@civic/auth 0.10.0-beta.6 → 0.10.0-beta.8

package/CHANGELOG.md

@@ -4,6 +4,9 @@
 - increase SDK wrapper width to 360px
 - Fix bug where basePath was not honored when redirecting back from the refresh endpoint, as well as in the loginSuccessUrl.
 - Fix redirect loop if page was loaded with no cookies set and middleware enabled.
+- Refactor NextJS middleware to use direct session rehydration and setting of response cookies rather than redirect
+- Add POST method documentation to routeHandler
+- Fix auto-redirect behaviour in browsers that don't support popups (like safari)
 
 # 0.9.5
 

package/README.md

@@ -329,6 +329,7 @@ Create this file at the following path:
 import { handler } from '@civic/auth/nextjs'
 
 export const GET = handler()
+export const POST = handler()
 ```
 
 These steps apply to the [App Router](https://nextjs.org/docs/app). If you are using the Pages Router, please [contact us](https://discord.com/invite/MWmhXauJw8/?referrer=home-discord) for integration steps.

package/dist/browser/storage.d.ts

@@ -3,6 +3,7 @@ import { EventEmitter } from "eventemitter3";
 export declare class LocalStorageAdapter implements AuthStorage {
     static _emitter: EventEmitter;
     static get emitter(): EventEmitter;
+    getSync(key: string): string | null;
     get(key: string): Promise<string>;
     set(key: string, value: string): Promise<void>;
     delete(key: string): Promise<void>;

package/dist/browser/storage.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"storage.d.ts","sourceRoot":"","sources":["../../src/browser/storage.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,YAAY,CAAC;AAC9C,OAAO,EAAE,YAAY,EAAE,MAAM,eAAe,CAAC;AAE7C,qBAAa,mBAAoB,YAAW,WAAW;IACrD,MAAM,CAAC,QAAQ,EAAE,YAAY,CAAC;IAC9B,MAAM,KAAK,OAAO,IAAI,YAAY,CAKjC;IAEK,GAAG,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC;IAIjC,GAAG,CAAC,GAAG,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAI9C,MAAM,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;CAGzC"}
+{"version":3,"file":"storage.d.ts","sourceRoot":"","sources":["../../src/browser/storage.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,YAAY,CAAC;AAC9C,OAAO,EAAE,YAAY,EAAE,MAAM,eAAe,CAAC;AAE7C,qBAAa,mBAAoB,YAAW,WAAW;IACrD,MAAM,CAAC,QAAQ,EAAE,YAAY,CAAC;IAC9B,MAAM,KAAK,OAAO,IAAI,YAAY,CAKjC;IAED,OAAO,CAAC,GAAG,EAAE,MAAM,GAAG,MAAM,GAAG,IAAI;IAI7B,GAAG,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC;IAIjC,GAAG,CAAC,GAAG,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAI9C,MAAM,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;CAGzC"}

package/dist/browser/storage.js

@@ -7,6 +7,9 @@ export class LocalStorageAdapter {
         }
         return LocalStorageAdapter._emitter;
     }
+    getSync(key) {
+        return localStorage.getItem(key);
+    }
     async get(key) {
         return Promise.resolve(localStorage.getItem(key) || "");
     }

package/dist/browser/storage.js.map

@@ -1 +1 @@
-{"version":3,"file":"storage.js","sourceRoot":"","sources":["../../src/browser/storage.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,YAAY,EAAE,MAAM,eAAe,CAAC;AAE7C,MAAM,OAAO,mBAAmB;IAC9B,MAAM,CAAC,QAAQ,CAAe;IAC9B,MAAM,KAAK,OAAO;QAChB,IAAI,CAAC,mBAAmB,CAAC,QAAQ,EAAE,CAAC;YAClC,mBAAmB,CAAC,QAAQ,GAAG,IAAI,YAAY,EAAE,CAAC;QACpD,CAAC;QACD,OAAO,mBAAmB,CAAC,QAAQ,CAAC;IACtC,CAAC;IAED,KAAK,CAAC,GAAG,CAAC,GAAW;QACnB,OAAO,OAAO,CAAC,OAAO,CAAC,YAAY,CAAC,OAAO,CAAC,GAAG,CAAC,IAAI,EAAE,CAAC,CAAC;IAC1D,CAAC;IAED,KAAK,CAAC,GAAG,CAAC,GAAW,EAAE,KAAa;QAClC,YAAY,CAAC,OAAO,CAAC,GAAG,EAAE,KAAK,CAAC,CAAC;IACnC,CAAC;IAED,KAAK,CAAC,MAAM,CAAC,GAAW;QACtB,YAAY,CAAC,UAAU,CAAC,GAAG,CAAC,CAAC;IAC/B,CAAC;CACF","sourcesContent":["import type { AuthStorage } from \"@/types.js\";\nimport { EventEmitter } from \"eventemitter3\";\n\nexport class LocalStorageAdapter implements AuthStorage {\n  static _emitter: EventEmitter;\n  static get emitter(): EventEmitter {\n    if (!LocalStorageAdapter._emitter) {\n      LocalStorageAdapter._emitter = new EventEmitter();\n    }\n    return LocalStorageAdapter._emitter;\n  }\n\n  async get(key: string): Promise<string> {\n    return Promise.resolve(localStorage.getItem(key) || \"\");\n  }\n\n  async set(key: string, value: string): Promise<void> {\n    localStorage.setItem(key, value);\n  }\n\n  async delete(key: string): Promise<void> {\n    localStorage.removeItem(key);\n  }\n}\n"]}
+{"version":3,"file":"storage.js","sourceRoot":"","sources":["../../src/browser/storage.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,YAAY,EAAE,MAAM,eAAe,CAAC;AAE7C,MAAM,OAAO,mBAAmB;IAC9B,MAAM,CAAC,QAAQ,CAAe;IAC9B,MAAM,KAAK,OAAO;QAChB,IAAI,CAAC,mBAAmB,CAAC,QAAQ,EAAE,CAAC;YAClC,mBAAmB,CAAC,QAAQ,GAAG,IAAI,YAAY,EAAE,CAAC;QACpD,CAAC;QACD,OAAO,mBAAmB,CAAC,QAAQ,CAAC;IACtC,CAAC;IAED,OAAO,CAAC,GAAW;QACjB,OAAO,YAAY,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;IACnC,CAAC;IAED,KAAK,CAAC,GAAG,CAAC,GAAW;QACnB,OAAO,OAAO,CAAC,OAAO,CAAC,YAAY,CAAC,OAAO,CAAC,GAAG,CAAC,IAAI,EAAE,CAAC,CAAC;IAC1D,CAAC;IAED,KAAK,CAAC,GAAG,CAAC,GAAW,EAAE,KAAa;QAClC,YAAY,CAAC,OAAO,CAAC,GAAG,EAAE,KAAK,CAAC,CAAC;IACnC,CAAC;IAED,KAAK,CAAC,MAAM,CAAC,GAAW;QACtB,YAAY,CAAC,UAAU,CAAC,GAAG,CAAC,CAAC;IAC/B,CAAC;CACF","sourcesContent":["import type { AuthStorage } from \"@/types.js\";\nimport { EventEmitter } from \"eventemitter3\";\n\nexport class LocalStorageAdapter implements AuthStorage {\n  static _emitter: EventEmitter;\n  static get emitter(): EventEmitter {\n    if (!LocalStorageAdapter._emitter) {\n      LocalStorageAdapter._emitter = new EventEmitter();\n    }\n    return LocalStorageAdapter._emitter;\n  }\n\n  getSync(key: string): string | null {\n    return localStorage.getItem(key);\n  }\n\n  async get(key: string): Promise<string> {\n    return Promise.resolve(localStorage.getItem(key) || \"\");\n  }\n\n  async set(key: string, value: string): Promise<void> {\n    localStorage.setItem(key, value);\n  }\n\n  async delete(key: string): Promise<void> {\n    localStorage.removeItem(key);\n  }\n}\n"]}

package/dist/lib/logger.d.ts

@@ -12,6 +12,7 @@ export declare const loggers: {
         readonly handlers: {
             readonly auth: Logger;
         };
+        readonly actions: Logger;
     };
     readonly react: {
         readonly components: Logger;

package/dist/lib/logger.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"logger.d.ts","sourceRoot":"","sources":["../../src/lib/logger.ts"],"names":[],"mappings":"AAIA,MAAM,WAAW,MAAM;IACrB,KAAK,CAAC,OAAO,EAAE,MAAM,EAAE,GAAG,IAAI,EAAE,OAAO,EAAE,GAAG,IAAI,CAAC;IACjD,IAAI,CAAC,OAAO,EAAE,MAAM,EAAE,GAAG,IAAI,EAAE,OAAO,EAAE,GAAG,IAAI,CAAC;IAChD,IAAI,CAAC,OAAO,EAAE,MAAM,EAAE,GAAG,IAAI,EAAE,OAAO,EAAE,GAAG,IAAI,CAAC;IAChD,KAAK,CAAC,OAAO,EAAE,MAAM,EAAE,GAAG,IAAI,EAAE,OAAO,EAAE,GAAG,IAAI,CAAC;CAClD;AAsCD,eAAO,MAAM,YAAY,cAAe,MAAM,KAAG,MACrB,CAAC;AAG7B,eAAO,MAAM,OAAO;;;;;;;;;;;;;;;;;;;;;;;CA2BV,CAAC"}
+{"version":3,"file":"logger.d.ts","sourceRoot":"","sources":["../../src/lib/logger.ts"],"names":[],"mappings":"AAIA,MAAM,WAAW,MAAM;IACrB,KAAK,CAAC,OAAO,EAAE,MAAM,EAAE,GAAG,IAAI,EAAE,OAAO,EAAE,GAAG,IAAI,CAAC;IACjD,IAAI,CAAC,OAAO,EAAE,MAAM,EAAE,GAAG,IAAI,EAAE,OAAO,EAAE,GAAG,IAAI,CAAC;IAChD,IAAI,CAAC,OAAO,EAAE,MAAM,EAAE,GAAG,IAAI,EAAE,OAAO,EAAE,GAAG,IAAI,CAAC;IAChD,KAAK,CAAC,OAAO,EAAE,MAAM,EAAE,GAAG,IAAI,EAAE,OAAO,EAAE,GAAG,IAAI,CAAC;CAClD;AAsCD,eAAO,MAAM,YAAY,cAAe,MAAM,KAAG,MACrB,CAAC;AAG7B,eAAO,MAAM,OAAO;;;;;;;;;;;;;;;;;;;;;;;;CA4BV,CAAC"}

package/dist/lib/logger.js

@@ -39,6 +39,7 @@ export const loggers = {
         handlers: {
             auth: createLogger("api:handlers:auth"),
         },
+        actions: createLogger("api:actions"),
     },
     // React specific loggers
     react: {

package/dist/lib/logger.js.map

@@ -1 +1 @@
-{"version":3,"file":"logger.js","sourceRoot":"","sources":["../../src/lib/logger.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,MAAM,OAAO,CAAC;AAE1B,MAAM,YAAY,GAAG,aAAa,CAAC;AASnC,MAAM,WAAW;IACP,WAAW,CAAiB;IAC5B,UAAU,CAAiB;IAC3B,UAAU,CAAiB;IAC3B,WAAW,CAAiB;IAEpC,YAAY,SAAiB;QAC3B,+CAA+C;QAC/C,IAAI,CAAC,WAAW,GAAG,KAAK,CAAC,GAAG,YAAY,IAAI,SAAS,QAAQ,CAAC,CAAC;QAC/D,IAAI,CAAC,UAAU,GAAG,KAAK,CAAC,GAAG,YAAY,IAAI,SAAS,OAAO,CAAC,CAAC;QAC7D,IAAI,CAAC,UAAU,GAAG,KAAK,CAAC,GAAG,YAAY,IAAI,SAAS,OAAO,CAAC,CAAC;QAC7D,IAAI,CAAC,WAAW,GAAG,KAAK,CAAC,GAAG,YAAY,IAAI,SAAS,QAAQ,CAAC,CAAC;QAE/D,IAAI,CAAC,WAAW,CAAC,KAAK,GAAG,GAAG,CAAC;QAC7B,IAAI,CAAC,UAAU,CAAC,KAAK,GAAG,GAAG,CAAC;QAC5B,IAAI,CAAC,UAAU,CAAC,KAAK,GAAG,GAAG,CAAC;QAC5B,IAAI,CAAC,WAAW,CAAC,KAAK,GAAG,GAAG,CAAC;IAC/B,CAAC;IAED,KAAK,CAAC,OAAe,EAAE,GAAG,IAAe;QACvC,IAAI,CAAC,WAAW,CAAC,OAAO,EAAE,GAAG,IAAI,CAAC,CAAC;IACrC,CAAC;IAED,IAAI,CAAC,OAAe,EAAE,GAAG,IAAe;QACtC,IAAI,CAAC,UAAU,CAAC,OAAO,EAAE,GAAG,IAAI,CAAC,CAAC;IACpC,CAAC;IAED,IAAI,CAAC,OAAe,EAAE,GAAG,IAAe;QACtC,IAAI,CAAC,UAAU,CAAC,OAAO,EAAE,GAAG,IAAI,CAAC,CAAC;IACpC,CAAC;IAED,KAAK,CAAC,OAAe,EAAE,GAAG,IAAe;QACvC,IAAI,CAAC,WAAW,CAAC,OAAO,EAAE,GAAG,IAAI,CAAC,CAAC;IACrC,CAAC;CACF;AAED,MAAM,CAAC,MAAM,YAAY,GAAG,CAAC,SAAiB,EAAU,EAAE,CACxD,IAAI,WAAW,CAAC,SAAS,CAAC,CAAC;AAE7B,4DAA4D;AAC5D,MAAM,CAAC,MAAM,OAAO,GAAG;IACrB,2BAA2B;IAC3B,MAAM,EAAE;QACN,MAAM,EAAE,YAAY,CAAC,YAAY,CAAC;QAClC,UAAU,EAAE,YAAY,CAAC,gBAAgB,CAAC;QAC1C,QAAQ,EAAE;YACR,IAAI,EAAE,YAAY,CAAC,mBAAmB,CAAC;SACxC;KACF;IACD,yBAAyB;IACzB,KAAK,EAAE;QACL,UAAU,EAAE,YAAY,CAAC,kBAAkB,CAAC;QAC5C,KAAK,EAAE,YAAY,CAAC,aAAa,CAAC;QAClC,OAAO,EAAE,YAAY,CAAC,eAAe,CAAC;KACvC;IACD,gCAAgC;IAChC,WAAW,EAAE;QACX,MAAM,EAAE,YAAY,CAAC,qBAAqB,CAAC;QAC3C,QAAQ,EAAE;YACR,IAAI,EAAE,YAAY,CAAC,4BAA4B,CAAC;SACjD;KACF;IACD,2BAA2B;IAC3B,QAAQ,EAAE;QACR,UAAU,EAAE,YAAY,CAAC,kBAAkB,CAAC;QAC5C,OAAO,EAAE,YAAY,CAAC,eAAe,CAAC;KACvC;CACO,CAAC","sourcesContent":["import debug from \"debug\";\n\nconst PACKAGE_NAME = \"@civic/auth\";\n\nexport interface Logger {\n  debug(message: string, ...args: unknown[]): void;\n  info(message: string, ...args: unknown[]): void;\n  warn(message: string, ...args: unknown[]): void;\n  error(message: string, ...args: unknown[]): void;\n}\n\nclass DebugLogger implements Logger {\n  private debugLogger: debug.Debugger;\n  private infoLogger: debug.Debugger;\n  private warnLogger: debug.Debugger;\n  private errorLogger: debug.Debugger;\n\n  constructor(namespace: string) {\n    // Format: @org/package:library:component:level\n    this.debugLogger = debug(`${PACKAGE_NAME}:${namespace}:debug`);\n    this.infoLogger = debug(`${PACKAGE_NAME}:${namespace}:info`);\n    this.warnLogger = debug(`${PACKAGE_NAME}:${namespace}:warn`);\n    this.errorLogger = debug(`${PACKAGE_NAME}:${namespace}:error`);\n\n    this.debugLogger.color = \"4\";\n    this.infoLogger.color = \"2\";\n    this.warnLogger.color = \"3\";\n    this.errorLogger.color = \"1\";\n  }\n\n  debug(message: string, ...args: unknown[]): void {\n    this.debugLogger(message, ...args);\n  }\n\n  info(message: string, ...args: unknown[]): void {\n    this.infoLogger(message, ...args);\n  }\n\n  warn(message: string, ...args: unknown[]): void {\n    this.warnLogger(message, ...args);\n  }\n\n  error(message: string, ...args: unknown[]): void {\n    this.errorLogger(message, ...args);\n  }\n}\n\nexport const createLogger = (namespace: string): Logger =>\n  new DebugLogger(namespace);\n\n// Pre-configured loggers for different parts of the package\nexport const loggers = {\n  // Next.js specific loggers\n  nextjs: {\n    routes: createLogger(\"api:routes\"),\n    middleware: createLogger(\"api:middleware\"),\n    handlers: {\n      auth: createLogger(\"api:handlers:auth\"),\n    },\n  },\n  // React specific loggers\n  react: {\n    components: createLogger(\"react:components\"),\n    hooks: createLogger(\"react:hooks\"),\n    context: createLogger(\"react:context\"),\n  },\n  // React Router specific loggers\n  reactRouter: {\n    routes: createLogger(\"react-router:routes\"),\n    handlers: {\n      auth: createLogger(\"react-router:handlers:auth\"),\n    },\n  },\n  // Shared utilities loggers\n  services: {\n    validation: createLogger(\"utils:validation\"),\n    network: createLogger(\"utils:network\"),\n  },\n} as const;\n"]}
+{"version":3,"file":"logger.js","sourceRoot":"","sources":["../../src/lib/logger.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,MAAM,OAAO,CAAC;AAE1B,MAAM,YAAY,GAAG,aAAa,CAAC;AASnC,MAAM,WAAW;IACP,WAAW,CAAiB;IAC5B,UAAU,CAAiB;IAC3B,UAAU,CAAiB;IAC3B,WAAW,CAAiB;IAEpC,YAAY,SAAiB;QAC3B,+CAA+C;QAC/C,IAAI,CAAC,WAAW,GAAG,KAAK,CAAC,GAAG,YAAY,IAAI,SAAS,QAAQ,CAAC,CAAC;QAC/D,IAAI,CAAC,UAAU,GAAG,KAAK,CAAC,GAAG,YAAY,IAAI,SAAS,OAAO,CAAC,CAAC;QAC7D,IAAI,CAAC,UAAU,GAAG,KAAK,CAAC,GAAG,YAAY,IAAI,SAAS,OAAO,CAAC,CAAC;QAC7D,IAAI,CAAC,WAAW,GAAG,KAAK,CAAC,GAAG,YAAY,IAAI,SAAS,QAAQ,CAAC,CAAC;QAE/D,IAAI,CAAC,WAAW,CAAC,KAAK,GAAG,GAAG,CAAC;QAC7B,IAAI,CAAC,UAAU,CAAC,KAAK,GAAG,GAAG,CAAC;QAC5B,IAAI,CAAC,UAAU,CAAC,KAAK,GAAG,GAAG,CAAC;QAC5B,IAAI,CAAC,WAAW,CAAC,KAAK,GAAG,GAAG,CAAC;IAC/B,CAAC;IAED,KAAK,CAAC,OAAe,EAAE,GAAG,IAAe;QACvC,IAAI,CAAC,WAAW,CAAC,OAAO,EAAE,GAAG,IAAI,CAAC,CAAC;IACrC,CAAC;IAED,IAAI,CAAC,OAAe,EAAE,GAAG,IAAe;QACtC,IAAI,CAAC,UAAU,CAAC,OAAO,EAAE,GAAG,IAAI,CAAC,CAAC;IACpC,CAAC;IAED,IAAI,CAAC,OAAe,EAAE,GAAG,IAAe;QACtC,IAAI,CAAC,UAAU,CAAC,OAAO,EAAE,GAAG,IAAI,CAAC,CAAC;IACpC,CAAC;IAED,KAAK,CAAC,OAAe,EAAE,GAAG,IAAe;QACvC,IAAI,CAAC,WAAW,CAAC,OAAO,EAAE,GAAG,IAAI,CAAC,CAAC;IACrC,CAAC;CACF;AAED,MAAM,CAAC,MAAM,YAAY,GAAG,CAAC,SAAiB,EAAU,EAAE,CACxD,IAAI,WAAW,CAAC,SAAS,CAAC,CAAC;AAE7B,4DAA4D;AAC5D,MAAM,CAAC,MAAM,OAAO,GAAG;IACrB,2BAA2B;IAC3B,MAAM,EAAE;QACN,MAAM,EAAE,YAAY,CAAC,YAAY,CAAC;QAClC,UAAU,EAAE,YAAY,CAAC,gBAAgB,CAAC;QAC1C,QAAQ,EAAE;YACR,IAAI,EAAE,YAAY,CAAC,mBAAmB,CAAC;SACxC;QACD,OAAO,EAAE,YAAY,CAAC,aAAa,CAAC;KACrC;IACD,yBAAyB;IACzB,KAAK,EAAE;QACL,UAAU,EAAE,YAAY,CAAC,kBAAkB,CAAC;QAC5C,KAAK,EAAE,YAAY,CAAC,aAAa,CAAC;QAClC,OAAO,EAAE,YAAY,CAAC,eAAe,CAAC;KACvC;IACD,gCAAgC;IAChC,WAAW,EAAE;QACX,MAAM,EAAE,YAAY,CAAC,qBAAqB,CAAC;QAC3C,QAAQ,EAAE;YACR,IAAI,EAAE,YAAY,CAAC,4BAA4B,CAAC;SACjD;KACF;IACD,2BAA2B;IAC3B,QAAQ,EAAE;QACR,UAAU,EAAE,YAAY,CAAC,kBAAkB,CAAC;QAC5C,OAAO,EAAE,YAAY,CAAC,eAAe,CAAC;KACvC;CACO,CAAC","sourcesContent":["import debug from \"debug\";\n\nconst PACKAGE_NAME = \"@civic/auth\";\n\nexport interface Logger {\n  debug(message: string, ...args: unknown[]): void;\n  info(message: string, ...args: unknown[]): void;\n  warn(message: string, ...args: unknown[]): void;\n  error(message: string, ...args: unknown[]): void;\n}\n\nclass DebugLogger implements Logger {\n  private debugLogger: debug.Debugger;\n  private infoLogger: debug.Debugger;\n  private warnLogger: debug.Debugger;\n  private errorLogger: debug.Debugger;\n\n  constructor(namespace: string) {\n    // Format: @org/package:library:component:level\n    this.debugLogger = debug(`${PACKAGE_NAME}:${namespace}:debug`);\n    this.infoLogger = debug(`${PACKAGE_NAME}:${namespace}:info`);\n    this.warnLogger = debug(`${PACKAGE_NAME}:${namespace}:warn`);\n    this.errorLogger = debug(`${PACKAGE_NAME}:${namespace}:error`);\n\n    this.debugLogger.color = \"4\";\n    this.infoLogger.color = \"2\";\n    this.warnLogger.color = \"3\";\n    this.errorLogger.color = \"1\";\n  }\n\n  debug(message: string, ...args: unknown[]): void {\n    this.debugLogger(message, ...args);\n  }\n\n  info(message: string, ...args: unknown[]): void {\n    this.infoLogger(message, ...args);\n  }\n\n  warn(message: string, ...args: unknown[]): void {\n    this.warnLogger(message, ...args);\n  }\n\n  error(message: string, ...args: unknown[]): void {\n    this.errorLogger(message, ...args);\n  }\n}\n\nexport const createLogger = (namespace: string): Logger =>\n  new DebugLogger(namespace);\n\n// Pre-configured loggers for different parts of the package\nexport const loggers = {\n  // Next.js specific loggers\n  nextjs: {\n    routes: createLogger(\"api:routes\"),\n    middleware: createLogger(\"api:middleware\"),\n    handlers: {\n      auth: createLogger(\"api:handlers:auth\"),\n    },\n    actions: createLogger(\"api:actions\"),\n  },\n  // React specific loggers\n  react: {\n    components: createLogger(\"react:components\"),\n    hooks: createLogger(\"react:hooks\"),\n    context: createLogger(\"react:context\"),\n  },\n  // React Router specific loggers\n  reactRouter: {\n    routes: createLogger(\"react-router:routes\"),\n    handlers: {\n      auth: createLogger(\"react-router:handlers:auth\"),\n    },\n  },\n  // Shared utilities loggers\n  services: {\n    validation: createLogger(\"utils:validation\"),\n    network: createLogger(\"utils:network\"),\n  },\n} as const;\n"]}

package/dist/nextjs/hooks/useInitialAuthConfig.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"useInitialAuthConfig.d.ts","sourceRoot":"","sources":["../../../src/nextjs/hooks/useInitialAuthConfig.ts"],"names":[],"mappings":"AASA,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,qCAAqC,CAAC;AAC5E,OAAO,KAAK,EAAE,oBAAoB,EAAE,MAAM,qCAAqC,CAAC;AAChF,OAAO,KAAK,EAAE,IAAI,EAAE,UAAU,EAAE,MAAM,YAAY,CAAC;AAGnD,MAAM,WAAW,2BAA2B;IAC1C,WAAW,CAAC,EAAE,oBAAoB,CAAC;IACnC,UAAU,CAAC,EAAE,UAAU,CAAC;IACxB,UAAU,CAAC,EAAE,IAAI,GAAG,IAAI,CAAC;IACzB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,sBAAsB,CAAC,EAAE,WAAW,GAAG,MAAM,CAAC;IAC9C,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,eAAe,CAAC,EAAE,MAAM,CAAC;IACzB,WAAW,CAAC,EAAE,CAAC,GAAG,EAAE,MAAM,EAAE,MAAM,CAAC,EAAE,MAAM,KAAK,IAAI,CAAC;CACtD;AAED,MAAM,WAAW,6BAA6B;IAC5C,WAAW,CAAC,EAAE,oBAAoB,CAAC;IACnC,UAAU,CAAC,EAAE,UAAU,CAAC;IACxB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,iBAAiB,CAAC,EAAE,MAAM,CAAC;IAC3B,sBAAsB,CAAC,EAAE,MAAM,CAAC;CACjC;AAED;;;GAGG;AACH,eAAO,MAAM,oBAAoB,aACtB,2BAA2B,KACnC;IACD,aAAa,EAAE,gBAAgB,CAAC;IAChC,yBAAyB,EAAE,CACzB,SAAS,CAAC,EAAE,6BAA6B,KACtC,gBAAgB,CAAC;IACtB,SAAS,EAAE,MAAM,CAAC;CAsHnB,CAAC"}
+{"version":3,"file":"useInitialAuthConfig.d.ts","sourceRoot":"","sources":["../../../src/nextjs/hooks/useInitialAuthConfig.ts"],"names":[],"mappings":"AASA,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,qCAAqC,CAAC;AAC5E,OAAO,KAAK,EAAE,oBAAoB,EAAE,MAAM,qCAAqC,CAAC;AAChF,OAAO,KAAK,EAAE,IAAI,EAAE,UAAU,EAAE,MAAM,YAAY,CAAC;AAInD,MAAM,WAAW,2BAA2B;IAC1C,WAAW,CAAC,EAAE,oBAAoB,CAAC;IACnC,UAAU,CAAC,EAAE,UAAU,CAAC;IACxB,UAAU,CAAC,EAAE,IAAI,GAAG,IAAI,CAAC;IACzB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,sBAAsB,CAAC,EAAE,WAAW,GAAG,MAAM,CAAC;IAC9C,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,eAAe,CAAC,EAAE,MAAM,CAAC;IACzB,WAAW,CAAC,EAAE,CAAC,GAAG,EAAE,MAAM,EAAE,MAAM,CAAC,EAAE,MAAM,KAAK,IAAI,CAAC;CACtD;AAED,MAAM,WAAW,6BAA6B;IAC5C,WAAW,CAAC,EAAE,oBAAoB,CAAC;IACnC,UAAU,CAAC,EAAE,UAAU,CAAC;IACxB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,iBAAiB,CAAC,EAAE,MAAM,CAAC;IAC3B,sBAAsB,CAAC,EAAE,MAAM,CAAC;CACjC;AAED;;;GAGG;AACH,eAAO,MAAM,oBAAoB,aACtB,2BAA2B,KACnC;IACD,aAAa,EAAE,gBAAgB,CAAC;IAChC,yBAAyB,EAAE,CACzB,SAAS,CAAC,EAAE,6BAA6B,KACtC,gBAAgB,CAAC;IACtB,SAAS,EAAE,MAAM,CAAC;CA+HnB,CAAC"}

package/dist/nextjs/hooks/useInitialAuthConfig.js

@@ -7,6 +7,7 @@ import { useMemo } from "react";
 import { useRouter, usePathname } from "next/navigation.js";
 import { resolveAuthConfig } from "../../nextjs/config.js";
 import { revalidateUserData } from "../../nextjs/actions.js";
+import { BrowserCookieStorage } from "../../shared/index.js";
 /**
  * Hook that creates the initial auth configuration
  * Can be used standalone or merged with overrides
@@ -18,6 +19,8 @@ export const useInitialAuthConfig = (options = {}) => {
     const { clientId, oauthServer, loginSuccessUrl, loginInitUrl, logoutUrl, refreshUrl, logoutCallbackUrl, callbackUrl, targetContainerElement, } = resolvedConfig;
     const baseConfig = useMemo(() => {
         return {
+            // we need this to retrieve client-available cookies for auto-refresh etc.
+            storage: new BrowserCookieStorage(),
             clientId: clientId,
             loginUrl: typeof window !== "undefined"
                 ? window.location.origin + loginInitUrl
@@ -45,6 +48,13 @@ export const useInitialAuthConfig = (options = {}) => {
                 refresh: refreshUrl,
                 logout: logoutUrl,
             },
+            onRefresh: async (error) => {
+                if (error) {
+                    console.error("onRefresh: Error refreshing", error);
+                    return;
+                }
+                router.refresh();
+            },
             onSignIn: async (error) => {
                 if (error) {
                     console.error("onSignIn: Error signing in", error);

package/dist/nextjs/hooks/useInitialAuthConfig.js.map

@@ -1 +1 @@
-{"version":3,"file":"useInitialAuthConfig.js","sourceRoot":"","sources":["../../../src/nextjs/hooks/useInitialAuthConfig.ts"],"names":[],"mappings":"AAAA;;;GAGG;AACH,YAAY,CAAC;AAEb,OAAO,EAAE,OAAO,EAAE,MAAM,OAAO,CAAC;AAChC,OAAO,EAAE,SAAS,EAAE,WAAW,EAAE,MAAM,oBAAoB,CAAC;AAC5D,OAAO,EAAE,iBAAiB,EAAE,MAAM,oBAAoB,CAAC;AAIvD,OAAO,EAAE,kBAAkB,EAAE,MAAM,qBAAqB,CAAC;AAsBzD;;;GAGG;AACH,MAAM,CAAC,MAAM,oBAAoB,GAAG,CAClC,UAAuC,EAAE,EAOzC,EAAE;IACF,MAAM,MAAM,GAAG,SAAS,EAAE,CAAC;IAC3B,MAAM,QAAQ,GAAG,WAAW,EAAE,CAAC;IAC/B,MAAM,cAAc,GAAG,iBAAiB,CAAC,OAAO,CAAC,CAAC;IAElD,MAAM,EACJ,QAAQ,EACR,WAAW,EACX,eAAe,EACf,YAAY,EACZ,SAAS,EACT,UAAU,EACV,iBAAiB,EACjB,WAAW,EACX,sBAAsB,GACvB,GAAG,cAAc,CAAC;IAEnB,MAAM,UAAU,GAAqB,OAAO,CAAC,GAAG,EAAE;QAChD,OAAO;YACL,QAAQ,EAAE,QAAQ;YAClB,QAAQ,EACN,OAAO,MAAM,KAAK,WAAW;gBAC3B,CAAC,CAAC,MAAM,CAAC,QAAQ,CAAC,MAAM,GAAG,YAAY;gBACvC,CAAC,CAAC,SAAS;YACf,WAAW,EACT,OAAO,MAAM,KAAK,WAAW;gBAC3B,CAAC,CAAC,MAAM,CAAC,QAAQ,CAAC,MAAM,GAAG,WAAW;gBACtC,CAAC,CAAC,SAAS;YACf,MAAM,EAAE;gBACN,WAAW,EAAE,WAAW;gBACxB,kBAAkB,EAAE,WAAW;aAChC;YACD,iBAAiB,EAAE,iBAAiB;YACpC,eAAe,EAAE,eAAe;YAChC,sBAAsB,EAAE,sBAAsB;YAC9C,WAAW,EAAE,OAAO,CAAC,WAAW;YAChC,UAAU,EAAE,OAAO,CAAC,UAAU;YAC9B,iBAAiB,EAAE,iBAAiB;YACpC,SAAS,EAAE,QAAQ;YACnB,OAAO,EAAE;gBACP,KAAK,EAAE,OAAO;gBACd,OAAO,EAAE,KAAK;aACf;YACD,gBAAgB,EAAE;gBAChB,IAAI,EAAE,gBAAgB;gBACtB,OAAO,EAAE,UAAU;gBACnB,MAAM,EAAE,SAAS;aAClB;YACD,QAAQ,EAAE,KAAK,EAAE,KAAK,EAAE,EAAE;gBACxB,IAAI,KAAK,EAAE,CAAC;oBACV,OAAO,CAAC,KAAK,CAAC,4BAA4B,EAAE,KAAK,CAAC,CAAC;oBACnD,OAAO;gBACT,CAAC;gBAED,IAAI,CAAC;oBACH,uEAAuE;oBACvE,MAAM,kBAAkB,CAAC,QAAQ,CAAC,CAAC;oBACnC,qBAAqB;oBACrB,IAAI,eAAe,IAAI,eAAe,KAAK,QAAQ,EAAE,CAAC;wBACpD,MAAM,CAAC,IAAI,CAAC,eAAe,CAAC,CAAC;oBAC/B,CAAC;gBACH,CAAC;gBAAC,OAAO,eAAe,EAAE,CAAC;oBACzB,OAAO,CAAC,KAAK,CAAC,gCAAgC,EAAE,eAAe,CAAC,CAAC;oBACjE,sDAAsD;oBACtD,MAAM,CAAC,OAAO,EAAE,CAAC;gBACnB,CAAC;YACH,CAAC;YACD,WAAW,EAAE,OAAO,CAAC,WAAW;YAChC,WAAW,EAAE,OAAO,CAAC,UAAU,IAAI,IAAI;YACvC,cAAc,EAAE,IAAI,EAAE,0CAA0C;SACjE,CAAC;IACJ,CAAC,EAAE;QACD,QAAQ;QACR,WAAW;QACX,eAAe;QACf,YAAY;QACZ,iBAAiB;QACjB,UAAU;QACV,SAAS;QACT,MAAM;QACN,QAAQ;QACR,sBAAsB;QACtB,WAAW;QACX,OAAO,CAAC,WAAW;QACnB,OAAO,CAAC,UAAU;QAClB,OAAO,CAAC,UAAU;QAClB,OAAO,CAAC,WAAW;KACpB,CAAC,CAAC;IAEH,MAAM,yBAAyB,GAAG,OAAO,CAAC,GAAG,EAAE;QAC7C,OAAO,CACL,YAA2C,EAAE,EAC3B,EAAE;YACpB,OAAO;gBACL,GAAG,UAAU;gBACb,6DAA6D;gBAC7D,GAAG,CAAC,SAAS,CAAC,WAAW,IAAI,EAAE,WAAW,EAAE,SAAS,CAAC,WAAW,EAAE,CAAC;gBACpE,GAAG,CAAC,SAAS,CAAC,UAAU,KAAK,SAAS,IAAI;oBACxC,UAAU,EAAE,SAAS,CAAC,UAAU;iBACjC,CAAC;gBACF,GAAG,CAAC,SAAS,CAAC,QAAQ,IAAI,EAAE,QAAQ,EAAE,SAAS,CAAC,QAAQ,EAAE,CAAC;gBAC3D,GAAG,CAAC,SAAS,CAAC,WAAW,IAAI,EAAE,WAAW,EAAE,SAAS,CAAC,WAAW,EAAE,CAAC;gBACpE,GAAG,CAAC,SAAS,CAAC,iBAAiB,IAAI;oBACjC,iBAAiB,EAAE,SAAS,CAAC,iBAAiB;iBAC/C,CAAC;gBACF,GAAG,CAAC,SAAS,CAAC,sBAAsB,IAAI;oBACtC,sBAAsB,EAAE,SAAS,CAAC,sBAAsB;iBACzD,CAAC;aACH,CAAC;QACJ,CAAC,CAAC;IACJ,CAAC,EAAE,CAAC,UAAU,CAAC,CAAC,CAAC;IAEjB,OAAO;QACL,aAAa,EAAE,UAAU;QACzB,yBAAyB;QACzB,SAAS;KACV,CAAC;AACJ,CAAC,CAAC","sourcesContent":["/**\n * Hook for creating the initial auth configuration\n * Reusable across NextJS components that need to initialize GlobalAuthManager\n */\n\"use client\";\n\nimport { useMemo } from \"react\";\nimport { useRouter, usePathname } from \"next/navigation.js\";\nimport { resolveAuthConfig } from \"@/nextjs/config.js\";\nimport type { GlobalAuthConfig } from \"@/reactjs/core/GlobalAuthManager.js\";\nimport type { VanillaJSDisplayMode } from \"@/vanillajs/auth/types/AuthTypes.js\";\nimport type { User, IframeMode } from \"@/types.js\";\nimport { revalidateUserData } from \"@/nextjs/actions.js\";\n\nexport interface UseInitialAuthConfigOptions {\n  displayMode?: VanillaJSDisplayMode;\n  iframeMode?: IframeMode;\n  serverUser?: User | null;\n  nonce?: string;\n  targetContainerElement?: HTMLElement | string;\n  oauthServer?: string;\n  loginSuccessUrl?: string;\n  onUrlChange?: (url: string, source?: string) => void;\n}\n\nexport interface UseInitialAuthConfigOverrides {\n  displayMode?: VanillaJSDisplayMode;\n  iframeMode?: IframeMode;\n  clientId?: string;\n  redirectUrl?: string;\n  logoutRedirectUrl?: string;\n  targetContainerElement?: string;\n}\n\n/**\n * Hook that creates the initial auth configuration\n * Can be used standalone or merged with overrides\n */\nexport const useInitialAuthConfig = (\n  options: UseInitialAuthConfigOptions = {},\n): {\n  initialConfig: GlobalAuthConfig;\n  createConfigWithOverrides: (\n    overrides?: UseInitialAuthConfigOverrides,\n  ) => GlobalAuthConfig;\n  logoutUrl: string;\n} => {\n  const router = useRouter();\n  const pathname = usePathname();\n  const resolvedConfig = resolveAuthConfig(options);\n\n  const {\n    clientId,\n    oauthServer,\n    loginSuccessUrl,\n    loginInitUrl,\n    logoutUrl,\n    refreshUrl,\n    logoutCallbackUrl,\n    callbackUrl,\n    targetContainerElement,\n  } = resolvedConfig;\n\n  const baseConfig: GlobalAuthConfig = useMemo(() => {\n    return {\n      clientId: clientId,\n      loginUrl:\n        typeof window !== \"undefined\"\n          ? window.location.origin + loginInitUrl\n          : undefined,\n      redirectUrl:\n        typeof window !== \"undefined\"\n          ? window.location.origin + callbackUrl\n          : undefined,\n      config: {\n        oauthServer: oauthServer,\n        oauthServerBaseUrl: oauthServer,\n      },\n      logoutRedirectUrl: logoutCallbackUrl,\n      loginSuccessUrl: loginSuccessUrl,\n      targetContainerElement: targetContainerElement,\n      displayMode: options.displayMode,\n      iframeMode: options.iframeMode,\n      logoutCallbackUrl: logoutCallbackUrl,\n      framework: \"nextjs\",\n      logging: {\n        level: \"debug\",\n        enabled: false,\n      },\n      backendEndpoints: {\n        user: \"/api/auth/user\",\n        refresh: refreshUrl,\n        logout: logoutUrl,\n      },\n      onSignIn: async (error) => {\n        if (error) {\n          console.error(\"onSignIn: Error signing in\", error);\n          return;\n        }\n\n        try {\n          // Trigger server-side revalidation to force NextAuthProvider to re-run\n          await revalidateUserData(pathname);\n          // Navigate if needed\n          if (loginSuccessUrl && loginSuccessUrl !== pathname) {\n            router.push(loginSuccessUrl);\n          }\n        } catch (revalidateError) {\n          console.error(\"onSignIn: Revalidation failed:\", revalidateError);\n          // Fallback to router.refresh() if server action fails\n          router.refresh();\n        }\n      },\n      onUrlChange: options.onUrlChange,\n      initialUser: options.serverUser || null,\n      initialIdToken: null, // ID token is httpOnly and not accessible\n    };\n  }, [\n    clientId,\n    oauthServer,\n    loginSuccessUrl,\n    loginInitUrl,\n    logoutCallbackUrl,\n    refreshUrl,\n    logoutUrl,\n    router,\n    pathname,\n    targetContainerElement,\n    callbackUrl,\n    options.displayMode,\n    options.iframeMode,\n    options.serverUser,\n    options.onUrlChange,\n  ]);\n\n  const createConfigWithOverrides = useMemo(() => {\n    return (\n      overrides: UseInitialAuthConfigOverrides = {},\n    ): GlobalAuthConfig => {\n      return {\n        ...baseConfig,\n        // Override specific properties while keeping the base config\n        ...(overrides.displayMode && { displayMode: overrides.displayMode }),\n        ...(overrides.iframeMode !== undefined && {\n          iframeMode: overrides.iframeMode,\n        }),\n        ...(overrides.clientId && { clientId: overrides.clientId }),\n        ...(overrides.redirectUrl && { redirectUrl: overrides.redirectUrl }),\n        ...(overrides.logoutRedirectUrl && {\n          logoutRedirectUrl: overrides.logoutRedirectUrl,\n        }),\n        ...(overrides.targetContainerElement && {\n          targetContainerElement: overrides.targetContainerElement,\n        }),\n      };\n    };\n  }, [baseConfig]);\n\n  return {\n    initialConfig: baseConfig,\n    createConfigWithOverrides,\n    logoutUrl,\n  };\n};\n"]}
+{"version":3,"file":"useInitialAuthConfig.js","sourceRoot":"","sources":["../../../src/nextjs/hooks/useInitialAuthConfig.ts"],"names":[],"mappings":"AAAA;;;GAGG;AACH,YAAY,CAAC;AAEb,OAAO,EAAE,OAAO,EAAE,MAAM,OAAO,CAAC;AAChC,OAAO,EAAE,SAAS,EAAE,WAAW,EAAE,MAAM,oBAAoB,CAAC;AAC5D,OAAO,EAAE,iBAAiB,EAAE,MAAM,oBAAoB,CAAC;AAIvD,OAAO,EAAE,kBAAkB,EAAE,MAAM,qBAAqB,CAAC;AACzD,OAAO,EAAE,oBAAoB,EAAE,MAAM,mBAAmB,CAAC;AAsBzD;;;GAGG;AACH,MAAM,CAAC,MAAM,oBAAoB,GAAG,CAClC,UAAuC,EAAE,EAOzC,EAAE;IACF,MAAM,MAAM,GAAG,SAAS,EAAE,CAAC;IAC3B,MAAM,QAAQ,GAAG,WAAW,EAAE,CAAC;IAC/B,MAAM,cAAc,GAAG,iBAAiB,CAAC,OAAO,CAAC,CAAC;IAElD,MAAM,EACJ,QAAQ,EACR,WAAW,EACX,eAAe,EACf,YAAY,EACZ,SAAS,EACT,UAAU,EACV,iBAAiB,EACjB,WAAW,EACX,sBAAsB,GACvB,GAAG,cAAc,CAAC;IAEnB,MAAM,UAAU,GAAqB,OAAO,CAAC,GAAG,EAAE;QAChD,OAAO;YACL,0EAA0E;YAC1E,OAAO,EAAE,IAAI,oBAAoB,EAAE;YACnC,QAAQ,EAAE,QAAQ;YAClB,QAAQ,EACN,OAAO,MAAM,KAAK,WAAW;gBAC3B,CAAC,CAAC,MAAM,CAAC,QAAQ,CAAC,MAAM,GAAG,YAAY;gBACvC,CAAC,CAAC,SAAS;YACf,WAAW,EACT,OAAO,MAAM,KAAK,WAAW;gBAC3B,CAAC,CAAC,MAAM,CAAC,QAAQ,CAAC,MAAM,GAAG,WAAW;gBACtC,CAAC,CAAC,SAAS;YACf,MAAM,EAAE;gBACN,WAAW,EAAE,WAAW;gBACxB,kBAAkB,EAAE,WAAW;aAChC;YACD,iBAAiB,EAAE,iBAAiB;YACpC,eAAe,EAAE,eAAe;YAChC,sBAAsB,EAAE,sBAAsB;YAC9C,WAAW,EAAE,OAAO,CAAC,WAAW;YAChC,UAAU,EAAE,OAAO,CAAC,UAAU;YAC9B,iBAAiB,EAAE,iBAAiB;YACpC,SAAS,EAAE,QAAQ;YACnB,OAAO,EAAE;gBACP,KAAK,EAAE,OAAO;gBACd,OAAO,EAAE,KAAK;aACf;YACD,gBAAgB,EAAE;gBAChB,IAAI,EAAE,gBAAgB;gBACtB,OAAO,EAAE,UAAU;gBACnB,MAAM,EAAE,SAAS;aAClB;YACD,SAAS,EAAE,KAAK,EAAE,KAAK,EAAE,EAAE;gBACzB,IAAI,KAAK,EAAE,CAAC;oBACV,OAAO,CAAC,KAAK,CAAC,6BAA6B,EAAE,KAAK,CAAC,CAAC;oBACpD,OAAO;gBACT,CAAC;gBACD,MAAM,CAAC,OAAO,EAAE,CAAC;YACnB,CAAC;YACD,QAAQ,EAAE,KAAK,EAAE,KAAK,EAAE,EAAE;gBACxB,IAAI,KAAK,EAAE,CAAC;oBACV,OAAO,CAAC,KAAK,CAAC,4BAA4B,EAAE,KAAK,CAAC,CAAC;oBACnD,OAAO;gBACT,CAAC;gBAED,IAAI,CAAC;oBACH,uEAAuE;oBACvE,MAAM,kBAAkB,CAAC,QAAQ,CAAC,CAAC;oBACnC,qBAAqB;oBACrB,IAAI,eAAe,IAAI,eAAe,KAAK,QAAQ,EAAE,CAAC;wBACpD,MAAM,CAAC,IAAI,CAAC,eAAe,CAAC,CAAC;oBAC/B,CAAC;gBACH,CAAC;gBAAC,OAAO,eAAe,EAAE,CAAC;oBACzB,OAAO,CAAC,KAAK,CAAC,gCAAgC,EAAE,eAAe,CAAC,CAAC;oBACjE,sDAAsD;oBACtD,MAAM,CAAC,OAAO,EAAE,CAAC;gBACnB,CAAC;YACH,CAAC;YACD,WAAW,EAAE,OAAO,CAAC,WAAW;YAChC,WAAW,EAAE,OAAO,CAAC,UAAU,IAAI,IAAI;YACvC,cAAc,EAAE,IAAI,EAAE,0CAA0C;SACjE,CAAC;IACJ,CAAC,EAAE;QACD,QAAQ;QACR,WAAW;QACX,eAAe;QACf,YAAY;QACZ,iBAAiB;QACjB,UAAU;QACV,SAAS;QACT,MAAM;QACN,QAAQ;QACR,sBAAsB;QACtB,WAAW;QACX,OAAO,CAAC,WAAW;QACnB,OAAO,CAAC,UAAU;QAClB,OAAO,CAAC,UAAU;QAClB,OAAO,CAAC,WAAW;KACpB,CAAC,CAAC;IAEH,MAAM,yBAAyB,GAAG,OAAO,CAAC,GAAG,EAAE;QAC7C,OAAO,CACL,YAA2C,EAAE,EAC3B,EAAE;YACpB,OAAO;gBACL,GAAG,UAAU;gBACb,6DAA6D;gBAC7D,GAAG,CAAC,SAAS,CAAC,WAAW,IAAI,EAAE,WAAW,EAAE,SAAS,CAAC,WAAW,EAAE,CAAC;gBACpE,GAAG,CAAC,SAAS,CAAC,UAAU,KAAK,SAAS,IAAI;oBACxC,UAAU,EAAE,SAAS,CAAC,UAAU;iBACjC,CAAC;gBACF,GAAG,CAAC,SAAS,CAAC,QAAQ,IAAI,EAAE,QAAQ,EAAE,SAAS,CAAC,QAAQ,EAAE,CAAC;gBAC3D,GAAG,CAAC,SAAS,CAAC,WAAW,IAAI,EAAE,WAAW,EAAE,SAAS,CAAC,WAAW,EAAE,CAAC;gBACpE,GAAG,CAAC,SAAS,CAAC,iBAAiB,IAAI;oBACjC,iBAAiB,EAAE,SAAS,CAAC,iBAAiB;iBAC/C,CAAC;gBACF,GAAG,CAAC,SAAS,CAAC,sBAAsB,IAAI;oBACtC,sBAAsB,EAAE,SAAS,CAAC,sBAAsB;iBACzD,CAAC;aACH,CAAC;QACJ,CAAC,CAAC;IACJ,CAAC,EAAE,CAAC,UAAU,CAAC,CAAC,CAAC;IAEjB,OAAO;QACL,aAAa,EAAE,UAAU;QACzB,yBAAyB;QACzB,SAAS;KACV,CAAC;AACJ,CAAC,CAAC","sourcesContent":["/**\n * Hook for creating the initial auth configuration\n * Reusable across NextJS components that need to initialize GlobalAuthManager\n */\n\"use client\";\n\nimport { useMemo } from \"react\";\nimport { useRouter, usePathname } from \"next/navigation.js\";\nimport { resolveAuthConfig } from \"@/nextjs/config.js\";\nimport type { GlobalAuthConfig } from \"@/reactjs/core/GlobalAuthManager.js\";\nimport type { VanillaJSDisplayMode } from \"@/vanillajs/auth/types/AuthTypes.js\";\nimport type { User, IframeMode } from \"@/types.js\";\nimport { revalidateUserData } from \"@/nextjs/actions.js\";\nimport { BrowserCookieStorage } from \"@/shared/index.js\";\n\nexport interface UseInitialAuthConfigOptions {\n  displayMode?: VanillaJSDisplayMode;\n  iframeMode?: IframeMode;\n  serverUser?: User | null;\n  nonce?: string;\n  targetContainerElement?: HTMLElement | string;\n  oauthServer?: string;\n  loginSuccessUrl?: string;\n  onUrlChange?: (url: string, source?: string) => void;\n}\n\nexport interface UseInitialAuthConfigOverrides {\n  displayMode?: VanillaJSDisplayMode;\n  iframeMode?: IframeMode;\n  clientId?: string;\n  redirectUrl?: string;\n  logoutRedirectUrl?: string;\n  targetContainerElement?: string;\n}\n\n/**\n * Hook that creates the initial auth configuration\n * Can be used standalone or merged with overrides\n */\nexport const useInitialAuthConfig = (\n  options: UseInitialAuthConfigOptions = {},\n): {\n  initialConfig: GlobalAuthConfig;\n  createConfigWithOverrides: (\n    overrides?: UseInitialAuthConfigOverrides,\n  ) => GlobalAuthConfig;\n  logoutUrl: string;\n} => {\n  const router = useRouter();\n  const pathname = usePathname();\n  const resolvedConfig = resolveAuthConfig(options);\n\n  const {\n    clientId,\n    oauthServer,\n    loginSuccessUrl,\n    loginInitUrl,\n    logoutUrl,\n    refreshUrl,\n    logoutCallbackUrl,\n    callbackUrl,\n    targetContainerElement,\n  } = resolvedConfig;\n\n  const baseConfig: GlobalAuthConfig = useMemo(() => {\n    return {\n      // we need this to retrieve client-available cookies for auto-refresh etc.\n      storage: new BrowserCookieStorage(),\n      clientId: clientId,\n      loginUrl:\n        typeof window !== \"undefined\"\n          ? window.location.origin + loginInitUrl\n          : undefined,\n      redirectUrl:\n        typeof window !== \"undefined\"\n          ? window.location.origin + callbackUrl\n          : undefined,\n      config: {\n        oauthServer: oauthServer,\n        oauthServerBaseUrl: oauthServer,\n      },\n      logoutRedirectUrl: logoutCallbackUrl,\n      loginSuccessUrl: loginSuccessUrl,\n      targetContainerElement: targetContainerElement,\n      displayMode: options.displayMode,\n      iframeMode: options.iframeMode,\n      logoutCallbackUrl: logoutCallbackUrl,\n      framework: \"nextjs\",\n      logging: {\n        level: \"debug\",\n        enabled: false,\n      },\n      backendEndpoints: {\n        user: \"/api/auth/user\",\n        refresh: refreshUrl,\n        logout: logoutUrl,\n      },\n      onRefresh: async (error) => {\n        if (error) {\n          console.error(\"onRefresh: Error refreshing\", error);\n          return;\n        }\n        router.refresh();\n      },\n      onSignIn: async (error) => {\n        if (error) {\n          console.error(\"onSignIn: Error signing in\", error);\n          return;\n        }\n\n        try {\n          // Trigger server-side revalidation to force NextAuthProvider to re-run\n          await revalidateUserData(pathname);\n          // Navigate if needed\n          if (loginSuccessUrl && loginSuccessUrl !== pathname) {\n            router.push(loginSuccessUrl);\n          }\n        } catch (revalidateError) {\n          console.error(\"onSignIn: Revalidation failed:\", revalidateError);\n          // Fallback to router.refresh() if server action fails\n          router.refresh();\n        }\n      },\n      onUrlChange: options.onUrlChange,\n      initialUser: options.serverUser || null,\n      initialIdToken: null, // ID token is httpOnly and not accessible\n    };\n  }, [\n    clientId,\n    oauthServer,\n    loginSuccessUrl,\n    loginInitUrl,\n    logoutCallbackUrl,\n    refreshUrl,\n    logoutUrl,\n    router,\n    pathname,\n    targetContainerElement,\n    callbackUrl,\n    options.displayMode,\n    options.iframeMode,\n    options.serverUser,\n    options.onUrlChange,\n  ]);\n\n  const createConfigWithOverrides = useMemo(() => {\n    return (\n      overrides: UseInitialAuthConfigOverrides = {},\n    ): GlobalAuthConfig => {\n      return {\n        ...baseConfig,\n        // Override specific properties while keeping the base config\n        ...(overrides.displayMode && { displayMode: overrides.displayMode }),\n        ...(overrides.iframeMode !== undefined && {\n          iframeMode: overrides.iframeMode,\n        }),\n        ...(overrides.clientId && { clientId: overrides.clientId }),\n        ...(overrides.redirectUrl && { redirectUrl: overrides.redirectUrl }),\n        ...(overrides.logoutRedirectUrl && {\n          logoutRedirectUrl: overrides.logoutRedirectUrl,\n        }),\n        ...(overrides.targetContainerElement && {\n          targetContainerElement: overrides.targetContainerElement,\n        }),\n      };\n    };\n  }, [baseConfig]);\n\n  return {\n    initialConfig: baseConfig,\n    createConfigWithOverrides,\n    logoutUrl,\n  };\n};\n"]}

package/dist/nextjs/middleware.d.ts

@@ -23,6 +23,7 @@ import type { NextRequest } from "next/server.js";
 import { NextResponse } from "next/server.js";
 import type { AuthConfigWithDefaults, OptionalAuthConfig } from "../nextjs/config.js";
 import type { SessionData } from "../types.js";
+import { NextjsMiddlewareCookieStorage } from "./utils.js";
 type Middleware = (request: NextRequest) => Promise<NextResponse> | NextResponse;
 /**
  * use a ServerAuthenticationResolver to validate the existing session
@@ -31,7 +32,7 @@ type Middleware = (request: NextRequest) => Promise<NextResponse> | NextResponse
  * @param request NextRequest object from middleware
  * @returns {Promise<SessionData>}
  */
-export declare const validateAuthTokensIfPresent: (authConfigWithDefaults: AuthConfigWithDefaults, request: NextRequest) => Promise<SessionData>;
+export declare const validateAuthTokensIfPresent: (authConfigWithDefaults: AuthConfigWithDefaults, storage: NextjsMiddlewareCookieStorage) => Promise<SessionData>;
 /**
  *
  * Use this when auth is the only middleware you need.

package/dist/nextjs/middleware.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"middleware.d.ts","sourceRoot":"","sources":["../../src/nextjs/middleware.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;GAoBG;AACH,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,gBAAgB,CAAC;AAClD,OAAO,EAAE,YAAY,EAAE,MAAM,gBAAgB,CAAC;AAC9C,OAAO,KAAK,EACV,sBAAsB,EACtB,kBAAkB,EACnB,MAAM,oBAAoB,CAAC;AAI5B,OAAO,KAAK,EAAe,WAAW,EAAE,MAAM,YAAY,CAAC;AAuC3D,KAAK,UAAU,GAAG,CAChB,OAAO,EAAE,WAAW,KACjB,OAAO,CAAC,YAAY,CAAC,GAAG,YAAY,CAAC;AAE1C;;;;;;GAMG;AACH,eAAO,MAAM,2BAA2B,2BACd,sBAAsB,WACrC,WAAW,KACnB,OAAO,CAAC,WAAW,CAoBrB,CAAC;AAmFF;;;;;;;GAOG;AACH,eAAO,MAAM,cAAc,gBACZ,kBAAkB,eACf,WAAW,KAAG,OAAO,CAAC,YAAY,CAOjD,CAAC;AAEJ;;;;;;;GAOG;AAEH,wBAAgB,QAAQ,CACtB,UAAU,EAAE,UAAU,GACrB,CAAC,OAAO,EAAE,WAAW,KAAK,OAAO,CAAC,YAAY,CAAC,CAEjD;AAED;;;;;;;;;;GAUG;AACH,wBAAgB,IAAI,CAAC,UAAU,GAAE,kBAAuB,gBAExC,UAAU,KACrB,CAAC,CAAC,OAAO,EAAE,WAAW,KAAK,OAAO,CAAC,YAAY,CAAC,CAAC,CAQrD"}
+{"version":3,"file":"middleware.d.ts","sourceRoot":"","sources":["../../src/nextjs/middleware.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;GAoBG;AACH,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,gBAAgB,CAAC;AAClD,OAAO,EAAE,YAAY,EAAE,MAAM,gBAAgB,CAAC;AAC9C,OAAO,KAAK,EACV,sBAAsB,EACtB,kBAAkB,EACnB,MAAM,oBAAoB,CAAC;AAI5B,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,YAAY,CAAC;AAS9C,OAAO,EAAE,6BAA6B,EAAE,MAAM,YAAY,CAAC;AAK3D,KAAK,UAAU,GAAG,CAChB,OAAO,EAAE,WAAW,KACjB,OAAO,CAAC,YAAY,CAAC,GAAG,YAAY,CAAC;AAE1C;;;;;;GAMG;AACH,eAAO,MAAM,2BAA2B,2BACd,sBAAsB,WACrC,6BAA6B,KACrC,OAAO,CAAC,WAAW,CAgBrB,CAAC;AAoFF;;;;;;;GAOG;AACH,eAAO,MAAM,cAAc,gBACZ,kBAAkB,eACf,WAAW,KAAG,OAAO,CAAC,YAAY,CAOjD,CAAC;AAEJ;;;;;;;GAOG;AAEH,wBAAgB,QAAQ,CACtB,UAAU,EAAE,UAAU,GACrB,CAAC,OAAO,EAAE,WAAW,KAAK,OAAO,CAAC,YAAY,CAAC,CAEjD;AAKD;;;;;;;;;;GAUG;AACH,wBAAgB,IAAI,CAAC,UAAU,GAAE,kBAAuB,gBAExC,UAAU,KACrB,CAAC,CAAC,OAAO,EAAE,WAAW,KAAK,OAAO,CAAC,YAAY,CAAC,CAAC,CAuBrD"}

package/dist/nextjs/middleware.js

@@ -2,34 +2,10 @@ import { NextResponse } from "next/server.js";
 import { resolveAuthConfig } from "../nextjs/config.js";
 import { loggers } from "../lib/logger.js";
 import { ServerAuthenticationResolver } from "../server/ServerAuthenticationResolver.js";
-import { shouldAttemptRefresh, createRefreshResponse, shouldSkipAuthForSystemUrls, handleLoginUrl, shouldSkipAuthForRoutePatterns, handleUnauthenticatedUser, } from "./utils.js";
+import { shouldAttemptRefresh, shouldSkipAuthForSystemUrls, handleLoginUrl, shouldSkipAuthForRoutePatterns, handleUnauthenticatedUser, copyCivicCookies, } from "./utils.js";
+import { NextjsMiddlewareCookieStorage } from "./utils.js";
+import { UserStorage } from "../shared/lib/types.js";
 const logger = loggers.nextjs.middleware;
-/**
- * CookieStorage implementation for NextJS middleware context that works with NextRequest
- */
-class NextjsReadOnlyRequestCookieStorage {
-    request;
-    constructor(request) {
-        this.request = request;
-    }
-    async get(key) {
-        return this.request.cookies.get(key)?.value || null;
-    }
-    // eslint-disable-next-line @typescript-eslint/no-unused-vars
-    async set(key, value) {
-        // In middleware, we can only set cookies via response objects
-        // This method can't be used directly in middleware
-        logger.error("Cannot set cookies directly in middleware");
-        throw new Error("Cannot set cookies directly in middleware");
-    }
-    // eslint-disable-next-line @typescript-eslint/no-unused-vars
-    async delete(key) {
-        // In middleware, we can only delete cookies via response objects
-        // This method can't be used directly in middleware
-        logger.error("Cannot delete cookies directly in middleware");
-        throw new Error("Cannot delete cookies directly in middleware");
-    }
-}
 /**
  * use a ServerAuthenticationResolver to validate the existing session
  * using NextJS cookie storage
@@ -37,17 +13,14 @@ class NextjsReadOnlyRequestCookieStorage {
  * @param request NextRequest object from middleware
  * @returns {Promise<SessionData>}
  */
-export const validateAuthTokensIfPresent = async (authConfigWithDefaults, request) => {
+export const validateAuthTokensIfPresent = async (authConfigWithDefaults, storage) => {
     try {
-        // TODO: evaluate a more performant way to validate tokens
-        // than having to call and verify the JWT tokens on every request
-        const storage = new NextjsReadOnlyRequestCookieStorage(request);
         const authSessionService = await ServerAuthenticationResolver.build({
             ...authConfigWithDefaults,
             redirectUrl: authConfigWithDefaults.callbackUrl,
         }, storage);
-        // validate the existing session but don't auto-refresh as we can't set cookies in middleware
-        const existingSession = await authSessionService.validateExistingSession(false);
+        // validate the existing session and rehydrate and update cookies to the response if necessary
+        const existingSession = await authSessionService.validateExistingSession();
         return existingSession;
     }
     catch (error) {
@@ -66,8 +39,14 @@ export const validateAuthTokensIfPresent = async (authConfigWithDefaults, reques
  */
 const applyAuth = async (authConfig, request) => {
     const authConfigWithDefaults = resolveAuthConfig(authConfig);
+    const response = NextResponse.next();
+    const cookieConfig = {
+        ...authConfigWithDefaults?.cookies?.tokens,
+        [UserStorage.USER]: authConfigWithDefaults?.cookies?.user || {},
+    };
+    const storage = new NextjsMiddlewareCookieStorage(cookieConfig, request, response);
     // Step 1: Understand the current authentication state
-    const session = await validateAuthTokensIfPresent(authConfigWithDefaults, request);
+    const session = await validateAuthTokensIfPresent(authConfigWithDefaults, storage);
     const shouldSkipAuthForSystemUrlsCheck = shouldSkipAuthForSystemUrls(request.nextUrl.pathname, authConfigWithDefaults, request.method);
     const shouldSkipAuthForRoutePatternsCheck = shouldSkipAuthForRoutePatterns(request.nextUrl.pathname, authConfigWithDefaults);
     const pathNameIsLoginUrl = request.nextUrl.pathname === authConfigWithDefaults.loginUrl;
@@ -78,36 +57,27 @@ const applyAuth = async (authConfig, request) => {
         shouldAttemptRefresh: shouldAttemptRefresh(session),
         shouldSkipAuthForSystemUrls: shouldSkipAuthForSystemUrlsCheck,
         shouldSkipAuthForRoutePatterns: shouldSkipAuthForRoutePatternsCheck,
-        ...authConfigWithDefaults,
     });
-    // Attempt token refresh if needed (OAuth pipeline)
-    if (shouldAttemptRefresh(session)) {
-        const refreshResponse = createRefreshResponse(request, authConfigWithDefaults);
-        if (refreshResponse) {
-            logger.debug("Handle refresh response", refreshResponse.url);
-            return refreshResponse;
-        }
-    }
     // Skip authentication for system URLs (callback, challenge, logout)
     if (shouldSkipAuthForSystemUrlsCheck) {
-        return undefined;
+        return response;
     }
     // Handle login URL with special logic
     if (pathNameIsLoginUrl) {
         handleLoginUrl(request.nextUrl.pathname, session, authConfigWithDefaults);
-        return undefined; // Always allow access to login URL
+        return response; // Always allow access to login URL
     }
     // Skip authentication for routes not matching include/exclude patterns
     if (shouldSkipAuthForRoutePatternsCheck) {
-        return undefined;
+        return response;
     }
     // Handle unauthenticated users on protected routes
     if (!session.authenticated) {
-        return handleUnauthenticatedUser(session, request, authConfigWithDefaults);
+        return handleUnauthenticatedUser(session, request, response, storage, authConfigWithDefaults);
     }
     // Happy ending - authentication passed
-    logger.debug("→ Authentication successful, allowing access");
-    return undefined;
+    logger.debug("→ Authentication successful, allowing access to", response.url);
+    return response;
 };
 /**
  *
@@ -137,6 +107,7 @@ export const authMiddleware = (authConfig = {}) => async (request) => {
 export function withAuth(middleware) {
     return auth()(middleware);
 }
+const isRedirectResponse = (response) => response && response.status === 307;
 /**
  * Use this when you want to configure the middleware here (an alternative is to do it in the next.config file)
  *
@@ -152,9 +123,20 @@ export function auth(authConfig = {}) {
     return (middleware) => {
         return async (request) => {
             const response = await applyAuth(authConfig, request);
-            if (response)
+            // if the response is redirected it means that the user is not authenticated
+            // so we skip the rest of the custom middleware to redirect to the login page
+            if (response && isRedirectResponse(response)) {
+                logger.debug("User is unauthenticated, redirecting to ", response.headers.get("location"));
                 return response;
-            return middleware(request);
+            }
+            const middlewareResponse = await middleware(request);
+            // we need to ensure that the civic cookies that were potentially
+            // added by CivicAuth are set on the final response after all
+            // middleware has been run
+            if (response) {
+                copyCivicCookies(response, middlewareResponse);
+            }
+            return middlewareResponse;
         };
     };
 }

package/dist/nextjs/middleware.js.map

@@ -1 +1 @@
-{"version":3,"file":"middleware.js","sourceRoot":"","sources":["../../src/nextjs/middleware.ts"],"names":[],"mappings":"AAsBA,OAAO,EAAE,YAAY,EAAE,MAAM,gBAAgB,CAAC;AAK9C,OAAO,EAAE,iBAAiB,EAAE,MAAM,oBAAoB,CAAC;AACvD,OAAO,EAAE,OAAO,EAAE,MAAM,iBAAiB,CAAC;AAC1C,OAAO,EAAE,4BAA4B,EAAE,MAAM,0CAA0C,CAAC;AAExF,OAAO,EACL,oBAAoB,EACpB,qBAAqB,EACrB,2BAA2B,EAC3B,cAAc,EACd,8BAA8B,EAC9B,yBAAyB,GAC1B,MAAM,YAAY,CAAC;AAEpB,MAAM,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,UAAU,CAAC;AAEzC;;GAEG;AACH,MAAM,kCAAkC;IAClB;IAApB,YAAoB,OAAoB;QAApB,YAAO,GAAP,OAAO,CAAa;IAAG,CAAC;IAE5C,KAAK,CAAC,GAAG,CAAC,GAAW;QACnB,OAAO,IAAI,CAAC,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,GAAG,CAAC,EAAE,KAAK,IAAI,IAAI,CAAC;IACtD,CAAC;IAED,6DAA6D;IAC7D,KAAK,CAAC,GAAG,CAAC,GAAW,EAAE,KAAa;QAClC,8DAA8D;QAC9D,mDAAmD;QACnD,MAAM,CAAC,KAAK,CAAC,2CAA2C,CAAC,CAAC;QAC1D,MAAM,IAAI,KAAK,CAAC,2CAA2C,CAAC,CAAC;IAC/D,CAAC;IAED,6DAA6D;IAC7D,KAAK,CAAC,MAAM,CAAC,GAAW;QACtB,iEAAiE;QACjE,mDAAmD;QACnD,MAAM,CAAC,KAAK,CAAC,8CAA8C,CAAC,CAAC;QAC7D,MAAM,IAAI,KAAK,CAAC,8CAA8C,CAAC,CAAC;IAClE,CAAC;CACF;AAMD;;;;;;GAMG;AACH,MAAM,CAAC,MAAM,2BAA2B,GAAG,KAAK,EAC9C,sBAA8C,EAC9C,OAAoB,EACE,EAAE;IACxB,IAAI,CAAC;QACH,0DAA0D;QAC1D,iEAAiE;QACjE,MAAM,OAAO,GAAG,IAAI,kCAAkC,CAAC,OAAO,CAAC,CAAC;QAChE,MAAM,kBAAkB,GAAG,MAAM,4BAA4B,CAAC,KAAK,CACjE;YACE,GAAG,sBAAsB;YACzB,WAAW,EAAE,sBAAsB,CAAC,WAAW;SAChD,EACD,OAAO,CACR,CAAC;QACF,6FAA6F;QAC7F,MAAM,eAAe,GACnB,MAAM,kBAAkB,CAAC,uBAAuB,CAAC,KAAK,CAAC,CAAC;QAC1D,OAAO,eAAe,CAAC;IACzB,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,MAAM,CAAC,KAAK,CAAC,yBAAyB,EAAE,KAAK,CAAC,CAAC;QAC/C,OAAO,EAAE,aAAa,EAAE,KAAK,EAAE,CAAC;IAClC,CAAC;AACH,CAAC,CAAC;AAEF,4CAA4C;AAC5C;;;;;;;GAOG;AACH,MAAM,SAAS,GAAG,KAAK,EACrB,UAA8B,EAC9B,OAAoB,EACe,EAAE;IACrC,MAAM,sBAAsB,GAAG,iBAAiB,CAAC,UAAU,CAAC,CAAC;IAE7D,sDAAsD;IACtD,MAAM,OAAO,GAAG,MAAM,2BAA2B,CAC/C,sBAAsB,EACtB,OAAO,CACR,CAAC;IACF,MAAM,gCAAgC,GAAG,2BAA2B,CAClE,OAAO,CAAC,OAAO,CAAC,QAAQ,EACxB,sBAAsB,EACtB,OAAO,CAAC,MAAM,CACf,CAAC;IAEF,MAAM,mCAAmC,GAAG,8BAA8B,CACxE,OAAO,CAAC,OAAO,CAAC,QAAQ,EACxB,sBAAsB,CACvB,CAAC;IACF,MAAM,kBAAkB,GACtB,OAAO,CAAC,OAAO,CAAC,QAAQ,KAAK,sBAAsB,CAAC,QAAQ,CAAC;IAC/D,MAAM,CAAC,KAAK,CAAC,uBAAuB,EAAE;QACpC,aAAa,EAAE,OAAO,CAAC,aAAa;QACpC,QAAQ,EAAE,OAAO,CAAC,OAAO,CAAC,QAAQ;QAClC,kBAAkB;QAClB,oBAAoB,EAAE,oBAAoB,CAAC,OAAO,CAAC;QACnD,2BAA2B,EAAE,gCAAgC;QAC7D,8BAA8B,EAAE,mCAAmC;QACnE,GAAG,sBAAsB;KAC1B,CAAC,CAAC;IAEH,mDAAmD;IACnD,IAAI,oBAAoB,CAAC,OAAO,CAAC,EAAE,CAAC;QAClC,MAAM,eAAe,GAAG,qBAAqB,CAC3C,OAAO,EACP,sBAAsB,CACvB,CAAC;QAEF,IAAI,eAAe,EAAE,CAAC;YACpB,MAAM,CAAC,KAAK,CAAC,yBAAyB,EAAE,eAAe,CAAC,GAAG,CAAC,CAAC;YAC7D,OAAO,eAAe,CAAC;QACzB,CAAC;IACH,CAAC;IAED,oEAAoE;IACpE,IAAI,gCAAgC,EAAE,CAAC;QACrC,OAAO,SAAS,CAAC;IACnB,CAAC;IAED,sCAAsC;IACtC,IAAI,kBAAkB,EAAE,CAAC;QACvB,cAAc,CAAC,OAAO,CAAC,OAAO,CAAC,QAAQ,EAAE,OAAO,EAAE,sBAAsB,CAAC,CAAC;QAC1E,OAAO,SAAS,CAAC,CAAC,mCAAmC;IACvD,CAAC;IAED,uEAAuE;IACvE,IAAI,mCAAmC,EAAE,CAAC;QACxC,OAAO,SAAS,CAAC;IACnB,CAAC;IAED,mDAAmD;IACnD,IAAI,CAAC,OAAO,CAAC,aAAa,EAAE,CAAC;QAC3B,OAAO,yBAAyB,CAAC,OAAO,EAAE,OAAO,EAAE,sBAAsB,CAAC,CAAC;IAC7E,CAAC;IAED,uCAAuC;IACvC,MAAM,CAAC,KAAK,CAAC,8CAA8C,CAAC,CAAC;IAC7D,OAAO,SAAS,CAAC;AACnB,CAAC,CAAC;AAEF;;;;;;;GAOG;AACH,MAAM,CAAC,MAAM,cAAc,GACzB,CAAC,aAAiC,EAAE,EAAE,EAAE,CACxC,KAAK,EAAE,OAAoB,EAAyB,EAAE;IACpD,MAAM,QAAQ,GAAG,MAAM,SAAS,CAAC,UAAU,EAAE,OAAO,CAAC,CAAC;IACtD,IAAI,QAAQ;QAAE,OAAO,QAAQ,CAAC;IAE9B,mEAAmE;IACnE,wEAAwE;IACxE,OAAO,YAAY,CAAC,IAAI,EAAE,CAAC;AAC7B,CAAC,CAAC;AAEJ;;;;;;;GAOG;AACH,sDAAsD;AACtD,MAAM,UAAU,QAAQ,CACtB,UAAsB;IAEtB,OAAO,IAAI,EAAE,CAAC,UAAU,CAAC,CAAC;AAC5B,CAAC;AAED;;;;;;;;;;GAUG;AACH,MAAM,UAAU,IAAI,CAAC,aAAiC,EAAE;IACtD,OAAO,CACL,UAAsB,EAC6B,EAAE;QACrD,OAAO,KAAK,EAAE,OAAoB,EAAyB,EAAE;YAC3D,MAAM,QAAQ,GAAG,MAAM,SAAS,CAAC,UAAU,EAAE,OAAO,CAAC,CAAC;YACtD,IAAI,QAAQ;gBAAE,OAAO,QAAQ,CAAC;YAE9B,OAAO,UAAU,CAAC,OAAO,CAAC,CAAC;QAC7B,CAAC,CAAC;IACJ,CAAC,CAAC;AACJ,CAAC","sourcesContent":["/**\n * Authenticates the user on all requests by checking the token cookie\n *\n * Usage:\n * Option 1: use if no other middleware (e.g. no next-intl etc)\n * export default authMiddleware();\n *\n * Option 2: use if other middleware is needed - default auth config\n * export default withAuth((request) => {\n *    logger.debug('in custom middleware', request.nextUrl.pathname);\n *    return NextResponse.next();\n * })\n *\n * Option 3: use if other middleware is needed - specifying auth config\n * const withCivicAuth = auth({ loginUrl: '/login', include: ['/[.*]/user'] })\n * export default withCivicAuth((request) => {\n *   logger.debug('in custom middleware', request.url);\n *   return NextResponse.next();\n * })\n *\n */\nimport type { NextRequest } from \"next/server.js\";\nimport { NextResponse } from \"next/server.js\";\nimport type {\n  AuthConfigWithDefaults,\n  OptionalAuthConfig,\n} from \"@/nextjs/config.js\";\nimport { resolveAuthConfig } from \"@/nextjs/config.js\";\nimport { loggers } from \"@/lib/logger.js\";\nimport { ServerAuthenticationResolver } from \"@/server/ServerAuthenticationResolver.js\";\nimport type { AuthStorage, SessionData } from \"@/types.js\";\nimport {\n  shouldAttemptRefresh,\n  createRefreshResponse,\n  shouldSkipAuthForSystemUrls,\n  handleLoginUrl,\n  shouldSkipAuthForRoutePatterns,\n  handleUnauthenticatedUser,\n} from \"./utils.js\";\n\nconst logger = loggers.nextjs.middleware;\n\n/**\n * CookieStorage implementation for NextJS middleware context that works with NextRequest\n */\nclass NextjsReadOnlyRequestCookieStorage implements AuthStorage {\n  constructor(private request: NextRequest) {}\n\n  async get(key: string): Promise<string | null> {\n    return this.request.cookies.get(key)?.value || null;\n  }\n\n  // eslint-disable-next-line @typescript-eslint/no-unused-vars\n  async set(key: string, value: string): Promise<void> {\n    // In middleware, we can only set cookies via response objects\n    // This method can't be used directly in middleware\n    logger.error(\"Cannot set cookies directly in middleware\");\n    throw new Error(\"Cannot set cookies directly in middleware\");\n  }\n\n  // eslint-disable-next-line @typescript-eslint/no-unused-vars\n  async delete(key: string): Promise<void> {\n    // In middleware, we can only delete cookies via response objects\n    // This method can't be used directly in middleware\n    logger.error(\"Cannot delete cookies directly in middleware\");\n    throw new Error(\"Cannot delete cookies directly in middleware\");\n  }\n}\n\ntype Middleware = (\n  request: NextRequest,\n) => Promise<NextResponse> | NextResponse;\n\n/**\n * use a ServerAuthenticationResolver to validate the existing session\n * using NextJS cookie storage\n * @param authConfigWithDefaults\n * @param request NextRequest object from middleware\n * @returns {Promise<SessionData>}\n */\nexport const validateAuthTokensIfPresent = async (\n  authConfigWithDefaults: AuthConfigWithDefaults,\n  request: NextRequest,\n): Promise<SessionData> => {\n  try {\n    // TODO: evaluate a more performant way to validate tokens\n    // than having to call and verify the JWT tokens on every request\n    const storage = new NextjsReadOnlyRequestCookieStorage(request);\n    const authSessionService = await ServerAuthenticationResolver.build(\n      {\n        ...authConfigWithDefaults,\n        redirectUrl: authConfigWithDefaults.callbackUrl,\n      },\n      storage,\n    );\n    // validate the existing session but don't auto-refresh as we can't set cookies in middleware\n    const existingSession =\n      await authSessionService.validateExistingSession(false);\n    return existingSession;\n  } catch (error) {\n    logger.error(\"Error validating tokens\", error);\n    return { authenticated: false };\n  }\n};\n\n// internal - used by all exported functions\n/**\n * Core authentication middleware logic.\n *\n * The Authentication Story:\n * 1. Validate tokens to understand current authentication state\n * 2. Attempt token refresh if needed (the OAuth pipeline approach)\n * 3. Apply route-specific authentication rules based on final state\n */\nconst applyAuth = async (\n  authConfig: OptionalAuthConfig,\n  request: NextRequest,\n): Promise<NextResponse | undefined> => {\n  const authConfigWithDefaults = resolveAuthConfig(authConfig);\n\n  // Step 1: Understand the current authentication state\n  const session = await validateAuthTokensIfPresent(\n    authConfigWithDefaults,\n    request,\n  );\n  const shouldSkipAuthForSystemUrlsCheck = shouldSkipAuthForSystemUrls(\n    request.nextUrl.pathname,\n    authConfigWithDefaults,\n    request.method,\n  );\n\n  const shouldSkipAuthForRoutePatternsCheck = shouldSkipAuthForRoutePatterns(\n    request.nextUrl.pathname,\n    authConfigWithDefaults,\n  );\n  const pathNameIsLoginUrl =\n    request.nextUrl.pathname === authConfigWithDefaults.loginUrl;\n  logger.debug(\"Authentication state:\", {\n    authenticated: session.authenticated,\n    pathName: request.nextUrl.pathname,\n    pathNameIsLoginUrl,\n    shouldAttemptRefresh: shouldAttemptRefresh(session),\n    shouldSkipAuthForSystemUrls: shouldSkipAuthForSystemUrlsCheck,\n    shouldSkipAuthForRoutePatterns: shouldSkipAuthForRoutePatternsCheck,\n    ...authConfigWithDefaults,\n  });\n\n  // Attempt token refresh if needed (OAuth pipeline)\n  if (shouldAttemptRefresh(session)) {\n    const refreshResponse = createRefreshResponse(\n      request,\n      authConfigWithDefaults,\n    );\n\n    if (refreshResponse) {\n      logger.debug(\"Handle refresh response\", refreshResponse.url);\n      return refreshResponse;\n    }\n  }\n\n  // Skip authentication for system URLs (callback, challenge, logout)\n  if (shouldSkipAuthForSystemUrlsCheck) {\n    return undefined;\n  }\n\n  // Handle login URL with special logic\n  if (pathNameIsLoginUrl) {\n    handleLoginUrl(request.nextUrl.pathname, session, authConfigWithDefaults);\n    return undefined; // Always allow access to login URL\n  }\n\n  // Skip authentication for routes not matching include/exclude patterns\n  if (shouldSkipAuthForRoutePatternsCheck) {\n    return undefined;\n  }\n\n  // Handle unauthenticated users on protected routes\n  if (!session.authenticated) {\n    return handleUnauthenticatedUser(session, request, authConfigWithDefaults);\n  }\n\n  // Happy ending - authentication passed\n  logger.debug(\"→ Authentication successful, allowing access\");\n  return undefined;\n};\n\n/**\n *\n * Use this when auth is the only middleware you need.\n * Usage:\n *\n * export default authMiddleware({ loginUrl = '/login' }); // or just authMiddleware();\n *\n */\nexport const authMiddleware =\n  (authConfig: OptionalAuthConfig = {}) =>\n  async (request: NextRequest): Promise<NextResponse> => {\n    const response = await applyAuth(authConfig, request);\n    if (response) return response;\n\n    // NextJS doesn't do middleware chaining yet, so this does not mean\n    // \"call the next middleware\" - it means \"continue to the route handler\"\n    return NextResponse.next();\n  };\n\n/**\n * Usage:\n *\n * export default withAuth(async (request) => {\n *    logger.debug('my middleware');\n *    return NextResponse.next();\n *  })\n */\n// use this when you have your own middleware to chain\nexport function withAuth(\n  middleware: Middleware,\n): (request: NextRequest) => Promise<NextResponse> {\n  return auth()(middleware);\n}\n\n/**\n * Use this when you want to configure the middleware here (an alternative is to do it in the next.config file)\n *\n * Usage:\n *\n * export default auth(authConfig: AuthConfig ) => {\n *    logger.debug('my middleware');\n *    return NextResponse.next();\n *  })\n *\n */\nexport function auth(authConfig: OptionalAuthConfig = {}) {\n  return (\n    middleware: Middleware,\n  ): ((request: NextRequest) => Promise<NextResponse>) => {\n    return async (request: NextRequest): Promise<NextResponse> => {\n      const response = await applyAuth(authConfig, request);\n      if (response) return response;\n\n      return middleware(request);\n    };\n  };\n}\n"]}
+{"version":3,"file":"middleware.js","sourceRoot":"","sources":["../../src/nextjs/middleware.ts"],"names":[],"mappings":"AAsBA,OAAO,EAAE,YAAY,EAAE,MAAM,gBAAgB,CAAC;AAK9C,OAAO,EAAE,iBAAiB,EAAE,MAAM,oBAAoB,CAAC;AACvD,OAAO,EAAE,OAAO,EAAE,MAAM,iBAAiB,CAAC;AAC1C,OAAO,EAAE,4BAA4B,EAAE,MAAM,0CAA0C,CAAC;AAExF,OAAO,EACL,oBAAoB,EACpB,2BAA2B,EAC3B,cAAc,EACd,8BAA8B,EAC9B,yBAAyB,EACzB,gBAAgB,GACjB,MAAM,YAAY,CAAC;AACpB,OAAO,EAAE,6BAA6B,EAAE,MAAM,YAAY,CAAC;AAC3D,OAAO,EAAE,WAAW,EAAE,MAAM,uBAAuB,CAAC;AAEpD,MAAM,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,UAAU,CAAC;AAMzC;;;;;;GAMG;AACH,MAAM,CAAC,MAAM,2BAA2B,GAAG,KAAK,EAC9C,sBAA8C,EAC9C,OAAsC,EAChB,EAAE;IACxB,IAAI,CAAC;QACH,MAAM,kBAAkB,GAAG,MAAM,4BAA4B,CAAC,KAAK,CACjE;YACE,GAAG,sBAAsB;YACzB,WAAW,EAAE,sBAAsB,CAAC,WAAW;SAChD,EACD,OAAO,CACR,CAAC;QACF,8FAA8F;QAC9F,MAAM,eAAe,GAAG,MAAM,kBAAkB,CAAC,uBAAuB,EAAE,CAAC;QAC3E,OAAO,eAAe,CAAC;IACzB,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,MAAM,CAAC,KAAK,CAAC,yBAAyB,EAAE,KAAK,CAAC,CAAC;QAC/C,OAAO,EAAE,aAAa,EAAE,KAAK,EAAE,CAAC;IAClC,CAAC;AACH,CAAC,CAAC;AAEF,4CAA4C;AAC5C;;;;;;;GAOG;AACH,MAAM,SAAS,GAAG,KAAK,EACrB,UAA8B,EAC9B,OAAoB,EACe,EAAE;IACrC,MAAM,sBAAsB,GAAG,iBAAiB,CAAC,UAAU,CAAC,CAAC;IAC7D,MAAM,QAAQ,GAAG,YAAY,CAAC,IAAI,EAAE,CAAC;IACrC,MAAM,YAAY,GAAG;QACnB,GAAG,sBAAsB,EAAE,OAAO,EAAE,MAAM;QAC1C,CAAC,WAAW,CAAC,IAAI,CAAC,EAAE,sBAAsB,EAAE,OAAO,EAAE,IAAI,IAAI,EAAE;KAChE,CAAC;IACF,MAAM,OAAO,GAAG,IAAI,6BAA6B,CAC/C,YAAY,EACZ,OAAO,EACP,QAAQ,CACT,CAAC;IACF,sDAAsD;IACtD,MAAM,OAAO,GAAG,MAAM,2BAA2B,CAC/C,sBAAsB,EACtB,OAAO,CACR,CAAC;IACF,MAAM,gCAAgC,GAAG,2BAA2B,CAClE,OAAO,CAAC,OAAO,CAAC,QAAQ,EACxB,sBAAsB,EACtB,OAAO,CAAC,MAAM,CACf,CAAC;IAEF,MAAM,mCAAmC,GAAG,8BAA8B,CACxE,OAAO,CAAC,OAAO,CAAC,QAAQ,EACxB,sBAAsB,CACvB,CAAC;IACF,MAAM,kBAAkB,GACtB,OAAO,CAAC,OAAO,CAAC,QAAQ,KAAK,sBAAsB,CAAC,QAAQ,CAAC;IAC/D,MAAM,CAAC,KAAK,CAAC,uBAAuB,EAAE;QACpC,aAAa,EAAE,OAAO,CAAC,aAAa;QACpC,QAAQ,EAAE,OAAO,CAAC,OAAO,CAAC,QAAQ;QAClC,kBAAkB;QAClB,oBAAoB,EAAE,oBAAoB,CAAC,OAAO,CAAC;QACnD,2BAA2B,EAAE,gCAAgC;QAC7D,8BAA8B,EAAE,mCAAmC;KACpE,CAAC,CAAC;IAEH,oEAAoE;IACpE,IAAI,gCAAgC,EAAE,CAAC;QACrC,OAAO,QAAQ,CAAC;IAClB,CAAC;IAED,sCAAsC;IACtC,IAAI,kBAAkB,EAAE,CAAC;QACvB,cAAc,CAAC,OAAO,CAAC,OAAO,CAAC,QAAQ,EAAE,OAAO,EAAE,sBAAsB,CAAC,CAAC;QAC1E,OAAO,QAAQ,CAAC,CAAC,mCAAmC;IACtD,CAAC;IAED,uEAAuE;IACvE,IAAI,mCAAmC,EAAE,CAAC;QACxC,OAAO,QAAQ,CAAC;IAClB,CAAC;IAED,mDAAmD;IACnD,IAAI,CAAC,OAAO,CAAC,aAAa,EAAE,CAAC;QAC3B,OAAO,yBAAyB,CAC9B,OAAO,EACP,OAAO,EACP,QAAQ,EACR,OAAO,EACP,sBAAsB,CACvB,CAAC;IACJ,CAAC;IAED,uCAAuC;IACvC,MAAM,CAAC,KAAK,CAAC,iDAAiD,EAAE,QAAQ,CAAC,GAAG,CAAC,CAAC;IAC9E,OAAO,QAAQ,CAAC;AAClB,CAAC,CAAC;AAEF;;;;;;;GAOG;AACH,MAAM,CAAC,MAAM,cAAc,GACzB,CAAC,aAAiC,EAAE,EAAE,EAAE,CACxC,KAAK,EAAE,OAAoB,EAAyB,EAAE;IACpD,MAAM,QAAQ,GAAG,MAAM,SAAS,CAAC,UAAU,EAAE,OAAO,CAAC,CAAC;IACtD,IAAI,QAAQ;QAAE,OAAO,QAAQ,CAAC;IAE9B,mEAAmE;IACnE,wEAAwE;IACxE,OAAO,YAAY,CAAC,IAAI,EAAE,CAAC;AAC7B,CAAC,CAAC;AAEJ;;;;;;;GAOG;AACH,sDAAsD;AACtD,MAAM,UAAU,QAAQ,CACtB,UAAsB;IAEtB,OAAO,IAAI,EAAE,CAAC,UAAU,CAAC,CAAC;AAC5B,CAAC;AAED,MAAM,kBAAkB,GAAG,CAAC,QAAuB,EAAE,EAAE,CACrD,QAAQ,IAAI,QAAQ,CAAC,MAAM,KAAK,GAAG,CAAC;AAEtC;;;;;;;;;;GAUG;AACH,MAAM,UAAU,IAAI,CAAC,aAAiC,EAAE;IACtD,OAAO,CACL,UAAsB,EAC6B,EAAE;QACrD,OAAO,KAAK,EAAE,OAAoB,EAAyB,EAAE;YAC3D,MAAM,QAAQ,GAAG,MAAM,SAAS,CAAC,UAAU,EAAE,OAAO,CAAC,CAAC;YACtD,4EAA4E;YAC5E,6EAA6E;YAC7E,IAAI,QAAQ,IAAI,kBAAkB,CAAC,QAAQ,CAAC,EAAE,CAAC;gBAC7C,MAAM,CAAC,KAAK,CACV,0CAA0C,EAC1C,QAAQ,CAAC,OAAO,CAAC,GAAG,CAAC,UAAU,CAAC,CACjC,CAAC;gBACF,OAAO,QAAQ,CAAC;YAClB,CAAC;YACD,MAAM,kBAAkB,GAAG,MAAM,UAAU,CAAC,OAAO,CAAC,CAAC;YAErD,iEAAiE;YACjE,6DAA6D;YAC7D,0BAA0B;YAC1B,IAAI,QAAQ,EAAE,CAAC;gBACb,gBAAgB,CAAC,QAAQ,EAAE,kBAAkB,CAAC,CAAC;YACjD,CAAC;YACD,OAAO,kBAAkB,CAAC;QAC5B,CAAC,CAAC;IACJ,CAAC,CAAC;AACJ,CAAC","sourcesContent":["/**\n * Authenticates the user on all requests by checking the token cookie\n *\n * Usage:\n * Option 1: use if no other middleware (e.g. no next-intl etc)\n * export default authMiddleware();\n *\n * Option 2: use if other middleware is needed - default auth config\n * export default withAuth((request) => {\n *    logger.debug('in custom middleware', request.nextUrl.pathname);\n *    return NextResponse.next();\n * })\n *\n * Option 3: use if other middleware is needed - specifying auth config\n * const withCivicAuth = auth({ loginUrl: '/login', include: ['/[.*]/user'] })\n * export default withCivicAuth((request) => {\n *   logger.debug('in custom middleware', request.url);\n *   return NextResponse.next();\n * })\n *\n */\nimport type { NextRequest } from \"next/server.js\";\nimport { NextResponse } from \"next/server.js\";\nimport type {\n  AuthConfigWithDefaults,\n  OptionalAuthConfig,\n} from \"@/nextjs/config.js\";\nimport { resolveAuthConfig } from \"@/nextjs/config.js\";\nimport { loggers } from \"@/lib/logger.js\";\nimport { ServerAuthenticationResolver } from \"@/server/ServerAuthenticationResolver.js\";\nimport type { SessionData } from \"@/types.js\";\nimport {\n  shouldAttemptRefresh,\n  shouldSkipAuthForSystemUrls,\n  handleLoginUrl,\n  shouldSkipAuthForRoutePatterns,\n  handleUnauthenticatedUser,\n  copyCivicCookies,\n} from \"./utils.js\";\nimport { NextjsMiddlewareCookieStorage } from \"./utils.js\";\nimport { UserStorage } from \"@/shared/lib/types.js\";\n\nconst logger = loggers.nextjs.middleware;\n\ntype Middleware = (\n  request: NextRequest,\n) => Promise<NextResponse> | NextResponse;\n\n/**\n * use a ServerAuthenticationResolver to validate the existing session\n * using NextJS cookie storage\n * @param authConfigWithDefaults\n * @param request NextRequest object from middleware\n * @returns {Promise<SessionData>}\n */\nexport const validateAuthTokensIfPresent = async (\n  authConfigWithDefaults: AuthConfigWithDefaults,\n  storage: NextjsMiddlewareCookieStorage,\n): Promise<SessionData> => {\n  try {\n    const authSessionService = await ServerAuthenticationResolver.build(\n      {\n        ...authConfigWithDefaults,\n        redirectUrl: authConfigWithDefaults.callbackUrl,\n      },\n      storage,\n    );\n    // validate the existing session and rehydrate and update cookies to the response if necessary\n    const existingSession = await authSessionService.validateExistingSession();\n    return existingSession;\n  } catch (error) {\n    logger.error(\"Error validating tokens\", error);\n    return { authenticated: false };\n  }\n};\n\n// internal - used by all exported functions\n/**\n * Core authentication middleware logic.\n *\n * The Authentication Story:\n * 1. Validate tokens to understand current authentication state\n * 2. Attempt token refresh if needed (the OAuth pipeline approach)\n * 3. Apply route-specific authentication rules based on final state\n */\nconst applyAuth = async (\n  authConfig: OptionalAuthConfig,\n  request: NextRequest,\n): Promise<NextResponse | undefined> => {\n  const authConfigWithDefaults = resolveAuthConfig(authConfig);\n  const response = NextResponse.next();\n  const cookieConfig = {\n    ...authConfigWithDefaults?.cookies?.tokens,\n    [UserStorage.USER]: authConfigWithDefaults?.cookies?.user || {},\n  };\n  const storage = new NextjsMiddlewareCookieStorage(\n    cookieConfig,\n    request,\n    response,\n  );\n  // Step 1: Understand the current authentication state\n  const session = await validateAuthTokensIfPresent(\n    authConfigWithDefaults,\n    storage,\n  );\n  const shouldSkipAuthForSystemUrlsCheck = shouldSkipAuthForSystemUrls(\n    request.nextUrl.pathname,\n    authConfigWithDefaults,\n    request.method,\n  );\n\n  const shouldSkipAuthForRoutePatternsCheck = shouldSkipAuthForRoutePatterns(\n    request.nextUrl.pathname,\n    authConfigWithDefaults,\n  );\n  const pathNameIsLoginUrl =\n    request.nextUrl.pathname === authConfigWithDefaults.loginUrl;\n  logger.debug(\"Authentication state:\", {\n    authenticated: session.authenticated,\n    pathName: request.nextUrl.pathname,\n    pathNameIsLoginUrl,\n    shouldAttemptRefresh: shouldAttemptRefresh(session),\n    shouldSkipAuthForSystemUrls: shouldSkipAuthForSystemUrlsCheck,\n    shouldSkipAuthForRoutePatterns: shouldSkipAuthForRoutePatternsCheck,\n  });\n\n  // Skip authentication for system URLs (callback, challenge, logout)\n  if (shouldSkipAuthForSystemUrlsCheck) {\n    return response;\n  }\n\n  // Handle login URL with special logic\n  if (pathNameIsLoginUrl) {\n    handleLoginUrl(request.nextUrl.pathname, session, authConfigWithDefaults);\n    return response; // Always allow access to login URL\n  }\n\n  // Skip authentication for routes not matching include/exclude patterns\n  if (shouldSkipAuthForRoutePatternsCheck) {\n    return response;\n  }\n\n  // Handle unauthenticated users on protected routes\n  if (!session.authenticated) {\n    return handleUnauthenticatedUser(\n      session,\n      request,\n      response,\n      storage,\n      authConfigWithDefaults,\n    );\n  }\n\n  // Happy ending - authentication passed\n  logger.debug(\"→ Authentication successful, allowing access to\", response.url);\n  return response;\n};\n\n/**\n *\n * Use this when auth is the only middleware you need.\n * Usage:\n *\n * export default authMiddleware({ loginUrl = '/login' }); // or just authMiddleware();\n *\n */\nexport const authMiddleware =\n  (authConfig: OptionalAuthConfig = {}) =>\n  async (request: NextRequest): Promise<NextResponse> => {\n    const response = await applyAuth(authConfig, request);\n    if (response) return response;\n\n    // NextJS doesn't do middleware chaining yet, so this does not mean\n    // \"call the next middleware\" - it means \"continue to the route handler\"\n    return NextResponse.next();\n  };\n\n/**\n * Usage:\n *\n * export default withAuth(async (request) => {\n *    logger.debug('my middleware');\n *    return NextResponse.next();\n *  })\n */\n// use this when you have your own middleware to chain\nexport function withAuth(\n  middleware: Middleware,\n): (request: NextRequest) => Promise<NextResponse> {\n  return auth()(middleware);\n}\n\nconst isRedirectResponse = (response?: NextResponse) =>\n  response && response.status === 307;\n\n/**\n * Use this when you want to configure the middleware here (an alternative is to do it in the next.config file)\n *\n * Usage:\n *\n * export default auth(authConfig: AuthConfig ) => {\n *    logger.debug('my middleware');\n *    return NextResponse.next();\n *  })\n *\n */\nexport function auth(authConfig: OptionalAuthConfig = {}) {\n  return (\n    middleware: Middleware,\n  ): ((request: NextRequest) => Promise<NextResponse>) => {\n    return async (request: NextRequest): Promise<NextResponse> => {\n      const response = await applyAuth(authConfig, request);\n      // if the response is redirected it means that the user is not authenticated\n      // so we skip the rest of the custom middleware to redirect to the login page\n      if (response && isRedirectResponse(response)) {\n        logger.debug(\n          \"User is unauthenticated, redirecting to \",\n          response.headers.get(\"location\"),\n        );\n        return response;\n      }\n      const middlewareResponse = await middleware(request);\n\n      // we need to ensure that the civic cookies that were potentially\n      // added by CivicAuth are set on the final response after all\n      // middleware has been run\n      if (response) {\n        copyCivicCookies(response, middlewareResponse);\n      }\n      return middlewareResponse;\n    };\n  };\n}\n"]}

package/dist/nextjs/routeHandler.d.ts

@@ -13,6 +13,9 @@ export declare function handleLogoutCallback(request: NextRequest, config: AuthC
  * export const GET = handler({
  *   // optional config overrides
  * })
+ * export const POST = handler({
+ *   // optional config overrides
+ * })
  * ```
  */
 export declare const handler: (authConfig?: {}) => (request: NextRequest) => Promise<NextResponse>;

package/dist/nextjs/routeHandler.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"routeHandler.d.ts","sourceRoot":"","sources":["../../src/nextjs/routeHandler.ts"],"names":[],"mappings":"AAIA,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,oBAAoB,CAAC;AAKrD,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,gBAAgB,CAAC;AAClD,OAAO,EAAE,YAAY,EAAE,MAAM,gBAAgB,CAAC;AAsR9C,wBAAsB,YAAY,CAChC,OAAO,EAAE,WAAW,EACpB,MAAM,EAAE,UAAU,GACjB,OAAO,CAAC,YAAY,CAAC,CA2EvB;AAED,wBAAsB,oBAAoB,CACxC,OAAO,EAAE,WAAW,EACpB,MAAM,EAAE,UAAU,GACjB,OAAO,CAAC,YAAY,CAAC,CA4DvB;AAED;;;;;;;;;;;GAWG;AACH,eAAO,MAAM,OAAO,iCAEF,WAAW,KAAG,OAAO,CAAC,YAAY,CAqCjD,CAAC"}
+{"version":3,"file":"routeHandler.d.ts","sourceRoot":"","sources":["../../src/nextjs/routeHandler.ts"],"names":[],"mappings":"AAIA,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,oBAAoB,CAAC;AAKrD,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,gBAAgB,CAAC;AAClD,OAAO,EAAE,YAAY,EAAE,MAAM,gBAAgB,CAAC;AAsR9C,wBAAsB,YAAY,CAChC,OAAO,EAAE,WAAW,EACpB,MAAM,EAAE,UAAU,GACjB,OAAO,CAAC,YAAY,CAAC,CA2EvB;AAED,wBAAsB,oBAAoB,CACxC,OAAO,EAAE,WAAW,EACpB,MAAM,EAAE,UAAU,GACjB,OAAO,CAAC,YAAY,CAAC,CA4DvB;AAED;;;;;;;;;;;;;;GAcG;AACH,eAAO,MAAM,OAAO,iCAEF,WAAW,KAAG,OAAO,CAAC,YAAY,CAqCjD,CAAC"}

package/dist/nextjs/routeHandler.js

@@ -301,6 +301,9 @@ export async function handleLogoutCallback(request, config) {
  * export const GET = handler({
  *   // optional config overrides
  * })
+ * export const POST = handler({
+ *   // optional config overrides
+ * })
  * ```
  */
 export const handler = (authConfig = {}) => async (request) => {
@@ -346,7 +349,10 @@ async function handleUser(request, config) {
         const { civicAuth } = createCivicAuth(request, resolvedConfigs);
         const isLoggedIn = await civicAuth.isLoggedIn();
         if (!isLoggedIn) {
-            return NextResponse.json({ error: "Not authenticated" }, { status: 401 });
+            const statusCode = request.nextUrl.searchParams.get("optimisticRehydration")
+                ? 202
+                : 401;
+            return NextResponse.json({ error: "Not authenticated" }, { status: statusCode });
         }
         const user = await civicAuth.getUser();
         return NextResponse.json({ user });

package/dist/nextjs/routeHandler.js.map

@@ -1 +1 @@
-{"version":3,"file":"routeHandler.js","sourceRoot":"","sources":["../../src/nextjs/routeHandler.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,SAAS,EAA4B,MAAM,oBAAoB,CAAC;AACzE,OAAO,EAAE,mBAAmB,EAAE,MAAM,gBAAgB,CAAC;AACrD,OAAO,EAAE,OAAO,EAAE,MAAM,iBAAiB,CAAC;AAC1C,OAAO,EAAE,oBAAoB,EAAE,MAAM,gBAAgB,CAAC;AAEtD,OAAO,EAAE,iBAAiB,EAAE,MAAM,oBAAoB,CAAC;AACvD,OAAO,EAAE,gBAAgB,EAAE,mBAAmB,EAAE,MAAM,qBAAqB,CAAC;AAC5E,OAAO,EAAE,YAAY,EAAE,WAAW,EAAE,MAAM,uBAAuB,CAAC;AAClE,OAAO,EAAE,cAAc,EAAE,MAAM,eAAe,CAAC;AAE/C,OAAO,EAAE,YAAY,EAAE,MAAM,gBAAgB,CAAC;AAC9C,OAAO,EAAE,eAAe,EAAE,oBAAoB,EAAE,MAAM,YAAY,CAAC;AAEnE,MAAM,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC;AAE5C,MAAM,SAAU,SAAQ,KAAK;IAGT;IAFlB,YACE,OAAe,EACC,SAAiB,GAAG;QAEpC,KAAK,CAAC,OAAO,CAAC,CAAC;QAFC,WAAM,GAAN,MAAM,CAAc;QAGpC,IAAI,CAAC,IAAI,GAAG,WAAW,CAAC;IAC1B,CAAC;CACF;AAED;;GAEG;AACH,MAAM,qBAAqB,GAAG,CAAC,OAAoB,EAAuB,EAAE,CAAC,CAAC;IAC5E,GAAG,EAAE,OAAO,CAAC,GAAG;IAChB,OAAO,EAAE,MAAM,CAAC,WAAW,CAAC,OAAO,CAAC,OAAO,CAAC,OAAO,EAAE,CAAC;IACtD,YAAY,EAAE;QACZ,GAAG,EAAE,CAAC,IAAY,EAAE,EAAE,CAAC,OAAO,CAAC,OAAO,CAAC,YAAY,CAAC,GAAG,CAAC,IAAI,CAAC;KAC9D;IACD,OAAO,EAAE;QACP,GAAG,EAAE,CAAC,IAAY,EAAE,EAAE,CAAC,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC;KACjD;CACF,CAAC,CAAC;AAEH;;;GAGG;AACH,MAAM,eAAe,GAAG,CAAC,OAAoB,EAAE,MAAkB,EAAE,EAAE;IACnE,MAAM,cAAc,GAAG,iBAAiB,CAAC,MAAM,CAAC,CAAC;IACjD,MAAM,aAAa,GAAG,IAAI,mBAAmB,CAAC;QAC5C,GAAG,cAAc,CAAC,OAAO,EAAE,MAAM;QACjC,CAAC,WAAW,CAAC,IAAI,CAAC,EAAE,cAAc,CAAC,OAAO,EAAE,IAAI;KACjD,CAAC,CAAC;IAEH,+CAA+C;IAC/C,MAAM,mBAAmB,GAAG,qBAAqB,CAAC,OAAO,CAAC,CAAC;IAE3D,kDAAkD;IAClD,MAAM,YAAY,GAAG,SAAS,CAAC,SAAS,CAAC,mBAAmB,CAAC,CAAC;IAE9D,mEAAmE;IACnE,mEAAmE;IACnE,MAAM,MAAM,GACV,cAAc,CAAC,OAAO;QACtB,YAAY;QACZ,IAAI,GAAG,CAAC,mBAAmB,CAAC,GAAG,CAAC,CAAC,MAAM,CAAC;IAE1C,8DAA8D;IAC9D,MAAM,mBAAmB,GAAG,cAAc,CAAC,WAAW,CAAC,UAAU,CAAC,MAAM,CAAC;QACvE,CAAC,CAAC,cAAc,CAAC,WAAW;QAC5B,CAAC,CAAC,SAAS,CAAC,aAAa,CACrB,mBAAmB,EACnB,cAAc,CAAC,WAAW,EAC1B,MAAM,CACP,CAAC;IACN,MAAM,yBAAyB,GAAG,cAAc,CAAC,iBAAiB,CAAC,UAAU,CAC3E,MAAM,CACP;QACC,CAAC,CAAC,cAAc,CAAC,iBAAiB;QAClC,CAAC,CAAC,SAAS,CAAC,aAAa,CACrB,mBAAmB,EACnB,cAAc,CAAC,iBAAiB,EAChC,MAAM,CACP,CAAC;IAEN,MAAM,SAAS,GAAG,IAAI,SAAS,CAAC,aAAa,EAAE;QAC7C,QAAQ,EAAE,cAAc,CAAC,QAAQ;QACjC,WAAW,EAAE,mBAAmB;QAChC,WAAW,EAAE,cAAc,CAAC,WAAW;QACvC,qBAAqB,EAAE,yBAAyB;QAChD,eAAe,EAAE,OAAO,CAAC,GAAG;KAC7B,CAAC,CAAC;IAEH,OAAO;QACL,SAAS;QACT,aAAa;QACb,MAAM,EAAE,2CAA2C;QACnD,mBAAmB,EAAE,6BAA6B;KACnD,CAAC;AACJ,CAAC,CAAC;AAEF;;;GAGG;AACH,KAAK,UAAU,WAAW,CACxB,OAAoB,EACpB,MAAkB;IAElB,MAAM,eAAe,GAAG,iBAAiB,CAAC,MAAM,CAAC,CAAC;IAElD,IAAI,CAAC;QACH,MAAM,aAAa,GAAG,OAAO,CAAC,OAAO,CAAC,YAAY,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;QAEhE,wDAAwD;QACxD,MAAM,eAAe,GAAG,OAAO,CAAC,OAAO,CAAC,YAAY,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;QACnE,IAAI,eAAe,EAAE,CAAC;YACpB,MAAM,aAAa,GAAG,IAAI,mBAAmB,CAC3C,eAAe,CAAC,OAAO,EAAE,MAAM,IAAI,EAAE,CACtC,CAAC;YACF,MAAM,aAAa,CAAC,GAAG,CAAC,YAAY,CAAC,OAAO,EAAE,eAAe,CAAC,CAAC;QACjE,CAAC;QAED,MAAM,EAAE,SAAS,EAAE,GAAG,eAAe,CAAC,OAAO,EAAE,eAAe,CAAC,CAAC;QAEhE,MAAM,GAAG,GAAG,MAAM,SAAS,CAAC,aAAa,CAAC;YACxC,KAAK,EAAE,aAAa,IAAI,SAAS;SAClC,CAAC,CAAC;QAEH,MAAM,CAAC,IAAI,CAAC,gDAAgD,EAAE;YAC5D,QAAQ,EAAE,GAAG,CAAC,QAAQ,EAAE;SACzB,CAAC,CAAC;QAEH,OAAO,YAAY,CAAC,QAAQ,CAAC,GAAG,CAAC,QAAQ,EAAE,CAAC,CAAC;IAC/C,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,MAAM,CAAC,KAAK,CAAC,sCAAsC,EAAE,KAAK,CAAC,CAAC;QAC5D,MAAM,mBAAmB,GAAG,qBAAqB,CAAC,OAAO,CAAC,CAAC;QAC3D,MAAM,MAAM,GAAG,SAAS,CAAC,SAAS,CAAC,mBAAmB,CAAC,CAAC;QACxD,OAAO,YAAY,CAAC,QAAQ,CAC1B,SAAS,CAAC,aAAa,CACrB,mBAAmB,EACnB,sBAAsB,EACtB,MAAM,CACP,CACF,CAAC;IACJ,CAAC;AACH,CAAC;AAED,KAAK,UAAU,aAAa,CAC1B,OAAoB,EACpB,MAAkB;IAElB,MAAM,eAAe,GAAG,iBAAiB,CAAC,MAAM,CAAC,CAAC;IAElD,IAAI,CAAC;QACH,MAAM,EAAE,SAAS,EAAE,GAAG,eAAe,CAAC,OAAO,EAAE,eAAe,CAAC,CAAC;QAEhE,MAAM,SAAS,CAAC,aAAa,EAAE,CAAC;QAEhC,MAAM,CAAC,IAAI,CAAC,iDAAiD,CAAC,CAAC;QAE/D,MAAM,SAAS,GAAG,OAAO,CAAC,OAAO,CAAC,YAAY,CAAC,GAAG,CAAC,WAAW,CAAC,CAAC;QAChE,IAAI,SAAS,EAAE,CAAC;YACd,4EAA4E;YAC5E,MAAM,QAAQ,GAAG,YAAY,CAAC,QAAQ,CAAC,SAAS,CAAC,CAAC;YAClD,QAAQ,CAAC,OAAO,CAAC,MAAM,CAAC,qBAAqB,CAAC,CAAC;YAC/C,OAAO,QAAQ,CAAC;QAClB,CAAC;QAED,OAAO,YAAY,CAAC,IAAI,CAAC;YACvB,MAAM,EAAE,SAAS;YACjB,OAAO,EAAE,kBAAkB;SAC5B,CAAC,CAAC;IACL,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,MAAM,CAAC,KAAK,CAAC,wCAAwC,EAAE,KAAK,CAAC,CAAC;QAC9D,MAAM,SAAS,GAAG,OAAO,CAAC,OAAO,CAAC,YAAY,CAAC,GAAG,CAAC,WAAW,CAAC,CAAC;QAChE,IAAI,SAAS,EAAE,CAAC;YACd,OAAO,YAAY,CAAC,QAAQ,CAAC,SAAS,CAAC,CAAC;QAC1C,CAAC;QACD,OAAO,YAAY,CAAC,IAAI,CACtB,EAAE,KAAK,EAAE,sBAAsB,EAAE,EACjC,EAAE,MAAM,EAAE,GAAG,EAAE,CAChB,CAAC;IACJ,CAAC;AACH,CAAC;AAED,KAAK,UAAU,cAAc,CAC3B,OAAoB,EACpB,MAAkB;IAElB,MAAM,eAAe,GAAG,iBAAiB,CAAC,MAAM,CAAC,CAAC;IAClD,MAAM,IAAI,GAAG,OAAO,CAAC,OAAO,CAAC,YAAY,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;IACtD,MAAM,KAAK,GAAG,OAAO,CAAC,OAAO,CAAC,YAAY,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;IACxD,MAAM,KAAK,GAAG,OAAO,CAAC,OAAO,CAAC,YAAY,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;IAExD,IAAI,KAAK,EAAE,CAAC;QACV,MAAM,CAAC,KAAK,CAAC,0BAA0B,EAAE,KAAK,CAAC,CAAC;QAChD,MAAM,mBAAmB,GAAG,qBAAqB,CAAC,OAAO,CAAC,CAAC;QAC3D,MAAM,MAAM,GAAG,SAAS,CAAC,SAAS,CAAC,mBAAmB,CAAC,CAAC;QACxD,OAAO,YAAY,CAAC,QAAQ,CAC1B,SAAS,CAAC,aAAa,CACrB,mBAAmB,EACnB,qBAAqB,EACrB,MAAM,CACP,CACF,CAAC;IACJ,CAAC;IAED,IAAI,CAAC,IAAI,IAAI,CAAC,KAAK;QAAE,MAAM,IAAI,SAAS,CAAC,gBAAgB,EAAE,GAAG,CAAC,CAAC;IAEhE,IAAI,CAAC;QACH,MAAM,EAAE,SAAS,EAAE,MAAM,EAAE,mBAAmB,EAAE,GAAG,eAAe,CAChE,OAAO,EACP,eAAe,CAChB,CAAC;QAEF,+DAA+D;QAC/D,MAAM,qBAAqB,GAAG;YAC5B,OAAO,EAAE,MAAM,CAAC,WAAW,CAAC,OAAO,CAAC,OAAO,CAAC,OAAO,EAAE,CAAC;YACtD,GAAG,EAAE,OAAO,CAAC,GAAG,CAAC,QAAQ,EAAE;SAC5B,CAAC;QAEF,mDAAmD;QACnD,MAAM,eAAe,GAAG,SAAS,CAAC,kBAAkB,CAClD,mBAAmB,EACnB,MAAM,CACP,CAAC;QACF,MAAM,WAAW,GACf,eAAe,IAAI,eAAe,CAAC,eAAe,IAAI,GAAG,CAAC;QAE5D,yCAAyC;QACzC,MAAM,MAAM,GAAG,MAAM,SAAS,CAAC,cAAc,CAC3C;YACE,IAAI;YACJ,KAAK;YACL,GAAG,EAAE,qBAAqB;SAC3B,EACD;YACE,yCAAyC;YACzC,WAAW,EAAE,eAAe,CAAC,WAAW,EAAE,MAAM,CAAC,QAAQ,IAAI,EAAE,CAAC;SACjE,CACF,CAAC;QAEF,IAAI,MAAM,CAAC,UAAU,EAAE,CAAC;YACtB,OAAO,oBAAoB,CACzB,MAAM,EACN,SAAS,CAAC,aAAa,CAAC,mBAAmB,EAAE,MAAM,CAAC,UAAU,EAAE,MAAM,CAAC,CACxE,CAAC;QACJ,CAAC;QAED,IAAI,MAAM,CAAC,OAAO,EAAE,CAAC;YACnB,gDAAgD;YAChD,IAAI,OAAO,MAAM,CAAC,OAAO,KAAK,QAAQ,EAAE,CAAC;gBACvC,OAAO,IAAI,YAAY,CAAC,MAAM,CAAC,OAAO,EAAE;oBACtC,MAAM,EAAE,GAAG;oBACX,OAAO,EAAE;wBACP,cAAc,EAAE,WAAW;qBAC5B;iBACF,CAAC,CAAC;YACL,CAAC;iBAAM,CAAC;gBACN,iCAAiC;gBACjC,OAAO,YAAY,CAAC,IAAI,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC;YAC3C,CAAC;QACH,CAAC;QAED,oBAAoB;QACpB,OAAO,YAAY,CAAC,QAAQ,CAC1B,SAAS,CAAC,aAAa,CAAC,mBAAmB,EAAE,GAAG,EAAE,MAAM,CAAC,CAC1D,CAAC;IACJ,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,MAAM,CAAC,KAAK,CAAC,0CAA0C,EAAE,KAAK,CAAC,CAAC;QAChE,MAAM,mBAAmB,GAAG,qBAAqB,CAAC,OAAO,CAAC,CAAC;QAC3D,MAAM,MAAM,GAAG,SAAS,CAAC,SAAS,CAAC,mBAAmB,CAAC,CAAC;QACxD,OAAO,YAAY,CAAC,QAAQ,CAC1B,SAAS,CAAC,aAAa,CACrB,mBAAmB,EACnB,yBAAyB,EACzB,MAAM,CACP,CACF,CAAC;IACJ,CAAC;AACH,CAAC;AAED,MAAM,iBAAiB,GAAG,KAAK,EAAE,GAAW,EAAE,EAAE;IAC9C,IAAI,CAAC;QACH,MAAM,IAAI,GAAG,IAAI,GAAG,CAAC,GAAG,CAAC,CAAC,QAAQ,CAAC;QACnC,cAAc,CAAC,IAAI,CAAC,CAAC;IACvB,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,MAAM,CAAC,IAAI,CAAC,yCAAyC,EAAE,KAAK,CAAC,CAAC;IAChE,CAAC;AACH,CAAC,CAAC;AAEF,MAAM,CAAC,KAAK,UAAU,YAAY,CAChC,OAAoB,EACpB,MAAkB;IAElB,MAAM,eAAe,GAAG,iBAAiB,CAAC,MAAM,CAAC,CAAC;IAElD,mDAAmD;IACnD,MAAM,mBAAmB,GAAG,qBAAqB,CAAC,OAAO,CAAC,CAAC;IAC3D,MAAM,MAAM,GAAG,SAAS,CAAC,SAAS,CAAC,mBAAmB,CAAC,CAAC;IAExD,2CAA2C;IAC3C,MAAM,KAAK,GAAG,OAAO,CAAC,OAAO,CAAC,YAAY,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;IACxD,MAAM,uBAAuB,GAC3B,OAAO,CAAC,OAAO,CAAC,YAAY,CAAC,GAAG,CAAC,mBAAmB,CAAC,CAAC;IAExD,IAAI,CAAC;QACH,MAAM,CAAC,IAAI,CAAC,iDAAiD,CAAC,CAAC;QAE/D,8DAA8D;QAC9D,IAAI,WAAW,GAAG,eAAe,CAAC;QAClC,IAAI,uBAAuB,EAAE,CAAC;YAC5B,WAAW,GAAG;gBACZ,GAAG,eAAe;gBAClB,iBAAiB,EAAE,uBAAuB;aAC3C,CAAC;YACF,MAAM,CAAC,IAAI,CAAC,iDAAiD,EAAE;gBAC7D,QAAQ,EAAE,eAAe,CAAC,iBAAiB;gBAC3C,QAAQ,EAAE,uBAAuB;aAClC,CAAC,CAAC;QACL,CAAC;QAED,MAAM,EAAE,SAAS,EAAE,GAAG,eAAe,CAAC,OAAO,EAAE,WAAW,CAAC,CAAC;QAE5D,qDAAqD;QACrD,+EAA+E;QAC/E,MAAM,CAAC,IAAI,CAAC,4CAA4C,EAAE;YACxD,KAAK,EAAE,CAAC,CAAC,KAAK;SACf,CAAC,CAAC;QAEH,8DAA8D;QAC9D,6EAA6E;QAC7E,MAAM,SAAS,GAAG,MAAM,SAAS,CAAC,sBAAsB,CAAC;YACvD,KAAK,EAAE,KAAK,IAAI,SAAS;SAC1B,CAAC,CAAC;QAEH,IAAI,CAAC;YACH,MAAM,gBAAgB,CAAC,eAAe,CAAC,CAAC;YAExC,8EAA8E;YAC9E,MAAM,iBAAiB,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;QACvC,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,MAAM,CAAC,KAAK,CAAC,yCAAyC,EAAE,KAAK,CAAC,CAAC;QACjE,CAAC;QAED,sFAAsF;QACtF,MAAM,cAAc,GAAG,IAAI,GAAG,CAAC,SAAS,CAAC,CAAC;QAC1C,cAAc,CAAC,YAAY,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC;QAE5C,MAAM,CAAC,IAAI,CAAC,uDAAuD,EAAE;YACnE,SAAS,EAAE,cAAc,CAAC,QAAQ,EAAE;SACrC,CAAC,CAAC;QAEH,OAAO,YAAY,CAAC,QAAQ,CAAC,cAAc,CAAC,QAAQ,EAAE,CAAC,CAAC;IAC1D,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,MAAM,CAAC,KAAK,CAAC,gCAAgC,EAAE,KAAK,CAAC,CAAC;QACtD,oEAAoE;QACpE,MAAM,gBAAgB,CAAC,eAAe,CAAC,CAAC;QAExC,MAAM,WAAW,GACf,uBAAuB,IAAI,eAAe,CAAC,iBAAiB,CAAC;QAC/D,MAAM,gBAAgB,GAAG,SAAS,CAAC,aAAa,CAC9C,mBAAmB,EACnB,WAAW,EACX,MAAM,CACP,CAAC;QAEF,OAAO,YAAY,CAAC,QAAQ,CAAC,gBAAgB,CAAC,CAAC;IACjD,CAAC;AACH,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,oBAAoB,CACxC,OAAoB,EACpB,MAAkB;IAElB,MAAM,eAAe,GAAG,iBAAiB,CAAC,MAAM,CAAC,CAAC;IAElD,IAAI,CAAC;QACH,MAAM,CAAC,IAAI,CACT,mEAAmE,CACpE,CAAC;QAEF,+BAA+B;QAC/B,MAAM,gBAAgB,CAAC,eAAe,CAAC,CAAC;QAExC,+DAA+D;QAC/D,MAAM,mBAAmB,GAAG,qBAAqB,CAAC,OAAO,CAAC,CAAC;QAC3D,MAAM,EAAE,SAAS,EAAE,GAAG,eAAe,CAAC,OAAO,EAAE,eAAe,CAAC,CAAC;QAEhE,+CAA+C;QAC/C,MAAM,KAAK,GAAG,OAAO,CAAC,OAAO,CAAC,YAAY,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;QAExD,uEAAuE;QACvE,IAAI,KAAK,IAAI,oBAAoB,CAAC,KAAK,EAAE,QAAQ,CAAC,KAAK,QAAQ,EAAE,CAAC;YAChE,oEAAoE;YACpE,MAAM,qBAAqB,GACzB,SAAS,CAAC,wBAAwB,CAAC,mBAAmB,CAAC,CAAC;YAC1D,MAAM,QAAQ,GAAG,IAAI,YAAY,CAC/B,8CAA8C,mBAAmB,YAAY,qBAAqB,gEAAgE,CACnK,CAAC;YACF,QAAQ,CAAC,OAAO,CAAC,GAAG,CAAC,cAAc,EAAE,0BAA0B,CAAC,CAAC;YACjE,MAAM,CAAC,IAAI,CACT,gEAAgE,EAChE,EAAE,qBAAqB,EAAE,CAC1B,CAAC;YACF,OAAO,QAAQ,CAAC;QAClB,CAAC;QAED,kFAAkF;QAClF,MAAM,WAAW,GAAG,SAAS,CAAC,wBAAwB,CAAC,mBAAmB,CAAC,CAAC;QAC5E,MAAM,CAAC,IAAI,CACT,8DAA8D,EAC9D;YACE,iBAAiB,EAAE,eAAe,CAAC,iBAAiB;YACpD,WAAW;SACZ,CACF,CAAC;QAEF,mFAAmF;QACnF,MAAM,iBAAiB,CAAC,WAAW,CAAC,CAAC;QACrC,OAAO,oBAAoB,CAAC,MAAM,EAAE,WAAW,CAAC,CAAC;IACnD,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,MAAM,CAAC,KAAK,CAAC,kDAAkD,EAAE,KAAK,CAAC,CAAC;QACxE,MAAM,mBAAmB,GAAG,qBAAqB,CAAC,OAAO,CAAC,CAAC;QAC3D,MAAM,MAAM,GAAG,SAAS,CAAC,SAAS,CAAC,mBAAmB,CAAC,CAAC;QACxD,OAAO,oBAAoB,CACzB,MAAM,EACN,SAAS,CAAC,aAAa,CACrB,mBAAmB,EACnB,eAAe,CAAC,iBAAiB,EACjC,MAAM,CACP,CACF,CAAC;IACJ,CAAC;AACH,CAAC;AAED;;;;;;;;;;;GAWG;AACH,MAAM,CAAC,MAAM,OAAO,GAClB,CAAC,UAAU,GAAG,EAAE,EAAE,EAAE,CACpB,KAAK,EAAE,OAAoB,EAAyB,EAAE;IACpD,MAAM,MAAM,GAAG,iBAAiB,CAAC,UAAU,CAAC,CAAC;IAE7C,IAAI,CAAC;QACH,MAAM,QAAQ,GAAG,OAAO,CAAC,OAAO,CAAC,QAAQ,CAAC;QAC1C,MAAM,YAAY,GAAG,QAAQ,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;QACzC,MAAM,WAAW,GAAG,YAAY,CAAC,YAAY,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC;QAE1D,QAAQ,WAAW,EAAE,CAAC;YACpB,KAAK,WAAW,CAAC;YACjB,KAAK,OAAO;gBACV,OAAO,MAAM,WAAW,CAAC,OAAO,EAAE,MAAM,CAAC,CAAC;YAC5C,KAAK,UAAU;gBACb,OAAO,MAAM,cAAc,CAAC,OAAO,EAAE,MAAM,CAAC,CAAC;YAC/C,KAAK,SAAS;gBACZ,OAAO,MAAM,aAAa,CAAC,OAAO,EAAE,MAAM,CAAC,CAAC;YAC9C,KAAK,QAAQ;gBACX,OAAO,MAAM,YAAY,CAAC,OAAO,EAAE,MAAM,CAAC,CAAC;YAC7C,KAAK,gBAAgB;gBACnB,OAAO,MAAM,oBAAoB,CAAC,OAAO,EAAE,MAAM,CAAC,CAAC;YACrD,KAAK,MAAM;gBACT,OAAO,MAAM,UAAU,CAAC,OAAO,EAAE,MAAM,CAAC,CAAC;YAC3C;gBACE,MAAM,IAAI,SAAS,CAAC,uBAAuB,QAAQ,EAAE,EAAE,GAAG,CAAC,CAAC;QAChE,CAAC;IACH,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,MAAM,CAAC,KAAK,CAAC,qBAAqB,EAAE,KAAK,CAAC,CAAC;QAE3C,MAAM,MAAM,GAAG,KAAK,YAAY,SAAS,CAAC,CAAC,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC,GAAG,CAAC;QAC/D,MAAM,OAAO,GACX,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,uBAAuB,CAAC;QAEnE,MAAM,QAAQ,GAAG,YAAY,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,OAAO,EAAE,EAAE,EAAE,MAAM,EAAE,CAAC,CAAC;QAEnE,MAAM,gBAAgB,CAAC,MAAM,CAAC,CAAC;QAC/B,OAAO,QAAQ,CAAC;IAClB,CAAC;AACH,CAAC,CAAC;AAEJ;;;GAGG;AACH,KAAK,UAAU,UAAU,CACvB,OAAoB,EACpB,MAAkB;IAElB,MAAM,eAAe,GAAG,iBAAiB,CAAC,MAAM,CAAC,CAAC;IAElD,IAAI,CAAC;QACH,MAAM,EAAE,SAAS,EAAE,GAAG,eAAe,CAAC,OAAO,EAAE,eAAe,CAAC,CAAC;QAEhE,MAAM,UAAU,GAAG,MAAM,SAAS,CAAC,UAAU,EAAE,CAAC;QAEhD,IAAI,CAAC,UAAU,EAAE,CAAC;YAChB,OAAO,YAAY,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,mBAAmB,EAAE,EAAE,EAAE,MAAM,EAAE,GAAG,EAAE,CAAC,CAAC;QAC5E,CAAC;QAED,MAAM,IAAI,GAAG,MAAM,SAAS,CAAC,OAAO,EAAE,CAAC;QAEvC,OAAO,YAAY,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,CAAC,CAAC;IACrC,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,MAAM,CAAC,KAAK,CAAC,qCAAqC,EAAE,KAAK,CAAC,CAAC;QAC3D,OAAO,YAAY,CAAC,IAAI,CACtB,EAAE,KAAK,EAAE,uBAAuB,EAAE,EAClC,EAAE,MAAM,EAAE,GAAG,EAAE,CAChB,CAAC;IACJ,CAAC;AACH,CAAC","sourcesContent":["import { CivicAuth, type UrlDetectionRequest } from \"@civic/auth/server\";\nimport { LOGOUT_SUCCESS_TEXT } from \"@/constants.js\";\nimport { loggers } from \"@/lib/logger.js\";\nimport { displayModeFromState } from \"@/lib/oauth.js\";\nimport type { AuthConfig } from \"@/nextjs/config.js\";\nimport { resolveAuthConfig } from \"@/nextjs/config.js\";\nimport { clearAuthCookies, NextjsCookieStorage } from \"@/nextjs/cookies.js\";\nimport { CodeVerifier, UserStorage } from \"@/shared/lib/types.js\";\nimport { revalidatePath } from \"next/cache.js\";\nimport type { NextRequest } from \"next/server.js\";\nimport { NextResponse } from \"next/server.js\";\nimport { prependBasePath, redirectWithBasePath } from \"./utils.js\";\n\nconst logger = loggers.nextjs.handlers.auth;\n\nclass AuthError extends Error {\n  constructor(\n    message: string,\n    public readonly status: number = 401,\n  ) {\n    super(message);\n    this.name = \"AuthError\";\n  }\n}\n\n/**\n * Helper to convert NextRequest to UrlDetectionRequest for framework-agnostic URL handling\n */\nconst toUrlDetectionRequest = (request: NextRequest): UrlDetectionRequest => ({\n  url: request.url,\n  headers: Object.fromEntries(request.headers.entries()),\n  searchParams: {\n    get: (name: string) => request.nextUrl.searchParams.get(name),\n  },\n  cookies: {\n    get: (name: string) => request.cookies.get(name),\n  },\n});\n\n/**\n * Helper to create CivicAuth instance for a request\n * Now handles appUrl detection for proxy environments\n */\nconst createCivicAuth = (request: NextRequest, config: AuthConfig) => {\n  const resolvedConfig = resolveAuthConfig(config);\n  const cookieStorage = new NextjsCookieStorage({\n    ...resolvedConfig.cookies?.tokens,\n    [UserStorage.USER]: resolvedConfig.cookies?.user,\n  });\n\n  // Convert to framework-agnostic request format\n  const urlDetectionRequest = toUrlDetectionRequest(request);\n\n  // Get appUrl from client (for proxy environments)\n  const clientAppUrl = CivicAuth.getAppUrl(urlDetectionRequest);\n\n  // Use baseUrl from config, then client appUrl, then request origin\n  // This matches the main branch priority: config > client > request\n  const appUrl =\n    resolvedConfig.baseUrl ||\n    clientAppUrl ||\n    new URL(urlDetectionRequest.url).origin;\n\n  // Build absolute URLs using detected appUrl or request origin\n  const absoluteCallbackUrl = resolvedConfig.callbackUrl.startsWith(\"http\")\n    ? resolvedConfig.callbackUrl\n    : CivicAuth.toAbsoluteUrl(\n        urlDetectionRequest,\n        resolvedConfig.callbackUrl,\n        appUrl,\n      );\n  const absoluteLogoutCallbackUrl = resolvedConfig.logoutCallbackUrl.startsWith(\n    \"http\",\n  )\n    ? resolvedConfig.logoutCallbackUrl\n    : CivicAuth.toAbsoluteUrl(\n        urlDetectionRequest,\n        resolvedConfig.logoutCallbackUrl,\n        appUrl,\n      );\n\n  const civicAuth = new CivicAuth(cookieStorage, {\n    clientId: resolvedConfig.clientId,\n    redirectUrl: absoluteCallbackUrl,\n    oauthServer: resolvedConfig.oauthServer,\n    postLogoutRedirectUrl: absoluteLogoutCallbackUrl,\n    loginSuccessUrl: request.url,\n  });\n\n  return {\n    civicAuth,\n    cookieStorage,\n    appUrl, // Return appUrl for use in other functions\n    urlDetectionRequest, // Return for use in handlers\n  };\n};\n\n/**\n * Login handler - backend OAuth login initiation endpoint\n * Uses CivicAuth.buildLoginUrl()\n */\nasync function handleLogin(\n  request: NextRequest,\n  config: AuthConfig,\n): Promise<NextResponse> {\n  const resolvedConfigs = resolveAuthConfig(config);\n\n  try {\n    const frontendState = request.nextUrl.searchParams.get(\"state\");\n\n    // Store appUrl in cookie if provided as query parameter\n    const appUrlFromQuery = request.nextUrl.searchParams.get(\"appUrl\");\n    if (appUrlFromQuery) {\n      const cookieStorage = new NextjsCookieStorage(\n        resolvedConfigs.cookies?.tokens ?? {},\n      );\n      await cookieStorage.set(CodeVerifier.APP_URL, appUrlFromQuery);\n    }\n\n    const { civicAuth } = createCivicAuth(request, resolvedConfigs);\n\n    const url = await civicAuth.buildLoginUrl({\n      state: frontendState || undefined,\n    });\n\n    logger.info(\"[LOGIN_HANDLER] Redirecting to OAuth login URL\", {\n      loginUrl: url.toString(),\n    });\n\n    return NextResponse.redirect(url.toString());\n  } catch (error) {\n    logger.error(\"[LOGIN_HANDLER] Backend login error:\", error);\n    const urlDetectionRequest = toUrlDetectionRequest(request);\n    const appUrl = CivicAuth.getAppUrl(urlDetectionRequest);\n    return NextResponse.redirect(\n      CivicAuth.toAbsoluteUrl(\n        urlDetectionRequest,\n        \"/?error=login_failed\",\n        appUrl,\n      ),\n    );\n  }\n}\n\nasync function handleRefresh(\n  request: NextRequest,\n  config: AuthConfig,\n): Promise<NextResponse> {\n  const resolvedConfigs = resolveAuthConfig(config);\n\n  try {\n    const { civicAuth } = createCivicAuth(request, resolvedConfigs);\n\n    await civicAuth.refreshTokens();\n\n    logger.info(\"[REFRESH_HANDLER] Tokens refreshed successfully\");\n\n    const targetUrl = request.nextUrl.searchParams.get(\"targetUrl\");\n    if (targetUrl) {\n      // Success: clear the refresh attempt tracking cookie and redirect to target\n      const response = NextResponse.redirect(targetUrl);\n      response.cookies.delete(\"_civic_last_refresh\");\n      return response;\n    }\n\n    return NextResponse.json({\n      status: \"success\",\n      message: \"Tokens refreshed\",\n    });\n  } catch (error) {\n    logger.error(\"[REFRESH_HANDLER] Token refresh error:\", error);\n    const targetUrl = request.nextUrl.searchParams.get(\"targetUrl\");\n    if (targetUrl) {\n      return NextResponse.redirect(targetUrl);\n    }\n    return NextResponse.json(\n      { error: \"Token refresh failed\" },\n      { status: 500 },\n    );\n  }\n}\n\nasync function handleCallback(\n  request: NextRequest,\n  config: AuthConfig,\n): Promise<NextResponse> {\n  const resolvedConfigs = resolveAuthConfig(config);\n  const code = request.nextUrl.searchParams.get(\"code\");\n  const state = request.nextUrl.searchParams.get(\"state\");\n  const error = request.nextUrl.searchParams.get(\"error\");\n\n  if (error) {\n    logger.error(\"OAuth error in callback:\", error);\n    const urlDetectionRequest = toUrlDetectionRequest(request);\n    const appUrl = CivicAuth.getAppUrl(urlDetectionRequest);\n    return NextResponse.redirect(\n      CivicAuth.toAbsoluteUrl(\n        urlDetectionRequest,\n        \"/?error=oauth_error\",\n        appUrl,\n      ),\n    );\n  }\n\n  if (!code || !state) throw new AuthError(\"Bad parameters\", 400);\n\n  try {\n    const { civicAuth, appUrl, urlDetectionRequest } = createCivicAuth(\n      request,\n      resolvedConfigs,\n    );\n\n    // Convert NextRequest to the format expected by handleCallback\n    const handleCallbackRequest = {\n      headers: Object.fromEntries(request.headers.entries()),\n      url: request.url.toString(),\n    };\n\n    // Get loginSuccessUrl with proper baseUrl handling\n    const loginSuccessUrl = CivicAuth.getLoginSuccessUrl(\n      urlDetectionRequest,\n      appUrl,\n    );\n    const frontendUrl =\n      loginSuccessUrl || resolvedConfigs.loginSuccessUrl || \"/\";\n\n    // Use CivicAuth's smart callback handler\n    const result = await civicAuth.handleCallback(\n      {\n        code,\n        state,\n        req: handleCallbackRequest,\n      },\n      {\n        // Pass the properly resolved frontendUrl\n        frontendUrl: prependBasePath(frontendUrl, config.basePath || \"\"),\n      },\n    );\n\n    if (result.redirectTo) {\n      return redirectWithBasePath(\n        config,\n        CivicAuth.toAbsoluteUrl(urlDetectionRequest, result.redirectTo, appUrl),\n      );\n    }\n\n    if (result.content) {\n      // Handle both string content and object content\n      if (typeof result.content === \"string\") {\n        return new NextResponse(result.content, {\n          status: 200,\n          headers: {\n            \"Content-Type\": \"text/html\",\n          },\n        });\n      } else {\n        // Object content (JSON response)\n        return NextResponse.json(result.content);\n      }\n    }\n\n    // Fallback redirect\n    return NextResponse.redirect(\n      CivicAuth.toAbsoluteUrl(urlDetectionRequest, \"/\", appUrl),\n    );\n  } catch (error) {\n    logger.error(\"[CALLBACK_HANDLER] OAuth callback error:\", error);\n    const urlDetectionRequest = toUrlDetectionRequest(request);\n    const appUrl = CivicAuth.getAppUrl(urlDetectionRequest);\n    return NextResponse.redirect(\n      CivicAuth.toAbsoluteUrl(\n        urlDetectionRequest,\n        \"/?error=callback_failed\",\n        appUrl,\n      ),\n    );\n  }\n}\n\nconst revalidateUrlPath = async (url: string) => {\n  try {\n    const path = new URL(url).pathname;\n    revalidatePath(path);\n  } catch (error) {\n    logger.warn(\"Failed to revalidate path after logout:\", error);\n  }\n};\n\nexport async function handleLogout(\n  request: NextRequest,\n  config: AuthConfig,\n): Promise<NextResponse> {\n  const resolvedConfigs = resolveAuthConfig(config);\n\n  // Get framework-agnostic request for URL utilities\n  const urlDetectionRequest = toUrlDetectionRequest(request);\n  const appUrl = CivicAuth.getAppUrl(urlDetectionRequest);\n\n  // Read the state from the query parameters\n  const state = request.nextUrl.searchParams.get(\"state\");\n  const clientLogoutRedirectUrl =\n    request.nextUrl.searchParams.get(\"logoutRedirectUrl\");\n\n  try {\n    logger.info(\"[LOGOUT_HANDLER] Backend logout endpoint called\");\n\n    // If client provided a logoutRedirectUrl, override the config\n    let configToUse = resolvedConfigs;\n    if (clientLogoutRedirectUrl) {\n      configToUse = {\n        ...resolvedConfigs,\n        logoutCallbackUrl: clientLogoutRedirectUrl,\n      };\n      logger.info(\"[LOGOUT_HANDLER] Overriding logout callback URL\", {\n        original: resolvedConfigs.logoutCallbackUrl,\n        override: clientLogoutRedirectUrl,\n      });\n    }\n\n    const { civicAuth } = createCivicAuth(request, configToUse);\n\n    // Always redirect to OAuth logout (like main branch)\n    // Don't validate session - even invalid local sessions should hit OAuth logout\n    logger.info(\"[LOGOUT_HANDLER] Processing logout request\", {\n      state: !!state,\n    });\n\n    // Always redirect to OAuth logout endpoint (like main branch)\n    // Client-side iframe logic will handle completion and redirect appropriately\n    const logoutUrl = await civicAuth.buildLogoutRedirectUrl({\n      state: state || undefined,\n    });\n\n    try {\n      await clearAuthCookies(resolvedConfigs);\n\n      // Revalidate current path to update authentication state in server components\n      await revalidateUrlPath(request.url);\n    } catch (error) {\n      logger.error(\"[LOGOUT_HANDLER] Error clearing tokens:\", error);\n    }\n\n    // Remove state parameter from logout URL to prevent it from appearing in frontend URL\n    const cleanLogoutUrl = new URL(logoutUrl);\n    cleanLogoutUrl.searchParams.delete(\"state\");\n\n    logger.info(\"[LOGOUT_HANDLER] Redirecting to OAuth logout endpoint\", {\n      logoutUrl: cleanLogoutUrl.toString(),\n    });\n\n    return NextResponse.redirect(cleanLogoutUrl.toString());\n  } catch (error) {\n    logger.error(\"[LOGOUT_HANDLER] Logout error:\", error);\n    // If logout URL generation fails, clear tokens and redirect to home\n    await clearAuthCookies(resolvedConfigs);\n\n    const fallbackUrl =\n      clientLogoutRedirectUrl || resolvedConfigs.logoutCallbackUrl;\n    const finalFallbackUrl = CivicAuth.toAbsoluteUrl(\n      urlDetectionRequest,\n      fallbackUrl,\n      appUrl,\n    );\n\n    return NextResponse.redirect(finalFallbackUrl);\n  }\n}\n\nexport async function handleLogoutCallback(\n  request: NextRequest,\n  config: AuthConfig,\n): Promise<NextResponse> {\n  const resolvedConfigs = resolveAuthConfig(config);\n\n  try {\n    logger.info(\n      \"[LOGOUT_CALLBACK_HANDLER] Backend logout callback endpoint called\",\n    );\n\n    // Clear authentication cookies\n    await clearAuthCookies(resolvedConfigs);\n\n    // Get framework-agnostic request and create CivicAuth instance\n    const urlDetectionRequest = toUrlDetectionRequest(request);\n    const { civicAuth } = createCivicAuth(request, resolvedConfigs);\n\n    // Get the state parameter for iframe detection\n    const state = request.nextUrl.searchParams.get(\"state\");\n\n    // If this is an iframe request, return HTML with logout success signal\n    if (state && displayModeFromState(state, \"iframe\") === \"iframe\") {\n      // For iframe mode, include the post-logout redirect URL in the HTML\n      const postLogoutRedirectUrl =\n        civicAuth.getPostLogoutRedirectUrl(urlDetectionRequest);\n      const response = new NextResponse(\n        `<html lang=\"en\"><span style=\"display:none\">${LOGOUT_SUCCESS_TEXT}<a href=\"${postLogoutRedirectUrl}\" rel=\"civic-auth-post-logout-redirect-url\"></a></span></html>`,\n      );\n      response.headers.set(\"Content-Type\", \"text/html; charset=utf-8\");\n      logger.info(\n        \"[LOGOUT_CALLBACK_HANDLER] Returning iframe logout success HTML\",\n        { postLogoutRedirectUrl },\n      );\n      return response;\n    }\n\n    // For non-iframe requests, redirect to the logout callback URL or post-logout URL\n    const redirectUrl = civicAuth.getPostLogoutRedirectUrl(urlDetectionRequest);\n    logger.info(\n      \"[LOGOUT_CALLBACK_HANDLER] Redirecting to logout callback URL\",\n      {\n        logoutCallbackUrl: resolvedConfigs.logoutCallbackUrl,\n        redirectUrl,\n      },\n    );\n\n    // Revalidate the redirect path to update authentication state in server components\n    await revalidateUrlPath(redirectUrl);\n    return redirectWithBasePath(config, redirectUrl);\n  } catch (error) {\n    logger.error(\"[LOGOUT_CALLBACK_HANDLER] Logout callback error:\", error);\n    const urlDetectionRequest = toUrlDetectionRequest(request);\n    const appUrl = CivicAuth.getAppUrl(urlDetectionRequest);\n    return redirectWithBasePath(\n      config,\n      CivicAuth.toAbsoluteUrl(\n        urlDetectionRequest,\n        resolvedConfigs.logoutCallbackUrl,\n        appUrl,\n      ),\n    );\n  }\n}\n\n/**\n * Creates an authentication handler for Next.js API routes\n *\n * Usage:\n * ```ts\n * // app/api/auth/[...civicauth]/route.ts\n * import { handler } from '@civic/auth/nextjs'\n * export const GET = handler({\n *   // optional config overrides\n * })\n * ```\n */\nexport const handler =\n  (authConfig = {}) =>\n  async (request: NextRequest): Promise<NextResponse> => {\n    const config = resolveAuthConfig(authConfig);\n\n    try {\n      const pathname = request.nextUrl.pathname;\n      const pathSegments = pathname.split(\"/\");\n      const lastSegment = pathSegments[pathSegments.length - 1];\n\n      switch (lastSegment) {\n        case \"challenge\":\n        case \"login\":\n          return await handleLogin(request, config);\n        case \"callback\":\n          return await handleCallback(request, config);\n        case \"refresh\":\n          return await handleRefresh(request, config);\n        case \"logout\":\n          return await handleLogout(request, config);\n        case \"logoutcallback\":\n          return await handleLogoutCallback(request, config);\n        case \"user\":\n          return await handleUser(request, config);\n        default:\n          throw new AuthError(`Invalid auth route: ${pathname}`, 404);\n      }\n    } catch (error) {\n      logger.error(\"Auth handler error:\", error);\n\n      const status = error instanceof AuthError ? error.status : 500;\n      const message =\n        error instanceof Error ? error.message : \"Authentication failed\";\n\n      const response = NextResponse.json({ error: message }, { status });\n\n      await clearAuthCookies(config);\n      return response;\n    }\n  };\n\n/**\n * User endpoint - returns current user data as JSON\n * Uses CivicAuth.isLoggedIn() and getUser()\n */\nasync function handleUser(\n  request: NextRequest,\n  config: AuthConfig,\n): Promise<NextResponse> {\n  const resolvedConfigs = resolveAuthConfig(config);\n\n  try {\n    const { civicAuth } = createCivicAuth(request, resolvedConfigs);\n\n    const isLoggedIn = await civicAuth.isLoggedIn();\n\n    if (!isLoggedIn) {\n      return NextResponse.json({ error: \"Not authenticated\" }, { status: 401 });\n    }\n\n    const user = await civicAuth.getUser();\n\n    return NextResponse.json({ user });\n  } catch (error) {\n    logger.error(\"[USER_HANDLER] User endpoint error:\", error);\n    return NextResponse.json(\n      { error: \"Internal server error\" },\n      { status: 500 },\n    );\n  }\n}\n"]}
+{"version":3,"file":"routeHandler.js","sourceRoot":"","sources":["../../src/nextjs/routeHandler.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,SAAS,EAA4B,MAAM,oBAAoB,CAAC;AACzE,OAAO,EAAE,mBAAmB,EAAE,MAAM,gBAAgB,CAAC;AACrD,OAAO,EAAE,OAAO,EAAE,MAAM,iBAAiB,CAAC;AAC1C,OAAO,EAAE,oBAAoB,EAAE,MAAM,gBAAgB,CAAC;AAEtD,OAAO,EAAE,iBAAiB,EAAE,MAAM,oBAAoB,CAAC;AACvD,OAAO,EAAE,gBAAgB,EAAE,mBAAmB,EAAE,MAAM,qBAAqB,CAAC;AAC5E,OAAO,EAAE,YAAY,EAAE,WAAW,EAAE,MAAM,uBAAuB,CAAC;AAClE,OAAO,EAAE,cAAc,EAAE,MAAM,eAAe,CAAC;AAE/C,OAAO,EAAE,YAAY,EAAE,MAAM,gBAAgB,CAAC;AAC9C,OAAO,EAAE,eAAe,EAAE,oBAAoB,EAAE,MAAM,YAAY,CAAC;AAEnE,MAAM,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC;AAE5C,MAAM,SAAU,SAAQ,KAAK;IAGT;IAFlB,YACE,OAAe,EACC,SAAiB,GAAG;QAEpC,KAAK,CAAC,OAAO,CAAC,CAAC;QAFC,WAAM,GAAN,MAAM,CAAc;QAGpC,IAAI,CAAC,IAAI,GAAG,WAAW,CAAC;IAC1B,CAAC;CACF;AAED;;GAEG;AACH,MAAM,qBAAqB,GAAG,CAAC,OAAoB,EAAuB,EAAE,CAAC,CAAC;IAC5E,GAAG,EAAE,OAAO,CAAC,GAAG;IAChB,OAAO,EAAE,MAAM,CAAC,WAAW,CAAC,OAAO,CAAC,OAAO,CAAC,OAAO,EAAE,CAAC;IACtD,YAAY,EAAE;QACZ,GAAG,EAAE,CAAC,IAAY,EAAE,EAAE,CAAC,OAAO,CAAC,OAAO,CAAC,YAAY,CAAC,GAAG,CAAC,IAAI,CAAC;KAC9D;IACD,OAAO,EAAE;QACP,GAAG,EAAE,CAAC,IAAY,EAAE,EAAE,CAAC,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC;KACjD;CACF,CAAC,CAAC;AAEH;;;GAGG;AACH,MAAM,eAAe,GAAG,CAAC,OAAoB,EAAE,MAAkB,EAAE,EAAE;IACnE,MAAM,cAAc,GAAG,iBAAiB,CAAC,MAAM,CAAC,CAAC;IACjD,MAAM,aAAa,GAAG,IAAI,mBAAmB,CAAC;QAC5C,GAAG,cAAc,CAAC,OAAO,EAAE,MAAM;QACjC,CAAC,WAAW,CAAC,IAAI,CAAC,EAAE,cAAc,CAAC,OAAO,EAAE,IAAI;KACjD,CAAC,CAAC;IAEH,+CAA+C;IAC/C,MAAM,mBAAmB,GAAG,qBAAqB,CAAC,OAAO,CAAC,CAAC;IAE3D,kDAAkD;IAClD,MAAM,YAAY,GAAG,SAAS,CAAC,SAAS,CAAC,mBAAmB,CAAC,CAAC;IAE9D,mEAAmE;IACnE,mEAAmE;IACnE,MAAM,MAAM,GACV,cAAc,CAAC,OAAO;QACtB,YAAY;QACZ,IAAI,GAAG,CAAC,mBAAmB,CAAC,GAAG,CAAC,CAAC,MAAM,CAAC;IAE1C,8DAA8D;IAC9D,MAAM,mBAAmB,GAAG,cAAc,CAAC,WAAW,CAAC,UAAU,CAAC,MAAM,CAAC;QACvE,CAAC,CAAC,cAAc,CAAC,WAAW;QAC5B,CAAC,CAAC,SAAS,CAAC,aAAa,CACrB,mBAAmB,EACnB,cAAc,CAAC,WAAW,EAC1B,MAAM,CACP,CAAC;IACN,MAAM,yBAAyB,GAAG,cAAc,CAAC,iBAAiB,CAAC,UAAU,CAC3E,MAAM,CACP;QACC,CAAC,CAAC,cAAc,CAAC,iBAAiB;QAClC,CAAC,CAAC,SAAS,CAAC,aAAa,CACrB,mBAAmB,EACnB,cAAc,CAAC,iBAAiB,EAChC,MAAM,CACP,CAAC;IAEN,MAAM,SAAS,GAAG,IAAI,SAAS,CAAC,aAAa,EAAE;QAC7C,QAAQ,EAAE,cAAc,CAAC,QAAQ;QACjC,WAAW,EAAE,mBAAmB;QAChC,WAAW,EAAE,cAAc,CAAC,WAAW;QACvC,qBAAqB,EAAE,yBAAyB;QAChD,eAAe,EAAE,OAAO,CAAC,GAAG;KAC7B,CAAC,CAAC;IAEH,OAAO;QACL,SAAS;QACT,aAAa;QACb,MAAM,EAAE,2CAA2C;QACnD,mBAAmB,EAAE,6BAA6B;KACnD,CAAC;AACJ,CAAC,CAAC;AAEF;;;GAGG;AACH,KAAK,UAAU,WAAW,CACxB,OAAoB,EACpB,MAAkB;IAElB,MAAM,eAAe,GAAG,iBAAiB,CAAC,MAAM,CAAC,CAAC;IAElD,IAAI,CAAC;QACH,MAAM,aAAa,GAAG,OAAO,CAAC,OAAO,CAAC,YAAY,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;QAEhE,wDAAwD;QACxD,MAAM,eAAe,GAAG,OAAO,CAAC,OAAO,CAAC,YAAY,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;QACnE,IAAI,eAAe,EAAE,CAAC;YACpB,MAAM,aAAa,GAAG,IAAI,mBAAmB,CAC3C,eAAe,CAAC,OAAO,EAAE,MAAM,IAAI,EAAE,CACtC,CAAC;YACF,MAAM,aAAa,CAAC,GAAG,CAAC,YAAY,CAAC,OAAO,EAAE,eAAe,CAAC,CAAC;QACjE,CAAC;QAED,MAAM,EAAE,SAAS,EAAE,GAAG,eAAe,CAAC,OAAO,EAAE,eAAe,CAAC,CAAC;QAEhE,MAAM,GAAG,GAAG,MAAM,SAAS,CAAC,aAAa,CAAC;YACxC,KAAK,EAAE,aAAa,IAAI,SAAS;SAClC,CAAC,CAAC;QAEH,MAAM,CAAC,IAAI,CAAC,gDAAgD,EAAE;YAC5D,QAAQ,EAAE,GAAG,CAAC,QAAQ,EAAE;SACzB,CAAC,CAAC;QAEH,OAAO,YAAY,CAAC,QAAQ,CAAC,GAAG,CAAC,QAAQ,EAAE,CAAC,CAAC;IAC/C,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,MAAM,CAAC,KAAK,CAAC,sCAAsC,EAAE,KAAK,CAAC,CAAC;QAC5D,MAAM,mBAAmB,GAAG,qBAAqB,CAAC,OAAO,CAAC,CAAC;QAC3D,MAAM,MAAM,GAAG,SAAS,CAAC,SAAS,CAAC,mBAAmB,CAAC,CAAC;QACxD,OAAO,YAAY,CAAC,QAAQ,CAC1B,SAAS,CAAC,aAAa,CACrB,mBAAmB,EACnB,sBAAsB,EACtB,MAAM,CACP,CACF,CAAC;IACJ,CAAC;AACH,CAAC;AAED,KAAK,UAAU,aAAa,CAC1B,OAAoB,EACpB,MAAkB;IAElB,MAAM,eAAe,GAAG,iBAAiB,CAAC,MAAM,CAAC,CAAC;IAElD,IAAI,CAAC;QACH,MAAM,EAAE,SAAS,EAAE,GAAG,eAAe,CAAC,OAAO,EAAE,eAAe,CAAC,CAAC;QAEhE,MAAM,SAAS,CAAC,aAAa,EAAE,CAAC;QAEhC,MAAM,CAAC,IAAI,CAAC,iDAAiD,CAAC,CAAC;QAE/D,MAAM,SAAS,GAAG,OAAO,CAAC,OAAO,CAAC,YAAY,CAAC,GAAG,CAAC,WAAW,CAAC,CAAC;QAChE,IAAI,SAAS,EAAE,CAAC;YACd,4EAA4E;YAC5E,MAAM,QAAQ,GAAG,YAAY,CAAC,QAAQ,CAAC,SAAS,CAAC,CAAC;YAClD,QAAQ,CAAC,OAAO,CAAC,MAAM,CAAC,qBAAqB,CAAC,CAAC;YAC/C,OAAO,QAAQ,CAAC;QAClB,CAAC;QAED,OAAO,YAAY,CAAC,IAAI,CAAC;YACvB,MAAM,EAAE,SAAS;YACjB,OAAO,EAAE,kBAAkB;SAC5B,CAAC,CAAC;IACL,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,MAAM,CAAC,KAAK,CAAC,wCAAwC,EAAE,KAAK,CAAC,CAAC;QAC9D,MAAM,SAAS,GAAG,OAAO,CAAC,OAAO,CAAC,YAAY,CAAC,GAAG,CAAC,WAAW,CAAC,CAAC;QAChE,IAAI,SAAS,EAAE,CAAC;YACd,OAAO,YAAY,CAAC,QAAQ,CAAC,SAAS,CAAC,CAAC;QAC1C,CAAC;QACD,OAAO,YAAY,CAAC,IAAI,CACtB,EAAE,KAAK,EAAE,sBAAsB,EAAE,EACjC,EAAE,MAAM,EAAE,GAAG,EAAE,CAChB,CAAC;IACJ,CAAC;AACH,CAAC;AAED,KAAK,UAAU,cAAc,CAC3B,OAAoB,EACpB,MAAkB;IAElB,MAAM,eAAe,GAAG,iBAAiB,CAAC,MAAM,CAAC,CAAC;IAClD,MAAM,IAAI,GAAG,OAAO,CAAC,OAAO,CAAC,YAAY,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;IACtD,MAAM,KAAK,GAAG,OAAO,CAAC,OAAO,CAAC,YAAY,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;IACxD,MAAM,KAAK,GAAG,OAAO,CAAC,OAAO,CAAC,YAAY,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;IAExD,IAAI,KAAK,EAAE,CAAC;QACV,MAAM,CAAC,KAAK,CAAC,0BAA0B,EAAE,KAAK,CAAC,CAAC;QAChD,MAAM,mBAAmB,GAAG,qBAAqB,CAAC,OAAO,CAAC,CAAC;QAC3D,MAAM,MAAM,GAAG,SAAS,CAAC,SAAS,CAAC,mBAAmB,CAAC,CAAC;QACxD,OAAO,YAAY,CAAC,QAAQ,CAC1B,SAAS,CAAC,aAAa,CACrB,mBAAmB,EACnB,qBAAqB,EACrB,MAAM,CACP,CACF,CAAC;IACJ,CAAC;IAED,IAAI,CAAC,IAAI,IAAI,CAAC,KAAK;QAAE,MAAM,IAAI,SAAS,CAAC,gBAAgB,EAAE,GAAG,CAAC,CAAC;IAEhE,IAAI,CAAC;QACH,MAAM,EAAE,SAAS,EAAE,MAAM,EAAE,mBAAmB,EAAE,GAAG,eAAe,CAChE,OAAO,EACP,eAAe,CAChB,CAAC;QAEF,+DAA+D;QAC/D,MAAM,qBAAqB,GAAG;YAC5B,OAAO,EAAE,MAAM,CAAC,WAAW,CAAC,OAAO,CAAC,OAAO,CAAC,OAAO,EAAE,CAAC;YACtD,GAAG,EAAE,OAAO,CAAC,GAAG,CAAC,QAAQ,EAAE;SAC5B,CAAC;QAEF,mDAAmD;QACnD,MAAM,eAAe,GAAG,SAAS,CAAC,kBAAkB,CAClD,mBAAmB,EACnB,MAAM,CACP,CAAC;QACF,MAAM,WAAW,GACf,eAAe,IAAI,eAAe,CAAC,eAAe,IAAI,GAAG,CAAC;QAE5D,yCAAyC;QACzC,MAAM,MAAM,GAAG,MAAM,SAAS,CAAC,cAAc,CAC3C;YACE,IAAI;YACJ,KAAK;YACL,GAAG,EAAE,qBAAqB;SAC3B,EACD;YACE,yCAAyC;YACzC,WAAW,EAAE,eAAe,CAAC,WAAW,EAAE,MAAM,CAAC,QAAQ,IAAI,EAAE,CAAC;SACjE,CACF,CAAC;QAEF,IAAI,MAAM,CAAC,UAAU,EAAE,CAAC;YACtB,OAAO,oBAAoB,CACzB,MAAM,EACN,SAAS,CAAC,aAAa,CAAC,mBAAmB,EAAE,MAAM,CAAC,UAAU,EAAE,MAAM,CAAC,CACxE,CAAC;QACJ,CAAC;QAED,IAAI,MAAM,CAAC,OAAO,EAAE,CAAC;YACnB,gDAAgD;YAChD,IAAI,OAAO,MAAM,CAAC,OAAO,KAAK,QAAQ,EAAE,CAAC;gBACvC,OAAO,IAAI,YAAY,CAAC,MAAM,CAAC,OAAO,EAAE;oBACtC,MAAM,EAAE,GAAG;oBACX,OAAO,EAAE;wBACP,cAAc,EAAE,WAAW;qBAC5B;iBACF,CAAC,CAAC;YACL,CAAC;iBAAM,CAAC;gBACN,iCAAiC;gBACjC,OAAO,YAAY,CAAC,IAAI,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC;YAC3C,CAAC;QACH,CAAC;QAED,oBAAoB;QACpB,OAAO,YAAY,CAAC,QAAQ,CAC1B,SAAS,CAAC,aAAa,CAAC,mBAAmB,EAAE,GAAG,EAAE,MAAM,CAAC,CAC1D,CAAC;IACJ,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,MAAM,CAAC,KAAK,CAAC,0CAA0C,EAAE,KAAK,CAAC,CAAC;QAChE,MAAM,mBAAmB,GAAG,qBAAqB,CAAC,OAAO,CAAC,CAAC;QAC3D,MAAM,MAAM,GAAG,SAAS,CAAC,SAAS,CAAC,mBAAmB,CAAC,CAAC;QACxD,OAAO,YAAY,CAAC,QAAQ,CAC1B,SAAS,CAAC,aAAa,CACrB,mBAAmB,EACnB,yBAAyB,EACzB,MAAM,CACP,CACF,CAAC;IACJ,CAAC;AACH,CAAC;AAED,MAAM,iBAAiB,GAAG,KAAK,EAAE,GAAW,EAAE,EAAE;IAC9C,IAAI,CAAC;QACH,MAAM,IAAI,GAAG,IAAI,GAAG,CAAC,GAAG,CAAC,CAAC,QAAQ,CAAC;QACnC,cAAc,CAAC,IAAI,CAAC,CAAC;IACvB,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,MAAM,CAAC,IAAI,CAAC,yCAAyC,EAAE,KAAK,CAAC,CAAC;IAChE,CAAC;AACH,CAAC,CAAC;AAEF,MAAM,CAAC,KAAK,UAAU,YAAY,CAChC,OAAoB,EACpB,MAAkB;IAElB,MAAM,eAAe,GAAG,iBAAiB,CAAC,MAAM,CAAC,CAAC;IAElD,mDAAmD;IACnD,MAAM,mBAAmB,GAAG,qBAAqB,CAAC,OAAO,CAAC,CAAC;IAC3D,MAAM,MAAM,GAAG,SAAS,CAAC,SAAS,CAAC,mBAAmB,CAAC,CAAC;IAExD,2CAA2C;IAC3C,MAAM,KAAK,GAAG,OAAO,CAAC,OAAO,CAAC,YAAY,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;IACxD,MAAM,uBAAuB,GAC3B,OAAO,CAAC,OAAO,CAAC,YAAY,CAAC,GAAG,CAAC,mBAAmB,CAAC,CAAC;IAExD,IAAI,CAAC;QACH,MAAM,CAAC,IAAI,CAAC,iDAAiD,CAAC,CAAC;QAE/D,8DAA8D;QAC9D,IAAI,WAAW,GAAG,eAAe,CAAC;QAClC,IAAI,uBAAuB,EAAE,CAAC;YAC5B,WAAW,GAAG;gBACZ,GAAG,eAAe;gBAClB,iBAAiB,EAAE,uBAAuB;aAC3C,CAAC;YACF,MAAM,CAAC,IAAI,CAAC,iDAAiD,EAAE;gBAC7D,QAAQ,EAAE,eAAe,CAAC,iBAAiB;gBAC3C,QAAQ,EAAE,uBAAuB;aAClC,CAAC,CAAC;QACL,CAAC;QAED,MAAM,EAAE,SAAS,EAAE,GAAG,eAAe,CAAC,OAAO,EAAE,WAAW,CAAC,CAAC;QAE5D,qDAAqD;QACrD,+EAA+E;QAC/E,MAAM,CAAC,IAAI,CAAC,4CAA4C,EAAE;YACxD,KAAK,EAAE,CAAC,CAAC,KAAK;SACf,CAAC,CAAC;QAEH,8DAA8D;QAC9D,6EAA6E;QAC7E,MAAM,SAAS,GAAG,MAAM,SAAS,CAAC,sBAAsB,CAAC;YACvD,KAAK,EAAE,KAAK,IAAI,SAAS;SAC1B,CAAC,CAAC;QAEH,IAAI,CAAC;YACH,MAAM,gBAAgB,CAAC,eAAe,CAAC,CAAC;YAExC,8EAA8E;YAC9E,MAAM,iBAAiB,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;QACvC,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,MAAM,CAAC,KAAK,CAAC,yCAAyC,EAAE,KAAK,CAAC,CAAC;QACjE,CAAC;QAED,sFAAsF;QACtF,MAAM,cAAc,GAAG,IAAI,GAAG,CAAC,SAAS,CAAC,CAAC;QAC1C,cAAc,CAAC,YAAY,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC;QAE5C,MAAM,CAAC,IAAI,CAAC,uDAAuD,EAAE;YACnE,SAAS,EAAE,cAAc,CAAC,QAAQ,EAAE;SACrC,CAAC,CAAC;QAEH,OAAO,YAAY,CAAC,QAAQ,CAAC,cAAc,CAAC,QAAQ,EAAE,CAAC,CAAC;IAC1D,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,MAAM,CAAC,KAAK,CAAC,gCAAgC,EAAE,KAAK,CAAC,CAAC;QACtD,oEAAoE;QACpE,MAAM,gBAAgB,CAAC,eAAe,CAAC,CAAC;QAExC,MAAM,WAAW,GACf,uBAAuB,IAAI,eAAe,CAAC,iBAAiB,CAAC;QAC/D,MAAM,gBAAgB,GAAG,SAAS,CAAC,aAAa,CAC9C,mBAAmB,EACnB,WAAW,EACX,MAAM,CACP,CAAC;QAEF,OAAO,YAAY,CAAC,QAAQ,CAAC,gBAAgB,CAAC,CAAC;IACjD,CAAC;AACH,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,oBAAoB,CACxC,OAAoB,EACpB,MAAkB;IAElB,MAAM,eAAe,GAAG,iBAAiB,CAAC,MAAM,CAAC,CAAC;IAElD,IAAI,CAAC;QACH,MAAM,CAAC,IAAI,CACT,mEAAmE,CACpE,CAAC;QAEF,+BAA+B;QAC/B,MAAM,gBAAgB,CAAC,eAAe,CAAC,CAAC;QAExC,+DAA+D;QAC/D,MAAM,mBAAmB,GAAG,qBAAqB,CAAC,OAAO,CAAC,CAAC;QAC3D,MAAM,EAAE,SAAS,EAAE,GAAG,eAAe,CAAC,OAAO,EAAE,eAAe,CAAC,CAAC;QAEhE,+CAA+C;QAC/C,MAAM,KAAK,GAAG,OAAO,CAAC,OAAO,CAAC,YAAY,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;QAExD,uEAAuE;QACvE,IAAI,KAAK,IAAI,oBAAoB,CAAC,KAAK,EAAE,QAAQ,CAAC,KAAK,QAAQ,EAAE,CAAC;YAChE,oEAAoE;YACpE,MAAM,qBAAqB,GACzB,SAAS,CAAC,wBAAwB,CAAC,mBAAmB,CAAC,CAAC;YAC1D,MAAM,QAAQ,GAAG,IAAI,YAAY,CAC/B,8CAA8C,mBAAmB,YAAY,qBAAqB,gEAAgE,CACnK,CAAC;YACF,QAAQ,CAAC,OAAO,CAAC,GAAG,CAAC,cAAc,EAAE,0BAA0B,CAAC,CAAC;YACjE,MAAM,CAAC,IAAI,CACT,gEAAgE,EAChE,EAAE,qBAAqB,EAAE,CAC1B,CAAC;YACF,OAAO,QAAQ,CAAC;QAClB,CAAC;QAED,kFAAkF;QAClF,MAAM,WAAW,GAAG,SAAS,CAAC,wBAAwB,CAAC,mBAAmB,CAAC,CAAC;QAC5E,MAAM,CAAC,IAAI,CACT,8DAA8D,EAC9D;YACE,iBAAiB,EAAE,eAAe,CAAC,iBAAiB;YACpD,WAAW;SACZ,CACF,CAAC;QAEF,mFAAmF;QACnF,MAAM,iBAAiB,CAAC,WAAW,CAAC,CAAC;QACrC,OAAO,oBAAoB,CAAC,MAAM,EAAE,WAAW,CAAC,CAAC;IACnD,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,MAAM,CAAC,KAAK,CAAC,kDAAkD,EAAE,KAAK,CAAC,CAAC;QACxE,MAAM,mBAAmB,GAAG,qBAAqB,CAAC,OAAO,CAAC,CAAC;QAC3D,MAAM,MAAM,GAAG,SAAS,CAAC,SAAS,CAAC,mBAAmB,CAAC,CAAC;QACxD,OAAO,oBAAoB,CACzB,MAAM,EACN,SAAS,CAAC,aAAa,CACrB,mBAAmB,EACnB,eAAe,CAAC,iBAAiB,EACjC,MAAM,CACP,CACF,CAAC;IACJ,CAAC;AACH,CAAC;AAED;;;;;;;;;;;;;;GAcG;AACH,MAAM,CAAC,MAAM,OAAO,GAClB,CAAC,UAAU,GAAG,EAAE,EAAE,EAAE,CACpB,KAAK,EAAE,OAAoB,EAAyB,EAAE;IACpD,MAAM,MAAM,GAAG,iBAAiB,CAAC,UAAU,CAAC,CAAC;IAE7C,IAAI,CAAC;QACH,MAAM,QAAQ,GAAG,OAAO,CAAC,OAAO,CAAC,QAAQ,CAAC;QAC1C,MAAM,YAAY,GAAG,QAAQ,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;QACzC,MAAM,WAAW,GAAG,YAAY,CAAC,YAAY,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC;QAE1D,QAAQ,WAAW,EAAE,CAAC;YACpB,KAAK,WAAW,CAAC;YACjB,KAAK,OAAO;gBACV,OAAO,MAAM,WAAW,CAAC,OAAO,EAAE,MAAM,CAAC,CAAC;YAC5C,KAAK,UAAU;gBACb,OAAO,MAAM,cAAc,CAAC,OAAO,EAAE,MAAM,CAAC,CAAC;YAC/C,KAAK,SAAS;gBACZ,OAAO,MAAM,aAAa,CAAC,OAAO,EAAE,MAAM,CAAC,CAAC;YAC9C,KAAK,QAAQ;gBACX,OAAO,MAAM,YAAY,CAAC,OAAO,EAAE,MAAM,CAAC,CAAC;YAC7C,KAAK,gBAAgB;gBACnB,OAAO,MAAM,oBAAoB,CAAC,OAAO,EAAE,MAAM,CAAC,CAAC;YACrD,KAAK,MAAM;gBACT,OAAO,MAAM,UAAU,CAAC,OAAO,EAAE,MAAM,CAAC,CAAC;YAC3C;gBACE,MAAM,IAAI,SAAS,CAAC,uBAAuB,QAAQ,EAAE,EAAE,GAAG,CAAC,CAAC;QAChE,CAAC;IACH,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,MAAM,CAAC,KAAK,CAAC,qBAAqB,EAAE,KAAK,CAAC,CAAC;QAE3C,MAAM,MAAM,GAAG,KAAK,YAAY,SAAS,CAAC,CAAC,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC,GAAG,CAAC;QAC/D,MAAM,OAAO,GACX,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,uBAAuB,CAAC;QAEnE,MAAM,QAAQ,GAAG,YAAY,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,OAAO,EAAE,EAAE,EAAE,MAAM,EAAE,CAAC,CAAC;QAEnE,MAAM,gBAAgB,CAAC,MAAM,CAAC,CAAC;QAC/B,OAAO,QAAQ,CAAC;IAClB,CAAC;AACH,CAAC,CAAC;AAEJ;;;GAGG;AACH,KAAK,UAAU,UAAU,CACvB,OAAoB,EACpB,MAAkB;IAElB,MAAM,eAAe,GAAG,iBAAiB,CAAC,MAAM,CAAC,CAAC;IAElD,IAAI,CAAC;QACH,MAAM,EAAE,SAAS,EAAE,GAAG,eAAe,CAAC,OAAO,EAAE,eAAe,CAAC,CAAC;QAEhE,MAAM,UAAU,GAAG,MAAM,SAAS,CAAC,UAAU,EAAE,CAAC;QAEhD,IAAI,CAAC,UAAU,EAAE,CAAC;YAChB,MAAM,UAAU,GAAG,OAAO,CAAC,OAAO,CAAC,YAAY,CAAC,GAAG,CACjD,uBAAuB,CACxB;gBACC,CAAC,CAAC,GAAG;gBACL,CAAC,CAAC,GAAG,CAAC;YACR,OAAO,YAAY,CAAC,IAAI,CACtB,EAAE,KAAK,EAAE,mBAAmB,EAAE,EAC9B,EAAE,MAAM,EAAE,UAAU,EAAE,CACvB,CAAC;QACJ,CAAC;QAED,MAAM,IAAI,GAAG,MAAM,SAAS,CAAC,OAAO,EAAE,CAAC;QAEvC,OAAO,YAAY,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,CAAC,CAAC;IACrC,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,MAAM,CAAC,KAAK,CAAC,qCAAqC,EAAE,KAAK,CAAC,CAAC;QAC3D,OAAO,YAAY,CAAC,IAAI,CACtB,EAAE,KAAK,EAAE,uBAAuB,EAAE,EAClC,EAAE,MAAM,EAAE,GAAG,EAAE,CAChB,CAAC;IACJ,CAAC;AACH,CAAC","sourcesContent":["import { CivicAuth, type UrlDetectionRequest } from \"@civic/auth/server\";\nimport { LOGOUT_SUCCESS_TEXT } from \"@/constants.js\";\nimport { loggers } from \"@/lib/logger.js\";\nimport { displayModeFromState } from \"@/lib/oauth.js\";\nimport type { AuthConfig } from \"@/nextjs/config.js\";\nimport { resolveAuthConfig } from \"@/nextjs/config.js\";\nimport { clearAuthCookies, NextjsCookieStorage } from \"@/nextjs/cookies.js\";\nimport { CodeVerifier, UserStorage } from \"@/shared/lib/types.js\";\nimport { revalidatePath } from \"next/cache.js\";\nimport type { NextRequest } from \"next/server.js\";\nimport { NextResponse } from \"next/server.js\";\nimport { prependBasePath, redirectWithBasePath } from \"./utils.js\";\n\nconst logger = loggers.nextjs.handlers.auth;\n\nclass AuthError extends Error {\n  constructor(\n    message: string,\n    public readonly status: number = 401,\n  ) {\n    super(message);\n    this.name = \"AuthError\";\n  }\n}\n\n/**\n * Helper to convert NextRequest to UrlDetectionRequest for framework-agnostic URL handling\n */\nconst toUrlDetectionRequest = (request: NextRequest): UrlDetectionRequest => ({\n  url: request.url,\n  headers: Object.fromEntries(request.headers.entries()),\n  searchParams: {\n    get: (name: string) => request.nextUrl.searchParams.get(name),\n  },\n  cookies: {\n    get: (name: string) => request.cookies.get(name),\n  },\n});\n\n/**\n * Helper to create CivicAuth instance for a request\n * Now handles appUrl detection for proxy environments\n */\nconst createCivicAuth = (request: NextRequest, config: AuthConfig) => {\n  const resolvedConfig = resolveAuthConfig(config);\n  const cookieStorage = new NextjsCookieStorage({\n    ...resolvedConfig.cookies?.tokens,\n    [UserStorage.USER]: resolvedConfig.cookies?.user,\n  });\n\n  // Convert to framework-agnostic request format\n  const urlDetectionRequest = toUrlDetectionRequest(request);\n\n  // Get appUrl from client (for proxy environments)\n  const clientAppUrl = CivicAuth.getAppUrl(urlDetectionRequest);\n\n  // Use baseUrl from config, then client appUrl, then request origin\n  // This matches the main branch priority: config > client > request\n  const appUrl =\n    resolvedConfig.baseUrl ||\n    clientAppUrl ||\n    new URL(urlDetectionRequest.url).origin;\n\n  // Build absolute URLs using detected appUrl or request origin\n  const absoluteCallbackUrl = resolvedConfig.callbackUrl.startsWith(\"http\")\n    ? resolvedConfig.callbackUrl\n    : CivicAuth.toAbsoluteUrl(\n        urlDetectionRequest,\n        resolvedConfig.callbackUrl,\n        appUrl,\n      );\n  const absoluteLogoutCallbackUrl = resolvedConfig.logoutCallbackUrl.startsWith(\n    \"http\",\n  )\n    ? resolvedConfig.logoutCallbackUrl\n    : CivicAuth.toAbsoluteUrl(\n        urlDetectionRequest,\n        resolvedConfig.logoutCallbackUrl,\n        appUrl,\n      );\n\n  const civicAuth = new CivicAuth(cookieStorage, {\n    clientId: resolvedConfig.clientId,\n    redirectUrl: absoluteCallbackUrl,\n    oauthServer: resolvedConfig.oauthServer,\n    postLogoutRedirectUrl: absoluteLogoutCallbackUrl,\n    loginSuccessUrl: request.url,\n  });\n\n  return {\n    civicAuth,\n    cookieStorage,\n    appUrl, // Return appUrl for use in other functions\n    urlDetectionRequest, // Return for use in handlers\n  };\n};\n\n/**\n * Login handler - backend OAuth login initiation endpoint\n * Uses CivicAuth.buildLoginUrl()\n */\nasync function handleLogin(\n  request: NextRequest,\n  config: AuthConfig,\n): Promise<NextResponse> {\n  const resolvedConfigs = resolveAuthConfig(config);\n\n  try {\n    const frontendState = request.nextUrl.searchParams.get(\"state\");\n\n    // Store appUrl in cookie if provided as query parameter\n    const appUrlFromQuery = request.nextUrl.searchParams.get(\"appUrl\");\n    if (appUrlFromQuery) {\n      const cookieStorage = new NextjsCookieStorage(\n        resolvedConfigs.cookies?.tokens ?? {},\n      );\n      await cookieStorage.set(CodeVerifier.APP_URL, appUrlFromQuery);\n    }\n\n    const { civicAuth } = createCivicAuth(request, resolvedConfigs);\n\n    const url = await civicAuth.buildLoginUrl({\n      state: frontendState || undefined,\n    });\n\n    logger.info(\"[LOGIN_HANDLER] Redirecting to OAuth login URL\", {\n      loginUrl: url.toString(),\n    });\n\n    return NextResponse.redirect(url.toString());\n  } catch (error) {\n    logger.error(\"[LOGIN_HANDLER] Backend login error:\", error);\n    const urlDetectionRequest = toUrlDetectionRequest(request);\n    const appUrl = CivicAuth.getAppUrl(urlDetectionRequest);\n    return NextResponse.redirect(\n      CivicAuth.toAbsoluteUrl(\n        urlDetectionRequest,\n        \"/?error=login_failed\",\n        appUrl,\n      ),\n    );\n  }\n}\n\nasync function handleRefresh(\n  request: NextRequest,\n  config: AuthConfig,\n): Promise<NextResponse> {\n  const resolvedConfigs = resolveAuthConfig(config);\n\n  try {\n    const { civicAuth } = createCivicAuth(request, resolvedConfigs);\n\n    await civicAuth.refreshTokens();\n\n    logger.info(\"[REFRESH_HANDLER] Tokens refreshed successfully\");\n\n    const targetUrl = request.nextUrl.searchParams.get(\"targetUrl\");\n    if (targetUrl) {\n      // Success: clear the refresh attempt tracking cookie and redirect to target\n      const response = NextResponse.redirect(targetUrl);\n      response.cookies.delete(\"_civic_last_refresh\");\n      return response;\n    }\n\n    return NextResponse.json({\n      status: \"success\",\n      message: \"Tokens refreshed\",\n    });\n  } catch (error) {\n    logger.error(\"[REFRESH_HANDLER] Token refresh error:\", error);\n    const targetUrl = request.nextUrl.searchParams.get(\"targetUrl\");\n    if (targetUrl) {\n      return NextResponse.redirect(targetUrl);\n    }\n    return NextResponse.json(\n      { error: \"Token refresh failed\" },\n      { status: 500 },\n    );\n  }\n}\n\nasync function handleCallback(\n  request: NextRequest,\n  config: AuthConfig,\n): Promise<NextResponse> {\n  const resolvedConfigs = resolveAuthConfig(config);\n  const code = request.nextUrl.searchParams.get(\"code\");\n  const state = request.nextUrl.searchParams.get(\"state\");\n  const error = request.nextUrl.searchParams.get(\"error\");\n\n  if (error) {\n    logger.error(\"OAuth error in callback:\", error);\n    const urlDetectionRequest = toUrlDetectionRequest(request);\n    const appUrl = CivicAuth.getAppUrl(urlDetectionRequest);\n    return NextResponse.redirect(\n      CivicAuth.toAbsoluteUrl(\n        urlDetectionRequest,\n        \"/?error=oauth_error\",\n        appUrl,\n      ),\n    );\n  }\n\n  if (!code || !state) throw new AuthError(\"Bad parameters\", 400);\n\n  try {\n    const { civicAuth, appUrl, urlDetectionRequest } = createCivicAuth(\n      request,\n      resolvedConfigs,\n    );\n\n    // Convert NextRequest to the format expected by handleCallback\n    const handleCallbackRequest = {\n      headers: Object.fromEntries(request.headers.entries()),\n      url: request.url.toString(),\n    };\n\n    // Get loginSuccessUrl with proper baseUrl handling\n    const loginSuccessUrl = CivicAuth.getLoginSuccessUrl(\n      urlDetectionRequest,\n      appUrl,\n    );\n    const frontendUrl =\n      loginSuccessUrl || resolvedConfigs.loginSuccessUrl || \"/\";\n\n    // Use CivicAuth's smart callback handler\n    const result = await civicAuth.handleCallback(\n      {\n        code,\n        state,\n        req: handleCallbackRequest,\n      },\n      {\n        // Pass the properly resolved frontendUrl\n        frontendUrl: prependBasePath(frontendUrl, config.basePath || \"\"),\n      },\n    );\n\n    if (result.redirectTo) {\n      return redirectWithBasePath(\n        config,\n        CivicAuth.toAbsoluteUrl(urlDetectionRequest, result.redirectTo, appUrl),\n      );\n    }\n\n    if (result.content) {\n      // Handle both string content and object content\n      if (typeof result.content === \"string\") {\n        return new NextResponse(result.content, {\n          status: 200,\n          headers: {\n            \"Content-Type\": \"text/html\",\n          },\n        });\n      } else {\n        // Object content (JSON response)\n        return NextResponse.json(result.content);\n      }\n    }\n\n    // Fallback redirect\n    return NextResponse.redirect(\n      CivicAuth.toAbsoluteUrl(urlDetectionRequest, \"/\", appUrl),\n    );\n  } catch (error) {\n    logger.error(\"[CALLBACK_HANDLER] OAuth callback error:\", error);\n    const urlDetectionRequest = toUrlDetectionRequest(request);\n    const appUrl = CivicAuth.getAppUrl(urlDetectionRequest);\n    return NextResponse.redirect(\n      CivicAuth.toAbsoluteUrl(\n        urlDetectionRequest,\n        \"/?error=callback_failed\",\n        appUrl,\n      ),\n    );\n  }\n}\n\nconst revalidateUrlPath = async (url: string) => {\n  try {\n    const path = new URL(url).pathname;\n    revalidatePath(path);\n  } catch (error) {\n    logger.warn(\"Failed to revalidate path after logout:\", error);\n  }\n};\n\nexport async function handleLogout(\n  request: NextRequest,\n  config: AuthConfig,\n): Promise<NextResponse> {\n  const resolvedConfigs = resolveAuthConfig(config);\n\n  // Get framework-agnostic request for URL utilities\n  const urlDetectionRequest = toUrlDetectionRequest(request);\n  const appUrl = CivicAuth.getAppUrl(urlDetectionRequest);\n\n  // Read the state from the query parameters\n  const state = request.nextUrl.searchParams.get(\"state\");\n  const clientLogoutRedirectUrl =\n    request.nextUrl.searchParams.get(\"logoutRedirectUrl\");\n\n  try {\n    logger.info(\"[LOGOUT_HANDLER] Backend logout endpoint called\");\n\n    // If client provided a logoutRedirectUrl, override the config\n    let configToUse = resolvedConfigs;\n    if (clientLogoutRedirectUrl) {\n      configToUse = {\n        ...resolvedConfigs,\n        logoutCallbackUrl: clientLogoutRedirectUrl,\n      };\n      logger.info(\"[LOGOUT_HANDLER] Overriding logout callback URL\", {\n        original: resolvedConfigs.logoutCallbackUrl,\n        override: clientLogoutRedirectUrl,\n      });\n    }\n\n    const { civicAuth } = createCivicAuth(request, configToUse);\n\n    // Always redirect to OAuth logout (like main branch)\n    // Don't validate session - even invalid local sessions should hit OAuth logout\n    logger.info(\"[LOGOUT_HANDLER] Processing logout request\", {\n      state: !!state,\n    });\n\n    // Always redirect to OAuth logout endpoint (like main branch)\n    // Client-side iframe logic will handle completion and redirect appropriately\n    const logoutUrl = await civicAuth.buildLogoutRedirectUrl({\n      state: state || undefined,\n    });\n\n    try {\n      await clearAuthCookies(resolvedConfigs);\n\n      // Revalidate current path to update authentication state in server components\n      await revalidateUrlPath(request.url);\n    } catch (error) {\n      logger.error(\"[LOGOUT_HANDLER] Error clearing tokens:\", error);\n    }\n\n    // Remove state parameter from logout URL to prevent it from appearing in frontend URL\n    const cleanLogoutUrl = new URL(logoutUrl);\n    cleanLogoutUrl.searchParams.delete(\"state\");\n\n    logger.info(\"[LOGOUT_HANDLER] Redirecting to OAuth logout endpoint\", {\n      logoutUrl: cleanLogoutUrl.toString(),\n    });\n\n    return NextResponse.redirect(cleanLogoutUrl.toString());\n  } catch (error) {\n    logger.error(\"[LOGOUT_HANDLER] Logout error:\", error);\n    // If logout URL generation fails, clear tokens and redirect to home\n    await clearAuthCookies(resolvedConfigs);\n\n    const fallbackUrl =\n      clientLogoutRedirectUrl || resolvedConfigs.logoutCallbackUrl;\n    const finalFallbackUrl = CivicAuth.toAbsoluteUrl(\n      urlDetectionRequest,\n      fallbackUrl,\n      appUrl,\n    );\n\n    return NextResponse.redirect(finalFallbackUrl);\n  }\n}\n\nexport async function handleLogoutCallback(\n  request: NextRequest,\n  config: AuthConfig,\n): Promise<NextResponse> {\n  const resolvedConfigs = resolveAuthConfig(config);\n\n  try {\n    logger.info(\n      \"[LOGOUT_CALLBACK_HANDLER] Backend logout callback endpoint called\",\n    );\n\n    // Clear authentication cookies\n    await clearAuthCookies(resolvedConfigs);\n\n    // Get framework-agnostic request and create CivicAuth instance\n    const urlDetectionRequest = toUrlDetectionRequest(request);\n    const { civicAuth } = createCivicAuth(request, resolvedConfigs);\n\n    // Get the state parameter for iframe detection\n    const state = request.nextUrl.searchParams.get(\"state\");\n\n    // If this is an iframe request, return HTML with logout success signal\n    if (state && displayModeFromState(state, \"iframe\") === \"iframe\") {\n      // For iframe mode, include the post-logout redirect URL in the HTML\n      const postLogoutRedirectUrl =\n        civicAuth.getPostLogoutRedirectUrl(urlDetectionRequest);\n      const response = new NextResponse(\n        `<html lang=\"en\"><span style=\"display:none\">${LOGOUT_SUCCESS_TEXT}<a href=\"${postLogoutRedirectUrl}\" rel=\"civic-auth-post-logout-redirect-url\"></a></span></html>`,\n      );\n      response.headers.set(\"Content-Type\", \"text/html; charset=utf-8\");\n      logger.info(\n        \"[LOGOUT_CALLBACK_HANDLER] Returning iframe logout success HTML\",\n        { postLogoutRedirectUrl },\n      );\n      return response;\n    }\n\n    // For non-iframe requests, redirect to the logout callback URL or post-logout URL\n    const redirectUrl = civicAuth.getPostLogoutRedirectUrl(urlDetectionRequest);\n    logger.info(\n      \"[LOGOUT_CALLBACK_HANDLER] Redirecting to logout callback URL\",\n      {\n        logoutCallbackUrl: resolvedConfigs.logoutCallbackUrl,\n        redirectUrl,\n      },\n    );\n\n    // Revalidate the redirect path to update authentication state in server components\n    await revalidateUrlPath(redirectUrl);\n    return redirectWithBasePath(config, redirectUrl);\n  } catch (error) {\n    logger.error(\"[LOGOUT_CALLBACK_HANDLER] Logout callback error:\", error);\n    const urlDetectionRequest = toUrlDetectionRequest(request);\n    const appUrl = CivicAuth.getAppUrl(urlDetectionRequest);\n    return redirectWithBasePath(\n      config,\n      CivicAuth.toAbsoluteUrl(\n        urlDetectionRequest,\n        resolvedConfigs.logoutCallbackUrl,\n        appUrl,\n      ),\n    );\n  }\n}\n\n/**\n * Creates an authentication handler for Next.js API routes\n *\n * Usage:\n * ```ts\n * // app/api/auth/[...civicauth]/route.ts\n * import { handler } from '@civic/auth/nextjs'\n * export const GET = handler({\n *   // optional config overrides\n * })\n * export const POST = handler({\n *   // optional config overrides\n * })\n * ```\n */\nexport const handler =\n  (authConfig = {}) =>\n  async (request: NextRequest): Promise<NextResponse> => {\n    const config = resolveAuthConfig(authConfig);\n\n    try {\n      const pathname = request.nextUrl.pathname;\n      const pathSegments = pathname.split(\"/\");\n      const lastSegment = pathSegments[pathSegments.length - 1];\n\n      switch (lastSegment) {\n        case \"challenge\":\n        case \"login\":\n          return await handleLogin(request, config);\n        case \"callback\":\n          return await handleCallback(request, config);\n        case \"refresh\":\n          return await handleRefresh(request, config);\n        case \"logout\":\n          return await handleLogout(request, config);\n        case \"logoutcallback\":\n          return await handleLogoutCallback(request, config);\n        case \"user\":\n          return await handleUser(request, config);\n        default:\n          throw new AuthError(`Invalid auth route: ${pathname}`, 404);\n      }\n    } catch (error) {\n      logger.error(\"Auth handler error:\", error);\n\n      const status = error instanceof AuthError ? error.status : 500;\n      const message =\n        error instanceof Error ? error.message : \"Authentication failed\";\n\n      const response = NextResponse.json({ error: message }, { status });\n\n      await clearAuthCookies(config);\n      return response;\n    }\n  };\n\n/**\n * User endpoint - returns current user data as JSON\n * Uses CivicAuth.isLoggedIn() and getUser()\n */\nasync function handleUser(\n  request: NextRequest,\n  config: AuthConfig,\n): Promise<NextResponse> {\n  const resolvedConfigs = resolveAuthConfig(config);\n\n  try {\n    const { civicAuth } = createCivicAuth(request, resolvedConfigs);\n\n    const isLoggedIn = await civicAuth.isLoggedIn();\n\n    if (!isLoggedIn) {\n      const statusCode = request.nextUrl.searchParams.get(\n        \"optimisticRehydration\",\n      )\n        ? 202\n        : 401;\n      return NextResponse.json(\n        { error: \"Not authenticated\" },\n        { status: statusCode },\n      );\n    }\n\n    const user = await civicAuth.getUser();\n\n    return NextResponse.json({ user });\n  } catch (error) {\n    logger.error(\"[USER_HANDLER] User endpoint error:\", error);\n    return NextResponse.json(\n      { error: \"Internal server error\" },\n      { status: 500 },\n    );\n  }\n}\n"]}