@civic/auth 0.0.1-beta.1 → 0.0.1-beta.11

package/dist/nextjs.mjs

@@ -1,824 +1,75 @@
-"use server";
-var __defProp = Object.defineProperty;
-var __defProps = Object.defineProperties;
-var __getOwnPropDescs = Object.getOwnPropertyDescriptors;
-var __getOwnPropSymbols = Object.getOwnPropertySymbols;
-var __hasOwnProp = Object.prototype.hasOwnProperty;
-var __propIsEnum = Object.prototype.propertyIsEnumerable;
-var __defNormalProp = (obj, key, value) => key in obj ? __defProp(obj, key, { enumerable: true, configurable: true, writable: true, value }) : obj[key] = value;
-var __spreadValues = (a, b) => {
-  for (var prop in b || (b = {}))
-    if (__hasOwnProp.call(b, prop))
-      __defNormalProp(a, prop, b[prop]);
-  if (__getOwnPropSymbols)
-    for (var prop of __getOwnPropSymbols(b)) {
-      if (__propIsEnum.call(b, prop))
-        __defNormalProp(a, prop, b[prop]);
-    }
-  return a;
-};
-var __spreadProps = (a, b) => __defProps(a, __getOwnPropDescs(b));
-var __async = (__this, __arguments, generator) => {
-  return new Promise((resolve, reject) => {
-    var fulfilled = (value) => {
-      try {
-        step(generator.next(value));
-      } catch (e) {
-        reject(e);
-      }
-    };
-    var rejected = (value) => {
-      try {
-        step(generator.throw(value));
-      } catch (e) {
-        reject(e);
-      }
-    };
-    var step = (x) => x.done ? resolve(x.value) : Promise.resolve(x.value).then(fulfilled, rejected);
-    step((generator = generator.apply(__this, __arguments)).next());
-  });
-};
-
-// src/lib/logger.ts
-import debug from "debug";
-var PACKAGE_NAME = "@civic/auth";
-var DebugLogger = class {
-  constructor(namespace) {
-    this.debugLogger = debug(`${PACKAGE_NAME}:${namespace}:debug`);
-    this.infoLogger = debug(`${PACKAGE_NAME}:${namespace}:info`);
-    this.warnLogger = debug(`${PACKAGE_NAME}:${namespace}:warn`);
-    this.errorLogger = debug(`${PACKAGE_NAME}:${namespace}:error`);
-    this.debugLogger.color = "4";
-    this.infoLogger.color = "2";
-    this.warnLogger.color = "3";
-    this.errorLogger.color = "1";
-  }
-  debug(message, ...args) {
-    this.debugLogger(message, ...args);
-  }
-  info(message, ...args) {
-    this.infoLogger(message, ...args);
-  }
-  warn(message, ...args) {
-    this.warnLogger(message, ...args);
-  }
-  error(message, ...args) {
-    this.errorLogger(message, ...args);
-  }
-};
-var createLogger = (namespace) => new DebugLogger(namespace);
-var loggers = {
-  // Next.js specific loggers
-  nextjs: {
-    routes: createLogger("api:routes"),
-    middleware: createLogger("api:middleware"),
-    handlers: {
-      auth: createLogger("api:handlers:auth")
-    }
-  },
-  // React specific loggers
-  react: {
-    components: createLogger("react:components"),
-    hooks: createLogger("react:hooks"),
-    context: createLogger("react:context")
-  },
-  // Shared utilities loggers
-  services: {
-    validation: createLogger("utils:validation"),
-    network: createLogger("utils:network")
-  }
-};
-
-// src/nextjs/config.ts
-var logger = loggers.nextjs.handlers.auth;
-var defaultAuthConfig = {
-  oauthServer: "https://auth-dev.civic.com/oauth",
-  callbackUrl: "/api/auth/callback",
-  challengeUrl: "/api/auth/challenge",
-  logoutUrl: "/api/auth/logout",
-  loginUrl: "/",
-  include: ["/*"],
-  exclude: [],
-  cookies: {
-    tokens: {
-      sameSite: "strict",
-      path: "/",
-      maxAge: 60 * 60
-      // 1 hour
-    },
-    user: {
-      sameSite: "strict",
-      path: "/",
-      maxAge: 60 * 60
-      // 1 hour
-    }
-  }
-};
-var withoutUndefined = (obj) => {
-  const result = {};
-  for (const key in obj) {
-    if (obj[key] !== void 0) {
-      result[key] = obj[key];
-    }
-  }
-  return result;
-};
-var resolveAuthConfig = (config = {}) => {
-  var _a, _b, _c, _d;
-  const configFromEnv = withoutUndefined({
-    clientId: process.env._civic_auth_client_id,
-    oauthServer: process.env._civic_oauth_server,
-    callbackUrl: process.env._civic_auth_callback_url,
-    loginUrl: process.env._civic_auth_login_url,
-    logoutUrl: process.env._civic_auth_logout_url,
-    include: (_a = process.env._civic_auth_includes) == null ? void 0 : _a.split(","),
-    exclude: (_b = process.env._civic_auth_excludes) == null ? void 0 : _b.split(","),
-    cookies: process.env._civic_auth_cookie_config ? JSON.parse(process.env._civic_auth_cookie_config) : void 0
-  });
-  const mergedConfig = __spreadProps(__spreadValues(__spreadValues(__spreadValues({}, defaultAuthConfig), configFromEnv), config), {
-    // Override with directly passed config
-    cookies: {
-      tokens: __spreadValues(__spreadValues({}, defaultAuthConfig.cookies.tokens), ((_c = config.cookies) == null ? void 0 : _c.tokens) || {}),
-      user: __spreadValues(__spreadValues({}, defaultAuthConfig.cookies.user), ((_d = config.cookies) == null ? void 0 : _d.user) || {})
-    }
-  });
-  logger.debug("Config from environment:", configFromEnv);
-  logger.debug("Resolved config:", mergedConfig);
-  if (mergedConfig.clientId === void 0) {
-    throw new Error("Civic Auth client ID is required");
-  }
-  return mergedConfig;
-};
-var createCivicAuthPlugin = (clientId, authConfig = {}) => {
-  return (nextConfig) => {
-    const resolvedConfig = resolveAuthConfig(__spreadProps(__spreadValues({}, authConfig), { clientId }));
-    return __spreadProps(__spreadValues({}, nextConfig), {
-      env: __spreadProps(__spreadValues({}, nextConfig == null ? void 0 : nextConfig.env), {
-        // Internal environment variables - do not set these manually
-        _civic_auth_client_id: clientId,
-        _civic_oauth_server: resolvedConfig.oauthServer,
-        _civic_auth_callback_url: resolvedConfig.callbackUrl,
-        _civic_auth_login_url: resolvedConfig.loginUrl,
-        _civic_auth_logout_url: resolvedConfig.logoutUrl,
-        _civic_auth_includes: resolvedConfig.include.join(","),
-        _civic_auth_excludes: resolvedConfig.exclude.join(","),
-        _civic_auth_cookie_config: JSON.stringify(resolvedConfig.cookies)
-      })
-    });
-  };
-};
-
-// src/nextjs/routeHandler.ts
-import { NextResponse } from "next/server.js";
-import { revalidatePath } from "next/cache.js";
+import {
+  createCivicAuthPlugin,
+  defaultAuthConfig,
+  loggers,
+  resolveAuthConfig,
+  resolveCallbackUrl
+} from "./chunk-EAANLFR5.mjs";
+import {
+  CookieStorage,
+  resolveOAuthAccessCode
+} from "./chunk-EGFTMH5S.mjs";
+import {
+  GenericPublicClientPKCEProducer,
+  GenericUserSession,
+  clearTokens,
+  getUser
+} from "./chunk-PMDIR5XE.mjs";
+import {
+  __async,
+  __spreadProps,
+  __spreadValues
+} from "./chunk-RGHW4PYM.mjs";
 
-// src/nextjs/NextJSSessionService.ts
+// src/nextjs/cookies.ts
 import { cookies } from "next/headers.js";
-
-// src/services/UserInfoService.ts
-import { parseJWT } from "oslo/jwt";
-var UserInfoServiceImpl = class {
-  constructor(endpoints) {
-    this.endpoints = endpoints;
-  }
-  extractUserFromIdToken(idToken) {
-    const parsedJWT = parseJWT(idToken);
-    if (!parsedJWT) {
-      return null;
-    }
-    return parsedJWT.payload;
-  }
-  getUserInfo(accessToken, idToken) {
-    return __async(this, null, function* () {
-      if (idToken) {
-        return this.extractUserFromIdToken(idToken);
-      }
-      const userInfo = yield fetch(this.endpoints.userinfo, {
-        headers: { Authorization: `Bearer ${accessToken}` }
-      });
-      return userInfo.json();
-    });
-  }
-};
-
-// src/services/SessionService.ts
-import { OAuth2Client, generateCodeVerifier } from "oslo/oauth2";
-import * as jose from "jose";
-
-// src/lib/oauth.ts
-import { v4 as uuid } from "uuid";
-var getIssuerVariations = (issuer) => {
-  const issuerWithoutSlash = issuer.endsWith("/") ? issuer.slice(0, issuer.length - 1) : issuer;
-  const issuerWithSlash = `${issuerWithoutSlash}/`;
-  return [issuerWithoutSlash, issuerWithSlash];
-};
-var addSlashIfNeeded = (url) => url.endsWith("/") ? url : `${url}/`;
-var getOauthEndpoints = (oauthServer) => __async(void 0, null, function* () {
-  const openIdConfigResponse = yield fetch(
-    `${addSlashIfNeeded(oauthServer)}.well-known/openid-configuration`
-  );
-  const openIdConfig = yield openIdConfigResponse.json();
-  return {
-    jwks: openIdConfig.jwks_uri,
-    auth: openIdConfig.authorization_endpoint,
-    token: openIdConfig.token_endpoint,
-    userinfo: openIdConfig.userinfo_endpoint
-  };
+var clearAuthCookies = () => __async(void 0, null, function* () {
+  const cookieStorage = new NextjsCookieStorage();
+  clearTokens(cookieStorage);
+  const clientStorage = new NextjsClientStorage();
+  const userSession = new GenericUserSession(clientStorage);
+  userSession.set(null);
 });
-var generateState = (displayMode) => {
-  const jsonString = JSON.stringify({
-    uuid: uuid(),
-    displayMode
-  });
-  return btoa(jsonString);
-};
-var displayModeFromState = (state, sessionDisplayMode) => {
-  try {
-    const jsonString = btoa(state);
-    return JSON.parse(jsonString).displayMode;
-  } catch (e) {
-    console.error("Failed to parse displayMode from state:", e);
-    return sessionDisplayMode;
-  }
-};
-
-// src/utils.ts
-import { clsx } from "clsx";
-import { twMerge } from "tailwind-merge";
-var isPopupBlocked = () => {
-  const popup = window.open("", "", "width=1,height=1");
-  if (!popup) {
-    return true;
-  }
-  try {
-    if (typeof popup.closed === "undefined") {
-      throw new Error("Popup is blocked");
-    }
-  } catch (e) {
-    return true;
-  }
-  popup.close();
-  return false;
-};
-
-// src/services/SessionService.ts
-var AuthSessionServiceImpl = class {
-  constructor(clientId, redirectUrl, oauthServer, inputEndpoints) {
-    this.clientId = clientId;
-    this.redirectUrl = redirectUrl;
-    this.oauthServer = oauthServer;
-    this.inputEndpoints = inputEndpoints;
-    this.codeVerifier = void 0;
-    this.refreshTokenTimeout = null;
-    this.codeVerifier = this.getCodeVerifier();
-    this.endpoints = inputEndpoints;
-  }
-  getCodeVerifier() {
-    return generateCodeVerifier();
-  }
-  getUserInfoService() {
-    return __async(this, null, function* () {
-      if (this.userInfoService) {
-        return this.userInfoService;
-      }
-      const endpoints = yield this.getEndpoints();
-      this.userInfoService = new UserInfoServiceImpl(endpoints);
-      return this.userInfoService;
-    });
-  }
-  getEndpoints() {
-    return __async(this, null, function* () {
-      var _a;
-      if ((_a = this.endpoints) == null ? void 0 : _a.auth) {
-        return this.endpoints;
-      }
-      const jwksEndpoints = yield getOauthEndpoints(this.oauthServer);
-      return this.endpoints ? __spreadValues(__spreadValues({}, this.endpoints), jwksEndpoints) : jwksEndpoints;
-    });
-  }
-  getOauth2Client() {
-    return __async(this, null, function* () {
-      if (this.oauth2Client) {
-        return this.oauth2Client;
-      }
-      const endpoints = yield this.getEndpoints();
-      this.oauth2Client = new OAuth2Client(
-        this.clientId,
-        endpoints.auth,
-        endpoints.token,
-        // this
-        { redirectURI: this.redirectUrl }
-      );
-      return this.oauth2Client;
-    });
-  }
-  getSessionData() {
-    return JSON.parse(
-      localStorage.getItem(`civic-auth:${this.clientId}`) || "{}"
-    );
-  }
-  updateSessionData(data) {
-    localStorage.setItem(
-      `civic-auth:${this.clientId}`,
-      JSON.stringify(__spreadValues({}, data))
-    );
-  }
-  getUser() {
-    return JSON.parse(
-      localStorage.getItem(`civic-auth:${this.clientId}:user`) || "{}"
-    );
-  }
-  setUser(data) {
-    localStorage.setItem(
-      `civic-auth:${this.clientId}:user`,
-      JSON.stringify(data === null ? {} : data)
-    );
-  }
-  clearSessionData() {
-    localStorage.setItem(`civic-auth:${this.clientId}`, JSON.stringify({}));
-  }
-  getAuthorizationUrlWithChallenge(state, scopes) {
-    return __async(this, null, function* () {
-      var _a;
-      const oauth2Client = yield this.getOauth2Client();
-      if ((_a = this.endpoints) == null ? void 0 : _a.challenge) {
-        const challenge = yield fetch(this.endpoints.challenge).then(
-          (res) => res.json().then((data) => data.challenge)
-        );
-        const oAuthUrl2 = yield oauth2Client.createAuthorizationURL({
-          state,
-          scopes
-        });
-        oAuthUrl2.searchParams.append("code_challenge", challenge);
-        oAuthUrl2.searchParams.append("code_challenge_method", "S256");
-        return oAuthUrl2;
-      }
-      const oAuthUrl = yield oauth2Client.createAuthorizationURL({
-        state,
-        codeVerifier: this.codeVerifier,
-        codeChallengeMethod: "S256",
-        scopes
-      });
-      return oAuthUrl;
-    });
-  }
-  getAuthorizationUrl(scopes, displayMode, nonce) {
-    return __async(this, null, function* () {
-      const state = generateState(displayMode);
-      const existingSessionData = this.getSessionData();
-      this.updateSessionData(__spreadProps(__spreadValues({}, existingSessionData), {
-        codeVerifier: this.codeVerifier,
-        displayMode
-      }));
-      const oAuthUrl = yield this.getAuthorizationUrlWithChallenge(state, scopes);
-      if (nonce) {
-        oAuthUrl.searchParams.append("nonce", nonce);
-      }
-      oAuthUrl.searchParams.append("prompt", "consent");
-      return oAuthUrl.toString();
-    });
-  }
-  // TODO fix the Window reference
-  loadAuthorizationUrl(authorizationURL, displayMode) {
-    switch (displayMode) {
-      case "iframe":
-        break;
-      case "redirect":
-        window.location.href = authorizationURL;
-        break;
-      case "new_tab":
-        window.open(authorizationURL, "_blank");
-        break;
-      case "custom_tab":
-        break;
-    }
-  }
-  init() {
-    return __async(this, null, function* () {
-      this.updateSessionData({ authenticated: false });
-    });
-  }
-  determineDisplayMode(displayMode) {
-    if (isPopupBlocked() && displayMode === "iframe") {
-      displayMode = "redirect";
-    }
-    return displayMode;
-  }
-  signIn(displayMode, scopes, nonce) {
-    return __async(this, null, function* () {
-      const authorizationURL = yield this.getAuthorizationUrl(
-        scopes,
-        displayMode,
-        nonce
-      );
-      this.loadAuthorizationUrl(authorizationURL, displayMode);
-    });
-  }
-  tokenExchange(responseUrl) {
-    return __async(this, null, function* () {
-      let session = this.getSessionData();
-      if (!session.authenticated) {
-        const url = new URL(responseUrl);
-        const authorizationCode = url.searchParams.get("code");
-        const returnedState = url.searchParams.get("state");
-        if (!authorizationCode || !returnedState) {
-          throw new Error("Invalid authorization response");
-        }
-        const codeVerifier = session.codeVerifier;
-        const oauth2Client = yield this.getOauth2Client();
-        const tokens = yield oauth2Client.validateAuthorizationCode(
-          authorizationCode,
-          {
-            codeVerifier
-          }
-        );
-        try {
-          yield this.validateTokens(tokens);
-        } catch (error) {
-          console.error("tokenExchange tokens", { error, tokens });
-          throw new Error(
-            `OIDC tokens validation failed: ${error.message}`
-          );
-        }
-        const parsedDisplayMode = displayModeFromState(
-          returnedState,
-          session.displayMode
-        );
-        session = __spreadProps(__spreadValues({}, session), {
-          displayMode: parsedDisplayMode,
-          idToken: tokens.id_token,
-          authenticated: true,
-          state: returnedState,
-          accessToken: tokens.access_token,
-          refreshToken: tokens.refresh_token,
-          timestamp: Date.now(),
-          expiresIn: tokens.expires_in
-        });
-        this.updateSessionData(session);
-        const user = yield (yield this.getUserInfoService()).getUserInfo(tokens.access_token, tokens.id_token || null);
-        this.setUser(user);
-      }
-      this.setupTokenRefresh(session);
-      if (session.displayMode === "new_tab") {
-        window.close();
-      } else if (session.displayMode === "redirect") {
-      }
-      return session;
-    });
-  }
-  setupTokenRefresh(session) {
-    if (this.refreshTokenTimeout) {
-      clearTimeout(this.refreshTokenTimeout);
-    }
-    if (session.expiresIn) {
-      const elapsedTime = Date.now() - (session.timestamp || 0);
-      const remainingTime = session.expiresIn * 1e3 - elapsedTime;
-      const refreshTime = Math.max(0, remainingTime - 6e4);
-      this.refreshTokenTimeout = setTimeout(() => {
-        this.refreshToken().then((newSession) => {
-          console.log("Token refreshed successfully", newSession);
-        }).catch((error) => {
-          console.error("Failed to refresh token:", error);
-          this.updateSessionData({});
-        });
-      }, refreshTime);
-    }
-  }
-  refreshToken() {
-    return __async(this, null, function* () {
-      const sessionData = this.getSessionData();
-      if (!sessionData.refreshToken) {
-        throw new Error("No refresh token available");
-      }
-      const oauth2Client = yield this.getOauth2Client();
-      const tokens = yield oauth2Client.refreshAccessToken(
-        sessionData.refreshToken
-      );
-      const session = __spreadProps(__spreadValues({}, sessionData), {
-        idToken: tokens.id_token,
-        authenticated: true,
-        accessToken: tokens.access_token,
-        refreshToken: tokens.refresh_token,
-        timestamp: Date.now(),
-        expiresIn: tokens.expires_in
-      });
-      this.updateSessionData(session);
-      this.setupTokenRefresh(session);
-      return session;
-    });
-  }
-  getUserInfo() {
-    return __async(this, null, function* () {
-      const sessionData = this.getSessionData();
-      if (!sessionData.accessToken) {
-        throw new Error("No access token available");
-      }
-      const userInfoService = yield this.getUserInfoService();
-      return userInfoService.getUserInfo(
-        sessionData.accessToken,
-        sessionData.idToken || null
-      );
-    });
-  }
-  /**
-   * Uses the jose library to validate a JWT token using the OAuth JWKS endpoint
-   * @param {string} token
-   * @returns {Promise<jose.JWTPayload>}
-   * @throws {Error} if the token is invalid
-   */
-  validateTokens(tokens) {
-    return __async(this, null, function* () {
-      const endpoints = yield this.getEndpoints();
-      const JWKS = jose.createRemoteJWKSet(new URL(endpoints.jwks));
-      const returnPayload = {};
-      console.log("issuer", getIssuerVariations(this.oauthServer));
-      const idTokenResponse = yield jose.jwtVerify(tokens.id_token, JWKS, {
-        issuer: getIssuerVariations(this.oauthServer),
-        audience: this.clientId
-      });
-      returnPayload.idToken = idTokenResponse.payload;
-      const accessTokenResponse = yield jose.jwtVerify(
-        tokens.access_token,
-        JWKS,
-        {
-          issuer: getIssuerVariations(this.oauthServer)
-        }
-      );
-      returnPayload.accessToken = accessTokenResponse.payload;
-      if (tokens.refresh_token) {
-        returnPayload.refreshToken = tokens.refresh_token;
-      }
-      return returnPayload;
-    });
-  }
-  validateExistingSession() {
-    return __async(this, null, function* () {
-      const sessionData = this.getSessionData();
-      try {
-        if (!sessionData.idToken || !sessionData.accessToken) {
-          const unAuthenticatedSession = __spreadProps(__spreadValues({}, sessionData), { authenticated: false });
-          this.updateSessionData(unAuthenticatedSession);
-          return unAuthenticatedSession;
-        }
-        yield this.validateTokens({
-          id_token: sessionData.idToken,
-          access_token: sessionData.accessToken,
-          refresh_token: sessionData.refreshToken
-        });
-        sessionData.authenticated = true;
-        return sessionData;
-      } catch (error) {
-        console.warn("Failed to validate existing tokens", error);
-        const unAuthenticatedSession = {
-          authenticated: false
-        };
-        this.updateSessionData(unAuthenticatedSession);
-        return unAuthenticatedSession;
-      }
-    });
-  }
-};
-
-// src/nextjs/cookies.ts
-var createSecureTokenCookies = (response, sessionData, config) => {
-  var _a, _b;
-  const maxAge = (_a = sessionData.expiresIn) != null ? _a : 3600;
-  const cookieOptions = __spreadProps(__spreadValues({}, (_b = config.cookies) == null ? void 0 : _b.tokens), {
-    maxAge
-  });
-  if (sessionData.accessToken) {
-    response.cookies.set("access_token", sessionData.accessToken, __spreadProps(__spreadValues({}, cookieOptions), {
+var NextjsCookieStorage = class extends CookieStorage {
+  constructor(config = {}) {
+    super(__spreadProps(__spreadValues({}, config), {
+      secure: true,
       httpOnly: true
     }));
   }
-  if (sessionData.idToken) {
-    response.cookies.set("id_token", sessionData.idToken, __spreadProps(__spreadValues({}, cookieOptions), {
-      httpOnly: true
-    }));
+  get(key) {
+    var _a;
+    return ((_a = cookies().get(key)) == null ? void 0 : _a.value) || null;
   }
-  if (sessionData.refreshToken) {
-    response.cookies.set("refresh_token", sessionData.refreshToken, __spreadProps(__spreadValues({}, cookieOptions), {
-      httpOnly: true
-    }));
+  set(key, value) {
+    cookies().set(key, value, this.settings);
   }
 };
-var createUserInfoCookie = (response, user, sessionData, config) => {
-  var _a, _b, _c;
-  if (!user) {
-    response.cookies.set("user", "", __spreadProps(__spreadValues({}, (_a = config.cookies) == null ? void 0 : _a.user), {
-      maxAge: 0
+var NextjsClientStorage = class extends CookieStorage {
+  constructor(config = {}) {
+    super(__spreadProps(__spreadValues({}, config), {
+      secure: false,
+      httpOnly: false
     }));
-    return;
   }
-  const maxAge = (_b = sessionData.expiresIn) != null ? _b : 3600;
-  const frontendUser = __spreadValues({}, user);
-  response.cookies.set("user", JSON.stringify(frontendUser), __spreadProps(__spreadValues({}, (_c = config.cookies) == null ? void 0 : _c.user), {
-    maxAge
-  }));
-};
-var clearAuthCookies = (response, config) => {
-  var _a, _b;
-  const clearOptions = __spreadProps(__spreadValues({}, (_a = config.cookies) == null ? void 0 : _a.tokens), {
-    maxAge: 0
-  });
-  response.cookies.set("access_token", "", clearOptions);
-  response.cookies.set("id_token", "", clearOptions);
-  response.cookies.set("refresh_token", "", clearOptions);
-  response.cookies.set("codeVerifier", "", clearOptions);
-  response.cookies.set("user", "", __spreadProps(__spreadValues({}, (_b = config.cookies) == null ? void 0 : _b.user), {
-    maxAge: 0
-  }));
-};
-
-// src/nextjs/NextJSSessionService.ts
-var NextJSAuthSessionServiceImpl = class extends AuthSessionServiceImpl {
-  constructor(authConfig, request, response, inputEndpoints) {
-    super(
-      authConfig.clientId,
-      authConfig.callbackUrl,
-      authConfig.oauthServer,
-      inputEndpoints
-    );
-    this.authConfig = authConfig;
-    this.request = request;
-    this.response = response;
-    this.inputEndpoints = inputEndpoints;
-  }
-  getCodeVerifier() {
-    const codeVerifier = cookies().get("codeVerifier");
-    if (!codeVerifier) {
-      throw new Error("Code verifier not found in cookies");
-    }
-    return codeVerifier.value;
-  }
-  getSessionData() {
-    var _a, _b, _c, _d;
-    const authenticated = cookies().get("access_token") !== void 0;
-    return {
-      authenticated,
-      codeVerifier: (_a = cookies().get("codeVerifier")) == null ? void 0 : _a.value,
-      accessToken: (_b = cookies().get("access_token")) == null ? void 0 : _b.value,
-      idToken: (_c = cookies().get("id_token")) == null ? void 0 : _c.value,
-      refreshToken: (_d = cookies().get("refresh_token")) == null ? void 0 : _d.value
-    };
-  }
-  updateSessionData(data) {
-    createSecureTokenCookies(
-      this.response,
-      data,
-      this.authConfig
-    );
-  }
-  getUser() {
-    const userCookie = cookies().get("user");
-    if (!userCookie) return null;
-    return JSON.parse(userCookie.value);
-  }
-  setUser(user) {
-    createUserInfoCookie(
-      this.response,
-      user,
-      { authenticated: true },
-      this.authConfig
-    );
-  }
-  clearSessionData() {
-    clearAuthCookies(this.response, this.authConfig);
-  }
-  // TODO fix the Window reference
-  loadAuthorizationUrl() {
-    throw new Error("Not implemented");
-  }
-  init() {
-    return __async(this, null, function* () {
-      this.updateSessionData({ authenticated: false });
-    });
+  get(key) {
+    var _a;
+    return ((_a = cookies().get(key)) == null ? void 0 : _a.value) || null;
   }
-};
-
-// src/nextjs/routeHandler.ts
-import { generateCodeVerifier as generateCodeVerifier2 } from "oslo/oauth2";
-var logger2 = loggers.nextjs.handlers.auth;
-var AuthError = class extends Error {
-  constructor(message, status = 401) {
-    super(message);
-    this.status = status;
-    this.name = "AuthError";
+  set(key, value) {
+    cookies().set(key, value, this.settings);
   }
 };
-function generateCodeChallenge(codeVerifier) {
-  return __async(this, null, function* () {
-    const encoder = new TextEncoder();
-    const data = encoder.encode(codeVerifier);
-    const digest = yield crypto.subtle.digest("SHA-256", data);
-    return btoa(String.fromCharCode(...new Uint8Array(digest))).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
-  });
-}
-function handleChallenge() {
-  return __async(this, null, function* () {
-    const codeVerifier = generateCodeVerifier2();
-    console.log("handleChallenge codeVerifier", codeVerifier);
-    const challenge = yield generateCodeChallenge(codeVerifier);
-    const response = NextResponse.json({ status: "success", challenge });
-    response.cookies.set("codeVerifier", codeVerifier, {
-      httpOnly: true,
-      secure: true,
-      sameSite: "strict"
-    });
-    return response;
-  });
-}
-function handleCallback(request, config) {
-  return __async(this, null, function* () {
-    const code = request.nextUrl.searchParams.get("code");
-    if (!code) {
-      throw new AuthError("Missing authorization code");
-    }
-    try {
-      const response = new NextResponse(`<html></html>`);
-      response.headers.set("Content-Type", "text/html; charset=utf-8");
-      const resolvedConfigs = resolveAuthConfig(config);
-      const callbackUrl = new URL(
-        resolvedConfigs == null ? void 0 : resolvedConfigs.callbackUrl,
-        request.url
-      ).toString();
-      const authService = getDefaultAuthSessionService(
-        __spreadProps(__spreadValues({}, resolvedConfigs), {
-          callbackUrl
-        }),
-        request,
-        response
-      );
-      console.log("handleCallback authService", authService);
-      const tokens = yield authService.tokenExchange(request.nextUrl.toString());
-      if (!tokens.accessToken) {
-        throw new AuthError("Missing access token");
-      }
-      return response;
-    } catch (error) {
-      logger2.error("Token exchange failed:", error);
-      throw new AuthError("Failed to authenticate user", 401);
-    }
-  });
-}
-function handleLogout(request, config) {
-  return __async(this, null, function* () {
-    var _a;
-    const resolvedConfigs = resolveAuthConfig(config);
-    const path = (_a = resolvedConfigs.loginUrl) != null ? _a : "/";
-    const redirectTarget = new URL(path, request.url).toString();
-    const response = NextResponse.redirect(redirectTarget);
-    clearAuthCookies(response, resolvedConfigs);
-    try {
-      revalidatePath(path);
-    } catch (error) {
-      logger2.warn("Failed to revalidate path after logout:", error);
-    }
-    return response;
-  });
-}
-var getDefaultAuthSessionService = (authConfig, request, response) => {
-  return new NextJSAuthSessionServiceImpl(authConfig, request, response);
-};
-function handler(authConfig = {}) {
-  return (request) => __async(this, null, function* () {
-    const config = resolveAuthConfig(authConfig);
-    try {
-      const pathname = request.nextUrl.pathname;
-      const pathSegments = pathname.split("/");
-      const lastSegment = pathSegments[pathSegments.length - 1];
-      switch (lastSegment) {
-        case "challenge":
-          return yield handleChallenge();
-        case "callback":
-          return yield handleCallback(request, config);
-        case "logout":
-          return yield handleLogout(request, config);
-        default:
-          throw new AuthError(`Invalid auth route: ${pathname}`, 404);
-      }
-    } catch (error) {
-      logger2.error("Auth handler error:", error);
-      const status = error instanceof AuthError ? error.status : 500;
-      const message = error instanceof Error ? error.message : "Authentication failed";
-      const response = NextResponse.json({ error: message }, { status });
-      clearAuthCookies(response, config);
-      return response;
-    }
-  });
-}
 
 // src/nextjs/GetUser.ts
-import { cookies as cookies2 } from "next/headers.js";
-var getUser = () => {
-  var _a;
-  const user = (_a = cookies2().get("user")) == null ? void 0 : _a.value;
-  if (!user) return null;
-  return JSON.parse(user);
+var getUser2 = () => {
+  const clientStorage = new NextjsClientStorage();
+  const userSession = new GenericUserSession(clientStorage);
+  return userSession.get();
 };
 
 // src/nextjs/middleware.ts
-import { NextResponse as NextResponse2 } from "next/server.js";
+import { NextResponse } from "next/server.js";
 import picomatch from "picomatch";
 var matchGlob = (pathname, globPattern) => {
   const matches = picomatch(globPattern);
@@ -851,7 +102,7 @@ var applyAuth = (authConfig, request) => __async(void 0, null, function* () {
   if (!isAuthenticated) {
     console.log("\u2192 No valid token found - redirecting to login");
     const loginUrl = new URL(authConfigWithDefaults.loginUrl, request.url);
-    return NextResponse2.redirect(loginUrl);
+    return NextResponse.redirect(loginUrl);
   }
   console.log("\u2192 Auth check passed");
   return void 0;
@@ -859,7 +110,7 @@ var applyAuth = (authConfig, request) => __async(void 0, null, function* () {
 var authMiddleware = (authConfig = defaultAuthConfig) => (request) => __async(void 0, null, function* () {
   const response = yield applyAuth(authConfig, request);
   if (response) return response;
-  return NextResponse2.next();
+  return NextResponse.next();
 });
 function withAuth(middleware) {
   return (request) => __async(this, null, function* () {
@@ -877,11 +128,117 @@ function auth(authConfig = {}) {
     });
   };
 }
+
+// src/nextjs/routeHandler.ts
+import { NextResponse as NextResponse2 } from "next/server.js";
+import { revalidatePath } from "next/cache.js";
+var logger = loggers.nextjs.handlers.auth;
+var AuthError = class extends Error {
+  constructor(message, status = 401) {
+    super(message);
+    this.status = status;
+    this.name = "AuthError";
+  }
+};
+function handleChallenge() {
+  return __async(this, null, function* () {
+    const cookieStorage = new NextjsCookieStorage();
+    const pkceProducer = new GenericPublicClientPKCEProducer(cookieStorage);
+    const challenge = yield pkceProducer.getCodeChallenge();
+    return NextResponse2.json({ status: "success", challenge });
+  });
+}
+function handleCallback(request, config) {
+  return __async(this, null, function* () {
+    const tokenExchange = request.nextUrl.searchParams.get("tokenExchange");
+    if (!tokenExchange) {
+      const response2 = new NextResponse2(`<html></html>`);
+      response2.headers.set("Content-Type", "text/html; charset=utf-8");
+      return response2;
+    }
+    const code = request.nextUrl.searchParams.get("code");
+    const state = request.nextUrl.searchParams.get("state");
+    if (!code || !state) throw new AuthError("Bad parameters", 400);
+    const cookieStorage = new NextjsCookieStorage();
+    const resolvedConfigs = resolveAuthConfig(config);
+    const callbackUrl = resolveCallbackUrl(resolvedConfigs, request.url);
+    try {
+      yield resolveOAuthAccessCode(code, state, cookieStorage, __spreadProps(__spreadValues({}, resolvedConfigs), {
+        redirectUrl: callbackUrl
+      }));
+    } catch (error) {
+      logger.error("Token exchange failed:", error);
+      throw new AuthError("Failed to authenticate user", 401);
+    }
+    const user = yield getUser(cookieStorage);
+    if (!user) {
+      throw new AuthError("Failed to get user info", 401);
+    }
+    const clientStorage = new NextjsClientStorage();
+    const userSession = new GenericUserSession(clientStorage);
+    userSession.set(user);
+    const response = new NextResponse2(`<html></html>`);
+    response.headers.set("Content-Type", "text/html; charset=utf-8");
+    return response;
+  });
+}
+var getAbsoluteRedirectPath = (redirectPath, currentBasePath) => {
+  if (/^(https?:\/\/|www\.).+/i.test(redirectPath)) {
+    return redirectPath;
+  }
+  return new URL(redirectPath, currentBasePath).href;
+};
+function handleLogout(request, config) {
+  return __async(this, null, function* () {
+    var _a;
+    const resolvedConfigs = resolveAuthConfig(config);
+    const defaultRedirectPath = (_a = resolvedConfigs.loginUrl) != null ? _a : "/";
+    const redirectTarget = new URL(request.url).searchParams.get("redirect") || defaultRedirectPath;
+    const isAbsoluteRedirect = /^(https?:\/\/|www\.).+/i.test(redirectTarget);
+    const finalRedirectUrl = getAbsoluteRedirectPath(
+      redirectTarget,
+      new URL(request.url).origin
+    );
+    const response = NextResponse2.redirect(finalRedirectUrl);
+    clearAuthCookies();
+    try {
+      revalidatePath(isAbsoluteRedirect ? finalRedirectUrl : redirectTarget);
+    } catch (error) {
+      logger.warn("Failed to revalidate path after logout:", error);
+    }
+    return response;
+  });
+}
+var handler = (authConfig = {}) => (request) => __async(void 0, null, function* () {
+  const config = resolveAuthConfig(authConfig);
+  try {
+    const pathname = request.nextUrl.pathname;
+    const pathSegments = pathname.split("/");
+    const lastSegment = pathSegments[pathSegments.length - 1];
+    switch (lastSegment) {
+      case "challenge":
+        return yield handleChallenge();
+      case "callback":
+        return yield handleCallback(request, config);
+      case "logout":
+        return yield handleLogout(request, config);
+      default:
+        throw new AuthError(`Invalid auth route: ${pathname}`, 404);
+    }
+  } catch (error) {
+    logger.error("Auth handler error:", error);
+    const status = error instanceof AuthError ? error.status : 500;
+    const message = error instanceof Error ? error.message : "Authentication failed";
+    const response = NextResponse2.json({ error: message }, { status });
+    clearAuthCookies();
+    return response;
+  }
+});
 export {
   auth,
   authMiddleware,
   createCivicAuthPlugin,
-  getUser,
+  getUser2 as getUser,
   handler,
   withAuth
 };