@dalgoridim/headless-cms 0.1.0

package/dist/auth/firebase/client/index.js

@@ -0,0 +1,138 @@
+"use client";
+
+// src/auth/firebase/client/index.tsx
+import {
+  createContext,
+  useContext,
+  useEffect,
+  useState
+} from "react";
+import {
+  signInWithPopup,
+  signInWithEmailAndPassword,
+  signOut,
+  onAuthStateChanged
+} from "firebase/auth";
+import { CmsAuthProvider } from "@dalgoridim/headless-cms/client";
+import { jsx } from "react/jsx-runtime";
+var FirebaseAuthContext = createContext(
+  void 0
+);
+function setCookie(name, value) {
+  document.cookie = `${name}=${encodeURIComponent(value)}; path=/`;
+}
+function deleteCookie(name) {
+  document.cookie = `${name}=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT`;
+}
+function FirebaseAuthProvider({
+  children,
+  auth,
+  googleProvider,
+  cookieName = "adminToken",
+  onLogout
+}) {
+  const [user, setUser] = useState(null);
+  const [isAdmin, setIsAdmin] = useState(false);
+  const [isEditing, setIsEditing] = useState(false);
+  useEffect(() => {
+    const unsubscribe = onAuthStateChanged(auth, async (u) => {
+      if (!u) {
+        setUser(null);
+        setIsAdmin(false);
+        deleteCookie(cookieName);
+        return;
+      }
+      const tokenResult = await u.getIdTokenResult();
+      const admin = !!tokenResult.claims.admin;
+      if (!admin) {
+        await signOut(auth);
+        setUser(null);
+        setIsAdmin(false);
+        deleteCookie(cookieName);
+        return;
+      }
+      setUser(u);
+      setIsAdmin(true);
+      setCookie(cookieName, tokenResult.token);
+    });
+    return () => unsubscribe();
+  }, [auth, cookieName]);
+  useEffect(() => {
+    const originalFetch = window.fetch;
+    window.fetch = async (...args) => {
+      const response = await originalFetch(...args);
+      if (response.status === 401) {
+        try {
+          const data = await response.clone().json();
+          if (data == null ? void 0 : data.logout) {
+            await signOut(auth);
+            setUser(null);
+            setIsAdmin(false);
+            setIsEditing(false);
+            deleteCookie(cookieName);
+            onLogout == null ? void 0 : onLogout();
+          }
+        } catch (e) {
+        }
+      }
+      return response;
+    };
+    return () => {
+      window.fetch = originalFetch;
+    };
+  }, [auth, cookieName, onLogout]);
+  const requireAdminClaim = async (u) => {
+    const tokenResult = await u.getIdTokenResult();
+    if (!tokenResult.claims.admin) {
+      await signOut(auth);
+      throw new Error("Unauthorized");
+    }
+    setUser(u);
+    setIsAdmin(true);
+    setCookie(cookieName, tokenResult.token);
+  };
+  const loginWithGoogle = async () => {
+    if (!googleProvider)
+      throw new Error("FirebaseAuthProvider: googleProvider not configured");
+    const result = await signInWithPopup(auth, googleProvider);
+    await requireAdminClaim(result.user);
+  };
+  const loginWithEmail = async (email, password) => {
+    const result = await signInWithEmailAndPassword(auth, email, password);
+    await requireAdminClaim(result.user);
+  };
+  const logout = async () => {
+    await signOut(auth);
+    setUser(null);
+    setIsAdmin(false);
+    setIsEditing(false);
+    deleteCookie(cookieName);
+  };
+  const toggleEdit = () => setIsEditing((p) => !p);
+  return /* @__PURE__ */ jsx(
+    FirebaseAuthContext.Provider,
+    {
+      value: {
+        user,
+        isAdmin,
+        isEditing,
+        toggleEdit,
+        loginWithGoogle,
+        loginWithEmail,
+        logout
+      },
+      children: /* @__PURE__ */ jsx(CmsAuthProvider, { value: { isAdmin, isEditing, toggleEdit }, children })
+    }
+  );
+}
+function useFirebaseAuth() {
+  const ctx = useContext(FirebaseAuthContext);
+  if (!ctx)
+    throw new Error("useFirebaseAuth must be used within a FirebaseAuthProvider");
+  return ctx;
+}
+export {
+  FirebaseAuthProvider,
+  useFirebaseAuth
+};
+//# sourceMappingURL=index.js.map

package/dist/auth/firebase/client/index.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../../../../src/auth/firebase/client/index.tsx"],"sourcesContent":["\"use client\";\n\nimport {\n  createContext,\n  useContext,\n  useEffect,\n  useState,\n  type ReactNode,\n} from \"react\";\nimport {\n  signInWithPopup,\n  signInWithEmailAndPassword,\n  signOut,\n  onAuthStateChanged,\n  type Auth,\n  type User,\n  type GoogleAuthProvider,\n} from \"firebase/auth\";\n// Imported via the public specifier so we share the SAME context instance as\n// the consumer's edit primitives at runtime (see tsup `external` + tsconfig paths).\nimport { CmsAuthProvider } from \"@dalgoridim/headless-cms/client\";\n\nexport interface FirebaseAuthProviderProps {\n  children: ReactNode;\n  /** A Firebase `Auth` instance from the consumer's app config. */\n  auth: Auth;\n  /** Optional Google provider for `loginWithGoogle`. */\n  googleProvider?: GoogleAuthProvider;\n  /** Cookie name for the ID token. Default `adminToken`. */\n  cookieName?: string;\n  /** Called when a 401 `{ logout: true }` response is intercepted. */\n  onLogout?: () => void;\n}\n\ninterface FirebaseAuthContextValue {\n  user: User | null;\n  isAdmin: boolean;\n  isEditing: boolean;\n  toggleEdit: () => void;\n  loginWithGoogle: () => Promise<void>;\n  loginWithEmail: (email: string, password: string) => Promise<void>;\n  logout: () => Promise<void>;\n}\n\nconst FirebaseAuthContext = createContext<FirebaseAuthContextValue | undefined>(\n  undefined,\n);\n\nfunction setCookie(name: string, value: string) {\n  document.cookie = `${name}=${encodeURIComponent(value)}; path=/`;\n}\nfunction deleteCookie(name: string) {\n  document.cookie = `${name}=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT`;\n}\n\nexport function FirebaseAuthProvider({\n  children,\n  auth,\n  googleProvider,\n  cookieName = \"adminToken\",\n  onLogout,\n}: FirebaseAuthProviderProps) {\n  const [user, setUser] = useState<User | null>(null);\n  const [isAdmin, setIsAdmin] = useState(false);\n  const [isEditing, setIsEditing] = useState(false);\n\n  useEffect(() => {\n    const unsubscribe = onAuthStateChanged(auth, async (u) => {\n      if (!u) {\n        setUser(null);\n        setIsAdmin(false);\n        deleteCookie(cookieName);\n        return;\n      }\n      const tokenResult = await u.getIdTokenResult();\n      const admin = !!tokenResult.claims.admin;\n      if (!admin) {\n        await signOut(auth);\n        setUser(null);\n        setIsAdmin(false);\n        deleteCookie(cookieName);\n        return;\n      }\n      setUser(u);\n      setIsAdmin(true);\n      setCookie(cookieName, tokenResult.token);\n    });\n    return () => unsubscribe();\n  }, [auth, cookieName]);\n\n  // Intercept admin 401s so an expired session forces sign-out.\n  useEffect(() => {\n    const originalFetch = window.fetch;\n    window.fetch = async (...args: Parameters<typeof fetch>) => {\n      const response = await originalFetch(...args);\n      if (response.status === 401) {\n        try {\n          const data = await response.clone().json();\n          if (data?.logout) {\n            await signOut(auth);\n            setUser(null);\n            setIsAdmin(false);\n            setIsEditing(false);\n            deleteCookie(cookieName);\n            onLogout?.();\n          }\n        } catch {\n          /* not a JSON body — ignore */\n        }\n      }\n      return response;\n    };\n    return () => {\n      window.fetch = originalFetch;\n    };\n  }, [auth, cookieName, onLogout]);\n\n  const requireAdminClaim = async (u: User) => {\n    const tokenResult = await u.getIdTokenResult();\n    if (!tokenResult.claims.admin) {\n      await signOut(auth);\n      throw new Error(\"Unauthorized\");\n    }\n    setUser(u);\n    setIsAdmin(true);\n    setCookie(cookieName, tokenResult.token);\n  };\n\n  const loginWithGoogle = async () => {\n    if (!googleProvider)\n      throw new Error(\"FirebaseAuthProvider: googleProvider not configured\");\n    const result = await signInWithPopup(auth, googleProvider);\n    await requireAdminClaim(result.user);\n  };\n\n  const loginWithEmail = async (email: string, password: string) => {\n    const result = await signInWithEmailAndPassword(auth, email, password);\n    await requireAdminClaim(result.user);\n  };\n\n  const logout = async () => {\n    await signOut(auth);\n    setUser(null);\n    setIsAdmin(false);\n    setIsEditing(false);\n    deleteCookie(cookieName);\n  };\n\n  const toggleEdit = () => setIsEditing((p) => !p);\n\n  return (\n    <FirebaseAuthContext.Provider\n      value={{\n        user,\n        isAdmin,\n        isEditing,\n        toggleEdit,\n        loginWithGoogle,\n        loginWithEmail,\n        logout,\n      }}\n    >\n      <CmsAuthProvider value={{ isAdmin, isEditing, toggleEdit }}>\n        {children}\n      </CmsAuthProvider>\n    </FirebaseAuthContext.Provider>\n  );\n}\n\n/** Extended Firebase auth API (login/logout/user) for login pages and toolbars. */\nexport function useFirebaseAuth(): FirebaseAuthContextValue {\n  const ctx = useContext(FirebaseAuthContext);\n  if (!ctx)\n    throw new Error(\"useFirebaseAuth must be used within a FirebaseAuthProvider\");\n  return ctx;\n}\n"],"mappings":";;;AAEA;AAAA,EACE;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,OAEK;AACP;AAAA,EACE;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,OAIK;AAGP,SAAS,uBAAuB;AA8I1B;AAtHN,IAAM,sBAAsB;AAAA,EAC1B;AACF;AAEA,SAAS,UAAU,MAAc,OAAe;AAC9C,WAAS,SAAS,GAAG,IAAI,IAAI,mBAAmB,KAAK,CAAC;AACxD;AACA,SAAS,aAAa,MAAc;AAClC,WAAS,SAAS,GAAG,IAAI;AAC3B;AAEO,SAAS,qBAAqB;AAAA,EACnC;AAAA,EACA;AAAA,EACA;AAAA,EACA,aAAa;AAAA,EACb;AACF,GAA8B;AAC5B,QAAM,CAAC,MAAM,OAAO,IAAI,SAAsB,IAAI;AAClD,QAAM,CAAC,SAAS,UAAU,IAAI,SAAS,KAAK;AAC5C,QAAM,CAAC,WAAW,YAAY,IAAI,SAAS,KAAK;AAEhD,YAAU,MAAM;AACd,UAAM,cAAc,mBAAmB,MAAM,OAAO,MAAM;AACxD,UAAI,CAAC,GAAG;AACN,gBAAQ,IAAI;AACZ,mBAAW,KAAK;AAChB,qBAAa,UAAU;AACvB;AAAA,MACF;AACA,YAAM,cAAc,MAAM,EAAE,iBAAiB;AAC7C,YAAM,QAAQ,CAAC,CAAC,YAAY,OAAO;AACnC,UAAI,CAAC,OAAO;AACV,cAAM,QAAQ,IAAI;AAClB,gBAAQ,IAAI;AACZ,mBAAW,KAAK;AAChB,qBAAa,UAAU;AACvB;AAAA,MACF;AACA,cAAQ,CAAC;AACT,iBAAW,IAAI;AACf,gBAAU,YAAY,YAAY,KAAK;AAAA,IACzC,CAAC;AACD,WAAO,MAAM,YAAY;AAAA,EAC3B,GAAG,CAAC,MAAM,UAAU,CAAC;AAGrB,YAAU,MAAM;AACd,UAAM,gBAAgB,OAAO;AAC7B,WAAO,QAAQ,UAAU,SAAmC;AAC1D,YAAM,WAAW,MAAM,cAAc,GAAG,IAAI;AAC5C,UAAI,SAAS,WAAW,KAAK;AAC3B,YAAI;AACF,gBAAM,OAAO,MAAM,SAAS,MAAM,EAAE,KAAK;AACzC,cAAI,6BAAM,QAAQ;AAChB,kBAAM,QAAQ,IAAI;AAClB,oBAAQ,IAAI;AACZ,uBAAW,KAAK;AAChB,yBAAa,KAAK;AAClB,yBAAa,UAAU;AACvB;AAAA,UACF;AAAA,QACF,SAAQ;AAAA,QAER;AAAA,MACF;AACA,aAAO;AAAA,IACT;AACA,WAAO,MAAM;AACX,aAAO,QAAQ;AAAA,IACjB;AAAA,EACF,GAAG,CAAC,MAAM,YAAY,QAAQ,CAAC;AAE/B,QAAM,oBAAoB,OAAO,MAAY;AAC3C,UAAM,cAAc,MAAM,EAAE,iBAAiB;AAC7C,QAAI,CAAC,YAAY,OAAO,OAAO;AAC7B,YAAM,QAAQ,IAAI;AAClB,YAAM,IAAI,MAAM,cAAc;AAAA,IAChC;AACA,YAAQ,CAAC;AACT,eAAW,IAAI;AACf,cAAU,YAAY,YAAY,KAAK;AAAA,EACzC;AAEA,QAAM,kBAAkB,YAAY;AAClC,QAAI,CAAC;AACH,YAAM,IAAI,MAAM,qDAAqD;AACvE,UAAM,SAAS,MAAM,gBAAgB,MAAM,cAAc;AACzD,UAAM,kBAAkB,OAAO,IAAI;AAAA,EACrC;AAEA,QAAM,iBAAiB,OAAO,OAAe,aAAqB;AAChE,UAAM,SAAS,MAAM,2BAA2B,MAAM,OAAO,QAAQ;AACrE,UAAM,kBAAkB,OAAO,IAAI;AAAA,EACrC;AAEA,QAAM,SAAS,YAAY;AACzB,UAAM,QAAQ,IAAI;AAClB,YAAQ,IAAI;AACZ,eAAW,KAAK;AAChB,iBAAa,KAAK;AAClB,iBAAa,UAAU;AAAA,EACzB;AAEA,QAAM,aAAa,MAAM,aAAa,CAAC,MAAM,CAAC,CAAC;AAE/C,SACE;AAAA,IAAC,oBAAoB;AAAA,IAApB;AAAA,MACC,OAAO;AAAA,QACL;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,MACF;AAAA,MAEA,8BAAC,mBAAgB,OAAO,EAAE,SAAS,WAAW,WAAW,GACtD,UACH;AAAA;AAAA,EACF;AAEJ;AAGO,SAAS,kBAA4C;AAC1D,QAAM,MAAM,WAAW,mBAAmB;AAC1C,MAAI,CAAC;AACH,UAAM,IAAI,MAAM,4DAA4D;AAC9E,SAAO;AACT;","names":[]}

package/dist/auth/firebase/index.cjs

@@ -0,0 +1,81 @@
+"use strict";
+var __create = Object.create;
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __getProtoOf = Object.getPrototypeOf;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toESM = (mod, isNodeMode, target) => (target = mod != null ? __create(__getProtoOf(mod)) : {}, __copyProps(
+  // If the importer is in node compatibility mode or this is not an ESM
+  // file that has been converted to a CommonJS file using a Babel-
+  // compatible transform (i.e. "__esModule" has not been set), then set
+  // "default" to the CommonJS "module.exports" for node compatibility.
+  isNodeMode || !mod || !mod.__esModule ? __defProp(target, "default", { value: mod, enumerable: true }) : target,
+  mod
+));
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+
+// src/auth/firebase/index.ts
+var firebase_exports = {};
+__export(firebase_exports, {
+  firebaseAuth: () => firebaseAuth
+});
+module.exports = __toCommonJS(firebase_exports);
+var import_firebase_admin = __toESM(require("firebase-admin"), 1);
+function readCookie(req, name) {
+  const header = req.headers.get("cookie");
+  if (!header) return null;
+  for (const part of header.split(";")) {
+    const [k, ...v] = part.trim().split("=");
+    if (k === name) return decodeURIComponent(v.join("="));
+  }
+  return null;
+}
+function firebaseAuth(config) {
+  var _a;
+  const cookieName = (_a = config.cookieName) != null ? _a : "adminToken";
+  const allowed = config.adminEmails.map((e) => e.trim());
+  if (!import_firebase_admin.default.apps.length && config.credentials) {
+    const c = config.credentials;
+    import_firebase_admin.default.initializeApp({
+      credential: import_firebase_admin.default.credential.cert({
+        projectId: c.projectId,
+        clientEmail: c.clientEmail,
+        privateKey: c.privateKey
+      }),
+      databaseURL: c.databaseURL
+    });
+  }
+  return {
+    async verifyRequest(req) {
+      var _a2;
+      const token = readCookie(req, cookieName);
+      if (!token) return null;
+      let decoded;
+      try {
+        decoded = await import_firebase_admin.default.auth().verifyIdToken(token);
+      } catch (e) {
+        return null;
+      }
+      const isAdmin = !!decoded.admin && allowed.includes((_a2 = decoded.email) != null ? _a2 : "");
+      return { userId: decoded.uid, email: decoded.email, isAdmin };
+    }
+  };
+}
+// Annotate the CommonJS export names for ESM import in node:
+0 && (module.exports = {
+  firebaseAuth
+});
+//# sourceMappingURL=index.cjs.map

package/dist/auth/firebase/index.cjs.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../../../src/auth/firebase/index.ts"],"sourcesContent":["import admin from \"firebase-admin\";\nimport type { AuthAdapter, AuthIdentity } from \"../../types\";\n\nexport interface FirebaseAuthConfig {\n  /** Allowlist of admin emails. Both the `admin` claim AND this list must agree. */\n  adminEmails: string[];\n  /** Cookie carrying the Firebase ID token. Default `adminToken`. */\n  cookieName?: string;\n  /** Service-account credentials (only used if firebase-admin isn't initialized). */\n  credentials?: {\n    projectId?: string;\n    clientEmail?: string;\n    privateKey?: string;\n    databaseURL?: string;\n  };\n}\n\nfunction readCookie(req: Request, name: string): string | null {\n  const header = req.headers.get(\"cookie\");\n  if (!header) return null;\n  for (const part of header.split(\";\")) {\n    const [k, ...v] = part.trim().split(\"=\");\n    if (k === name) return decodeURIComponent(v.join(\"=\"));\n  }\n  return null;\n}\n\n/**\n * Server auth adapter backed by Firebase ID tokens. Verifies the token from the\n * cookie and requires both the `admin` custom claim and membership in\n * `adminEmails`.\n */\nexport function firebaseAuth(config: FirebaseAuthConfig): AuthAdapter {\n  const cookieName = config.cookieName ?? \"adminToken\";\n  const allowed = config.adminEmails.map((e) => e.trim());\n\n  if (!admin.apps.length && config.credentials) {\n    const c = config.credentials;\n    admin.initializeApp({\n      credential: admin.credential.cert({\n        projectId: c.projectId,\n        clientEmail: c.clientEmail,\n        privateKey: c.privateKey,\n      }),\n      databaseURL: c.databaseURL,\n    });\n  }\n\n  return {\n    async verifyRequest(req: Request): Promise<AuthIdentity | null> {\n      const token = readCookie(req, cookieName);\n      if (!token) return null;\n\n      let decoded;\n      try {\n        decoded = await admin.auth().verifyIdToken(token);\n      } catch {\n        // Expired/invalid token → treat as unauthorized so the gate returns a\n        // 401 { logout: true } and the client can force sign-out.\n        return null;\n      }\n\n      const isAdmin =\n        !!decoded.admin && allowed.includes(decoded.email ?? \"\");\n\n      return { userId: decoded.uid, email: decoded.email, isAdmin };\n    },\n  };\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,4BAAkB;AAiBlB,SAAS,WAAW,KAAc,MAA6B;AAC7D,QAAM,SAAS,IAAI,QAAQ,IAAI,QAAQ;AACvC,MAAI,CAAC,OAAQ,QAAO;AACpB,aAAW,QAAQ,OAAO,MAAM,GAAG,GAAG;AACpC,UAAM,CAAC,GAAG,GAAG,CAAC,IAAI,KAAK,KAAK,EAAE,MAAM,GAAG;AACvC,QAAI,MAAM,KAAM,QAAO,mBAAmB,EAAE,KAAK,GAAG,CAAC;AAAA,EACvD;AACA,SAAO;AACT;AAOO,SAAS,aAAa,QAAyC;AAhCtE;AAiCE,QAAM,cAAa,YAAO,eAAP,YAAqB;AACxC,QAAM,UAAU,OAAO,YAAY,IAAI,CAAC,MAAM,EAAE,KAAK,CAAC;AAEtD,MAAI,CAAC,sBAAAA,QAAM,KAAK,UAAU,OAAO,aAAa;AAC5C,UAAM,IAAI,OAAO;AACjB,0BAAAA,QAAM,cAAc;AAAA,MAClB,YAAY,sBAAAA,QAAM,WAAW,KAAK;AAAA,QAChC,WAAW,EAAE;AAAA,QACb,aAAa,EAAE;AAAA,QACf,YAAY,EAAE;AAAA,MAChB,CAAC;AAAA,MACD,aAAa,EAAE;AAAA,IACjB,CAAC;AAAA,EACH;AAEA,SAAO;AAAA,IACL,MAAM,cAAc,KAA4C;AAjDpE,UAAAC;AAkDM,YAAM,QAAQ,WAAW,KAAK,UAAU;AACxC,UAAI,CAAC,MAAO,QAAO;AAEnB,UAAI;AACJ,UAAI;AACF,kBAAU,MAAM,sBAAAD,QAAM,KAAK,EAAE,cAAc,KAAK;AAAA,MAClD,SAAQ;AAGN,eAAO;AAAA,MACT;AAEA,YAAM,UACJ,CAAC,CAAC,QAAQ,SAAS,QAAQ,UAASC,MAAA,QAAQ,UAAR,OAAAA,MAAiB,EAAE;AAEzD,aAAO,EAAE,QAAQ,QAAQ,KAAK,OAAO,QAAQ,OAAO,QAAQ;AAAA,IAC9D;AAAA,EACF;AACF;","names":["admin","_a"]}

package/dist/auth/firebase/index.d.cts

@@ -0,0 +1,23 @@
+import { AuthAdapter } from '../../index.cjs';
+
+interface FirebaseAuthConfig {
+    /** Allowlist of admin emails. Both the `admin` claim AND this list must agree. */
+    adminEmails: string[];
+    /** Cookie carrying the Firebase ID token. Default `adminToken`. */
+    cookieName?: string;
+    /** Service-account credentials (only used if firebase-admin isn't initialized). */
+    credentials?: {
+        projectId?: string;
+        clientEmail?: string;
+        privateKey?: string;
+        databaseURL?: string;
+    };
+}
+/**
+ * Server auth adapter backed by Firebase ID tokens. Verifies the token from the
+ * cookie and requires both the `admin` custom claim and membership in
+ * `adminEmails`.
+ */
+declare function firebaseAuth(config: FirebaseAuthConfig): AuthAdapter;
+
+export { type FirebaseAuthConfig, firebaseAuth };

package/dist/auth/firebase/index.d.ts

@@ -0,0 +1,23 @@
+import { AuthAdapter } from '../../index.js';
+
+interface FirebaseAuthConfig {
+    /** Allowlist of admin emails. Both the `admin` claim AND this list must agree. */
+    adminEmails: string[];
+    /** Cookie carrying the Firebase ID token. Default `adminToken`. */
+    cookieName?: string;
+    /** Service-account credentials (only used if firebase-admin isn't initialized). */
+    credentials?: {
+        projectId?: string;
+        clientEmail?: string;
+        privateKey?: string;
+        databaseURL?: string;
+    };
+}
+/**
+ * Server auth adapter backed by Firebase ID tokens. Verifies the token from the
+ * cookie and requires both the `admin` custom claim and membership in
+ * `adminEmails`.
+ */
+declare function firebaseAuth(config: FirebaseAuthConfig): AuthAdapter;
+
+export { type FirebaseAuthConfig, firebaseAuth };

package/dist/auth/firebase/index.js

@@ -0,0 +1,46 @@
+// src/auth/firebase/index.ts
+import admin from "firebase-admin";
+function readCookie(req, name) {
+  const header = req.headers.get("cookie");
+  if (!header) return null;
+  for (const part of header.split(";")) {
+    const [k, ...v] = part.trim().split("=");
+    if (k === name) return decodeURIComponent(v.join("="));
+  }
+  return null;
+}
+function firebaseAuth(config) {
+  var _a;
+  const cookieName = (_a = config.cookieName) != null ? _a : "adminToken";
+  const allowed = config.adminEmails.map((e) => e.trim());
+  if (!admin.apps.length && config.credentials) {
+    const c = config.credentials;
+    admin.initializeApp({
+      credential: admin.credential.cert({
+        projectId: c.projectId,
+        clientEmail: c.clientEmail,
+        privateKey: c.privateKey
+      }),
+      databaseURL: c.databaseURL
+    });
+  }
+  return {
+    async verifyRequest(req) {
+      var _a2;
+      const token = readCookie(req, cookieName);
+      if (!token) return null;
+      let decoded;
+      try {
+        decoded = await admin.auth().verifyIdToken(token);
+      } catch (e) {
+        return null;
+      }
+      const isAdmin = !!decoded.admin && allowed.includes((_a2 = decoded.email) != null ? _a2 : "");
+      return { userId: decoded.uid, email: decoded.email, isAdmin };
+    }
+  };
+}
+export {
+  firebaseAuth
+};
+//# sourceMappingURL=index.js.map

package/dist/auth/firebase/index.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../../../src/auth/firebase/index.ts"],"sourcesContent":["import admin from \"firebase-admin\";\nimport type { AuthAdapter, AuthIdentity } from \"../../types\";\n\nexport interface FirebaseAuthConfig {\n  /** Allowlist of admin emails. Both the `admin` claim AND this list must agree. */\n  adminEmails: string[];\n  /** Cookie carrying the Firebase ID token. Default `adminToken`. */\n  cookieName?: string;\n  /** Service-account credentials (only used if firebase-admin isn't initialized). */\n  credentials?: {\n    projectId?: string;\n    clientEmail?: string;\n    privateKey?: string;\n    databaseURL?: string;\n  };\n}\n\nfunction readCookie(req: Request, name: string): string | null {\n  const header = req.headers.get(\"cookie\");\n  if (!header) return null;\n  for (const part of header.split(\";\")) {\n    const [k, ...v] = part.trim().split(\"=\");\n    if (k === name) return decodeURIComponent(v.join(\"=\"));\n  }\n  return null;\n}\n\n/**\n * Server auth adapter backed by Firebase ID tokens. Verifies the token from the\n * cookie and requires both the `admin` custom claim and membership in\n * `adminEmails`.\n */\nexport function firebaseAuth(config: FirebaseAuthConfig): AuthAdapter {\n  const cookieName = config.cookieName ?? \"adminToken\";\n  const allowed = config.adminEmails.map((e) => e.trim());\n\n  if (!admin.apps.length && config.credentials) {\n    const c = config.credentials;\n    admin.initializeApp({\n      credential: admin.credential.cert({\n        projectId: c.projectId,\n        clientEmail: c.clientEmail,\n        privateKey: c.privateKey,\n      }),\n      databaseURL: c.databaseURL,\n    });\n  }\n\n  return {\n    async verifyRequest(req: Request): Promise<AuthIdentity | null> {\n      const token = readCookie(req, cookieName);\n      if (!token) return null;\n\n      let decoded;\n      try {\n        decoded = await admin.auth().verifyIdToken(token);\n      } catch {\n        // Expired/invalid token → treat as unauthorized so the gate returns a\n        // 401 { logout: true } and the client can force sign-out.\n        return null;\n      }\n\n      const isAdmin =\n        !!decoded.admin && allowed.includes(decoded.email ?? \"\");\n\n      return { userId: decoded.uid, email: decoded.email, isAdmin };\n    },\n  };\n}\n"],"mappings":";AAAA,OAAO,WAAW;AAiBlB,SAAS,WAAW,KAAc,MAA6B;AAC7D,QAAM,SAAS,IAAI,QAAQ,IAAI,QAAQ;AACvC,MAAI,CAAC,OAAQ,QAAO;AACpB,aAAW,QAAQ,OAAO,MAAM,GAAG,GAAG;AACpC,UAAM,CAAC,GAAG,GAAG,CAAC,IAAI,KAAK,KAAK,EAAE,MAAM,GAAG;AACvC,QAAI,MAAM,KAAM,QAAO,mBAAmB,EAAE,KAAK,GAAG,CAAC;AAAA,EACvD;AACA,SAAO;AACT;AAOO,SAAS,aAAa,QAAyC;AAhCtE;AAiCE,QAAM,cAAa,YAAO,eAAP,YAAqB;AACxC,QAAM,UAAU,OAAO,YAAY,IAAI,CAAC,MAAM,EAAE,KAAK,CAAC;AAEtD,MAAI,CAAC,MAAM,KAAK,UAAU,OAAO,aAAa;AAC5C,UAAM,IAAI,OAAO;AACjB,UAAM,cAAc;AAAA,MAClB,YAAY,MAAM,WAAW,KAAK;AAAA,QAChC,WAAW,EAAE;AAAA,QACb,aAAa,EAAE;AAAA,QACf,YAAY,EAAE;AAAA,MAChB,CAAC;AAAA,MACD,aAAa,EAAE;AAAA,IACjB,CAAC;AAAA,EACH;AAEA,SAAO;AAAA,IACL,MAAM,cAAc,KAA4C;AAjDpE,UAAAA;AAkDM,YAAM,QAAQ,WAAW,KAAK,UAAU;AACxC,UAAI,CAAC,MAAO,QAAO;AAEnB,UAAI;AACJ,UAAI;AACF,kBAAU,MAAM,MAAM,KAAK,EAAE,cAAc,KAAK;AAAA,MAClD,SAAQ;AAGN,eAAO;AAAA,MACT;AAEA,YAAM,UACJ,CAAC,CAAC,QAAQ,SAAS,QAAQ,UAASA,MAAA,QAAQ,UAAR,OAAAA,MAAiB,EAAE;AAEzD,aAAO,EAAE,QAAQ,QAAQ,KAAK,OAAO,QAAQ,OAAO,QAAQ;AAAA,IAC9D;AAAA,EACF;AACF;","names":["_a"]}

package/dist/auth/nextauth/index.cjs

@@ -0,0 +1,51 @@
+"use strict";
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+
+// src/auth/nextauth/index.ts
+var nextauth_exports = {};
+__export(nextauth_exports, {
+  customAuth: () => customAuth,
+  nextAuthAuth: () => nextAuthAuth
+});
+module.exports = __toCommonJS(nextauth_exports);
+function nextAuthAuth(config) {
+  const allowed = config.adminEmails.map((e) => e.trim());
+  return {
+    async verifyRequest(req) {
+      var _a, _b, _c, _d;
+      const session = await config.getSession(req);
+      const email = (_b = (_a = session == null ? void 0 : session.user) == null ? void 0 : _a.email) != null ? _b : void 0;
+      if (!email) return null;
+      return {
+        userId: (_d = (_c = session == null ? void 0 : session.user) == null ? void 0 : _c.id) != null ? _d : email,
+        email,
+        isAdmin: allowed.includes(email)
+      };
+    }
+  };
+}
+function customAuth(verify) {
+  return { verifyRequest: verify };
+}
+// Annotate the CommonJS export names for ESM import in node:
+0 && (module.exports = {
+  customAuth,
+  nextAuthAuth
+});
+//# sourceMappingURL=index.cjs.map

package/dist/auth/nextauth/index.cjs.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../../../src/auth/nextauth/index.ts"],"sourcesContent":["import type { AuthAdapter, AuthIdentity } from \"../../types\";\n\n/** Minimal shape this adapter reads from a NextAuth session. */\nexport interface SessionLike {\n  user?: {\n    id?: string;\n    email?: string | null;\n    name?: string | null;\n  } | null;\n}\n\nexport interface NextAuthConfig {\n  /**\n   * Resolve the session for a request — typically your NextAuth `auth()` helper,\n   * wrapped to ignore the `Request` argument, e.g. `getSession: () => auth()`.\n   */\n  getSession: (req: Request) => Promise<SessionLike | null>;\n  /** Allowlist of admin emails. */\n  adminEmails: string[];\n}\n\n/**\n * Auth adapter for NextAuth (Auth.js). Admin status requires the session email\n * to be present in `adminEmails`.\n */\nexport function nextAuthAuth(config: NextAuthConfig): AuthAdapter {\n  const allowed = config.adminEmails.map((e) => e.trim());\n\n  return {\n    async verifyRequest(req: Request): Promise<AuthIdentity | null> {\n      const session = await config.getSession(req);\n      const email = session?.user?.email ?? undefined;\n      if (!email) return null;\n      return {\n        userId: session?.user?.id ?? email,\n        email,\n        isAdmin: allowed.includes(email),\n      };\n    },\n  };\n}\n\n/**\n * Escape hatch for fully custom auth: supply your own request verifier.\n */\nexport function customAuth(\n  verify: (req: Request) => Promise<AuthIdentity | null>,\n): AuthAdapter {\n  return { verifyRequest: verify };\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAyBO,SAAS,aAAa,QAAqC;AAChE,QAAM,UAAU,OAAO,YAAY,IAAI,CAAC,MAAM,EAAE,KAAK,CAAC;AAEtD,SAAO;AAAA,IACL,MAAM,cAAc,KAA4C;AA7BpE;AA8BM,YAAM,UAAU,MAAM,OAAO,WAAW,GAAG;AAC3C,YAAM,SAAQ,8CAAS,SAAT,mBAAe,UAAf,YAAwB;AACtC,UAAI,CAAC,MAAO,QAAO;AACnB,aAAO;AAAA,QACL,SAAQ,8CAAS,SAAT,mBAAe,OAAf,YAAqB;AAAA,QAC7B;AAAA,QACA,SAAS,QAAQ,SAAS,KAAK;AAAA,MACjC;AAAA,IACF;AAAA,EACF;AACF;AAKO,SAAS,WACd,QACa;AACb,SAAO,EAAE,eAAe,OAAO;AACjC;","names":[]}

package/dist/auth/nextauth/index.d.cts

@@ -0,0 +1,30 @@
+import { AuthIdentity, AuthAdapter } from '../../index.cjs';
+
+/** Minimal shape this adapter reads from a NextAuth session. */
+interface SessionLike {
+    user?: {
+        id?: string;
+        email?: string | null;
+        name?: string | null;
+    } | null;
+}
+interface NextAuthConfig {
+    /**
+     * Resolve the session for a request — typically your NextAuth `auth()` helper,
+     * wrapped to ignore the `Request` argument, e.g. `getSession: () => auth()`.
+     */
+    getSession: (req: Request) => Promise<SessionLike | null>;
+    /** Allowlist of admin emails. */
+    adminEmails: string[];
+}
+/**
+ * Auth adapter for NextAuth (Auth.js). Admin status requires the session email
+ * to be present in `adminEmails`.
+ */
+declare function nextAuthAuth(config: NextAuthConfig): AuthAdapter;
+/**
+ * Escape hatch for fully custom auth: supply your own request verifier.
+ */
+declare function customAuth(verify: (req: Request) => Promise<AuthIdentity | null>): AuthAdapter;
+
+export { type NextAuthConfig, type SessionLike, customAuth, nextAuthAuth };

package/dist/auth/nextauth/index.d.ts

@@ -0,0 +1,30 @@
+import { AuthIdentity, AuthAdapter } from '../../index.js';
+
+/** Minimal shape this adapter reads from a NextAuth session. */
+interface SessionLike {
+    user?: {
+        id?: string;
+        email?: string | null;
+        name?: string | null;
+    } | null;
+}
+interface NextAuthConfig {
+    /**
+     * Resolve the session for a request — typically your NextAuth `auth()` helper,
+     * wrapped to ignore the `Request` argument, e.g. `getSession: () => auth()`.
+     */
+    getSession: (req: Request) => Promise<SessionLike | null>;
+    /** Allowlist of admin emails. */
+    adminEmails: string[];
+}
+/**
+ * Auth adapter for NextAuth (Auth.js). Admin status requires the session email
+ * to be present in `adminEmails`.
+ */
+declare function nextAuthAuth(config: NextAuthConfig): AuthAdapter;
+/**
+ * Escape hatch for fully custom auth: supply your own request verifier.
+ */
+declare function customAuth(verify: (req: Request) => Promise<AuthIdentity | null>): AuthAdapter;
+
+export { type NextAuthConfig, type SessionLike, customAuth, nextAuthAuth };

package/dist/auth/nextauth/index.js

@@ -0,0 +1,25 @@
+// src/auth/nextauth/index.ts
+function nextAuthAuth(config) {
+  const allowed = config.adminEmails.map((e) => e.trim());
+  return {
+    async verifyRequest(req) {
+      var _a, _b, _c, _d;
+      const session = await config.getSession(req);
+      const email = (_b = (_a = session == null ? void 0 : session.user) == null ? void 0 : _a.email) != null ? _b : void 0;
+      if (!email) return null;
+      return {
+        userId: (_d = (_c = session == null ? void 0 : session.user) == null ? void 0 : _c.id) != null ? _d : email,
+        email,
+        isAdmin: allowed.includes(email)
+      };
+    }
+  };
+}
+function customAuth(verify) {
+  return { verifyRequest: verify };
+}
+export {
+  customAuth,
+  nextAuthAuth
+};
+//# sourceMappingURL=index.js.map

package/dist/auth/nextauth/index.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../../../src/auth/nextauth/index.ts"],"sourcesContent":["import type { AuthAdapter, AuthIdentity } from \"../../types\";\n\n/** Minimal shape this adapter reads from a NextAuth session. */\nexport interface SessionLike {\n  user?: {\n    id?: string;\n    email?: string | null;\n    name?: string | null;\n  } | null;\n}\n\nexport interface NextAuthConfig {\n  /**\n   * Resolve the session for a request — typically your NextAuth `auth()` helper,\n   * wrapped to ignore the `Request` argument, e.g. `getSession: () => auth()`.\n   */\n  getSession: (req: Request) => Promise<SessionLike | null>;\n  /** Allowlist of admin emails. */\n  adminEmails: string[];\n}\n\n/**\n * Auth adapter for NextAuth (Auth.js). Admin status requires the session email\n * to be present in `adminEmails`.\n */\nexport function nextAuthAuth(config: NextAuthConfig): AuthAdapter {\n  const allowed = config.adminEmails.map((e) => e.trim());\n\n  return {\n    async verifyRequest(req: Request): Promise<AuthIdentity | null> {\n      const session = await config.getSession(req);\n      const email = session?.user?.email ?? undefined;\n      if (!email) return null;\n      return {\n        userId: session?.user?.id ?? email,\n        email,\n        isAdmin: allowed.includes(email),\n      };\n    },\n  };\n}\n\n/**\n * Escape hatch for fully custom auth: supply your own request verifier.\n */\nexport function customAuth(\n  verify: (req: Request) => Promise<AuthIdentity | null>,\n): AuthAdapter {\n  return { verifyRequest: verify };\n}\n"],"mappings":";AAyBO,SAAS,aAAa,QAAqC;AAChE,QAAM,UAAU,OAAO,YAAY,IAAI,CAAC,MAAM,EAAE,KAAK,CAAC;AAEtD,SAAO;AAAA,IACL,MAAM,cAAc,KAA4C;AA7BpE;AA8BM,YAAM,UAAU,MAAM,OAAO,WAAW,GAAG;AAC3C,YAAM,SAAQ,8CAAS,SAAT,mBAAe,UAAf,YAAwB;AACtC,UAAI,CAAC,MAAO,QAAO;AACnB,aAAO;AAAA,QACL,SAAQ,8CAAS,SAAT,mBAAe,OAAf,YAAqB;AAAA,QAC7B;AAAA,QACA,SAAS,QAAQ,SAAS,KAAK;AAAA,MACjC;AAAA,IACF;AAAA,EACF;AACF;AAKO,SAAS,WACd,QACa;AACb,SAAO,EAAE,eAAe,OAAO;AACjC;","names":[]}