@go-mondo/nextjs-auth 0.1.0

package/dist/hooks.d.ts

@@ -0,0 +1,146 @@
+import { QueryKey, UseQueryOptions, UseQueryResult } from '@tanstack/react-query';
+import { G as GetAccessTokenOptions, A as AccessTokenResult } from './access-token-UIlXwi3X.js';
+import { C as Claims, U as UserProfile } from './types-CbrOw4QQ.js';
+
+/**
+ * Options for fetching an access token from browser code.
+ */
+type FetchAccessTokenOptions = GetAccessTokenOptions & {
+    /**
+     * Mounted access-token route. Defaults to `/auth/access-token`.
+     */
+    route?: string;
+    /**
+     * Additional fetch options merged with `credentials: "same-origin"`.
+     */
+    request?: RequestInit;
+};
+/**
+ * Access-token provider for imperative browser API clients.
+ */
+type AccessTokenProvider = {
+    /**
+     * Returns a cached access token when it is still fresh, otherwise calls the
+     * mounted access-token route and stores the result.
+     */
+    getAccessToken: (options?: FetchAccessTokenOptions) => Promise<AccessTokenResult>;
+    /**
+     * Clears the cached entry for the provided route and scopes. Clears every
+     * cached entry when no options are provided.
+     */
+    clear: (options?: Pick<FetchAccessTokenOptions, 'route' | 'scopes'>) => void;
+    /**
+     * Clears every cached entry.
+     */
+    clearAll: () => void;
+};
+/**
+ * Default TanStack Query key used by {@link useAccessToken}.
+ */
+type UseAccessTokenQueryKey = readonly [
+    'mondo-auth',
+    'access-token',
+    string,
+    string | undefined,
+    boolean | undefined,
+    number | undefined
+];
+/**
+ * Options accepted by {@link useAccessToken}.
+ *
+ * All normal TanStack Query options are supported except `queryFn` and
+ * `queryKey`, which are owned by the hook. Pass `queryKey` here to override the
+ * default key.
+ */
+type UseAccessTokenOptions<TData = AccessTokenResult, TQueryKey extends QueryKey = UseAccessTokenQueryKey> = FetchAccessTokenOptions & Omit<UseQueryOptions<AccessTokenResult, Error, TData, TQueryKey>, 'queryFn' | 'queryKey'> & {
+    /**
+     * TanStack Query key. Defaults to route, scopes, refresh, and refresh skew.
+     */
+    queryKey?: TQueryKey;
+};
+/**
+ * Fetches a current access token from the mounted access-token route.
+ *
+ * The server reads the local sealed session and refreshes the token when
+ * needed, when `refresh` is true, or when requested scopes are missing.
+ */
+declare function fetchAccessToken(options?: FetchAccessTokenOptions): Promise<AccessTokenResult>;
+/**
+ * Creates an in-memory access-token cache for imperative browser API clients.
+ *
+ * This is useful when an app needs to make multiple browser-side API calls with
+ * a bearer token. Cached tokens are kept only in memory, are refreshed before
+ * expiry, and concurrent misses share one `/auth/access-token` request.
+ */
+declare function createAccessTokenProvider(defaultOptions?: FetchAccessTokenOptions): AccessTokenProvider;
+/**
+ * TanStack Query hook for a current access token.
+ *
+ * Apps must provide a `QueryClientProvider` above this hook. The hook calls the
+ * app's local access-token endpoint; refresh tokens never leave the server.
+ */
+declare function useAccessToken<TData = AccessTokenResult, TQueryKey extends QueryKey = UseAccessTokenQueryKey>(options?: UseAccessTokenOptions<TData, TQueryKey>): UseQueryResult<TData, Error>;
+
+/**
+ * JSON shapes accepted from the mounted session route.
+ *
+ * The default session route returns `{ user }` as part of the full session, but
+ * apps may transform that route to return the user profile directly.
+ */
+type UserProfileEndpointResponse<UserClaims extends Claims = Claims> = {
+    user?: UserProfile<UserClaims> | null | undefined;
+} | UserProfile<UserClaims> | null | undefined;
+/**
+ * Options for fetching the current user profile from browser code.
+ */
+type FetchUserProfileOptions = {
+    /**
+     * Mounted session route. Defaults to `/auth/session`.
+     */
+    route?: string;
+    /**
+     * Additional fetch options merged with `credentials: "same-origin"`.
+     */
+    request?: RequestInit;
+};
+/**
+ * Default TanStack Query key used by {@link useUserProfile}.
+ */
+type UseUserProfileQueryKey = readonly [
+    'mondo-auth',
+    'user-profile',
+    string
+];
+/**
+ * Options accepted by {@link useUserProfile}.
+ *
+ * All normal TanStack Query options are supported except `queryFn` and
+ * `queryKey`, which are owned by the hook. Pass `queryKey` here to override the
+ * default key.
+ */
+type UseUserProfileOptions<UserClaims extends Claims = Claims, TData = UserProfile<UserClaims> | undefined, TQueryKey extends QueryKey = UseUserProfileQueryKey> = FetchUserProfileOptions & Omit<UseQueryOptions<UserProfile<UserClaims> | undefined, Error, TData, TQueryKey>, 'queryFn' | 'queryKey'> & {
+    /**
+     * TanStack Query key. Defaults to `["mondo-auth", "user-profile", route]`.
+     */
+    queryKey?: TQueryKey;
+};
+/**
+ * Fetches the currently authenticated user profile from the mounted session
+ * route.
+ *
+ * This reads the app's local server-managed session. It does not call the
+ * authorization server directly.
+ *
+ * @returns The current user profile, or `undefined` when no session exists.
+ */
+declare function fetchUserProfile<UserClaims extends Claims = Claims>(options?: FetchUserProfileOptions): Promise<UserProfile<UserClaims> | undefined>;
+/**
+ * TanStack Query hook for the currently authenticated user profile.
+ *
+ * Apps must provide a `QueryClientProvider` above this hook. The hook reads the
+ * app's local session endpoint and caches the resulting user profile in
+ * TanStack Query.
+ */
+declare function useUserProfile<UserClaims extends Claims = Claims, TData = UserProfile<UserClaims> | undefined, TQueryKey extends QueryKey = UseUserProfileQueryKey>(options?: UseUserProfileOptions<UserClaims, TData, TQueryKey>): UseQueryResult<TData, Error>;
+
+export { type AccessTokenProvider, type FetchAccessTokenOptions, type FetchUserProfileOptions, type UseAccessTokenOptions, type UseAccessTokenQueryKey, type UseUserProfileOptions, type UseUserProfileQueryKey, type UserProfileEndpointResponse, createAccessTokenProvider, fetchAccessToken, fetchUserProfile, useAccessToken, useUserProfile };

package/dist/hooks.js

@@ -0,0 +1,230 @@
+'use client';
+import { useQuery } from '@tanstack/react-query';
+
+// src/hooks/access-token.ts
+
+// src/config/routes.ts
+var DEFAULT_ROUTES = {
+  session: "/auth/session",
+  accessToken: "/auth/access-token"};
+function getPublicSessionRoute() {
+  return typeof process === "undefined" ? DEFAULT_ROUTES.session : process.env.NEXT_PUBLIC_SESSION_ROUTE || DEFAULT_ROUTES.session;
+}
+function getPublicAccessTokenRoute() {
+  return typeof process === "undefined" ? DEFAULT_ROUTES.accessToken : process.env.NEXT_PUBLIC_ACCESS_TOKEN_ROUTE || DEFAULT_ROUTES.accessToken;
+}
+
+// src/hooks/access-token.ts
+async function fetchAccessToken(options = {}) {
+  const {
+    refresh,
+    refreshBeforeExpiresIn,
+    request,
+    route = getPublicAccessTokenRoute(),
+    scopes
+  } = options;
+  const body = getRequestBody({ refresh, refreshBeforeExpiresIn, scopes });
+  const headers = new Headers(request?.headers);
+  if (body && !headers.has("content-type")) {
+    headers.set("content-type", "application/json");
+  }
+  const response = await fetch(route, {
+    ...request,
+    body: body ? JSON.stringify(body) : request?.body,
+    credentials: "same-origin",
+    headers,
+    method: body ? "POST" : request?.method
+  });
+  if (!response.ok) {
+    const message = await getErrorMessage(response);
+    throw new Error(message);
+  }
+  return await response.json();
+}
+function createAccessTokenProvider(defaultOptions = {}) {
+  const entries = /* @__PURE__ */ new Map();
+  const loadAccessToken = async (options) => {
+    const key = getAccessTokenCacheKey(options);
+    let promise;
+    promise = fetchAccessToken(options).then(
+      (token) => {
+        entries.set(key, { token });
+        return token;
+      },
+      (error) => {
+        if (entries.get(key)?.promise === promise) {
+          entries.delete(key);
+        }
+        throw error;
+      }
+    );
+    entries.set(key, { promise });
+    return promise;
+  };
+  return {
+    getAccessToken(options = {}) {
+      const mergedOptions = mergeFetchAccessTokenOptions(
+        defaultOptions,
+        options
+      );
+      const key = getAccessTokenCacheKey(mergedOptions);
+      const entry = entries.get(key);
+      if (mergedOptions.refresh !== true && entry?.token && canUseCachedAccessToken(entry.token, mergedOptions)) {
+        return Promise.resolve(entry.token);
+      }
+      if (mergedOptions.refresh !== true && entry?.promise) {
+        return entry.promise;
+      }
+      return loadAccessToken(mergedOptions);
+    },
+    clear(options) {
+      if (!options) {
+        entries.clear();
+        return;
+      }
+      entries.delete(
+        getAccessTokenCacheKey(
+          mergeFetchAccessTokenOptions(defaultOptions, options)
+        )
+      );
+    },
+    clearAll() {
+      entries.clear();
+    }
+  };
+}
+function useAccessToken(options = {}) {
+  const {
+    queryKey,
+    refresh,
+    refreshBeforeExpiresIn,
+    request,
+    route = getPublicAccessTokenRoute(),
+    scopes,
+    ...queryOptions
+  } = options;
+  return useQuery({
+    queryKey: queryKey ?? [
+      "mondo-auth",
+      "access-token",
+      route,
+      normalizeScopes(scopes),
+      refresh,
+      refreshBeforeExpiresIn
+    ],
+    queryFn: () => fetchAccessToken({
+      refresh,
+      refreshBeforeExpiresIn,
+      request,
+      route,
+      scopes
+    }),
+    ...queryOptions
+  });
+}
+function getRequestBody(options) {
+  if (options.refresh === void 0 && options.refreshBeforeExpiresIn === void 0 && options.scopes === void 0) {
+    return void 0;
+  }
+  return options;
+}
+function mergeFetchAccessTokenOptions(defaultOptions, options) {
+  const request = mergeRequestInit(defaultOptions.request, options.request);
+  return {
+    ...defaultOptions,
+    ...options,
+    request
+  };
+}
+function mergeRequestInit(defaultRequest, request) {
+  if (!defaultRequest && !request) {
+    return void 0;
+  }
+  return {
+    ...defaultRequest,
+    ...request,
+    headers: mergeHeaders(defaultRequest?.headers, request?.headers)
+  };
+}
+function mergeHeaders(defaultHeaders, headers) {
+  if (!defaultHeaders && !headers) {
+    return void 0;
+  }
+  const mergedHeaders = new Headers(defaultHeaders);
+  new Headers(headers).forEach((value, key) => {
+    mergedHeaders.set(key, value);
+  });
+  return mergedHeaders;
+}
+function canUseCachedAccessToken(token, options) {
+  const skew = options.refreshBeforeExpiresIn ?? 60;
+  return token.expiresAt > Math.floor(Date.now() / 1e3) + skew;
+}
+function getAccessTokenCacheKey(options) {
+  return JSON.stringify([
+    options.route ?? getPublicAccessTokenRoute(),
+    normalizeScopes(options.scopes)
+  ]);
+}
+async function getErrorMessage(response) {
+  const payload = await readJson(response);
+  if (typeof payload?.error_description === "string") {
+    return payload.error_description;
+  }
+  return `Unable to load an access token (${response.status}).`;
+}
+async function readJson(response) {
+  try {
+    return await response.json();
+  } catch {
+    return void 0;
+  }
+}
+function normalizeScopes(scopes) {
+  return Array.isArray(scopes) ? scopes.join(" ") : scopes;
+}
+async function fetchUserProfile(options = {}) {
+  const { request, route = getPublicSessionRoute() } = options;
+  const response = await fetch(route, {
+    credentials: "same-origin",
+    ...request
+  });
+  if (response.status === 401 || response.status === 403) {
+    return void 0;
+  }
+  if (!response.ok) {
+    throw new Error(`Unable to load the current user (${response.status}).`);
+  }
+  return userProfileFromResponse(
+    await response.json()
+  );
+}
+function useUserProfile(options = {}) {
+  const {
+    queryKey,
+    route = getPublicSessionRoute(),
+    request,
+    ...queryOptions
+  } = options;
+  return useQuery({
+    queryKey: queryKey ?? ["mondo-auth", "user-profile", route],
+    queryFn: () => fetchUserProfile({ request, route }),
+    ...queryOptions
+  });
+}
+function userProfileFromResponse(payload) {
+  if (!payload || typeof payload !== "object") {
+    return void 0;
+  }
+  if ("user" in payload) {
+    return isRecord(payload.user) ? payload.user : void 0;
+  }
+  return payload;
+}
+function isRecord(value) {
+  return Boolean(value && typeof value === "object");
+}
+
+export { createAccessTokenProvider, fetchAccessToken, fetchUserProfile, useAccessToken, useUserProfile };
+//# sourceMappingURL=hooks.js.map
+//# sourceMappingURL=hooks.js.map

package/dist/hooks.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../src/config/routes.ts","../src/hooks/access-token.ts","../src/hooks/user.ts"],"names":["useQuery"],"mappings":";;;;;AAIO,IAAM,cAAA,GAAiB;AAAA,EAI5B,OAAA,EAAS,eAAA;AAAA,EACT,WAAA,EAAa,oBAEf,CAAA;AAQO,SAAS,qBAAA,GAAgC;AAC9C,EAAA,OAAO,OAAO,YAAY,WAAA,GACtB,cAAA,CAAe,UACf,OAAA,CAAQ,GAAA,CAAI,6BAA6B,cAAA,CAAe,OAAA;AAC9D;AAQO,SAAS,yBAAA,GAAoC;AAClD,EAAA,OAAO,OAAO,YAAY,WAAA,GACtB,cAAA,CAAe,cACf,OAAA,CAAQ,GAAA,CAAI,kCAAkC,cAAA,CAAe,WAAA;AACnE;;;ACuDA,eAAsB,gBAAA,CACpB,OAAA,GAAmC,EAAC,EACR;AAC5B,EAAA,MAAM;AAAA,IACJ,OAAA;AAAA,IACA,sBAAA;AAAA,IACA,OAAA;AAAA,IACA,QAAQ,yBAAA,EAA0B;AAAA,IAClC;AAAA,GACF,GAAI,OAAA;AACJ,EAAA,MAAM,OAAO,cAAA,CAAe,EAAE,OAAA,EAAS,sBAAA,EAAwB,QAAQ,CAAA;AACvE,EAAA,MAAM,OAAA,GAAU,IAAI,OAAA,CAAQ,OAAA,EAAS,OAAO,CAAA;AAE5C,EAAA,IAAI,IAAA,IAAQ,CAAC,OAAA,CAAQ,GAAA,CAAI,cAAc,CAAA,EAAG;AACxC,IAAA,OAAA,CAAQ,GAAA,CAAI,gBAAgB,kBAAkB,CAAA;AAAA,EAChD;AAEA,EAAA,MAAM,QAAA,GAAW,MAAM,KAAA,CAAM,KAAA,EAAO;AAAA,IAClC,GAAG,OAAA;AAAA,IACH,MAAM,IAAA,GAAO,IAAA,CAAK,SAAA,CAAU,IAAI,IAAI,OAAA,EAAS,IAAA;AAAA,IAC7C,WAAA,EAAa,aAAA;AAAA,IACb,OAAA;AAAA,IACA,MAAA,EAAQ,IAAA,GAAO,MAAA,GAAS,OAAA,EAAS;AAAA,GAClC,CAAA;AAED,EAAA,IAAI,CAAC,SAAS,EAAA,EAAI;AAChB,IAAA,MAAM,OAAA,GAAU,MAAM,eAAA,CAAgB,QAAQ,CAAA;AAC9C,IAAA,MAAM,IAAI,MAAM,OAAO,CAAA;AAAA,EACzB;AAEA,EAAA,OAAQ,MAAM,SAAS,IAAA,EAAK;AAC9B;AASO,SAAS,yBAAA,CACd,cAAA,GAA0C,EAAC,EACtB;AACrB,EAAA,MAAM,OAAA,uBAAc,GAAA,EAAmC;AAEvD,EAAA,MAAM,eAAA,GAAkB,OAAO,OAAA,KAAqC;AAClE,IAAA,MAAM,GAAA,GAAM,uBAAuB,OAAO,CAAA;AAC1C,IAAA,IAAI,OAAA;AAEJ,IAAA,OAAA,GAAU,gBAAA,CAAiB,OAAO,CAAA,CAAE,IAAA;AAAA,MAClC,CAAC,KAAA,KAAU;AACT,QAAA,OAAA,CAAQ,GAAA,CAAI,GAAA,EAAK,EAAE,KAAA,EAAO,CAAA;AAC1B,QAAA,OAAO,KAAA;AAAA,MACT,CAAA;AAAA,MACA,CAAC,KAAA,KAAU;AACT,QAAA,IAAI,OAAA,CAAQ,GAAA,CAAI,GAAG,CAAA,EAAG,YAAY,OAAA,EAAS;AACzC,UAAA,OAAA,CAAQ,OAAO,GAAG,CAAA;AAAA,QACpB;AAEA,QAAA,MAAM,KAAA;AAAA,MACR;AAAA,KACF;AAEA,IAAA,OAAA,CAAQ,GAAA,CAAI,GAAA,EAAK,EAAE,OAAA,EAAS,CAAA;AAC5B,IAAA,OAAO,OAAA;AAAA,EACT,CAAA;AAEA,EAAA,OAAO;AAAA,IACL,cAAA,CAAe,OAAA,GAAU,EAAC,EAAG;AAC3B,MAAA,MAAM,aAAA,GAAgB,4BAAA;AAAA,QACpB,cAAA;AAAA,QACA;AAAA,OACF;AACA,MAAA,MAAM,GAAA,GAAM,uBAAuB,aAAa,CAAA;AAChD,MAAA,MAAM,KAAA,GAAQ,OAAA,CAAQ,GAAA,CAAI,GAAG,CAAA;AAE7B,MAAA,IACE,aAAA,CAAc,YAAY,IAAA,IAC1B,KAAA,EAAO,SACP,uBAAA,CAAwB,KAAA,CAAM,KAAA,EAAO,aAAa,CAAA,EAClD;AACA,QAAA,OAAO,OAAA,CAAQ,OAAA,CAAQ,KAAA,CAAM,KAAK,CAAA;AAAA,MACpC;AAEA,MAAA,IAAI,aAAA,CAAc,OAAA,KAAY,IAAA,IAAQ,KAAA,EAAO,OAAA,EAAS;AACpD,QAAA,OAAO,KAAA,CAAM,OAAA;AAAA,MACf;AAEA,MAAA,OAAO,gBAAgB,aAAa,CAAA;AAAA,IACtC,CAAA;AAAA,IAEA,MAAM,OAAA,EAAS;AACb,MAAA,IAAI,CAAC,OAAA,EAAS;AACZ,QAAA,OAAA,CAAQ,KAAA,EAAM;AACd,QAAA;AAAA,MACF;AAEA,MAAA,OAAA,CAAQ,MAAA;AAAA,QACN,sBAAA;AAAA,UACE,4BAAA,CAA6B,gBAAgB,OAAO;AAAA;AACtD,OACF;AAAA,IACF,CAAA;AAAA,IAEA,QAAA,GAAW;AACT,MAAA,OAAA,CAAQ,KAAA,EAAM;AAAA,IAChB;AAAA,GACF;AACF;AAQO,SAAS,cAAA,CAId,OAAA,GAAmD,EAAC,EACtB;AAC9B,EAAA,MAAM;AAAA,IACJ,QAAA;AAAA,IACA,OAAA;AAAA,IACA,sBAAA;AAAA,IACA,OAAA;AAAA,IACA,QAAQ,yBAAA,EAA0B;AAAA,IAClC,MAAA;AAAA,IACA,GAAG;AAAA,GACL,GAAI,OAAA;AAEJ,EAAA,OAAO,QAAA,CAAS;AAAA,IACd,UACE,QAAA,IACC;AAAA,MACC,YAAA;AAAA,MACA,cAAA;AAAA,MACA,KAAA;AAAA,MACA,gBAAgB,MAAM,CAAA;AAAA,MACtB,OAAA;AAAA,MACA;AAAA,KACF;AAAA,IACF,OAAA,EAAS,MACP,gBAAA,CAAiB;AAAA,MACf,OAAA;AAAA,MACA,sBAAA;AAAA,MACA,OAAA;AAAA,MACA,KAAA;AAAA,MACA;AAAA,KACD,CAAA;AAAA,IACH,GAAG;AAAA,GAC2D,CAAA;AAClE;AAEA,SAAS,eAAe,OAAA,EAAgC;AACtD,EAAA,IACE,OAAA,CAAQ,YAAY,MAAA,IACpB,OAAA,CAAQ,2BAA2B,MAAA,IACnC,OAAA,CAAQ,WAAW,MAAA,EACnB;AACA,IAAA,OAAO,MAAA;AAAA,EACT;AAEA,EAAA,OAAO,OAAA;AACT;AAOA,SAAS,4BAAA,CACP,gBACA,OAAA,EACyB;AACzB,EAAA,MAAM,OAAA,GAAU,gBAAA,CAAiB,cAAA,CAAe,OAAA,EAAS,QAAQ,OAAO,CAAA;AAExE,EAAA,OAAO;AAAA,IACL,GAAG,cAAA;AAAA,IACH,GAAG,OAAA;AAAA,IACH;AAAA,GACF;AACF;AAEA,SAAS,gBAAA,CACP,gBACA,OAAA,EACyB;AACzB,EAAA,IAAI,CAAC,cAAA,IAAkB,CAAC,OAAA,EAAS;AAC/B,IAAA,OAAO,MAAA;AAAA,EACT;AAEA,EAAA,OAAO;AAAA,IACL,GAAG,cAAA;AAAA,IACH,GAAG,OAAA;AAAA,IACH,OAAA,EAAS,YAAA,CAAa,cAAA,EAAgB,OAAA,EAAS,SAAS,OAAO;AAAA,GACjE;AACF;AAEA,SAAS,YAAA,CACP,gBACA,OAAA,EACqB;AACrB,EAAA,IAAI,CAAC,cAAA,IAAkB,CAAC,OAAA,EAAS;AAC/B,IAAA,OAAO,MAAA;AAAA,EACT;AAEA,EAAA,MAAM,aAAA,GAAgB,IAAI,OAAA,CAAQ,cAAc,CAAA;AAChD,EAAA,IAAI,QAAQ,OAAO,CAAA,CAAE,OAAA,CAAQ,CAAC,OAAO,GAAA,KAAQ;AAC3C,IAAA,aAAA,CAAc,GAAA,CAAI,KAAK,KAAK,CAAA;AAAA,EAC9B,CAAC,CAAA;AAED,EAAA,OAAO,aAAA;AACT;AAEA,SAAS,uBAAA,CACP,OACA,OAAA,EACS;AACT,EAAA,MAAM,IAAA,GAAO,QAAQ,sBAAA,IAA0B,EAAA;AAC/C,EAAA,OAAO,KAAA,CAAM,YAAY,IAAA,CAAK,KAAA,CAAM,KAAK,GAAA,EAAI,GAAI,GAAI,CAAA,GAAI,IAAA;AAC3D;AAEA,SAAS,uBACP,OAAA,EACA;AACA,EAAA,OAAO,KAAK,SAAA,CAAU;AAAA,IACpB,OAAA,CAAQ,SAAS,yBAAA,EAA0B;AAAA,IAC3C,eAAA,CAAgB,QAAQ,MAAM;AAAA,GAC/B,CAAA;AACH;AAEA,eAAe,gBAAgB,QAAA,EAAqC;AAClE,EAAA,MAAM,OAAA,GAAW,MAAM,QAAA,CAAS,QAAQ,CAAA;AAIxC,EAAA,IAAI,OAAO,OAAA,EAAS,iBAAA,KAAsB,QAAA,EAAU;AAClD,IAAA,OAAO,OAAA,CAAQ,iBAAA;AAAA,EACjB;AAEA,EAAA,OAAO,CAAA,gCAAA,EAAmC,SAAS,MAAM,CAAA,EAAA,CAAA;AAC3D;AAEA,eAAe,SAAS,QAAA,EAAsC;AAC5D,EAAA,IAAI;AACF,IAAA,OAAO,MAAM,SAAS,IAAA,EAAK;AAAA,EAC7B,CAAA,CAAA,MAAQ;AACN,IAAA,OAAO,MAAA;AAAA,EACT;AACF;AAEA,SAAS,gBAAgB,MAAA,EAA4C;AACnE,EAAA,OAAO,MAAM,OAAA,CAAQ,MAAM,IAAI,MAAA,CAAO,IAAA,CAAK,GAAG,CAAA,GAAI,MAAA;AACpD;ACxQA,eAAsB,gBAAA,CACpB,OAAA,GAAmC,EAAC,EACU;AAC9C,EAAA,MAAM,EAAE,OAAA,EAAS,KAAA,GAAQ,qBAAA,IAAwB,GAAI,OAAA;AACrD,EAAA,MAAM,QAAA,GAAW,MAAM,KAAA,CAAM,KAAA,EAAO;AAAA,IAClC,WAAA,EAAa,aAAA;AAAA,IACb,GAAG;AAAA,GACJ,CAAA;AAED,EAAA,IAAI,QAAA,CAAS,MAAA,KAAW,GAAA,IAAO,QAAA,CAAS,WAAW,GAAA,EAAK;AACtD,IAAA,OAAO,MAAA;AAAA,EACT;AAEA,EAAA,IAAI,CAAC,SAAS,EAAA,EAAI;AAChB,IAAA,MAAM,IAAI,KAAA,CAAM,CAAA,iCAAA,EAAoC,QAAA,CAAS,MAAM,CAAA,EAAA,CAAI,CAAA;AAAA,EACzE;AAEA,EAAA,OAAO,uBAAA;AAAA,IACJ,MAAM,SAAS,IAAA;AAAK,GACvB;AACF;AASO,SAAS,cAAA,CAKd,OAAA,GAA+D,EAAC,EAClC;AAC9B,EAAA,MAAM;AAAA,IACJ,QAAA;AAAA,IACA,QAAQ,qBAAA,EAAsB;AAAA,IAC9B,OAAA;AAAA,IACA,GAAG;AAAA,GACL,GAAI,OAAA;AAEJ,EAAA,OAAOA,QAAAA,CAAS;AAAA,IACd,QAAA,EACE,QAAA,IACC,CAAC,YAAA,EAAc,gBAAgB,KAAK,CAAA;AAAA,IACvC,SAAS,MAAM,gBAAA,CAA6B,EAAE,OAAA,EAAS,OAAO,CAAA;AAAA,IAC9D,GAAG;AAAA,GAMJ,CAAA;AACH;AAEA,SAAS,wBACP,OAAA,EACqC;AACrC,EAAA,IAAI,CAAC,OAAA,IAAW,OAAO,OAAA,KAAY,QAAA,EAAU;AAC3C,IAAA,OAAO,MAAA;AAAA,EACT;AAEA,EAAA,IAAI,UAAU,OAAA,EAAS;AACrB,IAAA,OAAO,QAAA,CAAS,OAAA,CAAQ,IAAI,CAAA,GACvB,QAAQ,IAAA,GACT,MAAA;AAAA,EACN;AAEA,EAAA,OAAO,OAAA;AACT;AAEA,SAAS,SAAS,KAAA,EAAkD;AAClE,EAAA,OAAO,OAAA,CAAQ,KAAA,IAAS,OAAO,KAAA,KAAU,QAAQ,CAAA;AACnD","file":"hooks.js","sourcesContent":["/**\n * Built-in auth route defaults used by both server configuration and\n * browser-safe client helpers.\n */\nexport const DEFAULT_ROUTES = {\n  login: '/auth/login',\n  callback: '/auth/callback',\n  logout: '/auth/logout',\n  session: '/auth/session',\n  accessToken: '/auth/access-token',\n  postLogoutRedirect: '/',\n} as const;\n\n/**\n * Returns the session route that browser code can safely call.\n *\n * The full server configuration reads secret-bearing environment variables, so\n * client hooks use the public session route override instead.\n */\nexport function getPublicSessionRoute(): string {\n  return typeof process === 'undefined'\n    ? DEFAULT_ROUTES.session\n    : process.env.NEXT_PUBLIC_SESSION_ROUTE || DEFAULT_ROUTES.session;\n}\n\n/**\n * Returns the access-token route that browser code can safely call.\n *\n * The full server configuration may read secret-bearing environment variables,\n * so client hooks use the public access-token route override instead.\n */\nexport function getPublicAccessTokenRoute(): string {\n  return typeof process === 'undefined'\n    ? DEFAULT_ROUTES.accessToken\n    : process.env.NEXT_PUBLIC_ACCESS_TOKEN_ROUTE || DEFAULT_ROUTES.accessToken;\n}\n","import {\n  useQuery,\n  type QueryKey,\n  type UseQueryOptions,\n  type UseQueryResult,\n} from '@tanstack/react-query';\nimport { getPublicAccessTokenRoute } from '../config/routes';\nimport type {\n  AccessTokenResult,\n  GetAccessTokenOptions,\n} from '../oauth/access-token';\n\n/**\n * Options for fetching an access token from browser code.\n */\nexport type FetchAccessTokenOptions = GetAccessTokenOptions & {\n  /**\n   * Mounted access-token route. Defaults to `/auth/access-token`.\n   */\n  route?: string;\n\n  /**\n   * Additional fetch options merged with `credentials: \"same-origin\"`.\n   */\n  request?: RequestInit;\n};\n\n/**\n * Access-token provider for imperative browser API clients.\n */\nexport type AccessTokenProvider = {\n  /**\n   * Returns a cached access token when it is still fresh, otherwise calls the\n   * mounted access-token route and stores the result.\n   */\n  getAccessToken: (\n    options?: FetchAccessTokenOptions,\n  ) => Promise<AccessTokenResult>;\n\n  /**\n   * Clears the cached entry for the provided route and scopes. Clears every\n   * cached entry when no options are provided.\n   */\n  clear: (options?: Pick<FetchAccessTokenOptions, 'route' | 'scopes'>) => void;\n\n  /**\n   * Clears every cached entry.\n   */\n  clearAll: () => void;\n};\n\n/**\n * Default TanStack Query key used by {@link useAccessToken}.\n */\nexport type UseAccessTokenQueryKey = readonly [\n  'mondo-auth',\n  'access-token',\n  string,\n  string | undefined,\n  boolean | undefined,\n  number | undefined,\n];\n\n/**\n * Options accepted by {@link useAccessToken}.\n *\n * All normal TanStack Query options are supported except `queryFn` and\n * `queryKey`, which are owned by the hook. Pass `queryKey` here to override the\n * default key.\n */\nexport type UseAccessTokenOptions<\n  TData = AccessTokenResult,\n  TQueryKey extends QueryKey = UseAccessTokenQueryKey,\n> = FetchAccessTokenOptions &\n  Omit<\n    UseQueryOptions<AccessTokenResult, Error, TData, TQueryKey>,\n    'queryFn' | 'queryKey'\n  > & {\n    /**\n     * TanStack Query key. Defaults to route, scopes, refresh, and refresh skew.\n     */\n    queryKey?: TQueryKey;\n  };\n\n/**\n * Fetches a current access token from the mounted access-token route.\n *\n * The server reads the local sealed session and refreshes the token when\n * needed, when `refresh` is true, or when requested scopes are missing.\n */\nexport async function fetchAccessToken(\n  options: FetchAccessTokenOptions = {},\n): Promise<AccessTokenResult> {\n  const {\n    refresh,\n    refreshBeforeExpiresIn,\n    request,\n    route = getPublicAccessTokenRoute(),\n    scopes,\n  } = options;\n  const body = getRequestBody({ refresh, refreshBeforeExpiresIn, scopes });\n  const headers = new Headers(request?.headers);\n\n  if (body && !headers.has('content-type')) {\n    headers.set('content-type', 'application/json');\n  }\n\n  const response = await fetch(route, {\n    ...request,\n    body: body ? JSON.stringify(body) : request?.body,\n    credentials: 'same-origin',\n    headers,\n    method: body ? 'POST' : request?.method,\n  });\n\n  if (!response.ok) {\n    const message = await getErrorMessage(response);\n    throw new Error(message);\n  }\n\n  return (await response.json()) as AccessTokenResult;\n}\n\n/**\n * Creates an in-memory access-token cache for imperative browser API clients.\n *\n * This is useful when an app needs to make multiple browser-side API calls with\n * a bearer token. Cached tokens are kept only in memory, are refreshed before\n * expiry, and concurrent misses share one `/auth/access-token` request.\n */\nexport function createAccessTokenProvider(\n  defaultOptions: FetchAccessTokenOptions = {},\n): AccessTokenProvider {\n  const entries = new Map<string, AccessTokenCacheEntry>();\n\n  const loadAccessToken = async (options: FetchAccessTokenOptions) => {\n    const key = getAccessTokenCacheKey(options);\n    let promise: Promise<AccessTokenResult>;\n\n    promise = fetchAccessToken(options).then(\n      (token) => {\n        entries.set(key, { token });\n        return token;\n      },\n      (error) => {\n        if (entries.get(key)?.promise === promise) {\n          entries.delete(key);\n        }\n\n        throw error;\n      },\n    );\n\n    entries.set(key, { promise });\n    return promise;\n  };\n\n  return {\n    getAccessToken(options = {}) {\n      const mergedOptions = mergeFetchAccessTokenOptions(\n        defaultOptions,\n        options,\n      );\n      const key = getAccessTokenCacheKey(mergedOptions);\n      const entry = entries.get(key);\n\n      if (\n        mergedOptions.refresh !== true &&\n        entry?.token &&\n        canUseCachedAccessToken(entry.token, mergedOptions)\n      ) {\n        return Promise.resolve(entry.token);\n      }\n\n      if (mergedOptions.refresh !== true && entry?.promise) {\n        return entry.promise;\n      }\n\n      return loadAccessToken(mergedOptions);\n    },\n\n    clear(options) {\n      if (!options) {\n        entries.clear();\n        return;\n      }\n\n      entries.delete(\n        getAccessTokenCacheKey(\n          mergeFetchAccessTokenOptions(defaultOptions, options),\n        ),\n      );\n    },\n\n    clearAll() {\n      entries.clear();\n    },\n  };\n}\n\n/**\n * TanStack Query hook for a current access token.\n *\n * Apps must provide a `QueryClientProvider` above this hook. The hook calls the\n * app's local access-token endpoint; refresh tokens never leave the server.\n */\nexport function useAccessToken<\n  TData = AccessTokenResult,\n  TQueryKey extends QueryKey = UseAccessTokenQueryKey,\n>(\n  options: UseAccessTokenOptions<TData, TQueryKey> = {},\n): UseQueryResult<TData, Error> {\n  const {\n    queryKey,\n    refresh,\n    refreshBeforeExpiresIn,\n    request,\n    route = getPublicAccessTokenRoute(),\n    scopes,\n    ...queryOptions\n  } = options;\n\n  return useQuery({\n    queryKey:\n      queryKey ??\n      ([\n        'mondo-auth',\n        'access-token',\n        route,\n        normalizeScopes(scopes),\n        refresh,\n        refreshBeforeExpiresIn,\n      ] satisfies UseAccessTokenQueryKey),\n    queryFn: () =>\n      fetchAccessToken({\n        refresh,\n        refreshBeforeExpiresIn,\n        request,\n        route,\n        scopes,\n      }),\n    ...queryOptions,\n  } as UseQueryOptions<AccessTokenResult, Error, TData, TQueryKey>);\n}\n\nfunction getRequestBody(options: GetAccessTokenOptions) {\n  if (\n    options.refresh === undefined &&\n    options.refreshBeforeExpiresIn === undefined &&\n    options.scopes === undefined\n  ) {\n    return undefined;\n  }\n\n  return options;\n}\n\ntype AccessTokenCacheEntry = {\n  token?: AccessTokenResult;\n  promise?: Promise<AccessTokenResult>;\n};\n\nfunction mergeFetchAccessTokenOptions(\n  defaultOptions: FetchAccessTokenOptions,\n  options: FetchAccessTokenOptions,\n): FetchAccessTokenOptions {\n  const request = mergeRequestInit(defaultOptions.request, options.request);\n\n  return {\n    ...defaultOptions,\n    ...options,\n    request,\n  };\n}\n\nfunction mergeRequestInit(\n  defaultRequest: RequestInit | undefined,\n  request: RequestInit | undefined,\n): RequestInit | undefined {\n  if (!defaultRequest && !request) {\n    return undefined;\n  }\n\n  return {\n    ...defaultRequest,\n    ...request,\n    headers: mergeHeaders(defaultRequest?.headers, request?.headers),\n  };\n}\n\nfunction mergeHeaders(\n  defaultHeaders: HeadersInit | undefined,\n  headers: HeadersInit | undefined,\n): Headers | undefined {\n  if (!defaultHeaders && !headers) {\n    return undefined;\n  }\n\n  const mergedHeaders = new Headers(defaultHeaders);\n  new Headers(headers).forEach((value, key) => {\n    mergedHeaders.set(key, value);\n  });\n\n  return mergedHeaders;\n}\n\nfunction canUseCachedAccessToken(\n  token: AccessTokenResult,\n  options: GetAccessTokenOptions,\n): boolean {\n  const skew = options.refreshBeforeExpiresIn ?? 60;\n  return token.expiresAt > Math.floor(Date.now() / 1000) + skew;\n}\n\nfunction getAccessTokenCacheKey(\n  options: Pick<FetchAccessTokenOptions, 'route' | 'scopes'>,\n) {\n  return JSON.stringify([\n    options.route ?? getPublicAccessTokenRoute(),\n    normalizeScopes(options.scopes),\n  ]);\n}\n\nasync function getErrorMessage(response: Response): Promise<string> {\n  const payload = (await readJson(response)) as\n    | { error_description?: unknown }\n    | undefined;\n\n  if (typeof payload?.error_description === 'string') {\n    return payload.error_description;\n  }\n\n  return `Unable to load an access token (${response.status}).`;\n}\n\nasync function readJson(response: Response): Promise<unknown> {\n  try {\n    return await response.json();\n  } catch {\n    return undefined;\n  }\n}\n\nfunction normalizeScopes(scopes: string | Array<string> | undefined) {\n  return Array.isArray(scopes) ? scopes.join(' ') : scopes;\n}\n","import {\n  useQuery,\n  type QueryKey,\n  type UseQueryOptions,\n  type UseQueryResult,\n} from '@tanstack/react-query';\nimport { getPublicSessionRoute } from '../config/routes';\nimport type { Claims, UserProfile } from '../session/types';\n\n/**\n * JSON shapes accepted from the mounted session route.\n *\n * The default session route returns `{ user }` as part of the full session, but\n * apps may transform that route to return the user profile directly.\n */\nexport type UserProfileEndpointResponse<UserClaims extends Claims = Claims> =\n  | { user?: UserProfile<UserClaims> | null | undefined }\n  | UserProfile<UserClaims>\n  | null\n  | undefined;\n\n/**\n * Options for fetching the current user profile from browser code.\n */\nexport type FetchUserProfileOptions = {\n  /**\n   * Mounted session route. Defaults to `/auth/session`.\n   */\n  route?: string;\n\n  /**\n   * Additional fetch options merged with `credentials: \"same-origin\"`.\n   */\n  request?: RequestInit;\n};\n\n/**\n * Default TanStack Query key used by {@link useUserProfile}.\n */\nexport type UseUserProfileQueryKey = readonly [\n  'mondo-auth',\n  'user-profile',\n  string,\n];\n\n/**\n * Options accepted by {@link useUserProfile}.\n *\n * All normal TanStack Query options are supported except `queryFn` and\n * `queryKey`, which are owned by the hook. Pass `queryKey` here to override the\n * default key.\n */\nexport type UseUserProfileOptions<\n  UserClaims extends Claims = Claims,\n  TData = UserProfile<UserClaims> | undefined,\n  TQueryKey extends QueryKey = UseUserProfileQueryKey,\n> = FetchUserProfileOptions &\n  Omit<\n    UseQueryOptions<\n      UserProfile<UserClaims> | undefined,\n      Error,\n      TData,\n      TQueryKey\n    >,\n    'queryFn' | 'queryKey'\n  > & {\n    /**\n     * TanStack Query key. Defaults to `[\"mondo-auth\", \"user-profile\", route]`.\n     */\n    queryKey?: TQueryKey;\n  };\n\n/**\n * Fetches the currently authenticated user profile from the mounted session\n * route.\n *\n * This reads the app's local server-managed session. It does not call the\n * authorization server directly.\n *\n * @returns The current user profile, or `undefined` when no session exists.\n */\nexport async function fetchUserProfile<UserClaims extends Claims = Claims>(\n  options: FetchUserProfileOptions = {},\n): Promise<UserProfile<UserClaims> | undefined> {\n  const { request, route = getPublicSessionRoute() } = options;\n  const response = await fetch(route, {\n    credentials: 'same-origin',\n    ...request,\n  });\n\n  if (response.status === 401 || response.status === 403) {\n    return undefined;\n  }\n\n  if (!response.ok) {\n    throw new Error(`Unable to load the current user (${response.status}).`);\n  }\n\n  return userProfileFromResponse<UserClaims>(\n    (await response.json()) as UserProfileEndpointResponse<UserClaims>,\n  );\n}\n\n/**\n * TanStack Query hook for the currently authenticated user profile.\n *\n * Apps must provide a `QueryClientProvider` above this hook. The hook reads the\n * app's local session endpoint and caches the resulting user profile in\n * TanStack Query.\n */\nexport function useUserProfile<\n  UserClaims extends Claims = Claims,\n  TData = UserProfile<UserClaims> | undefined,\n  TQueryKey extends QueryKey = UseUserProfileQueryKey,\n>(\n  options: UseUserProfileOptions<UserClaims, TData, TQueryKey> = {},\n): UseQueryResult<TData, Error> {\n  const {\n    queryKey,\n    route = getPublicSessionRoute(),\n    request,\n    ...queryOptions\n  } = options;\n\n  return useQuery({\n    queryKey:\n      queryKey ??\n      (['mondo-auth', 'user-profile', route] satisfies UseUserProfileQueryKey),\n    queryFn: () => fetchUserProfile<UserClaims>({ request, route }),\n    ...queryOptions,\n  } as UseQueryOptions<\n    UserProfile<UserClaims> | undefined,\n    Error,\n    TData,\n    TQueryKey\n  >);\n}\n\nfunction userProfileFromResponse<UserClaims extends Claims>(\n  payload: UserProfileEndpointResponse<UserClaims>,\n): UserProfile<UserClaims> | undefined {\n  if (!payload || typeof payload !== 'object') {\n    return undefined;\n  }\n\n  if ('user' in payload) {\n    return isRecord(payload.user)\n      ? (payload.user as UserProfile<UserClaims>)\n      : undefined;\n  }\n\n  return payload as UserProfile<UserClaims>;\n}\n\nfunction isRecord(value: unknown): value is Record<string, unknown> {\n  return Boolean(value && typeof value === 'object');\n}\n"]}

package/dist/oauth.cjs

@@ -0,0 +1,10 @@
+'use strict';
+
+// src/oauth/types.ts
+var CodeChallengeMethod = {
+  S256: "S256"
+};
+
+exports.CodeChallengeMethod = CodeChallengeMethod;
+//# sourceMappingURL=oauth.cjs.map
+//# sourceMappingURL=oauth.cjs.map

package/dist/oauth.cjs.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../src/oauth/types.ts"],"names":[],"mappings":";;;AAgBO,IAAM,mBAAA,GAAsB;AAAA,EACjC,IAAA,EAAM;AACR","file":"oauth.cjs","sourcesContent":["/**\n * Minimal token endpoint response shape used by the session model.\n */\nexport interface TokenEndpointResponse {\n  access_token?: string;\n  token_type?: string;\n  id_token?: string;\n  refresh_token?: string;\n  scope?: string;\n  expires_in?: number;\n  [key: string]: unknown;\n}\n\n/**\n * PKCE challenge method supported by this SDK.\n */\nexport const CodeChallengeMethod = {\n  S256: 'S256',\n} as const;\n\ntype PKCEParams = {\n  code_challenge_method: typeof CodeChallengeMethod.S256;\n  code_challenge: string;\n};\n\ntype AuthorizationCodeOptionalParams = {\n  audience?: string;\n};\n\n/**\n * Authorization URL parameters assembled for the login redirect.\n *\n * Runtime-generated fields such as `state`, `nonce`, and PKCE values are added\n * by the login route handler rather than accepted from user config.\n */\nexport type AuthorizationCodeParams = {\n  response_type: 'code';\n  scope: string;\n  redirect_uri: string;\n  state: string;\n  nonce: string;\n  response_mode?: 'query' | 'form_post';\n  display?: 'page' | 'popup' | 'touch' | 'wap';\n  prompt?: 'none' | 'login' | 'consent' | 'select_account';\n  max_age?: number;\n  ui_locales?: string;\n  id_token_hint?: string;\n  login_hint?: string;\n  acr_values?: string;\n} & AuthorizationCodeOptionalParams &\n  PKCEParams;\n\ntype BaseConfigurableAuthorizationParams = Omit<\n  AuthorizationCodeParams,\n  'client_id' | 'state' | 'nonce' | 'code_challenge_method' | 'code_challenge'\n>;\n\n/**\n * Per-request authorization parameter overrides accepted by `handleLogin`.\n */\nexport type OverrideAuthorizationParams =\n  Partial<BaseConfigurableAuthorizationParams>;\n"]}

package/dist/oauth.d.cts

@@ -0,0 +1,55 @@
+export { A as AccessTokenResult, a as GetAccessToken, G as GetAccessTokenOptions } from './access-token-UIlXwi3X.cjs';
+
+/**
+ * Minimal token endpoint response shape used by the session model.
+ */
+interface TokenEndpointResponse {
+    access_token?: string;
+    token_type?: string;
+    id_token?: string;
+    refresh_token?: string;
+    scope?: string;
+    expires_in?: number;
+    [key: string]: unknown;
+}
+/**
+ * PKCE challenge method supported by this SDK.
+ */
+declare const CodeChallengeMethod: {
+    readonly S256: "S256";
+};
+type PKCEParams = {
+    code_challenge_method: typeof CodeChallengeMethod.S256;
+    code_challenge: string;
+};
+type AuthorizationCodeOptionalParams = {
+    audience?: string;
+};
+/**
+ * Authorization URL parameters assembled for the login redirect.
+ *
+ * Runtime-generated fields such as `state`, `nonce`, and PKCE values are added
+ * by the login route handler rather than accepted from user config.
+ */
+type AuthorizationCodeParams = {
+    response_type: 'code';
+    scope: string;
+    redirect_uri: string;
+    state: string;
+    nonce: string;
+    response_mode?: 'query' | 'form_post';
+    display?: 'page' | 'popup' | 'touch' | 'wap';
+    prompt?: 'none' | 'login' | 'consent' | 'select_account';
+    max_age?: number;
+    ui_locales?: string;
+    id_token_hint?: string;
+    login_hint?: string;
+    acr_values?: string;
+} & AuthorizationCodeOptionalParams & PKCEParams;
+type BaseConfigurableAuthorizationParams = Omit<AuthorizationCodeParams, 'client_id' | 'state' | 'nonce' | 'code_challenge_method' | 'code_challenge'>;
+/**
+ * Per-request authorization parameter overrides accepted by `handleLogin`.
+ */
+type OverrideAuthorizationParams = Partial<BaseConfigurableAuthorizationParams>;
+
+export { type AuthorizationCodeParams, CodeChallengeMethod, type OverrideAuthorizationParams, type TokenEndpointResponse };

package/dist/oauth.d.ts

@@ -0,0 +1,55 @@
+export { A as AccessTokenResult, a as GetAccessToken, G as GetAccessTokenOptions } from './access-token-UIlXwi3X.js';
+
+/**
+ * Minimal token endpoint response shape used by the session model.
+ */
+interface TokenEndpointResponse {
+    access_token?: string;
+    token_type?: string;
+    id_token?: string;
+    refresh_token?: string;
+    scope?: string;
+    expires_in?: number;
+    [key: string]: unknown;
+}
+/**
+ * PKCE challenge method supported by this SDK.
+ */
+declare const CodeChallengeMethod: {
+    readonly S256: "S256";
+};
+type PKCEParams = {
+    code_challenge_method: typeof CodeChallengeMethod.S256;
+    code_challenge: string;
+};
+type AuthorizationCodeOptionalParams = {
+    audience?: string;
+};
+/**
+ * Authorization URL parameters assembled for the login redirect.
+ *
+ * Runtime-generated fields such as `state`, `nonce`, and PKCE values are added
+ * by the login route handler rather than accepted from user config.
+ */
+type AuthorizationCodeParams = {
+    response_type: 'code';
+    scope: string;
+    redirect_uri: string;
+    state: string;
+    nonce: string;
+    response_mode?: 'query' | 'form_post';
+    display?: 'page' | 'popup' | 'touch' | 'wap';
+    prompt?: 'none' | 'login' | 'consent' | 'select_account';
+    max_age?: number;
+    ui_locales?: string;
+    id_token_hint?: string;
+    login_hint?: string;
+    acr_values?: string;
+} & AuthorizationCodeOptionalParams & PKCEParams;
+type BaseConfigurableAuthorizationParams = Omit<AuthorizationCodeParams, 'client_id' | 'state' | 'nonce' | 'code_challenge_method' | 'code_challenge'>;
+/**
+ * Per-request authorization parameter overrides accepted by `handleLogin`.
+ */
+type OverrideAuthorizationParams = Partial<BaseConfigurableAuthorizationParams>;
+
+export { type AuthorizationCodeParams, CodeChallengeMethod, type OverrideAuthorizationParams, type TokenEndpointResponse };

package/dist/oauth.js

@@ -0,0 +1,8 @@
+// src/oauth/types.ts
+var CodeChallengeMethod = {
+  S256: "S256"
+};
+
+export { CodeChallengeMethod };
+//# sourceMappingURL=oauth.js.map
+//# sourceMappingURL=oauth.js.map

package/dist/oauth.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../src/oauth/types.ts"],"names":[],"mappings":";AAgBO,IAAM,mBAAA,GAAsB;AAAA,EACjC,IAAA,EAAM;AACR","file":"oauth.js","sourcesContent":["/**\n * Minimal token endpoint response shape used by the session model.\n */\nexport interface TokenEndpointResponse {\n  access_token?: string;\n  token_type?: string;\n  id_token?: string;\n  refresh_token?: string;\n  scope?: string;\n  expires_in?: number;\n  [key: string]: unknown;\n}\n\n/**\n * PKCE challenge method supported by this SDK.\n */\nexport const CodeChallengeMethod = {\n  S256: 'S256',\n} as const;\n\ntype PKCEParams = {\n  code_challenge_method: typeof CodeChallengeMethod.S256;\n  code_challenge: string;\n};\n\ntype AuthorizationCodeOptionalParams = {\n  audience?: string;\n};\n\n/**\n * Authorization URL parameters assembled for the login redirect.\n *\n * Runtime-generated fields such as `state`, `nonce`, and PKCE values are added\n * by the login route handler rather than accepted from user config.\n */\nexport type AuthorizationCodeParams = {\n  response_type: 'code';\n  scope: string;\n  redirect_uri: string;\n  state: string;\n  nonce: string;\n  response_mode?: 'query' | 'form_post';\n  display?: 'page' | 'popup' | 'touch' | 'wap';\n  prompt?: 'none' | 'login' | 'consent' | 'select_account';\n  max_age?: number;\n  ui_locales?: string;\n  id_token_hint?: string;\n  login_hint?: string;\n  acr_values?: string;\n} & AuthorizationCodeOptionalParams &\n  PKCEParams;\n\ntype BaseConfigurableAuthorizationParams = Omit<\n  AuthorizationCodeParams,\n  'client_id' | 'state' | 'nonce' | 'code_challenge_method' | 'code_challenge'\n>;\n\n/**\n * Per-request authorization parameter overrides accepted by `handleLogin`.\n */\nexport type OverrideAuthorizationParams =\n  Partial<BaseConfigurableAuthorizationParams>;\n"]}

package/dist/session.cjs

@@ -0,0 +1,45 @@
+'use strict';
+
+// src/session/model.ts
+var Session = class {
+  /**
+   * The authenticated user (claims from the `id_token`)
+   */
+  user;
+  /**
+   * A timestamp when authentication / session occurred
+   */
+  issuedAt;
+  /**
+   * A timestamp when authentication / session was last updated (touched)
+   */
+  updatedAt;
+  /**
+   * A timestamp when the authentication / session is set to expire
+   */
+  expiresAt;
+  /**
+   * OAuth access-token state stored separately from the base session payload.
+   */
+  authorization;
+  /**
+   * OIDC authentication token state stored separately from the base session
+   * payload.
+   */
+  authentication;
+  /**
+   * Creates a normalized session object from sealed cookie payloads.
+   */
+  constructor(props) {
+    this.user = props.user;
+    this.issuedAt = props.issuedAt;
+    this.updatedAt = props.updatedAt;
+    this.expiresAt = props.expiresAt;
+    this.authentication = props.authentication;
+    this.authorization = props.authorization;
+  }
+};
+
+exports.Session = Session;
+//# sourceMappingURL=session.cjs.map
+//# sourceMappingURL=session.cjs.map

package/dist/session.cjs.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../src/session/model.ts"],"names":[],"mappings":";;;AA2BO,IAAM,UAAN,MAEP;AAAA;AAAA;AAAA;AAAA,EAIE,IAAA;AAAA;AAAA;AAAA;AAAA,EAKA,QAAA;AAAA;AAAA;AAAA;AAAA,EAKA,SAAA;AAAA;AAAA;AAAA;AAAA,EAKA,SAAA;AAAA;AAAA;AAAA;AAAA,EAKA,aAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAMA,cAAA;AAAA;AAAA;AAAA;AAAA,EAOA,YAAY,KAAA,EAAsC;AAChD,IAAA,IAAA,CAAK,OAAO,KAAA,CAAM,IAAA;AAClB,IAAA,IAAA,CAAK,WAAW,KAAA,CAAM,QAAA;AACtB,IAAA,IAAA,CAAK,YAAY,KAAA,CAAM,SAAA;AACvB,IAAA,IAAA,CAAK,YAAY,KAAA,CAAM,SAAA;AACvB,IAAA,IAAA,CAAK,iBAAiB,KAAA,CAAM,cAAA;AAC5B,IAAA,IAAA,CAAK,gBAAgB,KAAA,CAAM,aAAA;AAAA,EAC7B;AACF","file":"session.cjs","sourcesContent":["import type { TokenEndpointResponse } from '../oauth/types';\nimport type {\n  Claims,\n  IdTokenClaims,\n  SessionAuthentication,\n  SessionAuthorization,\n  SessionInterface,\n  UserProfile,\n} from './types';\n\n/**\n * Serializable session payload stored across sealed cookies.\n */\nexport type SerializedSession<UserClaims extends Claims = Claims> =\n  SessionInterface<UserClaims> & {\n    authentication?: SessionAuthentication;\n    authorization?: SessionAuthorization;\n  };\n\n/**\n * The user's session.\n *\n * The public session shape combines the base user claims cookie with optional\n * authentication and authorization cookies.\n *\n * @category Server\n */\nexport class Session<UserClaims extends Claims = Claims>\n  implements SessionInterface<UserClaims>\n{\n  /**\n   * The authenticated user (claims from the `id_token`)\n   */\n  user: UserProfile<UserClaims>;\n\n  /**\n   * A timestamp when authentication / session occurred\n   */\n  issuedAt: number;\n\n  /**\n   * A timestamp when authentication / session was last updated (touched)\n   */\n  updatedAt: number;\n\n  /**\n   * A timestamp when the authentication / session is set to expire\n   */\n  expiresAt: number;\n\n  /**\n   * OAuth access-token state stored separately from the base session payload.\n   */\n  authorization?: SessionAuthorization;\n\n  /**\n   * OIDC authentication token state stored separately from the base session\n   * payload.\n   */\n  authentication?: SessionAuthentication;\n\n  [key: string]: any;\n\n  /**\n   * Creates a normalized session object from sealed cookie payloads.\n   */\n  constructor(props: SerializedSession<UserClaims>) {\n    this.user = props.user;\n    this.issuedAt = props.issuedAt;\n    this.updatedAt = props.updatedAt;\n    this.expiresAt = props.expiresAt;\n    this.authentication = props.authentication;\n    this.authorization = props.authorization;\n  }\n}\n\n/**\n * Converts an OIDC token endpoint response into the session model stored in\n * sealed cookies.\n *\n * @param tokenEndpointResponse - Token endpoint response returned by\n * `openid-client`.\n */\nexport function fromTokenEndpointResponse<UserClaims extends Claims = Claims>(\n  tokenEndpointResponse: TokenEndpointResponse,\n): Session<UserClaims> {\n  const { iat, exp, aud, iss, nonce, ...user } = decodeJwt<IdTokenClaims>(\n    tokenEndpointResponse.id_token as string,\n  );\n\n  const {\n    id_token,\n    access_token,\n    scope,\n    expires_in,\n    expires_at,\n    refresh_token,\n    token_type,\n    ...remainder\n  } = tokenEndpointResponse;\n\n  const authorization = access_token\n    ? {\n        accessToken: access_token,\n        scope,\n        expiresAt: Math.floor(Date.now() / 1000) + Number(expires_in),\n        refreshToken: refresh_token,\n        type: token_type,\n      }\n    : undefined;\n\n  const authentication = id_token\n    ? {\n        idToken: id_token,\n      }\n    : undefined;\n\n  return Object.assign(\n    new Session({\n      user: user as UserProfile<UserClaims>,\n      issuedAt: iat,\n      updatedAt: iat,\n      expiresAt: exp,\n      authorization,\n      authentication,\n    }),\n    remainder,\n  );\n}\n\nfunction decodeJwt<TClaims>(jwt: string): TClaims {\n  const [, payload] = jwt.split('.');\n\n  if (!payload) {\n    throw new TypeError('Invalid JWT payload.');\n  }\n\n  const normalized = payload.replace(/-/g, '+').replace(/_/g, '/');\n  const padded = normalized.padEnd(\n    normalized.length + ((4 - (normalized.length % 4)) % 4),\n    '=',\n  );\n\n  const decoded =\n    typeof atob === 'function'\n      ? atob(padded)\n      : Buffer.from(padded, 'base64').toString('binary');\n\n  const json = decodeURIComponent(\n    Array.from(\n      decoded,\n      (char) => `%${char.charCodeAt(0).toString(16).padStart(2, '0')}`,\n    ).join(''),\n  );\n\n  return JSON.parse(json) as TClaims;\n}\n"]}