npm - @inai-dev/nextjs - Versions diffs - 0.1.0 → 1.1.0 - Mend

@inai-dev/nextjs 0.1.0 → 1.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (18) hide show

package/README.md CHANGED Viewed

@@ -1,6 +1,6 @@
 # @inai-dev/nextjs
-Full Next.js integration for InAI Auth. Includes middleware, server-side helpers, API route handlers, and re-exports all React hooks/components.
+Full Next.js integration for InAI Auth. Includes middleware, server-side auth helpers, API route handlers, React hooks, and UI components.
 ## Installation
@@ -8,72 +8,410 @@ Full Next.js integration for InAI Auth. Includes middleware, server-side helpers
 npm install @inai-dev/nextjs
 ```
-## Setup
-### 1. Environment Variables
+## Environment Variables
 ```env
+# Required — your publishable key (client-side accessible)
 NEXT_PUBLIC_INAI_PUBLISHABLE_KEY=pk_live_...
-INAI_SECRET_KEY=sk_live_...
+# Optional — API URL overrides (defaults to https://apiauth.inai.dev)
+INAI_API_URL=https://apiauth.inai.dev
+NEXT_PUBLIC_INAI_API_URL=https://apiauth.inai.dev
 ```
-### 2. Middleware
+The API URL is resolved in this order:
+1. Explicit config via `configureAuth({ apiUrl: "..." })`
+2. `INAI_API_URL` or `NEXT_PUBLIC_INAI_API_URL` environment variable
+3. Default: `https://apiauth.inai.dev`
+## Setup
+### 1. Middleware
 ```ts
 // middleware.ts
-import { authMiddleware } from "@inai-dev/nextjs/middleware";
+import { inaiAuthMiddleware } from "@inai-dev/nextjs/middleware";
-export default authMiddleware({
-  publishableKey: process.env.NEXT_PUBLIC_INAI_PUBLISHABLE_KEY!,
-  publicRoutes: ["/", "/about", "/sign-in"],
+export default inaiAuthMiddleware({
+  publicRoutes: ["/", "/about", "/login"],
+  signInUrl: "/login",
 });
 export const config = { matcher: ["/((?!_next|static|favicon.ico).*)"] };
 ```
-### 3. Provider
+### 2. Provider
 ```tsx
 // app/layout.tsx
-import { InAIProvider } from "@inai-dev/nextjs";
+import { InAIAuthProvider } from "@inai-dev/nextjs";
-export default function RootLayout({ children }) {
-  return <InAIProvider>{children}</InAIProvider>;
+export default function RootLayout({ children }: { children: React.ReactNode }) {
+  return (
+    <html>
+      <body>
+        <InAIAuthProvider>{children}</InAIAuthProvider>
+      </body>
+    </html>
+  );
 }
 ```
-### 4. Server-Side Auth
+### 3. API Routes
+```ts
+// app/api/auth/[...inai]/route.ts
+import { createAuthRoutes } from "@inai-dev/nextjs/server";
+export const { GET, POST } = createAuthRoutes();
+```
+Handles the following endpoints automatically:
+- `POST /api/auth/login` — User login
+- `POST /api/auth/register` — User registration
+- `POST /api/auth/mfa-challenge` — MFA verification
+- `POST /api/auth/refresh` — Token refresh
+- `POST /api/auth/logout` — User logout
+#### Platform API Routes
+For multi-tenant platform authentication:
+```ts
+// app/api/auth/[...inai]/route.ts
+import { createPlatformAuthRoutes } from "@inai-dev/nextjs/server";
+export const { GET, POST } = createPlatformAuthRoutes();
+```
+## Server-Side Auth
+### `auth()`
+Returns a `ServerAuthObject` with the current authentication state.
 ```ts
-// app/dashboard/page.tsx
 import { auth } from "@inai-dev/nextjs/server";
 export default async function Dashboard() {
-  const session = await auth();
-  if (!session) redirect("/sign-in");
-  return <p>Welcome {session.user.email}</p>;
+  const { userId, has, protect, redirectToSignIn, getToken } = await auth();
+  // Check if user is authenticated
+  if (!userId) {
+    redirectToSignIn({ returnTo: "/dashboard" });
+  }
+  // Check roles/permissions
+  if (has({ role: "admin" })) {
+    // admin-only logic
+  }
+  // Protect — throws redirect if unauthorized
+  const authed = protect({ permission: "posts:write" });
+  // Get the access token
+  const token = await getToken();
+  return <p>User: {userId}</p>;
 }
 ```
-### 5. API Route Handlers
+**`ServerAuthObject`:**
+| Property | Type | Description |
+|---|---|---|
+| `userId` | `string \| null` | Current user ID |
+| `tenantId` | `string \| null` | Tenant ID |
+| `appId` | `string \| null` | Application ID |
+| `envId` | `string \| null` | Environment ID |
+| `orgId` | `string \| null` | Active organization ID |
+| `orgRole` | `string \| null` | Role in active organization |
+| `sessionId` | `string \| null` | Session ID |
+| `getToken()` | `() => Promise<string \| null>` | Get the access token |
+| `has(params)` | `({ role?, permission? }) => boolean` | Check role or permission |
+| `protect(params?)` | `({ role?, permission?, redirectTo? }) => ProtectedAuthObject` | Assert auth or redirect |
+| `redirectToSignIn(opts?)` | `({ returnTo? }) => never` | Redirect to sign-in page |
+### `currentUser()`
+Returns the full user object, or `null` if not authenticated.
 ```ts
-// app/api/auth/[...inai]/route.ts
-import { handleAuthRoutes } from "@inai-dev/nextjs";
-export const { GET, POST } = handleAuthRoutes();
+import { currentUser } from "@inai-dev/nextjs/server";
+export default async function Profile() {
+  const user = await currentUser();
+  if (!user) return null;
+  return <p>{user.email}</p>;
+}
+// Force a fresh fetch from the API (bypasses cached session)
+const freshUser = await currentUser({ fresh: true });
+```
+## React Hooks
+All hooks are imported from `@inai-dev/nextjs`.
+### `useAuth()`
+```ts
+const { isLoaded, isSignedIn, userId, has, signOut } = useAuth();
+has({ role: "admin" });       // check role
+has({ permission: "read" });  // check permission
+await signOut();
+```
+### `useUser()`
+```ts
+const { isLoaded, isSignedIn, user } = useUser();
+// user: UserResource | null
+```
+### `useSession()`
+```ts
+const { isLoaded, isSignedIn, userId, tenantId, orgId, orgRole } = useSession();
+```
+### `useOrganization()`
+```ts
+const { isLoaded, orgId, orgRole } = useOrganization();
+```
+### `useSignIn()`
+```ts
+const { signIn, isLoading, error, status, reset } = useSignIn();
+await signIn.create({ identifier: "user@example.com", password: "..." });
+// status: "idle" | "loading" | "needs_mfa" | "complete" | "error"
+// MFA flow
+await signIn.attemptMFA({ code: "123456" });
+```
+### `useSignUp()`
+```ts
+const { signUp, isLoading, error, status, reset } = useSignUp();
+await signUp.create({
+  email: "user@example.com",
+  password: "...",
+  firstName: "Jane",
+  lastName: "Doe",
+});
+// status: "idle" | "loading" | "needs_email_verification" | "complete" | "error"
+```
+## React Components
+All components are imported from `@inai-dev/nextjs`.
+### `<Protect>`
+Renders children only if the user has the required role or permission.
+```tsx
+<Protect role="admin" fallback={<p>Access denied</p>}>
+  <AdminPanel />
+</Protect>
+<Protect permission="posts:write">
+  <Editor />
+</Protect>
+```
+### `<SignedIn>` / `<SignedOut>`
+Conditional rendering based on authentication state.
+```tsx
+<SignedIn>
+  <p>Welcome back!</p>
+</SignedIn>
+<SignedOut>
+  <p>Please sign in.</p>
+</SignedOut>
+```
+### `<PermissionGate>`
+Permission-based access control.
+```tsx
+<PermissionGate permission="billing:manage" fallback={<p>No access</p>}>
+  <BillingSettings />
+</PermissionGate>
+```
+### `<UserButton>`
+User profile menu with avatar and dropdown.
+```tsx
+<UserButton
+  afterSignOutUrl="/"
+  showName
+  menuItems={[{ label: "Settings", onClick: () => router.push("/settings") }]}
+  appearance={{ buttonSize: 36, buttonBg: "#1a1a2e" }}
+/>
+```
+### `<SignIn>`
+Sign-in form with MFA support.
+```tsx
+<SignIn
+  redirectUrl="/dashboard"
+  onSuccess={() => console.log("Signed in!")}
+  onMFARequired={(mfaToken) => router.push("/mfa")}
+/>
+```
+### `<OrganizationSwitcher>`
+Organization switching dropdown.
+```tsx
+<OrganizationSwitcher />
+```
+## Advanced Configuration
+### `configureAuth()` / `getAuthConfig()`
+Set global configuration early in your app (e.g., in `layout.tsx` or a server initialization file).
+```ts
+import { configureAuth, getAuthConfig } from "@inai-dev/nextjs/server";
+configureAuth({
+  signInUrl: "/login",
+  signUpUrl: "/register",
+  afterSignInUrl: "/dashboard",
+  afterSignOutUrl: "/",
+  apiUrl: "https://apiauth.inai.dev",
+  publishableKey: "pk_live_...",
+});
+const config = getAuthConfig();
+// { signInUrl, signUpUrl, afterSignInUrl, afterSignOutUrl, apiUrl, publishableKey }
+```
+### `createRouteMatcher()`
+Create a reusable route matcher for middleware logic.
+```ts
+import { createRouteMatcher } from "@inai-dev/nextjs/middleware";
+const isPublic = createRouteMatcher(["/", "/about", "/api/(.*)"]);
+const isAdmin = createRouteMatcher(["/admin(.*)"]);
+```
+### `withInAIAuth()`
+Compose InAI auth with your existing middleware.
+```ts
+import { withInAIAuth } from "@inai-dev/nextjs/middleware";
+export default withInAIAuth(
+  (req) => {
+    // Your custom middleware logic
+    return NextResponse.next();
+  },
+  {
+    publicRoutes: ["/", "/login"],
+    signInUrl: "/login",
+    beforeAuth: (req) => {
+      // Runs before auth check
+    },
+    afterAuth: (auth, req) => {
+      // Runs after auth check
+      if (auth.userId && req.nextUrl.pathname === "/login") {
+        return NextResponse.redirect(new URL("/dashboard", req.url));
+      }
+    },
+  }
+);
 ```
-## Exports
+## Exports Reference
-- `@inai-dev/nextjs` — Provider, React hooks, API route handler
-- `@inai-dev/nextjs/server` — `auth()`, `currentUser()`, server-side helpers
-- `@inai-dev/nextjs/middleware` — `authMiddleware()`
+### `@inai-dev/nextjs`
-## Documentation
+| Export | Kind | Description |
+|---|---|---|
+| `InAIAuthProvider` | Component | Auth context provider |
+| `Protect` | Component | Role/permission gate |
+| `SignedIn` | Component | Renders when signed in |
+| `SignedOut` | Component | Renders when signed out |
+| `PermissionGate` | Component | Permission-based gate |
+| `UserButton` | Component | User profile menu |
+| `SignIn` | Component | Sign-in form |
+| `OrganizationSwitcher` | Component | Org switcher |
+| `useAuth` | Hook | Auth state & actions |
+| `useUser` | Hook | User data |
+| `useSession` | Hook | Session info |
+| `useOrganization` | Hook | Organization data |
+| `useSignIn` | Hook | Sign-in flow |
+| `useSignUp` | Hook | Sign-up flow |
+| `COOKIE_AUTH_TOKEN` | Constant | `"auth_token"` |
+| `COOKIE_REFRESH_TOKEN` | Constant | `"refresh_token"` |
+| `COOKIE_AUTH_SESSION` | Constant | `"auth_session"` |
-- [Getting Started](https://github.com/inai-dev/sdk/blob/main/docs/getting-started.md)
-- [Next.js Integration](https://github.com/inai-dev/sdk/blob/main/docs/nextjs-integration.md)
-- [API Reference](https://github.com/inai-dev/sdk/blob/main/docs/api-reference.md)
+### `@inai-dev/nextjs/server`
+| Export | Kind | Description |
+|---|---|---|
+| `auth` | Function | Get `ServerAuthObject` |
+| `currentUser` | Function | Get current user |
+| `createAuthRoutes` | Function | App user auth routes |
+| `createPlatformAuthRoutes` | Function | Platform auth routes |
+| `configureAuth` | Function | Set global config |
+| `getAuthConfig` | Function | Get resolved config |
+| `setAuthCookies` | Function | Set auth cookies |
+| `clearAuthCookies` | Function | Clear auth cookies |
+| `getAuthTokenFromCookies` | Function | Get access token |
+| `getRefreshTokenFromCookies` | Function | Get refresh token |
+### `@inai-dev/nextjs/middleware`
+| Export | Kind | Description |
+|---|---|---|
+| `inaiAuthMiddleware` | Function | Auth middleware |
+| `withInAIAuth` | Function | Compose middleware |
+| `createRouteMatcher` | Function | Route pattern matcher |
+## Exported Types
+```ts
+import type {
+  AuthObject,
+  ServerAuthObject,
+  ProtectedAuthObject,
+  UserResource,
+  PlatformUserResource,
+  SessionResource,
+  OrganizationResource,
+  InAIAuthConfig,
+  InAIAuthErrorBody,
+  SignInResult,
+  SignUpResult,
+} from "@inai-dev/nextjs";
+import type {
+  InAIMiddlewareConfig,
+} from "@inai-dev/nextjs/middleware";
+```
 ## License

package/dist/index.cjs.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"sources":["../src/index.ts"],"sourcesContent":["// Re-export all React hooks, components, and providers\nexport {\n InAIAuthProvider,\n useAuth,\n useUser,\n useSession,\n useOrganization,\n useSignIn,\n useSignUp,\n Protect,\n SignedIn,\n SignedOut,\n PermissionGate,\n UserButton,\n SignIn,\n OrganizationSwitcher,\n} from \"@inai-dev/react\";\n\n// Cookie constants\nexport {\n COOKIE_AUTH_TOKEN,\n COOKIE_REFRESH_TOKEN,\n COOKIE_AUTH_SESSION,\n} from \"@inai-dev/shared\";\n\n// Re-export types\nexport type {\n AuthObject,\n ServerAuthObject,\n ProtectedAuthObject,\n UserResource,\n SessionResource,\n OrganizationResource,\n InAIAuthConfig,\n InAIAuthErrorBody,\n SignInResult,\n SignUpResult,\n} from \"@inai-dev/types\";\n"],"mappings":";;;;;;;;;;;;;;;;;;;;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AACA,mBAeO;AAGP,oBAIO;","names":[]}
1	+ {"version":3,"sources":["../src/index.ts"],"sourcesContent":["// Re-export all React hooks, components, and providers\nexport {\n InAIAuthProvider,\n useAuth,\n useUser,\n useSession,\n useOrganization,\n useSignIn,\n useSignUp,\n Protect,\n SignedIn,\n SignedOut,\n PermissionGate,\n UserButton,\n SignIn,\n OrganizationSwitcher,\n} from \"@inai-dev/react\";\n\n// Cookie constants\nexport {\n COOKIE_AUTH_TOKEN,\n COOKIE_REFRESH_TOKEN,\n COOKIE_AUTH_SESSION,\n} from \"@inai-dev/shared\";\n\n// Re-export types\nexport type {\n AuthObject,\n ServerAuthObject,\n ProtectedAuthObject,\n UserResource,\n PlatformUserResource,\n SessionResource,\n OrganizationResource,\n InAIAuthConfig,\n InAIAuthErrorBody,\n SignInResult,\n SignUpResult,\n} from \"@inai-dev/types\";\n"],"mappings":";;;;;;;;;;;;;;;;;;;;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AACA,mBAeO;AAGP,oBAIO;","names":[]}

package/dist/index.d.cts CHANGED Viewed

@@ -1,3 +1,3 @@
 export { InAIAuthProvider, OrganizationSwitcher, PermissionGate, Protect, SignIn, SignedIn, SignedOut, UserButton, useAuth, useOrganization, useSession, useSignIn, useSignUp, useUser } from '@inai-dev/react';
 export { COOKIE_AUTH_SESSION, COOKIE_AUTH_TOKEN, COOKIE_REFRESH_TOKEN } from '@inai-dev/shared';
-export { AuthObject, InAIAuthConfig, InAIAuthErrorBody, OrganizationResource, ProtectedAuthObject, ServerAuthObject, SessionResource, SignInResult, SignUpResult, UserResource } from '@inai-dev/types';
+export { AuthObject, InAIAuthConfig, InAIAuthErrorBody, OrganizationResource, PlatformUserResource, ProtectedAuthObject, ServerAuthObject, SessionResource, SignInResult, SignUpResult, UserResource } from '@inai-dev/types';

package/dist/index.d.ts CHANGED Viewed

@@ -1,3 +1,3 @@
 export { InAIAuthProvider, OrganizationSwitcher, PermissionGate, Protect, SignIn, SignedIn, SignedOut, UserButton, useAuth, useOrganization, useSession, useSignIn, useSignUp, useUser } from '@inai-dev/react';
 export { COOKIE_AUTH_SESSION, COOKIE_AUTH_TOKEN, COOKIE_REFRESH_TOKEN } from '@inai-dev/shared';
-export { AuthObject, InAIAuthConfig, InAIAuthErrorBody, OrganizationResource, ProtectedAuthObject, ServerAuthObject, SessionResource, SignInResult, SignUpResult, UserResource } from '@inai-dev/types';
+export { AuthObject, InAIAuthConfig, InAIAuthErrorBody, OrganizationResource, PlatformUserResource, ProtectedAuthObject, ServerAuthObject, SessionResource, SignInResult, SignUpResult, UserResource } from '@inai-dev/types';

package/dist/index.js.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"sources":["../src/index.ts"],"sourcesContent":["// Re-export all React hooks, components, and providers\nexport {\n InAIAuthProvider,\n useAuth,\n useUser,\n useSession,\n useOrganization,\n useSignIn,\n useSignUp,\n Protect,\n SignedIn,\n SignedOut,\n PermissionGate,\n UserButton,\n SignIn,\n OrganizationSwitcher,\n} from \"@inai-dev/react\";\n\n// Cookie constants\nexport {\n COOKIE_AUTH_TOKEN,\n COOKIE_REFRESH_TOKEN,\n COOKIE_AUTH_SESSION,\n} from \"@inai-dev/shared\";\n\n// Re-export types\nexport type {\n AuthObject,\n ServerAuthObject,\n ProtectedAuthObject,\n UserResource,\n SessionResource,\n OrganizationResource,\n InAIAuthConfig,\n InAIAuthErrorBody,\n SignInResult,\n SignUpResult,\n} from \"@inai-dev/types\";\n"],"mappings":";;;AACA;AAAA,EACE;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,OACK;AAGP;AAAA,EACE;AAAA,EACA;AAAA,EACA;AAAA,OACK;","names":[]}
1	+ {"version":3,"sources":["../src/index.ts"],"sourcesContent":["// Re-export all React hooks, components, and providers\nexport {\n InAIAuthProvider,\n useAuth,\n useUser,\n useSession,\n useOrganization,\n useSignIn,\n useSignUp,\n Protect,\n SignedIn,\n SignedOut,\n PermissionGate,\n UserButton,\n SignIn,\n OrganizationSwitcher,\n} from \"@inai-dev/react\";\n\n// Cookie constants\nexport {\n COOKIE_AUTH_TOKEN,\n COOKIE_REFRESH_TOKEN,\n COOKIE_AUTH_SESSION,\n} from \"@inai-dev/shared\";\n\n// Re-export types\nexport type {\n AuthObject,\n ServerAuthObject,\n ProtectedAuthObject,\n UserResource,\n PlatformUserResource,\n SessionResource,\n OrganizationResource,\n InAIAuthConfig,\n InAIAuthErrorBody,\n SignInResult,\n SignUpResult,\n} from \"@inai-dev/types\";\n"],"mappings":";;;AACA;AAAA,EACE;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,OACK;AAGP;AAAA,EACE;AAAA,EACA;AAAA,EACA;AAAA,OACK;","names":[]}

package/dist/middleware.cjs CHANGED Viewed

@@ -75,28 +75,73 @@ function buildAuthObject(token, claims) {
     }
   };
 }
-async function runAuthCheck(req, signInUrl) {
+async function runAuthCheck(req, signInUrl, apiUrl) {
   const { pathname } = req.nextUrl;
   const token = req.cookies.get(import_shared.COOKIE_AUTH_TOKEN)?.value;
   if (!token || (0, import_shared.isTokenExpired)(token)) {
     const refreshToken = req.cookies.get(import_shared.COOKIE_REFRESH_TOKEN)?.value;
     if (refreshToken) {
       try {
-        const refreshUrl = new URL("/api/auth/refresh", req.url);
-        const refreshRes = await fetch(refreshUrl.toString(), {
-          method: "POST",
-          headers: {
-            "Content-Type": "application/json",
-            Cookie: req.headers.get("cookie") ?? ""
+        if (apiUrl) {
+          const refreshRes = await fetch(`${apiUrl}/api/platform/auth/refresh`, {
+            method: "POST",
+            headers: { "Content-Type": "application/json" },
+            body: JSON.stringify({ refresh_token: refreshToken })
+          });
+          if (refreshRes.ok) {
+            const newTokens = await refreshRes.json();
+            const meRes = await fetch(`${apiUrl}/api/platform/auth/me`, {
+              headers: { Authorization: `Bearer ${newTokens.access_token}` }
+            });
+            if (meRes.ok) {
+              const meData = await meRes.json();
+              const newUser = meData.data ?? meData;
+              const isProduction = process.env.NODE_ENV === "production";
+              const response2 = import_server.NextResponse.next();
+              response2.cookies.set(import_shared.COOKIE_AUTH_TOKEN, newTokens.access_token, {
+                httpOnly: true,
+                secure: isProduction,
+                sameSite: "lax",
+                path: "/",
+                maxAge: newTokens.expires_in
+              });
+              response2.cookies.set(import_shared.COOKIE_REFRESH_TOKEN, newTokens.refresh_token, {
+                httpOnly: true,
+                secure: isProduction,
+                sameSite: "strict",
+                path: "/api/auth",
+                maxAge: 7 * 24 * 60 * 60
+              });
+              response2.cookies.set(import_shared.COOKIE_AUTH_SESSION, JSON.stringify({
+                user: newUser,
+                expiresAt: new Date(Date.now() + newTokens.expires_in * 1e3).toISOString()
+              }), {
+                httpOnly: false,
+                secure: isProduction,
+                sameSite: "lax",
+                path: "/",
+                maxAge: newTokens.expires_in
+              });
+              return { authObj: null, response: response2 };
+            }
           }
-        });
-        if (refreshRes.ok) {
-          const response2 = import_server.NextResponse.next();
-          const setCookies = refreshRes.headers.getSetCookie?.() ?? [];
-          for (const cookie of setCookies) {
-            response2.headers.append("Set-Cookie", cookie);
+        } else {
+          const refreshUrl = new URL("/api/auth/refresh", req.url);
+          const refreshRes = await fetch(refreshUrl.toString(), {
+            method: "POST",
+            headers: {
+              "Content-Type": "application/json",
+              Cookie: req.headers.get("cookie") ?? ""
+            }
+          });
+          if (refreshRes.ok) {
+            const response2 = import_server.NextResponse.next();
+            const setCookies = refreshRes.headers.getSetCookie?.() ?? [];
+            for (const cookie of setCookies) {
+              response2.headers.append("Set-Cookie", cookie);
+            }
+            return { authObj: null, response: response2 };
           }
-          return { authObj: null, response: response2 };
         }
       } catch {
       }
@@ -126,6 +171,7 @@ async function runAuthCheck(req, signInUrl) {
 }
 function inaiAuthMiddleware(config = {}) {
   const {
+    apiUrl = import_shared.DEFAULT_API_URL,
     publicRoutes = [],
     signInUrl = "/login",
     beforeAuth,
@@ -140,7 +186,7 @@ function inaiAuthMiddleware(config = {}) {
     if (isPublicRoute(req, publicRoutes, builtinPublic)) {
       return import_server.NextResponse.next();
     }
-    const { authObj, response } = await runAuthCheck(req, signInUrl);
+    const { authObj, response } = await runAuthCheck(req, signInUrl, apiUrl);
     if (response) return response;
     if (!authObj)
       return import_server.NextResponse.redirect(new URL(signInUrl, req.url));
@@ -153,6 +199,7 @@ function inaiAuthMiddleware(config = {}) {
 }
 function withInAIAuth(wrappedMiddleware, config = {}) {
   const {
+    apiUrl = import_shared.DEFAULT_API_URL,
     publicRoutes = [],
     signInUrl = "/login",
     beforeAuth,
@@ -166,7 +213,7 @@ function withInAIAuth(wrappedMiddleware, config = {}) {
     }
     const isPublic = isPublicRoute(req, publicRoutes, builtinPublic);
     if (!isPublic) {
-      const { authObj, response } = await runAuthCheck(req, signInUrl);
+      const { authObj, response } = await runAuthCheck(req, signInUrl, apiUrl);
       if (response) return response;
       if (!authObj)
         return import_server.NextResponse.redirect(new URL(signInUrl, req.url));

package/dist/middleware.cjs.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"sources":["../src/middleware.ts"],"sourcesContent":["import { NextResponse } from \"next/server\";\nimport type { NextRequest } from \"next/server\";\nimport type { AuthObject } from \"@inai-dev/types\";\nimport {\n COOKIE_AUTH_TOKEN,\n COOKIE_AUTH_SESSION,\n COOKIE_REFRESH_TOKEN,\n getClaimsFromToken,\n isTokenExpired,\n} from \"@inai-dev/shared\";\n\nexport interface InAIMiddlewareConfig {\n publicRoutes?: string[] \| ((req: NextRequest) => boolean);\n signInUrl?: string;\n beforeAuth?: (req: NextRequest) => NextResponse \| void;\n afterAuth?: (auth: AuthObject, req: NextRequest) => NextResponse \| void;\n}\n\nexport function createRouteMatcher(\n patterns: (string \| RegExp)[],\n): (req: NextRequest) => boolean {\n const matchers = patterns.map((pattern) => {\n if (pattern instanceof RegExp) return pattern;\n let regexStr = pattern;\n if (regexStr.endsWith(\"\") && !regexStr.includes(\"(\")) {\n regexStr = regexStr.slice(0, -1) + \".\";\n }\n return new RegExp(`^${regexStr}$`);\n });\n\n return (req: NextRequest) => {\n const pathname = req.nextUrl.pathname;\n return matchers.some((m) => m.test(pathname));\n };\n}\n\nfunction matchesRoute(pathname: string, patterns: string[]): boolean {\n return patterns.some((pattern) => {\n if (pattern.endsWith(\"\")) {\n return pathname.startsWith(pattern.slice(0, -1));\n }\n return pathname === pattern;\n });\n}\n\nfunction isPublicRoute(\n req: NextRequest,\n publicRoutes: string[] \| ((req: NextRequest) => boolean),\n builtinPublic: string[],\n): boolean {\n const pathname = req.nextUrl.pathname;\n if (matchesRoute(pathname, builtinPublic)) return true;\n if (typeof publicRoutes === \"function\") return publicRoutes(req);\n return matchesRoute(pathname, publicRoutes);\n}\n\nfunction buildAuthObject(\n token: string,\n claims: NonNullable<ReturnType<typeof getClaimsFromToken>>,\n): AuthObject {\n const roles = claims.roles ?? [];\n const permissions = claims.permissions ?? [];\n return {\n userId: claims.sub,\n tenantId: claims.tenant_id,\n appId: claims.app_id ?? null,\n envId: claims.env_id ?? null,\n orgId: claims.org_id ?? null,\n orgRole: claims.org_role ?? null,\n sessionId: null,\n getToken: async () => token,\n has: (params: { role?: string; permission?: string }) => {\n if (params.role && roles.includes(params.role)) return true;\n if (params.permission && permissions.includes(params.permission))\n return true;\n return false;\n },\n };\n}\n\nasync function runAuthCheck(\n req: NextRequest,\n signInUrl: string,\n): Promise<{ authObj: AuthObject \| null; response?: NextResponse }> {\n const { pathname } = req.nextUrl;\n const token = req.cookies.get(COOKIE_AUTH_TOKEN)?.value;\n\n if (!token \|\| isTokenExpired(token)) {\n const refreshToken = req.cookies.get(COOKIE_REFRESH_TOKEN)?.value;\n if (refreshToken) {\n try {\n const refreshUrl = new URL(\"/api/auth/refresh\", req.url);\n const refreshRes = await fetch(refreshUrl.toString(), {\n method: \"POST\",\n headers: {\n \"Content-Type\": \"application/json\",\n Cookie: req.headers.get(\"cookie\") ?? \"\",\n },\n });\n if (refreshRes.ok) {\n const response = NextResponse.next();\n const setCookies = refreshRes.headers.getSetCookie?.() ?? [];\n for (const cookie of setCookies) {\n response.headers.append(\"Set-Cookie\", cookie);\n }\n return { authObj: null, response };\n }\n } catch {\n // Refresh failed, fall through to redirect\n }\n }\n\n const response = NextResponse.redirect(\n new URL(\n `${signInUrl}?returnTo=${encodeURIComponent(pathname)}`,\n req.url,\n ),\n );\n response.cookies.set(COOKIE_AUTH_TOKEN, \"\", { path: \"/\", maxAge: 0 });\n response.cookies.set(COOKIE_REFRESH_TOKEN, \"\", {\n path: \"/api/auth\",\n maxAge: 0,\n });\n response.cookies.set(COOKIE_AUTH_SESSION, \"\", { path: \"/\", maxAge: 0 });\n return { authObj: null, response };\n }\n\n const claims = getClaimsFromToken(token);\n if (!claims) {\n return {\n authObj: null,\n response: NextResponse.redirect(new URL(signInUrl, req.url)),\n };\n }\n\n return { authObj: buildAuthObject(token, claims) };\n}\n\nexport function inaiAuthMiddleware(config: InAIMiddlewareConfig = {}) {\n const {\n publicRoutes = [],\n signInUrl = \"/login\",\n beforeAuth,\n afterAuth,\n } = config;\n\n const builtinPublic = [\"/_next/\", \"/favicon.ico\", \"/api/\", signInUrl];\n\n return async function middleware(\n req: NextRequest,\n ): Promise<NextResponse> {\n if (beforeAuth) {\n const result = beforeAuth(req);\n if (result) return result;\n }\n\n if (isPublicRoute(req, publicRoutes, builtinPublic)) {\n return NextResponse.next();\n }\n\n const { authObj, response } = await runAuthCheck(req, signInUrl);\n if (response) return response;\n if (!authObj)\n return NextResponse.redirect(new URL(signInUrl, req.url));\n\n if (afterAuth) {\n const result = afterAuth(authObj, req);\n if (result) return result;\n }\n\n return NextResponse.next();\n };\n}\n\nexport function withInAIAuth(\n wrappedMiddleware: (\n req: NextRequest,\n ) => NextResponse \| Response \| Promise<NextResponse \| Response>,\n config: InAIMiddlewareConfig = {},\n): (req: NextRequest) => Promise<NextResponse> {\n const {\n publicRoutes = [],\n signInUrl = \"/login\",\n beforeAuth,\n afterAuth,\n } = config;\n\n const builtinPublic = [\"/_next/\", \"/favicon.ico\", \"/api/*\", signInUrl];\n\n return async function middleware(\n req: NextRequest,\n ): Promise<NextResponse> {\n if (beforeAuth) {\n const result = beforeAuth(req);\n if (result) return result;\n }\n\n const isPublic = isPublicRoute(req, publicRoutes, builtinPublic);\n\n if (!isPublic) {\n const { authObj, response } = await runAuthCheck(req, signInUrl);\n if (response) return response;\n if (!authObj)\n return NextResponse.redirect(new URL(signInUrl, req.url));\n\n if (afterAuth) {\n const result = afterAuth(authObj, req);\n if (result) return result;\n }\n\n const authHeader = JSON.stringify({\n userId: authObj.userId,\n tenantId: authObj.tenantId,\n appId: authObj.appId,\n envId: authObj.envId,\n orgId: authObj.orgId,\n orgRole: authObj.orgRole,\n });\n req.headers.set(\"x-inai-auth\", authHeader);\n }\n\n const wrappedResponse = await wrappedMiddleware(req);\n if (wrappedResponse instanceof NextResponse) return wrappedResponse;\n return new NextResponse(wrappedResponse.body, wrappedResponse);\n };\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,oBAA6B;AAG7B,oBAMO;AASA,SAAS,mBACd,UAC+B;AAC/B,QAAM,WAAW,SAAS,IAAI,CAAC,YAAY;AACzC,QAAI,mBAAmB,OAAQ,QAAO;AACtC,QAAI,WAAW;AACf,QAAI,SAAS,SAAS,GAAG,KAAK,CAAC,SAAS,SAAS,GAAG,GAAG;AACrD,iBAAW,SAAS,MAAM,GAAG,EAAE,IAAI;AAAA,IACrC;AACA,WAAO,IAAI,OAAO,IAAI,QAAQ,GAAG;AAAA,EACnC,CAAC;AAED,SAAO,CAAC,QAAqB;AAC3B,UAAM,WAAW,IAAI,QAAQ;AAC7B,WAAO,SAAS,KAAK,CAAC,MAAM,EAAE,KAAK,QAAQ,CAAC;AAAA,EAC9C;AACF;AAEA,SAAS,aAAa,UAAkB,UAA6B;AACnE,SAAO,SAAS,KAAK,CAAC,YAAY;AAChC,QAAI,QAAQ,SAAS,GAAG,GAAG;AACzB,aAAO,SAAS,WAAW,QAAQ,MAAM,GAAG,EAAE,CAAC;AAAA,IACjD;AACA,WAAO,aAAa;AAAA,EACtB,CAAC;AACH;AAEA,SAAS,cACP,KACA,cACA,eACS;AACT,QAAM,WAAW,IAAI,QAAQ;AAC7B,MAAI,aAAa,UAAU,aAAa,EAAG,QAAO;AAClD,MAAI,OAAO,iBAAiB,WAAY,QAAO,aAAa,GAAG;AAC/D,SAAO,aAAa,UAAU,YAAY;AAC5C;AAEA,SAAS,gBACP,OACA,QACY;AACZ,QAAM,QAAQ,OAAO,SAAS,CAAC;AAC/B,QAAM,cAAc,OAAO,eAAe,CAAC;AAC3C,SAAO;AAAA,IACL,QAAQ,OAAO;AAAA,IACf,UAAU,OAAO;AAAA,IACjB,OAAO,OAAO,UAAU;AAAA,IACxB,OAAO,OAAO,UAAU;AAAA,IACxB,OAAO,OAAO,UAAU;AAAA,IACxB,SAAS,OAAO,YAAY;AAAA,IAC5B,WAAW;AAAA,IACX,UAAU,YAAY;AAAA,IACtB,KAAK,CAAC,WAAmD;AACvD,UAAI,OAAO,QAAQ,MAAM,SAAS,OAAO,IAAI,EAAG,QAAO;AACvD,UAAI,OAAO,cAAc,YAAY,SAAS,OAAO,UAAU;AAC7D,eAAO;AACT,aAAO;AAAA,IACT;AAAA,EACF;AACF;AAEA,eAAe,aACb,KACA,WACkE;AAClE,QAAM,EAAE,SAAS,IAAI,IAAI;AACzB,QAAM,QAAQ,IAAI,QAAQ,IAAI,+BAAiB,GAAG;AAElD,MAAI,CAAC,aAAS,8BAAe,KAAK,GAAG;AACnC,UAAM,eAAe,IAAI,QAAQ,IAAI,kCAAoB,GAAG;AAC5D,QAAI,cAAc;AAChB,UAAI;AACF,cAAM,aAAa,IAAI,IAAI,qBAAqB,IAAI,GAAG;AACvD,cAAM,aAAa,MAAM,MAAM,WAAW,SAAS,GAAG;AAAA,UACpD,QAAQ;AAAA,UACR,SAAS;AAAA,YACP,gBAAgB;AAAA,YAChB,QAAQ,IAAI,QAAQ,IAAI,QAAQ,KAAK;AAAA,UACvC;AAAA,QACF,CAAC;AACD,YAAI,WAAW,IAAI;AACjB,gBAAMA,YAAW,2BAAa,KAAK;AACnC,gBAAM,aAAa,WAAW,QAAQ,eAAe,KAAK,CAAC;AAC3D,qBAAW,UAAU,YAAY;AAC/B,YAAAA,UAAS,QAAQ,OAAO,cAAc,MAAM;AAAA,UAC9C;AACA,iBAAO,EAAE,SAAS,MAAM,UAAAA,UAAS;AAAA,QACnC;AAAA,MACF,QAAQ;AAAA,MAER;AAAA,IACF;AAEA,UAAM,WAAW,2BAAa;AAAA,MAC5B,IAAI;AAAA,QACF,GAAG,SAAS,aAAa,mBAAmB,QAAQ,CAAC;AAAA,QACrD,IAAI;AAAA,MACN;AAAA,IACF;AACA,aAAS,QAAQ,IAAI,iCAAmB,IAAI,EAAE,MAAM,KAAK,QAAQ,EAAE,CAAC;AACpE,aAAS,QAAQ,IAAI,oCAAsB,IAAI;AAAA,MAC7C,MAAM;AAAA,MACN,QAAQ;AAAA,IACV,CAAC;AACD,aAAS,QAAQ,IAAI,mCAAqB,IAAI,EAAE,MAAM,KAAK,QAAQ,EAAE,CAAC;AACtE,WAAO,EAAE,SAAS,MAAM,SAAS;AAAA,EACnC;AAEA,QAAM,aAAS,kCAAmB,KAAK;AACvC,MAAI,CAAC,QAAQ;AACX,WAAO;AAAA,MACL,SAAS;AAAA,MACT,UAAU,2BAAa,SAAS,IAAI,IAAI,WAAW,IAAI,GAAG,CAAC;AAAA,IAC7D;AAAA,EACF;AAEA,SAAO,EAAE,SAAS,gBAAgB,OAAO,MAAM,EAAE;AACnD;AAEO,SAAS,mBAAmB,SAA+B,CAAC,GAAG;AACpE,QAAM;AAAA,IACJ,eAAe,CAAC;AAAA,IAChB,YAAY;AAAA,IACZ;AAAA,IACA;AAAA,EACF,IAAI;AAEJ,QAAM,gBAAgB,CAAC,YAAY,gBAAgB,UAAU,SAAS;AAEtE,SAAO,eAAe,WACpB,KACuB;AACvB,QAAI,YAAY;AACd,YAAM,SAAS,WAAW,GAAG;AAC7B,UAAI,OAAQ,QAAO;AAAA,IACrB;AAEA,QAAI,cAAc,KAAK,cAAc,aAAa,GAAG;AACnD,aAAO,2BAAa,KAAK;AAAA,IAC3B;AAEA,UAAM,EAAE,SAAS,SAAS,IAAI,MAAM,aAAa,KAAK,SAAS;AAC/D,QAAI,SAAU,QAAO;AACrB,QAAI,CAAC;AACH,aAAO,2BAAa,SAAS,IAAI,IAAI,WAAW,IAAI,GAAG,CAAC;AAE1D,QAAI,WAAW;AACb,YAAM,SAAS,UAAU,SAAS,GAAG;AACrC,UAAI,OAAQ,QAAO;AAAA,IACrB;AAEA,WAAO,2BAAa,KAAK;AAAA,EAC3B;AACF;AAEO,SAAS,aACd,mBAGA,SAA+B,CAAC,GACa;AAC7C,QAAM;AAAA,IACJ,eAAe,CAAC;AAAA,IAChB,YAAY;AAAA,IACZ;AAAA,IACA;AAAA,EACF,IAAI;AAEJ,QAAM,gBAAgB,CAAC,YAAY,gBAAgB,UAAU,SAAS;AAEtE,SAAO,eAAe,WACpB,KACuB;AACvB,QAAI,YAAY;AACd,YAAM,SAAS,WAAW,GAAG;AAC7B,UAAI,OAAQ,QAAO;AAAA,IACrB;AAEA,UAAM,WAAW,cAAc,KAAK,cAAc,aAAa;AAE/D,QAAI,CAAC,UAAU;AACb,YAAM,EAAE,SAAS,SAAS,IAAI,MAAM,aAAa,KAAK,SAAS;AAC/D,UAAI,SAAU,QAAO;AACrB,UAAI,CAAC;AACH,eAAO,2BAAa,SAAS,IAAI,IAAI,WAAW,IAAI,GAAG,CAAC;AAE1D,UAAI,WAAW;AACb,cAAM,SAAS,UAAU,SAAS,GAAG;AACrC,YAAI,OAAQ,QAAO;AAAA,MACrB;AAEA,YAAM,aAAa,KAAK,UAAU;AAAA,QAChC,QAAQ,QAAQ;AAAA,QAChB,UAAU,QAAQ;AAAA,QAClB,OAAO,QAAQ;AAAA,QACf,OAAO,QAAQ;AAAA,QACf,OAAO,QAAQ;AAAA,QACf,SAAS,QAAQ;AAAA,MACnB,CAAC;AACD,UAAI,QAAQ,IAAI,eAAe,UAAU;AAAA,IAC3C;AAEA,UAAM,kBAAkB,MAAM,kBAAkB,GAAG;AACnD,QAAI,2BAA2B,2BAAc,QAAO;AACpD,WAAO,IAAI,2BAAa,gBAAgB,MAAM,eAAe;AAAA,EAC/D;AACF;","names":["response"]}
1	+ {"version":3,"sources":["../src/middleware.ts"],"sourcesContent":["import { NextResponse } from \"next/server\";\nimport type { NextRequest } from \"next/server\";\nimport type { AuthObject } from \"@inai-dev/types\";\nimport {\n COOKIE_AUTH_TOKEN,\n COOKIE_AUTH_SESSION,\n COOKIE_REFRESH_TOKEN,\n DEFAULT_API_URL,\n getClaimsFromToken,\n isTokenExpired,\n} from \"@inai-dev/shared\";\n\nexport interface InAIMiddlewareConfig {\n apiUrl?: string;\n publicRoutes?: string[] \| ((req: NextRequest) => boolean);\n signInUrl?: string;\n beforeAuth?: (req: NextRequest) => NextResponse \| void;\n afterAuth?: (auth: AuthObject, req: NextRequest) => NextResponse \| void;\n}\n\nexport function createRouteMatcher(\n patterns: (string \| RegExp)[],\n): (req: NextRequest) => boolean {\n const matchers = patterns.map((pattern) => {\n if (pattern instanceof RegExp) return pattern;\n let regexStr = pattern;\n if (regexStr.endsWith(\"\") && !regexStr.includes(\"(\")) {\n regexStr = regexStr.slice(0, -1) + \".\";\n }\n return new RegExp(`^${regexStr}$`);\n });\n\n return (req: NextRequest) => {\n const pathname = req.nextUrl.pathname;\n return matchers.some((m) => m.test(pathname));\n };\n}\n\nfunction matchesRoute(pathname: string, patterns: string[]): boolean {\n return patterns.some((pattern) => {\n if (pattern.endsWith(\"\")) {\n return pathname.startsWith(pattern.slice(0, -1));\n }\n return pathname === pattern;\n });\n}\n\nfunction isPublicRoute(\n req: NextRequest,\n publicRoutes: string[] \| ((req: NextRequest) => boolean),\n builtinPublic: string[],\n): boolean {\n const pathname = req.nextUrl.pathname;\n if (matchesRoute(pathname, builtinPublic)) return true;\n if (typeof publicRoutes === \"function\") return publicRoutes(req);\n return matchesRoute(pathname, publicRoutes);\n}\n\nfunction buildAuthObject(\n token: string,\n claims: NonNullable<ReturnType<typeof getClaimsFromToken>>,\n): AuthObject {\n const roles = claims.roles ?? [];\n const permissions = claims.permissions ?? [];\n return {\n userId: claims.sub,\n tenantId: claims.tenant_id,\n appId: claims.app_id ?? null,\n envId: claims.env_id ?? null,\n orgId: claims.org_id ?? null,\n orgRole: claims.org_role ?? null,\n sessionId: null,\n getToken: async () => token,\n has: (params: { role?: string; permission?: string }) => {\n if (params.role && roles.includes(params.role)) return true;\n if (params.permission && permissions.includes(params.permission))\n return true;\n return false;\n },\n };\n}\n\nasync function runAuthCheck(\n req: NextRequest,\n signInUrl: string,\n apiUrl?: string,\n): Promise<{ authObj: AuthObject \| null; response?: NextResponse }> {\n const { pathname } = req.nextUrl;\n const token = req.cookies.get(COOKIE_AUTH_TOKEN)?.value;\n\n if (!token \|\| isTokenExpired(token)) {\n const refreshToken = req.cookies.get(COOKIE_REFRESH_TOKEN)?.value;\n if (refreshToken) {\n try {\n if (apiUrl) {\n const refreshRes = await fetch(`${apiUrl}/api/platform/auth/refresh`, {\n method: \"POST\",\n headers: { \"Content-Type\": \"application/json\" },\n body: JSON.stringify({ refresh_token: refreshToken }),\n });\n if (refreshRes.ok) {\n const newTokens = await refreshRes.json() as {\n access_token: string;\n refresh_token: string;\n expires_in: number;\n };\n const meRes = await fetch(`${apiUrl}/api/platform/auth/me`, {\n headers: { Authorization: `Bearer ${newTokens.access_token}` },\n });\n if (meRes.ok) {\n const meData = await meRes.json();\n const newUser = meData.data ?? meData;\n const isProduction = process.env.NODE_ENV === \"production\";\n const response = NextResponse.next();\n response.cookies.set(COOKIE_AUTH_TOKEN, newTokens.access_token, {\n httpOnly: true, secure: isProduction, sameSite: \"lax\",\n path: \"/\", maxAge: newTokens.expires_in,\n });\n response.cookies.set(COOKIE_REFRESH_TOKEN, newTokens.refresh_token, {\n httpOnly: true, secure: isProduction, sameSite: \"strict\",\n path: \"/api/auth\", maxAge: 7 24 * 60 * 60,\n });\n response.cookies.set(COOKIE_AUTH_SESSION, JSON.stringify({\n user: newUser,\n expiresAt: new Date(Date.now() + newTokens.expires_in * 1000).toISOString(),\n }), {\n httpOnly: false, secure: isProduction, sameSite: \"lax\",\n path: \"/\", maxAge: newTokens.expires_in,\n });\n return { authObj: null, response };\n }\n }\n } else {\n const refreshUrl = new URL(\"/api/auth/refresh\", req.url);\n const refreshRes = await fetch(refreshUrl.toString(), {\n method: \"POST\",\n headers: {\n \"Content-Type\": \"application/json\",\n Cookie: req.headers.get(\"cookie\") ?? \"\",\n },\n });\n if (refreshRes.ok) {\n const response = NextResponse.next();\n const setCookies = refreshRes.headers.getSetCookie?.() ?? [];\n for (const cookie of setCookies) {\n response.headers.append(\"Set-Cookie\", cookie);\n }\n return { authObj: null, response };\n }\n }\n } catch {\n // Refresh failed, fall through to redirect\n }\n }\n\n const response = NextResponse.redirect(\n new URL(\n `${signInUrl}?returnTo=${encodeURIComponent(pathname)}`,\n req.url,\n ),\n );\n response.cookies.set(COOKIE_AUTH_TOKEN, \"\", { path: \"/\", maxAge: 0 });\n response.cookies.set(COOKIE_REFRESH_TOKEN, \"\", {\n path: \"/api/auth\",\n maxAge: 0,\n });\n response.cookies.set(COOKIE_AUTH_SESSION, \"\", { path: \"/\", maxAge: 0 });\n return { authObj: null, response };\n }\n\n const claims = getClaimsFromToken(token);\n if (!claims) {\n return {\n authObj: null,\n response: NextResponse.redirect(new URL(signInUrl, req.url)),\n };\n }\n\n return { authObj: buildAuthObject(token, claims) };\n}\n\nexport function inaiAuthMiddleware(config: InAIMiddlewareConfig = {}) {\n const {\n apiUrl = DEFAULT_API_URL,\n publicRoutes = [],\n signInUrl = \"/login\",\n beforeAuth,\n afterAuth,\n } = config;\n\n const builtinPublic = [\"/_next/\", \"/favicon.ico\", \"/api/\", signInUrl];\n\n return async function middleware(\n req: NextRequest,\n ): Promise<NextResponse> {\n if (beforeAuth) {\n const result = beforeAuth(req);\n if (result) return result;\n }\n\n if (isPublicRoute(req, publicRoutes, builtinPublic)) {\n return NextResponse.next();\n }\n\n const { authObj, response } = await runAuthCheck(req, signInUrl, apiUrl);\n if (response) return response;\n if (!authObj)\n return NextResponse.redirect(new URL(signInUrl, req.url));\n\n if (afterAuth) {\n const result = afterAuth(authObj, req);\n if (result) return result;\n }\n\n return NextResponse.next();\n };\n}\n\nexport function withInAIAuth(\n wrappedMiddleware: (\n req: NextRequest,\n ) => NextResponse \| Response \| Promise<NextResponse \| Response>,\n config: InAIMiddlewareConfig = {},\n): (req: NextRequest) => Promise<NextResponse> {\n const {\n apiUrl = DEFAULT_API_URL,\n publicRoutes = [],\n signInUrl = \"/login\",\n beforeAuth,\n afterAuth,\n } = config;\n\n const builtinPublic = [\"/_next/\", \"/favicon.ico\", \"/api/\", signInUrl];\n\n return async function middleware(\n req: NextRequest,\n ): Promise<NextResponse> {\n if (beforeAuth) {\n const result = beforeAuth(req);\n if (result) return result;\n }\n\n const isPublic = isPublicRoute(req, publicRoutes, builtinPublic);\n\n if (!isPublic) {\n const { authObj, response } = await runAuthCheck(req, signInUrl, apiUrl);\n if (response) return response;\n if (!authObj)\n return NextResponse.redirect(new URL(signInUrl, req.url));\n\n if (afterAuth) {\n const result = afterAuth(authObj, req);\n if (result) return result;\n }\n\n const authHeader = JSON.stringify({\n userId: authObj.userId,\n tenantId: authObj.tenantId,\n appId: authObj.appId,\n envId: authObj.envId,\n orgId: authObj.orgId,\n orgRole: authObj.orgRole,\n });\n req.headers.set(\"x-inai-auth\", authHeader);\n }\n\n const wrappedResponse = await wrappedMiddleware(req);\n if (wrappedResponse instanceof NextResponse) return wrappedResponse;\n return new NextResponse(wrappedResponse.body, wrappedResponse);\n };\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,oBAA6B;AAG7B,oBAOO;AAUA,SAAS,mBACd,UAC+B;AAC/B,QAAM,WAAW,SAAS,IAAI,CAAC,YAAY;AACzC,QAAI,mBAAmB,OAAQ,QAAO;AACtC,QAAI,WAAW;AACf,QAAI,SAAS,SAAS,GAAG,KAAK,CAAC,SAAS,SAAS,GAAG,GAAG;AACrD,iBAAW,SAAS,MAAM,GAAG,EAAE,IAAI;AAAA,IACrC;AACA,WAAO,IAAI,OAAO,IAAI,QAAQ,GAAG;AAAA,EACnC,CAAC;AAED,SAAO,CAAC,QAAqB;AAC3B,UAAM,WAAW,IAAI,QAAQ;AAC7B,WAAO,SAAS,KAAK,CAAC,MAAM,EAAE,KAAK,QAAQ,CAAC;AAAA,EAC9C;AACF;AAEA,SAAS,aAAa,UAAkB,UAA6B;AACnE,SAAO,SAAS,KAAK,CAAC,YAAY;AAChC,QAAI,QAAQ,SAAS,GAAG,GAAG;AACzB,aAAO,SAAS,WAAW,QAAQ,MAAM,GAAG,EAAE,CAAC;AAAA,IACjD;AACA,WAAO,aAAa;AAAA,EACtB,CAAC;AACH;AAEA,SAAS,cACP,KACA,cACA,eACS;AACT,QAAM,WAAW,IAAI,QAAQ;AAC7B,MAAI,aAAa,UAAU,aAAa,EAAG,QAAO;AAClD,MAAI,OAAO,iBAAiB,WAAY,QAAO,aAAa,GAAG;AAC/D,SAAO,aAAa,UAAU,YAAY;AAC5C;AAEA,SAAS,gBACP,OACA,QACY;AACZ,QAAM,QAAQ,OAAO,SAAS,CAAC;AAC/B,QAAM,cAAc,OAAO,eAAe,CAAC;AAC3C,SAAO;AAAA,IACL,QAAQ,OAAO;AAAA,IACf,UAAU,OAAO;AAAA,IACjB,OAAO,OAAO,UAAU;AAAA,IACxB,OAAO,OAAO,UAAU;AAAA,IACxB,OAAO,OAAO,UAAU;AAAA,IACxB,SAAS,OAAO,YAAY;AAAA,IAC5B,WAAW;AAAA,IACX,UAAU,YAAY;AAAA,IACtB,KAAK,CAAC,WAAmD;AACvD,UAAI,OAAO,QAAQ,MAAM,SAAS,OAAO,IAAI,EAAG,QAAO;AACvD,UAAI,OAAO,cAAc,YAAY,SAAS,OAAO,UAAU;AAC7D,eAAO;AACT,aAAO;AAAA,IACT;AAAA,EACF;AACF;AAEA,eAAe,aACb,KACA,WACA,QACkE;AAClE,QAAM,EAAE,SAAS,IAAI,IAAI;AACzB,QAAM,QAAQ,IAAI,QAAQ,IAAI,+BAAiB,GAAG;AAElD,MAAI,CAAC,aAAS,8BAAe,KAAK,GAAG;AACnC,UAAM,eAAe,IAAI,QAAQ,IAAI,kCAAoB,GAAG;AAC5D,QAAI,cAAc;AAChB,UAAI;AACF,YAAI,QAAQ;AACV,gBAAM,aAAa,MAAM,MAAM,GAAG,MAAM,8BAA8B;AAAA,YACpE,QAAQ;AAAA,YACR,SAAS,EAAE,gBAAgB,mBAAmB;AAAA,YAC9C,MAAM,KAAK,UAAU,EAAE,eAAe,aAAa,CAAC;AAAA,UACtD,CAAC;AACD,cAAI,WAAW,IAAI;AACjB,kBAAM,YAAY,MAAM,WAAW,KAAK;AAKxC,kBAAM,QAAQ,MAAM,MAAM,GAAG,MAAM,yBAAyB;AAAA,cAC1D,SAAS,EAAE,eAAe,UAAU,UAAU,YAAY,GAAG;AAAA,YAC/D,CAAC;AACD,gBAAI,MAAM,IAAI;AACZ,oBAAM,SAAS,MAAM,MAAM,KAAK;AAChC,oBAAM,UAAU,OAAO,QAAQ;AAC/B,oBAAM,eAAe,QAAQ,IAAI,aAAa;AAC9C,oBAAMA,YAAW,2BAAa,KAAK;AACnC,cAAAA,UAAS,QAAQ,IAAI,iCAAmB,UAAU,cAAc;AAAA,gBAC9D,UAAU;AAAA,gBAAM,QAAQ;AAAA,gBAAc,UAAU;AAAA,gBAChD,MAAM;AAAA,gBAAK,QAAQ,UAAU;AAAA,cAC/B,CAAC;AACD,cAAAA,UAAS,QAAQ,IAAI,oCAAsB,UAAU,eAAe;AAAA,gBAClE,UAAU;AAAA,gBAAM,QAAQ;AAAA,gBAAc,UAAU;AAAA,gBAChD,MAAM;AAAA,gBAAa,QAAQ,IAAI,KAAK,KAAK;AAAA,cAC3C,CAAC;AACD,cAAAA,UAAS,QAAQ,IAAI,mCAAqB,KAAK,UAAU;AAAA,gBACvD,MAAM;AAAA,gBACN,WAAW,IAAI,KAAK,KAAK,IAAI,IAAI,UAAU,aAAa,GAAI,EAAE,YAAY;AAAA,cAC5E,CAAC,GAAG;AAAA,gBACF,UAAU;AAAA,gBAAO,QAAQ;AAAA,gBAAc,UAAU;AAAA,gBACjD,MAAM;AAAA,gBAAK,QAAQ,UAAU;AAAA,cAC/B,CAAC;AACD,qBAAO,EAAE,SAAS,MAAM,UAAAA,UAAS;AAAA,YACnC;AAAA,UACF;AAAA,QACF,OAAO;AACL,gBAAM,aAAa,IAAI,IAAI,qBAAqB,IAAI,GAAG;AACvD,gBAAM,aAAa,MAAM,MAAM,WAAW,SAAS,GAAG;AAAA,YACpD,QAAQ;AAAA,YACR,SAAS;AAAA,cACP,gBAAgB;AAAA,cAChB,QAAQ,IAAI,QAAQ,IAAI,QAAQ,KAAK;AAAA,YACvC;AAAA,UACF,CAAC;AACD,cAAI,WAAW,IAAI;AACjB,kBAAMA,YAAW,2BAAa,KAAK;AACnC,kBAAM,aAAa,WAAW,QAAQ,eAAe,KAAK,CAAC;AAC3D,uBAAW,UAAU,YAAY;AAC/B,cAAAA,UAAS,QAAQ,OAAO,cAAc,MAAM;AAAA,YAC9C;AACA,mBAAO,EAAE,SAAS,MAAM,UAAAA,UAAS;AAAA,UACnC;AAAA,QACF;AAAA,MACF,QAAQ;AAAA,MAER;AAAA,IACF;AAEA,UAAM,WAAW,2BAAa;AAAA,MAC5B,IAAI;AAAA,QACF,GAAG,SAAS,aAAa,mBAAmB,QAAQ,CAAC;AAAA,QACrD,IAAI;AAAA,MACN;AAAA,IACF;AACA,aAAS,QAAQ,IAAI,iCAAmB,IAAI,EAAE,MAAM,KAAK,QAAQ,EAAE,CAAC;AACpE,aAAS,QAAQ,IAAI,oCAAsB,IAAI;AAAA,MAC7C,MAAM;AAAA,MACN,QAAQ;AAAA,IACV,CAAC;AACD,aAAS,QAAQ,IAAI,mCAAqB,IAAI,EAAE,MAAM,KAAK,QAAQ,EAAE,CAAC;AACtE,WAAO,EAAE,SAAS,MAAM,SAAS;AAAA,EACnC;AAEA,QAAM,aAAS,kCAAmB,KAAK;AACvC,MAAI,CAAC,QAAQ;AACX,WAAO;AAAA,MACL,SAAS;AAAA,MACT,UAAU,2BAAa,SAAS,IAAI,IAAI,WAAW,IAAI,GAAG,CAAC;AAAA,IAC7D;AAAA,EACF;AAEA,SAAO,EAAE,SAAS,gBAAgB,OAAO,MAAM,EAAE;AACnD;AAEO,SAAS,mBAAmB,SAA+B,CAAC,GAAG;AACpE,QAAM;AAAA,IACJ,SAAS;AAAA,IACT,eAAe,CAAC;AAAA,IAChB,YAAY;AAAA,IACZ;AAAA,IACA;AAAA,EACF,IAAI;AAEJ,QAAM,gBAAgB,CAAC,YAAY,gBAAgB,UAAU,SAAS;AAEtE,SAAO,eAAe,WACpB,KACuB;AACvB,QAAI,YAAY;AACd,YAAM,SAAS,WAAW,GAAG;AAC7B,UAAI,OAAQ,QAAO;AAAA,IACrB;AAEA,QAAI,cAAc,KAAK,cAAc,aAAa,GAAG;AACnD,aAAO,2BAAa,KAAK;AAAA,IAC3B;AAEA,UAAM,EAAE,SAAS,SAAS,IAAI,MAAM,aAAa,KAAK,WAAW,MAAM;AACvE,QAAI,SAAU,QAAO;AACrB,QAAI,CAAC;AACH,aAAO,2BAAa,SAAS,IAAI,IAAI,WAAW,IAAI,GAAG,CAAC;AAE1D,QAAI,WAAW;AACb,YAAM,SAAS,UAAU,SAAS,GAAG;AACrC,UAAI,OAAQ,QAAO;AAAA,IACrB;AAEA,WAAO,2BAAa,KAAK;AAAA,EAC3B;AACF;AAEO,SAAS,aACd,mBAGA,SAA+B,CAAC,GACa;AAC7C,QAAM;AAAA,IACJ,SAAS;AAAA,IACT,eAAe,CAAC;AAAA,IAChB,YAAY;AAAA,IACZ;AAAA,IACA;AAAA,EACF,IAAI;AAEJ,QAAM,gBAAgB,CAAC,YAAY,gBAAgB,UAAU,SAAS;AAEtE,SAAO,eAAe,WACpB,KACuB;AACvB,QAAI,YAAY;AACd,YAAM,SAAS,WAAW,GAAG;AAC7B,UAAI,OAAQ,QAAO;AAAA,IACrB;AAEA,UAAM,WAAW,cAAc,KAAK,cAAc,aAAa;AAE/D,QAAI,CAAC,UAAU;AACb,YAAM,EAAE,SAAS,SAAS,IAAI,MAAM,aAAa,KAAK,WAAW,MAAM;AACvE,UAAI,SAAU,QAAO;AACrB,UAAI,CAAC;AACH,eAAO,2BAAa,SAAS,IAAI,IAAI,WAAW,IAAI,GAAG,CAAC;AAE1D,UAAI,WAAW;AACb,cAAM,SAAS,UAAU,SAAS,GAAG;AACrC,YAAI,OAAQ,QAAO;AAAA,MACrB;AAEA,YAAM,aAAa,KAAK,UAAU;AAAA,QAChC,QAAQ,QAAQ;AAAA,QAChB,UAAU,QAAQ;AAAA,QAClB,OAAO,QAAQ;AAAA,QACf,OAAO,QAAQ;AAAA,QACf,OAAO,QAAQ;AAAA,QACf,SAAS,QAAQ;AAAA,MACnB,CAAC;AACD,UAAI,QAAQ,IAAI,eAAe,UAAU;AAAA,IAC3C;AAEA,UAAM,kBAAkB,MAAM,kBAAkB,GAAG;AACnD,QAAI,2BAA2B,2BAAc,QAAO;AACpD,WAAO,IAAI,2BAAa,gBAAgB,MAAM,eAAe;AAAA,EAC/D;AACF;","names":["response"]}

package/dist/middleware.d.cts CHANGED Viewed

@@ -2,6 +2,7 @@ import { NextRequest, NextResponse } from 'next/server';
 import { AuthObject } from '@inai-dev/types';
 interface InAIMiddlewareConfig {
+    apiUrl?: string;
     publicRoutes?: string[] | ((req: NextRequest) => boolean);
     signInUrl?: string;
     beforeAuth?: (req: NextRequest) => NextResponse | void;

package/dist/middleware.d.ts CHANGED Viewed

@@ -2,6 +2,7 @@ import { NextRequest, NextResponse } from 'next/server';
 import { AuthObject } from '@inai-dev/types';
 interface InAIMiddlewareConfig {
+    apiUrl?: string;
     publicRoutes?: string[] | ((req: NextRequest) => boolean);
     signInUrl?: string;
     beforeAuth?: (req: NextRequest) => NextResponse | void;