@go-mondo/nextjs-auth 0.1.0

package/dist/session.d.cts

@@ -0,0 +1,71 @@
+import { C as Claims, S as SessionInterface, U as UserProfile, a as SessionAuthorization, b as SessionAuthentication } from './types-CbrOw4QQ.cjs';
+export { A as AnyRequest, c as AnyResponse, I as IdTokenClaims, d as SessionPart } from './types-CbrOw4QQ.cjs';
+
+/**
+ * Serializable session payload stored across sealed cookies.
+ */
+type SerializedSession<UserClaims extends Claims = Claims> = SessionInterface<UserClaims> & {
+    authentication?: SessionAuthentication;
+    authorization?: SessionAuthorization;
+};
+/**
+ * The user's session.
+ *
+ * The public session shape combines the base user claims cookie with optional
+ * authentication and authorization cookies.
+ *
+ * @category Server
+ */
+declare class Session<UserClaims extends Claims = Claims> implements SessionInterface<UserClaims> {
+    /**
+     * The authenticated user (claims from the `id_token`)
+     */
+    user: UserProfile<UserClaims>;
+    /**
+     * A timestamp when authentication / session occurred
+     */
+    issuedAt: number;
+    /**
+     * A timestamp when authentication / session was last updated (touched)
+     */
+    updatedAt: number;
+    /**
+     * A timestamp when the authentication / session is set to expire
+     */
+    expiresAt: number;
+    /**
+     * OAuth access-token state stored separately from the base session payload.
+     */
+    authorization?: SessionAuthorization;
+    /**
+     * OIDC authentication token state stored separately from the base session
+     * payload.
+     */
+    authentication?: SessionAuthentication;
+    [key: string]: any;
+    /**
+     * Creates a normalized session object from sealed cookie payloads.
+     */
+    constructor(props: SerializedSession<UserClaims>);
+}
+
+interface SessionOptions<UserClaims extends Claims = Claims> {
+    /**
+     * Whether this route should also roll the session expiry forward.
+     *
+     * Defaults to `true`.
+     */
+    touch?: boolean;
+    /**
+     * Transform the session prior to returning it
+     *
+     * @param session - Current session, or `undefined` when missing or expired.
+     */
+    transform?: (session: Session<UserClaims> | undefined) => unknown;
+}
+/**
+ * Builds a route handler for the configured session route.
+ */
+type SessionHandler<UserClaims extends Claims = Claims> = (options?: SessionOptions<UserClaims>) => (req: Request) => Promise<Response>;
+
+export { Claims, type SerializedSession, Session, SessionAuthentication, SessionAuthorization, type SessionHandler, SessionInterface, type SessionOptions, UserProfile };

package/dist/session.d.ts

@@ -0,0 +1,71 @@
+import { C as Claims, S as SessionInterface, U as UserProfile, a as SessionAuthorization, b as SessionAuthentication } from './types-CbrOw4QQ.js';
+export { A as AnyRequest, c as AnyResponse, I as IdTokenClaims, d as SessionPart } from './types-CbrOw4QQ.js';
+
+/**
+ * Serializable session payload stored across sealed cookies.
+ */
+type SerializedSession<UserClaims extends Claims = Claims> = SessionInterface<UserClaims> & {
+    authentication?: SessionAuthentication;
+    authorization?: SessionAuthorization;
+};
+/**
+ * The user's session.
+ *
+ * The public session shape combines the base user claims cookie with optional
+ * authentication and authorization cookies.
+ *
+ * @category Server
+ */
+declare class Session<UserClaims extends Claims = Claims> implements SessionInterface<UserClaims> {
+    /**
+     * The authenticated user (claims from the `id_token`)
+     */
+    user: UserProfile<UserClaims>;
+    /**
+     * A timestamp when authentication / session occurred
+     */
+    issuedAt: number;
+    /**
+     * A timestamp when authentication / session was last updated (touched)
+     */
+    updatedAt: number;
+    /**
+     * A timestamp when the authentication / session is set to expire
+     */
+    expiresAt: number;
+    /**
+     * OAuth access-token state stored separately from the base session payload.
+     */
+    authorization?: SessionAuthorization;
+    /**
+     * OIDC authentication token state stored separately from the base session
+     * payload.
+     */
+    authentication?: SessionAuthentication;
+    [key: string]: any;
+    /**
+     * Creates a normalized session object from sealed cookie payloads.
+     */
+    constructor(props: SerializedSession<UserClaims>);
+}
+
+interface SessionOptions<UserClaims extends Claims = Claims> {
+    /**
+     * Whether this route should also roll the session expiry forward.
+     *
+     * Defaults to `true`.
+     */
+    touch?: boolean;
+    /**
+     * Transform the session prior to returning it
+     *
+     * @param session - Current session, or `undefined` when missing or expired.
+     */
+    transform?: (session: Session<UserClaims> | undefined) => unknown;
+}
+/**
+ * Builds a route handler for the configured session route.
+ */
+type SessionHandler<UserClaims extends Claims = Claims> = (options?: SessionOptions<UserClaims>) => (req: Request) => Promise<Response>;
+
+export { Claims, type SerializedSession, Session, SessionAuthentication, SessionAuthorization, type SessionHandler, SessionInterface, type SessionOptions, UserProfile };

package/dist/session.js

@@ -0,0 +1,43 @@
+// src/session/model.ts
+var Session = class {
+  /**
+   * The authenticated user (claims from the `id_token`)
+   */
+  user;
+  /**
+   * A timestamp when authentication / session occurred
+   */
+  issuedAt;
+  /**
+   * A timestamp when authentication / session was last updated (touched)
+   */
+  updatedAt;
+  /**
+   * A timestamp when the authentication / session is set to expire
+   */
+  expiresAt;
+  /**
+   * OAuth access-token state stored separately from the base session payload.
+   */
+  authorization;
+  /**
+   * OIDC authentication token state stored separately from the base session
+   * payload.
+   */
+  authentication;
+  /**
+   * Creates a normalized session object from sealed cookie payloads.
+   */
+  constructor(props) {
+    this.user = props.user;
+    this.issuedAt = props.issuedAt;
+    this.updatedAt = props.updatedAt;
+    this.expiresAt = props.expiresAt;
+    this.authentication = props.authentication;
+    this.authorization = props.authorization;
+  }
+};
+
+export { Session };
+//# sourceMappingURL=session.js.map
+//# sourceMappingURL=session.js.map

package/dist/session.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../src/session/model.ts"],"names":[],"mappings":";AA2BO,IAAM,UAAN,MAEP;AAAA;AAAA;AAAA;AAAA,EAIE,IAAA;AAAA;AAAA;AAAA;AAAA,EAKA,QAAA;AAAA;AAAA;AAAA;AAAA,EAKA,SAAA;AAAA;AAAA;AAAA;AAAA,EAKA,SAAA;AAAA;AAAA;AAAA;AAAA,EAKA,aAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAMA,cAAA;AAAA;AAAA;AAAA;AAAA,EAOA,YAAY,KAAA,EAAsC;AAChD,IAAA,IAAA,CAAK,OAAO,KAAA,CAAM,IAAA;AAClB,IAAA,IAAA,CAAK,WAAW,KAAA,CAAM,QAAA;AACtB,IAAA,IAAA,CAAK,YAAY,KAAA,CAAM,SAAA;AACvB,IAAA,IAAA,CAAK,YAAY,KAAA,CAAM,SAAA;AACvB,IAAA,IAAA,CAAK,iBAAiB,KAAA,CAAM,cAAA;AAC5B,IAAA,IAAA,CAAK,gBAAgB,KAAA,CAAM,aAAA;AAAA,EAC7B;AACF","file":"session.js","sourcesContent":["import type { TokenEndpointResponse } from '../oauth/types';\nimport type {\n  Claims,\n  IdTokenClaims,\n  SessionAuthentication,\n  SessionAuthorization,\n  SessionInterface,\n  UserProfile,\n} from './types';\n\n/**\n * Serializable session payload stored across sealed cookies.\n */\nexport type SerializedSession<UserClaims extends Claims = Claims> =\n  SessionInterface<UserClaims> & {\n    authentication?: SessionAuthentication;\n    authorization?: SessionAuthorization;\n  };\n\n/**\n * The user's session.\n *\n * The public session shape combines the base user claims cookie with optional\n * authentication and authorization cookies.\n *\n * @category Server\n */\nexport class Session<UserClaims extends Claims = Claims>\n  implements SessionInterface<UserClaims>\n{\n  /**\n   * The authenticated user (claims from the `id_token`)\n   */\n  user: UserProfile<UserClaims>;\n\n  /**\n   * A timestamp when authentication / session occurred\n   */\n  issuedAt: number;\n\n  /**\n   * A timestamp when authentication / session was last updated (touched)\n   */\n  updatedAt: number;\n\n  /**\n   * A timestamp when the authentication / session is set to expire\n   */\n  expiresAt: number;\n\n  /**\n   * OAuth access-token state stored separately from the base session payload.\n   */\n  authorization?: SessionAuthorization;\n\n  /**\n   * OIDC authentication token state stored separately from the base session\n   * payload.\n   */\n  authentication?: SessionAuthentication;\n\n  [key: string]: any;\n\n  /**\n   * Creates a normalized session object from sealed cookie payloads.\n   */\n  constructor(props: SerializedSession<UserClaims>) {\n    this.user = props.user;\n    this.issuedAt = props.issuedAt;\n    this.updatedAt = props.updatedAt;\n    this.expiresAt = props.expiresAt;\n    this.authentication = props.authentication;\n    this.authorization = props.authorization;\n  }\n}\n\n/**\n * Converts an OIDC token endpoint response into the session model stored in\n * sealed cookies.\n *\n * @param tokenEndpointResponse - Token endpoint response returned by\n * `openid-client`.\n */\nexport function fromTokenEndpointResponse<UserClaims extends Claims = Claims>(\n  tokenEndpointResponse: TokenEndpointResponse,\n): Session<UserClaims> {\n  const { iat, exp, aud, iss, nonce, ...user } = decodeJwt<IdTokenClaims>(\n    tokenEndpointResponse.id_token as string,\n  );\n\n  const {\n    id_token,\n    access_token,\n    scope,\n    expires_in,\n    expires_at,\n    refresh_token,\n    token_type,\n    ...remainder\n  } = tokenEndpointResponse;\n\n  const authorization = access_token\n    ? {\n        accessToken: access_token,\n        scope,\n        expiresAt: Math.floor(Date.now() / 1000) + Number(expires_in),\n        refreshToken: refresh_token,\n        type: token_type,\n      }\n    : undefined;\n\n  const authentication = id_token\n    ? {\n        idToken: id_token,\n      }\n    : undefined;\n\n  return Object.assign(\n    new Session({\n      user: user as UserProfile<UserClaims>,\n      issuedAt: iat,\n      updatedAt: iat,\n      expiresAt: exp,\n      authorization,\n      authentication,\n    }),\n    remainder,\n  );\n}\n\nfunction decodeJwt<TClaims>(jwt: string): TClaims {\n  const [, payload] = jwt.split('.');\n\n  if (!payload) {\n    throw new TypeError('Invalid JWT payload.');\n  }\n\n  const normalized = payload.replace(/-/g, '+').replace(/_/g, '/');\n  const padded = normalized.padEnd(\n    normalized.length + ((4 - (normalized.length % 4)) % 4),\n    '=',\n  );\n\n  const decoded =\n    typeof atob === 'function'\n      ? atob(padded)\n      : Buffer.from(padded, 'base64').toString('binary');\n\n  const json = decodeURIComponent(\n    Array.from(\n      decoded,\n      (char) => `%${char.charCodeAt(0).toString(16).padStart(2, '0')}`,\n    ).join(''),\n  );\n\n  return JSON.parse(json) as TClaims;\n}\n"]}

package/dist/types-CbrOw4QQ.d.cts

@@ -0,0 +1,108 @@
+type AnyRequest = Request;
+type AnyResponse = Response;
+/**
+ * Key-value store for the user's claims.
+ *
+ * @category Server
+ */
+interface Claims {
+    [key: string]: any;
+}
+/**
+ * Claims decoded from an OIDC `id_token`.
+ */
+type IdTokenClaims<ExtraClaims extends Claims = Claims> = UserProfile<ExtraClaims> & {
+    nonce: string;
+    iat: number;
+    iss: string;
+    aud: string;
+    exp: number;
+};
+/**
+ * Normalized user profile claims exposed on a session.
+ */
+type UserProfile<ExtraClaims extends Claims> = {
+    /**
+     * The tenant context
+     */
+    tnt: string;
+    /**
+     * The user's name
+     */
+    name?: string;
+    /**
+     * The user's family / last name
+     */
+    family_name?: string;
+    /**
+     * The user's given / first name
+     */
+    given_name?: string;
+    /**
+     * The user's primary email address
+     */
+    email?: string;
+    /**
+     * Identifies whether the email is verified
+     */
+    email_verified?: boolean;
+    /**
+     * The user's primary phone number
+     */
+    phone_number?: string;
+    /**
+     * Identifies whether the phone number is verified
+     */
+    phone_number_verified?: boolean;
+} & ExtraClaims;
+interface SessionInterface<UserClaims extends Claims> {
+    /**
+     * The authenticated user
+     */
+    user: UserProfile<UserClaims>;
+    /**
+     * A timestamp when authentication / session occurred
+     */
+    issuedAt: number;
+    /**
+     * A timestamp when authentication / session was last updated (touched)
+     */
+    updatedAt: number;
+    /**
+     * A timestamp when the authentication / session is set to expire
+     */
+    expiresAt: number;
+}
+interface SessionAuthentication {
+    /**
+     * The raw OIDC token
+     */
+    idToken: string;
+}
+interface SessionAuthorization {
+    /**
+     * Bearer token value used for authorized resource requests.
+     */
+    accessToken: string;
+    /**
+     * Space-delimited scopes granted to the access token.
+     */
+    scope?: string | undefined;
+    /**
+     * Epoch seconds when the access token expires.
+     */
+    expiresAt: number;
+    /**
+     * A refresh token, used to obtain a new access token.
+     *
+     * This token is only populated if the `refresh_token` scope is requested
+     */
+    refreshToken?: string | undefined;
+    /**
+     * Token type returned by the identity provider, usually `Bearer`.
+     */
+    type?: string | undefined;
+}
+type SessionPart<UserClaims extends Claims = Claims> = SessionInterface<UserClaims> | SessionAuthentication | SessionAuthorization;
+
+export type { AnyRequest as A, Claims as C, IdTokenClaims as I, SessionInterface as S, UserProfile as U, SessionAuthorization as a, SessionAuthentication as b, AnyResponse as c, SessionPart as d };

package/dist/types-CbrOw4QQ.d.ts

@@ -0,0 +1,108 @@
+type AnyRequest = Request;
+type AnyResponse = Response;
+/**
+ * Key-value store for the user's claims.
+ *
+ * @category Server
+ */
+interface Claims {
+    [key: string]: any;
+}
+/**
+ * Claims decoded from an OIDC `id_token`.
+ */
+type IdTokenClaims<ExtraClaims extends Claims = Claims> = UserProfile<ExtraClaims> & {
+    nonce: string;
+    iat: number;
+    iss: string;
+    aud: string;
+    exp: number;
+};
+/**
+ * Normalized user profile claims exposed on a session.
+ */
+type UserProfile<ExtraClaims extends Claims> = {
+    /**
+     * The tenant context
+     */
+    tnt: string;
+    /**
+     * The user's name
+     */
+    name?: string;
+    /**
+     * The user's family / last name
+     */
+    family_name?: string;
+    /**
+     * The user's given / first name
+     */
+    given_name?: string;
+    /**
+     * The user's primary email address
+     */
+    email?: string;
+    /**
+     * Identifies whether the email is verified
+     */
+    email_verified?: boolean;
+    /**
+     * The user's primary phone number
+     */
+    phone_number?: string;
+    /**
+     * Identifies whether the phone number is verified
+     */
+    phone_number_verified?: boolean;
+} & ExtraClaims;
+interface SessionInterface<UserClaims extends Claims> {
+    /**
+     * The authenticated user
+     */
+    user: UserProfile<UserClaims>;
+    /**
+     * A timestamp when authentication / session occurred
+     */
+    issuedAt: number;
+    /**
+     * A timestamp when authentication / session was last updated (touched)
+     */
+    updatedAt: number;
+    /**
+     * A timestamp when the authentication / session is set to expire
+     */
+    expiresAt: number;
+}
+interface SessionAuthentication {
+    /**
+     * The raw OIDC token
+     */
+    idToken: string;
+}
+interface SessionAuthorization {
+    /**
+     * Bearer token value used for authorized resource requests.
+     */
+    accessToken: string;
+    /**
+     * Space-delimited scopes granted to the access token.
+     */
+    scope?: string | undefined;
+    /**
+     * Epoch seconds when the access token expires.
+     */
+    expiresAt: number;
+    /**
+     * A refresh token, used to obtain a new access token.
+     *
+     * This token is only populated if the `refresh_token` scope is requested
+     */
+    refreshToken?: string | undefined;
+    /**
+     * Token type returned by the identity provider, usually `Bearer`.
+     */
+    type?: string | undefined;
+}
+type SessionPart<UserClaims extends Claims = Claims> = SessionInterface<UserClaims> | SessionAuthentication | SessionAuthorization;
+
+export type { AnyRequest as A, Claims as C, IdTokenClaims as I, SessionInterface as S, UserProfile as U, SessionAuthorization as a, SessionAuthentication as b, AnyResponse as c, SessionPart as d };

package/package.json

@@ -0,0 +1,146 @@
+{
+  "name": "@go-mondo/nextjs-auth",
+  "version": "0.1.0",
+  "description": "Next.js authentication helpers for Mondo Identity.",
+  "license": "MIT",
+  "type": "module",
+  "sideEffects": false,
+  "main": "./dist/client.cjs",
+  "module": "./dist/client.js",
+  "types": "./dist/client.d.ts",
+  "packageManager": "pnpm@10.32.1",
+  "engines": {
+    "node": ">=20"
+  },
+  "repository": {
+    "type": "git",
+    "url": "git+https://github.com/go-mondo/nextjs-auth.git"
+  },
+  "bugs": {
+    "url": "https://github.com/go-mondo/nextjs-auth/issues"
+  },
+  "homepage": "https://github.com/go-mondo/nextjs-auth#readme",
+  "publishConfig": {
+    "access": "public"
+  },
+  "files": [
+    "dist"
+  ],
+  "exports": {
+    ".": {
+      "import": {
+        "types": "./dist/client.d.ts",
+        "default": "./dist/client.js"
+      },
+      "require": {
+        "types": "./dist/client.d.cts",
+        "default": "./dist/client.cjs"
+      }
+    },
+    "./client": {
+      "import": {
+        "types": "./dist/client.d.ts",
+        "default": "./dist/client.js"
+      },
+      "require": {
+        "types": "./dist/client.d.cts",
+        "default": "./dist/client.cjs"
+      }
+    },
+    "./config": {
+      "import": {
+        "types": "./dist/config.d.ts",
+        "default": "./dist/config.js"
+      },
+      "require": {
+        "types": "./dist/config.d.cts",
+        "default": "./dist/config.cjs"
+      }
+    },
+    "./errors": {
+      "import": {
+        "types": "./dist/errors.d.ts",
+        "default": "./dist/errors.js"
+      },
+      "require": {
+        "types": "./dist/errors.d.cts",
+        "default": "./dist/errors.cjs"
+      }
+    },
+    "./oauth": {
+      "import": {
+        "types": "./dist/oauth.d.ts",
+        "default": "./dist/oauth.js"
+      },
+      "require": {
+        "types": "./dist/oauth.d.cts",
+        "default": "./dist/oauth.cjs"
+      }
+    },
+    "./hooks": {
+      "import": {
+        "types": "./dist/hooks.d.ts",
+        "default": "./dist/hooks.js"
+      },
+      "require": {
+        "types": "./dist/hooks.d.cts",
+        "default": "./dist/hooks.cjs"
+      }
+    },
+    "./session": {
+      "import": {
+        "types": "./dist/session.d.ts",
+        "default": "./dist/session.js"
+      },
+      "require": {
+        "types": "./dist/session.d.cts",
+        "default": "./dist/session.cjs"
+      }
+    },
+    "./package.json": "./package.json"
+  },
+  "scripts": {
+    "build": "tsup",
+    "check": "pnpm run type-check && pnpm run build && pnpm run type-check:examples && pnpm run lint && pnpm run format:check && pnpm run test",
+    "clean": "rimraf dist",
+    "dev:example:client": "pnpm --filter @go-mondo/nextjs-auth-example-client-profile dev",
+    "dev:example:server": "pnpm --filter @go-mondo/nextjs-auth-example-server-profile dev",
+    "format": "biome format --write .",
+    "format:check": "biome format .",
+    "lint": "biome lint .",
+    "lint:fix": "biome lint --write .",
+    "prepare": "husky",
+    "commitlint": "commitlint",
+    "test": "vitest run",
+    "test:coverage": "vitest run --coverage",
+    "test:watch": "vitest",
+    "type-check": "tsc --noEmit",
+    "type-check:examples": "pnpm --filter @go-mondo/nextjs-auth-example-server-profile type-check && pnpm --filter @go-mondo/nextjs-auth-example-client-profile type-check",
+    "prepack": "pnpm run build"
+  },
+  "dependencies": {
+    "cookie": "^1.0.2",
+    "iron-session": "^8.0.4",
+    "openid-client": "^6.8.1",
+    "zod": "4.4.3"
+  },
+  "peerDependencies": {
+    "@tanstack/react-query": ">=5",
+    "react": ">=18",
+    "next": ">=15"
+  },
+  "devDependencies": {
+    "@biomejs/biome": "^2.2.0",
+    "@commitlint/cli": "^19.8.1",
+    "@commitlint/config-conventional": "^19.8.1",
+    "@tanstack/react-query": "^5.95.2",
+    "@types/node": "^20.19.37",
+    "@vitest/coverage-v8": "^3.2.3",
+    "husky": "^9.1.7",
+    "next": "^16.0.3",
+    "rimraf": "^6.1.2",
+    "tsup": "^8.5.1",
+    "typescript": "^5.9.3",
+    "vitest": "^3.2.3"
+  }
+}