@chemmangat/msal-next 5.2.0 → 5.3.0

package/CHANGELOG.md

@@ -2,7 +2,67 @@
 
 All notable changes to this project will be documented in this file.
 
-## [5.2.0] - 2026-04-07
+## [5.3.0] - 2026-04-07
+
+### 🐛 Bug Fixes
+
+#### Fix 1 — Auto-sync `msal.account` session cookie (no manual cookie code needed)
+
+`MsalAuthProvider` now automatically writes and clears the `msal.account` cookie on every auth event. The middleware works out of the box with zero manual setup.
+
+- `LOGIN_SUCCESS` → writes `msal.account` cookie (`{ homeAccountId, username, name }`, URL-encoded, `path=/; SameSite=Lax`)
+- `LOGOUT_SUCCESS` / `LOGOUT_END` → clears the cookie
+- Redirect flow (`handleRedirectPromise`) → writes cookie immediately after redirect completes
+- Existing cached account on init → restores cookie (handles browser restart with `localStorage` cache)
+
+#### Fix 2 — `setServerSessionCookie` no longer calls a non-existent API route
+
+The old implementation called `fetch('/api/auth/session')` which required an undocumented route that didn't exist. It now writes `document.cookie` directly — same format as Fix 1. The function signature changed from `async (account, accessToken?) => Promise<void>` to `(account) => void`.
+
+A new `clearServerSessionCookie()` helper is also exported from `@chemmangat/msal-next/server`.
+
+> As of v5.3.0 you rarely need to call either function manually — `MsalAuthProvider` handles the cookie automatically.
+
+#### Fix 3 — `useTokenRefresh` now reads real token expiry
+
+The hook previously hardcoded `expiresIn = 3600`. It now calls `instance.acquireTokenSilent` directly and reads `response.expiresOn` to calculate the actual remaining seconds. Falls back to `3600` if `expiresOn` is `null`.
+
+#### Fix 4 — `navigateToLoginRequestUrl` JSDoc default corrected
+
+The `@defaultValue` in `MsalAuthConfig` was documented as `true` but the actual default in `createMsalConfig` was `false`. Corrected to `@defaultValue false`.
+
+#### Fix 5 — No `/api/auth/session` route required
+
+All references to the non-existent `/api/auth/session` route have been removed. Cookie management is now entirely client-side via `document.cookie`.
+
+---
+
+
+
+### 🐛 Bug Fix
+
+#### `createAuthMiddleware` now importable from `@chemmangat/msal-next/middleware`
+
+`createAuthMiddleware` was previously bundled inside `dist/index.mjs` which carries a `"use client"` directive. Importing it in `middleware.ts` caused Next.js to throw:
+
+> "Attempted to call createAuthMiddleware() from the server but createAuthMiddleware is on the client."
+
+It now has its own edge-compatible entry point with no React, no `@azure/msal-browser`, and no `"use client"` — only `next/server`.
+
+**Migration** (update your import):
+```ts
+// Before
+import { createAuthMiddleware } from '@chemmangat/msal-next';
+
+// After
+import { createAuthMiddleware } from '@chemmangat/msal-next/middleware';
+```
+
+Also fixed `tenantValidator.ts` to use `import type` for its `@azure/msal-browser` and `types.ts` imports, ensuring those never get bundled into the middleware output.
+
+---
+
+
 
 ### 🔧 Compatibility
 

package/dist/index.d.mts

@@ -2,7 +2,7 @@ import * as react_jsx_runtime from 'react/jsx-runtime';
 import { Configuration, LogLevel, IPublicClientApplication, PublicClientApplication, AccountInfo } from '@azure/msal-browser';
 export { AccountInfo } from '@azure/msal-browser';
 import { ReactNode, CSSProperties, Component, ErrorInfo, ComponentType } from 'react';
-import { NextRequest, NextResponse } from 'next/server';
+import { NextRequest } from 'next/server';
 export { useAccount, useIsAuthenticated, useMsal } from '@azure/msal-react';
 
 /**
@@ -167,7 +167,7 @@ interface MsalAuthConfig {
      * @remarks
      * If true, redirects to the page that initiated login after successful auth.
      *
-     * @defaultValue true
+     * @defaultValue false
      */
     navigateToLoginRequestUrl?: boolean;
     /**
@@ -1865,6 +1865,26 @@ declare function withPageAuth<P extends object>(Component: ComponentType<P>, aut
     displayName: string;
 };
 
+interface ServerSession {
+    /**
+     * Whether user is authenticated
+     */
+    isAuthenticated: boolean;
+    /**
+     * User's account ID from MSAL cache
+     */
+    accountId?: string;
+    /**
+     * User's username/email
+     */
+    username?: string;
+    /**
+     * Access token (if available in cookie)
+     * @deprecated Storing tokens in cookies is not recommended for security reasons
+     */
+    accessToken?: string;
+}
+
 interface AuthMiddlewareConfig {
     /**
      * Routes that require authentication
@@ -1911,45 +1931,5 @@ interface AuthMiddlewareConfig {
      */
     debug?: boolean;
 }
-/**
- * Creates authentication middleware for Next.js App Router
- *
- * @example
- * ```tsx
- * // middleware.ts
- * import { createAuthMiddleware } from '@chemmangat/msal-next';
- *
- * export const middleware = createAuthMiddleware({
- *   protectedRoutes: ['/dashboard', '/profile'],
- *   publicOnlyRoutes: ['/login'],
- *   loginPath: '/login',
- * });
- *
- * export const config = {
- *   matcher: ['/((?!_next/static|_next/image|favicon.ico).*)'],
- * };
- * ```
- */
-declare function createAuthMiddleware(config?: AuthMiddlewareConfig): (request: NextRequest) => Promise<NextResponse<unknown>>;
-
-interface ServerSession {
-    /**
-     * Whether user is authenticated
-     */
-    isAuthenticated: boolean;
-    /**
-     * User's account ID from MSAL cache
-     */
-    accountId?: string;
-    /**
-     * User's username/email
-     */
-    username?: string;
-    /**
-     * Access token (if available in cookie)
-     * @deprecated Storing tokens in cookies is not recommended for security reasons
-     */
-    accessToken?: string;
-}
 
-export { AccountList, type AccountListProps, AccountSwitcher, type AccountSwitcherProps, AuthGuard, type AuthGuardProps, type AuthMiddlewareConfig, type AuthProtectionConfig, AuthStatus, type AuthStatusProps, type CustomTokenClaims, type DebugLoggerConfig, ErrorBoundary, type ErrorBoundaryProps, type GraphApiOptions, MSALProvider, MicrosoftSignInButton, type MicrosoftSignInButtonProps, type MsalAuthConfig, MsalAuthProvider, type MsalAuthProviderProps, MsalError, type MultiTenantConfig, type PageAuthConfig, ProtectedPage, type RetryConfig, type ServerSession, SignOutButton, type SignOutButtonProps, type TenantAuthConfig, type TenantInfo, type UseGraphApiReturn, type UseMsalAuthReturn, type UseMultiAccountReturn, type UseRolesReturn, type UseTenantReturn, type UseTokenRefreshOptions, type UseTokenRefreshReturn, type UseUserProfileReturn, UserAvatar, type UserAvatarProps, type UserProfile, type ValidatedAccountData, type ValidationError, type ValidationResult, type ValidationWarning, type WithAuthOptions, createAuthMiddleware, createMissingEnvVarError, createMsalConfig, createRetryWrapper, createScopedLogger, displayValidationResults, getDebugLogger, getMsalInstance, isValidAccountData, isValidRedirectUri, isValidScope, retryWithBackoff, safeJsonParse, sanitizeError, useGraphApi, useMsalAuth, useMultiAccount, useRoles, useTenant, useTenantConfig, useTokenRefresh, useUserProfile, validateConfig, validateScopes, withAuth, withPageAuth, wrapMsalError };
+export { AccountList, type AccountListProps, AccountSwitcher, type AccountSwitcherProps, AuthGuard, type AuthGuardProps, type AuthMiddlewareConfig, type AuthProtectionConfig, AuthStatus, type AuthStatusProps, type CustomTokenClaims, type DebugLoggerConfig, ErrorBoundary, type ErrorBoundaryProps, type GraphApiOptions, MSALProvider, MicrosoftSignInButton, type MicrosoftSignInButtonProps, type MsalAuthConfig, MsalAuthProvider, type MsalAuthProviderProps, MsalError, type MultiTenantConfig, type PageAuthConfig, ProtectedPage, type RetryConfig, type ServerSession, SignOutButton, type SignOutButtonProps, type TenantAuthConfig, type TenantInfo, type UseGraphApiReturn, type UseMsalAuthReturn, type UseMultiAccountReturn, type UseRolesReturn, type UseTenantReturn, type UseTokenRefreshOptions, type UseTokenRefreshReturn, type UseUserProfileReturn, UserAvatar, type UserAvatarProps, type UserProfile, type ValidatedAccountData, type ValidationError, type ValidationResult, type ValidationWarning, type WithAuthOptions, createMissingEnvVarError, createMsalConfig, createRetryWrapper, createScopedLogger, displayValidationResults, getDebugLogger, getMsalInstance, isValidAccountData, isValidRedirectUri, isValidScope, retryWithBackoff, safeJsonParse, sanitizeError, useGraphApi, useMsalAuth, useMultiAccount, useRoles, useTenant, useTenantConfig, useTokenRefresh, useUserProfile, validateConfig, validateScopes, withAuth, withPageAuth, wrapMsalError };

package/dist/index.d.ts

@@ -2,7 +2,7 @@ import * as react_jsx_runtime from 'react/jsx-runtime';
 import { Configuration, LogLevel, IPublicClientApplication, PublicClientApplication, AccountInfo } from '@azure/msal-browser';
 export { AccountInfo } from '@azure/msal-browser';
 import { ReactNode, CSSProperties, Component, ErrorInfo, ComponentType } from 'react';
-import { NextRequest, NextResponse } from 'next/server';
+import { NextRequest } from 'next/server';
 export { useAccount, useIsAuthenticated, useMsal } from '@azure/msal-react';
 
 /**
@@ -167,7 +167,7 @@ interface MsalAuthConfig {
      * @remarks
      * If true, redirects to the page that initiated login after successful auth.
      *
-     * @defaultValue true
+     * @defaultValue false
      */
     navigateToLoginRequestUrl?: boolean;
     /**
@@ -1865,6 +1865,26 @@ declare function withPageAuth<P extends object>(Component: ComponentType<P>, aut
     displayName: string;
 };
 
+interface ServerSession {
+    /**
+     * Whether user is authenticated
+     */
+    isAuthenticated: boolean;
+    /**
+     * User's account ID from MSAL cache
+     */
+    accountId?: string;
+    /**
+     * User's username/email
+     */
+    username?: string;
+    /**
+     * Access token (if available in cookie)
+     * @deprecated Storing tokens in cookies is not recommended for security reasons
+     */
+    accessToken?: string;
+}
+
 interface AuthMiddlewareConfig {
     /**
      * Routes that require authentication
@@ -1911,45 +1931,5 @@ interface AuthMiddlewareConfig {
      */
     debug?: boolean;
 }
-/**
- * Creates authentication middleware for Next.js App Router
- *
- * @example
- * ```tsx
- * // middleware.ts
- * import { createAuthMiddleware } from '@chemmangat/msal-next';
- *
- * export const middleware = createAuthMiddleware({
- *   protectedRoutes: ['/dashboard', '/profile'],
- *   publicOnlyRoutes: ['/login'],
- *   loginPath: '/login',
- * });
- *
- * export const config = {
- *   matcher: ['/((?!_next/static|_next/image|favicon.ico).*)'],
- * };
- * ```
- */
-declare function createAuthMiddleware(config?: AuthMiddlewareConfig): (request: NextRequest) => Promise<NextResponse<unknown>>;
-
-interface ServerSession {
-    /**
-     * Whether user is authenticated
-     */
-    isAuthenticated: boolean;
-    /**
-     * User's account ID from MSAL cache
-     */
-    accountId?: string;
-    /**
-     * User's username/email
-     */
-    username?: string;
-    /**
-     * Access token (if available in cookie)
-     * @deprecated Storing tokens in cookies is not recommended for security reasons
-     */
-    accessToken?: string;
-}
 
-export { AccountList, type AccountListProps, AccountSwitcher, type AccountSwitcherProps, AuthGuard, type AuthGuardProps, type AuthMiddlewareConfig, type AuthProtectionConfig, AuthStatus, type AuthStatusProps, type CustomTokenClaims, type DebugLoggerConfig, ErrorBoundary, type ErrorBoundaryProps, type GraphApiOptions, MSALProvider, MicrosoftSignInButton, type MicrosoftSignInButtonProps, type MsalAuthConfig, MsalAuthProvider, type MsalAuthProviderProps, MsalError, type MultiTenantConfig, type PageAuthConfig, ProtectedPage, type RetryConfig, type ServerSession, SignOutButton, type SignOutButtonProps, type TenantAuthConfig, type TenantInfo, type UseGraphApiReturn, type UseMsalAuthReturn, type UseMultiAccountReturn, type UseRolesReturn, type UseTenantReturn, type UseTokenRefreshOptions, type UseTokenRefreshReturn, type UseUserProfileReturn, UserAvatar, type UserAvatarProps, type UserProfile, type ValidatedAccountData, type ValidationError, type ValidationResult, type ValidationWarning, type WithAuthOptions, createAuthMiddleware, createMissingEnvVarError, createMsalConfig, createRetryWrapper, createScopedLogger, displayValidationResults, getDebugLogger, getMsalInstance, isValidAccountData, isValidRedirectUri, isValidScope, retryWithBackoff, safeJsonParse, sanitizeError, useGraphApi, useMsalAuth, useMultiAccount, useRoles, useTenant, useTenantConfig, useTokenRefresh, useUserProfile, validateConfig, validateScopes, withAuth, withPageAuth, wrapMsalError };
+export { AccountList, type AccountListProps, AccountSwitcher, type AccountSwitcherProps, AuthGuard, type AuthGuardProps, type AuthMiddlewareConfig, type AuthProtectionConfig, AuthStatus, type AuthStatusProps, type CustomTokenClaims, type DebugLoggerConfig, ErrorBoundary, type ErrorBoundaryProps, type GraphApiOptions, MSALProvider, MicrosoftSignInButton, type MicrosoftSignInButtonProps, type MsalAuthConfig, MsalAuthProvider, type MsalAuthProviderProps, MsalError, type MultiTenantConfig, type PageAuthConfig, ProtectedPage, type RetryConfig, type ServerSession, SignOutButton, type SignOutButtonProps, type TenantAuthConfig, type TenantInfo, type UseGraphApiReturn, type UseMsalAuthReturn, type UseMultiAccountReturn, type UseRolesReturn, type UseTenantReturn, type UseTokenRefreshOptions, type UseTokenRefreshReturn, type UseUserProfileReturn, UserAvatar, type UserAvatarProps, type UserProfile, type ValidatedAccountData, type ValidationError, type ValidationResult, type ValidationWarning, type WithAuthOptions, createMissingEnvVarError, createMsalConfig, createRetryWrapper, createScopedLogger, displayValidationResults, getDebugLogger, getMsalInstance, isValidAccountData, isValidRedirectUri, isValidScope, retryWithBackoff, safeJsonParse, sanitizeError, useGraphApi, useMsalAuth, useMultiAccount, useRoles, useTenant, useTenantConfig, useTokenRefresh, useUserProfile, validateConfig, validateScopes, withAuth, withPageAuth, wrapMsalError };

package/dist/index.js

@@ -33,7 +33,6 @@ __export(client_exports, {
   ProtectedPage: () => ProtectedPage,
   SignOutButton: () => SignOutButton,
   UserAvatar: () => UserAvatar,
-  createAuthMiddleware: () => createAuthMiddleware,
   createMissingEnvVarError: () => createMissingEnvVarError,
   createMsalConfig: () => createMsalConfig,
   createRetryWrapper: () => createRetryWrapper,
@@ -47,10 +46,10 @@ __export(client_exports, {
   retryWithBackoff: () => retryWithBackoff,
   safeJsonParse: () => safeJsonParse,
   sanitizeError: () => sanitizeError,
-  useAccount: () => import_msal_react4.useAccount,
+  useAccount: () => import_msal_react5.useAccount,
   useGraphApi: () => useGraphApi,
-  useIsAuthenticated: () => import_msal_react4.useIsAuthenticated,
-  useMsal: () => import_msal_react4.useMsal,
+  useIsAuthenticated: () => import_msal_react5.useIsAuthenticated,
+  useMsal: () => import_msal_react5.useMsal,
   useMsalAuth: () => useMsalAuth,
   useMultiAccount: () => useMultiAccount,
   useRoles: () => useRoles,
@@ -67,7 +66,7 @@ __export(client_exports, {
 module.exports = __toCommonJS(client_exports);
 
 // src/components/MsalAuthProvider.tsx
-var import_msal_react2 = require("@azure/msal-react");
+var import_msal_react3 = require("@azure/msal-react");
 var import_msal_browser3 = require("@azure/msal-browser");
 var import_react3 = require("react");
 
@@ -674,6 +673,7 @@ Note: Environment variables starting with NEXT_PUBLIC_ are exposed to the browse
 
 // src/hooks/useTokenRefresh.ts
 var import_react2 = require("react");
+var import_msal_react2 = require("@azure/msal-react");
 
 // src/hooks/useMsalAuth.ts
 var import_msal_react = require("@azure/msal-react");
@@ -852,7 +852,8 @@ function useTokenRefresh(options = {}) {
     onRefresh,
     onError
   } = options;
-  const { isAuthenticated, account, acquireTokenSilent } = useMsalAuth();
+  const { isAuthenticated, account } = useMsalAuth();
+  const { instance } = (0, import_msal_react2.useMsal)();
   const intervalRef = (0, import_react2.useRef)(null);
   const lastRefreshRef = (0, import_react2.useRef)(null);
   const expiresInRef = (0, import_react2.useRef)(null);
@@ -861,23 +862,27 @@ function useTokenRefresh(options = {}) {
       return;
     }
     try {
-      await acquireTokenSilent(scopes);
+      const response = await instance.acquireTokenSilent({
+        scopes,
+        account,
+        forceRefresh: false
+      });
       lastRefreshRef.current = /* @__PURE__ */ new Date();
-      const expiresIn = 3600;
+      const expiresIn = response.expiresOn ? Math.max(0, response.expiresOn.getTime() / 1e3 - Date.now() / 1e3) : 3600;
       expiresInRef.current = expiresIn;
       onRefresh?.(expiresIn);
     } catch (error) {
       console.error("[TokenRefresh] Failed to refresh token:", error);
       onError?.(error);
     }
-  }, [isAuthenticated, account, acquireTokenSilent, scopes, onRefresh, onError]);
+  }, [isAuthenticated, account, instance, scopes, onRefresh, onError]);
   (0, import_react2.useEffect)(() => {
     if (!enabled || !isAuthenticated) {
       return;
     }
     refresh();
     intervalRef.current = setInterval(() => {
-      if (!expiresInRef.current) {
+      if (expiresInRef.current === null) {
         return;
       }
       const timeSinceRefresh = lastRefreshRef.current ? (Date.now() - lastRefreshRef.current.getTime()) / 1e3 : 0;
@@ -1010,6 +1015,23 @@ function validateTenantAccess(account, config) {
 // src/components/MsalAuthProvider.tsx
 var import_jsx_runtime = require("react/jsx-runtime");
 var globalMsalInstance = null;
+function writeMsalSessionCookie(account) {
+  try {
+    const data = encodeURIComponent(JSON.stringify({
+      homeAccountId: account.homeAccountId,
+      username: account.username,
+      name: account.name ?? ""
+    }));
+    document.cookie = `msal.account=${data}; path=/; SameSite=Lax`;
+  } catch {
+  }
+}
+function clearMsalSessionCookie() {
+  try {
+    document.cookie = "msal.account=; path=/; SameSite=Lax; expires=Thu, 01 Jan 1970 00:00:00 GMT";
+  } catch {
+  }
+}
 function getMsalInstance() {
   return globalMsalInstance;
 }
@@ -1059,6 +1081,7 @@ function MsalAuthProvider({
             }
             if (response.account) {
               instance.setActiveAccount(response.account);
+              writeMsalSessionCookie(response.account);
               if (config.multiTenant) {
                 const validation = validateTenantAccess(response.account, config.multiTenant);
                 if (!validation.allowed) {
@@ -1104,6 +1127,7 @@ function MsalAuthProvider({
         const accounts = instance.getAllAccounts();
         if (accounts.length > 0 && !instance.getActiveAccount()) {
           instance.setActiveAccount(accounts[0]);
+          writeMsalSessionCookie(accounts[0]);
         }
         const loggingEnabled = config.enableLogging || false;
         instance.addEventCallback((event) => {
@@ -1112,6 +1136,7 @@ function MsalAuthProvider({
             const account = "account" in payload ? payload.account : payload;
             if (account) {
               instance.setActiveAccount(account);
+              writeMsalSessionCookie(account);
             }
             if (loggingEnabled) {
               console.log("[MSAL] Login successful:", account?.username);
@@ -1123,10 +1148,14 @@ function MsalAuthProvider({
           }
           if (event.eventType === import_msal_browser3.EventType.LOGOUT_SUCCESS) {
             instance.setActiveAccount(null);
+            clearMsalSessionCookie();
             if (loggingEnabled) {
               console.log("[MSAL] Logout successful");
             }
           }
+          if (import_msal_browser3.EventType.LOGOUT_END !== void 0 && event.eventType === import_msal_browser3.EventType.LOGOUT_END) {
+            clearMsalSessionCookie();
+          }
           if (event.eventType === import_msal_browser3.EventType.ACQUIRE_TOKEN_SUCCESS) {
             const payload = event.payload;
             if (payload?.account && !instance.getActiveAccount()) {
@@ -1158,7 +1187,7 @@ function MsalAuthProvider({
   if (!msalInstance) {
     return /* @__PURE__ */ (0, import_jsx_runtime.jsx)(import_jsx_runtime.Fragment, { children: loadingComponent || /* @__PURE__ */ (0, import_jsx_runtime.jsx)("div", { children: "Loading authentication..." }) });
   }
-  return /* @__PURE__ */ (0, import_jsx_runtime.jsxs)(import_msal_react2.MsalProvider, { instance: msalInstance, children: [
+  return /* @__PURE__ */ (0, import_jsx_runtime.jsxs)(import_msal_react3.MsalProvider, { instance: msalInstance, children: [
     autoRefreshToken && /* @__PURE__ */ (0, import_jsx_runtime.jsx)(
       TokenRefreshManager,
       {
@@ -1928,11 +1957,11 @@ var ErrorBoundary = class extends import_react10.Component {
 };
 
 // src/hooks/useMultiAccount.ts
-var import_msal_react3 = require("@azure/msal-react");
+var import_msal_react4 = require("@azure/msal-react");
 var import_msal_browser4 = require("@azure/msal-browser");
 var import_react11 = require("react");
 function useMultiAccount(defaultScopes = ["User.Read"]) {
-  const { instance, accounts, inProgress } = (0, import_msal_react3.useMsal)();
+  const { instance, accounts, inProgress } = (0, import_msal_react4.useMsal)();
   const [activeAccount, setActiveAccount] = (0, import_react11.useState)(
     instance.getActiveAccount()
   );
@@ -3166,107 +3195,8 @@ function withPageAuth(Component2, authConfig, globalConfig) {
   return WrappedComponent;
 }
 
-// src/middleware/createAuthMiddleware.ts
-var import_server = require("next/server");
-function createAuthMiddleware(config = {}) {
-  const {
-    protectedRoutes = [],
-    publicOnlyRoutes = [],
-    loginPath = "/login",
-    redirectAfterLogin = "/",
-    sessionCookie = "msal.account",
-    isAuthenticated: customAuthCheck,
-    tenantConfig,
-    tenantDeniedPath = "/unauthorized",
-    debug = false
-  } = config;
-  return async function authMiddleware(request) {
-    const { pathname } = request.nextUrl;
-    if (debug) {
-      console.log("[AuthMiddleware] Processing:", pathname);
-    }
-    let authenticated = false;
-    if (customAuthCheck) {
-      authenticated = await customAuthCheck(request);
-    } else {
-      const sessionData = request.cookies.get(sessionCookie);
-      authenticated = !!sessionData?.value;
-    }
-    if (debug) {
-      console.log("[AuthMiddleware] Authenticated:", authenticated);
-    }
-    const isProtectedRoute = protectedRoutes.some(
-      (route) => pathname.startsWith(route)
-    );
-    const isPublicOnlyRoute = publicOnlyRoutes.some(
-      (route) => pathname.startsWith(route)
-    );
-    if (isProtectedRoute && !authenticated) {
-      if (debug) {
-        console.log("[AuthMiddleware] Redirecting to login");
-      }
-      const url = request.nextUrl.clone();
-      url.pathname = loginPath;
-      url.searchParams.set("returnUrl", pathname);
-      return import_server.NextResponse.redirect(url);
-    }
-    if (isProtectedRoute && authenticated && tenantConfig) {
-      try {
-        const sessionData = request.cookies.get(sessionCookie);
-        if (sessionData?.value) {
-          const account = safeJsonParse(sessionData.value, isValidAccountData);
-          if (account) {
-            const tenantResult = validateTenantAccess(account, tenantConfig);
-            if (!tenantResult.allowed) {
-              if (debug) {
-                console.log("[AuthMiddleware] Tenant access denied:", tenantResult.reason);
-              }
-              const url = request.nextUrl.clone();
-              url.pathname = tenantDeniedPath;
-              url.searchParams.set("reason", tenantResult.reason || "access_denied");
-              return import_server.NextResponse.redirect(url);
-            }
-          }
-        }
-      } catch (error) {
-        if (debug) {
-          console.warn("[AuthMiddleware] Tenant validation error:", error);
-        }
-      }
-    }
-    if (isPublicOnlyRoute && authenticated) {
-      if (debug) {
-        console.log("[AuthMiddleware] Redirecting to home");
-      }
-      const returnUrl = request.nextUrl.searchParams.get("returnUrl");
-      const url = request.nextUrl.clone();
-      url.pathname = returnUrl || redirectAfterLogin;
-      url.searchParams.delete("returnUrl");
-      return import_server.NextResponse.redirect(url);
-    }
-    const response = import_server.NextResponse.next();
-    if (authenticated) {
-      response.headers.set("x-msal-authenticated", "true");
-      try {
-        const sessionData = request.cookies.get(sessionCookie);
-        if (sessionData?.value) {
-          const account = safeJsonParse(sessionData.value, isValidAccountData);
-          if (account?.username) {
-            response.headers.set("x-msal-username", account.username);
-          }
-        }
-      } catch (error) {
-        if (debug) {
-          console.warn("[AuthMiddleware] Failed to parse session data");
-        }
-      }
-    }
-    return response;
-  };
-}
-
 // src/client.ts
-var import_msal_react4 = require("@azure/msal-react");
+var import_msal_react5 = require("@azure/msal-react");
 // Annotate the CommonJS export names for ESM import in node:
 0 && (module.exports = {
   AccountList,
@@ -3281,7 +3211,6 @@ var import_msal_react4 = require("@azure/msal-react");
   ProtectedPage,
   SignOutButton,
   UserAvatar,
-  createAuthMiddleware,
   createMissingEnvVarError,
   createMsalConfig,
   createRetryWrapper,