@henosia/app-next 1.0.6 → 1.0.8

package/dist/auth/server.mjs

@@ -1,175 +1,3 @@
 /*! Copyright (c) 2026 Henosia ApS. Licensed under the Henosia Commercial Source License v1.0. See LICENSE */
-import { HENOSIA_AUTH_GET_SESSION_PATH_NAME } from "../shared.mjs";
-import { i as cookiePrefix, l as getRequiredEnvValue, n as HENOSIA_AUTH_MIDDLEWARE_UNAUTHENTICATED_PATH_NAME_PREFIXES, s as isPageRequest, t as HENOSIA_AUTH_MIDDLEWARE_UNAUTHENTICATED_PATH_NAMES } from "../middleware-shared-CZbIZuBw.mjs";
-import { APIError, betterAuth } from "better-auth";
-import { createAuthMiddleware } from "better-auth/api";
-import { bearer, genericOAuth, jwt } from "better-auth/plugins";
-import { nextCookies } from "better-auth/next-js";
-import { verifyAccessToken } from "better-auth/oauth2";
-import { parseSetCookieHeader } from "better-auth/cookies";
-import { AsyncLocalStorage } from "node:async_hooks";
-//#region src/auth/server.ts
-/**
-* Environment-provided configuration for Henosia Auth.
-* When the consuming app runs in the Henosia preview, the env vars are provided by the runtime environment and should not be
-* hard-coded or present in the `.env.local` file. The Henosia Publish feature automatically sets production versions of
-* the values on the deployed app. For self-publish flows or local development, see the `Environment settings`
-* in the Henosia builder navbar for the relevant values. The preview values cannot be used for production deployments.
-*/
-const henosiaAuthConfig = {
-	provider: "henosia",
-	baseURL: getRequiredEnvValue((env) => env.BETTER_AUTH_URL),
-	secret: getRequiredEnvValue((env) => env.BETTER_AUTH_SECRET),
-	henosiaAuthPlatformServiceBaseUrl: getRequiredEnvValue((env) => env.HENOSIA_AUTH_SERVICE_BASE_URL),
-	henosiaAuthSupabaseProvider: getRequiredEnvValue((env) => env.HENOSIA_AUTH_SUPABASE_PROVIDER, "custom:henosia-auth:platform"),
-	clientSecret: getRequiredEnvValue((env) => env.HENOSIA_AUTH_CLIENT_SECRET),
-	clientId: getRequiredEnvValue((env) => env.HENOSIA_AUTH_CLIENT_ID),
-	projectId: getRequiredEnvValue((env) => env.HENOSIA_AUTH_PROJECT_ID)
-};
-/**
-* Gets whether the specified request is allowed to spend the single-use OIDC refresh token to obtain a new
-* access token.
-*
-*/
-function isPageOrRefreshTokenRequest(request) {
-	if (isPageRequest(request)) return true;
-	return new URL(request.url).pathname === HENOSIA_AUTH_GET_SESSION_PATH_NAME;
-}
-const currentRequestStorage = new AsyncLocalStorage();
-let henosiaOAuthProviderInitialized = false;
-const authInstance = betterAuth({
-	baseURL: henosiaAuthConfig.baseURL.get(),
-	secret: henosiaAuthConfig.secret.get(),
-	advanced: { cookiePrefix },
-	plugins: [
-		bearer(),
-		jwt(),
-		genericOAuth({ config: [{
-			providerId: henosiaAuthConfig.provider,
-			discoveryUrl: `${henosiaAuthConfig.henosiaAuthPlatformServiceBaseUrl.get()}/.well-known/openid-configuration`,
-			clientId: henosiaAuthConfig.clientId.get(),
-			clientSecret: henosiaAuthConfig.clientSecret.get(),
-			scopes: [
-				"openid",
-				"profile",
-				"email",
-				"offline_access"
-			],
-			pkce: true,
-			mapProfileToUser: (profile) => {
-				if (!profile.name) profile.name = profile.email;
-				return profile;
-			}
-		}] }),
-		nextCookies()
-	],
-	hooks: { before: createAuthMiddleware(async (ctx) => {
-		if (henosiaOAuthProviderInitialized) return;
-		for (const provider of ctx.context.socialProviders) {
-			const { refreshAccessToken } = provider;
-			if (!refreshAccessToken || provider.id !== henosiaAuthConfig.provider) continue;
-			provider.refreshAccessToken = async (refreshToken) => {
-				const request = currentRequestStorage.getStore();
-				if (!request) throw new APIError("INTERNAL_SERVER_ERROR", { message: `Expected a current request during refreshAccessToken` });
-				if (!isPageOrRefreshTokenRequest(request)) throw new APIError("UNAUTHORIZED", {
-					statusCode: 401,
-					message: "Fetching a refresh access token is only allowed for page or refresh token requests"
-				});
-				return await refreshAccessToken(refreshToken);
-			};
-			henosiaOAuthProviderInitialized = true;
-			break;
-		}
-	}) },
-	session: { cookieCache: {
-		enabled: true,
-		version: "1",
-		maxAge: 720 * 60 * 60,
-		strategy: "jwe",
-		refreshCache: true
-	} },
-	account: {
-		storeStateStrategy: "cookie",
-		storeAccountCookie: true
-	},
-	databaseHooks: { user: { create: { before: async (data) => {
-		const stableId = data.sub;
-		if (!stableId) throw new APIError("INTERNAL_SERVER_ERROR", { message: `Expected '.sub' to be defined but got '${stableId}' for '${data.email}'` });
-		return { data: {
-			...data,
-			id: stableId
-		} };
-	} } } },
-	trustedOrigins: [henosiaAuthConfig.henosiaAuthPlatformServiceBaseUrl.get()]
-});
-/**
-* The Henosia Auth instance.
-*
-* Typed as the minimal {@link Auth} type from better-auth (which is parameterised on the default
-* {@link BetterAuthOptions}) rather than the deeply-inferred concrete type returned by {@link betterAuth}.
-* The deeply-inferred graph references non-portable internals from `better-auth` and `zod` that cannot be
-* named in published declarations (TS2883).
-*/
-const auth = authInstance;
-/**
-* Verifies the Henosia Auth JWT on the current request, or throws in case it's missing or invalid.
-* This method must be called before allowing access to any protected pages or routes,
-* and before accessing data in server side page methods or actions.
-* @param request the current request which provides auth headers
-* @return the better-auth `getAccessToken` response, the verified token `payload` (a {@link HenosiaAuthTokenClaims}),
-*         the `Set-Cookie` headers produced while obtaining/refreshing the token, and a
-*         `transferBetterAuthCookiesToNext` helper that forwards those cookies onto a Next.js request/response pair
-* @throws APIError when the current credentials are missing or invalid
-*/
-async function verifyHenosiaAuthToken(request) {
-	return await currentRequestStorage.run(request, async () => {
-		const { response: accessTokenResponse, headers: accessTokenResponseHeaders } = await authInstance.api.getAccessToken({
-			body: { providerId: henosiaAuthConfig.provider },
-			headers: request.headers,
-			returnHeaders: true
-		});
-		if (!accessTokenResponse.idToken) throw new APIError("UNAUTHORIZED", { message: "No id_token returned for openid scope" });
-		const payload = await verifyAccessToken(accessTokenResponse.idToken, {
-			jwksUrl: `${henosiaAuthConfig.henosiaAuthPlatformServiceBaseUrl.get()}/api/auth/jwks`,
-			verifyOptions: {
-				audience: henosiaAuthConfig.clientId.get(),
-				issuer: `${henosiaAuthConfig.henosiaAuthPlatformServiceBaseUrl.get()}/api/auth`
-			}
-		});
-		const { "https://henosia.com/project": projectId } = payload;
-		if (!projectId) throw new APIError("UNAUTHORIZED", { message: "token does not grant access" });
-		if (!henosiaAuthConfig.projectId) throw new APIError("INTERNAL_SERVER_ERROR", { message: "HENOSIA_AUTH_PROJECT_ID env var has not been set" });
-		if (henosiaAuthConfig.projectId.get() !== projectId) throw new APIError("UNAUTHORIZED", { message: "token has invalid projectId" });
-		const setCookieHeaders = accessTokenResponseHeaders.getSetCookie();
-		const transferBetterAuthCookiesToNext = (nextRequest, response) => {
-			for (const cookie of setCookieHeaders) parseSetCookieHeader(cookie).forEach((attributes, name) => {
-				const { value, ...betterOptions } = attributes;
-				const options = {
-					...betterOptions,
-					maxAge: betterOptions["max-age"],
-					httpOnly: betterOptions.httponly,
-					sameSite: betterOptions.samesite
-				};
-				nextRequest.cookies.set(name, value);
-				response.cookies.set(name, value, options);
-			});
-		};
-		return {
-			accessTokenResponse,
-			payload,
-			setCookieHeaders,
-			transferBetterAuthCookiesToNext
-		};
-	});
-}
-const unauthorizedExceptionCodes = new Set(["ACCOUNT_NOT_FOUND", "FAILED_TO_GET_ACCESS_TOKEN"]);
-/**
-* Determines whether the specified exception should start the sign-in flow to authenticate the user
-* @param error the error thrown by `verifyHenosiaAuthToken`
-*/
-function isUnauthorizedException(error) {
-	const apiError = error ?? {};
-	return unauthorizedExceptionCodes.has(apiError.body?.code ?? "") || apiError.status === "UNAUTHORIZED" || apiError.statusCode === 401;
-}
-//#endregion
-export { HENOSIA_AUTH_MIDDLEWARE_UNAUTHENTICATED_PATH_NAMES, HENOSIA_AUTH_MIDDLEWARE_UNAUTHENTICATED_PATH_NAME_PREFIXES, auth, cookiePrefix, henosiaAuthConfig, isPageOrRefreshTokenRequest, isPageRequest, isUnauthorizedException, verifyHenosiaAuthToken };
+import { a as isPageRequest, i as isPageOrRefreshTokenRequest, n as HENOSIA_AUTH_MIDDLEWARE_UNAUTHENTICATED_PATH_NAME_PREFIXES, o as isUnauthorizedException, r as getAuth, s as verifyHenosiaAuthToken, t as HENOSIA_AUTH_MIDDLEWARE_UNAUTHENTICATED_PATH_NAMES } from "../server-DvvkIB4j.mjs";
+export { HENOSIA_AUTH_MIDDLEWARE_UNAUTHENTICATED_PATH_NAMES, HENOSIA_AUTH_MIDDLEWARE_UNAUTHENTICATED_PATH_NAME_PREFIXES, getAuth, isPageOrRefreshTokenRequest, isPageRequest, isUnauthorizedException, verifyHenosiaAuthToken };

package/dist/index.d.mts

@@ -1,5 +1,51 @@
 
-import { c as HENOSIA_ORGANIZATION_CTX_COOKIE, l as HenosiaOrganizationContext, n as HENOSIA_AUTH_INVALID_SESSION_BODY, o as HENOSIA_AUTH_SESSION_SYNC_PATH_NAME, s as HENOSIA_AUTH_SIGN_IN_PATH_NAME, t as HENOSIA_AUTH_GET_SESSION_PATH_NAME } from "./shared-BWPBaubT.mjs";
-import { a as isPageOrRefreshTokenRequest, c as HENOSIA_AUTH_MIDDLEWARE_UNAUTHENTICATED_PATH_NAMES, d as isPageRequest, i as henosiaAuthConfig, l as HENOSIA_AUTH_MIDDLEWARE_UNAUTHENTICATED_PATH_NAME_PREFIXES, n as HenosiaAuthTokenClaims, o as isUnauthorizedException, r as auth, s as verifyHenosiaAuthToken, t as HenosiaAuthConfig, u as cookiePrefix } from "./server-DfD6Dc91.mjs";
+import { i as HenosiaOrganizationContext, n as HENOSIA_AUTH_SIGN_IN_PATH_NAME, r as HENOSIA_ORGANIZATION_CTX_COOKIE, t as HENOSIA_AUTH_GET_SESSION_PATH_NAME } from "./shared-Cddy8ptu.mjs";
+import { HENOSIA_AUTH_MIDDLEWARE_UNAUTHENTICATED_PATH_NAMES, HENOSIA_AUTH_MIDDLEWARE_UNAUTHENTICATED_PATH_NAME_PREFIXES, HenosiaAuthTokenClaims, getAuth, isPageOrRefreshTokenRequest, isPageRequest, isUnauthorizedException, verifyHenosiaAuthToken } from "./auth/server.mjs";
 import { HenosiaAuthContext, getHenosiaAuth, requireHenosiaAuth, routeWithHenosiaAuth } from "./auth/server-guards.mjs";
-export { HENOSIA_AUTH_GET_SESSION_PATH_NAME, HENOSIA_AUTH_INVALID_SESSION_BODY, HENOSIA_AUTH_MIDDLEWARE_UNAUTHENTICATED_PATH_NAMES, HENOSIA_AUTH_MIDDLEWARE_UNAUTHENTICATED_PATH_NAME_PREFIXES, HENOSIA_AUTH_SESSION_SYNC_PATH_NAME, HENOSIA_AUTH_SIGN_IN_PATH_NAME, HENOSIA_ORGANIZATION_CTX_COOKIE, type HenosiaAuthConfig, type HenosiaAuthContext, type HenosiaAuthTokenClaims, type HenosiaOrganizationContext, auth, cookiePrefix, getHenosiaAuth, henosiaAuthConfig, isPageOrRefreshTokenRequest, isPageRequest, isUnauthorizedException, requireHenosiaAuth, routeWithHenosiaAuth, verifyHenosiaAuthToken };
+
+//#region src/auth/configuration.d.ts
+/**
+ * A lazy accessor for an environment-derived string value. Reading is deferred until {@link get} is invoked,
+ * so the underlying `process.env` lookup only happens at call time rather than at module load.
+ */
+type EnvLiveGetString = {
+  get(): string;
+};
+interface HenosiaAuthConfig {
+  /** Name of the Henosia Auth OAuth2 provider */
+  provider: 'henosia';
+  /** The consuming app's own deployment or preview browser URL. Used as the better-auth base url */
+  baseURL: EnvLiveGetString;
+  /** The consuming app's own deployment or preview auth secret. Used as the better-auth secret */
+  secret: EnvLiveGetString;
+  /** OAuth client ID from HenosiaAuthClientService */
+  clientId: EnvLiveGetString;
+  /** OAuth client secret from HenosiaAuthClientService */
+  clientSecret: EnvLiveGetString;
+  /** The Henosia auth and platform service base URL, under which the OAuth client is registered */
+  henosiaAuthPlatformServiceBaseUrl: EnvLiveGetString;
+  /** The provider identifier that Henosia Auth is registered with as a OIDC-based Custom Provider in Supabase Auth */
+  henosiaAuthSupabaseProvider: EnvLiveGetString;
+  /**
+   * The project id that the JWT project claim should match in HenosiaAuthTokenClaims.
+   * Ensures that signed-in Henosia users cannot access projects that they have not been granted access to,
+   * for example that User A from Org A cannot access User B from Org B's project.
+   * */
+  projectId: EnvLiveGetString;
+}
+/**
+ * Environment-provided configuration for Henosia Auth.
+ * When the consuming app runs in the Henosia preview, the env vars are provided by the runtime environment and should not be
+ * hard-coded or present in the `.env.local` file. The Henosia Publish feature automatically sets production versions of
+ * the values on the deployed app. For self-publish flows or local development, see the `Environment settings`
+ * in the Henosia builder navbar for the relevant values. The preview values cannot be used for production deployments.
+ */
+declare const henosiaAuthConfig: HenosiaAuthConfig;
+/**
+ * Project-scoped cookie prefix used by Henosia Auth.
+ */
+declare const cookiePrefix: {
+  get: () => `henosia-auth-${string}`;
+};
+//#endregion
+export { HENOSIA_AUTH_GET_SESSION_PATH_NAME, HENOSIA_AUTH_MIDDLEWARE_UNAUTHENTICATED_PATH_NAMES, HENOSIA_AUTH_MIDDLEWARE_UNAUTHENTICATED_PATH_NAME_PREFIXES, HENOSIA_AUTH_SIGN_IN_PATH_NAME, HENOSIA_ORGANIZATION_CTX_COOKIE, type HenosiaAuthConfig, type HenosiaAuthContext, type HenosiaAuthTokenClaims, type HenosiaOrganizationContext, cookiePrefix, getAuth, getHenosiaAuth, henosiaAuthConfig, isPageOrRefreshTokenRequest, isPageRequest, isUnauthorizedException, requireHenosiaAuth, routeWithHenosiaAuth, verifyHenosiaAuthToken };

package/dist/index.mjs

@@ -1,6 +1,5 @@
 /*! Copyright (c) 2026 Henosia ApS. Licensed under the Henosia Commercial Source License v1.0. See LICENSE */
-import { HENOSIA_AUTH_GET_SESSION_PATH_NAME, HENOSIA_AUTH_INVALID_SESSION_BODY, HENOSIA_AUTH_SESSION_SYNC_PATH_NAME, HENOSIA_AUTH_SIGN_IN_PATH_NAME, HENOSIA_ORGANIZATION_CTX_COOKIE } from "./shared.mjs";
-import { i as cookiePrefix, n as HENOSIA_AUTH_MIDDLEWARE_UNAUTHENTICATED_PATH_NAME_PREFIXES, s as isPageRequest, t as HENOSIA_AUTH_MIDDLEWARE_UNAUTHENTICATED_PATH_NAMES } from "./middleware-shared-CZbIZuBw.mjs";
-import { auth, henosiaAuthConfig, isPageOrRefreshTokenRequest, isUnauthorizedException, verifyHenosiaAuthToken } from "./auth/server.mjs";
+import { HENOSIA_AUTH_GET_SESSION_PATH_NAME, HENOSIA_AUTH_SIGN_IN_PATH_NAME, HENOSIA_ORGANIZATION_CTX_COOKIE } from "./shared.mjs";
+import { a as isPageRequest, c as cookiePrefix, i as isPageOrRefreshTokenRequest, l as henosiaAuthConfig, n as HENOSIA_AUTH_MIDDLEWARE_UNAUTHENTICATED_PATH_NAME_PREFIXES, o as isUnauthorizedException, r as getAuth, s as verifyHenosiaAuthToken, t as HENOSIA_AUTH_MIDDLEWARE_UNAUTHENTICATED_PATH_NAMES } from "./server-DvvkIB4j.mjs";
 import { getHenosiaAuth, requireHenosiaAuth, routeWithHenosiaAuth } from "./auth/server-guards.mjs";
-export { HENOSIA_AUTH_GET_SESSION_PATH_NAME, HENOSIA_AUTH_INVALID_SESSION_BODY, HENOSIA_AUTH_MIDDLEWARE_UNAUTHENTICATED_PATH_NAMES, HENOSIA_AUTH_MIDDLEWARE_UNAUTHENTICATED_PATH_NAME_PREFIXES, HENOSIA_AUTH_SESSION_SYNC_PATH_NAME, HENOSIA_AUTH_SIGN_IN_PATH_NAME, HENOSIA_ORGANIZATION_CTX_COOKIE, auth, cookiePrefix, getHenosiaAuth, henosiaAuthConfig, isPageOrRefreshTokenRequest, isPageRequest, isUnauthorizedException, requireHenosiaAuth, routeWithHenosiaAuth, verifyHenosiaAuthToken };
+export { HENOSIA_AUTH_GET_SESSION_PATH_NAME, HENOSIA_AUTH_MIDDLEWARE_UNAUTHENTICATED_PATH_NAMES, HENOSIA_AUTH_MIDDLEWARE_UNAUTHENTICATED_PATH_NAME_PREFIXES, HENOSIA_AUTH_SIGN_IN_PATH_NAME, HENOSIA_ORGANIZATION_CTX_COOKIE, cookiePrefix, getAuth, getHenosiaAuth, henosiaAuthConfig, isPageOrRefreshTokenRequest, isPageRequest, isUnauthorizedException, requireHenosiaAuth, routeWithHenosiaAuth, verifyHenosiaAuthToken };

package/dist/platform/app-switcher.d.mts

@@ -1,5 +1,5 @@
 
-import { l as HenosiaOrganizationContext } from "../shared-BWPBaubT.mjs";
+import { i as HenosiaOrganizationContext } from "../shared-Cddy8ptu.mjs";
 
 //#region src/platform/app-switcher.d.ts
 /**
@@ -23,7 +23,10 @@ interface AppSwitcherAppGroup {
  */
 interface AppSwitcherSuccessResponse {
   groupedApps: AppSwitcherAppGroup[];
-  organization: HenosiaOrganizationContext;
+  organization: {
+    id: string;
+    name: string;
+  };
 }
 /**
  * Error response shape returned by `/api/henosia-platform/v1/app-switcher`.
@@ -48,8 +51,8 @@ interface UseAppSwitcherOptions {
  */
 interface UseAppSwitcherResult {
   /**
-   * The current organization context, derived from the app-switcher response or the cached
-   * {@link HENOSIA_ORGANIZATION_CTX_COOKIE} cookie. `null` until either source is available.
+   * The current organization context, derived from the {@link HENOSIA_ORGANIZATION_CTX_COOKIE} cookie set by the
+   * Henosia Auth middleware. `null` until the cookie has been read (or if no organization is in context).
    */
   organization: HenosiaOrganizationContext;
   /**
@@ -68,9 +71,9 @@ interface UseAppSwitcherResult {
 /**
  * React hook backing the Henosia app-switcher UI.
  *
- * Reads the cached organization context from the {@link HENOSIA_ORGANIZATION_CTX_COOKIE} cookie and queries the
- * Henosia Platform `app-switcher` endpoint mounted at `/api/henosia-platform/v1/app-switcher` (provided by
- * `@henosia/app-next/api/platform`). Once loaded, the verified API response is preferred over the cached cookie.
+ * Reads the current organization context from the {@link HENOSIA_ORGANIZATION_CTX_COOKIE} cookie and queries
+ * the Henosia Platform `app-switcher` endpoint mounted at `/api/henosia-platform/v1/app-switcher` (provided by
+ * `@henosia/app-next/api/platform`).
  *
  *
  * @example

package/dist/platform/app-switcher.mjs

@@ -24,9 +24,9 @@ async function fetchAppSwitcher() {
 /**
 * React hook backing the Henosia app-switcher UI.
 *
-* Reads the cached organization context from the {@link HENOSIA_ORGANIZATION_CTX_COOKIE} cookie and queries the
-* Henosia Platform `app-switcher` endpoint mounted at `/api/henosia-platform/v1/app-switcher` (provided by
-* `@henosia/app-next/api/platform`). Once loaded, the verified API response is preferred over the cached cookie.
+* Reads the current organization context from the {@link HENOSIA_ORGANIZATION_CTX_COOKIE} cookie and queries
+* the Henosia Platform `app-switcher` endpoint mounted at `/api/henosia-platform/v1/app-switcher` (provided by
+* `@henosia/app-next/api/platform`).
 *
 *
 * @example
@@ -64,7 +64,7 @@ function useAppSwitcher(options) {
 		enabled
 	});
 	return {
-		organization: data?.organization ?? organization,
+		organization,
 		groupedApps: data?.groupedApps ?? [],
 		error,
 		isLoading

package/dist/server-DvvkIB4j.mjs

@@ -0,0 +1,232 @@
+/*! Copyright (c) 2026 Henosia ApS. Licensed under the Henosia Commercial Source License v1.0. See LICENSE */
+import { HENOSIA_AUTH_GET_SESSION_PATH_NAME, HENOSIA_AUTH_SIGN_IN_PATH_NAME } from "./shared.mjs";
+import { APIError, betterAuth } from "better-auth";
+import { createAuthMiddleware } from "better-auth/api";
+import { bearer, genericOAuth, jwt } from "better-auth/plugins";
+import { nextCookies } from "better-auth/next-js";
+import { verifyAccessToken } from "better-auth/oauth2";
+import { parseSetCookieHeader } from "better-auth/cookies";
+import { AsyncLocalStorage } from "node:async_hooks";
+import { headers } from "next/headers.js";
+//#region src/auth/configuration.ts
+const requiredEnvProxy = new Proxy(process.env, { get(target, property, receiver) {
+	const value = Reflect.get(target, property, receiver);
+	if (!value || typeof value !== "string") throw new Error(`[Henosia Auth] Missing required env var: ${property.toString()}`);
+	return value;
+} });
+function getRequiredEnvValue(getter, fallback) {
+	try {
+		return { get: () => getter(requiredEnvProxy) };
+	} catch (e) {
+		if (fallback) return { get: () => fallback };
+		console.log(e.message);
+		throw e;
+	}
+}
+/**
+* Environment-provided configuration for Henosia Auth.
+* When the consuming app runs in the Henosia preview, the env vars are provided by the runtime environment and should not be
+* hard-coded or present in the `.env.local` file. The Henosia Publish feature automatically sets production versions of
+* the values on the deployed app. For self-publish flows or local development, see the `Environment settings`
+* in the Henosia builder navbar for the relevant values. The preview values cannot be used for production deployments.
+*/
+const henosiaAuthConfig = {
+	provider: "henosia",
+	baseURL: getRequiredEnvValue((env) => env.BETTER_AUTH_URL),
+	secret: getRequiredEnvValue((env) => env.BETTER_AUTH_SECRET),
+	henosiaAuthPlatformServiceBaseUrl: getRequiredEnvValue((env) => env.HENOSIA_AUTH_SERVICE_BASE_URL),
+	henosiaAuthSupabaseProvider: getRequiredEnvValue((env) => env.HENOSIA_AUTH_SUPABASE_PROVIDER, "custom:henosia-auth:platform"),
+	clientSecret: getRequiredEnvValue((env) => env.HENOSIA_AUTH_CLIENT_SECRET),
+	clientId: getRequiredEnvValue((env) => env.HENOSIA_AUTH_CLIENT_ID),
+	projectId: getRequiredEnvValue((env) => env.HENOSIA_AUTH_PROJECT_ID)
+};
+/**
+* Project-scoped cookie prefix used by Henosia Auth.
+*/
+const cookiePrefix = { get: () => `henosia-auth-${henosiaAuthConfig.projectId.get()}` };
+//#endregion
+//#region src/auth/server.ts
+/**
+* URL pathname values that should not check for auth in middleware, e.g. the sign-in page.
+* Additional pathname values can be added for public paths, but ONLY if they should not be intercepted by the
+* middleware auth pre-check and redirect.
+*/
+const HENOSIA_AUTH_MIDDLEWARE_UNAUTHENTICATED_PATH_NAMES = new Set([HENOSIA_AUTH_SIGN_IN_PATH_NAME]);
+if (HENOSIA_AUTH_MIDDLEWARE_UNAUTHENTICATED_PATH_NAMES.has("/")) throw new Error(`[Henosia Auth] Invalid path name '/'. Values must be non-root paths`);
+/**
+* URL pathname prefixes that should not be blocked by auth in middleware, e.g. the better-auth API routes used to sign in.
+* Additional pathname prefixes can be added for public paths, but ONLY if they should not be intercepted by the
+* middleware auth pre-check and redirect. Include the relevant `/` ending character to prevent unexpected partial
+* route matches.
+*/
+const HENOSIA_AUTH_MIDDLEWARE_UNAUTHENTICATED_PATH_NAME_PREFIXES = ["/api/auth/", "/.well-known/"];
+if (HENOSIA_AUTH_MIDDLEWARE_UNAUTHENTICATED_PATH_NAME_PREFIXES.find((p) => p === "/" || !p.trim() || !p.endsWith("/"))) throw new Error("[Henosia Auth] Invalid path name prefixes. Values must be non-empty sub paths ending with slash");
+/**
+* Gets whether the specified request is for a page (a top level page or iframe page)
+*/
+function isPageRequest(request) {
+	const { headers } = request;
+	const dest = headers.get("X-Henosia-Fetch-Dest") ?? headers.get("Sec-Fetch-Dest");
+	if (dest === "document" || dest === "iframe" || dest === "fencedframe") return true;
+	const isRsc = request.headers.get("RSC") === "1";
+	const isPrefetch = request.headers.get("Next-Router-Prefetch") === "1";
+	return isRsc && !isPrefetch;
+}
+/**
+* Gets whether the specified request is allowed to spend the single-use OIDC refresh token to obtain a new
+* access token.
+*
+*/
+function isPageOrRefreshTokenRequest(request) {
+	if (isPageRequest(request)) return true;
+	return new URL(request.url).pathname === HENOSIA_AUTH_GET_SESSION_PATH_NAME;
+}
+const currentRequestStorage = new AsyncLocalStorage();
+let henosiaOAuthProviderInitialized = false;
+const createAuthInstance = () => betterAuth({
+	baseURL: henosiaAuthConfig.baseURL.get(),
+	secret: henosiaAuthConfig.secret.get(),
+	advanced: { cookiePrefix: cookiePrefix.get() },
+	plugins: [
+		bearer(),
+		jwt(),
+		genericOAuth({ config: [{
+			providerId: henosiaAuthConfig.provider,
+			discoveryUrl: `${henosiaAuthConfig.henosiaAuthPlatformServiceBaseUrl.get()}/.well-known/openid-configuration`,
+			clientId: henosiaAuthConfig.clientId.get(),
+			clientSecret: henosiaAuthConfig.clientSecret.get(),
+			scopes: [
+				"openid",
+				"profile",
+				"email",
+				"offline_access"
+			],
+			pkce: true,
+			mapProfileToUser: (profile) => {
+				if (!profile.name) profile.name = profile.email;
+				return profile;
+			}
+		}] }),
+		nextCookies()
+	],
+	hooks: { before: createAuthMiddleware(async (ctx) => {
+		if (henosiaOAuthProviderInitialized) return;
+		for (const provider of ctx.context.socialProviders) {
+			const { refreshAccessToken } = provider;
+			if (!refreshAccessToken || provider.id !== henosiaAuthConfig.provider) continue;
+			provider.refreshAccessToken = async (refreshToken) => {
+				const request = currentRequestStorage.getStore();
+				if (!request) throw new APIError("INTERNAL_SERVER_ERROR", { message: `Expected a current request during refreshAccessToken` });
+				if (!isPageOrRefreshTokenRequest(request)) throw new APIError("UNAUTHORIZED", {
+					statusCode: 401,
+					message: "Fetching a refresh access token is only allowed for page or refresh token requests"
+				});
+				return await refreshAccessToken(refreshToken);
+			};
+			henosiaOAuthProviderInitialized = true;
+			break;
+		}
+	}) },
+	session: { cookieCache: {
+		enabled: true,
+		version: "1",
+		maxAge: 720 * 60 * 60,
+		strategy: "jwe",
+		refreshCache: true
+	} },
+	account: {
+		storeStateStrategy: "cookie",
+		storeAccountCookie: true
+	},
+	databaseHooks: { user: { create: { before: async (data) => {
+		const stableId = data.sub;
+		if (!stableId) throw new APIError("INTERNAL_SERVER_ERROR", { message: `Expected '.sub' to be defined but got '${stableId}' for '${data.email}'` });
+		return { data: {
+			...data,
+			id: stableId
+		} };
+	} } } },
+	trustedOrigins: [henosiaAuthConfig.henosiaAuthPlatformServiceBaseUrl.get()]
+});
+let authInstance = null;
+/**
+* Returns the singleton Henosia Auth instance, creating it on first call.
+*
+* The instance is created lazily so that importing this module does not eagerly read the required
+* environment variables (see {@link henosiaAuthConfig}). This means modules that only need the
+* configuration or shared helpers can be imported in environments where the full set of `BETTER_AUTH_*` /
+* `HENOSIA_AUTH_*` env vars is not yet populated, and only call sites that actually invoke `getAuth()`
+* will require them to be set.
+*
+* Subsequent calls return the same underlying better-auth instance.
+*
+* The return type is the minimal {@link Auth} type from better-auth (which is parameterised on the default
+* `BetterAuthOptions`) rather than the deeply-inferred concrete type returned by {@link betterAuth}.
+* The deeply-inferred graph references non-portable internals from `better-auth` and `zod` that cannot be
+* named in published declarations (TS2883).
+*/
+const getAuth = () => {
+	if (!authInstance) authInstance = createAuthInstance();
+	return authInstance;
+};
+/**
+* Verifies the Henosia Auth JWT on the current request, or throws in case it's missing or invalid.
+* This method must be called before allowing access to any protected pages or routes,
+* and before accessing data in server side page methods or actions.
+* @param request the current request which provides auth headers
+* @return the better-auth `getAccessToken` response, the verified token `payload` (a {@link HenosiaAuthTokenClaims}),
+*         the `Set-Cookie` headers produced while obtaining/refreshing the token, and a
+*         `transferBetterAuthCookiesToNext` helper that forwards those cookies onto a Next.js request/response pair
+* @throws APIError when the current credentials are missing or invalid
+*/
+async function verifyHenosiaAuthToken(request) {
+	currentRequestStorage.enterWith(request);
+	const { response: accessTokenResponse, headers: accessTokenResponseHeaders } = await getAuth().api.getAccessToken({
+		body: { providerId: henosiaAuthConfig.provider },
+		headers: await headers(),
+		returnHeaders: true
+	});
+	if (!accessTokenResponse.idToken) throw new APIError("UNAUTHORIZED", { message: "No id_token returned for openid scope" });
+	const payload = await verifyAccessToken(accessTokenResponse.idToken, {
+		jwksUrl: `${henosiaAuthConfig.henosiaAuthPlatformServiceBaseUrl.get()}/api/auth/jwks`,
+		verifyOptions: {
+			audience: henosiaAuthConfig.clientId.get(),
+			issuer: `${henosiaAuthConfig.henosiaAuthPlatformServiceBaseUrl.get()}/api/auth`
+		}
+	});
+	const { "https://henosia.com/project": projectId } = payload;
+	if (!projectId) throw new APIError("UNAUTHORIZED", { message: "token does not grant access" });
+	if (!henosiaAuthConfig.projectId) throw new APIError("INTERNAL_SERVER_ERROR", { message: "HENOSIA_AUTH_PROJECT_ID env var has not been set" });
+	if (henosiaAuthConfig.projectId.get() !== projectId) throw new APIError("UNAUTHORIZED", { message: "token has invalid projectId" });
+	const setCookieHeaders = accessTokenResponseHeaders.getSetCookie();
+	const transferBetterAuthCookiesToNext = (nextRequest, response) => {
+		for (const cookie of setCookieHeaders) parseSetCookieHeader(cookie).forEach((attributes, name) => {
+			const { value, ...betterOptions } = attributes;
+			const options = {
+				...betterOptions,
+				maxAge: betterOptions["max-age"],
+				httpOnly: betterOptions.httponly,
+				sameSite: betterOptions.samesite
+			};
+			nextRequest.cookies.set(name, value);
+			response.cookies.set(name, value, options);
+		});
+	};
+	return {
+		accessTokenResponse,
+		payload,
+		setCookieHeaders,
+		transferBetterAuthCookiesToNext
+	};
+}
+const unauthorizedExceptionCodes = new Set(["ACCOUNT_NOT_FOUND", "FAILED_TO_GET_ACCESS_TOKEN"]);
+/**
+* Determines whether the specified exception should start the sign-in flow to authenticate the user
+* @param error the error thrown by `verifyHenosiaAuthToken`
+*/
+function isUnauthorizedException(error) {
+	const apiError = error ?? {};
+	return unauthorizedExceptionCodes.has(apiError.body?.code ?? "") || apiError.status === "UNAUTHORIZED" || apiError.statusCode === 401;
+}
+//#endregion
+export { isPageRequest as a, cookiePrefix as c, isPageOrRefreshTokenRequest as i, henosiaAuthConfig as l, HENOSIA_AUTH_MIDDLEWARE_UNAUTHENTICATED_PATH_NAME_PREFIXES as n, isUnauthorizedException as o, getAuth as r, verifyHenosiaAuthToken as s, HENOSIA_AUTH_MIDDLEWARE_UNAUTHENTICATED_PATH_NAMES as t };

package/dist/shared-Cddy8ptu.d.mts

@@ -0,0 +1,19 @@
+
+//#region src/shared.d.ts
+declare const HENOSIA_AUTH_SIGN_IN_PATH_NAME = "/sign-in";
+/**
+ * The pathname for better-auth's `/get-session` endpoint, used by the React `useSession` hook.
+ *
+ * `useSession` automatically refetches this endpoint on browser tab focus (and optionally on a polling
+ * interval), which we leverage as a built-in keep-alive for the OIDC access/refresh tokens — see
+ * `isPageOrRefreshTokenRequest` and the middleware special-case for this path.
+ */
+declare const HENOSIA_AUTH_GET_SESSION_PATH_NAME = "/api/auth/get-session";
+type HenosiaOrganizationContext = {
+  id: string;
+  name: string;
+  logoUrl: string | null;
+} | null;
+declare const HENOSIA_ORGANIZATION_CTX_COOKIE = "henosia.org";
+//#endregion
+export { HenosiaOrganizationContext as i, HENOSIA_AUTH_SIGN_IN_PATH_NAME as n, HENOSIA_ORGANIZATION_CTX_COOKIE as r, HENOSIA_AUTH_GET_SESSION_PATH_NAME as t };

package/dist/shared.d.mts

@@ -1,3 +1,3 @@
 
-import { a as HENOSIA_AUTH_SESSION_SYNC_ORIGINAL_URL_HEADER, c as HENOSIA_ORGANIZATION_CTX_COOKIE, i as HENOSIA_AUTH_SESSION_SYNC_ORIGINAL_METHOD_HEADER, l as HenosiaOrganizationContext, n as HENOSIA_AUTH_INVALID_SESSION_BODY, o as HENOSIA_AUTH_SESSION_SYNC_PATH_NAME, r as HENOSIA_AUTH_SESSION_SYNC_ORIGINAL_FETCH_DEST_HEADER, s as HENOSIA_AUTH_SIGN_IN_PATH_NAME, t as HENOSIA_AUTH_GET_SESSION_PATH_NAME } from "./shared-BWPBaubT.mjs";
-export { HENOSIA_AUTH_GET_SESSION_PATH_NAME, HENOSIA_AUTH_INVALID_SESSION_BODY, HENOSIA_AUTH_SESSION_SYNC_ORIGINAL_FETCH_DEST_HEADER, HENOSIA_AUTH_SESSION_SYNC_ORIGINAL_METHOD_HEADER, HENOSIA_AUTH_SESSION_SYNC_ORIGINAL_URL_HEADER, HENOSIA_AUTH_SESSION_SYNC_PATH_NAME, HENOSIA_AUTH_SIGN_IN_PATH_NAME, HENOSIA_ORGANIZATION_CTX_COOKIE, HenosiaOrganizationContext };
+import { i as HenosiaOrganizationContext, n as HENOSIA_AUTH_SIGN_IN_PATH_NAME, r as HENOSIA_ORGANIZATION_CTX_COOKIE, t as HENOSIA_AUTH_GET_SESSION_PATH_NAME } from "./shared-Cddy8ptu.mjs";
+export { HENOSIA_AUTH_GET_SESSION_PATH_NAME, HENOSIA_AUTH_SIGN_IN_PATH_NAME, HENOSIA_ORGANIZATION_CTX_COOKIE, HenosiaOrganizationContext };

package/dist/shared.mjs

@@ -6,18 +6,9 @@ const HENOSIA_AUTH_SIGN_IN_PATH_NAME = "/sign-in";
 *
 * `useSession` automatically refetches this endpoint on browser tab focus (and optionally on a polling
 * interval), which we leverage as a built-in keep-alive for the OIDC access/refresh tokens — see
-* `isPageOrRefreshTokenRequest` and the middleware-backed session sync route.
+* `isPageOrRefreshTokenRequest` and the middleware special-case for this path.
 */
 const HENOSIA_AUTH_GET_SESSION_PATH_NAME = "/api/auth/get-session";
-/**
-* Internal route used by the Edge middleware to delegate server-only token refresh and downstream session sync
-* without importing the Better Auth server graph into the middleware bundle.
-*/
-const HENOSIA_AUTH_SESSION_SYNC_PATH_NAME = "/api/auth/henosia-session-sync";
-const HENOSIA_AUTH_SESSION_SYNC_ORIGINAL_URL_HEADER = "x-henosia-auth-original-url";
-const HENOSIA_AUTH_SESSION_SYNC_ORIGINAL_METHOD_HEADER = "x-henosia-auth-original-method";
-const HENOSIA_AUTH_SESSION_SYNC_ORIGINAL_FETCH_DEST_HEADER = "x-henosia-auth-original-fetch-dest";
 const HENOSIA_ORGANIZATION_CTX_COOKIE = "henosia.org";
-const HENOSIA_AUTH_INVALID_SESSION_BODY = { error: "Your session is invalid or expired. Please reload the page to sign in again." };
 //#endregion
-export { HENOSIA_AUTH_GET_SESSION_PATH_NAME, HENOSIA_AUTH_INVALID_SESSION_BODY, HENOSIA_AUTH_SESSION_SYNC_ORIGINAL_FETCH_DEST_HEADER, HENOSIA_AUTH_SESSION_SYNC_ORIGINAL_METHOD_HEADER, HENOSIA_AUTH_SESSION_SYNC_ORIGINAL_URL_HEADER, HENOSIA_AUTH_SESSION_SYNC_PATH_NAME, HENOSIA_AUTH_SIGN_IN_PATH_NAME, HENOSIA_ORGANIZATION_CTX_COOKIE };
+export { HENOSIA_AUTH_GET_SESSION_PATH_NAME, HENOSIA_AUTH_SIGN_IN_PATH_NAME, HENOSIA_ORGANIZATION_CTX_COOKIE };

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@henosia/app-next",
-  "version": "1.0.6",
+  "version": "1.0.8",
   "description": "Henosia integration for Next.js apps: Provides Henosia Auth and Henosia Platform features like app switcher",
   "author": "Henosia",
   "license": "SEE LICENSE IN LICENSE",