npm - @foldspace-fe/casdoor-next-auth-kit - Versions diffs - 0.1.1 - Mend

@foldspace-fe/casdoor-next-auth-kit 0.1.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (40) hide show

package/dist/billing/index.d.ts +16 -0
package/dist/billing/index.js +28 -0
package/dist/billing/index.js.map +1 -0
package/dist/callback-BTzHQK_r.d.ts +12 -0
package/dist/casdoor/index.d.ts +28 -0
package/dist/casdoor/index.js +40 -0
package/dist/casdoor/index.js.map +1 -0
package/dist/chunk-6E27SZ7V.js +291 -0
package/dist/chunk-6E27SZ7V.js.map +1 -0
package/dist/chunk-DONQHN4U.js +56 -0
package/dist/chunk-DONQHN4U.js.map +1 -0
package/dist/chunk-IQEVUR77.js +909 -0
package/dist/chunk-IQEVUR77.js.map +1 -0
package/dist/chunk-RGTVPBH7.js +182 -0
package/dist/chunk-RGTVPBH7.js.map +1 -0
package/dist/chunk-T2M5MVPE.js +20 -0
package/dist/chunk-T2M5MVPE.js.map +1 -0
package/dist/chunk-XMBHIEYL.js +1 -0
package/dist/chunk-XMBHIEYL.js.map +1 -0
package/dist/chunk-Y4GJ2AEI.js +192 -0
package/dist/chunk-Y4GJ2AEI.js.map +1 -0
package/dist/cli.d.ts +2 -0
package/dist/cli.js +437 -0
package/dist/cli.js.map +1 -0
package/dist/index.d.ts +77 -0
package/dist/index.js +148 -0
package/dist/index.js.map +1 -0
package/dist/next/index.d.ts +17 -0
package/dist/next/index.js +24 -0
package/dist/next/index.js.map +1 -0
package/dist/options-JUwZSXu2.d.ts +40 -0
package/dist/react/index.d.ts +242 -0
package/dist/react/index.js +774 -0
package/dist/react/index.js.map +1 -0
package/dist/skills/casdoor-next-auth-kit/SKILL.md +158 -0
package/dist/skills/casdoor-next-auth-kit/references/casdoor-api-reference.md +2387 -0
package/dist/skills/casdoor-next-auth-kit/references/swagger.json +3686 -0
package/dist/types-BPsPs5Rv.d.ts +337 -0
package/dist/types-DqVXdUge.d.ts +121 -0
package/package.json +69 -0

package/dist/chunk-IQEVUR77.js ADDED Viewed

@@ -0,0 +1,909 @@
+import {
+  resolvePostLoginRedirect
+} from "./chunk-T2M5MVPE.js";
+// src/core/config.ts
+function normalizeAuthKitConfig(config) {
+  return {
+    ...config,
+    casdoor: {
+      redirectPath: "/callback",
+      signinPath: "/login/oauth/authorize",
+      ...config.casdoor
+    },
+    cookie: {
+      secure: "auto",
+      ...config.cookie
+    },
+    session: {
+      maxAgeSeconds: 60 * 60 * 24 * 7,
+      ...config.session
+    }
+  };
+}
+// src/core/public-origin.ts
+var PUBLIC_ORIGIN_COOKIE_NAME = "auth_origin";
+function getRequestOrigin(request, appUrl) {
+  const referer = request.headers.get("referer");
+  if (referer) {
+    try {
+      return new URL(referer).origin;
+    } catch {
+    }
+  }
+  const origin = request.headers.get("origin");
+  if (origin) {
+    try {
+      return new URL(origin).origin;
+    } catch {
+    }
+  }
+  if (appUrl) {
+    try {
+      return new URL(appUrl).origin;
+    } catch {
+    }
+  }
+  const forwardedProto = request.headers.get("x-forwarded-proto")?.split(",")[0]?.trim();
+  const forwardedHost = request.headers.get("x-forwarded-host")?.split(",")[0]?.trim();
+  if (forwardedProto && forwardedHost) {
+    return `${forwardedProto}://${forwardedHost}`;
+  }
+  return new URL(request.url).origin;
+}
+function setPublicOriginCookie(response, origin, secure) {
+  response.cookies.set(PUBLIC_ORIGIN_COOKIE_NAME, origin, {
+    path: "/",
+    httpOnly: true,
+    sameSite: "lax",
+    secure
+  });
+}
+function clearPublicOriginCookie(response, secure) {
+  response.cookies.set(PUBLIC_ORIGIN_COOKIE_NAME, "", {
+    path: "/",
+    httpOnly: true,
+    sameSite: "lax",
+    secure,
+    maxAge: 0
+  });
+}
+function getStoredPublicOrigin(request) {
+  const cookieHeader = request.headers.get("cookie");
+  if (!cookieHeader) {
+    return null;
+  }
+  for (const entry of cookieHeader.split(";")) {
+    const [rawName, ...valueParts] = entry.trim().split("=");
+    if (rawName === PUBLIC_ORIGIN_COOKIE_NAME) {
+      const value = valueParts.join("=").trim();
+      if (!value) {
+        return null;
+      }
+      try {
+        return decodeURIComponent(value);
+      } catch {
+        return value;
+      }
+    }
+  }
+  return null;
+}
+// src/core/request-security.ts
+function isSecureRequest(request, appUrl) {
+  const url = new URL(request.url);
+  if (url.protocol === "https:") return true;
+  const forwardedProto = request.headers.get("x-forwarded-proto")?.split(",")[0]?.trim().toLowerCase();
+  if (forwardedProto === "https") return true;
+  if (appUrl) {
+    try {
+      return new URL(appUrl).protocol === "https:";
+    } catch {
+      return false;
+    }
+  }
+  return false;
+}
+// src/core/auth-redirect.ts
+var AUTH_REDIRECT_COOKIE_NAME = "auth_redirect";
+function getAuthRedirectTarget(request) {
+  const cookieHeader = request.headers.get("cookie");
+  if (!cookieHeader) {
+    return null;
+  }
+  for (const entry of cookieHeader.split(";")) {
+    const [rawName, ...valueParts] = entry.trim().split("=");
+    if (rawName === AUTH_REDIRECT_COOKIE_NAME) {
+      const value = valueParts.join("=").trim();
+      if (!value) {
+        return null;
+      }
+      let decoded = value;
+      try {
+        decoded = decodeURIComponent(value);
+      } catch {
+      }
+      if (decoded.startsWith("/") && !decoded.startsWith("//")) {
+        return decoded;
+      }
+      return null;
+    }
+  }
+  return null;
+}
+function setAuthRedirectCookie(response, target, secure) {
+  response.cookies.set(AUTH_REDIRECT_COOKIE_NAME, target, {
+    path: "/",
+    httpOnly: true,
+    sameSite: "lax",
+    secure
+  });
+}
+function clearAuthRedirectCookie(response, secure) {
+  response.cookies.set(AUTH_REDIRECT_COOKIE_NAME, "", {
+    path: "/",
+    httpOnly: true,
+    sameSite: "lax",
+    secure,
+    maxAge: 0
+  });
+}
+// src/core/admin.ts
+var DEFAULT_ADMIN_EMAILS = ["admin@example.com"];
+function readAdminEmailSource() {
+  return process.env.GLOBAL_ADMIN_EMAILS || process.env.ADMIN_EMAILS || "";
+}
+function getGlobalAdminEmails() {
+  const source = readAdminEmailSource();
+  if (!source) {
+    return DEFAULT_ADMIN_EMAILS;
+  }
+  return source.split(",").map((value) => value.trim().toLowerCase()).filter(Boolean);
+}
+function isGlobalAdminEmail(email) {
+  if (!email) {
+    return false;
+  }
+  return getGlobalAdminEmails().includes(email.toLowerCase());
+}
+// src/core/index-html.ts
+var DEFAULT_CASDOOR_STATIC_ORIGIN = "https://casdoor-static.foldspace.cn";
+var DEFAULT_CASDOOR_ORIGIN = process.env.NEXT_PUBLIC_CASDOOR_SERVER_URL || "https://auth.heyaai.com";
+var DEFAULT_ICON_HREF = "https://cdn.casbin.org/img/favicon.png";
+var DEFAULT_MANIFEST_HREF = "/manifest.json";
+function escapeHtmlAttribute(value) {
+  return value.replaceAll("&", "&amp;").replaceAll('"', "&quot;").replaceAll("<", "&lt;").replaceAll(">", "&gt;");
+}
+function createAuthIndexHtml(options = {}) {
+  const staticOrigin = options.staticOrigin || DEFAULT_CASDOOR_STATIC_ORIGIN;
+  const casdoorOrigin = options.casdoorOrigin || DEFAULT_CASDOOR_ORIGIN;
+  const apiProxyPrefix = options.apiProxyPrefix || "/auth/";
+  const appName = options.appName || "\u521B\u5C0F\u5267 AI";
+  const organizationName = options.organizationName || "built-in";
+  const description = options.description || "\u521B\u5C0F\u5267 AI \u767B\u5F55 - \u4E00\u4E2A\u652F\u6301 OAuth 2.0\u3001OIDC\u3001SAML \u548C CAS \u7684\u8EAB\u4EFD\u4E0E\u5355\u70B9\u767B\u5F55\u5E73\u53F0";
+  const iconHref = options.iconHref || DEFAULT_ICON_HREF;
+  const manifestHref = options.manifestHref || DEFAULT_MANIFEST_HREF;
+  const mainJs = `${staticOrigin}/static/js/main.5ddbc6ff.js`;
+  const mainCss = `${staticOrigin}/static/css/main.f35879a1.css`;
+  return String.raw`<!doctype html>
+<html lang="zh-CN">
+  <head>
+    <meta charset="utf-8" />
+    <meta name="viewport" content="width=device-width,initial-scale=1" />
+    <meta name="theme-color" content="#000000" />
+    <meta name="description" content="${escapeHtmlAttribute(description)}" />
+    <link rel="apple-touch-icon" href="${escapeHtmlAttribute(iconHref)}" />
+    <link rel="manifest" href="${escapeHtmlAttribute(manifestHref)}" />
+    <title>${escapeHtmlAttribute(appName)}</title>
+    <script>
+      (function () {
+        var cdnOrigin = ${JSON.stringify(staticOrigin)}
+        var casdoorOrigin = ${JSON.stringify(casdoorOrigin)}
+        var currentOrigin = window.location.origin
+        var proxyPrefix = ${JSON.stringify(apiProxyPrefix)}
+        var proxyPathPrefix = proxyPrefix.replace(/\/$/, '')
+        var applicationId = ${JSON.stringify((options.organizationName || "built-in") + "/" + (options.appName || "\u521B\u5C0F\u5267 AI"))}
+        function toProxyUrl(input) {
+          try {
+            var url = typeof input === 'string' ? new URL(input, window.location.href) : input instanceof URL ? input : null
+            if (!url) {
+              return input
+            }
+            if (url.origin === cdnOrigin && url.pathname.indexOf(proxyPrefix) === 0) {
+              return currentOrigin + url.pathname + url.search + url.hash
+            }
+            if (url.origin === currentOrigin && url.pathname.indexOf('/static/') === 0) {
+              return cdnOrigin + url.pathname + url.search + url.hash
+            }
+            if (url.origin === currentOrigin && (url.pathname === '/auth' || url.pathname.indexOf('/auth/') === 0)) {
+              if (url.pathname === '/auth/api/get-application') {
+                url.searchParams.set('id', applicationId)
+              }
+              return currentOrigin + proxyPathPrefix + url.pathname.slice('/auth'.length) + url.search + url.hash
+            }
+            if (url.origin === casdoorOrigin) {
+              return currentOrigin + proxyPathPrefix + url.pathname + url.search + url.hash
+            }
+          } catch (error) {
+            return input
+          }
+          return input
+        }
+        function rewriteElement(element) {
+          if (!element || element.nodeType !== Node.ELEMENT_NODE) {
+            return
+          }
+          if (element.tagName === 'A' && element.getAttribute('href')) {
+            var href = element.getAttribute('href')
+            var rewrittenHref = toProxyUrl(href)
+            if (rewrittenHref !== href) {
+              element.setAttribute('href', rewrittenHref)
+            }
+          }
+          if (element.tagName === 'FORM' && element.getAttribute('action')) {
+            var action = element.getAttribute('action')
+            var rewrittenAction = toProxyUrl(action)
+            if (rewrittenAction !== action) {
+              element.setAttribute('action', rewrittenAction)
+            }
+          }
+          if (element.tagName === 'SCRIPT' && element.getAttribute('src')) {
+            var scriptSrc = element.getAttribute('src')
+            var rewrittenScriptSrc = toProxyUrl(scriptSrc)
+            if (rewrittenScriptSrc !== scriptSrc) {
+              element.setAttribute('src', rewrittenScriptSrc)
+            }
+          }
+          if (element.tagName === 'LINK' && element.getAttribute('href')) {
+            var linkHref = element.getAttribute('href')
+            var rewrittenLinkHref = toProxyUrl(linkHref)
+            if (rewrittenLinkHref !== linkHref) {
+              element.setAttribute('href', rewrittenLinkHref)
+            }
+          }
+          if (element.tagName === 'IMG' && element.getAttribute('src')) {
+            var imgSrc = element.getAttribute('src')
+            var rewrittenImgSrc = toProxyUrl(imgSrc)
+            if (rewrittenImgSrc !== imgSrc) {
+              element.setAttribute('src', rewrittenImgSrc)
+            }
+          }
+          if (typeof element.querySelectorAll === 'function') {
+            element.querySelectorAll('a[href], form[action], script[src], link[href], img[src]').forEach(rewriteElement)
+          }
+        }
+        if (typeof window.fetch === 'function') {
+          var originalFetch = window.fetch.bind(window)
+          window.fetch = function (input, init) {
+            return originalFetch(toProxyUrl(input), init)
+          }
+        }
+        if (window.XMLHttpRequest && window.XMLHttpRequest.prototype) {
+          var originalOpen = window.XMLHttpRequest.prototype.open
+          window.XMLHttpRequest.prototype.open = function (method, url) {
+            var rewrittenUrl = toProxyUrl(url)
+            return originalOpen.apply(this, [method, rewrittenUrl].concat(Array.prototype.slice.call(arguments, 2)))
+          }
+        }
+        if (window.open) {
+          var originalOpenWindow = window.open.bind(window)
+          window.open = function (url) {
+            return originalOpenWindow(toProxyUrl(url), arguments[1], arguments[2])
+          }
+        }
+        if (window.location && typeof window.location.assign === 'function') {
+          var originalAssign = window.location.assign.bind(window.location)
+          window.location.assign = function (url) {
+            return originalAssign(toProxyUrl(url))
+          }
+        }
+        if (window.location && typeof window.location.replace === 'function') {
+          var originalReplace = window.location.replace.bind(window.location)
+          window.location.replace = function (url) {
+            return originalReplace(toProxyUrl(url))
+          }
+        }
+        if (window.HTMLFormElement && window.HTMLFormElement.prototype) {
+          var originalSubmit = window.HTMLFormElement.prototype.submit
+          window.HTMLFormElement.prototype.submit = function () {
+            if (this.action) {
+              this.action = toProxyUrl(this.action)
+            }
+            return originalSubmit.apply(this, arguments)
+          }
+        }
+        document.addEventListener('click', function (event) {
+          var target = event.target instanceof Element ? event.target.closest('a[href]') : null
+          if (!target) {
+            return
+          }
+          var href = target.getAttribute('href')
+          var rewritten = toProxyUrl(href)
+          if (rewritten !== href) {
+            event.preventDefault()
+            window.location.href = rewritten
+          }
+        }, true)
+        document.addEventListener('submit', function (event) {
+          var form = event.target instanceof HTMLFormElement ? event.target : null
+          if (!form || !form.action) {
+            return
+          }
+          var rewritten = toProxyUrl(form.action)
+          if (rewritten !== form.action) {
+            event.preventDefault()
+            form.action = rewritten
+            form.submit()
+          }
+        }, true)
+        var originalAppendChild = Node.prototype.appendChild
+        Node.prototype.appendChild = function (node) {
+          rewriteElement(node)
+          return originalAppendChild.call(this, node)
+        }
+        var originalInsertBefore = Node.prototype.insertBefore
+        Node.prototype.insertBefore = function (node, referenceNode) {
+          rewriteElement(node)
+          return originalInsertBefore.call(this, node, referenceNode)
+        }
+        if (document.body) {
+          rewriteElement(document.body)
+        }
+        if (window.MutationObserver) {
+          var observer = new MutationObserver(function (mutations) {
+            mutations.forEach(function (mutation) {
+              mutation.addedNodes.forEach(rewriteElement)
+            })
+          })
+          observer.observe(document.documentElement, { childList: true, subtree: true })
+        }
+      })()
+    </script>
+    <script defer="defer" src="${escapeHtmlAttribute(mainJs)}"></script>
+    <link href="${escapeHtmlAttribute(mainCss)}" rel="stylesheet" />
+  </head>
+  <body>
+    <noscript>你需要启用 JavaScript 才能继续。</noscript>
+    <div id="root"></div>
+  </body>
+</html>
+`;
+}
+var AUTH_INDEX_HTML = createAuthIndexHtml();
+// src/core/oauth-state.ts
+import { Buffer as Buffer2 } from "buffer";
+import crypto2 from "crypto";
+var STATE_EXPIRY_SECONDS = 600;
+var STATE_SECRET = process.env.NEXTAUTH_SECRET || process.env.CASDOOR_CLIENT_SECRET || "dev-state-secret";
+var pkceCookiePrefix = "pkce_code_verifier";
+function signStatePayload(payload) {
+  const body = Buffer2.from(JSON.stringify(payload)).toString("base64url");
+  const signature = crypto2.createHmac("sha256", STATE_SECRET).update(body).digest("base64url");
+  return `${body}.${signature}`;
+}
+function decodeStatePayload(state) {
+  const [body, signature] = state.split(".");
+  if (!body || !signature) {
+    return null;
+  }
+  const expectedSignature = crypto2.createHmac("sha256", STATE_SECRET).update(body).digest("base64url");
+  if (expectedSignature.length !== signature.length || !crypto2.timingSafeEqual(Buffer2.from(expectedSignature), Buffer2.from(signature))) {
+    return null;
+  }
+  try {
+    return JSON.parse(Buffer2.from(body, "base64url").toString("utf8"));
+  } catch {
+    return null;
+  }
+}
+function generateStateToken() {
+  return signStatePayload({
+    nonce: crypto2.randomUUID(),
+    issuedAt: Date.now()
+  });
+}
+function getPkceCookieName(state) {
+  const digest = crypto2.createHash("sha256").update(state).digest("base64url");
+  return `${pkceCookiePrefix}.${digest}`;
+}
+async function verifyState(stateFromUrl) {
+  const payload = decodeStatePayload(stateFromUrl);
+  if (!payload) {
+    return false;
+  }
+  return Date.now() - payload.issuedAt <= STATE_EXPIRY_SECONDS * 1e3;
+}
+function parseStateToken(token) {
+  if (!token) return null;
+  return decodeStatePayload(token);
+}
+function verifyStateToken(token) {
+  if (!token) return false;
+  return Boolean(decodeStatePayload(token));
+}
+// src/core/session-token.ts
+import { Buffer as Buffer3 } from "buffer";
+import crypto3 from "crypto";
+var DEFAULT_MAX_AGE = 30 * 24 * 60 * 60;
+function base64UrlEncode(value) {
+  return Buffer3.from(value, "utf8").toString("base64url");
+}
+function base64UrlDecode(value) {
+  return Buffer3.from(value, "base64url").toString("utf8");
+}
+function createSignature(input, secret) {
+  return crypto3.createHmac("sha256", secret).update(input).digest("base64url");
+}
+function timingSafeEqual(left, right) {
+  const leftBuffer = Buffer3.from(left);
+  const rightBuffer = Buffer3.from(right);
+  if (leftBuffer.length !== rightBuffer.length) {
+    return false;
+  }
+  return crypto3.timingSafeEqual(leftBuffer, rightBuffer);
+}
+async function encodeSessionToken(params) {
+  const { token = {}, secret, maxAge = DEFAULT_MAX_AGE } = params;
+  const issuedAt = Math.floor(Date.now() / 1e3);
+  const header = base64UrlEncode(JSON.stringify({ alg: "HS256", typ: "JWT" }));
+  const payload = base64UrlEncode(
+    JSON.stringify({
+      ...token,
+      iat: issuedAt,
+      exp: issuedAt + maxAge,
+      jti: crypto3.randomUUID()
+    })
+  );
+  const signature = createSignature(`${header}.${payload}`, secret);
+  return `${header}.${payload}.${signature}`;
+}
+async function decodeSessionToken(params) {
+  const { token, secret } = params;
+  if (!token) {
+    return null;
+  }
+  const [header, payload, signature] = token.split(".");
+  if (!header || !payload || !signature) {
+    return null;
+  }
+  const expectedSignature = createSignature(`${header}.${payload}`, secret);
+  if (!timingSafeEqual(signature, expectedSignature)) {
+    return null;
+  }
+  try {
+    const parsedPayload = JSON.parse(base64UrlDecode(payload));
+    if (parsedPayload.exp && parsedPayload.exp <= Math.floor(Date.now() / 1e3)) {
+      return null;
+    }
+    return parsedPayload;
+  } catch {
+    return null;
+  }
+}
+// src/casdoor/config.ts
+function getCasdoorConfig(config) {
+  return normalizeAuthKitConfig(config);
+}
+function getCasdoorAuthorizeUrl(config, params) {
+  const base = new URL(config.casdoor.signinPath ?? "/login/oauth/authorize", config.casdoor.serverUrl);
+  base.searchParams.set("response_type", "code");
+  base.searchParams.set("client_id", config.casdoor.clientId);
+  base.searchParams.set("redirect_uri", params.redirectUri);
+  base.searchParams.set("scope", "profile");
+  base.searchParams.set("state", params.state);
+  base.searchParams.set("code_challenge", params.codeChallenge);
+  base.searchParams.set("code_challenge_method", "S256");
+  if (params.kind === "signup") {
+    base.searchParams.set("action", "signup");
+  }
+  return base.toString();
+}
+function getCasdoorTokenUrl(config) {
+  return new URL("/api/login/oauth/access_token", config.casdoor.serverUrl).toString();
+}
+function getCasdoorUserInfoUrl(config) {
+  return new URL("/api/userinfo", config.casdoor.serverUrl).toString();
+}
+// src/casdoor/oauth.ts
+import { Buffer as Buffer4 } from "buffer";
+function decodeJwtPayload(token) {
+  const parts = token.split(".");
+  if (parts.length < 2) {
+    return null;
+  }
+  try {
+    const payload = parts[1];
+    return JSON.parse(Buffer4.from(payload, "base64url").toString("utf8"));
+  } catch {
+    return null;
+  }
+}
+async function exchangeCodeForToken(config, code, redirectUri, codeVerifier) {
+  const response = await fetch(getCasdoorTokenUrl(config), {
+    method: "POST",
+    headers: { "content-type": "application/json" },
+    body: JSON.stringify({
+      grant_type: "authorization_code",
+      client_id: config.casdoor.clientId,
+      client_secret: config.casdoor.clientSecret,
+      code,
+      redirect_uri: redirectUri,
+      code_verifier: codeVerifier
+    })
+  });
+  if (!response.ok) {
+    throw new Error("Failed to exchange Casdoor authorization code.");
+  }
+  return await response.json();
+}
+async function fetchCasdoorUserInfo(config, accessToken) {
+  const response = await fetch(getCasdoorUserInfoUrl(config), {
+    headers: {
+      authorization: "Bearer " + accessToken
+    }
+  });
+  if (!response.ok) {
+    throw new Error("Failed to fetch Casdoor user profile.");
+  }
+  return await response.json();
+}
+function decodeCasdoorAccessToken(accessToken) {
+  return decodeJwtPayload(accessToken);
+}
+var exchangeCasdoorOAuthToken = exchangeCodeForToken;
+// src/casdoor/entry.ts
+import { NextResponse } from "next/server";
+// src/core/pkce.ts
+var chars = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-._~";
+function toBase64Url(bytes) {
+  const raw = Buffer.from(bytes).toString("base64");
+  return raw.replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/g, "");
+}
+async function createPkcePair() {
+  const bytes = crypto.getRandomValues(new Uint8Array(48));
+  const verifier = Array.from(bytes, (byte) => chars[byte % chars.length]).join("");
+  const digest = await crypto.subtle.digest("SHA-256", new TextEncoder().encode(verifier));
+  return { verifier, challenge: toBase64Url(digest) };
+}
+// src/casdoor/entry.ts
+function buildLocalAuthorizeUrl(origin, config, params) {
+  const normalized = normalizeAuthKitConfig(config);
+  const authorizePath = params.kind === "signup" ? "/signup/oauth/authorize" : normalized.casdoor.signinPath || "/login/oauth/authorize";
+  const authorizeUrl = new URL(authorizePath, origin);
+  authorizeUrl.searchParams.set("response_type", "code");
+  authorizeUrl.searchParams.set("client_id", normalized.casdoor.clientId);
+  authorizeUrl.searchParams.set("redirect_uri", `${origin}${normalized.casdoor.redirectPath || "/callback"}`);
+  authorizeUrl.searchParams.set("scope", "profile");
+  authorizeUrl.searchParams.set("state", params.state);
+  authorizeUrl.searchParams.set("code_challenge", params.codeChallenge);
+  authorizeUrl.searchParams.set("code_challenge_method", "S256");
+  return authorizeUrl.toString();
+}
+async function createRedirectEntryResponse(request, config, kind) {
+  const normalized = normalizeAuthKitConfig(config);
+  const origin = getRequestOrigin(request, normalized.appUrl);
+  const secure = normalized.cookie?.secure === "auto" ? isSecureRequest(request, normalized.appUrl) : Boolean(normalized.cookie?.secure);
+  const { verifier, challenge } = await createPkcePair();
+  const state = generateStateToken();
+  const response = NextResponse.redirect(
+    buildLocalAuthorizeUrl(origin, normalized, { state, codeChallenge: challenge, kind }),
+    307
+  );
+  const redirectTarget = getAuthRedirectTarget(request);
+  if (redirectTarget) {
+    setAuthRedirectCookie(response, redirectTarget, secure);
+  }
+  setPublicOriginCookie(response, origin, secure);
+  response.cookies.set("oauth_state", state, { httpOnly: true, sameSite: "lax", secure, path: "/" });
+  response.cookies.set(getPkceCookieName(state), verifier, { httpOnly: true, sameSite: "lax", secure, path: "/" });
+  return response;
+}
+async function createAuthorizePageResponse(request, config) {
+  const normalized = normalizeAuthKitConfig(config);
+  const origin = getRequestOrigin(request, normalized.appUrl);
+  const secure = normalized.cookie?.secure === "auto" ? isSecureRequest(request, normalized.appUrl) : Boolean(normalized.cookie?.secure);
+  const response = new NextResponse(
+    createAuthIndexHtml({
+      appName: normalized.casdoor.appName,
+      organizationName: normalized.casdoor.organizationName,
+      staticOrigin: process.env.NEXT_PUBLIC_CASDOOR_STATIC_ORIGIN,
+      casdoorOrigin: normalized.casdoor.serverUrl,
+      apiProxyPrefix: "/auth/"
+    }),
+    {
+      status: 200,
+      headers: {
+        "content-type": "text/html; charset=utf-8",
+        "cache-control": "no-store, max-age=0"
+      }
+    }
+  );
+  setPublicOriginCookie(response, origin, secure);
+  return response;
+}
+async function createLoginEntryResponse(request, config) {
+  return createRedirectEntryResponse(request, config, "login");
+}
+async function createSignupEntryResponse(request, config) {
+  return createRedirectEntryResponse(request, config, "signup");
+}
+async function createAuthorizeEntryResponse(request, config) {
+  return createAuthorizePageResponse(request, config);
+}
+// src/casdoor/callback.ts
+import { NextResponse as NextResponse2 } from "next/server";
+function readCookieHeaderValue(cookieHeader, name) {
+  if (!cookieHeader) {
+    return null;
+  }
+  for (const entry of cookieHeader.split(";")) {
+    const [rawName, ...valueParts] = entry.trim().split("=");
+    if (rawName === name) {
+      const value = valueParts.join("=").trim();
+      return value || null;
+    }
+  }
+  return null;
+}
+function getPublicOrigin(request, config) {
+  return getStoredPublicOrigin(request) || getRequestOrigin(request, config.appUrl);
+}
+function rewriteToCallbackErrorPage(request, config, title, message, details) {
+  const origin = getPublicOrigin(request, config);
+  const targetUrl = new URL("/callback/error", origin);
+  targetUrl.searchParams.set("title", title);
+  targetUrl.searchParams.set("message", message);
+  if (details) {
+    targetUrl.searchParams.set("details", details);
+  }
+  return NextResponse2.redirect(targetUrl, 307);
+}
+function getPkceCodeVerifier(request, state) {
+  return readCookieHeaderValue(request.headers.get("cookie"), getPkceCookieName(state));
+}
+function setNextAuthSessionCookies(response, sessionToken, isSecure) {
+  const cookieName = isSecure ? "__Secure-next-auth.session-token" : "next-auth.session-token";
+  const expires = new Date(Date.now() + 30 * 24 * 60 * 60 * 1e3);
+  const baseOptions = {
+    path: "/",
+    httpOnly: true,
+    sameSite: "lax",
+    secure: isSecure,
+    expires
+  };
+  const maxCookieSize = 3933;
+  if (sessionToken.length <= maxCookieSize) {
+    response.cookies.set(cookieName, sessionToken, baseOptions);
+    return;
+  }
+  const chunkCount = Math.ceil(sessionToken.length / maxCookieSize);
+  for (let index = 0; index < chunkCount; index++) {
+    response.cookies.set(
+      `${cookieName}.${index}`,
+      sessionToken.slice(index * maxCookieSize, (index + 1) * maxCookieSize),
+      baseOptions
+    );
+  }
+}
+function sanitizeRedirectPath(value) {
+  if (!value || !value.startsWith("/") || value.startsWith("//")) {
+    return "/user/account";
+  }
+  return value;
+}
+function mapProfileToAuthUser(profile, adapter) {
+  const typedProfile = profile;
+  const email = typedProfile.email || null;
+  const isAdmin = Boolean(typedProfile.isAdmin) || Boolean(adapter?.isAdminEmail?.(email)) || isGlobalAdminEmail(email);
+  return {
+    id: typedProfile.sub || typedProfile.id || typedProfile.email || "casdoor-user",
+    name: typedProfile.name || typedProfile.displayName || null,
+    email,
+    image: typedProfile.picture || typedProfile.avatarUrl || null,
+    isAdmin,
+    tokenBalance: 2580,
+    isVip: true
+  };
+}
+function getRedirectTarget(request, user, adapter) {
+  const adapterRedirect = adapter?.resolvePostLoginRedirect?.(user);
+  if (adapterRedirect) {
+    return sanitizeRedirectPath(adapterRedirect);
+  }
+  const storedRedirect = getAuthRedirectTarget(request);
+  if (storedRedirect) {
+    return sanitizeRedirectPath(storedRedirect);
+  }
+  return sanitizeRedirectPath(resolvePostLoginRedirect(user, "/user/account"));
+}
+async function createCallbackResponse(request, options) {
+  const normalized = normalizeAuthKitConfig(options.config);
+  const publicOrigin = getPublicOrigin(request, normalized);
+  const url = new URL(request.url);
+  const code = url.searchParams.get("code");
+  const state = url.searchParams.get("state");
+  const error = url.searchParams.get("error");
+  const secure = normalized.cookie?.secure === "auto" ? isSecureRequest(request, normalized.appUrl) : Boolean(normalized.cookie?.secure);
+  if (error) {
+    return rewriteToCallbackErrorPage(
+      request,
+      normalized,
+      "Casdoor \u8FD4\u56DE\u4E86\u6388\u6743\u9519\u8BEF",
+      "\u6388\u6743\u670D\u52A1\u5668\u5728\u56DE\u8C03\u9636\u6BB5\u8FD4\u56DE\u4E86\u9519\u8BEF\u4FE1\u606F\u3002\u8BF7\u8FD4\u56DE\u9996\u9875\u6216\u91CD\u65B0\u767B\u5F55\u540E\u518D\u8BD5\u3002",
+      error
+    );
+  }
+  if (!code) {
+    return rewriteToCallbackErrorPage(
+      request,
+      normalized,
+      "\u7F3A\u5C11\u6388\u6743\u7801",
+      "Casdoor \u56DE\u8C03\u6CA1\u6709\u5E26\u56DE code\uFF0C\u8FD9\u901A\u5E38\u610F\u5473\u7740\u6388\u6743\u6D41\u7A0B\u672A\u5B8C\u6210\u3002",
+      "no_code"
+    );
+  }
+  if (!state || !await verifyState(state)) {
+    return rewriteToCallbackErrorPage(
+      request,
+      normalized,
+      "\u767B\u5F55\u72B6\u6001\u6821\u9A8C\u5931\u8D25",
+      "\u56DE\u8C03\u4E2D\u7684 state \u4E0E\u672C\u6B21\u767B\u5F55\u6D41\u7A0B\u4E0D\u5339\u914D\uFF0C\u8BF7\u91CD\u65B0\u53D1\u8D77\u767B\u5F55\u3002",
+      "invalid_state"
+    );
+  }
+  const codeVerifier = getPkceCodeVerifier(request, state);
+  if (!codeVerifier) {
+    return rewriteToCallbackErrorPage(
+      request,
+      normalized,
+      "\u7F3A\u5C11 PKCE \u6821\u9A8C\u503C",
+      "\u56DE\u8C03\u8BF7\u6C42\u91CC\u6CA1\u6709\u627E\u5230 pkce_code_verifier cookie\u3002\u8BF7\u91CD\u65B0\u4ECE\u767B\u5F55\u5165\u53E3\u53D1\u8D77\u6D41\u7A0B\u3002",
+      "missing_pkce_code_verifier"
+    );
+  }
+  const casdoorConfig = getCasdoorConfig(normalized);
+  const redirectUri = `${publicOrigin}${casdoorConfig.casdoor.redirectPath}`;
+  const tokens = await exchangeCasdoorOAuthToken(casdoorConfig, code, redirectUri, codeVerifier);
+  const accessToken = tokens.access_token ?? tokens.accessToken ?? "";
+  if (!accessToken) {
+    return rewriteToCallbackErrorPage(
+      request,
+      normalized,
+      "\u7F3A\u5C11\u8BBF\u95EE\u4EE4\u724C",
+      "Casdoor \u56DE\u8C03\u6CA1\u6709\u8FD4\u56DE access token\u3002",
+      "missing_access_token"
+    );
+  }
+  const profile = await fetchCasdoorUserInfo(casdoorConfig, accessToken);
+  const decodedAccessToken = decodeCasdoorAccessToken(accessToken);
+  const mappedUser = options.adapter?.onUserSync ? await options.adapter.onUserSync(profile, {
+    accessToken,
+    refreshToken: tokens.refresh_token || tokens.refreshToken,
+    idToken: tokens.id_token || tokens.idToken,
+    expiresAt: tokens.expires_in ? Date.now() + tokens.expires_in * 1e3 : tokens.expiresAt
+  }) : mapProfileToAuthUser(profile, options.adapter);
+  if (options.persistence?.syncAuthUser) {
+    await options.persistence.syncAuthUser(mappedUser);
+  }
+  const sessionToken = await encodeSessionToken({
+    token: {
+      id: mappedUser.id,
+      sub: mappedUser.id,
+      userId: mappedUser.id,
+      name: mappedUser.name,
+      email: mappedUser.email,
+      picture: mappedUser.image,
+      accessToken,
+      expiresAt: tokens.expires_in ? Date.now() + tokens.expires_in * 1e3 : decodedAccessToken?.exp,
+      isAdmin: mappedUser.isAdmin,
+      tokenBalance: mappedUser.tokenBalance,
+      isVip: mappedUser.isVip
+    },
+    secret: normalized.nextauthSecret,
+    maxAge: normalized.session?.maxAgeSeconds
+  });
+  const response = NextResponse2.redirect(new URL(getRedirectTarget(request, mappedUser, options.adapter), publicOrigin));
+  setNextAuthSessionCookies(response, sessionToken, secure);
+  response.cookies.set(getPkceCookieName(state), "", {
+    path: "/",
+    httpOnly: true,
+    sameSite: "lax",
+    secure,
+    maxAge: 0
+  });
+  response.cookies.set("oauth_state", "", {
+    path: "/",
+    httpOnly: true,
+    sameSite: "lax",
+    secure,
+    maxAge: 0
+  });
+  clearAuthRedirectCookie(response, secure);
+  clearPublicOriginCookie(response, secure);
+  return response;
+}
+function createCallbackHandler(options) {
+  return async function GET(request) {
+    return createCallbackResponse(request, options);
+  };
+}
+export {
+  normalizeAuthKitConfig,
+  PUBLIC_ORIGIN_COOKIE_NAME,
+  getRequestOrigin,
+  setPublicOriginCookie,
+  clearPublicOriginCookie,
+  getStoredPublicOrigin,
+  isSecureRequest,
+  AUTH_REDIRECT_COOKIE_NAME,
+  getAuthRedirectTarget,
+  setAuthRedirectCookie,
+  clearAuthRedirectCookie,
+  getGlobalAdminEmails,
+  isGlobalAdminEmail,
+  createAuthIndexHtml,
+  AUTH_INDEX_HTML,
+  pkceCookiePrefix,
+  generateStateToken,
+  getPkceCookieName,
+  verifyState,
+  parseStateToken,
+  verifyStateToken,
+  encodeSessionToken,
+  decodeSessionToken,
+  getCasdoorConfig,
+  getCasdoorAuthorizeUrl,
+  getCasdoorTokenUrl,
+  getCasdoorUserInfoUrl,
+  exchangeCodeForToken,
+  fetchCasdoorUserInfo,
+  decodeCasdoorAccessToken,
+  exchangeCasdoorOAuthToken,
+  createLoginEntryResponse,
+  createSignupEntryResponse,
+  createAuthorizeEntryResponse,
+  createCallbackResponse,
+  createCallbackHandler
+};
+//# sourceMappingURL=chunk-IQEVUR77.js.map