npm - @chemmangat/msal-next - Versions diffs - 5.2.0 → 5.2.1 - Mend

@chemmangat/msal-next 5.2.0 → 5.2.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (10) hide show

package/CHANGELOG.md CHANGED Viewed

@@ -2,7 +2,32 @@
 All notable changes to this project will be documented in this file.
-## [5.2.0] - 2026-04-07
+## [5.2.1] - 2026-04-07
+### 🐛 Bug Fix
+#### `createAuthMiddleware` now importable from `@chemmangat/msal-next/middleware`
+`createAuthMiddleware` was previously bundled inside `dist/index.mjs` which carries a `"use client"` directive. Importing it in `middleware.ts` caused Next.js to throw:
+> "Attempted to call createAuthMiddleware() from the server but createAuthMiddleware is on the client."
+It now has its own edge-compatible entry point with no React, no `@azure/msal-browser`, and no `"use client"` — only `next/server`.
+**Migration** (update your import):
+```ts
+// Before
+import { createAuthMiddleware } from '@chemmangat/msal-next';
+// After
+import { createAuthMiddleware } from '@chemmangat/msal-next/middleware';
+```
+Also fixed `tenantValidator.ts` to use `import type` for its `@azure/msal-browser` and `types.ts` imports, ensuring those never get bundled into the middleware output.
+---
 ### 🔧 Compatibility

package/dist/index.d.mts CHANGED Viewed

@@ -2,7 +2,7 @@ import * as react_jsx_runtime from 'react/jsx-runtime';
 import { Configuration, LogLevel, IPublicClientApplication, PublicClientApplication, AccountInfo } from '@azure/msal-browser';
 export { AccountInfo } from '@azure/msal-browser';
 import { ReactNode, CSSProperties, Component, ErrorInfo, ComponentType } from 'react';
-import { NextRequest, NextResponse } from 'next/server';
+import { NextRequest } from 'next/server';
 export { useAccount, useIsAuthenticated, useMsal } from '@azure/msal-react';
 /**
@@ -1865,6 +1865,26 @@ declare function withPageAuth<P extends object>(Component: ComponentType<P>, aut
     displayName: string;
 };
+interface ServerSession {
+    /**
+     * Whether user is authenticated
+     */
+    isAuthenticated: boolean;
+    /**
+     * User's account ID from MSAL cache
+     */
+    accountId?: string;
+    /**
+     * User's username/email
+     */
+    username?: string;
+    /**
+     * Access token (if available in cookie)
+     * @deprecated Storing tokens in cookies is not recommended for security reasons
+     */
+    accessToken?: string;
+}
 interface AuthMiddlewareConfig {
     /**
      * Routes that require authentication
@@ -1911,45 +1931,5 @@ interface AuthMiddlewareConfig {
      */
     debug?: boolean;
 }
-/**
- * Creates authentication middleware for Next.js App Router
- *
- * @example
- * ```tsx
- * // middleware.ts
- * import { createAuthMiddleware } from '@chemmangat/msal-next';
- *
- * export const middleware = createAuthMiddleware({
- *   protectedRoutes: ['/dashboard', '/profile'],
- *   publicOnlyRoutes: ['/login'],
- *   loginPath: '/login',
- * });
- *
- * export const config = {
- *   matcher: ['/((?!_next/static|_next/image|favicon.ico).*)'],
- * };
- * ```
- */
-declare function createAuthMiddleware(config?: AuthMiddlewareConfig): (request: NextRequest) => Promise<NextResponse<unknown>>;
-interface ServerSession {
-    /**
-     * Whether user is authenticated
-     */
-    isAuthenticated: boolean;
-    /**
-     * User's account ID from MSAL cache
-     */
-    accountId?: string;
-    /**
-     * User's username/email
-     */
-    username?: string;
-    /**
-     * Access token (if available in cookie)
-     * @deprecated Storing tokens in cookies is not recommended for security reasons
-     */
-    accessToken?: string;
-}
-export { AccountList, type AccountListProps, AccountSwitcher, type AccountSwitcherProps, AuthGuard, type AuthGuardProps, type AuthMiddlewareConfig, type AuthProtectionConfig, AuthStatus, type AuthStatusProps, type CustomTokenClaims, type DebugLoggerConfig, ErrorBoundary, type ErrorBoundaryProps, type GraphApiOptions, MSALProvider, MicrosoftSignInButton, type MicrosoftSignInButtonProps, type MsalAuthConfig, MsalAuthProvider, type MsalAuthProviderProps, MsalError, type MultiTenantConfig, type PageAuthConfig, ProtectedPage, type RetryConfig, type ServerSession, SignOutButton, type SignOutButtonProps, type TenantAuthConfig, type TenantInfo, type UseGraphApiReturn, type UseMsalAuthReturn, type UseMultiAccountReturn, type UseRolesReturn, type UseTenantReturn, type UseTokenRefreshOptions, type UseTokenRefreshReturn, type UseUserProfileReturn, UserAvatar, type UserAvatarProps, type UserProfile, type ValidatedAccountData, type ValidationError, type ValidationResult, type ValidationWarning, type WithAuthOptions, createAuthMiddleware, createMissingEnvVarError, createMsalConfig, createRetryWrapper, createScopedLogger, displayValidationResults, getDebugLogger, getMsalInstance, isValidAccountData, isValidRedirectUri, isValidScope, retryWithBackoff, safeJsonParse, sanitizeError, useGraphApi, useMsalAuth, useMultiAccount, useRoles, useTenant, useTenantConfig, useTokenRefresh, useUserProfile, validateConfig, validateScopes, withAuth, withPageAuth, wrapMsalError };
+export { AccountList, type AccountListProps, AccountSwitcher, type AccountSwitcherProps, AuthGuard, type AuthGuardProps, type AuthMiddlewareConfig, type AuthProtectionConfig, AuthStatus, type AuthStatusProps, type CustomTokenClaims, type DebugLoggerConfig, ErrorBoundary, type ErrorBoundaryProps, type GraphApiOptions, MSALProvider, MicrosoftSignInButton, type MicrosoftSignInButtonProps, type MsalAuthConfig, MsalAuthProvider, type MsalAuthProviderProps, MsalError, type MultiTenantConfig, type PageAuthConfig, ProtectedPage, type RetryConfig, type ServerSession, SignOutButton, type SignOutButtonProps, type TenantAuthConfig, type TenantInfo, type UseGraphApiReturn, type UseMsalAuthReturn, type UseMultiAccountReturn, type UseRolesReturn, type UseTenantReturn, type UseTokenRefreshOptions, type UseTokenRefreshReturn, type UseUserProfileReturn, UserAvatar, type UserAvatarProps, type UserProfile, type ValidatedAccountData, type ValidationError, type ValidationResult, type ValidationWarning, type WithAuthOptions, createMissingEnvVarError, createMsalConfig, createRetryWrapper, createScopedLogger, displayValidationResults, getDebugLogger, getMsalInstance, isValidAccountData, isValidRedirectUri, isValidScope, retryWithBackoff, safeJsonParse, sanitizeError, useGraphApi, useMsalAuth, useMultiAccount, useRoles, useTenant, useTenantConfig, useTokenRefresh, useUserProfile, validateConfig, validateScopes, withAuth, withPageAuth, wrapMsalError };

package/dist/index.d.ts CHANGED Viewed

@@ -2,7 +2,7 @@ import * as react_jsx_runtime from 'react/jsx-runtime';
 import { Configuration, LogLevel, IPublicClientApplication, PublicClientApplication, AccountInfo } from '@azure/msal-browser';
 export { AccountInfo } from '@azure/msal-browser';
 import { ReactNode, CSSProperties, Component, ErrorInfo, ComponentType } from 'react';
-import { NextRequest, NextResponse } from 'next/server';
+import { NextRequest } from 'next/server';
 export { useAccount, useIsAuthenticated, useMsal } from '@azure/msal-react';
 /**
@@ -1865,6 +1865,26 @@ declare function withPageAuth<P extends object>(Component: ComponentType<P>, aut
     displayName: string;
 };
+interface ServerSession {
+    /**
+     * Whether user is authenticated
+     */
+    isAuthenticated: boolean;
+    /**
+     * User's account ID from MSAL cache
+     */
+    accountId?: string;
+    /**
+     * User's username/email
+     */
+    username?: string;
+    /**
+     * Access token (if available in cookie)
+     * @deprecated Storing tokens in cookies is not recommended for security reasons
+     */
+    accessToken?: string;
+}
 interface AuthMiddlewareConfig {
     /**
      * Routes that require authentication
@@ -1911,45 +1931,5 @@ interface AuthMiddlewareConfig {
      */
     debug?: boolean;
 }
-/**
- * Creates authentication middleware for Next.js App Router
- *
- * @example
- * ```tsx
- * // middleware.ts
- * import { createAuthMiddleware } from '@chemmangat/msal-next';
- *
- * export const middleware = createAuthMiddleware({
- *   protectedRoutes: ['/dashboard', '/profile'],
- *   publicOnlyRoutes: ['/login'],
- *   loginPath: '/login',
- * });
- *
- * export const config = {
- *   matcher: ['/((?!_next/static|_next/image|favicon.ico).*)'],
- * };
- * ```
- */
-declare function createAuthMiddleware(config?: AuthMiddlewareConfig): (request: NextRequest) => Promise<NextResponse<unknown>>;
-interface ServerSession {
-    /**
-     * Whether user is authenticated
-     */
-    isAuthenticated: boolean;
-    /**
-     * User's account ID from MSAL cache
-     */
-    accountId?: string;
-    /**
-     * User's username/email
-     */
-    username?: string;
-    /**
-     * Access token (if available in cookie)
-     * @deprecated Storing tokens in cookies is not recommended for security reasons
-     */
-    accessToken?: string;
-}
-export { AccountList, type AccountListProps, AccountSwitcher, type AccountSwitcherProps, AuthGuard, type AuthGuardProps, type AuthMiddlewareConfig, type AuthProtectionConfig, AuthStatus, type AuthStatusProps, type CustomTokenClaims, type DebugLoggerConfig, ErrorBoundary, type ErrorBoundaryProps, type GraphApiOptions, MSALProvider, MicrosoftSignInButton, type MicrosoftSignInButtonProps, type MsalAuthConfig, MsalAuthProvider, type MsalAuthProviderProps, MsalError, type MultiTenantConfig, type PageAuthConfig, ProtectedPage, type RetryConfig, type ServerSession, SignOutButton, type SignOutButtonProps, type TenantAuthConfig, type TenantInfo, type UseGraphApiReturn, type UseMsalAuthReturn, type UseMultiAccountReturn, type UseRolesReturn, type UseTenantReturn, type UseTokenRefreshOptions, type UseTokenRefreshReturn, type UseUserProfileReturn, UserAvatar, type UserAvatarProps, type UserProfile, type ValidatedAccountData, type ValidationError, type ValidationResult, type ValidationWarning, type WithAuthOptions, createAuthMiddleware, createMissingEnvVarError, createMsalConfig, createRetryWrapper, createScopedLogger, displayValidationResults, getDebugLogger, getMsalInstance, isValidAccountData, isValidRedirectUri, isValidScope, retryWithBackoff, safeJsonParse, sanitizeError, useGraphApi, useMsalAuth, useMultiAccount, useRoles, useTenant, useTenantConfig, useTokenRefresh, useUserProfile, validateConfig, validateScopes, withAuth, withPageAuth, wrapMsalError };
+export { AccountList, type AccountListProps, AccountSwitcher, type AccountSwitcherProps, AuthGuard, type AuthGuardProps, type AuthMiddlewareConfig, type AuthProtectionConfig, AuthStatus, type AuthStatusProps, type CustomTokenClaims, type DebugLoggerConfig, ErrorBoundary, type ErrorBoundaryProps, type GraphApiOptions, MSALProvider, MicrosoftSignInButton, type MicrosoftSignInButtonProps, type MsalAuthConfig, MsalAuthProvider, type MsalAuthProviderProps, MsalError, type MultiTenantConfig, type PageAuthConfig, ProtectedPage, type RetryConfig, type ServerSession, SignOutButton, type SignOutButtonProps, type TenantAuthConfig, type TenantInfo, type UseGraphApiReturn, type UseMsalAuthReturn, type UseMultiAccountReturn, type UseRolesReturn, type UseTenantReturn, type UseTokenRefreshOptions, type UseTokenRefreshReturn, type UseUserProfileReturn, UserAvatar, type UserAvatarProps, type UserProfile, type ValidatedAccountData, type ValidationError, type ValidationResult, type ValidationWarning, type WithAuthOptions, createMissingEnvVarError, createMsalConfig, createRetryWrapper, createScopedLogger, displayValidationResults, getDebugLogger, getMsalInstance, isValidAccountData, isValidRedirectUri, isValidScope, retryWithBackoff, safeJsonParse, sanitizeError, useGraphApi, useMsalAuth, useMultiAccount, useRoles, useTenant, useTenantConfig, useTokenRefresh, useUserProfile, validateConfig, validateScopes, withAuth, withPageAuth, wrapMsalError };

package/dist/index.js CHANGED Viewed

@@ -33,7 +33,6 @@ __export(client_exports, {
   ProtectedPage: () => ProtectedPage,
   SignOutButton: () => SignOutButton,
   UserAvatar: () => UserAvatar,
-  createAuthMiddleware: () => createAuthMiddleware,
   createMissingEnvVarError: () => createMissingEnvVarError,
   createMsalConfig: () => createMsalConfig,
   createRetryWrapper: () => createRetryWrapper,
@@ -3166,105 +3165,6 @@ function withPageAuth(Component2, authConfig, globalConfig) {
   return WrappedComponent;
 }
-// src/middleware/createAuthMiddleware.ts
-var import_server = require("next/server");
-function createAuthMiddleware(config = {}) {
-  const {
-    protectedRoutes = [],
-    publicOnlyRoutes = [],
-    loginPath = "/login",
-    redirectAfterLogin = "/",
-    sessionCookie = "msal.account",
-    isAuthenticated: customAuthCheck,
-    tenantConfig,
-    tenantDeniedPath = "/unauthorized",
-    debug = false
-  } = config;
-  return async function authMiddleware(request) {
-    const { pathname } = request.nextUrl;
-    if (debug) {
-      console.log("[AuthMiddleware] Processing:", pathname);
-    }
-    let authenticated = false;
-    if (customAuthCheck) {
-      authenticated = await customAuthCheck(request);
-    } else {
-      const sessionData = request.cookies.get(sessionCookie);
-      authenticated = !!sessionData?.value;
-    }
-    if (debug) {
-      console.log("[AuthMiddleware] Authenticated:", authenticated);
-    }
-    const isProtectedRoute = protectedRoutes.some(
-      (route) => pathname.startsWith(route)
-    );
-    const isPublicOnlyRoute = publicOnlyRoutes.some(
-      (route) => pathname.startsWith(route)
-    );
-    if (isProtectedRoute && !authenticated) {
-      if (debug) {
-        console.log("[AuthMiddleware] Redirecting to login");
-      }
-      const url = request.nextUrl.clone();
-      url.pathname = loginPath;
-      url.searchParams.set("returnUrl", pathname);
-      return import_server.NextResponse.redirect(url);
-    }
-    if (isProtectedRoute && authenticated && tenantConfig) {
-      try {
-        const sessionData = request.cookies.get(sessionCookie);
-        if (sessionData?.value) {
-          const account = safeJsonParse(sessionData.value, isValidAccountData);
-          if (account) {
-            const tenantResult = validateTenantAccess(account, tenantConfig);
-            if (!tenantResult.allowed) {
-              if (debug) {
-                console.log("[AuthMiddleware] Tenant access denied:", tenantResult.reason);
-              }
-              const url = request.nextUrl.clone();
-              url.pathname = tenantDeniedPath;
-              url.searchParams.set("reason", tenantResult.reason || "access_denied");
-              return import_server.NextResponse.redirect(url);
-            }
-          }
-        }
-      } catch (error) {
-        if (debug) {
-          console.warn("[AuthMiddleware] Tenant validation error:", error);
-        }
-      }
-    }
-    if (isPublicOnlyRoute && authenticated) {
-      if (debug) {
-        console.log("[AuthMiddleware] Redirecting to home");
-      }
-      const returnUrl = request.nextUrl.searchParams.get("returnUrl");
-      const url = request.nextUrl.clone();
-      url.pathname = returnUrl || redirectAfterLogin;
-      url.searchParams.delete("returnUrl");
-      return import_server.NextResponse.redirect(url);
-    }
-    const response = import_server.NextResponse.next();
-    if (authenticated) {
-      response.headers.set("x-msal-authenticated", "true");
-      try {
-        const sessionData = request.cookies.get(sessionCookie);
-        if (sessionData?.value) {
-          const account = safeJsonParse(sessionData.value, isValidAccountData);
-          if (account?.username) {
-            response.headers.set("x-msal-username", account.username);
-          }
-        }
-      } catch (error) {
-        if (debug) {
-          console.warn("[AuthMiddleware] Failed to parse session data");
-        }
-      }
-    }
-    return response;
-  };
-}
 // src/client.ts
 var import_msal_react4 = require("@azure/msal-react");
 // Annotate the CommonJS export names for ESM import in node:
@@ -3281,7 +3181,6 @@ var import_msal_react4 = require("@azure/msal-react");
   ProtectedPage,
   SignOutButton,
   UserAvatar,
-  createAuthMiddleware,
   createMissingEnvVarError,
   createMsalConfig,
   createRetryWrapper,

package/dist/index.mjs CHANGED Viewed

@@ -3106,105 +3106,6 @@ function withPageAuth(Component2, authConfig, globalConfig) {
   return WrappedComponent;
 }
-// src/middleware/createAuthMiddleware.ts
-import { NextResponse } from "next/server";
-function createAuthMiddleware(config = {}) {
-  const {
-    protectedRoutes = [],
-    publicOnlyRoutes = [],
-    loginPath = "/login",
-    redirectAfterLogin = "/",
-    sessionCookie = "msal.account",
-    isAuthenticated: customAuthCheck,
-    tenantConfig,
-    tenantDeniedPath = "/unauthorized",
-    debug = false
-  } = config;
-  return async function authMiddleware(request) {
-    const { pathname } = request.nextUrl;
-    if (debug) {
-      console.log("[AuthMiddleware] Processing:", pathname);
-    }
-    let authenticated = false;
-    if (customAuthCheck) {
-      authenticated = await customAuthCheck(request);
-    } else {
-      const sessionData = request.cookies.get(sessionCookie);
-      authenticated = !!sessionData?.value;
-    }
-    if (debug) {
-      console.log("[AuthMiddleware] Authenticated:", authenticated);
-    }
-    const isProtectedRoute = protectedRoutes.some(
-      (route) => pathname.startsWith(route)
-    );
-    const isPublicOnlyRoute = publicOnlyRoutes.some(
-      (route) => pathname.startsWith(route)
-    );
-    if (isProtectedRoute && !authenticated) {
-      if (debug) {
-        console.log("[AuthMiddleware] Redirecting to login");
-      }
-      const url = request.nextUrl.clone();
-      url.pathname = loginPath;
-      url.searchParams.set("returnUrl", pathname);
-      return NextResponse.redirect(url);
-    }
-    if (isProtectedRoute && authenticated && tenantConfig) {
-      try {
-        const sessionData = request.cookies.get(sessionCookie);
-        if (sessionData?.value) {
-          const account = safeJsonParse(sessionData.value, isValidAccountData);
-          if (account) {
-            const tenantResult = validateTenantAccess(account, tenantConfig);
-            if (!tenantResult.allowed) {
-              if (debug) {
-                console.log("[AuthMiddleware] Tenant access denied:", tenantResult.reason);
-              }
-              const url = request.nextUrl.clone();
-              url.pathname = tenantDeniedPath;
-              url.searchParams.set("reason", tenantResult.reason || "access_denied");
-              return NextResponse.redirect(url);
-            }
-          }
-        }
-      } catch (error) {
-        if (debug) {
-          console.warn("[AuthMiddleware] Tenant validation error:", error);
-        }
-      }
-    }
-    if (isPublicOnlyRoute && authenticated) {
-      if (debug) {
-        console.log("[AuthMiddleware] Redirecting to home");
-      }
-      const returnUrl = request.nextUrl.searchParams.get("returnUrl");
-      const url = request.nextUrl.clone();
-      url.pathname = returnUrl || redirectAfterLogin;
-      url.searchParams.delete("returnUrl");
-      return NextResponse.redirect(url);
-    }
-    const response = NextResponse.next();
-    if (authenticated) {
-      response.headers.set("x-msal-authenticated", "true");
-      try {
-        const sessionData = request.cookies.get(sessionCookie);
-        if (sessionData?.value) {
-          const account = safeJsonParse(sessionData.value, isValidAccountData);
-          if (account?.username) {
-            response.headers.set("x-msal-username", account.username);
-          }
-        }
-      } catch (error) {
-        if (debug) {
-          console.warn("[AuthMiddleware] Failed to parse session data");
-        }
-      }
-    }
-    return response;
-  };
-}
 // src/client.ts
 import { useMsal as useMsal3, useIsAuthenticated, useAccount as useAccount2 } from "@azure/msal-react";
 export {
@@ -3220,7 +3121,6 @@ export {
   ProtectedPage,
   SignOutButton,
   UserAvatar,
-  createAuthMiddleware,
   createMissingEnvVarError,
   createMsalConfig,
   createRetryWrapper,

package/dist/middleware.d.mts ADDED Viewed

@@ -0,0 +1,115 @@
+import { NextRequest, NextResponse } from 'next/server';
+/**
+ * Type definitions for @chemmangat/msal-next
+ *
+ * @packageDocumentation
+ */
+/**
+ * Multi-tenant configuration for v5.1.0
+ */
+interface MultiTenantConfig {
+    /**
+     * Tenant mode
+     * - 'single'        — only your own tenant (maps to authorityType 'tenant')
+     * - 'multi'         — any Azure AD tenant (maps to authorityType 'common')
+     * - 'organizations' — any organisational tenant, no personal accounts
+     * - 'consumers'     — Microsoft personal accounts only
+     * - 'common'        — alias for 'multi'
+     *
+     * @defaultValue 'common'
+     */
+    type?: 'single' | 'multi' | 'organizations' | 'consumers' | 'common';
+    /**
+     * Tenant allow-list — only users from these tenant IDs or domains are permitted.
+     * Checked after authentication; users from other tenants are shown an error.
+     *
+     * @example ['contoso.com', '72f988bf-86f1-41af-91ab-2d7cd011db47']
+     */
+    allowList?: string[];
+    /**
+     * Tenant block-list — users from these tenant IDs or domains are denied.
+     * Takes precedence over allowList.
+     */
+    blockList?: string[];
+    /**
+     * Require a specific tenant type ('Member' | 'Guest').
+     * Useful to block B2B guests or to allow only guests.
+     */
+    requireType?: 'Member' | 'Guest';
+    /**
+     * Require MFA claim in the token (amr claim must contain 'mfa').
+     * @defaultValue false
+     */
+    requireMFA?: boolean;
+}
+interface AuthMiddlewareConfig {
+    /**
+     * Routes that require authentication
+     * @example ['/dashboard', '/profile', '/api/protected']
+     */
+    protectedRoutes?: string[];
+    /**
+     * Routes that should be accessible only when NOT authenticated
+     * @example ['/login', '/signup']
+     */
+    publicOnlyRoutes?: string[];
+    /**
+     * Login page path
+     * @default '/login'
+     */
+    loginPath?: string;
+    /**
+     * Redirect path after login
+     * @default '/'
+     */
+    redirectAfterLogin?: string;
+    /**
+     * Cookie name for session
+     * @default 'msal.account'
+     */
+    sessionCookie?: string;
+    /**
+     * Custom authentication check function
+     */
+    isAuthenticated?: (request: NextRequest) => boolean | Promise<boolean>;
+    /**
+     * Tenant access configuration (v5.1.0).
+     * Validated against the account stored in the session cookie.
+     */
+    tenantConfig?: MultiTenantConfig;
+    /**
+     * Path to redirect to when tenant access is denied (v5.1.0).
+     * @default '/unauthorized'
+     */
+    tenantDeniedPath?: string;
+    /**
+     * Enable debug logging
+     * @default false
+     */
+    debug?: boolean;
+}
+/**
+ * Creates authentication middleware for Next.js App Router
+ *
+ * @example
+ * ```tsx
+ * // middleware.ts
+ * import { createAuthMiddleware } from '@chemmangat/msal-next';
+ *
+ * export const middleware = createAuthMiddleware({
+ *   protectedRoutes: ['/dashboard', '/profile'],
+ *   publicOnlyRoutes: ['/login'],
+ *   loginPath: '/login',
+ * });
+ *
+ * export const config = {
+ *   matcher: ['/((?!_next/static|_next/image|favicon.ico).*)'],
+ * };
+ * ```
+ */
+declare function createAuthMiddleware(config?: AuthMiddlewareConfig): (request: NextRequest) => Promise<NextResponse<unknown>>;
+export { type AuthMiddlewareConfig, createAuthMiddleware };

package/dist/middleware.d.ts ADDED Viewed

@@ -0,0 +1,115 @@
+import { NextRequest, NextResponse } from 'next/server';
+/**
+ * Type definitions for @chemmangat/msal-next
+ *
+ * @packageDocumentation
+ */
+/**
+ * Multi-tenant configuration for v5.1.0
+ */
+interface MultiTenantConfig {
+    /**
+     * Tenant mode
+     * - 'single'        — only your own tenant (maps to authorityType 'tenant')
+     * - 'multi'         — any Azure AD tenant (maps to authorityType 'common')
+     * - 'organizations' — any organisational tenant, no personal accounts
+     * - 'consumers'     — Microsoft personal accounts only
+     * - 'common'        — alias for 'multi'
+     *
+     * @defaultValue 'common'
+     */
+    type?: 'single' | 'multi' | 'organizations' | 'consumers' | 'common';
+    /**
+     * Tenant allow-list — only users from these tenant IDs or domains are permitted.
+     * Checked after authentication; users from other tenants are shown an error.
+     *
+     * @example ['contoso.com', '72f988bf-86f1-41af-91ab-2d7cd011db47']
+     */
+    allowList?: string[];
+    /**
+     * Tenant block-list — users from these tenant IDs or domains are denied.
+     * Takes precedence over allowList.
+     */
+    blockList?: string[];
+    /**
+     * Require a specific tenant type ('Member' | 'Guest').
+     * Useful to block B2B guests or to allow only guests.
+     */
+    requireType?: 'Member' | 'Guest';
+    /**
+     * Require MFA claim in the token (amr claim must contain 'mfa').
+     * @defaultValue false
+     */
+    requireMFA?: boolean;
+}
+interface AuthMiddlewareConfig {
+    /**
+     * Routes that require authentication
+     * @example ['/dashboard', '/profile', '/api/protected']
+     */
+    protectedRoutes?: string[];
+    /**
+     * Routes that should be accessible only when NOT authenticated
+     * @example ['/login', '/signup']
+     */
+    publicOnlyRoutes?: string[];
+    /**
+     * Login page path
+     * @default '/login'
+     */
+    loginPath?: string;
+    /**
+     * Redirect path after login
+     * @default '/'
+     */
+    redirectAfterLogin?: string;
+    /**
+     * Cookie name for session
+     * @default 'msal.account'
+     */
+    sessionCookie?: string;
+    /**
+     * Custom authentication check function
+     */
+    isAuthenticated?: (request: NextRequest) => boolean | Promise<boolean>;
+    /**
+     * Tenant access configuration (v5.1.0).
+     * Validated against the account stored in the session cookie.
+     */
+    tenantConfig?: MultiTenantConfig;
+    /**
+     * Path to redirect to when tenant access is denied (v5.1.0).
+     * @default '/unauthorized'
+     */
+    tenantDeniedPath?: string;
+    /**
+     * Enable debug logging
+     * @default false
+     */
+    debug?: boolean;
+}
+/**
+ * Creates authentication middleware for Next.js App Router
+ *
+ * @example
+ * ```tsx
+ * // middleware.ts
+ * import { createAuthMiddleware } from '@chemmangat/msal-next';
+ *
+ * export const middleware = createAuthMiddleware({
+ *   protectedRoutes: ['/dashboard', '/profile'],
+ *   publicOnlyRoutes: ['/login'],
+ *   loginPath: '/login',
+ * });
+ *
+ * export const config = {
+ *   matcher: ['/((?!_next/static|_next/image|favicon.ico).*)'],
+ * };
+ * ```
+ */
+declare function createAuthMiddleware(config?: AuthMiddlewareConfig): (request: NextRequest) => Promise<NextResponse<unknown>>;
+export { type AuthMiddlewareConfig, createAuthMiddleware };

package/dist/middleware.js ADDED Viewed

@@ -0,0 +1,203 @@
+'use strict';
+var server = require('next/server');
+// src/middleware/createAuthMiddleware.ts
+// src/utils/validation.ts
+function safeJsonParse(jsonString, validator) {
+  try {
+    const parsed = JSON.parse(jsonString);
+    if (validator(parsed)) {
+      return parsed;
+    }
+    console.warn("[Validation] JSON validation failed");
+    return null;
+  } catch (error) {
+    console.error("[Validation] JSON parse error:", error);
+    return null;
+  }
+}
+function isValidAccountData(data) {
+  return typeof data === "object" && data !== null && typeof data.homeAccountId === "string" && data.homeAccountId.length > 0 && typeof data.username === "string" && data.username.length > 0 && (data.name === void 0 || typeof data.name === "string");
+}
+// src/utils/tenantValidator.ts
+function getTenantDomain(account) {
+  const upn = account.username || account.idTokenClaims?.preferred_username || account.idTokenClaims?.upn || "";
+  return upn.includes("@") ? upn.split("@")[1].toLowerCase() : null;
+}
+function getTenantId(account) {
+  return account.tenantId || account.idTokenClaims?.tid || null;
+}
+function matchesTenant(value, tenantId, tenantDomain) {
+  const v = value.toLowerCase();
+  if (tenantId && v === tenantId.toLowerCase()) return true;
+  if (tenantDomain && v === tenantDomain.toLowerCase()) return true;
+  return false;
+}
+function isGuestAccount(account) {
+  const claims = account.idTokenClaims ?? {};
+  const resourceTenantId = account.tenantId || claims["tid"] || null;
+  const issuer = claims["iss"] || null;
+  if (!issuer || !resourceTenantId) return false;
+  const match = issuer.match(
+    /https:\/\/login\.microsoftonline\.com\/([^/]+)(?:\/|$)/i
+  );
+  if (!match) return false;
+  const homeTenantId = match[1];
+  return homeTenantId.toLowerCase() !== resourceTenantId.toLowerCase();
+}
+function validateTenantAccess(account, config) {
+  const tenantId = getTenantId(account);
+  const tenantDomain = getTenantDomain(account);
+  const claims = account.idTokenClaims ?? {};
+  if (config.blockList && config.blockList.length > 0) {
+    const blocked = config.blockList.some(
+      (entry) => matchesTenant(entry, tenantId, tenantDomain)
+    );
+    if (blocked) {
+      return {
+        allowed: false,
+        reason: `Tenant "${tenantDomain || tenantId}" is blocked from accessing this application.`
+      };
+    }
+  }
+  if (config.allowList && config.allowList.length > 0) {
+    const allowed = config.allowList.some(
+      (entry) => matchesTenant(entry, tenantId, tenantDomain)
+    );
+    if (!allowed) {
+      return {
+        allowed: false,
+        reason: `Tenant "${tenantDomain || tenantId}" is not in the allowed list for this application.`
+      };
+    }
+  }
+  if (config.requireType) {
+    const isGuest = isGuestAccount(account);
+    if (config.requireType === "Member" && isGuest) {
+      return {
+        allowed: false,
+        reason: "Only member accounts are allowed. Guest (B2B) accounts are not permitted."
+      };
+    }
+    if (config.requireType === "Guest" && !isGuest) {
+      return {
+        allowed: false,
+        reason: "Only guest (B2B) accounts are allowed."
+      };
+    }
+  }
+  if (config.requireMFA) {
+    const amr = claims["amr"] || [];
+    const hasMfa = amr.includes("mfa") || amr.includes("ngcmfa") || amr.includes("hwk") || amr.includes("swk");
+    if (!hasMfa) {
+      return {
+        allowed: false,
+        reason: "Multi-factor authentication (MFA) is required to access this application."
+      };
+    }
+  }
+  return { allowed: true };
+}
+// src/middleware/createAuthMiddleware.ts
+function createAuthMiddleware(config = {}) {
+  const {
+    protectedRoutes = [],
+    publicOnlyRoutes = [],
+    loginPath = "/login",
+    redirectAfterLogin = "/",
+    sessionCookie = "msal.account",
+    isAuthenticated: customAuthCheck,
+    tenantConfig,
+    tenantDeniedPath = "/unauthorized",
+    debug = false
+  } = config;
+  return async function authMiddleware(request) {
+    const { pathname } = request.nextUrl;
+    if (debug) {
+      console.log("[AuthMiddleware] Processing:", pathname);
+    }
+    let authenticated = false;
+    if (customAuthCheck) {
+      authenticated = await customAuthCheck(request);
+    } else {
+      const sessionData = request.cookies.get(sessionCookie);
+      authenticated = !!sessionData?.value;
+    }
+    if (debug) {
+      console.log("[AuthMiddleware] Authenticated:", authenticated);
+    }
+    const isProtectedRoute = protectedRoutes.some(
+      (route) => pathname.startsWith(route)
+    );
+    const isPublicOnlyRoute = publicOnlyRoutes.some(
+      (route) => pathname.startsWith(route)
+    );
+    if (isProtectedRoute && !authenticated) {
+      if (debug) {
+        console.log("[AuthMiddleware] Redirecting to login");
+      }
+      const url = request.nextUrl.clone();
+      url.pathname = loginPath;
+      url.searchParams.set("returnUrl", pathname);
+      return server.NextResponse.redirect(url);
+    }
+    if (isProtectedRoute && authenticated && tenantConfig) {
+      try {
+        const sessionData = request.cookies.get(sessionCookie);
+        if (sessionData?.value) {
+          const account = safeJsonParse(sessionData.value, isValidAccountData);
+          if (account) {
+            const tenantResult = validateTenantAccess(account, tenantConfig);
+            if (!tenantResult.allowed) {
+              if (debug) {
+                console.log("[AuthMiddleware] Tenant access denied:", tenantResult.reason);
+              }
+              const url = request.nextUrl.clone();
+              url.pathname = tenantDeniedPath;
+              url.searchParams.set("reason", tenantResult.reason || "access_denied");
+              return server.NextResponse.redirect(url);
+            }
+          }
+        }
+      } catch (error) {
+        if (debug) {
+          console.warn("[AuthMiddleware] Tenant validation error:", error);
+        }
+      }
+    }
+    if (isPublicOnlyRoute && authenticated) {
+      if (debug) {
+        console.log("[AuthMiddleware] Redirecting to home");
+      }
+      const returnUrl = request.nextUrl.searchParams.get("returnUrl");
+      const url = request.nextUrl.clone();
+      url.pathname = returnUrl || redirectAfterLogin;
+      url.searchParams.delete("returnUrl");
+      return server.NextResponse.redirect(url);
+    }
+    const response = server.NextResponse.next();
+    if (authenticated) {
+      response.headers.set("x-msal-authenticated", "true");
+      try {
+        const sessionData = request.cookies.get(sessionCookie);
+        if (sessionData?.value) {
+          const account = safeJsonParse(sessionData.value, isValidAccountData);
+          if (account?.username) {
+            response.headers.set("x-msal-username", account.username);
+          }
+        }
+      } catch (error) {
+        if (debug) {
+          console.warn("[AuthMiddleware] Failed to parse session data");
+        }
+      }
+    }
+    return response;
+  };
+}
+exports.createAuthMiddleware = createAuthMiddleware;

package/dist/middleware.mjs ADDED Viewed

@@ -0,0 +1,201 @@
+import { NextResponse } from 'next/server';
+// src/middleware/createAuthMiddleware.ts
+// src/utils/validation.ts
+function safeJsonParse(jsonString, validator) {
+  try {
+    const parsed = JSON.parse(jsonString);
+    if (validator(parsed)) {
+      return parsed;
+    }
+    console.warn("[Validation] JSON validation failed");
+    return null;
+  } catch (error) {
+    console.error("[Validation] JSON parse error:", error);
+    return null;
+  }
+}
+function isValidAccountData(data) {
+  return typeof data === "object" && data !== null && typeof data.homeAccountId === "string" && data.homeAccountId.length > 0 && typeof data.username === "string" && data.username.length > 0 && (data.name === void 0 || typeof data.name === "string");
+}
+// src/utils/tenantValidator.ts
+function getTenantDomain(account) {
+  const upn = account.username || account.idTokenClaims?.preferred_username || account.idTokenClaims?.upn || "";
+  return upn.includes("@") ? upn.split("@")[1].toLowerCase() : null;
+}
+function getTenantId(account) {
+  return account.tenantId || account.idTokenClaims?.tid || null;
+}
+function matchesTenant(value, tenantId, tenantDomain) {
+  const v = value.toLowerCase();
+  if (tenantId && v === tenantId.toLowerCase()) return true;
+  if (tenantDomain && v === tenantDomain.toLowerCase()) return true;
+  return false;
+}
+function isGuestAccount(account) {
+  const claims = account.idTokenClaims ?? {};
+  const resourceTenantId = account.tenantId || claims["tid"] || null;
+  const issuer = claims["iss"] || null;
+  if (!issuer || !resourceTenantId) return false;
+  const match = issuer.match(
+    /https:\/\/login\.microsoftonline\.com\/([^/]+)(?:\/|$)/i
+  );
+  if (!match) return false;
+  const homeTenantId = match[1];
+  return homeTenantId.toLowerCase() !== resourceTenantId.toLowerCase();
+}
+function validateTenantAccess(account, config) {
+  const tenantId = getTenantId(account);
+  const tenantDomain = getTenantDomain(account);
+  const claims = account.idTokenClaims ?? {};
+  if (config.blockList && config.blockList.length > 0) {
+    const blocked = config.blockList.some(
+      (entry) => matchesTenant(entry, tenantId, tenantDomain)
+    );
+    if (blocked) {
+      return {
+        allowed: false,
+        reason: `Tenant "${tenantDomain || tenantId}" is blocked from accessing this application.`
+      };
+    }
+  }
+  if (config.allowList && config.allowList.length > 0) {
+    const allowed = config.allowList.some(
+      (entry) => matchesTenant(entry, tenantId, tenantDomain)
+    );
+    if (!allowed) {
+      return {
+        allowed: false,
+        reason: `Tenant "${tenantDomain || tenantId}" is not in the allowed list for this application.`
+      };
+    }
+  }
+  if (config.requireType) {
+    const isGuest = isGuestAccount(account);
+    if (config.requireType === "Member" && isGuest) {
+      return {
+        allowed: false,
+        reason: "Only member accounts are allowed. Guest (B2B) accounts are not permitted."
+      };
+    }
+    if (config.requireType === "Guest" && !isGuest) {
+      return {
+        allowed: false,
+        reason: "Only guest (B2B) accounts are allowed."
+      };
+    }
+  }
+  if (config.requireMFA) {
+    const amr = claims["amr"] || [];
+    const hasMfa = amr.includes("mfa") || amr.includes("ngcmfa") || amr.includes("hwk") || amr.includes("swk");
+    if (!hasMfa) {
+      return {
+        allowed: false,
+        reason: "Multi-factor authentication (MFA) is required to access this application."
+      };
+    }
+  }
+  return { allowed: true };
+}
+// src/middleware/createAuthMiddleware.ts
+function createAuthMiddleware(config = {}) {
+  const {
+    protectedRoutes = [],
+    publicOnlyRoutes = [],
+    loginPath = "/login",
+    redirectAfterLogin = "/",
+    sessionCookie = "msal.account",
+    isAuthenticated: customAuthCheck,
+    tenantConfig,
+    tenantDeniedPath = "/unauthorized",
+    debug = false
+  } = config;
+  return async function authMiddleware(request) {
+    const { pathname } = request.nextUrl;
+    if (debug) {
+      console.log("[AuthMiddleware] Processing:", pathname);
+    }
+    let authenticated = false;
+    if (customAuthCheck) {
+      authenticated = await customAuthCheck(request);
+    } else {
+      const sessionData = request.cookies.get(sessionCookie);
+      authenticated = !!sessionData?.value;
+    }
+    if (debug) {
+      console.log("[AuthMiddleware] Authenticated:", authenticated);
+    }
+    const isProtectedRoute = protectedRoutes.some(
+      (route) => pathname.startsWith(route)
+    );
+    const isPublicOnlyRoute = publicOnlyRoutes.some(
+      (route) => pathname.startsWith(route)
+    );
+    if (isProtectedRoute && !authenticated) {
+      if (debug) {
+        console.log("[AuthMiddleware] Redirecting to login");
+      }
+      const url = request.nextUrl.clone();
+      url.pathname = loginPath;
+      url.searchParams.set("returnUrl", pathname);
+      return NextResponse.redirect(url);
+    }
+    if (isProtectedRoute && authenticated && tenantConfig) {
+      try {
+        const sessionData = request.cookies.get(sessionCookie);
+        if (sessionData?.value) {
+          const account = safeJsonParse(sessionData.value, isValidAccountData);
+          if (account) {
+            const tenantResult = validateTenantAccess(account, tenantConfig);
+            if (!tenantResult.allowed) {
+              if (debug) {
+                console.log("[AuthMiddleware] Tenant access denied:", tenantResult.reason);
+              }
+              const url = request.nextUrl.clone();
+              url.pathname = tenantDeniedPath;
+              url.searchParams.set("reason", tenantResult.reason || "access_denied");
+              return NextResponse.redirect(url);
+            }
+          }
+        }
+      } catch (error) {
+        if (debug) {
+          console.warn("[AuthMiddleware] Tenant validation error:", error);
+        }
+      }
+    }
+    if (isPublicOnlyRoute && authenticated) {
+      if (debug) {
+        console.log("[AuthMiddleware] Redirecting to home");
+      }
+      const returnUrl = request.nextUrl.searchParams.get("returnUrl");
+      const url = request.nextUrl.clone();
+      url.pathname = returnUrl || redirectAfterLogin;
+      url.searchParams.delete("returnUrl");
+      return NextResponse.redirect(url);
+    }
+    const response = NextResponse.next();
+    if (authenticated) {
+      response.headers.set("x-msal-authenticated", "true");
+      try {
+        const sessionData = request.cookies.get(sessionCookie);
+        if (sessionData?.value) {
+          const account = safeJsonParse(sessionData.value, isValidAccountData);
+          if (account?.username) {
+            response.headers.set("x-msal-username", account.username);
+          }
+        }
+      } catch (error) {
+        if (debug) {
+          console.warn("[AuthMiddleware] Failed to parse session data");
+        }
+      }
+    }
+    return response;
+  };
+}
+export { createAuthMiddleware };

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@chemmangat/msal-next",
-  "version": "5.2.0",
+  "version": "5.2.1",
   "description": "Production-ready Microsoft/Azure AD authentication for Next.js App Router. Zero-config setup, TypeScript-first, multi-account support, auto token refresh. The easiest way to add Microsoft login to your Next.js app.",
   "main": "./dist/index.js",
   "module": "./dist/index.mjs",
@@ -15,6 +15,11 @@
       "types": "./dist/server.d.ts",
       "import": "./dist/server.mjs",
       "require": "./dist/server.js"
+    },
+    "./middleware": {
+      "types": "./dist/middleware.d.ts",
+      "import": "./dist/middleware.mjs",
+      "require": "./dist/middleware.js"
     }
   },
   "files": [