npm - @authgear/nextjs - Versions diffs - 0.1.7 → 0.2.0 - Mend

@authgear/nextjs 0.1.7 → 0.2.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (25) hide show

package/LICENSE +192 -0
package/README.md +24 -37
package/dist/{chunk-MJD3XNUK.js → chunk-A3E57VNZ.js} +16 -9
package/dist/chunk-A3E57VNZ.js.map +1 -0
package/dist/{chunk-UY6NEM2T.js → chunk-HYKCRZLJ.js} +1 -1
package/dist/chunk-HYKCRZLJ.js.map +1 -0
package/dist/chunk-PUKK75RO.js +72 -0
package/dist/chunk-PUKK75RO.js.map +1 -0
package/dist/client.d.ts +2 -2
package/dist/client.js +1 -1
package/dist/index.d.ts +2 -2
package/dist/index.js +8 -37
package/dist/index.js.map +1 -1
package/dist/proxy.d.ts +1 -1
package/dist/proxy.js +5 -6
package/dist/proxy.js.map +1 -1
package/dist/server.d.ts +37 -6
package/dist/server.js +68 -6
package/dist/server.js.map +1 -1
package/dist/{types-Csfra4K2.d.ts → types-BUoN9wBp.d.ts} +1 -3
package/package.json +5 -1
package/dist/chunk-3KVYAFQJ.js +0 -26
package/dist/chunk-3KVYAFQJ.js.map +0 -1
package/dist/chunk-MJD3XNUK.js.map +0 -1
package/dist/chunk-UY6NEM2T.js.map +0 -1

package/LICENSE ADDED Viewed

@@ -0,0 +1,192 @@
+                                 Apache License
+                           Version 2.0, January 2004
+                        http://www.apache.org/licenses/
+   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
+   1. Definitions.
+      "License" shall mean the terms and conditions for use, reproduction,
+      and distribution as defined by Sections 1 through 9 of this document.
+      "Licensor" shall mean the copyright owner or entity authorized by
+      the copyright owner that is granting the License.
+      "Legal Entity" shall mean the union of the acting entity and all
+      other entities that control, are controlled by, or are under common
+      control with that entity. For the purposes of this definition,
+      "control" means (i) the power, direct or indirect, to cause the
+      direction or management of such entity, whether by contract or
+      otherwise, or (ii) ownership of fifty percent (50%) or more of the
+      outstanding shares, or (iii) beneficial ownership of such entity.
+      "You" (or "Your") shall mean an individual or Legal Entity
+      exercising permissions granted by this License.
+      "Source" form shall mean the preferred form for making modifications,
+      including but not limited to software source code, documentation
+      source, and configuration files.
+      "Object" form shall mean any form resulting from mechanical
+      transformation or translation of a Source form, including but
+      not limited to compiled object code, generated documentation,
+      and conversions to other media types.
+      "Work" shall mean the work of authorship made available under
+      the License, as indicated by a copyright notice that is included in
+      or attached to the work (an example is provided in the Appendix below).
+      "Derivative Works" shall mean any work, whether in Source or Object
+      form, that is based on (or derived from) the Work and for which the
+      editorial revisions, annotations, elaborations, or other modifications
+      represent, as a whole, an original work of authorship. For the purposes
+      of this License, Derivative Works shall not include works that remain
+      separable from, or merely link (or bind by name) to the interfaces of,
+      the Work and Derivative Works thereof.
+      "Contribution" shall mean, as submitted to the Licensor for inclusion
+      in the Work by the copyright owner or by an individual or Legal Entity
+      authorized to submit on behalf of the copyright owner. For the purposes
+      of this definition, "submitted" means any form of electronic, verbal,
+      or written communication sent to the Licensor or its representatives,
+      including but not limited to communication on electronic mailing lists,
+      source code control systems, and issue tracking systems that are managed
+      by, or on behalf of, the Licensor for the purpose of discussing and
+      improving the Work, but excluding communication that is conspicuously
+      marked or otherwise designated in writing by the copyright owner as
+      "Not a Contribution."
+      "Contributor" shall mean Licensor and any Legal Entity on behalf of
+      whom a Contribution has been received by the Licensor and subsequently
+      incorporated within the Work.
+   2. Grant of Copyright License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      copyright license to reproduce, prepare Derivative Works of,
+      publicly display, publicly perform, sublicense, and distribute the
+      Work and such Derivative Works in Source or Object form.
+   3. Grant of Patent License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      (except as stated in this section) patent license to make, have made,
+      use, offer to sell, sell, import, and otherwise transfer the Work,
+      where such license applies only to those patent claims licensable
+      by such Contributor that are necessarily infringed by their
+      Contribution(s) alone or by combination of their Contribution(s)
+      with the Work to which such Contribution(s) was submitted. If You
+      institute patent litigation against any entity (including a cross-claim
+      or counterclaim in a lawsuit) alleging that the Work or any Contribution
+      incorporated within the Work constitutes direct or contributory patent
+      infringement, then any patent licenses granted to You under this License
+      for that Work shall terminate as of the date such litigation is filed.
+   4. Redistribution. You may reproduce and distribute copies of the
+      Work or Derivative Works thereof in any medium, with or without
+      modifications, and in Source or Object form, provided that You
+      meet the following conditions:
+      (a) You must give any other recipients of the Work or Derivative Works
+          a copy of this License; and
+      (b) You must cause any modified files to carry prominent notices
+          stating that You changed the files; and
+      (c) You must retain, in the Source form of any Derivative Works
+          that You distribute, all copyright, patent, trademark, and
+          attribution notices from the Source form of the Work,
+          excluding those notices that do not pertain to any part of
+          the Derivative Works; and
+      (d) If the Work includes a "NOTICE" text file as part of its
+          distribution, You must include a readable copy of the attribution
+          notices contained within such NOTICE file, in at least one
+          of the following places: within a NOTICE text file distributed
+          as part of the Derivative Works; within the Source form or
+          documentation, if provided along with the Derivative Works; or,
+          within a display generated by the Derivative Works, if and
+          wherever such third-party notices normally appear. The contents
+          of the NOTICE file are for informational purposes only and
+          do not modify the License. You may add Your own attribution
+          notices within Derivative Works that You distribute, alongside
+          or as an addendum to the NOTICE text from the Work, provided
+          that such additional attribution notices cannot be construed
+          as modifying the License.
+      You may add Your own license statement for Your modifications and
+      may provide additional grant of rights to use, copy, modify, merge,
+      publish, distribute, sublicense, and/or sell copies of Your
+      modifications, or for such Derivative Works as a whole, subject to
+      the terms and conditions of this License.
+   5. Submission of Contributions. Unless You explicitly state otherwise,
+      any Contribution intentionally submitted for inclusion in the Work
+      by You to the Licensor shall be under the terms and conditions of
+      this License, without any additional terms or conditions.
+      Notwithstanding the above, nothing herein shall supersede or modify
+      the terms of any separate license agreement you may have executed
+      with Licensor regarding such Contributions.
+   6. Trademarks. This License does not grant permission to use the trade
+      names, trademarks, service marks, or product names of the Licensor,
+      except as required for reasonable and customary use in describing the
+      origin of the Work and reproducing the content of the NOTICE file.
+   7. Disclaimer of Warranty. Unless required by applicable law or
+      agreed to in writing, Licensor provides the Work (and each
+      Contributor provides its Contributions) on an "AS IS" BASIS,
+      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+      implied, including, without limitation, any conditions of title,
+      merchantability, fitness for a particular purpose and
+      noninfringement. You are solely responsible for determining the
+      appropriateness of using or redistributing the Work and assume any
+      risks associated with Your exercise of permissions under this License.
+   8. Limitation of Liability. In no event and under no legal theory,
+      whether in tort (including negligence), contract, or otherwise,
+      unless required by applicable law (such as deliberate and grossly
+      negligent acts) or agreed to in writing, shall any Contributor be
+      liable to You for damages, including any direct, indirect, special,
+      incidental, or exemplary damages of any character arising as a
+      result of this License or out of the use or inability to use the
+      Work (including but not limited to damages for loss of goodwill,
+      work stoppage, computer failure or malfunction, or all other
+      commercial damages or losses), even if such Contributor has been
+      advised of the possibility of such damages.
+   9. Accepting Warranty or Additional Liability. While redistributing
+      the Work or Derivative Works thereof, You may choose to offer,
+      and charge a fee for, acceptance of support, warranty, indemnity,
+      or other liability obligations and/or rights consistent with this
+      License. However, in accepting such obligations, You may act only
+      on Your own behalf and on Your sole responsibility, not on behalf
+      of any other Contributor, and only if You agree to indemnify,
+      defend, and hold each Contributor harmless for any liability
+      incurred by, or claims asserted against, such Contributor by reason
+      of your accepting any such warranty or additional liability.
+   END OF TERMS AND CONDITIONS
+   APPENDIX: How to apply the Apache License to your work.
+      To apply the Apache License to your work, attach the following
+      boilerplate notice, with the fields enclosed by brackets "[]"
+      replaced with your own identifying information. (Don't include
+      the brackets!)  The text should be enclosed in the appropriate
+      comment syntax for the file format in use. Please also include a
+      relevant "NOTICE" text file as appropriate.
+   Copyright 2026 Oursky
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+       http://www.apache.org/licenses/LICENSE-2.0
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.

package/README.md CHANGED Viewed

@@ -7,7 +7,7 @@
 With Authgear SDK for Next.js, you can easily integrate authentication features into your Next.js application — covering both the frontend and backend in one package.
 In most cases, it involves just **a few lines of code** to enable **multiple authentication methods**, such as [social logins](https://www.authgear.com/features/social-login), [passwordless](https://www.authgear.com/features/passwordless-authentication), [biometrics logins](https://www.authgear.com/features/biometric-authentication), [one-time-password (OTP)](https://www.authgear.com/features/whatsapp-otp) with SMS/WhatsApp, and multi-factor authentication (MFA).
-**Quick links** — 📚 [Documentation](#documentation) · 🏁 [Getting Started](#getting-started) · 🛠️ [Troubleshooting](#troubleshooting) · 👥 [Contributing](#contributing)
+**Quick links** — 📚 [Documentation](https://authgear.github.io/authgear-sdk-nextjs/) · 🏁 [Getting Started](#getting-started) · 🛠️ [Troubleshooting](#troubleshooting) · 👥 [Contributing](#contributing)
 ## What is Authgear?
@@ -35,6 +35,8 @@ npm install @authgear/nextjs
 ## Getting Started
+For a complete tutorial, see the [Next.js integration guide](https://docs.authgear.com/get-started/regular-web-app/nextjs) on Authgear Docs, or explore the [example project](https://github.com/authgear/authgear-example-nextjs) on GitHub.
 ### 1. Configure Authgear
 Create a config object. The `sessionSecret` must be at least 32 characters and should be stored in an environment variable.
@@ -46,7 +48,6 @@ import type { AuthgearConfig } from "@authgear/nextjs";
 export const authgearConfig: AuthgearConfig = {
   endpoint: process.env.AUTHGEAR_ENDPOINT!,       // e.g. "https://myapp.authgear.cloud"
   clientID: process.env.AUTHGEAR_CLIENT_ID!,
-  clientSecret: process.env.AUTHGEAR_CLIENT_SECRET,  // for confidential clients
   redirectURI: process.env.AUTHGEAR_REDIRECT_URI!,   // e.g. "http://localhost:3000/api/auth/callback"
   sessionSecret: process.env.SESSION_SECRET!,         // min 32 chars
 };
@@ -169,17 +170,27 @@ export async function GET(request: NextRequest) {
 }
 ```
-### Reading the Session
+### Reading the Session in Server Actions
-Use `auth()` to read the raw session (tokens + expiry) without fetching user info.
+Use `auth()` to get the session (including a fresh access token) without fetching user info. This is the right choice for Server Actions that need to call a downstream API on behalf of the user — `auth()` will auto-refresh the token if expired before returning it.
 ```ts
-import { auth } from "@authgear/nextjs/server";
+"use server";
+import { auth, SessionState } from "@authgear/nextjs/server";
 import { authgearConfig } from "@/lib/authgear";
-const session = await auth(authgearConfig);
-// session.state: SessionState.Authenticated | SessionState.NoSession
-// session.accessToken: string | null
+export async function callMyApiAction() {
+  const session = await auth(authgearConfig);
+  if (session.state !== SessionState.Authenticated || !session.accessToken) {
+    throw new Error("Not authenticated");
+  }
+  // session.accessToken is always fresh — auto-refreshed if it was expired
+  const res = await fetch("https://api.example.com/data", {
+    headers: { Authorization: `Bearer ${session.accessToken}` },
+  });
+  return res.json();
+}
 ```
 ---
@@ -196,9 +207,10 @@ const session = await auth(authgearConfig);
 | Export | Description |
 |---|---|
-| `auth(config)` | Returns the current `Session` from the session cookie |
-| `currentUser(config)` | Returns `UserInfo \| null`, auto-refreshes access token |
+| `auth(config)` | Returns the current `Session`, auto-refreshes access token if expired |
+| `currentUser(config)` | Returns `UserInfo \| null`, auto-refreshes access token if expired |
 | `verifyAccessToken(token, config)` | Verifies a JWT Bearer token with JWKS, returns `JWTPayload` |
+| `getOpenURL(page, config)` | Returns a URL to open an Authgear page (e.g. `Page.Settings`) with the user pre-authenticated |
 ### `@authgear/nextjs/client`
@@ -232,7 +244,6 @@ const session = await auth(authgearConfig);
 | `clientID` | ✓ | OAuth client ID |
 | `redirectURI` | ✓ | OAuth callback URL, e.g. `"http://localhost:3000/api/auth/callback"` |
 | `sessionSecret` | ✓ | Secret for encrypting session cookie (min 32 chars) |
-| `clientSecret` | | OAuth client secret (for confidential clients) |
 | `postLogoutRedirectURI` | | Where to redirect after logout. Defaults to `"/"` |
 | `scopes` | | OAuth scopes. Defaults to `["openid", "offline_access", "https://authgear.com/scopes/full-userinfo"]` |
 | `cookieName` | | Session cookie name. Defaults to `"authgear.session"` |
@@ -241,37 +252,13 @@ const session = await auth(authgearConfig);
 ## Roadmap
-### `open(page)` — Open Authgear Settings Page
-> **Status: pending server-side enablement**
-The SDK has a planned `getOpenURL(page, config)` function (modelled after [`authgear.open(Page.Settings)`](https://docs.authgear.com/get-started/single-page-app/website#step-8-open-user-settings-page) in the web SDK) that opens the Authgear-hosted settings UI with the current user already authenticated — no re-login required.
-**How it will work:**
-```ts
-// app/dashboard/actions.ts  (Server Action)
-"use server";
-import { getOpenURL, Page } from "@authgear/nextjs/server";
-import { authgearConfig } from "@/lib/authgear";
-export async function getSettingsURLAction() {
-  return getOpenURL(Page.Settings, authgearConfig);
-}
-```
-```tsx
-// Client component
-const url = await getSettingsURLAction();
-window.open(url, "_blank");
-```
-**Blocker:** This feature exchanges the refresh token for an `app_session_token` via `POST /oauth2/app_session_token`. The Authgear server must grant the OAuth client **"full user access"** permission before this endpoint is accessible. Once that server-side configuration is in place, the implementation in `src/server.ts` can be uncommented and released.
+This SDK is actively maintained. Feature requests and contributions are welcome via [GitHub Issues](https://github.com/authgear/authgear-sdk-nextjs/issues).
 ---
 ## Documentation
+- **SDK Documentation**: [https://authgear.github.io/authgear-sdk-nextjs/](https://authgear.github.io/authgear-sdk-nextjs/)
 - Learn how to set up an Authgear application at [https://docs.authgear.com/](https://docs.authgear.com/)
 - Learn how to manage your users through the [Admin API](https://docs.authgear.com/reference/apis/admin-api)

package/dist/{chunk-MJD3XNUK.js → chunk-A3E57VNZ.js} RENAMED Viewed

@@ -1,6 +1,6 @@
 import {
   DEFAULT_SCOPES
-} from "./chunk-UY6NEM2T.js";
+} from "./chunk-HYKCRZLJ.js";
 // src/config.ts
 function resolveConfig(config) {
@@ -13,7 +13,6 @@ function resolveConfig(config) {
   return {
     endpoint: config.endpoint.replace(/\/+$/, ""),
     clientID: config.clientID,
-    clientSecret: config.clientSecret ?? "",
     redirectURI: config.redirectURI,
     postLogoutRedirectURI: config.postLogoutRedirectURI ?? "/",
     scopes: config.scopes ?? DEFAULT_SCOPES,
@@ -142,9 +141,6 @@ async function exchangeCode(oidcConfig, params) {
     client_id: params.clientID,
     redirect_uri: params.redirectURI
   });
-  if (params.clientSecret) {
-    body.set("client_secret", params.clientSecret);
-  }
   const res = await fetch(oidcConfig.token_endpoint, {
     method: "POST",
     headers: { "Content-Type": "application/x-www-form-urlencoded" },
@@ -162,9 +158,6 @@ async function refreshAccessToken(oidcConfig, params) {
     refresh_token: params.refreshToken,
     client_id: params.clientID
   });
-  if (params.clientSecret) {
-    body.set("client_secret", params.clientSecret);
-  }
   const res = await fetch(oidcConfig.token_endpoint, {
     method: "POST",
     headers: { "Content-Type": "application/x-www-form-urlencoded" },
@@ -176,6 +169,19 @@ async function refreshAccessToken(oidcConfig, params) {
   }
   return res.json();
 }
+async function getAppSessionToken(endpoint, refreshToken) {
+  const res = await fetch(`${endpoint}/oauth2/app_session_token`, {
+    method: "POST",
+    headers: { "Content-Type": "application/json" },
+    body: JSON.stringify({ refresh_token: refreshToken })
+  });
+  if (!res.ok) {
+    const error = await res.text();
+    throw new Error(`Failed to get app session token (${res.status}): ${error}`);
+  }
+  const json = await res.json();
+  return json.result;
+}
 async function revokeToken(oidcConfig, token) {
   await fetch(oidcConfig.revocation_endpoint, {
     method: "POST",
@@ -220,8 +226,9 @@ export {
   decryptPKCECookie,
   exchangeCode,
   refreshAccessToken,
+  getAppSessionToken,
   revokeToken,
   deriveSessionState,
   isTokenExpired
 };
-//# sourceMappingURL=chunk-MJD3XNUK.js.map
+//# sourceMappingURL=chunk-A3E57VNZ.js.map

package/dist/chunk-A3E57VNZ.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"sources":["../src/config.ts","../src/oauth/discovery.ts","../src/session/cookie.ts","../src/oauth/token.ts","../src/session/state.ts"],"sourcesContent":["import { type AuthgearConfig, DEFAULT_SCOPES } from \"./types.js\";\n\nexport function resolveConfig(config: AuthgearConfig): Required<AuthgearConfig> {\n if (!config.endpoint) throw new Error(\"AuthgearConfig: endpoint is required\");\n if (!config.clientID) throw new Error(\"AuthgearConfig: clientID is required\");\n if (!config.redirectURI) throw new Error(\"AuthgearConfig: redirectURI is required\");\n if (!config.sessionSecret || config.sessionSecret.length < 32) {\n throw new Error(\"AuthgearConfig: sessionSecret must be at least 32 characters\");\n }\n\n return {\n endpoint: config.endpoint.replace(/\\/+$/, \"\"),\n clientID: config.clientID,\n redirectURI: config.redirectURI,\n postLogoutRedirectURI: config.postLogoutRedirectURI ?? \"/\",\n scopes: config.scopes ?? DEFAULT_SCOPES,\n sessionSecret: config.sessionSecret,\n cookieName: config.cookieName ?? \"authgear.session\",\n };\n}\n","import type { OIDCConfiguration } from \"../types.js\";\n\nconst cache = new Map<string, { config: OIDCConfiguration; fetchedAt: number }>();\nconst CACHE_TTL_MS = 60 * 60 * 1000; // 1 hour\n\nexport async function fetchOIDCConfiguration(\n endpoint: string,\n): Promise<OIDCConfiguration> {\n const cached = cache.get(endpoint);\n if (cached && Date.now() - cached.fetchedAt < CACHE_TTL_MS) {\n return cached.config;\n }\n\n const url = `${endpoint}/.well-known/openid-configuration`;\n const res = await fetch(url);\n if (!res.ok) {\n throw new Error(`Failed to fetch OIDC configuration from ${url}: ${res.status}`);\n }\n\n const config = (await res.json()) as OIDCConfiguration;\n cache.set(endpoint, { config, fetchedAt: Date.now() });\n return config;\n}\n\n/** Clear cached OIDC configuration (useful for testing) */\nexport function clearOIDCCache(): void {\n cache.clear();\n}\n","import { createCipheriv, createDecipheriv, randomBytes, scryptSync } from \"node:crypto\";\nimport type { SessionData } from \"../types.js\";\n\nconst ALGORITHM = \"aes-256-gcm\";\nconst IV_LENGTH = 12;\nconst AUTH_TAG_LENGTH = 16;\nconst KEY_LENGTH = 32;\nconst SALT = \"authgear-nextjs-session\";\n\nfunction deriveKey(secret: string): Buffer {\n return scryptSync(secret, SALT, KEY_LENGTH);\n}\n\nexport function encryptSession(data: SessionData, secret: string): string {\n const key = deriveKey(secret);\n const iv = randomBytes(IV_LENGTH);\n const cipher = createCipheriv(ALGORITHM, key, iv, { authTagLength: AUTH_TAG_LENGTH });\n\n const json = JSON.stringify(data);\n const encrypted = Buffer.concat([cipher.update(json, \"utf8\"), cipher.final()]);\n const authTag = cipher.getAuthTag();\n\n // Format: base64(iv + authTag + encrypted)\n return Buffer.concat([iv, authTag, encrypted]).toString(\"base64url\");\n}\n\nexport function decryptSession(encrypted: string, secret: string): SessionData | null {\n try {\n const key = deriveKey(secret);\n const buf = Buffer.from(encrypted, \"base64url\");\n\n if (buf.length < IV_LENGTH + AUTH_TAG_LENGTH) return null;\n\n const iv = buf.subarray(0, IV_LENGTH);\n const authTag = buf.subarray(IV_LENGTH, IV_LENGTH + AUTH_TAG_LENGTH);\n const ciphertext = buf.subarray(IV_LENGTH + AUTH_TAG_LENGTH);\n\n const decipher = createDecipheriv(ALGORITHM, key, iv, { authTagLength: AUTH_TAG_LENGTH });\n decipher.setAuthTag(authTag);\n\n const decrypted = Buffer.concat([decipher.update(ciphertext), decipher.final()]);\n return JSON.parse(decrypted.toString(\"utf8\")) as SessionData;\n } catch {\n return null;\n }\n}\n\nexport interface CookieOptions {\n name: string;\n value: string;\n httpOnly?: boolean;\n secure?: boolean;\n sameSite?: \"lax\" | \"strict\" | \"none\";\n path?: string;\n maxAge?: number;\n}\n\nexport function buildSessionCookie(\n cookieName: string,\n data: SessionData,\n secret: string,\n): CookieOptions {\n return {\n name: cookieName,\n value: encryptSession(data, secret),\n httpOnly: true,\n secure: process.env.NODE_ENV === \"production\",\n sameSite: \"lax\",\n path: \"/\",\n maxAge: 30 * 24 * 60 * 60, // 30 days\n };\n}\n\nexport function buildClearCookie(cookieName: string): CookieOptions {\n return {\n name: cookieName,\n value: \"\",\n httpOnly: true,\n secure: process.env.NODE_ENV === \"production\",\n sameSite: \"lax\",\n path: \"/\",\n maxAge: 0,\n };\n}\n\nexport function buildPKCECookie(\n data: { codeVerifier: string; state: string; returnTo: string },\n secret: string,\n): CookieOptions {\n const key = deriveKey(secret);\n const iv = randomBytes(IV_LENGTH);\n const cipher = createCipheriv(ALGORITHM, key, iv, { authTagLength: AUTH_TAG_LENGTH });\n\n const json = JSON.stringify(data);\n const encrypted = Buffer.concat([cipher.update(json, \"utf8\"), cipher.final()]);\n const authTag = cipher.getAuthTag();\n\n return {\n name: \"authgear.pkce\",\n value: Buffer.concat([iv, authTag, encrypted]).toString(\"base64url\"),\n httpOnly: true,\n secure: process.env.NODE_ENV === \"production\",\n sameSite: \"lax\",\n path: \"/\",\n maxAge: 600, // 10 minutes\n };\n}\n\nexport function decryptPKCECookie(\n encrypted: string,\n secret: string,\n): { codeVerifier: string; state: string; returnTo: string } | null {\n try {\n const key = deriveKey(secret);\n const buf = Buffer.from(encrypted, \"base64url\");\n\n if (buf.length < IV_LENGTH + AUTH_TAG_LENGTH) return null;\n\n const iv = buf.subarray(0, IV_LENGTH);\n const authTag = buf.subarray(IV_LENGTH, IV_LENGTH + AUTH_TAG_LENGTH);\n const ciphertext = buf.subarray(IV_LENGTH + AUTH_TAG_LENGTH);\n\n const decipher = createDecipheriv(ALGORITHM, key, iv, { authTagLength: AUTH_TAG_LENGTH });\n decipher.setAuthTag(authTag);\n\n const decrypted = Buffer.concat([decipher.update(ciphertext), decipher.final()]);\n return JSON.parse(decrypted.toString(\"utf8\"));\n } catch {\n return null;\n }\n}\n","import type { OIDCConfiguration, TokenResponse, AppSessionTokenResponse } from \"../types.js\";\n\nexport interface ExchangeCodeParams {\n code: string;\n codeVerifier: string;\n clientID: string;\n redirectURI: string;\n}\n\nexport interface RefreshTokenParams {\n refreshToken: string;\n clientID: string;\n}\n\nexport async function exchangeCode(\n oidcConfig: OIDCConfiguration,\n params: ExchangeCodeParams,\n): Promise<TokenResponse> {\n const body = new URLSearchParams({\n grant_type: \"authorization_code\",\n code: params.code,\n code_verifier: params.codeVerifier,\n client_id: params.clientID,\n redirect_uri: params.redirectURI,\n });\n\n const res = await fetch(oidcConfig.token_endpoint, {\n method: \"POST\",\n headers: { \"Content-Type\": \"application/x-www-form-urlencoded\" },\n body: body.toString(),\n });\n\n if (!res.ok) {\n const error = await res.text();\n throw new Error(`Token exchange failed (${res.status}): ${error}`);\n }\n\n return res.json() as Promise<TokenResponse>;\n}\n\nexport async function refreshAccessToken(\n oidcConfig: OIDCConfiguration,\n params: RefreshTokenParams,\n): Promise<TokenResponse> {\n const body = new URLSearchParams({\n grant_type: \"refresh_token\",\n refresh_token: params.refreshToken,\n client_id: params.clientID,\n });\n\n const res = await fetch(oidcConfig.token_endpoint, {\n method: \"POST\",\n headers: { \"Content-Type\": \"application/x-www-form-urlencoded\" },\n body: body.toString(),\n });\n\n if (!res.ok) {\n const error = await res.text();\n throw new Error(`Token refresh failed (${res.status}): ${error}`);\n }\n\n return res.json() as Promise<TokenResponse>;\n}\n\nexport async function getAppSessionToken(\n endpoint: string,\n refreshToken: string,\n): Promise<AppSessionTokenResponse> {\n const res = await fetch(`${endpoint}/oauth2/app_session_token`, {\n method: \"POST\",\n headers: { \"Content-Type\": \"application/json\" },\n body: JSON.stringify({ refresh_token: refreshToken }),\n });\n\n if (!res.ok) {\n const error = await res.text();\n throw new Error(`Failed to get app session token (${res.status}): ${error}`);\n }\n\n const json = (await res.json()) as { result: AppSessionTokenResponse };\n return json.result;\n}\n\nexport async function revokeToken(\n oidcConfig: OIDCConfiguration,\n token: string,\n): Promise<void> {\n await fetch(oidcConfig.revocation_endpoint, {\n method: \"POST\",\n headers: { \"Content-Type\": \"application/x-www-form-urlencoded\" },\n body: new URLSearchParams({ token }).toString(),\n });\n}\n","import { SessionState, type SessionData, type Session } from \"../types.js\";\n\nexport function deriveSessionState(data: SessionData | null): Session {\n if (!data) {\n return {\n state: SessionState.NoSession,\n accessToken: null,\n refreshToken: null,\n idToken: null,\n expiresAt: null,\n user: null,\n };\n }\n\n return {\n state: SessionState.Authenticated,\n accessToken: data.accessToken,\n refreshToken: data.refreshToken,\n idToken: data.idToken,\n expiresAt: data.expiresAt,\n user: null, // User is fetched separately when needed\n };\n}\n\nexport function isTokenExpired(expiresAt: number): boolean {\n // Consider expired 30 seconds early for safety margin\n return Date.now() / 1000 >= expiresAt - 30;\n}\n"],"mappings":";;;;;AAEO,SAAS,cAAc,QAAkD;AAC9E,MAAI,CAAC,OAAO,SAAU,OAAM,IAAI,MAAM,sCAAsC;AAC5E,MAAI,CAAC,OAAO,SAAU,OAAM,IAAI,MAAM,sCAAsC;AAC5E,MAAI,CAAC,OAAO,YAAa,OAAM,IAAI,MAAM,yCAAyC;AAClF,MAAI,CAAC,OAAO,iBAAiB,OAAO,cAAc,SAAS,IAAI;AAC7D,UAAM,IAAI,MAAM,8DAA8D;AAAA,EAChF;AAEA,SAAO;AAAA,IACL,UAAU,OAAO,SAAS,QAAQ,QAAQ,EAAE;AAAA,IAC5C,UAAU,OAAO;AAAA,IACjB,aAAa,OAAO;AAAA,IACpB,uBAAuB,OAAO,yBAAyB;AAAA,IACvD,QAAQ,OAAO,UAAU;AAAA,IACzB,eAAe,OAAO;AAAA,IACtB,YAAY,OAAO,cAAc;AAAA,EACnC;AACF;;;ACjBA,IAAM,QAAQ,oBAAI,IAA8D;AAChF,IAAM,eAAe,KAAK,KAAK;AAE/B,eAAsB,uBACpB,UAC4B;AAC5B,QAAM,SAAS,MAAM,IAAI,QAAQ;AACjC,MAAI,UAAU,KAAK,IAAI,IAAI,OAAO,YAAY,cAAc;AAC1D,WAAO,OAAO;AAAA,EAChB;AAEA,QAAM,MAAM,GAAG,QAAQ;AACvB,QAAM,MAAM,MAAM,MAAM,GAAG;AAC3B,MAAI,CAAC,IAAI,IAAI;AACX,UAAM,IAAI,MAAM,2CAA2C,GAAG,KAAK,IAAI,MAAM,EAAE;AAAA,EACjF;AAEA,QAAM,SAAU,MAAM,IAAI,KAAK;AAC/B,QAAM,IAAI,UAAU,EAAE,QAAQ,WAAW,KAAK,IAAI,EAAE,CAAC;AACrD,SAAO;AACT;;;ACtBA,SAAS,gBAAgB,kBAAkB,aAAa,kBAAkB;AAG1E,IAAM,YAAY;AAClB,IAAM,YAAY;AAClB,IAAM,kBAAkB;AACxB,IAAM,aAAa;AACnB,IAAM,OAAO;AAEb,SAAS,UAAU,QAAwB;AACzC,SAAO,WAAW,QAAQ,MAAM,UAAU;AAC5C;AAEO,SAAS,eAAe,MAAmB,QAAwB;AACxE,QAAM,MAAM,UAAU,MAAM;AAC5B,QAAM,KAAK,YAAY,SAAS;AAChC,QAAM,SAAS,eAAe,WAAW,KAAK,IAAI,EAAE,eAAe,gBAAgB,CAAC;AAEpF,QAAM,OAAO,KAAK,UAAU,IAAI;AAChC,QAAM,YAAY,OAAO,OAAO,CAAC,OAAO,OAAO,MAAM,MAAM,GAAG,OAAO,MAAM,CAAC,CAAC;AAC7E,QAAM,UAAU,OAAO,WAAW;AAGlC,SAAO,OAAO,OAAO,CAAC,IAAI,SAAS,SAAS,CAAC,EAAE,SAAS,WAAW;AACrE;AAEO,SAAS,eAAe,WAAmB,QAAoC;AACpF,MAAI;AACF,UAAM,MAAM,UAAU,MAAM;AAC5B,UAAM,MAAM,OAAO,KAAK,WAAW,WAAW;AAE9C,QAAI,IAAI,SAAS,YAAY,gBAAiB,QAAO;AAErD,UAAM,KAAK,IAAI,SAAS,GAAG,SAAS;AACpC,UAAM,UAAU,IAAI,SAAS,WAAW,YAAY,eAAe;AACnE,UAAM,aAAa,IAAI,SAAS,YAAY,eAAe;AAE3D,UAAM,WAAW,iBAAiB,WAAW,KAAK,IAAI,EAAE,eAAe,gBAAgB,CAAC;AACxF,aAAS,WAAW,OAAO;AAE3B,UAAM,YAAY,OAAO,OAAO,CAAC,SAAS,OAAO,UAAU,GAAG,SAAS,MAAM,CAAC,CAAC;AAC/E,WAAO,KAAK,MAAM,UAAU,SAAS,MAAM,CAAC;AAAA,EAC9C,QAAQ;AACN,WAAO;AAAA,EACT;AACF;AAYO,SAAS,mBACd,YACA,MACA,QACe;AACf,SAAO;AAAA,IACL,MAAM;AAAA,IACN,OAAO,eAAe,MAAM,MAAM;AAAA,IAClC,UAAU;AAAA,IACV,QAAQ,QAAQ,IAAI,aAAa;AAAA,IACjC,UAAU;AAAA,IACV,MAAM;AAAA,IACN,QAAQ,KAAK,KAAK,KAAK;AAAA;AAAA,EACzB;AACF;AAEO,SAAS,iBAAiB,YAAmC;AAClE,SAAO;AAAA,IACL,MAAM;AAAA,IACN,OAAO;AAAA,IACP,UAAU;AAAA,IACV,QAAQ,QAAQ,IAAI,aAAa;AAAA,IACjC,UAAU;AAAA,IACV,MAAM;AAAA,IACN,QAAQ;AAAA,EACV;AACF;AAEO,SAAS,gBACd,MACA,QACe;AACf,QAAM,MAAM,UAAU,MAAM;AAC5B,QAAM,KAAK,YAAY,SAAS;AAChC,QAAM,SAAS,eAAe,WAAW,KAAK,IAAI,EAAE,eAAe,gBAAgB,CAAC;AAEpF,QAAM,OAAO,KAAK,UAAU,IAAI;AAChC,QAAM,YAAY,OAAO,OAAO,CAAC,OAAO,OAAO,MAAM,MAAM,GAAG,OAAO,MAAM,CAAC,CAAC;AAC7E,QAAM,UAAU,OAAO,WAAW;AAElC,SAAO;AAAA,IACL,MAAM;AAAA,IACN,OAAO,OAAO,OAAO,CAAC,IAAI,SAAS,SAAS,CAAC,EAAE,SAAS,WAAW;AAAA,IACnE,UAAU;AAAA,IACV,QAAQ,QAAQ,IAAI,aAAa;AAAA,IACjC,UAAU;AAAA,IACV,MAAM;AAAA,IACN,QAAQ;AAAA;AAAA,EACV;AACF;AAEO,SAAS,kBACd,WACA,QACkE;AAClE,MAAI;AACF,UAAM,MAAM,UAAU,MAAM;AAC5B,UAAM,MAAM,OAAO,KAAK,WAAW,WAAW;AAE9C,QAAI,IAAI,SAAS,YAAY,gBAAiB,QAAO;AAErD,UAAM,KAAK,IAAI,SAAS,GAAG,SAAS;AACpC,UAAM,UAAU,IAAI,SAAS,WAAW,YAAY,eAAe;AACnE,UAAM,aAAa,IAAI,SAAS,YAAY,eAAe;AAE3D,UAAM,WAAW,iBAAiB,WAAW,KAAK,IAAI,EAAE,eAAe,gBAAgB,CAAC;AACxF,aAAS,WAAW,OAAO;AAE3B,UAAM,YAAY,OAAO,OAAO,CAAC,SAAS,OAAO,UAAU,GAAG,SAAS,MAAM,CAAC,CAAC;AAC/E,WAAO,KAAK,MAAM,UAAU,SAAS,MAAM,CAAC;AAAA,EAC9C,QAAQ;AACN,WAAO;AAAA,EACT;AACF;;;ACpHA,eAAsB,aACpB,YACA,QACwB;AACxB,QAAM,OAAO,IAAI,gBAAgB;AAAA,IAC/B,YAAY;AAAA,IACZ,MAAM,OAAO;AAAA,IACb,eAAe,OAAO;AAAA,IACtB,WAAW,OAAO;AAAA,IAClB,cAAc,OAAO;AAAA,EACvB,CAAC;AAED,QAAM,MAAM,MAAM,MAAM,WAAW,gBAAgB;AAAA,IACjD,QAAQ;AAAA,IACR,SAAS,EAAE,gBAAgB,oCAAoC;AAAA,IAC/D,MAAM,KAAK,SAAS;AAAA,EACtB,CAAC;AAED,MAAI,CAAC,IAAI,IAAI;AACX,UAAM,QAAQ,MAAM,IAAI,KAAK;AAC7B,UAAM,IAAI,MAAM,0BAA0B,IAAI,MAAM,MAAM,KAAK,EAAE;AAAA,EACnE;AAEA,SAAO,IAAI,KAAK;AAClB;AAEA,eAAsB,mBACpB,YACA,QACwB;AACxB,QAAM,OAAO,IAAI,gBAAgB;AAAA,IAC/B,YAAY;AAAA,IACZ,eAAe,OAAO;AAAA,IACtB,WAAW,OAAO;AAAA,EACpB,CAAC;AAED,QAAM,MAAM,MAAM,MAAM,WAAW,gBAAgB;AAAA,IACjD,QAAQ;AAAA,IACR,SAAS,EAAE,gBAAgB,oCAAoC;AAAA,IAC/D,MAAM,KAAK,SAAS;AAAA,EACtB,CAAC;AAED,MAAI,CAAC,IAAI,IAAI;AACX,UAAM,QAAQ,MAAM,IAAI,KAAK;AAC7B,UAAM,IAAI,MAAM,yBAAyB,IAAI,MAAM,MAAM,KAAK,EAAE;AAAA,EAClE;AAEA,SAAO,IAAI,KAAK;AAClB;AAEA,eAAsB,mBACpB,UACA,cACkC;AAClC,QAAM,MAAM,MAAM,MAAM,GAAG,QAAQ,6BAA6B;AAAA,IAC9D,QAAQ;AAAA,IACR,SAAS,EAAE,gBAAgB,mBAAmB;AAAA,IAC9C,MAAM,KAAK,UAAU,EAAE,eAAe,aAAa,CAAC;AAAA,EACtD,CAAC;AAED,MAAI,CAAC,IAAI,IAAI;AACX,UAAM,QAAQ,MAAM,IAAI,KAAK;AAC7B,UAAM,IAAI,MAAM,oCAAoC,IAAI,MAAM,MAAM,KAAK,EAAE;AAAA,EAC7E;AAEA,QAAM,OAAQ,MAAM,IAAI,KAAK;AAC7B,SAAO,KAAK;AACd;AAEA,eAAsB,YACpB,YACA,OACe;AACf,QAAM,MAAM,WAAW,qBAAqB;AAAA,IAC1C,QAAQ;AAAA,IACR,SAAS,EAAE,gBAAgB,oCAAoC;AAAA,IAC/D,MAAM,IAAI,gBAAgB,EAAE,MAAM,CAAC,EAAE,SAAS;AAAA,EAChD,CAAC;AACH;;;AC1FO,SAAS,mBAAmB,MAAmC;AACpE,MAAI,CAAC,MAAM;AACT,WAAO;AAAA,MACL;AAAA,MACA,aAAa;AAAA,MACb,cAAc;AAAA,MACd,SAAS;AAAA,MACT,WAAW;AAAA,MACX,MAAM;AAAA,IACR;AAAA,EACF;AAEA,SAAO;AAAA,IACL;AAAA,IACA,aAAa,KAAK;AAAA,IAClB,cAAc,KAAK;AAAA,IACnB,SAAS,KAAK;AAAA,IACd,WAAW,KAAK;AAAA,IAChB,MAAM;AAAA;AAAA,EACR;AACF;AAEO,SAAS,eAAe,WAA4B;AAEzD,SAAO,KAAK,IAAI,IAAI,OAAQ,YAAY;AAC1C;","names":[]}

package/dist/{chunk-UY6NEM2T.js → chunk-HYKCRZLJ.js} RENAMED Viewed

@@ -20,4 +20,4 @@ export {
   DEFAULT_SCOPES,
   SessionState
 };
-//# sourceMappingURL=chunk-UY6NEM2T.js.map
+//# sourceMappingURL=chunk-HYKCRZLJ.js.map

package/dist/chunk-HYKCRZLJ.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"sources":["../src/types.ts"],"sourcesContent":["export interface AuthgearConfig {\n /** Authgear endpoint, e.g. \"https://myapp.authgear.cloud\" */\n endpoint: string;\n /** OAuth client ID */\n clientID: string;\n /** Redirect URI for OAuth callback, e.g. \"http://localhost:3000/api/auth/callback\" */\n redirectURI: string;\n /** Where to redirect after logout */\n postLogoutRedirectURI?: string;\n /** OAuth scopes. Defaults to [\"openid\", \"offline_access\", \"https://authgear.com/scopes/full-userinfo\"] */\n scopes?: string[];\n /** Secret key for encrypting session cookie (min 32 chars) */\n sessionSecret: string;\n /** Session cookie name. Defaults to \"authgear.session\" */\n cookieName?: string;\n}\n\n/**\n * Pages that can be opened via {@link getOpenURL}.\n */\nexport enum Page {\n Settings = \"/settings\",\n}\n\nexport const DEFAULT_SCOPES = [\n \"openid\",\n \"offline_access\",\n \"https://authgear.com/scopes/full-userinfo\",\n];\n\nexport enum SessionState {\n Unknown = \"UNKNOWN\",\n NoSession = \"NO_SESSION\",\n Authenticated = \"AUTHENTICATED\",\n}\n\nexport interface SessionData {\n accessToken: string;\n refreshToken: string | null;\n idToken: string | null;\n expiresAt: number;\n}\n\nexport interface Session {\n state: SessionState;\n accessToken: string | null;\n refreshToken: string | null;\n idToken: string | null;\n expiresAt: number | null;\n user: UserInfo | null;\n}\n\nexport interface UserInfo {\n sub: string;\n email?: string;\n emailVerified?: boolean;\n phoneNumber?: string;\n phoneNumberVerified?: boolean;\n preferredUsername?: string;\n givenName?: string;\n familyName?: string;\n name?: string;\n picture?: string;\n roles?: string[];\n isAnonymous?: boolean;\n isVerified?: boolean;\n canReauthenticate?: boolean;\n customAttributes?: Record<string, unknown>;\n raw: Record<string, unknown>;\n}\n\nexport interface JWTPayload {\n sub: string;\n iss: string;\n aud: string | string[];\n exp: number;\n iat: number;\n jti?: string;\n client_id?: string;\n \"https://authgear.com/claims/user/is_anonymous\"?: boolean;\n \"https://authgear.com/claims/user/is_verified\"?: boolean;\n \"https://authgear.com/claims/user/can_reauthenticate\"?: boolean;\n \"https://authgear.com/claims/user/roles\"?: string[];\n [key: string]: unknown;\n}\n\nexport interface TokenResponse {\n access_token: string;\n token_type: string;\n expires_in: number;\n refresh_token?: string;\n id_token?: string;\n}\n\nexport interface AppSessionTokenResponse {\n app_session_token: string;\n expire_at: string;\n}\n\nexport interface OIDCConfiguration {\n authorization_endpoint: string;\n token_endpoint: string;\n userinfo_endpoint: string;\n revocation_endpoint: string;\n end_session_endpoint: string;\n jwks_uri: string;\n issuer: string;\n}\n"],"mappings":";AAoBO,IAAK,OAAL,kBAAKA,UAAL;AACL,EAAAA,MAAA,cAAW;AADD,SAAAA;AAAA,GAAA;AAIL,IAAM,iBAAiB;AAAA,EAC5B;AAAA,EACA;AAAA,EACA;AACF;AAEO,IAAK,eAAL,kBAAKC,kBAAL;AACL,EAAAA,cAAA,aAAU;AACV,EAAAA,cAAA,eAAY;AACZ,EAAAA,cAAA,mBAAgB;AAHN,SAAAA;AAAA,GAAA;","names":["Page","SessionState"]}

package/dist/chunk-PUKK75RO.js ADDED Viewed

@@ -0,0 +1,72 @@
+// src/oauth/authorize.ts
+import { randomBytes as randomBytes2 } from "crypto";
+// src/oauth/pkce.ts
+import { randomBytes, createHash } from "crypto";
+var VERIFIER_LENGTH = 64;
+function generateCodeVerifier() {
+  return randomBytes(VERIFIER_LENGTH).toString("base64url").slice(0, VERIFIER_LENGTH);
+}
+function computeCodeChallenge(codeVerifier) {
+  return createHash("sha256").update(codeVerifier).digest("base64url");
+}
+// src/oauth/authorize.ts
+function buildOpenURL(oidcConfig, params) {
+  const authorizationEndpoint = new URL(oidcConfig.authorization_endpoint);
+  const settingsURL = `${authorizationEndpoint.origin}${params.targetPath}`;
+  const loginHint = `https://authgear.com/login_hint?type=app_session_token&app_session_token=${encodeURIComponent(params.appSessionToken)}`;
+  const url = new URL(oidcConfig.authorization_endpoint);
+  url.searchParams.set("response_type", "none");
+  url.searchParams.set("client_id", params.clientID);
+  url.searchParams.set("redirect_uri", settingsURL);
+  url.searchParams.set("scope", params.scopes.join(" "));
+  url.searchParams.set("prompt", "none");
+  url.searchParams.set("login_hint", loginHint);
+  return url.toString();
+}
+function generateState() {
+  return randomBytes2(32).toString("base64url");
+}
+function buildAuthorizeURL(oidcConfig, params) {
+  const url = new URL(oidcConfig.authorization_endpoint);
+  url.searchParams.set("response_type", "code");
+  url.searchParams.set("client_id", params.clientID);
+  url.searchParams.set("redirect_uri", params.redirectURI);
+  url.searchParams.set("scope", params.scopes.join(" "));
+  url.searchParams.set("code_challenge", computeCodeChallenge(params.codeVerifier));
+  url.searchParams.set("code_challenge_method", "S256");
+  url.searchParams.set("state", params.state);
+  return url.toString();
+}
+// src/user.ts
+function parseUserInfo(raw) {
+  return {
+    sub: raw["sub"],
+    email: raw["email"],
+    emailVerified: raw["email_verified"],
+    phoneNumber: raw["phone_number"],
+    phoneNumberVerified: raw["phone_number_verified"],
+    preferredUsername: raw["preferred_username"],
+    givenName: raw["given_name"],
+    familyName: raw["family_name"],
+    name: raw["name"],
+    picture: raw["picture"],
+    roles: raw["https://authgear.com/claims/user/roles"],
+    isAnonymous: raw["https://authgear.com/claims/user/is_anonymous"],
+    isVerified: raw["https://authgear.com/claims/user/is_verified"],
+    canReauthenticate: raw["https://authgear.com/claims/user/can_reauthenticate"],
+    customAttributes: raw["custom_attributes"],
+    raw
+  };
+}
+export {
+  generateCodeVerifier,
+  buildOpenURL,
+  generateState,
+  buildAuthorizeURL,
+  parseUserInfo
+};
+//# sourceMappingURL=chunk-PUKK75RO.js.map

package/dist/chunk-PUKK75RO.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"sources":["../src/oauth/authorize.ts","../src/oauth/pkce.ts","../src/user.ts"],"sourcesContent":["import { randomBytes } from \"node:crypto\";\nimport type { OIDCConfiguration } from \"../types.js\";\nimport { computeCodeChallenge } from \"./pkce.js\";\n\n/**\n * Build the URL to open an Authgear page (e.g. /settings) with the user\n * already authenticated via an app session token.\n */\nexport function buildOpenURL(\n oidcConfig: OIDCConfiguration,\n params: {\n clientID: string;\n appSessionToken: string;\n targetPath: string; // e.g. \"/settings\"\n scopes: string[];\n },\n): string {\n const authorizationEndpoint = new URL(oidcConfig.authorization_endpoint);\n const settingsURL = `${authorizationEndpoint.origin}${params.targetPath}`;\n const loginHint = `https://authgear.com/login_hint?type=app_session_token&app_session_token=${encodeURIComponent(params.appSessionToken)}`;\n\n const url = new URL(oidcConfig.authorization_endpoint);\n url.searchParams.set(\"response_type\", \"none\");\n url.searchParams.set(\"client_id\", params.clientID);\n url.searchParams.set(\"redirect_uri\", settingsURL);\n url.searchParams.set(\"scope\", params.scopes.join(\" \"));\n url.searchParams.set(\"prompt\", \"none\");\n url.searchParams.set(\"login_hint\", loginHint);\n return url.toString();\n}\n\nexport interface AuthorizeParams {\n clientID: string;\n redirectURI: string;\n scopes: string[];\n codeVerifier: string;\n state: string;\n}\n\nexport function generateState(): string {\n return randomBytes(32).toString(\"base64url\");\n}\n\nexport function buildAuthorizeURL(\n oidcConfig: OIDCConfiguration,\n params: AuthorizeParams,\n): string {\n const url = new URL(oidcConfig.authorization_endpoint);\n url.searchParams.set(\"response_type\", \"code\");\n url.searchParams.set(\"client_id\", params.clientID);\n url.searchParams.set(\"redirect_uri\", params.redirectURI);\n url.searchParams.set(\"scope\", params.scopes.join(\" \"));\n url.searchParams.set(\"code_challenge\", computeCodeChallenge(params.codeVerifier));\n url.searchParams.set(\"code_challenge_method\", \"S256\");\n url.searchParams.set(\"state\", params.state);\n return url.toString();\n}\n","import { randomBytes, createHash } from \"node:crypto\";\n\nconst VERIFIER_LENGTH = 64;\n\nexport function generateCodeVerifier(): string {\n return randomBytes(VERIFIER_LENGTH)\n .toString(\"base64url\")\n .slice(0, VERIFIER_LENGTH);\n}\n\nexport function computeCodeChallenge(codeVerifier: string): string {\n return createHash(\"sha256\").update(codeVerifier).digest(\"base64url\");\n}\n","import type { UserInfo } from \"./types.js\";\n\nexport function parseUserInfo(raw: Record<string, unknown>): UserInfo {\n return {\n sub: raw[\"sub\"] as string,\n email: raw[\"email\"] as string | undefined,\n emailVerified: raw[\"email_verified\"] as boolean | undefined,\n phoneNumber: raw[\"phone_number\"] as string | undefined,\n phoneNumberVerified: raw[\"phone_number_verified\"] as boolean | undefined,\n preferredUsername: raw[\"preferred_username\"] as string | undefined,\n givenName: raw[\"given_name\"] as string | undefined,\n familyName: raw[\"family_name\"] as string | undefined,\n name: raw[\"name\"] as string | undefined,\n picture: raw[\"picture\"] as string | undefined,\n roles: raw[\"https://authgear.com/claims/user/roles\"] as string[] | undefined,\n isAnonymous: raw[\"https://authgear.com/claims/user/is_anonymous\"] as boolean | undefined,\n isVerified: raw[\"https://authgear.com/claims/user/is_verified\"] as boolean | undefined,\n canReauthenticate: raw[\"https://authgear.com/claims/user/can_reauthenticate\"] as boolean | undefined,\n customAttributes: raw[\"custom_attributes\"] as Record<string, unknown> | undefined,\n raw,\n };\n}\n"],"mappings":";AAAA,SAAS,eAAAA,oBAAmB;;;ACA5B,SAAS,aAAa,kBAAkB;AAExC,IAAM,kBAAkB;AAEjB,SAAS,uBAA+B;AAC7C,SAAO,YAAY,eAAe,EAC/B,SAAS,WAAW,EACpB,MAAM,GAAG,eAAe;AAC7B;AAEO,SAAS,qBAAqB,cAA8B;AACjE,SAAO,WAAW,QAAQ,EAAE,OAAO,YAAY,EAAE,OAAO,WAAW;AACrE;;;ADJO,SAAS,aACd,YACA,QAMQ;AACR,QAAM,wBAAwB,IAAI,IAAI,WAAW,sBAAsB;AACvE,QAAM,cAAc,GAAG,sBAAsB,MAAM,GAAG,OAAO,UAAU;AACvE,QAAM,YAAY,4EAA4E,mBAAmB,OAAO,eAAe,CAAC;AAExI,QAAM,MAAM,IAAI,IAAI,WAAW,sBAAsB;AACrD,MAAI,aAAa,IAAI,iBAAiB,MAAM;AAC5C,MAAI,aAAa,IAAI,aAAa,OAAO,QAAQ;AACjD,MAAI,aAAa,IAAI,gBAAgB,WAAW;AAChD,MAAI,aAAa,IAAI,SAAS,OAAO,OAAO,KAAK,GAAG,CAAC;AACrD,MAAI,aAAa,IAAI,UAAU,MAAM;AACrC,MAAI,aAAa,IAAI,cAAc,SAAS;AAC5C,SAAO,IAAI,SAAS;AACtB;AAUO,SAAS,gBAAwB;AACtC,SAAOC,aAAY,EAAE,EAAE,SAAS,WAAW;AAC7C;AAEO,SAAS,kBACd,YACA,QACQ;AACR,QAAM,MAAM,IAAI,IAAI,WAAW,sBAAsB;AACrD,MAAI,aAAa,IAAI,iBAAiB,MAAM;AAC5C,MAAI,aAAa,IAAI,aAAa,OAAO,QAAQ;AACjD,MAAI,aAAa,IAAI,gBAAgB,OAAO,WAAW;AACvD,MAAI,aAAa,IAAI,SAAS,OAAO,OAAO,KAAK,GAAG,CAAC;AACrD,MAAI,aAAa,IAAI,kBAAkB,qBAAqB,OAAO,YAAY,CAAC;AAChF,MAAI,aAAa,IAAI,yBAAyB,MAAM;AACpD,MAAI,aAAa,IAAI,SAAS,OAAO,KAAK;AAC1C,SAAO,IAAI,SAAS;AACtB;;;AEtDO,SAAS,cAAc,KAAwC;AACpE,SAAO;AAAA,IACL,KAAK,IAAI,KAAK;AAAA,IACd,OAAO,IAAI,OAAO;AAAA,IAClB,eAAe,IAAI,gBAAgB;AAAA,IACnC,aAAa,IAAI,cAAc;AAAA,IAC/B,qBAAqB,IAAI,uBAAuB;AAAA,IAChD,mBAAmB,IAAI,oBAAoB;AAAA,IAC3C,WAAW,IAAI,YAAY;AAAA,IAC3B,YAAY,IAAI,aAAa;AAAA,IAC7B,MAAM,IAAI,MAAM;AAAA,IAChB,SAAS,IAAI,SAAS;AAAA,IACtB,OAAO,IAAI,wCAAwC;AAAA,IACnD,aAAa,IAAI,+CAA+C;AAAA,IAChE,YAAY,IAAI,8CAA8C;AAAA,IAC9D,mBAAmB,IAAI,qDAAqD;AAAA,IAC5E,kBAAkB,IAAI,mBAAmB;AAAA,IACzC;AAAA,EACF;AACF;","names":["randomBytes","randomBytes"]}

package/dist/client.d.ts CHANGED Viewed

@@ -1,7 +1,7 @@
 import * as react_jsx_runtime from 'react/jsx-runtime';
 import { ReactNode, ButtonHTMLAttributes } from 'react';
-import { b as SessionState, U as UserInfo } from './types-Csfra4K2.js';
-export { S as Session } from './types-Csfra4K2.js';
+import { b as SessionState, U as UserInfo } from './types-BUoN9wBp.js';
+export { S as Session } from './types-BUoN9wBp.js';
 interface SignInOptions {
     returnTo?: string;

package/dist/client.js CHANGED Viewed

@@ -1,7 +1,7 @@
 "use client";
 import {
   SessionState
-} from "./chunk-UY6NEM2T.js";
+} from "./chunk-HYKCRZLJ.js";
 // src/components/AuthgearProvider.tsx
 import {

package/dist/index.d.ts CHANGED Viewed

@@ -1,6 +1,6 @@
 import { NextRequest, NextResponse } from 'next/server';
-import { A as AuthgearConfig } from './types-Csfra4K2.js';
-export { D as DEFAULT_SCOPES, J as JWTPayload, O as OIDCConfiguration, P as Page, S as Session, a as SessionData, b as SessionState, T as TokenResponse, U as UserInfo } from './types-Csfra4K2.js';
+import { A as AuthgearConfig } from './types-BUoN9wBp.js';
+export { D as DEFAULT_SCOPES, J as JWTPayload, O as OIDCConfiguration, P as Page, S as Session, a as SessionData, b as SessionState, T as TokenResponse, U as UserInfo } from './types-BUoN9wBp.js';
 /**
  * Creates Next.js route handlers for all Authgear auth endpoints.

package/dist/index.js CHANGED Viewed

@@ -1,6 +1,9 @@
 import {
+  buildAuthorizeURL,
+  generateCodeVerifier,
+  generateState,
   parseUserInfo
-} from "./chunk-3KVYAFQJ.js";
+} from "./chunk-PUKK75RO.js";
 import {
   buildClearCookie,
   buildPKCECookie,
@@ -13,47 +16,18 @@ import {
   refreshAccessToken,
   resolveConfig,
   revokeToken
-} from "./chunk-MJD3XNUK.js";
+} from "./chunk-A3E57VNZ.js";
 import {
   DEFAULT_SCOPES,
   Page,
   SessionState
-} from "./chunk-UY6NEM2T.js";
+} from "./chunk-HYKCRZLJ.js";
 // src/handlers/index.ts
 import { NextResponse as NextResponse6 } from "next/server";
 // src/handlers/login.ts
 import { NextResponse } from "next/server";
-// src/oauth/pkce.ts
-import { randomBytes, createHash } from "crypto";
-var VERIFIER_LENGTH = 64;
-function generateCodeVerifier() {
-  return randomBytes(VERIFIER_LENGTH).toString("base64url").slice(0, VERIFIER_LENGTH);
-}
-function computeCodeChallenge(codeVerifier) {
-  return createHash("sha256").update(codeVerifier).digest("base64url");
-}
-// src/oauth/authorize.ts
-import { randomBytes as randomBytes2 } from "crypto";
-function generateState() {
-  return randomBytes2(32).toString("base64url");
-}
-function buildAuthorizeURL(oidcConfig, params) {
-  const url = new URL(oidcConfig.authorization_endpoint);
-  url.searchParams.set("response_type", "code");
-  url.searchParams.set("client_id", params.clientID);
-  url.searchParams.set("redirect_uri", params.redirectURI);
-  url.searchParams.set("scope", params.scopes.join(" "));
-  url.searchParams.set("code_challenge", computeCodeChallenge(params.codeVerifier));
-  url.searchParams.set("code_challenge_method", "S256");
-  url.searchParams.set("state", params.state);
-  return url.toString();
-}
-// src/handlers/login.ts
 async function handleLogin(request, config) {
   const resolved = resolveConfig(config);
   const oidcConfig = await fetchOIDCConfiguration(resolved.endpoint);
@@ -118,7 +92,6 @@ async function handleCallback(request, config) {
     code,
     codeVerifier: pkceData.codeVerifier,
     clientID: resolved.clientID,
-    clientSecret: resolved.clientSecret || void 0,
     redirectURI: resolved.redirectURI
   });
   const sessionCookie = buildSessionCookie(
@@ -188,8 +161,7 @@ async function handleRefresh(request, config) {
   const oidcConfig = await fetchOIDCConfiguration(resolved.endpoint);
   const tokenResponse = await refreshAccessToken(oidcConfig, {
     refreshToken: session.refreshToken,
-    clientID: resolved.clientID,
-    clientSecret: resolved.clientSecret || void 0
+    clientID: resolved.clientID
   });
   const newSession = {
     accessToken: tokenResponse.access_token,
@@ -225,8 +197,7 @@ async function handleUserInfo(request, config) {
   if (isTokenExpired(session.expiresAt) && session.refreshToken) {
     const tokenResponse = await refreshAccessToken(oidcConfig, {
       refreshToken: session.refreshToken,
-      clientID: resolved.clientID,
-      clientSecret: resolved.clientSecret || void 0
+      clientID: resolved.clientID
     });
     session = {
       accessToken: tokenResponse.access_token,

package/dist/index.js.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"sources":["../src/handlers/index.ts","../src/handlers/login.ts","../src/oauth/pkce.ts","../src/oauth/authorize.ts","../src/handlers/callback.ts","../src/handlers/logout.ts","../src/handlers/refresh.ts","../src/handlers/userinfo.ts"],"sourcesContent":["import { NextResponse, type NextRequest } from \"next/server\";\nimport type { AuthgearConfig } from \"../types.js\";\nimport { handleLogin } from \"./login.js\";\nimport { handleCallback } from \"./callback.js\";\nimport { handleLogout } from \"./logout.js\";\nimport { handleRefresh } from \"./refresh.js\";\nimport { handleUserInfo } from \"./userinfo.js\";\n\n/*\n Creates Next.js route handlers for all Authgear auth endpoints.\n \n Usage in `app/api/auth/[...authgear]/route.ts`:\n * ```ts\n * import { createAuthgearHandlers } from \"@authgear/nextjs\";\n * export const { GET, POST } = createAuthgearHandlers(config);\n * ```\n \n Routes handled:\n * - GET /api/auth/login — Start OAuth flow\n * - GET /api/auth/callback — Handle OAuth callback\n * - GET /api/auth/logout — Logout and revoke tokens\n * - POST /api/auth/refresh — Refresh access token\n * - GET /api/auth/userinfo — Get current user info\n /\nexport function createAuthgearHandlers(config: AuthgearConfig) {\n async function GET(\n request: NextRequest,\n { params }: { params: Promise<{ authgear: string[] }> },\n ): Promise<NextResponse> {\n const { authgear } = await params;\n const action = authgear?.[0];\n\n switch (action) {\n case \"login\":\n return handleLogin(request, config);\n case \"callback\":\n return handleCallback(request, config);\n case \"logout\":\n return handleLogout(request, config);\n case \"userinfo\":\n return handleUserInfo(request, config);\n default:\n return NextResponse.json({ error: \"not_found\" }, { status: 404 });\n }\n }\n\n async function POST(\n request: NextRequest,\n { params }: { params: Promise<{ authgear: string[] }> },\n ): Promise<NextResponse> {\n const { authgear } = await params;\n const action = authgear?.[0];\n\n switch (action) {\n case \"refresh\":\n return handleRefresh(request, config);\n default:\n return NextResponse.json({ error: \"not_found\" }, { status: 404 });\n }\n }\n\n return { GET, POST };\n}\n","import { NextResponse, type NextRequest } from \"next/server\";\nimport type { AuthgearConfig } from \"../types.js\";\nimport { resolveConfig } from \"../config.js\";\nimport { fetchOIDCConfiguration } from \"../oauth/discovery.js\";\nimport { generateCodeVerifier } from \"../oauth/pkce.js\";\nimport { buildAuthorizeURL, generateState } from \"../oauth/authorize.js\";\nimport { buildPKCECookie } from \"../session/cookie.js\";\n\nexport async function handleLogin(\n request: NextRequest,\n config: AuthgearConfig,\n): Promise<NextResponse> {\n const resolved = resolveConfig(config);\n const oidcConfig = await fetchOIDCConfiguration(resolved.endpoint);\n\n const returnTo = request.nextUrl.searchParams.get(\"returnTo\") ?? \"/\";\n const codeVerifier = generateCodeVerifier();\n const state = generateState();\n\n const authorizeURL = buildAuthorizeURL(oidcConfig, {\n clientID: resolved.clientID,\n redirectURI: resolved.redirectURI,\n scopes: resolved.scopes,\n codeVerifier,\n state,\n });\n\n const pkceCookie = buildPKCECookie({ codeVerifier, state, returnTo }, resolved.sessionSecret);\n\n const response = NextResponse.redirect(authorizeURL);\n response.cookies.set(pkceCookie.name, pkceCookie.value, {\n httpOnly: pkceCookie.httpOnly,\n secure: pkceCookie.secure,\n sameSite: pkceCookie.sameSite,\n path: pkceCookie.path,\n maxAge: pkceCookie.maxAge,\n });\n\n return response;\n}\n","import { randomBytes, createHash } from \"node:crypto\";\n\nconst VERIFIER_LENGTH = 64;\n\nexport function generateCodeVerifier(): string {\n return randomBytes(VERIFIER_LENGTH)\n .toString(\"base64url\")\n .slice(0, VERIFIER_LENGTH);\n}\n\nexport function computeCodeChallenge(codeVerifier: string): string {\n return createHash(\"sha256\").update(codeVerifier).digest(\"base64url\");\n}\n","import { randomBytes } from \"node:crypto\";\nimport type { OIDCConfiguration } from \"../types.js\";\nimport { computeCodeChallenge } from \"./pkce.js\";\n\n/\n Build the URL to open an Authgear page (e.g. /settings) with the user\n * already authenticated via an app session token.\n */\nexport function buildOpenURL(\n oidcConfig: OIDCConfiguration,\n params: {\n clientID: string;\n appSessionToken: string;\n targetPath: string; // e.g. \"/settings\"\n },\n): string {\n const authorizationEndpoint = new URL(oidcConfig.authorization_endpoint);\n const settingsURL = `${authorizationEndpoint.origin}${params.targetPath}`;\n const loginHint = `https://authgear.com/login_hint?type=app_session_token&app_session_token=${encodeURIComponent(params.appSessionToken)}`;\n\n const url = new URL(oidcConfig.authorization_endpoint);\n url.searchParams.set(\"response_type\", \"none\");\n url.searchParams.set(\"client_id\", params.clientID);\n url.searchParams.set(\"redirect_uri\", settingsURL);\n url.searchParams.set(\"prompt\", \"none\");\n url.searchParams.set(\"login_hint\", loginHint);\n return url.toString();\n}\n\nexport interface AuthorizeParams {\n clientID: string;\n redirectURI: string;\n scopes: string[];\n codeVerifier: string;\n state: string;\n}\n\nexport function generateState(): string {\n return randomBytes(32).toString(\"base64url\");\n}\n\nexport function buildAuthorizeURL(\n oidcConfig: OIDCConfiguration,\n params: AuthorizeParams,\n): string {\n const url = new URL(oidcConfig.authorization_endpoint);\n url.searchParams.set(\"response_type\", \"code\");\n url.searchParams.set(\"client_id\", params.clientID);\n url.searchParams.set(\"redirect_uri\", params.redirectURI);\n url.searchParams.set(\"scope\", params.scopes.join(\" \"));\n url.searchParams.set(\"code_challenge\", computeCodeChallenge(params.codeVerifier));\n url.searchParams.set(\"code_challenge_method\", \"S256\");\n url.searchParams.set(\"state\", params.state);\n return url.toString();\n}\n","import { NextResponse, type NextRequest } from \"next/server\";\nimport type { AuthgearConfig } from \"../types.js\";\nimport { resolveConfig } from \"../config.js\";\nimport { fetchOIDCConfiguration } from \"../oauth/discovery.js\";\nimport { exchangeCode } from \"../oauth/token.js\";\nimport { decryptPKCECookie, buildSessionCookie } from \"../session/cookie.js\";\n\nexport async function handleCallback(\n request: NextRequest,\n config: AuthgearConfig,\n): Promise<NextResponse> {\n const resolved = resolveConfig(config);\n\n const code = request.nextUrl.searchParams.get(\"code\");\n const state = request.nextUrl.searchParams.get(\"state\");\n const error = request.nextUrl.searchParams.get(\"error\");\n const errorDescription = request.nextUrl.searchParams.get(\"error_description\");\n\n if (error) {\n return NextResponse.json(\n { error, error_description: errorDescription },\n { status: 400 },\n );\n }\n\n if (!code \|\| !state) {\n return NextResponse.json(\n { error: \"missing_params\", error_description: \"Missing code or state parameter\" },\n { status: 400 },\n );\n }\n\n // Validate PKCE state\n const pkceCookieValue = request.cookies.get(\"authgear.pkce\")?.value;\n if (!pkceCookieValue) {\n return NextResponse.json(\n { error: \"invalid_state\", error_description: \"Missing PKCE cookie\" },\n { status: 400 },\n );\n }\n\n const pkceData = decryptPKCECookie(pkceCookieValue, resolved.sessionSecret);\n if (!pkceData \|\| pkceData.state !== state) {\n return NextResponse.json(\n { error: \"invalid_state\", error_description: \"State mismatch\" },\n { status: 400 },\n );\n }\n\n // Exchange code for tokens\n const oidcConfig = await fetchOIDCConfiguration(resolved.endpoint);\n const tokenResponse = await exchangeCode(oidcConfig, {\n code,\n codeVerifier: pkceData.codeVerifier,\n clientID: resolved.clientID,\n clientSecret: resolved.clientSecret \|\| undefined,\n redirectURI: resolved.redirectURI,\n });\n\n // Build session cookie\n const sessionCookie = buildSessionCookie(\n resolved.cookieName,\n {\n accessToken: tokenResponse.access_token,\n refreshToken: tokenResponse.refresh_token ?? null,\n idToken: tokenResponse.id_token ?? null,\n expiresAt: Math.floor(Date.now() / 1000) + tokenResponse.expires_in,\n },\n resolved.sessionSecret,\n );\n\n const returnTo = pkceData.returnTo \|\| \"/\";\n const redirectURL = new URL(returnTo, request.nextUrl.origin);\n const response = NextResponse.redirect(redirectURL);\n\n // Set session cookie\n response.cookies.set(sessionCookie.name, sessionCookie.value, {\n httpOnly: sessionCookie.httpOnly,\n secure: sessionCookie.secure,\n sameSite: sessionCookie.sameSite,\n path: sessionCookie.path,\n maxAge: sessionCookie.maxAge,\n });\n\n // Clear PKCE cookie\n response.cookies.set(\"authgear.pkce\", \"\", { maxAge: 0, path: \"/\" });\n\n return response;\n}\n","import { NextResponse, type NextRequest } from \"next/server\";\nimport type { AuthgearConfig } from \"../types.js\";\nimport { resolveConfig } from \"../config.js\";\nimport { fetchOIDCConfiguration } from \"../oauth/discovery.js\";\nimport { revokeToken } from \"../oauth/token.js\";\nimport { decryptSession, buildClearCookie } from \"../session/cookie.js\";\n\nexport async function handleLogout(\n request: NextRequest,\n config: AuthgearConfig,\n): Promise<NextResponse> {\n const resolved = resolveConfig(config);\n\n // Revoke refresh token if present\n const sessionCookie = request.cookies.get(resolved.cookieName)?.value;\n if (sessionCookie) {\n const session = decryptSession(sessionCookie, resolved.sessionSecret);\n if (session?.refreshToken) {\n const oidcConfig = await fetchOIDCConfiguration(resolved.endpoint);\n try {\n await revokeToken(oidcConfig, session.refreshToken);\n } catch {\n // Best-effort revocation\n }\n }\n }\n\n const clearCookie = buildClearCookie(resolved.cookieName);\n const redirectURL = new URL(resolved.postLogoutRedirectURI, request.nextUrl.origin);\n const response = NextResponse.redirect(redirectURL);\n\n response.cookies.set(clearCookie.name, clearCookie.value, {\n httpOnly: clearCookie.httpOnly,\n secure: clearCookie.secure,\n sameSite: clearCookie.sameSite,\n path: clearCookie.path,\n maxAge: clearCookie.maxAge,\n });\n\n return response;\n}\n","import { NextResponse, type NextRequest } from \"next/server\";\nimport type { AuthgearConfig } from \"../types.js\";\nimport { resolveConfig } from \"../config.js\";\nimport { fetchOIDCConfiguration } from \"../oauth/discovery.js\";\nimport { refreshAccessToken } from \"../oauth/token.js\";\nimport { decryptSession, buildSessionCookie } from \"../session/cookie.js\";\n\nexport async function handleRefresh(\n request: NextRequest,\n config: AuthgearConfig,\n): Promise<NextResponse> {\n const resolved = resolveConfig(config);\n\n const sessionCookieValue = request.cookies.get(resolved.cookieName)?.value;\n if (!sessionCookieValue) {\n return NextResponse.json({ error: \"no_session\" }, { status: 401 });\n }\n\n const session = decryptSession(sessionCookieValue, resolved.sessionSecret);\n if (!session?.refreshToken) {\n return NextResponse.json({ error: \"no_refresh_token\" }, { status: 401 });\n }\n\n const oidcConfig = await fetchOIDCConfiguration(resolved.endpoint);\n const tokenResponse = await refreshAccessToken(oidcConfig, {\n refreshToken: session.refreshToken,\n clientID: resolved.clientID,\n clientSecret: resolved.clientSecret \|\| undefined,\n });\n\n const newSession = {\n accessToken: tokenResponse.access_token,\n refreshToken: tokenResponse.refresh_token ?? session.refreshToken,\n idToken: tokenResponse.id_token ?? session.idToken,\n expiresAt: Math.floor(Date.now() / 1000) + tokenResponse.expires_in,\n };\n\n const sessionCookie = buildSessionCookie(resolved.cookieName, newSession, resolved.sessionSecret);\n const response = NextResponse.json({ ok: true });\n\n response.cookies.set(sessionCookie.name, sessionCookie.value, {\n httpOnly: sessionCookie.httpOnly,\n secure: sessionCookie.secure,\n sameSite: sessionCookie.sameSite,\n path: sessionCookie.path,\n maxAge: sessionCookie.maxAge,\n });\n\n return response;\n}\n","import { NextResponse, type NextRequest } from \"next/server\";\nimport type { AuthgearConfig, UserInfo } from \"../types.js\";\nimport { resolveConfig } from \"../config.js\";\nimport { fetchOIDCConfiguration } from \"../oauth/discovery.js\";\nimport { decryptSession } from \"../session/cookie.js\";\nimport { isTokenExpired } from \"../session/state.js\";\nimport { refreshAccessToken } from \"../oauth/token.js\";\nimport { buildSessionCookie } from \"../session/cookie.js\";\nimport { parseUserInfo } from \"../user.js\";\n\nexport async function handleUserInfo(\n request: NextRequest,\n config: AuthgearConfig,\n): Promise<NextResponse> {\n const resolved = resolveConfig(config);\n\n const sessionCookieValue = request.cookies.get(resolved.cookieName)?.value;\n if (!sessionCookieValue) {\n return NextResponse.json({ error: \"no_session\" }, { status: 401 });\n }\n\n let session = decryptSession(sessionCookieValue, resolved.sessionSecret);\n if (!session) {\n return NextResponse.json({ error: \"invalid_session\" }, { status: 401 });\n }\n\n const oidcConfig = await fetchOIDCConfiguration(resolved.endpoint);\n\n // Auto-refresh if access token is expired\n if (isTokenExpired(session.expiresAt) && session.refreshToken) {\n const tokenResponse = await refreshAccessToken(oidcConfig, {\n refreshToken: session.refreshToken,\n clientID: resolved.clientID,\n clientSecret: resolved.clientSecret \|\| undefined,\n });\n session = {\n accessToken: tokenResponse.access_token,\n refreshToken: tokenResponse.refresh_token ?? session.refreshToken,\n idToken: tokenResponse.id_token ?? session.idToken,\n expiresAt: Math.floor(Date.now() / 1000) + tokenResponse.expires_in,\n };\n }\n\n // Fetch user info from Authgear\n const userinfoRes = await fetch(oidcConfig.userinfo_endpoint, {\n headers: { Authorization: `Bearer ${session.accessToken}` },\n });\n\n if (!userinfoRes.ok) {\n return NextResponse.json({ error: \"userinfo_failed\" }, { status: userinfoRes.status });\n }\n\n const raw = (await userinfoRes.json()) as Record<string, unknown>;\n const userInfo: UserInfo = parseUserInfo(raw);\n\n const response = NextResponse.json(userInfo);\n\n // Update session cookie if tokens were refreshed\n const newCookie = buildSessionCookie(resolved.cookieName, session, resolved.sessionSecret);\n response.cookies.set(newCookie.name, newCookie.value, {\n httpOnly: newCookie.httpOnly,\n secure: newCookie.secure,\n sameSite: newCookie.sameSite,\n path: newCookie.path,\n maxAge: newCookie.maxAge,\n });\n\n return response;\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;;;;;AAAA,SAAS,gBAAAA,qBAAsC;;;ACA/C,SAAS,oBAAsC;;;ACA/C,SAAS,aAAa,kBAAkB;AAExC,IAAM,kBAAkB;AAEjB,SAAS,uBAA+B;AAC7C,SAAO,YAAY,eAAe,EAC/B,SAAS,WAAW,EACpB,MAAM,GAAG,eAAe;AAC7B;AAEO,SAAS,qBAAqB,cAA8B;AACjE,SAAO,WAAW,QAAQ,EAAE,OAAO,YAAY,EAAE,OAAO,WAAW;AACrE;;;ACZA,SAAS,eAAAC,oBAAmB;AAqCrB,SAAS,gBAAwB;AACtC,SAAOC,aAAY,EAAE,EAAE,SAAS,WAAW;AAC7C;AAEO,SAAS,kBACd,YACA,QACQ;AACR,QAAM,MAAM,IAAI,IAAI,WAAW,sBAAsB;AACrD,MAAI,aAAa,IAAI,iBAAiB,MAAM;AAC5C,MAAI,aAAa,IAAI,aAAa,OAAO,QAAQ;AACjD,MAAI,aAAa,IAAI,gBAAgB,OAAO,WAAW;AACvD,MAAI,aAAa,IAAI,SAAS,OAAO,OAAO,KAAK,GAAG,CAAC;AACrD,MAAI,aAAa,IAAI,kBAAkB,qBAAqB,OAAO,YAAY,CAAC;AAChF,MAAI,aAAa,IAAI,yBAAyB,MAAM;AACpD,MAAI,aAAa,IAAI,SAAS,OAAO,KAAK;AAC1C,SAAO,IAAI,SAAS;AACtB;;;AF9CA,eAAsB,YACpB,SACA,QACuB;AACvB,QAAM,WAAW,cAAc,MAAM;AACrC,QAAM,aAAa,MAAM,uBAAuB,SAAS,QAAQ;AAEjE,QAAM,WAAW,QAAQ,QAAQ,aAAa,IAAI,UAAU,KAAK;AACjE,QAAM,eAAe,qBAAqB;AAC1C,QAAM,QAAQ,cAAc;AAE5B,QAAM,eAAe,kBAAkB,YAAY;AAAA,IACjD,UAAU,SAAS;AAAA,IACnB,aAAa,SAAS;AAAA,IACtB,QAAQ,SAAS;AAAA,IACjB;AAAA,IACA;AAAA,EACF,CAAC;AAED,QAAM,aAAa,gBAAgB,EAAE,cAAc,OAAO,SAAS,GAAG,SAAS,aAAa;AAE5F,QAAM,WAAW,aAAa,SAAS,YAAY;AACnD,WAAS,QAAQ,IAAI,WAAW,MAAM,WAAW,OAAO;AAAA,IACtD,UAAU,WAAW;AAAA,IACrB,QAAQ,WAAW;AAAA,IACnB,UAAU,WAAW;AAAA,IACrB,MAAM,WAAW;AAAA,IACjB,QAAQ,WAAW;AAAA,EACrB,CAAC;AAED,SAAO;AACT;;;AGvCA,SAAS,gBAAAC,qBAAsC;AAO/C,eAAsB,eACpB,SACA,QACuB;AACvB,QAAM,WAAW,cAAc,MAAM;AAErC,QAAM,OAAO,QAAQ,QAAQ,aAAa,IAAI,MAAM;AACpD,QAAM,QAAQ,QAAQ,QAAQ,aAAa,IAAI,OAAO;AACtD,QAAM,QAAQ,QAAQ,QAAQ,aAAa,IAAI,OAAO;AACtD,QAAM,mBAAmB,QAAQ,QAAQ,aAAa,IAAI,mBAAmB;AAE7E,MAAI,OAAO;AACT,WAAOC,cAAa;AAAA,MAClB,EAAE,OAAO,mBAAmB,iBAAiB;AAAA,MAC7C,EAAE,QAAQ,IAAI;AAAA,IAChB;AAAA,EACF;AAEA,MAAI,CAAC,QAAQ,CAAC,OAAO;AACnB,WAAOA,cAAa;AAAA,MAClB,EAAE,OAAO,kBAAkB,mBAAmB,kCAAkC;AAAA,MAChF,EAAE,QAAQ,IAAI;AAAA,IAChB;AAAA,EACF;AAGA,QAAM,kBAAkB,QAAQ,QAAQ,IAAI,eAAe,GAAG;AAC9D,MAAI,CAAC,iBAAiB;AACpB,WAAOA,cAAa;AAAA,MAClB,EAAE,OAAO,iBAAiB,mBAAmB,sBAAsB;AAAA,MACnE,EAAE,QAAQ,IAAI;AAAA,IAChB;AAAA,EACF;AAEA,QAAM,WAAW,kBAAkB,iBAAiB,SAAS,aAAa;AAC1E,MAAI,CAAC,YAAY,SAAS,UAAU,OAAO;AACzC,WAAOA,cAAa;AAAA,MAClB,EAAE,OAAO,iBAAiB,mBAAmB,iBAAiB;AAAA,MAC9D,EAAE,QAAQ,IAAI;AAAA,IAChB;AAAA,EACF;AAGA,QAAM,aAAa,MAAM,uBAAuB,SAAS,QAAQ;AACjE,QAAM,gBAAgB,MAAM,aAAa,YAAY;AAAA,IACnD;AAAA,IACA,cAAc,SAAS;AAAA,IACvB,UAAU,SAAS;AAAA,IACnB,cAAc,SAAS,gBAAgB;AAAA,IACvC,aAAa,SAAS;AAAA,EACxB,CAAC;AAGD,QAAM,gBAAgB;AAAA,IACpB,SAAS;AAAA,IACT;AAAA,MACE,aAAa,cAAc;AAAA,MAC3B,cAAc,cAAc,iBAAiB;AAAA,MAC7C,SAAS,cAAc,YAAY;AAAA,MACnC,WAAW,KAAK,MAAM,KAAK,IAAI,IAAI,GAAI,IAAI,cAAc;AAAA,IAC3D;AAAA,IACA,SAAS;AAAA,EACX;AAEA,QAAM,WAAW,SAAS,YAAY;AACtC,QAAM,cAAc,IAAI,IAAI,UAAU,QAAQ,QAAQ,MAAM;AAC5D,QAAM,WAAWA,cAAa,SAAS,WAAW;AAGlD,WAAS,QAAQ,IAAI,cAAc,MAAM,cAAc,OAAO;AAAA,IAC5D,UAAU,cAAc;AAAA,IACxB,QAAQ,cAAc;AAAA,IACtB,UAAU,cAAc;AAAA,IACxB,MAAM,cAAc;AAAA,IACpB,QAAQ,cAAc;AAAA,EACxB,CAAC;AAGD,WAAS,QAAQ,IAAI,iBAAiB,IAAI,EAAE,QAAQ,GAAG,MAAM,IAAI,CAAC;AAElE,SAAO;AACT;;;ACxFA,SAAS,gBAAAC,qBAAsC;AAO/C,eAAsB,aACpB,SACA,QACuB;AACvB,QAAM,WAAW,cAAc,MAAM;AAGrC,QAAM,gBAAgB,QAAQ,QAAQ,IAAI,SAAS,UAAU,GAAG;AAChE,MAAI,eAAe;AACjB,UAAM,UAAU,eAAe,eAAe,SAAS,aAAa;AACpE,QAAI,SAAS,cAAc;AACzB,YAAM,aAAa,MAAM,uBAAuB,SAAS,QAAQ;AACjE,UAAI;AACF,cAAM,YAAY,YAAY,QAAQ,YAAY;AAAA,MACpD,QAAQ;AAAA,MAER;AAAA,IACF;AAAA,EACF;AAEA,QAAM,cAAc,iBAAiB,SAAS,UAAU;AACxD,QAAM,cAAc,IAAI,IAAI,SAAS,uBAAuB,QAAQ,QAAQ,MAAM;AAClF,QAAM,WAAWC,cAAa,SAAS,WAAW;AAElD,WAAS,QAAQ,IAAI,YAAY,MAAM,YAAY,OAAO;AAAA,IACxD,UAAU,YAAY;AAAA,IACtB,QAAQ,YAAY;AAAA,IACpB,UAAU,YAAY;AAAA,IACtB,MAAM,YAAY;AAAA,IAClB,QAAQ,YAAY;AAAA,EACtB,CAAC;AAED,SAAO;AACT;;;ACxCA,SAAS,gBAAAC,qBAAsC;AAO/C,eAAsB,cACpB,SACA,QACuB;AACvB,QAAM,WAAW,cAAc,MAAM;AAErC,QAAM,qBAAqB,QAAQ,QAAQ,IAAI,SAAS,UAAU,GAAG;AACrE,MAAI,CAAC,oBAAoB;AACvB,WAAOC,cAAa,KAAK,EAAE,OAAO,aAAa,GAAG,EAAE,QAAQ,IAAI,CAAC;AAAA,EACnE;AAEA,QAAM,UAAU,eAAe,oBAAoB,SAAS,aAAa;AACzE,MAAI,CAAC,SAAS,cAAc;AAC1B,WAAOA,cAAa,KAAK,EAAE,OAAO,mBAAmB,GAAG,EAAE,QAAQ,IAAI,CAAC;AAAA,EACzE;AAEA,QAAM,aAAa,MAAM,uBAAuB,SAAS,QAAQ;AACjE,QAAM,gBAAgB,MAAM,mBAAmB,YAAY;AAAA,IACzD,cAAc,QAAQ;AAAA,IACtB,UAAU,SAAS;AAAA,IACnB,cAAc,SAAS,gBAAgB;AAAA,EACzC,CAAC;AAED,QAAM,aAAa;AAAA,IACjB,aAAa,cAAc;AAAA,IAC3B,cAAc,cAAc,iBAAiB,QAAQ;AAAA,IACrD,SAAS,cAAc,YAAY,QAAQ;AAAA,IAC3C,WAAW,KAAK,MAAM,KAAK,IAAI,IAAI,GAAI,IAAI,cAAc;AAAA,EAC3D;AAEA,QAAM,gBAAgB,mBAAmB,SAAS,YAAY,YAAY,SAAS,aAAa;AAChG,QAAM,WAAWA,cAAa,KAAK,EAAE,IAAI,KAAK,CAAC;AAE/C,WAAS,QAAQ,IAAI,cAAc,MAAM,cAAc,OAAO;AAAA,IAC5D,UAAU,cAAc;AAAA,IACxB,QAAQ,cAAc;AAAA,IACtB,UAAU,cAAc;AAAA,IACxB,MAAM,cAAc;AAAA,IACpB,QAAQ,cAAc;AAAA,EACxB,CAAC;AAED,SAAO;AACT;;;ACjDA,SAAS,gBAAAC,qBAAsC;AAU/C,eAAsB,eACpB,SACA,QACuB;AACvB,QAAM,WAAW,cAAc,MAAM;AAErC,QAAM,qBAAqB,QAAQ,QAAQ,IAAI,SAAS,UAAU,GAAG;AACrE,MAAI,CAAC,oBAAoB;AACvB,WAAOC,cAAa,KAAK,EAAE,OAAO,aAAa,GAAG,EAAE,QAAQ,IAAI,CAAC;AAAA,EACnE;AAEA,MAAI,UAAU,eAAe,oBAAoB,SAAS,aAAa;AACvE,MAAI,CAAC,SAAS;AACZ,WAAOA,cAAa,KAAK,EAAE,OAAO,kBAAkB,GAAG,EAAE,QAAQ,IAAI,CAAC;AAAA,EACxE;AAEA,QAAM,aAAa,MAAM,uBAAuB,SAAS,QAAQ;AAGjE,MAAI,eAAe,QAAQ,SAAS,KAAK,QAAQ,cAAc;AAC7D,UAAM,gBAAgB,MAAM,mBAAmB,YAAY;AAAA,MACzD,cAAc,QAAQ;AAAA,MACtB,UAAU,SAAS;AAAA,MACnB,cAAc,SAAS,gBAAgB;AAAA,IACzC,CAAC;AACD,cAAU;AAAA,MACR,aAAa,cAAc;AAAA,MAC3B,cAAc,cAAc,iBAAiB,QAAQ;AAAA,MACrD,SAAS,cAAc,YAAY,QAAQ;AAAA,MAC3C,WAAW,KAAK,MAAM,KAAK,IAAI,IAAI,GAAI,IAAI,cAAc;AAAA,IAC3D;AAAA,EACF;AAGA,QAAM,cAAc,MAAM,MAAM,WAAW,mBAAmB;AAAA,IAC5D,SAAS,EAAE,eAAe,UAAU,QAAQ,WAAW,GAAG;AAAA,EAC5D,CAAC;AAED,MAAI,CAAC,YAAY,IAAI;AACnB,WAAOA,cAAa,KAAK,EAAE,OAAO,kBAAkB,GAAG,EAAE,QAAQ,YAAY,OAAO,CAAC;AAAA,EACvF;AAEA,QAAM,MAAO,MAAM,YAAY,KAAK;AACpC,QAAM,WAAqB,cAAc,GAAG;AAE5C,QAAM,WAAWA,cAAa,KAAK,QAAQ;AAG3C,QAAM,YAAY,mBAAmB,SAAS,YAAY,SAAS,SAAS,aAAa;AACzF,WAAS,QAAQ,IAAI,UAAU,MAAM,UAAU,OAAO;AAAA,IACpD,UAAU,UAAU;AAAA,IACpB,QAAQ,UAAU;AAAA,IAClB,UAAU,UAAU;AAAA,IACpB,MAAM,UAAU;AAAA,IAChB,QAAQ,UAAU;AAAA,EACpB,CAAC;AAED,SAAO;AACT;;;AP5CO,SAAS,uBAAuB,QAAwB;AAC7D,iBAAe,IACb,SACA,EAAE,OAAO,GACc;AACvB,UAAM,EAAE,SAAS,IAAI,MAAM;AAC3B,UAAM,SAAS,WAAW,CAAC;AAE3B,YAAQ,QAAQ;AAAA,MACd,KAAK;AACH,eAAO,YAAY,SAAS,MAAM;AAAA,MACpC,KAAK;AACH,eAAO,eAAe,SAAS,MAAM;AAAA,MACvC,KAAK;AACH,eAAO,aAAa,SAAS,MAAM;AAAA,MACrC,KAAK;AACH,eAAO,eAAe,SAAS,MAAM;AAAA,MACvC;AACE,eAAOC,cAAa,KAAK,EAAE,OAAO,YAAY,GAAG,EAAE,QAAQ,IAAI,CAAC;AAAA,IACpE;AAAA,EACF;AAEA,iBAAe,KACb,SACA,EAAE,OAAO,GACc;AACvB,UAAM,EAAE,SAAS,IAAI,MAAM;AAC3B,UAAM,SAAS,WAAW,CAAC;AAE3B,YAAQ,QAAQ;AAAA,MACd,KAAK;AACH,eAAO,cAAc,SAAS,MAAM;AAAA,MACtC;AACE,eAAOA,cAAa,KAAK,EAAE,OAAO,YAAY,GAAG,EAAE,QAAQ,IAAI,CAAC;AAAA,IACpE;AAAA,EACF;AAEA,SAAO,EAAE,KAAK,KAAK;AACrB;","names":["NextResponse","randomBytes","randomBytes","NextResponse","NextResponse","NextResponse","NextResponse","NextResponse","NextResponse","NextResponse","NextResponse","NextResponse"]}
1	+ {"version":3,"sources":["../src/handlers/index.ts","../src/handlers/login.ts","../src/handlers/callback.ts","../src/handlers/logout.ts","../src/handlers/refresh.ts","../src/handlers/userinfo.ts"],"sourcesContent":["import { NextResponse, type NextRequest } from \"next/server\";\nimport type { AuthgearConfig } from \"../types.js\";\nimport { handleLogin } from \"./login.js\";\nimport { handleCallback } from \"./callback.js\";\nimport { handleLogout } from \"./logout.js\";\nimport { handleRefresh } from \"./refresh.js\";\nimport { handleUserInfo } from \"./userinfo.js\";\n\n/*\n Creates Next.js route handlers for all Authgear auth endpoints.\n \n Usage in `app/api/auth/[...authgear]/route.ts`:\n * ```ts\n * import { createAuthgearHandlers } from \"@authgear/nextjs\";\n * export const { GET, POST } = createAuthgearHandlers(config);\n * ```\n \n Routes handled:\n * - GET /api/auth/login — Start OAuth flow\n * - GET /api/auth/callback — Handle OAuth callback\n * - GET /api/auth/logout — Logout and revoke tokens\n * - POST /api/auth/refresh — Refresh access token\n * - GET /api/auth/userinfo — Get current user info\n */\nexport function createAuthgearHandlers(config: AuthgearConfig) {\n async function GET(\n request: NextRequest,\n { params }: { params: Promise<{ authgear: string[] }> },\n ): Promise<NextResponse> {\n const { authgear } = await params;\n const action = authgear?.[0];\n\n switch (action) {\n case \"login\":\n return handleLogin(request, config);\n case \"callback\":\n return handleCallback(request, config);\n case \"logout\":\n return handleLogout(request, config);\n case \"userinfo\":\n return handleUserInfo(request, config);\n default:\n return NextResponse.json({ error: \"not_found\" }, { status: 404 });\n }\n }\n\n async function POST(\n request: NextRequest,\n { params }: { params: Promise<{ authgear: string[] }> },\n ): Promise<NextResponse> {\n const { authgear } = await params;\n const action = authgear?.[0];\n\n switch (action) {\n case \"refresh\":\n return handleRefresh(request, config);\n default:\n return NextResponse.json({ error: \"not_found\" }, { status: 404 });\n }\n }\n\n return { GET, POST };\n}\n","import { NextResponse, type NextRequest } from \"next/server\";\nimport type { AuthgearConfig } from \"../types.js\";\nimport { resolveConfig } from \"../config.js\";\nimport { fetchOIDCConfiguration } from \"../oauth/discovery.js\";\nimport { generateCodeVerifier } from \"../oauth/pkce.js\";\nimport { buildAuthorizeURL, generateState } from \"../oauth/authorize.js\";\nimport { buildPKCECookie } from \"../session/cookie.js\";\n\nexport async function handleLogin(\n request: NextRequest,\n config: AuthgearConfig,\n): Promise<NextResponse> {\n const resolved = resolveConfig(config);\n const oidcConfig = await fetchOIDCConfiguration(resolved.endpoint);\n\n const returnTo = request.nextUrl.searchParams.get(\"returnTo\") ?? \"/\";\n const codeVerifier = generateCodeVerifier();\n const state = generateState();\n\n const authorizeURL = buildAuthorizeURL(oidcConfig, {\n clientID: resolved.clientID,\n redirectURI: resolved.redirectURI,\n scopes: resolved.scopes,\n codeVerifier,\n state,\n });\n\n const pkceCookie = buildPKCECookie({ codeVerifier, state, returnTo }, resolved.sessionSecret);\n\n const response = NextResponse.redirect(authorizeURL);\n response.cookies.set(pkceCookie.name, pkceCookie.value, {\n httpOnly: pkceCookie.httpOnly,\n secure: pkceCookie.secure,\n sameSite: pkceCookie.sameSite,\n path: pkceCookie.path,\n maxAge: pkceCookie.maxAge,\n });\n\n return response;\n}\n","import { NextResponse, type NextRequest } from \"next/server\";\nimport type { AuthgearConfig } from \"../types.js\";\nimport { resolveConfig } from \"../config.js\";\nimport { fetchOIDCConfiguration } from \"../oauth/discovery.js\";\nimport { exchangeCode } from \"../oauth/token.js\";\nimport { decryptPKCECookie, buildSessionCookie } from \"../session/cookie.js\";\n\nexport async function handleCallback(\n request: NextRequest,\n config: AuthgearConfig,\n): Promise<NextResponse> {\n const resolved = resolveConfig(config);\n\n const code = request.nextUrl.searchParams.get(\"code\");\n const state = request.nextUrl.searchParams.get(\"state\");\n const error = request.nextUrl.searchParams.get(\"error\");\n const errorDescription = request.nextUrl.searchParams.get(\"error_description\");\n\n if (error) {\n return NextResponse.json(\n { error, error_description: errorDescription },\n { status: 400 },\n );\n }\n\n if (!code \|\| !state) {\n return NextResponse.json(\n { error: \"missing_params\", error_description: \"Missing code or state parameter\" },\n { status: 400 },\n );\n }\n\n // Validate PKCE state\n const pkceCookieValue = request.cookies.get(\"authgear.pkce\")?.value;\n if (!pkceCookieValue) {\n return NextResponse.json(\n { error: \"invalid_state\", error_description: \"Missing PKCE cookie\" },\n { status: 400 },\n );\n }\n\n const pkceData = decryptPKCECookie(pkceCookieValue, resolved.sessionSecret);\n if (!pkceData \|\| pkceData.state !== state) {\n return NextResponse.json(\n { error: \"invalid_state\", error_description: \"State mismatch\" },\n { status: 400 },\n );\n }\n\n // Exchange code for tokens\n const oidcConfig = await fetchOIDCConfiguration(resolved.endpoint);\n const tokenResponse = await exchangeCode(oidcConfig, {\n code,\n codeVerifier: pkceData.codeVerifier,\n clientID: resolved.clientID,\n redirectURI: resolved.redirectURI,\n });\n\n // Build session cookie\n const sessionCookie = buildSessionCookie(\n resolved.cookieName,\n {\n accessToken: tokenResponse.access_token,\n refreshToken: tokenResponse.refresh_token ?? null,\n idToken: tokenResponse.id_token ?? null,\n expiresAt: Math.floor(Date.now() / 1000) + tokenResponse.expires_in,\n },\n resolved.sessionSecret,\n );\n\n const returnTo = pkceData.returnTo \|\| \"/\";\n const redirectURL = new URL(returnTo, request.nextUrl.origin);\n const response = NextResponse.redirect(redirectURL);\n\n // Set session cookie\n response.cookies.set(sessionCookie.name, sessionCookie.value, {\n httpOnly: sessionCookie.httpOnly,\n secure: sessionCookie.secure,\n sameSite: sessionCookie.sameSite,\n path: sessionCookie.path,\n maxAge: sessionCookie.maxAge,\n });\n\n // Clear PKCE cookie\n response.cookies.set(\"authgear.pkce\", \"\", { maxAge: 0, path: \"/\" });\n\n return response;\n}\n","import { NextResponse, type NextRequest } from \"next/server\";\nimport type { AuthgearConfig } from \"../types.js\";\nimport { resolveConfig } from \"../config.js\";\nimport { fetchOIDCConfiguration } from \"../oauth/discovery.js\";\nimport { revokeToken } from \"../oauth/token.js\";\nimport { decryptSession, buildClearCookie } from \"../session/cookie.js\";\n\nexport async function handleLogout(\n request: NextRequest,\n config: AuthgearConfig,\n): Promise<NextResponse> {\n const resolved = resolveConfig(config);\n\n // Revoke refresh token if present\n const sessionCookie = request.cookies.get(resolved.cookieName)?.value;\n if (sessionCookie) {\n const session = decryptSession(sessionCookie, resolved.sessionSecret);\n if (session?.refreshToken) {\n const oidcConfig = await fetchOIDCConfiguration(resolved.endpoint);\n try {\n await revokeToken(oidcConfig, session.refreshToken);\n } catch {\n // Best-effort revocation\n }\n }\n }\n\n const clearCookie = buildClearCookie(resolved.cookieName);\n const redirectURL = new URL(resolved.postLogoutRedirectURI, request.nextUrl.origin);\n const response = NextResponse.redirect(redirectURL);\n\n response.cookies.set(clearCookie.name, clearCookie.value, {\n httpOnly: clearCookie.httpOnly,\n secure: clearCookie.secure,\n sameSite: clearCookie.sameSite,\n path: clearCookie.path,\n maxAge: clearCookie.maxAge,\n });\n\n return response;\n}\n","import { NextResponse, type NextRequest } from \"next/server\";\nimport type { AuthgearConfig } from \"../types.js\";\nimport { resolveConfig } from \"../config.js\";\nimport { fetchOIDCConfiguration } from \"../oauth/discovery.js\";\nimport { refreshAccessToken } from \"../oauth/token.js\";\nimport { decryptSession, buildSessionCookie } from \"../session/cookie.js\";\n\nexport async function handleRefresh(\n request: NextRequest,\n config: AuthgearConfig,\n): Promise<NextResponse> {\n const resolved = resolveConfig(config);\n\n const sessionCookieValue = request.cookies.get(resolved.cookieName)?.value;\n if (!sessionCookieValue) {\n return NextResponse.json({ error: \"no_session\" }, { status: 401 });\n }\n\n const session = decryptSession(sessionCookieValue, resolved.sessionSecret);\n if (!session?.refreshToken) {\n return NextResponse.json({ error: \"no_refresh_token\" }, { status: 401 });\n }\n\n const oidcConfig = await fetchOIDCConfiguration(resolved.endpoint);\n const tokenResponse = await refreshAccessToken(oidcConfig, {\n refreshToken: session.refreshToken,\n clientID: resolved.clientID,\n });\n\n const newSession = {\n accessToken: tokenResponse.access_token,\n refreshToken: tokenResponse.refresh_token ?? session.refreshToken,\n idToken: tokenResponse.id_token ?? session.idToken,\n expiresAt: Math.floor(Date.now() / 1000) + tokenResponse.expires_in,\n };\n\n const sessionCookie = buildSessionCookie(resolved.cookieName, newSession, resolved.sessionSecret);\n const response = NextResponse.json({ ok: true });\n\n response.cookies.set(sessionCookie.name, sessionCookie.value, {\n httpOnly: sessionCookie.httpOnly,\n secure: sessionCookie.secure,\n sameSite: sessionCookie.sameSite,\n path: sessionCookie.path,\n maxAge: sessionCookie.maxAge,\n });\n\n return response;\n}\n","import { NextResponse, type NextRequest } from \"next/server\";\nimport type { AuthgearConfig, UserInfo } from \"../types.js\";\nimport { resolveConfig } from \"../config.js\";\nimport { fetchOIDCConfiguration } from \"../oauth/discovery.js\";\nimport { decryptSession } from \"../session/cookie.js\";\nimport { isTokenExpired } from \"../session/state.js\";\nimport { refreshAccessToken } from \"../oauth/token.js\";\nimport { buildSessionCookie } from \"../session/cookie.js\";\nimport { parseUserInfo } from \"../user.js\";\n\nexport async function handleUserInfo(\n request: NextRequest,\n config: AuthgearConfig,\n): Promise<NextResponse> {\n const resolved = resolveConfig(config);\n\n const sessionCookieValue = request.cookies.get(resolved.cookieName)?.value;\n if (!sessionCookieValue) {\n return NextResponse.json({ error: \"no_session\" }, { status: 401 });\n }\n\n let session = decryptSession(sessionCookieValue, resolved.sessionSecret);\n if (!session) {\n return NextResponse.json({ error: \"invalid_session\" }, { status: 401 });\n }\n\n const oidcConfig = await fetchOIDCConfiguration(resolved.endpoint);\n\n // Auto-refresh if access token is expired\n if (isTokenExpired(session.expiresAt) && session.refreshToken) {\n const tokenResponse = await refreshAccessToken(oidcConfig, {\n refreshToken: session.refreshToken,\n clientID: resolved.clientID,\n });\n session = {\n accessToken: tokenResponse.access_token,\n refreshToken: tokenResponse.refresh_token ?? session.refreshToken,\n idToken: tokenResponse.id_token ?? session.idToken,\n expiresAt: Math.floor(Date.now() / 1000) + tokenResponse.expires_in,\n };\n }\n\n // Fetch user info from Authgear\n const userinfoRes = await fetch(oidcConfig.userinfo_endpoint, {\n headers: { Authorization: `Bearer ${session.accessToken}` },\n });\n\n if (!userinfoRes.ok) {\n return NextResponse.json({ error: \"userinfo_failed\" }, { status: userinfoRes.status });\n }\n\n const raw = (await userinfoRes.json()) as Record<string, unknown>;\n const userInfo: UserInfo = parseUserInfo(raw);\n\n const response = NextResponse.json(userInfo);\n\n // Update session cookie if tokens were refreshed\n const newCookie = buildSessionCookie(resolved.cookieName, session, resolved.sessionSecret);\n response.cookies.set(newCookie.name, newCookie.value, {\n httpOnly: newCookie.httpOnly,\n secure: newCookie.secure,\n sameSite: newCookie.sameSite,\n path: newCookie.path,\n maxAge: newCookie.maxAge,\n });\n\n return response;\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;AAAA,SAAS,gBAAAA,qBAAsC;;;ACA/C,SAAS,oBAAsC;AAQ/C,eAAsB,YACpB,SACA,QACuB;AACvB,QAAM,WAAW,cAAc,MAAM;AACrC,QAAM,aAAa,MAAM,uBAAuB,SAAS,QAAQ;AAEjE,QAAM,WAAW,QAAQ,QAAQ,aAAa,IAAI,UAAU,KAAK;AACjE,QAAM,eAAe,qBAAqB;AAC1C,QAAM,QAAQ,cAAc;AAE5B,QAAM,eAAe,kBAAkB,YAAY;AAAA,IACjD,UAAU,SAAS;AAAA,IACnB,aAAa,SAAS;AAAA,IACtB,QAAQ,SAAS;AAAA,IACjB;AAAA,IACA;AAAA,EACF,CAAC;AAED,QAAM,aAAa,gBAAgB,EAAE,cAAc,OAAO,SAAS,GAAG,SAAS,aAAa;AAE5F,QAAM,WAAW,aAAa,SAAS,YAAY;AACnD,WAAS,QAAQ,IAAI,WAAW,MAAM,WAAW,OAAO;AAAA,IACtD,UAAU,WAAW;AAAA,IACrB,QAAQ,WAAW;AAAA,IACnB,UAAU,WAAW;AAAA,IACrB,MAAM,WAAW;AAAA,IACjB,QAAQ,WAAW;AAAA,EACrB,CAAC;AAED,SAAO;AACT;;;ACvCA,SAAS,gBAAAC,qBAAsC;AAO/C,eAAsB,eACpB,SACA,QACuB;AACvB,QAAM,WAAW,cAAc,MAAM;AAErC,QAAM,OAAO,QAAQ,QAAQ,aAAa,IAAI,MAAM;AACpD,QAAM,QAAQ,QAAQ,QAAQ,aAAa,IAAI,OAAO;AACtD,QAAM,QAAQ,QAAQ,QAAQ,aAAa,IAAI,OAAO;AACtD,QAAM,mBAAmB,QAAQ,QAAQ,aAAa,IAAI,mBAAmB;AAE7E,MAAI,OAAO;AACT,WAAOC,cAAa;AAAA,MAClB,EAAE,OAAO,mBAAmB,iBAAiB;AAAA,MAC7C,EAAE,QAAQ,IAAI;AAAA,IAChB;AAAA,EACF;AAEA,MAAI,CAAC,QAAQ,CAAC,OAAO;AACnB,WAAOA,cAAa;AAAA,MAClB,EAAE,OAAO,kBAAkB,mBAAmB,kCAAkC;AAAA,MAChF,EAAE,QAAQ,IAAI;AAAA,IAChB;AAAA,EACF;AAGA,QAAM,kBAAkB,QAAQ,QAAQ,IAAI,eAAe,GAAG;AAC9D,MAAI,CAAC,iBAAiB;AACpB,WAAOA,cAAa;AAAA,MAClB,EAAE,OAAO,iBAAiB,mBAAmB,sBAAsB;AAAA,MACnE,EAAE,QAAQ,IAAI;AAAA,IAChB;AAAA,EACF;AAEA,QAAM,WAAW,kBAAkB,iBAAiB,SAAS,aAAa;AAC1E,MAAI,CAAC,YAAY,SAAS,UAAU,OAAO;AACzC,WAAOA,cAAa;AAAA,MAClB,EAAE,OAAO,iBAAiB,mBAAmB,iBAAiB;AAAA,MAC9D,EAAE,QAAQ,IAAI;AAAA,IAChB;AAAA,EACF;AAGA,QAAM,aAAa,MAAM,uBAAuB,SAAS,QAAQ;AACjE,QAAM,gBAAgB,MAAM,aAAa,YAAY;AAAA,IACnD;AAAA,IACA,cAAc,SAAS;AAAA,IACvB,UAAU,SAAS;AAAA,IACnB,aAAa,SAAS;AAAA,EACxB,CAAC;AAGD,QAAM,gBAAgB;AAAA,IACpB,SAAS;AAAA,IACT;AAAA,MACE,aAAa,cAAc;AAAA,MAC3B,cAAc,cAAc,iBAAiB;AAAA,MAC7C,SAAS,cAAc,YAAY;AAAA,MACnC,WAAW,KAAK,MAAM,KAAK,IAAI,IAAI,GAAI,IAAI,cAAc;AAAA,IAC3D;AAAA,IACA,SAAS;AAAA,EACX;AAEA,QAAM,WAAW,SAAS,YAAY;AACtC,QAAM,cAAc,IAAI,IAAI,UAAU,QAAQ,QAAQ,MAAM;AAC5D,QAAM,WAAWA,cAAa,SAAS,WAAW;AAGlD,WAAS,QAAQ,IAAI,cAAc,MAAM,cAAc,OAAO;AAAA,IAC5D,UAAU,cAAc;AAAA,IACxB,QAAQ,cAAc;AAAA,IACtB,UAAU,cAAc;AAAA,IACxB,MAAM,cAAc;AAAA,IACpB,QAAQ,cAAc;AAAA,EACxB,CAAC;AAGD,WAAS,QAAQ,IAAI,iBAAiB,IAAI,EAAE,QAAQ,GAAG,MAAM,IAAI,CAAC;AAElE,SAAO;AACT;;;ACvFA,SAAS,gBAAAC,qBAAsC;AAO/C,eAAsB,aACpB,SACA,QACuB;AACvB,QAAM,WAAW,cAAc,MAAM;AAGrC,QAAM,gBAAgB,QAAQ,QAAQ,IAAI,SAAS,UAAU,GAAG;AAChE,MAAI,eAAe;AACjB,UAAM,UAAU,eAAe,eAAe,SAAS,aAAa;AACpE,QAAI,SAAS,cAAc;AACzB,YAAM,aAAa,MAAM,uBAAuB,SAAS,QAAQ;AACjE,UAAI;AACF,cAAM,YAAY,YAAY,QAAQ,YAAY;AAAA,MACpD,QAAQ;AAAA,MAER;AAAA,IACF;AAAA,EACF;AAEA,QAAM,cAAc,iBAAiB,SAAS,UAAU;AACxD,QAAM,cAAc,IAAI,IAAI,SAAS,uBAAuB,QAAQ,QAAQ,MAAM;AAClF,QAAM,WAAWC,cAAa,SAAS,WAAW;AAElD,WAAS,QAAQ,IAAI,YAAY,MAAM,YAAY,OAAO;AAAA,IACxD,UAAU,YAAY;AAAA,IACtB,QAAQ,YAAY;AAAA,IACpB,UAAU,YAAY;AAAA,IACtB,MAAM,YAAY;AAAA,IAClB,QAAQ,YAAY;AAAA,EACtB,CAAC;AAED,SAAO;AACT;;;ACxCA,SAAS,gBAAAC,qBAAsC;AAO/C,eAAsB,cACpB,SACA,QACuB;AACvB,QAAM,WAAW,cAAc,MAAM;AAErC,QAAM,qBAAqB,QAAQ,QAAQ,IAAI,SAAS,UAAU,GAAG;AACrE,MAAI,CAAC,oBAAoB;AACvB,WAAOC,cAAa,KAAK,EAAE,OAAO,aAAa,GAAG,EAAE,QAAQ,IAAI,CAAC;AAAA,EACnE;AAEA,QAAM,UAAU,eAAe,oBAAoB,SAAS,aAAa;AACzE,MAAI,CAAC,SAAS,cAAc;AAC1B,WAAOA,cAAa,KAAK,EAAE,OAAO,mBAAmB,GAAG,EAAE,QAAQ,IAAI,CAAC;AAAA,EACzE;AAEA,QAAM,aAAa,MAAM,uBAAuB,SAAS,QAAQ;AACjE,QAAM,gBAAgB,MAAM,mBAAmB,YAAY;AAAA,IACzD,cAAc,QAAQ;AAAA,IACtB,UAAU,SAAS;AAAA,EACrB,CAAC;AAED,QAAM,aAAa;AAAA,IACjB,aAAa,cAAc;AAAA,IAC3B,cAAc,cAAc,iBAAiB,QAAQ;AAAA,IACrD,SAAS,cAAc,YAAY,QAAQ;AAAA,IAC3C,WAAW,KAAK,MAAM,KAAK,IAAI,IAAI,GAAI,IAAI,cAAc;AAAA,EAC3D;AAEA,QAAM,gBAAgB,mBAAmB,SAAS,YAAY,YAAY,SAAS,aAAa;AAChG,QAAM,WAAWA,cAAa,KAAK,EAAE,IAAI,KAAK,CAAC;AAE/C,WAAS,QAAQ,IAAI,cAAc,MAAM,cAAc,OAAO;AAAA,IAC5D,UAAU,cAAc;AAAA,IACxB,QAAQ,cAAc;AAAA,IACtB,UAAU,cAAc;AAAA,IACxB,MAAM,cAAc;AAAA,IACpB,QAAQ,cAAc;AAAA,EACxB,CAAC;AAED,SAAO;AACT;;;AChDA,SAAS,gBAAAC,qBAAsC;AAU/C,eAAsB,eACpB,SACA,QACuB;AACvB,QAAM,WAAW,cAAc,MAAM;AAErC,QAAM,qBAAqB,QAAQ,QAAQ,IAAI,SAAS,UAAU,GAAG;AACrE,MAAI,CAAC,oBAAoB;AACvB,WAAOC,cAAa,KAAK,EAAE,OAAO,aAAa,GAAG,EAAE,QAAQ,IAAI,CAAC;AAAA,EACnE;AAEA,MAAI,UAAU,eAAe,oBAAoB,SAAS,aAAa;AACvE,MAAI,CAAC,SAAS;AACZ,WAAOA,cAAa,KAAK,EAAE,OAAO,kBAAkB,GAAG,EAAE,QAAQ,IAAI,CAAC;AAAA,EACxE;AAEA,QAAM,aAAa,MAAM,uBAAuB,SAAS,QAAQ;AAGjE,MAAI,eAAe,QAAQ,SAAS,KAAK,QAAQ,cAAc;AAC7D,UAAM,gBAAgB,MAAM,mBAAmB,YAAY;AAAA,MACzD,cAAc,QAAQ;AAAA,MACtB,UAAU,SAAS;AAAA,IACrB,CAAC;AACD,cAAU;AAAA,MACR,aAAa,cAAc;AAAA,MAC3B,cAAc,cAAc,iBAAiB,QAAQ;AAAA,MACrD,SAAS,cAAc,YAAY,QAAQ;AAAA,MAC3C,WAAW,KAAK,MAAM,KAAK,IAAI,IAAI,GAAI,IAAI,cAAc;AAAA,IAC3D;AAAA,EACF;AAGA,QAAM,cAAc,MAAM,MAAM,WAAW,mBAAmB;AAAA,IAC5D,SAAS,EAAE,eAAe,UAAU,QAAQ,WAAW,GAAG;AAAA,EAC5D,CAAC;AAED,MAAI,CAAC,YAAY,IAAI;AACnB,WAAOA,cAAa,KAAK,EAAE,OAAO,kBAAkB,GAAG,EAAE,QAAQ,YAAY,OAAO,CAAC;AAAA,EACvF;AAEA,QAAM,MAAO,MAAM,YAAY,KAAK;AACpC,QAAM,WAAqB,cAAc,GAAG;AAE5C,QAAM,WAAWA,cAAa,KAAK,QAAQ;AAG3C,QAAM,YAAY,mBAAmB,SAAS,YAAY,SAAS,SAAS,aAAa;AACzF,WAAS,QAAQ,IAAI,UAAU,MAAM,UAAU,OAAO;AAAA,IACpD,UAAU,UAAU;AAAA,IACpB,QAAQ,UAAU;AAAA,IAClB,UAAU,UAAU;AAAA,IACpB,MAAM,UAAU;AAAA,IAChB,QAAQ,UAAU;AAAA,EACpB,CAAC;AAED,SAAO;AACT;;;AL3CO,SAAS,uBAAuB,QAAwB;AAC7D,iBAAe,IACb,SACA,EAAE,OAAO,GACc;AACvB,UAAM,EAAE,SAAS,IAAI,MAAM;AAC3B,UAAM,SAAS,WAAW,CAAC;AAE3B,YAAQ,QAAQ;AAAA,MACd,KAAK;AACH,eAAO,YAAY,SAAS,MAAM;AAAA,MACpC,KAAK;AACH,eAAO,eAAe,SAAS,MAAM;AAAA,MACvC,KAAK;AACH,eAAO,aAAa,SAAS,MAAM;AAAA,MACrC,KAAK;AACH,eAAO,eAAe,SAAS,MAAM;AAAA,MACvC;AACE,eAAOC,cAAa,KAAK,EAAE,OAAO,YAAY,GAAG,EAAE,QAAQ,IAAI,CAAC;AAAA,IACpE;AAAA,EACF;AAEA,iBAAe,KACb,SACA,EAAE,OAAO,GACc;AACvB,UAAM,EAAE,SAAS,IAAI,MAAM;AAC3B,UAAM,SAAS,WAAW,CAAC;AAE3B,YAAQ,QAAQ;AAAA,MACd,KAAK;AACH,eAAO,cAAc,SAAS,MAAM;AAAA,MACtC;AACE,eAAOA,cAAa,KAAK,EAAE,OAAO,YAAY,GAAG,EAAE,QAAQ,IAAI,CAAC;AAAA,IACpE;AAAA,EACF;AAEA,SAAO,EAAE,KAAK,KAAK;AACrB;","names":["NextResponse","NextResponse","NextResponse","NextResponse","NextResponse","NextResponse","NextResponse","NextResponse","NextResponse","NextResponse"]}

package/dist/proxy.d.ts CHANGED Viewed

@@ -1,5 +1,5 @@
 import { NextRequest, NextResponse } from 'next/server';
-import { A as AuthgearConfig } from './types-Csfra4K2.js';
+import { A as AuthgearConfig } from './types-BUoN9wBp.js';
 interface AuthgearProxyOptions extends AuthgearConfig {
     /**

package/dist/proxy.js CHANGED Viewed

@@ -5,8 +5,8 @@ import {
   isTokenExpired,
   refreshAccessToken,
   resolveConfig
-} from "./chunk-MJD3XNUK.js";
-import "./chunk-UY6NEM2T.js";
+} from "./chunk-A3E57VNZ.js";
+import "./chunk-HYKCRZLJ.js";
 // src/proxy.ts
 import { NextResponse } from "next/server";
@@ -35,8 +35,7 @@ function createAuthgearProxy(options) {
         const oidcConfig = await fetchOIDCConfiguration(resolved.endpoint);
         const tokenResponse = await refreshAccessToken(oidcConfig, {
           refreshToken: sessionData.refreshToken,
-          clientID: resolved.clientID,
-          clientSecret: resolved.clientSecret || void 0
+          clientID: resolved.clientID
         });
         sessionData = {
           accessToken: tokenResponse.access_token,
@@ -55,8 +54,6 @@ function createAuthgearProxy(options) {
     }
     const response = NextResponse.next();
     if (sessionData) {
-      const requestHeaders = new Headers(request.headers);
-      requestHeaders.set("Authorization", `Bearer ${sessionData.accessToken}`);
       const newCookie = buildSessionCookie(resolved.cookieName, sessionData, resolved.sessionSecret);
       response.cookies.set(newCookie.name, newCookie.value, {
         httpOnly: newCookie.httpOnly,
@@ -65,6 +62,8 @@ function createAuthgearProxy(options) {
         path: newCookie.path,
         maxAge: newCookie.maxAge
       });
+    } else if (sessionCookieValue) {
+      response.cookies.set(resolved.cookieName, "", { maxAge: 0, path: "/" });
     }
     return response;
   };

package/dist/proxy.js.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"sources":["../src/proxy.ts"],"sourcesContent":["import { NextResponse, type NextRequest } from \"next/server\";\nimport type { AuthgearConfig } from \"./types.js\";\nimport { resolveConfig } from \"./config.js\";\nimport { decryptSession, buildSessionCookie } from \"./session/cookie.js\";\nimport { isTokenExpired } from \"./session/state.js\";\nimport { fetchOIDCConfiguration } from \"./oauth/discovery.js\";\nimport { refreshAccessToken } from \"./oauth/token.js\";\n\nexport interface AuthgearProxyOptions extends AuthgearConfig {\n /*\n Paths that require authentication. Unauthenticated requests are redirected to login.\n * Supports exact paths and prefix patterns ending with `` (e.g. \"/dashboard/\").\n /\n protectedPaths?: string[];\n\n /\n Paths that are always public (never redirected to login).\n * Takes precedence over protectedPaths.\n * Defaults to [\"/api/auth/\"].\n /\n publicPaths?: string[];\n\n /*\n URL to redirect unauthenticated users. Defaults to \"/api/auth/login\".\n /\n loginPath?: string;\n}\n\nfunction matchesPath(pathname: string, patterns: string[]): boolean {\n return patterns.some((pattern) => {\n if (pattern.endsWith(\"\")) {\n return pathname.startsWith(pattern.slice(0, -1));\n }\n return pathname === pattern;\n });\n}\n\n/*\n Create a Next.js 16 proxy function for Authgear authentication.\n \n Usage in `proxy.ts`:\n * ```ts\n * import { createAuthgearProxy } from \"@authgear/nextjs/proxy\";\n * export const proxy = createAuthgearProxy({ ...config, protectedPaths: [\"/dashboard/\"] });\n ```\n /\nexport function createAuthgearProxy(options: AuthgearProxyOptions) {\n const resolved = resolveConfig(options);\n const protectedPaths = options.protectedPaths ?? [];\n const publicPaths = options.publicPaths ?? [\"/api/auth/\"];\n const loginPath = options.loginPath ?? \"/api/auth/login\";\n\n return async function proxy(request: NextRequest): Promise<NextResponse> {\n const { pathname } = request.nextUrl;\n\n // Always allow public paths\n if (matchesPath(pathname, publicPaths)) {\n return NextResponse.next();\n }\n\n const sessionCookieValue = request.cookies.get(resolved.cookieName)?.value;\n let sessionData = sessionCookieValue\n ? decryptSession(sessionCookieValue, resolved.sessionSecret)\n : null;\n\n // Try to refresh expired token\n if (sessionData && isTokenExpired(sessionData.expiresAt) && sessionData.refreshToken) {\n try {\n const oidcConfig = await fetchOIDCConfiguration(resolved.endpoint);\n const tokenResponse = await refreshAccessToken(oidcConfig, {\n refreshToken: sessionData.refreshToken,\n clientID: resolved.clientID,\n ~~clientSecret: resolved.clientSecret \|\| undefined,\n~~ });\n sessionData = {\n accessToken: tokenResponse.access_token,\n refreshToken: tokenResponse.refresh_token ?? sessionData.refreshToken,\n idToken: tokenResponse.id_token ?? sessionData.idToken,\n expiresAt: Math.floor(Date.now() / 1000) + tokenResponse.expires_in,\n };\n } catch {\n sessionData = null;\n }\n }\n\n // Redirect unauthenticated requests on protected paths\n if (!sessionData && matchesPath(pathname, protectedPaths)) {\n const loginURL = new URL(loginPath, request.nextUrl.origin);\n loginURL.searchParams.set(\"returnTo\", pathname);\n return NextResponse.redirect(loginURL);\n }\n\n const response = NextResponse.next();\n\n ~~// Inject Authorization header for authenticated requests\n~~ if (sessionData) {\n ~~const~~ ~~requestHeaders~~ = ~~new~~ ~~Headers~~(~~request.headers);\n requestHeaders.set(\"Authorization\",~~ ~~`Bearer~~ ~~${sessionData.accessToken}`);\n\n //~~ ~~Update~~ ~~session cookie~~ if ~~token~~ ~~was~~ ~~refreshed~~\n const newCookie = buildSessionCookie(resolved.cookieName, sessionData, resolved.sessionSecret);\n response.cookies.set(newCookie.name, newCookie.value, {\n httpOnly: newCookie.httpOnly,\n secure: newCookie.secure,\n sameSite: newCookie.sameSite,\n path: newCookie.path,\n maxAge: newCookie.maxAge,\n });\n }\n\n return response;\n };\n}\n"],"mappings":";;;;;;;;;;;AAAA,SAAS,oBAAsC;AA4B/C,SAAS,YAAY,UAAkB,UAA6B;AAClE,SAAO,SAAS,KAAK,CAAC,YAAY;AAChC,QAAI,QAAQ,SAAS,GAAG,GAAG;AACzB,aAAO,SAAS,WAAW,QAAQ,MAAM,GAAG,EAAE,CAAC;AAAA,IACjD;AACA,WAAO,aAAa;AAAA,EACtB,CAAC;AACH;AAWO,SAAS,oBAAoB,SAA+B;AACjE,QAAM,WAAW,cAAc,OAAO;AACtC,QAAM,iBAAiB,QAAQ,kBAAkB,CAAC;AAClD,QAAM,cAAc,QAAQ,eAAe,CAAC,aAAa;AACzD,QAAM,YAAY,QAAQ,aAAa;AAEvC,SAAO,eAAe,MAAM,SAA6C;AACvE,UAAM,EAAE,SAAS,IAAI,QAAQ;AAG7B,QAAI,YAAY,UAAU,WAAW,GAAG;AACtC,aAAO,aAAa,KAAK;AAAA,IAC3B;AAEA,UAAM,qBAAqB,QAAQ,QAAQ,IAAI,SAAS,UAAU,GAAG;AACrE,QAAI,cAAc,qBACd,eAAe,oBAAoB,SAAS,aAAa,IACzD;AAGJ,QAAI,eAAe,eAAe,YAAY,SAAS,KAAK,YAAY,cAAc;AACpF,UAAI;AACF,cAAM,aAAa,MAAM,uBAAuB,SAAS,QAAQ;AACjE,cAAM,gBAAgB,MAAM,mBAAmB,YAAY;AAAA,UACzD,cAAc,YAAY;AAAA,UAC1B,UAAU,SAAS;AAAA,~~UACnB~~,~~cAAc,SAAS,gBAAgB;AAAA,QACzC,~~CAAC;AACD,sBAAc;AAAA,UACZ,aAAa,cAAc;AAAA,UAC3B,cAAc,cAAc,iBAAiB,YAAY;AAAA,UACzD,SAAS,cAAc,YAAY,YAAY;AAAA,UAC/C,WAAW,KAAK,MAAM,KAAK,IAAI,IAAI,GAAI,IAAI,cAAc;AAAA,QAC3D;AAAA,MACF,QAAQ;AACN,sBAAc;AAAA,MAChB;AAAA,IACF;AAGA,QAAI,CAAC,eAAe,YAAY,UAAU,cAAc,GAAG;AACzD,YAAM,WAAW,IAAI,IAAI,WAAW,QAAQ,QAAQ,MAAM;AAC1D,eAAS,aAAa,IAAI,YAAY,QAAQ;AAC9C,aAAO,aAAa,SAAS,QAAQ;AAAA,IACvC;AAEA,UAAM,WAAW,aAAa,KAAK;~~AAGnC~~,QAAI,aAAa;~~AACf~~,YAAM,~~iBAAiB,IAAI,QAAQ,QAAQ,OAAO;AAClD,qBAAe,IAAI,iBAAiB,UAAU,~~YAAY,~~WAAW,EAAE;AAGvE,YAAM,YAAY,~~mBAAmB,SAAS,YAAY,aAAa,SAAS,aAAa;AAC7F,eAAS,QAAQ,IAAI,UAAU,MAAM,UAAU,OAAO;AAAA,QACpD,UAAU,UAAU;AAAA,QACpB,QAAQ,UAAU;AAAA,QAClB,UAAU,UAAU;AAAA,QACpB,MAAM,UAAU;AAAA,QAChB,QAAQ,UAAU;AAAA,MACpB,CAAC;AAAA,IACH;AAEA,WAAO;AAAA,EACT;AACF;","names":[]}
1	+ {"version":3,"sources":["../src/proxy.ts"],"sourcesContent":["import { NextResponse, type NextRequest } from \"next/server\";\nimport type { AuthgearConfig } from \"./types.js\";\nimport { resolveConfig } from \"./config.js\";\nimport { decryptSession, buildSessionCookie } from \"./session/cookie.js\";\nimport { isTokenExpired } from \"./session/state.js\";\nimport { fetchOIDCConfiguration } from \"./oauth/discovery.js\";\nimport { refreshAccessToken } from \"./oauth/token.js\";\n\nexport interface AuthgearProxyOptions extends AuthgearConfig {\n /*\n Paths that require authentication. Unauthenticated requests are redirected to login.\n * Supports exact paths and prefix patterns ending with `` (e.g. \"/dashboard/\").\n /\n protectedPaths?: string[];\n\n /\n Paths that are always public (never redirected to login).\n * Takes precedence over protectedPaths.\n * Defaults to [\"/api/auth/\"].\n /\n publicPaths?: string[];\n\n /*\n URL to redirect unauthenticated users. Defaults to \"/api/auth/login\".\n /\n loginPath?: string;\n}\n\nfunction matchesPath(pathname: string, patterns: string[]): boolean {\n return patterns.some((pattern) => {\n if (pattern.endsWith(\"\")) {\n return pathname.startsWith(pattern.slice(0, -1));\n }\n return pathname === pattern;\n });\n}\n\n/*\n Create a Next.js 16 proxy function for Authgear authentication.\n \n Usage in `proxy.ts`:\n * ```ts\n * import { createAuthgearProxy } from \"@authgear/nextjs/proxy\";\n * export const proxy = createAuthgearProxy({ ...config, protectedPaths: [\"/dashboard/\"] });\n ```\n /\nexport function createAuthgearProxy(options: AuthgearProxyOptions) {\n const resolved = resolveConfig(options);\n const protectedPaths = options.protectedPaths ?? [];\n const publicPaths = options.publicPaths ?? [\"/api/auth/\"];\n const loginPath = options.loginPath ?? \"/api/auth/login\";\n\n return async function proxy(request: NextRequest): Promise<NextResponse> {\n const { pathname } = request.nextUrl;\n\n // Always allow public paths\n if (matchesPath(pathname, publicPaths)) {\n return NextResponse.next();\n }\n\n const sessionCookieValue = request.cookies.get(resolved.cookieName)?.value;\n let sessionData = sessionCookieValue\n ? decryptSession(sessionCookieValue, resolved.sessionSecret)\n : null;\n\n // Try to refresh expired token\n if (sessionData && isTokenExpired(sessionData.expiresAt) && sessionData.refreshToken) {\n try {\n const oidcConfig = await fetchOIDCConfiguration(resolved.endpoint);\n const tokenResponse = await refreshAccessToken(oidcConfig, {\n refreshToken: sessionData.refreshToken,\n clientID: resolved.clientID,\n });\n sessionData = {\n accessToken: tokenResponse.access_token,\n refreshToken: tokenResponse.refresh_token ?? sessionData.refreshToken,\n idToken: tokenResponse.id_token ?? sessionData.idToken,\n expiresAt: Math.floor(Date.now() / 1000) + tokenResponse.expires_in,\n };\n } catch {\n sessionData = null;\n }\n }\n\n // Redirect unauthenticated requests on protected paths\n if (!sessionData && matchesPath(pathname, protectedPaths)) {\n const loginURL = new URL(loginPath, request.nextUrl.origin);\n loginURL.searchParams.set(\"returnTo\", pathname);\n return NextResponse.redirect(loginURL);\n }\n\n const response = NextResponse.next();\n\n if (sessionData) {\n // Update session cookie (captures rotated refresh token if server rotated it)\n const newCookie = buildSessionCookie(resolved.cookieName, sessionData, resolved.sessionSecret);\n response.cookies.set(newCookie.name, newCookie.value, {\n httpOnly: newCookie.httpOnly,\n secure: newCookie.secure,\n sameSite: newCookie.sameSite,\n path: newCookie.path,\n maxAge: newCookie.maxAge,\n });\n } else if (sessionCookieValue) {\n // Refresh failed — clear the stale cookie so Server Components don't see a broken session\n response.cookies.set(resolved.cookieName, \"\", { maxAge: 0, path: \"/\" });\n }\n\n return response;\n };\n}\n"],"mappings":";;;;;;;;;;;AAAA,SAAS,oBAAsC;AA4B/C,SAAS,YAAY,UAAkB,UAA6B;AAClE,SAAO,SAAS,KAAK,CAAC,YAAY;AAChC,QAAI,QAAQ,SAAS,GAAG,GAAG;AACzB,aAAO,SAAS,WAAW,QAAQ,MAAM,GAAG,EAAE,CAAC;AAAA,IACjD;AACA,WAAO,aAAa;AAAA,EACtB,CAAC;AACH;AAWO,SAAS,oBAAoB,SAA+B;AACjE,QAAM,WAAW,cAAc,OAAO;AACtC,QAAM,iBAAiB,QAAQ,kBAAkB,CAAC;AAClD,QAAM,cAAc,QAAQ,eAAe,CAAC,aAAa;AACzD,QAAM,YAAY,QAAQ,aAAa;AAEvC,SAAO,eAAe,MAAM,SAA6C;AACvE,UAAM,EAAE,SAAS,IAAI,QAAQ;AAG7B,QAAI,YAAY,UAAU,WAAW,GAAG;AACtC,aAAO,aAAa,KAAK;AAAA,IAC3B;AAEA,UAAM,qBAAqB,QAAQ,QAAQ,IAAI,SAAS,UAAU,GAAG;AACrE,QAAI,cAAc,qBACd,eAAe,oBAAoB,SAAS,aAAa,IACzD;AAGJ,QAAI,eAAe,eAAe,YAAY,SAAS,KAAK,YAAY,cAAc;AACpF,UAAI;AACF,cAAM,aAAa,MAAM,uBAAuB,SAAS,QAAQ;AACjE,cAAM,gBAAgB,MAAM,mBAAmB,YAAY;AAAA,UACzD,cAAc,YAAY;AAAA,UAC1B,UAAU,SAAS;AAAA,QACrB,CAAC;AACD,sBAAc;AAAA,UACZ,aAAa,cAAc;AAAA,UAC3B,cAAc,cAAc,iBAAiB,YAAY;AAAA,UACzD,SAAS,cAAc,YAAY,YAAY;AAAA,UAC/C,WAAW,KAAK,MAAM,KAAK,IAAI,IAAI,GAAI,IAAI,cAAc;AAAA,QAC3D;AAAA,MACF,QAAQ;AACN,sBAAc;AAAA,MAChB;AAAA,IACF;AAGA,QAAI,CAAC,eAAe,YAAY,UAAU,cAAc,GAAG;AACzD,YAAM,WAAW,IAAI,IAAI,WAAW,QAAQ,QAAQ,MAAM;AAC1D,eAAS,aAAa,IAAI,YAAY,QAAQ;AAC9C,aAAO,aAAa,SAAS,QAAQ;AAAA,IACvC;AAEA,UAAM,WAAW,aAAa,KAAK;AAEnC,QAAI,aAAa;AAEf,YAAM,YAAY,mBAAmB,SAAS,YAAY,aAAa,SAAS,aAAa;AAC7F,eAAS,QAAQ,IAAI,UAAU,MAAM,UAAU,OAAO;AAAA,QACpD,UAAU,UAAU;AAAA,QACpB,QAAQ,UAAU;AAAA,QAClB,UAAU,UAAU;AAAA,QACpB,MAAM,UAAU;AAAA,QAChB,QAAQ,UAAU;AAAA,MACpB,CAAC;AAAA,IACH,WAAW,oBAAoB;AAE7B,eAAS,QAAQ,IAAI,SAAS,YAAY,IAAI,EAAE,QAAQ,GAAG,MAAM,IAAI,CAAC;AAAA,IACxE;AAEA,WAAO;AAAA,EACT;AACF;","names":[]}

package/dist/server.d.ts CHANGED Viewed

@@ -1,14 +1,18 @@
-import { A as AuthgearConfig, S as Session, U as UserInfo, J as JWTPayload } from './types-Csfra4K2.js';
-export { P as Page, b as SessionState } from './types-Csfra4K2.js';
+import { A as AuthgearConfig, S as Session, U as UserInfo, P as Page, J as JWTPayload } from './types-BUoN9wBp.js';
+export { b as SessionState } from './types-BUoN9wBp.js';
 /**
- * Read the current session in a Server Component or Route Handler.
- * Automatically refreshes the access token if expired.
+ * Read the current session in a Server Component, Route Handler, or Server Action.
+ * Automatically refreshes the access token if expired, so `session.accessToken` is
+ * always valid when the session state is `Authenticated`. Use this when you need a
+ * fresh access token to call a downstream API (e.g. inside a Server Action).
  */
 declare function auth(config: AuthgearConfig): Promise<Session>;
 /**
  * Get the current user in a Server Component or Route Handler.
- * Returns null if not authenticated.
+ * Automatically refreshes the access token if expired, including persisting a
+ * rotated refresh token when the Authgear project has refresh token rotation enabled.
+ * Returns null if not authenticated or if the session cannot be refreshed.
  */
 declare function currentUser(config: AuthgearConfig): Promise<UserInfo | null>;
 /**
@@ -18,5 +22,32 @@ declare function currentUser(config: AuthgearConfig): Promise<UserInfo | null>;
  * @throws {Error} If the token is invalid, expired, or has wrong issuer/audience
  */
 declare function verifyAccessToken(token: string, config: AuthgearConfig): Promise<JWTPayload>;
+/**
+ * Get a URL that opens an Authgear page (e.g. `/settings`) with the current
+ * user already authenticated — no re-login required.
+ *
+ * Exchanges the user's refresh token for a short-lived `app_session_token`
+ * via `POST /oauth2/app_session_token`, then builds an authorization URL
+ * that uses that token as a `login_hint` so Authgear can authenticate the
+ * user silently.
+ *
+ * @param page - A `Page` enum value (e.g. `Page.Settings`) or an arbitrary path string.
+ * @param config - The Authgear SDK config.
+ * @returns A URL string. Open it in a new tab (`window.open(url, "_blank")`).
+ * @throws {Error} If the user is not authenticated or has no refresh token.
+ *
+ * @example
+ * ```ts
+ * // Server Action
+ * "use server";
+ * import { getOpenURL, Page } from "@authgear/nextjs/server";
+ * import { authgearConfig } from "@/lib/authgear";
+ *
+ * export async function getSettingsURLAction() {
+ *   return getOpenURL(Page.Settings, authgearConfig);
+ * }
+ * ```
+ */
+declare function getOpenURL(page: Page | string, config: AuthgearConfig): Promise<string>;
-export { JWTPayload, Session, UserInfo, auth, currentUser, verifyAccessToken };
+export { JWTPayload, Page, Session, UserInfo, auth, currentUser, getOpenURL, verifyAccessToken };

package/dist/server.js CHANGED Viewed

@@ -1,18 +1,21 @@
 import {
+  buildOpenURL,
   parseUserInfo
-} from "./chunk-3KVYAFQJ.js";
+} from "./chunk-PUKK75RO.js";
 import {
+  buildSessionCookie,
   decryptSession,
   deriveSessionState,
   fetchOIDCConfiguration,
+  getAppSessionToken,
   isTokenExpired,
   refreshAccessToken,
   resolveConfig
-} from "./chunk-MJD3XNUK.js";
+} from "./chunk-A3E57VNZ.js";
 import {
   Page,
   SessionState
-} from "./chunk-UY6NEM2T.js";
+} from "./chunk-HYKCRZLJ.js";
 // src/server.ts
 import "server-only";
@@ -50,7 +53,35 @@ async function auth(config) {
   const resolved = resolveConfig(config);
   const cookieStore = await cookies();
   const sessionCookieValue = cookieStore.get(resolved.cookieName)?.value;
-  const sessionData = sessionCookieValue ? decryptSession(sessionCookieValue, resolved.sessionSecret) : null;
+  let sessionData = sessionCookieValue ? decryptSession(sessionCookieValue, resolved.sessionSecret) : null;
+  if (sessionData && isTokenExpired(sessionData.expiresAt) && sessionData.refreshToken) {
+    try {
+      const oidcConfig = await fetchOIDCConfiguration(resolved.endpoint);
+      const tokenResponse = await refreshAccessToken(oidcConfig, {
+        refreshToken: sessionData.refreshToken,
+        clientID: resolved.clientID
+      });
+      sessionData = {
+        accessToken: tokenResponse.access_token,
+        refreshToken: tokenResponse.refresh_token ?? sessionData.refreshToken,
+        idToken: tokenResponse.id_token ?? sessionData.idToken,
+        expiresAt: Math.floor(Date.now() / 1e3) + tokenResponse.expires_in
+      };
+      try {
+        const newCookie = buildSessionCookie(resolved.cookieName, sessionData, resolved.sessionSecret);
+        cookieStore.set(newCookie.name, newCookie.value, {
+          httpOnly: newCookie.httpOnly,
+          secure: newCookie.secure,
+          sameSite: newCookie.sameSite,
+          path: newCookie.path,
+          maxAge: newCookie.maxAge
+        });
+      } catch {
+      }
+    } catch {
+      sessionData = null;
+    }
+  }
   return deriveSessionState(sessionData);
 }
 async function currentUser(config) {
@@ -65,8 +96,7 @@ async function currentUser(config) {
     try {
       const tokenResponse = await refreshAccessToken(oidcConfig, {
         refreshToken: sessionData.refreshToken,
-        clientID: resolved.clientID,
-        clientSecret: resolved.clientSecret || void 0
+        clientID: resolved.clientID
       });
       sessionData = {
         accessToken: tokenResponse.access_token,
@@ -74,6 +104,17 @@ async function currentUser(config) {
         idToken: tokenResponse.id_token ?? sessionData.idToken,
         expiresAt: Math.floor(Date.now() / 1e3) + tokenResponse.expires_in
       };
+      try {
+        const newCookie = buildSessionCookie(resolved.cookieName, sessionData, resolved.sessionSecret);
+        cookieStore.set(newCookie.name, newCookie.value, {
+          httpOnly: newCookie.httpOnly,
+          secure: newCookie.secure,
+          sameSite: newCookie.sameSite,
+          path: newCookie.path,
+          maxAge: newCookie.maxAge
+        });
+      } catch {
+      }
     } catch {
       return null;
     }
@@ -90,11 +131,32 @@ async function verifyAccessToken(token, config) {
   const oidcConfig = await fetchOIDCConfiguration(resolved.endpoint);
   return verifyJWT(token, oidcConfig);
 }
+async function getOpenURL(page, config) {
+  const resolved = resolveConfig(config);
+  const cookieStore = await cookies();
+  const sessionCookieValue = cookieStore.get(resolved.cookieName)?.value;
+  if (!sessionCookieValue) throw new Error("Not authenticated");
+  let sessionData = decryptSession(sessionCookieValue, resolved.sessionSecret);
+  if (!sessionData) throw new Error("Not authenticated");
+  if (!sessionData.refreshToken) throw new Error("No refresh token in session");
+  const oidcConfig = await fetchOIDCConfiguration(resolved.endpoint);
+  const { app_session_token } = await getAppSessionToken(
+    resolved.endpoint,
+    sessionData.refreshToken
+  );
+  return buildOpenURL(oidcConfig, {
+    clientID: resolved.clientID,
+    appSessionToken: app_session_token,
+    targetPath: page,
+    scopes: resolved.scopes
+  });
+}
 export {
   Page,
   SessionState,
   auth,
   currentUser,
+  getOpenURL,
   verifyAccessToken
 };
 //# sourceMappingURL=server.js.map

package/dist/server.js.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"sources":["../src/server.ts","../src/jwt/verify.ts","../src/jwt/jwks.ts"],"sourcesContent":["import \"server-only\";\nimport { cookies } from \"next/headers\";\nimport { SessionState, Page, type Session, type UserInfo, type JWTPayload, type AuthgearConfig } from \"./types.js\";\nimport { resolveConfig } from \"./config.js\";\nimport { decryptSession } from \"./session/cookie.js\";\nimport { deriveSessionState, isTokenExpired } from \"./session/state.js\";\nimport { fetchOIDCConfiguration } from \"./oauth/discovery.js\";\nimport { refreshAccessToken } from \"./oauth/token.js\";\n// ROADMAP: import { getAppSessionToken } from \"./oauth/token.js\";\n// ROADMAP: import { buildOpenURL } from \"./oauth/authorize.js\";\nimport { verifyJWT } from \"./jwt/verify.js\";\nimport { parseUserInfo } from \"./user.js\";\n\n/*\n Read the current session in a Server Component or Route Handler.\n * Automatically refreshes the access token if expired.\n /\nexport async function auth(config: AuthgearConfig): Promise<Session> {\n const resolved = resolveConfig(config);\n const cookieStore = await cookies();\n const sessionCookieValue = cookieStore.get(resolved.cookieName)?.value;\n\n const sessionData = sessionCookieValue\n ? decryptSession(sessionCookieValue, resolved.sessionSecret)\n : null;\n\n return deriveSessionState(sessionData);\n}\n\n/\n Get the current user in a Server Component or Route Handler.\n * Returns null if not authenticated.\n /\nexport async function currentUser(config: AuthgearConfig): Promise<UserInfo \| null> {\n const resolved = resolveConfig(config);\n const cookieStore = await cookies();\n const sessionCookieValue = cookieStore.get(resolved.cookieName)?.value;\n\n if (!sessionCookieValue) return null;\n\n let sessionData = decryptSession(sessionCookieValue, resolved.sessionSecret);\n if (!sessionData) return null;\n\n const oidcConfig = await fetchOIDCConfiguration(resolved.endpoint);\n\n // Auto-refresh expired token\n if (isTokenExpired(sessionData.expiresAt) && sessionData.refreshToken) {\n try {\n const tokenResponse = await refreshAccessToken(oidcConfig, {\n refreshToken: sessionData.refreshToken,\n clientID: resolved.clientID,\n clientSecret: resolved.clientSecret \|\| undefined,\n });\n sessionData = {\n accessToken: tokenResponse.access_token,\n refreshToken: tokenResponse.refresh_token ?? sessionData.refreshToken,\n idToken: tokenResponse.id_token ?? sessionData.idToken,\n expiresAt: Math.floor(Date.now() / 1000) + tokenResponse.expires_in,\n };\n } catch {\n return null;\n }\n }\n\n const userinfoRes = await fetch(oidcConfig.userinfo_endpoint, {\n headers: { Authorization: `Bearer ${sessionData.accessToken}` },\n });\n\n if (!userinfoRes.ok) return null;\n\n const raw = (await userinfoRes.json()) as Record<string, unknown>;\n return parseUserInfo(raw);\n}\n\n/\n Verify a JWT access token (from Authorization: Bearer header).\n * Useful for protecting API routes.\n \n @throws {Error} If the token is invalid, expired, or has wrong issuer/audience\n /\nexport async function verifyAccessToken(\n token: string,\n config: AuthgearConfig,\n): Promise<JWTPayload> {\n const resolved = resolveConfig(config);\n const oidcConfig = await fetchOIDCConfiguration(resolved.endpoint);\n return verifyJWT(token, oidcConfig);\n}\n\n// ROADMAP: getOpenURL — open Authgear settings (or any Authgear page) with the\n// current user pre-authenticated via the app_session_token exchange.\n//\n// This requires the Authgear server to grant the client permission to call\n// POST /oauth2/app_session_token (\"full user access\"). Once that server-side\n// configuration is available, uncomment the implementation below and the\n// imports above, then expose it from the example dashboard via a Server Action.\n//\n// export async function getOpenURL(\n// page: Page \| string,\n// config: AuthgearConfig,\n// ): Promise<string> {\n// const resolved = resolveConfig(config);\n// const cookieStore = await cookies();\n// const sessionCookieValue = cookieStore.get(resolved.cookieName)?.value;\n// if (!sessionCookieValue) throw new Error(\"Not authenticated\");\n// const sessionData = decryptSession(sessionCookieValue, resolved.sessionSecret);\n// if (!sessionData?.refreshToken) throw new Error(\"No refresh token in session\");\n// const oidcConfig = await fetchOIDCConfiguration(resolved.endpoint);\n// const { app_session_token } = await getAppSessionToken(\n// resolved.endpoint,\n// sessionData.refreshToken,\n// );\n// return buildOpenURL(oidcConfig, {\n// clientID: resolved.clientID,\n// appSessionToken: app_session_token,\n// targetPath: page,\n// });\n// }\n\nexport { SessionState, Page };\nexport type { Session, UserInfo, JWTPayload };\n","import { jwtVerify } from \"jose\";\nimport type { JWTPayload, OIDCConfiguration } from \"../types.js\";\nimport { getJWKS } from \"./jwks.js\";\n\nexport interface VerifyOptions {\n /* Expected audience. If not set, audience is not checked. /\n audience?: string \| string[];\n}\n\nexport async function verifyJWT(\n token: string,\n oidcConfig: OIDCConfiguration,\n options?: VerifyOptions,\n): Promise<JWTPayload> {\n const jwks = getJWKS(oidcConfig);\n\n const { payload } = await jwtVerify(token, jwks, {\n issuer: oidcConfig.issuer,\n audience: options?.audience,\n algorithms: [\"RS256\"],\n });\n\n return payload as unknown as JWTPayload;\n}\n","import { createRemoteJWKSet } from \"jose\";\nimport type { OIDCConfiguration } from \"../types.js\";\n\nconst jwksSets = new Map<string, ReturnType<typeof createRemoteJWKSet>>();\n\nexport function getJWKS(oidcConfig: OIDCConfiguration) {\n const uri = oidcConfig.jwks_uri;\n let jwks = jwksSets.get(uri);\n if (!jwks) {\n jwks = createRemoteJWKSet(new URL(uri));\n jwksSets.set(uri, jwks);\n }\n return jwks;\n}\n\n/* Clear cached JWKS (useful for testing) */\nexport function clearJWKSCache(): void {\n jwksSets.clear();\n}\n"],"mappings":";;;;;;;;;;;;;;;;;AAAA,OAAO;AACP,SAAS,eAAe;;;ACDxB,SAAS,iBAAiB;;;ACA1B,SAAS,0BAA0B;AAGnC,IAAM,WAAW,oBAAI,IAAmD;AAEjE,SAAS,QAAQ,YAA+B;AACrD,QAAM,MAAM,WAAW;AACvB,MAAI,OAAO,SAAS,IAAI,GAAG;AAC3B,MAAI,CAAC,MAAM;AACT,WAAO,mBAAmB,IAAI,IAAI,GAAG,CAAC;AACtC,aAAS,IAAI,KAAK,IAAI;AAAA,EACxB;AACA,SAAO;AACT;;;ADJA,eAAsB,UACpB,OACA,YACA,SACqB;AACrB,QAAM,OAAO,QAAQ,UAAU;AAE/B,QAAM,EAAE,QAAQ,IAAI,MAAM,UAAU,OAAO,MAAM;AAAA,IAC/C,QAAQ,WAAW;AAAA,IACnB,UAAU,SAAS;AAAA,IACnB,YAAY,CAAC,OAAO;AAAA,EACtB,CAAC;AAED,SAAO;AACT;;;ADNA,eAAsB,KAAK,QAA0C;AACnE,QAAM,WAAW,cAAc,MAAM;AACrC,QAAM,cAAc,MAAM,QAAQ;AAClC,QAAM,qBAAqB,YAAY,IAAI,SAAS,UAAU,GAAG;AAEjE,QAAM,cAAc,qBAChB,eAAe,oBAAoB,SAAS,aAAa,IACzD;AAEJ,SAAO,mBAAmB,WAAW;AACvC;AAMA,eAAsB,YAAY,QAAkD;AAClF,QAAM,WAAW,cAAc,MAAM;AACrC,QAAM,cAAc,MAAM,QAAQ;AAClC,QAAM,qBAAqB,YAAY,IAAI,SAAS,UAAU,GAAG;AAEjE,MAAI,CAAC,mBAAoB,QAAO;AAEhC,MAAI,cAAc,eAAe,oBAAoB,SAAS,aAAa;AAC3E,MAAI,CAAC,YAAa,QAAO;AAEzB,QAAM,aAAa,MAAM,uBAAuB,SAAS,QAAQ;AAGjE,MAAI,eAAe,YAAY,SAAS,KAAK,YAAY,cAAc;AACrE,QAAI;AACF,YAAM,gBAAgB,MAAM,mBAAmB,YAAY;AAAA,QACzD,cAAc,YAAY;AAAA,QAC1B,UAAU,SAAS;AAAA,QACnB,cAAc,SAAS,gBAAgB;AAAA,MACzC,CAAC;AACD,oBAAc;AAAA,QACZ,aAAa,cAAc;AAAA,QAC3B,cAAc,cAAc,iBAAiB,YAAY;AAAA,QACzD,SAAS,cAAc,YAAY,YAAY;AAAA,QAC/C,WAAW,KAAK,MAAM,KAAK,IAAI,IAAI,GAAI,IAAI,cAAc;AAAA,MAC3D;AAAA,IACF,QAAQ;AACN,aAAO;AAAA,IACT;AAAA,EACF;AAEA,QAAM,cAAc,MAAM,MAAM,WAAW,mBAAmB;AAAA,IAC5D,SAAS,EAAE,eAAe,UAAU,YAAY,WAAW,GAAG;AAAA,EAChE,CAAC;AAED,MAAI,CAAC,YAAY,GAAI,QAAO;AAE5B,QAAM,MAAO,MAAM,YAAY,KAAK;AACpC,SAAO,cAAc,GAAG;AAC1B;AAQA,eAAsB,kBACpB,OACA,QACqB;AACrB,QAAM,WAAW,cAAc,MAAM;AACrC,QAAM,aAAa,MAAM,uBAAuB,SAAS,QAAQ;AACjE,SAAO,UAAU,OAAO,UAAU;AACpC;","names":[]}
1	+ {"version":3,"sources":["../src/server.ts","../src/jwt/verify.ts","../src/jwt/jwks.ts"],"sourcesContent":["import \"server-only\";\nimport { cookies } from \"next/headers\";\nimport { SessionState, Page, type Session, type UserInfo, type JWTPayload, type AuthgearConfig } from \"./types.js\";\nimport { resolveConfig } from \"./config.js\";\nimport { decryptSession, buildSessionCookie } from \"./session/cookie.js\";\nimport { deriveSessionState, isTokenExpired } from \"./session/state.js\";\nimport { fetchOIDCConfiguration } from \"./oauth/discovery.js\";\nimport { refreshAccessToken, getAppSessionToken } from \"./oauth/token.js\";\nimport { buildOpenURL } from \"./oauth/authorize.js\";\nimport { verifyJWT } from \"./jwt/verify.js\";\nimport { parseUserInfo } from \"./user.js\";\n\n/*\n Read the current session in a Server Component, Route Handler, or Server Action.\n * Automatically refreshes the access token if expired, so `session.accessToken` is\n * always valid when the session state is `Authenticated`. Use this when you need a\n * fresh access token to call a downstream API (e.g. inside a Server Action).\n /\nexport async function auth(config: AuthgearConfig): Promise<Session> {\n const resolved = resolveConfig(config);\n const cookieStore = await cookies();\n const sessionCookieValue = cookieStore.get(resolved.cookieName)?.value;\n\n let sessionData = sessionCookieValue\n ? decryptSession(sessionCookieValue, resolved.sessionSecret)\n : null;\n\n // Auto-refresh expired token so callers (e.g. Server Actions) always get a valid access token\n if (sessionData && isTokenExpired(sessionData.expiresAt) && sessionData.refreshToken) {\n try {\n const oidcConfig = await fetchOIDCConfiguration(resolved.endpoint);\n const tokenResponse = await refreshAccessToken(oidcConfig, {\n refreshToken: sessionData.refreshToken,\n clientID: resolved.clientID,\n });\n sessionData = {\n accessToken: tokenResponse.access_token,\n refreshToken: tokenResponse.refresh_token ?? sessionData.refreshToken,\n idToken: tokenResponse.id_token ?? sessionData.idToken,\n expiresAt: Math.floor(Date.now() / 1000) + tokenResponse.expires_in,\n };\n try {\n const newCookie = buildSessionCookie(resolved.cookieName, sessionData, resolved.sessionSecret);\n cookieStore.set(newCookie.name, newCookie.value, {\n httpOnly: newCookie.httpOnly,\n secure: newCookie.secure,\n sameSite: newCookie.sameSite,\n path: newCookie.path,\n maxAge: newCookie.maxAge,\n });\n } catch {\n // Not in a Route Handler — cookie will be persisted by the proxy on next navigation\n }\n } catch {\n sessionData = null;\n }\n }\n\n return deriveSessionState(sessionData);\n}\n\n/\n Get the current user in a Server Component or Route Handler.\n * Automatically refreshes the access token if expired, including persisting a\n * rotated refresh token when the Authgear project has refresh token rotation enabled.\n * Returns null if not authenticated or if the session cannot be refreshed.\n /\nexport async function currentUser(config: AuthgearConfig): Promise<UserInfo \| null> {\n const resolved = resolveConfig(config);\n const cookieStore = await cookies();\n const sessionCookieValue = cookieStore.get(resolved.cookieName)?.value;\n\n if (!sessionCookieValue) return null;\n\n let sessionData = decryptSession(sessionCookieValue, resolved.sessionSecret);\n if (!sessionData) return null;\n\n const oidcConfig = await fetchOIDCConfiguration(resolved.endpoint);\n\n // Auto-refresh expired token\n if (isTokenExpired(sessionData.expiresAt) && sessionData.refreshToken) {\n try {\n const tokenResponse = await refreshAccessToken(oidcConfig, {\n refreshToken: sessionData.refreshToken,\n clientID: resolved.clientID,\n });\n sessionData = {\n accessToken: tokenResponse.access_token,\n refreshToken: tokenResponse.refresh_token ?? sessionData.refreshToken,\n idToken: tokenResponse.id_token ?? sessionData.idToken,\n expiresAt: Math.floor(Date.now() / 1000) + tokenResponse.expires_in,\n };\n // Persist the updated session (with rotated refresh token) back to the cookie.\n // This succeeds in Route Handlers but throws in Server Components (Next.js restriction).\n // In Server Components the proxy will write the updated cookie on the next page navigation.\n try {\n const newCookie = buildSessionCookie(resolved.cookieName, sessionData, resolved.sessionSecret);\n cookieStore.set(newCookie.name, newCookie.value, {\n httpOnly: newCookie.httpOnly,\n secure: newCookie.secure,\n sameSite: newCookie.sameSite,\n path: newCookie.path,\n maxAge: newCookie.maxAge,\n });\n } catch {\n // Not in a Route Handler — cookie will be persisted by the proxy on next navigation\n }\n } catch {\n return null;\n }\n }\n\n const userinfoRes = await fetch(oidcConfig.userinfo_endpoint, {\n headers: { Authorization: `Bearer ${sessionData.accessToken}` },\n });\n\n if (!userinfoRes.ok) return null;\n\n const raw = (await userinfoRes.json()) as Record<string, unknown>;\n return parseUserInfo(raw);\n}\n\n/\n Verify a JWT access token (from Authorization: Bearer header).\n * Useful for protecting API routes.\n \n @throws {Error} If the token is invalid, expired, or has wrong issuer/audience\n /\nexport async function verifyAccessToken(\n token: string,\n config: AuthgearConfig,\n): Promise<JWTPayload> {\n const resolved = resolveConfig(config);\n const oidcConfig = await fetchOIDCConfiguration(resolved.endpoint);\n return verifyJWT(token, oidcConfig);\n}\n\n/\n Get a URL that opens an Authgear page (e.g. `/settings`) with the current\n * user already authenticated — no re-login required.\n \n Exchanges the user's refresh token for a short-lived `app_session_token`\n * via `POST /oauth2/app_session_token`, then builds an authorization URL\n * that uses that token as a `login_hint` so Authgear can authenticate the\n * user silently.\n \n @param page - A `Page` enum value (e.g. `Page.Settings`) or an arbitrary path string.\n * @param config - The Authgear SDK config.\n * @returns A URL string. Open it in a new tab (`window.open(url, \"_blank\")`).\n * @throws {Error} If the user is not authenticated or has no refresh token.\n \n @example\n * ```ts\n * // Server Action\n * \"use server\";\n * import { getOpenURL, Page } from \"@authgear/nextjs/server\";\n * import { authgearConfig } from \"@/lib/authgear\";\n \n export async function getSettingsURLAction() {\n * return getOpenURL(Page.Settings, authgearConfig);\n * }\n * ```\n /\nexport async function getOpenURL(\n page: Page \| string,\n config: AuthgearConfig,\n): Promise<string> {\n const resolved = resolveConfig(config);\n const cookieStore = await cookies();\n const sessionCookieValue = cookieStore.get(resolved.cookieName)?.value;\n if (!sessionCookieValue) throw new Error(\"Not authenticated\");\n let sessionData = decryptSession(sessionCookieValue, resolved.sessionSecret);\n if (!sessionData) throw new Error(\"Not authenticated\");\n if (!sessionData.refreshToken) throw new Error(\"No refresh token in session\");\n const oidcConfig = await fetchOIDCConfiguration(resolved.endpoint);\n const { app_session_token } = await getAppSessionToken(\n resolved.endpoint,\n sessionData.refreshToken!,\n );\n return buildOpenURL(oidcConfig, {\n clientID: resolved.clientID,\n appSessionToken: app_session_token,\n targetPath: page,\n scopes: resolved.scopes,\n });\n}\n\nexport { SessionState, Page };\nexport type { Session, UserInfo, JWTPayload };\n","import { jwtVerify } from \"jose\";\nimport type { JWTPayload, OIDCConfiguration } from \"../types.js\";\nimport { getJWKS } from \"./jwks.js\";\n\nexport interface VerifyOptions {\n /* Expected audience. If not set, audience is not checked. /\n audience?: string \| string[];\n}\n\nexport async function verifyJWT(\n token: string,\n oidcConfig: OIDCConfiguration,\n options?: VerifyOptions,\n): Promise<JWTPayload> {\n const jwks = getJWKS(oidcConfig);\n\n const { payload } = await jwtVerify(token, jwks, {\n issuer: oidcConfig.issuer,\n audience: options?.audience,\n algorithms: [\"RS256\"],\n });\n\n return payload as unknown as JWTPayload;\n}\n","import { createRemoteJWKSet } from \"jose\";\nimport type { OIDCConfiguration } from \"../types.js\";\n\nconst jwksSets = new Map<string, ReturnType<typeof createRemoteJWKSet>>();\n\nexport function getJWKS(oidcConfig: OIDCConfiguration) {\n const uri = oidcConfig.jwks_uri;\n let jwks = jwksSets.get(uri);\n if (!jwks) {\n jwks = createRemoteJWKSet(new URL(uri));\n jwksSets.set(uri, jwks);\n }\n return jwks;\n}\n\n/* Clear cached JWKS (useful for testing) */\nexport function clearJWKSCache(): void {\n jwksSets.clear();\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;;AAAA,OAAO;AACP,SAAS,eAAe;;;ACDxB,SAAS,iBAAiB;;;ACA1B,SAAS,0BAA0B;AAGnC,IAAM,WAAW,oBAAI,IAAmD;AAEjE,SAAS,QAAQ,YAA+B;AACrD,QAAM,MAAM,WAAW;AACvB,MAAI,OAAO,SAAS,IAAI,GAAG;AAC3B,MAAI,CAAC,MAAM;AACT,WAAO,mBAAmB,IAAI,IAAI,GAAG,CAAC;AACtC,aAAS,IAAI,KAAK,IAAI;AAAA,EACxB;AACA,SAAO;AACT;;;ADJA,eAAsB,UACpB,OACA,YACA,SACqB;AACrB,QAAM,OAAO,QAAQ,UAAU;AAE/B,QAAM,EAAE,QAAQ,IAAI,MAAM,UAAU,OAAO,MAAM;AAAA,IAC/C,QAAQ,WAAW;AAAA,IACnB,UAAU,SAAS;AAAA,IACnB,YAAY,CAAC,OAAO;AAAA,EACtB,CAAC;AAED,SAAO;AACT;;;ADLA,eAAsB,KAAK,QAA0C;AACnE,QAAM,WAAW,cAAc,MAAM;AACrC,QAAM,cAAc,MAAM,QAAQ;AAClC,QAAM,qBAAqB,YAAY,IAAI,SAAS,UAAU,GAAG;AAEjE,MAAI,cAAc,qBACd,eAAe,oBAAoB,SAAS,aAAa,IACzD;AAGJ,MAAI,eAAe,eAAe,YAAY,SAAS,KAAK,YAAY,cAAc;AACpF,QAAI;AACF,YAAM,aAAa,MAAM,uBAAuB,SAAS,QAAQ;AACjE,YAAM,gBAAgB,MAAM,mBAAmB,YAAY;AAAA,QACzD,cAAc,YAAY;AAAA,QAC1B,UAAU,SAAS;AAAA,MACrB,CAAC;AACD,oBAAc;AAAA,QACZ,aAAa,cAAc;AAAA,QAC3B,cAAc,cAAc,iBAAiB,YAAY;AAAA,QACzD,SAAS,cAAc,YAAY,YAAY;AAAA,QAC/C,WAAW,KAAK,MAAM,KAAK,IAAI,IAAI,GAAI,IAAI,cAAc;AAAA,MAC3D;AACA,UAAI;AACF,cAAM,YAAY,mBAAmB,SAAS,YAAY,aAAa,SAAS,aAAa;AAC7F,oBAAY,IAAI,UAAU,MAAM,UAAU,OAAO;AAAA,UAC/C,UAAU,UAAU;AAAA,UACpB,QAAQ,UAAU;AAAA,UAClB,UAAU,UAAU;AAAA,UACpB,MAAM,UAAU;AAAA,UAChB,QAAQ,UAAU;AAAA,QACpB,CAAC;AAAA,MACH,QAAQ;AAAA,MAER;AAAA,IACF,QAAQ;AACN,oBAAc;AAAA,IAChB;AAAA,EACF;AAEA,SAAO,mBAAmB,WAAW;AACvC;AAQA,eAAsB,YAAY,QAAkD;AAClF,QAAM,WAAW,cAAc,MAAM;AACrC,QAAM,cAAc,MAAM,QAAQ;AAClC,QAAM,qBAAqB,YAAY,IAAI,SAAS,UAAU,GAAG;AAEjE,MAAI,CAAC,mBAAoB,QAAO;AAEhC,MAAI,cAAc,eAAe,oBAAoB,SAAS,aAAa;AAC3E,MAAI,CAAC,YAAa,QAAO;AAEzB,QAAM,aAAa,MAAM,uBAAuB,SAAS,QAAQ;AAGjE,MAAI,eAAe,YAAY,SAAS,KAAK,YAAY,cAAc;AACrE,QAAI;AACF,YAAM,gBAAgB,MAAM,mBAAmB,YAAY;AAAA,QACzD,cAAc,YAAY;AAAA,QAC1B,UAAU,SAAS;AAAA,MACrB,CAAC;AACD,oBAAc;AAAA,QACZ,aAAa,cAAc;AAAA,QAC3B,cAAc,cAAc,iBAAiB,YAAY;AAAA,QACzD,SAAS,cAAc,YAAY,YAAY;AAAA,QAC/C,WAAW,KAAK,MAAM,KAAK,IAAI,IAAI,GAAI,IAAI,cAAc;AAAA,MAC3D;AAIA,UAAI;AACF,cAAM,YAAY,mBAAmB,SAAS,YAAY,aAAa,SAAS,aAAa;AAC7F,oBAAY,IAAI,UAAU,MAAM,UAAU,OAAO;AAAA,UAC/C,UAAU,UAAU;AAAA,UACpB,QAAQ,UAAU;AAAA,UAClB,UAAU,UAAU;AAAA,UACpB,MAAM,UAAU;AAAA,UAChB,QAAQ,UAAU;AAAA,QACpB,CAAC;AAAA,MACH,QAAQ;AAAA,MAER;AAAA,IACF,QAAQ;AACN,aAAO;AAAA,IACT;AAAA,EACF;AAEA,QAAM,cAAc,MAAM,MAAM,WAAW,mBAAmB;AAAA,IAC5D,SAAS,EAAE,eAAe,UAAU,YAAY,WAAW,GAAG;AAAA,EAChE,CAAC;AAED,MAAI,CAAC,YAAY,GAAI,QAAO;AAE5B,QAAM,MAAO,MAAM,YAAY,KAAK;AACpC,SAAO,cAAc,GAAG;AAC1B;AAQA,eAAsB,kBACpB,OACA,QACqB;AACrB,QAAM,WAAW,cAAc,MAAM;AACrC,QAAM,aAAa,MAAM,uBAAuB,SAAS,QAAQ;AACjE,SAAO,UAAU,OAAO,UAAU;AACpC;AA4BA,eAAsB,WACpB,MACA,QACiB;AACjB,QAAM,WAAW,cAAc,MAAM;AACrC,QAAM,cAAc,MAAM,QAAQ;AAClC,QAAM,qBAAqB,YAAY,IAAI,SAAS,UAAU,GAAG;AACjE,MAAI,CAAC,mBAAoB,OAAM,IAAI,MAAM,mBAAmB;AAC5D,MAAI,cAAc,eAAe,oBAAoB,SAAS,aAAa;AAC3E,MAAI,CAAC,YAAa,OAAM,IAAI,MAAM,mBAAmB;AACrD,MAAI,CAAC,YAAY,aAAc,OAAM,IAAI,MAAM,6BAA6B;AAC5E,QAAM,aAAa,MAAM,uBAAuB,SAAS,QAAQ;AACjE,QAAM,EAAE,kBAAkB,IAAI,MAAM;AAAA,IAClC,SAAS;AAAA,IACT,YAAY;AAAA,EACd;AACA,SAAO,aAAa,YAAY;AAAA,IAC9B,UAAU,SAAS;AAAA,IACnB,iBAAiB;AAAA,IACjB,YAAY;AAAA,IACZ,QAAQ,SAAS;AAAA,EACnB,CAAC;AACH;","names":[]}

package/dist/{types-Csfra4K2.d.ts → types-BUoN9wBp.d.ts} RENAMED Viewed

@@ -3,8 +3,6 @@ interface AuthgearConfig {
     endpoint: string;
     /** OAuth client ID */
     clientID: string;
-    /** OAuth client secret (for confidential server-side clients) */
-    clientSecret?: string;
     /** Redirect URI for OAuth callback, e.g. "http://localhost:3000/api/auth/callback" */
     redirectURI: string;
     /** Where to redirect after logout */
@@ -17,7 +15,7 @@ interface AuthgearConfig {
     cookieName?: string;
 }
 /**
- * Pages that can be opened via open().
+ * Pages that can be opened via {@link getOpenURL}.
  */
 declare enum Page {
     Settings = "/settings"

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@authgear/nextjs",
-  "version": "0.1.7",
+  "version": "0.2.0",
   "description": "Authgear SDK for Next.js 16 - OAuth authentication, session management, and JWT verification",
   "type": "module",
   "exports": {
@@ -38,6 +38,10 @@
     "oidc",
     "jwt"
   ],
+  "repository": {
+    "type": "git",
+    "url": "https://github.com/authgear/authgear-sdk-nextjs"
+  },
   "license": "MIT",
   "dependencies": {
     "jose": "^6.0.0"

package/dist/chunk-3KVYAFQJ.js DELETED Viewed

@@ -1,26 +0,0 @@
-// src/user.ts
-function parseUserInfo(raw) {
-  return {
-    sub: raw["sub"],
-    email: raw["email"],
-    emailVerified: raw["email_verified"],
-    phoneNumber: raw["phone_number"],
-    phoneNumberVerified: raw["phone_number_verified"],
-    preferredUsername: raw["preferred_username"],
-    givenName: raw["given_name"],
-    familyName: raw["family_name"],
-    name: raw["name"],
-    picture: raw["picture"],
-    roles: raw["https://authgear.com/claims/user/roles"],
-    isAnonymous: raw["https://authgear.com/claims/user/is_anonymous"],
-    isVerified: raw["https://authgear.com/claims/user/is_verified"],
-    canReauthenticate: raw["https://authgear.com/claims/user/can_reauthenticate"],
-    customAttributes: raw["custom_attributes"],
-    raw
-  };
-}
-export {
-  parseUserInfo
-};
-//# sourceMappingURL=chunk-3KVYAFQJ.js.map

package/dist/chunk-3KVYAFQJ.js.map DELETED Viewed

@@ -1 +0,0 @@

- {"version":3,"sources":["../src/user.ts"],"sourcesContent":["import type { UserInfo } from \"./types.js\";\n\nexport function parseUserInfo(raw: Record<string, unknown>): UserInfo {\n return {\n sub: raw[\"sub\"] as string,\n email: raw[\"email\"] as string | undefined,\n emailVerified: raw[\"email_verified\"] as boolean | undefined,\n phoneNumber: raw[\"phone_number\"] as string | undefined,\n phoneNumberVerified: raw[\"phone_number_verified\"] as boolean | undefined,\n preferredUsername: raw[\"preferred_username\"] as string | undefined,\n givenName: raw[\"given_name\"] as string | undefined,\n familyName: raw[\"family_name\"] as string | undefined,\n name: raw[\"name\"] as string | undefined,\n picture: raw[\"picture\"] as string | undefined,\n roles: raw[\"https://authgear.com/claims/user/roles\"] as string[] | undefined,\n isAnonymous: raw[\"https://authgear.com/claims/user/is_anonymous\"] as boolean | undefined,\n isVerified: raw[\"https://authgear.com/claims/user/is_verified\"] as boolean | undefined,\n canReauthenticate: raw[\"https://authgear.com/claims/user/can_reauthenticate\"] as boolean | undefined,\n customAttributes: raw[\"custom_attributes\"] as Record<string, unknown> | undefined,\n raw,\n };\n}\n"],"mappings":";AAEO,SAAS,cAAc,KAAwC;AACpE,SAAO;AAAA,IACL,KAAK,IAAI,KAAK;AAAA,IACd,OAAO,IAAI,OAAO;AAAA,IAClB,eAAe,IAAI,gBAAgB;AAAA,IACnC,aAAa,IAAI,cAAc;AAAA,IAC/B,qBAAqB,IAAI,uBAAuB;AAAA,IAChD,mBAAmB,IAAI,oBAAoB;AAAA,IAC3C,WAAW,IAAI,YAAY;AAAA,IAC3B,YAAY,IAAI,aAAa;AAAA,IAC7B,MAAM,IAAI,MAAM;AAAA,IAChB,SAAS,IAAI,SAAS;AAAA,IACtB,OAAO,IAAI,wCAAwC;AAAA,IACnD,aAAa,IAAI,+CAA+C;AAAA,IAChE,YAAY,IAAI,8CAA8C;AAAA,IAC9D,mBAAmB,IAAI,qDAAqD;AAAA,IAC5E,kBAAkB,IAAI,mBAAmB;AAAA,IACzC;AAAA,EACF;AACF;","names":[]}

package/dist/chunk-MJD3XNUK.js.map DELETED Viewed

@@ -1 +0,0 @@

- {"version":3,"sources":["../src/config.ts","../src/oauth/discovery.ts","../src/session/cookie.ts","../src/oauth/token.ts","../src/session/state.ts"],"sourcesContent":["import { type AuthgearConfig, DEFAULT_SCOPES } from \"./types.js\";\n\nexport function resolveConfig(config: AuthgearConfig): Required<AuthgearConfig> {\n if (!config.endpoint) throw new Error(\"AuthgearConfig: endpoint is required\");\n if (!config.clientID) throw new Error(\"AuthgearConfig: clientID is required\");\n if (!config.redirectURI) throw new Error(\"AuthgearConfig: redirectURI is required\");\n if (!config.sessionSecret || config.sessionSecret.length < 32) {\n throw new Error(\"AuthgearConfig: sessionSecret must be at least 32 characters\");\n }\n\n return {\n endpoint: config.endpoint.replace(/\\/+$/, \"\"),\n clientID: config.clientID,\n clientSecret: config.clientSecret ?? \"\",\n redirectURI: config.redirectURI,\n postLogoutRedirectURI: config.postLogoutRedirectURI ?? \"/\",\n scopes: config.scopes ?? DEFAULT_SCOPES,\n sessionSecret: config.sessionSecret,\n cookieName: config.cookieName ?? \"authgear.session\",\n };\n}\n","import type { OIDCConfiguration } from \"../types.js\";\n\nconst cache = new Map<string, { config: OIDCConfiguration; fetchedAt: number }>();\nconst CACHE_TTL_MS = 60 * 60 * 1000; // 1 hour\n\nexport async function fetchOIDCConfiguration(\n endpoint: string,\n): Promise<OIDCConfiguration> {\n const cached = cache.get(endpoint);\n if (cached && Date.now() - cached.fetchedAt < CACHE_TTL_MS) {\n return cached.config;\n }\n\n const url = `${endpoint}/.well-known/openid-configuration`;\n const res = await fetch(url);\n if (!res.ok) {\n throw new Error(`Failed to fetch OIDC configuration from ${url}: ${res.status}`);\n }\n\n const config = (await res.json()) as OIDCConfiguration;\n cache.set(endpoint, { config, fetchedAt: Date.now() });\n return config;\n}\n\n/** Clear cached OIDC configuration (useful for testing) */\nexport function clearOIDCCache(): void {\n cache.clear();\n}\n","import { createCipheriv, createDecipheriv, randomBytes, scryptSync } from \"node:crypto\";\nimport type { SessionData } from \"../types.js\";\n\nconst ALGORITHM = \"aes-256-gcm\";\nconst IV_LENGTH = 12;\nconst AUTH_TAG_LENGTH = 16;\nconst KEY_LENGTH = 32;\nconst SALT = \"authgear-nextjs-session\";\n\nfunction deriveKey(secret: string): Buffer {\n return scryptSync(secret, SALT, KEY_LENGTH);\n}\n\nexport function encryptSession(data: SessionData, secret: string): string {\n const key = deriveKey(secret);\n const iv = randomBytes(IV_LENGTH);\n const cipher = createCipheriv(ALGORITHM, key, iv, { authTagLength: AUTH_TAG_LENGTH });\n\n const json = JSON.stringify(data);\n const encrypted = Buffer.concat([cipher.update(json, \"utf8\"), cipher.final()]);\n const authTag = cipher.getAuthTag();\n\n // Format: base64(iv + authTag + encrypted)\n return Buffer.concat([iv, authTag, encrypted]).toString(\"base64url\");\n}\n\nexport function decryptSession(encrypted: string, secret: string): SessionData | null {\n try {\n const key = deriveKey(secret);\n const buf = Buffer.from(encrypted, \"base64url\");\n\n if (buf.length < IV_LENGTH + AUTH_TAG_LENGTH) return null;\n\n const iv = buf.subarray(0, IV_LENGTH);\n const authTag = buf.subarray(IV_LENGTH, IV_LENGTH + AUTH_TAG_LENGTH);\n const ciphertext = buf.subarray(IV_LENGTH + AUTH_TAG_LENGTH);\n\n const decipher = createDecipheriv(ALGORITHM, key, iv, { authTagLength: AUTH_TAG_LENGTH });\n decipher.setAuthTag(authTag);\n\n const decrypted = Buffer.concat([decipher.update(ciphertext), decipher.final()]);\n return JSON.parse(decrypted.toString(\"utf8\")) as SessionData;\n } catch {\n return null;\n }\n}\n\nexport interface CookieOptions {\n name: string;\n value: string;\n httpOnly?: boolean;\n secure?: boolean;\n sameSite?: \"lax\" | \"strict\" | \"none\";\n path?: string;\n maxAge?: number;\n}\n\nexport function buildSessionCookie(\n cookieName: string,\n data: SessionData,\n secret: string,\n): CookieOptions {\n return {\n name: cookieName,\n value: encryptSession(data, secret),\n httpOnly: true,\n secure: process.env.NODE_ENV === \"production\",\n sameSite: \"lax\",\n path: \"/\",\n maxAge: 30 * 24 * 60 * 60, // 30 days\n };\n}\n\nexport function buildClearCookie(cookieName: string): CookieOptions {\n return {\n name: cookieName,\n value: \"\",\n httpOnly: true,\n secure: process.env.NODE_ENV === \"production\",\n sameSite: \"lax\",\n path: \"/\",\n maxAge: 0,\n };\n}\n\nexport function buildPKCECookie(\n data: { codeVerifier: string; state: string; returnTo: string },\n secret: string,\n): CookieOptions {\n const key = deriveKey(secret);\n const iv = randomBytes(IV_LENGTH);\n const cipher = createCipheriv(ALGORITHM, key, iv, { authTagLength: AUTH_TAG_LENGTH });\n\n const json = JSON.stringify(data);\n const encrypted = Buffer.concat([cipher.update(json, \"utf8\"), cipher.final()]);\n const authTag = cipher.getAuthTag();\n\n return {\n name: \"authgear.pkce\",\n value: Buffer.concat([iv, authTag, encrypted]).toString(\"base64url\"),\n httpOnly: true,\n secure: process.env.NODE_ENV === \"production\",\n sameSite: \"lax\",\n path: \"/\",\n maxAge: 600, // 10 minutes\n };\n}\n\nexport function decryptPKCECookie(\n encrypted: string,\n secret: string,\n): { codeVerifier: string; state: string; returnTo: string } | null {\n try {\n const key = deriveKey(secret);\n const buf = Buffer.from(encrypted, \"base64url\");\n\n if (buf.length < IV_LENGTH + AUTH_TAG_LENGTH) return null;\n\n const iv = buf.subarray(0, IV_LENGTH);\n const authTag = buf.subarray(IV_LENGTH, IV_LENGTH + AUTH_TAG_LENGTH);\n const ciphertext = buf.subarray(IV_LENGTH + AUTH_TAG_LENGTH);\n\n const decipher = createDecipheriv(ALGORITHM, key, iv, { authTagLength: AUTH_TAG_LENGTH });\n decipher.setAuthTag(authTag);\n\n const decrypted = Buffer.concat([decipher.update(ciphertext), decipher.final()]);\n return JSON.parse(decrypted.toString(\"utf8\"));\n } catch {\n return null;\n }\n}\n","import type { OIDCConfiguration, TokenResponse, AppSessionTokenResponse } from \"../types.js\";\n\nexport interface ExchangeCodeParams {\n code: string;\n codeVerifier: string;\n clientID: string;\n clientSecret?: string;\n redirectURI: string;\n}\n\nexport interface RefreshTokenParams {\n refreshToken: string;\n clientID: string;\n clientSecret?: string;\n}\n\nexport async function exchangeCode(\n oidcConfig: OIDCConfiguration,\n params: ExchangeCodeParams,\n): Promise<TokenResponse> {\n const body = new URLSearchParams({\n grant_type: \"authorization_code\",\n code: params.code,\n code_verifier: params.codeVerifier,\n client_id: params.clientID,\n redirect_uri: params.redirectURI,\n });\n if (params.clientSecret) {\n body.set(\"client_secret\", params.clientSecret);\n }\n\n const res = await fetch(oidcConfig.token_endpoint, {\n method: \"POST\",\n headers: { \"Content-Type\": \"application/x-www-form-urlencoded\" },\n body: body.toString(),\n });\n\n if (!res.ok) {\n const error = await res.text();\n throw new Error(`Token exchange failed (${res.status}): ${error}`);\n }\n\n return res.json() as Promise<TokenResponse>;\n}\n\nexport async function refreshAccessToken(\n oidcConfig: OIDCConfiguration,\n params: RefreshTokenParams,\n): Promise<TokenResponse> {\n const body = new URLSearchParams({\n grant_type: \"refresh_token\",\n refresh_token: params.refreshToken,\n client_id: params.clientID,\n });\n if (params.clientSecret) {\n body.set(\"client_secret\", params.clientSecret);\n }\n\n const res = await fetch(oidcConfig.token_endpoint, {\n method: \"POST\",\n headers: { \"Content-Type\": \"application/x-www-form-urlencoded\" },\n body: body.toString(),\n });\n\n if (!res.ok) {\n const error = await res.text();\n throw new Error(`Token refresh failed (${res.status}): ${error}`);\n }\n\n return res.json() as Promise<TokenResponse>;\n}\n\nexport async function getAppSessionToken(\n endpoint: string,\n refreshToken: string,\n): Promise<AppSessionTokenResponse> {\n const res = await fetch(`${endpoint}/oauth2/app_session_token`, {\n method: \"POST\",\n headers: { \"Content-Type\": \"application/json\" },\n body: JSON.stringify({ refresh_token: refreshToken }),\n });\n\n if (!res.ok) {\n const error = await res.text();\n throw new Error(`Failed to get app session token (${res.status}): ${error}`);\n }\n\n return res.json() as Promise<AppSessionTokenResponse>;\n}\n\nexport async function revokeToken(\n oidcConfig: OIDCConfiguration,\n token: string,\n): Promise<void> {\n await fetch(oidcConfig.revocation_endpoint, {\n method: \"POST\",\n headers: { \"Content-Type\": \"application/x-www-form-urlencoded\" },\n body: new URLSearchParams({ token }).toString(),\n });\n}\n","import { SessionState, type SessionData, type Session } from \"../types.js\";\n\nexport function deriveSessionState(data: SessionData | null): Session {\n if (!data) {\n return {\n state: SessionState.NoSession,\n accessToken: null,\n refreshToken: null,\n idToken: null,\n expiresAt: null,\n user: null,\n };\n }\n\n return {\n state: SessionState.Authenticated,\n accessToken: data.accessToken,\n refreshToken: data.refreshToken,\n idToken: data.idToken,\n expiresAt: data.expiresAt,\n user: null, // User is fetched separately when needed\n };\n}\n\nexport function isTokenExpired(expiresAt: number): boolean {\n // Consider expired 30 seconds early for safety margin\n return Date.now() / 1000 >= expiresAt - 30;\n}\n"],"mappings":";;;;;AAEO,SAAS,cAAc,QAAkD;AAC9E,MAAI,CAAC,OAAO,SAAU,OAAM,IAAI,MAAM,sCAAsC;AAC5E,MAAI,CAAC,OAAO,SAAU,OAAM,IAAI,MAAM,sCAAsC;AAC5E,MAAI,CAAC,OAAO,YAAa,OAAM,IAAI,MAAM,yCAAyC;AAClF,MAAI,CAAC,OAAO,iBAAiB,OAAO,cAAc,SAAS,IAAI;AAC7D,UAAM,IAAI,MAAM,8DAA8D;AAAA,EAChF;AAEA,SAAO;AAAA,IACL,UAAU,OAAO,SAAS,QAAQ,QAAQ,EAAE;AAAA,IAC5C,UAAU,OAAO;AAAA,IACjB,cAAc,OAAO,gBAAgB;AAAA,IACrC,aAAa,OAAO;AAAA,IACpB,uBAAuB,OAAO,yBAAyB;AAAA,IACvD,QAAQ,OAAO,UAAU;AAAA,IACzB,eAAe,OAAO;AAAA,IACtB,YAAY,OAAO,cAAc;AAAA,EACnC;AACF;;;AClBA,IAAM,QAAQ,oBAAI,IAA8D;AAChF,IAAM,eAAe,KAAK,KAAK;AAE/B,eAAsB,uBACpB,UAC4B;AAC5B,QAAM,SAAS,MAAM,IAAI,QAAQ;AACjC,MAAI,UAAU,KAAK,IAAI,IAAI,OAAO,YAAY,cAAc;AAC1D,WAAO,OAAO;AAAA,EAChB;AAEA,QAAM,MAAM,GAAG,QAAQ;AACvB,QAAM,MAAM,MAAM,MAAM,GAAG;AAC3B,MAAI,CAAC,IAAI,IAAI;AACX,UAAM,IAAI,MAAM,2CAA2C,GAAG,KAAK,IAAI,MAAM,EAAE;AAAA,EACjF;AAEA,QAAM,SAAU,MAAM,IAAI,KAAK;AAC/B,QAAM,IAAI,UAAU,EAAE,QAAQ,WAAW,KAAK,IAAI,EAAE,CAAC;AACrD,SAAO;AACT;;;ACtBA,SAAS,gBAAgB,kBAAkB,aAAa,kBAAkB;AAG1E,IAAM,YAAY;AAClB,IAAM,YAAY;AAClB,IAAM,kBAAkB;AACxB,IAAM,aAAa;AACnB,IAAM,OAAO;AAEb,SAAS,UAAU,QAAwB;AACzC,SAAO,WAAW,QAAQ,MAAM,UAAU;AAC5C;AAEO,SAAS,eAAe,MAAmB,QAAwB;AACxE,QAAM,MAAM,UAAU,MAAM;AAC5B,QAAM,KAAK,YAAY,SAAS;AAChC,QAAM,SAAS,eAAe,WAAW,KAAK,IAAI,EAAE,eAAe,gBAAgB,CAAC;AAEpF,QAAM,OAAO,KAAK,UAAU,IAAI;AAChC,QAAM,YAAY,OAAO,OAAO,CAAC,OAAO,OAAO,MAAM,MAAM,GAAG,OAAO,MAAM,CAAC,CAAC;AAC7E,QAAM,UAAU,OAAO,WAAW;AAGlC,SAAO,OAAO,OAAO,CAAC,IAAI,SAAS,SAAS,CAAC,EAAE,SAAS,WAAW;AACrE;AAEO,SAAS,eAAe,WAAmB,QAAoC;AACpF,MAAI;AACF,UAAM,MAAM,UAAU,MAAM;AAC5B,UAAM,MAAM,OAAO,KAAK,WAAW,WAAW;AAE9C,QAAI,IAAI,SAAS,YAAY,gBAAiB,QAAO;AAErD,UAAM,KAAK,IAAI,SAAS,GAAG,SAAS;AACpC,UAAM,UAAU,IAAI,SAAS,WAAW,YAAY,eAAe;AACnE,UAAM,aAAa,IAAI,SAAS,YAAY,eAAe;AAE3D,UAAM,WAAW,iBAAiB,WAAW,KAAK,IAAI,EAAE,eAAe,gBAAgB,CAAC;AACxF,aAAS,WAAW,OAAO;AAE3B,UAAM,YAAY,OAAO,OAAO,CAAC,SAAS,OAAO,UAAU,GAAG,SAAS,MAAM,CAAC,CAAC;AAC/E,WAAO,KAAK,MAAM,UAAU,SAAS,MAAM,CAAC;AAAA,EAC9C,QAAQ;AACN,WAAO;AAAA,EACT;AACF;AAYO,SAAS,mBACd,YACA,MACA,QACe;AACf,SAAO;AAAA,IACL,MAAM;AAAA,IACN,OAAO,eAAe,MAAM,MAAM;AAAA,IAClC,UAAU;AAAA,IACV,QAAQ,QAAQ,IAAI,aAAa;AAAA,IACjC,UAAU;AAAA,IACV,MAAM;AAAA,IACN,QAAQ,KAAK,KAAK,KAAK;AAAA;AAAA,EACzB;AACF;AAEO,SAAS,iBAAiB,YAAmC;AAClE,SAAO;AAAA,IACL,MAAM;AAAA,IACN,OAAO;AAAA,IACP,UAAU;AAAA,IACV,QAAQ,QAAQ,IAAI,aAAa;AAAA,IACjC,UAAU;AAAA,IACV,MAAM;AAAA,IACN,QAAQ;AAAA,EACV;AACF;AAEO,SAAS,gBACd,MACA,QACe;AACf,QAAM,MAAM,UAAU,MAAM;AAC5B,QAAM,KAAK,YAAY,SAAS;AAChC,QAAM,SAAS,eAAe,WAAW,KAAK,IAAI,EAAE,eAAe,gBAAgB,CAAC;AAEpF,QAAM,OAAO,KAAK,UAAU,IAAI;AAChC,QAAM,YAAY,OAAO,OAAO,CAAC,OAAO,OAAO,MAAM,MAAM,GAAG,OAAO,MAAM,CAAC,CAAC;AAC7E,QAAM,UAAU,OAAO,WAAW;AAElC,SAAO;AAAA,IACL,MAAM;AAAA,IACN,OAAO,OAAO,OAAO,CAAC,IAAI,SAAS,SAAS,CAAC,EAAE,SAAS,WAAW;AAAA,IACnE,UAAU;AAAA,IACV,QAAQ,QAAQ,IAAI,aAAa;AAAA,IACjC,UAAU;AAAA,IACV,MAAM;AAAA,IACN,QAAQ;AAAA;AAAA,EACV;AACF;AAEO,SAAS,kBACd,WACA,QACkE;AAClE,MAAI;AACF,UAAM,MAAM,UAAU,MAAM;AAC5B,UAAM,MAAM,OAAO,KAAK,WAAW,WAAW;AAE9C,QAAI,IAAI,SAAS,YAAY,gBAAiB,QAAO;AAErD,UAAM,KAAK,IAAI,SAAS,GAAG,SAAS;AACpC,UAAM,UAAU,IAAI,SAAS,WAAW,YAAY,eAAe;AACnE,UAAM,aAAa,IAAI,SAAS,YAAY,eAAe;AAE3D,UAAM,WAAW,iBAAiB,WAAW,KAAK,IAAI,EAAE,eAAe,gBAAgB,CAAC;AACxF,aAAS,WAAW,OAAO;AAE3B,UAAM,YAAY,OAAO,OAAO,CAAC,SAAS,OAAO,UAAU,GAAG,SAAS,MAAM,CAAC,CAAC;AAC/E,WAAO,KAAK,MAAM,UAAU,SAAS,MAAM,CAAC;AAAA,EAC9C,QAAQ;AACN,WAAO;AAAA,EACT;AACF;;;AClHA,eAAsB,aACpB,YACA,QACwB;AACxB,QAAM,OAAO,IAAI,gBAAgB;AAAA,IAC/B,YAAY;AAAA,IACZ,MAAM,OAAO;AAAA,IACb,eAAe,OAAO;AAAA,IACtB,WAAW,OAAO;AAAA,IAClB,cAAc,OAAO;AAAA,EACvB,CAAC;AACD,MAAI,OAAO,cAAc;AACvB,SAAK,IAAI,iBAAiB,OAAO,YAAY;AAAA,EAC/C;AAEA,QAAM,MAAM,MAAM,MAAM,WAAW,gBAAgB;AAAA,IACjD,QAAQ;AAAA,IACR,SAAS,EAAE,gBAAgB,oCAAoC;AAAA,IAC/D,MAAM,KAAK,SAAS;AAAA,EACtB,CAAC;AAED,MAAI,CAAC,IAAI,IAAI;AACX,UAAM,QAAQ,MAAM,IAAI,KAAK;AAC7B,UAAM,IAAI,MAAM,0BAA0B,IAAI,MAAM,MAAM,KAAK,EAAE;AAAA,EACnE;AAEA,SAAO,IAAI,KAAK;AAClB;AAEA,eAAsB,mBACpB,YACA,QACwB;AACxB,QAAM,OAAO,IAAI,gBAAgB;AAAA,IAC/B,YAAY;AAAA,IACZ,eAAe,OAAO;AAAA,IACtB,WAAW,OAAO;AAAA,EACpB,CAAC;AACD,MAAI,OAAO,cAAc;AACvB,SAAK,IAAI,iBAAiB,OAAO,YAAY;AAAA,EAC/C;AAEA,QAAM,MAAM,MAAM,MAAM,WAAW,gBAAgB;AAAA,IACjD,QAAQ;AAAA,IACR,SAAS,EAAE,gBAAgB,oCAAoC;AAAA,IAC/D,MAAM,KAAK,SAAS;AAAA,EACtB,CAAC;AAED,MAAI,CAAC,IAAI,IAAI;AACX,UAAM,QAAQ,MAAM,IAAI,KAAK;AAC7B,UAAM,IAAI,MAAM,yBAAyB,IAAI,MAAM,MAAM,KAAK,EAAE;AAAA,EAClE;AAEA,SAAO,IAAI,KAAK;AAClB;AAoBA,eAAsB,YACpB,YACA,OACe;AACf,QAAM,MAAM,WAAW,qBAAqB;AAAA,IAC1C,QAAQ;AAAA,IACR,SAAS,EAAE,gBAAgB,oCAAoC;AAAA,IAC/D,MAAM,IAAI,gBAAgB,EAAE,MAAM,CAAC,EAAE,SAAS;AAAA,EAChD,CAAC;AACH;;;ACjGO,SAAS,mBAAmB,MAAmC;AACpE,MAAI,CAAC,MAAM;AACT,WAAO;AAAA,MACL;AAAA,MACA,aAAa;AAAA,MACb,cAAc;AAAA,MACd,SAAS;AAAA,MACT,WAAW;AAAA,MACX,MAAM;AAAA,IACR;AAAA,EACF;AAEA,SAAO;AAAA,IACL;AAAA,IACA,aAAa,KAAK;AAAA,IAClB,cAAc,KAAK;AAAA,IACnB,SAAS,KAAK;AAAA,IACd,WAAW,KAAK;AAAA,IAChB,MAAM;AAAA;AAAA,EACR;AACF;AAEO,SAAS,eAAe,WAA4B;AAEzD,SAAO,KAAK,IAAI,IAAI,OAAQ,YAAY;AAC1C;","names":[]}

package/dist/chunk-UY6NEM2T.js.map DELETED Viewed

@@ -1 +0,0 @@

- {"version":3,"sources":["../src/types.ts"],"sourcesContent":["export interface AuthgearConfig {\n /** Authgear endpoint, e.g. \"https://myapp.authgear.cloud\" */\n endpoint: string;\n /** OAuth client ID */\n clientID: string;\n /** OAuth client secret (for confidential server-side clients) */\n clientSecret?: string;\n /** Redirect URI for OAuth callback, e.g. \"http://localhost:3000/api/auth/callback\" */\n redirectURI: string;\n /** Where to redirect after logout */\n postLogoutRedirectURI?: string;\n /** OAuth scopes. Defaults to [\"openid\", \"offline_access\", \"https://authgear.com/scopes/full-userinfo\"] */\n scopes?: string[];\n /** Secret key for encrypting session cookie (min 32 chars) */\n sessionSecret: string;\n /** Session cookie name. Defaults to \"authgear.session\" */\n cookieName?: string;\n}\n\n/**\n * Pages that can be opened via open().\n */\nexport enum Page {\n Settings = \"/settings\",\n}\n\nexport const DEFAULT_SCOPES = [\n \"openid\",\n \"offline_access\",\n \"https://authgear.com/scopes/full-userinfo\",\n];\n\nexport enum SessionState {\n Unknown = \"UNKNOWN\",\n NoSession = \"NO_SESSION\",\n Authenticated = \"AUTHENTICATED\",\n}\n\nexport interface SessionData {\n accessToken: string;\n refreshToken: string | null;\n idToken: string | null;\n expiresAt: number;\n}\n\nexport interface Session {\n state: SessionState;\n accessToken: string | null;\n refreshToken: string | null;\n idToken: string | null;\n expiresAt: number | null;\n user: UserInfo | null;\n}\n\nexport interface UserInfo {\n sub: string;\n email?: string;\n emailVerified?: boolean;\n phoneNumber?: string;\n phoneNumberVerified?: boolean;\n preferredUsername?: string;\n givenName?: string;\n familyName?: string;\n name?: string;\n picture?: string;\n roles?: string[];\n isAnonymous?: boolean;\n isVerified?: boolean;\n canReauthenticate?: boolean;\n customAttributes?: Record<string, unknown>;\n raw: Record<string, unknown>;\n}\n\nexport interface JWTPayload {\n sub: string;\n iss: string;\n aud: string | string[];\n exp: number;\n iat: number;\n jti?: string;\n client_id?: string;\n \"https://authgear.com/claims/user/is_anonymous\"?: boolean;\n \"https://authgear.com/claims/user/is_verified\"?: boolean;\n \"https://authgear.com/claims/user/can_reauthenticate\"?: boolean;\n \"https://authgear.com/claims/user/roles\"?: string[];\n [key: string]: unknown;\n}\n\nexport interface TokenResponse {\n access_token: string;\n token_type: string;\n expires_in: number;\n refresh_token?: string;\n id_token?: string;\n}\n\nexport interface AppSessionTokenResponse {\n app_session_token: string;\n expire_at: string;\n}\n\nexport interface OIDCConfiguration {\n authorization_endpoint: string;\n token_endpoint: string;\n userinfo_endpoint: string;\n revocation_endpoint: string;\n end_session_endpoint: string;\n jwks_uri: string;\n issuer: string;\n}\n"],"mappings":";AAsBO,IAAK,OAAL,kBAAKA,UAAL;AACL,EAAAA,MAAA,cAAW;AADD,SAAAA;AAAA,GAAA;AAIL,IAAM,iBAAiB;AAAA,EAC5B;AAAA,EACA;AAAA,EACA;AACF;AAEO,IAAK,eAAL,kBAAKC,kBAAL;AACL,EAAAA,cAAA,aAAU;AACV,EAAAA,cAAA,eAAY;AACZ,EAAAA,cAAA,mBAAgB;AAHN,SAAAA;AAAA,GAAA;","names":["Page","SessionState"]}