@monocloud/auth-nextjs 0.1.10 → 0.1.11

package/dist/monocloud-next-client.cjs

@@ -0,0 +1,600 @@
+const require_runtime = require('./_virtual/_rolldown/runtime.cjs');
+const require_monocloud_app_router_request = require('./requests/monocloud-app-router-request.cjs');
+const require_monocloud_page_router_request = require('./requests/monocloud-page-router-request.cjs');
+const require_monocloud_app_router_response = require('./responses/monocloud-app-router-response.cjs');
+const require_monocloud_page_router_response = require('./responses/monocloud-page-router-response.cjs');
+const require_monocloud_cookie_response = require('./responses/monocloud-cookie-response.cjs');
+const require_monocloud_cookie_request = require('./requests/monocloud-cookie-request.cjs');
+const require_utils = require('./utils.cjs');
+let _monocloud_auth_node_core = require("@monocloud/auth-node-core");
+let next_server_js = require("next/server.js");
+let _monocloud_auth_node_core_internal = require("@monocloud/auth-node-core/internal");
+let _monocloud_auth_node_core_utils = require("@monocloud/auth-node-core/utils");
+
+//#region src/monocloud-next-client.ts
+/**
+* `MonoCloudNextClient` is the core SDK entry point for integrating MonoCloud authentication into a Next.js application.
+*
+* It provides:
+* - Authentication middleware
+* - Route protection helpers
+* - Session and token access
+* - Redirect utilities
+* - Server-side enforcement helpers
+*
+* ## 1. Add environment variables
+*
+* ```bash:.env.local
+* MONOCLOUD_AUTH_TENANT_DOMAIN=<tenant-domain>
+* MONOCLOUD_AUTH_CLIENT_ID=<client-id>
+* MONOCLOUD_AUTH_CLIENT_SECRET=<client-secret>
+* MONOCLOUD_AUTH_SCOPES=openid profile email
+* MONOCLOUD_AUTH_APP_URL=http://localhost:3000
+* MONOCLOUD_AUTH_COOKIE_SECRET=<cookie-secret>
+* ```
+*
+* ## 2. Register middleware
+*
+* ```typescript:src/proxy.ts
+* import { authMiddleware } from "@monocloud/auth-nextjs";
+*
+* export default authMiddleware();
+*
+* export const config = {
+*   matcher: [
+*     "/((?!_next/static|_next/image|favicon.ico|sitemap.xml|robots.txt).*)",
+*   ],
+* };
+* ```
+*
+* ## Advanced usage
+*
+* ### Create a shared client instance
+*
+* By default, the SDK exposes function exports (for example, `authMiddleware()`, `getSession()`, `getTokens()`) that internally use a shared singleton `MonoCloudNextClient`.
+*
+* Create your own `MonoCloudNextClient` instance when you need multiple configurations, dependency injection, or explicit control over initialization.
+*
+* ```ts:src/monocloud.ts
+* import { MonoCloudNextClient } from "@monocloud/auth-nextjs";
+*
+* export const monoCloud = new MonoCloudNextClient();
+* ```
+*
+* ### Using instance methods
+*
+* Once you create a client instance, call methods directly on it instead of using the default function exports.
+*
+* ```ts:src/app/page.tsx
+* import { monoCloud } from "@/monocloud";
+*
+* export default async function Page() {
+*   const session = await monoCloud.getSession();
+*
+*   if (!session) {
+*     return <>Not signed in</>;
+*   }
+*
+*   return <>Hello {session.user.name}</>;
+* }
+* ```
+*
+* #### Using constructor options
+*
+* When configuration is provided through both constructor options and environment variables, the values passed to the constructor take precedence. Environment variables are used only for options that are not explicitly supplied.
+*
+* ```ts:src/monocloud.ts
+* import { MonoCloudNextClient } from "@monocloud/auth-nextjs";
+*
+* export const monoCloud = new MonoCloudNextClient({
+*   tenantDomain: "<tenant-domain>",
+*   clientId: "<client-id>",
+*   clientSecret: "<client-secret>",
+*   appUrl: "http://localhost:3000",
+*   cookieSecret: "<cookie-secret>",
+*   defaultAuthParams: {
+*     scopes: "openid profile email",
+*   },
+* });
+* ```
+*
+* ### Modifying default routes
+*
+* If you customize any of the default auth route paths:
+*
+* - Also set the corresponding `NEXT_PUBLIC_` environment variables so client-side helpers
+*   (for example `<SignIn />`, `<SignOut />`, and `useAuth()`) can discover the correct URLs.
+* - Update the **Application URLs** in your MonoCloud Dashboard to match the new paths.
+*
+* Example:
+*
+* ```bash:.env.local
+* MONOCLOUD_AUTH_CALLBACK_URL=/api/custom_callback
+* NEXT_PUBLIC_MONOCLOUD_AUTH_CALLBACK_URL=/api/custom_callback
+* ```
+*
+* When routes are overridden, the Redirect URI configured in the dashboard
+* must reflect the new path. For example, during local development:
+*
+* `http://localhost:3000/api/custom_callback`
+*
+* @category Classes
+*/
+var MonoCloudNextClient = class {
+	/**
+	* This exposes the framework-agnostic MonoCloud client used internally by the Next.js SDK.
+	* Use it if you need access to lower-level functionality not directly exposed by MonoCloudNextClient.
+	*
+	* @returns Returns the underlying **Node client** instance.
+	*/
+	get coreClient() {
+		return this._coreClient;
+	}
+	/**
+	* This is intended for advanced scenarios requiring direct control over the authorization or token flow.
+	*
+	* @returns Returns the underlying **OIDC client** used for OpenID Connect operations.
+	*/
+	get oidcClient() {
+		return this.coreClient.oidcClient;
+	}
+	/**
+	* Creates a new client instance.
+	*
+	* @param options Optional configuration for initializing the MonoCloud client. If not provided, settings are automatically resolved from environment variables.
+	*/
+	constructor(options) {
+		const opt = {
+			...options ?? {},
+			userAgent: (options === null || options === void 0 ? void 0 : options.userAgent) ?? `@monocloud/auth-nextjs@0.1.11`,
+			debugger: (options === null || options === void 0 ? void 0 : options.debugger) ?? "@monocloud:auth-nextjs"
+		};
+		this.registerPublicEnvVariables();
+		this._coreClient = new _monocloud_auth_node_core.MonoCloudCoreClient(opt);
+	}
+	/**
+	* @see {@link monoCloudAuth} for full docs and examples.
+	* @param options Optional configuration for the auth handler.
+	* @returns Returns a Next.js-compatible handler for App Router route handlers or Pages Router API routes.
+	*/
+	monoCloudAuth(options) {
+		return (req, resOrCtx) => {
+			const { routes, appUrl } = this.getOptions();
+			let { url = "" } = req;
+			if (!(0, _monocloud_auth_node_core_internal.isAbsoluteUrl)(url)) url = new URL(url, appUrl).toString();
+			const route = new URL(url);
+			let onError;
+			if (typeof (options === null || options === void 0 ? void 0 : options.onError) === "function") onError = (error) => options.onError(req, resOrCtx, error);
+			let request;
+			let response;
+			if (require_utils.isAppRouter(req)) {
+				request = new require_monocloud_app_router_request.default(require_utils.getNextRequest(req));
+				response = new require_monocloud_app_router_response.default(require_utils.getNextResponse(resOrCtx));
+			} else {
+				request = new require_monocloud_page_router_request.default(req);
+				response = new require_monocloud_page_router_response.default(resOrCtx);
+			}
+			return this.handleAuthRoutes(request, response, route.pathname, routes, onError);
+		};
+	}
+	protectPage(...args) {
+		if (typeof args[0] === "function") return this.protectAppPage(args[0], args[1]);
+		return this.protectPagePage(args[0]);
+	}
+	protectAppPage(component, options) {
+		return async (params) => {
+			const session = await this.getSession();
+			if (!session) {
+				var _options$authParams, _options$authParams2, _options$authParams3, _options$authParams4, _options$authParams5, _options$authParams6, _options$authParams7, _options$authParams8, _options$authParams9;
+				if (options === null || options === void 0 ? void 0 : options.onAccessDenied) return options.onAccessDenied({ ...params });
+				const { routes, appUrl } = this.getOptions();
+				const { headers } = await import("next/headers");
+				const path = (await headers()).get("x-monocloud-path");
+				const signInRoute = new URL(`${appUrl}${(0, _monocloud_auth_node_core_internal.ensureLeadingSlash)(routes.signIn)}`);
+				signInRoute.searchParams.set("return_url", (options === null || options === void 0 ? void 0 : options.returnUrl) ?? path ?? "/");
+				if (options === null || options === void 0 || (_options$authParams = options.authParams) === null || _options$authParams === void 0 ? void 0 : _options$authParams.scopes) signInRoute.searchParams.set("scope", options.authParams.scopes);
+				if (options === null || options === void 0 || (_options$authParams2 = options.authParams) === null || _options$authParams2 === void 0 ? void 0 : _options$authParams2.resource) signInRoute.searchParams.set("resource", options.authParams.resource);
+				if (options === null || options === void 0 || (_options$authParams3 = options.authParams) === null || _options$authParams3 === void 0 ? void 0 : _options$authParams3.acrValues) signInRoute.searchParams.set("acr_values", options.authParams.acrValues.join(" "));
+				if (options === null || options === void 0 || (_options$authParams4 = options.authParams) === null || _options$authParams4 === void 0 ? void 0 : _options$authParams4.display) signInRoute.searchParams.set("display", options.authParams.display);
+				if (options === null || options === void 0 || (_options$authParams5 = options.authParams) === null || _options$authParams5 === void 0 ? void 0 : _options$authParams5.prompt) signInRoute.searchParams.set("prompt", options.authParams.prompt);
+				if (options === null || options === void 0 || (_options$authParams6 = options.authParams) === null || _options$authParams6 === void 0 ? void 0 : _options$authParams6.authenticatorHint) signInRoute.searchParams.set("authenticator_hint", options.authParams.authenticatorHint);
+				if (options === null || options === void 0 || (_options$authParams7 = options.authParams) === null || _options$authParams7 === void 0 ? void 0 : _options$authParams7.uiLocales) signInRoute.searchParams.set("ui_locales", options.authParams.uiLocales);
+				if (options === null || options === void 0 || (_options$authParams8 = options.authParams) === null || _options$authParams8 === void 0 ? void 0 : _options$authParams8.maxAge) signInRoute.searchParams.set("max_age", options.authParams.maxAge.toString());
+				if (options === null || options === void 0 || (_options$authParams9 = options.authParams) === null || _options$authParams9 === void 0 ? void 0 : _options$authParams9.loginHint) signInRoute.searchParams.set("login_hint", options.authParams.loginHint);
+				const { redirect } = await import("next/navigation");
+				return redirect(signInRoute.toString());
+			}
+			if ((options === null || options === void 0 ? void 0 : options.groups) && !(0, _monocloud_auth_node_core_utils.isUserInGroup)(session.user, options.groups, options.groupsClaim ?? process.env.MONOCLOUD_AUTH_GROUPS_CLAIM, options.matchAll)) {
+				if (options.onGroupAccessDenied) return options.onGroupAccessDenied({
+					...params,
+					user: session.user
+				});
+				return "Access Denied";
+			}
+			return component({
+				...params,
+				user: session.user
+			});
+		};
+	}
+	protectPagePage(options) {
+		return async (context) => {
+			const session = await this.getSession(context.req, context.res);
+			if (!session) {
+				var _options$authParams10, _options$authParams11, _options$authParams12, _options$authParams13, _options$authParams14, _options$authParams15, _options$authParams16, _options$authParams17, _options$authParams18;
+				if (options === null || options === void 0 ? void 0 : options.onAccessDenied) {
+					const customProps = await options.onAccessDenied({ ...context });
+					return {
+						...customProps ?? {},
+						props: { ...(customProps === null || customProps === void 0 ? void 0 : customProps.props) ?? {} }
+					};
+				}
+				const { routes, appUrl } = this.getOptions();
+				const signInRoute = new URL(`${appUrl}${(0, _monocloud_auth_node_core_internal.ensureLeadingSlash)(routes.signIn)}`);
+				signInRoute.searchParams.set("return_url", (options === null || options === void 0 ? void 0 : options.returnUrl) ?? context.resolvedUrl);
+				if (options === null || options === void 0 || (_options$authParams10 = options.authParams) === null || _options$authParams10 === void 0 ? void 0 : _options$authParams10.scopes) signInRoute.searchParams.set("scope", options.authParams.scopes);
+				if (options === null || options === void 0 || (_options$authParams11 = options.authParams) === null || _options$authParams11 === void 0 ? void 0 : _options$authParams11.resource) signInRoute.searchParams.set("resource", options.authParams.resource);
+				if (options === null || options === void 0 || (_options$authParams12 = options.authParams) === null || _options$authParams12 === void 0 ? void 0 : _options$authParams12.acrValues) signInRoute.searchParams.set("acr_values", options.authParams.acrValues.join(" "));
+				if (options === null || options === void 0 || (_options$authParams13 = options.authParams) === null || _options$authParams13 === void 0 ? void 0 : _options$authParams13.display) signInRoute.searchParams.set("display", options.authParams.display);
+				if (options === null || options === void 0 || (_options$authParams14 = options.authParams) === null || _options$authParams14 === void 0 ? void 0 : _options$authParams14.prompt) signInRoute.searchParams.set("prompt", options.authParams.prompt);
+				if (options === null || options === void 0 || (_options$authParams15 = options.authParams) === null || _options$authParams15 === void 0 ? void 0 : _options$authParams15.authenticatorHint) signInRoute.searchParams.set("authenticator_hint", options.authParams.authenticatorHint);
+				if (options === null || options === void 0 || (_options$authParams16 = options.authParams) === null || _options$authParams16 === void 0 ? void 0 : _options$authParams16.uiLocales) signInRoute.searchParams.set("ui_locales", options.authParams.uiLocales);
+				if (options === null || options === void 0 || (_options$authParams17 = options.authParams) === null || _options$authParams17 === void 0 ? void 0 : _options$authParams17.maxAge) signInRoute.searchParams.set("max_age", options.authParams.maxAge.toString());
+				if (options === null || options === void 0 || (_options$authParams18 = options.authParams) === null || _options$authParams18 === void 0 ? void 0 : _options$authParams18.loginHint) signInRoute.searchParams.set("login_hint", options.authParams.loginHint);
+				return { redirect: {
+					destination: signInRoute.toString(),
+					permanent: false
+				} };
+			}
+			if ((options === null || options === void 0 ? void 0 : options.groups) && !(0, _monocloud_auth_node_core_utils.isUserInGroup)(session.user, options.groups, options.groupsClaim ?? process.env.MONOCLOUD_AUTH_GROUPS_CLAIM, options.matchAll)) {
+				var _options$onGroupAcces;
+				const customProps = await ((_options$onGroupAcces = options.onGroupAccessDenied) === null || _options$onGroupAcces === void 0 ? void 0 : _options$onGroupAcces.call(options, {
+					...context,
+					user: session.user
+				})) ?? { props: { groupAccessDenied: true } };
+				return {
+					...customProps,
+					props: { ...customProps.props ?? {} }
+				};
+			}
+			const customProps = (options === null || options === void 0 ? void 0 : options.getServerSideProps) ? await options.getServerSideProps(context) : {};
+			const promiseProp = customProps.props;
+			if (promiseProp instanceof Promise) return {
+				...customProps,
+				props: promiseProp.then((props) => ({
+					user: session.user,
+					...props
+				}))
+			};
+			return {
+				...customProps,
+				props: {
+					user: session.user,
+					...customProps.props
+				}
+			};
+		};
+	}
+	protectApi(handler, options) {
+		return (req, resOrCtx) => {
+			if (require_utils.isAppRouter(req)) return this.protectAppApi(req, resOrCtx, handler, options);
+			return this.protectPageApi(req, resOrCtx, handler, options);
+		};
+	}
+	async protectAppApi(req, ctx, handler, options) {
+		const res = new next_server_js.NextResponse();
+		const session = await this.getSession(req, res);
+		if (!session) {
+			if (options === null || options === void 0 ? void 0 : options.onAccessDenied) {
+				const result = await options.onAccessDenied(req, ctx);
+				if (result instanceof next_server_js.NextResponse) return require_utils.mergeResponse([res, result]);
+				return require_utils.mergeResponse([res, new next_server_js.NextResponse(result.body, result)]);
+			}
+			return require_utils.mergeResponse([res, next_server_js.NextResponse.json({ message: "unauthorized" }, { status: 401 })]);
+		}
+		if ((options === null || options === void 0 ? void 0 : options.groups) && !(0, _monocloud_auth_node_core_utils.isUserInGroup)(session.user, options.groups, options.groupsClaim ?? process.env.MONOCLOUD_AUTH_GROUPS_CLAIM, options.matchAll)) {
+			if (options.onGroupAccessDenied) {
+				const result = await options.onGroupAccessDenied(req, ctx, session.user);
+				if (result instanceof next_server_js.NextResponse) return require_utils.mergeResponse([res, result]);
+				return require_utils.mergeResponse([res, new next_server_js.NextResponse(result.body, result)]);
+			}
+			return require_utils.mergeResponse([res, next_server_js.NextResponse.json({ message: "forbidden" }, { status: 403 })]);
+		}
+		const resp = await handler(req, ctx);
+		if (resp instanceof next_server_js.NextResponse) return require_utils.mergeResponse([res, resp]);
+		return require_utils.mergeResponse([res, new next_server_js.NextResponse(resp.body, resp)]);
+	}
+	async protectPageApi(req, res, handler, options) {
+		const session = await this.getSession(req, res);
+		if (!session) {
+			if (options === null || options === void 0 ? void 0 : options.onAccessDenied) return options.onAccessDenied(req, res);
+			return res.status(401).json({ message: "unauthorized" });
+		}
+		if ((options === null || options === void 0 ? void 0 : options.groups) && !(0, _monocloud_auth_node_core_utils.isUserInGroup)(session.user, options.groups, options.groupsClaim ?? process.env.MONOCLOUD_AUTH_GROUPS_CLAIM, options.matchAll)) {
+			if (options.onGroupAccessDenied) return options.onGroupAccessDenied(req, res, session.user);
+			return res.status(403).json({ message: "forbidden" });
+		}
+		return handler(req, res);
+	}
+	authMiddleware(...args) {
+		let req;
+		let evt;
+		let options;
+		/* v8 ignore else -- @preserve */
+		if (Array.isArray(args)) {
+			if (args.length === 2) {
+				/* v8 ignore else -- @preserve */
+				if (require_utils.isAppRouter(args[0])) {
+					req = args[0];
+					evt = args[1];
+				}
+			}
+			if (args.length === 1) options = args[0];
+		}
+		if (req && evt) return this.authMiddlewareHandler(req, evt, options);
+		return (request, nxtEvt) => {
+			return this.authMiddlewareHandler(request, nxtEvt, options);
+		};
+	}
+	async authMiddlewareHandler(req, evt, options) {
+		req = require_utils.getNextRequest(req);
+		if (req.headers.has("x-middleware-subrequest")) return next_server_js.NextResponse.json({ message: "forbidden" }, { status: 403 });
+		const { routes, appUrl } = this.getOptions();
+		if (Object.values(routes).map((x) => (0, _monocloud_auth_node_core_internal.ensureLeadingSlash)(x)).includes(req.nextUrl.pathname)) {
+			let onError;
+			if (typeof (options === null || options === void 0 ? void 0 : options.onError) === "function") onError = (error) => options.onError(req, evt, error);
+			const request = new require_monocloud_app_router_request.default(req);
+			const response = new require_monocloud_app_router_response.default(new next_server_js.NextResponse());
+			return this.handleAuthRoutes(request, response, req.nextUrl.pathname, routes, onError);
+		}
+		const nxtResp = new next_server_js.NextResponse();
+		nxtResp.headers.set("x-monocloud-path", req.nextUrl.pathname + req.nextUrl.search);
+		let isRouteProtected = true;
+		let allowedGroups;
+		if (typeof (options === null || options === void 0 ? void 0 : options.protectedRoutes) === "function") isRouteProtected = await options.protectedRoutes(req);
+		else if (typeof (options === null || options === void 0 ? void 0 : options.protectedRoutes) !== "undefined" && Array.isArray(options.protectedRoutes)) isRouteProtected = options.protectedRoutes.some((route) => {
+			if (typeof route === "string" || route instanceof RegExp) return new RegExp(route).test(req.nextUrl.pathname);
+			return route.routes.some((groupRoute) => {
+				const result = new RegExp(groupRoute).test(req.nextUrl.pathname);
+				if (result) allowedGroups = route.groups;
+				return result;
+			});
+		});
+		if (!isRouteProtected) return next_server_js.NextResponse.next({ headers: { "x-monocloud-path": req.nextUrl.pathname + req.nextUrl.search } });
+		const session = await this.getSession(req, nxtResp);
+		if (!session) {
+			if (options === null || options === void 0 ? void 0 : options.onAccessDenied) {
+				const result = await options.onAccessDenied(req, evt);
+				if (result instanceof next_server_js.NextResponse) return require_utils.mergeResponse([nxtResp, result]);
+				if (result) return require_utils.mergeResponse([nxtResp, new next_server_js.NextResponse(result.body, result)]);
+				return next_server_js.NextResponse.next(nxtResp);
+			}
+			if (req.nextUrl.pathname.startsWith("/api")) return require_utils.mergeResponse([nxtResp, next_server_js.NextResponse.json({ message: "unauthorized" }, { status: 401 })]);
+			const signInRoute = new URL(`${appUrl}${(0, _monocloud_auth_node_core_internal.ensureLeadingSlash)(routes.signIn)}`);
+			signInRoute.searchParams.set("return_url", req.nextUrl.pathname + req.nextUrl.search);
+			return require_utils.mergeResponse([nxtResp, next_server_js.NextResponse.redirect(signInRoute)]);
+		}
+		const groupsClaim = (options === null || options === void 0 ? void 0 : options.groupsClaim) ?? process.env.MONOCLOUD_AUTH_GROUPS_CLAIM;
+		if (allowedGroups && !(0, _monocloud_auth_node_core_utils.isUserInGroup)(session.user, allowedGroups, groupsClaim)) {
+			if (options === null || options === void 0 ? void 0 : options.onGroupAccessDenied) {
+				const result = await options.onGroupAccessDenied(req, evt, session.user);
+				if (result instanceof next_server_js.NextResponse) return require_utils.mergeResponse([nxtResp, result]);
+				if (result) return require_utils.mergeResponse([nxtResp, new next_server_js.NextResponse(result.body, result)]);
+				return next_server_js.NextResponse.next(nxtResp);
+			}
+			if (req.nextUrl.pathname.startsWith("/api")) return require_utils.mergeResponse([nxtResp, next_server_js.NextResponse.json({ message: "forbidden" }, { status: 403 })]);
+			return new next_server_js.NextResponse(`forbidden`, { status: 403 });
+		}
+		return next_server_js.NextResponse.next(nxtResp);
+	}
+	handleAuthRoutes(request, response, path, routes, onError) {
+		switch (path) {
+			case (0, _monocloud_auth_node_core_internal.ensureLeadingSlash)(routes.signIn): return this.coreClient.signIn(request, response, { onError });
+			case (0, _monocloud_auth_node_core_internal.ensureLeadingSlash)(routes.callback): return this.coreClient.callback(request, response, { onError });
+			case (0, _monocloud_auth_node_core_internal.ensureLeadingSlash)(routes.userInfo): return this.coreClient.userInfo(request, response, { onError });
+			case (0, _monocloud_auth_node_core_internal.ensureLeadingSlash)(routes.signOut): return this.coreClient.signOut(request, response, { onError });
+			default:
+				response.notFound();
+				return response.done();
+		}
+	}
+	async getSession(...args) {
+		let request;
+		let response;
+		let options;
+		if (args.length === 0) {
+			request = new require_monocloud_cookie_request.default();
+			response = new require_monocloud_cookie_response.default();
+		} else if (args.length === 1) if (args[0] instanceof Request) ({request, response} = require_utils.getMonoCloudCookieReqRes(args[0], void 0));
+		else {
+			request = new require_monocloud_cookie_request.default();
+			response = new require_monocloud_cookie_response.default();
+			options = args[0];
+		}
+		else if (args.length === 2 && args[0] instanceof Request) if (args[1] instanceof Response) ({request, response} = require_utils.getMonoCloudCookieReqRes(args[0], args[1]));
+		else {
+			({request, response} = require_utils.getMonoCloudCookieReqRes(args[0], void 0));
+			options = args[1];
+		}
+		else if (args.length === 2 && require_utils.isNodeRequest(args[0]) && require_utils.isNodeResponse(args[1])) ({request, response} = require_utils.getMonoCloudCookieReqRes(args[0], args[1]));
+		else {
+			({request, response} = require_utils.getMonoCloudCookieReqRes(args[0], args[1]));
+			options = args[2];
+		}
+		if (!require_utils.isMonoCloudRequest(request) || !require_utils.isMonoCloudResponse(response) || options && typeof options !== "object") throw new _monocloud_auth_node_core.MonoCloudValidationError("Invalid parameters passed to getSession()");
+		return await this.coreClient.getSession(request, response, options);
+	}
+	async getTokens(...args) {
+		let request;
+		let response;
+		let options;
+		if (args.length === 0) {
+			request = new require_monocloud_cookie_request.default();
+			response = new require_monocloud_cookie_response.default();
+		} else if (args.length === 1) if (args[0] instanceof Request) ({request, response} = require_utils.getMonoCloudCookieReqRes(args[0], void 0));
+		else {
+			request = new require_monocloud_cookie_request.default();
+			response = new require_monocloud_cookie_response.default();
+			options = args[0];
+		}
+		else if (args.length === 2 && args[0] instanceof Request) if (args[1] instanceof Response) ({request, response} = require_utils.getMonoCloudCookieReqRes(args[0], args[1]));
+		else {
+			({request, response} = require_utils.getMonoCloudCookieReqRes(args[0], void 0));
+			options = args[1];
+		}
+		else if (args.length === 2 && require_utils.isNodeRequest(args[0]) && require_utils.isNodeResponse(args[1])) ({request, response} = require_utils.getMonoCloudCookieReqRes(args[0], args[1]));
+		else {
+			({request, response} = require_utils.getMonoCloudCookieReqRes(args[0], args[1]));
+			options = args[2];
+		}
+		if (!require_utils.isMonoCloudRequest(request) || !require_utils.isMonoCloudResponse(response) || options && typeof options !== "object") throw new _monocloud_auth_node_core.MonoCloudValidationError("Invalid parameters passed to getTokens()");
+		return await this.coreClient.getTokens(request, response, options);
+	}
+	async isAuthenticated(...args) {
+		let request;
+		let response;
+		if (args.length === 0) {
+			request = new require_monocloud_cookie_request.default();
+			response = new require_monocloud_cookie_response.default();
+		} else ({request, response} = require_utils.getMonoCloudCookieReqRes(args[0], args[1]));
+		/* v8 ignore next -- @preserve */
+		if (!require_utils.isMonoCloudRequest(request) || !require_utils.isMonoCloudResponse(response)) throw new _monocloud_auth_node_core.MonoCloudValidationError("Invalid parameters passed to isAuthenticated()");
+		return await this.coreClient.isAuthenticated(request, response);
+	}
+	/**
+	* @see {@link protect} for full docs and examples.
+	* @param options Optional configuration for redirect behavior (for example, return URL or sign-in parameters).
+	* @returns Resolves if the user is authenticated; otherwise triggers a redirect.
+	*/
+	async protect(options) {
+		var _options$authParams19, _options$authParams20, _options$authParams21, _options$authParams22, _options$authParams23, _options$authParams24, _options$authParams25, _options$authParams26, _options$authParams27;
+		const { routes, appUrl } = this.coreClient.getOptions();
+		let path;
+		try {
+			const session = await this.getSession();
+			if (session && !(options === null || options === void 0 ? void 0 : options.groups)) return;
+			if (session && (options === null || options === void 0 ? void 0 : options.groups) && (0, _monocloud_auth_node_core_utils.isUserInGroup)(session.user, options.groups, options.groupsClaim ?? process.env.MONOCLOUD_AUTH_GROUPS_CLAIM, options.matchAll)) return;
+			const { headers } = await import("next/headers");
+			path = (await headers()).get("x-monocloud-path") ?? "/";
+		} catch {
+			throw new Error("protect() can only be used in App Router server environments (RSC, route handlers, or server actions)");
+		}
+		const signInRoute = new URL(`${appUrl}${routes.signIn}`);
+		signInRoute.searchParams.set("return_url", (options === null || options === void 0 ? void 0 : options.returnUrl) ?? path);
+		if (options === null || options === void 0 || (_options$authParams19 = options.authParams) === null || _options$authParams19 === void 0 ? void 0 : _options$authParams19.maxAge) signInRoute.searchParams.set("max_age", options.authParams.maxAge.toString());
+		if (options === null || options === void 0 || (_options$authParams20 = options.authParams) === null || _options$authParams20 === void 0 ? void 0 : _options$authParams20.authenticatorHint) signInRoute.searchParams.set("authenticator_hint", options.authParams.authenticatorHint);
+		if (options === null || options === void 0 || (_options$authParams21 = options.authParams) === null || _options$authParams21 === void 0 ? void 0 : _options$authParams21.scopes) signInRoute.searchParams.set("scope", options.authParams.scopes);
+		if (options === null || options === void 0 || (_options$authParams22 = options.authParams) === null || _options$authParams22 === void 0 ? void 0 : _options$authParams22.resource) signInRoute.searchParams.set("resource", options.authParams.resource);
+		if (options === null || options === void 0 || (_options$authParams23 = options.authParams) === null || _options$authParams23 === void 0 ? void 0 : _options$authParams23.display) signInRoute.searchParams.set("display", options.authParams.display);
+		if (options === null || options === void 0 || (_options$authParams24 = options.authParams) === null || _options$authParams24 === void 0 ? void 0 : _options$authParams24.uiLocales) signInRoute.searchParams.set("ui_locales", options.authParams.uiLocales);
+		if (Array.isArray(options === null || options === void 0 || (_options$authParams25 = options.authParams) === null || _options$authParams25 === void 0 ? void 0 : _options$authParams25.acrValues)) signInRoute.searchParams.set("acr_values", options.authParams.acrValues.join(" "));
+		if (options === null || options === void 0 || (_options$authParams26 = options.authParams) === null || _options$authParams26 === void 0 ? void 0 : _options$authParams26.loginHint) signInRoute.searchParams.set("login_hint", options.authParams.loginHint);
+		if (options === null || options === void 0 || (_options$authParams27 = options.authParams) === null || _options$authParams27 === void 0 ? void 0 : _options$authParams27.prompt) signInRoute.searchParams.set("prompt", options.authParams.prompt);
+		const { redirect } = await import("next/navigation");
+		redirect(signInRoute.toString());
+	}
+	async isUserInGroup(...args) {
+		let request;
+		let response;
+		let groups;
+		let options;
+		if (args.length === 4) {
+			groups = args[2];
+			options = args[3];
+			({request, response} = require_utils.getMonoCloudCookieReqRes(args[0], args[1]));
+		}
+		if (args.length === 3) {
+			if (args[0] instanceof Request) if (args[1] instanceof Response) {
+				({request, response} = require_utils.getMonoCloudCookieReqRes(args[0], args[1]));
+				groups = args[2];
+			} else {
+				({request, response} = require_utils.getMonoCloudCookieReqRes(args[0], void 0));
+				groups = args[1];
+				options = args[2];
+			}
+			if (require_utils.isNodeRequest(args[0]) && require_utils.isNodeResponse(args[1])) {
+				({request, response} = require_utils.getMonoCloudCookieReqRes(args[0], args[1]));
+				groups = args[2];
+			}
+		}
+		if (args.length === 2) {
+			if (args[0] instanceof Request) {
+				({request, response} = require_utils.getMonoCloudCookieReqRes(args[0], void 0));
+				groups = args[1];
+			}
+			if (Array.isArray(args[0])) {
+				request = new require_monocloud_cookie_request.default();
+				response = new require_monocloud_cookie_response.default();
+				groups = args[0];
+				options = args[1];
+			}
+		}
+		if (args.length === 1) {
+			request = new require_monocloud_cookie_request.default();
+			response = new require_monocloud_cookie_response.default();
+			groups = args[0];
+		}
+		if (!Array.isArray(groups) || !require_utils.isMonoCloudRequest(request) || !require_utils.isMonoCloudResponse(response) || options && typeof options !== "object") throw new _monocloud_auth_node_core.MonoCloudValidationError("Invalid parameters passed to isUserInGroup()");
+		return await this.coreClient.isUserInGroup(request, response, groups, (options === null || options === void 0 ? void 0 : options.groupsClaim) ?? process.env.MONOCLOUD_AUTH_GROUPS_CLAIM, options === null || options === void 0 ? void 0 : options.matchAll);
+	}
+	/**
+	* @see {@link redirectToSignIn} for full docs and examples.
+	* @param options Optional configuration for the redirect, such as `returnUrl` or additional sign-in parameters.
+	* @returns Never resolves. Triggers a redirect to the sign-in flow.
+	*/
+	async redirectToSignIn(options) {
+		const { routes, appUrl } = this.coreClient.getOptions();
+		try {
+			const { headers } = await import("next/headers");
+			await headers();
+		} catch {
+			throw new Error("redirectToSignIn() can only be used in App Router server environments (RSC, route handlers, or server actions)");
+		}
+		const signInRoute = new URL(`${appUrl}${routes.signIn}`);
+		if (options === null || options === void 0 ? void 0 : options.returnUrl) signInRoute.searchParams.set("return_url", options.returnUrl);
+		if (options === null || options === void 0 ? void 0 : options.maxAge) signInRoute.searchParams.set("max_age", options.maxAge.toString());
+		if (options === null || options === void 0 ? void 0 : options.authenticatorHint) signInRoute.searchParams.set("authenticator_hint", options.authenticatorHint);
+		if (options === null || options === void 0 ? void 0 : options.scopes) signInRoute.searchParams.set("scope", options.scopes);
+		if (options === null || options === void 0 ? void 0 : options.resource) signInRoute.searchParams.set("resource", options.resource);
+		if (options === null || options === void 0 ? void 0 : options.display) signInRoute.searchParams.set("display", options.display);
+		if (options === null || options === void 0 ? void 0 : options.uiLocales) signInRoute.searchParams.set("ui_locales", options.uiLocales);
+		if (Array.isArray(options === null || options === void 0 ? void 0 : options.acrValues)) signInRoute.searchParams.set("acr_values", options.acrValues.join(" "));
+		if (options === null || options === void 0 ? void 0 : options.loginHint) signInRoute.searchParams.set("login_hint", options.loginHint);
+		if (options === null || options === void 0 ? void 0 : options.prompt) signInRoute.searchParams.set("prompt", options.prompt);
+		const { redirect } = await import("next/navigation");
+		redirect(signInRoute.toString());
+	}
+	/**
+	* @see {@link redirectToSignOut} for full docs and examples.
+	* @param options Optional configuration for the redirect, such as `postLogoutRedirectUri` or additional sign-out parameters.
+	* @returns Never resolves. Triggers a redirect to the sign-out flow.
+	*/
+	async redirectToSignOut(options) {
+		var _options$postLogoutRe;
+		const { routes, appUrl } = this.coreClient.getOptions();
+		try {
+			const { headers } = await import("next/headers");
+			await headers();
+		} catch {
+			throw new Error("redirectToSignOut() can only be used in App Router server environments (RSC, route handlers, or server actions)");
+		}
+		const signOutRoute = new URL(`${appUrl}${routes.signOut}`);
+		if (options === null || options === void 0 || (_options$postLogoutRe = options.postLogoutRedirectUri) === null || _options$postLogoutRe === void 0 ? void 0 : _options$postLogoutRe.trim().length) signOutRoute.searchParams.set("post_logout_url", options.postLogoutRedirectUri);
+		if (typeof (options === null || options === void 0 ? void 0 : options.federated) === "boolean") signOutRoute.searchParams.set("federated", options.federated.toString());
+		const { redirect } = await import("next/navigation");
+		redirect(signOutRoute.toString());
+	}
+	getOptions() {
+		return this.coreClient.getOptions();
+	}
+	registerPublicEnvVariables() {
+		Object.keys(process.env).filter((key) => key.startsWith("NEXT_PUBLIC_MONOCLOUD_AUTH")).forEach((publicKey) => {
+			const [, privateKey] = publicKey.split("NEXT_PUBLIC_");
+			process.env[privateKey] = process.env[publicKey];
+		});
+	}
+};
+
+//#endregion
+exports.MonoCloudNextClient = MonoCloudNextClient;
+//# sourceMappingURL=monocloud-next-client.cjs.map