@civic/auth 0.0.1-beta.30 → 0.0.1-beta.31

package/dist/nextjs.d.ts

@@ -1,267 +0,0 @@
-import * as next_dist_shared_lib_image_config from 'next/dist/shared/lib/image-config';
-import * as next_dist_lib_load_custom_routes from 'next/dist/lib/load-custom-routes';
-import * as next_dist_server_config_shared from 'next/dist/server/config-shared';
-import { NextConfig } from 'next';
-import { T as TokensCookieConfig, a as CookieConfig, O as OAuthTokens, C as CodeVerifier } from './types-DOfl9w7j.js';
-import { U as User, S as SessionData, a as UnknownObject } from './types-BxAubCqO.js';
-import { NextRequest, NextResponse } from 'next/server.js';
-import { NextResponse as NextResponse$1 } from 'next/server';
-import { C as CookieStorage, a as CookieStorageSettings } from './storage-ANmRwpZ3.js';
-import 'oslo/oauth2';
-
-type CookiesConfigObject = {
-    tokens: TokensCookieConfig;
-    user: CookieConfig;
-};
-type AuthConfigWithDefaults = {
-    clientId: string;
-    oauthServer: string;
-    callbackUrl: string;
-    loginUrl: string;
-    logoutUrl: string;
-    challengeUrl: string;
-    include: string[];
-    exclude: string[];
-    cookies: CookiesConfigObject;
-};
-type AuthConfig = Partial<AuthConfigWithDefaults>;
-type DefinedAuthConfig = AuthConfigWithDefaults;
-/**
- * Default configuration values that will be used if not overridden
- */
-declare const defaultAuthConfig: Omit<AuthConfigWithDefaults, "clientId">;
-/**
- * Resolves the authentication configuration by combining:
- * 1. Default values
- * 2. Environment variables (set internally by the plugin)
- * 3. Explicitly passed configuration
- *
- * Note: Developers should not set _civic_auth_* environment variables directly.
- * Instead, pass configuration to the createCivicAuthPlugin in next.config.js:
- *
- * @example
- * ```js
- * // next.config.js
- * export default createCivicAuthPlugin({
- *   callbackUrl: '/custom/callback',
- * })
- * ```
- */
-declare const resolveAuthConfig: (config?: AuthConfig) => AuthConfigWithDefaults;
-/**
- * Creates a Next.js plugin that handles auth configuration.
- *
- * This is the main configuration point for the auth system.
- * Do not set _civic_auth_* environment variables directly - instead,
- * pass your configuration here:
- *
- * @example
- * ```js
- * // next.config.js
- * export default createCivicAuthPlugin({
- *   clientId: 'my-client-id',
- *   callbackUrl: '/custom/callback',
- *   loginUrl: '/custom/login',
- *   logoutUrl: '/custom/logout',
- *   include: ['/protected/*'],
- *   exclude: ['/public/*']
- * })
- * ```
- *
- * The plugin sets internal environment variables that are used by
- * the auth system. These variables should not be set manually.
- */
-declare const createCivicAuthPlugin: (authConfig: AuthConfig & Pick<Required<AuthConfig>, "clientId">) => (nextConfig?: NextConfig) => {
-    env: {
-        _civic_auth_client_id: string;
-        _civic_oauth_server: string;
-        _civic_auth_callback_url: string;
-        _civic_auth_challenge_url: string;
-        _civic_auth_login_url: string;
-        _civic_auth_logout_url: string;
-        _civic_auth_includes: string;
-        _civic_auth_excludes: string;
-        _civic_auth_cookie_config: string;
-    };
-    exportPathMap?: (defaultMap: next_dist_server_config_shared.ExportPathMap, ctx: {
-        dev: boolean;
-        dir: string;
-        outDir: string | null;
-        distDir: string;
-        buildId: string;
-    }) => Promise<next_dist_server_config_shared.ExportPathMap> | next_dist_server_config_shared.ExportPathMap;
-    i18n?: next_dist_server_config_shared.I18NConfig | null;
-    eslint?: next_dist_server_config_shared.ESLintConfig;
-    typescript?: next_dist_server_config_shared.TypeScriptConfig;
-    headers?: () => Promise<next_dist_lib_load_custom_routes.Header[]>;
-    rewrites?: () => Promise<next_dist_lib_load_custom_routes.Rewrite[] | {
-        beforeFiles: next_dist_lib_load_custom_routes.Rewrite[];
-        afterFiles: next_dist_lib_load_custom_routes.Rewrite[];
-        fallback: next_dist_lib_load_custom_routes.Rewrite[];
-    }>;
-    redirects?: () => Promise<next_dist_lib_load_custom_routes.Redirect[]>;
-    excludeDefaultMomentLocales?: boolean;
-    webpack?: next_dist_server_config_shared.NextJsWebpackConfig | null;
-    trailingSlash?: boolean;
-    distDir?: string;
-    cleanDistDir?: boolean;
-    assetPrefix?: string;
-    cacheHandler?: string | undefined;
-    cacheMaxMemorySize?: number;
-    useFileSystemPublicRoutes?: boolean;
-    generateBuildId?: () => string | null | Promise<string | null>;
-    generateEtags?: boolean;
-    pageExtensions?: string[];
-    compress?: boolean;
-    analyticsId?: string;
-    poweredByHeader?: boolean;
-    images?: next_dist_shared_lib_image_config.ImageConfig;
-    devIndicators?: {
-        buildActivity?: boolean;
-        buildActivityPosition?: "bottom-right" | "bottom-left" | "top-right" | "top-left";
-    };
-    onDemandEntries?: {
-        maxInactiveAge?: number;
-        pagesBufferLength?: number;
-    };
-    amp?: {
-        canonicalBase?: string;
-    };
-    deploymentId?: string;
-    basePath?: string;
-    sassOptions?: {
-        [key: string]: any;
-    };
-    productionBrowserSourceMaps?: boolean;
-    optimizeFonts?: boolean;
-    reactProductionProfiling?: boolean;
-    reactStrictMode?: boolean | null;
-    publicRuntimeConfig?: {
-        [key: string]: any;
-    };
-    serverRuntimeConfig?: {
-        [key: string]: any;
-    };
-    httpAgentOptions?: {
-        keepAlive?: boolean;
-    };
-    outputFileTracing?: boolean;
-    staticPageGenerationTimeout?: number;
-    crossOrigin?: "anonymous" | "use-credentials";
-    swcMinify?: boolean;
-    compiler?: {
-        reactRemoveProperties?: boolean | {
-            properties?: string[];
-        };
-        relay?: {
-            src: string;
-            artifactDirectory?: string;
-            language?: "typescript" | "javascript" | "flow";
-            eagerEsModules?: boolean;
-        };
-        removeConsole?: boolean | {
-            exclude?: string[];
-        };
-        styledComponents?: boolean | next_dist_server_config_shared.StyledComponentsConfig;
-        emotion?: boolean | next_dist_server_config_shared.EmotionConfig;
-        styledJsx?: boolean | {
-            useLightningcss?: boolean;
-        };
-    };
-    output?: "standalone" | "export";
-    transpilePackages?: string[];
-    skipMiddlewareUrlNormalize?: boolean;
-    skipTrailingSlashRedirect?: boolean;
-    modularizeImports?: Record<string, {
-        transform: string | Record<string, string>;
-        preventFullImport?: boolean;
-        skipDefaultConversion?: boolean;
-    }>;
-    logging?: {
-        fetches?: {
-            fullUrl?: boolean;
-        };
-    };
-    experimental?: next_dist_server_config_shared.ExperimentalConfig;
-};
-
-/**
- * Used on the server-side to get the user object from the cookie
- */
-
-declare const getUser: () => User | null;
-
-type Middleware = (request: NextRequest) => Promise<NextResponse> | NextResponse;
-/**
- *
- * Use this when auth is the only middleware you need.
- * Usage:
- *
- * export default authMiddleware({ loginUrl = '/login' }); // or just authMiddleware();
- *
- */
-declare const authMiddleware: (authConfig?: Omit<AuthConfigWithDefaults, "clientId">) => (request: NextRequest) => Promise<NextResponse>;
-/**
- * Usage:
- *
- * export default withAuth(async (request) => {
- *    console.log('my middleware');
- *    return NextResponse.next();
- *  })
- */
-declare function withAuth(middleware: Middleware): (request: NextRequest) => Promise<NextResponse>;
-/**
- * Use this when you want to configure the middleware here (an alternative is to do it in the next.config file)
- *
- * Usage:
- *
- * const withAuth = auth({ loginUrl = '/login' }); // or just auth();
- *
- * export default withAuth(async (request) => {
- *    console.log('my middleware');
- *    return NextResponse.next();
- *  })
- *
- */
-declare function auth(authConfig?: AuthConfig): (middleware: Middleware) => ((request: NextRequest) => Promise<NextResponse>);
-
-/**
- * Creates an authentication handler for Next.js API routes
- *
- * Usage:
- * ```ts
- * // app/api/auth/[...civicauth]/route.ts
- * import { handler } from '@civic/auth/nextjs'
- * export const GET = handler({
- *   // optional config overrides
- * })
- * ```
- */
-declare const handler: (authConfig?: {}) => (request: NextRequest) => Promise<NextResponse>;
-
-/**
- * Creates HTTP-only cookies for authentication tokens
- */
-declare const createTokenCookies: (response: NextResponse$1, sessionData: SessionData, config: AuthConfig) => void;
-/**
- * Creates a client-readable cookie with user info
- */
-declare const createUserInfoCookie: (response: NextResponse$1, user: User<UnknownObject> | null, sessionData: SessionData, config: AuthConfig) => void;
-/**
- * Clears all authentication cookies
- */
-declare const clearAuthCookies: (config: AuthConfig) => Promise<void>;
-type KeySetter = OAuthTokens | CodeVerifier;
-declare class NextjsCookieStorage extends CookieStorage {
-    readonly config: Partial<TokensCookieConfig>;
-    constructor(config?: Partial<TokensCookieConfig>);
-    get(key: string): string | null;
-    set(key: KeySetter, value: string): void;
-}
-declare class NextjsClientStorage extends CookieStorage {
-    constructor(config?: Partial<CookieStorageSettings>);
-    get(key: string): string | null;
-    set(key: string, value: string): void;
-}
-
-export { type AuthConfig, type AuthConfigWithDefaults, type CookiesConfigObject, type DefinedAuthConfig, NextjsClientStorage, NextjsCookieStorage, auth, authMiddleware, clearAuthCookies, createCivicAuthPlugin, createTokenCookies, createUserInfoCookie, defaultAuthConfig, getUser, handler, resolveAuthConfig, withAuth };

package/dist/nextjs.js

@@ -1,315 +0,0 @@
-"use strict";Object.defineProperty(exports, "__esModule", {value: true}); function _interopRequireDefault(obj) { return obj && obj.__esModule ? obj : { default: obj }; }
-
-
-
-
-
-
-
-
-
-
-var _chunkTH6FI2XIjs = require('./chunk-TH6FI2XI.js');
-
-
-var _chunkJEOPLLWOjs = require('./chunk-JEOPLLWO.js');
-
-
-
-
-
-
-
-
-var _chunkAM2Y662Ijs = require('./chunk-AM2Y662I.js');
-
-
-
-
-var _chunkCRTRMMJ7js = require('./chunk-CRTRMMJ7.js');
-
-// src/nextjs/GetUser.ts
-var getUser2 = () => {
-  var _a;
-  const clientStorage = new (0, _chunkTH6FI2XIjs.NextjsClientStorage)();
-  const userSession = new (0, _chunkAM2Y662Ijs.GenericUserSession)(clientStorage);
-  const tokens = _chunkAM2Y662Ijs.retrieveTokens.call(void 0, clientStorage);
-  const user = userSession.get();
-  if (!user || !tokens) return null;
-  return _chunkCRTRMMJ7js.__spreadProps.call(void 0, _chunkCRTRMMJ7js.__spreadValues.call(void 0, {}, user), {
-    idToken: tokens.id_token,
-    accessToken: tokens.access_token,
-    refreshToken: (_a = tokens.refresh_token) != null ? _a : ""
-  });
-};
-
-// src/nextjs/middleware.ts
-var _serverjs = require('next/server.js');
-var _picomatch = require('picomatch'); var _picomatch2 = _interopRequireDefault(_picomatch);
-var matchGlob = (pathname, globPattern) => {
-  const matches = _picomatch2.default.call(void 0, globPattern);
-  return matches(pathname);
-};
-var matchesGlobs = (pathname, patterns) => patterns.some((pattern) => {
-  if (!pattern) return false;
-  console.log("matching", {
-    pattern,
-    pathname,
-    match: matchGlob(pathname, pattern)
-  });
-  return matchGlob(pathname, pattern);
-});
-var applyAuth = (authConfig, request) => _chunkCRTRMMJ7js.__async.call(void 0, void 0, null, function* () {
-  const authConfigWithDefaults = _chunkTH6FI2XIjs.resolveAuthConfig.call(void 0, authConfig);
-  const isAuthenticated = !!request.cookies.get("id_token");
-  if (request.nextUrl.pathname === authConfigWithDefaults.loginUrl && request.method === "GET") {
-    console.log("\u2192 Skipping auth check - this is the login URL");
-    return void 0;
-  }
-  if (!matchesGlobs(request.nextUrl.pathname, authConfigWithDefaults.include)) {
-    console.log("\u2192 Skipping auth check - path not in include patterns");
-    return void 0;
-  }
-  if (matchesGlobs(request.nextUrl.pathname, authConfigWithDefaults.exclude)) {
-    console.log("\u2192 Skipping auth check - path in exclude patterns");
-    return void 0;
-  }
-  if (!isAuthenticated) {
-    const loginUrl = new URL(authConfigWithDefaults.loginUrl, request.url);
-    console.log("\u2192 No valid token found - redirecting to login", loginUrl);
-    return _serverjs.NextResponse.redirect(loginUrl);
-  }
-  console.log("\u2192 Auth check passed");
-  return void 0;
-});
-var authMiddleware = (authConfig = _chunkTH6FI2XIjs.defaultAuthConfig) => (request) => _chunkCRTRMMJ7js.__async.call(void 0, void 0, null, function* () {
-  const response = yield applyAuth(authConfig, request);
-  if (response) return response;
-  return _serverjs.NextResponse.next();
-});
-function withAuth(middleware) {
-  return (request) => _chunkCRTRMMJ7js.__async.call(void 0, this, null, function* () {
-    const response = yield applyAuth({}, request);
-    if (response) return response;
-    return middleware(request);
-  });
-}
-function auth(authConfig = {}) {
-  return (middleware) => {
-    return (request) => _chunkCRTRMMJ7js.__async.call(void 0, this, null, function* () {
-      const response = yield applyAuth(authConfig, request);
-      if (response) return response;
-      return middleware(request);
-    });
-  };
-}
-
-// src/nextjs/routeHandler.ts
-
-var _cachejs = require('next/cache.js');
-var _headersjs = require('next/headers.js');
-var logger = _chunkTH6FI2XIjs.loggers.nextjs.handlers.auth;
-var AuthError = class extends Error {
-  constructor(message, status = 401) {
-    super(message);
-    this.status = status;
-    this.name = "AuthError";
-  }
-};
-function handleChallenge(request, config) {
-  return _chunkCRTRMMJ7js.__async.call(void 0, this, null, function* () {
-    var _a, _b;
-    const cookieStorage = new (0, _chunkTH6FI2XIjs.NextjsCookieStorage)((_b = (_a = config.cookies) == null ? void 0 : _a.tokens) != null ? _b : {});
-    const pkceProducer = new (0, _chunkAM2Y662Ijs.GenericPublicClientPKCEProducer)(cookieStorage);
-    const challenge = yield pkceProducer.getCodeChallenge();
-    const appUrl = request.nextUrl.searchParams.get("appUrl");
-    if (appUrl) {
-      cookieStorage.set("app_url" /* APP_URL */, appUrl);
-    }
-    return _serverjs.NextResponse.json({ status: "success", challenge });
-  });
-}
-function performTokenExchangeAndSetCookies(request, config, code, state, appUrl) {
-  return _chunkCRTRMMJ7js.__async.call(void 0, this, null, function* () {
-    const resolvedConfigs = _chunkTH6FI2XIjs.resolveAuthConfig.call(void 0, config);
-    const cookieStorage = new (0, _chunkTH6FI2XIjs.NextjsCookieStorage)(resolvedConfigs.cookies.tokens);
-    const callbackUrl = _chunkTH6FI2XIjs.resolveCallbackUrl.call(void 0, resolvedConfigs, appUrl);
-    try {
-      yield _chunkJEOPLLWOjs.resolveOAuthAccessCode.call(void 0, code, state, cookieStorage, _chunkCRTRMMJ7js.__spreadProps.call(void 0, _chunkCRTRMMJ7js.__spreadValues.call(void 0, {}, resolvedConfigs), {
-        redirectUrl: callbackUrl
-      }));
-    } catch (error) {
-      logger.error("Token exchange failed:", error);
-      throw new AuthError("Failed to authenticate user", 401);
-    }
-    const user = yield _chunkAM2Y662Ijs.getUser.call(void 0, cookieStorage);
-    if (!user) {
-      throw new AuthError("Failed to get user info", 401);
-    }
-    const clientStorage = new (0, _chunkTH6FI2XIjs.NextjsClientStorage)();
-    const userSession = new (0, _chunkAM2Y662Ijs.GenericUserSession)(clientStorage);
-    userSession.set(user);
-  });
-}
-function handleCallback(request, config) {
-  return _chunkCRTRMMJ7js.__async.call(void 0, this, null, function* () {
-    var _a;
-    const resolvedConfigs = _chunkTH6FI2XIjs.resolveAuthConfig.call(void 0, config);
-    console.log("handleCallback", { request, resolvedConfigs });
-    const code = request.nextUrl.searchParams.get("code");
-    const state = request.nextUrl.searchParams.get("state") || "";
-    if (!code || !state) throw new AuthError("Bad parameters", 400);
-    const appUrl = ((_a = request.cookies.get("app_url" /* APP_URL */)) == null ? void 0 : _a.value) || request.nextUrl.searchParams.get("appUrl");
-    console.log("handleCallback", {
-      code,
-      state,
-      cookies: _headersjs.cookies.call(void 0, ),
-      appUrl
-    });
-    const codeVerifier = request.cookies.get("code_verifier" /* COOKIE_NAME */);
-    if (!codeVerifier || !appUrl) {
-      console.log("handleCallback no code_verifier found", {
-        state,
-        serverTokenExchange: _chunkAM2Y662Ijs.serverTokenExchangeFromState.call(void 0, `${state}`)
-      });
-      let response2 = new (0, _serverjs.NextResponse)(
-        `<html><body><span style="display:none">${_chunkAM2Y662Ijs.TOKEN_EXCHANGE_TRIGGER_TEXT}</span></body></html>`
-      );
-      if (state && _chunkAM2Y662Ijs.serverTokenExchangeFromState.call(void 0, state)) {
-        console.log(
-          "handleCallback serverTokenExchangeFromState, launching redirect page...",
-          {
-            requestUrl: request.url,
-            configCallbackUrl: resolvedConfigs.callbackUrl
-          }
-        );
-        const requestUrl = new URL(request.url);
-        const fetchUrl = `${resolvedConfigs.callbackUrl}?${requestUrl.searchParams.toString()}&sameDomainServerTokenExchange=true`;
-        response2 = new (0, _serverjs.NextResponse)(
-          `<html>
-            <body>
-                <span style="display:none">
-                    <script>
-                        window.onload = function () {
-                            const appUrl = globalThis.window?.location?.origin;
-                            fetch('${fetchUrl}&appUrl=' + appUrl).then((response) => {
-                                response.json().then((jsonResponse) => {
-                                    console.log('fetch jsonResponse', jsonResponse);
-                                    if (jsonResponse.redirectUrl) {
-                                        console.log('handleCallback serverTokenExchangeFromState, redirecting');
-                                        window.location.href = jsonResponse.redirectUrl;
-                                    }
-                                });
-                            });
-                        };
-                    </script>
-                </span>
-            </body>
-        </html>
-        `
-        );
-      }
-      response2.headers.set("Content-Type", "text/html; charset=utf-8");
-      console.log(
-        `handleCallback no code_verifier found, returning ${_chunkAM2Y662Ijs.TOKEN_EXCHANGE_TRIGGER_TEXT}`
-      );
-      return response2;
-    }
-    yield performTokenExchangeAndSetCookies(
-      request,
-      resolvedConfigs,
-      code,
-      state,
-      appUrl
-    );
-    if (request.url.includes("sameDomainServerTokenExchange=true")) {
-      console.log(
-        "handleCallback sameDomainServerTokenExchange = true, returnining redirectUrl",
-        appUrl
-      );
-      return _serverjs.NextResponse.json({
-        status: "success",
-        redirectUrl: appUrl
-      });
-    }
-    if (_chunkAM2Y662Ijs.serverTokenExchangeFromState.call(void 0, state)) {
-      console.log(
-        "handleCallback serverTokenExchangeFromState, redirect to appUrl",
-        appUrl
-      );
-      if (!appUrl) {
-        throw new Error("appUrl undefined. Cannot redirect.");
-      }
-      return _serverjs.NextResponse.redirect(`${appUrl}`);
-    }
-    const response = new (0, _serverjs.NextResponse)(
-      `<html><span style="display:none">${_chunkAM2Y662Ijs.TOKEN_EXCHANGE_SUCCESS_TEXT}</span></html>`
-    );
-    response.headers.set("Content-Type", "text/html; charset=utf-8");
-    return response;
-  });
-}
-var getAbsoluteRedirectPath = (redirectPath, currentBasePath) => new URL(redirectPath, currentBasePath).href;
-function handleLogout(request, config) {
-  return _chunkCRTRMMJ7js.__async.call(void 0, this, null, function* () {
-    var _a;
-    const resolvedConfigs = _chunkTH6FI2XIjs.resolveAuthConfig.call(void 0, config);
-    const defaultRedirectPath = (_a = resolvedConfigs.loginUrl) != null ? _a : "/";
-    const redirectTarget = new URL(request.url).searchParams.get("redirect") || defaultRedirectPath;
-    const isAbsoluteRedirect = /^(https?:\/\/|www\.).+/i.test(redirectTarget);
-    const appUrl = request.nextUrl.searchParams.get("appUrl");
-    const finalRedirectUrl = isAbsoluteRedirect ? redirectTarget : getAbsoluteRedirectPath(
-      redirectTarget,
-      new URL(appUrl != null ? appUrl : request.url).origin
-    );
-    const response = _serverjs.NextResponse.redirect(finalRedirectUrl);
-    _chunkTH6FI2XIjs.clearAuthCookies.call(void 0, config);
-    try {
-      _cachejs.revalidatePath.call(void 0, isAbsoluteRedirect ? finalRedirectUrl : redirectTarget);
-    } catch (error) {
-      logger.warn("Failed to revalidate path after logout:", error);
-    }
-    return response;
-  });
-}
-var handler = (authConfig = {}) => (request) => _chunkCRTRMMJ7js.__async.call(void 0, void 0, null, function* () {
-  const config = _chunkTH6FI2XIjs.resolveAuthConfig.call(void 0, authConfig);
-  try {
-    const pathname = request.nextUrl.pathname;
-    const pathSegments = pathname.split("/");
-    const lastSegment = pathSegments[pathSegments.length - 1];
-    switch (lastSegment) {
-      case "challenge":
-        return yield handleChallenge(request, config);
-      case "callback":
-        return yield handleCallback(request, config);
-      case "logout":
-        return yield handleLogout(request, config);
-      default:
-        throw new AuthError(`Invalid auth route: ${pathname}`, 404);
-    }
-  } catch (error) {
-    logger.error("Auth handler error:", error);
-    const status = error instanceof AuthError ? error.status : 500;
-    const message = error instanceof Error ? error.message : "Authentication failed";
-    const response = _serverjs.NextResponse.json({ error: message }, { status });
-    _chunkTH6FI2XIjs.clearAuthCookies.call(void 0, config);
-    return response;
-  }
-});
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-exports.NextjsClientStorage = _chunkTH6FI2XIjs.NextjsClientStorage; exports.NextjsCookieStorage = _chunkTH6FI2XIjs.NextjsCookieStorage; exports.auth = auth; exports.authMiddleware = authMiddleware; exports.clearAuthCookies = _chunkTH6FI2XIjs.clearAuthCookies; exports.createCivicAuthPlugin = _chunkTH6FI2XIjs.createCivicAuthPlugin; exports.createTokenCookies = _chunkTH6FI2XIjs.createTokenCookies; exports.createUserInfoCookie = _chunkTH6FI2XIjs.createUserInfoCookie; exports.defaultAuthConfig = _chunkTH6FI2XIjs.defaultAuthConfig; exports.getUser = getUser2; exports.handler = handler; exports.resolveAuthConfig = _chunkTH6FI2XIjs.resolveAuthConfig; exports.withAuth = withAuth;
-//# sourceMappingURL=nextjs.js.map

package/dist/nextjs.js.map

@@ -1 +0,0 @@
-{"version":3,"sources":["/Users/patrick/Code/civic-auth/packages/civic-auth-client/dist/nextjs.js","../src/nextjs/GetUser.ts","../src/nextjs/middleware.ts","../src/nextjs/routeHandler.ts"],"names":["getUser","NextResponse","response"],"mappings":"AAAA;AACE;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACF,sDAA4B;AAC5B;AACE;AACF,sDAA4B;AAC5B;AACE;AACA;AACA;AACA;AACA;AACA;AACA;AACF,sDAA4B;AAC5B;AACE;AACA;AACA;AACF,sDAA4B;AAC5B;AACA;ACtBO,IAAMA,SAAAA,EAAU,CAAA,EAAA,GAAmB;AAR1C,EAAA,IAAA,EAAA;AASE,EAAA,MAAM,cAAA,EAAgB,IAAI,yCAAA,CAAoB,CAAA;AAC9C,EAAA,MAAM,YAAA,EAAc,IAAI,wCAAA,CAAmB,aAAa,CAAA;AACxD,EAAA,MAAM,OAAA,EAAS,6CAAA,aAA4B,CAAA;AAC3C,EAAA,MAAM,KAAA,EAAO,WAAA,CAAY,GAAA,CAAI,CAAA;AAC7B,EAAA,GAAA,CAAI,CAAC,KAAA,GAAQ,CAAC,MAAA,EAAQ,OAAO,IAAA;AAE7B,EAAA,OAAO,4CAAA,6CAAA,CAAA,CAAA,EACF,IAAA,CAAA,EADE;AAAA,IAEL,OAAA,EAAS,MAAA,CAAO,QAAA;AAAA,IAChB,WAAA,EAAa,MAAA,CAAO,YAAA;AAAA,IACpB,YAAA,EAAA,CAAc,GAAA,EAAA,MAAA,CAAO,aAAA,EAAA,GAAP,KAAA,EAAA,GAAA,EAAwB;AAAA,EACxC,CAAA,CAAA;AACF,CAAA;ADuBA;AACA;AExBA,0CAA0C;AAC1C,4FAAsB;AAgBtB,IAAM,UAAA,EAAY,CAAC,QAAA,EAAkB,WAAA,EAAA,GAAwB;AAC3D,EAAA,MAAM,QAAA,EAAU,iCAAA,WAAqB,CAAA;AACrC,EAAA,OAAO,OAAA,CAAQ,QAAQ,CAAA;AACzB,CAAA;AAOA,IAAM,aAAA,EAAe,CAAC,QAAA,EAAkB,QAAA,EAAA,GACtC,QAAA,CAAS,IAAA,CAAK,CAAC,OAAA,EAAA,GAAY;AACzB,EAAA,GAAA,CAAI,CAAC,OAAA,EAAS,OAAO,KAAA;AACrB,EAAA,OAAA,CAAQ,GAAA,CAAI,UAAA,EAAY;AAAA,IACtB,OAAA;AAAA,IACA,QAAA;AAAA,IACA,KAAA,EAAO,SAAA,CAAU,QAAA,EAAU,OAAO;AAAA,EACpC,CAAC,CAAA;AACD,EAAA,OAAO,SAAA,CAAU,QAAA,EAAU,OAAO,CAAA;AACpC,CAAC,CAAA;AAGH,IAAM,UAAA,EAAY,CAChB,UAAA,EACA,OAAA,EAAA,GACsC,sCAAA,KAAA,CAAA,EAAA,IAAA,EAAA,QAAA,EAAA,CAAA,EAAA;AACtC,EAAA,MAAM,uBAAA,EAAyB,gDAAA,UAA4B,CAAA;AAE3D,EAAA,MAAM,gBAAA,EAAkB,CAAC,CAAC,OAAA,CAAQ,OAAA,CAAQ,GAAA,CAAI,UAAU,CAAA;AAGxD,EAAA,GAAA,CACE,OAAA,CAAQ,OAAA,CAAQ,SAAA,IAAa,sBAAA,CAAuB,SAAA,GACpD,OAAA,CAAQ,OAAA,IAAW,KAAA,EACnB;AACA,IAAA,OAAA,CAAQ,GAAA,CAAI,oDAA+C,CAAA;AAC3D,IAAA,OAAO,KAAA,CAAA;AAAA,EACT;AAEA,EAAA,GAAA,CAAI,CAAC,YAAA,CAAa,OAAA,CAAQ,OAAA,CAAQ,QAAA,EAAU,sBAAA,CAAuB,OAAO,CAAA,EAAG;AAC3E,IAAA,OAAA,CAAQ,GAAA,CAAI,2DAAsD,CAAA;AAClE,IAAA,OAAO,KAAA,CAAA;AAAA,EACT;AAEA,EAAA,GAAA,CAAI,YAAA,CAAa,OAAA,CAAQ,OAAA,CAAQ,QAAA,EAAU,sBAAA,CAAuB,OAAO,CAAA,EAAG;AAC1E,IAAA,OAAA,CAAQ,GAAA,CAAI,uDAAkD,CAAA;AAC9D,IAAA,OAAO,KAAA,CAAA;AAAA,EACT;AAGA,EAAA,GAAA,CAAI,CAAC,eAAA,EAAiB;AACpB,IAAA,MAAM,SAAA,EAAW,IAAI,GAAA,CAAI,sBAAA,CAAuB,QAAA,EAAU,OAAA,CAAQ,GAAG,CAAA;AACrE,IAAA,OAAA,CAAQ,GAAA,CAAI,oDAAA,EAAiD,QAAQ,CAAA;AACrE,IAAA,OAAO,sBAAA,CAAa,QAAA,CAAS,QAAQ,CAAA;AAAA,EACvC;AAEA,EAAA,OAAA,CAAQ,GAAA,CAAI,0BAAqB,CAAA;AACjC,EAAA,OAAO,KAAA,CAAA;AACT,CAAA,CAAA;AAUO,IAAM,eAAA,EACX,CAAC,WAAA,EAAa,kCAAA,EAAA,GACd,CAAO,OAAA,EAAA,GAAgD,sCAAA,KAAA,CAAA,EAAA,IAAA,EAAA,QAAA,EAAA,CAAA,EAAA;AACrD,EAAA,MAAM,SAAA,EAAW,MAAM,SAAA,CAAU,UAAA,EAAY,OAAO,CAAA;AACpD,EAAA,GAAA,CAAI,QAAA,EAAU,OAAO,QAAA;AAIrB,EAAA,OAAO,sBAAA,CAAa,IAAA,CAAK,CAAA;AAC3B,CAAA,CAAA;AAWK,SAAS,QAAA,CACd,UAAA,EACiD;AACjD,EAAA,OAAO,CAAO,OAAA,EAAA,GAAgD,sCAAA,IAAA,EAAA,IAAA,EAAA,QAAA,EAAA,CAAA,EAAA;AAC5D,IAAA,MAAM,SAAA,EAAW,MAAM,SAAA,CAAU,CAAC,CAAA,EAAG,OAAO,CAAA;AAC5C,IAAA,GAAA,CAAI,QAAA,EAAU,OAAO,QAAA;AAErB,IAAA,OAAO,UAAA,CAAW,OAAO,CAAA;AAAA,EAC3B,CAAA,CAAA;AACF;AAeO,SAAS,IAAA,CAAK,WAAA,EAAyB,CAAC,CAAA,EAAG;AAChD,EAAA,OAAO,CACL,UAAA,EAAA,GACsD;AACtD,IAAA,OAAO,CAAO,OAAA,EAAA,GAAgD,sCAAA,IAAA,EAAA,IAAA,EAAA,QAAA,EAAA,CAAA,EAAA;AAC5D,MAAA,MAAM,SAAA,EAAW,MAAM,SAAA,CAAU,UAAA,EAAY,OAAO,CAAA;AACpD,MAAA,GAAA,CAAI,QAAA,EAAU,OAAO,QAAA;AAErB,MAAA,OAAO,UAAA,CAAW,OAAO,CAAA;AAAA,IAC3B,CAAA,CAAA;AAAA,EACF,CAAA;AACF;AFxDA;AACA;AG1GA;AACA,wCAA+B;AAkB/B,4CAAwB;AAGxB,IAAM,OAAA,EAAS,wBAAA,CAAQ,MAAA,CAAO,QAAA,CAAS,IAAA;AAEvC,IAAM,UAAA,EAAN,MAAA,QAAwB,MAAM;AAAA,EAC5B,WAAA,CACE,OAAA,EACgB,OAAA,EAAiB,GAAA,EACjC;AACA,IAAA,KAAA,CAAM,OAAO,CAAA;AAFG,IAAA,IAAA,CAAA,OAAA,EAAA,MAAA;AAGhB,IAAA,IAAA,CAAK,KAAA,EAAO,WAAA;AAAA,EACd;AACF,CAAA;AAOA,SAAe,eAAA,CACb,OAAA,EACA,MAAA,EACuB;AAAA,EAAA,OAAA,sCAAA,IAAA,EAAA,IAAA,EAAA,QAAA,EAAA,CAAA,EAAA;AA1CzB,IAAA,IAAA,EAAA,EAAA,EAAA;AA2CE,IAAA,MAAM,cAAA,EAAgB,IAAI,yCAAA,CAAA,CAAoB,GAAA,EAAA,CAAA,GAAA,EAAA,MAAA,CAAO,OAAA,EAAA,GAAP,KAAA,EAAA,KAAA,EAAA,EAAA,EAAA,CAAgB,MAAA,EAAA,GAAhB,KAAA,EAAA,GAAA,EAA0B,CAAC,CAAC,CAAA;AAC1E,IAAA,MAAM,aAAA,EAAe,IAAI,qDAAA,CAAgC,aAAa,CAAA;AAEtE,IAAA,MAAM,UAAA,EAAY,MAAM,YAAA,CAAa,gBAAA,CAAiB,CAAA;AACtD,IAAA,MAAM,OAAA,EAAS,OAAA,CAAQ,OAAA,CAAQ,YAAA,CAAa,GAAA,CAAI,QAAQ,CAAA;AACxD,IAAA,GAAA,CAAI,MAAA,EAAQ;AACV,MAAA,aAAA,CAAc,GAAA,CAAA,uBAAA,EAA0B,MAAM,CAAA;AAAA,IAChD;AACA,IAAA,OAAOC,sBAAAA,CAAa,IAAA,CAAK,EAAE,MAAA,EAAQ,SAAA,EAAW,UAAU,CAAC,CAAA;AAAA,EAC3D,CAAA,CAAA;AAAA;AAEA,SAAe,iCAAA,CACb,OAAA,EACA,MAAA,EACA,IAAA,EACA,KAAA,EACA,MAAA,EACA;AAAA,EAAA,OAAA,sCAAA,IAAA,EAAA,IAAA,EAAA,QAAA,EAAA,CAAA,EAAA;AACA,IAAA,MAAM,gBAAA,EAAkB,gDAAA,MAAwB,CAAA;AAChD,IAAA,MAAM,cAAA,EAAgB,IAAI,yCAAA,CAAoB,eAAA,CAAgB,OAAA,CAAQ,MAAM,CAAA;AAE5E,IAAA,MAAM,YAAA,EAAc,iDAAA,eAAmB,EAAiB,MAAM,CAAA;AAC9D,IAAA,IAAI;AACF,MAAA,MAAM,qDAAA,IAAuB,EAAM,KAAA,EAAO,aAAA,EAAe,4CAAA,6CAAA,CAAA,CAAA,EACpD,eAAA,CAAA,EADoD;AAAA,QAEvD,WAAA,EAAa;AAAA,MACf,CAAA,CAAC,CAAA;AAAA,IACH,EAAA,MAAA,CAAS,KAAA,EAAO;AACd,MAAA,MAAA,CAAO,KAAA,CAAM,wBAAA,EAA0B,KAAK,CAAA;AAC5C,MAAA,MAAM,IAAI,SAAA,CAAU,6BAAA,EAA+B,GAAG,CAAA;AAAA,IACxD;AAEA,IAAA,MAAM,KAAA,EAAO,MAAM,sCAAA,aAAqB,CAAA;AACxC,IAAA,GAAA,CAAI,CAAC,IAAA,EAAM;AACT,MAAA,MAAM,IAAI,SAAA,CAAU,yBAAA,EAA2B,GAAG,CAAA;AAAA,IACpD;AAEA,IAAA,MAAM,cAAA,EAAgB,IAAI,yCAAA,CAAoB,CAAA;AAC9C,IAAA,MAAM,YAAA,EAAc,IAAI,wCAAA,CAAmB,aAAa,CAAA;AACxD,IAAA,WAAA,CAAY,GAAA,CAAI,IAAI,CAAA;AAAA,EACtB,CAAA,CAAA;AAAA;AACA,SAAe,cAAA,CACb,OAAA,EACA,MAAA,EACuB;AAAA,EAAA,OAAA,sCAAA,IAAA,EAAA,IAAA,EAAA,QAAA,EAAA,CAAA,EAAA;AAvFzB,IAAA,IAAA,EAAA;AAwFE,IAAA,MAAM,gBAAA,EAAkB,gDAAA,MAAwB,CAAA;AAChD,IAAA,OAAA,CAAQ,GAAA,CAAI,gBAAA,EAAkB,EAAE,OAAA,EAAS,gBAAgB,CAAC,CAAA;AAC1D,IAAA,MAAM,KAAA,EAAO,OAAA,CAAQ,OAAA,CAAQ,YAAA,CAAa,GAAA,CAAI,MAAM,CAAA;AACpD,IAAA,MAAM,MAAA,EAAQ,OAAA,CAAQ,OAAA,CAAQ,YAAA,CAAa,GAAA,CAAI,OAAO,EAAA,GAAK,EAAA;AAC3D,IAAA,GAAA,CAAI,CAAC,KAAA,GAAQ,CAAC,KAAA,EAAO,MAAM,IAAI,SAAA,CAAU,gBAAA,EAAkB,GAAG,CAAA;AAK9D,IAAA,MAAM,OAAA,EAAA,CAAA,CACJ,GAAA,EAAA,OAAA,CAAQ,OAAA,CAAQ,GAAA,CAAA,uBAAwB,CAAA,EAAA,GAAxC,KAAA,EAAA,KAAA,EAAA,EAAA,EAAA,CAA2C,KAAA,EAAA,GAC3C,OAAA,CAAQ,OAAA,CAAQ,YAAA,CAAa,GAAA,CAAI,QAAQ,CAAA;AAM3C,IAAA,OAAA,CAAQ,GAAA,CAAI,gBAAA,EAAkB;AAAA,MAC5B,IAAA;AAAA,MACA,KAAA;AAAA,MACA,OAAA,EAAS,gCAAA,CAAQ;AAAA,MACjB;AAAA,IACF,CAAC,CAAA;AAED,IAAA,MAAM,aAAA,EAAe,OAAA,CAAQ,OAAA,CAAQ,GAAA,CAAA,iCAA4B,CAAA;AAEjE,IAAA,GAAA,CAAI,CAAC,aAAA,GAAgB,CAAC,MAAA,EAAQ;AAC5B,MAAA,OAAA,CAAQ,GAAA,CAAI,uCAAA,EAAyC;AAAA,QACnD,KAAA;AAAA,QACA,mBAAA,EAAqB,2DAAA,CAA6B,EAAA;AACnD,MAAA;AACkBA,MAAAA;AACyB,QAAA;AAC5C,MAAA;AAMkD,MAAA;AACxC,QAAA;AACN,UAAA;AACA,UAAA;AACsB,YAAA;AACe,YAAA;AACrC,UAAA;AACF,QAAA;AAGsC,QAAA;AACa,QAAA;AACpCA,QAAAA;AACb,UAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAMqC,mCAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,QAAA;AAevC,QAAA;AACF,MAAA;AACqC,MAAA;AAC7B,MAAA;AACN,QAAA;AACF,MAAA;AACOC,MAAAA;AACT,IAAA;AAEM,IAAA;AACJ,MAAA;AACA,MAAA;AACA,MAAA;AACA,MAAA;AACA,MAAA;AACF,IAAA;AAEyB,IAAA;AACf,MAAA;AACN,QAAA;AACA,QAAA;AACF,MAAA;AACyB,MAAA;AACf,QAAA;AACK,QAAA;AACd,MAAA;AACH,IAAA;AAGyC,IAAA;AAC/B,MAAA;AACN,QAAA;AACA,QAAA;AACF,MAAA;AACa,MAAA;AACK,QAAA;AAClB,MAAA;AACwC,MAAA;AAC1C,IAAA;AAIqBD,IAAAA;AACiB,MAAA;AACtC,IAAA;AACqC,IAAA;AAC9B,IAAA;AACT,EAAA;AAAA;AAUE;AAMuB;AAAA,EAAA;AAhOzB,IAAA;AAiOkD,IAAA;AACJ,IAAA;AAErB,IAAA;AAE8B,IAAA;AAEL,IAAA;AAG5C,IAAA;AAEE,MAAA;AAC+B,MAAA;AACjC,IAAA;AAEmC,IAAA;AAEhB,IAAA;AAEnB,IAAA;AACkC,MAAA;AACtB,IAAA;AACF,MAAA;AACd,IAAA;AAEO,IAAA;AACT,EAAA;AAAA;AAgByD;AACV,EAAA;AAEvC,EAAA;AAC+B,IAAA;AACM,IAAA;AACgB,IAAA;AAElC,IAAA;AACd,MAAA;AACyC,QAAA;AACzC,MAAA;AACwC,QAAA;AACxC,MAAA;AACsC,QAAA;AAC3C,MAAA;AACqD,QAAA;AACvD,IAAA;AACc,EAAA;AAC2B,IAAA;AAES,IAAA;AAEjB,IAAA;AAEmB,IAAA;AAE7B,IAAA;AAChB,IAAA;AACT,EAAA;AACF;AHCyD;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA","file":"/Users/patrick/Code/civic-auth/packages/civic-auth-client/dist/nextjs.js","sourcesContent":[null,"/**\n * Used on the server-side to get the user object from the cookie\n */\nimport { User } from \"@/types\";\nimport { GenericUserSession } from \"@/shared/UserSession\";\nimport { NextjsClientStorage } from \"@/nextjs/cookies\";\nimport { retrieveTokens } from \"@/shared/util\";\n\nexport const getUser = (): User | null => {\n  const clientStorage = new NextjsClientStorage();\n  const userSession = new GenericUserSession(clientStorage);\n  const tokens = retrieveTokens(clientStorage);\n  const user = userSession.get();\n  if (!user || !tokens) return null;\n\n  return {\n    ...user!,\n    idToken: tokens.id_token,\n    accessToken: tokens.access_token,\n    refreshToken: tokens.refresh_token ?? \"\",\n  } as User;\n};\n","/**\n * Authenticates the user on all requests by checking the token cookie\n *\n * Usage:\n * Option 1: use if no other middleware (e.g. no next-intl etc)\n * export default authMiddleware();\n *\n * Option 2: use if other middleware is needed - default auth config\n * export default withAuth((request) => {\n *    console.log('in custom middleware', request.nextUrl.pathname);\n *    return NextResponse.next();\n * })\n *\n * Option 3: use if other middleware is needed - specifying auth config\n * const withCivicAuth = auth({ loginUrl: '/login', include: ['/[.*]/user'] })\n * export default withCivicAuth((request) => {\n *   console.log('in custom middleware', request.url);\n *   return NextResponse.next();\n * })\n *\n */\nimport { NextRequest, NextResponse } from \"next/server.js\";\nimport picomatch from \"picomatch\";\nimport {\n  AuthConfig,\n  defaultAuthConfig,\n  resolveAuthConfig,\n} from \"@/nextjs/config.js\";\n\ntype Middleware = (\n  request: NextRequest,\n) => Promise<NextResponse> | NextResponse;\n\n// Matches globs:\n// Examples:\n// /user\n// /user/*\n// /user/**/info\nconst matchGlob = (pathname: string, globPattern: string) => {\n  const matches = picomatch(globPattern);\n  return matches(pathname);\n};\n\n// Matches globs:\n// Examples:\n// /user\n// /user/*\n// /user/**/info\nconst matchesGlobs = (pathname: string, patterns: string[]) =>\n  patterns.some((pattern) => {\n    if (!pattern) return false;\n    console.log(\"matching\", {\n      pattern,\n      pathname,\n      match: matchGlob(pathname, pattern),\n    });\n    return matchGlob(pathname, pattern);\n  });\n\n// internal - used by all exported functions\nconst applyAuth = async (\n  authConfig: AuthConfig,\n  request: NextRequest,\n): Promise<NextResponse | undefined> => {\n  const authConfigWithDefaults = resolveAuthConfig(authConfig);\n  // Check for any valid auth token\n  const isAuthenticated = !!request.cookies.get(\"id_token\");\n\n  // skip auth check for redirect to login url\n  if (\n    request.nextUrl.pathname === authConfigWithDefaults.loginUrl &&\n    request.method === \"GET\"\n  ) {\n    console.log(\"→ Skipping auth check - this is the login URL\");\n    return undefined;\n  }\n\n  if (!matchesGlobs(request.nextUrl.pathname, authConfigWithDefaults.include)) {\n    console.log(\"→ Skipping auth check - path not in include patterns\");\n    return undefined;\n  }\n\n  if (matchesGlobs(request.nextUrl.pathname, authConfigWithDefaults.exclude)) {\n    console.log(\"→ Skipping auth check - path in exclude patterns\");\n    return undefined;\n  }\n\n  // Check for either token type\n  if (!isAuthenticated) {\n    const loginUrl = new URL(authConfigWithDefaults.loginUrl, request.url);\n    console.log(\"→ No valid token found - redirecting to login\", loginUrl);\n    return NextResponse.redirect(loginUrl);\n  }\n\n  console.log(\"→ Auth check passed\");\n  return undefined;\n};\n\n/**\n *\n * Use this when auth is the only middleware you need.\n * Usage:\n *\n * export default authMiddleware({ loginUrl = '/login' }); // or just authMiddleware();\n *\n */\nexport const authMiddleware =\n  (authConfig = defaultAuthConfig) =>\n  async (request: NextRequest): Promise<NextResponse> => {\n    const response = await applyAuth(authConfig, request);\n    if (response) return response;\n\n    // NextJS doesn't do middleware chaining yet, so this does not mean\n    // \"call the next middleware\" - it means \"continue to the route handler\"\n    return NextResponse.next();\n  };\n\n/**\n * Usage:\n *\n * export default withAuth(async (request) => {\n *    console.log('my middleware');\n *    return NextResponse.next();\n *  })\n */\n// use this when you have your own middleware to chain\nexport function withAuth(\n  middleware: Middleware,\n): (request: NextRequest) => Promise<NextResponse> {\n  return async (request: NextRequest): Promise<NextResponse> => {\n    const response = await applyAuth({}, request);\n    if (response) return response;\n\n    return middleware(request);\n  };\n}\n\n/**\n * Use this when you want to configure the middleware here (an alternative is to do it in the next.config file)\n *\n * Usage:\n *\n * const withAuth = auth({ loginUrl = '/login' }); // or just auth();\n *\n * export default withAuth(async (request) => {\n *    console.log('my middleware');\n *    return NextResponse.next();\n *  })\n *\n */\nexport function auth(authConfig: AuthConfig = {}) {\n  return (\n    middleware: Middleware,\n  ): ((request: NextRequest) => Promise<NextResponse>) => {\n    return async (request: NextRequest): Promise<NextResponse> => {\n      const response = await applyAuth(authConfig, request);\n      if (response) return response;\n\n      return middleware(request);\n    };\n  };\n}\n","import { NextRequest, NextResponse } from \"next/server.js\";\nimport { revalidatePath } from \"next/cache.js\";\nimport { AuthConfig, resolveAuthConfig } from \"@/nextjs/config.js\";\nimport { loggers } from \"@/lib/logger.js\";\nimport {\n  clearAuthCookies,\n  NextjsClientStorage,\n  NextjsCookieStorage,\n} from \"@/nextjs/cookies.js\";\nimport { GenericPublicClientPKCEProducer } from \"@/services/PKCE.js\";\nimport { resolveOAuthAccessCode } from \"@/server/login.js\";\nimport { getUser } from \"@/shared/session.js\";\nimport { resolveCallbackUrl } from \"@/nextjs/utils.js\";\nimport { GenericUserSession } from \"@/shared/UserSession.js\";\nimport {\n  TOKEN_EXCHANGE_SUCCESS_TEXT,\n  TOKEN_EXCHANGE_TRIGGER_TEXT,\n} from \"@/constants.js\";\nimport { serverTokenExchangeFromState } from \"@/lib/oauth.js\";\nimport { cookies } from \"next/headers.js\";\nimport { CodeVerifier } from \"@/shared/types\";\n\nconst logger = loggers.nextjs.handlers.auth;\n\nclass AuthError extends Error {\n  constructor(\n    message: string,\n    public readonly status: number = 401,\n  ) {\n    super(message);\n    this.name = \"AuthError\";\n  }\n}\n\n/**\n * create a code verifier and challenge for PKCE\n * saving the verifier in a cookie for later use\n * @returns {Promise<NextResponse>}\n */\nasync function handleChallenge(\n  request: NextRequest,\n  config: AuthConfig,\n): Promise<NextResponse> {\n  const cookieStorage = new NextjsCookieStorage(config.cookies?.tokens ?? {});\n  const pkceProducer = new GenericPublicClientPKCEProducer(cookieStorage);\n\n  const challenge = await pkceProducer.getCodeChallenge();\n  const appUrl = request.nextUrl.searchParams.get(\"appUrl\");\n  if (appUrl) {\n    cookieStorage.set(CodeVerifier.APP_URL, appUrl);\n  }\n  return NextResponse.json({ status: \"success\", challenge });\n}\n\nasync function performTokenExchangeAndSetCookies(\n  request: NextRequest,\n  config: AuthConfig,\n  code: string,\n  state: string,\n  appUrl: string,\n) {\n  const resolvedConfigs = resolveAuthConfig(config);\n  const cookieStorage = new NextjsCookieStorage(resolvedConfigs.cookies.tokens);\n\n  const callbackUrl = resolveCallbackUrl(resolvedConfigs, appUrl);\n  try {\n    await resolveOAuthAccessCode(code, state, cookieStorage, {\n      ...resolvedConfigs,\n      redirectUrl: callbackUrl,\n    });\n  } catch (error) {\n    logger.error(\"Token exchange failed:\", error);\n    throw new AuthError(\"Failed to authenticate user\", 401);\n  }\n\n  const user = await getUser(cookieStorage);\n  if (!user) {\n    throw new AuthError(\"Failed to get user info\", 401);\n  }\n\n  const clientStorage = new NextjsClientStorage();\n  const userSession = new GenericUserSession(clientStorage);\n  userSession.set(user);\n}\nasync function handleCallback(\n  request: NextRequest,\n  config: AuthConfig,\n): Promise<NextResponse> {\n  const resolvedConfigs = resolveAuthConfig(config);\n  console.log(\"handleCallback\", { request, resolvedConfigs });\n  const code = request.nextUrl.searchParams.get(\"code\");\n  const state = request.nextUrl.searchParams.get(\"state\") || \"\";\n  if (!code || !state) throw new AuthError(\"Bad parameters\", 400);\n\n  // appUrl is passed from the client to the server in the query string\n  // this is necessary because the server does not have access to the client's window.location.origin\n  // and can not accurately determine the appUrl (specially if the app is behind a reverse proxy)\n  const appUrl =\n    request.cookies.get(CodeVerifier.APP_URL)?.value ||\n    request.nextUrl.searchParams.get(\"appUrl\");\n\n  // If we have a code_verifier cookie and the appUrl, we can do a token exchange.\n  // Otherwise, just render an empty page.\n  // The initial redirect back from the auth server does not send cookies, because the redirect is from a 3rd-party domain.\n  // The client will make an additional call to this route with cookies included, at which point we do the token exchange.\n  console.log(\"handleCallback\", {\n    code,\n    state,\n    cookies: cookies(),\n    appUrl,\n  });\n\n  const codeVerifier = request.cookies.get(CodeVerifier.COOKIE_NAME);\n\n  if (!codeVerifier || !appUrl) {\n    console.log(\"handleCallback no code_verifier found\", {\n      state,\n      serverTokenExchange: serverTokenExchangeFromState(`${state}`),\n    });\n    let response = new NextResponse(\n      `<html><body><span style=\"display:none\">${TOKEN_EXCHANGE_TRIGGER_TEXT}</span></body></html>`,\n    );\n\n    // in server-side token exchange mode we need to launch a page that will trigger the token exchange\n    // from the same domain, allowing it access to the code_verifier cookie\n    // we only need to do this in redirect mode, as the iframe already triggers a client-side token exchange\n    // if no code-verifier cookie is found\n    if (state && serverTokenExchangeFromState(state)) {\n      console.log(\n        \"handleCallback serverTokenExchangeFromState, launching redirect page...\",\n        {\n          requestUrl: request.url,\n          configCallbackUrl: resolvedConfigs.callbackUrl,\n        },\n      );\n      // we need to replace the URL with resolved config in case the server is hosted\n      // behind a reverse proxy or load balancer\n      const requestUrl = new URL(request.url);\n      const fetchUrl = `${resolvedConfigs.callbackUrl}?${requestUrl.searchParams.toString()}&sameDomainServerTokenExchange=true`;\n      response = new NextResponse(\n        `<html>\n            <body>\n                <span style=\"display:none\">\n                    <script>\n                        window.onload = function () {\n                            const appUrl = globalThis.window?.location?.origin;\n                            fetch('${fetchUrl}&appUrl=' + appUrl).then((response) => {\n                                response.json().then((jsonResponse) => {\n                                    console.log('fetch jsonResponse', jsonResponse);\n                                    if (jsonResponse.redirectUrl) {\n                                        console.log('handleCallback serverTokenExchangeFromState, redirecting');\n                                        window.location.href = jsonResponse.redirectUrl;\n                                    }\n                                });\n                            });\n                        };\n                    </script>\n                </span>\n            </body>\n        </html>\n        `,\n      );\n    }\n    response.headers.set(\"Content-Type\", \"text/html; charset=utf-8\");\n    console.log(\n      `handleCallback no code_verifier found, returning ${TOKEN_EXCHANGE_TRIGGER_TEXT}`,\n    );\n    return response;\n  }\n\n  await performTokenExchangeAndSetCookies(\n    request,\n    resolvedConfigs,\n    code,\n    state,\n    appUrl,\n  );\n\n  if (request.url.includes(\"sameDomainServerTokenExchange=true\")) {\n    console.log(\n      \"handleCallback sameDomainServerTokenExchange = true, returnining redirectUrl\",\n      appUrl,\n    );\n    return NextResponse.json({\n      status: \"success\",\n      redirectUrl: appUrl,\n    });\n  }\n\n  // this is the case where a 'normal' redirect is happening\n  if (serverTokenExchangeFromState(state)) {\n    console.log(\n      \"handleCallback serverTokenExchangeFromState, redirect to appUrl\",\n      appUrl,\n    );\n    if (!appUrl) {\n      throw new Error(\"appUrl undefined. Cannot redirect.\");\n    }\n    return NextResponse.redirect(`${appUrl}`);\n  }\n  // return an empty HTML response so the iframe doesn't show any response\n  // in the short moment between the redirect and the parent window\n  // acknowledging the redirect and closing the iframe\n  const response = new NextResponse(\n    `<html><span style=\"display:none\">${TOKEN_EXCHANGE_SUCCESS_TEXT}</span></html>`,\n  );\n  response.headers.set(\"Content-Type\", \"text/html; charset=utf-8\");\n  return response;\n}\n\n/**\n * If redirectPath is an absolute path, return it as-is.\n * Otherwise for relative paths, append it to the current domain.\n * @param redirectPath\n * @returns\n */\nconst getAbsoluteRedirectPath = (\n  redirectPath: string,\n  currentBasePath: string,\n) => new URL(redirectPath, currentBasePath).href;\n\nexport async function handleLogout(\n  request: NextRequest,\n  config: AuthConfig,\n): Promise<NextResponse> {\n  const resolvedConfigs = resolveAuthConfig(config);\n  const defaultRedirectPath = resolvedConfigs.loginUrl ?? \"/\";\n  const redirectTarget =\n    new URL(request.url).searchParams.get(\"redirect\") || defaultRedirectPath;\n\n  const isAbsoluteRedirect = /^(https?:\\/\\/|www\\.).+/i.test(redirectTarget);\n\n  const appUrl = request.nextUrl.searchParams.get(\"appUrl\");\n\n  const finalRedirectUrl = isAbsoluteRedirect\n    ? redirectTarget\n    : getAbsoluteRedirectPath(\n        redirectTarget,\n        new URL(appUrl ?? request.url).origin,\n      );\n\n  const response = NextResponse.redirect(finalRedirectUrl);\n\n  clearAuthCookies(config);\n\n  try {\n    revalidatePath(isAbsoluteRedirect ? finalRedirectUrl : redirectTarget);\n  } catch (error) {\n    logger.warn(\"Failed to revalidate path after logout:\", error);\n  }\n\n  return response;\n}\n\n/**\n * Creates an authentication handler for Next.js API routes\n *\n * Usage:\n * ```ts\n * // app/api/auth/[...civicauth]/route.ts\n * import { handler } from '@civic/auth/nextjs'\n * export const GET = handler({\n *   // optional config overrides\n * })\n * ```\n */\nexport const handler =\n  (authConfig = {}) =>\n  async (request: NextRequest): Promise<NextResponse> => {\n    const config = resolveAuthConfig(authConfig);\n\n    try {\n      const pathname = request.nextUrl.pathname;\n      const pathSegments = pathname.split(\"/\");\n      const lastSegment = pathSegments[pathSegments.length - 1];\n\n      switch (lastSegment) {\n        case \"challenge\":\n          return await handleChallenge(request, config);\n        case \"callback\":\n          return await handleCallback(request, config);\n        case \"logout\":\n          return await handleLogout(request, config);\n        default:\n          throw new AuthError(`Invalid auth route: ${pathname}`, 404);\n      }\n    } catch (error) {\n      logger.error(\"Auth handler error:\", error);\n\n      const status = error instanceof AuthError ? error.status : 500;\n      const message =\n        error instanceof Error ? error.message : \"Authentication failed\";\n\n      const response = NextResponse.json({ error: message }, { status });\n\n      clearAuthCookies(config);\n      return response;\n    }\n  };\n"]}