@civic/auth 0.0.1-beta.1 → 0.0.1-beta.11

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (45) hide show
  1. package/README.md +26 -0
  2. package/dist/chunk-CRTRMMJ7.js +59 -0
  3. package/dist/chunk-CRTRMMJ7.js.map +1 -0
  4. package/dist/chunk-EAANLFR5.mjs +148 -0
  5. package/dist/chunk-EAANLFR5.mjs.map +1 -0
  6. package/dist/chunk-EGFTMH5S.mjs +214 -0
  7. package/dist/chunk-EGFTMH5S.mjs.map +1 -0
  8. package/dist/chunk-KCSGIIPA.js +214 -0
  9. package/dist/chunk-KCSGIIPA.js.map +1 -0
  10. package/dist/chunk-MVO4UZ2A.js +148 -0
  11. package/dist/chunk-MVO4UZ2A.js.map +1 -0
  12. package/dist/chunk-PMDIR5XE.mjs +502 -0
  13. package/dist/chunk-PMDIR5XE.mjs.map +1 -0
  14. package/dist/chunk-RGHW4PYM.mjs +59 -0
  15. package/dist/chunk-RGHW4PYM.mjs.map +1 -0
  16. package/dist/chunk-YNLXRD5L.js +502 -0
  17. package/dist/chunk-YNLXRD5L.js.map +1 -0
  18. package/dist/{index-DFVNodC9.d.mts → index-Bfi0hVMZ.d.mts} +5 -13
  19. package/dist/{index-DFVNodC9.d.ts → index-Bfi0hVMZ.d.ts} +5 -13
  20. package/dist/index.css +63 -63
  21. package/dist/index.css.map +1 -1
  22. package/dist/index.d.mts +1 -1
  23. package/dist/index.d.ts +1 -1
  24. package/dist/index.js +1 -19
  25. package/dist/index.js.map +1 -1
  26. package/dist/index.mjs +1 -1
  27. package/dist/nextjs.d.mts +22 -37
  28. package/dist/nextjs.d.ts +22 -37
  29. package/dist/nextjs.js +166 -848
  30. package/dist/nextjs.js.map +1 -1
  31. package/dist/nextjs.mjs +162 -805
  32. package/dist/nextjs.mjs.map +1 -1
  33. package/dist/react.d.mts +42 -58
  34. package/dist/react.d.ts +42 -58
  35. package/dist/react.js +668 -1103
  36. package/dist/react.js.map +1 -1
  37. package/dist/react.mjs +608 -1005
  38. package/dist/react.mjs.map +1 -1
  39. package/dist/server.d.mts +56 -0
  40. package/dist/server.d.ts +56 -0
  41. package/dist/server.js +20 -0
  42. package/dist/server.js.map +1 -0
  43. package/dist/server.mjs +20 -0
  44. package/dist/server.mjs.map +1 -0
  45. package/package.json +28 -18
package/dist/nextjs.mjs.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"sources":["../src/lib/logger.ts","../src/nextjs/config.ts","../src/nextjs/routeHandler.ts","../src/nextjs/NextJSSessionService.ts","../src/services/UserInfoService.ts","../src/services/SessionService.ts","../src/lib/oauth.ts","../src/utils.ts","../src/nextjs/cookies.ts","../src/nextjs/GetUser.ts","../src/nextjs/middleware.ts"],"sourcesContent":["import debug from \"debug\";\n\nconst PACKAGE_NAME = \"@civic/auth\";\n\nexport interface Logger {\n debug(message: string, ...args: unknown[]): void;\n info(message: string, ...args: unknown[]): void;\n warn(message: string, ...args: unknown[]): void;\n error(message: string, ...args: unknown[]): void;\n}\n\nclass DebugLogger implements Logger {\n private debugLogger: debug.Debugger;\n private infoLogger: debug.Debugger;\n private warnLogger: debug.Debugger;\n private errorLogger: debug.Debugger;\n\n constructor(namespace: string) {\n // Format: @org/package:library:component:level\n this.debugLogger = debug(`${PACKAGE_NAME}:${namespace}:debug`);\n this.infoLogger = debug(`${PACKAGE_NAME}:${namespace}:info`);\n this.warnLogger = debug(`${PACKAGE_NAME}:${namespace}:warn`);\n this.errorLogger = debug(`${PACKAGE_NAME}:${namespace}:error`);\n\n this.debugLogger.color = \"4\";\n this.infoLogger.color = \"2\";\n this.warnLogger.color = \"3\";\n this.errorLogger.color = \"1\";\n }\n\n debug(message: string, ...args: unknown[]): void {\n this.debugLogger(message, ...args);\n }\n\n info(message: string, ...args: unknown[]): void {\n this.infoLogger(message, ...args);\n }\n\n warn(message: string, ...args: unknown[]): void {\n this.warnLogger(message, ...args);\n }\n\n error(message: string, ...args: unknown[]): void {\n this.errorLogger(message, ...args);\n }\n}\n\nexport const createLogger = (namespace: string): Logger =>\n new DebugLogger(namespace);\n\n// Pre-configured loggers for different parts of your package\nexport const loggers = {\n // Next.js specific loggers\n nextjs: {\n routes: createLogger(\"api:routes\"),\n middleware: createLogger(\"api:middleware\"),\n handlers: {\n auth: createLogger(\"api:handlers:auth\"),\n },\n },\n // React specific loggers\n react: {\n components: createLogger(\"react:components\"),\n hooks: createLogger(\"react:hooks\"),\n context: createLogger(\"react:context\"),\n },\n // Shared utilities loggers\n services: {\n validation: createLogger(\"utils:validation\"),\n network: createLogger(\"utils:network\"),\n },\n} as const;\n","/* eslint-disable turbo/no-undeclared-env-vars */\n\"use server\";\nimport { NextConfig } from \"next\";\nimport { loggers } from \"@/lib/logger\";\n\nconst logger = loggers.nextjs.handlers.auth;\n\nexport interface CookieConfig {\n secure?: boolean;\n sameSite?: \"strict\" | \"lax\" | \"none\";\n domain?: string;\n path?: string;\n maxAge?: number;\n}\n\nexport type AuthConfigWithDefaults = {\n clientId: string;\n oauthServer: string;\n callbackUrl: string;\n loginUrl: string;\n logoutUrl: string;\n challengeUrl: string;\n include: string[];\n exclude: string[];\n cookies: {\n tokens: CookieConfig;\n user: CookieConfig;\n };\n};\n\nexport type AuthConfig = Partial<AuthConfigWithDefaults>;\n\nexport type DefinedAuthConfig = AuthConfigWithDefaults;\n\n/**\n * Default configuration values that will be used if not overridden\n */\nexport const defaultAuthConfig: Omit<AuthConfigWithDefaults, \"clientId\"> = {\n oauthServer: \"https://auth-dev.civic.com/oauth\",\n callbackUrl: \"/api/auth/callback\",\n challengeUrl: \"/api/auth/challenge\",\n logoutUrl: \"/api/auth/logout\",\n loginUrl: \"/\",\n include: [\"/*\"],\n exclude: [],\n cookies: {\n tokens: {\n sameSite: \"strict\",\n path: \"/\",\n maxAge: 60 * 60, // 1 hour\n },\n user: {\n sameSite: \"strict\",\n path: \"/\",\n maxAge: 60 * 60, // 1 hour\n },\n },\n};\n\nconst withoutUndefined = <T extends { [k: string]: unknown }>(\n obj: T,\n): Partial<T> => {\n const result: Partial<T> = {};\n for (const key in obj) {\n if (obj[key] !== undefined) {\n result[key] = obj[key];\n }\n }\n return result;\n};\n\n/**\n * Resolves the authentication configuration by combining:\n * 1. Default values\n * 2. Environment variables (set internally by the plugin)\n * 3. Explicitly passed configuration\n *\n * Note: Developers should not set _civic_auth_* environment variables directly.\n * Instead, pass configuration to the createCivicAuthPlugin in next.config.js:\n *\n * @example\n * ```js\n * // next.config.js\n * export default createCivicAuthPlugin({\n * callbackUrl: '/custom/callback',\n * })\n * ```\n */\nexport const resolveAuthConfig = (\n config: AuthConfig = {},\n): AuthConfigWithDefaults & { clientId: string } => {\n // Read configuration that was set by the plugin via environment variables\n const configFromEnv = withoutUndefined({\n clientId: process.env._civic_auth_client_id,\n oauthServer: process.env._civic_oauth_server,\n callbackUrl: process.env._civic_auth_callback_url,\n loginUrl: process.env._civic_auth_login_url,\n logoutUrl: process.env._civic_auth_logout_url,\n include: process.env._civic_auth_includes?.split(\",\"),\n exclude: process.env._civic_auth_excludes?.split(\",\"),\n cookies: process.env._civic_auth_cookie_config\n ? JSON.parse(process.env._civic_auth_cookie_config)\n : undefined,\n });\n\n const mergedConfig = {\n ...defaultAuthConfig,\n ...configFromEnv, // Apply plugin-set config\n ...config, // Override with directly passed config\n cookies: {\n tokens: {\n ...defaultAuthConfig.cookies.tokens,\n ...(config.cookies?.tokens || {}),\n },\n user: {\n ...defaultAuthConfig.cookies.user,\n ...(config.cookies?.user || {}),\n },\n },\n };\n\n logger.debug(\"Config from environment:\", configFromEnv);\n logger.debug(\"Resolved config:\", mergedConfig);\n if (mergedConfig.clientId === undefined) {\n throw new Error(\"Civic Auth client ID is required\");\n }\n return mergedConfig as AuthConfigWithDefaults & { clientId: string };\n};\n\n/**\n * Creates a Next.js plugin that handles auth configuration.\n *\n * This is the main configuration point for the auth system.\n * Do not set _civic_auth_* environment variables directly - instead,\n * pass your configuration here:\n *\n * @example\n * ```js\n * // next.config.js\n * export tefault createCivicAuthPlugin({\n * clientId: 'my-client-id',\n * callbackUrl: '/custom/callback',\n * loginUrl: '/custom/login',\n * logoutUrl: '/custom/logout',\n * include: ['/protected/*'],\n * exclude: ['/public/*']\n * })\n * ```\n *\n * The plugin sets internal environment variables that are used by\n * the auth system. These variables should not be set manually.\n */\nexport const createCivicAuthPlugin = (\n clientId: string,\n authConfig: AuthConfig = {},\n) => {\n return (nextConfig?: NextConfig) => {\n const resolvedConfig = resolveAuthConfig({ ...authConfig, clientId });\n return {\n ...nextConfig,\n env: {\n ...nextConfig?.env,\n // Internal environment variables - do not set these manually\n _civic_auth_client_id: clientId,\n _civic_oauth_server: resolvedConfig.oauthServer,\n _civic_auth_callback_url: resolvedConfig.callbackUrl,\n _civic_auth_login_url: resolvedConfig.loginUrl,\n _civic_auth_logout_url: resolvedConfig.logoutUrl,\n _civic_auth_includes: resolvedConfig.include.join(\",\"),\n _civic_auth_excludes: resolvedConfig.exclude.join(\",\"),\n _civic_auth_cookie_config: JSON.stringify(resolvedConfig.cookies),\n },\n };\n };\n};\n","\"use server\";\nimport { NextRequest, NextResponse } from \"next/server.js\";\nimport { revalidatePath } from \"next/cache.js\";\nimport {\n AuthConfig,\n DefinedAuthConfig,\n resolveAuthConfig,\n} from \"@/nextjs/config.js\";\nimport { loggers } from \"@/lib/logger.js\";\nimport { AuthSessionService } from \"@/types\";\nimport { NextJSAuthSessionServiceImpl } from \"./NextJSSessionService.js\";\nimport { clearAuthCookies } from \"./cookies.js\";\nimport { generateCodeVerifier } from \"oslo/oauth2\";\n\nconst logger = loggers.nextjs.handlers.auth;\n\nclass AuthError extends Error {\n constructor(\n message: string,\n public readonly status: number = 401,\n ) {\n super(message);\n this.name = \"AuthError\";\n }\n}\n\nasync function generateCodeChallenge(codeVerifier: string) {\n const encoder = new TextEncoder();\n const data = encoder.encode(codeVerifier);\n const digest = await crypto.subtle.digest(\"SHA-256\", data);\n return btoa(String.fromCharCode(...new Uint8Array(digest)))\n .replace(/\\+/g, \"-\")\n .replace(/\\//g, \"_\")\n .replace(/=+$/, \"\");\n}\n/**\n * create a code verifier and challenge for PKCE\n * saving the verifier in a cookie for later use\n * @returns {Promise<NextResponse>}\n */\nasync function handleChallenge(): Promise<NextResponse> {\n const codeVerifier = generateCodeVerifier();\n console.log(\"handleChallenge codeVerifier\", codeVerifier);\n const challenge = await generateCodeChallenge(codeVerifier);\n const response = NextResponse.json({ status: \"success\", challenge });\n response.cookies.set(\"codeVerifier\", codeVerifier, {\n httpOnly: true,\n secure: true,\n sameSite: \"strict\",\n });\n return response;\n}\nasync function handleCallback(\n request: NextRequest,\n config: AuthConfig,\n): Promise<NextResponse> {\n const code = request.nextUrl.searchParams.get(\"code\");\n if (!code) {\n throw new AuthError(\"Missing authorization code\");\n }\n\n try {\n // return an empty HTML response so the iframe doesn't show any response\n // in the short moment between the redirect and the parent window\n // acknowledging the redirect and closing the iframe\n const response = new NextResponse(`<html></html>`);\n response.headers.set(\"Content-Type\", \"text/html; charset=utf-8\");\n\n const resolvedConfigs = resolveAuthConfig(config);\n const callbackUrl = new URL(\n resolvedConfigs?.callbackUrl,\n request.url,\n ).toString();\n\n const authService = getDefaultAuthSessionService(\n {\n ...resolvedConfigs,\n callbackUrl,\n },\n request,\n response,\n );\n console.log(\"handleCallback authService\", authService);\n const tokens = await authService.tokenExchange(request.nextUrl.toString());\n\n if (!tokens.accessToken) {\n throw new AuthError(\"Missing access token\");\n }\n\n return response;\n } catch (error) {\n logger.error(\"Token exchange failed:\", error);\n throw new AuthError(\"Failed to authenticate user\", 401);\n }\n}\n\nasync function handleLogout(\n request: NextRequest,\n config: AuthConfig,\n): Promise<NextResponse> {\n const resolvedConfigs = resolveAuthConfig(config);\n const path = resolvedConfigs.loginUrl ?? \"/\";\n const redirectTarget = new URL(path, request.url).toString();\n\n const response = NextResponse.redirect(redirectTarget);\n clearAuthCookies(response, resolvedConfigs);\n\n try {\n revalidatePath(path);\n } catch (error) {\n logger.warn(\"Failed to revalidate path after logout:\", error);\n }\n\n return response;\n}\n\nconst getDefaultAuthSessionService = (\n authConfig: DefinedAuthConfig,\n request?: NextRequest,\n response?: NextResponse,\n): AuthSessionService => {\n return new NextJSAuthSessionServiceImpl(authConfig, request, response);\n};\n\n/**\n * Creates an authentication handler for Next.js API routes\n *\n * Usage:\n * ```ts\n * // app/api/auth/[...civicauth]/route.ts\n * import { handler } from '@civic/auth/nextjs'\n * export const GET = handler({\n * // optional config overrides\n * })\n * ```\n */\nfunction handler(authConfig: AuthConfig = {}) {\n return async (request: NextRequest): Promise<NextResponse> => {\n const config = resolveAuthConfig(authConfig);\n\n try {\n const pathname = request.nextUrl.pathname;\n const pathSegments = pathname.split(\"/\");\n const lastSegment = pathSegments[pathSegments.length - 1];\n\n switch (lastSegment) {\n case \"challenge\":\n return await handleChallenge();\n case \"callback\":\n return await handleCallback(request, config);\n case \"logout\":\n return await handleLogout(request, config);\n default:\n throw new AuthError(`Invalid auth route: ${pathname}`, 404);\n }\n } catch (error) {\n logger.error(\"Auth handler error:\", error);\n\n const status = error instanceof AuthError ? error.status : 500;\n const message =\n error instanceof Error ? error.message : \"Authentication failed\";\n\n const response = NextResponse.json({ error: message }, { status });\n\n clearAuthCookies(response, config);\n return response;\n }\n };\n}\n\nexport { handler };\n","\"use server\";\nimport { cookies } from \"next/headers.js\";\nimport { SessionData, UnknownObject, Endpoints, User } from \"../types.js\";\nimport { NextRequest, NextResponse } from \"next/server.js\";\nimport { AuthConfigWithDefaults } from \"./config.js\";\nimport { AuthSessionServiceImpl } from \"@/services\";\nimport {\n clearAuthCookies,\n createSecureTokenCookies,\n createUserInfoCookie,\n} from \"./cookies.js\";\n\nexport type StorageInterface = {\n get(): SessionData;\n getUser(): User<UnknownObject> | null;\n set(data: Partial<SessionData>): void;\n setUser(data: User<UnknownObject> | null): void;\n clear(): void;\n};\n\nexport class NextJSAuthSessionServiceImpl extends AuthSessionServiceImpl {\n constructor(\n readonly authConfig: AuthConfigWithDefaults,\n readonly request: NextRequest | undefined,\n readonly response: NextResponse | undefined,\n readonly inputEndpoints?: Endpoints | undefined,\n ) {\n super(\n authConfig.clientId,\n authConfig.callbackUrl,\n authConfig.oauthServer,\n inputEndpoints,\n );\n }\n\n protected getCodeVerifier(): string {\n const codeVerifier = cookies().get(\"codeVerifier\");\n if (!codeVerifier) {\n throw new Error(\"Code verifier not found in cookies\");\n }\n return codeVerifier.value;\n }\n\n getSessionData(): SessionData {\n const authenticated = cookies().get(\"access_token\") !== undefined;\n return {\n authenticated,\n codeVerifier: cookies().get(\"codeVerifier\")?.value,\n accessToken: cookies().get(\"access_token\")?.value,\n idToken: cookies().get(\"id_token\")?.value,\n refreshToken: cookies().get(\"refresh_token\")?.value,\n };\n }\n\n updateSessionData(data: Partial<SessionData>): void {\n createSecureTokenCookies(\n this.response as NextResponse,\n data as SessionData,\n this.authConfig,\n );\n }\n\n getUser(): User<UnknownObject> | null {\n const userCookie = cookies().get(\"user\");\n if (!userCookie) return null;\n return JSON.parse(userCookie.value);\n }\n\n setUser(user: User<UnknownObject> | null): void {\n createUserInfoCookie(\n this.response as NextResponse,\n user,\n { authenticated: true },\n this.authConfig,\n );\n }\n\n clearSessionData(): void {\n clearAuthCookies(this.response as NextResponse, this.authConfig);\n }\n\n // TODO fix the Window reference\n loadAuthorizationUrl() {\n throw new Error(\"Not implemented\");\n }\n\n async init(): Promise<void> {\n this.updateSessionData({ authenticated: false });\n }\n}\n","import { UserInfoService, Endpoints } from \"@/types\";\nimport { parseJWT } from \"oslo/jwt\";\n\nexport class UserInfoServiceImpl implements UserInfoService {\n constructor(private endpoints: Endpoints) {}\n\n extractUserFromIdToken<T>(idToken: string): T | null {\n const parsedJWT = parseJWT(idToken);\n if (!parsedJWT) {\n return null;\n }\n return parsedJWT.payload as T;\n }\n\n async getUserInfo<T>(\n accessToken: string,\n idToken: string | null,\n ): Promise<T | null> {\n if (idToken) {\n return this.extractUserFromIdToken<T>(idToken);\n }\n\n const userInfo = await fetch(this.endpoints.userinfo, {\n headers: { Authorization: `Bearer ${accessToken}` },\n });\n return userInfo.json() as T;\n }\n}\n","import {\n AuthSessionService,\n DisplayMode,\n UserInfoService,\n SessionData,\n OIDCTokenResponseBody,\n UnknownObject,\n Endpoints,\n User,\n} from \"../types\";\nimport { UserInfoServiceImpl } from \"./UserInfoService\";\nimport { OAuth2Client, generateCodeVerifier } from \"oslo/oauth2\";\nimport * as jose from \"jose\";\nimport {\n displayModeFromState,\n generateState,\n getIssuerVariations,\n getOauthEndpoints,\n} from \"@/lib/oauth\";\nimport { isPopupBlocked } from \"@/utils\";\n\nexport type StorageInterface = {\n get(): SessionData;\n getUser(): User<UnknownObject> | null;\n set(data: Partial<SessionData>): void;\n setUser(data: User<UnknownObject> | null): void;\n clear(): void;\n};\n\nexport class AuthSessionServiceImpl implements AuthSessionService {\n private endpoints: Endpoints | undefined;\n private oauth2Client: OAuth2Client | undefined;\n private userInfoService: UserInfoService | undefined;\n private codeVerifier: string | undefined = undefined;\n private refreshTokenTimeout: NodeJS.Timeout | null = null;\n\n constructor(\n readonly clientId: string,\n readonly redirectUrl: string,\n readonly oauthServer: string,\n readonly inputEndpoints?: Partial<Endpoints> | undefined,\n ) {\n this.codeVerifier = this.getCodeVerifier();\n this.endpoints = inputEndpoints as Endpoints;\n }\n\n protected getCodeVerifier(): string {\n return generateCodeVerifier();\n }\n\n public async getUserInfoService(): Promise<UserInfoService> {\n if (this.userInfoService) {\n return this.userInfoService;\n }\n const endpoints = await this.getEndpoints();\n\n this.userInfoService = new UserInfoServiceImpl(endpoints);\n return this.userInfoService;\n }\n\n protected async getEndpoints(): Promise<Endpoints> {\n if (this.endpoints?.auth) {\n return this.endpoints;\n }\n const jwksEndpoints = await getOauthEndpoints(this.oauthServer);\n return this.endpoints\n ? { ...this.endpoints, ...jwksEndpoints }\n : jwksEndpoints;\n }\n\n protected async getOauth2Client() {\n if (this.oauth2Client) {\n return this.oauth2Client;\n }\n const endpoints = await this.getEndpoints();\n this.oauth2Client = new OAuth2Client(\n this.clientId,\n endpoints.auth,\n endpoints.token,\n // this\n { redirectURI: this.redirectUrl },\n );\n return this.oauth2Client;\n }\n\n getSessionData(): SessionData {\n return JSON.parse(\n localStorage.getItem(`civic-auth:${this.clientId}`) || \"{}\",\n ) as SessionData;\n }\n\n updateSessionData(data: Partial<SessionData>): void {\n localStorage.setItem(\n `civic-auth:${this.clientId}`,\n JSON.stringify({ ...data }),\n );\n }\n\n getUser(): User<UnknownObject> | null {\n return JSON.parse(\n localStorage.getItem(`civic-auth:${this.clientId}:user`) || \"{}\",\n ) as User<UnknownObject>;\n }\n\n setUser(data: User<UnknownObject> | null): void {\n localStorage.setItem(\n `civic-auth:${this.clientId}:user`,\n JSON.stringify(data === null ? {} : data),\n );\n }\n\n clearSessionData(): void {\n localStorage.setItem(`civic-auth:${this.clientId}`, JSON.stringify({}));\n }\n\n async getAuthorizationUrlWithChallenge(\n state: string,\n scopes: string[],\n ): Promise<URL> {\n const oauth2Client = await this.getOauth2Client();\n if (this.endpoints?.challenge) {\n const challenge = await fetch(this.endpoints.challenge).then((res) =>\n res.json().then((data) => data.challenge),\n );\n const oAuthUrl = await oauth2Client.createAuthorizationURL({\n state,\n scopes,\n });\n oAuthUrl.searchParams.append(\"code_challenge\", challenge);\n oAuthUrl.searchParams.append(\"code_challenge_method\", \"S256\");\n return oAuthUrl;\n }\n const oAuthUrl = await oauth2Client.createAuthorizationURL({\n state,\n codeVerifier: this.codeVerifier,\n codeChallengeMethod: \"S256\",\n scopes,\n });\n return oAuthUrl;\n }\n async getAuthorizationUrl(\n scopes: string[],\n displayMode: DisplayMode,\n nonce?: string,\n ): Promise<string> {\n const state = generateState(displayMode);\n const existingSessionData = this.getSessionData();\n this.updateSessionData({\n ...existingSessionData,\n codeVerifier: this.codeVerifier,\n displayMode,\n });\n const oAuthUrl = await this.getAuthorizationUrlWithChallenge(state, scopes);\n if (nonce) {\n // nonce isn't supported by oslo, so we add it manually\n oAuthUrl.searchParams.append(\"nonce\", nonce);\n }\n oAuthUrl.searchParams.append(\"prompt\", \"consent\");\n return oAuthUrl.toString();\n }\n\n // TODO fix the Window reference\n loadAuthorizationUrl(authorizationURL: string, displayMode: DisplayMode) {\n switch (displayMode) {\n case \"iframe\":\n // Implement iframe logic\n break;\n case \"redirect\":\n window.location.href = authorizationURL;\n break;\n case \"new_tab\":\n window.open(authorizationURL, \"_blank\");\n break;\n case \"custom_tab\":\n // Implement custom tab logic (might require native app integration)\n break;\n }\n }\n\n async init(): Promise<void> {\n this.updateSessionData({ authenticated: false });\n }\n\n determineDisplayMode(displayMode: DisplayMode): DisplayMode {\n // If popups are blocked and we're in iframe mode, we need to override the display mode to redirect\n if (isPopupBlocked() && displayMode === \"iframe\") {\n displayMode = \"redirect\";\n }\n // TODO: Add additional checks to determine the display mode for new_mode if new tabs are blocked.\n return displayMode;\n }\n\n async signIn(\n displayMode: DisplayMode,\n scopes: string[],\n nonce: string,\n ): Promise<void> {\n const authorizationURL = await this.getAuthorizationUrl(\n scopes,\n displayMode,\n nonce,\n );\n\n this.loadAuthorizationUrl(authorizationURL, displayMode);\n }\n\n async tokenExchange(responseUrl: string): Promise<SessionData> {\n let session = this.getSessionData();\n\n if (!session.authenticated) {\n const url = new URL(responseUrl);\n const authorizationCode = url.searchParams.get(\"code\");\n const returnedState = url.searchParams.get(\"state\");\n if (!authorizationCode || !returnedState) {\n throw new Error(\"Invalid authorization response\");\n }\n const codeVerifier = session.codeVerifier;\n const oauth2Client = await this.getOauth2Client();\n const tokens =\n await oauth2Client.validateAuthorizationCode<OIDCTokenResponseBody>(\n authorizationCode,\n {\n codeVerifier,\n },\n );\n\n // Validate relevant tokens\n try {\n await this.validateTokens(tokens);\n } catch (error) {\n console.error(\"tokenExchange tokens\", { error, tokens });\n throw new Error(\n `OIDC tokens validation failed: ${(error as Error).message}`,\n );\n }\n const parsedDisplayMode = displayModeFromState(\n returnedState,\n session.displayMode,\n );\n // Update session with authentication result\n session = {\n ...session,\n displayMode: parsedDisplayMode,\n idToken: tokens.id_token,\n authenticated: true,\n state: returnedState,\n accessToken: tokens.access_token,\n refreshToken: tokens.refresh_token,\n timestamp: Date.now(),\n expiresIn: tokens.expires_in,\n };\n this.updateSessionData(session);\n const user = await (\n await this.getUserInfoService()\n ).getUserInfo(tokens.access_token, tokens.id_token || null);\n this.setUser(user);\n }\n\n // Set up automatic token refresh\n this.setupTokenRefresh(session);\n\n if (session.displayMode === \"new_tab\") {\n // Close the popup window\n window.close();\n } else if (session.displayMode === \"redirect\") {\n // TODO: Determine if there is anything additional to do here\n }\n return session;\n }\n\n private setupTokenRefresh(session: SessionData): void {\n if (this.refreshTokenTimeout) {\n clearTimeout(this.refreshTokenTimeout);\n }\n\n if (session.expiresIn) {\n // Calculate remaining time by subtracting elapsed time from total expiration time\n const elapsedTime = Date.now() - (session.timestamp || 0);\n const remainingTime = session.expiresIn * 1000 - elapsedTime;\n // Refresh the token 1 minute before it expires\n const refreshTime = Math.max(0, remainingTime - 60000);\n\n this.refreshTokenTimeout = setTimeout(() => {\n this.refreshToken()\n .then((newSession) => {\n console.log(\"Token refreshed successfully\", newSession);\n })\n .catch((error) => {\n console.error(\"Failed to refresh token:\", error);\n // Handle the error (e.g., log out the user or retry)\n // TODO this should be replaced by the real logout once it is available\n this.updateSessionData({});\n });\n }, refreshTime);\n }\n }\n\n async refreshToken(): Promise<SessionData> {\n const sessionData = this.getSessionData();\n if (!sessionData.refreshToken) {\n throw new Error(\"No refresh token available\");\n }\n const oauth2Client = await this.getOauth2Client();\n const tokens = await oauth2Client.refreshAccessToken<OIDCTokenResponseBody>(\n sessionData.refreshToken,\n );\n\n // Update session data\n const session = {\n ...sessionData,\n idToken: tokens.id_token,\n authenticated: true,\n accessToken: tokens.access_token,\n refreshToken: tokens.refresh_token,\n timestamp: Date.now(),\n expiresIn: tokens.expires_in,\n };\n this.updateSessionData(session);\n\n // Schedule next automatic refresh\n this.setupTokenRefresh(session);\n\n return session;\n }\n\n async getUserInfo<T extends UnknownObject>(): Promise<User<T> | null> {\n const sessionData = this.getSessionData();\n if (!sessionData.accessToken) {\n throw new Error(\"No access token available\");\n }\n const userInfoService = await this.getUserInfoService();\n return userInfoService.getUserInfo<T>(\n sessionData.accessToken,\n sessionData.idToken || null,\n );\n }\n\n /**\n * Uses the jose library to validate a JWT token using the OAuth JWKS endpoint\n * @param {string} token\n * @returns {Promise<jose.JWTPayload>}\n * @throws {Error} if the token is invalid\n */\n async validateTokens(\n tokens: OIDCTokenResponseBody,\n ): Promise<\n Record<\"idToken\" | \"accessToken\" | \"refreshToken\", jose.JWTPayload | string>\n > {\n const endpoints = await this.getEndpoints();\n const JWKS = jose.createRemoteJWKSet(new URL(endpoints.jwks));\n const returnPayload: Record<string, jose.JWTPayload | string> = {};\n // const payload = {};\n // validate the ID token\n console.log(\"issuer\", getIssuerVariations(this.oauthServer));\n const idTokenResponse = await jose.jwtVerify(tokens.id_token, JWKS, {\n issuer: getIssuerVariations(this.oauthServer),\n audience: this.clientId,\n });\n returnPayload.idToken = idTokenResponse.payload;\n // validate the access token\n const accessTokenResponse = await jose.jwtVerify(\n tokens.access_token,\n JWKS,\n {\n issuer: getIssuerVariations(this.oauthServer),\n },\n );\n returnPayload.accessToken = accessTokenResponse.payload;\n\n if (tokens.refresh_token) {\n returnPayload.refreshToken = tokens.refresh_token;\n }\n return returnPayload;\n }\n\n async validateExistingSession(): Promise<SessionData> {\n const sessionData = this.getSessionData();\n try {\n if (!sessionData.idToken || !sessionData.accessToken) {\n const unAuthenticatedSession = { ...sessionData, authenticated: false };\n this.updateSessionData(unAuthenticatedSession);\n return unAuthenticatedSession;\n }\n await this.validateTokens({\n id_token: sessionData.idToken as string,\n access_token: sessionData.accessToken as string,\n refresh_token: sessionData.refreshToken as string,\n });\n sessionData.authenticated = true;\n return sessionData;\n } catch (error) {\n console.warn(\"Failed to validate existing tokens\", error);\n const unAuthenticatedSession = {\n authenticated: false,\n };\n this.updateSessionData(unAuthenticatedSession);\n return unAuthenticatedSession;\n }\n }\n}\n","import { DisplayMode, Endpoints, OpenIdConfiguration } from \"@/types\";\nimport { v4 as uuid } from \"uuid\";\n\nconst getIssuerVariations = (issuer: string): string[] => {\n const issuerWithoutSlash = issuer.endsWith(\"/\")\n ? issuer.slice(0, issuer.length - 1)\n : issuer;\n\n const issuerWithSlash = `${issuerWithoutSlash}/`;\n\n return [issuerWithoutSlash, issuerWithSlash];\n};\n\nconst addSlashIfNeeded = (url: string): string =>\n url.endsWith(\"/\") ? url : `${url}/`;\n\nconst getOauthEndpoints = async (oauthServer: string): Promise<Endpoints> => {\n const openIdConfigResponse = await fetch(\n `${addSlashIfNeeded(oauthServer)}.well-known/openid-configuration`,\n );\n const openIdConfig =\n (await openIdConfigResponse.json()) as OpenIdConfiguration;\n return {\n jwks: openIdConfig.jwks_uri,\n auth: openIdConfig.authorization_endpoint,\n token: openIdConfig.token_endpoint,\n userinfo: openIdConfig.userinfo_endpoint,\n };\n};\n\n/**\n * creates a state string for the OAuth2 flow, encoding the display mode too for future use\n * @param {DisplayMode} displayMode\n * @returns {string}\n */\nconst generateState = (displayMode: DisplayMode): string => {\n const jsonString = JSON.stringify({\n uuid: uuid(),\n displayMode,\n });\n\n return btoa(jsonString);\n};\n\n/**\n * parses the state string from the OAuth2 flow, decoding the display mode too\n * @param state\n * @returns { uuid: string, displayMode: DisplayMode }\n */\nconst displayModeFromState = (\n state: string,\n sessionDisplayMode: DisplayMode | undefined,\n): DisplayMode | undefined => {\n try {\n const jsonString = btoa(state);\n\n return JSON.parse(jsonString).displayMode;\n } catch (e) {\n console.error(\"Failed to parse displayMode from state:\", e);\n\n return sessionDisplayMode;\n }\n};\n\nexport {\n getIssuerVariations,\n getOauthEndpoints,\n displayModeFromState,\n generateState,\n};\n","import { clsx, type ClassValue } from \"clsx\";\nimport { twMerge } from \"tailwind-merge\";\n\n/**\n * Checks if a popup window is blocked by the browser.\n *\n * This function attempts to open a small popup window and then checks if it was successfully created.\n * If the popup is blocked by the browser, the function returns `true`. Otherwise, it returns `false`.\n *\n * @returns {boolean} - `true` if the popup is blocked, `false` otherwise.\n */\nconst isPopupBlocked = (): boolean => {\n // First we try to open a small popup window. It either returns a window object or null.\n const popup = window.open(\"\", \"\", \"width=1,height=1\");\n\n // If window.open() returns null, popup is definitely blocked\n if (!popup) {\n return true;\n }\n\n try {\n // Try to access a property of the popup to check if it's usable\n if (typeof popup.closed === \"undefined\") {\n throw new Error(\"Popup is blocked\");\n }\n } catch {\n // Accessing the popup's properties throws an error if the popup is blocked\n return true;\n }\n\n // Close the popup immediately if it was opened\n popup.close();\n return false;\n};\n\nconst cn = (...inputs: ClassValue[]) => {\n return twMerge(clsx(inputs));\n};\n\nexport { cn, isPopupBlocked };\n","\"use server\";\nimport { SessionData, UnknownObject, User } from \"@/types\";\nimport { NextResponse } from \"next/server\";\nimport { AuthConfig } from \"./config\";\n\n/**\n * Creates secure HTTP-only cookies for authentication tokens\n */\nconst createSecureTokenCookies = (\n response: NextResponse,\n sessionData: SessionData,\n config: AuthConfig,\n) => {\n const maxAge = sessionData.expiresIn ?? 3600;\n const cookieOptions = {\n ...config.cookies?.tokens,\n maxAge,\n };\n\n if (sessionData.accessToken) {\n response.cookies.set(\"access_token\", sessionData.accessToken, {\n ...cookieOptions,\n httpOnly: true,\n });\n }\n\n if (sessionData.idToken) {\n response.cookies.set(\"id_token\", sessionData.idToken, {\n ...cookieOptions,\n httpOnly: true,\n });\n }\n\n if (sessionData.refreshToken) {\n response.cookies.set(\"refresh_token\", sessionData.refreshToken, {\n ...cookieOptions,\n httpOnly: true,\n });\n }\n};\n\n/**\n * Creates a client-readable cookie with user info\n */\nconst createUserInfoCookie = (\n response: NextResponse,\n user: User<UnknownObject> | null,\n sessionData: SessionData,\n config: AuthConfig,\n) => {\n if (!user) {\n response.cookies.set(\"user\", \"\", {\n ...config.cookies?.user,\n maxAge: 0,\n });\n return;\n }\n const maxAge = sessionData.expiresIn ?? 3600;\n\n // TODO select fields to include in the user cookie\n const frontendUser = {\n ...user,\n };\n\n // TODO make call to get user info from the\n // auth server /userinfo endpoint when it's available\n // then add to the default claims above\n\n response.cookies.set(\"user\", JSON.stringify(frontendUser), {\n ...config.cookies?.user,\n maxAge,\n });\n};\n\n/**\n * Clears all authentication cookies\n */\nconst clearAuthCookies = (response: NextResponse, config: AuthConfig) => {\n const clearOptions = {\n ...config.cookies?.tokens,\n maxAge: 0,\n };\n\n response.cookies.set(\"access_token\", \"\", clearOptions);\n response.cookies.set(\"id_token\", \"\", clearOptions);\n response.cookies.set(\"refresh_token\", \"\", clearOptions);\n response.cookies.set(\"codeVerifier\", \"\", clearOptions);\n response.cookies.set(\"user\", \"\", {\n ...config.cookies?.user,\n maxAge: 0,\n });\n};\n\nexport { createSecureTokenCookies, createUserInfoCookie, clearAuthCookies };\n","/**\n * Used on the server-side to get the user object from the cookie\n */\nimport { cookies } from \"next/headers.js\";\nimport { UnknownObject, User } from \"../types\";\n\nexport const getUser = (): User<UnknownObject> | null => {\n // TODO validate the token?\n const user = cookies().get(\"user\")?.value;\n if (!user) return null;\n return JSON.parse(user);\n};\n","\"use server\";\n/**\n * Authenticates the user on all requests by checking the token cookie\n *\n * Usage:\n * Option 1: use if no other middleware (e.g. no next-intl etc)\n * export default authMiddleware();\n *\n * Option 2: use if other middleware is needed - default auth config\n * export default withAuth((request) => {\n * console.log('in custom middleware', request.nextUrl.pathname);\n * return NextResponse.next();\n * })\n *\n * Option 3: use if other middleware is needed - specifying auth config\n * const withCivicAuth = auth({ loginUrl: '/login', include: ['/[.*]/user'] })\n * export default withCivicAuth((request) => {\n * console.log('in custom middleware', request.url);\n * return NextResponse.next();\n * })\n *\n */\nimport { NextRequest, NextResponse } from \"next/server.js\";\nimport picomatch from \"picomatch\";\nimport {\n AuthConfig,\n defaultAuthConfig,\n resolveAuthConfig,\n} from \"@/nextjs/config.js\";\n\ntype Middleware = (\n request: NextRequest,\n) => Promise<NextResponse> | NextResponse;\n\n// Matches globs:\n// Examples:\n// /user\n// /user/*\n// /user/**/info\nconst matchGlob = (pathname: string, globPattern: string) => {\n const matches = picomatch(globPattern);\n return matches(pathname);\n};\n\n// Matches globs:\n// Examples:\n// /user\n// /user/*\n// /user/**/info\nconst matchesGlobs = (pathname: string, patterns: string[]) =>\n patterns.some((pattern) => {\n if (!pattern) return false;\n console.log(\"matching\", {\n pattern,\n pathname,\n match: matchGlob(pathname, pattern),\n });\n return matchGlob(pathname, pattern);\n });\n\n// internal - used by all exported functions\nconst applyAuth = async (\n authConfig: AuthConfig,\n request: NextRequest,\n): Promise<NextResponse | undefined> => {\n const authConfigWithDefaults = resolveAuthConfig(authConfig);\n\n // Check for any valid auth token\n const isAuthenticated = !!request.cookies.get(\"id_token\");\n\n // skip auth check for login url\n if (request.nextUrl.pathname === authConfigWithDefaults.loginUrl) {\n console.log(\"→ Skipping auth check - this is the login URL\");\n return undefined;\n }\n\n if (!matchesGlobs(request.nextUrl.pathname, authConfigWithDefaults.include)) {\n console.log(\"→ Skipping auth check - path not in include patterns\");\n return undefined;\n }\n\n if (matchesGlobs(request.nextUrl.pathname, authConfigWithDefaults.exclude)) {\n console.log(\"→ Skipping auth check - path in exclude patterns\");\n return undefined;\n }\n\n // Check for either token type\n if (!isAuthenticated) {\n console.log(\"→ No valid token found - redirecting to login\");\n const loginUrl = new URL(authConfigWithDefaults.loginUrl, request.url);\n return NextResponse.redirect(loginUrl);\n }\n\n console.log(\"→ Auth check passed\");\n return undefined;\n};\n\n/**\n *\n * Use this when auth is the only middleware you need.\n * Usage:\n *\n * export default authMiddleware({ loginUrl = '/login' }); // or just authMiddleware();\n *\n */\nexport const authMiddleware =\n (authConfig = defaultAuthConfig) =>\n async (request: NextRequest): Promise<NextResponse> => {\n const response = await applyAuth(authConfig, request);\n if (response) return response;\n\n // NextJS doesn't do middleware chaining yet, so this does not mean\n // \"call the next middleware\" - it means \"continue to the route handler\"\n return NextResponse.next();\n };\n\n/**\n * Usage:\n *\n * export default withAuth(async (request) => {\n * console.log('my middleware');\n * return NextResponse.next();\n * })\n */\n// use this when you have your own middleware to chain\nexport function withAuth(\n middleware: Middleware,\n): (request: NextRequest) => Promise<NextResponse> {\n return async (request: NextRequest): Promise<NextResponse> => {\n const response = await applyAuth({}, request);\n if (response) return response;\n return middleware(request);\n };\n}\n\n/**\n * Use this when you want to configure the middleware here (an alternative is to do it in the next.config file)\n *\n * Usage:\n *\n * const withAuth = auth({ loginUrl = '/login' }); // or just auth();\n *\n * export default withAuth(async (request) => {\n * console.log('my middleware');\n * return NextResponse.next();\n * })\n *\n */\nexport function auth(authConfig: AuthConfig = {}) {\n return (\n middleware: Middleware,\n ): ((request: NextRequest) => Promise<NextResponse>) => {\n return async (request: NextRequest): Promise<NextResponse> => {\n const response = await applyAuth(authConfig, request);\n if (response) return response;\n return middleware(request);\n };\n };\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAAA,OAAO,WAAW;AAElB,IAAM,eAAe;AASrB,IAAM,cAAN,MAAoC;AAAA,EAMlC,YAAY,WAAmB;AAE7B,SAAK,cAAc,MAAM,GAAG,YAAY,IAAI,SAAS,QAAQ;AAC7D,SAAK,aAAa,MAAM,GAAG,YAAY,IAAI,SAAS,OAAO;AAC3D,SAAK,aAAa,MAAM,GAAG,YAAY,IAAI,SAAS,OAAO;AAC3D,SAAK,cAAc,MAAM,GAAG,YAAY,IAAI,SAAS,QAAQ;AAE7D,SAAK,YAAY,QAAQ;AACzB,SAAK,WAAW,QAAQ;AACxB,SAAK,WAAW,QAAQ;AACxB,SAAK,YAAY,QAAQ;AAAA,EAC3B;AAAA,EAEA,MAAM,YAAoB,MAAuB;AAC/C,SAAK,YAAY,SAAS,GAAG,IAAI;AAAA,EACnC;AAAA,EAEA,KAAK,YAAoB,MAAuB;AAC9C,SAAK,WAAW,SAAS,GAAG,IAAI;AAAA,EAClC;AAAA,EAEA,KAAK,YAAoB,MAAuB;AAC9C,SAAK,WAAW,SAAS,GAAG,IAAI;AAAA,EAClC;AAAA,EAEA,MAAM,YAAoB,MAAuB;AAC/C,SAAK,YAAY,SAAS,GAAG,IAAI;AAAA,EACnC;AACF;AAEO,IAAM,eAAe,CAAC,cAC3B,IAAI,YAAY,SAAS;AAGpB,IAAM,UAAU;AAAA;AAAA,EAErB,QAAQ;AAAA,IACN,QAAQ,aAAa,YAAY;AAAA,IACjC,YAAY,aAAa,gBAAgB;AAAA,IACzC,UAAU;AAAA,MACR,MAAM,aAAa,mBAAmB;AAAA,IACxC;AAAA,EACF;AAAA;AAAA,EAEA,OAAO;AAAA,IACL,YAAY,aAAa,kBAAkB;AAAA,IAC3C,OAAO,aAAa,aAAa;AAAA,IACjC,SAAS,aAAa,eAAe;AAAA,EACvC;AAAA;AAAA,EAEA,UAAU;AAAA,IACR,YAAY,aAAa,kBAAkB;AAAA,IAC3C,SAAS,aAAa,eAAe;AAAA,EACvC;AACF;;;AClEA,IAAM,SAAS,QAAQ,OAAO,SAAS;AAgChC,IAAM,oBAA8D;AAAA,EACzE,aAAa;AAAA,EACb,aAAa;AAAA,EACb,cAAc;AAAA,EACd,WAAW;AAAA,EACX,UAAU;AAAA,EACV,SAAS,CAAC,IAAI;AAAA,EACd,SAAS,CAAC;AAAA,EACV,SAAS;AAAA,IACP,QAAQ;AAAA,MACN,UAAU;AAAA,MACV,MAAM;AAAA,MACN,QAAQ,KAAK;AAAA;AAAA,IACf;AAAA,IACA,MAAM;AAAA,MACJ,UAAU;AAAA,MACV,MAAM;AAAA,MACN,QAAQ,KAAK;AAAA;AAAA,IACf;AAAA,EACF;AACF;AAEA,IAAM,mBAAmB,CACvB,QACe;AACf,QAAM,SAAqB,CAAC;AAC5B,aAAW,OAAO,KAAK;AACrB,QAAI,IAAI,GAAG,MAAM,QAAW;AAC1B,aAAO,GAAG,IAAI,IAAI,GAAG;AAAA,IACvB;AAAA,EACF;AACA,SAAO;AACT;AAmBO,IAAM,oBAAoB,CAC/B,SAAqB,CAAC,MAC4B;AA1FpD;AA4FE,QAAM,gBAAgB,iBAAiB;AAAA,IACrC,UAAU,QAAQ,IAAI;AAAA,IACtB,aAAa,QAAQ,IAAI;AAAA,IACzB,aAAa,QAAQ,IAAI;AAAA,IACzB,UAAU,QAAQ,IAAI;AAAA,IACtB,WAAW,QAAQ,IAAI;AAAA,IACvB,UAAS,aAAQ,IAAI,yBAAZ,mBAAkC,MAAM;AAAA,IACjD,UAAS,aAAQ,IAAI,yBAAZ,mBAAkC,MAAM;AAAA,IACjD,SAAS,QAAQ,IAAI,4BACjB,KAAK,MAAM,QAAQ,IAAI,yBAAyB,IAChD;AAAA,EACN,CAAC;AAED,QAAM,eAAe,+DAChB,oBACA,gBACA,SAHgB;AAAA;AAAA,IAInB,SAAS;AAAA,MACP,QAAQ,kCACH,kBAAkB,QAAQ,WACzB,YAAO,YAAP,mBAAgB,WAAU,CAAC;AAAA,MAEjC,MAAM,kCACD,kBAAkB,QAAQ,SACzB,YAAO,YAAP,mBAAgB,SAAQ,CAAC;AAAA,IAEjC;AAAA,EACF;AAEA,SAAO,MAAM,4BAA4B,aAAa;AACtD,SAAO,MAAM,oBAAoB,YAAY;AAC7C,MAAI,aAAa,aAAa,QAAW;AACvC,UAAM,IAAI,MAAM,kCAAkC;AAAA,EACpD;AACA,SAAO;AACT;AAyBO,IAAM,wBAAwB,CACnC,UACA,aAAyB,CAAC,MACvB;AACH,SAAO,CAAC,eAA4B;AAClC,UAAM,iBAAiB,kBAAkB,iCAAK,aAAL,EAAiB,SAAS,EAAC;AACpE,WAAO,iCACF,aADE;AAAA,MAEL,KAAK,iCACA,yCAAY,MADZ;AAAA;AAAA,QAGH,uBAAuB;AAAA,QACvB,qBAAqB,eAAe;AAAA,QACpC,0BAA0B,eAAe;AAAA,QACzC,uBAAuB,eAAe;AAAA,QACtC,wBAAwB,eAAe;AAAA,QACvC,sBAAsB,eAAe,QAAQ,KAAK,GAAG;AAAA,QACrD,sBAAsB,eAAe,QAAQ,KAAK,GAAG;AAAA,QACrD,2BAA2B,KAAK,UAAU,eAAe,OAAO;AAAA,MAClE;AAAA,IACF;AAAA,EACF;AACF;;;AC7KA,SAAsB,oBAAoB;AAC1C,SAAS,sBAAsB;;;ACD/B,SAAS,eAAe;;;ACAxB,SAAS,gBAAgB;AAElB,IAAM,sBAAN,MAAqD;AAAA,EAC1D,YAAoB,WAAsB;AAAtB;AAAA,EAAuB;AAAA,EAE3C,uBAA0B,SAA2B;AACnD,UAAM,YAAY,SAAS,OAAO;AAClC,QAAI,CAAC,WAAW;AACd,aAAO;AAAA,IACT;AACA,WAAO,UAAU;AAAA,EACnB;AAAA,EAEM,YACJ,aACA,SACmB;AAAA;AACnB,UAAI,SAAS;AACX,eAAO,KAAK,uBAA0B,OAAO;AAAA,MAC/C;AAEA,YAAM,WAAW,MAAM,MAAM,KAAK,UAAU,UAAU;AAAA,QACpD,SAAS,EAAE,eAAe,UAAU,WAAW,GAAG;AAAA,MACpD,CAAC;AACD,aAAO,SAAS,KAAK;AAAA,IACvB;AAAA;AACF;;;AChBA,SAAS,cAAc,4BAA4B;AACnD,YAAY,UAAU;;;ACXtB,SAAS,MAAM,YAAY;AAE3B,IAAM,sBAAsB,CAAC,WAA6B;AACxD,QAAM,qBAAqB,OAAO,SAAS,GAAG,IAC1C,OAAO,MAAM,GAAG,OAAO,SAAS,CAAC,IACjC;AAEJ,QAAM,kBAAkB,GAAG,kBAAkB;AAE7C,SAAO,CAAC,oBAAoB,eAAe;AAC7C;AAEA,IAAM,mBAAmB,CAAC,QACxB,IAAI,SAAS,GAAG,IAAI,MAAM,GAAG,GAAG;AAElC,IAAM,oBAAoB,CAAO,gBAA4C;AAC3E,QAAM,uBAAuB,MAAM;AAAA,IACjC,GAAG,iBAAiB,WAAW,CAAC;AAAA,EAClC;AACA,QAAM,eACH,MAAM,qBAAqB,KAAK;AACnC,SAAO;AAAA,IACL,MAAM,aAAa;AAAA,IACnB,MAAM,aAAa;AAAA,IACnB,OAAO,aAAa;AAAA,IACpB,UAAU,aAAa;AAAA,EACzB;AACF;AAOA,IAAM,gBAAgB,CAAC,gBAAqC;AAC1D,QAAM,aAAa,KAAK,UAAU;AAAA,IAChC,MAAM,KAAK;AAAA,IACX;AAAA,EACF,CAAC;AAED,SAAO,KAAK,UAAU;AACxB;AAOA,IAAM,uBAAuB,CAC3B,OACA,uBAC4B;AAC5B,MAAI;AACF,UAAM,aAAa,KAAK,KAAK;AAE7B,WAAO,KAAK,MAAM,UAAU,EAAE;AAAA,EAChC,SAAS,GAAG;AACV,YAAQ,MAAM,2CAA2C,CAAC;AAE1D,WAAO;AAAA,EACT;AACF;;;AC9DA,SAAS,YAA6B;AACtC,SAAS,eAAe;AAUxB,IAAM,iBAAiB,MAAe;AAEpC,QAAM,QAAQ,OAAO,KAAK,IAAI,IAAI,kBAAkB;AAGpD,MAAI,CAAC,OAAO;AACV,WAAO;AAAA,EACT;AAEA,MAAI;AAEF,QAAI,OAAO,MAAM,WAAW,aAAa;AACvC,YAAM,IAAI,MAAM,kBAAkB;AAAA,IACpC;AAAA,EACF,SAAQ;AAEN,WAAO;AAAA,EACT;AAGA,QAAM,MAAM;AACZ,SAAO;AACT;;;AFJO,IAAM,yBAAN,MAA2D;AAAA,EAOhE,YACW,UACA,aACA,aACA,gBACT;AAJS;AACA;AACA;AACA;AAPX,SAAQ,eAAmC;AAC3C,SAAQ,sBAA6C;AAQnD,SAAK,eAAe,KAAK,gBAAgB;AACzC,SAAK,YAAY;AAAA,EACnB;AAAA,EAEU,kBAA0B;AAClC,WAAO,qBAAqB;AAAA,EAC9B;AAAA,EAEa,qBAA+C;AAAA;AAC1D,UAAI,KAAK,iBAAiB;AACxB,eAAO,KAAK;AAAA,MACd;AACA,YAAM,YAAY,MAAM,KAAK,aAAa;AAE1C,WAAK,kBAAkB,IAAI,oBAAoB,SAAS;AACxD,aAAO,KAAK;AAAA,IACd;AAAA;AAAA,EAEgB,eAAmC;AAAA;AA5DrD;AA6DI,WAAI,UAAK,cAAL,mBAAgB,MAAM;AACxB,eAAO,KAAK;AAAA,MACd;AACA,YAAM,gBAAgB,MAAM,kBAAkB,KAAK,WAAW;AAC9D,aAAO,KAAK,YACR,kCAAK,KAAK,YAAc,iBACxB;AAAA,IACN;AAAA;AAAA,EAEgB,kBAAkB;AAAA;AAChC,UAAI,KAAK,cAAc;AACrB,eAAO,KAAK;AAAA,MACd;AACA,YAAM,YAAY,MAAM,KAAK,aAAa;AAC1C,WAAK,eAAe,IAAI;AAAA,QACtB,KAAK;AAAA,QACL,UAAU;AAAA,QACV,UAAU;AAAA;AAAA,QAEV,EAAE,aAAa,KAAK,YAAY;AAAA,MAClC;AACA,aAAO,KAAK;AAAA,IACd;AAAA;AAAA,EAEA,iBAA8B;AAC5B,WAAO,KAAK;AAAA,MACV,aAAa,QAAQ,cAAc,KAAK,QAAQ,EAAE,KAAK;AAAA,IACzD;AAAA,EACF;AAAA,EAEA,kBAAkB,MAAkC;AAClD,iBAAa;AAAA,MACX,cAAc,KAAK,QAAQ;AAAA,MAC3B,KAAK,UAAU,mBAAK,KAAM;AAAA,IAC5B;AAAA,EACF;AAAA,EAEA,UAAsC;AACpC,WAAO,KAAK;AAAA,MACV,aAAa,QAAQ,cAAc,KAAK,QAAQ,OAAO,KAAK;AAAA,IAC9D;AAAA,EACF;AAAA,EAEA,QAAQ,MAAwC;AAC9C,iBAAa;AAAA,MACX,cAAc,KAAK,QAAQ;AAAA,MAC3B,KAAK,UAAU,SAAS,OAAO,CAAC,IAAI,IAAI;AAAA,IAC1C;AAAA,EACF;AAAA,EAEA,mBAAyB;AACvB,iBAAa,QAAQ,cAAc,KAAK,QAAQ,IAAI,KAAK,UAAU,CAAC,CAAC,CAAC;AAAA,EACxE;AAAA,EAEM,iCACJ,OACA,QACc;AAAA;AAtHlB;AAuHI,YAAM,eAAe,MAAM,KAAK,gBAAgB;AAChD,WAAI,UAAK,cAAL,mBAAgB,WAAW;AAC7B,cAAM,YAAY,MAAM,MAAM,KAAK,UAAU,SAAS,EAAE;AAAA,UAAK,CAAC,QAC5D,IAAI,KAAK,EAAE,KAAK,CAAC,SAAS,KAAK,SAAS;AAAA,QAC1C;AACA,cAAMA,YAAW,MAAM,aAAa,uBAAuB;AAAA,UACzD;AAAA,UACA;AAAA,QACF,CAAC;AACD,QAAAA,UAAS,aAAa,OAAO,kBAAkB,SAAS;AACxD,QAAAA,UAAS,aAAa,OAAO,yBAAyB,MAAM;AAC5D,eAAOA;AAAA,MACT;AACA,YAAM,WAAW,MAAM,aAAa,uBAAuB;AAAA,QACzD;AAAA,QACA,cAAc,KAAK;AAAA,QACnB,qBAAqB;AAAA,QACrB;AAAA,MACF,CAAC;AACD,aAAO;AAAA,IACT;AAAA;AAAA,EACM,oBACJ,QACA,aACA,OACiB;AAAA;AACjB,YAAM,QAAQ,cAAc,WAAW;AACvC,YAAM,sBAAsB,KAAK,eAAe;AAChD,WAAK,kBAAkB,iCAClB,sBADkB;AAAA,QAErB,cAAc,KAAK;AAAA,QACnB;AAAA,MACF,EAAC;AACD,YAAM,WAAW,MAAM,KAAK,iCAAiC,OAAO,MAAM;AAC1E,UAAI,OAAO;AAET,iBAAS,aAAa,OAAO,SAAS,KAAK;AAAA,MAC7C;AACA,eAAS,aAAa,OAAO,UAAU,SAAS;AAChD,aAAO,SAAS,SAAS;AAAA,IAC3B;AAAA;AAAA;AAAA,EAGA,qBAAqB,kBAA0B,aAA0B;AACvE,YAAQ,aAAa;AAAA,MACnB,KAAK;AAEH;AAAA,MACF,KAAK;AACH,eAAO,SAAS,OAAO;AACvB;AAAA,MACF,KAAK;AACH,eAAO,KAAK,kBAAkB,QAAQ;AACtC;AAAA,MACF,KAAK;AAEH;AAAA,IACJ;AAAA,EACF;AAAA,EAEM,OAAsB;AAAA;AAC1B,WAAK,kBAAkB,EAAE,eAAe,MAAM,CAAC;AAAA,IACjD;AAAA;AAAA,EAEA,qBAAqB,aAAuC;AAE1D,QAAI,eAAe,KAAK,gBAAgB,UAAU;AAChD,oBAAc;AAAA,IAChB;AAEA,WAAO;AAAA,EACT;AAAA,EAEM,OACJ,aACA,QACA,OACe;AAAA;AACf,YAAM,mBAAmB,MAAM,KAAK;AAAA,QAClC;AAAA,QACA;AAAA,QACA;AAAA,MACF;AAEA,WAAK,qBAAqB,kBAAkB,WAAW;AAAA,IACzD;AAAA;AAAA,EAEM,cAAc,aAA2C;AAAA;AAC7D,UAAI,UAAU,KAAK,eAAe;AAElC,UAAI,CAAC,QAAQ,eAAe;AAC1B,cAAM,MAAM,IAAI,IAAI,WAAW;AAC/B,cAAM,oBAAoB,IAAI,aAAa,IAAI,MAAM;AACrD,cAAM,gBAAgB,IAAI,aAAa,IAAI,OAAO;AAClD,YAAI,CAAC,qBAAqB,CAAC,eAAe;AACxC,gBAAM,IAAI,MAAM,gCAAgC;AAAA,QAClD;AACA,cAAM,eAAe,QAAQ;AAC7B,cAAM,eAAe,MAAM,KAAK,gBAAgB;AAChD,cAAM,SACJ,MAAM,aAAa;AAAA,UACjB;AAAA,UACA;AAAA,YACE;AAAA,UACF;AAAA,QACF;AAGF,YAAI;AACF,gBAAM,KAAK,eAAe,MAAM;AAAA,QAClC,SAAS,OAAO;AACd,kBAAQ,MAAM,wBAAwB,EAAE,OAAO,OAAO,CAAC;AACvD,gBAAM,IAAI;AAAA,YACR,kCAAmC,MAAgB,OAAO;AAAA,UAC5D;AAAA,QACF;AACA,cAAM,oBAAoB;AAAA,UACxB;AAAA,UACA,QAAQ;AAAA,QACV;AAEA,kBAAU,iCACL,UADK;AAAA,UAER,aAAa;AAAA,UACb,SAAS,OAAO;AAAA,UAChB,eAAe;AAAA,UACf,OAAO;AAAA,UACP,aAAa,OAAO;AAAA,UACpB,cAAc,OAAO;AAAA,UACrB,WAAW,KAAK,IAAI;AAAA,UACpB,WAAW,OAAO;AAAA,QACpB;AACA,aAAK,kBAAkB,OAAO;AAC9B,cAAM,OAAO,OACX,MAAM,KAAK,mBAAmB,GAC9B,YAAY,OAAO,cAAc,OAAO,YAAY,IAAI;AAC1D,aAAK,QAAQ,IAAI;AAAA,MACnB;AAGA,WAAK,kBAAkB,OAAO;AAE9B,UAAI,QAAQ,gBAAgB,WAAW;AAErC,eAAO,MAAM;AAAA,MACf,WAAW,QAAQ,gBAAgB,YAAY;AAAA,MAE/C;AACA,aAAO;AAAA,IACT;AAAA;AAAA,EAEQ,kBAAkB,SAA4B;AACpD,QAAI,KAAK,qBAAqB;AAC5B,mBAAa,KAAK,mBAAmB;AAAA,IACvC;AAEA,QAAI,QAAQ,WAAW;AAErB,YAAM,cAAc,KAAK,IAAI,KAAK,QAAQ,aAAa;AACvD,YAAM,gBAAgB,QAAQ,YAAY,MAAO;AAEjD,YAAM,cAAc,KAAK,IAAI,GAAG,gBAAgB,GAAK;AAErD,WAAK,sBAAsB,WAAW,MAAM;AAC1C,aAAK,aAAa,EACf,KAAK,CAAC,eAAe;AACpB,kBAAQ,IAAI,gCAAgC,UAAU;AAAA,QACxD,CAAC,EACA,MAAM,CAAC,UAAU;AAChB,kBAAQ,MAAM,4BAA4B,KAAK;AAG/C,eAAK,kBAAkB,CAAC,CAAC;AAAA,QAC3B,CAAC;AAAA,MACL,GAAG,WAAW;AAAA,IAChB;AAAA,EACF;AAAA,EAEM,eAAqC;AAAA;AACzC,YAAM,cAAc,KAAK,eAAe;AACxC,UAAI,CAAC,YAAY,cAAc;AAC7B,cAAM,IAAI,MAAM,4BAA4B;AAAA,MAC9C;AACA,YAAM,eAAe,MAAM,KAAK,gBAAgB;AAChD,YAAM,SAAS,MAAM,aAAa;AAAA,QAChC,YAAY;AAAA,MACd;AAGA,YAAM,UAAU,iCACX,cADW;AAAA,QAEd,SAAS,OAAO;AAAA,QAChB,eAAe;AAAA,QACf,aAAa,OAAO;AAAA,QACpB,cAAc,OAAO;AAAA,QACrB,WAAW,KAAK,IAAI;AAAA,QACpB,WAAW,OAAO;AAAA,MACpB;AACA,WAAK,kBAAkB,OAAO;AAG9B,WAAK,kBAAkB,OAAO;AAE9B,aAAO;AAAA,IACT;AAAA;AAAA,EAEM,cAAgE;AAAA;AACpE,YAAM,cAAc,KAAK,eAAe;AACxC,UAAI,CAAC,YAAY,aAAa;AAC5B,cAAM,IAAI,MAAM,2BAA2B;AAAA,MAC7C;AACA,YAAM,kBAAkB,MAAM,KAAK,mBAAmB;AACtD,aAAO,gBAAgB;AAAA,QACrB,YAAY;AAAA,QACZ,YAAY,WAAW;AAAA,MACzB;AAAA,IACF;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAQM,eACJ,QAGA;AAAA;AACA,YAAM,YAAY,MAAM,KAAK,aAAa;AAC1C,YAAM,OAAY,wBAAmB,IAAI,IAAI,UAAU,IAAI,CAAC;AAC5D,YAAM,gBAA0D,CAAC;AAGjE,cAAQ,IAAI,UAAU,oBAAoB,KAAK,WAAW,CAAC;AAC3D,YAAM,kBAAkB,MAAW,eAAU,OAAO,UAAU,MAAM;AAAA,QAClE,QAAQ,oBAAoB,KAAK,WAAW;AAAA,QAC5C,UAAU,KAAK;AAAA,MACjB,CAAC;AACD,oBAAc,UAAU,gBAAgB;AAExC,YAAM,sBAAsB,MAAW;AAAA,QACrC,OAAO;AAAA,QACP;AAAA,QACA;AAAA,UACE,QAAQ,oBAAoB,KAAK,WAAW;AAAA,QAC9C;AAAA,MACF;AACA,oBAAc,cAAc,oBAAoB;AAEhD,UAAI,OAAO,eAAe;AACxB,sBAAc,eAAe,OAAO;AAAA,MACtC;AACA,aAAO;AAAA,IACT;AAAA;AAAA,EAEM,0BAAgD;AAAA;AACpD,YAAM,cAAc,KAAK,eAAe;AACxC,UAAI;AACF,YAAI,CAAC,YAAY,WAAW,CAAC,YAAY,aAAa;AACpD,gBAAM,yBAAyB,iCAAK,cAAL,EAAkB,eAAe,MAAM;AACtE,eAAK,kBAAkB,sBAAsB;AAC7C,iBAAO;AAAA,QACT;AACA,cAAM,KAAK,eAAe;AAAA,UACxB,UAAU,YAAY;AAAA,UACtB,cAAc,YAAY;AAAA,UAC1B,eAAe,YAAY;AAAA,QAC7B,CAAC;AACD,oBAAY,gBAAgB;AAC5B,eAAO;AAAA,MACT,SAAS,OAAO;AACd,gBAAQ,KAAK,sCAAsC,KAAK;AACxD,cAAM,yBAAyB;AAAA,UAC7B,eAAe;AAAA,QACjB;AACA,aAAK,kBAAkB,sBAAsB;AAC7C,eAAO;AAAA,MACT;AAAA,IACF;AAAA;AACF;;;AGvYA,IAAM,2BAA2B,CAC/B,UACA,aACA,WACG;AAZL;AAaE,QAAM,UAAS,iBAAY,cAAZ,YAAyB;AACxC,QAAM,gBAAgB,kCACjB,YAAO,YAAP,mBAAgB,SADC;AAAA,IAEpB;AAAA,EACF;AAEA,MAAI,YAAY,aAAa;AAC3B,aAAS,QAAQ,IAAI,gBAAgB,YAAY,aAAa,iCACzD,gBADyD;AAAA,MAE5D,UAAU;AAAA,IACZ,EAAC;AAAA,EACH;AAEA,MAAI,YAAY,SAAS;AACvB,aAAS,QAAQ,IAAI,YAAY,YAAY,SAAS,iCACjD,gBADiD;AAAA,MAEpD,UAAU;AAAA,IACZ,EAAC;AAAA,EACH;AAEA,MAAI,YAAY,cAAc;AAC5B,aAAS,QAAQ,IAAI,iBAAiB,YAAY,cAAc,iCAC3D,gBAD2D;AAAA,MAE9D,UAAU;AAAA,IACZ,EAAC;AAAA,EACH;AACF;AAKA,IAAM,uBAAuB,CAC3B,UACA,MACA,aACA,WACG;AAjDL;AAkDE,MAAI,CAAC,MAAM;AACT,aAAS,QAAQ,IAAI,QAAQ,IAAI,kCAC5B,YAAO,YAAP,mBAAgB,OADY;AAAA,MAE/B,QAAQ;AAAA,IACV,EAAC;AACD;AAAA,EACF;AACA,QAAM,UAAS,iBAAY,cAAZ,YAAyB;AAGxC,QAAM,eAAe,mBAChB;AAOL,WAAS,QAAQ,IAAI,QAAQ,KAAK,UAAU,YAAY,GAAG,kCACtD,YAAO,YAAP,mBAAgB,OADsC;AAAA,IAEzD;AAAA,EACF,EAAC;AACH;AAKA,IAAM,mBAAmB,CAAC,UAAwB,WAAuB;AA7EzE;AA8EE,QAAM,eAAe,kCAChB,YAAO,YAAP,mBAAgB,SADA;AAAA,IAEnB,QAAQ;AAAA,EACV;AAEA,WAAS,QAAQ,IAAI,gBAAgB,IAAI,YAAY;AACrD,WAAS,QAAQ,IAAI,YAAY,IAAI,YAAY;AACjD,WAAS,QAAQ,IAAI,iBAAiB,IAAI,YAAY;AACtD,WAAS,QAAQ,IAAI,gBAAgB,IAAI,YAAY;AACrD,WAAS,QAAQ,IAAI,QAAQ,IAAI,kCAC5B,YAAO,YAAP,mBAAgB,OADY;AAAA,IAE/B,QAAQ;AAAA,EACV,EAAC;AACH;;;ALvEO,IAAM,+BAAN,cAA2C,uBAAuB;AAAA,EACvE,YACW,YACA,SACA,UACA,gBACT;AACA;AAAA,MACE,WAAW;AAAA,MACX,WAAW;AAAA,MACX,WAAW;AAAA,MACX;AAAA,IACF;AAVS;AACA;AACA;AACA;AAAA,EAQX;AAAA,EAEU,kBAA0B;AAClC,UAAM,eAAe,QAAQ,EAAE,IAAI,cAAc;AACjD,QAAI,CAAC,cAAc;AACjB,YAAM,IAAI,MAAM,oCAAoC;AAAA,IACtD;AACA,WAAO,aAAa;AAAA,EACtB;AAAA,EAEA,iBAA8B;AA3ChC;AA4CI,UAAM,gBAAgB,QAAQ,EAAE,IAAI,cAAc,MAAM;AACxD,WAAO;AAAA,MACL;AAAA,MACA,eAAc,aAAQ,EAAE,IAAI,cAAc,MAA5B,mBAA+B;AAAA,MAC7C,cAAa,aAAQ,EAAE,IAAI,cAAc,MAA5B,mBAA+B;AAAA,MAC5C,UAAS,aAAQ,EAAE,IAAI,UAAU,MAAxB,mBAA2B;AAAA,MACpC,eAAc,aAAQ,EAAE,IAAI,eAAe,MAA7B,mBAAgC;AAAA,IAChD;AAAA,EACF;AAAA,EAEA,kBAAkB,MAAkC;AAClD;AAAA,MACE,KAAK;AAAA,MACL;AAAA,MACA,KAAK;AAAA,IACP;AAAA,EACF;AAAA,EAEA,UAAsC;AACpC,UAAM,aAAa,QAAQ,EAAE,IAAI,MAAM;AACvC,QAAI,CAAC,WAAY,QAAO;AACxB,WAAO,KAAK,MAAM,WAAW,KAAK;AAAA,EACpC;AAAA,EAEA,QAAQ,MAAwC;AAC9C;AAAA,MACE,KAAK;AAAA,MACL;AAAA,MACA,EAAE,eAAe,KAAK;AAAA,MACtB,KAAK;AAAA,IACP;AAAA,EACF;AAAA,EAEA,mBAAyB;AACvB,qBAAiB,KAAK,UAA0B,KAAK,UAAU;AAAA,EACjE;AAAA;AAAA,EAGA,uBAAuB;AACrB,UAAM,IAAI,MAAM,iBAAiB;AAAA,EACnC;AAAA,EAEM,OAAsB;AAAA;AAC1B,WAAK,kBAAkB,EAAE,eAAe,MAAM,CAAC;AAAA,IACjD;AAAA;AACF;;;AD7EA,SAAS,wBAAAC,6BAA4B;AAErC,IAAMC,UAAS,QAAQ,OAAO,SAAS;AAEvC,IAAM,YAAN,cAAwB,MAAM;AAAA,EAC5B,YACE,SACgB,SAAiB,KACjC;AACA,UAAM,OAAO;AAFG;AAGhB,SAAK,OAAO;AAAA,EACd;AACF;AAEA,SAAe,sBAAsB,cAAsB;AAAA;AACzD,UAAM,UAAU,IAAI,YAAY;AAChC,UAAM,OAAO,QAAQ,OAAO,YAAY;AACxC,UAAM,SAAS,MAAM,OAAO,OAAO,OAAO,WAAW,IAAI;AACzD,WAAO,KAAK,OAAO,aAAa,GAAG,IAAI,WAAW,MAAM,CAAC,CAAC,EACvD,QAAQ,OAAO,GAAG,EAClB,QAAQ,OAAO,GAAG,EAClB,QAAQ,OAAO,EAAE;AAAA,EACtB;AAAA;AAMA,SAAe,kBAAyC;AAAA;AACtD,UAAM,eAAeC,sBAAqB;AAC1C,YAAQ,IAAI,gCAAgC,YAAY;AACxD,UAAM,YAAY,MAAM,sBAAsB,YAAY;AAC1D,UAAM,WAAW,aAAa,KAAK,EAAE,QAAQ,WAAW,UAAU,CAAC;AACnE,aAAS,QAAQ,IAAI,gBAAgB,cAAc;AAAA,MACjD,UAAU;AAAA,MACV,QAAQ;AAAA,MACR,UAAU;AAAA,IACZ,CAAC;AACD,WAAO;AAAA,EACT;AAAA;AACA,SAAe,eACb,SACA,QACuB;AAAA;AACvB,UAAM,OAAO,QAAQ,QAAQ,aAAa,IAAI,MAAM;AACpD,QAAI,CAAC,MAAM;AACT,YAAM,IAAI,UAAU,4BAA4B;AAAA,IAClD;AAEA,QAAI;AAIF,YAAM,WAAW,IAAI,aAAa,eAAe;AACjD,eAAS,QAAQ,IAAI,gBAAgB,0BAA0B;AAE/D,YAAM,kBAAkB,kBAAkB,MAAM;AAChD,YAAM,cAAc,IAAI;AAAA,QACtB,mDAAiB;AAAA,QACjB,QAAQ;AAAA,MACV,EAAE,SAAS;AAEX,YAAM,cAAc;AAAA,QAClB,iCACK,kBADL;AAAA,UAEE;AAAA,QACF;AAAA,QACA;AAAA,QACA;AAAA,MACF;AACA,cAAQ,IAAI,8BAA8B,WAAW;AACrD,YAAM,SAAS,MAAM,YAAY,cAAc,QAAQ,QAAQ,SAAS,CAAC;AAEzE,UAAI,CAAC,OAAO,aAAa;AACvB,cAAM,IAAI,UAAU,sBAAsB;AAAA,MAC5C;AAEA,aAAO;AAAA,IACT,SAAS,OAAO;AACd,MAAAD,QAAO,MAAM,0BAA0B,KAAK;AAC5C,YAAM,IAAI,UAAU,+BAA+B,GAAG;AAAA,IACxD;AAAA,EACF;AAAA;AAEA,SAAe,aACb,SACA,QACuB;AAAA;AAnGzB;AAoGE,UAAM,kBAAkB,kBAAkB,MAAM;AAChD,UAAM,QAAO,qBAAgB,aAAhB,YAA4B;AACzC,UAAM,iBAAiB,IAAI,IAAI,MAAM,QAAQ,GAAG,EAAE,SAAS;AAE3D,UAAM,WAAW,aAAa,SAAS,cAAc;AACrD,qBAAiB,UAAU,eAAe;AAE1C,QAAI;AACF,qBAAe,IAAI;AAAA,IACrB,SAAS,OAAO;AACd,MAAAA,QAAO,KAAK,2CAA2C,KAAK;AAAA,IAC9D;AAEA,WAAO;AAAA,EACT;AAAA;AAEA,IAAM,+BAA+B,CACnC,YACA,SACA,aACuB;AACvB,SAAO,IAAI,6BAA6B,YAAY,SAAS,QAAQ;AACvE;AAcA,SAAS,QAAQ,aAAyB,CAAC,GAAG;AAC5C,SAAO,CAAO,YAAgD;AAC5D,UAAM,SAAS,kBAAkB,UAAU;AAE3C,QAAI;AACF,YAAM,WAAW,QAAQ,QAAQ;AACjC,YAAM,eAAe,SAAS,MAAM,GAAG;AACvC,YAAM,cAAc,aAAa,aAAa,SAAS,CAAC;AAExD,cAAQ,aAAa;AAAA,QACnB,KAAK;AACH,iBAAO,MAAM,gBAAgB;AAAA,QAC/B,KAAK;AACH,iBAAO,MAAM,eAAe,SAAS,MAAM;AAAA,QAC7C,KAAK;AACH,iBAAO,MAAM,aAAa,SAAS,MAAM;AAAA,QAC3C;AACE,gBAAM,IAAI,UAAU,uBAAuB,QAAQ,IAAI,GAAG;AAAA,MAC9D;AAAA,IACF,SAAS,OAAO;AACd,MAAAA,QAAO,MAAM,uBAAuB,KAAK;AAEzC,YAAM,SAAS,iBAAiB,YAAY,MAAM,SAAS;AAC3D,YAAM,UACJ,iBAAiB,QAAQ,MAAM,UAAU;AAE3C,YAAM,WAAW,aAAa,KAAK,EAAE,OAAO,QAAQ,GAAG,EAAE,OAAO,CAAC;AAEjE,uBAAiB,UAAU,MAAM;AACjC,aAAO;AAAA,IACT;AAAA,EACF;AACF;;;AOrKA,SAAS,WAAAE,gBAAe;AAGjB,IAAM,UAAU,MAAkC;AANzD;AAQE,QAAM,QAAO,KAAAA,SAAQ,EAAE,IAAI,MAAM,MAApB,mBAAuB;AACpC,MAAI,CAAC,KAAM,QAAO;AAClB,SAAO,KAAK,MAAM,IAAI;AACxB;;;ACWA,SAAsB,gBAAAC,qBAAoB;AAC1C,OAAO,eAAe;AAgBtB,IAAM,YAAY,CAAC,UAAkB,gBAAwB;AAC3D,QAAM,UAAU,UAAU,WAAW;AACrC,SAAO,QAAQ,QAAQ;AACzB;AAOA,IAAM,eAAe,CAAC,UAAkB,aACtC,SAAS,KAAK,CAAC,YAAY;AACzB,MAAI,CAAC,QAAS,QAAO;AACrB,UAAQ,IAAI,YAAY;AAAA,IACtB;AAAA,IACA;AAAA,IACA,OAAO,UAAU,UAAU,OAAO;AAAA,EACpC,CAAC;AACD,SAAO,UAAU,UAAU,OAAO;AACpC,CAAC;AAGH,IAAM,YAAY,CAChB,YACA,YACsC;AACtC,QAAM,yBAAyB,kBAAkB,UAAU;AAG3D,QAAM,kBAAkB,CAAC,CAAC,QAAQ,QAAQ,IAAI,UAAU;AAGxD,MAAI,QAAQ,QAAQ,aAAa,uBAAuB,UAAU;AAChE,YAAQ,IAAI,oDAA+C;AAC3D,WAAO;AAAA,EACT;AAEA,MAAI,CAAC,aAAa,QAAQ,QAAQ,UAAU,uBAAuB,OAAO,GAAG;AAC3E,YAAQ,IAAI,2DAAsD;AAClE,WAAO;AAAA,EACT;AAEA,MAAI,aAAa,QAAQ,QAAQ,UAAU,uBAAuB,OAAO,GAAG;AAC1E,YAAQ,IAAI,uDAAkD;AAC9D,WAAO;AAAA,EACT;AAGA,MAAI,CAAC,iBAAiB;AACpB,YAAQ,IAAI,oDAA+C;AAC3D,UAAM,WAAW,IAAI,IAAI,uBAAuB,UAAU,QAAQ,GAAG;AACrE,WAAOC,cAAa,SAAS,QAAQ;AAAA,EACvC;AAEA,UAAQ,IAAI,0BAAqB;AACjC,SAAO;AACT;AAUO,IAAM,iBACX,CAAC,aAAa,sBACd,CAAO,YAAgD;AACrD,QAAM,WAAW,MAAM,UAAU,YAAY,OAAO;AACpD,MAAI,SAAU,QAAO;AAIrB,SAAOA,cAAa,KAAK;AAC3B;AAWK,SAAS,SACd,YACiD;AACjD,SAAO,CAAO,YAAgD;AAC5D,UAAM,WAAW,MAAM,UAAU,CAAC,GAAG,OAAO;AAC5C,QAAI,SAAU,QAAO;AACrB,WAAO,WAAW,OAAO;AAAA,EAC3B;AACF;AAeO,SAAS,KAAK,aAAyB,CAAC,GAAG;AAChD,SAAO,CACL,eACsD;AACtD,WAAO,CAAO,YAAgD;AAC5D,YAAM,WAAW,MAAM,UAAU,YAAY,OAAO;AACpD,UAAI,SAAU,QAAO;AACrB,aAAO,WAAW,OAAO;AAAA,IAC3B;AAAA,EACF;AACF;","names":["oAuthUrl","generateCodeVerifier","logger","generateCodeVerifier","cookies","NextResponse","NextResponse"]}
1
+ {"version":3,"sources":["../src/nextjs/cookies.ts","../src/nextjs/GetUser.ts","../src/nextjs/middleware.ts","../src/nextjs/routeHandler.ts"],"sourcesContent":["import { SessionData, UnknownObject, User } from \"@/types\";\nimport { NextResponse } from \"next/server\";\nimport { AuthConfig } from \"@/nextjs/config\";\nimport { CookieStorage, CookieStorageSettings } from \"@/server\";\nimport { cookies } from \"next/headers.js\";\nimport { GenericUserSession } from \"@/shared/UserSession\";\nimport { clearTokens } from \"@/shared/util\";\n\n/**\n * Creates HTTP-only cookies for authentication tokens\n */\nconst createTokenCookies = (\n response: NextResponse,\n sessionData: SessionData,\n config: AuthConfig,\n) => {\n const maxAge = sessionData.expiresIn ?? 3600;\n const cookieOptions = {\n ...config.cookies?.tokens,\n maxAge,\n };\n\n if (sessionData.accessToken) {\n response.cookies.set(\"access_token\", sessionData.accessToken, {\n ...cookieOptions,\n httpOnly: true,\n });\n }\n\n if (sessionData.idToken) {\n response.cookies.set(\"id_token\", sessionData.idToken, {\n ...cookieOptions,\n httpOnly: true,\n });\n }\n\n if (sessionData.refreshToken) {\n response.cookies.set(\"refresh_token\", sessionData.refreshToken, {\n ...cookieOptions,\n httpOnly: true,\n });\n }\n};\n\n/**\n * Creates a client-readable cookie with user info\n */\nconst createUserInfoCookie = (\n response: NextResponse,\n user: User<UnknownObject> | null,\n sessionData: SessionData,\n config: AuthConfig,\n) => {\n if (!user) {\n response.cookies.set(\"user\", \"\", {\n ...config.cookies?.user,\n maxAge: 0,\n });\n return;\n }\n const maxAge = sessionData.expiresIn ?? 3600;\n\n // TODO select fields to include in the user cookie\n const frontendUser = {\n ...user,\n };\n\n // TODO make call to get user info from the\n // auth server /userinfo endpoint when it's available\n // then add to the default claims above\n\n response.cookies.set(\"user\", JSON.stringify(frontendUser), {\n ...config.cookies?.user,\n maxAge,\n });\n};\n\n/**\n * Clears all authentication cookies\n */\nconst clearAuthCookies = async () => {\n // clear session, and tokens\n const cookieStorage = new NextjsCookieStorage();\n clearTokens(cookieStorage);\n\n // clear user\n const clientStorage = new NextjsClientStorage();\n const userSession = new GenericUserSession(clientStorage);\n userSession.set(null);\n};\n\nclass NextjsCookieStorage extends CookieStorage {\n constructor(config: Partial<CookieStorageSettings> = {}) {\n super({\n ...config,\n secure: true,\n httpOnly: true,\n });\n }\n\n get(key: string): string | null {\n return cookies().get(key)?.value || null;\n }\n\n set(key: string, value: string): void {\n cookies().set(key, value, this.settings);\n }\n}\n\nclass NextjsClientStorage extends CookieStorage {\n constructor(config: Partial<CookieStorageSettings> = {}) {\n super({\n ...config,\n secure: false,\n httpOnly: false,\n });\n }\n\n get(key: string): string | null {\n return cookies().get(key)?.value || null;\n }\n\n set(key: string, value: string): void {\n cookies().set(key, value, this.settings);\n }\n}\n\nexport {\n createTokenCookies,\n createUserInfoCookie,\n clearAuthCookies,\n NextjsCookieStorage,\n NextjsClientStorage,\n};\n","/**\n * Used on the server-side to get the user object from the cookie\n */\nimport { User } from \"@/types\";\nimport { GenericUserSession } from \"@/shared/UserSession\";\nimport { NextjsClientStorage } from \"@/nextjs/cookies\";\n\nexport const getUser = (): User | null => {\n const clientStorage = new NextjsClientStorage();\n const userSession = new GenericUserSession(clientStorage);\n return userSession.get();\n};\n","/**\n * Authenticates the user on all requests by checking the token cookie\n *\n * Usage:\n * Option 1: use if no other middleware (e.g. no next-intl etc)\n * export default authMiddleware();\n *\n * Option 2: use if other middleware is needed - default auth config\n * export default withAuth((request) => {\n * console.log('in custom middleware', request.nextUrl.pathname);\n * return NextResponse.next();\n * })\n *\n * Option 3: use if other middleware is needed - specifying auth config\n * const withCivicAuth = auth({ loginUrl: '/login', include: ['/[.*]/user'] })\n * export default withCivicAuth((request) => {\n * console.log('in custom middleware', request.url);\n * return NextResponse.next();\n * })\n *\n */\nimport { NextRequest, NextResponse } from \"next/server.js\";\nimport picomatch from \"picomatch\";\nimport {\n AuthConfig,\n defaultAuthConfig,\n resolveAuthConfig,\n} from \"@/nextjs/config.js\";\n\ntype Middleware = (\n request: NextRequest,\n) => Promise<NextResponse> | NextResponse;\n\n// Matches globs:\n// Examples:\n// /user\n// /user/*\n// /user/**/info\nconst matchGlob = (pathname: string, globPattern: string) => {\n const matches = picomatch(globPattern);\n return matches(pathname);\n};\n\n// Matches globs:\n// Examples:\n// /user\n// /user/*\n// /user/**/info\nconst matchesGlobs = (pathname: string, patterns: string[]) =>\n patterns.some((pattern) => {\n if (!pattern) return false;\n console.log(\"matching\", {\n pattern,\n pathname,\n match: matchGlob(pathname, pattern),\n });\n return matchGlob(pathname, pattern);\n });\n\n// internal - used by all exported functions\nconst applyAuth = async (\n authConfig: AuthConfig,\n request: NextRequest,\n): Promise<NextResponse | undefined> => {\n const authConfigWithDefaults = resolveAuthConfig(authConfig);\n\n // Check for any valid auth token\n const isAuthenticated = !!request.cookies.get(\"id_token\");\n\n // skip auth check for login url\n if (request.nextUrl.pathname === authConfigWithDefaults.loginUrl) {\n console.log(\"→ Skipping auth check - this is the login URL\");\n return undefined;\n }\n\n if (!matchesGlobs(request.nextUrl.pathname, authConfigWithDefaults.include)) {\n console.log(\"→ Skipping auth check - path not in include patterns\");\n return undefined;\n }\n\n if (matchesGlobs(request.nextUrl.pathname, authConfigWithDefaults.exclude)) {\n console.log(\"→ Skipping auth check - path in exclude patterns\");\n return undefined;\n }\n\n // Check for either token type\n if (!isAuthenticated) {\n console.log(\"→ No valid token found - redirecting to login\");\n const loginUrl = new URL(authConfigWithDefaults.loginUrl, request.url);\n return NextResponse.redirect(loginUrl);\n }\n\n console.log(\"→ Auth check passed\");\n return undefined;\n};\n\n/**\n *\n * Use this when auth is the only middleware you need.\n * Usage:\n *\n * export default authMiddleware({ loginUrl = '/login' }); // or just authMiddleware();\n *\n */\nexport const authMiddleware =\n (authConfig = defaultAuthConfig) =>\n async (request: NextRequest): Promise<NextResponse> => {\n const response = await applyAuth(authConfig, request);\n if (response) return response;\n\n // NextJS doesn't do middleware chaining yet, so this does not mean\n // \"call the next middleware\" - it means \"continue to the route handler\"\n return NextResponse.next();\n };\n\n/**\n * Usage:\n *\n * export default withAuth(async (request) => {\n * console.log('my middleware');\n * return NextResponse.next();\n * })\n */\n// use this when you have your own middleware to chain\nexport function withAuth(\n middleware: Middleware,\n): (request: NextRequest) => Promise<NextResponse> {\n return async (request: NextRequest): Promise<NextResponse> => {\n const response = await applyAuth({}, request);\n if (response) return response;\n return middleware(request);\n };\n}\n\n/**\n * Use this when you want to configure the middleware here (an alternative is to do it in the next.config file)\n *\n * Usage:\n *\n * const withAuth = auth({ loginUrl = '/login' }); // or just auth();\n *\n * export default withAuth(async (request) => {\n * console.log('my middleware');\n * return NextResponse.next();\n * })\n *\n */\nexport function auth(authConfig: AuthConfig = {}) {\n return (\n middleware: Middleware,\n ): ((request: NextRequest) => Promise<NextResponse>) => {\n return async (request: NextRequest): Promise<NextResponse> => {\n const response = await applyAuth(authConfig, request);\n if (response) return response;\n return middleware(request);\n };\n };\n}\n","import { NextRequest, NextResponse } from \"next/server.js\";\nimport { revalidatePath } from \"next/cache.js\";\nimport { AuthConfig, resolveAuthConfig } from \"@/nextjs/config.js\";\nimport { loggers } from \"@/lib/logger.js\";\nimport {\n clearAuthCookies,\n NextjsClientStorage,\n NextjsCookieStorage,\n} from \"@/nextjs/cookies.js\";\nimport { GenericPublicClientPKCEProducer } from \"@/services/PKCE.js\";\nimport { resolveOAuthAccessCode } from \"@/server/login.js\";\nimport { getUser } from \"@/shared/session.js\";\nimport { resolveCallbackUrl } from \"@/nextjs/utils.js\";\nimport { GenericUserSession } from \"@/shared/UserSession.js\";\n\nconst logger = loggers.nextjs.handlers.auth;\n\nclass AuthError extends Error {\n constructor(\n message: string,\n public readonly status: number = 401,\n ) {\n super(message);\n this.name = \"AuthError\";\n }\n}\n\n/**\n * create a code verifier and challenge for PKCE\n * saving the verifier in a cookie for later use\n * @returns {Promise<NextResponse>}\n */\nasync function handleChallenge(): Promise<NextResponse> {\n const cookieStorage = new NextjsCookieStorage();\n const pkceProducer = new GenericPublicClientPKCEProducer(cookieStorage);\n\n const challenge = await pkceProducer.getCodeChallenge();\n\n return NextResponse.json({ status: \"success\", challenge });\n}\n\nasync function handleCallback(\n request: NextRequest,\n config: AuthConfig,\n): Promise<NextResponse> {\n const tokenExchange = request.nextUrl.searchParams.get(\"tokenExchange\");\n // if the client hasn't request token exchange, return an empty HTML response\n // the next call should include the tokenExchange query parameter from the same-domain\n if (!tokenExchange) {\n const response = new NextResponse(`<html></html>`);\n response.headers.set(\"Content-Type\", \"text/html; charset=utf-8\");\n return response;\n }\n const code = request.nextUrl.searchParams.get(\"code\");\n const state = request.nextUrl.searchParams.get(\"state\");\n if (!code || !state) throw new AuthError(\"Bad parameters\", 400);\n\n const cookieStorage = new NextjsCookieStorage();\n\n const resolvedConfigs = resolveAuthConfig(config);\n const callbackUrl = resolveCallbackUrl(resolvedConfigs, request.url);\n\n try {\n await resolveOAuthAccessCode(code, state, cookieStorage, {\n ...resolvedConfigs,\n redirectUrl: callbackUrl,\n });\n } catch (error) {\n logger.error(\"Token exchange failed:\", error);\n throw new AuthError(\"Failed to authenticate user\", 401);\n }\n\n const user = await getUser(cookieStorage);\n if (!user) {\n throw new AuthError(\"Failed to get user info\", 401);\n }\n\n const clientStorage = new NextjsClientStorage();\n const userSession = new GenericUserSession(clientStorage);\n\n userSession.set(user);\n\n // return an empty HTML response so the iframe doesn't show any response\n // in the short moment between the redirect and the parent window\n // acknowledging the redirect and closing the iframe\n const response = new NextResponse(`<html></html>`);\n response.headers.set(\"Content-Type\", \"text/html; charset=utf-8\");\n return response;\n}\n\n/**\n * If redirectPath is an absolute path, return it as-is.\n * Otherwise for relative paths, append it to the current domain.\n * @param redirectPath\n * @returns\n */\nconst getAbsoluteRedirectPath = (\n redirectPath: string,\n currentBasePath: string,\n) => {\n // Check if the redirectPath is an absolute URL\n if (/^(https?:\\/\\/|www\\.).+/i.test(redirectPath)) {\n return redirectPath; // Return as-is if it's an absolute URL\n }\n return new URL(redirectPath, currentBasePath).href;\n};\n\nasync function handleLogout(\n request: NextRequest,\n config: AuthConfig,\n): Promise<NextResponse> {\n const resolvedConfigs = resolveAuthConfig(config);\n const defaultRedirectPath = resolvedConfigs.loginUrl ?? \"/\";\n const redirectTarget =\n new URL(request.url).searchParams.get(\"redirect\") || defaultRedirectPath;\n const isAbsoluteRedirect = /^(https?:\\/\\/|www\\.).+/i.test(redirectTarget);\n const finalRedirectUrl = getAbsoluteRedirectPath(\n redirectTarget,\n new URL(request.url).origin,\n );\n\n const response = NextResponse.redirect(finalRedirectUrl);\n\n clearAuthCookies();\n\n try {\n revalidatePath(isAbsoluteRedirect ? finalRedirectUrl : redirectTarget);\n } catch (error) {\n logger.warn(\"Failed to revalidate path after logout:\", error);\n }\n\n return response;\n}\n\n/**\n * Creates an authentication handler for Next.js API routes\n *\n * Usage:\n * ```ts\n * // app/api/auth/[...civicauth]/route.ts\n * import { handler } from '@civic/auth/nextjs'\n * export const GET = handler({\n * // optional config overrides\n * })\n * ```\n */\nexport const handler =\n (authConfig = {}) =>\n async (request: NextRequest): Promise<NextResponse> => {\n const config = resolveAuthConfig(authConfig);\n\n try {\n const pathname = request.nextUrl.pathname;\n const pathSegments = pathname.split(\"/\");\n const lastSegment = pathSegments[pathSegments.length - 1];\n\n switch (lastSegment) {\n case \"challenge\":\n return await handleChallenge();\n case \"callback\":\n return await handleCallback(request, config);\n case \"logout\":\n return await handleLogout(request, config);\n default:\n throw new AuthError(`Invalid auth route: ${pathname}`, 404);\n }\n } catch (error) {\n logger.error(\"Auth handler error:\", error);\n\n const status = error instanceof AuthError ? error.status : 500;\n const message =\n error instanceof Error ? error.message : \"Authentication failed\";\n\n const response = NextResponse.json({ error: message }, { status });\n\n clearAuthCookies();\n return response;\n }\n };\n"],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;AAIA,SAAS,eAAe;AA4ExB,IAAM,mBAAmB,MAAY;AAEnC,QAAM,gBAAgB,IAAI,oBAAoB;AAC9C,cAAY,aAAa;AAGzB,QAAM,gBAAgB,IAAI,oBAAoB;AAC9C,QAAM,cAAc,IAAI,mBAAmB,aAAa;AACxD,cAAY,IAAI,IAAI;AACtB;AAEA,IAAM,sBAAN,cAAkC,cAAc;AAAA,EAC9C,YAAY,SAAyC,CAAC,GAAG;AACvD,UAAM,iCACD,SADC;AAAA,MAEJ,QAAQ;AAAA,MACR,UAAU;AAAA,IACZ,EAAC;AAAA,EACH;AAAA,EAEA,IAAI,KAA4B;AApGlC;AAqGI,aAAO,aAAQ,EAAE,IAAI,GAAG,MAAjB,mBAAoB,UAAS;AAAA,EACtC;AAAA,EAEA,IAAI,KAAa,OAAqB;AACpC,YAAQ,EAAE,IAAI,KAAK,OAAO,KAAK,QAAQ;AAAA,EACzC;AACF;AAEA,IAAM,sBAAN,cAAkC,cAAc;AAAA,EAC9C,YAAY,SAAyC,CAAC,GAAG;AACvD,UAAM,iCACD,SADC;AAAA,MAEJ,QAAQ;AAAA,MACR,UAAU;AAAA,IACZ,EAAC;AAAA,EACH;AAAA,EAEA,IAAI,KAA4B;AAtHlC;AAuHI,aAAO,aAAQ,EAAE,IAAI,GAAG,MAAjB,mBAAoB,UAAS;AAAA,EACtC;AAAA,EAEA,IAAI,KAAa,OAAqB;AACpC,YAAQ,EAAE,IAAI,KAAK,OAAO,KAAK,QAAQ;AAAA,EACzC;AACF;;;ACtHO,IAAMA,WAAU,MAAmB;AACxC,QAAM,gBAAgB,IAAI,oBAAoB;AAC9C,QAAM,cAAc,IAAI,mBAAmB,aAAa;AACxD,SAAO,YAAY,IAAI;AACzB;;;ACUA,SAAsB,oBAAoB;AAC1C,OAAO,eAAe;AAgBtB,IAAM,YAAY,CAAC,UAAkB,gBAAwB;AAC3D,QAAM,UAAU,UAAU,WAAW;AACrC,SAAO,QAAQ,QAAQ;AACzB;AAOA,IAAM,eAAe,CAAC,UAAkB,aACtC,SAAS,KAAK,CAAC,YAAY;AACzB,MAAI,CAAC,QAAS,QAAO;AACrB,UAAQ,IAAI,YAAY;AAAA,IACtB;AAAA,IACA;AAAA,IACA,OAAO,UAAU,UAAU,OAAO;AAAA,EACpC,CAAC;AACD,SAAO,UAAU,UAAU,OAAO;AACpC,CAAC;AAGH,IAAM,YAAY,CAChB,YACA,YACsC;AACtC,QAAM,yBAAyB,kBAAkB,UAAU;AAG3D,QAAM,kBAAkB,CAAC,CAAC,QAAQ,QAAQ,IAAI,UAAU;AAGxD,MAAI,QAAQ,QAAQ,aAAa,uBAAuB,UAAU;AAChE,YAAQ,IAAI,oDAA+C;AAC3D,WAAO;AAAA,EACT;AAEA,MAAI,CAAC,aAAa,QAAQ,QAAQ,UAAU,uBAAuB,OAAO,GAAG;AAC3E,YAAQ,IAAI,2DAAsD;AAClE,WAAO;AAAA,EACT;AAEA,MAAI,aAAa,QAAQ,QAAQ,UAAU,uBAAuB,OAAO,GAAG;AAC1E,YAAQ,IAAI,uDAAkD;AAC9D,WAAO;AAAA,EACT;AAGA,MAAI,CAAC,iBAAiB;AACpB,YAAQ,IAAI,oDAA+C;AAC3D,UAAM,WAAW,IAAI,IAAI,uBAAuB,UAAU,QAAQ,GAAG;AACrE,WAAO,aAAa,SAAS,QAAQ;AAAA,EACvC;AAEA,UAAQ,IAAI,0BAAqB;AACjC,SAAO;AACT;AAUO,IAAM,iBACX,CAAC,aAAa,sBACd,CAAO,YAAgD;AACrD,QAAM,WAAW,MAAM,UAAU,YAAY,OAAO;AACpD,MAAI,SAAU,QAAO;AAIrB,SAAO,aAAa,KAAK;AAC3B;AAWK,SAAS,SACd,YACiD;AACjD,SAAO,CAAO,YAAgD;AAC5D,UAAM,WAAW,MAAM,UAAU,CAAC,GAAG,OAAO;AAC5C,QAAI,SAAU,QAAO;AACrB,WAAO,WAAW,OAAO;AAAA,EAC3B;AACF;AAeO,SAAS,KAAK,aAAyB,CAAC,GAAG;AAChD,SAAO,CACL,eACsD;AACtD,WAAO,CAAO,YAAgD;AAC5D,YAAM,WAAW,MAAM,UAAU,YAAY,OAAO;AACpD,UAAI,SAAU,QAAO;AACrB,aAAO,WAAW,OAAO;AAAA,IAC3B;AAAA,EACF;AACF;;;AC7JA,SAAsB,gBAAAC,qBAAoB;AAC1C,SAAS,sBAAsB;AAc/B,IAAM,SAAS,QAAQ,OAAO,SAAS;AAEvC,IAAM,YAAN,cAAwB,MAAM;AAAA,EAC5B,YACE,SACgB,SAAiB,KACjC;AACA,UAAM,OAAO;AAFG;AAGhB,SAAK,OAAO;AAAA,EACd;AACF;AAOA,SAAe,kBAAyC;AAAA;AACtD,UAAM,gBAAgB,IAAI,oBAAoB;AAC9C,UAAM,eAAe,IAAI,gCAAgC,aAAa;AAEtE,UAAM,YAAY,MAAM,aAAa,iBAAiB;AAEtD,WAAOC,cAAa,KAAK,EAAE,QAAQ,WAAW,UAAU,CAAC;AAAA,EAC3D;AAAA;AAEA,SAAe,eACb,SACA,QACuB;AAAA;AACvB,UAAM,gBAAgB,QAAQ,QAAQ,aAAa,IAAI,eAAe;AAGtE,QAAI,CAAC,eAAe;AAClB,YAAMC,YAAW,IAAID,cAAa,eAAe;AACjD,MAAAC,UAAS,QAAQ,IAAI,gBAAgB,0BAA0B;AAC/D,aAAOA;AAAA,IACT;AACA,UAAM,OAAO,QAAQ,QAAQ,aAAa,IAAI,MAAM;AACpD,UAAM,QAAQ,QAAQ,QAAQ,aAAa,IAAI,OAAO;AACtD,QAAI,CAAC,QAAQ,CAAC,MAAO,OAAM,IAAI,UAAU,kBAAkB,GAAG;AAE9D,UAAM,gBAAgB,IAAI,oBAAoB;AAE9C,UAAM,kBAAkB,kBAAkB,MAAM;AAChD,UAAM,cAAc,mBAAmB,iBAAiB,QAAQ,GAAG;AAEnE,QAAI;AACF,YAAM,uBAAuB,MAAM,OAAO,eAAe,iCACpD,kBADoD;AAAA,QAEvD,aAAa;AAAA,MACf,EAAC;AAAA,IACH,SAAS,OAAO;AACd,aAAO,MAAM,0BAA0B,KAAK;AAC5C,YAAM,IAAI,UAAU,+BAA+B,GAAG;AAAA,IACxD;AAEA,UAAM,OAAO,MAAM,QAAQ,aAAa;AACxC,QAAI,CAAC,MAAM;AACT,YAAM,IAAI,UAAU,2BAA2B,GAAG;AAAA,IACpD;AAEA,UAAM,gBAAgB,IAAI,oBAAoB;AAC9C,UAAM,cAAc,IAAI,mBAAmB,aAAa;AAExD,gBAAY,IAAI,IAAI;AAKpB,UAAM,WAAW,IAAID,cAAa,eAAe;AACjD,aAAS,QAAQ,IAAI,gBAAgB,0BAA0B;AAC/D,WAAO;AAAA,EACT;AAAA;AAQA,IAAM,0BAA0B,CAC9B,cACA,oBACG;AAEH,MAAI,0BAA0B,KAAK,YAAY,GAAG;AAChD,WAAO;AAAA,EACT;AACA,SAAO,IAAI,IAAI,cAAc,eAAe,EAAE;AAChD;AAEA,SAAe,aACb,SACA,QACuB;AAAA;AA9GzB;AA+GE,UAAM,kBAAkB,kBAAkB,MAAM;AAChD,UAAM,uBAAsB,qBAAgB,aAAhB,YAA4B;AACxD,UAAM,iBACJ,IAAI,IAAI,QAAQ,GAAG,EAAE,aAAa,IAAI,UAAU,KAAK;AACvD,UAAM,qBAAqB,0BAA0B,KAAK,cAAc;AACxE,UAAM,mBAAmB;AAAA,MACvB;AAAA,MACA,IAAI,IAAI,QAAQ,GAAG,EAAE;AAAA,IACvB;AAEA,UAAM,WAAWA,cAAa,SAAS,gBAAgB;AAEvD,qBAAiB;AAEjB,QAAI;AACF,qBAAe,qBAAqB,mBAAmB,cAAc;AAAA,IACvE,SAAS,OAAO;AACd,aAAO,KAAK,2CAA2C,KAAK;AAAA,IAC9D;AAEA,WAAO;AAAA,EACT;AAAA;AAcO,IAAM,UACX,CAAC,aAAa,CAAC,MACf,CAAO,YAAgD;AACrD,QAAM,SAAS,kBAAkB,UAAU;AAE3C,MAAI;AACF,UAAM,WAAW,QAAQ,QAAQ;AACjC,UAAM,eAAe,SAAS,MAAM,GAAG;AACvC,UAAM,cAAc,aAAa,aAAa,SAAS,CAAC;AAExD,YAAQ,aAAa;AAAA,MACnB,KAAK;AACH,eAAO,MAAM,gBAAgB;AAAA,MAC/B,KAAK;AACH,eAAO,MAAM,eAAe,SAAS,MAAM;AAAA,MAC7C,KAAK;AACH,eAAO,MAAM,aAAa,SAAS,MAAM;AAAA,MAC3C;AACE,cAAM,IAAI,UAAU,uBAAuB,QAAQ,IAAI,GAAG;AAAA,IAC9D;AAAA,EACF,SAAS,OAAO;AACd,WAAO,MAAM,uBAAuB,KAAK;AAEzC,UAAM,SAAS,iBAAiB,YAAY,MAAM,SAAS;AAC3D,UAAM,UACJ,iBAAiB,QAAQ,MAAM,UAAU;AAE3C,UAAM,WAAWA,cAAa,KAAK,EAAE,OAAO,QAAQ,GAAG,EAAE,OAAO,CAAC;AAEjE,qBAAiB;AACjB,WAAO;AAAA,EACT;AACF;","names":["getUser","NextResponse","NextResponse","response"]}
package/dist/react.d.mts CHANGED
@@ -1,49 +1,8 @@
1
- import { A as AuthSessionService, E as Endpoints, U as UserInfoService, S as SessionData, a as User, b as UnknownObject, D as DisplayMode, O as OIDCTokenResponseBody, C as Config, F as ForwardedTokens } from './index-DFVNodC9.mjs';
2
1
  import { JWT } from 'oslo/jwt';
3
- import { ReactNode } from 'react';
4
- import { OAuth2Client } from 'oslo/oauth2';
5
- import * as jose from 'jose';
2
+ import { D as DisplayMode, U as User, F as ForwardedTokens, C as Config, S as SessionData, a as UnknownObject } from './index-Bfi0hVMZ.mjs';
3
+ import { ReactNode, RefObject, Dispatch, SetStateAction } from 'react';
6
4
  import * as react_jsx_runtime from 'react/jsx-runtime';
7
-
8
- declare class AuthSessionServiceImpl implements AuthSessionService {
9
- readonly clientId: string;
10
- readonly redirectUrl: string;
11
- readonly oauthServer: string;
12
- readonly inputEndpoints?: Partial<Endpoints> | undefined;
13
- private endpoints;
14
- private oauth2Client;
15
- private userInfoService;
16
- private codeVerifier;
17
- private refreshTokenTimeout;
18
- constructor(clientId: string, redirectUrl: string, oauthServer: string, inputEndpoints?: Partial<Endpoints> | undefined);
19
- protected getCodeVerifier(): string;
20
- getUserInfoService(): Promise<UserInfoService>;
21
- protected getEndpoints(): Promise<Endpoints>;
22
- protected getOauth2Client(): Promise<OAuth2Client>;
23
- getSessionData(): SessionData;
24
- updateSessionData(data: Partial<SessionData>): void;
25
- getUser(): User<UnknownObject> | null;
26
- setUser(data: User<UnknownObject> | null): void;
27
- clearSessionData(): void;
28
- getAuthorizationUrlWithChallenge(state: string, scopes: string[]): Promise<URL>;
29
- getAuthorizationUrl(scopes: string[], displayMode: DisplayMode, nonce?: string): Promise<string>;
30
- loadAuthorizationUrl(authorizationURL: string, displayMode: DisplayMode): void;
31
- init(): Promise<void>;
32
- determineDisplayMode(displayMode: DisplayMode): DisplayMode;
33
- signIn(displayMode: DisplayMode, scopes: string[], nonce: string): Promise<void>;
34
- tokenExchange(responseUrl: string): Promise<SessionData>;
35
- private setupTokenRefresh;
36
- refreshToken(): Promise<SessionData>;
37
- getUserInfo<T extends UnknownObject>(): Promise<User<T> | null>;
38
- /**
39
- * Uses the jose library to validate a JWT token using the OAuth JWKS endpoint
40
- * @param {string} token
41
- * @returns {Promise<jose.JWTPayload>}
42
- * @throws {Error} if the token is invalid
43
- */
44
- validateTokens(tokens: OIDCTokenResponseBody): Promise<Record<"idToken" | "accessToken" | "refreshToken", jose.JWTPayload | string>>;
45
- validateExistingSession(): Promise<SessionData>;
46
- }
5
+ import 'oslo/oauth2';
47
6
 
48
7
  type AuthContextType = {
49
8
  signIn: (displayMode?: DisplayMode) => Promise<void>;
@@ -52,17 +11,6 @@ type AuthContextType = {
52
11
  error: Error | null;
53
12
  signOut: () => Promise<void>;
54
13
  };
55
- type AuthProviderProps = {
56
- children: ReactNode;
57
- clientId: string;
58
- redirectUrl?: string;
59
- nonce?: string;
60
- config?: Config;
61
- onSignIn?: (error?: Error) => void;
62
- onSignOut?: () => void;
63
- authServiceImpl?: AuthSessionServiceImpl;
64
- serverSideTokenExchange?: boolean;
65
- };
66
14
 
67
15
  type UserContextType$1<T extends Record<string, unknown> & JWT["payload"] = Record<string, unknown> & JWT["payload"]> = {
68
16
  user: User<T> | null;
@@ -77,7 +25,28 @@ type TokenContextType = {
77
25
  error: Error | null;
78
26
  };
79
27
 
80
- type CivicAuthProviderProps = Omit<AuthProviderProps, "authServiceImpl" | "serverSideTokenExchange">;
28
+ interface PKCEConsumer {
29
+ getCodeChallenge(): Promise<string>;
30
+ }
31
+
32
+ type AuthProviderProps = {
33
+ children: ReactNode;
34
+ clientId: string;
35
+ redirectUrl?: string;
36
+ nonce?: string;
37
+ config?: Config;
38
+ onSignIn?: (error?: Error) => void;
39
+ onSignOut?: () => void;
40
+ pkceConsumer?: PKCEConsumer;
41
+ modalIframe?: boolean;
42
+ };
43
+
44
+ type SessionProviderOutput = SessionData & {
45
+ iframeRef: RefObject<HTMLIFrameElement> | null;
46
+ setAuthResponseUrl: Dispatch<SetStateAction<string | null>>;
47
+ };
48
+
49
+ type CivicAuthProviderProps = Omit<AuthProviderProps, "pkceConsumer">;
81
50
  declare const CivicAuthProvider: ({ children, ...props }: CivicAuthProviderProps) => react_jsx_runtime.JSX.Element;
82
51
 
83
52
  type UserContextType = {
@@ -95,7 +64,22 @@ declare const useToken: () => TokenContextType;
95
64
 
96
65
  declare const useAuth: () => AuthContextType;
97
66
 
98
- declare const useSession: () => SessionData;
67
+ declare const useSession: () => SessionProviderOutput;
68
+
69
+ type ConfigProviderOutput = {
70
+ config: Config;
71
+ redirectUrl: string;
72
+ modalIframe: boolean;
73
+ serverTokenExchange: boolean;
74
+ };
75
+
76
+ declare const useConfig: () => ConfigProviderOutput;
77
+
78
+ type CivicAuthIframeContainerProps = {
79
+ onClose?: () => void;
80
+ closeOnRedirect?: boolean;
81
+ };
82
+ declare const CivicAuthIframeContainer: ({ onClose, closeOnRedirect, }: CivicAuthIframeContainerProps) => react_jsx_runtime.JSX.Element;
99
83
 
100
84
  declare const UserButton: ({ displayMode, className, }: {
101
85
  displayMode?: DisplayMode;
@@ -115,4 +99,4 @@ declare const NextLogOut: ({ children }: {
115
99
  children: ReactNode;
116
100
  }) => react_jsx_runtime.JSX.Element;
117
101
 
118
- export { type AuthContextType, CivicAuthProvider, CivicNextAuthProvider, NextLogOut, SignInButton, SignOutButton, type TokenContextType, UserButton, type UserContextType$1 as UserContextType, useAuth, useNextUser, useSession, useToken, useUser, useUserCookie };
102
+ export { type AuthContextType, CivicAuthIframeContainer, CivicAuthProvider, type CivicAuthProviderProps, CivicNextAuthProvider, type NextCivicAuthProviderProps, NextLogOut, SignInButton, SignOutButton, type TokenContextType, UserButton, type UserContextType$1 as UserContextType, useAuth, useConfig, useNextUser, useSession, useToken, useUser, useUserCookie };
package/dist/react.d.ts CHANGED
@@ -1,49 +1,8 @@
1
- import { A as AuthSessionService, E as Endpoints, U as UserInfoService, S as SessionData, a as User, b as UnknownObject, D as DisplayMode, O as OIDCTokenResponseBody, C as Config, F as ForwardedTokens } from './index-DFVNodC9.js';
2
1
  import { JWT } from 'oslo/jwt';
3
- import { ReactNode } from 'react';
4
- import { OAuth2Client } from 'oslo/oauth2';
5
- import * as jose from 'jose';
2
+ import { D as DisplayMode, U as User, F as ForwardedTokens, C as Config, S as SessionData, a as UnknownObject } from './index-Bfi0hVMZ.js';
3
+ import { ReactNode, RefObject, Dispatch, SetStateAction } from 'react';
6
4
  import * as react_jsx_runtime from 'react/jsx-runtime';
7
-
8
- declare class AuthSessionServiceImpl implements AuthSessionService {
9
- readonly clientId: string;
10
- readonly redirectUrl: string;
11
- readonly oauthServer: string;
12
- readonly inputEndpoints?: Partial<Endpoints> | undefined;
13
- private endpoints;
14
- private oauth2Client;
15
- private userInfoService;
16
- private codeVerifier;
17
- private refreshTokenTimeout;
18
- constructor(clientId: string, redirectUrl: string, oauthServer: string, inputEndpoints?: Partial<Endpoints> | undefined);
19
- protected getCodeVerifier(): string;
20
- getUserInfoService(): Promise<UserInfoService>;
21
- protected getEndpoints(): Promise<Endpoints>;
22
- protected getOauth2Client(): Promise<OAuth2Client>;
23
- getSessionData(): SessionData;
24
- updateSessionData(data: Partial<SessionData>): void;
25
- getUser(): User<UnknownObject> | null;
26
- setUser(data: User<UnknownObject> | null): void;
27
- clearSessionData(): void;
28
- getAuthorizationUrlWithChallenge(state: string, scopes: string[]): Promise<URL>;
29
- getAuthorizationUrl(scopes: string[], displayMode: DisplayMode, nonce?: string): Promise<string>;
30
- loadAuthorizationUrl(authorizationURL: string, displayMode: DisplayMode): void;
31
- init(): Promise<void>;
32
- determineDisplayMode(displayMode: DisplayMode): DisplayMode;
33
- signIn(displayMode: DisplayMode, scopes: string[], nonce: string): Promise<void>;
34
- tokenExchange(responseUrl: string): Promise<SessionData>;
35
- private setupTokenRefresh;
36
- refreshToken(): Promise<SessionData>;
37
- getUserInfo<T extends UnknownObject>(): Promise<User<T> | null>;
38
- /**
39
- * Uses the jose library to validate a JWT token using the OAuth JWKS endpoint
40
- * @param {string} token
41
- * @returns {Promise<jose.JWTPayload>}
42
- * @throws {Error} if the token is invalid
43
- */
44
- validateTokens(tokens: OIDCTokenResponseBody): Promise<Record<"idToken" | "accessToken" | "refreshToken", jose.JWTPayload | string>>;
45
- validateExistingSession(): Promise<SessionData>;
46
- }
5
+ import 'oslo/oauth2';
47
6
 
48
7
  type AuthContextType = {
49
8
  signIn: (displayMode?: DisplayMode) => Promise<void>;
@@ -52,17 +11,6 @@ type AuthContextType = {
52
11
  error: Error | null;
53
12
  signOut: () => Promise<void>;
54
13
  };
55
- type AuthProviderProps = {
56
- children: ReactNode;
57
- clientId: string;
58
- redirectUrl?: string;
59
- nonce?: string;
60
- config?: Config;
61
- onSignIn?: (error?: Error) => void;
62
- onSignOut?: () => void;
63
- authServiceImpl?: AuthSessionServiceImpl;
64
- serverSideTokenExchange?: boolean;
65
- };
66
14
 
67
15
  type UserContextType$1<T extends Record<string, unknown> & JWT["payload"] = Record<string, unknown> & JWT["payload"]> = {
68
16
  user: User<T> | null;
@@ -77,7 +25,28 @@ type TokenContextType = {
77
25
  error: Error | null;
78
26
  };
79
27
 
80
- type CivicAuthProviderProps = Omit<AuthProviderProps, "authServiceImpl" | "serverSideTokenExchange">;
28
+ interface PKCEConsumer {
29
+ getCodeChallenge(): Promise<string>;
30
+ }
31
+
32
+ type AuthProviderProps = {
33
+ children: ReactNode;
34
+ clientId: string;
35
+ redirectUrl?: string;
36
+ nonce?: string;
37
+ config?: Config;
38
+ onSignIn?: (error?: Error) => void;
39
+ onSignOut?: () => void;
40
+ pkceConsumer?: PKCEConsumer;
41
+ modalIframe?: boolean;
42
+ };
43
+
44
+ type SessionProviderOutput = SessionData & {
45
+ iframeRef: RefObject<HTMLIFrameElement> | null;
46
+ setAuthResponseUrl: Dispatch<SetStateAction<string | null>>;
47
+ };
48
+
49
+ type CivicAuthProviderProps = Omit<AuthProviderProps, "pkceConsumer">;
81
50
  declare const CivicAuthProvider: ({ children, ...props }: CivicAuthProviderProps) => react_jsx_runtime.JSX.Element;
82
51
 
83
52
  type UserContextType = {
@@ -95,7 +64,22 @@ declare const useToken: () => TokenContextType;
95
64
 
96
65
  declare const useAuth: () => AuthContextType;
97
66
 
98
- declare const useSession: () => SessionData;
67
+ declare const useSession: () => SessionProviderOutput;
68
+
69
+ type ConfigProviderOutput = {
70
+ config: Config;
71
+ redirectUrl: string;
72
+ modalIframe: boolean;
73
+ serverTokenExchange: boolean;
74
+ };
75
+
76
+ declare const useConfig: () => ConfigProviderOutput;
77
+
78
+ type CivicAuthIframeContainerProps = {
79
+ onClose?: () => void;
80
+ closeOnRedirect?: boolean;
81
+ };
82
+ declare const CivicAuthIframeContainer: ({ onClose, closeOnRedirect, }: CivicAuthIframeContainerProps) => react_jsx_runtime.JSX.Element;
99
83
 
100
84
  declare const UserButton: ({ displayMode, className, }: {
101
85
  displayMode?: DisplayMode;
@@ -115,4 +99,4 @@ declare const NextLogOut: ({ children }: {
115
99
  children: ReactNode;
116
100
  }) => react_jsx_runtime.JSX.Element;
117
101
 
118
- export { type AuthContextType, CivicAuthProvider, CivicNextAuthProvider, NextLogOut, SignInButton, SignOutButton, type TokenContextType, UserButton, type UserContextType$1 as UserContextType, useAuth, useNextUser, useSession, useToken, useUser, useUserCookie };
102
+ export { type AuthContextType, CivicAuthIframeContainer, CivicAuthProvider, type CivicAuthProviderProps, CivicNextAuthProvider, type NextCivicAuthProviderProps, NextLogOut, SignInButton, SignOutButton, type TokenContextType, UserButton, type UserContextType$1 as UserContextType, useAuth, useConfig, useNextUser, useSession, useToken, useUser, useUserCookie };