naystack 1.5.29 → 1.5.31

package/dist/auth/constants.cjs.js

@@ -20,11 +20,14 @@ var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: tru
 // src/auth/constants.ts
 var constants_exports = {};
 __export(constants_exports, {
-  REFRESH_COOKIE_NAME: () => REFRESH_COOKIE_NAME
+  REFRESH_COOKIE_NAME: () => REFRESH_COOKIE_NAME,
+  REFRESH_HEADER_NAME: () => REFRESH_HEADER_NAME
 });
 module.exports = __toCommonJS(constants_exports);
 var REFRESH_COOKIE_NAME = "refresh";
+var REFRESH_HEADER_NAME = "X-Refresh-Token";
 // Annotate the CommonJS export names for ESM import in node:
 0 && (module.exports = {
-  REFRESH_COOKIE_NAME
+  REFRESH_COOKIE_NAME,
+  REFRESH_HEADER_NAME
 });

package/dist/auth/constants.d.mts

@@ -3,5 +3,6 @@
  * @category Auth
  */
 declare const REFRESH_COOKIE_NAME = "refresh";
+declare const REFRESH_HEADER_NAME = "X-Refresh-Token";
 
-export { REFRESH_COOKIE_NAME };
+export { REFRESH_COOKIE_NAME, REFRESH_HEADER_NAME };

package/dist/auth/constants.d.ts

@@ -3,5 +3,6 @@
  * @category Auth
  */
 declare const REFRESH_COOKIE_NAME = "refresh";
+declare const REFRESH_HEADER_NAME = "X-Refresh-Token";
 
-export { REFRESH_COOKIE_NAME };
+export { REFRESH_COOKIE_NAME, REFRESH_HEADER_NAME };

package/dist/auth/constants.esm.js

@@ -1,5 +1,7 @@
 // src/auth/constants.ts
 var REFRESH_COOKIE_NAME = "refresh";
+var REFRESH_HEADER_NAME = "X-Refresh-Token";
 export {
-  REFRESH_COOKIE_NAME
+  REFRESH_COOKIE_NAME,
+  REFRESH_HEADER_NAME
 };

package/dist/auth/email/client.cjs.js

@@ -45,7 +45,7 @@ module.exports = __toCommonJS(client_exports);
 var import_react = __toESM(require("react"));
 
 // src/auth/constants.ts
-var REFRESH_COOKIE_NAME = "refresh";
+var REFRESH_HEADER_NAME = "X-Refresh-Token";
 
 // src/env.ts
 var getEnvValue = (key) => {
@@ -116,13 +116,12 @@ var AuthWrapper = ({
 function useAuthFetch(getRefreshToken) {
   const setToken = useSetToken();
   const fetchToken = async () => {
-    const url = new URL(getEnv("NEXT_PUBLIC_EMAIL_AUTH_ENDPOINT" /* NEXT_PUBLIC_EMAIL_AUTH_ENDPOINT */));
-    if (getRefreshToken) {
-      const token = await getRefreshToken();
-      if (token) url.searchParams.set(REFRESH_COOKIE_NAME, token);
-    }
-    fetch(url, {
-      credentials: "include"
+    const token = getRefreshToken ? await getRefreshToken() : null;
+    fetch(getEnv("NEXT_PUBLIC_EMAIL_AUTH_ENDPOINT" /* NEXT_PUBLIC_EMAIL_AUTH_ENDPOINT */), {
+      credentials: "include",
+      headers: token ? {
+        [REFRESH_HEADER_NAME]: token
+      } : void 0
     }).then((res) => res.json()).then((data) => setToken(data.accessToken));
   };
   (0, import_react.useEffect)(() => {

package/dist/auth/email/client.esm.js

@@ -10,7 +10,7 @@ import React, {
 } from "react";
 
 // src/auth/constants.ts
-var REFRESH_COOKIE_NAME = "refresh";
+var REFRESH_HEADER_NAME = "X-Refresh-Token";
 
 // src/env.ts
 var getEnvValue = (key) => {
@@ -81,13 +81,12 @@ var AuthWrapper = ({
 function useAuthFetch(getRefreshToken) {
   const setToken = useSetToken();
   const fetchToken = async () => {
-    const url = new URL(getEnv("NEXT_PUBLIC_EMAIL_AUTH_ENDPOINT" /* NEXT_PUBLIC_EMAIL_AUTH_ENDPOINT */));
-    if (getRefreshToken) {
-      const token = await getRefreshToken();
-      if (token) url.searchParams.set(REFRESH_COOKIE_NAME, token);
-    }
-    fetch(url, {
-      credentials: "include"
+    const token = getRefreshToken ? await getRefreshToken() : null;
+    fetch(getEnv("NEXT_PUBLIC_EMAIL_AUTH_ENDPOINT" /* NEXT_PUBLIC_EMAIL_AUTH_ENDPOINT */), {
+      credentials: "include",
+      headers: token ? {
+        [REFRESH_HEADER_NAME]: token
+      } : void 0
     }).then((res) => res.json()).then((data) => setToken(data.accessToken));
   };
   useEffect(() => {

package/dist/auth/email/index.cjs.js

@@ -38,6 +38,39 @@ __export(email_exports, {
 module.exports = __toCommonJS(email_exports);
 var import_server4 = require("next/server");
 
+// src/auth/constants.ts
+var REFRESH_COOKIE_NAME = "refresh";
+var REFRESH_HEADER_NAME = "X-Refresh-Token";
+
+// src/utils/route.ts
+function getCorsHeaders(origin, allowedOrigins) {
+  if (!origin || !allowedOrigins.includes(origin)) return null;
+  return {
+    "Access-Control-Allow-Origin": origin,
+    "Access-Control-Allow-Methods": "GET, POST, PUT, DELETE, OPTIONS",
+    "Access-Control-Allow-Headers": `Content-Type, Authorization, ${REFRESH_HEADER_NAME}`,
+    "Access-Control-Allow-Credentials": "true"
+  };
+}
+function withCors(handler, allowedOrigins) {
+  if (!allowedOrigins?.length) return handler;
+  return ((req) => {
+    return handler(req).then((response) => {
+      if (!response) return response;
+      const corsHeaders = getCorsHeaders(
+        req.headers.get("origin"),
+        allowedOrigins
+      );
+      if (corsHeaders) {
+        Object.entries(corsHeaders).forEach(([key, value]) => {
+          response.headers.set(key, value);
+        });
+      }
+      return response;
+    });
+  });
+}
+
 // src/auth/email/token.ts
 var import_bcryptjs = require("bcryptjs");
 var import_jsonwebtoken = require("jsonwebtoken");
@@ -94,9 +127,6 @@ function getEnv(key, skipCheck) {
   return value;
 }
 
-// src/auth/constants.ts
-var REFRESH_COOKIE_NAME = "refresh";
-
 // src/auth/email/token.ts
 function generateAccessToken(id, signingKey) {
   return (0, import_jsonwebtoken.sign)({ id }, signingKey, {
@@ -242,11 +272,11 @@ var getDeleteRoute = (options) => async (req) => {
 
 // src/auth/email/routes/get.ts
 var getGetRoute = (options) => async (req) => {
-  const refresh = req.cookies.get(REFRESH_COOKIE_NAME)?.value || req.nextUrl.searchParams.get(REFRESH_COOKIE_NAME) || void 0;
+  const refresh = req.cookies.get(REFRESH_COOKIE_NAME)?.value || req.headers.get(REFRESH_HEADER_NAME) || void 0;
   const userID = getUserIdFromRefreshToken(refresh);
   if (userID) {
     if (options.onRefresh) {
-      const body = await req.json();
+      const body = await req.json().catch(() => null);
       await options.onRefresh?.(userID, body);
     }
     return getTokenizedResponse(
@@ -367,33 +397,6 @@ function AuthFetch() {
 }
 
 // src/auth/email/index.ts
-function getCorsHeaders(origin, allowedOrigins) {
-  if (!origin || !allowedOrigins.includes(origin)) return null;
-  return {
-    "Access-Control-Allow-Origin": origin,
-    "Access-Control-Allow-Methods": "GET, POST, PUT, DELETE, OPTIONS",
-    "Access-Control-Allow-Headers": "Content-Type, Authorization",
-    "Access-Control-Allow-Credentials": "true"
-  };
-}
-function withCors(handler, allowedOrigins) {
-  if (!allowedOrigins?.length) return handler;
-  return ((req) => {
-    return handler(req).then((response) => {
-      if (!response) return response;
-      const corsHeaders = getCorsHeaders(
-        req.headers.get("origin"),
-        allowedOrigins
-      );
-      if (corsHeaders) {
-        Object.entries(corsHeaders).forEach(([key, value]) => {
-          response.headers.set(key, value);
-        });
-      }
-      return response;
-    });
-  });
-}
 function getEmailAuthRoutes(options) {
   const { allowedOrigins } = options;
   return {

package/dist/auth/email/index.esm.js

@@ -1,6 +1,39 @@
 // src/auth/email/index.ts
 import { NextResponse as NextResponse3 } from "next/server";
 
+// src/auth/constants.ts
+var REFRESH_COOKIE_NAME = "refresh";
+var REFRESH_HEADER_NAME = "X-Refresh-Token";
+
+// src/utils/route.ts
+function getCorsHeaders(origin, allowedOrigins) {
+  if (!origin || !allowedOrigins.includes(origin)) return null;
+  return {
+    "Access-Control-Allow-Origin": origin,
+    "Access-Control-Allow-Methods": "GET, POST, PUT, DELETE, OPTIONS",
+    "Access-Control-Allow-Headers": `Content-Type, Authorization, ${REFRESH_HEADER_NAME}`,
+    "Access-Control-Allow-Credentials": "true"
+  };
+}
+function withCors(handler, allowedOrigins) {
+  if (!allowedOrigins?.length) return handler;
+  return ((req) => {
+    return handler(req).then((response) => {
+      if (!response) return response;
+      const corsHeaders = getCorsHeaders(
+        req.headers.get("origin"),
+        allowedOrigins
+      );
+      if (corsHeaders) {
+        Object.entries(corsHeaders).forEach(([key, value]) => {
+          response.headers.set(key, value);
+        });
+      }
+      return response;
+    });
+  });
+}
+
 // src/auth/email/token.ts
 import { compare } from "bcryptjs";
 import { JsonWebTokenError, sign, verify } from "jsonwebtoken";
@@ -57,9 +90,6 @@ function getEnv(key, skipCheck) {
   return value;
 }
 
-// src/auth/constants.ts
-var REFRESH_COOKIE_NAME = "refresh";
-
 // src/auth/email/token.ts
 function generateAccessToken(id, signingKey) {
   return sign({ id }, signingKey, {
@@ -205,11 +235,11 @@ var getDeleteRoute = (options) => async (req) => {
 
 // src/auth/email/routes/get.ts
 var getGetRoute = (options) => async (req) => {
-  const refresh = req.cookies.get(REFRESH_COOKIE_NAME)?.value || req.nextUrl.searchParams.get(REFRESH_COOKIE_NAME) || void 0;
+  const refresh = req.cookies.get(REFRESH_COOKIE_NAME)?.value || req.headers.get(REFRESH_HEADER_NAME) || void 0;
   const userID = getUserIdFromRefreshToken(refresh);
   if (userID) {
     if (options.onRefresh) {
-      const body = await req.json();
+      const body = await req.json().catch(() => null);
       await options.onRefresh?.(userID, body);
     }
     return getTokenizedResponse(
@@ -334,33 +364,6 @@ function AuthFetch() {
 }
 
 // src/auth/email/index.ts
-function getCorsHeaders(origin, allowedOrigins) {
-  if (!origin || !allowedOrigins.includes(origin)) return null;
-  return {
-    "Access-Control-Allow-Origin": origin,
-    "Access-Control-Allow-Methods": "GET, POST, PUT, DELETE, OPTIONS",
-    "Access-Control-Allow-Headers": "Content-Type, Authorization",
-    "Access-Control-Allow-Credentials": "true"
-  };
-}
-function withCors(handler, allowedOrigins) {
-  if (!allowedOrigins?.length) return handler;
-  return ((req) => {
-    return handler(req).then((response) => {
-      if (!response) return response;
-      const corsHeaders = getCorsHeaders(
-        req.headers.get("origin"),
-        allowedOrigins
-      );
-      if (corsHeaders) {
-        Object.entries(corsHeaders).forEach(([key, value]) => {
-          response.headers.set(key, value);
-        });
-      }
-      return response;
-    });
-  });
-}
 function getEmailAuthRoutes(options) {
   const { allowedOrigins } = options;
   return {

package/dist/auth/email/routes/get.cjs.js

@@ -75,6 +75,7 @@ function getEnv(key, skipCheck) {
 
 // src/auth/constants.ts
 var REFRESH_COOKIE_NAME = "refresh";
+var REFRESH_HEADER_NAME = "X-Refresh-Token";
 
 // src/auth/email/token.ts
 var import_bcryptjs = require("bcryptjs");
@@ -123,11 +124,11 @@ function getUserIdFromRefreshToken(refreshToken) {
 
 // src/auth/email/routes/get.ts
 var getGetRoute = (options) => async (req) => {
-  const refresh = req.cookies.get(REFRESH_COOKIE_NAME)?.value || req.nextUrl.searchParams.get(REFRESH_COOKIE_NAME) || void 0;
+  const refresh = req.cookies.get(REFRESH_COOKIE_NAME)?.value || req.headers.get(REFRESH_HEADER_NAME) || void 0;
   const userID = getUserIdFromRefreshToken(refresh);
   if (userID) {
     if (options.onRefresh) {
-      const body = await req.json();
+      const body = await req.json().catch(() => null);
       await options.onRefresh?.(userID, body);
     }
     return getTokenizedResponse(

package/dist/auth/email/routes/get.esm.js

@@ -49,6 +49,7 @@ function getEnv(key, skipCheck) {
 
 // src/auth/constants.ts
 var REFRESH_COOKIE_NAME = "refresh";
+var REFRESH_HEADER_NAME = "X-Refresh-Token";
 
 // src/auth/email/token.ts
 import { compare } from "bcryptjs";
@@ -97,11 +98,11 @@ function getUserIdFromRefreshToken(refreshToken) {
 
 // src/auth/email/routes/get.ts
 var getGetRoute = (options) => async (req) => {
-  const refresh = req.cookies.get(REFRESH_COOKIE_NAME)?.value || req.nextUrl.searchParams.get(REFRESH_COOKIE_NAME) || void 0;
+  const refresh = req.cookies.get(REFRESH_COOKIE_NAME)?.value || req.headers.get(REFRESH_HEADER_NAME) || void 0;
   const userID = getUserIdFromRefreshToken(refresh);
   if (userID) {
     if (options.onRefresh) {
-      const body = await req.json();
+      const body = await req.json().catch(() => null);
       await options.onRefresh?.(userID, body);
     }
     return getTokenizedResponse(

package/dist/auth/index.cjs.js

@@ -44,6 +44,39 @@ module.exports = __toCommonJS(auth_exports);
 // src/auth/email/index.ts
 var import_server4 = require("next/server");
 
+// src/auth/constants.ts
+var REFRESH_COOKIE_NAME = "refresh";
+var REFRESH_HEADER_NAME = "X-Refresh-Token";
+
+// src/utils/route.ts
+function getCorsHeaders(origin, allowedOrigins) {
+  if (!origin || !allowedOrigins.includes(origin)) return null;
+  return {
+    "Access-Control-Allow-Origin": origin,
+    "Access-Control-Allow-Methods": "GET, POST, PUT, DELETE, OPTIONS",
+    "Access-Control-Allow-Headers": `Content-Type, Authorization, ${REFRESH_HEADER_NAME}`,
+    "Access-Control-Allow-Credentials": "true"
+  };
+}
+function withCors(handler, allowedOrigins) {
+  if (!allowedOrigins?.length) return handler;
+  return ((req) => {
+    return handler(req).then((response) => {
+      if (!response) return response;
+      const corsHeaders = getCorsHeaders(
+        req.headers.get("origin"),
+        allowedOrigins
+      );
+      if (corsHeaders) {
+        Object.entries(corsHeaders).forEach(([key, value]) => {
+          response.headers.set(key, value);
+        });
+      }
+      return response;
+    });
+  });
+}
+
 // src/auth/email/token.ts
 var import_bcryptjs = require("bcryptjs");
 var import_jsonwebtoken = require("jsonwebtoken");
@@ -100,9 +133,6 @@ function getEnv(key, skipCheck) {
   return value;
 }
 
-// src/auth/constants.ts
-var REFRESH_COOKIE_NAME = "refresh";
-
 // src/auth/email/token.ts
 function generateAccessToken(id, signingKey) {
   return (0, import_jsonwebtoken.sign)({ id }, signingKey, {
@@ -260,11 +290,11 @@ var getDeleteRoute = (options) => async (req) => {
 
 // src/auth/email/routes/get.ts
 var getGetRoute = (options) => async (req) => {
-  const refresh = req.cookies.get(REFRESH_COOKIE_NAME)?.value || req.nextUrl.searchParams.get(REFRESH_COOKIE_NAME) || void 0;
+  const refresh = req.cookies.get(REFRESH_COOKIE_NAME)?.value || req.headers.get(REFRESH_HEADER_NAME) || void 0;
   const userID = getUserIdFromRefreshToken(refresh);
   if (userID) {
     if (options.onRefresh) {
-      const body = await req.json();
+      const body = await req.json().catch(() => null);
       await options.onRefresh?.(userID, body);
     }
     return getTokenizedResponse(
@@ -385,33 +415,6 @@ function AuthFetch() {
 }
 
 // src/auth/email/index.ts
-function getCorsHeaders(origin, allowedOrigins) {
-  if (!origin || !allowedOrigins.includes(origin)) return null;
-  return {
-    "Access-Control-Allow-Origin": origin,
-    "Access-Control-Allow-Methods": "GET, POST, PUT, DELETE, OPTIONS",
-    "Access-Control-Allow-Headers": "Content-Type, Authorization",
-    "Access-Control-Allow-Credentials": "true"
-  };
-}
-function withCors(handler, allowedOrigins) {
-  if (!allowedOrigins?.length) return handler;
-  return ((req) => {
-    return handler(req).then((response) => {
-      if (!response) return response;
-      const corsHeaders = getCorsHeaders(
-        req.headers.get("origin"),
-        allowedOrigins
-      );
-      if (corsHeaders) {
-        Object.entries(corsHeaders).forEach(([key, value]) => {
-          response.headers.set(key, value);
-        });
-      }
-      return response;
-    });
-  });
-}
 function getEmailAuthRoutes(options) {
   const { allowedOrigins } = options;
   return {

package/dist/auth/index.esm.js

@@ -1,6 +1,39 @@
 // src/auth/email/index.ts
 import { NextResponse as NextResponse3 } from "next/server";
 
+// src/auth/constants.ts
+var REFRESH_COOKIE_NAME = "refresh";
+var REFRESH_HEADER_NAME = "X-Refresh-Token";
+
+// src/utils/route.ts
+function getCorsHeaders(origin, allowedOrigins) {
+  if (!origin || !allowedOrigins.includes(origin)) return null;
+  return {
+    "Access-Control-Allow-Origin": origin,
+    "Access-Control-Allow-Methods": "GET, POST, PUT, DELETE, OPTIONS",
+    "Access-Control-Allow-Headers": `Content-Type, Authorization, ${REFRESH_HEADER_NAME}`,
+    "Access-Control-Allow-Credentials": "true"
+  };
+}
+function withCors(handler, allowedOrigins) {
+  if (!allowedOrigins?.length) return handler;
+  return ((req) => {
+    return handler(req).then((response) => {
+      if (!response) return response;
+      const corsHeaders = getCorsHeaders(
+        req.headers.get("origin"),
+        allowedOrigins
+      );
+      if (corsHeaders) {
+        Object.entries(corsHeaders).forEach(([key, value]) => {
+          response.headers.set(key, value);
+        });
+      }
+      return response;
+    });
+  });
+}
+
 // src/auth/email/token.ts
 import { compare } from "bcryptjs";
 import { JsonWebTokenError, sign, verify } from "jsonwebtoken";
@@ -57,9 +90,6 @@ function getEnv(key, skipCheck) {
   return value;
 }
 
-// src/auth/constants.ts
-var REFRESH_COOKIE_NAME = "refresh";
-
 // src/auth/email/token.ts
 function generateAccessToken(id, signingKey) {
   return sign({ id }, signingKey, {
@@ -217,11 +247,11 @@ var getDeleteRoute = (options) => async (req) => {
 
 // src/auth/email/routes/get.ts
 var getGetRoute = (options) => async (req) => {
-  const refresh = req.cookies.get(REFRESH_COOKIE_NAME)?.value || req.nextUrl.searchParams.get(REFRESH_COOKIE_NAME) || void 0;
+  const refresh = req.cookies.get(REFRESH_COOKIE_NAME)?.value || req.headers.get(REFRESH_HEADER_NAME) || void 0;
   const userID = getUserIdFromRefreshToken(refresh);
   if (userID) {
     if (options.onRefresh) {
-      const body = await req.json();
+      const body = await req.json().catch(() => null);
       await options.onRefresh?.(userID, body);
     }
     return getTokenizedResponse(
@@ -346,33 +376,6 @@ function AuthFetch() {
 }
 
 // src/auth/email/index.ts
-function getCorsHeaders(origin, allowedOrigins) {
-  if (!origin || !allowedOrigins.includes(origin)) return null;
-  return {
-    "Access-Control-Allow-Origin": origin,
-    "Access-Control-Allow-Methods": "GET, POST, PUT, DELETE, OPTIONS",
-    "Access-Control-Allow-Headers": "Content-Type, Authorization",
-    "Access-Control-Allow-Credentials": "true"
-  };
-}
-function withCors(handler, allowedOrigins) {
-  if (!allowedOrigins?.length) return handler;
-  return ((req) => {
-    return handler(req).then((response) => {
-      if (!response) return response;
-      const corsHeaders = getCorsHeaders(
-        req.headers.get("origin"),
-        allowedOrigins
-      );
-      if (corsHeaders) {
-        Object.entries(corsHeaders).forEach(([key, value]) => {
-          response.headers.set(key, value);
-        });
-      }
-      return response;
-    });
-  });
-}
 function getEmailAuthRoutes(options) {
   const { allowedOrigins } = options;
   return {

package/dist/graphql/index.cjs.js

@@ -574,6 +574,7 @@ var import_reflect_metadata = require("reflect-metadata");
 var import_server3 = require("@apollo/server");
 var import_default = require("@apollo/server/plugin/landingPage/default");
 var import_next = require("@as-integrations/next");
+var import_server4 = require("next/server");
 var import_type_graphql = require("type-graphql");
 
 // src/env.ts
@@ -625,6 +626,39 @@ function getEnv(key, skipCheck) {
   return value;
 }
 
+// src/auth/constants.ts
+var REFRESH_COOKIE_NAME = "refresh";
+var REFRESH_HEADER_NAME = "X-Refresh-Token";
+
+// src/utils/route.ts
+function getCorsHeaders(origin, allowedOrigins) {
+  if (!origin || !allowedOrigins.includes(origin)) return null;
+  return {
+    "Access-Control-Allow-Origin": origin,
+    "Access-Control-Allow-Methods": "GET, POST, PUT, DELETE, OPTIONS",
+    "Access-Control-Allow-Headers": `Content-Type, Authorization, ${REFRESH_HEADER_NAME}`,
+    "Access-Control-Allow-Credentials": "true"
+  };
+}
+function withCors(handler, allowedOrigins) {
+  if (!allowedOrigins?.length) return handler;
+  return ((req) => {
+    return handler(req).then((response) => {
+      if (!response) return response;
+      const corsHeaders = getCorsHeaders(
+        req.headers.get("origin"),
+        allowedOrigins
+      );
+      if (corsHeaders) {
+        Object.entries(corsHeaders).forEach(([key, value]) => {
+          response.headers.set(key, value);
+        });
+      }
+      return response;
+    });
+  });
+}
+
 // src/auth/email/utils.ts
 var import_jsonwebtoken2 = require("jsonwebtoken");
 
@@ -634,11 +668,6 @@ var import_jsonwebtoken = require("jsonwebtoken");
 var import_headers = require("next/headers");
 var import_navigation = require("next/navigation");
 var import_server = require("next/server");
-
-// src/auth/constants.ts
-var REFRESH_COOKIE_NAME = "refresh";
-
-// src/auth/email/token.ts
 function getUserIdFromRefreshToken(refreshToken) {
   if (refreshToken)
     try {
@@ -683,7 +712,8 @@ async function initGraphQLServer({
   authChecker,
   resolvers,
   plugins,
-  getContext: overrideGetContext
+  getContext: overrideGetContext,
+  allowedOrigins
 }) {
   const { typeDefs, resolvers: builtResolvers } = await (0, import_type_graphql.buildTypeDefsAndResolvers)({
     validate: true,
@@ -710,8 +740,12 @@ async function initGraphQLServer({
     context: overrideGetContext || getContext
   });
   return {
-    GET: (request) => handler(request),
-    POST: (request) => handler(request)
+    GET: withCors((request) => handler(request), allowedOrigins),
+    POST: withCors((request) => handler(request), allowedOrigins),
+    OPTIONS: withCors(
+      (_request) => Promise.resolve(new import_server4.NextResponse(null, { status: 204 })),
+      allowedOrigins
+    )
   };
 }
 

package/dist/graphql/index.esm.js

@@ -559,6 +559,7 @@ import {
   ApolloServerPluginLandingPageProductionDefault
 } from "@apollo/server/plugin/landingPage/default";
 import { startServerAndCreateNextHandler } from "@as-integrations/next";
+import { NextResponse as NextResponse3 } from "next/server";
 import {
   buildTypeDefsAndResolvers
 } from "type-graphql";
@@ -612,6 +613,39 @@ function getEnv(key, skipCheck) {
   return value;
 }
 
+// src/auth/constants.ts
+var REFRESH_COOKIE_NAME = "refresh";
+var REFRESH_HEADER_NAME = "X-Refresh-Token";
+
+// src/utils/route.ts
+function getCorsHeaders(origin, allowedOrigins) {
+  if (!origin || !allowedOrigins.includes(origin)) return null;
+  return {
+    "Access-Control-Allow-Origin": origin,
+    "Access-Control-Allow-Methods": "GET, POST, PUT, DELETE, OPTIONS",
+    "Access-Control-Allow-Headers": `Content-Type, Authorization, ${REFRESH_HEADER_NAME}`,
+    "Access-Control-Allow-Credentials": "true"
+  };
+}
+function withCors(handler, allowedOrigins) {
+  if (!allowedOrigins?.length) return handler;
+  return ((req) => {
+    return handler(req).then((response) => {
+      if (!response) return response;
+      const corsHeaders = getCorsHeaders(
+        req.headers.get("origin"),
+        allowedOrigins
+      );
+      if (corsHeaders) {
+        Object.entries(corsHeaders).forEach(([key, value]) => {
+          response.headers.set(key, value);
+        });
+      }
+      return response;
+    });
+  });
+}
+
 // src/auth/email/utils.ts
 import { verify as verify2 } from "jsonwebtoken";
 
@@ -621,11 +655,6 @@ import { JsonWebTokenError, sign, verify } from "jsonwebtoken";
 import { cookies } from "next/headers";
 import { redirect } from "next/navigation";
 import { NextResponse } from "next/server";
-
-// src/auth/constants.ts
-var REFRESH_COOKIE_NAME = "refresh";
-
-// src/auth/email/token.ts
 function getUserIdFromRefreshToken(refreshToken) {
   if (refreshToken)
     try {
@@ -670,7 +699,8 @@ async function initGraphQLServer({
   authChecker,
   resolvers,
   plugins,
-  getContext: overrideGetContext
+  getContext: overrideGetContext,
+  allowedOrigins
 }) {
   const { typeDefs, resolvers: builtResolvers } = await buildTypeDefsAndResolvers({
     validate: true,
@@ -697,8 +727,12 @@ async function initGraphQLServer({
     context: overrideGetContext || getContext
   });
   return {
-    GET: (request) => handler(request),
-    POST: (request) => handler(request)
+    GET: withCors((request) => handler(request), allowedOrigins),
+    POST: withCors((request) => handler(request), allowedOrigins),
+    OPTIONS: withCors(
+      (_request) => Promise.resolve(new NextResponse3(null, { status: 204 })),
+      allowedOrigins
+    )
   };
 }
 

package/dist/graphql/init.cjs.js

@@ -27,6 +27,7 @@ var import_reflect_metadata = require("reflect-metadata");
 var import_server3 = require("@apollo/server");
 var import_default = require("@apollo/server/plugin/landingPage/default");
 var import_next = require("@as-integrations/next");
+var import_server4 = require("next/server");
 var import_type_graphql = require("type-graphql");
 
 // src/env.ts
@@ -78,6 +79,39 @@ function getEnv(key, skipCheck) {
   return value;
 }
 
+// src/auth/constants.ts
+var REFRESH_COOKIE_NAME = "refresh";
+var REFRESH_HEADER_NAME = "X-Refresh-Token";
+
+// src/utils/route.ts
+function getCorsHeaders(origin, allowedOrigins) {
+  if (!origin || !allowedOrigins.includes(origin)) return null;
+  return {
+    "Access-Control-Allow-Origin": origin,
+    "Access-Control-Allow-Methods": "GET, POST, PUT, DELETE, OPTIONS",
+    "Access-Control-Allow-Headers": `Content-Type, Authorization, ${REFRESH_HEADER_NAME}`,
+    "Access-Control-Allow-Credentials": "true"
+  };
+}
+function withCors(handler, allowedOrigins) {
+  if (!allowedOrigins?.length) return handler;
+  return ((req) => {
+    return handler(req).then((response) => {
+      if (!response) return response;
+      const corsHeaders = getCorsHeaders(
+        req.headers.get("origin"),
+        allowedOrigins
+      );
+      if (corsHeaders) {
+        Object.entries(corsHeaders).forEach(([key, value]) => {
+          response.headers.set(key, value);
+        });
+      }
+      return response;
+    });
+  });
+}
+
 // src/auth/email/utils.ts
 var import_jsonwebtoken2 = require("jsonwebtoken");
 
@@ -87,11 +121,6 @@ var import_jsonwebtoken = require("jsonwebtoken");
 var import_headers = require("next/headers");
 var import_navigation = require("next/navigation");
 var import_server = require("next/server");
-
-// src/auth/constants.ts
-var REFRESH_COOKIE_NAME = "refresh";
-
-// src/auth/email/token.ts
 function getUserIdFromRefreshToken(refreshToken) {
   if (refreshToken)
     try {
@@ -136,7 +165,8 @@ async function initGraphQLServer({
   authChecker,
   resolvers,
   plugins,
-  getContext: overrideGetContext
+  getContext: overrideGetContext,
+  allowedOrigins
 }) {
   const { typeDefs, resolvers: builtResolvers } = await (0, import_type_graphql.buildTypeDefsAndResolvers)({
     validate: true,
@@ -163,8 +193,12 @@ async function initGraphQLServer({
     context: overrideGetContext || getContext
   });
   return {
-    GET: (request) => handler(request),
-    POST: (request) => handler(request)
+    GET: withCors((request) => handler(request), allowedOrigins),
+    POST: withCors((request) => handler(request), allowedOrigins),
+    OPTIONS: withCors(
+      (_request) => Promise.resolve(new import_server4.NextResponse(null, { status: 204 })),
+      allowedOrigins
+    )
   };
 }
 // Annotate the CommonJS export names for ESM import in node:

package/dist/graphql/init.d.mts

@@ -1,5 +1,5 @@
 import { ApolloServerPlugin } from '@apollo/server';
-import { NextRequest } from 'next/server';
+import { NextRequest, NextResponse } from 'next/server';
 import { AuthChecker, NonEmptyArray } from 'type-graphql';
 
 /**
@@ -35,14 +35,16 @@ import { AuthChecker, NonEmptyArray } from 'type-graphql';
  *
  * @category GraphQL
  */
-declare function initGraphQLServer({ authChecker, resolvers, plugins, getContext: overrideGetContext, }: {
+declare function initGraphQLServer({ authChecker, resolvers, plugins, getContext: overrideGetContext, allowedOrigins, }: {
     authChecker?: AuthChecker<any>;
     resolvers: NonEmptyArray<Function>;
     plugins?: ApolloServerPlugin[];
     getContext?: (req: NextRequest) => Promise<any> | any;
+    allowedOrigins?: string[];
 }): Promise<{
     GET: (request: NextRequest) => Promise<Response>;
     POST: (request: NextRequest) => Promise<Response>;
+    OPTIONS: (_request: NextRequest) => Promise<NextResponse<unknown>>;
 }>;
 
 export { initGraphQLServer };

package/dist/graphql/init.d.ts

@@ -1,5 +1,5 @@
 import { ApolloServerPlugin } from '@apollo/server';
-import { NextRequest } from 'next/server';
+import { NextRequest, NextResponse } from 'next/server';
 import { AuthChecker, NonEmptyArray } from 'type-graphql';
 
 /**
@@ -35,14 +35,16 @@ import { AuthChecker, NonEmptyArray } from 'type-graphql';
  *
  * @category GraphQL
  */
-declare function initGraphQLServer({ authChecker, resolvers, plugins, getContext: overrideGetContext, }: {
+declare function initGraphQLServer({ authChecker, resolvers, plugins, getContext: overrideGetContext, allowedOrigins, }: {
     authChecker?: AuthChecker<any>;
     resolvers: NonEmptyArray<Function>;
     plugins?: ApolloServerPlugin[];
     getContext?: (req: NextRequest) => Promise<any> | any;
+    allowedOrigins?: string[];
 }): Promise<{
     GET: (request: NextRequest) => Promise<Response>;
     POST: (request: NextRequest) => Promise<Response>;
+    OPTIONS: (_request: NextRequest) => Promise<NextResponse<unknown>>;
 }>;
 
 export { initGraphQLServer };

package/dist/graphql/init.esm.js

@@ -6,6 +6,7 @@ import {
   ApolloServerPluginLandingPageProductionDefault
 } from "@apollo/server/plugin/landingPage/default";
 import { startServerAndCreateNextHandler } from "@as-integrations/next";
+import { NextResponse as NextResponse3 } from "next/server";
 import {
   buildTypeDefsAndResolvers
 } from "type-graphql";
@@ -59,6 +60,39 @@ function getEnv(key, skipCheck) {
   return value;
 }
 
+// src/auth/constants.ts
+var REFRESH_COOKIE_NAME = "refresh";
+var REFRESH_HEADER_NAME = "X-Refresh-Token";
+
+// src/utils/route.ts
+function getCorsHeaders(origin, allowedOrigins) {
+  if (!origin || !allowedOrigins.includes(origin)) return null;
+  return {
+    "Access-Control-Allow-Origin": origin,
+    "Access-Control-Allow-Methods": "GET, POST, PUT, DELETE, OPTIONS",
+    "Access-Control-Allow-Headers": `Content-Type, Authorization, ${REFRESH_HEADER_NAME}`,
+    "Access-Control-Allow-Credentials": "true"
+  };
+}
+function withCors(handler, allowedOrigins) {
+  if (!allowedOrigins?.length) return handler;
+  return ((req) => {
+    return handler(req).then((response) => {
+      if (!response) return response;
+      const corsHeaders = getCorsHeaders(
+        req.headers.get("origin"),
+        allowedOrigins
+      );
+      if (corsHeaders) {
+        Object.entries(corsHeaders).forEach(([key, value]) => {
+          response.headers.set(key, value);
+        });
+      }
+      return response;
+    });
+  });
+}
+
 // src/auth/email/utils.ts
 import { verify as verify2 } from "jsonwebtoken";
 
@@ -68,11 +102,6 @@ import { JsonWebTokenError, sign, verify } from "jsonwebtoken";
 import { cookies } from "next/headers";
 import { redirect } from "next/navigation";
 import { NextResponse } from "next/server";
-
-// src/auth/constants.ts
-var REFRESH_COOKIE_NAME = "refresh";
-
-// src/auth/email/token.ts
 function getUserIdFromRefreshToken(refreshToken) {
   if (refreshToken)
     try {
@@ -117,7 +146,8 @@ async function initGraphQLServer({
   authChecker,
   resolvers,
   plugins,
-  getContext: overrideGetContext
+  getContext: overrideGetContext,
+  allowedOrigins
 }) {
   const { typeDefs, resolvers: builtResolvers } = await buildTypeDefsAndResolvers({
     validate: true,
@@ -144,8 +174,12 @@ async function initGraphQLServer({
     context: overrideGetContext || getContext
   });
   return {
-    GET: (request) => handler(request),
-    POST: (request) => handler(request)
+    GET: withCors((request) => handler(request), allowedOrigins),
+    POST: withCors((request) => handler(request), allowedOrigins),
+    OPTIONS: withCors(
+      (_request) => Promise.resolve(new NextResponse3(null, { status: 204 })),
+      allowedOrigins
+    )
   };
 }
 export {

package/dist/utils/route.cjs.js

@@ -0,0 +1,63 @@
+"use strict";
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+
+// src/utils/route.ts
+var route_exports = {};
+__export(route_exports, {
+  getCorsHeaders: () => getCorsHeaders,
+  withCors: () => withCors
+});
+module.exports = __toCommonJS(route_exports);
+
+// src/auth/constants.ts
+var REFRESH_HEADER_NAME = "X-Refresh-Token";
+
+// src/utils/route.ts
+function getCorsHeaders(origin, allowedOrigins) {
+  if (!origin || !allowedOrigins.includes(origin)) return null;
+  return {
+    "Access-Control-Allow-Origin": origin,
+    "Access-Control-Allow-Methods": "GET, POST, PUT, DELETE, OPTIONS",
+    "Access-Control-Allow-Headers": `Content-Type, Authorization, ${REFRESH_HEADER_NAME}`,
+    "Access-Control-Allow-Credentials": "true"
+  };
+}
+function withCors(handler, allowedOrigins) {
+  if (!allowedOrigins?.length) return handler;
+  return ((req) => {
+    return handler(req).then((response) => {
+      if (!response) return response;
+      const corsHeaders = getCorsHeaders(
+        req.headers.get("origin"),
+        allowedOrigins
+      );
+      if (corsHeaders) {
+        Object.entries(corsHeaders).forEach(([key, value]) => {
+          response.headers.set(key, value);
+        });
+      }
+      return response;
+    });
+  });
+}
+// Annotate the CommonJS export names for ESM import in node:
+0 && (module.exports = {
+  getCorsHeaders,
+  withCors
+});

package/dist/utils/route.d.mts

@@ -0,0 +1,11 @@
+import { NextRequest, NextResponse } from 'next/server';
+
+declare function getCorsHeaders(origin: string | null, allowedOrigins: string[]): {
+    "Access-Control-Allow-Origin": string;
+    "Access-Control-Allow-Methods": string;
+    "Access-Control-Allow-Headers": string;
+    "Access-Control-Allow-Credentials": string;
+} | null;
+declare function withCors<T extends (req: NextRequest) => Promise<NextResponse | Response | undefined>>(handler: T, allowedOrigins?: string[]): T;
+
+export { getCorsHeaders, withCors };

package/dist/utils/route.d.ts

@@ -0,0 +1,11 @@
+import { NextRequest, NextResponse } from 'next/server';
+
+declare function getCorsHeaders(origin: string | null, allowedOrigins: string[]): {
+    "Access-Control-Allow-Origin": string;
+    "Access-Control-Allow-Methods": string;
+    "Access-Control-Allow-Headers": string;
+    "Access-Control-Allow-Credentials": string;
+} | null;
+declare function withCors<T extends (req: NextRequest) => Promise<NextResponse | Response | undefined>>(handler: T, allowedOrigins?: string[]): T;
+
+export { getCorsHeaders, withCors };

package/dist/utils/route.esm.js

@@ -0,0 +1,35 @@
+// src/auth/constants.ts
+var REFRESH_HEADER_NAME = "X-Refresh-Token";
+
+// src/utils/route.ts
+function getCorsHeaders(origin, allowedOrigins) {
+  if (!origin || !allowedOrigins.includes(origin)) return null;
+  return {
+    "Access-Control-Allow-Origin": origin,
+    "Access-Control-Allow-Methods": "GET, POST, PUT, DELETE, OPTIONS",
+    "Access-Control-Allow-Headers": `Content-Type, Authorization, ${REFRESH_HEADER_NAME}`,
+    "Access-Control-Allow-Credentials": "true"
+  };
+}
+function withCors(handler, allowedOrigins) {
+  if (!allowedOrigins?.length) return handler;
+  return ((req) => {
+    return handler(req).then((response) => {
+      if (!response) return response;
+      const corsHeaders = getCorsHeaders(
+        req.headers.get("origin"),
+        allowedOrigins
+      );
+      if (corsHeaders) {
+        Object.entries(corsHeaders).forEach(([key, value]) => {
+          response.headers.set(key, value);
+        });
+      }
+      return response;
+    });
+  });
+}
+export {
+  getCorsHeaders,
+  withCors
+};

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "naystack",
-  "version": "1.5.29",
+  "version": "1.5.31",
   "description": "A stack built with Next + GraphQL + S3 + Auth",
   "main": "dist/index.cjs.js",
   "module": "dist/index.esm.js",