@hmp-global/payload-cas-auth 0.1.0

package/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2025 HMP Global
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

package/README.md

@@ -0,0 +1,166 @@
+# `@hmp-global/payload-cas-auth`
+
+CAS SSO authentication plugin for **Payload CMS v3** + **Next.js 16**.
+
+- Registers CAS login/callback/logout as Payload API endpoints (no per-app route files needed)
+- JWT session management (signed with your own secret)
+- Role-based access control derived from CAS attributes
+- Seamless Payload admin panel bridging — users go straight to `/admin` after CAS login
+- Configurable role → capability mapping (`cdn`, `analytics`, `admin`)
+- Dev bypass mode with injected role for local development
+
+---
+
+## Installation
+
+```bash
+npm install @hmp-global/payload-cas-auth
+# or
+pnpm add @hmp-global/payload-cas-auth
+```
+
+Peer dependencies (install if not already present): `next >= 16`, `payload >= 3`, `jose >= 5`
+
+---
+
+## Publishing a new version
+
+1. Bump the `version` in `package.json`
+2. Add an `NPM_TOKEN` secret to the GitHub repo (create one at npmjs.com → Access Tokens → Automation token)
+3. Create a **GitHub Release** — the `publish.yml` workflow builds and publishes to npm automatically
+
+---
+
+## Setup — two files
+
+### 1. `payload.config.ts`
+
+```ts
+import { buildConfig } from 'payload'
+import { casAuthPlugin } from '@hmp-global/payload-cas-auth'
+
+export default buildConfig({
+  // ...
+  plugins: [
+    casAuthPlugin({
+      casBaseUrl:    process.env.CAS_BASE_URL!,
+      sessionSecret: process.env.CAS_SESSION_SECRET!,
+      publicBaseUrl: process.env.PUBLIC_BASE_URL,     // e.g. https://app.example.com
+      enabled:       process.env.CAS_ENABLED !== 'false',
+      devRole:       (process.env.DEV_ROLE ?? 'development') as AppRole,
+    }),
+  ],
+})
+```
+
+This registers four endpoints automatically:
+| Method | Path | Purpose |
+|--------|------|---------|
+| GET | `/api/auth/cas/login` | Redirects to CAS server |
+| GET | `/api/auth/cas/callback` | Validates ticket, sets session cookie |
+| GET | `/api/auth/logout` | Clears session cookie |
+| GET | `/api/auth/admin-session` | Bridges CAS session → Payload admin cookie |
+
+### 2. `src/middleware.ts`
+
+```ts
+import { createCasMiddleware } from '@hmp-global/payload-cas-auth/middleware'
+import type { AppRole } from '@hmp-global/payload-cas-auth'
+
+export const { middleware, config } = createCasMiddleware({
+  casBaseUrl:    process.env.CAS_BASE_URL!,
+  sessionSecret: process.env.CAS_SESSION_SECRET!,
+  publicBaseUrl: process.env.PUBLIC_BASE_URL,
+  enabled:       process.env.CAS_ENABLED !== 'false',
+  devRole:       (process.env.DEV_ROLE ?? 'development') as AppRole,
+
+  // Paths that require CAS login (default: ['/dashboard', '/chat', '/admin'])
+  protectedPaths: ['/dashboard', '/chat', '/admin'],
+
+  // Paths that require the 'cdn' capability — others are redirected to /dashboard
+  cdnRestrictedPaths: ['/dashboard/cdn'],
+})
+```
+
+---
+
+## Environment variables
+
+| Variable | Required | Description |
+|----------|----------|-------------|
+| `CAS_BASE_URL` | ✅ | CAS server base URL, e.g. `https://login.example.com/cas` |
+| `CAS_SESSION_SECRET` | ✅ | Secret for signing session JWTs (32+ random chars) |
+| `PUBLIC_BASE_URL` | Recommended | Public hostname for CAS redirect URIs |
+| `CAS_ENABLED` | — | Set to `false` to bypass CAS in dev. Default: `true` |
+| `DEV_ROLE` | — | Role to inject when `CAS_ENABLED=false`. Default: `development` |
+
+---
+
+## Role configuration
+
+The plugin reads a CAS attribute to determine each user's role:
+
+```ts
+casAuthPlugin({
+  // ...
+  roleAttribute: 'department',   // CAS attribute name (default: 'role')
+  adminGroups:   ['admin', 'it-admin'],
+  devGroups:     ['engineering', 'development'],
+  marketingGroups: ['marketing', 'content', 'seo'],
+})
+```
+
+### Role → capability mapping
+
+| Role | Can see CDN | Can see Analytics | Can access Admin |
+|------|-------------|-------------------|-----------------|
+| `admin` | ✅ | ✅ | ✅ |
+| `development` | ✅ | ✅ | ✅ |
+| `marketing` | ✗ | ✅ | ✗ (no Payload account) |
+| `unknown` | ✗ | ✗ | ✗ |
+
+Users with `unknown` role are authenticated by CAS but shown a "request access" message — no data is visible.
+
+---
+
+## Using the role in your app
+
+The middleware injects the resolved role as an `x-user-role` request header:
+
+```ts
+// In a server component or API route:
+import { headers } from 'next/headers'
+import { can, ROLE_HEADER } from '@hmp-global/payload-cas-auth'
+import type { AppRole } from '@hmp-global/payload-cas-auth'
+
+const reqHeaders = await headers()
+const role = (reqHeaders.get(ROLE_HEADER) ?? 'unknown') as AppRole
+const canSeeCdn = can(role, 'cdn')
+```
+
+---
+
+## Admin panel auto-login
+
+When a CAS-authenticated user with `admin` or `development` role visits `/admin`:
+
+1. Middleware sees the `_cas_admin` marker cookie is absent → routes to `/api/auth/admin-session`
+2. The bridge finds/creates their Payload user account by email
+3. Syncs a deterministic server-side password (`HMAC(email, sessionSecret)`)
+4. Calls `payload.login()` with that password → gets a verified Payload JWT
+5. Sets `payload-token` + `_cas_admin` cookies → redirects to `/admin`
+6. User lands directly in the admin panel — no separate login prompt
+
+Existing Payload accounts are matched by email. If you already created an admin account via the Payload email/password flow, the bridge will find it and update its password to the deterministic value (the original password is replaced — Payload admin login is intentionally replaced by CAS).
+
+---
+
+## Finding your CAS attribute name
+
+After first login with `CAS_ENABLED=true`, the server logs will print:
+
+```
+[cas-auth] login user=jsmith email=jsmith@example.com role=unknown attrs={"department":"Engineering","uid":"jsmith"}
+```
+
+If `role=unknown`, look at the `attrs` keys and set `roleAttribute` to the right key (e.g. `department`). Then add the values to `devGroups`/`marketingGroups` etc.

package/dist/handlers/admin-session.d.ts

@@ -0,0 +1,18 @@
+import type { PayloadRequest } from 'payload';
+import type { CasAuthConfig } from '../types.js';
+/**
+ * Returns a Payload-compatible endpoint handler for GET /api/auth/admin-session.
+ *
+ * Exchanges a valid CAS session cookie for a Payload admin cookie by:
+ *   1. Verifying the CAS session JWT.
+ *   2. Finding or creating the Payload user by email.
+ *   3. Syncing a deterministic server-side password for that user.
+ *   4. Calling payload.login() — uses Payload's own signing path (guaranteed valid token).
+ *   5. Setting both the Payload token cookie and a `_cas_admin` marker cookie.
+ *   6. Redirecting to the original admin path.
+ *
+ * The `_cas_admin` marker tells the middleware the bridge has already run, preventing
+ * infinite redirect loops while still handling stale/expired Payload tokens.
+ */
+export declare function createAdminSessionHandler(config: CasAuthConfig): (req: PayloadRequest) => Promise<Response>;
+//# sourceMappingURL=admin-session.d.ts.map

package/dist/handlers/admin-session.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"admin-session.d.ts","sourceRoot":"","sources":["../../src/handlers/admin-session.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,SAAS,CAAA;AAE7C,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,aAAa,CAAA;AAchD;;;;;;;;;;;;;GAaG;AACH,wBAAgB,yBAAyB,CAAC,MAAM,EAAE,aAAa,IAC/B,KAAK,cAAc,KAAG,OAAO,CAAC,QAAQ,CAAC,CA2FtE"}

package/dist/handlers/admin-session.js

@@ -0,0 +1,111 @@
+import { verifySession, getCookieName } from '../session.js';
+import crypto from 'crypto';
+/**
+ * Derive a deterministic server-side password from an email address.
+ * Never exposed to users — only the server calls payload.login() with it.
+ * The password changes if `bridgeSecret` changes, invalidating all existing
+ * Payload sessions (intentional — rotate bridgeSecret to force re-auth).
+ */
+function derivePassword(email, config) {
+    const secret = config.bridgeSecret ?? config.sessionSecret;
+    return crypto.createHmac('sha256', secret).update(email.toLowerCase()).digest('hex');
+}
+/**
+ * Returns a Payload-compatible endpoint handler for GET /api/auth/admin-session.
+ *
+ * Exchanges a valid CAS session cookie for a Payload admin cookie by:
+ *   1. Verifying the CAS session JWT.
+ *   2. Finding or creating the Payload user by email.
+ *   3. Syncing a deterministic server-side password for that user.
+ *   4. Calling payload.login() — uses Payload's own signing path (guaranteed valid token).
+ *   5. Setting both the Payload token cookie and a `_cas_admin` marker cookie.
+ *   6. Redirecting to the original admin path.
+ *
+ * The `_cas_admin` marker tells the middleware the bridge has already run, preventing
+ * infinite redirect loops while still handling stale/expired Payload tokens.
+ */
+export function createAdminSessionHandler(config) {
+    return async function handler(req) {
+        const url = new URL(req.url ?? "http://localhost");
+        const base = config.publicBaseUrl || url.origin;
+        const returnTo = url.searchParams.get('returnTo') ?? '/admin';
+        const loginUrl = new URL('/api/auth/cas/login', base).toString();
+        // 1. Verify CAS session
+        const cookieName = getCookieName(config);
+        const cookies = Object.fromEntries((req.headers.get('cookie') ?? '').split(';').map((c) => {
+            const [k, ...rest] = c.trim().split('=');
+            return [k.trim(), rest.join('=')];
+        }));
+        const sessionToken = cookies[cookieName];
+        if (!sessionToken)
+            return Response.redirect(loginUrl, 302);
+        const sessionUser = await verifySession(sessionToken, config);
+        if (!sessionUser)
+            return Response.redirect(loginUrl, 302);
+        // 2. Get the Payload instance from the request (injected by Payload's endpoint system)
+        const payload = req.payload;
+        if (!payload) {
+            return new Response('Payload instance not available on request.', { status: 500 });
+        }
+        const collection = config.userCollection ?? 'users';
+        const cookiePrefix = config.payloadCookiePrefix ?? payload.config.cookiePrefix ?? 'payload';
+        const deterministicPwd = derivePassword(sessionUser.email, config);
+        // 3. Find or create Payload user
+        const existing = await payload.find({
+            collection,
+            where: { email: { equals: sessionUser.email } },
+            limit: 1,
+            depth: 0,
+        });
+        if (existing.docs.length > 0) {
+            await payload.update({
+                collection,
+                id: existing.docs[0].id,
+                data: { password: deterministicPwd },
+                overrideAccess: true,
+            });
+        }
+        else {
+            await payload.create({
+                collection,
+                data: { email: sessionUser.email, password: deterministicPwd },
+            });
+        }
+        // 4. Login via Payload's own operation to get a guaranteed-valid token
+        let loginToken;
+        try {
+            const result = await payload.login({
+                collection,
+                data: { email: sessionUser.email, password: deterministicPwd },
+            });
+            loginToken = result.token;
+        }
+        catch (err) {
+            console.error('[cas-auth] admin-session: payload.login failed:', err);
+            return new Response('Admin login failed — check server logs.', { status: 500 });
+        }
+        // 5. Build cookies and redirect
+        const secure = config.cookies?.secure ?? url.protocol === 'https:';
+        const maxAge = 7200; // 2 hours
+        const sameSite = 'Lax';
+        const payloadCookie = [
+            `${cookiePrefix}-token=${loginToken}`,
+            'Path=/', 'HttpOnly', `Max-Age=${maxAge}`, `SameSite=${sameSite}`,
+            secure ? 'Secure' : '',
+        ].filter(Boolean).join('; ');
+        const markerCookie = [
+            `_cas_admin=1`,
+            'Path=/', `Max-Age=${maxAge}`, `SameSite=${sameSite}`,
+            secure ? 'Secure' : '',
+        ].filter(Boolean).join('; ');
+        return new Response(null, {
+            status: 302,
+            headers: new Headers([
+                ['Location', new URL(returnTo, base).toString()],
+                ['Set-Cookie', payloadCookie],
+                ['Set-Cookie', markerCookie],
+            ]),
+        });
+    };
+}
+//# sourceMappingURL=admin-session.js.map

package/dist/handlers/admin-session.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"admin-session.js","sourceRoot":"","sources":["../../src/handlers/admin-session.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,aAAa,EAAE,aAAa,EAAE,MAAM,eAAe,CAAA;AAE5D,OAAO,MAAM,MAAM,QAAQ,CAAA;AAE3B;;;;;GAKG;AACH,SAAS,cAAc,CAAC,KAAa,EAAE,MAAqB;IAC1D,MAAM,MAAM,GAAG,MAAM,CAAC,YAAY,IAAI,MAAM,CAAC,aAAa,CAAA;IAC1D,OAAO,MAAM,CAAC,UAAU,CAAC,QAAQ,EAAE,MAAM,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,WAAW,EAAE,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAA;AACtF,CAAC;AAED;;;;;;;;;;;;;GAaG;AACH,MAAM,UAAU,yBAAyB,CAAC,MAAqB;IAC7D,OAAO,KAAK,UAAU,OAAO,CAAC,GAAmB;QAC/C,MAAM,GAAG,GAAQ,IAAI,GAAG,CAAC,GAAG,CAAC,GAAG,IAAI,kBAAkB,CAAC,CAAA;QACvD,MAAM,IAAI,GAAO,MAAM,CAAC,aAAa,IAAI,GAAG,CAAC,MAAM,CAAA;QACnD,MAAM,QAAQ,GAAG,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,UAAU,CAAC,IAAI,QAAQ,CAAA;QAC7D,MAAM,QAAQ,GAAG,IAAI,GAAG,CAAC,qBAAqB,EAAE,IAAI,CAAC,CAAC,QAAQ,EAAE,CAAA;QAEhE,wBAAwB;QACxB,MAAM,UAAU,GAAG,aAAa,CAAC,MAAM,CAAC,CAAA;QACxC,MAAM,OAAO,GAAM,MAAM,CAAC,WAAW,CACnC,CAAC,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC,QAAQ,CAAC,IAAI,EAAE,CAAC,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE;YACrD,MAAM,CAAC,CAAC,EAAE,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,GAAG,CAAC,CAAA;YACxC,OAAO,CAAC,CAAC,CAAC,IAAI,EAAE,EAAE,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAA;QACnC,CAAC,CAAC,CACH,CAAA;QACD,MAAM,YAAY,GAAG,OAAO,CAAC,UAAU,CAAC,CAAA;QACxC,IAAI,CAAC,YAAY;YAAE,OAAO,QAAQ,CAAC,QAAQ,CAAC,QAAQ,EAAE,GAAG,CAAC,CAAA;QAE1D,MAAM,WAAW,GAAG,MAAM,aAAa,CAAC,YAAY,EAAE,MAAM,CAAC,CAAA;QAC7D,IAAI,CAAC,WAAW;YAAE,OAAO,QAAQ,CAAC,QAAQ,CAAC,QAAQ,EAAE,GAAG,CAAC,CAAA;QAEzD,uFAAuF;QACvF,MAAM,OAAO,GAAG,GAAG,CAAC,OAAO,CAAA;QAC3B,IAAI,CAAC,OAAO,EAAE,CAAC;YACb,OAAO,IAAI,QAAQ,CAAC,4CAA4C,EAAE,EAAE,MAAM,EAAE,GAAG,EAAE,CAAC,CAAA;QACpF,CAAC;QAED,MAAM,UAAU,GAAI,MAAM,CAAC,cAAc,IAAI,OAAO,CAAA;QACpD,MAAM,YAAY,GAAG,MAAM,CAAC,mBAAmB,IAAI,OAAO,CAAC,MAAM,CAAC,YAAY,IAAI,SAAS,CAAA;QAC3F,MAAM,gBAAgB,GAAG,cAAc,CAAC,WAAW,CAAC,KAAK,EAAE,MAAM,CAAC,CAAA;QAElE,iCAAiC;QACjC,MAAM,QAAQ,GAAG,MAAM,OAAO,CAAC,IAAI,CAAC;YAClC,UAAU;YACV,KAAK,EAAE,EAAE,KAAK,EAAE,EAAE,MAAM,EAAE,WAAW,CAAC,KAAK,EAAE,EAAE;YAC/C,KAAK,EAAE,CAAC;YACR,KAAK,EAAE,CAAC;SACT,CAAC,CAAA;QAEF,IAAI,QAAQ,CAAC,IAAI,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YAC7B,MAAM,OAAO,CAAC,MAAM,CAAC;gBACnB,UAAU;gBACV,EAAE,EAAE,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,EAAE;gBACvB,IAAI,EAAE,EAAE,QAAQ,EAAE,gBAAgB,EAAE;gBACpC,cAAc,EAAE,IAAI;aACrB,CAAC,CAAA;QACJ,CAAC;aAAM,CAAC;YACN,MAAM,OAAO,CAAC,MAAM,CAAC;gBACnB,UAAU;gBACV,IAAI,EAAE,EAAE,KAAK,EAAE,WAAW,CAAC,KAAK,EAAE,QAAQ,EAAE,gBAAgB,EAAE;aAC/D,CAAC,CAAA;QACJ,CAAC;QAED,uEAAuE;QACvE,IAAI,UAAkB,CAAA;QACtB,IAAI,CAAC;YACH,MAAM,MAAM,GAAG,MAAM,OAAO,CAAC,KAAK,CAAC;gBACjC,UAAU;gBACV,IAAI,EAAE,EAAE,KAAK,EAAE,WAAW,CAAC,KAAK,EAAE,QAAQ,EAAE,gBAAgB,EAAE;aAC/D,CAAC,CAAA;YACF,UAAU,GAAG,MAAM,CAAC,KAAe,CAAA;QACrC,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,OAAO,CAAC,KAAK,CAAC,iDAAiD,EAAE,GAAG,CAAC,CAAA;YACrE,OAAO,IAAI,QAAQ,CAAC,yCAAyC,EAAE,EAAE,MAAM,EAAE,GAAG,EAAE,CAAC,CAAA;QACjF,CAAC;QAED,gCAAgC;QAChC,MAAM,MAAM,GAAK,MAAM,CAAC,OAAO,EAAE,MAAM,IAAI,GAAG,CAAC,QAAQ,KAAK,QAAQ,CAAA;QACpE,MAAM,MAAM,GAAK,IAAI,CAAA,CAAC,UAAU;QAChC,MAAM,QAAQ,GAAG,KAAK,CAAA;QAEtB,MAAM,aAAa,GAAG;YACpB,GAAG,YAAY,UAAU,UAAU,EAAE;YACrC,QAAQ,EAAE,UAAU,EAAE,WAAW,MAAM,EAAE,EAAE,YAAY,QAAQ,EAAE;YACjE,MAAM,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,EAAE;SACvB,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAA;QAE5B,MAAM,YAAY,GAAG;YACnB,cAAc;YACd,QAAQ,EAAE,WAAW,MAAM,EAAE,EAAE,YAAY,QAAQ,EAAE;YACrD,MAAM,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,EAAE;SACvB,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAA;QAE5B,OAAO,IAAI,QAAQ,CAAC,IAAI,EAAE;YACxB,MAAM,EAAE,GAAG;YACX,OAAO,EAAE,IAAI,OAAO,CAAC;gBACnB,CAAC,UAAU,EAAI,IAAI,GAAG,CAAC,QAAQ,EAAE,IAAI,CAAC,CAAC,QAAQ,EAAE,CAAC;gBAClD,CAAC,YAAY,EAAE,aAAa,CAAC;gBAC7B,CAAC,YAAY,EAAE,YAAY,CAAC;aAC7B,CAAC;SACH,CAAC,CAAA;IACJ,CAAC,CAAA;AACH,CAAC"}

package/dist/handlers/callback.d.ts

@@ -0,0 +1,9 @@
+import type { PayloadRequest } from 'payload';
+import type { CasAuthConfig } from '../types.js';
+/**
+ * Returns a Payload-compatible endpoint handler for GET /api/auth/cas/callback.
+ * Validates the CAS ticket, resolves the user's role, signs a session JWT,
+ * sets the session cookie, and redirects to /dashboard.
+ */
+export declare function createCallbackHandler(config: CasAuthConfig): (req: PayloadRequest) => Promise<Response>;
+//# sourceMappingURL=callback.d.ts.map

package/dist/handlers/callback.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"callback.d.ts","sourceRoot":"","sources":["../../src/handlers/callback.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,SAAS,CAAA;AAI7C,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,aAAa,CAAA;AAEhD;;;;GAIG;AACH,wBAAgB,qBAAqB,CAAC,MAAM,EAAE,aAAa,IAC3B,KAAK,cAAc,KAAG,OAAO,CAAC,QAAQ,CAAC,CAgEtE"}

package/dist/handlers/callback.js

@@ -0,0 +1,63 @@
+import { signSession, getCookieName, getCookieMaxAge } from '../session.js';
+import { roleFromCasAttributes } from '../roles.js';
+import { parseCasXml } from '../xml-parser.js';
+/**
+ * Returns a Payload-compatible endpoint handler for GET /api/auth/cas/callback.
+ * Validates the CAS ticket, resolves the user's role, signs a session JWT,
+ * sets the session cookie, and redirects to /dashboard.
+ */
+export function createCallbackHandler(config) {
+    return async function handler(req) {
+        const url = new URL(req.url ?? "http://localhost");
+        const base = config.publicBaseUrl || url.origin;
+        const ticket = url.searchParams.get('ticket');
+        if (!ticket) {
+            return new Response('Missing ticket parameter.', { status: 400 });
+        }
+        // Build the service URL — must exactly match what was sent to CAS in /login
+        const serviceUrl = new URL('/api/auth/cas/callback', base);
+        serviceUrl.searchParams.delete('ticket');
+        const validateUrl = `${config.casBaseUrl}/serviceValidate` +
+            `?service=${encodeURIComponent(serviceUrl.toString())}` +
+            `&ticket=${encodeURIComponent(ticket)}`;
+        let xml;
+        try {
+            const resp = await fetch(validateUrl);
+            xml = await resp.text();
+        }
+        catch (err) {
+            console.error('[cas-auth] serviceValidate fetch error:', err);
+            return new Response('Failed to reach CAS server.', { status: 502 });
+        }
+        const result = parseCasXml(xml);
+        if (!result.ok) {
+            console.error('[cas-auth] ticket validation failed:', result);
+            return new Response(`CAS error ${result.code}: ${result.message}`, { status: 401 });
+        }
+        const email = result.email ??
+            (result.user.includes('@') ? result.user : `${result.user}@${url.hostname}`);
+        const role = roleFromCasAttributes(result.attributes, config);
+        console.log(`[cas-auth] login user=${result.user} email=${email} role=${role}`);
+        const token = await signSession({ username: result.user, email, role }, config);
+        const cookieName = getCookieName(config);
+        const maxAge = getCookieMaxAge(config);
+        const secure = config.cookies?.secure ?? url.protocol === 'https:';
+        const sameSite = config.cookies?.sameSite ?? 'Lax';
+        const cookieStr = [
+            `${cookieName}=${token}`,
+            `Path=/`,
+            `HttpOnly`,
+            `Max-Age=${maxAge}`,
+            `SameSite=${sameSite}`,
+            secure ? 'Secure' : '',
+        ].filter(Boolean).join('; ');
+        return new Response(null, {
+            status: 302,
+            headers: {
+                Location: new URL('/dashboard', base).toString(),
+                'Set-Cookie': cookieStr,
+            },
+        });
+    };
+}
+//# sourceMappingURL=callback.js.map

package/dist/handlers/callback.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"callback.js","sourceRoot":"","sources":["../../src/handlers/callback.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,WAAW,EAAE,aAAa,EAAE,eAAe,EAAE,MAAM,eAAe,CAAA;AAC3E,OAAO,EAAE,qBAAqB,EAAE,MAAM,aAAa,CAAA;AACnD,OAAO,EAAE,WAAW,EAAE,MAAM,kBAAkB,CAAA;AAG9C;;;;GAIG;AACH,MAAM,UAAU,qBAAqB,CAAC,MAAqB;IACzD,OAAO,KAAK,UAAU,OAAO,CAAC,GAAmB;QAC/C,MAAM,GAAG,GAAI,IAAI,GAAG,CAAC,GAAG,CAAC,GAAG,IAAI,kBAAkB,CAAC,CAAA;QACnD,MAAM,IAAI,GAAG,MAAM,CAAC,aAAa,IAAI,GAAG,CAAC,MAAM,CAAA;QAE/C,MAAM,MAAM,GAAG,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAA;QAC7C,IAAI,CAAC,MAAM,EAAE,CAAC;YACZ,OAAO,IAAI,QAAQ,CAAC,2BAA2B,EAAE,EAAE,MAAM,EAAE,GAAG,EAAE,CAAC,CAAA;QACnE,CAAC;QAED,4EAA4E;QAC5E,MAAM,UAAU,GAAG,IAAI,GAAG,CAAC,wBAAwB,EAAE,IAAI,CAAC,CAAA;QAC1D,UAAU,CAAC,YAAY,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAA;QAExC,MAAM,WAAW,GACf,GAAG,MAAM,CAAC,UAAU,kBAAkB;YACtC,YAAY,kBAAkB,CAAC,UAAU,CAAC,QAAQ,EAAE,CAAC,EAAE;YACvD,WAAW,kBAAkB,CAAC,MAAM,CAAC,EAAE,CAAA;QAEzC,IAAI,GAAW,CAAA;QACf,IAAI,CAAC;YACH,MAAM,IAAI,GAAG,MAAM,KAAK,CAAC,WAAW,CAAC,CAAA;YACrC,GAAG,GAAG,MAAM,IAAI,CAAC,IAAI,EAAE,CAAA;QACzB,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,OAAO,CAAC,KAAK,CAAC,yCAAyC,EAAE,GAAG,CAAC,CAAA;YAC7D,OAAO,IAAI,QAAQ,CAAC,6BAA6B,EAAE,EAAE,MAAM,EAAE,GAAG,EAAE,CAAC,CAAA;QACrE,CAAC;QAED,MAAM,MAAM,GAAG,WAAW,CAAC,GAAG,CAAC,CAAA;QAC/B,IAAI,CAAC,MAAM,CAAC,EAAE,EAAE,CAAC;YACf,OAAO,CAAC,KAAK,CAAC,sCAAsC,EAAE,MAAM,CAAC,CAAA;YAC7D,OAAO,IAAI,QAAQ,CAAC,aAAa,MAAM,CAAC,IAAI,KAAK,MAAM,CAAC,OAAO,EAAE,EAAE,EAAE,MAAM,EAAE,GAAG,EAAE,CAAC,CAAA;QACrF,CAAC;QAED,MAAM,KAAK,GACT,MAAM,CAAC,KAAK;YACZ,CAAC,MAAM,CAAC,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC,GAAG,MAAM,CAAC,IAAI,IAAI,GAAG,CAAC,QAAQ,EAAE,CAAC,CAAA;QAE9E,MAAM,IAAI,GAAG,qBAAqB,CAAC,MAAM,CAAC,UAAU,EAAE,MAAM,CAAC,CAAA;QAC7D,OAAO,CAAC,GAAG,CAAC,yBAAyB,MAAM,CAAC,IAAI,UAAU,KAAK,SAAS,IAAI,EAAE,CAAC,CAAA;QAE/E,MAAM,KAAK,GAAG,MAAM,WAAW,CAAC,EAAE,QAAQ,EAAE,MAAM,CAAC,IAAI,EAAE,KAAK,EAAE,IAAI,EAAE,EAAE,MAAM,CAAC,CAAA;QAE/E,MAAM,UAAU,GAAI,aAAa,CAAC,MAAM,CAAC,CAAA;QACzC,MAAM,MAAM,GAAQ,eAAe,CAAC,MAAM,CAAC,CAAA;QAC3C,MAAM,MAAM,GAAQ,MAAM,CAAC,OAAO,EAAE,MAAM,IAAI,GAAG,CAAC,QAAQ,KAAK,QAAQ,CAAA;QACvE,MAAM,QAAQ,GAAM,MAAM,CAAC,OAAO,EAAE,QAAQ,IAAI,KAAK,CAAA;QAErD,MAAM,SAAS,GAAG;YAChB,GAAG,UAAU,IAAI,KAAK,EAAE;YACxB,QAAQ;YACR,UAAU;YACV,WAAW,MAAM,EAAE;YACnB,YAAY,QAAQ,EAAE;YACtB,MAAM,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,EAAE;SACvB,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAA;QAE5B,OAAO,IAAI,QAAQ,CAAC,IAAI,EAAE;YACxB,MAAM,EAAE,GAAG;YACX,OAAO,EAAE;gBACP,QAAQ,EAAI,IAAI,GAAG,CAAC,YAAY,EAAE,IAAI,CAAC,CAAC,QAAQ,EAAE;gBAClD,YAAY,EAAE,SAAS;aACxB;SACF,CAAC,CAAA;IACJ,CAAC,CAAA;AACH,CAAC"}

package/dist/handlers/login.d.ts

@@ -0,0 +1,4 @@
+import type { PayloadRequest } from 'payload';
+import type { CasAuthConfig } from '../types.js';
+export declare function createLoginHandler(config: CasAuthConfig): (req: PayloadRequest) => Promise<Response>;
+//# sourceMappingURL=login.d.ts.map

package/dist/handlers/login.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"login.d.ts","sourceRoot":"","sources":["../../src/handlers/login.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,SAAS,CAAA;AAC7C,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,aAAa,CAAA;AAOhD,wBAAgB,kBAAkB,CAAC,MAAM,EAAE,aAAa,IACxB,KAAK,cAAc,KAAG,OAAO,CAAC,QAAQ,CAAC,CAMtE"}

package/dist/handlers/login.js

@@ -0,0 +1,13 @@
+function buildLoginUrl(casBase, callbackUrl, template) {
+    const tpl = template ?? `${casBase}/login?service=__SERVICE__`;
+    return tpl.replace('__SERVICE__', encodeURIComponent(callbackUrl));
+}
+export function createLoginHandler(config) {
+    return async function handler(req) {
+        const url = new URL(req.url ?? "http://localhost");
+        const base = config.publicBaseUrl || url.origin;
+        const callback = new URL('/api/auth/cas/callback', base).toString();
+        return Response.redirect(buildLoginUrl(config.casBaseUrl, callback, config.loginUrlTemplate), 302);
+    };
+}
+//# sourceMappingURL=login.js.map

package/dist/handlers/login.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"login.js","sourceRoot":"","sources":["../../src/handlers/login.ts"],"names":[],"mappings":"AAGA,SAAS,aAAa,CAAC,OAAe,EAAE,WAAmB,EAAE,QAAiB;IAC5E,MAAM,GAAG,GAAG,QAAQ,IAAI,GAAG,OAAO,4BAA4B,CAAA;IAC9D,OAAO,GAAG,CAAC,OAAO,CAAC,aAAa,EAAE,kBAAkB,CAAC,WAAW,CAAC,CAAC,CAAA;AACpE,CAAC;AAED,MAAM,UAAU,kBAAkB,CAAC,MAAqB;IACtD,OAAO,KAAK,UAAU,OAAO,CAAC,GAAmB;QAC/C,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,GAAG,CAAC,GAAG,IAAI,kBAAkB,CAAC,CAAA;QAClD,MAAM,IAAI,GAAG,MAAM,CAAC,aAAa,IAAI,GAAG,CAAC,MAAM,CAAA;QAC/C,MAAM,QAAQ,GAAG,IAAI,GAAG,CAAC,wBAAwB,EAAE,IAAI,CAAC,CAAC,QAAQ,EAAE,CAAA;QACnE,OAAO,QAAQ,CAAC,QAAQ,CAAC,aAAa,CAAC,MAAM,CAAC,UAAU,EAAE,QAAQ,EAAE,MAAM,CAAC,gBAAgB,CAAC,EAAE,GAAG,CAAC,CAAA;IACpG,CAAC,CAAA;AACH,CAAC"}

package/dist/handlers/logout.d.ts

@@ -0,0 +1,8 @@
+import type { PayloadRequest } from 'payload';
+import type { CasAuthConfig } from '../types.js';
+/**
+ * Returns a Payload-compatible endpoint handler for GET /api/auth/logout.
+ * Clears the session cookie and redirects to the home page.
+ */
+export declare function createLogoutHandler(config: CasAuthConfig): (req: PayloadRequest) => Promise<Response>;
+//# sourceMappingURL=logout.d.ts.map

package/dist/handlers/logout.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"logout.d.ts","sourceRoot":"","sources":["../../src/handlers/logout.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,SAAS,CAAA;AAE7C,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,aAAa,CAAA;AAEhD;;;GAGG;AACH,wBAAgB,mBAAmB,CAAC,MAAM,EAAE,aAAa,IACzB,KAAK,cAAc,KAAG,OAAO,CAAC,QAAQ,CAAC,CAetE"}

package/dist/handlers/logout.js

@@ -0,0 +1,21 @@
+import { getCookieName } from '../session.js';
+/**
+ * Returns a Payload-compatible endpoint handler for GET /api/auth/logout.
+ * Clears the session cookie and redirects to the home page.
+ */
+export function createLogoutHandler(config) {
+    return async function handler(req) {
+        const url = new URL(req.url ?? "http://localhost");
+        const base = config.publicBaseUrl || url.origin;
+        const cookieName = getCookieName(config);
+        const clearCookie = `${cookieName}=; Path=/; HttpOnly; Max-Age=0; SameSite=Lax`;
+        return new Response(null, {
+            status: 302,
+            headers: {
+                Location: new URL('/', base).toString(),
+                'Set-Cookie': clearCookie,
+            },
+        });
+    };
+}
+//# sourceMappingURL=logout.js.map

package/dist/handlers/logout.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"logout.js","sourceRoot":"","sources":["../../src/handlers/logout.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,aAAa,EAAE,MAAM,eAAe,CAAA;AAG7C;;;GAGG;AACH,MAAM,UAAU,mBAAmB,CAAC,MAAqB;IACvD,OAAO,KAAK,UAAU,OAAO,CAAC,GAAmB;QAC/C,MAAM,GAAG,GAAI,IAAI,GAAG,CAAC,GAAG,CAAC,GAAG,IAAI,kBAAkB,CAAC,CAAA;QACnD,MAAM,IAAI,GAAG,MAAM,CAAC,aAAa,IAAI,GAAG,CAAC,MAAM,CAAA;QAE/C,MAAM,UAAU,GAAG,aAAa,CAAC,MAAM,CAAC,CAAA;QACxC,MAAM,WAAW,GAAG,GAAG,UAAU,8CAA8C,CAAA;QAE/E,OAAO,IAAI,QAAQ,CAAC,IAAI,EAAE;YACxB,MAAM,EAAE,GAAG;YACX,OAAO,EAAE;gBACP,QAAQ,EAAM,IAAI,GAAG,CAAC,GAAG,EAAE,IAAI,CAAC,CAAC,QAAQ,EAAE;gBAC3C,YAAY,EAAE,WAAW;aAC1B;SACF,CAAC,CAAA;IACJ,CAAC,CAAA;AACH,CAAC"}

package/dist/index.d.ts

@@ -0,0 +1,7 @@
+export { casAuthPlugin } from './plugin.js';
+export { createCasMiddleware } from './middleware.js';
+export { verifySession, signSession, getCookieName } from './session.js';
+export { can, getCapabilities, resolveRole, roleFromCasAttributes } from './roles.js';
+export type { CasAuthConfig, AppRole, Capability, SessionUser, CasResult } from './types.js';
+export { CAS_ADMIN_MARKER, ROLE_HEADER } from './types.js';
+//# sourceMappingURL=index.d.ts.map

package/dist/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,aAAa,EAAE,MAAqB,aAAa,CAAA;AAG1D,OAAO,EAAE,mBAAmB,EAAE,MAAe,iBAAiB,CAAA;AAG9D,OAAO,EAAE,aAAa,EAAE,WAAW,EAAE,aAAa,EAAE,MAAM,cAAc,CAAA;AACxE,OAAO,EAAE,GAAG,EAAE,eAAe,EAAE,WAAW,EAAE,qBAAqB,EAAE,MAAM,YAAY,CAAA;AAGrF,YAAY,EAAE,aAAa,EAAE,OAAO,EAAE,UAAU,EAAE,WAAW,EAAE,SAAS,EAAE,MAAM,YAAY,CAAA;AAC5F,OAAO,EAAE,gBAAgB,EAAE,WAAW,EAAE,MAAM,YAAY,CAAA"}

package/dist/index.js

@@ -0,0 +1,9 @@
+// Main plugin export
+export { casAuthPlugin } from './plugin.js';
+// Middleware factory (also available via the 'middleware' subpath export)
+export { createCasMiddleware } from './middleware.js';
+// Utilities for use in app code (API routes, server components)
+export { verifySession, signSession, getCookieName } from './session.js';
+export { can, getCapabilities, resolveRole, roleFromCasAttributes } from './roles.js';
+export { CAS_ADMIN_MARKER, ROLE_HEADER } from './types.js';
+//# sourceMappingURL=index.js.map

package/dist/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,qBAAqB;AACrB,OAAO,EAAE,aAAa,EAAE,MAAqB,aAAa,CAAA;AAE1D,0EAA0E;AAC1E,OAAO,EAAE,mBAAmB,EAAE,MAAe,iBAAiB,CAAA;AAE9D,gEAAgE;AAChE,OAAO,EAAE,aAAa,EAAE,WAAW,EAAE,aAAa,EAAE,MAAM,cAAc,CAAA;AACxE,OAAO,EAAE,GAAG,EAAE,eAAe,EAAE,WAAW,EAAE,qBAAqB,EAAE,MAAM,YAAY,CAAA;AAIrF,OAAO,EAAE,gBAAgB,EAAE,WAAW,EAAE,MAAM,YAAY,CAAA"}

package/dist/middleware.d.ts

@@ -0,0 +1,22 @@
+import type { CasAuthConfig } from './types.js';
+import type { NextRequest, NextResponse } from 'next/server';
+type MiddlewareFn = (req: NextRequest) => Promise<NextResponse> | NextResponse;
+interface MiddlewareOptions extends CasAuthConfig {
+    /**
+     * Paths that require CAS authentication. Default: `['/dashboard', '/chat', '/admin']`
+     */
+    protectedPaths?: string[];
+    /**
+     * Paths that require the `cdn` capability. Users without it are redirected to `/dashboard`.
+     * Default: `['/dashboard/cdn']`
+     */
+    cdnRestrictedPaths?: string[];
+}
+export declare function createCasMiddleware(options: MiddlewareOptions): {
+    middleware: MiddlewareFn;
+    config: {
+        matcher: string[];
+    };
+};
+export {};
+//# sourceMappingURL=middleware.d.ts.map

package/dist/middleware.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"middleware.d.ts","sourceRoot":"","sources":["../src/middleware.ts"],"names":[],"mappings":"AAwBA,OAAO,KAAK,EAAE,aAAa,EAAW,MAAO,YAAY,CAAA;AACzD,OAAO,KAAK,EAAE,WAAW,EAAE,YAAY,EAAE,MAAM,aAAa,CAAA;AAE5D,KAAK,YAAY,GAAG,CAAC,GAAG,EAAE,WAAW,KAAK,OAAO,CAAC,YAAY,CAAC,GAAG,YAAY,CAAA;AAE9E,UAAU,iBAAkB,SAAQ,aAAa;IAC/C;;OAEG;IACH,cAAc,CAAC,EAAE,MAAM,EAAE,CAAA;IAEzB;;;OAGG;IACH,kBAAkB,CAAC,EAAE,MAAM,EAAE,CAAA;CAC9B;AAED,wBAAgB,mBAAmB,CAAC,OAAO,EAAE,iBAAiB,GAAG;IAC/D,UAAU,EAAE,YAAY,CAAA;IACxB,MAAM,EAAE;QAAE,OAAO,EAAE,MAAM,EAAE,CAAA;KAAE,CAAA;CAC9B,CAkEA"}

package/dist/middleware.js

@@ -0,0 +1,80 @@
+/**
+ * Next.js Edge middleware factory for CAS authentication.
+ *
+ * @example
+ * ```ts
+ * // middleware.ts
+ * import { createCasMiddleware } from '@nexus-core/payload-cas-auth/middleware'
+ *
+ * const { middleware, config } = createCasMiddleware({
+ *   casBaseUrl:    process.env.CAS_BASE_URL!,
+ *   sessionSecret: process.env.CAS_SESSION_SECRET!,
+ *   publicBaseUrl: process.env.PUBLIC_BASE_URL,
+ *   enabled:       process.env.CAS_ENABLED !== 'false',
+ *   devRole:       (process.env.DEV_ROLE ?? 'development') as AppRole,
+ *   protectedPaths: ['/dashboard', '/chat', '/admin'],
+ *   cdnRestrictedPaths: ['/dashboard/cdn'],
+ * })
+ *
+ * export { middleware, config }
+ * ```
+ */
+import { verifySession, getCookieName } from './session.js';
+import { can } from './roles.js';
+import { CAS_ADMIN_MARKER, ROLE_HEADER } from './types.js';
+export function createCasMiddleware(options) {
+    const protectedPaths = options.protectedPaths ?? ['/dashboard', '/chat', '/admin'];
+    const cdnRestrictedPaths = options.cdnRestrictedPaths ?? ['/dashboard/cdn'];
+    const loginPath = '/api/auth/cas/login';
+    const cookieName = getCookieName(options);
+    async function middleware(req) {
+        const { NextResponse } = await import('next/server');
+        const { pathname } = req.nextUrl;
+        const isProtected = protectedPaths.some((p) => pathname === p || pathname.startsWith(p + '/'));
+        const isCdnRoute = cdnRestrictedPaths.some((r) => pathname === r || pathname.startsWith(r + '/'));
+        const isAdminRoute = pathname === '/admin' || pathname.startsWith('/admin/');
+        // ── Dev bypass ──────────────────────────────────────────────────────────
+        if (options.enabled === false) {
+            const devRole = (options.devRole ?? 'development');
+            if (isCdnRoute && !can(devRole, 'cdn')) {
+                return NextResponse.redirect(new URL('/dashboard', req.url));
+            }
+            return NextResponse.next({
+                request: { headers: new Headers({ ...Object.fromEntries(req.headers), [ROLE_HEADER]: devRole }) },
+            });
+        }
+        if (!isProtected)
+            return NextResponse.next();
+        // ── CAS session check ───────────────────────────────────────────────────
+        const token = req.cookies.get(cookieName)?.value;
+        if (!token) {
+            return NextResponse.redirect(new URL(loginPath, req.url));
+        }
+        const user = await verifySession(token, options);
+        if (!user) {
+            return NextResponse.redirect(new URL(loginPath, req.url));
+        }
+        // ── CDN capability gate ─────────────────────────────────────────────────
+        if (isCdnRoute && !can(user.role, 'cdn')) {
+            return NextResponse.redirect(new URL('/dashboard', req.url));
+        }
+        // ── Admin bridge ────────────────────────────────────────────────────────
+        // Route through admin-session if the CAS-admin marker is absent.
+        // The bridge mints a Payload token via payload.login() and sets the marker.
+        if (isAdminRoute && !req.cookies.get(CAS_ADMIN_MARKER)?.value) {
+            const bridge = new URL('/api/auth/admin-session', req.url);
+            bridge.searchParams.set('returnTo', pathname + req.nextUrl.search);
+            return NextResponse.redirect(bridge);
+        }
+        // ── Forward role header ─────────────────────────────────────────────────
+        return NextResponse.next({
+            request: { headers: new Headers({ ...Object.fromEntries(req.headers), [ROLE_HEADER]: user.role }) },
+        });
+    }
+    // Build a matcher that covers all protected paths + their sub-paths
+    const matcher = [
+        ...new Set(protectedPaths.flatMap((p) => [p, `${p}/:path*`])),
+    ];
+    return { middleware, config: { matcher } };
+}
+//# sourceMappingURL=middleware.js.map

package/dist/middleware.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"middleware.js","sourceRoot":"","sources":["../src/middleware.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;GAoBG;AACH,OAAO,EAAE,aAAa,EAAE,aAAa,EAAE,MAAM,cAAc,CAAA;AAC3D,OAAO,EAAE,GAAG,EAAE,MAA+B,YAAY,CAAA;AACzD,OAAO,EAAE,gBAAgB,EAAE,WAAW,EAAE,MAAM,YAAY,CAAA;AAmB1D,MAAM,UAAU,mBAAmB,CAAC,OAA0B;IAI5D,MAAM,cAAc,GAAM,OAAO,CAAC,cAAc,IAAO,CAAC,YAAY,EAAE,OAAO,EAAE,QAAQ,CAAC,CAAA;IACxF,MAAM,kBAAkB,GAAG,OAAO,CAAC,kBAAkB,IAAI,CAAC,gBAAgB,CAAC,CAAA;IAC3E,MAAM,SAAS,GAAY,qBAAqB,CAAA;IAChD,MAAM,UAAU,GAAW,aAAa,CAAC,OAAO,CAAC,CAAA;IAEjD,KAAK,UAAU,UAAU,CAAC,GAAgB;QACxC,MAAM,EAAE,YAAY,EAAE,GAAG,MAAM,MAAM,CAAC,aAAa,CAAC,CAAA;QACpD,MAAM,EAAE,QAAQ,EAAE,GAAO,GAAG,CAAC,OAAO,CAAA;QAEpC,MAAM,WAAW,GAAG,cAAc,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,QAAQ,KAAK,CAAC,IAAI,QAAQ,CAAC,UAAU,CAAC,CAAC,GAAG,GAAG,CAAC,CAAC,CAAA;QAC9F,MAAM,UAAU,GAAI,kBAAkB,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,QAAQ,KAAK,CAAC,IAAI,QAAQ,CAAC,UAAU,CAAC,CAAC,GAAG,GAAG,CAAC,CAAC,CAAA;QAClG,MAAM,YAAY,GAAG,QAAQ,KAAK,QAAQ,IAAI,QAAQ,CAAC,UAAU,CAAC,SAAS,CAAC,CAAA;QAE5E,2EAA2E;QAC3E,IAAI,OAAO,CAAC,OAAO,KAAK,KAAK,EAAE,CAAC;YAC9B,MAAM,OAAO,GAAG,CAAC,OAAO,CAAC,OAAO,IAAI,aAAa,CAAY,CAAA;YAC7D,IAAI,UAAU,IAAI,CAAC,GAAG,CAAC,OAAO,EAAE,KAAK,CAAC,EAAE,CAAC;gBACvC,OAAO,YAAY,CAAC,QAAQ,CAAC,IAAI,GAAG,CAAC,YAAY,EAAE,GAAG,CAAC,GAAG,CAAC,CAAC,CAAA;YAC9D,CAAC;YACD,OAAO,YAAY,CAAC,IAAI,CAAC;gBACvB,OAAO,EAAE,EAAE,OAAO,EAAE,IAAI,OAAO,CAAC,EAAE,GAAG,MAAM,CAAC,WAAW,CAAC,GAAG,CAAC,OAAO,CAAC,EAAE,CAAC,WAAW,CAAC,EAAE,OAAO,EAAE,CAAC,EAAE;aAClG,CAAC,CAAA;QACJ,CAAC;QAED,IAAI,CAAC,WAAW;YAAE,OAAO,YAAY,CAAC,IAAI,EAAE,CAAA;QAE5C,2EAA2E;QAC3E,MAAM,KAAK,GAAG,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC,UAAU,CAAC,EAAE,KAAK,CAAA;QAChD,IAAI,CAAC,KAAK,EAAE,CAAC;YACX,OAAO,YAAY,CAAC,QAAQ,CAAC,IAAI,GAAG,CAAC,SAAS,EAAE,GAAG,CAAC,GAAG,CAAC,CAAC,CAAA;QAC3D,CAAC;QAED,MAAM,IAAI,GAAG,MAAM,aAAa,CAAC,KAAK,EAAE,OAAO,CAAC,CAAA;QAChD,IAAI,CAAC,IAAI,EAAE,CAAC;YACV,OAAO,YAAY,CAAC,QAAQ,CAAC,IAAI,GAAG,CAAC,SAAS,EAAE,GAAG,CAAC,GAAG,CAAC,CAAC,CAAA;QAC3D,CAAC;QAED,2EAA2E;QAC3E,IAAI,UAAU,IAAI,CAAC,GAAG,CAAC,IAAI,CAAC,IAAI,EAAE,KAAK,CAAC,EAAE,CAAC;YACzC,OAAO,YAAY,CAAC,QAAQ,CAAC,IAAI,GAAG,CAAC,YAAY,EAAE,GAAG,CAAC,GAAG,CAAC,CAAC,CAAA;QAC9D,CAAC;QAED,2EAA2E;QAC3E,iEAAiE;QACjE,4EAA4E;QAC5E,IAAI,YAAY,IAAI,CAAC,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC,gBAAgB,CAAC,EAAE,KAAK,EAAE,CAAC;YAC9D,MAAM,MAAM,GAAG,IAAI,GAAG,CAAC,yBAAyB,EAAE,GAAG,CAAC,GAAG,CAAC,CAAA;YAC1D,MAAM,CAAC,YAAY,CAAC,GAAG,CAAC,UAAU,EAAE,QAAQ,GAAG,GAAG,CAAC,OAAO,CAAC,MAAM,CAAC,CAAA;YAClE,OAAO,YAAY,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAA;QACtC,CAAC;QAED,2EAA2E;QAC3E,OAAO,YAAY,CAAC,IAAI,CAAC;YACvB,OAAO,EAAE,EAAE,OAAO,EAAE,IAAI,OAAO,CAAC,EAAE,GAAG,MAAM,CAAC,WAAW,CAAC,GAAG,CAAC,OAAO,CAAC,EAAE,CAAC,WAAW,CAAC,EAAE,IAAI,CAAC,IAAI,EAAE,CAAC,EAAE;SACpG,CAAC,CAAA;IACJ,CAAC;IAED,oEAAoE;IACpE,MAAM,OAAO,GAAG;QACd,GAAG,IAAI,GAAG,CACR,cAAc,CAAC,OAAO,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,GAAG,CAAC,SAAS,CAAC,CAAC,CAClD;KACF,CAAA;IAED,OAAO,EAAE,UAAU,EAAE,MAAM,EAAE,EAAE,OAAO,EAAE,EAAE,CAAA;AAC5C,CAAC"}

package/dist/plugin.d.ts

@@ -0,0 +1,30 @@
+import type { Config } from 'payload';
+import type { CasAuthConfig } from './types.js';
+/**
+ * Payload CMS plugin that adds CAS SSO authentication.
+ *
+ * Registers four API endpoints on the Payload app:
+ *   GET /api/auth/cas/login          — redirects to CAS login page
+ *   GET /api/auth/cas/callback       — validates ticket, sets session cookie
+ *   GET /api/auth/logout             — clears session cookie
+ *   GET /api/auth/admin-session      — bridges CAS session → Payload admin cookie
+ *
+ * @example
+ * ```ts
+ * // payload.config.ts
+ * import { casAuthPlugin } from '@nexus-core/payload-cas-auth'
+ *
+ * export default buildConfig({
+ *   plugins: [
+ *     casAuthPlugin({
+ *       casBaseUrl:    process.env.CAS_BASE_URL!,
+ *       sessionSecret: process.env.CAS_SESSION_SECRET!,
+ *       publicBaseUrl: process.env.PUBLIC_BASE_URL,
+ *       enabled:       process.env.CAS_ENABLED !== 'false',
+ *     }),
+ *   ],
+ * })
+ * ```
+ */
+export declare function casAuthPlugin(config: CasAuthConfig): (incomingConfig: Config) => Config;
+//# sourceMappingURL=plugin.d.ts.map

package/dist/plugin.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"plugin.d.ts","sourceRoot":"","sources":["../src/plugin.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,MAAM,EAAE,MAAM,SAAS,CAAA;AAKrC,OAAO,KAAK,EAAE,aAAa,EAAE,MAAa,YAAY,CAAA;AAEtD;;;;;;;;;;;;;;;;;;;;;;;;;GAyBG;AACH,wBAAgB,aAAa,CAAC,MAAM,EAAE,aAAa,IAC1B,gBAAgB,MAAM,KAAG,MAAM,CAkCvD"}

package/dist/plugin.js

@@ -0,0 +1,65 @@
+import { createLoginHandler } from './handlers/login.js';
+import { createCallbackHandler } from './handlers/callback.js';
+import { createLogoutHandler } from './handlers/logout.js';
+import { createAdminSessionHandler } from './handlers/admin-session.js';
+/**
+ * Payload CMS plugin that adds CAS SSO authentication.
+ *
+ * Registers four API endpoints on the Payload app:
+ *   GET /api/auth/cas/login          — redirects to CAS login page
+ *   GET /api/auth/cas/callback       — validates ticket, sets session cookie
+ *   GET /api/auth/logout             — clears session cookie
+ *   GET /api/auth/admin-session      — bridges CAS session → Payload admin cookie
+ *
+ * @example
+ * ```ts
+ * // payload.config.ts
+ * import { casAuthPlugin } from '@nexus-core/payload-cas-auth'
+ *
+ * export default buildConfig({
+ *   plugins: [
+ *     casAuthPlugin({
+ *       casBaseUrl:    process.env.CAS_BASE_URL!,
+ *       sessionSecret: process.env.CAS_SESSION_SECRET!,
+ *       publicBaseUrl: process.env.PUBLIC_BASE_URL,
+ *       enabled:       process.env.CAS_ENABLED !== 'false',
+ *     }),
+ *   ],
+ * })
+ * ```
+ */
+export function casAuthPlugin(config) {
+    return function plugin(incomingConfig) {
+        const loginHandler = createLoginHandler(config);
+        const callbackHandler = createCallbackHandler(config);
+        const logoutHandler = createLogoutHandler(config);
+        const adminSessionHandler = createAdminSessionHandler(config);
+        const newEndpoints = [
+            {
+                path: '/auth/cas/login',
+                method: 'get',
+                handler: loginHandler,
+            },
+            {
+                path: '/auth/cas/callback',
+                method: 'get',
+                handler: callbackHandler,
+            },
+            {
+                path: '/auth/logout',
+                method: 'get',
+                handler: logoutHandler,
+            },
+            {
+                path: '/auth/admin-session',
+                method: 'get',
+                handler: adminSessionHandler,
+            },
+        ];
+        return {
+            ...incomingConfig,
+            endpoints: [...(incomingConfig.endpoints ?? []), ...newEndpoints],
+        };
+    };
+}
+//# sourceMappingURL=plugin.js.map

package/dist/plugin.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"plugin.js","sourceRoot":"","sources":["../src/plugin.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,kBAAkB,EAAE,MAAa,qBAAqB,CAAA;AAC/D,OAAO,EAAE,qBAAqB,EAAE,MAAU,wBAAwB,CAAA;AAClE,OAAO,EAAE,mBAAmB,EAAE,MAAY,sBAAsB,CAAA;AAChE,OAAO,EAAE,yBAAyB,EAAE,MAAM,6BAA6B,CAAA;AAGvE;;;;;;;;;;;;;;;;;;;;;;;;;GAyBG;AACH,MAAM,UAAU,aAAa,CAAC,MAAqB;IACjD,OAAO,SAAS,MAAM,CAAC,cAAsB;QAC3C,MAAM,YAAY,GAAU,kBAAkB,CAAC,MAAM,CAAC,CAAA;QACtD,MAAM,eAAe,GAAO,qBAAqB,CAAC,MAAM,CAAC,CAAA;QACzD,MAAM,aAAa,GAAS,mBAAmB,CAAC,MAAM,CAAC,CAAA;QACvD,MAAM,mBAAmB,GAAG,yBAAyB,CAAC,MAAM,CAAC,CAAA;QAE7D,MAAM,YAAY,GAAqC;YACrD;gBACE,IAAI,EAAK,iBAAiB;gBAC1B,MAAM,EAAG,KAAK;gBACd,OAAO,EAAE,YAAY;aACtB;YACD;gBACE,IAAI,EAAK,oBAAoB;gBAC7B,MAAM,EAAG,KAAK;gBACd,OAAO,EAAE,eAAe;aACzB;YACD;gBACE,IAAI,EAAK,cAAc;gBACvB,MAAM,EAAG,KAAK;gBACd,OAAO,EAAE,aAAa;aACvB;YACD;gBACE,IAAI,EAAK,qBAAqB;gBAC9B,MAAM,EAAG,KAAK;gBACd,OAAO,EAAE,mBAAmB;aAC7B;SACF,CAAA;QAED,OAAO;YACL,GAAG,cAAc;YACjB,SAAS,EAAE,CAAC,GAAG,CAAC,cAAc,CAAC,SAAS,IAAI,EAAE,CAAC,EAAE,GAAG,YAAY,CAAC;SAClE,CAAA;IACH,CAAC,CAAA;AACH,CAAC"}

package/dist/roles.d.ts

@@ -0,0 +1,11 @@
+import type { AppRole, CasAuthConfig, Capability } from './types.js';
+export declare function can(role: AppRole, capability: Capability): boolean;
+export declare function getCapabilities(role: AppRole): Capability[];
+/**
+ * Resolve an AppRole from a raw CAS attribute value.
+ * Supports multi-valued attributes separated by comma, pipe, semicolon, or space.
+ */
+export declare function resolveRole(value: string | undefined, config: CasAuthConfig): AppRole;
+/** Extract and resolve role from a CAS attributes map. */
+export declare function roleFromCasAttributes(attrs: Record<string, string>, config: CasAuthConfig): AppRole;
+//# sourceMappingURL=roles.d.ts.map

package/dist/roles.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"roles.d.ts","sourceRoot":"","sources":["../src/roles.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,OAAO,EAAE,aAAa,EAAE,UAAU,EAAE,MAAM,YAAY,CAAA;AASpE,wBAAgB,GAAG,CAAC,IAAI,EAAE,OAAO,EAAE,UAAU,EAAE,UAAU,GAAG,OAAO,CAElE;AAED,wBAAgB,eAAe,CAAC,IAAI,EAAE,OAAO,GAAG,UAAU,EAAE,CAE3D;AAED;;;GAGG;AACH,wBAAgB,WAAW,CAAC,KAAK,EAAE,MAAM,GAAG,SAAS,EAAE,MAAM,EAAE,aAAa,GAAG,OAAO,CAgBrF;AAED,0DAA0D;AAC1D,wBAAgB,qBAAqB,CAAC,KAAK,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,EAAE,MAAM,EAAE,aAAa,GAAG,OAAO,CAKnG"}

package/dist/roles.js

@@ -0,0 +1,42 @@
+const ROLE_CAPABILITIES = {
+    admin: ['cdn', 'analytics', 'admin'],
+    development: ['cdn', 'analytics', 'admin'],
+    marketing: ['analytics'],
+    unknown: [],
+};
+export function can(role, capability) {
+    return ROLE_CAPABILITIES[role]?.includes(capability) ?? false;
+}
+export function getCapabilities(role) {
+    return ROLE_CAPABILITIES[role] ?? [];
+}
+/**
+ * Resolve an AppRole from a raw CAS attribute value.
+ * Supports multi-valued attributes separated by comma, pipe, semicolon, or space.
+ */
+export function resolveRole(value, config) {
+    if (!value)
+        return 'unknown';
+    const v = value.toLowerCase().trim();
+    const vals = v.split(/[,|;\s]+/);
+    const adminGroups = (config.adminGroups ?? ['admin', 'administrator', 'administrators']).map((s) => s.toLowerCase());
+    const devGroups = (config.devGroups ?? ['development', 'dev', 'engineering', 'it', 'technology']).map((s) => s.toLowerCase());
+    const mktGroups = (config.marketingGroups ?? ['marketing', 'content', 'seo', 'analytics', 'communications']).map((s) => s.toLowerCase());
+    for (const v of vals) {
+        if (adminGroups.includes(v))
+            return 'admin';
+        if (devGroups.includes(v))
+            return 'development';
+        if (mktGroups.includes(v))
+            return 'marketing';
+    }
+    return 'unknown';
+}
+/** Extract and resolve role from a CAS attributes map. */
+export function roleFromCasAttributes(attrs, config) {
+    const attrName = (config.roleAttribute ?? 'role').toLowerCase();
+    const val = attrs[attrName]
+        ?? Object.entries(attrs).find(([k]) => k.toLowerCase() === attrName)?.[1];
+    return resolveRole(val, config);
+}
+//# sourceMappingURL=roles.js.map

package/dist/roles.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"roles.js","sourceRoot":"","sources":["../src/roles.ts"],"names":[],"mappings":"AAEA,MAAM,iBAAiB,GAAkC;IACvD,KAAK,EAAQ,CAAC,KAAK,EAAE,WAAW,EAAE,OAAO,CAAC;IAC1C,WAAW,EAAE,CAAC,KAAK,EAAE,WAAW,EAAE,OAAO,CAAC;IAC1C,SAAS,EAAI,CAAC,WAAW,CAAC;IAC1B,OAAO,EAAM,EAAE;CAChB,CAAA;AAED,MAAM,UAAU,GAAG,CAAC,IAAa,EAAE,UAAsB;IACvD,OAAO,iBAAiB,CAAC,IAAI,CAAC,EAAE,QAAQ,CAAC,UAAU,CAAC,IAAI,KAAK,CAAA;AAC/D,CAAC;AAED,MAAM,UAAU,eAAe,CAAC,IAAa;IAC3C,OAAO,iBAAiB,CAAC,IAAI,CAAC,IAAI,EAAE,CAAA;AACtC,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,WAAW,CAAC,KAAyB,EAAE,MAAqB;IAC1E,IAAI,CAAC,KAAK;QAAE,OAAO,SAAS,CAAA;IAE5B,MAAM,CAAC,GAAG,KAAK,CAAC,WAAW,EAAE,CAAC,IAAI,EAAE,CAAA;IACpC,MAAM,IAAI,GAAG,CAAC,CAAC,KAAK,CAAC,UAAU,CAAC,CAAA;IAEhC,MAAM,WAAW,GAAI,CAAC,MAAM,CAAC,WAAW,IAAK,CAAC,OAAO,EAAE,eAAe,EAAE,gBAAgB,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,WAAW,EAAE,CAAC,CAAA;IACtH,MAAM,SAAS,GAAM,CAAC,MAAM,CAAC,SAAS,IAAO,CAAC,aAAa,EAAE,KAAK,EAAE,aAAa,EAAE,IAAI,EAAE,YAAY,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,WAAW,EAAE,CAAC,CAAA;IACnI,MAAM,SAAS,GAAM,CAAC,MAAM,CAAC,eAAe,IAAI,CAAC,WAAW,EAAE,SAAS,EAAE,KAAK,EAAE,WAAW,EAAE,gBAAgB,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,WAAW,EAAE,CAAC,CAAA;IAE3I,KAAK,MAAM,CAAC,IAAI,IAAI,EAAE,CAAC;QACrB,IAAI,WAAW,CAAC,QAAQ,CAAC,CAAC,CAAC;YAAG,OAAO,OAAO,CAAA;QAC5C,IAAI,SAAS,CAAC,QAAQ,CAAC,CAAC,CAAC;YAAK,OAAO,aAAa,CAAA;QAClD,IAAI,SAAS,CAAC,QAAQ,CAAC,CAAC,CAAC;YAAK,OAAO,WAAW,CAAA;IAClD,CAAC;IACD,OAAO,SAAS,CAAA;AAClB,CAAC;AAED,0DAA0D;AAC1D,MAAM,UAAU,qBAAqB,CAAC,KAA6B,EAAE,MAAqB;IACxF,MAAM,QAAQ,GAAG,CAAC,MAAM,CAAC,aAAa,IAAI,MAAM,CAAC,CAAC,WAAW,EAAE,CAAA;IAC/D,MAAM,GAAG,GAAG,KAAK,CAAC,QAAQ,CAAC;WACtB,MAAM,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,WAAW,EAAE,KAAK,QAAQ,CAAC,EAAE,CAAC,CAAC,CAAC,CAAA;IAC3E,OAAO,WAAW,CAAC,GAAG,EAAE,MAAM,CAAC,CAAA;AACjC,CAAC"}

package/dist/session.d.ts

@@ -0,0 +1,6 @@
+import type { CasAuthConfig, SessionUser } from './types.js';
+export declare function getCookieName(config: CasAuthConfig): string;
+export declare function getCookieMaxAge(config: CasAuthConfig): number;
+export declare function signSession(user: SessionUser, config: CasAuthConfig): Promise<string>;
+export declare function verifySession(token: string, config: CasAuthConfig): Promise<SessionUser | null>;
+//# sourceMappingURL=session.d.ts.map

package/dist/session.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"session.d.ts","sourceRoot":"","sources":["../src/session.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,aAAa,EAAE,WAAW,EAAE,MAAM,YAAY,CAAA;AAS5D,wBAAgB,aAAa,CAAC,MAAM,EAAE,aAAa,GAAG,MAAM,CAE3D;AAED,wBAAgB,eAAe,CAAC,MAAM,EAAE,aAAa,GAAG,MAAM,CAE7D;AAED,wBAAsB,WAAW,CAAC,IAAI,EAAE,WAAW,EAAE,MAAM,EAAE,aAAa,GAAG,OAAO,CAAC,MAAM,CAAC,CAW3F;AAED,wBAAsB,aAAa,CAAC,KAAK,EAAE,MAAM,EAAE,MAAM,EAAE,aAAa,GAAG,OAAO,CAAC,WAAW,GAAG,IAAI,CAAC,CAWrG"}

package/dist/session.js

@@ -0,0 +1,38 @@
+import { SignJWT, jwtVerify } from 'jose';
+const DEFAULT_COOKIE_NAME = 'hms-session';
+const DEFAULT_MAX_AGE = 60 * 60 * 8; // 8 hours
+function getSecret(config) {
+    return new TextEncoder().encode(config.sessionSecret || 'dev-fallback-secret-32-chars-min');
+}
+export function getCookieName(config) {
+    return config.cookies?.name ?? DEFAULT_COOKIE_NAME;
+}
+export function getCookieMaxAge(config) {
+    return config.cookies?.maxAgeSecs ?? DEFAULT_MAX_AGE;
+}
+export async function signSession(user, config) {
+    return new SignJWT({
+        username: user.username,
+        email: user.email,
+        role: user.role,
+        sub: user.username,
+    })
+        .setProtectedHeader({ alg: 'HS256' })
+        .setIssuedAt()
+        .setExpirationTime(`${getCookieMaxAge(config)}s`)
+        .sign(getSecret(config));
+}
+export async function verifySession(token, config) {
+    try {
+        const { payload } = await jwtVerify(token, getSecret(config));
+        return {
+            username: String(payload.username ?? payload.sub ?? ''),
+            email: String(payload.email ?? ''),
+            role: payload.role ?? 'unknown',
+        };
+    }
+    catch {
+        return null;
+    }
+}
+//# sourceMappingURL=session.js.map

package/dist/session.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"session.js","sourceRoot":"","sources":["../src/session.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,OAAO,EAAE,SAAS,EAAE,MAAM,MAAM,CAAA;AAGzC,MAAM,mBAAmB,GAAG,aAAa,CAAA;AACzC,MAAM,eAAe,GAAO,EAAE,GAAG,EAAE,GAAG,CAAC,CAAA,CAAG,UAAU;AAEpD,SAAS,SAAS,CAAC,MAAqB;IACtC,OAAO,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,MAAM,CAAC,aAAa,IAAI,kCAAkC,CAAC,CAAA;AAC7F,CAAC;AAED,MAAM,UAAU,aAAa,CAAC,MAAqB;IACjD,OAAO,MAAM,CAAC,OAAO,EAAE,IAAI,IAAI,mBAAmB,CAAA;AACpD,CAAC;AAED,MAAM,UAAU,eAAe,CAAC,MAAqB;IACnD,OAAO,MAAM,CAAC,OAAO,EAAE,UAAU,IAAI,eAAe,CAAA;AACtD,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,WAAW,CAAC,IAAiB,EAAE,MAAqB;IACxE,OAAO,IAAI,OAAO,CAAC;QACjB,QAAQ,EAAE,IAAI,CAAC,QAAQ;QACvB,KAAK,EAAK,IAAI,CAAC,KAAK;QACpB,IAAI,EAAM,IAAI,CAAC,IAAI;QACnB,GAAG,EAAO,IAAI,CAAC,QAAQ;KACxB,CAAC;SACC,kBAAkB,CAAC,EAAE,GAAG,EAAE,OAAO,EAAE,CAAC;SACpC,WAAW,EAAE;SACb,iBAAiB,CAAC,GAAG,eAAe,CAAC,MAAM,CAAC,GAAG,CAAC;SAChD,IAAI,CAAC,SAAS,CAAC,MAAM,CAAC,CAAC,CAAA;AAC5B,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,aAAa,CAAC,KAAa,EAAE,MAAqB;IACtE,IAAI,CAAC;QACH,MAAM,EAAE,OAAO,EAAE,GAAG,MAAM,SAAS,CAAC,KAAK,EAAE,SAAS,CAAC,MAAM,CAAC,CAAC,CAAA;QAC7D,OAAO;YACL,QAAQ,EAAE,MAAM,CAAC,OAAO,CAAC,QAAQ,IAAI,OAAO,CAAC,GAAG,IAAI,EAAE,CAAC;YACvD,KAAK,EAAK,MAAM,CAAC,OAAO,CAAC,KAAK,IAAO,EAAE,CAAC;YACxC,IAAI,EAAO,OAAO,CAAC,IAA4B,IAAI,SAAS;SAC7D,CAAA;IACH,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAA;IACb,CAAC;AACH,CAAC"}

package/dist/types.d.ts

@@ -0,0 +1,107 @@
+/** Application roles derived from CAS attributes. */
+export type AppRole = 'admin' | 'development' | 'marketing' | 'unknown';
+/** Data capabilities gated by role. */
+export type Capability = 'cdn' | 'analytics' | 'admin';
+export interface CasAuthConfig {
+    /**
+     * CAS server base URL, e.g. `https://login.example.com/cas`
+     * Required.
+     */
+    casBaseUrl: string;
+    /**
+     * Secret used to sign session JWTs. Should be at least 32 random chars.
+     * Typically `process.env.CAS_SESSION_SECRET`.
+     */
+    sessionSecret: string;
+    /**
+     * Secret used to derive admin bridge passwords.
+     * Falls back to `sessionSecret` if not provided.
+     * Typically `process.env.CAS_SESSION_SECRET`.
+     */
+    bridgeSecret?: string;
+    /**
+     * Public-facing hostname of this app (used to build CAS redirect URIs).
+     * e.g. `https://app.example.com`. Defaults to the request origin.
+     * Typically `process.env.PUBLIC_BASE_URL`.
+     */
+    publicBaseUrl?: string;
+    /**
+     * When `false`, CAS is bypassed and `devRole` is injected instead.
+     * Defaults to `true`. Set to `false` for local dev.
+     */
+    enabled?: boolean;
+    /**
+     * Role injected when `enabled` is false. Defaults to `'development'`.
+     */
+    devRole?: AppRole;
+    /**
+     * CAS attribute name that carries the user's department/group.
+     * Default: `'role'`. Check raw CAS XML logs after first login if unknown.
+     */
+    roleAttribute?: string;
+    /**
+     * CAS group values that map to the `admin` role.
+     * Default: `['admin', 'administrator', 'administrators']`
+     */
+    adminGroups?: string[];
+    /**
+     * CAS group values that map to the `development` role.
+     * Default: `['development', 'dev', 'engineering', 'it', 'technology']`
+     */
+    devGroups?: string[];
+    /**
+     * CAS group values that map to the `marketing` role.
+     * Default: `['marketing', 'content', 'seo', 'analytics', 'communications']`
+     */
+    marketingGroups?: string[];
+    /**
+     * Custom CAS login URL template. Use `__SERVICE__` as a placeholder for
+     * the encoded callback URL. Useful when CAS is fronted by SAML:
+     * `https://login.example.com/saml/login?destination=/cas/login%3Fservice=__SERVICE__`
+     *
+     * Falls back to `{casBaseUrl}/login?service=__SERVICE__`.
+     */
+    loginUrlTemplate?: string;
+    /**
+     * Payload users collection slug. Default: `'users'`.
+     */
+    userCollection?: string;
+    /**
+     * Payload admin cookie prefix. Default: `'payload'`.
+     * Must match the `cookiePrefix` in your Payload config.
+     */
+    payloadCookiePrefix?: string;
+    /**
+     * Session cookie settings.
+     */
+    cookies?: {
+        /** Default: `'hms-session'` */
+        name?: string;
+        /** Default: `true` in production */
+        secure?: boolean;
+        /** Default: `'lax'` */
+        sameSite?: 'lax' | 'strict' | 'none';
+        /** Default: 8 hours (28800 seconds) */
+        maxAgeSecs?: number;
+    };
+}
+export interface SessionUser {
+    username: string;
+    email: string;
+    role: AppRole;
+}
+export type CasResult = {
+    ok: true;
+    user: string;
+    email?: string;
+    attributes: Record<string, string>;
+} | {
+    ok: false;
+    code: string;
+    message: string;
+};
+/** Cookie set by the admin-session bridge — tells middleware the bridge ran. */
+export declare const CAS_ADMIN_MARKER = "_cas_admin";
+/** Header injected by middleware carrying the user's resolved role. */
+export declare const ROLE_HEADER = "x-user-role";
+//# sourceMappingURL=types.d.ts.map

package/dist/types.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../src/types.ts"],"names":[],"mappings":"AAEA,qDAAqD;AACrD,MAAM,MAAM,OAAO,GAAG,OAAO,GAAG,aAAa,GAAG,WAAW,GAAG,SAAS,CAAA;AAEvE,uCAAuC;AACvC,MAAM,MAAM,UAAU,GAAG,KAAK,GAAG,WAAW,GAAG,OAAO,CAAA;AAItD,MAAM,WAAW,aAAa;IAC5B;;;OAGG;IACH,UAAU,EAAE,MAAM,CAAA;IAElB;;;OAGG;IACH,aAAa,EAAE,MAAM,CAAA;IAErB;;;;OAIG;IACH,YAAY,CAAC,EAAE,MAAM,CAAA;IAErB;;;;OAIG;IACH,aAAa,CAAC,EAAE,MAAM,CAAA;IAEtB;;;OAGG;IACH,OAAO,CAAC,EAAE,OAAO,CAAA;IAEjB;;OAEG;IACH,OAAO,CAAC,EAAE,OAAO,CAAA;IAEjB;;;OAGG;IACH,aAAa,CAAC,EAAE,MAAM,CAAA;IAEtB;;;OAGG;IACH,WAAW,CAAC,EAAE,MAAM,EAAE,CAAA;IAEtB;;;OAGG;IACH,SAAS,CAAC,EAAE,MAAM,EAAE,CAAA;IAEpB;;;OAGG;IACH,eAAe,CAAC,EAAE,MAAM,EAAE,CAAA;IAE1B;;;;;;OAMG;IACH,gBAAgB,CAAC,EAAE,MAAM,CAAA;IAEzB;;OAEG;IACH,cAAc,CAAC,EAAE,MAAM,CAAA;IAEvB;;;OAGG;IACH,mBAAmB,CAAC,EAAE,MAAM,CAAA;IAE5B;;OAEG;IACH,OAAO,CAAC,EAAE;QACR,+BAA+B;QAC/B,IAAI,CAAC,EAAE,MAAM,CAAA;QACb,oCAAoC;QACpC,MAAM,CAAC,EAAE,OAAO,CAAA;QAChB,uBAAuB;QACvB,QAAQ,CAAC,EAAE,KAAK,GAAG,QAAQ,GAAG,MAAM,CAAA;QACpC,uCAAuC;QACvC,UAAU,CAAC,EAAE,MAAM,CAAA;KACpB,CAAA;CACF;AAID,MAAM,WAAW,WAAW;IAC1B,QAAQ,EAAE,MAAM,CAAA;IAChB,KAAK,EAAE,MAAM,CAAA;IACb,IAAI,EAAE,OAAO,CAAA;CACd;AAID,MAAM,MAAM,SAAS,GACjB;IAAE,EAAE,EAAE,IAAI,CAAC;IAAC,IAAI,EAAE,MAAM,CAAC;IAAC,KAAK,CAAC,EAAE,MAAM,CAAC;IAAC,UAAU,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAA;CAAE,GAC9E;IAAE,EAAE,EAAE,KAAK,CAAC;IAAC,IAAI,EAAE,MAAM,CAAC;IAAC,OAAO,EAAE,MAAM,CAAA;CAAE,CAAA;AAIhD,gFAAgF;AAChF,eAAO,MAAM,gBAAgB,eAAe,CAAA;AAE5C,uEAAuE;AACvE,eAAO,MAAM,WAAW,gBAAgB,CAAA"}

package/dist/types.js

@@ -0,0 +1,7 @@
+// ─── Role model ───────────────────────────────────────────────────────────────
+// ─── Internal constants ───────────────────────────────────────────────────────
+/** Cookie set by the admin-session bridge — tells middleware the bridge ran. */
+export const CAS_ADMIN_MARKER = '_cas_admin';
+/** Header injected by middleware carrying the user's resolved role. */
+export const ROLE_HEADER = 'x-user-role';
+//# sourceMappingURL=types.js.map

package/dist/types.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.js","sourceRoot":"","sources":["../src/types.ts"],"names":[],"mappings":"AAAA,iFAAiF;AAyHjF,iFAAiF;AAEjF,gFAAgF;AAChF,MAAM,CAAC,MAAM,gBAAgB,GAAG,YAAY,CAAA;AAE5C,uEAAuE;AACvE,MAAM,CAAC,MAAM,WAAW,GAAG,aAAa,CAAA"}

package/dist/xml-parser.d.ts

@@ -0,0 +1,4 @@
+import type { CasResult } from './types.js';
+/** Parse a CAS 2.0/3.0 serviceValidate XML response. No external dependencies. */
+export declare function parseCasXml(xml: string): CasResult;
+//# sourceMappingURL=xml-parser.d.ts.map

package/dist/xml-parser.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"xml-parser.d.ts","sourceRoot":"","sources":["../src/xml-parser.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,YAAY,CAAA;AAE3C,kFAAkF;AAClF,wBAAgB,WAAW,CAAC,GAAG,EAAE,MAAM,GAAG,SAAS,CAiBlD"}

package/dist/xml-parser.js

@@ -0,0 +1,17 @@
+/** Parse a CAS 2.0/3.0 serviceValidate XML response. No external dependencies. */
+export function parseCasXml(xml) {
+    if (/<cas:authenticationSuccess[\s>]/.test(xml)) {
+        const user = xml.match(/<cas:user>(.*?)<\/cas:user>/s)?.[1]?.trim() ?? '';
+        const email = xml.match(/<cas:email>(.*?)<\/cas:email>/s)?.[1]?.trim();
+        const attrBlock = xml.match(/<cas:attributes>(.*?)<\/cas:attributes>/s)?.[1] ?? '';
+        const attributes = {};
+        for (const m of attrBlock.matchAll(/<cas:(\w+)>(.*?)<\/cas:\1>/gs)) {
+            attributes[m[1]] = m[2].trim();
+        }
+        return { ok: true, user, email: email ?? attributes['email'], attributes };
+    }
+    const code = xml.match(/code="([^"]+)"/)?.[1] ?? 'UNKNOWN';
+    const message = xml.match(/<cas:authenticationFailure[^>]*>(.*?)<\/cas:authenticationFailure>/s)?.[1]?.trim() ?? 'Authentication failed';
+    return { ok: false, code, message };
+}
+//# sourceMappingURL=xml-parser.js.map

package/dist/xml-parser.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"xml-parser.js","sourceRoot":"","sources":["../src/xml-parser.ts"],"names":[],"mappings":"AAEA,kFAAkF;AAClF,MAAM,UAAU,WAAW,CAAC,GAAW;IACrC,IAAI,iCAAiC,CAAC,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC;QAChD,MAAM,IAAI,GAAI,GAAG,CAAC,KAAK,CAAC,8BAA8B,CAAC,EAAE,CAAC,CAAC,CAAC,EAAE,IAAI,EAAE,IAAI,EAAE,CAAA;QAC1E,MAAM,KAAK,GAAG,GAAG,CAAC,KAAK,CAAC,gCAAgC,CAAC,EAAE,CAAC,CAAC,CAAC,EAAE,IAAI,EAAE,CAAA;QAEtE,MAAM,SAAS,GAAI,GAAG,CAAC,KAAK,CAAC,0CAA0C,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,EAAE,CAAA;QACnF,MAAM,UAAU,GAA2B,EAAE,CAAA;QAC7C,KAAK,MAAM,CAAC,IAAI,SAAS,CAAC,QAAQ,CAAC,8BAA8B,CAAC,EAAE,CAAC;YACnE,UAAU,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,EAAE,CAAA;QAChC,CAAC;QAED,OAAO,EAAE,EAAE,EAAE,IAAI,EAAE,IAAI,EAAE,KAAK,EAAE,KAAK,IAAI,UAAU,CAAC,OAAO,CAAC,EAAE,UAAU,EAAE,CAAA;IAC5E,CAAC;IAED,MAAM,IAAI,GAAM,GAAG,CAAC,KAAK,CAAC,gBAAgB,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,SAAS,CAAA;IAC7D,MAAM,OAAO,GAAG,GAAG,CAAC,KAAK,CAAC,qEAAqE,CAAC,EAAE,CAAC,CAAC,CAAC,EAAE,IAAI,EAAE,IAAI,uBAAuB,CAAA;IACxI,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,IAAI,EAAE,OAAO,EAAE,CAAA;AACrC,CAAC"}

package/package.json

@@ -0,0 +1,55 @@
+{
+  "name": "@hmp-global/payload-cas-auth",
+  "version": "0.1.0",
+  "description": "CAS SSO authentication plugin for Payload CMS v3 + Next.js 16.",
+  "type": "module",
+  "license": "MIT",
+  "files": [
+    "dist",
+    "README.md",
+    "LICENSE"
+  ],
+  "exports": {
+    ".": {
+      "import": "./dist/index.js",
+      "types":  "./dist/index.d.ts"
+    },
+    "./middleware": {
+      "import": "./dist/middleware.js",
+      "types":  "./dist/middleware.d.ts"
+    }
+  },
+  "main":  "./dist/index.js",
+  "types": "./dist/index.d.ts",
+  "scripts": {
+    "prepare":     "tsc",
+    "build":       "tsc",
+    "build:watch": "tsc --watch",
+    "type-check":  "tsc --noEmit"
+  },
+  "devDependencies": {
+    "@types/node": "^22.10.0",
+    "jose":        "^5.0.0",
+    "next":        "^16.0.0",
+    "payload":     "^3.0.0",
+    "typescript":  "^5.8.3"
+  },
+  "peerDependencies": {
+    "jose":    ">=5",
+    "next":    ">=16",
+    "payload": ">=3"
+  },
+  "peerDependenciesMeta": {
+    "next":    { "optional": false },
+    "payload": { "optional": false },
+    "jose":    { "optional": false }
+  },
+  "publishConfig": {
+    "access": "public"
+  },
+  "repository": {
+    "type": "git",
+    "url":  "https://github.com/hmpglobal/payload-cas-auth"
+  },
+  "keywords": ["payload", "cms", "cas", "sso", "authentication", "plugin", "nextjs"]
+}