@tenxyte/core - npm Package Compare versions

Comparing version 0.9.4 to 0.9.5

package.json

 {
   "name": "@tenxyte/core",
-  "version": "0.9.4",
+  "version": "0.9.5",
   "description": "Core JavaScript SDK for Tenxyte",
@@ -5,0 +5,0 @@ "main": "./dist/index.cjs",

README.md

@@ -35,3 +35,3 @@ # @tenxyte/core
     baseUrl: 'https://api.my-backend.com',
-    headers: { 'X-Access-Key': 'your-public-app-key' },
+    accessKey: 'your-public-app-key',
 });
@@ -51,3 +51,3 @@
 
-> **Important**: Never expose `X-Access-Secret` in frontend bundles. Use it exclusively server-side.
+> **Important**: Never pass `accessSecret` in frontend code. The SDK emits a runtime warning if it detects a browser environment. Use `accessKey` alone for SPAs — the backend validates the `Origin` header instead.
 
@@ -65,4 +65,8 @@ ---
 
+    // Application authentication (dual-mode)
+    accessKey: 'pkg_abc123',        // Public key — safe in browser and server
+    // accessSecret: process.env.TENXYTE_SECRET, // Private — server-to-server ONLY
+
     // Optional — extra headers for every request
-    headers: { 'X-Access-Key': 'pkg_abc123' },
+    headers: { 'X-Custom': 'value' },
 
@@ -101,2 +105,13 @@ // Optional — token storage backend (default: MemoryStorage)
 
+### Dual-Mode Application Authentication
+
+| Mode | Config | Use case |
+|------|--------|----------|
+| **Frontend** (browser) | `accessKey` only | SPAs, web apps — `Origin` header validated server-side |
+| **Backend** (server) | `accessKey` + `accessSecret` | Cron jobs, webhooks, admin scripts |
+
+- **Frontend**: the backend verifies the request's `Origin` header against the application's `allowed_origins` list. No secret needed.
+- **Backend**: the secret proves identity for server-to-server calls where there is no `Origin` header.
+- If `accessSecret` is used in a browser, the SDK prints a **console warning**.
+
 ---
@@ -293,5 +308,9 @@
     description: 'Backend service',
+    allowed_origins: ['https://myapp.com', 'https://staging.myapp.com'], // enables key-only frontend auth
 });
 const detail = await tx.applications.getApplication('app-id');
-await tx.applications.updateApplication('app-id', { name: 'Renamed' });
+await tx.applications.updateApplication('app-id', {
+    name: 'Renamed',
+    allowed_origins: [], // require secret for all requests
+});
 await tx.applications.patchApplication('app-id', { description: 'Updated desc' });
@@ -341,7 +360,7 @@ await tx.applications.deleteApplication('app-id');
 ```typescript
-const global = await tx.dashboard.getStats({ period: 'last_30_days' });
+const global = await tx.dashboard.getStats({ period: '30d', compare: true });
 const auth = await tx.dashboard.getAuthStats();
 const security = await tx.dashboard.getSecurityStats();
 const gdpr = await tx.dashboard.getGdprStats();
-const orgStats = await tx.dashboard.getOrganizationStats('acme-corp');
+const orgStats = await tx.dashboard.getOrganizationStats();
 ```
@@ -480,2 +499,6 @@
 
+7. **`accessKey` / `accessSecret` are now first-class config options** — Replace `headers: { 'X-Access-Key': '...' }` with `accessKey: '...'`. The old `headers` approach still works but is no longer recommended.
+
+8. **Dual-mode application auth** — The backend now supports key-only authentication for browsers (validated via `Origin` header). Pass `accessKey` alone for frontend apps. The SDK warns at runtime if `accessSecret` is used in a browser.
+
 ### New Features in v0.9
@@ -482,0 +505,0 @@

New alerts

URL strings

Supply chain risk

Package contains fragments of external URLs or IP addresses, which the package may be accessing at runtime.

Found 1 instance in 1 package

Improved metrics

Total package byte prevSize

689525

3.09%

Lines of code

6649

2.36%

Number of lines in readme file

513

4.69%

Worsened metrics

Number of low supply chain risk alerts

2

100%

No dependency changes