@henosia/app-next 1.0.4 → 1.0.6

package/dist/auth/server.mjs

@@ -1,5 +1,6 @@
 /*! Copyright (c) 2026 Henosia ApS. Licensed under the Henosia Commercial Source License v1.0. See LICENSE */
-import { HENOSIA_AUTH_GET_SESSION_PATH_NAME, HENOSIA_AUTH_SIGN_IN_PATH_NAME } from "../shared.mjs";
+import { HENOSIA_AUTH_GET_SESSION_PATH_NAME } from "../shared.mjs";
+import { i as cookiePrefix, l as getRequiredEnvValue, n as HENOSIA_AUTH_MIDDLEWARE_UNAUTHENTICATED_PATH_NAME_PREFIXES, s as isPageRequest, t as HENOSIA_AUTH_MIDDLEWARE_UNAUTHENTICATED_PATH_NAMES } from "../middleware-shared-CZbIZuBw.mjs";
 import { APIError, betterAuth } from "better-auth";
 import { createAuthMiddleware } from "better-auth/api";
 import { bearer, genericOAuth, jwt } from "better-auth/plugins";
@@ -7,38 +8,8 @@ import { nextCookies } from "better-auth/next-js";
 import { verifyAccessToken } from "better-auth/oauth2";
 import { parseSetCookieHeader } from "better-auth/cookies";
 import { AsyncLocalStorage } from "node:async_hooks";
-import { headers } from "next/headers.js";
 //#region src/auth/server.ts
 /**
-* URL pathname values that should not check for auth in middleware, e.g. the sign-in page.
-* Additional pathname values can be added for public paths, but ONLY if they should not be intercepted by the
-* middleware auth pre-check and redirect.
-*/
-const HENOSIA_AUTH_MIDDLEWARE_UNAUTHENTICATED_PATH_NAMES = new Set([HENOSIA_AUTH_SIGN_IN_PATH_NAME]);
-if (HENOSIA_AUTH_MIDDLEWARE_UNAUTHENTICATED_PATH_NAMES.has("/")) throw new Error(`[Henosia Auth] Invalid path name '/'. Values must be non-root paths`);
-/**
-* URL pathname prefixes that should not be blocked by auth in middleware, e.g. the better-auth API routes used to sign in.
-* Additional pathname prefixes can be added for public paths, but ONLY if they should not be intercepted by the
-* middleware auth pre-check and redirect. Include the relevant `/` ending character to prevent unexpected partial
-* route matches.
-*/
-const HENOSIA_AUTH_MIDDLEWARE_UNAUTHENTICATED_PATH_NAME_PREFIXES = ["/api/auth/", "/.well-known/"];
-if (HENOSIA_AUTH_MIDDLEWARE_UNAUTHENTICATED_PATH_NAME_PREFIXES.find((p) => p === "/" || !p.trim() || !p.endsWith("/"))) throw new Error("[Henosia Auth] Invalid path name prefixes. Values must be non-empty sub paths ending with slash");
-const requiredEnvProxy = new Proxy(process.env, { get(target, property, receiver) {
-	const value = Reflect.get(target, property, receiver);
-	if (!value || typeof value !== "string") throw new Error(`[Henosia Auth] Missing required env var: ${property.toString()}`);
-	return value;
-} });
-function getRequiredEnvValue(getter, fallback) {
-	try {
-		return { get: () => getter(requiredEnvProxy) };
-	} catch (e) {
-		if (fallback) return { get: () => fallback };
-		console.log(e.message);
-		throw e;
-	}
-}
-/**
 * Environment-provided configuration for Henosia Auth.
 * When the consuming app runs in the Henosia preview, the env vars are provided by the runtime environment and should not be
 * hard-coded or present in the `.env.local` file. The Henosia Publish feature automatically sets production versions of
@@ -56,16 +27,6 @@ const henosiaAuthConfig = {
 	projectId: getRequiredEnvValue((env) => env.HENOSIA_AUTH_PROJECT_ID)
 };
 /**
-* Gets whether the specified request is for a page (a top level page or iframe page)
-*/
-function isPageRequest(request) {
-	const dest = request.headers.get("Sec-Fetch-Dest");
-	if (dest === "document" || dest === "iframe" || dest === "fencedframe") return true;
-	const isRsc = request.headers.get("RSC") === "1";
-	const isPrefetch = request.headers.get("Next-Router-Prefetch") === "1";
-	return isRsc && !isPrefetch;
-}
-/**
 * Gets whether the specified request is allowed to spend the single-use OIDC refresh token to obtain a new
 * access token.
 *
@@ -76,7 +37,6 @@ function isPageOrRefreshTokenRequest(request) {
 }
 const currentRequestStorage = new AsyncLocalStorage();
 let henosiaOAuthProviderInitialized = false;
-const cookiePrefix = `henosia-auth-${henosiaAuthConfig.projectId.get()}`;
 const authInstance = betterAuth({
 	baseURL: henosiaAuthConfig.baseURL.get(),
 	secret: henosiaAuthConfig.secret.get(),
@@ -162,44 +122,45 @@ const auth = authInstance;
 * @throws APIError when the current credentials are missing or invalid
 */
 async function verifyHenosiaAuthToken(request) {
-	currentRequestStorage.enterWith(request);
-	const { response: accessTokenResponse, headers: accessTokenResponseHeaders } = await authInstance.api.getAccessToken({
-		body: { providerId: henosiaAuthConfig.provider },
-		headers: await headers(),
-		returnHeaders: true
-	});
-	if (!accessTokenResponse.idToken) throw new APIError("UNAUTHORIZED", { message: "No id_token returned for openid scope" });
-	const payload = await verifyAccessToken(accessTokenResponse.idToken, {
-		jwksUrl: `${henosiaAuthConfig.henosiaAuthPlatformServiceBaseUrl.get()}/api/auth/jwks`,
-		verifyOptions: {
-			audience: henosiaAuthConfig.clientId.get(),
-			issuer: `${henosiaAuthConfig.henosiaAuthPlatformServiceBaseUrl.get()}/api/auth`
-		}
-	});
-	const { "https://henosia.com/project": projectId } = payload;
-	if (!projectId) throw new APIError("UNAUTHORIZED", { message: "token does not grant access" });
-	if (!henosiaAuthConfig.projectId) throw new APIError("INTERNAL_SERVER_ERROR", { message: "HENOSIA_AUTH_PROJECT_ID env var has not been set" });
-	if (henosiaAuthConfig.projectId.get() !== projectId) throw new APIError("UNAUTHORIZED", { message: "token has invalid projectId" });
-	const setCookieHeaders = accessTokenResponseHeaders.getSetCookie();
-	const transferBetterAuthCookiesToNext = (nextRequest, response) => {
-		for (const cookie of setCookieHeaders) parseSetCookieHeader(cookie).forEach((attributes, name) => {
-			const { value, ...betterOptions } = attributes;
-			const options = {
-				...betterOptions,
-				maxAge: betterOptions["max-age"],
-				httpOnly: betterOptions.httponly,
-				sameSite: betterOptions.samesite
-			};
-			nextRequest.cookies.set(name, value);
-			response.cookies.set(name, value, options);
+	return await currentRequestStorage.run(request, async () => {
+		const { response: accessTokenResponse, headers: accessTokenResponseHeaders } = await authInstance.api.getAccessToken({
+			body: { providerId: henosiaAuthConfig.provider },
+			headers: request.headers,
+			returnHeaders: true
 		});
-	};
-	return {
-		accessTokenResponse,
-		payload,
-		setCookieHeaders,
-		transferBetterAuthCookiesToNext
-	};
+		if (!accessTokenResponse.idToken) throw new APIError("UNAUTHORIZED", { message: "No id_token returned for openid scope" });
+		const payload = await verifyAccessToken(accessTokenResponse.idToken, {
+			jwksUrl: `${henosiaAuthConfig.henosiaAuthPlatformServiceBaseUrl.get()}/api/auth/jwks`,
+			verifyOptions: {
+				audience: henosiaAuthConfig.clientId.get(),
+				issuer: `${henosiaAuthConfig.henosiaAuthPlatformServiceBaseUrl.get()}/api/auth`
+			}
+		});
+		const { "https://henosia.com/project": projectId } = payload;
+		if (!projectId) throw new APIError("UNAUTHORIZED", { message: "token does not grant access" });
+		if (!henosiaAuthConfig.projectId) throw new APIError("INTERNAL_SERVER_ERROR", { message: "HENOSIA_AUTH_PROJECT_ID env var has not been set" });
+		if (henosiaAuthConfig.projectId.get() !== projectId) throw new APIError("UNAUTHORIZED", { message: "token has invalid projectId" });
+		const setCookieHeaders = accessTokenResponseHeaders.getSetCookie();
+		const transferBetterAuthCookiesToNext = (nextRequest, response) => {
+			for (const cookie of setCookieHeaders) parseSetCookieHeader(cookie).forEach((attributes, name) => {
+				const { value, ...betterOptions } = attributes;
+				const options = {
+					...betterOptions,
+					maxAge: betterOptions["max-age"],
+					httpOnly: betterOptions.httponly,
+					sameSite: betterOptions.samesite
+				};
+				nextRequest.cookies.set(name, value);
+				response.cookies.set(name, value, options);
+			});
+		};
+		return {
+			accessTokenResponse,
+			payload,
+			setCookieHeaders,
+			transferBetterAuthCookiesToNext
+		};
+	});
 }
 const unauthorizedExceptionCodes = new Set(["ACCOUNT_NOT_FOUND", "FAILED_TO_GET_ACCESS_TOKEN"]);
 /**

package/dist/index.d.mts

@@ -1,5 +1,5 @@
 
-import { i as HenosiaOrganizationContext, n as HENOSIA_AUTH_SIGN_IN_PATH_NAME, r as HENOSIA_ORGANIZATION_CTX_COOKIE, t as HENOSIA_AUTH_GET_SESSION_PATH_NAME } from "./shared-BWt7Sysv.mjs";
-import { HENOSIA_AUTH_MIDDLEWARE_UNAUTHENTICATED_PATH_NAMES, HENOSIA_AUTH_MIDDLEWARE_UNAUTHENTICATED_PATH_NAME_PREFIXES, HenosiaAuthConfig, HenosiaAuthTokenClaims, auth, cookiePrefix, henosiaAuthConfig, isPageOrRefreshTokenRequest, isPageRequest, isUnauthorizedException, verifyHenosiaAuthToken } from "./auth/server.mjs";
+import { c as HENOSIA_ORGANIZATION_CTX_COOKIE, l as HenosiaOrganizationContext, n as HENOSIA_AUTH_INVALID_SESSION_BODY, o as HENOSIA_AUTH_SESSION_SYNC_PATH_NAME, s as HENOSIA_AUTH_SIGN_IN_PATH_NAME, t as HENOSIA_AUTH_GET_SESSION_PATH_NAME } from "./shared-BWPBaubT.mjs";
+import { a as isPageOrRefreshTokenRequest, c as HENOSIA_AUTH_MIDDLEWARE_UNAUTHENTICATED_PATH_NAMES, d as isPageRequest, i as henosiaAuthConfig, l as HENOSIA_AUTH_MIDDLEWARE_UNAUTHENTICATED_PATH_NAME_PREFIXES, n as HenosiaAuthTokenClaims, o as isUnauthorizedException, r as auth, s as verifyHenosiaAuthToken, t as HenosiaAuthConfig, u as cookiePrefix } from "./server-DfD6Dc91.mjs";
 import { HenosiaAuthContext, getHenosiaAuth, requireHenosiaAuth, routeWithHenosiaAuth } from "./auth/server-guards.mjs";
-export { HENOSIA_AUTH_GET_SESSION_PATH_NAME, HENOSIA_AUTH_MIDDLEWARE_UNAUTHENTICATED_PATH_NAMES, HENOSIA_AUTH_MIDDLEWARE_UNAUTHENTICATED_PATH_NAME_PREFIXES, HENOSIA_AUTH_SIGN_IN_PATH_NAME, HENOSIA_ORGANIZATION_CTX_COOKIE, type HenosiaAuthConfig, type HenosiaAuthContext, type HenosiaAuthTokenClaims, type HenosiaOrganizationContext, auth, cookiePrefix, getHenosiaAuth, henosiaAuthConfig, isPageOrRefreshTokenRequest, isPageRequest, isUnauthorizedException, requireHenosiaAuth, routeWithHenosiaAuth, verifyHenosiaAuthToken };
+export { HENOSIA_AUTH_GET_SESSION_PATH_NAME, HENOSIA_AUTH_INVALID_SESSION_BODY, HENOSIA_AUTH_MIDDLEWARE_UNAUTHENTICATED_PATH_NAMES, HENOSIA_AUTH_MIDDLEWARE_UNAUTHENTICATED_PATH_NAME_PREFIXES, HENOSIA_AUTH_SESSION_SYNC_PATH_NAME, HENOSIA_AUTH_SIGN_IN_PATH_NAME, HENOSIA_ORGANIZATION_CTX_COOKIE, type HenosiaAuthConfig, type HenosiaAuthContext, type HenosiaAuthTokenClaims, type HenosiaOrganizationContext, auth, cookiePrefix, getHenosiaAuth, henosiaAuthConfig, isPageOrRefreshTokenRequest, isPageRequest, isUnauthorizedException, requireHenosiaAuth, routeWithHenosiaAuth, verifyHenosiaAuthToken };

package/dist/index.mjs

@@ -1,5 +1,6 @@
 /*! Copyright (c) 2026 Henosia ApS. Licensed under the Henosia Commercial Source License v1.0. See LICENSE */
-import { HENOSIA_AUTH_GET_SESSION_PATH_NAME, HENOSIA_AUTH_SIGN_IN_PATH_NAME, HENOSIA_ORGANIZATION_CTX_COOKIE } from "./shared.mjs";
-import { HENOSIA_AUTH_MIDDLEWARE_UNAUTHENTICATED_PATH_NAMES, HENOSIA_AUTH_MIDDLEWARE_UNAUTHENTICATED_PATH_NAME_PREFIXES, auth, cookiePrefix, henosiaAuthConfig, isPageOrRefreshTokenRequest, isPageRequest, isUnauthorizedException, verifyHenosiaAuthToken } from "./auth/server.mjs";
+import { HENOSIA_AUTH_GET_SESSION_PATH_NAME, HENOSIA_AUTH_INVALID_SESSION_BODY, HENOSIA_AUTH_SESSION_SYNC_PATH_NAME, HENOSIA_AUTH_SIGN_IN_PATH_NAME, HENOSIA_ORGANIZATION_CTX_COOKIE } from "./shared.mjs";
+import { i as cookiePrefix, n as HENOSIA_AUTH_MIDDLEWARE_UNAUTHENTICATED_PATH_NAME_PREFIXES, s as isPageRequest, t as HENOSIA_AUTH_MIDDLEWARE_UNAUTHENTICATED_PATH_NAMES } from "./middleware-shared-CZbIZuBw.mjs";
+import { auth, henosiaAuthConfig, isPageOrRefreshTokenRequest, isUnauthorizedException, verifyHenosiaAuthToken } from "./auth/server.mjs";
 import { getHenosiaAuth, requireHenosiaAuth, routeWithHenosiaAuth } from "./auth/server-guards.mjs";
-export { HENOSIA_AUTH_GET_SESSION_PATH_NAME, HENOSIA_AUTH_MIDDLEWARE_UNAUTHENTICATED_PATH_NAMES, HENOSIA_AUTH_MIDDLEWARE_UNAUTHENTICATED_PATH_NAME_PREFIXES, HENOSIA_AUTH_SIGN_IN_PATH_NAME, HENOSIA_ORGANIZATION_CTX_COOKIE, auth, cookiePrefix, getHenosiaAuth, henosiaAuthConfig, isPageOrRefreshTokenRequest, isPageRequest, isUnauthorizedException, requireHenosiaAuth, routeWithHenosiaAuth, verifyHenosiaAuthToken };
+export { HENOSIA_AUTH_GET_SESSION_PATH_NAME, HENOSIA_AUTH_INVALID_SESSION_BODY, HENOSIA_AUTH_MIDDLEWARE_UNAUTHENTICATED_PATH_NAMES, HENOSIA_AUTH_MIDDLEWARE_UNAUTHENTICATED_PATH_NAME_PREFIXES, HENOSIA_AUTH_SESSION_SYNC_PATH_NAME, HENOSIA_AUTH_SIGN_IN_PATH_NAME, HENOSIA_ORGANIZATION_CTX_COOKIE, auth, cookiePrefix, getHenosiaAuth, henosiaAuthConfig, isPageOrRefreshTokenRequest, isPageRequest, isUnauthorizedException, requireHenosiaAuth, routeWithHenosiaAuth, verifyHenosiaAuthToken };

package/dist/middleware-shared-CZbIZuBw.mjs

@@ -0,0 +1,140 @@
+/*! Copyright (c) 2026 Henosia ApS. Licensed under the Henosia Commercial Source License v1.0. See LICENSE */
+import { HENOSIA_AUTH_SIGN_IN_PATH_NAME } from "./shared.mjs";
+import "next/server.js";
+//#region src/auth/env.ts
+const requiredEnvProxy = new Proxy(process.env, { get(target, property, receiver) {
+	const value = Reflect.get(target, property, receiver);
+	if (!value || typeof value !== "string") throw new Error(`[Henosia Auth] Missing required env var: ${property.toString()}`);
+	return value;
+} });
+function getRequiredEnvValue(getter, fallback) {
+	return { get: () => {
+		try {
+			return getter(requiredEnvProxy);
+		} catch (e) {
+			if (fallback !== void 0) return fallback;
+			console.log(e.message);
+			throw e;
+		}
+	} };
+}
+//#endregion
+//#region src/auth/middleware-shared.ts
+/**
+* URL pathname values that should not check for auth in middleware, e.g. the sign-in page.
+* Additional pathname values can be added for public paths, but ONLY if they should not be intercepted by the
+* middleware auth pre-check and redirect.
+*/
+const HENOSIA_AUTH_MIDDLEWARE_UNAUTHENTICATED_PATH_NAMES = new Set([HENOSIA_AUTH_SIGN_IN_PATH_NAME]);
+if (HENOSIA_AUTH_MIDDLEWARE_UNAUTHENTICATED_PATH_NAMES.has("/")) throw new Error(`[Henosia Auth] Invalid path name '/'. Values must be non-root paths`);
+/**
+* URL pathname prefixes that should not be blocked by auth in middleware, e.g. the better-auth API routes used to sign in.
+* Additional pathname prefixes can be added for public paths, but ONLY if they should not be intercepted by the
+* middleware auth pre-check and redirect. Include the relevant `/` ending character to prevent unexpected partial
+* route matches.
+*/
+const HENOSIA_AUTH_MIDDLEWARE_UNAUTHENTICATED_PATH_NAME_PREFIXES = ["/api/auth/", "/.well-known/"];
+if (HENOSIA_AUTH_MIDDLEWARE_UNAUTHENTICATED_PATH_NAME_PREFIXES.find((p) => p === "/" || !p.trim() || !p.endsWith("/"))) throw new Error("[Henosia Auth] Invalid path name prefixes. Values must be non-empty sub paths ending with slash");
+const middlewareConfig = {
+	baseURL: getRequiredEnvValue((env) => env.BETTER_AUTH_URL),
+	projectId: getRequiredEnvValue((env) => env.HENOSIA_AUTH_PROJECT_ID)
+};
+const cookiePrefix = `henosia-auth-${middlewareConfig.projectId.get()}`;
+function parseCookies(cookieHeader) {
+	const cookieMap = /* @__PURE__ */ new Map();
+	for (const cookie of cookieHeader.split(/;\s*/)) {
+		const [name, value] = cookie.split(/=(.*)/s);
+		if (name) cookieMap.set(name, value);
+	}
+	return cookieMap;
+}
+/**
+* Lightweight Better Auth session-cookie lookup for Next.js middleware.
+*
+* This intentionally mirrors Better Auth's `getSessionCookie` naming rules without importing
+* `better-auth/cookies`, because that module imports JWT helpers at module scope and pulls the
+* server auth graph into Edge middleware bundles.
+*/
+function getHenosiaSessionCookie(request) {
+	const cookies = request.headers.get("cookie");
+	if (!cookies) return null;
+	const parsedCookie = parseCookies(cookies);
+	const getCookie = (name) => parsedCookie.get(name) || parsedCookie.get(`__Secure-${name}`);
+	return getCookie(`${cookiePrefix}.session_token`) || getCookie(`${cookiePrefix}-session_token`) || null;
+}
+/**
+* Gets whether the specified request is for a page (a top level page or iframe page).
+*/
+function isPageRequest(request) {
+	const { headers } = request;
+	const dest = headers.get("X-Henosia-Fetch-Dest") ?? headers.get("Sec-Fetch-Dest");
+	if (dest === "document" || dest === "iframe" || dest === "fencedframe") return true;
+	const isRsc = request.headers.get("RSC") === "1";
+	const isPrefetch = request.headers.get("Next-Router-Prefetch") === "1";
+	return isRsc && !isPrefetch;
+}
+function getSetCookieHeaders(headers) {
+	const getSetCookie = headers.getSetCookie?.();
+	if (getSetCookie?.length) return getSetCookie;
+	const setCookie = headers.get("set-cookie");
+	return setCookie ? splitSetCookieHeader(setCookie) : [];
+}
+function splitSetCookieHeader(setCookieHeader) {
+	const cookies = [];
+	let start = 0;
+	for (let i = 0; i < setCookieHeader.length; i += 1) {
+		if (setCookieHeader[i] !== ",") continue;
+		let cursor = i + 1;
+		while (cursor < setCookieHeader.length && setCookieHeader[cursor] === " ") cursor += 1;
+		while (cursor < setCookieHeader.length && setCookieHeader[cursor] !== "=" && setCookieHeader[cursor] !== ";" && setCookieHeader[cursor] !== ",") cursor += 1;
+		if (setCookieHeader[cursor] === "=") {
+			cookies.push(setCookieHeader.slice(start, i).trim());
+			start = i + 1;
+		}
+	}
+	const lastCookie = setCookieHeader.slice(start).trim();
+	if (lastCookie) cookies.push(lastCookie);
+	return cookies;
+}
+function applySetCookieHeadersToRequestHeaders(requestHeaders, setCookieHeaders) {
+	if (!setCookieHeaders.length) return;
+	const cookies = parseCookies(requestHeaders.get("cookie") ?? "");
+	for (const setCookie of setCookieHeaders) {
+		const parsed = parseSetCookie(setCookie);
+		if (!parsed) continue;
+		if (parsed.deleted) cookies.delete(parsed.name);
+		else cookies.set(parsed.name, parsed.value);
+	}
+	requestHeaders.set("cookie", Array.from(cookies.entries()).map(([name, value]) => `${name}=${value}`).join("; "));
+}
+function parseSetCookie(setCookie) {
+	const [cookiePair, ...attributes] = setCookie.split(";");
+	if (!cookiePair) return null;
+	const [name, value] = cookiePair.trim().split(/=(.*)/s);
+	if (!name) return null;
+	const deleted = attributes.some((attribute) => {
+		const normalized = attribute.trim().toLowerCase();
+		return normalized === "max-age=0" || normalized.startsWith("expires=thu, 01 jan 1970");
+	});
+	return {
+		name,
+		value: value ?? "",
+		deleted
+	};
+}
+/**
+* Removes potentially invalid cached account data from cookies before the next better-auth sign in attempt.
+*/
+function removeCachedAccountData(response) {
+	const baseURL = middlewareConfig.baseURL.get();
+	const secure = baseURL.startsWith("https");
+	const name = `${secure ? "__Secure-" : ""}${cookiePrefix}.account_data`;
+	response.cookies.delete({
+		name,
+		secure,
+		httpOnly: true,
+		domain: new URL(baseURL).hostname
+	});
+}
+//#endregion
+export { getHenosiaSessionCookie as a, removeCachedAccountData as c, cookiePrefix as i, getRequiredEnvValue as l, HENOSIA_AUTH_MIDDLEWARE_UNAUTHENTICATED_PATH_NAME_PREFIXES as n, getSetCookieHeaders as o, applySetCookieHeadersToRequestHeaders as r, isPageRequest as s, HENOSIA_AUTH_MIDDLEWARE_UNAUTHENTICATED_PATH_NAMES as t };

package/dist/platform/app-switcher.d.mts

@@ -1,5 +1,5 @@
 
-import { i as HenosiaOrganizationContext } from "../shared-BWt7Sysv.mjs";
+import { l as HenosiaOrganizationContext } from "../shared-BWPBaubT.mjs";
 
 //#region src/platform/app-switcher.d.ts
 /**
@@ -23,10 +23,7 @@ interface AppSwitcherAppGroup {
  */
 interface AppSwitcherSuccessResponse {
   groupedApps: AppSwitcherAppGroup[];
-  organization: {
-    id: string;
-    name: string;
-  };
+  organization: HenosiaOrganizationContext;
 }
 /**
  * Error response shape returned by `/api/henosia-platform/v1/app-switcher`.
@@ -51,8 +48,8 @@ interface UseAppSwitcherOptions {
  */
 interface UseAppSwitcherResult {
   /**
-   * The current organization context, derived from the {@link HENOSIA_ORGANIZATION_CTX_COOKIE} cookie set by the
-   * Henosia Auth middleware. `null` until the cookie has been read (or if no organization is in context).
+   * The current organization context, derived from the app-switcher response or the cached
+   * {@link HENOSIA_ORGANIZATION_CTX_COOKIE} cookie. `null` until either source is available.
    */
   organization: HenosiaOrganizationContext;
   /**
@@ -71,9 +68,9 @@ interface UseAppSwitcherResult {
 /**
  * React hook backing the Henosia app-switcher UI.
  *
- * Reads the current organization context from the {@link HENOSIA_ORGANIZATION_CTX_COOKIE} cookie and queries
- * the Henosia Platform `app-switcher` endpoint mounted at `/api/henosia-platform/v1/app-switcher` (provided by
- * `@henosia/app-next/api/platform`).
+ * Reads the cached organization context from the {@link HENOSIA_ORGANIZATION_CTX_COOKIE} cookie and queries the
+ * Henosia Platform `app-switcher` endpoint mounted at `/api/henosia-platform/v1/app-switcher` (provided by
+ * `@henosia/app-next/api/platform`). Once loaded, the verified API response is preferred over the cached cookie.
  *
  *
  * @example

package/dist/platform/app-switcher.mjs

@@ -24,9 +24,9 @@ async function fetchAppSwitcher() {
 /**
 * React hook backing the Henosia app-switcher UI.
 *
-* Reads the current organization context from the {@link HENOSIA_ORGANIZATION_CTX_COOKIE} cookie and queries
-* the Henosia Platform `app-switcher` endpoint mounted at `/api/henosia-platform/v1/app-switcher` (provided by
-* `@henosia/app-next/api/platform`).
+* Reads the cached organization context from the {@link HENOSIA_ORGANIZATION_CTX_COOKIE} cookie and queries the
+* Henosia Platform `app-switcher` endpoint mounted at `/api/henosia-platform/v1/app-switcher` (provided by
+* `@henosia/app-next/api/platform`). Once loaded, the verified API response is preferred over the cached cookie.
 *
 *
 * @example
@@ -64,7 +64,7 @@ function useAppSwitcher(options) {
 		enabled
 	});
 	return {
-		organization,
+		organization: data?.organization ?? organization,
 		groupedApps: data?.groupedApps ?? [],
 		error,
 		isLoading

package/dist/server-DfD6Dc91.d.mts

@@ -0,0 +1,112 @@
+
+import { l as HenosiaOrganizationContext } from "./shared-BWPBaubT.mjs";
+import { Auth } from "better-auth";
+import { NextRequest, NextResponse } from "next/server.js";
+
+//#region src/auth/env.d.ts
+type EnvLiveGetString = {
+  get(): string;
+};
+//#endregion
+//#region src/auth/middleware-shared.d.ts
+/**
+ * URL pathname values that should not check for auth in middleware, e.g. the sign-in page.
+ * Additional pathname values can be added for public paths, but ONLY if they should not be intercepted by the
+ * middleware auth pre-check and redirect.
+ */
+declare const HENOSIA_AUTH_MIDDLEWARE_UNAUTHENTICATED_PATH_NAMES: Set<string>;
+/**
+ * URL pathname prefixes that should not be blocked by auth in middleware, e.g. the better-auth API routes used to sign in.
+ * Additional pathname prefixes can be added for public paths, but ONLY if they should not be intercepted by the
+ * middleware auth pre-check and redirect. Include the relevant `/` ending character to prevent unexpected partial
+ * route matches.
+ */
+declare const HENOSIA_AUTH_MIDDLEWARE_UNAUTHENTICATED_PATH_NAME_PREFIXES: string[];
+declare const cookiePrefix: `henosia-auth-${string}`;
+/**
+ * Gets whether the specified request is for a page (a top level page or iframe page).
+ */
+declare function isPageRequest(request: Request): boolean;
+//#endregion
+//#region src/auth/server.d.ts
+interface HenosiaAuthConfig {
+  /** Name of the Henosia Auth OAuth2 provider */
+  provider: 'henosia';
+  /** The consuming app's own deployment or preview browser URL. Used as the better-auth base url */
+  baseURL: EnvLiveGetString;
+  /** The consuming app's own deployment or preview auth secret. Used as the better-auth secret */
+  secret: EnvLiveGetString;
+  /** OAuth client ID from HenosiaAuthClientService */
+  clientId: EnvLiveGetString;
+  /** OAuth client secret from HenosiaAuthClientService */
+  clientSecret: EnvLiveGetString;
+  /** The Henosia auth and platform service base URL, under which the OAuth client is registered */
+  henosiaAuthPlatformServiceBaseUrl: EnvLiveGetString;
+  /** The provider identifier that Henosia Auth is registered with as a OIDC-based Custom Provider in Supabase Auth */
+  henosiaAuthSupabaseProvider: EnvLiveGetString;
+  /**
+   * The project id that the JWT project claim should match in HenosiaAuthTokenClaims.
+   * Ensures that signed-in Henosia users cannot access projects that they have not been granted access to,
+   * for example that User A from Org A cannot access User B from Org B's project.
+   * */
+  projectId: EnvLiveGetString;
+}
+/**
+ * Environment-provided configuration for Henosia Auth.
+ * When the consuming app runs in the Henosia preview, the env vars are provided by the runtime environment and should not be
+ * hard-coded or present in the `.env.local` file. The Henosia Publish feature automatically sets production versions of
+ * the values on the deployed app. For self-publish flows or local development, see the `Environment settings`
+ * in the Henosia builder navbar for the relevant values. The preview values cannot be used for production deployments.
+ */
+declare const henosiaAuthConfig: HenosiaAuthConfig;
+interface HenosiaAuthTokenClaims {
+  /** The project id that the claim is associated with. A `null` value indicates no project access was granted. */
+  'https://henosia.com/project': string | null;
+  /** Whether the claim is associated with Henosia's preview browser in the builder */
+  'https://henosia.com/preview': boolean;
+  /** The organization that the app belongs to */
+  'https://henosia.com/organization': HenosiaOrganizationContext;
+}
+/**
+ * Gets whether the specified request is allowed to spend the single-use OIDC refresh token to obtain a new
+ * access token.
+ *
+ */
+declare function isPageOrRefreshTokenRequest(request: Request): boolean;
+/**
+ * The Henosia Auth instance.
+ *
+ * Typed as the minimal {@link Auth} type from better-auth (which is parameterised on the default
+ * {@link BetterAuthOptions}) rather than the deeply-inferred concrete type returned by {@link betterAuth}.
+ * The deeply-inferred graph references non-portable internals from `better-auth` and `zod` that cannot be
+ * named in published declarations (TS2883).
+ */
+declare const auth: Auth;
+/**
+ * Verifies the Henosia Auth JWT on the current request, or throws in case it's missing or invalid.
+ * This method must be called before allowing access to any protected pages or routes,
+ * and before accessing data in server side page methods or actions.
+ * @param request the current request which provides auth headers
+ * @return the better-auth `getAccessToken` response, the verified token `payload` (a {@link HenosiaAuthTokenClaims}),
+ *         the `Set-Cookie` headers produced while obtaining/refreshing the token, and a
+ *         `transferBetterAuthCookiesToNext` helper that forwards those cookies onto a Next.js request/response pair
+ * @throws APIError when the current credentials are missing or invalid
+ */
+declare function verifyHenosiaAuthToken(request: Request): Promise<{
+  accessTokenResponse: {
+    accessToken: string;
+    accessTokenExpiresAt: Date | undefined;
+    scopes: string[];
+    idToken: string | undefined;
+  };
+  payload: HenosiaAuthTokenClaims;
+  setCookieHeaders: string[];
+  transferBetterAuthCookiesToNext: (nextRequest: NextRequest, response: NextResponse) => void;
+}>;
+/**
+ * Determines whether the specified exception should start the sign-in flow to authenticate the user
+ * @param error the error thrown by `verifyHenosiaAuthToken`
+ */
+declare function isUnauthorizedException(error: unknown): boolean;
+//#endregion
+export { isPageOrRefreshTokenRequest as a, HENOSIA_AUTH_MIDDLEWARE_UNAUTHENTICATED_PATH_NAMES as c, isPageRequest as d, henosiaAuthConfig as i, HENOSIA_AUTH_MIDDLEWARE_UNAUTHENTICATED_PATH_NAME_PREFIXES as l, HenosiaAuthTokenClaims as n, isUnauthorizedException as o, auth as r, verifyHenosiaAuthToken as s, HenosiaAuthConfig as t, cookiePrefix as u };

package/dist/session-sync-Cva_oreV.mjs

@@ -0,0 +1,114 @@
+/*! Copyright (c) 2026 Henosia ApS. Licensed under the Henosia Commercial Source License v1.0. See LICENSE */
+import { HENOSIA_AUTH_INVALID_SESSION_BODY, HENOSIA_AUTH_SESSION_SYNC_ORIGINAL_FETCH_DEST_HEADER, HENOSIA_ORGANIZATION_CTX_COOKIE } from "./shared.mjs";
+import { henosiaAuthConfig, isUnauthorizedException, verifyHenosiaAuthToken } from "./auth/server.mjs";
+import { NextResponse } from "next/server.js";
+//#region src/auth/utils.ts
+function delayWithCancel(delayMs) {
+	let timer;
+	let reject = null;
+	const promise = new Promise((resolve, _reject) => {
+		reject = _reject;
+		timer = setTimeout(() => resolve(), delayMs);
+	});
+	const cancel = () => {
+		clearTimeout(timer);
+		queueMicrotask(() => {
+			reject();
+			reject = null;
+		});
+	};
+	return {
+		promise,
+		cancel
+	};
+}
+//#endregion
+//#region src/auth/session-sync.ts
+function syncOrganizationContextCookie(request, response, payload) {
+	const cachedOrg = request.cookies.get("henosia.org")?.value ?? null;
+	const org = JSON.stringify(payload["https://henosia.com/organization"] ?? null);
+	if (cachedOrg !== org) response.cookies.set(HENOSIA_ORGANIZATION_CTX_COOKIE, org);
+}
+/**
+* Transfers cookies and downstream sessions that require the server auth graph.
+*
+* This runs from Node route handlers directly or through the middleware's internal sync route so
+* `@henosia/app-next/auth/middleware` remains safe to bundle for Edge runtimes.
+*/
+async function syncHenosiaAuthSession(request, response, verified, options = {}) {
+	if (options.transferBetterAuthCookies ?? true) verified.transferBetterAuthCookiesToNext(request, response);
+	syncOrganizationContextCookie(request, response, verified.payload);
+	if (process.env.NEXT_PUBLIC_SUPABASE_URL) await exchangeHenosiaTokenForSupabaseSession(request, response, verified.accessTokenResponse.idToken);
+}
+/**
+* Internal route handler used by middleware to perform server-only session sync before the matched request renders.
+*/
+async function handleHenosiaAuthSessionSync(request) {
+	try {
+		const verified = await verifyHenosiaAuthToken(buildOriginalRequestForSessionSync(request));
+		const response = new NextResponse(null, { status: 204 });
+		await syncHenosiaAuthSession(request, response, verified);
+		return applySessionSyncResponseHeaders(response);
+	} catch (e) {
+		if (isUnauthorizedException(e)) return applySessionSyncResponseHeaders(NextResponse.json(HENOSIA_AUTH_INVALID_SESSION_BODY, { status: 401 }));
+		console.error("[Henosia Auth] session sync error", e);
+		return applySessionSyncResponseHeaders(NextResponse.json({ error: "Server error" }, { status: 500 }));
+	}
+}
+function applySessionSyncResponseHeaders(response) {
+	response.headers.set("Cache-Control", "private, no-store");
+	response.headers.set("Vary", "Cookie");
+	return response;
+}
+function buildOriginalRequestForSessionSync(request) {
+	const originalUrl = request.headers.get("x-henosia-auth-original-url") ?? request.url;
+	const originalMethod = request.headers.get("x-henosia-auth-original-method") ?? "GET";
+	const originalHeaders = new Headers(request.headers);
+	const originalFetchDest = request.headers.get(HENOSIA_AUTH_SESSION_SYNC_ORIGINAL_FETCH_DEST_HEADER);
+	if (originalFetchDest) originalHeaders.set("X-Henosia-Fetch-Dest", originalFetchDest);
+	return new Request(originalUrl, {
+		headers: originalHeaders,
+		method: originalMethod
+	});
+}
+/**
+* Lazy-load `@supabase/ssr` so apps that don't use Supabase don't have to install it.
+*/
+async function exchangeHenosiaTokenForSupabaseSession(request, response, idToken) {
+	let createServerClient;
+	try {
+		({createServerClient} = await import("@supabase/ssr"));
+	} catch (e) {
+		console.error("[Henosia Auth] NEXT_PUBLIC_SUPABASE_URL is set but `@supabase/ssr` is not installed. Install it as a peer dependency to enable Supabase session exchange.", e);
+		return;
+	}
+	const supabase = createServerClient(process.env.NEXT_PUBLIC_SUPABASE_URL, process.env.NEXT_PUBLIC_SUPABASE_PUBLISHABLE_KEY, { cookies: {
+		getAll() {
+			return request.cookies.getAll();
+		},
+		setAll(cookiesToSet) {
+			cookiesToSet.forEach(({ name, value }) => request.cookies.set(name, value));
+			try {
+				cookiesToSet.forEach(({ name, value, options }) => response.cookies.set(name, value, options));
+			} catch {}
+		}
+	} });
+	const { promise: supabaseTimeout, cancel } = delayWithCancel(5e3);
+	await Promise.race([supabaseTimeout.then(() => {
+		console.error(`[Supabase] Timed out getting a valid Supabase session: ${process.env.NEXT_PUBLIC_SUPABASE_URL} may be paused or down.`);
+	}), (async () => {
+		try {
+			const { data } = await supabase.auth.getSession();
+			if (!data.session) await supabase.auth.signInWithIdToken({
+				provider: henosiaAuthConfig.henosiaAuthSupabaseProvider.get(),
+				token: idToken
+			});
+		} catch (error) {
+			console.error("[Supabase] Unable to get valid Supabase session", error);
+		} finally {
+			cancel();
+		}
+	})()]);
+}
+//#endregion
+export { syncHenosiaAuthSession as n, syncOrganizationContextCookie as r, handleHenosiaAuthSessionSync as t };

package/dist/shared-BWPBaubT.d.mts

@@ -0,0 +1,30 @@
+
+//#region src/shared.d.ts
+declare const HENOSIA_AUTH_SIGN_IN_PATH_NAME = "/sign-in";
+/**
+ * The pathname for better-auth's `/get-session` endpoint, used by the React `useSession` hook.
+ *
+ * `useSession` automatically refetches this endpoint on browser tab focus (and optionally on a polling
+ * interval), which we leverage as a built-in keep-alive for the OIDC access/refresh tokens — see
+ * `isPageOrRefreshTokenRequest` and the middleware-backed session sync route.
+ */
+declare const HENOSIA_AUTH_GET_SESSION_PATH_NAME = "/api/auth/get-session";
+/**
+ * Internal route used by the Edge middleware to delegate server-only token refresh and downstream session sync
+ * without importing the Better Auth server graph into the middleware bundle.
+ */
+declare const HENOSIA_AUTH_SESSION_SYNC_PATH_NAME = "/api/auth/henosia-session-sync";
+declare const HENOSIA_AUTH_SESSION_SYNC_ORIGINAL_URL_HEADER = "x-henosia-auth-original-url";
+declare const HENOSIA_AUTH_SESSION_SYNC_ORIGINAL_METHOD_HEADER = "x-henosia-auth-original-method";
+declare const HENOSIA_AUTH_SESSION_SYNC_ORIGINAL_FETCH_DEST_HEADER = "x-henosia-auth-original-fetch-dest";
+type HenosiaOrganizationContext = {
+  id: string;
+  name: string;
+  logoUrl: string | null;
+} | null;
+declare const HENOSIA_ORGANIZATION_CTX_COOKIE = "henosia.org";
+declare const HENOSIA_AUTH_INVALID_SESSION_BODY: {
+  error: string;
+};
+//#endregion
+export { HENOSIA_AUTH_SESSION_SYNC_ORIGINAL_URL_HEADER as a, HENOSIA_ORGANIZATION_CTX_COOKIE as c, HENOSIA_AUTH_SESSION_SYNC_ORIGINAL_METHOD_HEADER as i, HenosiaOrganizationContext as l, HENOSIA_AUTH_INVALID_SESSION_BODY as n, HENOSIA_AUTH_SESSION_SYNC_PATH_NAME as o, HENOSIA_AUTH_SESSION_SYNC_ORIGINAL_FETCH_DEST_HEADER as r, HENOSIA_AUTH_SIGN_IN_PATH_NAME as s, HENOSIA_AUTH_GET_SESSION_PATH_NAME as t };

package/dist/shared.d.mts

@@ -1,3 +1,3 @@
 
-import { i as HenosiaOrganizationContext, n as HENOSIA_AUTH_SIGN_IN_PATH_NAME, r as HENOSIA_ORGANIZATION_CTX_COOKIE, t as HENOSIA_AUTH_GET_SESSION_PATH_NAME } from "./shared-BWt7Sysv.mjs";
-export { HENOSIA_AUTH_GET_SESSION_PATH_NAME, HENOSIA_AUTH_SIGN_IN_PATH_NAME, HENOSIA_ORGANIZATION_CTX_COOKIE, HenosiaOrganizationContext };
+import { a as HENOSIA_AUTH_SESSION_SYNC_ORIGINAL_URL_HEADER, c as HENOSIA_ORGANIZATION_CTX_COOKIE, i as HENOSIA_AUTH_SESSION_SYNC_ORIGINAL_METHOD_HEADER, l as HenosiaOrganizationContext, n as HENOSIA_AUTH_INVALID_SESSION_BODY, o as HENOSIA_AUTH_SESSION_SYNC_PATH_NAME, r as HENOSIA_AUTH_SESSION_SYNC_ORIGINAL_FETCH_DEST_HEADER, s as HENOSIA_AUTH_SIGN_IN_PATH_NAME, t as HENOSIA_AUTH_GET_SESSION_PATH_NAME } from "./shared-BWPBaubT.mjs";
+export { HENOSIA_AUTH_GET_SESSION_PATH_NAME, HENOSIA_AUTH_INVALID_SESSION_BODY, HENOSIA_AUTH_SESSION_SYNC_ORIGINAL_FETCH_DEST_HEADER, HENOSIA_AUTH_SESSION_SYNC_ORIGINAL_METHOD_HEADER, HENOSIA_AUTH_SESSION_SYNC_ORIGINAL_URL_HEADER, HENOSIA_AUTH_SESSION_SYNC_PATH_NAME, HENOSIA_AUTH_SIGN_IN_PATH_NAME, HENOSIA_ORGANIZATION_CTX_COOKIE, HenosiaOrganizationContext };