@henosia/app-next 1.0.5 → 1.0.7

package/.agents/skills/henosia-app-next/SKILL.md

@@ -184,7 +184,7 @@ README section.
 
 ```ts
 // Server-side helpers (advanced; prefer the auth guards)
-import { auth, verifyHenosiaAuthToken, isUnauthorizedException, isPageRequest, HENOSIA_AUTH_SIGN_IN_PATH_NAME } from '@henosia/app-next'
+import { getAuth, verifyHenosiaAuthToken, isUnauthorizedException, isPageRequest, HENOSIA_AUTH_SIGN_IN_PATH_NAME } from '@henosia/app-next'
 
 // Shared constants & types (no runtime deps; safe to import from server or client)
 import { HENOSIA_AUTH_SIGN_IN_PATH_NAME, HENOSIA_AUTH_GET_SESSION_PATH_NAME, HENOSIA_ORGANIZATION_CTX_COOKIE } from '@henosia/app-next/shared'
@@ -213,7 +213,7 @@ import { createClient } from '@henosia/app-next/supabase/client'
 
 ## Lower-level helpers — usually not needed
 
-`auth`, `verifyHenosiaAuthToken`, `isUnauthorizedException`, `isPageRequest` are
+`getAuth`, `verifyHenosiaAuthToken`, `isUnauthorizedException`, `isPageRequest` are
 exported from the package root for advanced/edge cases. For protecting pages
 and routes, **always prefer the guards** documented in the
 `henosia-auth-guards` skill. They encode the canonical redirect / 401 / 500

package/README.md

@@ -112,7 +112,7 @@ import { createClient } from '@henosia/app-next/supabase/client'
 
 ```ts
 import {
-  auth,
+  getAuth,
   verifyHenosiaAuthToken,
   isUnauthorizedException,
   isPageRequest,
@@ -173,7 +173,7 @@ export function MyAppSwitcher() {
 
 | Subpath                                   | Purpose                                                                    |
 |-------------------------------------------|----------------------------------------------------------------------------|
-| `@henosia/app-next`                       | Server-side helpers (`auth`, `verifyHenosiaAuthToken`, …)                  |
+| `@henosia/app-next`                       | Server-side helpers (`getAuth`, `verifyHenosiaAuthToken`, …)               |
 | `@henosia/app-next/shared`                | Shared constants & types (no runtime deps)                                 |
 | `@henosia/app-next/auth/middleware`       | `createHenosiaAuthMiddleware`                                              |
 | `@henosia/app-next/auth/server`           | Lower-level server-side auth surface (re-exported by root)                 |

package/dist/api/auth.mjs

@@ -1,5 +1,5 @@
 /*! Copyright (c) 2026 Henosia ApS. Licensed under the Henosia Commercial Source License v1.0. See LICENSE */
-import { auth } from "../auth/server.mjs";
+import { r as getAuth } from "../server-DvvkIB4j.mjs";
 import { toNextJsHandler } from "better-auth/next-js";
 //#region src/api/auth.ts
 /**
@@ -11,7 +11,7 @@ import { toNextJsHandler } from "better-auth/next-js";
 * export { GET, POST } from '@henosia/app-next/api/auth'
 * ```
 */
-const handlers = toNextJsHandler(auth);
+const handlers = toNextJsHandler(getAuth());
 const GET = handlers.GET;
 const POST = handlers.POST;
 //#endregion

package/dist/api/platform.mjs

@@ -1,5 +1,5 @@
 /*! Copyright (c) 2026 Henosia ApS. Licensed under the Henosia Commercial Source License v1.0. See LICENSE */
-import { henosiaAuthConfig, isUnauthorizedException, verifyHenosiaAuthToken } from "../auth/server.mjs";
+import { l as henosiaAuthConfig, o as isUnauthorizedException, s as verifyHenosiaAuthToken } from "../server-DvvkIB4j.mjs";
 import { applySecurityHeaders } from "../auth/server-guards.mjs";
 //#region src/api/platform/v1/app-switcher.ts
 /**

package/dist/auth/middleware.mjs

@@ -1,6 +1,6 @@
 /*! Copyright (c) 2026 Henosia ApS. Licensed under the Henosia Commercial Source License v1.0. See LICENSE */
 import { HENOSIA_AUTH_SIGN_IN_PATH_NAME, HENOSIA_ORGANIZATION_CTX_COOKIE } from "../shared.mjs";
-import { HENOSIA_AUTH_MIDDLEWARE_UNAUTHENTICATED_PATH_NAMES, HENOSIA_AUTH_MIDDLEWARE_UNAUTHENTICATED_PATH_NAME_PREFIXES, cookiePrefix, henosiaAuthConfig, isPageRequest, isUnauthorizedException, verifyHenosiaAuthToken } from "./server.mjs";
+import { a as isPageRequest, c as cookiePrefix, l as henosiaAuthConfig, n as HENOSIA_AUTH_MIDDLEWARE_UNAUTHENTICATED_PATH_NAME_PREFIXES, o as isUnauthorizedException, s as verifyHenosiaAuthToken, t as HENOSIA_AUTH_MIDDLEWARE_UNAUTHENTICATED_PATH_NAMES } from "../server-DvvkIB4j.mjs";
 import { getSessionCookie } from "better-auth/cookies";
 import { NextResponse } from "next/server.js";
 //#region src/auth/utils.ts
@@ -75,7 +75,7 @@ function createHenosiaAuthMiddleware(options = {}) {
 			return response;
 		}
 		if (unauthenticatedPathNames.has(pathname) || !!unauthenticatedPathNamePrefixes.find((p) => pathname.startsWith(p))) return response;
-		if (!getSessionCookie(request, { cookiePrefix })) {
+		if (!getSessionCookie(request, { cookiePrefix: cookiePrefix.get() })) {
 			if (request.method !== "GET") return NextResponse.json(INVALID_SESSION_BODY, { status: 401 });
 			return NextResponse.redirect(new URL(HENOSIA_AUTH_SIGN_IN_PATH_NAME, request.url));
 		}
@@ -144,7 +144,7 @@ async function exchangeHenosiaTokenForSupabaseSession(request, response, idToken
 */
 function removeCachedAccountData(response) {
 	const secure = henosiaAuthConfig.baseURL.get().startsWith("https");
-	const name = `${secure ? "__Secure-" : ""}${cookiePrefix}.account_data`;
+	const name = `${secure ? "__Secure-" : ""}${cookiePrefix.get()}.account_data`;
 	response.cookies.delete({
 		name,
 		secure,

package/dist/auth/server-guards.mjs

@@ -1,6 +1,6 @@
 /*! Copyright (c) 2026 Henosia ApS. Licensed under the Henosia Commercial Source License v1.0. See LICENSE */
 import { HENOSIA_AUTH_SIGN_IN_PATH_NAME } from "../shared.mjs";
-import { isUnauthorizedException, verifyHenosiaAuthToken } from "./server.mjs";
+import { o as isUnauthorizedException, s as verifyHenosiaAuthToken } from "../server-DvvkIB4j.mjs";
 import { headers } from "next/headers.js";
 import { cache } from "react";
 import { redirect } from "next/navigation.js";

package/dist/auth/server.d.mts

@@ -1,5 +1,5 @@
 
-import { i as HenosiaOrganizationContext } from "../shared-BWt7Sysv.mjs";
+import { i as HenosiaOrganizationContext } from "../shared-Cddy8ptu.mjs";
 import { Auth } from "better-auth";
 import { NextRequest, NextResponse } from "next/server.js";
 
@@ -17,39 +17,6 @@ declare const HENOSIA_AUTH_MIDDLEWARE_UNAUTHENTICATED_PATH_NAMES: Set<string>;
  * route matches.
  */
 declare const HENOSIA_AUTH_MIDDLEWARE_UNAUTHENTICATED_PATH_NAME_PREFIXES: string[];
-type EnvLiveGetString = {
-  get(): string;
-};
-interface HenosiaAuthConfig {
-  /** Name of the Henosia Auth OAuth2 provider */
-  provider: 'henosia';
-  /** The consuming app's own deployment or preview browser URL. Used as the better-auth base url */
-  baseURL: EnvLiveGetString;
-  /** The consuming app's own deployment or preview auth secret. Used as the better-auth secret */
-  secret: EnvLiveGetString;
-  /** OAuth client ID from HenosiaAuthClientService */
-  clientId: EnvLiveGetString;
-  /** OAuth client secret from HenosiaAuthClientService */
-  clientSecret: EnvLiveGetString;
-  /** The Henosia auth and platform service base URL, under which the OAuth client is registered */
-  henosiaAuthPlatformServiceBaseUrl: EnvLiveGetString;
-  /** The provider identifier that Henosia Auth is registered with as a OIDC-based Custom Provider in Supabase Auth */
-  henosiaAuthSupabaseProvider: EnvLiveGetString;
-  /**
-   * The project id that the JWT project claim should match in HenosiaAuthTokenClaims.
-   * Ensures that signed-in Henosia users cannot access projects that they have not been granted access to,
-   * for example that User A from Org A cannot access User B from Org B's project.
-   * */
-  projectId: EnvLiveGetString;
-}
-/**
- * Environment-provided configuration for Henosia Auth.
- * When the consuming app runs in the Henosia preview, the env vars are provided by the runtime environment and should not be
- * hard-coded or present in the `.env.local` file. The Henosia Publish feature automatically sets production versions of
- * the values on the deployed app. For self-publish flows or local development, see the `Environment settings`
- * in the Henosia builder navbar for the relevant values. The preview values cannot be used for production deployments.
- */
-declare const henosiaAuthConfig: HenosiaAuthConfig;
 interface HenosiaAuthTokenClaims {
   /** The project id that the claim is associated with. A `null` value indicates no project access was granted. */
   'https://henosia.com/project': string | null;
@@ -68,16 +35,23 @@ declare function isPageRequest(request: Request): boolean;
  *
  */
 declare function isPageOrRefreshTokenRequest(request: Request): boolean;
-declare const cookiePrefix: `henosia-auth-${string}`;
 /**
- * The Henosia Auth instance.
+ * Returns the singleton Henosia Auth instance, creating it on first call.
+ *
+ * The instance is created lazily so that importing this module does not eagerly read the required
+ * environment variables (see {@link henosiaAuthConfig}). This means modules that only need the
+ * configuration or shared helpers can be imported in environments where the full set of `BETTER_AUTH_*` /
+ * `HENOSIA_AUTH_*` env vars is not yet populated, and only call sites that actually invoke `getAuth()`
+ * will require them to be set.
+ *
+ * Subsequent calls return the same underlying better-auth instance.
  *
- * Typed as the minimal {@link Auth} type from better-auth (which is parameterised on the default
- * {@link BetterAuthOptions}) rather than the deeply-inferred concrete type returned by {@link betterAuth}.
+ * The return type is the minimal {@link Auth} type from better-auth (which is parameterised on the default
+ * `BetterAuthOptions`) rather than the deeply-inferred concrete type returned by {@link betterAuth}.
  * The deeply-inferred graph references non-portable internals from `better-auth` and `zod` that cannot be
  * named in published declarations (TS2883).
  */
-declare const auth: Auth;
+declare const getAuth: () => Auth;
 /**
  * Verifies the Henosia Auth JWT on the current request, or throws in case it's missing or invalid.
  * This method must be called before allowing access to any protected pages or routes,
@@ -105,4 +79,4 @@ declare function verifyHenosiaAuthToken(request: Request): Promise<{
  */
 declare function isUnauthorizedException(error: unknown): boolean;
 //#endregion
-export { HENOSIA_AUTH_MIDDLEWARE_UNAUTHENTICATED_PATH_NAMES, HENOSIA_AUTH_MIDDLEWARE_UNAUTHENTICATED_PATH_NAME_PREFIXES, HenosiaAuthConfig, HenosiaAuthTokenClaims, auth, cookiePrefix, henosiaAuthConfig, isPageOrRefreshTokenRequest, isPageRequest, isUnauthorizedException, verifyHenosiaAuthToken };
+export { HENOSIA_AUTH_MIDDLEWARE_UNAUTHENTICATED_PATH_NAMES, HENOSIA_AUTH_MIDDLEWARE_UNAUTHENTICATED_PATH_NAME_PREFIXES, HenosiaAuthTokenClaims, getAuth, isPageOrRefreshTokenRequest, isPageRequest, isUnauthorizedException, verifyHenosiaAuthToken };

package/dist/auth/server.mjs

@@ -1,215 +1,3 @@
 /*! Copyright (c) 2026 Henosia ApS. Licensed under the Henosia Commercial Source License v1.0. See LICENSE */
-import { HENOSIA_AUTH_GET_SESSION_PATH_NAME, HENOSIA_AUTH_SIGN_IN_PATH_NAME } from "../shared.mjs";
-import { APIError, betterAuth } from "better-auth";
-import { createAuthMiddleware } from "better-auth/api";
-import { bearer, genericOAuth, jwt } from "better-auth/plugins";
-import { nextCookies } from "better-auth/next-js";
-import { verifyAccessToken } from "better-auth/oauth2";
-import { parseSetCookieHeader } from "better-auth/cookies";
-import { AsyncLocalStorage } from "node:async_hooks";
-import { headers } from "next/headers.js";
-//#region src/auth/server.ts
-/**
-* URL pathname values that should not check for auth in middleware, e.g. the sign-in page.
-* Additional pathname values can be added for public paths, but ONLY if they should not be intercepted by the
-* middleware auth pre-check and redirect.
-*/
-const HENOSIA_AUTH_MIDDLEWARE_UNAUTHENTICATED_PATH_NAMES = new Set([HENOSIA_AUTH_SIGN_IN_PATH_NAME]);
-if (HENOSIA_AUTH_MIDDLEWARE_UNAUTHENTICATED_PATH_NAMES.has("/")) throw new Error(`[Henosia Auth] Invalid path name '/'. Values must be non-root paths`);
-/**
-* URL pathname prefixes that should not be blocked by auth in middleware, e.g. the better-auth API routes used to sign in.
-* Additional pathname prefixes can be added for public paths, but ONLY if they should not be intercepted by the
-* middleware auth pre-check and redirect. Include the relevant `/` ending character to prevent unexpected partial
-* route matches.
-*/
-const HENOSIA_AUTH_MIDDLEWARE_UNAUTHENTICATED_PATH_NAME_PREFIXES = ["/api/auth/", "/.well-known/"];
-if (HENOSIA_AUTH_MIDDLEWARE_UNAUTHENTICATED_PATH_NAME_PREFIXES.find((p) => p === "/" || !p.trim() || !p.endsWith("/"))) throw new Error("[Henosia Auth] Invalid path name prefixes. Values must be non-empty sub paths ending with slash");
-const requiredEnvProxy = new Proxy(process.env, { get(target, property, receiver) {
-	const value = Reflect.get(target, property, receiver);
-	if (!value || typeof value !== "string") throw new Error(`[Henosia Auth] Missing required env var: ${property.toString()}`);
-	return value;
-} });
-function getRequiredEnvValue(getter, fallback) {
-	try {
-		return { get: () => getter(requiredEnvProxy) };
-	} catch (e) {
-		if (fallback) return { get: () => fallback };
-		console.log(e.message);
-		throw e;
-	}
-}
-/**
-* Environment-provided configuration for Henosia Auth.
-* When the consuming app runs in the Henosia preview, the env vars are provided by the runtime environment and should not be
-* hard-coded or present in the `.env.local` file. The Henosia Publish feature automatically sets production versions of
-* the values on the deployed app. For self-publish flows or local development, see the `Environment settings`
-* in the Henosia builder navbar for the relevant values. The preview values cannot be used for production deployments.
-*/
-const henosiaAuthConfig = {
-	provider: "henosia",
-	baseURL: getRequiredEnvValue((env) => env.BETTER_AUTH_URL),
-	secret: getRequiredEnvValue((env) => env.BETTER_AUTH_SECRET),
-	henosiaAuthPlatformServiceBaseUrl: getRequiredEnvValue((env) => env.HENOSIA_AUTH_SERVICE_BASE_URL),
-	henosiaAuthSupabaseProvider: getRequiredEnvValue((env) => env.HENOSIA_AUTH_SUPABASE_PROVIDER, "custom:henosia-auth:platform"),
-	clientSecret: getRequiredEnvValue((env) => env.HENOSIA_AUTH_CLIENT_SECRET),
-	clientId: getRequiredEnvValue((env) => env.HENOSIA_AUTH_CLIENT_ID),
-	projectId: getRequiredEnvValue((env) => env.HENOSIA_AUTH_PROJECT_ID)
-};
-/**
-* Gets whether the specified request is for a page (a top level page or iframe page)
-*/
-function isPageRequest(request) {
-	const { headers } = request;
-	const dest = headers.get("X-Henosia-Fetch-Dest") ?? headers.get("Sec-Fetch-Dest");
-	if (dest === "document" || dest === "iframe" || dest === "fencedframe") return true;
-	const isRsc = request.headers.get("RSC") === "1";
-	const isPrefetch = request.headers.get("Next-Router-Prefetch") === "1";
-	return isRsc && !isPrefetch;
-}
-/**
-* Gets whether the specified request is allowed to spend the single-use OIDC refresh token to obtain a new
-* access token.
-*
-*/
-function isPageOrRefreshTokenRequest(request) {
-	if (isPageRequest(request)) return true;
-	return new URL(request.url).pathname === HENOSIA_AUTH_GET_SESSION_PATH_NAME;
-}
-const currentRequestStorage = new AsyncLocalStorage();
-let henosiaOAuthProviderInitialized = false;
-const cookiePrefix = `henosia-auth-${henosiaAuthConfig.projectId.get()}`;
-const authInstance = betterAuth({
-	baseURL: henosiaAuthConfig.baseURL.get(),
-	secret: henosiaAuthConfig.secret.get(),
-	advanced: { cookiePrefix },
-	plugins: [
-		bearer(),
-		jwt(),
-		genericOAuth({ config: [{
-			providerId: henosiaAuthConfig.provider,
-			discoveryUrl: `${henosiaAuthConfig.henosiaAuthPlatformServiceBaseUrl.get()}/.well-known/openid-configuration`,
-			clientId: henosiaAuthConfig.clientId.get(),
-			clientSecret: henosiaAuthConfig.clientSecret.get(),
-			scopes: [
-				"openid",
-				"profile",
-				"email",
-				"offline_access"
-			],
-			pkce: true,
-			mapProfileToUser: (profile) => {
-				if (!profile.name) profile.name = profile.email;
-				return profile;
-			}
-		}] }),
-		nextCookies()
-	],
-	hooks: { before: createAuthMiddleware(async (ctx) => {
-		if (henosiaOAuthProviderInitialized) return;
-		for (const provider of ctx.context.socialProviders) {
-			const { refreshAccessToken } = provider;
-			if (!refreshAccessToken || provider.id !== henosiaAuthConfig.provider) continue;
-			provider.refreshAccessToken = async (refreshToken) => {
-				const request = currentRequestStorage.getStore();
-				if (!request) throw new APIError("INTERNAL_SERVER_ERROR", { message: `Expected a current request during refreshAccessToken` });
-				if (!isPageOrRefreshTokenRequest(request)) throw new APIError("UNAUTHORIZED", {
-					statusCode: 401,
-					message: "Fetching a refresh access token is only allowed for page or refresh token requests"
-				});
-				return await refreshAccessToken(refreshToken);
-			};
-			henosiaOAuthProviderInitialized = true;
-			break;
-		}
-	}) },
-	session: { cookieCache: {
-		enabled: true,
-		version: "1",
-		maxAge: 720 * 60 * 60,
-		strategy: "jwe",
-		refreshCache: true
-	} },
-	account: {
-		storeStateStrategy: "cookie",
-		storeAccountCookie: true
-	},
-	databaseHooks: { user: { create: { before: async (data) => {
-		const stableId = data.sub;
-		if (!stableId) throw new APIError("INTERNAL_SERVER_ERROR", { message: `Expected '.sub' to be defined but got '${stableId}' for '${data.email}'` });
-		return { data: {
-			...data,
-			id: stableId
-		} };
-	} } } },
-	trustedOrigins: [henosiaAuthConfig.henosiaAuthPlatformServiceBaseUrl.get()]
-});
-/**
-* The Henosia Auth instance.
-*
-* Typed as the minimal {@link Auth} type from better-auth (which is parameterised on the default
-* {@link BetterAuthOptions}) rather than the deeply-inferred concrete type returned by {@link betterAuth}.
-* The deeply-inferred graph references non-portable internals from `better-auth` and `zod` that cannot be
-* named in published declarations (TS2883).
-*/
-const auth = authInstance;
-/**
-* Verifies the Henosia Auth JWT on the current request, or throws in case it's missing or invalid.
-* This method must be called before allowing access to any protected pages or routes,
-* and before accessing data in server side page methods or actions.
-* @param request the current request which provides auth headers
-* @return the better-auth `getAccessToken` response, the verified token `payload` (a {@link HenosiaAuthTokenClaims}),
-*         the `Set-Cookie` headers produced while obtaining/refreshing the token, and a
-*         `transferBetterAuthCookiesToNext` helper that forwards those cookies onto a Next.js request/response pair
-* @throws APIError when the current credentials are missing or invalid
-*/
-async function verifyHenosiaAuthToken(request) {
-	currentRequestStorage.enterWith(request);
-	const { response: accessTokenResponse, headers: accessTokenResponseHeaders } = await authInstance.api.getAccessToken({
-		body: { providerId: henosiaAuthConfig.provider },
-		headers: await headers(),
-		returnHeaders: true
-	});
-	if (!accessTokenResponse.idToken) throw new APIError("UNAUTHORIZED", { message: "No id_token returned for openid scope" });
-	const payload = await verifyAccessToken(accessTokenResponse.idToken, {
-		jwksUrl: `${henosiaAuthConfig.henosiaAuthPlatformServiceBaseUrl.get()}/api/auth/jwks`,
-		verifyOptions: {
-			audience: henosiaAuthConfig.clientId.get(),
-			issuer: `${henosiaAuthConfig.henosiaAuthPlatformServiceBaseUrl.get()}/api/auth`
-		}
-	});
-	const { "https://henosia.com/project": projectId } = payload;
-	if (!projectId) throw new APIError("UNAUTHORIZED", { message: "token does not grant access" });
-	if (!henosiaAuthConfig.projectId) throw new APIError("INTERNAL_SERVER_ERROR", { message: "HENOSIA_AUTH_PROJECT_ID env var has not been set" });
-	if (henosiaAuthConfig.projectId.get() !== projectId) throw new APIError("UNAUTHORIZED", { message: "token has invalid projectId" });
-	const setCookieHeaders = accessTokenResponseHeaders.getSetCookie();
-	const transferBetterAuthCookiesToNext = (nextRequest, response) => {
-		for (const cookie of setCookieHeaders) parseSetCookieHeader(cookie).forEach((attributes, name) => {
-			const { value, ...betterOptions } = attributes;
-			const options = {
-				...betterOptions,
-				maxAge: betterOptions["max-age"],
-				httpOnly: betterOptions.httponly,
-				sameSite: betterOptions.samesite
-			};
-			nextRequest.cookies.set(name, value);
-			response.cookies.set(name, value, options);
-		});
-	};
-	return {
-		accessTokenResponse,
-		payload,
-		setCookieHeaders,
-		transferBetterAuthCookiesToNext
-	};
-}
-const unauthorizedExceptionCodes = new Set(["ACCOUNT_NOT_FOUND", "FAILED_TO_GET_ACCESS_TOKEN"]);
-/**
-* Determines whether the specified exception should start the sign-in flow to authenticate the user
-* @param error the error thrown by `verifyHenosiaAuthToken`
-*/
-function isUnauthorizedException(error) {
-	const apiError = error ?? {};
-	return unauthorizedExceptionCodes.has(apiError.body?.code ?? "") || apiError.status === "UNAUTHORIZED" || apiError.statusCode === 401;
-}
-//#endregion
-export { HENOSIA_AUTH_MIDDLEWARE_UNAUTHENTICATED_PATH_NAMES, HENOSIA_AUTH_MIDDLEWARE_UNAUTHENTICATED_PATH_NAME_PREFIXES, auth, cookiePrefix, henosiaAuthConfig, isPageOrRefreshTokenRequest, isPageRequest, isUnauthorizedException, verifyHenosiaAuthToken };
+import { a as isPageRequest, i as isPageOrRefreshTokenRequest, n as HENOSIA_AUTH_MIDDLEWARE_UNAUTHENTICATED_PATH_NAME_PREFIXES, o as isUnauthorizedException, r as getAuth, s as verifyHenosiaAuthToken, t as HENOSIA_AUTH_MIDDLEWARE_UNAUTHENTICATED_PATH_NAMES } from "../server-DvvkIB4j.mjs";
+export { HENOSIA_AUTH_MIDDLEWARE_UNAUTHENTICATED_PATH_NAMES, HENOSIA_AUTH_MIDDLEWARE_UNAUTHENTICATED_PATH_NAME_PREFIXES, getAuth, isPageOrRefreshTokenRequest, isPageRequest, isUnauthorizedException, verifyHenosiaAuthToken };

package/dist/index.d.mts

@@ -1,5 +1,51 @@
 
-import { i as HenosiaOrganizationContext, n as HENOSIA_AUTH_SIGN_IN_PATH_NAME, r as HENOSIA_ORGANIZATION_CTX_COOKIE, t as HENOSIA_AUTH_GET_SESSION_PATH_NAME } from "./shared-BWt7Sysv.mjs";
-import { HENOSIA_AUTH_MIDDLEWARE_UNAUTHENTICATED_PATH_NAMES, HENOSIA_AUTH_MIDDLEWARE_UNAUTHENTICATED_PATH_NAME_PREFIXES, HenosiaAuthConfig, HenosiaAuthTokenClaims, auth, cookiePrefix, henosiaAuthConfig, isPageOrRefreshTokenRequest, isPageRequest, isUnauthorizedException, verifyHenosiaAuthToken } from "./auth/server.mjs";
+import { i as HenosiaOrganizationContext, n as HENOSIA_AUTH_SIGN_IN_PATH_NAME, r as HENOSIA_ORGANIZATION_CTX_COOKIE, t as HENOSIA_AUTH_GET_SESSION_PATH_NAME } from "./shared-Cddy8ptu.mjs";
+import { HENOSIA_AUTH_MIDDLEWARE_UNAUTHENTICATED_PATH_NAMES, HENOSIA_AUTH_MIDDLEWARE_UNAUTHENTICATED_PATH_NAME_PREFIXES, HenosiaAuthTokenClaims, getAuth, isPageOrRefreshTokenRequest, isPageRequest, isUnauthorizedException, verifyHenosiaAuthToken } from "./auth/server.mjs";
 import { HenosiaAuthContext, getHenosiaAuth, requireHenosiaAuth, routeWithHenosiaAuth } from "./auth/server-guards.mjs";
-export { HENOSIA_AUTH_GET_SESSION_PATH_NAME, HENOSIA_AUTH_MIDDLEWARE_UNAUTHENTICATED_PATH_NAMES, HENOSIA_AUTH_MIDDLEWARE_UNAUTHENTICATED_PATH_NAME_PREFIXES, HENOSIA_AUTH_SIGN_IN_PATH_NAME, HENOSIA_ORGANIZATION_CTX_COOKIE, type HenosiaAuthConfig, type HenosiaAuthContext, type HenosiaAuthTokenClaims, type HenosiaOrganizationContext, auth, cookiePrefix, getHenosiaAuth, henosiaAuthConfig, isPageOrRefreshTokenRequest, isPageRequest, isUnauthorizedException, requireHenosiaAuth, routeWithHenosiaAuth, verifyHenosiaAuthToken };
+
+//#region src/auth/configuration.d.ts
+/**
+ * A lazy accessor for an environment-derived string value. Reading is deferred until {@link get} is invoked,
+ * so the underlying `process.env` lookup only happens at call time rather than at module load.
+ */
+type EnvLiveGetString = {
+  get(): string;
+};
+interface HenosiaAuthConfig {
+  /** Name of the Henosia Auth OAuth2 provider */
+  provider: 'henosia';
+  /** The consuming app's own deployment or preview browser URL. Used as the better-auth base url */
+  baseURL: EnvLiveGetString;
+  /** The consuming app's own deployment or preview auth secret. Used as the better-auth secret */
+  secret: EnvLiveGetString;
+  /** OAuth client ID from HenosiaAuthClientService */
+  clientId: EnvLiveGetString;
+  /** OAuth client secret from HenosiaAuthClientService */
+  clientSecret: EnvLiveGetString;
+  /** The Henosia auth and platform service base URL, under which the OAuth client is registered */
+  henosiaAuthPlatformServiceBaseUrl: EnvLiveGetString;
+  /** The provider identifier that Henosia Auth is registered with as a OIDC-based Custom Provider in Supabase Auth */
+  henosiaAuthSupabaseProvider: EnvLiveGetString;
+  /**
+   * The project id that the JWT project claim should match in HenosiaAuthTokenClaims.
+   * Ensures that signed-in Henosia users cannot access projects that they have not been granted access to,
+   * for example that User A from Org A cannot access User B from Org B's project.
+   * */
+  projectId: EnvLiveGetString;
+}
+/**
+ * Environment-provided configuration for Henosia Auth.
+ * When the consuming app runs in the Henosia preview, the env vars are provided by the runtime environment and should not be
+ * hard-coded or present in the `.env.local` file. The Henosia Publish feature automatically sets production versions of
+ * the values on the deployed app. For self-publish flows or local development, see the `Environment settings`
+ * in the Henosia builder navbar for the relevant values. The preview values cannot be used for production deployments.
+ */
+declare const henosiaAuthConfig: HenosiaAuthConfig;
+/**
+ * Project-scoped cookie prefix used by Henosia Auth.
+ */
+declare const cookiePrefix: {
+  get: () => `henosia-auth-${string}`;
+};
+//#endregion
+export { HENOSIA_AUTH_GET_SESSION_PATH_NAME, HENOSIA_AUTH_MIDDLEWARE_UNAUTHENTICATED_PATH_NAMES, HENOSIA_AUTH_MIDDLEWARE_UNAUTHENTICATED_PATH_NAME_PREFIXES, HENOSIA_AUTH_SIGN_IN_PATH_NAME, HENOSIA_ORGANIZATION_CTX_COOKIE, type HenosiaAuthConfig, type HenosiaAuthContext, type HenosiaAuthTokenClaims, type HenosiaOrganizationContext, cookiePrefix, getAuth, getHenosiaAuth, henosiaAuthConfig, isPageOrRefreshTokenRequest, isPageRequest, isUnauthorizedException, requireHenosiaAuth, routeWithHenosiaAuth, verifyHenosiaAuthToken };

package/dist/index.mjs

@@ -1,5 +1,5 @@
 /*! Copyright (c) 2026 Henosia ApS. Licensed under the Henosia Commercial Source License v1.0. See LICENSE */
 import { HENOSIA_AUTH_GET_SESSION_PATH_NAME, HENOSIA_AUTH_SIGN_IN_PATH_NAME, HENOSIA_ORGANIZATION_CTX_COOKIE } from "./shared.mjs";
-import { HENOSIA_AUTH_MIDDLEWARE_UNAUTHENTICATED_PATH_NAMES, HENOSIA_AUTH_MIDDLEWARE_UNAUTHENTICATED_PATH_NAME_PREFIXES, auth, cookiePrefix, henosiaAuthConfig, isPageOrRefreshTokenRequest, isPageRequest, isUnauthorizedException, verifyHenosiaAuthToken } from "./auth/server.mjs";
+import { a as isPageRequest, c as cookiePrefix, i as isPageOrRefreshTokenRequest, l as henosiaAuthConfig, n as HENOSIA_AUTH_MIDDLEWARE_UNAUTHENTICATED_PATH_NAME_PREFIXES, o as isUnauthorizedException, r as getAuth, s as verifyHenosiaAuthToken, t as HENOSIA_AUTH_MIDDLEWARE_UNAUTHENTICATED_PATH_NAMES } from "./server-DvvkIB4j.mjs";
 import { getHenosiaAuth, requireHenosiaAuth, routeWithHenosiaAuth } from "./auth/server-guards.mjs";
-export { HENOSIA_AUTH_GET_SESSION_PATH_NAME, HENOSIA_AUTH_MIDDLEWARE_UNAUTHENTICATED_PATH_NAMES, HENOSIA_AUTH_MIDDLEWARE_UNAUTHENTICATED_PATH_NAME_PREFIXES, HENOSIA_AUTH_SIGN_IN_PATH_NAME, HENOSIA_ORGANIZATION_CTX_COOKIE, auth, cookiePrefix, getHenosiaAuth, henosiaAuthConfig, isPageOrRefreshTokenRequest, isPageRequest, isUnauthorizedException, requireHenosiaAuth, routeWithHenosiaAuth, verifyHenosiaAuthToken };
+export { HENOSIA_AUTH_GET_SESSION_PATH_NAME, HENOSIA_AUTH_MIDDLEWARE_UNAUTHENTICATED_PATH_NAMES, HENOSIA_AUTH_MIDDLEWARE_UNAUTHENTICATED_PATH_NAME_PREFIXES, HENOSIA_AUTH_SIGN_IN_PATH_NAME, HENOSIA_ORGANIZATION_CTX_COOKIE, cookiePrefix, getAuth, getHenosiaAuth, henosiaAuthConfig, isPageOrRefreshTokenRequest, isPageRequest, isUnauthorizedException, requireHenosiaAuth, routeWithHenosiaAuth, verifyHenosiaAuthToken };

package/dist/platform/app-switcher.d.mts

@@ -1,5 +1,5 @@
 
-import { i as HenosiaOrganizationContext } from "../shared-BWt7Sysv.mjs";
+import { i as HenosiaOrganizationContext } from "../shared-Cddy8ptu.mjs";
 
 //#region src/platform/app-switcher.d.ts
 /**

package/dist/server-DvvkIB4j.mjs

@@ -0,0 +1,232 @@
+/*! Copyright (c) 2026 Henosia ApS. Licensed under the Henosia Commercial Source License v1.0. See LICENSE */
+import { HENOSIA_AUTH_GET_SESSION_PATH_NAME, HENOSIA_AUTH_SIGN_IN_PATH_NAME } from "./shared.mjs";
+import { APIError, betterAuth } from "better-auth";
+import { createAuthMiddleware } from "better-auth/api";
+import { bearer, genericOAuth, jwt } from "better-auth/plugins";
+import { nextCookies } from "better-auth/next-js";
+import { verifyAccessToken } from "better-auth/oauth2";
+import { parseSetCookieHeader } from "better-auth/cookies";
+import { AsyncLocalStorage } from "node:async_hooks";
+import { headers } from "next/headers.js";
+//#region src/auth/configuration.ts
+const requiredEnvProxy = new Proxy(process.env, { get(target, property, receiver) {
+	const value = Reflect.get(target, property, receiver);
+	if (!value || typeof value !== "string") throw new Error(`[Henosia Auth] Missing required env var: ${property.toString()}`);
+	return value;
+} });
+function getRequiredEnvValue(getter, fallback) {
+	try {
+		return { get: () => getter(requiredEnvProxy) };
+	} catch (e) {
+		if (fallback) return { get: () => fallback };
+		console.log(e.message);
+		throw e;
+	}
+}
+/**
+* Environment-provided configuration for Henosia Auth.
+* When the consuming app runs in the Henosia preview, the env vars are provided by the runtime environment and should not be
+* hard-coded or present in the `.env.local` file. The Henosia Publish feature automatically sets production versions of
+* the values on the deployed app. For self-publish flows or local development, see the `Environment settings`
+* in the Henosia builder navbar for the relevant values. The preview values cannot be used for production deployments.
+*/
+const henosiaAuthConfig = {
+	provider: "henosia",
+	baseURL: getRequiredEnvValue((env) => env.BETTER_AUTH_URL),
+	secret: getRequiredEnvValue((env) => env.BETTER_AUTH_SECRET),
+	henosiaAuthPlatformServiceBaseUrl: getRequiredEnvValue((env) => env.HENOSIA_AUTH_SERVICE_BASE_URL),
+	henosiaAuthSupabaseProvider: getRequiredEnvValue((env) => env.HENOSIA_AUTH_SUPABASE_PROVIDER, "custom:henosia-auth:platform"),
+	clientSecret: getRequiredEnvValue((env) => env.HENOSIA_AUTH_CLIENT_SECRET),
+	clientId: getRequiredEnvValue((env) => env.HENOSIA_AUTH_CLIENT_ID),
+	projectId: getRequiredEnvValue((env) => env.HENOSIA_AUTH_PROJECT_ID)
+};
+/**
+* Project-scoped cookie prefix used by Henosia Auth.
+*/
+const cookiePrefix = { get: () => `henosia-auth-${henosiaAuthConfig.projectId.get()}` };
+//#endregion
+//#region src/auth/server.ts
+/**
+* URL pathname values that should not check for auth in middleware, e.g. the sign-in page.
+* Additional pathname values can be added for public paths, but ONLY if they should not be intercepted by the
+* middleware auth pre-check and redirect.
+*/
+const HENOSIA_AUTH_MIDDLEWARE_UNAUTHENTICATED_PATH_NAMES = new Set([HENOSIA_AUTH_SIGN_IN_PATH_NAME]);
+if (HENOSIA_AUTH_MIDDLEWARE_UNAUTHENTICATED_PATH_NAMES.has("/")) throw new Error(`[Henosia Auth] Invalid path name '/'. Values must be non-root paths`);
+/**
+* URL pathname prefixes that should not be blocked by auth in middleware, e.g. the better-auth API routes used to sign in.
+* Additional pathname prefixes can be added for public paths, but ONLY if they should not be intercepted by the
+* middleware auth pre-check and redirect. Include the relevant `/` ending character to prevent unexpected partial
+* route matches.
+*/
+const HENOSIA_AUTH_MIDDLEWARE_UNAUTHENTICATED_PATH_NAME_PREFIXES = ["/api/auth/", "/.well-known/"];
+if (HENOSIA_AUTH_MIDDLEWARE_UNAUTHENTICATED_PATH_NAME_PREFIXES.find((p) => p === "/" || !p.trim() || !p.endsWith("/"))) throw new Error("[Henosia Auth] Invalid path name prefixes. Values must be non-empty sub paths ending with slash");
+/**
+* Gets whether the specified request is for a page (a top level page or iframe page)
+*/
+function isPageRequest(request) {
+	const { headers } = request;
+	const dest = headers.get("X-Henosia-Fetch-Dest") ?? headers.get("Sec-Fetch-Dest");
+	if (dest === "document" || dest === "iframe" || dest === "fencedframe") return true;
+	const isRsc = request.headers.get("RSC") === "1";
+	const isPrefetch = request.headers.get("Next-Router-Prefetch") === "1";
+	return isRsc && !isPrefetch;
+}
+/**
+* Gets whether the specified request is allowed to spend the single-use OIDC refresh token to obtain a new
+* access token.
+*
+*/
+function isPageOrRefreshTokenRequest(request) {
+	if (isPageRequest(request)) return true;
+	return new URL(request.url).pathname === HENOSIA_AUTH_GET_SESSION_PATH_NAME;
+}
+const currentRequestStorage = new AsyncLocalStorage();
+let henosiaOAuthProviderInitialized = false;
+const createAuthInstance = () => betterAuth({
+	baseURL: henosiaAuthConfig.baseURL.get(),
+	secret: henosiaAuthConfig.secret.get(),
+	advanced: { cookiePrefix: cookiePrefix.get() },
+	plugins: [
+		bearer(),
+		jwt(),
+		genericOAuth({ config: [{
+			providerId: henosiaAuthConfig.provider,
+			discoveryUrl: `${henosiaAuthConfig.henosiaAuthPlatformServiceBaseUrl.get()}/.well-known/openid-configuration`,
+			clientId: henosiaAuthConfig.clientId.get(),
+			clientSecret: henosiaAuthConfig.clientSecret.get(),
+			scopes: [
+				"openid",
+				"profile",
+				"email",
+				"offline_access"
+			],
+			pkce: true,
+			mapProfileToUser: (profile) => {
+				if (!profile.name) profile.name = profile.email;
+				return profile;
+			}
+		}] }),
+		nextCookies()
+	],
+	hooks: { before: createAuthMiddleware(async (ctx) => {
+		if (henosiaOAuthProviderInitialized) return;
+		for (const provider of ctx.context.socialProviders) {
+			const { refreshAccessToken } = provider;
+			if (!refreshAccessToken || provider.id !== henosiaAuthConfig.provider) continue;
+			provider.refreshAccessToken = async (refreshToken) => {
+				const request = currentRequestStorage.getStore();
+				if (!request) throw new APIError("INTERNAL_SERVER_ERROR", { message: `Expected a current request during refreshAccessToken` });
+				if (!isPageOrRefreshTokenRequest(request)) throw new APIError("UNAUTHORIZED", {
+					statusCode: 401,
+					message: "Fetching a refresh access token is only allowed for page or refresh token requests"
+				});
+				return await refreshAccessToken(refreshToken);
+			};
+			henosiaOAuthProviderInitialized = true;
+			break;
+		}
+	}) },
+	session: { cookieCache: {
+		enabled: true,
+		version: "1",
+		maxAge: 720 * 60 * 60,
+		strategy: "jwe",
+		refreshCache: true
+	} },
+	account: {
+		storeStateStrategy: "cookie",
+		storeAccountCookie: true
+	},
+	databaseHooks: { user: { create: { before: async (data) => {
+		const stableId = data.sub;
+		if (!stableId) throw new APIError("INTERNAL_SERVER_ERROR", { message: `Expected '.sub' to be defined but got '${stableId}' for '${data.email}'` });
+		return { data: {
+			...data,
+			id: stableId
+		} };
+	} } } },
+	trustedOrigins: [henosiaAuthConfig.henosiaAuthPlatformServiceBaseUrl.get()]
+});
+let authInstance = null;
+/**
+* Returns the singleton Henosia Auth instance, creating it on first call.
+*
+* The instance is created lazily so that importing this module does not eagerly read the required
+* environment variables (see {@link henosiaAuthConfig}). This means modules that only need the
+* configuration or shared helpers can be imported in environments where the full set of `BETTER_AUTH_*` /
+* `HENOSIA_AUTH_*` env vars is not yet populated, and only call sites that actually invoke `getAuth()`
+* will require them to be set.
+*
+* Subsequent calls return the same underlying better-auth instance.
+*
+* The return type is the minimal {@link Auth} type from better-auth (which is parameterised on the default
+* `BetterAuthOptions`) rather than the deeply-inferred concrete type returned by {@link betterAuth}.
+* The deeply-inferred graph references non-portable internals from `better-auth` and `zod` that cannot be
+* named in published declarations (TS2883).
+*/
+const getAuth = () => {
+	if (!authInstance) authInstance = createAuthInstance();
+	return authInstance;
+};
+/**
+* Verifies the Henosia Auth JWT on the current request, or throws in case it's missing or invalid.
+* This method must be called before allowing access to any protected pages or routes,
+* and before accessing data in server side page methods or actions.
+* @param request the current request which provides auth headers
+* @return the better-auth `getAccessToken` response, the verified token `payload` (a {@link HenosiaAuthTokenClaims}),
+*         the `Set-Cookie` headers produced while obtaining/refreshing the token, and a
+*         `transferBetterAuthCookiesToNext` helper that forwards those cookies onto a Next.js request/response pair
+* @throws APIError when the current credentials are missing or invalid
+*/
+async function verifyHenosiaAuthToken(request) {
+	currentRequestStorage.enterWith(request);
+	const { response: accessTokenResponse, headers: accessTokenResponseHeaders } = await getAuth().api.getAccessToken({
+		body: { providerId: henosiaAuthConfig.provider },
+		headers: await headers(),
+		returnHeaders: true
+	});
+	if (!accessTokenResponse.idToken) throw new APIError("UNAUTHORIZED", { message: "No id_token returned for openid scope" });
+	const payload = await verifyAccessToken(accessTokenResponse.idToken, {
+		jwksUrl: `${henosiaAuthConfig.henosiaAuthPlatformServiceBaseUrl.get()}/api/auth/jwks`,
+		verifyOptions: {
+			audience: henosiaAuthConfig.clientId.get(),
+			issuer: `${henosiaAuthConfig.henosiaAuthPlatformServiceBaseUrl.get()}/api/auth`
+		}
+	});
+	const { "https://henosia.com/project": projectId } = payload;
+	if (!projectId) throw new APIError("UNAUTHORIZED", { message: "token does not grant access" });
+	if (!henosiaAuthConfig.projectId) throw new APIError("INTERNAL_SERVER_ERROR", { message: "HENOSIA_AUTH_PROJECT_ID env var has not been set" });
+	if (henosiaAuthConfig.projectId.get() !== projectId) throw new APIError("UNAUTHORIZED", { message: "token has invalid projectId" });
+	const setCookieHeaders = accessTokenResponseHeaders.getSetCookie();
+	const transferBetterAuthCookiesToNext = (nextRequest, response) => {
+		for (const cookie of setCookieHeaders) parseSetCookieHeader(cookie).forEach((attributes, name) => {
+			const { value, ...betterOptions } = attributes;
+			const options = {
+				...betterOptions,
+				maxAge: betterOptions["max-age"],
+				httpOnly: betterOptions.httponly,
+				sameSite: betterOptions.samesite
+			};
+			nextRequest.cookies.set(name, value);
+			response.cookies.set(name, value, options);
+		});
+	};
+	return {
+		accessTokenResponse,
+		payload,
+		setCookieHeaders,
+		transferBetterAuthCookiesToNext
+	};
+}
+const unauthorizedExceptionCodes = new Set(["ACCOUNT_NOT_FOUND", "FAILED_TO_GET_ACCESS_TOKEN"]);
+/**
+* Determines whether the specified exception should start the sign-in flow to authenticate the user
+* @param error the error thrown by `verifyHenosiaAuthToken`
+*/
+function isUnauthorizedException(error) {
+	const apiError = error ?? {};
+	return unauthorizedExceptionCodes.has(apiError.body?.code ?? "") || apiError.status === "UNAUTHORIZED" || apiError.statusCode === 401;
+}
+//#endregion
+export { isPageRequest as a, cookiePrefix as c, isPageOrRefreshTokenRequest as i, henosiaAuthConfig as l, HENOSIA_AUTH_MIDDLEWARE_UNAUTHENTICATED_PATH_NAME_PREFIXES as n, isUnauthorizedException as o, getAuth as r, verifyHenosiaAuthToken as s, HENOSIA_AUTH_MIDDLEWARE_UNAUTHENTICATED_PATH_NAMES as t };

package/dist/shared.d.mts

@@ -1,3 +1,3 @@
 
-import { i as HenosiaOrganizationContext, n as HENOSIA_AUTH_SIGN_IN_PATH_NAME, r as HENOSIA_ORGANIZATION_CTX_COOKIE, t as HENOSIA_AUTH_GET_SESSION_PATH_NAME } from "./shared-BWt7Sysv.mjs";
+import { i as HenosiaOrganizationContext, n as HENOSIA_AUTH_SIGN_IN_PATH_NAME, r as HENOSIA_ORGANIZATION_CTX_COOKIE, t as HENOSIA_AUTH_GET_SESSION_PATH_NAME } from "./shared-Cddy8ptu.mjs";
 export { HENOSIA_AUTH_GET_SESSION_PATH_NAME, HENOSIA_AUTH_SIGN_IN_PATH_NAME, HENOSIA_ORGANIZATION_CTX_COOKIE, HenosiaOrganizationContext };

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@henosia/app-next",
-  "version": "1.0.5",
+  "version": "1.0.7",
   "description": "Henosia integration for Next.js apps: Provides Henosia Auth and Henosia Platform features like app switcher",
   "author": "Henosia",
   "license": "SEE LICENSE IN LICENSE",