@imtbl/auth-nextjs 2.12.4-alpha.5 → 2.12.4-alpha.7

package/README.md

@@ -1,38 +1,58 @@
 # @imtbl/auth-nextjs
 
-Next.js authentication integration for Immutable SDK using NextAuth.js.
+Next.js App Router authentication integration for Immutable SDK using Auth.js v5.
 
-This package bridges `@imtbl/auth` popup-based authentication with NextAuth.js session management, providing:
+This package bridges `@imtbl/auth` popup-based authentication with Auth.js session management, providing:
 
 - Server-side session storage in encrypted JWT cookies
 - Automatic token refresh on both server and client
-- Full SSR support with `getServerSession`
+- Full SSR support with `auth()` function
 - React hooks for easy client-side authentication
+- Middleware support for protecting routes
+
+## Requirements
+
+- Next.js 14+ with App Router
+- Auth.js v5 (next-auth@5.x)
+- React 18+
 
 ## Installation
 
 ```bash
-pnpm add @imtbl/auth-nextjs next-auth
+pnpm add @imtbl/auth-nextjs next-auth@beta
 ```
 
 ## Quick Start
 
-### 1. Set Up Auth API Route
+### 1. Create Auth Configuration
 
 ```typescript
-// pages/api/auth/[...nextauth].ts
-import { ImmutableAuth } from "@imtbl/auth-nextjs";
+// lib/auth.ts
+import { createImmutableAuth } from "@imtbl/auth-nextjs";
 
-export default ImmutableAuth({
+const config = {
   clientId: process.env.NEXT_PUBLIC_IMMUTABLE_CLIENT_ID!,
   redirectUri: `${process.env.NEXT_PUBLIC_BASE_URL}/callback`,
-});
+};
+
+export const { handlers, auth, signIn, signOut } = createImmutableAuth(config);
 ```
 
-### 2. Create Callback Page
+### 2. Set Up Auth API Route
 
 ```typescript
-// pages/callback.tsx
+// app/api/auth/[...nextauth]/route.ts
+import { handlers } from "@/lib/auth";
+
+export const { GET, POST } = handlers;
+```
+
+### 3. Create Callback Page
+
+```typescript
+// app/callback/page.tsx
+"use client";
+
 import { CallbackPage } from "@imtbl/auth-nextjs/client";
 
 const config = {
@@ -41,14 +61,18 @@ const config = {
 };
 
 export default function Callback() {
-  return <CallbackPage config={config} />;
+  return <CallbackPage config={config} redirectTo="/dashboard" />;
 }
 ```
 
-### 3. Add Provider to App
+See [CallbackPage Props](#callbackpage-props) for all available options.
+
+### 4. Add Provider to Layout
 
 ```typescript
-// pages/_app.tsx
+// app/providers.tsx
+"use client";
+
 import { ImmutableAuthProvider } from "@imtbl/auth-nextjs/client";
 
 const config = {
@@ -56,21 +80,39 @@ const config = {
   redirectUri: `${process.env.NEXT_PUBLIC_BASE_URL}/callback`,
 };
 
-export default function App({ Component, pageProps }: AppProps) {
+export function Providers({ children }: { children: React.ReactNode }) {
+  return (
+    <ImmutableAuthProvider config={config}>{children}</ImmutableAuthProvider>
+  );
+}
+
+// app/layout.tsx
+import { Providers } from "./providers";
+
+export default function RootLayout({
+  children,
+}: {
+  children: React.ReactNode;
+}) {
   return (
-    <ImmutableAuthProvider config={config} session={pageProps.session}>
-      <Component {...pageProps} />
-    </ImmutableAuthProvider>
+    <html>
+      <body>
+        <Providers>{children}</Providers>
+      </body>
+    </html>
   );
 }
 ```
 
-### 4. Use in Components
+### 5. Use in Components
 
 ```typescript
+// app/components/LoginButton.tsx
+"use client";
+
 import { useImmutableAuth } from "@imtbl/auth-nextjs/client";
 
-function LoginButton() {
+export function LoginButton() {
   const { user, isLoading, signIn, signOut } = useImmutableAuth();
 
   if (isLoading) return <div>Loading...</div>;
@@ -84,52 +126,42 @@ function LoginButton() {
     );
   }
 
-  return <button onClick={signIn}>Login with Immutable</button>;
+  return <button onClick={() => signIn()}>Login with Immutable</button>;
 }
 ```
 
-### 5. Access Session Server-Side (SSR)
+### 6. Access Session in Server Components
 
 ```typescript
-// pages/profile.tsx
-import { getImmutableSession } from "@imtbl/auth-nextjs/server";
-import type { GetServerSideProps } from "next";
+// app/profile/page.tsx
+import { auth } from "@/lib/auth";
+import { redirect } from "next/navigation";
 
-const config = {
-  clientId: process.env.NEXT_PUBLIC_IMMUTABLE_CLIENT_ID!,
-  redirectUri: `${process.env.NEXT_PUBLIC_BASE_URL}/callback`,
-};
+export default async function ProfilePage() {
+  const session = await auth();
 
-export default function ProfilePage({ user }) {
-  if (!user) return <p>Not logged in</p>;
-  return <h1>Welcome, {user.email}</h1>;
-}
+  if (!session) {
+    redirect("/login");
+  }
 
-export const getServerSideProps: GetServerSideProps = async (ctx) => {
-  const session = await getImmutableSession(ctx.req, ctx.res, config);
-  return { props: { user: session?.user ?? null } };
-};
+  return <h1>Welcome, {session.user.email}</h1>;
+}
 ```
 
-### 6. Protect Pages (Optional)
+### 7. Protect Routes with Middleware (Optional)
 
 ```typescript
-// pages/dashboard.tsx
-import { withPageAuthRequired } from "@imtbl/auth-nextjs/server";
-
-const config = {
-  clientId: process.env.NEXT_PUBLIC_IMMUTABLE_CLIENT_ID!,
-  redirectUri: `${process.env.NEXT_PUBLIC_BASE_URL}/callback`,
-};
-
-function DashboardPage() {
-  return <h1>Dashboard (protected)</h1>;
-}
+// middleware.ts
+import { createAuthMiddleware } from "@imtbl/auth-nextjs/server";
+import { auth } from "@/lib/auth";
 
-export default DashboardPage;
+export default createAuthMiddleware(auth, {
+  loginUrl: "/login",
+});
 
-// Redirects to /login if not authenticated
-export const getServerSideProps = withPageAuthRequired(config);
+export const config = {
+  matcher: ["/dashboard/:path*", "/profile/:path*"],
+};
 ```
 
 ## Configuration Options
@@ -152,9 +184,8 @@ The `ImmutableAuthConfig` object accepts the following properties:
 NEXT_PUBLIC_IMMUTABLE_CLIENT_ID=your-client-id
 NEXT_PUBLIC_BASE_URL=http://localhost:3000
 
-# Required by NextAuth for cookie encryption
-NEXTAUTH_SECRET=generate-with-openssl-rand-base64-32
-NEXTAUTH_URL=http://localhost:3000
+# Required by Auth.js for cookie encryption
+AUTH_SECRET=generate-with-openssl-rand-base64-32
 ```
 
 Generate a secret:
@@ -167,99 +198,146 @@ openssl rand -base64 32
 
 ### Main Exports (`@imtbl/auth-nextjs`)
 
-| Export                              | Description                                 |
-| ----------------------------------- | ------------------------------------------- |
-| `ImmutableAuth(config, overrides?)` | Creates NextAuth handler (use in API route) |
-| `refreshAccessToken(token)`         | Utility to refresh an expired access token  |
-| `isTokenExpired(token)`             | Utility to check if a token is expired      |
+| Export                                  | Description                                                         |
+| --------------------------------------- | ------------------------------------------------------------------- |
+| `createImmutableAuth(config, options?)` | Creates Auth.js instance with `{ handlers, auth, signIn, signOut }` |
+| `createAuthConfig(config)`              | Creates Auth.js config (for advanced use)                           |
+| `refreshAccessToken(token, config)`     | Utility to refresh an expired access token                          |
+| `isTokenExpired(expires, buffer?)`      | Utility to check if a token is expired                              |
 
 **Types:**
 
-| Type                          | Description                               |
-| ----------------------------- | ----------------------------------------- |
-| `ImmutableAuthConfig`         | Configuration options                     |
-| `ImmutableAuthOverrides`      | NextAuth options override type            |
-| `ImmutableUser`               | User profile type                         |
-| `ImmutableTokenData`          | Token data passed to credentials provider |
-| `ZkEvmInfo`                   | zkEVM wallet information type             |
-| `WithPageAuthRequiredOptions` | Options for page protection               |
+| Type                     | Description                               |
+| ------------------------ | ----------------------------------------- |
+| `ImmutableAuthConfig`    | Configuration options                     |
+| `ImmutableAuthOverrides` | Auth.js options override type             |
+| `ImmutableAuthResult`    | Return type of createImmutableAuth        |
+| `ImmutableUser`          | User profile type                         |
+| `ImmutableTokenData`     | Token data passed to credentials provider |
+| `ZkEvmInfo`              | zkEVM wallet information type             |
 
 ### Client Exports (`@imtbl/auth-nextjs/client`)
 
-| Export                  | Description                                             |
-| ----------------------- | ------------------------------------------------------- |
-| `ImmutableAuthProvider` | React context provider (wraps NextAuth SessionProvider) |
-| `useImmutableAuth()`    | Hook for authentication state and methods (see below)   |
-| `useAccessToken()`      | Hook returning `getAccessToken` function                |
-| `CallbackPage`          | Pre-built callback page component for OAuth redirects   |
+| Export                  | Description                                            |
+| ----------------------- | ------------------------------------------------------ |
+| `ImmutableAuthProvider` | React context provider (wraps Auth.js SessionProvider) |
+| `useImmutableAuth()`    | Hook for authentication state and methods (see below)  |
+| `useAccessToken()`      | Hook returning `getAccessToken` function               |
+| `CallbackPage`          | Pre-built callback page component for OAuth redirects  |
+
+#### CallbackPage Props
+
+| Prop               | Type                                                  | Default | Description                                                        |
+| ------------------ | ----------------------------------------------------- | ------- | ------------------------------------------------------------------ |
+| `config`           | `ImmutableAuthConfig`                                 | -       | Required. Immutable auth configuration                             |
+| `redirectTo`       | `string \| ((user: ImmutableUser) => string \| void)` | `"/"`   | Where to redirect after successful auth (supports dynamic routing) |
+| `loadingComponent` | `React.ReactElement \| null`                          | `null`  | Custom loading UI while processing authentication                  |
+| `errorComponent`   | `(error: string) => React.ReactElement \| null`       | -       | Custom error UI component                                          |
+| `onSuccess`        | `(user: ImmutableUser) => void \| Promise<void>`      | -       | Callback fired after successful authentication                     |
+| `onError`          | `(error: string) => void`                             | -       | Callback fired when authentication fails                           |
+
+**Example with all props:**
+
+```tsx
+// app/callback/page.tsx
+"use client";
+
+import { CallbackPage } from "@imtbl/auth-nextjs/client";
+import { Spinner } from "@/components/ui/spinner";
+
+const config = {
+  clientId: process.env.NEXT_PUBLIC_IMMUTABLE_CLIENT_ID!,
+  redirectUri: `${process.env.NEXT_PUBLIC_BASE_URL}/callback`,
+};
+
+export default function Callback() {
+  return (
+    <CallbackPage
+      config={config}
+      // Dynamic redirect based on user
+      redirectTo={(user) => {
+        if (user.email?.endsWith("@admin.com")) return "/admin";
+        return "/dashboard";
+      }}
+      // Custom loading UI
+      loadingComponent={
+        <div className="flex items-center justify-center min-h-screen">
+          <Spinner />
+          <span>Completing authentication...</span>
+        </div>
+      }
+      // Custom error UI
+      errorComponent={(error) => (
+        <div className="text-center p-8">
+          <h2 className="text-red-500">Authentication Error</h2>
+          <p>{error}</p>
+          <a href="/">Return Home</a>
+        </div>
+      )}
+      // Success callback for analytics
+      onSuccess={async (user) => {
+        await analytics.track("login_success", { userId: user.sub });
+      }}
+      // Error callback for logging
+      onError={(error) => {
+        console.error("Auth failed:", error);
+        Sentry.captureMessage(error);
+      }}
+    />
+  );
+}
+```
 
 **`useImmutableAuth()` Return Value:**
 
 | Property          | Type                    | Description                                      |
 | ----------------- | ----------------------- | ------------------------------------------------ |
 | `user`            | `ImmutableUser \| null` | Current user profile (null if not authenticated) |
-| `session`         | `Session \| null`       | Full NextAuth session with tokens                |
+| `session`         | `Session \| null`       | Full Auth.js session with tokens                 |
 | `isLoading`       | `boolean`               | Whether authentication state is loading          |
 | `isAuthenticated` | `boolean`               | Whether user is authenticated                    |
-| `signIn`          | `() => Promise<void>`   | Sign in with Immutable (opens popup)             |
-| `signOut`         | `() => Promise<void>`   | Sign out from both NextAuth and Immutable        |
+| `signIn`          | `(options?) => Promise` | Sign in with Immutable (opens popup)             |
+| `signOut`         | `() => Promise<void>`   | Sign out from both Auth.js and Immutable         |
 | `getAccessToken`  | `() => Promise<string>` | Get a valid access token (refreshes if needed)   |
 | `auth`            | `Auth \| null`          | The underlying Auth instance (for advanced use)  |
 
-**Types:**
-
-| Type                         | Description                      |
-| ---------------------------- | -------------------------------- |
-| `ImmutableAuthProviderProps` | Props for the provider component |
-| `UseImmutableAuthReturn`     | Return type of useImmutableAuth  |
-| `CallbackPageProps`          | Props for CallbackPage component |
-| `ImmutableAuthConfig`        | Re-exported configuration type   |
-| `ImmutableUser`              | Re-exported user type            |
-
 ### Server Exports (`@imtbl/auth-nextjs/server`)
 
-| Export                                   | Description                              |
-| ---------------------------------------- | ---------------------------------------- |
-| `getImmutableSession(req, res, config)`  | Get session server-side                  |
-| `withPageAuthRequired(config, options?)` | HOC for protecting pages with auth check |
-
-**`withPageAuthRequired` Options:**
+| Export                              | Description                                      |
+| ----------------------------------- | ------------------------------------------------ |
+| `createImmutableAuth`               | Re-exported for convenience                      |
+| `createAuthMiddleware(auth, opts?)` | Create middleware for protecting routes          |
+| `withAuth(auth, handler)`           | HOC for protecting Server Actions/Route Handlers |
 
-| Option               | Type                    | Default      | Description                                          |
-| -------------------- | ----------------------- | ------------ | ---------------------------------------------------- |
-| `loginUrl`           | `string`                | `"/login"`   | URL to redirect to when not authenticated            |
-| `returnTo`           | `string \| false`       | current page | URL to redirect to after login (`false` to disable)  |
-| `getServerSideProps` | `(ctx, session) => ...` | -            | Custom getServerSideProps that runs after auth check |
+**`createAuthMiddleware` Options:**
 
-**Example with custom getServerSideProps:**
-
-```typescript
-export const getServerSideProps = withPageAuthRequired(config, {
-  loginUrl: "/auth/signin",
-  async getServerSideProps(ctx, session) {
-    // session is guaranteed to exist here
-    const data = await fetchData(session.accessToken);
-    return { props: { data } };
-  },
-});
-```
-
-**Types:**
-
-| Type                              | Description                               |
-| --------------------------------- | ----------------------------------------- |
-| `WithPageAuthRequiredOptions`     | Basic options for page protection         |
-| `WithPageAuthRequiredFullOptions` | Full options including getServerSideProps |
-| `WithPageAuthRequiredProps`       | Props added to protected pages (session)  |
+| Option           | Type                   | Default    | Description                            |
+| ---------------- | ---------------------- | ---------- | -------------------------------------- |
+| `loginUrl`       | `string`               | `"/login"` | URL to redirect when not authenticated |
+| `protectedPaths` | `(string \| RegExp)[]` | -          | Paths that require authentication      |
+| `publicPaths`    | `(string \| RegExp)[]` | -          | Paths to exclude from protection       |
 
 ## How It Works
 
 1. **Login**: User clicks login → `@imtbl/auth` opens popup → tokens returned
-2. **Session Creation**: Tokens passed to NextAuth's credentials provider → stored in encrypted JWT cookie
-3. **Token Refresh**: NextAuth JWT callback automatically refreshes expired tokens using refresh_token
-4. **SSR**: `getServerSession()` reads and decrypts cookie, providing full session with tokens
+2. **Session Creation**: Tokens passed to Auth.js credentials provider → stored in encrypted JWT cookie
+3. **Token Refresh**: Auth.js JWT callback automatically refreshes expired tokens using refresh_token
+4. **SSR**: `auth()` reads and decrypts cookie, providing full session with tokens
 5. **Auto-hydration**: If localStorage is cleared but session cookie exists, the Auth instance is automatically hydrated from session tokens
 
+## Migration from v4 (Pages Router)
+
+If you're migrating from the Pages Router version:
+
+| v4 (Pages Router)                       | v5 (App Router)                               |
+| --------------------------------------- | --------------------------------------------- |
+| `ImmutableAuth(config)`                 | `createImmutableAuth(config)`                 |
+| `getImmutableSession(req, res, config)` | `auth()` (from createImmutableAuth)           |
+| `withPageAuthRequired(config)`          | `createAuthMiddleware(auth)` or layout checks |
+| `pages/api/auth/[...nextauth].ts`       | `app/api/auth/[...nextauth]/route.ts`         |
+| `pages/_app.tsx` with provider          | `app/layout.tsx` with provider                |
+| `NEXTAUTH_SECRET`                       | `AUTH_SECRET`                                 |
+
 ## License
 
 Apache-2.0

package/dist/node/{chunk-OPPMGNFZ.js → chunk-BRDI4KXS.js}

@@ -1,6 +1,15 @@
+// src/index.ts
+import NextAuthImport from "next-auth";
+
+// src/config.ts
+import CredentialsImport from "next-auth/providers/credentials";
+
 // src/constants.ts
 var DEFAULT_AUTH_DOMAIN = "https://auth.immutable.com";
+var DEFAULT_AUDIENCE = "platform_api";
+var DEFAULT_SCOPE = "openid profile email offline_access transact";
 var IMMUTABLE_PROVIDER_ID = "immutable";
+var DEFAULT_NEXTAUTH_BASE_PATH = "/api/auth";
 var DEFAULT_TOKEN_EXPIRY_SECONDS = 900;
 var DEFAULT_TOKEN_EXPIRY_MS = DEFAULT_TOKEN_EXPIRY_SECONDS * 1e3;
 var TOKEN_EXPIRY_BUFFER_SECONDS = 60;
@@ -68,8 +77,7 @@ function isTokenExpired(accessTokenExpires, bufferSeconds = TOKEN_EXPIRY_BUFFER_
 }
 
 // src/config.ts
-import Credentials from "next-auth/providers/credentials";
-var CredentialsProvider = Credentials.default || Credentials;
+var Credentials = CredentialsImport.default || CredentialsImport;
 async function validateTokens(accessToken, authDomain) {
   try {
     const response = await fetch(`${authDomain}/userinfo`, {
@@ -88,18 +96,18 @@ async function validateTokens(accessToken, authDomain) {
     return null;
   }
 }
-function createAuthOptions(config) {
+function createAuthConfig(config) {
   const authDomain = config.authenticationDomain || DEFAULT_AUTH_DOMAIN;
   return {
     providers: [
-      CredentialsProvider({
+      Credentials({
         id: IMMUTABLE_PROVIDER_ID,
         name: "Immutable",
         credentials: {
           tokens: { label: "Tokens", type: "text" }
         },
         async authorize(credentials) {
-          if (!credentials?.tokens) {
+          if (!credentials?.tokens || typeof credentials.tokens !== "string") {
             return null;
           }
           let tokenData;
@@ -142,6 +150,7 @@ function createAuthOptions(config) {
       })
     ],
     callbacks: {
+      // eslint-disable-next-line @typescript-eslint/no-explicit-any
       async jwt({
         token,
         user,
@@ -162,13 +171,14 @@ function createAuthOptions(config) {
           };
         }
         if (trigger === "update" && sessionUpdate) {
+          const update = sessionUpdate;
           return {
             ...token,
-            ...sessionUpdate.accessToken && { accessToken: sessionUpdate.accessToken },
-            ...sessionUpdate.refreshToken && { refreshToken: sessionUpdate.refreshToken },
-            ...sessionUpdate.idToken && { idToken: sessionUpdate.idToken },
-            ...sessionUpdate.accessTokenExpires && { accessTokenExpires: sessionUpdate.accessTokenExpires },
-            ...sessionUpdate.zkEvm && { zkEvm: sessionUpdate.zkEvm }
+            ...update.accessToken ? { accessToken: update.accessToken } : {},
+            ...update.refreshToken ? { refreshToken: update.refreshToken } : {},
+            ...update.idToken ? { idToken: update.idToken } : {},
+            ...update.accessTokenExpires ? { accessTokenExpires: update.accessTokenExpires } : {},
+            ...update.zkEvm ? { zkEvm: update.zkEvm } : {}
           };
         }
         if (!isTokenExpired(token.accessTokenExpires)) {
@@ -176,10 +186,12 @@ function createAuthOptions(config) {
         }
         return refreshAccessToken(token, config);
       },
+      // eslint-disable-next-line @typescript-eslint/no-explicit-any
       async session({ session, token }) {
         return {
           ...session,
           user: {
+            ...session.user,
             sub: token.sub,
             email: token.email,
             nickname: token.nickname
@@ -197,14 +209,63 @@ function createAuthOptions(config) {
       strategy: "jwt",
       // Session max age in seconds (30 days default)
       maxAge: DEFAULT_SESSION_MAX_AGE_SECONDS
-    },
-    // Use NEXTAUTH_SECRET from environment
-    secret: process.env.NEXTAUTH_SECRET
+    }
+  };
+}
+
+// src/index.ts
+import { MarketingConsentStatus } from "@imtbl/auth";
+var NextAuth = NextAuthImport.default || NextAuthImport;
+function createImmutableAuth(config, overrides) {
+  const authConfig = createAuthConfig(config);
+  if (!overrides) {
+    return NextAuth(authConfig);
+  }
+  const composedCallbacks = {
+    ...authConfig.callbacks
+  };
+  if (overrides.callbacks) {
+    if (overrides.callbacks.jwt) {
+      const internalJwt = authConfig.callbacks?.jwt;
+      const userJwt = overrides.callbacks.jwt;
+      composedCallbacks.jwt = async (params) => {
+        const token = internalJwt ? await internalJwt(params) : params.token;
+        return userJwt({ ...params, token });
+      };
+    }
+    if (overrides.callbacks.session) {
+      const internalSession = authConfig.callbacks?.session;
+      const userSession = overrides.callbacks.session;
+      composedCallbacks.session = async (params) => {
+        const session = internalSession ? await internalSession(params) : params.session;
+        return userSession({ ...params, session });
+      };
+    }
+    if (overrides.callbacks.signIn) {
+      composedCallbacks.signIn = overrides.callbacks.signIn;
+    }
+    if (overrides.callbacks.redirect) {
+      composedCallbacks.redirect = overrides.callbacks.redirect;
+    }
+  }
+  const mergedConfig = {
+    ...authConfig,
+    ...overrides,
+    callbacks: composedCallbacks
   };
+  return NextAuth(mergedConfig);
 }
+var ImmutableAuth = createImmutableAuth;
 
 export {
+  DEFAULT_AUTH_DOMAIN,
+  DEFAULT_AUDIENCE,
+  DEFAULT_SCOPE,
+  DEFAULT_NEXTAUTH_BASE_PATH,
   refreshAccessToken,
   isTokenExpired,
-  createAuthOptions
+  createAuthConfig,
+  createImmutableAuth,
+  ImmutableAuth,
+  MarketingConsentStatus
 };