npm - scorezilla - Versions diffs - 0.3.0-next.2 → 0.3.0-next.3 - Mend

scorezilla 0.3.0-next.2 → 0.3.0-next.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (23) hide show

package/API.md +48 -0
package/CHANGELOG.md +30 -0
package/README.md +54 -0
package/RECIPES.md +41 -0
package/dist/{errors-CtXMAHtJ.d.cts → errors-CWTmormh.d.cts} +1 -1
package/dist/{errors-CtXMAHtJ.d.ts → errors-CWTmormh.d.ts} +1 -1
package/dist/identity.cjs +116 -4
package/dist/identity.cjs.map +1 -1
package/dist/identity.d.cts +53 -20
package/dist/identity.d.ts +53 -20
package/dist/identity.js +116 -4
package/dist/identity.js.map +1 -1
package/dist/index.cjs +2 -2
package/dist/index.d.cts +2 -2
package/dist/index.d.ts +2 -2
package/dist/index.js +2 -2
package/dist/server.cjs +130 -1
package/dist/server.cjs.map +1 -1
package/dist/server.d.cts +55 -3
package/dist/server.d.ts +55 -3
package/dist/server.js +130 -2
package/dist/server.js.map +1 -1
package/package.json +5 -4

package/dist/index.js CHANGED Viewed

@@ -631,7 +631,7 @@ function validateMetadata(metadata) {
 }
 var Scorezilla = class _Scorezilla {
   /** The package version, injected at build time from `package.json`. */
-  static version = "0.3.0-next.2";
+  static version = "0.3.0-next.3";
   #config;
   #userAgent;
   #authHeader;
@@ -816,7 +816,7 @@ function createClient(config) {
 }
 // src/index.ts
-var SDK_VERSION = "0.3.0-next.2";
+var SDK_VERSION = "0.3.0-next.3";
 export { SDK_VERSION, Scorezilla, ScorezillaError, createClient, detectRuntime };
 //# sourceMappingURL=index.js.map

package/dist/server.cjs CHANGED Viewed

@@ -708,13 +708,141 @@ function verifyFirebaseIdToken(options) {
   });
 }
+// src/github-oauth.ts
+var GITHUB_TOKEN_URL = "https://github.com/login/oauth/access_token";
+var GITHUB_USER_URL = "https://api.github.com/user";
+var MESSAGE_SOURCE = "scorezilla:github-oauth";
+var USER_AGENT = "scorezilla-sdk-github-oauth";
+var STATE_RE = /^[A-Za-z0-9_-]{8,128}$/;
+var CODE_RE = /^[A-Za-z0-9_-]{1,128}$/;
+function createGitHubOAuthHandler(config) {
+  if (typeof config.clientId !== "string" || config.clientId.length === 0) {
+    throw new TypeError("createGitHubOAuthHandler: clientId is required.");
+  }
+  if (typeof config.clientSecret !== "string" || config.clientSecret.length === 0) {
+    throw new TypeError("createGitHubOAuthHandler: clientSecret is required.");
+  }
+  let allowedOrigin;
+  try {
+    const parsed = new URL(config.allowedOrigin);
+    allowedOrigin = parsed.origin;
+    if (allowedOrigin === "null") throw new Error("opaque origin");
+  } catch {
+    throw new TypeError(
+      "createGitHubOAuthHandler: allowedOrigin must be an absolute origin, e.g. 'https://mygame.example' (got " + JSON.stringify(config.allowedOrigin) + ")."
+    );
+  }
+  const fetchImpl = config.fetch ?? fetch;
+  return async (req) => {
+    if (req.method !== "GET") {
+      return new Response("method not allowed", { status: 405, headers: { allow: "GET" } });
+    }
+    const url = new URL(req.url);
+    const state = url.searchParams.get("state") ?? "";
+    const code = url.searchParams.get("code");
+    const ghError = url.searchParams.get("error");
+    if (!STATE_RE.test(state)) {
+      return new Response("invalid or missing state parameter", { status: 400 });
+    }
+    if (ghError !== null) {
+      return callbackPage(
+        { state, error: ghError === "access_denied" ? "access_denied" : "exchange_failed" },
+        allowedOrigin
+      );
+    }
+    if (code === null || !CODE_RE.test(code)) {
+      return new Response("invalid or missing code parameter", { status: 400 });
+    }
+    let accessToken;
+    try {
+      const tokenRes = await fetchImpl(GITHUB_TOKEN_URL, {
+        method: "POST",
+        headers: {
+          accept: "application/json",
+          "content-type": "application/x-www-form-urlencoded",
+          "user-agent": USER_AGENT
+        },
+        body: new URLSearchParams({
+          client_id: config.clientId,
+          client_secret: config.clientSecret,
+          code
+        }).toString()
+      });
+      const tokenBody = await tokenRes.json();
+      if (!tokenRes.ok || typeof tokenBody.access_token !== "string") {
+        return callbackPage({ state, error: "exchange_failed" }, allowedOrigin);
+      }
+      accessToken = tokenBody.access_token;
+    } catch {
+      return callbackPage({ state, error: "exchange_failed" }, allowedOrigin);
+    }
+    try {
+      const userRes = await fetchImpl(GITHUB_USER_URL, {
+        method: "GET",
+        headers: {
+          authorization: `Bearer ${accessToken}`,
+          accept: "application/vnd.github+json",
+          "user-agent": USER_AGENT
+        }
+      });
+      if (!userRes.ok) {
+        return callbackPage({ state, error: "exchange_failed" }, allowedOrigin);
+      }
+      const user = await userRes.json();
+      if (typeof user.id !== "number" || !Number.isSafeInteger(user.id)) {
+        return callbackPage({ state, error: "exchange_failed" }, allowedOrigin);
+      }
+      return callbackPage({ state, id: String(user.id) }, allowedOrigin);
+    } catch {
+      return callbackPage({ state, error: "exchange_failed" }, allowedOrigin);
+    }
+  };
+}
+function callbackPage(payload, allowedOrigin) {
+  const message = JSON.stringify({ source: MESSAGE_SOURCE, ...payload });
+  const target = JSON.stringify(allowedOrigin);
+  const html = `<!doctype html>
+<html>
+<head><meta charset="utf-8"><title>Signing in\u2026</title></head>
+<body>
+<script>
+(function () {
+  if (window.opener) {
+    window.opener.postMessage(${message}, ${target});
+    window.close();
+  } else {
+    document.body.textContent =
+      'Sign-in handled \u2014 you can close this window. (If this keeps appearing, ' +
+      'the game page may be setting Cross-Origin-Opener-Policy: same-origin, ' +
+      'which severs the popup link; use same-origin-allow-popups.)';
+  }
+})();
+</script>
+</body>
+</html>`;
+  return new Response(html, {
+    status: 200,
+    headers: {
+      "content-type": "text/html; charset=utf-8",
+      // One-shot page embedding a one-shot state — never cache it.
+      "cache-control": "no-store",
+      // The URL carried the OAuth `code`; nothing on this page may leak it.
+      "referrer-policy": "no-referrer",
+      // Defense in depth for the inline script: nothing else may load or
+      // run on this page even if a future regression reflected input here.
+      "content-security-policy": "default-src 'none'; script-src 'unsafe-inline'",
+      "x-content-type-options": "nosniff"
+    }
+  });
+}
 // src/server.ts
 var Scorezilla = class _Scorezilla {
   /** The package version, injected at build time from `package.json`.
    *  Mirrors the static on the public-key client so consumers can log
    *  the running SDK build the same way regardless of which surface
    *  they imported. */
-  static version = "0.3.0-next.2";
+  static version = "0.3.0-next.3";
   #keyId;
   #secret;
   #baseUrl;
@@ -983,6 +1111,7 @@ function isCorsOriginAllowed(rule, origin) {
 exports.Scorezilla = Scorezilla;
 exports.ScorezillaError = ScorezillaError;
+exports.createGitHubOAuthHandler = createGitHubOAuthHandler;
 exports.createScoreSubmitHandler = createScoreSubmitHandler;
 exports.verifyAuth0Jwt = verifyAuth0Jwt;
 exports.verifyClerkJwt = verifyClerkJwt;