@henosia/app-next 1.0.6 → 1.0.7

package/dist/middleware-shared-CZbIZuBw.mjs

@@ -1,140 +0,0 @@
-/*! Copyright (c) 2026 Henosia ApS. Licensed under the Henosia Commercial Source License v1.0. See LICENSE */
-import { HENOSIA_AUTH_SIGN_IN_PATH_NAME } from "./shared.mjs";
-import "next/server.js";
-//#region src/auth/env.ts
-const requiredEnvProxy = new Proxy(process.env, { get(target, property, receiver) {
-	const value = Reflect.get(target, property, receiver);
-	if (!value || typeof value !== "string") throw new Error(`[Henosia Auth] Missing required env var: ${property.toString()}`);
-	return value;
-} });
-function getRequiredEnvValue(getter, fallback) {
-	return { get: () => {
-		try {
-			return getter(requiredEnvProxy);
-		} catch (e) {
-			if (fallback !== void 0) return fallback;
-			console.log(e.message);
-			throw e;
-		}
-	} };
-}
-//#endregion
-//#region src/auth/middleware-shared.ts
-/**
-* URL pathname values that should not check for auth in middleware, e.g. the sign-in page.
-* Additional pathname values can be added for public paths, but ONLY if they should not be intercepted by the
-* middleware auth pre-check and redirect.
-*/
-const HENOSIA_AUTH_MIDDLEWARE_UNAUTHENTICATED_PATH_NAMES = new Set([HENOSIA_AUTH_SIGN_IN_PATH_NAME]);
-if (HENOSIA_AUTH_MIDDLEWARE_UNAUTHENTICATED_PATH_NAMES.has("/")) throw new Error(`[Henosia Auth] Invalid path name '/'. Values must be non-root paths`);
-/**
-* URL pathname prefixes that should not be blocked by auth in middleware, e.g. the better-auth API routes used to sign in.
-* Additional pathname prefixes can be added for public paths, but ONLY if they should not be intercepted by the
-* middleware auth pre-check and redirect. Include the relevant `/` ending character to prevent unexpected partial
-* route matches.
-*/
-const HENOSIA_AUTH_MIDDLEWARE_UNAUTHENTICATED_PATH_NAME_PREFIXES = ["/api/auth/", "/.well-known/"];
-if (HENOSIA_AUTH_MIDDLEWARE_UNAUTHENTICATED_PATH_NAME_PREFIXES.find((p) => p === "/" || !p.trim() || !p.endsWith("/"))) throw new Error("[Henosia Auth] Invalid path name prefixes. Values must be non-empty sub paths ending with slash");
-const middlewareConfig = {
-	baseURL: getRequiredEnvValue((env) => env.BETTER_AUTH_URL),
-	projectId: getRequiredEnvValue((env) => env.HENOSIA_AUTH_PROJECT_ID)
-};
-const cookiePrefix = `henosia-auth-${middlewareConfig.projectId.get()}`;
-function parseCookies(cookieHeader) {
-	const cookieMap = /* @__PURE__ */ new Map();
-	for (const cookie of cookieHeader.split(/;\s*/)) {
-		const [name, value] = cookie.split(/=(.*)/s);
-		if (name) cookieMap.set(name, value);
-	}
-	return cookieMap;
-}
-/**
-* Lightweight Better Auth session-cookie lookup for Next.js middleware.
-*
-* This intentionally mirrors Better Auth's `getSessionCookie` naming rules without importing
-* `better-auth/cookies`, because that module imports JWT helpers at module scope and pulls the
-* server auth graph into Edge middleware bundles.
-*/
-function getHenosiaSessionCookie(request) {
-	const cookies = request.headers.get("cookie");
-	if (!cookies) return null;
-	const parsedCookie = parseCookies(cookies);
-	const getCookie = (name) => parsedCookie.get(name) || parsedCookie.get(`__Secure-${name}`);
-	return getCookie(`${cookiePrefix}.session_token`) || getCookie(`${cookiePrefix}-session_token`) || null;
-}
-/**
-* Gets whether the specified request is for a page (a top level page or iframe page).
-*/
-function isPageRequest(request) {
-	const { headers } = request;
-	const dest = headers.get("X-Henosia-Fetch-Dest") ?? headers.get("Sec-Fetch-Dest");
-	if (dest === "document" || dest === "iframe" || dest === "fencedframe") return true;
-	const isRsc = request.headers.get("RSC") === "1";
-	const isPrefetch = request.headers.get("Next-Router-Prefetch") === "1";
-	return isRsc && !isPrefetch;
-}
-function getSetCookieHeaders(headers) {
-	const getSetCookie = headers.getSetCookie?.();
-	if (getSetCookie?.length) return getSetCookie;
-	const setCookie = headers.get("set-cookie");
-	return setCookie ? splitSetCookieHeader(setCookie) : [];
-}
-function splitSetCookieHeader(setCookieHeader) {
-	const cookies = [];
-	let start = 0;
-	for (let i = 0; i < setCookieHeader.length; i += 1) {
-		if (setCookieHeader[i] !== ",") continue;
-		let cursor = i + 1;
-		while (cursor < setCookieHeader.length && setCookieHeader[cursor] === " ") cursor += 1;
-		while (cursor < setCookieHeader.length && setCookieHeader[cursor] !== "=" && setCookieHeader[cursor] !== ";" && setCookieHeader[cursor] !== ",") cursor += 1;
-		if (setCookieHeader[cursor] === "=") {
-			cookies.push(setCookieHeader.slice(start, i).trim());
-			start = i + 1;
-		}
-	}
-	const lastCookie = setCookieHeader.slice(start).trim();
-	if (lastCookie) cookies.push(lastCookie);
-	return cookies;
-}
-function applySetCookieHeadersToRequestHeaders(requestHeaders, setCookieHeaders) {
-	if (!setCookieHeaders.length) return;
-	const cookies = parseCookies(requestHeaders.get("cookie") ?? "");
-	for (const setCookie of setCookieHeaders) {
-		const parsed = parseSetCookie(setCookie);
-		if (!parsed) continue;
-		if (parsed.deleted) cookies.delete(parsed.name);
-		else cookies.set(parsed.name, parsed.value);
-	}
-	requestHeaders.set("cookie", Array.from(cookies.entries()).map(([name, value]) => `${name}=${value}`).join("; "));
-}
-function parseSetCookie(setCookie) {
-	const [cookiePair, ...attributes] = setCookie.split(";");
-	if (!cookiePair) return null;
-	const [name, value] = cookiePair.trim().split(/=(.*)/s);
-	if (!name) return null;
-	const deleted = attributes.some((attribute) => {
-		const normalized = attribute.trim().toLowerCase();
-		return normalized === "max-age=0" || normalized.startsWith("expires=thu, 01 jan 1970");
-	});
-	return {
-		name,
-		value: value ?? "",
-		deleted
-	};
-}
-/**
-* Removes potentially invalid cached account data from cookies before the next better-auth sign in attempt.
-*/
-function removeCachedAccountData(response) {
-	const baseURL = middlewareConfig.baseURL.get();
-	const secure = baseURL.startsWith("https");
-	const name = `${secure ? "__Secure-" : ""}${cookiePrefix}.account_data`;
-	response.cookies.delete({
-		name,
-		secure,
-		httpOnly: true,
-		domain: new URL(baseURL).hostname
-	});
-}
-//#endregion
-export { getHenosiaSessionCookie as a, removeCachedAccountData as c, cookiePrefix as i, getRequiredEnvValue as l, HENOSIA_AUTH_MIDDLEWARE_UNAUTHENTICATED_PATH_NAME_PREFIXES as n, getSetCookieHeaders as o, applySetCookieHeadersToRequestHeaders as r, isPageRequest as s, HENOSIA_AUTH_MIDDLEWARE_UNAUTHENTICATED_PATH_NAMES as t };

package/dist/server-DfD6Dc91.d.mts

@@ -1,112 +0,0 @@
-
-import { l as HenosiaOrganizationContext } from "./shared-BWPBaubT.mjs";
-import { Auth } from "better-auth";
-import { NextRequest, NextResponse } from "next/server.js";
-
-//#region src/auth/env.d.ts
-type EnvLiveGetString = {
-  get(): string;
-};
-//#endregion
-//#region src/auth/middleware-shared.d.ts
-/**
- * URL pathname values that should not check for auth in middleware, e.g. the sign-in page.
- * Additional pathname values can be added for public paths, but ONLY if they should not be intercepted by the
- * middleware auth pre-check and redirect.
- */
-declare const HENOSIA_AUTH_MIDDLEWARE_UNAUTHENTICATED_PATH_NAMES: Set<string>;
-/**
- * URL pathname prefixes that should not be blocked by auth in middleware, e.g. the better-auth API routes used to sign in.
- * Additional pathname prefixes can be added for public paths, but ONLY if they should not be intercepted by the
- * middleware auth pre-check and redirect. Include the relevant `/` ending character to prevent unexpected partial
- * route matches.
- */
-declare const HENOSIA_AUTH_MIDDLEWARE_UNAUTHENTICATED_PATH_NAME_PREFIXES: string[];
-declare const cookiePrefix: `henosia-auth-${string}`;
-/**
- * Gets whether the specified request is for a page (a top level page or iframe page).
- */
-declare function isPageRequest(request: Request): boolean;
-//#endregion
-//#region src/auth/server.d.ts
-interface HenosiaAuthConfig {
-  /** Name of the Henosia Auth OAuth2 provider */
-  provider: 'henosia';
-  /** The consuming app's own deployment or preview browser URL. Used as the better-auth base url */
-  baseURL: EnvLiveGetString;
-  /** The consuming app's own deployment or preview auth secret. Used as the better-auth secret */
-  secret: EnvLiveGetString;
-  /** OAuth client ID from HenosiaAuthClientService */
-  clientId: EnvLiveGetString;
-  /** OAuth client secret from HenosiaAuthClientService */
-  clientSecret: EnvLiveGetString;
-  /** The Henosia auth and platform service base URL, under which the OAuth client is registered */
-  henosiaAuthPlatformServiceBaseUrl: EnvLiveGetString;
-  /** The provider identifier that Henosia Auth is registered with as a OIDC-based Custom Provider in Supabase Auth */
-  henosiaAuthSupabaseProvider: EnvLiveGetString;
-  /**
-   * The project id that the JWT project claim should match in HenosiaAuthTokenClaims.
-   * Ensures that signed-in Henosia users cannot access projects that they have not been granted access to,
-   * for example that User A from Org A cannot access User B from Org B's project.
-   * */
-  projectId: EnvLiveGetString;
-}
-/**
- * Environment-provided configuration for Henosia Auth.
- * When the consuming app runs in the Henosia preview, the env vars are provided by the runtime environment and should not be
- * hard-coded or present in the `.env.local` file. The Henosia Publish feature automatically sets production versions of
- * the values on the deployed app. For self-publish flows or local development, see the `Environment settings`
- * in the Henosia builder navbar for the relevant values. The preview values cannot be used for production deployments.
- */
-declare const henosiaAuthConfig: HenosiaAuthConfig;
-interface HenosiaAuthTokenClaims {
-  /** The project id that the claim is associated with. A `null` value indicates no project access was granted. */
-  'https://henosia.com/project': string | null;
-  /** Whether the claim is associated with Henosia's preview browser in the builder */
-  'https://henosia.com/preview': boolean;
-  /** The organization that the app belongs to */
-  'https://henosia.com/organization': HenosiaOrganizationContext;
-}
-/**
- * Gets whether the specified request is allowed to spend the single-use OIDC refresh token to obtain a new
- * access token.
- *
- */
-declare function isPageOrRefreshTokenRequest(request: Request): boolean;
-/**
- * The Henosia Auth instance.
- *
- * Typed as the minimal {@link Auth} type from better-auth (which is parameterised on the default
- * {@link BetterAuthOptions}) rather than the deeply-inferred concrete type returned by {@link betterAuth}.
- * The deeply-inferred graph references non-portable internals from `better-auth` and `zod` that cannot be
- * named in published declarations (TS2883).
- */
-declare const auth: Auth;
-/**
- * Verifies the Henosia Auth JWT on the current request, or throws in case it's missing or invalid.
- * This method must be called before allowing access to any protected pages or routes,
- * and before accessing data in server side page methods or actions.
- * @param request the current request which provides auth headers
- * @return the better-auth `getAccessToken` response, the verified token `payload` (a {@link HenosiaAuthTokenClaims}),
- *         the `Set-Cookie` headers produced while obtaining/refreshing the token, and a
- *         `transferBetterAuthCookiesToNext` helper that forwards those cookies onto a Next.js request/response pair
- * @throws APIError when the current credentials are missing or invalid
- */
-declare function verifyHenosiaAuthToken(request: Request): Promise<{
-  accessTokenResponse: {
-    accessToken: string;
-    accessTokenExpiresAt: Date | undefined;
-    scopes: string[];
-    idToken: string | undefined;
-  };
-  payload: HenosiaAuthTokenClaims;
-  setCookieHeaders: string[];
-  transferBetterAuthCookiesToNext: (nextRequest: NextRequest, response: NextResponse) => void;
-}>;
-/**
- * Determines whether the specified exception should start the sign-in flow to authenticate the user
- * @param error the error thrown by `verifyHenosiaAuthToken`
- */
-declare function isUnauthorizedException(error: unknown): boolean;
-//#endregion
-export { isPageOrRefreshTokenRequest as a, HENOSIA_AUTH_MIDDLEWARE_UNAUTHENTICATED_PATH_NAMES as c, isPageRequest as d, henosiaAuthConfig as i, HENOSIA_AUTH_MIDDLEWARE_UNAUTHENTICATED_PATH_NAME_PREFIXES as l, HenosiaAuthTokenClaims as n, isUnauthorizedException as o, auth as r, verifyHenosiaAuthToken as s, HenosiaAuthConfig as t, cookiePrefix as u };

package/dist/session-sync-Cva_oreV.mjs

@@ -1,114 +0,0 @@
-/*! Copyright (c) 2026 Henosia ApS. Licensed under the Henosia Commercial Source License v1.0. See LICENSE */
-import { HENOSIA_AUTH_INVALID_SESSION_BODY, HENOSIA_AUTH_SESSION_SYNC_ORIGINAL_FETCH_DEST_HEADER, HENOSIA_ORGANIZATION_CTX_COOKIE } from "./shared.mjs";
-import { henosiaAuthConfig, isUnauthorizedException, verifyHenosiaAuthToken } from "./auth/server.mjs";
-import { NextResponse } from "next/server.js";
-//#region src/auth/utils.ts
-function delayWithCancel(delayMs) {
-	let timer;
-	let reject = null;
-	const promise = new Promise((resolve, _reject) => {
-		reject = _reject;
-		timer = setTimeout(() => resolve(), delayMs);
-	});
-	const cancel = () => {
-		clearTimeout(timer);
-		queueMicrotask(() => {
-			reject();
-			reject = null;
-		});
-	};
-	return {
-		promise,
-		cancel
-	};
-}
-//#endregion
-//#region src/auth/session-sync.ts
-function syncOrganizationContextCookie(request, response, payload) {
-	const cachedOrg = request.cookies.get("henosia.org")?.value ?? null;
-	const org = JSON.stringify(payload["https://henosia.com/organization"] ?? null);
-	if (cachedOrg !== org) response.cookies.set(HENOSIA_ORGANIZATION_CTX_COOKIE, org);
-}
-/**
-* Transfers cookies and downstream sessions that require the server auth graph.
-*
-* This runs from Node route handlers directly or through the middleware's internal sync route so
-* `@henosia/app-next/auth/middleware` remains safe to bundle for Edge runtimes.
-*/
-async function syncHenosiaAuthSession(request, response, verified, options = {}) {
-	if (options.transferBetterAuthCookies ?? true) verified.transferBetterAuthCookiesToNext(request, response);
-	syncOrganizationContextCookie(request, response, verified.payload);
-	if (process.env.NEXT_PUBLIC_SUPABASE_URL) await exchangeHenosiaTokenForSupabaseSession(request, response, verified.accessTokenResponse.idToken);
-}
-/**
-* Internal route handler used by middleware to perform server-only session sync before the matched request renders.
-*/
-async function handleHenosiaAuthSessionSync(request) {
-	try {
-		const verified = await verifyHenosiaAuthToken(buildOriginalRequestForSessionSync(request));
-		const response = new NextResponse(null, { status: 204 });
-		await syncHenosiaAuthSession(request, response, verified);
-		return applySessionSyncResponseHeaders(response);
-	} catch (e) {
-		if (isUnauthorizedException(e)) return applySessionSyncResponseHeaders(NextResponse.json(HENOSIA_AUTH_INVALID_SESSION_BODY, { status: 401 }));
-		console.error("[Henosia Auth] session sync error", e);
-		return applySessionSyncResponseHeaders(NextResponse.json({ error: "Server error" }, { status: 500 }));
-	}
-}
-function applySessionSyncResponseHeaders(response) {
-	response.headers.set("Cache-Control", "private, no-store");
-	response.headers.set("Vary", "Cookie");
-	return response;
-}
-function buildOriginalRequestForSessionSync(request) {
-	const originalUrl = request.headers.get("x-henosia-auth-original-url") ?? request.url;
-	const originalMethod = request.headers.get("x-henosia-auth-original-method") ?? "GET";
-	const originalHeaders = new Headers(request.headers);
-	const originalFetchDest = request.headers.get(HENOSIA_AUTH_SESSION_SYNC_ORIGINAL_FETCH_DEST_HEADER);
-	if (originalFetchDest) originalHeaders.set("X-Henosia-Fetch-Dest", originalFetchDest);
-	return new Request(originalUrl, {
-		headers: originalHeaders,
-		method: originalMethod
-	});
-}
-/**
-* Lazy-load `@supabase/ssr` so apps that don't use Supabase don't have to install it.
-*/
-async function exchangeHenosiaTokenForSupabaseSession(request, response, idToken) {
-	let createServerClient;
-	try {
-		({createServerClient} = await import("@supabase/ssr"));
-	} catch (e) {
-		console.error("[Henosia Auth] NEXT_PUBLIC_SUPABASE_URL is set but `@supabase/ssr` is not installed. Install it as a peer dependency to enable Supabase session exchange.", e);
-		return;
-	}
-	const supabase = createServerClient(process.env.NEXT_PUBLIC_SUPABASE_URL, process.env.NEXT_PUBLIC_SUPABASE_PUBLISHABLE_KEY, { cookies: {
-		getAll() {
-			return request.cookies.getAll();
-		},
-		setAll(cookiesToSet) {
-			cookiesToSet.forEach(({ name, value }) => request.cookies.set(name, value));
-			try {
-				cookiesToSet.forEach(({ name, value, options }) => response.cookies.set(name, value, options));
-			} catch {}
-		}
-	} });
-	const { promise: supabaseTimeout, cancel } = delayWithCancel(5e3);
-	await Promise.race([supabaseTimeout.then(() => {
-		console.error(`[Supabase] Timed out getting a valid Supabase session: ${process.env.NEXT_PUBLIC_SUPABASE_URL} may be paused or down.`);
-	}), (async () => {
-		try {
-			const { data } = await supabase.auth.getSession();
-			if (!data.session) await supabase.auth.signInWithIdToken({
-				provider: henosiaAuthConfig.henosiaAuthSupabaseProvider.get(),
-				token: idToken
-			});
-		} catch (error) {
-			console.error("[Supabase] Unable to get valid Supabase session", error);
-		} finally {
-			cancel();
-		}
-	})()]);
-}
-//#endregion
-export { syncHenosiaAuthSession as n, syncOrganizationContextCookie as r, handleHenosiaAuthSessionSync as t };

package/dist/shared-BWPBaubT.d.mts

@@ -1,30 +0,0 @@
-
-//#region src/shared.d.ts
-declare const HENOSIA_AUTH_SIGN_IN_PATH_NAME = "/sign-in";
-/**
- * The pathname for better-auth's `/get-session` endpoint, used by the React `useSession` hook.
- *
- * `useSession` automatically refetches this endpoint on browser tab focus (and optionally on a polling
- * interval), which we leverage as a built-in keep-alive for the OIDC access/refresh tokens — see
- * `isPageOrRefreshTokenRequest` and the middleware-backed session sync route.
- */
-declare const HENOSIA_AUTH_GET_SESSION_PATH_NAME = "/api/auth/get-session";
-/**
- * Internal route used by the Edge middleware to delegate server-only token refresh and downstream session sync
- * without importing the Better Auth server graph into the middleware bundle.
- */
-declare const HENOSIA_AUTH_SESSION_SYNC_PATH_NAME = "/api/auth/henosia-session-sync";
-declare const HENOSIA_AUTH_SESSION_SYNC_ORIGINAL_URL_HEADER = "x-henosia-auth-original-url";
-declare const HENOSIA_AUTH_SESSION_SYNC_ORIGINAL_METHOD_HEADER = "x-henosia-auth-original-method";
-declare const HENOSIA_AUTH_SESSION_SYNC_ORIGINAL_FETCH_DEST_HEADER = "x-henosia-auth-original-fetch-dest";
-type HenosiaOrganizationContext = {
-  id: string;
-  name: string;
-  logoUrl: string | null;
-} | null;
-declare const HENOSIA_ORGANIZATION_CTX_COOKIE = "henosia.org";
-declare const HENOSIA_AUTH_INVALID_SESSION_BODY: {
-  error: string;
-};
-//#endregion
-export { HENOSIA_AUTH_SESSION_SYNC_ORIGINAL_URL_HEADER as a, HENOSIA_ORGANIZATION_CTX_COOKIE as c, HENOSIA_AUTH_SESSION_SYNC_ORIGINAL_METHOD_HEADER as i, HenosiaOrganizationContext as l, HENOSIA_AUTH_INVALID_SESSION_BODY as n, HENOSIA_AUTH_SESSION_SYNC_PATH_NAME as o, HENOSIA_AUTH_SESSION_SYNC_ORIGINAL_FETCH_DEST_HEADER as r, HENOSIA_AUTH_SIGN_IN_PATH_NAME as s, HENOSIA_AUTH_GET_SESSION_PATH_NAME as t };