@authgear/nextjs 0.1.1

package/README.md

@@ -0,0 +1,307 @@
+# Authgear SDK for Next.js
+
+[![@authgear/nextjs](https://img.shields.io/npm/v/@authgear/nextjs.svg?label=@authgear/nextjs)](https://www.npmjs.com/package/@authgear/nextjs)
+[![@authgear/nextjs](https://img.shields.io/npm/dt/@authgear/nextjs.svg?label=@authgear/nextjs)](https://www.npmjs.com/package/@authgear/nextjs)
+![License](https://img.shields.io/badge/license-MIT-blue)
+
+With Authgear SDK for Next.js, you can easily integrate authentication features into your Next.js application — covering both the frontend and backend in one package.
+In most cases, it involves just **a few lines of code** to enable **multiple authentication methods**, such as [social logins](https://www.authgear.com/features/social-login), [passwordless](https://www.authgear.com/features/passwordless-authentication), [biometrics logins](https://www.authgear.com/features/biometric-authentication), [one-time-password (OTP)](https://www.authgear.com/features/whatsapp-otp) with SMS/WhatsApp, and multi-factor authentication (MFA).
+
+**Quick links** — 📚 [Documentation](#documentation) · 🏁 [Getting Started](#getting-started) · 🛠️ [Troubleshooting](#troubleshooting) · 👥 [Contributing](#contributing)
+
+## What is Authgear?
+
+[Authgear](https://www.authgear.com/) is a highly adaptable identity-as-a-service (IDaaS) platform for web and mobile applications.
+Authgear makes user authentication easier and faster to implement by integrating it into various types of applications — from single-page web apps to mobile applications to API services.
+
+### Key Features
+
+- Zero-trust authentication architecture with [OpenID Connect](https://openid.net/developers/how-connect-works/) (OIDC) standard.
+- Easy-to-use interfaces for user registration and login, including email, phone, username as login ID, and password, OTP, magic links, etc.
+- Support for a wide range of identity providers, such as [Google](https://developers.google.com/identity), [Apple](https://support.apple.com/en-gb/guide/deployment/depa64848f3a/web), and [Azure Active Directory](https://azure.microsoft.com/en-gb/products/active-directory/).
+- Support for Passkeys, biometric login, and Multi-Factor Authentication (MFA) such as SMS/email-based verification and authenticator apps with TOTP.
+
+## Requirements
+
+- **Next.js** >= 16.0.0
+- **React** >= 19.0.0
+- **Node.js** >= 18
+
+## Installation
+
+```sh
+npm install @authgear/nextjs
+```
+
+## Getting Started
+
+### 1. Configure Authgear
+
+Create a config object. The `sessionSecret` must be at least 32 characters and should be stored in an environment variable.
+
+```ts
+// lib/authgear.ts
+import type { AuthgearConfig } from "@authgear/nextjs";
+
+export const authgearConfig: AuthgearConfig = {
+  endpoint: process.env.AUTHGEAR_ENDPOINT!,       // e.g. "https://myapp.authgear.cloud"
+  clientID: process.env.AUTHGEAR_CLIENT_ID!,
+  clientSecret: process.env.AUTHGEAR_CLIENT_SECRET,  // for confidential clients
+  redirectURI: process.env.AUTHGEAR_REDIRECT_URI!,   // e.g. "http://localhost:3000/api/auth/callback"
+  sessionSecret: process.env.SESSION_SECRET!,         // min 32 chars
+};
+```
+
+### 2. Add the Route Handler
+
+Create a catch-all route to handle all auth endpoints (`/api/auth/login`, `/api/auth/callback`, `/api/auth/logout`, `/api/auth/refresh`, `/api/auth/userinfo`).
+
+```ts
+// app/api/auth/[...authgear]/route.ts
+import { createAuthgearHandlers } from "@authgear/nextjs";
+import { authgearConfig } from "@/lib/authgear";
+
+export const { GET, POST } = createAuthgearHandlers(authgearConfig);
+```
+
+### 3. Add the Provider (Client Components)
+
+Wrap your app with `AuthgearProvider` to enable client-side hooks and components.
+
+```tsx
+// app/layout.tsx
+import { AuthgearProvider } from "@authgear/nextjs/client";
+
+export default function RootLayout({ children }: { children: React.ReactNode }) {
+  return (
+    <html>
+      <body>
+        <AuthgearProvider>{children}</AuthgearProvider>
+      </body>
+    </html>
+  );
+}
+```
+
+### 4. Protect Routes with the Proxy (Next.js 16)
+
+Create a `proxy.ts` file at the root of your project to automatically redirect unauthenticated users and inject auth headers.
+
+```ts
+// proxy.ts
+import { createAuthgearProxy } from "@authgear/nextjs/proxy";
+import { authgearConfig } from "@/lib/authgear";
+
+export const proxy = createAuthgearProxy({
+  ...authgearConfig,
+  protectedPaths: ["/dashboard/*", "/profile/*"],
+});
+```
+
+---
+
+## Usage
+
+### Client Components
+
+Use the `useAuthgear` hook or the built-in buttons:
+
+```tsx
+"use client";
+
+import { useAuthgear, SignInButton, SignOutButton } from "@authgear/nextjs/client";
+
+export function NavBar() {
+  const { isAuthenticated, isLoaded, user } = useAuthgear();
+
+  if (!isLoaded) return null;
+
+  return isAuthenticated ? (
+    <div>
+      <span>Welcome, {user?.email}</span>
+      <SignOutButton />
+    </div>
+  ) : (
+    <SignInButton />
+  );
+}
+```
+
+### Server Components
+
+Use `currentUser()` to get the authenticated user in Server Components and Route Handlers.
+
+```tsx
+// app/dashboard/page.tsx
+import { currentUser } from "@authgear/nextjs/server";
+import { authgearConfig } from "@/lib/authgear";
+import { redirect } from "next/navigation";
+
+export default async function DashboardPage() {
+  const user = await currentUser(authgearConfig);
+  if (!user) redirect("/api/auth/login?returnTo=/dashboard");
+
+  return <h1>Hello, {user.email}</h1>;
+}
+```
+
+### Protecting API Routes with JWT
+
+Use `verifyAccessToken()` to validate a Bearer token in API routes.
+
+```ts
+// app/api/me/route.ts
+import { verifyAccessToken } from "@authgear/nextjs/server";
+import { authgearConfig } from "@/lib/authgear";
+import { NextRequest, NextResponse } from "next/server";
+
+export async function GET(request: NextRequest) {
+  const authHeader = request.headers.get("Authorization");
+  const token = authHeader?.replace("Bearer ", "");
+  if (!token) return NextResponse.json({ error: "unauthorized" }, { status: 401 });
+
+  try {
+    const payload = await verifyAccessToken(token, authgearConfig);
+    return NextResponse.json({ sub: payload.sub });
+  } catch {
+    return NextResponse.json({ error: "invalid_token" }, { status: 401 });
+  }
+}
+```
+
+### Reading the Session
+
+Use `auth()` to read the raw session (tokens + expiry) without fetching user info.
+
+```ts
+import { auth } from "@authgear/nextjs/server";
+import { authgearConfig } from "@/lib/authgear";
+
+const session = await auth(authgearConfig);
+// session.state: SessionState.Authenticated | SessionState.NoSession
+// session.accessToken: string | null
+```
+
+---
+
+## API Reference
+
+### `@authgear/nextjs`
+
+| Export | Description |
+|---|---|
+| `createAuthgearHandlers(config)` | Returns `{ GET, POST }` for `app/api/auth/[...authgear]/route.ts` |
+
+### `@authgear/nextjs/server`
+
+| Export | Description |
+|---|---|
+| `auth(config)` | Returns the current `Session` from the session cookie |
+| `currentUser(config)` | Returns `UserInfo \| null`, auto-refreshes access token |
+| `verifyAccessToken(token, config)` | Verifies a JWT Bearer token with JWKS, returns `JWTPayload` |
+
+### `@authgear/nextjs/client`
+
+| Export | Description |
+|---|---|
+| `<AuthgearProvider>` | React context provider, must wrap the app |
+| `useAuthgear()` | Returns `{ state, user, isLoaded, isAuthenticated, signIn, signOut }` |
+| `useUser()` | Returns `UserInfo \| null` |
+| `<SignInButton>` | Button that calls `signIn()` on click |
+| `<SignOutButton>` | Button that calls `signOut()` on click |
+
+### `@authgear/nextjs/proxy`
+
+| Export | Description |
+|---|---|
+| `createAuthgearProxy(options)` | Returns a Next.js 16 `proxy()` function |
+
+**`createAuthgearProxy` options** (extends `AuthgearConfig`):
+
+| Option | Default | Description |
+|---|---|---|
+| `protectedPaths` | `[]` | Paths requiring auth, supports `*` suffix (e.g. `"/dashboard/*"`) |
+| `publicPaths` | `["/api/auth/*"]` | Paths always allowed through |
+| `loginPath` | `"/api/auth/login"` | Where to redirect unauthenticated users |
+
+### `AuthgearConfig`
+
+| Field | Required | Description |
+|---|---|---|
+| `endpoint` | ✓ | Authgear endpoint, e.g. `"https://myapp.authgear.cloud"` |
+| `clientID` | ✓ | OAuth client ID |
+| `redirectURI` | ✓ | OAuth callback URL, e.g. `"http://localhost:3000/api/auth/callback"` |
+| `sessionSecret` | ✓ | Secret for encrypting session cookie (min 32 chars) |
+| `clientSecret` | | OAuth client secret (for confidential clients) |
+| `postLogoutRedirectURI` | | Where to redirect after logout. Defaults to `"/"` |
+| `scopes` | | OAuth scopes. Defaults to `["openid", "offline_access", "https://authgear.com/scopes/full-userinfo"]` |
+| `cookieName` | | Session cookie name. Defaults to `"authgear.session"` |
+
+---
+
+## Roadmap
+
+### `open(page)` — Open Authgear Settings Page
+
+> **Status: pending server-side enablement**
+
+The SDK has a planned `getOpenURL(page, config)` function (modelled after [`authgear.open(Page.Settings)`](https://docs.authgear.com/get-started/single-page-app/website#step-8-open-user-settings-page) in the web SDK) that opens the Authgear-hosted settings UI with the current user already authenticated — no re-login required.
+
+**How it will work:**
+
+```ts
+// app/dashboard/actions.ts  (Server Action)
+"use server";
+import { getOpenURL, Page } from "@authgear/nextjs/server";
+import { authgearConfig } from "@/lib/authgear";
+
+export async function getSettingsURLAction() {
+  return getOpenURL(Page.Settings, authgearConfig);
+}
+```
+
+```tsx
+// Client component
+const url = await getSettingsURLAction();
+window.open(url, "_blank");
+```
+
+**Blocker:** This feature exchanges the refresh token for an `app_session_token` via `POST /oauth2/app_session_token`. The Authgear server must grant the OAuth client **"full user access"** permission before this endpoint is accessible. Once that server-side configuration is in place, the implementation in `src/server.ts` can be uncommented and released.
+
+---
+
+## Documentation
+
+- Learn how to set up an Authgear application at [https://docs.authgear.com/](https://docs.authgear.com/)
+- Learn how to manage your users through the [Admin API](https://docs.authgear.com/reference/apis/admin-api)
+
+## Troubleshooting
+
+Please check out the [Get Help](https://github.com/orgs/authgear/discussions/categories/get-help) section for solutions to common issues.
+
+### Raise an Issue
+
+To provide feedback or report a bug, please [raise an issue on our issue tracker](https://github.com/authgear/authgear-sdk-js/issues).
+
+## Contributing
+
+Anyone who wishes to contribute to this project, whether documentation, features, bug fixes, code cleanup, testing, or code reviews, is very much encouraged to do so.
+
+To join, raise your hand on the [Authgear Discord server](https://discord.gg/Kdn5vcYwAS) or the GitHub [discussions board](https://github.com/orgs/authgear/discussions).
+
+```sh
+git clone git@github.com:authgear/authgear-sdk-nextjs.git
+cd authgear-sdk-nextjs
+npm install
+npm test
+```
+
+## Supported and maintained by
+
+<div align="center">
+  <a href="https://github.com/authgear"><img src="https://uploads-ssl.webflow.com/60658b46b03f0cf83ac1485d/619e6607eb647619cecee2cf_authgear-logo.svg" /></a>
+</div>
+
+<p align="center">
+  Authgear is a highly adaptable identity-as-a-service (IDaaS) platform for web and mobile applications. To learn more, visit <a href="https://www.authgear.com/">authgear.com</a>.
+</p>

package/dist/chunk-3KVYAFQJ.js

@@ -0,0 +1,26 @@
+// src/user.ts
+function parseUserInfo(raw) {
+  return {
+    sub: raw["sub"],
+    email: raw["email"],
+    emailVerified: raw["email_verified"],
+    phoneNumber: raw["phone_number"],
+    phoneNumberVerified: raw["phone_number_verified"],
+    preferredUsername: raw["preferred_username"],
+    givenName: raw["given_name"],
+    familyName: raw["family_name"],
+    name: raw["name"],
+    picture: raw["picture"],
+    roles: raw["https://authgear.com/claims/user/roles"],
+    isAnonymous: raw["https://authgear.com/claims/user/is_anonymous"],
+    isVerified: raw["https://authgear.com/claims/user/is_verified"],
+    canReauthenticate: raw["https://authgear.com/claims/user/can_reauthenticate"],
+    customAttributes: raw["custom_attributes"],
+    raw
+  };
+}
+
+export {
+  parseUserInfo
+};
+//# sourceMappingURL=chunk-3KVYAFQJ.js.map

package/dist/chunk-3KVYAFQJ.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../src/user.ts"],"sourcesContent":["import type { UserInfo } from \"./types.js\";\n\nexport function parseUserInfo(raw: Record<string, unknown>): UserInfo {\n  return {\n    sub: raw[\"sub\"] as string,\n    email: raw[\"email\"] as string | undefined,\n    emailVerified: raw[\"email_verified\"] as boolean | undefined,\n    phoneNumber: raw[\"phone_number\"] as string | undefined,\n    phoneNumberVerified: raw[\"phone_number_verified\"] as boolean | undefined,\n    preferredUsername: raw[\"preferred_username\"] as string | undefined,\n    givenName: raw[\"given_name\"] as string | undefined,\n    familyName: raw[\"family_name\"] as string | undefined,\n    name: raw[\"name\"] as string | undefined,\n    picture: raw[\"picture\"] as string | undefined,\n    roles: raw[\"https://authgear.com/claims/user/roles\"] as string[] | undefined,\n    isAnonymous: raw[\"https://authgear.com/claims/user/is_anonymous\"] as boolean | undefined,\n    isVerified: raw[\"https://authgear.com/claims/user/is_verified\"] as boolean | undefined,\n    canReauthenticate: raw[\"https://authgear.com/claims/user/can_reauthenticate\"] as boolean | undefined,\n    customAttributes: raw[\"custom_attributes\"] as Record<string, unknown> | undefined,\n    raw,\n  };\n}\n"],"mappings":";AAEO,SAAS,cAAc,KAAwC;AACpE,SAAO;AAAA,IACL,KAAK,IAAI,KAAK;AAAA,IACd,OAAO,IAAI,OAAO;AAAA,IAClB,eAAe,IAAI,gBAAgB;AAAA,IACnC,aAAa,IAAI,cAAc;AAAA,IAC/B,qBAAqB,IAAI,uBAAuB;AAAA,IAChD,mBAAmB,IAAI,oBAAoB;AAAA,IAC3C,WAAW,IAAI,YAAY;AAAA,IAC3B,YAAY,IAAI,aAAa;AAAA,IAC7B,MAAM,IAAI,MAAM;AAAA,IAChB,SAAS,IAAI,SAAS;AAAA,IACtB,OAAO,IAAI,wCAAwC;AAAA,IACnD,aAAa,IAAI,+CAA+C;AAAA,IAChE,YAAY,IAAI,8CAA8C;AAAA,IAC9D,mBAAmB,IAAI,qDAAqD;AAAA,IAC5E,kBAAkB,IAAI,mBAAmB;AAAA,IACzC;AAAA,EACF;AACF;","names":[]}

package/dist/chunk-MJD3XNUK.js

@@ -0,0 +1,227 @@
+import {
+  DEFAULT_SCOPES
+} from "./chunk-UY6NEM2T.js";
+
+// src/config.ts
+function resolveConfig(config) {
+  if (!config.endpoint) throw new Error("AuthgearConfig: endpoint is required");
+  if (!config.clientID) throw new Error("AuthgearConfig: clientID is required");
+  if (!config.redirectURI) throw new Error("AuthgearConfig: redirectURI is required");
+  if (!config.sessionSecret || config.sessionSecret.length < 32) {
+    throw new Error("AuthgearConfig: sessionSecret must be at least 32 characters");
+  }
+  return {
+    endpoint: config.endpoint.replace(/\/+$/, ""),
+    clientID: config.clientID,
+    clientSecret: config.clientSecret ?? "",
+    redirectURI: config.redirectURI,
+    postLogoutRedirectURI: config.postLogoutRedirectURI ?? "/",
+    scopes: config.scopes ?? DEFAULT_SCOPES,
+    sessionSecret: config.sessionSecret,
+    cookieName: config.cookieName ?? "authgear.session"
+  };
+}
+
+// src/oauth/discovery.ts
+var cache = /* @__PURE__ */ new Map();
+var CACHE_TTL_MS = 60 * 60 * 1e3;
+async function fetchOIDCConfiguration(endpoint) {
+  const cached = cache.get(endpoint);
+  if (cached && Date.now() - cached.fetchedAt < CACHE_TTL_MS) {
+    return cached.config;
+  }
+  const url = `${endpoint}/.well-known/openid-configuration`;
+  const res = await fetch(url);
+  if (!res.ok) {
+    throw new Error(`Failed to fetch OIDC configuration from ${url}: ${res.status}`);
+  }
+  const config = await res.json();
+  cache.set(endpoint, { config, fetchedAt: Date.now() });
+  return config;
+}
+
+// src/session/cookie.ts
+import { createCipheriv, createDecipheriv, randomBytes, scryptSync } from "crypto";
+var ALGORITHM = "aes-256-gcm";
+var IV_LENGTH = 12;
+var AUTH_TAG_LENGTH = 16;
+var KEY_LENGTH = 32;
+var SALT = "authgear-nextjs-session";
+function deriveKey(secret) {
+  return scryptSync(secret, SALT, KEY_LENGTH);
+}
+function encryptSession(data, secret) {
+  const key = deriveKey(secret);
+  const iv = randomBytes(IV_LENGTH);
+  const cipher = createCipheriv(ALGORITHM, key, iv, { authTagLength: AUTH_TAG_LENGTH });
+  const json = JSON.stringify(data);
+  const encrypted = Buffer.concat([cipher.update(json, "utf8"), cipher.final()]);
+  const authTag = cipher.getAuthTag();
+  return Buffer.concat([iv, authTag, encrypted]).toString("base64url");
+}
+function decryptSession(encrypted, secret) {
+  try {
+    const key = deriveKey(secret);
+    const buf = Buffer.from(encrypted, "base64url");
+    if (buf.length < IV_LENGTH + AUTH_TAG_LENGTH) return null;
+    const iv = buf.subarray(0, IV_LENGTH);
+    const authTag = buf.subarray(IV_LENGTH, IV_LENGTH + AUTH_TAG_LENGTH);
+    const ciphertext = buf.subarray(IV_LENGTH + AUTH_TAG_LENGTH);
+    const decipher = createDecipheriv(ALGORITHM, key, iv, { authTagLength: AUTH_TAG_LENGTH });
+    decipher.setAuthTag(authTag);
+    const decrypted = Buffer.concat([decipher.update(ciphertext), decipher.final()]);
+    return JSON.parse(decrypted.toString("utf8"));
+  } catch {
+    return null;
+  }
+}
+function buildSessionCookie(cookieName, data, secret) {
+  return {
+    name: cookieName,
+    value: encryptSession(data, secret),
+    httpOnly: true,
+    secure: process.env.NODE_ENV === "production",
+    sameSite: "lax",
+    path: "/",
+    maxAge: 30 * 24 * 60 * 60
+    // 30 days
+  };
+}
+function buildClearCookie(cookieName) {
+  return {
+    name: cookieName,
+    value: "",
+    httpOnly: true,
+    secure: process.env.NODE_ENV === "production",
+    sameSite: "lax",
+    path: "/",
+    maxAge: 0
+  };
+}
+function buildPKCECookie(data, secret) {
+  const key = deriveKey(secret);
+  const iv = randomBytes(IV_LENGTH);
+  const cipher = createCipheriv(ALGORITHM, key, iv, { authTagLength: AUTH_TAG_LENGTH });
+  const json = JSON.stringify(data);
+  const encrypted = Buffer.concat([cipher.update(json, "utf8"), cipher.final()]);
+  const authTag = cipher.getAuthTag();
+  return {
+    name: "authgear.pkce",
+    value: Buffer.concat([iv, authTag, encrypted]).toString("base64url"),
+    httpOnly: true,
+    secure: process.env.NODE_ENV === "production",
+    sameSite: "lax",
+    path: "/",
+    maxAge: 600
+    // 10 minutes
+  };
+}
+function decryptPKCECookie(encrypted, secret) {
+  try {
+    const key = deriveKey(secret);
+    const buf = Buffer.from(encrypted, "base64url");
+    if (buf.length < IV_LENGTH + AUTH_TAG_LENGTH) return null;
+    const iv = buf.subarray(0, IV_LENGTH);
+    const authTag = buf.subarray(IV_LENGTH, IV_LENGTH + AUTH_TAG_LENGTH);
+    const ciphertext = buf.subarray(IV_LENGTH + AUTH_TAG_LENGTH);
+    const decipher = createDecipheriv(ALGORITHM, key, iv, { authTagLength: AUTH_TAG_LENGTH });
+    decipher.setAuthTag(authTag);
+    const decrypted = Buffer.concat([decipher.update(ciphertext), decipher.final()]);
+    return JSON.parse(decrypted.toString("utf8"));
+  } catch {
+    return null;
+  }
+}
+
+// src/oauth/token.ts
+async function exchangeCode(oidcConfig, params) {
+  const body = new URLSearchParams({
+    grant_type: "authorization_code",
+    code: params.code,
+    code_verifier: params.codeVerifier,
+    client_id: params.clientID,
+    redirect_uri: params.redirectURI
+  });
+  if (params.clientSecret) {
+    body.set("client_secret", params.clientSecret);
+  }
+  const res = await fetch(oidcConfig.token_endpoint, {
+    method: "POST",
+    headers: { "Content-Type": "application/x-www-form-urlencoded" },
+    body: body.toString()
+  });
+  if (!res.ok) {
+    const error = await res.text();
+    throw new Error(`Token exchange failed (${res.status}): ${error}`);
+  }
+  return res.json();
+}
+async function refreshAccessToken(oidcConfig, params) {
+  const body = new URLSearchParams({
+    grant_type: "refresh_token",
+    refresh_token: params.refreshToken,
+    client_id: params.clientID
+  });
+  if (params.clientSecret) {
+    body.set("client_secret", params.clientSecret);
+  }
+  const res = await fetch(oidcConfig.token_endpoint, {
+    method: "POST",
+    headers: { "Content-Type": "application/x-www-form-urlencoded" },
+    body: body.toString()
+  });
+  if (!res.ok) {
+    const error = await res.text();
+    throw new Error(`Token refresh failed (${res.status}): ${error}`);
+  }
+  return res.json();
+}
+async function revokeToken(oidcConfig, token) {
+  await fetch(oidcConfig.revocation_endpoint, {
+    method: "POST",
+    headers: { "Content-Type": "application/x-www-form-urlencoded" },
+    body: new URLSearchParams({ token }).toString()
+  });
+}
+
+// src/session/state.ts
+function deriveSessionState(data) {
+  if (!data) {
+    return {
+      state: "NO_SESSION" /* NoSession */,
+      accessToken: null,
+      refreshToken: null,
+      idToken: null,
+      expiresAt: null,
+      user: null
+    };
+  }
+  return {
+    state: "AUTHENTICATED" /* Authenticated */,
+    accessToken: data.accessToken,
+    refreshToken: data.refreshToken,
+    idToken: data.idToken,
+    expiresAt: data.expiresAt,
+    user: null
+    // User is fetched separately when needed
+  };
+}
+function isTokenExpired(expiresAt) {
+  return Date.now() / 1e3 >= expiresAt - 30;
+}
+
+export {
+  resolveConfig,
+  fetchOIDCConfiguration,
+  decryptSession,
+  buildSessionCookie,
+  buildClearCookie,
+  buildPKCECookie,
+  decryptPKCECookie,
+  exchangeCode,
+  refreshAccessToken,
+  revokeToken,
+  deriveSessionState,
+  isTokenExpired
+};
+//# sourceMappingURL=chunk-MJD3XNUK.js.map

package/dist/chunk-MJD3XNUK.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../src/config.ts","../src/oauth/discovery.ts","../src/session/cookie.ts","../src/oauth/token.ts","../src/session/state.ts"],"sourcesContent":["import { type AuthgearConfig, DEFAULT_SCOPES } from \"./types.js\";\n\nexport function resolveConfig(config: AuthgearConfig): Required<AuthgearConfig> {\n  if (!config.endpoint) throw new Error(\"AuthgearConfig: endpoint is required\");\n  if (!config.clientID) throw new Error(\"AuthgearConfig: clientID is required\");\n  if (!config.redirectURI) throw new Error(\"AuthgearConfig: redirectURI is required\");\n  if (!config.sessionSecret || config.sessionSecret.length < 32) {\n    throw new Error(\"AuthgearConfig: sessionSecret must be at least 32 characters\");\n  }\n\n  return {\n    endpoint: config.endpoint.replace(/\\/+$/, \"\"),\n    clientID: config.clientID,\n    clientSecret: config.clientSecret ?? \"\",\n    redirectURI: config.redirectURI,\n    postLogoutRedirectURI: config.postLogoutRedirectURI ?? \"/\",\n    scopes: config.scopes ?? DEFAULT_SCOPES,\n    sessionSecret: config.sessionSecret,\n    cookieName: config.cookieName ?? \"authgear.session\",\n  };\n}\n","import type { OIDCConfiguration } from \"../types.js\";\n\nconst cache = new Map<string, { config: OIDCConfiguration; fetchedAt: number }>();\nconst CACHE_TTL_MS = 60 * 60 * 1000; // 1 hour\n\nexport async function fetchOIDCConfiguration(\n  endpoint: string,\n): Promise<OIDCConfiguration> {\n  const cached = cache.get(endpoint);\n  if (cached && Date.now() - cached.fetchedAt < CACHE_TTL_MS) {\n    return cached.config;\n  }\n\n  const url = `${endpoint}/.well-known/openid-configuration`;\n  const res = await fetch(url);\n  if (!res.ok) {\n    throw new Error(`Failed to fetch OIDC configuration from ${url}: ${res.status}`);\n  }\n\n  const config = (await res.json()) as OIDCConfiguration;\n  cache.set(endpoint, { config, fetchedAt: Date.now() });\n  return config;\n}\n\n/** Clear cached OIDC configuration (useful for testing) */\nexport function clearOIDCCache(): void {\n  cache.clear();\n}\n","import { createCipheriv, createDecipheriv, randomBytes, scryptSync } from \"node:crypto\";\nimport type { SessionData } from \"../types.js\";\n\nconst ALGORITHM = \"aes-256-gcm\";\nconst IV_LENGTH = 12;\nconst AUTH_TAG_LENGTH = 16;\nconst KEY_LENGTH = 32;\nconst SALT = \"authgear-nextjs-session\";\n\nfunction deriveKey(secret: string): Buffer {\n  return scryptSync(secret, SALT, KEY_LENGTH);\n}\n\nexport function encryptSession(data: SessionData, secret: string): string {\n  const key = deriveKey(secret);\n  const iv = randomBytes(IV_LENGTH);\n  const cipher = createCipheriv(ALGORITHM, key, iv, { authTagLength: AUTH_TAG_LENGTH });\n\n  const json = JSON.stringify(data);\n  const encrypted = Buffer.concat([cipher.update(json, \"utf8\"), cipher.final()]);\n  const authTag = cipher.getAuthTag();\n\n  // Format: base64(iv + authTag + encrypted)\n  return Buffer.concat([iv, authTag, encrypted]).toString(\"base64url\");\n}\n\nexport function decryptSession(encrypted: string, secret: string): SessionData | null {\n  try {\n    const key = deriveKey(secret);\n    const buf = Buffer.from(encrypted, \"base64url\");\n\n    if (buf.length < IV_LENGTH + AUTH_TAG_LENGTH) return null;\n\n    const iv = buf.subarray(0, IV_LENGTH);\n    const authTag = buf.subarray(IV_LENGTH, IV_LENGTH + AUTH_TAG_LENGTH);\n    const ciphertext = buf.subarray(IV_LENGTH + AUTH_TAG_LENGTH);\n\n    const decipher = createDecipheriv(ALGORITHM, key, iv, { authTagLength: AUTH_TAG_LENGTH });\n    decipher.setAuthTag(authTag);\n\n    const decrypted = Buffer.concat([decipher.update(ciphertext), decipher.final()]);\n    return JSON.parse(decrypted.toString(\"utf8\")) as SessionData;\n  } catch {\n    return null;\n  }\n}\n\nexport interface CookieOptions {\n  name: string;\n  value: string;\n  httpOnly?: boolean;\n  secure?: boolean;\n  sameSite?: \"lax\" | \"strict\" | \"none\";\n  path?: string;\n  maxAge?: number;\n}\n\nexport function buildSessionCookie(\n  cookieName: string,\n  data: SessionData,\n  secret: string,\n): CookieOptions {\n  return {\n    name: cookieName,\n    value: encryptSession(data, secret),\n    httpOnly: true,\n    secure: process.env.NODE_ENV === \"production\",\n    sameSite: \"lax\",\n    path: \"/\",\n    maxAge: 30 * 24 * 60 * 60, // 30 days\n  };\n}\n\nexport function buildClearCookie(cookieName: string): CookieOptions {\n  return {\n    name: cookieName,\n    value: \"\",\n    httpOnly: true,\n    secure: process.env.NODE_ENV === \"production\",\n    sameSite: \"lax\",\n    path: \"/\",\n    maxAge: 0,\n  };\n}\n\nexport function buildPKCECookie(\n  data: { codeVerifier: string; state: string; returnTo: string },\n  secret: string,\n): CookieOptions {\n  const key = deriveKey(secret);\n  const iv = randomBytes(IV_LENGTH);\n  const cipher = createCipheriv(ALGORITHM, key, iv, { authTagLength: AUTH_TAG_LENGTH });\n\n  const json = JSON.stringify(data);\n  const encrypted = Buffer.concat([cipher.update(json, \"utf8\"), cipher.final()]);\n  const authTag = cipher.getAuthTag();\n\n  return {\n    name: \"authgear.pkce\",\n    value: Buffer.concat([iv, authTag, encrypted]).toString(\"base64url\"),\n    httpOnly: true,\n    secure: process.env.NODE_ENV === \"production\",\n    sameSite: \"lax\",\n    path: \"/\",\n    maxAge: 600, // 10 minutes\n  };\n}\n\nexport function decryptPKCECookie(\n  encrypted: string,\n  secret: string,\n): { codeVerifier: string; state: string; returnTo: string } | null {\n  try {\n    const key = deriveKey(secret);\n    const buf = Buffer.from(encrypted, \"base64url\");\n\n    if (buf.length < IV_LENGTH + AUTH_TAG_LENGTH) return null;\n\n    const iv = buf.subarray(0, IV_LENGTH);\n    const authTag = buf.subarray(IV_LENGTH, IV_LENGTH + AUTH_TAG_LENGTH);\n    const ciphertext = buf.subarray(IV_LENGTH + AUTH_TAG_LENGTH);\n\n    const decipher = createDecipheriv(ALGORITHM, key, iv, { authTagLength: AUTH_TAG_LENGTH });\n    decipher.setAuthTag(authTag);\n\n    const decrypted = Buffer.concat([decipher.update(ciphertext), decipher.final()]);\n    return JSON.parse(decrypted.toString(\"utf8\"));\n  } catch {\n    return null;\n  }\n}\n","import type { OIDCConfiguration, TokenResponse, AppSessionTokenResponse } from \"../types.js\";\n\nexport interface ExchangeCodeParams {\n  code: string;\n  codeVerifier: string;\n  clientID: string;\n  clientSecret?: string;\n  redirectURI: string;\n}\n\nexport interface RefreshTokenParams {\n  refreshToken: string;\n  clientID: string;\n  clientSecret?: string;\n}\n\nexport async function exchangeCode(\n  oidcConfig: OIDCConfiguration,\n  params: ExchangeCodeParams,\n): Promise<TokenResponse> {\n  const body = new URLSearchParams({\n    grant_type: \"authorization_code\",\n    code: params.code,\n    code_verifier: params.codeVerifier,\n    client_id: params.clientID,\n    redirect_uri: params.redirectURI,\n  });\n  if (params.clientSecret) {\n    body.set(\"client_secret\", params.clientSecret);\n  }\n\n  const res = await fetch(oidcConfig.token_endpoint, {\n    method: \"POST\",\n    headers: { \"Content-Type\": \"application/x-www-form-urlencoded\" },\n    body: body.toString(),\n  });\n\n  if (!res.ok) {\n    const error = await res.text();\n    throw new Error(`Token exchange failed (${res.status}): ${error}`);\n  }\n\n  return res.json() as Promise<TokenResponse>;\n}\n\nexport async function refreshAccessToken(\n  oidcConfig: OIDCConfiguration,\n  params: RefreshTokenParams,\n): Promise<TokenResponse> {\n  const body = new URLSearchParams({\n    grant_type: \"refresh_token\",\n    refresh_token: params.refreshToken,\n    client_id: params.clientID,\n  });\n  if (params.clientSecret) {\n    body.set(\"client_secret\", params.clientSecret);\n  }\n\n  const res = await fetch(oidcConfig.token_endpoint, {\n    method: \"POST\",\n    headers: { \"Content-Type\": \"application/x-www-form-urlencoded\" },\n    body: body.toString(),\n  });\n\n  if (!res.ok) {\n    const error = await res.text();\n    throw new Error(`Token refresh failed (${res.status}): ${error}`);\n  }\n\n  return res.json() as Promise<TokenResponse>;\n}\n\nexport async function getAppSessionToken(\n  endpoint: string,\n  refreshToken: string,\n): Promise<AppSessionTokenResponse> {\n  const res = await fetch(`${endpoint}/oauth2/app_session_token`, {\n    method: \"POST\",\n    headers: { \"Content-Type\": \"application/json\" },\n    body: JSON.stringify({ refresh_token: refreshToken }),\n  });\n\n  if (!res.ok) {\n    const error = await res.text();\n    throw new Error(`Failed to get app session token (${res.status}): ${error}`);\n  }\n\n  return res.json() as Promise<AppSessionTokenResponse>;\n}\n\nexport async function revokeToken(\n  oidcConfig: OIDCConfiguration,\n  token: string,\n): Promise<void> {\n  await fetch(oidcConfig.revocation_endpoint, {\n    method: \"POST\",\n    headers: { \"Content-Type\": \"application/x-www-form-urlencoded\" },\n    body: new URLSearchParams({ token }).toString(),\n  });\n}\n","import { SessionState, type SessionData, type Session } from \"../types.js\";\n\nexport function deriveSessionState(data: SessionData | null): Session {\n  if (!data) {\n    return {\n      state: SessionState.NoSession,\n      accessToken: null,\n      refreshToken: null,\n      idToken: null,\n      expiresAt: null,\n      user: null,\n    };\n  }\n\n  return {\n    state: SessionState.Authenticated,\n    accessToken: data.accessToken,\n    refreshToken: data.refreshToken,\n    idToken: data.idToken,\n    expiresAt: data.expiresAt,\n    user: null, // User is fetched separately when needed\n  };\n}\n\nexport function isTokenExpired(expiresAt: number): boolean {\n  // Consider expired 30 seconds early for safety margin\n  return Date.now() / 1000 >= expiresAt - 30;\n}\n"],"mappings":";;;;;AAEO,SAAS,cAAc,QAAkD;AAC9E,MAAI,CAAC,OAAO,SAAU,OAAM,IAAI,MAAM,sCAAsC;AAC5E,MAAI,CAAC,OAAO,SAAU,OAAM,IAAI,MAAM,sCAAsC;AAC5E,MAAI,CAAC,OAAO,YAAa,OAAM,IAAI,MAAM,yCAAyC;AAClF,MAAI,CAAC,OAAO,iBAAiB,OAAO,cAAc,SAAS,IAAI;AAC7D,UAAM,IAAI,MAAM,8DAA8D;AAAA,EAChF;AAEA,SAAO;AAAA,IACL,UAAU,OAAO,SAAS,QAAQ,QAAQ,EAAE;AAAA,IAC5C,UAAU,OAAO;AAAA,IACjB,cAAc,OAAO,gBAAgB;AAAA,IACrC,aAAa,OAAO;AAAA,IACpB,uBAAuB,OAAO,yBAAyB;AAAA,IACvD,QAAQ,OAAO,UAAU;AAAA,IACzB,eAAe,OAAO;AAAA,IACtB,YAAY,OAAO,cAAc;AAAA,EACnC;AACF;;;AClBA,IAAM,QAAQ,oBAAI,IAA8D;AAChF,IAAM,eAAe,KAAK,KAAK;AAE/B,eAAsB,uBACpB,UAC4B;AAC5B,QAAM,SAAS,MAAM,IAAI,QAAQ;AACjC,MAAI,UAAU,KAAK,IAAI,IAAI,OAAO,YAAY,cAAc;AAC1D,WAAO,OAAO;AAAA,EAChB;AAEA,QAAM,MAAM,GAAG,QAAQ;AACvB,QAAM,MAAM,MAAM,MAAM,GAAG;AAC3B,MAAI,CAAC,IAAI,IAAI;AACX,UAAM,IAAI,MAAM,2CAA2C,GAAG,KAAK,IAAI,MAAM,EAAE;AAAA,EACjF;AAEA,QAAM,SAAU,MAAM,IAAI,KAAK;AAC/B,QAAM,IAAI,UAAU,EAAE,QAAQ,WAAW,KAAK,IAAI,EAAE,CAAC;AACrD,SAAO;AACT;;;ACtBA,SAAS,gBAAgB,kBAAkB,aAAa,kBAAkB;AAG1E,IAAM,YAAY;AAClB,IAAM,YAAY;AAClB,IAAM,kBAAkB;AACxB,IAAM,aAAa;AACnB,IAAM,OAAO;AAEb,SAAS,UAAU,QAAwB;AACzC,SAAO,WAAW,QAAQ,MAAM,UAAU;AAC5C;AAEO,SAAS,eAAe,MAAmB,QAAwB;AACxE,QAAM,MAAM,UAAU,MAAM;AAC5B,QAAM,KAAK,YAAY,SAAS;AAChC,QAAM,SAAS,eAAe,WAAW,KAAK,IAAI,EAAE,eAAe,gBAAgB,CAAC;AAEpF,QAAM,OAAO,KAAK,UAAU,IAAI;AAChC,QAAM,YAAY,OAAO,OAAO,CAAC,OAAO,OAAO,MAAM,MAAM,GAAG,OAAO,MAAM,CAAC,CAAC;AAC7E,QAAM,UAAU,OAAO,WAAW;AAGlC,SAAO,OAAO,OAAO,CAAC,IAAI,SAAS,SAAS,CAAC,EAAE,SAAS,WAAW;AACrE;AAEO,SAAS,eAAe,WAAmB,QAAoC;AACpF,MAAI;AACF,UAAM,MAAM,UAAU,MAAM;AAC5B,UAAM,MAAM,OAAO,KAAK,WAAW,WAAW;AAE9C,QAAI,IAAI,SAAS,YAAY,gBAAiB,QAAO;AAErD,UAAM,KAAK,IAAI,SAAS,GAAG,SAAS;AACpC,UAAM,UAAU,IAAI,SAAS,WAAW,YAAY,eAAe;AACnE,UAAM,aAAa,IAAI,SAAS,YAAY,eAAe;AAE3D,UAAM,WAAW,iBAAiB,WAAW,KAAK,IAAI,EAAE,eAAe,gBAAgB,CAAC;AACxF,aAAS,WAAW,OAAO;AAE3B,UAAM,YAAY,OAAO,OAAO,CAAC,SAAS,OAAO,UAAU,GAAG,SAAS,MAAM,CAAC,CAAC;AAC/E,WAAO,KAAK,MAAM,UAAU,SAAS,MAAM,CAAC;AAAA,EAC9C,QAAQ;AACN,WAAO;AAAA,EACT;AACF;AAYO,SAAS,mBACd,YACA,MACA,QACe;AACf,SAAO;AAAA,IACL,MAAM;AAAA,IACN,OAAO,eAAe,MAAM,MAAM;AAAA,IAClC,UAAU;AAAA,IACV,QAAQ,QAAQ,IAAI,aAAa;AAAA,IACjC,UAAU;AAAA,IACV,MAAM;AAAA,IACN,QAAQ,KAAK,KAAK,KAAK;AAAA;AAAA,EACzB;AACF;AAEO,SAAS,iBAAiB,YAAmC;AAClE,SAAO;AAAA,IACL,MAAM;AAAA,IACN,OAAO;AAAA,IACP,UAAU;AAAA,IACV,QAAQ,QAAQ,IAAI,aAAa;AAAA,IACjC,UAAU;AAAA,IACV,MAAM;AAAA,IACN,QAAQ;AAAA,EACV;AACF;AAEO,SAAS,gBACd,MACA,QACe;AACf,QAAM,MAAM,UAAU,MAAM;AAC5B,QAAM,KAAK,YAAY,SAAS;AAChC,QAAM,SAAS,eAAe,WAAW,KAAK,IAAI,EAAE,eAAe,gBAAgB,CAAC;AAEpF,QAAM,OAAO,KAAK,UAAU,IAAI;AAChC,QAAM,YAAY,OAAO,OAAO,CAAC,OAAO,OAAO,MAAM,MAAM,GAAG,OAAO,MAAM,CAAC,CAAC;AAC7E,QAAM,UAAU,OAAO,WAAW;AAElC,SAAO;AAAA,IACL,MAAM;AAAA,IACN,OAAO,OAAO,OAAO,CAAC,IAAI,SAAS,SAAS,CAAC,EAAE,SAAS,WAAW;AAAA,IACnE,UAAU;AAAA,IACV,QAAQ,QAAQ,IAAI,aAAa;AAAA,IACjC,UAAU;AAAA,IACV,MAAM;AAAA,IACN,QAAQ;AAAA;AAAA,EACV;AACF;AAEO,SAAS,kBACd,WACA,QACkE;AAClE,MAAI;AACF,UAAM,MAAM,UAAU,MAAM;AAC5B,UAAM,MAAM,OAAO,KAAK,WAAW,WAAW;AAE9C,QAAI,IAAI,SAAS,YAAY,gBAAiB,QAAO;AAErD,UAAM,KAAK,IAAI,SAAS,GAAG,SAAS;AACpC,UAAM,UAAU,IAAI,SAAS,WAAW,YAAY,eAAe;AACnE,UAAM,aAAa,IAAI,SAAS,YAAY,eAAe;AAE3D,UAAM,WAAW,iBAAiB,WAAW,KAAK,IAAI,EAAE,eAAe,gBAAgB,CAAC;AACxF,aAAS,WAAW,OAAO;AAE3B,UAAM,YAAY,OAAO,OAAO,CAAC,SAAS,OAAO,UAAU,GAAG,SAAS,MAAM,CAAC,CAAC;AAC/E,WAAO,KAAK,MAAM,UAAU,SAAS,MAAM,CAAC;AAAA,EAC9C,QAAQ;AACN,WAAO;AAAA,EACT;AACF;;;AClHA,eAAsB,aACpB,YACA,QACwB;AACxB,QAAM,OAAO,IAAI,gBAAgB;AAAA,IAC/B,YAAY;AAAA,IACZ,MAAM,OAAO;AAAA,IACb,eAAe,OAAO;AAAA,IACtB,WAAW,OAAO;AAAA,IAClB,cAAc,OAAO;AAAA,EACvB,CAAC;AACD,MAAI,OAAO,cAAc;AACvB,SAAK,IAAI,iBAAiB,OAAO,YAAY;AAAA,EAC/C;AAEA,QAAM,MAAM,MAAM,MAAM,WAAW,gBAAgB;AAAA,IACjD,QAAQ;AAAA,IACR,SAAS,EAAE,gBAAgB,oCAAoC;AAAA,IAC/D,MAAM,KAAK,SAAS;AAAA,EACtB,CAAC;AAED,MAAI,CAAC,IAAI,IAAI;AACX,UAAM,QAAQ,MAAM,IAAI,KAAK;AAC7B,UAAM,IAAI,MAAM,0BAA0B,IAAI,MAAM,MAAM,KAAK,EAAE;AAAA,EACnE;AAEA,SAAO,IAAI,KAAK;AAClB;AAEA,eAAsB,mBACpB,YACA,QACwB;AACxB,QAAM,OAAO,IAAI,gBAAgB;AAAA,IAC/B,YAAY;AAAA,IACZ,eAAe,OAAO;AAAA,IACtB,WAAW,OAAO;AAAA,EACpB,CAAC;AACD,MAAI,OAAO,cAAc;AACvB,SAAK,IAAI,iBAAiB,OAAO,YAAY;AAAA,EAC/C;AAEA,QAAM,MAAM,MAAM,MAAM,WAAW,gBAAgB;AAAA,IACjD,QAAQ;AAAA,IACR,SAAS,EAAE,gBAAgB,oCAAoC;AAAA,IAC/D,MAAM,KAAK,SAAS;AAAA,EACtB,CAAC;AAED,MAAI,CAAC,IAAI,IAAI;AACX,UAAM,QAAQ,MAAM,IAAI,KAAK;AAC7B,UAAM,IAAI,MAAM,yBAAyB,IAAI,MAAM,MAAM,KAAK,EAAE;AAAA,EAClE;AAEA,SAAO,IAAI,KAAK;AAClB;AAoBA,eAAsB,YACpB,YACA,OACe;AACf,QAAM,MAAM,WAAW,qBAAqB;AAAA,IAC1C,QAAQ;AAAA,IACR,SAAS,EAAE,gBAAgB,oCAAoC;AAAA,IAC/D,MAAM,IAAI,gBAAgB,EAAE,MAAM,CAAC,EAAE,SAAS;AAAA,EAChD,CAAC;AACH;;;ACjGO,SAAS,mBAAmB,MAAmC;AACpE,MAAI,CAAC,MAAM;AACT,WAAO;AAAA,MACL;AAAA,MACA,aAAa;AAAA,MACb,cAAc;AAAA,MACd,SAAS;AAAA,MACT,WAAW;AAAA,MACX,MAAM;AAAA,IACR;AAAA,EACF;AAEA,SAAO;AAAA,IACL;AAAA,IACA,aAAa,KAAK;AAAA,IAClB,cAAc,KAAK;AAAA,IACnB,SAAS,KAAK;AAAA,IACd,WAAW,KAAK;AAAA,IAChB,MAAM;AAAA;AAAA,EACR;AACF;AAEO,SAAS,eAAe,WAA4B;AAEzD,SAAO,KAAK,IAAI,IAAI,OAAQ,YAAY;AAC1C;","names":[]}

package/dist/chunk-UY6NEM2T.js

@@ -0,0 +1,23 @@
+// src/types.ts
+var Page = /* @__PURE__ */ ((Page2) => {
+  Page2["Settings"] = "/settings";
+  return Page2;
+})(Page || {});
+var DEFAULT_SCOPES = [
+  "openid",
+  "offline_access",
+  "https://authgear.com/scopes/full-userinfo"
+];
+var SessionState = /* @__PURE__ */ ((SessionState2) => {
+  SessionState2["Unknown"] = "UNKNOWN";
+  SessionState2["NoSession"] = "NO_SESSION";
+  SessionState2["Authenticated"] = "AUTHENTICATED";
+  return SessionState2;
+})(SessionState || {});
+
+export {
+  Page,
+  DEFAULT_SCOPES,
+  SessionState
+};
+//# sourceMappingURL=chunk-UY6NEM2T.js.map

package/dist/chunk-UY6NEM2T.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../src/types.ts"],"sourcesContent":["export interface AuthgearConfig {\n  /** Authgear endpoint, e.g. \"https://myapp.authgear.cloud\" */\n  endpoint: string;\n  /** OAuth client ID */\n  clientID: string;\n  /** OAuth client secret (for confidential server-side clients) */\n  clientSecret?: string;\n  /** Redirect URI for OAuth callback, e.g. \"http://localhost:3000/api/auth/callback\" */\n  redirectURI: string;\n  /** Where to redirect after logout */\n  postLogoutRedirectURI?: string;\n  /** OAuth scopes. Defaults to [\"openid\", \"offline_access\", \"https://authgear.com/scopes/full-userinfo\"] */\n  scopes?: string[];\n  /** Secret key for encrypting session cookie (min 32 chars) */\n  sessionSecret: string;\n  /** Session cookie name. Defaults to \"authgear.session\" */\n  cookieName?: string;\n}\n\n/**\n * Pages that can be opened via open().\n */\nexport enum Page {\n  Settings = \"/settings\",\n}\n\nexport const DEFAULT_SCOPES = [\n  \"openid\",\n  \"offline_access\",\n  \"https://authgear.com/scopes/full-userinfo\",\n];\n\nexport enum SessionState {\n  Unknown = \"UNKNOWN\",\n  NoSession = \"NO_SESSION\",\n  Authenticated = \"AUTHENTICATED\",\n}\n\nexport interface SessionData {\n  accessToken: string;\n  refreshToken: string | null;\n  idToken: string | null;\n  expiresAt: number;\n}\n\nexport interface Session {\n  state: SessionState;\n  accessToken: string | null;\n  refreshToken: string | null;\n  idToken: string | null;\n  expiresAt: number | null;\n  user: UserInfo | null;\n}\n\nexport interface UserInfo {\n  sub: string;\n  email?: string;\n  emailVerified?: boolean;\n  phoneNumber?: string;\n  phoneNumberVerified?: boolean;\n  preferredUsername?: string;\n  givenName?: string;\n  familyName?: string;\n  name?: string;\n  picture?: string;\n  roles?: string[];\n  isAnonymous?: boolean;\n  isVerified?: boolean;\n  canReauthenticate?: boolean;\n  customAttributes?: Record<string, unknown>;\n  raw: Record<string, unknown>;\n}\n\nexport interface JWTPayload {\n  sub: string;\n  iss: string;\n  aud: string | string[];\n  exp: number;\n  iat: number;\n  jti?: string;\n  client_id?: string;\n  \"https://authgear.com/claims/user/is_anonymous\"?: boolean;\n  \"https://authgear.com/claims/user/is_verified\"?: boolean;\n  \"https://authgear.com/claims/user/can_reauthenticate\"?: boolean;\n  \"https://authgear.com/claims/user/roles\"?: string[];\n  [key: string]: unknown;\n}\n\nexport interface TokenResponse {\n  access_token: string;\n  token_type: string;\n  expires_in: number;\n  refresh_token?: string;\n  id_token?: string;\n}\n\nexport interface AppSessionTokenResponse {\n  app_session_token: string;\n  expire_at: string;\n}\n\nexport interface OIDCConfiguration {\n  authorization_endpoint: string;\n  token_endpoint: string;\n  userinfo_endpoint: string;\n  revocation_endpoint: string;\n  end_session_endpoint: string;\n  jwks_uri: string;\n  issuer: string;\n}\n"],"mappings":";AAsBO,IAAK,OAAL,kBAAKA,UAAL;AACL,EAAAA,MAAA,cAAW;AADD,SAAAA;AAAA,GAAA;AAIL,IAAM,iBAAiB;AAAA,EAC5B;AAAA,EACA;AAAA,EACA;AACF;AAEO,IAAK,eAAL,kBAAKC,kBAAL;AACL,EAAAA,cAAA,aAAU;AACV,EAAAA,cAAA,eAAY;AACZ,EAAAA,cAAA,mBAAgB;AAHN,SAAAA;AAAA,GAAA;","names":["Page","SessionState"]}