@haven-team/helix-gate
v0.1.0
Express middleware that restricts a Helix sub-app to being served inside the Helix shell iframe (token -> session cookie -> redirect to shell).
Downloads
209
Express middleware that restricts a Helix sub-app to being served inside the Helix shell iframe.
The shell loads each app with a ?helix_token query param. On the first request carrying it, the middleware mints a short-lived helix_session cookie so in-iframe navigation, static assets, and same-origin API calls don't need to re-carry the token. A request with neither token nor cookie is redirected to the shell, which re-opens the app in its iframe with a fresh token.
This is serving/transport glue only — there is no API surface and no data access in this package. The real auth boundary is each backend validating the Helix token on every request.
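The three-way decision described above, as an added sketch that is not the package's source. The names `gateDecision` and `parseCookies`, the cookie value (the token itself) and the cookie attributes are assumptions; `SameSite=None` assumes the sub-app is hosted on a different site than the shell.

```javascript
// Added sketch of the gate's decision flow; NOT @haven-team/helix-gate's code.
// Assumptions: the cookie stores the token value, and the attributes below.
// The token is opaque here and is not validated; per the README, each
// backend validates it on every request.
const DEFAULTS = {
  shellOrigin: 'https://app.myhavenbot.com',
  cookieName: 'helix_session',
  maxAgeMs: 28800000, // 8h
};

// Minimal Cookie header parser (hypothetical helper). Values are kept raw:
// only presence is checked, so a malformed value cannot throw.
function parseCookies(header = '') {
  const out = {};
  for (const part of header.split(';')) {
    const i = part.indexOf('=');
    if (i > 0) out[part.slice(0, i).trim()] = part.slice(i + 1).trim();
  }
  return out;
}

// req: { url, headers: { cookie } }. Returns what a middleware would do.
function gateDecision(req, options) {
  const o = { ...DEFAULTS, ...options };
  if (!o.slug) throw new Error('slug is required');
  // The base URL is only there so a path-relative req.url can be parsed.
  const url = new URL(req.url, 'http://placeholder.invalid');
  const token = url.searchParams.get('helix_token');
  if (token) {
    // First request from the shell: mint the session cookie.
    // SameSite=None; Secure lets the browser send it inside a cross-site
    // iframe; HttpOnly keeps it out of reach of page scripts.
    const maxAge = Math.floor(o.maxAgeMs / 1000);
    const setCookie = `${o.cookieName}=${encodeURIComponent(token)}; Max-Age=${maxAge}` +
      '; Path=/; HttpOnly; Secure; SameSite=None';
    return { action: 'next', setCookie };
  }
  if (parseCookies(req.headers.cookie)[o.cookieName]) {
    return { action: 'next' }; // in-iframe navigation, assets, same-origin API
  }
  // Neither token nor cookie: redirect to the shell. The target is built
  // from configuration only, never from request input.
  const location = `${o.shellOrigin}/helix-apps/${encodeURIComponent(o.slug)}`;
  return { action: 'redirect', location };
}
```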
Usage
```js
const express = require('express');
const { helixIframeGate } = require('@haven-team/helix-gate');
const app = express();
// Gate before static + routes. API proxying that relies on a same-origin
// session cookie should come after this.
app.use(helixIframeGate({ slug: 'kaya-payroll' }));
```
Options
| Option | Default | Description |
|---------------|---------------------------------|-------------|
| slug | (required) | Redirect target is ${shellOrigin}/helix-apps/${slug}. |
| shellOrigin | https://app.myhavenbot.com | Helix shell origin. |
| cookieName | helix_session | Session cookie name. |
| maxAgeMs | 28800000 (8h) | Cookie lifetime. |
