npm - @alepha/react - Versions diffs - 0.5.2 → 0.6.0 - Mend

@alepha/react 0.5.2 → 0.6.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (26) hide show

package/dist/index.browser.cjs +23 -19
package/dist/index.browser.js +5 -4
package/dist/index.cjs +419 -339
package/dist/index.d.ts +591 -420
package/dist/index.js +398 -320
package/dist/{useRouterState-BlKHWZwk.cjs → useAuth-DOVx2kqa.cjs} +243 -102
package/dist/{useRouterState-CvFCmaq7.js → useAuth-i7wbKVrt.js} +214 -77
package/package.json +20 -18
package/src/components/Link.tsx +22 -0
package/src/components/NestedView.tsx +2 -2
package/src/constants/SSID.ts +1 -0
package/src/contexts/RouterContext.ts +2 -2
package/src/descriptors/$auth.ts +28 -0
package/src/descriptors/$page.ts +57 -3
package/src/errors/RedirectionError.ts +7 -0
package/src/hooks/useAuth.ts +29 -0
package/src/hooks/useInject.ts +3 -3
package/src/index.browser.ts +3 -1
package/src/index.shared.ts +14 -3
package/src/index.ts +23 -6
package/src/providers/ReactAuthProvider.ts +410 -0
package/src/providers/ReactBrowserProvider.ts +41 -19
package/src/providers/ReactServerProvider.ts +105 -48
package/src/services/Auth.ts +45 -0
package/src/services/Router.ts +154 -41
package/src/providers/ReactSessionProvider.ts +0 -363

package/dist/index.cjs CHANGED Viewed

@@ -2,19 +2,316 @@
 var core = require('@alepha/core');
 var server = require('@alepha/server');
-var useRouterState = require('./useRouterState-BlKHWZwk.cjs');
+var useAuth = require('./useAuth-DOVx2kqa.cjs');
+var openidClient = require('openid-client');
 var node_fs = require('node:fs');
 var promises = require('node:fs/promises');
 var node_path = require('node:path');
 var server$1 = require('react-dom/server');
-var crypto = require('node:crypto');
-var cache = require('@alepha/cache');
-var security = require('@alepha/security');
-var openidClient = require('openid-client');
+require('react/jsx-runtime');
 require('react');
 require('react-dom/client');
 require('path-to-regexp');
+class ReactAuthProvider {
+  log = core.$logger();
+  alepha = core.$inject(core.Alepha);
+  fastifyCookieProvider = core.$inject(server.FastifyCookieProvider);
+  authProviders = [];
+  authorizationCode = server.$cookie({
+    name: "authorizationCode",
+    ttl: { minutes: 15 },
+    httpOnly: true,
+    schema: core.t.object({
+      codeVerifier: core.t.optional(core.t.string({ size: "long" })),
+      redirectUri: core.t.optional(core.t.string({ size: "long" }))
+    })
+  });
+  tokens = server.$cookie({
+    name: "tokens",
+    ttl: { days: 1 },
+    httpOnly: true,
+    compress: true,
+    schema: core.t.object({
+      access_token: core.t.optional(core.t.string({ size: "rich" })),
+      expires_in: core.t.optional(core.t.number()),
+      refresh_token: core.t.optional(core.t.string({ size: "rich" })),
+      id_token: core.t.optional(core.t.string({ size: "rich" })),
+      scope: core.t.optional(core.t.string()),
+      issued_at: core.t.optional(core.t.number())
+    })
+  });
+  user = server.$cookie({
+    name: "user",
+    ttl: { days: 1 },
+    schema: core.t.object({
+      id: core.t.string(),
+      name: core.t.optional(core.t.string()),
+      email: core.t.optional(core.t.string())
+    })
+  });
+  configure = core.$hook({
+    name: "configure",
+    handler: async () => {
+      const auths = this.alepha.getDescriptorValues(useAuth.$auth);
+      for (const auth of auths) {
+        const options = auth.value.options;
+        if (options.oidc) {
+          this.authProviders.push({
+            name: options.name ?? auth.key,
+            redirectUri: options.oidc.redirectUri ?? "/api/_oauth/callback",
+            client: await openidClient.discovery(
+              new URL(options.oidc.issuer),
+              options.oidc.clientId,
+              {
+                client_secret: options.oidc.clientSecret
+              },
+              void 0,
+              {
+                execute: [openidClient.allowInsecureRequests]
+              }
+            )
+          });
+        }
+      }
+    }
+  });
+  /**
+   * Configure Fastify to forward Session Access Token to Header Authorization.
+   */
+  configureFastify = core.$hook({
+    name: "configure:fastify",
+    after: this.fastifyCookieProvider,
+    handler: async (app) => {
+      app.addHook("onRequest", async (req) => {
+        if (req.cookies && !this.isViteFile(req.url) && !!this.authProviders.length) {
+          const tokens = await this.refresh(req.cookies);
+          if (tokens) {
+            req.headers.authorization = `Bearer ${tokens.access_token}`;
+          }
+          if (this.user.get(req.cookies) && !this.tokens.get(req.cookies)) {
+            this.user.del(req.cookies);
+          }
+        }
+      });
+    }
+  });
+  /**
+   *
+   * @param cookies
+   * @protected
+   */
+  async refresh(cookies) {
+    const now = Date.now();
+    const tokens = this.tokens.get(cookies);
+    if (!tokens) {
+      return;
+    }
+    if (tokens.expires_in && tokens.issued_at) {
+      const expiresAt = tokens.issued_at + (tokens.expires_in - 10) * 1e3;
+      if (expiresAt < now) {
+        if (tokens.refresh_token) {
+          try {
+            const newTokens = await openidClient.refreshTokenGrant(
+              this.authProviders[0].client,
+              tokens.refresh_token
+            );
+            this.tokens.set(cookies, {
+              ...newTokens,
+              issued_at: Date.now()
+            });
+            return newTokens;
+          } catch (e) {
+            this.log.warn(e, "Failed to refresh token -");
+          }
+        }
+        this.tokens.del(cookies);
+        this.user.del(cookies);
+        return;
+      }
+    }
+    if (!tokens.issued_at && tokens.access_token) {
+      this.tokens.del(cookies);
+      this.user.del(cookies);
+      return;
+    }
+    return tokens;
+  }
+  /**
+   *
+   */
+  login = server.$route({
+    security: false,
+    private: true,
+    url: "/_oauth/login",
+    group: "auth",
+    method: "GET",
+    schema: {
+      query: core.t.object({
+        redirect: core.t.optional(core.t.string()),
+        provider: core.t.optional(core.t.string())
+      })
+    },
+    handler: async ({ query, cookies, url }) => {
+      const { client } = this.provider(query.provider);
+      const codeVerifier = openidClient.randomPKCECodeVerifier();
+      const codeChallenge = await openidClient.calculatePKCECodeChallenge(codeVerifier);
+      const scope = "openid profile email";
+      let redirect_uri = this.authProviders[0].redirectUri;
+      if (redirect_uri.startsWith("/")) {
+        redirect_uri = `${url.protocol}://${url.host}${redirect_uri}`;
+      }
+      const parameters = {
+        redirect_uri,
+        scope,
+        code_challenge: codeChallenge,
+        code_challenge_method: "S256"
+      };
+      this.authorizationCode.set(cookies, {
+        codeVerifier,
+        redirectUri: query.redirect ?? "/"
+      });
+      return new Response("", {
+        status: 302,
+        headers: {
+          Location: openidClient.buildAuthorizationUrl(client, parameters).toString()
+        }
+      });
+    }
+  });
+  /**
+   *
+   */
+  callback = server.$route({
+    security: false,
+    private: true,
+    url: "/_oauth/callback",
+    group: "auth",
+    method: "GET",
+    schema: {
+      query: core.t.object({
+        provider: core.t.optional(core.t.string())
+      })
+    },
+    handler: async ({ url, cookies, query }) => {
+      const { client } = this.provider(query.provider);
+      const authorizationCode = this.authorizationCode.get(cookies);
+      if (!authorizationCode) {
+        throw new server.BadRequestError("Missing code verifier");
+      }
+      const tokens = await openidClient.authorizationCodeGrant(client, url, {
+        pkceCodeVerifier: authorizationCode.codeVerifier
+      });
+      this.authorizationCode.del(cookies);
+      this.tokens.set(cookies, {
+        ...tokens,
+        issued_at: Date.now()
+      });
+      const user = this.userFromAccessToken(tokens.access_token);
+      if (user) {
+        this.user.set(cookies, user);
+      }
+      return Response.redirect(authorizationCode.redirectUri ?? "/");
+    }
+  });
+  /**
+   *
+   * @param accessToken
+   * @protected
+   */
+  userFromAccessToken(accessToken) {
+    try {
+      const parts = accessToken.split(".");
+      if (parts.length !== 3) {
+        return;
+      }
+      const payload = parts[1];
+      const decoded = JSON.parse(atob(payload));
+      if (!decoded.sub) {
+        return;
+      }
+      return {
+        id: decoded.sub,
+        name: decoded.name,
+        email: decoded.email
+        // organization
+        // ...
+      };
+    } catch (e) {
+      this.log.warn(e, "Failed to decode access token");
+    }
+  }
+  /**
+   *
+   */
+  logout = server.$route({
+    security: false,
+    private: true,
+    url: "/_oauth/logout",
+    group: "auth",
+    method: "GET",
+    schema: {
+      query: core.t.object({
+        redirect: core.t.optional(core.t.string()),
+        provider: core.t.optional(core.t.string())
+      })
+    },
+    handler: async ({ query, cookies }) => {
+      const { client } = this.provider(query.provider);
+      const tokens = this.tokens.get(cookies);
+      const idToken = tokens?.id_token;
+      const redirect = query.redirect ?? "/";
+      const params = new URLSearchParams();
+      params.set("post_logout_redirect_uri", redirect);
+      if (idToken) {
+        params.set("id_token_hint", idToken);
+      }
+      this.tokens.del(cookies);
+      this.user.del(cookies);
+      return Response.redirect(openidClient.buildEndSessionUrl(client, params).toString());
+    }
+  });
+  /**
+   *
+   * @param name
+   * @protected
+   */
+  provider(name) {
+    if (!name) {
+      const client = this.authProviders[0];
+      if (!client) {
+        throw new server.BadRequestError("Client name is required");
+      }
+      return client;
+    }
+    const authProvider = this.authProviders.find(
+      (provider) => provider.name === name
+    );
+    if (!authProvider) {
+      throw new server.BadRequestError(`Client ${name} not found`);
+    }
+    return authProvider;
+  }
+  /**
+   *
+   * @param file
+   * @protected
+   */
+  isViteFile(file) {
+    const [pathname] = file.split("?");
+    if (pathname.startsWith("/docs")) {
+      return false;
+    }
+    if (pathname.match(/\.\w{2,5}$/)) {
+      return true;
+    }
+    if (pathname.startsWith("/@")) {
+      return true;
+    }
+    return false;
+  }
+}
 const envSchema$1 = core.t.object({
   REACT_SERVER_DIST: core.t.string({ default: "client" }),
   REACT_SERVER_PREFIX: core.t.string({ default: "" }),
@@ -24,7 +321,7 @@ const envSchema$1 = core.t.object({
 class ReactServerProvider {
   log = core.$logger();
   alepha = core.$inject(core.Alepha);
-  router = core.$inject(useRouterState.Router);
+  router = core.$inject(useAuth.Router);
   server = core.$inject(server.ServerProvider);
   env = core.$inject(envSchema$1);
   configure = core.$hook({
@@ -41,45 +338,67 @@ class ReactServerProvider {
       return;
     }
     if (process.env.VITE_ALEPHA_DEV === "true") {
-      this.log.info("SSR starting in development mode");
-      const templateUrl = `${this.server.hostname}/index.html`;
+      this.log.info("SSR (vite) OK");
+      const templateUrl = "http://127.0.0.1:5173/index.html";
       this.log.debug(`Fetch template from ${templateUrl}`);
       const route2 = this.createHandler(
-        () => fetch(templateUrl).then((it) => it.text()).catch(() => void 0)
+        () => fetch(templateUrl).then((it) => it.text()).catch(() => void 0).then((it) => it ? this.checkTemplate(it) : void 0)
       );
       await this.server.route(route2);
       await this.server.route({
-        url: "*",
-        handler: route2.handler
+        ...route2,
+        url: "*"
       });
       return;
     }
-    const maybe = [
-      node_path.join(process.cwd(), this.env.REACT_SERVER_DIST),
-      node_path.join(process.cwd(), "..", this.env.REACT_SERVER_DIST),
-      node_path.join(process.cwd(), "dist", this.env.REACT_SERVER_DIST)
-    ];
     let root = "";
-    for (const it of maybe) {
-      if (node_fs.existsSync(it)) {
-        root = it;
-        break;
+    if (!this.alepha.isServerless()) {
+      const maybe = [
+        node_path.join(process.cwd(), this.env.REACT_SERVER_DIST),
+        node_path.join(process.cwd(), "..", this.env.REACT_SERVER_DIST)
+      ];
+      for (const it of maybe) {
+        if (node_fs.existsSync(it)) {
+          root = it;
+          break;
+        }
       }
+      if (!root) {
+        this.log.warn("Missing static files, SSR will be disabled");
+        return;
+      }
+      await this.server.serve(this.createStaticHandler(root));
     }
-    if (!root) {
-      this.log.warn("Missing static files, SSR will be disabled");
-      return;
-    }
-    await this.server.serve(this.createStaticHandler(root));
-    const template = await promises.readFile(node_path.join(root, "index.html"), "utf-8");
+    const template = this.checkTemplate(
+      this.alepha.state("ReactServerProvider.template") ?? await promises.readFile(node_path.join(root, "index.html"), "utf-8")
+    );
     const route = this.createHandler(async () => template);
     await this.server.route(route);
     await this.server.route({
-      url: "/*",
-      // alias for "not found handler"
-      handler: route.handler
+      ...route,
+      url: "*"
     });
   }
+  /**
+   * Check if the template contains the outlet.
+   *
+   * @param template
+   * @protected
+   */
+  checkTemplate(template) {
+    if (!template.includes(this.env.REACT_SSR_OUTLET)) {
+      if (!template.includes('<div id="root"></div>')) {
+        throw new Error(
+          `Missing React SSR outlet in index.html, please add ${this.env.REACT_SSR_OUTLET} to the index.html file`
+        );
+      }
+      return template.replace(
+        `<div id="root"></div>`,
+        `<div id="root">${this.env.REACT_SSR_OUTLET}</div>`
+      );
+    }
+    return template;
+  }
   /**
    *
    * @param root
@@ -104,22 +423,26 @@ class ReactServerProvider {
    */
   createHandler(templateLoader) {
     return {
+      method: "GET",
       url: "/",
-      handler: async ({ url, user }) => {
+      handler: async (ctx) => {
         const template = await templateLoader();
         if (!template) {
           return new Response("Not found", { status: 404 });
         }
-        const response = this.notFoundHandler(url);
+        const response = this.notFoundHandler(ctx.url);
         if (response) {
           return response;
         }
-        return await this.ssr(url, template, user);
+        return await this.ssr(ctx.url, template, {
+          user: ctx.user,
+          cookies: ctx.cookies
+        });
       }
     };
   }
   processDescriptors() {
-    const pages = this.alepha.getDescriptorValues(useRouterState.$page);
+    const pages = this.alepha.getDescriptorValues(useAuth.$page);
     for (const { key, instance, value } of pages) {
       instance[key].render = async (options = {}) => {
         const name = value.options.name ?? key;
@@ -135,7 +458,8 @@ class ReactServerProvider {
           this.router.root({
             layers,
             pathname: "",
-            search: ""
+            search: "",
+            context: {}
           })
         );
       };
@@ -147,7 +471,7 @@ class ReactServerProvider {
    * @protected
    */
   notFoundHandler(url) {
-    if (url.match(/\.\w+$/)) {
+    if (url.pathname.match(/\.\w+$/)) {
       return new Response("Not found", { status: 404 });
     }
   }
@@ -155,12 +479,15 @@ class ReactServerProvider {
    *
    * @param url
    * @param template
-   * @param user
+   * @param page
    */
-  async ssr(url, template = this.env.REACT_SSR_OUTLET, user) {
-    const { element, layers, redirect } = await this.router.render(url, {
-      user
-    });
+  async ssr(url, template = this.env.REACT_SSR_OUTLET, page = {}) {
+    const { element, layers, redirect, context } = await this.router.render(
+      url.pathname + url.search,
+      {
+        args: page
+      }
+    );
     if (redirect) {
       return new Response("", {
         status: 302,
@@ -176,324 +503,77 @@ class ReactServerProvider {
         index: void 0,
         path: void 0,
         element: void 0
-      })),
-      session: {
-        user: user ? {
-          id: user.id,
-          name: user.name
-        } : void 0
-      }
+      }))
     })}<\/script>`;
     const index = template.indexOf("</body>");
     if (index !== -1) {
       template = template.slice(0, index) + script + template.slice(index);
     }
-    return new Response(template.replace(this.env.REACT_SSR_OUTLET, appHtml), {
-      headers: { "Content-Type": "text/html" }
-    });
-  }
-}
-const sessionUserSchema = core.t.object({
-  id: core.t.string(),
-  name: core.t.optional(core.t.string())
-});
-const sessionSchema = core.t.object({
-  user: core.t.optional(sessionUserSchema)
-});
-const envSchema = core.t.object({
-  REACT_OIDC_ISSUER: core.t.optional(core.t.string()),
-  REACT_OIDC_CLIENT_ID: core.t.optional(core.t.string()),
-  REACT_OIDC_CLIENT_SECRET: core.t.optional(core.t.string()),
-  REACT_OIDC_REDIRECT_URI: core.t.optional(core.t.string())
-});
-class ReactSessionProvider {
-  SSID = "ssid";
-  log = core.$logger();
-  env = core.$inject(envSchema);
-  serverProvider = core.$inject(server.ServerProvider);
-  securityProvider = core.$inject(security.SecurityProvider);
-  sessions = cache.$cache();
-  clients = [];
-  get redirectUri() {
-    return this.env.REACT_OIDC_REDIRECT_URI ?? `${this.serverProvider.hostname}/api/callback`;
-  }
-  configure = core.$hook({
-    name: "configure",
-    priority: 100,
-    handler: async () => {
-      const issuer = this.env.REACT_OIDC_ISSUER;
-      const clientId = this.env.REACT_OIDC_CLIENT_ID;
-      if (!issuer || !clientId) {
-        return;
-      }
-      const client = await openidClient.discovery(
-        new URL(issuer),
-        clientId,
-        {
-          client_secret: this.env.REACT_OIDC_CLIENT_SECRET
-        },
-        void 0,
-        {
-          execute: [openidClient.allowInsecureRequests]
-        }
-      );
-      this.clients = [client];
+    if (context.helmet) {
+      template = this.renderHelmetContext(template, context.helmet);
     }
-  });
-  /**
-   *
-   * @param sessionId
-   * @param session
-   * @protected
-   */
-  async setSession(sessionId, session) {
-    await this.sessions.set(sessionId, session, {
-      days: 1
+    template = template.replace(this.env.REACT_SSR_OUTLET, appHtml);
+    return new Response(template, {
+      headers: { "Content-Type": "text/html" }
     });
   }
-  /**
-   *
-   * @param sessionId
-   * @protected
-   */
-  async getSession(sessionId) {
-    const session = await this.sessions.get(sessionId);
-    if (!session) {
-      return;
-    }
-    const now = Date.now();
-    if (session.expires_in && session.issued_at) {
-      const expiresAt = session.issued_at + (session.expires_in - 10) * 1e3;
-      if (expiresAt < now) {
-        if (session.refresh_token) {
-          try {
-            const newTokens = await openidClient.refreshTokenGrant(
-              this.clients[0],
-              session.refresh_token
-            );
-            await this.setSession(sessionId, {
-              ...newTokens,
-              issued_at: Date.now()
-            });
-            return newTokens;
-          } catch (e) {
-            this.log.error(e, "Failed to refresh token");
-          }
-        }
-        await this.sessions.invalidate(sessionId);
-        return;
+  renderHelmetContext(template, helmetContext) {
+    if (helmetContext.title) {
+      if (template.includes("<title>")) {
+        template = template.replace(
+          /<title>.*<\/title>/,
+          `<title>${helmetContext.title}</title>`
+        );
+      } else {
+        template = template.replace(
+          "</head>",
+          `<title>${helmetContext.title}</title></head>`
+        );
       }
     }
-    if (!session.issued_at && session.access_token) {
-      await this.sessions.invalidate(sessionId);
-      return;
-    }
-    return session;
+    return template;
   }
-  /**
-   *
-   * @protected
-   */
-  beforeRequest = core.$hook({
-    name: "configure:fastify",
-    priority: 100,
-    handler: async (app) => {
-      app.decorateRequest("session");
-      app.addHook("onRequest", async (req) => {
-        const sessionId = req.cookies[this.SSID];
-        if (sessionId && !isViteFile(req.url)) {
-          const session = await this.getSession(sessionId);
-          if (session) {
-            req.session = session;
-            if (session.access_token) {
-              req.headers.authorization = `Bearer ${session.access_token}`;
-            }
-          }
-        }
-      });
-    }
-  });
-  /**
-   *
-   */
-  login = server.$route({
-    security: false,
-    url: "/login",
-    method: "GET",
-    schema: {
-      query: core.t.object({
-        redirect: core.t.optional(core.t.string())
-      })
-    },
-    handler: async ({ query }) => {
-      const client = this.clients[0];
-      const codeVerifier = openidClient.randomPKCECodeVerifier();
-      const codeChallenge = await openidClient.calculatePKCECodeChallenge(codeVerifier);
-      const scope = "openid profile email";
-      const parameters = {
-        redirect_uri: this.redirectUri,
-        scope,
-        code_challenge: codeChallenge,
-        code_challenge_method: "S256"
-      };
-      const sessionId = crypto.randomUUID();
-      await this.setSession(sessionId, {
-        authorizationCodeGrant: {
-          codeVerifier,
-          redirectUri: query.redirect ?? "/"
-          // TODO: add nonce, max_age, state
-        }
-      });
-      return new Response("", {
-        status: 302,
-        headers: {
-          "Set-Cookie": `${this.SSID}=${sessionId}; HttpOnly; Path=/; SameSite=Lax;`,
-          Location: openidClient.buildAuthorizationUrl(client, parameters).toString()
-        }
-      });
-    }
-  });
-  /**
-   *
-   */
-  callback = server.$route({
-    security: false,
-    url: "/callback",
-    method: "GET",
-    schema: {
-      headers: core.t.record(core.t.string(), core.t.string()),
-      cookies: core.t.object({
-        ssid: core.t.string()
-      })
-    },
-    handler: async ({ cookies, url }) => {
-      const sessionId = cookies.ssid;
-      const session = await this.getSession(sessionId);
-      if (!session) {
-        throw new server.BadRequestError("Missing session");
-      }
-      if (!session.authorizationCodeGrant) {
-        throw new server.BadRequestError("Invalid session - missing code verifier");
-      }
-      const [, search] = url.split("?");
-      const tokens = await openidClient.authorizationCodeGrant(
-        this.clients[0],
-        new URL(`${this.redirectUri}?${search}`),
-        {
-          pkceCodeVerifier: session.authorizationCodeGrant.codeVerifier,
-          expectedNonce: session.authorizationCodeGrant.nonce,
-          expectedState: session.authorizationCodeGrant.state,
-          maxAge: session.authorizationCodeGrant.max_age
-        }
-      );
-      await this.setSession(sessionId, {
-        ...tokens,
-        issued_at: Date.now()
-      });
-      return new Response("", {
-        status: 302,
-        headers: {
-          Location: session.authorizationCodeGrant.redirectUri ?? "/"
-        }
-      });
-    }
-  });
-  logout = server.$route({
-    security: false,
-    url: "/logout",
-    method: "GET",
-    schema: {
-      query: core.t.object({
-        redirect: core.t.optional(core.t.string())
-      }),
-      cookies: core.t.object({
-        ssid: core.t.string()
-      })
-    },
-    handler: async ({ query, cookies }, { fastify }) => {
-      const session = fastify?.req.session;
-      await this.sessions.invalidate(cookies.ssid);
-      const redirect = query.redirect ?? "/";
-      const params = new URLSearchParams();
-      params.set("post_logout_redirect_uri", redirect);
-      if (session?.id_token) {
-        params.set("id_token_hint", session.id_token);
-      }
-      return new Response("", {
-        status: 302,
-        headers: {
-          "Set-Cookie": `${this.SSID}=; HttpOnly; Path=/; SameSite=Lax;`,
-          Location: openidClient.buildEndSessionUrl(this.clients[0], params).toString()
-        }
-      });
-    }
-  });
-  session = server.$route({
-    security: false,
-    url: "/_session",
-    method: "GET",
-    schema: {
-      headers: core.t.object({
-        authorization: core.t.string()
-      }),
-      response: sessionSchema
-    },
-    handler: async ({ headers }) => {
-      try {
-        return {
-          user: await this.securityProvider.createUserFromToken(
-            headers.authorization
-          )
-        };
-      } catch (e) {
-        return {};
-      }
-    }
-  });
 }
-const isViteFile = (file) => {
-  const [pathname] = file.split("?");
-  if (pathname.startsWith("/docs")) {
-    return false;
-  }
-  if (pathname.match(/\.\w{2,5}$/)) {
-    return true;
-  }
-  if (pathname.startsWith("/@")) {
-    return true;
-  }
-  return false;
-};
+const envSchema = core.t.object({
+  REACT_AUTH_ENABLED: core.t.boolean({ default: false })
+});
 class ReactModule {
+  env = core.$inject(envSchema);
   alepha = core.$inject(core.Alepha);
   constructor() {
-    this.alepha.with(server.ServerModule).with(server.ServerLinksProvider).with(ReactServerProvider).with(ReactSessionProvider).with(useRouterState.PageDescriptorProvider);
+    this.alepha.with(server.ServerModule).with(server.ServerLinksProvider).with(useAuth.PageDescriptorProvider).with(ReactServerProvider);
+    if (this.env.REACT_AUTH_ENABLED) {
+      this.alepha.with(ReactAuthProvider);
+      this.alepha.with(useAuth.Auth);
+    }
   }
 }
-core.autoInject(useRouterState.$page, ReactModule);
+core.autoInject(useAuth.$page, ReactModule);
+core.autoInject(useAuth.$auth, ReactAuthProvider, useAuth.Auth);
-exports.$page = useRouterState.$page;
-exports.NestedView = useRouterState.NestedView;
-exports.PageDescriptorProvider = useRouterState.PageDescriptorProvider;
-exports.ReactBrowserProvider = useRouterState.ReactBrowserProvider;
-exports.RedirectException = useRouterState.RedirectException;
-exports.Router = useRouterState.Router;
-exports.RouterContext = useRouterState.RouterContext;
-exports.RouterHookApi = useRouterState.RouterHookApi;
-exports.RouterLayerContext = useRouterState.RouterLayerContext;
-exports.pageDescriptorKey = useRouterState.pageDescriptorKey;
-exports.useActive = useRouterState.useActive;
-exports.useClient = useRouterState.useClient;
-exports.useInject = useRouterState.useInject;
-exports.useQueryParams = useRouterState.useQueryParams;
-exports.useRouter = useRouterState.useRouter;
-exports.useRouterEvents = useRouterState.useRouterEvents;
-exports.useRouterState = useRouterState.useRouterState;
+exports.$auth = useAuth.$auth;
+exports.$page = useAuth.$page;
+exports.Auth = useAuth.Auth;
+exports.Link = useAuth.Link;
+exports.NestedView = useAuth.NestedView;
+exports.PageDescriptorProvider = useAuth.PageDescriptorProvider;
+exports.ReactBrowserProvider = useAuth.ReactBrowserProvider;
+exports.RedirectionError = useAuth.RedirectionError;
+exports.Router = useAuth.Router;
+exports.RouterContext = useAuth.RouterContext;
+exports.RouterHookApi = useAuth.RouterHookApi;
+exports.RouterLayerContext = useAuth.RouterLayerContext;
+exports.pageDescriptorKey = useAuth.pageDescriptorKey;
+exports.useActive = useAuth.useActive;
+exports.useAuth = useAuth.useAuth;
+exports.useClient = useAuth.useClient;
+exports.useInject = useAuth.useInject;
+exports.useQueryParams = useAuth.useQueryParams;
+exports.useRouter = useAuth.useRouter;
+exports.useRouterEvents = useAuth.useRouterEvents;
+exports.useRouterState = useAuth.useRouterState;
+exports.ReactAuthProvider = ReactAuthProvider;
 exports.ReactModule = ReactModule;
 exports.ReactServerProvider = ReactServerProvider;
-exports.ReactSessionProvider = ReactSessionProvider;
 exports.envSchema = envSchema$1;
-exports.sessionSchema = sessionSchema;
-exports.sessionUserSchema = sessionUserSchema;