zudoku 0.78.1 → 0.79.0

package/dist/cli/cli.js

@@ -3853,7 +3853,7 @@ import {
 // package.json
 var package_default = {
   name: "zudoku",
-  version: "0.78.0",
+  version: "0.78.1",
   type: "module",
   sideEffects: [
     "**/*.css",
@@ -7786,6 +7786,7 @@ async function getViteConfig(dir, configEnv, options = {}) {
       "process.env.ZUDOKU_VERSION": JSON.stringify(package_default.version),
       "process.env.IS_ZUPLO": ZuploEnv.isZuplo,
       "import.meta.env.IS_ZUPLO": ZuploEnv.isZuplo,
+      "import.meta.env.ZUDOKU_HAS_SERVER": JSON.stringify(options.ssr === true),
       "import.meta.env.ZUPLO_PUBLIC_DEPLOYMENT_NAME": JSON.stringify(deploymentName),
       ...defineEnvVars([
         "SENTRY_DSN",

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "zudoku",
-  "version": "0.78.1",
+  "version": "0.79.0",
   "type": "module",
   "sideEffects": [
     "**/*.css",

package/src/app/entry.client.tsx

@@ -13,7 +13,9 @@ import { BootstrapClient } from "../lib/components/Bootstrap.js";
 import { joinUrl } from "../lib/util/joinUrl.js";
 import { getRoutesByConfig, shikiReady } from "./main.js";
 
-setupCookieSync(authState, joinUrl(config.basePath, "/__z/auth/session"));
+if (import.meta.env.ZUDOKU_HAS_SERVER) {
+  setupCookieSync(authState, joinUrl(config.basePath, "/__z/auth/session"));
+}
 
 const routes = getRoutesByConfig(config);
 // biome-ignore lint/style/noNonNullAssertion: We know the root element exists

package/src/app/entry.server.tsx

@@ -54,6 +54,31 @@ const safeSerialize = (data: unknown) =>
     .replace(/\u2028/g, "\\u2028")
     .replace(/\u2029/g, "\\u2029");
 
+// Profile must come from the verifier so a forged cookie can't render
+// protected HTML. SSG has no runtime cookie and short-circuits.
+const resolveSsrAuth = async (
+  request: Request,
+): Promise<SSRAuthState | undefined> => {
+  if (!import.meta.env.ZUDOKU_HAS_SERVER || !configuredAuthProvider) return;
+
+  const { accessToken } = parseCookies(request);
+  if (!accessToken || !verifier)
+    return { accessToken: undefined, profile: null };
+
+  try {
+    const verified = await verifier(accessToken);
+    return verified
+      ? { accessToken, profile: verified.profile }
+      : { accessToken: undefined, profile: null };
+  } catch (error) {
+    logger.error(
+      `SSR auth verifier error (${request.method} ${request.url}):`,
+      error,
+    );
+    return { accessToken: undefined, profile: null };
+  }
+};
+
 // Statically importing shiki.ts here ensures it's in the SSR bundle.
 // main.tsx dynamically imports it instead to enable lazy loading on the client.
 await import("virtual:zudoku-shiki-register").then(
@@ -75,27 +100,7 @@ export const handleRequest = async ({
   basePath?: string;
   bypassProtection?: boolean;
 }): Promise<Response> => {
-  const { accessToken } = parseCookies(request);
-  // Always derive profile from the verifier, never trust the client cookie.
-  // An unverified profile would let a stale/forged cookie render protected HTML.
-  let verifiedProfile: SSRAuthState["profile"] = null;
-  if (accessToken && verifier) {
-    try {
-      const verified = await verifier(accessToken);
-      if (verified) verifiedProfile = verified.profile;
-    } catch (error) {
-      logger.error(
-        `SSR auth verifier error (${request.method} ${request.url}):`,
-        error,
-      );
-    }
-  }
-  const ssrAuth: SSRAuthState | undefined = configuredAuthProvider
-    ? {
-        accessToken: verifiedProfile ? accessToken : undefined,
-        profile: verifiedProfile,
-      }
-    : undefined;
+  const ssrAuth = await resolveSsrAuth(request);
 
   // No-op lazy() on protected subtrees for unauthed requests so loaders
   // don't run for a 401 render.

package/src/app/main.tsx

@@ -151,8 +151,9 @@ export const getRoutesByConfig = (config: ZudokuConfig): RouteObject[] => {
             </Meta>
           ),
           errorElement: <RouterError />,
+          // Chunk-gate protected routes only in SSR; SSG has no 401 to avoid.
           children:
-            typeof window === "undefined"
+            typeof window === "undefined" || !import.meta.env.ZUDOKU_HAS_SERVER
               ? processRoutes(routes)
               : wrapProtectedRoutes(
                   processRoutes(routes),

package/src/lib/authentication/state.ts

@@ -49,11 +49,11 @@ const noopStorage: StateStorage = {
 const ssrAuthInitial =
   typeof window !== "undefined" ? window.ZUDOKU_SSR_AUTH : undefined;
 
-// When the server injected ZUDOKU_SSR_AUTH, cookies are the single source of
-// truth. Persisting would let stale localStorage contradict the SSR signal
-// (ghost login after cookies expire). SSG has no SSR signal, so persist the
-// full snapshot for reload continuity.
-const ssrMode = ssrAuthInitial !== undefined;
+// SSR builds use cookies as the source of truth; SSG uses localStorage.
+// `import.meta.env` is missing when this module is loaded outside a Vite
+// build (e.g. esbuild bundling a vite.*.config.ts), so guard the access.
+const ssrMode =
+  typeof import.meta.env !== "undefined" && import.meta.env.ZUDOKU_HAS_SERVER;
 
 export const authState = create<AuthState>()(
   persist(

package/src/vite/config.ts

@@ -123,6 +123,7 @@ export async function getViteConfig(
       "process.env.ZUDOKU_VERSION": JSON.stringify(packageJson.version),
       "process.env.IS_ZUPLO": ZuploEnv.isZuplo,
       "import.meta.env.IS_ZUPLO": ZuploEnv.isZuplo,
+      "import.meta.env.ZUDOKU_HAS_SERVER": JSON.stringify(options.ssr === true),
       "import.meta.env.ZUPLO_PUBLIC_DEPLOYMENT_NAME":
         JSON.stringify(deploymentName),
       ...defineEnvVars([

package/src/vite-env.d.ts

@@ -5,4 +5,5 @@ declare module "vite/modulepreload-polyfill" {}
 interface ImportMetaEnv {
   readonly IS_ZUPLO: boolean;
   readonly ZUPLO_BUILD_ID?: string;
+  readonly ZUDOKU_HAS_SERVER: boolean;
 }