@authgear/nextjs 0.1.1

package/dist/client.d.ts

@@ -0,0 +1,48 @@
+import * as react_jsx_runtime from 'react/jsx-runtime';
+import { ReactNode, ButtonHTMLAttributes } from 'react';
+import { b as SessionState, U as UserInfo } from './types-Csfra4K2.js';
+export { S as Session } from './types-Csfra4K2.js';
+
+interface SignInOptions {
+    returnTo?: string;
+    loginPath?: string;
+}
+interface AuthgearProviderProps {
+    children: ReactNode;
+    /** Path to the userinfo API route. Defaults to "/api/auth/userinfo". */
+    userInfoPath?: string;
+    /** Path to the login route. Defaults to "/api/auth/login". */
+    loginPath?: string;
+    /** Path to the logout route. Defaults to "/api/auth/logout". */
+    logoutPath?: string;
+}
+declare function AuthgearProvider({ children, userInfoPath, loginPath, logoutPath, }: AuthgearProviderProps): react_jsx_runtime.JSX.Element;
+
+interface SignInButtonProps extends ButtonHTMLAttributes<HTMLButtonElement> {
+    signInOptions?: SignInOptions;
+}
+declare function SignInButton({ signInOptions, children, ...props }: SignInButtonProps): react_jsx_runtime.JSX.Element;
+
+type SignOutButtonProps = ButtonHTMLAttributes<HTMLButtonElement>;
+declare function SignOutButton({ children, ...props }: SignOutButtonProps): react_jsx_runtime.JSX.Element;
+
+interface UseAuthgearReturn {
+    /** Current session state */
+    state: SessionState;
+    /** Current user info, null if not authenticated */
+    user: UserInfo | null;
+    /** Whether the initial session check has completed */
+    isLoaded: boolean;
+    /** Whether the user is currently authenticated */
+    isAuthenticated: boolean;
+    /** Navigate to the sign-in page */
+    signIn: (options?: SignInOptions) => void;
+    /** Navigate to the sign-out endpoint */
+    signOut: () => void;
+}
+declare function useAuthgear(): UseAuthgearReturn;
+
+/** Returns the current user info, or null if not authenticated. */
+declare function useUser(): UserInfo | null;
+
+export { AuthgearProvider, type AuthgearProviderProps, SessionState, SignInButton, type SignInButtonProps, type SignInOptions, SignOutButton, type SignOutButtonProps, type UseAuthgearReturn, UserInfo, useAuthgear, useUser };

package/dist/client.js

@@ -0,0 +1,119 @@
+"use client";
+import {
+  SessionState
+} from "./chunk-UY6NEM2T.js";
+
+// src/components/AuthgearProvider.tsx
+import {
+  createContext,
+  useContext,
+  useEffect,
+  useState,
+  useCallback
+} from "react";
+import { jsx } from "react/jsx-runtime";
+var AuthgearContext = createContext(null);
+function AuthgearProvider({
+  children,
+  userInfoPath = "/api/auth/userinfo",
+  loginPath = "/api/auth/login",
+  logoutPath = "/api/auth/logout"
+}) {
+  const [state, setState] = useState("UNKNOWN" /* Unknown */);
+  const [user, setUser] = useState(null);
+  const [isLoaded, setIsLoaded] = useState(false);
+  useEffect(() => {
+    let cancelled = false;
+    async function fetchSession() {
+      try {
+        const res = await fetch(userInfoPath);
+        if (cancelled) return;
+        if (res.ok) {
+          const userInfo = await res.json();
+          setState("AUTHENTICATED" /* Authenticated */);
+          setUser(userInfo);
+        } else {
+          setState("NO_SESSION" /* NoSession */);
+          setUser(null);
+        }
+      } catch {
+        if (!cancelled) {
+          setState("NO_SESSION" /* NoSession */);
+          setUser(null);
+        }
+      } finally {
+        if (!cancelled) {
+          setIsLoaded(true);
+        }
+      }
+    }
+    fetchSession();
+    return () => {
+      cancelled = true;
+    };
+  }, [userInfoPath]);
+  const signIn = useCallback(
+    (options) => {
+      const path = options?.loginPath ?? loginPath;
+      const url = new URL(path, window.location.origin);
+      if (options?.returnTo) {
+        url.searchParams.set("returnTo", options.returnTo);
+      }
+      window.location.href = url.toString();
+    },
+    [loginPath]
+  );
+  const signOut = useCallback(() => {
+    window.location.href = logoutPath;
+  }, [logoutPath]);
+  return /* @__PURE__ */ jsx(AuthgearContext.Provider, { value: { state, user, isLoaded, signIn, signOut }, children });
+}
+function useAuthgearContext() {
+  const ctx = useContext(AuthgearContext);
+  if (!ctx) {
+    throw new Error("useAuthgearContext must be used within <AuthgearProvider>");
+  }
+  return ctx;
+}
+
+// src/components/SignInButton.tsx
+import { jsx as jsx2 } from "react/jsx-runtime";
+function SignInButton({ signInOptions, children = "Sign In", ...props }) {
+  const { signIn } = useAuthgearContext();
+  return /* @__PURE__ */ jsx2("button", { ...props, onClick: () => signIn(signInOptions), children });
+}
+
+// src/components/SignOutButton.tsx
+import { jsx as jsx3 } from "react/jsx-runtime";
+function SignOutButton({ children = "Sign Out", ...props }) {
+  const { signOut } = useAuthgearContext();
+  return /* @__PURE__ */ jsx3("button", { ...props, onClick: signOut, children });
+}
+
+// src/hooks/useAuthgear.ts
+function useAuthgear() {
+  const { state, user, isLoaded, signIn, signOut } = useAuthgearContext();
+  return {
+    state,
+    user,
+    isLoaded,
+    isAuthenticated: state === "AUTHENTICATED" /* Authenticated */,
+    signIn,
+    signOut
+  };
+}
+
+// src/hooks/useUser.ts
+function useUser() {
+  const { user } = useAuthgearContext();
+  return user;
+}
+export {
+  AuthgearProvider,
+  SessionState,
+  SignInButton,
+  SignOutButton,
+  useAuthgear,
+  useUser
+};
+//# sourceMappingURL=client.js.map

package/dist/client.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../src/components/AuthgearProvider.tsx","../src/components/SignInButton.tsx","../src/components/SignOutButton.tsx","../src/hooks/useAuthgear.ts","../src/hooks/useUser.ts"],"sourcesContent":["\"use client\";\n\nimport React, {\n  createContext,\n  useContext,\n  useEffect,\n  useState,\n  useCallback,\n  type ReactNode,\n} from \"react\";\nimport { SessionState, type UserInfo } from \"../types.js\";\n\nexport interface AuthgearContextValue {\n  state: SessionState;\n  user: UserInfo | null;\n  isLoaded: boolean;\n  signIn: (options?: SignInOptions) => void;\n  signOut: () => void;\n}\n\nexport interface SignInOptions {\n  returnTo?: string;\n  loginPath?: string;\n}\n\nconst AuthgearContext = createContext<AuthgearContextValue | null>(null);\n\nexport interface AuthgearProviderProps {\n  children: ReactNode;\n  /** Path to the userinfo API route. Defaults to \"/api/auth/userinfo\". */\n  userInfoPath?: string;\n  /** Path to the login route. Defaults to \"/api/auth/login\". */\n  loginPath?: string;\n  /** Path to the logout route. Defaults to \"/api/auth/logout\". */\n  logoutPath?: string;\n}\n\nexport function AuthgearProvider({\n  children,\n  userInfoPath = \"/api/auth/userinfo\",\n  loginPath = \"/api/auth/login\",\n  logoutPath = \"/api/auth/logout\",\n}: AuthgearProviderProps) {\n  const [state, setState] = useState<SessionState>(SessionState.Unknown);\n  const [user, setUser] = useState<UserInfo | null>(null);\n  const [isLoaded, setIsLoaded] = useState(false);\n\n  useEffect(() => {\n    let cancelled = false;\n\n    async function fetchSession() {\n      try {\n        const res = await fetch(userInfoPath);\n        if (cancelled) return;\n\n        if (res.ok) {\n          const userInfo = (await res.json()) as UserInfo;\n          setState(SessionState.Authenticated);\n          setUser(userInfo);\n        } else {\n          setState(SessionState.NoSession);\n          setUser(null);\n        }\n      } catch {\n        if (!cancelled) {\n          setState(SessionState.NoSession);\n          setUser(null);\n        }\n      } finally {\n        if (!cancelled) {\n          setIsLoaded(true);\n        }\n      }\n    }\n\n    fetchSession();\n    return () => { cancelled = true; };\n  }, [userInfoPath]);\n\n  const signIn = useCallback(\n    (options?: SignInOptions) => {\n      const path = options?.loginPath ?? loginPath;\n      const url = new URL(path, window.location.origin);\n      if (options?.returnTo) {\n        url.searchParams.set(\"returnTo\", options.returnTo);\n      }\n      window.location.href = url.toString();\n    },\n    [loginPath],\n  );\n\n  const signOut = useCallback(() => {\n    window.location.href = logoutPath;\n  }, [logoutPath]);\n\n  return (\n    <AuthgearContext.Provider value={{ state, user, isLoaded, signIn, signOut }}>\n      {children}\n    </AuthgearContext.Provider>\n  );\n}\n\nexport function useAuthgearContext(): AuthgearContextValue {\n  const ctx = useContext(AuthgearContext);\n  if (!ctx) {\n    throw new Error(\"useAuthgearContext must be used within <AuthgearProvider>\");\n  }\n  return ctx;\n}\n","\"use client\";\n\nimport React, { type ButtonHTMLAttributes } from \"react\";\nimport { useAuthgearContext, type SignInOptions } from \"./AuthgearProvider.js\";\n\nexport interface SignInButtonProps extends ButtonHTMLAttributes<HTMLButtonElement> {\n  signInOptions?: SignInOptions;\n}\n\nexport function SignInButton({ signInOptions, children = \"Sign In\", ...props }: SignInButtonProps) {\n  const { signIn } = useAuthgearContext();\n  return (\n    <button {...props} onClick={() => signIn(signInOptions)}>\n      {children}\n    </button>\n  );\n}\n","\"use client\";\n\nimport React, { type ButtonHTMLAttributes } from \"react\";\nimport { useAuthgearContext } from \"./AuthgearProvider.js\";\n\nexport type SignOutButtonProps = ButtonHTMLAttributes<HTMLButtonElement>;\n\nexport function SignOutButton({ children = \"Sign Out\", ...props }: SignOutButtonProps) {\n  const { signOut } = useAuthgearContext();\n  return (\n    <button {...props} onClick={signOut}>\n      {children}\n    </button>\n  );\n}\n","\"use client\";\n\nimport { useAuthgearContext, type SignInOptions } from \"../components/AuthgearProvider.js\";\nimport { SessionState, type UserInfo } from \"../types.js\";\n\nexport interface UseAuthgearReturn {\n  /** Current session state */\n  state: SessionState;\n  /** Current user info, null if not authenticated */\n  user: UserInfo | null;\n  /** Whether the initial session check has completed */\n  isLoaded: boolean;\n  /** Whether the user is currently authenticated */\n  isAuthenticated: boolean;\n  /** Navigate to the sign-in page */\n  signIn: (options?: SignInOptions) => void;\n  /** Navigate to the sign-out endpoint */\n  signOut: () => void;\n}\n\nexport function useAuthgear(): UseAuthgearReturn {\n  const { state, user, isLoaded, signIn, signOut } = useAuthgearContext();\n\n  return {\n    state,\n    user,\n    isLoaded,\n    isAuthenticated: state === SessionState.Authenticated,\n    signIn,\n    signOut,\n  };\n}\n","\"use client\";\n\nimport { useAuthgearContext } from \"../components/AuthgearProvider.js\";\nimport type { UserInfo } from \"../types.js\";\n\n/** Returns the current user info, or null if not authenticated. */\nexport function useUser(): UserInfo | null {\n  const { user } = useAuthgearContext();\n  return user;\n}\n"],"mappings":";;;;;;AAEA;AAAA,EACE;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,OAEK;AAuFH;AAvEJ,IAAM,kBAAkB,cAA2C,IAAI;AAYhE,SAAS,iBAAiB;AAAA,EAC/B;AAAA,EACA,eAAe;AAAA,EACf,YAAY;AAAA,EACZ,aAAa;AACf,GAA0B;AACxB,QAAM,CAAC,OAAO,QAAQ,IAAI,gCAA2C;AACrE,QAAM,CAAC,MAAM,OAAO,IAAI,SAA0B,IAAI;AACtD,QAAM,CAAC,UAAU,WAAW,IAAI,SAAS,KAAK;AAE9C,YAAU,MAAM;AACd,QAAI,YAAY;AAEhB,mBAAe,eAAe;AAC5B,UAAI;AACF,cAAM,MAAM,MAAM,MAAM,YAAY;AACpC,YAAI,UAAW;AAEf,YAAI,IAAI,IAAI;AACV,gBAAM,WAAY,MAAM,IAAI,KAAK;AACjC,sDAAmC;AACnC,kBAAQ,QAAQ;AAAA,QAClB,OAAO;AACL,+CAA+B;AAC/B,kBAAQ,IAAI;AAAA,QACd;AAAA,MACF,QAAQ;AACN,YAAI,CAAC,WAAW;AACd,+CAA+B;AAC/B,kBAAQ,IAAI;AAAA,QACd;AAAA,MACF,UAAE;AACA,YAAI,CAAC,WAAW;AACd,sBAAY,IAAI;AAAA,QAClB;AAAA,MACF;AAAA,IACF;AAEA,iBAAa;AACb,WAAO,MAAM;AAAE,kBAAY;AAAA,IAAM;AAAA,EACnC,GAAG,CAAC,YAAY,CAAC;AAEjB,QAAM,SAAS;AAAA,IACb,CAAC,YAA4B;AAC3B,YAAM,OAAO,SAAS,aAAa;AACnC,YAAM,MAAM,IAAI,IAAI,MAAM,OAAO,SAAS,MAAM;AAChD,UAAI,SAAS,UAAU;AACrB,YAAI,aAAa,IAAI,YAAY,QAAQ,QAAQ;AAAA,MACnD;AACA,aAAO,SAAS,OAAO,IAAI,SAAS;AAAA,IACtC;AAAA,IACA,CAAC,SAAS;AAAA,EACZ;AAEA,QAAM,UAAU,YAAY,MAAM;AAChC,WAAO,SAAS,OAAO;AAAA,EACzB,GAAG,CAAC,UAAU,CAAC;AAEf,SACE,oBAAC,gBAAgB,UAAhB,EAAyB,OAAO,EAAE,OAAO,MAAM,UAAU,QAAQ,QAAQ,GACvE,UACH;AAEJ;AAEO,SAAS,qBAA2C;AACzD,QAAM,MAAM,WAAW,eAAe;AACtC,MAAI,CAAC,KAAK;AACR,UAAM,IAAI,MAAM,2DAA2D;AAAA,EAC7E;AACA,SAAO;AACT;;;AChGI,gBAAAA,YAAA;AAHG,SAAS,aAAa,EAAE,eAAe,WAAW,WAAW,GAAG,MAAM,GAAsB;AACjG,QAAM,EAAE,OAAO,IAAI,mBAAmB;AACtC,SACE,gBAAAA,KAAC,YAAQ,GAAG,OAAO,SAAS,MAAM,OAAO,aAAa,GACnD,UACH;AAEJ;;;ACNI,gBAAAC,YAAA;AAHG,SAAS,cAAc,EAAE,WAAW,YAAY,GAAG,MAAM,GAAuB;AACrF,QAAM,EAAE,QAAQ,IAAI,mBAAmB;AACvC,SACE,gBAAAA,KAAC,YAAQ,GAAG,OAAO,SAAS,SACzB,UACH;AAEJ;;;ACMO,SAAS,cAAiC;AAC/C,QAAM,EAAE,OAAO,MAAM,UAAU,QAAQ,QAAQ,IAAI,mBAAmB;AAEtE,SAAO;AAAA,IACL;AAAA,IACA;AAAA,IACA;AAAA,IACA,iBAAiB;AAAA,IACjB;AAAA,IACA;AAAA,EACF;AACF;;;ACzBO,SAAS,UAA2B;AACzC,QAAM,EAAE,KAAK,IAAI,mBAAmB;AACpC,SAAO;AACT;","names":["jsx","jsx"]}

package/dist/index.d.ts

@@ -0,0 +1,34 @@
+import { NextRequest, NextResponse } from 'next/server';
+import { A as AuthgearConfig } from './types-Csfra4K2.js';
+export { D as DEFAULT_SCOPES, J as JWTPayload, O as OIDCConfiguration, P as Page, S as Session, a as SessionData, b as SessionState, T as TokenResponse, U as UserInfo } from './types-Csfra4K2.js';
+
+/**
+ * Creates Next.js route handlers for all Authgear auth endpoints.
+ *
+ * Usage in `app/api/auth/[...authgear]/route.ts`:
+ * ```ts
+ * import { createAuthgearHandlers } from "@authgear/nextjs";
+ * export const { GET, POST } = createAuthgearHandlers(config);
+ * ```
+ *
+ * Routes handled:
+ * - GET /api/auth/login     — Start OAuth flow
+ * - GET /api/auth/callback  — Handle OAuth callback
+ * - GET /api/auth/logout    — Logout and revoke tokens
+ * - POST /api/auth/refresh  — Refresh access token
+ * - GET /api/auth/userinfo  — Get current user info
+ */
+declare function createAuthgearHandlers(config: AuthgearConfig): {
+    GET: (request: NextRequest, { params }: {
+        params: Promise<{
+            authgear: string[];
+        }>;
+    }) => Promise<NextResponse>;
+    POST: (request: NextRequest, { params }: {
+        params: Promise<{
+            authgear: string[];
+        }>;
+    }) => Promise<NextResponse>;
+};
+
+export { AuthgearConfig, createAuthgearHandlers };

package/dist/index.js

@@ -0,0 +1,294 @@
+import {
+  parseUserInfo
+} from "./chunk-3KVYAFQJ.js";
+import {
+  buildClearCookie,
+  buildPKCECookie,
+  buildSessionCookie,
+  decryptPKCECookie,
+  decryptSession,
+  exchangeCode,
+  fetchOIDCConfiguration,
+  isTokenExpired,
+  refreshAccessToken,
+  resolveConfig,
+  revokeToken
+} from "./chunk-MJD3XNUK.js";
+import {
+  DEFAULT_SCOPES,
+  Page,
+  SessionState
+} from "./chunk-UY6NEM2T.js";
+
+// src/handlers/index.ts
+import { NextResponse as NextResponse6 } from "next/server";
+
+// src/handlers/login.ts
+import { NextResponse } from "next/server";
+
+// src/oauth/pkce.ts
+import { randomBytes, createHash } from "crypto";
+var VERIFIER_LENGTH = 64;
+function generateCodeVerifier() {
+  return randomBytes(VERIFIER_LENGTH).toString("base64url").slice(0, VERIFIER_LENGTH);
+}
+function computeCodeChallenge(codeVerifier) {
+  return createHash("sha256").update(codeVerifier).digest("base64url");
+}
+
+// src/oauth/authorize.ts
+import { randomBytes as randomBytes2 } from "crypto";
+function generateState() {
+  return randomBytes2(32).toString("base64url");
+}
+function buildAuthorizeURL(oidcConfig, params) {
+  const url = new URL(oidcConfig.authorization_endpoint);
+  url.searchParams.set("response_type", "code");
+  url.searchParams.set("client_id", params.clientID);
+  url.searchParams.set("redirect_uri", params.redirectURI);
+  url.searchParams.set("scope", params.scopes.join(" "));
+  url.searchParams.set("code_challenge", computeCodeChallenge(params.codeVerifier));
+  url.searchParams.set("code_challenge_method", "S256");
+  url.searchParams.set("state", params.state);
+  return url.toString();
+}
+
+// src/handlers/login.ts
+async function handleLogin(request, config) {
+  const resolved = resolveConfig(config);
+  const oidcConfig = await fetchOIDCConfiguration(resolved.endpoint);
+  const returnTo = request.nextUrl.searchParams.get("returnTo") ?? "/";
+  const codeVerifier = generateCodeVerifier();
+  const state = generateState();
+  const authorizeURL = buildAuthorizeURL(oidcConfig, {
+    clientID: resolved.clientID,
+    redirectURI: resolved.redirectURI,
+    scopes: resolved.scopes,
+    codeVerifier,
+    state
+  });
+  const pkceCookie = buildPKCECookie({ codeVerifier, state, returnTo }, resolved.sessionSecret);
+  const response = NextResponse.redirect(authorizeURL);
+  response.cookies.set(pkceCookie.name, pkceCookie.value, {
+    httpOnly: pkceCookie.httpOnly,
+    secure: pkceCookie.secure,
+    sameSite: pkceCookie.sameSite,
+    path: pkceCookie.path,
+    maxAge: pkceCookie.maxAge
+  });
+  return response;
+}
+
+// src/handlers/callback.ts
+import { NextResponse as NextResponse2 } from "next/server";
+async function handleCallback(request, config) {
+  const resolved = resolveConfig(config);
+  const code = request.nextUrl.searchParams.get("code");
+  const state = request.nextUrl.searchParams.get("state");
+  const error = request.nextUrl.searchParams.get("error");
+  const errorDescription = request.nextUrl.searchParams.get("error_description");
+  if (error) {
+    return NextResponse2.json(
+      { error, error_description: errorDescription },
+      { status: 400 }
+    );
+  }
+  if (!code || !state) {
+    return NextResponse2.json(
+      { error: "missing_params", error_description: "Missing code or state parameter" },
+      { status: 400 }
+    );
+  }
+  const pkceCookieValue = request.cookies.get("authgear.pkce")?.value;
+  if (!pkceCookieValue) {
+    return NextResponse2.json(
+      { error: "invalid_state", error_description: "Missing PKCE cookie" },
+      { status: 400 }
+    );
+  }
+  const pkceData = decryptPKCECookie(pkceCookieValue, resolved.sessionSecret);
+  if (!pkceData || pkceData.state !== state) {
+    return NextResponse2.json(
+      { error: "invalid_state", error_description: "State mismatch" },
+      { status: 400 }
+    );
+  }
+  const oidcConfig = await fetchOIDCConfiguration(resolved.endpoint);
+  const tokenResponse = await exchangeCode(oidcConfig, {
+    code,
+    codeVerifier: pkceData.codeVerifier,
+    clientID: resolved.clientID,
+    clientSecret: resolved.clientSecret || void 0,
+    redirectURI: resolved.redirectURI
+  });
+  const sessionCookie = buildSessionCookie(
+    resolved.cookieName,
+    {
+      accessToken: tokenResponse.access_token,
+      refreshToken: tokenResponse.refresh_token ?? null,
+      idToken: tokenResponse.id_token ?? null,
+      expiresAt: Math.floor(Date.now() / 1e3) + tokenResponse.expires_in
+    },
+    resolved.sessionSecret
+  );
+  const returnTo = pkceData.returnTo || "/";
+  const redirectURL = new URL(returnTo, request.nextUrl.origin);
+  const response = NextResponse2.redirect(redirectURL);
+  response.cookies.set(sessionCookie.name, sessionCookie.value, {
+    httpOnly: sessionCookie.httpOnly,
+    secure: sessionCookie.secure,
+    sameSite: sessionCookie.sameSite,
+    path: sessionCookie.path,
+    maxAge: sessionCookie.maxAge
+  });
+  response.cookies.set("authgear.pkce", "", { maxAge: 0, path: "/" });
+  return response;
+}
+
+// src/handlers/logout.ts
+import { NextResponse as NextResponse3 } from "next/server";
+async function handleLogout(request, config) {
+  const resolved = resolveConfig(config);
+  const sessionCookie = request.cookies.get(resolved.cookieName)?.value;
+  if (sessionCookie) {
+    const session = decryptSession(sessionCookie, resolved.sessionSecret);
+    if (session?.refreshToken) {
+      const oidcConfig = await fetchOIDCConfiguration(resolved.endpoint);
+      try {
+        await revokeToken(oidcConfig, session.refreshToken);
+      } catch {
+      }
+    }
+  }
+  const clearCookie = buildClearCookie(resolved.cookieName);
+  const redirectURL = new URL(resolved.postLogoutRedirectURI, request.nextUrl.origin);
+  const response = NextResponse3.redirect(redirectURL);
+  response.cookies.set(clearCookie.name, clearCookie.value, {
+    httpOnly: clearCookie.httpOnly,
+    secure: clearCookie.secure,
+    sameSite: clearCookie.sameSite,
+    path: clearCookie.path,
+    maxAge: clearCookie.maxAge
+  });
+  return response;
+}
+
+// src/handlers/refresh.ts
+import { NextResponse as NextResponse4 } from "next/server";
+async function handleRefresh(request, config) {
+  const resolved = resolveConfig(config);
+  const sessionCookieValue = request.cookies.get(resolved.cookieName)?.value;
+  if (!sessionCookieValue) {
+    return NextResponse4.json({ error: "no_session" }, { status: 401 });
+  }
+  const session = decryptSession(sessionCookieValue, resolved.sessionSecret);
+  if (!session?.refreshToken) {
+    return NextResponse4.json({ error: "no_refresh_token" }, { status: 401 });
+  }
+  const oidcConfig = await fetchOIDCConfiguration(resolved.endpoint);
+  const tokenResponse = await refreshAccessToken(oidcConfig, {
+    refreshToken: session.refreshToken,
+    clientID: resolved.clientID,
+    clientSecret: resolved.clientSecret || void 0
+  });
+  const newSession = {
+    accessToken: tokenResponse.access_token,
+    refreshToken: tokenResponse.refresh_token ?? session.refreshToken,
+    idToken: tokenResponse.id_token ?? session.idToken,
+    expiresAt: Math.floor(Date.now() / 1e3) + tokenResponse.expires_in
+  };
+  const sessionCookie = buildSessionCookie(resolved.cookieName, newSession, resolved.sessionSecret);
+  const response = NextResponse4.json({ ok: true });
+  response.cookies.set(sessionCookie.name, sessionCookie.value, {
+    httpOnly: sessionCookie.httpOnly,
+    secure: sessionCookie.secure,
+    sameSite: sessionCookie.sameSite,
+    path: sessionCookie.path,
+    maxAge: sessionCookie.maxAge
+  });
+  return response;
+}
+
+// src/handlers/userinfo.ts
+import { NextResponse as NextResponse5 } from "next/server";
+async function handleUserInfo(request, config) {
+  const resolved = resolveConfig(config);
+  const sessionCookieValue = request.cookies.get(resolved.cookieName)?.value;
+  if (!sessionCookieValue) {
+    return NextResponse5.json({ error: "no_session" }, { status: 401 });
+  }
+  let session = decryptSession(sessionCookieValue, resolved.sessionSecret);
+  if (!session) {
+    return NextResponse5.json({ error: "invalid_session" }, { status: 401 });
+  }
+  const oidcConfig = await fetchOIDCConfiguration(resolved.endpoint);
+  if (isTokenExpired(session.expiresAt) && session.refreshToken) {
+    const tokenResponse = await refreshAccessToken(oidcConfig, {
+      refreshToken: session.refreshToken,
+      clientID: resolved.clientID,
+      clientSecret: resolved.clientSecret || void 0
+    });
+    session = {
+      accessToken: tokenResponse.access_token,
+      refreshToken: tokenResponse.refresh_token ?? session.refreshToken,
+      idToken: tokenResponse.id_token ?? session.idToken,
+      expiresAt: Math.floor(Date.now() / 1e3) + tokenResponse.expires_in
+    };
+  }
+  const userinfoRes = await fetch(oidcConfig.userinfo_endpoint, {
+    headers: { Authorization: `Bearer ${session.accessToken}` }
+  });
+  if (!userinfoRes.ok) {
+    return NextResponse5.json({ error: "userinfo_failed" }, { status: userinfoRes.status });
+  }
+  const raw = await userinfoRes.json();
+  const userInfo = parseUserInfo(raw);
+  const response = NextResponse5.json(userInfo);
+  const newCookie = buildSessionCookie(resolved.cookieName, session, resolved.sessionSecret);
+  response.cookies.set(newCookie.name, newCookie.value, {
+    httpOnly: newCookie.httpOnly,
+    secure: newCookie.secure,
+    sameSite: newCookie.sameSite,
+    path: newCookie.path,
+    maxAge: newCookie.maxAge
+  });
+  return response;
+}
+
+// src/handlers/index.ts
+function createAuthgearHandlers(config) {
+  async function GET(request, { params }) {
+    const { authgear } = await params;
+    const action = authgear?.[0];
+    switch (action) {
+      case "login":
+        return handleLogin(request, config);
+      case "callback":
+        return handleCallback(request, config);
+      case "logout":
+        return handleLogout(request, config);
+      case "userinfo":
+        return handleUserInfo(request, config);
+      default:
+        return NextResponse6.json({ error: "not_found" }, { status: 404 });
+    }
+  }
+  async function POST(request, { params }) {
+    const { authgear } = await params;
+    const action = authgear?.[0];
+    switch (action) {
+      case "refresh":
+        return handleRefresh(request, config);
+      default:
+        return NextResponse6.json({ error: "not_found" }, { status: 404 });
+    }
+  }
+  return { GET, POST };
+}
+export {
+  DEFAULT_SCOPES,
+  Page,
+  SessionState,
+  createAuthgearHandlers
+};
+//# sourceMappingURL=index.js.map

package/dist/index.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../src/handlers/index.ts","../src/handlers/login.ts","../src/oauth/pkce.ts","../src/oauth/authorize.ts","../src/handlers/callback.ts","../src/handlers/logout.ts","../src/handlers/refresh.ts","../src/handlers/userinfo.ts"],"sourcesContent":["import { NextResponse, type NextRequest } from \"next/server\";\nimport type { AuthgearConfig } from \"../types.js\";\nimport { handleLogin } from \"./login.js\";\nimport { handleCallback } from \"./callback.js\";\nimport { handleLogout } from \"./logout.js\";\nimport { handleRefresh } from \"./refresh.js\";\nimport { handleUserInfo } from \"./userinfo.js\";\n\n/**\n * Creates Next.js route handlers for all Authgear auth endpoints.\n *\n * Usage in `app/api/auth/[...authgear]/route.ts`:\n * ```ts\n * import { createAuthgearHandlers } from \"@authgear/nextjs\";\n * export const { GET, POST } = createAuthgearHandlers(config);\n * ```\n *\n * Routes handled:\n * - GET /api/auth/login     — Start OAuth flow\n * - GET /api/auth/callback  — Handle OAuth callback\n * - GET /api/auth/logout    — Logout and revoke tokens\n * - POST /api/auth/refresh  — Refresh access token\n * - GET /api/auth/userinfo  — Get current user info\n */\nexport function createAuthgearHandlers(config: AuthgearConfig) {\n  async function GET(\n    request: NextRequest,\n    { params }: { params: Promise<{ authgear: string[] }> },\n  ): Promise<NextResponse> {\n    const { authgear } = await params;\n    const action = authgear?.[0];\n\n    switch (action) {\n      case \"login\":\n        return handleLogin(request, config);\n      case \"callback\":\n        return handleCallback(request, config);\n      case \"logout\":\n        return handleLogout(request, config);\n      case \"userinfo\":\n        return handleUserInfo(request, config);\n      default:\n        return NextResponse.json({ error: \"not_found\" }, { status: 404 });\n    }\n  }\n\n  async function POST(\n    request: NextRequest,\n    { params }: { params: Promise<{ authgear: string[] }> },\n  ): Promise<NextResponse> {\n    const { authgear } = await params;\n    const action = authgear?.[0];\n\n    switch (action) {\n      case \"refresh\":\n        return handleRefresh(request, config);\n      default:\n        return NextResponse.json({ error: \"not_found\" }, { status: 404 });\n    }\n  }\n\n  return { GET, POST };\n}\n","import { NextResponse, type NextRequest } from \"next/server\";\nimport type { AuthgearConfig } from \"../types.js\";\nimport { resolveConfig } from \"../config.js\";\nimport { fetchOIDCConfiguration } from \"../oauth/discovery.js\";\nimport { generateCodeVerifier } from \"../oauth/pkce.js\";\nimport { buildAuthorizeURL, generateState } from \"../oauth/authorize.js\";\nimport { buildPKCECookie } from \"../session/cookie.js\";\n\nexport async function handleLogin(\n  request: NextRequest,\n  config: AuthgearConfig,\n): Promise<NextResponse> {\n  const resolved = resolveConfig(config);\n  const oidcConfig = await fetchOIDCConfiguration(resolved.endpoint);\n\n  const returnTo = request.nextUrl.searchParams.get(\"returnTo\") ?? \"/\";\n  const codeVerifier = generateCodeVerifier();\n  const state = generateState();\n\n  const authorizeURL = buildAuthorizeURL(oidcConfig, {\n    clientID: resolved.clientID,\n    redirectURI: resolved.redirectURI,\n    scopes: resolved.scopes,\n    codeVerifier,\n    state,\n  });\n\n  const pkceCookie = buildPKCECookie({ codeVerifier, state, returnTo }, resolved.sessionSecret);\n\n  const response = NextResponse.redirect(authorizeURL);\n  response.cookies.set(pkceCookie.name, pkceCookie.value, {\n    httpOnly: pkceCookie.httpOnly,\n    secure: pkceCookie.secure,\n    sameSite: pkceCookie.sameSite,\n    path: pkceCookie.path,\n    maxAge: pkceCookie.maxAge,\n  });\n\n  return response;\n}\n","import { randomBytes, createHash } from \"node:crypto\";\n\nconst VERIFIER_LENGTH = 64;\n\nexport function generateCodeVerifier(): string {\n  return randomBytes(VERIFIER_LENGTH)\n    .toString(\"base64url\")\n    .slice(0, VERIFIER_LENGTH);\n}\n\nexport function computeCodeChallenge(codeVerifier: string): string {\n  return createHash(\"sha256\").update(codeVerifier).digest(\"base64url\");\n}\n","import { randomBytes } from \"node:crypto\";\nimport type { OIDCConfiguration } from \"../types.js\";\nimport { computeCodeChallenge } from \"./pkce.js\";\n\n/**\n * Build the URL to open an Authgear page (e.g. /settings) with the user\n * already authenticated via an app session token.\n */\nexport function buildOpenURL(\n  oidcConfig: OIDCConfiguration,\n  params: {\n    clientID: string;\n    appSessionToken: string;\n    targetPath: string; // e.g. \"/settings\"\n  },\n): string {\n  const authorizationEndpoint = new URL(oidcConfig.authorization_endpoint);\n  const settingsURL = `${authorizationEndpoint.origin}${params.targetPath}`;\n  const loginHint = `https://authgear.com/login_hint?type=app_session_token&app_session_token=${encodeURIComponent(params.appSessionToken)}`;\n\n  const url = new URL(oidcConfig.authorization_endpoint);\n  url.searchParams.set(\"response_type\", \"none\");\n  url.searchParams.set(\"client_id\", params.clientID);\n  url.searchParams.set(\"redirect_uri\", settingsURL);\n  url.searchParams.set(\"prompt\", \"none\");\n  url.searchParams.set(\"login_hint\", loginHint);\n  return url.toString();\n}\n\nexport interface AuthorizeParams {\n  clientID: string;\n  redirectURI: string;\n  scopes: string[];\n  codeVerifier: string;\n  state: string;\n}\n\nexport function generateState(): string {\n  return randomBytes(32).toString(\"base64url\");\n}\n\nexport function buildAuthorizeURL(\n  oidcConfig: OIDCConfiguration,\n  params: AuthorizeParams,\n): string {\n  const url = new URL(oidcConfig.authorization_endpoint);\n  url.searchParams.set(\"response_type\", \"code\");\n  url.searchParams.set(\"client_id\", params.clientID);\n  url.searchParams.set(\"redirect_uri\", params.redirectURI);\n  url.searchParams.set(\"scope\", params.scopes.join(\" \"));\n  url.searchParams.set(\"code_challenge\", computeCodeChallenge(params.codeVerifier));\n  url.searchParams.set(\"code_challenge_method\", \"S256\");\n  url.searchParams.set(\"state\", params.state);\n  return url.toString();\n}\n","import { NextResponse, type NextRequest } from \"next/server\";\nimport type { AuthgearConfig } from \"../types.js\";\nimport { resolveConfig } from \"../config.js\";\nimport { fetchOIDCConfiguration } from \"../oauth/discovery.js\";\nimport { exchangeCode } from \"../oauth/token.js\";\nimport { decryptPKCECookie, buildSessionCookie } from \"../session/cookie.js\";\n\nexport async function handleCallback(\n  request: NextRequest,\n  config: AuthgearConfig,\n): Promise<NextResponse> {\n  const resolved = resolveConfig(config);\n\n  const code = request.nextUrl.searchParams.get(\"code\");\n  const state = request.nextUrl.searchParams.get(\"state\");\n  const error = request.nextUrl.searchParams.get(\"error\");\n  const errorDescription = request.nextUrl.searchParams.get(\"error_description\");\n\n  if (error) {\n    return NextResponse.json(\n      { error, error_description: errorDescription },\n      { status: 400 },\n    );\n  }\n\n  if (!code || !state) {\n    return NextResponse.json(\n      { error: \"missing_params\", error_description: \"Missing code or state parameter\" },\n      { status: 400 },\n    );\n  }\n\n  // Validate PKCE state\n  const pkceCookieValue = request.cookies.get(\"authgear.pkce\")?.value;\n  if (!pkceCookieValue) {\n    return NextResponse.json(\n      { error: \"invalid_state\", error_description: \"Missing PKCE cookie\" },\n      { status: 400 },\n    );\n  }\n\n  const pkceData = decryptPKCECookie(pkceCookieValue, resolved.sessionSecret);\n  if (!pkceData || pkceData.state !== state) {\n    return NextResponse.json(\n      { error: \"invalid_state\", error_description: \"State mismatch\" },\n      { status: 400 },\n    );\n  }\n\n  // Exchange code for tokens\n  const oidcConfig = await fetchOIDCConfiguration(resolved.endpoint);\n  const tokenResponse = await exchangeCode(oidcConfig, {\n    code,\n    codeVerifier: pkceData.codeVerifier,\n    clientID: resolved.clientID,\n    clientSecret: resolved.clientSecret || undefined,\n    redirectURI: resolved.redirectURI,\n  });\n\n  // Build session cookie\n  const sessionCookie = buildSessionCookie(\n    resolved.cookieName,\n    {\n      accessToken: tokenResponse.access_token,\n      refreshToken: tokenResponse.refresh_token ?? null,\n      idToken: tokenResponse.id_token ?? null,\n      expiresAt: Math.floor(Date.now() / 1000) + tokenResponse.expires_in,\n    },\n    resolved.sessionSecret,\n  );\n\n  const returnTo = pkceData.returnTo || \"/\";\n  const redirectURL = new URL(returnTo, request.nextUrl.origin);\n  const response = NextResponse.redirect(redirectURL);\n\n  // Set session cookie\n  response.cookies.set(sessionCookie.name, sessionCookie.value, {\n    httpOnly: sessionCookie.httpOnly,\n    secure: sessionCookie.secure,\n    sameSite: sessionCookie.sameSite,\n    path: sessionCookie.path,\n    maxAge: sessionCookie.maxAge,\n  });\n\n  // Clear PKCE cookie\n  response.cookies.set(\"authgear.pkce\", \"\", { maxAge: 0, path: \"/\" });\n\n  return response;\n}\n","import { NextResponse, type NextRequest } from \"next/server\";\nimport type { AuthgearConfig } from \"../types.js\";\nimport { resolveConfig } from \"../config.js\";\nimport { fetchOIDCConfiguration } from \"../oauth/discovery.js\";\nimport { revokeToken } from \"../oauth/token.js\";\nimport { decryptSession, buildClearCookie } from \"../session/cookie.js\";\n\nexport async function handleLogout(\n  request: NextRequest,\n  config: AuthgearConfig,\n): Promise<NextResponse> {\n  const resolved = resolveConfig(config);\n\n  // Revoke refresh token if present\n  const sessionCookie = request.cookies.get(resolved.cookieName)?.value;\n  if (sessionCookie) {\n    const session = decryptSession(sessionCookie, resolved.sessionSecret);\n    if (session?.refreshToken) {\n      const oidcConfig = await fetchOIDCConfiguration(resolved.endpoint);\n      try {\n        await revokeToken(oidcConfig, session.refreshToken);\n      } catch {\n        // Best-effort revocation\n      }\n    }\n  }\n\n  const clearCookie = buildClearCookie(resolved.cookieName);\n  const redirectURL = new URL(resolved.postLogoutRedirectURI, request.nextUrl.origin);\n  const response = NextResponse.redirect(redirectURL);\n\n  response.cookies.set(clearCookie.name, clearCookie.value, {\n    httpOnly: clearCookie.httpOnly,\n    secure: clearCookie.secure,\n    sameSite: clearCookie.sameSite,\n    path: clearCookie.path,\n    maxAge: clearCookie.maxAge,\n  });\n\n  return response;\n}\n","import { NextResponse, type NextRequest } from \"next/server\";\nimport type { AuthgearConfig } from \"../types.js\";\nimport { resolveConfig } from \"../config.js\";\nimport { fetchOIDCConfiguration } from \"../oauth/discovery.js\";\nimport { refreshAccessToken } from \"../oauth/token.js\";\nimport { decryptSession, buildSessionCookie } from \"../session/cookie.js\";\n\nexport async function handleRefresh(\n  request: NextRequest,\n  config: AuthgearConfig,\n): Promise<NextResponse> {\n  const resolved = resolveConfig(config);\n\n  const sessionCookieValue = request.cookies.get(resolved.cookieName)?.value;\n  if (!sessionCookieValue) {\n    return NextResponse.json({ error: \"no_session\" }, { status: 401 });\n  }\n\n  const session = decryptSession(sessionCookieValue, resolved.sessionSecret);\n  if (!session?.refreshToken) {\n    return NextResponse.json({ error: \"no_refresh_token\" }, { status: 401 });\n  }\n\n  const oidcConfig = await fetchOIDCConfiguration(resolved.endpoint);\n  const tokenResponse = await refreshAccessToken(oidcConfig, {\n    refreshToken: session.refreshToken,\n    clientID: resolved.clientID,\n    clientSecret: resolved.clientSecret || undefined,\n  });\n\n  const newSession = {\n    accessToken: tokenResponse.access_token,\n    refreshToken: tokenResponse.refresh_token ?? session.refreshToken,\n    idToken: tokenResponse.id_token ?? session.idToken,\n    expiresAt: Math.floor(Date.now() / 1000) + tokenResponse.expires_in,\n  };\n\n  const sessionCookie = buildSessionCookie(resolved.cookieName, newSession, resolved.sessionSecret);\n  const response = NextResponse.json({ ok: true });\n\n  response.cookies.set(sessionCookie.name, sessionCookie.value, {\n    httpOnly: sessionCookie.httpOnly,\n    secure: sessionCookie.secure,\n    sameSite: sessionCookie.sameSite,\n    path: sessionCookie.path,\n    maxAge: sessionCookie.maxAge,\n  });\n\n  return response;\n}\n","import { NextResponse, type NextRequest } from \"next/server\";\nimport type { AuthgearConfig, UserInfo } from \"../types.js\";\nimport { resolveConfig } from \"../config.js\";\nimport { fetchOIDCConfiguration } from \"../oauth/discovery.js\";\nimport { decryptSession } from \"../session/cookie.js\";\nimport { isTokenExpired } from \"../session/state.js\";\nimport { refreshAccessToken } from \"../oauth/token.js\";\nimport { buildSessionCookie } from \"../session/cookie.js\";\nimport { parseUserInfo } from \"../user.js\";\n\nexport async function handleUserInfo(\n  request: NextRequest,\n  config: AuthgearConfig,\n): Promise<NextResponse> {\n  const resolved = resolveConfig(config);\n\n  const sessionCookieValue = request.cookies.get(resolved.cookieName)?.value;\n  if (!sessionCookieValue) {\n    return NextResponse.json({ error: \"no_session\" }, { status: 401 });\n  }\n\n  let session = decryptSession(sessionCookieValue, resolved.sessionSecret);\n  if (!session) {\n    return NextResponse.json({ error: \"invalid_session\" }, { status: 401 });\n  }\n\n  const oidcConfig = await fetchOIDCConfiguration(resolved.endpoint);\n\n  // Auto-refresh if access token is expired\n  if (isTokenExpired(session.expiresAt) && session.refreshToken) {\n    const tokenResponse = await refreshAccessToken(oidcConfig, {\n      refreshToken: session.refreshToken,\n      clientID: resolved.clientID,\n      clientSecret: resolved.clientSecret || undefined,\n    });\n    session = {\n      accessToken: tokenResponse.access_token,\n      refreshToken: tokenResponse.refresh_token ?? session.refreshToken,\n      idToken: tokenResponse.id_token ?? session.idToken,\n      expiresAt: Math.floor(Date.now() / 1000) + tokenResponse.expires_in,\n    };\n  }\n\n  // Fetch user info from Authgear\n  const userinfoRes = await fetch(oidcConfig.userinfo_endpoint, {\n    headers: { Authorization: `Bearer ${session.accessToken}` },\n  });\n\n  if (!userinfoRes.ok) {\n    return NextResponse.json({ error: \"userinfo_failed\" }, { status: userinfoRes.status });\n  }\n\n  const raw = (await userinfoRes.json()) as Record<string, unknown>;\n  const userInfo: UserInfo = parseUserInfo(raw);\n\n  const response = NextResponse.json(userInfo);\n\n  // Update session cookie if tokens were refreshed\n  const newCookie = buildSessionCookie(resolved.cookieName, session, resolved.sessionSecret);\n  response.cookies.set(newCookie.name, newCookie.value, {\n    httpOnly: newCookie.httpOnly,\n    secure: newCookie.secure,\n    sameSite: newCookie.sameSite,\n    path: newCookie.path,\n    maxAge: newCookie.maxAge,\n  });\n\n  return response;\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;;;;;AAAA,SAAS,gBAAAA,qBAAsC;;;ACA/C,SAAS,oBAAsC;;;ACA/C,SAAS,aAAa,kBAAkB;AAExC,IAAM,kBAAkB;AAEjB,SAAS,uBAA+B;AAC7C,SAAO,YAAY,eAAe,EAC/B,SAAS,WAAW,EACpB,MAAM,GAAG,eAAe;AAC7B;AAEO,SAAS,qBAAqB,cAA8B;AACjE,SAAO,WAAW,QAAQ,EAAE,OAAO,YAAY,EAAE,OAAO,WAAW;AACrE;;;ACZA,SAAS,eAAAC,oBAAmB;AAqCrB,SAAS,gBAAwB;AACtC,SAAOC,aAAY,EAAE,EAAE,SAAS,WAAW;AAC7C;AAEO,SAAS,kBACd,YACA,QACQ;AACR,QAAM,MAAM,IAAI,IAAI,WAAW,sBAAsB;AACrD,MAAI,aAAa,IAAI,iBAAiB,MAAM;AAC5C,MAAI,aAAa,IAAI,aAAa,OAAO,QAAQ;AACjD,MAAI,aAAa,IAAI,gBAAgB,OAAO,WAAW;AACvD,MAAI,aAAa,IAAI,SAAS,OAAO,OAAO,KAAK,GAAG,CAAC;AACrD,MAAI,aAAa,IAAI,kBAAkB,qBAAqB,OAAO,YAAY,CAAC;AAChF,MAAI,aAAa,IAAI,yBAAyB,MAAM;AACpD,MAAI,aAAa,IAAI,SAAS,OAAO,KAAK;AAC1C,SAAO,IAAI,SAAS;AACtB;;;AF9CA,eAAsB,YACpB,SACA,QACuB;AACvB,QAAM,WAAW,cAAc,MAAM;AACrC,QAAM,aAAa,MAAM,uBAAuB,SAAS,QAAQ;AAEjE,QAAM,WAAW,QAAQ,QAAQ,aAAa,IAAI,UAAU,KAAK;AACjE,QAAM,eAAe,qBAAqB;AAC1C,QAAM,QAAQ,cAAc;AAE5B,QAAM,eAAe,kBAAkB,YAAY;AAAA,IACjD,UAAU,SAAS;AAAA,IACnB,aAAa,SAAS;AAAA,IACtB,QAAQ,SAAS;AAAA,IACjB;AAAA,IACA;AAAA,EACF,CAAC;AAED,QAAM,aAAa,gBAAgB,EAAE,cAAc,OAAO,SAAS,GAAG,SAAS,aAAa;AAE5F,QAAM,WAAW,aAAa,SAAS,YAAY;AACnD,WAAS,QAAQ,IAAI,WAAW,MAAM,WAAW,OAAO;AAAA,IACtD,UAAU,WAAW;AAAA,IACrB,QAAQ,WAAW;AAAA,IACnB,UAAU,WAAW;AAAA,IACrB,MAAM,WAAW;AAAA,IACjB,QAAQ,WAAW;AAAA,EACrB,CAAC;AAED,SAAO;AACT;;;AGvCA,SAAS,gBAAAC,qBAAsC;AAO/C,eAAsB,eACpB,SACA,QACuB;AACvB,QAAM,WAAW,cAAc,MAAM;AAErC,QAAM,OAAO,QAAQ,QAAQ,aAAa,IAAI,MAAM;AACpD,QAAM,QAAQ,QAAQ,QAAQ,aAAa,IAAI,OAAO;AACtD,QAAM,QAAQ,QAAQ,QAAQ,aAAa,IAAI,OAAO;AACtD,QAAM,mBAAmB,QAAQ,QAAQ,aAAa,IAAI,mBAAmB;AAE7E,MAAI,OAAO;AACT,WAAOC,cAAa;AAAA,MAClB,EAAE,OAAO,mBAAmB,iBAAiB;AAAA,MAC7C,EAAE,QAAQ,IAAI;AAAA,IAChB;AAAA,EACF;AAEA,MAAI,CAAC,QAAQ,CAAC,OAAO;AACnB,WAAOA,cAAa;AAAA,MAClB,EAAE,OAAO,kBAAkB,mBAAmB,kCAAkC;AAAA,MAChF,EAAE,QAAQ,IAAI;AAAA,IAChB;AAAA,EACF;AAGA,QAAM,kBAAkB,QAAQ,QAAQ,IAAI,eAAe,GAAG;AAC9D,MAAI,CAAC,iBAAiB;AACpB,WAAOA,cAAa;AAAA,MAClB,EAAE,OAAO,iBAAiB,mBAAmB,sBAAsB;AAAA,MACnE,EAAE,QAAQ,IAAI;AAAA,IAChB;AAAA,EACF;AAEA,QAAM,WAAW,kBAAkB,iBAAiB,SAAS,aAAa;AAC1E,MAAI,CAAC,YAAY,SAAS,UAAU,OAAO;AACzC,WAAOA,cAAa;AAAA,MAClB,EAAE,OAAO,iBAAiB,mBAAmB,iBAAiB;AAAA,MAC9D,EAAE,QAAQ,IAAI;AAAA,IAChB;AAAA,EACF;AAGA,QAAM,aAAa,MAAM,uBAAuB,SAAS,QAAQ;AACjE,QAAM,gBAAgB,MAAM,aAAa,YAAY;AAAA,IACnD;AAAA,IACA,cAAc,SAAS;AAAA,IACvB,UAAU,SAAS;AAAA,IACnB,cAAc,SAAS,gBAAgB;AAAA,IACvC,aAAa,SAAS;AAAA,EACxB,CAAC;AAGD,QAAM,gBAAgB;AAAA,IACpB,SAAS;AAAA,IACT;AAAA,MACE,aAAa,cAAc;AAAA,MAC3B,cAAc,cAAc,iBAAiB;AAAA,MAC7C,SAAS,cAAc,YAAY;AAAA,MACnC,WAAW,KAAK,MAAM,KAAK,IAAI,IAAI,GAAI,IAAI,cAAc;AAAA,IAC3D;AAAA,IACA,SAAS;AAAA,EACX;AAEA,QAAM,WAAW,SAAS,YAAY;AACtC,QAAM,cAAc,IAAI,IAAI,UAAU,QAAQ,QAAQ,MAAM;AAC5D,QAAM,WAAWA,cAAa,SAAS,WAAW;AAGlD,WAAS,QAAQ,IAAI,cAAc,MAAM,cAAc,OAAO;AAAA,IAC5D,UAAU,cAAc;AAAA,IACxB,QAAQ,cAAc;AAAA,IACtB,UAAU,cAAc;AAAA,IACxB,MAAM,cAAc;AAAA,IACpB,QAAQ,cAAc;AAAA,EACxB,CAAC;AAGD,WAAS,QAAQ,IAAI,iBAAiB,IAAI,EAAE,QAAQ,GAAG,MAAM,IAAI,CAAC;AAElE,SAAO;AACT;;;ACxFA,SAAS,gBAAAC,qBAAsC;AAO/C,eAAsB,aACpB,SACA,QACuB;AACvB,QAAM,WAAW,cAAc,MAAM;AAGrC,QAAM,gBAAgB,QAAQ,QAAQ,IAAI,SAAS,UAAU,GAAG;AAChE,MAAI,eAAe;AACjB,UAAM,UAAU,eAAe,eAAe,SAAS,aAAa;AACpE,QAAI,SAAS,cAAc;AACzB,YAAM,aAAa,MAAM,uBAAuB,SAAS,QAAQ;AACjE,UAAI;AACF,cAAM,YAAY,YAAY,QAAQ,YAAY;AAAA,MACpD,QAAQ;AAAA,MAER;AAAA,IACF;AAAA,EACF;AAEA,QAAM,cAAc,iBAAiB,SAAS,UAAU;AACxD,QAAM,cAAc,IAAI,IAAI,SAAS,uBAAuB,QAAQ,QAAQ,MAAM;AAClF,QAAM,WAAWC,cAAa,SAAS,WAAW;AAElD,WAAS,QAAQ,IAAI,YAAY,MAAM,YAAY,OAAO;AAAA,IACxD,UAAU,YAAY;AAAA,IACtB,QAAQ,YAAY;AAAA,IACpB,UAAU,YAAY;AAAA,IACtB,MAAM,YAAY;AAAA,IAClB,QAAQ,YAAY;AAAA,EACtB,CAAC;AAED,SAAO;AACT;;;ACxCA,SAAS,gBAAAC,qBAAsC;AAO/C,eAAsB,cACpB,SACA,QACuB;AACvB,QAAM,WAAW,cAAc,MAAM;AAErC,QAAM,qBAAqB,QAAQ,QAAQ,IAAI,SAAS,UAAU,GAAG;AACrE,MAAI,CAAC,oBAAoB;AACvB,WAAOC,cAAa,KAAK,EAAE,OAAO,aAAa,GAAG,EAAE,QAAQ,IAAI,CAAC;AAAA,EACnE;AAEA,QAAM,UAAU,eAAe,oBAAoB,SAAS,aAAa;AACzE,MAAI,CAAC,SAAS,cAAc;AAC1B,WAAOA,cAAa,KAAK,EAAE,OAAO,mBAAmB,GAAG,EAAE,QAAQ,IAAI,CAAC;AAAA,EACzE;AAEA,QAAM,aAAa,MAAM,uBAAuB,SAAS,QAAQ;AACjE,QAAM,gBAAgB,MAAM,mBAAmB,YAAY;AAAA,IACzD,cAAc,QAAQ;AAAA,IACtB,UAAU,SAAS;AAAA,IACnB,cAAc,SAAS,gBAAgB;AAAA,EACzC,CAAC;AAED,QAAM,aAAa;AAAA,IACjB,aAAa,cAAc;AAAA,IAC3B,cAAc,cAAc,iBAAiB,QAAQ;AAAA,IACrD,SAAS,cAAc,YAAY,QAAQ;AAAA,IAC3C,WAAW,KAAK,MAAM,KAAK,IAAI,IAAI,GAAI,IAAI,cAAc;AAAA,EAC3D;AAEA,QAAM,gBAAgB,mBAAmB,SAAS,YAAY,YAAY,SAAS,aAAa;AAChG,QAAM,WAAWA,cAAa,KAAK,EAAE,IAAI,KAAK,CAAC;AAE/C,WAAS,QAAQ,IAAI,cAAc,MAAM,cAAc,OAAO;AAAA,IAC5D,UAAU,cAAc;AAAA,IACxB,QAAQ,cAAc;AAAA,IACtB,UAAU,cAAc;AAAA,IACxB,MAAM,cAAc;AAAA,IACpB,QAAQ,cAAc;AAAA,EACxB,CAAC;AAED,SAAO;AACT;;;ACjDA,SAAS,gBAAAC,qBAAsC;AAU/C,eAAsB,eACpB,SACA,QACuB;AACvB,QAAM,WAAW,cAAc,MAAM;AAErC,QAAM,qBAAqB,QAAQ,QAAQ,IAAI,SAAS,UAAU,GAAG;AACrE,MAAI,CAAC,oBAAoB;AACvB,WAAOC,cAAa,KAAK,EAAE,OAAO,aAAa,GAAG,EAAE,QAAQ,IAAI,CAAC;AAAA,EACnE;AAEA,MAAI,UAAU,eAAe,oBAAoB,SAAS,aAAa;AACvE,MAAI,CAAC,SAAS;AACZ,WAAOA,cAAa,KAAK,EAAE,OAAO,kBAAkB,GAAG,EAAE,QAAQ,IAAI,CAAC;AAAA,EACxE;AAEA,QAAM,aAAa,MAAM,uBAAuB,SAAS,QAAQ;AAGjE,MAAI,eAAe,QAAQ,SAAS,KAAK,QAAQ,cAAc;AAC7D,UAAM,gBAAgB,MAAM,mBAAmB,YAAY;AAAA,MACzD,cAAc,QAAQ;AAAA,MACtB,UAAU,SAAS;AAAA,MACnB,cAAc,SAAS,gBAAgB;AAAA,IACzC,CAAC;AACD,cAAU;AAAA,MACR,aAAa,cAAc;AAAA,MAC3B,cAAc,cAAc,iBAAiB,QAAQ;AAAA,MACrD,SAAS,cAAc,YAAY,QAAQ;AAAA,MAC3C,WAAW,KAAK,MAAM,KAAK,IAAI,IAAI,GAAI,IAAI,cAAc;AAAA,IAC3D;AAAA,EACF;AAGA,QAAM,cAAc,MAAM,MAAM,WAAW,mBAAmB;AAAA,IAC5D,SAAS,EAAE,eAAe,UAAU,QAAQ,WAAW,GAAG;AAAA,EAC5D,CAAC;AAED,MAAI,CAAC,YAAY,IAAI;AACnB,WAAOA,cAAa,KAAK,EAAE,OAAO,kBAAkB,GAAG,EAAE,QAAQ,YAAY,OAAO,CAAC;AAAA,EACvF;AAEA,QAAM,MAAO,MAAM,YAAY,KAAK;AACpC,QAAM,WAAqB,cAAc,GAAG;AAE5C,QAAM,WAAWA,cAAa,KAAK,QAAQ;AAG3C,QAAM,YAAY,mBAAmB,SAAS,YAAY,SAAS,SAAS,aAAa;AACzF,WAAS,QAAQ,IAAI,UAAU,MAAM,UAAU,OAAO;AAAA,IACpD,UAAU,UAAU;AAAA,IACpB,QAAQ,UAAU;AAAA,IAClB,UAAU,UAAU;AAAA,IACpB,MAAM,UAAU;AAAA,IAChB,QAAQ,UAAU;AAAA,EACpB,CAAC;AAED,SAAO;AACT;;;AP5CO,SAAS,uBAAuB,QAAwB;AAC7D,iBAAe,IACb,SACA,EAAE,OAAO,GACc;AACvB,UAAM,EAAE,SAAS,IAAI,MAAM;AAC3B,UAAM,SAAS,WAAW,CAAC;AAE3B,YAAQ,QAAQ;AAAA,MACd,KAAK;AACH,eAAO,YAAY,SAAS,MAAM;AAAA,MACpC,KAAK;AACH,eAAO,eAAe,SAAS,MAAM;AAAA,MACvC,KAAK;AACH,eAAO,aAAa,SAAS,MAAM;AAAA,MACrC,KAAK;AACH,eAAO,eAAe,SAAS,MAAM;AAAA,MACvC;AACE,eAAOC,cAAa,KAAK,EAAE,OAAO,YAAY,GAAG,EAAE,QAAQ,IAAI,CAAC;AAAA,IACpE;AAAA,EACF;AAEA,iBAAe,KACb,SACA,EAAE,OAAO,GACc;AACvB,UAAM,EAAE,SAAS,IAAI,MAAM;AAC3B,UAAM,SAAS,WAAW,CAAC;AAE3B,YAAQ,QAAQ;AAAA,MACd,KAAK;AACH,eAAO,cAAc,SAAS,MAAM;AAAA,MACtC;AACE,eAAOA,cAAa,KAAK,EAAE,OAAO,YAAY,GAAG,EAAE,QAAQ,IAAI,CAAC;AAAA,IACpE;AAAA,EACF;AAEA,SAAO,EAAE,KAAK,KAAK;AACrB;","names":["NextResponse","randomBytes","randomBytes","NextResponse","NextResponse","NextResponse","NextResponse","NextResponse","NextResponse","NextResponse","NextResponse","NextResponse"]}

package/dist/proxy.d.ts

@@ -0,0 +1,32 @@
+import { NextRequest, NextResponse } from 'next/server';
+import { A as AuthgearConfig } from './types-Csfra4K2.js';
+
+interface AuthgearProxyOptions extends AuthgearConfig {
+    /**
+     * Paths that require authentication. Unauthenticated requests are redirected to login.
+     * Supports exact paths and prefix patterns ending with `*` (e.g. "/dashboard/*").
+     */
+    protectedPaths?: string[];
+    /**
+     * Paths that are always public (never redirected to login).
+     * Takes precedence over protectedPaths.
+     * Defaults to ["/api/auth/*"].
+     */
+    publicPaths?: string[];
+    /**
+     * URL to redirect unauthenticated users. Defaults to "/api/auth/login".
+     */
+    loginPath?: string;
+}
+/**
+ * Create a Next.js 16 proxy function for Authgear authentication.
+ *
+ * Usage in `proxy.ts`:
+ * ```ts
+ * import { createAuthgearProxy } from "@authgear/nextjs/proxy";
+ * export const proxy = createAuthgearProxy({ ...config, protectedPaths: ["/dashboard/*"] });
+ * ```
+ */
+declare function createAuthgearProxy(options: AuthgearProxyOptions): (request: NextRequest) => Promise<NextResponse>;
+
+export { type AuthgearProxyOptions, createAuthgearProxy };

package/dist/proxy.js

@@ -0,0 +1,75 @@
+import {
+  buildSessionCookie,
+  decryptSession,
+  fetchOIDCConfiguration,
+  isTokenExpired,
+  refreshAccessToken,
+  resolveConfig
+} from "./chunk-MJD3XNUK.js";
+import "./chunk-UY6NEM2T.js";
+
+// src/proxy.ts
+import { NextResponse } from "next/server";
+function matchesPath(pathname, patterns) {
+  return patterns.some((pattern) => {
+    if (pattern.endsWith("*")) {
+      return pathname.startsWith(pattern.slice(0, -1));
+    }
+    return pathname === pattern;
+  });
+}
+function createAuthgearProxy(options) {
+  const resolved = resolveConfig(options);
+  const protectedPaths = options.protectedPaths ?? [];
+  const publicPaths = options.publicPaths ?? ["/api/auth/*"];
+  const loginPath = options.loginPath ?? "/api/auth/login";
+  return async function proxy(request) {
+    const { pathname } = request.nextUrl;
+    if (matchesPath(pathname, publicPaths)) {
+      return NextResponse.next();
+    }
+    const sessionCookieValue = request.cookies.get(resolved.cookieName)?.value;
+    let sessionData = sessionCookieValue ? decryptSession(sessionCookieValue, resolved.sessionSecret) : null;
+    if (sessionData && isTokenExpired(sessionData.expiresAt) && sessionData.refreshToken) {
+      try {
+        const oidcConfig = await fetchOIDCConfiguration(resolved.endpoint);
+        const tokenResponse = await refreshAccessToken(oidcConfig, {
+          refreshToken: sessionData.refreshToken,
+          clientID: resolved.clientID,
+          clientSecret: resolved.clientSecret || void 0
+        });
+        sessionData = {
+          accessToken: tokenResponse.access_token,
+          refreshToken: tokenResponse.refresh_token ?? sessionData.refreshToken,
+          idToken: tokenResponse.id_token ?? sessionData.idToken,
+          expiresAt: Math.floor(Date.now() / 1e3) + tokenResponse.expires_in
+        };
+      } catch {
+        sessionData = null;
+      }
+    }
+    if (!sessionData && matchesPath(pathname, protectedPaths)) {
+      const loginURL = new URL(loginPath, request.nextUrl.origin);
+      loginURL.searchParams.set("returnTo", pathname);
+      return NextResponse.redirect(loginURL);
+    }
+    const response = NextResponse.next();
+    if (sessionData) {
+      const requestHeaders = new Headers(request.headers);
+      requestHeaders.set("Authorization", `Bearer ${sessionData.accessToken}`);
+      const newCookie = buildSessionCookie(resolved.cookieName, sessionData, resolved.sessionSecret);
+      response.cookies.set(newCookie.name, newCookie.value, {
+        httpOnly: newCookie.httpOnly,
+        secure: newCookie.secure,
+        sameSite: newCookie.sameSite,
+        path: newCookie.path,
+        maxAge: newCookie.maxAge
+      });
+    }
+    return response;
+  };
+}
+export {
+  createAuthgearProxy
+};
+//# sourceMappingURL=proxy.js.map