naystack 1.5.30 → 1.5.32

package/dist/auth/constants.cjs.js

@@ -20,11 +20,14 @@ var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: tru
 // src/auth/constants.ts
 var constants_exports = {};
 __export(constants_exports, {
-  REFRESH_COOKIE_NAME: () => REFRESH_COOKIE_NAME
+  REFRESH_COOKIE_NAME: () => REFRESH_COOKIE_NAME,
+  REFRESH_HEADER_NAME: () => REFRESH_HEADER_NAME
 });
 module.exports = __toCommonJS(constants_exports);
 var REFRESH_COOKIE_NAME = "refresh";
+var REFRESH_HEADER_NAME = "X-Refresh-Token";
 // Annotate the CommonJS export names for ESM import in node:
 0 && (module.exports = {
-  REFRESH_COOKIE_NAME
+  REFRESH_COOKIE_NAME,
+  REFRESH_HEADER_NAME
 });

package/dist/auth/constants.d.mts

@@ -3,5 +3,6 @@
  * @category Auth
  */
 declare const REFRESH_COOKIE_NAME = "refresh";
+declare const REFRESH_HEADER_NAME = "X-Refresh-Token";
 
-export { REFRESH_COOKIE_NAME };
+export { REFRESH_COOKIE_NAME, REFRESH_HEADER_NAME };

package/dist/auth/constants.d.ts

@@ -3,5 +3,6 @@
  * @category Auth
  */
 declare const REFRESH_COOKIE_NAME = "refresh";
+declare const REFRESH_HEADER_NAME = "X-Refresh-Token";
 
-export { REFRESH_COOKIE_NAME };
+export { REFRESH_COOKIE_NAME, REFRESH_HEADER_NAME };

package/dist/auth/constants.esm.js

@@ -1,5 +1,7 @@
 // src/auth/constants.ts
 var REFRESH_COOKIE_NAME = "refresh";
+var REFRESH_HEADER_NAME = "X-Refresh-Token";
 export {
-  REFRESH_COOKIE_NAME
+  REFRESH_COOKIE_NAME,
+  REFRESH_HEADER_NAME
 };

package/dist/auth/email/client.cjs.js

@@ -45,7 +45,7 @@ module.exports = __toCommonJS(client_exports);
 var import_react = __toESM(require("react"));
 
 // src/auth/constants.ts
-var REFRESH_COOKIE_NAME = "refresh";
+var REFRESH_HEADER_NAME = "X-Refresh-Token";
 
 // src/env.ts
 var getEnvValue = (key) => {
@@ -116,13 +116,12 @@ var AuthWrapper = ({
 function useAuthFetch(getRefreshToken) {
   const setToken = useSetToken();
   const fetchToken = async () => {
-    const url = new URL(getEnv("NEXT_PUBLIC_EMAIL_AUTH_ENDPOINT" /* NEXT_PUBLIC_EMAIL_AUTH_ENDPOINT */));
-    if (getRefreshToken) {
-      const token = await getRefreshToken();
-      if (token) url.searchParams.set(REFRESH_COOKIE_NAME, token);
-    }
-    fetch(url, {
-      credentials: "include"
+    const token = getRefreshToken ? await getRefreshToken() : null;
+    fetch(getEnv("NEXT_PUBLIC_EMAIL_AUTH_ENDPOINT" /* NEXT_PUBLIC_EMAIL_AUTH_ENDPOINT */), {
+      credentials: "include",
+      headers: token ? {
+        [REFRESH_HEADER_NAME]: token
+      } : void 0
     }).then((res) => res.json()).then((data) => setToken(data.accessToken));
   };
   (0, import_react.useEffect)(() => {

package/dist/auth/email/client.esm.js

@@ -10,7 +10,7 @@ import React, {
 } from "react";
 
 // src/auth/constants.ts
-var REFRESH_COOKIE_NAME = "refresh";
+var REFRESH_HEADER_NAME = "X-Refresh-Token";
 
 // src/env.ts
 var getEnvValue = (key) => {
@@ -81,13 +81,12 @@ var AuthWrapper = ({
 function useAuthFetch(getRefreshToken) {
   const setToken = useSetToken();
   const fetchToken = async () => {
-    const url = new URL(getEnv("NEXT_PUBLIC_EMAIL_AUTH_ENDPOINT" /* NEXT_PUBLIC_EMAIL_AUTH_ENDPOINT */));
-    if (getRefreshToken) {
-      const token = await getRefreshToken();
-      if (token) url.searchParams.set(REFRESH_COOKIE_NAME, token);
-    }
-    fetch(url, {
-      credentials: "include"
+    const token = getRefreshToken ? await getRefreshToken() : null;
+    fetch(getEnv("NEXT_PUBLIC_EMAIL_AUTH_ENDPOINT" /* NEXT_PUBLIC_EMAIL_AUTH_ENDPOINT */), {
+      credentials: "include",
+      headers: token ? {
+        [REFRESH_HEADER_NAME]: token
+      } : void 0
     }).then((res) => res.json()).then((data) => setToken(data.accessToken));
   };
   useEffect(() => {

package/dist/auth/email/index.cjs.js

@@ -38,13 +38,17 @@ __export(email_exports, {
 module.exports = __toCommonJS(email_exports);
 var import_server4 = require("next/server");
 
+// src/auth/constants.ts
+var REFRESH_COOKIE_NAME = "refresh";
+var REFRESH_HEADER_NAME = "X-Refresh-Token";
+
 // src/utils/route.ts
 function getCorsHeaders(origin, allowedOrigins) {
   if (!origin || !allowedOrigins.includes(origin)) return null;
   return {
     "Access-Control-Allow-Origin": origin,
     "Access-Control-Allow-Methods": "GET, POST, PUT, DELETE, OPTIONS",
-    "Access-Control-Allow-Headers": "Content-Type, Authorization",
+    "Access-Control-Allow-Headers": `Content-Type, Authorization, ${REFRESH_HEADER_NAME}`,
     "Access-Control-Allow-Credentials": "true"
   };
 }
@@ -123,9 +127,6 @@ function getEnv(key, skipCheck) {
   return value;
 }
 
-// src/auth/constants.ts
-var REFRESH_COOKIE_NAME = "refresh";
-
 // src/auth/email/token.ts
 function generateAccessToken(id, signingKey) {
   return (0, import_jsonwebtoken.sign)({ id }, signingKey, {
@@ -271,11 +272,11 @@ var getDeleteRoute = (options) => async (req) => {
 
 // src/auth/email/routes/get.ts
 var getGetRoute = (options) => async (req) => {
-  const refresh = req.cookies.get(REFRESH_COOKIE_NAME)?.value || req.nextUrl.searchParams.get(REFRESH_COOKIE_NAME) || void 0;
+  const refresh = req.cookies.get(REFRESH_COOKIE_NAME)?.value || req.headers.get(REFRESH_HEADER_NAME) || void 0;
   const userID = getUserIdFromRefreshToken(refresh);
   if (userID) {
     if (options.onRefresh) {
-      const body = await req.json();
+      const body = await req.json().catch(() => null);
       await options.onRefresh?.(userID, body);
     }
     return getTokenizedResponse(

package/dist/auth/email/index.esm.js

@@ -1,13 +1,17 @@
 // src/auth/email/index.ts
 import { NextResponse as NextResponse3 } from "next/server";
 
+// src/auth/constants.ts
+var REFRESH_COOKIE_NAME = "refresh";
+var REFRESH_HEADER_NAME = "X-Refresh-Token";
+
 // src/utils/route.ts
 function getCorsHeaders(origin, allowedOrigins) {
   if (!origin || !allowedOrigins.includes(origin)) return null;
   return {
     "Access-Control-Allow-Origin": origin,
     "Access-Control-Allow-Methods": "GET, POST, PUT, DELETE, OPTIONS",
-    "Access-Control-Allow-Headers": "Content-Type, Authorization",
+    "Access-Control-Allow-Headers": `Content-Type, Authorization, ${REFRESH_HEADER_NAME}`,
     "Access-Control-Allow-Credentials": "true"
   };
 }
@@ -86,9 +90,6 @@ function getEnv(key, skipCheck) {
   return value;
 }
 
-// src/auth/constants.ts
-var REFRESH_COOKIE_NAME = "refresh";
-
 // src/auth/email/token.ts
 function generateAccessToken(id, signingKey) {
   return sign({ id }, signingKey, {
@@ -234,11 +235,11 @@ var getDeleteRoute = (options) => async (req) => {
 
 // src/auth/email/routes/get.ts
 var getGetRoute = (options) => async (req) => {
-  const refresh = req.cookies.get(REFRESH_COOKIE_NAME)?.value || req.nextUrl.searchParams.get(REFRESH_COOKIE_NAME) || void 0;
+  const refresh = req.cookies.get(REFRESH_COOKIE_NAME)?.value || req.headers.get(REFRESH_HEADER_NAME) || void 0;
   const userID = getUserIdFromRefreshToken(refresh);
   if (userID) {
     if (options.onRefresh) {
-      const body = await req.json();
+      const body = await req.json().catch(() => null);
       await options.onRefresh?.(userID, body);
     }
     return getTokenizedResponse(

package/dist/auth/email/routes/get.cjs.js

@@ -75,6 +75,7 @@ function getEnv(key, skipCheck) {
 
 // src/auth/constants.ts
 var REFRESH_COOKIE_NAME = "refresh";
+var REFRESH_HEADER_NAME = "X-Refresh-Token";
 
 // src/auth/email/token.ts
 var import_bcryptjs = require("bcryptjs");
@@ -123,11 +124,11 @@ function getUserIdFromRefreshToken(refreshToken) {
 
 // src/auth/email/routes/get.ts
 var getGetRoute = (options) => async (req) => {
-  const refresh = req.cookies.get(REFRESH_COOKIE_NAME)?.value || req.nextUrl.searchParams.get(REFRESH_COOKIE_NAME) || void 0;
+  const refresh = req.cookies.get(REFRESH_COOKIE_NAME)?.value || req.headers.get(REFRESH_HEADER_NAME) || void 0;
   const userID = getUserIdFromRefreshToken(refresh);
   if (userID) {
     if (options.onRefresh) {
-      const body = await req.json();
+      const body = await req.json().catch(() => null);
       await options.onRefresh?.(userID, body);
     }
     return getTokenizedResponse(

package/dist/auth/email/routes/get.esm.js

@@ -49,6 +49,7 @@ function getEnv(key, skipCheck) {
 
 // src/auth/constants.ts
 var REFRESH_COOKIE_NAME = "refresh";
+var REFRESH_HEADER_NAME = "X-Refresh-Token";
 
 // src/auth/email/token.ts
 import { compare } from "bcryptjs";
@@ -97,11 +98,11 @@ function getUserIdFromRefreshToken(refreshToken) {
 
 // src/auth/email/routes/get.ts
 var getGetRoute = (options) => async (req) => {
-  const refresh = req.cookies.get(REFRESH_COOKIE_NAME)?.value || req.nextUrl.searchParams.get(REFRESH_COOKIE_NAME) || void 0;
+  const refresh = req.cookies.get(REFRESH_COOKIE_NAME)?.value || req.headers.get(REFRESH_HEADER_NAME) || void 0;
   const userID = getUserIdFromRefreshToken(refresh);
   if (userID) {
     if (options.onRefresh) {
-      const body = await req.json();
+      const body = await req.json().catch(() => null);
       await options.onRefresh?.(userID, body);
     }
     return getTokenizedResponse(

package/dist/auth/index.cjs.js

@@ -44,13 +44,17 @@ module.exports = __toCommonJS(auth_exports);
 // src/auth/email/index.ts
 var import_server4 = require("next/server");
 
+// src/auth/constants.ts
+var REFRESH_COOKIE_NAME = "refresh";
+var REFRESH_HEADER_NAME = "X-Refresh-Token";
+
 // src/utils/route.ts
 function getCorsHeaders(origin, allowedOrigins) {
   if (!origin || !allowedOrigins.includes(origin)) return null;
   return {
     "Access-Control-Allow-Origin": origin,
     "Access-Control-Allow-Methods": "GET, POST, PUT, DELETE, OPTIONS",
-    "Access-Control-Allow-Headers": "Content-Type, Authorization",
+    "Access-Control-Allow-Headers": `Content-Type, Authorization, ${REFRESH_HEADER_NAME}`,
     "Access-Control-Allow-Credentials": "true"
   };
 }
@@ -129,9 +133,6 @@ function getEnv(key, skipCheck) {
   return value;
 }
 
-// src/auth/constants.ts
-var REFRESH_COOKIE_NAME = "refresh";
-
 // src/auth/email/token.ts
 function generateAccessToken(id, signingKey) {
   return (0, import_jsonwebtoken.sign)({ id }, signingKey, {
@@ -289,11 +290,11 @@ var getDeleteRoute = (options) => async (req) => {
 
 // src/auth/email/routes/get.ts
 var getGetRoute = (options) => async (req) => {
-  const refresh = req.cookies.get(REFRESH_COOKIE_NAME)?.value || req.nextUrl.searchParams.get(REFRESH_COOKIE_NAME) || void 0;
+  const refresh = req.cookies.get(REFRESH_COOKIE_NAME)?.value || req.headers.get(REFRESH_HEADER_NAME) || void 0;
   const userID = getUserIdFromRefreshToken(refresh);
   if (userID) {
     if (options.onRefresh) {
-      const body = await req.json();
+      const body = await req.json().catch(() => null);
       await options.onRefresh?.(userID, body);
     }
     return getTokenizedResponse(

package/dist/auth/index.esm.js

@@ -1,13 +1,17 @@
 // src/auth/email/index.ts
 import { NextResponse as NextResponse3 } from "next/server";
 
+// src/auth/constants.ts
+var REFRESH_COOKIE_NAME = "refresh";
+var REFRESH_HEADER_NAME = "X-Refresh-Token";
+
 // src/utils/route.ts
 function getCorsHeaders(origin, allowedOrigins) {
   if (!origin || !allowedOrigins.includes(origin)) return null;
   return {
     "Access-Control-Allow-Origin": origin,
     "Access-Control-Allow-Methods": "GET, POST, PUT, DELETE, OPTIONS",
-    "Access-Control-Allow-Headers": "Content-Type, Authorization",
+    "Access-Control-Allow-Headers": `Content-Type, Authorization, ${REFRESH_HEADER_NAME}`,
     "Access-Control-Allow-Credentials": "true"
   };
 }
@@ -86,9 +90,6 @@ function getEnv(key, skipCheck) {
   return value;
 }
 
-// src/auth/constants.ts
-var REFRESH_COOKIE_NAME = "refresh";
-
 // src/auth/email/token.ts
 function generateAccessToken(id, signingKey) {
   return sign({ id }, signingKey, {
@@ -246,11 +247,11 @@ var getDeleteRoute = (options) => async (req) => {
 
 // src/auth/email/routes/get.ts
 var getGetRoute = (options) => async (req) => {
-  const refresh = req.cookies.get(REFRESH_COOKIE_NAME)?.value || req.nextUrl.searchParams.get(REFRESH_COOKIE_NAME) || void 0;
+  const refresh = req.cookies.get(REFRESH_COOKIE_NAME)?.value || req.headers.get(REFRESH_HEADER_NAME) || void 0;
   const userID = getUserIdFromRefreshToken(refresh);
   if (userID) {
     if (options.onRefresh) {
-      const body = await req.json();
+      const body = await req.json().catch(() => null);
       await options.onRefresh?.(userID, body);
     }
     return getTokenizedResponse(

package/dist/graphql/index.cjs.js

@@ -574,6 +574,7 @@ var import_reflect_metadata = require("reflect-metadata");
 var import_server3 = require("@apollo/server");
 var import_default = require("@apollo/server/plugin/landingPage/default");
 var import_next = require("@as-integrations/next");
+var import_server4 = require("next/server");
 var import_type_graphql = require("type-graphql");
 
 // src/env.ts
@@ -625,13 +626,17 @@ function getEnv(key, skipCheck) {
   return value;
 }
 
+// src/auth/constants.ts
+var REFRESH_COOKIE_NAME = "refresh";
+var REFRESH_HEADER_NAME = "X-Refresh-Token";
+
 // src/utils/route.ts
 function getCorsHeaders(origin, allowedOrigins) {
   if (!origin || !allowedOrigins.includes(origin)) return null;
   return {
     "Access-Control-Allow-Origin": origin,
     "Access-Control-Allow-Methods": "GET, POST, PUT, DELETE, OPTIONS",
-    "Access-Control-Allow-Headers": "Content-Type, Authorization",
+    "Access-Control-Allow-Headers": `Content-Type, Authorization, ${REFRESH_HEADER_NAME}`,
     "Access-Control-Allow-Credentials": "true"
   };
 }
@@ -663,11 +668,6 @@ var import_jsonwebtoken = require("jsonwebtoken");
 var import_headers = require("next/headers");
 var import_navigation = require("next/navigation");
 var import_server = require("next/server");
-
-// src/auth/constants.ts
-var REFRESH_COOKIE_NAME = "refresh";
-
-// src/auth/email/token.ts
 function getUserIdFromRefreshToken(refreshToken) {
   if (refreshToken)
     try {
@@ -741,7 +741,19 @@ async function initGraphQLServer({
   });
   return {
     GET: withCors((request) => handler(request), allowedOrigins),
-    POST: withCors((request) => handler(request), allowedOrigins)
+    POST: withCors((request) => handler(request), allowedOrigins),
+    ...allowedOrigins?.length ? {
+      OPTIONS: (req) => {
+        const corsHeaders = getCorsHeaders(
+          req.headers.get("origin"),
+          allowedOrigins
+        );
+        return new import_server4.NextResponse(null, {
+          status: 204,
+          headers: corsHeaders ?? void 0
+        });
+      }
+    } : {}
   };
 }
 

package/dist/graphql/index.esm.js

@@ -559,6 +559,7 @@ import {
   ApolloServerPluginLandingPageProductionDefault
 } from "@apollo/server/plugin/landingPage/default";
 import { startServerAndCreateNextHandler } from "@as-integrations/next";
+import { NextResponse as NextResponse3 } from "next/server";
 import {
   buildTypeDefsAndResolvers
 } from "type-graphql";
@@ -612,13 +613,17 @@ function getEnv(key, skipCheck) {
   return value;
 }
 
+// src/auth/constants.ts
+var REFRESH_COOKIE_NAME = "refresh";
+var REFRESH_HEADER_NAME = "X-Refresh-Token";
+
 // src/utils/route.ts
 function getCorsHeaders(origin, allowedOrigins) {
   if (!origin || !allowedOrigins.includes(origin)) return null;
   return {
     "Access-Control-Allow-Origin": origin,
     "Access-Control-Allow-Methods": "GET, POST, PUT, DELETE, OPTIONS",
-    "Access-Control-Allow-Headers": "Content-Type, Authorization",
+    "Access-Control-Allow-Headers": `Content-Type, Authorization, ${REFRESH_HEADER_NAME}`,
     "Access-Control-Allow-Credentials": "true"
   };
 }
@@ -650,11 +655,6 @@ import { JsonWebTokenError, sign, verify } from "jsonwebtoken";
 import { cookies } from "next/headers";
 import { redirect } from "next/navigation";
 import { NextResponse } from "next/server";
-
-// src/auth/constants.ts
-var REFRESH_COOKIE_NAME = "refresh";
-
-// src/auth/email/token.ts
 function getUserIdFromRefreshToken(refreshToken) {
   if (refreshToken)
     try {
@@ -728,7 +728,19 @@ async function initGraphQLServer({
   });
   return {
     GET: withCors((request) => handler(request), allowedOrigins),
-    POST: withCors((request) => handler(request), allowedOrigins)
+    POST: withCors((request) => handler(request), allowedOrigins),
+    ...allowedOrigins?.length ? {
+      OPTIONS: (req) => {
+        const corsHeaders = getCorsHeaders(
+          req.headers.get("origin"),
+          allowedOrigins
+        );
+        return new NextResponse3(null, {
+          status: 204,
+          headers: corsHeaders ?? void 0
+        });
+      }
+    } : {}
   };
 }
 

package/dist/graphql/init.cjs.js

@@ -27,6 +27,7 @@ var import_reflect_metadata = require("reflect-metadata");
 var import_server3 = require("@apollo/server");
 var import_default = require("@apollo/server/plugin/landingPage/default");
 var import_next = require("@as-integrations/next");
+var import_server4 = require("next/server");
 var import_type_graphql = require("type-graphql");
 
 // src/env.ts
@@ -78,13 +79,17 @@ function getEnv(key, skipCheck) {
   return value;
 }
 
+// src/auth/constants.ts
+var REFRESH_COOKIE_NAME = "refresh";
+var REFRESH_HEADER_NAME = "X-Refresh-Token";
+
 // src/utils/route.ts
 function getCorsHeaders(origin, allowedOrigins) {
   if (!origin || !allowedOrigins.includes(origin)) return null;
   return {
     "Access-Control-Allow-Origin": origin,
     "Access-Control-Allow-Methods": "GET, POST, PUT, DELETE, OPTIONS",
-    "Access-Control-Allow-Headers": "Content-Type, Authorization",
+    "Access-Control-Allow-Headers": `Content-Type, Authorization, ${REFRESH_HEADER_NAME}`,
     "Access-Control-Allow-Credentials": "true"
   };
 }
@@ -116,11 +121,6 @@ var import_jsonwebtoken = require("jsonwebtoken");
 var import_headers = require("next/headers");
 var import_navigation = require("next/navigation");
 var import_server = require("next/server");
-
-// src/auth/constants.ts
-var REFRESH_COOKIE_NAME = "refresh";
-
-// src/auth/email/token.ts
 function getUserIdFromRefreshToken(refreshToken) {
   if (refreshToken)
     try {
@@ -194,7 +194,19 @@ async function initGraphQLServer({
   });
   return {
     GET: withCors((request) => handler(request), allowedOrigins),
-    POST: withCors((request) => handler(request), allowedOrigins)
+    POST: withCors((request) => handler(request), allowedOrigins),
+    ...allowedOrigins?.length ? {
+      OPTIONS: (req) => {
+        const corsHeaders = getCorsHeaders(
+          req.headers.get("origin"),
+          allowedOrigins
+        );
+        return new import_server4.NextResponse(null, {
+          status: 204,
+          headers: corsHeaders ?? void 0
+        });
+      }
+    } : {}
   };
 }
 // Annotate the CommonJS export names for ESM import in node:

package/dist/graphql/init.d.mts

@@ -1,5 +1,5 @@
 import { ApolloServerPlugin } from '@apollo/server';
-import { NextRequest } from 'next/server';
+import { NextRequest, NextResponse } from 'next/server';
 import { AuthChecker, NonEmptyArray } from 'type-graphql';
 
 /**
@@ -42,6 +42,7 @@ declare function initGraphQLServer({ authChecker, resolvers, plugins, getContext
     getContext?: (req: NextRequest) => Promise<any> | any;
     allowedOrigins?: string[];
 }): Promise<{
+    OPTIONS?: ((req: NextRequest) => NextResponse<unknown>) | undefined;
     GET: (request: NextRequest) => Promise<Response>;
     POST: (request: NextRequest) => Promise<Response>;
 }>;

package/dist/graphql/init.d.ts

@@ -1,5 +1,5 @@
 import { ApolloServerPlugin } from '@apollo/server';
-import { NextRequest } from 'next/server';
+import { NextRequest, NextResponse } from 'next/server';
 import { AuthChecker, NonEmptyArray } from 'type-graphql';
 
 /**
@@ -42,6 +42,7 @@ declare function initGraphQLServer({ authChecker, resolvers, plugins, getContext
     getContext?: (req: NextRequest) => Promise<any> | any;
     allowedOrigins?: string[];
 }): Promise<{
+    OPTIONS?: ((req: NextRequest) => NextResponse<unknown>) | undefined;
     GET: (request: NextRequest) => Promise<Response>;
     POST: (request: NextRequest) => Promise<Response>;
 }>;

package/dist/graphql/init.esm.js

@@ -6,6 +6,7 @@ import {
   ApolloServerPluginLandingPageProductionDefault
 } from "@apollo/server/plugin/landingPage/default";
 import { startServerAndCreateNextHandler } from "@as-integrations/next";
+import { NextResponse as NextResponse3 } from "next/server";
 import {
   buildTypeDefsAndResolvers
 } from "type-graphql";
@@ -59,13 +60,17 @@ function getEnv(key, skipCheck) {
   return value;
 }
 
+// src/auth/constants.ts
+var REFRESH_COOKIE_NAME = "refresh";
+var REFRESH_HEADER_NAME = "X-Refresh-Token";
+
 // src/utils/route.ts
 function getCorsHeaders(origin, allowedOrigins) {
   if (!origin || !allowedOrigins.includes(origin)) return null;
   return {
     "Access-Control-Allow-Origin": origin,
     "Access-Control-Allow-Methods": "GET, POST, PUT, DELETE, OPTIONS",
-    "Access-Control-Allow-Headers": "Content-Type, Authorization",
+    "Access-Control-Allow-Headers": `Content-Type, Authorization, ${REFRESH_HEADER_NAME}`,
     "Access-Control-Allow-Credentials": "true"
   };
 }
@@ -97,11 +102,6 @@ import { JsonWebTokenError, sign, verify } from "jsonwebtoken";
 import { cookies } from "next/headers";
 import { redirect } from "next/navigation";
 import { NextResponse } from "next/server";
-
-// src/auth/constants.ts
-var REFRESH_COOKIE_NAME = "refresh";
-
-// src/auth/email/token.ts
 function getUserIdFromRefreshToken(refreshToken) {
   if (refreshToken)
     try {
@@ -175,7 +175,19 @@ async function initGraphQLServer({
   });
   return {
     GET: withCors((request) => handler(request), allowedOrigins),
-    POST: withCors((request) => handler(request), allowedOrigins)
+    POST: withCors((request) => handler(request), allowedOrigins),
+    ...allowedOrigins?.length ? {
+      OPTIONS: (req) => {
+        const corsHeaders = getCorsHeaders(
+          req.headers.get("origin"),
+          allowedOrigins
+        );
+        return new NextResponse3(null, {
+          status: 204,
+          headers: corsHeaders ?? void 0
+        });
+      }
+    } : {}
   };
 }
 export {

package/dist/utils/route.cjs.js

@@ -24,12 +24,17 @@ __export(route_exports, {
   withCors: () => withCors
 });
 module.exports = __toCommonJS(route_exports);
+
+// src/auth/constants.ts
+var REFRESH_HEADER_NAME = "X-Refresh-Token";
+
+// src/utils/route.ts
 function getCorsHeaders(origin, allowedOrigins) {
   if (!origin || !allowedOrigins.includes(origin)) return null;
   return {
     "Access-Control-Allow-Origin": origin,
     "Access-Control-Allow-Methods": "GET, POST, PUT, DELETE, OPTIONS",
-    "Access-Control-Allow-Headers": "Content-Type, Authorization",
+    "Access-Control-Allow-Headers": `Content-Type, Authorization, ${REFRESH_HEADER_NAME}`,
     "Access-Control-Allow-Credentials": "true"
   };
 }

package/dist/utils/route.esm.js

@@ -1,10 +1,13 @@
+// src/auth/constants.ts
+var REFRESH_HEADER_NAME = "X-Refresh-Token";
+
 // src/utils/route.ts
 function getCorsHeaders(origin, allowedOrigins) {
   if (!origin || !allowedOrigins.includes(origin)) return null;
   return {
     "Access-Control-Allow-Origin": origin,
     "Access-Control-Allow-Methods": "GET, POST, PUT, DELETE, OPTIONS",
-    "Access-Control-Allow-Headers": "Content-Type, Authorization",
+    "Access-Control-Allow-Headers": `Content-Type, Authorization, ${REFRESH_HEADER_NAME}`,
     "Access-Control-Allow-Credentials": "true"
   };
 }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "naystack",
-  "version": "1.5.30",
+  "version": "1.5.32",
   "description": "A stack built with Next + GraphQL + S3 + Auth",
   "main": "dist/index.cjs.js",
   "module": "dist/index.esm.js",