@chemmangat/msal-next 5.2.0 → 5.3.0

package/dist/middleware.mjs

@@ -0,0 +1,201 @@
+import { NextResponse } from 'next/server';
+
+// src/middleware/createAuthMiddleware.ts
+
+// src/utils/validation.ts
+function safeJsonParse(jsonString, validator) {
+  try {
+    const parsed = JSON.parse(jsonString);
+    if (validator(parsed)) {
+      return parsed;
+    }
+    console.warn("[Validation] JSON validation failed");
+    return null;
+  } catch (error) {
+    console.error("[Validation] JSON parse error:", error);
+    return null;
+  }
+}
+function isValidAccountData(data) {
+  return typeof data === "object" && data !== null && typeof data.homeAccountId === "string" && data.homeAccountId.length > 0 && typeof data.username === "string" && data.username.length > 0 && (data.name === void 0 || typeof data.name === "string");
+}
+
+// src/utils/tenantValidator.ts
+function getTenantDomain(account) {
+  const upn = account.username || account.idTokenClaims?.preferred_username || account.idTokenClaims?.upn || "";
+  return upn.includes("@") ? upn.split("@")[1].toLowerCase() : null;
+}
+function getTenantId(account) {
+  return account.tenantId || account.idTokenClaims?.tid || null;
+}
+function matchesTenant(value, tenantId, tenantDomain) {
+  const v = value.toLowerCase();
+  if (tenantId && v === tenantId.toLowerCase()) return true;
+  if (tenantDomain && v === tenantDomain.toLowerCase()) return true;
+  return false;
+}
+function isGuestAccount(account) {
+  const claims = account.idTokenClaims ?? {};
+  const resourceTenantId = account.tenantId || claims["tid"] || null;
+  const issuer = claims["iss"] || null;
+  if (!issuer || !resourceTenantId) return false;
+  const match = issuer.match(
+    /https:\/\/login\.microsoftonline\.com\/([^/]+)(?:\/|$)/i
+  );
+  if (!match) return false;
+  const homeTenantId = match[1];
+  return homeTenantId.toLowerCase() !== resourceTenantId.toLowerCase();
+}
+function validateTenantAccess(account, config) {
+  const tenantId = getTenantId(account);
+  const tenantDomain = getTenantDomain(account);
+  const claims = account.idTokenClaims ?? {};
+  if (config.blockList && config.blockList.length > 0) {
+    const blocked = config.blockList.some(
+      (entry) => matchesTenant(entry, tenantId, tenantDomain)
+    );
+    if (blocked) {
+      return {
+        allowed: false,
+        reason: `Tenant "${tenantDomain || tenantId}" is blocked from accessing this application.`
+      };
+    }
+  }
+  if (config.allowList && config.allowList.length > 0) {
+    const allowed = config.allowList.some(
+      (entry) => matchesTenant(entry, tenantId, tenantDomain)
+    );
+    if (!allowed) {
+      return {
+        allowed: false,
+        reason: `Tenant "${tenantDomain || tenantId}" is not in the allowed list for this application.`
+      };
+    }
+  }
+  if (config.requireType) {
+    const isGuest = isGuestAccount(account);
+    if (config.requireType === "Member" && isGuest) {
+      return {
+        allowed: false,
+        reason: "Only member accounts are allowed. Guest (B2B) accounts are not permitted."
+      };
+    }
+    if (config.requireType === "Guest" && !isGuest) {
+      return {
+        allowed: false,
+        reason: "Only guest (B2B) accounts are allowed."
+      };
+    }
+  }
+  if (config.requireMFA) {
+    const amr = claims["amr"] || [];
+    const hasMfa = amr.includes("mfa") || amr.includes("ngcmfa") || amr.includes("hwk") || amr.includes("swk");
+    if (!hasMfa) {
+      return {
+        allowed: false,
+        reason: "Multi-factor authentication (MFA) is required to access this application."
+      };
+    }
+  }
+  return { allowed: true };
+}
+
+// src/middleware/createAuthMiddleware.ts
+function createAuthMiddleware(config = {}) {
+  const {
+    protectedRoutes = [],
+    publicOnlyRoutes = [],
+    loginPath = "/login",
+    redirectAfterLogin = "/",
+    sessionCookie = "msal.account",
+    isAuthenticated: customAuthCheck,
+    tenantConfig,
+    tenantDeniedPath = "/unauthorized",
+    debug = false
+  } = config;
+  return async function authMiddleware(request) {
+    const { pathname } = request.nextUrl;
+    if (debug) {
+      console.log("[AuthMiddleware] Processing:", pathname);
+    }
+    let authenticated = false;
+    if (customAuthCheck) {
+      authenticated = await customAuthCheck(request);
+    } else {
+      const sessionData = request.cookies.get(sessionCookie);
+      authenticated = !!sessionData?.value;
+    }
+    if (debug) {
+      console.log("[AuthMiddleware] Authenticated:", authenticated);
+    }
+    const isProtectedRoute = protectedRoutes.some(
+      (route) => pathname.startsWith(route)
+    );
+    const isPublicOnlyRoute = publicOnlyRoutes.some(
+      (route) => pathname.startsWith(route)
+    );
+    if (isProtectedRoute && !authenticated) {
+      if (debug) {
+        console.log("[AuthMiddleware] Redirecting to login");
+      }
+      const url = request.nextUrl.clone();
+      url.pathname = loginPath;
+      url.searchParams.set("returnUrl", pathname);
+      return NextResponse.redirect(url);
+    }
+    if (isProtectedRoute && authenticated && tenantConfig) {
+      try {
+        const sessionData = request.cookies.get(sessionCookie);
+        if (sessionData?.value) {
+          const account = safeJsonParse(sessionData.value, isValidAccountData);
+          if (account) {
+            const tenantResult = validateTenantAccess(account, tenantConfig);
+            if (!tenantResult.allowed) {
+              if (debug) {
+                console.log("[AuthMiddleware] Tenant access denied:", tenantResult.reason);
+              }
+              const url = request.nextUrl.clone();
+              url.pathname = tenantDeniedPath;
+              url.searchParams.set("reason", tenantResult.reason || "access_denied");
+              return NextResponse.redirect(url);
+            }
+          }
+        }
+      } catch (error) {
+        if (debug) {
+          console.warn("[AuthMiddleware] Tenant validation error:", error);
+        }
+      }
+    }
+    if (isPublicOnlyRoute && authenticated) {
+      if (debug) {
+        console.log("[AuthMiddleware] Redirecting to home");
+      }
+      const returnUrl = request.nextUrl.searchParams.get("returnUrl");
+      const url = request.nextUrl.clone();
+      url.pathname = returnUrl || redirectAfterLogin;
+      url.searchParams.delete("returnUrl");
+      return NextResponse.redirect(url);
+    }
+    const response = NextResponse.next();
+    if (authenticated) {
+      response.headers.set("x-msal-authenticated", "true");
+      try {
+        const sessionData = request.cookies.get(sessionCookie);
+        if (sessionData?.value) {
+          const account = safeJsonParse(sessionData.value, isValidAccountData);
+          if (account?.username) {
+            response.headers.set("x-msal-username", account.username);
+          }
+        }
+      } catch (error) {
+        if (debug) {
+          console.warn("[AuthMiddleware] Failed to parse session data");
+        }
+      }
+    }
+    return response;
+  };
+}
+
+export { createAuthMiddleware };

package/dist/server.d.mts

@@ -41,14 +41,33 @@ interface ServerSession {
  */
 declare function getServerSession(): Promise<ServerSession>;
 /**
- * Helper to set server session in cookies (call from client-side after auth)
+ * Writes the `msal.account` session cookie directly via `document.cookie`.
+ *
+ * @remarks
+ * **Must be called from a Client Component** (browser context only).
+ *
+ * As of v5.3.0 this is no longer necessary for most apps — `MsalAuthProvider`
+ * automatically writes and clears the cookie on every login/logout event.
+ * Only call this manually if you need to set the cookie outside of the normal
+ * MSAL auth flow (e.g. after a silent SSO check in a custom component).
  *
  * @example
  * ```tsx
- * // After successful login
- * await setServerSessionCookie(account, accessToken);
+ * 'use client';
+ * import { setServerSessionCookie } from '@chemmangat/msal-next/server';
+ *
+ * // After a custom auth event:
+ * setServerSessionCookie(account);
  * ```
  */
-declare function setServerSessionCookie(account: any, accessToken?: string): Promise<void>;
+declare function setServerSessionCookie(account: any): void;
+/**
+ * Clears the `msal.account` session cookie.
+ *
+ * @remarks
+ * **Must be called from a Client Component** (browser context only).
+ * As of v5.3.0 this is handled automatically by `MsalAuthProvider` on logout.
+ */
+declare function clearServerSessionCookie(): void;
 
-export { type ServerSession, getServerSession, setServerSessionCookie };
+export { type ServerSession, clearServerSessionCookie, getServerSession, setServerSessionCookie };

package/dist/server.d.ts

@@ -41,14 +41,33 @@ interface ServerSession {
  */
 declare function getServerSession(): Promise<ServerSession>;
 /**
- * Helper to set server session in cookies (call from client-side after auth)
+ * Writes the `msal.account` session cookie directly via `document.cookie`.
+ *
+ * @remarks
+ * **Must be called from a Client Component** (browser context only).
+ *
+ * As of v5.3.0 this is no longer necessary for most apps — `MsalAuthProvider`
+ * automatically writes and clears the cookie on every login/logout event.
+ * Only call this manually if you need to set the cookie outside of the normal
+ * MSAL auth flow (e.g. after a silent SSO check in a custom component).
  *
  * @example
  * ```tsx
- * // After successful login
- * await setServerSessionCookie(account, accessToken);
+ * 'use client';
+ * import { setServerSessionCookie } from '@chemmangat/msal-next/server';
+ *
+ * // After a custom auth event:
+ * setServerSessionCookie(account);
  * ```
  */
-declare function setServerSessionCookie(account: any, accessToken?: string): Promise<void>;
+declare function setServerSessionCookie(account: any): void;
+/**
+ * Clears the `msal.account` session cookie.
+ *
+ * @remarks
+ * **Must be called from a Client Component** (browser context only).
+ * As of v5.3.0 this is handled automatically by `MsalAuthProvider` on logout.
+ */
+declare function clearServerSessionCookie(): void;
 
-export { type ServerSession, getServerSession, setServerSessionCookie };
+export { type ServerSession, clearServerSessionCookie, getServerSession, setServerSessionCookie };

package/dist/server.js

@@ -63,27 +63,29 @@ async function getServerSession() {
     };
   }
 }
-async function setServerSessionCookie(account, accessToken) {
+function setServerSessionCookie(account) {
+  if (typeof document === "undefined") {
+    console.warn("[ServerSession] setServerSessionCookie must be called in a browser (Client Component) context.");
+    return;
+  }
   try {
-    const accountData = {
+    const data = encodeURIComponent(JSON.stringify({
       homeAccountId: account.homeAccountId,
       username: account.username,
-      name: account.name
-    };
-    await fetch("/api/auth/session", {
-      method: "POST",
-      headers: {
-        "Content-Type": "application/json"
-      },
-      body: JSON.stringify({
-        account: accountData,
-        token: accessToken
-      })
-    });
+      name: account.name ?? ""
+    }));
+    document.cookie = `msal.account=${data}; path=/; SameSite=Lax`;
   } catch (error) {
     console.error("[ServerSession] Failed to set session cookie:", error);
   }
 }
+function clearServerSessionCookie() {
+  if (typeof document === "undefined") {
+    return;
+  }
+  document.cookie = "msal.account=; path=/; SameSite=Lax; expires=Thu, 01 Jan 1970 00:00:00 GMT";
+}
 
+exports.clearServerSessionCookie = clearServerSessionCookie;
 exports.getServerSession = getServerSession;
 exports.setServerSessionCookie = setServerSessionCookie;

package/dist/server.mjs

@@ -61,26 +61,27 @@ async function getServerSession() {
     };
   }
 }
-async function setServerSessionCookie(account, accessToken) {
+function setServerSessionCookie(account) {
+  if (typeof document === "undefined") {
+    console.warn("[ServerSession] setServerSessionCookie must be called in a browser (Client Component) context.");
+    return;
+  }
   try {
-    const accountData = {
+    const data = encodeURIComponent(JSON.stringify({
       homeAccountId: account.homeAccountId,
       username: account.username,
-      name: account.name
-    };
-    await fetch("/api/auth/session", {
-      method: "POST",
-      headers: {
-        "Content-Type": "application/json"
-      },
-      body: JSON.stringify({
-        account: accountData,
-        token: accessToken
-      })
-    });
+      name: account.name ?? ""
+    }));
+    document.cookie = `msal.account=${data}; path=/; SameSite=Lax`;
   } catch (error) {
     console.error("[ServerSession] Failed to set session cookie:", error);
   }
 }
+function clearServerSessionCookie() {
+  if (typeof document === "undefined") {
+    return;
+  }
+  document.cookie = "msal.account=; path=/; SameSite=Lax; expires=Thu, 01 Jan 1970 00:00:00 GMT";
+}
 
-export { getServerSession, setServerSessionCookie };
+export { clearServerSessionCookie, getServerSession, setServerSessionCookie };

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@chemmangat/msal-next",
-  "version": "5.2.0",
+  "version": "5.3.0",
   "description": "Production-ready Microsoft/Azure AD authentication for Next.js App Router. Zero-config setup, TypeScript-first, multi-account support, auto token refresh. The easiest way to add Microsoft login to your Next.js app.",
   "main": "./dist/index.js",
   "module": "./dist/index.mjs",
@@ -15,6 +15,11 @@
       "types": "./dist/server.d.ts",
       "import": "./dist/server.mjs",
       "require": "./dist/server.js"
+    },
+    "./middleware": {
+      "types": "./dist/middleware.d.ts",
+      "import": "./dist/middleware.mjs",
+      "require": "./dist/middleware.js"
     }
   },
   "files": [