@civic/auth 0.10.0-beta.1 → 0.10.0-beta.10

package/dist/nextjs/routeHandler.js

@@ -7,6 +7,7 @@ import { clearAuthCookies, NextjsCookieStorage } from "../nextjs/cookies.js";
 import { CodeVerifier, UserStorage } from "../shared/lib/types.js";
 import { revalidatePath } from "next/cache.js";
 import { NextResponse } from "next/server.js";
+import { prependBasePath, redirectWithBasePath } from "./utils.js";
 const logger = loggers.nextjs.handlers.auth;
 class AuthError extends Error {
     status;
@@ -105,13 +106,6 @@ async function handleRefresh(request, config) {
         const { civicAuth } = createCivicAuth(request, resolvedConfigs);
         await civicAuth.refreshTokens();
         logger.info("[REFRESH_HANDLER] Tokens refreshed successfully");
-        const targetUrl = request.nextUrl.searchParams.get("targetUrl");
-        if (targetUrl) {
-            // Success: clear the refresh attempt tracking cookie and redirect to target
-            const response = NextResponse.redirect(targetUrl);
-            response.cookies.delete("_civic_last_refresh");
-            return response;
-        }
         return NextResponse.json({
             status: "success",
             message: "Tokens refreshed",
@@ -119,10 +113,6 @@ async function handleRefresh(request, config) {
     }
     catch (error) {
         logger.error("[REFRESH_HANDLER] Token refresh error:", error);
-        const targetUrl = request.nextUrl.searchParams.get("targetUrl");
-        if (targetUrl) {
-            return NextResponse.redirect(targetUrl);
-        }
         return NextResponse.json({ error: "Token refresh failed" }, { status: 500 });
     }
 }
@@ -156,10 +146,10 @@ async function handleCallback(request, config) {
             req: handleCallbackRequest,
         }, {
             // Pass the properly resolved frontendUrl
-            frontendUrl: frontendUrl,
+            frontendUrl: prependBasePath(frontendUrl, config.basePath || ""),
         });
         if (result.redirectTo) {
-            return NextResponse.redirect(CivicAuth.toAbsoluteUrl(urlDetectionRequest, result.redirectTo, appUrl));
+            return redirectWithBasePath(config, CivicAuth.toAbsoluteUrl(urlDetectionRequest, result.redirectTo, appUrl));
         }
         if (result.content) {
             // Handle both string content and object content
@@ -229,7 +219,7 @@ export async function handleLogout(request, config) {
             state: state || undefined,
         });
         try {
-            await civicAuth.clearTokens();
+            await clearAuthCookies(resolvedConfigs);
             // Revalidate current path to update authentication state in server components
             await revalidateUrlPath(request.url);
         }
@@ -247,7 +237,7 @@ export async function handleLogout(request, config) {
     catch (error) {
         logger.error("[LOGOUT_HANDLER] Logout error:", error);
         // If logout URL generation fails, clear tokens and redirect to home
-        await clearAuthCookies();
+        await clearAuthCookies(resolvedConfigs);
         const fallbackUrl = clientLogoutRedirectUrl || resolvedConfigs.logoutCallbackUrl;
         const finalFallbackUrl = CivicAuth.toAbsoluteUrl(urlDetectionRequest, fallbackUrl, appUrl);
         return NextResponse.redirect(finalFallbackUrl);
@@ -258,7 +248,7 @@ export async function handleLogoutCallback(request, config) {
     try {
         logger.info("[LOGOUT_CALLBACK_HANDLER] Backend logout callback endpoint called");
         // Clear authentication cookies
-        await clearAuthCookies();
+        await clearAuthCookies(resolvedConfigs);
         // Get framework-agnostic request and create CivicAuth instance
         const urlDetectionRequest = toUrlDetectionRequest(request);
         const { civicAuth } = createCivicAuth(request, resolvedConfigs);
@@ -281,13 +271,13 @@ export async function handleLogoutCallback(request, config) {
         });
         // Revalidate the redirect path to update authentication state in server components
         await revalidateUrlPath(redirectUrl);
-        return NextResponse.redirect(redirectUrl);
+        return redirectWithBasePath(config, redirectUrl);
     }
     catch (error) {
         logger.error("[LOGOUT_CALLBACK_HANDLER] Logout callback error:", error);
         const urlDetectionRequest = toUrlDetectionRequest(request);
         const appUrl = CivicAuth.getAppUrl(urlDetectionRequest);
-        return NextResponse.redirect(CivicAuth.toAbsoluteUrl(urlDetectionRequest, resolvedConfigs.logoutCallbackUrl, appUrl));
+        return redirectWithBasePath(config, CivicAuth.toAbsoluteUrl(urlDetectionRequest, resolvedConfigs.logoutCallbackUrl, appUrl));
     }
 }
 /**
@@ -300,6 +290,9 @@ export async function handleLogoutCallback(request, config) {
  * export const GET = handler({
  *   // optional config overrides
  * })
+ * export const POST = handler({
+ *   // optional config overrides
+ * })
  * ```
  */
 export const handler = (authConfig = {}) => async (request) => {
@@ -331,7 +324,7 @@ export const handler = (authConfig = {}) => async (request) => {
         const status = error instanceof AuthError ? error.status : 500;
         const message = error instanceof Error ? error.message : "Authentication failed";
         const response = NextResponse.json({ error: message }, { status });
-        await clearAuthCookies();
+        await clearAuthCookies(config);
         return response;
     }
 };
@@ -345,7 +338,10 @@ async function handleUser(request, config) {
         const { civicAuth } = createCivicAuth(request, resolvedConfigs);
         const isLoggedIn = await civicAuth.isLoggedIn();
         if (!isLoggedIn) {
-            return NextResponse.json({ error: "Not authenticated" }, { status: 401 });
+            const statusCode = request.nextUrl.searchParams.get("optimisticRehydration")
+                ? 202
+                : 401;
+            return NextResponse.json({ error: "Not authenticated" }, { status: statusCode });
         }
         const user = await civicAuth.getUser();
         return NextResponse.json({ user });

package/dist/nextjs/routeHandler.js.map

@@ -1 +1 @@
-{"version":3,"file":"routeHandler.js","sourceRoot":"","sources":["../../src/nextjs/routeHandler.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,SAAS,EAA4B,MAAM,oBAAoB,CAAC;AACzE,OAAO,EAAE,mBAAmB,EAAE,MAAM,gBAAgB,CAAC;AACrD,OAAO,EAAE,OAAO,EAAE,MAAM,iBAAiB,CAAC;AAC1C,OAAO,EAAE,oBAAoB,EAAE,MAAM,gBAAgB,CAAC;AAEtD,OAAO,EAAE,iBAAiB,EAAE,MAAM,oBAAoB,CAAC;AACvD,OAAO,EAAE,gBAAgB,EAAE,mBAAmB,EAAE,MAAM,qBAAqB,CAAC;AAC5E,OAAO,EAAE,YAAY,EAAE,WAAW,EAAE,MAAM,uBAAuB,CAAC;AAClE,OAAO,EAAE,cAAc,EAAE,MAAM,eAAe,CAAC;AAE/C,OAAO,EAAE,YAAY,EAAE,MAAM,gBAAgB,CAAC;AAE9C,MAAM,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC;AAE5C,MAAM,SAAU,SAAQ,KAAK;IAGT;IAFlB,YACE,OAAe,EACC,SAAiB,GAAG;QAEpC,KAAK,CAAC,OAAO,CAAC,CAAC;QAFC,WAAM,GAAN,MAAM,CAAc;QAGpC,IAAI,CAAC,IAAI,GAAG,WAAW,CAAC;IAC1B,CAAC;CACF;AAED;;GAEG;AACH,MAAM,qBAAqB,GAAG,CAAC,OAAoB,EAAuB,EAAE,CAAC,CAAC;IAC5E,GAAG,EAAE,OAAO,CAAC,GAAG;IAChB,OAAO,EAAE,MAAM,CAAC,WAAW,CAAC,OAAO,CAAC,OAAO,CAAC,OAAO,EAAE,CAAC;IACtD,YAAY,EAAE;QACZ,GAAG,EAAE,CAAC,IAAY,EAAE,EAAE,CAAC,OAAO,CAAC,OAAO,CAAC,YAAY,CAAC,GAAG,CAAC,IAAI,CAAC;KAC9D;IACD,OAAO,EAAE;QACP,GAAG,EAAE,CAAC,IAAY,EAAE,EAAE,CAAC,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC;KACjD;CACF,CAAC,CAAC;AAEH;;;GAGG;AACH,MAAM,eAAe,GAAG,CAAC,OAAoB,EAAE,MAAkB,EAAE,EAAE;IACnE,MAAM,cAAc,GAAG,iBAAiB,CAAC,MAAM,CAAC,CAAC;IACjD,MAAM,aAAa,GAAG,IAAI,mBAAmB,CAAC;QAC5C,GAAG,cAAc,CAAC,OAAO,EAAE,MAAM;QACjC,CAAC,WAAW,CAAC,IAAI,CAAC,EAAE,cAAc,CAAC,OAAO,EAAE,IAAI;KACjD,CAAC,CAAC;IAEH,+CAA+C;IAC/C,MAAM,mBAAmB,GAAG,qBAAqB,CAAC,OAAO,CAAC,CAAC;IAE3D,kDAAkD;IAClD,MAAM,YAAY,GAAG,SAAS,CAAC,SAAS,CAAC,mBAAmB,CAAC,CAAC;IAE9D,mEAAmE;IACnE,mEAAmE;IACnE,MAAM,MAAM,GACV,cAAc,CAAC,OAAO;QACtB,YAAY;QACZ,IAAI,GAAG,CAAC,mBAAmB,CAAC,GAAG,CAAC,CAAC,MAAM,CAAC;IAE1C,8DAA8D;IAC9D,MAAM,mBAAmB,GAAG,cAAc,CAAC,WAAW,CAAC,UAAU,CAAC,MAAM,CAAC;QACvE,CAAC,CAAC,cAAc,CAAC,WAAW;QAC5B,CAAC,CAAC,SAAS,CAAC,aAAa,CACrB,mBAAmB,EACnB,cAAc,CAAC,WAAW,EAC1B,MAAM,CACP,CAAC;IACN,MAAM,yBAAyB,GAAG,cAAc,CAAC,iBAAiB,CAAC,UAAU,CAC3E,MAAM,CACP;QACC,CAAC,CAAC,cAAc,CAAC,iBAAiB;QAClC,CAAC,CAAC,SAAS,CAAC,aAAa,CACrB,mBAAmB,EACnB,cAAc,CAAC,iBAAiB,EAChC,MAAM,CACP,CAAC;IAEN,MAAM,SAAS,GAAG,IAAI,SAAS,CAAC,aAAa,EAAE;QAC7C,QAAQ,EAAE,cAAc,CAAC,QAAQ;QACjC,WAAW,EAAE,mBAAmB;QAChC,WAAW,EAAE,cAAc,CAAC,WAAW;QACvC,qBAAqB,EAAE,yBAAyB;QAChD,eAAe,EAAE,OAAO,CAAC,GAAG;KAC7B,CAAC,CAAC;IAEH,OAAO;QACL,SAAS;QACT,aAAa;QACb,MAAM,EAAE,2CAA2C;QACnD,mBAAmB,EAAE,6BAA6B;KACnD,CAAC;AACJ,CAAC,CAAC;AAEF;;;GAGG;AACH,KAAK,UAAU,WAAW,CACxB,OAAoB,EACpB,MAAkB;IAElB,MAAM,eAAe,GAAG,iBAAiB,CAAC,MAAM,CAAC,CAAC;IAElD,IAAI,CAAC;QACH,MAAM,aAAa,GAAG,OAAO,CAAC,OAAO,CAAC,YAAY,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;QAEhE,wDAAwD;QACxD,MAAM,eAAe,GAAG,OAAO,CAAC,OAAO,CAAC,YAAY,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;QACnE,IAAI,eAAe,EAAE,CAAC;YACpB,MAAM,aAAa,GAAG,IAAI,mBAAmB,CAC3C,eAAe,CAAC,OAAO,EAAE,MAAM,IAAI,EAAE,CACtC,CAAC;YACF,MAAM,aAAa,CAAC,GAAG,CAAC,YAAY,CAAC,OAAO,EAAE,eAAe,CAAC,CAAC;QACjE,CAAC;QAED,MAAM,EAAE,SAAS,EAAE,GAAG,eAAe,CAAC,OAAO,EAAE,eAAe,CAAC,CAAC;QAEhE,MAAM,GAAG,GAAG,MAAM,SAAS,CAAC,aAAa,CAAC;YACxC,KAAK,EAAE,aAAa,IAAI,SAAS;SAClC,CAAC,CAAC;QAEH,MAAM,CAAC,IAAI,CAAC,gDAAgD,EAAE;YAC5D,QAAQ,EAAE,GAAG,CAAC,QAAQ,EAAE;SACzB,CAAC,CAAC;QAEH,OAAO,YAAY,CAAC,QAAQ,CAAC,GAAG,CAAC,QAAQ,EAAE,CAAC,CAAC;IAC/C,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,MAAM,CAAC,KAAK,CAAC,sCAAsC,EAAE,KAAK,CAAC,CAAC;QAC5D,MAAM,mBAAmB,GAAG,qBAAqB,CAAC,OAAO,CAAC,CAAC;QAC3D,MAAM,MAAM,GAAG,SAAS,CAAC,SAAS,CAAC,mBAAmB,CAAC,CAAC;QACxD,OAAO,YAAY,CAAC,QAAQ,CAC1B,SAAS,CAAC,aAAa,CACrB,mBAAmB,EACnB,sBAAsB,EACtB,MAAM,CACP,CACF,CAAC;IACJ,CAAC;AACH,CAAC;AAED,KAAK,UAAU,aAAa,CAC1B,OAAoB,EACpB,MAAkB;IAElB,MAAM,eAAe,GAAG,iBAAiB,CAAC,MAAM,CAAC,CAAC;IAElD,IAAI,CAAC;QACH,MAAM,EAAE,SAAS,EAAE,GAAG,eAAe,CAAC,OAAO,EAAE,eAAe,CAAC,CAAC;QAEhE,MAAM,SAAS,CAAC,aAAa,EAAE,CAAC;QAEhC,MAAM,CAAC,IAAI,CAAC,iDAAiD,CAAC,CAAC;QAE/D,MAAM,SAAS,GAAG,OAAO,CAAC,OAAO,CAAC,YAAY,CAAC,GAAG,CAAC,WAAW,CAAC,CAAC;QAChE,IAAI,SAAS,EAAE,CAAC;YACd,4EAA4E;YAC5E,MAAM,QAAQ,GAAG,YAAY,CAAC,QAAQ,CAAC,SAAS,CAAC,CAAC;YAClD,QAAQ,CAAC,OAAO,CAAC,MAAM,CAAC,qBAAqB,CAAC,CAAC;YAC/C,OAAO,QAAQ,CAAC;QAClB,CAAC;QAED,OAAO,YAAY,CAAC,IAAI,CAAC;YACvB,MAAM,EAAE,SAAS;YACjB,OAAO,EAAE,kBAAkB;SAC5B,CAAC,CAAC;IACL,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,MAAM,CAAC,KAAK,CAAC,wCAAwC,EAAE,KAAK,CAAC,CAAC;QAC9D,MAAM,SAAS,GAAG,OAAO,CAAC,OAAO,CAAC,YAAY,CAAC,GAAG,CAAC,WAAW,CAAC,CAAC;QAChE,IAAI,SAAS,EAAE,CAAC;YACd,OAAO,YAAY,CAAC,QAAQ,CAAC,SAAS,CAAC,CAAC;QAC1C,CAAC;QACD,OAAO,YAAY,CAAC,IAAI,CACtB,EAAE,KAAK,EAAE,sBAAsB,EAAE,EACjC,EAAE,MAAM,EAAE,GAAG,EAAE,CAChB,CAAC;IACJ,CAAC;AACH,CAAC;AAED,KAAK,UAAU,cAAc,CAC3B,OAAoB,EACpB,MAAkB;IAElB,MAAM,eAAe,GAAG,iBAAiB,CAAC,MAAM,CAAC,CAAC;IAClD,MAAM,IAAI,GAAG,OAAO,CAAC,OAAO,CAAC,YAAY,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;IACtD,MAAM,KAAK,GAAG,OAAO,CAAC,OAAO,CAAC,YAAY,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;IACxD,MAAM,KAAK,GAAG,OAAO,CAAC,OAAO,CAAC,YAAY,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;IAExD,IAAI,KAAK,EAAE,CAAC;QACV,MAAM,CAAC,KAAK,CAAC,0BAA0B,EAAE,KAAK,CAAC,CAAC;QAChD,MAAM,mBAAmB,GAAG,qBAAqB,CAAC,OAAO,CAAC,CAAC;QAC3D,MAAM,MAAM,GAAG,SAAS,CAAC,SAAS,CAAC,mBAAmB,CAAC,CAAC;QACxD,OAAO,YAAY,CAAC,QAAQ,CAC1B,SAAS,CAAC,aAAa,CACrB,mBAAmB,EACnB,qBAAqB,EACrB,MAAM,CACP,CACF,CAAC;IACJ,CAAC;IAED,IAAI,CAAC,IAAI,IAAI,CAAC,KAAK;QAAE,MAAM,IAAI,SAAS,CAAC,gBAAgB,EAAE,GAAG,CAAC,CAAC;IAEhE,IAAI,CAAC;QACH,MAAM,EAAE,SAAS,EAAE,MAAM,EAAE,mBAAmB,EAAE,GAAG,eAAe,CAChE,OAAO,EACP,eAAe,CAChB,CAAC;QAEF,+DAA+D;QAC/D,MAAM,qBAAqB,GAAG;YAC5B,OAAO,EAAE,MAAM,CAAC,WAAW,CAAC,OAAO,CAAC,OAAO,CAAC,OAAO,EAAE,CAAC;YACtD,GAAG,EAAE,OAAO,CAAC,GAAG,CAAC,QAAQ,EAAE;SAC5B,CAAC;QAEF,mDAAmD;QACnD,MAAM,eAAe,GAAG,SAAS,CAAC,kBAAkB,CAClD,mBAAmB,EACnB,MAAM,CACP,CAAC;QACF,MAAM,WAAW,GACf,eAAe,IAAI,eAAe,CAAC,eAAe,IAAI,GAAG,CAAC;QAE5D,yCAAyC;QACzC,MAAM,MAAM,GAAG,MAAM,SAAS,CAAC,cAAc,CAC3C;YACE,IAAI;YACJ,KAAK;YACL,GAAG,EAAE,qBAAqB;SAC3B,EACD;YACE,yCAAyC;YACzC,WAAW,EAAE,WAAW;SACzB,CACF,CAAC;QAEF,IAAI,MAAM,CAAC,UAAU,EAAE,CAAC;YACtB,OAAO,YAAY,CAAC,QAAQ,CAC1B,SAAS,CAAC,aAAa,CAAC,mBAAmB,EAAE,MAAM,CAAC,UAAU,EAAE,MAAM,CAAC,CACxE,CAAC;QACJ,CAAC;QAED,IAAI,MAAM,CAAC,OAAO,EAAE,CAAC;YACnB,gDAAgD;YAChD,IAAI,OAAO,MAAM,CAAC,OAAO,KAAK,QAAQ,EAAE,CAAC;gBACvC,OAAO,IAAI,YAAY,CAAC,MAAM,CAAC,OAAO,EAAE;oBACtC,MAAM,EAAE,GAAG;oBACX,OAAO,EAAE;wBACP,cAAc,EAAE,WAAW;qBAC5B;iBACF,CAAC,CAAC;YACL,CAAC;iBAAM,CAAC;gBACN,iCAAiC;gBACjC,OAAO,YAAY,CAAC,IAAI,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC;YAC3C,CAAC;QACH,CAAC;QAED,oBAAoB;QACpB,OAAO,YAAY,CAAC,QAAQ,CAC1B,SAAS,CAAC,aAAa,CAAC,mBAAmB,EAAE,GAAG,EAAE,MAAM,CAAC,CAC1D,CAAC;IACJ,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,MAAM,CAAC,KAAK,CAAC,0CAA0C,EAAE,KAAK,CAAC,CAAC;QAChE,MAAM,mBAAmB,GAAG,qBAAqB,CAAC,OAAO,CAAC,CAAC;QAC3D,MAAM,MAAM,GAAG,SAAS,CAAC,SAAS,CAAC,mBAAmB,CAAC,CAAC;QACxD,OAAO,YAAY,CAAC,QAAQ,CAC1B,SAAS,CAAC,aAAa,CACrB,mBAAmB,EACnB,yBAAyB,EACzB,MAAM,CACP,CACF,CAAC;IACJ,CAAC;AACH,CAAC;AAED,MAAM,iBAAiB,GAAG,KAAK,EAAE,GAAW,EAAE,EAAE;IAC9C,IAAI,CAAC;QACH,MAAM,IAAI,GAAG,IAAI,GAAG,CAAC,GAAG,CAAC,CAAC,QAAQ,CAAC;QACnC,cAAc,CAAC,IAAI,CAAC,CAAC;IACvB,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,MAAM,CAAC,IAAI,CAAC,yCAAyC,EAAE,KAAK,CAAC,CAAC;IAChE,CAAC;AACH,CAAC,CAAC;AAEF,MAAM,CAAC,KAAK,UAAU,YAAY,CAChC,OAAoB,EACpB,MAAkB;IAElB,MAAM,eAAe,GAAG,iBAAiB,CAAC,MAAM,CAAC,CAAC;IAElD,mDAAmD;IACnD,MAAM,mBAAmB,GAAG,qBAAqB,CAAC,OAAO,CAAC,CAAC;IAC3D,MAAM,MAAM,GAAG,SAAS,CAAC,SAAS,CAAC,mBAAmB,CAAC,CAAC;IAExD,2CAA2C;IAC3C,MAAM,KAAK,GAAG,OAAO,CAAC,OAAO,CAAC,YAAY,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;IACxD,MAAM,uBAAuB,GAC3B,OAAO,CAAC,OAAO,CAAC,YAAY,CAAC,GAAG,CAAC,mBAAmB,CAAC,CAAC;IAExD,IAAI,CAAC;QACH,MAAM,CAAC,IAAI,CAAC,iDAAiD,CAAC,CAAC;QAE/D,8DAA8D;QAC9D,IAAI,WAAW,GAAG,eAAe,CAAC;QAClC,IAAI,uBAAuB,EAAE,CAAC;YAC5B,WAAW,GAAG;gBACZ,GAAG,eAAe;gBAClB,iBAAiB,EAAE,uBAAuB;aAC3C,CAAC;YACF,MAAM,CAAC,IAAI,CAAC,iDAAiD,EAAE;gBAC7D,QAAQ,EAAE,eAAe,CAAC,iBAAiB;gBAC3C,QAAQ,EAAE,uBAAuB;aAClC,CAAC,CAAC;QACL,CAAC;QAED,MAAM,EAAE,SAAS,EAAE,GAAG,eAAe,CAAC,OAAO,EAAE,WAAW,CAAC,CAAC;QAE5D,qDAAqD;QACrD,+EAA+E;QAC/E,MAAM,CAAC,IAAI,CAAC,4CAA4C,EAAE;YACxD,KAAK,EAAE,CAAC,CAAC,KAAK;SACf,CAAC,CAAC;QAEH,8DAA8D;QAC9D,6EAA6E;QAC7E,MAAM,SAAS,GAAG,MAAM,SAAS,CAAC,sBAAsB,CAAC;YACvD,KAAK,EAAE,KAAK,IAAI,SAAS;SAC1B,CAAC,CAAC;QAEH,IAAI,CAAC;YACH,MAAM,SAAS,CAAC,WAAW,EAAE,CAAC;YAE9B,8EAA8E;YAC9E,MAAM,iBAAiB,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;QACvC,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,MAAM,CAAC,KAAK,CAAC,yCAAyC,EAAE,KAAK,CAAC,CAAC;QACjE,CAAC;QAED,sFAAsF;QACtF,MAAM,cAAc,GAAG,IAAI,GAAG,CAAC,SAAS,CAAC,CAAC;QAC1C,cAAc,CAAC,YAAY,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC;QAE5C,MAAM,CAAC,IAAI,CAAC,uDAAuD,EAAE;YACnE,SAAS,EAAE,cAAc,CAAC,QAAQ,EAAE;SACrC,CAAC,CAAC;QAEH,OAAO,YAAY,CAAC,QAAQ,CAAC,cAAc,CAAC,QAAQ,EAAE,CAAC,CAAC;IAC1D,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,MAAM,CAAC,KAAK,CAAC,gCAAgC,EAAE,KAAK,CAAC,CAAC;QACtD,oEAAoE;QACpE,MAAM,gBAAgB,EAAE,CAAC;QAEzB,MAAM,WAAW,GACf,uBAAuB,IAAI,eAAe,CAAC,iBAAiB,CAAC;QAC/D,MAAM,gBAAgB,GAAG,SAAS,CAAC,aAAa,CAC9C,mBAAmB,EACnB,WAAW,EACX,MAAM,CACP,CAAC;QAEF,OAAO,YAAY,CAAC,QAAQ,CAAC,gBAAgB,CAAC,CAAC;IACjD,CAAC;AACH,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,oBAAoB,CACxC,OAAoB,EACpB,MAAkB;IAElB,MAAM,eAAe,GAAG,iBAAiB,CAAC,MAAM,CAAC,CAAC;IAElD,IAAI,CAAC;QACH,MAAM,CAAC,IAAI,CACT,mEAAmE,CACpE,CAAC;QAEF,+BAA+B;QAC/B,MAAM,gBAAgB,EAAE,CAAC;QAEzB,+DAA+D;QAC/D,MAAM,mBAAmB,GAAG,qBAAqB,CAAC,OAAO,CAAC,CAAC;QAC3D,MAAM,EAAE,SAAS,EAAE,GAAG,eAAe,CAAC,OAAO,EAAE,eAAe,CAAC,CAAC;QAEhE,+CAA+C;QAC/C,MAAM,KAAK,GAAG,OAAO,CAAC,OAAO,CAAC,YAAY,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;QAExD,uEAAuE;QACvE,IAAI,KAAK,IAAI,oBAAoB,CAAC,KAAK,EAAE,QAAQ,CAAC,KAAK,QAAQ,EAAE,CAAC;YAChE,oEAAoE;YACpE,MAAM,qBAAqB,GACzB,SAAS,CAAC,wBAAwB,CAAC,mBAAmB,CAAC,CAAC;YAC1D,MAAM,QAAQ,GAAG,IAAI,YAAY,CAC/B,8CAA8C,mBAAmB,YAAY,qBAAqB,gEAAgE,CACnK,CAAC;YACF,QAAQ,CAAC,OAAO,CAAC,GAAG,CAAC,cAAc,EAAE,0BAA0B,CAAC,CAAC;YACjE,MAAM,CAAC,IAAI,CACT,gEAAgE,EAChE,EAAE,qBAAqB,EAAE,CAC1B,CAAC;YACF,OAAO,QAAQ,CAAC;QAClB,CAAC;QAED,kFAAkF;QAClF,MAAM,WAAW,GAAG,SAAS,CAAC,wBAAwB,CAAC,mBAAmB,CAAC,CAAC;QAC5E,MAAM,CAAC,IAAI,CACT,8DAA8D,EAC9D;YACE,iBAAiB,EAAE,eAAe,CAAC,iBAAiB;YACpD,WAAW;SACZ,CACF,CAAC;QAEF,mFAAmF;QACnF,MAAM,iBAAiB,CAAC,WAAW,CAAC,CAAC;QACrC,OAAO,YAAY,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAC;IAC5C,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,MAAM,CAAC,KAAK,CAAC,kDAAkD,EAAE,KAAK,CAAC,CAAC;QACxE,MAAM,mBAAmB,GAAG,qBAAqB,CAAC,OAAO,CAAC,CAAC;QAC3D,MAAM,MAAM,GAAG,SAAS,CAAC,SAAS,CAAC,mBAAmB,CAAC,CAAC;QACxD,OAAO,YAAY,CAAC,QAAQ,CAC1B,SAAS,CAAC,aAAa,CACrB,mBAAmB,EACnB,eAAe,CAAC,iBAAiB,EACjC,MAAM,CACP,CACF,CAAC;IACJ,CAAC;AACH,CAAC;AAED;;;;;;;;;;;GAWG;AACH,MAAM,CAAC,MAAM,OAAO,GAClB,CAAC,UAAU,GAAG,EAAE,EAAE,EAAE,CACpB,KAAK,EAAE,OAAoB,EAAyB,EAAE;IACpD,MAAM,MAAM,GAAG,iBAAiB,CAAC,UAAU,CAAC,CAAC;IAE7C,IAAI,CAAC;QACH,MAAM,QAAQ,GAAG,OAAO,CAAC,OAAO,CAAC,QAAQ,CAAC;QAC1C,MAAM,YAAY,GAAG,QAAQ,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;QACzC,MAAM,WAAW,GAAG,YAAY,CAAC,YAAY,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC;QAE1D,QAAQ,WAAW,EAAE,CAAC;YACpB,KAAK,WAAW,CAAC;YACjB,KAAK,OAAO;gBACV,OAAO,MAAM,WAAW,CAAC,OAAO,EAAE,MAAM,CAAC,CAAC;YAC5C,KAAK,UAAU;gBACb,OAAO,MAAM,cAAc,CAAC,OAAO,EAAE,MAAM,CAAC,CAAC;YAC/C,KAAK,SAAS;gBACZ,OAAO,MAAM,aAAa,CAAC,OAAO,EAAE,MAAM,CAAC,CAAC;YAC9C,KAAK,QAAQ;gBACX,OAAO,MAAM,YAAY,CAAC,OAAO,EAAE,MAAM,CAAC,CAAC;YAC7C,KAAK,gBAAgB;gBACnB,OAAO,MAAM,oBAAoB,CAAC,OAAO,EAAE,MAAM,CAAC,CAAC;YACrD,KAAK,MAAM;gBACT,OAAO,MAAM,UAAU,CAAC,OAAO,EAAE,MAAM,CAAC,CAAC;YAC3C;gBACE,MAAM,IAAI,SAAS,CAAC,uBAAuB,QAAQ,EAAE,EAAE,GAAG,CAAC,CAAC;QAChE,CAAC;IACH,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,MAAM,CAAC,KAAK,CAAC,qBAAqB,EAAE,KAAK,CAAC,CAAC;QAE3C,MAAM,MAAM,GAAG,KAAK,YAAY,SAAS,CAAC,CAAC,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC,GAAG,CAAC;QAC/D,MAAM,OAAO,GACX,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,uBAAuB,CAAC;QAEnE,MAAM,QAAQ,GAAG,YAAY,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,OAAO,EAAE,EAAE,EAAE,MAAM,EAAE,CAAC,CAAC;QAEnE,MAAM,gBAAgB,EAAE,CAAC;QACzB,OAAO,QAAQ,CAAC;IAClB,CAAC;AACH,CAAC,CAAC;AAEJ;;;GAGG;AACH,KAAK,UAAU,UAAU,CACvB,OAAoB,EACpB,MAAkB;IAElB,MAAM,eAAe,GAAG,iBAAiB,CAAC,MAAM,CAAC,CAAC;IAElD,IAAI,CAAC;QACH,MAAM,EAAE,SAAS,EAAE,GAAG,eAAe,CAAC,OAAO,EAAE,eAAe,CAAC,CAAC;QAEhE,MAAM,UAAU,GAAG,MAAM,SAAS,CAAC,UAAU,EAAE,CAAC;QAEhD,IAAI,CAAC,UAAU,EAAE,CAAC;YAChB,OAAO,YAAY,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,mBAAmB,EAAE,EAAE,EAAE,MAAM,EAAE,GAAG,EAAE,CAAC,CAAC;QAC5E,CAAC;QAED,MAAM,IAAI,GAAG,MAAM,SAAS,CAAC,OAAO,EAAE,CAAC;QAEvC,OAAO,YAAY,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,CAAC,CAAC;IACrC,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,MAAM,CAAC,KAAK,CAAC,qCAAqC,EAAE,KAAK,CAAC,CAAC;QAC3D,OAAO,YAAY,CAAC,IAAI,CACtB,EAAE,KAAK,EAAE,uBAAuB,EAAE,EAClC,EAAE,MAAM,EAAE,GAAG,EAAE,CAChB,CAAC;IACJ,CAAC;AACH,CAAC","sourcesContent":["import { CivicAuth, type UrlDetectionRequest } from \"@civic/auth/server\";\nimport { LOGOUT_SUCCESS_TEXT } from \"@/constants.js\";\nimport { loggers } from \"@/lib/logger.js\";\nimport { displayModeFromState } from \"@/lib/oauth.js\";\nimport type { AuthConfig } from \"@/nextjs/config.js\";\nimport { resolveAuthConfig } from \"@/nextjs/config.js\";\nimport { clearAuthCookies, NextjsCookieStorage } from \"@/nextjs/cookies.js\";\nimport { CodeVerifier, UserStorage } from \"@/shared/lib/types.js\";\nimport { revalidatePath } from \"next/cache.js\";\nimport type { NextRequest } from \"next/server.js\";\nimport { NextResponse } from \"next/server.js\";\n\nconst logger = loggers.nextjs.handlers.auth;\n\nclass AuthError extends Error {\n  constructor(\n    message: string,\n    public readonly status: number = 401,\n  ) {\n    super(message);\n    this.name = \"AuthError\";\n  }\n}\n\n/**\n * Helper to convert NextRequest to UrlDetectionRequest for framework-agnostic URL handling\n */\nconst toUrlDetectionRequest = (request: NextRequest): UrlDetectionRequest => ({\n  url: request.url,\n  headers: Object.fromEntries(request.headers.entries()),\n  searchParams: {\n    get: (name: string) => request.nextUrl.searchParams.get(name),\n  },\n  cookies: {\n    get: (name: string) => request.cookies.get(name),\n  },\n});\n\n/**\n * Helper to create CivicAuth instance for a request\n * Now handles appUrl detection for proxy environments\n */\nconst createCivicAuth = (request: NextRequest, config: AuthConfig) => {\n  const resolvedConfig = resolveAuthConfig(config);\n  const cookieStorage = new NextjsCookieStorage({\n    ...resolvedConfig.cookies?.tokens,\n    [UserStorage.USER]: resolvedConfig.cookies?.user,\n  });\n\n  // Convert to framework-agnostic request format\n  const urlDetectionRequest = toUrlDetectionRequest(request);\n\n  // Get appUrl from client (for proxy environments)\n  const clientAppUrl = CivicAuth.getAppUrl(urlDetectionRequest);\n\n  // Use baseUrl from config, then client appUrl, then request origin\n  // This matches the main branch priority: config > client > request\n  const appUrl =\n    resolvedConfig.baseUrl ||\n    clientAppUrl ||\n    new URL(urlDetectionRequest.url).origin;\n\n  // Build absolute URLs using detected appUrl or request origin\n  const absoluteCallbackUrl = resolvedConfig.callbackUrl.startsWith(\"http\")\n    ? resolvedConfig.callbackUrl\n    : CivicAuth.toAbsoluteUrl(\n        urlDetectionRequest,\n        resolvedConfig.callbackUrl,\n        appUrl,\n      );\n  const absoluteLogoutCallbackUrl = resolvedConfig.logoutCallbackUrl.startsWith(\n    \"http\",\n  )\n    ? resolvedConfig.logoutCallbackUrl\n    : CivicAuth.toAbsoluteUrl(\n        urlDetectionRequest,\n        resolvedConfig.logoutCallbackUrl,\n        appUrl,\n      );\n\n  const civicAuth = new CivicAuth(cookieStorage, {\n    clientId: resolvedConfig.clientId,\n    redirectUrl: absoluteCallbackUrl,\n    oauthServer: resolvedConfig.oauthServer,\n    postLogoutRedirectUrl: absoluteLogoutCallbackUrl,\n    loginSuccessUrl: request.url,\n  });\n\n  return {\n    civicAuth,\n    cookieStorage,\n    appUrl, // Return appUrl for use in other functions\n    urlDetectionRequest, // Return for use in handlers\n  };\n};\n\n/**\n * Login handler - backend OAuth login initiation endpoint\n * Uses CivicAuth.buildLoginUrl()\n */\nasync function handleLogin(\n  request: NextRequest,\n  config: AuthConfig,\n): Promise<NextResponse> {\n  const resolvedConfigs = resolveAuthConfig(config);\n\n  try {\n    const frontendState = request.nextUrl.searchParams.get(\"state\");\n\n    // Store appUrl in cookie if provided as query parameter\n    const appUrlFromQuery = request.nextUrl.searchParams.get(\"appUrl\");\n    if (appUrlFromQuery) {\n      const cookieStorage = new NextjsCookieStorage(\n        resolvedConfigs.cookies?.tokens ?? {},\n      );\n      await cookieStorage.set(CodeVerifier.APP_URL, appUrlFromQuery);\n    }\n\n    const { civicAuth } = createCivicAuth(request, resolvedConfigs);\n\n    const url = await civicAuth.buildLoginUrl({\n      state: frontendState || undefined,\n    });\n\n    logger.info(\"[LOGIN_HANDLER] Redirecting to OAuth login URL\", {\n      loginUrl: url.toString(),\n    });\n\n    return NextResponse.redirect(url.toString());\n  } catch (error) {\n    logger.error(\"[LOGIN_HANDLER] Backend login error:\", error);\n    const urlDetectionRequest = toUrlDetectionRequest(request);\n    const appUrl = CivicAuth.getAppUrl(urlDetectionRequest);\n    return NextResponse.redirect(\n      CivicAuth.toAbsoluteUrl(\n        urlDetectionRequest,\n        \"/?error=login_failed\",\n        appUrl,\n      ),\n    );\n  }\n}\n\nasync function handleRefresh(\n  request: NextRequest,\n  config: AuthConfig,\n): Promise<NextResponse> {\n  const resolvedConfigs = resolveAuthConfig(config);\n\n  try {\n    const { civicAuth } = createCivicAuth(request, resolvedConfigs);\n\n    await civicAuth.refreshTokens();\n\n    logger.info(\"[REFRESH_HANDLER] Tokens refreshed successfully\");\n\n    const targetUrl = request.nextUrl.searchParams.get(\"targetUrl\");\n    if (targetUrl) {\n      // Success: clear the refresh attempt tracking cookie and redirect to target\n      const response = NextResponse.redirect(targetUrl);\n      response.cookies.delete(\"_civic_last_refresh\");\n      return response;\n    }\n\n    return NextResponse.json({\n      status: \"success\",\n      message: \"Tokens refreshed\",\n    });\n  } catch (error) {\n    logger.error(\"[REFRESH_HANDLER] Token refresh error:\", error);\n    const targetUrl = request.nextUrl.searchParams.get(\"targetUrl\");\n    if (targetUrl) {\n      return NextResponse.redirect(targetUrl);\n    }\n    return NextResponse.json(\n      { error: \"Token refresh failed\" },\n      { status: 500 },\n    );\n  }\n}\n\nasync function handleCallback(\n  request: NextRequest,\n  config: AuthConfig,\n): Promise<NextResponse> {\n  const resolvedConfigs = resolveAuthConfig(config);\n  const code = request.nextUrl.searchParams.get(\"code\");\n  const state = request.nextUrl.searchParams.get(\"state\");\n  const error = request.nextUrl.searchParams.get(\"error\");\n\n  if (error) {\n    logger.error(\"OAuth error in callback:\", error);\n    const urlDetectionRequest = toUrlDetectionRequest(request);\n    const appUrl = CivicAuth.getAppUrl(urlDetectionRequest);\n    return NextResponse.redirect(\n      CivicAuth.toAbsoluteUrl(\n        urlDetectionRequest,\n        \"/?error=oauth_error\",\n        appUrl,\n      ),\n    );\n  }\n\n  if (!code || !state) throw new AuthError(\"Bad parameters\", 400);\n\n  try {\n    const { civicAuth, appUrl, urlDetectionRequest } = createCivicAuth(\n      request,\n      resolvedConfigs,\n    );\n\n    // Convert NextRequest to the format expected by handleCallback\n    const handleCallbackRequest = {\n      headers: Object.fromEntries(request.headers.entries()),\n      url: request.url.toString(),\n    };\n\n    // Get loginSuccessUrl with proper baseUrl handling\n    const loginSuccessUrl = CivicAuth.getLoginSuccessUrl(\n      urlDetectionRequest,\n      appUrl,\n    );\n    const frontendUrl =\n      loginSuccessUrl || resolvedConfigs.loginSuccessUrl || \"/\";\n\n    // Use CivicAuth's smart callback handler\n    const result = await civicAuth.handleCallback(\n      {\n        code,\n        state,\n        req: handleCallbackRequest,\n      },\n      {\n        // Pass the properly resolved frontendUrl\n        frontendUrl: frontendUrl,\n      },\n    );\n\n    if (result.redirectTo) {\n      return NextResponse.redirect(\n        CivicAuth.toAbsoluteUrl(urlDetectionRequest, result.redirectTo, appUrl),\n      );\n    }\n\n    if (result.content) {\n      // Handle both string content and object content\n      if (typeof result.content === \"string\") {\n        return new NextResponse(result.content, {\n          status: 200,\n          headers: {\n            \"Content-Type\": \"text/html\",\n          },\n        });\n      } else {\n        // Object content (JSON response)\n        return NextResponse.json(result.content);\n      }\n    }\n\n    // Fallback redirect\n    return NextResponse.redirect(\n      CivicAuth.toAbsoluteUrl(urlDetectionRequest, \"/\", appUrl),\n    );\n  } catch (error) {\n    logger.error(\"[CALLBACK_HANDLER] OAuth callback error:\", error);\n    const urlDetectionRequest = toUrlDetectionRequest(request);\n    const appUrl = CivicAuth.getAppUrl(urlDetectionRequest);\n    return NextResponse.redirect(\n      CivicAuth.toAbsoluteUrl(\n        urlDetectionRequest,\n        \"/?error=callback_failed\",\n        appUrl,\n      ),\n    );\n  }\n}\n\nconst revalidateUrlPath = async (url: string) => {\n  try {\n    const path = new URL(url).pathname;\n    revalidatePath(path);\n  } catch (error) {\n    logger.warn(\"Failed to revalidate path after logout:\", error);\n  }\n};\n\nexport async function handleLogout(\n  request: NextRequest,\n  config: AuthConfig,\n): Promise<NextResponse> {\n  const resolvedConfigs = resolveAuthConfig(config);\n\n  // Get framework-agnostic request for URL utilities\n  const urlDetectionRequest = toUrlDetectionRequest(request);\n  const appUrl = CivicAuth.getAppUrl(urlDetectionRequest);\n\n  // Read the state from the query parameters\n  const state = request.nextUrl.searchParams.get(\"state\");\n  const clientLogoutRedirectUrl =\n    request.nextUrl.searchParams.get(\"logoutRedirectUrl\");\n\n  try {\n    logger.info(\"[LOGOUT_HANDLER] Backend logout endpoint called\");\n\n    // If client provided a logoutRedirectUrl, override the config\n    let configToUse = resolvedConfigs;\n    if (clientLogoutRedirectUrl) {\n      configToUse = {\n        ...resolvedConfigs,\n        logoutCallbackUrl: clientLogoutRedirectUrl,\n      };\n      logger.info(\"[LOGOUT_HANDLER] Overriding logout callback URL\", {\n        original: resolvedConfigs.logoutCallbackUrl,\n        override: clientLogoutRedirectUrl,\n      });\n    }\n\n    const { civicAuth } = createCivicAuth(request, configToUse);\n\n    // Always redirect to OAuth logout (like main branch)\n    // Don't validate session - even invalid local sessions should hit OAuth logout\n    logger.info(\"[LOGOUT_HANDLER] Processing logout request\", {\n      state: !!state,\n    });\n\n    // Always redirect to OAuth logout endpoint (like main branch)\n    // Client-side iframe logic will handle completion and redirect appropriately\n    const logoutUrl = await civicAuth.buildLogoutRedirectUrl({\n      state: state || undefined,\n    });\n\n    try {\n      await civicAuth.clearTokens();\n\n      // Revalidate current path to update authentication state in server components\n      await revalidateUrlPath(request.url);\n    } catch (error) {\n      logger.error(\"[LOGOUT_HANDLER] Error clearing tokens:\", error);\n    }\n\n    // Remove state parameter from logout URL to prevent it from appearing in frontend URL\n    const cleanLogoutUrl = new URL(logoutUrl);\n    cleanLogoutUrl.searchParams.delete(\"state\");\n\n    logger.info(\"[LOGOUT_HANDLER] Redirecting to OAuth logout endpoint\", {\n      logoutUrl: cleanLogoutUrl.toString(),\n    });\n\n    return NextResponse.redirect(cleanLogoutUrl.toString());\n  } catch (error) {\n    logger.error(\"[LOGOUT_HANDLER] Logout error:\", error);\n    // If logout URL generation fails, clear tokens and redirect to home\n    await clearAuthCookies();\n\n    const fallbackUrl =\n      clientLogoutRedirectUrl || resolvedConfigs.logoutCallbackUrl;\n    const finalFallbackUrl = CivicAuth.toAbsoluteUrl(\n      urlDetectionRequest,\n      fallbackUrl,\n      appUrl,\n    );\n\n    return NextResponse.redirect(finalFallbackUrl);\n  }\n}\n\nexport async function handleLogoutCallback(\n  request: NextRequest,\n  config: AuthConfig,\n): Promise<NextResponse> {\n  const resolvedConfigs = resolveAuthConfig(config);\n\n  try {\n    logger.info(\n      \"[LOGOUT_CALLBACK_HANDLER] Backend logout callback endpoint called\",\n    );\n\n    // Clear authentication cookies\n    await clearAuthCookies();\n\n    // Get framework-agnostic request and create CivicAuth instance\n    const urlDetectionRequest = toUrlDetectionRequest(request);\n    const { civicAuth } = createCivicAuth(request, resolvedConfigs);\n\n    // Get the state parameter for iframe detection\n    const state = request.nextUrl.searchParams.get(\"state\");\n\n    // If this is an iframe request, return HTML with logout success signal\n    if (state && displayModeFromState(state, \"iframe\") === \"iframe\") {\n      // For iframe mode, include the post-logout redirect URL in the HTML\n      const postLogoutRedirectUrl =\n        civicAuth.getPostLogoutRedirectUrl(urlDetectionRequest);\n      const response = new NextResponse(\n        `<html lang=\"en\"><span style=\"display:none\">${LOGOUT_SUCCESS_TEXT}<a href=\"${postLogoutRedirectUrl}\" rel=\"civic-auth-post-logout-redirect-url\"></a></span></html>`,\n      );\n      response.headers.set(\"Content-Type\", \"text/html; charset=utf-8\");\n      logger.info(\n        \"[LOGOUT_CALLBACK_HANDLER] Returning iframe logout success HTML\",\n        { postLogoutRedirectUrl },\n      );\n      return response;\n    }\n\n    // For non-iframe requests, redirect to the logout callback URL or post-logout URL\n    const redirectUrl = civicAuth.getPostLogoutRedirectUrl(urlDetectionRequest);\n    logger.info(\n      \"[LOGOUT_CALLBACK_HANDLER] Redirecting to logout callback URL\",\n      {\n        logoutCallbackUrl: resolvedConfigs.logoutCallbackUrl,\n        redirectUrl,\n      },\n    );\n\n    // Revalidate the redirect path to update authentication state in server components\n    await revalidateUrlPath(redirectUrl);\n    return NextResponse.redirect(redirectUrl);\n  } catch (error) {\n    logger.error(\"[LOGOUT_CALLBACK_HANDLER] Logout callback error:\", error);\n    const urlDetectionRequest = toUrlDetectionRequest(request);\n    const appUrl = CivicAuth.getAppUrl(urlDetectionRequest);\n    return NextResponse.redirect(\n      CivicAuth.toAbsoluteUrl(\n        urlDetectionRequest,\n        resolvedConfigs.logoutCallbackUrl,\n        appUrl,\n      ),\n    );\n  }\n}\n\n/**\n * Creates an authentication handler for Next.js API routes\n *\n * Usage:\n * ```ts\n * // app/api/auth/[...civicauth]/route.ts\n * import { handler } from '@civic/auth/nextjs'\n * export const GET = handler({\n *   // optional config overrides\n * })\n * ```\n */\nexport const handler =\n  (authConfig = {}) =>\n  async (request: NextRequest): Promise<NextResponse> => {\n    const config = resolveAuthConfig(authConfig);\n\n    try {\n      const pathname = request.nextUrl.pathname;\n      const pathSegments = pathname.split(\"/\");\n      const lastSegment = pathSegments[pathSegments.length - 1];\n\n      switch (lastSegment) {\n        case \"challenge\":\n        case \"login\":\n          return await handleLogin(request, config);\n        case \"callback\":\n          return await handleCallback(request, config);\n        case \"refresh\":\n          return await handleRefresh(request, config);\n        case \"logout\":\n          return await handleLogout(request, config);\n        case \"logoutcallback\":\n          return await handleLogoutCallback(request, config);\n        case \"user\":\n          return await handleUser(request, config);\n        default:\n          throw new AuthError(`Invalid auth route: ${pathname}`, 404);\n      }\n    } catch (error) {\n      logger.error(\"Auth handler error:\", error);\n\n      const status = error instanceof AuthError ? error.status : 500;\n      const message =\n        error instanceof Error ? error.message : \"Authentication failed\";\n\n      const response = NextResponse.json({ error: message }, { status });\n\n      await clearAuthCookies();\n      return response;\n    }\n  };\n\n/**\n * User endpoint - returns current user data as JSON\n * Uses CivicAuth.isLoggedIn() and getUser()\n */\nasync function handleUser(\n  request: NextRequest,\n  config: AuthConfig,\n): Promise<NextResponse> {\n  const resolvedConfigs = resolveAuthConfig(config);\n\n  try {\n    const { civicAuth } = createCivicAuth(request, resolvedConfigs);\n\n    const isLoggedIn = await civicAuth.isLoggedIn();\n\n    if (!isLoggedIn) {\n      return NextResponse.json({ error: \"Not authenticated\" }, { status: 401 });\n    }\n\n    const user = await civicAuth.getUser();\n\n    return NextResponse.json({ user });\n  } catch (error) {\n    logger.error(\"[USER_HANDLER] User endpoint error:\", error);\n    return NextResponse.json(\n      { error: \"Internal server error\" },\n      { status: 500 },\n    );\n  }\n}\n"]}
+{"version":3,"file":"routeHandler.js","sourceRoot":"","sources":["../../src/nextjs/routeHandler.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,SAAS,EAA4B,MAAM,oBAAoB,CAAC;AACzE,OAAO,EAAE,mBAAmB,EAAE,MAAM,gBAAgB,CAAC;AACrD,OAAO,EAAE,OAAO,EAAE,MAAM,iBAAiB,CAAC;AAC1C,OAAO,EAAE,oBAAoB,EAAE,MAAM,gBAAgB,CAAC;AAEtD,OAAO,EAAE,iBAAiB,EAAE,MAAM,oBAAoB,CAAC;AACvD,OAAO,EAAE,gBAAgB,EAAE,mBAAmB,EAAE,MAAM,qBAAqB,CAAC;AAC5E,OAAO,EAAE,YAAY,EAAE,WAAW,EAAE,MAAM,uBAAuB,CAAC;AAClE,OAAO,EAAE,cAAc,EAAE,MAAM,eAAe,CAAC;AAE/C,OAAO,EAAE,YAAY,EAAE,MAAM,gBAAgB,CAAC;AAC9C,OAAO,EAAE,eAAe,EAAE,oBAAoB,EAAE,MAAM,YAAY,CAAC;AAEnE,MAAM,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC;AAE5C,MAAM,SAAU,SAAQ,KAAK;IAGT;IAFlB,YACE,OAAe,EACC,SAAiB,GAAG;QAEpC,KAAK,CAAC,OAAO,CAAC,CAAC;QAFC,WAAM,GAAN,MAAM,CAAc;QAGpC,IAAI,CAAC,IAAI,GAAG,WAAW,CAAC;IAC1B,CAAC;CACF;AAED;;GAEG;AACH,MAAM,qBAAqB,GAAG,CAAC,OAAoB,EAAuB,EAAE,CAAC,CAAC;IAC5E,GAAG,EAAE,OAAO,CAAC,GAAG;IAChB,OAAO,EAAE,MAAM,CAAC,WAAW,CAAC,OAAO,CAAC,OAAO,CAAC,OAAO,EAAE,CAAC;IACtD,YAAY,EAAE;QACZ,GAAG,EAAE,CAAC,IAAY,EAAE,EAAE,CAAC,OAAO,CAAC,OAAO,CAAC,YAAY,CAAC,GAAG,CAAC,IAAI,CAAC;KAC9D;IACD,OAAO,EAAE;QACP,GAAG,EAAE,CAAC,IAAY,EAAE,EAAE,CAAC,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC;KACjD;CACF,CAAC,CAAC;AAEH;;;GAGG;AACH,MAAM,eAAe,GAAG,CAAC,OAAoB,EAAE,MAAkB,EAAE,EAAE;IACnE,MAAM,cAAc,GAAG,iBAAiB,CAAC,MAAM,CAAC,CAAC;IACjD,MAAM,aAAa,GAAG,IAAI,mBAAmB,CAAC;QAC5C,GAAG,cAAc,CAAC,OAAO,EAAE,MAAM;QACjC,CAAC,WAAW,CAAC,IAAI,CAAC,EAAE,cAAc,CAAC,OAAO,EAAE,IAAI;KACjD,CAAC,CAAC;IAEH,+CAA+C;IAC/C,MAAM,mBAAmB,GAAG,qBAAqB,CAAC,OAAO,CAAC,CAAC;IAE3D,kDAAkD;IAClD,MAAM,YAAY,GAAG,SAAS,CAAC,SAAS,CAAC,mBAAmB,CAAC,CAAC;IAE9D,mEAAmE;IACnE,mEAAmE;IACnE,MAAM,MAAM,GACV,cAAc,CAAC,OAAO;QACtB,YAAY;QACZ,IAAI,GAAG,CAAC,mBAAmB,CAAC,GAAG,CAAC,CAAC,MAAM,CAAC;IAE1C,8DAA8D;IAC9D,MAAM,mBAAmB,GAAG,cAAc,CAAC,WAAW,CAAC,UAAU,CAAC,MAAM,CAAC;QACvE,CAAC,CAAC,cAAc,CAAC,WAAW;QAC5B,CAAC,CAAC,SAAS,CAAC,aAAa,CACrB,mBAAmB,EACnB,cAAc,CAAC,WAAW,EAC1B,MAAM,CACP,CAAC;IACN,MAAM,yBAAyB,GAAG,cAAc,CAAC,iBAAiB,CAAC,UAAU,CAC3E,MAAM,CACP;QACC,CAAC,CAAC,cAAc,CAAC,iBAAiB;QAClC,CAAC,CAAC,SAAS,CAAC,aAAa,CACrB,mBAAmB,EACnB,cAAc,CAAC,iBAAiB,EAChC,MAAM,CACP,CAAC;IAEN,MAAM,SAAS,GAAG,IAAI,SAAS,CAAC,aAAa,EAAE;QAC7C,QAAQ,EAAE,cAAc,CAAC,QAAQ;QACjC,WAAW,EAAE,mBAAmB;QAChC,WAAW,EAAE,cAAc,CAAC,WAAW;QACvC,qBAAqB,EAAE,yBAAyB;QAChD,eAAe,EAAE,OAAO,CAAC,GAAG;KAC7B,CAAC,CAAC;IAEH,OAAO;QACL,SAAS;QACT,aAAa;QACb,MAAM,EAAE,2CAA2C;QACnD,mBAAmB,EAAE,6BAA6B;KACnD,CAAC;AACJ,CAAC,CAAC;AAEF;;;GAGG;AACH,KAAK,UAAU,WAAW,CACxB,OAAoB,EACpB,MAAkB;IAElB,MAAM,eAAe,GAAG,iBAAiB,CAAC,MAAM,CAAC,CAAC;IAElD,IAAI,CAAC;QACH,MAAM,aAAa,GAAG,OAAO,CAAC,OAAO,CAAC,YAAY,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;QAEhE,wDAAwD;QACxD,MAAM,eAAe,GAAG,OAAO,CAAC,OAAO,CAAC,YAAY,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;QACnE,IAAI,eAAe,EAAE,CAAC;YACpB,MAAM,aAAa,GAAG,IAAI,mBAAmB,CAC3C,eAAe,CAAC,OAAO,EAAE,MAAM,IAAI,EAAE,CACtC,CAAC;YACF,MAAM,aAAa,CAAC,GAAG,CAAC,YAAY,CAAC,OAAO,EAAE,eAAe,CAAC,CAAC;QACjE,CAAC;QAED,MAAM,EAAE,SAAS,EAAE,GAAG,eAAe,CAAC,OAAO,EAAE,eAAe,CAAC,CAAC;QAEhE,MAAM,GAAG,GAAG,MAAM,SAAS,CAAC,aAAa,CAAC;YACxC,KAAK,EAAE,aAAa,IAAI,SAAS;SAClC,CAAC,CAAC;QAEH,MAAM,CAAC,IAAI,CAAC,gDAAgD,EAAE;YAC5D,QAAQ,EAAE,GAAG,CAAC,QAAQ,EAAE;SACzB,CAAC,CAAC;QAEH,OAAO,YAAY,CAAC,QAAQ,CAAC,GAAG,CAAC,QAAQ,EAAE,CAAC,CAAC;IAC/C,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,MAAM,CAAC,KAAK,CAAC,sCAAsC,EAAE,KAAK,CAAC,CAAC;QAC5D,MAAM,mBAAmB,GAAG,qBAAqB,CAAC,OAAO,CAAC,CAAC;QAC3D,MAAM,MAAM,GAAG,SAAS,CAAC,SAAS,CAAC,mBAAmB,CAAC,CAAC;QACxD,OAAO,YAAY,CAAC,QAAQ,CAC1B,SAAS,CAAC,aAAa,CACrB,mBAAmB,EACnB,sBAAsB,EACtB,MAAM,CACP,CACF,CAAC;IACJ,CAAC;AACH,CAAC;AAED,KAAK,UAAU,aAAa,CAC1B,OAAoB,EACpB,MAAkB;IAElB,MAAM,eAAe,GAAG,iBAAiB,CAAC,MAAM,CAAC,CAAC;IAElD,IAAI,CAAC;QACH,MAAM,EAAE,SAAS,EAAE,GAAG,eAAe,CAAC,OAAO,EAAE,eAAe,CAAC,CAAC;QAEhE,MAAM,SAAS,CAAC,aAAa,EAAE,CAAC;QAEhC,MAAM,CAAC,IAAI,CAAC,iDAAiD,CAAC,CAAC;QAE/D,OAAO,YAAY,CAAC,IAAI,CAAC;YACvB,MAAM,EAAE,SAAS;YACjB,OAAO,EAAE,kBAAkB;SAC5B,CAAC,CAAC;IACL,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,MAAM,CAAC,KAAK,CAAC,wCAAwC,EAAE,KAAK,CAAC,CAAC;QAC9D,OAAO,YAAY,CAAC,IAAI,CACtB,EAAE,KAAK,EAAE,sBAAsB,EAAE,EACjC,EAAE,MAAM,EAAE,GAAG,EAAE,CAChB,CAAC;IACJ,CAAC;AACH,CAAC;AAED,KAAK,UAAU,cAAc,CAC3B,OAAoB,EACpB,MAAkB;IAElB,MAAM,eAAe,GAAG,iBAAiB,CAAC,MAAM,CAAC,CAAC;IAClD,MAAM,IAAI,GAAG,OAAO,CAAC,OAAO,CAAC,YAAY,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;IACtD,MAAM,KAAK,GAAG,OAAO,CAAC,OAAO,CAAC,YAAY,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;IACxD,MAAM,KAAK,GAAG,OAAO,CAAC,OAAO,CAAC,YAAY,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;IAExD,IAAI,KAAK,EAAE,CAAC;QACV,MAAM,CAAC,KAAK,CAAC,0BAA0B,EAAE,KAAK,CAAC,CAAC;QAChD,MAAM,mBAAmB,GAAG,qBAAqB,CAAC,OAAO,CAAC,CAAC;QAC3D,MAAM,MAAM,GAAG,SAAS,CAAC,SAAS,CAAC,mBAAmB,CAAC,CAAC;QACxD,OAAO,YAAY,CAAC,QAAQ,CAC1B,SAAS,CAAC,aAAa,CACrB,mBAAmB,EACnB,qBAAqB,EACrB,MAAM,CACP,CACF,CAAC;IACJ,CAAC;IAED,IAAI,CAAC,IAAI,IAAI,CAAC,KAAK;QAAE,MAAM,IAAI,SAAS,CAAC,gBAAgB,EAAE,GAAG,CAAC,CAAC;IAEhE,IAAI,CAAC;QACH,MAAM,EAAE,SAAS,EAAE,MAAM,EAAE,mBAAmB,EAAE,GAAG,eAAe,CAChE,OAAO,EACP,eAAe,CAChB,CAAC;QAEF,+DAA+D;QAC/D,MAAM,qBAAqB,GAAG;YAC5B,OAAO,EAAE,MAAM,CAAC,WAAW,CAAC,OAAO,CAAC,OAAO,CAAC,OAAO,EAAE,CAAC;YACtD,GAAG,EAAE,OAAO,CAAC,GAAG,CAAC,QAAQ,EAAE;SAC5B,CAAC;QAEF,mDAAmD;QACnD,MAAM,eAAe,GAAG,SAAS,CAAC,kBAAkB,CAClD,mBAAmB,EACnB,MAAM,CACP,CAAC;QACF,MAAM,WAAW,GACf,eAAe,IAAI,eAAe,CAAC,eAAe,IAAI,GAAG,CAAC;QAE5D,yCAAyC;QACzC,MAAM,MAAM,GAAG,MAAM,SAAS,CAAC,cAAc,CAC3C;YACE,IAAI;YACJ,KAAK;YACL,GAAG,EAAE,qBAAqB;SAC3B,EACD;YACE,yCAAyC;YACzC,WAAW,EAAE,eAAe,CAAC,WAAW,EAAE,MAAM,CAAC,QAAQ,IAAI,EAAE,CAAC;SACjE,CACF,CAAC;QAEF,IAAI,MAAM,CAAC,UAAU,EAAE,CAAC;YACtB,OAAO,oBAAoB,CACzB,MAAM,EACN,SAAS,CAAC,aAAa,CAAC,mBAAmB,EAAE,MAAM,CAAC,UAAU,EAAE,MAAM,CAAC,CACxE,CAAC;QACJ,CAAC;QAED,IAAI,MAAM,CAAC,OAAO,EAAE,CAAC;YACnB,gDAAgD;YAChD,IAAI,OAAO,MAAM,CAAC,OAAO,KAAK,QAAQ,EAAE,CAAC;gBACvC,OAAO,IAAI,YAAY,CAAC,MAAM,CAAC,OAAO,EAAE;oBACtC,MAAM,EAAE,GAAG;oBACX,OAAO,EAAE;wBACP,cAAc,EAAE,WAAW;qBAC5B;iBACF,CAAC,CAAC;YACL,CAAC;iBAAM,CAAC;gBACN,iCAAiC;gBACjC,OAAO,YAAY,CAAC,IAAI,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC;YAC3C,CAAC;QACH,CAAC;QAED,oBAAoB;QACpB,OAAO,YAAY,CAAC,QAAQ,CAC1B,SAAS,CAAC,aAAa,CAAC,mBAAmB,EAAE,GAAG,EAAE,MAAM,CAAC,CAC1D,CAAC;IACJ,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,MAAM,CAAC,KAAK,CAAC,0CAA0C,EAAE,KAAK,CAAC,CAAC;QAChE,MAAM,mBAAmB,GAAG,qBAAqB,CAAC,OAAO,CAAC,CAAC;QAC3D,MAAM,MAAM,GAAG,SAAS,CAAC,SAAS,CAAC,mBAAmB,CAAC,CAAC;QACxD,OAAO,YAAY,CAAC,QAAQ,CAC1B,SAAS,CAAC,aAAa,CACrB,mBAAmB,EACnB,yBAAyB,EACzB,MAAM,CACP,CACF,CAAC;IACJ,CAAC;AACH,CAAC;AAED,MAAM,iBAAiB,GAAG,KAAK,EAAE,GAAW,EAAE,EAAE;IAC9C,IAAI,CAAC;QACH,MAAM,IAAI,GAAG,IAAI,GAAG,CAAC,GAAG,CAAC,CAAC,QAAQ,CAAC;QACnC,cAAc,CAAC,IAAI,CAAC,CAAC;IACvB,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,MAAM,CAAC,IAAI,CAAC,yCAAyC,EAAE,KAAK,CAAC,CAAC;IAChE,CAAC;AACH,CAAC,CAAC;AAEF,MAAM,CAAC,KAAK,UAAU,YAAY,CAChC,OAAoB,EACpB,MAAkB;IAElB,MAAM,eAAe,GAAG,iBAAiB,CAAC,MAAM,CAAC,CAAC;IAElD,mDAAmD;IACnD,MAAM,mBAAmB,GAAG,qBAAqB,CAAC,OAAO,CAAC,CAAC;IAC3D,MAAM,MAAM,GAAG,SAAS,CAAC,SAAS,CAAC,mBAAmB,CAAC,CAAC;IAExD,2CAA2C;IAC3C,MAAM,KAAK,GAAG,OAAO,CAAC,OAAO,CAAC,YAAY,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;IACxD,MAAM,uBAAuB,GAC3B,OAAO,CAAC,OAAO,CAAC,YAAY,CAAC,GAAG,CAAC,mBAAmB,CAAC,CAAC;IAExD,IAAI,CAAC;QACH,MAAM,CAAC,IAAI,CAAC,iDAAiD,CAAC,CAAC;QAE/D,8DAA8D;QAC9D,IAAI,WAAW,GAAG,eAAe,CAAC;QAClC,IAAI,uBAAuB,EAAE,CAAC;YAC5B,WAAW,GAAG;gBACZ,GAAG,eAAe;gBAClB,iBAAiB,EAAE,uBAAuB;aAC3C,CAAC;YACF,MAAM,CAAC,IAAI,CAAC,iDAAiD,EAAE;gBAC7D,QAAQ,EAAE,eAAe,CAAC,iBAAiB;gBAC3C,QAAQ,EAAE,uBAAuB;aAClC,CAAC,CAAC;QACL,CAAC;QAED,MAAM,EAAE,SAAS,EAAE,GAAG,eAAe,CAAC,OAAO,EAAE,WAAW,CAAC,CAAC;QAE5D,qDAAqD;QACrD,+EAA+E;QAC/E,MAAM,CAAC,IAAI,CAAC,4CAA4C,EAAE;YACxD,KAAK,EAAE,CAAC,CAAC,KAAK;SACf,CAAC,CAAC;QAEH,8DAA8D;QAC9D,6EAA6E;QAC7E,MAAM,SAAS,GAAG,MAAM,SAAS,CAAC,sBAAsB,CAAC;YACvD,KAAK,EAAE,KAAK,IAAI,SAAS;SAC1B,CAAC,CAAC;QAEH,IAAI,CAAC;YACH,MAAM,gBAAgB,CAAC,eAAe,CAAC,CAAC;YAExC,8EAA8E;YAC9E,MAAM,iBAAiB,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;QACvC,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,MAAM,CAAC,KAAK,CAAC,yCAAyC,EAAE,KAAK,CAAC,CAAC;QACjE,CAAC;QAED,sFAAsF;QACtF,MAAM,cAAc,GAAG,IAAI,GAAG,CAAC,SAAS,CAAC,CAAC;QAC1C,cAAc,CAAC,YAAY,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC;QAE5C,MAAM,CAAC,IAAI,CAAC,uDAAuD,EAAE;YACnE,SAAS,EAAE,cAAc,CAAC,QAAQ,EAAE;SACrC,CAAC,CAAC;QAEH,OAAO,YAAY,CAAC,QAAQ,CAAC,cAAc,CAAC,QAAQ,EAAE,CAAC,CAAC;IAC1D,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,MAAM,CAAC,KAAK,CAAC,gCAAgC,EAAE,KAAK,CAAC,CAAC;QACtD,oEAAoE;QACpE,MAAM,gBAAgB,CAAC,eAAe,CAAC,CAAC;QAExC,MAAM,WAAW,GACf,uBAAuB,IAAI,eAAe,CAAC,iBAAiB,CAAC;QAC/D,MAAM,gBAAgB,GAAG,SAAS,CAAC,aAAa,CAC9C,mBAAmB,EACnB,WAAW,EACX,MAAM,CACP,CAAC;QAEF,OAAO,YAAY,CAAC,QAAQ,CAAC,gBAAgB,CAAC,CAAC;IACjD,CAAC;AACH,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,oBAAoB,CACxC,OAAoB,EACpB,MAAkB;IAElB,MAAM,eAAe,GAAG,iBAAiB,CAAC,MAAM,CAAC,CAAC;IAElD,IAAI,CAAC;QACH,MAAM,CAAC,IAAI,CACT,mEAAmE,CACpE,CAAC;QAEF,+BAA+B;QAC/B,MAAM,gBAAgB,CAAC,eAAe,CAAC,CAAC;QAExC,+DAA+D;QAC/D,MAAM,mBAAmB,GAAG,qBAAqB,CAAC,OAAO,CAAC,CAAC;QAC3D,MAAM,EAAE,SAAS,EAAE,GAAG,eAAe,CAAC,OAAO,EAAE,eAAe,CAAC,CAAC;QAEhE,+CAA+C;QAC/C,MAAM,KAAK,GAAG,OAAO,CAAC,OAAO,CAAC,YAAY,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;QAExD,uEAAuE;QACvE,IAAI,KAAK,IAAI,oBAAoB,CAAC,KAAK,EAAE,QAAQ,CAAC,KAAK,QAAQ,EAAE,CAAC;YAChE,oEAAoE;YACpE,MAAM,qBAAqB,GACzB,SAAS,CAAC,wBAAwB,CAAC,mBAAmB,CAAC,CAAC;YAC1D,MAAM,QAAQ,GAAG,IAAI,YAAY,CAC/B,8CAA8C,mBAAmB,YAAY,qBAAqB,gEAAgE,CACnK,CAAC;YACF,QAAQ,CAAC,OAAO,CAAC,GAAG,CAAC,cAAc,EAAE,0BAA0B,CAAC,CAAC;YACjE,MAAM,CAAC,IAAI,CACT,gEAAgE,EAChE,EAAE,qBAAqB,EAAE,CAC1B,CAAC;YACF,OAAO,QAAQ,CAAC;QAClB,CAAC;QAED,kFAAkF;QAClF,MAAM,WAAW,GAAG,SAAS,CAAC,wBAAwB,CAAC,mBAAmB,CAAC,CAAC;QAC5E,MAAM,CAAC,IAAI,CACT,8DAA8D,EAC9D;YACE,iBAAiB,EAAE,eAAe,CAAC,iBAAiB;YACpD,WAAW;SACZ,CACF,CAAC;QAEF,mFAAmF;QACnF,MAAM,iBAAiB,CAAC,WAAW,CAAC,CAAC;QACrC,OAAO,oBAAoB,CAAC,MAAM,EAAE,WAAW,CAAC,CAAC;IACnD,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,MAAM,CAAC,KAAK,CAAC,kDAAkD,EAAE,KAAK,CAAC,CAAC;QACxE,MAAM,mBAAmB,GAAG,qBAAqB,CAAC,OAAO,CAAC,CAAC;QAC3D,MAAM,MAAM,GAAG,SAAS,CAAC,SAAS,CAAC,mBAAmB,CAAC,CAAC;QACxD,OAAO,oBAAoB,CACzB,MAAM,EACN,SAAS,CAAC,aAAa,CACrB,mBAAmB,EACnB,eAAe,CAAC,iBAAiB,EACjC,MAAM,CACP,CACF,CAAC;IACJ,CAAC;AACH,CAAC;AAED;;;;;;;;;;;;;;GAcG;AACH,MAAM,CAAC,MAAM,OAAO,GAClB,CAAC,UAAU,GAAG,EAAE,EAAE,EAAE,CACpB,KAAK,EAAE,OAAoB,EAAyB,EAAE;IACpD,MAAM,MAAM,GAAG,iBAAiB,CAAC,UAAU,CAAC,CAAC;IAE7C,IAAI,CAAC;QACH,MAAM,QAAQ,GAAG,OAAO,CAAC,OAAO,CAAC,QAAQ,CAAC;QAC1C,MAAM,YAAY,GAAG,QAAQ,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;QACzC,MAAM,WAAW,GAAG,YAAY,CAAC,YAAY,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC;QAE1D,QAAQ,WAAW,EAAE,CAAC;YACpB,KAAK,WAAW,CAAC;YACjB,KAAK,OAAO;gBACV,OAAO,MAAM,WAAW,CAAC,OAAO,EAAE,MAAM,CAAC,CAAC;YAC5C,KAAK,UAAU;gBACb,OAAO,MAAM,cAAc,CAAC,OAAO,EAAE,MAAM,CAAC,CAAC;YAC/C,KAAK,SAAS;gBACZ,OAAO,MAAM,aAAa,CAAC,OAAO,EAAE,MAAM,CAAC,CAAC;YAC9C,KAAK,QAAQ;gBACX,OAAO,MAAM,YAAY,CAAC,OAAO,EAAE,MAAM,CAAC,CAAC;YAC7C,KAAK,gBAAgB;gBACnB,OAAO,MAAM,oBAAoB,CAAC,OAAO,EAAE,MAAM,CAAC,CAAC;YACrD,KAAK,MAAM;gBACT,OAAO,MAAM,UAAU,CAAC,OAAO,EAAE,MAAM,CAAC,CAAC;YAC3C;gBACE,MAAM,IAAI,SAAS,CAAC,uBAAuB,QAAQ,EAAE,EAAE,GAAG,CAAC,CAAC;QAChE,CAAC;IACH,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,MAAM,CAAC,KAAK,CAAC,qBAAqB,EAAE,KAAK,CAAC,CAAC;QAE3C,MAAM,MAAM,GAAG,KAAK,YAAY,SAAS,CAAC,CAAC,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC,GAAG,CAAC;QAC/D,MAAM,OAAO,GACX,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,uBAAuB,CAAC;QAEnE,MAAM,QAAQ,GAAG,YAAY,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,OAAO,EAAE,EAAE,EAAE,MAAM,EAAE,CAAC,CAAC;QAEnE,MAAM,gBAAgB,CAAC,MAAM,CAAC,CAAC;QAC/B,OAAO,QAAQ,CAAC;IAClB,CAAC;AACH,CAAC,CAAC;AAEJ;;;GAGG;AACH,KAAK,UAAU,UAAU,CACvB,OAAoB,EACpB,MAAkB;IAElB,MAAM,eAAe,GAAG,iBAAiB,CAAC,MAAM,CAAC,CAAC;IAElD,IAAI,CAAC;QACH,MAAM,EAAE,SAAS,EAAE,GAAG,eAAe,CAAC,OAAO,EAAE,eAAe,CAAC,CAAC;QAEhE,MAAM,UAAU,GAAG,MAAM,SAAS,CAAC,UAAU,EAAE,CAAC;QAEhD,IAAI,CAAC,UAAU,EAAE,CAAC;YAChB,MAAM,UAAU,GAAG,OAAO,CAAC,OAAO,CAAC,YAAY,CAAC,GAAG,CACjD,uBAAuB,CACxB;gBACC,CAAC,CAAC,GAAG;gBACL,CAAC,CAAC,GAAG,CAAC;YACR,OAAO,YAAY,CAAC,IAAI,CACtB,EAAE,KAAK,EAAE,mBAAmB,EAAE,EAC9B,EAAE,MAAM,EAAE,UAAU,EAAE,CACvB,CAAC;QACJ,CAAC;QAED,MAAM,IAAI,GAAG,MAAM,SAAS,CAAC,OAAO,EAAE,CAAC;QAEvC,OAAO,YAAY,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,CAAC,CAAC;IACrC,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,MAAM,CAAC,KAAK,CAAC,qCAAqC,EAAE,KAAK,CAAC,CAAC;QAC3D,OAAO,YAAY,CAAC,IAAI,CACtB,EAAE,KAAK,EAAE,uBAAuB,EAAE,EAClC,EAAE,MAAM,EAAE,GAAG,EAAE,CAChB,CAAC;IACJ,CAAC;AACH,CAAC","sourcesContent":["import { CivicAuth, type UrlDetectionRequest } from \"@civic/auth/server\";\nimport { LOGOUT_SUCCESS_TEXT } from \"@/constants.js\";\nimport { loggers } from \"@/lib/logger.js\";\nimport { displayModeFromState } from \"@/lib/oauth.js\";\nimport type { AuthConfig } from \"@/nextjs/config.js\";\nimport { resolveAuthConfig } from \"@/nextjs/config.js\";\nimport { clearAuthCookies, NextjsCookieStorage } from \"@/nextjs/cookies.js\";\nimport { CodeVerifier, UserStorage } from \"@/shared/lib/types.js\";\nimport { revalidatePath } from \"next/cache.js\";\nimport type { NextRequest } from \"next/server.js\";\nimport { NextResponse } from \"next/server.js\";\nimport { prependBasePath, redirectWithBasePath } from \"./utils.js\";\n\nconst logger = loggers.nextjs.handlers.auth;\n\nclass AuthError extends Error {\n  constructor(\n    message: string,\n    public readonly status: number = 401,\n  ) {\n    super(message);\n    this.name = \"AuthError\";\n  }\n}\n\n/**\n * Helper to convert NextRequest to UrlDetectionRequest for framework-agnostic URL handling\n */\nconst toUrlDetectionRequest = (request: NextRequest): UrlDetectionRequest => ({\n  url: request.url,\n  headers: Object.fromEntries(request.headers.entries()),\n  searchParams: {\n    get: (name: string) => request.nextUrl.searchParams.get(name),\n  },\n  cookies: {\n    get: (name: string) => request.cookies.get(name),\n  },\n});\n\n/**\n * Helper to create CivicAuth instance for a request\n * Now handles appUrl detection for proxy environments\n */\nconst createCivicAuth = (request: NextRequest, config: AuthConfig) => {\n  const resolvedConfig = resolveAuthConfig(config);\n  const cookieStorage = new NextjsCookieStorage({\n    ...resolvedConfig.cookies?.tokens,\n    [UserStorage.USER]: resolvedConfig.cookies?.user,\n  });\n\n  // Convert to framework-agnostic request format\n  const urlDetectionRequest = toUrlDetectionRequest(request);\n\n  // Get appUrl from client (for proxy environments)\n  const clientAppUrl = CivicAuth.getAppUrl(urlDetectionRequest);\n\n  // Use baseUrl from config, then client appUrl, then request origin\n  // This matches the main branch priority: config > client > request\n  const appUrl =\n    resolvedConfig.baseUrl ||\n    clientAppUrl ||\n    new URL(urlDetectionRequest.url).origin;\n\n  // Build absolute URLs using detected appUrl or request origin\n  const absoluteCallbackUrl = resolvedConfig.callbackUrl.startsWith(\"http\")\n    ? resolvedConfig.callbackUrl\n    : CivicAuth.toAbsoluteUrl(\n        urlDetectionRequest,\n        resolvedConfig.callbackUrl,\n        appUrl,\n      );\n  const absoluteLogoutCallbackUrl = resolvedConfig.logoutCallbackUrl.startsWith(\n    \"http\",\n  )\n    ? resolvedConfig.logoutCallbackUrl\n    : CivicAuth.toAbsoluteUrl(\n        urlDetectionRequest,\n        resolvedConfig.logoutCallbackUrl,\n        appUrl,\n      );\n\n  const civicAuth = new CivicAuth(cookieStorage, {\n    clientId: resolvedConfig.clientId,\n    redirectUrl: absoluteCallbackUrl,\n    oauthServer: resolvedConfig.oauthServer,\n    postLogoutRedirectUrl: absoluteLogoutCallbackUrl,\n    loginSuccessUrl: request.url,\n  });\n\n  return {\n    civicAuth,\n    cookieStorage,\n    appUrl, // Return appUrl for use in other functions\n    urlDetectionRequest, // Return for use in handlers\n  };\n};\n\n/**\n * Login handler - backend OAuth login initiation endpoint\n * Uses CivicAuth.buildLoginUrl()\n */\nasync function handleLogin(\n  request: NextRequest,\n  config: AuthConfig,\n): Promise<NextResponse> {\n  const resolvedConfigs = resolveAuthConfig(config);\n\n  try {\n    const frontendState = request.nextUrl.searchParams.get(\"state\");\n\n    // Store appUrl in cookie if provided as query parameter\n    const appUrlFromQuery = request.nextUrl.searchParams.get(\"appUrl\");\n    if (appUrlFromQuery) {\n      const cookieStorage = new NextjsCookieStorage(\n        resolvedConfigs.cookies?.tokens ?? {},\n      );\n      await cookieStorage.set(CodeVerifier.APP_URL, appUrlFromQuery);\n    }\n\n    const { civicAuth } = createCivicAuth(request, resolvedConfigs);\n\n    const url = await civicAuth.buildLoginUrl({\n      state: frontendState || undefined,\n    });\n\n    logger.info(\"[LOGIN_HANDLER] Redirecting to OAuth login URL\", {\n      loginUrl: url.toString(),\n    });\n\n    return NextResponse.redirect(url.toString());\n  } catch (error) {\n    logger.error(\"[LOGIN_HANDLER] Backend login error:\", error);\n    const urlDetectionRequest = toUrlDetectionRequest(request);\n    const appUrl = CivicAuth.getAppUrl(urlDetectionRequest);\n    return NextResponse.redirect(\n      CivicAuth.toAbsoluteUrl(\n        urlDetectionRequest,\n        \"/?error=login_failed\",\n        appUrl,\n      ),\n    );\n  }\n}\n\nasync function handleRefresh(\n  request: NextRequest,\n  config: AuthConfig,\n): Promise<NextResponse> {\n  const resolvedConfigs = resolveAuthConfig(config);\n\n  try {\n    const { civicAuth } = createCivicAuth(request, resolvedConfigs);\n\n    await civicAuth.refreshTokens();\n\n    logger.info(\"[REFRESH_HANDLER] Tokens refreshed successfully\");\n\n    return NextResponse.json({\n      status: \"success\",\n      message: \"Tokens refreshed\",\n    });\n  } catch (error) {\n    logger.error(\"[REFRESH_HANDLER] Token refresh error:\", error);\n    return NextResponse.json(\n      { error: \"Token refresh failed\" },\n      { status: 500 },\n    );\n  }\n}\n\nasync function handleCallback(\n  request: NextRequest,\n  config: AuthConfig,\n): Promise<NextResponse> {\n  const resolvedConfigs = resolveAuthConfig(config);\n  const code = request.nextUrl.searchParams.get(\"code\");\n  const state = request.nextUrl.searchParams.get(\"state\");\n  const error = request.nextUrl.searchParams.get(\"error\");\n\n  if (error) {\n    logger.error(\"OAuth error in callback:\", error);\n    const urlDetectionRequest = toUrlDetectionRequest(request);\n    const appUrl = CivicAuth.getAppUrl(urlDetectionRequest);\n    return NextResponse.redirect(\n      CivicAuth.toAbsoluteUrl(\n        urlDetectionRequest,\n        \"/?error=oauth_error\",\n        appUrl,\n      ),\n    );\n  }\n\n  if (!code || !state) throw new AuthError(\"Bad parameters\", 400);\n\n  try {\n    const { civicAuth, appUrl, urlDetectionRequest } = createCivicAuth(\n      request,\n      resolvedConfigs,\n    );\n\n    // Convert NextRequest to the format expected by handleCallback\n    const handleCallbackRequest = {\n      headers: Object.fromEntries(request.headers.entries()),\n      url: request.url.toString(),\n    };\n\n    // Get loginSuccessUrl with proper baseUrl handling\n    const loginSuccessUrl = CivicAuth.getLoginSuccessUrl(\n      urlDetectionRequest,\n      appUrl,\n    );\n    const frontendUrl =\n      loginSuccessUrl || resolvedConfigs.loginSuccessUrl || \"/\";\n\n    // Use CivicAuth's smart callback handler\n    const result = await civicAuth.handleCallback(\n      {\n        code,\n        state,\n        req: handleCallbackRequest,\n      },\n      {\n        // Pass the properly resolved frontendUrl\n        frontendUrl: prependBasePath(frontendUrl, config.basePath || \"\"),\n      },\n    );\n\n    if (result.redirectTo) {\n      return redirectWithBasePath(\n        config,\n        CivicAuth.toAbsoluteUrl(urlDetectionRequest, result.redirectTo, appUrl),\n      );\n    }\n\n    if (result.content) {\n      // Handle both string content and object content\n      if (typeof result.content === \"string\") {\n        return new NextResponse(result.content, {\n          status: 200,\n          headers: {\n            \"Content-Type\": \"text/html\",\n          },\n        });\n      } else {\n        // Object content (JSON response)\n        return NextResponse.json(result.content);\n      }\n    }\n\n    // Fallback redirect\n    return NextResponse.redirect(\n      CivicAuth.toAbsoluteUrl(urlDetectionRequest, \"/\", appUrl),\n    );\n  } catch (error) {\n    logger.error(\"[CALLBACK_HANDLER] OAuth callback error:\", error);\n    const urlDetectionRequest = toUrlDetectionRequest(request);\n    const appUrl = CivicAuth.getAppUrl(urlDetectionRequest);\n    return NextResponse.redirect(\n      CivicAuth.toAbsoluteUrl(\n        urlDetectionRequest,\n        \"/?error=callback_failed\",\n        appUrl,\n      ),\n    );\n  }\n}\n\nconst revalidateUrlPath = async (url: string) => {\n  try {\n    const path = new URL(url).pathname;\n    revalidatePath(path);\n  } catch (error) {\n    logger.warn(\"Failed to revalidate path after logout:\", error);\n  }\n};\n\nexport async function handleLogout(\n  request: NextRequest,\n  config: AuthConfig,\n): Promise<NextResponse> {\n  const resolvedConfigs = resolveAuthConfig(config);\n\n  // Get framework-agnostic request for URL utilities\n  const urlDetectionRequest = toUrlDetectionRequest(request);\n  const appUrl = CivicAuth.getAppUrl(urlDetectionRequest);\n\n  // Read the state from the query parameters\n  const state = request.nextUrl.searchParams.get(\"state\");\n  const clientLogoutRedirectUrl =\n    request.nextUrl.searchParams.get(\"logoutRedirectUrl\");\n\n  try {\n    logger.info(\"[LOGOUT_HANDLER] Backend logout endpoint called\");\n\n    // If client provided a logoutRedirectUrl, override the config\n    let configToUse = resolvedConfigs;\n    if (clientLogoutRedirectUrl) {\n      configToUse = {\n        ...resolvedConfigs,\n        logoutCallbackUrl: clientLogoutRedirectUrl,\n      };\n      logger.info(\"[LOGOUT_HANDLER] Overriding logout callback URL\", {\n        original: resolvedConfigs.logoutCallbackUrl,\n        override: clientLogoutRedirectUrl,\n      });\n    }\n\n    const { civicAuth } = createCivicAuth(request, configToUse);\n\n    // Always redirect to OAuth logout (like main branch)\n    // Don't validate session - even invalid local sessions should hit OAuth logout\n    logger.info(\"[LOGOUT_HANDLER] Processing logout request\", {\n      state: !!state,\n    });\n\n    // Always redirect to OAuth logout endpoint (like main branch)\n    // Client-side iframe logic will handle completion and redirect appropriately\n    const logoutUrl = await civicAuth.buildLogoutRedirectUrl({\n      state: state || undefined,\n    });\n\n    try {\n      await clearAuthCookies(resolvedConfigs);\n\n      // Revalidate current path to update authentication state in server components\n      await revalidateUrlPath(request.url);\n    } catch (error) {\n      logger.error(\"[LOGOUT_HANDLER] Error clearing tokens:\", error);\n    }\n\n    // Remove state parameter from logout URL to prevent it from appearing in frontend URL\n    const cleanLogoutUrl = new URL(logoutUrl);\n    cleanLogoutUrl.searchParams.delete(\"state\");\n\n    logger.info(\"[LOGOUT_HANDLER] Redirecting to OAuth logout endpoint\", {\n      logoutUrl: cleanLogoutUrl.toString(),\n    });\n\n    return NextResponse.redirect(cleanLogoutUrl.toString());\n  } catch (error) {\n    logger.error(\"[LOGOUT_HANDLER] Logout error:\", error);\n    // If logout URL generation fails, clear tokens and redirect to home\n    await clearAuthCookies(resolvedConfigs);\n\n    const fallbackUrl =\n      clientLogoutRedirectUrl || resolvedConfigs.logoutCallbackUrl;\n    const finalFallbackUrl = CivicAuth.toAbsoluteUrl(\n      urlDetectionRequest,\n      fallbackUrl,\n      appUrl,\n    );\n\n    return NextResponse.redirect(finalFallbackUrl);\n  }\n}\n\nexport async function handleLogoutCallback(\n  request: NextRequest,\n  config: AuthConfig,\n): Promise<NextResponse> {\n  const resolvedConfigs = resolveAuthConfig(config);\n\n  try {\n    logger.info(\n      \"[LOGOUT_CALLBACK_HANDLER] Backend logout callback endpoint called\",\n    );\n\n    // Clear authentication cookies\n    await clearAuthCookies(resolvedConfigs);\n\n    // Get framework-agnostic request and create CivicAuth instance\n    const urlDetectionRequest = toUrlDetectionRequest(request);\n    const { civicAuth } = createCivicAuth(request, resolvedConfigs);\n\n    // Get the state parameter for iframe detection\n    const state = request.nextUrl.searchParams.get(\"state\");\n\n    // If this is an iframe request, return HTML with logout success signal\n    if (state && displayModeFromState(state, \"iframe\") === \"iframe\") {\n      // For iframe mode, include the post-logout redirect URL in the HTML\n      const postLogoutRedirectUrl =\n        civicAuth.getPostLogoutRedirectUrl(urlDetectionRequest);\n      const response = new NextResponse(\n        `<html lang=\"en\"><span style=\"display:none\">${LOGOUT_SUCCESS_TEXT}<a href=\"${postLogoutRedirectUrl}\" rel=\"civic-auth-post-logout-redirect-url\"></a></span></html>`,\n      );\n      response.headers.set(\"Content-Type\", \"text/html; charset=utf-8\");\n      logger.info(\n        \"[LOGOUT_CALLBACK_HANDLER] Returning iframe logout success HTML\",\n        { postLogoutRedirectUrl },\n      );\n      return response;\n    }\n\n    // For non-iframe requests, redirect to the logout callback URL or post-logout URL\n    const redirectUrl = civicAuth.getPostLogoutRedirectUrl(urlDetectionRequest);\n    logger.info(\n      \"[LOGOUT_CALLBACK_HANDLER] Redirecting to logout callback URL\",\n      {\n        logoutCallbackUrl: resolvedConfigs.logoutCallbackUrl,\n        redirectUrl,\n      },\n    );\n\n    // Revalidate the redirect path to update authentication state in server components\n    await revalidateUrlPath(redirectUrl);\n    return redirectWithBasePath(config, redirectUrl);\n  } catch (error) {\n    logger.error(\"[LOGOUT_CALLBACK_HANDLER] Logout callback error:\", error);\n    const urlDetectionRequest = toUrlDetectionRequest(request);\n    const appUrl = CivicAuth.getAppUrl(urlDetectionRequest);\n    return redirectWithBasePath(\n      config,\n      CivicAuth.toAbsoluteUrl(\n        urlDetectionRequest,\n        resolvedConfigs.logoutCallbackUrl,\n        appUrl,\n      ),\n    );\n  }\n}\n\n/**\n * Creates an authentication handler for Next.js API routes\n *\n * Usage:\n * ```ts\n * // app/api/auth/[...civicauth]/route.ts\n * import { handler } from '@civic/auth/nextjs'\n * export const GET = handler({\n *   // optional config overrides\n * })\n * export const POST = handler({\n *   // optional config overrides\n * })\n * ```\n */\nexport const handler =\n  (authConfig = {}) =>\n  async (request: NextRequest): Promise<NextResponse> => {\n    const config = resolveAuthConfig(authConfig);\n\n    try {\n      const pathname = request.nextUrl.pathname;\n      const pathSegments = pathname.split(\"/\");\n      const lastSegment = pathSegments[pathSegments.length - 1];\n\n      switch (lastSegment) {\n        case \"challenge\":\n        case \"login\":\n          return await handleLogin(request, config);\n        case \"callback\":\n          return await handleCallback(request, config);\n        case \"refresh\":\n          return await handleRefresh(request, config);\n        case \"logout\":\n          return await handleLogout(request, config);\n        case \"logoutcallback\":\n          return await handleLogoutCallback(request, config);\n        case \"user\":\n          return await handleUser(request, config);\n        default:\n          throw new AuthError(`Invalid auth route: ${pathname}`, 404);\n      }\n    } catch (error) {\n      logger.error(\"Auth handler error:\", error);\n\n      const status = error instanceof AuthError ? error.status : 500;\n      const message =\n        error instanceof Error ? error.message : \"Authentication failed\";\n\n      const response = NextResponse.json({ error: message }, { status });\n\n      await clearAuthCookies(config);\n      return response;\n    }\n  };\n\n/**\n * User endpoint - returns current user data as JSON\n * Uses CivicAuth.isLoggedIn() and getUser()\n */\nasync function handleUser(\n  request: NextRequest,\n  config: AuthConfig,\n): Promise<NextResponse> {\n  const resolvedConfigs = resolveAuthConfig(config);\n\n  try {\n    const { civicAuth } = createCivicAuth(request, resolvedConfigs);\n\n    const isLoggedIn = await civicAuth.isLoggedIn();\n\n    if (!isLoggedIn) {\n      const statusCode = request.nextUrl.searchParams.get(\n        \"optimisticRehydration\",\n      )\n        ? 202\n        : 401;\n      return NextResponse.json(\n        { error: \"Not authenticated\" },\n        { status: statusCode },\n      );\n    }\n\n    const user = await civicAuth.getUser();\n\n    return NextResponse.json({ user });\n  } catch (error) {\n    logger.error(\"[USER_HANDLER] User endpoint error:\", error);\n    return NextResponse.json(\n      { error: \"Internal server error\" },\n      { status: 500 },\n    );\n  }\n}\n"]}

package/dist/nextjs/utils.d.ts

@@ -1,21 +1,36 @@
-import type { AuthConfigWithDefaults } from "../nextjs/config.js";
+import { type AuthConfig, type AuthConfigWithDefaults } from "../nextjs/config.js";
 import type { NextRequest } from "next/server.js";
 import { NextResponse } from "next/server.js";
 import type { SessionData } from "../types.js";
+import { type CookieConfig, type KeySetter } from "../shared/lib/types.js";
+import { CookieStorage } from "../server/index.js";
 export declare const resolveCallbackUrl: (config: AuthConfigWithDefaults, baseUrl?: string) => string;
 export declare function sanitizeBasePath(path: string): string;
+/**
+ * Removes the basePath prefix from a pathname, properly handling edge cases
+ * This is the inverse operation of adding basePath to a URL
+ */
+export declare function removeBasePathFromPath(pathname: string, basePath?: string): string;
 /**
  * Determines if we should attempt token refresh based on session state
  */
 export declare const shouldAttemptRefresh: (session: SessionData) => boolean;
 /**
- * Creates a redirect response to the refresh endpoint
+ * Checks if the current path is a system URL that should skip auth
  */
-export declare const createRefreshResponse: (request: NextRequest, authConfig: AuthConfigWithDefaults) => NextResponse | null;
+export declare const shouldSkipAuthForSystemUrls: (pathname: string, authConfig: AuthConfigWithDefaults) => boolean;
 /**
- * Checks if the current path is a system URL that should skip auth
+ * CookieStorage implementation for NextJS middleware context that works with NextRequest
  */
-export declare const shouldSkipAuthForSystemUrls: (pathname: string, authConfig: AuthConfigWithDefaults, method: string) => boolean;
+export declare class NextjsMiddlewareCookieStorage extends CookieStorage {
+    config: Partial<Record<KeySetter, CookieConfig>>;
+    private request;
+    private response;
+    constructor(config: Partial<Record<KeySetter, CookieConfig>> | undefined, request: NextRequest, response: NextResponse);
+    get(key: string): Promise<string | null>;
+    set(key: string, value: string, cookieConfigOverride: CookieConfig): Promise<void>;
+    delete(key: string): Promise<void>;
+}
 /**
  * Handles authentication logic specifically for the login URL
  * Provides logging for login URL access patterns
@@ -25,8 +40,17 @@ export declare const handleLoginUrl: (pathname: string, session: SessionData, au
  * Checks if the current path should skip auth based on include/exclude patterns
  */
 export declare const shouldSkipAuthForRoutePatterns: (pathname: string, authConfig: AuthConfigWithDefaults) => boolean;
+export declare const copyCivicCookies: (sourceResponse: NextResponse, targetCall: NextResponse | NextRequest) => void;
 /**
  * Handles final authentication logic for unauthenticated users on protected routes
  */
-export declare const handleUnauthenticatedUser: (session: SessionData, request: NextRequest, authConfig: AuthConfigWithDefaults) => NextResponse;
+export declare const handleUnauthenticatedUser: (session: SessionData, request: NextRequest, response: NextResponse, storage: NextjsMiddlewareCookieStorage, authConfig: AuthConfigWithDefaults) => Promise<NextResponse | undefined>;
+/**
+ * Prepends the basePath onto a given URL if it's not already there. Works for both relative and absolute URLs.
+ * @param url
+ * @param basePath
+ * @returns
+ */
+export declare const prependBasePath: (url: string, basePath: string) => string;
+export declare const redirectWithBasePath: (config: AuthConfig, targetUrl: string) => NextResponse;
 //# sourceMappingURL=utils.d.ts.map

package/dist/nextjs/utils.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"utils.d.ts","sourceRoot":"","sources":["../../src/nextjs/utils.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,sBAAsB,EAAE,MAAM,oBAAoB,CAAC;AACjE,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,gBAAgB,CAAC;AAClD,OAAO,EAAE,YAAY,EAAE,MAAM,gBAAgB,CAAC;AAC9C,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,YAAY,CAAC;AAM9C,eAAO,MAAM,kBAAkB,WACrB,sBAAsB,YACpB,MAAM,KACf,MAGF,CAAC;AAEF,wBAAgB,gBAAgB,CAAC,IAAI,EAAE,MAAM,GAAG,MAAM,CAQrD;AA+BD;;GAEG;AACH,eAAO,MAAM,oBAAoB,YAAa,WAAW,KAAG,OAE3D,CAAC;AAEF;;GAEG;AACH,eAAO,MAAM,qBAAqB,YACvB,WAAW,cACR,sBAAsB,KACjC,YAAY,GAAG,IAmBjB,CAAC;AAEF;;GAEG;AACH,eAAO,MAAM,2BAA2B,aAC5B,MAAM,cACJ,sBAAsB,UAC1B,MAAM,KACb,OAkBF,CAAC;AAEF;;;GAGG;AACH,eAAO,MAAM,cAAc,aACf,MAAM,WACP,WAAW,cACR,sBAAsB,KACjC,IAWF,CAAC;AAEF;;GAEG;AACH,eAAO,MAAM,8BAA8B,aAC/B,MAAM,cACJ,sBAAsB,KACjC,OAiBF,CAAC;AAEF;;GAEG;AACH,eAAO,MAAM,yBAAyB,YAC3B,WAAW,WACX,WAAW,cACR,sBAAsB,KACjC,YA2BF,CAAC"}
+{"version":3,"file":"utils.d.ts","sourceRoot":"","sources":["../../src/nextjs/utils.ts"],"names":[],"mappings":"AAAA,OAAO,EAEL,KAAK,UAAU,EACf,KAAK,sBAAsB,EAC5B,MAAM,oBAAoB,CAAC;AAC5B,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,gBAAgB,CAAC;AAClD,OAAO,EAAE,YAAY,EAAE,MAAM,gBAAgB,CAAC;AAC9C,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,YAAY,CAAC;AAG9C,OAAO,EAIL,KAAK,YAAY,EACjB,KAAK,SAAS,EACf,MAAM,uBAAuB,CAAC;AAE/B,OAAO,EAAE,aAAa,EAAE,MAAM,mBAAmB,CAAC;AAKlD,eAAO,MAAM,kBAAkB,WACrB,sBAAsB,YACpB,MAAM,KACf,MAGF,CAAC;AAEF,wBAAgB,gBAAgB,CAAC,IAAI,EAAE,MAAM,GAAG,MAAM,CAQrD;AAED;;;GAGG;AACH,wBAAgB,sBAAsB,CACpC,QAAQ,EAAE,MAAM,EAChB,QAAQ,CAAC,EAAE,MAAM,GAChB,MAAM,CAoBR;AA+BD;;GAEG;AACH,eAAO,MAAM,oBAAoB,YAAa,WAAW,KAAG,OAE3D,CAAC;AAEF;;GAEG;AACH,eAAO,MAAM,2BAA2B,aAC5B,MAAM,cACJ,sBAAsB,KACjC,OAmBF,CAAC;AAEF;;GAEG;AACH,qBAAa,6BAA8B,SAAQ,aAAa;IAErD,MAAM,EAAE,OAAO,CAAC,MAAM,CAAC,SAAS,EAAE,YAAY,CAAC,CAAC;IACvD,OAAO,CAAC,OAAO;IACf,OAAO,CAAC,QAAQ;gBAFT,MAAM,EAAE,OAAO,CAAC,MAAM,CAAC,SAAS,EAAE,YAAY,CAAC,CAAC,YAAK,EACpD,OAAO,EAAE,WAAW,EACpB,QAAQ,EAAE,YAAY;IAQ1B,GAAG,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC;IAwBxC,GAAG,CACP,GAAG,EAAE,MAAM,EACX,KAAK,EAAE,MAAM,EACb,oBAAoB,EAAE,YAAY,GACjC,OAAO,CAAC,IAAI,CAAC;IAkBV,MAAM,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;CAczC;AAED;;;GAGG;AACH,eAAO,MAAM,cAAc,aACf,MAAM,WACP,WAAW,cACR,sBAAsB,KACjC,IAWF,CAAC;AAEF;;GAEG;AACH,eAAO,MAAM,8BAA8B,aAC/B,MAAM,cACJ,sBAAsB,KACjC,OAiBF,CAAC;AAEF,eAAO,MAAM,gBAAgB,mBACX,YAAY,cAChB,YAAY,GAAG,WAAW,SAoBvC,CAAC;AACF;;GAEG;AACH,eAAO,MAAM,yBAAyB,YAC3B,WAAW,WACX,WAAW,YACV,YAAY,WACb,6BAA6B,cAC1B,sBAAsB,KACjC,OAAO,CAAC,YAAY,GAAG,SAAS,CA8BlC,CAAC;AAEF;;;;;GAKG;AACH,eAAO,MAAM,eAAe,QAAS,MAAM,YAAY,MAAM,WAiB5D,CAAC;AAEF,eAAO,MAAM,oBAAoB,WACvB,UAAU,aACP,MAAM,KAChB,YACuE,CAAC"}

package/dist/nextjs/utils.js

@@ -1,6 +1,11 @@
+import { systemUrlsConfig, } from "../nextjs/config.js";
 import { NextResponse } from "next/server.js";
 import { loggers } from "../lib/logger.js";
 import picomatch from "picomatch";
+import { CodeVerifier, OAuthTokenTypes, UserStorage, } from "../shared/lib/types.js";
+import { clearTokens, getCookieConfiguration } from "../shared/lib/util.js";
+import { CookieStorage } from "../server/index.js";
+import { extractCookieFromRawHeader } from "../shared/lib/cookieUtils.js";
 const logger = loggers.nextjs.middleware;
 export const resolveCallbackUrl = (config, baseUrl) => {
     const callbackUrl = new URL(config?.callbackUrl, baseUrl).toString();
@@ -14,6 +19,29 @@ export function sanitizeBasePath(path) {
     // Remove all trailing slashes (not just one)
     return withLeadingSlash.replace(/\/+$/, "");
 }
+/**
+ * Removes the basePath prefix from a pathname, properly handling edge cases
+ * This is the inverse operation of adding basePath to a URL
+ */
+export function removeBasePathFromPath(pathname, basePath) {
+    if (!basePath || basePath === "" || basePath === "/") {
+        return pathname;
+    }
+    // Sanitize the basePath to ensure consistent format
+    const sanitizedBasePath = sanitizeBasePath(basePath);
+    // Check if pathname starts with the basePath followed by a slash or end of string
+    // This prevents partial matches like "/app" matching "/application"
+    if (pathname === sanitizedBasePath) {
+        // Exact match - return root
+        return "/";
+    }
+    else if (pathname.startsWith(sanitizedBasePath + "/")) {
+        // basePath followed by slash - remove basePath but keep the slash
+        return pathname.slice(sanitizedBasePath.length);
+    }
+    // If basePath doesn't match as a complete path segment, return pathname as-is
+    return pathname;
+}
 const getOriginUrl = (request, authConfig) => {
     // Use configured baseUrl if provided (for reverse proxy scenarios)
     if (authConfig.baseUrl) {
@@ -42,37 +70,88 @@ const matchesGlobs = (pathname, patterns) => patterns.some((pattern) => {
 export const shouldAttemptRefresh = (session) => {
     return !session.authenticated && !!session.refreshToken;
 };
-/**
- * Creates a redirect response to the refresh endpoint
- */
-export const createRefreshResponse = (request, authConfig) => {
-    const targetUrl = getOriginUrl(request, authConfig) + request.nextUrl.pathname;
-    // Check if we're already in a redirect flow
-    if (request.nextUrl.searchParams.has("targetUrl")) {
-        return null;
-    }
-    // Create refresh redirect
-    const refreshUrl = new URL(authConfig.refreshUrl, getOriginUrl(request, authConfig));
-    refreshUrl.searchParams.set("targetUrl", targetUrl);
-    logger.debug("→ Refresh token found - redirecting to refresh endpoint");
-    return NextResponse.redirect(refreshUrl.toString());
-};
 /**
  * Checks if the current path is a system URL that should skip auth
  */
-export const shouldSkipAuthForSystemUrls = (pathname, authConfig, method) => {
-    const systemUrls = [
-        authConfig.callbackUrl,
-        authConfig.challengeUrl,
-        authConfig.logoutCallbackUrl,
-        authConfig.logoutUrl,
-    ];
-    const isSystemUrl = systemUrls.includes(pathname) && method === "GET";
+export const shouldSkipAuthForSystemUrls = (pathname, authConfig) => {
+    // make an array of all system URLs from authConfig using the systemUrlsConfig keys
+    const systemUrls = Object.keys(systemUrlsConfig).map((key) => authConfig[key]);
+    // check if any of the urls in systemUrls has a substring match with pathname
+    // the systemUrl could have a basePath, i.e. /dashboard/api/auth/callback, whereas the pathname will not
+    // therefore we check if the systemUrl includes the pathname
+    const isSystemUrl = systemUrls.some((url) => url && url.includes(pathname));
+    logger.debug("→ isSystemUrl check", { pathname, isSystemUrl, systemUrls });
     if (isSystemUrl) {
         logger.debug("→ Skipping auth check - this a URL defined in authConfig", pathname);
     }
     return isSystemUrl;
 };
+/**
+ * CookieStorage implementation for NextJS middleware context that works with NextRequest
+ */
+export class NextjsMiddlewareCookieStorage extends CookieStorage {
+    config;
+    request;
+    response;
+    constructor(config = {}, request, response) {
+        super({
+            secure: true,
+            httpOnly: true,
+        });
+        this.config = config;
+        this.request = request;
+        this.response = response;
+    }
+    async get(key) {
+        // First try to get cookies from the response if it has already been set
+        const cookieValue = this.response.cookies.get(key)?.value;
+        if (cookieValue) {
+            return cookieValue;
+        }
+        const cookieSettings = this.config?.[key] || {};
+        const configuredPath = cookieSettings.path;
+        // If we have a non-root basePath, use raw header parsing to get the first cookie
+        // which should be from the most specific path, avoiding duplicate cookie conflicts
+        if (configuredPath && configuredPath !== "/") {
+            const cookieHeader = this.request.headers.get("cookie");
+            const rawValue = extractCookieFromRawHeader(cookieHeader, key);
+            if (rawValue) {
+                return rawValue;
+            }
+        }
+        // Fallback to standard Next.js request cookies
+        return this.request.cookies.get(key)?.value || null;
+    }
+    async set(key, value, cookieConfigOverride) {
+        const cookieSettings = this.config?.[key] || {
+            ...this.settings,
+        };
+        const dynamicConfig = getCookieConfiguration(this.request);
+        const useCookieSettings = {
+            ...cookieSettings,
+            ...cookieConfigOverride,
+            // Apply dynamic configuration for secure and sameSite
+            secure: dynamicConfig.secure,
+            sameSite: dynamicConfig.sameSite,
+        };
+        // Respect the httpOnly setting from configuration instead of hardcoding it
+        this.response.cookies.set(key, value, useCookieSettings);
+    }
+    async delete(key) {
+        // Get cookie configuration for this key to respect the path setting
+        const cookieSettings = this.config?.[key] || {};
+        // If we have a path configured, use it when deleting the cookie
+        if (cookieSettings.path) {
+            this.response.cookies.set(key, "", {
+                expires: new Date(0), // Expire in the past
+                path: cookieSettings.path,
+            });
+        }
+        else {
+            this.response.cookies.delete(key);
+        }
+    }
+}
 /**
  * Handles authentication logic specifically for the login URL
  * Provides logging for login URL access patterns
@@ -105,22 +184,67 @@ export const shouldSkipAuthForRoutePatterns = (pathname, authConfig) => {
     }
     return false;
 };
+export const copyCivicCookies = (sourceResponse, targetCall) => {
+    const civicCookieNames = [
+        ...Object.values(OAuthTokenTypes),
+        ...Object.values(UserStorage),
+        ...Object.values(CodeVerifier),
+    ];
+    logger.debug("Copying Civic cookies:", {
+        src: sourceResponse.url,
+        target: targetCall.url,
+    });
+    sourceResponse?.cookies
+        .getAll()
+        .filter((cookie) => civicCookieNames.includes(cookie.name))
+        .forEach((cookie) => {
+        logger.debug("Setting middlewareResponse cookie:", cookie);
+        targetCall.cookies.set(cookie);
+    });
+};
 /**
  * Handles final authentication logic for unauthenticated users on protected routes
  */
-export const handleUnauthenticatedUser = (session, request, authConfig) => {
-    const targetUrl = getOriginUrl(request, authConfig) + request.nextUrl.pathname;
-    // Clear expired/invalid tokens if they exist without refresh token
-    if (session.accessToken || session.idToken) {
-        const clearBadTokensUrl = new URL(authConfig.logoutCallbackUrl, getOriginUrl(request, authConfig));
-        clearBadTokensUrl.searchParams.set("targetUrl", targetUrl);
-        logger.debug(`→ Invalid tokens found without refresh - clearing via "${clearBadTokensUrl}"`);
-        return NextResponse.redirect(clearBadTokensUrl.toString());
-    }
-    // Final fallback: redirect to login
+export const handleUnauthenticatedUser = async (session, request, response, storage, authConfig) => {
+    // Clear expired/invalid tokens if they exist
+    if (session.accessToken || session.idToken || session.refreshToken) {
+        logger.debug(`→ Clearing expired/invalid tokens`);
+        await clearTokens(storage);
+    }
+    // Final fallback: redirect to login unless we're already there.
     const loginUrl = new URL(authConfig.loginUrl, getOriginUrl(request, authConfig));
     const redirectUrl = `${loginUrl.toString()}`;
-    logger.debug(`→ No valid tokens found - redirecting to login "${redirectUrl}"`);
-    return NextResponse.redirect(redirectUrl);
+    const loginPathWithoutBasePath = removeBasePathFromPath(loginUrl.pathname, authConfig.basePath);
+    // If we're already at the login URL, the middleware will just return undefined.
+    // This is to prevent an infinite redirect loop if middleware is applied to the login route itself.
+    // The loginUrl from getOriginUrl already includes the basePath, but request.nextUrl.pathname does not. So we strip it off to enable comparison.
+    if (request.nextUrl.pathname !== loginPathWithoutBasePath) {
+        logger.debug(`→ No valid tokens found - redirecting to login "${redirectUrl}"`);
+        const redirectedResponse = redirectWithBasePath(authConfig, redirectUrl);
+        return redirectedResponse;
+    }
+    return response;
+};
+/**
+ * Prepends the basePath onto a given URL if it's not already there. Works for both relative and absolute URLs.
+ * @param url
+ * @param basePath
+ * @returns
+ */
+export const prependBasePath = (url, basePath) => {
+    basePath = "/" + basePath.replace(/^\/|\/$/g, ""); // normalize basePath
+    const isAbsolute = /^https?:\/\//.test(url);
+    if (isAbsolute) {
+        const u = new URL(url);
+        if (!u.pathname.startsWith(basePath)) {
+            u.pathname =
+                basePath + (u.pathname.startsWith("/") ? "" : "/") + u.pathname;
+        }
+        return u.toString();
+    }
+    return url.startsWith(basePath)
+        ? url
+        : basePath + (url.startsWith("/") ? "" : "/") + url;
 };
+export const redirectWithBasePath = (config, targetUrl) => NextResponse.redirect(prependBasePath(targetUrl, config.basePath || ""));
 //# sourceMappingURL=utils.js.map