@henosia/app-next 1.0.2 → 1.0.3

package/README.md

@@ -120,7 +120,19 @@ import {
 } from '@henosia/app-next'
 ```
 
-`verifyHenosiaAuthToken(request)` MUST be called from any protected page/route handler/server action — the
+## Server-side auth guards
+
+Methods to add authorization guards around pages, router handlers, and server actions.
+
+```ts
+import {
+  requireHenosiaAuth,
+  routeWithHenosiaAuth,
+  getHenosiaAuth
+} from '@henosia/app-next/auth/server-guards'
+```
+
+`requireHenosiaAuth` or `routeWithHenosiaAuth` MUST be called from any protected page/route handler/server action — the
 middleware only performs a fast pre-check.
 
 ## App-switcher hook
@@ -159,15 +171,16 @@ export function MyAppSwitcher() {
 
 ## Subpath exports
 
-| Subpath                                        | Purpose                                                    |
-|------------------------------------------------|------------------------------------------------------------|
-| `@henosia/app-next`                            | Server-side helpers (`auth`, `verifyHenosiaAuthToken`, …)  |
-| `@henosia/app-next/shared`                     | Shared constants & types (no runtime deps)                 |
-| `@henosia/app-next/auth/middleware`            | `createHenosiaAuthMiddleware`                              |
-| `@henosia/app-next/auth/server`                | Lower-level server-side auth surface (re-exported by root) |
-| `@henosia/app-next/auth/client`                | Better-auth `authClient` for React                         |
-| `@henosia/app-next/api/auth`                   | `GET`, `POST` for `/api/auth/[...all]`                     |
-| `@henosia/app-next/api/platform`               | `GET` for `/api/henosia-platform/[...all]`                 |
-| `@henosia/app-next/platform/app-switcher`      | `useAppSwitcher` React hook                                |
-| `@henosia/app-next/supabase/server`            | Server-side Supabase client factory                        |
-| `@henosia/app-next/supabase/client`            | Browser Supabase client factory                            |
+| Subpath                                   | Purpose                                                                    |
+|-------------------------------------------|----------------------------------------------------------------------------|
+| `@henosia/app-next`                       | Server-side helpers (`auth`, `verifyHenosiaAuthToken`, …)                  |
+| `@henosia/app-next/shared`                | Shared constants & types (no runtime deps)                                 |
+| `@henosia/app-next/auth/middleware`       | `createHenosiaAuthMiddleware`                                              |
+| `@henosia/app-next/auth/server`           | Lower-level server-side auth surface (re-exported by root)                 |
+| `@henosia/app-next/auth/server-guards`    | Page and route auth guards (`requireHenosiaAuth`, `routeWithHenosiaAuth`, ...)  |
+| `@henosia/app-next/auth/client`           | Better-auth `authClient` for React                                         |
+| `@henosia/app-next/api/auth`              | `GET`, `POST` for `/api/auth/[...all]`                                     |
+| `@henosia/app-next/api/platform`          | `GET` for `/api/henosia-platform/[...all]`                                 |
+| `@henosia/app-next/platform/app-switcher` | `useAppSwitcher` React hook                                                |
+| `@henosia/app-next/supabase/server`       | Server-side Supabase client factory                                        |
+| `@henosia/app-next/supabase/client`       | Browser Supabase client factory                                            |

package/dist/api/platform.mjs

@@ -1,5 +1,6 @@
 /*! Copyright (c) 2026 Henosia ApS. Licensed under the Henosia Commercial Source License v1.0. See LICENSE */
 import { henosiaAuthConfig, isUnauthorizedException, verifyHenosiaAuthToken } from "../auth/server.mjs";
+import { applySecurityHeaders } from "../auth/server-guards.mjs";
 //#region src/api/platform/v1/app-switcher.ts
 /**
 * Handler for the Henosia Platform `app-switcher` endpoint.
@@ -15,10 +16,10 @@ async function handleAppSwitcher(request) {
 			redirect: "error",
 			headers: { authorization: `Bearer ${accessTokenResponse.idToken}` }
 		});
-		return Response.json(await response.json(), {
+		return applySecurityHeaders(Response.json(await response.json(), {
 			status: response.status,
 			statusText: response.statusText
-		});
+		}));
 	} catch (e) {
 		if (isUnauthorizedException(e)) return Response.json({ error: "Your session is invalid or expired. Please reload the page to sign in again." }, { status: 401 });
 		console.error("[Henosia Platform] App Switcher API error", e);

package/dist/auth/middleware.mjs

@@ -25,6 +25,7 @@ function delayWithCancel(delayMs) {
 }
 //#endregion
 //#region src/auth/middleware.ts
+const INVALID_SESSION_BODY = { error: "Your session is invalid or expired. Please reload the page to sign in again." };
 /**
 * Creates a Next.js middleware function that performs the Henosia Auth pre-check.
 *
@@ -67,14 +68,17 @@ function createHenosiaAuthMiddleware(options = {}) {
 				transferBetterAuthCookiesToNext(request, response);
 			} catch (e) {
 				if (!isUnauthorizedException(e)) {
-					console.error("[Middleware]", e);
+					console.error("[Henosia Auth] Middleware error", e);
 					throw e;
 				}
 			}
 			return response;
 		}
 		if (unauthenticatedPathNames.has(pathname) || !!unauthenticatedPathNamePrefixes.find((p) => pathname.startsWith(p))) return response;
-		if (!getSessionCookie(request, { cookiePrefix })) return NextResponse.redirect(new URL(HENOSIA_AUTH_SIGN_IN_PATH_NAME, request.url));
+		if (!getSessionCookie(request, { cookiePrefix })) {
+			if (request.method !== "GET") return NextResponse.json(INVALID_SESSION_BODY, { status: 401 });
+			return NextResponse.redirect(new URL(HENOSIA_AUTH_SIGN_IN_PATH_NAME, request.url));
+		}
 		try {
 			const { accessTokenResponse, payload, transferBetterAuthCookiesToNext } = await verifyHenosiaAuthToken(request);
 			transferBetterAuthCookiesToNext(request, response);
@@ -84,12 +88,12 @@ function createHenosiaAuthMiddleware(options = {}) {
 			if (process.env.NEXT_PUBLIC_SUPABASE_URL) await exchangeHenosiaTokenForSupabaseSession(request, response, accessTokenResponse.idToken);
 		} catch (e) {
 			if (isUnauthorizedException(e)) {
-				if (!isPageRequest(request)) return NextResponse.json({ error: "Your session is invalid or expired. Please reload the page to sign in again." }, { status: e.statusCode ?? 401 });
+				if (!isPageRequest(request)) return NextResponse.json(INVALID_SESSION_BODY, { status: e.statusCode ?? 401 });
 				const redirectResponse = NextResponse.redirect(new URL(HENOSIA_AUTH_SIGN_IN_PATH_NAME, request.url));
 				removeCachedAccountData(redirectResponse);
 				return redirectResponse;
 			} else {
-				console.error("[Middleware]", e);
+				console.error("[Henosia Auth] Middleware error", e);
 				throw e;
 			}
 		}

package/dist/auth/server-guards.d.mts

@@ -0,0 +1,116 @@
+
+import { HenosiaAuthTokenClaims } from "./server.mjs";
+import { NextRequest, NextResponse } from "next/server.js";
+
+//#region src/auth/server-guards.d.ts
+/**
+ * For Server Components, layouts, and Server Actions.
+ *
+ * Verifies the current user's Henosia Auth token and returns the verified
+ * claims. On unauthorized, redirects to the Henosia sign-in page (the canonical
+ * page-level UX); other errors propagate so Next.js' error boundaries / 500
+ * page take over.
+ *
+ * Wrapped in `React.cache` so multiple components in the same render share a
+ * single verification.
+ *
+ * @example
+ * ```tsx
+ * // app/dashboard/page.tsx
+ * import { requireHenosiaAuth } from '@/lib/henosia-auth'
+ *
+ * export default async function Page() {
+ *   const claims = await requireHenosiaAuth()
+ *   return <Dashboard org={claims['https://henosia.com/organization']} />
+ * }
+ * ```
+ */
+declare const requireHenosiaAuth: () => Promise<HenosiaAuthTokenClaims>;
+/**
+ * Non-redirecting variant of {@link requireHenosiaAuth} for layouts and
+ * conditional UI (e.g., navbars that need to render either a "Sign in" button
+ * or a user menu). Returns `null` when the user is not authenticated; other
+ * errors propagate.
+ *
+ * @example
+ * ```tsx
+ * // app/layout.tsx
+ * import { getHenosiaAuth } from '@/lib/henosia-auth'
+ *
+ * export default async function RootLayout({ children }) {
+ *   const claims = await getHenosiaAuth()
+ *   return <Shell user={claims?.['https://henosia.com/organization']}>{children}</Shell>
+ * }
+ * ```
+ */
+declare const getHenosiaAuth: () => Promise<HenosiaAuthTokenClaims | null>;
+/**
+ * Context object passed to a `routeWithHenosiaAuth` handler
+ */
+interface HenosiaAuthContext {
+  /** Verified Henosia Auth JWT claims (project, organization, preview flag). */
+  payload: HenosiaAuthTokenClaims;
+  /**
+   * OAuth 2.0 access token, e.g. for forwarding to a downstream API as a
+   * `Authorization: Bearer …` header.
+   *
+   * **Security:** this is a bearer credential. Do **not** log it, echo it back
+   * in a response body, embed it in error messages, or persist it. Forward
+   * over TLS to trusted downstream services only. Treat it like a password.
+   */
+  accessToken: string;
+}
+/**
+ * A JSON-serializable value that the wrapper will auto-wrap with `NextResponse.json`.
+ */
+type JsonValue = string | number | boolean | null | JsonValue[] | {
+  [key: string]: JsonValue | undefined;
+};
+/**
+ * Allowed return types from a `routeWithHenosiaAuth` handler:
+ *  - A `Response` (returned verbatim — caller controls status/headers/body).
+ *  - A JSON-serializable value (auto-wrapped via `NextResponse.json`).
+ *  - `void` / `undefined` → translated to a `204 No Content` response.
+ */
+type HandlerReturn = Response | JsonValue | void;
+type RouteParams<TParams> = TParams | Promise<TParams>;
+type Handler<TParams> = (request: NextRequest, ctx: HenosiaAuthContext & {
+  params: TParams;
+}) => HandlerReturn | Promise<HandlerReturn>;
+declare function applySecurityHeaders(response: Response): Response;
+declare function unauthorizedResponse(): NextResponse;
+/**
+ * For Next.js Route Handlers (`app/api/**\/route.ts`).
+ *
+ * Wraps a handler so that:
+ *   - The request is verified up front.
+ *   - On success, the handler receives `{ payload, accessToken, params }` and
+ *     may return either a `Response`, any JSON-serializable value
+ *     (auto-wrapped via `NextResponse.json`), or `undefined` (→ `204
+ *     No Content`).
+ *   - On unauthorized, returns a canonical HTTP `401 Unauthorized` response
+ *     (RFC 7235): never a redirect.
+ *   - On any other error (verifying the token *or* thrown by the handler),
+ *     it's logged with the request's pathname for traceability and a generic
+ *     `500 Internal Server Error` JSON response is returned (no stack /
+ *     internal details leaked) — the same OAuth-shaped contract regardless of
+ *     where the failure originated.
+ *
+ * Preserves the standard Next.js `(request, { params })` signature, including
+ * Next 15's promise-typed `params`.
+ *
+ * @example
+ * ```ts
+ * // app/api/me/route.ts
+ * import { routeWithHenosiaAuth } from '@/lib/henosia-auth'
+ *
+ * export const GET = routeWithHenosiaAuth((_req, { payload }) => ({
+ *   organization: payload['https://henosia.com/organization'],
+ * }))
+ * ```
+ */
+declare function routeWithHenosiaAuth<TParams = Record<string, string | string[] | undefined>>(handler: Handler<TParams>): (request: NextRequest, routeCtx: {
+  params: RouteParams<TParams>;
+}) => Promise<Response>;
+//#endregion
+export { HenosiaAuthContext, applySecurityHeaders, getHenosiaAuth, requireHenosiaAuth, routeWithHenosiaAuth, unauthorizedResponse };

package/dist/auth/server-guards.mjs

@@ -0,0 +1,167 @@
+/*! Copyright (c) 2026 Henosia ApS. Licensed under the Henosia Commercial Source License v1.0. See LICENSE */
+import { HENOSIA_AUTH_SIGN_IN_PATH_NAME } from "../shared.mjs";
+import { isUnauthorizedException, verifyHenosiaAuthToken } from "./server.mjs";
+import { headers } from "next/headers.js";
+import { cache } from "react";
+import { redirect } from "next/navigation.js";
+import { NextResponse } from "next/server.js";
+//#region src/auth/server-guards.ts
+async function buildRequestFromHeaders() {
+	const h = await headers();
+	const url = `${h.get("x-forwarded-proto") ?? "http"}://${h.get("x-forwarded-host") ?? h.get("host") ?? "localhost"}/`;
+	return new Request(url, { headers: h });
+}
+async function verifyClaims() {
+	const { payload } = await verifyHenosiaAuthToken(await buildRequestFromHeaders());
+	return payload;
+}
+/**
+* For Server Components, layouts, and Server Actions.
+*
+* Verifies the current user's Henosia Auth token and returns the verified
+* claims. On unauthorized, redirects to the Henosia sign-in page (the canonical
+* page-level UX); other errors propagate so Next.js' error boundaries / 500
+* page take over.
+*
+* Wrapped in `React.cache` so multiple components in the same render share a
+* single verification.
+*
+* @example
+* ```tsx
+* // app/dashboard/page.tsx
+* import { requireHenosiaAuth } from '@/lib/henosia-auth'
+*
+* export default async function Page() {
+*   const claims = await requireHenosiaAuth()
+*   return <Dashboard org={claims['https://henosia.com/organization']} />
+* }
+* ```
+*/
+const requireHenosiaAuth = cache(async () => {
+	try {
+		return await verifyClaims();
+	} catch (error) {
+		if (isUnauthorizedException(error)) redirect(HENOSIA_AUTH_SIGN_IN_PATH_NAME);
+		throw error;
+	}
+});
+/**
+* Non-redirecting variant of {@link requireHenosiaAuth} for layouts and
+* conditional UI (e.g., navbars that need to render either a "Sign in" button
+* or a user menu). Returns `null` when the user is not authenticated; other
+* errors propagate.
+*
+* @example
+* ```tsx
+* // app/layout.tsx
+* import { getHenosiaAuth } from '@/lib/henosia-auth'
+*
+* export default async function RootLayout({ children }) {
+*   const claims = await getHenosiaAuth()
+*   return <Shell user={claims?.['https://henosia.com/organization']}>{children}</Shell>
+* }
+* ```
+*/
+const getHenosiaAuth = cache(async () => {
+	try {
+		return await verifyClaims();
+	} catch (error) {
+		if (isUnauthorizedException(error)) return null;
+		throw error;
+	}
+});
+/**
+* Headers we attach to *every* response produced by `routeWithHenosiaAuth`
+* (success, 401, 500). Auth-protected JSON is per-user and must not be cached
+* by shared caches (RFC 9111 §5.2.2.7 — `private`) and must not be reused
+* even by the user's own cache (`no-store`). `Vary: Cookie` is the formally
+* correct signal that the response varies on the auth cookie (RFC 9110 §12.5.5).
+*/
+const SECURITY_HEADERS = {
+	"Cache-Control": "private, no-store",
+	"Vary": "Cookie"
+};
+function applySecurityHeaders(response) {
+	for (const [name, value] of Object.entries(SECURITY_HEADERS)) if (!response.headers.has(name)) response.headers.set(name, value);
+	return response;
+}
+function unauthorizedResponse() {
+	return NextResponse.json({
+		error: "invalid_token",
+		error_description: "The access token is missing, invalid, or expired."
+	}, {
+		status: 401,
+		headers: SECURITY_HEADERS
+	});
+}
+function internalServerErrorResponse() {
+	return NextResponse.json({ error: "internal_server_error" }, {
+		status: 500,
+		headers: SECURITY_HEADERS
+	});
+}
+/**
+* For Next.js Route Handlers (`app/api/**\/route.ts`).
+*
+* Wraps a handler so that:
+*   - The request is verified up front.
+*   - On success, the handler receives `{ payload, accessToken, params }` and
+*     may return either a `Response`, any JSON-serializable value
+*     (auto-wrapped via `NextResponse.json`), or `undefined` (→ `204
+*     No Content`).
+*   - On unauthorized, returns a canonical HTTP `401 Unauthorized` response
+*     (RFC 7235): never a redirect.
+*   - On any other error (verifying the token *or* thrown by the handler),
+*     it's logged with the request's pathname for traceability and a generic
+*     `500 Internal Server Error` JSON response is returned (no stack /
+*     internal details leaked) — the same OAuth-shaped contract regardless of
+*     where the failure originated.
+*
+* Preserves the standard Next.js `(request, { params })` signature, including
+* Next 15's promise-typed `params`.
+*
+* @example
+* ```ts
+* // app/api/me/route.ts
+* import { routeWithHenosiaAuth } from '@/lib/henosia-auth'
+*
+* export const GET = routeWithHenosiaAuth((_req, { payload }) => ({
+*   organization: payload['https://henosia.com/organization'],
+* }))
+* ```
+*/
+function routeWithHenosiaAuth(handler) {
+	return async function protectedHandler(request, routeCtx) {
+		let payload;
+		let accessToken;
+		try {
+			const verified = await verifyHenosiaAuthToken(request);
+			payload = verified.payload;
+			accessToken = verified.accessTokenResponse.accessToken;
+		} catch (error) {
+			if (isUnauthorizedException(error)) return unauthorizedResponse();
+			console.error(`[Henosia Auth] Unexpected error verifying token for ${request.method} ${request.nextUrl.pathname}`, error);
+			return internalServerErrorResponse();
+		}
+		let result;
+		try {
+			const params = await routeCtx.params;
+			result = await handler(request, {
+				payload,
+				accessToken,
+				params
+			});
+		} catch (error) {
+			console.error(`[Henosia Auth] Unhandled error in handler for ${request.method} ${request.nextUrl.pathname}`, error);
+			return internalServerErrorResponse();
+		}
+		if (result instanceof Response) return applySecurityHeaders(result);
+		if (result === void 0) return new Response(null, {
+			status: 204,
+			headers: SECURITY_HEADERS
+		});
+		return NextResponse.json(result, { headers: SECURITY_HEADERS });
+	};
+}
+//#endregion
+export { applySecurityHeaders, getHenosiaAuth, requireHenosiaAuth, routeWithHenosiaAuth, unauthorizedResponse };

package/dist/auth/server.d.mts

@@ -1,5 +1,5 @@
 
-import { HenosiaOrganizationContext } from "../shared.mjs";
+import { i as HenosiaOrganizationContext } from "../shared-BWt7Sysv.mjs";
 import { Auth } from "better-auth";
 import { NextRequest, NextResponse } from "next/server.js";
 

package/dist/index.d.mts

@@ -1,4 +1,5 @@
 
-import { HENOSIA_AUTH_GET_SESSION_PATH_NAME, HENOSIA_AUTH_SIGN_IN_PATH_NAME, HENOSIA_ORGANIZATION_CTX_COOKIE, HenosiaOrganizationContext } from "./shared.mjs";
+import { i as HenosiaOrganizationContext, n as HENOSIA_AUTH_SIGN_IN_PATH_NAME, r as HENOSIA_ORGANIZATION_CTX_COOKIE, t as HENOSIA_AUTH_GET_SESSION_PATH_NAME } from "./shared-BWt7Sysv.mjs";
 import { HENOSIA_AUTH_MIDDLEWARE_UNAUTHENTICATED_PATH_NAMES, HENOSIA_AUTH_MIDDLEWARE_UNAUTHENTICATED_PATH_NAME_PREFIXES, HenosiaAuthConfig, HenosiaAuthTokenClaims, auth, cookiePrefix, henosiaAuthConfig, isPageOrRefreshTokenRequest, isPageRequest, isUnauthorizedException, verifyHenosiaAuthToken } from "./auth/server.mjs";
-export { HENOSIA_AUTH_GET_SESSION_PATH_NAME, HENOSIA_AUTH_MIDDLEWARE_UNAUTHENTICATED_PATH_NAMES, HENOSIA_AUTH_MIDDLEWARE_UNAUTHENTICATED_PATH_NAME_PREFIXES, HENOSIA_AUTH_SIGN_IN_PATH_NAME, HENOSIA_ORGANIZATION_CTX_COOKIE, type HenosiaAuthConfig, type HenosiaAuthTokenClaims, type HenosiaOrganizationContext, auth, cookiePrefix, henosiaAuthConfig, isPageOrRefreshTokenRequest, isPageRequest, isUnauthorizedException, verifyHenosiaAuthToken };
+import { HenosiaAuthContext, getHenosiaAuth, requireHenosiaAuth, routeWithHenosiaAuth } from "./auth/server-guards.mjs";
+export { HENOSIA_AUTH_GET_SESSION_PATH_NAME, HENOSIA_AUTH_MIDDLEWARE_UNAUTHENTICATED_PATH_NAMES, HENOSIA_AUTH_MIDDLEWARE_UNAUTHENTICATED_PATH_NAME_PREFIXES, HENOSIA_AUTH_SIGN_IN_PATH_NAME, HENOSIA_ORGANIZATION_CTX_COOKIE, type HenosiaAuthConfig, type HenosiaAuthContext, type HenosiaAuthTokenClaims, type HenosiaOrganizationContext, auth, cookiePrefix, getHenosiaAuth, henosiaAuthConfig, isPageOrRefreshTokenRequest, isPageRequest, isUnauthorizedException, requireHenosiaAuth, routeWithHenosiaAuth, verifyHenosiaAuthToken };

package/dist/index.mjs

@@ -1,4 +1,5 @@
 /*! Copyright (c) 2026 Henosia ApS. Licensed under the Henosia Commercial Source License v1.0. See LICENSE */
 import { HENOSIA_AUTH_GET_SESSION_PATH_NAME, HENOSIA_AUTH_SIGN_IN_PATH_NAME, HENOSIA_ORGANIZATION_CTX_COOKIE } from "./shared.mjs";
 import { HENOSIA_AUTH_MIDDLEWARE_UNAUTHENTICATED_PATH_NAMES, HENOSIA_AUTH_MIDDLEWARE_UNAUTHENTICATED_PATH_NAME_PREFIXES, auth, cookiePrefix, henosiaAuthConfig, isPageOrRefreshTokenRequest, isPageRequest, isUnauthorizedException, verifyHenosiaAuthToken } from "./auth/server.mjs";
-export { HENOSIA_AUTH_GET_SESSION_PATH_NAME, HENOSIA_AUTH_MIDDLEWARE_UNAUTHENTICATED_PATH_NAMES, HENOSIA_AUTH_MIDDLEWARE_UNAUTHENTICATED_PATH_NAME_PREFIXES, HENOSIA_AUTH_SIGN_IN_PATH_NAME, HENOSIA_ORGANIZATION_CTX_COOKIE, auth, cookiePrefix, henosiaAuthConfig, isPageOrRefreshTokenRequest, isPageRequest, isUnauthorizedException, verifyHenosiaAuthToken };
+import { getHenosiaAuth, requireHenosiaAuth, routeWithHenosiaAuth } from "./auth/server-guards.mjs";
+export { HENOSIA_AUTH_GET_SESSION_PATH_NAME, HENOSIA_AUTH_MIDDLEWARE_UNAUTHENTICATED_PATH_NAMES, HENOSIA_AUTH_MIDDLEWARE_UNAUTHENTICATED_PATH_NAME_PREFIXES, HENOSIA_AUTH_SIGN_IN_PATH_NAME, HENOSIA_ORGANIZATION_CTX_COOKIE, auth, cookiePrefix, getHenosiaAuth, henosiaAuthConfig, isPageOrRefreshTokenRequest, isPageRequest, isUnauthorizedException, requireHenosiaAuth, routeWithHenosiaAuth, verifyHenosiaAuthToken };

package/dist/platform/app-switcher.d.mts

@@ -1,5 +1,5 @@
 
-import { HenosiaOrganizationContext } from "../shared.mjs";
+import { i as HenosiaOrganizationContext } from "../shared-BWt7Sysv.mjs";
 
 //#region src/platform/app-switcher.d.ts
 /**

package/dist/shared-BWt7Sysv.d.mts

@@ -0,0 +1,19 @@
+
+//#region src/shared.d.ts
+declare const HENOSIA_AUTH_SIGN_IN_PATH_NAME = "/sign-in";
+/**
+ * The pathname for better-auth's `/get-session` endpoint, used by the React `useSession` hook.
+ *
+ * `useSession` automatically refetches this endpoint on browser tab focus (and optionally on a polling
+ * interval), which we leverage as a built-in keep-alive for the OIDC access/refresh tokens — see
+ * `isPageOrRefreshTokenRequest` and the middleware special-case for this path.
+ */
+declare const HENOSIA_AUTH_GET_SESSION_PATH_NAME = "/api/auth/get-session";
+type HenosiaOrganizationContext = {
+  id: string;
+  name: string;
+  logoUrl: string | null;
+} | null;
+declare const HENOSIA_ORGANIZATION_CTX_COOKIE = "henosia.org";
+//#endregion
+export { HenosiaOrganizationContext as i, HENOSIA_AUTH_SIGN_IN_PATH_NAME as n, HENOSIA_ORGANIZATION_CTX_COOKIE as r, HENOSIA_AUTH_GET_SESSION_PATH_NAME as t };

package/dist/shared.d.mts

@@ -1,19 +1,3 @@
 
-//#region src/shared.d.ts
-declare const HENOSIA_AUTH_SIGN_IN_PATH_NAME = "/sign-in";
-/**
- * The pathname for better-auth's `/get-session` endpoint, used by the React `useSession` hook.
- *
- * `useSession` automatically refetches this endpoint on browser tab focus (and optionally on a polling
- * interval), which we leverage as a built-in keep-alive for the OIDC access/refresh tokens — see
- * `isPageOrRefreshTokenRequest` and the middleware special-case for this path.
- */
-declare const HENOSIA_AUTH_GET_SESSION_PATH_NAME = "/api/auth/get-session";
-type HenosiaOrganizationContext = {
-  id: string;
-  name: string;
-  logoUrl: string | null;
-} | null;
-declare const HENOSIA_ORGANIZATION_CTX_COOKIE = "henosia.org";
-//#endregion
+import { i as HenosiaOrganizationContext, n as HENOSIA_AUTH_SIGN_IN_PATH_NAME, r as HENOSIA_ORGANIZATION_CTX_COOKIE, t as HENOSIA_AUTH_GET_SESSION_PATH_NAME } from "./shared-BWt7Sysv.mjs";
 export { HENOSIA_AUTH_GET_SESSION_PATH_NAME, HENOSIA_AUTH_SIGN_IN_PATH_NAME, HENOSIA_ORGANIZATION_CTX_COOKIE, HenosiaOrganizationContext };

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@henosia/app-next",
-  "version": "1.0.2",
+  "version": "1.0.3",
   "description": "Henosia integration for Next.js apps: Provides Henosia Auth and Henosia Platform features like app switcher",
   "author": "Henosia",
   "license": "SEE LICENSE IN LICENSE",
@@ -67,6 +67,7 @@
     "./auth/client": "./dist/auth/client.mjs",
     "./auth/middleware": "./dist/auth/middleware.mjs",
     "./auth/server": "./dist/auth/server.mjs",
+    "./auth/server-guards": "./dist/auth/server-guards.mjs",
     "./platform/app-switcher": "./dist/platform/app-switcher.mjs",
     "./shared": "./dist/shared.mjs",
     "./supabase/client": "./dist/supabase/client.mjs",