@banata-auth/nextjs 0.1.0

package/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2026 Banata Auth Contributors
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

package/README.md

@@ -0,0 +1,48 @@
+# @banata-auth/nextjs
+
+Next.js integration for Banata Auth -- route handler proxy, middleware, and server-side utilities.
+
+## Installation
+
+```bash
+npm install @banata-auth/nextjs
+```
+
+## Quick start
+
+### Route handler
+
+```ts
+// app/api/auth/[...all]/route.ts
+import { createRouteHandler } from "@banata-auth/nextjs";
+
+const handler = createRouteHandler({
+  convexSiteUrl: process.env.NEXT_PUBLIC_CONVEX_SITE_URL!,
+});
+
+export const { GET, POST } = handler;
+```
+
+### Server-side auth
+
+```ts
+import { createBanataAuthServer } from "@banata-auth/nextjs/server";
+
+const { handler, isAuthenticated, getToken } = createBanataAuthServer({
+  convexUrl: process.env.NEXT_PUBLIC_CONVEX_URL!,
+  convexSiteUrl: process.env.NEXT_PUBLIC_CONVEX_SITE_URL!,
+});
+
+// In a Server Component or API route
+const authenticated = await isAuthenticated();
+```
+
+## Features
+
+- Secure proxy route handler with header allowlisting
+- Server-side session and auth token retrieval
+- Middleware helpers for auth-gated routes
+
+## License
+
+MIT

package/dist/bot-protection.d.ts

@@ -0,0 +1,207 @@
+/**
+ * Bot protection utilities for Next.js applications using Banata Auth.
+ *
+ * Provides helpers to integrate bot detection services (Vercel BotID,
+ * Cloudflare Turnstile, hCaptcha, reCAPTCHA) with the Banata Auth
+ * route handler.
+ *
+ * These utilities wrap the route handler's POST method to automatically
+ * verify requests against protected auth paths before forwarding to
+ * the auth backend.
+ *
+ * Credentials can be supplied directly or fetched from the Banata Auth
+ * config API (configured via the Radar page in the dashboard).
+ *
+ * @example
+ * ```ts
+ * // app/api/auth/[...all]/route.ts
+ * import { createRouteHandler } from "@banata-auth/nextjs";
+ * import { withBotProtection, createBotIdVerifier } from "@banata-auth/nextjs/bot-protection";
+ *
+ * const handler = createRouteHandler({
+ *   convexSiteUrl: process.env.NEXT_PUBLIC_CONVEX_SITE_URL!,
+ * });
+ *
+ * export const GET = handler.GET;
+ * export const POST = withBotProtection(handler.POST, {
+ *   protectedPaths: ["/api/auth/sign-in", "/api/auth/sign-up"],
+ *   verify: async () => {
+ *     const { checkBotId } = await import("botid/server");
+ *     const result = await checkBotId();
+ *     return { isBot: result.isBot };
+ *   },
+ * });
+ * ```
+ *
+ * @example
+ * ```ts
+ * // Using credentials from the Banata Auth config API
+ * import { createConfigAwareVerifier } from "@banata-auth/nextjs/bot-protection";
+ *
+ * const verify = createConfigAwareVerifier({
+ *   configApiUrl: process.env.NEXT_PUBLIC_APP_URL + "/api/auth",
+ * });
+ *
+ * export const POST = withBotProtection(handler.POST, { verify });
+ * ```
+ */
+/**
+ * Result of a bot verification check.
+ */
+interface BotCheckResult {
+    /** Whether the request is from a bot. */
+    isBot: boolean;
+    /** Optional reason string for logging. */
+    reason?: string;
+}
+/**
+ * Function that verifies whether a request is from a bot.
+ * Implement with your provider of choice.
+ */
+type BotCheckFn = (request: Request) => Promise<BotCheckResult>;
+/**
+ * Configuration for the route-handler-level bot protection wrapper.
+ */
+interface BotProtectionConfig {
+    /**
+     * The verification function.
+     * Called for every request matching a protected path.
+     */
+    verify: BotCheckFn;
+    /**
+     * Path prefixes to protect. Requests to other paths pass through.
+     * @default ["/api/auth/sign-in", "/api/auth/sign-up", "/api/auth/forget-password", "/api/auth/reset-password"]
+     */
+    protectedPaths?: string[];
+    /**
+     * Whether to allow requests through if verification fails (service unavailable).
+     * @default true
+     */
+    failOpen?: boolean;
+    /**
+     * Error message returned when a bot is detected.
+     * @default "Bot detected. Access denied."
+     */
+    blockedMessage?: string;
+}
+/**
+ * Bot provider credentials as stored in the Radar configuration.
+ */
+interface BotProviderCredentials {
+    apiKey?: string;
+    siteKey?: string;
+    secretKey?: string;
+}
+/**
+ * Radar configuration shape returned by the config API.
+ */
+interface RadarConfigResponse {
+    enabled: boolean;
+    botDetection: boolean;
+    botProvider: string | null;
+    botProviderCredentials: BotProviderCredentials;
+}
+/**
+ * Options for creating a config-aware bot verifier.
+ */
+interface ConfigAwareVerifierOptions {
+    /**
+     * Base URL of the Banata Auth API (e.g., "http://localhost:3000/api/auth").
+     * The radar config endpoint will be called at `${configApiUrl}/banata/config/radar/get`.
+     */
+    configApiUrl: string;
+    /**
+     * How long to cache the radar config (in milliseconds).
+     * @default 60000 (1 minute)
+     */
+    cacheTtlMs?: number;
+    /**
+     * Cookie header to forward for authentication.
+     * If not provided, the verifier will try to read from the request headers.
+     */
+    cookieHeader?: string;
+    /**
+     * Whether to allow requests through if config fetch or verification fails.
+     * @default true
+     */
+    failOpen?: boolean;
+}
+/**
+ * Wrap a route handler function with bot protection.
+ *
+ * This is the recommended way to add bot protection in Next.js
+ * route handlers. It checks requests against protected paths and
+ * verifies them before forwarding to the auth handler.
+ *
+ * @param handler - The original route handler function (e.g., `handler.POST`)
+ * @param config - Bot protection configuration
+ * @returns A wrapped handler that verifies bots before forwarding
+ *
+ * @example
+ * ```ts
+ * import { createRouteHandler } from "@banata-auth/nextjs";
+ * import { withBotProtection } from "@banata-auth/nextjs/bot-protection";
+ * import { checkBotId } from "botid/server";
+ *
+ * const handler = createRouteHandler({ convexSiteUrl: "..." });
+ *
+ * export const GET = handler.GET;
+ * export const POST = withBotProtection(handler.POST, {
+ *   verify: async () => {
+ *     const result = await checkBotId();
+ *     return { isBot: result.isBot };
+ *   },
+ * });
+ * ```
+ */
+declare function withBotProtection<THandler extends (...args: any[]) => Promise<Response>>(handler: THandler, config: BotProtectionConfig): THandler;
+/**
+ * Create a BotID verification function for use with `withBotProtection`
+ * or the `banataProtection` plugin.
+ *
+ * This is a convenience factory that wraps Vercel BotID's `checkBotId()`
+ * function in the format expected by the protection system.
+ *
+ * @param checkBotIdFn - The `checkBotId` function from `botid/server`
+ * @returns A verification function compatible with `BotCheckFn` / `BotVerifyFn`
+ *
+ * @example
+ * ```ts
+ * import { createBotIdVerifier } from "@banata-auth/nextjs/bot-protection";
+ * import { checkBotId } from "botid/server";
+ *
+ * const verify = createBotIdVerifier(checkBotId);
+ *
+ * export const POST = withBotProtection(handler.POST, { verify });
+ * ```
+ */
+declare function createBotIdVerifier(checkBotIdFn: () => Promise<{
+    isBot: boolean;
+}>): BotCheckFn;
+/**
+ * Create a bot verifier that reads provider credentials from the
+ * Banata Auth config API (Radar configuration).
+ *
+ * This allows dashboard admins to configure bot protection credentials
+ * through the UI (Radar > Configuration > Bot Detection Provider),
+ * and the verifier will automatically pick up the latest credentials.
+ *
+ * The config is cached in-memory for performance (default: 1 minute TTL).
+ *
+ * @param options - Config-aware verifier options
+ * @returns A verification function that uses the configured bot provider
+ *
+ * @example
+ * ```ts
+ * import { createConfigAwareVerifier, withBotProtection } from "@banata-auth/nextjs/bot-protection";
+ *
+ * const verify = createConfigAwareVerifier({
+ *   configApiUrl: process.env.NEXT_PUBLIC_APP_URL + "/api/auth",
+ * });
+ *
+ * export const POST = withBotProtection(handler.POST, { verify });
+ * ```
+ */
+declare function createConfigAwareVerifier(options: ConfigAwareVerifierOptions): BotCheckFn;
+
+export { type BotCheckFn, type BotCheckResult, type BotProtectionConfig, type BotProviderCredentials, type ConfigAwareVerifierOptions, type RadarConfigResponse, createBotIdVerifier, createConfigAwareVerifier, withBotProtection };

package/dist/bot-protection.js

@@ -0,0 +1,286 @@
+var __defProp = Object.defineProperty;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __esm = (fn, res) => function __init() {
+  return fn && (res = (0, fn[__getOwnPropNames(fn)[0]])(fn = 0)), res;
+};
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+
+// ../../node_modules/botid/dist/server/index.mjs
+var server_exports = {};
+__export(server_exports, {
+  checkBotId: () => z
+});
+async function m(e) {
+  let o = l();
+  if (o.headers || process.env.NODE_ENV !== "development") return { ...o.headers || {}, url: o.url || "" };
+  let t = await T();
+  if (t) return x(t);
+  if (e) {
+    let n = {};
+    for (let [i, r] of Object.entries(e)) typeof r == "string" ? n[i.toLowerCase()] = r : Array.isArray(r) && (n[i.toLowerCase()] = r.join(", "));
+    return n;
+  }
+  return {};
+}
+async function T() {
+  try {
+    let { headers: e } = await import('next/headers');
+    return e();
+  } catch {
+    return null;
+  }
+}
+function x(e) {
+  let o = {};
+  return e.forEach((t, n) => {
+    o[n] = t;
+  }), o;
+}
+async function g() {
+  return C();
+}
+function C() {
+  let e = l().headers?.["x-vercel-oidc-token"] ?? process.env.VERCEL_OIDC_TOKEN;
+  if (!e) throw new Error("The 'x-vercel-oidc-token' header is missing from the request. Do you have the OIDC option enabled in the Vercel project settings?");
+  return e;
+}
+var k, h, B, l, y, H, w, z;
+var init_server = __esm({
+  "../../node_modules/botid/dist/server/index.mjs"() {
+    k = "https://api.vercel.com/bot-protection";
+    h = () => process.env.OVERRIDE_BOTID_SERVER_URL ? process.env.OVERRIDE_BOTID_SERVER_URL : k;
+    B = Symbol.for("@vercel/request-context");
+    l = () => globalThis[B]?.get?.() ?? {};
+    y = (e) => {
+      let o = e.cookie ?? e.Cookie ?? "";
+      return o ? o.split(";").map((t) => t.trim()).filter((t) => t.length > 0).map((t) => {
+        let [n, ...i] = t.split("="), r = i.join("=");
+        return { name: n.trim(), value: r.trim() };
+      }) : [];
+    };
+    H = (e) => {
+      let { authorization: o, ...t } = e, i = y(t).filter((a) => a.name.startsWith("KP_")), r = {};
+      for (let a of i) r[a.name] = a.value;
+      return Object.keys(r).length > 0 ? t.cookie = Object.entries(r).map(([a, f]) => `${a}=${f}`).join("; ") : t.cookie = void 0, t;
+    };
+    w = (e) => {
+      try {
+        return new URL(e);
+      } catch {
+        return null;
+      }
+    };
+    z = async ({ developmentOptions: e, advancedOptions: o } = {}) => {
+      if (o?.checkLevel !== void 0 && o.checkLevel !== "deepAnalysis" && o.checkLevel !== "basic") throw new Error(`Invalid checkLevel "${o.checkLevel}". Must be one of: deepAnalysis, basic`);
+      let t = await m(o?.headers), n = t.host || "unknown host", i = w(t.url || "")?.pathname || t["x-path"] || "<your protected endpoint>", r = t["x-method"] || "POST", a = t["x-is-human"], f = e?.isDevelopment ?? process.env.NODE_ENV !== "production";
+      if (a || (process.env.NODE_ENV !== "production" || process.env.VERCEL_ENV !== "production" ? console.error(`Possible misconfiguration of Vercel BotId. 
+Ensure that the client-side protection is properly configured for '${r} ${i}'.
+Add the following item to your BotId client side protection:
+{
+  path: '${i}',
+  method: '${r}',
+}
+More info at https://vercel.com/docs/botid/get-started#add-client-side-protection`) : console.warn(`Possible misconfiguration of Vercel BotId or malicious request to '${r} ${i}'. More info at https://vercel.com/docs/botid/get-started#add-client-side-protection`)), f && e?.bypass) return { isHuman: e.bypass === "HUMAN", isBot: e.bypass === "BAD-BOT", isVerifiedBot: e.bypass === "GOOD-BOT", bypassed: false };
+      if (f) return console.warn("[Dev Only] Without setting the developmentOptions.bypass value, the bot protection will return HUMAN."), { isHuman: true, isBot: false, isVerifiedBot: false, bypassed: true };
+      let R = h(), u = o?.vercelOidcToken ?? await g();
+      if (!u) throw new Error("VERCEL_OIDC_TOKEN is not set");
+      let d = l(), b = H(t), v = { url: d.url || "", method: r, headers: Object.entries(b), vercelOidcToken: u, forceCheckLevel: o?.checkLevel, extraAllowedHosts: o?.extraAllowedHosts }, E = `${R}/v1/is-bot?v=${3}  `, s = await (await fetch(E, { method: "POST", body: JSON.stringify(v), headers: { "Content-Type": "application/json", "user-agent": `Vercel/BotId (${n})`, "x-vercel-oidc-token": u } })).json();
+      if (!d) throw new Error("Must be deployed on Vercel to access response headers");
+      if (!d.mutateResponseHeadersBeforeFlush) throw new Error("Must be deployed on Vercel to set response headers");
+      if (s.responseHeadersToSet?.addHeaders) for (let c of s.responseHeadersToSet.addHeaders) d.mutateResponseHeadersBeforeFlush((p) => {
+        p.append(c.key, c.value);
+      });
+      if (s.responseHeadersToSet?.addValuesToHeaders) for (let c of s.responseHeadersToSet.addValuesToHeaders) d.mutateResponseHeadersBeforeFlush((p) => {
+        p.append(c.key, c.value);
+      });
+      if (s.responseHeadersToSet?.replaceHeaders) for (let c of s.responseHeadersToSet.replaceHeaders) d.mutateResponseHeadersBeforeFlush((p) => {
+        p.set(c.key, c.value);
+      });
+      return { isHuman: !s.isBot, isBot: s.isBot, isVerifiedBot: s.isVerifiedBot, verifiedBotName: s.verifiedBotName, verifiedBotCategory: s.verifiedBotCategory, bypassed: s.bypassed, classificationReason: s.classificationReason, ...o?.returnResponseHeaders && { responseHeaders: s.responseHeadersToSet } };
+    };
+  }
+});
+
+// src/bot-protection.ts
+var DEFAULT_PROTECTED_PATHS = [
+  "/api/auth/sign-in",
+  "/api/auth/sign-up",
+  "/api/auth/forget-password",
+  "/api/auth/reset-password"
+];
+function withBotProtection(handler, config) {
+  const {
+    verify,
+    protectedPaths = DEFAULT_PROTECTED_PATHS,
+    failOpen = true,
+    blockedMessage = "Bot detected. Access denied."
+  } = config;
+  const wrapped = async (...args) => {
+    const request = args[0];
+    if (request?.url) {
+      const url = new URL(request.url);
+      const isProtected = protectedPaths.some((path) => url.pathname.startsWith(path));
+      if (isProtected) {
+        try {
+          const result = await verify(request);
+          if (result.isBot) {
+            return new Response(JSON.stringify({ error: blockedMessage }), {
+              status: 403,
+              headers: { "Content-Type": "application/json" }
+            });
+          }
+        } catch {
+          if (!failOpen) {
+            return new Response(
+              JSON.stringify({ error: "Bot verification unavailable. Please try again." }),
+              {
+                status: 503,
+                headers: { "Content-Type": "application/json" }
+              }
+            );
+          }
+        }
+      }
+    }
+    return handler(...args);
+  };
+  return wrapped;
+}
+function createBotIdVerifier(checkBotIdFn) {
+  return async (_request) => {
+    try {
+      const result = await checkBotIdFn();
+      return { isBot: result.isBot };
+    } catch {
+      return { isBot: false };
+    }
+  };
+}
+function createConfigAwareVerifier(options) {
+  const { configApiUrl, cacheTtlMs = 6e4, failOpen = true } = options;
+  let cachedConfig = null;
+  let cacheTimestamp = 0;
+  async function fetchRadarConfig(request) {
+    const now = Date.now();
+    if (cachedConfig && now - cacheTimestamp < cacheTtlMs) {
+      return cachedConfig;
+    }
+    try {
+      const cookieHeader = options.cookieHeader ?? request.headers.get("cookie") ?? "";
+      const response = await fetch(`${configApiUrl}/banata/config/radar/get`, {
+        method: "POST",
+        headers: {
+          "content-type": "application/json",
+          ...cookieHeader ? { cookie: cookieHeader } : {}
+        },
+        body: JSON.stringify({})
+      });
+      if (!response.ok) {
+        console.warn("[bot-protection] Failed to fetch radar config:", response.status);
+        return cachedConfig;
+      }
+      const data = await response.json();
+      cachedConfig = data;
+      cacheTimestamp = now;
+      return data;
+    } catch (error) {
+      console.warn(
+        "[bot-protection] Error fetching radar config:",
+        error instanceof Error ? error.message : error
+      );
+      return cachedConfig;
+    }
+  }
+  return async (request) => {
+    try {
+      const radarConfig = await fetchRadarConfig(request);
+      if (!radarConfig?.enabled || !radarConfig.botDetection) {
+        return { isBot: false };
+      }
+      const { botProvider, botProviderCredentials } = radarConfig;
+      if (!botProvider || !botProviderCredentials) {
+        return { isBot: false };
+      }
+      switch (botProvider) {
+        case "botid": {
+          try {
+            const { checkBotId } = await Promise.resolve().then(() => (init_server(), server_exports));
+            const result = await checkBotId();
+            return { isBot: result.isBot };
+          } catch {
+            return { isBot: false };
+          }
+        }
+        case "turnstile": {
+          const { secretKey } = botProviderCredentials;
+          if (!secretKey) return { isBot: false };
+          const formData = new URLSearchParams();
+          formData.append("secret", secretKey);
+          const turnstileToken = request.headers.get("cf-turnstile-response") ?? request.headers.get("x-turnstile-token");
+          if (!turnstileToken) {
+            return { isBot: false, reason: "No Turnstile token provided" };
+          }
+          formData.append("response", turnstileToken);
+          const verifyResponse = await fetch(
+            "https://challenges.cloudflare.com/turnstile/v0/siteverify",
+            {
+              method: "POST",
+              headers: { "content-type": "application/x-www-form-urlencoded" },
+              body: formData.toString()
+            }
+          );
+          const verifyResult = await verifyResponse.json();
+          return { isBot: !verifyResult.success };
+        }
+        case "recaptcha": {
+          const { secretKey: recaptchaSecret } = botProviderCredentials;
+          if (!recaptchaSecret) return { isBot: false };
+          const recaptchaToken = request.headers.get("x-recaptcha-token") ?? request.headers.get("g-recaptcha-response");
+          if (!recaptchaToken) {
+            return { isBot: false, reason: "No reCAPTCHA token provided" };
+          }
+          const recaptchaResponse = await fetch(
+            `https://www.google.com/recaptcha/api/siteverify?secret=${encodeURIComponent(recaptchaSecret)}&response=${encodeURIComponent(recaptchaToken)}`,
+            { method: "POST" }
+          );
+          const recaptchaResult = await recaptchaResponse.json();
+          const isBot = !recaptchaResult.success || (recaptchaResult.score ?? 1) < 0.5;
+          return { isBot };
+        }
+        case "hcaptcha": {
+          const { secretKey: hcaptchaSecret } = botProviderCredentials;
+          if (!hcaptchaSecret) return { isBot: false };
+          const hcaptchaToken = request.headers.get("x-hcaptcha-token") ?? request.headers.get("h-captcha-response");
+          if (!hcaptchaToken) {
+            return { isBot: false, reason: "No hCaptcha token provided" };
+          }
+          const hcaptchaResponse = await fetch("https://api.hcaptcha.com/siteverify", {
+            method: "POST",
+            headers: { "content-type": "application/x-www-form-urlencoded" },
+            body: `secret=${encodeURIComponent(hcaptchaSecret)}&response=${encodeURIComponent(hcaptchaToken)}`
+          });
+          const hcaptchaResult = await hcaptchaResponse.json();
+          return { isBot: !hcaptchaResult.success };
+        }
+        default:
+          return { isBot: false };
+      }
+    } catch (error) {
+      if (failOpen) {
+        console.warn(
+          "[bot-protection] Verification failed, allowing request (failOpen=true):",
+          error instanceof Error ? error.message : error
+        );
+        return { isBot: false };
+      }
+      return { isBot: true, reason: "Verification service unavailable" };
+    }
+  };
+}
+
+export { createBotIdVerifier, createConfigAwareVerifier, withBotProtection };
+//# sourceMappingURL=bot-protection.js.map
+//# sourceMappingURL=bot-protection.js.map

package/dist/bot-protection.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../../../node_modules/botid/dist/server/index.mjs","../src/bot-protection.ts"],"names":[],"mappings":";;;;;;;;;;;AAAA,IAAA,cAAA,GAAA,EAAA;AAAA,QAAA,CAAA,cAAA,EAAA;AAAA,EAAA,UAAA,EAAA,MAAA;AAAA,CAAA,CAAA;AAA+M,eAAe,EAAE,CAAA,EAAE;AAAC,EAAA,IAAI,IAAE,CAAA,EAAE;AAAE,EAAA,IAAG,EAAE,OAAA,IAAS,OAAA,CAAQ,GAAA,CAAI,QAAA,KAAW,eAAc,OAAM,EAAC,GAAG,CAAA,CAAE,WAAS,EAAC,EAAE,GAAA,EAAI,CAAA,CAAE,OAAK,EAAA,EAAE;AAAE,EAAA,IAAI,CAAA,GAAE,MAAM,CAAA,EAAE;AAAE,EAAA,IAAG,CAAA,EAAE,OAAO,CAAA,CAAE,CAAC,CAAA;AAAE,EAAA,IAAG,CAAA,EAAE;AAAC,IAAA,IAAI,IAAE,EAAC;AAAE,IAAA,KAAA,IAAO,CAAC,CAAA,EAAE,CAAC,CAAA,IAAI,MAAA,CAAO,OAAA,CAAQ,CAAC,CAAA,EAAE,OAAO,CAAA,IAAG,QAAA,GAAS,CAAA,CAAE,CAAA,CAAE,WAAA,EAAa,CAAA,GAAE,CAAA,GAAE,KAAA,CAAM,OAAA,CAAQ,CAAC,CAAA,KAAI,CAAA,CAAE,CAAA,CAAE,WAAA,EAAa,CAAA,GAAE,CAAA,CAAE,IAAA,CAAK,IAAI,CAAA,CAAA;AAAG,IAAA,OAAO,CAAA;AAAA,EAAC;AAAC,EAAA,OAAM,EAAC;AAAC;AAAC,eAAe,CAAA,GAAG;AAAC,EAAA,IAAG;AAAC,IAAA,IAAG,EAAC,OAAA,EAAQ,CAAA,EAAC,GAAE,MAAM,OAAO,cAAc,CAAA;AAAE,IAAA,OAAO,CAAA,EAAE;AAAA,EAAC,CAAA,CAAA,MAAM;AAAC,IAAA,OAAO,IAAA;AAAA,EAAI;AAAC;AAAC,SAAS,EAAE,CAAA,EAAE;AAAC,EAAA,IAAI,IAAE,EAAC;AAAE,EAAA,OAAO,CAAA,CAAE,OAAA,CAAQ,CAAC,CAAA,EAAE,CAAA,KAAI;AAAC,IAAA,CAAA,CAAE,CAAC,CAAA,GAAE,CAAA;AAAA,EAAC,CAAC,CAAA,EAAE,CAAA;AAAC;AAAC,eAAe,CAAA,GAAG;AAAC,EAAA,OAAO,CAAA,EAAE;AAAC;AAAC,SAAS,CAAA,GAAG;AAAC,EAAA,IAAI,IAAE,CAAA,EAAE,CAAE,UAAU,qBAAqB,CAAA,IAAG,QAAQ,GAAA,CAAI,iBAAA;AAAkB,EAAA,IAAG,CAAC,CAAA,EAAE,MAAM,IAAI,MAAM,mIAAmI,CAAA;AAAE,EAAA,OAAO,CAAA;AAAC;AAA17B,IAAI,GAA0C,CAAA,EAAwF,CAAA,EAAwC,CAAA,EAAixB,CAAA,EAA8L,GAAyO,CAAA,EAAgD,CAAA;AAAt5C,IAAA,WAAA,GAAA,KAAA,CAAA;AAAA,EAAA,gDAAA,GAAA;AAAA,IAAI,CAAA,GAAE,uCAAA;AAAN,IAA8C,IAAE,MAAI,OAAA,CAAQ,IAAI,yBAAA,GAA0B,OAAA,CAAQ,IAAI,yBAAA,GAA0B,CAAA;AAAE,IAAI,CAAA,GAAE,MAAA,CAAO,GAAA,CAAI,yBAAyB,CAAA;AAA1C,IAA4C,IAAE,MAAI,UAAA,CAAW,CAAC,CAAA,EAAG,GAAA,QAAS,EAAC;AAA8uB,IAAI,IAAE,CAAA,CAAA,KAAG;AAAC,MAAA,IAAI,CAAA,GAAE,CAAA,CAAE,MAAA,IAAQ,CAAA,CAAE,MAAA,IAAQ,EAAA;AAAG,MAAA,OAAO,IAAE,CAAA,CAAE,KAAA,CAAM,GAAG,CAAA,CAAE,GAAA,CAAI,OAAG,CAAA,CAAE,IAAA,EAAM,CAAA,CAAE,OAAO,CAAA,CAAA,KAAG,CAAA,CAAE,SAAO,CAAC,CAAA,CAAE,IAAI,CAAA,CAAA,KAAG;AAAC,QAAA,IAAG,CAAC,CAAA,EAAE,GAAG,CAAC,CAAA,GAAE,CAAA,CAAE,KAAA,CAAM,GAAG,CAAA,EAAE,CAAA,GAAE,CAAA,CAAE,IAAA,CAAK,GAAG,CAAA;AAAE,QAAA,OAAM,EAAC,MAAK,CAAA,CAAE,IAAA,IAAO,KAAA,EAAM,CAAA,CAAE,MAAK,EAAC;AAAA,MAAC,CAAC,IAAE,EAAC;AAAA,IAAC,CAAA;AAAE,IAAI,IAAE,CAAA,CAAA,KAAG;AAAC,MAAA,IAAG,EAAC,eAAc,CAAA,EAAE,GAAG,GAAC,GAAE,CAAA,EAAE,IAAE,CAAA,CAAE,CAAC,EAAE,MAAA,CAAO,CAAA,CAAA,KAAG,EAAE,IAAA,CAAK,UAAA,CAAW,KAAK,CAAC,CAAA,EAAE,IAAE,EAAC;AAAE,MAAA,KAAA,IAAQ,KAAK,CAAA,EAAE,CAAA,CAAE,CAAA,CAAE,IAAI,IAAE,CAAA,CAAE,KAAA;AAAM,MAAA,OAAO,MAAA,CAAO,IAAA,CAAK,CAAC,CAAA,CAAE,MAAA,GAAO,CAAA,GAAE,CAAA,CAAE,MAAA,GAAO,MAAA,CAAO,OAAA,CAAQ,CAAC,CAAA,CAAE,GAAA,CAAI,CAAC,CAAC,CAAA,EAAE,CAAC,CAAA,KAAI,CAAA,EAAG,CAAC,CAAA,CAAA,EAAI,CAAC,CAAA,CAAE,CAAA,CAAE,IAAA,CAAK,IAAI,CAAA,GAAE,CAAA,CAAE,SAAO,MAAA,EAAO,CAAA;AAAA,IAAC,CAAA;AAAE,IAAI,IAAE,CAAA,CAAA,KAAG;AAAC,MAAA,IAAG;AAAC,QAAA,OAAO,IAAI,IAAI,CAAC,CAAA;AAAA,MAAC,CAAA,CAAA,MAAM;AAAC,QAAA,OAAO,IAAA;AAAA,MAAI;AAAA,IAAC,CAAA;AAAlD,IAAoD,CAAA,GAAE,OAAM,EAAC,kBAAA,EAAmB,GAAE,eAAA,EAAgB,CAAA,EAAC,GAAE,EAAC,KAAI;AAAC,MAAA,IAAG,CAAA,EAAG,UAAA,KAAa,MAAA,IAAQ,CAAA,CAAE,eAAa,cAAA,IAAgB,CAAA,CAAE,UAAA,KAAa,OAAA,QAAc,IAAI,KAAA,CAAM,CAAA,oBAAA,EAAuB,CAAA,CAAE,UAAU,CAAA,sCAAA,CAAwC,CAAA;AAAE,MAAA,IAAI,CAAA,GAAE,MAAM,CAAA,CAAE,CAAA,EAAG,OAAO,CAAA,EAAE,CAAA,GAAE,CAAA,CAAE,IAAA,IAAM,gBAAe,CAAA,GAAE,CAAA,CAAE,CAAA,CAAE,GAAA,IAAK,EAAE,CAAA,EAAG,QAAA,IAAU,CAAA,CAAE,QAAQ,KAAG,2BAAA,EAA4B,CAAA,GAAE,CAAA,CAAE,UAAU,KAAG,MAAA,EAAO,CAAA,GAAE,CAAA,CAAE,YAAY,GAAE,CAAA,GAAE,CAAA,EAAG,aAAA,IAAe,OAAA,CAAQ,IAAI,QAAA,KAAW,YAAA;AAAa,MAAA,IAAG,CAAA,KAAI,OAAA,CAAQ,GAAA,CAAI,QAAA,KAAW,YAAA,IAAc,QAAQ,GAAA,CAAI,UAAA,KAAa,YAAA,GAAa,OAAA,CAAQ,KAAA,CAAM,CAAA;AAAA,mEAAA,EAC92D,CAAC,IAAI,CAAC,CAAA;AAAA;AAAA;AAAA,SAAA,EAGhE,CAAC,CAAA;AAAA,WAAA,EACC,CAAC,CAAA;AAAA;AAAA,iFAAA,CAEoE,CAAA,GAAE,OAAA,CAAQ,IAAA,CAAK,CAAA,mEAAA,EAAsE,CAAC,CAAA,CAAA,EAAI,CAAC,CAAA,oFAAA,CAAsF,CAAA,CAAA,EAAG,CAAA,IAAG,CAAA,EAAG,MAAA,EAAO,OAAM,EAAC,OAAA,EAAQ,CAAA,CAAE,MAAA,KAAS,OAAA,EAAQ,KAAA,EAAM,CAAA,CAAE,MAAA,KAAS,SAAA,EAAU,aAAA,EAAc,CAAA,CAAE,MAAA,KAAS,UAAA,EAAW,QAAA,EAAS,KAAA,EAAE;AAAE,MAAA,IAAG,CAAA,EAAE,OAAO,OAAA,CAAQ,IAAA,CAAK,uGAAuG,CAAA,EAAE,EAAC,OAAA,EAAQ,IAAA,EAAG,KAAA,EAAM,KAAA,EAAG,aAAA,EAAc,KAAA,EAAG,UAAS,IAAA,EAAE;AAAE,MAAA,IAAI,IAAE,CAAA,EAAE,EAAE,IAAE,CAAA,EAAG,eAAA,IAAiB,MAAM,CAAA,EAAE;AAAE,MAAA,IAAG,CAAC,CAAA,EAAE,MAAM,IAAI,MAAM,8BAA8B,CAAA;AAAE,MAAA,IAAI,CAAA,GAAE,CAAA,EAAE,EAAE,CAAA,GAAE,CAAA,CAAE,CAAC,CAAA,EAAE,CAAA,GAAE,EAAC,GAAA,EAAI,CAAA,CAAE,GAAA,IAAK,EAAA,EAAG,MAAA,EAAO,CAAA,EAAE,OAAA,EAAQ,MAAA,CAAO,OAAA,CAAQ,CAAC,CAAA,EAAE,eAAA,EAAgB,CAAA,EAAE,eAAA,EAAgB,CAAA,EAAG,UAAA,EAAW,iBAAA,EAAkB,CAAA,EAAG,iBAAA,EAAiB,EAAE,CAAA,GAAE,CAAA,EAAG,CAAC,CAAA,aAAA,EAAgB,CAAC,CAAA,EAAA,CAAA,EAAK,CAAA,GAAE,MAAA,CAAM,MAAM,KAAA,CAAM,CAAA,EAAE,EAAC,MAAA,EAAO,MAAA,EAAO,IAAA,EAAK,IAAA,CAAK,SAAA,CAAU,CAAC,CAAA,EAAE,OAAA,EAAQ,EAAC,cAAA,EAAe,kBAAA,EAAmB,YAAA,EAAa,CAAA,cAAA,EAAiB,CAAC,CAAA,CAAA,CAAA,EAAI,qBAAA,EAAsB,CAAA,EAAC,EAAE,GAAG,IAAA,EAAK;AAAE,MAAA,IAAG,CAAC,CAAA,EAAE,MAAM,IAAI,MAAM,uDAAuD,CAAA;AAAE,MAAA,IAAG,CAAC,CAAA,CAAE,gCAAA,EAAiC,MAAM,IAAI,MAAM,oDAAoD,CAAA;AAAE,MAAA,IAAG,CAAA,CAAE,oBAAA,EAAsB,UAAA,EAAW,KAAA,IAAQ,CAAA,IAAK,EAAE,oBAAA,CAAqB,UAAA,EAAW,CAAA,CAAE,gCAAA,CAAiC,CAAA,CAAA,KAAG;AAAC,QAAA,CAAA,CAAE,MAAA,CAAO,CAAA,CAAE,GAAA,EAAI,CAAA,CAAE,KAAK,CAAA;AAAA,MAAC,CAAC,CAAA;AAAE,MAAA,IAAG,CAAA,CAAE,oBAAA,EAAsB,kBAAA,EAAmB,KAAA,IAAQ,CAAA,IAAK,EAAE,oBAAA,CAAqB,kBAAA,EAAmB,CAAA,CAAE,gCAAA,CAAiC,CAAA,CAAA,KAAG;AAAC,QAAA,CAAA,CAAE,MAAA,CAAO,CAAA,CAAE,GAAA,EAAI,CAAA,CAAE,KAAK,CAAA;AAAA,MAAC,CAAC,CAAA;AAAE,MAAA,IAAG,CAAA,CAAE,oBAAA,EAAsB,cAAA,EAAe,KAAA,IAAQ,CAAA,IAAK,EAAE,oBAAA,CAAqB,cAAA,EAAe,CAAA,CAAE,gCAAA,CAAiC,CAAA,CAAA,KAAG;AAAC,QAAA,CAAA,CAAE,GAAA,CAAI,CAAA,CAAE,GAAA,EAAI,CAAA,CAAE,KAAK,CAAA;AAAA,MAAC,CAAC,CAAA;AAAE,MAAA,OAAM,EAAC,OAAA,EAAQ,CAAC,CAAA,CAAE,KAAA,EAAM,KAAA,EAAM,CAAA,CAAE,KAAA,EAAM,aAAA,EAAc,CAAA,CAAE,aAAA,EAAc,eAAA,EAAgB,EAAE,eAAA,EAAgB,mBAAA,EAAoB,CAAA,CAAE,mBAAA,EAAoB,QAAA,EAAS,CAAA,CAAE,QAAA,EAAS,oBAAA,EAAqB,CAAA,CAAE,oBAAA,EAAqB,GAAG,CAAA,EAAG,qBAAA,IAAuB,EAAC,eAAA,EAAgB,CAAA,CAAE,sBAAoB,EAAC;AAAA,IAAC,CAAA;AAAA,EAAA;AAAA,CAAA,CAAA;;;AC0Ir6D,IAAM,uBAAA,GAA0B;AAAA,EAC/B,mBAAA;AAAA,EACA,mBAAA;AAAA,EACA,2BAAA;AAAA,EACA;AACD,CAAA;AAgCO,SAAS,iBAAA,CACf,SACA,MAAA,EACW;AACX,EAAA,MAAM;AAAA,IACL,MAAA;AAAA,IACA,cAAA,GAAiB,uBAAA;AAAA,IACjB,QAAA,GAAW,IAAA;AAAA,IACX,cAAA,GAAiB;AAAA,GAClB,GAAI,MAAA;AAEJ,EAAA,MAAM,OAAA,GAAU,UAAU,IAAA,KAAkD;AAE3E,IAAA,MAAM,OAAA,GAAU,KAAK,CAAC,CAAA;AAEtB,IAAA,IAAI,SAAS,GAAA,EAAK;AACjB,MAAA,MAAM,GAAA,GAAM,IAAI,GAAA,CAAI,OAAA,CAAQ,GAAG,CAAA;AAC/B,MAAA,MAAM,WAAA,GAAc,eAAe,IAAA,CAAK,CAAC,SAAS,GAAA,CAAI,QAAA,CAAS,UAAA,CAAW,IAAI,CAAC,CAAA;AAE/E,MAAA,IAAI,WAAA,EAAa;AAChB,QAAA,IAAI;AACH,UAAA,MAAM,MAAA,GAAS,MAAM,MAAA,CAAO,OAAO,CAAA;AACnC,UAAA,IAAI,OAAO,KAAA,EAAO;AACjB,YAAA,OAAO,IAAI,SAAS,IAAA,CAAK,SAAA,CAAU,EAAE,KAAA,EAAO,cAAA,EAAgB,CAAA,EAAG;AAAA,cAC9D,MAAA,EAAQ,GAAA;AAAA,cACR,OAAA,EAAS,EAAE,cAAA,EAAgB,kBAAA;AAAmB,aAC9C,CAAA;AAAA,UACF;AAAA,QACD,CAAA,CAAA,MAAQ;AACP,UAAA,IAAI,CAAC,QAAA,EAAU;AACd,YAAA,OAAO,IAAI,QAAA;AAAA,cACV,IAAA,CAAK,SAAA,CAAU,EAAE,KAAA,EAAO,mDAAmD,CAAA;AAAA,cAC3E;AAAA,gBACC,MAAA,EAAQ,GAAA;AAAA,gBACR,OAAA,EAAS,EAAE,cAAA,EAAgB,kBAAA;AAAmB;AAC/C,aACD;AAAA,UACD;AAAA,QAED;AAAA,MACD;AAAA,IACD;AAEA,IAAA,OAAO,OAAA,CAAQ,GAAG,IAAI,CAAA;AAAA,EACvB,CAAA;AAEA,EAAA,OAAO,OAAA;AACR;AAsBO,SAAS,oBAAoB,YAAA,EAA6D;AAChG,EAAA,OAAO,OAAO,QAAA,KAA+C;AAC5D,IAAA,IAAI;AACH,MAAA,MAAM,MAAA,GAAS,MAAM,YAAA,EAAa;AAClC,MAAA,OAAO,EAAE,KAAA,EAAO,MAAA,CAAO,KAAA,EAAM;AAAA,IAC9B,CAAA,CAAA,MAAQ;AAEP,MAAA,OAAO,EAAE,OAAO,KAAA,EAAM;AAAA,IACvB;AAAA,EACD,CAAA;AACD;AA4BO,SAAS,0BAA0B,OAAA,EAAiD;AAC1F,EAAA,MAAM,EAAE,YAAA,EAAc,UAAA,GAAa,GAAA,EAAQ,QAAA,GAAW,MAAK,GAAI,OAAA;AAE/D,EAAA,IAAI,YAAA,GAA2C,IAAA;AAC/C,EAAA,IAAI,cAAA,GAAiB,CAAA;AAErB,EAAA,eAAe,iBAAiB,OAAA,EAAuD;AACtF,IAAA,MAAM,GAAA,GAAM,KAAK,GAAA,EAAI;AACrB,IAAA,IAAI,YAAA,IAAgB,GAAA,GAAM,cAAA,GAAiB,UAAA,EAAY;AACtD,MAAA,OAAO,YAAA;AAAA,IACR;AAEA,IAAA,IAAI;AAEH,MAAA,MAAM,eAAe,OAAA,CAAQ,YAAA,IAAgB,QAAQ,OAAA,CAAQ,GAAA,CAAI,QAAQ,CAAA,IAAK,EAAA;AAE9E,MAAA,MAAM,QAAA,GAAW,MAAM,KAAA,CAAM,CAAA,EAAG,YAAY,CAAA,wBAAA,CAAA,EAA4B;AAAA,QACvE,MAAA,EAAQ,MAAA;AAAA,QACR,OAAA,EAAS;AAAA,UACR,cAAA,EAAgB,kBAAA;AAAA,UAChB,GAAI,YAAA,GAAe,EAAE,MAAA,EAAQ,YAAA,KAAiB;AAAC,SAChD;AAAA,QACA,IAAA,EAAM,IAAA,CAAK,SAAA,CAAU,EAAE;AAAA,OACvB,CAAA;AAED,MAAA,IAAI,CAAC,SAAS,EAAA,EAAI;AACjB,QAAA,OAAA,CAAQ,IAAA,CAAK,gDAAA,EAAkD,QAAA,CAAS,MAAM,CAAA;AAC9E,QAAA,OAAO,YAAA;AAAA,MACR;AAEA,MAAA,MAAM,IAAA,GAAQ,MAAM,QAAA,CAAS,IAAA,EAAK;AAClC,MAAA,YAAA,GAAe,IAAA;AACf,MAAA,cAAA,GAAiB,GAAA;AACjB,MAAA,OAAO,IAAA;AAAA,IACR,SAAS,KAAA,EAAO;AACf,MAAA,OAAA,CAAQ,IAAA;AAAA,QACP,+CAAA;AAAA,QACA,KAAA,YAAiB,KAAA,GAAQ,KAAA,CAAM,OAAA,GAAU;AAAA,OAC1C;AACA,MAAA,OAAO,YAAA;AAAA,IACR;AAAA,EACD;AAEA,EAAA,OAAO,OAAO,OAAA,KAA8C;AAC3D,IAAA,IAAI;AACH,MAAA,MAAM,WAAA,GAAc,MAAM,gBAAA,CAAiB,OAAO,CAAA;AAGlD,MAAA,IAAI,CAAC,WAAA,EAAa,OAAA,IAAW,CAAC,YAAY,YAAA,EAAc;AACvD,QAAA,OAAO,EAAE,OAAO,KAAA,EAAM;AAAA,MACvB;AAEA,MAAA,MAAM,EAAE,WAAA,EAAa,sBAAA,EAAuB,GAAI,WAAA;AAEhD,MAAA,IAAI,CAAC,WAAA,IAAe,CAAC,sBAAA,EAAwB;AAC5C,QAAA,OAAO,EAAE,OAAO,KAAA,EAAM;AAAA,MACvB;AAGA,MAAA,QAAQ,WAAA;AAAa,QACpB,KAAK,OAAA,EAAS;AAGb,UAAA,IAAI;AACH,YAAA,MAAM,EAAE,UAAA,EAAW,GAAI,MAAM,OAAA,CAAA,OAAA,EAAA,CAAA,IAAA,CAAA,OAAA,WAAA,EAAA,EAAA,cAAA,CAAA,CAAA;AAC7B,YAAA,MAAM,MAAA,GAAS,MAAM,UAAA,EAAW;AAChC,YAAA,OAAO,EAAE,KAAA,EAAO,MAAA,CAAO,KAAA,EAAM;AAAA,UAC9B,CAAA,CAAA,MAAQ;AAEP,YAAA,OAAO,EAAE,OAAO,KAAA,EAAM;AAAA,UACvB;AAAA,QACD;AAAA,QAEA,KAAK,WAAA,EAAa;AAEjB,UAAA,MAAM,EAAE,WAAU,GAAI,sBAAA;AACtB,UAAA,IAAI,CAAC,SAAA,EAAW,OAAO,EAAE,OAAO,KAAA,EAAM;AAEtC,UAAA,MAAM,QAAA,GAAW,IAAI,eAAA,EAAgB;AACrC,UAAA,QAAA,CAAS,MAAA,CAAO,UAAU,SAAS,CAAA;AAGnC,UAAA,MAAM,cAAA,GACL,QAAQ,OAAA,CAAQ,GAAA,CAAI,uBAAuB,CAAA,IAC3C,OAAA,CAAQ,OAAA,CAAQ,GAAA,CAAI,mBAAmB,CAAA;AACxC,UAAA,IAAI,CAAC,cAAA,EAAgB;AACpB,YAAA,OAAO,EAAE,KAAA,EAAO,KAAA,EAAO,MAAA,EAAQ,6BAAA,EAA8B;AAAA,UAC9D;AACA,UAAA,QAAA,CAAS,MAAA,CAAO,YAAY,cAAc,CAAA;AAE1C,UAAA,MAAM,iBAAiB,MAAM,KAAA;AAAA,YAC5B,2DAAA;AAAA,YACA;AAAA,cACC,MAAA,EAAQ,MAAA;AAAA,cACR,OAAA,EAAS,EAAE,cAAA,EAAgB,mCAAA,EAAoC;AAAA,cAC/D,IAAA,EAAM,SAAS,QAAA;AAAS;AACzB,WACD;AAEA,UAAA,MAAM,YAAA,GAAgB,MAAM,cAAA,CAAe,IAAA,EAAK;AAChD,UAAA,OAAO,EAAE,KAAA,EAAO,CAAC,YAAA,CAAa,OAAA,EAAQ;AAAA,QACvC;AAAA,QAEA,KAAK,WAAA,EAAa;AAEjB,UAAA,MAAM,EAAE,SAAA,EAAW,eAAA,EAAgB,GAAI,sBAAA;AACvC,UAAA,IAAI,CAAC,eAAA,EAAiB,OAAO,EAAE,OAAO,KAAA,EAAM;AAE5C,UAAA,MAAM,cAAA,GACL,QAAQ,OAAA,CAAQ,GAAA,CAAI,mBAAmB,CAAA,IAAK,OAAA,CAAQ,OAAA,CAAQ,GAAA,CAAI,sBAAsB,CAAA;AACvF,UAAA,IAAI,CAAC,cAAA,EAAgB;AACpB,YAAA,OAAO,EAAE,KAAA,EAAO,KAAA,EAAO,MAAA,EAAQ,6BAAA,EAA8B;AAAA,UAC9D;AAEA,UAAA,MAAM,oBAAoB,MAAM,KAAA;AAAA,YAC/B,0DAA0D,kBAAA,CAAmB,eAAe,CAAC,CAAA,UAAA,EAAa,kBAAA,CAAmB,cAAc,CAAC,CAAA,CAAA;AAAA,YAC5I,EAAE,QAAQ,MAAA;AAAO,WAClB;AAEA,UAAA,MAAM,eAAA,GAAmB,MAAM,iBAAA,CAAkB,IAAA,EAAK;AAKtD,UAAA,MAAM,QAAQ,CAAC,eAAA,CAAgB,OAAA,IAAA,CAAY,eAAA,CAAgB,SAAS,CAAA,IAAK,GAAA;AACzE,UAAA,OAAO,EAAE,KAAA,EAAM;AAAA,QAChB;AAAA,QAEA,KAAK,UAAA,EAAY;AAEhB,UAAA,MAAM,EAAE,SAAA,EAAW,cAAA,EAAe,GAAI,sBAAA;AACtC,UAAA,IAAI,CAAC,cAAA,EAAgB,OAAO,EAAE,OAAO,KAAA,EAAM;AAE3C,UAAA,MAAM,aAAA,GACL,QAAQ,OAAA,CAAQ,GAAA,CAAI,kBAAkB,CAAA,IAAK,OAAA,CAAQ,OAAA,CAAQ,GAAA,CAAI,oBAAoB,CAAA;AACpF,UAAA,IAAI,CAAC,aAAA,EAAe;AACnB,YAAA,OAAO,EAAE,KAAA,EAAO,KAAA,EAAO,MAAA,EAAQ,4BAAA,EAA6B;AAAA,UAC7D;AAEA,UAAA,MAAM,gBAAA,GAAmB,MAAM,KAAA,CAAM,qCAAA,EAAuC;AAAA,YAC3E,MAAA,EAAQ,MAAA;AAAA,YACR,OAAA,EAAS,EAAE,cAAA,EAAgB,mCAAA,EAAoC;AAAA,YAC/D,IAAA,EAAM,UAAU,kBAAA,CAAmB,cAAc,CAAC,CAAA,UAAA,EAAa,kBAAA,CAAmB,aAAa,CAAC,CAAA;AAAA,WAChG,CAAA;AAED,UAAA,MAAM,cAAA,GAAkB,MAAM,gBAAA,CAAiB,IAAA,EAAK;AACpD,UAAA,OAAO,EAAE,KAAA,EAAO,CAAC,cAAA,CAAe,OAAA,EAAQ;AAAA,QACzC;AAAA,QAEA;AACC,UAAA,OAAO,EAAE,OAAO,KAAA,EAAM;AAAA;AACxB,IACD,SAAS,KAAA,EAAO;AACf,MAAA,IAAI,QAAA,EAAU;AACb,QAAA,OAAA,CAAQ,IAAA;AAAA,UACP,yEAAA;AAAA,UACA,KAAA,YAAiB,KAAA,GAAQ,KAAA,CAAM,OAAA,GAAU;AAAA,SAC1C;AACA,QAAA,OAAO,EAAE,OAAO,KAAA,EAAM;AAAA,MACvB;AACA,MAAA,OAAO,EAAE,KAAA,EAAO,IAAA,EAAM,MAAA,EAAQ,kCAAA,EAAmC;AAAA,IAClE;AAAA,EACD,CAAA;AACD","file":"bot-protection.js","sourcesContent":["var k=\"https://api.vercel.com/bot-protection\",h=()=>process.env.OVERRIDE_BOTID_SERVER_URL?process.env.OVERRIDE_BOTID_SERVER_URL:k;var B=Symbol.for(\"@vercel/request-context\"),l=()=>globalThis[B]?.get?.()??{};async function m(e){let o=l();if(o.headers||process.env.NODE_ENV!==\"development\")return{...o.headers||{},url:o.url||\"\"};let t=await T();if(t)return x(t);if(e){let n={};for(let[i,r]of Object.entries(e))typeof r==\"string\"?n[i.toLowerCase()]=r:Array.isArray(r)&&(n[i.toLowerCase()]=r.join(\", \"));return n}return{}}async function T(){try{let{headers:e}=await import(\"next/headers\");return e()}catch{return null}}function x(e){let o={};return e.forEach((t,n)=>{o[n]=t}),o}async function g(){return C()}function C(){let e=l().headers?.[\"x-vercel-oidc-token\"]??process.env.VERCEL_OIDC_TOKEN;if(!e)throw new Error(\"The 'x-vercel-oidc-token' header is missing from the request. Do you have the OIDC option enabled in the Vercel project settings?\");return e}var y=e=>{let o=e.cookie??e.Cookie??\"\";return o?o.split(\";\").map(t=>t.trim()).filter(t=>t.length>0).map(t=>{let[n,...i]=t.split(\"=\"),r=i.join(\"=\");return{name:n.trim(),value:r.trim()}}):[]};var H=e=>{let{authorization:o,...t}=e,i=y(t).filter(a=>a.name.startsWith(\"KP_\")),r={};for(let a of i)r[a.name]=a.value;return Object.keys(r).length>0?t.cookie=Object.entries(r).map(([a,f])=>`${a}=${f}`).join(\"; \"):t.cookie=void 0,t};var w=e=>{try{return new URL(e)}catch{return null}},z=async({developmentOptions:e,advancedOptions:o}={})=>{if(o?.checkLevel!==void 0&&o.checkLevel!==\"deepAnalysis\"&&o.checkLevel!==\"basic\")throw new Error(`Invalid checkLevel \"${o.checkLevel}\". Must be one of: deepAnalysis, basic`);let t=await m(o?.headers),n=t.host||\"unknown host\",i=w(t.url||\"\")?.pathname||t[\"x-path\"]||\"<your protected endpoint>\",r=t[\"x-method\"]||\"POST\",a=t[\"x-is-human\"],f=e?.isDevelopment??process.env.NODE_ENV!==\"production\";if(a||(process.env.NODE_ENV!==\"production\"||process.env.VERCEL_ENV!==\"production\"?console.error(`Possible misconfiguration of Vercel BotId. \nEnsure that the client-side protection is properly configured for '${r} ${i}'.\nAdd the following item to your BotId client side protection:\n{\n  path: '${i}',\n  method: '${r}',\n}\nMore info at https://vercel.com/docs/botid/get-started#add-client-side-protection`):console.warn(`Possible misconfiguration of Vercel BotId or malicious request to '${r} ${i}'. More info at https://vercel.com/docs/botid/get-started#add-client-side-protection`)),f&&e?.bypass)return{isHuman:e.bypass===\"HUMAN\",isBot:e.bypass===\"BAD-BOT\",isVerifiedBot:e.bypass===\"GOOD-BOT\",bypassed:!1};if(f)return console.warn(\"[Dev Only] Without setting the developmentOptions.bypass value, the bot protection will return HUMAN.\"),{isHuman:!0,isBot:!1,isVerifiedBot:!1,bypassed:!0};let R=h(),u=o?.vercelOidcToken??await g();if(!u)throw new Error(\"VERCEL_OIDC_TOKEN is not set\");let d=l(),b=H(t),v={url:d.url||\"\",method:r,headers:Object.entries(b),vercelOidcToken:u,forceCheckLevel:o?.checkLevel,extraAllowedHosts:o?.extraAllowedHosts},E=`${R}/v1/is-bot?v=${3}  `,s=await(await fetch(E,{method:\"POST\",body:JSON.stringify(v),headers:{\"Content-Type\":\"application/json\",\"user-agent\":`Vercel/BotId (${n})`,\"x-vercel-oidc-token\":u}})).json();if(!d)throw new Error(\"Must be deployed on Vercel to access response headers\");if(!d.mutateResponseHeadersBeforeFlush)throw new Error(\"Must be deployed on Vercel to set response headers\");if(s.responseHeadersToSet?.addHeaders)for(let c of s.responseHeadersToSet.addHeaders)d.mutateResponseHeadersBeforeFlush(p=>{p.append(c.key,c.value)});if(s.responseHeadersToSet?.addValuesToHeaders)for(let c of s.responseHeadersToSet.addValuesToHeaders)d.mutateResponseHeadersBeforeFlush(p=>{p.append(c.key,c.value)});if(s.responseHeadersToSet?.replaceHeaders)for(let c of s.responseHeadersToSet.replaceHeaders)d.mutateResponseHeadersBeforeFlush(p=>{p.set(c.key,c.value)});return{isHuman:!s.isBot,isBot:s.isBot,isVerifiedBot:s.isVerifiedBot,verifiedBotName:s.verifiedBotName,verifiedBotCategory:s.verifiedBotCategory,bypassed:s.bypassed,classificationReason:s.classificationReason,...o?.returnResponseHeaders&&{responseHeaders:s.responseHeadersToSet}}};export{z as checkBotId};\n","/**\n * Bot protection utilities for Next.js applications using Banata Auth.\n *\n * Provides helpers to integrate bot detection services (Vercel BotID,\n * Cloudflare Turnstile, hCaptcha, reCAPTCHA) with the Banata Auth\n * route handler.\n *\n * These utilities wrap the route handler's POST method to automatically\n * verify requests against protected auth paths before forwarding to\n * the auth backend.\n *\n * Credentials can be supplied directly or fetched from the Banata Auth\n * config API (configured via the Radar page in the dashboard).\n *\n * @example\n * ```ts\n * // app/api/auth/[...all]/route.ts\n * import { createRouteHandler } from \"@banata-auth/nextjs\";\n * import { withBotProtection, createBotIdVerifier } from \"@banata-auth/nextjs/bot-protection\";\n *\n * const handler = createRouteHandler({\n *   convexSiteUrl: process.env.NEXT_PUBLIC_CONVEX_SITE_URL!,\n * });\n *\n * export const GET = handler.GET;\n * export const POST = withBotProtection(handler.POST, {\n *   protectedPaths: [\"/api/auth/sign-in\", \"/api/auth/sign-up\"],\n *   verify: async () => {\n *     const { checkBotId } = await import(\"botid/server\");\n *     const result = await checkBotId();\n *     return { isBot: result.isBot };\n *   },\n * });\n * ```\n *\n * @example\n * ```ts\n * // Using credentials from the Banata Auth config API\n * import { createConfigAwareVerifier } from \"@banata-auth/nextjs/bot-protection\";\n *\n * const verify = createConfigAwareVerifier({\n *   configApiUrl: process.env.NEXT_PUBLIC_APP_URL + \"/api/auth\",\n * });\n *\n * export const POST = withBotProtection(handler.POST, { verify });\n * ```\n */\n\n// ─── Types ──────────────────────────────────────────────────────────\n\n/**\n * Result of a bot verification check.\n */\nexport interface BotCheckResult {\n\t/** Whether the request is from a bot. */\n\tisBot: boolean;\n\t/** Optional reason string for logging. */\n\treason?: string;\n}\n\n/**\n * Function that verifies whether a request is from a bot.\n * Implement with your provider of choice.\n */\nexport type BotCheckFn = (request: Request) => Promise<BotCheckResult>;\n\n/**\n * Configuration for the route-handler-level bot protection wrapper.\n */\nexport interface BotProtectionConfig {\n\t/**\n\t * The verification function.\n\t * Called for every request matching a protected path.\n\t */\n\tverify: BotCheckFn;\n\n\t/**\n\t * Path prefixes to protect. Requests to other paths pass through.\n\t * @default [\"/api/auth/sign-in\", \"/api/auth/sign-up\", \"/api/auth/forget-password\", \"/api/auth/reset-password\"]\n\t */\n\tprotectedPaths?: string[];\n\n\t/**\n\t * Whether to allow requests through if verification fails (service unavailable).\n\t * @default true\n\t */\n\tfailOpen?: boolean;\n\n\t/**\n\t * Error message returned when a bot is detected.\n\t * @default \"Bot detected. Access denied.\"\n\t */\n\tblockedMessage?: string;\n}\n\n/**\n * Bot provider credentials as stored in the Radar configuration.\n */\nexport interface BotProviderCredentials {\n\tapiKey?: string;\n\tsiteKey?: string;\n\tsecretKey?: string;\n}\n\n/**\n * Radar configuration shape returned by the config API.\n */\nexport interface RadarConfigResponse {\n\tenabled: boolean;\n\tbotDetection: boolean;\n\tbotProvider: string | null;\n\tbotProviderCredentials: BotProviderCredentials;\n}\n\n/**\n * Options for creating a config-aware bot verifier.\n */\nexport interface ConfigAwareVerifierOptions {\n\t/**\n\t * Base URL of the Banata Auth API (e.g., \"http://localhost:3000/api/auth\").\n\t * The radar config endpoint will be called at `${configApiUrl}/banata/config/radar/get`.\n\t */\n\tconfigApiUrl: string;\n\n\t/**\n\t * How long to cache the radar config (in milliseconds).\n\t * @default 60000 (1 minute)\n\t */\n\tcacheTtlMs?: number;\n\n\t/**\n\t * Cookie header to forward for authentication.\n\t * If not provided, the verifier will try to read from the request headers.\n\t */\n\tcookieHeader?: string;\n\n\t/**\n\t * Whether to allow requests through if config fetch or verification fails.\n\t * @default true\n\t */\n\tfailOpen?: boolean;\n}\n\n// ─── Default Protected Paths ────────────────────────────────────────\n\nconst DEFAULT_PROTECTED_PATHS = [\n\t\"/api/auth/sign-in\",\n\t\"/api/auth/sign-up\",\n\t\"/api/auth/forget-password\",\n\t\"/api/auth/reset-password\",\n];\n\n// ─── withBotProtection ──────────────────────────────────────────────\n\n/**\n * Wrap a route handler function with bot protection.\n *\n * This is the recommended way to add bot protection in Next.js\n * route handlers. It checks requests against protected paths and\n * verifies them before forwarding to the auth handler.\n *\n * @param handler - The original route handler function (e.g., `handler.POST`)\n * @param config - Bot protection configuration\n * @returns A wrapped handler that verifies bots before forwarding\n *\n * @example\n * ```ts\n * import { createRouteHandler } from \"@banata-auth/nextjs\";\n * import { withBotProtection } from \"@banata-auth/nextjs/bot-protection\";\n * import { checkBotId } from \"botid/server\";\n *\n * const handler = createRouteHandler({ convexSiteUrl: \"...\" });\n *\n * export const GET = handler.GET;\n * export const POST = withBotProtection(handler.POST, {\n *   verify: async () => {\n *     const result = await checkBotId();\n *     return { isBot: result.isBot };\n *   },\n * });\n * ```\n */\nexport function withBotProtection<THandler extends (...args: any[]) => Promise<Response>>(\n\thandler: THandler,\n\tconfig: BotProtectionConfig,\n): THandler {\n\tconst {\n\t\tverify,\n\t\tprotectedPaths = DEFAULT_PROTECTED_PATHS,\n\t\tfailOpen = true,\n\t\tblockedMessage = \"Bot detected. Access denied.\",\n\t} = config;\n\n\tconst wrapped = async (...args: Parameters<THandler>): Promise<Response> => {\n\t\t// Extract the request from the first argument\n\t\tconst request = args[0] as Request;\n\n\t\tif (request?.url) {\n\t\t\tconst url = new URL(request.url);\n\t\t\tconst isProtected = protectedPaths.some((path) => url.pathname.startsWith(path));\n\n\t\t\tif (isProtected) {\n\t\t\t\ttry {\n\t\t\t\t\tconst result = await verify(request);\n\t\t\t\t\tif (result.isBot) {\n\t\t\t\t\t\treturn new Response(JSON.stringify({ error: blockedMessage }), {\n\t\t\t\t\t\t\tstatus: 403,\n\t\t\t\t\t\t\theaders: { \"Content-Type\": \"application/json\" },\n\t\t\t\t\t\t});\n\t\t\t\t\t}\n\t\t\t\t} catch {\n\t\t\t\t\tif (!failOpen) {\n\t\t\t\t\t\treturn new Response(\n\t\t\t\t\t\t\tJSON.stringify({ error: \"Bot verification unavailable. Please try again.\" }),\n\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\tstatus: 503,\n\t\t\t\t\t\t\t\theaders: { \"Content-Type\": \"application/json\" },\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t);\n\t\t\t\t\t}\n\t\t\t\t\t// fail open — allow through\n\t\t\t\t}\n\t\t\t}\n\t\t}\n\n\t\treturn handler(...args);\n\t};\n\n\treturn wrapped as THandler;\n}\n\n/**\n * Create a BotID verification function for use with `withBotProtection`\n * or the `banataProtection` plugin.\n *\n * This is a convenience factory that wraps Vercel BotID's `checkBotId()`\n * function in the format expected by the protection system.\n *\n * @param checkBotIdFn - The `checkBotId` function from `botid/server`\n * @returns A verification function compatible with `BotCheckFn` / `BotVerifyFn`\n *\n * @example\n * ```ts\n * import { createBotIdVerifier } from \"@banata-auth/nextjs/bot-protection\";\n * import { checkBotId } from \"botid/server\";\n *\n * const verify = createBotIdVerifier(checkBotId);\n *\n * export const POST = withBotProtection(handler.POST, { verify });\n * ```\n */\nexport function createBotIdVerifier(checkBotIdFn: () => Promise<{ isBot: boolean }>): BotCheckFn {\n\treturn async (_request: Request): Promise<BotCheckResult> => {\n\t\ttry {\n\t\t\tconst result = await checkBotIdFn();\n\t\t\treturn { isBot: result.isBot };\n\t\t} catch {\n\t\t\t// BotID not configured (not on Vercel) — allow through\n\t\t\treturn { isBot: false };\n\t\t}\n\t};\n}\n\n// ─── Config-Aware Verifier ──────────────────────────────────────────\n\n/**\n * Create a bot verifier that reads provider credentials from the\n * Banata Auth config API (Radar configuration).\n *\n * This allows dashboard admins to configure bot protection credentials\n * through the UI (Radar > Configuration > Bot Detection Provider),\n * and the verifier will automatically pick up the latest credentials.\n *\n * The config is cached in-memory for performance (default: 1 minute TTL).\n *\n * @param options - Config-aware verifier options\n * @returns A verification function that uses the configured bot provider\n *\n * @example\n * ```ts\n * import { createConfigAwareVerifier, withBotProtection } from \"@banata-auth/nextjs/bot-protection\";\n *\n * const verify = createConfigAwareVerifier({\n *   configApiUrl: process.env.NEXT_PUBLIC_APP_URL + \"/api/auth\",\n * });\n *\n * export const POST = withBotProtection(handler.POST, { verify });\n * ```\n */\nexport function createConfigAwareVerifier(options: ConfigAwareVerifierOptions): BotCheckFn {\n\tconst { configApiUrl, cacheTtlMs = 60_000, failOpen = true } = options;\n\n\tlet cachedConfig: RadarConfigResponse | null = null;\n\tlet cacheTimestamp = 0;\n\n\tasync function fetchRadarConfig(request: Request): Promise<RadarConfigResponse | null> {\n\t\tconst now = Date.now();\n\t\tif (cachedConfig && now - cacheTimestamp < cacheTtlMs) {\n\t\t\treturn cachedConfig;\n\t\t}\n\n\t\ttry {\n\t\t\t// Forward cookies from the incoming request for auth\n\t\t\tconst cookieHeader = options.cookieHeader ?? request.headers.get(\"cookie\") ?? \"\";\n\n\t\t\tconst response = await fetch(`${configApiUrl}/banata/config/radar/get`, {\n\t\t\t\tmethod: \"POST\",\n\t\t\t\theaders: {\n\t\t\t\t\t\"content-type\": \"application/json\",\n\t\t\t\t\t...(cookieHeader ? { cookie: cookieHeader } : {}),\n\t\t\t\t},\n\t\t\t\tbody: JSON.stringify({}),\n\t\t\t});\n\n\t\t\tif (!response.ok) {\n\t\t\t\tconsole.warn(\"[bot-protection] Failed to fetch radar config:\", response.status);\n\t\t\t\treturn cachedConfig; // Return stale cache if available\n\t\t\t}\n\n\t\t\tconst data = (await response.json()) as RadarConfigResponse;\n\t\t\tcachedConfig = data;\n\t\t\tcacheTimestamp = now;\n\t\t\treturn data;\n\t\t} catch (error) {\n\t\t\tconsole.warn(\n\t\t\t\t\"[bot-protection] Error fetching radar config:\",\n\t\t\t\terror instanceof Error ? error.message : error,\n\t\t\t);\n\t\t\treturn cachedConfig; // Return stale cache if available\n\t\t}\n\t}\n\n\treturn async (request: Request): Promise<BotCheckResult> => {\n\t\ttry {\n\t\t\tconst radarConfig = await fetchRadarConfig(request);\n\n\t\t\t// If radar is not enabled or bot detection is off, allow through\n\t\t\tif (!radarConfig?.enabled || !radarConfig.botDetection) {\n\t\t\t\treturn { isBot: false };\n\t\t\t}\n\n\t\t\tconst { botProvider, botProviderCredentials } = radarConfig;\n\n\t\t\tif (!botProvider || !botProviderCredentials) {\n\t\t\t\treturn { isBot: false };\n\t\t\t}\n\n\t\t\t// Dispatch to the appropriate provider\n\t\t\tswitch (botProvider) {\n\t\t\t\tcase \"botid\": {\n\t\t\t\t\t// Vercel BotID — uses checkBotId() which reads from the request context\n\t\t\t\t\t// The API key is configured at the Vercel project level, not per-request\n\t\t\t\t\ttry {\n\t\t\t\t\t\tconst { checkBotId } = await import(\"botid/server\");\n\t\t\t\t\t\tconst result = await checkBotId();\n\t\t\t\t\t\treturn { isBot: result.isBot };\n\t\t\t\t\t} catch {\n\t\t\t\t\t\t// BotID not available (not on Vercel)\n\t\t\t\t\t\treturn { isBot: false };\n\t\t\t\t\t}\n\t\t\t\t}\n\n\t\t\t\tcase \"turnstile\": {\n\t\t\t\t\t// Cloudflare Turnstile verification\n\t\t\t\t\tconst { secretKey } = botProviderCredentials;\n\t\t\t\t\tif (!secretKey) return { isBot: false };\n\n\t\t\t\t\tconst formData = new URLSearchParams();\n\t\t\t\t\tformData.append(\"secret\", secretKey);\n\n\t\t\t\t\t// The Turnstile token should be in the request body or header\n\t\t\t\t\tconst turnstileToken =\n\t\t\t\t\t\trequest.headers.get(\"cf-turnstile-response\") ??\n\t\t\t\t\t\trequest.headers.get(\"x-turnstile-token\");\n\t\t\t\t\tif (!turnstileToken) {\n\t\t\t\t\t\treturn { isBot: false, reason: \"No Turnstile token provided\" };\n\t\t\t\t\t}\n\t\t\t\t\tformData.append(\"response\", turnstileToken);\n\n\t\t\t\t\tconst verifyResponse = await fetch(\n\t\t\t\t\t\t\"https://challenges.cloudflare.com/turnstile/v0/siteverify\",\n\t\t\t\t\t\t{\n\t\t\t\t\t\t\tmethod: \"POST\",\n\t\t\t\t\t\t\theaders: { \"content-type\": \"application/x-www-form-urlencoded\" },\n\t\t\t\t\t\t\tbody: formData.toString(),\n\t\t\t\t\t\t},\n\t\t\t\t\t);\n\n\t\t\t\t\tconst verifyResult = (await verifyResponse.json()) as { success: boolean };\n\t\t\t\t\treturn { isBot: !verifyResult.success };\n\t\t\t\t}\n\n\t\t\t\tcase \"recaptcha\": {\n\t\t\t\t\t// Google reCAPTCHA v3 verification\n\t\t\t\t\tconst { secretKey: recaptchaSecret } = botProviderCredentials;\n\t\t\t\t\tif (!recaptchaSecret) return { isBot: false };\n\n\t\t\t\t\tconst recaptchaToken =\n\t\t\t\t\t\trequest.headers.get(\"x-recaptcha-token\") ?? request.headers.get(\"g-recaptcha-response\");\n\t\t\t\t\tif (!recaptchaToken) {\n\t\t\t\t\t\treturn { isBot: false, reason: \"No reCAPTCHA token provided\" };\n\t\t\t\t\t}\n\n\t\t\t\t\tconst recaptchaResponse = await fetch(\n\t\t\t\t\t\t`https://www.google.com/recaptcha/api/siteverify?secret=${encodeURIComponent(recaptchaSecret)}&response=${encodeURIComponent(recaptchaToken)}`,\n\t\t\t\t\t\t{ method: \"POST\" },\n\t\t\t\t\t);\n\n\t\t\t\t\tconst recaptchaResult = (await recaptchaResponse.json()) as {\n\t\t\t\t\t\tsuccess: boolean;\n\t\t\t\t\t\tscore?: number;\n\t\t\t\t\t};\n\t\t\t\t\t// Score < 0.5 is likely a bot (reCAPTCHA v3)\n\t\t\t\t\tconst isBot = !recaptchaResult.success || (recaptchaResult.score ?? 1) < 0.5;\n\t\t\t\t\treturn { isBot };\n\t\t\t\t}\n\n\t\t\t\tcase \"hcaptcha\": {\n\t\t\t\t\t// hCaptcha verification\n\t\t\t\t\tconst { secretKey: hcaptchaSecret } = botProviderCredentials;\n\t\t\t\t\tif (!hcaptchaSecret) return { isBot: false };\n\n\t\t\t\t\tconst hcaptchaToken =\n\t\t\t\t\t\trequest.headers.get(\"x-hcaptcha-token\") ?? request.headers.get(\"h-captcha-response\");\n\t\t\t\t\tif (!hcaptchaToken) {\n\t\t\t\t\t\treturn { isBot: false, reason: \"No hCaptcha token provided\" };\n\t\t\t\t\t}\n\n\t\t\t\t\tconst hcaptchaResponse = await fetch(\"https://api.hcaptcha.com/siteverify\", {\n\t\t\t\t\t\tmethod: \"POST\",\n\t\t\t\t\t\theaders: { \"content-type\": \"application/x-www-form-urlencoded\" },\n\t\t\t\t\t\tbody: `secret=${encodeURIComponent(hcaptchaSecret)}&response=${encodeURIComponent(hcaptchaToken)}`,\n\t\t\t\t\t});\n\n\t\t\t\t\tconst hcaptchaResult = (await hcaptchaResponse.json()) as { success: boolean };\n\t\t\t\t\treturn { isBot: !hcaptchaResult.success };\n\t\t\t\t}\n\n\t\t\t\tdefault:\n\t\t\t\t\treturn { isBot: false };\n\t\t\t}\n\t\t} catch (error) {\n\t\t\tif (failOpen) {\n\t\t\t\tconsole.warn(\n\t\t\t\t\t\"[bot-protection] Verification failed, allowing request (failOpen=true):\",\n\t\t\t\t\terror instanceof Error ? error.message : error,\n\t\t\t\t);\n\t\t\t\treturn { isBot: false };\n\t\t\t}\n\t\t\treturn { isBot: true, reason: \"Verification service unavailable\" };\n\t\t}\n\t};\n}\n"]}

package/dist/client.d.ts

@@ -0,0 +1 @@
+export { usePreloadedAuthQuery } from '@convex-dev/better-auth/nextjs/client';

package/dist/client.js

@@ -0,0 +1,3 @@
+"use client";export { usePreloadedAuthQuery } from '@convex-dev/better-auth/nextjs/client';
+//# sourceMappingURL=client.js.map
+//# sourceMappingURL=client.js.map

package/dist/client.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":[],"names":[],"mappings":"","file":"client.js","sourcesContent":[]}

package/dist/index.d.ts

@@ -0,0 +1,16 @@
+export { BanataAuthMiddlewareOptions, banataAuthMiddleware, banataAuthProxy } from './middleware.js';
+export { getSessionCookie } from 'better-auth/cookies';
+import 'next/server';
+
+declare function createRouteHandler(options: {
+    /** The Convex .site URL where HTTP actions are hosted. */
+    convexSiteUrl: string;
+}): {
+    GET: (request: Request) => Promise<Response>;
+    POST: (request: Request) => Promise<Response>;
+    PUT: (request: Request) => Promise<Response>;
+    PATCH: (request: Request) => Promise<Response>;
+    DELETE: (request: Request) => Promise<Response>;
+};
+
+export { createRouteHandler };

package/dist/index.js

@@ -0,0 +1,122 @@
+import { NextResponse } from 'next/server';
+export { getSessionCookie } from 'better-auth/cookies';
+
+// src/middleware.ts
+var AUTH_COOKIE_NAMES = [
+  "better-auth.session_token",
+  "__Secure-better-auth.session_token",
+  "better-auth-session_token",
+  "__Secure-better-auth-session_token",
+  "convex_jwt"
+];
+function hasSessionCookie(request) {
+  return AUTH_COOKIE_NAMES.some((name) => {
+    const cookie = request.cookies.get(name);
+    return cookie !== void 0 && cookie.value !== "";
+  });
+}
+function createAuthProxy(options = {}) {
+  const { publicRoutes = [], ignoredRoutes = [], signInUrl = "/sign-in" } = options;
+  const compiledPublicRoutes = compileRoutes(publicRoutes);
+  const compiledIgnoredRoutes = compileRoutes(ignoredRoutes);
+  return async function proxy(request) {
+    const { pathname } = request.nextUrl;
+    const requestHeaders = new Headers(request.headers);
+    requestHeaders.set("x-pathname", pathname);
+    if (isMatchingRoute(pathname, compiledIgnoredRoutes)) {
+      return NextResponse.next({ request: { headers: requestHeaders } });
+    }
+    if (isMatchingRoute(pathname, compiledPublicRoutes)) {
+      return NextResponse.next({ request: { headers: requestHeaders } });
+    }
+    if (!hasSessionCookie(request)) {
+      const signInURL = new URL(signInUrl, request.url);
+      signInURL.searchParams.set("redirect_url", pathname);
+      return NextResponse.redirect(signInURL);
+    }
+    return NextResponse.next({ request: { headers: requestHeaders } });
+  };
+}
+var banataAuthProxy = createAuthProxy;
+var banataAuthMiddleware = createAuthProxy;
+function compileRoutes(routes) {
+  return routes.map((route) => {
+    try {
+      return new RegExp(`^${route}$`);
+    } catch {
+      return route;
+    }
+  });
+}
+function isMatchingRoute(pathname, compiledRoutes) {
+  return compiledRoutes.some((route) => {
+    if (typeof route === "string") {
+      return pathname === route;
+    }
+    return route.test(pathname);
+  });
+}
+
+// src/route-handler.ts
+var FORWARDED_HEADERS = /* @__PURE__ */ new Set([
+  "accept",
+  "accept-language",
+  "authorization",
+  "content-type",
+  "content-length",
+  "cookie",
+  "origin",
+  "referer",
+  "user-agent",
+  "x-requested-with"
+]);
+function createRouteHandler(options) {
+  const { convexSiteUrl } = options;
+  const siteUrl = convexSiteUrl.replace(/\/$/, "");
+  async function handler(request) {
+    const requestUrl = new URL(request.url);
+    const targetUrl = `${siteUrl}${requestUrl.pathname}${requestUrl.search}`;
+    const forwardedHeaders = new Headers();
+    for (const [key, value] of request.headers) {
+      if (FORWARDED_HEADERS.has(key.toLowerCase())) {
+        forwardedHeaders.set(key, value);
+      }
+    }
+    const newRequest = new Request(targetUrl, {
+      method: request.method,
+      headers: forwardedHeaders,
+      body: request.body,
+      // @ts-expect-error - duplex is needed for streaming bodies
+      duplex: "half"
+    });
+    newRequest.headers.set("host", new URL(siteUrl).host);
+    try {
+      const response = await fetch(newRequest, {
+        method: request.method,
+        redirect: "manual"
+      });
+      return new Response(response.body, {
+        status: response.status,
+        statusText: response.statusText,
+        headers: response.headers
+      });
+    } catch (error) {
+      console.error("[banata-auth] Proxy error:", error);
+      return new Response(JSON.stringify({ error: "Auth service unavailable" }), {
+        status: 502,
+        headers: { "Content-Type": "application/json" }
+      });
+    }
+  }
+  return {
+    GET: handler,
+    POST: handler,
+    PUT: handler,
+    PATCH: handler,
+    DELETE: handler
+  };
+}
+
+export { banataAuthMiddleware, banataAuthProxy, createRouteHandler };
+//# sourceMappingURL=index.js.map
+//# sourceMappingURL=index.js.map

package/dist/index.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../src/middleware.ts","../src/route-handler.ts"],"names":[],"mappings":";;;;AAYA,IAAM,iBAAA,GAAoB;AAAA,EACzB,2BAAA;AAAA,EACA,oCAAA;AAAA,EACA,2BAAA;AAAA,EACA,oCAAA;AAAA,EACA;AACD,CAAA;AAQA,SAAS,iBAAiB,OAAA,EAA+B;AACxD,EAAA,OAAO,iBAAA,CAAkB,IAAA,CAAK,CAAC,IAAA,KAAS;AACvC,IAAA,MAAM,MAAA,GAAS,OAAA,CAAQ,OAAA,CAAQ,GAAA,CAAI,IAAI,CAAA;AACvC,IAAA,OAAO,MAAA,KAAW,MAAA,IAAa,MAAA,CAAO,KAAA,KAAU,EAAA;AAAA,EACjD,CAAC,CAAA;AACF;AAqEA,SAAS,eAAA,CAAgB,OAAA,GAAuC,EAAC,EAAG;AACnE,EAAA,MAAM,EAAE,eAAe,EAAC,EAAG,gBAAgB,EAAC,EAAG,SAAA,GAAY,UAAA,EAAW,GAAI,OAAA;AAK1E,EAAA,MAAM,oBAAA,GAAuB,cAAc,YAAY,CAAA;AACvD,EAAA,MAAM,qBAAA,GAAwB,cAAc,aAAa,CAAA;AAEzD,EAAA,OAAO,eAAe,MAAM,OAAA,EAAsB;AACjD,IAAA,MAAM,EAAE,QAAA,EAAS,GAAI,OAAA,CAAQ,OAAA;AAK7B,IAAA,MAAM,cAAA,GAAiB,IAAI,OAAA,CAAQ,OAAA,CAAQ,OAAO,CAAA;AAClD,IAAA,cAAA,CAAe,GAAA,CAAI,cAAc,QAAQ,CAAA;AAGzC,IAAA,IAAI,eAAA,CAAgB,QAAA,EAAU,qBAAqB,CAAA,EAAG;AACrD,MAAA,OAAO,YAAA,CAAa,KAAK,EAAE,OAAA,EAAS,EAAE,OAAA,EAAS,cAAA,IAAkB,CAAA;AAAA,IAClE;AAGA,IAAA,IAAI,eAAA,CAAgB,QAAA,EAAU,oBAAoB,CAAA,EAAG;AACpD,MAAA,OAAO,YAAA,CAAa,KAAK,EAAE,OAAA,EAAS,EAAE,OAAA,EAAS,cAAA,IAAkB,CAAA;AAAA,IAClE;AAGA,IAAA,IAAI,CAAC,gBAAA,CAAiB,OAAO,CAAA,EAAG;AAC/B,MAAA,MAAM,SAAA,GAAY,IAAI,GAAA,CAAI,SAAA,EAAW,QAAQ,GAAG,CAAA;AAChD,MAAA,SAAA,CAAU,YAAA,CAAa,GAAA,CAAI,cAAA,EAAgB,QAAQ,CAAA;AACnD,MAAA,OAAO,YAAA,CAAa,SAAS,SAAS,CAAA;AAAA,IACvC;AAGA,IAAA,OAAO,YAAA,CAAa,KAAK,EAAE,OAAA,EAAS,EAAE,OAAA,EAAS,cAAA,IAAkB,CAAA;AAAA,EAClE,CAAA;AACD;AAMO,IAAM,eAAA,GAAkB;AAMxB,IAAM,oBAAA,GAAuB;AAUpC,SAAS,cAAc,MAAA,EAAmC;AACzD,EAAA,OAAO,MAAA,CAAO,GAAA,CAAI,CAAC,KAAA,KAAU;AAC5B,IAAA,IAAI;AACH,MAAA,OAAO,IAAI,MAAA,CAAO,CAAA,CAAA,EAAI,KAAK,CAAA,CAAA,CAAG,CAAA;AAAA,IAC/B,CAAA,CAAA,MAAQ;AAEP,MAAA,OAAO,KAAA;AAAA,IACR;AAAA,EACD,CAAC,CAAA;AACF;AAEA,SAAS,eAAA,CAAgB,UAAkB,cAAA,EAA0C;AACpF,EAAA,OAAO,cAAA,CAAe,IAAA,CAAK,CAAC,KAAA,KAAU;AACrC,IAAA,IAAI,OAAO,UAAU,QAAA,EAAU;AAC9B,MAAA,OAAO,QAAA,KAAa,KAAA;AAAA,IACrB;AACA,IAAA,OAAO,KAAA,CAAM,KAAK,QAAQ,CAAA;AAAA,EAC3B,CAAC,CAAA;AACF;;;AC3JA,IAAM,iBAAA,uBAAwB,GAAA,CAAI;AAAA,EACjC,QAAA;AAAA,EACA,iBAAA;AAAA,EACA,eAAA;AAAA,EACA,cAAA;AAAA,EACA,gBAAA;AAAA,EACA,QAAA;AAAA,EACA,QAAA;AAAA,EACA,SAAA;AAAA,EACA,YAAA;AAAA,EACA;AACD,CAAC,CAAA;AAEM,SAAS,mBAAmB,OAAA,EAGhC;AACF,EAAA,MAAM,EAAE,eAAc,GAAI,OAAA;AAC1B,EAAA,MAAM,OAAA,GAAU,aAAA,CAAc,OAAA,CAAQ,KAAA,EAAO,EAAE,CAAA;AAE/C,EAAA,eAAe,QAAQ,OAAA,EAAqC;AAC3D,IAAA,MAAM,UAAA,GAAa,IAAI,GAAA,CAAI,OAAA,CAAQ,GAAG,CAAA;AACtC,IAAA,MAAM,SAAA,GAAY,GAAG,OAAO,CAAA,EAAG,WAAW,QAAQ,CAAA,EAAG,WAAW,MAAM,CAAA,CAAA;AAGtE,IAAA,MAAM,gBAAA,GAAmB,IAAI,OAAA,EAAQ;AACrC,IAAA,KAAA,MAAW,CAAC,GAAA,EAAK,KAAK,CAAA,IAAK,QAAQ,OAAA,EAAS;AAC3C,MAAA,IAAI,iBAAA,CAAkB,GAAA,CAAI,GAAA,CAAI,WAAA,EAAa,CAAA,EAAG;AAC7C,QAAA,gBAAA,CAAiB,GAAA,CAAI,KAAK,KAAK,CAAA;AAAA,MAChC;AAAA,IACD;AAEA,IAAA,MAAM,UAAA,GAAa,IAAI,OAAA,CAAQ,SAAA,EAAW;AAAA,MACzC,QAAQ,OAAA,CAAQ,MAAA;AAAA,MAChB,OAAA,EAAS,gBAAA;AAAA,MACT,MAAM,OAAA,CAAQ,IAAA;AAAA;AAAA,MAEd,MAAA,EAAQ;AAAA,KACR,CAAA;AAGD,IAAA,UAAA,CAAW,QAAQ,GAAA,CAAI,MAAA,EAAQ,IAAI,GAAA,CAAI,OAAO,EAAE,IAAI,CAAA;AAEpD,IAAA,IAAI;AACH,MAAA,MAAM,QAAA,GAAW,MAAM,KAAA,CAAM,UAAA,EAAY;AAAA,QACxC,QAAQ,OAAA,CAAQ,MAAA;AAAA,QAChB,QAAA,EAAU;AAAA,OACV,CAAA;AAGD,MAAA,OAAO,IAAI,QAAA,CAAS,QAAA,CAAS,IAAA,EAAM;AAAA,QAClC,QAAQ,QAAA,CAAS,MAAA;AAAA,QACjB,YAAY,QAAA,CAAS,UAAA;AAAA,QACrB,SAAS,QAAA,CAAS;AAAA,OAClB,CAAA;AAAA,IACF,SAAS,KAAA,EAAO;AACf,MAAA,OAAA,CAAQ,KAAA,CAAM,8BAA8B,KAAK,CAAA;AACjD,MAAA,OAAO,IAAI,SAAS,IAAA,CAAK,SAAA,CAAU,EAAE,KAAA,EAAO,0BAAA,EAA4B,CAAA,EAAG;AAAA,QAC1E,MAAA,EAAQ,GAAA;AAAA,QACR,OAAA,EAAS,EAAE,cAAA,EAAgB,kBAAA;AAAmB,OAC9C,CAAA;AAAA,IACF;AAAA,EACD;AAEA,EAAA,OAAO;AAAA,IACN,GAAA,EAAK,OAAA;AAAA,IACL,IAAA,EAAM,OAAA;AAAA,IACN,GAAA,EAAK,OAAA;AAAA,IACL,KAAA,EAAO,OAAA;AAAA,IACP,MAAA,EAAQ;AAAA,GACT;AACD","file":"index.js","sourcesContent":["import { type NextRequest, NextResponse } from \"next/server\";\n\n/**\n * Cookie names that indicate an active auth session.\n *\n * Better Auth uses `better-auth.session_token` (or `__Secure-better-auth.session_token`\n * in production). The Convex Better Auth integration also sets `convex_jwt`.\n * We check both to cover all deployment scenarios.\n *\n * NOTE: This only checks for cookie *presence*, not validity. The actual\n * token is validated server-side when the API routes are hit.\n */\nconst AUTH_COOKIE_NAMES = [\n\t\"better-auth.session_token\",\n\t\"__Secure-better-auth.session_token\",\n\t\"better-auth-session_token\",\n\t\"__Secure-better-auth-session_token\",\n\t\"convex_jwt\",\n];\n\n/**\n * Check whether the request carries any known auth session cookie.\n * Uses the standard `NextRequest.cookies` API rather than Better Auth's\n * `getSessionCookie()`, which requires a `Headers` object incompatible\n * with some mocking/testing scenarios.\n */\nfunction hasSessionCookie(request: NextRequest): boolean {\n\treturn AUTH_COOKIE_NAMES.some((name) => {\n\t\tconst cookie = request.cookies.get(name);\n\t\treturn cookie !== undefined && cookie.value !== \"\";\n\t});\n}\n\nexport interface BanataAuthMiddlewareOptions {\n\t/**\n\t * Routes that don't require authentication.\n\t * Supports exact strings and regex patterns.\n\t */\n\tpublicRoutes?: string[];\n\n\t/**\n\t * Routes that the middleware should ignore entirely.\n\t */\n\tignoredRoutes?: string[];\n\n\t/**\n\t * URL to redirect to when unauthenticated.\n\t * @default \"/sign-in\"\n\t */\n\tsignInUrl?: string;\n\n\t/**\n\t * URL to redirect to after successful sign-in.\n\t * @default \"/dashboard\"\n\t */\n\tafterSignInUrl?: string;\n}\n\n/**\n * Create a Next.js proxy/middleware that protects routes based on auth state.\n *\n * **Important:** This middleware checks for the *presence* of an auth session\n * cookie, not its validity. The actual token is validated server-side when\n * API routes are hit. This is the standard pattern for Next.js Edge\n * middleware, which runs before the request reaches the server and cannot\n * perform full JWT validation without a network round-trip.\n *\n * In Next.js 16+, the file convention is `proxy.ts` with a named `proxy` export.\n * For Next.js 15 and earlier, use `middleware.ts` with a default export.\n *\n * @example\n * ```ts\n * // proxy.ts (Next.js 16+)\n * import { banataAuthProxy } from \"@banata-auth/nextjs\";\n *\n * export const proxy = banataAuthProxy({\n *   publicRoutes: [\"/\", \"/pricing\", \"/blog(.*)\"],\n *   signInUrl: \"/sign-in\",\n * });\n *\n * export const config = {\n *   matcher: [\"/((?!.*\\\\..*|_next).*)\", \"/\", \"/(api|trpc)(.*)\"],\n * };\n * ```\n *\n * @example\n * ```ts\n * // middleware.ts (Next.js 15 and earlier)\n * import { banataAuthMiddleware } from \"@banata-auth/nextjs\";\n *\n * export default banataAuthMiddleware({\n *   publicRoutes: [\"/\", \"/pricing\", \"/blog(.*)\"],\n *   signInUrl: \"/sign-in\",\n * });\n *\n * export const config = {\n *   matcher: [\"/((?!.*\\\\..*|_next).*)\", \"/\", \"/(api|trpc)(.*)\"],\n * };\n * ```\n */\nfunction createAuthProxy(options: BanataAuthMiddlewareOptions = {}) {\n\tconst { publicRoutes = [], ignoredRoutes = [], signInUrl = \"/sign-in\" } = options;\n\n\t// Pre-compile route patterns at config time (once) to avoid\n\t// re-creating RegExp objects on every request and to catch\n\t// invalid patterns early.\n\tconst compiledPublicRoutes = compileRoutes(publicRoutes);\n\tconst compiledIgnoredRoutes = compileRoutes(ignoredRoutes);\n\n\treturn async function proxy(request: NextRequest) {\n\t\tconst { pathname } = request.nextUrl;\n\n\t\t// Forward pathname as a request header so server components\n\t\t// can read it via headers(). This is the official Next.js pattern\n\t\t// for passing data from proxy/middleware to server components.\n\t\tconst requestHeaders = new Headers(request.headers);\n\t\trequestHeaders.set(\"x-pathname\", pathname);\n\n\t\t// Check ignored routes\n\t\tif (isMatchingRoute(pathname, compiledIgnoredRoutes)) {\n\t\t\treturn NextResponse.next({ request: { headers: requestHeaders } });\n\t\t}\n\n\t\t// Check public routes\n\t\tif (isMatchingRoute(pathname, compiledPublicRoutes)) {\n\t\t\treturn NextResponse.next({ request: { headers: requestHeaders } });\n\t\t}\n\n\t\t// Check for auth session cookie presence\n\t\tif (!hasSessionCookie(request)) {\n\t\t\tconst signInURL = new URL(signInUrl, request.url);\n\t\t\tsignInURL.searchParams.set(\"redirect_url\", pathname);\n\t\t\treturn NextResponse.redirect(signInURL);\n\t\t}\n\n\t\t// Token exists - allow the request through.\n\t\treturn NextResponse.next({ request: { headers: requestHeaders } });\n\t};\n}\n\n/**\n * Create a Next.js proxy function for `proxy.ts` (Next.js 16+).\n * The returned function is named `proxy` for compatibility with the new convention.\n */\nexport const banataAuthProxy = createAuthProxy;\n\n/**\n * Backward-compatible alias for Next.js 15 and earlier `middleware.ts`.\n * @deprecated Use `banataAuthProxy` with `proxy.ts` for Next.js 16+\n */\nexport const banataAuthMiddleware = createAuthProxy;\n\n/** A pre-compiled route matcher — either a RegExp or an exact string. */\ntype CompiledRoute = RegExp | string;\n\n/**\n * Pre-compile route patterns into RegExp objects (anchored with ^ and $).\n * Invalid patterns fall back to exact string matching.\n * This is called once at config time, not per-request.\n */\nfunction compileRoutes(routes: string[]): CompiledRoute[] {\n\treturn routes.map((route) => {\n\t\ttry {\n\t\t\treturn new RegExp(`^${route}$`);\n\t\t} catch {\n\t\t\t// If the pattern is invalid regex, fall back to exact match\n\t\t\treturn route;\n\t\t}\n\t});\n}\n\nfunction isMatchingRoute(pathname: string, compiledRoutes: CompiledRoute[]): boolean {\n\treturn compiledRoutes.some((route) => {\n\t\tif (typeof route === \"string\") {\n\t\t\treturn pathname === route;\n\t\t}\n\t\treturn route.test(pathname);\n\t});\n}\n","/**\n * Create a Next.js route handler that proxies auth requests to Convex.\n *\n * This is used in `app/api/auth/[...all]/route.ts` to forward all\n * Better Auth API calls to the Convex HTTP actions endpoint.\n *\n * @example\n * ```ts\n * // app/api/auth/[...all]/route.ts\n * import { createRouteHandler } from \"@banata-auth/nextjs\";\n *\n * const handler = createRouteHandler({\n *   convexSiteUrl: process.env.NEXT_PUBLIC_CONVEX_SITE_URL!,\n * });\n *\n * export const { GET, POST } = handler;\n * ```\n */\n/**\n * Headers that are safe to forward from the client to the Convex auth API.\n * All other headers are stripped to avoid leaking internal server details\n * (e.g. X-Forwarded-For, X-Real-IP, CF-* Cloudflare headers, etc.).\n */\nconst FORWARDED_HEADERS = new Set([\n\t\"accept\",\n\t\"accept-language\",\n\t\"authorization\",\n\t\"content-type\",\n\t\"content-length\",\n\t\"cookie\",\n\t\"origin\",\n\t\"referer\",\n\t\"user-agent\",\n\t\"x-requested-with\",\n]);\n\nexport function createRouteHandler(options: {\n\t/** The Convex .site URL where HTTP actions are hosted. */\n\tconvexSiteUrl: string;\n}) {\n\tconst { convexSiteUrl } = options;\n\tconst siteUrl = convexSiteUrl.replace(/\\/$/, \"\");\n\n\tasync function handler(request: Request): Promise<Response> {\n\t\tconst requestUrl = new URL(request.url);\n\t\tconst targetUrl = `${siteUrl}${requestUrl.pathname}${requestUrl.search}`;\n\n\t\t// Only forward allowed headers to the upstream auth API\n\t\tconst forwardedHeaders = new Headers();\n\t\tfor (const [key, value] of request.headers) {\n\t\t\tif (FORWARDED_HEADERS.has(key.toLowerCase())) {\n\t\t\t\tforwardedHeaders.set(key, value);\n\t\t\t}\n\t\t}\n\n\t\tconst newRequest = new Request(targetUrl, {\n\t\t\tmethod: request.method,\n\t\t\theaders: forwardedHeaders,\n\t\t\tbody: request.body,\n\t\t\t// @ts-expect-error - duplex is needed for streaming bodies\n\t\t\tduplex: \"half\",\n\t\t});\n\n\t\t// Set the host header to the Convex site\n\t\tnewRequest.headers.set(\"host\", new URL(siteUrl).host);\n\n\t\ttry {\n\t\t\tconst response = await fetch(newRequest, {\n\t\t\t\tmethod: request.method,\n\t\t\t\tredirect: \"manual\",\n\t\t\t});\n\n\t\t\t// Forward the response including cookies\n\t\t\treturn new Response(response.body, {\n\t\t\t\tstatus: response.status,\n\t\t\t\tstatusText: response.statusText,\n\t\t\t\theaders: response.headers,\n\t\t\t});\n\t\t} catch (error) {\n\t\t\tconsole.error(\"[banata-auth] Proxy error:\", error);\n\t\t\treturn new Response(JSON.stringify({ error: \"Auth service unavailable\" }), {\n\t\t\t\tstatus: 502,\n\t\t\t\theaders: { \"Content-Type\": \"application/json\" },\n\t\t\t});\n\t\t}\n\t}\n\n\treturn {\n\t\tGET: handler,\n\t\tPOST: handler,\n\t\tPUT: handler,\n\t\tPATCH: handler,\n\t\tDELETE: handler,\n\t};\n}\n"]}

package/dist/middleware.d.ts

@@ -0,0 +1,78 @@
+import { NextRequest, NextResponse } from 'next/server';
+
+interface BanataAuthMiddlewareOptions {
+    /**
+     * Routes that don't require authentication.
+     * Supports exact strings and regex patterns.
+     */
+    publicRoutes?: string[];
+    /**
+     * Routes that the middleware should ignore entirely.
+     */
+    ignoredRoutes?: string[];
+    /**
+     * URL to redirect to when unauthenticated.
+     * @default "/sign-in"
+     */
+    signInUrl?: string;
+    /**
+     * URL to redirect to after successful sign-in.
+     * @default "/dashboard"
+     */
+    afterSignInUrl?: string;
+}
+/**
+ * Create a Next.js proxy/middleware that protects routes based on auth state.
+ *
+ * **Important:** This middleware checks for the *presence* of an auth session
+ * cookie, not its validity. The actual token is validated server-side when
+ * API routes are hit. This is the standard pattern for Next.js Edge
+ * middleware, which runs before the request reaches the server and cannot
+ * perform full JWT validation without a network round-trip.
+ *
+ * In Next.js 16+, the file convention is `proxy.ts` with a named `proxy` export.
+ * For Next.js 15 and earlier, use `middleware.ts` with a default export.
+ *
+ * @example
+ * ```ts
+ * // proxy.ts (Next.js 16+)
+ * import { banataAuthProxy } from "@banata-auth/nextjs";
+ *
+ * export const proxy = banataAuthProxy({
+ *   publicRoutes: ["/", "/pricing", "/blog(.*)"],
+ *   signInUrl: "/sign-in",
+ * });
+ *
+ * export const config = {
+ *   matcher: ["/((?!.*\\..*|_next).*)", "/", "/(api|trpc)(.*)"],
+ * };
+ * ```
+ *
+ * @example
+ * ```ts
+ * // middleware.ts (Next.js 15 and earlier)
+ * import { banataAuthMiddleware } from "@banata-auth/nextjs";
+ *
+ * export default banataAuthMiddleware({
+ *   publicRoutes: ["/", "/pricing", "/blog(.*)"],
+ *   signInUrl: "/sign-in",
+ * });
+ *
+ * export const config = {
+ *   matcher: ["/((?!.*\\..*|_next).*)", "/", "/(api|trpc)(.*)"],
+ * };
+ * ```
+ */
+declare function createAuthProxy(options?: BanataAuthMiddlewareOptions): (request: NextRequest) => Promise<NextResponse<unknown>>;
+/**
+ * Create a Next.js proxy function for `proxy.ts` (Next.js 16+).
+ * The returned function is named `proxy` for compatibility with the new convention.
+ */
+declare const banataAuthProxy: typeof createAuthProxy;
+/**
+ * Backward-compatible alias for Next.js 15 and earlier `middleware.ts`.
+ * @deprecated Use `banataAuthProxy` with `proxy.ts` for Next.js 16+
+ */
+declare const banataAuthMiddleware: typeof createAuthProxy;
+
+export { type BanataAuthMiddlewareOptions, banataAuthMiddleware, banataAuthProxy };

package/dist/middleware.js

@@ -0,0 +1,61 @@
+import { NextResponse } from 'next/server';
+
+// src/middleware.ts
+var AUTH_COOKIE_NAMES = [
+  "better-auth.session_token",
+  "__Secure-better-auth.session_token",
+  "better-auth-session_token",
+  "__Secure-better-auth-session_token",
+  "convex_jwt"
+];
+function hasSessionCookie(request) {
+  return AUTH_COOKIE_NAMES.some((name) => {
+    const cookie = request.cookies.get(name);
+    return cookie !== void 0 && cookie.value !== "";
+  });
+}
+function createAuthProxy(options = {}) {
+  const { publicRoutes = [], ignoredRoutes = [], signInUrl = "/sign-in" } = options;
+  const compiledPublicRoutes = compileRoutes(publicRoutes);
+  const compiledIgnoredRoutes = compileRoutes(ignoredRoutes);
+  return async function proxy(request) {
+    const { pathname } = request.nextUrl;
+    const requestHeaders = new Headers(request.headers);
+    requestHeaders.set("x-pathname", pathname);
+    if (isMatchingRoute(pathname, compiledIgnoredRoutes)) {
+      return NextResponse.next({ request: { headers: requestHeaders } });
+    }
+    if (isMatchingRoute(pathname, compiledPublicRoutes)) {
+      return NextResponse.next({ request: { headers: requestHeaders } });
+    }
+    if (!hasSessionCookie(request)) {
+      const signInURL = new URL(signInUrl, request.url);
+      signInURL.searchParams.set("redirect_url", pathname);
+      return NextResponse.redirect(signInURL);
+    }
+    return NextResponse.next({ request: { headers: requestHeaders } });
+  };
+}
+var banataAuthProxy = createAuthProxy;
+var banataAuthMiddleware = createAuthProxy;
+function compileRoutes(routes) {
+  return routes.map((route) => {
+    try {
+      return new RegExp(`^${route}$`);
+    } catch {
+      return route;
+    }
+  });
+}
+function isMatchingRoute(pathname, compiledRoutes) {
+  return compiledRoutes.some((route) => {
+    if (typeof route === "string") {
+      return pathname === route;
+    }
+    return route.test(pathname);
+  });
+}
+
+export { banataAuthMiddleware, banataAuthProxy };
+//# sourceMappingURL=middleware.js.map
+//# sourceMappingURL=middleware.js.map

package/dist/middleware.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../src/middleware.ts"],"names":[],"mappings":";;;AAYA,IAAM,iBAAA,GAAoB;AAAA,EACzB,2BAAA;AAAA,EACA,oCAAA;AAAA,EACA,2BAAA;AAAA,EACA,oCAAA;AAAA,EACA;AACD,CAAA;AAQA,SAAS,iBAAiB,OAAA,EAA+B;AACxD,EAAA,OAAO,iBAAA,CAAkB,IAAA,CAAK,CAAC,IAAA,KAAS;AACvC,IAAA,MAAM,MAAA,GAAS,OAAA,CAAQ,OAAA,CAAQ,GAAA,CAAI,IAAI,CAAA;AACvC,IAAA,OAAO,MAAA,KAAW,MAAA,IAAa,MAAA,CAAO,KAAA,KAAU,EAAA;AAAA,EACjD,CAAC,CAAA;AACF;AAqEA,SAAS,eAAA,CAAgB,OAAA,GAAuC,EAAC,EAAG;AACnE,EAAA,MAAM,EAAE,eAAe,EAAC,EAAG,gBAAgB,EAAC,EAAG,SAAA,GAAY,UAAA,EAAW,GAAI,OAAA;AAK1E,EAAA,MAAM,oBAAA,GAAuB,cAAc,YAAY,CAAA;AACvD,EAAA,MAAM,qBAAA,GAAwB,cAAc,aAAa,CAAA;AAEzD,EAAA,OAAO,eAAe,MAAM,OAAA,EAAsB;AACjD,IAAA,MAAM,EAAE,QAAA,EAAS,GAAI,OAAA,CAAQ,OAAA;AAK7B,IAAA,MAAM,cAAA,GAAiB,IAAI,OAAA,CAAQ,OAAA,CAAQ,OAAO,CAAA;AAClD,IAAA,cAAA,CAAe,GAAA,CAAI,cAAc,QAAQ,CAAA;AAGzC,IAAA,IAAI,eAAA,CAAgB,QAAA,EAAU,qBAAqB,CAAA,EAAG;AACrD,MAAA,OAAO,YAAA,CAAa,KAAK,EAAE,OAAA,EAAS,EAAE,OAAA,EAAS,cAAA,IAAkB,CAAA;AAAA,IAClE;AAGA,IAAA,IAAI,eAAA,CAAgB,QAAA,EAAU,oBAAoB,CAAA,EAAG;AACpD,MAAA,OAAO,YAAA,CAAa,KAAK,EAAE,OAAA,EAAS,EAAE,OAAA,EAAS,cAAA,IAAkB,CAAA;AAAA,IAClE;AAGA,IAAA,IAAI,CAAC,gBAAA,CAAiB,OAAO,CAAA,EAAG;AAC/B,MAAA,MAAM,SAAA,GAAY,IAAI,GAAA,CAAI,SAAA,EAAW,QAAQ,GAAG,CAAA;AAChD,MAAA,SAAA,CAAU,YAAA,CAAa,GAAA,CAAI,cAAA,EAAgB,QAAQ,CAAA;AACnD,MAAA,OAAO,YAAA,CAAa,SAAS,SAAS,CAAA;AAAA,IACvC;AAGA,IAAA,OAAO,YAAA,CAAa,KAAK,EAAE,OAAA,EAAS,EAAE,OAAA,EAAS,cAAA,IAAkB,CAAA;AAAA,EAClE,CAAA;AACD;AAMO,IAAM,eAAA,GAAkB;AAMxB,IAAM,oBAAA,GAAuB;AAUpC,SAAS,cAAc,MAAA,EAAmC;AACzD,EAAA,OAAO,MAAA,CAAO,GAAA,CAAI,CAAC,KAAA,KAAU;AAC5B,IAAA,IAAI;AACH,MAAA,OAAO,IAAI,MAAA,CAAO,CAAA,CAAA,EAAI,KAAK,CAAA,CAAA,CAAG,CAAA;AAAA,IAC/B,CAAA,CAAA,MAAQ;AAEP,MAAA,OAAO,KAAA;AAAA,IACR;AAAA,EACD,CAAC,CAAA;AACF;AAEA,SAAS,eAAA,CAAgB,UAAkB,cAAA,EAA0C;AACpF,EAAA,OAAO,cAAA,CAAe,IAAA,CAAK,CAAC,KAAA,KAAU;AACrC,IAAA,IAAI,OAAO,UAAU,QAAA,EAAU;AAC9B,MAAA,OAAO,QAAA,KAAa,KAAA;AAAA,IACrB;AACA,IAAA,OAAO,KAAA,CAAM,KAAK,QAAQ,CAAA;AAAA,EAC3B,CAAC,CAAA;AACF","file":"middleware.js","sourcesContent":["import { type NextRequest, NextResponse } from \"next/server\";\n\n/**\n * Cookie names that indicate an active auth session.\n *\n * Better Auth uses `better-auth.session_token` (or `__Secure-better-auth.session_token`\n * in production). The Convex Better Auth integration also sets `convex_jwt`.\n * We check both to cover all deployment scenarios.\n *\n * NOTE: This only checks for cookie *presence*, not validity. The actual\n * token is validated server-side when the API routes are hit.\n */\nconst AUTH_COOKIE_NAMES = [\n\t\"better-auth.session_token\",\n\t\"__Secure-better-auth.session_token\",\n\t\"better-auth-session_token\",\n\t\"__Secure-better-auth-session_token\",\n\t\"convex_jwt\",\n];\n\n/**\n * Check whether the request carries any known auth session cookie.\n * Uses the standard `NextRequest.cookies` API rather than Better Auth's\n * `getSessionCookie()`, which requires a `Headers` object incompatible\n * with some mocking/testing scenarios.\n */\nfunction hasSessionCookie(request: NextRequest): boolean {\n\treturn AUTH_COOKIE_NAMES.some((name) => {\n\t\tconst cookie = request.cookies.get(name);\n\t\treturn cookie !== undefined && cookie.value !== \"\";\n\t});\n}\n\nexport interface BanataAuthMiddlewareOptions {\n\t/**\n\t * Routes that don't require authentication.\n\t * Supports exact strings and regex patterns.\n\t */\n\tpublicRoutes?: string[];\n\n\t/**\n\t * Routes that the middleware should ignore entirely.\n\t */\n\tignoredRoutes?: string[];\n\n\t/**\n\t * URL to redirect to when unauthenticated.\n\t * @default \"/sign-in\"\n\t */\n\tsignInUrl?: string;\n\n\t/**\n\t * URL to redirect to after successful sign-in.\n\t * @default \"/dashboard\"\n\t */\n\tafterSignInUrl?: string;\n}\n\n/**\n * Create a Next.js proxy/middleware that protects routes based on auth state.\n *\n * **Important:** This middleware checks for the *presence* of an auth session\n * cookie, not its validity. The actual token is validated server-side when\n * API routes are hit. This is the standard pattern for Next.js Edge\n * middleware, which runs before the request reaches the server and cannot\n * perform full JWT validation without a network round-trip.\n *\n * In Next.js 16+, the file convention is `proxy.ts` with a named `proxy` export.\n * For Next.js 15 and earlier, use `middleware.ts` with a default export.\n *\n * @example\n * ```ts\n * // proxy.ts (Next.js 16+)\n * import { banataAuthProxy } from \"@banata-auth/nextjs\";\n *\n * export const proxy = banataAuthProxy({\n *   publicRoutes: [\"/\", \"/pricing\", \"/blog(.*)\"],\n *   signInUrl: \"/sign-in\",\n * });\n *\n * export const config = {\n *   matcher: [\"/((?!.*\\\\..*|_next).*)\", \"/\", \"/(api|trpc)(.*)\"],\n * };\n * ```\n *\n * @example\n * ```ts\n * // middleware.ts (Next.js 15 and earlier)\n * import { banataAuthMiddleware } from \"@banata-auth/nextjs\";\n *\n * export default banataAuthMiddleware({\n *   publicRoutes: [\"/\", \"/pricing\", \"/blog(.*)\"],\n *   signInUrl: \"/sign-in\",\n * });\n *\n * export const config = {\n *   matcher: [\"/((?!.*\\\\..*|_next).*)\", \"/\", \"/(api|trpc)(.*)\"],\n * };\n * ```\n */\nfunction createAuthProxy(options: BanataAuthMiddlewareOptions = {}) {\n\tconst { publicRoutes = [], ignoredRoutes = [], signInUrl = \"/sign-in\" } = options;\n\n\t// Pre-compile route patterns at config time (once) to avoid\n\t// re-creating RegExp objects on every request and to catch\n\t// invalid patterns early.\n\tconst compiledPublicRoutes = compileRoutes(publicRoutes);\n\tconst compiledIgnoredRoutes = compileRoutes(ignoredRoutes);\n\n\treturn async function proxy(request: NextRequest) {\n\t\tconst { pathname } = request.nextUrl;\n\n\t\t// Forward pathname as a request header so server components\n\t\t// can read it via headers(). This is the official Next.js pattern\n\t\t// for passing data from proxy/middleware to server components.\n\t\tconst requestHeaders = new Headers(request.headers);\n\t\trequestHeaders.set(\"x-pathname\", pathname);\n\n\t\t// Check ignored routes\n\t\tif (isMatchingRoute(pathname, compiledIgnoredRoutes)) {\n\t\t\treturn NextResponse.next({ request: { headers: requestHeaders } });\n\t\t}\n\n\t\t// Check public routes\n\t\tif (isMatchingRoute(pathname, compiledPublicRoutes)) {\n\t\t\treturn NextResponse.next({ request: { headers: requestHeaders } });\n\t\t}\n\n\t\t// Check for auth session cookie presence\n\t\tif (!hasSessionCookie(request)) {\n\t\t\tconst signInURL = new URL(signInUrl, request.url);\n\t\t\tsignInURL.searchParams.set(\"redirect_url\", pathname);\n\t\t\treturn NextResponse.redirect(signInURL);\n\t\t}\n\n\t\t// Token exists - allow the request through.\n\t\treturn NextResponse.next({ request: { headers: requestHeaders } });\n\t};\n}\n\n/**\n * Create a Next.js proxy function for `proxy.ts` (Next.js 16+).\n * The returned function is named `proxy` for compatibility with the new convention.\n */\nexport const banataAuthProxy = createAuthProxy;\n\n/**\n * Backward-compatible alias for Next.js 15 and earlier `middleware.ts`.\n * @deprecated Use `banataAuthProxy` with `proxy.ts` for Next.js 16+\n */\nexport const banataAuthMiddleware = createAuthProxy;\n\n/** A pre-compiled route matcher — either a RegExp or an exact string. */\ntype CompiledRoute = RegExp | string;\n\n/**\n * Pre-compile route patterns into RegExp objects (anchored with ^ and $).\n * Invalid patterns fall back to exact string matching.\n * This is called once at config time, not per-request.\n */\nfunction compileRoutes(routes: string[]): CompiledRoute[] {\n\treturn routes.map((route) => {\n\t\ttry {\n\t\t\treturn new RegExp(`^${route}$`);\n\t\t} catch {\n\t\t\t// If the pattern is invalid regex, fall back to exact match\n\t\t\treturn route;\n\t\t}\n\t});\n}\n\nfunction isMatchingRoute(pathname: string, compiledRoutes: CompiledRoute[]): boolean {\n\treturn compiledRoutes.some((route) => {\n\t\tif (typeof route === \"string\") {\n\t\t\treturn pathname === route;\n\t\t}\n\t\treturn route.test(pathname);\n\t});\n}\n"]}

package/dist/server.d.ts

@@ -0,0 +1,80 @@
+import * as convex_react from 'convex/react';
+import * as convex_helpers from 'convex-helpers';
+import * as convex_server from 'convex/server';
+
+interface BanataAuthServerOptions {
+    /**
+     * Your Convex cloud URL (e.g. `https://adjective-animal-123.convex.cloud`).
+     * Typically `process.env.NEXT_PUBLIC_CONVEX_URL`.
+     */
+    convexUrl: string;
+    /**
+     * Your Convex site URL (e.g. `https://adjective-animal-123.convex.site`).
+     * Typically `process.env.NEXT_PUBLIC_CONVEX_SITE_URL`.
+     */
+    convexSiteUrl: string;
+}
+/**
+ * Create the Banata Auth server utilities for Next.js.
+ *
+ * This is the recommended way to configure server-side auth helpers.
+ * It wraps `@convex-dev/better-auth/nextjs` so consumers don't need
+ * that package as a direct dependency.
+ *
+ * Returns `handler`, `isAuthenticated`, `getToken`, `preloadAuthQuery`,
+ * `fetchAuthQuery`, `fetchAuthMutation`, and `fetchAuthAction`.
+ *
+ * @example
+ * ```ts
+ * // lib/auth-server.ts
+ * import { createBanataAuthServer } from "@banata-auth/nextjs/server";
+ *
+ * export const {
+ *   handler,
+ *   isAuthenticated,
+ *   getToken,
+ *   preloadAuthQuery,
+ *   fetchAuthQuery,
+ *   fetchAuthMutation,
+ *   fetchAuthAction,
+ * } = createBanataAuthServer({
+ *   convexUrl: process.env.NEXT_PUBLIC_CONVEX_URL!,
+ *   convexSiteUrl: process.env.NEXT_PUBLIC_CONVEX_SITE_URL!,
+ * });
+ * ```
+ *
+ * @example
+ * ```ts
+ * // app/api/auth/[...all]/route.ts
+ * import { handler } from "@/lib/auth-server";
+ * export const { GET, POST } = handler;
+ * ```
+ *
+ * @example
+ * ```ts
+ * // app/layout.tsx (server component)
+ * import { getToken, isAuthenticated } from "@/lib/auth-server";
+ * import { redirect } from "next/navigation";
+ *
+ * export default async function Layout({ children }) {
+ *   if (!(await isAuthenticated())) redirect("/sign-in");
+ *   const token = await getToken();
+ *   return <Provider initialToken={token}>{children}</Provider>;
+ * }
+ * ```
+ */
+declare function createBanataAuthServer(opts: BanataAuthServerOptions): {
+    getToken: () => Promise<string | undefined>;
+    handler: {
+        GET: (request: Request) => Promise<Response>;
+        POST: (request: Request) => Promise<Response>;
+    };
+    isAuthenticated: () => Promise<boolean>;
+    preloadAuthQuery: <Query extends convex_server.FunctionReference<"query">>(query: Query, ...args: Query["_args"] extends convex_helpers.EmptyObject ? [args?: convex_helpers.EmptyObject | undefined] : [args: Query["_args"]]) => Promise<convex_react.Preloaded<Query>>;
+    fetchAuthQuery: <Query extends convex_server.FunctionReference<"query">>(query: Query, ...args: Query["_args"] extends convex_helpers.EmptyObject ? [args?: convex_helpers.EmptyObject | undefined] : [args: Query["_args"]]) => Promise<convex_server.FunctionReturnType<Query>>;
+    fetchAuthMutation: <Mutation extends convex_server.FunctionReference<"mutation">>(mutation: Mutation, ...args: Mutation["_args"] extends convex_helpers.EmptyObject ? [args?: convex_helpers.EmptyObject | undefined] : [args: Mutation["_args"]]) => Promise<convex_server.FunctionReturnType<Mutation>>;
+    fetchAuthAction: <Action extends convex_server.FunctionReference<"action">>(action: Action, ...args: Action["_args"] extends convex_helpers.EmptyObject ? [args?: convex_helpers.EmptyObject | undefined] : [args: Action["_args"]]) => Promise<convex_server.FunctionReturnType<Action>>;
+};
+type BanataAuthServer = ReturnType<typeof createBanataAuthServer>;
+
+export { type BanataAuthServer, type BanataAuthServerOptions, createBanataAuthServer };

package/dist/server.js

@@ -0,0 +1,13 @@
+import { convexBetterAuthNextJs } from '@convex-dev/better-auth/nextjs';
+
+// src/server.ts
+function createBanataAuthServer(opts) {
+  return convexBetterAuthNextJs({
+    convexUrl: opts.convexUrl,
+    convexSiteUrl: opts.convexSiteUrl
+  });
+}
+
+export { createBanataAuthServer };
+//# sourceMappingURL=server.js.map
+//# sourceMappingURL=server.js.map

package/dist/server.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../src/server.ts"],"names":[],"mappings":";;;AAmEO,SAAS,uBAAuB,IAAA,EAA+B;AACrE,EAAA,OAAO,sBAAA,CAAuB;AAAA,IAC7B,WAAW,IAAA,CAAK,SAAA;AAAA,IAChB,eAAe,IAAA,CAAK;AAAA,GACpB,CAAA;AACF","file":"server.js","sourcesContent":["import { convexBetterAuthNextJs } from \"@convex-dev/better-auth/nextjs\";\n\n// ── Types ───────────────────────────────────────────────────────────\n\nexport interface BanataAuthServerOptions {\n\t/**\n\t * Your Convex cloud URL (e.g. `https://adjective-animal-123.convex.cloud`).\n\t * Typically `process.env.NEXT_PUBLIC_CONVEX_URL`.\n\t */\n\tconvexUrl: string;\n\n\t/**\n\t * Your Convex site URL (e.g. `https://adjective-animal-123.convex.site`).\n\t * Typically `process.env.NEXT_PUBLIC_CONVEX_SITE_URL`.\n\t */\n\tconvexSiteUrl: string;\n}\n\n/**\n * Create the Banata Auth server utilities for Next.js.\n *\n * This is the recommended way to configure server-side auth helpers.\n * It wraps `@convex-dev/better-auth/nextjs` so consumers don't need\n * that package as a direct dependency.\n *\n * Returns `handler`, `isAuthenticated`, `getToken`, `preloadAuthQuery`,\n * `fetchAuthQuery`, `fetchAuthMutation`, and `fetchAuthAction`.\n *\n * @example\n * ```ts\n * // lib/auth-server.ts\n * import { createBanataAuthServer } from \"@banata-auth/nextjs/server\";\n *\n * export const {\n *   handler,\n *   isAuthenticated,\n *   getToken,\n *   preloadAuthQuery,\n *   fetchAuthQuery,\n *   fetchAuthMutation,\n *   fetchAuthAction,\n * } = createBanataAuthServer({\n *   convexUrl: process.env.NEXT_PUBLIC_CONVEX_URL!,\n *   convexSiteUrl: process.env.NEXT_PUBLIC_CONVEX_SITE_URL!,\n * });\n * ```\n *\n * @example\n * ```ts\n * // app/api/auth/[...all]/route.ts\n * import { handler } from \"@/lib/auth-server\";\n * export const { GET, POST } = handler;\n * ```\n *\n * @example\n * ```ts\n * // app/layout.tsx (server component)\n * import { getToken, isAuthenticated } from \"@/lib/auth-server\";\n * import { redirect } from \"next/navigation\";\n *\n * export default async function Layout({ children }) {\n *   if (!(await isAuthenticated())) redirect(\"/sign-in\");\n *   const token = await getToken();\n *   return <Provider initialToken={token}>{children}</Provider>;\n * }\n * ```\n */\nexport function createBanataAuthServer(opts: BanataAuthServerOptions) {\n\treturn convexBetterAuthNextJs({\n\t\tconvexUrl: opts.convexUrl,\n\t\tconvexSiteUrl: opts.convexSiteUrl,\n\t});\n}\n\n// Re-export the return type so consumers can type their variables if needed\nexport type BanataAuthServer = ReturnType<typeof createBanataAuthServer>;\n"]}

package/package.json

@@ -0,0 +1,85 @@
+{
+	"name": "@banata-auth/nextjs",
+	"version": "0.1.0",
+	"private": false,
+	"license": "MIT",
+	"type": "module",
+	"description": "Next.js integration for Banata Auth — route handler, middleware, and server-side utilities",
+	"repository": {
+		"type": "git",
+		"url": "https://github.com/banata-auth/banata-auth",
+		"directory": "packages/nextjs"
+	},
+	"homepage": "https://auth-docs.banata.dev/docs/nextjs",
+	"keywords": ["banata-auth", "auth", "nextjs", "middleware", "route-handler", "server"],
+	"publishConfig": {
+		"access": "public"
+	},
+	"sideEffects": false,
+	"exports": {
+		".": {
+			"types": "./dist/index.d.ts",
+			"import": "./dist/index.js",
+			"default": "./dist/index.js"
+		},
+		"./server": {
+			"types": "./dist/server.d.ts",
+			"import": "./dist/server.js",
+			"default": "./dist/server.js"
+		},
+		"./client": {
+			"types": "./dist/client.d.ts",
+			"import": "./dist/client.js",
+			"default": "./dist/client.js"
+		},
+		"./middleware": {
+			"types": "./dist/middleware.d.ts",
+			"import": "./dist/middleware.js",
+			"default": "./dist/middleware.js"
+		},
+		"./bot-protection": {
+			"types": "./dist/bot-protection.d.ts",
+			"import": "./dist/bot-protection.js",
+			"default": "./dist/bot-protection.js"
+		}
+	},
+	"main": "./dist/index.js",
+	"module": "./dist/index.js",
+	"types": "./dist/index.d.ts",
+	"files": ["dist"],
+	"scripts": {
+		"build": "tsup && node ../../scripts/ensure-use-client.mjs dist/client.js",
+		"dev": "tsup --watch",
+		"typecheck": "tsc --noEmit",
+		"test": "vitest run --passWithNoTests",
+		"prepublishOnly": "bun run build",
+		"clean": "rm -rf dist .turbo"
+	},
+	"dependencies": {
+		"@banata-auth/react": "workspace:*",
+		"@banata-auth/shared": "workspace:*"
+	},
+	"peerDependencies": {
+		"@convex-dev/better-auth": ">=0.10.0",
+		"better-auth": ">=1.4.0",
+		"convex": ">=1.25.0",
+		"next": ">=15.0.0",
+		"react": "^18 || ^19"
+	},
+	"peerDependenciesMeta": {
+		"@convex-dev/better-auth": { "optional": true },
+		"better-auth": { "optional": true },
+		"convex": { "optional": true }
+	},
+	"devDependencies": {
+		"@convex-dev/better-auth": "^0.10.13",
+		"@types/react": "^19.0.0",
+		"better-auth": "^1.4.20",
+		"convex": "^1.25.0",
+		"next": "^16.0.0",
+		"react": "^19.0.0",
+		"tsup": "^8.3.0",
+		"typescript": "^5.7.0",
+		"vitest": "^3.0.0"
+	}
+}