npm - @drvalue-oss/iam-next - Versions diffs - 0.1.0 - Mend

@drvalue-oss/iam-next 0.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (9) hide show

package/LICENSE ADDED Viewed

@@ -0,0 +1,21 @@
+MIT License
+Copyright (c) 2026 drvalue
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

package/README.md ADDED Viewed

@@ -0,0 +1,76 @@
+# @drvalue-oss/iam-next
+Next.js Route Handler factories for the drvalue IAM **BFF token-exchange pattern**:
+- Refresh token lives in an httpOnly cookie on YOUR Next.js app (never touches the browser JS).
+- Access token is delivered to the browser via URL hash, then stored in localStorage by the SPA.
+- The Next.js app proxies refresh / revoke calls to IAM server-to-server, so the browser never CORS-talks to IAM directly.
+## Install
+```bash
+pnpm add @drvalue-oss/iam-next
+```
+Peer dep: `next ^14 || ^15 || ^16`.
+## Setup
+Create one shared config and three Route Handlers:
+```ts
+// lib/iam.ts
+import type { IamNextConfig } from '@drvalue-oss/iam-next';
+export const iamConfig: IamNextConfig = {
+  iamServerUrl: process.env.IAM_SERVER_URL!,        // https://iam.drvalue.co.kr
+  appUrl: process.env.NEXT_PUBLIC_APP_URL!,         // https://app.drvalue.co.kr
+  cookieDomain: process.env.COOKIE_DOMAIN,          // .drvalue.co.kr (optional)
+  internalApiKey: process.env.INTERNAL_API_KEY,     // for token revoke (optional)
+};
+```
+```ts
+// app/auth/callback/route.ts
+import { createCallbackHandler } from '@drvalue-oss/iam-next';
+import { iamConfig } from '@/lib/iam';
+export const GET = createCallbackHandler({
+  ...iamConfig,
+  resolveLoginPath: (origin) => (origin === 'admin' ? '/admin/login' : '/login'),
+});
+```
+```ts
+// app/api/auth/refresh/route.ts
+import { createRefreshHandler } from '@drvalue-oss/iam-next';
+import { iamConfig } from '@/lib/iam';
+export const POST = createRefreshHandler(iamConfig);
+```
+```ts
+// app/api/auth/logout/route.ts
+import { createLogoutHandler } from '@drvalue-oss/iam-next';
+import { iamConfig } from '@/lib/iam';
+export const POST = createLogoutHandler(iamConfig);
+```
+## The /auth/complete bridge page
+The callback handler redirects to `/auth/complete#access_token=...&expires_in=...` so the access token never lands in a server log. Implement the bridge yourself — it needs to:
+1. Parse the hash, call `setAccessToken(token, expiresIn)` from `@drvalue-oss/iam-react`.
+2. (optional) Fetch `/me` to populate your auth store.
+3. Redirect to the user's destination (admin dashboard / user dashboard / etc).
+See [`examples/nextjs-app/src/app/auth/complete/page.tsx`](../../examples/nextjs-app/src/app/auth/complete/page.tsx) for a reference implementation.
+## Why the URL hash
+The hash is **not sent to the server** on navigation. The Next.js server never sees the access token. Combined with `window.history.replaceState` on the complete page, the token also disappears from the browser URL bar after handoff.
+## License
+[MIT](../../LICENSE)

package/dist/index.cjs ADDED Viewed

@@ -0,0 +1,208 @@
+'use strict';
+var server = require('next/server');
+var iamCore = require('@drvalue-oss/iam-core');
+// src/handlers/callback.ts
+function resolveConfig(input) {
+  if (!input.iamServerUrl) throw new Error("iam-next: iamServerUrl is required");
+  if (!input.appUrl) throw new Error("iam-next: appUrl is required");
+  return {
+    iamServerUrl: input.iamServerUrl.replace(/\/$/, ""),
+    appUrl: input.appUrl.replace(/\/$/, ""),
+    cookieDomain: input.cookieDomain,
+    refreshCookieName: input.refreshCookieName ?? iamCore.STORAGE_KEYS.REFRESH_TOKEN,
+    authOriginCookieName: input.authOriginCookieName ?? iamCore.STORAGE_KEYS.AUTH_ORIGIN,
+    refreshCookieMaxAgeSeconds: input.refreshCookieMaxAgeSeconds ?? 7 * 24 * 60 * 60,
+    internalApiKey: input.internalApiKey
+  };
+}
+// src/cookies.ts
+function setRefreshCookie(response, config, value) {
+  response.cookies.set(config.refreshCookieName, value, {
+    httpOnly: true,
+    secure: process.env.NODE_ENV === "production",
+    sameSite: "lax",
+    path: "/",
+    maxAge: config.refreshCookieMaxAgeSeconds,
+    ...config.cookieDomain ? { domain: config.cookieDomain } : {}
+  });
+}
+function clearRefreshCookie(response, config) {
+  response.cookies.set(config.refreshCookieName, "", {
+    httpOnly: true,
+    secure: process.env.NODE_ENV === "production",
+    sameSite: "lax",
+    path: "/",
+    maxAge: 0,
+    ...config.cookieDomain ? { domain: config.cookieDomain } : {}
+  });
+}
+function setAuthOriginCookie(response, config, value) {
+  response.cookies.set(config.authOriginCookieName, value, {
+    httpOnly: false,
+    secure: process.env.NODE_ENV === "production",
+    sameSite: "lax",
+    path: "/",
+    maxAge: 5 * 60,
+    ...config.cookieDomain ? { domain: config.cookieDomain } : {}
+  });
+}
+// src/handlers/callback.ts
+function parseTokens(raw) {
+  if (!raw || typeof raw !== "object") return null;
+  const r = raw;
+  if (typeof r.access_token !== "string" || typeof r.refresh_token !== "string") {
+    return null;
+  }
+  return {
+    access_token: r.access_token,
+    refresh_token: r.refresh_token,
+    expires_in: typeof r.expires_in === "number" ? r.expires_in : 900
+  };
+}
+function createCallbackHandler(options) {
+  const config = resolveConfig(options);
+  const callbackPath = options.callbackPath ?? "/auth/callback";
+  const completePath = options.completePath ?? "/auth/complete";
+  const resolveLoginPath = options.resolveLoginPath ?? (() => "/login");
+  return async function GET(request) {
+    const code = request.nextUrl.searchParams.get("code");
+    const from = request.nextUrl.searchParams.get("from") ?? "user";
+    const loginPath = resolveLoginPath(from);
+    if (!code) {
+      return server.NextResponse.redirect(new URL(`${loginPath}?error=missing_code`, config.appUrl));
+    }
+    try {
+      const tokenResponse = await fetch(
+        `${config.iamServerUrl}${iamCore.IAM_ENDPOINTS.TOKEN_EXCHANGE}`,
+        {
+          method: "POST",
+          headers: { "Content-Type": "application/json" },
+          body: JSON.stringify({
+            code,
+            redirectUri: `${config.appUrl}${callbackPath}?from=${from}`
+          })
+        }
+      );
+      const body = await tokenResponse.json().catch(() => null);
+      if (!tokenResponse.ok) {
+        console.error("[iam-next/callback] token exchange failed:", body);
+        return server.NextResponse.redirect(
+          new URL(`${loginPath}?error=token_exchange_failed`, config.appUrl)
+        );
+      }
+      const tokens = parseTokens(body);
+      if (!tokens) {
+        console.error("[iam-next/callback] token exchange returned 200 with missing fields:", body);
+        return server.NextResponse.redirect(
+          new URL(`${loginPath}?error=token_exchange_invalid`, config.appUrl)
+        );
+      }
+      const redirectUrl = new URL(completePath, config.appUrl);
+      redirectUrl.hash = `access_token=${tokens.access_token}&expires_in=${tokens.expires_in}`;
+      const response = server.NextResponse.redirect(redirectUrl);
+      setRefreshCookie(response, config, tokens.refresh_token);
+      setAuthOriginCookie(response, config, from);
+      return response;
+    } catch (error) {
+      console.error("[iam-next/callback] unexpected error:", error);
+      return server.NextResponse.redirect(new URL(`${loginPath}?error=server_error`, config.appUrl));
+    }
+  };
+}
+function parseTokens2(raw) {
+  if (!raw || typeof raw !== "object") return null;
+  const r = raw;
+  if (typeof r.access_token !== "string" || typeof r.refresh_token !== "string") {
+    return null;
+  }
+  return {
+    access_token: r.access_token,
+    refresh_token: r.refresh_token,
+    expires_in: typeof r.expires_in === "number" ? r.expires_in : 900
+  };
+}
+function createRefreshHandler(options) {
+  const config = resolveConfig(options);
+  return async function POST(request) {
+    const refreshToken = request.cookies.get(config.refreshCookieName)?.value;
+    if (!refreshToken) {
+      return server.NextResponse.json({ error: "No refresh token" }, { status: 401 });
+    }
+    try {
+      const tokenResponse = await fetch(
+        `${config.iamServerUrl}${iamCore.IAM_ENDPOINTS.TOKEN_REFRESH}`,
+        {
+          method: "POST",
+          headers: { "Content-Type": "application/json" },
+          body: JSON.stringify({ refresh_token: refreshToken })
+        }
+      );
+      const body = await tokenResponse.json().catch(() => null);
+      const tokens = tokenResponse.ok ? parseTokens2(body) : null;
+      if (!tokens) {
+        const response2 = server.NextResponse.json({ error: "Refresh failed" }, { status: 401 });
+        clearRefreshCookie(response2, config);
+        return response2;
+      }
+      const response = server.NextResponse.json({
+        access_token: tokens.access_token,
+        expires_in: tokens.expires_in
+      });
+      setRefreshCookie(response, config, tokens.refresh_token);
+      return response;
+    } catch (error) {
+      console.error("[iam-next/refresh] unexpected error:", error);
+      return server.NextResponse.json({ error: "Server error" }, { status: 500 });
+    }
+  };
+}
+function createLogoutHandler(options) {
+  const config = resolveConfig(options);
+  return async function POST(request) {
+    const refreshToken = request.cookies.get(config.refreshCookieName)?.value;
+    if (refreshToken && refreshToken.includes(".")) {
+      try {
+        const payload = JSON.parse(
+          Buffer.from(refreshToken.split(".")[1] ?? "", "base64url").toString()
+        );
+        if (payload.sub) {
+          await fetch(`${config.iamServerUrl}${iamCore.IAM_ENDPOINTS.TOKEN_REVOKE}`, {
+            method: "POST",
+            headers: {
+              "Content-Type": "application/json",
+              ...config.internalApiKey ? { "X-Internal-Api-Key": config.internalApiKey } : {}
+            },
+            body: JSON.stringify({ user_id: payload.sub })
+          });
+        }
+      } catch (error) {
+        console.error("[iam-next/logout] IAM token revoke failed (best-effort):", error);
+      }
+    }
+    const response = server.NextResponse.json({ success: true });
+    clearRefreshCookie(response, config);
+    return response;
+  };
+}
+Object.defineProperty(exports, "IAM_ENDPOINTS", {
+  enumerable: true,
+  get: function () { return iamCore.IAM_ENDPOINTS; }
+});
+Object.defineProperty(exports, "buildLoginUrl", {
+  enumerable: true,
+  get: function () { return iamCore.buildLoginUrl; }
+});
+Object.defineProperty(exports, "buildRegisterUrl", {
+  enumerable: true,
+  get: function () { return iamCore.buildRegisterUrl; }
+});
+exports.createCallbackHandler = createCallbackHandler;
+exports.createLogoutHandler = createLogoutHandler;
+exports.createRefreshHandler = createRefreshHandler;
+//# sourceMappingURL=index.cjs.map
+//# sourceMappingURL=index.cjs.map

package/dist/index.cjs.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"sources":["../src/config.ts","../src/cookies.ts","../src/handlers/callback.ts","../src/handlers/refresh.ts","../src/handlers/logout.ts"],"names":["STORAGE_KEYS","NextResponse","IAM_ENDPOINTS","parseTokens","response"],"mappings":";;;;;;AAsCO,SAAS,cAAc,KAAA,EAA6C;AACzE,EAAA,IAAI,CAAC,KAAA,CAAM,YAAA,EAAc,MAAM,IAAI,MAAM,oCAAoC,CAAA;AAC7E,EAAA,IAAI,CAAC,KAAA,CAAM,MAAA,EAAQ,MAAM,IAAI,MAAM,8BAA8B,CAAA;AACjE,EAAA,OAAO;AAAA,IACL,YAAA,EAAc,KAAA,CAAM,YAAA,CAAa,OAAA,CAAQ,OAAO,EAAE,CAAA;AAAA,IAClD,MAAA,EAAQ,KAAA,CAAM,MAAA,CAAO,OAAA,CAAQ,OAAO,EAAE,CAAA;AAAA,IACtC,cAAc,KAAA,CAAM,YAAA;AAAA,IACpB,iBAAA,EAAmB,KAAA,CAAM,iBAAA,IAAqBA,oBAAA,CAAa,aAAA;AAAA,IAC3D,oBAAA,EAAsB,KAAA,CAAM,oBAAA,IAAwBA,oBAAA,CAAa,WAAA;AAAA,IACjE,0BAAA,EAA4B,KAAA,CAAM,0BAAA,IAA8B,CAAA,GAAI,KAAK,EAAA,GAAK,EAAA;AAAA,IAC9E,gBAAgB,KAAA,CAAM;AAAA,GACxB;AACF;;;AC/CO,SAAS,gBAAA,CACd,QAAA,EACA,MAAA,EACA,KAAA,EACM;AACN,EAAA,QAAA,CAAS,OAAA,CAAQ,GAAA,CAAI,MAAA,CAAO,iBAAA,EAAmB,KAAA,EAAO;AAAA,IACpD,QAAA,EAAU,IAAA;AAAA,IACV,MAAA,EAAQ,OAAA,CAAQ,GAAA,CAAI,QAAA,KAAa,YAAA;AAAA,IACjC,QAAA,EAAU,KAAA;AAAA,IACV,IAAA,EAAM,GAAA;AAAA,IACN,QAAQ,MAAA,CAAO,0BAAA;AAAA,IACf,GAAI,OAAO,YAAA,GAAe,EAAE,QAAQ,MAAA,CAAO,YAAA,KAAiB;AAAC,GAC9D,CAAA;AACH;AAEO,SAAS,kBAAA,CACd,UACA,MAAA,EACM;AACN,EAAA,QAAA,CAAS,OAAA,CAAQ,GAAA,CAAI,MAAA,CAAO,iBAAA,EAAmB,EAAA,EAAI;AAAA,IACjD,QAAA,EAAU,IAAA;AAAA,IACV,MAAA,EAAQ,OAAA,CAAQ,GAAA,CAAI,QAAA,KAAa,YAAA;AAAA,IACjC,QAAA,EAAU,KAAA;AAAA,IACV,IAAA,EAAM,GAAA;AAAA,IACN,MAAA,EAAQ,CAAA;AAAA,IACR,GAAI,OAAO,YAAA,GAAe,EAAE,QAAQ,MAAA,CAAO,YAAA,KAAiB;AAAC,GAC9D,CAAA;AACH;AAMO,SAAS,mBAAA,CACd,QAAA,EACA,MAAA,EACA,KAAA,EACM;AACN,EAAA,QAAA,CAAS,OAAA,CAAQ,GAAA,CAAI,MAAA,CAAO,oBAAA,EAAsB,KAAA,EAAO;AAAA,IACvD,QAAA,EAAU,KAAA;AAAA,IACV,MAAA,EAAQ,OAAA,CAAQ,GAAA,CAAI,QAAA,KAAa,YAAA;AAAA,IACjC,QAAA,EAAU,KAAA;AAAA,IACV,IAAA,EAAM,GAAA;AAAA,IACN,QAAQ,CAAA,GAAI,EAAA;AAAA,IACZ,GAAI,OAAO,YAAA,GAAe,EAAE,QAAQ,MAAA,CAAO,YAAA,KAAiB;AAAC,GAC9D,CAAA;AACH;;;AClBA,SAAS,YAAY,GAAA,EAAmC;AACtD,EAAA,IAAI,CAAC,GAAA,IAAO,OAAO,GAAA,KAAQ,UAAU,OAAO,IAAA;AAC5C,EAAA,MAAM,CAAA,GAAI,GAAA;AACV,EAAA,IACE,OAAO,CAAA,CAAE,YAAA,KAAiB,YAC1B,OAAO,CAAA,CAAE,kBAAkB,QAAA,EAC3B;AACA,IAAA,OAAO,IAAA;AAAA,EACT;AACA,EAAA,OAAO;AAAA,IACL,cAAc,CAAA,CAAE,YAAA;AAAA,IAChB,eAAe,CAAA,CAAE,aAAA;AAAA,IACjB,YAAY,OAAO,CAAA,CAAE,UAAA,KAAe,QAAA,GAAW,EAAE,UAAA,GAAa;AAAA,GAChE;AACF;AAqBO,SAAS,sBAAsB,OAAA,EAAuC;AAC3E,EAAA,MAAM,MAAA,GAAS,cAAc,OAAO,CAAA;AACpC,EAAA,MAAM,YAAA,GAAe,QAAQ,YAAA,IAAgB,gBAAA;AAC7C,EAAA,MAAM,YAAA,GAAe,QAAQ,YAAA,IAAgB,gBAAA;AAC7C,EAAA,MAAM,gBAAA,GAAmB,OAAA,CAAQ,gBAAA,KAAqB,MAAM,QAAA,CAAA;AAE5D,EAAA,OAAO,eAAe,IAAI,OAAA,EAA6C;AACrE,IAAA,MAAM,IAAA,GAAO,OAAA,CAAQ,OAAA,CAAQ,YAAA,CAAa,IAAI,MAAM,CAAA;AACpD,IAAA,MAAM,OAAO,OAAA,CAAQ,OAAA,CAAQ,YAAA,CAAa,GAAA,CAAI,MAAM,CAAA,IAAK,MAAA;AACzD,IAAA,MAAM,SAAA,GAAY,iBAAiB,IAAI,CAAA;AAEvC,IAAA,IAAI,CAAC,IAAA,EAAM;AACT,MAAA,OAAOC,mBAAA,CAAa,SAAS,IAAI,GAAA,CAAI,GAAG,SAAS,CAAA,mBAAA,CAAA,EAAuB,MAAA,CAAO,MAAM,CAAC,CAAA;AAAA,IACxF;AAEA,IAAA,IAAI;AACF,MAAA,MAAM,gBAAgB,MAAM,KAAA;AAAA,QAC1B,CAAA,EAAG,MAAA,CAAO,YAAY,CAAA,EAAGC,sBAAc,cAAc,CAAA,CAAA;AAAA,QACrD;AAAA,UACE,MAAA,EAAQ,MAAA;AAAA,UACR,OAAA,EAAS,EAAE,cAAA,EAAgB,kBAAA,EAAmB;AAAA,UAC9C,IAAA,EAAM,KAAK,SAAA,CAAU;AAAA,YACnB,IAAA;AAAA,YACA,aAAa,CAAA,EAAG,MAAA,CAAO,MAAM,CAAA,EAAG,YAAY,SAAS,IAAI,CAAA;AAAA,WAC1D;AAAA;AACH,OACF;AAEA,MAAA,MAAM,OAAO,MAAM,aAAA,CAAc,MAAK,CAAE,KAAA,CAAM,MAAM,IAAI,CAAA;AAExD,MAAA,IAAI,CAAC,cAAc,EAAA,EAAI;AACrB,QAAA,OAAA,CAAQ,KAAA,CAAM,8CAA8C,IAAI,CAAA;AAChE,QAAA,OAAOD,mBAAA,CAAa,QAAA;AAAA,UAClB,IAAI,GAAA,CAAI,CAAA,EAAG,SAAS,CAAA,4BAAA,CAAA,EAAgC,OAAO,MAAM;AAAA,SACnE;AAAA,MACF;AAEA,MAAA,MAAM,MAAA,GAAS,YAAY,IAAI,CAAA;AAC/B,MAAA,IAAI,CAAC,MAAA,EAAQ;AAGX,QAAA,OAAA,CAAQ,KAAA,CAAM,wEAAwE,IAAI,CAAA;AAC1F,QAAA,OAAOA,mBAAA,CAAa,QAAA;AAAA,UAClB,IAAI,GAAA,CAAI,CAAA,EAAG,SAAS,CAAA,6BAAA,CAAA,EAAiC,OAAO,MAAM;AAAA,SACpE;AAAA,MACF;AAEA,MAAA,MAAM,WAAA,GAAc,IAAI,GAAA,CAAI,YAAA,EAAc,OAAO,MAAM,CAAA;AACvD,MAAA,WAAA,CAAY,OAAO,CAAA,aAAA,EAAgB,MAAA,CAAO,YAAY,CAAA,YAAA,EAAe,OAAO,UAAU,CAAA,CAAA;AAEtF,MAAA,MAAM,QAAA,GAAWA,mBAAA,CAAa,QAAA,CAAS,WAAW,CAAA;AAClD,MAAA,gBAAA,CAAiB,QAAA,EAAU,MAAA,EAAQ,MAAA,CAAO,aAAa,CAAA;AACvD,MAAA,mBAAA,CAAoB,QAAA,EAAU,QAAQ,IAAI,CAAA;AAC1C,MAAA,OAAO,QAAA;AAAA,IACT,SAAS,KAAA,EAAO;AACd,MAAA,OAAA,CAAQ,KAAA,CAAM,yCAAyC,KAAK,CAAA;AAC5D,MAAA,OAAOA,mBAAA,CAAa,SAAS,IAAI,GAAA,CAAI,GAAG,SAAS,CAAA,mBAAA,CAAA,EAAuB,MAAA,CAAO,MAAM,CAAC,CAAA;AAAA,IACxF;AAAA,EACF,CAAA;AACF;AChHA,SAASE,aAAY,GAAA,EAAmC;AACtD,EAAA,IAAI,CAAC,GAAA,IAAO,OAAO,GAAA,KAAQ,UAAU,OAAO,IAAA;AAC5C,EAAA,MAAM,CAAA,GAAI,GAAA;AACV,EAAA,IACE,OAAO,CAAA,CAAE,YAAA,KAAiB,YAC1B,OAAO,CAAA,CAAE,kBAAkB,QAAA,EAC3B;AACA,IAAA,OAAO,IAAA;AAAA,EACT;AACA,EAAA,OAAO;AAAA,IACL,cAAc,CAAA,CAAE,YAAA;AAAA,IAChB,eAAe,CAAA,CAAE,aAAA;AAAA,IACjB,YAAY,OAAO,CAAA,CAAE,UAAA,KAAe,QAAA,GAAW,EAAE,UAAA,GAAa;AAAA,GAChE;AACF;AAgBO,SAAS,qBAAqB,OAAA,EAAsC;AACzE,EAAA,MAAM,MAAA,GAAS,cAAc,OAAO,CAAA;AAEpC,EAAA,OAAO,eAAe,KAAK,OAAA,EAA6C;AACtE,IAAA,MAAM,eAAe,OAAA,CAAQ,OAAA,CAAQ,GAAA,CAAI,MAAA,CAAO,iBAAiB,CAAA,EAAG,KAAA;AACpE,IAAA,IAAI,CAAC,YAAA,EAAc;AACjB,MAAA,OAAOF,mBAAAA,CAAa,KAAK,EAAE,KAAA,EAAO,oBAAmB,EAAG,EAAE,MAAA,EAAQ,GAAA,EAAK,CAAA;AAAA,IACzE;AAEA,IAAA,IAAI;AACF,MAAA,MAAM,gBAAgB,MAAM,KAAA;AAAA,QAC1B,CAAA,EAAG,MAAA,CAAO,YAAY,CAAA,EAAGC,sBAAc,aAAa,CAAA,CAAA;AAAA,QACpD;AAAA,UACE,MAAA,EAAQ,MAAA;AAAA,UACR,OAAA,EAAS,EAAE,cAAA,EAAgB,kBAAA,EAAmB;AAAA,UAC9C,MAAM,IAAA,CAAK,SAAA,CAAU,EAAE,aAAA,EAAe,cAAc;AAAA;AACtD,OACF;AAEA,MAAA,MAAM,OAAO,MAAM,aAAA,CAAc,MAAK,CAAE,KAAA,CAAM,MAAM,IAAI,CAAA;AACxD,MAAA,MAAM,MAAA,GAAS,aAAA,CAAc,EAAA,GAAKC,YAAAA,CAAY,IAAI,CAAA,GAAI,IAAA;AAEtD,MAAA,IAAI,CAAC,MAAA,EAAQ;AACX,QAAA,MAAMC,SAAAA,GAAWH,mBAAAA,CAAa,IAAA,CAAK,EAAE,KAAA,EAAO,kBAAiB,EAAG,EAAE,MAAA,EAAQ,GAAA,EAAK,CAAA;AAC/E,QAAA,kBAAA,CAAmBG,WAAU,MAAM,CAAA;AACnC,QAAA,OAAOA,SAAAA;AAAA,MACT;AAEA,MAAA,MAAM,QAAA,GAAWH,oBAAa,IAAA,CAAK;AAAA,QACjC,cAAc,MAAA,CAAO,YAAA;AAAA,QACrB,YAAY,MAAA,CAAO;AAAA,OACpB,CAAA;AACD,MAAA,gBAAA,CAAiB,QAAA,EAAU,MAAA,EAAQ,MAAA,CAAO,aAAa,CAAA;AACvD,MAAA,OAAO,QAAA;AAAA,IACT,SAAS,KAAA,EAAO;AACd,MAAA,OAAA,CAAQ,KAAA,CAAM,wCAAwC,KAAK,CAAA;AAC3D,MAAA,OAAOA,mBAAAA,CAAa,KAAK,EAAE,KAAA,EAAO,gBAAe,EAAG,EAAE,MAAA,EAAQ,GAAA,EAAK,CAAA;AAAA,IACrE;AAAA,EACF,CAAA;AACF;AC3DO,SAAS,oBAAoB,OAAA,EAAqC;AACvE,EAAA,MAAM,MAAA,GAAS,cAAc,OAAO,CAAA;AAEpC,EAAA,OAAO,eAAe,KAAK,OAAA,EAA6C;AACtE,IAAA,MAAM,eAAe,OAAA,CAAQ,OAAA,CAAQ,GAAA,CAAI,MAAA,CAAO,iBAAiB,CAAA,EAAG,KAAA;AAEpE,IAAA,IAAI,YAAA,IAAgB,YAAA,CAAa,QAAA,CAAS,GAAG,CAAA,EAAG;AAC9C,MAAA,IAAI;AACF,QAAA,MAAM,UAAU,IAAA,CAAK,KAAA;AAAA,UACnB,MAAA,CAAO,IAAA,CAAK,YAAA,CAAa,KAAA,CAAM,GAAG,CAAA,CAAE,CAAC,CAAA,IAAK,EAAA,EAAI,WAAW,CAAA,CAAE,QAAA;AAAS,SACtE;AACA,QAAA,IAAI,QAAQ,GAAA,EAAK;AACf,UAAA,MAAM,MAAM,CAAA,EAAG,MAAA,CAAO,YAAY,CAAA,EAAGC,qBAAAA,CAAc,YAAY,CAAA,CAAA,EAAI;AAAA,YACjE,MAAA,EAAQ,MAAA;AAAA,YACR,OAAA,EAAS;AAAA,cACP,cAAA,EAAgB,kBAAA;AAAA,cAChB,GAAI,OAAO,cAAA,GACP,EAAE,sBAAsB,MAAA,CAAO,cAAA,KAC/B;AAAC,aACP;AAAA,YACA,MAAM,IAAA,CAAK,SAAA,CAAU,EAAE,OAAA,EAAS,OAAA,CAAQ,KAAK;AAAA,WAC9C,CAAA;AAAA,QACH;AAAA,MACF,SAAS,KAAA,EAAO;AACd,QAAA,OAAA,CAAQ,KAAA,CAAM,4DAA4D,KAAK,CAAA;AAAA,MACjF;AAAA,IACF;AAEA,IAAA,MAAM,WAAWD,mBAAAA,CAAa,IAAA,CAAK,EAAE,OAAA,EAAS,MAAM,CAAA;AACpD,IAAA,kBAAA,CAAmB,UAAU,MAAM,CAAA;AACnC,IAAA,OAAO,QAAA;AAAA,EACT,CAAA;AACF","file":"index.cjs","sourcesContent":["import { STORAGE_KEYS } from '@drvalue-oss/iam-core';\n\nexport interface IamNextConfig {\n /** Base URL of your IAM server. Required. e.g. `https://iam.drvalue.co.kr` */\n iamServerUrl: string;\n /** Base URL of THIS Next.js app. Required. e.g. `https://app.drvalue.co.kr` */\n appUrl: string;\n /**\n * Domain for the refresh-token cookie. Set to e.g. `.drvalue.co.kr`\n * to share the cookie across sub-apps. Leave undefined for\n * single-host deployments.\n */\n cookieDomain?: string;\n /**\n * Cookie name for the httpOnly refresh token. Defaults to\n * `STORAGE_KEYS.REFRESH_TOKEN`. Override when two drvalue apps\n * share an origin but should NOT share refresh tokens.\n */\n refreshCookieName?: string;\n /**\n * Cookie name for the short-lived `auth_origin` marker. Defaults to\n * `STORAGE_KEYS.AUTH_ORIGIN`.\n */\n authOriginCookieName?: string;\n /** Refresh-token cookie max age in seconds. Defaults to 7 days. */\n refreshCookieMaxAgeSeconds?: number;\n /**\n * Internal API key forwarded to IAM `/auth/token/revoke` so the\n * server can authorize cross-service token revocation. Optional.\n */\n internalApiKey?: string;\n}\n\nexport interface ResolvedIamNextConfig extends Required<Omit<IamNextConfig, 'cookieDomain' | 'internalApiKey'>> {\n cookieDomain?: string;\n internalApiKey?: string;\n}\n\nexport function resolveConfig(input: IamNextConfig): ResolvedIamNextConfig {\n if (!input.iamServerUrl) throw new Error('iam-next: iamServerUrl is required');\n if (!input.appUrl) throw new Error('iam-next: appUrl is required');\n return {\n iamServerUrl: input.iamServerUrl.replace(/\\/$/, ''),\n appUrl: input.appUrl.replace(/\\/$/, ''),\n cookieDomain: input.cookieDomain,\n refreshCookieName: input.refreshCookieName ?? STORAGE_KEYS.REFRESH_TOKEN,\n authOriginCookieName: input.authOriginCookieName ?? STORAGE_KEYS.AUTH_ORIGIN,\n refreshCookieMaxAgeSeconds: input.refreshCookieMaxAgeSeconds ?? 7 * 24 * 60 * 60,\n internalApiKey: input.internalApiKey,\n };\n}\n","import type { NextResponse } from 'next/server';\nimport type { ResolvedIamNextConfig } from './config.js';\n\nexport function setRefreshCookie(\n response: NextResponse,\n config: ResolvedIamNextConfig,\n value: string,\n): void {\n response.cookies.set(config.refreshCookieName, value, {\n httpOnly: true,\n secure: process.env.NODE_ENV === 'production',\n sameSite: 'lax',\n path: '/',\n maxAge: config.refreshCookieMaxAgeSeconds,\n ...(config.cookieDomain ? { domain: config.cookieDomain } : {}),\n });\n}\n\nexport function clearRefreshCookie(\n response: NextResponse,\n config: ResolvedIamNextConfig,\n): void {\n response.cookies.set(config.refreshCookieName, '', {\n httpOnly: true,\n secure: process.env.NODE_ENV === 'production',\n sameSite: 'lax',\n path: '/',\n maxAge: 0,\n ...(config.cookieDomain ? { domain: config.cookieDomain } : {}),\n });\n}\n\n/**\n * Short-lived (5 min), client-readable. Tells the /auth/complete page\n * where to redirect after token handoff (e.g. user vs admin dashboard).\n */\nexport function setAuthOriginCookie(\n response: NextResponse,\n config: ResolvedIamNextConfig,\n value: string,\n): void {\n response.cookies.set(config.authOriginCookieName, value, {\n httpOnly: false,\n secure: process.env.NODE_ENV === 'production',\n sameSite: 'lax',\n path: '/',\n maxAge: 5 * 60,\n ...(config.cookieDomain ? { domain: config.cookieDomain } : {}),\n });\n}\n","import { NextResponse, type NextRequest } from 'next/server';\nimport { IAM_ENDPOINTS } from '@drvalue-oss/iam-core';\nimport { resolveConfig, type IamNextConfig } from '../config.js';\nimport { setAuthOriginCookie, setRefreshCookie } from '../cookies.js';\n\nexport interface CreateCallbackHandlerOptions extends IamNextConfig {\n /**\n * Path on this app where the callback handler lives. Used to\n * reconstruct `redirectUri` for the token exchange. Defaults to\n * `/auth/callback`.\n */\n callbackPath?: string;\n /**\n * Path the browser is redirected to after a successful token\n * exchange. The access token is appended in the URL hash so it\n * never hits the server log. Defaults to `/auth/complete`.\n */\n completePath?: string;\n /**\n * Map an `auth_origin` value (read from `?from=...`) to the login\n * path used when the exchange fails. Default returns `/login`.\n */\n resolveLoginPath?: (origin: string) => string;\n}\n\ninterface ParsedTokens {\n access_token: string;\n refresh_token: string;\n expires_in: number;\n}\n\nfunction parseTokens(raw: unknown): ParsedTokens | null {\n if (!raw || typeof raw !== 'object') return null;\n const r = raw as Record<string, unknown>;\n if (\n typeof r.access_token !== 'string' ||\n typeof r.refresh_token !== 'string'\n ) {\n return null;\n }\n return {\n access_token: r.access_token,\n refresh_token: r.refresh_token,\n expires_in: typeof r.expires_in === 'number' ? r.expires_in : 900,\n };\n}\n\n/**\n * Factory for the GET handler at `/auth/callback`.\n *\n * Flow:\n * IAM → ?code=xxx&from=user\n * → exchange code for tokens via IAM `/auth/token/exchange`\n * → set refresh_token httpOnly cookie\n * → set short-lived auth_origin cookie\n * → 302 to /auth/complete#access_token=...&expires_in=...\n *\n * Why the hash: access token never lands in the Next.js server log\n * or the Referer header of downstream navigations.\n *\n * Why we re-validate the response body even on 2xx: IAM has historically\n * had bugs where it returns HTTP 200 with `{\"error\": \"...\"}` and no\n * `access_token` field. If we let those through we'd 302 the browser\n * to `/auth/complete#access_token=undefined`, which then triggers the\n * SPA's refresh loop indefinitely. Treat missing fields as a hard fail.\n */\nexport function createCallbackHandler(options: CreateCallbackHandlerOptions) {\n const config = resolveConfig(options);\n const callbackPath = options.callbackPath ?? '/auth/callback';\n const completePath = options.completePath ?? '/auth/complete';\n const resolveLoginPath = options.resolveLoginPath ?? (() => '/login');\n\n return async function GET(request: NextRequest): Promise<NextResponse> {\n const code = request.nextUrl.searchParams.get('code');\n const from = request.nextUrl.searchParams.get('from') ?? 'user';\n const loginPath = resolveLoginPath(from);\n\n if (!code) {\n return NextResponse.redirect(new URL(`${loginPath}?error=missing_code`, config.appUrl));\n }\n\n try {\n const tokenResponse = await fetch(\n `${config.iamServerUrl}${IAM_ENDPOINTS.TOKEN_EXCHANGE}`,\n {\n method: 'POST',\n headers: { 'Content-Type': 'application/json' },\n body: JSON.stringify({\n code,\n redirectUri: `${config.appUrl}${callbackPath}?from=${from}`,\n }),\n },\n );\n\n const body = await tokenResponse.json().catch(() => null);\n\n if (!tokenResponse.ok) {\n console.error('[iam-next/callback] token exchange failed:', body);\n return NextResponse.redirect(\n new URL(`${loginPath}?error=token_exchange_failed`, config.appUrl),\n );\n }\n\n const tokens = parseTokens(body);\n if (!tokens) {\n // 200 with no/incomplete tokens — IAM-side bug. Don't redirect\n // to /auth/complete with `undefined` in the hash.\n console.error('[iam-next/callback] token exchange returned 200 with missing fields:', body);\n return NextResponse.redirect(\n new URL(`${loginPath}?error=token_exchange_invalid`, config.appUrl),\n );\n }\n\n const redirectUrl = new URL(completePath, config.appUrl);\n redirectUrl.hash = `access_token=${tokens.access_token}&expires_in=${tokens.expires_in}`;\n\n const response = NextResponse.redirect(redirectUrl);\n setRefreshCookie(response, config, tokens.refresh_token);\n setAuthOriginCookie(response, config, from);\n return response;\n } catch (error) {\n console.error('[iam-next/callback] unexpected error:', error);\n return NextResponse.redirect(new URL(`${loginPath}?error=server_error`, config.appUrl));\n }\n };\n}\n","import { NextResponse, type NextRequest } from 'next/server';\nimport { IAM_ENDPOINTS } from '@drvalue-oss/iam-core';\nimport { resolveConfig, type IamNextConfig } from '../config.js';\nimport { clearRefreshCookie, setRefreshCookie } from '../cookies.js';\n\nexport type CreateRefreshHandlerOptions = IamNextConfig;\n\ninterface ParsedTokens {\n access_token: string;\n refresh_token: string;\n expires_in: number;\n}\n\nfunction parseTokens(raw: unknown): ParsedTokens | null {\n if (!raw || typeof raw !== 'object') return null;\n const r = raw as Record<string, unknown>;\n if (\n typeof r.access_token !== 'string' ||\n typeof r.refresh_token !== 'string'\n ) {\n return null;\n }\n return {\n access_token: r.access_token,\n refresh_token: r.refresh_token,\n expires_in: typeof r.expires_in === 'number' ? r.expires_in : 900,\n };\n}\n\n/**\n * Factory for the POST handler at `/api/auth/refresh`.\n *\n * Reads refresh token from the httpOnly cookie, calls IAM\n * `/auth/token/refresh`, returns the new access token to the browser\n * and rotates the refresh cookie.\n *\n * Returns:\n * 200 { access_token, expires_in } → success\n * 401 { error: 'No refresh token' } → cookie missing\n * 401 { error: 'Refresh failed' } → IAM rejected OR 200 with no token fields\n * (also clears the bad cookie)\n * 500 { error: 'Server error' } → unexpected (cookie left as-is, retry-friendly)\n */\nexport function createRefreshHandler(options: CreateRefreshHandlerOptions) {\n const config = resolveConfig(options);\n\n return async function POST(request: NextRequest): Promise<NextResponse> {\n const refreshToken = request.cookies.get(config.refreshCookieName)?.value;\n if (!refreshToken) {\n return NextResponse.json({ error: 'No refresh token' }, { status: 401 });\n }\n\n try {\n const tokenResponse = await fetch(\n `${config.iamServerUrl}${IAM_ENDPOINTS.TOKEN_REFRESH}`,\n {\n method: 'POST',\n headers: { 'Content-Type': 'application/json' },\n body: JSON.stringify({ refresh_token: refreshToken }),\n },\n );\n\n const body = await tokenResponse.json().catch(() => null);\n const tokens = tokenResponse.ok ? parseTokens(body) : null;\n\n if (!tokens) {\n const response = NextResponse.json({ error: 'Refresh failed' }, { status: 401 });\n clearRefreshCookie(response, config);\n return response;\n }\n\n const response = NextResponse.json({\n access_token: tokens.access_token,\n expires_in: tokens.expires_in,\n });\n setRefreshCookie(response, config, tokens.refresh_token);\n return response;\n } catch (error) {\n console.error('[iam-next/refresh] unexpected error:', error);\n return NextResponse.json({ error: 'Server error' }, { status: 500 });\n }\n };\n}\n","import { NextResponse, type NextRequest } from 'next/server';\nimport { IAM_ENDPOINTS } from '@drvalue-oss/iam-core';\nimport { resolveConfig, type IamNextConfig } from '../config.js';\nimport { clearRefreshCookie } from '../cookies.js';\n\nexport type CreateLogoutHandlerOptions = IamNextConfig;\n\n/**\n * Factory for the POST handler at `/api/auth/logout`.\n *\n * Two responsibilities:\n * 1. Best-effort: tell IAM to revoke all refresh tokens for this\n * user (so other tabs/devices are logged out too).\n * 2. Always: clear the refresh-token cookie on THIS app.\n *\n * The IAM call is best-effort because we want logout to feel\n * instant. If IAM is briefly down, the cookie is still cleared and\n * the access token expires within minutes anyway.\n *\n * To extract `user_id`, we decode the JWT payload of the refresh\n * token without verifying. Same trust model as `iam-core/decodeJwtPayload`\n * — only used to address the revoke call, not to make decisions.\n */\nexport function createLogoutHandler(options: CreateLogoutHandlerOptions) {\n const config = resolveConfig(options);\n\n return async function POST(request: NextRequest): Promise<NextResponse> {\n const refreshToken = request.cookies.get(config.refreshCookieName)?.value;\n\n if (refreshToken && refreshToken.includes('.')) {\n try {\n const payload = JSON.parse(\n Buffer.from(refreshToken.split('.')[1] ?? '', 'base64url').toString(),\n ) as { sub?: string };\n if (payload.sub) {\n await fetch(`${config.iamServerUrl}${IAM_ENDPOINTS.TOKEN_REVOKE}`, {\n method: 'POST',\n headers: {\n 'Content-Type': 'application/json',\n ...(config.internalApiKey\n ? { 'X-Internal-Api-Key': config.internalApiKey }\n : {}),\n },\n body: JSON.stringify({ user_id: payload.sub }),\n });\n }\n } catch (error) {\n console.error('[iam-next/logout] IAM token revoke failed (best-effort):', error);\n }\n }\n\n const response = NextResponse.json({ success: true });\n clearRefreshCookie(response, config);\n return response;\n };\n}\n"]}

package/dist/index.d.cts ADDED Viewed

@@ -0,0 +1,115 @@
+import { NextRequest, NextResponse } from 'next/server';
+export { IAM_ENDPOINTS, buildLoginUrl, buildRegisterUrl } from '@drvalue-oss/iam-core';
+interface IamNextConfig {
+    /** Base URL of your IAM server. Required. e.g. `https://iam.drvalue.co.kr` */
+    iamServerUrl: string;
+    /** Base URL of THIS Next.js app. Required. e.g. `https://app.drvalue.co.kr` */
+    appUrl: string;
+    /**
+     * Domain for the refresh-token cookie. Set to e.g. `.drvalue.co.kr`
+     * to share the cookie across sub-apps. Leave undefined for
+     * single-host deployments.
+     */
+    cookieDomain?: string;
+    /**
+     * Cookie name for the httpOnly refresh token. Defaults to
+     * `STORAGE_KEYS.REFRESH_TOKEN`. Override when two drvalue apps
+     * share an origin but should NOT share refresh tokens.
+     */
+    refreshCookieName?: string;
+    /**
+     * Cookie name for the short-lived `auth_origin` marker. Defaults to
+     * `STORAGE_KEYS.AUTH_ORIGIN`.
+     */
+    authOriginCookieName?: string;
+    /** Refresh-token cookie max age in seconds. Defaults to 7 days. */
+    refreshCookieMaxAgeSeconds?: number;
+    /**
+     * Internal API key forwarded to IAM `/auth/token/revoke` so the
+     * server can authorize cross-service token revocation. Optional.
+     */
+    internalApiKey?: string;
+}
+interface ResolvedIamNextConfig extends Required<Omit<IamNextConfig, 'cookieDomain' | 'internalApiKey'>> {
+    cookieDomain?: string;
+    internalApiKey?: string;
+}
+interface CreateCallbackHandlerOptions extends IamNextConfig {
+    /**
+     * Path on this app where the callback handler lives. Used to
+     * reconstruct `redirectUri` for the token exchange. Defaults to
+     * `/auth/callback`.
+     */
+    callbackPath?: string;
+    /**
+     * Path the browser is redirected to after a successful token
+     * exchange. The access token is appended in the URL hash so it
+     * never hits the server log. Defaults to `/auth/complete`.
+     */
+    completePath?: string;
+    /**
+     * Map an `auth_origin` value (read from `?from=...`) to the login
+     * path used when the exchange fails. Default returns `/login`.
+     */
+    resolveLoginPath?: (origin: string) => string;
+}
+/**
+ * Factory for the GET handler at `/auth/callback`.
+ *
+ * Flow:
+ *   IAM → ?code=xxx&from=user
+ *   → exchange code for tokens via IAM `/auth/token/exchange`
+ *   → set refresh_token httpOnly cookie
+ *   → set short-lived auth_origin cookie
+ *   → 302 to /auth/complete#access_token=...&expires_in=...
+ *
+ * Why the hash: access token never lands in the Next.js server log
+ * or the Referer header of downstream navigations.
+ *
+ * Why we re-validate the response body even on 2xx: IAM has historically
+ * had bugs where it returns HTTP 200 with `{"error": "..."}` and no
+ * `access_token` field. If we let those through we'd 302 the browser
+ * to `/auth/complete#access_token=undefined`, which then triggers the
+ * SPA's refresh loop indefinitely. Treat missing fields as a hard fail.
+ */
+declare function createCallbackHandler(options: CreateCallbackHandlerOptions): (request: NextRequest) => Promise<NextResponse>;
+type CreateRefreshHandlerOptions = IamNextConfig;
+/**
+ * Factory for the POST handler at `/api/auth/refresh`.
+ *
+ * Reads refresh token from the httpOnly cookie, calls IAM
+ * `/auth/token/refresh`, returns the new access token to the browser
+ * and rotates the refresh cookie.
+ *
+ * Returns:
+ *   200 { access_token, expires_in }  → success
+ *   401 { error: 'No refresh token' } → cookie missing
+ *   401 { error: 'Refresh failed' }   → IAM rejected OR 200 with no token fields
+ *                                       (also clears the bad cookie)
+ *   500 { error: 'Server error' }     → unexpected (cookie left as-is, retry-friendly)
+ */
+declare function createRefreshHandler(options: CreateRefreshHandlerOptions): (request: NextRequest) => Promise<NextResponse>;
+type CreateLogoutHandlerOptions = IamNextConfig;
+/**
+ * Factory for the POST handler at `/api/auth/logout`.
+ *
+ * Two responsibilities:
+ *   1. Best-effort: tell IAM to revoke all refresh tokens for this
+ *      user (so other tabs/devices are logged out too).
+ *   2. Always: clear the refresh-token cookie on THIS app.
+ *
+ * The IAM call is best-effort because we want logout to feel
+ * instant. If IAM is briefly down, the cookie is still cleared and
+ * the access token expires within minutes anyway.
+ *
+ * To extract `user_id`, we decode the JWT payload of the refresh
+ * token without verifying. Same trust model as `iam-core/decodeJwtPayload`
+ * — only used to address the revoke call, not to make decisions.
+ */
+declare function createLogoutHandler(options: CreateLogoutHandlerOptions): (request: NextRequest) => Promise<NextResponse>;
+export { type CreateCallbackHandlerOptions, type CreateLogoutHandlerOptions, type CreateRefreshHandlerOptions, type IamNextConfig, type ResolvedIamNextConfig, createCallbackHandler, createLogoutHandler, createRefreshHandler };

package/dist/index.d.ts ADDED Viewed

@@ -0,0 +1,115 @@
+import { NextRequest, NextResponse } from 'next/server';
+export { IAM_ENDPOINTS, buildLoginUrl, buildRegisterUrl } from '@drvalue-oss/iam-core';
+interface IamNextConfig {
+    /** Base URL of your IAM server. Required. e.g. `https://iam.drvalue.co.kr` */
+    iamServerUrl: string;
+    /** Base URL of THIS Next.js app. Required. e.g. `https://app.drvalue.co.kr` */
+    appUrl: string;
+    /**
+     * Domain for the refresh-token cookie. Set to e.g. `.drvalue.co.kr`
+     * to share the cookie across sub-apps. Leave undefined for
+     * single-host deployments.
+     */
+    cookieDomain?: string;
+    /**
+     * Cookie name for the httpOnly refresh token. Defaults to
+     * `STORAGE_KEYS.REFRESH_TOKEN`. Override when two drvalue apps
+     * share an origin but should NOT share refresh tokens.
+     */
+    refreshCookieName?: string;
+    /**
+     * Cookie name for the short-lived `auth_origin` marker. Defaults to
+     * `STORAGE_KEYS.AUTH_ORIGIN`.
+     */
+    authOriginCookieName?: string;
+    /** Refresh-token cookie max age in seconds. Defaults to 7 days. */
+    refreshCookieMaxAgeSeconds?: number;
+    /**
+     * Internal API key forwarded to IAM `/auth/token/revoke` so the
+     * server can authorize cross-service token revocation. Optional.
+     */
+    internalApiKey?: string;
+}
+interface ResolvedIamNextConfig extends Required<Omit<IamNextConfig, 'cookieDomain' | 'internalApiKey'>> {
+    cookieDomain?: string;
+    internalApiKey?: string;
+}
+interface CreateCallbackHandlerOptions extends IamNextConfig {
+    /**
+     * Path on this app where the callback handler lives. Used to
+     * reconstruct `redirectUri` for the token exchange. Defaults to
+     * `/auth/callback`.
+     */
+    callbackPath?: string;
+    /**
+     * Path the browser is redirected to after a successful token
+     * exchange. The access token is appended in the URL hash so it
+     * never hits the server log. Defaults to `/auth/complete`.
+     */
+    completePath?: string;
+    /**
+     * Map an `auth_origin` value (read from `?from=...`) to the login
+     * path used when the exchange fails. Default returns `/login`.
+     */
+    resolveLoginPath?: (origin: string) => string;
+}
+/**
+ * Factory for the GET handler at `/auth/callback`.
+ *
+ * Flow:
+ *   IAM → ?code=xxx&from=user
+ *   → exchange code for tokens via IAM `/auth/token/exchange`
+ *   → set refresh_token httpOnly cookie
+ *   → set short-lived auth_origin cookie
+ *   → 302 to /auth/complete#access_token=...&expires_in=...
+ *
+ * Why the hash: access token never lands in the Next.js server log
+ * or the Referer header of downstream navigations.
+ *
+ * Why we re-validate the response body even on 2xx: IAM has historically
+ * had bugs where it returns HTTP 200 with `{"error": "..."}` and no
+ * `access_token` field. If we let those through we'd 302 the browser
+ * to `/auth/complete#access_token=undefined`, which then triggers the
+ * SPA's refresh loop indefinitely. Treat missing fields as a hard fail.
+ */
+declare function createCallbackHandler(options: CreateCallbackHandlerOptions): (request: NextRequest) => Promise<NextResponse>;
+type CreateRefreshHandlerOptions = IamNextConfig;
+/**
+ * Factory for the POST handler at `/api/auth/refresh`.
+ *
+ * Reads refresh token from the httpOnly cookie, calls IAM
+ * `/auth/token/refresh`, returns the new access token to the browser
+ * and rotates the refresh cookie.
+ *
+ * Returns:
+ *   200 { access_token, expires_in }  → success
+ *   401 { error: 'No refresh token' } → cookie missing
+ *   401 { error: 'Refresh failed' }   → IAM rejected OR 200 with no token fields
+ *                                       (also clears the bad cookie)
+ *   500 { error: 'Server error' }     → unexpected (cookie left as-is, retry-friendly)
+ */
+declare function createRefreshHandler(options: CreateRefreshHandlerOptions): (request: NextRequest) => Promise<NextResponse>;
+type CreateLogoutHandlerOptions = IamNextConfig;
+/**
+ * Factory for the POST handler at `/api/auth/logout`.
+ *
+ * Two responsibilities:
+ *   1. Best-effort: tell IAM to revoke all refresh tokens for this
+ *      user (so other tabs/devices are logged out too).
+ *   2. Always: clear the refresh-token cookie on THIS app.
+ *
+ * The IAM call is best-effort because we want logout to feel
+ * instant. If IAM is briefly down, the cookie is still cleared and
+ * the access token expires within minutes anyway.
+ *
+ * To extract `user_id`, we decode the JWT payload of the refresh
+ * token without verifying. Same trust model as `iam-core/decodeJwtPayload`
+ * — only used to address the revoke call, not to make decisions.
+ */
+declare function createLogoutHandler(options: CreateLogoutHandlerOptions): (request: NextRequest) => Promise<NextResponse>;
+export { type CreateCallbackHandlerOptions, type CreateLogoutHandlerOptions, type CreateRefreshHandlerOptions, type IamNextConfig, type ResolvedIamNextConfig, createCallbackHandler, createLogoutHandler, createRefreshHandler };

package/dist/index.js ADDED Viewed

@@ -0,0 +1,193 @@
+import { NextResponse } from 'next/server';
+import { IAM_ENDPOINTS, STORAGE_KEYS } from '@drvalue-oss/iam-core';
+export { IAM_ENDPOINTS, buildLoginUrl, buildRegisterUrl } from '@drvalue-oss/iam-core';
+// src/handlers/callback.ts
+function resolveConfig(input) {
+  if (!input.iamServerUrl) throw new Error("iam-next: iamServerUrl is required");
+  if (!input.appUrl) throw new Error("iam-next: appUrl is required");
+  return {
+    iamServerUrl: input.iamServerUrl.replace(/\/$/, ""),
+    appUrl: input.appUrl.replace(/\/$/, ""),
+    cookieDomain: input.cookieDomain,
+    refreshCookieName: input.refreshCookieName ?? STORAGE_KEYS.REFRESH_TOKEN,
+    authOriginCookieName: input.authOriginCookieName ?? STORAGE_KEYS.AUTH_ORIGIN,
+    refreshCookieMaxAgeSeconds: input.refreshCookieMaxAgeSeconds ?? 7 * 24 * 60 * 60,
+    internalApiKey: input.internalApiKey
+  };
+}
+// src/cookies.ts
+function setRefreshCookie(response, config, value) {
+  response.cookies.set(config.refreshCookieName, value, {
+    httpOnly: true,
+    secure: process.env.NODE_ENV === "production",
+    sameSite: "lax",
+    path: "/",
+    maxAge: config.refreshCookieMaxAgeSeconds,
+    ...config.cookieDomain ? { domain: config.cookieDomain } : {}
+  });
+}
+function clearRefreshCookie(response, config) {
+  response.cookies.set(config.refreshCookieName, "", {
+    httpOnly: true,
+    secure: process.env.NODE_ENV === "production",
+    sameSite: "lax",
+    path: "/",
+    maxAge: 0,
+    ...config.cookieDomain ? { domain: config.cookieDomain } : {}
+  });
+}
+function setAuthOriginCookie(response, config, value) {
+  response.cookies.set(config.authOriginCookieName, value, {
+    httpOnly: false,
+    secure: process.env.NODE_ENV === "production",
+    sameSite: "lax",
+    path: "/",
+    maxAge: 5 * 60,
+    ...config.cookieDomain ? { domain: config.cookieDomain } : {}
+  });
+}
+// src/handlers/callback.ts
+function parseTokens(raw) {
+  if (!raw || typeof raw !== "object") return null;
+  const r = raw;
+  if (typeof r.access_token !== "string" || typeof r.refresh_token !== "string") {
+    return null;
+  }
+  return {
+    access_token: r.access_token,
+    refresh_token: r.refresh_token,
+    expires_in: typeof r.expires_in === "number" ? r.expires_in : 900
+  };
+}
+function createCallbackHandler(options) {
+  const config = resolveConfig(options);
+  const callbackPath = options.callbackPath ?? "/auth/callback";
+  const completePath = options.completePath ?? "/auth/complete";
+  const resolveLoginPath = options.resolveLoginPath ?? (() => "/login");
+  return async function GET(request) {
+    const code = request.nextUrl.searchParams.get("code");
+    const from = request.nextUrl.searchParams.get("from") ?? "user";
+    const loginPath = resolveLoginPath(from);
+    if (!code) {
+      return NextResponse.redirect(new URL(`${loginPath}?error=missing_code`, config.appUrl));
+    }
+    try {
+      const tokenResponse = await fetch(
+        `${config.iamServerUrl}${IAM_ENDPOINTS.TOKEN_EXCHANGE}`,
+        {
+          method: "POST",
+          headers: { "Content-Type": "application/json" },
+          body: JSON.stringify({
+            code,
+            redirectUri: `${config.appUrl}${callbackPath}?from=${from}`
+          })
+        }
+      );
+      const body = await tokenResponse.json().catch(() => null);
+      if (!tokenResponse.ok) {
+        console.error("[iam-next/callback] token exchange failed:", body);
+        return NextResponse.redirect(
+          new URL(`${loginPath}?error=token_exchange_failed`, config.appUrl)
+        );
+      }
+      const tokens = parseTokens(body);
+      if (!tokens) {
+        console.error("[iam-next/callback] token exchange returned 200 with missing fields:", body);
+        return NextResponse.redirect(
+          new URL(`${loginPath}?error=token_exchange_invalid`, config.appUrl)
+        );
+      }
+      const redirectUrl = new URL(completePath, config.appUrl);
+      redirectUrl.hash = `access_token=${tokens.access_token}&expires_in=${tokens.expires_in}`;
+      const response = NextResponse.redirect(redirectUrl);
+      setRefreshCookie(response, config, tokens.refresh_token);
+      setAuthOriginCookie(response, config, from);
+      return response;
+    } catch (error) {
+      console.error("[iam-next/callback] unexpected error:", error);
+      return NextResponse.redirect(new URL(`${loginPath}?error=server_error`, config.appUrl));
+    }
+  };
+}
+function parseTokens2(raw) {
+  if (!raw || typeof raw !== "object") return null;
+  const r = raw;
+  if (typeof r.access_token !== "string" || typeof r.refresh_token !== "string") {
+    return null;
+  }
+  return {
+    access_token: r.access_token,
+    refresh_token: r.refresh_token,
+    expires_in: typeof r.expires_in === "number" ? r.expires_in : 900
+  };
+}
+function createRefreshHandler(options) {
+  const config = resolveConfig(options);
+  return async function POST(request) {
+    const refreshToken = request.cookies.get(config.refreshCookieName)?.value;
+    if (!refreshToken) {
+      return NextResponse.json({ error: "No refresh token" }, { status: 401 });
+    }
+    try {
+      const tokenResponse = await fetch(
+        `${config.iamServerUrl}${IAM_ENDPOINTS.TOKEN_REFRESH}`,
+        {
+          method: "POST",
+          headers: { "Content-Type": "application/json" },
+          body: JSON.stringify({ refresh_token: refreshToken })
+        }
+      );
+      const body = await tokenResponse.json().catch(() => null);
+      const tokens = tokenResponse.ok ? parseTokens2(body) : null;
+      if (!tokens) {
+        const response2 = NextResponse.json({ error: "Refresh failed" }, { status: 401 });
+        clearRefreshCookie(response2, config);
+        return response2;
+      }
+      const response = NextResponse.json({
+        access_token: tokens.access_token,
+        expires_in: tokens.expires_in
+      });
+      setRefreshCookie(response, config, tokens.refresh_token);
+      return response;
+    } catch (error) {
+      console.error("[iam-next/refresh] unexpected error:", error);
+      return NextResponse.json({ error: "Server error" }, { status: 500 });
+    }
+  };
+}
+function createLogoutHandler(options) {
+  const config = resolveConfig(options);
+  return async function POST(request) {
+    const refreshToken = request.cookies.get(config.refreshCookieName)?.value;
+    if (refreshToken && refreshToken.includes(".")) {
+      try {
+        const payload = JSON.parse(
+          Buffer.from(refreshToken.split(".")[1] ?? "", "base64url").toString()
+        );
+        if (payload.sub) {
+          await fetch(`${config.iamServerUrl}${IAM_ENDPOINTS.TOKEN_REVOKE}`, {
+            method: "POST",
+            headers: {
+              "Content-Type": "application/json",
+              ...config.internalApiKey ? { "X-Internal-Api-Key": config.internalApiKey } : {}
+            },
+            body: JSON.stringify({ user_id: payload.sub })
+          });
+        }
+      } catch (error) {
+        console.error("[iam-next/logout] IAM token revoke failed (best-effort):", error);
+      }
+    }
+    const response = NextResponse.json({ success: true });
+    clearRefreshCookie(response, config);
+    return response;
+  };
+}
+export { createCallbackHandler, createLogoutHandler, createRefreshHandler };
+//# sourceMappingURL=index.js.map
+//# sourceMappingURL=index.js.map

package/dist/index.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"sources":["../src/config.ts","../src/cookies.ts","../src/handlers/callback.ts","../src/handlers/refresh.ts","../src/handlers/logout.ts"],"names":["parseTokens","NextResponse","IAM_ENDPOINTS","response"],"mappings":";;;;;AAsCO,SAAS,cAAc,KAAA,EAA6C;AACzE,EAAA,IAAI,CAAC,KAAA,CAAM,YAAA,EAAc,MAAM,IAAI,MAAM,oCAAoC,CAAA;AAC7E,EAAA,IAAI,CAAC,KAAA,CAAM,MAAA,EAAQ,MAAM,IAAI,MAAM,8BAA8B,CAAA;AACjE,EAAA,OAAO;AAAA,IACL,YAAA,EAAc,KAAA,CAAM,YAAA,CAAa,OAAA,CAAQ,OAAO,EAAE,CAAA;AAAA,IAClD,MAAA,EAAQ,KAAA,CAAM,MAAA,CAAO,OAAA,CAAQ,OAAO,EAAE,CAAA;AAAA,IACtC,cAAc,KAAA,CAAM,YAAA;AAAA,IACpB,iBAAA,EAAmB,KAAA,CAAM,iBAAA,IAAqB,YAAA,CAAa,aAAA;AAAA,IAC3D,oBAAA,EAAsB,KAAA,CAAM,oBAAA,IAAwB,YAAA,CAAa,WAAA;AAAA,IACjE,0BAAA,EAA4B,KAAA,CAAM,0BAAA,IAA8B,CAAA,GAAI,KAAK,EAAA,GAAK,EAAA;AAAA,IAC9E,gBAAgB,KAAA,CAAM;AAAA,GACxB;AACF;;;AC/CO,SAAS,gBAAA,CACd,QAAA,EACA,MAAA,EACA,KAAA,EACM;AACN,EAAA,QAAA,CAAS,OAAA,CAAQ,GAAA,CAAI,MAAA,CAAO,iBAAA,EAAmB,KAAA,EAAO;AAAA,IACpD,QAAA,EAAU,IAAA;AAAA,IACV,MAAA,EAAQ,OAAA,CAAQ,GAAA,CAAI,QAAA,KAAa,YAAA;AAAA,IACjC,QAAA,EAAU,KAAA;AAAA,IACV,IAAA,EAAM,GAAA;AAAA,IACN,QAAQ,MAAA,CAAO,0BAAA;AAAA,IACf,GAAI,OAAO,YAAA,GAAe,EAAE,QAAQ,MAAA,CAAO,YAAA,KAAiB;AAAC,GAC9D,CAAA;AACH;AAEO,SAAS,kBAAA,CACd,UACA,MAAA,EACM;AACN,EAAA,QAAA,CAAS,OAAA,CAAQ,GAAA,CAAI,MAAA,CAAO,iBAAA,EAAmB,EAAA,EAAI;AAAA,IACjD,QAAA,EAAU,IAAA;AAAA,IACV,MAAA,EAAQ,OAAA,CAAQ,GAAA,CAAI,QAAA,KAAa,YAAA;AAAA,IACjC,QAAA,EAAU,KAAA;AAAA,IACV,IAAA,EAAM,GAAA;AAAA,IACN,MAAA,EAAQ,CAAA;AAAA,IACR,GAAI,OAAO,YAAA,GAAe,EAAE,QAAQ,MAAA,CAAO,YAAA,KAAiB;AAAC,GAC9D,CAAA;AACH;AAMO,SAAS,mBAAA,CACd,QAAA,EACA,MAAA,EACA,KAAA,EACM;AACN,EAAA,QAAA,CAAS,OAAA,CAAQ,GAAA,CAAI,MAAA,CAAO,oBAAA,EAAsB,KAAA,EAAO;AAAA,IACvD,QAAA,EAAU,KAAA;AAAA,IACV,MAAA,EAAQ,OAAA,CAAQ,GAAA,CAAI,QAAA,KAAa,YAAA;AAAA,IACjC,QAAA,EAAU,KAAA;AAAA,IACV,IAAA,EAAM,GAAA;AAAA,IACN,QAAQ,CAAA,GAAI,EAAA;AAAA,IACZ,GAAI,OAAO,YAAA,GAAe,EAAE,QAAQ,MAAA,CAAO,YAAA,KAAiB;AAAC,GAC9D,CAAA;AACH;;;AClBA,SAAS,YAAY,GAAA,EAAmC;AACtD,EAAA,IAAI,CAAC,GAAA,IAAO,OAAO,GAAA,KAAQ,UAAU,OAAO,IAAA;AAC5C,EAAA,MAAM,CAAA,GAAI,GAAA;AACV,EAAA,IACE,OAAO,CAAA,CAAE,YAAA,KAAiB,YAC1B,OAAO,CAAA,CAAE,kBAAkB,QAAA,EAC3B;AACA,IAAA,OAAO,IAAA;AAAA,EACT;AACA,EAAA,OAAO;AAAA,IACL,cAAc,CAAA,CAAE,YAAA;AAAA,IAChB,eAAe,CAAA,CAAE,aAAA;AAAA,IACjB,YAAY,OAAO,CAAA,CAAE,UAAA,KAAe,QAAA,GAAW,EAAE,UAAA,GAAa;AAAA,GAChE;AACF;AAqBO,SAAS,sBAAsB,OAAA,EAAuC;AAC3E,EAAA,MAAM,MAAA,GAAS,cAAc,OAAO,CAAA;AACpC,EAAA,MAAM,YAAA,GAAe,QAAQ,YAAA,IAAgB,gBAAA;AAC7C,EAAA,MAAM,YAAA,GAAe,QAAQ,YAAA,IAAgB,gBAAA;AAC7C,EAAA,MAAM,gBAAA,GAAmB,OAAA,CAAQ,gBAAA,KAAqB,MAAM,QAAA,CAAA;AAE5D,EAAA,OAAO,eAAe,IAAI,OAAA,EAA6C;AACrE,IAAA,MAAM,IAAA,GAAO,OAAA,CAAQ,OAAA,CAAQ,YAAA,CAAa,IAAI,MAAM,CAAA;AACpD,IAAA,MAAM,OAAO,OAAA,CAAQ,OAAA,CAAQ,YAAA,CAAa,GAAA,CAAI,MAAM,CAAA,IAAK,MAAA;AACzD,IAAA,MAAM,SAAA,GAAY,iBAAiB,IAAI,CAAA;AAEvC,IAAA,IAAI,CAAC,IAAA,EAAM;AACT,MAAA,OAAO,YAAA,CAAa,SAAS,IAAI,GAAA,CAAI,GAAG,SAAS,CAAA,mBAAA,CAAA,EAAuB,MAAA,CAAO,MAAM,CAAC,CAAA;AAAA,IACxF;AAEA,IAAA,IAAI;AACF,MAAA,MAAM,gBAAgB,MAAM,KAAA;AAAA,QAC1B,CAAA,EAAG,MAAA,CAAO,YAAY,CAAA,EAAG,cAAc,cAAc,CAAA,CAAA;AAAA,QACrD;AAAA,UACE,MAAA,EAAQ,MAAA;AAAA,UACR,OAAA,EAAS,EAAE,cAAA,EAAgB,kBAAA,EAAmB;AAAA,UAC9C,IAAA,EAAM,KAAK,SAAA,CAAU;AAAA,YACnB,IAAA;AAAA,YACA,aAAa,CAAA,EAAG,MAAA,CAAO,MAAM,CAAA,EAAG,YAAY,SAAS,IAAI,CAAA;AAAA,WAC1D;AAAA;AACH,OACF;AAEA,MAAA,MAAM,OAAO,MAAM,aAAA,CAAc,MAAK,CAAE,KAAA,CAAM,MAAM,IAAI,CAAA;AAExD,MAAA,IAAI,CAAC,cAAc,EAAA,EAAI;AACrB,QAAA,OAAA,CAAQ,KAAA,CAAM,8CAA8C,IAAI,CAAA;AAChE,QAAA,OAAO,YAAA,CAAa,QAAA;AAAA,UAClB,IAAI,GAAA,CAAI,CAAA,EAAG,SAAS,CAAA,4BAAA,CAAA,EAAgC,OAAO,MAAM;AAAA,SACnE;AAAA,MACF;AAEA,MAAA,MAAM,MAAA,GAAS,YAAY,IAAI,CAAA;AAC/B,MAAA,IAAI,CAAC,MAAA,EAAQ;AAGX,QAAA,OAAA,CAAQ,KAAA,CAAM,wEAAwE,IAAI,CAAA;AAC1F,QAAA,OAAO,YAAA,CAAa,QAAA;AAAA,UAClB,IAAI,GAAA,CAAI,CAAA,EAAG,SAAS,CAAA,6BAAA,CAAA,EAAiC,OAAO,MAAM;AAAA,SACpE;AAAA,MACF;AAEA,MAAA,MAAM,WAAA,GAAc,IAAI,GAAA,CAAI,YAAA,EAAc,OAAO,MAAM,CAAA;AACvD,MAAA,WAAA,CAAY,OAAO,CAAA,aAAA,EAAgB,MAAA,CAAO,YAAY,CAAA,YAAA,EAAe,OAAO,UAAU,CAAA,CAAA;AAEtF,MAAA,MAAM,QAAA,GAAW,YAAA,CAAa,QAAA,CAAS,WAAW,CAAA;AAClD,MAAA,gBAAA,CAAiB,QAAA,EAAU,MAAA,EAAQ,MAAA,CAAO,aAAa,CAAA;AACvD,MAAA,mBAAA,CAAoB,QAAA,EAAU,QAAQ,IAAI,CAAA;AAC1C,MAAA,OAAO,QAAA;AAAA,IACT,SAAS,KAAA,EAAO;AACd,MAAA,OAAA,CAAQ,KAAA,CAAM,yCAAyC,KAAK,CAAA;AAC5D,MAAA,OAAO,YAAA,CAAa,SAAS,IAAI,GAAA,CAAI,GAAG,SAAS,CAAA,mBAAA,CAAA,EAAuB,MAAA,CAAO,MAAM,CAAC,CAAA;AAAA,IACxF;AAAA,EACF,CAAA;AACF;AChHA,SAASA,aAAY,GAAA,EAAmC;AACtD,EAAA,IAAI,CAAC,GAAA,IAAO,OAAO,GAAA,KAAQ,UAAU,OAAO,IAAA;AAC5C,EAAA,MAAM,CAAA,GAAI,GAAA;AACV,EAAA,IACE,OAAO,CAAA,CAAE,YAAA,KAAiB,YAC1B,OAAO,CAAA,CAAE,kBAAkB,QAAA,EAC3B;AACA,IAAA,OAAO,IAAA;AAAA,EACT;AACA,EAAA,OAAO;AAAA,IACL,cAAc,CAAA,CAAE,YAAA;AAAA,IAChB,eAAe,CAAA,CAAE,aAAA;AAAA,IACjB,YAAY,OAAO,CAAA,CAAE,UAAA,KAAe,QAAA,GAAW,EAAE,UAAA,GAAa;AAAA,GAChE;AACF;AAgBO,SAAS,qBAAqB,OAAA,EAAsC;AACzE,EAAA,MAAM,MAAA,GAAS,cAAc,OAAO,CAAA;AAEpC,EAAA,OAAO,eAAe,KAAK,OAAA,EAA6C;AACtE,IAAA,MAAM,eAAe,OAAA,CAAQ,OAAA,CAAQ,GAAA,CAAI,MAAA,CAAO,iBAAiB,CAAA,EAAG,KAAA;AACpE,IAAA,IAAI,CAAC,YAAA,EAAc;AACjB,MAAA,OAAOC,YAAAA,CAAa,KAAK,EAAE,KAAA,EAAO,oBAAmB,EAAG,EAAE,MAAA,EAAQ,GAAA,EAAK,CAAA;AAAA,IACzE;AAEA,IAAA,IAAI;AACF,MAAA,MAAM,gBAAgB,MAAM,KAAA;AAAA,QAC1B,CAAA,EAAG,MAAA,CAAO,YAAY,CAAA,EAAGC,cAAc,aAAa,CAAA,CAAA;AAAA,QACpD;AAAA,UACE,MAAA,EAAQ,MAAA;AAAA,UACR,OAAA,EAAS,EAAE,cAAA,EAAgB,kBAAA,EAAmB;AAAA,UAC9C,MAAM,IAAA,CAAK,SAAA,CAAU,EAAE,aAAA,EAAe,cAAc;AAAA;AACtD,OACF;AAEA,MAAA,MAAM,OAAO,MAAM,aAAA,CAAc,MAAK,CAAE,KAAA,CAAM,MAAM,IAAI,CAAA;AACxD,MAAA,MAAM,MAAA,GAAS,aAAA,CAAc,EAAA,GAAKF,YAAAA,CAAY,IAAI,CAAA,GAAI,IAAA;AAEtD,MAAA,IAAI,CAAC,MAAA,EAAQ;AACX,QAAA,MAAMG,SAAAA,GAAWF,YAAAA,CAAa,IAAA,CAAK,EAAE,KAAA,EAAO,kBAAiB,EAAG,EAAE,MAAA,EAAQ,GAAA,EAAK,CAAA;AAC/E,QAAA,kBAAA,CAAmBE,WAAU,MAAM,CAAA;AACnC,QAAA,OAAOA,SAAAA;AAAA,MACT;AAEA,MAAA,MAAM,QAAA,GAAWF,aAAa,IAAA,CAAK;AAAA,QACjC,cAAc,MAAA,CAAO,YAAA;AAAA,QACrB,YAAY,MAAA,CAAO;AAAA,OACpB,CAAA;AACD,MAAA,gBAAA,CAAiB,QAAA,EAAU,MAAA,EAAQ,MAAA,CAAO,aAAa,CAAA;AACvD,MAAA,OAAO,QAAA;AAAA,IACT,SAAS,KAAA,EAAO;AACd,MAAA,OAAA,CAAQ,KAAA,CAAM,wCAAwC,KAAK,CAAA;AAC3D,MAAA,OAAOA,YAAAA,CAAa,KAAK,EAAE,KAAA,EAAO,gBAAe,EAAG,EAAE,MAAA,EAAQ,GAAA,EAAK,CAAA;AAAA,IACrE;AAAA,EACF,CAAA;AACF;AC3DO,SAAS,oBAAoB,OAAA,EAAqC;AACvE,EAAA,MAAM,MAAA,GAAS,cAAc,OAAO,CAAA;AAEpC,EAAA,OAAO,eAAe,KAAK,OAAA,EAA6C;AACtE,IAAA,MAAM,eAAe,OAAA,CAAQ,OAAA,CAAQ,GAAA,CAAI,MAAA,CAAO,iBAAiB,CAAA,EAAG,KAAA;AAEpE,IAAA,IAAI,YAAA,IAAgB,YAAA,CAAa,QAAA,CAAS,GAAG,CAAA,EAAG;AAC9C,MAAA,IAAI;AACF,QAAA,MAAM,UAAU,IAAA,CAAK,KAAA;AAAA,UACnB,MAAA,CAAO,IAAA,CAAK,YAAA,CAAa,KAAA,CAAM,GAAG,CAAA,CAAE,CAAC,CAAA,IAAK,EAAA,EAAI,WAAW,CAAA,CAAE,QAAA;AAAS,SACtE;AACA,QAAA,IAAI,QAAQ,GAAA,EAAK;AACf,UAAA,MAAM,MAAM,CAAA,EAAG,MAAA,CAAO,YAAY,CAAA,EAAGC,aAAAA,CAAc,YAAY,CAAA,CAAA,EAAI;AAAA,YACjE,MAAA,EAAQ,MAAA;AAAA,YACR,OAAA,EAAS;AAAA,cACP,cAAA,EAAgB,kBAAA;AAAA,cAChB,GAAI,OAAO,cAAA,GACP,EAAE,sBAAsB,MAAA,CAAO,cAAA,KAC/B;AAAC,aACP;AAAA,YACA,MAAM,IAAA,CAAK,SAAA,CAAU,EAAE,OAAA,EAAS,OAAA,CAAQ,KAAK;AAAA,WAC9C,CAAA;AAAA,QACH;AAAA,MACF,SAAS,KAAA,EAAO;AACd,QAAA,OAAA,CAAQ,KAAA,CAAM,4DAA4D,KAAK,CAAA;AAAA,MACjF;AAAA,IACF;AAEA,IAAA,MAAM,WAAWD,YAAAA,CAAa,IAAA,CAAK,EAAE,OAAA,EAAS,MAAM,CAAA;AACpD,IAAA,kBAAA,CAAmB,UAAU,MAAM,CAAA;AACnC,IAAA,OAAO,QAAA;AAAA,EACT,CAAA;AACF","file":"index.js","sourcesContent":["import { STORAGE_KEYS } from '@drvalue-oss/iam-core';\n\nexport interface IamNextConfig {\n /** Base URL of your IAM server. Required. e.g. `https://iam.drvalue.co.kr` */\n iamServerUrl: string;\n /** Base URL of THIS Next.js app. Required. e.g. `https://app.drvalue.co.kr` */\n appUrl: string;\n /**\n * Domain for the refresh-token cookie. Set to e.g. `.drvalue.co.kr`\n * to share the cookie across sub-apps. Leave undefined for\n * single-host deployments.\n */\n cookieDomain?: string;\n /**\n * Cookie name for the httpOnly refresh token. Defaults to\n * `STORAGE_KEYS.REFRESH_TOKEN`. Override when two drvalue apps\n * share an origin but should NOT share refresh tokens.\n */\n refreshCookieName?: string;\n /**\n * Cookie name for the short-lived `auth_origin` marker. Defaults to\n * `STORAGE_KEYS.AUTH_ORIGIN`.\n */\n authOriginCookieName?: string;\n /** Refresh-token cookie max age in seconds. Defaults to 7 days. */\n refreshCookieMaxAgeSeconds?: number;\n /**\n * Internal API key forwarded to IAM `/auth/token/revoke` so the\n * server can authorize cross-service token revocation. Optional.\n */\n internalApiKey?: string;\n}\n\nexport interface ResolvedIamNextConfig extends Required<Omit<IamNextConfig, 'cookieDomain' | 'internalApiKey'>> {\n cookieDomain?: string;\n internalApiKey?: string;\n}\n\nexport function resolveConfig(input: IamNextConfig): ResolvedIamNextConfig {\n if (!input.iamServerUrl) throw new Error('iam-next: iamServerUrl is required');\n if (!input.appUrl) throw new Error('iam-next: appUrl is required');\n return {\n iamServerUrl: input.iamServerUrl.replace(/\\/$/, ''),\n appUrl: input.appUrl.replace(/\\/$/, ''),\n cookieDomain: input.cookieDomain,\n refreshCookieName: input.refreshCookieName ?? STORAGE_KEYS.REFRESH_TOKEN,\n authOriginCookieName: input.authOriginCookieName ?? STORAGE_KEYS.AUTH_ORIGIN,\n refreshCookieMaxAgeSeconds: input.refreshCookieMaxAgeSeconds ?? 7 * 24 * 60 * 60,\n internalApiKey: input.internalApiKey,\n };\n}\n","import type { NextResponse } from 'next/server';\nimport type { ResolvedIamNextConfig } from './config.js';\n\nexport function setRefreshCookie(\n response: NextResponse,\n config: ResolvedIamNextConfig,\n value: string,\n): void {\n response.cookies.set(config.refreshCookieName, value, {\n httpOnly: true,\n secure: process.env.NODE_ENV === 'production',\n sameSite: 'lax',\n path: '/',\n maxAge: config.refreshCookieMaxAgeSeconds,\n ...(config.cookieDomain ? { domain: config.cookieDomain } : {}),\n });\n}\n\nexport function clearRefreshCookie(\n response: NextResponse,\n config: ResolvedIamNextConfig,\n): void {\n response.cookies.set(config.refreshCookieName, '', {\n httpOnly: true,\n secure: process.env.NODE_ENV === 'production',\n sameSite: 'lax',\n path: '/',\n maxAge: 0,\n ...(config.cookieDomain ? { domain: config.cookieDomain } : {}),\n });\n}\n\n/**\n * Short-lived (5 min), client-readable. Tells the /auth/complete page\n * where to redirect after token handoff (e.g. user vs admin dashboard).\n */\nexport function setAuthOriginCookie(\n response: NextResponse,\n config: ResolvedIamNextConfig,\n value: string,\n): void {\n response.cookies.set(config.authOriginCookieName, value, {\n httpOnly: false,\n secure: process.env.NODE_ENV === 'production',\n sameSite: 'lax',\n path: '/',\n maxAge: 5 * 60,\n ...(config.cookieDomain ? { domain: config.cookieDomain } : {}),\n });\n}\n","import { NextResponse, type NextRequest } from 'next/server';\nimport { IAM_ENDPOINTS } from '@drvalue-oss/iam-core';\nimport { resolveConfig, type IamNextConfig } from '../config.js';\nimport { setAuthOriginCookie, setRefreshCookie } from '../cookies.js';\n\nexport interface CreateCallbackHandlerOptions extends IamNextConfig {\n /**\n * Path on this app where the callback handler lives. Used to\n * reconstruct `redirectUri` for the token exchange. Defaults to\n * `/auth/callback`.\n */\n callbackPath?: string;\n /**\n * Path the browser is redirected to after a successful token\n * exchange. The access token is appended in the URL hash so it\n * never hits the server log. Defaults to `/auth/complete`.\n */\n completePath?: string;\n /**\n * Map an `auth_origin` value (read from `?from=...`) to the login\n * path used when the exchange fails. Default returns `/login`.\n */\n resolveLoginPath?: (origin: string) => string;\n}\n\ninterface ParsedTokens {\n access_token: string;\n refresh_token: string;\n expires_in: number;\n}\n\nfunction parseTokens(raw: unknown): ParsedTokens | null {\n if (!raw || typeof raw !== 'object') return null;\n const r = raw as Record<string, unknown>;\n if (\n typeof r.access_token !== 'string' ||\n typeof r.refresh_token !== 'string'\n ) {\n return null;\n }\n return {\n access_token: r.access_token,\n refresh_token: r.refresh_token,\n expires_in: typeof r.expires_in === 'number' ? r.expires_in : 900,\n };\n}\n\n/**\n * Factory for the GET handler at `/auth/callback`.\n *\n * Flow:\n * IAM → ?code=xxx&from=user\n * → exchange code for tokens via IAM `/auth/token/exchange`\n * → set refresh_token httpOnly cookie\n * → set short-lived auth_origin cookie\n * → 302 to /auth/complete#access_token=...&expires_in=...\n *\n * Why the hash: access token never lands in the Next.js server log\n * or the Referer header of downstream navigations.\n *\n * Why we re-validate the response body even on 2xx: IAM has historically\n * had bugs where it returns HTTP 200 with `{\"error\": \"...\"}` and no\n * `access_token` field. If we let those through we'd 302 the browser\n * to `/auth/complete#access_token=undefined`, which then triggers the\n * SPA's refresh loop indefinitely. Treat missing fields as a hard fail.\n */\nexport function createCallbackHandler(options: CreateCallbackHandlerOptions) {\n const config = resolveConfig(options);\n const callbackPath = options.callbackPath ?? '/auth/callback';\n const completePath = options.completePath ?? '/auth/complete';\n const resolveLoginPath = options.resolveLoginPath ?? (() => '/login');\n\n return async function GET(request: NextRequest): Promise<NextResponse> {\n const code = request.nextUrl.searchParams.get('code');\n const from = request.nextUrl.searchParams.get('from') ?? 'user';\n const loginPath = resolveLoginPath(from);\n\n if (!code) {\n return NextResponse.redirect(new URL(`${loginPath}?error=missing_code`, config.appUrl));\n }\n\n try {\n const tokenResponse = await fetch(\n `${config.iamServerUrl}${IAM_ENDPOINTS.TOKEN_EXCHANGE}`,\n {\n method: 'POST',\n headers: { 'Content-Type': 'application/json' },\n body: JSON.stringify({\n code,\n redirectUri: `${config.appUrl}${callbackPath}?from=${from}`,\n }),\n },\n );\n\n const body = await tokenResponse.json().catch(() => null);\n\n if (!tokenResponse.ok) {\n console.error('[iam-next/callback] token exchange failed:', body);\n return NextResponse.redirect(\n new URL(`${loginPath}?error=token_exchange_failed`, config.appUrl),\n );\n }\n\n const tokens = parseTokens(body);\n if (!tokens) {\n // 200 with no/incomplete tokens — IAM-side bug. Don't redirect\n // to /auth/complete with `undefined` in the hash.\n console.error('[iam-next/callback] token exchange returned 200 with missing fields:', body);\n return NextResponse.redirect(\n new URL(`${loginPath}?error=token_exchange_invalid`, config.appUrl),\n );\n }\n\n const redirectUrl = new URL(completePath, config.appUrl);\n redirectUrl.hash = `access_token=${tokens.access_token}&expires_in=${tokens.expires_in}`;\n\n const response = NextResponse.redirect(redirectUrl);\n setRefreshCookie(response, config, tokens.refresh_token);\n setAuthOriginCookie(response, config, from);\n return response;\n } catch (error) {\n console.error('[iam-next/callback] unexpected error:', error);\n return NextResponse.redirect(new URL(`${loginPath}?error=server_error`, config.appUrl));\n }\n };\n}\n","import { NextResponse, type NextRequest } from 'next/server';\nimport { IAM_ENDPOINTS } from '@drvalue-oss/iam-core';\nimport { resolveConfig, type IamNextConfig } from '../config.js';\nimport { clearRefreshCookie, setRefreshCookie } from '../cookies.js';\n\nexport type CreateRefreshHandlerOptions = IamNextConfig;\n\ninterface ParsedTokens {\n access_token: string;\n refresh_token: string;\n expires_in: number;\n}\n\nfunction parseTokens(raw: unknown): ParsedTokens | null {\n if (!raw || typeof raw !== 'object') return null;\n const r = raw as Record<string, unknown>;\n if (\n typeof r.access_token !== 'string' ||\n typeof r.refresh_token !== 'string'\n ) {\n return null;\n }\n return {\n access_token: r.access_token,\n refresh_token: r.refresh_token,\n expires_in: typeof r.expires_in === 'number' ? r.expires_in : 900,\n };\n}\n\n/**\n * Factory for the POST handler at `/api/auth/refresh`.\n *\n * Reads refresh token from the httpOnly cookie, calls IAM\n * `/auth/token/refresh`, returns the new access token to the browser\n * and rotates the refresh cookie.\n *\n * Returns:\n * 200 { access_token, expires_in } → success\n * 401 { error: 'No refresh token' } → cookie missing\n * 401 { error: 'Refresh failed' } → IAM rejected OR 200 with no token fields\n * (also clears the bad cookie)\n * 500 { error: 'Server error' } → unexpected (cookie left as-is, retry-friendly)\n */\nexport function createRefreshHandler(options: CreateRefreshHandlerOptions) {\n const config = resolveConfig(options);\n\n return async function POST(request: NextRequest): Promise<NextResponse> {\n const refreshToken = request.cookies.get(config.refreshCookieName)?.value;\n if (!refreshToken) {\n return NextResponse.json({ error: 'No refresh token' }, { status: 401 });\n }\n\n try {\n const tokenResponse = await fetch(\n `${config.iamServerUrl}${IAM_ENDPOINTS.TOKEN_REFRESH}`,\n {\n method: 'POST',\n headers: { 'Content-Type': 'application/json' },\n body: JSON.stringify({ refresh_token: refreshToken }),\n },\n );\n\n const body = await tokenResponse.json().catch(() => null);\n const tokens = tokenResponse.ok ? parseTokens(body) : null;\n\n if (!tokens) {\n const response = NextResponse.json({ error: 'Refresh failed' }, { status: 401 });\n clearRefreshCookie(response, config);\n return response;\n }\n\n const response = NextResponse.json({\n access_token: tokens.access_token,\n expires_in: tokens.expires_in,\n });\n setRefreshCookie(response, config, tokens.refresh_token);\n return response;\n } catch (error) {\n console.error('[iam-next/refresh] unexpected error:', error);\n return NextResponse.json({ error: 'Server error' }, { status: 500 });\n }\n };\n}\n","import { NextResponse, type NextRequest } from 'next/server';\nimport { IAM_ENDPOINTS } from '@drvalue-oss/iam-core';\nimport { resolveConfig, type IamNextConfig } from '../config.js';\nimport { clearRefreshCookie } from '../cookies.js';\n\nexport type CreateLogoutHandlerOptions = IamNextConfig;\n\n/**\n * Factory for the POST handler at `/api/auth/logout`.\n *\n * Two responsibilities:\n * 1. Best-effort: tell IAM to revoke all refresh tokens for this\n * user (so other tabs/devices are logged out too).\n * 2. Always: clear the refresh-token cookie on THIS app.\n *\n * The IAM call is best-effort because we want logout to feel\n * instant. If IAM is briefly down, the cookie is still cleared and\n * the access token expires within minutes anyway.\n *\n * To extract `user_id`, we decode the JWT payload of the refresh\n * token without verifying. Same trust model as `iam-core/decodeJwtPayload`\n * — only used to address the revoke call, not to make decisions.\n */\nexport function createLogoutHandler(options: CreateLogoutHandlerOptions) {\n const config = resolveConfig(options);\n\n return async function POST(request: NextRequest): Promise<NextResponse> {\n const refreshToken = request.cookies.get(config.refreshCookieName)?.value;\n\n if (refreshToken && refreshToken.includes('.')) {\n try {\n const payload = JSON.parse(\n Buffer.from(refreshToken.split('.')[1] ?? '', 'base64url').toString(),\n ) as { sub?: string };\n if (payload.sub) {\n await fetch(`${config.iamServerUrl}${IAM_ENDPOINTS.TOKEN_REVOKE}`, {\n method: 'POST',\n headers: {\n 'Content-Type': 'application/json',\n ...(config.internalApiKey\n ? { 'X-Internal-Api-Key': config.internalApiKey }\n : {}),\n },\n body: JSON.stringify({ user_id: payload.sub }),\n });\n }\n } catch (error) {\n console.error('[iam-next/logout] IAM token revoke failed (best-effort):', error);\n }\n }\n\n const response = NextResponse.json({ success: true });\n clearRefreshCookie(response, config);\n return response;\n };\n}\n"]}

package/package.json ADDED Viewed

@@ -0,0 +1,51 @@
+{
+  "name": "@drvalue-oss/iam-next",
+  "version": "0.1.0",
+  "description": "Next.js Route Handler factories for the drvalue IAM BFF token-exchange pattern (callback / refresh / logout)",
+  "license": "MIT",
+  "repository": {
+    "type": "git",
+    "url": "https://github.com/drvalue/drvalue-iam-js",
+    "directory": "packages/iam-next"
+  },
+  "homepage": "https://github.com/drvalue/drvalue-iam-js/tree/main/packages/iam-next#readme",
+  "type": "module",
+  "main": "./dist/index.cjs",
+  "module": "./dist/index.js",
+  "types": "./dist/index.d.ts",
+  "exports": {
+    ".": {
+      "types": "./dist/index.d.ts",
+      "import": "./dist/index.js",
+      "require": "./dist/index.cjs"
+    }
+  },
+  "files": ["dist", "README.md", "LICENSE"],
+  "scripts": {
+    "build": "tsup",
+    "dev": "tsup --watch",
+    "clean": "rm -rf dist",
+    "typecheck": "tsc --noEmit"
+  },
+  "publishConfig": {
+    "access": "public",
+    "provenance": true
+  },
+  "sideEffects": false,
+  "keywords": ["drvalue", "iam", "next", "nextjs", "bff", "auth"],
+  "dependencies": {
+    "@drvalue-oss/iam-core": "workspace:*"
+  },
+  "peerDependencies": {
+    "next": "^14.0.0 || ^15.0.0 || ^16.0.0"
+  },
+  "devDependencies": {
+    "next": "^16.0.0",
+    "react": "^19.0.0",
+    "tsup": "^8.3.5",
+    "typescript": "^5.7.2"
+  },
+  "engines": {
+    "node": ">=20.19"
+  }
+}