@imtbl/auth-nextjs 2.12.4-alpha.5 → 2.12.4-alpha.7

package/dist/node/server/index.cjs

@@ -30,13 +30,16 @@ var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: tru
 // src/server/index.ts
 var server_exports = {};
 __export(server_exports, {
-  getImmutableSession: () => getImmutableSession,
-  withPageAuthRequired: () => withPageAuthRequired
+  createAuthConfig: () => createAuthConfig,
+  createAuthMiddleware: () => createAuthMiddleware,
+  createImmutableAuth: () => createImmutableAuth,
+  withAuth: () => withAuth
 });
 module.exports = __toCommonJS(server_exports);
+var import_server = require("next/server");
 
-// src/server/with-page-auth.ts
-var import_next_auth = require("next-auth");
+// src/index.ts
+var import_next_auth = __toESM(require("next-auth"), 1);
 
 // src/config.ts
 var import_credentials = __toESM(require("next-auth/providers/credentials"), 1);
@@ -111,7 +114,7 @@ function isTokenExpired(accessTokenExpires, bufferSeconds = TOKEN_EXPIRY_BUFFER_
 }
 
 // src/config.ts
-var CredentialsProvider = import_credentials.default.default || import_credentials.default;
+var Credentials = import_credentials.default.default || import_credentials.default;
 async function validateTokens(accessToken, authDomain) {
   try {
     const response = await fetch(`${authDomain}/userinfo`, {
@@ -130,18 +133,18 @@ async function validateTokens(accessToken, authDomain) {
     return null;
   }
 }
-function createAuthOptions(config) {
+function createAuthConfig(config) {
   const authDomain = config.authenticationDomain || DEFAULT_AUTH_DOMAIN;
   return {
     providers: [
-      CredentialsProvider({
+      Credentials({
         id: IMMUTABLE_PROVIDER_ID,
         name: "Immutable",
         credentials: {
           tokens: { label: "Tokens", type: "text" }
         },
         async authorize(credentials) {
-          if (!credentials?.tokens) {
+          if (!credentials?.tokens || typeof credentials.tokens !== "string") {
             return null;
           }
           let tokenData;
@@ -184,6 +187,7 @@ function createAuthOptions(config) {
       })
     ],
     callbacks: {
+      // eslint-disable-next-line @typescript-eslint/no-explicit-any
       async jwt({
         token,
         user,
@@ -204,13 +208,14 @@ function createAuthOptions(config) {
           };
         }
         if (trigger === "update" && sessionUpdate) {
+          const update = sessionUpdate;
           return {
             ...token,
-            ...sessionUpdate.accessToken && { accessToken: sessionUpdate.accessToken },
-            ...sessionUpdate.refreshToken && { refreshToken: sessionUpdate.refreshToken },
-            ...sessionUpdate.idToken && { idToken: sessionUpdate.idToken },
-            ...sessionUpdate.accessTokenExpires && { accessTokenExpires: sessionUpdate.accessTokenExpires },
-            ...sessionUpdate.zkEvm && { zkEvm: sessionUpdate.zkEvm }
+            ...update.accessToken ? { accessToken: update.accessToken } : {},
+            ...update.refreshToken ? { refreshToken: update.refreshToken } : {},
+            ...update.idToken ? { idToken: update.idToken } : {},
+            ...update.accessTokenExpires ? { accessTokenExpires: update.accessTokenExpires } : {},
+            ...update.zkEvm ? { zkEvm: update.zkEvm } : {}
           };
         }
         if (!isTokenExpired(token.accessTokenExpires)) {
@@ -218,10 +223,12 @@ function createAuthOptions(config) {
         }
         return refreshAccessToken(token, config);
       },
+      // eslint-disable-next-line @typescript-eslint/no-explicit-any
       async session({ session, token }) {
         return {
           ...session,
           user: {
+            ...session.user,
             sub: token.sub,
             email: token.email,
             nickname: token.nickname
@@ -239,62 +246,103 @@ function createAuthOptions(config) {
       strategy: "jwt",
       // Session max age in seconds (30 days default)
       maxAge: DEFAULT_SESSION_MAX_AGE_SECONDS
-    },
-    // Use NEXTAUTH_SECRET from environment
-    secret: process.env.NEXTAUTH_SECRET
+    }
   };
 }
 
-// src/server/with-page-auth.ts
-async function getImmutableSession(req, res, config) {
-  const authOptions = createAuthOptions(config);
-  return (0, import_next_auth.getServerSession)(req, res, authOptions);
-}
-function withPageAuthRequired(config, options = {}) {
-  const {
-    loginUrl = "/login",
-    returnTo,
-    getServerSideProps: customGetServerSideProps
-  } = options;
-  const authOptions = createAuthOptions(config);
-  return async (ctx) => {
-    const session = await (0, import_next_auth.getServerSession)(ctx.req, ctx.res, authOptions);
-    if (!session) {
-      let destination = loginUrl;
-      if (returnTo !== false) {
-        const returnPath = returnTo || ctx.resolvedUrl;
-        const separator = loginUrl.includes("?") ? "&" : "?";
-        destination = `${loginUrl}${separator}returnTo=${encodeURIComponent(returnPath)}`;
-      }
-      return {
-        redirect: {
-          destination,
-          permanent: false
-        }
+// src/index.ts
+var import_auth = require("@imtbl/auth");
+var NextAuth = import_next_auth.default.default || import_next_auth.default;
+function createImmutableAuth(config, overrides) {
+  const authConfig = createAuthConfig(config);
+  if (!overrides) {
+    return NextAuth(authConfig);
+  }
+  const composedCallbacks = {
+    ...authConfig.callbacks
+  };
+  if (overrides.callbacks) {
+    if (overrides.callbacks.jwt) {
+      const internalJwt = authConfig.callbacks?.jwt;
+      const userJwt = overrides.callbacks.jwt;
+      composedCallbacks.jwt = async (params) => {
+        const token = internalJwt ? await internalJwt(params) : params.token;
+        return userJwt({ ...params, token });
       };
     }
-    if (customGetServerSideProps) {
-      const result = await customGetServerSideProps(ctx, session);
-      if ("redirect" in result || "notFound" in result) {
-        return result;
-      }
-      const userProps = await result.props;
-      return {
-        props: {
-          ...userProps,
-          session
-        }
+    if (overrides.callbacks.session) {
+      const internalSession = authConfig.callbacks?.session;
+      const userSession = overrides.callbacks.session;
+      composedCallbacks.session = async (params) => {
+        const session = internalSession ? await internalSession(params) : params.session;
+        return userSession({ ...params, session });
       };
     }
-    return {
-      props: {
-        session
+    if (overrides.callbacks.signIn) {
+      composedCallbacks.signIn = overrides.callbacks.signIn;
+    }
+    if (overrides.callbacks.redirect) {
+      composedCallbacks.redirect = overrides.callbacks.redirect;
+    }
+  }
+  const mergedConfig = {
+    ...authConfig,
+    ...overrides,
+    callbacks: composedCallbacks
+  };
+  return NextAuth(mergedConfig);
+}
+
+// src/server/index.ts
+function createAuthMiddleware(auth, options = {}) {
+  const { loginUrl = "/login", protectedPaths, publicPaths } = options;
+  return async function middleware(request) {
+    const { pathname } = request.nextUrl;
+    if (publicPaths) {
+      const isPublic = publicPaths.some((pattern) => {
+        if (typeof pattern === "string") {
+          return pathname === pattern || pathname.startsWith(pattern);
+        }
+        return pattern.test(pathname);
+      });
+      if (isPublic) {
+        return import_server.NextResponse.next();
       }
-    };
+    }
+    if (protectedPaths) {
+      const isProtected = protectedPaths.some((pattern) => {
+        if (typeof pattern === "string") {
+          return pathname === pattern || pathname.startsWith(pattern);
+        }
+        return pattern.test(pathname);
+      });
+      if (!isProtected) {
+        return import_server.NextResponse.next();
+      }
+    }
+    const session = await auth();
+    if (!session) {
+      const url = new URL(loginUrl, request.url);
+      const returnTo = request.nextUrl.search ? `${pathname}${request.nextUrl.search}` : pathname;
+      url.searchParams.set("returnTo", returnTo);
+      return import_server.NextResponse.redirect(url);
+    }
+    return import_server.NextResponse.next();
+  };
+}
+function withAuth(auth, handler) {
+  return async (...args) => {
+    const session = await auth();
+    if (!session) {
+      throw new Error("Unauthorized: No active session");
+    }
+    return handler(session, ...args);
   };
 }
 // Annotate the CommonJS export names for ESM import in node:
 0 && (module.exports = {
-  getImmutableSession,
-  withPageAuthRequired
+  createAuthConfig,
+  createAuthMiddleware,
+  createImmutableAuth,
+  withAuth
 });

package/dist/node/server/index.js

@@ -1,57 +1,58 @@
 import {
-  createAuthOptions
-} from "../chunk-OPPMGNFZ.js";
+  createAuthConfig,
+  createImmutableAuth
+} from "../chunk-BRDI4KXS.js";
 
-// src/server/with-page-auth.ts
-import { getServerSession as nextAuthGetServerSession } from "next-auth";
-async function getImmutableSession(req, res, config) {
-  const authOptions = createAuthOptions(config);
-  return nextAuthGetServerSession(req, res, authOptions);
-}
-function withPageAuthRequired(config, options = {}) {
-  const {
-    loginUrl = "/login",
-    returnTo,
-    getServerSideProps: customGetServerSideProps
-  } = options;
-  const authOptions = createAuthOptions(config);
-  return async (ctx) => {
-    const session = await nextAuthGetServerSession(ctx.req, ctx.res, authOptions);
-    if (!session) {
-      let destination = loginUrl;
-      if (returnTo !== false) {
-        const returnPath = returnTo || ctx.resolvedUrl;
-        const separator = loginUrl.includes("?") ? "&" : "?";
-        destination = `${loginUrl}${separator}returnTo=${encodeURIComponent(returnPath)}`;
-      }
-      return {
-        redirect: {
-          destination,
-          permanent: false
+// src/server/index.ts
+import { NextResponse } from "next/server";
+function createAuthMiddleware(auth, options = {}) {
+  const { loginUrl = "/login", protectedPaths, publicPaths } = options;
+  return async function middleware(request) {
+    const { pathname } = request.nextUrl;
+    if (publicPaths) {
+      const isPublic = publicPaths.some((pattern) => {
+        if (typeof pattern === "string") {
+          return pathname === pattern || pathname.startsWith(pattern);
         }
-      };
-    }
-    if (customGetServerSideProps) {
-      const result = await customGetServerSideProps(ctx, session);
-      if ("redirect" in result || "notFound" in result) {
-        return result;
+        return pattern.test(pathname);
+      });
+      if (isPublic) {
+        return NextResponse.next();
       }
-      const userProps = await result.props;
-      return {
-        props: {
-          ...userProps,
-          session
-        }
-      };
     }
-    return {
-      props: {
-        session
+    if (protectedPaths) {
+      const isProtected = protectedPaths.some((pattern) => {
+        if (typeof pattern === "string") {
+          return pathname === pattern || pathname.startsWith(pattern);
+        }
+        return pattern.test(pathname);
+      });
+      if (!isProtected) {
+        return NextResponse.next();
       }
-    };
+    }
+    const session = await auth();
+    if (!session) {
+      const url = new URL(loginUrl, request.url);
+      const returnTo = request.nextUrl.search ? `${pathname}${request.nextUrl.search}` : pathname;
+      url.searchParams.set("returnTo", returnTo);
+      return NextResponse.redirect(url);
+    }
+    return NextResponse.next();
+  };
+}
+function withAuth(auth, handler) {
+  return async (...args) => {
+    const session = await auth();
+    if (!session) {
+      throw new Error("Unauthorized: No active session");
+    }
+    return handler(session, ...args);
   };
 }
 export {
-  getImmutableSession,
-  withPageAuthRequired
+  createAuthConfig,
+  createAuthMiddleware,
+  createImmutableAuth,
+  withAuth
 };

package/dist/types/client/callback.d.ts

@@ -1,14 +1,30 @@
 import React from 'react';
-import type { ImmutableAuthConfig } from '../types';
+import type { ImmutableAuthConfig, ImmutableUser } from '../types';
 export interface CallbackPageProps {
     /**
      * Immutable auth configuration
      */
     config: ImmutableAuthConfig;
     /**
-     * URL to redirect to after successful authentication (when not in popup)
+     * URL to redirect to after successful authentication (when not in popup).
+     * Can be a string or a function that receives the authenticated user.
+     * If a function returns void/undefined, defaults to "/".
+     * @default "/"
+     *
+     * @example Static redirect
+     * ```tsx
+     * <CallbackPage config={config} redirectTo="/dashboard" />
+     * ```
+     *
+     * @example Dynamic redirect based on user
+     * ```tsx
+     * <CallbackPage
+     *   config={config}
+     *   redirectTo={(user) => user.email?.endsWith('@admin.com') ? '/admin' : '/dashboard'}
+     * />
+     * ```
      */
-    redirectTo?: string;
+    redirectTo?: string | ((user: ImmutableUser) => string | void);
     /**
      * Custom loading component
      */
@@ -17,21 +33,39 @@ export interface CallbackPageProps {
      * Custom error component
      */
     errorComponent?: (error: string) => React.ReactElement | null;
+    /**
+     * Callback fired after successful authentication.
+     * Receives the authenticated user as a parameter.
+     * Called before redirect (non-popup) or before window.close (popup).
+     * If this callback returns a Promise, it will be awaited before proceeding.
+     */
+    onSuccess?: (user: ImmutableUser) => void | Promise<void>;
+    /**
+     * Callback fired when authentication fails.
+     * Receives the error message as a parameter.
+     * Called before the error UI is displayed.
+     */
+    onError?: (error: string) => void;
 }
 /**
- * Callback page component for handling OAuth redirects.
+ * Callback page component for handling OAuth redirects (App Router version).
  *
  * Use this in your callback page to process authentication responses.
  *
  * @example
  * ```tsx
- * // pages/callback.tsx
+ * // app/callback/page.tsx
+ * "use client";
  * import { CallbackPage } from "@imtbl/auth-nextjs/client";
- * import { immutableConfig } from "@/lib/auth-nextjs";
+ *
+ * const config = {
+ *   clientId: process.env.NEXT_PUBLIC_IMMUTABLE_CLIENT_ID!,
+ *   redirectUri: `${process.env.NEXT_PUBLIC_BASE_URL}/callback`,
+ * };
  *
  * export default function Callback() {
- *   return <CallbackPage config={immutableConfig} />;
+ *   return <CallbackPage config={config} />;
  * }
  * ```
  */
-export declare function CallbackPage({ config, redirectTo, loadingComponent, errorComponent, }: CallbackPageProps): import("react/jsx-runtime").JSX.Element | null;
+export declare function CallbackPage({ config, redirectTo, loadingComponent, errorComponent, onSuccess, onError, }: CallbackPageProps): import("react/jsx-runtime").JSX.Element | null;

package/dist/types/client/provider.d.ts

@@ -1,12 +1,13 @@
 import type { ImmutableAuthProviderProps, UseImmutableAuthReturn } from '../types';
 /**
- * Provider component for Immutable authentication with NextAuth
+ * Provider component for Immutable authentication with Auth.js v5
  *
  * Wraps your app to provide authentication state via useImmutableAuth hook.
  *
- * @example
+ * @example App Router (recommended)
  * ```tsx
- * // pages/_app.tsx
+ * // app/providers.tsx
+ * "use client";
  * import { ImmutableAuthProvider } from "@imtbl/auth-nextjs/client";
  *
  * const config = {
@@ -14,13 +15,26 @@ import type { ImmutableAuthProviderProps, UseImmutableAuthReturn } from '../type
  *   redirectUri: `${process.env.NEXT_PUBLIC_BASE_URL}/callback`,
  * };
  *
- * export default function App({ Component, pageProps }: AppProps) {
+ * export function Providers({ children }: { children: React.ReactNode }) {
  *   return (
- *     <ImmutableAuthProvider config={config} session={pageProps.session}>
- *       <Component {...pageProps} />
+ *     <ImmutableAuthProvider config={config}>
+ *       {children}
  *     </ImmutableAuthProvider>
  *   );
  * }
+ *
+ * // app/layout.tsx
+ * import { Providers } from "./providers";
+ *
+ * export default function RootLayout({ children }: { children: React.ReactNode }) {
+ *   return (
+ *     <html>
+ *       <body>
+ *         <Providers>{children}</Providers>
+ *       </body>
+ *     </html>
+ *   );
+ * }
  * ```
  */
 export declare function ImmutableAuthProvider({ children, config, session, basePath, }: ImmutableAuthProviderProps): import("react/jsx-runtime").JSX.Element;

package/dist/types/config.d.ts

@@ -1,23 +1,21 @@
-import type { NextAuthOptions } from 'next-auth';
+import type { NextAuthConfig } from 'next-auth';
 import type { ImmutableAuthConfig } from './types';
 /**
- * Create NextAuth options configured for Immutable authentication
+ * Create Auth.js v5 configuration for Immutable authentication
  *
  * @example
  * ```typescript
  * // lib/auth.ts
- * import { createAuthOptions } from "@imtbl/auth-nextjs";
+ * import NextAuth from "next-auth";
+ * import { createAuthConfig } from "@imtbl/auth-nextjs";
  *
- * export const authOptions = createAuthOptions({
+ * const config = {
  *   clientId: process.env.NEXT_PUBLIC_IMMUTABLE_CLIENT_ID!,
  *   redirectUri: `${process.env.NEXT_PUBLIC_BASE_URL}/callback`,
- * });
- *
- * // pages/api/auth/[...nextauth].ts
- * import NextAuth from "next-auth";
- * import { authOptions } from "@/lib/auth";
+ * };
  *
- * export default NextAuth(authOptions);
+ * export const { handlers, auth, signIn, signOut } = NextAuth(createAuthConfig(config));
  * ```
  */
-export declare function createAuthOptions(config: ImmutableAuthConfig): NextAuthOptions;
+export declare function createAuthConfig(config: ImmutableAuthConfig): NextAuthConfig;
+export declare const createAuthOptions: typeof createAuthConfig;

package/dist/types/index.d.ts

@@ -1,15 +1,22 @@
-import { type NextAuthOptions } from 'next-auth';
+import NextAuthImport from 'next-auth';
+import type { NextAuthConfig } from 'next-auth';
 import type { ImmutableAuthConfig } from './types';
+declare const NextAuth: typeof NextAuthImport;
 /**
- * NextAuth options that can be overridden.
+ * Auth.js v5 config options that can be overridden.
  * Excludes 'providers' as that's managed internally.
  */
-export type ImmutableAuthOverrides = Omit<NextAuthOptions, 'providers'>;
+export type ImmutableAuthOverrides = Omit<NextAuthConfig, 'providers'>;
 /**
- * Create a NextAuth handler with Immutable authentication
+ * Return type of createImmutableAuth - the NextAuth instance with handlers
+ */
+export type ImmutableAuthResult = ReturnType<typeof NextAuth>;
+/**
+ * Create an Auth.js v5 instance with Immutable authentication
  *
  * @param config - Immutable auth configuration
- * @param overrides - Optional NextAuth options to override defaults
+ * @param overrides - Optional Auth.js options to override defaults
+ * @returns NextAuth instance with { handlers, auth, signIn, signOut }
  *
  * @remarks
  * Callback composition: The `jwt` and `session` callbacks are composed rather than
@@ -17,20 +24,24 @@ export type ImmutableAuthOverrides = Omit<NextAuthOptions, 'providers'>;
  * your custom callbacks receive the result. Other callbacks (`signIn`, `redirect`)
  * are replaced entirely if provided.
  *
- * @example Basic usage
+ * @example Basic usage (App Router)
  * ```typescript
- * // pages/api/auth/[...nextauth].ts
- * import { ImmutableAuth } from "@imtbl/auth-nextjs";
+ * // lib/auth.ts
+ * import { createImmutableAuth } from "@imtbl/auth-nextjs";
  *
- * export default ImmutableAuth({
+ * export const { handlers, auth, signIn, signOut } = createImmutableAuth({
  *   clientId: process.env.NEXT_PUBLIC_IMMUTABLE_CLIENT_ID!,
  *   redirectUri: `${process.env.NEXT_PUBLIC_BASE_URL}/callback`,
  * });
+ *
+ * // app/api/auth/[...nextauth]/route.ts
+ * import { handlers } from "@/lib/auth";
+ * export const { GET, POST } = handlers;
  * ```
  *
- * @example With NextAuth overrides
+ * @example With Auth.js overrides
  * ```typescript
- * export default ImmutableAuth(
+ * export const { handlers, auth } = createImmutableAuth(
  *   { clientId: "...", redirectUri: "..." },
  *   {
  *     pages: { signIn: "/custom-login", error: "/auth-error" },
@@ -41,7 +52,7 @@ export type ImmutableAuthOverrides = Omit<NextAuthOptions, 'providers'>;
  *
  * @example With custom jwt callback (composed with internal callback)
  * ```typescript
- * export default ImmutableAuth(
+ * export const { handlers, auth } = createImmutableAuth(
  *   { clientId: "...", redirectUri: "..." },
  *   {
  *     callbacks: {
@@ -56,8 +67,11 @@ export type ImmutableAuthOverrides = Omit<NextAuthOptions, 'providers'>;
  * );
  * ```
  */
-export declare function ImmutableAuth(config: ImmutableAuthConfig, overrides?: ImmutableAuthOverrides): any;
-export type { ImmutableAuthConfig, ImmutableTokenData, ImmutableUser, ZkEvmInfo, WithPageAuthRequiredOptions, } from './types';
+export declare function createImmutableAuth(config: ImmutableAuthConfig, overrides?: ImmutableAuthOverrides): ImmutableAuthResult;
+export declare const ImmutableAuth: typeof createImmutableAuth;
+export { createAuthConfig } from './config';
+export type { ImmutableAuthConfig, ImmutableTokenData, ImmutableUser, ZkEvmInfo, } from './types';
 export type { LoginOptions, DirectLoginOptions } from '@imtbl/auth';
 export { MarketingConsentStatus } from '@imtbl/auth';
 export { refreshAccessToken, isTokenExpired } from './refresh';
+export { DEFAULT_AUTH_DOMAIN, DEFAULT_AUDIENCE, DEFAULT_SCOPE, DEFAULT_NEXTAUTH_BASE_PATH, } from './constants';

package/dist/types/refresh.d.ts

@@ -2,7 +2,7 @@ import type { JWT } from 'next-auth/jwt';
 import type { ImmutableAuthConfig } from './types';
 /**
  * Refresh the access token using the refresh token
- * Called by NextAuth JWT callback when token is expired
+ * Called by Auth.js JWT callback when token is expired
  */
 export declare function refreshAccessToken(token: JWT, config: ImmutableAuthConfig): Promise<JWT>;
 /**