@econneq/auth-nextjs 1.0.2 → 1.0.4

package/README.md

@@ -0,0 +1,91 @@
+# @econneq/auth-nextjs
+
+Next.js App Router integration — middleware that gates routes and server utilities that read tokens inside Server Components, Server Actions, and Route Handlers.
+
+## Position in the install order
+
+```
+1. auth-core    ◄── prerequisite
+2. auth-nextjs  ◄── you are here  (parallel with auth-react)
+   auth-react   ◄── needed in your app for client-side hooks/guards
+```
+
+**Install `@econneq/auth-core` first.** This package only depends on `auth-core` directly, but in practice your app will also pull in `@econneq/auth-react` (for `<AuthProvider>` + hooks) and optionally `@econneq/auth-ui` (for the login/tenant pages).
+
+## Install
+
+```bash
+npm install @econneq/auth-core @econneq/auth-nextjs
+# and, in the app:
+npm install @econneq/auth-react   # client side
+```
+
+Peer deps: `next >=14`, `react >=18`, `react-dom >=18`.
+
+## Three entry points
+
+```ts
+import { defineAuthConfig }     from '@econneq/auth-nextjs'             // root
+import { createAuthMiddleware } from '@econneq/auth-nextjs/middleware'  // edge
+import { getServerUser, serverCan, getServerAuthHeader }
+                                from '@econneq/auth-nextjs/server'      // RSC / actions
+```
+
+Keep the imports separated — the middleware bundle runs at the edge and must not pull in Node-only code, which is why `/server` is a different subpath.
+
+## Wire the middleware
+
+```ts
+// proxy.ts (or middleware.ts)
+import { createAuthMiddleware } from '@econneq/auth-nextjs/middleware'
+import { authConfig }           from './src/auth/auth.config'
+
+export default createAuthMiddleware(authConfig, {
+  protectedRoutes: ['/dashboard', '/app'],
+  publicRoutes:    ['/auth/login', '/auth/register', '/auth/mfa'],
+  loginUrl:        '/auth/login',
+  tenantSelectUrl: '/auth/select-tenant',
+})
+
+export const config = { matcher: ['/((?!_next|favicon).*)'] }
+```
+
+What it does:
+
+- No global token → redirect to `loginUrl` (with `?next=`).
+- Token expired → same redirect.
+- Global token present but no tenant token (when `tenantMode`) → redirect to `tenantSelectUrl`.
+- Authenticated → forwards the request and injects `x-auth-user-id`, `x-auth-tenant-key`, `x-auth-roles` headers for downstream Server Components.
+
+## Read auth in Server Components / Actions
+
+```ts
+import { getServerUser, serverCan, getServerAuthHeader }
+  from '@econneq/auth-nextjs/server'
+
+export default async function DashboardPage() {
+  const { token, userId } = await getServerUser()       // redirects if missing
+  const canExport         = await serverCan('reports.export')
+  return <Header name={token.fullName} canExport={canExport} />
+}
+
+// In a Server Action calling your GraphQL/REST API:
+const auth = await getServerAuthHeader()
+fetch(API, { headers: { Authorization: auth } })
+```
+
+Also available: `getGlobalToken()`, `getTenantToken()`, `getServerRoles()`.
+
+## Build
+
+```bash
+npm run build      # tsup → dist with /middleware and /server subpaths
+npm run typecheck
+npm run dev
+```
+
+## Notes
+
+- Cookie names are fixed: `ea_global_token` and `ea_tenant_token`. They must be set `HttpOnly` by your auth API.
+- The `/server` module imports `next/headers` and `next/navigation` — only call it from server contexts.
+- For client-side hooks and guards, use `@econneq/auth-react` — this package deliberately doesn't re-export them.

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@econneq/auth-nextjs",
-  "version": "1.0.2",
+  "version": "1.0.4",
   "description": "Next.js App Router integration — middleware, server actions, SSR auth",
   "author": "Econneq",
   "license": "MIT",
@@ -38,7 +38,7 @@
     "README.md"
   ],
   "dependencies": {
-    "@econneq/auth-core": "1.0.1"
+    "@econneq/auth-core": "1.0.3"
   },
   "peerDependencies": {
     "next": ">=14.0.0",