@go-mondo/nextjs-auth 0.1.0

package/dist/client.cjs

@@ -0,0 +1,1324 @@
+'use strict';
+
+var server_js = require('next/server.js');
+var ironSession = require('iron-session');
+var cookie = require('cookie');
+var headers_js = require('next/headers.js');
+var oidc = require('openid-client');
+var zod = require('zod');
+
+function _interopNamespace(e) {
+  if (e && e.__esModule) return e;
+  var n = Object.create(null);
+  if (e) {
+    Object.keys(e).forEach(function (k) {
+      if (k !== 'default') {
+        var d = Object.getOwnPropertyDescriptor(e, k);
+        Object.defineProperty(n, k, d.get ? d : {
+          enumerable: true,
+          get: function () { return e[k]; }
+        });
+      }
+    });
+  }
+  n.default = e;
+  return Object.freeze(n);
+}
+
+var oidc__namespace = /*#__PURE__*/_interopNamespace(oidc);
+
+// src/client.ts
+
+// src/errors/auth.ts
+function appendCause(errorMessage, cause) {
+  if (!cause) return errorMessage;
+  const separator = errorMessage.endsWith(".") ? "" : ".";
+  return `${errorMessage}${separator} CAUSE: ${cause.message}`;
+}
+var AuthError = class extends Error {
+  /**
+   * A machine-readable error code that remains stable within a major version of the SDK. You
+   * should rely on this error code to handle errors. In contrast, the error message is not part of
+   * the API and can change anytime. Do **not** parse or otherwise rely on the error message to
+   * handle errors.
+   */
+  code;
+  /**
+   * The error class name.
+   */
+  name;
+  /**
+   * The underlying error, if any.
+   *
+   * **IMPORTANT** When this error is from the Identity Provider ({@link IdentityProviderError}) it can contain user
+   * input and is only escaped using basic escaping for putting untrusted data directly into the HTML body.
+   *
+   * You should **not** render this error without using a templating engine that will properly escape it for other
+   * HTML contexts first.
+   */
+  cause;
+  /**
+   * The HTTP status code, if any.
+   */
+  status;
+  /**
+   * @param options - Error metadata used by SDK-specific subclasses.
+   */
+  constructor(options) {
+    super(appendCause(options.message, options.cause));
+    this.code = options.code;
+    this.name = options.name;
+    this.cause = options.cause;
+    this.status = options.status;
+  }
+};
+
+// src/errors/access-token.ts
+var AccessTokenError = class _AccessTokenError extends AuthError {
+  /**
+   * @param code - Stable machine-readable error code.
+   * @param message - Human-readable diagnostic message.
+   * @param cause - Optional lower-level error.
+   */
+  constructor(code, message, cause) {
+    super({ code, message, name: "AccessTokenError", cause });
+    Error.captureStackTrace(this, this.constructor);
+    Object.setPrototypeOf(this, _AccessTokenError.prototype);
+  }
+};
+
+// src/crypto/secrets.ts
+function getSecrets(config) {
+  const secretsArray = Array.isArray(config.secret) ? config.secret : [config.secret];
+  const secrets = {};
+  secretsArray.forEach((secret, index) => {
+    secrets[secretsArray.length - index] = secret;
+  });
+  return secrets;
+}
+async function cookieFactory(req, res) {
+  if (req) {
+    return new HttpCookieStore(req, res);
+  }
+  return headers_js.cookies();
+}
+var HttpCookieStore = class {
+  constructor(req, res) {
+    this.req = req;
+    this.res = res;
+  }
+  req;
+  res;
+  get(cookieName) {
+    const value = cookie.parse(this.req.headers.get("cookie") ?? "")[cookieName];
+    return value === void 0 ? void 0 : { name: cookieName, value };
+  }
+  set(nameOrOptions, value, cookie) {
+    if (typeof nameOrOptions === "string") {
+      return this.setCookie(nameOrOptions, value, cookie);
+    }
+    return this.setCookie(
+      nameOrOptions.name,
+      nameOrOptions.value,
+      nameOrOptions
+    );
+  }
+  setCookie(name, value, cookie$1) {
+    if (!this.res) {
+      return;
+    }
+    const cookieValue = cookie.serialize(name, value, cookie$1);
+    this.res.headers.append("set-cookie", cookieValue);
+  }
+};
+
+// src/session/model.ts
+var Session = class {
+  /**
+   * The authenticated user (claims from the `id_token`)
+   */
+  user;
+  /**
+   * A timestamp when authentication / session occurred
+   */
+  issuedAt;
+  /**
+   * A timestamp when authentication / session was last updated (touched)
+   */
+  updatedAt;
+  /**
+   * A timestamp when the authentication / session is set to expire
+   */
+  expiresAt;
+  /**
+   * OAuth access-token state stored separately from the base session payload.
+   */
+  authorization;
+  /**
+   * OIDC authentication token state stored separately from the base session
+   * payload.
+   */
+  authentication;
+  /**
+   * Creates a normalized session object from sealed cookie payloads.
+   */
+  constructor(props) {
+    this.user = props.user;
+    this.issuedAt = props.issuedAt;
+    this.updatedAt = props.updatedAt;
+    this.expiresAt = props.expiresAt;
+    this.authentication = props.authentication;
+    this.authorization = props.authorization;
+  }
+};
+function fromTokenEndpointResponse(tokenEndpointResponse) {
+  const { iat, exp, aud, iss, nonce, ...user } = decodeJwt(
+    tokenEndpointResponse.id_token
+  );
+  const {
+    id_token,
+    access_token,
+    scope,
+    expires_in,
+    expires_at,
+    refresh_token,
+    token_type,
+    ...remainder
+  } = tokenEndpointResponse;
+  const authorization = access_token ? {
+    accessToken: access_token,
+    scope,
+    expiresAt: Math.floor(Date.now() / 1e3) + Number(expires_in),
+    refreshToken: refresh_token,
+    type: token_type
+  } : void 0;
+  const authentication = id_token ? {
+    idToken: id_token
+  } : void 0;
+  return Object.assign(
+    new Session({
+      user,
+      issuedAt: iat,
+      updatedAt: iat,
+      expiresAt: exp,
+      authorization,
+      authentication
+    }),
+    remainder
+  );
+}
+function decodeJwt(jwt) {
+  const [, payload] = jwt.split(".");
+  if (!payload) {
+    throw new TypeError("Invalid JWT payload.");
+  }
+  const normalized = payload.replace(/-/g, "+").replace(/_/g, "/");
+  const padded = normalized.padEnd(
+    normalized.length + (4 - normalized.length % 4) % 4,
+    "="
+  );
+  const decoded = typeof atob === "function" ? atob(padded) : Buffer.from(padded, "base64").toString("binary");
+  const json = decodeURIComponent(
+    Array.from(
+      decoded,
+      (char) => `%${char.charCodeAt(0).toString(16).padStart(2, "0")}`
+    ).join("")
+  );
+  return JSON.parse(json);
+}
+
+// src/session/assert.ts
+var assertBoolean = (bool2, msg) => {
+  if (!bool2) {
+    throw new Error(msg);
+  }
+};
+
+// src/session/utils.ts
+var epoch = () => Date.now() / 1e3 | 0;
+
+// src/session/stores/abstract-store.ts
+var AbstractSessionStore = class {
+  constructor(config) {
+    this.config = config;
+  }
+  config;
+  /**
+   * Reads and validates the current session.
+   *
+   * @returns The session, or `undefined` when missing, expired, or malformed.
+   */
+  async get() {
+    const { absoluteDuration, idleDuration } = this.config.session;
+    const now = epoch();
+    try {
+      const session = await this._get();
+      if (session) {
+        assertBoolean(
+          session.expiresAt > now,
+          "it is expired based on the effective session expiry"
+        );
+        if (idleDuration !== false) {
+          assertBoolean(
+            session.updatedAt + idleDuration > now,
+            "it is expired based on current idleDuration rules"
+          );
+        }
+        if (absoluteDuration !== false) {
+          assertBoolean(
+            session.issuedAt + absoluteDuration > now,
+            "it is expired based on current absoluteDuration rules"
+          );
+        }
+        return session;
+      }
+    } catch {
+      return void 0;
+    }
+    return void 0;
+  }
+  /**
+   * Persists a complete session.
+   */
+  async set(session) {
+    session.expiresAt = calculateExp(session.updatedAt, this.config, {
+      issuedAt: session.issuedAt
+    });
+    await this._set(session);
+  }
+  /**
+   * Clears the session from the backing store.
+   */
+  async delete() {
+    await this._delete();
+  }
+  /**
+   * Updates idle expiry timestamps and persists the session.
+   *
+   * When idle sessions are disabled, this returns the current session
+   * without modifying cookies.
+   */
+  async touch() {
+    const session = await this.get();
+    if (!session) {
+      return;
+    }
+    if (this.config.session.idleDuration === false) {
+      return session;
+    }
+    const updatedAt = epoch();
+    const expiresAt = calculateExp(updatedAt, this.config, {
+      issuedAt: session.issuedAt
+    });
+    session.updatedAt = updatedAt;
+    session.expiresAt = expiresAt;
+    await this.set(session);
+    return session;
+  }
+};
+function calculateExp(updatedAt, config, session) {
+  const { absoluteDuration, idleDuration } = config.session;
+  const candidates = [];
+  if (idleDuration !== false) {
+    candidates.push(updatedAt + idleDuration);
+  }
+  if (absoluteDuration !== false) {
+    candidates.push(session.issuedAt + absoluteDuration);
+  }
+  return Math.min(...candidates);
+}
+
+// src/session/stores/stateless-store.ts
+function sessionStoreFactory(config, request, response) {
+  return new NewStatelessSessionStore(config, request, response);
+}
+var NewStatelessSessionStore = class extends AbstractSessionStore {
+  constructor(config, request = void 0, response = void 0, cookieStore = () => cookieFactory(request, response)) {
+    super(config);
+    this.cookieStore = cookieStore;
+    this.cookieName = config.session.name;
+    this.cookieOptions = {
+      ...config.session.cookie,
+      httpOnly: true
+    };
+    this.secrets = getSecrets(config);
+  }
+  cookieStore;
+  secrets;
+  cookieName;
+  cookieOptions;
+  async _get() {
+    const [session, authorization, authentication] = await this.getAllCookies();
+    if (!session.data) {
+      return void 0;
+    }
+    return new Session({
+      ...session.data,
+      authorization: authorization.data || void 0,
+      authentication: authentication.data || void 0
+    });
+  }
+  async _set(payload) {
+    const [session, authorization, authentication] = await this.getAllCookies();
+    const {
+      user,
+      issuedAt,
+      updatedAt,
+      expiresAt,
+      authorization: authz,
+      authentication: authn
+    } = payload;
+    session.data = { user, issuedAt, updatedAt, expiresAt };
+    authentication.data = authn;
+    authorization.data = authz;
+    await Promise.all([
+      session.save(),
+      authorization.save(),
+      authentication.save()
+    ]);
+  }
+  async _delete() {
+    const [session, authorization, authentication] = await this.getAllCookies();
+    await Promise.all([
+      session.destroy(),
+      authorization.destroy(),
+      authentication.destroy()
+    ]);
+  }
+  async getAllCookies() {
+    return await Promise.all([
+      this.getCookie("Session"),
+      this.getCookie("Authorization"),
+      this.getCookie("Authentication")
+    ]);
+  }
+  async getCookie(type) {
+    const ironSession$1 = await ironSession.getIronSession(await this.cookieStore(this.config), {
+      cookieName: `${this.cookieName}.${type}`,
+      password: this.secrets,
+      cookieOptions: this.cookieOptions
+    });
+    return ironSession$1;
+  }
+};
+async function discoverOIDC(config) {
+  const isLocalDevelopment = config.issuerBaseURL.includes("localhost") || config.issuerBaseURL.includes("127.0.0.1");
+  return await oidc__namespace.discovery(
+    new URL(config.issuerBaseURL),
+    config.clientId,
+    config.clientSecret,
+    void 0,
+    isLocalDevelopment ? {
+      execute: [oidc__namespace.allowInsecureRequests]
+    } : void 0
+  );
+}
+
+// src/oauth/access-token.ts
+function getAccessTokenFactory(instance) {
+  return async (options = {}) => {
+    const sessionStore = sessionStoreFactory(instance.config);
+    const session = await sessionStore.get();
+    if (!session?.user) {
+      throw new AccessTokenError(
+        "ERR_MISSING_SESSION" /* MISSING_SESSION */,
+        "A session is required to get an access token."
+      );
+    }
+    const authorization = session.authorization;
+    if (!authorization?.accessToken) {
+      throw new AccessTokenError(
+        "ERR_MISSING_ACCESS_TOKEN" /* MISSING_ACCESS_TOKEN */,
+        "The session does not contain an access token."
+      );
+    }
+    if (canUseAccessToken(authorization, options)) {
+      return toAccessTokenResult(authorization);
+    }
+    if (!authorization.refreshToken) {
+      throw new AccessTokenError(
+        isExpired(authorization, options) ? "ERR_EXPIRED_ACCESS_TOKEN" /* EXPIRED_ACCESS_TOKEN */ : "ERR_INSUFFICIENT_SCOPE" /* INSUFFICIENT_SCOPE */,
+        "The access token cannot be refreshed because the session does not contain a refresh token."
+      );
+    }
+    return refreshAccessToken(instance, session, options);
+  };
+}
+async function refreshAccessToken(instance, session, options) {
+  const oidc2 = await import('openid-client');
+  const authorization = session.authorization;
+  if (!authorization?.refreshToken) {
+    throw new AccessTokenError(
+      "ERR_MISSING_REFRESH_TOKEN" /* MISSING_REFRESH_TOKEN */,
+      "The session does not contain a refresh token."
+    );
+  }
+  try {
+    const params = getRefreshParameters(options);
+    const tokens = await oidc2.refreshTokenGrant(
+      await discoverOIDC(instance.config),
+      authorization.refreshToken,
+      params
+    );
+    if (!tokens.access_token) {
+      throw new AccessTokenError(
+        "ERR_FAILED_REFRESH_GRANT" /* FAILED_REFRESH_GRANT */,
+        "The refresh grant did not return an access token."
+      );
+    }
+    const refreshedAuthorization = {
+      accessToken: tokens.access_token,
+      expiresAt: epoch() + Number(tokens.expires_in ?? authorization.expiresAt - epoch()),
+      scope: tokens.scope ?? normalizeScopes(options.scopes) ?? authorization.scope,
+      refreshToken: tokens.refresh_token ?? authorization.refreshToken,
+      type: tokens.token_type ?? authorization.type
+    };
+    session.authorization = refreshedAuthorization;
+    await sessionStoreFactory(instance.config).set(session);
+    return toAccessTokenResult(refreshedAuthorization);
+  } catch (error) {
+    if (error instanceof AccessTokenError) {
+      throw error;
+    }
+    throw new AccessTokenError(
+      "ERR_FAILED_REFRESH_GRANT" /* FAILED_REFRESH_GRANT */,
+      "The refresh grant failed.",
+      error instanceof Error ? error : void 0
+    );
+  }
+}
+function canUseAccessToken(authorization, options) {
+  return options.refresh !== true && !isExpired(authorization, options) && hasScopes(authorization.scope, options.scopes);
+}
+function isExpired(authorization, options) {
+  const skew = options.refreshBeforeExpiresIn ?? 60;
+  return authorization.expiresAt <= epoch() + skew;
+}
+function hasScopes(grantedScope, requiredScopes) {
+  const required = normalizeScopes(requiredScopes);
+  if (!required) {
+    return true;
+  }
+  const granted = new Set((grantedScope ?? "").split(/\s+/).filter(Boolean));
+  return required.split(/\s+/).every((scope) => granted.has(scope));
+}
+function getRefreshParameters(options) {
+  const scope = normalizeScopes(options.scopes);
+  if (!scope) {
+    return void 0;
+  }
+  const params = new URLSearchParams();
+  params.set("scope", scope);
+  return params;
+}
+function normalizeScopes(scopes) {
+  if (Array.isArray(scopes)) {
+    return scopes.join(" ");
+  }
+  return scopes;
+}
+function toAccessTokenResult(authorization) {
+  return {
+    accessToken: authorization.accessToken,
+    expiresAt: authorization.expiresAt,
+    scope: authorization.scope,
+    type: authorization.type
+  };
+}
+
+// src/errors/config.ts
+var ConfigError = class _ConfigError extends AuthError {
+  static code = "ERR_CONFIG_VALIDATION";
+  /**
+   * Standard Schema validation issues for the invalid configuration.
+   */
+  issues;
+  /**
+   * @param issues - Standard Schema validation issues.
+   */
+  constructor(issues) {
+    super({
+      code: _ConfigError.code,
+      message: `Invalid @go-mondo/nextjs-auth configuration:
+${formatIssues(
+        issues
+      )}`,
+      name: "ConfigError"
+    });
+    this.issues = issues;
+    Error.captureStackTrace(this, this.constructor);
+    Object.setPrototypeOf(this, _ConfigError.prototype);
+  }
+};
+function formatIssues(issues) {
+  return issues.map((issue) => {
+    const path = issue.path?.length ? issue.path.map(formatPathSegment).join(".") : "config";
+    return `- ${path}: ${issue.message}`;
+  }).join("\n");
+}
+function formatPathSegment(segment) {
+  return typeof segment === "object" && segment !== null && "key" in segment ? String(segment.key) : String(segment);
+}
+
+// src/config/routes.ts
+var DEFAULT_ROUTES = {
+  login: "/auth/login",
+  callback: "/auth/callback",
+  logout: "/auth/logout",
+  session: "/auth/session",
+  accessToken: "/auth/access-token",
+  postLogoutRedirect: "/"
+};
+var RelativePathSchema = zod.z.string().startsWith("/", 'Must start with "/".').refine((value) => !value.includes("//"), 'Must not contain "//".').describe(
+  'An application-relative path, such as "/auth/login". Double slashes are not allowed.'
+);
+var StringUrlSchema = zod.z.string().url().transform((value) => value.replace(/\/+$/, "")).describe("An absolute URL. Trailing slashes are removed after parsing.");
+var AuthorizationParamValueSchema = zod.z.union([
+  zod.z.string(),
+  zod.z.number(),
+  zod.z.boolean()
+]);
+var SessionSchema = zod.z.object({
+  name: zod.z.string().optional().default("Mondo").describe("Cookie name prefix used for the session cookie set."),
+  idleDuration: zod.z.union([zod.z.number().positive(), zod.z.literal(false)]).default(24 * 60 * 60).describe(
+    "Idle session duration in seconds. Set to false to disable activity-based session extension."
+  ),
+  absoluteDuration: zod.z.union([zod.z.number().positive(), zod.z.literal(false)]).default(false).describe(
+    "Absolute session duration in seconds from login. Set to false to disable a hard maximum lifetime."
+  ),
+  cookie: zod.z.object({
+    domain: zod.z.string().optional().describe("Optional domain shared by session cookies."),
+    path: RelativePathSchema.optional().default("/").describe("Path scope for session cookies."),
+    httpOnly: zod.z.boolean().optional().default(true).describe("Always true for server-managed authentication cookies."),
+    sameSite: zod.z.enum(["lax", "strict", "none"]).optional().default("lax").describe("SameSite policy used for session cookies."),
+    secure: zod.z.boolean().default(true).describe("Whether session cookies require HTTPS.")
+  }).describe("Cookie options for the tamper-proof iron-session cookies.")
+}).refine(
+  (session) => session.idleDuration !== false || session.absoluteDuration !== false,
+  "At least one of idleDuration or absoluteDuration must be enabled."
+).describe("Application session storage and expiration settings.");
+var Schema = zod.z.object({
+  authorization: zod.z.object({
+    response_type: zod.z.enum(["code"]).default("code").describe(
+      "OAuth response type. This SDK uses authorization code flow."
+    ),
+    scope: zod.z.string().default("openid profile email").describe("Default scopes requested during login."),
+    response_mode: zod.z.enum(["query", "form_post"]).default("query").describe(
+      "How the authorization response is returned to the callback."
+    ),
+    audience: zod.z.string().optional().describe("Optional API audience for access token issuance."),
+    display: zod.z.enum(["page", "popup", "touch", "wap"]).optional().describe(
+      "OIDC display preference forwarded to the authorization URL."
+    ),
+    prompt: zod.z.enum(["none", "login", "consent", "select_account"]).optional().describe("OIDC prompt behavior forwarded to the authorization URL."),
+    max_age: zod.z.number().optional().describe("Maximum authentication age, in seconds."),
+    ui_locales: zod.z.string().optional().describe("Preferred UI locales sent to the identity provider."),
+    id_token_hint: zod.z.string().optional().describe("Optional ID token hint sent to the identity provider."),
+    login_hint: zod.z.string().optional().describe("Optional login hint sent to the identity provider."),
+    acr_values: zod.z.string().optional().describe("Optional authentication context values.")
+  }).catchall(AuthorizationParamValueSchema).describe(
+    "Authorization URL parameters. Unknown string, number, and boolean values are preserved for provider-specific options."
+  ),
+  baseURL: StringUrlSchema.describe(
+    "Public application origin used to construct default redirect URLs."
+  ),
+  clientId: zod.z.string().min(1).describe("OIDC client identifier for this Next.js application."),
+  clientSecret: zod.z.string().min(1).describe("OIDC client secret used for token endpoint authentication."),
+  issuerBaseURL: StringUrlSchema.describe(
+    "Issuer origin used for OIDC discovery and logout redirects."
+  ),
+  secret: zod.z.union([zod.z.string().min(32), zod.z.array(zod.z.string().min(32)).min(1)]).describe(
+    "Secret or rotated secrets used by iron-session to seal transaction and session cookies."
+  ),
+  session: SessionSchema,
+  routes: zod.z.object({
+    login: RelativePathSchema.default("/auth/login").describe(
+      "Route that starts the login transaction."
+    ),
+    callback: RelativePathSchema.default("/auth/callback").describe(
+      "Route that completes the authorization code exchange."
+    ),
+    logout: RelativePathSchema.default("/auth/logout").describe(
+      "Route that clears the application session."
+    ),
+    session: RelativePathSchema.default("/auth/session").describe(
+      "Route that returns the current session as JSON."
+    ),
+    accessToken: RelativePathSchema.default("/auth/access-token").describe(
+      "Route that returns or refreshes the current access token."
+    ),
+    postLogoutRedirect: RelativePathSchema.default("/").describe(
+      "Application path to redirect to after logout."
+    )
+  }).describe("Application routes mounted by the auth client."),
+  transaction: zod.z.object({
+    name: zod.z.string().default("Mondo.Verification").describe(
+      "Cookie name used to store login transaction verification."
+    ),
+    cookie: zod.z.object({
+      domain: zod.z.string().optional().describe("Optional domain shared by transaction cookies."),
+      secure: zod.z.boolean().optional().describe("Whether transaction cookies require HTTPS."),
+      sameSite: zod.z.enum(["lax", "strict", "none"]).default("lax").describe("SameSite policy used for transaction cookies."),
+      path: RelativePathSchema.optional().default("/").describe("Path scope for transaction cookies.")
+    }).describe("Cookie options for temporary login transaction state.")
+  }).describe("Short-lived state used to verify authorization callbacks.")
+}).describe("Validated configuration for @go-mondo/nextjs-auth.");
+var schema_default = Schema;
+
+// src/config/utils.ts
+var FALSEY = ["n", "no", "false", "0", "off"];
+var bool = (param, defaultValue) => {
+  if (param === void 0 || param === "") return defaultValue;
+  if (param && typeof param === "string")
+    return !FALSEY.includes(param.toLowerCase().trim());
+  return !!param;
+};
+var num = (param) => param === void 0 || param === "" ? void 0 : +param;
+
+// src/config/config.ts
+var getConfig = (params = {}) => {
+  const MONDO_SECRET = process.env.MONDO_SECRET;
+  const MONDO_ISSUER_BASE_URL = process.env.MONDO_ISSUER_BASE_URL;
+  const APP_BASE_URL = process.env.APP_BASE_URL || process.env.NEXT_PUBLIC_APP_BASE_URL;
+  const MONDO_CLIENT_ID = process.env.MONDO_CLIENT_ID;
+  const MONDO_CLIENT_SECRET = process.env.MONDO_CLIENT_SECRET;
+  const MONDO_AUDIENCE = process.env.MONDO_AUDIENCE;
+  const MONDO_SCOPE = process.env.MONDO_SCOPE;
+  const CALLBACK_ROUTE = process.env.CALLBACK_ROUTE;
+  const LOGOUT_ROUTE = process.env.LOGOUT_ROUTE;
+  const SESSION_ROUTE = process.env.SESSION_ROUTE;
+  const NEXT_PUBLIC_SESSION_ROUTE = process.env.NEXT_PUBLIC_SESSION_ROUTE;
+  const ACCESS_TOKEN_ROUTE = process.env.ACCESS_TOKEN_ROUTE;
+  const NEXT_PUBLIC_ACCESS_TOKEN_ROUTE = process.env.NEXT_PUBLIC_ACCESS_TOKEN_ROUTE;
+  const POST_LOGOUT_REDIRECT_ROUTE = process.env.POST_LOGOUT_REDIRECT_ROUTE;
+  const MONDO_SESSION_NAME = process.env.MONDO_SESSION_NAME;
+  const MONDO_SESSION_IDLE_DURATION = process.env.MONDO_SESSION_IDLE_DURATION;
+  const MONDO_SESSION_ABSOLUTE_DURATION = process.env.MONDO_SESSION_ABSOLUTE_DURATION;
+  const MONDO_SESSION_COOKIE_DOMAIN = process.env.MONDO_COOKIE_DOMAIN;
+  const MONDO_SESSION_COOKIE_PATH = process.env.MONDO_COOKIE_PATH;
+  const MONDO_SESSION_COOKIE_SECURE = process.env.MONDO_COOKIE_SECURE;
+  const MONDO_SESSION_COOKIE_SAME_SITE = process.env.MONDO_COOKIE_SAME_SITE;
+  const MONDO_TRANSACTION_NAME = process.env.MONDO_TRANSACTION_COOKIE_NAME;
+  const MONDO_TRANSACTION_COOKIE_DOMAIN = process.env.MONDO_TRANSACTION_COOKIE_DOMAIN;
+  const MONDO_TRANSACTION_COOKIE_PATH = process.env.MONDO_TRANSACTION_COOKIE_PATH;
+  const MONDO_TRANSACTION_COOKIE_SAME_SITE = process.env.MONDO_TRANSACTION_COOKIE_SAME_SITE;
+  const MONDO_TRANSACTION_COOKIE_SECURE = process.env.MONDO_TRANSACTION_COOKIE_SECURE;
+  const baseURL = APP_BASE_URL && !/^https?:\/\//.test(APP_BASE_URL) ? `https://${APP_BASE_URL}` : APP_BASE_URL;
+  const result = schema_default.safeParse({
+    secret: MONDO_SECRET,
+    issuerBaseURL: MONDO_ISSUER_BASE_URL,
+    baseURL,
+    clientId: MONDO_CLIENT_ID,
+    clientSecret: MONDO_CLIENT_SECRET,
+    ...params,
+    authorization: {
+      response_type: "code",
+      audience: MONDO_AUDIENCE,
+      scope: MONDO_SCOPE,
+      ...params.authorization
+    },
+    session: {
+      name: MONDO_SESSION_NAME,
+      idleDuration: duration(MONDO_SESSION_IDLE_DURATION),
+      absoluteDuration: duration(MONDO_SESSION_ABSOLUTE_DURATION),
+      ...params.session,
+      cookie: {
+        domain: MONDO_SESSION_COOKIE_DOMAIN,
+        path: MONDO_SESSION_COOKIE_PATH || "/",
+        secure: bool(MONDO_SESSION_COOKIE_SECURE),
+        sameSite: MONDO_SESSION_COOKIE_SAME_SITE,
+        ...params.session?.cookie
+      }
+    },
+    routes: {
+      callback: params.routes?.callback || CALLBACK_ROUTE || DEFAULT_ROUTES.callback,
+      login: params.routes?.login || process.env.NEXT_PUBLIC_LOGIN_ROUTE || DEFAULT_ROUTES.login,
+      logout: params.routes?.logout || LOGOUT_ROUTE || DEFAULT_ROUTES.logout,
+      session: params.routes?.session || SESSION_ROUTE || NEXT_PUBLIC_SESSION_ROUTE || DEFAULT_ROUTES.session,
+      accessToken: params.routes?.accessToken || ACCESS_TOKEN_ROUTE || NEXT_PUBLIC_ACCESS_TOKEN_ROUTE || DEFAULT_ROUTES.accessToken,
+      postLogoutRedirect: params.routes?.postLogoutRedirect || POST_LOGOUT_REDIRECT_ROUTE || DEFAULT_ROUTES.postLogoutRedirect
+    },
+    transaction: {
+      name: MONDO_TRANSACTION_NAME,
+      ...params.transaction,
+      cookie: {
+        domain: MONDO_TRANSACTION_COOKIE_DOMAIN,
+        path: MONDO_TRANSACTION_COOKIE_PATH || "/",
+        secure: bool(MONDO_TRANSACTION_COOKIE_SECURE),
+        sameSite: MONDO_TRANSACTION_COOKIE_SAME_SITE,
+        ...params.transaction?.cookie
+      }
+    }
+  });
+  if (!result.success) {
+    throw new ConfigError(result.error.issues);
+  }
+  return result.data;
+};
+function duration(value) {
+  if (!value) {
+    return void 0;
+  }
+  return Number.isNaN(Number(value)) ? bool(value) : num(value);
+}
+
+// src/core/instance.ts
+var initInstance = (params) => {
+  const config = getConfig(params);
+  return {
+    config
+  };
+};
+
+// src/errors/handlers.ts
+var HandlerError = class extends AuthError {
+  constructor(options) {
+    let status;
+    if ("status" in options.cause) status = options.cause.status;
+    super({ ...options, status });
+  }
+};
+var CallbackHandlerError = class _CallbackHandlerError extends HandlerError {
+  static code = "ERR_CALLBACK_HANDLER_FAILURE";
+  constructor(cause) {
+    super({
+      code: _CallbackHandlerError.code,
+      message: "Callback handler failed.",
+      name: "CallbackHandlerError",
+      cause
+    });
+    Object.setPrototypeOf(this, _CallbackHandlerError.prototype);
+  }
+};
+var LoginHandlerError = class _LoginHandlerError extends HandlerError {
+  static code = "ERR_LOGIN_HANDLER_FAILURE";
+  constructor(cause) {
+    super({
+      code: _LoginHandlerError.code,
+      message: "Login handler failed.",
+      name: "LoginHandlerError",
+      cause
+    });
+    Object.setPrototypeOf(this, _LoginHandlerError.prototype);
+  }
+};
+var LogoutHandlerError = class _LogoutHandlerError extends HandlerError {
+  static code = "ERR_LOGOUT_HANDLER_FAILURE";
+  constructor(cause) {
+    super({
+      code: _LogoutHandlerError.code,
+      message: "Logout handler failed.",
+      name: "LogoutHandlerError",
+      cause
+    });
+    Object.setPrototypeOf(this, _LogoutHandlerError.prototype);
+  }
+};
+
+// src/errors/state.ts
+var MissingStateCookieError = class _MissingStateCookieError extends Error {
+  static message = "Missing state cookie from login request (check login URL, callback URL and cookie config).";
+  status = 400;
+  statusCode = 400;
+  constructor() {
+    super(_MissingStateCookieError.message);
+    Object.setPrototypeOf(this, _MissingStateCookieError.prototype);
+  }
+};
+function transactionStoreFactory(config, cookieStore) {
+  return new TransactionStore(
+    getSecrets(config),
+    cookieStore,
+    config.transaction.name,
+    {
+      ...config.transaction.cookie,
+      httpOnly: true
+    }
+  );
+}
+var TransactionStore = class {
+  constructor(secrets, cookieStore, cookieName, cookieOptions) {
+    this.secrets = secrets;
+    this.cookieStore = cookieStore;
+    this.cookieName = cookieName;
+    this.cookieOptions = cookieOptions;
+  }
+  secrets;
+  cookieStore;
+  cookieName;
+  cookieOptions;
+  /**
+   * Saves transaction verification data in a sealed cookie.
+   */
+  async save(value) {
+    const cookie = await this.getCookie();
+    cookie.code_verifier = value.code_verifier;
+    cookie.nonce = value.nonce;
+    cookie.state = value.state;
+    cookie.max_age = value.max_age;
+    cookie.return_to = value.return_to;
+    return await cookie.save();
+  }
+  async getCookie() {
+    const ironSession$1 = await ironSession.getIronSession(
+      this.cookieStore,
+      {
+        cookieName: this.cookieName,
+        password: this.secrets,
+        cookieOptions: this.cookieOptions
+      }
+    );
+    return ironSession$1;
+  }
+  /**
+   * Reads and destroys the transaction cookie.
+   *
+   * @returns Verification data, or `undefined` when the cookie is missing or
+   * malformed.
+   */
+  async read() {
+    const cookie = await this.getCookie();
+    if (!cookie.code_verifier || !cookie.nonce || !cookie.state) {
+      cookie.destroy();
+      return void 0;
+    }
+    const result = {
+      code_verifier: cookie.code_verifier,
+      nonce: cookie.nonce,
+      state: cookie.state,
+      max_age: cookie.max_age,
+      return_to: cookie.return_to
+    };
+    cookie.destroy();
+    return result;
+  }
+};
+
+// src/routes/callback.ts
+var callbackHandlerFactory = (instance) => (options) => async (req) => {
+  try {
+    const cookieStore = await cookieFactory();
+    return await handler(
+      instance,
+      new URL(req.url),
+      transactionStoreFactory(instance.config, cookieStore),
+      sessionStoreFactory(instance.config),
+      options
+    );
+  } catch (e) {
+    throw new CallbackHandlerError(e);
+  }
+};
+async function handler({ config }, requestUrl, transactionStore, sessionStore, options) {
+  const oidc2 = await import('openid-client');
+  const authVerification = await transactionStore.read();
+  if (!authVerification) {
+    throw new MissingStateCookieError();
+  }
+  const clientConfig = await discoverOIDC(config);
+  const tokens = await oidc2.authorizationCodeGrant(
+    clientConfig,
+    requestUrl,
+    {
+      pkceCodeVerifier: authVerification.code_verifier,
+      expectedState: authVerification.state,
+      expectedNonce: authVerification.nonce,
+      idTokenExpected: true,
+      maxAge: authVerification.max_age
+    },
+    options?.tokenParameters
+  );
+  const session = await fromTokenEndpointResponse(tokens);
+  if (session) {
+    await sessionStore.set(session);
+  }
+  return server_js.NextResponse.redirect(authVerification.return_to || config.baseURL);
+}
+
+// src/oauth/types.ts
+var CodeChallengeMethod = {
+  S256: "S256"
+};
+
+// src/http/url.ts
+function toSafeRedirect(dangerousRedirect, safeBaseUrl) {
+  let url;
+  try {
+    url = new URL(dangerousRedirect, safeBaseUrl);
+  } catch (_e) {
+    return void 0;
+  }
+  if (url.origin === safeBaseUrl.origin) {
+    return url.toString();
+  }
+  return void 0;
+}
+function getAuthorizationRedirectURL(config, origin) {
+  return pathOrURLToURL(config, config.routes.callback, origin);
+}
+function pathOrURLToURL(config, pathOrUrl, origin) {
+  if (pathOrUrl instanceof URL) {
+    return pathOrUrl;
+  }
+  try {
+    return new URL(pathOrUrl);
+  } catch (_) {
+    return new URL(joinURL(origin || config.baseURL, pathOrUrl));
+  }
+}
+function joinURL(base, path) {
+  return `${base.replace(/\/+$/, "")}/${path.replace(/^\/+/, "")}`;
+}
+
+// src/routes/login.ts
+var loginHandlerFactory = (instance) => (options) => async (req) => {
+  try {
+    const url = new URL(req.url);
+    return await handler2(
+      instance,
+      transactionStoreFactory(instance.config, await cookieFactory()),
+      buildOptions(
+        instance.config,
+        options,
+        url.searchParams.get("returnTo"),
+        url.origin
+      ),
+      url.origin
+    );
+  } catch (e) {
+    throw new LoginHandlerError(e);
+  }
+};
+async function handler2({ config }, transactionStore, options, requestOrigin) {
+  const oidc2 = await import('openid-client');
+  const returnTo = options?.returnTo || config.baseURL;
+  const authVerification = {
+    nonce: oidc2.randomNonce(),
+    state: oidc2.randomState(),
+    code_verifier: oidc2.randomPKCECodeVerifier(),
+    return_to: returnTo
+  };
+  const parameters = {
+    redirect_uri: getAuthorizationRedirectURL(config, requestOrigin).toString(),
+    ...config.authorization,
+    ...options?.authorization || {},
+    nonce: authVerification.nonce,
+    state: authVerification.state,
+    code_challenge_method: CodeChallengeMethod.S256,
+    code_challenge: await oidc2.calculatePKCECodeChallenge(
+      authVerification.code_verifier
+    )
+  };
+  if (parameters.max_age) {
+    authVerification.max_age = parameters.max_age;
+  }
+  await transactionStore.save(authVerification);
+  const clientConfig = await discoverOIDC(config);
+  const authorizationUrl = oidc2.buildAuthorizationUrl(
+    clientConfig,
+    toAuthorizationUrlParameters(parameters)
+  );
+  return server_js.NextResponse.redirect(authorizationUrl);
+}
+function toAuthorizationUrlParameters(parameters) {
+  const authorizationUrlParameters = {};
+  for (const [key, value] of Object.entries(parameters)) {
+    if (value !== void 0) {
+      authorizationUrlParameters[key] = String(value);
+    }
+  }
+  return authorizationUrlParameters;
+}
+var buildOptions = (config, opts, dangerousReturnTo, requestOrigin) => {
+  const options = opts || {};
+  if (dangerousReturnTo) {
+    const safeBaseUrl = new URL(
+      options?.authorization?.redirect_uri || requestOrigin || config.baseURL
+    );
+    options.returnTo = toSafeRedirect(dangerousReturnTo, safeBaseUrl);
+  }
+  return options;
+};
+var logoutHandlerFactory = (instance) => (options) => async (req) => {
+  try {
+    const url = new URL(req.url);
+    return await handler3(
+      instance,
+      sessionStoreFactory(instance.config),
+      buildOptions2(
+        instance.config,
+        options,
+        url.searchParams.get("returnTo")
+      )
+    );
+  } catch (e) {
+    throw new LogoutHandlerError(e);
+  }
+};
+async function handler3({ config }, sessionCache, options) {
+  let returnURL = pathOrURLToURL(
+    config,
+    options?.returnTo || config.routes.postLogoutRedirect
+  );
+  await sessionCache.delete();
+  if (options?.singleLogOut) {
+    returnURL = new URL(
+      ["/logout", `redirectTo=${returnURL.toString()}`].join("?"),
+      config.issuerBaseURL
+    );
+  }
+  return server_js.NextResponse.redirect(returnURL);
+}
+var buildOptions2 = (config, opts, dangerousReturnTo) => {
+  const options = opts || {};
+  if (dangerousReturnTo) {
+    const safeBaseUrl = new URL(config.baseURL);
+    options.returnTo = toSafeRedirect(dangerousReturnTo, safeBaseUrl);
+  }
+  return options;
+};
+var sessionHandlerFactory = (instance) => (options) => async (_req) => {
+  return await handler4(
+    sessionStoreFactory(instance.config),
+    options
+  );
+};
+async function handler4(sessionStore, options) {
+  const session = await (options?.touch !== false ? sessionStore.touch() : sessionStore.get());
+  const result = options?.transform ? options?.transform(session) : session;
+  if (!result) {
+    return Response.json(
+      {
+        error: "SessionNotFound",
+        error_description: "Session does not exist or has expired"
+      },
+      { status: 401, statusText: "Unauthorized" }
+    );
+  }
+  return server_js.NextResponse.json(result);
+}
+var accessTokenHandlerFactory = (instance) => (options) => async (req) => {
+  try {
+    const { transform, ...staticOptions } = options ?? {};
+    const requestOptions = await getRequestOptions(req);
+    const token = await getAccessTokenFactory(instance)({
+      ...staticOptions,
+      ...requestOptions ?? {}
+    });
+    return server_js.NextResponse.json(transform?.(token) ?? token);
+  } catch (error) {
+    if (error instanceof AccessTokenError) {
+      return server_js.NextResponse.json(
+        {
+          error: error.code,
+          error_description: error.message
+        },
+        { status: getStatusCode(error.code) }
+      );
+    }
+    throw error;
+  }
+};
+async function getRequestOptions(req) {
+  if (req.method !== "POST") {
+    return void 0;
+  }
+  const body = await readJsonBody(req);
+  if (!isRecord(body)) {
+    return void 0;
+  }
+  const options = {};
+  const scopes = getScopes(body.scopes);
+  if (typeof body.refresh === "boolean") {
+    options.refresh = body.refresh;
+  }
+  if (typeof body.refreshBeforeExpiresIn === "number") {
+    options.refreshBeforeExpiresIn = body.refreshBeforeExpiresIn;
+  }
+  if (scopes) {
+    options.scopes = scopes;
+  }
+  return options;
+}
+async function readJsonBody(req) {
+  try {
+    return await req.json();
+  } catch {
+    return void 0;
+  }
+}
+function getScopes(value) {
+  if (typeof value === "string") {
+    return value;
+  }
+  if (Array.isArray(value) && value.every((scope) => typeof scope === "string")) {
+    return value;
+  }
+  return void 0;
+}
+function isRecord(value) {
+  return Boolean(value && typeof value === "object");
+}
+function getStatusCode(code) {
+  switch (code) {
+    case "ERR_MISSING_SESSION" /* MISSING_SESSION */:
+    case "ERR_MISSING_ACCESS_TOKEN" /* MISSING_ACCESS_TOKEN */:
+    case "ERR_MISSING_REFRESH_TOKEN" /* MISSING_REFRESH_TOKEN */:
+    case "ERR_EXPIRED_ACCESS_TOKEN" /* EXPIRED_ACCESS_TOKEN */:
+      return 401;
+    case "ERR_INSUFFICIENT_SCOPE" /* INSUFFICIENT_SCOPE */:
+      return 403;
+    case "ERR_FAILED_REFRESH_GRANT" /* FAILED_REFRESH_GRANT */:
+      return 502;
+  }
+}
+
+// src/client.ts
+var MondoAuthClient = class {
+  instance;
+  /**
+   * Creates a client and validates configuration immediately.
+   *
+   * @param config - Optional explicit config. Environment variables provide the
+   * remaining values.
+   */
+  constructor(config) {
+    this.instance = initInstance(config);
+  }
+  /**
+   * Validated auth configuration used by this client.
+   */
+  get config() {
+    return this.instance.config;
+  }
+  /**
+   * Returns one route handler that serves all configured auth routes.
+   *
+   * Mount this from a catch-all route such as
+   * `src/app/auth/[...auth]/route.ts`.
+   */
+  handleAuth(options = {}) {
+    return async (request) => {
+      const { pathname } = new URL(request.url);
+      const { routes } = this.config;
+      if (pathname === routes.login) {
+        return this.handleLogin(options.login)(request);
+      }
+      if (pathname === routes.callback) {
+        return this.handleCallback(options.callback)(request);
+      }
+      if (pathname === routes.logout) {
+        return this.handleLogout(options.logout)(request);
+      }
+      if (pathname === routes.session) {
+        return this.handleSession(options.session)(request);
+      }
+      if (pathname === routes.accessToken) {
+        return this.handleAccessToken(options.accessToken)(request);
+      }
+      return server_js.NextResponse.json(
+        {
+          error: "NotFound",
+          error_description: `No Mondo auth route is configured for ${pathname}.`
+        },
+        { status: 404 }
+      );
+    };
+  }
+  /**
+   * Creates a route handler that starts the OIDC login redirect.
+   */
+  handleLogin(options) {
+    return loginHandlerFactory(this.instance)(options);
+  }
+  /**
+   * Creates a route handler that completes the OIDC callback.
+   */
+  handleCallback(options) {
+    return callbackHandlerFactory(this.instance)(options);
+  }
+  /**
+   * Creates a route handler that clears the local session.
+   */
+  handleLogout(options) {
+    return logoutHandlerFactory(this.instance)(options);
+  }
+  /**
+   * Creates a route handler that returns the current session as JSON.
+   */
+  handleSession(options) {
+    return sessionHandlerFactory(this.instance)(options);
+  }
+  /**
+   * Creates a route handler that returns or refreshes the current access token.
+   */
+  handleAccessToken(options) {
+    return accessTokenHandlerFactory(this.instance)(options);
+  }
+  /**
+   * Reads the current sealed-cookie session in server code.
+   */
+  getSession = async () => {
+    return sessionStoreFactory(this.config).get();
+  };
+  /**
+   * Returns the current access token, refreshing with the stored refresh token
+   * when the token is expired or missing required scopes.
+   */
+  getAccessToken = (options) => {
+    return getAccessTokenFactory(this.instance)(options);
+  };
+  /**
+   * Drop this into `proxy.ts` to protect matched routes and keep idle sessions
+   * fresh at the request boundary.
+   */
+  proxy = async (request, options = {}) => {
+    const url = new URL(request.url);
+    if (isAuthRoute(url.pathname, this.config.routes)) {
+      return void 0;
+    }
+    if (isPublicPath(url.pathname, options.publicPaths)) {
+      return void 0;
+    }
+    const response = server_js.NextResponse.next();
+    const sessionStore = sessionStoreFactory(
+      this.config,
+      request,
+      response
+    );
+    const session = await sessionStore.get();
+    if (!session?.user) {
+      const returnTo = typeof options.returnTo === "function" ? await options.returnTo(request) : options.returnTo || `${url.pathname}${url.search}`;
+      return server_js.NextResponse.redirect(
+        new URL(
+          `${this.config.routes.login}?returnTo=${encodeURIComponent(returnTo)}`,
+          url.origin
+        )
+      );
+    }
+    await sessionStore.touch();
+    return response;
+  };
+};
+function createAuth(config) {
+  return new MondoAuthClient(config);
+}
+function isAuthRoute(pathname, routes) {
+  return [
+    routes.login,
+    routes.callback,
+    routes.logout,
+    routes.session,
+    routes.accessToken
+  ].includes(pathname);
+}
+function isPublicPath(pathname, publicPaths = []) {
+  return publicPaths.some(
+    (path) => typeof path === "string" ? pathname.startsWith(path) : path.test(pathname)
+  );
+}
+
+exports.MondoAuthClient = MondoAuthClient;
+exports.createAuth = createAuth;
+//# sourceMappingURL=client.cjs.map
+//# sourceMappingURL=client.cjs.map