@logickernel/bridge 0.5.0

package/README.md

@@ -0,0 +1,276 @@
+# Bridge
+
+Framework-agnostic micro-frontend authentication library for AuthJS/NextAuth JWT tokens.
+
+## Installation
+
+```bash
+npm install @logickernel/bridge
+# or
+pnpm add @logickernel/bridge
+# or
+yarn add @logickernel/bridge
+```
+
+## Features
+
+- **Framework-agnostic core** - JWT decoding and validation works anywhere
+- **Next.js adapter** - First-class support for Next.js App Router
+- **Role-based access control** - Check user roles against organization permissions
+- **TypeScript-first** - Full type safety with detailed type exports
+- **Dual ESM/CJS** - Works in any JavaScript environment
+
+## Quick Start
+
+### Environment Variables
+
+```bash
+AUTH_SECRET=your-nextauth-secret  # Required: Same secret used by your kernel/auth server
+AUTH_URL=http://localhost:3000    # Required: Used internally for API calls to the kernel
+BASE_URL=http://localhost:7001    # Optional: Facade URL for user-facing redirects (used by getBaseUrl())
+AUTH_COOKIE=authjs.session-token  # Optional: Cookie name for session token (defaults to authjs.session-token)
+```
+
+### Core Usage (Framework-Agnostic)
+
+```typescript
+import {
+  decodeSessionToken,
+  extractSessionCookie,
+  fetchUserRoles,
+  hasAnyRole,
+} from "@logickernel/bridge"
+
+// Decode a JWT session token
+const result = await decodeSessionToken(token, secret, isSecure)
+if (result.success) {
+  console.log(result.session.user.email)
+  console.log(result.session.user.id)
+} else {
+  console.error(result.error) // "missing_token" | "missing_secret" | "decode_error" | "expired"
+}
+
+// Check user roles (uses AUTH_URL environment variable internally)
+// User ID is determined from the session token
+const roles = await fetchUserRoles({
+  organizationId: "org-456",
+  sessionToken: token,
+})
+
+if (roles.success && hasAnyRole(roles.roles, ["organization.owner"])) {
+  // User is an owner
+}
+```
+
+### Next.js Usage
+
+```typescript
+import {
+  getSession,
+  getUserRoles,
+  withAuth,
+  checkPageAuth,
+  createProxyHandler,
+} from "@logickernel/bridge/next"
+```
+
+#### Server Components / Pages
+
+```typescript
+// app/dashboard/page.tsx
+import { getSession } from "@logickernel/bridge/next"
+import { redirect } from "next/navigation"
+
+export default async function DashboardPage() {
+  const session = await getSession()
+  
+  if (!session) {
+    redirect("/auth/signin")
+  }
+
+  return <div>Welcome, {session.user.email}!</div>
+}
+```
+
+#### Role-Based Page Protection
+
+```typescript
+// app/[org_id]/admin/page.tsx
+import { checkPageAuth } from "@logickernel/bridge/next"
+import { redirect, notFound } from "next/navigation"
+
+export default async function AdminPage({
+  params,
+}: {
+  params: Promise<{ org_id: string }>
+}) {
+  const { org_id } = await params
+
+  const auth = await checkPageAuth({
+    requiredRoles: ["organization.owner", "organization.editor"],
+    organizationId: org_id,
+  })
+
+  if (!auth.authenticated) {
+    redirect(auth.redirectUrl)
+  }
+
+  // User is authenticated but may not have required roles
+  if (!auth.roles.some(r => ["organization.owner", "organization.editor"].includes(r))) {
+    notFound()
+  }
+
+  return <div>Admin Panel for {session.user.email}</div>
+}
+```
+
+#### API Routes
+
+```typescript
+// app/api/data/route.ts
+import { withAuth } from "@logickernel/bridge/next"
+import { NextResponse } from "next/server"
+
+// Any authenticated user
+export const GET = withAuth(async (request, { session }) => {
+  return NextResponse.json({
+    userId: session.user.id,
+    email: session.user.email,
+  })
+})
+
+// With role requirements
+export const DELETE = withAuth(
+  async (request, { session }) => {
+    // Only owners can delete
+    return NextResponse.json({ deleted: true })
+  },
+  {
+    requiredRoles: ["organization.owner"],
+    organizationId: "org_id", // Extract from route params
+  }
+)
+```
+
+#### Middleware / Proxy
+
+```typescript
+// src/proxy.ts (or middleware.ts)
+import { createProxyHandler, type ProxyOptions } from "@logickernel/bridge/next"
+
+const config: ProxyOptions = {
+  basePath: "/app",
+  protectedRoutes: {
+    "/app/dashboard": [],  // Any authenticated user
+    "/app/settings": [],
+  },
+  dynamicRoutes: [
+    {
+      pattern: "/[organization_id]/admin",
+      requiredRoles: ["organization.owner"],
+    },
+  ],
+}
+
+export const proxy = createProxyHandler(config)
+
+// Static config for Next.js (must be in the same file)
+export const middlewareConfig = {
+  matcher: ["/((?!_next/static|_next/image|favicon.ico|public).*)"],
+}
+```
+
+## API Reference
+
+### Core Exports (`@logickernel/bridge`)
+
+| Export | Description |
+|--------|-------------|
+| `decodeSessionToken(token, secret, isSecure)` | Decode and validate a JWT session token |
+| `extractSessionCookie(cookies)` | Extract session cookie from a cookies object |
+| `fetchUserRoles(options)` | Fetch user roles from the kernel API (uses AUTH_URL internally) |
+| `hasAnyRole(userRoles, requiredRoles)` | Check if user has at least one required role |
+| `hasAllRoles(userRoles, requiredRoles)` | Check if user has all required roles |
+| `hasRole(userRoles, role)` | Check if user has a specific role |
+| `matchRoute(pathname, config)` | Match a pathname against route configuration |
+| `buildSignInUrl(callbackUrl?)` | Build a sign-in redirect URL (uses AUTH_URL internally) |
+| `buildSignOutUrl(callbackUrl?)` | Build a sign-out redirect URL (uses AUTH_URL internally) |
+
+### Next.js Exports (`@logickernel/bridge/next`)
+
+| Export | Description |
+|--------|-------------|
+| `getSession()` | Get the current session from cookies |
+| `getSessionToken()` | Get the raw session token value |
+| `getUserRoles(orgId)` | Get user roles in an organization (user ID determined from session token) |
+| `withAuth(handler, options?)` | Wrap an API route with authentication |
+| `getSessionFromRequest(request)` | Get session from a NextRequest |
+| `checkPageAuth(options?)` | Check authentication for a page |
+| `requireAuth()` | Require authentication (throws if not authenticated) |
+| `hasRequiredRole(orgId, roles)` | Check if user has required roles (user ID determined from session token) |
+| `createProxyHandler(options)` | Create a middleware/proxy handler |
+
+### Types
+
+```typescript
+import type {
+  Session,
+  SessionUser,
+  DecodeResult,
+  RouteConfig,
+  RouteMatch,
+  MicroFrontendConfig,
+} from "@logickernel/bridge"
+
+import type {
+  ProxyOptions,
+  DynamicRoutePattern,
+  AuthContext,
+  AuthenticatedHandler,
+  WithAuthOptions,
+  PageAuthOptions,
+  PageAuthResult,
+} from "@logickernel/bridge/next"
+```
+
+## Architecture
+
+```
+bridge/
+├── src/
+│   ├── index.ts      # Core exports
+│   ├── types.ts      # Core type definitions
+│   ├── jwt.ts        # JWT decoding utilities
+│   ├── roles.ts      # Role checking utilities
+│   ├── routes.ts     # Route matching utilities
+│   └── next/
+│       ├── index.ts  # Next.js adapter exports
+│       ├── types.ts  # Next.js-specific types
+│       ├── session.ts # Session utilities
+│       ├── api.ts    # API route utilities
+│       ├── page.ts   # Page utilities
+│       └── proxy.ts  # Middleware/proxy utilities
+```
+
+## Development
+
+```bash
+# Install dependencies
+npm install
+
+# Build the library
+npm run build
+
+# Watch mode for development
+npm run dev
+
+# Type checking
+npm run typecheck
+
+# Clean build artifacts
+npm run clean
+```
+
+## License
+
+MIT

package/dist/index.cjs

@@ -0,0 +1,193 @@
+'use strict';
+
+var jwt = require('@auth/core/jwt');
+
+// src/jwt.ts
+function getBaseCookieName() {
+  const cookieName = process.env.AUTH_COOKIE || "authjs.session-token";
+  return cookieName.startsWith("__Secure-") ? cookieName.slice(10) : cookieName;
+}
+var COOKIE_NAMES = {
+  get secure() {
+    const baseName = getBaseCookieName();
+    return `__Secure-${baseName}`;
+  },
+  get dev() {
+    return getBaseCookieName();
+  }
+};
+function getAuthUrl() {
+  return process.env.AUTH_URL || process.env.BASE_URL || "http://localhost:3000";
+}
+function getSalt(isSecure) {
+  return isSecure ? COOKIE_NAMES.secure : COOKIE_NAMES.dev;
+}
+function getCookieName(isSecure) {
+  return isSecure ? COOKIE_NAMES.secure : COOKIE_NAMES.dev;
+}
+function isTokenExpired(decoded) {
+  if (!decoded.exp) return false;
+  return decoded.exp * 1e3 < Date.now();
+}
+function mapToSession(decoded) {
+  return {
+    user: {
+      id: decoded.sub,
+      email: decoded.email,
+      name: decoded.name || null,
+      image: decoded.picture || null
+    },
+    expires: decoded.exp ? new Date(decoded.exp * 1e3).toISOString() : new Date(Date.now() + 30 * 24 * 60 * 60 * 1e3).toISOString()
+    // Default 30 days
+  };
+}
+async function decodeSessionToken(token, secret, isSecure = false) {
+  if (!token) {
+    return { success: false, error: "missing_token" };
+  }
+  if (!secret) {
+    return { success: false, error: "missing_secret" };
+  }
+  try {
+    const salt = getSalt(isSecure);
+    const decoded = await jwt.decode({ token, secret, salt });
+    if (!decoded) {
+      return { success: false, error: "decode_error" };
+    }
+    if (isTokenExpired(decoded)) {
+      return { success: false, error: "expired" };
+    }
+    const session = mapToSession(decoded);
+    return {
+      success: true,
+      session,
+      decoded
+    };
+  } catch {
+    return { success: false, error: "decode_error" };
+  }
+}
+function extractSessionCookie(cookies) {
+  const secureCookie = cookies.get(COOKIE_NAMES.secure);
+  if (secureCookie?.value) {
+    return { value: secureCookie.value, isSecure: true };
+  }
+  const devCookie = cookies.get(COOKIE_NAMES.dev);
+  if (devCookie?.value) {
+    return { value: devCookie.value, isSecure: false };
+  }
+  return void 0;
+}
+
+// src/roles.ts
+async function fetchUserRoles(options) {
+  const { organizationId, sessionToken, fetchFn = fetch } = options;
+  const isSecure = options.isSecure ?? process.env.NODE_ENV === "production";
+  const kernelUrl = getAuthUrl();
+  const cookieName = getCookieName(isSecure);
+  try {
+    const response = await fetchFn(
+      `${kernelUrl}/api/user/organizations/${organizationId}/roles`,
+      {
+        headers: {
+          Cookie: `${cookieName}=${sessionToken}`
+        },
+        cache: "no-store"
+      }
+    );
+    if (!response.ok) {
+      return {
+        success: false,
+        error: `Failed to fetch roles: ${response.status}`
+      };
+    }
+    const data = await response.json();
+    const roles = data.roles?.map((r) => r.roleName) || [];
+    return { success: true, roles };
+  } catch (error) {
+    return {
+      success: false,
+      error: error instanceof Error ? error.message : "Unknown error"
+    };
+  }
+}
+function hasAnyRole(userRoles, requiredRoles) {
+  if (requiredRoles.length === 0) return true;
+  return requiredRoles.some((role) => userRoles.includes(role));
+}
+function hasAllRoles(userRoles, requiredRoles) {
+  if (requiredRoles.length === 0) return true;
+  return requiredRoles.every((role) => userRoles.includes(role));
+}
+function hasRole(userRoles, role) {
+  return userRoles.includes(role);
+}
+
+// src/routes.ts
+function matchesAnyRoute(pathname, routes) {
+  return routes.some((route) => pathname.startsWith(route));
+}
+function findMatchingProtectedRoute(pathname, protectedRoutes) {
+  for (const [route, roles] of Object.entries(protectedRoutes)) {
+    if (pathname.startsWith(route)) {
+      return { route, requiredRoles: roles };
+    }
+  }
+  return void 0;
+}
+function matchRoute(pathname, config) {
+  if (config.publicRoutes && matchesAnyRoute(pathname, config.publicRoutes)) {
+    return { type: "public" };
+  }
+  const match = findMatchingProtectedRoute(pathname, config.protectedRoutes);
+  if (match) {
+    return { type: "protected", requiredRoles: match.requiredRoles };
+  }
+  return { type: "unprotected" };
+}
+function createConfig(options) {
+  return {
+    basePath: options.basePath,
+    protectedRoutes: options.protectedRoutes || {
+      "/dashboard": [],
+      "/admin": ["organization.owner"]
+    },
+    publicRoutes: options.publicRoutes || []
+  };
+}
+function buildSignInUrl(callbackUrl) {
+  const authUrl = getAuthUrl();
+  const url = new URL("/auth/signin", authUrl);
+  if (callbackUrl) {
+    url.searchParams.set("callbackUrl", callbackUrl);
+  }
+  return url;
+}
+function buildSignOutUrl(callbackUrl) {
+  const authUrl = getAuthUrl();
+  const url = new URL("/auth/signout", authUrl);
+  if (callbackUrl) {
+    url.searchParams.set("callbackUrl", callbackUrl);
+  }
+  return url;
+}
+
+exports.COOKIE_NAMES = COOKIE_NAMES;
+exports.buildSignInUrl = buildSignInUrl;
+exports.buildSignOutUrl = buildSignOutUrl;
+exports.createConfig = createConfig;
+exports.decodeSessionToken = decodeSessionToken;
+exports.extractSessionCookie = extractSessionCookie;
+exports.fetchUserRoles = fetchUserRoles;
+exports.findMatchingProtectedRoute = findMatchingProtectedRoute;
+exports.getCookieName = getCookieName;
+exports.getSalt = getSalt;
+exports.hasAllRoles = hasAllRoles;
+exports.hasAnyRole = hasAnyRole;
+exports.hasRole = hasRole;
+exports.isTokenExpired = isTokenExpired;
+exports.mapToSession = mapToSession;
+exports.matchRoute = matchRoute;
+exports.matchesAnyRoute = matchesAnyRoute;
+//# sourceMappingURL=index.cjs.map
+//# sourceMappingURL=index.cjs.map

package/dist/index.cjs.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../src/jwt.ts","../src/roles.ts","../src/routes.ts"],"names":["decode"],"mappings":";;;;;AAYA,SAAS,iBAAA,GAA4B;AACnC,EAAA,MAAM,UAAA,GAAa,OAAA,CAAQ,GAAA,CAAI,WAAA,IAAe,sBAAA;AAE9C,EAAA,OAAO,WAAW,UAAA,CAAW,WAAW,IAAI,UAAA,CAAW,KAAA,CAAM,EAAE,CAAA,GAAI,UAAA;AACrE;AAMO,IAAM,YAAA,GAAe;AAAA,EAC1B,IAAI,MAAA,GAAiB;AACnB,IAAA,MAAM,WAAW,iBAAA,EAAkB;AAEnC,IAAA,OAAO,YAAY,QAAQ,CAAA,CAAA;AAAA,EAC7B,CAAA;AAAA,EACA,IAAI,GAAA,GAAc;AAChB,IAAA,OAAO,iBAAA,EAAkB;AAAA,EAC3B;AACF;AAMO,SAAS,UAAA,GAAqB;AACnC,EAAA,OAAO,OAAA,CAAQ,GAAA,CAAI,QAAA,IAAY,OAAA,CAAQ,IAAI,QAAA,IAAY,uBAAA;AACzD;AAKO,SAAS,QAAQ,QAAA,EAA2B;AACjD,EAAA,OAAO,QAAA,GAAW,YAAA,CAAa,MAAA,GAAS,YAAA,CAAa,GAAA;AACvD;AAKO,SAAS,cAAc,QAAA,EAA2B;AACvD,EAAA,OAAO,QAAA,GAAW,YAAA,CAAa,MAAA,GAAS,YAAA,CAAa,GAAA;AACvD;AAKO,SAAS,eAAe,OAAA,EAAgC;AAC7D,EAAA,IAAI,CAAC,OAAA,CAAQ,GAAA,EAAK,OAAO,KAAA;AACzB,EAAA,OAAO,OAAA,CAAQ,GAAA,GAAM,GAAA,GAAO,IAAA,CAAK,GAAA,EAAI;AACvC;AAKO,SAAS,aAAa,OAAA,EAAgC;AAC3D,EAAA,OAAO;AAAA,IACL,IAAA,EAAM;AAAA,MACJ,IAAI,OAAA,CAAQ,GAAA;AAAA,MACZ,OAAO,OAAA,CAAQ,KAAA;AAAA,MACf,IAAA,EAAO,QAAQ,IAAA,IAAmB,IAAA;AAAA,MAClC,KAAA,EAAQ,QAAQ,OAAA,IAAsB;AAAA,KACxC;AAAA,IACA,OAAA,EAAS,QAAQ,GAAA,GACb,IAAI,KAAK,OAAA,CAAQ,GAAA,GAAM,GAAI,CAAA,CAAE,WAAA,EAAY,GACzC,IAAI,IAAA,CAAK,IAAA,CAAK,KAAI,GAAI,EAAA,GAAK,KAAK,EAAA,GAAK,EAAA,GAAK,GAAI,CAAA,CAAE,WAAA;AAAY;AAAA,GAClE;AACF;AAwBA,eAAsB,kBAAA,CACpB,KAAA,EACA,MAAA,EACA,QAAA,GAAoB,KAAA,EACG;AACvB,EAAA,IAAI,CAAC,KAAA,EAAO;AACV,IAAA,OAAO,EAAE,OAAA,EAAS,KAAA,EAAO,KAAA,EAAO,eAAA,EAAgB;AAAA,EAClD;AAEA,EAAA,IAAI,CAAC,MAAA,EAAQ;AACX,IAAA,OAAO,EAAE,OAAA,EAAS,KAAA,EAAO,KAAA,EAAO,gBAAA,EAAiB;AAAA,EACnD;AAEA,EAAA,IAAI;AACF,IAAA,MAAM,IAAA,GAAO,QAAQ,QAAQ,CAAA;AAC7B,IAAA,MAAM,UAAU,MAAMA,UAAA,CAAO,EAAE,KAAA,EAAO,MAAA,EAAQ,MAAM,CAAA;AAEpD,IAAA,IAAI,CAAC,OAAA,EAAS;AACZ,MAAA,OAAO,EAAE,OAAA,EAAS,KAAA,EAAO,KAAA,EAAO,cAAA,EAAe;AAAA,IACjD;AAEA,IAAA,IAAI,cAAA,CAAe,OAAuB,CAAA,EAAG;AAC3C,MAAA,OAAO,EAAE,OAAA,EAAS,KAAA,EAAO,KAAA,EAAO,SAAA,EAAU;AAAA,IAC5C;AAEA,IAAA,MAAM,OAAA,GAAU,aAAa,OAAuB,CAAA;AACpD,IAAA,OAAO;AAAA,MACL,OAAA,EAAS,IAAA;AAAA,MACT,OAAA;AAAA,MACA;AAAA,KACF;AAAA,EACF,CAAA,CAAA,MAAQ;AACN,IAAA,OAAO,EAAE,OAAA,EAAS,KAAA,EAAO,KAAA,EAAO,cAAA,EAAe;AAAA,EACjD;AACF;AAWO,SAAS,qBAAqB,OAAA,EAEP;AAE5B,EAAA,MAAM,YAAA,GAAe,OAAA,CAAQ,GAAA,CAAI,YAAA,CAAa,MAAM,CAAA;AACpD,EAAA,IAAI,cAAc,KAAA,EAAO;AACvB,IAAA,OAAO,EAAE,KAAA,EAAO,YAAA,CAAa,KAAA,EAAO,UAAU,IAAA,EAAK;AAAA,EACrD;AAGA,EAAA,MAAM,SAAA,GAAY,OAAA,CAAQ,GAAA,CAAI,YAAA,CAAa,GAAG,CAAA;AAC9C,EAAA,IAAI,WAAW,KAAA,EAAO;AACpB,IAAA,OAAO,EAAE,KAAA,EAAO,SAAA,CAAU,KAAA,EAAO,UAAU,KAAA,EAAM;AAAA,EACnD;AAEA,EAAA,OAAO,MAAA;AACT;;;ACrGA,eAAsB,eACpB,OAAA,EAC2B;AAC3B,EAAA,MAAM,EAAE,cAAA,EAAgB,YAAA,EAAc,OAAA,GAAU,OAAM,GAAI,OAAA;AAE1D,EAAA,MAAM,QAAA,GAAW,OAAA,CAAQ,QAAA,IAAa,OAAA,CAAQ,IAAI,QAAA,KAAa,YAAA;AAC/D,EAAA,MAAM,YAAY,UAAA,EAAW;AAC7B,EAAA,MAAM,UAAA,GAAa,cAAc,QAAQ,CAAA;AAEzC,EAAA,IAAI;AACF,IAAA,MAAM,WAAW,MAAM,OAAA;AAAA,MACrB,CAAA,EAAG,SAAS,CAAA,wBAAA,EAA2B,cAAc,CAAA,MAAA,CAAA;AAAA,MACrD;AAAA,QACE,OAAA,EAAS;AAAA,UACP,MAAA,EAAQ,CAAA,EAAG,UAAU,CAAA,CAAA,EAAI,YAAY,CAAA;AAAA,SACvC;AAAA,QACA,KAAA,EAAO;AAAA;AACT,KACF;AAEA,IAAA,IAAI,CAAC,SAAS,EAAA,EAAI;AAChB,MAAA,OAAO;AAAA,QACL,OAAA,EAAS,KAAA;AAAA,QACT,KAAA,EAAO,CAAA,uBAAA,EAA0B,QAAA,CAAS,MAAM,CAAA;AAAA,OAClD;AAAA,IACF;AAEA,IAAA,MAAM,IAAA,GAAO,MAAM,QAAA,CAAS,IAAA,EAAK;AACjC,IAAA,MAAM,KAAA,GAAQ,KAAK,KAAA,EAAO,GAAA,CAAI,CAAC,CAAA,KAA4B,CAAA,CAAE,QAAQ,CAAA,IAAK,EAAC;AAE3E,IAAA,OAAO,EAAE,OAAA,EAAS,IAAA,EAAM,KAAA,EAAM;AAAA,EAChC,SAAS,KAAA,EAAO;AACd,IAAA,OAAO;AAAA,MACL,OAAA,EAAS,KAAA;AAAA,MACT,KAAA,EAAO,KAAA,YAAiB,KAAA,GAAQ,KAAA,CAAM,OAAA,GAAU;AAAA,KAClD;AAAA,EACF;AACF;AAKO,SAAS,UAAA,CAAW,WAAqB,aAAA,EAAkC;AAChF,EAAA,IAAI,aAAA,CAAc,MAAA,KAAW,CAAA,EAAG,OAAO,IAAA;AACvC,EAAA,OAAO,cAAc,IAAA,CAAK,CAAC,SAAS,SAAA,CAAU,QAAA,CAAS,IAAI,CAAC,CAAA;AAC9D;AAKO,SAAS,WAAA,CAAY,WAAqB,aAAA,EAAkC;AACjF,EAAA,IAAI,aAAA,CAAc,MAAA,KAAW,CAAA,EAAG,OAAO,IAAA;AACvC,EAAA,OAAO,cAAc,KAAA,CAAM,CAAC,SAAS,SAAA,CAAU,QAAA,CAAS,IAAI,CAAC,CAAA;AAC/D;AAKO,SAAS,OAAA,CAAQ,WAAqB,IAAA,EAAuB;AAClE,EAAA,OAAO,SAAA,CAAU,SAAS,IAAI,CAAA;AAChC;;;AC/GO,SAAS,eAAA,CAAgB,UAAkB,MAAA,EAA2B;AAC3E,EAAA,OAAO,OAAO,IAAA,CAAK,CAAC,UAAU,QAAA,CAAS,UAAA,CAAW,KAAK,CAAC,CAAA;AAC1D;AAKO,SAAS,0BAAA,CACd,UACA,eAAA,EACwD;AACxD,EAAA,KAAA,MAAW,CAAC,KAAA,EAAO,KAAK,KAAK,MAAA,CAAO,OAAA,CAAQ,eAAe,CAAA,EAAG;AAC5D,IAAA,IAAI,QAAA,CAAS,UAAA,CAAW,KAAK,CAAA,EAAG;AAC9B,MAAA,OAAO,EAAE,KAAA,EAAO,aAAA,EAAe,KAAA,EAAM;AAAA,IACvC;AAAA,EACF;AACA,EAAA,OAAO,MAAA;AACT;AAkBO,SAAS,UAAA,CACd,UACA,MAAA,EACY;AAEZ,EAAA,IAAI,OAAO,YAAA,IAAgB,eAAA,CAAgB,QAAA,EAAU,MAAA,CAAO,YAAY,CAAA,EAAG;AACzE,IAAA,OAAO,EAAE,MAAM,QAAA,EAAS;AAAA,EAC1B;AAGA,EAAA,MAAM,KAAA,GAAQ,0BAAA,CAA2B,QAAA,EAAU,MAAA,CAAO,eAAe,CAAA;AACzE,EAAA,IAAI,KAAA,EAAO;AACT,IAAA,OAAO,EAAE,IAAA,EAAM,WAAA,EAAa,aAAA,EAAe,MAAM,aAAA,EAAc;AAAA,EACjE;AAGA,EAAA,OAAO,EAAE,MAAM,aAAA,EAAc;AAC/B;AAKO,SAAS,aACd,OAAA,EACqB;AACrB,EAAA,OAAO;AAAA,IACL,UAAU,OAAA,CAAQ,QAAA;AAAA,IAClB,eAAA,EAAiB,QAAQ,eAAA,IAAmB;AAAA,MAC1C,cAAc,EAAC;AAAA,MACf,QAAA,EAAU,CAAC,oBAAoB;AAAA,KACjC;AAAA,IACA,YAAA,EAAc,OAAA,CAAQ,YAAA,IAAgB;AAAC,GACzC;AACF;AAQO,SAAS,eAAe,WAAA,EAA2B;AACxD,EAAA,MAAM,UAAU,UAAA,EAAW;AAC3B,EAAA,MAAM,GAAA,GAAM,IAAI,GAAA,CAAI,cAAA,EAAgB,OAAO,CAAA;AAC3C,EAAA,IAAI,WAAA,EAAa;AACf,IAAA,GAAA,CAAI,YAAA,CAAa,GAAA,CAAI,aAAA,EAAe,WAAW,CAAA;AAAA,EACjD;AACA,EAAA,OAAO,GAAA;AACT;AAQO,SAAS,gBAAgB,WAAA,EAA2B;AACzD,EAAA,MAAM,UAAU,UAAA,EAAW;AAC3B,EAAA,MAAM,GAAA,GAAM,IAAI,GAAA,CAAI,eAAA,EAAiB,OAAO,CAAA;AAC5C,EAAA,IAAI,WAAA,EAAa;AACf,IAAA,GAAA,CAAI,YAAA,CAAa,GAAA,CAAI,aAAA,EAAe,WAAW,CAAA;AAAA,EACjD;AACA,EAAA,OAAO,GAAA;AACT","file":"index.cjs","sourcesContent":["/**\n * Kernel Bridge JWT\n * Framework-agnostic JWT decoding for AuthJS/NextAuth tokens\n */\n\nimport { decode } from \"@auth/core/jwt\"\nimport type { Session, SessionCookie, DecodeResult, DecodedToken } from \"./types\"\n\n/**\n * Get the base cookie name from AUTH_COOKIE env var or default to authjs.session-token\n * Strips __Secure- prefix if present, as it will be added automatically for secure cookies\n */\nfunction getBaseCookieName(): string {\n  const cookieName = process.env.AUTH_COOKIE || \"authjs.session-token\"\n  // Remove __Secure- prefix if present, as we'll add it back for secure cookies\n  return cookieName.startsWith(\"__Secure-\") ? cookieName.slice(10) : cookieName\n}\n\n/**\n * Cookie names used by AuthJS/NextAuth\n * Defaults to authjs.session-token, can be overridden via AUTH_COOKIE env var\n */\nexport const COOKIE_NAMES = {\n  get secure(): string {\n    const baseName = getBaseCookieName()\n    // Secure cookies must start with __Secure- prefix\n    return `__Secure-${baseName}`\n  },\n  get dev(): string {\n    return getBaseCookieName()\n  },\n} as const\n\n/**\n * Get the AUTH_URL from environment variables\n * This is used internally for API calls to the kernel\n */\nexport function getAuthUrl(): string {\n  return process.env.AUTH_URL || process.env.BASE_URL || \"http://localhost:3000\"\n}\n\n/**\n * Get the appropriate salt for JWT decoding based on cookie type\n */\nexport function getSalt(isSecure: boolean): string {\n  return isSecure ? COOKIE_NAMES.secure : COOKIE_NAMES.dev\n}\n\n/**\n * Get the cookie name based on security mode\n */\nexport function getCookieName(isSecure: boolean): string {\n  return isSecure ? COOKIE_NAMES.secure : COOKIE_NAMES.dev\n}\n\n/**\n * Check if a token is expired\n */\nexport function isTokenExpired(decoded: DecodedToken): boolean {\n  if (!decoded.exp) return false\n  return decoded.exp * 1000 < Date.now()\n}\n\n/**\n * Map decoded JWT payload to Session structure\n */\nexport function mapToSession(decoded: DecodedToken): Session {\n  return {\n    user: {\n      id: decoded.sub as string,\n      email: decoded.email as string,\n      name: (decoded.name as string) || null,\n      image: (decoded.picture as string) || null,\n    },\n    expires: decoded.exp\n      ? new Date(decoded.exp * 1000).toISOString()\n      : new Date(Date.now() + 30 * 24 * 60 * 60 * 1000).toISOString(), // Default 30 days\n  }\n}\n\n/**\n * Decode and validate a session token\n *\n * This is the core function - framework-agnostic JWT decoding.\n * The caller is responsible for extracting the token from their framework's\n * cookie/header mechanism.\n *\n * @param token - The JWT session token\n * @param secret - The AUTH_SECRET used to sign the token\n * @param isSecure - Whether the token came from a secure cookie\n * @returns DecodeResult with session data or error\n *\n * @example\n * ```typescript\n * const result = await decodeSessionToken(token, process.env.AUTH_SECRET, isSecure)\n * if (result.success) {\n *   console.log(result.session.user.email)\n * } else {\n *   console.error(result.error)\n * }\n * ```\n */\nexport async function decodeSessionToken(\n  token: string | undefined,\n  secret: string | undefined,\n  isSecure: boolean = false\n): Promise<DecodeResult> {\n  if (!token) {\n    return { success: false, error: \"missing_token\" }\n  }\n\n  if (!secret) {\n    return { success: false, error: \"missing_secret\" }\n  }\n\n  try {\n    const salt = getSalt(isSecure)\n    const decoded = await decode({ token, secret, salt })\n\n    if (!decoded) {\n      return { success: false, error: \"decode_error\" }\n    }\n\n    if (isTokenExpired(decoded as DecodedToken)) {\n      return { success: false, error: \"expired\" }\n    }\n\n    const session = mapToSession(decoded as DecodedToken)\n    return {\n      success: true,\n      session,\n      decoded: decoded as DecodedToken,\n    }\n  } catch {\n    return { success: false, error: \"decode_error\" }\n  }\n}\n\n/**\n * Extract session cookie from a cookies object (generic interface)\n *\n * This works with any object that has a `get(name)` method returning\n * `{ value: string } | undefined`, like Next.js cookies() or similar.\n *\n * @param cookies - Object with get(name) method\n * @returns SessionCookie or undefined if no session cookie found\n */\nexport function extractSessionCookie(cookies: {\n  get(name: string): { value: string } | undefined\n}): SessionCookie | undefined {\n  // Try secure cookie first (production with HTTPS)\n  const secureCookie = cookies.get(COOKIE_NAMES.secure)\n  if (secureCookie?.value) {\n    return { value: secureCookie.value, isSecure: true }\n  }\n\n  // Fall back to non-secure cookie (development)\n  const devCookie = cookies.get(COOKIE_NAMES.dev)\n  if (devCookie?.value) {\n    return { value: devCookie.value, isSecure: false }\n  }\n\n  return undefined\n}\n","/**\n * Kernel Bridge Roles\n * Role checking and permission utilities\n */\n\nimport { getCookieName, getAuthUrl } from \"./jwt\"\n\n/**\n * Options for fetching user roles from the kernel\n */\nexport interface FetchRolesOptions {\n  /**\n   * Organization ID to fetch roles in\n   */\n  organizationId: string\n\n  /**\n   * Session token for authentication (user ID is determined from the token)\n   */\n  sessionToken: string\n\n  /**\n   * Whether using secure cookie\n   * Defaults to NODE_ENV === \"production\" if not provided\n   */\n  isSecure?: boolean\n\n  /**\n   * Custom fetch function (optional, for testing or SSR)\n   */\n  fetchFn?: typeof fetch\n}\n\n/**\n * Result of role fetching operation\n */\nexport type FetchRolesResult =\n  | { success: true; roles: string[] }\n  | { success: false; error: string }\n\n/**\n * Fetch user roles from the kernel API\n *\n * This is a framework-agnostic function that makes a fetch request\n * to the kernel's roles endpoint. Uses AUTH_URL environment variable internally.\n * The user ID is determined from the session token.\n *\n * @param options - Configuration for fetching roles\n * @returns Promise with roles array or error\n *\n * @example\n * ```typescript\n * const result = await fetchUserRoles({\n *   organizationId: \"org-123\",\n *   sessionToken: token,\n *   // isSecure defaults to NODE_ENV === \"production\"\n * })\n * if (result.success) {\n *   console.log(result.roles)\n * }\n * ```\n */\nexport async function fetchUserRoles(\n  options: FetchRolesOptions\n): Promise<FetchRolesResult> {\n  const { organizationId, sessionToken, fetchFn = fetch } = options\n  // Default isSecure to production mode\n  const isSecure = options.isSecure ?? (process.env.NODE_ENV === \"production\")\n  const kernelUrl = getAuthUrl()\n  const cookieName = getCookieName(isSecure)\n\n  try {\n    const response = await fetchFn(\n      `${kernelUrl}/api/user/organizations/${organizationId}/roles`,\n      {\n        headers: {\n          Cookie: `${cookieName}=${sessionToken}`,\n        },\n        cache: \"no-store\",\n      }\n    )\n\n    if (!response.ok) {\n      return {\n        success: false,\n        error: `Failed to fetch roles: ${response.status}`,\n      }\n    }\n\n    const data = await response.json()\n    const roles = data.roles?.map((r: { roleName: string }) => r.roleName) || []\n\n    return { success: true, roles }\n  } catch (error) {\n    return {\n      success: false,\n      error: error instanceof Error ? error.message : \"Unknown error\",\n    }\n  }\n}\n\n/**\n * Check if user has at least one of the required roles\n */\nexport function hasAnyRole(userRoles: string[], requiredRoles: string[]): boolean {\n  if (requiredRoles.length === 0) return true // No roles required = any authenticated user\n  return requiredRoles.some((role) => userRoles.includes(role))\n}\n\n/**\n * Check if user has all of the required roles\n */\nexport function hasAllRoles(userRoles: string[], requiredRoles: string[]): boolean {\n  if (requiredRoles.length === 0) return true\n  return requiredRoles.every((role) => userRoles.includes(role))\n}\n\n/**\n * Check if user has a specific role\n */\nexport function hasRole(userRoles: string[], role: string): boolean {\n  return userRoles.includes(role)\n}\n\n","/**\n * Kernel Bridge Routes\n * Route matching and protection utilities\n */\n\nimport { getAuthUrl } from \"./jwt\"\nimport type { RouteConfig, RouteMatch, MicroFrontendConfig } from \"./types\"\n\n/**\n * Check if a pathname matches any route in the list\n */\nexport function matchesAnyRoute(pathname: string, routes: string[]): boolean {\n  return routes.some((route) => pathname.startsWith(route))\n}\n\n/**\n * Find the first matching protected route for a pathname\n */\nexport function findMatchingProtectedRoute(\n  pathname: string,\n  protectedRoutes: RouteConfig\n): { route: string; requiredRoles: string[] } | undefined {\n  for (const [route, roles] of Object.entries(protectedRoutes)) {\n    if (pathname.startsWith(route)) {\n      return { route, requiredRoles: roles }\n    }\n  }\n  return undefined\n}\n\n/**\n * Match a pathname against route configuration\n *\n * @param pathname - The URL pathname to match\n * @param config - Micro-frontend configuration\n * @returns RouteMatch indicating the type of route\n *\n * @example\n * ```typescript\n * const match = matchRoute(\"/dashboard\", {\n *   publicRoutes: [\"/\", \"/api/health\"],\n *   protectedRoutes: { \"/dashboard\": [], \"/admin\": [\"organization.owner\"] },\n * })\n * // Returns: { type: \"protected\", requiredRoles: [] }\n * ```\n */\nexport function matchRoute(\n  pathname: string,\n  config: Pick<MicroFrontendConfig, \"publicRoutes\" | \"protectedRoutes\">\n): RouteMatch {\n  // Check public routes first (if specified)\n  if (config.publicRoutes && matchesAnyRoute(pathname, config.publicRoutes)) {\n    return { type: \"public\" }\n  }\n\n  // Check protected routes\n  const match = findMatchingProtectedRoute(pathname, config.protectedRoutes)\n  if (match) {\n    return { type: \"protected\", requiredRoles: match.requiredRoles }\n  }\n\n  // Not explicitly configured = unprotected\n  return { type: \"unprotected\" }\n}\n\n/**\n * Create a default configuration for a micro-frontend\n */\nexport function createConfig(\n  options: Partial<MicroFrontendConfig> & Pick<MicroFrontendConfig, \"basePath\">\n): MicroFrontendConfig {\n  return {\n    basePath: options.basePath,\n    protectedRoutes: options.protectedRoutes || {\n      \"/dashboard\": [],\n      \"/admin\": [\"organization.owner\"],\n    },\n    publicRoutes: options.publicRoutes || [],\n  }\n}\n\n/**\n * Build a sign-in redirect URL\n * Uses AUTH_URL environment variable internally.\n * \n * @param callbackUrl - Optional callback URL to return to after sign-in\n */\nexport function buildSignInUrl(callbackUrl?: string): URL {\n  const authUrl = getAuthUrl()\n  const url = new URL(\"/auth/signin\", authUrl)\n  if (callbackUrl) {\n    url.searchParams.set(\"callbackUrl\", callbackUrl)\n  }\n  return url\n}\n\n/**\n * Build a sign-out redirect URL\n * Uses AUTH_URL environment variable internally.\n * \n * @param callbackUrl - Optional callback URL to return to after sign-out\n */\nexport function buildSignOutUrl(callbackUrl?: string): URL {\n  const authUrl = getAuthUrl()\n  const url = new URL(\"/auth/signout\", authUrl)\n  if (callbackUrl) {\n    url.searchParams.set(\"callbackUrl\", callbackUrl)\n  }\n  return url\n}\n\n"]}

package/dist/index.d.cts

@@ -0,0 +1,195 @@
+import { D as DecodeResult, S as SessionCookie, a as DecodedToken, b as Session, M as MicroFrontendConfig, R as RouteMatch, c as RouteConfig } from './types-YvOY9KNP.cjs';
+export { d as SessionUser } from './types-YvOY9KNP.cjs';
+
+/**
+ * Kernel Bridge JWT
+ * Framework-agnostic JWT decoding for AuthJS/NextAuth tokens
+ */
+
+/**
+ * Cookie names used by AuthJS/NextAuth
+ * Defaults to authjs.session-token, can be overridden via AUTH_COOKIE env var
+ */
+declare const COOKIE_NAMES: {
+    readonly secure: string;
+    readonly dev: string;
+};
+/**
+ * Get the appropriate salt for JWT decoding based on cookie type
+ */
+declare function getSalt(isSecure: boolean): string;
+/**
+ * Get the cookie name based on security mode
+ */
+declare function getCookieName(isSecure: boolean): string;
+/**
+ * Check if a token is expired
+ */
+declare function isTokenExpired(decoded: DecodedToken): boolean;
+/**
+ * Map decoded JWT payload to Session structure
+ */
+declare function mapToSession(decoded: DecodedToken): Session;
+/**
+ * Decode and validate a session token
+ *
+ * This is the core function - framework-agnostic JWT decoding.
+ * The caller is responsible for extracting the token from their framework's
+ * cookie/header mechanism.
+ *
+ * @param token - The JWT session token
+ * @param secret - The AUTH_SECRET used to sign the token
+ * @param isSecure - Whether the token came from a secure cookie
+ * @returns DecodeResult with session data or error
+ *
+ * @example
+ * ```typescript
+ * const result = await decodeSessionToken(token, process.env.AUTH_SECRET, isSecure)
+ * if (result.success) {
+ *   console.log(result.session.user.email)
+ * } else {
+ *   console.error(result.error)
+ * }
+ * ```
+ */
+declare function decodeSessionToken(token: string | undefined, secret: string | undefined, isSecure?: boolean): Promise<DecodeResult>;
+/**
+ * Extract session cookie from a cookies object (generic interface)
+ *
+ * This works with any object that has a `get(name)` method returning
+ * `{ value: string } | undefined`, like Next.js cookies() or similar.
+ *
+ * @param cookies - Object with get(name) method
+ * @returns SessionCookie or undefined if no session cookie found
+ */
+declare function extractSessionCookie(cookies: {
+    get(name: string): {
+        value: string;
+    } | undefined;
+}): SessionCookie | undefined;
+
+/**
+ * Kernel Bridge Roles
+ * Role checking and permission utilities
+ */
+/**
+ * Options for fetching user roles from the kernel
+ */
+interface FetchRolesOptions {
+    /**
+     * Organization ID to fetch roles in
+     */
+    organizationId: string;
+    /**
+     * Session token for authentication (user ID is determined from the token)
+     */
+    sessionToken: string;
+    /**
+     * Whether using secure cookie
+     * Defaults to NODE_ENV === "production" if not provided
+     */
+    isSecure?: boolean;
+    /**
+     * Custom fetch function (optional, for testing or SSR)
+     */
+    fetchFn?: typeof fetch;
+}
+/**
+ * Result of role fetching operation
+ */
+type FetchRolesResult = {
+    success: true;
+    roles: string[];
+} | {
+    success: false;
+    error: string;
+};
+/**
+ * Fetch user roles from the kernel API
+ *
+ * This is a framework-agnostic function that makes a fetch request
+ * to the kernel's roles endpoint. Uses AUTH_URL environment variable internally.
+ * The user ID is determined from the session token.
+ *
+ * @param options - Configuration for fetching roles
+ * @returns Promise with roles array or error
+ *
+ * @example
+ * ```typescript
+ * const result = await fetchUserRoles({
+ *   organizationId: "org-123",
+ *   sessionToken: token,
+ *   // isSecure defaults to NODE_ENV === "production"
+ * })
+ * if (result.success) {
+ *   console.log(result.roles)
+ * }
+ * ```
+ */
+declare function fetchUserRoles(options: FetchRolesOptions): Promise<FetchRolesResult>;
+/**
+ * Check if user has at least one of the required roles
+ */
+declare function hasAnyRole(userRoles: string[], requiredRoles: string[]): boolean;
+/**
+ * Check if user has all of the required roles
+ */
+declare function hasAllRoles(userRoles: string[], requiredRoles: string[]): boolean;
+/**
+ * Check if user has a specific role
+ */
+declare function hasRole(userRoles: string[], role: string): boolean;
+
+/**
+ * Kernel Bridge Routes
+ * Route matching and protection utilities
+ */
+
+/**
+ * Check if a pathname matches any route in the list
+ */
+declare function matchesAnyRoute(pathname: string, routes: string[]): boolean;
+/**
+ * Find the first matching protected route for a pathname
+ */
+declare function findMatchingProtectedRoute(pathname: string, protectedRoutes: RouteConfig): {
+    route: string;
+    requiredRoles: string[];
+} | undefined;
+/**
+ * Match a pathname against route configuration
+ *
+ * @param pathname - The URL pathname to match
+ * @param config - Micro-frontend configuration
+ * @returns RouteMatch indicating the type of route
+ *
+ * @example
+ * ```typescript
+ * const match = matchRoute("/dashboard", {
+ *   publicRoutes: ["/", "/api/health"],
+ *   protectedRoutes: { "/dashboard": [], "/admin": ["organization.owner"] },
+ * })
+ * // Returns: { type: "protected", requiredRoles: [] }
+ * ```
+ */
+declare function matchRoute(pathname: string, config: Pick<MicroFrontendConfig, "publicRoutes" | "protectedRoutes">): RouteMatch;
+/**
+ * Create a default configuration for a micro-frontend
+ */
+declare function createConfig(options: Partial<MicroFrontendConfig> & Pick<MicroFrontendConfig, "basePath">): MicroFrontendConfig;
+/**
+ * Build a sign-in redirect URL
+ * Uses AUTH_URL environment variable internally.
+ *
+ * @param callbackUrl - Optional callback URL to return to after sign-in
+ */
+declare function buildSignInUrl(callbackUrl?: string): URL;
+/**
+ * Build a sign-out redirect URL
+ * Uses AUTH_URL environment variable internally.
+ *
+ * @param callbackUrl - Optional callback URL to return to after sign-out
+ */
+declare function buildSignOutUrl(callbackUrl?: string): URL;
+
+export { COOKIE_NAMES, DecodeResult, DecodedToken, type FetchRolesOptions, type FetchRolesResult, MicroFrontendConfig, RouteConfig, RouteMatch, Session, SessionCookie, buildSignInUrl, buildSignOutUrl, createConfig, decodeSessionToken, extractSessionCookie, fetchUserRoles, findMatchingProtectedRoute, getCookieName, getSalt, hasAllRoles, hasAnyRole, hasRole, isTokenExpired, mapToSession, matchRoute, matchesAnyRoute };