azirid-react 0.14.4 → 0.14.6

package/README.md

@@ -1342,7 +1342,7 @@ The Azirid dashboard lets admins click "Sign in as user" to impersonate any end
 1. Admin clicks "Sign in as user" in the Azirid dashboard
 2. Dashboard generates a one-time handoff code (valid for 5 minutes) and redirects to your app at `/auth/handoff?code=<code>&api=<apiUrl>`
 3. Your app renders `<HandoffCallback>`, which exchanges the code for session tokens directly with the API
-4. Tokens are stored in `sessionStorage` — on redirect to `/`, `AziridProvider` picks them up automatically
+4. Tokens are stored in `sessionStorage` + `__session` cookie, then the component redirects to `redirectUrl` via hard navigation so `AziridProvider` re-bootstraps with the new session
 
 > **`<HandoffCallback>` is fully standalone** — it does NOT depend on `AziridProvider`. It works even when the provider wraps the entire layout and its bootstrap would redirect to `/login`. No special route groups or layout changes needed.
 
@@ -1356,20 +1356,19 @@ import { HandoffCallback } from 'azirid-react'
 export default function HandoffPage() {
   return (
     <HandoffCallback
-      onSuccess={() => window.location.href = '/'}
+      redirectUrl="/dashboard"
       onError={() => window.location.href = '/login'}
     />
   )
 }
 ```
 
-> **Important:** Use `window.location.href` (not `router.push()`) for redirects. This triggers a full page reload so `AziridProvider` re-bootstraps with the new tokens.
-
 **Props:**
 
 | Prop | Type | Default | Description |
 |------|------|---------|-------------|
-| `onSuccess` | `(user: unknown) => void` | — | Called when the handoff succeeds; redirect the user here |
+| `redirectUrl` | `string` | `"/"` | URL to redirect after successful handoff (hard navigation) |
+| `onSuccess` | `(user: unknown) => void` | — | Called before redirect for optional side effects (analytics, etc.) |
 | `onError` | `(error: Error) => void` | — | Called on failure (expired/invalid code); redirect to login |
 | `loadingText` | `string` | `"Signing you in..."` | Text shown while the exchange is in progress |
 | `errorText` | `string` | `"Failed to complete sign-in. The link may have expired."` | Fallback error text |
@@ -1432,6 +1431,11 @@ export const proxy = createAziridProxy({
   // The original URL is preserved as ?redirect= so you can send them back after login.
   loginUrl: '/login',
 
+  // Where to redirect authenticated users when they visit a public route.
+  // E.g. user is logged in and visits /login → redirected to /dashboard.
+  // Your app handles role-based routing from there.
+  dashboardUrl: '/dashboard',
+
   // Routes that are ALWAYS public, even if they match a protectedRoute.
   // Default: ['/login', '/signup', '/auth/handoff']
   publicRoutes: [
@@ -1452,12 +1456,20 @@ export const config = {
 
 #### How it works
 
+**Unauthenticated user visits protected route:**
 1. User visits `/dashboard/settings` without a valid token
 2. Middleware checks: is `/dashboard/settings` protected? Yes (`startsWith('/dashboard')`)
 3. Middleware checks: is it public? No
 4. Middleware redirects to `/login?redirect=/dashboard/settings`
 5. After login, you can read `?redirect=` and send them back
 
+**Authenticated user visits public route (with `dashboardUrl`):**
+1. User is logged in and visits `/login`
+2. Middleware validates the JWT — valid
+3. Middleware checks: is `/login` a public route? Yes
+4. `dashboardUrl` is set → redirects to `/dashboard`
+5. Your app handles role-based routing from there (e.g. redirect admins to `/admin`)
+
 Routes not listed in `protectedRoutes` are accessible to everyone (e.g. `/`, `/pricing`, `/about`).
 
 #### Options
@@ -1466,9 +1478,9 @@ Routes not listed in `protectedRoutes` are accessible to everyone (e.g. `/`, `/p
 | ------------------ | ---------- | -------------------------------- | ------------------------------------------------------------- |
 | `protectedRoutes`  | `string[]` | —                                | Routes that require auth (matched with `startsWith`)          |
 | `loginUrl`         | `string`   | `"/login"`                       | Redirect target for unauthenticated users                     |
+| `dashboardUrl`     | `string`   | —                                | Redirect authenticated users away from public routes here     |
 | `publicRoutes`     | `string[]` | `["/login", "/signup", "/auth/handoff"]` | Always-accessible routes, even if inside a protected path |
 | `cookieName`       | `string`   | `"__session"`                    | Cookie carrying the access token JWT                          |
-| `jwksUrl`          | `string`   | auto                             | Override JWKS endpoint URL                                    |
 
 ---
 

package/dist/index.cjs

@@ -3977,6 +3977,7 @@ var subtextStyle = {
 function HandoffCallback({
   onSuccess,
   onError,
+  redirectUrl = "/",
   loadingText = "Signing you in...",
   errorText = "Failed to complete sign-in. The link may have expired."
 }) {
@@ -4003,6 +4004,7 @@ function HandoffCallback({
     }
     performHandoff(apiUrl, code).then((user) => {
       onSuccess?.(user);
+      window.location.href = redirectUrl;
     }).catch((err) => {
       setStatus("error");
       const error = err instanceof Error ? err : new Error("Handoff exchange failed");
@@ -4038,7 +4040,8 @@ async function performHandoff(apiUrl, code) {
   }
   const at = json.at ?? json.accessToken;
   if (at) {
-    document.cookie = `__session=${at}; Path=/; SameSite=Lax; Max-Age=900`;
+    const secure = window.location.protocol === "https:" ? "; Secure" : "";
+    document.cookie = `__session=${at}; Path=/; SameSite=Lax${secure}; Max-Age=900`;
   }
   return json.user;
 }
@@ -4853,7 +4856,7 @@ function usePasswordToggle() {
 }
 
 // src/index.ts
-var SDK_VERSION = "0.14.4";
+var SDK_VERSION = "0.14.6";
 
 exports.AUTH_BASE_PATH = AUTH_BASE_PATH;
 exports.AuthForm = AuthForm;