@imtbl/auth-nextjs 0.0.1-alpha.0 → 2.12.4-alpha.5

package/dist/node/index.js

@@ -0,0 +1,55 @@
+import {
+  createAuthOptions,
+  isTokenExpired,
+  refreshAccessToken
+} from "./chunk-OPPMGNFZ.js";
+
+// src/index.ts
+import NextAuthDefault from "next-auth";
+import { MarketingConsentStatus } from "@imtbl/auth";
+var NextAuth = NextAuthDefault.default || NextAuthDefault;
+function ImmutableAuth(config, overrides) {
+  const authOptions = createAuthOptions(config);
+  if (!overrides) {
+    return NextAuth(authOptions);
+  }
+  const composedCallbacks = {
+    ...authOptions.callbacks
+  };
+  if (overrides.callbacks) {
+    if (overrides.callbacks.jwt) {
+      const internalJwt = authOptions.callbacks?.jwt;
+      const userJwt = overrides.callbacks.jwt;
+      composedCallbacks.jwt = async (params) => {
+        const token = internalJwt ? await internalJwt(params) : params.token;
+        return userJwt({ ...params, token });
+      };
+    }
+    if (overrides.callbacks.session) {
+      const internalSession = authOptions.callbacks?.session;
+      const userSession = overrides.callbacks.session;
+      composedCallbacks.session = async (params) => {
+        const session = internalSession ? await internalSession(params) : params.session;
+        return userSession({ ...params, session });
+      };
+    }
+    if (overrides.callbacks.signIn) {
+      composedCallbacks.signIn = overrides.callbacks.signIn;
+    }
+    if (overrides.callbacks.redirect) {
+      composedCallbacks.redirect = overrides.callbacks.redirect;
+    }
+  }
+  const mergedOptions = {
+    ...authOptions,
+    ...overrides,
+    callbacks: composedCallbacks
+  };
+  return NextAuth(mergedOptions);
+}
+export {
+  ImmutableAuth,
+  MarketingConsentStatus,
+  isTokenExpired,
+  refreshAccessToken
+};

package/dist/node/server/index.cjs

@@ -0,0 +1,300 @@
+"use strict";
+var __create = Object.create;
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __getProtoOf = Object.getPrototypeOf;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toESM = (mod, isNodeMode, target) => (target = mod != null ? __create(__getProtoOf(mod)) : {}, __copyProps(
+  // If the importer is in node compatibility mode or this is not an ESM
+  // file that has been converted to a CommonJS file using a Babel-
+  // compatible transform (i.e. "__esModule" has not been set), then set
+  // "default" to the CommonJS "module.exports" for node compatibility.
+  isNodeMode || !mod || !mod.__esModule ? __defProp(target, "default", { value: mod, enumerable: true }) : target,
+  mod
+));
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+
+// src/server/index.ts
+var server_exports = {};
+__export(server_exports, {
+  getImmutableSession: () => getImmutableSession,
+  withPageAuthRequired: () => withPageAuthRequired
+});
+module.exports = __toCommonJS(server_exports);
+
+// src/server/with-page-auth.ts
+var import_next_auth = require("next-auth");
+
+// src/config.ts
+var import_credentials = __toESM(require("next-auth/providers/credentials"), 1);
+
+// src/constants.ts
+var DEFAULT_AUTH_DOMAIN = "https://auth.immutable.com";
+var IMMUTABLE_PROVIDER_ID = "immutable";
+var DEFAULT_TOKEN_EXPIRY_SECONDS = 900;
+var DEFAULT_TOKEN_EXPIRY_MS = DEFAULT_TOKEN_EXPIRY_SECONDS * 1e3;
+var TOKEN_EXPIRY_BUFFER_SECONDS = 60;
+var DEFAULT_SESSION_MAX_AGE_SECONDS = 30 * 24 * 60 * 60;
+
+// src/refresh.ts
+async function refreshAccessToken(token, config) {
+  const authDomain = config.authenticationDomain || DEFAULT_AUTH_DOMAIN;
+  if (!token.refreshToken) {
+    return {
+      ...token,
+      error: "NoRefreshToken"
+    };
+  }
+  try {
+    const response = await fetch(`${authDomain}/oauth/token`, {
+      method: "POST",
+      headers: {
+        "Content-Type": "application/x-www-form-urlencoded"
+      },
+      body: new URLSearchParams({
+        grant_type: "refresh_token",
+        client_id: config.clientId,
+        refresh_token: token.refreshToken
+      })
+    });
+    if (!response.ok) {
+      let errorMessage = `Token refresh failed with status ${response.status}`;
+      try {
+        const errorData = await response.json();
+        if (errorData.error_description || errorData.error) {
+          errorMessage = errorData.error_description || errorData.error;
+        }
+      } catch {
+      }
+      throw new Error(errorMessage);
+    }
+    const data = await response.json();
+    if (!data.access_token || typeof data.access_token !== "string") {
+      throw new Error("Invalid token response: missing access_token");
+    }
+    const expiresIn = data.expires_in || DEFAULT_TOKEN_EXPIRY_SECONDS;
+    const accessTokenExpires = Date.now() + expiresIn * 1e3;
+    return {
+      ...token,
+      accessToken: data.access_token,
+      refreshToken: data.refresh_token ?? token.refreshToken,
+      idToken: data.id_token ?? token.idToken,
+      accessTokenExpires,
+      error: void 0
+    };
+  } catch (error) {
+    console.error("[auth-nextjs] Failed to refresh token:", error);
+    return {
+      ...token,
+      error: "RefreshTokenError"
+    };
+  }
+}
+function isTokenExpired(accessTokenExpires, bufferSeconds = TOKEN_EXPIRY_BUFFER_SECONDS) {
+  if (typeof accessTokenExpires !== "number" || Number.isNaN(accessTokenExpires)) {
+    return true;
+  }
+  return Date.now() >= accessTokenExpires - bufferSeconds * 1e3;
+}
+
+// src/config.ts
+var CredentialsProvider = import_credentials.default.default || import_credentials.default;
+async function validateTokens(accessToken, authDomain) {
+  try {
+    const response = await fetch(`${authDomain}/userinfo`, {
+      method: "GET",
+      headers: {
+        Authorization: `Bearer ${accessToken}`
+      }
+    });
+    if (!response.ok) {
+      console.error("[auth-nextjs] Token validation failed:", response.status, response.statusText);
+      return null;
+    }
+    return await response.json();
+  } catch (error) {
+    console.error("[auth-nextjs] Token validation error:", error);
+    return null;
+  }
+}
+function createAuthOptions(config) {
+  const authDomain = config.authenticationDomain || DEFAULT_AUTH_DOMAIN;
+  return {
+    providers: [
+      CredentialsProvider({
+        id: IMMUTABLE_PROVIDER_ID,
+        name: "Immutable",
+        credentials: {
+          tokens: { label: "Tokens", type: "text" }
+        },
+        async authorize(credentials) {
+          if (!credentials?.tokens) {
+            return null;
+          }
+          let tokenData;
+          try {
+            tokenData = JSON.parse(credentials.tokens);
+          } catch (error) {
+            console.error("[auth-nextjs] Failed to parse token data:", error);
+            return null;
+          }
+          if (!tokenData.accessToken || typeof tokenData.accessToken !== "string" || !tokenData.profile || typeof tokenData.profile !== "object" || !tokenData.profile.sub || typeof tokenData.profile.sub !== "string" || typeof tokenData.accessTokenExpires !== "number" || Number.isNaN(tokenData.accessTokenExpires)) {
+            console.error("[auth-nextjs] Invalid token data structure - missing required fields");
+            return null;
+          }
+          const userInfo = await validateTokens(tokenData.accessToken, authDomain);
+          if (!userInfo) {
+            console.error("[auth-nextjs] Token validation failed - rejecting authentication");
+            return null;
+          }
+          if (userInfo.sub !== tokenData.profile.sub) {
+            console.error(
+              "[auth-nextjs] User ID mismatch - userinfo sub:",
+              userInfo.sub,
+              "provided sub:",
+              tokenData.profile.sub
+            );
+            return null;
+          }
+          return {
+            id: userInfo.sub,
+            sub: userInfo.sub,
+            email: userInfo.email ?? tokenData.profile.email,
+            nickname: userInfo.nickname ?? tokenData.profile.nickname,
+            accessToken: tokenData.accessToken,
+            refreshToken: tokenData.refreshToken,
+            idToken: tokenData.idToken,
+            accessTokenExpires: tokenData.accessTokenExpires,
+            zkEvm: tokenData.zkEvm
+          };
+        }
+      })
+    ],
+    callbacks: {
+      async jwt({
+        token,
+        user,
+        trigger,
+        session: sessionUpdate
+      }) {
+        if (user) {
+          return {
+            ...token,
+            sub: user.sub,
+            email: user.email,
+            nickname: user.nickname,
+            accessToken: user.accessToken,
+            refreshToken: user.refreshToken,
+            idToken: user.idToken,
+            accessTokenExpires: user.accessTokenExpires,
+            zkEvm: user.zkEvm
+          };
+        }
+        if (trigger === "update" && sessionUpdate) {
+          return {
+            ...token,
+            ...sessionUpdate.accessToken && { accessToken: sessionUpdate.accessToken },
+            ...sessionUpdate.refreshToken && { refreshToken: sessionUpdate.refreshToken },
+            ...sessionUpdate.idToken && { idToken: sessionUpdate.idToken },
+            ...sessionUpdate.accessTokenExpires && { accessTokenExpires: sessionUpdate.accessTokenExpires },
+            ...sessionUpdate.zkEvm && { zkEvm: sessionUpdate.zkEvm }
+          };
+        }
+        if (!isTokenExpired(token.accessTokenExpires)) {
+          return token;
+        }
+        return refreshAccessToken(token, config);
+      },
+      async session({ session, token }) {
+        return {
+          ...session,
+          user: {
+            sub: token.sub,
+            email: token.email,
+            nickname: token.nickname
+          },
+          accessToken: token.accessToken,
+          refreshToken: token.refreshToken,
+          idToken: token.idToken,
+          accessTokenExpires: token.accessTokenExpires,
+          zkEvm: token.zkEvm,
+          ...token.error && { error: token.error }
+        };
+      }
+    },
+    session: {
+      strategy: "jwt",
+      // Session max age in seconds (30 days default)
+      maxAge: DEFAULT_SESSION_MAX_AGE_SECONDS
+    },
+    // Use NEXTAUTH_SECRET from environment
+    secret: process.env.NEXTAUTH_SECRET
+  };
+}
+
+// src/server/with-page-auth.ts
+async function getImmutableSession(req, res, config) {
+  const authOptions = createAuthOptions(config);
+  return (0, import_next_auth.getServerSession)(req, res, authOptions);
+}
+function withPageAuthRequired(config, options = {}) {
+  const {
+    loginUrl = "/login",
+    returnTo,
+    getServerSideProps: customGetServerSideProps
+  } = options;
+  const authOptions = createAuthOptions(config);
+  return async (ctx) => {
+    const session = await (0, import_next_auth.getServerSession)(ctx.req, ctx.res, authOptions);
+    if (!session) {
+      let destination = loginUrl;
+      if (returnTo !== false) {
+        const returnPath = returnTo || ctx.resolvedUrl;
+        const separator = loginUrl.includes("?") ? "&" : "?";
+        destination = `${loginUrl}${separator}returnTo=${encodeURIComponent(returnPath)}`;
+      }
+      return {
+        redirect: {
+          destination,
+          permanent: false
+        }
+      };
+    }
+    if (customGetServerSideProps) {
+      const result = await customGetServerSideProps(ctx, session);
+      if ("redirect" in result || "notFound" in result) {
+        return result;
+      }
+      const userProps = await result.props;
+      return {
+        props: {
+          ...userProps,
+          session
+        }
+      };
+    }
+    return {
+      props: {
+        session
+      }
+    };
+  };
+}
+// Annotate the CommonJS export names for ESM import in node:
+0 && (module.exports = {
+  getImmutableSession,
+  withPageAuthRequired
+});

package/dist/node/server/index.js

@@ -0,0 +1,57 @@
+import {
+  createAuthOptions
+} from "../chunk-OPPMGNFZ.js";
+
+// src/server/with-page-auth.ts
+import { getServerSession as nextAuthGetServerSession } from "next-auth";
+async function getImmutableSession(req, res, config) {
+  const authOptions = createAuthOptions(config);
+  return nextAuthGetServerSession(req, res, authOptions);
+}
+function withPageAuthRequired(config, options = {}) {
+  const {
+    loginUrl = "/login",
+    returnTo,
+    getServerSideProps: customGetServerSideProps
+  } = options;
+  const authOptions = createAuthOptions(config);
+  return async (ctx) => {
+    const session = await nextAuthGetServerSession(ctx.req, ctx.res, authOptions);
+    if (!session) {
+      let destination = loginUrl;
+      if (returnTo !== false) {
+        const returnPath = returnTo || ctx.resolvedUrl;
+        const separator = loginUrl.includes("?") ? "&" : "?";
+        destination = `${loginUrl}${separator}returnTo=${encodeURIComponent(returnPath)}`;
+      }
+      return {
+        redirect: {
+          destination,
+          permanent: false
+        }
+      };
+    }
+    if (customGetServerSideProps) {
+      const result = await customGetServerSideProps(ctx, session);
+      if ("redirect" in result || "notFound" in result) {
+        return result;
+      }
+      const userProps = await result.props;
+      return {
+        props: {
+          ...userProps,
+          session
+        }
+      };
+    }
+    return {
+      props: {
+        session
+      }
+    };
+  };
+}
+export {
+  getImmutableSession,
+  withPageAuthRequired
+};

package/dist/types/client/callback.d.ts

@@ -0,0 +1,37 @@
+import React from 'react';
+import type { ImmutableAuthConfig } from '../types';
+export interface CallbackPageProps {
+    /**
+     * Immutable auth configuration
+     */
+    config: ImmutableAuthConfig;
+    /**
+     * URL to redirect to after successful authentication (when not in popup)
+     */
+    redirectTo?: string;
+    /**
+     * Custom loading component
+     */
+    loadingComponent?: React.ReactElement | null;
+    /**
+     * Custom error component
+     */
+    errorComponent?: (error: string) => React.ReactElement | null;
+}
+/**
+ * Callback page component for handling OAuth redirects.
+ *
+ * Use this in your callback page to process authentication responses.
+ *
+ * @example
+ * ```tsx
+ * // pages/callback.tsx
+ * import { CallbackPage } from "@imtbl/auth-nextjs/client";
+ * import { immutableConfig } from "@/lib/auth-nextjs";
+ *
+ * export default function Callback() {
+ *   return <CallbackPage config={immutableConfig} />;
+ * }
+ * ```
+ */
+export declare function CallbackPage({ config, redirectTo, loadingComponent, errorComponent, }: CallbackPageProps): import("react/jsx-runtime").JSX.Element | null;

package/dist/types/client/index.d.ts

@@ -0,0 +1,5 @@
+export { ImmutableAuthProvider, useImmutableAuth, useAccessToken, } from './provider';
+export { CallbackPage, type CallbackPageProps } from './callback';
+export type { ImmutableAuthProviderProps, UseImmutableAuthReturn, ImmutableAuthConfig, ImmutableUser, } from '../types';
+export type { LoginOptions, DirectLoginOptions } from '@imtbl/auth';
+export { MarketingConsentStatus } from '@imtbl/auth';

package/dist/types/client/provider.d.ts

@@ -0,0 +1,70 @@
+import type { ImmutableAuthProviderProps, UseImmutableAuthReturn } from '../types';
+/**
+ * Provider component for Immutable authentication with NextAuth
+ *
+ * Wraps your app to provide authentication state via useImmutableAuth hook.
+ *
+ * @example
+ * ```tsx
+ * // pages/_app.tsx
+ * import { ImmutableAuthProvider } from "@imtbl/auth-nextjs/client";
+ *
+ * const config = {
+ *   clientId: process.env.NEXT_PUBLIC_IMMUTABLE_CLIENT_ID!,
+ *   redirectUri: `${process.env.NEXT_PUBLIC_BASE_URL}/callback`,
+ * };
+ *
+ * export default function App({ Component, pageProps }: AppProps) {
+ *   return (
+ *     <ImmutableAuthProvider config={config} session={pageProps.session}>
+ *       <Component {...pageProps} />
+ *     </ImmutableAuthProvider>
+ *   );
+ * }
+ * ```
+ */
+export declare function ImmutableAuthProvider({ children, config, session, basePath, }: ImmutableAuthProviderProps): import("react/jsx-runtime").JSX.Element;
+/**
+ * Hook to access Immutable authentication state and methods
+ *
+ * Must be used within an ImmutableAuthProvider.
+ *
+ * @example
+ * ```tsx
+ * function MyComponent() {
+ *   const { user, isLoading, signIn, signOut } = useImmutableAuth();
+ *
+ *   if (isLoading) return <div>Loading...</div>;
+ *
+ *   if (user) {
+ *     return (
+ *       <div>
+ *         <p>Welcome, {user.email}</p>
+ *         <button onClick={signOut}>Logout</button>
+ *       </div>
+ *     );
+ *   }
+ *
+ *   return <button onClick={signIn}>Login</button>;
+ * }
+ * ```
+ */
+export declare function useImmutableAuth(): UseImmutableAuthReturn;
+/**
+ * Hook to get a function that returns a valid access token
+ *
+ * @example
+ * ```tsx
+ * function ApiComponent() {
+ *   const getAccessToken = useAccessToken();
+ *
+ *   const fetchData = async () => {
+ *     const token = await getAccessToken();
+ *     const response = await fetch("/api/data", {
+ *       headers: { Authorization: `Bearer ${token}` },
+ *     });
+ *   };
+ * }
+ * ```
+ */
+export declare function useAccessToken(): () => Promise<string>;

package/dist/types/config.d.ts

@@ -0,0 +1,23 @@
+import type { NextAuthOptions } from 'next-auth';
+import type { ImmutableAuthConfig } from './types';
+/**
+ * Create NextAuth options configured for Immutable authentication
+ *
+ * @example
+ * ```typescript
+ * // lib/auth.ts
+ * import { createAuthOptions } from "@imtbl/auth-nextjs";
+ *
+ * export const authOptions = createAuthOptions({
+ *   clientId: process.env.NEXT_PUBLIC_IMMUTABLE_CLIENT_ID!,
+ *   redirectUri: `${process.env.NEXT_PUBLIC_BASE_URL}/callback`,
+ * });
+ *
+ * // pages/api/auth/[...nextauth].ts
+ * import NextAuth from "next-auth";
+ * import { authOptions } from "@/lib/auth";
+ *
+ * export default NextAuth(authOptions);
+ * ```
+ */
+export declare function createAuthOptions(config: ImmutableAuthConfig): NextAuthOptions;

package/dist/types/constants.d.ts

@@ -0,0 +1,42 @@
+/**
+ * Shared constants for @imtbl/auth-nextjs
+ */
+/**
+ * Default Immutable authentication domain
+ */
+export declare const DEFAULT_AUTH_DOMAIN = "https://auth.immutable.com";
+/**
+ * Default OAuth audience
+ */
+export declare const DEFAULT_AUDIENCE = "platform_api";
+/**
+ * Default OAuth scopes
+ */
+export declare const DEFAULT_SCOPE = "openid profile email offline_access transact";
+/**
+ * NextAuth credentials provider ID for Immutable
+ */
+export declare const IMMUTABLE_PROVIDER_ID = "immutable";
+/**
+ * Default NextAuth API base path
+ */
+export declare const DEFAULT_NEXTAUTH_BASE_PATH = "/api/auth";
+/**
+ * Default token expiry in seconds (15 minutes)
+ * Used as fallback when exp claim cannot be extracted from JWT
+ */
+export declare const DEFAULT_TOKEN_EXPIRY_SECONDS = 900;
+/**
+ * Default token expiry in milliseconds
+ */
+export declare const DEFAULT_TOKEN_EXPIRY_MS: number;
+/**
+ * Buffer time in seconds before token expiry to trigger refresh
+ * Tokens will be refreshed when they expire within this window
+ */
+export declare const TOKEN_EXPIRY_BUFFER_SECONDS = 60;
+/**
+ * Default session max age in seconds (30 days)
+ * This is how long the NextAuth session cookie will be valid
+ */
+export declare const DEFAULT_SESSION_MAX_AGE_SECONDS: number;

package/dist/types/index.d.ts

@@ -0,0 +1,63 @@
+import { type NextAuthOptions } from 'next-auth';
+import type { ImmutableAuthConfig } from './types';
+/**
+ * NextAuth options that can be overridden.
+ * Excludes 'providers' as that's managed internally.
+ */
+export type ImmutableAuthOverrides = Omit<NextAuthOptions, 'providers'>;
+/**
+ * Create a NextAuth handler with Immutable authentication
+ *
+ * @param config - Immutable auth configuration
+ * @param overrides - Optional NextAuth options to override defaults
+ *
+ * @remarks
+ * Callback composition: The `jwt` and `session` callbacks are composed rather than
+ * replaced. Internal callbacks run first (handling token storage and refresh), then
+ * your custom callbacks receive the result. Other callbacks (`signIn`, `redirect`)
+ * are replaced entirely if provided.
+ *
+ * @example Basic usage
+ * ```typescript
+ * // pages/api/auth/[...nextauth].ts
+ * import { ImmutableAuth } from "@imtbl/auth-nextjs";
+ *
+ * export default ImmutableAuth({
+ *   clientId: process.env.NEXT_PUBLIC_IMMUTABLE_CLIENT_ID!,
+ *   redirectUri: `${process.env.NEXT_PUBLIC_BASE_URL}/callback`,
+ * });
+ * ```
+ *
+ * @example With NextAuth overrides
+ * ```typescript
+ * export default ImmutableAuth(
+ *   { clientId: "...", redirectUri: "..." },
+ *   {
+ *     pages: { signIn: "/custom-login", error: "/auth-error" },
+ *     debug: true,
+ *   }
+ * );
+ * ```
+ *
+ * @example With custom jwt callback (composed with internal callback)
+ * ```typescript
+ * export default ImmutableAuth(
+ *   { clientId: "...", redirectUri: "..." },
+ *   {
+ *     callbacks: {
+ *       // Your jwt callback receives the token after internal processing
+ *       async jwt({ token }) {
+ *         // Add custom claims
+ *         token.customClaim = "value";
+ *         return token;
+ *       },
+ *     },
+ *   }
+ * );
+ * ```
+ */
+export declare function ImmutableAuth(config: ImmutableAuthConfig, overrides?: ImmutableAuthOverrides): any;
+export type { ImmutableAuthConfig, ImmutableTokenData, ImmutableUser, ZkEvmInfo, WithPageAuthRequiredOptions, } from './types';
+export type { LoginOptions, DirectLoginOptions } from '@imtbl/auth';
+export { MarketingConsentStatus } from '@imtbl/auth';
+export { refreshAccessToken, isTokenExpired } from './refresh';

package/dist/types/refresh.d.ts

@@ -0,0 +1,16 @@
+import type { JWT } from 'next-auth/jwt';
+import type { ImmutableAuthConfig } from './types';
+/**
+ * Refresh the access token using the refresh token
+ * Called by NextAuth JWT callback when token is expired
+ */
+export declare function refreshAccessToken(token: JWT, config: ImmutableAuthConfig): Promise<JWT>;
+/**
+ * Check if the access token is expired or about to expire
+ * Returns true if token expires within the buffer time (default 60 seconds)
+ *
+ * @remarks
+ * If accessTokenExpires is not a valid number (undefined, null, NaN),
+ * returns true to trigger a refresh as a safety measure.
+ */
+export declare function isTokenExpired(accessTokenExpires: number, bufferSeconds?: number): boolean;

package/dist/types/server/index.d.ts

@@ -0,0 +1,2 @@
+export { withPageAuthRequired, getImmutableSession, type WithPageAuthRequiredFullOptions, type WithPageAuthRequiredProps, } from './with-page-auth';
+export type { WithPageAuthRequiredOptions } from '../types';