npm - @civic/auth - Versions diffs - 0.0.1-beta.0 → 0.0.1-beta.1 - Mend

@civic/auth 0.0.1-beta.0 → 0.0.1-beta.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (22) hide show

package/README.md +10 -10
package/dist/index-DFVNodC9.d.mts +66 -0
package/dist/index-DFVNodC9.d.ts +66 -0
package/dist/index.css +5 -5
package/dist/index.css.map +1 -1
package/dist/index.d.mts +2 -2
package/dist/index.d.ts +2 -2
package/dist/nextjs.d.mts +235 -4
package/dist/nextjs.d.ts +235 -4
package/dist/nextjs.js +848 -42
package/dist/nextjs.js.map +1 -1
package/dist/nextjs.mjs +832 -43
package/dist/nextjs.mjs.map +1 -1
package/dist/react.d.mts +71 -19
package/dist/react.d.ts +71 -19
package/dist/react.js +599 -300
package/dist/react.js.map +1 -1
package/dist/react.mjs +588 -293
package/dist/react.mjs.map +1 -1
package/package.json +22 -18
package/dist/index-yT0eVchS.d.mts +0 -52
package/dist/index-yT0eVchS.d.ts +0 -52

package/dist/nextjs.mjs CHANGED Viewed

@@ -1,4 +1,4 @@
-'use client'
+"use server";
 var __defProp = Object.defineProperty;
 var __defProps = Object.defineProperties;
 var __getOwnPropDescs = Object.getOwnPropertyDescriptors;
@@ -39,61 +39,850 @@ var __async = (__this, __arguments, generator) => {
   });
 };
-// src/nextjs/index.ts
-import { NextResponse } from "next/server";
-import { validateJWT } from "oslo/jwt";
-var defaults = {
-  loginUrl: "/"
-  // by default, redirect to the root
-};
-var redirectNoLoops = (newUrl, req) => {
-  const redirectUrl = new URL(newUrl, req.url);
-  req.nextUrl.searchParams.forEach((value, key) => {
-    redirectUrl.searchParams.append(key, value);
+// src/lib/logger.ts
+import debug from "debug";
+var PACKAGE_NAME = "@civic/auth";
+var DebugLogger = class {
+  constructor(namespace) {
+    this.debugLogger = debug(`${PACKAGE_NAME}:${namespace}:debug`);
+    this.infoLogger = debug(`${PACKAGE_NAME}:${namespace}:info`);
+    this.warnLogger = debug(`${PACKAGE_NAME}:${namespace}:warn`);
+    this.errorLogger = debug(`${PACKAGE_NAME}:${namespace}:error`);
+    this.debugLogger.color = "4";
+    this.infoLogger.color = "2";
+    this.warnLogger.color = "3";
+    this.errorLogger.color = "1";
+  }
+  debug(message, ...args) {
+    this.debugLogger(message, ...args);
+  }
+  info(message, ...args) {
+    this.infoLogger(message, ...args);
+  }
+  warn(message, ...args) {
+    this.warnLogger(message, ...args);
+  }
+  error(message, ...args) {
+    this.errorLogger(message, ...args);
+  }
+};
+var createLogger = (namespace) => new DebugLogger(namespace);
+var loggers = {
+  // Next.js specific loggers
+  nextjs: {
+    routes: createLogger("api:routes"),
+    middleware: createLogger("api:middleware"),
+    handlers: {
+      auth: createLogger("api:handlers:auth")
+    }
+  },
+  // React specific loggers
+  react: {
+    components: createLogger("react:components"),
+    hooks: createLogger("react:hooks"),
+    context: createLogger("react:context")
+  },
+  // Shared utilities loggers
+  services: {
+    validation: createLogger("utils:validation"),
+    network: createLogger("utils:network")
+  }
+};
+// src/nextjs/config.ts
+var logger = loggers.nextjs.handlers.auth;
+var defaultAuthConfig = {
+  oauthServer: "https://auth-dev.civic.com/oauth",
+  callbackUrl: "/api/auth/callback",
+  challengeUrl: "/api/auth/challenge",
+  logoutUrl: "/api/auth/logout",
+  loginUrl: "/",
+  include: ["/*"],
+  exclude: [],
+  cookies: {
+    tokens: {
+      sameSite: "strict",
+      path: "/",
+      maxAge: 60 * 60
+      // 1 hour
+    },
+    user: {
+      sameSite: "strict",
+      path: "/",
+      maxAge: 60 * 60
+      // 1 hour
+    }
+  }
+};
+var withoutUndefined = (obj) => {
+  const result = {};
+  for (const key in obj) {
+    if (obj[key] !== void 0) {
+      result[key] = obj[key];
+    }
+  }
+  return result;
+};
+var resolveAuthConfig = (config = {}) => {
+  var _a, _b, _c, _d;
+  const configFromEnv = withoutUndefined({
+    clientId: process.env._civic_auth_client_id,
+    oauthServer: process.env._civic_oauth_server,
+    callbackUrl: process.env._civic_auth_callback_url,
+    loginUrl: process.env._civic_auth_login_url,
+    logoutUrl: process.env._civic_auth_logout_url,
+    include: (_a = process.env._civic_auth_includes) == null ? void 0 : _a.split(","),
+    exclude: (_b = process.env._civic_auth_excludes) == null ? void 0 : _b.split(","),
+    cookies: process.env._civic_auth_cookie_config ? JSON.parse(process.env._civic_auth_cookie_config) : void 0
+  });
+  const mergedConfig = __spreadProps(__spreadValues(__spreadValues(__spreadValues({}, defaultAuthConfig), configFromEnv), config), {
+    // Override with directly passed config
+    cookies: {
+      tokens: __spreadValues(__spreadValues({}, defaultAuthConfig.cookies.tokens), ((_c = config.cookies) == null ? void 0 : _c.tokens) || {}),
+      user: __spreadValues(__spreadValues({}, defaultAuthConfig.cookies.user), ((_d = config.cookies) == null ? void 0 : _d.user) || {})
+    }
   });
-  if (redirectUrl.toString() !== req.url) {
-    return NextResponse.redirect(redirectUrl);
+  logger.debug("Config from environment:", configFromEnv);
+  logger.debug("Resolved config:", mergedConfig);
+  if (mergedConfig.clientId === void 0) {
+    throw new Error("Civic Auth client ID is required");
   }
+  return mergedConfig;
 };
-var authMiddleware = (config = defaults) => (req) => __async(void 0, null, function* () {
-  var _a;
-  const idToken = (_a = req.cookies.get("id_token")) == null ? void 0 : _a.value;
-  if (!idToken) {
-    return redirectNoLoops(config.loginUrl, req);
+var createCivicAuthPlugin = (clientId, authConfig = {}) => {
+  return (nextConfig) => {
+    const resolvedConfig = resolveAuthConfig(__spreadProps(__spreadValues({}, authConfig), { clientId }));
+    return __spreadProps(__spreadValues({}, nextConfig), {
+      env: __spreadProps(__spreadValues({}, nextConfig == null ? void 0 : nextConfig.env), {
+        // Internal environment variables - do not set these manually
+        _civic_auth_client_id: clientId,
+        _civic_oauth_server: resolvedConfig.oauthServer,
+        _civic_auth_callback_url: resolvedConfig.callbackUrl,
+        _civic_auth_login_url: resolvedConfig.loginUrl,
+        _civic_auth_logout_url: resolvedConfig.logoutUrl,
+        _civic_auth_includes: resolvedConfig.include.join(","),
+        _civic_auth_excludes: resolvedConfig.exclude.join(","),
+        _civic_auth_cookie_config: JSON.stringify(resolvedConfig.cookies)
+      })
+    });
+  };
+};
+// src/nextjs/routeHandler.ts
+import { NextResponse } from "next/server.js";
+import { revalidatePath } from "next/cache.js";
+// src/nextjs/NextJSSessionService.ts
+import { cookies } from "next/headers.js";
+// src/services/UserInfoService.ts
+import { parseJWT } from "oslo/jwt";
+var UserInfoServiceImpl = class {
+  constructor(endpoints) {
+    this.endpoints = endpoints;
+  }
+  extractUserFromIdToken(idToken) {
+    const parsedJWT = parseJWT(idToken);
+    if (!parsedJWT) {
+      return null;
+    }
+    return parsedJWT.payload;
+  }
+  getUserInfo(accessToken, idToken) {
+    return __async(this, null, function* () {
+      if (idToken) {
+        return this.extractUserFromIdToken(idToken);
+      }
+      const userInfo = yield fetch(this.endpoints.userinfo, {
+        headers: { Authorization: `Bearer ${accessToken}` }
+      });
+      return userInfo.json();
+    });
+  }
+};
+// src/services/SessionService.ts
+import { OAuth2Client, generateCodeVerifier } from "oslo/oauth2";
+import * as jose from "jose";
+// src/lib/oauth.ts
+import { v4 as uuid } from "uuid";
+var getIssuerVariations = (issuer) => {
+  const issuerWithoutSlash = issuer.endsWith("/") ? issuer.slice(0, issuer.length - 1) : issuer;
+  const issuerWithSlash = `${issuerWithoutSlash}/`;
+  return [issuerWithoutSlash, issuerWithSlash];
+};
+var addSlashIfNeeded = (url) => url.endsWith("/") ? url : `${url}/`;
+var getOauthEndpoints = (oauthServer) => __async(void 0, null, function* () {
+  const openIdConfigResponse = yield fetch(
+    `${addSlashIfNeeded(oauthServer)}.well-known/openid-configuration`
+  );
+  const openIdConfig = yield openIdConfigResponse.json();
+  return {
+    jwks: openIdConfig.jwks_uri,
+    auth: openIdConfig.authorization_endpoint,
+    token: openIdConfig.token_endpoint,
+    userinfo: openIdConfig.userinfo_endpoint
+  };
+});
+var generateState = (displayMode) => {
+  const jsonString = JSON.stringify({
+    uuid: uuid(),
+    displayMode
+  });
+  return btoa(jsonString);
+};
+var displayModeFromState = (state, sessionDisplayMode) => {
+  try {
+    const jsonString = btoa(state);
+    return JSON.parse(jsonString).displayMode;
+  } catch (e) {
+    console.error("Failed to parse displayMode from state:", e);
+    return sessionDisplayMode;
+  }
+};
+// src/utils.ts
+import { clsx } from "clsx";
+import { twMerge } from "tailwind-merge";
+var isPopupBlocked = () => {
+  const popup = window.open("", "", "width=1,height=1");
+  if (!popup) {
+    return true;
   }
   try {
-    const jwt = yield validateJWT(
-      "HS256",
-      Buffer.from(process.env.LOGIN_JWT_SECRET),
-      idToken
+    if (typeof popup.closed === "undefined") {
+      throw new Error("Popup is blocked");
+    }
+  } catch (e) {
+    return true;
+  }
+  popup.close();
+  return false;
+};
+// src/services/SessionService.ts
+var AuthSessionServiceImpl = class {
+  constructor(clientId, redirectUrl, oauthServer, inputEndpoints) {
+    this.clientId = clientId;
+    this.redirectUrl = redirectUrl;
+    this.oauthServer = oauthServer;
+    this.inputEndpoints = inputEndpoints;
+    this.codeVerifier = void 0;
+    this.refreshTokenTimeout = null;
+    this.codeVerifier = this.getCodeVerifier();
+    this.endpoints = inputEndpoints;
+  }
+  getCodeVerifier() {
+    return generateCodeVerifier();
+  }
+  getUserInfoService() {
+    return __async(this, null, function* () {
+      if (this.userInfoService) {
+        return this.userInfoService;
+      }
+      const endpoints = yield this.getEndpoints();
+      this.userInfoService = new UserInfoServiceImpl(endpoints);
+      return this.userInfoService;
+    });
+  }
+  getEndpoints() {
+    return __async(this, null, function* () {
+      var _a;
+      if ((_a = this.endpoints) == null ? void 0 : _a.auth) {
+        return this.endpoints;
+      }
+      const jwksEndpoints = yield getOauthEndpoints(this.oauthServer);
+      return this.endpoints ? __spreadValues(__spreadValues({}, this.endpoints), jwksEndpoints) : jwksEndpoints;
+    });
+  }
+  getOauth2Client() {
+    return __async(this, null, function* () {
+      if (this.oauth2Client) {
+        return this.oauth2Client;
+      }
+      const endpoints = yield this.getEndpoints();
+      this.oauth2Client = new OAuth2Client(
+        this.clientId,
+        endpoints.auth,
+        endpoints.token,
+        // this
+        { redirectURI: this.redirectUrl }
+      );
+      return this.oauth2Client;
+    });
+  }
+  getSessionData() {
+    return JSON.parse(
+      localStorage.getItem(`civic-auth:${this.clientId}`) || "{}"
     );
-    if (!jwt) {
-      return NextResponse.json("Malformed token", { status: 400 });
+  }
+  updateSessionData(data) {
+    localStorage.setItem(
+      `civic-auth:${this.clientId}`,
+      JSON.stringify(__spreadValues({}, data))
+    );
+  }
+  getUser() {
+    return JSON.parse(
+      localStorage.getItem(`civic-auth:${this.clientId}:user`) || "{}"
+    );
+  }
+  setUser(data) {
+    localStorage.setItem(
+      `civic-auth:${this.clientId}:user`,
+      JSON.stringify(data === null ? {} : data)
+    );
+  }
+  clearSessionData() {
+    localStorage.setItem(`civic-auth:${this.clientId}`, JSON.stringify({}));
+  }
+  getAuthorizationUrlWithChallenge(state, scopes) {
+    return __async(this, null, function* () {
+      var _a;
+      const oauth2Client = yield this.getOauth2Client();
+      if ((_a = this.endpoints) == null ? void 0 : _a.challenge) {
+        const challenge = yield fetch(this.endpoints.challenge).then(
+          (res) => res.json().then((data) => data.challenge)
+        );
+        const oAuthUrl2 = yield oauth2Client.createAuthorizationURL({
+          state,
+          scopes
+        });
+        oAuthUrl2.searchParams.append("code_challenge", challenge);
+        oAuthUrl2.searchParams.append("code_challenge_method", "S256");
+        return oAuthUrl2;
+      }
+      const oAuthUrl = yield oauth2Client.createAuthorizationURL({
+        state,
+        codeVerifier: this.codeVerifier,
+        codeChallengeMethod: "S256",
+        scopes
+      });
+      return oAuthUrl;
+    });
+  }
+  getAuthorizationUrl(scopes, displayMode, nonce) {
+    return __async(this, null, function* () {
+      const state = generateState(displayMode);
+      const existingSessionData = this.getSessionData();
+      this.updateSessionData(__spreadProps(__spreadValues({}, existingSessionData), {
+        codeVerifier: this.codeVerifier,
+        displayMode
+      }));
+      const oAuthUrl = yield this.getAuthorizationUrlWithChallenge(state, scopes);
+      if (nonce) {
+        oAuthUrl.searchParams.append("nonce", nonce);
+      }
+      oAuthUrl.searchParams.append("prompt", "consent");
+      return oAuthUrl.toString();
+    });
+  }
+  // TODO fix the Window reference
+  loadAuthorizationUrl(authorizationURL, displayMode) {
+    switch (displayMode) {
+      case "iframe":
+        break;
+      case "redirect":
+        window.location.href = authorizationURL;
+        break;
+      case "new_tab":
+        window.open(authorizationURL, "_blank");
+        break;
+      case "custom_tab":
+        break;
     }
-    if (!jwt.expiresAt) {
-      return NextResponse.json("Token missing expiration", { status: 400 });
+  }
+  init() {
+    return __async(this, null, function* () {
+      this.updateSessionData({ authenticated: false });
+    });
+  }
+  determineDisplayMode(displayMode) {
+    if (isPopupBlocked() && displayMode === "iframe") {
+      displayMode = "redirect";
+    }
+    return displayMode;
+  }
+  signIn(displayMode, scopes, nonce) {
+    return __async(this, null, function* () {
+      const authorizationURL = yield this.getAuthorizationUrl(
+        scopes,
+        displayMode,
+        nonce
+      );
+      this.loadAuthorizationUrl(authorizationURL, displayMode);
+    });
+  }
+  tokenExchange(responseUrl) {
+    return __async(this, null, function* () {
+      let session = this.getSessionData();
+      if (!session.authenticated) {
+        const url = new URL(responseUrl);
+        const authorizationCode = url.searchParams.get("code");
+        const returnedState = url.searchParams.get("state");
+        if (!authorizationCode || !returnedState) {
+          throw new Error("Invalid authorization response");
+        }
+        const codeVerifier = session.codeVerifier;
+        const oauth2Client = yield this.getOauth2Client();
+        const tokens = yield oauth2Client.validateAuthorizationCode(
+          authorizationCode,
+          {
+            codeVerifier
+          }
+        );
+        try {
+          yield this.validateTokens(tokens);
+        } catch (error) {
+          console.error("tokenExchange tokens", { error, tokens });
+          throw new Error(
+            `OIDC tokens validation failed: ${error.message}`
+          );
+        }
+        const parsedDisplayMode = displayModeFromState(
+          returnedState,
+          session.displayMode
+        );
+        session = __spreadProps(__spreadValues({}, session), {
+          displayMode: parsedDisplayMode,
+          idToken: tokens.id_token,
+          authenticated: true,
+          state: returnedState,
+          accessToken: tokens.access_token,
+          refreshToken: tokens.refresh_token,
+          timestamp: Date.now(),
+          expiresIn: tokens.expires_in
+        });
+        this.updateSessionData(session);
+        const user = yield (yield this.getUserInfoService()).getUserInfo(tokens.access_token, tokens.id_token || null);
+        this.setUser(user);
+      }
+      this.setupTokenRefresh(session);
+      if (session.displayMode === "new_tab") {
+        window.close();
+      } else if (session.displayMode === "redirect") {
+      }
+      return session;
+    });
+  }
+  setupTokenRefresh(session) {
+    if (this.refreshTokenTimeout) {
+      clearTimeout(this.refreshTokenTimeout);
     }
-    if (jwt.expiresAt.getTime() < Date.now()) {
-      return redirectNoLoops(config.loginUrl, req);
+    if (session.expiresIn) {
+      const elapsedTime = Date.now() - (session.timestamp || 0);
+      const remainingTime = session.expiresIn * 1e3 - elapsedTime;
+      const refreshTime = Math.max(0, remainingTime - 6e4);
+      this.refreshTokenTimeout = setTimeout(() => {
+        this.refreshToken().then((newSession) => {
+          console.log("Token refreshed successfully", newSession);
+        }).catch((error) => {
+          console.error("Failed to refresh token:", error);
+          this.updateSessionData({});
+        });
+      }, refreshTime);
     }
-    const token = jwt.payload;
-    if (!token.id) {
-      return NextResponse.json("Unauthorized", { status: 401 });
+  }
+  refreshToken() {
+    return __async(this, null, function* () {
+      const sessionData = this.getSessionData();
+      if (!sessionData.refreshToken) {
+        throw new Error("No refresh token available");
+      }
+      const oauth2Client = yield this.getOauth2Client();
+      const tokens = yield oauth2Client.refreshAccessToken(
+        sessionData.refreshToken
+      );
+      const session = __spreadProps(__spreadValues({}, sessionData), {
+        idToken: tokens.id_token,
+        authenticated: true,
+        accessToken: tokens.access_token,
+        refreshToken: tokens.refresh_token,
+        timestamp: Date.now(),
+        expiresIn: tokens.expires_in
+      });
+      this.updateSessionData(session);
+      this.setupTokenRefresh(session);
+      return session;
+    });
+  }
+  getUserInfo() {
+    return __async(this, null, function* () {
+      const sessionData = this.getSessionData();
+      if (!sessionData.accessToken) {
+        throw new Error("No access token available");
+      }
+      const userInfoService = yield this.getUserInfoService();
+      return userInfoService.getUserInfo(
+        sessionData.accessToken,
+        sessionData.idToken || null
+      );
+    });
+  }
+  /**
+   * Uses the jose library to validate a JWT token using the OAuth JWKS endpoint
+   * @param {string} token
+   * @returns {Promise<jose.JWTPayload>}
+   * @throws {Error} if the token is invalid
+   */
+  validateTokens(tokens) {
+    return __async(this, null, function* () {
+      const endpoints = yield this.getEndpoints();
+      const JWKS = jose.createRemoteJWKSet(new URL(endpoints.jwks));
+      const returnPayload = {};
+      console.log("issuer", getIssuerVariations(this.oauthServer));
+      const idTokenResponse = yield jose.jwtVerify(tokens.id_token, JWKS, {
+        issuer: getIssuerVariations(this.oauthServer),
+        audience: this.clientId
+      });
+      returnPayload.idToken = idTokenResponse.payload;
+      const accessTokenResponse = yield jose.jwtVerify(
+        tokens.access_token,
+        JWKS,
+        {
+          issuer: getIssuerVariations(this.oauthServer)
+        }
+      );
+      returnPayload.accessToken = accessTokenResponse.payload;
+      if (tokens.refresh_token) {
+        returnPayload.refreshToken = tokens.refresh_token;
+      }
+      return returnPayload;
+    });
+  }
+  validateExistingSession() {
+    return __async(this, null, function* () {
+      const sessionData = this.getSessionData();
+      try {
+        if (!sessionData.idToken || !sessionData.accessToken) {
+          const unAuthenticatedSession = __spreadProps(__spreadValues({}, sessionData), { authenticated: false });
+          this.updateSessionData(unAuthenticatedSession);
+          return unAuthenticatedSession;
+        }
+        yield this.validateTokens({
+          id_token: sessionData.idToken,
+          access_token: sessionData.accessToken,
+          refresh_token: sessionData.refreshToken
+        });
+        sessionData.authenticated = true;
+        return sessionData;
+      } catch (error) {
+        console.warn("Failed to validate existing tokens", error);
+        const unAuthenticatedSession = {
+          authenticated: false
+        };
+        this.updateSessionData(unAuthenticatedSession);
+        return unAuthenticatedSession;
+      }
+    });
+  }
+};
+// src/nextjs/cookies.ts
+var createSecureTokenCookies = (response, sessionData, config) => {
+  var _a, _b;
+  const maxAge = (_a = sessionData.expiresIn) != null ? _a : 3600;
+  const cookieOptions = __spreadProps(__spreadValues({}, (_b = config.cookies) == null ? void 0 : _b.tokens), {
+    maxAge
+  });
+  if (sessionData.accessToken) {
+    response.cookies.set("access_token", sessionData.accessToken, __spreadProps(__spreadValues({}, cookieOptions), {
+      httpOnly: true
+    }));
+  }
+  if (sessionData.idToken) {
+    response.cookies.set("id_token", sessionData.idToken, __spreadProps(__spreadValues({}, cookieOptions), {
+      httpOnly: true
+    }));
+  }
+  if (sessionData.refreshToken) {
+    response.cookies.set("refresh_token", sessionData.refreshToken, __spreadProps(__spreadValues({}, cookieOptions), {
+      httpOnly: true
+    }));
+  }
+};
+var createUserInfoCookie = (response, user, sessionData, config) => {
+  var _a, _b, _c;
+  if (!user) {
+    response.cookies.set("user", "", __spreadProps(__spreadValues({}, (_a = config.cookies) == null ? void 0 : _a.user), {
+      maxAge: 0
+    }));
+    return;
+  }
+  const maxAge = (_b = sessionData.expiresIn) != null ? _b : 3600;
+  const frontendUser = __spreadValues({}, user);
+  response.cookies.set("user", JSON.stringify(frontendUser), __spreadProps(__spreadValues({}, (_c = config.cookies) == null ? void 0 : _c.user), {
+    maxAge
+  }));
+};
+var clearAuthCookies = (response, config) => {
+  var _a, _b;
+  const clearOptions = __spreadProps(__spreadValues({}, (_a = config.cookies) == null ? void 0 : _a.tokens), {
+    maxAge: 0
+  });
+  response.cookies.set("access_token", "", clearOptions);
+  response.cookies.set("id_token", "", clearOptions);
+  response.cookies.set("refresh_token", "", clearOptions);
+  response.cookies.set("codeVerifier", "", clearOptions);
+  response.cookies.set("user", "", __spreadProps(__spreadValues({}, (_b = config.cookies) == null ? void 0 : _b.user), {
+    maxAge: 0
+  }));
+};
+// src/nextjs/NextJSSessionService.ts
+var NextJSAuthSessionServiceImpl = class extends AuthSessionServiceImpl {
+  constructor(authConfig, request, response, inputEndpoints) {
+    super(
+      authConfig.clientId,
+      authConfig.callbackUrl,
+      authConfig.oauthServer,
+      inputEndpoints
+    );
+    this.authConfig = authConfig;
+    this.request = request;
+    this.response = response;
+    this.inputEndpoints = inputEndpoints;
+  }
+  getCodeVerifier() {
+    const codeVerifier = cookies().get("codeVerifier");
+    if (!codeVerifier) {
+      throw new Error("Code verifier not found in cookies");
     }
-    const requestHeaders = new Headers(req.headers);
-    requestHeaders.set("x-user-id", token.id);
-    return NextResponse.next({
-      request: __spreadProps(__spreadValues({}, req), {
-        // New request headers
-        headers: requestHeaders
-      })
+    return codeVerifier.value;
+  }
+  getSessionData() {
+    var _a, _b, _c, _d;
+    const authenticated = cookies().get("access_token") !== void 0;
+    return {
+      authenticated,
+      codeVerifier: (_a = cookies().get("codeVerifier")) == null ? void 0 : _a.value,
+      accessToken: (_b = cookies().get("access_token")) == null ? void 0 : _b.value,
+      idToken: (_c = cookies().get("id_token")) == null ? void 0 : _c.value,
+      refreshToken: (_d = cookies().get("refresh_token")) == null ? void 0 : _d.value
+    };
+  }
+  updateSessionData(data) {
+    createSecureTokenCookies(
+      this.response,
+      data,
+      this.authConfig
+    );
+  }
+  getUser() {
+    const userCookie = cookies().get("user");
+    if (!userCookie) return null;
+    return JSON.parse(userCookie.value);
+  }
+  setUser(user) {
+    createUserInfoCookie(
+      this.response,
+      user,
+      { authenticated: true },
+      this.authConfig
+    );
+  }
+  clearSessionData() {
+    clearAuthCookies(this.response, this.authConfig);
+  }
+  // TODO fix the Window reference
+  loadAuthorizationUrl() {
+    throw new Error("Not implemented");
+  }
+  init() {
+    return __async(this, null, function* () {
+      this.updateSessionData({ authenticated: false });
     });
-  } catch (error) {
-    console.error("Failed to decode id_token:", error);
-    return redirectNoLoops(config.loginUrl, req);
   }
+};
+// src/nextjs/routeHandler.ts
+import { generateCodeVerifier as generateCodeVerifier2 } from "oslo/oauth2";
+var logger2 = loggers.nextjs.handlers.auth;
+var AuthError = class extends Error {
+  constructor(message, status = 401) {
+    super(message);
+    this.status = status;
+    this.name = "AuthError";
+  }
+};
+function generateCodeChallenge(codeVerifier) {
+  return __async(this, null, function* () {
+    const encoder = new TextEncoder();
+    const data = encoder.encode(codeVerifier);
+    const digest = yield crypto.subtle.digest("SHA-256", data);
+    return btoa(String.fromCharCode(...new Uint8Array(digest))).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
+  });
+}
+function handleChallenge() {
+  return __async(this, null, function* () {
+    const codeVerifier = generateCodeVerifier2();
+    console.log("handleChallenge codeVerifier", codeVerifier);
+    const challenge = yield generateCodeChallenge(codeVerifier);
+    const response = NextResponse.json({ status: "success", challenge });
+    response.cookies.set("codeVerifier", codeVerifier, {
+      httpOnly: true,
+      secure: true,
+      sameSite: "strict"
+    });
+    return response;
+  });
+}
+function handleCallback(request, config) {
+  return __async(this, null, function* () {
+    const code = request.nextUrl.searchParams.get("code");
+    if (!code) {
+      throw new AuthError("Missing authorization code");
+    }
+    try {
+      const response = new NextResponse(`<html></html>`);
+      response.headers.set("Content-Type", "text/html; charset=utf-8");
+      const resolvedConfigs = resolveAuthConfig(config);
+      const callbackUrl = new URL(
+        resolvedConfigs == null ? void 0 : resolvedConfigs.callbackUrl,
+        request.url
+      ).toString();
+      const authService = getDefaultAuthSessionService(
+        __spreadProps(__spreadValues({}, resolvedConfigs), {
+          callbackUrl
+        }),
+        request,
+        response
+      );
+      console.log("handleCallback authService", authService);
+      const tokens = yield authService.tokenExchange(request.nextUrl.toString());
+      if (!tokens.accessToken) {
+        throw new AuthError("Missing access token");
+      }
+      return response;
+    } catch (error) {
+      logger2.error("Token exchange failed:", error);
+      throw new AuthError("Failed to authenticate user", 401);
+    }
+  });
+}
+function handleLogout(request, config) {
+  return __async(this, null, function* () {
+    var _a;
+    const resolvedConfigs = resolveAuthConfig(config);
+    const path = (_a = resolvedConfigs.loginUrl) != null ? _a : "/";
+    const redirectTarget = new URL(path, request.url).toString();
+    const response = NextResponse.redirect(redirectTarget);
+    clearAuthCookies(response, resolvedConfigs);
+    try {
+      revalidatePath(path);
+    } catch (error) {
+      logger2.warn("Failed to revalidate path after logout:", error);
+    }
+    return response;
+  });
+}
+var getDefaultAuthSessionService = (authConfig, request, response) => {
+  return new NextJSAuthSessionServiceImpl(authConfig, request, response);
+};
+function handler(authConfig = {}) {
+  return (request) => __async(this, null, function* () {
+    const config = resolveAuthConfig(authConfig);
+    try {
+      const pathname = request.nextUrl.pathname;
+      const pathSegments = pathname.split("/");
+      const lastSegment = pathSegments[pathSegments.length - 1];
+      switch (lastSegment) {
+        case "challenge":
+          return yield handleChallenge();
+        case "callback":
+          return yield handleCallback(request, config);
+        case "logout":
+          return yield handleLogout(request, config);
+        default:
+          throw new AuthError(`Invalid auth route: ${pathname}`, 404);
+      }
+    } catch (error) {
+      logger2.error("Auth handler error:", error);
+      const status = error instanceof AuthError ? error.status : 500;
+      const message = error instanceof Error ? error.message : "Authentication failed";
+      const response = NextResponse.json({ error: message }, { status });
+      clearAuthCookies(response, config);
+      return response;
+    }
+  });
+}
+// src/nextjs/GetUser.ts
+import { cookies as cookies2 } from "next/headers.js";
+var getUser = () => {
+  var _a;
+  const user = (_a = cookies2().get("user")) == null ? void 0 : _a.value;
+  if (!user) return null;
+  return JSON.parse(user);
+};
+// src/nextjs/middleware.ts
+import { NextResponse as NextResponse2 } from "next/server.js";
+import picomatch from "picomatch";
+var matchGlob = (pathname, globPattern) => {
+  const matches = picomatch(globPattern);
+  return matches(pathname);
+};
+var matchesGlobs = (pathname, patterns) => patterns.some((pattern) => {
+  if (!pattern) return false;
+  console.log("matching", {
+    pattern,
+    pathname,
+    match: matchGlob(pathname, pattern)
+  });
+  return matchGlob(pathname, pattern);
+});
+var applyAuth = (authConfig, request) => __async(void 0, null, function* () {
+  const authConfigWithDefaults = resolveAuthConfig(authConfig);
+  const isAuthenticated = !!request.cookies.get("id_token");
+  if (request.nextUrl.pathname === authConfigWithDefaults.loginUrl) {
+    console.log("\u2192 Skipping auth check - this is the login URL");
+    return void 0;
+  }
+  if (!matchesGlobs(request.nextUrl.pathname, authConfigWithDefaults.include)) {
+    console.log("\u2192 Skipping auth check - path not in include patterns");
+    return void 0;
+  }
+  if (matchesGlobs(request.nextUrl.pathname, authConfigWithDefaults.exclude)) {
+    console.log("\u2192 Skipping auth check - path in exclude patterns");
+    return void 0;
+  }
+  if (!isAuthenticated) {
+    console.log("\u2192 No valid token found - redirecting to login");
+    const loginUrl = new URL(authConfigWithDefaults.loginUrl, request.url);
+    return NextResponse2.redirect(loginUrl);
+  }
+  console.log("\u2192 Auth check passed");
+  return void 0;
+});
+var authMiddleware = (authConfig = defaultAuthConfig) => (request) => __async(void 0, null, function* () {
+  const response = yield applyAuth(authConfig, request);
+  if (response) return response;
+  return NextResponse2.next();
 });
+function withAuth(middleware) {
+  return (request) => __async(this, null, function* () {
+    const response = yield applyAuth({}, request);
+    if (response) return response;
+    return middleware(request);
+  });
+}
+function auth(authConfig = {}) {
+  return (middleware) => {
+    return (request) => __async(this, null, function* () {
+      const response = yield applyAuth(authConfig, request);
+      if (response) return response;
+      return middleware(request);
+    });
+  };
+}
 export {
-  authMiddleware
+  auth,
+  authMiddleware,
+  createCivicAuthPlugin,
+  getUser,
+  handler,
+  withAuth
 };
 //# sourceMappingURL=nextjs.mjs.map