@monocloud/auth-nextjs 0.1.10 → 0.1.11

package/dist/monocloud-next-client.mjs

@@ -0,0 +1,599 @@
+import MonoCloudAppRouterRequest from "./requests/monocloud-app-router-request.mjs";
+import MonoCloudPageRouterRequest from "./requests/monocloud-page-router-request.mjs";
+import MonoCloudAppRouterResponse from "./responses/monocloud-app-router-response.mjs";
+import MonoCloudPageRouterResponse from "./responses/monocloud-page-router-response.mjs";
+import MonoCloudCookieResponse from "./responses/monocloud-cookie-response.mjs";
+import MonoCloudCookieRequest from "./requests/monocloud-cookie-request.mjs";
+import { getMonoCloudCookieReqRes, getNextRequest, getNextResponse, isAppRouter, isMonoCloudRequest, isMonoCloudResponse, isNodeRequest, isNodeResponse, mergeResponse } from "./utils.mjs";
+import { MonoCloudCoreClient, MonoCloudValidationError } from "@monocloud/auth-node-core";
+import { NextResponse } from "next/server.js";
+import { ensureLeadingSlash, isAbsoluteUrl } from "@monocloud/auth-node-core/internal";
+import { isUserInGroup } from "@monocloud/auth-node-core/utils";
+
+//#region src/monocloud-next-client.ts
+/**
+* `MonoCloudNextClient` is the core SDK entry point for integrating MonoCloud authentication into a Next.js application.
+*
+* It provides:
+* - Authentication middleware
+* - Route protection helpers
+* - Session and token access
+* - Redirect utilities
+* - Server-side enforcement helpers
+*
+* ## 1. Add environment variables
+*
+* ```bash:.env.local
+* MONOCLOUD_AUTH_TENANT_DOMAIN=<tenant-domain>
+* MONOCLOUD_AUTH_CLIENT_ID=<client-id>
+* MONOCLOUD_AUTH_CLIENT_SECRET=<client-secret>
+* MONOCLOUD_AUTH_SCOPES=openid profile email
+* MONOCLOUD_AUTH_APP_URL=http://localhost:3000
+* MONOCLOUD_AUTH_COOKIE_SECRET=<cookie-secret>
+* ```
+*
+* ## 2. Register middleware
+*
+* ```typescript:src/proxy.ts
+* import { authMiddleware } from "@monocloud/auth-nextjs";
+*
+* export default authMiddleware();
+*
+* export const config = {
+*   matcher: [
+*     "/((?!_next/static|_next/image|favicon.ico|sitemap.xml|robots.txt).*)",
+*   ],
+* };
+* ```
+*
+* ## Advanced usage
+*
+* ### Create a shared client instance
+*
+* By default, the SDK exposes function exports (for example, `authMiddleware()`, `getSession()`, `getTokens()`) that internally use a shared singleton `MonoCloudNextClient`.
+*
+* Create your own `MonoCloudNextClient` instance when you need multiple configurations, dependency injection, or explicit control over initialization.
+*
+* ```ts:src/monocloud.ts
+* import { MonoCloudNextClient } from "@monocloud/auth-nextjs";
+*
+* export const monoCloud = new MonoCloudNextClient();
+* ```
+*
+* ### Using instance methods
+*
+* Once you create a client instance, call methods directly on it instead of using the default function exports.
+*
+* ```ts:src/app/page.tsx
+* import { monoCloud } from "@/monocloud";
+*
+* export default async function Page() {
+*   const session = await monoCloud.getSession();
+*
+*   if (!session) {
+*     return <>Not signed in</>;
+*   }
+*
+*   return <>Hello {session.user.name}</>;
+* }
+* ```
+*
+* #### Using constructor options
+*
+* When configuration is provided through both constructor options and environment variables, the values passed to the constructor take precedence. Environment variables are used only for options that are not explicitly supplied.
+*
+* ```ts:src/monocloud.ts
+* import { MonoCloudNextClient } from "@monocloud/auth-nextjs";
+*
+* export const monoCloud = new MonoCloudNextClient({
+*   tenantDomain: "<tenant-domain>",
+*   clientId: "<client-id>",
+*   clientSecret: "<client-secret>",
+*   appUrl: "http://localhost:3000",
+*   cookieSecret: "<cookie-secret>",
+*   defaultAuthParams: {
+*     scopes: "openid profile email",
+*   },
+* });
+* ```
+*
+* ### Modifying default routes
+*
+* If you customize any of the default auth route paths:
+*
+* - Also set the corresponding `NEXT_PUBLIC_` environment variables so client-side helpers
+*   (for example `<SignIn />`, `<SignOut />`, and `useAuth()`) can discover the correct URLs.
+* - Update the **Application URLs** in your MonoCloud Dashboard to match the new paths.
+*
+* Example:
+*
+* ```bash:.env.local
+* MONOCLOUD_AUTH_CALLBACK_URL=/api/custom_callback
+* NEXT_PUBLIC_MONOCLOUD_AUTH_CALLBACK_URL=/api/custom_callback
+* ```
+*
+* When routes are overridden, the Redirect URI configured in the dashboard
+* must reflect the new path. For example, during local development:
+*
+* `http://localhost:3000/api/custom_callback`
+*
+* @category Classes
+*/
+var MonoCloudNextClient = class {
+	/**
+	* This exposes the framework-agnostic MonoCloud client used internally by the Next.js SDK.
+	* Use it if you need access to lower-level functionality not directly exposed by MonoCloudNextClient.
+	*
+	* @returns Returns the underlying **Node client** instance.
+	*/
+	get coreClient() {
+		return this._coreClient;
+	}
+	/**
+	* This is intended for advanced scenarios requiring direct control over the authorization or token flow.
+	*
+	* @returns Returns the underlying **OIDC client** used for OpenID Connect operations.
+	*/
+	get oidcClient() {
+		return this.coreClient.oidcClient;
+	}
+	/**
+	* Creates a new client instance.
+	*
+	* @param options Optional configuration for initializing the MonoCloud client. If not provided, settings are automatically resolved from environment variables.
+	*/
+	constructor(options) {
+		const opt = {
+			...options ?? {},
+			userAgent: (options === null || options === void 0 ? void 0 : options.userAgent) ?? `@monocloud/auth-nextjs@0.1.11`,
+			debugger: (options === null || options === void 0 ? void 0 : options.debugger) ?? "@monocloud:auth-nextjs"
+		};
+		this.registerPublicEnvVariables();
+		this._coreClient = new MonoCloudCoreClient(opt);
+	}
+	/**
+	* @see {@link monoCloudAuth} for full docs and examples.
+	* @param options Optional configuration for the auth handler.
+	* @returns Returns a Next.js-compatible handler for App Router route handlers or Pages Router API routes.
+	*/
+	monoCloudAuth(options) {
+		return (req, resOrCtx) => {
+			const { routes, appUrl } = this.getOptions();
+			let { url = "" } = req;
+			if (!isAbsoluteUrl(url)) url = new URL(url, appUrl).toString();
+			const route = new URL(url);
+			let onError;
+			if (typeof (options === null || options === void 0 ? void 0 : options.onError) === "function") onError = (error) => options.onError(req, resOrCtx, error);
+			let request;
+			let response;
+			if (isAppRouter(req)) {
+				request = new MonoCloudAppRouterRequest(getNextRequest(req));
+				response = new MonoCloudAppRouterResponse(getNextResponse(resOrCtx));
+			} else {
+				request = new MonoCloudPageRouterRequest(req);
+				response = new MonoCloudPageRouterResponse(resOrCtx);
+			}
+			return this.handleAuthRoutes(request, response, route.pathname, routes, onError);
+		};
+	}
+	protectPage(...args) {
+		if (typeof args[0] === "function") return this.protectAppPage(args[0], args[1]);
+		return this.protectPagePage(args[0]);
+	}
+	protectAppPage(component, options) {
+		return async (params) => {
+			const session = await this.getSession();
+			if (!session) {
+				var _options$authParams, _options$authParams2, _options$authParams3, _options$authParams4, _options$authParams5, _options$authParams6, _options$authParams7, _options$authParams8, _options$authParams9;
+				if (options === null || options === void 0 ? void 0 : options.onAccessDenied) return options.onAccessDenied({ ...params });
+				const { routes, appUrl } = this.getOptions();
+				const { headers } = await import("next/headers");
+				const path = (await headers()).get("x-monocloud-path");
+				const signInRoute = new URL(`${appUrl}${ensureLeadingSlash(routes.signIn)}`);
+				signInRoute.searchParams.set("return_url", (options === null || options === void 0 ? void 0 : options.returnUrl) ?? path ?? "/");
+				if (options === null || options === void 0 || (_options$authParams = options.authParams) === null || _options$authParams === void 0 ? void 0 : _options$authParams.scopes) signInRoute.searchParams.set("scope", options.authParams.scopes);
+				if (options === null || options === void 0 || (_options$authParams2 = options.authParams) === null || _options$authParams2 === void 0 ? void 0 : _options$authParams2.resource) signInRoute.searchParams.set("resource", options.authParams.resource);
+				if (options === null || options === void 0 || (_options$authParams3 = options.authParams) === null || _options$authParams3 === void 0 ? void 0 : _options$authParams3.acrValues) signInRoute.searchParams.set("acr_values", options.authParams.acrValues.join(" "));
+				if (options === null || options === void 0 || (_options$authParams4 = options.authParams) === null || _options$authParams4 === void 0 ? void 0 : _options$authParams4.display) signInRoute.searchParams.set("display", options.authParams.display);
+				if (options === null || options === void 0 || (_options$authParams5 = options.authParams) === null || _options$authParams5 === void 0 ? void 0 : _options$authParams5.prompt) signInRoute.searchParams.set("prompt", options.authParams.prompt);
+				if (options === null || options === void 0 || (_options$authParams6 = options.authParams) === null || _options$authParams6 === void 0 ? void 0 : _options$authParams6.authenticatorHint) signInRoute.searchParams.set("authenticator_hint", options.authParams.authenticatorHint);
+				if (options === null || options === void 0 || (_options$authParams7 = options.authParams) === null || _options$authParams7 === void 0 ? void 0 : _options$authParams7.uiLocales) signInRoute.searchParams.set("ui_locales", options.authParams.uiLocales);
+				if (options === null || options === void 0 || (_options$authParams8 = options.authParams) === null || _options$authParams8 === void 0 ? void 0 : _options$authParams8.maxAge) signInRoute.searchParams.set("max_age", options.authParams.maxAge.toString());
+				if (options === null || options === void 0 || (_options$authParams9 = options.authParams) === null || _options$authParams9 === void 0 ? void 0 : _options$authParams9.loginHint) signInRoute.searchParams.set("login_hint", options.authParams.loginHint);
+				const { redirect } = await import("next/navigation");
+				return redirect(signInRoute.toString());
+			}
+			if ((options === null || options === void 0 ? void 0 : options.groups) && !isUserInGroup(session.user, options.groups, options.groupsClaim ?? process.env.MONOCLOUD_AUTH_GROUPS_CLAIM, options.matchAll)) {
+				if (options.onGroupAccessDenied) return options.onGroupAccessDenied({
+					...params,
+					user: session.user
+				});
+				return "Access Denied";
+			}
+			return component({
+				...params,
+				user: session.user
+			});
+		};
+	}
+	protectPagePage(options) {
+		return async (context) => {
+			const session = await this.getSession(context.req, context.res);
+			if (!session) {
+				var _options$authParams10, _options$authParams11, _options$authParams12, _options$authParams13, _options$authParams14, _options$authParams15, _options$authParams16, _options$authParams17, _options$authParams18;
+				if (options === null || options === void 0 ? void 0 : options.onAccessDenied) {
+					const customProps = await options.onAccessDenied({ ...context });
+					return {
+						...customProps ?? {},
+						props: { ...(customProps === null || customProps === void 0 ? void 0 : customProps.props) ?? {} }
+					};
+				}
+				const { routes, appUrl } = this.getOptions();
+				const signInRoute = new URL(`${appUrl}${ensureLeadingSlash(routes.signIn)}`);
+				signInRoute.searchParams.set("return_url", (options === null || options === void 0 ? void 0 : options.returnUrl) ?? context.resolvedUrl);
+				if (options === null || options === void 0 || (_options$authParams10 = options.authParams) === null || _options$authParams10 === void 0 ? void 0 : _options$authParams10.scopes) signInRoute.searchParams.set("scope", options.authParams.scopes);
+				if (options === null || options === void 0 || (_options$authParams11 = options.authParams) === null || _options$authParams11 === void 0 ? void 0 : _options$authParams11.resource) signInRoute.searchParams.set("resource", options.authParams.resource);
+				if (options === null || options === void 0 || (_options$authParams12 = options.authParams) === null || _options$authParams12 === void 0 ? void 0 : _options$authParams12.acrValues) signInRoute.searchParams.set("acr_values", options.authParams.acrValues.join(" "));
+				if (options === null || options === void 0 || (_options$authParams13 = options.authParams) === null || _options$authParams13 === void 0 ? void 0 : _options$authParams13.display) signInRoute.searchParams.set("display", options.authParams.display);
+				if (options === null || options === void 0 || (_options$authParams14 = options.authParams) === null || _options$authParams14 === void 0 ? void 0 : _options$authParams14.prompt) signInRoute.searchParams.set("prompt", options.authParams.prompt);
+				if (options === null || options === void 0 || (_options$authParams15 = options.authParams) === null || _options$authParams15 === void 0 ? void 0 : _options$authParams15.authenticatorHint) signInRoute.searchParams.set("authenticator_hint", options.authParams.authenticatorHint);
+				if (options === null || options === void 0 || (_options$authParams16 = options.authParams) === null || _options$authParams16 === void 0 ? void 0 : _options$authParams16.uiLocales) signInRoute.searchParams.set("ui_locales", options.authParams.uiLocales);
+				if (options === null || options === void 0 || (_options$authParams17 = options.authParams) === null || _options$authParams17 === void 0 ? void 0 : _options$authParams17.maxAge) signInRoute.searchParams.set("max_age", options.authParams.maxAge.toString());
+				if (options === null || options === void 0 || (_options$authParams18 = options.authParams) === null || _options$authParams18 === void 0 ? void 0 : _options$authParams18.loginHint) signInRoute.searchParams.set("login_hint", options.authParams.loginHint);
+				return { redirect: {
+					destination: signInRoute.toString(),
+					permanent: false
+				} };
+			}
+			if ((options === null || options === void 0 ? void 0 : options.groups) && !isUserInGroup(session.user, options.groups, options.groupsClaim ?? process.env.MONOCLOUD_AUTH_GROUPS_CLAIM, options.matchAll)) {
+				var _options$onGroupAcces;
+				const customProps = await ((_options$onGroupAcces = options.onGroupAccessDenied) === null || _options$onGroupAcces === void 0 ? void 0 : _options$onGroupAcces.call(options, {
+					...context,
+					user: session.user
+				})) ?? { props: { groupAccessDenied: true } };
+				return {
+					...customProps,
+					props: { ...customProps.props ?? {} }
+				};
+			}
+			const customProps = (options === null || options === void 0 ? void 0 : options.getServerSideProps) ? await options.getServerSideProps(context) : {};
+			const promiseProp = customProps.props;
+			if (promiseProp instanceof Promise) return {
+				...customProps,
+				props: promiseProp.then((props) => ({
+					user: session.user,
+					...props
+				}))
+			};
+			return {
+				...customProps,
+				props: {
+					user: session.user,
+					...customProps.props
+				}
+			};
+		};
+	}
+	protectApi(handler, options) {
+		return (req, resOrCtx) => {
+			if (isAppRouter(req)) return this.protectAppApi(req, resOrCtx, handler, options);
+			return this.protectPageApi(req, resOrCtx, handler, options);
+		};
+	}
+	async protectAppApi(req, ctx, handler, options) {
+		const res = new NextResponse();
+		const session = await this.getSession(req, res);
+		if (!session) {
+			if (options === null || options === void 0 ? void 0 : options.onAccessDenied) {
+				const result = await options.onAccessDenied(req, ctx);
+				if (result instanceof NextResponse) return mergeResponse([res, result]);
+				return mergeResponse([res, new NextResponse(result.body, result)]);
+			}
+			return mergeResponse([res, NextResponse.json({ message: "unauthorized" }, { status: 401 })]);
+		}
+		if ((options === null || options === void 0 ? void 0 : options.groups) && !isUserInGroup(session.user, options.groups, options.groupsClaim ?? process.env.MONOCLOUD_AUTH_GROUPS_CLAIM, options.matchAll)) {
+			if (options.onGroupAccessDenied) {
+				const result = await options.onGroupAccessDenied(req, ctx, session.user);
+				if (result instanceof NextResponse) return mergeResponse([res, result]);
+				return mergeResponse([res, new NextResponse(result.body, result)]);
+			}
+			return mergeResponse([res, NextResponse.json({ message: "forbidden" }, { status: 403 })]);
+		}
+		const resp = await handler(req, ctx);
+		if (resp instanceof NextResponse) return mergeResponse([res, resp]);
+		return mergeResponse([res, new NextResponse(resp.body, resp)]);
+	}
+	async protectPageApi(req, res, handler, options) {
+		const session = await this.getSession(req, res);
+		if (!session) {
+			if (options === null || options === void 0 ? void 0 : options.onAccessDenied) return options.onAccessDenied(req, res);
+			return res.status(401).json({ message: "unauthorized" });
+		}
+		if ((options === null || options === void 0 ? void 0 : options.groups) && !isUserInGroup(session.user, options.groups, options.groupsClaim ?? process.env.MONOCLOUD_AUTH_GROUPS_CLAIM, options.matchAll)) {
+			if (options.onGroupAccessDenied) return options.onGroupAccessDenied(req, res, session.user);
+			return res.status(403).json({ message: "forbidden" });
+		}
+		return handler(req, res);
+	}
+	authMiddleware(...args) {
+		let req;
+		let evt;
+		let options;
+		/* v8 ignore else -- @preserve */
+		if (Array.isArray(args)) {
+			if (args.length === 2) {
+				/* v8 ignore else -- @preserve */
+				if (isAppRouter(args[0])) {
+					req = args[0];
+					evt = args[1];
+				}
+			}
+			if (args.length === 1) options = args[0];
+		}
+		if (req && evt) return this.authMiddlewareHandler(req, evt, options);
+		return (request, nxtEvt) => {
+			return this.authMiddlewareHandler(request, nxtEvt, options);
+		};
+	}
+	async authMiddlewareHandler(req, evt, options) {
+		req = getNextRequest(req);
+		if (req.headers.has("x-middleware-subrequest")) return NextResponse.json({ message: "forbidden" }, { status: 403 });
+		const { routes, appUrl } = this.getOptions();
+		if (Object.values(routes).map((x) => ensureLeadingSlash(x)).includes(req.nextUrl.pathname)) {
+			let onError;
+			if (typeof (options === null || options === void 0 ? void 0 : options.onError) === "function") onError = (error) => options.onError(req, evt, error);
+			const request = new MonoCloudAppRouterRequest(req);
+			const response = new MonoCloudAppRouterResponse(new NextResponse());
+			return this.handleAuthRoutes(request, response, req.nextUrl.pathname, routes, onError);
+		}
+		const nxtResp = new NextResponse();
+		nxtResp.headers.set("x-monocloud-path", req.nextUrl.pathname + req.nextUrl.search);
+		let isRouteProtected = true;
+		let allowedGroups;
+		if (typeof (options === null || options === void 0 ? void 0 : options.protectedRoutes) === "function") isRouteProtected = await options.protectedRoutes(req);
+		else if (typeof (options === null || options === void 0 ? void 0 : options.protectedRoutes) !== "undefined" && Array.isArray(options.protectedRoutes)) isRouteProtected = options.protectedRoutes.some((route) => {
+			if (typeof route === "string" || route instanceof RegExp) return new RegExp(route).test(req.nextUrl.pathname);
+			return route.routes.some((groupRoute) => {
+				const result = new RegExp(groupRoute).test(req.nextUrl.pathname);
+				if (result) allowedGroups = route.groups;
+				return result;
+			});
+		});
+		if (!isRouteProtected) return NextResponse.next({ headers: { "x-monocloud-path": req.nextUrl.pathname + req.nextUrl.search } });
+		const session = await this.getSession(req, nxtResp);
+		if (!session) {
+			if (options === null || options === void 0 ? void 0 : options.onAccessDenied) {
+				const result = await options.onAccessDenied(req, evt);
+				if (result instanceof NextResponse) return mergeResponse([nxtResp, result]);
+				if (result) return mergeResponse([nxtResp, new NextResponse(result.body, result)]);
+				return NextResponse.next(nxtResp);
+			}
+			if (req.nextUrl.pathname.startsWith("/api")) return mergeResponse([nxtResp, NextResponse.json({ message: "unauthorized" }, { status: 401 })]);
+			const signInRoute = new URL(`${appUrl}${ensureLeadingSlash(routes.signIn)}`);
+			signInRoute.searchParams.set("return_url", req.nextUrl.pathname + req.nextUrl.search);
+			return mergeResponse([nxtResp, NextResponse.redirect(signInRoute)]);
+		}
+		const groupsClaim = (options === null || options === void 0 ? void 0 : options.groupsClaim) ?? process.env.MONOCLOUD_AUTH_GROUPS_CLAIM;
+		if (allowedGroups && !isUserInGroup(session.user, allowedGroups, groupsClaim)) {
+			if (options === null || options === void 0 ? void 0 : options.onGroupAccessDenied) {
+				const result = await options.onGroupAccessDenied(req, evt, session.user);
+				if (result instanceof NextResponse) return mergeResponse([nxtResp, result]);
+				if (result) return mergeResponse([nxtResp, new NextResponse(result.body, result)]);
+				return NextResponse.next(nxtResp);
+			}
+			if (req.nextUrl.pathname.startsWith("/api")) return mergeResponse([nxtResp, NextResponse.json({ message: "forbidden" }, { status: 403 })]);
+			return new NextResponse(`forbidden`, { status: 403 });
+		}
+		return NextResponse.next(nxtResp);
+	}
+	handleAuthRoutes(request, response, path, routes, onError) {
+		switch (path) {
+			case ensureLeadingSlash(routes.signIn): return this.coreClient.signIn(request, response, { onError });
+			case ensureLeadingSlash(routes.callback): return this.coreClient.callback(request, response, { onError });
+			case ensureLeadingSlash(routes.userInfo): return this.coreClient.userInfo(request, response, { onError });
+			case ensureLeadingSlash(routes.signOut): return this.coreClient.signOut(request, response, { onError });
+			default:
+				response.notFound();
+				return response.done();
+		}
+	}
+	async getSession(...args) {
+		let request;
+		let response;
+		let options;
+		if (args.length === 0) {
+			request = new MonoCloudCookieRequest();
+			response = new MonoCloudCookieResponse();
+		} else if (args.length === 1) if (args[0] instanceof Request) ({request, response} = getMonoCloudCookieReqRes(args[0], void 0));
+		else {
+			request = new MonoCloudCookieRequest();
+			response = new MonoCloudCookieResponse();
+			options = args[0];
+		}
+		else if (args.length === 2 && args[0] instanceof Request) if (args[1] instanceof Response) ({request, response} = getMonoCloudCookieReqRes(args[0], args[1]));
+		else {
+			({request, response} = getMonoCloudCookieReqRes(args[0], void 0));
+			options = args[1];
+		}
+		else if (args.length === 2 && isNodeRequest(args[0]) && isNodeResponse(args[1])) ({request, response} = getMonoCloudCookieReqRes(args[0], args[1]));
+		else {
+			({request, response} = getMonoCloudCookieReqRes(args[0], args[1]));
+			options = args[2];
+		}
+		if (!isMonoCloudRequest(request) || !isMonoCloudResponse(response) || options && typeof options !== "object") throw new MonoCloudValidationError("Invalid parameters passed to getSession()");
+		return await this.coreClient.getSession(request, response, options);
+	}
+	async getTokens(...args) {
+		let request;
+		let response;
+		let options;
+		if (args.length === 0) {
+			request = new MonoCloudCookieRequest();
+			response = new MonoCloudCookieResponse();
+		} else if (args.length === 1) if (args[0] instanceof Request) ({request, response} = getMonoCloudCookieReqRes(args[0], void 0));
+		else {
+			request = new MonoCloudCookieRequest();
+			response = new MonoCloudCookieResponse();
+			options = args[0];
+		}
+		else if (args.length === 2 && args[0] instanceof Request) if (args[1] instanceof Response) ({request, response} = getMonoCloudCookieReqRes(args[0], args[1]));
+		else {
+			({request, response} = getMonoCloudCookieReqRes(args[0], void 0));
+			options = args[1];
+		}
+		else if (args.length === 2 && isNodeRequest(args[0]) && isNodeResponse(args[1])) ({request, response} = getMonoCloudCookieReqRes(args[0], args[1]));
+		else {
+			({request, response} = getMonoCloudCookieReqRes(args[0], args[1]));
+			options = args[2];
+		}
+		if (!isMonoCloudRequest(request) || !isMonoCloudResponse(response) || options && typeof options !== "object") throw new MonoCloudValidationError("Invalid parameters passed to getTokens()");
+		return await this.coreClient.getTokens(request, response, options);
+	}
+	async isAuthenticated(...args) {
+		let request;
+		let response;
+		if (args.length === 0) {
+			request = new MonoCloudCookieRequest();
+			response = new MonoCloudCookieResponse();
+		} else ({request, response} = getMonoCloudCookieReqRes(args[0], args[1]));
+		/* v8 ignore next -- @preserve */
+		if (!isMonoCloudRequest(request) || !isMonoCloudResponse(response)) throw new MonoCloudValidationError("Invalid parameters passed to isAuthenticated()");
+		return await this.coreClient.isAuthenticated(request, response);
+	}
+	/**
+	* @see {@link protect} for full docs and examples.
+	* @param options Optional configuration for redirect behavior (for example, return URL or sign-in parameters).
+	* @returns Resolves if the user is authenticated; otherwise triggers a redirect.
+	*/
+	async protect(options) {
+		var _options$authParams19, _options$authParams20, _options$authParams21, _options$authParams22, _options$authParams23, _options$authParams24, _options$authParams25, _options$authParams26, _options$authParams27;
+		const { routes, appUrl } = this.coreClient.getOptions();
+		let path;
+		try {
+			const session = await this.getSession();
+			if (session && !(options === null || options === void 0 ? void 0 : options.groups)) return;
+			if (session && (options === null || options === void 0 ? void 0 : options.groups) && isUserInGroup(session.user, options.groups, options.groupsClaim ?? process.env.MONOCLOUD_AUTH_GROUPS_CLAIM, options.matchAll)) return;
+			const { headers } = await import("next/headers");
+			path = (await headers()).get("x-monocloud-path") ?? "/";
+		} catch {
+			throw new Error("protect() can only be used in App Router server environments (RSC, route handlers, or server actions)");
+		}
+		const signInRoute = new URL(`${appUrl}${routes.signIn}`);
+		signInRoute.searchParams.set("return_url", (options === null || options === void 0 ? void 0 : options.returnUrl) ?? path);
+		if (options === null || options === void 0 || (_options$authParams19 = options.authParams) === null || _options$authParams19 === void 0 ? void 0 : _options$authParams19.maxAge) signInRoute.searchParams.set("max_age", options.authParams.maxAge.toString());
+		if (options === null || options === void 0 || (_options$authParams20 = options.authParams) === null || _options$authParams20 === void 0 ? void 0 : _options$authParams20.authenticatorHint) signInRoute.searchParams.set("authenticator_hint", options.authParams.authenticatorHint);
+		if (options === null || options === void 0 || (_options$authParams21 = options.authParams) === null || _options$authParams21 === void 0 ? void 0 : _options$authParams21.scopes) signInRoute.searchParams.set("scope", options.authParams.scopes);
+		if (options === null || options === void 0 || (_options$authParams22 = options.authParams) === null || _options$authParams22 === void 0 ? void 0 : _options$authParams22.resource) signInRoute.searchParams.set("resource", options.authParams.resource);
+		if (options === null || options === void 0 || (_options$authParams23 = options.authParams) === null || _options$authParams23 === void 0 ? void 0 : _options$authParams23.display) signInRoute.searchParams.set("display", options.authParams.display);
+		if (options === null || options === void 0 || (_options$authParams24 = options.authParams) === null || _options$authParams24 === void 0 ? void 0 : _options$authParams24.uiLocales) signInRoute.searchParams.set("ui_locales", options.authParams.uiLocales);
+		if (Array.isArray(options === null || options === void 0 || (_options$authParams25 = options.authParams) === null || _options$authParams25 === void 0 ? void 0 : _options$authParams25.acrValues)) signInRoute.searchParams.set("acr_values", options.authParams.acrValues.join(" "));
+		if (options === null || options === void 0 || (_options$authParams26 = options.authParams) === null || _options$authParams26 === void 0 ? void 0 : _options$authParams26.loginHint) signInRoute.searchParams.set("login_hint", options.authParams.loginHint);
+		if (options === null || options === void 0 || (_options$authParams27 = options.authParams) === null || _options$authParams27 === void 0 ? void 0 : _options$authParams27.prompt) signInRoute.searchParams.set("prompt", options.authParams.prompt);
+		const { redirect } = await import("next/navigation");
+		redirect(signInRoute.toString());
+	}
+	async isUserInGroup(...args) {
+		let request;
+		let response;
+		let groups;
+		let options;
+		if (args.length === 4) {
+			groups = args[2];
+			options = args[3];
+			({request, response} = getMonoCloudCookieReqRes(args[0], args[1]));
+		}
+		if (args.length === 3) {
+			if (args[0] instanceof Request) if (args[1] instanceof Response) {
+				({request, response} = getMonoCloudCookieReqRes(args[0], args[1]));
+				groups = args[2];
+			} else {
+				({request, response} = getMonoCloudCookieReqRes(args[0], void 0));
+				groups = args[1];
+				options = args[2];
+			}
+			if (isNodeRequest(args[0]) && isNodeResponse(args[1])) {
+				({request, response} = getMonoCloudCookieReqRes(args[0], args[1]));
+				groups = args[2];
+			}
+		}
+		if (args.length === 2) {
+			if (args[0] instanceof Request) {
+				({request, response} = getMonoCloudCookieReqRes(args[0], void 0));
+				groups = args[1];
+			}
+			if (Array.isArray(args[0])) {
+				request = new MonoCloudCookieRequest();
+				response = new MonoCloudCookieResponse();
+				groups = args[0];
+				options = args[1];
+			}
+		}
+		if (args.length === 1) {
+			request = new MonoCloudCookieRequest();
+			response = new MonoCloudCookieResponse();
+			groups = args[0];
+		}
+		if (!Array.isArray(groups) || !isMonoCloudRequest(request) || !isMonoCloudResponse(response) || options && typeof options !== "object") throw new MonoCloudValidationError("Invalid parameters passed to isUserInGroup()");
+		return await this.coreClient.isUserInGroup(request, response, groups, (options === null || options === void 0 ? void 0 : options.groupsClaim) ?? process.env.MONOCLOUD_AUTH_GROUPS_CLAIM, options === null || options === void 0 ? void 0 : options.matchAll);
+	}
+	/**
+	* @see {@link redirectToSignIn} for full docs and examples.
+	* @param options Optional configuration for the redirect, such as `returnUrl` or additional sign-in parameters.
+	* @returns Never resolves. Triggers a redirect to the sign-in flow.
+	*/
+	async redirectToSignIn(options) {
+		const { routes, appUrl } = this.coreClient.getOptions();
+		try {
+			const { headers } = await import("next/headers");
+			await headers();
+		} catch {
+			throw new Error("redirectToSignIn() can only be used in App Router server environments (RSC, route handlers, or server actions)");
+		}
+		const signInRoute = new URL(`${appUrl}${routes.signIn}`);
+		if (options === null || options === void 0 ? void 0 : options.returnUrl) signInRoute.searchParams.set("return_url", options.returnUrl);
+		if (options === null || options === void 0 ? void 0 : options.maxAge) signInRoute.searchParams.set("max_age", options.maxAge.toString());
+		if (options === null || options === void 0 ? void 0 : options.authenticatorHint) signInRoute.searchParams.set("authenticator_hint", options.authenticatorHint);
+		if (options === null || options === void 0 ? void 0 : options.scopes) signInRoute.searchParams.set("scope", options.scopes);
+		if (options === null || options === void 0 ? void 0 : options.resource) signInRoute.searchParams.set("resource", options.resource);
+		if (options === null || options === void 0 ? void 0 : options.display) signInRoute.searchParams.set("display", options.display);
+		if (options === null || options === void 0 ? void 0 : options.uiLocales) signInRoute.searchParams.set("ui_locales", options.uiLocales);
+		if (Array.isArray(options === null || options === void 0 ? void 0 : options.acrValues)) signInRoute.searchParams.set("acr_values", options.acrValues.join(" "));
+		if (options === null || options === void 0 ? void 0 : options.loginHint) signInRoute.searchParams.set("login_hint", options.loginHint);
+		if (options === null || options === void 0 ? void 0 : options.prompt) signInRoute.searchParams.set("prompt", options.prompt);
+		const { redirect } = await import("next/navigation");
+		redirect(signInRoute.toString());
+	}
+	/**
+	* @see {@link redirectToSignOut} for full docs and examples.
+	* @param options Optional configuration for the redirect, such as `postLogoutRedirectUri` or additional sign-out parameters.
+	* @returns Never resolves. Triggers a redirect to the sign-out flow.
+	*/
+	async redirectToSignOut(options) {
+		var _options$postLogoutRe;
+		const { routes, appUrl } = this.coreClient.getOptions();
+		try {
+			const { headers } = await import("next/headers");
+			await headers();
+		} catch {
+			throw new Error("redirectToSignOut() can only be used in App Router server environments (RSC, route handlers, or server actions)");
+		}
+		const signOutRoute = new URL(`${appUrl}${routes.signOut}`);
+		if (options === null || options === void 0 || (_options$postLogoutRe = options.postLogoutRedirectUri) === null || _options$postLogoutRe === void 0 ? void 0 : _options$postLogoutRe.trim().length) signOutRoute.searchParams.set("post_logout_url", options.postLogoutRedirectUri);
+		if (typeof (options === null || options === void 0 ? void 0 : options.federated) === "boolean") signOutRoute.searchParams.set("federated", options.federated.toString());
+		const { redirect } = await import("next/navigation");
+		redirect(signOutRoute.toString());
+	}
+	getOptions() {
+		return this.coreClient.getOptions();
+	}
+	registerPublicEnvVariables() {
+		Object.keys(process.env).filter((key) => key.startsWith("NEXT_PUBLIC_MONOCLOUD_AUTH")).forEach((publicKey) => {
+			const [, privateKey] = publicKey.split("NEXT_PUBLIC_");
+			process.env[privateKey] = process.env[publicKey];
+		});
+	}
+};
+
+//#endregion
+export { MonoCloudNextClient };
+//# sourceMappingURL=monocloud-next-client.mjs.map