npm - @chemmangat/msal-next - Versions diffs - 2.0.1 → 2.1.1 - Mend

@chemmangat/msal-next 2.0.1 → 2.1.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (15) hide show

package/dist/server.d.mts CHANGED Viewed

@@ -13,7 +13,6 @@ interface ServerSession {
     username?: string;
     /**
      * Access token (if available in cookie)
-     * @deprecated Storing tokens in cookies is not recommended for security reasons
      */
     accessToken?: string;
 }

package/dist/server.d.ts CHANGED Viewed

@@ -13,7 +13,6 @@ interface ServerSession {
     username?: string;
     /**
      * Access token (if available in cookie)
-     * @deprecated Storing tokens in cookies is not recommended for security reasons
      */
     accessToken?: string;
 }

package/dist/server.js CHANGED Viewed

@@ -1,91 +1 @@
-'use strict';
-var headers = require('next/headers');
-// src/utils/getServerSession.ts
-// src/utils/validation.ts
-function safeJsonParse(jsonString, validator) {
-  try {
-    const parsed = JSON.parse(jsonString);
-    if (validator(parsed)) {
-      return parsed;
-    }
-    console.warn("[Validation] JSON validation failed");
-    return null;
-  } catch (error) {
-    console.error("[Validation] JSON parse error:", error);
-    return null;
-  }
-}
-function isValidAccountData(data) {
-  return typeof data === "object" && data !== null && typeof data.homeAccountId === "string" && data.homeAccountId.length > 0 && typeof data.username === "string" && data.username.length > 0 && (data.name === void 0 || typeof data.name === "string");
-}
-// src/utils/getServerSession.ts
-async function getServerSession() {
-  try {
-    const cookieStore = await headers.cookies();
-    const headersList = await headers.headers();
-    const msalAccount = cookieStore.get("msal.account");
-    const msalToken = cookieStore.get("msal.token");
-    if (msalAccount?.value) {
-      const accountData = safeJsonParse(
-        msalAccount.value,
-        isValidAccountData
-      );
-      if (accountData) {
-        return {
-          isAuthenticated: true,
-          accountId: accountData.homeAccountId,
-          username: accountData.username,
-          accessToken: msalToken?.value
-        };
-      } else {
-        console.warn("[ServerSession] Invalid account data in cookie");
-      }
-    }
-    const authHeader = headersList.get("x-msal-authenticated");
-    if (authHeader === "true") {
-      const username = headersList.get("x-msal-username");
-      return {
-        isAuthenticated: true,
-        username: username || void 0
-      };
-    }
-    return {
-      isAuthenticated: false
-    };
-  } catch (error) {
-    console.error("[ServerSession] Error reading session:", error);
-    return {
-      isAuthenticated: false
-    };
-  }
-}
-async function setServerSessionCookie(account, accessToken) {
-  try {
-    const accountData = {
-      homeAccountId: account.homeAccountId,
-      username: account.username,
-      name: account.name
-    };
-    await fetch("/api/auth/session", {
-      method: "POST",
-      headers: {
-        "Content-Type": "application/json"
-      },
-      body: JSON.stringify({
-        account: accountData,
-        token: accessToken
-      })
-    });
-  } catch (error) {
-    console.error("[ServerSession] Failed to set session cookie:", error);
-  }
-}
-exports.getServerSession = getServerSession;
-exports.setServerSessionCookie = setServerSessionCookie;
-//# sourceMappingURL=server.js.map
-//# sourceMappingURL=server.js.map
+'use strict';var headers=require('next/headers');async function i(){try{let e=await headers.cookies(),r=await headers.headers(),t=e.get("msal.account"),o=e.get("msal.token");if(t?.value)try{let s=JSON.parse(t.value);return {isAuthenticated:!0,accountId:s.homeAccountId,username:s.username,accessToken:o?.value}}catch(s){console.error("[ServerSession] Failed to parse account data:",s);}return r.get("x-msal-authenticated")==="true"?{isAuthenticated:!0,username:r.get("x-msal-username")||void 0}:{isAuthenticated:!1}}catch(e){return console.error("[ServerSession] Error reading session:",e),{isAuthenticated:false}}}async function c(e,r){try{let t={homeAccountId:e.homeAccountId,username:e.username,name:e.name};await fetch("/api/auth/session",{method:"POST",headers:{"Content-Type":"application/json"},body:JSON.stringify({account:t,token:r})});}catch(t){console.error("[ServerSession] Failed to set session cookie:",t);}}exports.getServerSession=i;exports.setServerSessionCookie=c;

package/dist/server.mjs CHANGED Viewed

@@ -1,88 +1 @@
-import { cookies, headers } from 'next/headers';
-// src/utils/getServerSession.ts
-// src/utils/validation.ts
-function safeJsonParse(jsonString, validator) {
-  try {
-    const parsed = JSON.parse(jsonString);
-    if (validator(parsed)) {
-      return parsed;
-    }
-    console.warn("[Validation] JSON validation failed");
-    return null;
-  } catch (error) {
-    console.error("[Validation] JSON parse error:", error);
-    return null;
-  }
-}
-function isValidAccountData(data) {
-  return typeof data === "object" && data !== null && typeof data.homeAccountId === "string" && data.homeAccountId.length > 0 && typeof data.username === "string" && data.username.length > 0 && (data.name === void 0 || typeof data.name === "string");
-}
-// src/utils/getServerSession.ts
-async function getServerSession() {
-  try {
-    const cookieStore = await cookies();
-    const headersList = await headers();
-    const msalAccount = cookieStore.get("msal.account");
-    const msalToken = cookieStore.get("msal.token");
-    if (msalAccount?.value) {
-      const accountData = safeJsonParse(
-        msalAccount.value,
-        isValidAccountData
-      );
-      if (accountData) {
-        return {
-          isAuthenticated: true,
-          accountId: accountData.homeAccountId,
-          username: accountData.username,
-          accessToken: msalToken?.value
-        };
-      } else {
-        console.warn("[ServerSession] Invalid account data in cookie");
-      }
-    }
-    const authHeader = headersList.get("x-msal-authenticated");
-    if (authHeader === "true") {
-      const username = headersList.get("x-msal-username");
-      return {
-        isAuthenticated: true,
-        username: username || void 0
-      };
-    }
-    return {
-      isAuthenticated: false
-    };
-  } catch (error) {
-    console.error("[ServerSession] Error reading session:", error);
-    return {
-      isAuthenticated: false
-    };
-  }
-}
-async function setServerSessionCookie(account, accessToken) {
-  try {
-    const accountData = {
-      homeAccountId: account.homeAccountId,
-      username: account.username,
-      name: account.name
-    };
-    await fetch("/api/auth/session", {
-      method: "POST",
-      headers: {
-        "Content-Type": "application/json"
-      },
-      body: JSON.stringify({
-        account: accountData,
-        token: accessToken
-      })
-    });
-  } catch (error) {
-    console.error("[ServerSession] Failed to set session cookie:", error);
-  }
-}
-export { getServerSession, setServerSessionCookie };
-//# sourceMappingURL=server.mjs.map
-//# sourceMappingURL=server.mjs.map
+import {cookies,headers}from'next/headers';async function i(){try{let e=await cookies(),r=await headers(),t=e.get("msal.account"),o=e.get("msal.token");if(t?.value)try{let s=JSON.parse(t.value);return {isAuthenticated:!0,accountId:s.homeAccountId,username:s.username,accessToken:o?.value}}catch(s){console.error("[ServerSession] Failed to parse account data:",s);}return r.get("x-msal-authenticated")==="true"?{isAuthenticated:!0,username:r.get("x-msal-username")||void 0}:{isAuthenticated:!1}}catch(e){return console.error("[ServerSession] Error reading session:",e),{isAuthenticated:false}}}async function c(e,r){try{let t={homeAccountId:e.homeAccountId,username:e.username,name:e.name};await fetch("/api/auth/session",{method:"POST",headers:{"Content-Type":"application/json"},body:JSON.stringify({account:t,token:r})});}catch(t){console.error("[ServerSession] Failed to set session cookie:",t);}}export{i as getServerSession,c as setServerSessionCookie};

package/package.json CHANGED Viewed

@@ -1,77 +1,94 @@
-{
-  "name": "@chemmangat/msal-next",
-  "version": "2.0.1",
-  "description": "Production-grade MSAL authentication package for Next.js App Router with minimal boilerplate",
-  "main": "./dist/index.js",
-  "module": "./dist/index.mjs",
-  "types": "./dist/index.d.ts",
-  "exports": {
-    ".": {
-      "types": "./dist/index.d.ts",
-      "import": "./dist/index.mjs",
-      "require": "./dist/index.js"
-    },
-    "./server": {
-      "types": "./dist/server.d.ts",
-      "import": "./dist/server.mjs",
-      "require": "./dist/server.js"
-    }
-  },
-  "files": [
-    "dist",
-    "README.md",
-    "SECURITY.md"
-  ],
-  "scripts": {
-    "build": "tsup",
-    "dev": "tsup --watch",
-    "test": "vitest run",
-    "test:watch": "vitest",
-    "test:coverage": "vitest run --coverage",
-    "prepublishOnly": "npm run build"
-  },
-  "keywords": [
-    "msal",
-    "nextjs",
-    "authentication",
-    "azure-ad",
-    "microsoft",
-    "oauth",
-    "next.js",
-    "app-router",
-    "typescript",
-    "sso",
-    "microsoft-graph"
-  ],
-  "author": "Hari Manoj (chemmangat)",
-  "license": "MIT",
-  "repository": {
-    "type": "git",
-    "url": "https://github.com/chemmangat/msal-next.git",
-    "directory": "packages/core"
-  },
-  "homepage": "https://github.com/chemmangat/msal-next#readme",
-  "bugs": {
-    "url": "https://github.com/chemmangat/msal-next/issues"
-  },
-  "peerDependencies": {
-    "@azure/msal-browser": "^3.11.0 || ^4.0.0",
-    "@azure/msal-react": "^2.0.0 || ^3.0.0",
-    "next": ">=14.0.0",
-    "react": ">=18.0.0",
-    "react-dom": ">=18.0.0"
-  },
-  "devDependencies": {
-    "@azure/msal-browser": "^3.11.1",
-    "@azure/msal-react": "^2.0.15",
-    "@testing-library/react": "^14.0.0",
-    "@testing-library/react-hooks": "^8.0.1",
-    "@types/react": "^18.2.0",
-    "@vitest/coverage-v8": "^1.0.0",
-    "jsdom": "^23.0.0",
-    "react": "^18.2.0",
-    "tsup": "^8.0.1",
-    "typescript": "^5.3.0",
-    "vitest": "^1.0.0"
-  }
-}
+{
+  "name": "@chemmangat/msal-next",
+  "version": "2.1.1",
+  "description": "Production-grade MSAL authentication package for Next.js App Router with minimal boilerplate",
+  "main": "./dist/index.js",
+  "module": "./dist/index.mjs",
+  "types": "./dist/index.d.ts",
+  "exports": {
+    ".": {
+      "types": "./dist/index.d.ts",
+      "import": "./dist/index.mjs",
+      "require": "./dist/index.js"
+    },
+    "./server": {
+      "types": "./dist/server.d.ts",
+      "import": "./dist/server.mjs",
+      "require": "./dist/server.js"
+    }
+  },
+  "files": [
+    "dist",
+    "README.md"
+  ],
+  "scripts": {
+    "build": "tsup",
+    "dev": "tsup --watch",
+    "test": "vitest run",
+    "test:watch": "vitest",
+    "test:coverage": "vitest run --coverage",
+    "prepublishOnly": "npm run build"
+  },
+  "keywords": [
+    "msal",
+    "nextjs",
+    "next.js",
+    "next",
+    "authentication",
+    "auth",
+    "azure-ad",
+    "azure",
+    "microsoft",
+    "microsoft-authentication",
+    "oauth",
+    "oauth2",
+    "app-router",
+    "typescript",
+    "sso",
+    "single-sign-on",
+    "microsoft-graph",
+    "graph-api",
+    "azure-active-directory",
+    "entra-id",
+    "login",
+    "signin",
+    "react",
+    "msal-react",
+    "msal-browser",
+    "next14",
+    "next15",
+    "nextjs-auth",
+    "microsoft-login"
+  ],
+  "author": "Chemmangat",
+  "license": "MIT",
+  "repository": {
+    "type": "git",
+    "url": "https://github.com/chemmangat/msal-next.git",
+    "directory": "packages/core"
+  },
+  "homepage": "https://github.com/chemmangat/msal-next#readme",
+  "bugs": {
+    "url": "https://github.com/chemmangat/msal-next/issues"
+  },
+  "peerDependencies": {
+    "@azure/msal-browser": "^3.11.0 || ^4.0.0",
+    "@azure/msal-react": "^2.0.0 || ^3.0.0",
+    "next": ">=14.0.0",
+    "react": ">=18.0.0",
+    "react-dom": ">=18.0.0"
+  },
+  "devDependencies": {
+    "@azure/msal-browser": "^3.11.1",
+    "@azure/msal-react": "^2.0.15",
+    "@testing-library/react": "^14.0.0",
+    "@testing-library/react-hooks": "^8.0.1",
+    "@types/react": "^18.2.0",
+    "@vitest/coverage-v8": "^1.0.0",
+    "jsdom": "^23.0.0",
+    "react": "^18.2.0",
+    "tsup": "^8.0.1",
+    "typescript": "^5.3.0",
+    "vitest": "^1.0.0"
+  }
+}

package/SECURITY.md DELETED Viewed

@@ -1,152 +0,0 @@
-# Security Policy
-## Supported Versions
-| Version | Supported          |
-| ------- | ------------------ |
-| 2.0.x   | :white_check_mark: |
-| < 2.0   | :x:                |
-## Security Updates in v2.0.1
-This release addresses several security vulnerabilities discovered in v2.0.0. We strongly recommend all users upgrade immediately.
-### Fixed Vulnerabilities
-#### 1. Memory Leaks from Blob URLs (Medium Severity)
-**Affected:** `useUserProfile` hook
-**Fixed:** Added proper cleanup of blob URLs using `URL.revokeObjectURL()` in useEffect cleanup functions.
-#### 2. Unbounded Cache Growth (Medium Severity)
-**Affected:** `useRoles` and `useUserProfile` hooks
-**Fixed:** Implemented LRU cache eviction with a maximum size limit of 100 entries to prevent memory exhaustion.
-#### 3. Race Conditions in Token Acquisition (Medium Severity)
-**Affected:** `useMsalAuth` hook
-**Fixed:** Implemented request deduplication to prevent multiple concurrent popup windows and token requests.
-#### 4. JSON Parsing Without Validation (High Severity)
-**Affected:** `getServerSession`, `createAuthMiddleware`
-**Fixed:** Added schema validation for all JSON parsing operations using the new `safeJsonParse` utility.
-#### 5. Information Disclosure in Error Messages (Medium Severity)
-**Affected:** All hooks and utilities
-**Fixed:** Implemented error sanitization to remove tokens, secrets, and sensitive information from error messages.
-#### 6. Missing Redirect URI Validation (Medium Severity)
-**Affected:** `createMsalConfig`
-**Fixed:** Added optional `allowedRedirectUris` configuration to validate redirect URIs and prevent open redirect vulnerabilities.
-### New Security Features
-- **Input Validation Utilities**: New `validation.ts` module with functions for safe JSON parsing, scope validation, and redirect URI validation
-- **Error Sanitization**: Automatic removal of tokens and secrets from error messages
-- **Cache Management**: Proper cache size limits and cleanup on component unmount
-- **Request Deduplication**: Prevention of concurrent token acquisition requests
-## Best Practices
-### DO NOT Store Tokens in Cookies
-The example code in `src/examples/api-route-session.ts` demonstrates cookie-based session management but includes a warning. **Do not use this pattern in production** as it exposes tokens to CSRF attacks.
-Instead:
-- Use MSAL's built-in sessionStorage/localStorage (client-side only)
-- Implement proper server-side session management with encrypted session IDs
-- Never store access tokens in cookies
-### Use Redirect URI Validation
-```typescript
-<MsalAuthProvider
-  clientId={process.env.NEXT_PUBLIC_CLIENT_ID!}
-  allowedRedirectUris={[
-    'https://myapp.com',
-    'https://staging.myapp.com',
-    'http://localhost:3000'
-  ]}
->
-  {children}
-</MsalAuthProvider>
-```
-### Implement Security Headers
-Add comprehensive security headers in your `next.config.js`:
-```javascript
-async headers() {
-  return [
-    {
-      source: '/(.*)',
-      headers: [
-        {
-          key: 'Content-Security-Policy',
-          value: "default-src 'self'; script-src 'self'; connect-src 'self' https://login.microsoftonline.com https://graph.microsoft.com;"
-        },
-        {
-          key: 'X-Frame-Options',
-          value: 'DENY'
-        },
-        {
-          key: 'X-Content-Type-Options',
-          value: 'nosniff'
-        },
-        {
-          key: 'Referrer-Policy',
-          value: 'strict-origin-when-cross-origin'
-        },
-        {
-          key: 'Permissions-Policy',
-          value: 'camera=(), microphone=(), geolocation=()'
-        }
-      ]
-    }
-  ];
-}
-```
-### Validate Scopes
-Use the built-in scope validation:
-```typescript
-import { validateScopes } from '@chemmangat/msal-next';
-const scopes = ['User.Read', 'Mail.Read'];
-if (!validateScopes(scopes)) {
-  throw new Error('Invalid scopes');
-}
-```
-### Use HTTPS in Development
-Always test with HTTPS locally to catch security issues early:
-```bash
-# Use mkcert or similar tools
-mkcert localhost
-```
-## Reporting a Vulnerability
-If you discover a security vulnerability, please email security@chemmangat.com with:
-1. Description of the vulnerability
-2. Steps to reproduce
-3. Potential impact
-4. Suggested fix (if any)
-We will respond within 48 hours and provide a timeline for a fix.
-## Security Checklist
-- [ ] Updated to v2.0.1 or later
-- [ ] Not storing tokens in cookies
-- [ ] Security headers configured in next.config.js
-- [ ] Redirect URI validation enabled
-- [ ] Using HTTPS in production
-- [ ] Regular dependency audits (`npm audit`)
-- [ ] Environment variables properly secured
-- [ ] CSRF protection on state-changing endpoints
-- [ ] Rate limiting on authentication endpoints