security: SDK-wide audit fixes — remove token logging, fix XSS, harden passkeys

- OAuthManager: wrap JWT payload NSLog in #if DEBUG (was logging to system log in release)
- PasskeyHelper: rpId missing now throws error instead of falling back to "localhost"
- profile.ts: validate avatarUrl is http(s) + escape quotes (prevent javascript:/data: XSS)
- Centralize User-Agent version string to single authonSwiftVersion constant

Author: mikusnuz

packages/js/src/profile.ts

@@ -291,8 +291,9 @@ export class ProfileRenderer {
       .slice(0, 2)
       .join('');
 
-    const avatarHtml = u.avatarUrl
-      ? `<img class="avatar-img" src="${u.avatarUrl}" alt="${u.displayName || ''}" />`
+    const safeAvatarUrl = u.avatarUrl && /^https?:\/\//i.test(u.avatarUrl) ? u.avatarUrl : null;
+    const avatarHtml = safeAvatarUrl
+      ? `<img class="avatar-img" src="${safeAvatarUrl.replace(/"/g, '&quot;')}" alt="${(u.displayName || '').replace(/"/g, '&quot;')}" />`
       : `<div class="avatar-placeholder">${initials}</div>`;
 
     const closeBtn = this.mode === 'popup'

swift/Sources/Authon/Authon.swift

@@ -650,7 +650,7 @@ public final class Authon: ObservableObject {
         req.httpMethod = method
         req.setValue("application/json", forHTTPHeaderField: "Content-Type")
         req.setValue(api.publishableKey, forHTTPHeaderField: "x-api-key")
-        req.setValue("authon-swift/0.3.1", forHTTPHeaderField: "User-Agent")
+        req.setValue("authon-swift/\(authonSwiftVersion)", forHTTPHeaderField: "User-Agent")
 
         if let body {
             let encoder = JSONEncoder()

swift/Sources/Authon/AuthonAPI.swift

@@ -1,5 +1,7 @@
 import Foundation
 
+let authonSwiftVersion = "0.3.1"
+
 final class AuthonAPI: Sendable {
     let publishableKey: String
     let apiURL: String
@@ -51,7 +53,7 @@ final class AuthonAPI: Sendable {
         req.httpMethod = method
         req.setValue("application/json", forHTTPHeaderField: "Content-Type")
         req.setValue(publishableKey, forHTTPHeaderField: "x-api-key")
-        req.setValue("authon-swift/0.3.1", forHTTPHeaderField: "User-Agent")
+        req.setValue("authon-swift/\(authonSwiftVersion)", forHTTPHeaderField: "User-Agent")
 
         if let accessToken {
             req.setValue("Bearer \(accessToken)", forHTTPHeaderField: "Authorization")

swift/Sources/Authon/OAuthManager.swift

@@ -229,11 +229,13 @@ extension OAuthManager: ASAuthorizationControllerDelegate, ASAuthorizationContro
     }
 
     private func exchangeAppleToken(identityToken: String) async throws -> ApiAuthResponse {
-        // Decode JWT to check audience
+        #if DEBUG
+        // Debug-only: decode JWT to inspect audience (never log tokens in release builds)
         let parts = identityToken.split(separator: ".")
         if parts.count >= 2, let data = Data(base64Encoded: String(parts[1]).padding(toLength: ((parts[1].count + 3) / 4) * 4, withPad: "=", startingAt: 0)) {
             NSLog("[Authon-Apple] token payload: %@", String(data: data, encoding: .utf8) ?? "?")
         }
+        #endif
 
         struct NativeOAuthRequest: Encodable {
             let provider: String

swift/Sources/Authon/PasskeyHelper.swift

@@ -125,7 +125,9 @@ final class PasskeyHelper: NSObject, ASAuthorizationControllerDelegate, ASAuthor
             throw AuthonError(statusCode: 400, message: "Invalid challenge", code: "invalid_challenge")
         }
 
-        let rpId = options.rpId ?? "localhost"
+        guard let rpId = options.rpId, !rpId.isEmpty else {
+            throw AuthonError(statusCode: 400, message: "Server did not provide rpId for passkey authentication", code: "missing_rp_id")
+        }
         let provider = ASAuthorizationPlatformPublicKeyCredentialProvider(relyingPartyIdentifier: rpId)
         let request = provider.createCredentialAssertionRequest(challenge: challengeData)