@civic/auth 0.0.1-beta.28 → 0.0.1-beta.29

package/dist/nextjs.mjs

@@ -0,0 +1,315 @@
+import {
+  NextjsClientStorage,
+  NextjsCookieStorage,
+  clearAuthCookies,
+  createCivicAuthPlugin,
+  createTokenCookies,
+  createUserInfoCookie,
+  defaultAuthConfig,
+  loggers,
+  resolveAuthConfig,
+  resolveCallbackUrl
+} from "./chunk-OXXUQ36U.mjs";
+import {
+  resolveOAuthAccessCode
+} from "./chunk-63YGK3A7.mjs";
+import {
+  GenericPublicClientPKCEProducer,
+  GenericUserSession,
+  TOKEN_EXCHANGE_SUCCESS_TEXT,
+  TOKEN_EXCHANGE_TRIGGER_TEXT,
+  getUser,
+  retrieveTokens,
+  serverTokenExchangeFromState
+} from "./chunk-Q7DSPTUG.mjs";
+import {
+  __async,
+  __spreadProps,
+  __spreadValues
+} from "./chunk-RGHW4PYM.mjs";
+
+// src/nextjs/GetUser.ts
+var getUser2 = () => {
+  var _a;
+  const clientStorage = new NextjsClientStorage();
+  const userSession = new GenericUserSession(clientStorage);
+  const tokens = retrieveTokens(clientStorage);
+  const user = userSession.get();
+  if (!user || !tokens) return null;
+  return __spreadProps(__spreadValues({}, user), {
+    idToken: tokens.id_token,
+    accessToken: tokens.access_token,
+    refreshToken: (_a = tokens.refresh_token) != null ? _a : ""
+  });
+};
+
+// src/nextjs/middleware.ts
+import { NextResponse } from "next/server.js";
+import picomatch from "picomatch";
+var matchGlob = (pathname, globPattern) => {
+  const matches = picomatch(globPattern);
+  return matches(pathname);
+};
+var matchesGlobs = (pathname, patterns) => patterns.some((pattern) => {
+  if (!pattern) return false;
+  console.log("matching", {
+    pattern,
+    pathname,
+    match: matchGlob(pathname, pattern)
+  });
+  return matchGlob(pathname, pattern);
+});
+var applyAuth = (authConfig, request) => __async(void 0, null, function* () {
+  const authConfigWithDefaults = resolveAuthConfig(authConfig);
+  const isAuthenticated = !!request.cookies.get("id_token");
+  if (request.nextUrl.pathname === authConfigWithDefaults.loginUrl && request.method === "GET") {
+    console.log("\u2192 Skipping auth check - this is the login URL");
+    return void 0;
+  }
+  if (!matchesGlobs(request.nextUrl.pathname, authConfigWithDefaults.include)) {
+    console.log("\u2192 Skipping auth check - path not in include patterns");
+    return void 0;
+  }
+  if (matchesGlobs(request.nextUrl.pathname, authConfigWithDefaults.exclude)) {
+    console.log("\u2192 Skipping auth check - path in exclude patterns");
+    return void 0;
+  }
+  if (!isAuthenticated) {
+    const loginUrl = new URL(authConfigWithDefaults.loginUrl, request.url);
+    console.log("\u2192 No valid token found - redirecting to login", loginUrl);
+    return NextResponse.redirect(loginUrl);
+  }
+  console.log("\u2192 Auth check passed");
+  return void 0;
+});
+var authMiddleware = (authConfig = defaultAuthConfig) => (request) => __async(void 0, null, function* () {
+  const response = yield applyAuth(authConfig, request);
+  if (response) return response;
+  return NextResponse.next();
+});
+function withAuth(middleware) {
+  return (request) => __async(this, null, function* () {
+    const response = yield applyAuth({}, request);
+    if (response) return response;
+    return middleware(request);
+  });
+}
+function auth(authConfig = {}) {
+  return (middleware) => {
+    return (request) => __async(this, null, function* () {
+      const response = yield applyAuth(authConfig, request);
+      if (response) return response;
+      return middleware(request);
+    });
+  };
+}
+
+// src/nextjs/routeHandler.ts
+import { NextResponse as NextResponse2 } from "next/server.js";
+import { revalidatePath } from "next/cache.js";
+import { cookies } from "next/headers.js";
+var logger = loggers.nextjs.handlers.auth;
+var AuthError = class extends Error {
+  constructor(message, status = 401) {
+    super(message);
+    this.status = status;
+    this.name = "AuthError";
+  }
+};
+function handleChallenge(request, config) {
+  return __async(this, null, function* () {
+    var _a, _b;
+    const cookieStorage = new NextjsCookieStorage((_b = (_a = config.cookies) == null ? void 0 : _a.tokens) != null ? _b : {});
+    const pkceProducer = new GenericPublicClientPKCEProducer(cookieStorage);
+    const challenge = yield pkceProducer.getCodeChallenge();
+    const appUrl = request.nextUrl.searchParams.get("appUrl");
+    if (appUrl) {
+      cookieStorage.set("app_url" /* APP_URL */, appUrl);
+    }
+    return NextResponse2.json({ status: "success", challenge });
+  });
+}
+function performTokenExchangeAndSetCookies(request, config, code, state, appUrl) {
+  return __async(this, null, function* () {
+    const resolvedConfigs = resolveAuthConfig(config);
+    const cookieStorage = new NextjsCookieStorage(resolvedConfigs.cookies.tokens);
+    const callbackUrl = resolveCallbackUrl(resolvedConfigs, appUrl);
+    try {
+      yield resolveOAuthAccessCode(code, state, cookieStorage, __spreadProps(__spreadValues({}, resolvedConfigs), {
+        redirectUrl: callbackUrl
+      }));
+    } catch (error) {
+      logger.error("Token exchange failed:", error);
+      throw new AuthError("Failed to authenticate user", 401);
+    }
+    const user = yield getUser(cookieStorage);
+    if (!user) {
+      throw new AuthError("Failed to get user info", 401);
+    }
+    const clientStorage = new NextjsClientStorage();
+    const userSession = new GenericUserSession(clientStorage);
+    userSession.set(user);
+  });
+}
+function handleCallback(request, config) {
+  return __async(this, null, function* () {
+    var _a;
+    const resolvedConfigs = resolveAuthConfig(config);
+    console.log("handleCallback", { request, resolvedConfigs });
+    const code = request.nextUrl.searchParams.get("code");
+    const state = request.nextUrl.searchParams.get("state") || "";
+    if (!code || !state) throw new AuthError("Bad parameters", 400);
+    const appUrl = ((_a = request.cookies.get("app_url" /* APP_URL */)) == null ? void 0 : _a.value) || request.nextUrl.searchParams.get("appUrl");
+    console.log("handleCallback", {
+      code,
+      state,
+      cookies: cookies(),
+      appUrl
+    });
+    const codeVerifier = request.cookies.get("code_verifier" /* COOKIE_NAME */);
+    if (!codeVerifier || !appUrl) {
+      console.log("handleCallback no code_verifier found", {
+        state,
+        serverTokenExchange: serverTokenExchangeFromState(`${state}`)
+      });
+      let response2 = new NextResponse2(
+        `<html><body><span style="display:none">${TOKEN_EXCHANGE_TRIGGER_TEXT}</span></body></html>`
+      );
+      if (state && serverTokenExchangeFromState(state)) {
+        console.log(
+          "handleCallback serverTokenExchangeFromState, launching redirect page...",
+          {
+            requestUrl: request.url,
+            configCallbackUrl: resolvedConfigs.callbackUrl
+          }
+        );
+        const requestUrl = new URL(request.url);
+        const fetchUrl = `${resolvedConfigs.callbackUrl}?${requestUrl.searchParams.toString()}&sameDomainServerTokenExchange=true`;
+        response2 = new NextResponse2(
+          `<html>
+            <body>
+                <span style="display:none">
+                    <script>
+                        window.onload = function () {
+                            const appUrl = globalThis.window?.location?.origin;
+                            fetch('${fetchUrl}&appUrl=' + appUrl).then((response) => {
+                                response.json().then((jsonResponse) => {
+                                    console.log('fetch jsonResponse', jsonResponse);
+                                    if (jsonResponse.redirectUrl) {
+                                        console.log('handleCallback serverTokenExchangeFromState, redirecting');
+                                        window.location.href = jsonResponse.redirectUrl;
+                                    }
+                                });
+                            });
+                        };
+                    </script>
+                </span>
+            </body>
+        </html>
+        `
+        );
+      }
+      response2.headers.set("Content-Type", "text/html; charset=utf-8");
+      console.log(
+        `handleCallback no code_verifier found, returning ${TOKEN_EXCHANGE_TRIGGER_TEXT}`
+      );
+      return response2;
+    }
+    yield performTokenExchangeAndSetCookies(
+      request,
+      resolvedConfigs,
+      code,
+      state,
+      appUrl
+    );
+    if (request.url.includes("sameDomainServerTokenExchange=true")) {
+      console.log(
+        "handleCallback sameDomainServerTokenExchange = true, returnining redirectUrl",
+        appUrl
+      );
+      return NextResponse2.json({
+        status: "success",
+        redirectUrl: appUrl
+      });
+    }
+    if (serverTokenExchangeFromState(state)) {
+      console.log(
+        "handleCallback serverTokenExchangeFromState, redirect to appUrl",
+        appUrl
+      );
+      if (!appUrl) {
+        throw new Error("appUrl undefined. Cannot redirect.");
+      }
+      return NextResponse2.redirect(`${appUrl}`);
+    }
+    const response = new NextResponse2(
+      `<html><span style="display:none">${TOKEN_EXCHANGE_SUCCESS_TEXT}</span></html>`
+    );
+    response.headers.set("Content-Type", "text/html; charset=utf-8");
+    return response;
+  });
+}
+var getAbsoluteRedirectPath = (redirectPath, currentBasePath) => new URL(redirectPath, currentBasePath).href;
+function handleLogout(request, config) {
+  return __async(this, null, function* () {
+    var _a;
+    const resolvedConfigs = resolveAuthConfig(config);
+    const defaultRedirectPath = (_a = resolvedConfigs.loginUrl) != null ? _a : "/";
+    const redirectTarget = new URL(request.url).searchParams.get("redirect") || defaultRedirectPath;
+    const isAbsoluteRedirect = /^(https?:\/\/|www\.).+/i.test(redirectTarget);
+    const appUrl = request.nextUrl.searchParams.get("appUrl");
+    const finalRedirectUrl = isAbsoluteRedirect ? redirectTarget : getAbsoluteRedirectPath(
+      redirectTarget,
+      new URL(appUrl != null ? appUrl : request.url).origin
+    );
+    const response = NextResponse2.redirect(finalRedirectUrl);
+    clearAuthCookies(config);
+    try {
+      revalidatePath(isAbsoluteRedirect ? finalRedirectUrl : redirectTarget);
+    } catch (error) {
+      logger.warn("Failed to revalidate path after logout:", error);
+    }
+    return response;
+  });
+}
+var handler = (authConfig = {}) => (request) => __async(void 0, null, function* () {
+  const config = resolveAuthConfig(authConfig);
+  try {
+    const pathname = request.nextUrl.pathname;
+    const pathSegments = pathname.split("/");
+    const lastSegment = pathSegments[pathSegments.length - 1];
+    switch (lastSegment) {
+      case "challenge":
+        return yield handleChallenge(request, config);
+      case "callback":
+        return yield handleCallback(request, config);
+      case "logout":
+        return yield handleLogout(request, config);
+      default:
+        throw new AuthError(`Invalid auth route: ${pathname}`, 404);
+    }
+  } catch (error) {
+    logger.error("Auth handler error:", error);
+    const status = error instanceof AuthError ? error.status : 500;
+    const message = error instanceof Error ? error.message : "Authentication failed";
+    const response = NextResponse2.json({ error: message }, { status });
+    clearAuthCookies(config);
+    return response;
+  }
+});
+export {
+  NextjsClientStorage,
+  NextjsCookieStorage,
+  auth,
+  authMiddleware,
+  clearAuthCookies,
+  createCivicAuthPlugin,
+  createTokenCookies,
+  createUserInfoCookie,
+  defaultAuthConfig,
+  getUser2 as getUser,
+  handler,
+  resolveAuthConfig,
+  withAuth
+};
+//# sourceMappingURL=nextjs.mjs.map

package/dist/nextjs.mjs.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../src/nextjs/GetUser.ts","../src/nextjs/middleware.ts","../src/nextjs/routeHandler.ts"],"sourcesContent":["/**\n * Used on the server-side to get the user object from the cookie\n */\nimport { User } from \"@/types\";\nimport { GenericUserSession } from \"@/shared/UserSession\";\nimport { NextjsClientStorage } from \"@/nextjs/cookies\";\nimport { retrieveTokens } from \"@/shared/util\";\n\nexport const getUser = (): User | null => {\n  const clientStorage = new NextjsClientStorage();\n  const userSession = new GenericUserSession(clientStorage);\n  const tokens = retrieveTokens(clientStorage);\n  const user = userSession.get();\n  if (!user || !tokens) return null;\n\n  return {\n    ...user!,\n    idToken: tokens.id_token,\n    accessToken: tokens.access_token,\n    refreshToken: tokens.refresh_token ?? \"\",\n  } as User;\n};\n","/**\n * Authenticates the user on all requests by checking the token cookie\n *\n * Usage:\n * Option 1: use if no other middleware (e.g. no next-intl etc)\n * export default authMiddleware();\n *\n * Option 2: use if other middleware is needed - default auth config\n * export default withAuth((request) => {\n *    console.log('in custom middleware', request.nextUrl.pathname);\n *    return NextResponse.next();\n * })\n *\n * Option 3: use if other middleware is needed - specifying auth config\n * const withCivicAuth = auth({ loginUrl: '/login', include: ['/[.*]/user'] })\n * export default withCivicAuth((request) => {\n *   console.log('in custom middleware', request.url);\n *   return NextResponse.next();\n * })\n *\n */\nimport { NextRequest, NextResponse } from \"next/server.js\";\nimport picomatch from \"picomatch\";\nimport {\n  AuthConfig,\n  defaultAuthConfig,\n  resolveAuthConfig,\n} from \"@/nextjs/config.js\";\n\ntype Middleware = (\n  request: NextRequest,\n) => Promise<NextResponse> | NextResponse;\n\n// Matches globs:\n// Examples:\n// /user\n// /user/*\n// /user/**/info\nconst matchGlob = (pathname: string, globPattern: string) => {\n  const matches = picomatch(globPattern);\n  return matches(pathname);\n};\n\n// Matches globs:\n// Examples:\n// /user\n// /user/*\n// /user/**/info\nconst matchesGlobs = (pathname: string, patterns: string[]) =>\n  patterns.some((pattern) => {\n    if (!pattern) return false;\n    console.log(\"matching\", {\n      pattern,\n      pathname,\n      match: matchGlob(pathname, pattern),\n    });\n    return matchGlob(pathname, pattern);\n  });\n\n// internal - used by all exported functions\nconst applyAuth = async (\n  authConfig: AuthConfig,\n  request: NextRequest,\n): Promise<NextResponse | undefined> => {\n  const authConfigWithDefaults = resolveAuthConfig(authConfig);\n  // Check for any valid auth token\n  const isAuthenticated = !!request.cookies.get(\"id_token\");\n\n  // skip auth check for redirect to login url\n  if (\n    request.nextUrl.pathname === authConfigWithDefaults.loginUrl &&\n    request.method === \"GET\"\n  ) {\n    console.log(\"→ Skipping auth check - this is the login URL\");\n    return undefined;\n  }\n\n  if (!matchesGlobs(request.nextUrl.pathname, authConfigWithDefaults.include)) {\n    console.log(\"→ Skipping auth check - path not in include patterns\");\n    return undefined;\n  }\n\n  if (matchesGlobs(request.nextUrl.pathname, authConfigWithDefaults.exclude)) {\n    console.log(\"→ Skipping auth check - path in exclude patterns\");\n    return undefined;\n  }\n\n  // Check for either token type\n  if (!isAuthenticated) {\n    const loginUrl = new URL(authConfigWithDefaults.loginUrl, request.url);\n    console.log(\"→ No valid token found - redirecting to login\", loginUrl);\n    return NextResponse.redirect(loginUrl);\n  }\n\n  console.log(\"→ Auth check passed\");\n  return undefined;\n};\n\n/**\n *\n * Use this when auth is the only middleware you need.\n * Usage:\n *\n * export default authMiddleware({ loginUrl = '/login' }); // or just authMiddleware();\n *\n */\nexport const authMiddleware =\n  (authConfig = defaultAuthConfig) =>\n  async (request: NextRequest): Promise<NextResponse> => {\n    const response = await applyAuth(authConfig, request);\n    if (response) return response;\n\n    // NextJS doesn't do middleware chaining yet, so this does not mean\n    // \"call the next middleware\" - it means \"continue to the route handler\"\n    return NextResponse.next();\n  };\n\n/**\n * Usage:\n *\n * export default withAuth(async (request) => {\n *    console.log('my middleware');\n *    return NextResponse.next();\n *  })\n */\n// use this when you have your own middleware to chain\nexport function withAuth(\n  middleware: Middleware,\n): (request: NextRequest) => Promise<NextResponse> {\n  return async (request: NextRequest): Promise<NextResponse> => {\n    const response = await applyAuth({}, request);\n    if (response) return response;\n\n    return middleware(request);\n  };\n}\n\n/**\n * Use this when you want to configure the middleware here (an alternative is to do it in the next.config file)\n *\n * Usage:\n *\n * const withAuth = auth({ loginUrl = '/login' }); // or just auth();\n *\n * export default withAuth(async (request) => {\n *    console.log('my middleware');\n *    return NextResponse.next();\n *  })\n *\n */\nexport function auth(authConfig: AuthConfig = {}) {\n  return (\n    middleware: Middleware,\n  ): ((request: NextRequest) => Promise<NextResponse>) => {\n    return async (request: NextRequest): Promise<NextResponse> => {\n      const response = await applyAuth(authConfig, request);\n      if (response) return response;\n\n      return middleware(request);\n    };\n  };\n}\n","import { NextRequest, NextResponse } from \"next/server.js\";\nimport { revalidatePath } from \"next/cache.js\";\nimport { AuthConfig, resolveAuthConfig } from \"@/nextjs/config.js\";\nimport { loggers } from \"@/lib/logger.js\";\nimport {\n  clearAuthCookies,\n  NextjsClientStorage,\n  NextjsCookieStorage,\n} from \"@/nextjs/cookies.js\";\nimport { GenericPublicClientPKCEProducer } from \"@/services/PKCE.js\";\nimport { resolveOAuthAccessCode } from \"@/server/login.js\";\nimport { getUser } from \"@/shared/session.js\";\nimport { resolveCallbackUrl } from \"@/nextjs/utils.js\";\nimport { GenericUserSession } from \"@/shared/UserSession.js\";\nimport {\n  TOKEN_EXCHANGE_SUCCESS_TEXT,\n  TOKEN_EXCHANGE_TRIGGER_TEXT,\n} from \"@/constants.js\";\nimport { serverTokenExchangeFromState } from \"@/lib/oauth.js\";\nimport { cookies } from \"next/headers.js\";\nimport { CodeVerifier } from \"@/shared/types\";\n\nconst logger = loggers.nextjs.handlers.auth;\n\nclass AuthError extends Error {\n  constructor(\n    message: string,\n    public readonly status: number = 401,\n  ) {\n    super(message);\n    this.name = \"AuthError\";\n  }\n}\n\n/**\n * create a code verifier and challenge for PKCE\n * saving the verifier in a cookie for later use\n * @returns {Promise<NextResponse>}\n */\nasync function handleChallenge(\n  request: NextRequest,\n  config: AuthConfig,\n): Promise<NextResponse> {\n  const cookieStorage = new NextjsCookieStorage(config.cookies?.tokens ?? {});\n  const pkceProducer = new GenericPublicClientPKCEProducer(cookieStorage);\n\n  const challenge = await pkceProducer.getCodeChallenge();\n  const appUrl = request.nextUrl.searchParams.get(\"appUrl\");\n  if (appUrl) {\n    cookieStorage.set(CodeVerifier.APP_URL, appUrl);\n  }\n  return NextResponse.json({ status: \"success\", challenge });\n}\n\nasync function performTokenExchangeAndSetCookies(\n  request: NextRequest,\n  config: AuthConfig,\n  code: string,\n  state: string,\n  appUrl: string,\n) {\n  const resolvedConfigs = resolveAuthConfig(config);\n  const cookieStorage = new NextjsCookieStorage(resolvedConfigs.cookies.tokens);\n\n  const callbackUrl = resolveCallbackUrl(resolvedConfigs, appUrl);\n  try {\n    await resolveOAuthAccessCode(code, state, cookieStorage, {\n      ...resolvedConfigs,\n      redirectUrl: callbackUrl,\n    });\n  } catch (error) {\n    logger.error(\"Token exchange failed:\", error);\n    throw new AuthError(\"Failed to authenticate user\", 401);\n  }\n\n  const user = await getUser(cookieStorage);\n  if (!user) {\n    throw new AuthError(\"Failed to get user info\", 401);\n  }\n\n  const clientStorage = new NextjsClientStorage();\n  const userSession = new GenericUserSession(clientStorage);\n  userSession.set(user);\n}\nasync function handleCallback(\n  request: NextRequest,\n  config: AuthConfig,\n): Promise<NextResponse> {\n  const resolvedConfigs = resolveAuthConfig(config);\n  console.log(\"handleCallback\", { request, resolvedConfigs });\n  const code = request.nextUrl.searchParams.get(\"code\");\n  const state = request.nextUrl.searchParams.get(\"state\") || \"\";\n  if (!code || !state) throw new AuthError(\"Bad parameters\", 400);\n\n  // appUrl is passed from the client to the server in the query string\n  // this is necessary because the server does not have access to the client's window.location.origin\n  // and can not accurately determine the appUrl (specially if the app is behind a reverse proxy)\n  const appUrl =\n    request.cookies.get(CodeVerifier.APP_URL)?.value ||\n    request.nextUrl.searchParams.get(\"appUrl\");\n\n  // If we have a code_verifier cookie and the appUrl, we can do a token exchange.\n  // Otherwise, just render an empty page.\n  // The initial redirect back from the auth server does not send cookies, because the redirect is from a 3rd-party domain.\n  // The client will make an additional call to this route with cookies included, at which point we do the token exchange.\n  console.log(\"handleCallback\", {\n    code,\n    state,\n    cookies: cookies(),\n    appUrl,\n  });\n\n  const codeVerifier = request.cookies.get(CodeVerifier.COOKIE_NAME);\n\n  if (!codeVerifier || !appUrl) {\n    console.log(\"handleCallback no code_verifier found\", {\n      state,\n      serverTokenExchange: serverTokenExchangeFromState(`${state}`),\n    });\n    let response = new NextResponse(\n      `<html><body><span style=\"display:none\">${TOKEN_EXCHANGE_TRIGGER_TEXT}</span></body></html>`,\n    );\n\n    // in server-side token exchange mode we need to launch a page that will trigger the token exchange\n    // from the same domain, allowing it access to the code_verifier cookie\n    // we only need to do this in redirect mode, as the iframe already triggers a client-side token exchange\n    // if no code-verifier cookie is found\n    if (state && serverTokenExchangeFromState(state)) {\n      console.log(\n        \"handleCallback serverTokenExchangeFromState, launching redirect page...\",\n        {\n          requestUrl: request.url,\n          configCallbackUrl: resolvedConfigs.callbackUrl,\n        },\n      );\n      // we need to replace the URL with resolved config in case the server is hosted\n      // behind a reverse proxy or load balancer\n      const requestUrl = new URL(request.url);\n      const fetchUrl = `${resolvedConfigs.callbackUrl}?${requestUrl.searchParams.toString()}&sameDomainServerTokenExchange=true`;\n      response = new NextResponse(\n        `<html>\n            <body>\n                <span style=\"display:none\">\n                    <script>\n                        window.onload = function () {\n                            const appUrl = globalThis.window?.location?.origin;\n                            fetch('${fetchUrl}&appUrl=' + appUrl).then((response) => {\n                                response.json().then((jsonResponse) => {\n                                    console.log('fetch jsonResponse', jsonResponse);\n                                    if (jsonResponse.redirectUrl) {\n                                        console.log('handleCallback serverTokenExchangeFromState, redirecting');\n                                        window.location.href = jsonResponse.redirectUrl;\n                                    }\n                                });\n                            });\n                        };\n                    </script>\n                </span>\n            </body>\n        </html>\n        `,\n      );\n    }\n    response.headers.set(\"Content-Type\", \"text/html; charset=utf-8\");\n    console.log(\n      `handleCallback no code_verifier found, returning ${TOKEN_EXCHANGE_TRIGGER_TEXT}`,\n    );\n    return response;\n  }\n\n  await performTokenExchangeAndSetCookies(\n    request,\n    resolvedConfigs,\n    code,\n    state,\n    appUrl,\n  );\n\n  if (request.url.includes(\"sameDomainServerTokenExchange=true\")) {\n    console.log(\n      \"handleCallback sameDomainServerTokenExchange = true, returnining redirectUrl\",\n      appUrl,\n    );\n    return NextResponse.json({\n      status: \"success\",\n      redirectUrl: appUrl,\n    });\n  }\n\n  // this is the case where a 'normal' redirect is happening\n  if (serverTokenExchangeFromState(state)) {\n    console.log(\n      \"handleCallback serverTokenExchangeFromState, redirect to appUrl\",\n      appUrl,\n    );\n    if (!appUrl) {\n      throw new Error(\"appUrl undefined. Cannot redirect.\");\n    }\n    return NextResponse.redirect(`${appUrl}`);\n  }\n  // return an empty HTML response so the iframe doesn't show any response\n  // in the short moment between the redirect and the parent window\n  // acknowledging the redirect and closing the iframe\n  const response = new NextResponse(\n    `<html><span style=\"display:none\">${TOKEN_EXCHANGE_SUCCESS_TEXT}</span></html>`,\n  );\n  response.headers.set(\"Content-Type\", \"text/html; charset=utf-8\");\n  return response;\n}\n\n/**\n * If redirectPath is an absolute path, return it as-is.\n * Otherwise for relative paths, append it to the current domain.\n * @param redirectPath\n * @returns\n */\nconst getAbsoluteRedirectPath = (\n  redirectPath: string,\n  currentBasePath: string,\n) => new URL(redirectPath, currentBasePath).href;\n\nexport async function handleLogout(\n  request: NextRequest,\n  config: AuthConfig,\n): Promise<NextResponse> {\n  const resolvedConfigs = resolveAuthConfig(config);\n  const defaultRedirectPath = resolvedConfigs.loginUrl ?? \"/\";\n  const redirectTarget =\n    new URL(request.url).searchParams.get(\"redirect\") || defaultRedirectPath;\n\n  const isAbsoluteRedirect = /^(https?:\\/\\/|www\\.).+/i.test(redirectTarget);\n\n  const appUrl = request.nextUrl.searchParams.get(\"appUrl\");\n\n  const finalRedirectUrl = isAbsoluteRedirect\n    ? redirectTarget\n    : getAbsoluteRedirectPath(\n        redirectTarget,\n        new URL(appUrl ?? request.url).origin,\n      );\n\n  const response = NextResponse.redirect(finalRedirectUrl);\n\n  clearAuthCookies(config);\n\n  try {\n    revalidatePath(isAbsoluteRedirect ? finalRedirectUrl : redirectTarget);\n  } catch (error) {\n    logger.warn(\"Failed to revalidate path after logout:\", error);\n  }\n\n  return response;\n}\n\n/**\n * Creates an authentication handler for Next.js API routes\n *\n * Usage:\n * ```ts\n * // app/api/auth/[...civicauth]/route.ts\n * import { handler } from '@civic/auth/nextjs'\n * export const GET = handler({\n *   // optional config overrides\n * })\n * ```\n */\nexport const handler =\n  (authConfig = {}) =>\n  async (request: NextRequest): Promise<NextResponse> => {\n    const config = resolveAuthConfig(authConfig);\n\n    try {\n      const pathname = request.nextUrl.pathname;\n      const pathSegments = pathname.split(\"/\");\n      const lastSegment = pathSegments[pathSegments.length - 1];\n\n      switch (lastSegment) {\n        case \"challenge\":\n          return await handleChallenge(request, config);\n        case \"callback\":\n          return await handleCallback(request, config);\n        case \"logout\":\n          return await handleLogout(request, config);\n        default:\n          throw new AuthError(`Invalid auth route: ${pathname}`, 404);\n      }\n    } catch (error) {\n      logger.error(\"Auth handler error:\", error);\n\n      const status = error instanceof AuthError ? error.status : 500;\n      const message =\n        error instanceof Error ? error.message : \"Authentication failed\";\n\n      const response = NextResponse.json({ error: message }, { status });\n\n      clearAuthCookies(config);\n      return response;\n    }\n  };\n"],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAQO,IAAMA,WAAU,MAAmB;AAR1C;AASE,QAAM,gBAAgB,IAAI,oBAAoB;AAC9C,QAAM,cAAc,IAAI,mBAAmB,aAAa;AACxD,QAAM,SAAS,eAAe,aAAa;AAC3C,QAAM,OAAO,YAAY,IAAI;AAC7B,MAAI,CAAC,QAAQ,CAAC,OAAQ,QAAO;AAE7B,SAAO,iCACF,OADE;AAAA,IAEL,SAAS,OAAO;AAAA,IAChB,aAAa,OAAO;AAAA,IACpB,eAAc,YAAO,kBAAP,YAAwB;AAAA,EACxC;AACF;;;ACAA,SAAsB,oBAAoB;AAC1C,OAAO,eAAe;AAgBtB,IAAM,YAAY,CAAC,UAAkB,gBAAwB;AAC3D,QAAM,UAAU,UAAU,WAAW;AACrC,SAAO,QAAQ,QAAQ;AACzB;AAOA,IAAM,eAAe,CAAC,UAAkB,aACtC,SAAS,KAAK,CAAC,YAAY;AACzB,MAAI,CAAC,QAAS,QAAO;AACrB,UAAQ,IAAI,YAAY;AAAA,IACtB;AAAA,IACA;AAAA,IACA,OAAO,UAAU,UAAU,OAAO;AAAA,EACpC,CAAC;AACD,SAAO,UAAU,UAAU,OAAO;AACpC,CAAC;AAGH,IAAM,YAAY,CAChB,YACA,YACsC;AACtC,QAAM,yBAAyB,kBAAkB,UAAU;AAE3D,QAAM,kBAAkB,CAAC,CAAC,QAAQ,QAAQ,IAAI,UAAU;AAGxD,MACE,QAAQ,QAAQ,aAAa,uBAAuB,YACpD,QAAQ,WAAW,OACnB;AACA,YAAQ,IAAI,oDAA+C;AAC3D,WAAO;AAAA,EACT;AAEA,MAAI,CAAC,aAAa,QAAQ,QAAQ,UAAU,uBAAuB,OAAO,GAAG;AAC3E,YAAQ,IAAI,2DAAsD;AAClE,WAAO;AAAA,EACT;AAEA,MAAI,aAAa,QAAQ,QAAQ,UAAU,uBAAuB,OAAO,GAAG;AAC1E,YAAQ,IAAI,uDAAkD;AAC9D,WAAO;AAAA,EACT;AAGA,MAAI,CAAC,iBAAiB;AACpB,UAAM,WAAW,IAAI,IAAI,uBAAuB,UAAU,QAAQ,GAAG;AACrE,YAAQ,IAAI,sDAAiD,QAAQ;AACrE,WAAO,aAAa,SAAS,QAAQ;AAAA,EACvC;AAEA,UAAQ,IAAI,0BAAqB;AACjC,SAAO;AACT;AAUO,IAAM,iBACX,CAAC,aAAa,sBACd,CAAO,YAAgD;AACrD,QAAM,WAAW,MAAM,UAAU,YAAY,OAAO;AACpD,MAAI,SAAU,QAAO;AAIrB,SAAO,aAAa,KAAK;AAC3B;AAWK,SAAS,SACd,YACiD;AACjD,SAAO,CAAO,YAAgD;AAC5D,UAAM,WAAW,MAAM,UAAU,CAAC,GAAG,OAAO;AAC5C,QAAI,SAAU,QAAO;AAErB,WAAO,WAAW,OAAO;AAAA,EAC3B;AACF;AAeO,SAAS,KAAK,aAAyB,CAAC,GAAG;AAChD,SAAO,CACL,eACsD;AACtD,WAAO,CAAO,YAAgD;AAC5D,YAAM,WAAW,MAAM,UAAU,YAAY,OAAO;AACpD,UAAI,SAAU,QAAO;AAErB,aAAO,WAAW,OAAO;AAAA,IAC3B;AAAA,EACF;AACF;;;ACjKA,SAAsB,gBAAAC,qBAAoB;AAC1C,SAAS,sBAAsB;AAkB/B,SAAS,eAAe;AAGxB,IAAM,SAAS,QAAQ,OAAO,SAAS;AAEvC,IAAM,YAAN,cAAwB,MAAM;AAAA,EAC5B,YACE,SACgB,SAAiB,KACjC;AACA,UAAM,OAAO;AAFG;AAGhB,SAAK,OAAO;AAAA,EACd;AACF;AAOA,SAAe,gBACb,SACA,QACuB;AAAA;AA1CzB;AA2CE,UAAM,gBAAgB,IAAI,qBAAoB,kBAAO,YAAP,mBAAgB,WAAhB,YAA0B,CAAC,CAAC;AAC1E,UAAM,eAAe,IAAI,gCAAgC,aAAa;AAEtE,UAAM,YAAY,MAAM,aAAa,iBAAiB;AACtD,UAAM,SAAS,QAAQ,QAAQ,aAAa,IAAI,QAAQ;AACxD,QAAI,QAAQ;AACV,oBAAc,6BAA0B,MAAM;AAAA,IAChD;AACA,WAAOC,cAAa,KAAK,EAAE,QAAQ,WAAW,UAAU,CAAC;AAAA,EAC3D;AAAA;AAEA,SAAe,kCACb,SACA,QACA,MACA,OACA,QACA;AAAA;AACA,UAAM,kBAAkB,kBAAkB,MAAM;AAChD,UAAM,gBAAgB,IAAI,oBAAoB,gBAAgB,QAAQ,MAAM;AAE5E,UAAM,cAAc,mBAAmB,iBAAiB,MAAM;AAC9D,QAAI;AACF,YAAM,uBAAuB,MAAM,OAAO,eAAe,iCACpD,kBADoD;AAAA,QAEvD,aAAa;AAAA,MACf,EAAC;AAAA,IACH,SAAS,OAAO;AACd,aAAO,MAAM,0BAA0B,KAAK;AAC5C,YAAM,IAAI,UAAU,+BAA+B,GAAG;AAAA,IACxD;AAEA,UAAM,OAAO,MAAM,QAAQ,aAAa;AACxC,QAAI,CAAC,MAAM;AACT,YAAM,IAAI,UAAU,2BAA2B,GAAG;AAAA,IACpD;AAEA,UAAM,gBAAgB,IAAI,oBAAoB;AAC9C,UAAM,cAAc,IAAI,mBAAmB,aAAa;AACxD,gBAAY,IAAI,IAAI;AAAA,EACtB;AAAA;AACA,SAAe,eACb,SACA,QACuB;AAAA;AAvFzB;AAwFE,UAAM,kBAAkB,kBAAkB,MAAM;AAChD,YAAQ,IAAI,kBAAkB,EAAE,SAAS,gBAAgB,CAAC;AAC1D,UAAM,OAAO,QAAQ,QAAQ,aAAa,IAAI,MAAM;AACpD,UAAM,QAAQ,QAAQ,QAAQ,aAAa,IAAI,OAAO,KAAK;AAC3D,QAAI,CAAC,QAAQ,CAAC,MAAO,OAAM,IAAI,UAAU,kBAAkB,GAAG;AAK9D,UAAM,WACJ,aAAQ,QAAQ,2BAAwB,MAAxC,mBAA2C,UAC3C,QAAQ,QAAQ,aAAa,IAAI,QAAQ;AAM3C,YAAQ,IAAI,kBAAkB;AAAA,MAC5B;AAAA,MACA;AAAA,MACA,SAAS,QAAQ;AAAA,MACjB;AAAA,IACF,CAAC;AAED,UAAM,eAAe,QAAQ,QAAQ,qCAA4B;AAEjE,QAAI,CAAC,gBAAgB,CAAC,QAAQ;AAC5B,cAAQ,IAAI,yCAAyC;AAAA,QACnD;AAAA,QACA,qBAAqB,6BAA6B,GAAG,KAAK,EAAE;AAAA,MAC9D,CAAC;AACD,UAAIC,YAAW,IAAID;AAAA,QACjB,0CAA0C,2BAA2B;AAAA,MACvE;AAMA,UAAI,SAAS,6BAA6B,KAAK,GAAG;AAChD,gBAAQ;AAAA,UACN;AAAA,UACA;AAAA,YACE,YAAY,QAAQ;AAAA,YACpB,mBAAmB,gBAAgB;AAAA,UACrC;AAAA,QACF;AAGA,cAAM,aAAa,IAAI,IAAI,QAAQ,GAAG;AACtC,cAAM,WAAW,GAAG,gBAAgB,WAAW,IAAI,WAAW,aAAa,SAAS,CAAC;AACrF,QAAAC,YAAW,IAAID;AAAA,UACb;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,qCAM6B,QAAQ;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,QAevC;AAAA,MACF;AACA,MAAAC,UAAS,QAAQ,IAAI,gBAAgB,0BAA0B;AAC/D,cAAQ;AAAA,QACN,oDAAoD,2BAA2B;AAAA,MACjF;AACA,aAAOA;AAAA,IACT;AAEA,UAAM;AAAA,MACJ;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,IACF;AAEA,QAAI,QAAQ,IAAI,SAAS,oCAAoC,GAAG;AAC9D,cAAQ;AAAA,QACN;AAAA,QACA;AAAA,MACF;AACA,aAAOD,cAAa,KAAK;AAAA,QACvB,QAAQ;AAAA,QACR,aAAa;AAAA,MACf,CAAC;AAAA,IACH;AAGA,QAAI,6BAA6B,KAAK,GAAG;AACvC,cAAQ;AAAA,QACN;AAAA,QACA;AAAA,MACF;AACA,UAAI,CAAC,QAAQ;AACX,cAAM,IAAI,MAAM,oCAAoC;AAAA,MACtD;AACA,aAAOA,cAAa,SAAS,GAAG,MAAM,EAAE;AAAA,IAC1C;AAIA,UAAM,WAAW,IAAIA;AAAA,MACnB,oCAAoC,2BAA2B;AAAA,IACjE;AACA,aAAS,QAAQ,IAAI,gBAAgB,0BAA0B;AAC/D,WAAO;AAAA,EACT;AAAA;AAQA,IAAM,0BAA0B,CAC9B,cACA,oBACG,IAAI,IAAI,cAAc,eAAe,EAAE;AAE5C,SAAsB,aACpB,SACA,QACuB;AAAA;AAhOzB;AAiOE,UAAM,kBAAkB,kBAAkB,MAAM;AAChD,UAAM,uBAAsB,qBAAgB,aAAhB,YAA4B;AACxD,UAAM,iBACJ,IAAI,IAAI,QAAQ,GAAG,EAAE,aAAa,IAAI,UAAU,KAAK;AAEvD,UAAM,qBAAqB,0BAA0B,KAAK,cAAc;AAExE,UAAM,SAAS,QAAQ,QAAQ,aAAa,IAAI,QAAQ;AAExD,UAAM,mBAAmB,qBACrB,iBACA;AAAA,MACE;AAAA,MACA,IAAI,IAAI,0BAAU,QAAQ,GAAG,EAAE;AAAA,IACjC;AAEJ,UAAM,WAAWA,cAAa,SAAS,gBAAgB;AAEvD,qBAAiB,MAAM;AAEvB,QAAI;AACF,qBAAe,qBAAqB,mBAAmB,cAAc;AAAA,IACvE,SAAS,OAAO;AACd,aAAO,KAAK,2CAA2C,KAAK;AAAA,IAC9D;AAEA,WAAO;AAAA,EACT;AAAA;AAcO,IAAM,UACX,CAAC,aAAa,CAAC,MACf,CAAO,YAAgD;AACrD,QAAM,SAAS,kBAAkB,UAAU;AAE3C,MAAI;AACF,UAAM,WAAW,QAAQ,QAAQ;AACjC,UAAM,eAAe,SAAS,MAAM,GAAG;AACvC,UAAM,cAAc,aAAa,aAAa,SAAS,CAAC;AAExD,YAAQ,aAAa;AAAA,MACnB,KAAK;AACH,eAAO,MAAM,gBAAgB,SAAS,MAAM;AAAA,MAC9C,KAAK;AACH,eAAO,MAAM,eAAe,SAAS,MAAM;AAAA,MAC7C,KAAK;AACH,eAAO,MAAM,aAAa,SAAS,MAAM;AAAA,MAC3C;AACE,cAAM,IAAI,UAAU,uBAAuB,QAAQ,IAAI,GAAG;AAAA,IAC9D;AAAA,EACF,SAAS,OAAO;AACd,WAAO,MAAM,uBAAuB,KAAK;AAEzC,UAAM,SAAS,iBAAiB,YAAY,MAAM,SAAS;AAC3D,UAAM,UACJ,iBAAiB,QAAQ,MAAM,UAAU;AAE3C,UAAM,WAAWA,cAAa,KAAK,EAAE,OAAO,QAAQ,GAAG,EAAE,OAAO,CAAC;AAEjE,qBAAiB,MAAM;AACvB,WAAO;AAAA,EACT;AACF;","names":["getUser","NextResponse","NextResponse","response"]}

package/dist/react.d.mts

@@ -0,0 +1,65 @@
+import { U as UserContextType, A as AuthContextType } from './UserProvider-Bl3j1PUO.mjs';
+import { F as ForwardedTokens, C as Config, S as SessionData, D as DisplayMode } from './types-BxAubCqO.mjs';
+import { RefObject, Dispatch, SetStateAction } from 'react';
+import * as react_jsx_runtime from 'react/jsx-runtime';
+import { A as AuthProviderProps } from './AuthProvider-BYZ8w92b.mjs';
+import 'oslo/jwt';
+import 'oslo/oauth2';
+
+type TokenContextType = {
+    accessToken: string | null;
+    idToken: string | null;
+    forwardedTokens: ForwardedTokens;
+    refreshToken: () => Promise<void>;
+    isLoading: boolean;
+    error: Error | null;
+};
+
+type CivicAuthProviderProps = Omit<AuthProviderProps, "pkceConsumer">;
+declare const CivicAuthProvider: ({ children, ...props }: CivicAuthProviderProps) => react_jsx_runtime.JSX.Element;
+
+declare const useUser: <T extends Record<string, unknown> = Record<string, never>>() => UserContextType<T>;
+
+declare const useToken: () => TokenContextType;
+
+declare const useAuth: () => AuthContextType;
+
+type ConfigProviderOutput = {
+    config: Config;
+    redirectUrl: string;
+    modalIframe: boolean;
+    serverTokenExchange: boolean;
+};
+
+declare const useConfig: () => ConfigProviderOutput;
+
+type IframeProviderOutput = {
+    iframeRef: RefObject<HTMLIFrameElement> | null;
+    setAuthResponseUrl: Dispatch<SetStateAction<string | null>>;
+};
+
+declare const useIframe: () => IframeProviderOutput;
+
+declare const useSession: () => SessionData;
+
+type CivicAuthIframeContainerProps = {
+    onClose?: () => void;
+    closeOnRedirect?: boolean;
+};
+declare const CivicAuthIframeContainer: ({ onClose, closeOnRedirect, }: CivicAuthIframeContainerProps) => react_jsx_runtime.JSX.Element;
+
+declare const UserButton: ({ displayMode, className, }: {
+    displayMode?: DisplayMode;
+    className?: string;
+}) => react_jsx_runtime.JSX.Element;
+
+declare const SignInButton: ({ displayMode, className, }: {
+    displayMode?: DisplayMode;
+    className?: string;
+}) => react_jsx_runtime.JSX.Element;
+
+declare const SignOutButton: ({ className }: {
+    className?: string;
+}) => react_jsx_runtime.JSX.Element;
+
+export { AuthContextType, CivicAuthIframeContainer, CivicAuthProvider, type CivicAuthProviderProps, SignInButton, SignOutButton, type TokenContextType, UserButton, UserContextType, useAuth, useConfig, useIframe, useSession, useToken, useUser };

package/dist/react.d.ts

@@ -0,0 +1,65 @@
+import { U as UserContextType, A as AuthContextType } from './UserProvider-BA2uflVB.js';
+import { F as ForwardedTokens, C as Config, S as SessionData, D as DisplayMode } from './types-BxAubCqO.js';
+import { RefObject, Dispatch, SetStateAction } from 'react';
+import * as react_jsx_runtime from 'react/jsx-runtime';
+import { A as AuthProviderProps } from './AuthProvider-BgOwv9h8.js';
+import 'oslo/jwt';
+import 'oslo/oauth2';
+
+type TokenContextType = {
+    accessToken: string | null;
+    idToken: string | null;
+    forwardedTokens: ForwardedTokens;
+    refreshToken: () => Promise<void>;
+    isLoading: boolean;
+    error: Error | null;
+};
+
+type CivicAuthProviderProps = Omit<AuthProviderProps, "pkceConsumer">;
+declare const CivicAuthProvider: ({ children, ...props }: CivicAuthProviderProps) => react_jsx_runtime.JSX.Element;
+
+declare const useUser: <T extends Record<string, unknown> = Record<string, never>>() => UserContextType<T>;
+
+declare const useToken: () => TokenContextType;
+
+declare const useAuth: () => AuthContextType;
+
+type ConfigProviderOutput = {
+    config: Config;
+    redirectUrl: string;
+    modalIframe: boolean;
+    serverTokenExchange: boolean;
+};
+
+declare const useConfig: () => ConfigProviderOutput;
+
+type IframeProviderOutput = {
+    iframeRef: RefObject<HTMLIFrameElement> | null;
+    setAuthResponseUrl: Dispatch<SetStateAction<string | null>>;
+};
+
+declare const useIframe: () => IframeProviderOutput;
+
+declare const useSession: () => SessionData;
+
+type CivicAuthIframeContainerProps = {
+    onClose?: () => void;
+    closeOnRedirect?: boolean;
+};
+declare const CivicAuthIframeContainer: ({ onClose, closeOnRedirect, }: CivicAuthIframeContainerProps) => react_jsx_runtime.JSX.Element;
+
+declare const UserButton: ({ displayMode, className, }: {
+    displayMode?: DisplayMode;
+    className?: string;
+}) => react_jsx_runtime.JSX.Element;
+
+declare const SignInButton: ({ displayMode, className, }: {
+    displayMode?: DisplayMode;
+    className?: string;
+}) => react_jsx_runtime.JSX.Element;
+
+declare const SignOutButton: ({ className }: {
+    className?: string;
+}) => react_jsx_runtime.JSX.Element;
+
+export { AuthContextType, CivicAuthIframeContainer, CivicAuthProvider, type CivicAuthProviderProps, SignInButton, SignOutButton, type TokenContextType, UserButton, UserContextType, useAuth, useConfig, useIframe, useSession, useToken, useUser };