npm - @chemmangat/msal-next - Versions diffs - 4.0.2 → 4.1.1 - Mend

@chemmangat/msal-next 4.0.2 → 4.1.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (10) hide show

package/README.md CHANGED Viewed

@@ -4,313 +4,231 @@ Production-grade MSAL authentication library for Next.js App Router with minimal
 [![npm version](https://badge.fury.io/js/@chemmangat%2Fmsal-next.svg)](https://www.npmjs.com/package/@chemmangat/msal-next)
 [![License: MIT](https://img.shields.io/badge/License-MIT-yellow.svg)](https://opensource.org/licenses/MIT)
+[![Security](https://img.shields.io/badge/Security-A+-green.svg)](./SECURITY.md)
-> **📦 Current Version: 4.0.2** - Enhanced Developer Experience with Complete Types & Better Errors!
+> **📦 Current Version: 4.1.1** - Production-ready with automatic token refresh and enhanced security
-> **🚀 What's New in v4.0.2:** Complete TypeScript types for user profiles, actionable error messages with fix instructions, and automatic configuration validation in development mode!
-## 🎉 What's New in v4.0.2
-### Complete TypeScript Types
-```tsx
-const { profile } = useUserProfile();
-// Now available with full type safety!
-console.log(profile?.department);
-console.log(profile?.preferredLanguage);
-console.log(profile?.employeeId);
-console.log(profile?.companyName);
-console.log(profile?.country);
-// ... and 20+ more fields!
-```
+---
-### Actionable Error Messages
-```tsx
-// Before: Cryptic error
-Error: AADSTS50011
+## ⭐ Why Choose @chemmangat/msal-next?
-// After: Helpful guidance
-🚨 MSAL Authentication Error
+### 🚀 **5-Minute Setup**
+Get Azure AD authentication running in your Next.js app in just 5 minutes. No complex configuration, no boilerplate.
-Error: Redirect URI mismatch
+### 🔒 **Enterprise Security**
+Built on Microsoft's official MSAL library. All authentication happens client-side - tokens never touch your server. [Read Security Policy →](./SECURITY.md)
-💡 How to fix:
-Your redirect URI doesn't match what's configured in Azure AD.
+### 🎯 **Production-Ready**
+Used by 2,200+ developers in production. Automatic token refresh prevents unexpected logouts. Complete TypeScript support.
-Fix:
-1. Go to Azure Portal → Azure Active Directory → App registrations
-2. Select your app → Authentication
-3. Under "Single-page application", add your redirect URI:
-   • http://localhost:3000 (for development)
-   • https://yourdomain.com (for production)
-4. Click "Save"
+### 🤖 **AI-Friendly**
+Complete documentation optimized for AI assistants. Setup instructions that work on the first try.
-📚 Documentation: https://learn.microsoft.com/...
+### ⚡ **Zero Boilerplate**
+```tsx
+<MSALProvider clientId="...">
+  <MicrosoftSignInButton />
+</MSALProvider>
 ```
+That's it. You're done.
-### Automatic Configuration Validation
-```tsx
-// Development mode automatically checks for:
-⚠️  Warnings (should fix)
+---
-clientId:
-  Client ID appears to be a placeholder
+## 🎯 Top Features
-  Fix:
-  Replace the placeholder with your actual Application (client) ID from Azure Portal.
-  Current value: your-client-id-here
-  Expected format: 12345678-1234-1234-1234-123456789012 (GUID)
-```
+| Feature | Description | Status |
+|---------|-------------|--------|
+| **Automatic Token Refresh** | Prevents unexpected logouts | ✅ v4.1.0 |
+| **Complete TypeScript Types** | 30+ user profile fields | ✅ v4.0.2 |
+| **Actionable Error Messages** | Fix instructions included | ✅ v4.0.2 |
+| **Configuration Validation** | Catches mistakes in dev mode | ✅ v4.0.2 |
+| **Zero-Config Protected Routes** | One line to protect pages | ✅ v4.0.1 |
+| **Server Components Support** | Works in Next.js layouts | ✅ Always |
+| **Microsoft Graph Integration** | Pre-configured API client | ✅ Always |
+| **Role-Based Access Control** | Built-in RBAC support | ✅ Always |
 ---
-## Common Mistakes (and How to Avoid Them)
-### ❌ Mistake #1: 'use client' in the wrong place
+## 🔒 Security First
-```tsx
-// WRONG - 'use client' must be FIRST
-import { useMsalAuth } from '@chemmangat/msal-next';
+**Your tokens never leave the browser:**
+- ✅ Client-side authentication only
+- ✅ No server-side token storage
+- ✅ Microsoft's official MSAL library
+- ✅ Secure token storage (sessionStorage/localStorage)
+- ✅ Automatic error sanitization
+- ✅ HTTPS enforcement in production
-'use client';  // Too late!
+**[Read Complete Security Policy →](./SECURITY.md)**
-export default function MyComponent() {
-  const { isAuthenticated } = useMsalAuth();
-  // ...
-}
-```
+---
-```tsx
-// CORRECT - 'use client' comes FIRST
-'use client';
+## 🚀 Quick Start (5 Minutes)
-import { useMsalAuth } from '@chemmangat/msal-next';
+### Step 1: Install the Package
-export default function MyComponent() {
-  const { isAuthenticated } = useMsalAuth();
-  // ...
-}
+```bash
+npm install @chemmangat/msal-next @azure/msal-browser @azure/msal-react
 ```
-### ❌ Mistake #2: Using MsalAuthProvider in layout.tsx
+### Step 2: Get Your Azure AD Credentials
-```tsx
-// WRONG - Will cause "createContext only works in Client Components" error
-import { MsalAuthProvider } from '@chemmangat/msal-next';
+1. Go to [Azure Portal](https://portal.azure.com)
+2. Navigate to **Azure Active Directory** → **App registrations**
+3. Click **New registration**
+4. Enter a name (e.g., "My Next.js App")
+5. Select **Single-page application (SPA)**
+6. Add redirect URI: `http://localhost:3000` (for development)
+7. Click **Register**
+8. Copy the **Application (client) ID** and **Directory (tenant) ID**
-export default function RootLayout({ children }) {
-  return <MsalAuthProvider>{children}</MsalAuthProvider>;
-}
-```
+### Step 3: Configure Environment Variables
-```tsx
-// CORRECT - Use MSALProvider instead
-import { MSALProvider } from '@chemmangat/msal-next';
+Create `.env.local` in your project root:
-export default function RootLayout({ children }) {
-  return <MSALProvider clientId="...">{children}</MSALProvider>;
-}
+```bash
+# .env.local
+NEXT_PUBLIC_AZURE_AD_CLIENT_ID=your-client-id-here
+NEXT_PUBLIC_AZURE_AD_TENANT_ID=your-tenant-id-here
 ```
-### ❌ Mistake #3: Placeholder values in production
+**Important:**
+- Replace `your-client-id-here` and `your-tenant-id-here` with actual values from Azure Portal
+- Never commit `.env.local` to version control
+- Variables starting with `NEXT_PUBLIC_` are exposed to the browser (this is correct for MSAL)
-```tsx
-// WRONG - Placeholder values
-<MSALProvider
-  clientId="your-client-id-here"
-  tenantId="your-tenant-id-here"
->
-```
-```tsx
-// CORRECT - Actual GUIDs from Azure Portal
-<MSALProvider
-  clientId="12345678-1234-1234-1234-123456789012"
-  tenantId="87654321-4321-4321-4321-210987654321"
->
-```
+**Security Note:** All authentication happens in the browser. Your tokens never touch your Next.js server. [Learn more →](./SECURITY.md)
-### ❌ Mistake #4: Missing environment variables
+### Step 4: Add Provider to Layout
 ```tsx
-// WRONG - Hardcoded values
-<MSALProvider clientId="12345678-1234-1234-1234-123456789012">
-```
+// app/layout.tsx (Server Component - no 'use client' needed!)
+import { MSALProvider } from '@chemmangat/msal-next';
-```tsx
-// CORRECT - Use environment variables
-<MSALProvider
-  clientId={process.env.NEXT_PUBLIC_AZURE_AD_CLIENT_ID!}
-  tenantId={process.env.NEXT_PUBLIC_AZURE_AD_TENANT_ID!}
->
+export default function RootLayout({ children }: { children: React.ReactNode }) {
+  return (
+    <html lang="en">
+      <body>
+        <MSALProvider
+          clientId={process.env.NEXT_PUBLIC_AZURE_AD_CLIENT_ID!}
+          tenantId={process.env.NEXT_PUBLIC_AZURE_AD_TENANT_ID!}
+        >
+          {children}
+        </MSALProvider>
+      </body>
+    </html>
+  );
+}
 ```
-```bash
-# .env.local
-NEXT_PUBLIC_AZURE_AD_CLIENT_ID=12345678-1234-1234-1234-123456789012
-NEXT_PUBLIC_AZURE_AD_TENANT_ID=87654321-4321-4321-4321-210987654321
-```
+**Note:** MSALProvider is already marked as 'use client' internally. You don't need to add 'use client' to your layout.tsx!
-### ❌ Mistake #5: HTTP in production
+### Step 5: Add Sign-In Button
 ```tsx
-// WRONG - HTTP in production
-redirectUri: "http://myapp.com"
-// CORRECT - HTTPS in production, HTTP only for localhost
-redirectUri: process.env.NODE_ENV === 'production'
-  ? "https://myapp.com"
-  : "http://localhost:3000"
-```
----
-## 🚀 What's New in v4.0.1
+// app/page.tsx
+'use client';
-### Zero-Config Protected Routes - THE Killer Feature
+import { MicrosoftSignInButton, useMsalAuth } from '@chemmangat/msal-next';
-Protect any route with **one line of code**. No middleware setup, no boilerplate, just export an auth config:
+export default function HomePage() {
+  const { isAuthenticated, account } = useMsalAuth();
-```tsx
-// app/dashboard/page.tsx
-export const auth = { required: true };
+  if (isAuthenticated) {
+    return (
+      <div>
+        <h1>Welcome, {account?.name}!</h1>
+        <p>You are signed in as {account?.username}</p>
+      </div>
+    );
+  }
-export default function Dashboard() {
-  return <div>Protected content - that's it!</div>;
+  return (
+    <div>
+      <h1>Welcome to My App</h1>
+      <MicrosoftSignInButton />
+    </div>
+  );
 }
 ```
-**Why This Changes Everything:**
-| Before (v3.x) | After (v4.0) |
-|---------------|--------------|
-| 50+ lines of middleware | 1 line |
-| Manual redirect logic | Automatic |
-| Boilerplate in every page | Zero boilerplate |
-| 30 min setup | 30 sec setup |
-### More Examples
+### Step 6: Run Your App
-**Role-Based Access:**
-```tsx
-export const auth = {
-  required: true,
-  roles: ['admin', 'editor']
-};
-```
-**Custom Validation:**
-```tsx
-export const auth = {
-  required: true,
-  validate: (account) => account.username.endsWith('@company.com')
-};
+```bash
+npm run dev
 ```
-**Custom UI:**
-```tsx
-export const auth = {
-  required: true,
-  loading: <Spinner />,
-  unauthorized: <AccessDenied />
-};
-```
+Visit `http://localhost:3000` and click the sign-in button!
 ---
-## Features (v4.0.1)
-✨ **Zero-Config Protection** - One line to protect any route
-🎯 **Role-Based Access** - Built-in Azure AD role checking
-🔐 **Custom Validation** - Add your own auth logic
-⚡ **Automatic Redirects** - Smart return URL handling
-🎨 **Custom UI** - Override loading/unauthorized states
-📦 **TypeScript First** - Full type safety
-🚀 **Next.js 14+** - Built for App Router
+## 📋 Complete Setup Guide for AI Assistants
----
+When implementing MSAL authentication in a Next.js project, follow these steps:
-## What's New in v3.0
+### 1. Installation
-### 🚀 CLI Tool (NEW)
 ```bash
-# One command setup - that's it!
-npx @chemmangat/msal-next init
+npm install @chemmangat/msal-next @azure/msal-browser@^4.0.0 @azure/msal-react@^3.0.0
 ```
-The new CLI tool automatically:
-- Detects your Next.js structure (App Router/Pages Router)
-- Installs dependencies
-- Creates configuration files
-- Generates example pages
-- Sets up middleware
+### 2. Azure AD Configuration
-**Reduces setup time from 30+ minutes to under 2 minutes!**
+**Required Azure AD Setup:**
+- App registration created in Azure Portal
+- Redirect URI configured: `http://localhost:3000` (dev) and `https://yourdomain.com` (prod)
+- Platform type: **Single-page application (SPA)**
+- API permissions: At minimum `User.Read` (usually granted by default)
-### 🔍 Enhanced Debug Logger (NEW)
-```tsx
-import { getDebugLogger } from '@chemmangat/msal-next';
+**Get these values from Azure Portal:**
+- `Application (client) ID` → Use as `NEXT_PUBLIC_AZURE_AD_CLIENT_ID`
+- `Directory (tenant) ID` → Use as `NEXT_PUBLIC_AZURE_AD_TENANT_ID`
-const logger = getDebugLogger({
-  enabled: true,
-  enablePerformance: true,    // Track operation timing
-  enableNetworkLogs: true,    // Log all requests/responses
-});
+### 3. Environment Variables
-// Performance tracking
-logger.startTiming('token-acquisition');
-await acquireToken(['User.Read']);
-logger.endTiming('token-acquisition'); // Logs: "⏱️ Completed: token-acquisition (45ms)"
+Create `.env.local`:
-// Export logs for debugging
-logger.downloadLogs('debug-logs.json');
+```bash
+NEXT_PUBLIC_AZURE_AD_CLIENT_ID=12345678-1234-1234-1234-123456789012
+NEXT_PUBLIC_AZURE_AD_TENANT_ID=87654321-4321-4321-4321-210987654321
 ```
-### 📚 New Examples
-- **Role-Based Routing** - Complete RBAC implementation
-- **Multi-Tenant SaaS** - Full multi-tenant architecture
-### 🔄 Breaking Changes
-- Requires Node.js 18+ (was 16+)
-- Requires Next.js 14.1+ (was 14.0+)
-- Requires @azure/msal-browser v4+ (was v3+)
-- Removed `ServerSession.accessToken` (use client-side `acquireToken()`)
-[See Migration Guide](./MIGRATION_GUIDE_v3.md) for details.
+**Critical Rules:**
+- Variables MUST start with `NEXT_PUBLIC_` to be accessible in browser
+- Use actual GUIDs, not placeholder text
+- Never commit `.env.local` to version control
+- Restart dev server after changing environment variables
-## Installation
+### 4. Project Structure
-### Option 1: CLI Setup (Recommended)
-```bash
-# Create Next.js app
-npx create-next-app@latest my-app
-cd my-app
-# Initialize MSAL
-npx @chemmangat/msal-next init
 ```
-### Option 2: Manual Installation
-```bash
-npm install @chemmangat/msal-next@latest @azure/msal-browser@^4.0.0 @azure/msal-react@^3.0.0
+your-app/
+├── app/
+│   ├── layout.tsx          # Add MSALProvider here
+│   ├── page.tsx            # Add sign-in button here
+│   └── dashboard/
+│       └── page.tsx        # Protected page example
+├── .env.local              # Environment variables
+└── package.json
 ```
-## Quick Start
-> **Important:** Use `MSALProvider` (not `MsalAuthProvider`) in your layout.tsx to avoid the "createContext only works in Client Components" error.
+### 5. Implementation Files
-### 1. Wrap your app with MSALProvider
+**File 1: `app/layout.tsx` (Server Component)**
 ```tsx
-// app/layout.tsx
 import { MSALProvider } from '@chemmangat/msal-next';
+import './globals.css';
-export default function RootLayout({ children }) {
+export default function RootLayout({
+  children,
+}: {
+  children: React.ReactNode;
+}) {
   return (
-    <html>
+    <html lang="en">
       <body>
-        <MSALProvider
+        <MSALProvider
           clientId={process.env.NEXT_PUBLIC_AZURE_AD_CLIENT_ID!}
           tenantId={process.env.NEXT_PUBLIC_AZURE_AD_TENANT_ID!}
         >
@@ -322,94 +240,237 @@ export default function RootLayout({ children }) {
 }
 ```
-### 2. Add sign-in button
+**File 2: `app/page.tsx` (Client Component)**
 ```tsx
-// app/page.tsx
 'use client';
-import { MicrosoftSignInButton, useMsalAuth } from '@chemmangat/msal-next';
+import { MicrosoftSignInButton, SignOutButton, useMsalAuth } from '@chemmangat/msal-next';
-export default function Home() {
-  const { isAuthenticated } = useMsalAuth();
+export default function HomePage() {
+  const { isAuthenticated, account } = useMsalAuth();
-  if (isAuthenticated) {
-    return <div>Welcome! You're signed in.</div>;
-  }
-  return <MicrosoftSignInButton />;
+  return (
+    <div style={{ padding: '2rem' }}>
+      <h1>My App</h1>
+      {isAuthenticated ? (
+        <div>
+          <p>Welcome, {account?.name}!</p>
+          <p>Email: {account?.username}</p>
+          <SignOutButton />
+        </div>
+      ) : (
+        <div>
+          <p>Please sign in to continue</p>
+          <MicrosoftSignInButton />
+        </div>
+      )}
+    </div>
+  );
 }
 ```
-That's it! 🎉
+**File 3: `app/dashboard/page.tsx` (Protected Page)**
-The button uses redirect flow (full page redirect to Microsoft login, then back to your app). Simple and clean.
+```tsx
+'use client';
-## Components
+import { AuthGuard, useUserProfile } from '@chemmangat/msal-next';
-### MSALProvider (Recommended for App Router)
+export default function DashboardPage() {
+  return (
+    <AuthGuard>
+      <DashboardContent />
+    </AuthGuard>
+  );
+}
-Pre-configured wrapper component that's already marked as `'use client'`. Use this in your server-side layout.tsx.
+function DashboardContent() {
+  const { profile, loading } = useUserProfile();
-```tsx
-// app/layout.tsx (Server Component)
-import { MSALProvider } from '@chemmangat/msal-next';
+  if (loading) return <div>Loading profile...</div>;
-export default function RootLayout({ children }) {
   return (
-    <html>
-      <body>
-        <MSALProvider
-          clientId={process.env.NEXT_PUBLIC_AZURE_AD_CLIENT_ID!}
-          tenantId={process.env.NEXT_PUBLIC_AZURE_AD_TENANT_ID!}
-          scopes={['User.Read', 'Mail.Read']} // Optional
-          enableLogging={true} // Optional
-        >
-          {children}
-        </MSALProvider>
-      </body>
-    </html>
+    <div style={{ padding: '2rem' }}>
+      <h1>Dashboard</h1>
+      <p>Name: {profile?.displayName}</p>
+      <p>Email: {profile?.mail}</p>
+      <p>Job Title: {profile?.jobTitle}</p>
+      <p>Department: {profile?.department}</p>
+    </div>
   );
 }
 ```
-### MsalAuthProvider (Advanced Usage)
+### 6. Common Patterns
+**Pattern 1: Check Authentication Status**
+```tsx
+'use client';
+import { useMsalAuth } from '@chemmangat/msal-next';
+export default function MyComponent() {
+  const { isAuthenticated, account, inProgress } = useMsalAuth();
+  if (inProgress) return <div>Loading...</div>;
+  if (!isAuthenticated) return <div>Please sign in</div>;
+  return <div>Hello, {account?.name}!</div>;
+}
+```
+**Pattern 2: Get Access Token**
-The underlying provider component. Only use this if you're creating your own client component wrapper.
+```tsx
+'use client';
+import { useMsalAuth } from '@chemmangat/msal-next';
+import { useEffect, useState } from 'react';
+export default function DataComponent() {
+  const { acquireToken, isAuthenticated } = useMsalAuth();
+  const [data, setData] = useState(null);
+  useEffect(() => {
+    async function fetchData() {
+      if (!isAuthenticated) return;
+      try {
+        const token = await acquireToken(['User.Read']);
+        const response = await fetch('https://graph.microsoft.com/v1.0/me', {
+          headers: { Authorization: `Bearer ${token}` },
+        });
+        const result = await response.json();
+        setData(result);
+      } catch (error) {
+        console.error('Error fetching data:', error);
+      }
+    }
+    fetchData();
+  }, [isAuthenticated, acquireToken]);
+  return <div>{/* Render data */}</div>;
+}
+```
+**Pattern 3: Protect Routes**
 ```tsx
-// app/providers.tsx
-'use client'
+'use client';
-import { MsalAuthProvider } from '@chemmangat/msal-next';
+import { AuthGuard } from '@chemmangat/msal-next';
-export function MyProviders({ children }) {
+export default function ProtectedPage() {
   return (
-    <MsalAuthProvider
-      clientId={process.env.NEXT_PUBLIC_AZURE_AD_CLIENT_ID!}
-      tenantId={process.env.NEXT_PUBLIC_AZURE_AD_TENANT_ID!}
+    <AuthGuard
+      loadingComponent={<div>Checking authentication...</div>}
+      fallbackComponent={<div>Redirecting to login...</div>}
     >
-      {children}
-    </MsalAuthProvider>
+      <div>This content is protected</div>
+    </AuthGuard>
   );
 }
 ```
-### MicrosoftSignInButton
+### 7. Configuration Options
+```tsx
+<MSALProvider
+  // Required
+  clientId={process.env.NEXT_PUBLIC_AZURE_AD_CLIENT_ID!}
+  // Optional - for single-tenant apps
+  tenantId={process.env.NEXT_PUBLIC_AZURE_AD_TENANT_ID}
+  // Optional - for multi-tenant apps (default: 'common')
+  authorityType="common" // or "organizations", "consumers", "tenant"
+  // Optional - default scopes (default: ['User.Read'])
+  scopes={['User.Read', 'Mail.Read']}
+  // Optional - enable debug logging (default: false)
+  enableLogging={true}
+  // Optional - custom redirect URI (default: window.location.origin)
+  redirectUri="https://yourdomain.com"
+  // Optional - cache location (default: 'sessionStorage')
+  cacheLocation="sessionStorage" // or "localStorage", "memoryStorage"
+  // NEW in v4.1.0 - automatic token refresh
+  autoRefreshToken={true}        // Prevents unexpected logouts
+  refreshBeforeExpiry={300}      // Refresh 5 min before expiry
+>
+  {children}
+</MSALProvider>
+```
+### 8. Troubleshooting Checklist
+**If authentication doesn't work:**
+1. ✅ Check environment variables are set correctly
+2. ✅ Restart dev server after adding `.env.local`
+3. ✅ Verify redirect URI in Azure Portal matches your app URL
+4. ✅ Ensure `'use client'` is at the TOP of files using hooks
+5. ✅ Check browser console for errors
+6. ✅ Enable debug logging: `enableLogging={true}`
+7. ✅ Verify client ID and tenant ID are valid GUIDs
+**Common Errors:**
+- **"createContext only works in Client Components"** → Use `MSALProvider` (not `MsalAuthProvider`) in layout.tsx
+- **"AADSTS50011: Redirect URI mismatch"** → Add your URL to Azure Portal → Authentication → Redirect URIs
+- **"No active account"** → User needs to sign in first before calling `acquireToken()`
+- **Environment variables undefined** → Restart dev server after creating `.env.local`
+---
+## 🎯 Key Features
+- ✅ **Zero-Config Setup** - Works out of the box with minimal configuration
+- ✅ **Automatic Token Refresh** - Prevents unexpected logouts (NEW in v4.1.0)
+- ✅ **TypeScript First** - Complete type safety with 30+ user profile fields
+- ✅ **Next.js 14+ Ready** - Built for App Router with Server Components support
+- ✅ **Automatic Validation** - Catches configuration mistakes in development
+- ✅ **Actionable Errors** - Clear error messages with fix instructions
+- ✅ **Production Ready** - Used by 2,200+ developers in production
+- ✅ **Fixed Interaction Issues** - No more "interaction in progress" errors (v4.1.0)
+---
+## 📚 API Reference
-Pre-styled sign-in button with Microsoft branding. Uses redirect flow (full page redirect to Microsoft login).
+### Components
+#### MSALProvider
+Wrap your app to provide authentication context.
+```tsx
+<MSALProvider clientId="..." tenantId="...">
+  {children}
+</MSALProvider>
+```
+#### MicrosoftSignInButton
+Pre-styled sign-in button with Microsoft branding.
 ```tsx
 <MicrosoftSignInButton
   variant="dark" // or "light"
-  size="medium" // "small", "medium", "large"
+  size="medium"  // "small", "medium", "large"
   onSuccess={() => console.log('Signed in!')}
 />
 ```
-### SignOutButton
-Pre-styled sign-out button matching the sign-in button style.
+#### SignOutButton
+Pre-styled sign-out button.
 ```tsx
 <SignOutButton
@@ -419,22 +480,20 @@ Pre-styled sign-out button matching the sign-in button style.
 />
 ```
-### AuthGuard
-Protect pages/components that require authentication.
+#### AuthGuard
+Protect components that require authentication.
 ```tsx
 <AuthGuard
   loadingComponent={<div>Loading...</div>}
-  fallbackComponent={<div>Redirecting to login...</div>}
+  fallbackComponent={<div>Please sign in</div>}
 >
   <ProtectedContent />
 </AuthGuard>
 ```
-### UserAvatar
-Display user photo from MS Graph with fallback initials.
+#### UserAvatar
+Display user photo from Microsoft Graph.
 ```tsx
 <UserAvatar
@@ -444,65 +503,44 @@ Display user photo from MS Graph with fallback initials.
 />
 ```
-### AuthStatus
-Show current authentication state.
-```tsx
-<AuthStatus
-  showDetails={true}
-  renderAuthenticated={(username) => (
-    <div>Logged in as {username}</div>
-  )}
-/>
-```
-### ErrorBoundary
+### Hooks
-Catch and handle authentication errors gracefully.
+#### useMsalAuth()
+Main authentication hook.
 ```tsx
-<ErrorBoundary
-  fallback={(error, reset) => (
-    <div>
-      <p>Error: {error.message}</p>
-      <button onClick={reset}>Try Again</button>
-    </div>
-  )}
->
-  <App />
-</ErrorBoundary>
+const {
+  account,           // Current user account
+  accounts,          // All cached accounts
+  isAuthenticated,   // Boolean: is user signed in?
+  inProgress,        // Boolean: is auth in progress?
+  loginRedirect,     // Function: sign in
+  logoutRedirect,    // Function: sign out
+  acquireToken,      // Function: get access token
+} = useMsalAuth();
 ```
-## Hooks
-### useMsalAuth
-Main authentication hook with all auth operations.
+#### useUserProfile()
+Fetch user profile from Microsoft Graph.
 ```tsx
 const {
-  account,
-  isAuthenticated,
-  inProgress,
-  loginRedirect,
-  logoutRedirect,
-  acquireToken,
-} = useMsalAuth();
-// Login (redirects to Microsoft)
-await loginRedirect(['User.Read']);
-// Get token
-const token = await acquireToken(['User.Read']);
-// Logout (redirects to Microsoft)
-await logoutRedirect();
+  profile,    // User profile with 30+ fields
+  loading,    // Boolean: is loading?
+  error,      // Error object if failed
+  refetch,    // Function: refetch profile
+  clearCache, // Function: clear cached profile
+} = useUserProfile();
+// Access profile fields
+console.log(profile?.displayName);
+console.log(profile?.department);
+console.log(profile?.preferredLanguage);
+console.log(profile?.employeeId);
 ```
-### useGraphApi
-Pre-configured fetch wrapper for MS Graph API.
+#### useGraphApi()
+Pre-configured Microsoft Graph API client.
 ```tsx
 const graph = useGraphApi();
@@ -515,503 +553,304 @@ const message = await graph.post('/me/messages', {
   subject: 'Hello',
   body: { content: 'World' }
 });
-// Custom request
-const data = await graph.request('/me/drive', {
-  scopes: ['Files.Read'],
-  version: 'beta'
-});
-```
-### useUserProfile
-Fetch and cache user profile from MS Graph with complete TypeScript types.
-```tsx
-const { profile, loading, error, refetch } = useUserProfile();
-if (loading) return <div>Loading...</div>;
-if (error) return <div>Error: {error.message}</div>;
-return (
-  <div>
-    <h1>{profile.displayName}</h1>
-    <p>{profile.mail}</p>
-    <p>{profile.jobTitle}</p>
-    <p>{profile.department}</p>
-    <p>{profile.preferredLanguage}</p>
-    <p>{profile.employeeId}</p>
-    <p>{profile.companyName}</p>
-    <p>{profile.officeLocation}</p>
-  </div>
-);
-```
-**New in v4.0.2:** Complete TypeScript types with 30+ fields from Microsoft Graph:
-- `department`, `preferredLanguage`, `employeeId`, `companyName`
-- `country`, `city`, `state`, `streetAddress`, `postalCode`
-- `manager`, `aboutMe`, `birthday`, `interests`, `skills`
-- And many more!
-**Generic type support:**
-```tsx
-interface MyProfile extends UserProfile {
-  customField: string;
-}
-const { profile } = useUserProfile<MyProfile>();
-console.log(profile?.customField); // Type-safe!
 ```
-### useRoles
-Access user's Azure AD roles and groups.
+#### useRoles()
+Access user's Azure AD roles.
 ```tsx
-const { roles, groups, hasRole, hasAnyRole } = useRoles();
+const {
+  roles,        // Array of role names
+  groups,       // Array of group IDs
+  hasRole,      // Function: check single role
+  hasAnyRole,   // Function: check multiple roles
+  hasAllRoles,  // Function: check all roles
+} = useRoles();
 if (hasRole('Admin')) {
-  return <AdminPanel />;
+  // Show admin content
 }
-if (hasAnyRole(['Editor', 'Contributor'])) {
-  return <EditorPanel />;
-}
-return <ViewerPanel />;
 ```
-## Utilities
-### withAuth
-Higher-order component for protecting pages.
-```tsx
-const ProtectedPage = withAuth(MyPage, {
-  useRedirect: true,
-  scopes: ['User.Read']
-});
-export default ProtectedPage;
-```
+---
-### getServerSession
+## 🎓 Advanced Usage
-Server-side session helper for App Router.
+### Automatic Token Refresh (NEW in v4.1.0)
-**Important:** Import from `@chemmangat/msal-next/server` in Server Components only.
+Prevent unexpected logouts by automatically refreshing tokens before they expire:
 ```tsx
-// app/dashboard/page.tsx
-import { getServerSession } from '@chemmangat/msal-next/server';
-import { redirect } from 'next/navigation';
-export default async function DashboardPage() {
-  const session = await getServerSession();
-  if (!session.isAuthenticated) {
-    redirect('/login');
-  }
-  return <div>Welcome {session.username}</div>;
-}
+<MSALProvider
+  clientId={process.env.NEXT_PUBLIC_AZURE_AD_CLIENT_ID!}
+  autoRefreshToken={true}        // Enable automatic refresh
+  refreshBeforeExpiry={300}      // Refresh 5 minutes before expiry
+>
+  {children}
+</MSALProvider>
 ```
-### createAuthMiddleware
-Protect routes at the edge with middleware.
+**Monitor token expiry:**
 ```tsx
-// middleware.ts
-import { createAuthMiddleware } from '@chemmangat/msal-next';
-export const middleware = createAuthMiddleware({
-  protectedRoutes: ['/dashboard', '/profile', '/api/protected'],
-  publicOnlyRoutes: ['/login'],
-  loginPath: '/login',
-  debug: true,
-});
-export const config = {
-  matcher: ['/((?!_next/static|_next/image|favicon.ico).*)'],
-};
-```
+'use client';
-### Retry Logic
+import { useTokenRefresh } from '@chemmangat/msal-next';
-Built-in exponential backoff for token acquisition.
+export default function SessionWarning() {
+  const { expiresIn, isExpiringSoon } = useTokenRefresh();
-```tsx
-import { retryWithBackoff, createRetryWrapper } from '@chemmangat/msal-next';
-// Wrap any async function with retry logic
-const token = await retryWithBackoff(
-  () => acquireToken(['User.Read']),
-  {
-    maxRetries: 3,
-    initialDelay: 1000,
-    backoffMultiplier: 2,
-    debug: true
+  if (isExpiringSoon) {
+    return (
+      <div className="warning">
+        ⚠️ Your session will expire in {Math.floor(expiresIn / 60)} minutes
+      </div>
+    );
   }
-);
-// Create a reusable retry wrapper
-const acquireTokenWithRetry = createRetryWrapper(acquireToken, {
-  maxRetries: 3
-});
-```
-### Debug Logger
-Comprehensive logging for troubleshooting with enhanced v3.0 features.
-```tsx
-import { getDebugLogger } from '@chemmangat/msal-next';
-const logger = getDebugLogger({
-  enabled: true,
-  level: 'debug',
-  showTimestamp: true,
-  enablePerformance: true,    // NEW in v3.0
-  enableNetworkLogs: true,    // NEW in v3.0
-  maxHistorySize: 100,        // NEW in v3.0
-});
-// Basic logging
-logger.info('User logged in', { username: 'user@example.com' });
-logger.error('Authentication failed', { error });
-// NEW: Performance tracking
-logger.startTiming('token-acquisition');
-const token = await acquireToken(['User.Read']);
-logger.endTiming('token-acquisition'); // Logs duration
-// NEW: Network logging
-logger.logRequest('GET', '/me');
-logger.logResponse('GET', '/me', 200, userData);
-// NEW: Export logs
-const logs = logger.exportLogs();
-logger.downloadLogs('debug-logs.json'); // Download as file
-```
-## TypeScript Support
-### Custom Token Claims
-Extend the `CustomTokenClaims` interface for type-safe custom claims.
-```tsx
-import { CustomTokenClaims } from '@chemmangat/msal-next';
-interface MyCustomClaims extends CustomTokenClaims {
-  roles: string[];
-  department: string;
-  employeeId: string;
+  return null;
 }
-const { account } = useMsalAuth();
-const claims = account?.idTokenClaims as MyCustomClaims;
-console.log(claims.roles); // Type-safe!
-console.log(claims.department); // Type-safe!
 ```
-## Advanced Examples
+### Multi-Tenant Applications
-### Multi-Tenant Support
+For apps that support any Azure AD tenant:
 ```tsx
-<MsalAuthProvider
-  clientId="YOUR_CLIENT_ID"
-  authorityType="common" // Supports any Azure AD tenant
+<MSALProvider
+  clientId={process.env.NEXT_PUBLIC_AZURE_AD_CLIENT_ID!}
+  authorityType="common"  // No tenantId needed
 >
   {children}
-</MsalAuthProvider>
+</MSALProvider>
 ```
 ### Custom Scopes
+Request additional Microsoft Graph permissions:
 ```tsx
-<MsalAuthProvider
-  clientId="YOUR_CLIENT_ID"
-  scopes={[
-    'User.Read',
-    'Mail.Read',
-    'Calendars.Read',
-    'Files.Read.All'
-  ]}
+<MSALProvider
+  clientId={process.env.NEXT_PUBLIC_AZURE_AD_CLIENT_ID!}
+  scopes={['User.Read', 'Mail.Read', 'Calendars.Read', 'Files.Read']}
 >
   {children}
-</MsalAuthProvider>
+</MSALProvider>
 ```
-### Multiple Account Selection
-```tsx
-const { accounts, loginPopup } = useMsalAuth();
-// Show account picker
-await loginPopup(scopes, {
-  prompt: 'select_account'
-});
-// List all accounts
-accounts.map(account => (
-  <div key={account.homeAccountId}>
-    {account.username}
-  </div>
-));
-```
+### Server-Side Session
-### Server-Side Rendering
+Access authentication state in Server Components:
 ```tsx
-// app/profile/page.tsx
-import { getServerSession } from '@chemmangat/msal-next';
+// app/profile/page.tsx (Server Component)
+import { getServerSession } from '@chemmangat/msal-next/server';
+import { redirect } from 'next/navigation';
 export default async function ProfilePage() {
   const session = await getServerSession();
+  if (!session.isAuthenticated) {
+    redirect('/login');
+  }
   return (
     <div>
       <h1>Profile</h1>
-      {session.isAuthenticated ? (
-        <p>Welcome {session.username}</p>
-      ) : (
-        <p>Please sign in</p>
-      )}
+      <p>Welcome, {session.username}</p>
     </div>
   );
 }
 ```
-### Role-Based Access Control
+### Middleware Protection
-```tsx
-'use client';
-import { useRoles, AuthGuard } from '@chemmangat/msal-next';
-function AdminPanel() {
-  const { hasRole, hasAnyRole, hasAllRoles } = useRoles();
+Protect routes at the edge:
-  if (!hasRole('Admin')) {
-    return <div>Access denied</div>;
-  }
+```tsx
+// middleware.ts
+import { createAuthMiddleware } from '@chemmangat/msal-next';
-  return <div>Admin content</div>;
-}
+export const middleware = createAuthMiddleware({
+  protectedRoutes: ['/dashboard', '/profile', '/api/protected'],
+  publicOnlyRoutes: ['/login'],
+  loginPath: '/login',
+  debug: true,
+});
-export default function AdminPage() {
-  return (
-    <AuthGuard>
-      <AdminPanel />
-    </AuthGuard>
-  );
-}
+export const config = {
+  matcher: ['/((?!_next/static|_next/image|favicon.ico).*)'],
+};
 ```
-## Configuration Options
-### MsalAuthConfig
-| Option | Type | Default | Description |
-|--------|------|---------|-------------|
-| `clientId` | `string` | **Required** | Azure AD Application (client) ID |
-| `tenantId` | `string` | `undefined` | Azure AD Directory (tenant) ID |
-| `authorityType` | `'common' \| 'organizations' \| 'consumers' \| 'tenant'` | `'common'` | Authority type |
-| `redirectUri` | `string` | `window.location.origin` | Redirect URI after auth |
-| `scopes` | `string[]` | `['User.Read']` | Default scopes |
-| `cacheLocation` | `'sessionStorage' \| 'localStorage' \| 'memoryStorage'` | `'sessionStorage'` | Token cache location |
-| `enableLogging` | `boolean` | `false` | Enable debug logging |
-## Troubleshooting
+### Error Handling
-### Common Issues
+Use enhanced error handling for better debugging:
-**Issue**: "No active account" error
-**Solution**: Ensure user is logged in before calling `acquireToken`
-**Issue**: Token acquisition fails
-**Solution**: Check that required scopes are granted in Azure AD
-**Issue**: SSR hydration mismatch
-**Solution**: Use `'use client'` directive for components using auth hooks
-**Issue**: Middleware not protecting routes
-**Solution**: Ensure session cookies are being set after login
-**Issue**: "createContext only works in Client Components"
-**Solution**: Use `MSALProvider` (not `MsalAuthProvider`) in layout.tsx
-**Issue**: Redirect URI mismatch (AADSTS50011)
-**Solution**: Add your redirect URI to Azure Portal → App registrations → Authentication
-**Issue**: Missing environment variables
-**Solution**: Create `.env.local` with `NEXT_PUBLIC_AZURE_AD_CLIENT_ID` and `NEXT_PUBLIC_AZURE_AD_TENANT_ID`
+```tsx
+'use client';
-For more detailed troubleshooting, see [TROUBLESHOOTING.md](./TROUBLESHOOTING.md)
+import { useMsalAuth, wrapMsalError } from '@chemmangat/msal-next';
+export default function LoginPage() {
+  const { loginRedirect } = useMsalAuth();
+  const handleLogin = async () => {
+    try {
+      await loginRedirect();
+    } catch (error) {
+      const msalError = wrapMsalError(error);
+      // Check if user cancelled (not a real error)
+      if (msalError.isUserCancellation()) {
+        return;
+      }
+      // Display actionable error message
+      console.error(msalError.toConsoleString());
+    }
+  };
+  return <button onClick={handleLogin}>Sign In</button>;
+}
+```
-### Debug Mode
+### Custom Profile Fields
-Enable debug logging to troubleshoot issues:
+Extend UserProfile with organization-specific fields:
 ```tsx
-<MsalAuthProvider
-  clientId="YOUR_CLIENT_ID"
-  enableLogging={true}
->
-  {children}
-</MsalAuthProvider>
-```
+'use client';
-### Enhanced Error Handling (v4.0.2)
+import { useUserProfile, UserProfile } from '@chemmangat/msal-next';
-Use the new MsalError class for better error messages:
+interface MyCompanyProfile extends UserProfile {
+  customField: string;
+}
-```tsx
-import { wrapMsalError } from '@chemmangat/msal-next';
+export default function ProfilePage() {
+  const { profile } = useUserProfile<MyCompanyProfile>();
-try {
-  await loginRedirect();
-} catch (error) {
-  const msalError = wrapMsalError(error);
-  // Check if user just cancelled (not a real error)
-  if (msalError.isUserCancellation()) {
-    return;
-  }
-  // Get actionable error message with fix instructions
-  console.error(msalError.toConsoleString());
-  // Access error details
-  console.log('Error code:', msalError.code);
-  console.log('Fix instructions:', msalError.fix);
-  console.log('Documentation:', msalError.docs);
+  return (
+    <div>
+      <p>Department: {profile?.department}</p>
+      <p>Custom Field: {profile?.customField}</p>
+    </div>
+  );
 }
 ```
-## Migration to v4.0.1
+---
-### From v3.x to v4.0.1
+## 🔧 Configuration Reference
-**Good news:** v4.0.0 is **100% backward compatible**! All v3.x code works without changes.
+### MSALProvider Props
-**New feature:** Zero-Config Protected Routes (optional, but recommended)
+| Prop | Type | Required | Default | Description |
+|------|------|----------|---------|-------------|
+| `clientId` | `string` | ✅ Yes | - | Azure AD Application (client) ID |
+| `tenantId` | `string` | No | - | Azure AD Directory (tenant) ID (for single-tenant) |
+| `authorityType` | `'common' \| 'organizations' \| 'consumers' \| 'tenant'` | No | `'common'` | Authority type |
+| `redirectUri` | `string` | No | `window.location.origin` | Redirect URI after authentication |
+| `scopes` | `string[]` | No | `['User.Read']` | Default scopes |
+| `cacheLocation` | `'sessionStorage' \| 'localStorage' \| 'memoryStorage'` | No | `'sessionStorage'` | Token cache location |
+| `enableLogging` | `boolean` | No | `false` | Enable debug logging |
-**Before (v3.x - still works):**
-```tsx
-// middleware.ts
-export async function middleware(request) {
-  const session = await getServerSession();
-  if (!session) return redirect('/login');
-}
+### Authority Types
-// app/dashboard/page.tsx
-export default async function Dashboard() {
-  const session = await getServerSession();
-  if (!session) redirect('/login');
-  return <div>Protected</div>;
-}
-```
+- **`common`** - Multi-tenant (any Azure AD tenant or Microsoft account)
+- **`organizations`** - Any organizational Azure AD tenant
+- **`consumers`** - Microsoft personal accounts only
+- **`tenant`** - Single-tenant (requires `tenantId`)
-**After (v4.0 - recommended):**
-```tsx
-// app/dashboard/page.tsx
-export const auth = { required: true };
+---
-export default function Dashboard() {
-  return <div>Protected</div>;
-}
-```
+## 📖 Additional Resources
+### Documentation
+- [SECURITY.md](./SECURITY.md) - **Security policy and best practices** ⭐
+- [TROUBLESHOOTING.md](./TROUBLESHOOTING.md) - Common issues and solutions
+- [CHANGELOG.md](./CHANGELOG.md) - Version history
+- [MIGRATION_GUIDE_v3.md](./MIGRATION_GUIDE_v3.md) - Migrating from v2.x
+- [EXAMPLES_v4.0.2.md](./EXAMPLES_v4.0.2.md) - Code examples
+### Security
+- 🔒 [Security Policy](./SECURITY.md) - Complete security documentation
+- 🛡️ [Best Practices](./SECURITY.md#-best-practices) - Security guidelines
+- ⚠️ [Common Mistakes](./SECURITY.md#-common-security-mistakes) - What to avoid
+- ✅ [Security Checklist](./SECURITY.md#-security-checklist) - Pre-deployment checklist
+### Links
+- 📦 [npm Package](https://www.npmjs.com/package/@chemmangat/msal-next)
+- 🚀 [Live Demo](https://github.com/Chemmangat/msal-next-demo) - Sample implementation
+- 🐛 [Report Issues](https://github.com/chemmangat/msal-next/issues)
+- 💬 [Discussions](https://github.com/chemmangat/msal-next/discussions)
+- ⭐ [GitHub Repository](https://github.com/chemmangat/msal-next)
-**That's it!** No breaking changes, just a better way to protect routes.
+### Microsoft Resources
+- [Azure AD Documentation](https://learn.microsoft.com/en-us/azure/active-directory/)
+- [MSAL.js Documentation](https://learn.microsoft.com/en-us/azure/active-directory/develop/msal-overview)
+- [Microsoft Graph API](https://learn.microsoft.com/en-us/graph/overview)
 ---
-## Migration Guide
+## ❓ FAQ
-### From v2.x to v3.0
+**Q: Do I need to create an Azure AD app registration?**
+A: Yes, you need an app registration in Azure Portal to get the client ID and tenant ID.
-v3.0 includes breaking changes. See [MIGRATION_GUIDE_v3.md](./MIGRATION_GUIDE_v3.md) for complete details.
+**Q: Can I use this with Next.js Pages Router?**
+A: This package is designed for App Router. For Pages Router, use v2.x or consider migrating to App Router.
-**Quick migration:**
+**Q: Is this free to use?**
+A: Yes, the package is MIT licensed and free. Azure AD has a free tier for up to 50,000 users.
-```bash
-# 1. Update dependencies
-npm install @chemmangat/msal-next@3.0.0
-npm install @azure/msal-browser@^4.0.0
-npm install @azure/msal-react@^3.0.0
-npm install next@^14.1.0
+**Q: Can I use this for multi-tenant SaaS apps?**
+A: Yes! Set `authorityType="common"` and omit `tenantId`.
-# 2. Update Node.js to 18+
-node --version  # Should be v18.0.0+
+**Q: How do I get additional user information?**
+A: Use `useUserProfile()` hook which provides 30+ fields from Microsoft Graph.
-# 3. Remove deprecated ServerSession.accessToken usage
-# Before:
-const session = await getServerSession();
-const token = session.accessToken; // ❌ Removed
+**Q: Can I customize the sign-in button?**
+A: Yes, `MicrosoftSignInButton` accepts `variant`, `size`, `className`, and `style` props.
-# After:
-'use client';
-const { acquireToken } = useMsalAuth();
-const token = await acquireToken(['User.Read']); // ✅
-```
-### From v1.x to v2.x
+**Q: Does this work with Azure AD B2C?**
+A: This package is designed for Azure AD. For B2C, you may need additional configuration.
-v2.0 is backward compatible with v1.x. New features are additive:
+**Q: How do I protect API routes?**
+A: Use `getServerSession()` in API routes or `createAuthMiddleware()` for edge protection.
-```tsx
-// v1.x - Still works!
-import { MsalAuthProvider, useMsalAuth } from '@chemmangat/msal-next';
-// v2.x - New features
-import {
-  AuthGuard,
-  SignOutButton,
-  UserAvatar,
-  useGraphApi,
-  useUserProfile,
-  useRoles,
-  withAuth,
-  createAuthMiddleware,
-} from '@chemmangat/msal-next';
-```
+---
-## Contributing
+## 🤝 Contributing
 Contributions are welcome! Please read our [Contributing Guide](../../CONTRIBUTING.md) for details.
-## License
-MIT © [Chemmangat](https://github.com/chemmangat)
-## Support
-- 📖 [Documentation](https://github.com/chemmangat/msal-next#readme)
-- 🐛 [Issue Tracker](https://github.com/chemmangat/msal-next/issues)
-- 💬 [Discussions](https://github.com/chemmangat/msal-next/discussions)
-- 🚀 [CLI Tool](https://www.npmjs.com/package/@chemmangat/msal-next-cli)
-- 📋 [Migration Guide](./MIGRATION_GUIDE_v3.md)
-- 🧪 [Testing Guide](./TESTING_GUIDE.md)
+---
-## What's Coming in v3.1
+## 📄 License
-- 🧪 80%+ test coverage
-- 📚 6+ additional examples
-- ⚡ Performance optimizations
-- 🔒 Security audit
-- 🆕 New hooks and components
+MIT © [Chemmangat](https://github.com/chemmangat)
-[See Roadmap](./V3_ROADMAP.md) for details.
+---
-## Acknowledgments
+## 🙏 Acknowledgments
 Built with:
 - [@azure/msal-browser](https://github.com/AzureAD/microsoft-authentication-library-for-js)
 - [@azure/msal-react](https://github.com/AzureAD/microsoft-authentication-library-for-js)
 - [Next.js](https://nextjs.org/)
+---
+## 📊 Stats
+- 📦 2,200+ weekly downloads
+- ⭐ Used in production by developers worldwide
+- 🔒 Security-focused with regular updates
+- 📚 Comprehensive documentation
+- 🎯 TypeScript-first with complete type safety
+---
+**Need help?** Check [TROUBLESHOOTING.md](./TROUBLESHOOTING.md) or [open an issue](https://github.com/chemmangat/msal-next/issues)!