@monocloud/auth-nextjs 0.1.1 → 0.1.2

package/dist/index.mjs

@@ -1,20 +1,14 @@
 import { MonoCloudAuthBaseError, MonoCloudCoreClient, MonoCloudHttpError, MonoCloudOPError, MonoCloudTokenError, MonoCloudValidationError, MonoCloudValidationError as MonoCloudValidationError$1 } from "@monocloud/auth-node-core";
-import { NextResponse } from "next/server";
-import { redirect } from "next/navigation";
+import { NextRequest, NextResponse } from "next/server.js";
 import { ensureLeadingSlash, isAbsoluteUrl } from "@monocloud/auth-node-core/internal";
 import { isUserInGroup } from "@monocloud/auth-node-core/utils";
 import { serialize } from "cookie";
+import { IncomingMessage, ServerResponse } from "node:http";
 
 //#region src/requests/monocloud-app-router-request.ts
 var MonoCloudAppRouterRequest = class {
-	constructor(req, ctx) {
+	constructor(req) {
 		this.req = req;
-		this.ctx = ctx;
-	}
-	/* v8 ignore next */
-	getRoute(parameter) {
-		var _this$ctx$params;
-		return (_this$ctx$params = this.ctx.params) === null || _this$ctx$params === void 0 ? void 0 : _this$ctx$params[parameter];
 	}
 	getQuery(parameter) {
 		return new URL(this.req.url).searchParams.get(parameter) ?? void 0;
@@ -46,10 +40,6 @@ var MonoCloudPageRouterRequest = class {
 		this.req = req;
 	}
 	/* v8 ignore next */
-	getRoute(parameter) {
-		return this.req.query[parameter];
-	}
-	/* v8 ignore next */
 	getQuery(parameter) {
 		return this.req.query[parameter];
 	}
@@ -188,17 +178,64 @@ var MonoCloudPageRouterResponse = class {
 	}
 };
 
+//#endregion
+//#region src/responses/monocloud-cookie-response.ts
+let isWarned = false;
+var MonoCloudCookieResponse = class {
+	async setCookie(cookieName, value, options) {
+		try {
+			const { cookies } = await import("next/headers");
+			(await cookies()).set(cookieName, value, options);
+		} catch (e) {
+			if (!isWarned) {
+				console.warn(e.message);
+				isWarned = true;
+			}
+		}
+	}
+};
+
+//#endregion
+//#region src/requests/monocloud-cookie-request.ts
+var MonoCloudCookieRequest = class {
+	/* v8 ignore next */
+	async getCookie(name) {
+		var _await$cookies$get;
+		const { cookies } = await import("next/headers");
+		return (_await$cookies$get = (await cookies()).get(name)) === null || _await$cookies$get === void 0 ? void 0 : _await$cookies$get.value;
+	}
+	async getAllCookies() {
+		const values = /* @__PURE__ */ new Map();
+		const { cookies } = await import("next/headers");
+		(await cookies()).getAll().forEach((x) => {
+			values.set(x.name, x.value);
+		});
+		return values;
+	}
+};
+
 //#endregion
 //#region src/utils.ts
+const isMonoCloudRequest = (req) => req instanceof MonoCloudAppRouterRequest || req instanceof MonoCloudPageRouterRequest || req instanceof MonoCloudCookieRequest;
+const isMonoCloudResponse = (res) => res instanceof MonoCloudAppRouterResponse || res instanceof MonoCloudPageRouterResponse || res instanceof MonoCloudCookieResponse;
 const isAppRouter = (req) => req instanceof Request || req.headers instanceof Headers || typeof req.bodyUsed === "boolean";
-const getMonoCloudReqRes = (req, resOrCtx) => {
+const getNextRequest = (req) => {
+	if (req instanceof NextRequest) return req;
+	return new NextRequest(req);
+};
+const getNextResponse = (res) => {
+	if (res instanceof NextResponse) return res;
+	if (res instanceof Response) return new NextResponse(res.body, res);
+	return new NextResponse();
+};
+const getMonoCloudCookieReqRes = (req, resOrCtx) => {
 	let request;
 	let response;
 	if (isAppRouter(req)) {
-		request = new MonoCloudAppRouterRequest(req, resOrCtx instanceof NextResponse ? { params: {} } : resOrCtx);
-		response = new MonoCloudAppRouterResponse(resOrCtx instanceof NextResponse ? resOrCtx : new NextResponse());
+		request = new MonoCloudAppRouterRequest(getNextRequest(req));
+		response = resOrCtx instanceof Response ? new MonoCloudAppRouterResponse(getNextResponse(resOrCtx)) : new MonoCloudCookieResponse();
 	} else {
-		/* c8 ignore start */
+		if (!(req instanceof IncomingMessage) || !(resOrCtx instanceof ServerResponse)) throw new MonoCloudValidationError$1("Invalid pages router request and response");
 		request = new MonoCloudPageRouterRequest(req);
 		response = new MonoCloudPageRouterResponse(resOrCtx);
 	}
@@ -222,214 +259,189 @@ const mergeResponse = (responses) => {
 	return resp;
 };
 
-//#endregion
-//#region src/requests/monocloud-cookie-request.ts
-var MonoCloudCookieRequest = class {
-	/* v8 ignore next */
-	async getCookie(name) {
-		var _await$cookies$get;
-		const { cookies } = await import("next/headers");
-		return (_await$cookies$get = (await cookies()).get(name)) === null || _await$cookies$get === void 0 ? void 0 : _await$cookies$get.value;
-	}
-	async getAllCookies() {
-		const values = /* @__PURE__ */ new Map();
-		const { cookies } = await import("next/headers");
-		(await cookies()).getAll().forEach((x) => {
-			values.set(x.name, x.value);
-		});
-		return values;
-	}
-};
-
-//#endregion
-//#region src/responses/monocloud-cookie-response.ts
-let isWarned = false;
-var MonoCloudCookieResponse = class {
-	async setCookie(cookieName, value, options) {
-		try {
-			const { cookies } = await import("next/headers");
-			(await cookies()).set(cookieName, value, options);
-		} catch (e) {
-			if (!isWarned) {
-				console.warn(e.message);
-				isWarned = true;
-			}
-		}
-	}
-};
-
 //#endregion
 //#region src/monocloud-next-client.ts
+/**
+* The MonoCloud Next.js Client.
+*
+* @example Using Environment Variables (Recommended)
+*
+* 1. Add following variables to your `.env`.
+*
+* ```bash
+* MONOCLOUD_AUTH_TENANT_DOMAIN=<tenant-domain>
+* MONOCLOUD_AUTH_CLIENT_ID=<client-id>
+* MONOCLOUD_AUTH_CLIENT_SECRET=<client-secret>
+* MONOCLOUD_AUTH_SCOPES=openid profile email # Default
+* MONOCLOUD_AUTH_APP_URL=http://localhost:3000
+* MONOCLOUD_AUTH_COOKIE_SECRET=<cookie-secret>
+* ```
+*
+* 2. Instantiate the client in a shared file (e.g., lib/monocloud.ts)
+*
+* ```typescript
+* import { MonoCloudNextClient } from '@monocloud/auth-nextjs';
+*
+* export const monoCloud = new MonoCloudNextClient();
+* ```
+*
+* 3. Add MonoCloud middleware/proxy
+*
+* ```typescript
+* import { monoCloud } from "@/lib/monocloud";
+*
+* export default monoCloud.authMiddleware();
+*
+* export const config = {
+*   matcher: [
+*     "/((?!_next/static|_next/image|favicon.ico|sitemap.xml|robots.txt).*)",
+*   ],
+* };
+* ```
+*
+* @example Using Constructor Options
+*
+* ⚠️ Security Note: Never commit your credentials to version control. Load them from environment variables.
+*
+* 1. Instantiate the client in a shared file (e.g., lib/monocloud.ts)
+*
+* ```typescript
+* import { MonoCloudNextClient } from '@monocloud/auth-nextjs';
+*
+* export const monoCloud = new MonoCloudNextClient({
+*  tenantDomain: '<tenant-domain>',
+*  clientId: '<client-id>',
+*  clientSecret: '<client-secret>',
+*  scopes: 'openid profile email', // Default
+*  appUrl: 'http://localhost:3000',
+*  cookieSecret: '<cookie-secret>'
+* });
+* ```
+* 2. Add MonoCloud middleware/proxy
+*
+* ```typescript
+* import { monoCloud } from "@/lib/monocloud";
+*
+* export default monoCloud.authMiddleware();
+*
+* export const config = {
+*   matcher: [
+*     "/((?!_next/static|_next/image|favicon.ico|sitemap.xml|robots.txt).*)",
+*   ],
+* };
+* ```
+*
+* <details>
+* <summary>All Environment Variables</summary>
+*  <h4>Core Configuration (Required)</h4>
+*
+*  <ul>
+*    <li><strong>MONOCLOUD_AUTH_CLIENT_ID : </strong>Unique identifier for your application/client.</li>
+*    <li><strong>MONOCLOUD_AUTH_CLIENT_SECRET : </strong>Application/client secret.</li>
+*    <li><strong>MONOCLOUD_AUTH_TENANT_DOMAIN : </strong>The domain of your MonoCloud tenant (e.g., https://your-tenant.us.monocloud.com).</li>
+*    <li><strong>MONOCLOUD_AUTH_APP_URL : </strong>The base URL where your application is hosted.</li>
+*    <li><strong>MONOCLOUD_AUTH_COOKIE_SECRET : </strong>A long, random string used to encrypt and sign session cookies.</li>
+*  </ul>
+*
+*  <h4>Authentication &amp; Security</h4>
+*
+*  <ul>
+*    <li><strong>MONOCLOUD_AUTH_SCOPES : </strong>A space-separated list of OIDC scopes to request (e.g., openid profile email).</li>
+*    <li><strong>MONOCLOUD_AUTH_RESOURCE : </strong>The default resource/audience identifier for access tokens.</li>
+*    <li><strong>MONOCLOUD_AUTH_USE_PAR : </strong>Enables Pushed Authorization Requests.</li>
+*    <li><strong>MONOCLOUD_AUTH_CLOCK_SKEW : </strong>The allowed clock drift in seconds when validating token timestamps.</li>
+*    <li><strong>MONOCLOUD_AUTH_FEDERATED_SIGNOUT : </strong>If true, signs the user out of MonoCloud (SSO sign-out) when they sign out of the app.</li>
+*    <li><strong>MONOCLOUD_AUTH_RESPONSE_TIMEOUT : </strong>The maximum time in milliseconds to wait for a response.</li>
+*    <li><strong>MONOCLOUD_AUTH_ALLOW_QUERY_PARAM_OVERRIDES : </strong>Allows dynamic overrides of auth parameters via URL query strings.</li>
+*    <li><strong>MONOCLOUD_AUTH_POST_LOGOUT_REDIRECT_URI : </strong>The URL users are sent to after a successful logout.</li>
+*    <li><strong>MONOCLOUD_AUTH_USER_INFO : </strong>Determines if user profile data from the UserInfo endpoint should be fetched after authorization code exchange.</li>
+*    <li><strong>MONOCLOUD_AUTH_REFETCH_USER_INFO : </strong>If true, re-fetches user information on every request to userinfo endpoint or when calling getTokens()</li>
+*    <li><strong>MONOCLOUD_AUTH_ID_TOKEN_SIGNING_ALG : </strong>The expected algorithm for signing ID tokens (e.g., RS256).</li>
+*    <li><strong>MONOCLOUD_AUTH_FILTERED_ID_TOKEN_CLAIMS : </strong>A space-separated list of claims to exclude from the session object.</li>
+*  </ul>
+*
+*  <h4>Routes</h4>
+*
+*   <aside>
+*     <strong>⚠️ Important: Modifying Default Routes</strong>
+*     <p>If you choose to customize any of the default route paths, you must adhere to the following requirements:</p>
+*     <ul>
+*       <li>
+*         <strong>Client-Side Synchronization:</strong> You must also define a corresponding <code>NEXT_PUBLIC_</code> version of the environment variable (e.g., <code>NEXT_PUBLIC_MONOCLOUD_AUTH_CALLBACK_URL</code>). This ensures that client-side components like <code>&lt;SignIn /&gt;</code>, <code>&lt;SignOut /&gt;</code>, and the <code>useAuth()</code> hook can correctly identify your custom endpoints.
+*       </li>
+*       <li>
+*         <strong>Dashboard Configuration:</strong> Changing these URLs will alter the endpoints required by MonoCloud. You must update the <strong>Application URLs</strong> section in your MonoCloud Dashboard to match these new paths.
+*       </li>
+*     </ul>
+*     <p><em>Example:</em></p>
+*     <code>
+*       MONOCLOUD_AUTH_CALLBACK_URL=/api/custom_callback<br />
+*       NEXT_PUBLIC_MONOCLOUD_AUTH_CALLBACK_URL=/api/custom_callback
+*     </code>
+*     <p>In this case, the Redirect URI in your dashboard should be set to: <code>http://localhost:3000/api/custom_callback</code> (assuming local development).</p>
+*   </aside>
+*
+*  <ul>
+*    <li><strong>MONOCLOUD_AUTH_CALLBACK_URL : </strong>The application path where MonoCloud sends the user after authentication.</li>
+*    <li><strong>MONOCLOUD_AUTH_SIGNIN_URL : </strong>The internal route path to trigger the sign-in.</li>
+*    <li><strong>MONOCLOUD_AUTH_SIGNOUT_URL : </strong>The internal route path to trigger the sign-out.</li>
+*    <li><strong>MONOCLOUD_AUTH_USER_INFO_URL : </strong>The route that exposes the current user's profile from userinfo endpoint.</li>
+*  </ul>
+*
+*  <h4>Session Cookie Settings</h4>
+*
+*  <ul>
+*    <li><strong>MONOCLOUD_AUTH_SESSION_COOKIE_NAME : </strong>The name of the cookie used to store the user session.</li>
+*    <li><strong>MONOCLOUD_AUTH_SESSION_COOKIE_PATH : </strong>The scope path for the session cookie.</li>
+*    <li><strong>MONOCLOUD_AUTH_SESSION_COOKIE_DOMAIN : </strong>The domain scope for the session cookie.</li>
+*    <li><strong>MONOCLOUD_AUTH_SESSION_COOKIE_HTTP_ONLY : </strong>Prevents client-side scripts from accessing the session cookie.</li>
+*    <li><strong>MONOCLOUD_AUTH_SESSION_COOKIE_SECURE : </strong>Ensures the session cookie is only sent over HTTPS.</li>
+*    <li><strong>MONOCLOUD_AUTH_SESSION_COOKIE_SAME_SITE : </strong>The SameSite policy for the session cookie (Lax, Strict, or None).</li>
+*    <li><strong>MONOCLOUD_AUTH_SESSION_COOKIE_PERSISTENT : </strong>If true, the session survives browser restarts.</li>
+*    <li><strong>MONOCLOUD_AUTH_SESSION_SLIDING : </strong>If true, the session will be a sliding session instead of absolute.</li>
+*    <li><strong>MONOCLOUD_AUTH_SESSION_DURATION : </strong>The session lifetime in seconds.</li>
+*    <li><strong>MONOCLOUD_AUTH_SESSION_MAX_DURATION : </strong>The absolute maximum lifetime of a session in seconds.</li>
+*  </ul>
+*
+*  <h4>State Cookie Settings</h4>
+*
+*  <ul>
+*    <li><strong>MONOCLOUD_AUTH_STATE_COOKIE_NAME : </strong>The name of the cookie used to store OpenID state/nonce.</li>
+*    <li><strong>MONOCLOUD_AUTH_STATE_COOKIE_PATH : </strong>The scope path for the state cookie.</li>
+*    <li><strong>MONOCLOUD_AUTH_STATE_COOKIE_DOMAIN : </strong>The domain scope for the state cookie.</li>
+*    <li><strong>MONOCLOUD_AUTH_STATE_COOKIE_SECURE : </strong>Ensures the state cookie is only sent over HTTPS</li>
+*    <li><strong>MONOCLOUD_AUTH_STATE_COOKIE_SAME_SITE : </strong>The SameSite policy for the state cookie.</li>
+*    <li><strong>MONOCLOUD_AUTH_STATE_COOKIE_PERSISTENT : </strong>Whether the state cookie is persistent.</li>
+*  </ul>
+*
+*  <h4>Caching</h4>
+*
+*  <ul>
+*    <li><strong>MONOCLOUD_AUTH_JWKS_CACHE_DURATION : </strong>Duration in seconds to cache the JSON Web Key Set.</li>
+*    <li><strong>MONOCLOUD_AUTH_METADATA_CACHE_DURATION : </strong>Duration in seconds to cache the OpenID discovery metadata.</li>
+*  </ul>
+* </details>
+*
+*
+*/
 var MonoCloudNextClient = class {
-	/* v8 ignore next -- @preserve */
+	/**
+	* The underlying OIDC client instance used for low-level OpenID Connect operations.
+	*
+	* @example
+	* // Manually revoke an access token
+	* await client.oidcClient.revokeToken(accessToken, 'access_token');
+	*/
 	get oidcClient() {
 		return this.coreClient.oidcClient;
 	}
+	/**
+	* @param options Configuration options including domain, client ID, and secret.
+	*/
 	constructor(options) {
-		this.protectPage = (...args) => {
-			if (typeof args[0] === "function") return this.protectAppPage(args[0], args[1]);
-			return this.protectPagePage(args[0]);
-		};
-		this.protectAppPage = (component, options$1) => {
-			return async (params) => {
-				const session = await this.getSession();
-				if (!session) {
-					var _options$authParams, _options$authParams2, _options$authParams3, _options$authParams4, _options$authParams5, _options$authParams6, _options$authParams7, _options$authParams8, _options$authParams9;
-					if (options$1 === null || options$1 === void 0 ? void 0 : options$1.onAccessDenied) return options$1.onAccessDenied({ ...params });
-					const { routes, appUrl } = this.getOptions();
-					const { headers } = await import("next/headers");
-					const path = (await headers()).get("x-monocloud-path");
-					const signInRoute = new URL(`${appUrl}${ensureLeadingSlash(routes.signIn)}`);
-					signInRoute.searchParams.set("return_url", (options$1 === null || options$1 === void 0 ? void 0 : options$1.returnUrl) ?? path ?? "/");
-					if (options$1 === null || options$1 === void 0 || (_options$authParams = options$1.authParams) === null || _options$authParams === void 0 ? void 0 : _options$authParams.scopes) signInRoute.searchParams.set("scope", options$1.authParams.scopes);
-					if (options$1 === null || options$1 === void 0 || (_options$authParams2 = options$1.authParams) === null || _options$authParams2 === void 0 ? void 0 : _options$authParams2.resource) signInRoute.searchParams.set("resource", options$1.authParams.resource);
-					if (options$1 === null || options$1 === void 0 || (_options$authParams3 = options$1.authParams) === null || _options$authParams3 === void 0 ? void 0 : _options$authParams3.acrValues) signInRoute.searchParams.set("acr_values", options$1.authParams.acrValues.join(" "));
-					if (options$1 === null || options$1 === void 0 || (_options$authParams4 = options$1.authParams) === null || _options$authParams4 === void 0 ? void 0 : _options$authParams4.display) signInRoute.searchParams.set("display", options$1.authParams.display);
-					if (options$1 === null || options$1 === void 0 || (_options$authParams5 = options$1.authParams) === null || _options$authParams5 === void 0 ? void 0 : _options$authParams5.prompt) signInRoute.searchParams.set("prompt", options$1.authParams.prompt);
-					if (options$1 === null || options$1 === void 0 || (_options$authParams6 = options$1.authParams) === null || _options$authParams6 === void 0 ? void 0 : _options$authParams6.authenticatorHint) signInRoute.searchParams.set("authenticator_hint", options$1.authParams.authenticatorHint);
-					if (options$1 === null || options$1 === void 0 || (_options$authParams7 = options$1.authParams) === null || _options$authParams7 === void 0 ? void 0 : _options$authParams7.uiLocales) signInRoute.searchParams.set("ui_locales", options$1.authParams.uiLocales);
-					if (options$1 === null || options$1 === void 0 || (_options$authParams8 = options$1.authParams) === null || _options$authParams8 === void 0 ? void 0 : _options$authParams8.maxAge) signInRoute.searchParams.set("max_age", options$1.authParams.maxAge.toString());
-					if (options$1 === null || options$1 === void 0 || (_options$authParams9 = options$1.authParams) === null || _options$authParams9 === void 0 ? void 0 : _options$authParams9.loginHint) signInRoute.searchParams.set("login_hint", options$1.authParams.loginHint);
-					return redirect(signInRoute.toString());
-				}
-				if ((options$1 === null || options$1 === void 0 ? void 0 : options$1.groups) && !isUserInGroup(session.user, options$1.groups, options$1.groupsClaim ?? process.env.MONOCLOUD_AUTH_GROUPS_CLAIM, options$1.matchAll)) {
-					if (options$1.onAccessDenied) return options$1.onAccessDenied({
-						...params,
-						user: session.user
-					});
-					return "Access Denied";
-				}
-				return component({
-					...params,
-					user: session.user
-				});
-			};
-		};
-		this.protectPagePage = (options$1) => {
-			return async (context) => {
-				const session = await this.getSession(context.req, context.res);
-				if (!session) {
-					var _options$authParams10, _options$authParams11, _options$authParams12, _options$authParams13, _options$authParams14, _options$authParams15, _options$authParams16, _options$authParams17, _options$authParams18;
-					if (options$1 === null || options$1 === void 0 ? void 0 : options$1.onAccessDenied) {
-						const customProps$1 = await options$1.onAccessDenied({ ...context });
-						return {
-							...customProps$1 ?? {},
-							props: { ...(customProps$1 === null || customProps$1 === void 0 ? void 0 : customProps$1.props) ?? {} }
-						};
-					}
-					const { routes, appUrl } = this.getOptions();
-					const signInRoute = new URL(`${appUrl}${ensureLeadingSlash(routes.signIn)}`);
-					signInRoute.searchParams.set("return_url", (options$1 === null || options$1 === void 0 ? void 0 : options$1.returnUrl) ?? context.resolvedUrl);
-					if (options$1 === null || options$1 === void 0 || (_options$authParams10 = options$1.authParams) === null || _options$authParams10 === void 0 ? void 0 : _options$authParams10.scopes) signInRoute.searchParams.set("scope", options$1.authParams.scopes);
-					if (options$1 === null || options$1 === void 0 || (_options$authParams11 = options$1.authParams) === null || _options$authParams11 === void 0 ? void 0 : _options$authParams11.resource) signInRoute.searchParams.set("resource", options$1.authParams.resource);
-					if (options$1 === null || options$1 === void 0 || (_options$authParams12 = options$1.authParams) === null || _options$authParams12 === void 0 ? void 0 : _options$authParams12.acrValues) signInRoute.searchParams.set("acr_values", options$1.authParams.acrValues.join(" "));
-					if (options$1 === null || options$1 === void 0 || (_options$authParams13 = options$1.authParams) === null || _options$authParams13 === void 0 ? void 0 : _options$authParams13.display) signInRoute.searchParams.set("display", options$1.authParams.display);
-					if (options$1 === null || options$1 === void 0 || (_options$authParams14 = options$1.authParams) === null || _options$authParams14 === void 0 ? void 0 : _options$authParams14.prompt) signInRoute.searchParams.set("prompt", options$1.authParams.prompt);
-					if (options$1 === null || options$1 === void 0 || (_options$authParams15 = options$1.authParams) === null || _options$authParams15 === void 0 ? void 0 : _options$authParams15.authenticatorHint) signInRoute.searchParams.set("authenticator_hint", options$1.authParams.authenticatorHint);
-					if (options$1 === null || options$1 === void 0 || (_options$authParams16 = options$1.authParams) === null || _options$authParams16 === void 0 ? void 0 : _options$authParams16.uiLocales) signInRoute.searchParams.set("ui_locales", options$1.authParams.uiLocales);
-					if (options$1 === null || options$1 === void 0 || (_options$authParams17 = options$1.authParams) === null || _options$authParams17 === void 0 ? void 0 : _options$authParams17.maxAge) signInRoute.searchParams.set("max_age", options$1.authParams.maxAge.toString());
-					if (options$1 === null || options$1 === void 0 || (_options$authParams18 = options$1.authParams) === null || _options$authParams18 === void 0 ? void 0 : _options$authParams18.loginHint) signInRoute.searchParams.set("login_hint", options$1.authParams.loginHint);
-					return { redirect: {
-						destination: signInRoute.toString(),
-						permanent: false
-					} };
-				}
-				if ((options$1 === null || options$1 === void 0 ? void 0 : options$1.groups) && !isUserInGroup(session.user, options$1.groups, options$1.groupsClaim ?? process.env.MONOCLOUD_AUTH_GROUPS_CLAIM, options$1.matchAll)) {
-					var _options$onAccessDeni;
-					const customProps$1 = await ((_options$onAccessDeni = options$1.onAccessDenied) === null || _options$onAccessDeni === void 0 ? void 0 : _options$onAccessDeni.call(options$1, {
-						...context,
-						user: session.user
-					})) ?? { props: { accessDenied: true } };
-					return {
-						...customProps$1,
-						props: { ...customProps$1.props ?? {} }
-					};
-				}
-				const customProps = (options$1 === null || options$1 === void 0 ? void 0 : options$1.getServerSideProps) ? await options$1.getServerSideProps(context) : {};
-				const promiseProp = customProps.props;
-				if (promiseProp instanceof Promise) return {
-					...customProps,
-					props: promiseProp.then((props) => ({
-						user: session.user,
-						...props
-					}))
-				};
-				return {
-					...customProps,
-					props: {
-						user: session.user,
-						...customProps.props
-					}
-				};
-			};
-		};
-		this.protectApi = (handler, options$1) => {
-			return (req, resOrCtx) => {
-				if (isAppRouter(req)) return this.protectAppApi(req, resOrCtx, handler, options$1);
-				return this.protectPageApi(req, resOrCtx, handler, options$1);
-			};
-		};
-		this.protectAppApi = async (req, ctx, handler, options$1) => {
-			const res = new NextResponse();
-			const session = await this.getSession(req, res);
-			if (!session) {
-				if (options$1 === null || options$1 === void 0 ? void 0 : options$1.onAccessDenied) {
-					const result = await options$1.onAccessDenied(req, ctx);
-					if (result instanceof NextResponse) return mergeResponse([res, result]);
-					return mergeResponse([res, new NextResponse(result.body, result)]);
-				}
-				return mergeResponse([res, NextResponse.json({ message: "unauthorized" }, { status: 401 })]);
-			}
-			if ((options$1 === null || options$1 === void 0 ? void 0 : options$1.groups) && !isUserInGroup(session.user, options$1.groups, options$1.groupsClaim ?? process.env.MONOCLOUD_AUTH_GROUPS_CLAIM, options$1.matchAll)) {
-				if (options$1.onAccessDenied) {
-					const result = await options$1.onAccessDenied(req, ctx);
-					if (result instanceof NextResponse) return mergeResponse([res, result]);
-					return mergeResponse([res, new NextResponse(result.body, result)]);
-				}
-				return mergeResponse([res, NextResponse.json({ message: "forbidden" }, { status: 403 })]);
-			}
-			const resp = await handler(req, ctx);
-			if (resp instanceof NextResponse) return mergeResponse([res, resp]);
-			return mergeResponse([res, new NextResponse(resp.body, resp)]);
-		};
-		this.protectPageApi = async (req, res, handler, options$1) => {
-			const session = await this.getSession(req, res);
-			if (!session) {
-				if (options$1 === null || options$1 === void 0 ? void 0 : options$1.onAccessDenied) return options$1.onAccessDenied(req, res);
-				return res.status(401).json({ message: "unauthorized" });
-			}
-			if ((options$1 === null || options$1 === void 0 ? void 0 : options$1.groups) && !isUserInGroup(session.user, options$1.groups, options$1.groupsClaim ?? process.env.MONOCLOUD_AUTH_GROUPS_CLAIM, options$1.matchAll)) {
-				if (options$1.onAccessDenied) return options$1.onAccessDenied(req, res, session.user);
-				return res.status(403).json({ message: "forbidden" });
-			}
-			return handler(req, res);
-		};
-		this.authMiddleware = (...args) => {
-			let req;
-			let evt;
-			let options$1;
-			/* v8 ignore else -- @preserve */
-			if (Array.isArray(args)) {
-				if (args.length === 2) {
-					/* v8 ignore else -- @preserve */
-					if (isAppRouter(args[0])) {
-						req = args[0];
-						evt = args[1];
-					}
-				}
-				if (args.length === 1) options$1 = args[0];
-			}
-			if (req && evt) return this.authMiddlewareHandler(req, evt, options$1);
-			return (request, nxtEvt) => {
-				return this.authMiddlewareHandler(request, nxtEvt, options$1);
-			};
-		};
-		this.getSession = this.resolveFunction(this.resolvedGetSession.bind(this));
-		this.getTokens = this.resolveFunction(this.resolvedGetTokens.bind(this));
-		this.isAuthenticated = this.resolveFunction(this.resolvedIsAuthenticated.bind(this));
 		const opt = {
 			...options ?? {},
-			userAgent: (options === null || options === void 0 ? void 0 : options.userAgent) ?? `@monocloud/auth-nextjs@0.1.1`,
+			userAgent: (options === null || options === void 0 ? void 0 : options.userAgent) ?? `@monocloud/auth-nextjs@0.1.2`,
 			debugger: (options === null || options === void 0 ? void 0 : options.debugger) ?? "@monocloud:auth-nextjs"
 		};
 		this.registerPublicEnvVariables();
@@ -440,12 +452,65 @@ var MonoCloudNextClient = class {
 	* that processes all MonoCloud authentication endpoints
 	* (`/signin`, `/callback`, `/userinfo`, `/signout`).
 	*
-	* @param {MonoCloudAuthOptions} [options] Optional configuration authentication routes.
+	* @param options Authentication configuration routes.
 	*
 	* **Note:** If you are already using `authMiddleware()`, you typically do **not**
 	* need this API route handler. This function is intended for applications where
 	* middleware cannot be used—such as statically generated (SSG) deployments that still
 	* require server-side authentication flows.
+	*
+	* @example App Router
+	*
+	* ```typescript
+	* // app/api/auth/[...monocloud]/route.ts
+	*
+	* import { monoCloud } from "@/lib/monocloud";
+	*
+	* export const GET = monoCloud.monoCloudAuth();
+	*```
+	*
+	* @example App Router with Response
+	*
+	* ```typescript
+	* import { monoCloud } from "@/lib/monocloud";
+	* import { NextRequest, NextResponse } from "next/server";
+	*
+	* export const GET = (req: NextRequest) => {
+	*   const authHandler = monoCloud.monoCloudAuth();
+	*
+	*   const res = new NextResponse();
+	*
+	*   res.cookies.set("last_auth_requested", `${Date.now()}`);
+	*
+	*   return authHandler(req, res);
+	* };
+	* ```
+	*
+	* @example Pages Router
+	*
+	* ```typescript
+	* // pages/api/auth/[...monocloud].ts
+	*
+	* import { monoCloud } from "@/lib/monocloud";
+	*
+	* export default monoCloud.monoCloudAuth();
+	*```
+	*
+	* @example Page Router with Response
+	*
+	* ```typescript
+	* import { monoCloud } from "@/lib/monocloud";
+	* import { NextApiRequest, NextApiResponse } from "next";
+	*
+	* export default function handler(req: NextApiRequest, res: NextApiResponse) {
+	*   const authHandler = monoCloud.monoCloudAuth();
+	*
+	*   res.setHeader("last_auth_requested", `${Date.now()}`);
+	*
+	*   return authHandler(req, res);
+	* }
+	* ```
+	*
 	*/
 	monoCloudAuth(options) {
 		return (req, resOrCtx) => {
@@ -455,17 +520,185 @@ var MonoCloudNextClient = class {
 			const route = new URL(url);
 			let onError;
 			if (typeof (options === null || options === void 0 ? void 0 : options.onError) === "function") onError = (error) => options.onError(req, resOrCtx, error);
-			const { request, response } = getMonoCloudReqRes(req, resOrCtx);
+			let request;
+			let response;
+			if (isAppRouter(req)) {
+				request = new MonoCloudAppRouterRequest(getNextRequest(req));
+				response = new MonoCloudAppRouterResponse(getNextResponse(resOrCtx));
+			} else {
+				request = new MonoCloudPageRouterRequest(req);
+				response = new MonoCloudPageRouterResponse(resOrCtx);
+			}
 			return this.handleAuthRoutes(request, response, route.pathname, routes, onError);
 		};
 	}
+	protectPage(...args) {
+		if (typeof args[0] === "function") return this.protectAppPage(args[0], args[1]);
+		return this.protectPagePage(args[0]);
+	}
+	protectAppPage(component, options) {
+		return async (params) => {
+			const session = await this.getSession();
+			if (!session) {
+				var _options$authParams, _options$authParams2, _options$authParams3, _options$authParams4, _options$authParams5, _options$authParams6, _options$authParams7, _options$authParams8, _options$authParams9;
+				if (options === null || options === void 0 ? void 0 : options.onAccessDenied) return options.onAccessDenied({ ...params });
+				const { routes, appUrl } = this.getOptions();
+				const { headers } = await import("next/headers");
+				const path = (await headers()).get("x-monocloud-path");
+				const signInRoute = new URL(`${appUrl}${ensureLeadingSlash(routes.signIn)}`);
+				signInRoute.searchParams.set("return_url", (options === null || options === void 0 ? void 0 : options.returnUrl) ?? path ?? "/");
+				if (options === null || options === void 0 || (_options$authParams = options.authParams) === null || _options$authParams === void 0 ? void 0 : _options$authParams.scopes) signInRoute.searchParams.set("scope", options.authParams.scopes);
+				if (options === null || options === void 0 || (_options$authParams2 = options.authParams) === null || _options$authParams2 === void 0 ? void 0 : _options$authParams2.resource) signInRoute.searchParams.set("resource", options.authParams.resource);
+				if (options === null || options === void 0 || (_options$authParams3 = options.authParams) === null || _options$authParams3 === void 0 ? void 0 : _options$authParams3.acrValues) signInRoute.searchParams.set("acr_values", options.authParams.acrValues.join(" "));
+				if (options === null || options === void 0 || (_options$authParams4 = options.authParams) === null || _options$authParams4 === void 0 ? void 0 : _options$authParams4.display) signInRoute.searchParams.set("display", options.authParams.display);
+				if (options === null || options === void 0 || (_options$authParams5 = options.authParams) === null || _options$authParams5 === void 0 ? void 0 : _options$authParams5.prompt) signInRoute.searchParams.set("prompt", options.authParams.prompt);
+				if (options === null || options === void 0 || (_options$authParams6 = options.authParams) === null || _options$authParams6 === void 0 ? void 0 : _options$authParams6.authenticatorHint) signInRoute.searchParams.set("authenticator_hint", options.authParams.authenticatorHint);
+				if (options === null || options === void 0 || (_options$authParams7 = options.authParams) === null || _options$authParams7 === void 0 ? void 0 : _options$authParams7.uiLocales) signInRoute.searchParams.set("ui_locales", options.authParams.uiLocales);
+				if (options === null || options === void 0 || (_options$authParams8 = options.authParams) === null || _options$authParams8 === void 0 ? void 0 : _options$authParams8.maxAge) signInRoute.searchParams.set("max_age", options.authParams.maxAge.toString());
+				if (options === null || options === void 0 || (_options$authParams9 = options.authParams) === null || _options$authParams9 === void 0 ? void 0 : _options$authParams9.loginHint) signInRoute.searchParams.set("login_hint", options.authParams.loginHint);
+				const { redirect } = await import("next/navigation");
+				return redirect(signInRoute.toString());
+			}
+			if ((options === null || options === void 0 ? void 0 : options.groups) && !isUserInGroup(session.user, options.groups, options.groupsClaim ?? process.env.MONOCLOUD_AUTH_GROUPS_CLAIM, options.matchAll)) {
+				if (options.onAccessDenied) return options.onAccessDenied({
+					...params,
+					user: session.user
+				});
+				return "Access Denied";
+			}
+			return component({
+				...params,
+				user: session.user
+			});
+		};
+	}
+	protectPagePage(options) {
+		return async (context) => {
+			const session = await this.getSession(context.req, context.res);
+			if (!session) {
+				var _options$authParams10, _options$authParams11, _options$authParams12, _options$authParams13, _options$authParams14, _options$authParams15, _options$authParams16, _options$authParams17, _options$authParams18;
+				if (options === null || options === void 0 ? void 0 : options.onAccessDenied) {
+					const customProps$1 = await options.onAccessDenied({ ...context });
+					return {
+						...customProps$1 ?? {},
+						props: { ...(customProps$1 === null || customProps$1 === void 0 ? void 0 : customProps$1.props) ?? {} }
+					};
+				}
+				const { routes, appUrl } = this.getOptions();
+				const signInRoute = new URL(`${appUrl}${ensureLeadingSlash(routes.signIn)}`);
+				signInRoute.searchParams.set("return_url", (options === null || options === void 0 ? void 0 : options.returnUrl) ?? context.resolvedUrl);
+				if (options === null || options === void 0 || (_options$authParams10 = options.authParams) === null || _options$authParams10 === void 0 ? void 0 : _options$authParams10.scopes) signInRoute.searchParams.set("scope", options.authParams.scopes);
+				if (options === null || options === void 0 || (_options$authParams11 = options.authParams) === null || _options$authParams11 === void 0 ? void 0 : _options$authParams11.resource) signInRoute.searchParams.set("resource", options.authParams.resource);
+				if (options === null || options === void 0 || (_options$authParams12 = options.authParams) === null || _options$authParams12 === void 0 ? void 0 : _options$authParams12.acrValues) signInRoute.searchParams.set("acr_values", options.authParams.acrValues.join(" "));
+				if (options === null || options === void 0 || (_options$authParams13 = options.authParams) === null || _options$authParams13 === void 0 ? void 0 : _options$authParams13.display) signInRoute.searchParams.set("display", options.authParams.display);
+				if (options === null || options === void 0 || (_options$authParams14 = options.authParams) === null || _options$authParams14 === void 0 ? void 0 : _options$authParams14.prompt) signInRoute.searchParams.set("prompt", options.authParams.prompt);
+				if (options === null || options === void 0 || (_options$authParams15 = options.authParams) === null || _options$authParams15 === void 0 ? void 0 : _options$authParams15.authenticatorHint) signInRoute.searchParams.set("authenticator_hint", options.authParams.authenticatorHint);
+				if (options === null || options === void 0 || (_options$authParams16 = options.authParams) === null || _options$authParams16 === void 0 ? void 0 : _options$authParams16.uiLocales) signInRoute.searchParams.set("ui_locales", options.authParams.uiLocales);
+				if (options === null || options === void 0 || (_options$authParams17 = options.authParams) === null || _options$authParams17 === void 0 ? void 0 : _options$authParams17.maxAge) signInRoute.searchParams.set("max_age", options.authParams.maxAge.toString());
+				if (options === null || options === void 0 || (_options$authParams18 = options.authParams) === null || _options$authParams18 === void 0 ? void 0 : _options$authParams18.loginHint) signInRoute.searchParams.set("login_hint", options.authParams.loginHint);
+				return { redirect: {
+					destination: signInRoute.toString(),
+					permanent: false
+				} };
+			}
+			if ((options === null || options === void 0 ? void 0 : options.groups) && !isUserInGroup(session.user, options.groups, options.groupsClaim ?? process.env.MONOCLOUD_AUTH_GROUPS_CLAIM, options.matchAll)) {
+				var _options$onAccessDeni;
+				const customProps$1 = await ((_options$onAccessDeni = options.onAccessDenied) === null || _options$onAccessDeni === void 0 ? void 0 : _options$onAccessDeni.call(options, {
+					...context,
+					user: session.user
+				})) ?? { props: { accessDenied: true } };
+				return {
+					...customProps$1,
+					props: { ...customProps$1.props ?? {} }
+				};
+			}
+			const customProps = (options === null || options === void 0 ? void 0 : options.getServerSideProps) ? await options.getServerSideProps(context) : {};
+			const promiseProp = customProps.props;
+			if (promiseProp instanceof Promise) return {
+				...customProps,
+				props: promiseProp.then((props) => ({
+					user: session.user,
+					...props
+				}))
+			};
+			return {
+				...customProps,
+				props: {
+					user: session.user,
+					...customProps.props
+				}
+			};
+		};
+	}
+	protectApi(handler, options) {
+		return (req, resOrCtx) => {
+			if (isAppRouter(req)) return this.protectAppApi(req, resOrCtx, handler, options);
+			return this.protectPageApi(req, resOrCtx, handler, options);
+		};
+	}
+	async protectAppApi(req, ctx, handler, options) {
+		const res = new NextResponse();
+		const session = await this.getSession(req, res);
+		if (!session) {
+			if (options === null || options === void 0 ? void 0 : options.onAccessDenied) {
+				const result = await options.onAccessDenied(req, ctx);
+				if (result instanceof NextResponse) return mergeResponse([res, result]);
+				return mergeResponse([res, new NextResponse(result.body, result)]);
+			}
+			return mergeResponse([res, NextResponse.json({ message: "unauthorized" }, { status: 401 })]);
+		}
+		if ((options === null || options === void 0 ? void 0 : options.groups) && !isUserInGroup(session.user, options.groups, options.groupsClaim ?? process.env.MONOCLOUD_AUTH_GROUPS_CLAIM, options.matchAll)) {
+			if (options.onAccessDenied) {
+				const result = await options.onAccessDenied(req, ctx);
+				if (result instanceof NextResponse) return mergeResponse([res, result]);
+				return mergeResponse([res, new NextResponse(result.body, result)]);
+			}
+			return mergeResponse([res, NextResponse.json({ message: "forbidden" }, { status: 403 })]);
+		}
+		const resp = await handler(req, ctx);
+		if (resp instanceof NextResponse) return mergeResponse([res, resp]);
+		return mergeResponse([res, new NextResponse(resp.body, resp)]);
+	}
+	async protectPageApi(req, res, handler, options) {
+		const session = await this.getSession(req, res);
+		if (!session) {
+			if (options === null || options === void 0 ? void 0 : options.onAccessDenied) return options.onAccessDenied(req, res);
+			return res.status(401).json({ message: "unauthorized" });
+		}
+		if ((options === null || options === void 0 ? void 0 : options.groups) && !isUserInGroup(session.user, options.groups, options.groupsClaim ?? process.env.MONOCLOUD_AUTH_GROUPS_CLAIM, options.matchAll)) {
+			if (options.onAccessDenied) return options.onAccessDenied(req, res, session.user);
+			return res.status(403).json({ message: "forbidden" });
+		}
+		return handler(req, res);
+	}
+	authMiddleware(...args) {
+		let req;
+		let evt;
+		let options;
+		/* v8 ignore else -- @preserve */
+		if (Array.isArray(args)) {
+			if (args.length === 2) {
+				/* v8 ignore else -- @preserve */
+				if (isAppRouter(args[0])) {
+					req = args[0];
+					evt = args[1];
+				}
+			}
+			if (args.length === 1) options = args[0];
+		}
+		if (req && evt) return this.authMiddlewareHandler(req, evt, options);
+		return (request, nxtEvt) => {
+			return this.authMiddlewareHandler(request, nxtEvt, options);
+		};
+	}
 	async authMiddlewareHandler(req, evt, options) {
+		req = getNextRequest(req);
 		if (req.headers.has("x-middleware-subrequest")) return NextResponse.json({ message: "forbidden" }, { status: 403 });
 		const { routes, appUrl } = this.getOptions();
 		if (Object.values(routes).map((x) => ensureLeadingSlash(x)).includes(req.nextUrl.pathname)) {
 			let onError;
 			if (typeof (options === null || options === void 0 ? void 0 : options.onError) === "function") onError = (error) => options.onError(req, evt, error);
-			const request = new MonoCloudAppRouterRequest(req, { params: {} });
+			const request = new MonoCloudAppRouterRequest(req);
 			const response = new MonoCloudAppRouterResponse(new NextResponse());
 			return this.handleAuthRoutes(request, response, req.nextUrl.pathname, routes, onError);
 		}
@@ -521,10 +754,101 @@ var MonoCloudNextClient = class {
 				return response.done();
 		}
 	}
+	async getSession(...args) {
+		let request;
+		let response;
+		if (args.length === 0) {
+			request = new MonoCloudCookieRequest();
+			response = new MonoCloudCookieResponse();
+		} else ({request, response} = getMonoCloudCookieReqRes(args[0], args[1]));
+		/* v8 ignore next -- @preserve */
+		if (!isMonoCloudRequest(request) || !isMonoCloudResponse(response)) throw new MonoCloudValidationError$1("Invalid parameters passed to getSession()");
+		return await this.coreClient.getSession(request, response);
+	}
+	async getTokens(...args) {
+		let request;
+		let response;
+		let options;
+		if (args.length === 0) {
+			request = new MonoCloudCookieRequest();
+			response = new MonoCloudCookieResponse();
+		} else if (args.length === 1) if (args[0] instanceof Request) ({request, response} = getMonoCloudCookieReqRes(args[0], void 0));
+		else {
+			request = new MonoCloudCookieRequest();
+			response = new MonoCloudCookieResponse();
+			options = args[0];
+		}
+		else if (args.length === 2 && args[0] instanceof Request) if (args[1] instanceof Response) ({request, response} = getMonoCloudCookieReqRes(args[0], args[1]));
+		else {
+			({request, response} = getMonoCloudCookieReqRes(args[0], void 0));
+			options = args[1];
+		}
+		else if (args.length === 2 && args[0] instanceof IncomingMessage && args[1] instanceof ServerResponse) ({request, response} = getMonoCloudCookieReqRes(args[0], args[1]));
+		else {
+			({request, response} = getMonoCloudCookieReqRes(args[0], args[1]));
+			options = args[2];
+		}
+		if (!isMonoCloudRequest(request) || !isMonoCloudResponse(response) || options && typeof options !== "object") throw new MonoCloudValidationError$1("Invalid parameters passed to getTokens()");
+		return await this.coreClient.getTokens(request, response, options);
+	}
+	async isAuthenticated(...args) {
+		let request;
+		let response;
+		if (args.length === 0) {
+			request = new MonoCloudCookieRequest();
+			response = new MonoCloudCookieResponse();
+		} else ({request, response} = getMonoCloudCookieReqRes(args[0], args[1]));
+		/* v8 ignore next -- @preserve */
+		if (!isMonoCloudRequest(request) || !isMonoCloudResponse(response)) throw new MonoCloudValidationError$1("Invalid parameters passed to isAuthenticated()");
+		return await this.coreClient.isAuthenticated(request, response);
+	}
 	/**
-	* Redirects the user to sign-in if not authenticated.
+	* Redirects the user to the sign-in flow if they are not authenticated.
+	*
+	* **This helper is App Router only and is designed for server environments (server components, route handlers, and server actions).**
+	*
+	* @param options Options to customize the sign-in.
+	*
+	* @returns
+	*
+	* @example React Server Component
+	*
+	* ```tsx
+	* import { monoCloud } from "@/lib/monocloud";
+	*
+	* export default async function Home() {
+	*   await monoCloud.protect();
+	*
+	*   return <>You are signed in.</>;
+	* }
+	* ```
+	*
+	* @example API Handler
+	*
+	* ```typescript
+	* import { NextResponse } from "next/server";
+	* import { monoCloud } from "@/lib/monocloud";
 	*
-	* **Note: This function only works on App Router.**
+	* export const GET = async () => {
+	*   await monoCloud.protect();
+	*
+	*   return NextResponse.json({ secret: "ssshhhh!!!" });
+	* };
+	* ```
+	*
+	* @example Server Action
+	*
+	* ```typescript
+	* "use server";
+	*
+	* import { monoCloud } from "@/lib/monocloud";
+	*
+	* export async function getMessage() {
+	*   await monoCloud.protect();
+	*
+	*   return { secret: "sssshhhhh!!!" };
+	* }
+	* ```
 	*/
 	async protect(options) {
 		var _options$authParams19, _options$authParams20, _options$authParams21, _options$authParams22, _options$authParams23, _options$authParams24, _options$authParams25, _options$authParams26, _options$authParams27;
@@ -537,7 +861,7 @@ var MonoCloudNextClient = class {
 			const { headers } = await import("next/headers");
 			path = (await headers()).get("x-monocloud-path") ?? "/";
 		} catch {
-			throw new Error("protect() can only be used in App Router project");
+			throw new Error("protect() can only be used in App Router server environments (RSC, route handlers, or server actions)");
 		}
 		const signInRoute = new URL(`${appUrl}${routes.signIn}`);
 		signInRoute.searchParams.set("return_url", (options === null || options === void 0 ? void 0 : options.returnUrl) ?? path);
@@ -550,6 +874,7 @@ var MonoCloudNextClient = class {
 		if (Array.isArray(options === null || options === void 0 || (_options$authParams25 = options.authParams) === null || _options$authParams25 === void 0 ? void 0 : _options$authParams25.acrValues)) signInRoute.searchParams.set("acr_values", options.authParams.acrValues.join(" "));
 		if (options === null || options === void 0 || (_options$authParams26 = options.authParams) === null || _options$authParams26 === void 0 ? void 0 : _options$authParams26.loginHint) signInRoute.searchParams.set("login_hint", options.authParams.loginHint);
 		if (options === null || options === void 0 || (_options$authParams27 = options.authParams) === null || _options$authParams27 === void 0 ? void 0 : _options$authParams27.prompt) signInRoute.searchParams.set("prompt", options.authParams.prompt);
+		const { redirect } = await import("next/navigation");
 		redirect(signInRoute.toString());
 	}
 	async isUserInGroup(...args) {
@@ -558,44 +883,105 @@ var MonoCloudNextClient = class {
 		let groups;
 		let options;
 		if (args.length === 4) {
-			const req = args[0];
-			const res = args[1];
 			groups = args[2];
 			options = args[3];
-			const reqRes = getMonoCloudReqRes(req, res);
-			({request} = reqRes);
-			({response} = reqRes);
+			({request, response} = getMonoCloudCookieReqRes(args[0], args[1]));
 		}
 		if (args.length === 3) {
-			const req = args[0];
-			const res = args[1];
-			groups = args[2];
-			const reqRes = getMonoCloudReqRes(req, res);
-			({request} = reqRes);
-			({response} = reqRes);
+			if (args[0] instanceof Request) if (args[1] instanceof Response) {
+				({request, response} = getMonoCloudCookieReqRes(args[0], args[1]));
+				groups = args[2];
+			} else {
+				({request, response} = getMonoCloudCookieReqRes(args[0], void 0));
+				groups = args[1];
+				options = args[2];
+			}
+			if (args[0] instanceof IncomingMessage && args[1] instanceof ServerResponse) {
+				({request, response} = getMonoCloudCookieReqRes(args[0], args[1]));
+				groups = args[2];
+			}
 		}
 		if (args.length === 2) {
-			request = new MonoCloudCookieRequest();
-			response = new MonoCloudCookieResponse();
-			groups = args[0];
-			options = args[1];
+			if (args[0] instanceof Request) {
+				({request, response} = getMonoCloudCookieReqRes(args[0], void 0));
+				groups = args[1];
+			}
+			if (Array.isArray(args[0])) {
+				request = new MonoCloudCookieRequest();
+				response = new MonoCloudCookieResponse();
+				groups = args[0];
+				options = args[1];
+			}
 		}
 		if (args.length === 1) {
 			request = new MonoCloudCookieRequest();
 			response = new MonoCloudCookieResponse();
 			groups = args[0];
 		}
-		if (!Array.isArray(groups) || !request || !response) throw new MonoCloudValidationError$1("Invalid parameters passed to isUserInGroup()");
+		if (!Array.isArray(groups) || !isMonoCloudRequest(request) || !isMonoCloudResponse(response) || options && typeof options !== "object") throw new MonoCloudValidationError$1("Invalid parameters passed to isUserInGroup()");
 		return await this.coreClient.isUserInGroup(request, response, groups, (options === null || options === void 0 ? void 0 : options.groupsClaim) ?? process.env.MONOCLOUD_AUTH_GROUPS_CLAIM, options === null || options === void 0 ? void 0 : options.matchAll);
 	}
 	/**
-	* Redirects the user to the sign-in route.
+	* Redirects the user to the sign-in flow.
+	*
+	* **This helper is App Router only and is designed for server environments (server components, route handlers, and server actions).**
+	*
+	* @param options Options to customize the sign-in.
+	*
+	* @returns
 	*
-	* This helper is intended for **App Router** only (server components,
-	* route handlers, server actions). It constructs the MonoCloud sign-in URL
-	* with optional parameters and issues a framework redirect.
+	* @example React Server Component
 	*
-	* @throws Error if used outside of an App Router context.
+	* ```tsx
+	* import { monoCloud } from "@/lib/monocloud";
+	*
+	* export default async function Home() {
+	*   const allowed = await monoCloud.isUserInGroup(["admin"]);
+	*
+	*   if (!allowed) {
+	*     await monoCloud.redirectToSignIn({ returnUrl: "/home" });
+	*   }
+	*
+	*   return <>You are signed in.</>;
+	* }
+	* ```
+	*
+	* @example Server Action
+	*
+	* ```typescript
+	* "use server";
+	*
+	* import { monoCloud } from "@/lib/monocloud";
+	*
+	* export async function protectedAction() {
+	*   const session = await monoCloud.getSession();
+	*
+	*   if (!session) {
+	*     await monoCloud.redirectToSignIn();
+	*   }
+	*
+	*   return { data: "Sensitive Data" };
+	* }
+	* ```
+	*
+	* @example API Handler
+	*
+	* ```typescript
+	* import { NextResponse } from "next/server";
+	* import { monoCloud } from "@/lib/monocloud";
+	*
+	* export const GET = async () => {
+	*   const session = await monoCloud.getSession();
+	*
+	*   if (!session) {
+	*     await monoCloud.redirectToSignIn({
+	*       returnUrl: "/dashboard",
+	*     });
+	*   }
+	*
+	*   return NextResponse.json({ data: "Protected content" });
+	* };
+	* ```
 	*/
 	async redirectToSignIn(options) {
 		const { routes, appUrl } = this.coreClient.getOptions();
@@ -603,7 +989,7 @@ var MonoCloudNextClient = class {
 			const { headers } = await import("next/headers");
 			await headers();
 		} catch {
-			throw new Error("redirectToSignIn() can only be used in App Router project");
+			throw new Error("redirectToSignIn() can only be used in App Router server environments (RSC, route handlers, or server actions)");
 		}
 		const signInRoute = new URL(`${appUrl}${routes.signIn}`);
 		if (options === null || options === void 0 ? void 0 : options.returnUrl) signInRoute.searchParams.set("return_url", options.returnUrl);
@@ -616,15 +1002,69 @@ var MonoCloudNextClient = class {
 		if (Array.isArray(options === null || options === void 0 ? void 0 : options.acrValues)) signInRoute.searchParams.set("acr_values", options.acrValues.join(" "));
 		if (options === null || options === void 0 ? void 0 : options.loginHint) signInRoute.searchParams.set("login_hint", options.loginHint);
 		if (options === null || options === void 0 ? void 0 : options.prompt) signInRoute.searchParams.set("prompt", options.prompt);
+		const { redirect } = await import("next/navigation");
 		redirect(signInRoute.toString());
 	}
 	/**
-	* Redirects the user to the sign-out route.
+	* Redirects the user to the sign-out flow.
+	*
+	* **This helper is App Router only and is designed for server environments (server components, route handlers, and server actions).**
+	*
+	* @param options Options to customize the sign out.
+	*
+	* @returns
+	*
+	* @example React Server Component
 	*
-	* This helper is intended for **App Router** only. It builds the sign-out
-	* URL and optionally attaches a `post_logout_redirect_uri` override.
+	* ```tsx
+	* import { monoCloud } from "@/lib/monocloud";
 	*
-	* @throws Error if used outside of an App Router context.
+	* export default async function Page() {
+	*   const session = await monoCloud.getSession();
+	*
+	*   // Example: Force sign-out if a specific condition is met (e.g., account suspended)
+	*   if (session?.user.isSuspended) {
+	*     await monoCloud.redirectToSignOut();
+	*   }
+	*
+	*   return <>Welcome User</>;
+	* }
+	* ```
+	*
+	* @example Server Action
+	*
+	* ```typescript
+	* "use server";
+	*
+	* import { monoCloud } from "@/lib/monocloud";
+	*
+	* export async function signOutAction() {
+	*   const session = await monoCloud.getSession();
+	*
+	*   if (session) {
+	*     await monoCloud.redirectToSignOut();
+	*   }
+	* }
+	* ```
+	*
+	* @example API Handler
+	*
+	* ```typescript
+	* import { monoCloud } from "@/lib/monocloud";
+	* import { NextResponse } from "next/server";
+	*
+	* export const GET = async () => {
+	*   const session = await monoCloud.getSession();
+	*
+	*   if (session) {
+	*     await monoCloud.redirectToSignOut({
+	*       postLogoutRedirectUri: "/goodbye",
+	*     });
+	*   }
+	*
+	*   return NextResponse.json({ status: "already_signed_out" });
+	* };
+	* ```
 	*/
 	async redirectToSignOut(options) {
 		var _options$postLogoutRe;
@@ -633,71 +1073,14 @@ var MonoCloudNextClient = class {
 			const { headers } = await import("next/headers");
 			await headers();
 		} catch {
-			throw new Error("redirectToSignOut() can only be used in App Router project");
+			throw new Error("redirectToSignOut() can only be used in App Router server environments (RSC, route handlers, or server actions)");
 		}
 		const signOutRoute = new URL(`${appUrl}${routes.signOut}`);
 		if (options === null || options === void 0 || (_options$postLogoutRe = options.postLogoutRedirectUri) === null || _options$postLogoutRe === void 0 ? void 0 : _options$postLogoutRe.trim().length) signOutRoute.searchParams.set("post_logout_url", options.postLogoutRedirectUri);
+		if (typeof (options === null || options === void 0 ? void 0 : options.federated) === "boolean") signOutRoute.searchParams.set("federated", options.federated.toString());
+		const { redirect } = await import("next/navigation");
 		redirect(signOutRoute.toString());
 	}
-	resolveFunction(baseHandler) {
-		return ((...args) => {
-			if (args.length === 3) {
-				const req = args[0];
-				const res = args[1];
-				const options = args[2];
-				return baseHandler(req, res, options);
-			}
-			if (args.length === 2) {
-				const req = args[0];
-				const res = args[1];
-				return baseHandler(req, res);
-			}
-			if (args.length === 1) {
-				const options = args[0];
-				return baseHandler(void 0, void 0, options);
-			}
-			return baseHandler();
-		});
-	}
-	resolvedGetSession(req, resOrCtx) {
-		let request;
-		let response;
-		if (req && resOrCtx) {
-			const result = getMonoCloudReqRes(req, resOrCtx);
-			({request} = result);
-			({response} = result);
-		} else {
-			request = new MonoCloudCookieRequest();
-			response = new MonoCloudCookieResponse();
-		}
-		return this.coreClient.getSession(request, response);
-	}
-	resolvedGetTokens(req, resOrCtx, options) {
-		let request;
-		let response;
-		if (req && resOrCtx) {
-			const result = getMonoCloudReqRes(req, resOrCtx);
-			({request} = result);
-			({response} = result);
-		} else {
-			request = new MonoCloudCookieRequest();
-			response = new MonoCloudCookieResponse();
-		}
-		return this.coreClient.getTokens(request, response, options);
-	}
-	resolvedIsAuthenticated(req, resOrCtx) {
-		let request;
-		let response;
-		if (req && resOrCtx) {
-			const result = getMonoCloudReqRes(req, resOrCtx);
-			({request} = result);
-			({response} = result);
-		} else {
-			request = new MonoCloudCookieRequest();
-			response = new MonoCloudCookieResponse();
-		}
-		return this.coreClient.isAuthenticated(request, response);
-	}
 	getOptions() {
 		return this.coreClient.getOptions();
 	}