@civic/auth 0.0.1-beta.28 → 0.0.1-beta.3

package/dist/nextjs.mjs

@@ -0,0 +1,253 @@
+import {
+  createCivicAuthPlugin,
+  defaultAuthConfig,
+  loggers,
+  resolveAuthConfig,
+  resolveCallbackUrl
+} from "./chunk-NQPMNXBL.mjs";
+import {
+  CookieStorage,
+  GenericPublicClientPKCEProducer,
+  getUser,
+  resolveOAuthAccessCode
+} from "./chunk-UV56GNIT.mjs";
+import {
+  clearTokens
+} from "./chunk-GNGLWGZJ.mjs";
+import {
+  __async,
+  __spreadProps,
+  __spreadValues
+} from "./chunk-RGHW4PYM.mjs";
+
+// src/shared/UserSession.ts
+var GenericUserSession = class {
+  constructor(storage) {
+    this.storage = storage;
+  }
+  get() {
+    const user = this.storage.get("user" /* USER */);
+    return user ? JSON.parse(user) : null;
+  }
+  set(user) {
+    const value = user ? JSON.stringify(user) : "";
+    this.storage.set("user" /* USER */, value);
+  }
+};
+
+// src/nextjs/cookies.ts
+import { cookies } from "next/headers.js";
+var clearAuthCookies = () => __async(void 0, null, function* () {
+  const cookieStorage = new NextjsCookieStorage();
+  clearTokens(cookieStorage);
+  const clientStorage = new NextjsClientStorage();
+  const userSession = new GenericUserSession(clientStorage);
+  userSession.set(null);
+});
+var NextjsCookieStorage = class extends CookieStorage {
+  constructor(config = {}) {
+    super(__spreadProps(__spreadValues({}, config), {
+      secure: true,
+      httpOnly: true
+    }));
+  }
+  get(key) {
+    var _a;
+    return ((_a = cookies().get(key)) == null ? void 0 : _a.value) || null;
+  }
+  set(key, value) {
+    cookies().set(key, value, this.settings);
+  }
+};
+var NextjsClientStorage = class extends CookieStorage {
+  constructor(config = {}) {
+    super(__spreadProps(__spreadValues({}, config), {
+      secure: false,
+      httpOnly: false
+    }));
+  }
+  get(key) {
+    var _a;
+    return ((_a = cookies().get(key)) == null ? void 0 : _a.value) || null;
+  }
+  set(key, value) {
+    cookies().set(key, value, this.settings);
+  }
+};
+
+// src/nextjs/GetUser.ts
+var getUser2 = () => {
+  const clientStorage = new NextjsClientStorage();
+  const userSession = new GenericUserSession(clientStorage);
+  return userSession.get();
+};
+
+// src/nextjs/middleware.ts
+import { NextResponse } from "next/server.js";
+import picomatch from "picomatch";
+var matchGlob = (pathname, globPattern) => {
+  const matches = picomatch(globPattern);
+  return matches(pathname);
+};
+var matchesGlobs = (pathname, patterns) => patterns.some((pattern) => {
+  if (!pattern) return false;
+  console.log("matching", {
+    pattern,
+    pathname,
+    match: matchGlob(pathname, pattern)
+  });
+  return matchGlob(pathname, pattern);
+});
+var applyAuth = (authConfig, request) => __async(void 0, null, function* () {
+  const authConfigWithDefaults = resolveAuthConfig(authConfig);
+  const isAuthenticated = !!request.cookies.get("id_token");
+  if (request.nextUrl.pathname === authConfigWithDefaults.loginUrl) {
+    console.log("\u2192 Skipping auth check - this is the login URL");
+    return void 0;
+  }
+  if (!matchesGlobs(request.nextUrl.pathname, authConfigWithDefaults.include)) {
+    console.log("\u2192 Skipping auth check - path not in include patterns");
+    return void 0;
+  }
+  if (matchesGlobs(request.nextUrl.pathname, authConfigWithDefaults.exclude)) {
+    console.log("\u2192 Skipping auth check - path in exclude patterns");
+    return void 0;
+  }
+  if (!isAuthenticated) {
+    console.log("\u2192 No valid token found - redirecting to login");
+    const loginUrl = new URL(authConfigWithDefaults.loginUrl, request.url);
+    return NextResponse.redirect(loginUrl);
+  }
+  console.log("\u2192 Auth check passed");
+  return void 0;
+});
+var authMiddleware = (authConfig = defaultAuthConfig) => (request) => __async(void 0, null, function* () {
+  const response = yield applyAuth(authConfig, request);
+  if (response) return response;
+  return NextResponse.next();
+});
+function withAuth(middleware) {
+  return (request) => __async(this, null, function* () {
+    const response = yield applyAuth({}, request);
+    if (response) return response;
+    return middleware(request);
+  });
+}
+function auth(authConfig = {}) {
+  return (middleware) => {
+    return (request) => __async(this, null, function* () {
+      const response = yield applyAuth(authConfig, request);
+      if (response) return response;
+      return middleware(request);
+    });
+  };
+}
+
+// src/nextjs/routeHandler.ts
+import { NextResponse as NextResponse2 } from "next/server.js";
+import { revalidatePath } from "next/cache.js";
+var logger = loggers.nextjs.handlers.auth;
+var AuthError = class extends Error {
+  constructor(message, status = 401) {
+    super(message);
+    this.status = status;
+    this.name = "AuthError";
+  }
+};
+function handleChallenge() {
+  return __async(this, null, function* () {
+    const cookieStorage = new NextjsCookieStorage();
+    const pkceProducer = new GenericPublicClientPKCEProducer(cookieStorage);
+    const challenge = yield pkceProducer.getCodeChallenge();
+    return NextResponse2.json({ status: "success", challenge });
+  });
+}
+function handleCallback(request, config) {
+  return __async(this, null, function* () {
+    const code = request.nextUrl.searchParams.get("code");
+    const state = request.nextUrl.searchParams.get("state");
+    if (!code || !state) throw new AuthError("Bad parameters", 400);
+    const cookieStorage = new NextjsCookieStorage();
+    const resolvedConfigs = resolveAuthConfig(config);
+    const callbackUrl = resolveCallbackUrl(resolvedConfigs, request.url);
+    try {
+      yield resolveOAuthAccessCode(code, state, cookieStorage, __spreadProps(__spreadValues({}, resolvedConfigs), {
+        redirectUrl: callbackUrl
+      }));
+    } catch (error) {
+      logger.error("Token exchange failed:", error);
+      throw new AuthError("Failed to authenticate user", 401);
+    }
+    const user = yield getUser(cookieStorage);
+    if (!user) {
+      throw new AuthError("Failed to get user info", 401);
+    }
+    const clientStorage = new NextjsClientStorage();
+    const userSession = new GenericUserSession(clientStorage);
+    userSession.set(user);
+    const response = new NextResponse2(`<html></html>`);
+    response.headers.set("Content-Type", "text/html; charset=utf-8");
+    return response;
+  });
+}
+var getAbsoluteRedirectPath = (redirectPath, currentBasePath) => {
+  if (/^(https?:\/\/|www\.).+/i.test(redirectPath)) {
+    return redirectPath;
+  }
+  return new URL(redirectPath, currentBasePath).href;
+};
+function handleLogout(request, config) {
+  return __async(this, null, function* () {
+    var _a;
+    const resolvedConfigs = resolveAuthConfig(config);
+    const defaultRedirectPath = (_a = resolvedConfigs.loginUrl) != null ? _a : "/";
+    const redirectTarget = new URL(request.url).searchParams.get("redirect") || defaultRedirectPath;
+    const isAbsoluteRedirect = /^(https?:\/\/|www\.).+/i.test(redirectTarget);
+    const finalRedirectUrl = getAbsoluteRedirectPath(
+      redirectTarget,
+      new URL(request.url).origin
+    );
+    const response = NextResponse2.redirect(finalRedirectUrl);
+    clearAuthCookies();
+    try {
+      revalidatePath(isAbsoluteRedirect ? finalRedirectUrl : redirectTarget);
+    } catch (error) {
+      logger.warn("Failed to revalidate path after logout:", error);
+    }
+    return response;
+  });
+}
+var handler = (authConfig = {}) => (request) => __async(void 0, null, function* () {
+  const config = resolveAuthConfig(authConfig);
+  try {
+    const pathname = request.nextUrl.pathname;
+    const pathSegments = pathname.split("/");
+    const lastSegment = pathSegments[pathSegments.length - 1];
+    switch (lastSegment) {
+      case "challenge":
+        return yield handleChallenge();
+      case "callback":
+        return yield handleCallback(request, config);
+      case "logout":
+        return yield handleLogout(request, config);
+      default:
+        throw new AuthError(`Invalid auth route: ${pathname}`, 404);
+    }
+  } catch (error) {
+    logger.error("Auth handler error:", error);
+    const status = error instanceof AuthError ? error.status : 500;
+    const message = error instanceof Error ? error.message : "Authentication failed";
+    const response = NextResponse2.json({ error: message }, { status });
+    clearAuthCookies();
+    return response;
+  }
+});
+export {
+  auth,
+  authMiddleware,
+  createCivicAuthPlugin,
+  getUser2 as getUser,
+  handler,
+  withAuth
+};
+//# sourceMappingURL=nextjs.mjs.map

package/dist/nextjs.mjs.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../src/shared/UserSession.ts","../src/nextjs/cookies.ts","../src/nextjs/GetUser.ts","../src/nextjs/middleware.ts","../src/nextjs/routeHandler.ts"],"sourcesContent":["import { AuthStorage } from \"@/server\";\nimport { User } from \"@/types\";\nimport { NextjsClientCookies } from \"./types\";\n\nexport interface UserSession {\n  get(): User | null;\n  set(user: User): void;\n}\n\nexport class GenericUserSession implements UserSession {\n  constructor(readonly storage: AuthStorage) {}\n\n  get(): User | null {\n    const user = this.storage.get(NextjsClientCookies.USER);\n    return user ? JSON.parse(user) : null;\n  }\n\n  set(user: User | null): void {\n    const value = user ? JSON.stringify(user) : \"\";\n    this.storage.set(NextjsClientCookies.USER, value);\n  }\n}\n","import { SessionData, UnknownObject, User } from \"@/types\";\nimport { NextResponse } from \"next/server\";\nimport { AuthConfig } from \"./config\";\nimport { CookieStorage, CookieStorageSettings } from \"@/server\";\nimport { cookies } from \"next/headers.js\";\nimport { GenericUserSession } from \"@/shared/UserSession\";\nimport { clearTokens } from \"@/shared/util\";\n\n/**\n * Creates HTTP-only cookies for authentication tokens\n */\nconst createTokenCookies = (\n  response: NextResponse,\n  sessionData: SessionData,\n  config: AuthConfig,\n) => {\n  const maxAge = sessionData.expiresIn ?? 3600;\n  const cookieOptions = {\n    ...config.cookies?.tokens,\n    maxAge,\n  };\n\n  if (sessionData.accessToken) {\n    response.cookies.set(\"access_token\", sessionData.accessToken, {\n      ...cookieOptions,\n      httpOnly: true,\n    });\n  }\n\n  if (sessionData.idToken) {\n    response.cookies.set(\"id_token\", sessionData.idToken, {\n      ...cookieOptions,\n      httpOnly: true,\n    });\n  }\n\n  if (sessionData.refreshToken) {\n    response.cookies.set(\"refresh_token\", sessionData.refreshToken, {\n      ...cookieOptions,\n      httpOnly: true,\n    });\n  }\n};\n\n/**\n * Creates a client-readable cookie with user info\n */\nconst createUserInfoCookie = (\n  response: NextResponse,\n  user: User<UnknownObject> | null,\n  sessionData: SessionData,\n  config: AuthConfig,\n) => {\n  if (!user) {\n    response.cookies.set(\"user\", \"\", {\n      ...config.cookies?.user,\n      maxAge: 0,\n    });\n    return;\n  }\n  const maxAge = sessionData.expiresIn ?? 3600;\n\n  // TODO select fields to include in the user cookie\n  const frontendUser = {\n    ...user,\n  };\n\n  // TODO make call to get user info from the\n  // auth server /userinfo endpoint when it's available\n  // then add to the default claims above\n\n  response.cookies.set(\"user\", JSON.stringify(frontendUser), {\n    ...config.cookies?.user,\n    maxAge,\n  });\n};\n\n/**\n * Clears all authentication cookies\n */\nconst clearAuthCookies = async () => {\n  // clear session, and tokens\n  const cookieStorage = new NextjsCookieStorage();\n  clearTokens(cookieStorage);\n\n  // clear user\n  const clientStorage = new NextjsClientStorage();\n  const userSession = new GenericUserSession(clientStorage);\n  userSession.set(null);\n};\n\nclass NextjsCookieStorage extends CookieStorage {\n  constructor(config: Partial<CookieStorageSettings> = {}) {\n    super({\n      ...config,\n      secure: true,\n      httpOnly: true,\n    });\n  }\n\n  get(key: string): string | null {\n    return cookies().get(key)?.value || null;\n  }\n\n  set(key: string, value: string): void {\n    cookies().set(key, value, this.settings);\n  }\n}\n\nclass NextjsClientStorage extends CookieStorage {\n  constructor(config: Partial<CookieStorageSettings> = {}) {\n    super({\n      ...config,\n      secure: false,\n      httpOnly: false,\n    });\n  }\n\n  get(key: string): string | null {\n    return cookies().get(key)?.value || null;\n  }\n\n  set(key: string, value: string): void {\n    cookies().set(key, value, this.settings);\n  }\n}\n\nexport {\n  createTokenCookies,\n  createUserInfoCookie,\n  clearAuthCookies,\n  NextjsCookieStorage,\n  NextjsClientStorage,\n};\n","/**\n * Used on the server-side to get the user object from the cookie\n */\nimport { User } from \"@/types\";\nimport { GenericUserSession } from \"@/shared/UserSession\";\nimport { NextjsClientStorage } from \"./cookies\";\n\nexport const getUser = (): User | null => {\n  const clientStorage = new NextjsClientStorage();\n  const userSession = new GenericUserSession(clientStorage);\n  return userSession.get();\n};\n","/**\n * Authenticates the user on all requests by checking the token cookie\n *\n * Usage:\n * Option 1: use if no other middleware (e.g. no next-intl etc)\n * export default authMiddleware();\n *\n * Option 2: use if other middleware is needed - default auth config\n * export default withAuth((request) => {\n *    console.log('in custom middleware', request.nextUrl.pathname);\n *    return NextResponse.next();\n * })\n *\n * Option 3: use if other middleware is needed - specifying auth config\n * const withCivicAuth = auth({ loginUrl: '/login', include: ['/[.*]/user'] })\n * export default withCivicAuth((request) => {\n *   console.log('in custom middleware', request.url);\n *   return NextResponse.next();\n * })\n *\n */\nimport { NextRequest, NextResponse } from \"next/server.js\";\nimport picomatch from \"picomatch\";\nimport {\n  AuthConfig,\n  defaultAuthConfig,\n  resolveAuthConfig,\n} from \"@/nextjs/config.js\";\n\ntype Middleware = (\n  request: NextRequest,\n) => Promise<NextResponse> | NextResponse;\n\n// Matches globs:\n// Examples:\n// /user\n// /user/*\n// /user/**/info\nconst matchGlob = (pathname: string, globPattern: string) => {\n  const matches = picomatch(globPattern);\n  return matches(pathname);\n};\n\n// Matches globs:\n// Examples:\n// /user\n// /user/*\n// /user/**/info\nconst matchesGlobs = (pathname: string, patterns: string[]) =>\n  patterns.some((pattern) => {\n    if (!pattern) return false;\n    console.log(\"matching\", {\n      pattern,\n      pathname,\n      match: matchGlob(pathname, pattern),\n    });\n    return matchGlob(pathname, pattern);\n  });\n\n// internal - used by all exported functions\nconst applyAuth = async (\n  authConfig: AuthConfig,\n  request: NextRequest,\n): Promise<NextResponse | undefined> => {\n  const authConfigWithDefaults = resolveAuthConfig(authConfig);\n\n  // Check for any valid auth token\n  // TODO check if token is not expired\n  const isAuthenticated = !!request.cookies.get(\"id_token\");\n\n  // skip auth check for login url\n  if (request.nextUrl.pathname === authConfigWithDefaults.loginUrl) {\n    console.log(\"→ Skipping auth check - this is the login URL\");\n    return undefined;\n  }\n\n  if (!matchesGlobs(request.nextUrl.pathname, authConfigWithDefaults.include)) {\n    console.log(\"→ Skipping auth check - path not in include patterns\");\n    return undefined;\n  }\n\n  if (matchesGlobs(request.nextUrl.pathname, authConfigWithDefaults.exclude)) {\n    console.log(\"→ Skipping auth check - path in exclude patterns\");\n    return undefined;\n  }\n\n  // Check for either token type\n  if (!isAuthenticated) {\n    console.log(\"→ No valid token found - redirecting to login\");\n    const loginUrl = new URL(authConfigWithDefaults.loginUrl, request.url);\n    return NextResponse.redirect(loginUrl);\n  }\n\n  console.log(\"→ Auth check passed\");\n  return undefined;\n};\n\n/**\n *\n * Use this when auth is the only middleware you need.\n * Usage:\n *\n * export default authMiddleware({ loginUrl = '/login' }); // or just authMiddleware();\n *\n */\nexport const authMiddleware =\n  (authConfig = defaultAuthConfig) =>\n  async (request: NextRequest): Promise<NextResponse> => {\n    const response = await applyAuth(authConfig, request);\n    if (response) return response;\n\n    // NextJS doesn't do middleware chaining yet, so this does not mean\n    // \"call the next middleware\" - it means \"continue to the route handler\"\n    return NextResponse.next();\n  };\n\n/**\n * Usage:\n *\n * export default withAuth(async (request) => {\n *    console.log('my middleware');\n *    return NextResponse.next();\n *  })\n */\n// use this when you have your own middleware to chain\nexport function withAuth(\n  middleware: Middleware,\n): (request: NextRequest) => Promise<NextResponse> {\n  return async (request: NextRequest): Promise<NextResponse> => {\n    const response = await applyAuth({}, request);\n    if (response) return response;\n    return middleware(request);\n  };\n}\n\n/**\n * Use this when you want to configure the middleware here (an alternative is to do it in the next.config file)\n *\n * Usage:\n *\n * const withAuth = auth({ loginUrl = '/login' }); // or just auth();\n *\n * export default withAuth(async (request) => {\n *    console.log('my middleware');\n *    return NextResponse.next();\n *  })\n *\n */\nexport function auth(authConfig: AuthConfig = {}) {\n  return (\n    middleware: Middleware,\n  ): ((request: NextRequest) => Promise<NextResponse>) => {\n    return async (request: NextRequest): Promise<NextResponse> => {\n      const response = await applyAuth(authConfig, request);\n      if (response) return response;\n      return middleware(request);\n    };\n  };\n}\n","import { NextRequest, NextResponse } from \"next/server.js\";\nimport { revalidatePath } from \"next/cache.js\";\nimport { AuthConfig, resolveAuthConfig } from \"@/nextjs/config.js\";\nimport { loggers } from \"@/lib/logger.js\";\nimport {\n  clearAuthCookies,\n  NextjsClientStorage,\n  NextjsCookieStorage,\n} from \"./cookies.js\";\nimport { GenericPublicClientPKCEProducer } from \"@/services/PKCE.js\";\nimport { resolveOAuthAccessCode } from \"@/server/login.js\";\nimport { getUser } from \"@/server/session.js\";\nimport { resolveCallbackUrl } from \"./utils.js\";\nimport { GenericUserSession } from \"@/shared/UserSession.js\";\n\nconst logger = loggers.nextjs.handlers.auth;\n\nclass AuthError extends Error {\n  constructor(\n    message: string,\n    public readonly status: number = 401,\n  ) {\n    super(message);\n    this.name = \"AuthError\";\n  }\n}\n\n/**\n * create a code verifier and challenge for PKCE\n * saving the verifier in a cookie for later use\n * @returns {Promise<NextResponse>}\n */\nasync function handleChallenge(): Promise<NextResponse> {\n  const cookieStorage = new NextjsCookieStorage();\n  const pkceProducer = new GenericPublicClientPKCEProducer(cookieStorage);\n\n  const challenge = await pkceProducer.getCodeChallenge();\n\n  return NextResponse.json({ status: \"success\", challenge });\n}\n\nasync function handleCallback(\n  request: NextRequest,\n  config: AuthConfig,\n): Promise<NextResponse> {\n  const code = request.nextUrl.searchParams.get(\"code\");\n  const state = request.nextUrl.searchParams.get(\"state\");\n  if (!code || !state) throw new AuthError(\"Bad parameters\", 400);\n\n  const cookieStorage = new NextjsCookieStorage();\n\n  const resolvedConfigs = resolveAuthConfig(config);\n  const callbackUrl = resolveCallbackUrl(resolvedConfigs, request.url);\n\n  try {\n    await resolveOAuthAccessCode(code, state, cookieStorage, {\n      ...resolvedConfigs,\n      redirectUrl: callbackUrl,\n    });\n  } catch (error) {\n    logger.error(\"Token exchange failed:\", error);\n    throw new AuthError(\"Failed to authenticate user\", 401);\n  }\n\n  const user = await getUser(cookieStorage);\n  if (!user) {\n    throw new AuthError(\"Failed to get user info\", 401);\n  }\n\n  const clientStorage = new NextjsClientStorage();\n  const userSession = new GenericUserSession(clientStorage);\n\n  userSession.set(user);\n\n  // return an empty HTML response so the iframe doesn't show any response\n  // in the short moment between the redirect and the parent window\n  // acknowledging the redirect and closing the iframe\n  const response = new NextResponse(`<html></html>`);\n  response.headers.set(\"Content-Type\", \"text/html; charset=utf-8\");\n  return response;\n}\n\n/**\n * If redirectPath is an absolute path, return it as-is.\n * Otherwise for relative paths, append it to the current domain.\n * @param redirectPath\n * @returns\n */\nconst getAbsoluteRedirectPath = (\n  redirectPath: string,\n  currentBasePath: string,\n) => {\n  // Check if the redirectPath is an absolute URL\n  if (/^(https?:\\/\\/|www\\.).+/i.test(redirectPath)) {\n    return redirectPath; // Return as-is if it's an absolute URL\n  }\n  return new URL(redirectPath, currentBasePath).href;\n};\n\nasync function handleLogout(\n  request: NextRequest,\n  config: AuthConfig,\n): Promise<NextResponse> {\n  const resolvedConfigs = resolveAuthConfig(config);\n  const defaultRedirectPath = resolvedConfigs.loginUrl ?? \"/\";\n  const redirectTarget =\n    new URL(request.url).searchParams.get(\"redirect\") || defaultRedirectPath;\n  const isAbsoluteRedirect = /^(https?:\\/\\/|www\\.).+/i.test(redirectTarget);\n  const finalRedirectUrl = getAbsoluteRedirectPath(\n    redirectTarget,\n    new URL(request.url).origin,\n  );\n\n  const response = NextResponse.redirect(finalRedirectUrl);\n\n  clearAuthCookies();\n\n  try {\n    revalidatePath(isAbsoluteRedirect ? finalRedirectUrl : redirectTarget);\n  } catch (error) {\n    logger.warn(\"Failed to revalidate path after logout:\", error);\n  }\n\n  return response;\n}\n\n/**\n * Creates an authentication handler for Next.js API routes\n *\n * Usage:\n * ```ts\n * // app/api/auth/[...civicauth]/route.ts\n * import { handler } from '@civic/auth/nextjs'\n * export const GET = handler({\n *   // optional config overrides\n * })\n * ```\n */\nexport const handler =\n  (authConfig = {}) =>\n  async (request: NextRequest): Promise<NextResponse> => {\n    const config = resolveAuthConfig(authConfig);\n\n    try {\n      const pathname = request.nextUrl.pathname;\n      const pathSegments = pathname.split(\"/\");\n      const lastSegment = pathSegments[pathSegments.length - 1];\n\n      switch (lastSegment) {\n        case \"challenge\":\n          return await handleChallenge();\n        case \"callback\":\n          return await handleCallback(request, config);\n        case \"logout\":\n          return await handleLogout(request, config);\n        default:\n          throw new AuthError(`Invalid auth route: ${pathname}`, 404);\n      }\n    } catch (error) {\n      logger.error(\"Auth handler error:\", error);\n\n      const status = error instanceof AuthError ? error.status : 500;\n      const message =\n        error instanceof Error ? error.message : \"Authentication failed\";\n\n      const response = NextResponse.json({ error: message }, { status });\n\n      clearAuthCookies();\n      return response;\n    }\n  };\n"],"mappings":";;;;;;;;;;;;;;;;;;;;;;;AASO,IAAM,qBAAN,MAAgD;AAAA,EACrD,YAAqB,SAAsB;AAAtB;AAAA,EAAuB;AAAA,EAE5C,MAAmB;AACjB,UAAM,OAAO,KAAK,QAAQ,qBAA4B;AACtD,WAAO,OAAO,KAAK,MAAM,IAAI,IAAI;AAAA,EACnC;AAAA,EAEA,IAAI,MAAyB;AAC3B,UAAM,QAAQ,OAAO,KAAK,UAAU,IAAI,IAAI;AAC5C,SAAK,QAAQ,uBAA8B,KAAK;AAAA,EAClD;AACF;;;ACjBA,SAAS,eAAe;AA4ExB,IAAM,mBAAmB,MAAY;AAEnC,QAAM,gBAAgB,IAAI,oBAAoB;AAC9C,cAAY,aAAa;AAGzB,QAAM,gBAAgB,IAAI,oBAAoB;AAC9C,QAAM,cAAc,IAAI,mBAAmB,aAAa;AACxD,cAAY,IAAI,IAAI;AACtB;AAEA,IAAM,sBAAN,cAAkC,cAAc;AAAA,EAC9C,YAAY,SAAyC,CAAC,GAAG;AACvD,UAAM,iCACD,SADC;AAAA,MAEJ,QAAQ;AAAA,MACR,UAAU;AAAA,IACZ,EAAC;AAAA,EACH;AAAA,EAEA,IAAI,KAA4B;AApGlC;AAqGI,aAAO,aAAQ,EAAE,IAAI,GAAG,MAAjB,mBAAoB,UAAS;AAAA,EACtC;AAAA,EAEA,IAAI,KAAa,OAAqB;AACpC,YAAQ,EAAE,IAAI,KAAK,OAAO,KAAK,QAAQ;AAAA,EACzC;AACF;AAEA,IAAM,sBAAN,cAAkC,cAAc;AAAA,EAC9C,YAAY,SAAyC,CAAC,GAAG;AACvD,UAAM,iCACD,SADC;AAAA,MAEJ,QAAQ;AAAA,MACR,UAAU;AAAA,IACZ,EAAC;AAAA,EACH;AAAA,EAEA,IAAI,KAA4B;AAtHlC;AAuHI,aAAO,aAAQ,EAAE,IAAI,GAAG,MAAjB,mBAAoB,UAAS;AAAA,EACtC;AAAA,EAEA,IAAI,KAAa,OAAqB;AACpC,YAAQ,EAAE,IAAI,KAAK,OAAO,KAAK,QAAQ;AAAA,EACzC;AACF;;;ACtHO,IAAMA,WAAU,MAAmB;AACxC,QAAM,gBAAgB,IAAI,oBAAoB;AAC9C,QAAM,cAAc,IAAI,mBAAmB,aAAa;AACxD,SAAO,YAAY,IAAI;AACzB;;;ACUA,SAAsB,oBAAoB;AAC1C,OAAO,eAAe;AAgBtB,IAAM,YAAY,CAAC,UAAkB,gBAAwB;AAC3D,QAAM,UAAU,UAAU,WAAW;AACrC,SAAO,QAAQ,QAAQ;AACzB;AAOA,IAAM,eAAe,CAAC,UAAkB,aACtC,SAAS,KAAK,CAAC,YAAY;AACzB,MAAI,CAAC,QAAS,QAAO;AACrB,UAAQ,IAAI,YAAY;AAAA,IACtB;AAAA,IACA;AAAA,IACA,OAAO,UAAU,UAAU,OAAO;AAAA,EACpC,CAAC;AACD,SAAO,UAAU,UAAU,OAAO;AACpC,CAAC;AAGH,IAAM,YAAY,CAChB,YACA,YACsC;AACtC,QAAM,yBAAyB,kBAAkB,UAAU;AAI3D,QAAM,kBAAkB,CAAC,CAAC,QAAQ,QAAQ,IAAI,UAAU;AAGxD,MAAI,QAAQ,QAAQ,aAAa,uBAAuB,UAAU;AAChE,YAAQ,IAAI,oDAA+C;AAC3D,WAAO;AAAA,EACT;AAEA,MAAI,CAAC,aAAa,QAAQ,QAAQ,UAAU,uBAAuB,OAAO,GAAG;AAC3E,YAAQ,IAAI,2DAAsD;AAClE,WAAO;AAAA,EACT;AAEA,MAAI,aAAa,QAAQ,QAAQ,UAAU,uBAAuB,OAAO,GAAG;AAC1E,YAAQ,IAAI,uDAAkD;AAC9D,WAAO;AAAA,EACT;AAGA,MAAI,CAAC,iBAAiB;AACpB,YAAQ,IAAI,oDAA+C;AAC3D,UAAM,WAAW,IAAI,IAAI,uBAAuB,UAAU,QAAQ,GAAG;AACrE,WAAO,aAAa,SAAS,QAAQ;AAAA,EACvC;AAEA,UAAQ,IAAI,0BAAqB;AACjC,SAAO;AACT;AAUO,IAAM,iBACX,CAAC,aAAa,sBACd,CAAO,YAAgD;AACrD,QAAM,WAAW,MAAM,UAAU,YAAY,OAAO;AACpD,MAAI,SAAU,QAAO;AAIrB,SAAO,aAAa,KAAK;AAC3B;AAWK,SAAS,SACd,YACiD;AACjD,SAAO,CAAO,YAAgD;AAC5D,UAAM,WAAW,MAAM,UAAU,CAAC,GAAG,OAAO;AAC5C,QAAI,SAAU,QAAO;AACrB,WAAO,WAAW,OAAO;AAAA,EAC3B;AACF;AAeO,SAAS,KAAK,aAAyB,CAAC,GAAG;AAChD,SAAO,CACL,eACsD;AACtD,WAAO,CAAO,YAAgD;AAC5D,YAAM,WAAW,MAAM,UAAU,YAAY,OAAO;AACpD,UAAI,SAAU,QAAO;AACrB,aAAO,WAAW,OAAO;AAAA,IAC3B;AAAA,EACF;AACF;;;AC9JA,SAAsB,gBAAAC,qBAAoB;AAC1C,SAAS,sBAAsB;AAc/B,IAAM,SAAS,QAAQ,OAAO,SAAS;AAEvC,IAAM,YAAN,cAAwB,MAAM;AAAA,EAC5B,YACE,SACgB,SAAiB,KACjC;AACA,UAAM,OAAO;AAFG;AAGhB,SAAK,OAAO;AAAA,EACd;AACF;AAOA,SAAe,kBAAyC;AAAA;AACtD,UAAM,gBAAgB,IAAI,oBAAoB;AAC9C,UAAM,eAAe,IAAI,gCAAgC,aAAa;AAEtE,UAAM,YAAY,MAAM,aAAa,iBAAiB;AAEtD,WAAOC,cAAa,KAAK,EAAE,QAAQ,WAAW,UAAU,CAAC;AAAA,EAC3D;AAAA;AAEA,SAAe,eACb,SACA,QACuB;AAAA;AACvB,UAAM,OAAO,QAAQ,QAAQ,aAAa,IAAI,MAAM;AACpD,UAAM,QAAQ,QAAQ,QAAQ,aAAa,IAAI,OAAO;AACtD,QAAI,CAAC,QAAQ,CAAC,MAAO,OAAM,IAAI,UAAU,kBAAkB,GAAG;AAE9D,UAAM,gBAAgB,IAAI,oBAAoB;AAE9C,UAAM,kBAAkB,kBAAkB,MAAM;AAChD,UAAM,cAAc,mBAAmB,iBAAiB,QAAQ,GAAG;AAEnE,QAAI;AACF,YAAM,uBAAuB,MAAM,OAAO,eAAe,iCACpD,kBADoD;AAAA,QAEvD,aAAa;AAAA,MACf,EAAC;AAAA,IACH,SAAS,OAAO;AACd,aAAO,MAAM,0BAA0B,KAAK;AAC5C,YAAM,IAAI,UAAU,+BAA+B,GAAG;AAAA,IACxD;AAEA,UAAM,OAAO,MAAM,QAAQ,aAAa;AACxC,QAAI,CAAC,MAAM;AACT,YAAM,IAAI,UAAU,2BAA2B,GAAG;AAAA,IACpD;AAEA,UAAM,gBAAgB,IAAI,oBAAoB;AAC9C,UAAM,cAAc,IAAI,mBAAmB,aAAa;AAExD,gBAAY,IAAI,IAAI;AAKpB,UAAM,WAAW,IAAIA,cAAa,eAAe;AACjD,aAAS,QAAQ,IAAI,gBAAgB,0BAA0B;AAC/D,WAAO;AAAA,EACT;AAAA;AAQA,IAAM,0BAA0B,CAC9B,cACA,oBACG;AAEH,MAAI,0BAA0B,KAAK,YAAY,GAAG;AAChD,WAAO;AAAA,EACT;AACA,SAAO,IAAI,IAAI,cAAc,eAAe,EAAE;AAChD;AAEA,SAAe,aACb,SACA,QACuB;AAAA;AAtGzB;AAuGE,UAAM,kBAAkB,kBAAkB,MAAM;AAChD,UAAM,uBAAsB,qBAAgB,aAAhB,YAA4B;AACxD,UAAM,iBACJ,IAAI,IAAI,QAAQ,GAAG,EAAE,aAAa,IAAI,UAAU,KAAK;AACvD,UAAM,qBAAqB,0BAA0B,KAAK,cAAc;AACxE,UAAM,mBAAmB;AAAA,MACvB;AAAA,MACA,IAAI,IAAI,QAAQ,GAAG,EAAE;AAAA,IACvB;AAEA,UAAM,WAAWA,cAAa,SAAS,gBAAgB;AAEvD,qBAAiB;AAEjB,QAAI;AACF,qBAAe,qBAAqB,mBAAmB,cAAc;AAAA,IACvE,SAAS,OAAO;AACd,aAAO,KAAK,2CAA2C,KAAK;AAAA,IAC9D;AAEA,WAAO;AAAA,EACT;AAAA;AAcO,IAAM,UACX,CAAC,aAAa,CAAC,MACf,CAAO,YAAgD;AACrD,QAAM,SAAS,kBAAkB,UAAU;AAE3C,MAAI;AACF,UAAM,WAAW,QAAQ,QAAQ;AACjC,UAAM,eAAe,SAAS,MAAM,GAAG;AACvC,UAAM,cAAc,aAAa,aAAa,SAAS,CAAC;AAExD,YAAQ,aAAa;AAAA,MACnB,KAAK;AACH,eAAO,MAAM,gBAAgB;AAAA,MAC/B,KAAK;AACH,eAAO,MAAM,eAAe,SAAS,MAAM;AAAA,MAC7C,KAAK;AACH,eAAO,MAAM,aAAa,SAAS,MAAM;AAAA,MAC3C;AACE,cAAM,IAAI,UAAU,uBAAuB,QAAQ,IAAI,GAAG;AAAA,IAC9D;AAAA,EACF,SAAS,OAAO;AACd,WAAO,MAAM,uBAAuB,KAAK;AAEzC,UAAM,SAAS,iBAAiB,YAAY,MAAM,SAAS;AAC3D,UAAM,UACJ,iBAAiB,QAAQ,MAAM,UAAU;AAE3C,UAAM,WAAWA,cAAa,KAAK,EAAE,OAAO,QAAQ,GAAG,EAAE,OAAO,CAAC;AAEjE,qBAAiB;AACjB,WAAO;AAAA,EACT;AACF;","names":["getUser","NextResponse","NextResponse"]}

package/dist/react.d.mts

@@ -0,0 +1,119 @@
+import { JWT } from 'oslo/jwt';
+import { D as DisplayMode, U as User, F as ForwardedTokens, A as AuthSessionService, E as Endpoints, b as UserInfoService, S as SessionData, a as UnknownObject, O as OIDCTokenResponseBody, P as ParsedTokens, C as Config } from './index-DoDoIY_K.mjs';
+import * as react_jsx_runtime from 'react/jsx-runtime';
+import { ReactNode } from 'react';
+import { OAuth2Client } from 'oslo/oauth2';
+
+type AuthContextType = {
+    signIn: (displayMode?: DisplayMode) => Promise<void>;
+    isAuthenticated: boolean;
+    isLoading: boolean;
+    error: Error | null;
+    signOut: () => Promise<void>;
+};
+
+type UserContextType$1<T extends Record<string, unknown> & JWT["payload"] = Record<string, unknown> & JWT["payload"]> = {
+    user: User<T> | null;
+} & Omit<AuthContextType, "isAuthenticated">;
+
+type TokenContextType = {
+    accessToken: string | null;
+    idToken: string | null;
+    forwardedTokens: ForwardedTokens;
+    refreshToken: () => Promise<void>;
+    isLoading: boolean;
+    error: Error | null;
+};
+
+declare class AuthSessionServiceImpl implements AuthSessionService {
+    readonly clientId: string;
+    readonly redirectUrl: string;
+    readonly oauthServer: string;
+    readonly inputEndpoints?: Partial<Endpoints> | undefined;
+    private endpoints;
+    private oauth2Client;
+    private userInfoService;
+    private codeVerifier;
+    private refreshTokenTimeout;
+    constructor(clientId: string, redirectUrl: string, oauthServer: string, inputEndpoints?: Partial<Endpoints> | undefined);
+    protected getCodeVerifier(): string;
+    getUserInfoService(): Promise<UserInfoService>;
+    protected getEndpoints(): Promise<Endpoints>;
+    protected getOauth2Client(): Promise<OAuth2Client>;
+    getSessionData(): SessionData;
+    updateSessionData(data: Partial<SessionData>): void;
+    getUser(): User<UnknownObject> | null;
+    setUser(data: User<UnknownObject> | null): void;
+    clearSessionData(): void;
+    getAuthorizationUrlWithChallenge(state: string, scopes: string[]): Promise<URL>;
+    getAuthorizationUrl(scopes: string[], displayMode: DisplayMode, nonce?: string): Promise<string>;
+    loadAuthorizationUrl(authorizationURL: string, displayMode: DisplayMode): void;
+    init(): Promise<this>;
+    logout(): Promise<void>;
+    determineDisplayMode(displayMode: DisplayMode): DisplayMode;
+    signIn(displayMode: DisplayMode, scopes: string[], nonce: string): Promise<void>;
+    tokenExchange(responseUrl: string): Promise<SessionData>;
+    private setupTokenRefresh;
+    refreshToken(): Promise<SessionData>;
+    getUserInfo<T extends UnknownObject>(): Promise<User<T> | null>;
+    /**
+     * Uses the jose library to validate a JWT token using the OAuth JWKS endpoint
+     * @returns {Promise<jose.JWTPayload>}
+     * @throws {Error} if the token is invalid
+     * @param tokens
+     */
+    validateTokens(tokens: OIDCTokenResponseBody): Promise<ParsedTokens>;
+    validateExistingSession(): Promise<SessionData>;
+}
+
+type AuthProviderProps = {
+    children: ReactNode;
+    clientId: string;
+    redirectUrl?: string;
+    nonce?: string;
+    config?: Config;
+    onSignIn?: (error?: Error) => void;
+    onSignOut?: () => void;
+    authServiceImpl?: AuthSessionServiceImpl;
+    serverSideTokenExchange?: boolean;
+};
+
+type CivicAuthProviderProps = Omit<AuthProviderProps, "authServiceImpl" | "serverSideTokenExchange">;
+declare const CivicAuthProvider: ({ children, ...props }: CivicAuthProviderProps) => react_jsx_runtime.JSX.Element;
+
+type UserContextType = {
+    user: User<UnknownObject> | null;
+};
+type NextCivicAuthProviderProps = Omit<AuthProviderProps, "clientId">;
+declare const CivicNextAuthProvider: ({ children, ...props }: NextCivicAuthProviderProps) => react_jsx_runtime.JSX.Element;
+declare const useNextUser: () => UserContextType;
+
+declare const useUser: <T extends Record<string, unknown> = Record<string, never>>() => UserContextType$1<T>;
+
+declare const useUserCookie: () => any;
+
+declare const useToken: () => TokenContextType;
+
+declare const useAuth: () => AuthContextType;
+
+declare const useSession: () => SessionData;
+
+declare const UserButton: ({ displayMode, className, }: {
+    displayMode?: DisplayMode;
+    className?: string;
+}) => react_jsx_runtime.JSX.Element;
+
+declare const SignInButton: ({ displayMode, className, }: {
+    displayMode?: DisplayMode;
+    className?: string;
+}) => react_jsx_runtime.JSX.Element;
+
+declare const SignOutButton: ({ className }: {
+    className?: string;
+}) => react_jsx_runtime.JSX.Element;
+
+declare const NextLogOut: ({ children }: {
+    children: ReactNode;
+}) => react_jsx_runtime.JSX.Element;
+
+export { type AuthContextType, CivicAuthProvider, CivicNextAuthProvider, NextLogOut, SignInButton, SignOutButton, type TokenContextType, UserButton, type UserContextType$1 as UserContextType, useAuth, useNextUser, useSession, useToken, useUser, useUserCookie };

package/dist/react.d.ts

@@ -0,0 +1,119 @@
+import { JWT } from 'oslo/jwt';
+import { D as DisplayMode, U as User, F as ForwardedTokens, A as AuthSessionService, E as Endpoints, b as UserInfoService, S as SessionData, a as UnknownObject, O as OIDCTokenResponseBody, P as ParsedTokens, C as Config } from './index-DoDoIY_K.js';
+import * as react_jsx_runtime from 'react/jsx-runtime';
+import { ReactNode } from 'react';
+import { OAuth2Client } from 'oslo/oauth2';
+
+type AuthContextType = {
+    signIn: (displayMode?: DisplayMode) => Promise<void>;
+    isAuthenticated: boolean;
+    isLoading: boolean;
+    error: Error | null;
+    signOut: () => Promise<void>;
+};
+
+type UserContextType$1<T extends Record<string, unknown> & JWT["payload"] = Record<string, unknown> & JWT["payload"]> = {
+    user: User<T> | null;
+} & Omit<AuthContextType, "isAuthenticated">;
+
+type TokenContextType = {
+    accessToken: string | null;
+    idToken: string | null;
+    forwardedTokens: ForwardedTokens;
+    refreshToken: () => Promise<void>;
+    isLoading: boolean;
+    error: Error | null;
+};
+
+declare class AuthSessionServiceImpl implements AuthSessionService {
+    readonly clientId: string;
+    readonly redirectUrl: string;
+    readonly oauthServer: string;
+    readonly inputEndpoints?: Partial<Endpoints> | undefined;
+    private endpoints;
+    private oauth2Client;
+    private userInfoService;
+    private codeVerifier;
+    private refreshTokenTimeout;
+    constructor(clientId: string, redirectUrl: string, oauthServer: string, inputEndpoints?: Partial<Endpoints> | undefined);
+    protected getCodeVerifier(): string;
+    getUserInfoService(): Promise<UserInfoService>;
+    protected getEndpoints(): Promise<Endpoints>;
+    protected getOauth2Client(): Promise<OAuth2Client>;
+    getSessionData(): SessionData;
+    updateSessionData(data: Partial<SessionData>): void;
+    getUser(): User<UnknownObject> | null;
+    setUser(data: User<UnknownObject> | null): void;
+    clearSessionData(): void;
+    getAuthorizationUrlWithChallenge(state: string, scopes: string[]): Promise<URL>;
+    getAuthorizationUrl(scopes: string[], displayMode: DisplayMode, nonce?: string): Promise<string>;
+    loadAuthorizationUrl(authorizationURL: string, displayMode: DisplayMode): void;
+    init(): Promise<this>;
+    logout(): Promise<void>;
+    determineDisplayMode(displayMode: DisplayMode): DisplayMode;
+    signIn(displayMode: DisplayMode, scopes: string[], nonce: string): Promise<void>;
+    tokenExchange(responseUrl: string): Promise<SessionData>;
+    private setupTokenRefresh;
+    refreshToken(): Promise<SessionData>;
+    getUserInfo<T extends UnknownObject>(): Promise<User<T> | null>;
+    /**
+     * Uses the jose library to validate a JWT token using the OAuth JWKS endpoint
+     * @returns {Promise<jose.JWTPayload>}
+     * @throws {Error} if the token is invalid
+     * @param tokens
+     */
+    validateTokens(tokens: OIDCTokenResponseBody): Promise<ParsedTokens>;
+    validateExistingSession(): Promise<SessionData>;
+}
+
+type AuthProviderProps = {
+    children: ReactNode;
+    clientId: string;
+    redirectUrl?: string;
+    nonce?: string;
+    config?: Config;
+    onSignIn?: (error?: Error) => void;
+    onSignOut?: () => void;
+    authServiceImpl?: AuthSessionServiceImpl;
+    serverSideTokenExchange?: boolean;
+};
+
+type CivicAuthProviderProps = Omit<AuthProviderProps, "authServiceImpl" | "serverSideTokenExchange">;
+declare const CivicAuthProvider: ({ children, ...props }: CivicAuthProviderProps) => react_jsx_runtime.JSX.Element;
+
+type UserContextType = {
+    user: User<UnknownObject> | null;
+};
+type NextCivicAuthProviderProps = Omit<AuthProviderProps, "clientId">;
+declare const CivicNextAuthProvider: ({ children, ...props }: NextCivicAuthProviderProps) => react_jsx_runtime.JSX.Element;
+declare const useNextUser: () => UserContextType;
+
+declare const useUser: <T extends Record<string, unknown> = Record<string, never>>() => UserContextType$1<T>;
+
+declare const useUserCookie: () => any;
+
+declare const useToken: () => TokenContextType;
+
+declare const useAuth: () => AuthContextType;
+
+declare const useSession: () => SessionData;
+
+declare const UserButton: ({ displayMode, className, }: {
+    displayMode?: DisplayMode;
+    className?: string;
+}) => react_jsx_runtime.JSX.Element;
+
+declare const SignInButton: ({ displayMode, className, }: {
+    displayMode?: DisplayMode;
+    className?: string;
+}) => react_jsx_runtime.JSX.Element;
+
+declare const SignOutButton: ({ className }: {
+    className?: string;
+}) => react_jsx_runtime.JSX.Element;
+
+declare const NextLogOut: ({ children }: {
+    children: ReactNode;
+}) => react_jsx_runtime.JSX.Element;
+
+export { type AuthContextType, CivicAuthProvider, CivicNextAuthProvider, NextLogOut, SignInButton, SignOutButton, type TokenContextType, UserButton, type UserContextType$1 as UserContextType, useAuth, useNextUser, useSession, useToken, useUser, useUserCookie };