg|prod|prev)(_{ref})?_{hex}, got "${raw}"`);
   }
   return {
     credentialType: match[1],
@@ -414,12 +414,6 @@ function secretKeyFromConnectionUrl(value) {
   if (!parsed || parsed.credentialType !== "sk") return null;
   return parsed.credential;
 }
-function platformUrlFromLegacyKey(secretKey) {
-  if (!secretKey) return null;
-  const parts = secretKey.trim().toLowerCase().split("_");
-  const embeddedRef = parts.length === 4 ? parts[2] : null;
-  return embeddedRef ? `https://${embeddedRef}.${DEFAULT_SDK_API_HOST}` : null;
-}
 function resolveNextjsPlatformUrl(options) {
   if (options.explicitPlatformUrl) return normalizePlatformUrl(options.explicitPlatformUrl);
   const fromExplicitSecretUrl = platformUrlFromConnectionUrl(options.secretUrl);
@@ -430,8 +424,6 @@ function resolveNextjsPlatformUrl(options) {
   if (fromConnectionUrl) return fromConnectionUrl;
   const fromBaasOverride = process.env.SYLPHX_BAAS_URL ?? process.env.SYLPHX_RUNTIME_URL;
   if (fromBaasOverride) return normalizePlatformUrl(fromBaasOverride);
-  const fromLegacyKey = platformUrlFromLegacyKey(options.secretKey);
-  if (fromLegacyKey) return fromLegacyKey;
   throw new SylphxRoutingConfigurationError(
     '[Sylphx] BaaS routing target is required for @sylphx/sdk/nextjs. Set SYLPHX_SECRET_URL="sylphx://sk_<env>_<hex>@<tenant>.api.sylphx.com" or SYLPHX_URL="sylphx://<credential>@<tenant>.api.sylphx.com" or pass platformUrl explicitly. New-format sk_* credentials do not carry routing material.'
   );
@@ -444,7 +436,7 @@ function resolveNextjsSecretKey(options) {
   if (fromSecretUrl) return fromSecretUrl;
   const fromGenericUrl = secretKeyFromConnectionUrl(process.env[ENV_URL]);
   if (fromGenericUrl) return fromGenericUrl;
-  return process.env[ENV_SECRET_KEY]?.trim() || null;
+  return null;
 }
 
 // src/nextjs/middleware.ts
@@ -457,7 +449,8 @@ function decodeJwtPayload(token) {
     if (parts.length !== 3) return null;
     const payload = parts[1];
     const base64 = payload.replace(/-/g, "+").replace(/_/g, "/");
-    const jsonPayload = atob(base64);
+    const padded = base64.padEnd(base64.length + (4 - base64.length % 4) % 4, "=");
+    const jsonPayload = atob(padded);
     return JSON.parse(jsonPayload);
   } catch {
     return null;
@@ -571,6 +564,99 @@ function handleToken(request, ctx) {
   ctx.log("Token returned");
   return NextResponse.json({ accessToken: sessionToken });
 }
+function resolveOrgScopedTokenExpiresIn(data) {
+  if (typeof data.expiresIn === "number") return data.expiresIn;
+  if (typeof data.expires_in === "number") return data.expires_in;
+  return SESSION_TOKEN_LIFETIME;
+}
+function resolveOrgScopedTokenType(data) {
+  if (data.tokenType) return data.tokenType;
+  if (data.token_type) return data.token_type;
+  return "Bearer";
+}
+function parseUserCookie2(value) {
+  if (!value) return null;
+  try {
+    return JSON.parse(value);
+  } catch {
+    return null;
+  }
+}
+async function handleSwitchOrg(request, ctx) {
+  ctx.log("Switch org request");
+  if (request.method !== "POST") {
+    return NextResponse.json({ error: "Method not allowed" }, { status: 405 });
+  }
+  const sessionToken = request.cookies.get(ctx.cookieNames.SESSION)?.value;
+  if (!sessionToken || isTokenExpired(sessionToken)) {
+    return NextResponse.json({ error: "Not authenticated", accessToken: null }, { status: 401 });
+  }
+  let orgId = null;
+  try {
+    const body = await request.json();
+    orgId = typeof body.orgId === "string" && body.orgId.trim() ? body.orgId.trim() : null;
+  } catch {
+    return NextResponse.json({ error: "Invalid request body" }, { status: 400 });
+  }
+  if (!orgId) {
+    return NextResponse.json({ error: "orgId is required" }, { status: 400 });
+  }
+  try {
+    const res = await fetch(`${ctx.platformUrl}/v1/auth/switch-org`, {
+      method: "POST",
+      headers: {
+        "Content-Type": "application/json",
+        "x-app-secret": ctx.secretKey,
+        Authorization: `Bearer ${sessionToken}`
+      },
+      body: JSON.stringify({ orgId })
+    });
+    const data = await res.json().catch(() => ({}));
+    if (!res.ok) {
+      return NextResponse.json(
+        { error: data.error || data.message || "switch_org_failed" },
+        { status: res.status }
+      );
+    }
+    const accessToken = data.accessToken ?? data.access_token;
+    if (!accessToken) {
+      return NextResponse.json({ error: "invalid_response" }, { status: 502 });
+    }
+    const expiresIn = resolveOrgScopedTokenExpiresIn(data);
+    const expiresAt = Date.now() + expiresIn * 1e3;
+    const response = NextResponse.json({
+      accessToken,
+      token: accessToken,
+      expiresIn,
+      tokenType: resolveOrgScopedTokenType(data),
+      user: data.user ?? null
+    });
+    response.cookies.set(ctx.cookieNames.SESSION, accessToken, {
+      ...SECURE_COOKIE_OPTIONS,
+      maxAge: expiresIn
+    });
+    const existingUser = parseUserCookie2(request.cookies.get(ctx.cookieNames.USER)?.value);
+    const user = data.user ?? existingUser?.user;
+    if (user) {
+      response.cookies.set(
+        ctx.cookieNames.USER,
+        JSON.stringify({
+          user,
+          expiresAt
+        }),
+        {
+          ...USER_COOKIE_OPTIONS,
+          maxAge: expiresIn
+        }
+      );
+    }
+    ctx.log("Switch org success", { orgId });
+    return response;
+  } catch (err) {
+    ctx.log("Switch org error", err);
+    return NextResponse.json({ error: "internal_error" }, { status: 500 });
+  }
+}
 async function refreshTokens(refreshToken, ctx) {
   ctx.log("Refreshing tokens");
   try {
@@ -609,7 +695,7 @@ function createSylphxMiddleware(userConfig = {}) {
     });
     if (!rawSecretKey) {
       throw new Error(
-        "[Sylphx] Server connection URL is required.\nEither pass secretUrl in config or set SYLPHX_SECRET_URL env var.\nLegacy apps may pass secretKey or set SYLPHX_SECRET_KEY during migration."
+        "[Sylphx] Server connection URL is required.\nEither pass secretUrl in config or set SYLPHX_SECRET_URL env var."
       );
     }
     secretKey = validateAndSanitizeSecretKey(rawSecretKey);
@@ -636,6 +722,8 @@ function createSylphxMiddleware(userConfig = {}) {
     afterSignInUrl: userConfig.afterSignInUrl ?? "/dashboard",
     authPrefix: userConfig.authPrefix ?? "/auth",
     debug: userConfig.debug ?? false,
+    orgRequired: userConfig.orgRequired ?? false,
+    orgSelectionUrl: userConfig.orgSelectionUrl ?? "/select-organization",
     onResponse: userConfig.onResponse
   };
   const publicRoutes = [
@@ -684,20 +772,26 @@ function createSylphxMiddleware(userConfig = {}) {
     if (pathname === `${config.authPrefix}/token`) {
       return handleToken(request, ctx);
     }
+    if (pathname === `${config.authPrefix}/switch-org`) {
+      return handleSwitchOrg(request, ctx);
+    }
     const sessionToken = request.cookies.get(cookieNames.SESSION)?.value;
     const refreshToken = request.cookies.get(cookieNames.REFRESH)?.value;
     const hasValidSession = sessionToken && !isTokenExpired(sessionToken);
     const response = NextResponse.next();
     let isAuthenticated = hasValidSession;
+    let activeSessionToken = hasValidSession ? sessionToken : null;
     if (!hasValidSession && refreshToken) {
       log("Session expired, refreshing");
       const tokens = await refreshTokens(refreshToken, ctx);
       if (tokens) {
         setAuthCookiesMiddleware(response, namespace, tokens);
         isAuthenticated = true;
+        activeSessionToken = tokens.accessToken;
       } else {
         clearAuthCookiesMiddleware(response, namespace);
         isAuthenticated = false;
+        activeSessionToken = null;
       }
     }
     const isPublic = matchesAny(pathname, publicRoutes);
@@ -711,12 +805,22 @@ function createSylphxMiddleware(userConfig = {}) {
       log("Redirecting from sign-in to dashboard");
       return NextResponse.redirect(new URL(config.afterSignInUrl, request.url));
     }
+    if (config.orgRequired && !isPublic && isAuthenticated && activeSessionToken && !matchesPattern(pathname, config.orgSelectionUrl)) {
+      const payload = decodeJwtPayload(activeSessionToken);
+      if (!payload?.org_id) {
+        log("Redirecting to organization selection");
+        const url = new URL(config.orgSelectionUrl, request.url);
+        url.searchParams.set("redirect_to", pathname);
+        return NextResponse.redirect(url);
+      }
+    }
     if (config.onResponse) {
       await config.onResponse(response, request);
     }
     return response;
   };
 }
+var sylphxMiddleware = createSylphxMiddleware;
 function createMatcher() {
   return {
     matcher: ["/((?!_next|monitoring|.*\\..*).*)", "/"]
@@ -2187,6 +2291,7 @@ export {
   setAuthCookies,
   setAuthCookiesMiddleware,
   signOut,
+  sylphxMiddleware,
   syncAuthToCookies
 };
 //# sourceMappingURL=index.mjs.map