@baseworks/auth 0.2.0

package/dist/chunk-3NJASEF4.js

@@ -0,0 +1,69 @@
+// src/url-helpers.ts
+function normalizeUrlLike(value) {
+  if (value === "/") return "";
+  return value.replace(/\/+$/, "");
+}
+function joinPublicUrl(base, path = "") {
+  const normalizedBase = normalizeUrlLike(base);
+  const normalizedPath = path.startsWith("/") ? path : `/${path}`;
+  if (!normalizedBase) return normalizedPath;
+  if (/^https?:\/\//.test(normalizedBase)) {
+    return new URL(normalizedPath, `${normalizedBase}/`).toString();
+  }
+  return `${normalizedBase}${normalizedPath}`;
+}
+function getAuthPublicUrl() {
+  return normalizeUrlLike(process.env.NEXT_PUBLIC_AUTH_URL ?? "/auth");
+}
+function getAccountPublicUrl() {
+  return normalizeUrlLike(process.env.NEXT_PUBLIC_ACCOUNT_URL ?? "/account");
+}
+function getAppBasePath(defaultPath = "") {
+  return normalizeUrlLike(
+    process.env.NEXT_PUBLIC_APP_BASE_PATH ?? process.env.APP_BASE_PATH ?? defaultPath
+  );
+}
+function getPublicSiteUrl() {
+  return normalizeUrlLike(process.env.APP_PUBLIC_URL ?? process.env.NEXT_PUBLIC_SITE_URL ?? "");
+}
+function buildPublicUrl(pathOrUrl, fallbackOrigin) {
+  if (/^https?:\/\//.test(pathOrUrl)) return pathOrUrl;
+  const origin = getPublicSiteUrl() || fallbackOrigin;
+  if (!origin) return pathOrUrl;
+  return new URL(pathOrUrl, `${normalizeUrlLike(origin)}/`).toString();
+}
+function buildAuthUrl(path, redirectTo, origin) {
+  const target = joinPublicUrl(getAuthPublicUrl(), path);
+  const targetIsAbsolute = /^https?:\/\//.test(target);
+  const fallbackOrigin = "http://localhost";
+  const url = new URL(target, origin ?? fallbackOrigin);
+  url.searchParams.set("redirectTo", redirectTo);
+  const href = url.toString();
+  if (origin || targetIsAbsolute) return href;
+  return href.replace(fallbackOrigin, "");
+}
+function buildAuthLoginUrl(redirectTo, origin) {
+  return buildAuthUrl("/login", redirectTo, origin);
+}
+function buildAuthLogoutUrl(redirectTo, origin) {
+  return buildAuthUrl(
+    "/logout",
+    process.env.NEXT_PUBLIC_SIGN_OUT_REDIRECT_URL ?? redirectTo,
+    origin
+  );
+}
+function buildAccountProfileUrl() {
+  return joinPublicUrl(getAccountPublicUrl(), "/profile");
+}
+
+export {
+  normalizeUrlLike,
+  getAuthPublicUrl,
+  getAccountPublicUrl,
+  getAppBasePath,
+  getPublicSiteUrl,
+  buildPublicUrl,
+  buildAuthLoginUrl,
+  buildAuthLogoutUrl,
+  buildAccountProfileUrl
+};

package/dist/chunk-6TUNNS2B.js

@@ -0,0 +1,25 @@
+import {
+  verifyOidcToken
+} from "./chunk-BL74TFCV.js";
+
+// src/oidc-human.ts
+import { decodeJwt } from "jose";
+function createOidcHumanResolver(config) {
+  const issuer = config.issuer.replace(/\/+$/, "");
+  return async (token) => {
+    let iss;
+    try {
+      iss = decodeJwt(token).iss;
+    } catch {
+      return null;
+    }
+    if (!iss || !iss.startsWith(issuer)) return null;
+    const identity = await verifyOidcToken(token, { issuer, audience: config.audience });
+    if (!identity) return null;
+    return config.findOrCreate(identity, token);
+  };
+}
+
+export {
+  createOidcHumanResolver
+};

package/dist/chunk-BL74TFCV.js

@@ -0,0 +1,23 @@
+// src/oidc.ts
+import { createRemoteJWKSet, jwtVerify } from "jose";
+function withoutTrailingSlash(v) {
+  return v.replace(/\/+$/, "");
+}
+async function verifyOidcToken(token, config) {
+  const issuer = withoutTrailingSlash(config.issuer);
+  const jwks = createRemoteJWKSet(new URL(`${issuer}/oauth/v2/keys`));
+  const opts = config.audience ? { issuer, audience: config.audience } : { issuer };
+  const result = await jwtVerify(token, jwks, opts).catch(() => null);
+  if (!result) return null;
+  const payload = result.payload;
+  const subject = String(payload.sub ?? "");
+  if (!subject) return null;
+  const email = String(payload.email ?? payload.preferred_username ?? `${subject}@unknown`);
+  const name = String(payload.name ?? payload.preferred_username ?? email);
+  const picture = payload.picture ? String(payload.picture) : void 0;
+  return { subject, issuer, email, name, picture };
+}
+
+export {
+  verifyOidcToken
+};

package/dist/chunk-BMPRMOI7.js

@@ -0,0 +1,23 @@
+// src/zitadel.ts
+import { createRemoteJWKSet, jwtVerify } from "jose";
+function withoutTrailingSlash(v) {
+  return v.replace(/\/+$/, "");
+}
+async function verifyZitadelToken(token, config) {
+  const issuer = withoutTrailingSlash(config.issuer);
+  const jwks = createRemoteJWKSet(new URL(`${issuer}/oauth/v2/keys`));
+  const opts = config.audience ? { issuer, audience: config.audience } : { issuer };
+  const result = await jwtVerify(token, jwks, opts).catch(() => null);
+  if (!result) return null;
+  const payload = result.payload;
+  const subject = String(payload.sub ?? "");
+  if (!subject) return null;
+  const email = String(payload.email ?? payload.preferred_username ?? `${subject}@zitadel.local`);
+  const name = String(payload.name ?? payload.preferred_username ?? email);
+  const picture = payload.picture ? String(payload.picture) : void 0;
+  return { subject, issuer, email, name, picture };
+}
+
+export {
+  verifyZitadelToken
+};

package/dist/chunk-C4V5LCFA.js

@@ -0,0 +1,47 @@
+// src/cli-auth.ts
+async function startCliAuth(apiBase) {
+  const url = `${apiBase.replace(/\/+$/, "")}/v1/auth/start`;
+  const res = await fetch(url);
+  if (!res.ok) {
+    const text = await res.text().catch(() => res.statusText);
+    throw new Error(`Auth start failed (${res.status}): ${text}`);
+  }
+  const data = await res.json();
+  if (!data.state || !data.url) {
+    throw new Error("Invalid response from auth/start");
+  }
+  return {
+    state: data.state,
+    url: data.url,
+    expiresIn: data.expires_in ?? 600
+  };
+}
+async function pollCliAuth(apiBase, state, opts = {}) {
+  const intervalMs = opts.intervalMs ?? 2e3;
+  const timeoutMs = opts.timeoutMs ?? 3e5;
+  const base = apiBase.replace(/\/+$/, "");
+  const deadline = Date.now() + timeoutMs;
+  while (Date.now() < deadline) {
+    await sleep(intervalMs);
+    const res = await fetch(`${base}/v1/auth/poll/${state}`);
+    if (!res.ok) {
+      throw new Error(`Poll failed (${res.status})`);
+    }
+    const data = await res.json();
+    if (data.status === "done" && data.token) {
+      return { token: data.token };
+    }
+    if (data.status === "expired") {
+      throw new Error("Auth session expired \u2014 run login again");
+    }
+  }
+  throw new Error("Auth timed out \u2014 run login again");
+}
+function sleep(ms) {
+  return new Promise((resolve) => setTimeout(resolve, ms));
+}
+
+export {
+  startCliAuth,
+  pollCliAuth
+};

package/dist/chunk-M7EACPIB.js

@@ -0,0 +1,33 @@
+// src/pkce.ts
+async function generatePkce() {
+  const array = new Uint8Array(32);
+  crypto.getRandomValues(array);
+  const verifier = base64url(array);
+  const encoded = new TextEncoder().encode(verifier);
+  const digest = await crypto.subtle.digest("SHA-256", encoded);
+  const challenge = base64url(new Uint8Array(digest));
+  return { verifier, challenge, method: "S256" };
+}
+function buildOidcAuthUrl(config) {
+  const issuer = config.issuer.replace(/\/+$/, "");
+  const scopes = (config.scopes ?? ["openid", "email", "profile"]).join(" ");
+  const params = new URLSearchParams({
+    client_id: config.clientId,
+    redirect_uri: config.redirectUri,
+    response_type: "code",
+    scope: scopes,
+    code_challenge: config.challenge,
+    code_challenge_method: "S256"
+  });
+  if (config.state) params.set("state", config.state);
+  if (config.prompt) params.set("prompt", config.prompt);
+  return `${issuer}/oauth/v2/authorize?${params.toString()}`;
+}
+function base64url(buf) {
+  return btoa(Array.from(buf, (b) => String.fromCharCode(b)).join("")).replace(/\+/g, "-").replace(/\//g, "_").replace(/=/g, "");
+}
+
+export {
+  generatePkce,
+  buildOidcAuthUrl
+};

package/dist/chunk-VBIQJKUU.js

@@ -0,0 +1,20 @@
+// src/token.ts
+async function hashToken(token, pepper) {
+  const input = pepper ? `${pepper}:${token}` : token;
+  const buf = await crypto.subtle.digest("SHA-256", new TextEncoder().encode(input));
+  return Array.from(new Uint8Array(buf), (b) => b.toString(16).padStart(2, "0")).join("");
+}
+function looksLikeJwt(token) {
+  return token.split(".").length === 3;
+}
+function stripBearer(header) {
+  if (!header?.startsWith("Bearer ")) return null;
+  const token = header.slice(7).trim();
+  return token || null;
+}
+
+export {
+  hashToken,
+  looksLikeJwt,
+  stripBearer
+};

package/dist/chunk-VUB4GTMI.js

@@ -0,0 +1,402 @@
+import {
+  getAuthPublicUrl,
+  normalizeUrlLike
+} from "./chunk-3NJASEF4.js";
+
+// src/session.ts
+import { cookies } from "next/headers";
+import { NextResponse } from "next/server";
+var oidcCookies = {
+  codeVerifier: "oidc_code_verifier",
+  state: "oidc_state",
+  nonce: "oidc_nonce",
+  returnTo: "oidc_return_to",
+  idToken: "oidc_id_token",
+  accessToken: "oidc_access_token",
+  refreshToken: "oidc_refresh_token",
+  expiresAt: "oidc_expires_at",
+  session: "oidc_session"
+};
+function getIssuer() {
+  return (process.env.OIDC_ISSUER ?? "https://nesskey.com").replace(/\/+$/, "");
+}
+function getClientId() {
+  const clientId = process.env.OIDC_CLIENT_ID;
+  if (!clientId) throw new Error("OIDC_CLIENT_ID is required.");
+  return clientId;
+}
+function getOptionalClientSecret() {
+  return process.env.OIDC_CLIENT_SECRET;
+}
+function getCookieDomain() {
+  const domain = process.env.OIDC_COOKIE_DOMAIN?.trim();
+  return domain || void 0;
+}
+function getScope() {
+  return process.env.OIDC_SCOPE ?? "openid profile email offline_access";
+}
+function getPublicAuthBasePath() {
+  return normalizeUrlLike(process.env.OIDC_PUBLIC_BASE_PATH ?? getAuthPublicUrl() ?? "/auth");
+}
+function getRedirectUriOverride() {
+  return process.env.OIDC_REDIRECT_URI ?? null;
+}
+function getDefaultSignedOutRedirect() {
+  return process.env.OIDC_DEFAULT_REDIRECT ?? "/";
+}
+function getPublicSiteUrlFromEnv(request) {
+  const explicit = process.env.APP_PUBLIC_URL ?? process.env.NEXT_PUBLIC_SITE_URL ?? process.env.OIDC_PUBLIC_SITE_URL;
+  if (explicit) return normalizeUrlLike(explicit);
+  if (request) return normalizeUrlLike(request.nextUrl.origin);
+  return null;
+}
+function resolvePublicRedirect(target, request) {
+  if (/^https?:\/\//.test(target)) return new URL(target);
+  const publicSiteUrl = getPublicSiteUrlFromEnv(request);
+  if (publicSiteUrl) return new URL(target, publicSiteUrl);
+  return new URL(target, request.url);
+}
+function base64UrlEncode(input) {
+  const buffer = typeof input === "string" ? Buffer.from(input, "utf8") : Buffer.from(input instanceof Uint8Array ? input : new Uint8Array(input));
+  return buffer.toString("base64").replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/g, "");
+}
+function base64UrlDecode(input) {
+  const padded = input.replace(/-/g, "+").replace(/_/g, "/");
+  const remainder = padded.length % 4;
+  const normalized = remainder === 0 ? padded : `${padded}${"=".repeat(4 - remainder)}`;
+  return Buffer.from(normalized, "base64").toString("utf8");
+}
+function sha256(input) {
+  return crypto.subtle.digest("SHA-256", new TextEncoder().encode(input));
+}
+function randomString() {
+  return base64UrlEncode(crypto.getRandomValues(new Uint8Array(32)));
+}
+async function createPkcePair() {
+  const verifier = randomString();
+  const challenge = base64UrlEncode(await sha256(verifier));
+  return { challenge, verifier };
+}
+async function discoverOidc() {
+  const issuer = getIssuer();
+  const response = await fetch(`${issuer}/.well-known/openid-configuration`);
+  if (!response.ok) throw new Error(`Failed to load OIDC discovery document from ${issuer}.`);
+  return await response.json();
+}
+function parseJwtPayload(token) {
+  const [, payload = ""] = token.split(".");
+  return JSON.parse(base64UrlDecode(payload));
+}
+function encodeSessionCookie(session) {
+  return base64UrlEncode(JSON.stringify(session));
+}
+function parseSessionCookie(value) {
+  try {
+    const session = JSON.parse(base64UrlDecode(value));
+    return session.isAuthenticated ? session : null;
+  } catch {
+    return null;
+  }
+}
+function encodeTransactionCookie(transaction) {
+  return base64UrlEncode(JSON.stringify(transaction));
+}
+function parseTransactionCookie(value) {
+  try {
+    const transaction = JSON.parse(base64UrlDecode(value));
+    if (!transaction.codeVerifier || !transaction.returnTo) return null;
+    return transaction;
+  } catch {
+    return null;
+  }
+}
+function getTransactionCookieName(state) {
+  return `oidc_tx_${state}`;
+}
+function getCookieOptions(request) {
+  return {
+    domain: getCookieDomain(),
+    httpOnly: true,
+    path: "/",
+    sameSite: "lax",
+    secure: request.nextUrl.protocol === "https:"
+  };
+}
+function expireCookie(response, request, name) {
+  response.cookies.set(name, "", { ...getCookieOptions(request), expires: /* @__PURE__ */ new Date(0) });
+}
+function setTransactionCookie(response, request, state, transaction) {
+  response.cookies.set(
+    getTransactionCookieName(state),
+    encodeTransactionCookie(transaction),
+    { ...getCookieOptions(request), expires: new Date(Date.now() + 10 * 60 * 1e3) }
+  );
+}
+function getRedirectUri(request) {
+  const override = getRedirectUriOverride();
+  if (override) return override;
+  return new URL(
+    `${getPublicAuthBasePath()}/oidc/callback`,
+    getPublicSiteUrlFromEnv(request) ?? request.nextUrl.origin
+  ).toString();
+}
+function appendClientAuthentication(headers, params, clientId, clientSecret) {
+  if (clientSecret) {
+    const basic = Buffer.from(`${clientId}:${clientSecret}`).toString("base64");
+    headers.set("authorization", `Basic ${basic}`);
+    return;
+  }
+  params.set("client_id", clientId);
+}
+async function exchangeAuthorizationCode(args) {
+  const params = new URLSearchParams({
+    code: args.code,
+    code_verifier: args.codeVerifier,
+    grant_type: "authorization_code",
+    redirect_uri: args.redirectUri
+  });
+  const reqHeaders = new Headers({ "content-type": "application/x-www-form-urlencoded" });
+  appendClientAuthentication(reqHeaders, params, args.clientId, args.clientSecret);
+  const response = await fetch(args.tokenEndpoint, {
+    body: params.toString(),
+    headers: reqHeaders,
+    method: "POST"
+  });
+  const json = await response.json();
+  if (!response.ok || !json.id_token) {
+    throw new Error(json.error_description ?? "OIDC code exchange failed.");
+  }
+  return json;
+}
+async function refreshIdToken(args) {
+  const params = new URLSearchParams({
+    grant_type: "refresh_token",
+    refresh_token: args.refreshToken
+  });
+  const reqHeaders = new Headers({ "content-type": "application/x-www-form-urlencoded" });
+  appendClientAuthentication(reqHeaders, params, args.clientId, args.clientSecret);
+  const response = await fetch(args.tokenEndpoint, {
+    body: params.toString(),
+    headers: reqHeaders,
+    method: "POST"
+  });
+  const json = await response.json();
+  if (!response.ok || !json.id_token) {
+    throw new Error(json.error_description ?? "OIDC token refresh failed.");
+  }
+  return json;
+}
+function sessionFromPayload(payload) {
+  return {
+    audience: payload.aud,
+    email: payload.email,
+    expiresAt: payload.exp ?? 0,
+    isAuthenticated: true,
+    issuer: payload.iss,
+    name: payload.name,
+    pictureUrl: payload.picture,
+    subject: payload.sub,
+    tokenIdentifier: payload.sub && payload.iss ? `${payload.sub}|${payload.iss}` : void 0
+  };
+}
+function applyTokenCookies(response, request, tokens) {
+  const options = getCookieOptions(request);
+  const payload = parseJwtPayload(tokens.id_token);
+  const expiresAt = payload.exp ?? (tokens.expires_in ? Math.floor(Date.now() / 1e3) + tokens.expires_in : void 0);
+  if (!expiresAt) throw new Error("The OIDC ID token did not include an expiry.");
+  response.cookies.set(oidcCookies.idToken, tokens.id_token, {
+    ...options,
+    expires: new Date(expiresAt * 1e3)
+  });
+  response.cookies.set(oidcCookies.expiresAt, String(expiresAt), {
+    ...options,
+    expires: new Date(expiresAt * 1e3)
+  });
+  response.cookies.set(
+    oidcCookies.session,
+    encodeSessionCookie(sessionFromPayload({ ...payload, exp: expiresAt })),
+    { ...options, expires: new Date(expiresAt * 1e3) }
+  );
+  if (tokens.access_token) {
+    response.cookies.set(oidcCookies.accessToken, tokens.access_token, {
+      ...options,
+      expires: new Date(expiresAt * 1e3)
+    });
+  }
+  if (tokens.refresh_token) {
+    response.cookies.set(oidcCookies.refreshToken, tokens.refresh_token, options);
+  }
+}
+function clearTransientCookies(response, request) {
+  expireCookie(response, request, oidcCookies.codeVerifier);
+  expireCookie(response, request, oidcCookies.state);
+  expireCookie(response, request, oidcCookies.nonce);
+}
+async function buildAuthorizationRedirect(request) {
+  const discovery = await discoverOidc();
+  const clientId = getClientId();
+  const { challenge, verifier } = await createPkcePair();
+  const nonce = randomString();
+  const state = randomString();
+  const redirectUri = getRedirectUri(request);
+  const returnTo = request.nextUrl.searchParams.get("redirectTo") ?? getDefaultSignedOutRedirect();
+  const url = new URL(discovery.authorization_endpoint);
+  url.searchParams.set("client_id", clientId);
+  url.searchParams.set("code_challenge", challenge);
+  url.searchParams.set("code_challenge_method", "S256");
+  url.searchParams.set("nonce", nonce);
+  url.searchParams.set("redirect_uri", redirectUri);
+  url.searchParams.set("response_type", "code");
+  url.searchParams.set("scope", getScope());
+  url.searchParams.set("state", state);
+  const response = NextResponse.redirect(url);
+  const options = getCookieOptions(request);
+  setTransactionCookie(response, request, state, { codeVerifier: verifier, nonce, returnTo });
+  response.cookies.set(oidcCookies.codeVerifier, verifier, options);
+  response.cookies.set(oidcCookies.state, state, options);
+  response.cookies.set(oidcCookies.nonce, nonce, options);
+  response.cookies.set(oidcCookies.returnTo, returnTo, options);
+  return response;
+}
+async function handleAuthorizationCallback(request) {
+  const cookieStore = await cookies();
+  const code = request.nextUrl.searchParams.get("code");
+  const state = request.nextUrl.searchParams.get("state");
+  const transaction = state ? parseTransactionCookie(cookieStore.get(getTransactionCookieName(state))?.value ?? "") : null;
+  const savedState = cookieStore.get(oidcCookies.state)?.value;
+  const codeVerifier = transaction?.codeVerifier ?? cookieStore.get(oidcCookies.codeVerifier)?.value;
+  const savedNonce = transaction?.nonce ?? cookieStore.get(oidcCookies.nonce)?.value;
+  const returnTo = transaction?.returnTo ?? cookieStore.get(oidcCookies.returnTo)?.value ?? getDefaultSignedOutRedirect();
+  if (!code || !state || !codeVerifier || !transaction && (!savedState || state !== savedState)) {
+    return NextResponse.redirect(
+      resolvePublicRedirect(`${getPublicAuthBasePath()}?error=oidc_state`, request)
+    );
+  }
+  try {
+    const discovery = await discoverOidc();
+    const tokens = await exchangeAuthorizationCode({
+      clientId: getClientId(),
+      clientSecret: getOptionalClientSecret(),
+      code,
+      codeVerifier,
+      redirectUri: getRedirectUri(request),
+      tokenEndpoint: discovery.token_endpoint
+    });
+    const payload = parseJwtPayload(tokens.id_token);
+    if (savedNonce && payload.nonce && payload.nonce !== savedNonce) {
+      throw new Error("OIDC nonce mismatch.");
+    }
+    const response = NextResponse.redirect(resolvePublicRedirect(returnTo, request));
+    applyTokenCookies(response, request, tokens);
+    clearTransientCookies(response, request);
+    expireCookie(response, request, oidcCookies.returnTo);
+    expireCookie(response, request, getTransactionCookieName(state));
+    return response;
+  } catch {
+    return NextResponse.redirect(
+      resolvePublicRedirect(`${getPublicAuthBasePath()}?error=oidc_callback`, request)
+    );
+  }
+}
+async function getSessionFromCookies() {
+  const cookieStore = await cookies();
+  const idToken = cookieStore.get(oidcCookies.idToken)?.value;
+  if (idToken) {
+    try {
+      return sessionFromPayload(parseJwtPayload(idToken));
+    } catch {
+    }
+  }
+  const sessionCookie = cookieStore.get(oidcCookies.session)?.value;
+  const session = sessionCookie ? parseSessionCookie(sessionCookie) : null;
+  return session ?? { expiresAt: 0, isAuthenticated: false };
+}
+async function getServerIdToken() {
+  const cookieStore = await cookies();
+  return cookieStore.get(oidcCookies.idToken)?.value ?? null;
+}
+async function hasServerOidcSession() {
+  const cookieStore = await cookies();
+  return Boolean(
+    cookieStore.get(oidcCookies.session)?.value ?? cookieStore.get(oidcCookies.idToken)?.value ?? cookieStore.get(oidcCookies.accessToken)?.value
+  );
+}
+async function getServerAccessToken() {
+  const cookieStore = await cookies();
+  const accessToken = cookieStore.get(oidcCookies.accessToken)?.value;
+  if (accessToken) return accessToken;
+  const refreshToken = cookieStore.get(oidcCookies.refreshToken)?.value;
+  if (!refreshToken) return null;
+  try {
+    const discovery = await discoverOidc();
+    const tokens = await refreshIdToken({
+      clientId: getClientId(),
+      clientSecret: getOptionalClientSecret(),
+      refreshToken,
+      tokenEndpoint: discovery.token_endpoint
+    });
+    return tokens.access_token ?? null;
+  } catch {
+    return null;
+  }
+}
+async function buildSessionResponse(_request) {
+  const cookieStore = await cookies();
+  const idToken = cookieStore.get(oidcCookies.idToken)?.value;
+  const expiresAt = Number(cookieStore.get(oidcCookies.expiresAt)?.value ?? "0");
+  const now = Math.floor(Date.now() / 1e3);
+  if (!idToken || expiresAt <= now) {
+    return NextResponse.json({ expiresAt: 0, isAuthenticated: false }, {
+      status: 401
+    });
+  }
+  return NextResponse.json(sessionFromPayload({ ...parseJwtPayload(idToken), exp: expiresAt }));
+}
+async function buildTokenResponse(request) {
+  const cookieStore = await cookies();
+  const idToken = cookieStore.get(oidcCookies.idToken)?.value;
+  const expiresAt = Number(cookieStore.get(oidcCookies.expiresAt)?.value ?? "0");
+  const now = Math.floor(Date.now() / 1e3);
+  if (!idToken || expiresAt <= now) {
+    const response = NextResponse.json({ token: null }, { status: 401 });
+    expireCookie(response, request, oidcCookies.idToken);
+    expireCookie(response, request, oidcCookies.refreshToken);
+    expireCookie(response, request, oidcCookies.expiresAt);
+    return response;
+  }
+  return NextResponse.json({ token: idToken });
+}
+async function buildLogoutResponse(request) {
+  const redirectTo = request.nextUrl.searchParams.get("redirectTo") ?? getDefaultSignedOutRedirect();
+  const postLogoutUrl = resolvePublicRedirect(redirectTo, request).toString();
+  const cookieStore = await cookies();
+  const idToken = cookieStore.get(oidcCookies.idToken)?.value;
+  const clearResponse = NextResponse.redirect(postLogoutUrl);
+  Object.values(oidcCookies).forEach((name) => expireCookie(clearResponse, request, name));
+  try {
+    const discovery = await discoverOidc();
+    if (discovery.end_session_endpoint) {
+      const endSessionUrl = new URL(discovery.end_session_endpoint);
+      endSessionUrl.searchParams.set("post_logout_redirect_uri", postLogoutUrl);
+      if (idToken) endSessionUrl.searchParams.set("id_token_hint", idToken);
+      return NextResponse.redirect(endSessionUrl.toString(), {
+        headers: clearResponse.headers
+      });
+    }
+  } catch {
+  }
+  return clearResponse;
+}
+
+export {
+  oidcCookies,
+  buildAuthorizationRedirect,
+  handleAuthorizationCallback,
+  getSessionFromCookies,
+  getServerIdToken,
+  hasServerOidcSession,
+  getServerAccessToken,
+  buildSessionResponse,
+  buildTokenResponse,
+  buildLogoutResponse
+};

package/dist/cli-auth.d.ts

@@ -0,0 +1,34 @@
+/**
+ * CLI authentication helpers — PKCE polling flow.
+ * Used by any CLI tool that authenticates via an orbseal-compatible API.
+ *
+ * Flow:
+ *   1. startCliAuth()  → get state + URL to show user
+ *   2. pollCliAuth()   → long-poll until user completes browser auth
+ */
+interface CliAuthStart {
+    state: string;
+    url: string;
+    expiresIn: number;
+}
+interface CliAuthResult {
+    token: string;
+}
+interface PollOptions {
+    /** ms between polls (default: 2000) */
+    intervalMs?: number;
+    /** ms before giving up (default: 300_000 = 5 min) */
+    timeoutMs?: number;
+}
+/**
+ * Call the API to initiate CLI login.
+ * Returns the state handle and the URL the user should open.
+ */
+declare function startCliAuth(apiBase: string): Promise<CliAuthStart>;
+/**
+ * Poll the API until the user completes browser auth.
+ * Resolves with the token when done, rejects on timeout or error.
+ */
+declare function pollCliAuth(apiBase: string, state: string, opts?: PollOptions): Promise<CliAuthResult>;
+
+export { type CliAuthResult, type CliAuthStart, type PollOptions, pollCliAuth, startCliAuth };

package/dist/cli-auth.js

@@ -0,0 +1,8 @@
+import {
+  pollCliAuth,
+  startCliAuth
+} from "./chunk-C4V5LCFA.js";
+export {
+  pollCliAuth,
+  startCliAuth
+};