npm - @monocloud/auth-nextjs - Versions diffs - 0.1.1 → 0.1.2 - Mend

@monocloud/auth-nextjs 0.1.1 → 0.1.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (27) hide show

package/dist/client/index.cjs +1 -1
package/dist/client/index.d.mts +136 -3
package/dist/client/index.mjs +1 -1
package/dist/{client-BjnSJS59.cjs → client-Be6A2vEn.cjs} +149 -10
package/dist/client-Be6A2vEn.cjs.map +1 -0
package/dist/client-CnvBgZM-.mjs +244 -0
package/dist/client-CnvBgZM-.mjs.map +1 -0
package/dist/components/client/index.cjs +156 -3
package/dist/components/client/index.cjs.map +1 -1
package/dist/components/client/index.d.mts +156 -3
package/dist/components/client/index.mjs +156 -3
package/dist/components/client/index.mjs.map +1 -1
package/dist/components/index.cjs +84 -1
package/dist/components/index.cjs.map +1 -1
package/dist/components/index.d.mts +86 -1
package/dist/components/index.mjs +84 -1
package/dist/components/index.mjs.map +1 -1
package/dist/index.cjs +716 -333
package/dist/index.cjs.map +1 -1
package/dist/index.d.mts +1890 -56
package/dist/index.mjs +691 -308
package/dist/index.mjs.map +1 -1
package/dist/{types-BleaXQUP.d.mts → types-DOfZTKa6.d.mts} +90 -141
package/package.json +2 -2
package/dist/client-0gaUvMR7.mjs +0 -105
package/dist/client-0gaUvMR7.mjs.map +0 -1
package/dist/client-BjnSJS59.cjs.map +0 -1

package/dist/index.cjs CHANGED Viewed

@@ -1,21 +1,15 @@
 const require_chunk = require('./chunk-CbDLau6x.cjs');
 let _monocloud_auth_node_core = require("@monocloud/auth-node-core");
-let next_server = require("next/server");
-let next_navigation = require("next/navigation");
+let next_server_js = require("next/server.js");
 let _monocloud_auth_node_core_internal = require("@monocloud/auth-node-core/internal");
 let _monocloud_auth_node_core_utils = require("@monocloud/auth-node-core/utils");
 let cookie = require("cookie");
+let node_http = require("node:http");
 //#region src/requests/monocloud-app-router-request.ts
 var MonoCloudAppRouterRequest = class {
-	constructor(req, ctx) {
+	constructor(req) {
 		this.req = req;
-		this.ctx = ctx;
-	}
-	/* v8 ignore next */
-	getRoute(parameter) {
-		var _this$ctx$params;
-		return (_this$ctx$params = this.ctx.params) === null || _this$ctx$params === void 0 ? void 0 : _this$ctx$params[parameter];
 	}
 	getQuery(parameter) {
 		return new URL(this.req.url).searchParams.get(parameter) ?? void 0;
@@ -47,10 +41,6 @@ var MonoCloudPageRouterRequest = class {
 		this.req = req;
 	}
 	/* v8 ignore next */
-	getRoute(parameter) {
-		return this.req.query[parameter];
-	}
-	/* v8 ignore next */
 	getQuery(parameter) {
 		return this.req.query[parameter];
 	}
@@ -90,14 +80,14 @@ var MonoCloudAppRouterResponse = class {
 	}
 	redirect(url, statusCode = 302) {
 		const { headers } = this.res;
-		this.res = next_server.NextResponse.redirect(url, {
+		this.res = next_server_js.NextResponse.redirect(url, {
 			status: statusCode,
 			headers
 		});
 	}
 	sendJson(data, statusCode) {
 		const { headers } = this.res;
-		this.res = next_server.NextResponse.json(data, {
+		this.res = next_server_js.NextResponse.json(data, {
 			status: statusCode,
 			headers
 		});
@@ -105,28 +95,28 @@ var MonoCloudAppRouterResponse = class {
 	/* v8 ignore next */
 	notFound() {
 		const { headers } = this.res;
-		this.res = new next_server.NextResponse(null, {
+		this.res = new next_server_js.NextResponse(null, {
 			status: 404,
 			headers
 		});
 	}
 	internalServerError() {
 		const { headers } = this.res;
-		this.res = new next_server.NextResponse(null, {
+		this.res = new next_server_js.NextResponse(null, {
 			status: 500,
 			headers
 		});
 	}
 	noContent() {
 		const { headers } = this.res;
-		this.res = new next_server.NextResponse(null, {
+		this.res = new next_server_js.NextResponse(null, {
 			status: 204,
 			headers
 		});
 	}
 	methodNotAllowed() {
 		const { headers } = this.res;
-		this.res = new next_server.NextResponse(null, {
+		this.res = new next_server_js.NextResponse(null, {
 			status: 405,
 			headers
 		});
@@ -189,17 +179,64 @@ var MonoCloudPageRouterResponse = class {
 	}
 };
+//#endregion
+//#region src/responses/monocloud-cookie-response.ts
+let isWarned = false;
+var MonoCloudCookieResponse = class {
+	async setCookie(cookieName, value, options) {
+		try {
+			const { cookies } = await import("next/headers");
+			(await cookies()).set(cookieName, value, options);
+		} catch (e) {
+			if (!isWarned) {
+				console.warn(e.message);
+				isWarned = true;
+			}
+		}
+	}
+};
+//#endregion
+//#region src/requests/monocloud-cookie-request.ts
+var MonoCloudCookieRequest = class {
+	/* v8 ignore next */
+	async getCookie(name) {
+		var _await$cookies$get;
+		const { cookies } = await import("next/headers");
+		return (_await$cookies$get = (await cookies()).get(name)) === null || _await$cookies$get === void 0 ? void 0 : _await$cookies$get.value;
+	}
+	async getAllCookies() {
+		const values = /* @__PURE__ */ new Map();
+		const { cookies } = await import("next/headers");
+		(await cookies()).getAll().forEach((x) => {
+			values.set(x.name, x.value);
+		});
+		return values;
+	}
+};
 //#endregion
 //#region src/utils.ts
+const isMonoCloudRequest = (req) => req instanceof MonoCloudAppRouterRequest || req instanceof MonoCloudPageRouterRequest || req instanceof MonoCloudCookieRequest;
+const isMonoCloudResponse = (res) => res instanceof MonoCloudAppRouterResponse || res instanceof MonoCloudPageRouterResponse || res instanceof MonoCloudCookieResponse;
 const isAppRouter = (req) => req instanceof Request || req.headers instanceof Headers || typeof req.bodyUsed === "boolean";
-const getMonoCloudReqRes = (req, resOrCtx) => {
+const getNextRequest = (req) => {
+	if (req instanceof next_server_js.NextRequest) return req;
+	return new next_server_js.NextRequest(req);
+};
+const getNextResponse = (res) => {
+	if (res instanceof next_server_js.NextResponse) return res;
+	if (res instanceof Response) return new next_server_js.NextResponse(res.body, res);
+	return new next_server_js.NextResponse();
+};
+const getMonoCloudCookieReqRes = (req, resOrCtx) => {
 	let request;
 	let response;
 	if (isAppRouter(req)) {
-		request = new MonoCloudAppRouterRequest(req, resOrCtx instanceof next_server.NextResponse ? { params: {} } : resOrCtx);
-		response = new MonoCloudAppRouterResponse(resOrCtx instanceof next_server.NextResponse ? resOrCtx : new next_server.NextResponse());
+		request = new MonoCloudAppRouterRequest(getNextRequest(req));
+		response = resOrCtx instanceof Response ? new MonoCloudAppRouterResponse(getNextResponse(resOrCtx)) : new MonoCloudCookieResponse();
 	} else {
-		/* c8 ignore start */
+		if (!(req instanceof node_http.IncomingMessage) || !(resOrCtx instanceof node_http.ServerResponse)) throw new _monocloud_auth_node_core.MonoCloudValidationError("Invalid pages router request and response");
 		request = new MonoCloudPageRouterRequest(req);
 		response = new MonoCloudPageRouterResponse(resOrCtx);
 	}
@@ -210,7 +247,7 @@ const getMonoCloudReqRes = (req, resOrCtx) => {
 };
 const mergeResponse = (responses) => {
 	const resp = responses.pop();
-	if (!resp) return new next_server.NextResponse();
+	if (!resp) return new next_server_js.NextResponse();
 	responses.forEach((response) => {
 		response.headers.forEach((v, k) => {
 			if (k === "location" && !resp.headers.has(k) || k !== "location") resp.headers.set(k, v);
@@ -223,214 +260,189 @@ const mergeResponse = (responses) => {
 	return resp;
 };
-//#endregion
-//#region src/requests/monocloud-cookie-request.ts
-var MonoCloudCookieRequest = class {
-	/* v8 ignore next */
-	async getCookie(name) {
-		var _await$cookies$get;
-		const { cookies } = await import("next/headers");
-		return (_await$cookies$get = (await cookies()).get(name)) === null || _await$cookies$get === void 0 ? void 0 : _await$cookies$get.value;
-	}
-	async getAllCookies() {
-		const values = /* @__PURE__ */ new Map();
-		const { cookies } = await import("next/headers");
-		(await cookies()).getAll().forEach((x) => {
-			values.set(x.name, x.value);
-		});
-		return values;
-	}
-};
-//#endregion
-//#region src/responses/monocloud-cookie-response.ts
-let isWarned = false;
-var MonoCloudCookieResponse = class {
-	async setCookie(cookieName, value, options) {
-		try {
-			const { cookies } = await import("next/headers");
-			(await cookies()).set(cookieName, value, options);
-		} catch (e) {
-			if (!isWarned) {
-				console.warn(e.message);
-				isWarned = true;
-			}
-		}
-	}
-};
 //#endregion
 //#region src/monocloud-next-client.ts
+/**
+* The MonoCloud Next.js Client.
+*
+* @example Using Environment Variables (Recommended)
+*
+* 1. Add following variables to your `.env`.
+*
+* ```bash
+* MONOCLOUD_AUTH_TENANT_DOMAIN=<tenant-domain>
+* MONOCLOUD_AUTH_CLIENT_ID=<client-id>
+* MONOCLOUD_AUTH_CLIENT_SECRET=<client-secret>
+* MONOCLOUD_AUTH_SCOPES=openid profile email # Default
+* MONOCLOUD_AUTH_APP_URL=http://localhost:3000
+* MONOCLOUD_AUTH_COOKIE_SECRET=<cookie-secret>
+* ```
+*
+* 2. Instantiate the client in a shared file (e.g., lib/monocloud.ts)
+*
+* ```typescript
+* import { MonoCloudNextClient } from '@monocloud/auth-nextjs';
+*
+* export const monoCloud = new MonoCloudNextClient();
+* ```
+*
+* 3. Add MonoCloud middleware/proxy
+*
+* ```typescript
+* import { monoCloud } from "@/lib/monocloud";
+*
+* export default monoCloud.authMiddleware();
+*
+* export const config = {
+*   matcher: [
+*     "/((?!_next/static|_next/image|favicon.ico|sitemap.xml|robots.txt).*)",
+*   ],
+* };
+* ```
+*
+* @example Using Constructor Options
+*
+* ⚠️ Security Note: Never commit your credentials to version control. Load them from environment variables.
+*
+* 1. Instantiate the client in a shared file (e.g., lib/monocloud.ts)
+*
+* ```typescript
+* import { MonoCloudNextClient } from '@monocloud/auth-nextjs';
+*
+* export const monoCloud = new MonoCloudNextClient({
+*  tenantDomain: '<tenant-domain>',
+*  clientId: '<client-id>',
+*  clientSecret: '<client-secret>',
+*  scopes: 'openid profile email', // Default
+*  appUrl: 'http://localhost:3000',
+*  cookieSecret: '<cookie-secret>'
+* });
+* ```
+* 2. Add MonoCloud middleware/proxy
+*
+* ```typescript
+* import { monoCloud } from "@/lib/monocloud";
+*
+* export default monoCloud.authMiddleware();
+*
+* export const config = {
+*   matcher: [
+*     "/((?!_next/static|_next/image|favicon.ico|sitemap.xml|robots.txt).*)",
+*   ],
+* };
+* ```
+*
+* <details>
+* <summary>All Environment Variables</summary>
+*  <h4>Core Configuration (Required)</h4>
+*
+*  <ul>
+*    <li><strong>MONOCLOUD_AUTH_CLIENT_ID : </strong>Unique identifier for your application/client.</li>
+*    <li><strong>MONOCLOUD_AUTH_CLIENT_SECRET : </strong>Application/client secret.</li>
+*    <li><strong>MONOCLOUD_AUTH_TENANT_DOMAIN : </strong>The domain of your MonoCloud tenant (e.g., https://your-tenant.us.monocloud.com).</li>
+*    <li><strong>MONOCLOUD_AUTH_APP_URL : </strong>The base URL where your application is hosted.</li>
+*    <li><strong>MONOCLOUD_AUTH_COOKIE_SECRET : </strong>A long, random string used to encrypt and sign session cookies.</li>
+*  </ul>
+*
+*  <h4>Authentication &amp; Security</h4>
+*
+*  <ul>
+*    <li><strong>MONOCLOUD_AUTH_SCOPES : </strong>A space-separated list of OIDC scopes to request (e.g., openid profile email).</li>
+*    <li><strong>MONOCLOUD_AUTH_RESOURCE : </strong>The default resource/audience identifier for access tokens.</li>
+*    <li><strong>MONOCLOUD_AUTH_USE_PAR : </strong>Enables Pushed Authorization Requests.</li>
+*    <li><strong>MONOCLOUD_AUTH_CLOCK_SKEW : </strong>The allowed clock drift in seconds when validating token timestamps.</li>
+*    <li><strong>MONOCLOUD_AUTH_FEDERATED_SIGNOUT : </strong>If true, signs the user out of MonoCloud (SSO sign-out) when they sign out of the app.</li>
+*    <li><strong>MONOCLOUD_AUTH_RESPONSE_TIMEOUT : </strong>The maximum time in milliseconds to wait for a response.</li>
+*    <li><strong>MONOCLOUD_AUTH_ALLOW_QUERY_PARAM_OVERRIDES : </strong>Allows dynamic overrides of auth parameters via URL query strings.</li>
+*    <li><strong>MONOCLOUD_AUTH_POST_LOGOUT_REDIRECT_URI : </strong>The URL users are sent to after a successful logout.</li>
+*    <li><strong>MONOCLOUD_AUTH_USER_INFO : </strong>Determines if user profile data from the UserInfo endpoint should be fetched after authorization code exchange.</li>
+*    <li><strong>MONOCLOUD_AUTH_REFETCH_USER_INFO : </strong>If true, re-fetches user information on every request to userinfo endpoint or when calling getTokens()</li>
+*    <li><strong>MONOCLOUD_AUTH_ID_TOKEN_SIGNING_ALG : </strong>The expected algorithm for signing ID tokens (e.g., RS256).</li>
+*    <li><strong>MONOCLOUD_AUTH_FILTERED_ID_TOKEN_CLAIMS : </strong>A space-separated list of claims to exclude from the session object.</li>
+*  </ul>
+*
+*  <h4>Routes</h4>
+*
+*   <aside>
+*     <strong>⚠️ Important: Modifying Default Routes</strong>
+*     <p>If you choose to customize any of the default route paths, you must adhere to the following requirements:</p>
+*     <ul>
+*       <li>
+*         <strong>Client-Side Synchronization:</strong> You must also define a corresponding <code>NEXT_PUBLIC_</code> version of the environment variable (e.g., <code>NEXT_PUBLIC_MONOCLOUD_AUTH_CALLBACK_URL</code>). This ensures that client-side components like <code>&lt;SignIn /&gt;</code>, <code>&lt;SignOut /&gt;</code>, and the <code>useAuth()</code> hook can correctly identify your custom endpoints.
+*       </li>
+*       <li>
+*         <strong>Dashboard Configuration:</strong> Changing these URLs will alter the endpoints required by MonoCloud. You must update the <strong>Application URLs</strong> section in your MonoCloud Dashboard to match these new paths.
+*       </li>
+*     </ul>
+*     <p><em>Example:</em></p>
+*     <code>
+*       MONOCLOUD_AUTH_CALLBACK_URL=/api/custom_callback<br />
+*       NEXT_PUBLIC_MONOCLOUD_AUTH_CALLBACK_URL=/api/custom_callback
+*     </code>
+*     <p>In this case, the Redirect URI in your dashboard should be set to: <code>http://localhost:3000/api/custom_callback</code> (assuming local development).</p>
+*   </aside>
+*
+*  <ul>
+*    <li><strong>MONOCLOUD_AUTH_CALLBACK_URL : </strong>The application path where MonoCloud sends the user after authentication.</li>
+*    <li><strong>MONOCLOUD_AUTH_SIGNIN_URL : </strong>The internal route path to trigger the sign-in.</li>
+*    <li><strong>MONOCLOUD_AUTH_SIGNOUT_URL : </strong>The internal route path to trigger the sign-out.</li>
+*    <li><strong>MONOCLOUD_AUTH_USER_INFO_URL : </strong>The route that exposes the current user's profile from userinfo endpoint.</li>
+*  </ul>
+*
+*  <h4>Session Cookie Settings</h4>
+*
+*  <ul>
+*    <li><strong>MONOCLOUD_AUTH_SESSION_COOKIE_NAME : </strong>The name of the cookie used to store the user session.</li>
+*    <li><strong>MONOCLOUD_AUTH_SESSION_COOKIE_PATH : </strong>The scope path for the session cookie.</li>
+*    <li><strong>MONOCLOUD_AUTH_SESSION_COOKIE_DOMAIN : </strong>The domain scope for the session cookie.</li>
+*    <li><strong>MONOCLOUD_AUTH_SESSION_COOKIE_HTTP_ONLY : </strong>Prevents client-side scripts from accessing the session cookie.</li>
+*    <li><strong>MONOCLOUD_AUTH_SESSION_COOKIE_SECURE : </strong>Ensures the session cookie is only sent over HTTPS.</li>
+*    <li><strong>MONOCLOUD_AUTH_SESSION_COOKIE_SAME_SITE : </strong>The SameSite policy for the session cookie (Lax, Strict, or None).</li>
+*    <li><strong>MONOCLOUD_AUTH_SESSION_COOKIE_PERSISTENT : </strong>If true, the session survives browser restarts.</li>
+*    <li><strong>MONOCLOUD_AUTH_SESSION_SLIDING : </strong>If true, the session will be a sliding session instead of absolute.</li>
+*    <li><strong>MONOCLOUD_AUTH_SESSION_DURATION : </strong>The session lifetime in seconds.</li>
+*    <li><strong>MONOCLOUD_AUTH_SESSION_MAX_DURATION : </strong>The absolute maximum lifetime of a session in seconds.</li>
+*  </ul>
+*
+*  <h4>State Cookie Settings</h4>
+*
+*  <ul>
+*    <li><strong>MONOCLOUD_AUTH_STATE_COOKIE_NAME : </strong>The name of the cookie used to store OpenID state/nonce.</li>
+*    <li><strong>MONOCLOUD_AUTH_STATE_COOKIE_PATH : </strong>The scope path for the state cookie.</li>
+*    <li><strong>MONOCLOUD_AUTH_STATE_COOKIE_DOMAIN : </strong>The domain scope for the state cookie.</li>
+*    <li><strong>MONOCLOUD_AUTH_STATE_COOKIE_SECURE : </strong>Ensures the state cookie is only sent over HTTPS</li>
+*    <li><strong>MONOCLOUD_AUTH_STATE_COOKIE_SAME_SITE : </strong>The SameSite policy for the state cookie.</li>
+*    <li><strong>MONOCLOUD_AUTH_STATE_COOKIE_PERSISTENT : </strong>Whether the state cookie is persistent.</li>
+*  </ul>
+*
+*  <h4>Caching</h4>
+*
+*  <ul>
+*    <li><strong>MONOCLOUD_AUTH_JWKS_CACHE_DURATION : </strong>Duration in seconds to cache the JSON Web Key Set.</li>
+*    <li><strong>MONOCLOUD_AUTH_METADATA_CACHE_DURATION : </strong>Duration in seconds to cache the OpenID discovery metadata.</li>
+*  </ul>
+* </details>
+*
+*
+*/
 var MonoCloudNextClient = class {
-	/* v8 ignore next -- @preserve */
+	/**
+	* The underlying OIDC client instance used for low-level OpenID Connect operations.
+	*
+	* @example
+	* // Manually revoke an access token
+	* await client.oidcClient.revokeToken(accessToken, 'access_token');
+	*/
 	get oidcClient() {
 		return this.coreClient.oidcClient;
 	}
+	/**
+	* @param options Configuration options including domain, client ID, and secret.
+	*/
 	constructor(options) {
-		this.protectPage = (...args) => {
-			if (typeof args[0] === "function") return this.protectAppPage(args[0], args[1]);
-			return this.protectPagePage(args[0]);
-		};
-		this.protectAppPage = (component, options$1) => {
-			return async (params) => {
-				const session = await this.getSession();
-				if (!session) {
-					var _options$authParams, _options$authParams2, _options$authParams3, _options$authParams4, _options$authParams5, _options$authParams6, _options$authParams7, _options$authParams8, _options$authParams9;
-					if (options$1 === null || options$1 === void 0 ? void 0 : options$1.onAccessDenied) return options$1.onAccessDenied({ ...params });
-					const { routes, appUrl } = this.getOptions();
-					const { headers } = await import("next/headers");
-					const path = (await headers()).get("x-monocloud-path");
-					const signInRoute = new URL(`${appUrl}${(0, _monocloud_auth_node_core_internal.ensureLeadingSlash)(routes.signIn)}`);
-					signInRoute.searchParams.set("return_url", (options$1 === null || options$1 === void 0 ? void 0 : options$1.returnUrl) ?? path ?? "/");
-					if (options$1 === null || options$1 === void 0 || (_options$authParams = options$1.authParams) === null || _options$authParams === void 0 ? void 0 : _options$authParams.scopes) signInRoute.searchParams.set("scope", options$1.authParams.scopes);
-					if (options$1 === null || options$1 === void 0 || (_options$authParams2 = options$1.authParams) === null || _options$authParams2 === void 0 ? void 0 : _options$authParams2.resource) signInRoute.searchParams.set("resource", options$1.authParams.resource);
-					if (options$1 === null || options$1 === void 0 || (_options$authParams3 = options$1.authParams) === null || _options$authParams3 === void 0 ? void 0 : _options$authParams3.acrValues) signInRoute.searchParams.set("acr_values", options$1.authParams.acrValues.join(" "));
-					if (options$1 === null || options$1 === void 0 || (_options$authParams4 = options$1.authParams) === null || _options$authParams4 === void 0 ? void 0 : _options$authParams4.display) signInRoute.searchParams.set("display", options$1.authParams.display);
-					if (options$1 === null || options$1 === void 0 || (_options$authParams5 = options$1.authParams) === null || _options$authParams5 === void 0 ? void 0 : _options$authParams5.prompt) signInRoute.searchParams.set("prompt", options$1.authParams.prompt);
-					if (options$1 === null || options$1 === void 0 || (_options$authParams6 = options$1.authParams) === null || _options$authParams6 === void 0 ? void 0 : _options$authParams6.authenticatorHint) signInRoute.searchParams.set("authenticator_hint", options$1.authParams.authenticatorHint);
-					if (options$1 === null || options$1 === void 0 || (_options$authParams7 = options$1.authParams) === null || _options$authParams7 === void 0 ? void 0 : _options$authParams7.uiLocales) signInRoute.searchParams.set("ui_locales", options$1.authParams.uiLocales);
-					if (options$1 === null || options$1 === void 0 || (_options$authParams8 = options$1.authParams) === null || _options$authParams8 === void 0 ? void 0 : _options$authParams8.maxAge) signInRoute.searchParams.set("max_age", options$1.authParams.maxAge.toString());
-					if (options$1 === null || options$1 === void 0 || (_options$authParams9 = options$1.authParams) === null || _options$authParams9 === void 0 ? void 0 : _options$authParams9.loginHint) signInRoute.searchParams.set("login_hint", options$1.authParams.loginHint);
-					return (0, next_navigation.redirect)(signInRoute.toString());
-				}
-				if ((options$1 === null || options$1 === void 0 ? void 0 : options$1.groups) && !(0, _monocloud_auth_node_core_utils.isUserInGroup)(session.user, options$1.groups, options$1.groupsClaim ?? process.env.MONOCLOUD_AUTH_GROUPS_CLAIM, options$1.matchAll)) {
-					if (options$1.onAccessDenied) return options$1.onAccessDenied({
-						...params,
-						user: session.user
-					});
-					return "Access Denied";
-				}
-				return component({
-					...params,
-					user: session.user
-				});
-			};
-		};
-		this.protectPagePage = (options$1) => {
-			return async (context) => {
-				const session = await this.getSession(context.req, context.res);
-				if (!session) {
-					var _options$authParams10, _options$authParams11, _options$authParams12, _options$authParams13, _options$authParams14, _options$authParams15, _options$authParams16, _options$authParams17, _options$authParams18;
-					if (options$1 === null || options$1 === void 0 ? void 0 : options$1.onAccessDenied) {
-						const customProps$1 = await options$1.onAccessDenied({ ...context });
-						return {
-							...customProps$1 ?? {},
-							props: { ...(customProps$1 === null || customProps$1 === void 0 ? void 0 : customProps$1.props) ?? {} }
-						};
-					}
-					const { routes, appUrl } = this.getOptions();
-					const signInRoute = new URL(`${appUrl}${(0, _monocloud_auth_node_core_internal.ensureLeadingSlash)(routes.signIn)}`);
-					signInRoute.searchParams.set("return_url", (options$1 === null || options$1 === void 0 ? void 0 : options$1.returnUrl) ?? context.resolvedUrl);
-					if (options$1 === null || options$1 === void 0 || (_options$authParams10 = options$1.authParams) === null || _options$authParams10 === void 0 ? void 0 : _options$authParams10.scopes) signInRoute.searchParams.set("scope", options$1.authParams.scopes);
-					if (options$1 === null || options$1 === void 0 || (_options$authParams11 = options$1.authParams) === null || _options$authParams11 === void 0 ? void 0 : _options$authParams11.resource) signInRoute.searchParams.set("resource", options$1.authParams.resource);
-					if (options$1 === null || options$1 === void 0 || (_options$authParams12 = options$1.authParams) === null || _options$authParams12 === void 0 ? void 0 : _options$authParams12.acrValues) signInRoute.searchParams.set("acr_values", options$1.authParams.acrValues.join(" "));
-					if (options$1 === null || options$1 === void 0 || (_options$authParams13 = options$1.authParams) === null || _options$authParams13 === void 0 ? void 0 : _options$authParams13.display) signInRoute.searchParams.set("display", options$1.authParams.display);
-					if (options$1 === null || options$1 === void 0 || (_options$authParams14 = options$1.authParams) === null || _options$authParams14 === void 0 ? void 0 : _options$authParams14.prompt) signInRoute.searchParams.set("prompt", options$1.authParams.prompt);
-					if (options$1 === null || options$1 === void 0 || (_options$authParams15 = options$1.authParams) === null || _options$authParams15 === void 0 ? void 0 : _options$authParams15.authenticatorHint) signInRoute.searchParams.set("authenticator_hint", options$1.authParams.authenticatorHint);
-					if (options$1 === null || options$1 === void 0 || (_options$authParams16 = options$1.authParams) === null || _options$authParams16 === void 0 ? void 0 : _options$authParams16.uiLocales) signInRoute.searchParams.set("ui_locales", options$1.authParams.uiLocales);
-					if (options$1 === null || options$1 === void 0 || (_options$authParams17 = options$1.authParams) === null || _options$authParams17 === void 0 ? void 0 : _options$authParams17.maxAge) signInRoute.searchParams.set("max_age", options$1.authParams.maxAge.toString());
-					if (options$1 === null || options$1 === void 0 || (_options$authParams18 = options$1.authParams) === null || _options$authParams18 === void 0 ? void 0 : _options$authParams18.loginHint) signInRoute.searchParams.set("login_hint", options$1.authParams.loginHint);
-					return { redirect: {
-						destination: signInRoute.toString(),
-						permanent: false
-					} };
-				}
-				if ((options$1 === null || options$1 === void 0 ? void 0 : options$1.groups) && !(0, _monocloud_auth_node_core_utils.isUserInGroup)(session.user, options$1.groups, options$1.groupsClaim ?? process.env.MONOCLOUD_AUTH_GROUPS_CLAIM, options$1.matchAll)) {
-					var _options$onAccessDeni;
-					const customProps$1 = await ((_options$onAccessDeni = options$1.onAccessDenied) === null || _options$onAccessDeni === void 0 ? void 0 : _options$onAccessDeni.call(options$1, {
-						...context,
-						user: session.user
-					})) ?? { props: { accessDenied: true } };
-					return {
-						...customProps$1,
-						props: { ...customProps$1.props ?? {} }
-					};
-				}
-				const customProps = (options$1 === null || options$1 === void 0 ? void 0 : options$1.getServerSideProps) ? await options$1.getServerSideProps(context) : {};
-				const promiseProp = customProps.props;
-				if (promiseProp instanceof Promise) return {
-					...customProps,
-					props: promiseProp.then((props) => ({
-						user: session.user,
-						...props
-					}))
-				};
-				return {
-					...customProps,
-					props: {
-						user: session.user,
-						...customProps.props
-					}
-				};
-			};
-		};
-		this.protectApi = (handler, options$1) => {
-			return (req, resOrCtx) => {
-				if (isAppRouter(req)) return this.protectAppApi(req, resOrCtx, handler, options$1);
-				return this.protectPageApi(req, resOrCtx, handler, options$1);
-			};
-		};
-		this.protectAppApi = async (req, ctx, handler, options$1) => {
-			const res = new next_server.NextResponse();
-			const session = await this.getSession(req, res);
-			if (!session) {
-				if (options$1 === null || options$1 === void 0 ? void 0 : options$1.onAccessDenied) {
-					const result = await options$1.onAccessDenied(req, ctx);
-					if (result instanceof next_server.NextResponse) return mergeResponse([res, result]);
-					return mergeResponse([res, new next_server.NextResponse(result.body, result)]);
-				}
-				return mergeResponse([res, next_server.NextResponse.json({ message: "unauthorized" }, { status: 401 })]);
-			}
-			if ((options$1 === null || options$1 === void 0 ? void 0 : options$1.groups) && !(0, _monocloud_auth_node_core_utils.isUserInGroup)(session.user, options$1.groups, options$1.groupsClaim ?? process.env.MONOCLOUD_AUTH_GROUPS_CLAIM, options$1.matchAll)) {
-				if (options$1.onAccessDenied) {
-					const result = await options$1.onAccessDenied(req, ctx);
-					if (result instanceof next_server.NextResponse) return mergeResponse([res, result]);
-					return mergeResponse([res, new next_server.NextResponse(result.body, result)]);
-				}
-				return mergeResponse([res, next_server.NextResponse.json({ message: "forbidden" }, { status: 403 })]);
-			}
-			const resp = await handler(req, ctx);
-			if (resp instanceof next_server.NextResponse) return mergeResponse([res, resp]);
-			return mergeResponse([res, new next_server.NextResponse(resp.body, resp)]);
-		};
-		this.protectPageApi = async (req, res, handler, options$1) => {
-			const session = await this.getSession(req, res);
-			if (!session) {
-				if (options$1 === null || options$1 === void 0 ? void 0 : options$1.onAccessDenied) return options$1.onAccessDenied(req, res);
-				return res.status(401).json({ message: "unauthorized" });
-			}
-			if ((options$1 === null || options$1 === void 0 ? void 0 : options$1.groups) && !(0, _monocloud_auth_node_core_utils.isUserInGroup)(session.user, options$1.groups, options$1.groupsClaim ?? process.env.MONOCLOUD_AUTH_GROUPS_CLAIM, options$1.matchAll)) {
-				if (options$1.onAccessDenied) return options$1.onAccessDenied(req, res, session.user);
-				return res.status(403).json({ message: "forbidden" });
-			}
-			return handler(req, res);
-		};
-		this.authMiddleware = (...args) => {
-			let req;
-			let evt;
-			let options$1;
-			/* v8 ignore else -- @preserve */
-			if (Array.isArray(args)) {
-				if (args.length === 2) {
-					/* v8 ignore else -- @preserve */
-					if (isAppRouter(args[0])) {
-						req = args[0];
-						evt = args[1];
-					}
-				}
-				if (args.length === 1) options$1 = args[0];
-			}
-			if (req && evt) return this.authMiddlewareHandler(req, evt, options$1);
-			return (request, nxtEvt) => {
-				return this.authMiddlewareHandler(request, nxtEvt, options$1);
-			};
-		};
-		this.getSession = this.resolveFunction(this.resolvedGetSession.bind(this));
-		this.getTokens = this.resolveFunction(this.resolvedGetTokens.bind(this));
-		this.isAuthenticated = this.resolveFunction(this.resolvedIsAuthenticated.bind(this));
 		const opt = {
 			...options ?? {},
-			userAgent: (options === null || options === void 0 ? void 0 : options.userAgent) ?? `@monocloud/auth-nextjs@0.1.1`,
+			userAgent: (options === null || options === void 0 ? void 0 : options.userAgent) ?? `@monocloud/auth-nextjs@0.1.2`,
 			debugger: (options === null || options === void 0 ? void 0 : options.debugger) ?? "@monocloud:auth-nextjs"
 		};
 		this.registerPublicEnvVariables();
@@ -441,12 +453,65 @@ var MonoCloudNextClient = class {
 	* that processes all MonoCloud authentication endpoints
 	* (`/signin`, `/callback`, `/userinfo`, `/signout`).
 	*
-	* @param {MonoCloudAuthOptions} [options] Optional configuration authentication routes.
+	* @param options Authentication configuration routes.
 	*
 	* **Note:** If you are already using `authMiddleware()`, you typically do **not**
 	* need this API route handler. This function is intended for applications where
 	* middleware cannot be used—such as statically generated (SSG) deployments that still
 	* require server-side authentication flows.
+	*
+	* @example App Router
+	*
+	* ```typescript
+	* // app/api/auth/[...monocloud]/route.ts
+	*
+	* import { monoCloud } from "@/lib/monocloud";
+	*
+	* export const GET = monoCloud.monoCloudAuth();
+	*```
+	*
+	* @example App Router with Response
+	*
+	* ```typescript
+	* import { monoCloud } from "@/lib/monocloud";
+	* import { NextRequest, NextResponse } from "next/server";
+	*
+	* export const GET = (req: NextRequest) => {
+	*   const authHandler = monoCloud.monoCloudAuth();
+	*
+	*   const res = new NextResponse();
+	*
+	*   res.cookies.set("last_auth_requested", `${Date.now()}`);
+	*
+	*   return authHandler(req, res);
+	* };
+	* ```
+	*
+	* @example Pages Router
+	*
+	* ```typescript
+	* // pages/api/auth/[...monocloud].ts
+	*
+	* import { monoCloud } from "@/lib/monocloud";
+	*
+	* export default monoCloud.monoCloudAuth();
+	*```
+	*
+	* @example Page Router with Response
+	*
+	* ```typescript
+	* import { monoCloud } from "@/lib/monocloud";
+	* import { NextApiRequest, NextApiResponse } from "next";
+	*
+	* export default function handler(req: NextApiRequest, res: NextApiResponse) {
+	*   const authHandler = monoCloud.monoCloudAuth();
+	*
+	*   res.setHeader("last_auth_requested", `${Date.now()}`);
+	*
+	*   return authHandler(req, res);
+	* }
+	* ```
+	*
 	*/
 	monoCloudAuth(options) {
 		return (req, resOrCtx) => {
@@ -456,21 +521,189 @@ var MonoCloudNextClient = class {
 			const route = new URL(url);
 			let onError;
 			if (typeof (options === null || options === void 0 ? void 0 : options.onError) === "function") onError = (error) => options.onError(req, resOrCtx, error);
-			const { request, response } = getMonoCloudReqRes(req, resOrCtx);
+			let request;
+			let response;
+			if (isAppRouter(req)) {
+				request = new MonoCloudAppRouterRequest(getNextRequest(req));
+				response = new MonoCloudAppRouterResponse(getNextResponse(resOrCtx));
+			} else {
+				request = new MonoCloudPageRouterRequest(req);
+				response = new MonoCloudPageRouterResponse(resOrCtx);
+			}
 			return this.handleAuthRoutes(request, response, route.pathname, routes, onError);
 		};
 	}
+	protectPage(...args) {
+		if (typeof args[0] === "function") return this.protectAppPage(args[0], args[1]);
+		return this.protectPagePage(args[0]);
+	}
+	protectAppPage(component, options) {
+		return async (params) => {
+			const session = await this.getSession();
+			if (!session) {
+				var _options$authParams, _options$authParams2, _options$authParams3, _options$authParams4, _options$authParams5, _options$authParams6, _options$authParams7, _options$authParams8, _options$authParams9;
+				if (options === null || options === void 0 ? void 0 : options.onAccessDenied) return options.onAccessDenied({ ...params });
+				const { routes, appUrl } = this.getOptions();
+				const { headers } = await import("next/headers");
+				const path = (await headers()).get("x-monocloud-path");
+				const signInRoute = new URL(`${appUrl}${(0, _monocloud_auth_node_core_internal.ensureLeadingSlash)(routes.signIn)}`);
+				signInRoute.searchParams.set("return_url", (options === null || options === void 0 ? void 0 : options.returnUrl) ?? path ?? "/");
+				if (options === null || options === void 0 || (_options$authParams = options.authParams) === null || _options$authParams === void 0 ? void 0 : _options$authParams.scopes) signInRoute.searchParams.set("scope", options.authParams.scopes);
+				if (options === null || options === void 0 || (_options$authParams2 = options.authParams) === null || _options$authParams2 === void 0 ? void 0 : _options$authParams2.resource) signInRoute.searchParams.set("resource", options.authParams.resource);
+				if (options === null || options === void 0 || (_options$authParams3 = options.authParams) === null || _options$authParams3 === void 0 ? void 0 : _options$authParams3.acrValues) signInRoute.searchParams.set("acr_values", options.authParams.acrValues.join(" "));
+				if (options === null || options === void 0 || (_options$authParams4 = options.authParams) === null || _options$authParams4 === void 0 ? void 0 : _options$authParams4.display) signInRoute.searchParams.set("display", options.authParams.display);
+				if (options === null || options === void 0 || (_options$authParams5 = options.authParams) === null || _options$authParams5 === void 0 ? void 0 : _options$authParams5.prompt) signInRoute.searchParams.set("prompt", options.authParams.prompt);
+				if (options === null || options === void 0 || (_options$authParams6 = options.authParams) === null || _options$authParams6 === void 0 ? void 0 : _options$authParams6.authenticatorHint) signInRoute.searchParams.set("authenticator_hint", options.authParams.authenticatorHint);
+				if (options === null || options === void 0 || (_options$authParams7 = options.authParams) === null || _options$authParams7 === void 0 ? void 0 : _options$authParams7.uiLocales) signInRoute.searchParams.set("ui_locales", options.authParams.uiLocales);
+				if (options === null || options === void 0 || (_options$authParams8 = options.authParams) === null || _options$authParams8 === void 0 ? void 0 : _options$authParams8.maxAge) signInRoute.searchParams.set("max_age", options.authParams.maxAge.toString());
+				if (options === null || options === void 0 || (_options$authParams9 = options.authParams) === null || _options$authParams9 === void 0 ? void 0 : _options$authParams9.loginHint) signInRoute.searchParams.set("login_hint", options.authParams.loginHint);
+				const { redirect } = await import("next/navigation");
+				return redirect(signInRoute.toString());
+			}
+			if ((options === null || options === void 0 ? void 0 : options.groups) && !(0, _monocloud_auth_node_core_utils.isUserInGroup)(session.user, options.groups, options.groupsClaim ?? process.env.MONOCLOUD_AUTH_GROUPS_CLAIM, options.matchAll)) {
+				if (options.onAccessDenied) return options.onAccessDenied({
+					...params,
+					user: session.user
+				});
+				return "Access Denied";
+			}
+			return component({
+				...params,
+				user: session.user
+			});
+		};
+	}
+	protectPagePage(options) {
+		return async (context) => {
+			const session = await this.getSession(context.req, context.res);
+			if (!session) {
+				var _options$authParams10, _options$authParams11, _options$authParams12, _options$authParams13, _options$authParams14, _options$authParams15, _options$authParams16, _options$authParams17, _options$authParams18;
+				if (options === null || options === void 0 ? void 0 : options.onAccessDenied) {
+					const customProps$1 = await options.onAccessDenied({ ...context });
+					return {
+						...customProps$1 ?? {},
+						props: { ...(customProps$1 === null || customProps$1 === void 0 ? void 0 : customProps$1.props) ?? {} }
+					};
+				}
+				const { routes, appUrl } = this.getOptions();
+				const signInRoute = new URL(`${appUrl}${(0, _monocloud_auth_node_core_internal.ensureLeadingSlash)(routes.signIn)}`);
+				signInRoute.searchParams.set("return_url", (options === null || options === void 0 ? void 0 : options.returnUrl) ?? context.resolvedUrl);
+				if (options === null || options === void 0 || (_options$authParams10 = options.authParams) === null || _options$authParams10 === void 0 ? void 0 : _options$authParams10.scopes) signInRoute.searchParams.set("scope", options.authParams.scopes);
+				if (options === null || options === void 0 || (_options$authParams11 = options.authParams) === null || _options$authParams11 === void 0 ? void 0 : _options$authParams11.resource) signInRoute.searchParams.set("resource", options.authParams.resource);
+				if (options === null || options === void 0 || (_options$authParams12 = options.authParams) === null || _options$authParams12 === void 0 ? void 0 : _options$authParams12.acrValues) signInRoute.searchParams.set("acr_values", options.authParams.acrValues.join(" "));
+				if (options === null || options === void 0 || (_options$authParams13 = options.authParams) === null || _options$authParams13 === void 0 ? void 0 : _options$authParams13.display) signInRoute.searchParams.set("display", options.authParams.display);
+				if (options === null || options === void 0 || (_options$authParams14 = options.authParams) === null || _options$authParams14 === void 0 ? void 0 : _options$authParams14.prompt) signInRoute.searchParams.set("prompt", options.authParams.prompt);
+				if (options === null || options === void 0 || (_options$authParams15 = options.authParams) === null || _options$authParams15 === void 0 ? void 0 : _options$authParams15.authenticatorHint) signInRoute.searchParams.set("authenticator_hint", options.authParams.authenticatorHint);
+				if (options === null || options === void 0 || (_options$authParams16 = options.authParams) === null || _options$authParams16 === void 0 ? void 0 : _options$authParams16.uiLocales) signInRoute.searchParams.set("ui_locales", options.authParams.uiLocales);
+				if (options === null || options === void 0 || (_options$authParams17 = options.authParams) === null || _options$authParams17 === void 0 ? void 0 : _options$authParams17.maxAge) signInRoute.searchParams.set("max_age", options.authParams.maxAge.toString());
+				if (options === null || options === void 0 || (_options$authParams18 = options.authParams) === null || _options$authParams18 === void 0 ? void 0 : _options$authParams18.loginHint) signInRoute.searchParams.set("login_hint", options.authParams.loginHint);
+				return { redirect: {
+					destination: signInRoute.toString(),
+					permanent: false
+				} };
+			}
+			if ((options === null || options === void 0 ? void 0 : options.groups) && !(0, _monocloud_auth_node_core_utils.isUserInGroup)(session.user, options.groups, options.groupsClaim ?? process.env.MONOCLOUD_AUTH_GROUPS_CLAIM, options.matchAll)) {
+				var _options$onAccessDeni;
+				const customProps$1 = await ((_options$onAccessDeni = options.onAccessDenied) === null || _options$onAccessDeni === void 0 ? void 0 : _options$onAccessDeni.call(options, {
+					...context,
+					user: session.user
+				})) ?? { props: { accessDenied: true } };
+				return {
+					...customProps$1,
+					props: { ...customProps$1.props ?? {} }
+				};
+			}
+			const customProps = (options === null || options === void 0 ? void 0 : options.getServerSideProps) ? await options.getServerSideProps(context) : {};
+			const promiseProp = customProps.props;
+			if (promiseProp instanceof Promise) return {
+				...customProps,
+				props: promiseProp.then((props) => ({
+					user: session.user,
+					...props
+				}))
+			};
+			return {
+				...customProps,
+				props: {
+					user: session.user,
+					...customProps.props
+				}
+			};
+		};
+	}
+	protectApi(handler, options) {
+		return (req, resOrCtx) => {
+			if (isAppRouter(req)) return this.protectAppApi(req, resOrCtx, handler, options);
+			return this.protectPageApi(req, resOrCtx, handler, options);
+		};
+	}
+	async protectAppApi(req, ctx, handler, options) {
+		const res = new next_server_js.NextResponse();
+		const session = await this.getSession(req, res);
+		if (!session) {
+			if (options === null || options === void 0 ? void 0 : options.onAccessDenied) {
+				const result = await options.onAccessDenied(req, ctx);
+				if (result instanceof next_server_js.NextResponse) return mergeResponse([res, result]);
+				return mergeResponse([res, new next_server_js.NextResponse(result.body, result)]);
+			}
+			return mergeResponse([res, next_server_js.NextResponse.json({ message: "unauthorized" }, { status: 401 })]);
+		}
+		if ((options === null || options === void 0 ? void 0 : options.groups) && !(0, _monocloud_auth_node_core_utils.isUserInGroup)(session.user, options.groups, options.groupsClaim ?? process.env.MONOCLOUD_AUTH_GROUPS_CLAIM, options.matchAll)) {
+			if (options.onAccessDenied) {
+				const result = await options.onAccessDenied(req, ctx);
+				if (result instanceof next_server_js.NextResponse) return mergeResponse([res, result]);
+				return mergeResponse([res, new next_server_js.NextResponse(result.body, result)]);
+			}
+			return mergeResponse([res, next_server_js.NextResponse.json({ message: "forbidden" }, { status: 403 })]);
+		}
+		const resp = await handler(req, ctx);
+		if (resp instanceof next_server_js.NextResponse) return mergeResponse([res, resp]);
+		return mergeResponse([res, new next_server_js.NextResponse(resp.body, resp)]);
+	}
+	async protectPageApi(req, res, handler, options) {
+		const session = await this.getSession(req, res);
+		if (!session) {
+			if (options === null || options === void 0 ? void 0 : options.onAccessDenied) return options.onAccessDenied(req, res);
+			return res.status(401).json({ message: "unauthorized" });
+		}
+		if ((options === null || options === void 0 ? void 0 : options.groups) && !(0, _monocloud_auth_node_core_utils.isUserInGroup)(session.user, options.groups, options.groupsClaim ?? process.env.MONOCLOUD_AUTH_GROUPS_CLAIM, options.matchAll)) {
+			if (options.onAccessDenied) return options.onAccessDenied(req, res, session.user);
+			return res.status(403).json({ message: "forbidden" });
+		}
+		return handler(req, res);
+	}
+	authMiddleware(...args) {
+		let req;
+		let evt;
+		let options;
+		/* v8 ignore else -- @preserve */
+		if (Array.isArray(args)) {
+			if (args.length === 2) {
+				/* v8 ignore else -- @preserve */
+				if (isAppRouter(args[0])) {
+					req = args[0];
+					evt = args[1];
+				}
+			}
+			if (args.length === 1) options = args[0];
+		}
+		if (req && evt) return this.authMiddlewareHandler(req, evt, options);
+		return (request, nxtEvt) => {
+			return this.authMiddlewareHandler(request, nxtEvt, options);
+		};
+	}
 	async authMiddlewareHandler(req, evt, options) {
-		if (req.headers.has("x-middleware-subrequest")) return next_server.NextResponse.json({ message: "forbidden" }, { status: 403 });
+		req = getNextRequest(req);
+		if (req.headers.has("x-middleware-subrequest")) return next_server_js.NextResponse.json({ message: "forbidden" }, { status: 403 });
 		const { routes, appUrl } = this.getOptions();
 		if (Object.values(routes).map((x) => (0, _monocloud_auth_node_core_internal.ensureLeadingSlash)(x)).includes(req.nextUrl.pathname)) {
 			let onError;
 			if (typeof (options === null || options === void 0 ? void 0 : options.onError) === "function") onError = (error) => options.onError(req, evt, error);
-			const request = new MonoCloudAppRouterRequest(req, { params: {} });
-			const response = new MonoCloudAppRouterResponse(new next_server.NextResponse());
+			const request = new MonoCloudAppRouterRequest(req);
+			const response = new MonoCloudAppRouterResponse(new next_server_js.NextResponse());
 			return this.handleAuthRoutes(request, response, req.nextUrl.pathname, routes, onError);
 		}
-		const nxtResp = new next_server.NextResponse();
+		const nxtResp = new next_server_js.NextResponse();
 		nxtResp.headers.set("x-monocloud-path", req.nextUrl.pathname + req.nextUrl.search);
 		let isRouteProtected = true;
 		let allowedGroups;
@@ -483,33 +716,33 @@ var MonoCloudNextClient = class {
 				return result;
 			});
 		});
-		if (!isRouteProtected) return next_server.NextResponse.next({ headers: { "x-monocloud-path": req.nextUrl.pathname + req.nextUrl.search } });
+		if (!isRouteProtected) return next_server_js.NextResponse.next({ headers: { "x-monocloud-path": req.nextUrl.pathname + req.nextUrl.search } });
 		const session = await this.getSession(req, nxtResp);
 		if (!session) {
 			if (options === null || options === void 0 ? void 0 : options.onAccessDenied) {
 				const result = await options.onAccessDenied(req, evt);
-				if (result instanceof next_server.NextResponse) return mergeResponse([nxtResp, result]);
-				if (result) return mergeResponse([nxtResp, new next_server.NextResponse(result.body, result)]);
-				return next_server.NextResponse.next(nxtResp);
+				if (result instanceof next_server_js.NextResponse) return mergeResponse([nxtResp, result]);
+				if (result) return mergeResponse([nxtResp, new next_server_js.NextResponse(result.body, result)]);
+				return next_server_js.NextResponse.next(nxtResp);
 			}
-			if (req.nextUrl.pathname.startsWith("/api")) return mergeResponse([nxtResp, next_server.NextResponse.json({ message: "unauthorized" }, { status: 401 })]);
+			if (req.nextUrl.pathname.startsWith("/api")) return mergeResponse([nxtResp, next_server_js.NextResponse.json({ message: "unauthorized" }, { status: 401 })]);
 			const signInRoute = new URL(`${appUrl}${(0, _monocloud_auth_node_core_internal.ensureLeadingSlash)(routes.signIn)}`);
 			signInRoute.searchParams.set("return_url", req.nextUrl.pathname + req.nextUrl.search);
-			return mergeResponse([nxtResp, next_server.NextResponse.redirect(signInRoute)]);
+			return mergeResponse([nxtResp, next_server_js.NextResponse.redirect(signInRoute)]);
 		}
 		const groupsClaim = (options === null || options === void 0 ? void 0 : options.groupsClaim) ?? process.env.MONOCLOUD_AUTH_GROUPS_CLAIM;
 		const onAccessDenied = options === null || options === void 0 ? void 0 : options.onAccessDenied;
 		if (allowedGroups && !(0, _monocloud_auth_node_core_utils.isUserInGroup)(session.user, allowedGroups, groupsClaim)) {
 			if (onAccessDenied) {
 				const result = await onAccessDenied(req, evt, session.user);
-				if (result instanceof next_server.NextResponse) return mergeResponse([nxtResp, result]);
-				if (result) return mergeResponse([nxtResp, new next_server.NextResponse(result.body, result)]);
-				return next_server.NextResponse.next(nxtResp);
+				if (result instanceof next_server_js.NextResponse) return mergeResponse([nxtResp, result]);
+				if (result) return mergeResponse([nxtResp, new next_server_js.NextResponse(result.body, result)]);
+				return next_server_js.NextResponse.next(nxtResp);
 			}
-			if (req.nextUrl.pathname.startsWith("/api")) return mergeResponse([nxtResp, next_server.NextResponse.json({ message: "forbidden" }, { status: 403 })]);
-			return new next_server.NextResponse(`forbidden`, { status: 403 });
+			if (req.nextUrl.pathname.startsWith("/api")) return mergeResponse([nxtResp, next_server_js.NextResponse.json({ message: "forbidden" }, { status: 403 })]);
+			return new next_server_js.NextResponse(`forbidden`, { status: 403 });
 		}
-		return next_server.NextResponse.next(nxtResp);
+		return next_server_js.NextResponse.next(nxtResp);
 	}
 	handleAuthRoutes(request, response, path, routes, onError) {
 		switch (path) {
@@ -522,10 +755,101 @@ var MonoCloudNextClient = class {
 				return response.done();
 		}
 	}
+	async getSession(...args) {
+		let request;
+		let response;
+		if (args.length === 0) {
+			request = new MonoCloudCookieRequest();
+			response = new MonoCloudCookieResponse();
+		} else ({request, response} = getMonoCloudCookieReqRes(args[0], args[1]));
+		/* v8 ignore next -- @preserve */
+		if (!isMonoCloudRequest(request) || !isMonoCloudResponse(response)) throw new _monocloud_auth_node_core.MonoCloudValidationError("Invalid parameters passed to getSession()");
+		return await this.coreClient.getSession(request, response);
+	}
+	async getTokens(...args) {
+		let request;
+		let response;
+		let options;
+		if (args.length === 0) {
+			request = new MonoCloudCookieRequest();
+			response = new MonoCloudCookieResponse();
+		} else if (args.length === 1) if (args[0] instanceof Request) ({request, response} = getMonoCloudCookieReqRes(args[0], void 0));
+		else {
+			request = new MonoCloudCookieRequest();
+			response = new MonoCloudCookieResponse();
+			options = args[0];
+		}
+		else if (args.length === 2 && args[0] instanceof Request) if (args[1] instanceof Response) ({request, response} = getMonoCloudCookieReqRes(args[0], args[1]));
+		else {
+			({request, response} = getMonoCloudCookieReqRes(args[0], void 0));
+			options = args[1];
+		}
+		else if (args.length === 2 && args[0] instanceof node_http.IncomingMessage && args[1] instanceof node_http.ServerResponse) ({request, response} = getMonoCloudCookieReqRes(args[0], args[1]));
+		else {
+			({request, response} = getMonoCloudCookieReqRes(args[0], args[1]));
+			options = args[2];
+		}
+		if (!isMonoCloudRequest(request) || !isMonoCloudResponse(response) || options && typeof options !== "object") throw new _monocloud_auth_node_core.MonoCloudValidationError("Invalid parameters passed to getTokens()");
+		return await this.coreClient.getTokens(request, response, options);
+	}
+	async isAuthenticated(...args) {
+		let request;
+		let response;
+		if (args.length === 0) {
+			request = new MonoCloudCookieRequest();
+			response = new MonoCloudCookieResponse();
+		} else ({request, response} = getMonoCloudCookieReqRes(args[0], args[1]));
+		/* v8 ignore next -- @preserve */
+		if (!isMonoCloudRequest(request) || !isMonoCloudResponse(response)) throw new _monocloud_auth_node_core.MonoCloudValidationError("Invalid parameters passed to isAuthenticated()");
+		return await this.coreClient.isAuthenticated(request, response);
+	}
 	/**
-	* Redirects the user to sign-in if not authenticated.
+	* Redirects the user to the sign-in flow if they are not authenticated.
+	*
+	* **This helper is App Router only and is designed for server environments (server components, route handlers, and server actions).**
+	*
+	* @param options Options to customize the sign-in.
+	*
+	* @returns
+	*
+	* @example React Server Component
+	*
+	* ```tsx
+	* import { monoCloud } from "@/lib/monocloud";
+	*
+	* export default async function Home() {
+	*   await monoCloud.protect();
+	*
+	*   return <>You are signed in.</>;
+	* }
+	* ```
+	*
+	* @example API Handler
 	*
-	* **Note: This function only works on App Router.**
+	* ```typescript
+	* import { NextResponse } from "next/server";
+	* import { monoCloud } from "@/lib/monocloud";
+	*
+	* export const GET = async () => {
+	*   await monoCloud.protect();
+	*
+	*   return NextResponse.json({ secret: "ssshhhh!!!" });
+	* };
+	* ```
+	*
+	* @example Server Action
+	*
+	* ```typescript
+	* "use server";
+	*
+	* import { monoCloud } from "@/lib/monocloud";
+	*
+	* export async function getMessage() {
+	*   await monoCloud.protect();
+	*
+	*   return { secret: "sssshhhhh!!!" };
+	* }
+	* ```
 	*/
 	async protect(options) {
 		var _options$authParams19, _options$authParams20, _options$authParams21, _options$authParams22, _options$authParams23, _options$authParams24, _options$authParams25, _options$authParams26, _options$authParams27;
@@ -538,7 +862,7 @@ var MonoCloudNextClient = class {
 			const { headers } = await import("next/headers");
 			path = (await headers()).get("x-monocloud-path") ?? "/";
 		} catch {
-			throw new Error("protect() can only be used in App Router project");
+			throw new Error("protect() can only be used in App Router server environments (RSC, route handlers, or server actions)");
 		}
 		const signInRoute = new URL(`${appUrl}${routes.signIn}`);
 		signInRoute.searchParams.set("return_url", (options === null || options === void 0 ? void 0 : options.returnUrl) ?? path);
@@ -551,7 +875,8 @@ var MonoCloudNextClient = class {
 		if (Array.isArray(options === null || options === void 0 || (_options$authParams25 = options.authParams) === null || _options$authParams25 === void 0 ? void 0 : _options$authParams25.acrValues)) signInRoute.searchParams.set("acr_values", options.authParams.acrValues.join(" "));
 		if (options === null || options === void 0 || (_options$authParams26 = options.authParams) === null || _options$authParams26 === void 0 ? void 0 : _options$authParams26.loginHint) signInRoute.searchParams.set("login_hint", options.authParams.loginHint);
 		if (options === null || options === void 0 || (_options$authParams27 = options.authParams) === null || _options$authParams27 === void 0 ? void 0 : _options$authParams27.prompt) signInRoute.searchParams.set("prompt", options.authParams.prompt);
-		(0, next_navigation.redirect)(signInRoute.toString());
+		const { redirect } = await import("next/navigation");
+		redirect(signInRoute.toString());
 	}
 	async isUserInGroup(...args) {
 		let request;
@@ -559,44 +884,105 @@ var MonoCloudNextClient = class {
 		let groups;
 		let options;
 		if (args.length === 4) {
-			const req = args[0];
-			const res = args[1];
 			groups = args[2];
 			options = args[3];
-			const reqRes = getMonoCloudReqRes(req, res);
-			({request} = reqRes);
-			({response} = reqRes);
+			({request, response} = getMonoCloudCookieReqRes(args[0], args[1]));
 		}
 		if (args.length === 3) {
-			const req = args[0];
-			const res = args[1];
-			groups = args[2];
-			const reqRes = getMonoCloudReqRes(req, res);
-			({request} = reqRes);
-			({response} = reqRes);
+			if (args[0] instanceof Request) if (args[1] instanceof Response) {
+				({request, response} = getMonoCloudCookieReqRes(args[0], args[1]));
+				groups = args[2];
+			} else {
+				({request, response} = getMonoCloudCookieReqRes(args[0], void 0));
+				groups = args[1];
+				options = args[2];
+			}
+			if (args[0] instanceof node_http.IncomingMessage && args[1] instanceof node_http.ServerResponse) {
+				({request, response} = getMonoCloudCookieReqRes(args[0], args[1]));
+				groups = args[2];
+			}
 		}
 		if (args.length === 2) {
-			request = new MonoCloudCookieRequest();
-			response = new MonoCloudCookieResponse();
-			groups = args[0];
-			options = args[1];
+			if (args[0] instanceof Request) {
+				({request, response} = getMonoCloudCookieReqRes(args[0], void 0));
+				groups = args[1];
+			}
+			if (Array.isArray(args[0])) {
+				request = new MonoCloudCookieRequest();
+				response = new MonoCloudCookieResponse();
+				groups = args[0];
+				options = args[1];
+			}
 		}
 		if (args.length === 1) {
 			request = new MonoCloudCookieRequest();
 			response = new MonoCloudCookieResponse();
 			groups = args[0];
 		}
-		if (!Array.isArray(groups) || !request || !response) throw new _monocloud_auth_node_core.MonoCloudValidationError("Invalid parameters passed to isUserInGroup()");
+		if (!Array.isArray(groups) || !isMonoCloudRequest(request) || !isMonoCloudResponse(response) || options && typeof options !== "object") throw new _monocloud_auth_node_core.MonoCloudValidationError("Invalid parameters passed to isUserInGroup()");
 		return await this.coreClient.isUserInGroup(request, response, groups, (options === null || options === void 0 ? void 0 : options.groupsClaim) ?? process.env.MONOCLOUD_AUTH_GROUPS_CLAIM, options === null || options === void 0 ? void 0 : options.matchAll);
 	}
 	/**
-	* Redirects the user to the sign-in route.
+	* Redirects the user to the sign-in flow.
+	*
+	* **This helper is App Router only and is designed for server environments (server components, route handlers, and server actions).**
+	*
+	* @param options Options to customize the sign-in.
 	*
-	* This helper is intended for **App Router** only (server components,
-	* route handlers, server actions). It constructs the MonoCloud sign-in URL
-	* with optional parameters and issues a framework redirect.
+	* @returns
 	*
-	* @throws Error if used outside of an App Router context.
+	* @example React Server Component
+	*
+	* ```tsx
+	* import { monoCloud } from "@/lib/monocloud";
+	*
+	* export default async function Home() {
+	*   const allowed = await monoCloud.isUserInGroup(["admin"]);
+	*
+	*   if (!allowed) {
+	*     await monoCloud.redirectToSignIn({ returnUrl: "/home" });
+	*   }
+	*
+	*   return <>You are signed in.</>;
+	* }
+	* ```
+	*
+	* @example Server Action
+	*
+	* ```typescript
+	* "use server";
+	*
+	* import { monoCloud } from "@/lib/monocloud";
+	*
+	* export async function protectedAction() {
+	*   const session = await monoCloud.getSession();
+	*
+	*   if (!session) {
+	*     await monoCloud.redirectToSignIn();
+	*   }
+	*
+	*   return { data: "Sensitive Data" };
+	* }
+	* ```
+	*
+	* @example API Handler
+	*
+	* ```typescript
+	* import { NextResponse } from "next/server";
+	* import { monoCloud } from "@/lib/monocloud";
+	*
+	* export const GET = async () => {
+	*   const session = await monoCloud.getSession();
+	*
+	*   if (!session) {
+	*     await monoCloud.redirectToSignIn({
+	*       returnUrl: "/dashboard",
+	*     });
+	*   }
+	*
+	*   return NextResponse.json({ data: "Protected content" });
+	* };
+	* ```
 	*/
 	async redirectToSignIn(options) {
 		const { routes, appUrl } = this.coreClient.getOptions();
@@ -604,7 +990,7 @@ var MonoCloudNextClient = class {
 			const { headers } = await import("next/headers");
 			await headers();
 		} catch {
-			throw new Error("redirectToSignIn() can only be used in App Router project");
+			throw new Error("redirectToSignIn() can only be used in App Router server environments (RSC, route handlers, or server actions)");
 		}
 		const signInRoute = new URL(`${appUrl}${routes.signIn}`);
 		if (options === null || options === void 0 ? void 0 : options.returnUrl) signInRoute.searchParams.set("return_url", options.returnUrl);
@@ -617,15 +1003,69 @@ var MonoCloudNextClient = class {
 		if (Array.isArray(options === null || options === void 0 ? void 0 : options.acrValues)) signInRoute.searchParams.set("acr_values", options.acrValues.join(" "));
 		if (options === null || options === void 0 ? void 0 : options.loginHint) signInRoute.searchParams.set("login_hint", options.loginHint);
 		if (options === null || options === void 0 ? void 0 : options.prompt) signInRoute.searchParams.set("prompt", options.prompt);
-		(0, next_navigation.redirect)(signInRoute.toString());
+		const { redirect } = await import("next/navigation");
+		redirect(signInRoute.toString());
 	}
 	/**
-	* Redirects the user to the sign-out route.
+	* Redirects the user to the sign-out flow.
+	*
+	* **This helper is App Router only and is designed for server environments (server components, route handlers, and server actions).**
+	*
+	* @param options Options to customize the sign out.
+	*
+	* @returns
 	*
-	* This helper is intended for **App Router** only. It builds the sign-out
-	* URL and optionally attaches a `post_logout_redirect_uri` override.
+	* @example React Server Component
 	*
-	* @throws Error if used outside of an App Router context.
+	* ```tsx
+	* import { monoCloud } from "@/lib/monocloud";
+	*
+	* export default async function Page() {
+	*   const session = await monoCloud.getSession();
+	*
+	*   // Example: Force sign-out if a specific condition is met (e.g., account suspended)
+	*   if (session?.user.isSuspended) {
+	*     await monoCloud.redirectToSignOut();
+	*   }
+	*
+	*   return <>Welcome User</>;
+	* }
+	* ```
+	*
+	* @example Server Action
+	*
+	* ```typescript
+	* "use server";
+	*
+	* import { monoCloud } from "@/lib/monocloud";
+	*
+	* export async function signOutAction() {
+	*   const session = await monoCloud.getSession();
+	*
+	*   if (session) {
+	*     await monoCloud.redirectToSignOut();
+	*   }
+	* }
+	* ```
+	*
+	* @example API Handler
+	*
+	* ```typescript
+	* import { monoCloud } from "@/lib/monocloud";
+	* import { NextResponse } from "next/server";
+	*
+	* export const GET = async () => {
+	*   const session = await monoCloud.getSession();
+	*
+	*   if (session) {
+	*     await monoCloud.redirectToSignOut({
+	*       postLogoutRedirectUri: "/goodbye",
+	*     });
+	*   }
+	*
+	*   return NextResponse.json({ status: "already_signed_out" });
+	* };
+	* ```
 	*/
 	async redirectToSignOut(options) {
 		var _options$postLogoutRe;
@@ -634,70 +1074,13 @@ var MonoCloudNextClient = class {
 			const { headers } = await import("next/headers");
 			await headers();
 		} catch {
-			throw new Error("redirectToSignOut() can only be used in App Router project");
+			throw new Error("redirectToSignOut() can only be used in App Router server environments (RSC, route handlers, or server actions)");
 		}
 		const signOutRoute = new URL(`${appUrl}${routes.signOut}`);
 		if (options === null || options === void 0 || (_options$postLogoutRe = options.postLogoutRedirectUri) === null || _options$postLogoutRe === void 0 ? void 0 : _options$postLogoutRe.trim().length) signOutRoute.searchParams.set("post_logout_url", options.postLogoutRedirectUri);
-		(0, next_navigation.redirect)(signOutRoute.toString());
-	}
-	resolveFunction(baseHandler) {
-		return ((...args) => {
-			if (args.length === 3) {
-				const req = args[0];
-				const res = args[1];
-				const options = args[2];
-				return baseHandler(req, res, options);
-			}
-			if (args.length === 2) {
-				const req = args[0];
-				const res = args[1];
-				return baseHandler(req, res);
-			}
-			if (args.length === 1) {
-				const options = args[0];
-				return baseHandler(void 0, void 0, options);
-			}
-			return baseHandler();
-		});
-	}
-	resolvedGetSession(req, resOrCtx) {
-		let request;
-		let response;
-		if (req && resOrCtx) {
-			const result = getMonoCloudReqRes(req, resOrCtx);
-			({request} = result);
-			({response} = result);
-		} else {
-			request = new MonoCloudCookieRequest();
-			response = new MonoCloudCookieResponse();
-		}
-		return this.coreClient.getSession(request, response);
-	}
-	resolvedGetTokens(req, resOrCtx, options) {
-		let request;
-		let response;
-		if (req && resOrCtx) {
-			const result = getMonoCloudReqRes(req, resOrCtx);
-			({request} = result);
-			({response} = result);
-		} else {
-			request = new MonoCloudCookieRequest();
-			response = new MonoCloudCookieResponse();
-		}
-		return this.coreClient.getTokens(request, response, options);
-	}
-	resolvedIsAuthenticated(req, resOrCtx) {
-		let request;
-		let response;
-		if (req && resOrCtx) {
-			const result = getMonoCloudReqRes(req, resOrCtx);
-			({request} = result);
-			({response} = result);
-		} else {
-			request = new MonoCloudCookieRequest();
-			response = new MonoCloudCookieResponse();
-		}
-		return this.coreClient.isAuthenticated(request, response);
+		if (typeof (options === null || options === void 0 ? void 0 : options.federated) === "boolean") signOutRoute.searchParams.set("federated", options.federated.toString());
+		const { redirect } = await import("next/navigation");
+		redirect(signOutRoute.toString());
 	}
 	getOptions() {
 		return this.coreClient.getOptions();