@ghostly-solutions/auth 0.1.0

package/dist/next.js

@@ -0,0 +1,899 @@
+// src/constants/auth-endpoints.ts
+var authApiPrefix = "/v1/auth";
+var authEndpoints = {
+  loginStart: `${authApiPrefix}/keycloak/login`,
+  validateKeycloakToken: `${authApiPrefix}/keycloak/validate`,
+  session: `${authApiPrefix}/me`,
+  logout: `${authApiPrefix}/logout`
+};
+
+// src/constants/http-status.ts
+var httpStatus = {
+  ok: 200,
+  found: 302,
+  noContent: 204,
+  badRequest: 400,
+  unauthorized: 401
+};
+
+// src/errors/auth-sdk-error.ts
+var AuthSdkError = class extends Error {
+  code;
+  details;
+  status;
+  constructor(payload) {
+    super(payload.message);
+    this.name = "AuthSdkError";
+    this.code = payload.code;
+    this.details = payload.details;
+    this.status = payload.status;
+  }
+};
+
+// src/types/auth-error-code.ts
+var authErrorCode = {
+  callbackMissingToken: "callback_missing_token",
+  callbackInvalidToken: "callback_invalid_token",
+  callbackValidationFailed: "callback_validation_failed",
+  unauthorized: "unauthorized",
+  networkError: "network_error",
+  apiError: "api_error",
+  broadcastChannelUnsupported: "broadcast_channel_unsupported",
+  serverOriginResolutionFailed: "server_origin_resolution_failed"
+};
+
+// src/core/object-guards.ts
+function isObjectRecord(value) {
+  return typeof value === "object" && value !== null;
+}
+function isStringValue(value) {
+  return typeof value === "string";
+}
+
+// src/core/session-parser.ts
+function isStringArray(value) {
+  return Array.isArray(value) && value.every((entry) => isStringValue(entry));
+}
+function isGhostlySession(value) {
+  if (!isObjectRecord(value)) {
+    return false;
+  }
+  return isStringValue(value.id) && isStringValue(value.username) && (value.firstName === null || isStringValue(value.firstName)) && (value.lastName === null || isStringValue(value.lastName)) && isStringValue(value.email) && isStringValue(value.role) && isStringArray(value.permissions);
+}
+
+// src/adapters/next/server-session.ts
+var hostHeaderName = "x-forwarded-host";
+var fallbackHostHeaderName = "host";
+var forwardedProtoHeaderName = "x-forwarded-proto";
+var defaultProtocol = "https";
+var protocolSeparator = "://";
+var forwardedSessionHeaderNames = ["cookie", "authorization", "x-request-id"];
+function resolveServerOrigin(options) {
+  const host = options.headers.get(hostHeaderName) ?? options.headers.get(fallbackHostHeaderName);
+  if (!host) {
+    throw new AuthSdkError({
+      code: authErrorCode.serverOriginResolutionFailed,
+      details: null,
+      message: "Cannot resolve server origin from request headers.",
+      status: null
+    });
+  }
+  const protocol = options.protocol ?? options.headers.get(forwardedProtoHeaderName) ?? defaultProtocol;
+  return `${protocol}${protocolSeparator}${host}`;
+}
+function forwardSessionHeaders(headers) {
+  const forwarded = new Headers();
+  for (const headerName of forwardedSessionHeaderNames) {
+    const value = headers.get(headerName);
+    if (value) {
+      forwarded.set(headerName, value);
+    }
+  }
+  return forwarded;
+}
+function parseSessionPayload(payload) {
+  if (payload === null) {
+    return null;
+  }
+  if (!isGhostlySession(payload)) {
+    throw new AuthSdkError({
+      code: authErrorCode.apiError,
+      details: payload,
+      message: "Session payload has invalid shape.",
+      status: null
+    });
+  }
+  return payload;
+}
+async function getServerSession(options) {
+  const fetchImplementation = options.fetchImplementation ?? fetch;
+  const origin = resolveServerOrigin(options);
+  const response = await fetchImplementation(`${origin}${authEndpoints.session}`, {
+    cache: "no-store",
+    credentials: "include",
+    headers: forwardSessionHeaders(options.headers),
+    method: "GET"
+  });
+  if (response.status === httpStatus.ok) {
+    const payload = await response.json();
+    return parseSessionPayload(payload);
+  }
+  if (response.status === httpStatus.unauthorized) {
+    throw new AuthSdkError({
+      code: authErrorCode.unauthorized,
+      details: null,
+      message: "Unauthorized server session request.",
+      status: response.status
+    });
+  }
+  throw new AuthSdkError({
+    code: authErrorCode.apiError,
+    details: null,
+    message: "Unexpected server session response.",
+    status: response.status
+  });
+}
+async function requireServerSession(options) {
+  const session = await getServerSession(options);
+  if (session) {
+    return session;
+  }
+  throw new AuthSdkError({
+    code: authErrorCode.unauthorized,
+    details: null,
+    message: "Authenticated session is required.",
+    status: httpStatus.unauthorized
+  });
+}
+
+// src/adapters/next/auth-kit.ts
+var defaultCallbackToken = "mock-keycloak-token";
+var defaultCookieName = "gs_auth_session";
+var defaultCookieValue = "mock-session-super-admin";
+var defaultFrontendCallbackPath = "/auth/callback";
+var callbackCodePrefix = "mock_code_";
+var callbackStatePrefix = "mock_state_";
+var clearCookieDate = "Thu, 01 Jan 1970 00:00:00 GMT";
+var proxyForwardedHeaderNames = [
+  "accept-language",
+  "authorization",
+  "cookie",
+  "content-type",
+  "x-request-id"
+];
+function defaultMockSessionFactory() {
+  return {
+    id: "123",
+    username: "john_doe",
+    firstName: "John",
+    lastName: "Doe",
+    email: "john.doe@ghostlysolutions.ae",
+    role: "superAdmin",
+    permissions: [
+      "users:view",
+      "tasks:view",
+      "analytics:view",
+      "settings:view",
+      "audit-logs:view",
+      "admins:view"
+    ]
+  };
+}
+function createErrorPayload(code, message, details = null) {
+  return { code, message, details };
+}
+function toJsonResponse(payload, status) {
+  return new Response(JSON.stringify(payload), {
+    status,
+    headers: {
+      "content-type": "application/json"
+    }
+  });
+}
+function parseCookieValue(cookieHeader, cookieName) {
+  if (!cookieHeader) {
+    return null;
+  }
+  const prefix = `${cookieName}=`;
+  const pairs = cookieHeader.split(";").map((pair) => pair.trim());
+  const match = pairs.find((pair) => pair.startsWith(prefix));
+  return match ? match.slice(prefix.length) : null;
+}
+function shouldForwardBody(method) {
+  const normalized = method.toUpperCase();
+  return normalized !== "GET" && normalized !== "HEAD";
+}
+function resolveSecureCookie(requestUrl, secureMode) {
+  if (typeof secureMode === "boolean") {
+    return secureMode;
+  }
+  if (requestUrl.protocol !== "https:") {
+    return false;
+  }
+  const hostname = requestUrl.hostname.toLowerCase();
+  return hostname !== "localhost" && hostname !== "127.0.0.1";
+}
+function toSetCookieHeader(options) {
+  const attributes = ["Path=/", "HttpOnly", "SameSite=Lax"];
+  if (options.secure) {
+    attributes.push("Secure");
+  }
+  if (options.clear) {
+    attributes.push("Max-Age=0");
+    attributes.push(`Expires=${clearCookieDate}`);
+  }
+  return `${options.cookieName}=${options.cookieValue}; ${attributes.join("; ")}`;
+}
+async function proxyRequest(baseUrl, request2) {
+  const incomingUrl = new URL(request2.url);
+  const targetUrl = new URL(incomingUrl.pathname + incomingUrl.search, baseUrl);
+  const proxyHeaders = new Headers();
+  for (const headerName of proxyForwardedHeaderNames) {
+    const value = request2.headers.get(headerName);
+    if (value) {
+      proxyHeaders.set(headerName, value);
+    }
+  }
+  const body = shouldForwardBody(request2.method) ? await request2.text() : void 0;
+  const upstreamResponse = await fetch(targetUrl, {
+    method: request2.method,
+    headers: proxyHeaders,
+    cache: "no-store",
+    redirect: "manual",
+    ...body !== void 0 ? { body } : {}
+  });
+  const responseHeaders = new Headers();
+  for (const [headerName, headerValue] of upstreamResponse.headers.entries()) {
+    responseHeaders.set(headerName, headerValue);
+  }
+  return new Response(upstreamResponse.body, {
+    status: upstreamResponse.status,
+    headers: responseHeaders
+  });
+}
+async function resolveNextHeaders() {
+  try {
+    const importNextHeaders = new Function("return import('next/headers')");
+    const nextHeaders = await importNextHeaders();
+    const resolved = await nextHeaders.headers();
+    return resolved;
+  } catch (error) {
+    throw new AuthSdkError({
+      code: authErrorCode.serverOriginResolutionFailed,
+      details: error,
+      message: "Unable to resolve Next request headers.",
+      status: null
+    });
+  }
+}
+function resolveNextProtocol(headers, explicitProtocol) {
+  if (explicitProtocol) {
+    return explicitProtocol;
+  }
+  const forwarded = headers.get("x-forwarded-proto");
+  if (forwarded) {
+    return forwarded;
+  }
+  const host = headers.get("x-forwarded-host") ?? headers.get("host");
+  if (!host) {
+    return "https";
+  }
+  const normalizedHost = host.toLowerCase();
+  return normalizedHost.includes("localhost") || normalizedHost.includes("127.0.0.1") ? "http" : "https";
+}
+function normalizeMockToken(payload) {
+  if (typeof payload !== "object" || payload === null || Array.isArray(payload)) {
+    return null;
+  }
+  const recordPayload = payload;
+  const keys = Object.keys(recordPayload);
+  if (keys.length !== 1 || !keys.includes("token")) {
+    return null;
+  }
+  const tokenValue = recordPayload.token;
+  if (typeof tokenValue !== "string") {
+    return null;
+  }
+  const normalized = tokenValue.trim();
+  return normalized.length > 0 ? normalized : null;
+}
+async function getNextServerSession(options = {}) {
+  const headers = options.headers ?? await resolveNextHeaders();
+  const protocol = resolveNextProtocol(headers, options.protocol);
+  return getServerSession({
+    headers,
+    protocol,
+    ...options.fetchImplementation ? { fetchImplementation: options.fetchImplementation } : {}
+  });
+}
+async function tryGetNextServerSession(options = {}) {
+  try {
+    return await getNextServerSession(options);
+  } catch {
+    return null;
+  }
+}
+async function requireNextServerSession(options = {}) {
+  const session = await getNextServerSession(options);
+  if (session) {
+    return session;
+  }
+  throw new AuthSdkError({
+    code: authErrorCode.unauthorized,
+    details: null,
+    message: "Authenticated session is required.",
+    status: httpStatus.unauthorized
+  });
+}
+function createNextAuthRouteHandlers(options) {
+  const callbackToken = options.mock?.callbackToken ?? defaultCallbackToken;
+  const cookieName = options.mock?.cookieName ?? defaultCookieName;
+  const cookieValue = options.mock?.cookieValue ?? defaultCookieValue;
+  const cookieSecure = options.mock?.cookieSecure ?? "auto";
+  const frontendCallbackPath = options.mock?.frontendCallbackPath ?? defaultFrontendCallbackPath;
+  const createSession = options.mock?.createSession ?? defaultMockSessionFactory;
+  const proxyOptions = options.proxy;
+  if (options.mode === "proxy" && !proxyOptions?.baseUrl) {
+    throw new AuthSdkError({
+      code: authErrorCode.apiError,
+      details: null,
+      message: "proxy.baseUrl is required in proxy mode.",
+      status: null
+    });
+  }
+  const proxyIfNeeded = async (request2) => {
+    if (options.mode !== "proxy") {
+      return null;
+    }
+    return proxyRequest(proxyOptions?.baseUrl ?? "", request2);
+  };
+  return {
+    keycloakLoginGet: async (request2) => {
+      const proxied = await proxyIfNeeded(request2);
+      if (proxied) {
+        return proxied;
+      }
+      const code = `${callbackCodePrefix}${crypto.randomUUID()}`;
+      const state = `${callbackStatePrefix}${crypto.randomUUID()}`;
+      const redirectTarget = `${authEndpoints.loginStart.replace("/login", "/callback")}?code=${encodeURIComponent(code)}&state=${encodeURIComponent(state)}`;
+      return new Response(null, {
+        status: httpStatus.found,
+        headers: {
+          location: redirectTarget
+        }
+      });
+    },
+    keycloakCallbackGet: async (request2) => {
+      const proxied = await proxyIfNeeded(request2);
+      if (proxied) {
+        return proxied;
+      }
+      const requestUrl = new URL(request2.url);
+      const code = requestUrl.searchParams.get("code")?.trim();
+      const state = requestUrl.searchParams.get("state")?.trim();
+      if (!(code && state)) {
+        return toJsonResponse(
+          createErrorPayload("bad_request", "code and state are required."),
+          httpStatus.badRequest
+        );
+      }
+      const callbackUrl = `${frontendCallbackPath}?token=${encodeURIComponent(callbackToken)}`;
+      return new Response(null, {
+        status: httpStatus.found,
+        headers: {
+          location: callbackUrl
+        }
+      });
+    },
+    keycloakValidatePost: async (request2) => {
+      const proxied = await proxyIfNeeded(request2);
+      if (proxied) {
+        return proxied;
+      }
+      let payload;
+      try {
+        payload = await request2.json();
+      } catch {
+        return toJsonResponse(
+          createErrorPayload("bad_request", "Request payload must be valid JSON."),
+          httpStatus.badRequest
+        );
+      }
+      const token = normalizeMockToken(payload);
+      if (!token) {
+        return toJsonResponse(
+          createErrorPayload(
+            "bad_request",
+            "Request payload must contain only non-empty token field."
+          ),
+          httpStatus.badRequest
+        );
+      }
+      if (token !== callbackToken) {
+        return toJsonResponse(
+          createErrorPayload("unauthorized", "Callback token is invalid or expired."),
+          httpStatus.unauthorized
+        );
+      }
+      const session = createSession();
+      const responsePayload = { session };
+      const secure = resolveSecureCookie(new URL(request2.url), cookieSecure);
+      return new Response(JSON.stringify(responsePayload), {
+        status: httpStatus.ok,
+        headers: {
+          "content-type": "application/json",
+          "set-cookie": toSetCookieHeader({
+            cookieName,
+            cookieValue,
+            secure
+          })
+        }
+      });
+    },
+    meGet: async (request2) => {
+      const proxied = await proxyIfNeeded(request2);
+      if (proxied) {
+        return proxied;
+      }
+      const cookie = request2.headers.get("cookie");
+      const session = parseCookieValue(cookie, cookieName) === cookieValue ? createSession() : null;
+      return toJsonResponse(session, httpStatus.ok);
+    },
+    logoutPost: async (request2) => {
+      const proxied = await proxyIfNeeded(request2);
+      if (proxied) {
+        return proxied;
+      }
+      const secure = resolveSecureCookie(new URL(request2.url), cookieSecure);
+      return new Response(null, {
+        status: httpStatus.noContent,
+        headers: {
+          "set-cookie": toSetCookieHeader({
+            cookieName,
+            cookieValue: "",
+            secure,
+            clear: true
+          })
+        }
+      });
+    }
+  };
+}
+
+// src/constants/auth-keys.ts
+var authQueryKeys = {
+  token: "token"
+};
+var authStorageKeys = {
+  returnTo: "ghostly-auth:return-to"
+};
+var authBroadcast = {
+  channelName: "ghostly-auth-channel",
+  sessionUpdatedEvent: "session-updated"
+};
+var authRoutes = {
+  root: "/"};
+
+// src/core/broadcast-sync.ts
+function isSessionUpdatedMessage(value) {
+  if (!isObjectRecord(value)) {
+    return false;
+  }
+  if (!isStringValue(value.type)) {
+    return false;
+  }
+  if (value.type !== authBroadcast.sessionUpdatedEvent) {
+    return false;
+  }
+  return value.session === null || isGhostlySession(value.session);
+}
+function createUnsupportedBroadcastChannelError() {
+  return new AuthSdkError({
+    code: authErrorCode.broadcastChannelUnsupported,
+    details: null,
+    message: "BroadcastChannel is unavailable in this runtime.",
+    status: null
+  });
+}
+function createBroadcastSync(options) {
+  if (typeof BroadcastChannel === "undefined") {
+    throw createUnsupportedBroadcastChannelError();
+  }
+  const channel = new BroadcastChannel(authBroadcast.channelName);
+  const onMessage = (event) => {
+    const messageEvent = event;
+    if (!isSessionUpdatedMessage(messageEvent.data)) {
+      return;
+    }
+    options.onSessionUpdated(messageEvent.data.session);
+  };
+  channel.addEventListener("message", onMessage);
+  return {
+    close() {
+      channel.removeEventListener("message", onMessage);
+      channel.close();
+    },
+    publishSession(session) {
+      const payload = {
+        session,
+        type: authBroadcast.sessionUpdatedEvent
+      };
+      channel.postMessage(payload);
+    }
+  };
+}
+
+// src/core/callback-url.ts
+function readCallbackToken(url) {
+  return url.searchParams.get(authQueryKeys.token);
+}
+function removeCallbackToken(url) {
+  const nextUrl = new URL(url.toString());
+  nextUrl.searchParams.delete(authQueryKeys.token);
+  return nextUrl;
+}
+function replaceBrowserHistory(url) {
+  window.history.replaceState(null, "", url.toString());
+}
+
+// src/core/http-client.ts
+var jsonContentType = "application/json";
+var jsonHeaderName = "content-type";
+var includeCredentials = "include";
+var noStoreCache = "no-store";
+function toTypedValue(value) {
+  return value;
+}
+function mapHttpStatusToAuthErrorCode(status) {
+  if (status === httpStatus.unauthorized) {
+    return authErrorCode.unauthorized;
+  }
+  return authErrorCode.apiError;
+}
+async function parseJsonPayload(response) {
+  try {
+    return await response.json();
+  } catch {
+    return null;
+  }
+}
+async function parseErrorPayload(response) {
+  const payload = await parseJsonPayload(response);
+  if (!isObjectRecord(payload)) {
+    return {
+      code: null,
+      details: null,
+      message: null
+    };
+  }
+  const maybeCode = payload.code;
+  const maybeMessage = payload.message;
+  return {
+    code: isStringValue(maybeCode) ? maybeCode : null,
+    details: "details" in payload ? payload.details : null,
+    message: isStringValue(maybeMessage) ? maybeMessage : null
+  };
+}
+function buildApiErrorMessage(method, path) {
+  return `Auth API request failed: ${method} ${path}`;
+}
+function buildNetworkErrorMessage(method, path) {
+  return `Auth API network failure: ${method} ${path}`;
+}
+async function request(options) {
+  const expectedStatus = options.expectedStatus ?? httpStatus.ok;
+  const headers = new Headers();
+  const hasBody = typeof options.body !== "undefined";
+  if (hasBody) {
+    headers.set(jsonHeaderName, jsonContentType);
+  }
+  const requestInit = {
+    cache: noStoreCache,
+    credentials: includeCredentials,
+    headers,
+    method: options.method
+  };
+  if (hasBody) {
+    requestInit.body = JSON.stringify(options.body);
+  }
+  let response;
+  try {
+    response = await fetch(options.path, requestInit);
+  } catch (error) {
+    throw new AuthSdkError({
+      code: authErrorCode.networkError,
+      details: error,
+      message: buildNetworkErrorMessage(options.method, options.path),
+      status: null
+    });
+  }
+  if (response.status !== expectedStatus) {
+    const parsed = await parseErrorPayload(response);
+    throw new AuthSdkError({
+      code: mapHttpStatusToAuthErrorCode(response.status),
+      details: {
+        apiCode: parsed.code,
+        apiDetails: parsed.details
+      },
+      message: parsed.message ?? buildApiErrorMessage(options.method, options.path),
+      status: response.status
+    });
+  }
+  if (response.status === httpStatus.noContent) {
+    return toTypedValue(null);
+  }
+  const payload = await parseJsonPayload(response);
+  return toTypedValue(payload);
+}
+function getJson(path) {
+  return request({
+    method: "GET",
+    path
+  });
+}
+function postJson(path, body) {
+  return request({
+    body,
+    method: "POST",
+    path
+  });
+}
+function postEmpty(path) {
+  return request({
+    expectedStatus: httpStatus.noContent,
+    method: "POST",
+    path
+  });
+}
+
+// src/core/runtime.ts
+var browserRuntimeErrorMessage = "Browser runtime is required for this auth operation.";
+function isBrowserRuntime() {
+  return typeof window !== "undefined";
+}
+function assertBrowserRuntime() {
+  if (isBrowserRuntime()) {
+    return;
+  }
+  throw new AuthSdkError({
+    code: authErrorCode.apiError,
+    details: null,
+    message: browserRuntimeErrorMessage,
+    status: null
+  });
+}
+
+// src/core/return-to-storage.ts
+function sanitizeReturnTo(value) {
+  if (!value) {
+    return authRoutes.root;
+  }
+  if (!value.startsWith(authRoutes.root)) {
+    return authRoutes.root;
+  }
+  const protocolRelativePrefix = "//";
+  if (value.startsWith(protocolRelativePrefix)) {
+    return authRoutes.root;
+  }
+  return value;
+}
+function getCurrentBrowserPath() {
+  return `${window.location.pathname}${window.location.search}${window.location.hash}`;
+}
+function saveReturnToPath(returnTo) {
+  assertBrowserRuntime();
+  const fallbackPath = getCurrentBrowserPath();
+  const sanitized = sanitizeReturnTo(returnTo ?? fallbackPath);
+  window.sessionStorage.setItem(authStorageKeys.returnTo, sanitized);
+  return sanitized;
+}
+function consumeReturnToPath() {
+  assertBrowserRuntime();
+  const value = window.sessionStorage.getItem(authStorageKeys.returnTo);
+  window.sessionStorage.removeItem(authStorageKeys.returnTo);
+  return sanitizeReturnTo(value);
+}
+
+// src/core/session-store.ts
+var SessionStore = class {
+  listeners = /* @__PURE__ */ new Set();
+  resolvedSession = null;
+  resolveState = "pending";
+  getSessionIfResolved() {
+    if (this.resolveState === "pending") {
+      return null;
+    }
+    return this.resolvedSession;
+  }
+  hasResolvedSession() {
+    return this.resolveState === "resolved";
+  }
+  setSession(session) {
+    this.resolveState = "resolved";
+    this.resolvedSession = session;
+    for (const listener of this.listeners) {
+      listener(session);
+    }
+  }
+  subscribe(listener) {
+    this.listeners.add(listener);
+    return () => {
+      this.listeners.delete(listener);
+    };
+  }
+};
+
+// src/core/auth-client.ts
+function createPendingRedirectPromise() {
+  return new Promise(() => {
+  });
+}
+function createInvalidSessionPayloadError(path) {
+  return new AuthSdkError({
+    code: authErrorCode.apiError,
+    details: null,
+    message: `Auth API response has invalid session shape: ${path}`,
+    status: null
+  });
+}
+function toValidatedSession(payload, path) {
+  if (!isGhostlySession(payload)) {
+    throw createInvalidSessionPayloadError(path);
+  }
+  return payload;
+}
+function toCallbackFailure(error) {
+  if (error instanceof AuthSdkError) {
+    if (error.status === httpStatus.unauthorized) {
+      return new AuthSdkError({
+        code: authErrorCode.callbackInvalidToken,
+        details: error.details,
+        message: "Callback JWT is invalid or expired.",
+        status: error.status
+      });
+    }
+    return new AuthSdkError({
+      code: authErrorCode.callbackValidationFailed,
+      details: error.details,
+      message: "Keycloak callback validation failed.",
+      status: error.status
+    });
+  }
+  return new AuthSdkError({
+    code: authErrorCode.callbackValidationFailed,
+    details: error,
+    message: "Keycloak callback validation failed.",
+    status: null
+  });
+}
+function createNoopBroadcastSync() {
+  return {
+    close() {
+    },
+    publishSession() {
+    }
+  };
+}
+function createSafeBroadcastSync(onSessionUpdated) {
+  try {
+    return createBroadcastSync({
+      onSessionUpdated
+    });
+  } catch (error) {
+    if (error instanceof AuthSdkError && error.code === authErrorCode.broadcastChannelUnsupported) {
+      return createNoopBroadcastSync();
+    }
+    throw error;
+  }
+}
+async function fetchCurrentSessionFromApi() {
+  const payload = await getJson(authEndpoints.session);
+  if (payload === null) {
+    return null;
+  }
+  return toValidatedSession(payload, authEndpoints.session);
+}
+function createAuthClient() {
+  assertBrowserRuntime();
+  const sessionStore = new SessionStore();
+  const broadcastSync = createSafeBroadcastSync((session) => {
+    sessionStore.setSession(session);
+  });
+  const getSession = async (options) => {
+    const forceRefresh = options?.forceRefresh ?? false;
+    if (sessionStore.hasResolvedSession() && !forceRefresh) {
+      return sessionStore.getSessionIfResolved();
+    }
+    const session = await fetchCurrentSessionFromApi();
+    sessionStore.setSession(session);
+    broadcastSync.publishSession(session);
+    return session;
+  };
+  const requireSession = async () => {
+    const session = await getSession();
+    if (session) {
+      return session;
+    }
+    throw new AuthSdkError({
+      code: authErrorCode.unauthorized,
+      details: null,
+      message: "Authenticated session is required.",
+      status: httpStatus.unauthorized
+    });
+  };
+  const login = (options) => {
+    saveReturnToPath(options?.returnTo);
+    window.location.assign(authEndpoints.loginStart);
+  };
+  const processCallback = async () => {
+    const currentUrl = new URL(window.location.href);
+    const token = readCallbackToken(currentUrl);
+    if (!token) {
+      throw new AuthSdkError({
+        code: authErrorCode.callbackMissingToken,
+        details: null,
+        message: "Missing callback token query parameter.",
+        status: httpStatus.badRequest
+      });
+    }
+    const cleanedUrl = removeCallbackToken(currentUrl);
+    replaceBrowserHistory(cleanedUrl);
+    try {
+      const payload = await postJson(
+        authEndpoints.validateKeycloakToken,
+        { token }
+      );
+      const session = toValidatedSession(payload.session, authEndpoints.validateKeycloakToken);
+      sessionStore.setSession(session);
+      broadcastSync.publishSession(session);
+      return {
+        redirectTo: consumeReturnToPath(),
+        session
+      };
+    } catch (error) {
+      throw toCallbackFailure(error);
+    }
+  };
+  const completeCallbackRedirect = async () => {
+    const result = await processCallback();
+    window.location.replace(result.redirectTo);
+    return createPendingRedirectPromise();
+  };
+  const logout = async () => {
+    await postEmpty(authEndpoints.logout);
+    sessionStore.setSession(null);
+    broadcastSync.publishSession(null);
+  };
+  const subscribe = sessionStore.subscribe.bind(sessionStore);
+  return {
+    completeCallbackRedirect,
+    getSession,
+    login,
+    logout,
+    processCallback,
+    requireSession,
+    subscribe
+  };
+}
+
+// src/adapters/next/client-guard.ts
+function createPendingRedirectPromise2() {
+  return new Promise(() => {
+  });
+}
+async function ensureClientAuthenticated(client) {
+  const authClient = client ?? createAuthClient();
+  try {
+    return await authClient.requireSession();
+  } catch (error) {
+    if (error instanceof AuthSdkError && error.code === authErrorCode.unauthorized) {
+      authClient.login();
+      return createPendingRedirectPromise2();
+    }
+    throw error;
+  }
+}
+
+export { createNextAuthRouteHandlers, ensureClientAuthenticated, getNextServerSession, getServerSession, requireNextServerSession, requireServerSession, tryGetNextServerSession };
+//# sourceMappingURL=next.js.map
+//# sourceMappingURL=next.js.map