@henosia/app-next 1.0.6 → 1.0.8

package/.agents/skills/henosia-app-next/SKILL.md

@@ -16,8 +16,8 @@ enabled: false # flip to true to enable during Henosia Auth integration in proje
 
 `@henosia/app-next` is the Henosia integration for Next.js apps. It provides:
 
-- Henosia Auth middleware (edge-safe session-cookie pre-check that delegates server-only session sync to the auth route).
-- better-auth and Henosia Platform catch-all Route Handlers, including token refresh, organization-context sync, and optional Supabase session exchange.
+- Henosia Auth middleware (pre-check + token refresh + optional Supabase session exchange).
+- better-auth and Henosia Platform catch-all Route Handlers.
 - A React `authClient` (better-auth) and a `useAppSwitcher` hook.
 - Optional Supabase server/browser client factories.
 - Server-side auth guards — see the **`henosia-auth-guards` skill** for those
@@ -27,7 +27,7 @@ enabled: false # flip to true to enable during Henosia Auth integration in proje
 ## Authoritative reference
 
 For complete and up-to-date package usage details (peer dependencies, subpath
-exports, middleware-backed route-handler session sync, Supabase exchange behavior, app-switcher hook options), read:
+exports, Supabase exchange behavior, app-switcher hook options), read:
 
 - `node_modules/@henosia/app-next/README.md`
 
@@ -171,21 +171,20 @@ README section.
 12. **(Optional) Add Supabase helpers.** When `NEXT_PUBLIC_SUPABASE_URL` is
     set in the Henosia builder env, install the Supabase peer deps and copy
     `lib/supabase/server.ts` and `lib/supabase/client.ts` from the template.
-    The Henosia Auth middleware delegates to the auth route handler, which
-    exchanges the Henosia Auth token for a Supabase session before protected
-    requests render and during session refresh — no extra wiring required. See
-    README "5. (Optional) Supabase helpers".
+    The middleware automatically exchanges the Henosia Auth token for a
+    Supabase session — no extra wiring required. See README "5. (Optional)
+    Supabase helpers".
 13. **Protect every non-public page, layout, server action, and route
     handler.** Use the **`henosia-auth-guards` skill**. The middleware is a
-    pre-check and session-sync entrypoint only — it does **not** satisfy the
-    per-route authorization requirement.
+    pre-check only — it does **not** satisfy the per-route authorization
+    requirement.
 14. Carefully remove the old auth flow components and routes that Henosia Auth replaces 
 
 ## Subpath imports cheat sheet
 
 ```ts
 // Server-side helpers (advanced; prefer the auth guards)
-import { auth, verifyHenosiaAuthToken, isUnauthorizedException, isPageRequest, HENOSIA_AUTH_SIGN_IN_PATH_NAME } from '@henosia/app-next'
+import { getAuth, verifyHenosiaAuthToken, isUnauthorizedException, isPageRequest, HENOSIA_AUTH_SIGN_IN_PATH_NAME } from '@henosia/app-next'
 
 // Shared constants & types (no runtime deps; safe to import from server or client)
 import { HENOSIA_AUTH_SIGN_IN_PATH_NAME, HENOSIA_AUTH_GET_SESSION_PATH_NAME, HENOSIA_ORGANIZATION_CTX_COOKIE } from '@henosia/app-next/shared'
@@ -214,7 +213,7 @@ import { createClient } from '@henosia/app-next/supabase/client'
 
 ## Lower-level helpers — usually not needed
 
-`auth`, `verifyHenosiaAuthToken`, `isUnauthorizedException`, `isPageRequest` are
+`getAuth`, `verifyHenosiaAuthToken`, `isUnauthorizedException`, `isPageRequest` are
 exported from the package root for advanced/edge cases. For protecting pages
 and routes, **always prefer the guards** documented in the
 `henosia-auth-guards` skill. They encode the canonical redirect / 401 / 500

package/.agents/skills/henosia-app-next/assets/template/components/sign-in.tsx

@@ -69,7 +69,7 @@ export function SignIn() {
           <p className="text-center text-xs text-neutral-500">
             Learn more about {" "}
             <Link
-              href="https://docs.henosia.com"
+              href="https://docs.henosia.com/henosia-auth"
               className="underline"
               target="_blank"
             >

package/README.md

@@ -1,6 +1,6 @@
 # @henosia/app-next
 
-Henosia integration for Next.js apps: Provides edge-safe middleware, better-auth setup for Henosia Auth, Henosia Platform API route handlers, and (optionally) automatic Supabase sign in.
+Henosia integration for Next.js apps: Provides middleware and better-auth setup for Henosia Auth, Henosia Platform API route handlers, and (optionally) automatic Supabase sign in.
 
 ## Installation
 
@@ -112,7 +112,7 @@ import { createClient } from '@henosia/app-next/supabase/client'
 
 ```ts
 import {
-  auth,
+  getAuth,
   verifyHenosiaAuthToken,
   isUnauthorizedException,
   isPageRequest,
@@ -133,18 +133,13 @@ import {
 ```
 
 `requireHenosiaAuth` or `routeWithHenosiaAuth` MUST be called from any protected page/route handler/server action — the
-middleware is only the request pre-check and session-sync entrypoint. It keeps the middleware bundle Edge-safe by
-delegating token refresh, organization-context cookie updates, and optional Supabase session exchange to the
-`/api/auth/henosia-session-sync` route handled by the auth catch-all route.
-
-The sync route is mounted automatically when you re-export `GET, POST` from `@henosia/app-next/api/auth`; no extra app
-route is required.
+middleware only performs a fast pre-check.
 
 ## App-switcher hook
 
 `@henosia/app-next/platform/app-switcher` exposes the `useAppSwitcher` React hook used to build a custom
-app-switcher UI. It reads the current organization context from the catch-all platform route mounted in
-[step 3](#3-henosia-platform-catch-all-route), with the cached organization cookie as an immediate fallback.
+app-switcher UI. It reads the current organization context from the cookie set by the middleware and queries
+the catch-all platform route mounted in [step 3](#3-henosia-platform-catch-all-route).
 
 Requires a `@tanstack/react-query` `QueryClientProvider` higher up in the tree.
 
@@ -178,7 +173,7 @@ export function MyAppSwitcher() {
 
 | Subpath                                   | Purpose                                                                    |
 |-------------------------------------------|----------------------------------------------------------------------------|
-| `@henosia/app-next`                       | Server-side helpers (`auth`, `verifyHenosiaAuthToken`, …)                  |
+| `@henosia/app-next`                       | Server-side helpers (`getAuth`, `verifyHenosiaAuthToken`, …)               |
 | `@henosia/app-next/shared`                | Shared constants & types (no runtime deps)                                 |
 | `@henosia/app-next/auth/middleware`       | `createHenosiaAuthMiddleware`                                              |
 | `@henosia/app-next/auth/server`           | Lower-level server-side auth surface (re-exported by root)                 |

package/dist/api/auth.d.mts

@@ -1,8 +1,6 @@
 
-import { NextRequest } from "next/server.js";
-
 //#region src/api/auth.d.ts
-declare const GET: (request: NextRequest) => Promise<Response>;
+declare const GET: (request: Request) => Promise<Response>;
 declare const POST: (request: Request) => Promise<Response>;
 //#endregion
 export { GET, POST };

package/dist/api/auth.mjs

@@ -1,10 +1,6 @@
 /*! Copyright (c) 2026 Henosia ApS. Licensed under the Henosia Commercial Source License v1.0. See LICENSE */
-import "../shared.mjs";
-import { o as getSetCookieHeaders } from "../middleware-shared-CZbIZuBw.mjs";
-import { auth, isUnauthorizedException, verifyHenosiaAuthToken } from "../auth/server.mjs";
-import { n as syncHenosiaAuthSession, t as handleHenosiaAuthSessionSync } from "../session-sync-Cva_oreV.mjs";
+import { r as getAuth } from "../server-DvvkIB4j.mjs";
 import { toNextJsHandler } from "better-auth/next-js";
-import { NextResponse } from "next/server.js";
 //#region src/api/auth.ts
 /**
 * Catch-all Next.js route handler for better-auth.
@@ -15,34 +11,8 @@ import { NextResponse } from "next/server.js";
 * export { GET, POST } from '@henosia/app-next/api/auth'
 * ```
 */
-const handlers = toNextJsHandler(auth);
-const GET = async (request) => {
-	const { pathname } = new URL(request.url);
-	if (pathname === "/api/auth/henosia-session-sync") return handleHenosiaAuthSessionSync(request);
-	if (pathname !== "/api/auth/get-session") return handlers.GET(request);
-	let verified = null;
-	const refreshedCookieResponse = new NextResponse(null);
-	try {
-		verified = await verifyHenosiaAuthToken(request);
-		verified.transferBetterAuthCookiesToNext(request, refreshedCookieResponse);
-	} catch (e) {
-		if (!isUnauthorizedException(e)) {
-			console.error("[Henosia Auth] get-session refresh error", e);
-			throw e;
-		}
-	}
-	const betterAuthResponse = await handlers.GET(request);
-	const response = new NextResponse(betterAuthResponse.body, {
-		headers: betterAuthResponse.headers,
-		status: betterAuthResponse.status,
-		statusText: betterAuthResponse.statusText
-	});
-	if (verified) {
-		for (const setCookie of getSetCookieHeaders(refreshedCookieResponse.headers)) response.headers.append("set-cookie", setCookie);
-		await syncHenosiaAuthSession(request, response, verified, { transferBetterAuthCookies: false });
-	}
-	return response;
-};
+const handlers = toNextJsHandler(getAuth());
+const GET = handlers.GET;
 const POST = handlers.POST;
 //#endregion
 export { GET, POST };

package/dist/api/platform.mjs

@@ -1,67 +1,31 @@
 /*! Copyright (c) 2026 Henosia ApS. Licensed under the Henosia Commercial Source License v1.0. See LICENSE */
-import { HENOSIA_AUTH_INVALID_SESSION_BODY } from "../shared.mjs";
-import { henosiaAuthConfig, isUnauthorizedException, verifyHenosiaAuthToken } from "../auth/server.mjs";
+import { l as henosiaAuthConfig, o as isUnauthorizedException, s as verifyHenosiaAuthToken } from "../server-DvvkIB4j.mjs";
 import { applySecurityHeaders } from "../auth/server-guards.mjs";
-import { r as syncOrganizationContextCookie } from "../session-sync-Cva_oreV.mjs";
-import { NextResponse } from "next/server.js";
 //#region src/api/platform/v1/app-switcher.ts
 /**
 * Handler for the Henosia Platform `app-switcher` endpoint.
 * Proxies the authenticated request to the Henosia Auth platform service using the verified id token.
 */
 async function handleAppSwitcher(request) {
-	let verified = null;
 	try {
-		verified = await verifyHenosiaAuthToken(request);
+		const { accessTokenResponse } = await verifyHenosiaAuthToken(request);
 		const fetchUrl = new URL(henosiaAuthConfig.henosiaAuthPlatformServiceBaseUrl.get());
 		fetchUrl.pathname = request.nextUrl.pathname;
 		const response = await fetch(fetchUrl, {
 			method: "GET",
 			redirect: "error",
-			headers: { authorization: `Bearer ${verified.accessTokenResponse.idToken}` }
+			headers: { authorization: `Bearer ${accessTokenResponse.idToken}` }
 		});
-		if (!response.ok) {
-			const nextResponse = createUpstreamResponse(response);
-			applySecurityHeaders(nextResponse);
-			return applyVerifiedAuthCookies(request, nextResponse, verified);
-		}
-		const body = await response.json();
-		const responseBody = isObjectRecord(body) ? body : {};
-		const nextResponse = NextResponse.json({
-			...responseBody,
-			organization: verified.payload["https://henosia.com/organization"] ?? null
-		}, {
+		return applySecurityHeaders(Response.json(await response.json(), {
 			status: response.status,
 			statusText: response.statusText
-		});
-		applySecurityHeaders(nextResponse);
-		return applyVerifiedAuthCookies(request, nextResponse, verified);
+		}));
 	} catch (e) {
-		if (isUnauthorizedException(e)) return applySecurityHeaders(NextResponse.json(HENOSIA_AUTH_INVALID_SESSION_BODY, { status: 401 }));
+		if (isUnauthorizedException(e)) return Response.json({ error: "Your session is invalid or expired. Please reload the page to sign in again." }, { status: 401 });
 		console.error("[Henosia Platform] App Switcher API error", e);
-		const response = NextResponse.json({ error: "Server error" }, { status: 500 });
-		applySecurityHeaders(response);
-		return verified ? applyVerifiedAuthCookies(request, response, verified) : response;
+		return Response.json({ error: "Server error" }, { status: 500 });
 	}
 }
-function applyVerifiedAuthCookies(request, response, verified) {
-	verified.transferBetterAuthCookiesToNext(request, response);
-	syncOrganizationContextCookie(request, response, verified.payload);
-	return response;
-}
-function createUpstreamResponse(response) {
-	const headers = new Headers();
-	const contentType = response.headers.get("content-type");
-	if (contentType) headers.set("content-type", contentType);
-	return new NextResponse(response.body, {
-		headers,
-		status: response.status,
-		statusText: response.statusText
-	});
-}
-function isObjectRecord(value) {
-	return typeof value === "object" && value !== null && !Array.isArray(value);
-}
 //#endregion
 //#region src/api/platform.ts
 /**

package/dist/auth/middleware.d.mts

@@ -23,16 +23,31 @@ interface HenosiaAuthMiddlewareOptions {
   additionalUnauthenticatedPathNamePrefixes?: ReadonlyArray<string>;
 }
 /**
- * Creates a Next.js middleware function that performs the Henosia Auth edge pre-check.
+ * Creates a Next.js middleware function that performs the Henosia Auth pre-check.
  *
  * The returned function:
- * - Returns a redirect to the sign-in page when no session cookie is present.
- * - Returns a 401 JSON response for non-GET requests without a session cookie.
- * - Delegates token refresh, organization-context sync, and optional Supabase exchange to the server auth route.
- * - Avoids importing the server auth graph so the middleware can be bundled for Edge runtimes.
+ * - Returns a redirect to the sign-in page when no valid session cookie is present.
+ * - Verifies the Henosia Auth JWT, transferring any refreshed cookies onto the response.
+ * - Optionally exchanges the Henosia Auth token for a Supabase session if `NEXT_PUBLIC_SUPABASE_URL` is set.
+ * - Returns the resulting `NextResponse` (a `NextResponse.next({ request })` when authenticated, a redirect or
+ *   401 JSON response otherwise) so the caller can compose additional logic on top.
  *
  * **Important**: this middleware performs an auth *pre-check*. Authorization MUST still be performed at the
- * relevant pages and route handlers using `requireHenosiaAuth` or `routeWithHenosiaAuth` from `@henosia/app-next`.
+ * relevant pages and route handlers using {@link verifyHenosiaAuthToken}.
+ *
+ * @example Composing with custom logic
+ * ```ts
+ * import { type NextRequest, NextResponse } from 'next/server'
+ * import { createHenosiaAuthMiddleware } from '@henosia/app-next/middleware'
+ *
+ * const henosiaAuth = createHenosiaAuthMiddleware()
+ *
+ * export async function middleware(request: NextRequest) {
+ *   // Add app-specific logic here ...
+ *   return await henosiaAuth(request)
+ * }
+ *
+ * ```
  */
 declare function createHenosiaAuthMiddleware(options?: HenosiaAuthMiddlewareOptions): (request: NextRequest) => Promise<NextResponse>;
 //#endregion

package/dist/auth/middleware.mjs

@@ -1,19 +1,57 @@
 /*! Copyright (c) 2026 Henosia ApS. Licensed under the Henosia Commercial Source License v1.0. See LICENSE */
-import { HENOSIA_AUTH_INVALID_SESSION_BODY, HENOSIA_AUTH_SESSION_SYNC_ORIGINAL_FETCH_DEST_HEADER, HENOSIA_AUTH_SESSION_SYNC_ORIGINAL_METHOD_HEADER, HENOSIA_AUTH_SESSION_SYNC_ORIGINAL_URL_HEADER, HENOSIA_AUTH_SESSION_SYNC_PATH_NAME, HENOSIA_AUTH_SIGN_IN_PATH_NAME } from "../shared.mjs";
-import { a as getHenosiaSessionCookie, c as removeCachedAccountData, n as HENOSIA_AUTH_MIDDLEWARE_UNAUTHENTICATED_PATH_NAME_PREFIXES, o as getSetCookieHeaders, r as applySetCookieHeadersToRequestHeaders, s as isPageRequest, t as HENOSIA_AUTH_MIDDLEWARE_UNAUTHENTICATED_PATH_NAMES } from "../middleware-shared-CZbIZuBw.mjs";
+import { HENOSIA_AUTH_SIGN_IN_PATH_NAME, HENOSIA_ORGANIZATION_CTX_COOKIE } from "../shared.mjs";
+import { a as isPageRequest, c as cookiePrefix, l as henosiaAuthConfig, n as HENOSIA_AUTH_MIDDLEWARE_UNAUTHENTICATED_PATH_NAME_PREFIXES, o as isUnauthorizedException, s as verifyHenosiaAuthToken, t as HENOSIA_AUTH_MIDDLEWARE_UNAUTHENTICATED_PATH_NAMES } from "../server-DvvkIB4j.mjs";
+import { getSessionCookie } from "better-auth/cookies";
 import { NextResponse } from "next/server.js";
+//#region src/auth/utils.ts
+function delayWithCancel(delayMs) {
+	let timer;
+	let reject = null;
+	const promise = new Promise((resolve, _reject) => {
+		reject = _reject;
+		timer = setTimeout(() => resolve(), delayMs);
+	});
+	const cancel = () => {
+		clearTimeout(timer);
+		queueMicrotask(() => {
+			reject();
+			reject = null;
+		});
+	};
+	return {
+		promise,
+		cancel
+	};
+}
+//#endregion
 //#region src/auth/middleware.ts
+const INVALID_SESSION_BODY = { error: "Your session is invalid or expired. Please reload the page to sign in again." };
 /**
-* Creates a Next.js middleware function that performs the Henosia Auth edge pre-check.
+* Creates a Next.js middleware function that performs the Henosia Auth pre-check.
 *
 * The returned function:
-* - Returns a redirect to the sign-in page when no session cookie is present.
-* - Returns a 401 JSON response for non-GET requests without a session cookie.
-* - Delegates token refresh, organization-context sync, and optional Supabase exchange to the server auth route.
-* - Avoids importing the server auth graph so the middleware can be bundled for Edge runtimes.
+* - Returns a redirect to the sign-in page when no valid session cookie is present.
+* - Verifies the Henosia Auth JWT, transferring any refreshed cookies onto the response.
+* - Optionally exchanges the Henosia Auth token for a Supabase session if `NEXT_PUBLIC_SUPABASE_URL` is set.
+* - Returns the resulting `NextResponse` (a `NextResponse.next({ request })` when authenticated, a redirect or
+*   401 JSON response otherwise) so the caller can compose additional logic on top.
 *
 * **Important**: this middleware performs an auth *pre-check*. Authorization MUST still be performed at the
-* relevant pages and route handlers using `requireHenosiaAuth` or `routeWithHenosiaAuth` from `@henosia/app-next`.
+* relevant pages and route handlers using {@link verifyHenosiaAuthToken}.
+*
+* @example Composing with custom logic
+* ```ts
+* import { type NextRequest, NextResponse } from 'next/server'
+* import { createHenosiaAuthMiddleware } from '@henosia/app-next/middleware'
+*
+* const henosiaAuth = createHenosiaAuthMiddleware()
+*
+* export async function middleware(request: NextRequest) {
+*   // Add app-specific logic here ...
+*   return await henosiaAuth(request)
+* }
+*
+* ```
 */
 function createHenosiaAuthMiddleware(options = {}) {
 	const unauthenticatedPathNames = new Set([...HENOSIA_AUTH_MIDDLEWARE_UNAUTHENTICATED_PATH_NAMES, ...options.additionalUnauthenticatedPathNames ?? []]);
@@ -21,51 +59,98 @@ function createHenosiaAuthMiddleware(options = {}) {
 	if (unauthenticatedPathNamePrefixes.find((p) => p === "/" || !p.trim() || !p.endsWith("/"))) throw new Error("[Henosia Auth] Invalid path name prefixes in additionalUnauthenticatedPathNamePrefixes. Values must be non-empty sub paths ending with slash");
 	if (unauthenticatedPathNames.has("/")) throw new Error(`[Henosia Auth] Invalid path name '/' in additionalUnauthenticatedPathNames. Values must be non-root paths`);
 	return async function henosiaAuthMiddleware(request) {
+		const response = NextResponse.next({ request });
 		const { pathname } = request.nextUrl;
-		if (pathname === "/sign-in") {
-			const response = NextResponse.next({ request });
-			removeCachedAccountData(response);
+		if (pathname === "/sign-in") removeCachedAccountData(response);
+		if (pathname === "/api/auth/get-session") {
+			try {
+				const { transferBetterAuthCookiesToNext } = await verifyHenosiaAuthToken(request);
+				transferBetterAuthCookiesToNext(request, response);
+			} catch (e) {
+				if (!isUnauthorizedException(e)) {
+					console.error("[Henosia Auth] Middleware error", e);
+					throw e;
+				}
+			}
 			return response;
 		}
-		if (unauthenticatedPathNames.has(pathname) || !!unauthenticatedPathNamePrefixes.find((p) => pathname.startsWith(p))) return NextResponse.next({ request });
-		if (!getHenosiaSessionCookie(request)) {
-			if (request.method !== "GET") return NextResponse.json(HENOSIA_AUTH_INVALID_SESSION_BODY, { status: 401 });
+		if (unauthenticatedPathNames.has(pathname) || !!unauthenticatedPathNamePrefixes.find((p) => pathname.startsWith(p))) return response;
+		if (!getSessionCookie(request, { cookiePrefix: cookiePrefix.get() })) {
+			if (request.method !== "GET") return NextResponse.json(INVALID_SESSION_BODY, { status: 401 });
 			return NextResponse.redirect(new URL(HENOSIA_AUTH_SIGN_IN_PATH_NAME, request.url));
 		}
-		const requestHeaders = new Headers(request.headers);
-		const syncResponse = await fetch(new URL(HENOSIA_AUTH_SESSION_SYNC_PATH_NAME, request.url), {
-			method: "GET",
-			headers: createSessionSyncHeaders(request),
-			cache: "no-store",
-			redirect: "manual"
-		});
-		if (syncResponse.status === 401) {
-			if (!isPageRequest(request)) return NextResponse.json(HENOSIA_AUTH_INVALID_SESSION_BODY, { status: 401 });
-			const redirectResponse = NextResponse.redirect(new URL(HENOSIA_AUTH_SIGN_IN_PATH_NAME, request.url));
-			removeCachedAccountData(redirectResponse);
-			return redirectResponse;
+		try {
+			const { accessTokenResponse, payload, transferBetterAuthCookiesToNext } = await verifyHenosiaAuthToken(request);
+			transferBetterAuthCookiesToNext(request, response);
+			const cachedOrg = JSON.stringify(request.cookies.get("henosia.org")?.value ?? null);
+			const org = JSON.stringify(payload["https://henosia.com/organization"]);
+			if (cachedOrg !== org) response.cookies.set(HENOSIA_ORGANIZATION_CTX_COOKIE, org);
+			if (process.env.NEXT_PUBLIC_SUPABASE_URL) await exchangeHenosiaTokenForSupabaseSession(request, response, accessTokenResponse.idToken);
+		} catch (e) {
+			if (isUnauthorizedException(e)) {
+				if (!isPageRequest(request)) return NextResponse.json(INVALID_SESSION_BODY, { status: e.statusCode ?? 401 });
+				const redirectResponse = NextResponse.redirect(new URL(HENOSIA_AUTH_SIGN_IN_PATH_NAME, request.url));
+				removeCachedAccountData(redirectResponse);
+				return redirectResponse;
+			} else {
+				console.error("[Henosia Auth] Middleware error", e);
+				throw e;
+			}
 		}
-		if (!syncResponse.ok) throw new Error(`[Henosia Auth] Session sync failed: ${syncResponse.status} ${syncResponse.statusText}`);
-		const setCookieHeaders = getSetCookieHeaders(syncResponse.headers);
-		applySetCookieHeadersToRequestHeaders(requestHeaders, setCookieHeaders);
-		const response = NextResponse.next({ request: { headers: requestHeaders } });
-		for (const setCookie of setCookieHeaders) response.headers.append("set-cookie", setCookie);
 		return response;
 	};
 }
-function createSessionSyncHeaders(request) {
-	const headers = new Headers();
-	const cookie = request.headers.get("cookie");
-	if (cookie) headers.set("cookie", cookie);
-	headers.set(HENOSIA_AUTH_SESSION_SYNC_ORIGINAL_URL_HEADER, request.url);
-	headers.set(HENOSIA_AUTH_SESSION_SYNC_ORIGINAL_METHOD_HEADER, request.method);
-	const fetchDest = request.headers.get("X-Henosia-Fetch-Dest") ?? request.headers.get("Sec-Fetch-Dest");
-	if (fetchDest) headers.set(HENOSIA_AUTH_SESSION_SYNC_ORIGINAL_FETCH_DEST_HEADER, fetchDest);
-	for (const header of ["RSC", "Next-Router-Prefetch"]) {
-		const value = request.headers.get(header);
-		if (value) headers.set(header, value);
+/**
+* Lazy-load `@supabase/ssr` so apps that don't use Supabase don't have to install it.
+*/
+async function exchangeHenosiaTokenForSupabaseSession(request, response, idToken) {
+	let createServerClient;
+	try {
+		({createServerClient} = await import("@supabase/ssr"));
+	} catch (e) {
+		console.error("[Henosia Auth] NEXT_PUBLIC_SUPABASE_URL is set but `@supabase/ssr` is not installed. Install it as a peer dependency to enable Supabase session exchange.", e);
+		return;
 	}
-	return headers;
+	const supabase = createServerClient(process.env.NEXT_PUBLIC_SUPABASE_URL, process.env.NEXT_PUBLIC_SUPABASE_PUBLISHABLE_KEY, { cookies: {
+		getAll() {
+			return request.cookies.getAll();
+		},
+		setAll(cookiesToSet) {
+			cookiesToSet.forEach(({ name, value }) => request.cookies.set(name, value));
+			try {
+				cookiesToSet.forEach(({ name, value, options }) => response.cookies.set(name, value, options));
+			} catch {}
+		}
+	} });
+	const { promise: supabaseTimeout, cancel } = delayWithCancel(5e3);
+	await Promise.race([supabaseTimeout.then(() => {
+		console.error(`[Supabase] Timed out getting a valid Supabase session: ${process.env.NEXT_PUBLIC_SUPABASE_URL} may be paused or down.`);
+	}), (async () => {
+		try {
+			const { data } = await supabase.auth.getSession();
+			if (!data.session) await supabase.auth.signInWithIdToken({
+				provider: henosiaAuthConfig.henosiaAuthSupabaseProvider.get(),
+				token: idToken
+			});
+		} catch (error) {
+			console.error("[Supabase] Unable to get valid Supabase session", error);
+		} finally {
+			cancel();
+		}
+	})()]);
+}
+/**
+* Removes potentially invalid cached account data from cookies before the next better-auth sign in attempt
+*/
+function removeCachedAccountData(response) {
+	const secure = henosiaAuthConfig.baseURL.get().startsWith("https");
+	const name = `${secure ? "__Secure-" : ""}${cookiePrefix.get()}.account_data`;
+	response.cookies.delete({
+		name,
+		secure,
+		httpOnly: true,
+		domain: new URL(henosiaAuthConfig.baseURL.get()).hostname
+	});
 }
 //#endregion
 export { createHenosiaAuthMiddleware };

package/dist/auth/server-guards.d.mts

@@ -1,5 +1,5 @@
 
-import { n as HenosiaAuthTokenClaims } from "../server-DfD6Dc91.mjs";
+import { HenosiaAuthTokenClaims } from "./server.mjs";
 import { NextRequest, NextResponse } from "next/server.js";
 
 //#region src/auth/server-guards.d.ts

package/dist/auth/server-guards.mjs

@@ -1,10 +1,10 @@
 /*! Copyright (c) 2026 Henosia ApS. Licensed under the Henosia Commercial Source License v1.0. See LICENSE */
 import { HENOSIA_AUTH_SIGN_IN_PATH_NAME } from "../shared.mjs";
-import { isUnauthorizedException, verifyHenosiaAuthToken } from "./server.mjs";
-import { NextResponse } from "next/server.js";
-import { cache } from "react";
+import { o as isUnauthorizedException, s as verifyHenosiaAuthToken } from "../server-DvvkIB4j.mjs";
 import { headers } from "next/headers.js";
+import { cache } from "react";
 import { redirect } from "next/navigation.js";
+import { NextResponse } from "next/server.js";
 //#region src/auth/server-guards.ts
 async function buildRequestFromHeaders() {
 	const h = await headers();

package/dist/auth/server.d.mts

@@ -1,3 +1,82 @@
 
-import { a as isPageOrRefreshTokenRequest, c as HENOSIA_AUTH_MIDDLEWARE_UNAUTHENTICATED_PATH_NAMES, d as isPageRequest, i as henosiaAuthConfig, l as HENOSIA_AUTH_MIDDLEWARE_UNAUTHENTICATED_PATH_NAME_PREFIXES, n as HenosiaAuthTokenClaims, o as isUnauthorizedException, r as auth, s as verifyHenosiaAuthToken, t as HenosiaAuthConfig, u as cookiePrefix } from "../server-DfD6Dc91.mjs";
-export { HENOSIA_AUTH_MIDDLEWARE_UNAUTHENTICATED_PATH_NAMES, HENOSIA_AUTH_MIDDLEWARE_UNAUTHENTICATED_PATH_NAME_PREFIXES, HenosiaAuthConfig, HenosiaAuthTokenClaims, auth, cookiePrefix, henosiaAuthConfig, isPageOrRefreshTokenRequest, isPageRequest, isUnauthorizedException, verifyHenosiaAuthToken };
+import { i as HenosiaOrganizationContext } from "../shared-Cddy8ptu.mjs";
+import { Auth } from "better-auth";
+import { NextRequest, NextResponse } from "next/server.js";
+
+//#region src/auth/server.d.ts
+/**
+ * URL pathname values that should not check for auth in middleware, e.g. the sign-in page.
+ * Additional pathname values can be added for public paths, but ONLY if they should not be intercepted by the
+ * middleware auth pre-check and redirect.
+ */
+declare const HENOSIA_AUTH_MIDDLEWARE_UNAUTHENTICATED_PATH_NAMES: Set<string>;
+/**
+ * URL pathname prefixes that should not be blocked by auth in middleware, e.g. the better-auth API routes used to sign in.
+ * Additional pathname prefixes can be added for public paths, but ONLY if they should not be intercepted by the
+ * middleware auth pre-check and redirect. Include the relevant `/` ending character to prevent unexpected partial
+ * route matches.
+ */
+declare const HENOSIA_AUTH_MIDDLEWARE_UNAUTHENTICATED_PATH_NAME_PREFIXES: string[];
+interface HenosiaAuthTokenClaims {
+  /** The project id that the claim is associated with. A `null` value indicates no project access was granted. */
+  'https://henosia.com/project': string | null;
+  /** Whether the claim is associated with Henosia's preview browser in the builder */
+  'https://henosia.com/preview': boolean;
+  /** The organization that the app belongs to */
+  'https://henosia.com/organization': HenosiaOrganizationContext;
+}
+/**
+ * Gets whether the specified request is for a page (a top level page or iframe page)
+ */
+declare function isPageRequest(request: Request): boolean;
+/**
+ * Gets whether the specified request is allowed to spend the single-use OIDC refresh token to obtain a new
+ * access token.
+ *
+ */
+declare function isPageOrRefreshTokenRequest(request: Request): boolean;
+/**
+ * Returns the singleton Henosia Auth instance, creating it on first call.
+ *
+ * The instance is created lazily so that importing this module does not eagerly read the required
+ * environment variables (see {@link henosiaAuthConfig}). This means modules that only need the
+ * configuration or shared helpers can be imported in environments where the full set of `BETTER_AUTH_*` /
+ * `HENOSIA_AUTH_*` env vars is not yet populated, and only call sites that actually invoke `getAuth()`
+ * will require them to be set.
+ *
+ * Subsequent calls return the same underlying better-auth instance.
+ *
+ * The return type is the minimal {@link Auth} type from better-auth (which is parameterised on the default
+ * `BetterAuthOptions`) rather than the deeply-inferred concrete type returned by {@link betterAuth}.
+ * The deeply-inferred graph references non-portable internals from `better-auth` and `zod` that cannot be
+ * named in published declarations (TS2883).
+ */
+declare const getAuth: () => Auth;
+/**
+ * Verifies the Henosia Auth JWT on the current request, or throws in case it's missing or invalid.
+ * This method must be called before allowing access to any protected pages or routes,
+ * and before accessing data in server side page methods or actions.
+ * @param request the current request which provides auth headers
+ * @return the better-auth `getAccessToken` response, the verified token `payload` (a {@link HenosiaAuthTokenClaims}),
+ *         the `Set-Cookie` headers produced while obtaining/refreshing the token, and a
+ *         `transferBetterAuthCookiesToNext` helper that forwards those cookies onto a Next.js request/response pair
+ * @throws APIError when the current credentials are missing or invalid
+ */
+declare function verifyHenosiaAuthToken(request: Request): Promise<{
+  accessTokenResponse: {
+    accessToken: string;
+    accessTokenExpiresAt: Date | undefined;
+    scopes: string[];
+    idToken: string | undefined;
+  };
+  payload: HenosiaAuthTokenClaims;
+  setCookieHeaders: string[];
+  transferBetterAuthCookiesToNext: (nextRequest: NextRequest, response: NextResponse) => void;
+}>;
+/**
+ * Determines whether the specified exception should start the sign-in flow to authenticate the user
+ * @param error the error thrown by `verifyHenosiaAuthToken`
+ */
+declare function isUnauthorizedException(error: unknown): boolean;
+//#endregion
+export { HENOSIA_AUTH_MIDDLEWARE_UNAUTHENTICATED_PATH_NAMES, HENOSIA_AUTH_MIDDLEWARE_UNAUTHENTICATED_PATH_NAME_PREFIXES, HenosiaAuthTokenClaims, getAuth, isPageOrRefreshTokenRequest, isPageRequest, isUnauthorizedException, verifyHenosiaAuthToken };