sh3-core 0.17.2 → 0.19.1

package/dist/shards/types.d.ts

@@ -205,6 +205,35 @@ export interface ShardContext {
     registerVerb(verb: Verb): void;
     /** Obtain a file-oriented document handle scoped to this shard. */
     documents(options: DocumentHandleOptions): DocumentHandle;
+    /**
+     * Cross-origin-safe HTTP helper. Resolves relative `/api/...` paths
+     * against the configured serverUrl. In Tauri, routes through
+     * @tauri-apps/plugin-http (no browser CORS, cookies via reqwest).
+     * On web, behaves like `fetch` with `credentials: 'include'`.
+     *
+     * Server-shards must use this instead of global `fetch` to remain
+     * compatible with cross-origin clients (e.g. Tauri Android).
+     *
+     * @param path - Relative `/api/...` path or fully-qualified URL.
+     * @param init - Standard RequestInit.
+     */
+    fetch(path: string, init?: RequestInit): Promise<Response>;
+    /**
+     * The configured server base URL (e.g. `https://my-sh3.example.com`).
+     * Empty string when running local-only (no remote server).
+     * Use this as the `BaseAddress` for non-fetch HTTP clients (e.g. WASM .NET
+     * `HttpClient`) that cannot go through `ctx.fetch`.
+     */
+    readonly serverUrl: string;
+    /**
+     * Resolve a path to an absolute URL against the configured server, using
+     * the same rules as `ctx.fetch` but without making a request. Useful for
+     * WebSocket URLs and any transport that bypasses `ctx.fetch`.
+     *
+     * @param path - Relative `/api/...` path or fully-qualified URL.
+     * @returns Absolute URL string.
+     */
+    resolveUrl(path: string): string;
     /**
      * Declare environment state for this shard and receive a hydrated snapshot.
      * Env state is server-authoritative, fetched once at activation, and

package/dist/transport/apiFetch.d.ts

@@ -0,0 +1 @@
+export declare function apiFetch(url: string, init?: RequestInit): Promise<Response>;

package/dist/transport/apiFetch.js

@@ -0,0 +1,65 @@
+/*
+ * apiFetch — single source of truth for HTTP calls against the
+ * configured sh3-server, transparently using Tauri's plugin-http
+ * when running inside a Tauri webview.
+ *
+ * Browser fetch enforces CORS and respects SameSite cookie rules,
+ * which breaks cross-origin requests from a Tauri webview at e.g.
+ * `tauri://localhost` to a remote sh3-server. plugin-http (reqwest
+ * under the hood) is not subject to browser CORS and uses a
+ * per-host cookie store, so existing same-origin auth keeps working
+ * across origins.
+ *
+ * The plugin-http import is dynamic and behind try/catch — same
+ * defensive pattern as `platform/index.ts`. Vite code-splits it
+ * into a Tauri-only chunk that never loads in web builds.
+ */
+import { getAuthToken } from './authToken';
+let tauriFetch = null;
+let tauriProbed = false;
+function inTauriRuntime() {
+    // The plugin's fetch implementation calls into IPC via window.__TAURI__,
+    // so the *package being installed* is not enough — we have to be running
+    // inside a Tauri webview where these globals are injected.
+    if (typeof window === 'undefined')
+        return false;
+    return '__TAURI_INTERNALS__' in window || '__TAURI__' in window;
+}
+async function getTauriFetch() {
+    if (tauriProbed)
+        return tauriFetch;
+    tauriProbed = true;
+    if (!inTauriRuntime())
+        return null;
+    try {
+        // Static analysis is skipped so Vite/svelte-package don't try to bundle
+        // the optional Tauri-only dependency in pure-web builds.
+        const specifier = '@tauri-apps/plugin-http';
+        const mod = await import(/* @vite-ignore */ specifier);
+        tauriFetch = mod.fetch;
+    }
+    catch (_a) {
+        tauriFetch = null;
+    }
+    return tauriFetch;
+}
+export async function apiFetch(url, init) {
+    var _a;
+    // Inject Authorization: Bearer <session-token> if a session is active
+    // and the caller didn't already supply one. Cookies don't survive the
+    // cross-origin hop (SameSite=Lax + plugin-http has no cookie store),
+    // so the header carries the session for both transports uniformly.
+    const token = getAuthToken();
+    let finalInit = init !== null && init !== void 0 ? init : {};
+    if (token) {
+        const headers = new Headers((_a = finalInit.headers) !== null && _a !== void 0 ? _a : {});
+        if (!headers.has('Authorization')) {
+            headers.set('Authorization', `Bearer ${token}`);
+            finalInit = Object.assign(Object.assign({}, finalInit), { headers });
+        }
+    }
+    const tf = await getTauriFetch();
+    if (tf)
+        return tf(url, finalInit);
+    return fetch(url, Object.assign({ credentials: 'include' }, finalInit));
+}

package/dist/transport/apiFetch.test.d.ts

@@ -0,0 +1 @@
+export {};

package/dist/transport/apiFetch.test.js

@@ -0,0 +1,37 @@
+import { describe, expect, it, vi, beforeEach, afterEach } from 'vitest';
+describe('apiFetch', () => {
+    let originalFetch;
+    beforeEach(() => {
+        originalFetch = globalThis.fetch;
+        vi.resetModules();
+    });
+    afterEach(() => {
+        globalThis.fetch = originalFetch;
+    });
+    it('uses global fetch with credentials:include when Tauri plugin-http is unavailable', async () => {
+        const calls = [];
+        globalThis.fetch = vi.fn(async (input, init) => {
+            calls.push([input, init]);
+            return new Response('ok');
+        });
+        const { apiFetch } = await import('./apiFetch');
+        const res = await apiFetch('https://example.com/api/foo', { method: 'GET' });
+        expect(await res.text()).toBe('ok');
+        expect(calls).toHaveLength(1);
+        const [input, init] = calls[0];
+        expect(input).toBe('https://example.com/api/foo');
+        expect(init.credentials).toBe('include');
+        expect(init.method).toBe('GET');
+    });
+    it('lets caller-provided credentials override the default', async () => {
+        const calls = [];
+        globalThis.fetch = vi.fn(async (input, init) => {
+            calls.push([input, init]);
+            return new Response('ok');
+        });
+        const { apiFetch } = await import('./apiFetch');
+        await apiFetch('https://example.com/api/foo', { credentials: 'omit' });
+        const [, init] = calls[0];
+        expect(init.credentials).toBe('omit');
+    });
+});

package/dist/transport/authToken.d.ts

@@ -0,0 +1,2 @@
+export declare function setAuthToken(value: string | null): void;
+export declare function getAuthToken(): string | null;

package/dist/transport/authToken.js

@@ -0,0 +1,53 @@
+/*
+ * Auth-token store used by `apiFetch` to attach `Authorization: Bearer
+ * <token>` to every request when a session exists.
+ *
+ * The browser auth flow relies on Set-Cookie + same-origin requests to
+ * keep the session alive. That breaks down for cross-origin Tauri
+ * clients (e.g. Android): the WebView's origin is `tauri://localhost`
+ * and the sh3-server lives on a different domain, so the session
+ * cookie is treated as cross-site and dropped under SameSite=Lax. On
+ * top of that, `@tauri-apps/plugin-http` (reqwest under the hood)
+ * doesn't enable a persistent cookie store by default, so even if
+ * SameSite weren't an issue cookies wouldn't survive between calls.
+ *
+ * Carrying the session token in a header sidesteps both problems.
+ * `auth.svelte.ts` populates this store after login/register/initFromBoot
+ * and clears it on logout. The token is mirrored to localStorage so an
+ * app restart doesn't dump the user back at the sign-in wall.
+ */
+const KEY = 'sh3:authToken';
+let token = null;
+let restored = false;
+function restore() {
+    if (restored)
+        return;
+    restored = true;
+    if (typeof localStorage === 'undefined')
+        return;
+    try {
+        token = localStorage.getItem(KEY);
+    }
+    catch (_a) {
+        token = null;
+    }
+}
+export function setAuthToken(value) {
+    restored = true;
+    token = value;
+    if (typeof localStorage === 'undefined')
+        return;
+    try {
+        if (value)
+            localStorage.setItem(KEY, value);
+        else
+            localStorage.removeItem(KEY);
+    }
+    catch (_a) {
+        // localStorage may be disabled (private browsing); in-memory copy still works.
+    }
+}
+export function getAuthToken() {
+    restore();
+    return token;
+}

package/dist/transport/authToken.test.d.ts

@@ -0,0 +1 @@
+export {};

package/dist/transport/authToken.test.js

@@ -0,0 +1,33 @@
+import { describe, expect, it, beforeEach, vi } from 'vitest';
+describe('authToken', () => {
+    beforeEach(() => {
+        vi.resetModules();
+        if (typeof localStorage !== 'undefined')
+            localStorage.clear();
+    });
+    it('returns null when nothing stored', async () => {
+        const { getAuthToken } = await import('./authToken');
+        expect(getAuthToken()).toBeNull();
+    });
+    it('round-trips set/get', async () => {
+        const { setAuthToken, getAuthToken } = await import('./authToken');
+        setAuthToken('sh3s_deadbeef');
+        expect(getAuthToken()).toBe('sh3s_deadbeef');
+    });
+    it('persists across module re-imports via localStorage', async () => {
+        const first = await import('./authToken');
+        first.setAuthToken('sh3s_persisted');
+        vi.resetModules();
+        const second = await import('./authToken');
+        expect(second.getAuthToken()).toBe('sh3s_persisted');
+    });
+    it('clear removes from storage', async () => {
+        const { setAuthToken, getAuthToken } = await import('./authToken');
+        setAuthToken('sh3s_x');
+        setAuthToken(null);
+        expect(getAuthToken()).toBeNull();
+        vi.resetModules();
+        const reloaded = await import('./authToken');
+        expect(reloaded.getAuthToken()).toBeNull();
+    });
+});

package/dist/version.d.ts

@@ -1,2 +1,2 @@
 /** Auto-generated from package.json — do not edit manually. */
-export declare const VERSION = "0.17.2";
+export declare const VERSION = "0.19.1";

package/dist/version.js

@@ -1,2 +1,2 @@
 /** Auto-generated from package.json — do not edit manually. */
-export const VERSION = '0.17.2';
+export const VERSION = '0.19.1';

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "sh3-core",
-  "version": "0.17.2",
+  "version": "0.19.1",
   "type": "module",
   "files": [
     "dist"