@econneq/auth-nextjs 1.0.2
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/index.d.mts +1 -0
- package/dist/index.d.ts +1 -0
- package/dist/index.js +12 -0
- package/dist/index.js.map +1 -0
- package/dist/index.mjs +3 -0
- package/dist/index.mjs.map +1 -0
- package/dist/middleware/index.d.mts +32 -0
- package/dist/middleware/index.d.ts +32 -0
- package/dist/middleware/index.js +62 -0
- package/dist/middleware/index.js.map +1 -0
- package/dist/middleware/index.mjs +60 -0
- package/dist/middleware/index.mjs.map +1 -0
- package/dist/server/index.d.mts +25 -0
- package/dist/server/index.d.ts +25 -0
- package/dist/server/index.js +55 -0
- package/dist/server/index.js.map +1 -0
- package/dist/server/index.mjs +48 -0
- package/dist/server/index.mjs.map +1 -0
- package/package.json +61 -0
package/dist/index.d.mts
ADDED
|
@@ -0,0 +1 @@
|
|
|
1
|
+
export { AuthStage, AuthUser, EconneqAuthConfig, LoginInput, Tenant, defineAuthConfig } from '@econneq/auth-core';
|
package/dist/index.d.ts
ADDED
|
@@ -0,0 +1 @@
|
|
|
1
|
+
export { AuthStage, AuthUser, EconneqAuthConfig, LoginInput, Tenant, defineAuthConfig } from '@econneq/auth-core';
|
package/dist/index.js
ADDED
|
@@ -0,0 +1,12 @@
|
|
|
1
|
+
'use strict';
|
|
2
|
+
|
|
3
|
+
var authCore = require('@econneq/auth-core');
|
|
4
|
+
|
|
5
|
+
|
|
6
|
+
|
|
7
|
+
Object.defineProperty(exports, "defineAuthConfig", {
|
|
8
|
+
enumerable: true,
|
|
9
|
+
get: function () { return authCore.defineAuthConfig; }
|
|
10
|
+
});
|
|
11
|
+
//# sourceMappingURL=index.js.map
|
|
12
|
+
//# sourceMappingURL=index.js.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"sources":[],"names":[],"mappings":"","file":"index.js","sourcesContent":[]}
|
package/dist/index.mjs
ADDED
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"sources":[],"names":[],"mappings":"","file":"index.mjs","sourcesContent":[]}
|
|
@@ -0,0 +1,32 @@
|
|
|
1
|
+
import { NextRequest, NextResponse } from 'next/server';
|
|
2
|
+
import { EconneqAuthConfig } from '@econneq/auth-core';
|
|
3
|
+
|
|
4
|
+
/**
|
|
5
|
+
* @econneq/auth-react/middleware
|
|
6
|
+
* Drop-in auth middleware for Next.js App Router.
|
|
7
|
+
*
|
|
8
|
+
* Usage in proxy.ts / middleware.ts:
|
|
9
|
+
*
|
|
10
|
+
* import { createAuthMiddleware } from '@econneq/auth-react/middleware'
|
|
11
|
+
* import { authConfig } from './auth/auth.config'
|
|
12
|
+
*
|
|
13
|
+
* export default createAuthMiddleware(authConfig, {
|
|
14
|
+
* protectedRoutes: ['/dashboard', '/admin'],
|
|
15
|
+
* publicRoutes: ['/auth/login', '/auth/register'],
|
|
16
|
+
* loginUrl: '/auth/login',
|
|
17
|
+
* tenantSelectUrl: '/auth/select-tenant',
|
|
18
|
+
* })
|
|
19
|
+
*
|
|
20
|
+
* export const config = { matcher: ['/((?!_next|favicon).*)'] }
|
|
21
|
+
*/
|
|
22
|
+
|
|
23
|
+
interface AuthMiddlewareOptions {
|
|
24
|
+
protectedRoutes?: string[];
|
|
25
|
+
publicRoutes?: string[];
|
|
26
|
+
loginUrl?: string;
|
|
27
|
+
tenantSelectUrl?: string;
|
|
28
|
+
afterLoginUrl?: string;
|
|
29
|
+
}
|
|
30
|
+
declare function createAuthMiddleware(config: EconneqAuthConfig, opts?: AuthMiddlewareOptions): (request: NextRequest) => NextResponse;
|
|
31
|
+
|
|
32
|
+
export { type AuthMiddlewareOptions, createAuthMiddleware };
|
|
@@ -0,0 +1,32 @@
|
|
|
1
|
+
import { NextRequest, NextResponse } from 'next/server';
|
|
2
|
+
import { EconneqAuthConfig } from '@econneq/auth-core';
|
|
3
|
+
|
|
4
|
+
/**
|
|
5
|
+
* @econneq/auth-react/middleware
|
|
6
|
+
* Drop-in auth middleware for Next.js App Router.
|
|
7
|
+
*
|
|
8
|
+
* Usage in proxy.ts / middleware.ts:
|
|
9
|
+
*
|
|
10
|
+
* import { createAuthMiddleware } from '@econneq/auth-react/middleware'
|
|
11
|
+
* import { authConfig } from './auth/auth.config'
|
|
12
|
+
*
|
|
13
|
+
* export default createAuthMiddleware(authConfig, {
|
|
14
|
+
* protectedRoutes: ['/dashboard', '/admin'],
|
|
15
|
+
* publicRoutes: ['/auth/login', '/auth/register'],
|
|
16
|
+
* loginUrl: '/auth/login',
|
|
17
|
+
* tenantSelectUrl: '/auth/select-tenant',
|
|
18
|
+
* })
|
|
19
|
+
*
|
|
20
|
+
* export const config = { matcher: ['/((?!_next|favicon).*)'] }
|
|
21
|
+
*/
|
|
22
|
+
|
|
23
|
+
interface AuthMiddlewareOptions {
|
|
24
|
+
protectedRoutes?: string[];
|
|
25
|
+
publicRoutes?: string[];
|
|
26
|
+
loginUrl?: string;
|
|
27
|
+
tenantSelectUrl?: string;
|
|
28
|
+
afterLoginUrl?: string;
|
|
29
|
+
}
|
|
30
|
+
declare function createAuthMiddleware(config: EconneqAuthConfig, opts?: AuthMiddlewareOptions): (request: NextRequest) => NextResponse;
|
|
31
|
+
|
|
32
|
+
export { type AuthMiddlewareOptions, createAuthMiddleware };
|
|
@@ -0,0 +1,62 @@
|
|
|
1
|
+
'use strict';
|
|
2
|
+
|
|
3
|
+
var server = require('next/server');
|
|
4
|
+
var authCore = require('@econneq/auth-core');
|
|
5
|
+
|
|
6
|
+
// src/middleware/index.ts
|
|
7
|
+
var GLOBAL_TOKEN_COOKIE = "ea_global_token";
|
|
8
|
+
var TENANT_TOKEN_COOKIE = "ea_tenant_token";
|
|
9
|
+
function createAuthMiddleware(config, opts = {}) {
|
|
10
|
+
const {
|
|
11
|
+
protectedRoutes = ["/dashboard", "/app"],
|
|
12
|
+
publicRoutes = ["/auth/login", "/auth/register", "/auth/mfa"],
|
|
13
|
+
loginUrl = "/auth/login",
|
|
14
|
+
tenantSelectUrl = "/auth/select-tenant"
|
|
15
|
+
} = opts;
|
|
16
|
+
return function authMiddleware(request) {
|
|
17
|
+
const { pathname } = request.nextUrl;
|
|
18
|
+
if (publicRoutes.some((r) => pathname.startsWith(r)) || pathname.startsWith("/_next") || pathname.startsWith("/api") || /\.[a-zA-Z]{2,5}$/.test(pathname)) {
|
|
19
|
+
return server.NextResponse.next();
|
|
20
|
+
}
|
|
21
|
+
const isProtected = protectedRoutes.some((r) => pathname.startsWith(r));
|
|
22
|
+
if (!isProtected) return server.NextResponse.next();
|
|
23
|
+
const rawGlobal = request.cookies.get(GLOBAL_TOKEN_COOKIE)?.value;
|
|
24
|
+
const rawTenant = request.cookies.get(TENANT_TOKEN_COOKIE)?.value;
|
|
25
|
+
if (!rawGlobal) {
|
|
26
|
+
const loginRedirect = new URL(loginUrl, request.url);
|
|
27
|
+
loginRedirect.searchParams.set("next", pathname);
|
|
28
|
+
return server.NextResponse.redirect(loginRedirect);
|
|
29
|
+
}
|
|
30
|
+
try {
|
|
31
|
+
const globalToken = authCore.parseGlobalToken(rawGlobal);
|
|
32
|
+
if (authCore.isTokenExpired(globalToken.exp)) {
|
|
33
|
+
const loginRedirect = new URL(loginUrl, request.url);
|
|
34
|
+
loginRedirect.searchParams.set("next", pathname);
|
|
35
|
+
return server.NextResponse.redirect(loginRedirect);
|
|
36
|
+
}
|
|
37
|
+
if (config.tenantMode && !rawTenant) {
|
|
38
|
+
const tenantRedirect = new URL(tenantSelectUrl, request.url);
|
|
39
|
+
tenantRedirect.searchParams.set("next", pathname);
|
|
40
|
+
return server.NextResponse.redirect(tenantRedirect);
|
|
41
|
+
}
|
|
42
|
+
if (rawTenant) {
|
|
43
|
+
const tenantToken = authCore.parseTenantToken(rawTenant);
|
|
44
|
+
if (authCore.isTokenExpired(tenantToken.exp)) {
|
|
45
|
+
return server.NextResponse.redirect(new URL(tenantSelectUrl, request.url));
|
|
46
|
+
}
|
|
47
|
+
const res = server.NextResponse.next();
|
|
48
|
+
res.headers.set("x-auth-user-id", tenantToken.userId);
|
|
49
|
+
res.headers.set("x-auth-tenant-key", tenantToken.tenantKey);
|
|
50
|
+
res.headers.set("x-auth-roles", tenantToken.roles.join(","));
|
|
51
|
+
return res;
|
|
52
|
+
}
|
|
53
|
+
return server.NextResponse.next();
|
|
54
|
+
} catch {
|
|
55
|
+
return server.NextResponse.redirect(new URL(loginUrl, request.url));
|
|
56
|
+
}
|
|
57
|
+
};
|
|
58
|
+
}
|
|
59
|
+
|
|
60
|
+
exports.createAuthMiddleware = createAuthMiddleware;
|
|
61
|
+
//# sourceMappingURL=index.js.map
|
|
62
|
+
//# sourceMappingURL=index.js.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"sources":["../../src/middleware/index.ts"],"names":["NextResponse","parseGlobalToken","isTokenExpired","parseTenantToken"],"mappings":";;;;;;AAqBA,IAAM,mBAAA,GAAuB,iBAAA;AAC7B,IAAM,mBAAA,GAAuB,iBAAA;AAUtB,SAAS,oBAAA,CACd,MAAA,EACA,IAAA,GAA8B,EAAC,EAC/B;AACA,EAAA,MAAM;AAAA,IACJ,eAAA,GAAmB,CAAC,YAAA,EAAc,MAAM,CAAA;AAAA,IACxC,YAAA,GAAmB,CAAC,aAAA,EAAe,gBAAA,EAAkB,WAAW,CAAA;AAAA,IAChE,QAAA,GAAmB,aAAA;AAAA,IACnB,eAAA,GAAmB;AAAA,GACrB,GAAI,IAAA;AAEJ,EAAA,OAAO,SAAS,eAAe,OAAA,EAAoC;AACjE,IAAA,MAAM,EAAE,QAAA,EAAS,GAAI,OAAA,CAAQ,OAAA;AAG7B,IAAA,IACE,YAAA,CAAa,KAAK,CAAC,CAAA,KAAM,SAAS,UAAA,CAAW,CAAC,CAAC,CAAA,IAC/C,QAAA,CAAS,WAAW,QAAQ,CAAA,IAC5B,SAAS,UAAA,CAAW,MAAM,KAC1B,kBAAA,CAAmB,IAAA,CAAK,QAAQ,CAAA,EAChC;AACA,MAAA,OAAOA,oBAAa,IAAA,EAAK;AAAA,IAC3B;AAEA,IAAA,MAAM,WAAA,GAAc,gBAAgB,IAAA,CAAK,CAAC,MAAM,QAAA,CAAS,UAAA,CAAW,CAAC,CAAC,CAAA;AACtE,IAAA,IAAI,CAAC,WAAA,EAAa,OAAOA,mBAAA,CAAa,IAAA,EAAK;AAG3C,IAAA,MAAM,SAAA,GAAY,OAAA,CAAQ,OAAA,CAAQ,GAAA,CAAI,mBAAmB,CAAA,EAAG,KAAA;AAC5D,IAAA,MAAM,SAAA,GAAY,OAAA,CAAQ,OAAA,CAAQ,GAAA,CAAI,mBAAmB,CAAA,EAAG,KAAA;AAG5D,IAAA,IAAI,CAAC,SAAA,EAAW;AACd,MAAA,MAAM,aAAA,GAAgB,IAAI,GAAA,CAAI,QAAA,EAAU,QAAQ,GAAG,CAAA;AACnD,MAAA,aAAA,CAAc,YAAA,CAAa,GAAA,CAAI,MAAA,EAAQ,QAAQ,CAAA;AAC/C,MAAA,OAAOA,mBAAA,CAAa,SAAS,aAAa,CAAA;AAAA,IAC5C;AAEA,IAAA,IAAI;AACF,MAAA,MAAM,WAAA,GAAcC,0BAAiB,SAAS,CAAA;AAC9C,MAAA,IAAIC,uBAAA,CAAe,WAAA,CAAY,GAAG,CAAA,EAAG;AACnC,QAAA,MAAM,aAAA,GAAgB,IAAI,GAAA,CAAI,QAAA,EAAU,QAAQ,GAAG,CAAA;AACnD,QAAA,aAAA,CAAc,YAAA,CAAa,GAAA,CAAI,MAAA,EAAQ,QAAQ,CAAA;AAC/C,QAAA,OAAOF,mBAAA,CAAa,SAAS,aAAa,CAAA;AAAA,MAC5C;AAGA,MAAA,IAAI,MAAA,CAAO,UAAA,IAAc,CAAC,SAAA,EAAW;AACnC,QAAA,MAAM,cAAA,GAAiB,IAAI,GAAA,CAAI,eAAA,EAAiB,QAAQ,GAAG,CAAA;AAC3D,QAAA,cAAA,CAAe,YAAA,CAAa,GAAA,CAAI,MAAA,EAAQ,QAAQ,CAAA;AAChD,QAAA,OAAOA,mBAAA,CAAa,SAAS,cAAc,CAAA;AAAA,MAC7C;AAEA,MAAA,IAAI,SAAA,EAAW;AACb,QAAA,MAAM,WAAA,GAAcG,0BAAiB,SAAS,CAAA;AAC9C,QAAA,IAAID,uBAAA,CAAe,WAAA,CAAY,GAAG,CAAA,EAAG;AAEnC,UAAA,OAAOF,oBAAa,QAAA,CAAS,IAAI,IAAI,eAAA,EAAiB,OAAA,CAAQ,GAAG,CAAC,CAAA;AAAA,QACpE;AAEA,QAAA,MAAM,GAAA,GAAMA,oBAAa,IAAA,EAAK;AAC9B,QAAA,GAAA,CAAI,OAAA,CAAQ,GAAA,CAAI,gBAAA,EAAqB,WAAA,CAAY,MAAM,CAAA;AACvD,QAAA,GAAA,CAAI,OAAA,CAAQ,GAAA,CAAI,mBAAA,EAAqB,WAAA,CAAY,SAAS,CAAA;AAC1D,QAAA,GAAA,CAAI,QAAQ,GAAA,CAAI,cAAA,EAAqB,YAAY,KAAA,CAAM,IAAA,CAAK,GAAG,CAAC,CAAA;AAChE,QAAA,OAAO,GAAA;AAAA,MACT;AAEA,MAAA,OAAOA,oBAAa,IAAA,EAAK;AAAA,IAC3B,CAAA,CAAA,MAAQ;AACN,MAAA,OAAOA,oBAAa,QAAA,CAAS,IAAI,IAAI,QAAA,EAAU,OAAA,CAAQ,GAAG,CAAC,CAAA;AAAA,IAC7D;AAAA,EACF,CAAA;AACF","file":"index.js","sourcesContent":["/**\n * @econneq/auth-react/middleware\n * Drop-in auth middleware for Next.js App Router.\n *\n * Usage in proxy.ts / middleware.ts:\n *\n * import { createAuthMiddleware } from '@econneq/auth-react/middleware'\n * import { authConfig } from './auth/auth.config'\n *\n * export default createAuthMiddleware(authConfig, {\n * protectedRoutes: ['/dashboard', '/admin'],\n * publicRoutes: ['/auth/login', '/auth/register'],\n * loginUrl: '/auth/login',\n * tenantSelectUrl: '/auth/select-tenant',\n * })\n *\n * export const config = { matcher: ['/((?!_next|favicon).*)'] }\n */\nimport { NextRequest, NextResponse } from 'next/server'\nimport { parseGlobalToken, parseTenantToken, isTokenExpired, type EconneqAuthConfig } from '@econneq/auth-core'\n\nconst GLOBAL_TOKEN_COOKIE = 'ea_global_token'\nconst TENANT_TOKEN_COOKIE = 'ea_tenant_token'\n\nexport interface AuthMiddlewareOptions {\n protectedRoutes?: string[]\n publicRoutes?: string[]\n loginUrl?: string\n tenantSelectUrl?: string\n afterLoginUrl?: string\n}\n\nexport function createAuthMiddleware(\n config: EconneqAuthConfig,\n opts: AuthMiddlewareOptions = {},\n) {\n const {\n protectedRoutes = ['/dashboard', '/app'],\n publicRoutes = ['/auth/login', '/auth/register', '/auth/mfa'],\n loginUrl = '/auth/login',\n tenantSelectUrl = '/auth/select-tenant',\n } = opts\n\n return function authMiddleware(request: NextRequest): NextResponse {\n const { pathname } = request.nextUrl\n\n // Always allow public routes and Next.js internals\n if (\n publicRoutes.some((r) => pathname.startsWith(r)) ||\n pathname.startsWith('/_next') ||\n pathname.startsWith('/api') ||\n /\\.[a-zA-Z]{2,5}$/.test(pathname)\n ) {\n return NextResponse.next()\n }\n\n const isProtected = protectedRoutes.some((r) => pathname.startsWith(r))\n if (!isProtected) return NextResponse.next()\n\n // Read tokens from cookies (httpOnly cookies set by server)\n const rawGlobal = request.cookies.get(GLOBAL_TOKEN_COOKIE)?.value\n const rawTenant = request.cookies.get(TENANT_TOKEN_COOKIE)?.value\n\n // No global token → redirect to login\n if (!rawGlobal) {\n const loginRedirect = new URL(loginUrl, request.url)\n loginRedirect.searchParams.set('next', pathname)\n return NextResponse.redirect(loginRedirect)\n }\n\n try {\n const globalToken = parseGlobalToken(rawGlobal)\n if (isTokenExpired(globalToken.exp)) {\n const loginRedirect = new URL(loginUrl, request.url)\n loginRedirect.searchParams.set('next', pathname)\n return NextResponse.redirect(loginRedirect)\n }\n\n // Has global token but no tenant token → tenant selection\n if (config.tenantMode && !rawTenant) {\n const tenantRedirect = new URL(tenantSelectUrl, request.url)\n tenantRedirect.searchParams.set('next', pathname)\n return NextResponse.redirect(tenantRedirect)\n }\n\n if (rawTenant) {\n const tenantToken = parseTenantToken(rawTenant)\n if (isTokenExpired(tenantToken.exp)) {\n // Tenant token expired — redirect to tenant selection for re-exchange\n return NextResponse.redirect(new URL(tenantSelectUrl, request.url))\n }\n // Inject headers for server components\n const res = NextResponse.next()\n res.headers.set('x-auth-user-id', tenantToken.userId)\n res.headers.set('x-auth-tenant-key', tenantToken.tenantKey)\n res.headers.set('x-auth-roles', tenantToken.roles.join(','))\n return res\n }\n\n return NextResponse.next()\n } catch {\n return NextResponse.redirect(new URL(loginUrl, request.url))\n }\n }\n}\n"]}
|
|
@@ -0,0 +1,60 @@
|
|
|
1
|
+
import { NextResponse } from 'next/server';
|
|
2
|
+
import { parseGlobalToken, isTokenExpired, parseTenantToken } from '@econneq/auth-core';
|
|
3
|
+
|
|
4
|
+
// src/middleware/index.ts
|
|
5
|
+
var GLOBAL_TOKEN_COOKIE = "ea_global_token";
|
|
6
|
+
var TENANT_TOKEN_COOKIE = "ea_tenant_token";
|
|
7
|
+
function createAuthMiddleware(config, opts = {}) {
|
|
8
|
+
const {
|
|
9
|
+
protectedRoutes = ["/dashboard", "/app"],
|
|
10
|
+
publicRoutes = ["/auth/login", "/auth/register", "/auth/mfa"],
|
|
11
|
+
loginUrl = "/auth/login",
|
|
12
|
+
tenantSelectUrl = "/auth/select-tenant"
|
|
13
|
+
} = opts;
|
|
14
|
+
return function authMiddleware(request) {
|
|
15
|
+
const { pathname } = request.nextUrl;
|
|
16
|
+
if (publicRoutes.some((r) => pathname.startsWith(r)) || pathname.startsWith("/_next") || pathname.startsWith("/api") || /\.[a-zA-Z]{2,5}$/.test(pathname)) {
|
|
17
|
+
return NextResponse.next();
|
|
18
|
+
}
|
|
19
|
+
const isProtected = protectedRoutes.some((r) => pathname.startsWith(r));
|
|
20
|
+
if (!isProtected) return NextResponse.next();
|
|
21
|
+
const rawGlobal = request.cookies.get(GLOBAL_TOKEN_COOKIE)?.value;
|
|
22
|
+
const rawTenant = request.cookies.get(TENANT_TOKEN_COOKIE)?.value;
|
|
23
|
+
if (!rawGlobal) {
|
|
24
|
+
const loginRedirect = new URL(loginUrl, request.url);
|
|
25
|
+
loginRedirect.searchParams.set("next", pathname);
|
|
26
|
+
return NextResponse.redirect(loginRedirect);
|
|
27
|
+
}
|
|
28
|
+
try {
|
|
29
|
+
const globalToken = parseGlobalToken(rawGlobal);
|
|
30
|
+
if (isTokenExpired(globalToken.exp)) {
|
|
31
|
+
const loginRedirect = new URL(loginUrl, request.url);
|
|
32
|
+
loginRedirect.searchParams.set("next", pathname);
|
|
33
|
+
return NextResponse.redirect(loginRedirect);
|
|
34
|
+
}
|
|
35
|
+
if (config.tenantMode && !rawTenant) {
|
|
36
|
+
const tenantRedirect = new URL(tenantSelectUrl, request.url);
|
|
37
|
+
tenantRedirect.searchParams.set("next", pathname);
|
|
38
|
+
return NextResponse.redirect(tenantRedirect);
|
|
39
|
+
}
|
|
40
|
+
if (rawTenant) {
|
|
41
|
+
const tenantToken = parseTenantToken(rawTenant);
|
|
42
|
+
if (isTokenExpired(tenantToken.exp)) {
|
|
43
|
+
return NextResponse.redirect(new URL(tenantSelectUrl, request.url));
|
|
44
|
+
}
|
|
45
|
+
const res = NextResponse.next();
|
|
46
|
+
res.headers.set("x-auth-user-id", tenantToken.userId);
|
|
47
|
+
res.headers.set("x-auth-tenant-key", tenantToken.tenantKey);
|
|
48
|
+
res.headers.set("x-auth-roles", tenantToken.roles.join(","));
|
|
49
|
+
return res;
|
|
50
|
+
}
|
|
51
|
+
return NextResponse.next();
|
|
52
|
+
} catch {
|
|
53
|
+
return NextResponse.redirect(new URL(loginUrl, request.url));
|
|
54
|
+
}
|
|
55
|
+
};
|
|
56
|
+
}
|
|
57
|
+
|
|
58
|
+
export { createAuthMiddleware };
|
|
59
|
+
//# sourceMappingURL=index.mjs.map
|
|
60
|
+
//# sourceMappingURL=index.mjs.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"sources":["../../src/middleware/index.ts"],"names":[],"mappings":";;;;AAqBA,IAAM,mBAAA,GAAuB,iBAAA;AAC7B,IAAM,mBAAA,GAAuB,iBAAA;AAUtB,SAAS,oBAAA,CACd,MAAA,EACA,IAAA,GAA8B,EAAC,EAC/B;AACA,EAAA,MAAM;AAAA,IACJ,eAAA,GAAmB,CAAC,YAAA,EAAc,MAAM,CAAA;AAAA,IACxC,YAAA,GAAmB,CAAC,aAAA,EAAe,gBAAA,EAAkB,WAAW,CAAA;AAAA,IAChE,QAAA,GAAmB,aAAA;AAAA,IACnB,eAAA,GAAmB;AAAA,GACrB,GAAI,IAAA;AAEJ,EAAA,OAAO,SAAS,eAAe,OAAA,EAAoC;AACjE,IAAA,MAAM,EAAE,QAAA,EAAS,GAAI,OAAA,CAAQ,OAAA;AAG7B,IAAA,IACE,YAAA,CAAa,KAAK,CAAC,CAAA,KAAM,SAAS,UAAA,CAAW,CAAC,CAAC,CAAA,IAC/C,QAAA,CAAS,WAAW,QAAQ,CAAA,IAC5B,SAAS,UAAA,CAAW,MAAM,KAC1B,kBAAA,CAAmB,IAAA,CAAK,QAAQ,CAAA,EAChC;AACA,MAAA,OAAO,aAAa,IAAA,EAAK;AAAA,IAC3B;AAEA,IAAA,MAAM,WAAA,GAAc,gBAAgB,IAAA,CAAK,CAAC,MAAM,QAAA,CAAS,UAAA,CAAW,CAAC,CAAC,CAAA;AACtE,IAAA,IAAI,CAAC,WAAA,EAAa,OAAO,YAAA,CAAa,IAAA,EAAK;AAG3C,IAAA,MAAM,SAAA,GAAY,OAAA,CAAQ,OAAA,CAAQ,GAAA,CAAI,mBAAmB,CAAA,EAAG,KAAA;AAC5D,IAAA,MAAM,SAAA,GAAY,OAAA,CAAQ,OAAA,CAAQ,GAAA,CAAI,mBAAmB,CAAA,EAAG,KAAA;AAG5D,IAAA,IAAI,CAAC,SAAA,EAAW;AACd,MAAA,MAAM,aAAA,GAAgB,IAAI,GAAA,CAAI,QAAA,EAAU,QAAQ,GAAG,CAAA;AACnD,MAAA,aAAA,CAAc,YAAA,CAAa,GAAA,CAAI,MAAA,EAAQ,QAAQ,CAAA;AAC/C,MAAA,OAAO,YAAA,CAAa,SAAS,aAAa,CAAA;AAAA,IAC5C;AAEA,IAAA,IAAI;AACF,MAAA,MAAM,WAAA,GAAc,iBAAiB,SAAS,CAAA;AAC9C,MAAA,IAAI,cAAA,CAAe,WAAA,CAAY,GAAG,CAAA,EAAG;AACnC,QAAA,MAAM,aAAA,GAAgB,IAAI,GAAA,CAAI,QAAA,EAAU,QAAQ,GAAG,CAAA;AACnD,QAAA,aAAA,CAAc,YAAA,CAAa,GAAA,CAAI,MAAA,EAAQ,QAAQ,CAAA;AAC/C,QAAA,OAAO,YAAA,CAAa,SAAS,aAAa,CAAA;AAAA,MAC5C;AAGA,MAAA,IAAI,MAAA,CAAO,UAAA,IAAc,CAAC,SAAA,EAAW;AACnC,QAAA,MAAM,cAAA,GAAiB,IAAI,GAAA,CAAI,eAAA,EAAiB,QAAQ,GAAG,CAAA;AAC3D,QAAA,cAAA,CAAe,YAAA,CAAa,GAAA,CAAI,MAAA,EAAQ,QAAQ,CAAA;AAChD,QAAA,OAAO,YAAA,CAAa,SAAS,cAAc,CAAA;AAAA,MAC7C;AAEA,MAAA,IAAI,SAAA,EAAW;AACb,QAAA,MAAM,WAAA,GAAc,iBAAiB,SAAS,CAAA;AAC9C,QAAA,IAAI,cAAA,CAAe,WAAA,CAAY,GAAG,CAAA,EAAG;AAEnC,UAAA,OAAO,aAAa,QAAA,CAAS,IAAI,IAAI,eAAA,EAAiB,OAAA,CAAQ,GAAG,CAAC,CAAA;AAAA,QACpE;AAEA,QAAA,MAAM,GAAA,GAAM,aAAa,IAAA,EAAK;AAC9B,QAAA,GAAA,CAAI,OAAA,CAAQ,GAAA,CAAI,gBAAA,EAAqB,WAAA,CAAY,MAAM,CAAA;AACvD,QAAA,GAAA,CAAI,OAAA,CAAQ,GAAA,CAAI,mBAAA,EAAqB,WAAA,CAAY,SAAS,CAAA;AAC1D,QAAA,GAAA,CAAI,QAAQ,GAAA,CAAI,cAAA,EAAqB,YAAY,KAAA,CAAM,IAAA,CAAK,GAAG,CAAC,CAAA;AAChE,QAAA,OAAO,GAAA;AAAA,MACT;AAEA,MAAA,OAAO,aAAa,IAAA,EAAK;AAAA,IAC3B,CAAA,CAAA,MAAQ;AACN,MAAA,OAAO,aAAa,QAAA,CAAS,IAAI,IAAI,QAAA,EAAU,OAAA,CAAQ,GAAG,CAAC,CAAA;AAAA,IAC7D;AAAA,EACF,CAAA;AACF","file":"index.mjs","sourcesContent":["/**\n * @econneq/auth-react/middleware\n * Drop-in auth middleware for Next.js App Router.\n *\n * Usage in proxy.ts / middleware.ts:\n *\n * import { createAuthMiddleware } from '@econneq/auth-react/middleware'\n * import { authConfig } from './auth/auth.config'\n *\n * export default createAuthMiddleware(authConfig, {\n * protectedRoutes: ['/dashboard', '/admin'],\n * publicRoutes: ['/auth/login', '/auth/register'],\n * loginUrl: '/auth/login',\n * tenantSelectUrl: '/auth/select-tenant',\n * })\n *\n * export const config = { matcher: ['/((?!_next|favicon).*)'] }\n */\nimport { NextRequest, NextResponse } from 'next/server'\nimport { parseGlobalToken, parseTenantToken, isTokenExpired, type EconneqAuthConfig } from '@econneq/auth-core'\n\nconst GLOBAL_TOKEN_COOKIE = 'ea_global_token'\nconst TENANT_TOKEN_COOKIE = 'ea_tenant_token'\n\nexport interface AuthMiddlewareOptions {\n protectedRoutes?: string[]\n publicRoutes?: string[]\n loginUrl?: string\n tenantSelectUrl?: string\n afterLoginUrl?: string\n}\n\nexport function createAuthMiddleware(\n config: EconneqAuthConfig,\n opts: AuthMiddlewareOptions = {},\n) {\n const {\n protectedRoutes = ['/dashboard', '/app'],\n publicRoutes = ['/auth/login', '/auth/register', '/auth/mfa'],\n loginUrl = '/auth/login',\n tenantSelectUrl = '/auth/select-tenant',\n } = opts\n\n return function authMiddleware(request: NextRequest): NextResponse {\n const { pathname } = request.nextUrl\n\n // Always allow public routes and Next.js internals\n if (\n publicRoutes.some((r) => pathname.startsWith(r)) ||\n pathname.startsWith('/_next') ||\n pathname.startsWith('/api') ||\n /\\.[a-zA-Z]{2,5}$/.test(pathname)\n ) {\n return NextResponse.next()\n }\n\n const isProtected = protectedRoutes.some((r) => pathname.startsWith(r))\n if (!isProtected) return NextResponse.next()\n\n // Read tokens from cookies (httpOnly cookies set by server)\n const rawGlobal = request.cookies.get(GLOBAL_TOKEN_COOKIE)?.value\n const rawTenant = request.cookies.get(TENANT_TOKEN_COOKIE)?.value\n\n // No global token → redirect to login\n if (!rawGlobal) {\n const loginRedirect = new URL(loginUrl, request.url)\n loginRedirect.searchParams.set('next', pathname)\n return NextResponse.redirect(loginRedirect)\n }\n\n try {\n const globalToken = parseGlobalToken(rawGlobal)\n if (isTokenExpired(globalToken.exp)) {\n const loginRedirect = new URL(loginUrl, request.url)\n loginRedirect.searchParams.set('next', pathname)\n return NextResponse.redirect(loginRedirect)\n }\n\n // Has global token but no tenant token → tenant selection\n if (config.tenantMode && !rawTenant) {\n const tenantRedirect = new URL(tenantSelectUrl, request.url)\n tenantRedirect.searchParams.set('next', pathname)\n return NextResponse.redirect(tenantRedirect)\n }\n\n if (rawTenant) {\n const tenantToken = parseTenantToken(rawTenant)\n if (isTokenExpired(tenantToken.exp)) {\n // Tenant token expired — redirect to tenant selection for re-exchange\n return NextResponse.redirect(new URL(tenantSelectUrl, request.url))\n }\n // Inject headers for server components\n const res = NextResponse.next()\n res.headers.set('x-auth-user-id', tenantToken.userId)\n res.headers.set('x-auth-tenant-key', tenantToken.tenantKey)\n res.headers.set('x-auth-roles', tenantToken.roles.join(','))\n return res\n }\n\n return NextResponse.next()\n } catch {\n return NextResponse.redirect(new URL(loginUrl, request.url))\n }\n }\n}\n"]}
|
|
@@ -0,0 +1,25 @@
|
|
|
1
|
+
import { GlobalToken, TenantToken } from '@econneq/auth-core';
|
|
2
|
+
|
|
3
|
+
declare function getGlobalToken(): Promise<GlobalToken | null>;
|
|
4
|
+
declare function getTenantToken(): Promise<TenantToken | null>;
|
|
5
|
+
/**
|
|
6
|
+
* Get the authenticated server user. Redirects to login if not authenticated.
|
|
7
|
+
*/
|
|
8
|
+
declare function getServerUser(loginUrl?: string): Promise<{
|
|
9
|
+
token: TenantToken;
|
|
10
|
+
userId: string;
|
|
11
|
+
}>;
|
|
12
|
+
/**
|
|
13
|
+
* Get the user's roles from the request headers (injected by middleware).
|
|
14
|
+
*/
|
|
15
|
+
declare function getServerRoles(): Promise<string[]>;
|
|
16
|
+
/**
|
|
17
|
+
* Check permission server-side (use in Server Actions).
|
|
18
|
+
*/
|
|
19
|
+
declare function serverCan(permission: string): Promise<boolean>;
|
|
20
|
+
/**
|
|
21
|
+
* Get the Authorization header value for outgoing server-side requests.
|
|
22
|
+
*/
|
|
23
|
+
declare function getServerAuthHeader(): Promise<string>;
|
|
24
|
+
|
|
25
|
+
export { getGlobalToken, getServerAuthHeader, getServerRoles, getServerUser, getTenantToken, serverCan };
|
|
@@ -0,0 +1,25 @@
|
|
|
1
|
+
import { GlobalToken, TenantToken } from '@econneq/auth-core';
|
|
2
|
+
|
|
3
|
+
declare function getGlobalToken(): Promise<GlobalToken | null>;
|
|
4
|
+
declare function getTenantToken(): Promise<TenantToken | null>;
|
|
5
|
+
/**
|
|
6
|
+
* Get the authenticated server user. Redirects to login if not authenticated.
|
|
7
|
+
*/
|
|
8
|
+
declare function getServerUser(loginUrl?: string): Promise<{
|
|
9
|
+
token: TenantToken;
|
|
10
|
+
userId: string;
|
|
11
|
+
}>;
|
|
12
|
+
/**
|
|
13
|
+
* Get the user's roles from the request headers (injected by middleware).
|
|
14
|
+
*/
|
|
15
|
+
declare function getServerRoles(): Promise<string[]>;
|
|
16
|
+
/**
|
|
17
|
+
* Check permission server-side (use in Server Actions).
|
|
18
|
+
*/
|
|
19
|
+
declare function serverCan(permission: string): Promise<boolean>;
|
|
20
|
+
/**
|
|
21
|
+
* Get the Authorization header value for outgoing server-side requests.
|
|
22
|
+
*/
|
|
23
|
+
declare function getServerAuthHeader(): Promise<string>;
|
|
24
|
+
|
|
25
|
+
export { getGlobalToken, getServerAuthHeader, getServerRoles, getServerUser, getTenantToken, serverCan };
|
|
@@ -0,0 +1,55 @@
|
|
|
1
|
+
'use strict';
|
|
2
|
+
|
|
3
|
+
var headers = require('next/headers');
|
|
4
|
+
var navigation = require('next/navigation');
|
|
5
|
+
var authCore = require('@econneq/auth-core');
|
|
6
|
+
|
|
7
|
+
// src/server/index.ts
|
|
8
|
+
var GLOBAL_TOKEN_COOKIE = "ea_global_token";
|
|
9
|
+
var TENANT_TOKEN_COOKIE = "ea_tenant_token";
|
|
10
|
+
async function getGlobalToken() {
|
|
11
|
+
const raw = (await headers.cookies()).get(GLOBAL_TOKEN_COOKIE)?.value;
|
|
12
|
+
if (!raw) return null;
|
|
13
|
+
try {
|
|
14
|
+
const t = authCore.parseGlobalToken(raw);
|
|
15
|
+
return authCore.isTokenExpired(t.exp) ? null : t;
|
|
16
|
+
} catch {
|
|
17
|
+
return null;
|
|
18
|
+
}
|
|
19
|
+
}
|
|
20
|
+
async function getTenantToken() {
|
|
21
|
+
const raw = (await headers.cookies()).get(TENANT_TOKEN_COOKIE)?.value;
|
|
22
|
+
if (!raw) return null;
|
|
23
|
+
try {
|
|
24
|
+
const t = authCore.parseTenantToken(raw);
|
|
25
|
+
return authCore.isTokenExpired(t.exp) ? null : t;
|
|
26
|
+
} catch {
|
|
27
|
+
return null;
|
|
28
|
+
}
|
|
29
|
+
}
|
|
30
|
+
async function getServerUser(loginUrl = "/auth/login") {
|
|
31
|
+
const token = await getTenantToken();
|
|
32
|
+
if (!token) navigation.redirect(loginUrl);
|
|
33
|
+
return { token, userId: token.userId };
|
|
34
|
+
}
|
|
35
|
+
async function getServerRoles() {
|
|
36
|
+
const h = await headers.headers();
|
|
37
|
+
return h.get("x-auth-roles")?.split(",").filter(Boolean) ?? [];
|
|
38
|
+
}
|
|
39
|
+
async function serverCan(permission) {
|
|
40
|
+
const token = await getTenantToken();
|
|
41
|
+
return token?.permissions.includes(permission) ?? false;
|
|
42
|
+
}
|
|
43
|
+
async function getServerAuthHeader() {
|
|
44
|
+
const token = await getTenantToken() ?? await getGlobalToken();
|
|
45
|
+
return token ? `Bearer ${token.raw}` : "";
|
|
46
|
+
}
|
|
47
|
+
|
|
48
|
+
exports.getGlobalToken = getGlobalToken;
|
|
49
|
+
exports.getServerAuthHeader = getServerAuthHeader;
|
|
50
|
+
exports.getServerRoles = getServerRoles;
|
|
51
|
+
exports.getServerUser = getServerUser;
|
|
52
|
+
exports.getTenantToken = getTenantToken;
|
|
53
|
+
exports.serverCan = serverCan;
|
|
54
|
+
//# sourceMappingURL=index.js.map
|
|
55
|
+
//# sourceMappingURL=index.js.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"sources":["../../src/server/index.ts"],"names":["cookies","parseGlobalToken","isTokenExpired","parseTenantToken","redirect","headers"],"mappings":";;;;;;;AAUA,IAAM,mBAAA,GAAuB,iBAAA;AAC7B,IAAM,mBAAA,GAAuB,iBAAA;AAI7B,eAAsB,cAAA,GAA8C;AAClE,EAAA,MAAM,OAAO,MAAMA,eAAA,EAAQ,EAAG,GAAA,CAAI,mBAAmB,CAAA,EAAG,KAAA;AACxD,EAAA,IAAI,CAAC,KAAK,OAAO,IAAA;AACjB,EAAA,IAAI;AACF,IAAA,MAAM,CAAA,GAAIC,0BAAiB,GAAG,CAAA;AAC9B,IAAA,OAAOC,uBAAA,CAAe,CAAA,CAAE,GAAG,CAAA,GAAI,IAAA,GAAO,CAAA;AAAA,EACxC,CAAA,CAAA,MAAQ;AAAE,IAAA,OAAO,IAAA;AAAA,EAAK;AACxB;AAEA,eAAsB,cAAA,GAA8C;AAClE,EAAA,MAAM,OAAO,MAAMF,eAAA,EAAQ,EAAG,GAAA,CAAI,mBAAmB,CAAA,EAAG,KAAA;AACxD,EAAA,IAAI,CAAC,KAAK,OAAO,IAAA;AACjB,EAAA,IAAI;AACF,IAAA,MAAM,CAAA,GAAIG,0BAAiB,GAAG,CAAA;AAC9B,IAAA,OAAOD,uBAAA,CAAe,CAAA,CAAE,GAAG,CAAA,GAAI,IAAA,GAAO,CAAA;AAAA,EACxC,CAAA,CAAA,MAAQ;AAAE,IAAA,OAAO,IAAA;AAAA,EAAK;AACxB;AAOA,eAAsB,aAAA,CAAc,WAAW,aAAA,EAAgE;AAC7G,EAAA,MAAM,KAAA,GAAQ,MAAM,cAAA,EAAe;AACnC,EAAA,IAAI,CAAC,KAAA,EAAOE,mBAAA,CAAS,QAAQ,CAAA;AAC7B,EAAA,OAAO,EAAE,KAAA,EAAO,MAAA,EAAQ,KAAA,CAAM,MAAA,EAAO;AACvC;AAKA,eAAsB,cAAA,GAAoC;AACxD,EAAA,MAAM,CAAA,GAAI,MAAMC,eAAA,EAAQ;AACxB,EAAA,OAAO,CAAA,CAAE,GAAA,CAAI,cAAc,CAAA,EAAG,KAAA,CAAM,GAAG,CAAA,CAAE,MAAA,CAAO,OAAO,CAAA,IAAK,EAAC;AAC/D;AAKA,eAAsB,UAAU,UAAA,EAAsC;AACpE,EAAA,MAAM,KAAA,GAAQ,MAAM,cAAA,EAAe;AACnC,EAAA,OAAO,KAAA,EAAO,WAAA,CAAY,QAAA,CAAS,UAAU,CAAA,IAAK,KAAA;AACpD;AAKA,eAAsB,mBAAA,GAAuC;AAC3D,EAAA,MAAM,KAAA,GAAQ,MAAM,cAAA,EAAe,IAAK,MAAM,cAAA,EAAe;AAC7D,EAAA,OAAO,KAAA,GAAQ,CAAA,OAAA,EAAU,KAAA,CAAM,GAAG,CAAA,CAAA,GAAK,EAAA;AACzC","file":"index.js","sourcesContent":["/**\n * @econneq/auth-react/server\n * Server-side auth utilities for Next.js App Router.\n * Import only in Server Components, Server Actions, or Route Handlers.\n */\nimport { cookies, headers } from 'next/headers'\nimport { redirect } from 'next/navigation'\nimport { parseGlobalToken, parseTenantToken, isTokenExpired } from '@econneq/auth-core'\nimport type { GlobalToken, TenantToken, AuthUser } from '@econneq/auth-core'\n\nconst GLOBAL_TOKEN_COOKIE = 'ea_global_token'\nconst TENANT_TOKEN_COOKIE = 'ea_tenant_token'\n\n// ─── Token accessors ──────────────────────────────────────────────────────────\n\nexport async function getGlobalToken(): Promise<GlobalToken | null> {\n const raw = (await cookies()).get(GLOBAL_TOKEN_COOKIE)?.value\n if (!raw) return null\n try {\n const t = parseGlobalToken(raw)\n return isTokenExpired(t.exp) ? null : t\n } catch { return null }\n}\n\nexport async function getTenantToken(): Promise<TenantToken | null> {\n const raw = (await cookies()).get(TENANT_TOKEN_COOKIE)?.value\n if (!raw) return null\n try {\n const t = parseTenantToken(raw)\n return isTokenExpired(t.exp) ? null : t\n } catch { return null }\n}\n\n// ─── Server Component helpers ────────────────────────────────────────────────\n\n/**\n * Get the authenticated server user. Redirects to login if not authenticated.\n */\nexport async function getServerUser(loginUrl = '/auth/login'): Promise<{ token: TenantToken; userId: string }> {\n const token = await getTenantToken()\n if (!token) redirect(loginUrl)\n return { token, userId: token.userId }\n}\n\n/**\n * Get the user's roles from the request headers (injected by middleware).\n */\nexport async function getServerRoles(): Promise<string[]> {\n const h = await headers()\n return h.get('x-auth-roles')?.split(',').filter(Boolean) ?? []\n}\n\n/**\n * Check permission server-side (use in Server Actions).\n */\nexport async function serverCan(permission: string): Promise<boolean> {\n const token = await getTenantToken()\n return token?.permissions.includes(permission) ?? false\n}\n\n/**\n * Get the Authorization header value for outgoing server-side requests.\n */\nexport async function getServerAuthHeader(): Promise<string> {\n const token = await getTenantToken() ?? await getGlobalToken()\n return token ? `Bearer ${token.raw}` : ''\n}\n"]}
|
|
@@ -0,0 +1,48 @@
|
|
|
1
|
+
import { cookies, headers } from 'next/headers';
|
|
2
|
+
import { redirect } from 'next/navigation';
|
|
3
|
+
import { parseGlobalToken, isTokenExpired, parseTenantToken } from '@econneq/auth-core';
|
|
4
|
+
|
|
5
|
+
// src/server/index.ts
|
|
6
|
+
var GLOBAL_TOKEN_COOKIE = "ea_global_token";
|
|
7
|
+
var TENANT_TOKEN_COOKIE = "ea_tenant_token";
|
|
8
|
+
async function getGlobalToken() {
|
|
9
|
+
const raw = (await cookies()).get(GLOBAL_TOKEN_COOKIE)?.value;
|
|
10
|
+
if (!raw) return null;
|
|
11
|
+
try {
|
|
12
|
+
const t = parseGlobalToken(raw);
|
|
13
|
+
return isTokenExpired(t.exp) ? null : t;
|
|
14
|
+
} catch {
|
|
15
|
+
return null;
|
|
16
|
+
}
|
|
17
|
+
}
|
|
18
|
+
async function getTenantToken() {
|
|
19
|
+
const raw = (await cookies()).get(TENANT_TOKEN_COOKIE)?.value;
|
|
20
|
+
if (!raw) return null;
|
|
21
|
+
try {
|
|
22
|
+
const t = parseTenantToken(raw);
|
|
23
|
+
return isTokenExpired(t.exp) ? null : t;
|
|
24
|
+
} catch {
|
|
25
|
+
return null;
|
|
26
|
+
}
|
|
27
|
+
}
|
|
28
|
+
async function getServerUser(loginUrl = "/auth/login") {
|
|
29
|
+
const token = await getTenantToken();
|
|
30
|
+
if (!token) redirect(loginUrl);
|
|
31
|
+
return { token, userId: token.userId };
|
|
32
|
+
}
|
|
33
|
+
async function getServerRoles() {
|
|
34
|
+
const h = await headers();
|
|
35
|
+
return h.get("x-auth-roles")?.split(",").filter(Boolean) ?? [];
|
|
36
|
+
}
|
|
37
|
+
async function serverCan(permission) {
|
|
38
|
+
const token = await getTenantToken();
|
|
39
|
+
return token?.permissions.includes(permission) ?? false;
|
|
40
|
+
}
|
|
41
|
+
async function getServerAuthHeader() {
|
|
42
|
+
const token = await getTenantToken() ?? await getGlobalToken();
|
|
43
|
+
return token ? `Bearer ${token.raw}` : "";
|
|
44
|
+
}
|
|
45
|
+
|
|
46
|
+
export { getGlobalToken, getServerAuthHeader, getServerRoles, getServerUser, getTenantToken, serverCan };
|
|
47
|
+
//# sourceMappingURL=index.mjs.map
|
|
48
|
+
//# sourceMappingURL=index.mjs.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"sources":["../../src/server/index.ts"],"names":[],"mappings":";;;;;AAUA,IAAM,mBAAA,GAAuB,iBAAA;AAC7B,IAAM,mBAAA,GAAuB,iBAAA;AAI7B,eAAsB,cAAA,GAA8C;AAClE,EAAA,MAAM,OAAO,MAAM,OAAA,EAAQ,EAAG,GAAA,CAAI,mBAAmB,CAAA,EAAG,KAAA;AACxD,EAAA,IAAI,CAAC,KAAK,OAAO,IAAA;AACjB,EAAA,IAAI;AACF,IAAA,MAAM,CAAA,GAAI,iBAAiB,GAAG,CAAA;AAC9B,IAAA,OAAO,cAAA,CAAe,CAAA,CAAE,GAAG,CAAA,GAAI,IAAA,GAAO,CAAA;AAAA,EACxC,CAAA,CAAA,MAAQ;AAAE,IAAA,OAAO,IAAA;AAAA,EAAK;AACxB;AAEA,eAAsB,cAAA,GAA8C;AAClE,EAAA,MAAM,OAAO,MAAM,OAAA,EAAQ,EAAG,GAAA,CAAI,mBAAmB,CAAA,EAAG,KAAA;AACxD,EAAA,IAAI,CAAC,KAAK,OAAO,IAAA;AACjB,EAAA,IAAI;AACF,IAAA,MAAM,CAAA,GAAI,iBAAiB,GAAG,CAAA;AAC9B,IAAA,OAAO,cAAA,CAAe,CAAA,CAAE,GAAG,CAAA,GAAI,IAAA,GAAO,CAAA;AAAA,EACxC,CAAA,CAAA,MAAQ;AAAE,IAAA,OAAO,IAAA;AAAA,EAAK;AACxB;AAOA,eAAsB,aAAA,CAAc,WAAW,aAAA,EAAgE;AAC7G,EAAA,MAAM,KAAA,GAAQ,MAAM,cAAA,EAAe;AACnC,EAAA,IAAI,CAAC,KAAA,EAAO,QAAA,CAAS,QAAQ,CAAA;AAC7B,EAAA,OAAO,EAAE,KAAA,EAAO,MAAA,EAAQ,KAAA,CAAM,MAAA,EAAO;AACvC;AAKA,eAAsB,cAAA,GAAoC;AACxD,EAAA,MAAM,CAAA,GAAI,MAAM,OAAA,EAAQ;AACxB,EAAA,OAAO,CAAA,CAAE,GAAA,CAAI,cAAc,CAAA,EAAG,KAAA,CAAM,GAAG,CAAA,CAAE,MAAA,CAAO,OAAO,CAAA,IAAK,EAAC;AAC/D;AAKA,eAAsB,UAAU,UAAA,EAAsC;AACpE,EAAA,MAAM,KAAA,GAAQ,MAAM,cAAA,EAAe;AACnC,EAAA,OAAO,KAAA,EAAO,WAAA,CAAY,QAAA,CAAS,UAAU,CAAA,IAAK,KAAA;AACpD;AAKA,eAAsB,mBAAA,GAAuC;AAC3D,EAAA,MAAM,KAAA,GAAQ,MAAM,cAAA,EAAe,IAAK,MAAM,cAAA,EAAe;AAC7D,EAAA,OAAO,KAAA,GAAQ,CAAA,OAAA,EAAU,KAAA,CAAM,GAAG,CAAA,CAAA,GAAK,EAAA;AACzC","file":"index.mjs","sourcesContent":["/**\n * @econneq/auth-react/server\n * Server-side auth utilities for Next.js App Router.\n * Import only in Server Components, Server Actions, or Route Handlers.\n */\nimport { cookies, headers } from 'next/headers'\nimport { redirect } from 'next/navigation'\nimport { parseGlobalToken, parseTenantToken, isTokenExpired } from '@econneq/auth-core'\nimport type { GlobalToken, TenantToken, AuthUser } from '@econneq/auth-core'\n\nconst GLOBAL_TOKEN_COOKIE = 'ea_global_token'\nconst TENANT_TOKEN_COOKIE = 'ea_tenant_token'\n\n// ─── Token accessors ──────────────────────────────────────────────────────────\n\nexport async function getGlobalToken(): Promise<GlobalToken | null> {\n const raw = (await cookies()).get(GLOBAL_TOKEN_COOKIE)?.value\n if (!raw) return null\n try {\n const t = parseGlobalToken(raw)\n return isTokenExpired(t.exp) ? null : t\n } catch { return null }\n}\n\nexport async function getTenantToken(): Promise<TenantToken | null> {\n const raw = (await cookies()).get(TENANT_TOKEN_COOKIE)?.value\n if (!raw) return null\n try {\n const t = parseTenantToken(raw)\n return isTokenExpired(t.exp) ? null : t\n } catch { return null }\n}\n\n// ─── Server Component helpers ────────────────────────────────────────────────\n\n/**\n * Get the authenticated server user. Redirects to login if not authenticated.\n */\nexport async function getServerUser(loginUrl = '/auth/login'): Promise<{ token: TenantToken; userId: string }> {\n const token = await getTenantToken()\n if (!token) redirect(loginUrl)\n return { token, userId: token.userId }\n}\n\n/**\n * Get the user's roles from the request headers (injected by middleware).\n */\nexport async function getServerRoles(): Promise<string[]> {\n const h = await headers()\n return h.get('x-auth-roles')?.split(',').filter(Boolean) ?? []\n}\n\n/**\n * Check permission server-side (use in Server Actions).\n */\nexport async function serverCan(permission: string): Promise<boolean> {\n const token = await getTenantToken()\n return token?.permissions.includes(permission) ?? false\n}\n\n/**\n * Get the Authorization header value for outgoing server-side requests.\n */\nexport async function getServerAuthHeader(): Promise<string> {\n const token = await getTenantToken() ?? await getGlobalToken()\n return token ? `Bearer ${token.raw}` : ''\n}\n"]}
|
package/package.json
ADDED
|
@@ -0,0 +1,61 @@
|
|
|
1
|
+
{
|
|
2
|
+
"name": "@econneq/auth-nextjs",
|
|
3
|
+
"version": "1.0.2",
|
|
4
|
+
"description": "Next.js App Router integration — middleware, server actions, SSR auth",
|
|
5
|
+
"author": "Econneq",
|
|
6
|
+
"license": "MIT",
|
|
7
|
+
"keywords": [
|
|
8
|
+
"auth",
|
|
9
|
+
"nextjs",
|
|
10
|
+
"app-router",
|
|
11
|
+
"middleware",
|
|
12
|
+
"ssr",
|
|
13
|
+
"enterprise"
|
|
14
|
+
],
|
|
15
|
+
"main": "./dist/index.js",
|
|
16
|
+
"module": "./dist/index.mjs",
|
|
17
|
+
"types": "./dist/index.d.ts",
|
|
18
|
+
"exports": {
|
|
19
|
+
".": {
|
|
20
|
+
"types": "./dist/index.d.ts",
|
|
21
|
+
"import": "./dist/index.mjs",
|
|
22
|
+
"require": "./dist/index.js"
|
|
23
|
+
},
|
|
24
|
+
"./middleware": {
|
|
25
|
+
"types": "./dist/middleware/index.d.ts",
|
|
26
|
+
"import": "./dist/middleware/index.mjs",
|
|
27
|
+
"require": "./dist/middleware/index.js"
|
|
28
|
+
},
|
|
29
|
+
"./server": {
|
|
30
|
+
"types": "./dist/server/index.d.ts",
|
|
31
|
+
"import": "./dist/server/index.mjs",
|
|
32
|
+
"require": "./dist/server/index.js"
|
|
33
|
+
}
|
|
34
|
+
},
|
|
35
|
+
"sideEffects": false,
|
|
36
|
+
"files": [
|
|
37
|
+
"dist",
|
|
38
|
+
"README.md"
|
|
39
|
+
],
|
|
40
|
+
"dependencies": {
|
|
41
|
+
"@econneq/auth-core": "1.0.1"
|
|
42
|
+
},
|
|
43
|
+
"peerDependencies": {
|
|
44
|
+
"next": ">=14.0.0",
|
|
45
|
+
"react": ">=18.0.0",
|
|
46
|
+
"react-dom": ">=18.0.0"
|
|
47
|
+
},
|
|
48
|
+
"devDependencies": {
|
|
49
|
+
"@types/react": "^18.3.0",
|
|
50
|
+
"next": "^15.0.0",
|
|
51
|
+
"tsup": "^8.5.1",
|
|
52
|
+
"typescript": "^5.4.0",
|
|
53
|
+
"rimraf": "^5.0.0"
|
|
54
|
+
},
|
|
55
|
+
"scripts": {
|
|
56
|
+
"build": "tsup",
|
|
57
|
+
"dev": "tsup --watch",
|
|
58
|
+
"typecheck": "tsc --noEmit",
|
|
59
|
+
"clean": "rimraf dist"
|
|
60
|
+
}
|
|
61
|
+
}
|