npm - @chemmangat/msal-next - Versions diffs - 1.2.1 → 2.0.1 - Mend

@chemmangat/msal-next 1.2.1 → 2.0.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (15) hide show

package/dist/server.mjs ADDED Viewed

@@ -0,0 +1,88 @@
+import { cookies, headers } from 'next/headers';
+// src/utils/getServerSession.ts
+// src/utils/validation.ts
+function safeJsonParse(jsonString, validator) {
+  try {
+    const parsed = JSON.parse(jsonString);
+    if (validator(parsed)) {
+      return parsed;
+    }
+    console.warn("[Validation] JSON validation failed");
+    return null;
+  } catch (error) {
+    console.error("[Validation] JSON parse error:", error);
+    return null;
+  }
+}
+function isValidAccountData(data) {
+  return typeof data === "object" && data !== null && typeof data.homeAccountId === "string" && data.homeAccountId.length > 0 && typeof data.username === "string" && data.username.length > 0 && (data.name === void 0 || typeof data.name === "string");
+}
+// src/utils/getServerSession.ts
+async function getServerSession() {
+  try {
+    const cookieStore = await cookies();
+    const headersList = await headers();
+    const msalAccount = cookieStore.get("msal.account");
+    const msalToken = cookieStore.get("msal.token");
+    if (msalAccount?.value) {
+      const accountData = safeJsonParse(
+        msalAccount.value,
+        isValidAccountData
+      );
+      if (accountData) {
+        return {
+          isAuthenticated: true,
+          accountId: accountData.homeAccountId,
+          username: accountData.username,
+          accessToken: msalToken?.value
+        };
+      } else {
+        console.warn("[ServerSession] Invalid account data in cookie");
+      }
+    }
+    const authHeader = headersList.get("x-msal-authenticated");
+    if (authHeader === "true") {
+      const username = headersList.get("x-msal-username");
+      return {
+        isAuthenticated: true,
+        username: username || void 0
+      };
+    }
+    return {
+      isAuthenticated: false
+    };
+  } catch (error) {
+    console.error("[ServerSession] Error reading session:", error);
+    return {
+      isAuthenticated: false
+    };
+  }
+}
+async function setServerSessionCookie(account, accessToken) {
+  try {
+    const accountData = {
+      homeAccountId: account.homeAccountId,
+      username: account.username,
+      name: account.name
+    };
+    await fetch("/api/auth/session", {
+      method: "POST",
+      headers: {
+        "Content-Type": "application/json"
+      },
+      body: JSON.stringify({
+        account: accountData,
+        token: accessToken
+      })
+    });
+  } catch (error) {
+    console.error("[ServerSession] Failed to set session cookie:", error);
+  }
+}
+export { getServerSession, setServerSessionCookie };
+//# sourceMappingURL=server.mjs.map
+//# sourceMappingURL=server.mjs.map

package/dist/server.mjs.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"sources":["../src/utils/validation.ts","../src/utils/getServerSession.ts"],"names":[],"mappings":";;;;;AAgBO,SAAS,aAAA,CACd,YACA,SAAA,EACU;AACV,EAAA,IAAI;AACF,IAAA,MAAM,MAAA,GAAS,IAAA,CAAK,KAAA,CAAM,UAAU,CAAA;AACpC,IAAA,IAAI,SAAA,CAAU,MAAM,CAAA,EAAG;AACrB,MAAA,OAAO,MAAA;AAAA,IACT;AACA,IAAA,OAAA,CAAQ,KAAK,qCAAqC,CAAA;AAClD,IAAA,OAAO,IAAA;AAAA,EACT,SAAS,KAAA,EAAO;AACd,IAAA,OAAA,CAAQ,KAAA,CAAM,kCAAkC,KAAK,CAAA;AACrD,IAAA,OAAO,IAAA;AAAA,EACT;AACF;AAKO,SAAS,mBAAmB,IAAA,EAAyC;AAC1E,EAAA,OACE,OAAO,IAAA,KAAS,QAAA,IAChB,IAAA,KAAS,IAAA,IACT,OAAO,IAAA,CAAK,aAAA,KAAkB,QAAA,IAC9B,IAAA,CAAK,aAAA,CAAc,MAAA,GAAS,CAAA,IAC5B,OAAO,IAAA,CAAK,QAAA,KAAa,QAAA,IACzB,IAAA,CAAK,QAAA,CAAS,MAAA,GAAS,CAAA,KACtB,IAAA,CAAK,IAAA,KAAS,MAAA,IAAa,OAAO,IAAA,CAAK,IAAA,KAAS,QAAA,CAAA;AAErD;;;ACEA,eAAsB,gBAAA,GAA2C;AAC/D,EAAA,IAAI;AACF,IAAA,MAAM,WAAA,GAAc,MAAM,OAAA,EAAQ;AAClC,IAAA,MAAM,WAAA,GAAc,MAAM,OAAA,EAAQ;AAKlC,IAAA,MAAM,WAAA,GAAc,WAAA,CAAY,GAAA,CAAI,cAAc,CAAA;AAClD,IAAA,MAAM,SAAA,GAAY,WAAA,CAAY,GAAA,CAAI,YAAY,CAAA;AAE9C,IAAA,IAAI,aAAa,KAAA,EAAO;AAEtB,MAAA,MAAM,WAAA,GAAc,aAAA;AAAA,QAClB,WAAA,CAAY,KAAA;AAAA,QACZ;AAAA,OACF;AAEA,MAAA,IAAI,WAAA,EAAa;AACf,QAAA,OAAO;AAAA,UACL,eAAA,EAAiB,IAAA;AAAA,UACjB,WAAW,WAAA,CAAY,aAAA;AAAA,UACvB,UAAU,WAAA,CAAY,QAAA;AAAA,UACtB,aAAa,SAAA,EAAW;AAAA,SAC1B;AAAA,MACF,CAAA,MAAO;AACL,QAAA,OAAA,CAAQ,KAAK,gDAAgD,CAAA;AAAA,MAC/D;AAAA,IACF;AAGA,IAAA,MAAM,UAAA,GAAa,WAAA,CAAY,GAAA,CAAI,sBAAsB,CAAA;AACzD,IAAA,IAAI,eAAe,MAAA,EAAQ;AACzB,MAAA,MAAM,QAAA,GAAW,WAAA,CAAY,GAAA,CAAI,iBAAiB,CAAA;AAClD,MAAA,OAAO;AAAA,QACL,eAAA,EAAiB,IAAA;AAAA,QACjB,UAAU,QAAA,IAAY,KAAA;AAAA,OACxB;AAAA,IACF;AAEA,IAAA,OAAO;AAAA,MACL,eAAA,EAAiB;AAAA,KACnB;AAAA,EACF,SAAS,KAAA,EAAO;AACd,IAAA,OAAA,CAAQ,KAAA,CAAM,0CAA0C,KAAK,CAAA;AAC7D,IAAA,OAAO;AAAA,MACL,eAAA,EAAiB;AAAA,KACnB;AAAA,EACF;AACF;AAWA,eAAsB,sBAAA,CAAuB,SAAc,WAAA,EAAqC;AAC9F,EAAA,IAAI;AACF,IAAA,MAAM,WAAA,GAAc;AAAA,MAClB,eAAe,OAAA,CAAQ,aAAA;AAAA,MACvB,UAAU,OAAA,CAAQ,QAAA;AAAA,MAClB,MAAM,OAAA,CAAQ;AAAA,KAChB;AAGA,IAAA,MAAM,MAAM,mBAAA,EAAqB;AAAA,MAC/B,MAAA,EAAQ,MAAA;AAAA,MACR,OAAA,EAAS;AAAA,QACP,cAAA,EAAgB;AAAA,OAClB;AAAA,MACA,IAAA,EAAM,KAAK,SAAA,CAAU;AAAA,QACnB,OAAA,EAAS,WAAA;AAAA,QACT,KAAA,EAAO;AAAA,OACR;AAAA,KACF,CAAA;AAAA,EACH,SAAS,KAAA,EAAO;AACd,IAAA,OAAA,CAAQ,KAAA,CAAM,iDAAiD,KAAK,CAAA;AAAA,EACtE;AACF","file":"server.mjs","sourcesContent":["/**\r\n * Security utilities for input validation and sanitization\r\n */\r\n\r\n/**\r\n * Validate account data structure from cookie\r\n */\r\nexport interface ValidatedAccountData {\r\n homeAccountId: string;\r\n username: string;\r\n name?: string;\r\n}\r\n\r\n/**\r\n * Safely parse and validate JSON from untrusted sources\r\n */\r\nexport function safeJsonParse<T>(\r\n jsonString: string,\r\n validator: (data: any) => data is T\r\n): T | null {\r\n try {\r\n const parsed = JSON.parse(jsonString);\r\n if (validator(parsed)) {\r\n return parsed;\r\n }\r\n console.warn('[Validation] JSON validation failed');\r\n return null;\r\n } catch (error) {\r\n console.error('[Validation] JSON parse error:', error);\r\n return null;\r\n }\r\n}\r\n\r\n/**\r\n * Validate account data structure\r\n */\r\nexport function isValidAccountData(data: any): data is ValidatedAccountData {\r\n return (\r\n typeof data === 'object' &&\r\n data !== null &&\r\n typeof data.homeAccountId === 'string' &&\r\n data.homeAccountId.length > 0 &&\r\n typeof data.username === 'string' &&\r\n data.username.length > 0 &&\r\n (data.name === undefined || typeof data.name === 'string')\r\n );\r\n}\r\n\r\n/**\r\n * Sanitize error messages to prevent information disclosure\r\n */\r\nexport function sanitizeError(error: unknown): string {\r\n if (error instanceof Error) {\r\n // Remove sensitive information from error messages\r\n const message = error.message;\r\n \r\n // Remove potential tokens or secrets (anything that looks like a JWT or long hex string)\r\n const sanitized = message\r\n .replace(/[A-Za-z0-9_-]{20,}\\.[A-Za-z0-9_-]{20,}\\.[A-Za-z0-9_-]{20,}/g, '[TOKEN_REDACTED]')\r\n .replace(/[a-f0-9]{32,}/gi, '[SECRET_REDACTED]')\r\n .replace(/Bearer\\s+[^\\s]+/gi, 'Bearer [REDACTED]');\r\n \r\n return sanitized;\r\n }\r\n \r\n return 'An unexpected error occurred';\r\n}\r\n\r\n/**\r\n * Validate redirect URI to prevent open redirect vulnerabilities\r\n */\r\nexport function isValidRedirectUri(uri: string, allowedOrigins: string[]): boolean {\r\n try {\r\n const url = new URL(uri);\r\n \r\n // Check if the origin is in the allowed list\r\n return allowedOrigins.some(allowed => {\r\n const allowedUrl = new URL(allowed);\r\n return url.origin === allowedUrl.origin;\r\n });\r\n } catch {\r\n return false;\r\n }\r\n}\r\n\r\n/**\r\n * Validate scope strings to prevent injection\r\n */\r\nexport function isValidScope(scope: string): boolean {\r\n // Scopes should only contain alphanumeric characters, dots, hyphens, and underscores\r\n return /^[a-zA-Z0-9._-]+$/.test(scope);\r\n}\r\n\r\n/**\r\n * Validate array of scopes\r\n */\r\nexport function validateScopes(scopes: string[]): boolean {\r\n return Array.isArray(scopes) && scopes.every(isValidScope);\r\n}\r\n","import { cookies, headers } from 'next/headers';\r\nimport { safeJsonParse, isValidAccountData, ValidatedAccountData } from './validation';\r\n\r\nexport interface ServerSession {\r\n /**\r\n * Whether user is authenticated\r\n */\r\n isAuthenticated: boolean;\r\n\r\n /**\r\n * User's account ID from MSAL cache\r\n */\r\n accountId?: string;\r\n\r\n /**\r\n * User's username/email\r\n */\r\n username?: string;\r\n\r\n /**\r\n * Access token (if available in cookie)\r\n * @deprecated Storing tokens in cookies is not recommended for security reasons\r\n */\r\n accessToken?: string;\r\n}\r\n\r\n/**\r\n * Server-side session helper for Next.js App Router\r\n * \r\n * Note: This is a basic implementation that reads from cookies.\r\n * For production use, consider implementing a proper session store.\r\n * \r\n * @example\r\n * ```tsx\r\n * // In a Server Component or Route Handler\r\n * import { getServerSession } from '@chemmangat/msal-next';\r\n * \r\n * export default async function Page() {\r\n * const session = await getServerSession();\r\n * \r\n * if (!session.isAuthenticated) {\r\n * redirect('/login');\r\n * }\r\n * \r\n * return <div>Welcome {session.username}</div>;\r\n * }\r\n * ```\r\n */\r\nexport async function getServerSession(): Promise<ServerSession> {\r\n try {\r\n const cookieStore = await cookies();\r\n const headersList = await headers();\r\n\r\n // Try to read MSAL session from cookies\r\n // MSAL stores data in sessionStorage/localStorage by default,\r\n // so this requires custom implementation to sync to cookies\r\n const msalAccount = cookieStore.get('msal.account');\r\n const msalToken = cookieStore.get('msal.token');\r\n\r\n if (msalAccount?.value) {\r\n // Safely parse and validate account data\r\n const accountData = safeJsonParse<ValidatedAccountData>(\r\n msalAccount.value,\r\n isValidAccountData\r\n );\r\n\r\n if (accountData) {\r\n return {\r\n isAuthenticated: true,\r\n accountId: accountData.homeAccountId,\r\n username: accountData.username,\r\n accessToken: msalToken?.value,\r\n };\r\n } else {\r\n console.warn('[ServerSession] Invalid account data in cookie');\r\n }\r\n }\r\n\r\n // Fallback: check for custom auth header\r\n const authHeader = headersList.get('x-msal-authenticated');\r\n if (authHeader === 'true') {\r\n const username = headersList.get('x-msal-username');\r\n return {\r\n isAuthenticated: true,\r\n username: username || undefined,\r\n };\r\n }\r\n\r\n return {\r\n isAuthenticated: false,\r\n };\r\n } catch (error) {\r\n console.error('[ServerSession] Error reading session:', error);\r\n return {\r\n isAuthenticated: false,\r\n };\r\n }\r\n}\r\n\r\n/**\r\n * Helper to set server session in cookies (call from client-side after auth)\r\n * \r\n * @example\r\n * ```tsx\r\n * // After successful login\r\n * await setServerSessionCookie(account, accessToken);\r\n * ```\r\n */\r\nexport async function setServerSessionCookie(account: any, accessToken?: string): Promise<void> {\r\n try {\r\n const accountData = {\r\n homeAccountId: account.homeAccountId,\r\n username: account.username,\r\n name: account.name,\r\n };\r\n\r\n // Set cookies via API route\r\n await fetch('/api/auth/session', {\r\n method: 'POST',\r\n headers: {\r\n 'Content-Type': 'application/json',\r\n },\r\n body: JSON.stringify({\r\n account: accountData,\r\n token: accessToken,\r\n }),\r\n });\r\n } catch (error) {\r\n console.error('[ServerSession] Failed to set session cookie:', error);\r\n }\r\n}\r\n"]}

package/package.json CHANGED Viewed

@@ -1,61 +1,77 @@
-{
-  "name": "@chemmangat/msal-next",
-  "version": "1.2.1",
-  "description": "Fully configurable MSAL authentication package for Next.js App Router",
-  "main": "./dist/index.js",
-  "module": "./dist/index.mjs",
-  "types": "./dist/index.d.ts",
-  "exports": {
-    ".": {
-      "types": "./dist/index.d.ts",
-      "import": "./dist/index.mjs",
-      "require": "./dist/index.js"
-    }
-  },
-  "files": [
-    "dist",
-    "README.md"
-  ],
-  "scripts": {
-    "build": "tsup",
-    "dev": "tsup --watch",
-    "prepublishOnly": "npm run build"
-  },
-  "keywords": [
-    "msal",
-    "nextjs",
-    "authentication",
-    "azure-ad",
-    "microsoft",
-    "oauth",
-    "next.js",
-    "app-router",
-    "typescript"
-  ],
-  "author": "Chemmangat",
-  "license": "MIT",
-  "repository": {
-    "type": "git",
-    "url": "https://github.com/chemmangat/msal-next.git",
-    "directory": "packages/core"
-  },
-  "homepage": "https://github.com/chemmangat/msal-next#readme",
-  "bugs": {
-    "url": "https://github.com/chemmangat/msal-next/issues"
-  },
-  "peerDependencies": {
-    "@azure/msal-browser": "^3.11.0 || ^4.0.0",
-    "@azure/msal-react": "^2.0.0 || ^3.0.0",
-    "next": ">=14.0.0",
-    "react": ">=18.0.0",
-    "react-dom": ">=18.0.0"
-  },
-  "devDependencies": {
-    "@azure/msal-browser": "^3.11.1",
-    "@azure/msal-react": "^2.0.15",
-    "@types/react": "^18.2.0",
-    "react": "^18.2.0",
-    "tsup": "^8.0.1",
-    "typescript": "^5.3.0"
-  }
-}
+{
+  "name": "@chemmangat/msal-next",
+  "version": "2.0.1",
+  "description": "Production-grade MSAL authentication package for Next.js App Router with minimal boilerplate",
+  "main": "./dist/index.js",
+  "module": "./dist/index.mjs",
+  "types": "./dist/index.d.ts",
+  "exports": {
+    ".": {
+      "types": "./dist/index.d.ts",
+      "import": "./dist/index.mjs",
+      "require": "./dist/index.js"
+    },
+    "./server": {
+      "types": "./dist/server.d.ts",
+      "import": "./dist/server.mjs",
+      "require": "./dist/server.js"
+    }
+  },
+  "files": [
+    "dist",
+    "README.md",
+    "SECURITY.md"
+  ],
+  "scripts": {
+    "build": "tsup",
+    "dev": "tsup --watch",
+    "test": "vitest run",
+    "test:watch": "vitest",
+    "test:coverage": "vitest run --coverage",
+    "prepublishOnly": "npm run build"
+  },
+  "keywords": [
+    "msal",
+    "nextjs",
+    "authentication",
+    "azure-ad",
+    "microsoft",
+    "oauth",
+    "next.js",
+    "app-router",
+    "typescript",
+    "sso",
+    "microsoft-graph"
+  ],
+  "author": "Hari Manoj (chemmangat)",
+  "license": "MIT",
+  "repository": {
+    "type": "git",
+    "url": "https://github.com/chemmangat/msal-next.git",
+    "directory": "packages/core"
+  },
+  "homepage": "https://github.com/chemmangat/msal-next#readme",
+  "bugs": {
+    "url": "https://github.com/chemmangat/msal-next/issues"
+  },
+  "peerDependencies": {
+    "@azure/msal-browser": "^3.11.0 || ^4.0.0",
+    "@azure/msal-react": "^2.0.0 || ^3.0.0",
+    "next": ">=14.0.0",
+    "react": ">=18.0.0",
+    "react-dom": ">=18.0.0"
+  },
+  "devDependencies": {
+    "@azure/msal-browser": "^3.11.1",
+    "@azure/msal-react": "^2.0.15",
+    "@testing-library/react": "^14.0.0",
+    "@testing-library/react-hooks": "^8.0.1",
+    "@types/react": "^18.2.0",
+    "@vitest/coverage-v8": "^1.0.0",
+    "jsdom": "^23.0.0",
+    "react": "^18.2.0",
+    "tsup": "^8.0.1",
+    "typescript": "^5.3.0",
+    "vitest": "^1.0.0"
+  }
+}