@civic/auth 0.0.1-beta.3 → 0.0.1-beta.30

package/dist/nextjs.js

@@ -4,82 +4,43 @@
 
 
 
-var _chunkWPISYQG3js = require('./chunk-WPISYQG3.js');
 
 
 
 
 
-var _chunk4GIHS7LBjs = require('./chunk-4GIHS7LB.js');
+var _chunkTH6FI2XIjs = require('./chunk-TH6FI2XI.js');
 
 
-var _chunkVXIWRZWUjs = require('./chunk-VXIWRZWU.js');
+var _chunkJEOPLLWOjs = require('./chunk-JEOPLLWO.js');
 
 
 
 
-var _chunkCRTRMMJ7js = require('./chunk-CRTRMMJ7.js');
 
-// src/shared/UserSession.ts
-var GenericUserSession = class {
-  constructor(storage) {
-    this.storage = storage;
-  }
-  get() {
-    const user = this.storage.get("user" /* USER */);
-    return user ? JSON.parse(user) : null;
-  }
-  set(user) {
-    const value = user ? JSON.stringify(user) : "";
-    this.storage.set("user" /* USER */, value);
-  }
-};
 
-// src/nextjs/cookies.ts
-var _headersjs = require('next/headers.js');
-var clearAuthCookies = () => _chunkCRTRMMJ7js.__async.call(void 0, void 0, null, function* () {
-  const cookieStorage = new NextjsCookieStorage();
-  _chunkVXIWRZWUjs.clearTokens.call(void 0, cookieStorage);
-  const clientStorage = new NextjsClientStorage();
-  const userSession = new GenericUserSession(clientStorage);
-  userSession.set(null);
-});
-var NextjsCookieStorage = class extends _chunk4GIHS7LBjs.CookieStorage {
-  constructor(config = {}) {
-    super(_chunkCRTRMMJ7js.__spreadProps.call(void 0, _chunkCRTRMMJ7js.__spreadValues.call(void 0, {}, config), {
-      secure: true,
-      httpOnly: true
-    }));
-  }
-  get(key) {
-    var _a;
-    return ((_a = _headersjs.cookies.call(void 0, ).get(key)) == null ? void 0 : _a.value) || null;
-  }
-  set(key, value) {
-    _headersjs.cookies.call(void 0, ).set(key, value, this.settings);
-  }
-};
-var NextjsClientStorage = class extends _chunk4GIHS7LBjs.CookieStorage {
-  constructor(config = {}) {
-    super(_chunkCRTRMMJ7js.__spreadProps.call(void 0, _chunkCRTRMMJ7js.__spreadValues.call(void 0, {}, config), {
-      secure: false,
-      httpOnly: false
-    }));
-  }
-  get(key) {
-    var _a;
-    return ((_a = _headersjs.cookies.call(void 0, ).get(key)) == null ? void 0 : _a.value) || null;
-  }
-  set(key, value) {
-    _headersjs.cookies.call(void 0, ).set(key, value, this.settings);
-  }
-};
+
+
+var _chunkAM2Y662Ijs = require('./chunk-AM2Y662I.js');
+
+
+
+
+var _chunkCRTRMMJ7js = require('./chunk-CRTRMMJ7.js');
 
 // src/nextjs/GetUser.ts
 var getUser2 = () => {
-  const clientStorage = new NextjsClientStorage();
-  const userSession = new GenericUserSession(clientStorage);
-  return userSession.get();
+  var _a;
+  const clientStorage = new (0, _chunkTH6FI2XIjs.NextjsClientStorage)();
+  const userSession = new (0, _chunkAM2Y662Ijs.GenericUserSession)(clientStorage);
+  const tokens = _chunkAM2Y662Ijs.retrieveTokens.call(void 0, clientStorage);
+  const user = userSession.get();
+  if (!user || !tokens) return null;
+  return _chunkCRTRMMJ7js.__spreadProps.call(void 0, _chunkCRTRMMJ7js.__spreadValues.call(void 0, {}, user), {
+    idToken: tokens.id_token,
+    accessToken: tokens.access_token,
+    refreshToken: (_a = tokens.refresh_token) != null ? _a : ""
+  });
 };
 
 // src/nextjs/middleware.ts
@@ -99,9 +60,9 @@ var matchesGlobs = (pathname, patterns) => patterns.some((pattern) => {
   return matchGlob(pathname, pattern);
 });
 var applyAuth = (authConfig, request) => _chunkCRTRMMJ7js.__async.call(void 0, void 0, null, function* () {
-  const authConfigWithDefaults = _chunkWPISYQG3js.resolveAuthConfig.call(void 0, authConfig);
+  const authConfigWithDefaults = _chunkTH6FI2XIjs.resolveAuthConfig.call(void 0, authConfig);
   const isAuthenticated = !!request.cookies.get("id_token");
-  if (request.nextUrl.pathname === authConfigWithDefaults.loginUrl) {
+  if (request.nextUrl.pathname === authConfigWithDefaults.loginUrl && request.method === "GET") {
     console.log("\u2192 Skipping auth check - this is the login URL");
     return void 0;
   }
@@ -114,14 +75,14 @@ var applyAuth = (authConfig, request) => _chunkCRTRMMJ7js.__async.call(void 0, v
     return void 0;
   }
   if (!isAuthenticated) {
-    console.log("\u2192 No valid token found - redirecting to login");
     const loginUrl = new URL(authConfigWithDefaults.loginUrl, request.url);
+    console.log("\u2192 No valid token found - redirecting to login", loginUrl);
     return _serverjs.NextResponse.redirect(loginUrl);
   }
   console.log("\u2192 Auth check passed");
   return void 0;
 });
-var authMiddleware = (authConfig = _chunkWPISYQG3js.defaultAuthConfig) => (request) => _chunkCRTRMMJ7js.__async.call(void 0, void 0, null, function* () {
+var authMiddleware = (authConfig = _chunkTH6FI2XIjs.defaultAuthConfig) => (request) => _chunkCRTRMMJ7js.__async.call(void 0, void 0, null, function* () {
   const response = yield applyAuth(authConfig, request);
   if (response) return response;
   return _serverjs.NextResponse.next();
@@ -146,7 +107,8 @@ function auth(authConfig = {}) {
 // src/nextjs/routeHandler.ts
 
 var _cachejs = require('next/cache.js');
-var logger = _chunkWPISYQG3js.loggers.nextjs.handlers.auth;
+var _headersjs = require('next/headers.js');
+var logger = _chunkTH6FI2XIjs.loggers.nextjs.handlers.auth;
 var AuthError = class extends Error {
   constructor(message, status = 401) {
     super(message);
@@ -154,61 +116,154 @@ var AuthError = class extends Error {
     this.name = "AuthError";
   }
 };
-function handleChallenge() {
+function handleChallenge(request, config) {
   return _chunkCRTRMMJ7js.__async.call(void 0, this, null, function* () {
-    const cookieStorage = new NextjsCookieStorage();
-    const pkceProducer = new (0, _chunk4GIHS7LBjs.GenericPublicClientPKCEProducer)(cookieStorage);
+    var _a, _b;
+    const cookieStorage = new (0, _chunkTH6FI2XIjs.NextjsCookieStorage)((_b = (_a = config.cookies) == null ? void 0 : _a.tokens) != null ? _b : {});
+    const pkceProducer = new (0, _chunkAM2Y662Ijs.GenericPublicClientPKCEProducer)(cookieStorage);
     const challenge = yield pkceProducer.getCodeChallenge();
+    const appUrl = request.nextUrl.searchParams.get("appUrl");
+    if (appUrl) {
+      cookieStorage.set("app_url" /* APP_URL */, appUrl);
+    }
     return _serverjs.NextResponse.json({ status: "success", challenge });
   });
 }
-function handleCallback(request, config) {
+function performTokenExchangeAndSetCookies(request, config, code, state, appUrl) {
   return _chunkCRTRMMJ7js.__async.call(void 0, this, null, function* () {
-    const code = request.nextUrl.searchParams.get("code");
-    const state = request.nextUrl.searchParams.get("state");
-    if (!code || !state) throw new AuthError("Bad parameters", 400);
-    const cookieStorage = new NextjsCookieStorage();
-    const resolvedConfigs = _chunkWPISYQG3js.resolveAuthConfig.call(void 0, config);
-    const callbackUrl = _chunkWPISYQG3js.resolveCallbackUrl.call(void 0, resolvedConfigs, request.url);
+    const resolvedConfigs = _chunkTH6FI2XIjs.resolveAuthConfig.call(void 0, config);
+    const cookieStorage = new (0, _chunkTH6FI2XIjs.NextjsCookieStorage)(resolvedConfigs.cookies.tokens);
+    const callbackUrl = _chunkTH6FI2XIjs.resolveCallbackUrl.call(void 0, resolvedConfigs, appUrl);
     try {
-      yield _chunk4GIHS7LBjs.resolveOAuthAccessCode.call(void 0, code, state, cookieStorage, _chunkCRTRMMJ7js.__spreadProps.call(void 0, _chunkCRTRMMJ7js.__spreadValues.call(void 0, {}, resolvedConfigs), {
+      yield _chunkJEOPLLWOjs.resolveOAuthAccessCode.call(void 0, code, state, cookieStorage, _chunkCRTRMMJ7js.__spreadProps.call(void 0, _chunkCRTRMMJ7js.__spreadValues.call(void 0, {}, resolvedConfigs), {
         redirectUrl: callbackUrl
       }));
     } catch (error) {
       logger.error("Token exchange failed:", error);
       throw new AuthError("Failed to authenticate user", 401);
     }
-    const user = yield _chunk4GIHS7LBjs.getUser.call(void 0, cookieStorage);
+    const user = yield _chunkAM2Y662Ijs.getUser.call(void 0, cookieStorage);
     if (!user) {
       throw new AuthError("Failed to get user info", 401);
     }
-    const clientStorage = new NextjsClientStorage();
-    const userSession = new GenericUserSession(clientStorage);
+    const clientStorage = new (0, _chunkTH6FI2XIjs.NextjsClientStorage)();
+    const userSession = new (0, _chunkAM2Y662Ijs.GenericUserSession)(clientStorage);
     userSession.set(user);
-    const response = new (0, _serverjs.NextResponse)(`<html></html>`);
+  });
+}
+function handleCallback(request, config) {
+  return _chunkCRTRMMJ7js.__async.call(void 0, this, null, function* () {
+    var _a;
+    const resolvedConfigs = _chunkTH6FI2XIjs.resolveAuthConfig.call(void 0, config);
+    console.log("handleCallback", { request, resolvedConfigs });
+    const code = request.nextUrl.searchParams.get("code");
+    const state = request.nextUrl.searchParams.get("state") || "";
+    if (!code || !state) throw new AuthError("Bad parameters", 400);
+    const appUrl = ((_a = request.cookies.get("app_url" /* APP_URL */)) == null ? void 0 : _a.value) || request.nextUrl.searchParams.get("appUrl");
+    console.log("handleCallback", {
+      code,
+      state,
+      cookies: _headersjs.cookies.call(void 0, ),
+      appUrl
+    });
+    const codeVerifier = request.cookies.get("code_verifier" /* COOKIE_NAME */);
+    if (!codeVerifier || !appUrl) {
+      console.log("handleCallback no code_verifier found", {
+        state,
+        serverTokenExchange: _chunkAM2Y662Ijs.serverTokenExchangeFromState.call(void 0, `${state}`)
+      });
+      let response2 = new (0, _serverjs.NextResponse)(
+        `<html><body><span style="display:none">${_chunkAM2Y662Ijs.TOKEN_EXCHANGE_TRIGGER_TEXT}</span></body></html>`
+      );
+      if (state && _chunkAM2Y662Ijs.serverTokenExchangeFromState.call(void 0, state)) {
+        console.log(
+          "handleCallback serverTokenExchangeFromState, launching redirect page...",
+          {
+            requestUrl: request.url,
+            configCallbackUrl: resolvedConfigs.callbackUrl
+          }
+        );
+        const requestUrl = new URL(request.url);
+        const fetchUrl = `${resolvedConfigs.callbackUrl}?${requestUrl.searchParams.toString()}&sameDomainServerTokenExchange=true`;
+        response2 = new (0, _serverjs.NextResponse)(
+          `<html>
+            <body>
+                <span style="display:none">
+                    <script>
+                        window.onload = function () {
+                            const appUrl = globalThis.window?.location?.origin;
+                            fetch('${fetchUrl}&appUrl=' + appUrl).then((response) => {
+                                response.json().then((jsonResponse) => {
+                                    console.log('fetch jsonResponse', jsonResponse);
+                                    if (jsonResponse.redirectUrl) {
+                                        console.log('handleCallback serverTokenExchangeFromState, redirecting');
+                                        window.location.href = jsonResponse.redirectUrl;
+                                    }
+                                });
+                            });
+                        };
+                    </script>
+                </span>
+            </body>
+        </html>
+        `
+        );
+      }
+      response2.headers.set("Content-Type", "text/html; charset=utf-8");
+      console.log(
+        `handleCallback no code_verifier found, returning ${_chunkAM2Y662Ijs.TOKEN_EXCHANGE_TRIGGER_TEXT}`
+      );
+      return response2;
+    }
+    yield performTokenExchangeAndSetCookies(
+      request,
+      resolvedConfigs,
+      code,
+      state,
+      appUrl
+    );
+    if (request.url.includes("sameDomainServerTokenExchange=true")) {
+      console.log(
+        "handleCallback sameDomainServerTokenExchange = true, returnining redirectUrl",
+        appUrl
+      );
+      return _serverjs.NextResponse.json({
+        status: "success",
+        redirectUrl: appUrl
+      });
+    }
+    if (_chunkAM2Y662Ijs.serverTokenExchangeFromState.call(void 0, state)) {
+      console.log(
+        "handleCallback serverTokenExchangeFromState, redirect to appUrl",
+        appUrl
+      );
+      if (!appUrl) {
+        throw new Error("appUrl undefined. Cannot redirect.");
+      }
+      return _serverjs.NextResponse.redirect(`${appUrl}`);
+    }
+    const response = new (0, _serverjs.NextResponse)(
+      `<html><span style="display:none">${_chunkAM2Y662Ijs.TOKEN_EXCHANGE_SUCCESS_TEXT}</span></html>`
+    );
     response.headers.set("Content-Type", "text/html; charset=utf-8");
     return response;
   });
 }
-var getAbsoluteRedirectPath = (redirectPath, currentBasePath) => {
-  if (/^(https?:\/\/|www\.).+/i.test(redirectPath)) {
-    return redirectPath;
-  }
-  return new URL(redirectPath, currentBasePath).href;
-};
+var getAbsoluteRedirectPath = (redirectPath, currentBasePath) => new URL(redirectPath, currentBasePath).href;
 function handleLogout(request, config) {
   return _chunkCRTRMMJ7js.__async.call(void 0, this, null, function* () {
     var _a;
-    const resolvedConfigs = _chunkWPISYQG3js.resolveAuthConfig.call(void 0, config);
+    const resolvedConfigs = _chunkTH6FI2XIjs.resolveAuthConfig.call(void 0, config);
     const defaultRedirectPath = (_a = resolvedConfigs.loginUrl) != null ? _a : "/";
     const redirectTarget = new URL(request.url).searchParams.get("redirect") || defaultRedirectPath;
     const isAbsoluteRedirect = /^(https?:\/\/|www\.).+/i.test(redirectTarget);
-    const finalRedirectUrl = getAbsoluteRedirectPath(
+    const appUrl = request.nextUrl.searchParams.get("appUrl");
+    const finalRedirectUrl = isAbsoluteRedirect ? redirectTarget : getAbsoluteRedirectPath(
       redirectTarget,
-      new URL(request.url).origin
+      new URL(appUrl != null ? appUrl : request.url).origin
     );
     const response = _serverjs.NextResponse.redirect(finalRedirectUrl);
-    clearAuthCookies();
+    _chunkTH6FI2XIjs.clearAuthCookies.call(void 0, config);
     try {
       _cachejs.revalidatePath.call(void 0, isAbsoluteRedirect ? finalRedirectUrl : redirectTarget);
     } catch (error) {
@@ -218,14 +273,14 @@ function handleLogout(request, config) {
   });
 }
 var handler = (authConfig = {}) => (request) => _chunkCRTRMMJ7js.__async.call(void 0, void 0, null, function* () {
-  const config = _chunkWPISYQG3js.resolveAuthConfig.call(void 0, authConfig);
+  const config = _chunkTH6FI2XIjs.resolveAuthConfig.call(void 0, authConfig);
   try {
     const pathname = request.nextUrl.pathname;
     const pathSegments = pathname.split("/");
     const lastSegment = pathSegments[pathSegments.length - 1];
     switch (lastSegment) {
       case "challenge":
-        return yield handleChallenge();
+        return yield handleChallenge(request, config);
       case "callback":
         return yield handleCallback(request, config);
       case "logout":
@@ -238,7 +293,7 @@ var handler = (authConfig = {}) => (request) => _chunkCRTRMMJ7js.__async.call(vo
     const status = error instanceof AuthError ? error.status : 500;
     const message = error instanceof Error ? error.message : "Authentication failed";
     const response = _serverjs.NextResponse.json({ error: message }, { status });
-    clearAuthCookies();
+    _chunkTH6FI2XIjs.clearAuthCookies.call(void 0, config);
     return response;
   }
 });
@@ -249,5 +304,12 @@ var handler = (authConfig = {}) => (request) => _chunkCRTRMMJ7js.__async.call(vo
 
 
 
-exports.auth = auth; exports.authMiddleware = authMiddleware; exports.createCivicAuthPlugin = _chunkWPISYQG3js.createCivicAuthPlugin; exports.getUser = getUser2; exports.handler = handler; exports.withAuth = withAuth;
+
+
+
+
+
+
+
+exports.NextjsClientStorage = _chunkTH6FI2XIjs.NextjsClientStorage; exports.NextjsCookieStorage = _chunkTH6FI2XIjs.NextjsCookieStorage; exports.auth = auth; exports.authMiddleware = authMiddleware; exports.clearAuthCookies = _chunkTH6FI2XIjs.clearAuthCookies; exports.createCivicAuthPlugin = _chunkTH6FI2XIjs.createCivicAuthPlugin; exports.createTokenCookies = _chunkTH6FI2XIjs.createTokenCookies; exports.createUserInfoCookie = _chunkTH6FI2XIjs.createUserInfoCookie; exports.defaultAuthConfig = _chunkTH6FI2XIjs.defaultAuthConfig; exports.getUser = getUser2; exports.handler = handler; exports.resolveAuthConfig = _chunkTH6FI2XIjs.resolveAuthConfig; exports.withAuth = withAuth;
 //# sourceMappingURL=nextjs.js.map

package/dist/nextjs.js.map

@@ -1 +1 @@
-{"version":3,"sources":["/Users/lucas/dev/civic/civic-auth/packages/civic-auth-client/dist/nextjs.js","../src/shared/UserSession.ts","../src/nextjs/cookies.ts","../src/nextjs/GetUser.ts","../src/nextjs/middleware.ts","../src/nextjs/routeHandler.ts"],"names":["getUser","NextResponse"],"mappings":"AAAA;AACE;AACA;AACA;AACA;AACA;AACF,sDAA4B;AAC5B;AACE;AACA;AACA;AACA;AACF,sDAA4B;AAC5B;AACE;AACF,sDAA4B;AAC5B;AACE;AACA;AACA;AACF,sDAA4B;AAC5B;AACA;ACbO,IAAM,mBAAA,EAAN,MAAgD;AAAA,EACrD,WAAA,CAAqB,OAAA,EAAsB;AAAtB,IAAA,IAAA,CAAA,QAAA,EAAA,OAAA;AAAA,EAAuB;AAAA,EAE5C,GAAA,CAAA,EAAmB;AACjB,IAAA,MAAM,KAAA,EAAO,IAAA,CAAK,OAAA,CAAQ,GAAA,CAAA,iBAA4B,CAAA;AACtD,IAAA,OAAO,KAAA,EAAO,IAAA,CAAK,KAAA,CAAM,IAAI,EAAA,EAAI,IAAA;AAAA,EACnC;AAAA,EAEA,GAAA,CAAI,IAAA,EAAyB;AAC3B,IAAA,MAAM,MAAA,EAAQ,KAAA,EAAO,IAAA,CAAK,SAAA,CAAU,IAAI,EAAA,EAAI,EAAA;AAC5C,IAAA,IAAA,CAAK,OAAA,CAAQ,GAAA,CAAA,iBAAA,EAA8B,KAAK,CAAA;AAAA,EAClD;AACF,CAAA;ADeA;AACA;AEjCA,4CAAwB;AA4ExB,IAAM,iBAAA,EAAmB,CAAA,EAAA,GAAY,sCAAA,KAAA,CAAA,EAAA,IAAA,EAAA,QAAA,EAAA,CAAA,EAAA;AAEnC,EAAA,MAAM,cAAA,EAAgB,IAAI,mBAAA,CAAoB,CAAA;AAC9C,EAAA,0CAAA,aAAyB,CAAA;AAGzB,EAAA,MAAM,cAAA,EAAgB,IAAI,mBAAA,CAAoB,CAAA;AAC9C,EAAA,MAAM,YAAA,EAAc,IAAI,kBAAA,CAAmB,aAAa,CAAA;AACxD,EAAA,WAAA,CAAY,GAAA,CAAI,IAAI,CAAA;AACtB,CAAA,CAAA;AAEA,IAAM,oBAAA,EAAN,MAAA,QAAkC,+BAAc;AAAA,EAC9C,WAAA,CAAY,OAAA,EAAyC,CAAC,CAAA,EAAG;AACvD,IAAA,KAAA,CAAM,4CAAA,6CAAA,CAAA,CAAA,EACD,MAAA,CAAA,EADC;AAAA,MAEJ,MAAA,EAAQ,IAAA;AAAA,MACR,QAAA,EAAU;AAAA,IACZ,CAAA,CAAC,CAAA;AAAA,EACH;AAAA,EAEA,GAAA,CAAI,GAAA,EAA4B;AApGlC,IAAA,IAAA,EAAA;AAqGI,IAAA,OAAA,CAAA,CAAO,GAAA,EAAA,gCAAA,CAAQ,CAAE,GAAA,CAAI,GAAG,CAAA,EAAA,GAAjB,KAAA,EAAA,KAAA,EAAA,EAAA,EAAA,CAAoB,KAAA,EAAA,GAAS,IAAA;AAAA,EACtC;AAAA,EAEA,GAAA,CAAI,GAAA,EAAa,KAAA,EAAqB;AACpC,IAAA,gCAAA,CAAQ,CAAE,GAAA,CAAI,GAAA,EAAK,KAAA,EAAO,IAAA,CAAK,QAAQ,CAAA;AAAA,EACzC;AACF,CAAA;AAEA,IAAM,oBAAA,EAAN,MAAA,QAAkC,+BAAc;AAAA,EAC9C,WAAA,CAAY,OAAA,EAAyC,CAAC,CAAA,EAAG;AACvD,IAAA,KAAA,CAAM,4CAAA,6CAAA,CAAA,CAAA,EACD,MAAA,CAAA,EADC;AAAA,MAEJ,MAAA,EAAQ,KAAA;AAAA,MACR,QAAA,EAAU;AAAA,IACZ,CAAA,CAAC,CAAA;AAAA,EACH;AAAA,EAEA,GAAA,CAAI,GAAA,EAA4B;AAtHlC,IAAA,IAAA,EAAA;AAuHI,IAAA,OAAA,CAAA,CAAO,GAAA,EAAA,gCAAA,CAAQ,CAAE,GAAA,CAAI,GAAG,CAAA,EAAA,GAAjB,KAAA,EAAA,KAAA,EAAA,EAAA,EAAA,CAAoB,KAAA,EAAA,GAAS,IAAA;AAAA,EACtC;AAAA,EAEA,GAAA,CAAI,GAAA,EAAa,KAAA,EAAqB;AACpC,IAAA,gCAAA,CAAQ,CAAE,GAAA,CAAI,GAAA,EAAK,KAAA,EAAO,IAAA,CAAK,QAAQ,CAAA;AAAA,EACzC;AACF,CAAA;AFjDA;AACA;AGtEO,IAAMA,SAAAA,EAAU,CAAA,EAAA,GAAmB;AACxC,EAAA,MAAM,cAAA,EAAgB,IAAI,mBAAA,CAAoB,CAAA;AAC9C,EAAA,MAAM,YAAA,EAAc,IAAI,kBAAA,CAAmB,aAAa,CAAA;AACxD,EAAA,OAAO,WAAA,CAAY,GAAA,CAAI,CAAA;AACzB,CAAA;AHwEA;AACA;AI/DA,0CAA0C;AAC1C,4FAAsB;AAgBtB,IAAM,UAAA,EAAY,CAAC,QAAA,EAAkB,WAAA,EAAA,GAAwB;AAC3D,EAAA,MAAM,QAAA,EAAU,iCAAA,WAAqB,CAAA;AACrC,EAAA,OAAO,OAAA,CAAQ,QAAQ,CAAA;AACzB,CAAA;AAOA,IAAM,aAAA,EAAe,CAAC,QAAA,EAAkB,QAAA,EAAA,GACtC,QAAA,CAAS,IAAA,CAAK,CAAC,OAAA,EAAA,GAAY;AACzB,EAAA,GAAA,CAAI,CAAC,OAAA,EAAS,OAAO,KAAA;AACrB,EAAA,OAAA,CAAQ,GAAA,CAAI,UAAA,EAAY;AAAA,IACtB,OAAA;AAAA,IACA,QAAA;AAAA,IACA,KAAA,EAAO,SAAA,CAAU,QAAA,EAAU,OAAO;AAAA,EACpC,CAAC,CAAA;AACD,EAAA,OAAO,SAAA,CAAU,QAAA,EAAU,OAAO,CAAA;AACpC,CAAC,CAAA;AAGH,IAAM,UAAA,EAAY,CAChB,UAAA,EACA,OAAA,EAAA,GACsC,sCAAA,KAAA,CAAA,EAAA,IAAA,EAAA,QAAA,EAAA,CAAA,EAAA;AACtC,EAAA,MAAM,uBAAA,EAAyB,gDAAA,UAA4B,CAAA;AAI3D,EAAA,MAAM,gBAAA,EAAkB,CAAC,CAAC,OAAA,CAAQ,OAAA,CAAQ,GAAA,CAAI,UAAU,CAAA;AAGxD,EAAA,GAAA,CAAI,OAAA,CAAQ,OAAA,CAAQ,SAAA,IAAa,sBAAA,CAAuB,QAAA,EAAU;AAChE,IAAA,OAAA,CAAQ,GAAA,CAAI,oDAA+C,CAAA;AAC3D,IAAA,OAAO,KAAA,CAAA;AAAA,EACT;AAEA,EAAA,GAAA,CAAI,CAAC,YAAA,CAAa,OAAA,CAAQ,OAAA,CAAQ,QAAA,EAAU,sBAAA,CAAuB,OAAO,CAAA,EAAG;AAC3E,IAAA,OAAA,CAAQ,GAAA,CAAI,2DAAsD,CAAA;AAClE,IAAA,OAAO,KAAA,CAAA;AAAA,EACT;AAEA,EAAA,GAAA,CAAI,YAAA,CAAa,OAAA,CAAQ,OAAA,CAAQ,QAAA,EAAU,sBAAA,CAAuB,OAAO,CAAA,EAAG;AAC1E,IAAA,OAAA,CAAQ,GAAA,CAAI,uDAAkD,CAAA;AAC9D,IAAA,OAAO,KAAA,CAAA;AAAA,EACT;AAGA,EAAA,GAAA,CAAI,CAAC,eAAA,EAAiB;AACpB,IAAA,OAAA,CAAQ,GAAA,CAAI,oDAA+C,CAAA;AAC3D,IAAA,MAAM,SAAA,EAAW,IAAI,GAAA,CAAI,sBAAA,CAAuB,QAAA,EAAU,OAAA,CAAQ,GAAG,CAAA;AACrE,IAAA,OAAO,sBAAA,CAAa,QAAA,CAAS,QAAQ,CAAA;AAAA,EACvC;AAEA,EAAA,OAAA,CAAQ,GAAA,CAAI,0BAAqB,CAAA;AACjC,EAAA,OAAO,KAAA,CAAA;AACT,CAAA,CAAA;AAUO,IAAM,eAAA,EACX,CAAC,WAAA,EAAa,kCAAA,EAAA,GACd,CAAO,OAAA,EAAA,GAAgD,sCAAA,KAAA,CAAA,EAAA,IAAA,EAAA,QAAA,EAAA,CAAA,EAAA;AACrD,EAAA,MAAM,SAAA,EAAW,MAAM,SAAA,CAAU,UAAA,EAAY,OAAO,CAAA;AACpD,EAAA,GAAA,CAAI,QAAA,EAAU,OAAO,QAAA;AAIrB,EAAA,OAAO,sBAAA,CAAa,IAAA,CAAK,CAAA;AAC3B,CAAA,CAAA;AAWK,SAAS,QAAA,CACd,UAAA,EACiD;AACjD,EAAA,OAAO,CAAO,OAAA,EAAA,GAAgD,sCAAA,IAAA,EAAA,IAAA,EAAA,QAAA,EAAA,CAAA,EAAA;AAC5D,IAAA,MAAM,SAAA,EAAW,MAAM,SAAA,CAAU,CAAC,CAAA,EAAG,OAAO,CAAA;AAC5C,IAAA,GAAA,CAAI,QAAA,EAAU,OAAO,QAAA;AACrB,IAAA,OAAO,UAAA,CAAW,OAAO,CAAA;AAAA,EAC3B,CAAA,CAAA;AACF;AAeO,SAAS,IAAA,CAAK,WAAA,EAAyB,CAAC,CAAA,EAAG;AAChD,EAAA,OAAO,CACL,UAAA,EAAA,GACsD;AACtD,IAAA,OAAO,CAAO,OAAA,EAAA,GAAgD,sCAAA,IAAA,EAAA,IAAA,EAAA,QAAA,EAAA,CAAA,EAAA;AAC5D,MAAA,MAAM,SAAA,EAAW,MAAM,SAAA,CAAU,UAAA,EAAY,OAAO,CAAA;AACpD,MAAA,GAAA,CAAI,QAAA,EAAU,OAAO,QAAA;AACrB,MAAA,OAAO,UAAA,CAAW,OAAO,CAAA;AAAA,IAC3B,CAAA,CAAA;AAAA,EACF,CAAA;AACF;AJdA;AACA;AKjJA;AACA,wCAA+B;AAc/B,IAAM,OAAA,EAAS,wBAAA,CAAQ,MAAA,CAAO,QAAA,CAAS,IAAA;AAEvC,IAAM,UAAA,EAAN,MAAA,QAAwB,MAAM;AAAA,EAC5B,WAAA,CACE,OAAA,EACgB,OAAA,EAAiB,GAAA,EACjC;AACA,IAAA,KAAA,CAAM,OAAO,CAAA;AAFG,IAAA,IAAA,CAAA,OAAA,EAAA,MAAA;AAGhB,IAAA,IAAA,CAAK,KAAA,EAAO,WAAA;AAAA,EACd;AACF,CAAA;AAOA,SAAe,eAAA,CAAA,EAAyC;AAAA,EAAA,OAAA,sCAAA,IAAA,EAAA,IAAA,EAAA,QAAA,EAAA,CAAA,EAAA;AACtD,IAAA,MAAM,cAAA,EAAgB,IAAI,mBAAA,CAAoB,CAAA;AAC9C,IAAA,MAAM,aAAA,EAAe,IAAI,qDAAA,CAAgC,aAAa,CAAA;AAEtE,IAAA,MAAM,UAAA,EAAY,MAAM,YAAA,CAAa,gBAAA,CAAiB,CAAA;AAEtD,IAAA,OAAOC,sBAAAA,CAAa,IAAA,CAAK,EAAE,MAAA,EAAQ,SAAA,EAAW,UAAU,CAAC,CAAA;AAAA,EAC3D,CAAA,CAAA;AAAA;AAEA,SAAe,cAAA,CACb,OAAA,EACA,MAAA,EACuB;AAAA,EAAA,OAAA,sCAAA,IAAA,EAAA,IAAA,EAAA,QAAA,EAAA,CAAA,EAAA;AACvB,IAAA,MAAM,KAAA,EAAO,OAAA,CAAQ,OAAA,CAAQ,YAAA,CAAa,GAAA,CAAI,MAAM,CAAA;AACpD,IAAA,MAAM,MAAA,EAAQ,OAAA,CAAQ,OAAA,CAAQ,YAAA,CAAa,GAAA,CAAI,OAAO,CAAA;AACtD,IAAA,GAAA,CAAI,CAAC,KAAA,GAAQ,CAAC,KAAA,EAAO,MAAM,IAAI,SAAA,CAAU,gBAAA,EAAkB,GAAG,CAAA;AAE9D,IAAA,MAAM,cAAA,EAAgB,IAAI,mBAAA,CAAoB,CAAA;AAE9C,IAAA,MAAM,gBAAA,EAAkB,gDAAA,MAAwB,CAAA;AAChD,IAAA,MAAM,YAAA,EAAc,iDAAA,eAAmB,EAAiB,OAAA,CAAQ,GAAG,CAAA;AAEnE,IAAA,IAAI;AACF,MAAA,MAAM,qDAAA,IAAuB,EAAM,KAAA,EAAO,aAAA,EAAe,4CAAA,6CAAA,CAAA,CAAA,EACpD,eAAA,CAAA,EADoD;AAAA,QAEvD,WAAA,EAAa;AAAA,MACf,CAAA,CAAC,CAAA;AAAA,IACH,EAAA,MAAA,CAAS,KAAA,EAAO;AACd,MAAA,MAAA,CAAO,KAAA,CAAM,wBAAA,EAA0B,KAAK,CAAA;AAC5C,MAAA,MAAM,IAAI,SAAA,CAAU,6BAAA,EAA+B,GAAG,CAAA;AAAA,IACxD;AAEA,IAAA,MAAM,KAAA,EAAO,MAAM,sCAAA,aAAqB,CAAA;AACxC,IAAA,GAAA,CAAI,CAAC,IAAA,EAAM;AACT,MAAA,MAAM,IAAI,SAAA,CAAU,yBAAA,EAA2B,GAAG,CAAA;AAAA,IACpD;AAEA,IAAA,MAAM,cAAA,EAAgB,IAAI,mBAAA,CAAoB,CAAA;AAC9C,IAAA,MAAM,YAAA,EAAc,IAAI,kBAAA,CAAmB,aAAa,CAAA;AAExD,IAAA,WAAA,CAAY,GAAA,CAAI,IAAI,CAAA;AAKpB,IAAA,MAAM,SAAA,EAAW,IAAIA,2BAAAA,CAAa,CAAA,aAAA,CAAe,CAAA;AACjD,IAAA,QAAA,CAAS,OAAA,CAAQ,GAAA,CAAI,cAAA,EAAgB,0BAA0B,CAAA;AAC/D,IAAA,OAAO,QAAA;AAAA,EACT,CAAA,CAAA;AAAA;AAQA,IAAM,wBAAA,EAA0B,CAC9B,YAAA,EACA,eAAA,EAAA,GACG;AAEH,EAAA,GAAA,CAAI,yBAAA,CAA0B,IAAA,CAAK,YAAY,CAAA,EAAG;AAChD,IAAA,OAAO,YAAA;AAAA,EACT;AACA,EAAA,OAAO,IAAI,GAAA,CAAI,YAAA,EAAc,eAAe,CAAA,CAAE,IAAA;AAChD,CAAA;AAEA,SAAe,YAAA,CACb,OAAA,EACA,MAAA,EACuB;AAAA,EAAA,OAAA,sCAAA,IAAA,EAAA,IAAA,EAAA,QAAA,EAAA,CAAA,EAAA;AAtGzB,IAAA,IAAA,EAAA;AAuGE,IAAA,MAAM,gBAAA,EAAkB,gDAAA,MAAwB,CAAA;AAChD,IAAA,MAAM,oBAAA,EAAA,CAAsB,GAAA,EAAA,eAAA,CAAgB,QAAA,EAAA,GAAhB,KAAA,EAAA,GAAA,EAA4B,GAAA;AACxD,IAAA,MAAM,eAAA,EACJ,IAAI,GAAA,CAAI,OAAA,CAAQ,GAAG,CAAA,CAAE,YAAA,CAAa,GAAA,CAAI,UAAU,EAAA,GAAK,mBAAA;AACvD,IAAA,MAAM,mBAAA,EAAqB,yBAAA,CAA0B,IAAA,CAAK,cAAc,CAAA;AACxE,IAAA,MAAM,iBAAA,EAAmB,uBAAA;AAAA,MACvB,cAAA;AAAA,MACA,IAAI,GAAA,CAAI,OAAA,CAAQ,GAAG,CAAA,CAAE;AAAA,IACvB,CAAA;AAEA,IAAA,MAAM,SAAA,EAAWA,sBAAAA,CAAa,QAAA,CAAS,gBAAgB,CAAA;AAEvD,IAAA,gBAAA,CAAiB,CAAA;AAEjB,IAAA,IAAI;AACF,MAAA,qCAAA,mBAAe,EAAqB,iBAAA,EAAmB,cAAc,CAAA;AAAA,IACvE,EAAA,MAAA,CAAS,KAAA,EAAO;AACd,MAAA,MAAA,CAAO,IAAA,CAAK,yCAAA,EAA2C,KAAK,CAAA;AAAA,IAC9D;AAEA,IAAA,OAAO,QAAA;AAAA,EACT,CAAA,CAAA;AAAA;AAcO,IAAM,QAAA,EACX,CAAC,WAAA,EAAa,CAAC,CAAA,EAAA,GACf,CAAO,OAAA,EAAA,GAAgD,sCAAA,KAAA,CAAA,EAAA,IAAA,EAAA,QAAA,EAAA,CAAA,EAAA;AACrD,EAAA,MAAM,OAAA,EAAS,gDAAA,UAA4B,CAAA;AAE3C,EAAA,IAAI;AACF,IAAA,MAAM,SAAA,EAAW,OAAA,CAAQ,OAAA,CAAQ,QAAA;AACjC,IAAA,MAAM,aAAA,EAAe,QAAA,CAAS,KAAA,CAAM,GAAG,CAAA;AACvC,IAAA,MAAM,YAAA,EAAc,YAAA,CAAa,YAAA,CAAa,OAAA,EAAS,CAAC,CAAA;AAExD,IAAA,OAAA,CAAQ,WAAA,EAAa;AAAA,MACnB,KAAK,WAAA;AACH,QAAA,OAAO,MAAM,eAAA,CAAgB,CAAA;AAAA,MAC/B,KAAK,UAAA;AACH,QAAA,OAAO,MAAM,cAAA,CAAe,OAAA,EAAS,MAAM,CAAA;AAAA,MAC7C,KAAK,QAAA;AACH,QAAA,OAAO,MAAM,YAAA,CAAa,OAAA,EAAS,MAAM,CAAA;AAAA,MAC3C,OAAA;AACE,QAAA,MAAM,IAAI,SAAA,CAAU,CAAA,oBAAA,EAAuB,QAAQ,CAAA,CAAA;AACvD,IAAA;AACc,EAAA;AAC2B,IAAA;AAES,IAAA;AAEjB,IAAA;AAEsB,IAAA;AAEtC,IAAA;AACV,IAAA;AACT,EAAA;AACF;AL0E0D;AACA;AACA;AACA;AACA;AACA;AACA;AACA","file":"/Users/lucas/dev/civic/civic-auth/packages/civic-auth-client/dist/nextjs.js","sourcesContent":[null,"import { AuthStorage } from \"@/server\";\nimport { User } from \"@/types\";\nimport { NextjsClientCookies } from \"./types\";\n\nexport interface UserSession {\n  get(): User | null;\n  set(user: User): void;\n}\n\nexport class GenericUserSession implements UserSession {\n  constructor(readonly storage: AuthStorage) {}\n\n  get(): User | null {\n    const user = this.storage.get(NextjsClientCookies.USER);\n    return user ? JSON.parse(user) : null;\n  }\n\n  set(user: User | null): void {\n    const value = user ? JSON.stringify(user) : \"\";\n    this.storage.set(NextjsClientCookies.USER, value);\n  }\n}\n","import { SessionData, UnknownObject, User } from \"@/types\";\nimport { NextResponse } from \"next/server\";\nimport { AuthConfig } from \"./config\";\nimport { CookieStorage, CookieStorageSettings } from \"@/server\";\nimport { cookies } from \"next/headers.js\";\nimport { GenericUserSession } from \"@/shared/UserSession\";\nimport { clearTokens } from \"@/shared/util\";\n\n/**\n * Creates HTTP-only cookies for authentication tokens\n */\nconst createTokenCookies = (\n  response: NextResponse,\n  sessionData: SessionData,\n  config: AuthConfig,\n) => {\n  const maxAge = sessionData.expiresIn ?? 3600;\n  const cookieOptions = {\n    ...config.cookies?.tokens,\n    maxAge,\n  };\n\n  if (sessionData.accessToken) {\n    response.cookies.set(\"access_token\", sessionData.accessToken, {\n      ...cookieOptions,\n      httpOnly: true,\n    });\n  }\n\n  if (sessionData.idToken) {\n    response.cookies.set(\"id_token\", sessionData.idToken, {\n      ...cookieOptions,\n      httpOnly: true,\n    });\n  }\n\n  if (sessionData.refreshToken) {\n    response.cookies.set(\"refresh_token\", sessionData.refreshToken, {\n      ...cookieOptions,\n      httpOnly: true,\n    });\n  }\n};\n\n/**\n * Creates a client-readable cookie with user info\n */\nconst createUserInfoCookie = (\n  response: NextResponse,\n  user: User<UnknownObject> | null,\n  sessionData: SessionData,\n  config: AuthConfig,\n) => {\n  if (!user) {\n    response.cookies.set(\"user\", \"\", {\n      ...config.cookies?.user,\n      maxAge: 0,\n    });\n    return;\n  }\n  const maxAge = sessionData.expiresIn ?? 3600;\n\n  // TODO select fields to include in the user cookie\n  const frontendUser = {\n    ...user,\n  };\n\n  // TODO make call to get user info from the\n  // auth server /userinfo endpoint when it's available\n  // then add to the default claims above\n\n  response.cookies.set(\"user\", JSON.stringify(frontendUser), {\n    ...config.cookies?.user,\n    maxAge,\n  });\n};\n\n/**\n * Clears all authentication cookies\n */\nconst clearAuthCookies = async () => {\n  // clear session, and tokens\n  const cookieStorage = new NextjsCookieStorage();\n  clearTokens(cookieStorage);\n\n  // clear user\n  const clientStorage = new NextjsClientStorage();\n  const userSession = new GenericUserSession(clientStorage);\n  userSession.set(null);\n};\n\nclass NextjsCookieStorage extends CookieStorage {\n  constructor(config: Partial<CookieStorageSettings> = {}) {\n    super({\n      ...config,\n      secure: true,\n      httpOnly: true,\n    });\n  }\n\n  get(key: string): string | null {\n    return cookies().get(key)?.value || null;\n  }\n\n  set(key: string, value: string): void {\n    cookies().set(key, value, this.settings);\n  }\n}\n\nclass NextjsClientStorage extends CookieStorage {\n  constructor(config: Partial<CookieStorageSettings> = {}) {\n    super({\n      ...config,\n      secure: false,\n      httpOnly: false,\n    });\n  }\n\n  get(key: string): string | null {\n    return cookies().get(key)?.value || null;\n  }\n\n  set(key: string, value: string): void {\n    cookies().set(key, value, this.settings);\n  }\n}\n\nexport {\n  createTokenCookies,\n  createUserInfoCookie,\n  clearAuthCookies,\n  NextjsCookieStorage,\n  NextjsClientStorage,\n};\n","/**\n * Used on the server-side to get the user object from the cookie\n */\nimport { User } from \"@/types\";\nimport { GenericUserSession } from \"@/shared/UserSession\";\nimport { NextjsClientStorage } from \"./cookies\";\n\nexport const getUser = (): User | null => {\n  const clientStorage = new NextjsClientStorage();\n  const userSession = new GenericUserSession(clientStorage);\n  return userSession.get();\n};\n","/**\n * Authenticates the user on all requests by checking the token cookie\n *\n * Usage:\n * Option 1: use if no other middleware (e.g. no next-intl etc)\n * export default authMiddleware();\n *\n * Option 2: use if other middleware is needed - default auth config\n * export default withAuth((request) => {\n *    console.log('in custom middleware', request.nextUrl.pathname);\n *    return NextResponse.next();\n * })\n *\n * Option 3: use if other middleware is needed - specifying auth config\n * const withCivicAuth = auth({ loginUrl: '/login', include: ['/[.*]/user'] })\n * export default withCivicAuth((request) => {\n *   console.log('in custom middleware', request.url);\n *   return NextResponse.next();\n * })\n *\n */\nimport { NextRequest, NextResponse } from \"next/server.js\";\nimport picomatch from \"picomatch\";\nimport {\n  AuthConfig,\n  defaultAuthConfig,\n  resolveAuthConfig,\n} from \"@/nextjs/config.js\";\n\ntype Middleware = (\n  request: NextRequest,\n) => Promise<NextResponse> | NextResponse;\n\n// Matches globs:\n// Examples:\n// /user\n// /user/*\n// /user/**/info\nconst matchGlob = (pathname: string, globPattern: string) => {\n  const matches = picomatch(globPattern);\n  return matches(pathname);\n};\n\n// Matches globs:\n// Examples:\n// /user\n// /user/*\n// /user/**/info\nconst matchesGlobs = (pathname: string, patterns: string[]) =>\n  patterns.some((pattern) => {\n    if (!pattern) return false;\n    console.log(\"matching\", {\n      pattern,\n      pathname,\n      match: matchGlob(pathname, pattern),\n    });\n    return matchGlob(pathname, pattern);\n  });\n\n// internal - used by all exported functions\nconst applyAuth = async (\n  authConfig: AuthConfig,\n  request: NextRequest,\n): Promise<NextResponse | undefined> => {\n  const authConfigWithDefaults = resolveAuthConfig(authConfig);\n\n  // Check for any valid auth token\n  // TODO check if token is not expired\n  const isAuthenticated = !!request.cookies.get(\"id_token\");\n\n  // skip auth check for login url\n  if (request.nextUrl.pathname === authConfigWithDefaults.loginUrl) {\n    console.log(\"→ Skipping auth check - this is the login URL\");\n    return undefined;\n  }\n\n  if (!matchesGlobs(request.nextUrl.pathname, authConfigWithDefaults.include)) {\n    console.log(\"→ Skipping auth check - path not in include patterns\");\n    return undefined;\n  }\n\n  if (matchesGlobs(request.nextUrl.pathname, authConfigWithDefaults.exclude)) {\n    console.log(\"→ Skipping auth check - path in exclude patterns\");\n    return undefined;\n  }\n\n  // Check for either token type\n  if (!isAuthenticated) {\n    console.log(\"→ No valid token found - redirecting to login\");\n    const loginUrl = new URL(authConfigWithDefaults.loginUrl, request.url);\n    return NextResponse.redirect(loginUrl);\n  }\n\n  console.log(\"→ Auth check passed\");\n  return undefined;\n};\n\n/**\n *\n * Use this when auth is the only middleware you need.\n * Usage:\n *\n * export default authMiddleware({ loginUrl = '/login' }); // or just authMiddleware();\n *\n */\nexport const authMiddleware =\n  (authConfig = defaultAuthConfig) =>\n  async (request: NextRequest): Promise<NextResponse> => {\n    const response = await applyAuth(authConfig, request);\n    if (response) return response;\n\n    // NextJS doesn't do middleware chaining yet, so this does not mean\n    // \"call the next middleware\" - it means \"continue to the route handler\"\n    return NextResponse.next();\n  };\n\n/**\n * Usage:\n *\n * export default withAuth(async (request) => {\n *    console.log('my middleware');\n *    return NextResponse.next();\n *  })\n */\n// use this when you have your own middleware to chain\nexport function withAuth(\n  middleware: Middleware,\n): (request: NextRequest) => Promise<NextResponse> {\n  return async (request: NextRequest): Promise<NextResponse> => {\n    const response = await applyAuth({}, request);\n    if (response) return response;\n    return middleware(request);\n  };\n}\n\n/**\n * Use this when you want to configure the middleware here (an alternative is to do it in the next.config file)\n *\n * Usage:\n *\n * const withAuth = auth({ loginUrl = '/login' }); // or just auth();\n *\n * export default withAuth(async (request) => {\n *    console.log('my middleware');\n *    return NextResponse.next();\n *  })\n *\n */\nexport function auth(authConfig: AuthConfig = {}) {\n  return (\n    middleware: Middleware,\n  ): ((request: NextRequest) => Promise<NextResponse>) => {\n    return async (request: NextRequest): Promise<NextResponse> => {\n      const response = await applyAuth(authConfig, request);\n      if (response) return response;\n      return middleware(request);\n    };\n  };\n}\n","import { NextRequest, NextResponse } from \"next/server.js\";\nimport { revalidatePath } from \"next/cache.js\";\nimport { AuthConfig, resolveAuthConfig } from \"@/nextjs/config.js\";\nimport { loggers } from \"@/lib/logger.js\";\nimport {\n  clearAuthCookies,\n  NextjsClientStorage,\n  NextjsCookieStorage,\n} from \"./cookies.js\";\nimport { GenericPublicClientPKCEProducer } from \"@/services/PKCE.js\";\nimport { resolveOAuthAccessCode } from \"@/server/login.js\";\nimport { getUser } from \"@/server/session.js\";\nimport { resolveCallbackUrl } from \"./utils.js\";\nimport { GenericUserSession } from \"@/shared/UserSession.js\";\n\nconst logger = loggers.nextjs.handlers.auth;\n\nclass AuthError extends Error {\n  constructor(\n    message: string,\n    public readonly status: number = 401,\n  ) {\n    super(message);\n    this.name = \"AuthError\";\n  }\n}\n\n/**\n * create a code verifier and challenge for PKCE\n * saving the verifier in a cookie for later use\n * @returns {Promise<NextResponse>}\n */\nasync function handleChallenge(): Promise<NextResponse> {\n  const cookieStorage = new NextjsCookieStorage();\n  const pkceProducer = new GenericPublicClientPKCEProducer(cookieStorage);\n\n  const challenge = await pkceProducer.getCodeChallenge();\n\n  return NextResponse.json({ status: \"success\", challenge });\n}\n\nasync function handleCallback(\n  request: NextRequest,\n  config: AuthConfig,\n): Promise<NextResponse> {\n  const code = request.nextUrl.searchParams.get(\"code\");\n  const state = request.nextUrl.searchParams.get(\"state\");\n  if (!code || !state) throw new AuthError(\"Bad parameters\", 400);\n\n  const cookieStorage = new NextjsCookieStorage();\n\n  const resolvedConfigs = resolveAuthConfig(config);\n  const callbackUrl = resolveCallbackUrl(resolvedConfigs, request.url);\n\n  try {\n    await resolveOAuthAccessCode(code, state, cookieStorage, {\n      ...resolvedConfigs,\n      redirectUrl: callbackUrl,\n    });\n  } catch (error) {\n    logger.error(\"Token exchange failed:\", error);\n    throw new AuthError(\"Failed to authenticate user\", 401);\n  }\n\n  const user = await getUser(cookieStorage);\n  if (!user) {\n    throw new AuthError(\"Failed to get user info\", 401);\n  }\n\n  const clientStorage = new NextjsClientStorage();\n  const userSession = new GenericUserSession(clientStorage);\n\n  userSession.set(user);\n\n  // return an empty HTML response so the iframe doesn't show any response\n  // in the short moment between the redirect and the parent window\n  // acknowledging the redirect and closing the iframe\n  const response = new NextResponse(`<html></html>`);\n  response.headers.set(\"Content-Type\", \"text/html; charset=utf-8\");\n  return response;\n}\n\n/**\n * If redirectPath is an absolute path, return it as-is.\n * Otherwise for relative paths, append it to the current domain.\n * @param redirectPath\n * @returns\n */\nconst getAbsoluteRedirectPath = (\n  redirectPath: string,\n  currentBasePath: string,\n) => {\n  // Check if the redirectPath is an absolute URL\n  if (/^(https?:\\/\\/|www\\.).+/i.test(redirectPath)) {\n    return redirectPath; // Return as-is if it's an absolute URL\n  }\n  return new URL(redirectPath, currentBasePath).href;\n};\n\nasync function handleLogout(\n  request: NextRequest,\n  config: AuthConfig,\n): Promise<NextResponse> {\n  const resolvedConfigs = resolveAuthConfig(config);\n  const defaultRedirectPath = resolvedConfigs.loginUrl ?? \"/\";\n  const redirectTarget =\n    new URL(request.url).searchParams.get(\"redirect\") || defaultRedirectPath;\n  const isAbsoluteRedirect = /^(https?:\\/\\/|www\\.).+/i.test(redirectTarget);\n  const finalRedirectUrl = getAbsoluteRedirectPath(\n    redirectTarget,\n    new URL(request.url).origin,\n  );\n\n  const response = NextResponse.redirect(finalRedirectUrl);\n\n  clearAuthCookies();\n\n  try {\n    revalidatePath(isAbsoluteRedirect ? finalRedirectUrl : redirectTarget);\n  } catch (error) {\n    logger.warn(\"Failed to revalidate path after logout:\", error);\n  }\n\n  return response;\n}\n\n/**\n * Creates an authentication handler for Next.js API routes\n *\n * Usage:\n * ```ts\n * // app/api/auth/[...civicauth]/route.ts\n * import { handler } from '@civic/auth/nextjs'\n * export const GET = handler({\n *   // optional config overrides\n * })\n * ```\n */\nexport const handler =\n  (authConfig = {}) =>\n  async (request: NextRequest): Promise<NextResponse> => {\n    const config = resolveAuthConfig(authConfig);\n\n    try {\n      const pathname = request.nextUrl.pathname;\n      const pathSegments = pathname.split(\"/\");\n      const lastSegment = pathSegments[pathSegments.length - 1];\n\n      switch (lastSegment) {\n        case \"challenge\":\n          return await handleChallenge();\n        case \"callback\":\n          return await handleCallback(request, config);\n        case \"logout\":\n          return await handleLogout(request, config);\n        default:\n          throw new AuthError(`Invalid auth route: ${pathname}`, 404);\n      }\n    } catch (error) {\n      logger.error(\"Auth handler error:\", error);\n\n      const status = error instanceof AuthError ? error.status : 500;\n      const message =\n        error instanceof Error ? error.message : \"Authentication failed\";\n\n      const response = NextResponse.json({ error: message }, { status });\n\n      clearAuthCookies();\n      return response;\n    }\n  };\n"]}
+{"version":3,"sources":["/Users/patrick/Code/civic-auth/packages/civic-auth-client/dist/nextjs.js","../src/nextjs/GetUser.ts","../src/nextjs/middleware.ts","../src/nextjs/routeHandler.ts"],"names":["getUser","NextResponse","response"],"mappings":"AAAA;AACE;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACF,sDAA4B;AAC5B;AACE;AACF,sDAA4B;AAC5B;AACE;AACA;AACA;AACA;AACA;AACA;AACA;AACF,sDAA4B;AAC5B;AACE;AACA;AACA;AACF,sDAA4B;AAC5B;AACA;ACtBO,IAAMA,SAAAA,EAAU,CAAA,EAAA,GAAmB;AAR1C,EAAA,IAAA,EAAA;AASE,EAAA,MAAM,cAAA,EAAgB,IAAI,yCAAA,CAAoB,CAAA;AAC9C,EAAA,MAAM,YAAA,EAAc,IAAI,wCAAA,CAAmB,aAAa,CAAA;AACxD,EAAA,MAAM,OAAA,EAAS,6CAAA,aAA4B,CAAA;AAC3C,EAAA,MAAM,KAAA,EAAO,WAAA,CAAY,GAAA,CAAI,CAAA;AAC7B,EAAA,GAAA,CAAI,CAAC,KAAA,GAAQ,CAAC,MAAA,EAAQ,OAAO,IAAA;AAE7B,EAAA,OAAO,4CAAA,6CAAA,CAAA,CAAA,EACF,IAAA,CAAA,EADE;AAAA,IAEL,OAAA,EAAS,MAAA,CAAO,QAAA;AAAA,IAChB,WAAA,EAAa,MAAA,CAAO,YAAA;AAAA,IACpB,YAAA,EAAA,CAAc,GAAA,EAAA,MAAA,CAAO,aAAA,EAAA,GAAP,KAAA,EAAA,GAAA,EAAwB;AAAA,EACxC,CAAA,CAAA;AACF,CAAA;ADuBA;AACA;AExBA,0CAA0C;AAC1C,4FAAsB;AAgBtB,IAAM,UAAA,EAAY,CAAC,QAAA,EAAkB,WAAA,EAAA,GAAwB;AAC3D,EAAA,MAAM,QAAA,EAAU,iCAAA,WAAqB,CAAA;AACrC,EAAA,OAAO,OAAA,CAAQ,QAAQ,CAAA;AACzB,CAAA;AAOA,IAAM,aAAA,EAAe,CAAC,QAAA,EAAkB,QAAA,EAAA,GACtC,QAAA,CAAS,IAAA,CAAK,CAAC,OAAA,EAAA,GAAY;AACzB,EAAA,GAAA,CAAI,CAAC,OAAA,EAAS,OAAO,KAAA;AACrB,EAAA,OAAA,CAAQ,GAAA,CAAI,UAAA,EAAY;AAAA,IACtB,OAAA;AAAA,IACA,QAAA;AAAA,IACA,KAAA,EAAO,SAAA,CAAU,QAAA,EAAU,OAAO;AAAA,EACpC,CAAC,CAAA;AACD,EAAA,OAAO,SAAA,CAAU,QAAA,EAAU,OAAO,CAAA;AACpC,CAAC,CAAA;AAGH,IAAM,UAAA,EAAY,CAChB,UAAA,EACA,OAAA,EAAA,GACsC,sCAAA,KAAA,CAAA,EAAA,IAAA,EAAA,QAAA,EAAA,CAAA,EAAA;AACtC,EAAA,MAAM,uBAAA,EAAyB,gDAAA,UAA4B,CAAA;AAE3D,EAAA,MAAM,gBAAA,EAAkB,CAAC,CAAC,OAAA,CAAQ,OAAA,CAAQ,GAAA,CAAI,UAAU,CAAA;AAGxD,EAAA,GAAA,CACE,OAAA,CAAQ,OAAA,CAAQ,SAAA,IAAa,sBAAA,CAAuB,SAAA,GACpD,OAAA,CAAQ,OAAA,IAAW,KAAA,EACnB;AACA,IAAA,OAAA,CAAQ,GAAA,CAAI,oDAA+C,CAAA;AAC3D,IAAA,OAAO,KAAA,CAAA;AAAA,EACT;AAEA,EAAA,GAAA,CAAI,CAAC,YAAA,CAAa,OAAA,CAAQ,OAAA,CAAQ,QAAA,EAAU,sBAAA,CAAuB,OAAO,CAAA,EAAG;AAC3E,IAAA,OAAA,CAAQ,GAAA,CAAI,2DAAsD,CAAA;AAClE,IAAA,OAAO,KAAA,CAAA;AAAA,EACT;AAEA,EAAA,GAAA,CAAI,YAAA,CAAa,OAAA,CAAQ,OAAA,CAAQ,QAAA,EAAU,sBAAA,CAAuB,OAAO,CAAA,EAAG;AAC1E,IAAA,OAAA,CAAQ,GAAA,CAAI,uDAAkD,CAAA;AAC9D,IAAA,OAAO,KAAA,CAAA;AAAA,EACT;AAGA,EAAA,GAAA,CAAI,CAAC,eAAA,EAAiB;AACpB,IAAA,MAAM,SAAA,EAAW,IAAI,GAAA,CAAI,sBAAA,CAAuB,QAAA,EAAU,OAAA,CAAQ,GAAG,CAAA;AACrE,IAAA,OAAA,CAAQ,GAAA,CAAI,oDAAA,EAAiD,QAAQ,CAAA;AACrE,IAAA,OAAO,sBAAA,CAAa,QAAA,CAAS,QAAQ,CAAA;AAAA,EACvC;AAEA,EAAA,OAAA,CAAQ,GAAA,CAAI,0BAAqB,CAAA;AACjC,EAAA,OAAO,KAAA,CAAA;AACT,CAAA,CAAA;AAUO,IAAM,eAAA,EACX,CAAC,WAAA,EAAa,kCAAA,EAAA,GACd,CAAO,OAAA,EAAA,GAAgD,sCAAA,KAAA,CAAA,EAAA,IAAA,EAAA,QAAA,EAAA,CAAA,EAAA;AACrD,EAAA,MAAM,SAAA,EAAW,MAAM,SAAA,CAAU,UAAA,EAAY,OAAO,CAAA;AACpD,EAAA,GAAA,CAAI,QAAA,EAAU,OAAO,QAAA;AAIrB,EAAA,OAAO,sBAAA,CAAa,IAAA,CAAK,CAAA;AAC3B,CAAA,CAAA;AAWK,SAAS,QAAA,CACd,UAAA,EACiD;AACjD,EAAA,OAAO,CAAO,OAAA,EAAA,GAAgD,sCAAA,IAAA,EAAA,IAAA,EAAA,QAAA,EAAA,CAAA,EAAA;AAC5D,IAAA,MAAM,SAAA,EAAW,MAAM,SAAA,CAAU,CAAC,CAAA,EAAG,OAAO,CAAA;AAC5C,IAAA,GAAA,CAAI,QAAA,EAAU,OAAO,QAAA;AAErB,IAAA,OAAO,UAAA,CAAW,OAAO,CAAA;AAAA,EAC3B,CAAA,CAAA;AACF;AAeO,SAAS,IAAA,CAAK,WAAA,EAAyB,CAAC,CAAA,EAAG;AAChD,EAAA,OAAO,CACL,UAAA,EAAA,GACsD;AACtD,IAAA,OAAO,CAAO,OAAA,EAAA,GAAgD,sCAAA,IAAA,EAAA,IAAA,EAAA,QAAA,EAAA,CAAA,EAAA;AAC5D,MAAA,MAAM,SAAA,EAAW,MAAM,SAAA,CAAU,UAAA,EAAY,OAAO,CAAA;AACpD,MAAA,GAAA,CAAI,QAAA,EAAU,OAAO,QAAA;AAErB,MAAA,OAAO,UAAA,CAAW,OAAO,CAAA;AAAA,IAC3B,CAAA,CAAA;AAAA,EACF,CAAA;AACF;AFxDA;AACA;AG1GA;AACA,wCAA+B;AAkB/B,4CAAwB;AAGxB,IAAM,OAAA,EAAS,wBAAA,CAAQ,MAAA,CAAO,QAAA,CAAS,IAAA;AAEvC,IAAM,UAAA,EAAN,MAAA,QAAwB,MAAM;AAAA,EAC5B,WAAA,CACE,OAAA,EACgB,OAAA,EAAiB,GAAA,EACjC;AACA,IAAA,KAAA,CAAM,OAAO,CAAA;AAFG,IAAA,IAAA,CAAA,OAAA,EAAA,MAAA;AAGhB,IAAA,IAAA,CAAK,KAAA,EAAO,WAAA;AAAA,EACd;AACF,CAAA;AAOA,SAAe,eAAA,CACb,OAAA,EACA,MAAA,EACuB;AAAA,EAAA,OAAA,sCAAA,IAAA,EAAA,IAAA,EAAA,QAAA,EAAA,CAAA,EAAA;AA1CzB,IAAA,IAAA,EAAA,EAAA,EAAA;AA2CE,IAAA,MAAM,cAAA,EAAgB,IAAI,yCAAA,CAAA,CAAoB,GAAA,EAAA,CAAA,GAAA,EAAA,MAAA,CAAO,OAAA,EAAA,GAAP,KAAA,EAAA,KAAA,EAAA,EAAA,EAAA,CAAgB,MAAA,EAAA,GAAhB,KAAA,EAAA,GAAA,EAA0B,CAAC,CAAC,CAAA;AAC1E,IAAA,MAAM,aAAA,EAAe,IAAI,qDAAA,CAAgC,aAAa,CAAA;AAEtE,IAAA,MAAM,UAAA,EAAY,MAAM,YAAA,CAAa,gBAAA,CAAiB,CAAA;AACtD,IAAA,MAAM,OAAA,EAAS,OAAA,CAAQ,OAAA,CAAQ,YAAA,CAAa,GAAA,CAAI,QAAQ,CAAA;AACxD,IAAA,GAAA,CAAI,MAAA,EAAQ;AACV,MAAA,aAAA,CAAc,GAAA,CAAA,uBAAA,EAA0B,MAAM,CAAA;AAAA,IAChD;AACA,IAAA,OAAOC,sBAAAA,CAAa,IAAA,CAAK,EAAE,MAAA,EAAQ,SAAA,EAAW,UAAU,CAAC,CAAA;AAAA,EAC3D,CAAA,CAAA;AAAA;AAEA,SAAe,iCAAA,CACb,OAAA,EACA,MAAA,EACA,IAAA,EACA,KAAA,EACA,MAAA,EACA;AAAA,EAAA,OAAA,sCAAA,IAAA,EAAA,IAAA,EAAA,QAAA,EAAA,CAAA,EAAA;AACA,IAAA,MAAM,gBAAA,EAAkB,gDAAA,MAAwB,CAAA;AAChD,IAAA,MAAM,cAAA,EAAgB,IAAI,yCAAA,CAAoB,eAAA,CAAgB,OAAA,CAAQ,MAAM,CAAA;AAE5E,IAAA,MAAM,YAAA,EAAc,iDAAA,eAAmB,EAAiB,MAAM,CAAA;AAC9D,IAAA,IAAI;AACF,MAAA,MAAM,qDAAA,IAAuB,EAAM,KAAA,EAAO,aAAA,EAAe,4CAAA,6CAAA,CAAA,CAAA,EACpD,eAAA,CAAA,EADoD;AAAA,QAEvD,WAAA,EAAa;AAAA,MACf,CAAA,CAAC,CAAA;AAAA,IACH,EAAA,MAAA,CAAS,KAAA,EAAO;AACd,MAAA,MAAA,CAAO,KAAA,CAAM,wBAAA,EAA0B,KAAK,CAAA;AAC5C,MAAA,MAAM,IAAI,SAAA,CAAU,6BAAA,EAA+B,GAAG,CAAA;AAAA,IACxD;AAEA,IAAA,MAAM,KAAA,EAAO,MAAM,sCAAA,aAAqB,CAAA;AACxC,IAAA,GAAA,CAAI,CAAC,IAAA,EAAM;AACT,MAAA,MAAM,IAAI,SAAA,CAAU,yBAAA,EAA2B,GAAG,CAAA;AAAA,IACpD;AAEA,IAAA,MAAM,cAAA,EAAgB,IAAI,yCAAA,CAAoB,CAAA;AAC9C,IAAA,MAAM,YAAA,EAAc,IAAI,wCAAA,CAAmB,aAAa,CAAA;AACxD,IAAA,WAAA,CAAY,GAAA,CAAI,IAAI,CAAA;AAAA,EACtB,CAAA,CAAA;AAAA;AACA,SAAe,cAAA,CACb,OAAA,EACA,MAAA,EACuB;AAAA,EAAA,OAAA,sCAAA,IAAA,EAAA,IAAA,EAAA,QAAA,EAAA,CAAA,EAAA;AAvFzB,IAAA,IAAA,EAAA;AAwFE,IAAA,MAAM,gBAAA,EAAkB,gDAAA,MAAwB,CAAA;AAChD,IAAA,OAAA,CAAQ,GAAA,CAAI,gBAAA,EAAkB,EAAE,OAAA,EAAS,gBAAgB,CAAC,CAAA;AAC1D,IAAA,MAAM,KAAA,EAAO,OAAA,CAAQ,OAAA,CAAQ,YAAA,CAAa,GAAA,CAAI,MAAM,CAAA;AACpD,IAAA,MAAM,MAAA,EAAQ,OAAA,CAAQ,OAAA,CAAQ,YAAA,CAAa,GAAA,CAAI,OAAO,EAAA,GAAK,EAAA;AAC3D,IAAA,GAAA,CAAI,CAAC,KAAA,GAAQ,CAAC,KAAA,EAAO,MAAM,IAAI,SAAA,CAAU,gBAAA,EAAkB,GAAG,CAAA;AAK9D,IAAA,MAAM,OAAA,EAAA,CAAA,CACJ,GAAA,EAAA,OAAA,CAAQ,OAAA,CAAQ,GAAA,CAAA,uBAAwB,CAAA,EAAA,GAAxC,KAAA,EAAA,KAAA,EAAA,EAAA,EAAA,CAA2C,KAAA,EAAA,GAC3C,OAAA,CAAQ,OAAA,CAAQ,YAAA,CAAa,GAAA,CAAI,QAAQ,CAAA;AAM3C,IAAA,OAAA,CAAQ,GAAA,CAAI,gBAAA,EAAkB;AAAA,MAC5B,IAAA;AAAA,MACA,KAAA;AAAA,MACA,OAAA,EAAS,gCAAA,CAAQ;AAAA,MACjB;AAAA,IACF,CAAC,CAAA;AAED,IAAA,MAAM,aAAA,EAAe,OAAA,CAAQ,OAAA,CAAQ,GAAA,CAAA,iCAA4B,CAAA;AAEjE,IAAA,GAAA,CAAI,CAAC,aAAA,GAAgB,CAAC,MAAA,EAAQ;AAC5B,MAAA,OAAA,CAAQ,GAAA,CAAI,uCAAA,EAAyC;AAAA,QACnD,KAAA;AAAA,QACA,mBAAA,EAAqB,2DAAA,CAA6B,EAAA;AACnD,MAAA;AACkBA,MAAAA;AACyB,QAAA;AAC5C,MAAA;AAMkD,MAAA;AACxC,QAAA;AACN,UAAA;AACA,UAAA;AACsB,YAAA;AACe,YAAA;AACrC,UAAA;AACF,QAAA;AAGsC,QAAA;AACa,QAAA;AACpCA,QAAAA;AACb,UAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAMqC,mCAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,QAAA;AAevC,QAAA;AACF,MAAA;AACqC,MAAA;AAC7B,MAAA;AACN,QAAA;AACF,MAAA;AACOC,MAAAA;AACT,IAAA;AAEM,IAAA;AACJ,MAAA;AACA,MAAA;AACA,MAAA;AACA,MAAA;AACA,MAAA;AACF,IAAA;AAEyB,IAAA;AACf,MAAA;AACN,QAAA;AACA,QAAA;AACF,MAAA;AACyB,MAAA;AACf,QAAA;AACK,QAAA;AACd,MAAA;AACH,IAAA;AAGyC,IAAA;AAC/B,MAAA;AACN,QAAA;AACA,QAAA;AACF,MAAA;AACa,MAAA;AACK,QAAA;AAClB,MAAA;AACwC,MAAA;AAC1C,IAAA;AAIqBD,IAAAA;AACiB,MAAA;AACtC,IAAA;AACqC,IAAA;AAC9B,IAAA;AACT,EAAA;AAAA;AAUE;AAMuB;AAAA,EAAA;AAhOzB,IAAA;AAiOkD,IAAA;AACJ,IAAA;AAErB,IAAA;AAE8B,IAAA;AAEL,IAAA;AAG5C,IAAA;AAEE,MAAA;AAC+B,MAAA;AACjC,IAAA;AAEmC,IAAA;AAEhB,IAAA;AAEnB,IAAA;AACkC,MAAA;AACtB,IAAA;AACF,MAAA;AACd,IAAA;AAEO,IAAA;AACT,EAAA;AAAA;AAgByD;AACV,EAAA;AAEvC,EAAA;AAC+B,IAAA;AACM,IAAA;AACgB,IAAA;AAElC,IAAA;AACd,MAAA;AACyC,QAAA;AACzC,MAAA;AACwC,QAAA;AACxC,MAAA;AACsC,QAAA;AAC3C,MAAA;AACqD,QAAA;AACvD,IAAA;AACc,EAAA;AAC2B,IAAA;AAES,IAAA;AAEjB,IAAA;AAEmB,IAAA;AAE7B,IAAA;AAChB,IAAA;AACT,EAAA;AACF;AHCyD;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA","file":"/Users/patrick/Code/civic-auth/packages/civic-auth-client/dist/nextjs.js","sourcesContent":[null,"/**\n * Used on the server-side to get the user object from the cookie\n */\nimport { User } from \"@/types\";\nimport { GenericUserSession } from \"@/shared/UserSession\";\nimport { NextjsClientStorage } from \"@/nextjs/cookies\";\nimport { retrieveTokens } from \"@/shared/util\";\n\nexport const getUser = (): User | null => {\n  const clientStorage = new NextjsClientStorage();\n  const userSession = new GenericUserSession(clientStorage);\n  const tokens = retrieveTokens(clientStorage);\n  const user = userSession.get();\n  if (!user || !tokens) return null;\n\n  return {\n    ...user!,\n    idToken: tokens.id_token,\n    accessToken: tokens.access_token,\n    refreshToken: tokens.refresh_token ?? \"\",\n  } as User;\n};\n","/**\n * Authenticates the user on all requests by checking the token cookie\n *\n * Usage:\n * Option 1: use if no other middleware (e.g. no next-intl etc)\n * export default authMiddleware();\n *\n * Option 2: use if other middleware is needed - default auth config\n * export default withAuth((request) => {\n *    console.log('in custom middleware', request.nextUrl.pathname);\n *    return NextResponse.next();\n * })\n *\n * Option 3: use if other middleware is needed - specifying auth config\n * const withCivicAuth = auth({ loginUrl: '/login', include: ['/[.*]/user'] })\n * export default withCivicAuth((request) => {\n *   console.log('in custom middleware', request.url);\n *   return NextResponse.next();\n * })\n *\n */\nimport { NextRequest, NextResponse } from \"next/server.js\";\nimport picomatch from \"picomatch\";\nimport {\n  AuthConfig,\n  defaultAuthConfig,\n  resolveAuthConfig,\n} from \"@/nextjs/config.js\";\n\ntype Middleware = (\n  request: NextRequest,\n) => Promise<NextResponse> | NextResponse;\n\n// Matches globs:\n// Examples:\n// /user\n// /user/*\n// /user/**/info\nconst matchGlob = (pathname: string, globPattern: string) => {\n  const matches = picomatch(globPattern);\n  return matches(pathname);\n};\n\n// Matches globs:\n// Examples:\n// /user\n// /user/*\n// /user/**/info\nconst matchesGlobs = (pathname: string, patterns: string[]) =>\n  patterns.some((pattern) => {\n    if (!pattern) return false;\n    console.log(\"matching\", {\n      pattern,\n      pathname,\n      match: matchGlob(pathname, pattern),\n    });\n    return matchGlob(pathname, pattern);\n  });\n\n// internal - used by all exported functions\nconst applyAuth = async (\n  authConfig: AuthConfig,\n  request: NextRequest,\n): Promise<NextResponse | undefined> => {\n  const authConfigWithDefaults = resolveAuthConfig(authConfig);\n  // Check for any valid auth token\n  const isAuthenticated = !!request.cookies.get(\"id_token\");\n\n  // skip auth check for redirect to login url\n  if (\n    request.nextUrl.pathname === authConfigWithDefaults.loginUrl &&\n    request.method === \"GET\"\n  ) {\n    console.log(\"→ Skipping auth check - this is the login URL\");\n    return undefined;\n  }\n\n  if (!matchesGlobs(request.nextUrl.pathname, authConfigWithDefaults.include)) {\n    console.log(\"→ Skipping auth check - path not in include patterns\");\n    return undefined;\n  }\n\n  if (matchesGlobs(request.nextUrl.pathname, authConfigWithDefaults.exclude)) {\n    console.log(\"→ Skipping auth check - path in exclude patterns\");\n    return undefined;\n  }\n\n  // Check for either token type\n  if (!isAuthenticated) {\n    const loginUrl = new URL(authConfigWithDefaults.loginUrl, request.url);\n    console.log(\"→ No valid token found - redirecting to login\", loginUrl);\n    return NextResponse.redirect(loginUrl);\n  }\n\n  console.log(\"→ Auth check passed\");\n  return undefined;\n};\n\n/**\n *\n * Use this when auth is the only middleware you need.\n * Usage:\n *\n * export default authMiddleware({ loginUrl = '/login' }); // or just authMiddleware();\n *\n */\nexport const authMiddleware =\n  (authConfig = defaultAuthConfig) =>\n  async (request: NextRequest): Promise<NextResponse> => {\n    const response = await applyAuth(authConfig, request);\n    if (response) return response;\n\n    // NextJS doesn't do middleware chaining yet, so this does not mean\n    // \"call the next middleware\" - it means \"continue to the route handler\"\n    return NextResponse.next();\n  };\n\n/**\n * Usage:\n *\n * export default withAuth(async (request) => {\n *    console.log('my middleware');\n *    return NextResponse.next();\n *  })\n */\n// use this when you have your own middleware to chain\nexport function withAuth(\n  middleware: Middleware,\n): (request: NextRequest) => Promise<NextResponse> {\n  return async (request: NextRequest): Promise<NextResponse> => {\n    const response = await applyAuth({}, request);\n    if (response) return response;\n\n    return middleware(request);\n  };\n}\n\n/**\n * Use this when you want to configure the middleware here (an alternative is to do it in the next.config file)\n *\n * Usage:\n *\n * const withAuth = auth({ loginUrl = '/login' }); // or just auth();\n *\n * export default withAuth(async (request) => {\n *    console.log('my middleware');\n *    return NextResponse.next();\n *  })\n *\n */\nexport function auth(authConfig: AuthConfig = {}) {\n  return (\n    middleware: Middleware,\n  ): ((request: NextRequest) => Promise<NextResponse>) => {\n    return async (request: NextRequest): Promise<NextResponse> => {\n      const response = await applyAuth(authConfig, request);\n      if (response) return response;\n\n      return middleware(request);\n    };\n  };\n}\n","import { NextRequest, NextResponse } from \"next/server.js\";\nimport { revalidatePath } from \"next/cache.js\";\nimport { AuthConfig, resolveAuthConfig } from \"@/nextjs/config.js\";\nimport { loggers } from \"@/lib/logger.js\";\nimport {\n  clearAuthCookies,\n  NextjsClientStorage,\n  NextjsCookieStorage,\n} from \"@/nextjs/cookies.js\";\nimport { GenericPublicClientPKCEProducer } from \"@/services/PKCE.js\";\nimport { resolveOAuthAccessCode } from \"@/server/login.js\";\nimport { getUser } from \"@/shared/session.js\";\nimport { resolveCallbackUrl } from \"@/nextjs/utils.js\";\nimport { GenericUserSession } from \"@/shared/UserSession.js\";\nimport {\n  TOKEN_EXCHANGE_SUCCESS_TEXT,\n  TOKEN_EXCHANGE_TRIGGER_TEXT,\n} from \"@/constants.js\";\nimport { serverTokenExchangeFromState } from \"@/lib/oauth.js\";\nimport { cookies } from \"next/headers.js\";\nimport { CodeVerifier } from \"@/shared/types\";\n\nconst logger = loggers.nextjs.handlers.auth;\n\nclass AuthError extends Error {\n  constructor(\n    message: string,\n    public readonly status: number = 401,\n  ) {\n    super(message);\n    this.name = \"AuthError\";\n  }\n}\n\n/**\n * create a code verifier and challenge for PKCE\n * saving the verifier in a cookie for later use\n * @returns {Promise<NextResponse>}\n */\nasync function handleChallenge(\n  request: NextRequest,\n  config: AuthConfig,\n): Promise<NextResponse> {\n  const cookieStorage = new NextjsCookieStorage(config.cookies?.tokens ?? {});\n  const pkceProducer = new GenericPublicClientPKCEProducer(cookieStorage);\n\n  const challenge = await pkceProducer.getCodeChallenge();\n  const appUrl = request.nextUrl.searchParams.get(\"appUrl\");\n  if (appUrl) {\n    cookieStorage.set(CodeVerifier.APP_URL, appUrl);\n  }\n  return NextResponse.json({ status: \"success\", challenge });\n}\n\nasync function performTokenExchangeAndSetCookies(\n  request: NextRequest,\n  config: AuthConfig,\n  code: string,\n  state: string,\n  appUrl: string,\n) {\n  const resolvedConfigs = resolveAuthConfig(config);\n  const cookieStorage = new NextjsCookieStorage(resolvedConfigs.cookies.tokens);\n\n  const callbackUrl = resolveCallbackUrl(resolvedConfigs, appUrl);\n  try {\n    await resolveOAuthAccessCode(code, state, cookieStorage, {\n      ...resolvedConfigs,\n      redirectUrl: callbackUrl,\n    });\n  } catch (error) {\n    logger.error(\"Token exchange failed:\", error);\n    throw new AuthError(\"Failed to authenticate user\", 401);\n  }\n\n  const user = await getUser(cookieStorage);\n  if (!user) {\n    throw new AuthError(\"Failed to get user info\", 401);\n  }\n\n  const clientStorage = new NextjsClientStorage();\n  const userSession = new GenericUserSession(clientStorage);\n  userSession.set(user);\n}\nasync function handleCallback(\n  request: NextRequest,\n  config: AuthConfig,\n): Promise<NextResponse> {\n  const resolvedConfigs = resolveAuthConfig(config);\n  console.log(\"handleCallback\", { request, resolvedConfigs });\n  const code = request.nextUrl.searchParams.get(\"code\");\n  const state = request.nextUrl.searchParams.get(\"state\") || \"\";\n  if (!code || !state) throw new AuthError(\"Bad parameters\", 400);\n\n  // appUrl is passed from the client to the server in the query string\n  // this is necessary because the server does not have access to the client's window.location.origin\n  // and can not accurately determine the appUrl (specially if the app is behind a reverse proxy)\n  const appUrl =\n    request.cookies.get(CodeVerifier.APP_URL)?.value ||\n    request.nextUrl.searchParams.get(\"appUrl\");\n\n  // If we have a code_verifier cookie and the appUrl, we can do a token exchange.\n  // Otherwise, just render an empty page.\n  // The initial redirect back from the auth server does not send cookies, because the redirect is from a 3rd-party domain.\n  // The client will make an additional call to this route with cookies included, at which point we do the token exchange.\n  console.log(\"handleCallback\", {\n    code,\n    state,\n    cookies: cookies(),\n    appUrl,\n  });\n\n  const codeVerifier = request.cookies.get(CodeVerifier.COOKIE_NAME);\n\n  if (!codeVerifier || !appUrl) {\n    console.log(\"handleCallback no code_verifier found\", {\n      state,\n      serverTokenExchange: serverTokenExchangeFromState(`${state}`),\n    });\n    let response = new NextResponse(\n      `<html><body><span style=\"display:none\">${TOKEN_EXCHANGE_TRIGGER_TEXT}</span></body></html>`,\n    );\n\n    // in server-side token exchange mode we need to launch a page that will trigger the token exchange\n    // from the same domain, allowing it access to the code_verifier cookie\n    // we only need to do this in redirect mode, as the iframe already triggers a client-side token exchange\n    // if no code-verifier cookie is found\n    if (state && serverTokenExchangeFromState(state)) {\n      console.log(\n        \"handleCallback serverTokenExchangeFromState, launching redirect page...\",\n        {\n          requestUrl: request.url,\n          configCallbackUrl: resolvedConfigs.callbackUrl,\n        },\n      );\n      // we need to replace the URL with resolved config in case the server is hosted\n      // behind a reverse proxy or load balancer\n      const requestUrl = new URL(request.url);\n      const fetchUrl = `${resolvedConfigs.callbackUrl}?${requestUrl.searchParams.toString()}&sameDomainServerTokenExchange=true`;\n      response = new NextResponse(\n        `<html>\n            <body>\n                <span style=\"display:none\">\n                    <script>\n                        window.onload = function () {\n                            const appUrl = globalThis.window?.location?.origin;\n                            fetch('${fetchUrl}&appUrl=' + appUrl).then((response) => {\n                                response.json().then((jsonResponse) => {\n                                    console.log('fetch jsonResponse', jsonResponse);\n                                    if (jsonResponse.redirectUrl) {\n                                        console.log('handleCallback serverTokenExchangeFromState, redirecting');\n                                        window.location.href = jsonResponse.redirectUrl;\n                                    }\n                                });\n                            });\n                        };\n                    </script>\n                </span>\n            </body>\n        </html>\n        `,\n      );\n    }\n    response.headers.set(\"Content-Type\", \"text/html; charset=utf-8\");\n    console.log(\n      `handleCallback no code_verifier found, returning ${TOKEN_EXCHANGE_TRIGGER_TEXT}`,\n    );\n    return response;\n  }\n\n  await performTokenExchangeAndSetCookies(\n    request,\n    resolvedConfigs,\n    code,\n    state,\n    appUrl,\n  );\n\n  if (request.url.includes(\"sameDomainServerTokenExchange=true\")) {\n    console.log(\n      \"handleCallback sameDomainServerTokenExchange = true, returnining redirectUrl\",\n      appUrl,\n    );\n    return NextResponse.json({\n      status: \"success\",\n      redirectUrl: appUrl,\n    });\n  }\n\n  // this is the case where a 'normal' redirect is happening\n  if (serverTokenExchangeFromState(state)) {\n    console.log(\n      \"handleCallback serverTokenExchangeFromState, redirect to appUrl\",\n      appUrl,\n    );\n    if (!appUrl) {\n      throw new Error(\"appUrl undefined. Cannot redirect.\");\n    }\n    return NextResponse.redirect(`${appUrl}`);\n  }\n  // return an empty HTML response so the iframe doesn't show any response\n  // in the short moment between the redirect and the parent window\n  // acknowledging the redirect and closing the iframe\n  const response = new NextResponse(\n    `<html><span style=\"display:none\">${TOKEN_EXCHANGE_SUCCESS_TEXT}</span></html>`,\n  );\n  response.headers.set(\"Content-Type\", \"text/html; charset=utf-8\");\n  return response;\n}\n\n/**\n * If redirectPath is an absolute path, return it as-is.\n * Otherwise for relative paths, append it to the current domain.\n * @param redirectPath\n * @returns\n */\nconst getAbsoluteRedirectPath = (\n  redirectPath: string,\n  currentBasePath: string,\n) => new URL(redirectPath, currentBasePath).href;\n\nexport async function handleLogout(\n  request: NextRequest,\n  config: AuthConfig,\n): Promise<NextResponse> {\n  const resolvedConfigs = resolveAuthConfig(config);\n  const defaultRedirectPath = resolvedConfigs.loginUrl ?? \"/\";\n  const redirectTarget =\n    new URL(request.url).searchParams.get(\"redirect\") || defaultRedirectPath;\n\n  const isAbsoluteRedirect = /^(https?:\\/\\/|www\\.).+/i.test(redirectTarget);\n\n  const appUrl = request.nextUrl.searchParams.get(\"appUrl\");\n\n  const finalRedirectUrl = isAbsoluteRedirect\n    ? redirectTarget\n    : getAbsoluteRedirectPath(\n        redirectTarget,\n        new URL(appUrl ?? request.url).origin,\n      );\n\n  const response = NextResponse.redirect(finalRedirectUrl);\n\n  clearAuthCookies(config);\n\n  try {\n    revalidatePath(isAbsoluteRedirect ? finalRedirectUrl : redirectTarget);\n  } catch (error) {\n    logger.warn(\"Failed to revalidate path after logout:\", error);\n  }\n\n  return response;\n}\n\n/**\n * Creates an authentication handler for Next.js API routes\n *\n * Usage:\n * ```ts\n * // app/api/auth/[...civicauth]/route.ts\n * import { handler } from '@civic/auth/nextjs'\n * export const GET = handler({\n *   // optional config overrides\n * })\n * ```\n */\nexport const handler =\n  (authConfig = {}) =>\n  async (request: NextRequest): Promise<NextResponse> => {\n    const config = resolveAuthConfig(authConfig);\n\n    try {\n      const pathname = request.nextUrl.pathname;\n      const pathSegments = pathname.split(\"/\");\n      const lastSegment = pathSegments[pathSegments.length - 1];\n\n      switch (lastSegment) {\n        case \"challenge\":\n          return await handleChallenge(request, config);\n        case \"callback\":\n          return await handleCallback(request, config);\n        case \"logout\":\n          return await handleLogout(request, config);\n        default:\n          throw new AuthError(`Invalid auth route: ${pathname}`, 404);\n      }\n    } catch (error) {\n      logger.error(\"Auth handler error:\", error);\n\n      const status = error instanceof AuthError ? error.status : 500;\n      const message =\n        error instanceof Error ? error.message : \"Authentication failed\";\n\n      const response = NextResponse.json({ error: message }, { status });\n\n      clearAuthCookies(config);\n      return response;\n    }\n  };\n"]}