npm - @henosia/app-next - Versions diffs - 1.0.2 → 1.0.4 - Mend

@henosia/app-next 1.0.2 → 1.0.4

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (30) hide show

package/dist/auth/server-guards.mjs ADDED Viewed

@@ -0,0 +1,167 @@
+/*! Copyright (c) 2026 Henosia ApS. Licensed under the Henosia Commercial Source License v1.0. See LICENSE */
+import { HENOSIA_AUTH_SIGN_IN_PATH_NAME } from "../shared.mjs";
+import { isUnauthorizedException, verifyHenosiaAuthToken } from "./server.mjs";
+import { headers } from "next/headers.js";
+import { cache } from "react";
+import { redirect } from "next/navigation.js";
+import { NextResponse } from "next/server.js";
+//#region src/auth/server-guards.ts
+async function buildRequestFromHeaders() {
+	const h = await headers();
+	const url = `${h.get("x-forwarded-proto") ?? "http"}://${h.get("x-forwarded-host") ?? h.get("host") ?? "localhost"}/`;
+	return new Request(url, { headers: h });
+}
+async function verifyClaims() {
+	const { payload } = await verifyHenosiaAuthToken(await buildRequestFromHeaders());
+	return payload;
+}
+/**
+* For Server Components, layouts, and Server Actions.
+*
+* Verifies the current user's Henosia Auth token and returns the verified
+* claims. On unauthorized, redirects to the Henosia sign-in page (the canonical
+* page-level UX); other errors propagate so Next.js' error boundaries / 500
+* page take over.
+*
+* Wrapped in `React.cache` so multiple components in the same render share a
+* single verification.
+*
+* @example
+* ```tsx
+* // app/dashboard/page.tsx
+* import { requireHenosiaAuth } from '@/lib/henosia-auth'
+*
+* export default async function Page() {
+*   const claims = await requireHenosiaAuth()
+*   return <Dashboard org={claims['https://henosia.com/organization']} />
+* }
+* ```
+*/
+const requireHenosiaAuth = cache(async () => {
+	try {
+		return await verifyClaims();
+	} catch (error) {
+		if (isUnauthorizedException(error)) redirect(HENOSIA_AUTH_SIGN_IN_PATH_NAME);
+		throw error;
+	}
+});
+/**
+* Non-redirecting variant of {@link requireHenosiaAuth} for layouts and
+* conditional UI (e.g., navbars that need to render either a "Sign in" button
+* or a user menu). Returns `null` when the user is not authenticated; other
+* errors propagate.
+*
+* @example
+* ```tsx
+* // app/layout.tsx
+* import { getHenosiaAuth } from '@/lib/henosia-auth'
+*
+* export default async function RootLayout({ children }) {
+*   const claims = await getHenosiaAuth()
+*   return <Shell user={claims?.['https://henosia.com/organization']}>{children}</Shell>
+* }
+* ```
+*/
+const getHenosiaAuth = cache(async () => {
+	try {
+		return await verifyClaims();
+	} catch (error) {
+		if (isUnauthorizedException(error)) return null;
+		throw error;
+	}
+});
+/**
+* Headers we attach to *every* response produced by `routeWithHenosiaAuth`
+* (success, 401, 500). Auth-protected JSON is per-user and must not be cached
+* by shared caches (RFC 9111 §5.2.2.7 — `private`) and must not be reused
+* even by the user's own cache (`no-store`). `Vary: Cookie` is the formally
+* correct signal that the response varies on the auth cookie (RFC 9110 §12.5.5).
+*/
+const SECURITY_HEADERS = {
+	"Cache-Control": "private, no-store",
+	"Vary": "Cookie"
+};
+function applySecurityHeaders(response) {
+	for (const [name, value] of Object.entries(SECURITY_HEADERS)) if (!response.headers.has(name)) response.headers.set(name, value);
+	return response;
+}
+function unauthorizedResponse() {
+	return NextResponse.json({
+		error: "invalid_token",
+		error_description: "The access token is missing, invalid, or expired."
+	}, {
+		status: 401,
+		headers: SECURITY_HEADERS
+	});
+}
+function internalServerErrorResponse() {
+	return NextResponse.json({ error: "internal_server_error" }, {
+		status: 500,
+		headers: SECURITY_HEADERS
+	});
+}
+/**
+* For Next.js Route Handlers (`app/api/**\/route.ts`).
+*
+* Wraps a handler so that:
+*   - The request is verified up front.
+*   - On success, the handler receives `{ payload, accessToken, params }` and
+*     may return either a `Response`, any JSON-serializable value
+*     (auto-wrapped via `NextResponse.json`), or `undefined` (→ `204
+*     No Content`).
+*   - On unauthorized, returns a canonical HTTP `401 Unauthorized` response
+*     (RFC 7235): never a redirect.
+*   - On any other error (verifying the token *or* thrown by the handler),
+*     it's logged with the request's pathname for traceability and a generic
+*     `500 Internal Server Error` JSON response is returned (no stack /
+*     internal details leaked) — the same OAuth-shaped contract regardless of
+*     where the failure originated.
+*
+* Preserves the standard Next.js `(request, { params })` signature, including
+* Next 15's promise-typed `params`.
+*
+* @example
+* ```ts
+* // app/api/me/route.ts
+* import { routeWithHenosiaAuth } from '@/lib/henosia-auth'
+*
+* export const GET = routeWithHenosiaAuth((_req, { payload }) => ({
+*   organization: payload['https://henosia.com/organization'],
+* }))
+* ```
+*/
+function routeWithHenosiaAuth(handler) {
+	return async function protectedHandler(request, routeCtx) {
+		let payload;
+		let accessToken;
+		try {
+			const verified = await verifyHenosiaAuthToken(request);
+			payload = verified.payload;
+			accessToken = verified.accessTokenResponse.accessToken;
+		} catch (error) {
+			if (isUnauthorizedException(error)) return unauthorizedResponse();
+			console.error(`[Henosia Auth] Unexpected error verifying token for ${request.method} ${request.nextUrl.pathname}`, error);
+			return internalServerErrorResponse();
+		}
+		let result;
+		try {
+			const params = await routeCtx.params;
+			result = await handler(request, {
+				payload,
+				accessToken,
+				params
+			});
+		} catch (error) {
+			console.error(`[Henosia Auth] Unhandled error in handler for ${request.method} ${request.nextUrl.pathname}`, error);
+			return internalServerErrorResponse();
+		}
+		if (result instanceof Response) return applySecurityHeaders(result);
+		if (result === void 0) return new Response(null, {
+			status: 204,
+			headers: SECURITY_HEADERS
+		});
+		return NextResponse.json(result, { headers: SECURITY_HEADERS });
+	};
+}
+//#endregion
+export { applySecurityHeaders, getHenosiaAuth, requireHenosiaAuth, routeWithHenosiaAuth, unauthorizedResponse };

package/dist/auth/server.d.mts CHANGED Viewed

@@ -1,5 +1,5 @@
-import { HenosiaOrganizationContext } from "../shared.mjs";
+import { i as HenosiaOrganizationContext } from "../shared-BWt7Sysv.mjs";
 import { Auth } from "better-auth";
 import { NextRequest, NextResponse } from "next/server.js";

package/dist/index.d.mts CHANGED Viewed

@@ -1,4 +1,5 @@
-import { HENOSIA_AUTH_GET_SESSION_PATH_NAME, HENOSIA_AUTH_SIGN_IN_PATH_NAME, HENOSIA_ORGANIZATION_CTX_COOKIE, HenosiaOrganizationContext } from "./shared.mjs";
+import { i as HenosiaOrganizationContext, n as HENOSIA_AUTH_SIGN_IN_PATH_NAME, r as HENOSIA_ORGANIZATION_CTX_COOKIE, t as HENOSIA_AUTH_GET_SESSION_PATH_NAME } from "./shared-BWt7Sysv.mjs";
 import { HENOSIA_AUTH_MIDDLEWARE_UNAUTHENTICATED_PATH_NAMES, HENOSIA_AUTH_MIDDLEWARE_UNAUTHENTICATED_PATH_NAME_PREFIXES, HenosiaAuthConfig, HenosiaAuthTokenClaims, auth, cookiePrefix, henosiaAuthConfig, isPageOrRefreshTokenRequest, isPageRequest, isUnauthorizedException, verifyHenosiaAuthToken } from "./auth/server.mjs";
-export { HENOSIA_AUTH_GET_SESSION_PATH_NAME, HENOSIA_AUTH_MIDDLEWARE_UNAUTHENTICATED_PATH_NAMES, HENOSIA_AUTH_MIDDLEWARE_UNAUTHENTICATED_PATH_NAME_PREFIXES, HENOSIA_AUTH_SIGN_IN_PATH_NAME, HENOSIA_ORGANIZATION_CTX_COOKIE, type HenosiaAuthConfig, type HenosiaAuthTokenClaims, type HenosiaOrganizationContext, auth, cookiePrefix, henosiaAuthConfig, isPageOrRefreshTokenRequest, isPageRequest, isUnauthorizedException, verifyHenosiaAuthToken };
+import { HenosiaAuthContext, getHenosiaAuth, requireHenosiaAuth, routeWithHenosiaAuth } from "./auth/server-guards.mjs";
+export { HENOSIA_AUTH_GET_SESSION_PATH_NAME, HENOSIA_AUTH_MIDDLEWARE_UNAUTHENTICATED_PATH_NAMES, HENOSIA_AUTH_MIDDLEWARE_UNAUTHENTICATED_PATH_NAME_PREFIXES, HENOSIA_AUTH_SIGN_IN_PATH_NAME, HENOSIA_ORGANIZATION_CTX_COOKIE, type HenosiaAuthConfig, type HenosiaAuthContext, type HenosiaAuthTokenClaims, type HenosiaOrganizationContext, auth, cookiePrefix, getHenosiaAuth, henosiaAuthConfig, isPageOrRefreshTokenRequest, isPageRequest, isUnauthorizedException, requireHenosiaAuth, routeWithHenosiaAuth, verifyHenosiaAuthToken };

package/dist/index.mjs CHANGED Viewed

@@ -1,4 +1,5 @@
 /*! Copyright (c) 2026 Henosia ApS. Licensed under the Henosia Commercial Source License v1.0. See LICENSE */
 import { HENOSIA_AUTH_GET_SESSION_PATH_NAME, HENOSIA_AUTH_SIGN_IN_PATH_NAME, HENOSIA_ORGANIZATION_CTX_COOKIE } from "./shared.mjs";
 import { HENOSIA_AUTH_MIDDLEWARE_UNAUTHENTICATED_PATH_NAMES, HENOSIA_AUTH_MIDDLEWARE_UNAUTHENTICATED_PATH_NAME_PREFIXES, auth, cookiePrefix, henosiaAuthConfig, isPageOrRefreshTokenRequest, isPageRequest, isUnauthorizedException, verifyHenosiaAuthToken } from "./auth/server.mjs";
-export { HENOSIA_AUTH_GET_SESSION_PATH_NAME, HENOSIA_AUTH_MIDDLEWARE_UNAUTHENTICATED_PATH_NAMES, HENOSIA_AUTH_MIDDLEWARE_UNAUTHENTICATED_PATH_NAME_PREFIXES, HENOSIA_AUTH_SIGN_IN_PATH_NAME, HENOSIA_ORGANIZATION_CTX_COOKIE, auth, cookiePrefix, henosiaAuthConfig, isPageOrRefreshTokenRequest, isPageRequest, isUnauthorizedException, verifyHenosiaAuthToken };
+import { getHenosiaAuth, requireHenosiaAuth, routeWithHenosiaAuth } from "./auth/server-guards.mjs";
+export { HENOSIA_AUTH_GET_SESSION_PATH_NAME, HENOSIA_AUTH_MIDDLEWARE_UNAUTHENTICATED_PATH_NAMES, HENOSIA_AUTH_MIDDLEWARE_UNAUTHENTICATED_PATH_NAME_PREFIXES, HENOSIA_AUTH_SIGN_IN_PATH_NAME, HENOSIA_ORGANIZATION_CTX_COOKIE, auth, cookiePrefix, getHenosiaAuth, henosiaAuthConfig, isPageOrRefreshTokenRequest, isPageRequest, isUnauthorizedException, requireHenosiaAuth, routeWithHenosiaAuth, verifyHenosiaAuthToken };

package/dist/platform/app-switcher.d.mts CHANGED Viewed

@@ -1,5 +1,5 @@
-import { HenosiaOrganizationContext } from "../shared.mjs";
+import { i as HenosiaOrganizationContext } from "../shared-BWt7Sysv.mjs";
 //#region src/platform/app-switcher.d.ts
 /**

package/dist/shared-BWt7Sysv.d.mts ADDED Viewed

@@ -0,0 +1,19 @@
+//#region src/shared.d.ts
+declare const HENOSIA_AUTH_SIGN_IN_PATH_NAME = "/sign-in";
+/**
+ * The pathname for better-auth's `/get-session` endpoint, used by the React `useSession` hook.
+ *
+ * `useSession` automatically refetches this endpoint on browser tab focus (and optionally on a polling
+ * interval), which we leverage as a built-in keep-alive for the OIDC access/refresh tokens — see
+ * `isPageOrRefreshTokenRequest` and the middleware special-case for this path.
+ */
+declare const HENOSIA_AUTH_GET_SESSION_PATH_NAME = "/api/auth/get-session";
+type HenosiaOrganizationContext = {
+  id: string;
+  name: string;
+  logoUrl: string | null;
+} | null;
+declare const HENOSIA_ORGANIZATION_CTX_COOKIE = "henosia.org";
+//#endregion
+export { HenosiaOrganizationContext as i, HENOSIA_AUTH_SIGN_IN_PATH_NAME as n, HENOSIA_ORGANIZATION_CTX_COOKIE as r, HENOSIA_AUTH_GET_SESSION_PATH_NAME as t };

package/dist/shared.d.mts CHANGED Viewed

@@ -1,19 +1,3 @@
-//#region src/shared.d.ts
-declare const HENOSIA_AUTH_SIGN_IN_PATH_NAME = "/sign-in";
-/**
- * The pathname for better-auth's `/get-session` endpoint, used by the React `useSession` hook.
- *
- * `useSession` automatically refetches this endpoint on browser tab focus (and optionally on a polling
- * interval), which we leverage as a built-in keep-alive for the OIDC access/refresh tokens — see
- * `isPageOrRefreshTokenRequest` and the middleware special-case for this path.
- */
-declare const HENOSIA_AUTH_GET_SESSION_PATH_NAME = "/api/auth/get-session";
-type HenosiaOrganizationContext = {
-  id: string;
-  name: string;
-  logoUrl: string | null;
-} | null;
-declare const HENOSIA_ORGANIZATION_CTX_COOKIE = "henosia.org";
-//#endregion
+import { i as HenosiaOrganizationContext, n as HENOSIA_AUTH_SIGN_IN_PATH_NAME, r as HENOSIA_ORGANIZATION_CTX_COOKIE, t as HENOSIA_AUTH_GET_SESSION_PATH_NAME } from "./shared-BWt7Sysv.mjs";
 export { HENOSIA_AUTH_GET_SESSION_PATH_NAME, HENOSIA_AUTH_SIGN_IN_PATH_NAME, HENOSIA_ORGANIZATION_CTX_COOKIE, HenosiaOrganizationContext };

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@henosia/app-next",
-  "version": "1.0.2",
+  "version": "1.0.4",
   "description": "Henosia integration for Next.js apps: Provides Henosia Auth and Henosia Platform features like app switcher",
   "author": "Henosia",
   "license": "SEE LICENSE IN LICENSE",
@@ -15,6 +15,7 @@
   "type": "module",
   "files": [
     "dist",
+    ".agents/skills",
     "LICENSE"
   ],
   "scripts": {
@@ -67,6 +68,7 @@
     "./auth/client": "./dist/auth/client.mjs",
     "./auth/middleware": "./dist/auth/middleware.mjs",
     "./auth/server": "./dist/auth/server.mjs",
+    "./auth/server-guards": "./dist/auth/server-guards.mjs",
     "./platform/app-switcher": "./dist/platform/app-switcher.mjs",
     "./shared": "./dist/shared.mjs",
     "./supabase/client": "./dist/supabase/client.mjs",