@civic/auth 0.9.6-beta.1 → 0.10.0-beta.0

package/dist/nextjs/routeHandler.js

@@ -1,18 +1,12 @@
-import { LOGOUT_SUCCESS_TEXT, TOKEN_EXCHANGE_SUCCESS_TEXT, TOKEN_EXCHANGE_TRIGGER_TEXT, } from "../constants.js";
+import { CivicAuth } from "@civic/auth/server";
+import { LOGOUT_SUCCESS_TEXT } from "../constants.js";
 import { loggers } from "../lib/logger.js";
-import { displayModeFromState, loginSuccessUrlFromState, serverTokenExchangeFromState, } from "../lib/oauth.js";
+import { displayModeFromState } from "../lib/oauth.js";
 import { resolveAuthConfig } from "../nextjs/config.js";
 import { clearAuthCookies, NextjsCookieStorage } from "../nextjs/cookies.js";
-import { getUser } from "../nextjs/index.js";
-import { resolveCallbackUrl } from "../nextjs/utils.js";
-import { resolveOAuthAccessCode } from "../server/login.js";
-import { GenericPublicClientPKCEProducer } from "../services/PKCE.js";
-import { CodeVerifier, OAuthTokenTypes } from "../shared/lib/types.js";
-import { GenericUserSession } from "../shared/lib/UserSession.js";
-import { clearTokens, generateOauthLogoutUrl } from "../shared/lib/util.js";
+import { CodeVerifier, UserStorage } from "../shared/lib/types.js";
 import { revalidatePath } from "next/cache.js";
 import { NextResponse } from "next/server.js";
-import { NextServerAuthenticationRefresherImpl } from "./NextServerAuthenticationRefresherImpl.js";
 const logger = loggers.nextjs.handlers.auth;
 class AuthError extends Error {
     status;
@@ -22,306 +16,176 @@ class AuthError extends Error {
         this.name = "AuthError";
     }
 }
-const tryUriDecode = (value) => {
-    try {
-        return decodeURIComponent(value);
-    }
-    catch (e) {
-        logger.error("Error decoding URI component:", e);
-        return value;
-    }
-};
-const getDecodedQueryParam = (request, paramName) => {
-    const queryParam = request.nextUrl.searchParams.get(paramName);
-    if (queryParam) {
-        return tryUriDecode(queryParam);
-    }
-    return null;
-};
-const getCookieOrQueryParam = (request, cookieName, queryName) => {
-    // First check the cookie as it might have the full path with base directory
-    const cookieValue = request.cookies.get(cookieName)?.value;
-    if (cookieValue) {
-        return tryUriDecode(cookieValue);
-    }
-    // Fallback to query parameter
-    return getDecodedQueryParam(request, queryName);
-};
-const getAppUrl = (request) => getCookieOrQueryParam(request, CodeVerifier.APP_URL, "appUrl");
-// The loginSuccessUrl can either be decoded from the state parameter, or passed as a cookie or query parameter
-const getLoginSuccessUrl = (request, baseUrl) => {
-    const loginSuccessUrl = loginSuccessUrlFromState(request.nextUrl.searchParams.get("state")) ||
-        getDecodedQueryParam(request, "loginSuccessUrl");
-    if (!loginSuccessUrl) {
-        return null;
-    }
-    return baseUrl ? new URL(loginSuccessUrl, baseUrl).href : loginSuccessUrl;
-};
-const getIdToken = async (config) => {
-    const cookieStorage = new NextjsCookieStorage(config.cookies?.tokens ?? {});
-    return cookieStorage.get(OAuthTokenTypes.ID_TOKEN);
-};
 /**
- * create a code verifier and challenge for PKCE
- * saving the verifier in a cookie for later use
- * @returns {Promise<NextResponse>}
+ * Helper to convert NextRequest to UrlDetectionRequest for framework-agnostic URL handling
  */
-async function handleChallenge(request, config) {
-    const cookieStorage = new NextjsCookieStorage(config.cookies?.tokens ?? {});
-    const pkceProducer = new GenericPublicClientPKCEProducer(cookieStorage);
-    const challenge = await pkceProducer.getCodeChallenge();
-    const appUrl = request.nextUrl.searchParams.get("appUrl");
-    if (appUrl) {
-        await cookieStorage.set(CodeVerifier.APP_URL, appUrl);
-    }
-    return NextResponse.json({ status: "success", challenge });
-}
-const getCookieStorageWithUserOverrides = (config) => {
-    const resolvedConfigs = resolveAuthConfig(config);
-    return new NextjsCookieStorage({
-        ...resolvedConfigs.cookies.tokens,
-        user: resolvedConfigs.cookies.user,
+const toUrlDetectionRequest = (request) => ({
+    url: request.url,
+    headers: Object.fromEntries(request.headers.entries()),
+    searchParams: {
+        get: (name) => request.nextUrl.searchParams.get(name),
+    },
+    cookies: {
+        get: (name) => request.cookies.get(name),
+    },
+});
+/**
+ * Helper to create CivicAuth instance for a request
+ * Now handles appUrl detection for proxy environments
+ */
+const createCivicAuth = (request, config) => {
+    const resolvedConfig = resolveAuthConfig(config);
+    const cookieStorage = new NextjsCookieStorage({
+        ...resolvedConfig.cookies?.tokens,
+        [UserStorage.USER]: resolvedConfig.cookies?.user,
+    });
+    // Convert to framework-agnostic request format
+    const urlDetectionRequest = toUrlDetectionRequest(request);
+    // Get appUrl from client (for proxy environments)
+    const clientAppUrl = CivicAuth.getAppUrl(urlDetectionRequest);
+    // Use baseUrl from config, then client appUrl, then request origin
+    // This matches the main branch priority: config > client > request
+    const appUrl = resolvedConfig.baseUrl ||
+        clientAppUrl ||
+        new URL(urlDetectionRequest.url).origin;
+    // Build absolute URLs using detected appUrl or request origin
+    const absoluteCallbackUrl = resolvedConfig.callbackUrl.startsWith("http")
+        ? resolvedConfig.callbackUrl
+        : CivicAuth.toAbsoluteUrl(urlDetectionRequest, resolvedConfig.callbackUrl, appUrl);
+    const absoluteLogoutCallbackUrl = resolvedConfig.logoutCallbackUrl.startsWith("http")
+        ? resolvedConfig.logoutCallbackUrl
+        : CivicAuth.toAbsoluteUrl(urlDetectionRequest, resolvedConfig.logoutCallbackUrl, appUrl);
+    const civicAuth = new CivicAuth(cookieStorage, {
+        clientId: resolvedConfig.clientId,
+        redirectUrl: absoluteCallbackUrl,
+        oauthServer: resolvedConfig.oauthServer,
+        postLogoutRedirectUrl: absoluteLogoutCallbackUrl,
+        loginSuccessUrl: request.url,
     });
+    return {
+        civicAuth,
+        cookieStorage,
+        appUrl, // Return appUrl for use in other functions
+        urlDetectionRequest, // Return for use in handlers
+    };
 };
-async function performTokenExchangeAndSetCookies(config, code, state, appUrl) {
+/**
+ * Login handler - backend OAuth login initiation endpoint
+ * Uses CivicAuth.buildLoginUrl()
+ */
+async function handleLogin(request, config) {
     const resolvedConfigs = resolveAuthConfig(config);
-    // TODO This is messy, better would be to fix the config.cookies type to always be <name: settings>
-    // rather than nesting the tokens-related ones *and* code-verifier inside "tokens"
-    // (despite code-verifier not relating directly to tokens)
-    const cookieStorage = getCookieStorageWithUserOverrides(config);
-    const callbackUrl = resolveCallbackUrl(resolvedConfigs, appUrl);
     try {
-        await resolveOAuthAccessCode(code, state, cookieStorage, {
-            ...resolvedConfigs,
-            redirectUrl: callbackUrl,
+        const frontendState = request.nextUrl.searchParams.get("state");
+        // Store appUrl in cookie if provided as query parameter
+        const appUrlFromQuery = request.nextUrl.searchParams.get("appUrl");
+        if (appUrlFromQuery) {
+            const cookieStorage = new NextjsCookieStorage(resolvedConfigs.cookies?.tokens ?? {});
+            await cookieStorage.set(CodeVerifier.APP_URL, appUrlFromQuery);
+        }
+        const { civicAuth } = createCivicAuth(request, resolvedConfigs);
+        const url = await civicAuth.buildLoginUrl({
+            state: frontendState || undefined,
         });
+        logger.info("[LOGIN_HANDLER] Redirecting to OAuth login URL", {
+            loginUrl: url.toString(),
+        });
+        return NextResponse.redirect(url.toString());
     }
     catch (error) {
-        logger.error("Token exchange failed:", error);
-        throw new AuthError("Failed to authenticate user", 401);
-    }
-    const user = await getUser();
-    if (!user) {
-        throw new AuthError("Failed to get user info", 401);
+        logger.error("[LOGIN_HANDLER] Backend login error:", error);
+        const urlDetectionRequest = toUrlDetectionRequest(request);
+        const appUrl = CivicAuth.getAppUrl(urlDetectionRequest);
+        return NextResponse.redirect(CivicAuth.toAbsoluteUrl(urlDetectionRequest, "/?error=login_failed", appUrl));
     }
-    const userSession = new GenericUserSession(cookieStorage);
-    await userSession.set(user);
 }
 async function handleRefresh(request, config) {
     const resolvedConfigs = resolveAuthConfig(config);
-    const cookieStorage = getCookieStorageWithUserOverrides(config);
-    const userSession = new GenericUserSession(cookieStorage);
-    const targetUrl = request.nextUrl.searchParams.get("targetUrl");
     try {
-        const onError = (error) => {
-            logger.error("handleRefresh: Token refresh failed:", error);
-            throw new AuthError("Failed to refresh tokens", 500);
-        };
-        const refresher = await NextServerAuthenticationRefresherImpl.build({
-            clientId: resolvedConfigs.clientId,
-            oauthServer: resolvedConfigs.oauthServer,
-            redirectUrl: resolvedConfigs.callbackUrl,
-            refreshUrl: resolvedConfigs.refreshUrl,
-        }, cookieStorage, onError);
-        const tokens = await refresher.refreshAccessToken();
-        const user = await getUser();
-        if (!user) {
-            throw new AuthError("Failed to get user info", 401);
-        }
-        await userSession.set(user);
-        logger.debug("handleRefresh: Token refresh successful");
+        const { civicAuth } = createCivicAuth(request, resolvedConfigs);
+        await civicAuth.refreshTokens();
+        logger.info("[REFRESH_HANDLER] Tokens refreshed successfully");
+        const targetUrl = request.nextUrl.searchParams.get("targetUrl");
         if (targetUrl) {
             // Success: clear the refresh attempt tracking cookie and redirect to target
             const response = NextResponse.redirect(targetUrl);
             response.cookies.delete("_civic_last_refresh");
             return response;
         }
-        // For backend flows, tokens might be null since they're managed in HTTP-only cookies
-        const response = NextResponse.json({
+        return NextResponse.json({
             status: "success",
-            tokens: tokens || null,
+            message: "Tokens refreshed",
         });
-        return response;
     }
     catch (error) {
-        logger.error("handleRefresh: Token refresh failed, clearing tokens:", error);
-        await clearTokens(cookieStorage);
-        await userSession.clear();
+        logger.error("[REFRESH_HANDLER] Token refresh error:", error);
+        const targetUrl = request.nextUrl.searchParams.get("targetUrl");
         if (targetUrl) {
-            logger.warn("handleRefresh: Refresh failed, redirecting to targetUrl");
             return NextResponse.redirect(targetUrl);
         }
-        return NextResponse.json({ status: "failed" });
+        return NextResponse.json({ error: "Token refresh failed" }, { status: 500 });
     }
 }
-const generateHtmlResponseWithCallback = (request, callbackUrl, loginSuccessUrl) => {
-    // we need to replace the URL with resolved config in case the server is hosted
-    // behind a reverse proxy or load balancer
-    const requestUrl = new URL(request.url);
-    const fetchUrl = `${callbackUrl}?${requestUrl.searchParams.toString()}&sameDomainCallback=true`;
-    const loginSuccessSegment = loginSuccessUrl
-        ? `&loginSuccessUrl=${encodeURIComponent(loginSuccessUrl)}`
-        : "";
-    const html = `<html lang="en">
-  <body>
-      <span style="display:none">
-          <script>
-              window.onload = function () {
-                  // Get the complete URL including origin and path
-                  // This ensures we capture any base path like /directory
-                  const appUrl = window.location.href.substring(
-                    0,
-                    window.location.href.indexOf("/api/auth")
-                  );
-                  fetch('${fetchUrl}&appUrl=' + encodeURIComponent(appUrl) + '${loginSuccessSegment}').then((response) => {
-                      response.json().then((jsonResponse) => {
-                        // For login: Redirect back to the callback route, so Case 2 in handleTokenExchangeComplete will be triggered
-                        // For logout: Redirect to the postLogoutRedirectUrl
-                        if(jsonResponse.redirectUrl) {
-                          window.location.href = jsonResponse.redirectUrl;
-                        }
-                      });
-                  });
-              };
-          </script>
-      </span>
-  </body>
-</html>
-`;
-    const response = new NextResponse(html);
-    response.headers.set("Content-Type", "text/html; charset=utf-8");
-    return response;
-};
-const handleTokenExchangeComplete = async (params) => {
-    const { request, config, appUrl, loginSuccessUrl, state } = params;
-    // Case 1: We are being called via fetch to facilitate access to the cookies. Return success json. The iframe has javascript that will reload this route so Case 2 below will be triggered.
-    if (isCalledFromBrowserFetch(request)) {
-        logger.debug("CASE 1: sameDomainCallback=true, returning JSON response with redirect URL", { appUrl, loginSuccessUrl, callbackUrl: config.callbackUrl });
-        const currentUrl = new URL(request.url);
-        // When the client-side JS redirects back here, we don't want to hit this branch again because we can't return JSON from a redirect.
-        // So we strip off the sameDomainCallback parameter from the URL.
-        const newSearchParams = new URLSearchParams(currentUrl.search);
-        newSearchParams.delete("sameDomainCallback");
-        // We strip off the origin so reverse proxies don't break the redirect.
-        const redirectUrl = `${currentUrl.pathname}?${newSearchParams.toString()}${currentUrl.hash}`;
-        return NextResponse.json({
-            status: "success",
-            // This makes the iframe redirect back to this route, so Case 2 below will be triggered.
-            redirectUrl,
-        });
-    }
-    // Case 2: We are already authenticated and in iframe mode.
-    //    Case 2a: We have a custom loginSuccessUrl, so we have to trigger a top-level redirect to it. We do this by rendering a page with the TOKEN_EXCHANGE_SUCCESS_TEXT, which is then picked up by the iframe container.
-    //    Case 2b: We don't have a custom loginSuccessUrl, so we just redirect to the appUrl. If we don't do this, Cypress tests will fail in the 'no custom loginSuccessUrl' case, because in Cypress an iframe redirect is converted to a top-level redirect,
-    //      which means the iframe container no longer exists and so can't action the redirect.
-    const user = await getUser();
-    if (!!user && displayModeFromState(state, "iframe") === "iframe") {
-        if (loginSuccessUrl) {
-            logger.debug("CASE 2a: iframe mode with loginSuccessUrl configured. Returning TOKEN_EXCHANGE_SUCCESS_TEXT to trigger redirect to loginSuccessUrl if any", { loginSuccessUrl });
-            const response = new NextResponse(`<html lang="en"><span style="display:none">${TOKEN_EXCHANGE_SUCCESS_TEXT}</span></html>`);
-            response.headers.set("Content-Type", "text/html; charset=utf-8");
-            return response;
-        }
-        else {
-            logger.debug("CASE 2b: iframe mode with no loginSuccessUrl configured. Doing a normal redirect without relying on the iframe container to redirect.");
-            return NextResponse.redirect(`${appUrl}`);
-        }
-    }
-    // CASE 3: We're not in iframe mode. We can just do a stright http redirect to the final destination, which is either the loginSuccessUrl if specified, or the appUrl.
-    logger.debug("CASE 3: non-iframe mode, redirecting to loginSuccessUrl");
-    return NextResponse.redirect(`${loginSuccessUrl || appUrl}`);
-};
 async function handleCallback(request, config) {
     const resolvedConfigs = resolveAuthConfig(config);
     const code = request.nextUrl.searchParams.get("code");
     const state = request.nextUrl.searchParams.get("state");
+    const error = request.nextUrl.searchParams.get("error");
+    if (error) {
+        logger.error("OAuth error in callback:", error);
+        const urlDetectionRequest = toUrlDetectionRequest(request);
+        const appUrl = CivicAuth.getAppUrl(urlDetectionRequest);
+        return NextResponse.redirect(CivicAuth.toAbsoluteUrl(urlDetectionRequest, "/?error=oauth_error", appUrl));
+    }
     if (!code || !state)
         throw new AuthError("Bad parameters", 400);
-    // appUrl is passed from the client to the server in the query string
-    // this is necessary because the server does not have access to the client's window.location.origin
-    // and can not accurately determine the appUrl (specially if the app is behind a reverse proxy)
-    const appUrl = getAppUrl(request);
-    // If the integrator has specified a loginSuccessUrl, we'll send the user there after the login completes (including token exchange)
-    // We pass in the basePath from config to use as the baseUrl, because we might not have access to the app_url cookie at this point if this was a third-party redirect.
-    const loginSuccessUrl = getLoginSuccessUrl(request, appUrl);
-    const tokenExchangeCompleteParams = {
-        request,
-        config,
-        appUrl,
-        state,
-        loginSuccessUrl,
-    };
-    const user = await getUser();
-    if (user) {
-        // User already authenticated.
-        return handleTokenExchangeComplete(tokenExchangeCompleteParams);
-    }
-    // User not authenticated yet.
-    // If we have a code_verifier cookie and the appUrl, we can do a token exchange.
-    // Otherwise, just render an empty page.
-    // The initial redirect back from the auth server does not send cookies, because the redirect is from a 3rd-party domain.
-    // The client will make an additional call to this route with cookies included, at which point we do the token exchange.
-    const codeVerifier = request.cookies.get(CodeVerifier.COOKIE_NAME);
-    if (!codeVerifier || !appUrl) {
-        logger.debug("handleCallback no code_verifier found", {
+    try {
+        const { civicAuth, appUrl, urlDetectionRequest } = createCivicAuth(request, resolvedConfigs);
+        // Convert NextRequest to the format expected by handleCallback
+        const handleCallbackRequest = {
+            headers: Object.fromEntries(request.headers.entries()),
+            url: request.url.toString(),
+        };
+        // Get loginSuccessUrl with proper baseUrl handling
+        const loginSuccessUrl = CivicAuth.getLoginSuccessUrl(urlDetectionRequest, appUrl);
+        const frontendUrl = loginSuccessUrl || resolvedConfigs.loginSuccessUrl || "/";
+        // Use CivicAuth's smart callback handler
+        const result = await civicAuth.handleCallback({
+            code,
             state,
-            serverTokenExchange: serverTokenExchangeFromState(`${state}`),
+            req: handleCallbackRequest,
+        }, {
+            // Pass the properly resolved frontendUrl
+            frontendUrl: frontendUrl,
         });
-        let response = new NextResponse(`<html lang="en"><body><span style="display:none">${TOKEN_EXCHANGE_TRIGGER_TEXT}</span></body></html>`);
-        // in server-side token exchange mode we need to launch a page that will trigger the token exchange
-        // from the same domain, allowing it access to the code_verifier cookie
-        // we only need to do this in redirect mode, as the iframe already triggers a client-side token exchange
-        // if no code-verifier cookie is found
-        if (state && serverTokenExchangeFromState(state)) {
-            logger.debug("handleCallback serverTokenExchangeFromState, launching redirect page...", {
-                requestUrl: request.url,
-                configCallbackUrl: resolvedConfigs.callbackUrl,
-            });
-            // generate a page that will callback to the same domain, allowing access
-            // to the code_verifier cookie and passing the appUrl.
-            response = generateHtmlResponseWithCallback(request, resolvedConfigs.callbackUrl, loginSuccessUrl || undefined);
+        if (result.redirectTo) {
+            return NextResponse.redirect(CivicAuth.toAbsoluteUrl(urlDetectionRequest, result.redirectTo, appUrl));
         }
-        logger.debug(`handleCallback no code_verifier found, returning ${TOKEN_EXCHANGE_TRIGGER_TEXT}`);
-        return response;
-    }
-    await performTokenExchangeAndSetCookies(resolvedConfigs, code, state, appUrl);
-    return handleTokenExchangeComplete(tokenExchangeCompleteParams);
-}
-/**
- * If redirectPath is an absolute path, return it as-is.
- * Otherwise for relative paths, append it to the current domain.
- * @param redirectPath
- * @param currentBasePath
- * @returns
- */
-const getAbsoluteRedirectPath = (redirectPath, currentBasePath) => new URL(redirectPath, currentBasePath).href;
-const getPostLogoutRedirectUrl = (request, config) => {
-    const { loginUrl } = resolveAuthConfig(config);
-    // if we have a target URL in the request, it's come from civic middleware
-    // and we should use it as the redirect target.
-    const targetUrl = request.nextUrl.searchParams.get("targetUrl");
-    if (targetUrl) {
-        // If a targetUrl is provided, use it as the redirect target.
-        // This is useful for redirecting to a specific page after logout.
-        return targetUrl;
+        if (result.content) {
+            // Handle both string content and object content
+            if (typeof result.content === "string") {
+                return new NextResponse(result.content, {
+                    status: 200,
+                    headers: {
+                        "Content-Type": "text/html",
+                    },
+                });
+            }
+            else {
+                // Object content (JSON response)
+                return NextResponse.json(result.content);
+            }
+        }
+        // Fallback redirect
+        return NextResponse.redirect(CivicAuth.toAbsoluteUrl(urlDetectionRequest, "/", appUrl));
     }
-    const redirectTarget = loginUrl ?? "/";
-    // if the optional loginUrl is provided and it is an absolute URL,
-    // use it as the redirect target
-    const isAbsoluteRedirect = /^(https?:\/\/|www\.).+/i.test(redirectTarget);
-    if (isAbsoluteRedirect) {
-        return redirectTarget;
+    catch (error) {
+        logger.error("[CALLBACK_HANDLER] OAuth callback error:", error);
+        const urlDetectionRequest = toUrlDetectionRequest(request);
+        const appUrl = CivicAuth.getAppUrl(urlDetectionRequest);
+        return NextResponse.redirect(CivicAuth.toAbsoluteUrl(urlDetectionRequest, "/?error=callback_failed", appUrl));
     }
-    // if loginUrl is not defined, the appUrl is passed from the client to the server
-    // in the query string or cookies. This is necessary because the server does not
-    // have access to the client's window.location and can not accurately determine
-    // the appUrl (specially if the app is behind a reverse proxy).
-    const appUrl = getAppUrl(request);
-    if (appUrl)
-        return getAbsoluteRedirectPath(redirectTarget, appUrl);
-    // If we can't determine the post-logout redirect URL, fallback to the app root as it's the most likely location of the login page.
-    return request.nextUrl.origin;
-};
+}
 const revalidateUrlPath = async (url) => {
     try {
         const path = new URL(url).pathname;
@@ -333,86 +197,98 @@ const revalidateUrlPath = async (url) => {
 };
 export async function handleLogout(request, config) {
     const resolvedConfigs = resolveAuthConfig(config);
-    // Ensure we have the proper app URL including any base path
-    const appBaseUrl = getAppUrl(request) || request.url;
-    // Construct the post-logout URL with the base path included
-    const postLogoutUrl = new URL(resolvedConfigs.logoutCallbackUrl, appBaseUrl);
-    // read the id_token from the cookies
-    const idToken = await getIdToken(resolvedConfigs);
-    // read the state from the query parameters
+    // Get framework-agnostic request for URL utilities
+    const urlDetectionRequest = toUrlDetectionRequest(request);
+    const appUrl = CivicAuth.getAppUrl(urlDetectionRequest);
+    // Read the state from the query parameters
     const state = request.nextUrl.searchParams.get("state");
-    if (!state || !idToken) {
-        logger.error("handleLogout: missing state or idToken", {
-            hasState: !!state,
-            hasIdToken: !!idToken,
+    const clientLogoutRedirectUrl = request.nextUrl.searchParams.get("logoutRedirectUrl");
+    try {
+        logger.info("[LOGOUT_HANDLER] Backend logout endpoint called");
+        // If client provided a logoutRedirectUrl, override the config
+        let configToUse = resolvedConfigs;
+        if (clientLogoutRedirectUrl) {
+            configToUse = {
+                ...resolvedConfigs,
+                logoutCallbackUrl: clientLogoutRedirectUrl,
+            };
+            logger.info("[LOGOUT_HANDLER] Overriding logout callback URL", {
+                original: resolvedConfigs.logoutCallbackUrl,
+                override: clientLogoutRedirectUrl,
+            });
+        }
+        const { civicAuth } = createCivicAuth(request, configToUse);
+        // Always redirect to OAuth logout (like main branch)
+        // Don't validate session - even invalid local sessions should hit OAuth logout
+        logger.info("[LOGOUT_HANDLER] Processing logout request", {
+            state: !!state,
         });
-        await clearAuthCookies();
-        // if token or state is missing, the logout call to the server will fail,
-        // (token has potentially expired already) so go straight to the postLogoutUrl
-        //  so the user can be signed out.
-        return NextResponse.redirect(`${postLogoutUrl}${state ? "?state=" + state : ""}`);
+        // Always redirect to OAuth logout endpoint (like main branch)
+        // Client-side iframe logic will handle completion and redirect appropriately
+        const logoutUrl = await civicAuth.buildLogoutRedirectUrl({
+            state: state || undefined,
+        });
+        try {
+            await civicAuth.clearTokens();
+            // Revalidate current path to update authentication state in server components
+            await revalidateUrlPath(request.url);
+        }
+        catch (error) {
+            logger.error("[LOGOUT_HANDLER] Error clearing tokens:", error);
+        }
+        // Remove state parameter from logout URL to prevent it from appearing in frontend URL
+        const cleanLogoutUrl = new URL(logoutUrl);
+        cleanLogoutUrl.searchParams.delete("state");
+        logger.info("[LOGOUT_HANDLER] Redirecting to OAuth logout endpoint", {
+            logoutUrl: cleanLogoutUrl.toString(),
+        });
+        return NextResponse.redirect(cleanLogoutUrl.toString());
     }
-    const displayMode = displayModeFromState(state, "iframe");
-    if (displayMode === "iframe") {
-        // clear auth cookies immediately before calling the logout endpoint to give faster UX
+    catch (error) {
+        logger.error("[LOGOUT_HANDLER] Logout error:", error);
+        // If logout URL generation fails, clear tokens and redirect to home
         await clearAuthCookies();
-        await revalidateUrlPath(request.url);
+        const fallbackUrl = clientLogoutRedirectUrl || resolvedConfigs.logoutCallbackUrl;
+        const finalFallbackUrl = CivicAuth.toAbsoluteUrl(urlDetectionRequest, fallbackUrl, appUrl);
+        return NextResponse.redirect(finalFallbackUrl);
     }
-    const logoutUrl = await generateOauthLogoutUrl({
-        clientId: resolvedConfigs.clientId,
-        idToken,
-        state,
-        redirectUrl: postLogoutUrl.href,
-        oauthServer: resolvedConfigs.oauthServer,
-    });
-    return NextResponse.redirect(`${logoutUrl.href}`);
 }
-const isCalledFromBrowserFetch = (request) => request.url.includes("sameDomainCallback=true");
-const handleLogoutComplete = async (params) => {
-    const { request, resolvedConfigs } = params;
-    const state = request.nextUrl.searchParams.get("state");
-    const postLogoutRedirectUrl = getPostLogoutRedirectUrl(request, resolvedConfigs);
-    // If this is a FETCH call, we can only return json. Trying to redirect or return HTML will fail.
-    if (isCalledFromBrowserFetch(request)) {
-        logger.debug("handleLogoutComplete: sameDomainCallback=true, returning JSON response with redirect URL", { postLogoutRedirectUrl });
-        // The client-side JS will do a window.location.href redirect to postLogoutRedirectUrl when this request returns success.
-        return NextResponse.json({
-            status: "success",
-            redirectUrl: postLogoutRedirectUrl,
-        });
-    }
-    // If this is a redirect inside an iframe and the user is indeed logged out, render some text that makes the parent redirect to the postLogoutRedirectUrl.
-    const user = await getUser();
-    if (!user && !!state && displayModeFromState(state, "iframe") === "iframe") {
-        // User is logged out while in an iframe redirect (not a FETCH call).
-        // Render some text to make the CivicLogoutIframeContainer redirect to the postLogoutRedirectUrl.
-        const response = new NextResponse(`<html lang="en"><span style="display:none">${LOGOUT_SUCCESS_TEXT}<a href="${[postLogoutRedirectUrl]}" rel="civic-auth-post-logout-redirect-url"></a></span></html>`);
-        response.headers.set("Content-Type", "text/html; charset=utf-8");
-        logger.debug("handleLogoutComplete: iframe mode, rendering HTML with logout success text", { postLogoutRedirectUrl });
-        return response;
-    }
-    logger.debug("handleLogoutComplete: redirecting to postLogoutRedirectUrl", {
-        postLogoutRedirectUrl,
-    });
-    revalidateUrlPath(postLogoutRedirectUrl);
-    return NextResponse.redirect(postLogoutRedirectUrl);
-};
 export async function handleLogoutCallback(request, config) {
     const resolvedConfigs = resolveAuthConfig(config);
-    const canAccessCookies = !!(await getIdToken(resolvedConfigs));
-    // If we have access to cookies, clear them.
-    if (canAccessCookies) {
-        logger.debug("handleLogoutCallback can access cookies: clearing auth cookies");
+    try {
+        logger.info("[LOGOUT_CALLBACK_HANDLER] Backend logout callback endpoint called");
+        // Clear authentication cookies
         await clearAuthCookies();
-        return handleLogoutComplete({ request, resolvedConfigs });
+        // Get framework-agnostic request and create CivicAuth instance
+        const urlDetectionRequest = toUrlDetectionRequest(request);
+        const { civicAuth } = createCivicAuth(request, resolvedConfigs);
+        // Get the state parameter for iframe detection
+        const state = request.nextUrl.searchParams.get("state");
+        // If this is an iframe request, return HTML with logout success signal
+        if (state && displayModeFromState(state, "iframe") === "iframe") {
+            // For iframe mode, include the post-logout redirect URL in the HTML
+            const postLogoutRedirectUrl = civicAuth.getPostLogoutRedirectUrl(urlDetectionRequest);
+            const response = new NextResponse(`<html lang="en"><span style="display:none">${LOGOUT_SUCCESS_TEXT}<a href="${postLogoutRedirectUrl}" rel="civic-auth-post-logout-redirect-url"></a></span></html>`);
+            response.headers.set("Content-Type", "text/html; charset=utf-8");
+            logger.info("[LOGOUT_CALLBACK_HANDLER] Returning iframe logout success HTML", { postLogoutRedirectUrl });
+            return response;
+        }
+        // For non-iframe requests, redirect to the logout callback URL or post-logout URL
+        const redirectUrl = civicAuth.getPostLogoutRedirectUrl(urlDetectionRequest);
+        logger.info("[LOGOUT_CALLBACK_HANDLER] Redirecting to logout callback URL", {
+            logoutCallbackUrl: resolvedConfigs.logoutCallbackUrl,
+            redirectUrl,
+        });
+        // Revalidate the redirect path to update authentication state in server components
+        await revalidateUrlPath(redirectUrl);
+        return NextResponse.redirect(redirectUrl);
+    }
+    catch (error) {
+        logger.error("[LOGOUT_CALLBACK_HANDLER] Logout callback error:", error);
+        const urlDetectionRequest = toUrlDetectionRequest(request);
+        const appUrl = CivicAuth.getAppUrl(urlDetectionRequest);
+        return NextResponse.redirect(CivicAuth.toAbsoluteUrl(urlDetectionRequest, resolvedConfigs.logoutCallbackUrl, appUrl));
     }
-    logger.debug("handleLogoutCallback cannot access cookies: generating HTML response with callback");
-    // If we don't have access to cookies, render some javascript to the client that will:
-    // 1. make a same-domain fetch call back to this endpoint and receive a '{status: "success"}' back.
-    // 2. On status: success, set the window.location.href to the post-logout redirect URL (usually the appUrl).
-    return generateHtmlResponseWithCallback(request, 
-    // The client-side JS will make a fetch call back to this URL.
-    resolvedConfigs.logoutCallbackUrl);
 }
 /**
  * Creates an authentication handler for Next.js API routes
@@ -434,7 +310,8 @@ export const handler = (authConfig = {}) => async (request) => {
         const lastSegment = pathSegments[pathSegments.length - 1];
         switch (lastSegment) {
             case "challenge":
-                return await handleChallenge(request, config);
+            case "login":
+                return await handleLogin(request, config);
             case "callback":
                 return await handleCallback(request, config);
             case "refresh":
@@ -443,6 +320,8 @@ export const handler = (authConfig = {}) => async (request) => {
                 return await handleLogout(request, config);
             case "logoutcallback":
                 return await handleLogoutCallback(request, config);
+            case "user":
+                return await handleUser(request, config);
             default:
                 throw new AuthError(`Invalid auth route: ${pathname}`, 404);
         }
@@ -456,4 +335,24 @@ export const handler = (authConfig = {}) => async (request) => {
         return response;
     }
 };
+/**
+ * User endpoint - returns current user data as JSON
+ * Uses CivicAuth.isLoggedIn() and getUser()
+ */
+async function handleUser(request, config) {
+    const resolvedConfigs = resolveAuthConfig(config);
+    try {
+        const { civicAuth } = createCivicAuth(request, resolvedConfigs);
+        const isLoggedIn = await civicAuth.isLoggedIn();
+        if (!isLoggedIn) {
+            return NextResponse.json({ error: "Not authenticated" }, { status: 401 });
+        }
+        const user = await civicAuth.getUser();
+        return NextResponse.json({ user });
+    }
+    catch (error) {
+        logger.error("[USER_HANDLER] User endpoint error:", error);
+        return NextResponse.json({ error: "Internal server error" }, { status: 500 });
+    }
+}
 //# sourceMappingURL=routeHandler.js.map