@frequencyads/auth 0.1.0

package/dist/index.js

@@ -0,0 +1,1006 @@
+'use client';
+"use strict";
+var __defProp = Object.defineProperty;
+var __defProps = Object.defineProperties;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropDescs = Object.getOwnPropertyDescriptors;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __getOwnPropSymbols = Object.getOwnPropertySymbols;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __propIsEnum = Object.prototype.propertyIsEnumerable;
+var __defNormalProp = (obj, key, value) => key in obj ? __defProp(obj, key, { enumerable: true, configurable: true, writable: true, value }) : obj[key] = value;
+var __spreadValues = (a, b) => {
+  for (var prop in b || (b = {}))
+    if (__hasOwnProp.call(b, prop))
+      __defNormalProp(a, prop, b[prop]);
+  if (__getOwnPropSymbols)
+    for (var prop of __getOwnPropSymbols(b)) {
+      if (__propIsEnum.call(b, prop))
+        __defNormalProp(a, prop, b[prop]);
+    }
+  return a;
+};
+var __spreadProps = (a, b) => __defProps(a, __getOwnPropDescs(b));
+var __objRest = (source, exclude) => {
+  var target = {};
+  for (var prop in source)
+    if (__hasOwnProp.call(source, prop) && exclude.indexOf(prop) < 0)
+      target[prop] = source[prop];
+  if (source != null && __getOwnPropSymbols)
+    for (var prop of __getOwnPropSymbols(source)) {
+      if (exclude.indexOf(prop) < 0 && __propIsEnum.call(source, prop))
+        target[prop] = source[prop];
+    }
+  return target;
+};
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+
+// src/index.ts
+var src_exports = {};
+__export(src_exports, {
+  AuthProvider: () => AuthProvider,
+  LoginPage: () => LoginPage,
+  ResetPasswordForm: () => ResetPasswordForm,
+  SignOutButton: () => SignOutButton,
+  UserMenu: () => UserMenu,
+  VerifyCodeForm: () => VerifyCodeForm,
+  createAuthMiddleware: () => createAuthMiddleware,
+  defaultMatcher: () => defaultMatcher,
+  getSignOutUrl: () => getSignOutUrl,
+  updateSession: () => updateSession,
+  useAuth: () => useAuth
+});
+module.exports = __toCommonJS(src_exports);
+
+// src/lib/proxy.ts
+var import_ssr = require("@supabase/ssr");
+var import_server = require("next/server");
+var import_config = require("@frequencyads/db/config");
+var import_cookies = require("@frequencyads/db/cookies");
+
+// src/lib/request.ts
+var isDev = process.env.NODE_ENV === "development";
+function getRequestOrigin(request) {
+  var _a;
+  if (!isDev) {
+    return request.nextUrl.origin;
+  }
+  const host = (_a = request.headers.get("host")) != null ? _a : request.nextUrl.host;
+  return `${request.nextUrl.protocol}//${host}`;
+}
+
+// src/lib/proxy.ts
+async function updateSession(request) {
+  var _a;
+  let supabaseResponse = import_server.NextResponse.next({ request });
+  const hostname = new URL(getRequestOrigin(request)).hostname;
+  const cookieDomain = (0, import_cookies.deriveCookieDomain)(hostname, (0, import_config.getTrustedDomains)());
+  const cookieOptions = cookieDomain ? { domain: cookieDomain } : void 0;
+  const supabase = (0, import_ssr.createServerClient)((0, import_config.getSupabaseUrl)(), (0, import_config.getSupabasePublishableKey)(), {
+    cookieOptions,
+    cookies: {
+      getAll() {
+        return request.cookies.getAll();
+      },
+      setAll(cookiesToSet) {
+        cookiesToSet.forEach(({ name, value }) => request.cookies.set(name, value));
+        supabaseResponse = import_server.NextResponse.next({ request });
+        cookiesToSet.forEach(
+          ({ name, value, options }) => supabaseResponse.cookies.set(name, value, options)
+        );
+      }
+    }
+  });
+  const { data } = await supabase.auth.getClaims();
+  const claims = (_a = data == null ? void 0 : data.claims) != null ? _a : null;
+  return { supabaseResponse, claims };
+}
+
+// src/components/auth-provider.tsx
+var import_react = require("react");
+var import_client = require("@frequencyads/db/client");
+var import_jsx_runtime = require("react/jsx-runtime");
+var Context = (0, import_react.createContext)(void 0);
+function AuthProvider({ children, loginUrl }) {
+  var _a, _b, _c, _d;
+  const [supabase] = (0, import_react.useState)(() => (0, import_client.createBrowserClient)());
+  const [user, setUser] = (0, import_react.useState)(null);
+  const [loading, setLoading] = (0, import_react.useState)(true);
+  const userIdRef = (0, import_react.useRef)(null);
+  const setUserStable = (0, import_react.useCallback)((newUser) => {
+    var _a2;
+    const newId = (_a2 = newUser == null ? void 0 : newUser.id) != null ? _a2 : null;
+    if (newId !== userIdRef.current) {
+      userIdRef.current = newId;
+      setUser(newUser);
+    }
+  }, []);
+  (0, import_react.useEffect)(() => {
+    if (!supabase) {
+      setLoading(false);
+      return;
+    }
+    const {
+      data: { subscription }
+    } = supabase.auth.onAuthStateChange((_event, session) => {
+      var _a2;
+      setUserStable((_a2 = session == null ? void 0 : session.user) != null ? _a2 : null);
+      setLoading(false);
+    });
+    async function checkSession() {
+      const {
+        data: { session }
+      } = await supabase.auth.getSession();
+      if (!session) {
+        await supabase.auth.signOut({ scope: "local" });
+      }
+    }
+    const POLL_MS = 3e4;
+    const interval = setInterval(checkSession, POLL_MS);
+    const handleVisibilityChange = () => {
+      if (document.visibilityState === "visible") {
+        checkSession();
+      }
+    };
+    document.addEventListener("visibilitychange", handleVisibilityChange);
+    return () => {
+      subscription.unsubscribe();
+      clearInterval(interval);
+      document.removeEventListener("visibilitychange", handleVisibilityChange);
+    };
+  }, [supabase]);
+  (0, import_react.useEffect)(() => {
+    if (loading || user) return;
+    const url = loginUrl != null ? loginUrl : `${process.env.NEXT_PUBLIC_ACCOUNTS_URL}/login`;
+    if (url) {
+      window.location.href = `${url}?next=${encodeURIComponent(window.location.href)}`;
+    }
+  }, [loading, user, loginUrl]);
+  const profile = {
+    name: (_b = (_a = user == null ? void 0 : user.user_metadata) == null ? void 0 : _a.full_name) != null ? _b : "\u2014",
+    email: (_c = user == null ? void 0 : user.email) != null ? _c : "",
+    avatarUrl: (_d = user == null ? void 0 : user.user_metadata) == null ? void 0 : _d.avatar_url
+  };
+  if (loading || !user) return null;
+  return /* @__PURE__ */ (0, import_jsx_runtime.jsx)(Context.Provider, { value: { supabase, user, profile, loading }, children });
+}
+function useAuth() {
+  const context = (0, import_react.useContext)(Context);
+  if (context === void 0) {
+    throw new Error("useAuth must be used within an AuthProvider");
+  }
+  return context;
+}
+
+// src/components/login/index.tsx
+var import_react4 = require("react");
+var import_core3 = require("@mantine/core");
+var import_icons_react = require("@tabler/icons-react");
+
+// src/components/login/email-password-form.tsx
+var import_react2 = require("react");
+var import_core = require("@mantine/core");
+var import_client2 = require("@frequencyads/db/client");
+var import_jsx_runtime2 = require("react/jsx-runtime");
+function EmailPasswordForm({
+  isPending,
+  startTransition,
+  onVerifyNeeded,
+  onResetRequest,
+  onSuccess
+}) {
+  const supabase = (0, import_client2.createBrowserClient)();
+  const [step, setStep] = (0, import_react2.useState)("email");
+  const [mode, setMode] = (0, import_react2.useState)("signin");
+  const [email, setEmail] = (0, import_react2.useState)("");
+  const [password, setPassword] = (0, import_react2.useState)("");
+  const [confirmPassword, setConfirmPassword] = (0, import_react2.useState)("");
+  const [firstName, setFirstName] = (0, import_react2.useState)("");
+  const [lastName, setLastName] = (0, import_react2.useState)("");
+  const [error, setError] = (0, import_react2.useState)(null);
+  const goBack = () => {
+    setStep("email");
+    setPassword("");
+    setConfirmPassword("");
+    setError(null);
+  };
+  const toggleMode = () => {
+    setMode((m) => m === "signin" ? "signup" : "signin");
+    setStep("email");
+    setPassword("");
+    setConfirmPassword("");
+    setFirstName("");
+    setLastName("");
+    setError(null);
+  };
+  const validateEmail = () => {
+    const trimmed = email.trim();
+    if (!trimmed) {
+      setError("Email is required.");
+      return false;
+    }
+    if (!/^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(trimmed)) {
+      setError("Please enter a valid email address.");
+      return false;
+    }
+    return true;
+  };
+  const handleContinue = (e) => {
+    e.preventDefault();
+    setError(null);
+    if (validateEmail()) {
+      setStep("credentials");
+    }
+  };
+  const handleSignIn = (e) => {
+    e.preventDefault();
+    setError(null);
+    if (!validateEmail()) return;
+    if (!password.trim()) {
+      setError("Password is required.");
+      return;
+    }
+    startTransition(async () => {
+      const { error: signInError } = await supabase.auth.signInWithPassword({
+        email: email.trim(),
+        password: password.trim()
+      });
+      if (signInError) {
+        if (signInError.message === "Email not confirmed") {
+          onVerifyNeeded == null ? void 0 : onVerifyNeeded(email);
+        } else {
+          setError(signInError.message);
+        }
+      } else {
+        onSuccess == null ? void 0 : onSuccess();
+      }
+    });
+  };
+  const handleSignUp = (e) => {
+    e.preventDefault();
+    setError(null);
+    if (!firstName.trim()) {
+      setError("First name is required.");
+      return;
+    }
+    if (!lastName.trim()) {
+      setError("Last name is required.");
+      return;
+    }
+    if (!password.trim()) {
+      setError("Password is required.");
+      return;
+    }
+    if (password.trim().length < 8) {
+      setError("Password must be at least 8 characters.");
+      return;
+    }
+    const trimmedPassword = password.trim();
+    if (trimmedPassword !== confirmPassword.trim()) {
+      setError("Passwords do not match.");
+      return;
+    }
+    startTransition(async () => {
+      const fullName = `${firstName.trim()} ${lastName.trim()}`;
+      const { data: signUpData, error: signUpError } = await supabase.auth.signUp({
+        email: email.trim(),
+        password: trimmedPassword,
+        options: {
+          data: {
+            name: fullName,
+            full_name: fullName,
+            first_name: firstName.trim(),
+            last_name: lastName.trim()
+          }
+        }
+      });
+      if (signUpError) {
+        setError(signUpError.message);
+      } else if (signUpData.session) {
+        onSuccess == null ? void 0 : onSuccess();
+      } else {
+        onVerifyNeeded == null ? void 0 : onVerifyNeeded(email);
+      }
+    });
+  };
+  if (mode === "signin") {
+    return /* @__PURE__ */ (0, import_jsx_runtime2.jsx)("form", { onSubmit: handleSignIn, children: /* @__PURE__ */ (0, import_jsx_runtime2.jsxs)(import_core.Stack, { children: [
+      /* @__PURE__ */ (0, import_jsx_runtime2.jsx)(
+        import_core.TextInput,
+        {
+          label: "Email",
+          placeholder: "you@frequency.media",
+          type: "email",
+          value: email,
+          onChange: (e) => setEmail(e.currentTarget.value),
+          disabled: isPending,
+          required: true
+        }
+      ),
+      /* @__PURE__ */ (0, import_jsx_runtime2.jsx)(
+        import_core.PasswordInput,
+        {
+          label: "Password",
+          placeholder: "Your password",
+          value: password,
+          onChange: (e) => setPassword(e.currentTarget.value),
+          disabled: isPending,
+          required: true
+        }
+      ),
+      error && /* @__PURE__ */ (0, import_jsx_runtime2.jsx)(import_core.Text, { size: "sm", c: "red", children: error }),
+      /* @__PURE__ */ (0, import_jsx_runtime2.jsx)(import_core.Button, { fullWidth: true, size: "md", type: "submit", loading: isPending, children: "Sign in" }),
+      /* @__PURE__ */ (0, import_jsx_runtime2.jsxs)(import_core.Group, { justify: "space-between", children: [
+        /* @__PURE__ */ (0, import_jsx_runtime2.jsx)(
+          import_core.Anchor,
+          {
+            component: "button",
+            type: "button",
+            size: "sm",
+            onClick: toggleMode,
+            disabled: isPending,
+            children: "Don't have an account?"
+          }
+        ),
+        onResetRequest && /* @__PURE__ */ (0, import_jsx_runtime2.jsx)(
+          import_core.Anchor,
+          {
+            component: "button",
+            type: "button",
+            size: "sm",
+            onClick: onResetRequest,
+            disabled: isPending,
+            children: "Forgot password?"
+          }
+        )
+      ] })
+    ] }) });
+  }
+  if (step === "email") {
+    return /* @__PURE__ */ (0, import_jsx_runtime2.jsx)("form", { onSubmit: handleContinue, children: /* @__PURE__ */ (0, import_jsx_runtime2.jsxs)(import_core.Stack, { children: [
+      /* @__PURE__ */ (0, import_jsx_runtime2.jsx)(
+        import_core.TextInput,
+        {
+          label: "Email",
+          placeholder: "you@frequency.media",
+          type: "email",
+          value: email,
+          onChange: (e) => setEmail(e.currentTarget.value),
+          required: true
+        }
+      ),
+      error && /* @__PURE__ */ (0, import_jsx_runtime2.jsx)(import_core.Text, { size: "sm", c: "red", children: error }),
+      /* @__PURE__ */ (0, import_jsx_runtime2.jsx)(import_core.Button, { fullWidth: true, size: "md", type: "submit", children: "Continue" }),
+      /* @__PURE__ */ (0, import_jsx_runtime2.jsx)(import_core.Anchor, { component: "button", type: "button", size: "sm", onClick: toggleMode, children: "Already have an account?" })
+    ] }) });
+  }
+  return /* @__PURE__ */ (0, import_jsx_runtime2.jsx)("form", { onSubmit: handleSignUp, children: /* @__PURE__ */ (0, import_jsx_runtime2.jsxs)(import_core.Stack, { children: [
+    /* @__PURE__ */ (0, import_jsx_runtime2.jsxs)(import_core.Group, { gap: "xs", align: "baseline", children: [
+      /* @__PURE__ */ (0, import_jsx_runtime2.jsx)(import_core.Text, { size: "sm", c: "dimmed", children: email }),
+      /* @__PURE__ */ (0, import_jsx_runtime2.jsx)(import_core.Anchor, { component: "button", type: "button", size: "sm", onClick: goBack, disabled: isPending, children: "Change" })
+    ] }),
+    /* @__PURE__ */ (0, import_jsx_runtime2.jsxs)(import_core.Group, { grow: true, children: [
+      /* @__PURE__ */ (0, import_jsx_runtime2.jsx)(
+        import_core.TextInput,
+        {
+          label: "First name",
+          placeholder: "Jane",
+          value: firstName,
+          onChange: (e) => setFirstName(e.currentTarget.value),
+          disabled: isPending,
+          required: true
+        }
+      ),
+      /* @__PURE__ */ (0, import_jsx_runtime2.jsx)(
+        import_core.TextInput,
+        {
+          label: "Last name",
+          placeholder: "Doe",
+          value: lastName,
+          onChange: (e) => setLastName(e.currentTarget.value),
+          disabled: isPending,
+          required: true
+        }
+      )
+    ] }),
+    /* @__PURE__ */ (0, import_jsx_runtime2.jsx)(
+      import_core.PasswordInput,
+      {
+        label: "Password",
+        placeholder: "At least 8 characters",
+        value: password,
+        onChange: (e) => setPassword(e.currentTarget.value),
+        disabled: isPending,
+        required: true
+      }
+    ),
+    /* @__PURE__ */ (0, import_jsx_runtime2.jsx)(
+      import_core.PasswordInput,
+      {
+        label: "Confirm password",
+        placeholder: "Repeat your password",
+        value: confirmPassword,
+        onChange: (e) => setConfirmPassword(e.currentTarget.value),
+        disabled: isPending,
+        required: true
+      }
+    ),
+    error && /* @__PURE__ */ (0, import_jsx_runtime2.jsx)(import_core.Text, { size: "sm", c: "red", children: error }),
+    /* @__PURE__ */ (0, import_jsx_runtime2.jsx)(import_core.Button, { fullWidth: true, size: "md", type: "submit", loading: isPending, children: "Create account" }),
+    /* @__PURE__ */ (0, import_jsx_runtime2.jsx)(
+      import_core.Anchor,
+      {
+        component: "button",
+        type: "button",
+        size: "sm",
+        onClick: toggleMode,
+        disabled: isPending,
+        children: "Already have an account?"
+      }
+    )
+  ] }) });
+}
+
+// src/components/login/google-sign-in.tsx
+var import_react3 = require("react");
+var import_core2 = require("@mantine/core");
+var import_client3 = require("@frequencyads/db/client");
+var import_jsx_runtime3 = require("react/jsx-runtime");
+function GoogleIcon() {
+  return /* @__PURE__ */ (0, import_jsx_runtime3.jsxs)("svg", { width: "18", height: "18", viewBox: "0 0 18 18", xmlns: "http://www.w3.org/2000/svg", children: [
+    /* @__PURE__ */ (0, import_jsx_runtime3.jsx)(
+      "path",
+      {
+        d: "M17.64 9.2c0-.637-.057-1.251-.164-1.84H9v3.481h4.844a4.14 4.14 0 0 1-1.796 2.716v2.259h2.908c1.702-1.567 2.684-3.875 2.684-6.615z",
+        fill: "#4285F4"
+      }
+    ),
+    /* @__PURE__ */ (0, import_jsx_runtime3.jsx)(
+      "path",
+      {
+        d: "M9 18c2.43 0 4.467-.806 5.956-2.18l-2.908-2.259c-.806.54-1.837.86-3.048.86-2.344 0-4.328-1.584-5.036-3.711H.957v2.332A8.997 8.997 0 0 0 9 18z",
+        fill: "#34A853"
+      }
+    ),
+    /* @__PURE__ */ (0, import_jsx_runtime3.jsx)(
+      "path",
+      {
+        d: "M3.964 10.71A5.41 5.41 0 0 1 3.682 9c0-.593.102-1.17.282-1.71V4.958H.957A8.997 8.997 0 0 0 0 9c0 1.452.348 2.827.957 4.042l3.007-2.332z",
+        fill: "#FBBC05"
+      }
+    ),
+    /* @__PURE__ */ (0, import_jsx_runtime3.jsx)(
+      "path",
+      {
+        d: "M9 3.58c1.321 0 2.508.454 3.44 1.345l2.582-2.58C13.463.891 11.426 0 9 0A8.997 8.997 0 0 0 .957 4.958L3.964 7.29C4.672 5.163 6.656 3.58 9 3.58z",
+        fill: "#EA4335"
+      }
+    )
+  ] });
+}
+function GoogleSignIn({ redirectTo, isPending }) {
+  const supabase = (0, import_client3.createBrowserClient)();
+  const [loading, setLoading] = (0, import_react3.useState)(false);
+  const handleGoogleLogin = async () => {
+    setLoading(true);
+    await supabase.auth.signInWithOAuth({
+      provider: "google",
+      options: {
+        redirectTo: redirectTo != null ? redirectTo : `${window.location.origin}/auth/callback`,
+        queryParams: { prompt: "select_account" }
+      }
+    });
+  };
+  return /* @__PURE__ */ (0, import_jsx_runtime3.jsx)(
+    import_core2.Button,
+    {
+      type: "button",
+      fullWidth: true,
+      size: "md",
+      variant: "default",
+      leftSection: loading ? /* @__PURE__ */ (0, import_jsx_runtime3.jsx)(import_core2.Loader, { size: 18 }) : /* @__PURE__ */ (0, import_jsx_runtime3.jsx)(GoogleIcon, {}),
+      onClick: handleGoogleLogin,
+      disabled: isPending || loading,
+      styles: {
+        root: {
+          fontWeight: 500,
+          height: 44,
+          backgroundColor: "var(--mantine-color-white)",
+          color: "var(--mantine-color-gray-9)",
+          borderColor: "var(--mantine-color-gray-3)"
+        }
+      },
+      children: "Sign in with Google"
+    }
+  );
+}
+
+// src/components/login/index.tsx
+var import_jsx_runtime4 = require("react/jsx-runtime");
+function LoginPage({
+  title = "Sign in",
+  description = "Authenticate once. Operate everywhere.",
+  info,
+  redirectTo,
+  header,
+  footer,
+  onVerifyNeeded,
+  onResetRequest,
+  onSuccess
+}) {
+  const [isPending, startTransition] = (0, import_react4.useTransition)();
+  return /* @__PURE__ */ (0, import_jsx_runtime4.jsxs)(import_core3.Box, { w: "100%", children: [
+    /* @__PURE__ */ (0, import_jsx_runtime4.jsxs)(import_core3.Box, { maw: 460, children: [
+      header && /* @__PURE__ */ (0, import_jsx_runtime4.jsx)(import_core3.Box, { mb: "lg", ta: "center", children: header }),
+      /* @__PURE__ */ (0, import_jsx_runtime4.jsxs)(import_core3.Title, { order: 3, fw: 600, c: "gray.7", mb: "xs", children: [
+        title,
+        info && /* @__PURE__ */ (0, import_jsx_runtime4.jsxs)(import_core3.Box, { component: "span", style: { whiteSpace: "nowrap" }, children: [
+          "\xA0",
+          /* @__PURE__ */ (0, import_jsx_runtime4.jsxs)(import_core3.HoverCard, { width: 300, shadow: "md", withArrow: true, position: "bottom-start", openDelay: 100, children: [
+            /* @__PURE__ */ (0, import_jsx_runtime4.jsx)(import_core3.HoverCard.Target, { children: /* @__PURE__ */ (0, import_jsx_runtime4.jsx)(
+              import_core3.ActionIcon,
+              {
+                variant: "subtle",
+                color: "gray",
+                size: "sm",
+                display: "inline-flex",
+                style: { verticalAlign: "middle" },
+                children: /* @__PURE__ */ (0, import_jsx_runtime4.jsx)(import_icons_react.IconInfoCircle, { size: 16 })
+              }
+            ) }),
+            /* @__PURE__ */ (0, import_jsx_runtime4.jsx)(import_core3.HoverCard.Dropdown, { children: /* @__PURE__ */ (0, import_jsx_runtime4.jsx)(import_core3.Text, { size: "xs", c: "dimmed", lh: 1.6, children: info }) })
+          ] })
+        ] })
+      ] }),
+      description && /* @__PURE__ */ (0, import_jsx_runtime4.jsx)(import_core3.Text, { size: "sm", c: "gray.6", mb: "lg", children: description }),
+      /* @__PURE__ */ (0, import_jsx_runtime4.jsx)(
+        EmailPasswordForm,
+        {
+          isPending,
+          startTransition,
+          onVerifyNeeded,
+          onResetRequest,
+          onSuccess
+        }
+      ),
+      /* @__PURE__ */ (0, import_jsx_runtime4.jsx)(import_core3.Divider, { my: "lg", label: "or continue with", labelPosition: "center", color: "gray.3" }),
+      /* @__PURE__ */ (0, import_jsx_runtime4.jsx)(GoogleSignIn, { redirectTo, isPending })
+    ] }),
+    footer && /* @__PURE__ */ (0, import_jsx_runtime4.jsxs)(import_jsx_runtime4.Fragment, { children: [
+      /* @__PURE__ */ (0, import_jsx_runtime4.jsx)(import_core3.Divider, { my: "lg", color: "gray.3" }),
+      /* @__PURE__ */ (0, import_jsx_runtime4.jsx)(import_core3.Box, { ta: "left", w: "100%", children: footer })
+    ] })
+  ] });
+}
+
+// src/components/sign-out-button.tsx
+var import_core4 = require("@mantine/core");
+var import_icons_react2 = require("@tabler/icons-react");
+var import_jsx_runtime5 = require("react/jsx-runtime");
+function getSignOutUrl(returnTo) {
+  const accountsUrl = process.env.NEXT_PUBLIC_ACCOUNTS_URL;
+  if (!accountsUrl) return "#";
+  const next = returnTo != null ? returnTo : window.location.origin;
+  return `${accountsUrl}/logout?next=${encodeURIComponent(next)}`;
+}
+function SignOutButton(_a) {
+  var _b = _a, { returnTo } = _b, props = __objRest(_b, ["returnTo"]);
+  var _a2;
+  const handleClick = () => {
+    window.location.href = getSignOutUrl(returnTo);
+  };
+  return /* @__PURE__ */ (0, import_jsx_runtime5.jsx)(
+    import_core4.Button,
+    __spreadProps(__spreadValues({
+      onClick: handleClick,
+      variant: "light",
+      color: "red",
+      leftSection: /* @__PURE__ */ (0, import_jsx_runtime5.jsx)(import_icons_react2.IconLogout, { size: 16 }),
+      w: "fit-content"
+    }, props), {
+      children: (_a2 = props.children) != null ? _a2 : "Sign out"
+    })
+  );
+}
+
+// src/components/user-menu.tsx
+var import_core5 = require("@mantine/core");
+var import_icons_react3 = require("@tabler/icons-react");
+var import_react5 = require("react");
+var import_jsx_runtime6 = require("react/jsx-runtime");
+function UserMenu() {
+  const { user, profile } = useAuth();
+  const [opened, setOpened] = (0, import_react5.useState)(false);
+  if (!user) return null;
+  const handleLogout = () => {
+    window.location.href = getSignOutUrl();
+  };
+  return /* @__PURE__ */ (0, import_jsx_runtime6.jsxs)(
+    import_core5.Menu,
+    {
+      width: 260,
+      position: "bottom-end",
+      transitionProps: { transition: "pop-top-right" },
+      opened,
+      onChange: setOpened,
+      children: [
+        /* @__PURE__ */ (0, import_jsx_runtime6.jsx)(import_core5.Menu.Target, { children: /* @__PURE__ */ (0, import_jsx_runtime6.jsx)(
+          import_core5.UnstyledButton,
+          {
+            style: {
+              padding: "var(--mantine-spacing-xs)",
+              borderRadius: "var(--mantine-radius-sm)",
+              transition: "background-color 100ms ease"
+            },
+            children: /* @__PURE__ */ (0, import_jsx_runtime6.jsxs)(import_core5.Group, { gap: 7, children: [
+              /* @__PURE__ */ (0, import_jsx_runtime6.jsx)(import_core5.Avatar, { src: profile.avatarUrl, alt: profile.name, radius: "xl", size: 32 }),
+              /* @__PURE__ */ (0, import_jsx_runtime6.jsx)(import_core5.Text, { fw: 500, size: "sm", lh: 1, mr: 3, children: profile.name }),
+              /* @__PURE__ */ (0, import_jsx_runtime6.jsx)(import_icons_react3.IconChevronDown, { style: { width: (0, import_core5.rem)(12), height: (0, import_core5.rem)(12) }, stroke: 1.5 })
+            ] })
+          }
+        ) }),
+        /* @__PURE__ */ (0, import_jsx_runtime6.jsxs)(import_core5.Menu.Dropdown, { children: [
+          /* @__PURE__ */ (0, import_jsx_runtime6.jsx)(import_core5.Menu.Label, { children: /* @__PURE__ */ (0, import_jsx_runtime6.jsx)(import_core5.Text, { size: "xs", c: "dimmed", truncate: true, children: profile.email }) }),
+          /* @__PURE__ */ (0, import_jsx_runtime6.jsx)(
+            import_core5.Menu.Item,
+            {
+              leftSection: /* @__PURE__ */ (0, import_jsx_runtime6.jsx)(import_icons_react3.IconLogout, { style: { width: (0, import_core5.rem)(16), height: (0, import_core5.rem)(16) }, stroke: 1.5 }),
+              onClick: handleLogout,
+              children: "Sign out"
+            }
+          )
+        ] })
+      ]
+    }
+  );
+}
+
+// src/components/verify-code.tsx
+var import_react6 = require("react");
+var import_core6 = require("@mantine/core");
+var import_client4 = require("@frequencyads/db/client");
+var import_jsx_runtime7 = require("react/jsx-runtime");
+function VerifyCodeForm({
+  email,
+  type,
+  onSuccess,
+  onResend,
+  onBack,
+  backLabel = "Back to sign in",
+  header
+}) {
+  const [code, setCode] = (0, import_react6.useState)("");
+  const [error, setError] = (0, import_react6.useState)(null);
+  const [loading, setLoading] = (0, import_react6.useState)(false);
+  const [verified, setVerified] = (0, import_react6.useState)(false);
+  const [resendCooldown, setResendCooldown] = (0, import_react6.useState)(0);
+  (0, import_react6.useEffect)(() => {
+    if (resendCooldown <= 0) return;
+    const timer = setTimeout(() => setResendCooldown((c) => c - 1), 1e3);
+    return () => clearTimeout(timer);
+  }, [resendCooldown]);
+  const handleVerify = (0, import_react6.useCallback)(
+    async (value) => {
+      if (value.length !== 6) return;
+      setError(null);
+      setLoading(true);
+      try {
+        const supabase = (0, import_client4.createBrowserClient)();
+        const { error: verifyError } = await supabase.auth.verifyOtp({
+          email,
+          token: value,
+          type
+        });
+        if (verifyError) {
+          setError("This code is invalid or has expired. Please request a new one.");
+          setCode("");
+        } else {
+          setVerified(true);
+          onSuccess();
+        }
+      } finally {
+        setLoading(false);
+      }
+    },
+    [email, type, onSuccess]
+  );
+  const [resending, setResending] = (0, import_react6.useState)(false);
+  const handleResend = async () => {
+    setError(null);
+    setResending(true);
+    try {
+      const result = await onResend();
+      if (result.error) {
+        setError(result.error);
+      } else {
+        setResendCooldown(60);
+      }
+    } finally {
+      setResending(false);
+    }
+  };
+  return /* @__PURE__ */ (0, import_jsx_runtime7.jsxs)(import_core6.Box, { w: "100%", maw: 460, children: [
+    header && /* @__PURE__ */ (0, import_jsx_runtime7.jsx)(import_core6.Box, { mb: "lg", style: { textAlign: "center" }, children: header }),
+    /* @__PURE__ */ (0, import_jsx_runtime7.jsx)(import_core6.Title, { order: 3, fw: 600, mb: "xs", c: "gray.7", children: type === "email" ? "Verify your email" : "Enter reset code" }),
+    /* @__PURE__ */ (0, import_jsx_runtime7.jsxs)(import_core6.Text, { size: "sm", c: "gray.6", mb: "lg", children: [
+      "We sent a 6-digit code to ",
+      /* @__PURE__ */ (0, import_jsx_runtime7.jsx)("strong", { children: email })
+    ] }),
+    /* @__PURE__ */ (0, import_jsx_runtime7.jsxs)(import_core6.Stack, { children: [
+      /* @__PURE__ */ (0, import_jsx_runtime7.jsx)(
+        import_core6.PinInput,
+        {
+          length: 6,
+          type: "number",
+          oneTimeCode: true,
+          autoFocus: true,
+          size: "lg",
+          value: code,
+          onChange: (value) => {
+            setCode(value);
+            if (value.length > 0) setError(null);
+          },
+          onComplete: handleVerify,
+          error: !!error,
+          disabled: loading || verified,
+          styles: { input: { fontWeight: 600, fontSize: 20 } }
+        }
+      ),
+      error && /* @__PURE__ */ (0, import_jsx_runtime7.jsx)(import_core6.Text, { size: "sm", c: "red", children: error }),
+      /* @__PURE__ */ (0, import_jsx_runtime7.jsx)(
+        import_core6.Button,
+        {
+          fullWidth: true,
+          size: "md",
+          loading: loading || verified,
+          onClick: () => handleVerify(code),
+          children: "Verify"
+        }
+      ),
+      /* @__PURE__ */ (0, import_jsx_runtime7.jsxs)(import_core6.Text, { size: "sm", c: "gray.6", ta: "center", children: [
+        "Didn't receive the code?",
+        " ",
+        resendCooldown > 0 ? /* @__PURE__ */ (0, import_jsx_runtime7.jsxs)(import_core6.Text, { span: true, c: "gray.5", children: [
+          "Resend in ",
+          resendCooldown,
+          "s"
+        ] }) : /* @__PURE__ */ (0, import_jsx_runtime7.jsx)(
+          import_core6.Anchor,
+          {
+            component: "button",
+            type: "button",
+            size: "sm",
+            onClick: handleResend,
+            disabled: resending,
+            children: resending ? "Sending\u2026" : "Resend code"
+          }
+        )
+      ] }),
+      onBack && /* @__PURE__ */ (0, import_jsx_runtime7.jsx)(import_core6.Anchor, { component: "button", type: "button", size: "sm", onClick: onBack, ta: "center", children: backLabel })
+    ] })
+  ] });
+}
+
+// src/components/reset-password.tsx
+var import_react7 = require("react");
+var import_core7 = require("@mantine/core");
+var import_client5 = require("@frequencyads/db/client");
+var import_jsx_runtime8 = require("react/jsx-runtime");
+function ResetPasswordForm({ onComplete, onBackToLogin, header }) {
+  const supabase = (0, import_client5.createBrowserClient)();
+  const [step, setStep] = (0, import_react7.useState)("email");
+  const [email, setEmail] = (0, import_react7.useState)("");
+  const [password, setPassword] = (0, import_react7.useState)("");
+  const [confirmPassword, setConfirmPassword] = (0, import_react7.useState)("");
+  const [error, setError] = (0, import_react7.useState)(null);
+  const [loading, setLoading] = (0, import_react7.useState)(false);
+  const handleRequestReset = async (e) => {
+    e.preventDefault();
+    setError(null);
+    if (!email.trim()) {
+      setError("Email is required.");
+      return;
+    }
+    setLoading(true);
+    try {
+      const { error: resetError } = await supabase.auth.resetPasswordForEmail(email);
+      if (resetError) {
+        setError(resetError.message);
+      } else {
+        setStep("code");
+      }
+    } finally {
+      setLoading(false);
+    }
+  };
+  const handleSetPassword = async (e) => {
+    e.preventDefault();
+    setError(null);
+    if (password.length < 8) {
+      setError("Password must be at least 8 characters.");
+      return;
+    }
+    if (password !== confirmPassword) {
+      setError("Passwords do not match.");
+      return;
+    }
+    setLoading(true);
+    try {
+      const { error: updateError } = await supabase.auth.updateUser({ password });
+      if (updateError) {
+        setError(updateError.message);
+      } else {
+        onComplete();
+      }
+    } finally {
+      setLoading(false);
+    }
+  };
+  if (step === "code") {
+    return /* @__PURE__ */ (0, import_jsx_runtime8.jsx)(
+      VerifyCodeForm,
+      {
+        email,
+        type: "recovery",
+        onSuccess: () => setStep("password"),
+        onResend: async () => {
+          const { error: resendError } = await supabase.auth.resetPasswordForEmail(email);
+          return { error: resendError == null ? void 0 : resendError.message };
+        },
+        onBack: onBackToLogin,
+        header
+      }
+    );
+  }
+  if (step === "password") {
+    return /* @__PURE__ */ (0, import_jsx_runtime8.jsxs)(import_core7.Box, { w: "100%", maw: 460, children: [
+      header && /* @__PURE__ */ (0, import_jsx_runtime8.jsx)(import_core7.Box, { mb: "lg", style: { textAlign: "center" }, children: header }),
+      /* @__PURE__ */ (0, import_jsx_runtime8.jsx)(import_core7.Title, { order: 3, fw: 600, mb: "xs", c: "gray.7", children: "Set new password" }),
+      /* @__PURE__ */ (0, import_jsx_runtime8.jsx)(import_core7.Text, { size: "sm", c: "gray.6", mb: "lg", children: "Choose a new password for your account." }),
+      /* @__PURE__ */ (0, import_jsx_runtime8.jsx)("form", { onSubmit: handleSetPassword, children: /* @__PURE__ */ (0, import_jsx_runtime8.jsxs)(import_core7.Stack, { children: [
+        /* @__PURE__ */ (0, import_jsx_runtime8.jsx)(
+          import_core7.PasswordInput,
+          {
+            label: "New password",
+            placeholder: "At least 8 characters",
+            value: password,
+            onChange: (e) => setPassword(e.currentTarget.value),
+            minLength: 8,
+            required: true
+          }
+        ),
+        /* @__PURE__ */ (0, import_jsx_runtime8.jsx)(
+          import_core7.PasswordInput,
+          {
+            label: "Confirm password",
+            placeholder: "Repeat your password",
+            value: confirmPassword,
+            onChange: (e) => setConfirmPassword(e.currentTarget.value),
+            required: true
+          }
+        ),
+        error && /* @__PURE__ */ (0, import_jsx_runtime8.jsx)(import_core7.Text, { size: "sm", c: "red", children: error }),
+        /* @__PURE__ */ (0, import_jsx_runtime8.jsx)(import_core7.Button, { fullWidth: true, size: "md", type: "submit", loading, children: "Update password" })
+      ] }) })
+    ] });
+  }
+  return /* @__PURE__ */ (0, import_jsx_runtime8.jsxs)(import_core7.Box, { w: "100%", maw: 460, children: [
+    header && /* @__PURE__ */ (0, import_jsx_runtime8.jsx)(import_core7.Box, { mb: "lg", style: { textAlign: "center" }, children: header }),
+    /* @__PURE__ */ (0, import_jsx_runtime8.jsx)(import_core7.Title, { order: 3, fw: 600, mb: "xs", c: "gray.7", children: "Reset password" }),
+    /* @__PURE__ */ (0, import_jsx_runtime8.jsx)(import_core7.Text, { size: "sm", c: "gray.6", mb: "lg", children: "Enter your email and we'll send you a code to reset your password." }),
+    /* @__PURE__ */ (0, import_jsx_runtime8.jsx)("form", { onSubmit: handleRequestReset, children: /* @__PURE__ */ (0, import_jsx_runtime8.jsxs)(import_core7.Stack, { children: [
+      /* @__PURE__ */ (0, import_jsx_runtime8.jsx)(
+        import_core7.TextInput,
+        {
+          label: "Email",
+          placeholder: "you@frequency.media",
+          type: "email",
+          value: email,
+          onChange: (e) => setEmail(e.currentTarget.value),
+          required: true
+        }
+      ),
+      error && /* @__PURE__ */ (0, import_jsx_runtime8.jsx)(import_core7.Text, { size: "sm", c: "red", children: error }),
+      /* @__PURE__ */ (0, import_jsx_runtime8.jsx)(import_core7.Button, { fullWidth: true, size: "md", type: "submit", loading, children: "Send reset code" }),
+      onBackToLogin && /* @__PURE__ */ (0, import_jsx_runtime8.jsx)(import_core7.Text, { size: "sm", c: "gray.6", ta: "center", children: /* @__PURE__ */ (0, import_jsx_runtime8.jsx)(import_core7.Anchor, { component: "button", type: "button", size: "sm", onClick: onBackToLogin, children: "Back to sign in" }) })
+    ] }) })
+  ] });
+}
+
+// src/middleware.ts
+var import_ssr2 = require("@supabase/ssr");
+var import_server2 = require("next/server");
+var import_config2 = require("@frequencyads/db/config");
+var import_cookies2 = require("@frequencyads/db/cookies");
+function getAccountsUrl() {
+  const url = process.env.NEXT_PUBLIC_ACCOUNTS_URL;
+  if (!url) throw new Error("Missing required env var: NEXT_PUBLIC_ACCOUNTS_URL");
+  return url;
+}
+async function getSessionAndClaims(request) {
+  var _a;
+  let supabaseResponse = import_server2.NextResponse.next({ request });
+  const hostname = new URL(getRequestOrigin(request)).hostname;
+  const cookieDomain = (0, import_cookies2.deriveCookieDomain)(hostname, (0, import_config2.getTrustedDomains)());
+  const cookieOptions = cookieDomain ? { domain: cookieDomain } : void 0;
+  const supabase = (0, import_ssr2.createServerClient)((0, import_config2.getSupabaseUrl)(), (0, import_config2.getSupabasePublishableKey)(), {
+    cookieOptions,
+    cookies: {
+      getAll() {
+        return request.cookies.getAll();
+      },
+      setAll(cookiesToSet) {
+        cookiesToSet.forEach(({ name, value }) => request.cookies.set(name, value));
+        supabaseResponse = import_server2.NextResponse.next({ request });
+        cookiesToSet.forEach(
+          ({ name, value, options }) => supabaseResponse.cookies.set(name, value, options)
+        );
+      }
+    }
+  });
+  const { data } = await supabase.auth.getClaims();
+  const claims = (_a = data == null ? void 0 : data.claims) != null ? _a : null;
+  return { supabase, supabaseResponse, claims };
+}
+async function isOrgMember(supabase, userId) {
+  const { data } = await supabase.from("perm_organization_member").select("id").eq("user_id", userId).limit(1).maybeSingle();
+  return data !== null;
+}
+async function isEmployee(supabase, userId) {
+  const { data } = await supabase.from("perm_user_global_role").select("role").eq("user_id", userId).maybeSingle();
+  return (data == null ? void 0 : data.role) === "EMPLOYEE" || (data == null ? void 0 : data.role) === "ADMIN";
+}
+function createAuthMiddleware({ access }) {
+  return async function middleware(request) {
+    const { supabase, supabaseResponse, claims } = await getSessionAndClaims(request);
+    const accountsUrl = getAccountsUrl();
+    const currentUrl = request.nextUrl.href;
+    if (!claims) {
+      const loginUrl = `${accountsUrl}/login?next=${encodeURIComponent(currentUrl)}`;
+      return import_server2.NextResponse.redirect(loginUrl);
+    }
+    const userId = claims.sub;
+    let authorized = false;
+    if (access === "org-member") {
+      authorized = await isOrgMember(supabase, userId);
+    } else if (access === "employee") {
+      authorized = await isEmployee(supabase, userId);
+    }
+    if (!authorized) {
+      const deniedUrl = `${accountsUrl}?error=access_denied&from=${encodeURIComponent(currentUrl)}`;
+      return import_server2.NextResponse.redirect(deniedUrl);
+    }
+    return supabaseResponse;
+  };
+}
+var defaultMatcher = {
+  matcher: [
+    "/((?!_next/static|_next/image|favicon.ico|.*\\.(?:svg|png|jpg|jpeg|gif|webp|ico)$).*)"
+  ]
+};
+// Annotate the CommonJS export names for ESM import in node:
+0 && (module.exports = {
+  AuthProvider,
+  LoginPage,
+  ResetPasswordForm,
+  SignOutButton,
+  UserMenu,
+  VerifyCodeForm,
+  createAuthMiddleware,
+  defaultMatcher,
+  getSignOutUrl,
+  updateSession,
+  useAuth
+});