@chemmangat/msal-next 5.2.0 → 5.3.0

package/dist/index.mjs

@@ -614,6 +614,7 @@ Note: Environment variables starting with NEXT_PUBLIC_ are exposed to the browse
 
 // src/hooks/useTokenRefresh.ts
 import { useEffect, useRef, useCallback as useCallback2 } from "react";
+import { useMsal as useMsal2 } from "@azure/msal-react";
 
 // src/hooks/useMsalAuth.ts
 import { useMsal, useAccount } from "@azure/msal-react";
@@ -792,7 +793,8 @@ function useTokenRefresh(options = {}) {
     onRefresh,
     onError
   } = options;
-  const { isAuthenticated, account, acquireTokenSilent } = useMsalAuth();
+  const { isAuthenticated, account } = useMsalAuth();
+  const { instance } = useMsal2();
   const intervalRef = useRef(null);
   const lastRefreshRef = useRef(null);
   const expiresInRef = useRef(null);
@@ -801,23 +803,27 @@ function useTokenRefresh(options = {}) {
       return;
     }
     try {
-      await acquireTokenSilent(scopes);
+      const response = await instance.acquireTokenSilent({
+        scopes,
+        account,
+        forceRefresh: false
+      });
       lastRefreshRef.current = /* @__PURE__ */ new Date();
-      const expiresIn = 3600;
+      const expiresIn = response.expiresOn ? Math.max(0, response.expiresOn.getTime() / 1e3 - Date.now() / 1e3) : 3600;
       expiresInRef.current = expiresIn;
       onRefresh?.(expiresIn);
     } catch (error) {
       console.error("[TokenRefresh] Failed to refresh token:", error);
       onError?.(error);
     }
-  }, [isAuthenticated, account, acquireTokenSilent, scopes, onRefresh, onError]);
+  }, [isAuthenticated, account, instance, scopes, onRefresh, onError]);
   useEffect(() => {
     if (!enabled || !isAuthenticated) {
       return;
     }
     refresh();
     intervalRef.current = setInterval(() => {
-      if (!expiresInRef.current) {
+      if (expiresInRef.current === null) {
         return;
       }
       const timeSinceRefresh = lastRefreshRef.current ? (Date.now() - lastRefreshRef.current.getTime()) / 1e3 : 0;
@@ -950,6 +956,23 @@ function validateTenantAccess(account, config) {
 // src/components/MsalAuthProvider.tsx
 import { Fragment, jsx, jsxs } from "react/jsx-runtime";
 var globalMsalInstance = null;
+function writeMsalSessionCookie(account) {
+  try {
+    const data = encodeURIComponent(JSON.stringify({
+      homeAccountId: account.homeAccountId,
+      username: account.username,
+      name: account.name ?? ""
+    }));
+    document.cookie = `msal.account=${data}; path=/; SameSite=Lax`;
+  } catch {
+  }
+}
+function clearMsalSessionCookie() {
+  try {
+    document.cookie = "msal.account=; path=/; SameSite=Lax; expires=Thu, 01 Jan 1970 00:00:00 GMT";
+  } catch {
+  }
+}
 function getMsalInstance() {
   return globalMsalInstance;
 }
@@ -999,6 +1022,7 @@ function MsalAuthProvider({
             }
             if (response.account) {
               instance.setActiveAccount(response.account);
+              writeMsalSessionCookie(response.account);
               if (config.multiTenant) {
                 const validation = validateTenantAccess(response.account, config.multiTenant);
                 if (!validation.allowed) {
@@ -1044,6 +1068,7 @@ function MsalAuthProvider({
         const accounts = instance.getAllAccounts();
         if (accounts.length > 0 && !instance.getActiveAccount()) {
           instance.setActiveAccount(accounts[0]);
+          writeMsalSessionCookie(accounts[0]);
         }
         const loggingEnabled = config.enableLogging || false;
         instance.addEventCallback((event) => {
@@ -1052,6 +1077,7 @@ function MsalAuthProvider({
             const account = "account" in payload ? payload.account : payload;
             if (account) {
               instance.setActiveAccount(account);
+              writeMsalSessionCookie(account);
             }
             if (loggingEnabled) {
               console.log("[MSAL] Login successful:", account?.username);
@@ -1063,10 +1089,14 @@ function MsalAuthProvider({
           }
           if (event.eventType === EventType.LOGOUT_SUCCESS) {
             instance.setActiveAccount(null);
+            clearMsalSessionCookie();
             if (loggingEnabled) {
               console.log("[MSAL] Logout successful");
             }
           }
+          if (EventType.LOGOUT_END !== void 0 && event.eventType === EventType.LOGOUT_END) {
+            clearMsalSessionCookie();
+          }
           if (event.eventType === EventType.ACQUIRE_TOKEN_SUCCESS) {
             const payload = event.payload;
             if (payload?.account && !instance.getActiveAccount()) {
@@ -1868,11 +1898,11 @@ var ErrorBoundary = class extends Component {
 };
 
 // src/hooks/useMultiAccount.ts
-import { useMsal as useMsal2 } from "@azure/msal-react";
+import { useMsal as useMsal3 } from "@azure/msal-react";
 import { InteractionStatus as InteractionStatus2 } from "@azure/msal-browser";
 import { useCallback as useCallback5, useMemo as useMemo2, useState as useState5, useEffect as useEffect7 } from "react";
 function useMultiAccount(defaultScopes = ["User.Read"]) {
-  const { instance, accounts, inProgress } = useMsal2();
+  const { instance, accounts, inProgress } = useMsal3();
   const [activeAccount, setActiveAccount] = useState5(
     instance.getActiveAccount()
   );
@@ -3106,107 +3136,8 @@ function withPageAuth(Component2, authConfig, globalConfig) {
   return WrappedComponent;
 }
 
-// src/middleware/createAuthMiddleware.ts
-import { NextResponse } from "next/server";
-function createAuthMiddleware(config = {}) {
-  const {
-    protectedRoutes = [],
-    publicOnlyRoutes = [],
-    loginPath = "/login",
-    redirectAfterLogin = "/",
-    sessionCookie = "msal.account",
-    isAuthenticated: customAuthCheck,
-    tenantConfig,
-    tenantDeniedPath = "/unauthorized",
-    debug = false
-  } = config;
-  return async function authMiddleware(request) {
-    const { pathname } = request.nextUrl;
-    if (debug) {
-      console.log("[AuthMiddleware] Processing:", pathname);
-    }
-    let authenticated = false;
-    if (customAuthCheck) {
-      authenticated = await customAuthCheck(request);
-    } else {
-      const sessionData = request.cookies.get(sessionCookie);
-      authenticated = !!sessionData?.value;
-    }
-    if (debug) {
-      console.log("[AuthMiddleware] Authenticated:", authenticated);
-    }
-    const isProtectedRoute = protectedRoutes.some(
-      (route) => pathname.startsWith(route)
-    );
-    const isPublicOnlyRoute = publicOnlyRoutes.some(
-      (route) => pathname.startsWith(route)
-    );
-    if (isProtectedRoute && !authenticated) {
-      if (debug) {
-        console.log("[AuthMiddleware] Redirecting to login");
-      }
-      const url = request.nextUrl.clone();
-      url.pathname = loginPath;
-      url.searchParams.set("returnUrl", pathname);
-      return NextResponse.redirect(url);
-    }
-    if (isProtectedRoute && authenticated && tenantConfig) {
-      try {
-        const sessionData = request.cookies.get(sessionCookie);
-        if (sessionData?.value) {
-          const account = safeJsonParse(sessionData.value, isValidAccountData);
-          if (account) {
-            const tenantResult = validateTenantAccess(account, tenantConfig);
-            if (!tenantResult.allowed) {
-              if (debug) {
-                console.log("[AuthMiddleware] Tenant access denied:", tenantResult.reason);
-              }
-              const url = request.nextUrl.clone();
-              url.pathname = tenantDeniedPath;
-              url.searchParams.set("reason", tenantResult.reason || "access_denied");
-              return NextResponse.redirect(url);
-            }
-          }
-        }
-      } catch (error) {
-        if (debug) {
-          console.warn("[AuthMiddleware] Tenant validation error:", error);
-        }
-      }
-    }
-    if (isPublicOnlyRoute && authenticated) {
-      if (debug) {
-        console.log("[AuthMiddleware] Redirecting to home");
-      }
-      const returnUrl = request.nextUrl.searchParams.get("returnUrl");
-      const url = request.nextUrl.clone();
-      url.pathname = returnUrl || redirectAfterLogin;
-      url.searchParams.delete("returnUrl");
-      return NextResponse.redirect(url);
-    }
-    const response = NextResponse.next();
-    if (authenticated) {
-      response.headers.set("x-msal-authenticated", "true");
-      try {
-        const sessionData = request.cookies.get(sessionCookie);
-        if (sessionData?.value) {
-          const account = safeJsonParse(sessionData.value, isValidAccountData);
-          if (account?.username) {
-            response.headers.set("x-msal-username", account.username);
-          }
-        }
-      } catch (error) {
-        if (debug) {
-          console.warn("[AuthMiddleware] Failed to parse session data");
-        }
-      }
-    }
-    return response;
-  };
-}
-
 // src/client.ts
-import { useMsal as useMsal3, useIsAuthenticated, useAccount as useAccount2 } from "@azure/msal-react";
+import { useMsal as useMsal4, useIsAuthenticated, useAccount as useAccount2 } from "@azure/msal-react";
 export {
   AccountList,
   AccountSwitcher,
@@ -3220,7 +3151,6 @@ export {
   ProtectedPage,
   SignOutButton,
   UserAvatar,
-  createAuthMiddleware,
   createMissingEnvVarError,
   createMsalConfig,
   createRetryWrapper,
@@ -3237,7 +3167,7 @@ export {
   useAccount2 as useAccount,
   useGraphApi,
   useIsAuthenticated,
-  useMsal3 as useMsal,
+  useMsal4 as useMsal,
   useMsalAuth,
   useMultiAccount,
   useRoles,

package/dist/middleware.d.mts

@@ -0,0 +1,115 @@
+import { NextRequest, NextResponse } from 'next/server';
+
+/**
+ * Type definitions for @chemmangat/msal-next
+ *
+ * @packageDocumentation
+ */
+
+/**
+ * Multi-tenant configuration for v5.1.0
+ */
+interface MultiTenantConfig {
+    /**
+     * Tenant mode
+     * - 'single'        — only your own tenant (maps to authorityType 'tenant')
+     * - 'multi'         — any Azure AD tenant (maps to authorityType 'common')
+     * - 'organizations' — any organisational tenant, no personal accounts
+     * - 'consumers'     — Microsoft personal accounts only
+     * - 'common'        — alias for 'multi'
+     *
+     * @defaultValue 'common'
+     */
+    type?: 'single' | 'multi' | 'organizations' | 'consumers' | 'common';
+    /**
+     * Tenant allow-list — only users from these tenant IDs or domains are permitted.
+     * Checked after authentication; users from other tenants are shown an error.
+     *
+     * @example ['contoso.com', '72f988bf-86f1-41af-91ab-2d7cd011db47']
+     */
+    allowList?: string[];
+    /**
+     * Tenant block-list — users from these tenant IDs or domains are denied.
+     * Takes precedence over allowList.
+     */
+    blockList?: string[];
+    /**
+     * Require a specific tenant type ('Member' | 'Guest').
+     * Useful to block B2B guests or to allow only guests.
+     */
+    requireType?: 'Member' | 'Guest';
+    /**
+     * Require MFA claim in the token (amr claim must contain 'mfa').
+     * @defaultValue false
+     */
+    requireMFA?: boolean;
+}
+
+interface AuthMiddlewareConfig {
+    /**
+     * Routes that require authentication
+     * @example ['/dashboard', '/profile', '/api/protected']
+     */
+    protectedRoutes?: string[];
+    /**
+     * Routes that should be accessible only when NOT authenticated
+     * @example ['/login', '/signup']
+     */
+    publicOnlyRoutes?: string[];
+    /**
+     * Login page path
+     * @default '/login'
+     */
+    loginPath?: string;
+    /**
+     * Redirect path after login
+     * @default '/'
+     */
+    redirectAfterLogin?: string;
+    /**
+     * Cookie name for session
+     * @default 'msal.account'
+     */
+    sessionCookie?: string;
+    /**
+     * Custom authentication check function
+     */
+    isAuthenticated?: (request: NextRequest) => boolean | Promise<boolean>;
+    /**
+     * Tenant access configuration (v5.1.0).
+     * Validated against the account stored in the session cookie.
+     */
+    tenantConfig?: MultiTenantConfig;
+    /**
+     * Path to redirect to when tenant access is denied (v5.1.0).
+     * @default '/unauthorized'
+     */
+    tenantDeniedPath?: string;
+    /**
+     * Enable debug logging
+     * @default false
+     */
+    debug?: boolean;
+}
+/**
+ * Creates authentication middleware for Next.js App Router
+ *
+ * @example
+ * ```tsx
+ * // middleware.ts
+ * import { createAuthMiddleware } from '@chemmangat/msal-next';
+ *
+ * export const middleware = createAuthMiddleware({
+ *   protectedRoutes: ['/dashboard', '/profile'],
+ *   publicOnlyRoutes: ['/login'],
+ *   loginPath: '/login',
+ * });
+ *
+ * export const config = {
+ *   matcher: ['/((?!_next/static|_next/image|favicon.ico).*)'],
+ * };
+ * ```
+ */
+declare function createAuthMiddleware(config?: AuthMiddlewareConfig): (request: NextRequest) => Promise<NextResponse<unknown>>;
+
+export { type AuthMiddlewareConfig, createAuthMiddleware };

package/dist/middleware.d.ts

@@ -0,0 +1,115 @@
+import { NextRequest, NextResponse } from 'next/server';
+
+/**
+ * Type definitions for @chemmangat/msal-next
+ *
+ * @packageDocumentation
+ */
+
+/**
+ * Multi-tenant configuration for v5.1.0
+ */
+interface MultiTenantConfig {
+    /**
+     * Tenant mode
+     * - 'single'        — only your own tenant (maps to authorityType 'tenant')
+     * - 'multi'         — any Azure AD tenant (maps to authorityType 'common')
+     * - 'organizations' — any organisational tenant, no personal accounts
+     * - 'consumers'     — Microsoft personal accounts only
+     * - 'common'        — alias for 'multi'
+     *
+     * @defaultValue 'common'
+     */
+    type?: 'single' | 'multi' | 'organizations' | 'consumers' | 'common';
+    /**
+     * Tenant allow-list — only users from these tenant IDs or domains are permitted.
+     * Checked after authentication; users from other tenants are shown an error.
+     *
+     * @example ['contoso.com', '72f988bf-86f1-41af-91ab-2d7cd011db47']
+     */
+    allowList?: string[];
+    /**
+     * Tenant block-list — users from these tenant IDs or domains are denied.
+     * Takes precedence over allowList.
+     */
+    blockList?: string[];
+    /**
+     * Require a specific tenant type ('Member' | 'Guest').
+     * Useful to block B2B guests or to allow only guests.
+     */
+    requireType?: 'Member' | 'Guest';
+    /**
+     * Require MFA claim in the token (amr claim must contain 'mfa').
+     * @defaultValue false
+     */
+    requireMFA?: boolean;
+}
+
+interface AuthMiddlewareConfig {
+    /**
+     * Routes that require authentication
+     * @example ['/dashboard', '/profile', '/api/protected']
+     */
+    protectedRoutes?: string[];
+    /**
+     * Routes that should be accessible only when NOT authenticated
+     * @example ['/login', '/signup']
+     */
+    publicOnlyRoutes?: string[];
+    /**
+     * Login page path
+     * @default '/login'
+     */
+    loginPath?: string;
+    /**
+     * Redirect path after login
+     * @default '/'
+     */
+    redirectAfterLogin?: string;
+    /**
+     * Cookie name for session
+     * @default 'msal.account'
+     */
+    sessionCookie?: string;
+    /**
+     * Custom authentication check function
+     */
+    isAuthenticated?: (request: NextRequest) => boolean | Promise<boolean>;
+    /**
+     * Tenant access configuration (v5.1.0).
+     * Validated against the account stored in the session cookie.
+     */
+    tenantConfig?: MultiTenantConfig;
+    /**
+     * Path to redirect to when tenant access is denied (v5.1.0).
+     * @default '/unauthorized'
+     */
+    tenantDeniedPath?: string;
+    /**
+     * Enable debug logging
+     * @default false
+     */
+    debug?: boolean;
+}
+/**
+ * Creates authentication middleware for Next.js App Router
+ *
+ * @example
+ * ```tsx
+ * // middleware.ts
+ * import { createAuthMiddleware } from '@chemmangat/msal-next';
+ *
+ * export const middleware = createAuthMiddleware({
+ *   protectedRoutes: ['/dashboard', '/profile'],
+ *   publicOnlyRoutes: ['/login'],
+ *   loginPath: '/login',
+ * });
+ *
+ * export const config = {
+ *   matcher: ['/((?!_next/static|_next/image|favicon.ico).*)'],
+ * };
+ * ```
+ */
+declare function createAuthMiddleware(config?: AuthMiddlewareConfig): (request: NextRequest) => Promise<NextResponse<unknown>>;
+
+export { type AuthMiddlewareConfig, createAuthMiddleware };

package/dist/middleware.js

@@ -0,0 +1,203 @@
+'use strict';
+
+var server = require('next/server');
+
+// src/middleware/createAuthMiddleware.ts
+
+// src/utils/validation.ts
+function safeJsonParse(jsonString, validator) {
+  try {
+    const parsed = JSON.parse(jsonString);
+    if (validator(parsed)) {
+      return parsed;
+    }
+    console.warn("[Validation] JSON validation failed");
+    return null;
+  } catch (error) {
+    console.error("[Validation] JSON parse error:", error);
+    return null;
+  }
+}
+function isValidAccountData(data) {
+  return typeof data === "object" && data !== null && typeof data.homeAccountId === "string" && data.homeAccountId.length > 0 && typeof data.username === "string" && data.username.length > 0 && (data.name === void 0 || typeof data.name === "string");
+}
+
+// src/utils/tenantValidator.ts
+function getTenantDomain(account) {
+  const upn = account.username || account.idTokenClaims?.preferred_username || account.idTokenClaims?.upn || "";
+  return upn.includes("@") ? upn.split("@")[1].toLowerCase() : null;
+}
+function getTenantId(account) {
+  return account.tenantId || account.idTokenClaims?.tid || null;
+}
+function matchesTenant(value, tenantId, tenantDomain) {
+  const v = value.toLowerCase();
+  if (tenantId && v === tenantId.toLowerCase()) return true;
+  if (tenantDomain && v === tenantDomain.toLowerCase()) return true;
+  return false;
+}
+function isGuestAccount(account) {
+  const claims = account.idTokenClaims ?? {};
+  const resourceTenantId = account.tenantId || claims["tid"] || null;
+  const issuer = claims["iss"] || null;
+  if (!issuer || !resourceTenantId) return false;
+  const match = issuer.match(
+    /https:\/\/login\.microsoftonline\.com\/([^/]+)(?:\/|$)/i
+  );
+  if (!match) return false;
+  const homeTenantId = match[1];
+  return homeTenantId.toLowerCase() !== resourceTenantId.toLowerCase();
+}
+function validateTenantAccess(account, config) {
+  const tenantId = getTenantId(account);
+  const tenantDomain = getTenantDomain(account);
+  const claims = account.idTokenClaims ?? {};
+  if (config.blockList && config.blockList.length > 0) {
+    const blocked = config.blockList.some(
+      (entry) => matchesTenant(entry, tenantId, tenantDomain)
+    );
+    if (blocked) {
+      return {
+        allowed: false,
+        reason: `Tenant "${tenantDomain || tenantId}" is blocked from accessing this application.`
+      };
+    }
+  }
+  if (config.allowList && config.allowList.length > 0) {
+    const allowed = config.allowList.some(
+      (entry) => matchesTenant(entry, tenantId, tenantDomain)
+    );
+    if (!allowed) {
+      return {
+        allowed: false,
+        reason: `Tenant "${tenantDomain || tenantId}" is not in the allowed list for this application.`
+      };
+    }
+  }
+  if (config.requireType) {
+    const isGuest = isGuestAccount(account);
+    if (config.requireType === "Member" && isGuest) {
+      return {
+        allowed: false,
+        reason: "Only member accounts are allowed. Guest (B2B) accounts are not permitted."
+      };
+    }
+    if (config.requireType === "Guest" && !isGuest) {
+      return {
+        allowed: false,
+        reason: "Only guest (B2B) accounts are allowed."
+      };
+    }
+  }
+  if (config.requireMFA) {
+    const amr = claims["amr"] || [];
+    const hasMfa = amr.includes("mfa") || amr.includes("ngcmfa") || amr.includes("hwk") || amr.includes("swk");
+    if (!hasMfa) {
+      return {
+        allowed: false,
+        reason: "Multi-factor authentication (MFA) is required to access this application."
+      };
+    }
+  }
+  return { allowed: true };
+}
+
+// src/middleware/createAuthMiddleware.ts
+function createAuthMiddleware(config = {}) {
+  const {
+    protectedRoutes = [],
+    publicOnlyRoutes = [],
+    loginPath = "/login",
+    redirectAfterLogin = "/",
+    sessionCookie = "msal.account",
+    isAuthenticated: customAuthCheck,
+    tenantConfig,
+    tenantDeniedPath = "/unauthorized",
+    debug = false
+  } = config;
+  return async function authMiddleware(request) {
+    const { pathname } = request.nextUrl;
+    if (debug) {
+      console.log("[AuthMiddleware] Processing:", pathname);
+    }
+    let authenticated = false;
+    if (customAuthCheck) {
+      authenticated = await customAuthCheck(request);
+    } else {
+      const sessionData = request.cookies.get(sessionCookie);
+      authenticated = !!sessionData?.value;
+    }
+    if (debug) {
+      console.log("[AuthMiddleware] Authenticated:", authenticated);
+    }
+    const isProtectedRoute = protectedRoutes.some(
+      (route) => pathname.startsWith(route)
+    );
+    const isPublicOnlyRoute = publicOnlyRoutes.some(
+      (route) => pathname.startsWith(route)
+    );
+    if (isProtectedRoute && !authenticated) {
+      if (debug) {
+        console.log("[AuthMiddleware] Redirecting to login");
+      }
+      const url = request.nextUrl.clone();
+      url.pathname = loginPath;
+      url.searchParams.set("returnUrl", pathname);
+      return server.NextResponse.redirect(url);
+    }
+    if (isProtectedRoute && authenticated && tenantConfig) {
+      try {
+        const sessionData = request.cookies.get(sessionCookie);
+        if (sessionData?.value) {
+          const account = safeJsonParse(sessionData.value, isValidAccountData);
+          if (account) {
+            const tenantResult = validateTenantAccess(account, tenantConfig);
+            if (!tenantResult.allowed) {
+              if (debug) {
+                console.log("[AuthMiddleware] Tenant access denied:", tenantResult.reason);
+              }
+              const url = request.nextUrl.clone();
+              url.pathname = tenantDeniedPath;
+              url.searchParams.set("reason", tenantResult.reason || "access_denied");
+              return server.NextResponse.redirect(url);
+            }
+          }
+        }
+      } catch (error) {
+        if (debug) {
+          console.warn("[AuthMiddleware] Tenant validation error:", error);
+        }
+      }
+    }
+    if (isPublicOnlyRoute && authenticated) {
+      if (debug) {
+        console.log("[AuthMiddleware] Redirecting to home");
+      }
+      const returnUrl = request.nextUrl.searchParams.get("returnUrl");
+      const url = request.nextUrl.clone();
+      url.pathname = returnUrl || redirectAfterLogin;
+      url.searchParams.delete("returnUrl");
+      return server.NextResponse.redirect(url);
+    }
+    const response = server.NextResponse.next();
+    if (authenticated) {
+      response.headers.set("x-msal-authenticated", "true");
+      try {
+        const sessionData = request.cookies.get(sessionCookie);
+        if (sessionData?.value) {
+          const account = safeJsonParse(sessionData.value, isValidAccountData);
+          if (account?.username) {
+            response.headers.set("x-msal-username", account.username);
+          }
+        }
+      } catch (error) {
+        if (debug) {
+          console.warn("[AuthMiddleware] Failed to parse session data");
+        }
+      }
+    }
+    return response;
+  };
+}
+
+exports.createAuthMiddleware = createAuthMiddleware;