azirid-react 0.14.1 → 0.14.2

package/README.md

@@ -1415,7 +1415,7 @@ export function Providers({ children }: { children: React.ReactNode }) {
 
 ### Middleware — Route Protection & JWT Validation
 
-The middleware validates `__session` JWT cookies using JWKS (RS256) and protects routes.
+The middleware validates `__session` JWT cookies using JWKS (RS256) and protects routes server-side — before any HTML reaches the browser. No spinners, no flashes, no client-side redirect logic needed.
 
 #### Next.js 16+ (`proxy.ts`)
 
@@ -1424,9 +1424,25 @@ The middleware validates `__session` JWT cookies using JWKS (RS256) and protects
 import { createAziridProxy } from 'azirid-react/next/proxy'
 
 export const proxy = createAziridProxy({
-  protectedRoutes: ['/dashboard', '/settings'],
+  // Routes that REQUIRE authentication.
+  // Uses startsWith — '/dashboard' protects '/dashboard', '/dashboard/settings', etc.
+  protectedRoutes: ['/dashboard', '/admin', '/settings'],
+
+  // Where to redirect unauthenticated users (default: '/login').
+  // The original URL is preserved as ?redirect= so you can send them back after login.
   loginUrl: '/login',
-  publicRoutes: ['/login', '/signup', '/forgot-password'],
+
+  // Routes that are ALWAYS public, even if they match a protectedRoute.
+  // Default: ['/login', '/signup', '/auth/handoff']
+  publicRoutes: [
+    '/login',
+    '/register',
+    '/forgot-password',
+    '/reset-password',
+    '/pricing',
+    '/legal/terms',
+    '/legal/privacy',
+  ],
 })
 
 export const config = {
@@ -1434,13 +1450,25 @@ export const config = {
 }
 ```
 
-| Option             | Type       | Default       | Description                                      |
-| ------------------ | ---------- | ------------- | ------------------------------------------------ |
-| `cookieName`       | `string`   | `"__session"` | Cookie carrying the access token JWT             |
-| `protectedRoutes`  | `string[]` | —             | Routes that require authentication               |
-| `loginUrl`         | `string`   | `"/login"`    | Redirect target for unauthenticated users        |
-| `publicRoutes`     | `string[]` | login/signup  | Always-accessible routes                         |
-| `jwksUrl`          | `string`   | auto          | Override JWKS endpoint URL                       |
+#### How it works
+
+1. User visits `/dashboard/settings` without a valid token
+2. Middleware checks: is `/dashboard/settings` protected? Yes (`startsWith('/dashboard')`)
+3. Middleware checks: is it public? No
+4. Middleware redirects to `/login?redirect=/dashboard/settings`
+5. After login, you can read `?redirect=` and send them back
+
+Routes not listed in `protectedRoutes` are accessible to everyone (e.g. `/`, `/pricing`, `/about`).
+
+#### Options
+
+| Option             | Type       | Default                          | Description                                                   |
+| ------------------ | ---------- | -------------------------------- | ------------------------------------------------------------- |
+| `protectedRoutes`  | `string[]` | —                                | Routes that require auth (matched with `startsWith`)          |
+| `loginUrl`         | `string`   | `"/login"`                       | Redirect target for unauthenticated users                     |
+| `publicRoutes`     | `string[]` | `["/login", "/signup", "/auth/handoff"]` | Always-accessible routes, even if inside a protected path |
+| `cookieName`       | `string`   | `"__session"`                    | Cookie carrying the access token JWT                          |
+| `jwksUrl`          | `string`   | auto                             | Override JWKS endpoint URL                                    |
 
 ---
 

package/dist/index.cjs

@@ -4853,7 +4853,7 @@ function usePasswordToggle() {
 }
 
 // src/index.ts
-var SDK_VERSION = "0.14.1";
+var SDK_VERSION = "0.14.2";
 
 exports.AUTH_BASE_PATH = AUTH_BASE_PATH;
 exports.AuthForm = AuthForm;

package/dist/index.js

@@ -4851,7 +4851,7 @@ function usePasswordToggle() {
 }
 
 // src/index.ts
-var SDK_VERSION = "0.14.1";
+var SDK_VERSION = "0.14.2";
 
 export { AUTH_BASE_PATH, AuthForm, AziridProvider, CheckoutButton, ForgotPasswordForm, HandoffCallback, InvoiceList, LoginForm, PATHS, PayButton, PayphoneCallback, PayphoneWidgetRenderer, PricingTable, ReferralCard, ReferralStats, ResetPasswordForm, SDK_VERSION, SignupForm, SubscriptionBadge, buildPaths, changePasswordSchema, cn, createAccessClient, createForgotPasswordSchema, createLoginSchema, createMutationHook, createResetPasswordConfirmSchema, createSignupSchema, en, es, forgotPasswordSchema, isAuthError, loginSchema, magicLinkRequestSchema, magicLinkVerifySchema, passkeyRegisterStartSchema, removeStyles, resetPasswordConfirmSchema, resolveMessages, signupSchema, socialLoginSchema, useAccessClient, useAzirid, useBootstrap, useBranches, useBranding, useChangePassword, useCheckout, useFormState, useInvoices, useLogin, useLogout, useMagicLink, useMessages, usePasskeys, usePasswordReset, usePasswordToggle, usePayButton, usePaymentMethods, usePaymentProviders, usePayphoneCheckout, usePayphoneConfirm, usePlans, useReferral, useReferralStats, useRefresh, useSession, useSignup, useSocialLogin, useSubmitTransferProof, useSubscription, useSwitchTenant, useTenantMembers, useTenants, useTransferPayment, useTransferProofs, useUploadTransferProof };
 //# sourceMappingURL=index.js.map

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "azirid-react",
-  "version": "0.14.1",
+  "version": "0.14.2",
   "description": "Authentication components for React and Next.js — Login, Register, powered by TanStack Query and Zod.",
   "author": "Azirid",
   "license": "MIT",