@civic/auth 0.0.1--.tsc.alpha.1 → 0.0.1-beta.1

package/dist/nextjs.js

@@ -0,0 +1,927 @@
+"use server";
+"use strict";
+var __create = Object.create;
+var __defProp = Object.defineProperty;
+var __defProps = Object.defineProperties;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropDescs = Object.getOwnPropertyDescriptors;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __getOwnPropSymbols = Object.getOwnPropertySymbols;
+var __getProtoOf = Object.getPrototypeOf;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __propIsEnum = Object.prototype.propertyIsEnumerable;
+var __defNormalProp = (obj, key, value) => key in obj ? __defProp(obj, key, { enumerable: true, configurable: true, writable: true, value }) : obj[key] = value;
+var __spreadValues = (a, b) => {
+  for (var prop in b || (b = {}))
+    if (__hasOwnProp.call(b, prop))
+      __defNormalProp(a, prop, b[prop]);
+  if (__getOwnPropSymbols)
+    for (var prop of __getOwnPropSymbols(b)) {
+      if (__propIsEnum.call(b, prop))
+        __defNormalProp(a, prop, b[prop]);
+    }
+  return a;
+};
+var __spreadProps = (a, b) => __defProps(a, __getOwnPropDescs(b));
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toESM = (mod, isNodeMode, target) => (target = mod != null ? __create(__getProtoOf(mod)) : {}, __copyProps(
+  // If the importer is in node compatibility mode or this is not an ESM
+  // file that has been converted to a CommonJS file using a Babel-
+  // compatible transform (i.e. "__esModule" has not been set), then set
+  // "default" to the CommonJS "module.exports" for node compatibility.
+  isNodeMode || !mod || !mod.__esModule ? __defProp(target, "default", { value: mod, enumerable: true }) : target,
+  mod
+));
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+var __async = (__this, __arguments, generator) => {
+  return new Promise((resolve, reject) => {
+    var fulfilled = (value) => {
+      try {
+        step(generator.next(value));
+      } catch (e) {
+        reject(e);
+      }
+    };
+    var rejected = (value) => {
+      try {
+        step(generator.throw(value));
+      } catch (e) {
+        reject(e);
+      }
+    };
+    var step = (x) => x.done ? resolve(x.value) : Promise.resolve(x.value).then(fulfilled, rejected);
+    step((generator = generator.apply(__this, __arguments)).next());
+  });
+};
+
+// src/nextjs/index.ts
+var nextjs_exports = {};
+__export(nextjs_exports, {
+  auth: () => auth,
+  authMiddleware: () => authMiddleware,
+  createCivicAuthPlugin: () => createCivicAuthPlugin,
+  getUser: () => getUser,
+  handler: () => handler,
+  withAuth: () => withAuth
+});
+module.exports = __toCommonJS(nextjs_exports);
+
+// src/lib/logger.ts
+var import_debug = __toESM(require("debug"));
+var PACKAGE_NAME = "@civic/auth";
+var DebugLogger = class {
+  constructor(namespace) {
+    this.debugLogger = (0, import_debug.default)(`${PACKAGE_NAME}:${namespace}:debug`);
+    this.infoLogger = (0, import_debug.default)(`${PACKAGE_NAME}:${namespace}:info`);
+    this.warnLogger = (0, import_debug.default)(`${PACKAGE_NAME}:${namespace}:warn`);
+    this.errorLogger = (0, import_debug.default)(`${PACKAGE_NAME}:${namespace}:error`);
+    this.debugLogger.color = "4";
+    this.infoLogger.color = "2";
+    this.warnLogger.color = "3";
+    this.errorLogger.color = "1";
+  }
+  debug(message, ...args) {
+    this.debugLogger(message, ...args);
+  }
+  info(message, ...args) {
+    this.infoLogger(message, ...args);
+  }
+  warn(message, ...args) {
+    this.warnLogger(message, ...args);
+  }
+  error(message, ...args) {
+    this.errorLogger(message, ...args);
+  }
+};
+var createLogger = (namespace) => new DebugLogger(namespace);
+var loggers = {
+  // Next.js specific loggers
+  nextjs: {
+    routes: createLogger("api:routes"),
+    middleware: createLogger("api:middleware"),
+    handlers: {
+      auth: createLogger("api:handlers:auth")
+    }
+  },
+  // React specific loggers
+  react: {
+    components: createLogger("react:components"),
+    hooks: createLogger("react:hooks"),
+    context: createLogger("react:context")
+  },
+  // Shared utilities loggers
+  services: {
+    validation: createLogger("utils:validation"),
+    network: createLogger("utils:network")
+  }
+};
+
+// src/nextjs/config.ts
+var logger = loggers.nextjs.handlers.auth;
+var defaultAuthConfig = {
+  oauthServer: "https://auth-dev.civic.com/oauth",
+  callbackUrl: "/api/auth/callback",
+  challengeUrl: "/api/auth/challenge",
+  logoutUrl: "/api/auth/logout",
+  loginUrl: "/",
+  include: ["/*"],
+  exclude: [],
+  cookies: {
+    tokens: {
+      sameSite: "strict",
+      path: "/",
+      maxAge: 60 * 60
+      // 1 hour
+    },
+    user: {
+      sameSite: "strict",
+      path: "/",
+      maxAge: 60 * 60
+      // 1 hour
+    }
+  }
+};
+var withoutUndefined = (obj) => {
+  const result = {};
+  for (const key in obj) {
+    if (obj[key] !== void 0) {
+      result[key] = obj[key];
+    }
+  }
+  return result;
+};
+var resolveAuthConfig = (config = {}) => {
+  var _a, _b, _c, _d;
+  const configFromEnv = withoutUndefined({
+    clientId: process.env._civic_auth_client_id,
+    oauthServer: process.env._civic_oauth_server,
+    callbackUrl: process.env._civic_auth_callback_url,
+    loginUrl: process.env._civic_auth_login_url,
+    logoutUrl: process.env._civic_auth_logout_url,
+    include: (_a = process.env._civic_auth_includes) == null ? void 0 : _a.split(","),
+    exclude: (_b = process.env._civic_auth_excludes) == null ? void 0 : _b.split(","),
+    cookies: process.env._civic_auth_cookie_config ? JSON.parse(process.env._civic_auth_cookie_config) : void 0
+  });
+  const mergedConfig = __spreadProps(__spreadValues(__spreadValues(__spreadValues({}, defaultAuthConfig), configFromEnv), config), {
+    // Override with directly passed config
+    cookies: {
+      tokens: __spreadValues(__spreadValues({}, defaultAuthConfig.cookies.tokens), ((_c = config.cookies) == null ? void 0 : _c.tokens) || {}),
+      user: __spreadValues(__spreadValues({}, defaultAuthConfig.cookies.user), ((_d = config.cookies) == null ? void 0 : _d.user) || {})
+    }
+  });
+  logger.debug("Config from environment:", configFromEnv);
+  logger.debug("Resolved config:", mergedConfig);
+  if (mergedConfig.clientId === void 0) {
+    throw new Error("Civic Auth client ID is required");
+  }
+  return mergedConfig;
+};
+var createCivicAuthPlugin = (clientId, authConfig = {}) => {
+  return (nextConfig) => {
+    const resolvedConfig = resolveAuthConfig(__spreadProps(__spreadValues({}, authConfig), { clientId }));
+    return __spreadProps(__spreadValues({}, nextConfig), {
+      env: __spreadProps(__spreadValues({}, nextConfig == null ? void 0 : nextConfig.env), {
+        // Internal environment variables - do not set these manually
+        _civic_auth_client_id: clientId,
+        _civic_oauth_server: resolvedConfig.oauthServer,
+        _civic_auth_callback_url: resolvedConfig.callbackUrl,
+        _civic_auth_login_url: resolvedConfig.loginUrl,
+        _civic_auth_logout_url: resolvedConfig.logoutUrl,
+        _civic_auth_includes: resolvedConfig.include.join(","),
+        _civic_auth_excludes: resolvedConfig.exclude.join(","),
+        _civic_auth_cookie_config: JSON.stringify(resolvedConfig.cookies)
+      })
+    });
+  };
+};
+
+// src/nextjs/routeHandler.ts
+var import_server = require("next/server.js");
+var import_cache = require("next/cache.js");
+
+// src/nextjs/NextJSSessionService.ts
+var import_headers = require("next/headers.js");
+
+// src/services/UserInfoService.ts
+var import_jwt = require("oslo/jwt");
+var UserInfoServiceImpl = class {
+  constructor(endpoints) {
+    this.endpoints = endpoints;
+  }
+  extractUserFromIdToken(idToken) {
+    const parsedJWT = (0, import_jwt.parseJWT)(idToken);
+    if (!parsedJWT) {
+      return null;
+    }
+    return parsedJWT.payload;
+  }
+  getUserInfo(accessToken, idToken) {
+    return __async(this, null, function* () {
+      if (idToken) {
+        return this.extractUserFromIdToken(idToken);
+      }
+      const userInfo = yield fetch(this.endpoints.userinfo, {
+        headers: { Authorization: `Bearer ${accessToken}` }
+      });
+      return userInfo.json();
+    });
+  }
+};
+
+// src/services/SessionService.ts
+var import_oauth2 = require("oslo/oauth2");
+var jose = __toESM(require("jose"));
+
+// src/lib/oauth.ts
+var import_uuid = require("uuid");
+var getIssuerVariations = (issuer) => {
+  const issuerWithoutSlash = issuer.endsWith("/") ? issuer.slice(0, issuer.length - 1) : issuer;
+  const issuerWithSlash = `${issuerWithoutSlash}/`;
+  return [issuerWithoutSlash, issuerWithSlash];
+};
+var addSlashIfNeeded = (url) => url.endsWith("/") ? url : `${url}/`;
+var getOauthEndpoints = (oauthServer) => __async(void 0, null, function* () {
+  const openIdConfigResponse = yield fetch(
+    `${addSlashIfNeeded(oauthServer)}.well-known/openid-configuration`
+  );
+  const openIdConfig = yield openIdConfigResponse.json();
+  return {
+    jwks: openIdConfig.jwks_uri,
+    auth: openIdConfig.authorization_endpoint,
+    token: openIdConfig.token_endpoint,
+    userinfo: openIdConfig.userinfo_endpoint
+  };
+});
+var generateState = (displayMode) => {
+  const jsonString = JSON.stringify({
+    uuid: (0, import_uuid.v4)(),
+    displayMode
+  });
+  return btoa(jsonString);
+};
+var displayModeFromState = (state, sessionDisplayMode) => {
+  try {
+    const jsonString = btoa(state);
+    return JSON.parse(jsonString).displayMode;
+  } catch (e) {
+    console.error("Failed to parse displayMode from state:", e);
+    return sessionDisplayMode;
+  }
+};
+
+// src/utils.ts
+var import_clsx = require("clsx");
+var import_tailwind_merge = require("tailwind-merge");
+var isPopupBlocked = () => {
+  const popup = window.open("", "", "width=1,height=1");
+  if (!popup) {
+    return true;
+  }
+  try {
+    if (typeof popup.closed === "undefined") {
+      throw new Error("Popup is blocked");
+    }
+  } catch (e) {
+    return true;
+  }
+  popup.close();
+  return false;
+};
+
+// src/services/SessionService.ts
+var AuthSessionServiceImpl = class {
+  constructor(clientId, redirectUrl, oauthServer, inputEndpoints) {
+    this.clientId = clientId;
+    this.redirectUrl = redirectUrl;
+    this.oauthServer = oauthServer;
+    this.inputEndpoints = inputEndpoints;
+    this.codeVerifier = void 0;
+    this.refreshTokenTimeout = null;
+    this.codeVerifier = this.getCodeVerifier();
+    this.endpoints = inputEndpoints;
+  }
+  getCodeVerifier() {
+    return (0, import_oauth2.generateCodeVerifier)();
+  }
+  getUserInfoService() {
+    return __async(this, null, function* () {
+      if (this.userInfoService) {
+        return this.userInfoService;
+      }
+      const endpoints = yield this.getEndpoints();
+      this.userInfoService = new UserInfoServiceImpl(endpoints);
+      return this.userInfoService;
+    });
+  }
+  getEndpoints() {
+    return __async(this, null, function* () {
+      var _a;
+      if ((_a = this.endpoints) == null ? void 0 : _a.auth) {
+        return this.endpoints;
+      }
+      const jwksEndpoints = yield getOauthEndpoints(this.oauthServer);
+      return this.endpoints ? __spreadValues(__spreadValues({}, this.endpoints), jwksEndpoints) : jwksEndpoints;
+    });
+  }
+  getOauth2Client() {
+    return __async(this, null, function* () {
+      if (this.oauth2Client) {
+        return this.oauth2Client;
+      }
+      const endpoints = yield this.getEndpoints();
+      this.oauth2Client = new import_oauth2.OAuth2Client(
+        this.clientId,
+        endpoints.auth,
+        endpoints.token,
+        // this
+        { redirectURI: this.redirectUrl }
+      );
+      return this.oauth2Client;
+    });
+  }
+  getSessionData() {
+    return JSON.parse(
+      localStorage.getItem(`civic-auth:${this.clientId}`) || "{}"
+    );
+  }
+  updateSessionData(data) {
+    localStorage.setItem(
+      `civic-auth:${this.clientId}`,
+      JSON.stringify(__spreadValues({}, data))
+    );
+  }
+  getUser() {
+    return JSON.parse(
+      localStorage.getItem(`civic-auth:${this.clientId}:user`) || "{}"
+    );
+  }
+  setUser(data) {
+    localStorage.setItem(
+      `civic-auth:${this.clientId}:user`,
+      JSON.stringify(data === null ? {} : data)
+    );
+  }
+  clearSessionData() {
+    localStorage.setItem(`civic-auth:${this.clientId}`, JSON.stringify({}));
+  }
+  getAuthorizationUrlWithChallenge(state, scopes) {
+    return __async(this, null, function* () {
+      var _a;
+      const oauth2Client = yield this.getOauth2Client();
+      if ((_a = this.endpoints) == null ? void 0 : _a.challenge) {
+        const challenge = yield fetch(this.endpoints.challenge).then(
+          (res) => res.json().then((data) => data.challenge)
+        );
+        const oAuthUrl2 = yield oauth2Client.createAuthorizationURL({
+          state,
+          scopes
+        });
+        oAuthUrl2.searchParams.append("code_challenge", challenge);
+        oAuthUrl2.searchParams.append("code_challenge_method", "S256");
+        return oAuthUrl2;
+      }
+      const oAuthUrl = yield oauth2Client.createAuthorizationURL({
+        state,
+        codeVerifier: this.codeVerifier,
+        codeChallengeMethod: "S256",
+        scopes
+      });
+      return oAuthUrl;
+    });
+  }
+  getAuthorizationUrl(scopes, displayMode, nonce) {
+    return __async(this, null, function* () {
+      const state = generateState(displayMode);
+      const existingSessionData = this.getSessionData();
+      this.updateSessionData(__spreadProps(__spreadValues({}, existingSessionData), {
+        codeVerifier: this.codeVerifier,
+        displayMode
+      }));
+      const oAuthUrl = yield this.getAuthorizationUrlWithChallenge(state, scopes);
+      if (nonce) {
+        oAuthUrl.searchParams.append("nonce", nonce);
+      }
+      oAuthUrl.searchParams.append("prompt", "consent");
+      return oAuthUrl.toString();
+    });
+  }
+  // TODO fix the Window reference
+  loadAuthorizationUrl(authorizationURL, displayMode) {
+    switch (displayMode) {
+      case "iframe":
+        break;
+      case "redirect":
+        window.location.href = authorizationURL;
+        break;
+      case "new_tab":
+        window.open(authorizationURL, "_blank");
+        break;
+      case "custom_tab":
+        break;
+    }
+  }
+  init() {
+    return __async(this, null, function* () {
+      this.updateSessionData({ authenticated: false });
+    });
+  }
+  determineDisplayMode(displayMode) {
+    if (isPopupBlocked() && displayMode === "iframe") {
+      displayMode = "redirect";
+    }
+    return displayMode;
+  }
+  signIn(displayMode, scopes, nonce) {
+    return __async(this, null, function* () {
+      const authorizationURL = yield this.getAuthorizationUrl(
+        scopes,
+        displayMode,
+        nonce
+      );
+      this.loadAuthorizationUrl(authorizationURL, displayMode);
+    });
+  }
+  tokenExchange(responseUrl) {
+    return __async(this, null, function* () {
+      let session = this.getSessionData();
+      if (!session.authenticated) {
+        const url = new URL(responseUrl);
+        const authorizationCode = url.searchParams.get("code");
+        const returnedState = url.searchParams.get("state");
+        if (!authorizationCode || !returnedState) {
+          throw new Error("Invalid authorization response");
+        }
+        const codeVerifier = session.codeVerifier;
+        const oauth2Client = yield this.getOauth2Client();
+        const tokens = yield oauth2Client.validateAuthorizationCode(
+          authorizationCode,
+          {
+            codeVerifier
+          }
+        );
+        try {
+          yield this.validateTokens(tokens);
+        } catch (error) {
+          console.error("tokenExchange tokens", { error, tokens });
+          throw new Error(
+            `OIDC tokens validation failed: ${error.message}`
+          );
+        }
+        const parsedDisplayMode = displayModeFromState(
+          returnedState,
+          session.displayMode
+        );
+        session = __spreadProps(__spreadValues({}, session), {
+          displayMode: parsedDisplayMode,
+          idToken: tokens.id_token,
+          authenticated: true,
+          state: returnedState,
+          accessToken: tokens.access_token,
+          refreshToken: tokens.refresh_token,
+          timestamp: Date.now(),
+          expiresIn: tokens.expires_in
+        });
+        this.updateSessionData(session);
+        const user = yield (yield this.getUserInfoService()).getUserInfo(tokens.access_token, tokens.id_token || null);
+        this.setUser(user);
+      }
+      this.setupTokenRefresh(session);
+      if (session.displayMode === "new_tab") {
+        window.close();
+      } else if (session.displayMode === "redirect") {
+      }
+      return session;
+    });
+  }
+  setupTokenRefresh(session) {
+    if (this.refreshTokenTimeout) {
+      clearTimeout(this.refreshTokenTimeout);
+    }
+    if (session.expiresIn) {
+      const elapsedTime = Date.now() - (session.timestamp || 0);
+      const remainingTime = session.expiresIn * 1e3 - elapsedTime;
+      const refreshTime = Math.max(0, remainingTime - 6e4);
+      this.refreshTokenTimeout = setTimeout(() => {
+        this.refreshToken().then((newSession) => {
+          console.log("Token refreshed successfully", newSession);
+        }).catch((error) => {
+          console.error("Failed to refresh token:", error);
+          this.updateSessionData({});
+        });
+      }, refreshTime);
+    }
+  }
+  refreshToken() {
+    return __async(this, null, function* () {
+      const sessionData = this.getSessionData();
+      if (!sessionData.refreshToken) {
+        throw new Error("No refresh token available");
+      }
+      const oauth2Client = yield this.getOauth2Client();
+      const tokens = yield oauth2Client.refreshAccessToken(
+        sessionData.refreshToken
+      );
+      const session = __spreadProps(__spreadValues({}, sessionData), {
+        idToken: tokens.id_token,
+        authenticated: true,
+        accessToken: tokens.access_token,
+        refreshToken: tokens.refresh_token,
+        timestamp: Date.now(),
+        expiresIn: tokens.expires_in
+      });
+      this.updateSessionData(session);
+      this.setupTokenRefresh(session);
+      return session;
+    });
+  }
+  getUserInfo() {
+    return __async(this, null, function* () {
+      const sessionData = this.getSessionData();
+      if (!sessionData.accessToken) {
+        throw new Error("No access token available");
+      }
+      const userInfoService = yield this.getUserInfoService();
+      return userInfoService.getUserInfo(
+        sessionData.accessToken,
+        sessionData.idToken || null
+      );
+    });
+  }
+  /**
+   * Uses the jose library to validate a JWT token using the OAuth JWKS endpoint
+   * @param {string} token
+   * @returns {Promise<jose.JWTPayload>}
+   * @throws {Error} if the token is invalid
+   */
+  validateTokens(tokens) {
+    return __async(this, null, function* () {
+      const endpoints = yield this.getEndpoints();
+      const JWKS = jose.createRemoteJWKSet(new URL(endpoints.jwks));
+      const returnPayload = {};
+      console.log("issuer", getIssuerVariations(this.oauthServer));
+      const idTokenResponse = yield jose.jwtVerify(tokens.id_token, JWKS, {
+        issuer: getIssuerVariations(this.oauthServer),
+        audience: this.clientId
+      });
+      returnPayload.idToken = idTokenResponse.payload;
+      const accessTokenResponse = yield jose.jwtVerify(
+        tokens.access_token,
+        JWKS,
+        {
+          issuer: getIssuerVariations(this.oauthServer)
+        }
+      );
+      returnPayload.accessToken = accessTokenResponse.payload;
+      if (tokens.refresh_token) {
+        returnPayload.refreshToken = tokens.refresh_token;
+      }
+      return returnPayload;
+    });
+  }
+  validateExistingSession() {
+    return __async(this, null, function* () {
+      const sessionData = this.getSessionData();
+      try {
+        if (!sessionData.idToken || !sessionData.accessToken) {
+          const unAuthenticatedSession = __spreadProps(__spreadValues({}, sessionData), { authenticated: false });
+          this.updateSessionData(unAuthenticatedSession);
+          return unAuthenticatedSession;
+        }
+        yield this.validateTokens({
+          id_token: sessionData.idToken,
+          access_token: sessionData.accessToken,
+          refresh_token: sessionData.refreshToken
+        });
+        sessionData.authenticated = true;
+        return sessionData;
+      } catch (error) {
+        console.warn("Failed to validate existing tokens", error);
+        const unAuthenticatedSession = {
+          authenticated: false
+        };
+        this.updateSessionData(unAuthenticatedSession);
+        return unAuthenticatedSession;
+      }
+    });
+  }
+};
+
+// src/nextjs/cookies.ts
+var createSecureTokenCookies = (response, sessionData, config) => {
+  var _a, _b;
+  const maxAge = (_a = sessionData.expiresIn) != null ? _a : 3600;
+  const cookieOptions = __spreadProps(__spreadValues({}, (_b = config.cookies) == null ? void 0 : _b.tokens), {
+    maxAge
+  });
+  if (sessionData.accessToken) {
+    response.cookies.set("access_token", sessionData.accessToken, __spreadProps(__spreadValues({}, cookieOptions), {
+      httpOnly: true
+    }));
+  }
+  if (sessionData.idToken) {
+    response.cookies.set("id_token", sessionData.idToken, __spreadProps(__spreadValues({}, cookieOptions), {
+      httpOnly: true
+    }));
+  }
+  if (sessionData.refreshToken) {
+    response.cookies.set("refresh_token", sessionData.refreshToken, __spreadProps(__spreadValues({}, cookieOptions), {
+      httpOnly: true
+    }));
+  }
+};
+var createUserInfoCookie = (response, user, sessionData, config) => {
+  var _a, _b, _c;
+  if (!user) {
+    response.cookies.set("user", "", __spreadProps(__spreadValues({}, (_a = config.cookies) == null ? void 0 : _a.user), {
+      maxAge: 0
+    }));
+    return;
+  }
+  const maxAge = (_b = sessionData.expiresIn) != null ? _b : 3600;
+  const frontendUser = __spreadValues({}, user);
+  response.cookies.set("user", JSON.stringify(frontendUser), __spreadProps(__spreadValues({}, (_c = config.cookies) == null ? void 0 : _c.user), {
+    maxAge
+  }));
+};
+var clearAuthCookies = (response, config) => {
+  var _a, _b;
+  const clearOptions = __spreadProps(__spreadValues({}, (_a = config.cookies) == null ? void 0 : _a.tokens), {
+    maxAge: 0
+  });
+  response.cookies.set("access_token", "", clearOptions);
+  response.cookies.set("id_token", "", clearOptions);
+  response.cookies.set("refresh_token", "", clearOptions);
+  response.cookies.set("codeVerifier", "", clearOptions);
+  response.cookies.set("user", "", __spreadProps(__spreadValues({}, (_b = config.cookies) == null ? void 0 : _b.user), {
+    maxAge: 0
+  }));
+};
+
+// src/nextjs/NextJSSessionService.ts
+var NextJSAuthSessionServiceImpl = class extends AuthSessionServiceImpl {
+  constructor(authConfig, request, response, inputEndpoints) {
+    super(
+      authConfig.clientId,
+      authConfig.callbackUrl,
+      authConfig.oauthServer,
+      inputEndpoints
+    );
+    this.authConfig = authConfig;
+    this.request = request;
+    this.response = response;
+    this.inputEndpoints = inputEndpoints;
+  }
+  getCodeVerifier() {
+    const codeVerifier = (0, import_headers.cookies)().get("codeVerifier");
+    if (!codeVerifier) {
+      throw new Error("Code verifier not found in cookies");
+    }
+    return codeVerifier.value;
+  }
+  getSessionData() {
+    var _a, _b, _c, _d;
+    const authenticated = (0, import_headers.cookies)().get("access_token") !== void 0;
+    return {
+      authenticated,
+      codeVerifier: (_a = (0, import_headers.cookies)().get("codeVerifier")) == null ? void 0 : _a.value,
+      accessToken: (_b = (0, import_headers.cookies)().get("access_token")) == null ? void 0 : _b.value,
+      idToken: (_c = (0, import_headers.cookies)().get("id_token")) == null ? void 0 : _c.value,
+      refreshToken: (_d = (0, import_headers.cookies)().get("refresh_token")) == null ? void 0 : _d.value
+    };
+  }
+  updateSessionData(data) {
+    createSecureTokenCookies(
+      this.response,
+      data,
+      this.authConfig
+    );
+  }
+  getUser() {
+    const userCookie = (0, import_headers.cookies)().get("user");
+    if (!userCookie) return null;
+    return JSON.parse(userCookie.value);
+  }
+  setUser(user) {
+    createUserInfoCookie(
+      this.response,
+      user,
+      { authenticated: true },
+      this.authConfig
+    );
+  }
+  clearSessionData() {
+    clearAuthCookies(this.response, this.authConfig);
+  }
+  // TODO fix the Window reference
+  loadAuthorizationUrl() {
+    throw new Error("Not implemented");
+  }
+  init() {
+    return __async(this, null, function* () {
+      this.updateSessionData({ authenticated: false });
+    });
+  }
+};
+
+// src/nextjs/routeHandler.ts
+var import_oauth22 = require("oslo/oauth2");
+var logger2 = loggers.nextjs.handlers.auth;
+var AuthError = class extends Error {
+  constructor(message, status = 401) {
+    super(message);
+    this.status = status;
+    this.name = "AuthError";
+  }
+};
+function generateCodeChallenge(codeVerifier) {
+  return __async(this, null, function* () {
+    const encoder = new TextEncoder();
+    const data = encoder.encode(codeVerifier);
+    const digest = yield crypto.subtle.digest("SHA-256", data);
+    return btoa(String.fromCharCode(...new Uint8Array(digest))).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
+  });
+}
+function handleChallenge() {
+  return __async(this, null, function* () {
+    const codeVerifier = (0, import_oauth22.generateCodeVerifier)();
+    console.log("handleChallenge codeVerifier", codeVerifier);
+    const challenge = yield generateCodeChallenge(codeVerifier);
+    const response = import_server.NextResponse.json({ status: "success", challenge });
+    response.cookies.set("codeVerifier", codeVerifier, {
+      httpOnly: true,
+      secure: true,
+      sameSite: "strict"
+    });
+    return response;
+  });
+}
+function handleCallback(request, config) {
+  return __async(this, null, function* () {
+    const code = request.nextUrl.searchParams.get("code");
+    if (!code) {
+      throw new AuthError("Missing authorization code");
+    }
+    try {
+      const response = new import_server.NextResponse(`<html></html>`);
+      response.headers.set("Content-Type", "text/html; charset=utf-8");
+      const resolvedConfigs = resolveAuthConfig(config);
+      const callbackUrl = new URL(
+        resolvedConfigs == null ? void 0 : resolvedConfigs.callbackUrl,
+        request.url
+      ).toString();
+      const authService = getDefaultAuthSessionService(
+        __spreadProps(__spreadValues({}, resolvedConfigs), {
+          callbackUrl
+        }),
+        request,
+        response
+      );
+      console.log("handleCallback authService", authService);
+      const tokens = yield authService.tokenExchange(request.nextUrl.toString());
+      if (!tokens.accessToken) {
+        throw new AuthError("Missing access token");
+      }
+      return response;
+    } catch (error) {
+      logger2.error("Token exchange failed:", error);
+      throw new AuthError("Failed to authenticate user", 401);
+    }
+  });
+}
+function handleLogout(request, config) {
+  return __async(this, null, function* () {
+    var _a;
+    const resolvedConfigs = resolveAuthConfig(config);
+    const path = (_a = resolvedConfigs.loginUrl) != null ? _a : "/";
+    const redirectTarget = new URL(path, request.url).toString();
+    const response = import_server.NextResponse.redirect(redirectTarget);
+    clearAuthCookies(response, resolvedConfigs);
+    try {
+      (0, import_cache.revalidatePath)(path);
+    } catch (error) {
+      logger2.warn("Failed to revalidate path after logout:", error);
+    }
+    return response;
+  });
+}
+var getDefaultAuthSessionService = (authConfig, request, response) => {
+  return new NextJSAuthSessionServiceImpl(authConfig, request, response);
+};
+function handler(authConfig = {}) {
+  return (request) => __async(this, null, function* () {
+    const config = resolveAuthConfig(authConfig);
+    try {
+      const pathname = request.nextUrl.pathname;
+      const pathSegments = pathname.split("/");
+      const lastSegment = pathSegments[pathSegments.length - 1];
+      switch (lastSegment) {
+        case "challenge":
+          return yield handleChallenge();
+        case "callback":
+          return yield handleCallback(request, config);
+        case "logout":
+          return yield handleLogout(request, config);
+        default:
+          throw new AuthError(`Invalid auth route: ${pathname}`, 404);
+      }
+    } catch (error) {
+      logger2.error("Auth handler error:", error);
+      const status = error instanceof AuthError ? error.status : 500;
+      const message = error instanceof Error ? error.message : "Authentication failed";
+      const response = import_server.NextResponse.json({ error: message }, { status });
+      clearAuthCookies(response, config);
+      return response;
+    }
+  });
+}
+
+// src/nextjs/GetUser.ts
+var import_headers2 = require("next/headers.js");
+var getUser = () => {
+  var _a;
+  const user = (_a = (0, import_headers2.cookies)().get("user")) == null ? void 0 : _a.value;
+  if (!user) return null;
+  return JSON.parse(user);
+};
+
+// src/nextjs/middleware.ts
+var import_server2 = require("next/server.js");
+var import_picomatch = __toESM(require("picomatch"));
+var matchGlob = (pathname, globPattern) => {
+  const matches = (0, import_picomatch.default)(globPattern);
+  return matches(pathname);
+};
+var matchesGlobs = (pathname, patterns) => patterns.some((pattern) => {
+  if (!pattern) return false;
+  console.log("matching", {
+    pattern,
+    pathname,
+    match: matchGlob(pathname, pattern)
+  });
+  return matchGlob(pathname, pattern);
+});
+var applyAuth = (authConfig, request) => __async(void 0, null, function* () {
+  const authConfigWithDefaults = resolveAuthConfig(authConfig);
+  const isAuthenticated = !!request.cookies.get("id_token");
+  if (request.nextUrl.pathname === authConfigWithDefaults.loginUrl) {
+    console.log("\u2192 Skipping auth check - this is the login URL");
+    return void 0;
+  }
+  if (!matchesGlobs(request.nextUrl.pathname, authConfigWithDefaults.include)) {
+    console.log("\u2192 Skipping auth check - path not in include patterns");
+    return void 0;
+  }
+  if (matchesGlobs(request.nextUrl.pathname, authConfigWithDefaults.exclude)) {
+    console.log("\u2192 Skipping auth check - path in exclude patterns");
+    return void 0;
+  }
+  if (!isAuthenticated) {
+    console.log("\u2192 No valid token found - redirecting to login");
+    const loginUrl = new URL(authConfigWithDefaults.loginUrl, request.url);
+    return import_server2.NextResponse.redirect(loginUrl);
+  }
+  console.log("\u2192 Auth check passed");
+  return void 0;
+});
+var authMiddleware = (authConfig = defaultAuthConfig) => (request) => __async(void 0, null, function* () {
+  const response = yield applyAuth(authConfig, request);
+  if (response) return response;
+  return import_server2.NextResponse.next();
+});
+function withAuth(middleware) {
+  return (request) => __async(this, null, function* () {
+    const response = yield applyAuth({}, request);
+    if (response) return response;
+    return middleware(request);
+  });
+}
+function auth(authConfig = {}) {
+  return (middleware) => {
+    return (request) => __async(this, null, function* () {
+      const response = yield applyAuth(authConfig, request);
+      if (response) return response;
+      return middleware(request);
+    });
+  };
+}
+// Annotate the CommonJS export names for ESM import in node:
+0 && (module.exports = {
+  auth,
+  authMiddleware,
+  createCivicAuthPlugin,
+  getUser,
+  handler,
+  withAuth
+});
+//# sourceMappingURL=nextjs.js.map