@authgear/nextjs 0.1.8 → 0.3.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (24) hide show
  1. package/README.md +17 -31
  2. package/dist/{chunk-UY6NEM2T.js → chunk-CCQOLKXU.js} +7 -1
  3. package/dist/chunk-CCQOLKXU.js.map +1 -0
  4. package/dist/chunk-GXYXHQVJ.js +75 -0
  5. package/dist/chunk-GXYXHQVJ.js.map +1 -0
  6. package/dist/{chunk-MJD3XNUK.js → chunk-UERNRN5J.js} +18 -10
  7. package/dist/{chunk-MJD3XNUK.js.map → chunk-UERNRN5J.js.map} +1 -1
  8. package/dist/client.d.ts +8 -2
  9. package/dist/client.js +6 -1
  10. package/dist/client.js.map +1 -1
  11. package/dist/index.d.ts +2 -2
  12. package/dist/index.js +16 -38
  13. package/dist/index.js.map +1 -1
  14. package/dist/proxy.d.ts +1 -1
  15. package/dist/proxy.js +3 -4
  16. package/dist/proxy.js.map +1 -1
  17. package/dist/server.d.ts +30 -3
  18. package/dist/server.js +30 -7
  19. package/dist/server.js.map +1 -1
  20. package/dist/{types-Csfra4K2.d.ts → types-Cx-gnfE7.d.ts} +24 -4
  21. package/package.json +1 -1
  22. package/dist/chunk-3KVYAFQJ.js +0 -26
  23. package/dist/chunk-3KVYAFQJ.js.map +0 -1
  24. package/dist/chunk-UY6NEM2T.js.map +0 -1
package/README.md CHANGED
@@ -48,7 +48,6 @@ import type { AuthgearConfig } from "@authgear/nextjs";
48
48
  export const authgearConfig: AuthgearConfig = {
49
49
  endpoint: process.env.AUTHGEAR_ENDPOINT!, // e.g. "https://myapp.authgear.cloud"
50
50
  clientID: process.env.AUTHGEAR_CLIENT_ID!,
51
- clientSecret: process.env.AUTHGEAR_CLIENT_SECRET, // for confidential clients
52
51
  redirectURI: process.env.AUTHGEAR_REDIRECT_URI!, // e.g. "http://localhost:3000/api/auth/callback"
53
52
  sessionSecret: process.env.SESSION_SECRET!, // min 32 chars
54
53
  };
@@ -200,9 +199,10 @@ export async function callMyApiAction() {
200
199
 
201
200
  ### `@authgear/nextjs`
202
201
 
203
- | Export | Description |
204
- |---|---|
205
- | `createAuthgearHandlers(config)` | Returns `{ GET, POST }` for `app/api/auth/[...authgear]/route.ts` |
202
+ | Export | Kind | Values | Description |
203
+ |---|---|---|---|
204
+ | `createAuthgearHandlers(config)` | Function | — | Returns `{ GET, POST }` for `app/api/auth/[...authgear]/route.ts` |
205
+ | `PromptOption` | Enum | `"login"` \| `"none"` | Convenience constants for the OIDC `prompt` parameter. Pass to `signIn({ prompt: PromptOption.Login })` to force the login form for a specific sign-in call. |
206
206
 
207
207
  ### `@authgear/nextjs/server`
208
208
 
@@ -211,6 +211,7 @@ export async function callMyApiAction() {
211
211
  | `auth(config)` | Returns the current `Session`, auto-refreshes access token if expired |
212
212
  | `currentUser(config)` | Returns `UserInfo \| null`, auto-refreshes access token if expired |
213
213
  | `verifyAccessToken(token, config)` | Verifies a JWT Bearer token with JWKS, returns `JWTPayload` |
214
+ | `getOpenURL(page, config)` | Returns a URL to open an Authgear page (e.g. `Page.Settings`) with the user pre-authenticated |
214
215
 
215
216
  ### `@authgear/nextjs/client`
216
217
 
@@ -222,6 +223,16 @@ export async function callMyApiAction() {
222
223
  | `<SignInButton>` | Button that calls `signIn()` on click |
223
224
  | `<SignOutButton>` | Button that calls `signOut()` on click |
224
225
 
226
+ ### `SignInOptions`
227
+
228
+ Options accepted by `signIn()` (from `useAuthgear()`) and the `signInOptions` prop on `<SignInButton>`.
229
+
230
+ | Field | Type | Required | Default | Description |
231
+ |---|---|---|---|---|
232
+ | `returnTo` | `string` | No | — | Path to redirect to after sign-in. |
233
+ | `loginPath` | `string` | No | `"/api/auth/login"` | Override the login route for this call. |
234
+ | `prompt` | `string` | No | — | OIDC prompt value for this sign-in call. Use `PromptOption.Login` to force the login form. Overrides the global `isSSOEnabled` setting. |
235
+
225
236
  ### `@authgear/nextjs/proxy`
226
237
 
227
238
  | Export | Description |
@@ -244,41 +255,16 @@ export async function callMyApiAction() {
244
255
  | `clientID` | ✓ | OAuth client ID |
245
256
  | `redirectURI` | ✓ | OAuth callback URL, e.g. `"http://localhost:3000/api/auth/callback"` |
246
257
  | `sessionSecret` | ✓ | Secret for encrypting session cookie (min 32 chars) |
247
- | `clientSecret` | | OAuth client secret (for confidential clients) |
248
258
  | `postLogoutRedirectURI` | | Where to redirect after logout. Defaults to `"/"` |
249
259
  | `scopes` | | OAuth scopes. Defaults to `["openid", "offline_access", "https://authgear.com/scopes/full-userinfo"]` |
260
+ | `isSSOEnabled` | | When `false`, always shows the Authgear login form (`prompt=login`), even if the user has an existing Authgear session. Recommended for single-app deployments. Defaults to `true` |
250
261
  | `cookieName` | | Session cookie name. Defaults to `"authgear.session"` |
251
262
 
252
263
  ---
253
264
 
254
265
  ## Roadmap
255
266
 
256
- ### `open(page)` Open Authgear Settings Page
257
-
258
- > **Status: pending server-side enablement**
259
-
260
- The SDK has a planned `getOpenURL(page, config)` function (modelled after [`authgear.open(Page.Settings)`](https://docs.authgear.com/get-started/single-page-app/website#step-8-open-user-settings-page) in the web SDK) that opens the Authgear-hosted settings UI with the current user already authenticated — no re-login required.
261
-
262
- **How it will work:**
263
-
264
- ```ts
265
- // app/dashboard/actions.ts (Server Action)
266
- "use server";
267
- import { getOpenURL, Page } from "@authgear/nextjs/server";
268
- import { authgearConfig } from "@/lib/authgear";
269
-
270
- export async function getSettingsURLAction() {
271
- return getOpenURL(Page.Settings, authgearConfig);
272
- }
273
- ```
274
-
275
- ```tsx
276
- // Client component
277
- const url = await getSettingsURLAction();
278
- window.open(url, "_blank");
279
- ```
280
-
281
- **Blocker:** This feature exchanges the refresh token for an `app_session_token` via `POST /oauth2/app_session_token`. The Authgear server must grant the OAuth client **"full user access"** permission before this endpoint is accessible. Once that server-side configuration is in place, the implementation in `src/server.ts` can be uncommented and released.
267
+ This SDK is actively maintained. Feature requests and contributions are welcome via [GitHub Issues](https://github.com/authgear/authgear-sdk-nextjs/issues).
282
268
 
283
269
  ---
284
270
 
package/dist/{chunk-UY6NEM2T.js → chunk-CCQOLKXU.js} RENAMED
@@ -3,6 +3,11 @@ var Page = /* @__PURE__ */ ((Page2) => {
3
3
  Page2["Settings"] = "/settings";
4
4
  return Page2;
5
5
  })(Page || {});
6
+ var PromptOption = /* @__PURE__ */ ((PromptOption2) => {
7
+ PromptOption2["Login"] = "login";
8
+ PromptOption2["None"] = "none";
9
+ return PromptOption2;
10
+ })(PromptOption || {});
6
11
  var DEFAULT_SCOPES = [
7
12
  "openid",
8
13
  "offline_access",
@@ -17,7 +22,8 @@ var SessionState = /* @__PURE__ */ ((SessionState2) => {
17
22
 
18
23
  export {
19
24
  Page,
25
+ PromptOption,
20
26
  DEFAULT_SCOPES,
21
27
  SessionState
22
28
  };
23
- //# sourceMappingURL=chunk-UY6NEM2T.js.map
29
+ //# sourceMappingURL=chunk-CCQOLKXU.js.map
package/dist/chunk-CCQOLKXU.js.map ADDED
@@ -0,0 +1 @@
1
+ {"version":3,"sources":["../src/types.ts"],"sourcesContent":["export interface AuthgearConfig {\n /** Authgear endpoint, e.g. \"https://myapp.authgear.cloud\" */\n endpoint: string;\n /** OAuth client ID */\n clientID: string;\n /** Redirect URI for OAuth callback, e.g. \"http://localhost:3000/api/auth/callback\" */\n redirectURI: string;\n /** Where to redirect after logout */\n postLogoutRedirectURI?: string;\n /** OAuth scopes. Defaults to [\"openid\", \"offline_access\", \"https://authgear.com/scopes/full-userinfo\"] */\n scopes?: string[];\n /** Secret key for encrypting session cookie (min 32 chars) */\n sessionSecret: string;\n /** Session cookie name. Defaults to \"authgear.session\" */\n cookieName?: string;\n /**\n * Whether to enable SSO (Single Sign-On) with other apps on the same Authgear tenant.\n * When `true` (default), Authgear silently reuses its server-side session if the user\n * is already logged in, so users are not prompted for credentials again.\n * Set to `false` to always show the login form (`prompt=login`), which is recommended\n * for single-app deployments where silent sign-in feels unexpected to the user.\n * Defaults to `true`.\n */\n isSSOEnabled?: boolean;\n}\n\n/**\n * Pages that can be opened via `getOpenURL` from `@authgear/nextjs/server`.\n */\nexport enum Page {\n Settings = \"/settings\",\n}\n\n/**\n * OIDC `prompt` parameter values.\n * Pass to `signIn({ prompt })` or `SignInButton signInOptions={{ prompt }}` to control\n * whether Authgear shows the login form for a specific authentication call.\n *\n * @see https://docs.authgear.com/authentication-and-access/single-sign-on/force-authgear-to-show-login-page\n */\nexport enum PromptOption {\n /** Always show the login form, even if the user has an active Authgear session. */\n Login = \"login\",\n /** Never show the login form; return an error if the user is not already authenticated. */\n None = \"none\",\n}\n\nexport const DEFAULT_SCOPES = [\n \"openid\",\n \"offline_access\",\n \"https://authgear.com/scopes/full-userinfo\",\n];\n\nexport enum SessionState {\n Unknown = \"UNKNOWN\",\n NoSession = \"NO_SESSION\",\n Authenticated = \"AUTHENTICATED\",\n}\n\nexport interface SessionData {\n accessToken: string;\n refreshToken: string | null;\n idToken: string | null;\n expiresAt: number;\n}\n\nexport interface Session {\n state: SessionState;\n accessToken: string | null;\n refreshToken: string | null;\n idToken: string | null;\n expiresAt: number | null;\n user: UserInfo | null;\n}\n\nexport interface UserInfo {\n sub: string;\n email?: string;\n emailVerified?: boolean;\n phoneNumber?: string;\n phoneNumberVerified?: boolean;\n preferredUsername?: string;\n givenName?: string;\n familyName?: string;\n name?: string;\n picture?: string;\n roles?: string[];\n isAnonymous?: boolean;\n isVerified?: boolean;\n canReauthenticate?: boolean;\n customAttributes?: Record<string, unknown>;\n raw: Record<string, unknown>;\n}\n\nexport interface JWTPayload {\n sub: string;\n iss: string;\n aud: string | string[];\n exp: number;\n iat: number;\n jti?: string;\n client_id?: string;\n \"https://authgear.com/claims/user/is_anonymous\"?: boolean;\n \"https://authgear.com/claims/user/is_verified\"?: boolean;\n \"https://authgear.com/claims/user/can_reauthenticate\"?: boolean;\n \"https://authgear.com/claims/user/roles\"?: string[];\n [key: string]: unknown;\n}\n\nexport interface TokenResponse {\n access_token: string;\n token_type: string;\n expires_in: number;\n refresh_token?: string;\n id_token?: string;\n}\n\nexport interface AppSessionTokenResponse {\n app_session_token: string;\n expire_at: string;\n}\n\nexport interface OIDCConfiguration {\n authorization_endpoint: string;\n token_endpoint: string;\n userinfo_endpoint: string;\n revocation_endpoint: string;\n end_session_endpoint: string;\n jwks_uri: string;\n issuer: string;\n}\n"],"mappings":";AA6BO,IAAK,OAAL,kBAAKA,UAAL;AACL,EAAAA,MAAA,cAAW;AADD,SAAAA;AAAA,GAAA;AAWL,IAAK,eAAL,kBAAKC,kBAAL;AAEL,EAAAA,cAAA,WAAQ;AAER,EAAAA,cAAA,UAAO;AAJG,SAAAA;AAAA,GAAA;AAOL,IAAM,iBAAiB;AAAA,EAC5B;AAAA,EACA;AAAA,EACA;AACF;AAEO,IAAK,eAAL,kBAAKC,kBAAL;AACL,EAAAA,cAAA,aAAU;AACV,EAAAA,cAAA,eAAY;AACZ,EAAAA,cAAA,mBAAgB;AAHN,SAAAA;AAAA,GAAA;","names":["Page","PromptOption","SessionState"]}
package/dist/chunk-GXYXHQVJ.js ADDED
@@ -0,0 +1,75 @@
1
+ // src/oauth/authorize.ts
2
+ import { randomBytes as randomBytes2 } from "crypto";
3
+
4
+ // src/oauth/pkce.ts
5
+ import { randomBytes, createHash } from "crypto";
6
+ var VERIFIER_LENGTH = 64;
7
+ function generateCodeVerifier() {
8
+ return randomBytes(VERIFIER_LENGTH).toString("base64url").slice(0, VERIFIER_LENGTH);
9
+ }
10
+ function computeCodeChallenge(codeVerifier) {
11
+ return createHash("sha256").update(codeVerifier).digest("base64url");
12
+ }
13
+
14
+ // src/oauth/authorize.ts
15
+ function buildOpenURL(oidcConfig, params) {
16
+ const authorizationEndpoint = new URL(oidcConfig.authorization_endpoint);
17
+ const settingsURL = `${authorizationEndpoint.origin}${params.targetPath}`;
18
+ const loginHint = `https://authgear.com/login_hint?type=app_session_token&app_session_token=${encodeURIComponent(params.appSessionToken)}`;
19
+ const url = new URL(oidcConfig.authorization_endpoint);
20
+ url.searchParams.set("response_type", "none");
21
+ url.searchParams.set("client_id", params.clientID);
22
+ url.searchParams.set("redirect_uri", settingsURL);
23
+ url.searchParams.set("scope", params.scopes.join(" "));
24
+ url.searchParams.set("prompt", "none");
25
+ url.searchParams.set("login_hint", loginHint);
26
+ return url.toString();
27
+ }
28
+ function generateState() {
29
+ return randomBytes2(32).toString("base64url");
30
+ }
31
+ function buildAuthorizeURL(oidcConfig, params) {
32
+ const url = new URL(oidcConfig.authorization_endpoint);
33
+ url.searchParams.set("response_type", "code");
34
+ url.searchParams.set("client_id", params.clientID);
35
+ url.searchParams.set("redirect_uri", params.redirectURI);
36
+ url.searchParams.set("scope", params.scopes.join(" "));
37
+ url.searchParams.set("code_challenge", computeCodeChallenge(params.codeVerifier));
38
+ url.searchParams.set("code_challenge_method", "S256");
39
+ url.searchParams.set("state", params.state);
40
+ if (params.prompt) {
41
+ url.searchParams.set("prompt", params.prompt);
42
+ }
43
+ return url.toString();
44
+ }
45
+
46
+ // src/user.ts
47
+ function parseUserInfo(raw) {
48
+ return {
49
+ sub: raw["sub"],
50
+ email: raw["email"],
51
+ emailVerified: raw["email_verified"],
52
+ phoneNumber: raw["phone_number"],
53
+ phoneNumberVerified: raw["phone_number_verified"],
54
+ preferredUsername: raw["preferred_username"],
55
+ givenName: raw["given_name"],
56
+ familyName: raw["family_name"],
57
+ name: raw["name"],
58
+ picture: raw["picture"],
59
+ roles: raw["https://authgear.com/claims/user/roles"],
60
+ isAnonymous: raw["https://authgear.com/claims/user/is_anonymous"],
61
+ isVerified: raw["https://authgear.com/claims/user/is_verified"],
62
+ canReauthenticate: raw["https://authgear.com/claims/user/can_reauthenticate"],
63
+ customAttributes: raw["custom_attributes"],
64
+ raw
65
+ };
66
+ }
67
+
68
+ export {
69
+ generateCodeVerifier,
70
+ buildOpenURL,
71
+ generateState,
72
+ buildAuthorizeURL,
73
+ parseUserInfo
74
+ };
75
+ //# sourceMappingURL=chunk-GXYXHQVJ.js.map
package/dist/chunk-GXYXHQVJ.js.map ADDED
@@ -0,0 +1 @@
1
+ {"version":3,"sources":["../src/oauth/authorize.ts","../src/oauth/pkce.ts","../src/user.ts"],"sourcesContent":["import { randomBytes } from \"node:crypto\";\nimport type { OIDCConfiguration } from \"../types.js\";\nimport { computeCodeChallenge } from \"./pkce.js\";\n\n/**\n * Build the URL to open an Authgear page (e.g. /settings) with the user\n * already authenticated via an app session token.\n */\nexport function buildOpenURL(\n oidcConfig: OIDCConfiguration,\n params: {\n clientID: string;\n appSessionToken: string;\n targetPath: string; // e.g. \"/settings\"\n scopes: string[];\n },\n): string {\n const authorizationEndpoint = new URL(oidcConfig.authorization_endpoint);\n const settingsURL = `${authorizationEndpoint.origin}${params.targetPath}`;\n const loginHint = `https://authgear.com/login_hint?type=app_session_token&app_session_token=${encodeURIComponent(params.appSessionToken)}`;\n\n const url = new URL(oidcConfig.authorization_endpoint);\n url.searchParams.set(\"response_type\", \"none\");\n url.searchParams.set(\"client_id\", params.clientID);\n url.searchParams.set(\"redirect_uri\", settingsURL);\n url.searchParams.set(\"scope\", params.scopes.join(\" \"));\n url.searchParams.set(\"prompt\", \"none\");\n url.searchParams.set(\"login_hint\", loginHint);\n return url.toString();\n}\n\nexport interface AuthorizeParams {\n clientID: string;\n redirectURI: string;\n scopes: string[];\n codeVerifier: string;\n state: string;\n prompt?: string;\n}\n\nexport function generateState(): string {\n return randomBytes(32).toString(\"base64url\");\n}\n\nexport function buildAuthorizeURL(\n oidcConfig: OIDCConfiguration,\n params: AuthorizeParams,\n): string {\n const url = new URL(oidcConfig.authorization_endpoint);\n url.searchParams.set(\"response_type\", \"code\");\n url.searchParams.set(\"client_id\", params.clientID);\n url.searchParams.set(\"redirect_uri\", params.redirectURI);\n url.searchParams.set(\"scope\", params.scopes.join(\" \"));\n url.searchParams.set(\"code_challenge\", computeCodeChallenge(params.codeVerifier));\n url.searchParams.set(\"code_challenge_method\", \"S256\");\n url.searchParams.set(\"state\", params.state);\n if (params.prompt) {\n url.searchParams.set(\"prompt\", params.prompt);\n }\n return url.toString();\n}\n","import { randomBytes, createHash } from \"node:crypto\";\n\nconst VERIFIER_LENGTH = 64;\n\nexport function generateCodeVerifier(): string {\n return randomBytes(VERIFIER_LENGTH)\n .toString(\"base64url\")\n .slice(0, VERIFIER_LENGTH);\n}\n\nexport function computeCodeChallenge(codeVerifier: string): string {\n return createHash(\"sha256\").update(codeVerifier).digest(\"base64url\");\n}\n","import type { UserInfo } from \"./types.js\";\n\nexport function parseUserInfo(raw: Record<string, unknown>): UserInfo {\n return {\n sub: raw[\"sub\"] as string,\n email: raw[\"email\"] as string | undefined,\n emailVerified: raw[\"email_verified\"] as boolean | undefined,\n phoneNumber: raw[\"phone_number\"] as string | undefined,\n phoneNumberVerified: raw[\"phone_number_verified\"] as boolean | undefined,\n preferredUsername: raw[\"preferred_username\"] as string | undefined,\n givenName: raw[\"given_name\"] as string | undefined,\n familyName: raw[\"family_name\"] as string | undefined,\n name: raw[\"name\"] as string | undefined,\n picture: raw[\"picture\"] as string | undefined,\n roles: raw[\"https://authgear.com/claims/user/roles\"] as string[] | undefined,\n isAnonymous: raw[\"https://authgear.com/claims/user/is_anonymous\"] as boolean | undefined,\n isVerified: raw[\"https://authgear.com/claims/user/is_verified\"] as boolean | undefined,\n canReauthenticate: raw[\"https://authgear.com/claims/user/can_reauthenticate\"] as boolean | undefined,\n customAttributes: raw[\"custom_attributes\"] as Record<string, unknown> | undefined,\n raw,\n };\n}\n"],"mappings":";AAAA,SAAS,eAAAA,oBAAmB;;;ACA5B,SAAS,aAAa,kBAAkB;AAExC,IAAM,kBAAkB;AAEjB,SAAS,uBAA+B;AAC7C,SAAO,YAAY,eAAe,EAC/B,SAAS,WAAW,EACpB,MAAM,GAAG,eAAe;AAC7B;AAEO,SAAS,qBAAqB,cAA8B;AACjE,SAAO,WAAW,QAAQ,EAAE,OAAO,YAAY,EAAE,OAAO,WAAW;AACrE;;;ADJO,SAAS,aACd,YACA,QAMQ;AACR,QAAM,wBAAwB,IAAI,IAAI,WAAW,sBAAsB;AACvE,QAAM,cAAc,GAAG,sBAAsB,MAAM,GAAG,OAAO,UAAU;AACvE,QAAM,YAAY,4EAA4E,mBAAmB,OAAO,eAAe,CAAC;AAExI,QAAM,MAAM,IAAI,IAAI,WAAW,sBAAsB;AACrD,MAAI,aAAa,IAAI,iBAAiB,MAAM;AAC5C,MAAI,aAAa,IAAI,aAAa,OAAO,QAAQ;AACjD,MAAI,aAAa,IAAI,gBAAgB,WAAW;AAChD,MAAI,aAAa,IAAI,SAAS,OAAO,OAAO,KAAK,GAAG,CAAC;AACrD,MAAI,aAAa,IAAI,UAAU,MAAM;AACrC,MAAI,aAAa,IAAI,cAAc,SAAS;AAC5C,SAAO,IAAI,SAAS;AACtB;AAWO,SAAS,gBAAwB;AACtC,SAAOC,aAAY,EAAE,EAAE,SAAS,WAAW;AAC7C;AAEO,SAAS,kBACd,YACA,QACQ;AACR,QAAM,MAAM,IAAI,IAAI,WAAW,sBAAsB;AACrD,MAAI,aAAa,IAAI,iBAAiB,MAAM;AAC5C,MAAI,aAAa,IAAI,aAAa,OAAO,QAAQ;AACjD,MAAI,aAAa,IAAI,gBAAgB,OAAO,WAAW;AACvD,MAAI,aAAa,IAAI,SAAS,OAAO,OAAO,KAAK,GAAG,CAAC;AACrD,MAAI,aAAa,IAAI,kBAAkB,qBAAqB,OAAO,YAAY,CAAC;AAChF,MAAI,aAAa,IAAI,yBAAyB,MAAM;AACpD,MAAI,aAAa,IAAI,SAAS,OAAO,KAAK;AAC1C,MAAI,OAAO,QAAQ;AACjB,QAAI,aAAa,IAAI,UAAU,OAAO,MAAM;AAAA,EAC9C;AACA,SAAO,IAAI,SAAS;AACtB;;;AE1DO,SAAS,cAAc,KAAwC;AACpE,SAAO;AAAA,IACL,KAAK,IAAI,KAAK;AAAA,IACd,OAAO,IAAI,OAAO;AAAA,IAClB,eAAe,IAAI,gBAAgB;AAAA,IACnC,aAAa,IAAI,cAAc;AAAA,IAC/B,qBAAqB,IAAI,uBAAuB;AAAA,IAChD,mBAAmB,IAAI,oBAAoB;AAAA,IAC3C,WAAW,IAAI,YAAY;AAAA,IAC3B,YAAY,IAAI,aAAa;AAAA,IAC7B,MAAM,IAAI,MAAM;AAAA,IAChB,SAAS,IAAI,SAAS;AAAA,IACtB,OAAO,IAAI,wCAAwC;AAAA,IACnD,aAAa,IAAI,+CAA+C;AAAA,IAChE,YAAY,IAAI,8CAA8C;AAAA,IAC9D,mBAAmB,IAAI,qDAAqD;AAAA,IAC5E,kBAAkB,IAAI,mBAAmB;AAAA,IACzC;AAAA,EACF;AACF;","names":["randomBytes","randomBytes"]}
package/dist/{chunk-MJD3XNUK.js → chunk-UERNRN5J.js} RENAMED
@@ -1,6 +1,6 @@
1
1
  import {
2
2
  DEFAULT_SCOPES
3
- } from "./chunk-UY6NEM2T.js";
3
+ } from "./chunk-CCQOLKXU.js";
4
4
 
5
5
  // src/config.ts
6
6
  function resolveConfig(config) {
@@ -13,12 +13,12 @@ function resolveConfig(config) {
13
13
  return {
14
14
  endpoint: config.endpoint.replace(/\/+$/, ""),
15
15
  clientID: config.clientID,
16
- clientSecret: config.clientSecret ?? "",
17
16
  redirectURI: config.redirectURI,
18
17
  postLogoutRedirectURI: config.postLogoutRedirectURI ?? "/",
19
18
  scopes: config.scopes ?? DEFAULT_SCOPES,
20
19
  sessionSecret: config.sessionSecret,
21
- cookieName: config.cookieName ?? "authgear.session"
20
+ cookieName: config.cookieName ?? "authgear.session",
21
+ isSSOEnabled: config.isSSOEnabled ?? true
22
22
  };
23
23
  }
24
24
 
@@ -142,9 +142,6 @@ async function exchangeCode(oidcConfig, params) {
142
142
  client_id: params.clientID,
143
143
  redirect_uri: params.redirectURI
144
144
  });
145
- if (params.clientSecret) {
146
- body.set("client_secret", params.clientSecret);
147
- }
148
145
  const res = await fetch(oidcConfig.token_endpoint, {
149
146
  method: "POST",
150
147
  headers: { "Content-Type": "application/x-www-form-urlencoded" },
@@ -162,9 +159,6 @@ async function refreshAccessToken(oidcConfig, params) {
162
159
  refresh_token: params.refreshToken,
163
160
  client_id: params.clientID
164
161
  });
165
- if (params.clientSecret) {
166
- body.set("client_secret", params.clientSecret);
167
- }
168
162
  const res = await fetch(oidcConfig.token_endpoint, {
169
163
  method: "POST",
170
164
  headers: { "Content-Type": "application/x-www-form-urlencoded" },
@@ -176,6 +170,19 @@ async function refreshAccessToken(oidcConfig, params) {
176
170
  }
177
171
  return res.json();
178
172
  }
173
+ async function getAppSessionToken(endpoint, refreshToken) {
174
+ const res = await fetch(`${endpoint}/oauth2/app_session_token`, {
175
+ method: "POST",
176
+ headers: { "Content-Type": "application/json" },
177
+ body: JSON.stringify({ refresh_token: refreshToken })
178
+ });
179
+ if (!res.ok) {
180
+ const error = await res.text();
181
+ throw new Error(`Failed to get app session token (${res.status}): ${error}`);
182
+ }
183
+ const json = await res.json();
184
+ return json.result;
185
+ }
179
186
  async function revokeToken(oidcConfig, token) {
180
187
  await fetch(oidcConfig.revocation_endpoint, {
181
188
  method: "POST",
@@ -220,8 +227,9 @@ export {
220
227
  decryptPKCECookie,
221
228
  exchangeCode,
222
229
  refreshAccessToken,
230
+ getAppSessionToken,
223
231
  revokeToken,
224
232
  deriveSessionState,
225
233
  isTokenExpired
226
234
  };
227
- //# sourceMappingURL=chunk-MJD3XNUK.js.map
235
+ //# sourceMappingURL=chunk-UERNRN5J.js.map
package/dist/{chunk-MJD3XNUK.js.map → chunk-UERNRN5J.js.map} RENAMED
@@ -1 +1 @@
1
- {"version":3,"sources":["../src/config.ts","../src/oauth/discovery.ts","../src/session/cookie.ts","../src/oauth/token.ts","../src/session/state.ts"],"sourcesContent":["import { type AuthgearConfig, DEFAULT_SCOPES } from \"./types.js\";\n\nexport function resolveConfig(config: AuthgearConfig): Required<AuthgearConfig> {\n if (!config.endpoint) throw new Error(\"AuthgearConfig: endpoint is required\");\n if (!config.clientID) throw new Error(\"AuthgearConfig: clientID is required\");\n if (!config.redirectURI) throw new Error(\"AuthgearConfig: redirectURI is required\");\n if (!config.sessionSecret || config.sessionSecret.length < 32) {\n throw new Error(\"AuthgearConfig: sessionSecret must be at least 32 characters\");\n }\n\n return {\n endpoint: config.endpoint.replace(/\\/+$/, \"\"),\n clientID: config.clientID,\n clientSecret: config.clientSecret ?? \"\",\n redirectURI: config.redirectURI,\n postLogoutRedirectURI: config.postLogoutRedirectURI ?? \"/\",\n scopes: config.scopes ?? DEFAULT_SCOPES,\n sessionSecret: config.sessionSecret,\n cookieName: config.cookieName ?? \"authgear.session\",\n };\n}\n","import type { OIDCConfiguration } from \"../types.js\";\n\nconst cache = new Map<string, { config: OIDCConfiguration; fetchedAt: number }>();\nconst CACHE_TTL_MS = 60 * 60 * 1000; // 1 hour\n\nexport async function fetchOIDCConfiguration(\n endpoint: string,\n): Promise<OIDCConfiguration> {\n const cached = cache.get(endpoint);\n if (cached && Date.now() - cached.fetchedAt < CACHE_TTL_MS) {\n return cached.config;\n }\n\n const url = `${endpoint}/.well-known/openid-configuration`;\n const res = await fetch(url);\n if (!res.ok) {\n throw new Error(`Failed to fetch OIDC configuration from ${url}: ${res.status}`);\n }\n\n const config = (await res.json()) as OIDCConfiguration;\n cache.set(endpoint, { config, fetchedAt: Date.now() });\n return config;\n}\n\n/** Clear cached OIDC configuration (useful for testing) */\nexport function clearOIDCCache(): void {\n cache.clear();\n}\n","import { createCipheriv, createDecipheriv, randomBytes, scryptSync } from \"node:crypto\";\nimport type { SessionData } from \"../types.js\";\n\nconst ALGORITHM = \"aes-256-gcm\";\nconst IV_LENGTH = 12;\nconst AUTH_TAG_LENGTH = 16;\nconst KEY_LENGTH = 32;\nconst SALT = \"authgear-nextjs-session\";\n\nfunction deriveKey(secret: string): Buffer {\n return scryptSync(secret, SALT, KEY_LENGTH);\n}\n\nexport function encryptSession(data: SessionData, secret: string): string {\n const key = deriveKey(secret);\n const iv = randomBytes(IV_LENGTH);\n const cipher = createCipheriv(ALGORITHM, key, iv, { authTagLength: AUTH_TAG_LENGTH });\n\n const json = JSON.stringify(data);\n const encrypted = Buffer.concat([cipher.update(json, \"utf8\"), cipher.final()]);\n const authTag = cipher.getAuthTag();\n\n // Format: base64(iv + authTag + encrypted)\n return Buffer.concat([iv, authTag, encrypted]).toString(\"base64url\");\n}\n\nexport function decryptSession(encrypted: string, secret: string): SessionData | null {\n try {\n const key = deriveKey(secret);\n const buf = Buffer.from(encrypted, \"base64url\");\n\n if (buf.length < IV_LENGTH + AUTH_TAG_LENGTH) return null;\n\n const iv = buf.subarray(0, IV_LENGTH);\n const authTag = buf.subarray(IV_LENGTH, IV_LENGTH + AUTH_TAG_LENGTH);\n const ciphertext = buf.subarray(IV_LENGTH + AUTH_TAG_LENGTH);\n\n const decipher = createDecipheriv(ALGORITHM, key, iv, { authTagLength: AUTH_TAG_LENGTH });\n decipher.setAuthTag(authTag);\n\n const decrypted = Buffer.concat([decipher.update(ciphertext), decipher.final()]);\n return JSON.parse(decrypted.toString(\"utf8\")) as SessionData;\n } catch {\n return null;\n }\n}\n\nexport interface CookieOptions {\n name: string;\n value: string;\n httpOnly?: boolean;\n secure?: boolean;\n sameSite?: \"lax\" | \"strict\" | \"none\";\n path?: string;\n maxAge?: number;\n}\n\nexport function buildSessionCookie(\n cookieName: string,\n data: SessionData,\n secret: string,\n): CookieOptions {\n return {\n name: cookieName,\n value: encryptSession(data, secret),\n httpOnly: true,\n secure: process.env.NODE_ENV === \"production\",\n sameSite: \"lax\",\n path: \"/\",\n maxAge: 30 * 24 * 60 * 60, // 30 days\n };\n}\n\nexport function buildClearCookie(cookieName: string): CookieOptions {\n return {\n name: cookieName,\n value: \"\",\n httpOnly: true,\n secure: process.env.NODE_ENV === \"production\",\n sameSite: \"lax\",\n path: \"/\",\n maxAge: 0,\n };\n}\n\nexport function buildPKCECookie(\n data: { codeVerifier: string; state: string; returnTo: string },\n secret: string,\n): CookieOptions {\n const key = deriveKey(secret);\n const iv = randomBytes(IV_LENGTH);\n const cipher = createCipheriv(ALGORITHM, key, iv, { authTagLength: AUTH_TAG_LENGTH });\n\n const json = JSON.stringify(data);\n const encrypted = Buffer.concat([cipher.update(json, \"utf8\"), cipher.final()]);\n const authTag = cipher.getAuthTag();\n\n return {\n name: \"authgear.pkce\",\n value: Buffer.concat([iv, authTag, encrypted]).toString(\"base64url\"),\n httpOnly: true,\n secure: process.env.NODE_ENV === \"production\",\n sameSite: \"lax\",\n path: \"/\",\n maxAge: 600, // 10 minutes\n };\n}\n\nexport function decryptPKCECookie(\n encrypted: string,\n secret: string,\n): { codeVerifier: string; state: string; returnTo: string } | null {\n try {\n const key = deriveKey(secret);\n const buf = Buffer.from(encrypted, \"base64url\");\n\n if (buf.length < IV_LENGTH + AUTH_TAG_LENGTH) return null;\n\n const iv = buf.subarray(0, IV_LENGTH);\n const authTag = buf.subarray(IV_LENGTH, IV_LENGTH + AUTH_TAG_LENGTH);\n const ciphertext = buf.subarray(IV_LENGTH + AUTH_TAG_LENGTH);\n\n const decipher = createDecipheriv(ALGORITHM, key, iv, { authTagLength: AUTH_TAG_LENGTH });\n decipher.setAuthTag(authTag);\n\n const decrypted = Buffer.concat([decipher.update(ciphertext), decipher.final()]);\n return JSON.parse(decrypted.toString(\"utf8\"));\n } catch {\n return null;\n }\n}\n","import type { OIDCConfiguration, TokenResponse, AppSessionTokenResponse } from \"../types.js\";\n\nexport interface ExchangeCodeParams {\n code: string;\n codeVerifier: string;\n clientID: string;\n clientSecret?: string;\n redirectURI: string;\n}\n\nexport interface RefreshTokenParams {\n refreshToken: string;\n clientID: string;\n clientSecret?: string;\n}\n\nexport async function exchangeCode(\n oidcConfig: OIDCConfiguration,\n params: ExchangeCodeParams,\n): Promise<TokenResponse> {\n const body = new URLSearchParams({\n grant_type: \"authorization_code\",\n code: params.code,\n code_verifier: params.codeVerifier,\n client_id: params.clientID,\n redirect_uri: params.redirectURI,\n });\n if (params.clientSecret) {\n body.set(\"client_secret\", params.clientSecret);\n }\n\n const res = await fetch(oidcConfig.token_endpoint, {\n method: \"POST\",\n headers: { \"Content-Type\": \"application/x-www-form-urlencoded\" },\n body: body.toString(),\n });\n\n if (!res.ok) {\n const error = await res.text();\n throw new Error(`Token exchange failed (${res.status}): ${error}`);\n }\n\n return res.json() as Promise<TokenResponse>;\n}\n\nexport async function refreshAccessToken(\n oidcConfig: OIDCConfiguration,\n params: RefreshTokenParams,\n): Promise<TokenResponse> {\n const body = new URLSearchParams({\n grant_type: \"refresh_token\",\n refresh_token: params.refreshToken,\n client_id: params.clientID,\n });\n if (params.clientSecret) {\n body.set(\"client_secret\", params.clientSecret);\n }\n\n const res = await fetch(oidcConfig.token_endpoint, {\n method: \"POST\",\n headers: { \"Content-Type\": \"application/x-www-form-urlencoded\" },\n body: body.toString(),\n });\n\n if (!res.ok) {\n const error = await res.text();\n throw new Error(`Token refresh failed (${res.status}): ${error}`);\n }\n\n return res.json() as Promise<TokenResponse>;\n}\n\nexport async function getAppSessionToken(\n endpoint: string,\n refreshToken: string,\n): Promise<AppSessionTokenResponse> {\n const res = await fetch(`${endpoint}/oauth2/app_session_token`, {\n method: \"POST\",\n headers: { \"Content-Type\": \"application/json\" },\n body: JSON.stringify({ refresh_token: refreshToken }),\n });\n\n if (!res.ok) {\n const error = await res.text();\n throw new Error(`Failed to get app session token (${res.status}): ${error}`);\n }\n\n return res.json() as Promise<AppSessionTokenResponse>;\n}\n\nexport async function revokeToken(\n oidcConfig: OIDCConfiguration,\n token: string,\n): Promise<void> {\n await fetch(oidcConfig.revocation_endpoint, {\n method: \"POST\",\n headers: { \"Content-Type\": \"application/x-www-form-urlencoded\" },\n body: new URLSearchParams({ token }).toString(),\n });\n}\n","import { SessionState, type SessionData, type Session } from \"../types.js\";\n\nexport function deriveSessionState(data: SessionData | null): Session {\n if (!data) {\n return {\n state: SessionState.NoSession,\n accessToken: null,\n refreshToken: null,\n idToken: null,\n expiresAt: null,\n user: null,\n };\n }\n\n return {\n state: SessionState.Authenticated,\n accessToken: data.accessToken,\n refreshToken: data.refreshToken,\n idToken: data.idToken,\n expiresAt: data.expiresAt,\n user: null, // User is fetched separately when needed\n };\n}\n\nexport function isTokenExpired(expiresAt: number): boolean {\n // Consider expired 30 seconds early for safety margin\n return Date.now() / 1000 >= expiresAt - 30;\n}\n"],"mappings":";;;;;AAEO,SAAS,cAAc,QAAkD;AAC9E,MAAI,CAAC,OAAO,SAAU,OAAM,IAAI,MAAM,sCAAsC;AAC5E,MAAI,CAAC,OAAO,SAAU,OAAM,IAAI,MAAM,sCAAsC;AAC5E,MAAI,CAAC,OAAO,YAAa,OAAM,IAAI,MAAM,yCAAyC;AAClF,MAAI,CAAC,OAAO,iBAAiB,OAAO,cAAc,SAAS,IAAI;AAC7D,UAAM,IAAI,MAAM,8DAA8D;AAAA,EAChF;AAEA,SAAO;AAAA,IACL,UAAU,OAAO,SAAS,QAAQ,QAAQ,EAAE;AAAA,IAC5C,UAAU,OAAO;AAAA,IACjB,cAAc,OAAO,gBAAgB;AAAA,IACrC,aAAa,OAAO;AAAA,IACpB,uBAAuB,OAAO,yBAAyB;AAAA,IACvD,QAAQ,OAAO,UAAU;AAAA,IACzB,eAAe,OAAO;AAAA,IACtB,YAAY,OAAO,cAAc;AAAA,EACnC;AACF;;;AClBA,IAAM,QAAQ,oBAAI,IAA8D;AAChF,IAAM,eAAe,KAAK,KAAK;AAE/B,eAAsB,uBACpB,UAC4B;AAC5B,QAAM,SAAS,MAAM,IAAI,QAAQ;AACjC,MAAI,UAAU,KAAK,IAAI,IAAI,OAAO,YAAY,cAAc;AAC1D,WAAO,OAAO;AAAA,EAChB;AAEA,QAAM,MAAM,GAAG,QAAQ;AACvB,QAAM,MAAM,MAAM,MAAM,GAAG;AAC3B,MAAI,CAAC,IAAI,IAAI;AACX,UAAM,IAAI,MAAM,2CAA2C,GAAG,KAAK,IAAI,MAAM,EAAE;AAAA,EACjF;AAEA,QAAM,SAAU,MAAM,IAAI,KAAK;AAC/B,QAAM,IAAI,UAAU,EAAE,QAAQ,WAAW,KAAK,IAAI,EAAE,CAAC;AACrD,SAAO;AACT;;;ACtBA,SAAS,gBAAgB,kBAAkB,aAAa,kBAAkB;AAG1E,IAAM,YAAY;AAClB,IAAM,YAAY;AAClB,IAAM,kBAAkB;AACxB,IAAM,aAAa;AACnB,IAAM,OAAO;AAEb,SAAS,UAAU,QAAwB;AACzC,SAAO,WAAW,QAAQ,MAAM,UAAU;AAC5C;AAEO,SAAS,eAAe,MAAmB,QAAwB;AACxE,QAAM,MAAM,UAAU,MAAM;AAC5B,QAAM,KAAK,YAAY,SAAS;AAChC,QAAM,SAAS,eAAe,WAAW,KAAK,IAAI,EAAE,eAAe,gBAAgB,CAAC;AAEpF,QAAM,OAAO,KAAK,UAAU,IAAI;AAChC,QAAM,YAAY,OAAO,OAAO,CAAC,OAAO,OAAO,MAAM,MAAM,GAAG,OAAO,MAAM,CAAC,CAAC;AAC7E,QAAM,UAAU,OAAO,WAAW;AAGlC,SAAO,OAAO,OAAO,CAAC,IAAI,SAAS,SAAS,CAAC,EAAE,SAAS,WAAW;AACrE;AAEO,SAAS,eAAe,WAAmB,QAAoC;AACpF,MAAI;AACF,UAAM,MAAM,UAAU,MAAM;AAC5B,UAAM,MAAM,OAAO,KAAK,WAAW,WAAW;AAE9C,QAAI,IAAI,SAAS,YAAY,gBAAiB,QAAO;AAErD,UAAM,KAAK,IAAI,SAAS,GAAG,SAAS;AACpC,UAAM,UAAU,IAAI,SAAS,WAAW,YAAY,eAAe;AACnE,UAAM,aAAa,IAAI,SAAS,YAAY,eAAe;AAE3D,UAAM,WAAW,iBAAiB,WAAW,KAAK,IAAI,EAAE,eAAe,gBAAgB,CAAC;AACxF,aAAS,WAAW,OAAO;AAE3B,UAAM,YAAY,OAAO,OAAO,CAAC,SAAS,OAAO,UAAU,GAAG,SAAS,MAAM,CAAC,CAAC;AAC/E,WAAO,KAAK,MAAM,UAAU,SAAS,MAAM,CAAC;AAAA,EAC9C,QAAQ;AACN,WAAO;AAAA,EACT;AACF;AAYO,SAAS,mBACd,YACA,MACA,QACe;AACf,SAAO;AAAA,IACL,MAAM;AAAA,IACN,OAAO,eAAe,MAAM,MAAM;AAAA,IAClC,UAAU;AAAA,IACV,QAAQ,QAAQ,IAAI,aAAa;AAAA,IACjC,UAAU;AAAA,IACV,MAAM;AAAA,IACN,QAAQ,KAAK,KAAK,KAAK;AAAA;AAAA,EACzB;AACF;AAEO,SAAS,iBAAiB,YAAmC;AAClE,SAAO;AAAA,IACL,MAAM;AAAA,IACN,OAAO;AAAA,IACP,UAAU;AAAA,IACV,QAAQ,QAAQ,IAAI,aAAa;AAAA,IACjC,UAAU;AAAA,IACV,MAAM;AAAA,IACN,QAAQ;AAAA,EACV;AACF;AAEO,SAAS,gBACd,MACA,QACe;AACf,QAAM,MAAM,UAAU,MAAM;AAC5B,QAAM,KAAK,YAAY,SAAS;AAChC,QAAM,SAAS,eAAe,WAAW,KAAK,IAAI,EAAE,eAAe,gBAAgB,CAAC;AAEpF,QAAM,OAAO,KAAK,UAAU,IAAI;AAChC,QAAM,YAAY,OAAO,OAAO,CAAC,OAAO,OAAO,MAAM,MAAM,GAAG,OAAO,MAAM,CAAC,CAAC;AAC7E,QAAM,UAAU,OAAO,WAAW;AAElC,SAAO;AAAA,IACL,MAAM;AAAA,IACN,OAAO,OAAO,OAAO,CAAC,IAAI,SAAS,SAAS,CAAC,EAAE,SAAS,WAAW;AAAA,IACnE,UAAU;AAAA,IACV,QAAQ,QAAQ,IAAI,aAAa;AAAA,IACjC,UAAU;AAAA,IACV,MAAM;AAAA,IACN,QAAQ;AAAA;AAAA,EACV;AACF;AAEO,SAAS,kBACd,WACA,QACkE;AAClE,MAAI;AACF,UAAM,MAAM,UAAU,MAAM;AAC5B,UAAM,MAAM,OAAO,KAAK,WAAW,WAAW;AAE9C,QAAI,IAAI,SAAS,YAAY,gBAAiB,QAAO;AAErD,UAAM,KAAK,IAAI,SAAS,GAAG,SAAS;AACpC,UAAM,UAAU,IAAI,SAAS,WAAW,YAAY,eAAe;AACnE,UAAM,aAAa,IAAI,SAAS,YAAY,eAAe;AAE3D,UAAM,WAAW,iBAAiB,WAAW,KAAK,IAAI,EAAE,eAAe,gBAAgB,CAAC;AACxF,aAAS,WAAW,OAAO;AAE3B,UAAM,YAAY,OAAO,OAAO,CAAC,SAAS,OAAO,UAAU,GAAG,SAAS,MAAM,CAAC,CAAC;AAC/E,WAAO,KAAK,MAAM,UAAU,SAAS,MAAM,CAAC;AAAA,EAC9C,QAAQ;AACN,WAAO;AAAA,EACT;AACF;;;AClHA,eAAsB,aACpB,YACA,QACwB;AACxB,QAAM,OAAO,IAAI,gBAAgB;AAAA,IAC/B,YAAY;AAAA,IACZ,MAAM,OAAO;AAAA,IACb,eAAe,OAAO;AAAA,IACtB,WAAW,OAAO;AAAA,IAClB,cAAc,OAAO;AAAA,EACvB,CAAC;AACD,MAAI,OAAO,cAAc;AACvB,SAAK,IAAI,iBAAiB,OAAO,YAAY;AAAA,EAC/C;AAEA,QAAM,MAAM,MAAM,MAAM,WAAW,gBAAgB;AAAA,IACjD,QAAQ;AAAA,IACR,SAAS,EAAE,gBAAgB,oCAAoC;AAAA,IAC/D,MAAM,KAAK,SAAS;AAAA,EACtB,CAAC;AAED,MAAI,CAAC,IAAI,IAAI;AACX,UAAM,QAAQ,MAAM,IAAI,KAAK;AAC7B,UAAM,IAAI,MAAM,0BAA0B,IAAI,MAAM,MAAM,KAAK,EAAE;AAAA,EACnE;AAEA,SAAO,IAAI,KAAK;AAClB;AAEA,eAAsB,mBACpB,YACA,QACwB;AACxB,QAAM,OAAO,IAAI,gBAAgB;AAAA,IAC/B,YAAY;AAAA,IACZ,eAAe,OAAO;AAAA,IACtB,WAAW,OAAO;AAAA,EACpB,CAAC;AACD,MAAI,OAAO,cAAc;AACvB,SAAK,IAAI,iBAAiB,OAAO,YAAY;AAAA,EAC/C;AAEA,QAAM,MAAM,MAAM,MAAM,WAAW,gBAAgB;AAAA,IACjD,QAAQ;AAAA,IACR,SAAS,EAAE,gBAAgB,oCAAoC;AAAA,IAC/D,MAAM,KAAK,SAAS;AAAA,EACtB,CAAC;AAED,MAAI,CAAC,IAAI,IAAI;AACX,UAAM,QAAQ,MAAM,IAAI,KAAK;AAC7B,UAAM,IAAI,MAAM,yBAAyB,IAAI,MAAM,MAAM,KAAK,EAAE;AAAA,EAClE;AAEA,SAAO,IAAI,KAAK;AAClB;AAoBA,eAAsB,YACpB,YACA,OACe;AACf,QAAM,MAAM,WAAW,qBAAqB;AAAA,IAC1C,QAAQ;AAAA,IACR,SAAS,EAAE,gBAAgB,oCAAoC;AAAA,IAC/D,MAAM,IAAI,gBAAgB,EAAE,MAAM,CAAC,EAAE,SAAS;AAAA,EAChD,CAAC;AACH;;;ACjGO,SAAS,mBAAmB,MAAmC;AACpE,MAAI,CAAC,MAAM;AACT,WAAO;AAAA,MACL;AAAA,MACA,aAAa;AAAA,MACb,cAAc;AAAA,MACd,SAAS;AAAA,MACT,WAAW;AAAA,MACX,MAAM;AAAA,IACR;AAAA,EACF;AAEA,SAAO;AAAA,IACL;AAAA,IACA,aAAa,KAAK;AAAA,IAClB,cAAc,KAAK;AAAA,IACnB,SAAS,KAAK;AAAA,IACd,WAAW,KAAK;AAAA,IAChB,MAAM;AAAA;AAAA,EACR;AACF;AAEO,SAAS,eAAe,WAA4B;AAEzD,SAAO,KAAK,IAAI,IAAI,OAAQ,YAAY;AAC1C;","names":[]}
1
+ {"version":3,"sources":["../src/config.ts","../src/oauth/discovery.ts","../src/session/cookie.ts","../src/oauth/token.ts","../src/session/state.ts"],"sourcesContent":["import { type AuthgearConfig, DEFAULT_SCOPES } from \"./types.js\";\n\nexport function resolveConfig(config: AuthgearConfig): Required<AuthgearConfig> {\n if (!config.endpoint) throw new Error(\"AuthgearConfig: endpoint is required\");\n if (!config.clientID) throw new Error(\"AuthgearConfig: clientID is required\");\n if (!config.redirectURI) throw new Error(\"AuthgearConfig: redirectURI is required\");\n if (!config.sessionSecret || config.sessionSecret.length < 32) {\n throw new Error(\"AuthgearConfig: sessionSecret must be at least 32 characters\");\n }\n\n return {\n endpoint: config.endpoint.replace(/\\/+$/, \"\"),\n clientID: config.clientID,\n redirectURI: config.redirectURI,\n postLogoutRedirectURI: config.postLogoutRedirectURI ?? \"/\",\n scopes: config.scopes ?? DEFAULT_SCOPES,\n sessionSecret: config.sessionSecret,\n cookieName: config.cookieName ?? \"authgear.session\",\n isSSOEnabled: config.isSSOEnabled ?? true,\n };\n}\n","import type { OIDCConfiguration } from \"../types.js\";\n\nconst cache = new Map<string, { config: OIDCConfiguration; fetchedAt: number }>();\nconst CACHE_TTL_MS = 60 * 60 * 1000; // 1 hour\n\nexport async function fetchOIDCConfiguration(\n endpoint: string,\n): Promise<OIDCConfiguration> {\n const cached = cache.get(endpoint);\n if (cached && Date.now() - cached.fetchedAt < CACHE_TTL_MS) {\n return cached.config;\n }\n\n const url = `${endpoint}/.well-known/openid-configuration`;\n const res = await fetch(url);\n if (!res.ok) {\n throw new Error(`Failed to fetch OIDC configuration from ${url}: ${res.status}`);\n }\n\n const config = (await res.json()) as OIDCConfiguration;\n cache.set(endpoint, { config, fetchedAt: Date.now() });\n return config;\n}\n\n/** Clear cached OIDC configuration (useful for testing) */\nexport function clearOIDCCache(): void {\n cache.clear();\n}\n","import { createCipheriv, createDecipheriv, randomBytes, scryptSync } from \"node:crypto\";\nimport type { SessionData } from \"../types.js\";\n\nconst ALGORITHM = \"aes-256-gcm\";\nconst IV_LENGTH = 12;\nconst AUTH_TAG_LENGTH = 16;\nconst KEY_LENGTH = 32;\nconst SALT = \"authgear-nextjs-session\";\n\nfunction deriveKey(secret: string): Buffer {\n return scryptSync(secret, SALT, KEY_LENGTH);\n}\n\nexport function encryptSession(data: SessionData, secret: string): string {\n const key = deriveKey(secret);\n const iv = randomBytes(IV_LENGTH);\n const cipher = createCipheriv(ALGORITHM, key, iv, { authTagLength: AUTH_TAG_LENGTH });\n\n const json = JSON.stringify(data);\n const encrypted = Buffer.concat([cipher.update(json, \"utf8\"), cipher.final()]);\n const authTag = cipher.getAuthTag();\n\n // Format: base64(iv + authTag + encrypted)\n return Buffer.concat([iv, authTag, encrypted]).toString(\"base64url\");\n}\n\nexport function decryptSession(encrypted: string, secret: string): SessionData | null {\n try {\n const key = deriveKey(secret);\n const buf = Buffer.from(encrypted, \"base64url\");\n\n if (buf.length < IV_LENGTH + AUTH_TAG_LENGTH) return null;\n\n const iv = buf.subarray(0, IV_LENGTH);\n const authTag = buf.subarray(IV_LENGTH, IV_LENGTH + AUTH_TAG_LENGTH);\n const ciphertext = buf.subarray(IV_LENGTH + AUTH_TAG_LENGTH);\n\n const decipher = createDecipheriv(ALGORITHM, key, iv, { authTagLength: AUTH_TAG_LENGTH });\n decipher.setAuthTag(authTag);\n\n const decrypted = Buffer.concat([decipher.update(ciphertext), decipher.final()]);\n return JSON.parse(decrypted.toString(\"utf8\")) as SessionData;\n } catch {\n return null;\n }\n}\n\nexport interface CookieOptions {\n name: string;\n value: string;\n httpOnly?: boolean;\n secure?: boolean;\n sameSite?: \"lax\" | \"strict\" | \"none\";\n path?: string;\n maxAge?: number;\n}\n\nexport function buildSessionCookie(\n cookieName: string,\n data: SessionData,\n secret: string,\n): CookieOptions {\n return {\n name: cookieName,\n value: encryptSession(data, secret),\n httpOnly: true,\n secure: process.env.NODE_ENV === \"production\",\n sameSite: \"lax\",\n path: \"/\",\n maxAge: 30 * 24 * 60 * 60, // 30 days\n };\n}\n\nexport function buildClearCookie(cookieName: string): CookieOptions {\n return {\n name: cookieName,\n value: \"\",\n httpOnly: true,\n secure: process.env.NODE_ENV === \"production\",\n sameSite: \"lax\",\n path: \"/\",\n maxAge: 0,\n };\n}\n\nexport function buildPKCECookie(\n data: { codeVerifier: string; state: string; returnTo: string },\n secret: string,\n): CookieOptions {\n const key = deriveKey(secret);\n const iv = randomBytes(IV_LENGTH);\n const cipher = createCipheriv(ALGORITHM, key, iv, { authTagLength: AUTH_TAG_LENGTH });\n\n const json = JSON.stringify(data);\n const encrypted = Buffer.concat([cipher.update(json, \"utf8\"), cipher.final()]);\n const authTag = cipher.getAuthTag();\n\n return {\n name: \"authgear.pkce\",\n value: Buffer.concat([iv, authTag, encrypted]).toString(\"base64url\"),\n httpOnly: true,\n secure: process.env.NODE_ENV === \"production\",\n sameSite: \"lax\",\n path: \"/\",\n maxAge: 600, // 10 minutes\n };\n}\n\nexport function decryptPKCECookie(\n encrypted: string,\n secret: string,\n): { codeVerifier: string; state: string; returnTo: string } | null {\n try {\n const key = deriveKey(secret);\n const buf = Buffer.from(encrypted, \"base64url\");\n\n if (buf.length < IV_LENGTH + AUTH_TAG_LENGTH) return null;\n\n const iv = buf.subarray(0, IV_LENGTH);\n const authTag = buf.subarray(IV_LENGTH, IV_LENGTH + AUTH_TAG_LENGTH);\n const ciphertext = buf.subarray(IV_LENGTH + AUTH_TAG_LENGTH);\n\n const decipher = createDecipheriv(ALGORITHM, key, iv, { authTagLength: AUTH_TAG_LENGTH });\n decipher.setAuthTag(authTag);\n\n const decrypted = Buffer.concat([decipher.update(ciphertext), decipher.final()]);\n return JSON.parse(decrypted.toString(\"utf8\"));\n } catch {\n return null;\n }\n}\n","import type { OIDCConfiguration, TokenResponse, AppSessionTokenResponse } from \"../types.js\";\n\nexport interface ExchangeCodeParams {\n code: string;\n codeVerifier: string;\n clientID: string;\n redirectURI: string;\n}\n\nexport interface RefreshTokenParams {\n refreshToken: string;\n clientID: string;\n}\n\nexport async function exchangeCode(\n oidcConfig: OIDCConfiguration,\n params: ExchangeCodeParams,\n): Promise<TokenResponse> {\n const body = new URLSearchParams({\n grant_type: \"authorization_code\",\n code: params.code,\n code_verifier: params.codeVerifier,\n client_id: params.clientID,\n redirect_uri: params.redirectURI,\n });\n\n const res = await fetch(oidcConfig.token_endpoint, {\n method: \"POST\",\n headers: { \"Content-Type\": \"application/x-www-form-urlencoded\" },\n body: body.toString(),\n });\n\n if (!res.ok) {\n const error = await res.text();\n throw new Error(`Token exchange failed (${res.status}): ${error}`);\n }\n\n return res.json() as Promise<TokenResponse>;\n}\n\nexport async function refreshAccessToken(\n oidcConfig: OIDCConfiguration,\n params: RefreshTokenParams,\n): Promise<TokenResponse> {\n const body = new URLSearchParams({\n grant_type: \"refresh_token\",\n refresh_token: params.refreshToken,\n client_id: params.clientID,\n });\n\n const res = await fetch(oidcConfig.token_endpoint, {\n method: \"POST\",\n headers: { \"Content-Type\": \"application/x-www-form-urlencoded\" },\n body: body.toString(),\n });\n\n if (!res.ok) {\n const error = await res.text();\n throw new Error(`Token refresh failed (${res.status}): ${error}`);\n }\n\n return res.json() as Promise<TokenResponse>;\n}\n\nexport async function getAppSessionToken(\n endpoint: string,\n refreshToken: string,\n): Promise<AppSessionTokenResponse> {\n const res = await fetch(`${endpoint}/oauth2/app_session_token`, {\n method: \"POST\",\n headers: { \"Content-Type\": \"application/json\" },\n body: JSON.stringify({ refresh_token: refreshToken }),\n });\n\n if (!res.ok) {\n const error = await res.text();\n throw new Error(`Failed to get app session token (${res.status}): ${error}`);\n }\n\n const json = (await res.json()) as { result: AppSessionTokenResponse };\n return json.result;\n}\n\nexport async function revokeToken(\n oidcConfig: OIDCConfiguration,\n token: string,\n): Promise<void> {\n await fetch(oidcConfig.revocation_endpoint, {\n method: \"POST\",\n headers: { \"Content-Type\": \"application/x-www-form-urlencoded\" },\n body: new URLSearchParams({ token }).toString(),\n });\n}\n","import { SessionState, type SessionData, type Session } from \"../types.js\";\n\nexport function deriveSessionState(data: SessionData | null): Session {\n if (!data) {\n return {\n state: SessionState.NoSession,\n accessToken: null,\n refreshToken: null,\n idToken: null,\n expiresAt: null,\n user: null,\n };\n }\n\n return {\n state: SessionState.Authenticated,\n accessToken: data.accessToken,\n refreshToken: data.refreshToken,\n idToken: data.idToken,\n expiresAt: data.expiresAt,\n user: null, // User is fetched separately when needed\n };\n}\n\nexport function isTokenExpired(expiresAt: number): boolean {\n // Consider expired 30 seconds early for safety margin\n return Date.now() / 1000 >= expiresAt - 30;\n}\n"],"mappings":";;;;;AAEO,SAAS,cAAc,QAAkD;AAC9E,MAAI,CAAC,OAAO,SAAU,OAAM,IAAI,MAAM,sCAAsC;AAC5E,MAAI,CAAC,OAAO,SAAU,OAAM,IAAI,MAAM,sCAAsC;AAC5E,MAAI,CAAC,OAAO,YAAa,OAAM,IAAI,MAAM,yCAAyC;AAClF,MAAI,CAAC,OAAO,iBAAiB,OAAO,cAAc,SAAS,IAAI;AAC7D,UAAM,IAAI,MAAM,8DAA8D;AAAA,EAChF;AAEA,SAAO;AAAA,IACL,UAAU,OAAO,SAAS,QAAQ,QAAQ,EAAE;AAAA,IAC5C,UAAU,OAAO;AAAA,IACjB,aAAa,OAAO;AAAA,IACpB,uBAAuB,OAAO,yBAAyB;AAAA,IACvD,QAAQ,OAAO,UAAU;AAAA,IACzB,eAAe,OAAO;AAAA,IACtB,YAAY,OAAO,cAAc;AAAA,IACjC,cAAc,OAAO,gBAAgB;AAAA,EACvC;AACF;;;AClBA,IAAM,QAAQ,oBAAI,IAA8D;AAChF,IAAM,eAAe,KAAK,KAAK;AAE/B,eAAsB,uBACpB,UAC4B;AAC5B,QAAM,SAAS,MAAM,IAAI,QAAQ;AACjC,MAAI,UAAU,KAAK,IAAI,IAAI,OAAO,YAAY,cAAc;AAC1D,WAAO,OAAO;AAAA,EAChB;AAEA,QAAM,MAAM,GAAG,QAAQ;AACvB,QAAM,MAAM,MAAM,MAAM,GAAG;AAC3B,MAAI,CAAC,IAAI,IAAI;AACX,UAAM,IAAI,MAAM,2CAA2C,GAAG,KAAK,IAAI,MAAM,EAAE;AAAA,EACjF;AAEA,QAAM,SAAU,MAAM,IAAI,KAAK;AAC/B,QAAM,IAAI,UAAU,EAAE,QAAQ,WAAW,KAAK,IAAI,EAAE,CAAC;AACrD,SAAO;AACT;;;ACtBA,SAAS,gBAAgB,kBAAkB,aAAa,kBAAkB;AAG1E,IAAM,YAAY;AAClB,IAAM,YAAY;AAClB,IAAM,kBAAkB;AACxB,IAAM,aAAa;AACnB,IAAM,OAAO;AAEb,SAAS,UAAU,QAAwB;AACzC,SAAO,WAAW,QAAQ,MAAM,UAAU;AAC5C;AAEO,SAAS,eAAe,MAAmB,QAAwB;AACxE,QAAM,MAAM,UAAU,MAAM;AAC5B,QAAM,KAAK,YAAY,SAAS;AAChC,QAAM,SAAS,eAAe,WAAW,KAAK,IAAI,EAAE,eAAe,gBAAgB,CAAC;AAEpF,QAAM,OAAO,KAAK,UAAU,IAAI;AAChC,QAAM,YAAY,OAAO,OAAO,CAAC,OAAO,OAAO,MAAM,MAAM,GAAG,OAAO,MAAM,CAAC,CAAC;AAC7E,QAAM,UAAU,OAAO,WAAW;AAGlC,SAAO,OAAO,OAAO,CAAC,IAAI,SAAS,SAAS,CAAC,EAAE,SAAS,WAAW;AACrE;AAEO,SAAS,eAAe,WAAmB,QAAoC;AACpF,MAAI;AACF,UAAM,MAAM,UAAU,MAAM;AAC5B,UAAM,MAAM,OAAO,KAAK,WAAW,WAAW;AAE9C,QAAI,IAAI,SAAS,YAAY,gBAAiB,QAAO;AAErD,UAAM,KAAK,IAAI,SAAS,GAAG,SAAS;AACpC,UAAM,UAAU,IAAI,SAAS,WAAW,YAAY,eAAe;AACnE,UAAM,aAAa,IAAI,SAAS,YAAY,eAAe;AAE3D,UAAM,WAAW,iBAAiB,WAAW,KAAK,IAAI,EAAE,eAAe,gBAAgB,CAAC;AACxF,aAAS,WAAW,OAAO;AAE3B,UAAM,YAAY,OAAO,OAAO,CAAC,SAAS,OAAO,UAAU,GAAG,SAAS,MAAM,CAAC,CAAC;AAC/E,WAAO,KAAK,MAAM,UAAU,SAAS,MAAM,CAAC;AAAA,EAC9C,QAAQ;AACN,WAAO;AAAA,EACT;AACF;AAYO,SAAS,mBACd,YACA,MACA,QACe;AACf,SAAO;AAAA,IACL,MAAM;AAAA,IACN,OAAO,eAAe,MAAM,MAAM;AAAA,IAClC,UAAU;AAAA,IACV,QAAQ,QAAQ,IAAI,aAAa;AAAA,IACjC,UAAU;AAAA,IACV,MAAM;AAAA,IACN,QAAQ,KAAK,KAAK,KAAK;AAAA;AAAA,EACzB;AACF;AAEO,SAAS,iBAAiB,YAAmC;AAClE,SAAO;AAAA,IACL,MAAM;AAAA,IACN,OAAO;AAAA,IACP,UAAU;AAAA,IACV,QAAQ,QAAQ,IAAI,aAAa;AAAA,IACjC,UAAU;AAAA,IACV,MAAM;AAAA,IACN,QAAQ;AAAA,EACV;AACF;AAEO,SAAS,gBACd,MACA,QACe;AACf,QAAM,MAAM,UAAU,MAAM;AAC5B,QAAM,KAAK,YAAY,SAAS;AAChC,QAAM,SAAS,eAAe,WAAW,KAAK,IAAI,EAAE,eAAe,gBAAgB,CAAC;AAEpF,QAAM,OAAO,KAAK,UAAU,IAAI;AAChC,QAAM,YAAY,OAAO,OAAO,CAAC,OAAO,OAAO,MAAM,MAAM,GAAG,OAAO,MAAM,CAAC,CAAC;AAC7E,QAAM,UAAU,OAAO,WAAW;AAElC,SAAO;AAAA,IACL,MAAM;AAAA,IACN,OAAO,OAAO,OAAO,CAAC,IAAI,SAAS,SAAS,CAAC,EAAE,SAAS,WAAW;AAAA,IACnE,UAAU;AAAA,IACV,QAAQ,QAAQ,IAAI,aAAa;AAAA,IACjC,UAAU;AAAA,IACV,MAAM;AAAA,IACN,QAAQ;AAAA;AAAA,EACV;AACF;AAEO,SAAS,kBACd,WACA,QACkE;AAClE,MAAI;AACF,UAAM,MAAM,UAAU,MAAM;AAC5B,UAAM,MAAM,OAAO,KAAK,WAAW,WAAW;AAE9C,QAAI,IAAI,SAAS,YAAY,gBAAiB,QAAO;AAErD,UAAM,KAAK,IAAI,SAAS,GAAG,SAAS;AACpC,UAAM,UAAU,IAAI,SAAS,WAAW,YAAY,eAAe;AACnE,UAAM,aAAa,IAAI,SAAS,YAAY,eAAe;AAE3D,UAAM,WAAW,iBAAiB,WAAW,KAAK,IAAI,EAAE,eAAe,gBAAgB,CAAC;AACxF,aAAS,WAAW,OAAO;AAE3B,UAAM,YAAY,OAAO,OAAO,CAAC,SAAS,OAAO,UAAU,GAAG,SAAS,MAAM,CAAC,CAAC;AAC/E,WAAO,KAAK,MAAM,UAAU,SAAS,MAAM,CAAC;AAAA,EAC9C,QAAQ;AACN,WAAO;AAAA,EACT;AACF;;;ACpHA,eAAsB,aACpB,YACA,QACwB;AACxB,QAAM,OAAO,IAAI,gBAAgB;AAAA,IAC/B,YAAY;AAAA,IACZ,MAAM,OAAO;AAAA,IACb,eAAe,OAAO;AAAA,IACtB,WAAW,OAAO;AAAA,IAClB,cAAc,OAAO;AAAA,EACvB,CAAC;AAED,QAAM,MAAM,MAAM,MAAM,WAAW,gBAAgB;AAAA,IACjD,QAAQ;AAAA,IACR,SAAS,EAAE,gBAAgB,oCAAoC;AAAA,IAC/D,MAAM,KAAK,SAAS;AAAA,EACtB,CAAC;AAED,MAAI,CAAC,IAAI,IAAI;AACX,UAAM,QAAQ,MAAM,IAAI,KAAK;AAC7B,UAAM,IAAI,MAAM,0BAA0B,IAAI,MAAM,MAAM,KAAK,EAAE;AAAA,EACnE;AAEA,SAAO,IAAI,KAAK;AAClB;AAEA,eAAsB,mBACpB,YACA,QACwB;AACxB,QAAM,OAAO,IAAI,gBAAgB;AAAA,IAC/B,YAAY;AAAA,IACZ,eAAe,OAAO;AAAA,IACtB,WAAW,OAAO;AAAA,EACpB,CAAC;AAED,QAAM,MAAM,MAAM,MAAM,WAAW,gBAAgB;AAAA,IACjD,QAAQ;AAAA,IACR,SAAS,EAAE,gBAAgB,oCAAoC;AAAA,IAC/D,MAAM,KAAK,SAAS;AAAA,EACtB,CAAC;AAED,MAAI,CAAC,IAAI,IAAI;AACX,UAAM,QAAQ,MAAM,IAAI,KAAK;AAC7B,UAAM,IAAI,MAAM,yBAAyB,IAAI,MAAM,MAAM,KAAK,EAAE;AAAA,EAClE;AAEA,SAAO,IAAI,KAAK;AAClB;AAEA,eAAsB,mBACpB,UACA,cACkC;AAClC,QAAM,MAAM,MAAM,MAAM,GAAG,QAAQ,6BAA6B;AAAA,IAC9D,QAAQ;AAAA,IACR,SAAS,EAAE,gBAAgB,mBAAmB;AAAA,IAC9C,MAAM,KAAK,UAAU,EAAE,eAAe,aAAa,CAAC;AAAA,EACtD,CAAC;AAED,MAAI,CAAC,IAAI,IAAI;AACX,UAAM,QAAQ,MAAM,IAAI,KAAK;AAC7B,UAAM,IAAI,MAAM,oCAAoC,IAAI,MAAM,MAAM,KAAK,EAAE;AAAA,EAC7E;AAEA,QAAM,OAAQ,MAAM,IAAI,KAAK;AAC7B,SAAO,KAAK;AACd;AAEA,eAAsB,YACpB,YACA,OACe;AACf,QAAM,MAAM,WAAW,qBAAqB;AAAA,IAC1C,QAAQ;AAAA,IACR,SAAS,EAAE,gBAAgB,oCAAoC;AAAA,IAC/D,MAAM,IAAI,gBAAgB,EAAE,MAAM,CAAC,EAAE,SAAS;AAAA,EAChD,CAAC;AACH;;;AC1FO,SAAS,mBAAmB,MAAmC;AACpE,MAAI,CAAC,MAAM;AACT,WAAO;AAAA,MACL;AAAA,MACA,aAAa;AAAA,MACb,cAAc;AAAA,MACd,SAAS;AAAA,MACT,WAAW;AAAA,MACX,MAAM;AAAA,IACR;AAAA,EACF;AAEA,SAAO;AAAA,IACL;AAAA,IACA,aAAa,KAAK;AAAA,IAClB,cAAc,KAAK;AAAA,IACnB,SAAS,KAAK;AAAA,IACd,WAAW,KAAK;AAAA,IAChB,MAAM;AAAA;AAAA,EACR;AACF;AAEO,SAAS,eAAe,WAA4B;AAEzD,SAAO,KAAK,IAAI,IAAI,OAAQ,YAAY;AAC1C;","names":[]}
package/dist/client.d.ts CHANGED
@@ -1,11 +1,17 @@
1
1
  import * as react_jsx_runtime from 'react/jsx-runtime';
2
2
  import { ReactNode, ButtonHTMLAttributes } from 'react';
3
- import { b as SessionState, U as UserInfo } from './types-Csfra4K2.js';
4
- export { S as Session } from './types-Csfra4K2.js';
3
+ import { c as SessionState, U as UserInfo } from './types-Cx-gnfE7.js';
4
+ export { a as PromptOption, S as Session } from './types-Cx-gnfE7.js';
5
5
 
6
6
  interface SignInOptions {
7
7
  returnTo?: string;
8
8
  loginPath?: string;
9
+ /**
10
+ * OIDC `prompt` parameter for this sign-in call.
11
+ * Overrides the global `isSSOEnabled` setting for this navigation.
12
+ * Use `PromptOption.Login` or `PromptOption.None` for type-safe values.
13
+ */
14
+ prompt?: string;
9
15
  }
10
16
  interface AuthgearProviderProps {
11
17
  children: ReactNode;
package/dist/client.js CHANGED
@@ -1,7 +1,8 @@
1
1
  "use client";
2
2
  import {
3
+ PromptOption,
3
4
  SessionState
4
- } from "./chunk-UY6NEM2T.js";
5
+ } from "./chunk-CCQOLKXU.js";
5
6
 
6
7
  // src/components/AuthgearProvider.tsx
7
8
  import {
@@ -59,6 +60,9 @@ function AuthgearProvider({
59
60
  if (options?.returnTo) {
60
61
  url.searchParams.set("returnTo", options.returnTo);
61
62
  }
63
+ if (options?.prompt != null) {
64
+ url.searchParams.set("prompt", options.prompt);
65
+ }
62
66
  window.location.href = url.toString();
63
67
  },
64
68
  [loginPath]
@@ -110,6 +114,7 @@ function useUser() {
110
114
  }
111
115
  export {
112
116
  AuthgearProvider,
117
+ PromptOption,
113
118
  SessionState,
114
119
  SignInButton,
115
120
  SignOutButton,
package/dist/client.js.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"sources":["../src/components/AuthgearProvider.tsx","../src/components/SignInButton.tsx","../src/components/SignOutButton.tsx","../src/hooks/useAuthgear.ts","../src/hooks/useUser.ts"],"sourcesContent":["\"use client\";\n\nimport React, {\n createContext,\n useContext,\n useEffect,\n useState,\n useCallback,\n type ReactNode,\n} from \"react\";\nimport { SessionState, type UserInfo } from \"../types.js\";\n\nexport interface AuthgearContextValue {\n state: SessionState;\n user: UserInfo | null;\n isLoaded: boolean;\n signIn: (options?: SignInOptions) => void;\n signOut: () => void;\n}\n\nexport interface SignInOptions {\n returnTo?: string;\n loginPath?: string;\n}\n\nconst AuthgearContext = createContext<AuthgearContextValue | null>(null);\n\nexport interface AuthgearProviderProps {\n children: ReactNode;\n /** Path to the userinfo API route. Defaults to \"/api/auth/userinfo\". */\n userInfoPath?: string;\n /** Path to the login route. Defaults to \"/api/auth/login\". */\n loginPath?: string;\n /** Path to the logout route. Defaults to \"/api/auth/logout\". */\n logoutPath?: string;\n}\n\nexport function AuthgearProvider({\n children,\n userInfoPath = \"/api/auth/userinfo\",\n loginPath = \"/api/auth/login\",\n logoutPath = \"/api/auth/logout\",\n}: AuthgearProviderProps) {\n const [state, setState] = useState<SessionState>(SessionState.Unknown);\n const [user, setUser] = useState<UserInfo | null>(null);\n const [isLoaded, setIsLoaded] = useState(false);\n\n useEffect(() => {\n let cancelled = false;\n\n async function fetchSession() {\n try {\n const res = await fetch(userInfoPath);\n if (cancelled) return;\n\n if (res.ok) {\n const userInfo = (await res.json()) as UserInfo;\n setState(SessionState.Authenticated);\n setUser(userInfo);\n } else {\n setState(SessionState.NoSession);\n setUser(null);\n }\n } catch {\n if (!cancelled) {\n setState(SessionState.NoSession);\n setUser(null);\n }\n } finally {\n if (!cancelled) {\n setIsLoaded(true);\n }\n }\n }\n\n fetchSession();\n return () => { cancelled = true; };\n }, [userInfoPath]);\n\n const signIn = useCallback(\n (options?: SignInOptions) => {\n const path = options?.loginPath ?? loginPath;\n const url = new URL(path, window.location.origin);\n if (options?.returnTo) {\n url.searchParams.set(\"returnTo\", options.returnTo);\n }\n window.location.href = url.toString();\n },\n [loginPath],\n );\n\n const signOut = useCallback(() => {\n window.location.href = logoutPath;\n }, [logoutPath]);\n\n return (\n <AuthgearContext.Provider value={{ state, user, isLoaded, signIn, signOut }}>\n {children}\n </AuthgearContext.Provider>\n );\n}\n\nexport function useAuthgearContext(): AuthgearContextValue {\n const ctx = useContext(AuthgearContext);\n if (!ctx) {\n throw new Error(\"useAuthgearContext must be used within <AuthgearProvider>\");\n }\n return ctx;\n}\n","\"use client\";\n\nimport React, { type ButtonHTMLAttributes } from \"react\";\nimport { useAuthgearContext, type SignInOptions } from \"./AuthgearProvider.js\";\n\nexport interface SignInButtonProps extends ButtonHTMLAttributes<HTMLButtonElement> {\n signInOptions?: SignInOptions;\n}\n\nexport function SignInButton({ signInOptions, children = \"Sign In\", ...props }: SignInButtonProps) {\n const { signIn } = useAuthgearContext();\n return (\n <button {...props} onClick={() => signIn(signInOptions)}>\n {children}\n </button>\n );\n}\n","\"use client\";\n\nimport React, { type ButtonHTMLAttributes } from \"react\";\nimport { useAuthgearContext } from \"./AuthgearProvider.js\";\n\nexport type SignOutButtonProps = ButtonHTMLAttributes<HTMLButtonElement>;\n\nexport function SignOutButton({ children = \"Sign Out\", ...props }: SignOutButtonProps) {\n const { signOut } = useAuthgearContext();\n return (\n <button {...props} onClick={signOut}>\n {children}\n </button>\n );\n}\n","\"use client\";\n\nimport { useAuthgearContext, type SignInOptions } from \"../components/AuthgearProvider.js\";\nimport { SessionState, type UserInfo } from \"../types.js\";\n\nexport interface UseAuthgearReturn {\n /** Current session state */\n state: SessionState;\n /** Current user info, null if not authenticated */\n user: UserInfo | null;\n /** Whether the initial session check has completed */\n isLoaded: boolean;\n /** Whether the user is currently authenticated */\n isAuthenticated: boolean;\n /** Navigate to the sign-in page */\n signIn: (options?: SignInOptions) => void;\n /** Navigate to the sign-out endpoint */\n signOut: () => void;\n}\n\nexport function useAuthgear(): UseAuthgearReturn {\n const { state, user, isLoaded, signIn, signOut } = useAuthgearContext();\n\n return {\n state,\n user,\n isLoaded,\n isAuthenticated: state === SessionState.Authenticated,\n signIn,\n signOut,\n };\n}\n","\"use client\";\n\nimport { useAuthgearContext } from \"../components/AuthgearProvider.js\";\nimport type { UserInfo } from \"../types.js\";\n\n/** Returns the current user info, or null if not authenticated. */\nexport function useUser(): UserInfo | null {\n const { user } = useAuthgearContext();\n return user;\n}\n"],"mappings":";;;;;;AAEA;AAAA,EACE;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,OAEK;AAuFH;AAvEJ,IAAM,kBAAkB,cAA2C,IAAI;AAYhE,SAAS,iBAAiB;AAAA,EAC/B;AAAA,EACA,eAAe;AAAA,EACf,YAAY;AAAA,EACZ,aAAa;AACf,GAA0B;AACxB,QAAM,CAAC,OAAO,QAAQ,IAAI,gCAA2C;AACrE,QAAM,CAAC,MAAM,OAAO,IAAI,SAA0B,IAAI;AACtD,QAAM,CAAC,UAAU,WAAW,IAAI,SAAS,KAAK;AAE9C,YAAU,MAAM;AACd,QAAI,YAAY;AAEhB,mBAAe,eAAe;AAC5B,UAAI;AACF,cAAM,MAAM,MAAM,MAAM,YAAY;AACpC,YAAI,UAAW;AAEf,YAAI,IAAI,IAAI;AACV,gBAAM,WAAY,MAAM,IAAI,KAAK;AACjC,sDAAmC;AACnC,kBAAQ,QAAQ;AAAA,QAClB,OAAO;AACL,+CAA+B;AAC/B,kBAAQ,IAAI;AAAA,QACd;AAAA,MACF,QAAQ;AACN,YAAI,CAAC,WAAW;AACd,+CAA+B;AAC/B,kBAAQ,IAAI;AAAA,QACd;AAAA,MACF,UAAE;AACA,YAAI,CAAC,WAAW;AACd,sBAAY,IAAI;AAAA,QAClB;AAAA,MACF;AAAA,IACF;AAEA,iBAAa;AACb,WAAO,MAAM;AAAE,kBAAY;AAAA,IAAM;AAAA,EACnC,GAAG,CAAC,YAAY,CAAC;AAEjB,QAAM,SAAS;AAAA,IACb,CAAC,YAA4B;AAC3B,YAAM,OAAO,SAAS,aAAa;AACnC,YAAM,MAAM,IAAI,IAAI,MAAM,OAAO,SAAS,MAAM;AAChD,UAAI,SAAS,UAAU;AACrB,YAAI,aAAa,IAAI,YAAY,QAAQ,QAAQ;AAAA,MACnD;AACA,aAAO,SAAS,OAAO,IAAI,SAAS;AAAA,IACtC;AAAA,IACA,CAAC,SAAS;AAAA,EACZ;AAEA,QAAM,UAAU,YAAY,MAAM;AAChC,WAAO,SAAS,OAAO;AAAA,EACzB,GAAG,CAAC,UAAU,CAAC;AAEf,SACE,oBAAC,gBAAgB,UAAhB,EAAyB,OAAO,EAAE,OAAO,MAAM,UAAU,QAAQ,QAAQ,GACvE,UACH;AAEJ;AAEO,SAAS,qBAA2C;AACzD,QAAM,MAAM,WAAW,eAAe;AACtC,MAAI,CAAC,KAAK;AACR,UAAM,IAAI,MAAM,2DAA2D;AAAA,EAC7E;AACA,SAAO;AACT;;;AChGI,gBAAAA,YAAA;AAHG,SAAS,aAAa,EAAE,eAAe,WAAW,WAAW,GAAG,MAAM,GAAsB;AACjG,QAAM,EAAE,OAAO,IAAI,mBAAmB;AACtC,SACE,gBAAAA,KAAC,YAAQ,GAAG,OAAO,SAAS,MAAM,OAAO,aAAa,GACnD,UACH;AAEJ;;;ACNI,gBAAAC,YAAA;AAHG,SAAS,cAAc,EAAE,WAAW,YAAY,GAAG,MAAM,GAAuB;AACrF,QAAM,EAAE,QAAQ,IAAI,mBAAmB;AACvC,SACE,gBAAAA,KAAC,YAAQ,GAAG,OAAO,SAAS,SACzB,UACH;AAEJ;;;ACMO,SAAS,cAAiC;AAC/C,QAAM,EAAE,OAAO,MAAM,UAAU,QAAQ,QAAQ,IAAI,mBAAmB;AAEtE,SAAO;AAAA,IACL;AAAA,IACA;AAAA,IACA;AAAA,IACA,iBAAiB;AAAA,IACjB;AAAA,IACA;AAAA,EACF;AACF;;;ACzBO,SAAS,UAA2B;AACzC,QAAM,EAAE,KAAK,IAAI,mBAAmB;AACpC,SAAO;AACT;","names":["jsx","jsx"]}
1
+ {"version":3,"sources":["../src/components/AuthgearProvider.tsx","../src/components/SignInButton.tsx","../src/components/SignOutButton.tsx","../src/hooks/useAuthgear.ts","../src/hooks/useUser.ts"],"sourcesContent":["\"use client\";\n\nimport React, {\n createContext,\n useContext,\n useEffect,\n useState,\n useCallback,\n type ReactNode,\n} from \"react\";\nimport { SessionState, type UserInfo } from \"../types.js\";\n\nexport interface AuthgearContextValue {\n state: SessionState;\n user: UserInfo | null;\n isLoaded: boolean;\n signIn: (options?: SignInOptions) => void;\n signOut: () => void;\n}\n\nexport interface SignInOptions {\n returnTo?: string;\n loginPath?: string;\n /**\n * OIDC `prompt` parameter for this sign-in call.\n * Overrides the global `isSSOEnabled` setting for this navigation.\n * Use `PromptOption.Login` or `PromptOption.None` for type-safe values.\n */\n prompt?: string;\n}\n\nconst AuthgearContext = createContext<AuthgearContextValue | null>(null);\n\nexport interface AuthgearProviderProps {\n children: ReactNode;\n /** Path to the userinfo API route. Defaults to \"/api/auth/userinfo\". */\n userInfoPath?: string;\n /** Path to the login route. Defaults to \"/api/auth/login\". */\n loginPath?: string;\n /** Path to the logout route. Defaults to \"/api/auth/logout\". */\n logoutPath?: string;\n}\n\nexport function AuthgearProvider({\n children,\n userInfoPath = \"/api/auth/userinfo\",\n loginPath = \"/api/auth/login\",\n logoutPath = \"/api/auth/logout\",\n}: AuthgearProviderProps) {\n const [state, setState] = useState<SessionState>(SessionState.Unknown);\n const [user, setUser] = useState<UserInfo | null>(null);\n const [isLoaded, setIsLoaded] = useState(false);\n\n useEffect(() => {\n let cancelled = false;\n\n async function fetchSession() {\n try {\n const res = await fetch(userInfoPath);\n if (cancelled) return;\n\n if (res.ok) {\n const userInfo = (await res.json()) as UserInfo;\n setState(SessionState.Authenticated);\n setUser(userInfo);\n } else {\n setState(SessionState.NoSession);\n setUser(null);\n }\n } catch {\n if (!cancelled) {\n setState(SessionState.NoSession);\n setUser(null);\n }\n } finally {\n if (!cancelled) {\n setIsLoaded(true);\n }\n }\n }\n\n fetchSession();\n return () => { cancelled = true; };\n }, [userInfoPath]);\n\n const signIn = useCallback(\n (options?: SignInOptions) => {\n const path = options?.loginPath ?? loginPath;\n const url = new URL(path, window.location.origin);\n if (options?.returnTo) {\n url.searchParams.set(\"returnTo\", options.returnTo);\n }\n if (options?.prompt != null) {\n url.searchParams.set(\"prompt\", options.prompt);\n }\n window.location.href = url.toString();\n },\n [loginPath],\n );\n\n const signOut = useCallback(() => {\n window.location.href = logoutPath;\n }, [logoutPath]);\n\n return (\n <AuthgearContext.Provider value={{ state, user, isLoaded, signIn, signOut }}>\n {children}\n </AuthgearContext.Provider>\n );\n}\n\nexport function useAuthgearContext(): AuthgearContextValue {\n const ctx = useContext(AuthgearContext);\n if (!ctx) {\n throw new Error(\"useAuthgearContext must be used within <AuthgearProvider>\");\n }\n return ctx;\n}\n","\"use client\";\n\nimport React, { type ButtonHTMLAttributes } from \"react\";\nimport { useAuthgearContext, type SignInOptions } from \"./AuthgearProvider.js\";\n\nexport interface SignInButtonProps extends ButtonHTMLAttributes<HTMLButtonElement> {\n signInOptions?: SignInOptions;\n}\n\nexport function SignInButton({ signInOptions, children = \"Sign In\", ...props }: SignInButtonProps) {\n const { signIn } = useAuthgearContext();\n return (\n <button {...props} onClick={() => signIn(signInOptions)}>\n {children}\n </button>\n );\n}\n","\"use client\";\n\nimport React, { type ButtonHTMLAttributes } from \"react\";\nimport { useAuthgearContext } from \"./AuthgearProvider.js\";\n\nexport type SignOutButtonProps = ButtonHTMLAttributes<HTMLButtonElement>;\n\nexport function SignOutButton({ children = \"Sign Out\", ...props }: SignOutButtonProps) {\n const { signOut } = useAuthgearContext();\n return (\n <button {...props} onClick={signOut}>\n {children}\n </button>\n );\n}\n","\"use client\";\n\nimport { useAuthgearContext, type SignInOptions } from \"../components/AuthgearProvider.js\";\nimport { SessionState, type UserInfo } from \"../types.js\";\n\nexport interface UseAuthgearReturn {\n /** Current session state */\n state: SessionState;\n /** Current user info, null if not authenticated */\n user: UserInfo | null;\n /** Whether the initial session check has completed */\n isLoaded: boolean;\n /** Whether the user is currently authenticated */\n isAuthenticated: boolean;\n /** Navigate to the sign-in page */\n signIn: (options?: SignInOptions) => void;\n /** Navigate to the sign-out endpoint */\n signOut: () => void;\n}\n\nexport function useAuthgear(): UseAuthgearReturn {\n const { state, user, isLoaded, signIn, signOut } = useAuthgearContext();\n\n return {\n state,\n user,\n isLoaded,\n isAuthenticated: state === SessionState.Authenticated,\n signIn,\n signOut,\n };\n}\n","\"use client\";\n\nimport { useAuthgearContext } from \"../components/AuthgearProvider.js\";\nimport type { UserInfo } from \"../types.js\";\n\n/** Returns the current user info, or null if not authenticated. */\nexport function useUser(): UserInfo | null {\n const { user } = useAuthgearContext();\n return user;\n}\n"],"mappings":";;;;;;;AAEA;AAAA,EACE;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,OAEK;AAgGH;AA1EJ,IAAM,kBAAkB,cAA2C,IAAI;AAYhE,SAAS,iBAAiB;AAAA,EAC/B;AAAA,EACA,eAAe;AAAA,EACf,YAAY;AAAA,EACZ,aAAa;AACf,GAA0B;AACxB,QAAM,CAAC,OAAO,QAAQ,IAAI,gCAA2C;AACrE,QAAM,CAAC,MAAM,OAAO,IAAI,SAA0B,IAAI;AACtD,QAAM,CAAC,UAAU,WAAW,IAAI,SAAS,KAAK;AAE9C,YAAU,MAAM;AACd,QAAI,YAAY;AAEhB,mBAAe,eAAe;AAC5B,UAAI;AACF,cAAM,MAAM,MAAM,MAAM,YAAY;AACpC,YAAI,UAAW;AAEf,YAAI,IAAI,IAAI;AACV,gBAAM,WAAY,MAAM,IAAI,KAAK;AACjC,sDAAmC;AACnC,kBAAQ,QAAQ;AAAA,QAClB,OAAO;AACL,+CAA+B;AAC/B,kBAAQ,IAAI;AAAA,QACd;AAAA,MACF,QAAQ;AACN,YAAI,CAAC,WAAW;AACd,+CAA+B;AAC/B,kBAAQ,IAAI;AAAA,QACd;AAAA,MACF,UAAE;AACA,YAAI,CAAC,WAAW;AACd,sBAAY,IAAI;AAAA,QAClB;AAAA,MACF;AAAA,IACF;AAEA,iBAAa;AACb,WAAO,MAAM;AAAE,kBAAY;AAAA,IAAM;AAAA,EACnC,GAAG,CAAC,YAAY,CAAC;AAEjB,QAAM,SAAS;AAAA,IACb,CAAC,YAA4B;AAC3B,YAAM,OAAO,SAAS,aAAa;AACnC,YAAM,MAAM,IAAI,IAAI,MAAM,OAAO,SAAS,MAAM;AAChD,UAAI,SAAS,UAAU;AACrB,YAAI,aAAa,IAAI,YAAY,QAAQ,QAAQ;AAAA,MACnD;AACA,UAAI,SAAS,UAAU,MAAM;AAC3B,YAAI,aAAa,IAAI,UAAU,QAAQ,MAAM;AAAA,MAC/C;AACA,aAAO,SAAS,OAAO,IAAI,SAAS;AAAA,IACtC;AAAA,IACA,CAAC,SAAS;AAAA,EACZ;AAEA,QAAM,UAAU,YAAY,MAAM;AAChC,WAAO,SAAS,OAAO;AAAA,EACzB,GAAG,CAAC,UAAU,CAAC;AAEf,SACE,oBAAC,gBAAgB,UAAhB,EAAyB,OAAO,EAAE,OAAO,MAAM,UAAU,QAAQ,QAAQ,GACvE,UACH;AAEJ;AAEO,SAAS,qBAA2C;AACzD,QAAM,MAAM,WAAW,eAAe;AACtC,MAAI,CAAC,KAAK;AACR,UAAM,IAAI,MAAM,2DAA2D;AAAA,EAC7E;AACA,SAAO;AACT;;;ACzGI,gBAAAA,YAAA;AAHG,SAAS,aAAa,EAAE,eAAe,WAAW,WAAW,GAAG,MAAM,GAAsB;AACjG,QAAM,EAAE,OAAO,IAAI,mBAAmB;AACtC,SACE,gBAAAA,KAAC,YAAQ,GAAG,OAAO,SAAS,MAAM,OAAO,aAAa,GACnD,UACH;AAEJ;;;ACNI,gBAAAC,YAAA;AAHG,SAAS,cAAc,EAAE,WAAW,YAAY,GAAG,MAAM,GAAuB;AACrF,QAAM,EAAE,QAAQ,IAAI,mBAAmB;AACvC,SACE,gBAAAA,KAAC,YAAQ,GAAG,OAAO,SAAS,SACzB,UACH;AAEJ;;;ACMO,SAAS,cAAiC;AAC/C,QAAM,EAAE,OAAO,MAAM,UAAU,QAAQ,QAAQ,IAAI,mBAAmB;AAEtE,SAAO;AAAA,IACL;AAAA,IACA;AAAA,IACA;AAAA,IACA,iBAAiB;AAAA,IACjB;AAAA,IACA;AAAA,EACF;AACF;;;ACzBO,SAAS,UAA2B;AACzC,QAAM,EAAE,KAAK,IAAI,mBAAmB;AACpC,SAAO;AACT;","names":["jsx","jsx"]}
package/dist/index.d.ts CHANGED
@@ -1,6 +1,6 @@
1
1
  import { NextRequest, NextResponse } from 'next/server';
2
- import { A as AuthgearConfig } from './types-Csfra4K2.js';
3
- export { D as DEFAULT_SCOPES, J as JWTPayload, O as OIDCConfiguration, P as Page, S as Session, a as SessionData, b as SessionState, T as TokenResponse, U as UserInfo } from './types-Csfra4K2.js';
2
+ import { A as AuthgearConfig } from './types-Cx-gnfE7.js';
3
+ export { D as DEFAULT_SCOPES, J as JWTPayload, O as OIDCConfiguration, P as Page, a as PromptOption, S as Session, b as SessionData, c as SessionState, T as TokenResponse, U as UserInfo } from './types-Cx-gnfE7.js';
4
4
 
5
5
  /**
6
6
  * Creates Next.js route handlers for all Authgear auth endpoints.
package/dist/index.js CHANGED
@@ -1,6 +1,9 @@
1
1
  import {
2
+ buildAuthorizeURL,
3
+ generateCodeVerifier,
4
+ generateState,
2
5
  parseUserInfo
3
- } from "./chunk-3KVYAFQJ.js";
6
+ } from "./chunk-GXYXHQVJ.js";
4
7
  import {
5
8
  buildClearCookie,
6
9
  buildPKCECookie,
@@ -13,59 +16,36 @@ import {
13
16
  refreshAccessToken,
14
17
  resolveConfig,
15
18
  revokeToken
16
- } from "./chunk-MJD3XNUK.js";
19
+ } from "./chunk-UERNRN5J.js";
17
20
  import {
18
21
  DEFAULT_SCOPES,
19
22
  Page,
23
+ PromptOption,
20
24
  SessionState
21
- } from "./chunk-UY6NEM2T.js";
25
+ } from "./chunk-CCQOLKXU.js";
22
26
 
23
27
  // src/handlers/index.ts
24
28
  import { NextResponse as NextResponse6 } from "next/server";
25
29
 
26
30
  // src/handlers/login.ts
27
31
  import { NextResponse } from "next/server";
28
-
29
- // src/oauth/pkce.ts
30
- import { randomBytes, createHash } from "crypto";
31
- var VERIFIER_LENGTH = 64;
32
- function generateCodeVerifier() {
33
- return randomBytes(VERIFIER_LENGTH).toString("base64url").slice(0, VERIFIER_LENGTH);
34
- }
35
- function computeCodeChallenge(codeVerifier) {
36
- return createHash("sha256").update(codeVerifier).digest("base64url");
37
- }
38
-
39
- // src/oauth/authorize.ts
40
- import { randomBytes as randomBytes2 } from "crypto";
41
- function generateState() {
42
- return randomBytes2(32).toString("base64url");
43
- }
44
- function buildAuthorizeURL(oidcConfig, params) {
45
- const url = new URL(oidcConfig.authorization_endpoint);
46
- url.searchParams.set("response_type", "code");
47
- url.searchParams.set("client_id", params.clientID);
48
- url.searchParams.set("redirect_uri", params.redirectURI);
49
- url.searchParams.set("scope", params.scopes.join(" "));
50
- url.searchParams.set("code_challenge", computeCodeChallenge(params.codeVerifier));
51
- url.searchParams.set("code_challenge_method", "S256");
52
- url.searchParams.set("state", params.state);
53
- return url.toString();
54
- }
55
-
56
- // src/handlers/login.ts
57
32
  async function handleLogin(request, config) {
58
33
  const resolved = resolveConfig(config);
59
34
  const oidcConfig = await fetchOIDCConfiguration(resolved.endpoint);
60
35
  const returnTo = request.nextUrl.searchParams.get("returnTo") ?? "/";
61
36
  const codeVerifier = generateCodeVerifier();
62
37
  const state = generateState();
38
+ const ALLOWED_PROMPTS = new Set(Object.values(PromptOption));
39
+ const rawPrompt = request.nextUrl.searchParams.get("prompt");
40
+ const perCallPrompt = rawPrompt !== null && ALLOWED_PROMPTS.has(rawPrompt) ? rawPrompt : void 0;
41
+ const prompt = perCallPrompt ?? (resolved.isSSOEnabled ? void 0 : "login");
63
42
  const authorizeURL = buildAuthorizeURL(oidcConfig, {
64
43
  clientID: resolved.clientID,
65
44
  redirectURI: resolved.redirectURI,
66
45
  scopes: resolved.scopes,
67
46
  codeVerifier,
68
- state
47
+ state,
48
+ prompt
69
49
  });
70
50
  const pkceCookie = buildPKCECookie({ codeVerifier, state, returnTo }, resolved.sessionSecret);
71
51
  const response = NextResponse.redirect(authorizeURL);
@@ -118,7 +98,6 @@ async function handleCallback(request, config) {
118
98
  code,
119
99
  codeVerifier: pkceData.codeVerifier,
120
100
  clientID: resolved.clientID,
121
- clientSecret: resolved.clientSecret || void 0,
122
101
  redirectURI: resolved.redirectURI
123
102
  });
124
103
  const sessionCookie = buildSessionCookie(
@@ -188,8 +167,7 @@ async function handleRefresh(request, config) {
188
167
  const oidcConfig = await fetchOIDCConfiguration(resolved.endpoint);
189
168
  const tokenResponse = await refreshAccessToken(oidcConfig, {
190
169
  refreshToken: session.refreshToken,
191
- clientID: resolved.clientID,
192
- clientSecret: resolved.clientSecret || void 0
170
+ clientID: resolved.clientID
193
171
  });
194
172
  const newSession = {
195
173
  accessToken: tokenResponse.access_token,
@@ -225,8 +203,7 @@ async function handleUserInfo(request, config) {
225
203
  if (isTokenExpired(session.expiresAt) && session.refreshToken) {
226
204
  const tokenResponse = await refreshAccessToken(oidcConfig, {
227
205
  refreshToken: session.refreshToken,
228
- clientID: resolved.clientID,
229
- clientSecret: resolved.clientSecret || void 0
206
+ clientID: resolved.clientID
230
207
  });
231
208
  session = {
232
209
  accessToken: tokenResponse.access_token,
@@ -288,6 +265,7 @@ function createAuthgearHandlers(config) {
288
265
  export {
289
266
  DEFAULT_SCOPES,
290
267
  Page,
268
+ PromptOption,
291
269
  SessionState,
292
270
  createAuthgearHandlers
293
271
  };
package/dist/index.js.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"sources":["../src/handlers/index.ts","../src/handlers/login.ts","../src/oauth/pkce.ts","../src/oauth/authorize.ts","../src/handlers/callback.ts","../src/handlers/logout.ts","../src/handlers/refresh.ts","../src/handlers/userinfo.ts"],"sourcesContent":["import { NextResponse, type NextRequest } from \"next/server\";\nimport type { AuthgearConfig } from \"../types.js\";\nimport { handleLogin } from \"./login.js\";\nimport { handleCallback } from \"./callback.js\";\nimport { handleLogout } from \"./logout.js\";\nimport { handleRefresh } from \"./refresh.js\";\nimport { handleUserInfo } from \"./userinfo.js\";\n\n/**\n * Creates Next.js route handlers for all Authgear auth endpoints.\n *\n * Usage in `app/api/auth/[...authgear]/route.ts`:\n * ```ts\n * import { createAuthgearHandlers } from \"@authgear/nextjs\";\n * export const { GET, POST } = createAuthgearHandlers(config);\n * ```\n *\n * Routes handled:\n * - GET /api/auth/login — Start OAuth flow\n * - GET /api/auth/callback — Handle OAuth callback\n * - GET /api/auth/logout — Logout and revoke tokens\n * - POST /api/auth/refresh — Refresh access token\n * - GET /api/auth/userinfo — Get current user info\n */\nexport function createAuthgearHandlers(config: AuthgearConfig) {\n async function GET(\n request: NextRequest,\n { params }: { params: Promise<{ authgear: string[] }> },\n ): Promise<NextResponse> {\n const { authgear } = await params;\n const action = authgear?.[0];\n\n switch (action) {\n case \"login\":\n return handleLogin(request, config);\n case \"callback\":\n return handleCallback(request, config);\n case \"logout\":\n return handleLogout(request, config);\n case \"userinfo\":\n return handleUserInfo(request, config);\n default:\n return NextResponse.json({ error: \"not_found\" }, { status: 404 });\n }\n }\n\n async function POST(\n request: NextRequest,\n { params }: { params: Promise<{ authgear: string[] }> },\n ): Promise<NextResponse> {\n const { authgear } = await params;\n const action = authgear?.[0];\n\n switch (action) {\n case \"refresh\":\n return handleRefresh(request, config);\n default:\n return NextResponse.json({ error: \"not_found\" }, { status: 404 });\n }\n }\n\n return { GET, POST };\n}\n","import { NextResponse, type NextRequest } from \"next/server\";\nimport type { AuthgearConfig } from \"../types.js\";\nimport { resolveConfig } from \"../config.js\";\nimport { fetchOIDCConfiguration } from \"../oauth/discovery.js\";\nimport { generateCodeVerifier } from \"../oauth/pkce.js\";\nimport { buildAuthorizeURL, generateState } from \"../oauth/authorize.js\";\nimport { buildPKCECookie } from \"../session/cookie.js\";\n\nexport async function handleLogin(\n request: NextRequest,\n config: AuthgearConfig,\n): Promise<NextResponse> {\n const resolved = resolveConfig(config);\n const oidcConfig = await fetchOIDCConfiguration(resolved.endpoint);\n\n const returnTo = request.nextUrl.searchParams.get(\"returnTo\") ?? \"/\";\n const codeVerifier = generateCodeVerifier();\n const state = generateState();\n\n const authorizeURL = buildAuthorizeURL(oidcConfig, {\n clientID: resolved.clientID,\n redirectURI: resolved.redirectURI,\n scopes: resolved.scopes,\n codeVerifier,\n state,\n });\n\n const pkceCookie = buildPKCECookie({ codeVerifier, state, returnTo }, resolved.sessionSecret);\n\n const response = NextResponse.redirect(authorizeURL);\n response.cookies.set(pkceCookie.name, pkceCookie.value, {\n httpOnly: pkceCookie.httpOnly,\n secure: pkceCookie.secure,\n sameSite: pkceCookie.sameSite,\n path: pkceCookie.path,\n maxAge: pkceCookie.maxAge,\n });\n\n return response;\n}\n","import { randomBytes, createHash } from \"node:crypto\";\n\nconst VERIFIER_LENGTH = 64;\n\nexport function generateCodeVerifier(): string {\n return randomBytes(VERIFIER_LENGTH)\n .toString(\"base64url\")\n .slice(0, VERIFIER_LENGTH);\n}\n\nexport function computeCodeChallenge(codeVerifier: string): string {\n return createHash(\"sha256\").update(codeVerifier).digest(\"base64url\");\n}\n","import { randomBytes } from \"node:crypto\";\nimport type { OIDCConfiguration } from \"../types.js\";\nimport { computeCodeChallenge } from \"./pkce.js\";\n\n/**\n * Build the URL to open an Authgear page (e.g. /settings) with the user\n * already authenticated via an app session token.\n */\nexport function buildOpenURL(\n oidcConfig: OIDCConfiguration,\n params: {\n clientID: string;\n appSessionToken: string;\n targetPath: string; // e.g. \"/settings\"\n },\n): string {\n const authorizationEndpoint = new URL(oidcConfig.authorization_endpoint);\n const settingsURL = `${authorizationEndpoint.origin}${params.targetPath}`;\n const loginHint = `https://authgear.com/login_hint?type=app_session_token&app_session_token=${encodeURIComponent(params.appSessionToken)}`;\n\n const url = new URL(oidcConfig.authorization_endpoint);\n url.searchParams.set(\"response_type\", \"none\");\n url.searchParams.set(\"client_id\", params.clientID);\n url.searchParams.set(\"redirect_uri\", settingsURL);\n url.searchParams.set(\"prompt\", \"none\");\n url.searchParams.set(\"login_hint\", loginHint);\n return url.toString();\n}\n\nexport interface AuthorizeParams {\n clientID: string;\n redirectURI: string;\n scopes: string[];\n codeVerifier: string;\n state: string;\n}\n\nexport function generateState(): string {\n return randomBytes(32).toString(\"base64url\");\n}\n\nexport function buildAuthorizeURL(\n oidcConfig: OIDCConfiguration,\n params: AuthorizeParams,\n): string {\n const url = new URL(oidcConfig.authorization_endpoint);\n url.searchParams.set(\"response_type\", \"code\");\n url.searchParams.set(\"client_id\", params.clientID);\n url.searchParams.set(\"redirect_uri\", params.redirectURI);\n url.searchParams.set(\"scope\", params.scopes.join(\" \"));\n url.searchParams.set(\"code_challenge\", computeCodeChallenge(params.codeVerifier));\n url.searchParams.set(\"code_challenge_method\", \"S256\");\n url.searchParams.set(\"state\", params.state);\n return url.toString();\n}\n","import { NextResponse, type NextRequest } from \"next/server\";\nimport type { AuthgearConfig } from \"../types.js\";\nimport { resolveConfig } from \"../config.js\";\nimport { fetchOIDCConfiguration } from \"../oauth/discovery.js\";\nimport { exchangeCode } from \"../oauth/token.js\";\nimport { decryptPKCECookie, buildSessionCookie } from \"../session/cookie.js\";\n\nexport async function handleCallback(\n request: NextRequest,\n config: AuthgearConfig,\n): Promise<NextResponse> {\n const resolved = resolveConfig(config);\n\n const code = request.nextUrl.searchParams.get(\"code\");\n const state = request.nextUrl.searchParams.get(\"state\");\n const error = request.nextUrl.searchParams.get(\"error\");\n const errorDescription = request.nextUrl.searchParams.get(\"error_description\");\n\n if (error) {\n return NextResponse.json(\n { error, error_description: errorDescription },\n { status: 400 },\n );\n }\n\n if (!code || !state) {\n return NextResponse.json(\n { error: \"missing_params\", error_description: \"Missing code or state parameter\" },\n { status: 400 },\n );\n }\n\n // Validate PKCE state\n const pkceCookieValue = request.cookies.get(\"authgear.pkce\")?.value;\n if (!pkceCookieValue) {\n return NextResponse.json(\n { error: \"invalid_state\", error_description: \"Missing PKCE cookie\" },\n { status: 400 },\n );\n }\n\n const pkceData = decryptPKCECookie(pkceCookieValue, resolved.sessionSecret);\n if (!pkceData || pkceData.state !== state) {\n return NextResponse.json(\n { error: \"invalid_state\", error_description: \"State mismatch\" },\n { status: 400 },\n );\n }\n\n // Exchange code for tokens\n const oidcConfig = await fetchOIDCConfiguration(resolved.endpoint);\n const tokenResponse = await exchangeCode(oidcConfig, {\n code,\n codeVerifier: pkceData.codeVerifier,\n clientID: resolved.clientID,\n clientSecret: resolved.clientSecret || undefined,\n redirectURI: resolved.redirectURI,\n });\n\n // Build session cookie\n const sessionCookie = buildSessionCookie(\n resolved.cookieName,\n {\n accessToken: tokenResponse.access_token,\n refreshToken: tokenResponse.refresh_token ?? null,\n idToken: tokenResponse.id_token ?? null,\n expiresAt: Math.floor(Date.now() / 1000) + tokenResponse.expires_in,\n },\n resolved.sessionSecret,\n );\n\n const returnTo = pkceData.returnTo || \"/\";\n const redirectURL = new URL(returnTo, request.nextUrl.origin);\n const response = NextResponse.redirect(redirectURL);\n\n // Set session cookie\n response.cookies.set(sessionCookie.name, sessionCookie.value, {\n httpOnly: sessionCookie.httpOnly,\n secure: sessionCookie.secure,\n sameSite: sessionCookie.sameSite,\n path: sessionCookie.path,\n maxAge: sessionCookie.maxAge,\n });\n\n // Clear PKCE cookie\n response.cookies.set(\"authgear.pkce\", \"\", { maxAge: 0, path: \"/\" });\n\n return response;\n}\n","import { NextResponse, type NextRequest } from \"next/server\";\nimport type { AuthgearConfig } from \"../types.js\";\nimport { resolveConfig } from \"../config.js\";\nimport { fetchOIDCConfiguration } from \"../oauth/discovery.js\";\nimport { revokeToken } from \"../oauth/token.js\";\nimport { decryptSession, buildClearCookie } from \"../session/cookie.js\";\n\nexport async function handleLogout(\n request: NextRequest,\n config: AuthgearConfig,\n): Promise<NextResponse> {\n const resolved = resolveConfig(config);\n\n // Revoke refresh token if present\n const sessionCookie = request.cookies.get(resolved.cookieName)?.value;\n if (sessionCookie) {\n const session = decryptSession(sessionCookie, resolved.sessionSecret);\n if (session?.refreshToken) {\n const oidcConfig = await fetchOIDCConfiguration(resolved.endpoint);\n try {\n await revokeToken(oidcConfig, session.refreshToken);\n } catch {\n // Best-effort revocation\n }\n }\n }\n\n const clearCookie = buildClearCookie(resolved.cookieName);\n const redirectURL = new URL(resolved.postLogoutRedirectURI, request.nextUrl.origin);\n const response = NextResponse.redirect(redirectURL);\n\n response.cookies.set(clearCookie.name, clearCookie.value, {\n httpOnly: clearCookie.httpOnly,\n secure: clearCookie.secure,\n sameSite: clearCookie.sameSite,\n path: clearCookie.path,\n maxAge: clearCookie.maxAge,\n });\n\n return response;\n}\n","import { NextResponse, type NextRequest } from \"next/server\";\nimport type { AuthgearConfig } from \"../types.js\";\nimport { resolveConfig } from \"../config.js\";\nimport { fetchOIDCConfiguration } from \"../oauth/discovery.js\";\nimport { refreshAccessToken } from \"../oauth/token.js\";\nimport { decryptSession, buildSessionCookie } from \"../session/cookie.js\";\n\nexport async function handleRefresh(\n request: NextRequest,\n config: AuthgearConfig,\n): Promise<NextResponse> {\n const resolved = resolveConfig(config);\n\n const sessionCookieValue = request.cookies.get(resolved.cookieName)?.value;\n if (!sessionCookieValue) {\n return NextResponse.json({ error: \"no_session\" }, { status: 401 });\n }\n\n const session = decryptSession(sessionCookieValue, resolved.sessionSecret);\n if (!session?.refreshToken) {\n return NextResponse.json({ error: \"no_refresh_token\" }, { status: 401 });\n }\n\n const oidcConfig = await fetchOIDCConfiguration(resolved.endpoint);\n const tokenResponse = await refreshAccessToken(oidcConfig, {\n refreshToken: session.refreshToken,\n clientID: resolved.clientID,\n clientSecret: resolved.clientSecret || undefined,\n });\n\n const newSession = {\n accessToken: tokenResponse.access_token,\n refreshToken: tokenResponse.refresh_token ?? session.refreshToken,\n idToken: tokenResponse.id_token ?? session.idToken,\n expiresAt: Math.floor(Date.now() / 1000) + tokenResponse.expires_in,\n };\n\n const sessionCookie = buildSessionCookie(resolved.cookieName, newSession, resolved.sessionSecret);\n const response = NextResponse.json({ ok: true });\n\n response.cookies.set(sessionCookie.name, sessionCookie.value, {\n httpOnly: sessionCookie.httpOnly,\n secure: sessionCookie.secure,\n sameSite: sessionCookie.sameSite,\n path: sessionCookie.path,\n maxAge: sessionCookie.maxAge,\n });\n\n return response;\n}\n","import { NextResponse, type NextRequest } from \"next/server\";\nimport type { AuthgearConfig, UserInfo } from \"../types.js\";\nimport { resolveConfig } from \"../config.js\";\nimport { fetchOIDCConfiguration } from \"../oauth/discovery.js\";\nimport { decryptSession } from \"../session/cookie.js\";\nimport { isTokenExpired } from \"../session/state.js\";\nimport { refreshAccessToken } from \"../oauth/token.js\";\nimport { buildSessionCookie } from \"../session/cookie.js\";\nimport { parseUserInfo } from \"../user.js\";\n\nexport async function handleUserInfo(\n request: NextRequest,\n config: AuthgearConfig,\n): Promise<NextResponse> {\n const resolved = resolveConfig(config);\n\n const sessionCookieValue = request.cookies.get(resolved.cookieName)?.value;\n if (!sessionCookieValue) {\n return NextResponse.json({ error: \"no_session\" }, { status: 401 });\n }\n\n let session = decryptSession(sessionCookieValue, resolved.sessionSecret);\n if (!session) {\n return NextResponse.json({ error: \"invalid_session\" }, { status: 401 });\n }\n\n const oidcConfig = await fetchOIDCConfiguration(resolved.endpoint);\n\n // Auto-refresh if access token is expired\n if (isTokenExpired(session.expiresAt) && session.refreshToken) {\n const tokenResponse = await refreshAccessToken(oidcConfig, {\n refreshToken: session.refreshToken,\n clientID: resolved.clientID,\n clientSecret: resolved.clientSecret || undefined,\n });\n session = {\n accessToken: tokenResponse.access_token,\n refreshToken: tokenResponse.refresh_token ?? session.refreshToken,\n idToken: tokenResponse.id_token ?? session.idToken,\n expiresAt: Math.floor(Date.now() / 1000) + tokenResponse.expires_in,\n };\n }\n\n // Fetch user info from Authgear\n const userinfoRes = await fetch(oidcConfig.userinfo_endpoint, {\n headers: { Authorization: `Bearer ${session.accessToken}` },\n });\n\n if (!userinfoRes.ok) {\n return NextResponse.json({ error: \"userinfo_failed\" }, { status: userinfoRes.status });\n }\n\n const raw = (await userinfoRes.json()) as Record<string, unknown>;\n const userInfo: UserInfo = parseUserInfo(raw);\n\n const response = NextResponse.json(userInfo);\n\n // Update session cookie if tokens were refreshed\n const newCookie = buildSessionCookie(resolved.cookieName, session, resolved.sessionSecret);\n response.cookies.set(newCookie.name, newCookie.value, {\n httpOnly: newCookie.httpOnly,\n secure: newCookie.secure,\n sameSite: newCookie.sameSite,\n path: newCookie.path,\n maxAge: newCookie.maxAge,\n });\n\n return response;\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;;;;;AAAA,SAAS,gBAAAA,qBAAsC;;;ACA/C,SAAS,oBAAsC;;;ACA/C,SAAS,aAAa,kBAAkB;AAExC,IAAM,kBAAkB;AAEjB,SAAS,uBAA+B;AAC7C,SAAO,YAAY,eAAe,EAC/B,SAAS,WAAW,EACpB,MAAM,GAAG,eAAe;AAC7B;AAEO,SAAS,qBAAqB,cAA8B;AACjE,SAAO,WAAW,QAAQ,EAAE,OAAO,YAAY,EAAE,OAAO,WAAW;AACrE;;;ACZA,SAAS,eAAAC,oBAAmB;AAqCrB,SAAS,gBAAwB;AACtC,SAAOC,aAAY,EAAE,EAAE,SAAS,WAAW;AAC7C;AAEO,SAAS,kBACd,YACA,QACQ;AACR,QAAM,MAAM,IAAI,IAAI,WAAW,sBAAsB;AACrD,MAAI,aAAa,IAAI,iBAAiB,MAAM;AAC5C,MAAI,aAAa,IAAI,aAAa,OAAO,QAAQ;AACjD,MAAI,aAAa,IAAI,gBAAgB,OAAO,WAAW;AACvD,MAAI,aAAa,IAAI,SAAS,OAAO,OAAO,KAAK,GAAG,CAAC;AACrD,MAAI,aAAa,IAAI,kBAAkB,qBAAqB,OAAO,YAAY,CAAC;AAChF,MAAI,aAAa,IAAI,yBAAyB,MAAM;AACpD,MAAI,aAAa,IAAI,SAAS,OAAO,KAAK;AAC1C,SAAO,IAAI,SAAS;AACtB;;;AF9CA,eAAsB,YACpB,SACA,QACuB;AACvB,QAAM,WAAW,cAAc,MAAM;AACrC,QAAM,aAAa,MAAM,uBAAuB,SAAS,QAAQ;AAEjE,QAAM,WAAW,QAAQ,QAAQ,aAAa,IAAI,UAAU,KAAK;AACjE,QAAM,eAAe,qBAAqB;AAC1C,QAAM,QAAQ,cAAc;AAE5B,QAAM,eAAe,kBAAkB,YAAY;AAAA,IACjD,UAAU,SAAS;AAAA,IACnB,aAAa,SAAS;AAAA,IACtB,QAAQ,SAAS;AAAA,IACjB;AAAA,IACA;AAAA,EACF,CAAC;AAED,QAAM,aAAa,gBAAgB,EAAE,cAAc,OAAO,SAAS,GAAG,SAAS,aAAa;AAE5F,QAAM,WAAW,aAAa,SAAS,YAAY;AACnD,WAAS,QAAQ,IAAI,WAAW,MAAM,WAAW,OAAO;AAAA,IACtD,UAAU,WAAW;AAAA,IACrB,QAAQ,WAAW;AAAA,IACnB,UAAU,WAAW;AAAA,IACrB,MAAM,WAAW;AAAA,IACjB,QAAQ,WAAW;AAAA,EACrB,CAAC;AAED,SAAO;AACT;;;AGvCA,SAAS,gBAAAC,qBAAsC;AAO/C,eAAsB,eACpB,SACA,QACuB;AACvB,QAAM,WAAW,cAAc,MAAM;AAErC,QAAM,OAAO,QAAQ,QAAQ,aAAa,IAAI,MAAM;AACpD,QAAM,QAAQ,QAAQ,QAAQ,aAAa,IAAI,OAAO;AACtD,QAAM,QAAQ,QAAQ,QAAQ,aAAa,IAAI,OAAO;AACtD,QAAM,mBAAmB,QAAQ,QAAQ,aAAa,IAAI,mBAAmB;AAE7E,MAAI,OAAO;AACT,WAAOC,cAAa;AAAA,MAClB,EAAE,OAAO,mBAAmB,iBAAiB;AAAA,MAC7C,EAAE,QAAQ,IAAI;AAAA,IAChB;AAAA,EACF;AAEA,MAAI,CAAC,QAAQ,CAAC,OAAO;AACnB,WAAOA,cAAa;AAAA,MAClB,EAAE,OAAO,kBAAkB,mBAAmB,kCAAkC;AAAA,MAChF,EAAE,QAAQ,IAAI;AAAA,IAChB;AAAA,EACF;AAGA,QAAM,kBAAkB,QAAQ,QAAQ,IAAI,eAAe,GAAG;AAC9D,MAAI,CAAC,iBAAiB;AACpB,WAAOA,cAAa;AAAA,MAClB,EAAE,OAAO,iBAAiB,mBAAmB,sBAAsB;AAAA,MACnE,EAAE,QAAQ,IAAI;AAAA,IAChB;AAAA,EACF;AAEA,QAAM,WAAW,kBAAkB,iBAAiB,SAAS,aAAa;AAC1E,MAAI,CAAC,YAAY,SAAS,UAAU,OAAO;AACzC,WAAOA,cAAa;AAAA,MAClB,EAAE,OAAO,iBAAiB,mBAAmB,iBAAiB;AAAA,MAC9D,EAAE,QAAQ,IAAI;AAAA,IAChB;AAAA,EACF;AAGA,QAAM,aAAa,MAAM,uBAAuB,SAAS,QAAQ;AACjE,QAAM,gBAAgB,MAAM,aAAa,YAAY;AAAA,IACnD;AAAA,IACA,cAAc,SAAS;AAAA,IACvB,UAAU,SAAS;AAAA,IACnB,cAAc,SAAS,gBAAgB;AAAA,IACvC,aAAa,SAAS;AAAA,EACxB,CAAC;AAGD,QAAM,gBAAgB;AAAA,IACpB,SAAS;AAAA,IACT;AAAA,MACE,aAAa,cAAc;AAAA,MAC3B,cAAc,cAAc,iBAAiB;AAAA,MAC7C,SAAS,cAAc,YAAY;AAAA,MACnC,WAAW,KAAK,MAAM,KAAK,IAAI,IAAI,GAAI,IAAI,cAAc;AAAA,IAC3D;AAAA,IACA,SAAS;AAAA,EACX;AAEA,QAAM,WAAW,SAAS,YAAY;AACtC,QAAM,cAAc,IAAI,IAAI,UAAU,QAAQ,QAAQ,MAAM;AAC5D,QAAM,WAAWA,cAAa,SAAS,WAAW;AAGlD,WAAS,QAAQ,IAAI,cAAc,MAAM,cAAc,OAAO;AAAA,IAC5D,UAAU,cAAc;AAAA,IACxB,QAAQ,cAAc;AAAA,IACtB,UAAU,cAAc;AAAA,IACxB,MAAM,cAAc;AAAA,IACpB,QAAQ,cAAc;AAAA,EACxB,CAAC;AAGD,WAAS,QAAQ,IAAI,iBAAiB,IAAI,EAAE,QAAQ,GAAG,MAAM,IAAI,CAAC;AAElE,SAAO;AACT;;;ACxFA,SAAS,gBAAAC,qBAAsC;AAO/C,eAAsB,aACpB,SACA,QACuB;AACvB,QAAM,WAAW,cAAc,MAAM;AAGrC,QAAM,gBAAgB,QAAQ,QAAQ,IAAI,SAAS,UAAU,GAAG;AAChE,MAAI,eAAe;AACjB,UAAM,UAAU,eAAe,eAAe,SAAS,aAAa;AACpE,QAAI,SAAS,cAAc;AACzB,YAAM,aAAa,MAAM,uBAAuB,SAAS,QAAQ;AACjE,UAAI;AACF,cAAM,YAAY,YAAY,QAAQ,YAAY;AAAA,MACpD,QAAQ;AAAA,MAER;AAAA,IACF;AAAA,EACF;AAEA,QAAM,cAAc,iBAAiB,SAAS,UAAU;AACxD,QAAM,cAAc,IAAI,IAAI,SAAS,uBAAuB,QAAQ,QAAQ,MAAM;AAClF,QAAM,WAAWC,cAAa,SAAS,WAAW;AAElD,WAAS,QAAQ,IAAI,YAAY,MAAM,YAAY,OAAO;AAAA,IACxD,UAAU,YAAY;AAAA,IACtB,QAAQ,YAAY;AAAA,IACpB,UAAU,YAAY;AAAA,IACtB,MAAM,YAAY;AAAA,IAClB,QAAQ,YAAY;AAAA,EACtB,CAAC;AAED,SAAO;AACT;;;ACxCA,SAAS,gBAAAC,qBAAsC;AAO/C,eAAsB,cACpB,SACA,QACuB;AACvB,QAAM,WAAW,cAAc,MAAM;AAErC,QAAM,qBAAqB,QAAQ,QAAQ,IAAI,SAAS,UAAU,GAAG;AACrE,MAAI,CAAC,oBAAoB;AACvB,WAAOC,cAAa,KAAK,EAAE,OAAO,aAAa,GAAG,EAAE,QAAQ,IAAI,CAAC;AAAA,EACnE;AAEA,QAAM,UAAU,eAAe,oBAAoB,SAAS,aAAa;AACzE,MAAI,CAAC,SAAS,cAAc;AAC1B,WAAOA,cAAa,KAAK,EAAE,OAAO,mBAAmB,GAAG,EAAE,QAAQ,IAAI,CAAC;AAAA,EACzE;AAEA,QAAM,aAAa,MAAM,uBAAuB,SAAS,QAAQ;AACjE,QAAM,gBAAgB,MAAM,mBAAmB,YAAY;AAAA,IACzD,cAAc,QAAQ;AAAA,IACtB,UAAU,SAAS;AAAA,IACnB,cAAc,SAAS,gBAAgB;AAAA,EACzC,CAAC;AAED,QAAM,aAAa;AAAA,IACjB,aAAa,cAAc;AAAA,IAC3B,cAAc,cAAc,iBAAiB,QAAQ;AAAA,IACrD,SAAS,cAAc,YAAY,QAAQ;AAAA,IAC3C,WAAW,KAAK,MAAM,KAAK,IAAI,IAAI,GAAI,IAAI,cAAc;AAAA,EAC3D;AAEA,QAAM,gBAAgB,mBAAmB,SAAS,YAAY,YAAY,SAAS,aAAa;AAChG,QAAM,WAAWA,cAAa,KAAK,EAAE,IAAI,KAAK,CAAC;AAE/C,WAAS,QAAQ,IAAI,cAAc,MAAM,cAAc,OAAO;AAAA,IAC5D,UAAU,cAAc;AAAA,IACxB,QAAQ,cAAc;AAAA,IACtB,UAAU,cAAc;AAAA,IACxB,MAAM,cAAc;AAAA,IACpB,QAAQ,cAAc;AAAA,EACxB,CAAC;AAED,SAAO;AACT;;;ACjDA,SAAS,gBAAAC,qBAAsC;AAU/C,eAAsB,eACpB,SACA,QACuB;AACvB,QAAM,WAAW,cAAc,MAAM;AAErC,QAAM,qBAAqB,QAAQ,QAAQ,IAAI,SAAS,UAAU,GAAG;AACrE,MAAI,CAAC,oBAAoB;AACvB,WAAOC,cAAa,KAAK,EAAE,OAAO,aAAa,GAAG,EAAE,QAAQ,IAAI,CAAC;AAAA,EACnE;AAEA,MAAI,UAAU,eAAe,oBAAoB,SAAS,aAAa;AACvE,MAAI,CAAC,SAAS;AACZ,WAAOA,cAAa,KAAK,EAAE,OAAO,kBAAkB,GAAG,EAAE,QAAQ,IAAI,CAAC;AAAA,EACxE;AAEA,QAAM,aAAa,MAAM,uBAAuB,SAAS,QAAQ;AAGjE,MAAI,eAAe,QAAQ,SAAS,KAAK,QAAQ,cAAc;AAC7D,UAAM,gBAAgB,MAAM,mBAAmB,YAAY;AAAA,MACzD,cAAc,QAAQ;AAAA,MACtB,UAAU,SAAS;AAAA,MACnB,cAAc,SAAS,gBAAgB;AAAA,IACzC,CAAC;AACD,cAAU;AAAA,MACR,aAAa,cAAc;AAAA,MAC3B,cAAc,cAAc,iBAAiB,QAAQ;AAAA,MACrD,SAAS,cAAc,YAAY,QAAQ;AAAA,MAC3C,WAAW,KAAK,MAAM,KAAK,IAAI,IAAI,GAAI,IAAI,cAAc;AAAA,IAC3D;AAAA,EACF;AAGA,QAAM,cAAc,MAAM,MAAM,WAAW,mBAAmB;AAAA,IAC5D,SAAS,EAAE,eAAe,UAAU,QAAQ,WAAW,GAAG;AAAA,EAC5D,CAAC;AAED,MAAI,CAAC,YAAY,IAAI;AACnB,WAAOA,cAAa,KAAK,EAAE,OAAO,kBAAkB,GAAG,EAAE,QAAQ,YAAY,OAAO,CAAC;AAAA,EACvF;AAEA,QAAM,MAAO,MAAM,YAAY,KAAK;AACpC,QAAM,WAAqB,cAAc,GAAG;AAE5C,QAAM,WAAWA,cAAa,KAAK,QAAQ;AAG3C,QAAM,YAAY,mBAAmB,SAAS,YAAY,SAAS,SAAS,aAAa;AACzF,WAAS,QAAQ,IAAI,UAAU,MAAM,UAAU,OAAO;AAAA,IACpD,UAAU,UAAU;AAAA,IACpB,QAAQ,UAAU;AAAA,IAClB,UAAU,UAAU;AAAA,IACpB,MAAM,UAAU;AAAA,IAChB,QAAQ,UAAU;AAAA,EACpB,CAAC;AAED,SAAO;AACT;;;AP5CO,SAAS,uBAAuB,QAAwB;AAC7D,iBAAe,IACb,SACA,EAAE,OAAO,GACc;AACvB,UAAM,EAAE,SAAS,IAAI,MAAM;AAC3B,UAAM,SAAS,WAAW,CAAC;AAE3B,YAAQ,QAAQ;AAAA,MACd,KAAK;AACH,eAAO,YAAY,SAAS,MAAM;AAAA,MACpC,KAAK;AACH,eAAO,eAAe,SAAS,MAAM;AAAA,MACvC,KAAK;AACH,eAAO,aAAa,SAAS,MAAM;AAAA,MACrC,KAAK;AACH,eAAO,eAAe,SAAS,MAAM;AAAA,MACvC;AACE,eAAOC,cAAa,KAAK,EAAE,OAAO,YAAY,GAAG,EAAE,QAAQ,IAAI,CAAC;AAAA,IACpE;AAAA,EACF;AAEA,iBAAe,KACb,SACA,EAAE,OAAO,GACc;AACvB,UAAM,EAAE,SAAS,IAAI,MAAM;AAC3B,UAAM,SAAS,WAAW,CAAC;AAE3B,YAAQ,QAAQ;AAAA,MACd,KAAK;AACH,eAAO,cAAc,SAAS,MAAM;AAAA,MACtC;AACE,eAAOA,cAAa,KAAK,EAAE,OAAO,YAAY,GAAG,EAAE,QAAQ,IAAI,CAAC;AAAA,IACpE;AAAA,EACF;AAEA,SAAO,EAAE,KAAK,KAAK;AACrB;","names":["NextResponse","randomBytes","randomBytes","NextResponse","NextResponse","NextResponse","NextResponse","NextResponse","NextResponse","NextResponse","NextResponse","NextResponse"]}
1
+ {"version":3,"sources":["../src/handlers/index.ts","../src/handlers/login.ts","../src/handlers/callback.ts","../src/handlers/logout.ts","../src/handlers/refresh.ts","../src/handlers/userinfo.ts"],"sourcesContent":["import { NextResponse, type NextRequest } from \"next/server\";\nimport type { AuthgearConfig } from \"../types.js\";\nimport { handleLogin } from \"./login.js\";\nimport { handleCallback } from \"./callback.js\";\nimport { handleLogout } from \"./logout.js\";\nimport { handleRefresh } from \"./refresh.js\";\nimport { handleUserInfo } from \"./userinfo.js\";\n\n/**\n * Creates Next.js route handlers for all Authgear auth endpoints.\n *\n * Usage in `app/api/auth/[...authgear]/route.ts`:\n * ```ts\n * import { createAuthgearHandlers } from \"@authgear/nextjs\";\n * export const { GET, POST } = createAuthgearHandlers(config);\n * ```\n *\n * Routes handled:\n * - GET /api/auth/login — Start OAuth flow\n * - GET /api/auth/callback — Handle OAuth callback\n * - GET /api/auth/logout — Logout and revoke tokens\n * - POST /api/auth/refresh — Refresh access token\n * - GET /api/auth/userinfo — Get current user info\n */\nexport function createAuthgearHandlers(config: AuthgearConfig) {\n async function GET(\n request: NextRequest,\n { params }: { params: Promise<{ authgear: string[] }> },\n ): Promise<NextResponse> {\n const { authgear } = await params;\n const action = authgear?.[0];\n\n switch (action) {\n case \"login\":\n return handleLogin(request, config);\n case \"callback\":\n return handleCallback(request, config);\n case \"logout\":\n return handleLogout(request, config);\n case \"userinfo\":\n return handleUserInfo(request, config);\n default:\n return NextResponse.json({ error: \"not_found\" }, { status: 404 });\n }\n }\n\n async function POST(\n request: NextRequest,\n { params }: { params: Promise<{ authgear: string[] }> },\n ): Promise<NextResponse> {\n const { authgear } = await params;\n const action = authgear?.[0];\n\n switch (action) {\n case \"refresh\":\n return handleRefresh(request, config);\n default:\n return NextResponse.json({ error: \"not_found\" }, { status: 404 });\n }\n }\n\n return { GET, POST };\n}\n","import { NextResponse, type NextRequest } from \"next/server\";\nimport type { AuthgearConfig } from \"../types.js\";\nimport { PromptOption } from \"../types.js\";\nimport { resolveConfig } from \"../config.js\";\nimport { fetchOIDCConfiguration } from \"../oauth/discovery.js\";\nimport { generateCodeVerifier } from \"../oauth/pkce.js\";\nimport { buildAuthorizeURL, generateState } from \"../oauth/authorize.js\";\nimport { buildPKCECookie } from \"../session/cookie.js\";\n\nexport async function handleLogin(\n request: NextRequest,\n config: AuthgearConfig,\n): Promise<NextResponse> {\n const resolved = resolveConfig(config);\n const oidcConfig = await fetchOIDCConfiguration(resolved.endpoint);\n\n const returnTo = request.nextUrl.searchParams.get(\"returnTo\") ?? \"/\";\n const codeVerifier = generateCodeVerifier();\n const state = generateState();\n\n // Per-call ?prompt= query param takes precedence over the global isSSOEnabled default\n const ALLOWED_PROMPTS = new Set<string>(Object.values(PromptOption));\n const rawPrompt = request.nextUrl.searchParams.get(\"prompt\");\n const perCallPrompt = rawPrompt !== null && ALLOWED_PROMPTS.has(rawPrompt) ? rawPrompt : undefined;\n const prompt = perCallPrompt ?? (resolved.isSSOEnabled ? undefined : \"login\");\n\n const authorizeURL = buildAuthorizeURL(oidcConfig, {\n clientID: resolved.clientID,\n redirectURI: resolved.redirectURI,\n scopes: resolved.scopes,\n codeVerifier,\n state,\n prompt,\n });\n\n const pkceCookie = buildPKCECookie({ codeVerifier, state, returnTo }, resolved.sessionSecret);\n\n const response = NextResponse.redirect(authorizeURL);\n response.cookies.set(pkceCookie.name, pkceCookie.value, {\n httpOnly: pkceCookie.httpOnly,\n secure: pkceCookie.secure,\n sameSite: pkceCookie.sameSite,\n path: pkceCookie.path,\n maxAge: pkceCookie.maxAge,\n });\n\n return response;\n}\n","import { NextResponse, type NextRequest } from \"next/server\";\nimport type { AuthgearConfig } from \"../types.js\";\nimport { resolveConfig } from \"../config.js\";\nimport { fetchOIDCConfiguration } from \"../oauth/discovery.js\";\nimport { exchangeCode } from \"../oauth/token.js\";\nimport { decryptPKCECookie, buildSessionCookie } from \"../session/cookie.js\";\n\nexport async function handleCallback(\n request: NextRequest,\n config: AuthgearConfig,\n): Promise<NextResponse> {\n const resolved = resolveConfig(config);\n\n const code = request.nextUrl.searchParams.get(\"code\");\n const state = request.nextUrl.searchParams.get(\"state\");\n const error = request.nextUrl.searchParams.get(\"error\");\n const errorDescription = request.nextUrl.searchParams.get(\"error_description\");\n\n if (error) {\n return NextResponse.json(\n { error, error_description: errorDescription },\n { status: 400 },\n );\n }\n\n if (!code || !state) {\n return NextResponse.json(\n { error: \"missing_params\", error_description: \"Missing code or state parameter\" },\n { status: 400 },\n );\n }\n\n // Validate PKCE state\n const pkceCookieValue = request.cookies.get(\"authgear.pkce\")?.value;\n if (!pkceCookieValue) {\n return NextResponse.json(\n { error: \"invalid_state\", error_description: \"Missing PKCE cookie\" },\n { status: 400 },\n );\n }\n\n const pkceData = decryptPKCECookie(pkceCookieValue, resolved.sessionSecret);\n if (!pkceData || pkceData.state !== state) {\n return NextResponse.json(\n { error: \"invalid_state\", error_description: \"State mismatch\" },\n { status: 400 },\n );\n }\n\n // Exchange code for tokens\n const oidcConfig = await fetchOIDCConfiguration(resolved.endpoint);\n const tokenResponse = await exchangeCode(oidcConfig, {\n code,\n codeVerifier: pkceData.codeVerifier,\n clientID: resolved.clientID,\n redirectURI: resolved.redirectURI,\n });\n\n // Build session cookie\n const sessionCookie = buildSessionCookie(\n resolved.cookieName,\n {\n accessToken: tokenResponse.access_token,\n refreshToken: tokenResponse.refresh_token ?? null,\n idToken: tokenResponse.id_token ?? null,\n expiresAt: Math.floor(Date.now() / 1000) + tokenResponse.expires_in,\n },\n resolved.sessionSecret,\n );\n\n const returnTo = pkceData.returnTo || \"/\";\n const redirectURL = new URL(returnTo, request.nextUrl.origin);\n const response = NextResponse.redirect(redirectURL);\n\n // Set session cookie\n response.cookies.set(sessionCookie.name, sessionCookie.value, {\n httpOnly: sessionCookie.httpOnly,\n secure: sessionCookie.secure,\n sameSite: sessionCookie.sameSite,\n path: sessionCookie.path,\n maxAge: sessionCookie.maxAge,\n });\n\n // Clear PKCE cookie\n response.cookies.set(\"authgear.pkce\", \"\", { maxAge: 0, path: \"/\" });\n\n return response;\n}\n","import { NextResponse, type NextRequest } from \"next/server\";\nimport type { AuthgearConfig } from \"../types.js\";\nimport { resolveConfig } from \"../config.js\";\nimport { fetchOIDCConfiguration } from \"../oauth/discovery.js\";\nimport { revokeToken } from \"../oauth/token.js\";\nimport { decryptSession, buildClearCookie } from \"../session/cookie.js\";\n\nexport async function handleLogout(\n request: NextRequest,\n config: AuthgearConfig,\n): Promise<NextResponse> {\n const resolved = resolveConfig(config);\n\n // Revoke refresh token if present\n const sessionCookie = request.cookies.get(resolved.cookieName)?.value;\n if (sessionCookie) {\n const session = decryptSession(sessionCookie, resolved.sessionSecret);\n if (session?.refreshToken) {\n const oidcConfig = await fetchOIDCConfiguration(resolved.endpoint);\n try {\n await revokeToken(oidcConfig, session.refreshToken);\n } catch {\n // Best-effort revocation\n }\n }\n }\n\n const clearCookie = buildClearCookie(resolved.cookieName);\n const redirectURL = new URL(resolved.postLogoutRedirectURI, request.nextUrl.origin);\n const response = NextResponse.redirect(redirectURL);\n\n response.cookies.set(clearCookie.name, clearCookie.value, {\n httpOnly: clearCookie.httpOnly,\n secure: clearCookie.secure,\n sameSite: clearCookie.sameSite,\n path: clearCookie.path,\n maxAge: clearCookie.maxAge,\n });\n\n return response;\n}\n","import { NextResponse, type NextRequest } from \"next/server\";\nimport type { AuthgearConfig } from \"../types.js\";\nimport { resolveConfig } from \"../config.js\";\nimport { fetchOIDCConfiguration } from \"../oauth/discovery.js\";\nimport { refreshAccessToken } from \"../oauth/token.js\";\nimport { decryptSession, buildSessionCookie } from \"../session/cookie.js\";\n\nexport async function handleRefresh(\n request: NextRequest,\n config: AuthgearConfig,\n): Promise<NextResponse> {\n const resolved = resolveConfig(config);\n\n const sessionCookieValue = request.cookies.get(resolved.cookieName)?.value;\n if (!sessionCookieValue) {\n return NextResponse.json({ error: \"no_session\" }, { status: 401 });\n }\n\n const session = decryptSession(sessionCookieValue, resolved.sessionSecret);\n if (!session?.refreshToken) {\n return NextResponse.json({ error: \"no_refresh_token\" }, { status: 401 });\n }\n\n const oidcConfig = await fetchOIDCConfiguration(resolved.endpoint);\n const tokenResponse = await refreshAccessToken(oidcConfig, {\n refreshToken: session.refreshToken,\n clientID: resolved.clientID,\n });\n\n const newSession = {\n accessToken: tokenResponse.access_token,\n refreshToken: tokenResponse.refresh_token ?? session.refreshToken,\n idToken: tokenResponse.id_token ?? session.idToken,\n expiresAt: Math.floor(Date.now() / 1000) + tokenResponse.expires_in,\n };\n\n const sessionCookie = buildSessionCookie(resolved.cookieName, newSession, resolved.sessionSecret);\n const response = NextResponse.json({ ok: true });\n\n response.cookies.set(sessionCookie.name, sessionCookie.value, {\n httpOnly: sessionCookie.httpOnly,\n secure: sessionCookie.secure,\n sameSite: sessionCookie.sameSite,\n path: sessionCookie.path,\n maxAge: sessionCookie.maxAge,\n });\n\n return response;\n}\n","import { NextResponse, type NextRequest } from \"next/server\";\nimport type { AuthgearConfig, UserInfo } from \"../types.js\";\nimport { resolveConfig } from \"../config.js\";\nimport { fetchOIDCConfiguration } from \"../oauth/discovery.js\";\nimport { decryptSession } from \"../session/cookie.js\";\nimport { isTokenExpired } from \"../session/state.js\";\nimport { refreshAccessToken } from \"../oauth/token.js\";\nimport { buildSessionCookie } from \"../session/cookie.js\";\nimport { parseUserInfo } from \"../user.js\";\n\nexport async function handleUserInfo(\n request: NextRequest,\n config: AuthgearConfig,\n): Promise<NextResponse> {\n const resolved = resolveConfig(config);\n\n const sessionCookieValue = request.cookies.get(resolved.cookieName)?.value;\n if (!sessionCookieValue) {\n return NextResponse.json({ error: \"no_session\" }, { status: 401 });\n }\n\n let session = decryptSession(sessionCookieValue, resolved.sessionSecret);\n if (!session) {\n return NextResponse.json({ error: \"invalid_session\" }, { status: 401 });\n }\n\n const oidcConfig = await fetchOIDCConfiguration(resolved.endpoint);\n\n // Auto-refresh if access token is expired\n if (isTokenExpired(session.expiresAt) && session.refreshToken) {\n const tokenResponse = await refreshAccessToken(oidcConfig, {\n refreshToken: session.refreshToken,\n clientID: resolved.clientID,\n });\n session = {\n accessToken: tokenResponse.access_token,\n refreshToken: tokenResponse.refresh_token ?? session.refreshToken,\n idToken: tokenResponse.id_token ?? session.idToken,\n expiresAt: Math.floor(Date.now() / 1000) + tokenResponse.expires_in,\n };\n }\n\n // Fetch user info from Authgear\n const userinfoRes = await fetch(oidcConfig.userinfo_endpoint, {\n headers: { Authorization: `Bearer ${session.accessToken}` },\n });\n\n if (!userinfoRes.ok) {\n return NextResponse.json({ error: \"userinfo_failed\" }, { status: userinfoRes.status });\n }\n\n const raw = (await userinfoRes.json()) as Record<string, unknown>;\n const userInfo: UserInfo = parseUserInfo(raw);\n\n const response = NextResponse.json(userInfo);\n\n // Update session cookie if tokens were refreshed\n const newCookie = buildSessionCookie(resolved.cookieName, session, resolved.sessionSecret);\n response.cookies.set(newCookie.name, newCookie.value, {\n httpOnly: newCookie.httpOnly,\n secure: newCookie.secure,\n sameSite: newCookie.sameSite,\n path: newCookie.path,\n maxAge: newCookie.maxAge,\n });\n\n return response;\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;AAAA,SAAS,gBAAAA,qBAAsC;;;ACA/C,SAAS,oBAAsC;AAS/C,eAAsB,YACpB,SACA,QACuB;AACvB,QAAM,WAAW,cAAc,MAAM;AACrC,QAAM,aAAa,MAAM,uBAAuB,SAAS,QAAQ;AAEjE,QAAM,WAAW,QAAQ,QAAQ,aAAa,IAAI,UAAU,KAAK;AACjE,QAAM,eAAe,qBAAqB;AAC1C,QAAM,QAAQ,cAAc;AAG5B,QAAM,kBAAkB,IAAI,IAAY,OAAO,OAAO,YAAY,CAAC;AACnE,QAAM,YAAY,QAAQ,QAAQ,aAAa,IAAI,QAAQ;AAC3D,QAAM,gBAAgB,cAAc,QAAQ,gBAAgB,IAAI,SAAS,IAAI,YAAY;AACzF,QAAM,SAAS,kBAAkB,SAAS,eAAe,SAAY;AAErE,QAAM,eAAe,kBAAkB,YAAY;AAAA,IACjD,UAAU,SAAS;AAAA,IACnB,aAAa,SAAS;AAAA,IACtB,QAAQ,SAAS;AAAA,IACjB;AAAA,IACA;AAAA,IACA;AAAA,EACF,CAAC;AAED,QAAM,aAAa,gBAAgB,EAAE,cAAc,OAAO,SAAS,GAAG,SAAS,aAAa;AAE5F,QAAM,WAAW,aAAa,SAAS,YAAY;AACnD,WAAS,QAAQ,IAAI,WAAW,MAAM,WAAW,OAAO;AAAA,IACtD,UAAU,WAAW;AAAA,IACrB,QAAQ,WAAW;AAAA,IACnB,UAAU,WAAW;AAAA,IACrB,MAAM,WAAW;AAAA,IACjB,QAAQ,WAAW;AAAA,EACrB,CAAC;AAED,SAAO;AACT;;;AC/CA,SAAS,gBAAAC,qBAAsC;AAO/C,eAAsB,eACpB,SACA,QACuB;AACvB,QAAM,WAAW,cAAc,MAAM;AAErC,QAAM,OAAO,QAAQ,QAAQ,aAAa,IAAI,MAAM;AACpD,QAAM,QAAQ,QAAQ,QAAQ,aAAa,IAAI,OAAO;AACtD,QAAM,QAAQ,QAAQ,QAAQ,aAAa,IAAI,OAAO;AACtD,QAAM,mBAAmB,QAAQ,QAAQ,aAAa,IAAI,mBAAmB;AAE7E,MAAI,OAAO;AACT,WAAOC,cAAa;AAAA,MAClB,EAAE,OAAO,mBAAmB,iBAAiB;AAAA,MAC7C,EAAE,QAAQ,IAAI;AAAA,IAChB;AAAA,EACF;AAEA,MAAI,CAAC,QAAQ,CAAC,OAAO;AACnB,WAAOA,cAAa;AAAA,MAClB,EAAE,OAAO,kBAAkB,mBAAmB,kCAAkC;AAAA,MAChF,EAAE,QAAQ,IAAI;AAAA,IAChB;AAAA,EACF;AAGA,QAAM,kBAAkB,QAAQ,QAAQ,IAAI,eAAe,GAAG;AAC9D,MAAI,CAAC,iBAAiB;AACpB,WAAOA,cAAa;AAAA,MAClB,EAAE,OAAO,iBAAiB,mBAAmB,sBAAsB;AAAA,MACnE,EAAE,QAAQ,IAAI;AAAA,IAChB;AAAA,EACF;AAEA,QAAM,WAAW,kBAAkB,iBAAiB,SAAS,aAAa;AAC1E,MAAI,CAAC,YAAY,SAAS,UAAU,OAAO;AACzC,WAAOA,cAAa;AAAA,MAClB,EAAE,OAAO,iBAAiB,mBAAmB,iBAAiB;AAAA,MAC9D,EAAE,QAAQ,IAAI;AAAA,IAChB;AAAA,EACF;AAGA,QAAM,aAAa,MAAM,uBAAuB,SAAS,QAAQ;AACjE,QAAM,gBAAgB,MAAM,aAAa,YAAY;AAAA,IACnD;AAAA,IACA,cAAc,SAAS;AAAA,IACvB,UAAU,SAAS;AAAA,IACnB,aAAa,SAAS;AAAA,EACxB,CAAC;AAGD,QAAM,gBAAgB;AAAA,IACpB,SAAS;AAAA,IACT;AAAA,MACE,aAAa,cAAc;AAAA,MAC3B,cAAc,cAAc,iBAAiB;AAAA,MAC7C,SAAS,cAAc,YAAY;AAAA,MACnC,WAAW,KAAK,MAAM,KAAK,IAAI,IAAI,GAAI,IAAI,cAAc;AAAA,IAC3D;AAAA,IACA,SAAS;AAAA,EACX;AAEA,QAAM,WAAW,SAAS,YAAY;AACtC,QAAM,cAAc,IAAI,IAAI,UAAU,QAAQ,QAAQ,MAAM;AAC5D,QAAM,WAAWA,cAAa,SAAS,WAAW;AAGlD,WAAS,QAAQ,IAAI,cAAc,MAAM,cAAc,OAAO;AAAA,IAC5D,UAAU,cAAc;AAAA,IACxB,QAAQ,cAAc;AAAA,IACtB,UAAU,cAAc;AAAA,IACxB,MAAM,cAAc;AAAA,IACpB,QAAQ,cAAc;AAAA,EACxB,CAAC;AAGD,WAAS,QAAQ,IAAI,iBAAiB,IAAI,EAAE,QAAQ,GAAG,MAAM,IAAI,CAAC;AAElE,SAAO;AACT;;;ACvFA,SAAS,gBAAAC,qBAAsC;AAO/C,eAAsB,aACpB,SACA,QACuB;AACvB,QAAM,WAAW,cAAc,MAAM;AAGrC,QAAM,gBAAgB,QAAQ,QAAQ,IAAI,SAAS,UAAU,GAAG;AAChE,MAAI,eAAe;AACjB,UAAM,UAAU,eAAe,eAAe,SAAS,aAAa;AACpE,QAAI,SAAS,cAAc;AACzB,YAAM,aAAa,MAAM,uBAAuB,SAAS,QAAQ;AACjE,UAAI;AACF,cAAM,YAAY,YAAY,QAAQ,YAAY;AAAA,MACpD,QAAQ;AAAA,MAER;AAAA,IACF;AAAA,EACF;AAEA,QAAM,cAAc,iBAAiB,SAAS,UAAU;AACxD,QAAM,cAAc,IAAI,IAAI,SAAS,uBAAuB,QAAQ,QAAQ,MAAM;AAClF,QAAM,WAAWC,cAAa,SAAS,WAAW;AAElD,WAAS,QAAQ,IAAI,YAAY,MAAM,YAAY,OAAO;AAAA,IACxD,UAAU,YAAY;AAAA,IACtB,QAAQ,YAAY;AAAA,IACpB,UAAU,YAAY;AAAA,IACtB,MAAM,YAAY;AAAA,IAClB,QAAQ,YAAY;AAAA,EACtB,CAAC;AAED,SAAO;AACT;;;ACxCA,SAAS,gBAAAC,qBAAsC;AAO/C,eAAsB,cACpB,SACA,QACuB;AACvB,QAAM,WAAW,cAAc,MAAM;AAErC,QAAM,qBAAqB,QAAQ,QAAQ,IAAI,SAAS,UAAU,GAAG;AACrE,MAAI,CAAC,oBAAoB;AACvB,WAAOC,cAAa,KAAK,EAAE,OAAO,aAAa,GAAG,EAAE,QAAQ,IAAI,CAAC;AAAA,EACnE;AAEA,QAAM,UAAU,eAAe,oBAAoB,SAAS,aAAa;AACzE,MAAI,CAAC,SAAS,cAAc;AAC1B,WAAOA,cAAa,KAAK,EAAE,OAAO,mBAAmB,GAAG,EAAE,QAAQ,IAAI,CAAC;AAAA,EACzE;AAEA,QAAM,aAAa,MAAM,uBAAuB,SAAS,QAAQ;AACjE,QAAM,gBAAgB,MAAM,mBAAmB,YAAY;AAAA,IACzD,cAAc,QAAQ;AAAA,IACtB,UAAU,SAAS;AAAA,EACrB,CAAC;AAED,QAAM,aAAa;AAAA,IACjB,aAAa,cAAc;AAAA,IAC3B,cAAc,cAAc,iBAAiB,QAAQ;AAAA,IACrD,SAAS,cAAc,YAAY,QAAQ;AAAA,IAC3C,WAAW,KAAK,MAAM,KAAK,IAAI,IAAI,GAAI,IAAI,cAAc;AAAA,EAC3D;AAEA,QAAM,gBAAgB,mBAAmB,SAAS,YAAY,YAAY,SAAS,aAAa;AAChG,QAAM,WAAWA,cAAa,KAAK,EAAE,IAAI,KAAK,CAAC;AAE/C,WAAS,QAAQ,IAAI,cAAc,MAAM,cAAc,OAAO;AAAA,IAC5D,UAAU,cAAc;AAAA,IACxB,QAAQ,cAAc;AAAA,IACtB,UAAU,cAAc;AAAA,IACxB,MAAM,cAAc;AAAA,IACpB,QAAQ,cAAc;AAAA,EACxB,CAAC;AAED,SAAO;AACT;;;AChDA,SAAS,gBAAAC,qBAAsC;AAU/C,eAAsB,eACpB,SACA,QACuB;AACvB,QAAM,WAAW,cAAc,MAAM;AAErC,QAAM,qBAAqB,QAAQ,QAAQ,IAAI,SAAS,UAAU,GAAG;AACrE,MAAI,CAAC,oBAAoB;AACvB,WAAOC,cAAa,KAAK,EAAE,OAAO,aAAa,GAAG,EAAE,QAAQ,IAAI,CAAC;AAAA,EACnE;AAEA,MAAI,UAAU,eAAe,oBAAoB,SAAS,aAAa;AACvE,MAAI,CAAC,SAAS;AACZ,WAAOA,cAAa,KAAK,EAAE,OAAO,kBAAkB,GAAG,EAAE,QAAQ,IAAI,CAAC;AAAA,EACxE;AAEA,QAAM,aAAa,MAAM,uBAAuB,SAAS,QAAQ;AAGjE,MAAI,eAAe,QAAQ,SAAS,KAAK,QAAQ,cAAc;AAC7D,UAAM,gBAAgB,MAAM,mBAAmB,YAAY;AAAA,MACzD,cAAc,QAAQ;AAAA,MACtB,UAAU,SAAS;AAAA,IACrB,CAAC;AACD,cAAU;AAAA,MACR,aAAa,cAAc;AAAA,MAC3B,cAAc,cAAc,iBAAiB,QAAQ;AAAA,MACrD,SAAS,cAAc,YAAY,QAAQ;AAAA,MAC3C,WAAW,KAAK,MAAM,KAAK,IAAI,IAAI,GAAI,IAAI,cAAc;AAAA,IAC3D;AAAA,EACF;AAGA,QAAM,cAAc,MAAM,MAAM,WAAW,mBAAmB;AAAA,IAC5D,SAAS,EAAE,eAAe,UAAU,QAAQ,WAAW,GAAG;AAAA,EAC5D,CAAC;AAED,MAAI,CAAC,YAAY,IAAI;AACnB,WAAOA,cAAa,KAAK,EAAE,OAAO,kBAAkB,GAAG,EAAE,QAAQ,YAAY,OAAO,CAAC;AAAA,EACvF;AAEA,QAAM,MAAO,MAAM,YAAY,KAAK;AACpC,QAAM,WAAqB,cAAc,GAAG;AAE5C,QAAM,WAAWA,cAAa,KAAK,QAAQ;AAG3C,QAAM,YAAY,mBAAmB,SAAS,YAAY,SAAS,SAAS,aAAa;AACzF,WAAS,QAAQ,IAAI,UAAU,MAAM,UAAU,OAAO;AAAA,IACpD,UAAU,UAAU;AAAA,IACpB,QAAQ,UAAU;AAAA,IAClB,UAAU,UAAU;AAAA,IACpB,MAAM,UAAU;AAAA,IAChB,QAAQ,UAAU;AAAA,EACpB,CAAC;AAED,SAAO;AACT;;;AL3CO,SAAS,uBAAuB,QAAwB;AAC7D,iBAAe,IACb,SACA,EAAE,OAAO,GACc;AACvB,UAAM,EAAE,SAAS,IAAI,MAAM;AAC3B,UAAM,SAAS,WAAW,CAAC;AAE3B,YAAQ,QAAQ;AAAA,MACd,KAAK;AACH,eAAO,YAAY,SAAS,MAAM;AAAA,MACpC,KAAK;AACH,eAAO,eAAe,SAAS,MAAM;AAAA,MACvC,KAAK;AACH,eAAO,aAAa,SAAS,MAAM;AAAA,MACrC,KAAK;AACH,eAAO,eAAe,SAAS,MAAM;AAAA,MACvC;AACE,eAAOC,cAAa,KAAK,EAAE,OAAO,YAAY,GAAG,EAAE,QAAQ,IAAI,CAAC;AAAA,IACpE;AAAA,EACF;AAEA,iBAAe,KACb,SACA,EAAE,OAAO,GACc;AACvB,UAAM,EAAE,SAAS,IAAI,MAAM;AAC3B,UAAM,SAAS,WAAW,CAAC;AAE3B,YAAQ,QAAQ;AAAA,MACd,KAAK;AACH,eAAO,cAAc,SAAS,MAAM;AAAA,MACtC;AACE,eAAOA,cAAa,KAAK,EAAE,OAAO,YAAY,GAAG,EAAE,QAAQ,IAAI,CAAC;AAAA,IACpE;AAAA,EACF;AAEA,SAAO,EAAE,KAAK,KAAK;AACrB;","names":["NextResponse","NextResponse","NextResponse","NextResponse","NextResponse","NextResponse","NextResponse","NextResponse","NextResponse","NextResponse"]}
package/dist/proxy.d.ts CHANGED
@@ -1,5 +1,5 @@
1
1
  import { NextRequest, NextResponse } from 'next/server';
2
- import { A as AuthgearConfig } from './types-Csfra4K2.js';
2
+ import { A as AuthgearConfig } from './types-Cx-gnfE7.js';
3
3
 
4
4
  interface AuthgearProxyOptions extends AuthgearConfig {
5
5
  /**
package/dist/proxy.js CHANGED
@@ -5,8 +5,8 @@ import {
5
5
  isTokenExpired,
6
6
  refreshAccessToken,
7
7
  resolveConfig
8
- } from "./chunk-MJD3XNUK.js";
9
- import "./chunk-UY6NEM2T.js";
8
+ } from "./chunk-UERNRN5J.js";
9
+ import "./chunk-CCQOLKXU.js";
10
10
 
11
11
  // src/proxy.ts
12
12
  import { NextResponse } from "next/server";
@@ -35,8 +35,7 @@ function createAuthgearProxy(options) {
35
35
  const oidcConfig = await fetchOIDCConfiguration(resolved.endpoint);
36
36
  const tokenResponse = await refreshAccessToken(oidcConfig, {
37
37
  refreshToken: sessionData.refreshToken,
38
- clientID: resolved.clientID,
39
- clientSecret: resolved.clientSecret || void 0
38
+ clientID: resolved.clientID
40
39
  });
41
40
  sessionData = {
42
41
  accessToken: tokenResponse.access_token,
package/dist/proxy.js.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"sources":["../src/proxy.ts"],"sourcesContent":["import { NextResponse, type NextRequest } from \"next/server\";\nimport type { AuthgearConfig } from \"./types.js\";\nimport { resolveConfig } from \"./config.js\";\nimport { decryptSession, buildSessionCookie } from \"./session/cookie.js\";\nimport { isTokenExpired } from \"./session/state.js\";\nimport { fetchOIDCConfiguration } from \"./oauth/discovery.js\";\nimport { refreshAccessToken } from \"./oauth/token.js\";\n\nexport interface AuthgearProxyOptions extends AuthgearConfig {\n /**\n * Paths that require authentication. Unauthenticated requests are redirected to login.\n * Supports exact paths and prefix patterns ending with `*` (e.g. \"/dashboard/*\").\n */\n protectedPaths?: string[];\n\n /**\n * Paths that are always public (never redirected to login).\n * Takes precedence over protectedPaths.\n * Defaults to [\"/api/auth/*\"].\n */\n publicPaths?: string[];\n\n /**\n * URL to redirect unauthenticated users. Defaults to \"/api/auth/login\".\n */\n loginPath?: string;\n}\n\nfunction matchesPath(pathname: string, patterns: string[]): boolean {\n return patterns.some((pattern) => {\n if (pattern.endsWith(\"*\")) {\n return pathname.startsWith(pattern.slice(0, -1));\n }\n return pathname === pattern;\n });\n}\n\n/**\n * Create a Next.js 16 proxy function for Authgear authentication.\n *\n * Usage in `proxy.ts`:\n * ```ts\n * import { createAuthgearProxy } from \"@authgear/nextjs/proxy\";\n * export const proxy = createAuthgearProxy({ ...config, protectedPaths: [\"/dashboard/*\"] });\n * ```\n */\nexport function createAuthgearProxy(options: AuthgearProxyOptions) {\n const resolved = resolveConfig(options);\n const protectedPaths = options.protectedPaths ?? [];\n const publicPaths = options.publicPaths ?? [\"/api/auth/*\"];\n const loginPath = options.loginPath ?? \"/api/auth/login\";\n\n return async function proxy(request: NextRequest): Promise<NextResponse> {\n const { pathname } = request.nextUrl;\n\n // Always allow public paths\n if (matchesPath(pathname, publicPaths)) {\n return NextResponse.next();\n }\n\n const sessionCookieValue = request.cookies.get(resolved.cookieName)?.value;\n let sessionData = sessionCookieValue\n ? decryptSession(sessionCookieValue, resolved.sessionSecret)\n : null;\n\n // Try to refresh expired token\n if (sessionData && isTokenExpired(sessionData.expiresAt) && sessionData.refreshToken) {\n try {\n const oidcConfig = await fetchOIDCConfiguration(resolved.endpoint);\n const tokenResponse = await refreshAccessToken(oidcConfig, {\n refreshToken: sessionData.refreshToken,\n clientID: resolved.clientID,\n clientSecret: resolved.clientSecret || undefined,\n });\n sessionData = {\n accessToken: tokenResponse.access_token,\n refreshToken: tokenResponse.refresh_token ?? sessionData.refreshToken,\n idToken: tokenResponse.id_token ?? sessionData.idToken,\n expiresAt: Math.floor(Date.now() / 1000) + tokenResponse.expires_in,\n };\n } catch {\n sessionData = null;\n }\n }\n\n // Redirect unauthenticated requests on protected paths\n if (!sessionData && matchesPath(pathname, protectedPaths)) {\n const loginURL = new URL(loginPath, request.nextUrl.origin);\n loginURL.searchParams.set(\"returnTo\", pathname);\n return NextResponse.redirect(loginURL);\n }\n\n const response = NextResponse.next();\n\n if (sessionData) {\n // Update session cookie (captures rotated refresh token if server rotated it)\n const newCookie = buildSessionCookie(resolved.cookieName, sessionData, resolved.sessionSecret);\n response.cookies.set(newCookie.name, newCookie.value, {\n httpOnly: newCookie.httpOnly,\n secure: newCookie.secure,\n sameSite: newCookie.sameSite,\n path: newCookie.path,\n maxAge: newCookie.maxAge,\n });\n } else if (sessionCookieValue) {\n // Refresh failed — clear the stale cookie so Server Components don't see a broken session\n response.cookies.set(resolved.cookieName, \"\", { maxAge: 0, path: \"/\" });\n }\n\n return response;\n };\n}\n"],"mappings":";;;;;;;;;;;AAAA,SAAS,oBAAsC;AA4B/C,SAAS,YAAY,UAAkB,UAA6B;AAClE,SAAO,SAAS,KAAK,CAAC,YAAY;AAChC,QAAI,QAAQ,SAAS,GAAG,GAAG;AACzB,aAAO,SAAS,WAAW,QAAQ,MAAM,GAAG,EAAE,CAAC;AAAA,IACjD;AACA,WAAO,aAAa;AAAA,EACtB,CAAC;AACH;AAWO,SAAS,oBAAoB,SAA+B;AACjE,QAAM,WAAW,cAAc,OAAO;AACtC,QAAM,iBAAiB,QAAQ,kBAAkB,CAAC;AAClD,QAAM,cAAc,QAAQ,eAAe,CAAC,aAAa;AACzD,QAAM,YAAY,QAAQ,aAAa;AAEvC,SAAO,eAAe,MAAM,SAA6C;AACvE,UAAM,EAAE,SAAS,IAAI,QAAQ;AAG7B,QAAI,YAAY,UAAU,WAAW,GAAG;AACtC,aAAO,aAAa,KAAK;AAAA,IAC3B;AAEA,UAAM,qBAAqB,QAAQ,QAAQ,IAAI,SAAS,UAAU,GAAG;AACrE,QAAI,cAAc,qBACd,eAAe,oBAAoB,SAAS,aAAa,IACzD;AAGJ,QAAI,eAAe,eAAe,YAAY,SAAS,KAAK,YAAY,cAAc;AACpF,UAAI;AACF,cAAM,aAAa,MAAM,uBAAuB,SAAS,QAAQ;AACjE,cAAM,gBAAgB,MAAM,mBAAmB,YAAY;AAAA,UACzD,cAAc,YAAY;AAAA,UAC1B,UAAU,SAAS;AAAA,UACnB,cAAc,SAAS,gBAAgB;AAAA,QACzC,CAAC;AACD,sBAAc;AAAA,UACZ,aAAa,cAAc;AAAA,UAC3B,cAAc,cAAc,iBAAiB,YAAY;AAAA,UACzD,SAAS,cAAc,YAAY,YAAY;AAAA,UAC/C,WAAW,KAAK,MAAM,KAAK,IAAI,IAAI,GAAI,IAAI,cAAc;AAAA,QAC3D;AAAA,MACF,QAAQ;AACN,sBAAc;AAAA,MAChB;AAAA,IACF;AAGA,QAAI,CAAC,eAAe,YAAY,UAAU,cAAc,GAAG;AACzD,YAAM,WAAW,IAAI,IAAI,WAAW,QAAQ,QAAQ,MAAM;AAC1D,eAAS,aAAa,IAAI,YAAY,QAAQ;AAC9C,aAAO,aAAa,SAAS,QAAQ;AAAA,IACvC;AAEA,UAAM,WAAW,aAAa,KAAK;AAEnC,QAAI,aAAa;AAEf,YAAM,YAAY,mBAAmB,SAAS,YAAY,aAAa,SAAS,aAAa;AAC7F,eAAS,QAAQ,IAAI,UAAU,MAAM,UAAU,OAAO;AAAA,QACpD,UAAU,UAAU;AAAA,QACpB,QAAQ,UAAU;AAAA,QAClB,UAAU,UAAU;AAAA,QACpB,MAAM,UAAU;AAAA,QAChB,QAAQ,UAAU;AAAA,MACpB,CAAC;AAAA,IACH,WAAW,oBAAoB;AAE7B,eAAS,QAAQ,IAAI,SAAS,YAAY,IAAI,EAAE,QAAQ,GAAG,MAAM,IAAI,CAAC;AAAA,IACxE;AAEA,WAAO;AAAA,EACT;AACF;","names":[]}
1
+ {"version":3,"sources":["../src/proxy.ts"],"sourcesContent":["import { NextResponse, type NextRequest } from \"next/server\";\nimport type { AuthgearConfig } from \"./types.js\";\nimport { resolveConfig } from \"./config.js\";\nimport { decryptSession, buildSessionCookie } from \"./session/cookie.js\";\nimport { isTokenExpired } from \"./session/state.js\";\nimport { fetchOIDCConfiguration } from \"./oauth/discovery.js\";\nimport { refreshAccessToken } from \"./oauth/token.js\";\n\nexport interface AuthgearProxyOptions extends AuthgearConfig {\n /**\n * Paths that require authentication. Unauthenticated requests are redirected to login.\n * Supports exact paths and prefix patterns ending with `*` (e.g. \"/dashboard/*\").\n */\n protectedPaths?: string[];\n\n /**\n * Paths that are always public (never redirected to login).\n * Takes precedence over protectedPaths.\n * Defaults to [\"/api/auth/*\"].\n */\n publicPaths?: string[];\n\n /**\n * URL to redirect unauthenticated users. Defaults to \"/api/auth/login\".\n */\n loginPath?: string;\n}\n\nfunction matchesPath(pathname: string, patterns: string[]): boolean {\n return patterns.some((pattern) => {\n if (pattern.endsWith(\"*\")) {\n return pathname.startsWith(pattern.slice(0, -1));\n }\n return pathname === pattern;\n });\n}\n\n/**\n * Create a Next.js 16 proxy function for Authgear authentication.\n *\n * Usage in `proxy.ts`:\n * ```ts\n * import { createAuthgearProxy } from \"@authgear/nextjs/proxy\";\n * export const proxy = createAuthgearProxy({ ...config, protectedPaths: [\"/dashboard/*\"] });\n * ```\n */\nexport function createAuthgearProxy(options: AuthgearProxyOptions) {\n const resolved = resolveConfig(options);\n const protectedPaths = options.protectedPaths ?? [];\n const publicPaths = options.publicPaths ?? [\"/api/auth/*\"];\n const loginPath = options.loginPath ?? \"/api/auth/login\";\n\n return async function proxy(request: NextRequest): Promise<NextResponse> {\n const { pathname } = request.nextUrl;\n\n // Always allow public paths\n if (matchesPath(pathname, publicPaths)) {\n return NextResponse.next();\n }\n\n const sessionCookieValue = request.cookies.get(resolved.cookieName)?.value;\n let sessionData = sessionCookieValue\n ? decryptSession(sessionCookieValue, resolved.sessionSecret)\n : null;\n\n // Try to refresh expired token\n if (sessionData && isTokenExpired(sessionData.expiresAt) && sessionData.refreshToken) {\n try {\n const oidcConfig = await fetchOIDCConfiguration(resolved.endpoint);\n const tokenResponse = await refreshAccessToken(oidcConfig, {\n refreshToken: sessionData.refreshToken,\n clientID: resolved.clientID,\n });\n sessionData = {\n accessToken: tokenResponse.access_token,\n refreshToken: tokenResponse.refresh_token ?? sessionData.refreshToken,\n idToken: tokenResponse.id_token ?? sessionData.idToken,\n expiresAt: Math.floor(Date.now() / 1000) + tokenResponse.expires_in,\n };\n } catch {\n sessionData = null;\n }\n }\n\n // Redirect unauthenticated requests on protected paths\n if (!sessionData && matchesPath(pathname, protectedPaths)) {\n const loginURL = new URL(loginPath, request.nextUrl.origin);\n loginURL.searchParams.set(\"returnTo\", pathname);\n return NextResponse.redirect(loginURL);\n }\n\n const response = NextResponse.next();\n\n if (sessionData) {\n // Update session cookie (captures rotated refresh token if server rotated it)\n const newCookie = buildSessionCookie(resolved.cookieName, sessionData, resolved.sessionSecret);\n response.cookies.set(newCookie.name, newCookie.value, {\n httpOnly: newCookie.httpOnly,\n secure: newCookie.secure,\n sameSite: newCookie.sameSite,\n path: newCookie.path,\n maxAge: newCookie.maxAge,\n });\n } else if (sessionCookieValue) {\n // Refresh failed — clear the stale cookie so Server Components don't see a broken session\n response.cookies.set(resolved.cookieName, \"\", { maxAge: 0, path: \"/\" });\n }\n\n return response;\n };\n}\n"],"mappings":";;;;;;;;;;;AAAA,SAAS,oBAAsC;AA4B/C,SAAS,YAAY,UAAkB,UAA6B;AAClE,SAAO,SAAS,KAAK,CAAC,YAAY;AAChC,QAAI,QAAQ,SAAS,GAAG,GAAG;AACzB,aAAO,SAAS,WAAW,QAAQ,MAAM,GAAG,EAAE,CAAC;AAAA,IACjD;AACA,WAAO,aAAa;AAAA,EACtB,CAAC;AACH;AAWO,SAAS,oBAAoB,SAA+B;AACjE,QAAM,WAAW,cAAc,OAAO;AACtC,QAAM,iBAAiB,QAAQ,kBAAkB,CAAC;AAClD,QAAM,cAAc,QAAQ,eAAe,CAAC,aAAa;AACzD,QAAM,YAAY,QAAQ,aAAa;AAEvC,SAAO,eAAe,MAAM,SAA6C;AACvE,UAAM,EAAE,SAAS,IAAI,QAAQ;AAG7B,QAAI,YAAY,UAAU,WAAW,GAAG;AACtC,aAAO,aAAa,KAAK;AAAA,IAC3B;AAEA,UAAM,qBAAqB,QAAQ,QAAQ,IAAI,SAAS,UAAU,GAAG;AACrE,QAAI,cAAc,qBACd,eAAe,oBAAoB,SAAS,aAAa,IACzD;AAGJ,QAAI,eAAe,eAAe,YAAY,SAAS,KAAK,YAAY,cAAc;AACpF,UAAI;AACF,cAAM,aAAa,MAAM,uBAAuB,SAAS,QAAQ;AACjE,cAAM,gBAAgB,MAAM,mBAAmB,YAAY;AAAA,UACzD,cAAc,YAAY;AAAA,UAC1B,UAAU,SAAS;AAAA,QACrB,CAAC;AACD,sBAAc;AAAA,UACZ,aAAa,cAAc;AAAA,UAC3B,cAAc,cAAc,iBAAiB,YAAY;AAAA,UACzD,SAAS,cAAc,YAAY,YAAY;AAAA,UAC/C,WAAW,KAAK,MAAM,KAAK,IAAI,IAAI,GAAI,IAAI,cAAc;AAAA,QAC3D;AAAA,MACF,QAAQ;AACN,sBAAc;AAAA,MAChB;AAAA,IACF;AAGA,QAAI,CAAC,eAAe,YAAY,UAAU,cAAc,GAAG;AACzD,YAAM,WAAW,IAAI,IAAI,WAAW,QAAQ,QAAQ,MAAM;AAC1D,eAAS,aAAa,IAAI,YAAY,QAAQ;AAC9C,aAAO,aAAa,SAAS,QAAQ;AAAA,IACvC;AAEA,UAAM,WAAW,aAAa,KAAK;AAEnC,QAAI,aAAa;AAEf,YAAM,YAAY,mBAAmB,SAAS,YAAY,aAAa,SAAS,aAAa;AAC7F,eAAS,QAAQ,IAAI,UAAU,MAAM,UAAU,OAAO;AAAA,QACpD,UAAU,UAAU;AAAA,QACpB,QAAQ,UAAU;AAAA,QAClB,UAAU,UAAU;AAAA,QACpB,MAAM,UAAU;AAAA,QAChB,QAAQ,UAAU;AAAA,MACpB,CAAC;AAAA,IACH,WAAW,oBAAoB;AAE7B,eAAS,QAAQ,IAAI,SAAS,YAAY,IAAI,EAAE,QAAQ,GAAG,MAAM,IAAI,CAAC;AAAA,IACxE;AAEA,WAAO;AAAA,EACT;AACF;","names":[]}
package/dist/server.d.ts CHANGED
@@ -1,5 +1,5 @@
1
- import { A as AuthgearConfig, S as Session, U as UserInfo, J as JWTPayload } from './types-Csfra4K2.js';
2
- export { P as Page, b as SessionState } from './types-Csfra4K2.js';
1
+ import { A as AuthgearConfig, S as Session, U as UserInfo, P as Page, J as JWTPayload } from './types-Cx-gnfE7.js';
2
+ export { a as PromptOption, c as SessionState } from './types-Cx-gnfE7.js';
3
3
 
4
4
  /**
5
5
  * Read the current session in a Server Component, Route Handler, or Server Action.
@@ -22,5 +22,32 @@ declare function currentUser(config: AuthgearConfig): Promise<UserInfo | null>;
22
22
  * @throws {Error} If the token is invalid, expired, or has wrong issuer/audience
23
23
  */
24
24
  declare function verifyAccessToken(token: string, config: AuthgearConfig): Promise<JWTPayload>;
25
+ /**
26
+ * Get a URL that opens an Authgear page (e.g. `/settings`) with the current
27
+ * user already authenticated — no re-login required.
28
+ *
29
+ * Exchanges the user's refresh token for a short-lived `app_session_token`
30
+ * via `POST /oauth2/app_session_token`, then builds an authorization URL
31
+ * that uses that token as a `login_hint` so Authgear can authenticate the
32
+ * user silently.
33
+ *
34
+ * @param page - A `Page` enum value (e.g. `Page.Settings`) or an arbitrary path string.
35
+ * @param config - The Authgear SDK config.
36
+ * @returns A URL string. Open it in a new tab (`window.open(url, "_blank")`).
37
+ * @throws {Error} If the user is not authenticated or has no refresh token.
38
+ *
39
+ * @example
40
+ * ```ts
41
+ * // Server Action
42
+ * "use server";
43
+ * import { getOpenURL, Page } from "@authgear/nextjs/server";
44
+ * import { authgearConfig } from "@/lib/authgear";
45
+ *
46
+ * export async function getSettingsURLAction() {
47
+ * return getOpenURL(Page.Settings, authgearConfig);
48
+ * }
49
+ * ```
50
+ */
51
+ declare function getOpenURL(page: Page | string, config: AuthgearConfig): Promise<string>;
25
52
 
26
- export { JWTPayload, Session, UserInfo, auth, currentUser, verifyAccessToken };
53
+ export { JWTPayload, Page, Session, UserInfo, auth, currentUser, getOpenURL, verifyAccessToken };
package/dist/server.js CHANGED
@@ -1,19 +1,22 @@
1
1
  import {
2
+ buildOpenURL,
2
3
  parseUserInfo
3
- } from "./chunk-3KVYAFQJ.js";
4
+ } from "./chunk-GXYXHQVJ.js";
4
5
  import {
5
6
  buildSessionCookie,
6
7
  decryptSession,
7
8
  deriveSessionState,
8
9
  fetchOIDCConfiguration,
10
+ getAppSessionToken,
9
11
  isTokenExpired,
10
12
  refreshAccessToken,
11
13
  resolveConfig
12
- } from "./chunk-MJD3XNUK.js";
14
+ } from "./chunk-UERNRN5J.js";
13
15
  import {
14
16
  Page,
17
+ PromptOption,
15
18
  SessionState
16
- } from "./chunk-UY6NEM2T.js";
19
+ } from "./chunk-CCQOLKXU.js";
17
20
 
18
21
  // src/server.ts
19
22
  import "server-only";
@@ -57,8 +60,7 @@ async function auth(config) {
57
60
  const oidcConfig = await fetchOIDCConfiguration(resolved.endpoint);
58
61
  const tokenResponse = await refreshAccessToken(oidcConfig, {
59
62
  refreshToken: sessionData.refreshToken,
60
- clientID: resolved.clientID,
61
- clientSecret: resolved.clientSecret || void 0
63
+ clientID: resolved.clientID
62
64
  });
63
65
  sessionData = {
64
66
  accessToken: tokenResponse.access_token,
@@ -95,8 +97,7 @@ async function currentUser(config) {
95
97
  try {
96
98
  const tokenResponse = await refreshAccessToken(oidcConfig, {
97
99
  refreshToken: sessionData.refreshToken,
98
- clientID: resolved.clientID,
99
- clientSecret: resolved.clientSecret || void 0
100
+ clientID: resolved.clientID
100
101
  });
101
102
  sessionData = {
102
103
  accessToken: tokenResponse.access_token,
@@ -131,11 +132,33 @@ async function verifyAccessToken(token, config) {
131
132
  const oidcConfig = await fetchOIDCConfiguration(resolved.endpoint);
132
133
  return verifyJWT(token, oidcConfig);
133
134
  }
135
+ async function getOpenURL(page, config) {
136
+ const resolved = resolveConfig(config);
137
+ const cookieStore = await cookies();
138
+ const sessionCookieValue = cookieStore.get(resolved.cookieName)?.value;
139
+ if (!sessionCookieValue) throw new Error("Not authenticated");
140
+ let sessionData = decryptSession(sessionCookieValue, resolved.sessionSecret);
141
+ if (!sessionData) throw new Error("Not authenticated");
142
+ if (!sessionData.refreshToken) throw new Error("No refresh token in session");
143
+ const oidcConfig = await fetchOIDCConfiguration(resolved.endpoint);
144
+ const { app_session_token } = await getAppSessionToken(
145
+ resolved.endpoint,
146
+ sessionData.refreshToken
147
+ );
148
+ return buildOpenURL(oidcConfig, {
149
+ clientID: resolved.clientID,
150
+ appSessionToken: app_session_token,
151
+ targetPath: page,
152
+ scopes: resolved.scopes
153
+ });
154
+ }
134
155
  export {
135
156
  Page,
157
+ PromptOption,
136
158
  SessionState,
137
159
  auth,
138
160
  currentUser,
161
+ getOpenURL,
139
162
  verifyAccessToken
140
163
  };
141
164
  //# sourceMappingURL=server.js.map
package/dist/server.js.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"sources":["../src/server.ts","../src/jwt/verify.ts","../src/jwt/jwks.ts"],"sourcesContent":["import \"server-only\";\nimport { cookies } from \"next/headers\";\nimport { SessionState, Page, type Session, type UserInfo, type JWTPayload, type AuthgearConfig } from \"./types.js\";\nimport { resolveConfig } from \"./config.js\";\nimport { decryptSession, buildSessionCookie } from \"./session/cookie.js\";\nimport { deriveSessionState, isTokenExpired } from \"./session/state.js\";\nimport { fetchOIDCConfiguration } from \"./oauth/discovery.js\";\nimport { refreshAccessToken } from \"./oauth/token.js\";\n// ROADMAP: import { getAppSessionToken } from \"./oauth/token.js\";\n// ROADMAP: import { buildOpenURL } from \"./oauth/authorize.js\";\nimport { verifyJWT } from \"./jwt/verify.js\";\nimport { parseUserInfo } from \"./user.js\";\n\n/**\n * Read the current session in a Server Component, Route Handler, or Server Action.\n * Automatically refreshes the access token if expired, so `session.accessToken` is\n * always valid when the session state is `Authenticated`. Use this when you need a\n * fresh access token to call a downstream API (e.g. inside a Server Action).\n */\nexport async function auth(config: AuthgearConfig): Promise<Session> {\n const resolved = resolveConfig(config);\n const cookieStore = await cookies();\n const sessionCookieValue = cookieStore.get(resolved.cookieName)?.value;\n\n let sessionData = sessionCookieValue\n ? decryptSession(sessionCookieValue, resolved.sessionSecret)\n : null;\n\n // Auto-refresh expired token so callers (e.g. Server Actions) always get a valid access token\n if (sessionData && isTokenExpired(sessionData.expiresAt) && sessionData.refreshToken) {\n try {\n const oidcConfig = await fetchOIDCConfiguration(resolved.endpoint);\n const tokenResponse = await refreshAccessToken(oidcConfig, {\n refreshToken: sessionData.refreshToken,\n clientID: resolved.clientID,\n clientSecret: resolved.clientSecret || undefined,\n });\n sessionData = {\n accessToken: tokenResponse.access_token,\n refreshToken: tokenResponse.refresh_token ?? sessionData.refreshToken,\n idToken: tokenResponse.id_token ?? sessionData.idToken,\n expiresAt: Math.floor(Date.now() / 1000) + tokenResponse.expires_in,\n };\n try {\n const newCookie = buildSessionCookie(resolved.cookieName, sessionData, resolved.sessionSecret);\n cookieStore.set(newCookie.name, newCookie.value, {\n httpOnly: newCookie.httpOnly,\n secure: newCookie.secure,\n sameSite: newCookie.sameSite,\n path: newCookie.path,\n maxAge: newCookie.maxAge,\n });\n } catch {\n // Not in a Route Handler — cookie will be persisted by the proxy on next navigation\n }\n } catch {\n sessionData = null;\n }\n }\n\n return deriveSessionState(sessionData);\n}\n\n/**\n * Get the current user in a Server Component or Route Handler.\n * Automatically refreshes the access token if expired, including persisting a\n * rotated refresh token when the Authgear project has refresh token rotation enabled.\n * Returns null if not authenticated or if the session cannot be refreshed.\n */\nexport async function currentUser(config: AuthgearConfig): Promise<UserInfo | null> {\n const resolved = resolveConfig(config);\n const cookieStore = await cookies();\n const sessionCookieValue = cookieStore.get(resolved.cookieName)?.value;\n\n if (!sessionCookieValue) return null;\n\n let sessionData = decryptSession(sessionCookieValue, resolved.sessionSecret);\n if (!sessionData) return null;\n\n const oidcConfig = await fetchOIDCConfiguration(resolved.endpoint);\n\n // Auto-refresh expired token\n if (isTokenExpired(sessionData.expiresAt) && sessionData.refreshToken) {\n try {\n const tokenResponse = await refreshAccessToken(oidcConfig, {\n refreshToken: sessionData.refreshToken,\n clientID: resolved.clientID,\n clientSecret: resolved.clientSecret || undefined,\n });\n sessionData = {\n accessToken: tokenResponse.access_token,\n refreshToken: tokenResponse.refresh_token ?? sessionData.refreshToken,\n idToken: tokenResponse.id_token ?? sessionData.idToken,\n expiresAt: Math.floor(Date.now() / 1000) + tokenResponse.expires_in,\n };\n // Persist the updated session (with rotated refresh token) back to the cookie.\n // This succeeds in Route Handlers but throws in Server Components (Next.js restriction).\n // In Server Components the proxy will write the updated cookie on the next page navigation.\n try {\n const newCookie = buildSessionCookie(resolved.cookieName, sessionData, resolved.sessionSecret);\n cookieStore.set(newCookie.name, newCookie.value, {\n httpOnly: newCookie.httpOnly,\n secure: newCookie.secure,\n sameSite: newCookie.sameSite,\n path: newCookie.path,\n maxAge: newCookie.maxAge,\n });\n } catch {\n // Not in a Route Handler — cookie will be persisted by the proxy on next navigation\n }\n } catch {\n return null;\n }\n }\n\n const userinfoRes = await fetch(oidcConfig.userinfo_endpoint, {\n headers: { Authorization: `Bearer ${sessionData.accessToken}` },\n });\n\n if (!userinfoRes.ok) return null;\n\n const raw = (await userinfoRes.json()) as Record<string, unknown>;\n return parseUserInfo(raw);\n}\n\n/**\n * Verify a JWT access token (from Authorization: Bearer header).\n * Useful for protecting API routes.\n *\n * @throws {Error} If the token is invalid, expired, or has wrong issuer/audience\n */\nexport async function verifyAccessToken(\n token: string,\n config: AuthgearConfig,\n): Promise<JWTPayload> {\n const resolved = resolveConfig(config);\n const oidcConfig = await fetchOIDCConfiguration(resolved.endpoint);\n return verifyJWT(token, oidcConfig);\n}\n\n// ROADMAP: getOpenURL — open Authgear settings (or any Authgear page) with the\n// current user pre-authenticated via the app_session_token exchange.\n//\n// This requires the Authgear server to grant the client permission to call\n// POST /oauth2/app_session_token (\"full user access\"). Once that server-side\n// configuration is available, uncomment the implementation below and the\n// imports above, then expose it from the example dashboard via a Server Action.\n//\n// export async function getOpenURL(\n// page: Page | string,\n// config: AuthgearConfig,\n// ): Promise<string> {\n// const resolved = resolveConfig(config);\n// const cookieStore = await cookies();\n// const sessionCookieValue = cookieStore.get(resolved.cookieName)?.value;\n// if (!sessionCookieValue) throw new Error(\"Not authenticated\");\n// const sessionData = decryptSession(sessionCookieValue, resolved.sessionSecret);\n// if (!sessionData?.refreshToken) throw new Error(\"No refresh token in session\");\n// const oidcConfig = await fetchOIDCConfiguration(resolved.endpoint);\n// const { app_session_token } = await getAppSessionToken(\n// resolved.endpoint,\n// sessionData.refreshToken,\n// );\n// return buildOpenURL(oidcConfig, {\n// clientID: resolved.clientID,\n// appSessionToken: app_session_token,\n// targetPath: page,\n// });\n// }\n\nexport { SessionState, Page };\nexport type { Session, UserInfo, JWTPayload };\n","import { jwtVerify } from \"jose\";\nimport type { JWTPayload, OIDCConfiguration } from \"../types.js\";\nimport { getJWKS } from \"./jwks.js\";\n\nexport interface VerifyOptions {\n /** Expected audience. If not set, audience is not checked. */\n audience?: string | string[];\n}\n\nexport async function verifyJWT(\n token: string,\n oidcConfig: OIDCConfiguration,\n options?: VerifyOptions,\n): Promise<JWTPayload> {\n const jwks = getJWKS(oidcConfig);\n\n const { payload } = await jwtVerify(token, jwks, {\n issuer: oidcConfig.issuer,\n audience: options?.audience,\n algorithms: [\"RS256\"],\n });\n\n return payload as unknown as JWTPayload;\n}\n","import { createRemoteJWKSet } from \"jose\";\nimport type { OIDCConfiguration } from \"../types.js\";\n\nconst jwksSets = new Map<string, ReturnType<typeof createRemoteJWKSet>>();\n\nexport function getJWKS(oidcConfig: OIDCConfiguration) {\n const uri = oidcConfig.jwks_uri;\n let jwks = jwksSets.get(uri);\n if (!jwks) {\n jwks = createRemoteJWKSet(new URL(uri));\n jwksSets.set(uri, jwks);\n }\n return jwks;\n}\n\n/** Clear cached JWKS (useful for testing) */\nexport function clearJWKSCache(): void {\n jwksSets.clear();\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;AAAA,OAAO;AACP,SAAS,eAAe;;;ACDxB,SAAS,iBAAiB;;;ACA1B,SAAS,0BAA0B;AAGnC,IAAM,WAAW,oBAAI,IAAmD;AAEjE,SAAS,QAAQ,YAA+B;AACrD,QAAM,MAAM,WAAW;AACvB,MAAI,OAAO,SAAS,IAAI,GAAG;AAC3B,MAAI,CAAC,MAAM;AACT,WAAO,mBAAmB,IAAI,IAAI,GAAG,CAAC;AACtC,aAAS,IAAI,KAAK,IAAI;AAAA,EACxB;AACA,SAAO;AACT;;;ADJA,eAAsB,UACpB,OACA,YACA,SACqB;AACrB,QAAM,OAAO,QAAQ,UAAU;AAE/B,QAAM,EAAE,QAAQ,IAAI,MAAM,UAAU,OAAO,MAAM;AAAA,IAC/C,QAAQ,WAAW;AAAA,IACnB,UAAU,SAAS;AAAA,IACnB,YAAY,CAAC,OAAO;AAAA,EACtB,CAAC;AAED,SAAO;AACT;;;ADJA,eAAsB,KAAK,QAA0C;AACnE,QAAM,WAAW,cAAc,MAAM;AACrC,QAAM,cAAc,MAAM,QAAQ;AAClC,QAAM,qBAAqB,YAAY,IAAI,SAAS,UAAU,GAAG;AAEjE,MAAI,cAAc,qBACd,eAAe,oBAAoB,SAAS,aAAa,IACzD;AAGJ,MAAI,eAAe,eAAe,YAAY,SAAS,KAAK,YAAY,cAAc;AACpF,QAAI;AACF,YAAM,aAAa,MAAM,uBAAuB,SAAS,QAAQ;AACjE,YAAM,gBAAgB,MAAM,mBAAmB,YAAY;AAAA,QACzD,cAAc,YAAY;AAAA,QAC1B,UAAU,SAAS;AAAA,QACnB,cAAc,SAAS,gBAAgB;AAAA,MACzC,CAAC;AACD,oBAAc;AAAA,QACZ,aAAa,cAAc;AAAA,QAC3B,cAAc,cAAc,iBAAiB,YAAY;AAAA,QACzD,SAAS,cAAc,YAAY,YAAY;AAAA,QAC/C,WAAW,KAAK,MAAM,KAAK,IAAI,IAAI,GAAI,IAAI,cAAc;AAAA,MAC3D;AACA,UAAI;AACF,cAAM,YAAY,mBAAmB,SAAS,YAAY,aAAa,SAAS,aAAa;AAC7F,oBAAY,IAAI,UAAU,MAAM,UAAU,OAAO;AAAA,UAC/C,UAAU,UAAU;AAAA,UACpB,QAAQ,UAAU;AAAA,UAClB,UAAU,UAAU;AAAA,UACpB,MAAM,UAAU;AAAA,UAChB,QAAQ,UAAU;AAAA,QACpB,CAAC;AAAA,MACH,QAAQ;AAAA,MAER;AAAA,IACF,QAAQ;AACN,oBAAc;AAAA,IAChB;AAAA,EACF;AAEA,SAAO,mBAAmB,WAAW;AACvC;AAQA,eAAsB,YAAY,QAAkD;AAClF,QAAM,WAAW,cAAc,MAAM;AACrC,QAAM,cAAc,MAAM,QAAQ;AAClC,QAAM,qBAAqB,YAAY,IAAI,SAAS,UAAU,GAAG;AAEjE,MAAI,CAAC,mBAAoB,QAAO;AAEhC,MAAI,cAAc,eAAe,oBAAoB,SAAS,aAAa;AAC3E,MAAI,CAAC,YAAa,QAAO;AAEzB,QAAM,aAAa,MAAM,uBAAuB,SAAS,QAAQ;AAGjE,MAAI,eAAe,YAAY,SAAS,KAAK,YAAY,cAAc;AACrE,QAAI;AACF,YAAM,gBAAgB,MAAM,mBAAmB,YAAY;AAAA,QACzD,cAAc,YAAY;AAAA,QAC1B,UAAU,SAAS;AAAA,QACnB,cAAc,SAAS,gBAAgB;AAAA,MACzC,CAAC;AACD,oBAAc;AAAA,QACZ,aAAa,cAAc;AAAA,QAC3B,cAAc,cAAc,iBAAiB,YAAY;AAAA,QACzD,SAAS,cAAc,YAAY,YAAY;AAAA,QAC/C,WAAW,KAAK,MAAM,KAAK,IAAI,IAAI,GAAI,IAAI,cAAc;AAAA,MAC3D;AAIA,UAAI;AACF,cAAM,YAAY,mBAAmB,SAAS,YAAY,aAAa,SAAS,aAAa;AAC7F,oBAAY,IAAI,UAAU,MAAM,UAAU,OAAO;AAAA,UAC/C,UAAU,UAAU;AAAA,UACpB,QAAQ,UAAU;AAAA,UAClB,UAAU,UAAU;AAAA,UACpB,MAAM,UAAU;AAAA,UAChB,QAAQ,UAAU;AAAA,QACpB,CAAC;AAAA,MACH,QAAQ;AAAA,MAER;AAAA,IACF,QAAQ;AACN,aAAO;AAAA,IACT;AAAA,EACF;AAEA,QAAM,cAAc,MAAM,MAAM,WAAW,mBAAmB;AAAA,IAC5D,SAAS,EAAE,eAAe,UAAU,YAAY,WAAW,GAAG;AAAA,EAChE,CAAC;AAED,MAAI,CAAC,YAAY,GAAI,QAAO;AAE5B,QAAM,MAAO,MAAM,YAAY,KAAK;AACpC,SAAO,cAAc,GAAG;AAC1B;AAQA,eAAsB,kBACpB,OACA,QACqB;AACrB,QAAM,WAAW,cAAc,MAAM;AACrC,QAAM,aAAa,MAAM,uBAAuB,SAAS,QAAQ;AACjE,SAAO,UAAU,OAAO,UAAU;AACpC;","names":[]}
1
+ {"version":3,"sources":["../src/server.ts","../src/jwt/verify.ts","../src/jwt/jwks.ts"],"sourcesContent":["import \"server-only\";\nimport { cookies } from \"next/headers\";\nimport { SessionState, Page, PromptOption, type Session, type UserInfo, type JWTPayload, type AuthgearConfig } from \"./types.js\";\nimport { resolveConfig } from \"./config.js\";\nimport { decryptSession, buildSessionCookie } from \"./session/cookie.js\";\nimport { deriveSessionState, isTokenExpired } from \"./session/state.js\";\nimport { fetchOIDCConfiguration } from \"./oauth/discovery.js\";\nimport { refreshAccessToken, getAppSessionToken } from \"./oauth/token.js\";\nimport { buildOpenURL } from \"./oauth/authorize.js\";\nimport { verifyJWT } from \"./jwt/verify.js\";\nimport { parseUserInfo } from \"./user.js\";\n\n/**\n * Read the current session in a Server Component, Route Handler, or Server Action.\n * Automatically refreshes the access token if expired, so `session.accessToken` is\n * always valid when the session state is `Authenticated`. Use this when you need a\n * fresh access token to call a downstream API (e.g. inside a Server Action).\n */\nexport async function auth(config: AuthgearConfig): Promise<Session> {\n const resolved = resolveConfig(config);\n const cookieStore = await cookies();\n const sessionCookieValue = cookieStore.get(resolved.cookieName)?.value;\n\n let sessionData = sessionCookieValue\n ? decryptSession(sessionCookieValue, resolved.sessionSecret)\n : null;\n\n // Auto-refresh expired token so callers (e.g. Server Actions) always get a valid access token\n if (sessionData && isTokenExpired(sessionData.expiresAt) && sessionData.refreshToken) {\n try {\n const oidcConfig = await fetchOIDCConfiguration(resolved.endpoint);\n const tokenResponse = await refreshAccessToken(oidcConfig, {\n refreshToken: sessionData.refreshToken,\n clientID: resolved.clientID,\n });\n sessionData = {\n accessToken: tokenResponse.access_token,\n refreshToken: tokenResponse.refresh_token ?? sessionData.refreshToken,\n idToken: tokenResponse.id_token ?? sessionData.idToken,\n expiresAt: Math.floor(Date.now() / 1000) + tokenResponse.expires_in,\n };\n try {\n const newCookie = buildSessionCookie(resolved.cookieName, sessionData, resolved.sessionSecret);\n cookieStore.set(newCookie.name, newCookie.value, {\n httpOnly: newCookie.httpOnly,\n secure: newCookie.secure,\n sameSite: newCookie.sameSite,\n path: newCookie.path,\n maxAge: newCookie.maxAge,\n });\n } catch {\n // Not in a Route Handler — cookie will be persisted by the proxy on next navigation\n }\n } catch {\n sessionData = null;\n }\n }\n\n return deriveSessionState(sessionData);\n}\n\n/**\n * Get the current user in a Server Component or Route Handler.\n * Automatically refreshes the access token if expired, including persisting a\n * rotated refresh token when the Authgear project has refresh token rotation enabled.\n * Returns null if not authenticated or if the session cannot be refreshed.\n */\nexport async function currentUser(config: AuthgearConfig): Promise<UserInfo | null> {\n const resolved = resolveConfig(config);\n const cookieStore = await cookies();\n const sessionCookieValue = cookieStore.get(resolved.cookieName)?.value;\n\n if (!sessionCookieValue) return null;\n\n let sessionData = decryptSession(sessionCookieValue, resolved.sessionSecret);\n if (!sessionData) return null;\n\n const oidcConfig = await fetchOIDCConfiguration(resolved.endpoint);\n\n // Auto-refresh expired token\n if (isTokenExpired(sessionData.expiresAt) && sessionData.refreshToken) {\n try {\n const tokenResponse = await refreshAccessToken(oidcConfig, {\n refreshToken: sessionData.refreshToken,\n clientID: resolved.clientID,\n });\n sessionData = {\n accessToken: tokenResponse.access_token,\n refreshToken: tokenResponse.refresh_token ?? sessionData.refreshToken,\n idToken: tokenResponse.id_token ?? sessionData.idToken,\n expiresAt: Math.floor(Date.now() / 1000) + tokenResponse.expires_in,\n };\n // Persist the updated session (with rotated refresh token) back to the cookie.\n // This succeeds in Route Handlers but throws in Server Components (Next.js restriction).\n // In Server Components the proxy will write the updated cookie on the next page navigation.\n try {\n const newCookie = buildSessionCookie(resolved.cookieName, sessionData, resolved.sessionSecret);\n cookieStore.set(newCookie.name, newCookie.value, {\n httpOnly: newCookie.httpOnly,\n secure: newCookie.secure,\n sameSite: newCookie.sameSite,\n path: newCookie.path,\n maxAge: newCookie.maxAge,\n });\n } catch {\n // Not in a Route Handler — cookie will be persisted by the proxy on next navigation\n }\n } catch {\n return null;\n }\n }\n\n const userinfoRes = await fetch(oidcConfig.userinfo_endpoint, {\n headers: { Authorization: `Bearer ${sessionData.accessToken}` },\n });\n\n if (!userinfoRes.ok) return null;\n\n const raw = (await userinfoRes.json()) as Record<string, unknown>;\n return parseUserInfo(raw);\n}\n\n/**\n * Verify a JWT access token (from Authorization: Bearer header).\n * Useful for protecting API routes.\n *\n * @throws {Error} If the token is invalid, expired, or has wrong issuer/audience\n */\nexport async function verifyAccessToken(\n token: string,\n config: AuthgearConfig,\n): Promise<JWTPayload> {\n const resolved = resolveConfig(config);\n const oidcConfig = await fetchOIDCConfiguration(resolved.endpoint);\n return verifyJWT(token, oidcConfig);\n}\n\n/**\n * Get a URL that opens an Authgear page (e.g. `/settings`) with the current\n * user already authenticated — no re-login required.\n *\n * Exchanges the user's refresh token for a short-lived `app_session_token`\n * via `POST /oauth2/app_session_token`, then builds an authorization URL\n * that uses that token as a `login_hint` so Authgear can authenticate the\n * user silently.\n *\n * @param page - A `Page` enum value (e.g. `Page.Settings`) or an arbitrary path string.\n * @param config - The Authgear SDK config.\n * @returns A URL string. Open it in a new tab (`window.open(url, \"_blank\")`).\n * @throws {Error} If the user is not authenticated or has no refresh token.\n *\n * @example\n * ```ts\n * // Server Action\n * \"use server\";\n * import { getOpenURL, Page } from \"@authgear/nextjs/server\";\n * import { authgearConfig } from \"@/lib/authgear\";\n *\n * export async function getSettingsURLAction() {\n * return getOpenURL(Page.Settings, authgearConfig);\n * }\n * ```\n */\nexport async function getOpenURL(\n page: Page | string,\n config: AuthgearConfig,\n): Promise<string> {\n const resolved = resolveConfig(config);\n const cookieStore = await cookies();\n const sessionCookieValue = cookieStore.get(resolved.cookieName)?.value;\n if (!sessionCookieValue) throw new Error(\"Not authenticated\");\n let sessionData = decryptSession(sessionCookieValue, resolved.sessionSecret);\n if (!sessionData) throw new Error(\"Not authenticated\");\n if (!sessionData.refreshToken) throw new Error(\"No refresh token in session\");\n const oidcConfig = await fetchOIDCConfiguration(resolved.endpoint);\n const { app_session_token } = await getAppSessionToken(\n resolved.endpoint,\n sessionData.refreshToken!,\n );\n return buildOpenURL(oidcConfig, {\n clientID: resolved.clientID,\n appSessionToken: app_session_token,\n targetPath: page,\n scopes: resolved.scopes,\n });\n}\n\nexport { SessionState, Page, PromptOption };\nexport type { Session, UserInfo, JWTPayload };\n","import { jwtVerify } from \"jose\";\nimport type { JWTPayload, OIDCConfiguration } from \"../types.js\";\nimport { getJWKS } from \"./jwks.js\";\n\nexport interface VerifyOptions {\n /** Expected audience. If not set, audience is not checked. */\n audience?: string | string[];\n}\n\nexport async function verifyJWT(\n token: string,\n oidcConfig: OIDCConfiguration,\n options?: VerifyOptions,\n): Promise<JWTPayload> {\n const jwks = getJWKS(oidcConfig);\n\n const { payload } = await jwtVerify(token, jwks, {\n issuer: oidcConfig.issuer,\n audience: options?.audience,\n algorithms: [\"RS256\"],\n });\n\n return payload as unknown as JWTPayload;\n}\n","import { createRemoteJWKSet } from \"jose\";\nimport type { OIDCConfiguration } from \"../types.js\";\n\nconst jwksSets = new Map<string, ReturnType<typeof createRemoteJWKSet>>();\n\nexport function getJWKS(oidcConfig: OIDCConfiguration) {\n const uri = oidcConfig.jwks_uri;\n let jwks = jwksSets.get(uri);\n if (!jwks) {\n jwks = createRemoteJWKSet(new URL(uri));\n jwksSets.set(uri, jwks);\n }\n return jwks;\n}\n\n/** Clear cached JWKS (useful for testing) */\nexport function clearJWKSCache(): void {\n jwksSets.clear();\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;;;AAAA,OAAO;AACP,SAAS,eAAe;;;ACDxB,SAAS,iBAAiB;;;ACA1B,SAAS,0BAA0B;AAGnC,IAAM,WAAW,oBAAI,IAAmD;AAEjE,SAAS,QAAQ,YAA+B;AACrD,QAAM,MAAM,WAAW;AACvB,MAAI,OAAO,SAAS,IAAI,GAAG;AAC3B,MAAI,CAAC,MAAM;AACT,WAAO,mBAAmB,IAAI,IAAI,GAAG,CAAC;AACtC,aAAS,IAAI,KAAK,IAAI;AAAA,EACxB;AACA,SAAO;AACT;;;ADJA,eAAsB,UACpB,OACA,YACA,SACqB;AACrB,QAAM,OAAO,QAAQ,UAAU;AAE/B,QAAM,EAAE,QAAQ,IAAI,MAAM,UAAU,OAAO,MAAM;AAAA,IAC/C,QAAQ,WAAW;AAAA,IACnB,UAAU,SAAS;AAAA,IACnB,YAAY,CAAC,OAAO;AAAA,EACtB,CAAC;AAED,SAAO;AACT;;;ADLA,eAAsB,KAAK,QAA0C;AACnE,QAAM,WAAW,cAAc,MAAM;AACrC,QAAM,cAAc,MAAM,QAAQ;AAClC,QAAM,qBAAqB,YAAY,IAAI,SAAS,UAAU,GAAG;AAEjE,MAAI,cAAc,qBACd,eAAe,oBAAoB,SAAS,aAAa,IACzD;AAGJ,MAAI,eAAe,eAAe,YAAY,SAAS,KAAK,YAAY,cAAc;AACpF,QAAI;AACF,YAAM,aAAa,MAAM,uBAAuB,SAAS,QAAQ;AACjE,YAAM,gBAAgB,MAAM,mBAAmB,YAAY;AAAA,QACzD,cAAc,YAAY;AAAA,QAC1B,UAAU,SAAS;AAAA,MACrB,CAAC;AACD,oBAAc;AAAA,QACZ,aAAa,cAAc;AAAA,QAC3B,cAAc,cAAc,iBAAiB,YAAY;AAAA,QACzD,SAAS,cAAc,YAAY,YAAY;AAAA,QAC/C,WAAW,KAAK,MAAM,KAAK,IAAI,IAAI,GAAI,IAAI,cAAc;AAAA,MAC3D;AACA,UAAI;AACF,cAAM,YAAY,mBAAmB,SAAS,YAAY,aAAa,SAAS,aAAa;AAC7F,oBAAY,IAAI,UAAU,MAAM,UAAU,OAAO;AAAA,UAC/C,UAAU,UAAU;AAAA,UACpB,QAAQ,UAAU;AAAA,UAClB,UAAU,UAAU;AAAA,UACpB,MAAM,UAAU;AAAA,UAChB,QAAQ,UAAU;AAAA,QACpB,CAAC;AAAA,MACH,QAAQ;AAAA,MAER;AAAA,IACF,QAAQ;AACN,oBAAc;AAAA,IAChB;AAAA,EACF;AAEA,SAAO,mBAAmB,WAAW;AACvC;AAQA,eAAsB,YAAY,QAAkD;AAClF,QAAM,WAAW,cAAc,MAAM;AACrC,QAAM,cAAc,MAAM,QAAQ;AAClC,QAAM,qBAAqB,YAAY,IAAI,SAAS,UAAU,GAAG;AAEjE,MAAI,CAAC,mBAAoB,QAAO;AAEhC,MAAI,cAAc,eAAe,oBAAoB,SAAS,aAAa;AAC3E,MAAI,CAAC,YAAa,QAAO;AAEzB,QAAM,aAAa,MAAM,uBAAuB,SAAS,QAAQ;AAGjE,MAAI,eAAe,YAAY,SAAS,KAAK,YAAY,cAAc;AACrE,QAAI;AACF,YAAM,gBAAgB,MAAM,mBAAmB,YAAY;AAAA,QACzD,cAAc,YAAY;AAAA,QAC1B,UAAU,SAAS;AAAA,MACrB,CAAC;AACD,oBAAc;AAAA,QACZ,aAAa,cAAc;AAAA,QAC3B,cAAc,cAAc,iBAAiB,YAAY;AAAA,QACzD,SAAS,cAAc,YAAY,YAAY;AAAA,QAC/C,WAAW,KAAK,MAAM,KAAK,IAAI,IAAI,GAAI,IAAI,cAAc;AAAA,MAC3D;AAIA,UAAI;AACF,cAAM,YAAY,mBAAmB,SAAS,YAAY,aAAa,SAAS,aAAa;AAC7F,oBAAY,IAAI,UAAU,MAAM,UAAU,OAAO;AAAA,UAC/C,UAAU,UAAU;AAAA,UACpB,QAAQ,UAAU;AAAA,UAClB,UAAU,UAAU;AAAA,UACpB,MAAM,UAAU;AAAA,UAChB,QAAQ,UAAU;AAAA,QACpB,CAAC;AAAA,MACH,QAAQ;AAAA,MAER;AAAA,IACF,QAAQ;AACN,aAAO;AAAA,IACT;AAAA,EACF;AAEA,QAAM,cAAc,MAAM,MAAM,WAAW,mBAAmB;AAAA,IAC5D,SAAS,EAAE,eAAe,UAAU,YAAY,WAAW,GAAG;AAAA,EAChE,CAAC;AAED,MAAI,CAAC,YAAY,GAAI,QAAO;AAE5B,QAAM,MAAO,MAAM,YAAY,KAAK;AACpC,SAAO,cAAc,GAAG;AAC1B;AAQA,eAAsB,kBACpB,OACA,QACqB;AACrB,QAAM,WAAW,cAAc,MAAM;AACrC,QAAM,aAAa,MAAM,uBAAuB,SAAS,QAAQ;AACjE,SAAO,UAAU,OAAO,UAAU;AACpC;AA4BA,eAAsB,WACpB,MACA,QACiB;AACjB,QAAM,WAAW,cAAc,MAAM;AACrC,QAAM,cAAc,MAAM,QAAQ;AAClC,QAAM,qBAAqB,YAAY,IAAI,SAAS,UAAU,GAAG;AACjE,MAAI,CAAC,mBAAoB,OAAM,IAAI,MAAM,mBAAmB;AAC5D,MAAI,cAAc,eAAe,oBAAoB,SAAS,aAAa;AAC3E,MAAI,CAAC,YAAa,OAAM,IAAI,MAAM,mBAAmB;AACrD,MAAI,CAAC,YAAY,aAAc,OAAM,IAAI,MAAM,6BAA6B;AAC5E,QAAM,aAAa,MAAM,uBAAuB,SAAS,QAAQ;AACjE,QAAM,EAAE,kBAAkB,IAAI,MAAM;AAAA,IAClC,SAAS;AAAA,IACT,YAAY;AAAA,EACd;AACA,SAAO,aAAa,YAAY;AAAA,IAC9B,UAAU,SAAS;AAAA,IACnB,iBAAiB;AAAA,IACjB,YAAY;AAAA,IACZ,QAAQ,SAAS;AAAA,EACnB,CAAC;AACH;","names":[]}
package/dist/{types-Csfra4K2.d.ts → types-Cx-gnfE7.d.ts} RENAMED
@@ -3,8 +3,6 @@ interface AuthgearConfig {
3
3
  endpoint: string;
4
4
  /** OAuth client ID */
5
5
  clientID: string;
6
- /** OAuth client secret (for confidential server-side clients) */
7
- clientSecret?: string;
8
6
  /** Redirect URI for OAuth callback, e.g. "http://localhost:3000/api/auth/callback" */
9
7
  redirectURI: string;
10
8
  /** Where to redirect after logout */
@@ -15,13 +13,35 @@ interface AuthgearConfig {
15
13
  sessionSecret: string;
16
14
  /** Session cookie name. Defaults to "authgear.session" */
17
15
  cookieName?: string;
16
+ /**
17
+ * Whether to enable SSO (Single Sign-On) with other apps on the same Authgear tenant.
18
+ * When `true` (default), Authgear silently reuses its server-side session if the user
19
+ * is already logged in, so users are not prompted for credentials again.
20
+ * Set to `false` to always show the login form (`prompt=login`), which is recommended
21
+ * for single-app deployments where silent sign-in feels unexpected to the user.
22
+ * Defaults to `true`.
23
+ */
24
+ isSSOEnabled?: boolean;
18
25
  }
19
26
  /**
20
- * Pages that can be opened via open().
27
+ * Pages that can be opened via `getOpenURL` from `@authgear/nextjs/server`.
21
28
  */
22
29
  declare enum Page {
23
30
  Settings = "/settings"
24
31
  }
32
+ /**
33
+ * OIDC `prompt` parameter values.
34
+ * Pass to `signIn({ prompt })` or `SignInButton signInOptions={{ prompt }}` to control
35
+ * whether Authgear shows the login form for a specific authentication call.
36
+ *
37
+ * @see https://docs.authgear.com/authentication-and-access/single-sign-on/force-authgear-to-show-login-page
38
+ */
39
+ declare enum PromptOption {
40
+ /** Always show the login form, even if the user has an active Authgear session. */
41
+ Login = "login",
42
+ /** Never show the login form; return an error if the user is not already authenticated. */
43
+ None = "none"
44
+ }
25
45
  declare const DEFAULT_SCOPES: string[];
26
46
  declare enum SessionState {
27
47
  Unknown = "UNKNOWN",
@@ -91,4 +111,4 @@ interface OIDCConfiguration {
91
111
  issuer: string;
92
112
  }
93
113
 
94
- export { type AuthgearConfig as A, DEFAULT_SCOPES as D, type JWTPayload as J, type OIDCConfiguration as O, Page as P, type Session as S, type TokenResponse as T, type UserInfo as U, type SessionData as a, SessionState as b };
114
+ export { type AuthgearConfig as A, DEFAULT_SCOPES as D, type JWTPayload as J, type OIDCConfiguration as O, Page as P, type Session as S, type TokenResponse as T, type UserInfo as U, PromptOption as a, type SessionData as b, SessionState as c };
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "@authgear/nextjs",
3
- "version": "0.1.8",
3
+ "version": "0.3.0",
4
4
  "description": "Authgear SDK for Next.js 16 - OAuth authentication, session management, and JWT verification",
5
5
  "type": "module",
6
6
  "exports": {
package/dist/chunk-3KVYAFQJ.js DELETED
@@ -1,26 +0,0 @@
1
- // src/user.ts
2
- function parseUserInfo(raw) {
3
- return {
4
- sub: raw["sub"],
5
- email: raw["email"],
6
- emailVerified: raw["email_verified"],
7
- phoneNumber: raw["phone_number"],
8
- phoneNumberVerified: raw["phone_number_verified"],
9
- preferredUsername: raw["preferred_username"],
10
- givenName: raw["given_name"],
11
- familyName: raw["family_name"],
12
- name: raw["name"],
13
- picture: raw["picture"],
14
- roles: raw["https://authgear.com/claims/user/roles"],
15
- isAnonymous: raw["https://authgear.com/claims/user/is_anonymous"],
16
- isVerified: raw["https://authgear.com/claims/user/is_verified"],
17
- canReauthenticate: raw["https://authgear.com/claims/user/can_reauthenticate"],
18
- customAttributes: raw["custom_attributes"],
19
- raw
20
- };
21
- }
22
-
23
- export {
24
- parseUserInfo
25
- };
26
- //# sourceMappingURL=chunk-3KVYAFQJ.js.map
package/dist/chunk-3KVYAFQJ.js.map DELETED
@@ -1 +0,0 @@
1
- {"version":3,"sources":["../src/user.ts"],"sourcesContent":["import type { UserInfo } from \"./types.js\";\n\nexport function parseUserInfo(raw: Record<string, unknown>): UserInfo {\n return {\n sub: raw[\"sub\"] as string,\n email: raw[\"email\"] as string | undefined,\n emailVerified: raw[\"email_verified\"] as boolean | undefined,\n phoneNumber: raw[\"phone_number\"] as string | undefined,\n phoneNumberVerified: raw[\"phone_number_verified\"] as boolean | undefined,\n preferredUsername: raw[\"preferred_username\"] as string | undefined,\n givenName: raw[\"given_name\"] as string | undefined,\n familyName: raw[\"family_name\"] as string | undefined,\n name: raw[\"name\"] as string | undefined,\n picture: raw[\"picture\"] as string | undefined,\n roles: raw[\"https://authgear.com/claims/user/roles\"] as string[] | undefined,\n isAnonymous: raw[\"https://authgear.com/claims/user/is_anonymous\"] as boolean | undefined,\n isVerified: raw[\"https://authgear.com/claims/user/is_verified\"] as boolean | undefined,\n canReauthenticate: raw[\"https://authgear.com/claims/user/can_reauthenticate\"] as boolean | undefined,\n customAttributes: raw[\"custom_attributes\"] as Record<string, unknown> | undefined,\n raw,\n };\n}\n"],"mappings":";AAEO,SAAS,cAAc,KAAwC;AACpE,SAAO;AAAA,IACL,KAAK,IAAI,KAAK;AAAA,IACd,OAAO,IAAI,OAAO;AAAA,IAClB,eAAe,IAAI,gBAAgB;AAAA,IACnC,aAAa,IAAI,cAAc;AAAA,IAC/B,qBAAqB,IAAI,uBAAuB;AAAA,IAChD,mBAAmB,IAAI,oBAAoB;AAAA,IAC3C,WAAW,IAAI,YAAY;AAAA,IAC3B,YAAY,IAAI,aAAa;AAAA,IAC7B,MAAM,IAAI,MAAM;AAAA,IAChB,SAAS,IAAI,SAAS;AAAA,IACtB,OAAO,IAAI,wCAAwC;AAAA,IACnD,aAAa,IAAI,+CAA+C;AAAA,IAChE,YAAY,IAAI,8CAA8C;AAAA,IAC9D,mBAAmB,IAAI,qDAAqD;AAAA,IAC5E,kBAAkB,IAAI,mBAAmB;AAAA,IACzC;AAAA,EACF;AACF;","names":[]}
package/dist/chunk-UY6NEM2T.js.map DELETED
@@ -1 +0,0 @@
1
- {"version":3,"sources":["../src/types.ts"],"sourcesContent":["export interface AuthgearConfig {\n /** Authgear endpoint, e.g. \"https://myapp.authgear.cloud\" */\n endpoint: string;\n /** OAuth client ID */\n clientID: string;\n /** OAuth client secret (for confidential server-side clients) */\n clientSecret?: string;\n /** Redirect URI for OAuth callback, e.g. \"http://localhost:3000/api/auth/callback\" */\n redirectURI: string;\n /** Where to redirect after logout */\n postLogoutRedirectURI?: string;\n /** OAuth scopes. Defaults to [\"openid\", \"offline_access\", \"https://authgear.com/scopes/full-userinfo\"] */\n scopes?: string[];\n /** Secret key for encrypting session cookie (min 32 chars) */\n sessionSecret: string;\n /** Session cookie name. Defaults to \"authgear.session\" */\n cookieName?: string;\n}\n\n/**\n * Pages that can be opened via open().\n */\nexport enum Page {\n Settings = \"/settings\",\n}\n\nexport const DEFAULT_SCOPES = [\n \"openid\",\n \"offline_access\",\n \"https://authgear.com/scopes/full-userinfo\",\n];\n\nexport enum SessionState {\n Unknown = \"UNKNOWN\",\n NoSession = \"NO_SESSION\",\n Authenticated = \"AUTHENTICATED\",\n}\n\nexport interface SessionData {\n accessToken: string;\n refreshToken: string | null;\n idToken: string | null;\n expiresAt: number;\n}\n\nexport interface Session {\n state: SessionState;\n accessToken: string | null;\n refreshToken: string | null;\n idToken: string | null;\n expiresAt: number | null;\n user: UserInfo | null;\n}\n\nexport interface UserInfo {\n sub: string;\n email?: string;\n emailVerified?: boolean;\n phoneNumber?: string;\n phoneNumberVerified?: boolean;\n preferredUsername?: string;\n givenName?: string;\n familyName?: string;\n name?: string;\n picture?: string;\n roles?: string[];\n isAnonymous?: boolean;\n isVerified?: boolean;\n canReauthenticate?: boolean;\n customAttributes?: Record<string, unknown>;\n raw: Record<string, unknown>;\n}\n\nexport interface JWTPayload {\n sub: string;\n iss: string;\n aud: string | string[];\n exp: number;\n iat: number;\n jti?: string;\n client_id?: string;\n \"https://authgear.com/claims/user/is_anonymous\"?: boolean;\n \"https://authgear.com/claims/user/is_verified\"?: boolean;\n \"https://authgear.com/claims/user/can_reauthenticate\"?: boolean;\n \"https://authgear.com/claims/user/roles\"?: string[];\n [key: string]: unknown;\n}\n\nexport interface TokenResponse {\n access_token: string;\n token_type: string;\n expires_in: number;\n refresh_token?: string;\n id_token?: string;\n}\n\nexport interface AppSessionTokenResponse {\n app_session_token: string;\n expire_at: string;\n}\n\nexport interface OIDCConfiguration {\n authorization_endpoint: string;\n token_endpoint: string;\n userinfo_endpoint: string;\n revocation_endpoint: string;\n end_session_endpoint: string;\n jwks_uri: string;\n issuer: string;\n}\n"],"mappings":";AAsBO,IAAK,OAAL,kBAAKA,UAAL;AACL,EAAAA,MAAA,cAAW;AADD,SAAAA;AAAA,GAAA;AAIL,IAAM,iBAAiB;AAAA,EAC5B;AAAA,EACA;AAAA,EACA;AACF;AAEO,IAAK,eAAL,kBAAKC,kBAAL;AACL,EAAAA,cAAA,aAAU;AACV,EAAAA,cAAA,eAAY;AACZ,EAAAA,cAAA,mBAAgB;AAHN,SAAAA;AAAA,GAAA;","names":["Page","SessionState"]}