@imtbl/auth-next-server 2.12.5-alpha.13

package/.eslintrc.cjs

@@ -0,0 +1,17 @@
+module.exports = {
+  extends: ['../../.eslintrc'],
+  parserOptions: {
+    project: './tsconfig.eslint.json',
+    tsconfigRootDir: __dirname,
+  },
+  rules: {
+    'import/order': 'off',
+    'import/no-unresolved': 'off',
+    'import/named': 'off',
+    'import/default': 'off',
+    'import/namespace': 'off',
+    'import/no-cycle': 'off',
+    'import/no-named-as-default': 'off',
+    'import/no-named-as-default-member': 'off',
+  },
+};

package/LICENSE.md

@@ -0,0 +1,176 @@
+                                 Apache License
+                           Version 2.0, January 2004
+                        http://www.apache.org/licenses/
+
+TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
+
+1. Definitions.
+
+   "License" shall mean the terms and conditions for use, reproduction,
+   and distribution as defined by Sections 1 through 9 of this document.
+
+   "Licensor" shall mean the copyright owner or entity authorized by
+   the copyright owner that is granting the License.
+
+   "Legal Entity" shall mean the union of the acting entity and all
+   other entities that control, are controlled by, or are under common
+   control with that entity. For the purposes of this definition,
+   "control" means (i) the power, direct or indirect, to cause the
+   direction or management of such entity, whether by contract or
+   otherwise, or (ii) ownership of fifty percent (50%) or more of the
+   outstanding shares, or (iii) beneficial ownership of such entity.
+
+   "You" (or "Your") shall mean an individual or Legal Entity
+   exercising permissions granted by this License.
+
+   "Source" form shall mean the preferred form for making modifications,
+   including but not limited to software source code, documentation
+   source, and configuration files.
+
+   "Object" form shall mean any form resulting from mechanical
+   transformation or translation of a Source form, including but
+   not limited to compiled object code, generated documentation,
+   and conversions to other media types.
+
+   "Work" shall mean the work of authorship, whether in Source or
+   Object form, made available under the License, as indicated by a
+   copyright notice that is included in or attached to the work
+   (an example is provided in the Appendix below).
+
+   "Derivative Works" shall mean any work, whether in Source or Object
+   form, that is based on (or derived from) the Work and for which the
+   editorial revisions, annotations, elaborations, or other modifications
+   represent, as a whole, an original work of authorship. For the purposes
+   of this License, Derivative Works shall not include works that remain
+   separable from, or merely link (or bind by name) to the interfaces of,
+   the Work and Derivative Works thereof.
+
+   "Contribution" shall mean any work of authorship, including
+   the original version of the Work and any modifications or additions
+   to that Work or Derivative Works thereof, that is intentionally
+   submitted to Licensor for inclusion in the Work by the copyright owner
+   or by an individual or Legal Entity authorized to submit on behalf of
+   the copyright owner. For the purposes of this definition, "submitted"
+   means any form of electronic, verbal, or written communication sent
+   to the Licensor or its representatives, including but not limited to
+   communication on electronic mailing lists, source code control systems,
+   and issue tracking systems that are managed by, or on behalf of, the
+   Licensor for the purpose of discussing and improving the Work, but
+   excluding communication that is conspicuously marked or otherwise
+   designated in writing by the copyright owner as "Not a Contribution."
+
+   "Contributor" shall mean Licensor and any individual or Legal Entity
+   on behalf of whom a Contribution has been received by Licensor and
+   subsequently incorporated within the Work.
+
+2. Grant of Copyright License. Subject to the terms and conditions of
+   this License, each Contributor hereby grants to You a perpetual,
+   worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+   copyright license to reproduce, prepare Derivative Works of,
+   publicly display, publicly perform, sublicense, and distribute the
+   Work and such Derivative Works in Source or Object form.
+
+3. Grant of Patent License. Subject to the terms and conditions of
+   this License, each Contributor hereby grants to You a perpetual,
+   worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+   (except as stated in this section) patent license to make, have made,
+   use, offer to sell, sell, import, and otherwise transfer the Work,
+   where such license applies only to those patent claims licensable
+   by such Contributor that are necessarily infringed by their
+   Contribution(s) alone or by combination of their Contribution(s)
+   with the Work to which such Contribution(s) was submitted. If You
+   institute patent litigation against any entity (including a
+   cross-claim or counterclaim in a lawsuit) alleging that the Work
+   or a Contribution incorporated within the Work constitutes direct
+   or contributory patent infringement, then any patent licenses
+   granted to You under this License for that Work shall terminate
+   as of the date such litigation is filed.
+
+4. Redistribution. You may reproduce and distribute copies of the
+   Work or Derivative Works thereof in any medium, with or without
+   modifications, and in Source or Object form, provided that You
+   meet the following conditions:
+
+   (a) You must give any other recipients of the Work or
+   Derivative Works a copy of this License; and
+
+   (b) You must cause any modified files to carry prominent notices
+   stating that You changed the files; and
+
+   (c) You must retain, in the Source form of any Derivative Works
+   that You distribute, all copyright, patent, trademark, and
+   attribution notices from the Source form of the Work,
+   excluding those notices that do not pertain to any part of
+   the Derivative Works; and
+
+   (d) If the Work includes a "NOTICE" text file as part of its
+   distribution, then any Derivative Works that You distribute must
+   include a readable copy of the attribution notices contained
+   within such NOTICE file, excluding those notices that do not
+   pertain to any part of the Derivative Works, in at least one
+   of the following places: within a NOTICE text file distributed
+   as part of the Derivative Works; within the Source form or
+   documentation, if provided along with the Derivative Works; or,
+   within a display generated by the Derivative Works, if and
+   wherever such third-party notices normally appear. The contents
+   of the NOTICE file are for informational purposes only and
+   do not modify the License. You may add Your own attribution
+   notices within Derivative Works that You distribute, alongside
+   or as an addendum to the NOTICE text from the Work, provided
+   that such additional attribution notices cannot be construed
+   as modifying the License.
+
+   You may add Your own copyright statement to Your modifications and
+   may provide additional or different license terms and conditions
+   for use, reproduction, or distribution of Your modifications, or
+   for any such Derivative Works as a whole, provided Your use,
+   reproduction, and distribution of the Work otherwise complies with
+   the conditions stated in this License.
+
+5. Submission of Contributions. Unless You explicitly state otherwise,
+   any Contribution intentionally submitted for inclusion in the Work
+   by You to the Licensor shall be under the terms and conditions of
+   this License, without any additional terms or conditions.
+   Notwithstanding the above, nothing herein shall supersede or modify
+   the terms of any separate license agreement you may have executed
+   with Licensor regarding such Contributions.
+
+6. Trademarks. This License does not grant permission to use the trade
+   names, trademarks, service marks, or product names of the Licensor,
+   except as required for reasonable and customary use in describing the
+   origin of the Work and reproducing the content of the NOTICE file.
+
+7. Disclaimer of Warranty. Unless required by applicable law or
+   agreed to in writing, Licensor provides the Work (and each
+   Contributor provides its Contributions) on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+   implied, including, without limitation, any warranties or conditions
+   of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
+   PARTICULAR PURPOSE. You are solely responsible for determining the
+   appropriateness of using or redistributing the Work and assume any
+   risks associated with Your exercise of permissions under this License.
+
+8. Limitation of Liability. In no event and under no legal theory,
+   whether in tort (including negligence), contract, or otherwise,
+   unless required by applicable law (such as deliberate and grossly
+   negligent acts) or agreed to in writing, shall any Contributor be
+   liable to You for damages, including any direct, indirect, special,
+   incidental, or consequential damages of any character arising as a
+   result of this License or out of the use or inability to use the
+   Work (including but not limited to damages for loss of goodwill,
+   work stoppage, computer failure or malfunction, or any and all
+   other commercial damages or losses), even if such Contributor
+   has been advised of the possibility of such damages.
+
+9. Accepting Warranty or Additional Liability. While redistributing
+   the Work or Derivative Works thereof, You may choose to offer,
+   and charge a fee for, acceptance of support, warranty, indemnity,
+   or other liability obligations and/or rights consistent with this
+   License. However, in accepting such obligations, You may act only
+   on Your own behalf and on Your sole responsibility, not on behalf
+   of any other Contributor, and only if You agree to indemnify,
+   defend, and hold each Contributor harmless for any liability
+   incurred by, or claims asserted against, such Contributor by reason
+   of your accepting any such warranty or additional liability.
+
+END OF TERMS AND CONDITIONS

package/dist/node/config.d.ts

@@ -0,0 +1,21 @@
+import type { NextAuthConfig } from 'next-auth';
+import type { ImmutableAuthConfig } from './types';
+/**
+ * Create Auth.js v5 configuration for Immutable authentication
+ *
+ * @example
+ * ```typescript
+ * // lib/auth.ts
+ * import NextAuth from "next-auth";
+ * import { createAuthConfig } from "@imtbl/auth-next-server";
+ *
+ * const config = {
+ *   clientId: process.env.NEXT_PUBLIC_IMMUTABLE_CLIENT_ID!,
+ *   redirectUri: `${process.env.NEXT_PUBLIC_BASE_URL}/callback`,
+ * };
+ *
+ * export const { handlers, auth, signIn, signOut } = NextAuth(createAuthConfig(config));
+ * ```
+ */
+export declare function createAuthConfig(config: ImmutableAuthConfig): NextAuthConfig;
+export declare const createAuthOptions: typeof createAuthConfig;

package/dist/node/constants.d.ts

@@ -0,0 +1,42 @@
+/**
+ * Shared constants for @imtbl/auth-next-server
+ */
+/**
+ * Default Immutable authentication domain
+ */
+export declare const DEFAULT_AUTH_DOMAIN = "https://auth.immutable.com";
+/**
+ * Default OAuth audience
+ */
+export declare const DEFAULT_AUDIENCE = "platform_api";
+/**
+ * Default OAuth scopes
+ */
+export declare const DEFAULT_SCOPE = "openid profile email offline_access transact";
+/**
+ * NextAuth credentials provider ID for Immutable
+ */
+export declare const IMMUTABLE_PROVIDER_ID = "immutable";
+/**
+ * Default NextAuth API base path
+ */
+export declare const DEFAULT_NEXTAUTH_BASE_PATH = "/api/auth";
+/**
+ * Default token expiry in seconds (15 minutes)
+ * Used as fallback when exp claim cannot be extracted from JWT
+ */
+export declare const DEFAULT_TOKEN_EXPIRY_SECONDS = 900;
+/**
+ * Default token expiry in milliseconds
+ */
+export declare const DEFAULT_TOKEN_EXPIRY_MS: number;
+/**
+ * Buffer time in seconds before token expiry to trigger refresh
+ * Tokens will be refreshed when they expire within this window
+ */
+export declare const TOKEN_EXPIRY_BUFFER_SECONDS = 60;
+/**
+ * Default session max age in seconds (365 days)
+ * This is how long the NextAuth session cookie will be valid
+ */
+export declare const DEFAULT_SESSION_MAX_AGE_SECONDS: number;

package/dist/node/index.cjs

@@ -0,0 +1,436 @@
+"use strict";
+var __create = Object.create;
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __getProtoOf = Object.getPrototypeOf;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toESM = (mod, isNodeMode, target) => (target = mod != null ? __create(__getProtoOf(mod)) : {}, __copyProps(
+  // If the importer is in node compatibility mode or this is not an ESM
+  // file that has been converted to a CommonJS file using a Babel-
+  // compatible transform (i.e. "__esModule" has not been set), then set
+  // "default" to the CommonJS "module.exports" for node compatibility.
+  isNodeMode || !mod || !mod.__esModule ? __defProp(target, "default", { value: mod, enumerable: true }) : target,
+  mod
+));
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+
+// src/index.ts
+var src_exports = {};
+__export(src_exports, {
+  createAuthConfig: () => createAuthConfig,
+  createAuthMiddleware: () => createAuthMiddleware,
+  createAuthOptions: () => createAuthOptions,
+  createImmutableAuth: () => createImmutableAuth,
+  createProtectedAuthProps: () => createProtectedAuthProps,
+  createProtectedDataFetcher: () => createProtectedDataFetcher,
+  createProtectedFetchers: () => createProtectedFetchers,
+  getAuthProps: () => getAuthProps,
+  getAuthenticatedData: () => getAuthenticatedData,
+  getValidSession: () => getValidSession,
+  withAuth: () => withAuth,
+  withServerAuth: () => withServerAuth
+});
+module.exports = __toCommonJS(src_exports);
+var import_next_auth = __toESM(require("next-auth"), 1);
+var import_server = require("next/server");
+
+// src/config.ts
+var import_credentials = __toESM(require("next-auth/providers/credentials"), 1);
+
+// src/constants.ts
+var DEFAULT_AUTH_DOMAIN = "https://auth.immutable.com";
+var IMMUTABLE_PROVIDER_ID = "immutable";
+var DEFAULT_TOKEN_EXPIRY_SECONDS = 900;
+var DEFAULT_TOKEN_EXPIRY_MS = DEFAULT_TOKEN_EXPIRY_SECONDS * 1e3;
+var TOKEN_EXPIRY_BUFFER_SECONDS = 60;
+var DEFAULT_SESSION_MAX_AGE_SECONDS = 365 * 24 * 60 * 60;
+
+// src/refresh.ts
+function isTokenExpired(accessTokenExpires, bufferSeconds = TOKEN_EXPIRY_BUFFER_SECONDS) {
+  if (typeof accessTokenExpires !== "number" || Number.isNaN(accessTokenExpires)) {
+    return true;
+  }
+  return Date.now() >= accessTokenExpires - bufferSeconds * 1e3;
+}
+
+// src/config.ts
+var Credentials = import_credentials.default.default || import_credentials.default;
+async function validateTokens(accessToken, authDomain) {
+  try {
+    const response = await fetch(`${authDomain}/userinfo`, {
+      method: "GET",
+      headers: {
+        Authorization: `Bearer ${accessToken}`
+      }
+    });
+    if (!response.ok) {
+      console.error("[auth-next-server] Token validation failed:", response.status, response.statusText);
+      return null;
+    }
+    return await response.json();
+  } catch (error) {
+    console.error("[auth-next-server] Token validation error:", error);
+    return null;
+  }
+}
+function createAuthConfig(config) {
+  const authDomain = config.authenticationDomain || DEFAULT_AUTH_DOMAIN;
+  return {
+    providers: [
+      Credentials({
+        id: IMMUTABLE_PROVIDER_ID,
+        name: "Immutable",
+        credentials: {
+          tokens: { label: "Tokens", type: "text" }
+        },
+        async authorize(credentials) {
+          if (!credentials?.tokens || typeof credentials.tokens !== "string") {
+            return null;
+          }
+          let tokenData;
+          try {
+            tokenData = JSON.parse(credentials.tokens);
+          } catch (error) {
+            console.error("[auth-next-server] Failed to parse token data:", error);
+            return null;
+          }
+          if (!tokenData.accessToken || typeof tokenData.accessToken !== "string" || !tokenData.profile || typeof tokenData.profile !== "object" || !tokenData.profile.sub || typeof tokenData.profile.sub !== "string" || typeof tokenData.accessTokenExpires !== "number" || Number.isNaN(tokenData.accessTokenExpires)) {
+            console.error("[auth-next-server] Invalid token data structure - missing required fields");
+            return null;
+          }
+          const userInfo = await validateTokens(tokenData.accessToken, authDomain);
+          if (!userInfo) {
+            console.error("[auth-next-server] Token validation failed - rejecting authentication");
+            return null;
+          }
+          if (userInfo.sub !== tokenData.profile.sub) {
+            console.error(
+              "[auth-next-server] User ID mismatch - userinfo sub:",
+              userInfo.sub,
+              "provided sub:",
+              tokenData.profile.sub
+            );
+            return null;
+          }
+          return {
+            id: userInfo.sub,
+            sub: userInfo.sub,
+            email: userInfo.email ?? tokenData.profile.email,
+            nickname: userInfo.nickname ?? tokenData.profile.nickname,
+            accessToken: tokenData.accessToken,
+            refreshToken: tokenData.refreshToken,
+            idToken: tokenData.idToken,
+            accessTokenExpires: tokenData.accessTokenExpires,
+            zkEvm: tokenData.zkEvm
+          };
+        }
+      })
+    ],
+    callbacks: {
+      // eslint-disable-next-line @typescript-eslint/no-explicit-any
+      async jwt({
+        token,
+        user,
+        trigger,
+        session: sessionUpdate
+      }) {
+        if (user) {
+          return {
+            ...token,
+            sub: user.sub,
+            email: user.email,
+            nickname: user.nickname,
+            accessToken: user.accessToken,
+            refreshToken: user.refreshToken,
+            idToken: user.idToken,
+            accessTokenExpires: user.accessTokenExpires,
+            zkEvm: user.zkEvm
+          };
+        }
+        if (trigger === "update" && sessionUpdate) {
+          const update = sessionUpdate;
+          return {
+            ...token,
+            ...update.accessToken ? { accessToken: update.accessToken } : {},
+            ...update.refreshToken ? { refreshToken: update.refreshToken } : {},
+            ...update.idToken ? { idToken: update.idToken } : {},
+            ...update.accessTokenExpires ? { accessTokenExpires: update.accessTokenExpires } : {},
+            ...update.zkEvm ? { zkEvm: update.zkEvm } : {},
+            // Clear any stale error when valid tokens are synced from client-side
+            error: void 0
+          };
+        }
+        if (!isTokenExpired(token.accessTokenExpires)) {
+          return token;
+        }
+        return {
+          ...token,
+          error: "TokenExpired"
+        };
+      },
+      // eslint-disable-next-line @typescript-eslint/no-explicit-any
+      async session({ session, token }) {
+        return {
+          ...session,
+          user: {
+            ...session.user,
+            sub: token.sub,
+            email: token.email,
+            nickname: token.nickname
+          },
+          accessToken: token.accessToken,
+          refreshToken: token.refreshToken,
+          idToken: token.idToken,
+          accessTokenExpires: token.accessTokenExpires,
+          zkEvm: token.zkEvm,
+          ...token.error && { error: token.error }
+        };
+      }
+    },
+    session: {
+      strategy: "jwt",
+      // Session max age in seconds (365 days default)
+      maxAge: DEFAULT_SESSION_MAX_AGE_SECONDS
+    }
+  };
+}
+var createAuthOptions = createAuthConfig;
+
+// src/utils/pathMatch.ts
+function matchPathPrefix(pathname, pattern) {
+  if (pathname === pattern) return true;
+  const prefix = pattern.endsWith("/") ? pattern : `${pattern}/`;
+  return pathname.startsWith(prefix);
+}
+
+// src/index.ts
+var NextAuth = import_next_auth.default.default || import_next_auth.default;
+function createImmutableAuth(config, overrides) {
+  const baseConfig = createAuthConfig(config);
+  if (!overrides) {
+    return NextAuth(baseConfig);
+  }
+  const { callbacks: overrideCallbacks, ...otherOverrides } = overrides;
+  const composedCallbacks = { ...baseConfig.callbacks };
+  if (overrideCallbacks) {
+    if (overrideCallbacks.jwt) {
+      const baseJwt = baseConfig.callbacks?.jwt;
+      const userJwt = overrideCallbacks.jwt;
+      composedCallbacks.jwt = async (params) => {
+        const result = baseJwt ? await baseJwt(params) : params.token;
+        return userJwt({ ...params, token: result });
+      };
+    }
+    if (overrideCallbacks.session) {
+      const baseSession = baseConfig.callbacks?.session;
+      const userSession = overrideCallbacks.session;
+      composedCallbacks.session = async (params) => {
+        const result = baseSession ? await baseSession(params) : params.session;
+        return userSession({ ...params, session: result });
+      };
+    }
+    if (overrideCallbacks.signIn) {
+      composedCallbacks.signIn = overrideCallbacks.signIn;
+    }
+    if (overrideCallbacks.redirect) {
+      composedCallbacks.redirect = overrideCallbacks.redirect;
+    }
+    if (overrideCallbacks.authorized) {
+      composedCallbacks.authorized = overrideCallbacks.authorized;
+    }
+  }
+  const mergedConfig = {
+    ...baseConfig,
+    ...otherOverrides,
+    callbacks: composedCallbacks
+  };
+  return NextAuth(mergedConfig);
+}
+async function getAuthProps(auth) {
+  const session = await auth();
+  if (!session) {
+    return { session: null, ssr: false };
+  }
+  if (session.error === "TokenExpired") {
+    return { session: null, ssr: false };
+  }
+  if (session.error) {
+    return { session: null, ssr: false, authError: session.error };
+  }
+  return { session, ssr: true };
+}
+async function getAuthenticatedData(auth, fetcher) {
+  const session = await auth();
+  if (!session) {
+    return { session: null, ssr: false, data: null };
+  }
+  if (session.error === "TokenExpired") {
+    return { session: null, ssr: false, data: null };
+  }
+  if (session.error) {
+    return {
+      session: null,
+      ssr: false,
+      data: null,
+      authError: session.error
+    };
+  }
+  try {
+    const data = await fetcher(session.accessToken);
+    return { session, ssr: true, data };
+  } catch (err) {
+    const errorMessage = err instanceof Error ? err.message : String(err);
+    return {
+      session,
+      ssr: true,
+      data: null,
+      fetchError: errorMessage
+    };
+  }
+}
+async function getValidSession(auth) {
+  const session = await auth();
+  if (!session) {
+    return { status: "unauthenticated", session: null };
+  }
+  if (!session.error) {
+    return { status: "authenticated", session };
+  }
+  if (session.error === "TokenExpired") {
+    return { status: "token_expired", session };
+  }
+  return { status: "error", session, error: session.error };
+}
+function createProtectedDataFetcher(auth, onAuthError) {
+  return async function getProtectedData(fetcher) {
+    const result = await getAuthenticatedData(auth, fetcher);
+    if (result.authError) {
+      onAuthError(result.authError);
+    }
+    const { authError: handledAuthError, ...props } = result;
+    return props;
+  };
+}
+function createProtectedAuthProps(auth, onAuthError) {
+  return async function getProtectedAuth() {
+    const result = await getAuthProps(auth);
+    if (result.authError) {
+      onAuthError(result.authError);
+    }
+    const { authError: handledAuthError, ...props } = result;
+    return props;
+  };
+}
+function createProtectedFetchers(auth, onAuthError) {
+  return {
+    getAuthProps: createProtectedAuthProps(auth, onAuthError),
+    getData: createProtectedDataFetcher(auth, onAuthError)
+  };
+}
+async function withServerAuth(auth, serverRender, options = {}) {
+  const result = await getValidSession(auth);
+  switch (result.status) {
+    case "authenticated":
+      return serverRender(result.session);
+    case "token_expired":
+      if (options.onTokenExpired !== void 0) {
+        return typeof options.onTokenExpired === "function" ? options.onTokenExpired() : options.onTokenExpired;
+      }
+      return serverRender(result.session);
+    case "unauthenticated":
+      if (options.onUnauthenticated !== void 0) {
+        return typeof options.onUnauthenticated === "function" ? options.onUnauthenticated() : options.onUnauthenticated;
+      }
+      throw new Error("Unauthorized: No active session");
+    case "error":
+      if (options.onError !== void 0) {
+        return typeof options.onError === "function" ? options.onError(result.error) : options.onError;
+      }
+      throw new Error(`Unauthorized: ${result.error}`);
+    default:
+      throw new Error("Unknown auth state");
+  }
+}
+function createAuthMiddleware(auth, options = {}) {
+  const { loginUrl = "/login", protectedPaths, publicPaths } = options;
+  return async function middleware(request) {
+    const { pathname } = request.nextUrl;
+    if (publicPaths) {
+      const isPublic = publicPaths.some((pattern) => {
+        if (typeof pattern === "string") {
+          return matchPathPrefix(pathname, pattern);
+        }
+        return pattern.test(pathname);
+      });
+      if (isPublic) {
+        return import_server.NextResponse.next();
+      }
+    }
+    if (protectedPaths) {
+      const isProtected = protectedPaths.some((pattern) => {
+        if (typeof pattern === "string") {
+          return matchPathPrefix(pathname, pattern);
+        }
+        return pattern.test(pathname);
+      });
+      if (!isProtected) {
+        return import_server.NextResponse.next();
+      }
+    }
+    const session = await auth();
+    if (!session) {
+      const url = new URL(loginUrl, request.url);
+      const returnTo = request.nextUrl.search ? `${pathname}${request.nextUrl.search}` : pathname;
+      url.searchParams.set("returnTo", returnTo);
+      return import_server.NextResponse.redirect(url);
+    }
+    if (session.error && session.error !== "TokenExpired") {
+      const url = new URL(loginUrl, request.url);
+      const returnTo = request.nextUrl.search ? `${pathname}${request.nextUrl.search}` : pathname;
+      url.searchParams.set("returnTo", returnTo);
+      url.searchParams.set("error", session.error);
+      return import_server.NextResponse.redirect(url);
+    }
+    return import_server.NextResponse.next();
+  };
+}
+function withAuth(auth, handler) {
+  return async (...args) => {
+    const session = await auth();
+    if (!session) {
+      throw new Error("Unauthorized: No active session");
+    }
+    if (session.error && session.error !== "TokenExpired") {
+      throw new Error(`Unauthorized: ${session.error}`);
+    }
+    return handler(session, ...args);
+  };
+}
+// Annotate the CommonJS export names for ESM import in node:
+0 && (module.exports = {
+  createAuthConfig,
+  createAuthMiddleware,
+  createAuthOptions,
+  createImmutableAuth,
+  createProtectedAuthProps,
+  createProtectedDataFetcher,
+  createProtectedFetchers,
+  getAuthProps,
+  getAuthenticatedData,
+  getValidSession,
+  withAuth,
+  withServerAuth
+});